Abstract

With the rapid growth of electronic commerce and the demand for a variety of Internet-based applications, the system providing resources and business services often consists of many servers around the world. For reliable access to these remote services, a user must pass a verification procedure to obtain authorization for legitimate resource acquisition and data exchange. So far, a variety of authentication schemes have been published to address remote user authentication in multi-server communication environments. However, most of the previously proposed mechanisms are subject to system inefficiency or fail to fulfill their security claims. Recently, Lee et al. proposed an authentication protocol for multi-server architectures that intends to provide both reliable message exchange and efficient system computation. At first glance, Lee et al.'s authentication scheme seems to be secure. Nevertheless, our protocol analysis shows that the scheme is insecure against server spoofing attacks, user impersonation attacks and undetectable online password guessing attacks. In this study we demonstrate how these malicious attacks can be invoked by an adversary. Furthermore, a security-enhanced authentication protocol is developed that eliminates all identified weaknesses while achieving the same order of computational complexity as Lee et al.'s protocol.

  • Publication date: 2010-8