Cryptanalysis of Sood et al.'s Dynamic Identity Based Authentication Protocol for Multi-Server Architecture

Bae-Ling Chen; Wen-Chung Kuo; Lih-Chyau Wuu
March 2012
International Journal of Digital Content Technology & its Applic;Mar2012, Vol. 6 Issue 4, p180
Academic Journal
Sood, Sarje, and Singh recently proposed a secure dynamic identity-based (ID-based) authentication protocol for multi-server architectures utilizing smart cards, wherein they reveal security weaknesses of Hsiang and Shih's dynamic identity-based remote user authentication scheme. Sood et al. claim their proposed scheme can provide protection from various attacks such as replay, malicious user, stolen smart card, and offline dictionary attacks. However, we found their protocol does not have any defense mechanism against denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks such as the resource exhaustion attack, which severely affects cascade-style authentication schemes. We also found the protocol is susceptible to smart card vulnerabilities such as power analysis attacks from privileged insiders. In addition, if an attacker has knowledge of both the verification tables and the master secret of the control server, the client verification tables and the service provider server database are susceptible to the verifier disclosure attack and offline dictionary attack. In this paper, we will demonstrate in detail that Sood et al.'s protocol is insecure and suffers from the aforementioned potential security vulnerabilities.


Related Articles

  • Managed security or Web censorship? ISP's intrusion-detection system freezes usage. McClure, Stuart; Scambray, Joel // InfoWorld;10/02/2000, Vol. 22 Issue 40, p56 

    Calls for the use of managed security-monitoring services that treat the customer as a partner in the monitoring effort. Monitoring capabilities of an Internet service provider; Enforcement of good Internet citizenship through managed security-monitoring services.

  • Threat Stats. // SC Magazine: For IT Security Professionals (15476693);Aug2012, Vol. 23 Issue 8, p10

    Statistics related to cyber security are presented which include the worst spam-support Internet service provider (ISP), top security breaches recorded in June 2012, and global distribution of zombie Internet Protocol (IP) addresses.

  • Certify your network. Collins, Jonathan // Total Telecom Magazine;Apr2003, p26 

    Explains the benefits to Internet service providers of adopting certification and security management practices. First step to tackling security services; Reason why large customers do not trust carriers; Estimated value of the market for managed security services.

  • Is your ISP secure? Radcliff, Deborah // InfoWorld;03/02/98, Vol. 20 Issue 9, p97 

    Discusses the need for companies to pay attention to an Internet service provider's (ISP) security policy when storing valuable information on Web servers that are housed at an ISP or Web hosting center. Existing dangers for ISP-housed information; Key questions to consider; Costs of security;...

  • Making Security Pay. Shultz, Scott // Telecommunications - Americas Edition;Aug2002, Vol. 36 Issue 9, p42 

    Examines the proactive network element security systems for service providers in the U.S. Implication of security cost from element malfunctions and service disruptions; Overview of the proposed network element security system architecture; Level of defense for firewalls with network element...

  • ISPs, take action. Andress, Mandy // InfoWorld;5/13/2002, Vol. 24 Issue 19, p44 

    Comments on the need for Internet service providers (ISP) to provide security for companies using their Internet infrastructure. Policy of ISP regarding security issues; ISP Web sites that provides security information to users; Tips in helping users to secure their networks.

  • Moving 'Beyond PCI'. Taylor, David // Cards & Payments;May2009, Vol. 22 Issue 5, p40 

    The article discusses the author's view on the impact of the Payment Card Industry (PCI) Data Security Standard on the threats, cybersecurity and science and technology before the U.S. House Committee on Homeland Security's subcommittee. The author said that the standard is far more effective at...

  • A Novel Solution to Query Assurance Verification for Dynamic Outsourced XML Databases. Viet Hung Nguyen; Tran Khanh Dang // Journal of Software (1796217X);Apr2008, Vol. 3 Issue 4, p9 

    Database outsourcing model is emerging as an important new trend beside the "application-as-a-service" model. In this model, since a service provider is typically not fully trusted, security and privacy of outsourced data are significant issues. These problems are referred to as data...

  • Smart card hacking may not affect access control. Jesse, Dominic // Security: Solutions for Enterprise Security Leaders;Sep98, Vol. 35 Issue 9, p91 

    Focuses on the use of differential power analysis (DPA) to hack into smart cards. Vulnerability of cards to DPA; Efforts to address security breaches resulting from DPA; Smart card applications threatened by DPA attacks.

