Understanding security failures of anonymous authentication schemes for cloud environments

Currently, password-based remote authentication mechanism has become an essential procedure to ensure users access the resources of the cloud server securely. Dozens of password-based multi-factor authentication schemes have been successively proposed recently. Unfortunately, most of them are vulnerable to various known attacks. The key to designing a secure and privacy-preserving authentication scheme is drawing some lessons from the security failures of existing schemes. In this work, we investigate three anonymous multi-factor authentication schemes based on passwords for cloud environments (i.e., Karuppiah et al.’s scheme at MONET’19, Lin’s scheme at IEEE Syst J’19, Rajamanickam et al.’s scheme at IEEE Syst J’20), and demonstrate that these three schemes all suffer from off-line guessing attacks and are short of an important property (i.e., forward secrecy). We also propose several effective countermeasures to remedy these weaknesses. Our analysis shows that none of these three protocols can achieve their security goals. Furthermore, we make a summary of the causes of the flaws, and reveal that the vulnerabilities of these schemes are caused by violating the basic design principles for a secure protocol (e.g., Ma et al.’s principles at IJCS’14). In addition, we investigate whether dozens of recently proposed schemes follow the design principles of Ma et al..