Cryptanalysis of Design and Analysis of a Provably Secure Multi-server Authentication Scheme

The rapid growth of inter-networking and communication technologies resulted in an exponential hit rate on commercial service providing websites (servers) like Google, Amazon, Flipkart etc. from remote users connected via Internet. To handle the networking load, the organizations are moving from the traditional two tier client server architecture to multi-server architecture for efficient load balancing. The traditional two-party authentication protocol for remote user authentication are not sufficient to break the ever increasing attacks on open network i.e. Internet. Also, the existing two-party authentication protocols are meant for single server, adopting these protocols for multi-server environment results in the requirement of huge computation cost for separate registration of user at each server. So, researchers started proposing authentication schemes specific to multi-server environment. In 2014, Yeh et al. proposed an improved version over Pippal et al.’s scheme which eliminates all identified weaknesses like susceptible to user impersonation attack, server counterfeit attack, and the man-in-the-middle attack. In 2015, Mishra et al. demonstrated that Yeh et al. scheme is susceptible to off-line password guessing attack, insider attack and user impersonation attack and proposed an improved version. In this manuscript we do a thorough analysis on Mishra et al. scheme and determine that Mishra et al. scheme is liable to ’known session specific temporary information’ attack and based on that, the attacker can realize all key attacks. We also demonstrate that Mishra et al. scheme consists of major inconsistencies like ’inefficient login phase’ which restrict the protocol to adopt to real time implementation.