An Improved Lightweight Two-Factor Authentication and Key Agreement Protocol with Dynamic Identity Based on Elliptic Curve Cryptography

  • Qiu, Shuming (Elementary Educational College, Jiangxi Normal University) ;
  • Xu, Guosheng (School of CyberSpace Security, Beijing University of Posts and Telecommunications) ;
  • Ahmad, Haseeb (Department of Computer Science, National Textile University) ;
  • Xu, Guoai (School of CyberSpace Security, Beijing University of Posts and Telecommunications) ;
  • Qiu, Xinping (Jiangxi University of Finance and Economics) ;
  • Xu, Hong (High-Tech Research and Development Center, the Ministry of Science and Technology)
  • Received : 2018.04.10
  • Accepted : 2018.09.05
  • Published : 2019.02.28

Abstract

With the rapid development of the Internet of Things, the problem of privacy protection has received great attention. Recently, Nikooghadam et al. pointed out that Kumari et al.'s protocol can neither resist off-line guessing attack nor preserve user anonymity. Moreover, the authors also proposed an authentication protocol for the session initiation protocol (SIP), claiming that it resists various attacks. Unfortunately, this paper proves that the authentication protocols of Kumari et al. and Nikooghadam et al. can neither preserve perfect forward secrecy nor resist key-compromise impersonation attack. In order to remedy such flaws in their protocols, we design a lightweight authentication protocol using elliptic curve cryptography. By way of informal security analysis, it is shown that the proposed protocol can both resist a variety of attacks and provide more security. Afterward, it is also proved that the protocol is resistant against active and passive attacks under the Dolev-Yao model by means of Burrows-Abadi-Needham logic (BAN-Logic), and fulfills mutual authentication using the Automated Validation of Internet Security Protocols and Applications (AVISPA) software. Subsequently, we compare the protocol with related schemes in terms of computational complexity and security. The comparative analysis shows that the proposed protocol is more suitable for practical application scenarios.

1. Introduction

With the growing applications of cloud computing and multimedia services, the issue of communication privacy protection has gained more attention. To solve the privacy problem, numerous authentication and key agreement protocols have been presented [1-20]. In order to log in to the server, users execute the authentication process through the session initiation protocol (SIP). More precisely, SIP is a communication protocol that signals and controls multimedia communication sessions in practical applications, such as telecare medical information systems, distributed cloud computing environments, and internet telephony. Authentication and key agreement is a vital part of SIP. After the first authentication protocol was presented by Franks et al. in 1999 [21], many researchers analyzed and designed a lot of authentication and key agreement protocols based on the work of Franks et al. However, most of these schemes have at least one security weakness, such as the lack of perfect forward secrecy or vulnerability to off-line password guessing attack [22-25].

1.1 Related Work

Recently, Chang et al. [26] observed that Wang et al.'s protocol [27] is unable to resist impersonation attack and fails to provide user untraceability, because the identity is transmitted in the login request message. Moreover, Chang et al. [26] also pointed out that the password changing phase of Wang et al.'s protocol [27] has no verification step, implying that a legitimate user may no longer be able to access the remote server. In order to solve these problems, Chang et al. [26] presented a dynamic-identity based remote user authentication scheme that only uses a hash function and offers no session key agreement. In 2014, Kumari et al. [28] revealed that Chang et al.'s protocol [26] cannot resist off-line password guessing attack, impersonation attacks, etc. Further, Chang et al.'s protocol [26] is also subject to denial of service and cannot provide a session key. To eliminate these vulnerabilities in Chang et al.'s protocol [26], Kumari et al. [28] also designed an authentication protocol. However, in 2015 Chaudhry et al. [29] identified that Kumari et al.'s protocol [28] is still vulnerable to smart card stolen attack and cannot provide user anonymity. Subsequently, Chaudhry et al. [29] proposed an improved privacy-preserving remote user authentication scheme to remedy those flaws of Kumari et al.'s protocol [28]. But in 2016, Nikooghadam et al. [30] proved that the protocols of Kumari et al. [28] and Chaudhry et al. [29] are unable to resist off-line password guessing attacks. Afterward, Nikooghadam et al. [30] designed a new authentication protocol and asserted that it can both resist various attacks and provide user anonymity. But we remark that Nikooghadam et al.'s protocol [30] also has some flaws, including the lack of perfect forward secrecy and vulnerability to off-line password guessing attack. In fact, throughout the aforementioned protocols, the authors only used a one-way hash function to provide security.
Moreover, there exist several defects in the designs of these authentication protocols. Under these circumstances, it is impossible to preserve perfect forward secrecy and avoid some known attacks, such as impersonation attacks and off-line password guessing attack. In order to establish a secure shared key in an authentication scheme, public key cryptography, which can efficiently provide perfect forward secrecy and resist various known attacks according to [47-52], is considered the first choice; this includes elliptic curve cryptography (ECC), RSA, etc. Because elliptic curve cryptography is more efficient than RSA at the same security level, it is widely used in many special scenarios, especially for resource-constrained devices.

1.2 Contributions and Organization

In order to fill the aforementioned gaps, we present an improved authentication protocol with full security functionality. The contributions of this paper are as follows:

(1) We present a supplementary cryptanalysis of Kumari et al.’s protocol and point out that it is still vulnerable to key-compromise impersonation attack and is unable to provide perfect-forward-secrecy. Moreover, we also remark that Nikooghadam et al.’s protocol is unable to provide perfect forward secrecy and is also vulnerable to off-line password guessing attack and key-compromise impersonation attack.

(2) We establish a novel lightweight authentication protocol for SIP using ECC.

(3) By heuristic security analysis, we illustrate that the proposed protocol is immune to all known attacks. Moreover, the proposed protocol can provide more comprehensive security functions including perfect forward secrecy, dynamic identity, and anonymity, etc.

(4) Via AVISPA software simulation, we show that the improved protocol is SAFE against active and passive attacks, including replay and man-in-the-middle attacks, under the Dolev-Yao model [31].

(5) According to the BAN-Logic proof, we show that the user and the server can successfully authenticate each other mutually in the improved protocol.

(6) Compared with the related solutions, we remark that our protocol is more secure and more suitable for practical application scenarios.

The rest of this paper is organized as follows: attacker model and intractable problems are listed in Section 2. The protocol of Kumari et al. and its cryptanalysis is explained in Section 3. The protocol of Nikooghadam et al. and its cryptanalysis is provided in Section 4. The proposed scheme is presented in Section 5. The heuristic security analysis, simulation and security proof through AVISPA software and BAN-Logic are presented in Sections 6, 7 and 8, respectively. Security and performance comparisons are depicted in Section 9. Finally, the conclusion is summarised in Section 10.

2. Preliminaries

In this section, we introduce the capacities of the adversary of the authentication protocol. Some notations used in this paper are listed in Table 1.

2.1 Attacker model

According to [32-35], we summarize the capabilities of the attacker \(\mathcal{A}\) assumed throughout this paper as follows:

(1) According to [33,34], if \(\mathcal{A}\) steals the smart card of a user or is within the effective range of the smart card being attacked, \(\mathcal{A}\) may be able to obtain all the data stored in the smart card by using power analysis.

(2) Open channels are public, so all data transmitted on them are visible. Hence, \(\mathcal{A}\) has the capacity to eavesdrop on, delete, modify, insert, replay, and block the messages on public channels.

(3) According to [32,35], \(\mathcal{A}\) has the ability to guess the identity and password simultaneously in polynomial time. Thus, \(\mathcal{A}\) can traverse all pairs of identity and password in the dictionary space within polynomial time.

(4) According to [32,35], \(\mathcal{A}\) can either steal the password or get all the data from the user's smart card, but not both. If both are compromised by \(\mathcal{A}\) simultaneously, then any two-factor authentication protocol is insecure.

(5) When perfect forward secrecy [32,35] and key-compromise user impersonation attack are discussed, the long-term private key of the server may be leaked to \(\mathcal{A}\). Since perfect forward secrecy is the ultimate security property and key-compromise user impersonation attack is the ultimate attack, an authentication protocol that both provides forward secrecy and resists key-compromise user impersonation attack is a better protocol. When assessing any attack, key-compromise user impersonation attack in particular, it is assumed that the adversary cannot get the verifiers and the private key of the server simultaneously.

2.2 Intractable problems over ECC

Generally, let \(p\) be a secure prime number and \(F_{p}\) be a finite field; the elliptic curve used in ECC is defined by the following equation:

\(E_{p}(a, b): y^{2}=x^{3}+a x+b \pmod p \text{ over } F_{p} \text{ with } 4 a^{3}+27 b^{2} \neq 0 \pmod p\)

where \(a, b \in F_{p}\).

  • Elliptic curve discrete logarithm problem (ECDLP): Let \(P\) be a generator of \(E_{p}(a, b)\) and \(Q = xP\), where \(x \in_R F_{p}\). It is almost impossible for a probabilistic polynomial-time adversary \(\mathcal{A}_{PPT}\) to figure out the random number \(x\) satisfying \(Q = xP\).
  • Elliptic curve computational Diffie-Hellman problem (ECCDHP): Given \(x_{1}P, x_{2}P \in E_{p}(a, b)\), it is almost impossible for \(\mathcal{A}_{PPT}\) to figure out \((x_{1} x_{2})P\).

Table 1. Notations

 

3. A Brief Review and Supplementary Cryptanalysis of Kumari et al.’s Protocol

3.1 A brief introduction of Kumari et al.’s protocol

This part briefly describes Kumari et al.'s protocol [28]. We omit the password changing phase of their protocol. The registration phase and the login and authentication phase are introduced as follows.

3.1.1 Registration phase

User \(U_{i}\) selects an identity \(ID_{i}\) and a password \(PW_{i}\) in the dictionary space and picks a random number \(b\). First, \(U_{i}\) calculates \(RPW_{i} = h(b \| PW_{i})\) and sends \(\{ID_{i}, RPW_{i}\}\) to the server S over a secure channel. Second, once the registration request \(\{ID_{i}, RPW_{i}\}\) is received, S picks a random number \(y_{i}\) and calculates \(N_{i} = h(ID_{i} \| x) \oplus RPW_{i}\), \(Y_{i} = y_{i} \oplus h(ID_{i} \| x)\), \(D_{i} = h(ID_{i} \| y_{i} \| RPW_{i})\) and \(E_{i} = y_{i} \oplus h(y \| x)\). Subsequently, S sends \(N_{i}\) and a new smart card SC containing \(\{Y_{i}, D_{i}, E_{i}, h(\cdot)\}\) to \(U_{i}\). Finally, on receiving SC and \(N_{i}\) from the server, \(U_{i}\) computes \(A_{i} = (ID_{i} \| PW_{i}) \oplus b\) and \(M_{i} = N_{i} \oplus b\). Then, \(U_{i}\) stores \(\{A_{i}, M_{i}\}\) in SC. Thus, \(U_{i}\) obtains a smart card in which \(\{A_{i}, M_{i}, Y_{i}, D_{i}, E_{i}, h(\cdot)\}\) are stored.

3.1.2 Login and authentication phase

In this part, \(U_{i}\)(SC) and S execute the following steps for login and authentication:

(1) \(U_{i}\) inserts his smart card SC into the card reader and inputs the correct \(ID_{i}\) and \(PW_{i}\). Then, SC computes \(b = (ID_{i} \| PW_{i}) \oplus A_{i}\), \(RPW_{i} = h(b \| PW_{i})\), \(h(ID_{i} \| x) = M_{i} \oplus RPW_{i} \oplus b\), \(y_{i} = h(ID_{i} \| x) \oplus Y_{i}\) and \(D_{i}^{*} = h(ID_{i} \| y_{i} \| RPW_{i})\). Afterward, SC checks whether \(D_{i}^{*} = D_{i}\). After this verification succeeds, SC figures out \(h(y \| x) = y_{i} \oplus E_{i}\) and \(N_{i} = M_{i} \oplus b\). Subsequently, SC selects the current timestamp \(T_{i}\) and calculates \(CID_{i} = ID_{i} \oplus h(N_{i} \| y_{i} \| T_{i})\), \(N_{i}' = N_{i} \oplus h(y_{i} \| T_{i})\), \(B_{i} = N_{i} \oplus RPW_{i}\), \(C_{i} = h(N_{i} \| y_{i} \| B_{i} \| T_{i})\) and \(F_{i} = y_{i} \oplus (h(y \| x) \| T_{i})\). Finally, SC sends the login request message \(\{CID_{i}, N_{i}', C_{i}, F_{i}, T_{i}\}\) to S over a public channel.

 

(2) On receiving \(\{CID_{i}, N_{i}', C_{i}, F_{i}, T_{i}\}\) from SC, S verifies the timestamp \(T_{i}\) against the current time. Then S computes \(y_{i} = (h(y \| x) \| T_{i}) \oplus F_{i}\), \(N_{i} = N_{i}' \oplus h(y_{i} \| T_{i})\), \(ID_{i} = CID_{i} \oplus h(N_{i} \| y_{i} \| T_{i})\), \(B_{i}^{*} = h(ID_{i} \| x)\) and \(C_{i}^{*} = h(N_{i} \| y_{i} \| B_{i}^{*} \| T_{i})\). Afterward, S checks whether \(C_{i}^{*} = C_{i}\). If the equation does not hold, S rejects this request; otherwise, S selects the current timestamp \(T_{SS}\) and calculates \(a = h(B_{i}^{*} \| y_{i} \| T_{SS})\). Afterwards, S sends \(\{a, T_{SS}\}\) to SC.

(3) On receiving \(\{a, T_{SS}\}\) from S, SC verifies the timestamp \(T_{SS}\) against the current time. Then, SC figures out \(a^{*} = h(B_{i} \| y_{i} \| T_{SS})\) and checks whether \(a^{*} = a\).

(4) If the aforementioned steps are performed successfully, then \(U_{i}\) and S can figure out the common session key \(SK = h(B_{i} \| y_{i} \| T_{i} \| T_{SS} \| h(y \| x))\).

3.2 Vulnerability analysis of Kumari et al.’s protocol

In this subsection, we prove that the protocol of Kumari et al. [28] can neither resist key-compromise impersonation attack nor provide perfect forward secrecy, in addition to the vulnerabilities pointed out by Nikooghadam et al. [30].

3.2.1 Perfect-forward-secrecy

According to the analysis of Nikooghadam et al. [30], if a legitimate user \(U_{j}\) acts as an attacker and knows the long-term private key \(x\) of S, the malicious client \(U_{j}\) obtains the session key between \(U_{i}\) and S by performing the following steps.

(1) \(U_{j}\) computes \(b_{j} = (ID_{j} \| PW_{j}) \oplus A_{j}\), \(RPW_{j} = h(b_{j} \| PW_{j})\), \(h(ID_{j} \| x) = M_{j} \oplus RPW_{j} \oplus b_{j}\), \(y_{j} = Y_{j} \oplus h(ID_{j} \| x)\) and \(h(y \| x) = y_{j} \oplus E_{j}\).

(2) \(U_{j}\) extracts the values \(\{Y_{i}, M_{i}, A_{i}, D_{i}, E_{i}\}\) from \(U_{i}\)'s smart card and intercepts the login request message \(\{CID_{i}, N_{i}', C_{i}, F_{i}, T_{i}\}\) and the response message \(\{a, T_{SS}\}\) sent from S to \(U_{i}\).

(3) \(U_{j}\) calculates \(y_{i} = F_{i} \oplus (h(y \| x) \| T_{i})\), \(N_{i} = N_{i}' \oplus h(y_{i} \| T_{i})\), \(ID_{i} = CID_{i} \oplus h(N_{i} \| y_{i} \| T_{i})\) and \(B_{i} = h(ID_{i} \| x)\).

(4) Finally, Uj successfully computes the session key \(S K_{i}=h\left(B_{i}\left\|y_{i}\right\| T_{i}\left\|T_{s s}\right\| h(y \| x)\right)\).

3.2.2 Key-compromise-impersonation-attack

If a legitimate user \(U_{j}\) acts as an attacker and compromises the long term secret key x of S, then \(U_{j}\) executes the following steps to impersonate \(U_{i}\) to S .

(1) \(U_{j}\) computes \(b = (ID_{j} \| PW_{j}) \oplus A_{j}\), \(RPW_{j} = h(b \| PW_{j})\), \(h(ID_{j} \| x) = M_{j} \oplus RPW_{j} \oplus b\), \(y_{j} = Y_{j} \oplus h(ID_{j} \| x)\) and \(h(y \| x) = y_{j} \oplus E_{j}\).

(2) \(U_{j}\) extracts the values \(\{Y_{i}, M_{i}, A_{i}, D_{i}, E_{i}\}\) from \(U_{i}\)'s smart card and intercepts the login request message \(\{CID_{i}, N_{i}', C_{i}, F_{i}, T_{i}\}\).

(3) \(U_{j}\) computes \(y_{i} = F_{i} \oplus (h(y \| x) \| T_{i})\), \(N_{i} = N_{i}' \oplus h(y_{i} \| T_{i})\), \(ID_{i} = CID_{i} \oplus h(N_{i} \| y_{i} \| T_{i})\) and \(B_{i} = h(ID_{i} \| x)\).

(4) \(U_{j}\) selects a new legitimate timestamp \(T_{i}'\) and calculates \(CID_{i}' = ID_{i} \oplus h(N_{i} \| y_{i} \| T_{i}')\), \(N_{i}'' = N_{i} \oplus h(y_{i} \| T_{i}')\), \(C_{i}' = h(N_{i} \| y_{i} \| B_{i} \| T_{i}')\) and \(F_{i}' = y_{i} \oplus (h(y \| x) \| T_{i}')\).

(5) \(U_{j}\) transmits the forged login message \(\{CID_{i}', N_{i}'', C_{i}', F_{i}', T_{i}'\}\) to S.

(6) Once \(\{CID_{i}', N_{i}'', C_{i}', F_{i}', T_{i}'\}\) from \(U_{j}\) is received, S verifies \(T_{i}'\). If it is within range, S computes \(y_{i} = F_{i}' \oplus (h(y \| x) \| T_{i}')\), \(N_{i} = N_{i}'' \oplus h(y_{i} \| T_{i}')\), \(ID_{i} = CID_{i}' \oplus h(N_{i} \| y_{i} \| T_{i}')\), \(B_{i}^{*} = h(ID_{i} \| x)\) and \(C_{i}^{*} = h(N_{i} \| y_{i} \| B_{i}^{*} \| T_{i}')\). Afterwards, S verifies whether \(C_{i}^{*} = C_{i}'\); if these are equal, S chooses a timestamp \(T_{SS}\) and computes \(a' = h(B_{i}^{*} \| y_{i} \| T_{SS})\).

(7) S sends the response message \(\{a', T_{SS}\}\) to \(U_{j}\).

(8) Finally, S establishes the session key \(S K_{i}=h\left(B_{i}\left\|y_{i}\right\| T_{i}^{\prime}\left\|T_{\mathrm{ss}}\right\| h(y \| x)\right)\) with the malicious user \(U_{j}\).

4. Introduction and Cryptanalysis of Nikooghadam et al.’s Protocol

4.1 Review of Nikooghadam et al.’s protocol

4.1.1 Registration part

(1) \(U_{i}\) selects his identity \(ID_{i}\) and password \(PW_{i}\) in the dictionary space, and then picks a random number \(r\). Afterward, \(U_{i}\) computes \(MPW_{i} = h(ID_{i} \| r \| PW_{i}\)) and sends \(\{ID_{i}, MPW_{i}\}\) to S over a secure channel.

(2) Once the registration request \(\{ID_{i}, MPW_{i}\}\) is received, S chooses a random element \(N\) and calculates \(A_{i} = h(ID_{i} \| x)\), \(B_{i} = A_{i} \oplus MPW_{i}\) and \(MID_{i} = E_{x}(ID_{i} \| N)\). Then, S stores \(ID_{i}\) in its database and writes \(\{B_{i}, MID_{i}, E_{k}(\cdot), D_{k}(\cdot), h(\cdot)\}\) into a new smart card SC. Subsequently, S sends SC to \(U_{i}\).

(3) Finally, on receiving SC from the server, \(U_{i}\) inserts \(r\) into SC. Thus, \(U_{i}\) gets a smart card in which \(\{r, B_{i}, MID_{i}, E_{k}(\cdot), D_{k}(\cdot), h(\cdot)\}\) are stored.

4.1.2 Login & authentication part

Ui(SC) and S can finish login and authentication phase using the following steps:

(1) \(U_{i}\) inserts his smart card SC into the card reader and inputs \(ID_{i}\) and \(PW_{i}\). Then, SC computes \(A_{i} = B_{i} \oplus h(ID_{i} \| r \| PW_{i})\). Subsequently, SC selects a random element \(RN_{i}\) and the current timestamp \(T_{i}\), and computes \(M_{1} = E_{A_{i}}(ID_{i} \| RN_{i} \| T_{i} \| MID_{i})\). Finally, SC transmits the login request \(\{MID_{i}, M_{1}, T_{i}\}\) to S over a public channel.

(2) On obtaining \(\{MID_{i}, M_{1}, T_{i}\}\) from SC, S verifies the timestamp \(T_{i}\) against the current time. Then, S decrypts \(MID_{i}\) with its secret element \(x\) to get \((ID_{i} \| N)\), and figures out \(A_{i}^{*} = h(ID_{i} \| x)\) and \(D_{A_{i}^{*}}(M_{1}) = (ID_{i} \| RN_{i} \| T_{i} \| MID_{i})\). Afterwards, S selects random numbers \(RN_{S}\) and \(N^{New}\). Subsequently, S computes \(MID_{i}^{New} = E_{x}(ID_{i} \| N^{New})\) and \(M_{2} = E_{A_{i}^{*}}(MID_{i}^{New} \| RN_{S} \| ID_{i} \| RN_{i})\). Finally, S sends \(\{M_{2}\}\) to SC.

(3) On receiving \(\{M_{2}\}\) from S, SC decrypts \(M_{2}\) using \(A_{i}\) to obtain \((MID_{i}^{New} \| RN_{S} \| ID_{i} \| RN_{i})\) and verifies \(ID_{i}\) and \(RN_{i}\). Afterward, SC figures out \(M_{3} = h(RN_{S} \| MID_{i}^{New} \| RN_{i})\) and the session key \(SK = h(RN_{i} \| A_{i} \| RN_{S})\). Then, SC replaces \(MID_{i}\) with \(MID_{i}^{New}\). At last, SC sends the response \(M_{3}\) to S.

(4) After receiving \(M_{3}\), S figures out \(M_{3}^{*} = h(RN_{S} \| MID_{i}^{New} \| RN_{i})\) and checks whether \(M_{3}^{*} = M_{3}\). If these are equal, S computes \(SK = h(RN_{i} \| A_{i} \| RN_{S})\). Otherwise, S ends this session.

(5) Finally, Ui and S get the common session key \(S K=h\left(R N_{i}\left\|A_{i}\right\| R N_{S}\right)\).

4.2 Vulnerability analysis of Nikooghadam et al.’s protocol

4.2.1 Off-line password guessing attack

If \(\mathcal{A}\) gets the smart card \(SC_{i}\) of some user \(U_{i}\), then \(\mathcal{A}\) can obtain the useful data \(\{B_{i}, MID_{i}, r, E_{key}(\cdot)/D_{key}(\cdot), h(\cdot)\}\) in \(SC_{i}\) and intercept the request message \(\{MID_{i}, M_{1}, T_{i}\}\). Afterwards, \(\mathcal{A}\) is able to get the correct password and identity of \(U_{i}\) as follows:

(1) \(\mathcal{A}\) selects \(I D_{i}^{*}, P W_{i}^{*}\) as identity and password of Ui in the identity space \(\mathcal{D}_{I D}\) and password space \(\mathcal{D}_{P W}\).

(2) \(\mathcal{A}\) figures out \(A_{i}^{*}=B_{i} \oplus h\left(I D_{i}^{*}\|r\| P W_{i}^{*}\right)\).

(3) \(\mathcal{A}\) uses \(A_{i}^{*}\) to decrypt \(M_{1}\). If the decryption fails, then \(\mathcal{A}\) repeats steps (1), (2) and (3) until the decryption succeeds. Otherwise, \(\mathcal{A}\) calculates \(D_{A_{i}^{*}}(M_{1}) = (ID_{i} \| RN_{i} \| T_{i} \| MID_{i}^{*})\) and checks whether \(MID_{i}^{*} = MID_{i}\). If these are equal, it follows that \(ID_{i}^{*}, PW_{i}^{*}\) are the correct identity and password of user \(U_{i}\).

By observing the above steps, we find that two guessing factors are used in the login phase, namely \(A_{i}\) and \(MID_{i}\). \(A_{i}\) is the decryption key of \(M_{1}\). On successful decryption, \(\mathcal{A}\) continues to verify the second guessing factor transmitted through the open channel. Moreover, we can compute the time complexity of the guessing attack as \(O(|\mathcal{D}_{ID}| \cdot |\mathcal{D}_{PW}| \cdot (T_{h} + T_{S}))\), where \(T_{h}\) is the computational cost of one hash function computation, \(T_{S}\) is the computational cost of one symmetric encryption or decryption, and \(|\mathcal{D}_{ID}|\) and \(|\mathcal{D}_{PW}|\) denote the sizes of \(\mathcal{D}_{ID}\) and \(\mathcal{D}_{PW}\), respectively. Usually, \(|\mathcal{D}_{ID}|, |\mathcal{D}_{PW}| \leq 10^{6}\) [32,36,37].

Because of the low entropy of identity and password, \(\mathcal{A}\) can successfully get the correct identity and password of user Ui within a polynomial time.

4.2.2 Perfect-forward-secrecy

In the protocol of Nikooghadam et al. [30], if \(\mathcal{A}\) knows the long term secret key x of S, then \(\mathcal{A}\) can obtain the session key between Ui and S.

(1) \(\mathcal{A}\) eavesdrops on the login request message \(\{MID_{i}, M_{1}, T_{i}\}\) and the response message \(\{M_{2}\}\) of \(U_{i}\).

(2) \(\mathcal{A}\) decrypts \(M I D_{i}\) using the long term private key x of S, that is , \(D_{x}\left(M I D_{i}\right)=\left(I D_{i} \| N\right)\). Then, \(\mathcal{A}\) computes \(A_{i}^{*}=h\left(I D_{i} \| x\right)\).

(3) Afterward, \(\mathcal{A}\) decrypts \(M_{1}\) and \(M_{2}\) using \(A_{i}^{*}\), that is, \(D_{A_{i}^{*}}(M_{1}) = (ID_{i} \| RN_{i} \| T_{i} \| MID_{i})\) and \(D_{A_{i}^{*}}(M_{2}) = (MID_{i}^{New} \| RN_{S} \| ID_{i} \| RN_{i})\), respectively. Thus, \(\mathcal{A}\) obtains the values \(\{RN_{i}, h(ID_{i} \| x), RN_{S}\}\).

(4) Finally, \(\mathcal{A}\) successfully calculates the session key \(S K=h\left(R N_{i}\left\|h\left(I D_{i} \| x\right)\right\| R N_{S}\right)\).

4.2.3 Key compromise user impersonation attack

If \(\mathcal{A}\) compromises the long-term secret key x of S, then \(\mathcal{A}\) is able to execute the following steps to impersonate Ui to S.

(1) \(\mathcal{A}\) first gets the login message \(\{MID_{i}, M_{1}, T_{i}\}\) of \(U_{i}\). Then \(\mathcal{A}\) computes \(D_{x}(MID_{i}) = (ID_{i} \| N)\). Afterwards, \(\mathcal{A}\) computes \(A_{i}^{*} = h(ID_{i} \| x)\).

(2) \(\mathcal{A}\) chooses a new legitimate timestamp \(T_{i}'\). Then \(\mathcal{A}\) selects a random element \(RN_{i}'\) and figures out \(M_{1}' = E_{A_{i}^{*}}(ID_{i} \| RN_{i}' \| T_{i}' \| MID_{i})\).

(3) \(\mathcal{A}\) transmits the forged message \(\{MID_{i}, M_{1}', T_{i}'\}\) to S.

(4) Upon receiving \(\{MID_{i}, M_{1}', T_{i}'\}\) from \(\mathcal{A}\), S checks \(T_{i}'\). If it is invalid, S ends the session. Otherwise, S calculates \((ID_{i} \| N) = D_{x}(MID_{i})\), \(A_{i}^{*} = h(ID_{i} \| x)\) and \(D_{A_{i}^{*}}(M_{1}') = (ID_{i} \| RN_{i}' \| T_{i}' \| MID_{i})\). Afterwards, S chooses two random numbers \(RN_{S}'\) and \(N^{New\prime}\). Subsequently, S computes \(MID_{i}^{New\prime} = E_{x}(ID_{i} \| N^{New\prime})\) and \(M_{2}' = E_{A_{i}^{*}}(MID_{i}^{New\prime} \| RN_{S}' \| ID_{i} \| RN_{i}')\).

(5) S sends the challenge message { M2′ } to \(\mathcal{A}\).

(6) After getting the challenge message from S, \(\mathcal{A}\) calculates \(D_{A_{i}^{*}}\left(M_{2}^{\prime}\right)=\left(M I D_{i}^{N e w^{\prime}}\left\|R N_{s}^{\prime}\right\| I D_{i} \| R N_{i}^{\prime}\right)\). Then, \(\mathcal{A}\) verifies the validity of \(I D_{i}\) and \(R N_{i}^{\prime}\). If these are invalid, \(\mathcal{A}\) ends this attack. Otherwise, \(\mathcal{A}\) continues to calculate \(M_{3}^{\prime}=h\left(R N_{s}^{\prime}\left\|M I D_{i}^{N e w^{\prime}}\right\| R N_{i}^{\prime}\right)\).

(7) \(\mathcal{A}\) forwards the response message { M3′ } to S.

(8) On receiving the response message from \(\mathcal{A}\), S computes \(M_{3}^{*} = h(RN_{S}' \| MID_{i}^{New\prime} \| RN_{i}')\). Afterwards, S verifies whether \(M_{3}^{*} = M_{3}'\). If these are not equal, S terminates this session. Otherwise, S calculates the session key \(SK = h(RN_{i}' \| A_{i}^{*} \| RN_{S}')\) and believes that it has successfully established this session with the legitimate user. Actually, \(\mathcal{A}\) is "the legitimate user".

To sum up, the adversary successfully impersonates the legitimate user to S. Therefore, Nikooghadam et al.’s protocol fails to withstand such attack.

5. The Improved Protocol

According to the above cryptanalysis of Nikooghadam et al.'s protocol, first, the information \(\{B_{i}, r\}\) in the smart card and the symmetric encryption key \(A_{i}\) are used in the login request phase of their protocol, so that the attacker can perform off-line guessing. Second, their protocol does not employ public key cryptography, which is the key technology for preserving forward secrecy. Third, their protocol is incapable of resisting key-compromise impersonation attack, because it lacks an additional secret value. The main aim of this part is therefore to remove the weaknesses of Nikooghadam et al.'s protocol by using ECC and a few design tricks, and we present an improved lightweight authentication protocol using ECC. The improved protocol consists of four parts: the initialization part, the registration part, the login and authentication part and the password updating part. The registration part is depicted in Fig. 1 and the login and authentication part in Fig. 2.

 

Fig. 1. Registration part of User Ui

5.1 Initialization part

S chooses an elliptic curve \(E_{p}(a, b)\) over \(F_{p}\) as introduced in the Preliminaries. Then S picks a random element \(x \in F_{p}\) and a hash function \(H(\cdot)\). Subsequently, S calculates \(Q = xP\), where \(P\) is a generator of \(E_{p}(a, b)\). Lastly, S publishes the parameters \(\{E, Q, H(\cdot)\}\) and keeps \(x\) as its long-term secret key.

5.2 Registration part

(1) User \(U_{i}\) chooses \(Id_{i}\), \(Pw_{i}\) and a random element \(r\), and calculates \(H(Id_{i} \| r \| Pw_{i})\). Then, \(U_{i}\) secretly transmits the registration request \(\{Id_{i}, H(Id_{i} \| r \| Pw_{i})\}\) to S.

(2) S selects a random number \(T_{i}\) as the registration time of \(U_{i}\). Afterwards, S computes \(A_{i} = H(Id_{i} \| x \| T_{i})\) and \(B_{i} = A_{i} \oplus H(Id_{i} \| r \| Pw_{i})\). Subsequently, S picks a random element \(N\) and computes \(MId_{i} = H(Id_{i} \| N) \oplus A_{i}\). Lastly, S stores \(T_{i}\) in its database and distributes a new smart card \(SC = \{B_{i}, MId_{i}, P, Q, E_{k}(\cdot)/D_{k}(\cdot), H(\cdot)\}\) to \(U_{i}\).

(3) On receiving SC, user \(U_{i}\) inserts \(r\) into SC. Therefore, \(SC = \{r, B_{i}, MId_{i}, P, Q, E_{k}(\cdot)/D_{k}(\cdot), H(\cdot)\}\).

5.3 Login & authentication part

(1) \(U_{i}\) inserts his smart card into the card reader and inputs \(Id_{i}\) and \(Pw_{i}\). Subsequently, SC figures out \(A_{i} = B_{i} \oplus H(Id_{i} \| r \| Pw_{i})\) and picks a random element \(a\).

Afterwards, SC calculates \(C_{1} = aP\), \(C_{2} = aQ\), \(M_{0} = E_{C_{2}}(Id_{i} \| H(A_{i}) \| MId_{i})\) and \(M_{1} = H(Id_{i} \| C_{2} \| A_{i} \| MId_{i})\), and transmits \(\{C_{1}, M_{0}, M_{1}\}\) to S via a public channel.

 

Fig. 2. Login and authentication part

(2) On receiving \(\{C_{1}, M_{0}, M_{1}\}\), S computes \(C_{2}^{*} = xC_{1}\), \((Id_{i}^{*} \| H(A_{i}^{*}) \| MId_{i}^{*}) = D_{C_{2}^{*}}(M_{0})\) and \(A_{i} = H(Id_{i}^{*} \| x \| T_{i})\) (retrieving \(T_{i}\) from its database), and verifies whether \(H(A_{i}^{*}) = H(A_{i})\). If these are not equal, S terminates the login request. Otherwise, S computes \(M_{1}^{*} = H(Id_{i} \| C_{2} \| A_{i} \| MId_{i})\) and checks whether \(M_{1}^{*} = M_{1}\). If these are not equal, S aborts the session. Otherwise, S selects random numbers \(b\) and \(N^{new}\) and computes \(MId_{i}^{new} = H(Id_{i} \| N^{new}) \oplus A_{i}\), \(C_{3} = (MId_{i}^{new} \| b) \oplus H(A_{i} \| C_{2})\) and \(M_{2} = H(Id_{i} \| MId_{i}^{new} \| A_{i} \| C_{2} \| C_{3} \| b)\). Then, S sends \(\{C_{3}, M_{2}\}\) to \(U_{i}\) via a public channel.

(3) After receiving \(\{C_{3}, M_{2}\}\), SC figures out \((MId_{i}^{new} \| b) = C_{3} \oplus H(A_{i} \| C_{2})\) and \(M_{2}^{*} = H(Id_{i} \| MId_{i}^{new} \| A_{i} \| C_{2} \| C_{3} \| b)\), and checks whether \(M_{2}^{*} = M_{2}\). If these are not equal, SC terminates this session. Otherwise, SC computes \(SK = H(Id_{i} \| C_{2} \| b \| A_{i} \| MId_{i}^{new})\) and \(M_{3} = H(MId_{i}^{new} \| SK \| Id_{i} \| A_{i})\), and replaces \(MId_{i}\) with \(MId_{i}^{new}\). Finally, SC transmits \(M_{3}\) to S via a public channel.

(4) Upon obtaining M3, S calculates the session key \(SK=H\left(Id_{i}\left\|C_{2}\right\| b\left\|A_{i}\right\| MId_{i}^{new}\right)\), then computes \(M_{3}^{*}=H\left(MId_{i}^{new}\|SK\| Id_{i} \| A_{i}\right)\) and checks \(M_{3}^{*}=? M_{3}\). If these are not equal, S ends this session. Otherwise, S accepts this session and the session key SK.

5.4 Password updating part

After Ui and S have completed the authentication and the session key SK has been established, Ui can renew his/her password at will. First, Ui inputs his/her identity Idi, old password Pwi and new password \(Pw_{i}^{new}\). Then, SC computes

\(B_{i}^{n e w}=B_{i} \oplus H\left(I d_{i}\|r\| P w_{i}\right) \oplus H\left(I d_{i}\|r\| P w_{i}^{n e w}\right)\).

Finally, SC replaces Bi with \(B_{i}^{n e w}\).
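The login and authentication part above (steps 1 to 4) and the password update of Section 5.4, run end to end as an added Python example; this is not the paper's code. Its assumptions are labelled in the comments: secp256k1 with a textbook double-and-add stands in for the unspecified curve, H(·) is SHA-256, E_k/D_k is an unauthenticated SHA-256 keystream stand-in, the pad H(Ai||C2) is widened to 64 bytes so that it covers MIdi^new||b, the plaintext of M0 uses a fixed-length layout, and the initial MIdi and the server's per-user Ti are generated at registration.

```python
import hashlib
import secrets

P_MOD = 2**256 - 2**32 - 977   # secp256k1 (assumption: the paper fixes no curve)
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):                                   # affine point addition, None = infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P + (-P) = point at infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):                                    # textbook double-and-add, k*pt
    acc = None
    while k:
        acc = ec_add(acc, pt) if k & 1 else acc
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def H(*parts):                                        # H(.) := SHA-256, || := concatenation
    return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def E(key, msg):     # stand-in for E_k/D_k: SHA-256 counter keystream (XOR, so D == E)
    ks = b"".join(H(key, i.to_bytes(4, "big")) for i in range(len(msg) // 32 + 1))
    return xor(msg, ks[:len(msg)])

class Server:
    def __init__(self):
        self.x = secrets.randbelow(N_ORD - 1) + 1    # long-term private key x
        self.Q = ec_mul(self.x, G)                   # public key Q = xP
        self.table = {}                              # Id_i -> secret T_i (Remark, item 3)
    def register(self, Id, hpw):                     # user sent {Id_i, h(Id_i||r||Pw_i)}
        self.table[Id] = secrets.token_bytes(32)
        A = H(Id, self.x.to_bytes(32, "big"), self.table[Id])          # A_i = H(Id_i||x||T_i)
        return xor(A, hpw), xor(H(Id, secrets.token_bytes(32)), A)     # B_i, initial MId_i
    def on_login(self, C1, M0, M1):                  # step (2)
        C2 = b"".join(c.to_bytes(32, "big") for c in ec_mul(self.x, C1))   # C2* = xC1 (= aQ)
        plain = E(C2, M0)
        Id, HA, MId = plain[:16], plain[16:48], plain[48:80]   # Id_i||H(A_i)||MId_i layout
        A = H(Id, self.x.to_bytes(32, "big"), self.table.get(Id, b""))  # unknown Id_i fails below
        if HA != H(A) or M1 != H(Id, C2, A, MId):    # H(A*) =? H(A), M1* =? M1
            return None
        b, MId_new = secrets.token_bytes(32), xor(H(Id, secrets.token_bytes(32)), A)  # N^new inline
        C3 = xor(MId_new + b, hashlib.sha512(A + C2).digest())   # pad H(A_i||C_2) widened to 64 bytes
        M2 = H(Id, MId_new, A, C2, C3, b)
        return C3, M2, (Id, C2, A, b, MId_new)       # third item: server-side session state
    def on_confirm(self, state, M3):                 # step (4)
        Id, C2, A, b, MId_new = state
        SK = H(Id, C2, b, A, MId_new)
        return SK if M3 == H(MId_new, SK, Id, A) else None

class SmartCard:
    def __init__(self, Id, pw, r, B, MId, Q):
        self.Id, self.pw, self.r, self.B, self.MId, self.Q = Id, pw, r, B, MId, Q
    def login(self):                                 # step (1): returns C1, M0, M1
        A = xor(self.B, H(self.Id, self.r, self.pw))
        a = secrets.randbelow(N_ORD - 1) + 1
        C2 = b"".join(c.to_bytes(32, "big") for c in ec_mul(a, self.Q))    # C2 = aQ
        self.state = (A, C2)
        return ec_mul(a, G), E(C2, self.Id + H(A) + self.MId), H(self.Id, C2, A, self.MId)
    def on_response(self, C3, M2):                   # step (3): returns M3, SK
        A, C2 = self.state
        plain = xor(C3, hashlib.sha512(A + C2).digest())
        MId_new, b = plain[:32], plain[32:]
        if M2 != H(self.Id, MId_new, A, C2, C3, b):
            return None
        SK = H(self.Id, C2, b, A, MId_new)
        self.MId = MId_new                           # replace MId_i with MId_i^new
        return H(MId_new, SK, self.Id, A), SK
    def change_password(self, new_pw):               # Section 5.4: card-local update only
        self.B = xor(xor(self.B, H(self.Id, self.r, self.pw)), H(self.Id, self.r, new_pw))
        self.pw = new_pw

def run_session(card, server, tamper=False):        # one login-authentication run
    C1, M0, M1 = card.login()
    if tamper:                                       # constructed: flip one bit of M1 in transit
        M1 = xor(M1, b"\x01" + bytes(31))
    resp = server.on_login(C1, M0, M1)
    if resp is None:
        return None
    M3, SK_user = card.on_response(resp[0], resp[1])
    return SK_user, server.on_confirm(resp[2], M3)

def demo():                                          # constructed user; returns three outcomes
    server = Server()
    Id, pw, r = b"alice".ljust(16, b"\0"), b"correct horse", secrets.token_bytes(16)
    card = SmartCard(Id, pw, r, *server.register(Id, H(Id, r, pw)), server.Q)
    first = run_session(card, server)
    card.change_password(b"battery staple")
    return first, run_session(card, server), run_session(card, server, tamper=True)
```

demo() returns the (user SK, server SK) pair of the first run, the pair of a run after the password change, and None for the run whose M1 was altered in transit.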

Remark: To eliminate the shortcomings of Kumari et al.'s and Nikooghadam et al.'s protocols and provide better security, our protocol makes three design choices: 1. the smart card does not check the correctness of the login itself; instead, the correctness of the login is verified by the server; 2. following [53], the improved protocol uses elliptic curve cryptography (ECC) in order to obtain perfect forward secrecy; 3. in order to resist the key-compromise user impersonation attack, the server stores a secret element Ti in its database, which must not be leaked to the adversary.

6. Heuristic security analysis

6.1 Preserve user anonymity & un-traceability

We suppose that the adversary \(\mathcal{A}\) has stolen Ui's smart card and has obtained all of its data \(\left\{B_{i}, MId_{i}, P, Q, E_{k}(\cdot) / D_{k}(\cdot), H(\cdot)\right\}\). During the login process of Ui, \(\mathcal{A}\) eavesdrops on all transmitted messages {C1, M0, M1, C3, M2, M3}. Since these parameters are either protected by the hash function or computed under the elliptic curve discrete logarithm problem, \(\mathcal{A}\) is unable to derive the identity Idi from them in polynomial time. Moreover, the transmitted messages change in every session. Therefore, the presented protocol provides user anonymity and un-traceability.

6.2 Resist privileged insider attack

During the registration phase, the user Ui sends \(\left\{Id_{i}, h\left(Id_{i}\|r\| Pw_{i}\right)\right\}\) to S. The password Pwi of Ui is protected by the hash function and the secret element \(r\), so an inside adversary cannot obtain the plaintext password of Ui. Accordingly, the proposed scheme is immune to such an attack.

6.3 Resist replay attack

In our proposed scheme, all messages {C1, M0, M1, C3, M2, M3} transmitted over the open channel differ in every session. If the adversary replays any of these messages, the server or the user can detect the problem. Therefore, the adversary cannot perform a replay attack against the improved protocol.

6.4 Resist stolen verifier attack

In our improved protocol, suppose that \(\mathcal{A}\) steals the verifier table stored in S; \(\mathcal{A}\) still cannot perform any attack with it. Thereupon, the improved protocol is resistant to the stolen-verifier attack.

6.5 Resist off-line password guessing attack

Suppose that \(\mathcal{A}\) obtains all elements stored in the SCi of Ui. On the one hand, \(\mathcal{A}\) is not able to guess the correct password Pwi of Ui from them, since these parameters contain no verifying value. On the other hand, suppose \(\mathcal{A}\) not only obtains the parameters in the smart card but also intercepts the login request message {C1, M0, M1} and then attempts to guess the password Pwi of Ui, using {M0, M1} from the login request message as verifying values. \(\mathcal{A}\) can choose an identity and a password from the dictionary space and compute \(A_{i}^{*}=B_{i} \oplus h\left(Id_{i}^{*}\|r\| Pw_{i}^{*}\right)\). However, to calculate the corresponding verifier values {M0, M1}, \(\mathcal{A}\) must know \(C_{2}=a Q=x C_{1}\), which is known only to the user and the server. Accordingly, \(\mathcal{A}\) cannot confirm a guessed password of Ui by computing the corresponding verifying values. Therefore, our proposed protocol is resistant to the off-line dictionary attack.

6.6 Resist key-compromise user impersonation attack

If the long-term private element x has been leaked to \(\mathcal{A}\) and \(\mathcal{A}\) can impersonate the legal user to the server, then the analyzed protocol is vulnerable to the key-compromise impersonation attack. In the proposed protocol, to impersonate the legal user Ui, \(\mathcal{A}\) must be able to forge a valid login request message. Since the random number Ti of S has not been leaked to \(\mathcal{A}\), \(\mathcal{A}\) cannot obtain the correct value of \(A_{i}=H\left(Id_{i}\|x\| T_{i}\right)\). Thereupon, \(\mathcal{A}\) has no way to forge the legal values of M1 = \(H\left(Id_{i}\left\|C_{2}\right\| A_{i} \| MId_{i}\right)\) and M3 = \(H\left(MId_{i}^{new}\|SK\| Id_{i} \| A_{i}\right)\). Thus, the proposed protocol is immune to the key-compromise user impersonation attack.

6.7 Resist server impersonation attack

If \(\mathcal{A}\) wants to masquerade as S, then \(\mathcal{A}\) must calculate a valid response message {C3, M2} for Ui. In the proposed protocol, \(\mathcal{A}\) first captures the login request message {C1, M0, M1} and extracts the information \(\left\{B_{i}, MId_{i}, P, r, Q, E_{k}(\cdot) / D_{k}(\cdot), H(\cdot)\right\}\) from the smart card. Then, \(\mathcal{A}\) selects two random numbers \(b^{\prime}, N^{new^{\prime}}\). To compute the valid message {C3, M2}, \(\mathcal{A}\) must know the values {Ai, C2}, which are needed to compute \(MId_{i}^{new}\). However, \(\mathcal{A}\) is unable to compute C2 without the long-term private key x of S. Thus, \(\mathcal{A}\) cannot forge C3, let alone M2. From the above discussion, it is inferred that the improved protocol is protected against the server impersonation attack.

6.8 Provide mutual authentication

During the login and authentication part of the improved protocol, Ui is authenticated by S using the equations \(H\left(A_{i}^{*}\right)=? H\left(A_{i}\right)\) and \(M_{1}^{*}=? M_{1}\). Subsequently, S is authenticated by Ui using the equation \(M_{2}^{*}=? M_{2}\). According to the previous analysis, our improved protocol is immune to impersonation attacks. Therefore, S and Ui can carry out the authentication smoothly. That is to say, the proposed protocol fulfils the requirements of mutual authentication.

6.9 Provide perfect forward security

Suppose the adversary can intercept any message sent over the public channels and extract the data in the smart card by a side-channel attack. In the proposed protocol, even though \(\mathcal{A}\) knows the password Pwi of Ui and the long-term private key x of S, \(\mathcal{A}\) still cannot calculate the session key \(SK=H\left(Id_{i}\left\|C_{2}\right\| b\left\|A_{i}\right\| MId_{i}^{new}\right)\), because the key is protected by \(b\), \(N^{new}\) and Ai. Accordingly, the improved protocol preserves perfect forward secrecy.

7. Security simulation of proposed protocol using AVISPA software

AVISPA [38] is a push-button software tool for the automated validation of Internet security-sensitive protocols and applications, and it can perform the formal security verification of the improved protocol. Here, we give the simulation of the improved protocol using the AVISPA tool, which estimates whether our protocol is safe under the Dolev-Yao model [31]. Since the AVISPA tool accepts the High Level Protocol Specification Language (HLPSL), we first provide the HLPSL code, given in Figs. 3-5, for Ui, S, and the session, goal and environment, respectively. The analysis results for the proposed protocol are displayed in Figs. 6 and 7. From the simulation results of OFMC and CL-AtSe, it is inferred that the proposed protocol is SAFE against active and passive attacks, including replay and man-in-the-middle attacks, under the Dolev-Yao model.

8. BAN-Logic Proof of the Proposed Protocol

Here, we give the security proof of the improved protocol using BAN-Logic [39]. We prove that Ui can establish a session key with S in the proposed protocol. First, the BAN-Logic notations are listed in Table 2. Second, the BAN-Logic postulates are listed in Table 3, and the idealized form, security goals and initial premises of the improved protocol are formally provided.

(1) The idealized form of the proposed protocol is given as follows:

• Message-1: \(U_{i} \rightarrow S: \; C_{1},\ \left(Id_{i}, C_{2}, MId_{i}\right)_{U_{i} \stackrel{A_{i}}{\leftrightarrow} S},\ \left(Id_{i}, MId_{i}^{new}, U_{i} \stackrel{SK}{\leftrightarrow} S\right)_{U_{i} \stackrel{A_{i}}{\leftrightarrow} S}\)

• Message-2: \(S \rightarrow U_{i}: \; \left(MId_{i}^{new}, b\right)_{U_{i} \stackrel{H\left(A_{i} \| C_{2}\right)}{\leftrightarrow} S},\ \left(Id_{i}, MId_{i}^{new}, C_{2}, C_{3}, b\right)_{U_{i} \stackrel{A_{i}}{\leftrightarrow} S}\)

(2) Security goals of the proposed protocol are presented as follows:

• Goal-1: \(U_{i}|\equiv S| \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\)

• Goal-2: \(U_{i} | \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\)

• Goal-3: \(S\left|\equiv U_{i}\right| \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\)

• Goal-4: \(S | \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\)

(3) Initial premises of the improved protocol are presented as follows:

• I-1: \(U_{i} | \equiv \# a\)

• I-2: \(S | \equiv \# b\)

• I-3: \(U_{i} | \equiv \# M I d_{i}^{n e w}\)

• I-4: \(S | \equiv \# M I d_{i}^{n e w}\)

• I-5: \(U_{i} | \equiv U_{i} \stackrel{A_{i}}{\leftrightarrow} S\)

• I-6: \(S | \equiv U_{i} \stackrel{A_{i}}{\leftrightarrow} S\)  

• I-7: \(U_{i}|\equiv S| \Rightarrow U_{i} \stackrel{S K}{\leftrightarrow} S\)

• I-8: \(S\left|\equiv U_{i}\right| \Rightarrow U_{i} \stackrel{S K}{\leftrightarrow} S\)

(4) We conduct the BAN-Logic proof of the improved protocol as follows:

• P-1: According to Message-2, we have

\(U_{i} \triangleleft \left(Id_{i}, MId_{i}^{new}, C_{2}, C_{3}, b\right)_{U_{i} \stackrel{A_{i}}{\leftrightarrow} S}\).

• P-2: From P-1, I-5, and the Message-meaning rule, we deduce

\(U_{i}|\equiv S| \sim\left(Id_{i}, MId_{i}^{new}, C_{2}, C_{3}, b\right)\).

• P-3: By P-2, I-1, I-2, I-3, and the Freshness-concatenation rule, we infer

\(U_{i} | \equiv \#\left(Id_{i}, MId_{i}^{new}, C_{2}, C_{3}, b\right)\).

• P-4: By P-3, P-2, and the Nonce-verification rule, we deduce

\(U_{i}|\equiv S| \equiv\left(Id_{i}, MId_{i}^{new}, C_{2}, C_{3}, b\right)\).

• P-5: From P-4 and the Believe rule, we obtain \(U_{i}|\equiv S| \equiv U_{i} \stackrel{SK}{\leftrightarrow} S\) ----- Goal-1

Fig. 3. Role specification of user in HLPSL

• P-6: By I-7, P-5, and the Jurisdiction rule, we get \(U_{i} | \equiv U_{i} \stackrel{SK}{\leftrightarrow} S\) ----- Goal-2

• P-7: According to Message-1, we have \(S \triangleleft \left(Id_{i}, MId_{i}^{new}, U_{i} \stackrel{SK}{\leftrightarrow} S\right)_{U_{i} \stackrel{A_{i}}{\leftrightarrow} S}\).

Fig. 4. Role specification of server in HLPSL

• P-8: By P-7, I-5, and the Message-meaning rule, we infer \(S\left|\equiv U_{i}\right| \sim\left(Id_{i}, MId_{i}^{new}, U_{i}\stackrel{SK}{\leftrightarrow} S\right)\).

• P-9: From P-8, I-4, and the Freshness-concatenation rule, we have \(S | \equiv \#\left(Id_{i}, MId_{i}^{new}, U_{i}\stackrel{SK}{\leftrightarrow} S\right)\).

Fig. 5. Roles for session, goal and environment in HLPSL.

• P-10: From P-8, P-9, and the Nonce-verification rule, we deduce

\(S\left|\equiv U_{i}\right| \equiv\left(I d_{i}, M I d_{i}^{n e w}, U_{i}\stackrel{S K} {\leftrightarrow} S\right)\).

• P-11: By P-10 and the Believe rule, we get \(S\left|\equiv U_{i}\right| \equiv U_{i} \stackrel{SK}{\leftrightarrow} S\) ----- Goal-3

• P-12: From P-11, I-8, and the Jurisdiction rule, we infer \(S | \equiv U_{i} \stackrel{SK}{\leftrightarrow} S\) ----- Goal-4

In summary, since Goals 1 to 4 are achieved, Ui and S are convinced that the session key is successfully shared between them.

Fig. 6. The experiment result using OFMC.

Fig. 7. The experiment result using CL-AtSe.

Table 2. BAN-Logic notations

Table 3. BAN-Logic rules

9. Performance Analysis of the Improved Protocol with Related Literature

In this part, we compare the performance of the improved protocol with some related protocols [26-30, 40-44, 54] in terms of computational cost and security features. As usual, we neglect lightweight operations such as exclusive-OR and string concatenation. The following cryptographic operations are considered: Th: the time for executing a hash operation; Ts: the time for performing a symmetric key encryption/decryption; Tmm: the time for a 160-bit modular multiplication; Tme: the computational time for an elliptic curve point multiplication; Tae: the computational cost of an elliptic curve point addition; Te: the computational time for a 1024-bit modular exponentiation. According to the experimental results of [45,46], Th, Ts, Tmm, Tme, Tae and Te take approximately 0.0023 ms, 0.0046 ms, 0.001855 ms, 2.226 ms, 0.0288 ms and 3.85 ms, respectively.

Table 4. The computational cost in login-authentication phase

From Table 4, since the protocols of Chang et al. [26], Kumari et al. [28], Chaudhry et al. [29], Nikooghadam et al. [30], Chou et al. [40] and Wen et al. [41] use only hash functions and symmetric key cryptographic operations, their computational cost is quite small, not exceeding 0.05 ms. In order to make the authentication protocol more secure, Wang et al. [27], Chen et al. [42], Mishra et al. [43], Qu et al. [44] and Chaudhry et al. [54] use public key cryptography, such as ECC, RSA and discrete logarithms in a general group. The computational costs of the login-authentication phase in the protocols of Wang et al. [27], Chen et al. [42], Mishra et al. [43], Qu et al. [44] and Chaudhry et al. [54] are approximately 23.1322 ms, 15.4217 ms, 15.4253 ms, 8.9684 ms and 13.417 ms respectively, while the computational cost of the proposed protocol is only approximately 6.7217 ms. Therefore, the improved protocol is more efficient than [27,42-44] while retaining the advantage of public key cryptography.

From Table 5, we observe that the protocols of Chang et al. [26], Kumari et al. [28], Chaudhry et al. [29], Nikooghadam et al. [30], Chou et al. [40] and Wen et al. [41] are unable to provide perfect forward secrecy, because they use only hash functions and symmetric key cryptographic operations. Among the compared literature, only our protocol and those of Chaudhry et al. [29] and Mishra et al. [43] can resist the key-compromise impersonation attack. To summarize, all the compared protocols are vulnerable to certain security weaknesses, except ours and Mishra et al.'s. According to Table 4, Mishra et al.'s protocol requires about 15.4253 ms in the login-authentication phase, while the proposed protocol executes in only 6.7217 ms. This illustrates that the improved protocol has better performance than the compared protocols.

Table 5. Comparison of security features

F1: Preserve user anonymity & un-traceability, F2: Resist privileged-insider attack, F3: Resist replay attack, F4: Resist stolen verifier attack, F5: Resist off-line password guessing attack, F6: Resist (key-compromise) user impersonation attack, F7: Resist server impersonation attack, F8: Provide mutual authentication, F9: Provide perfect forward security. N/A means the evaluation indicator is not considered.

10. Conclusion

In this paper, we proved that Kumari et al.'s protocol [28] is vulnerable to the key-compromise impersonation attack and cannot provide perfect forward secrecy, while Nikooghadam et al.'s protocol [30] is vulnerable to the key-compromise impersonation attack and the off-line password-guessing attack, and is also unable to provide perfect forward secrecy. In order to remedy these limitations, we designed a new authentication and key agreement protocol based on Nikooghadam et al.'s protocol. By heuristic analysis, AVISPA simulation and a BAN-logic proof, we showed that the improved protocol is more secure than the relevant protocols. By comparison of computational cost, the improved protocol is also more efficient than the comparative works in the category of public key cryptography. Therefore, through a comprehensive analysis and evaluation, it is inferred that the proposed protocol is more practical for real application scenarios because of its security and efficiency. In our future research, we will focus on exploring more lightweight public key cryptography to design a practical authentication scheme. Moreover, following [55-58], we will further explore the application of cryptographic methods to image compression and digital watermarking.

Acknowledgment

The authors are thankful to the Editor and anonymous reviewers for the generous feedback and constructive comments. This research was supported by BUPT Excellent Ph.D. Students Foundation (No. CX2018312), the National Key Research and Development Program of China (No. 2018YFB0803600).


References

  1. J. Arkko, V. Torvinen, G. Camarillo, A. Niemi and T. Haukka, "Security mechanism agreement for SIP sessions," IETF Internet Draft, Jun. 2002.
  2. M. K. Khan, "Fingerprint Biometric-based Self-Authentication and Deniable Authentication Schemes for the Electronic World," IETE Technical Review, vol. 26, no. 3, pp. 191-195, 2009. https://doi.org/10.4103/0256-4602.50703
  3. T. H. Chen, H. L. Yeh, P. C. Liu, H. C. Hsiang and W. K. Shih, "A secured authentication protocol for SIP using elliptic curves cryptography," FGIT-FGCN, vol. 119, no. 1, pp. 46-55, 2010.
  4. F. W. Liu and H. Koenig, "Cryptanalysis of a SIP authentication scheme," in Proc. of 12th IFIP TC6/TC11 International Conference, CMS, Lecture Notes in Computer Science, vol. 7025, pp. 134-143, 2011.
  5. D. B. He, J. Chen and Y. Chen, "A secure mutual authentication scheme for session initiation protocol using elliptic curve cryptography," Secur Commun Netw, vol. 5, no. 12, pp. 1423-1429, 2012. https://doi.org/10.1002/sec.506
  6. R. Arshad and N. Ikram, "Elliptic curve cryptography based mutual authentication scheme for session initiation protocol," Multimed Tools Appl, vol. 66, no. 2, pp. 165-178, 2013. https://doi.org/10.1007/s11042-011-0787-0
  7. M. S. Farash and M. A. Attari, "An Enhanced authenticated key agreement for session initiation protocol," Inf Technol Control, vol. 42, no. 4, pp. 333-342, 2013.
  8. H. Tang and X. Liu, "Cryptanalysis of Arshad et al.'s ECC-based mutual authentication scheme for session initiation protocol," Multimed Tools Appl, vol. 65, no. 3, pp. 321-333, 2013. https://doi.org/10.1007/s11042-012-1001-8
  9. X. M. Wang, W. Guo, W. F. Zhang, M. K. Khan and K. Alghathbar, "Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network," Telecommunication Systems, vol. 52, no. 2, pp. 515-524, 2013. https://doi.org/10.1007/s11235-011-9457-9
  10. S. Kumari and M. K. Khan, "More secure smart card-based remote user password authentication scheme with user anonymity," Security and Communication Networks, vol. 7, no. 11, pp. 2039-2053, 2014. https://doi.org/10.1002/sec.916
  11. S. Kumari, S. A. Chaudhry, F. Wu, X. Li, M. S. Farash and M. K. Khan, "An improved smart card based authentication scheme for session initiation protocol," Peer-to-Peer Networking and Applications, 2015.
  12. S. A. Chaudhry, H. Naqvi, T. Shon, M. Sher and M. S. Farash, "Cryptanalysis and Improvement of an Improved Two Factor Authentication Protocol for Telecare Medical Information Systems," J. Medical Systems, vol. 39, no. 6, pp. 1-11, 2015. https://doi.org/10.1007/s10916-014-0182-2
  13. S. Challa, A. K. Das, S. Kumari, V. Odelu, F. Wu and X. Li, "Provably secure three-factor authentication and key agreement scheme for session initiation protocol," Security and Communication Networks, vol. 9, no. 18, pp. 5412-5431, 2016. https://doi.org/10.1002/sec.1707
  14. S. A. Chaudhry, I. Khan, A. Irshad, M. U. Ashraf, M. K. Khan and H. F. Ahmad, "A provably secure anonymous authentication scheme for session initiation protocol," Secur Commun Netw, 2016.
  15. A. K. Sutrala, A. K. Das, V. Odelu, M. Wazid and S. Kumari, "Secure anonymity-preserving password-based user authentication and session key agreement protocol for telecare medicine information systems," Computer Methods and Programs in Biomedicine, vol. 135, pp. 167-185, 2016. https://doi.org/10.1016/j.cmpb.2016.07.028
  16. M. S. Farash, S. A. Chaudhry, M. Heydari, S. M. S. Sadough, S. Kumari and M. K. Khan, "A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security," Int. J. Communication Systems, vol. 30, no. 4, 2017.
  17. S. Kumari, M. Karuppiah, A. K. Das, X. Li, F. Wu and V. Gupta, "Design of a secure anonymity-preserving authentication scheme for session initiation protocol using elliptic curve cryptography," J Ambient Intell Human Comput, 2017.
  18. S. Kumari, "Design flaws of 'an anonymous two-factor authenticated key agreement scheme for session initiation protocol using elliptic curve cryptography'," Multimed Tools Appl, vol. 76, pp. 13581, 2017. https://doi.org/10.1007/s11042-016-3771-x
  19. S. M. Qiu, G. A. Xu, H. Ahmad and L. C. Wang, "A Robust Mutual Authentication Scheme Based on Elliptic Curve Cryptography for Telecare Medical Information Systems," IEEE Access, vol. 6, pp. 7452-7463, 2018. https://doi.org/10.1109/ACCESS.2017.2780124
  20. S. M. Qiu, G. A. Xu, H. Ahmad and Y. H. Guo, "An enhanced password authentication scheme for session initiation protocol with perfect forward secrecy," PLoS ONE, vol. 13, no. 3, e0194072, 2018. https://doi.org/10.1371/journal.pone.0194072
  21. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach and A. Luotonen, "HTTP Authentication: Basic and digest access authentication," IETF RFC 2617, 1999.
  22. C. Yang, R. Wang and W. Liu, "Secure authentication scheme for session initiation protocol," Comput Secur, vol. 24, pp. 381-386, 2015. https://doi.org/10.1016/j.cose.2004.10.007
  23. H. F. Huang, W. C. Wei and G. E. Brown, "A new efficient authentication scheme for session initiation protocol," in Proc. of 9th Joint Conference on Information Sciences, 2006.
  24. D. Denning and G. Sacco, "Timestamps in key distribution systems," Commun ACM, vol. 24, no. 8, pp. 533-536, 1981. https://doi.org/10.1145/358722.358740
  25. A. Durlanik and I. Sogukpinar, "SIP authentication scheme using ECDH," World Enformatika Soc Trans Eng Comput Technol, vol. 8, pp. 350-353, 2005.
  26. Y. Chang, W. Tai and H. Chang, "Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update," Int J Commun Syst, 2015.
  27. D. Wang, C. Ma, P. Wang and Z. Chen, "Robust smart card based password authentication scheme against smart card security breach," IACR Cryptology ePrint Archive, 2012. Retrieved from eprint.iacr.org/2012/439.pdf.
  28. S. Kumari, M. Khan and X. Li, "An improved remote user authentication scheme with key agreement," Comput Electr Eng, vol. 40, no. 6, pp. 1997-2012, 2014. https://doi.org/10.1016/j.compeleceng.2014.05.007
  29. S. A. Chaudhry, M. S. Farash, H. Naqvi, S. Kumari and M. K. Khan, "An enhanced privacy preserving remote user authentication scheme with provable security," Secur Commun Netw, vol. 8, no. 18, pp. 3782-3795, 2015. https://doi.org/10.1002/sec.1299
  30. M. Nikooghadam, R. Jahantigh and H. Arshad, "A lightweight authentication and key agreement protocol preserving user anonymity," Multimedia Tools Appl, vol. 76, no. 11, pp. 13401-13423, 2017. https://doi.org/10.1007/s11042-016-3704-8
  31. D. Dolev and A. Yao, "On the security of public key protocols," IEEE Trans Inf Theory, vol. 29, no. 2, pp. 198-208, 1983. https://doi.org/10.1109/TIT.1983.1056650
  32. D. Wang and P. Wang, "Two birds with one stone: two-factor authentication with security beyond conventional bound," IEEE Trans Depend Secur Comput, 2016.
  33. P. Kocher, J. Jaffe and B. Jun, "Differential power analysis," Advances in Cryptology, vol. 1666, pp. 388-397, 1999.
  34. T. S. Messerges, E. A. Dabbish and R. H. Sloan, "Examining smart-card security under the threat of power analysis attacks," IEEE Trans Comput, vol. 51, no. 5, pp. 541-552, 2002. https://doi.org/10.1109/TC.2002.1004593
  35. D. Wang, D. B. He, P. Wang and C. Chu, "Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment," IEEE Trans Depend Secur Comput, vol. 12, no. 4, pp. 428-442, 2015. https://doi.org/10.1109/TDSC.2014.2355850
  36. D. Wang, Z. Zhang and P. Wang, "Targeted online password guessing: An underestimated threat," in Proc. of ACM CCS, vol. 16, pp. 1242-1254, 2016.
  37. D. Wang and P. Wang, "On the implications of Zipf's law in passwords," in Proc. of ESORICS, pp. 111-131, 2016.
  38. AVISPA, "Automated validation of internet security protocols and applications," http://www.avispaproject.org/ (accessed March 2018).
  39. M. Burrows, M. Abadi and R. M. Needham, "A logic of authentication," ACM Trans. Comput. Syst, vol. 8, no. 1, pp. 18-36, 1990. https://doi.org/10.1145/77648.77649
  40. J. Chou, C. Huang, Y. Huang and Y. Chen, "Efficient two-pass anonymous identity authentication using smart card," IACR Cryptology ePrint Archive, 2013. Retrieved from eprint.iacr.org/2013/402.pdf.
  41. F. Wen and X. Li, "An improved dynamic id-based remote user authentication with key agreement scheme," Comput Electr Eng, vol. 38, no. 2, pp. 381-387, 2011. https://doi.org/10.1016/j.compeleceng.2011.11.010
  42. B. L. Chen, W. C. Kuo and L. C. Wuu, "Robust smart-card-based remote user password authentication scheme," Int J Commun Syst, vol. 27, pp. 377-389, 2012. https://doi.org/10.1002/dac.2368
  43. D. Mishra, A. K. Das, A. Chaturvedi and S. Mukhopadhyay, "A secure password-based authentication and key agreement scheme using smart cards," J Inf Secur Appl, vol. 23, pp. 28-43, 2015. https://doi.org/10.1016/j.jisa.2015.06.003
  44. J. Qu and L. Zou, "An Improved Dynamic ID-Based Remote User Authentication with Key Agreement Scheme," J. Electrical and Computer Engineering, pp. 786587:1-786587:, 2013.
  45. H. Kilinc and T. Yanik, "A survey of SIP authentication and key agreement schemes," IEEE Communications Surveys and Tutorials, vol. 16, no. 2, pp. 1005-1023, 2014. https://doi.org/10.1109/SURV.2013.091513.00050
  46. H. Arshad and M. Nikooghadam, "An efficient and secure authentication and key agreement scheme for session initiation protocol using ECC," Multimedia Tools and Applications, vol. 75, no. 1, pp. 181-197, 2016. https://doi.org/10.1007/s11042-014-2282-x
  47. C. Ma, D. Wang and S. Zhao, "Security flaws in two improved remote user authentication schemes using smart cards," Int. J. Communication Systems, vol. 27, no. 10, pp. 2215-2227, 2014. https://doi.org/10.1002/dac.2468
  48. X. Huang, X. Chen, J. Li, Y. Xiang and L. Xu, "Further Observations on Smart-Card-Based Password-Authenticated Key Agreement in Distributed Systems," IEEE Trans. Parallel Distrib. Syst, vol. 25, no. 7, pp. 1767-1775, 2014. https://doi.org/10.1109/TPDS.2013.230
  49. D. Wang, H. Cheng, D. He and P. Wang, "On the Challenges in Designing Identity-Based Privacy-Preserving Authentication Schemes for Mobile Devices," IEEE Systems Journal, vol. 12, no. 1, pp. 916-925, 2018. https://doi.org/10.1109/JSYST.2016.2585681
  50. D. Wang and P. Wang, "On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions," Computer Networks, vol. 73, pp. 41-57, 2014. https://doi.org/10.1016/j.comnet.2014.07.010
  51. D. Wang, Q. Gu, H. Cheng and P. Wang, "The Request for Better Measurement: A Comparative Evaluation of Two-Factor Authentication Schemes," in Proc. of AsiaCCS, pp. 475-486, 2016.
  52. M. Wazid, A. K. Das, V. Odelu, N. Kumar, M. Conti and M. Jo, "Design of Secure User Authenticated Key Management Protocol for Generic IoT Networks," IEEE Internet of Things Journal, vol. 5, no. 1, pp. 269-282, 2018. https://doi.org/10.1109/JIOT.2017.2780232
  53. D. Wang, N. Wang, P. Wang and S. Qing, "Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity," Inf. Sci, vol. 321, pp. 162-178, 2015. https://doi.org/10.1016/j.ins.2015.03.070
  54. S. A. Chaudhry, H. Naqvi, K. Mahmood, H. F. Ahmad and M. K. Khan, "An Improved Remote User Authent­ication Scheme Using Elliptic Curve Cryptography," Wireless Personal Communications, vol. 96, no. 4, pp. 5355-5373, 2017. https://doi.org/10.1007/s11277-016-3745-3
  55. S. Liu, Z. Pan and H. Song, "Digital image watermarking method based on DCT and fractal encoding," IET Image Processing, vol. 11, no. 10, pp. 815-821, 2017. https://doi.org/10.1049/iet-ipr.2016.0862
  56. S. Liu, Z. Pan and X. Cheng, "A Novel Fast Fractal Image Compression Method based on Distance Clustering in High Dimensional Sphere Surface," Fractals, vol. 25, no. 4, 1740004, 2017. https://doi.org/10.1142/S0218348X17400047
  57. Z. Pan, S. Liu and W. Fu, "A review of visual moving target tracking," Multimedia Tools Appl, vol. 76, no. 16, pp. 16989-17018, 2017. https://doi.org/10.1007/s11042-016-3647-0
  58. S. Liu, M. Lu, G. Liu and Z. Pan, "A Novel Distance Metric: Generalized Relative Entropy," Entropy, vol. 19, no. 6, pp. 269, 2017. https://doi.org/10.3390/e19060269
