DOI QR코드

DOI QR Code

A User Anonymous Mutual Authentication Protocol

  • Kumari, Saru (Department of Mathematics, Ch. Charan Singh University) ;
  • Li, Xiong (School of Computer Science and Engineering, Hunan University of Science and Technology) ;
  • Wu, Fan (Department of Computer Science and Engineering, Xiamen Institute of Technology) ;
  • Das, Ashok Kumar (Center for Security, Theory and Algorithmic Research, International Institute of Information Technology) ;
  • Odelu, Vanga (Department of Mathematics, Indian Institute of Technology Kharagpur) ;
  • Khan, Muhammad Khurram (Centre of Excellence in Information Assurance (CoEIA), King Saud University)
  • Received : 2016.04.24
  • Accepted : 2016.07.20
  • Published : 2016.09.30

Abstract

Widespread use of wireless networks has drawn attention to ascertain confidential communication and proper authentication of an entity before granting access to services over insecure channels. Recently, Truong et al. proposed a modified dynamic ID-based authentication scheme which they claimed to resist smart-card-theft attack. Nevertheless, we find that their scheme is prone to smart-card-theft attack contrary to the author's claim. Besides, anyone can impersonate the user as well as service provider server and can breach the confidentiality of communication by merely eavesdropping the login request and server's reply message from the network. We also notice that the scheme does not impart user anonymity and forward secrecy. Therefore, we present another authentication scheme keeping apart the threats encountered in the design of Truong et al.'s scheme. We also prove the security of the proposed scheme with the help of widespread BAN (Burrows, Abadi and Needham) Logic.

Keywords

1. Introduction

Now-a-days, various services and an intended communication with some distant entity is just a click away due to fast growing technological advancement. It has created tremendous opportunities in the market and imparted a great deal of convenience to the users. However, this entire Internet based set-up demands for proper security, confidentiality and authenticity to provide transparency and avoid deceit in transactions carried over insecure network. To achieve such goals, many encryption schemes [1-4] have been proposed. Remote user authentication schemes are capable to fulfill this demand efficiently due to provisions like user authentication, mutual authentication and confidential communication between the participants.

The origin of user authentication schemes goes back to 1981 when Lamport [5] proposed a method for password authentication with insecure network. Subsequently, many password-based authentication schemes [6-13] were presented. However, most of these schemes deployed the static identity of the user. In practice, static identity is not preferable in many scenarios such as financial matters and applications requiring high level security also need that user be kept anonymous. This gave invent to the concept of dynamic identity by Das [14] in terms of a user authentication scheme based on the concept of dynamic identity. Das’s scheme attracted many researchers [15-20] to analyze the new proposal. In 2012, Chen et al. [21] presented a password authentication scheme, they claimed it to withstand lost smart card attack and provide mutual authentication. However, we observe a number of attacks in their scheme such as insider, impersonation, DoS and password guessing attack. Besides, it still suffers from lost smart card attack and lack of user anonymity, confidential communication, forward secrecy and other important characteristics. In 2012, Lee [20] observed that Das’s scheme is susceptible to impersonation and guessing attacks. Lee also proposed a scheme to resist these attacks. Recently, Wen et al. [22] and Truong et al. [23] independently highlighted some security problems on Lee’s scheme in view of the researches by Kocher et al. [24] and Messerges et al. [25] over the security of smart cards. They showed that in Lee’s scheme, a legal user of the system can impersonate the other users as well as the server without knowing the information stored in user’s smart card; and anyone can guess user’s password by extracting the secrets stored in user’s smart card. Truong et al. also revealed that Lee’s scheme achieves only one way authentication at the server side and cannot establish the session key essential for confidential communication. Therefore, Truong et al. presented an improved version [23] of Lee’s scheme [20].

1.1 Threat Model

Throughout this paper, we abide by the following threat model. An adversary can extract from smart card the information stored in it by analyzing its power consumption report. An adversary is capable of eavesdropping the communications carried between the user and the server over public channel and can alter or resend these messages. But an adversary cannot guess the password and identity concurrently in real polynomial time.

1.2 Our contribution

In this paper, we study Truong et al.’s user authentication scheme based on the concept of dynamic identity, analyze the extent to which it maintains the merits and improves the weaknesses of Lee’s scheme, identify its demerits, and finally put forward a scheme with better performance. We observe that Truong et al.’s scheme preserves the advantages of Lee’s scheme, like resistance to replay and stolen verifier attacks, and provision of freely password update facility to its users. We find that Truong et al.’s scheme extends the unilateral authentication to mutual authentication by adding three-way challenge response mechanism, adds the feature of session key, offers efficient login and password change phase by incorporating a verification mechanism in smart card, and mended the privileged insider attack. Thus, Truong et al.’s scheme improves Lee’s scheme as just mentioned. However, we find that Truong et al.’s scheme fails to justify authors’ assertion that their scheme is secure under smart-card-theft situation since the situation leads to the guessing of user’s password. Besides, their scheme is weak to resist the impersonation attacks and cannot provide confidential communication. In fact, an adversary can not only masquerade as a registered user and the authorized server but can also read the confidential communication by computing the agreed session key. Consequently, mutual authentication fails even after employing three-way challenge response mechanism and user anonymity is not achieved though the smart card computes different identity for each session. Therefore, at many places Truong et al.’s scheme falls short to improve Lee’s scheme. Further, the established session key in their scheme does not provide forward secrecy. Hence, we find enough scope of improvement in Truong et al.’s scheme. Eventually, we propose an authentication scheme keeping the merits and enhancing the security aspects of Truong et al.’s scheme. We make use of the elliptic curve cryptography (ECC) [26-27] to provide forward secrecy and try our best to overcome the aforementioned security weaknesses.

1.3 Organization of the remaining paper

Section 2 gives reviewof scheme by Truong et al. and Section 3 is about its cryptanalysis. Section 4, deals with preliminaries necessary useful in this paper and also presents the proposed scheme. Sections 5 & 6 pertain to conventional and BAN-logical security analysis respectively, of our scheme. Section 7 & 8 are for comparision and conclusion.

 

2. Review of Truong et al.’s Scheme

Here follows Table 1for notations useful for this paper:

Table 1.A detailed description of Truong et al.’s scheme is as follows:

2.1 Registration Phase

This phase is about the registration of U with S, for which the following steps are executed by both the entities:

2.2 Login Phase

This phase is conducted over a public channel. For the purpose of login and obtaining services from S, U computes her/his login request as follows:

2.3 Mutual Authentication & Session Key Agreement Phase

This phase is conducted over a public channel. First of all S performs the following after receiving {CIDi, Bi, Ci, ei} from U:

2.4 Password Update Phase

This phase is to facilitate the user to update his password at its will for which U executes the following steps:

 

3. Cryptanalysis of Truong et al.’s Scheme

Since the login and mutual authentication & key agreement phase take place on the public channel, therefore, messages transmitted in these phases are available for interception by an adversary E. Moreover, the information stored in user’s smart card can be retrieved [24,25]. Besides, the secret key of user/server may leak. In the light of the aforementioned scenario, we present the security problems of Truong et al.’s scheme.

3.1 Security Breaches through Login Request Interception

We reveal that Truong et al.’s scheme is frail in case E intercepts the login request of any user. The listing and the discussion of various security problems of Truong et al.’s scheme are given below:

Identity guessing attack: Suppose an adversary E intercepts the login request {CIDi, Bi, Ci, ei} of U. Then he efforts to reveal the identity of the user. E guesses IDi* and computes Ri*=CIDi⊕IDi*, (h(x || ei))*= Bi⊕Ri*and Ci*= h[IDi*|| Ri*|| (h(x || ei))*]. Checks if Ci is equal to Ci*, if not then E repeats the procedure with another guess for user’s identity. However, the correct match yields the correct identity IDi along with correct nonce Ri and the secret h(x || ei). Thus, User anonymity is not provided by the scheme. This defect is due to the violation of the public-key principle proposed in [38]: under the non-tamper-resistance assumption of smart cards, no scheme can achieve user anonymity without employing public-key techniques.

User impersonation attack: As discussed above, an adversary E can possess IDi and h(x || ei) of U by intercepting {CIDi, Bi, Ci, ei} of U. Then E is capable of impersonating U at any time as described below:

Server impersonation attack: An adversary E possessing IDi, h(x || ei) and ei of U can easily recognize the login request {CIDi, Bi, Ci, ei} of U due to the presence of ei. E can cheat U by masquerading as S in the following way:

Attack on confidential communication: The adversary E having IDi, h(x || ei) and ei corresponding to the user U can intercept messages {CIDi, Bi, Ci, ei} and {Ks, Vs} from the open network. Then E can recover Ri and Rs by computing Ri=Bi⊕h(x || ei) and Rs= Ks⊕ h(IDi|| Ri) respectively. Further, E is able to compute SessK= h(Ri|| h(x || ei) || Rs) established between U and S. Consequently, E can read the confidential messages exchanged between U and S.

Password guessing attack via smart card loss/theft: An adversary E can maintain a record of the intercepted login requests of many users. If E steals/finds the lost smart card of some user, supposeU, then he can extract [24-25] the values {Ai, Li, ei, ri, h(.)} stored in it. E can easily match this smart card with the corresponding login request {CIDi, Bi, Ci, ei} from the record due to the presence of the common value ei. Then E can obtain the identity IDi and secret h(x || ei) of U by applying identity guessing attack as explained earlier. Now E can proceed to guess the password of U in the following way. E guesses PWi* as U’s password and computes Li*= h[IDi|| h(PWi*|| ri) || h(x || ei)]. If E finds Li*= Li, it implies that the guess PWi* is correct; or else he repeats the process with some other guess. In this way, the scheme fails to resist the smart card theft attack. For a comprehensive taxonomy of smart-card-loss-based password guessing attacks, readers are referred to [39].

3.2 Lack of Forward Secrecy

An authentication scheme satisfies the forward secrecy when the security of the session keys established in previous sessions is not affected due to revelation of the secret keys of the participant entities (server’s secret key/user’s password). In case the secret key x of S is disclosed, E can intercept the login request {CIDi, Bi, Ci, ei} and response message {Ks, Vs} related to a user, suppose U. Then E can easily compute h(x || ei) and hence can obtain Ri=Bi⊕h(x || ei), IDi= CIDi⊕Ri and Rs= Ks⊕ h(IDi|| Ri). Finally, E computes the session key SessK= h(Ri|| h(x || ei) || Rs) which is to be established between U and S. In the same way, E can reveal the previously established session keys using already intercepted pair of login request and response message. Thus, forward secrecy is not available in the scheme.

 

4. The Proposed Scheme

Before presenting our scheme, we give a concise information about an elliptic curve along with its computational problems [26-27] and an important remark related to the proposed scheme.

Preliminary: Elliptic Curve Cryptography (ECC): In (ECC), the elliptic curve equation is given by Ep(a, b) : y2 = x3 + ax + b (mod p) over a finite field Fp of prime order p > 3, where, a, b∈ Fp and 4a3 + 27b2 ≠ 0 (mod p). For an integer r∈Fp* and a point P∈Ep(a, b), the elliptic curve point multiplication r·P over Ep(a, b) is defined as r·P = P +P +...+P (r times). Here follow two intractable problems:

Now, we present our scheme in which security troubles discussed in previous Section have no existance. Summary of the proposed scheme is in Fig. 1.

Fig. 1.The Proposed Scheme

Remark 1: Suppose we want to apply bitwise XOR between two numbers of diverse lengths. This can be done as per the details in [40]. First pad the smaller number with leading zeros to make its length equal to the length of the larger number. Afterwards, we can bitwise XOR the two numbers. For instance, let x and y be two numbers of 128-bit and 64-bit length respectively. First pad y with leading 64 zeros so that the resulting number is of 128-bit length. Now, x and y can be XORed bitwise to give an outcome of 128-bit length. In this way, two numbers of diverse lengths can be XORed bitwise [40-41].

4.1 Initial phase

S selects a large prime number p and the base point P∈Ep with very large prime order n, i.e., n·P = Θ and P ≠ Θ. S also selects a cryptographic one-way hash function h(.) and makes {Ep, P, Fp} public.

4.2 Registration Phase

This phase is about the registration of U with S, for which both the entities perform the steps as given below:

4.3 Login Phase

This phase is conducted over a public channel. To login S to obtain services, U computes her/his login request:

4.4 Mutual Authentication & Session Key Agreement Phase

This phase is conducted over a public channel. It is about achieving mutual authentication and session key agreement between U and S. First of all, S executes the following steps after receiving {CIDi, Ci, ei} from U:

4.5 Password Update Phase

This phase is to facilitate the user to update her/his password at its will for which U executes the following steps:

 

5. Security Analysis of the Proposed Scheme

This section measures the strength of our scheme in the scenario for which Truong et al.’s scheme is shown vulnerable. First of all, we show the key improvements done in our scheme over Truongs' scheme. Then we discuss the Security features of our scheme in detail. Further, we highlight the features which the proposed scheme inherits from Truong et al.’s scheme.

5.1 Key Improvements in Our Scheme over Truongs' Scheme

5.2 Security Features of the Proposed Scheme

5.2.1 Provision of User Anonymity

E can intercept the login request {CIDi, Ci, ei} of U. But to guess the identity IDi of U using CIDi = h[h(x || ei)] ⊕ (IDi || Ri· P) and Ci, he needs Ri· P which is not available. Further, E cannot verify the guessed value of U’s identity since CIDi involves h[h(x || ei)] whereas Ci = h[IDi || h(x || ei) || Ri· P] involves h(x || ei). It is not feasible to obtain h(x || ei) from h[h(x || ei)] due to one-way property of hash functions. Further, since IDi is protected by one-way hash function in user’s SC, so E cannot recover U’s IDi even if he obtains U’s SC and extracts the information stored in it. Moreover, SC and the login request of U do not contain any identical value using which these two can be matched and prove helpful to trace the user’s identity. Thus, the user anonymity is provided by the proposed scheme.

5.2.2 Resistance to Impersonation Attacks

To impersonate U, E should possesses U’s identity IDi and the shared secret h(x || ei). Although, every login request {CIDi, Ci, ei} of U contains the random number ei in plaintext but without knowing the secret key x of the server, E cannot compute h(x || ei). It is not possible to obtain h(x || ei) or IDi from Ci = h[IDi || h(x || ei) || Ri· P] due to one-way property of hash functions. Further, E cannot recover U’s identity IDi as mentioned in subsection 5.2.1. For similar reason, E cannot cheat U by masquerading as S. Without having h(x || ei), E cannot recover IDi and Ri· P from CIDi = h[h(x || ei)] ⊕ (IDi || Ri· P). Hence E cannot compute justifiable Vs to send a valid response message corresponding to an intercepted and blocked login request of U. So, the scheme resists user (server) impersonation attacks.

5.2.3 Provision of Confidential Communication

In order to compute SessK = h[Ri · (Rs· P) || h(x || ei) || IDi] = h[Rs · (Ri· P)* || h(x || ei) || IDi*], an adversary E must possess the following values: IDi, h(x || ei), Ri, Rs &(Ri· P). It is clear from the previous subsections that E has no way to obtain IDi or/and h(x || ei). Besides, E cannot gain Ri· P from CIDi = h[h(x || ei)] ⊕ (IDi || Ri· P) by intercepting a login request unless he possess the correct h(x || ei). Although, Rs· P is available in plaintext through S’s response message {Rs· P, Vs} travelling over the public channel, E cannot find Rs from Rs· P owing to ECDLP. Further, it is not feasible to recover SessK from Mi = h[SessK || h(x || ei) || IDi] traversing the public channel due to one-way property of hash function [42-43]. Hence, the proposed scheme ensures confidential communication.

5.2.4 Resistance to Smart Card Loss /Password Guessing Attack

Consider the situation when E finds the lost SC of U and extracts [24-25] the information {Ai, Li, Qi, Pi, h(.)} stored in it. But U’s password is protected by the one-way property of hash function in each of Ai, Li, Qi and Pi. To correctly guess and verify PWi, E requires the knowledge of IDi, ri, and h(x || ei). Further, the random number ri is not stored in plaintext in SC so E is not at ease to guess PWE and compute h(PWE || ri) in order to identify U’s password. To get ri from Pi, E should know U’s IDi as well as PWi. For similar reasons, E cannot obtain U’s identity IDi or secret value h(x || ei) from SC. Further, it is not possible to guess U’s password from an intercepted login request {CIDi, Ci, ei} as all its constituent values are independent of PWi. A lost or stolen SC of U is not useful for guessing PWi or gaining any other value of interest.

5.2.5 Provision of Perfect Forward Secrecy

Assuming the situation of the disclosure of S’s secret key x, E can intercept the login request {CIDi, Ci, ei} of U and can easily compute h(x || ei). But, to compute an agreed session key SessK = h[Ri · (Rs· P) || h(x || ei) || IDi], the adversary E also needs IDi, Ri, Rs &(Ri· P). However, E has no way to obtain IDi as explained in subsection 5.2.1. Besides, E cannot gain Ri· P from CIDi = h[h(x || ei)] ⊕ (IDi || Ri· P) by intercepting a login request unless he possess IDi. Although, E can get Rs· P from the network, E cannot obtain Rs from Rs· P due to ECDLP. Alternately, if U’s password PWi as well as identity IDi are disclosed then E requires the corresponding SC. By extracting Pi and Ai from SC, E can obtain ri and h(x || ei) by computing ri = Pi ⊕ h(IDi || PWi) and h(x || ei) = Ai ⊕ h[IDi || h(PWi || ri)] respectively. E can get CIDi from the network and can also gain Ri· P as (IDi || Ri· P) = CIDi ⊕ h[h(x || ei)]. But, E still cannot compute SessK in the absence of Rs. Thus, even after possessing SC, IDi and PWi, the adversary cannot compute the established SessK. Hence, the scheme provides perfect forward secrecy.

5.2.6 Provides Mutual Authentication

S verifies the legitimacy of U in two stages: firstly by verifying the equivalence Ci = h[IDi* || h(x || ei) || (Ri· P)*] and secondly by verifying the equivalence Mi = h[SessK || h(x || ei) || IDi*]. U verifies the legitimacy of S by checking the equivalence Vs = h[Rs· P || h(x || ei) || (Ri· P) || IDi]. In addition to hold or retrieve the values IDi or h(x || ei), E should also possess Ri· P & Ri in order to compute a valid reply message {Rs· P, Vs= h[Rs· P || h(x || ei) || (Ri· P)* || IDi*]} like S and a valid challenge response Mi = h[SessK || h(x || ei) || IDi] with SessK = h[Ri · (Rs· P) || h(x || ei) || IDi] like U. But only U knows the value Ri· P and only S can retrieve it from CIDi = h[h(x || ei)] ⊕ (IDi || Ri· P) received in a login request. Moreover, no one can obtain Ri from Ri· P due to ECDLP. As a result, no one except the valid user and the valid server can prove its legitimacy else it is detectable and results in disruption of the session. Furthermore, no one can impersonate any legal participant of the scheme (as discussed in subsection 5.2.2) and the established session key ensures confidential communication (as discussed in subsection 5.2.3 and 5.2.5). Thus, our scheme offers proper mutual authentication.

5.2.7 Merits Inherited from Truong et al.’s Scheme

 

6. Security Proof of the Proposed Scheme using BAN-Logic

We conduct the security analysis of our proposed scheme using Burrows-Abadi-Needham Logic (BAN-logic) [46]. We show that the scheme allows a user to establish a session key with the server near the end of the authentication process. Let Uand S be the user, and the server respectively. The three elementary items of BAN-logic are statements/formulas, principals and encryption keys. Let Y & X are symbols for statements, Q & P are symbols for principals, and K is symbol for cryptographic encryption key. Basic logic notations of BAN-logic needed to analyze our scheme is given below:

♦ P |≡ X: P believes X.

♦ P ⊲X: P sees/receives X.

♦ P |~X: P once said X (or P sent X).

♦ P |⇒X: P controls X.

♦ #(X): X is fresh.

♦ : P and Q communicate using shared key K.

♦ (X): The hashed value of X.

♦ (X,Y)K: Take hash of X and Y using K as key.

♦ X,Y>Y: Combine X and Y using Y.

♦ SessK: Session key for current authentication session

Some basic BAN-logic postulates are as mentioned below:

♦ Message meaning rule:

♦ Nonce-verification rule:

♦ Jurisdiction rule:

♦ Freshness rule:

♦ Believe rule:

The proposed scheme should satisfy the following goals:

♦ Goal1:

♦ Goal2:

♦ Goal3:

♦ Goal4:

The scheme in idealized form in terms of the messages exchanged is given below:

♦ Message1:

♦ Message2:

♦ Message3:

Here, we make initial state assumptions pertaining to the scheme:

♦ A1:

♦ A2:

♦ A3:

♦ A4: S|≡ # (Ri∙P)

♦ A5: U|≡ # (Rs∙P)

♦ A6:

♦ A7:

♦ A8:

Now, we will utilize BAN-logic postulates and rules to show that U&S successfully share a common session key SessK to ensure confidential communication.

♦ From Message1, we have

♦ From (1), A3and the message meaning rule, we get

♦ From A4and the freshness-conjuncatenation rule, we obtain

♦ From (2), (3) and the nonce-verification rule, we deduce

♦ From (4) and believe rule, we infer

♦ From A6, (5) and jurisdiction rule, we have

♦ From A7, (6) and jurisdiction rule, we have

♦ From Message2, we have

♦ From (9), A2and the message meaning rule, we obtain

♦ From A5,and the freshness-conjuncatenation rule, we infer

♦ From (10), (11) and the nonce-verification rule, we deduce

♦ From (12) and believe rule, we get

♦ From A1, A2, A8, goal2and the jurisdiction rule, we obtain

♦ From Message3, we have

♦ From (13), A3and the message meaning rule, we infer

♦ From (7), (8),A4and the freshness-conjuncatenation rule, we deduce

♦ From (14), (15) and the nonce-verification rule, we obtain

♦ From (16) and the believe rule, we get

♦ From (7), A7, Goal4 and the jurisdiction rule, we obtain

According to Goal1, Goal2, Goal3and Goal4, we conclude that U(S) have trust that S(U) believes that the session key SessK between them is shared successfully.

 

7. Comparative Performance Analysis of the Proposed Scheme

This section analyzes the performance of the proposed scheme by comparing it with Truong et al.’s [23], Chen et al.’s [21] and Lee’s scheme [20].We present the comparative analysis at three levels:

Table 2.Comparison of memory capacity and communication cost

Table 3.th is the time complexity for computing one-way hash operation; tepm is the time complexity for computing elliptic curve point multiplication; teis the time complexity of exponential operation; tm is the time complexity of multiplication/division operation.

Table 4.N/A means not applicable

For the first two levels, we assume that the random numbers {ri, ei, etc}, the outcome of an elliptic curve point multiplication {Rs· P, Rs · (Ri· P), etc}, the outcome of exponential operation, the output of modular multiplication/division operation, and the output of one-way hash function {Ci, Vs, Mi, etc} are of 160 bits. It is clear from Table 2 that in our scheme SC does not require additional space in memory and the cost for communication is 160 bits lesser than needed in Truong et al’s and Chen et al.’s schemes. Thus, our scheme excels in performance at the first level.

To compare the computational complexity, we neglect the lightweight operations like exclusive-OR operation and string concatenation. Table 3 depicts the increment of one hash operation at the user side during registration phase from nil computational load in Lee’s and Chen et al.’s schemes to Truong et al.’s and our scheme. During the same phase, S operates only one hash function more than Truong et al.’s scheme whereas in Truong et al.’s scheme S operates two hash functions more than Lee’s scheme. Unlike Chen et al.’s scheme, our scheme is free from costly modular exponential function. At the user side during login-authentication phase, Truong et al.’s scheme uses four more hash operations than Lee’s scheme whereas our scheme uses one hash function and two elliptic curve point multiplication operations more than Truong et al.’s scheme. In the same phase, S operates only two elliptic curve point multiplication operations more than Truong et al.’s scheme and requires no additional hash operations. Only Chen et al.’s scheme uses multiplication/division operation and the time consuming exponential operation. If we look at the aggregate computational load, Truong et al.’s scheme uses ten more hash operations than Lee’s scheme whereas our scheme requires three hash operations and four elliptic curve point multiplication operations more than Truong et al.’s scheme. Although hash overhead is lowest in Chen et al.’s scheme, it is not lightweight due to the involvement of four exponential operations. Undoubtedly, the computational complexity of our scheme is more than that of schemes in [20,21,23] but it boosts the security to a considerable extent as is apparent from Table 4 and discussed below.

Although Truong et al.’s scheme improves upon insider attack applicable on Lee’s and Chen et al.’s schemes but stores the random numbers ri and ei directly in SC which leaves their scheme [23] vulnerable to smart card loss attack and allows an adversary to match a SC with the corresponding login request. Chen et al.’s scheme is also susceptible to smart card loss attack. Our scheme not only resists to insider attack but is also free from weaknesses just mentioned about Truong et al.’s and Chen et al.’s schemes. Truong et al.’s scheme falls short to remedy impersonation attacks and fulfill the requirement of confidential communication of Lee’s and Chen et al.’s schemes. Further, Truong et al.’s scheme is susceptible to password guessing attack via smart card loss as in Lee’s scheme; this attack is also applicable on Chen et al.’s scheme. Our scheme not only amends these security problems of Truong et al.’s and Chen et al.’s schemes but also retains all their merits as depicted in Table 4. Although our scheme employs complex elliptic curve point multiplication operation, it provides perfect forward secrecy which is an important ingredient of the security of the session key. It is noticeable that Chen et al.’s scheme fails to offer forward secrecy property though it uses complex exponential operation. In the absence of the forward secrecy, the established session key cannot guarantee the confidentiality of communication between the user and the server.

 

8. Conclusion

This paper is about the study of a newly proposed dynamic ID-based authentication scheme, and remedying its weaknesses. Our review has revealed that the scheme given by Truong et al. cannot withstand smart-card-theft attack as this situation facilitates the guessing of user’s password. We have also shown that their scheme fails to provide mutual authentication since an adversary can cheat any of the legal participant through impersonation. Further, it is showed that the established session key is inefficient to fulfill the purpose of confidential communication due to lack of forward secrecy and defies the aim of dynamic identity. In order to remove these drawbacks we have presented a scheme with refined security. We have shown the excellence of our scheme over the related schemes through security analysis and comparison.

References

  1. Z. Xia, X. Wang, X. Sun, and Q. Wang, “A Secure and Dynamic Multi-keyword Ranked Search Scheme over Encrypted Cloud Data,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 2, pp. 340-352, 2015. Article (CrossRef Link) https://doi.org/10.1109/TPDS.2015.2401003
  2. Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, “Enabling Personalized Search over Encrypted Outsourced Data with Efficiency Improvement,” IEEE Transactions on Parallel and Distributed Systems, 2015. Article (CrossRef Link)
  3. Z. Fu, X. Sun, Q. Liu, L. Zhou, and J. Shu, “Achieving Efficient Cloud Search Services: Multi-keyword Ranked Search over Encrypted Cloud Data Supporting Parallel Computing,” IEICE Transactions on Communications, vol. E98-B, no. 1, pp.190-200, 2015. Article (CrossRef Link) https://doi.org/10.1587/transcom.E98.B.190
  4. Y. Ren, J. Shen, J. Wang, J. Han, and S. Lee, “Mutual Verifiable Provable Data Auditing in Public Cloud Storage,” Journal of Internet Technology, vol. 16, no. 2, pp. 317-323, 2015. Article (CrossRef Link) https://doi.org/10.6138/JIT.2015.16.2.20140918
  5. L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, no. 11, pp. 770-772, 1981. Article (CrossRef Link) https://doi.org/10.1145/358790.358797
  6. G. Horng, “Password authentication without using password table,” Information Processing Letters, vol. 55, pp. 247-250, 1995. Article (CrossRef Link) https://doi.org/10.1016/0020-0190(95)00087-S
  7. J.K. Jan, and Y.Y. Chen, “Paramita Wisdom’ Password authentication scheme without verification tables,” The Journal of Systems and Software, vol. 42, pp. 45-57, 1998. Article (CrossRef Link) https://doi.org/10.1016/S0164-1212(98)00006-5
  8. P. Guo, J. Wang, B. Li, and S.Y. Lee, “A Variable Threshold-value Authentication Architecture for Wireless Mesh Networks,” Journal of Internet Technology, vol. 15, no. 6, pp. 929-936, 2014. Article (CrossRef Link)
  9. M.S. Hwang, and L.H. Li, “A New Remote User Authentication Scheme Using Smart Cards,” IEEE Transactions on Consumer Electronics, vol. 46, no.1, pp. 28–30, 2000. Article (CrossRef Link) https://doi.org/10.1109/30.826377
  10. X Li, J Niu, S Kumari, J Liao, and W Liang, “An enhancement of a smart card authentication scheme for multi-server architecture,” Wireless Personal Communications, vol. 80, no 1, pp. 175-192, 2015. Article (CrossRef Link) https://doi.org/10.1007/s11277-014-2002-x
  11. X. Li, J. Niu, M. K. Khan, J. Liao, and X. Zhao, “Robust three-factor remote user authentication scheme with key agreement for multimedia systems,” Security and Communication Networks, 2014. Article (CrossRef Link)
  12. M.S. Hwang, C.C. Lee, and Y.L. Tang, “A simple remote user authentication scheme,” Mathematical & Computer Modelling, vol. 36, pp. 103-107, 2002. Article (CrossRef Link) https://doi.org/10.1016/S0895-7177(02)00106-1
  13. C.C. Lee, and M.S. Hwang, and W.P. Yang, “Flexible remote user authentication scheme using smart cards,” ACM Operating Systems Review, vol. 36, pp. 46-52, 2002. Article (CrossRef Link) https://doi.org/10.1145/567331.567335
  14. M.L. Das, A. Saxena, and V.P. Gulati, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, vol. 50, no. 2, 629-631, 2004. Article (CrossRef Link) https://doi.org/10.1109/TCE.2004.1309441
  15. A.K. Awasthi, “Comment on a dynamic id-based remote user authentication scheme,” arXiv preprint cs/0410011, 2004.
  16. H.Y. Chien, and C.H. Chen, “A remote password authentication preserving user anonymity,” in Proc. of 19th International Conference on Advanced Information Networking and Applications (AINA’05), 2, 245-248, 2005. Article (CrossRef Link)
  17. W.C. Ku, and S.T. Chang, “Impersonation attacks on a dynamic ID-based remote user authentication scheme using smart cards,” IEICE Transactions on Communication, vol. E88-B, no. 5, pp. 2165-2167, 2005. Article (CrossRef Link) https://doi.org/10.1093/ietcom/e88-b.5.2165
  18. W. Shi and D. He, “A security enhanced mutual authentication scheme based on nonce and smart cards,” Journal of the Chinese Institute of Engineers, vol. 37, no. 8, pp.1090-1095, 2014. Article (CrossRef Link) https://doi.org/10.1080/02533839.2014.912785
  19. T.T. Truong, M.T. Tran, and A.D. Duong, “Enhanced dynamic authentication scheme (EDAS),” Information System Frontiers, vol. 16, no. 1, pp. 113-127, 2014. Article (CrossRef Link) https://doi.org/10.1007/s10796-013-9461-6
  20. Y.C. Lee, “A new dynamic id-based user authentication scheme to resist smart card theft attack,” Applied Mathematics and Information Sciences, vol. 6, pp. 355-361, 2012.
  21. B.L. Chen, W.C. Kuo, and L.C. Wuu, “Robust smart-card-based remote user password authentication scheme,” International Journal of Communication Systems, vol. 27, no. 2, pp. 377-389, 2014. Article (CrossRef Link) https://doi.org/10.1002/dac.2368
  22. F. Wen, D. Guo, and X. Li, “Cryptanalysis of a new dynamic id-based user authentication scheme to resist smart-card-theft attack,” Applied Mathematics and Information Sciences, vol. 8, no. 4, pp. 1855-1858, 2014. Article (CrossRef Link) https://doi.org/10.12785/amis/080443
  23. T.T. Truong, and M.T. Tran and A.D. Duong “Modified dynamic ID-based user authentication scheme resisting smart-card-theft attack,” Applied Mathematics and Information Sciences, vol. 8, no.3, pp. 967-976, 2014. Article (CrossRef Link) https://doi.org/10.12785/amis/080305
  24. P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Proc. of Advances in Cryptology (CRYPTO’99), 388-397, 1999. Article (CrossRef Link)
  25. T.S. Messerges, E.A. Dabbish, and R.H. Sloan, “Examining smart-card security under the threat of power analysis attacks,” IEEE Transactions on Computers, vol. 51, no. 5, pp. 541-552, 2002. Article (CrossRef Link) https://doi.org/10.1109/TC.2002.1004593
  26. N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, pp. 203-209, 1987. Article (CrossRef Link) https://doi.org/10.1090/S0025-5718-1987-0866109-5
  27. D. Hankerson, A. Menezes, and S. Vanstone, “Guide to elliptic curve cryptography,” LNCS, Springer: New York, 2004. Article (CrossRef Link)
  28. M.K. Khan, S.K. Kim, and K. Alghathbar, “Cryptanalysis and security enhancement of a ‘more efficient & secure dynamic id-based remote user authentication scheme,” Computer Communications, vol. 34, no. 3, 305-309, 2010. Article (CrossRef Link) https://doi.org/10.1016/j.comcom.2010.02.011
  29. S. Kumari, and M.K. Khan, “More secure smart card based remote user password authentication scheme with user anonymity,” Security and Communication Networks, 2013. Article (CrossRef Link)
  30. D. He, N. Kumar, H. Shen, and J.H. Lee, “One-to-many authentication for access control in mobile pay-TV systems,” Science China-Information Sciences, vol. 59, no. 5, pp. 1-14, 2016. Article (CrossRef Link) https://doi.org/10.1007/s11432-015-5469-5
  31. S. Kumari, and M.K. Khan, “Cryptanalysis and improvement of ‘A robust smart-card-based remote user password authentication scheme,” International Journal of Communication Systems, vol. 27, no. 12, pp. 3939-3955, 2012. Article (CrossRef Link) https://doi.org/10.1002/dac.2590
  32. D. He, N. Kumar, and N. Chilamkurti, “A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks,” Information Sciences, vol. 321, pp.263-277, 2015. Article (CrossRef Link) https://doi.org/10.1016/j.ins.2015.02.010
  33. D. He, and D. Wang, “Robust biometrics-based authentication scheme for multi-server environment,” IEEE Systems Journal, vol. 9, no. 3, pp.816-823, 2015. Article (CrossRef Link) https://doi.org/10.1109/JSYST.2014.2301517
  34. D. He, S Zeadally, N Kumar, and J.H. Lee, “Anonymous authentication for wireless body area networks with provable security,” IEEE Systems Journal, 2016. Article (CrossRef Link)
  35. X. Li, J. Niu, J. Liao, and W. Liang, “Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update,” International Journal of Communication Systems, vol. 28, no.2, pp.374-382, 2015. Article (CrossRef Link) https://doi.org/10.1002/dac.2676
  36. S. Kumari, M.K. Gupta, and M. Kumar, “Cryptanalysis and security enhancement of chen et al.’s remote user authentication scheme using smart card,” Central European Journal of Computer Science, vol. 2, no. 1, pp. 60-75, 2012. Article (CrossRef Link)
  37. S. Kumari, M.K. Gupta, M.K. Khan, and X. Li, “An improved timestamp-based password authentication scheme: comments, cryptanalysis and improvement,” Security and Communication Networks, vol.7, no.11, 1921-1932, 2014. Article (CrossRef Link) https://doi.org/10.1002/sec.906
  38. D. Wang, and P. Wang, “On the Anonymity of Two-Factor Authentication Schemes for Wireless Sensor Networks: Attacks, Principle and Solutions,” Computer Networks, vol. 73, pp. 41-57, 2014. Article (CrossRef Link) https://doi.org/10.1016/j.comnet.2014.07.010
  39. D. Wang, Q. Gu, H. Cheng and P. Wang, “The Request for Better Measurement: A Comparative Evaluation of Two-Factor Authentication Schemes,” in Proc. of the 11th ACM Asia Conference on Computer and Communications Security (AISACCS 2016), pp. 475-486. Article (CrossRef Link)
  40. K.M. Martin, “Everyday cryptography: Fundamental principles and applications,” Oxford University Press, Chapter 13, p. 495, 2012. Article (CrossRef Link)
  41. L. Zhang, S. Tang, and S. Zhu, “An energy efficient authenticated key agreement protocol for SIP-based green VoIP Networks,” Journal of Network and Computer Applications, vol.59, pp. 126-133, 2016. Article (CrossRef Link) https://doi.org/10.1016/j.jnca.2015.06.022
  42. Q. Jiang, J. Ma, G. Li, and X. Li. “Improvement of robust smart-card-based password authentication scheme,” International Journal of Communication Systems, vol. 28, no. 2, pp. 383-393, 2015. Article (CrossRef Link) https://doi.org/10.1002/dac.2644
  43. Q. Jiang, M. K. Khan, X. Lu, J. Ma, and D. He., “A privacy preserving three-factor authentication protocol for e-health clouds,” Journal of Supercomputing, 2016. Article (CrossRef Link)
  44. R. Canetti, and H. Krawczyk, “Analysis of key exchange schemes and their use for building secure channels,” in Proc. of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology-Eurocrypt 2001, pp. 453-473, 2001. Article (CrossRef Link)
  45. D. Wang, D. He, P. Wang, and C. Chu, “Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 4, pp. 228-44, 2015. Article (CrossRef Link) https://doi.org/10.1109/TDSC.2014.2355850
  46. M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,” ACM Transactions on Computer System, vol. 8, pp. 18-36, 1990. Article (CrossRef Link) https://doi.org/10.1145/77648.77649

Cited by

  1. A privacy preserving authentication scheme for roaming in ubiquitous networks vol.20, pp.2, 2016, https://doi.org/10.1007/s10586-017-0783-x
  2. Secure and Efficient User Authentication Scheme Based on Password and Smart Card for Multiserver Environment vol.2018, pp.None, 2016, https://doi.org/10.1155/2018/9178941