Cryptanalysis of a Secure Dynamic ID Based Remote User Authentication Scheme for Multi-Server Environment

The conventional user authentication scheme is designed for a single-sever environment. In the case of multiple servers, a user must register with each server individually, and memorize different pairs of identities and passwords to login to each one. This approach is inconvenient and impractical for a multi-server environment. Therefore, various user authentication schemes for multi-server environments have been proposed. In these schemes, a user only needs to register with the registration center once, and then he/she will be allowed to login to any server in this system. Recently, Liao and Wang proposed a dynamic ID-based remote user authentication scheme for multi-server environments. However, some flaws have been identified in their scheme. This paper demonstrates that anyone with relevant server access not only can derive each session key agreed upon between any user and any server, but he/she also can masquerade as any user to login to whichever server in this system.