Towards Smart Card Based Mutual Authentication Schemes in Cloud Computing

  • Li, Haoxing (State Key Laboratory of Integrated Services Networks, Xidian University) ;
  • Li, Fenghua (State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences) ;
  • Song, Chenggen (Institute of Information Security, Beijing Electronic Science and Technology Institute) ;
  • Yan, Yalong (Institute of Information Security, Beijing Electronic Science and Technology Institute)
  • Received : 2015.01.06
  • Accepted : 2015.04.19
  • Published : 2015.07.31

Abstract

In the cloud environment, users pay more attention to their data security since all of their data are stored in the cloud server. Researchers have proposed many mutual authentication schemes for the access control of the cloud server that use a smart card to protect sensitive data. However, few of them can resist the smart card loss problem and provide both forward security and backward security. In this paper, we propose a novel authentication scheme for cloud computing which addresses these problems and also provides anonymity for the user. The trick we use is combining the password, the smart card and public key techniques to protect the user's authentication and key exchange. Under the Elliptic Curve Diffie-Hellman (ECDH) assumption, it is provably secure in the random oracle model. Compared with the existing smart card based authentication schemes in cloud computing, the proposed scheme provides a higher degree of security.

1. Introduction

Cloud computing is a new technology which has been a hot topic in the past decade in both academia and industry. On one hand, users can take advantage of the cloud server to accomplish complicated calculations which cannot be processed locally. On the other hand, users can store a large amount of data in the cloud server to save their own storage space [1]. Therefore, individuals and especially companies are interested in outsourcing services to cloud service providers in order to reduce the cost of management and deployment. Many international firms have established cloud platforms and offer cloud computing services to Internet users, such as Google App Engine, Microsoft Windows Azure, Amazon Web Services and IBM SmartCloud.

However, users who take advantage of these cloud computing services pay much attention to the security of their data since the data are outsourced to the cloud server. The security issues that individuals or companies are concerned about in the cloud environment include access control, data integrity, data confidentiality, authentication and authorization [2]. Among them, authentication is important, because without a secure authentication scheme the data of the user can be obtained by an illegitimate person. Authentication between the user and the cloud server not only guarantees that the data can be accessed by legitimate users successfully but also excludes malicious visitors. So when using a cloud service, authentication between the user and the server should be considered first.

Authentication is the first step when a user accesses his cloud data. It is important for the authorized user to get his service safely and smoothly. Authentication schemes using a smart card provide more convenience and security for the user than other authentication schemes: on one hand, users do not need to remember a long secret value as they do with public key mechanisms; on the other hand, they provide more security properties than authentication schemes using only a password [3]. So many authentication schemes using smart cards have been proposed for cloud computing. However, many of them cannot resist the smart card lost attack. Meanwhile, few of them consider forward and backward security, since these cannot be implemented easily. However, these two properties are important. Because we do not know what will happen in the future, if an adversary obtains all of our secrets at some later time and recovers a conversation that had been encrypted by the session key of an old session, or obtains a conversation encrypted by the session key of a new session, it is a serious threat to us.

So how to obtain an authentication scheme which can both resist the smart card lost attack and provide forward and backward security in cloud computing is a challenge for researchers. Because public key techniques are absent from these authentication schemes, they cannot provide strong security properties when the smart card is lost. Halevi and Krawczyk [4] have pointed out that public key techniques are unavoidable for password protocols that resist off-line dictionary attacks. Following this rule, in this paper we propose a new authentication scheme for cloud computing using a smart card. In the new scheme, even if the smart card is lost, the authentication scheme is still secure. Meanwhile, the new scheme also provides anonymity for the user and the properties of forward and backward security. Under the ECDH assumption, the new scheme is provably secure in the random oracle model. The communication framework is also very suitable for mobile cloud computing, which is a hot topic in next generation communication, since both of them use three-level authentication.

In Section 2, we review previous work on authentication schemes in cloud computing using smart cards. In Section 3, we give a security model for authentication schemes using smart cards. In Section 4, we present a new authentication scheme for cloud computing using a smart card. We then give the security analysis and the performance of the proposed scheme in Section 5. Finally, in Section 6 we conclude this paper and give future work.

 

2. Related Work

Authentication schemes between the user and the server were based on the password technique in the early stage [5-6]. However, there are two drawbacks to such methods. On one hand, the passwords of users are short and they are often chosen from names or numbers they frequently use. So the passwords can be guessed by the attacker, i.e., the authentication schemes are vulnerable to the dictionary attack [7]. On the other hand, in such a scenario all the passwords of the users are stored in the server. Once the server is compromised, all the users' passwords are revealed. In order to address these problems, authentication using a password and a smart card was proposed [3, 8]. In such authentication, the user owns a password and a smart card. Only if both the password and the smart card are correct can the user log in to the server successfully. Many authentication schemes using smart cards have been presented for the cloud environment [9-16].

Choudhury et al. proposed a strong user authentication framework for cloud computing [9]. The new method, Out of Band (OOB) authentication combined with smart card and password authentication, was used in [9]. However, Chen and Jiang found security weaknesses in Choudhury et al.'s authentication scheme [10]: there are a masquerading attack and an OOB attack on [9] if the smart card of the user is lost. Then, Chen and Jiang proposed an improved user authentication framework for cloud computing [10]. However, the improved scheme is not secure. When the attacker obtains the information in the smart card, he can launch an offline dictionary attack. Because the user's messages are only protected by the password and the information stored in the smart card, the authentication scheme is vulnerable to the offline dictionary attack when the smart card is lost. The attacker can obtain the information stored in the smart card and guess the password of the user, then verify the correctness of his guess against the authentication messages sent to the cloud server. The same attack also applies to Jiang's authentication scheme for cloud computing [11]. Han et al. proposed a scheme for data confidentiality in cloud computing for wireless body area networks which further extends the application of cloud computing [12].

Different from the authentication schemes mentioned above, Nimmy and Sethumadhavan proposed a mutual authentication scheme for cloud computing using secret sharing [13]. The server splits the credential of the user into two shares; one is stored in the smart card and the other is stored in the server. It seems that only by getting both shares can one recover the credential of the user. However, the server still depends on the information stored in the smart card to verify the identity of the user. When getting the smart card, the adversary can also launch the offline dictionary attack and impersonate the user to access the cloud. So the secret sharing method does not provide more security. In order to reduce the time of authentication, Hao et al. proposed a time-bound ticket-based mutual authentication scheme for the cloud environment using a smart card [14]. The advantage of Hao et al.'s authentication scheme is that the server issues a certain number of digital tickets to the user. The user can use one ticket for one data verification, so it saves authentication time since the user's data verification frequency is reduced. However, although Hao et al. claimed that the authentication scheme was secure, Pippal et al. found it was vulnerable to a Denial-of-Service attack and that the password change phase was insecure [15]. To resist these weaknesses, Pippal et al. proposed an enhancement to Hao et al.'s scheme. The trick they used in [15] is that the smart card verifies both the password and the user's identifier at the user side before sending the authentication message to the cloud server. If the smart card is a tamper resistant device, this trick is helpful. However, as we know, most smart cards are not tamper resistant, for two reasons: tamper resistant smart cards are expensive, and the parameters in these smart cards can also be extracted by side-channel attacks [16].

Using a tamper resistant smart card to address the problem of authentication between the user and the server is not a good choice. Huang et al. proposed a robust and privacy-protecting authentication scheme for cloud computing using a trusted third party [17] without using a tamper resistant smart card. The authentication scheme is secure and also has good performance. The only doubtful point is the reliability and complexity of introducing the trusted party. Meanwhile, forward security and backward security are not considered in [17].

 

3. Security Model

The security model we use is based on the models proposed by Bellare et al. [6] and Zhou et al. [18], respectively. In the model, there are three entities: the user U, the server S and the adversary . The user owns his password and a smart card which is issued from the server. The server owns his private information and the user’s registration information. The adversary can control all the communication between the user and the server. The ability of the adversary is based on the queries to the protocol instances. One execution of the protocol is called an instance. The queries that can ask are as follows:

Execute (, ): This query models passive attacks. The adversary often gets the protocol flows between instances and by eavesdropping. The output of this query is the honest execution of the protocol.

Send (/, m): This query models active attacks: impersonating U, sends a message m to instance /. The output of this query is the response generated by the instance after it processes m according to the protocol.

Reveal (/): This query models the misuse of the session key, or the known key attack. The output of this query is the session key of instance /. This only happens when the attacked instance actually holds a session key.

Corrupt (U, password): The output of this query is the password of the user.

Corrupt (U, smart card): The output of this query is the secret information which is stored in the smart card.

Test (/): The semantic security of the session key is modeled by this query. When chooses a session as the Test session and asks this session the Test (/) query, the query is answered as follows: one flips a coin b; if b = 1 it outputs the session key skUS to ; if b = 0, it outputs a random value chosen from the session key space to . This query can only be asked of an instance which is fresh and can be asked at most once. An instance is fresh if: (1) it is not asked the Reveal query; (2) the instance which has a matching conversation with is not asked the Reveal query either.

AKE (Authenticated Key Exchange) Security. The privacy of the session key is modeled by the game between the adversary and a simulator . The simulator simulates the protocol for the adversary and answers the queries asks. When asks a Test (/) query, he needs to output a bit b'. The aim of is to correctly guess the bit b in the Test session. The protocol P is said to be AKE-secure if for any polynomial time adversary the following equation holds:

where qsend is the number of Send queries, N is the size of the password dictionary and neg(l) is a negligible value.

 

4. A New Authentication Scheme for Cloud Computing Using Smart Card

In this section we propose a new authentication scheme for cloud computing using a smart card. We first give the authentication structure of the cloud computing setting we use in Fig. 1.

Fig. 1. Authentication structure of the cloud computing used in this paper

As shown in Fig. 1, there are three kinds of entities in the scheme: a cloud user A, some cloud servers CSi and a service provider SP. Here we assume SP is a trusted third party and the CSi are semi-trusted servers, i.e., the CSi are honest but curious: they do not launch active attacks but they are curious about the password of the user. When the user wants to get the cloud service, he needs to register with the service provider. The service provider SP issues a credential to the user over a secure channel. Here SP does not provide service to the user directly. Actually, it administers a group of cloud servers {CS1,CS2,...,CSn}. These cloud servers provide service to the user directly, such as storing sensitive data or dealing with complex computation. There is a secure channel between CSi and SP. However, when the user logs in to a cloud server, the cloud server cannot authenticate the user alone. The authentication between the user and CSi must be completed with the help of SP.

Let's consider a real example in cloud computing to show the problem we want to solve. A cloud user has registered with a service provider SP and owns his password and smart card. In order to reduce the burden on SP and avoid a single point of failure, SP disperses some of the service to a certain cloud server CSi, so some of the service is now provided by CSi. Unfortunately, the smart card of the user is lost some day. In this case, how can the user believe his data stored in CSi are still secure if the attacker gets his smart card but not his password? In this paper, we propose a new authentication scheme using a smart card to answer this question.

The new authentication scheme includes three phases: the registration phase, the authentication and key exchange phase and the password-changing phase. The first and third parts are similar to those of existing authentication schemes [14-15]. The innovation is in the second part. Firstly, we introduce the three-level authentication model into cloud computing, which is different from the trick in other authentication schemes in cloud computing [8-16]. The advantages of the three-level authentication model are: on one hand, it is easier to convert static authentication schemes to dynamic authentication schemes in the three-level model since they use the same framework, i.e., the authentication scheme can more easily be evolved into a roaming authentication for cloud computing; on the other hand, the new scheme disperses the computation and communication burden of the service provider to the cloud servers. This avoids the case where, under a large number of connection requests between users and the service provider, the service provider may not be able to deal with these requests in time, so that users experience a delay. Secondly, we use a new trick in the authentication scheme, i.e., using the ECDH problem to establish a secure key between the user and the service provider, then using this key to encrypt the user's credential, complete the authentication and generate a new session key between the user and the cloud server. The new trick makes the scheme resistant to the smart card lost attack. Thirdly, we bring forward and backward security into the scheme, which keeps the session secure even if the long term secrets of the user and the server are corrupted.

The notations we use are given in Table 1. Note that we do not give a detailed definition of the hash function; we just use h(⋅) as a class of cryptographically secure hash functions.

Table 1. Notations

4.1 Registration Phase

The registration phase happens between the user and the cloud service provider. When a user wants to get the cloud service, he needs to register with the service provider SP. Fig. 2 shows the details of the registration phase.

Fig. 2. The registration phase

Step 1. User A first selects PWA as his password. Then, in order to increase the entropy of PWA, A chooses a random value r ∈ and computes h(PWA||r). A sends {IDA,h(IDA||r)} to the service provider through a secure channel.

Step 2. When receiving the messages, SP selects a random value R ∈ {0,1}^64 and creates a credential CA = h(s||IDA||R) ⊕ h(PWA||r) for A. SP stores the value R in its data space and issues a smart card which contains {IDA, CA} to A.

Step 3. When receiving the smart card, A embeds r into the smart card. Now the information in the smart card is {IDA, r, CA}.

4.2 Authentication and Key Exchange Phase

When the user wants to get the cloud service, he needs to complete a mutual authentication and key exchange with the ith cloud server CSi . Fig. 3 shows the details of the authentication and key exchange phase.

Fig. 3. The authentication phase of the proposed protocol

Step 1. A → CSi

User A inserts his smart card and inputs his password PWA. Then, he selects two random values, a,r1 ∈ . A computes K = h(a⋅sP) and MA = h(K||r1) ⊕ IDA and reveals the secret value XA = h(PWA||r) ⊕ CA . Then, A computes authentication message NA = h(K||r1||XA) and sends {aP,r1,MA,NA} to the cloud server CSi.

Step 2. CSi → SP

On receiving {aP,r1,MA,NA}, CSi selects a random value b ∈ and computes MCSi = EKCSi-SP(aP,bP,r1,MA,NA) . Then, CSi sends {IDCSi,MCSi} to the service provider SP.

Step 3. SP → CSi

On receiving {IDCSi,MCSi}, SP first decrypts MCSi and obtains {aP,bP,r1,MA,NA}. Then, SP computes K = h(s⋅aP) and gets the identity of the user by IDA = h(K||r1) ⊕ MA. SP computes XA = h(s||IDA||R) from the user's identity IDA. After that, SP verifies whether NA = h(K||r1||XA) holds. If it does, SP rejects it and requires the user to send the messages again. Otherwise, SP selects a random value s1 ∈ and computes its authentication message AuthSP = h(K||s1||aP||bP), MSP = EKCSi-SP(IDA, aP,bP,s1,AuthSP). SP sends MSP to CSi.

Step 4. CSi → A

On receiving MSP, CSi first decrypts MSP and obtains {aP,bP,s1,AuthSP}. Then CSi verifies whether bP is equal to the random value it chose. If it is not equal, CSi rejects it. Otherwise, CSi computes its authentication message AuthCSi = h(b⋅aP||bP||IDCSi) and the session key between CSi and A, KCSi-A = h(abP||aP||bP||IDA||IDCSi). CSi sends {IDCSi,bP,s1,AuthSP,AuthCSi} to A.

Step 5. On receiving the messages from CSi, user A computes and verifies whether AuthSP = h(K||s1||aP||bP) and AuthCSi = h(a⋅bP||bP||IDCSi) hold. If one of them does not hold, user A rejects them. Otherwise, A computes the session key between A and CSi KCSi-A = h(abP||aP||bP||IDA||IDCSi) .
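The registration phase and Steps 1-5 above, as an added Python example that is not part of the paper: secp256k1 stands in for the group G and generator P, SHA-256 for h(⋅), identities are padded to 32 bytes so that IDA ⊕ h(K||r1) is well-formed, and the CSi-SP encryption E is abstracted as a direct call over the secure channel the paper assumes. The user sends h(PWA||r) at registration, as the credential formula in Step 2 requires, and SP rejects when NA fails to verify; the demo shows that the card contents without the password are rejected.

```python
import hashlib
import secrets
P_MOD = 2**256 - 2**32 - 977      # secp256k1 stands in for the paper's group G with generator P
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7 mod P_MOD; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, point):  # double-and-add scalar multiplication k*point
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point, k = ec_add(point, point), k >> 1
    return result

def enc(point):  # fixed-width encoding of a point for hashing
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")

def h(*parts):  # the paper's h(x||y||...), instantiated as SHA-256 over separator-joined byte strings
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

class ServiceProvider:
    def __init__(self):
        self.s = secrets.randbelow(ORDER - 1) + 1   # long-term secret s
        self.sP = ec_mul(self.s, GEN)               # public value sP known to users
        self.registry = {}                          # ID_A -> R, SP's per-user record

    def register(self, id_a, hpw):  # registration step 2: C_A = h(s||ID_A||R) xor h(PW_A||r)
        R = secrets.token_bytes(8)
        self.registry[id_a] = R
        return xor(h(self.s.to_bytes(32, "big"), id_a, R), hpw)

    def authenticate(self, aP, bP, r1, MA, NA):  # authentication step 3
        K = h(enc(ec_mul(self.s, aP)))              # h(s*aP) == h(a*sP): shared only with A
        id_a = xor(h(K, r1), MA)                    # recover ID_A from M_A
        R = self.registry.get(id_a)
        if R is None or NA != h(K, r1, h(self.s.to_bytes(32, "big"), id_a, R)):
            return None                             # X_A needs the password, not just the card
        s1 = secrets.token_bytes(16)
        return id_a, s1, h(K, s1, enc(aP), enc(bP))  # last item is Auth_SP

class CloudServer:
    def __init__(self, cs_id, sp):
        self.id, self.sp, self.session_key = cs_id, sp, None

    def handle_login(self, aP, r1, MA, NA):  # steps 2 and 4; E_{K_CSi-SP} abstracted as a direct call
        b = secrets.randbelow(ORDER - 1) + 1
        bP = ec_mul(b, GEN)
        reply = self.sp.authenticate(aP, bP, r1, MA, NA)
        if reply is None:
            return None
        id_a, s1, AuthSP = reply
        abP = ec_mul(b, aP)
        self.session_key = h(enc(abP), enc(aP), enc(bP), id_a, self.id)
        return self.id, bP, s1, AuthSP, h(enc(abP), enc(bP), self.id)  # last item is Auth_CSi

class User:
    def __init__(self, id_a, password, sp):  # registration steps 1 and 3
        self.sP, r = sp.sP, secrets.token_bytes(16)
        CA = sp.register(id_a, h(password, r))      # sends h(PW_A||r), the value step 2's formula uses
        self.card = {"ID": id_a, "r": r, "CA": CA}  # smart card holds {ID_A, r, C_A}

    def login(self, cs, password):  # steps 1 and 5; returns the session key, or None on rejection
        a, r1 = secrets.randbelow(ORDER - 1) + 1, secrets.token_bytes(16)
        aP, K = ec_mul(a, GEN), h(enc(ec_mul(a, self.sP)))
        MA = xor(h(K, r1), self.card["ID"])
        XA = xor(h(password, self.card["r"]), self.card["CA"])  # wrong password -> wrong X_A
        reply = cs.handle_login(aP, r1, MA, h(K, r1, XA))
        if reply is None:
            return None
        cs_id, bP, s1, AuthSP, AuthCS = reply
        abP = ec_mul(a, bP)
        if AuthSP != h(K, s1, enc(aP), enc(bP)) or AuthCS != h(enc(abP), enc(bP), cs_id):
            return None
        return h(enc(abP), enc(aP), enc(bP), self.card["ID"], cs_id)

def demo():  # -> (honest login agreed a key, card present but wrong password was rejected)
    sp = ServiceProvider()
    cs = CloudServer(b"CS-1".ljust(32, b"\0"), sp)  # 32-byte identities so ID xor h(K||r1) is well-formed
    alice = User(b"alice".ljust(32, b"\0"), b"correct horse battery", sp)
    key = alice.login(cs, b"correct horse battery")
    agreed = key is not None and key == cs.session_key
    return agreed, alice.login(cs, b"wrong guess") is None
```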

4.3 Password-changing Phase

If the user wants to change his password, he needs to go through the authentication phase first. This means that if the user wants to change the password, he needs to have the old password in hand as well as the smart card. After a successful authentication, user A holds the secret h(K||s1) shared with SP. Then, A inputs his new password PWnew, selects a random value r' ∈ and submits Eh(K||s1)(IDA, h(PWnew||r')) to the cloud service provider. On receiving the message, SP decrypts it and obtains the new password of A. Then, SP selects another random value R' ∈ {0,1}^64 and creates a new credential CA' = h(s||IDA||R') ⊕ h(PWnew||r') for A. SP sends Eh(K||s1)(IDA, CA') to A. A decrypts Eh(K||s1)(IDA, CA') and updates the information in the smart card to {IDA, CA', r'}.

 

5. Security and Performance Analysis

5.1 Security Analysis

We analyze the security of the proposed authentication and key exchange protocol in the model given in Section 3. The security of the scheme is based on the Elliptic Curve Computational Diffie-Hellman (ECDH) Assumption. We first summarize the proof in order to give readers a clear understanding. The proof is based on security games between the adversary and a simulator who simulates the protocol for the adversary. The simulator revises the games one by one and embeds an ECDH problem into the protocol in the last game. In the last game, the protocol is almost random, and so is the session key, which is computed from the ECDH tuple that the simulator embeds. So if the adversary can correctly guess the session key and win the game, then the simulator can break the ECDH assumption by using the adversary as a subroutine. This is the main line of the proof.

Elliptic Curve Diffie-Hellman (ECDH) Assumption: Let e be an elliptic curve and G be an additive group with order q which consists of the points of e. Let P be a generator of G, aP and bP be two elements of G and be an ECDH-adversary with running time at most t. The probability that succeeds in computing abP from (aP, bP) is denoted by . The ECDH assumption holds if is negligible.

Theorem 1 (AKE Security). Let D be the distribution of users' passwords, whose size is |D|. Let P be the protocol we proposed. For any adversary running within a time bound t, with fewer than qsend Send queries, qexe Execute queries and fewer than qh Hash queries, we have:

where AdvE(t) is the probability that breaks the encryption scheme and τG denotes the computational time of a point multiplication in the group G.

Proof. The security analysis is based on the AKE-game between the adversary and a simulator S. The simulator S initializes the system for all the users, the cloud server and the cloud service provider. We define a sequence of games starting from G0 to G4. For each game Gi (0 ≤ i ≤ 4), we define Si to be the event that correctly guesses the bit b in the Test session and Pr[Si] to be the probability of this event. Let Di = |Pr[Si] - Pr[Si-1]|. By using the games below we obtain Theorem 1.

Game G0: This game is in the real protocol and corresponds to the real attack. So by the definition of S0, we have:

Making a transformation, we have:

Game G1: In this game, S simulates the hash function h as a random oracle and creates a hash list which records the queries to h and the corresponding answers. The Hash queries, the Send queries, the Execute queries, the Reveal queries, the Corrupt queries and the Test query are answered as in G0. The difference is that G0 is in the real protocol and G1 is in the random oracle model. From the definition of the random oracle, we can see that G0 and G1 are indistinguishable. So we have:

Game G2: S cancels the game when some collisions appear on the transcripts {aP,r1,MA,NA}, {IDCSi,MCSi}, MSP, and {IDCSi,bP,s1,AuthSP,AuthCSi}. In the Send queries, we can see that at least one of the transcripts is generated by the honest participant. In the Execute queries, all of them are generated by the honest participants. So by the birthday paradox, the probability of collisions on the transcripts is (qsend)^2/2q + (qexe)^2/2q^2. The same conclusion holds for collisions of the hash function. Then, we have:

Game G3: In this game, S simulates all the oracles as in game G2, except that S stops the game when the adversary breaks the encryption algorithm E. If the algorithm E is broken, then the adversary can impersonate CSi and choose the random value b himself. sends {IDCSi,bP,s1,AuthSP,AuthCSi} to the user A. In such a case, will compute the correct session key since he has the value b. can also successfully distinguish between the value returned from the Test session and a random value chosen from the key space. It means will distinguish game G2 from game G3. Thus,

Game G4: In this game, S first chooses one session as the Test session and another session as the matching session of the Test session. Then, S adds a random value mP into the Test session in place of aP and adds another random value nP into the matching session in place of bP. In such a case, if can successfully distinguish between the value returned from the session and a random value and win the AKE security game, then we can solve the ECDH problem using as a subroutine, i.e., compute mnP. In order to obtain this conclusion, we need to use the random oracle h. As we know, in the random oracle model, all of the outputs of the random oracle are random. So if can distinguish between the value returned from the Test session and a random value, it means must have computed the session key himself, i.e., h(mnP||mP||nP||IDA||IDCSi). It further means that must have asked a Hash query on (mnP,mP,nP,IDA,IDCSi) to the hash oracle before. By retrieving the hash list S kept, S can get the value mnP, i.e., solve the ECDH problem. Note here we have to show how h answers the query in order to correctly simulate the protocol. If a Hash query x is asked to the hash oracle (here x is a group of data), the simulator S first checks whether this query has been asked before. If it has been asked, S looks up the hash list and returns the corresponding answer. Otherwise, S chooses a random value as the answer to this hash query and returns it. Then, S updates the hash list with this record.

Now in G4 the protocol is correctly simulated in the random oracle model. Let Event4 be the event that has asked a Hash query on (mnP,mP,nP,IDA,IDCSi) in the Test session. Then we can see that if Event4 does not happen, the advantage of in winning the AKE security game in G4 is 1/2, since the session key of the protocol in G4 is random in the random oracle model. Thus, the probability that wins the AKE-game in G4 is:

Next we consider the probability of Event4. Actually, in game G4, Event4 will happen in the following three cases:

Case 1: asks a Corrupt(A, smart card) query on the user A and obtains the secret information in the smart card, i.e., {IDA,CA,r}. Using this secret information, chooses a candidate password PWA' of A and a random value m, then the adversary computes K = h(m⋅sP), MA = h(K||r1) ⊕ IDA and XA' = h(PWA'||r) ⊕ CA. After that, the adversary asks a Send(mP,r1,MA,NA) query to . chooses this session as the Test session and asks the Test query. This means launches an online dictionary attack. If 's guess is correct, then SP will return the message which shows that 's authentication request has passed. In such a case, will ask a Hash query on (mnP,mP,nP,IDA,IDCSi) to the hash oracle, i.e., Event4 happens. We bound the probability of this event by:

Case 2: In this case, the adversary also corrupts the smart card of the user and gets the secret information as in Case 1. Then, different from Case 1, does not choose the random value a himself. just asks Execute(,,) to , and . Then, chooses this session as the Test session, which means launches an off-line dictionary attack. In such a case, S embeds a tuple (mP, nP) into the protocol and substitutes aP with mP and bP with nP. If wins the game, he must have asked a Hash query on (mnP,mP,nP,IDA,IDCSi), i.e., computed mnP without knowing m and n. In such a case, Event4 happens and S can get mnP and solve the ECDH problem by using . In this case, Event4 is bounded by:

Case 3: In this case, first asks an Execute() query to . Then, when gets the messages (mP,r1,MA,NA) output by , continues to ask Execute() and Execute(). When obtaining the messages {IDCSi,bP,s1,AuthSP,AuthCSi} from , does not send the messages to the user A. chooses b' and s1' himself and impersonates CSi to send {IDCSi,b'P,s1',AuthSP',AuthCSi'} to A. If both AuthSP' and AuthCSi' pass the user's verification, then Event4 will happen since already knows the value b' in b'P. However, the probability of this event is also bounded by the advantage of breaking the ECDH problem. As shown in the protocol, mP is authenticated by K = h(msP) in AuthSP. Without knowing m and s, cannot compute the correct authentication message, i.e., the random value chosen by cannot pass the user's verification. So Event4 in Case 3 cannot happen unless breaks the ECDH problem. So we have:

So we can bound the probability of Event4 in G4:

Consequently, from equations (2)-(11) we obtain the result of Theorem 1.

Theorem 2 (Anonymity). The proposed scheme provides strong anonymity against an active adversary if the ECDH problem is hard.

Proof. The proof of anonymity is similar to that of AKE security, so we just give a brief explanation. As described in Fig. 2, if the adversary wants to reveal the identity of the user A, he needs to compute the value h(K||r1). So if obtains the identity of A, must have asked a (K, r1) query to the hash oracle, where K = h(asP). Then the simulator S can embed a random tuple (mP, nP) into the protocol to replace aP and sP respectively. Then, S can check the hash list to find the value mnP if obtains the identity of A. So under the ECDH assumption, the proposed scheme provides anonymity for the user.

Theorem 3 (Forward security). The proposed scheme provides forward security against an active adversary if the ECDH problem is hard.

Proof. Forward security means that if the long term secret value is corrupted by , he cannot recover a session key which was agreed by the honest user before this point. As we can see, the session key of the protocol consists of the random values chosen by A and CSi respectively. The session key is not related to the long term secret values of A, PW and CA, or the long term secret value of SP, s. As in the proof of AKE security, if can break the forward security of the scheme, then S embeds a random tuple (mP, nP) into the protocol to replace aP and bP respectively. After recovers the session key, S checks the hash list and gets the value abP, i.e., solving the ECDH problem. The detailed proof is similar to that of AKE security and we do not repeat it here.

Theorem 4 (Backward security). The proposed scheme provides backward security against an active adversary if the ECDH problem is hard.

Proof. Backward security means that if the long term secret value is corrupted by , he cannot obtain a session key which is agreed by the honest user after this point. The purpose of is to obtain the secret which is encrypted by the session key between A and CSi. Suppose that has corrupted user A and obtained his password and the information in the smart card without being detected by the user. Now wants to obtain the session key of the user in a new session. In the new session can intercept the messages of A and impersonate A to communicate with CSi and SP. However, without knowing the random value a chosen by A, cannot obtain the authentication message of SP, AuthSP = h(K||s1||aP||bP), where K = h(a⋅sP). So without the correct authentication message of SP, even if impersonates CSi and sends {IDCSi,bP,s1,AuthSP,AuthCSi} to A, AuthSP cannot pass the verification of A. Therefore, cannot get the session key of the new session of a user who has lost all of his secrets either, i.e., the scheme provides backward security. The detailed proof is similar to that of forward security and we do not repeat it here.

5.2 Performance Analysis

In this section we only discuss authentication schemes using smart cards in cloud computing; authentication schemes using other techniques are not the main motivation of this paper. We analyze the performance of the proposed authentication scheme in two aspects: one is the security properties and the other is the efficiency. Table 2 shows the security properties of the proposed scheme compared with some other smart card based authentication schemes for cloud computing. Actually, security is the primary question we have to answer in cloud computing since the data are not stored on the users' computers. As far as authentication schemes using smart cards are concerned, identity protection, security when the smart card is lost, and forward/backward security are important properties. From Table 2, we can see that only our scheme has all the security properties, so from the security aspect our scheme has better performance than the other schemes in the table.

Table 2. P1: Mutual authentication; P2: Providing secure key agreement; P3: Preventing the dictionary attack; P4: Identity protection; P5: Secure when the smart card is lost; P6: Forward security.

Table 3 shows the computation cost of the proposed scheme and some related schemes. In Table 3, the cost of a point multiplication operation is similar to that of an exponent operation, and the cost of a hash operation is similar to that of an encryption/decryption operation. Point multiplication and exponent operations are more time consuming than hash and encryption/decryption operations. From Table 3 we can see that Huang et al.'s scheme [17] is the most efficient of the four schemes. On the user side, its computation cost is 3h+1E and on the server side its computation cost is 1m+4h+1E after pre-computation. Our authentication scheme has one more point multiplication than Huang et al.'s scheme on both the user side and the server side (here we only consider the multiplication cost since it is more time-consuming than the other operations). The reason is that our scheme has the property of forward security and backward security. As we know, if an authentication scheme has forward security or backward security, one more ECDH tuple (mP, nP) will be added. So without forward security and backward security our scheme has the same performance as Huang et al.'s scheme. Choudhury et al.'s scheme [9] and Chen et al.'s scheme [10] have better performance than our scheme on the server side; however, they are not as good as ours on the user side. We pay much attention to the cost of the user side since its processor speed is often limited. Meanwhile, there is a further advantage of our scheme: the server does not need to store the ephemeral secret of the user, which reduces the probability of an attack on the server.

Table 3. m: point multiplication; e: exponent; h: hash; E: encryption/decryption.

In order to give an objective efficiency comparison, we make an efficiency analysis on the basis of the implementation of the scheme in [19] and the implementation of our scheme. The operations used in the experiment are implemented with an exponent over a 1024-bit prime, an elliptic curve over a finite field with a 192-bit prime, AES encryption with a 256-bit key and the hash function SHA256. The computation cost of the user is evaluated on an NXP SmartMX PKI controller P5CT072 with 4.5KB RAM and a PKI crypto-engine. The computational costs on the server side are evaluated using a laptop with a 2.5GHz Intel Core i5-4200M processor and 4GB RAM. The communication between the smart card and the server is carried over the USB bus. Table 4 shows the experimental results for the related authentication schemes after pre-computation. From Table 4 we can see that our scheme does not have the best efficiency, especially on the server side. The reason is that our scheme provides forward/backward security, which is absent in the other schemes. If they were to provide this property, at least one more point multiplication would be needed, as mentioned above.

Table 4. Experimental data between related authentication schemes after pre-computation

So, considering security and computation cost overall, our scheme has better performance in the following aspects:

(1). Compared with the smart card based authentication schemes [9-10] in cloud computing, our scheme can resist the smart card lost attack, which is important for the security of the user's data in the cloud server.

(2). Compared with the authentication scheme [17], although both our scheme and [17] can resist the smart card lost attack, our scheme has two further advantages over [17]. Firstly, our scheme has the property of forward and backward security, which protects the sessions of the user in the past and in the future. Secondly, we use a three-level authentication model, which is different from Huang et al.'s authentication scheme [17]. This allows our authentication scheme to be easily converted into an authentication scheme for the mobile roaming scenario, since they use the same authentication model.

(3). There is a further advantage of our scheme: the service provider does not need to store the ephemeral secret of the user, which reduces the probability of an attack on the service provider. Actually, it disperses the risk across hundreds of cloud servers, which avoids a single point of failure. Meanwhile, it also reduces the burden of the service provider since the session key is computed between the user and the different cloud servers rather than with the service provider.


5. Conclusion and Future Work

Authentication schemes using smart cards are more practical in the real world since they can provide more convenience and strong security for the user in activities such as e-commerce transactions and other Internet connection activities. However, few of these schemes can resist the smart card lost attack in cloud computing. It becomes more complicated when we consider more security properties, such as forward and backward security as well as the smart card lost attack. In this paper we have taken a close look at authentication in the cloud computing scenario and proposed a new authentication scheme for cloud computing using smart cards. The new scheme is able to address two tough problems in smart card authentication for cloud computing: (1). the problem of the smart card lost attack; (2). the problem of forward and backward security. Meanwhile, the new scheme takes advantage of the three-level authentication model, which makes it easy to convert into an authentication scheme for the roaming scenario in cloud computing since they use the same framework (in the mobile roaming cloud computing scenario, the cloud server in our framework is regarded as the foreign server or the roaming server). The distributed authentication model (i.e., the service provider distributes the authentication to the different cloud servers) may help researchers to design authentication schemes for multi-party authentication scenarios in future. The proposed scheme has all of the security requirements of cloud authentication, which is better than the other schemes in this scenario. As a compromise, the computation cost of our scheme is not the best. However, it is still efficient and acceptable, as shown in Table 4.

As for future work, we want to discuss more complicated authentication scenarios for cloud computing, such as: (1). authentication schemes between different domains, i.e., how users from different cloud providers authenticate each other and agree on a common session key; (2). authentication between a group of users, i.e., how a group of users securely share their own secret data in the cloud server with other users in the group using the smart card mechanism.
