4 research outputs found

    Comments on Three Multi-Server Authentication Protocols

    Recently, Tsai et al., Liao et al. and Li et al. each proposed a multi-server authentication protocol. They claimed their protocols are secure and can withstand various attacks. However, we found some security loopholes in each of their schemes. For example, both Tsai et al.’s and Liao et al.’s schemes suffer from a server spoofing attack by an insider server. Li et al.’s scheme suffers from the lost smart card password-guessing attack. In addition, Liao et al.’s scheme is also vulnerable to the off-line password-guessing attack. In this paper, we first review each of the schemes and then show the attacks on them. Then, based on Li et al.’s scheme, we propose a novel one and examine its security with respect to several security features. After security analysis, we conclude that our protocol outperforms Li et al.’s scheme in the security feature of lost smart card password-guessing attack. Keywords: multi-server, password authentication protoco

    Cryptanalysis of Multiple-Server Password-Authenticated Key

    Password-based user-authentication schemes have been widely used when users access a server to avail internet services. Multiserver password-authentication schemes enable remote users to obtain service from multiple servers without separately registering with each server. In 2008, Jia-Lun Tsai proposed an improved and efficient password-authenticated key agreement scheme for a multiserver architecture based on Chang-Lee’s scheme proposed in 2004. However, we found that Tsai’s scheme does not provide forward secrecy and is weak to insider impersonation and denial of service attacks. In this article, we describe the drawbacks of Tsai’s scheme and provide a countermeasure to satisfy the forward secrecy property

    An Efficient Multi-server Password Authenticated Key Agreement Scheme Using Smart Cards
