Cryptanalysis of Sood et al.’s Dynamic Identity Based Authentication Protocol for Multi-Server Architecture

Sood, Sarje, and Singh recently proposed a secure dynamic identity-based (ID-based) authentication protocol for multi-server architectures utilizing smart cards, wherein they reveal security weaknesses of Hsiang and Shih’s dynamic identity-based remote user authentication scheme. Sood et al. claim their proposed scheme can provide protection from various attacks such as replay, malicious user, stolen smart card, and offline dictionary attacks. However, we found their protocol does not have any defense mechanism against denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks such as resource exhaustion attack which severely affects cascade style authentication schemes. We also found the protocol is susceptible to smart card vulnerabilities such as power analysis attack from privileged insiders. In addition, if an attacker has knowledge of both the verification tables and the master secret of the control server, the client verification tables and the service provider server database are susceptible to the verifier disclosure attack and offline dictionary attack. In this paper, we will demonstrate that Sood et al.’s protocol is insecure and suffers from aforementioned potential security vulnerabilities in detail.