User authentication schemes for a multi-server setting allow a remote user to obtain services from multiple servers without the need to register separately with every individual server. In general, user authentication schemes for a multi-server environment should provide the following properties: single registration, low computation, no need for a verification table, mutual authentication and key agreement, and security. Recently, Wang, Juang, and Lei proposed a privacy-preservation user authentication scheme based on the quadratic residue and claimed that the scheme meets all five requirements. In this paper, we demonstrate that their scheme is, unfortunately, vulnerable to a previously unpublished parallel-session attack. In other words, this attack enables a malicious user to impersonate legitimate users and obtain services from participating application servers without the victims' knowledge. We then show how the flaw in Wang et al.'s scheme can be fixed.

Keywords: information security; multi-server; mutual authentication; password; smart card; privacy