About this Journal Submit a Manuscript Table of Contents
The Scientific World Journal
Volume 2013 (2013), Article ID 419592, 8 pages
Research Article

An Anonymous User Authentication with Key Agreement Scheme without Pairings for Multiserver Architecture Using SCPKs

State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China

Received 5 April 2013; Accepted 30 April 2013

Academic Editors: G. A. Gravvanis and G. Wei

Copyright © 2013 Peng Jiang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


With advancement of computer community and widespread dissemination of network applications, users generally need multiple servers to provide different services. Accordingly, the multiserver architecture has been prevalent, and designing a secure and efficient remote user authentication under multiserver architecture becomes a nontrivial challenge. In last decade, various remote user authentication protocols have been put forward to correspond to the multi-server scenario requirements. However, these schemes suffered from certain security problems or their cost consumption exceeded users’ own constrained ability. In this paper, we present an anonymous remote user authentication with key agreement scheme for multi-server architecture employing self-certified public keys without pairings. The proposed scheme can not only retain previous schemes’ advantages but also achieve user privacy concern. Moreover, our proposal can gain higher efficiency by removing the pairings operation compared with the related schemes. Through analysis and comparison with the related schemes, we can say that our proposal is in accordance with the scenario requirements and feasible to the multi-server architecture.

1. Introduction

In modern society, people’s life is highly dependent on the Internet, but the exposure of networks often causes great loss to users, which brings about that a secure user authentication mechanism has become the key issue to preserve valid remote clients in safety from being attacked. There is no doubt that the user authentication with smart card is one of the most widely used and the simplest approaches. When taking only one sort of service into account, some password authentication schemes for single-server environment have been proposed [1, 2].

Later with the rapid development of technology, different servers are needed to offer service via the network, and conventional methods need users to register with various servers repetitively and remember different identities and passwords. It is obvious that these traditional schemes make authentication inconvenient and cost much. Consequently, an appropriate multiserver user authentication mechanism has turned into a concern. In 2001, Li et al. [3] gave a remote user authentication scheme in neural networks for the first time, which opened up the gateway access to the multiserver architecture.

Considering the system environment without loss of generality, the multiserver architecture consists of multiple distributed service servers and remote clients with limited resource and capability. The service servers offer different access services such as e-commerce, online conference, network game, and remote medical system. If a remote client wants to access to these services, he/she needs to login these service servers through cellular network or wireless local area networks (WLANs).

Due to multiserver environment special characteristics and information security problem in public networks, designing a feasible user authentication scheme under multiserver architecture is a key issue, which can ensure the access of legitimate users and prevent invalid user from interfering with the service server. A practical user authentication scheme under the multiserver environment must address the following requirements. They consist of both the previous criteria [1] and new user anonymity issue.(1)No repetitive registration is needed for the multiserver environments.(2)No verification table is stored in the server.(3)Mutual authentication and session key agreement can be achieved between the users and the service servers to carry on subsequent communications.(4)Various possible attacks can be resisted.(5)User can choose identity and password freely and change his/her password freely.(6)The computational and communication cost is low since the energy resources and computing capability of a smart card are limited.(7)The user is not allowed to expose his identity privacy information to eavesdroppers. Assume that the adversary obtains a valid user’s identity, he/she can masquerade the user to enjoy the regular service without registration, which can cause losses for the valid user or even worse consequences. So the anonymous authentication should be implemented.

In order to satisfy all of these criteria, this paper proposes an anonymous remote user authentication scheme without pairings for multiserver architecture using self-certified public keys (SCPKs). We present public key-based user anonymous authentication scheme under the multiserver environment. Meanwhile, our proposal heightens efficiency increasingly accompanied by the removal of pairings operation; in contrast, the existing public key-based authentication schemes generally employ pairings function. Moreover, our proposal can avoid the server spoofing attack since the verification process relies on the server’s private key. Through security and performance analysis, our proposal not only achieves anonymous authentication with key agreement securely but also results more efficiently, remedying the weaknesses of previous authentication schemes which either encounter some attacks or fail to protect user privacy or cost relatively more energy. Compared with other related achievements, ours is more suitable for the remote user whose resources and capability are constrained under multiserver architecture.

The rest of this paper is organized as follows. Section 2 briefly describes some related works. Some preliminaries are given in Section 3. Our proposed secure and efficient user authentication scheme for multiserver architecture and corresponding analysis are presented in Sections 4 and 5, respectively. Finally, some conclusions are drawn in Section 6.

2. Related Work

Until now, two categories of improved multiserver user authentication schemes, hash-based authentication and public key based authentication, have emerged successively. To hash-based authentication, some user password authentication suggestions [47] based on static ID have been proposed to conquer the weaknesses of Li et al.’s, yet these were proven easy to be traced. In 2009, Liao and Wang [8] raised a dynamic identity authentication protocol for multiserver environment to advance previous work. In the following years, many researchers [912] have developed and enhanced the user authentication scheme step by step. To public key-based authentication, employing public key cryptosystem into the password authentication, Das et al. [13] first proposed a remote user authentication protocol with smart card using bilinear pairings. Yet theirs had an obvious disadvantage: no mutual authentication and key agreement. To improve the security, a series of user authentication schemes [1416] with bilinear pairings have been presented. To improve the efficiency, Tseng et al. [17] gave a low-cost pairing-based user authentication protocol for wireless users and claimed that theirs was efficient, easy password changing, and suitable for multiserver environment in distributed networks. Unfortunately, in 2013, Liao and Hsiao [18] pointed out that Tseng et al.’s scheme also lacked mutual authentication with session key agreement, suffered from insider attack, password guessing attack, and replay attack, and advanced a pairings-based user authentication scheme using self-certified public keys. Liao and Hsiao claimed that their proposal could withstand various possible attacks and was well suited for multiserver environment.

Regretfully, most of the existing related public key based authentication schemes under multiserver architecture mentioned previously did not pay attention to user anonymity issue. Moreover, their authentication schemes needed excessive energy consumption employing pairings operation and suffered from the server spoofing attack, which was not conducive to communication running and trapped in DoS attack easily.

3. Preliminaries

We now briefly review some basic concepts used in this paper, including bilinear pairings [19], related complexity assumptions [20], and self-certified public keys [21, 22].

3.1. Admissible Bilinear Pairing

Let be an additive group generated by with prime order and let be a multiplicative group of the same order. A map is said to be an admissible bilinear pairing if the following three conditions hold true.(1)Bilinearity: for all , we have .(2)Nondegeneracy: .(3)Computability: is efficiently computable.

We refer readers to [19] for more details of such pairings.

3.2. Complexity Assumption

(1)Computational discrete logarithm (CDL) assumption: given , where , there exists no probabilistic polynomial-time algorithm which can determine .(2)Computational Diffie-Hellman (CDH) assumption: given two elements , in a group , where the unknown numbers are selected at random, there exists no probabilistic polynomial-time algorithm which can compute .(3)Elliptic curve factorization (ECF) assumption: given two elements , , where and , there exists no probabilistic polynomial-time algorithm which can obtain and .

3.3. Self-Certified Public Key

Here, we describe a self-certified public key process briefly; more details can be found in [21, 22].(1)Initialization: given a group on an elliptic curve , is a based point generator of prime order , the system authority (SA) selects a random value as its private key and computes the public key . Publish the related parameters and keep secret.(2)Partial private key and private key generation: the user chooses a number randomly, computes , and sends to SA over a secure channel. SA calculates as the witness using a random number . Then, SA computes the user’s partial private key and submits to . can obtain its private key .(3)Public key extraction: ’s public key can be computed by . Any entity, who communicates with and receives the witness , can authenticate ’s public key as long as he/she calculates the equation: .

4. The Proposed Scheme

In this section, we propose an anonymous remote user authentication scheme for multiserver environment without pairings, which consists of five phases: server registration phase, user registration phase, login phase, verification phase, and password change phase. Three entities are involved: user (), service server (), and registration center (). chooses the system private/public key pair , where is a random number in and . Then publish the system parameters and keep secret. The notations used in this section are listed in Table 1. Some detailed steps will be described as follows and shown in Figure 1.

Table 1: Notations used in proposed scheme.
Figure 1: The proposed scheme.
4.1. Server Registration Phase

When the service server wants to access to the multiserver architecture, it needs to register first. In this phase, uses the self-certified public key (SCPK) to generate the related credentials.

Step S1. chooses a random value , computes , and sends to .

Step S2. After receiving the message , generates a randomly, calculates , , and issues to .

Step S3. can obtain its private key with and verify the validity of the message by computing .

If the equation holds, the issued values are valid, and vice versa.

4.2. User Registration Phase

Supposing that the user wants to get service granted only from , he/she needs to register to the same that did, by submitting his identity and password to . Then, returns the smart card back to . The communication between and is through a secure channel. The steps are performed as follows.

Step U1. freely chooses a password and a random number to compute and . Then, submits to RC for user registration via a secure channel.

Step U2. calculates?,?,?,?,?,stores () in ’s smart card, and submits it to . Then keys into the smart card.

4.3. Login Phase

When wants to login to the server , he/she first inserts his/her own smart card to a card reader and then inputs the identity and password . The log-in details with respect to this smart card are as follows.

Step L1. The smart card computes , , and and checks whether . If the answer is yes, it means that the smart card matches to .

Step L2. The smart card generates a random value and computes ?,?,?.

Step L3. The smart card submits the login request message to over a public channel.

4.4. Verification Phase

After receiving the login request message from , performs the following tasks to authenticate the user.

Step V1. checks whether conforms to the fixed format. If the format is wrong, outputs the reject message; otherwise it calculates?,?,?,?,where is a random value, chosen by . Then sends to .

Step V2. Receiving the message , first verifies the public key of by the equation . Only under the case the equation holds, continues to calculate , . Then needs to check whether . When the verification can pass, authenticates and computes?,?.

Then transmits to .

Step V3. Next, undoes , and examines . If it is not the case, rejects the message and stops the session. Otherwise, successfully authenticates .

Step V4. Finally, the user and the service server agree on a common session key as ?.

4.5. Password Change Phase

The password change phase is invoked when the user wants to change his/her password to a new password . The user first inserts his/her smart card into a card reader and enters , . The smart card computes , and . Then, the smart card checks if the is the same as . If both values are the same, the user is asked to input a new password . The smart card calculates new information , , , . At last, the smart card replaces with the new to accomplish changing password. In this phase, is not needed to participate and the user can freely complete changing password by himself.

5. Analysis of Our Scheme

In this section, we first analyze the functionality features of our proposed scheme based on the requirements of the remote user authentication for multiserver architecture, which have been presented in Section 1. Then we evaluate the performance of the proposed scheme and make comparisons with some related works [8, 9, 11, 12, 17, 18].

5.1. No Repetitive Registration

In our scheme, before the user wants to login to the server under multiserver environment, they must run the user registration with his/her information to the registration center. Then, the user can access to all the service without submitting registration request once again.

5.2. No Verification Table

Throughout the protocol process, it is not difficult to find that and have no need to maintain any verification or password table, which can cost much and whose leakage may cause serious disruption. Meanwhile, our scheme does not need to store the user’s password or public key with certificate, too.

5.3. Mutual Authentication with Session Key Agreement

In the verification phase of the proposed scheme, the service server can authenticate the validity of by checking if holds. can verify the public key of with to confirm that is the objective service server; meanwhile check the equation to affirm that the login message is received by . Only when all previous equations are satisfied, the session continues and the communication parties agree on a shared session key . For the aforementioned analysis, our scheme can achieve mutual authentication with session key agreement.

5.4. No Synchronization Clock

In our scheme, both the user and the service server employ the random points to interactive with each other. The timestamp does not appear in the proposed scheme; therefore the synchronization clock problem can also be abstained in the session key.

5.5. Anonymity

In the user registration phase, the identity of the remote user can be protected from disclosure by the secure channel between and . In the login and authentication phase, ’s identity is submitted with substituting , nobody can learn the user’s real identity, and can only verify the user’s validity cannot obtain the real with the received message. To general adversary, he/she can extract the smart card and intercept the login message, but he can do nothing to crack the user’s identity due to the resistance to collision of the hash function. Therefore, we claim that our scheme can provide the user anonymity.

5.6. Security of the Session Key

(1)Perfect Forward Secrecy and Backward Secrecy. In this scheme, the session key is established by , , , where and rely on the random values and . and are independently generated in each session, are also changed for each authentication phase and are not correlated. The adversary cannot use current session key to derive forward and backward session key. Hence, we claim that our scheme achieves perfect forward secrecy and backward secrecy.(2)Known Session Key Security. In this scheme, the session key is composed of , and . Assume that the adversary can seize a session key ; he cannot obtain the parameters , , and attributed to the one-way hash function . Since and consist of , , which are independent for each session, no session keys rely on each other. Furthermore, though the adversary can intercept the current transmitted message , , he cannot compute the new session key ’s components without the server’s private key or due to the CDH problem’s difficulty.(3)No Key Control. In this scheme, the session key consists of , , , where partial parameters , are generated by Diffie-Hellman key exchange form; thereby the fairness of the session key can be guaranteed. More specifically, , , and are respectively provided by the user and the server; therefore either party is in vain attempting to preselect or control the session key.

5.7. Various Common Attacks

Our proposed remote user authentication scheme for multiserver architecture cannot only meet the previous security features, but also be against various known attacks, such as impersonation attack, and stolen smart card attack. We will discuss the following extra four attacks, the others can refer to [11, 18].(1)Impersonation Attack. If an adversary tries to impersonate as a legitimate user to log into the server, he/she must first forge a valid login request message . However, the adversary cannot compute a new and legal login message without knowing or . Suppose that the adversary can steal the smart card of the user by virtue of some approaches, he is still unable to calculate for the reason that he has no information about and . Moreover, even if the adversary utilizes to log into , he cannot pass the verification because he is unable to provide correct without or . The adversary cannot obtain the valid session key. Under the situation, our proposed scheme can withstand the impersonation attack.(2)Stolen Smart Card Attack. We assume that ’s smart card is stolen or lost; the adversary picks it and has the ability to breach the information stored in the smart card . Yet on the one hand, it is impossible to guess and correctly at the same time, on the other hand, and are, respectively, private key and secret value of , so the adversary cannot derive . Consequently, the adversary cannot fabricate a valid login message or compute the session key. That is the reason that our proposed protocol is secure against the stolen smart card attack.(3)Off-Line Password Guessing Attack. Assume that the adversary guesses a password from the dictionary; he can compute , but fails to calculate other information without or . The adversary cannot examine whether the guessed password is correct without comparing parameters. Hence, the adversary can extract the smart card information and intercept the transmitted message in public channel, but our proposed scheme can resist the off-line password guessing attack.(4)Man-in-the-Middle Attack. When an adversary wants to perform the man-in-the-middle attack, he can intercept the login message, communicate, and share the session key with the server. In the proposed scheme, even if the adversary gets the message in public channel, he cannot calculate , , or without or other random values . Consequently, our scheme can resist the man-in-the-middle attack.(5)Server Spoofing Attack. When a valid but malicious server wants to cheat on behalf of and obtain the session key, he needs to know both the witness and private key of . In our scheme, cannot provide the correct witness, and the user cannot pass the server’s public key verification. Even if intercepts , he cannot check the equation since he does not obtain without knowing the private key . Finally, the adversary fails to share the session key with the user . Therefore, our scheme can resist the server spoofing attack.

5.8. Local Password Verification

In our scheme, can account whether the used smart card matches with himself by checking before logging into , and thus accomplish the user password verification locally. Through the previous equation, can avoid network resource wasting caused by wrong password. Because until the authentication phase can authenticate user’s validity and password appropriateness; in other words, wrong password cannot be detected until the authentication phase. Therefore, our scheme can achieve local password verification.

At last, the functionality comparisons among our and other previously proposed schemes, such as [8, 9, 11, 12, 17, 18], are listed in Table 2. In particular, we can clearly see that the other schemes do not assist in the impersonation attack except our proposed scheme. Thus, it is obvious that our proposed scheme is superior to the others in accordance with all of essential comparative items. In addition, unlike the other related public key-based multiserver authentication schemes [17, 18], ours can achieve the user anonymity and local password verification. On the whole, our proposal is the only one that can satisfy all the functionalities for the multiserver architecture.

Table 2: Functionality and security comparison with the related schemes.
5.9. Performance

Under multiserver architecture, the computational cost is a key issue to evaluate whether a remote user authentication scheme is efficient because of mobile devices’ constrained resources and computing capability. Before analyzing the computational cost of each phase, define some notations and equivalence relationship first:(i): the time to compute a bilinear pairing map;(ii): the time to compute a point multiplication on the elliptic curve group;(iii): the time to compute a point addition on the elliptic curve group;(iv): the time to compute a hash function;(a);(b).

The XOR operation, modular multiplication, and modular addition operation are negligible during evaluating the performance. In the following, we will give the computational cost of five phases individually. In the server registration phase, the computational cost is . The user registration phase consumes . When the user logs into the server, it costs . During verification of each other between the server and the user, is demanded. The computational cost of the password change phase is . The detailed cost comparisons with the related authentication schemes [17, 18] are illustrated in Table 3. At the same time, we show the implementation result in Figure 2, which can show the computational cost contrast more intuitively. Table 3 and Figure 2 can clearly indicate that our proposal needs no pairing operation, while [18] contains and [17] contains . Because the relative computational cost of a pairing is approximately 20 times higher than that of the point multiplication over elliptic curve group, we can find that the computational cost of ours is obviously much less than that of others by removing pairing operation.

Table 3: Cost comparison with the related schemes.
Figure 2: Performance comparison between our scheme and others.

From Tables 2 and 3, we can make a conclusion that our remote authentication scheme has more security features and lower computational cost among the existing related works, which satisfies the requirements for the multiserver architecture.

6. Conclusions

An anonymous and efficient remote user authentication scheme for the multiserver architecture is proposed in this paper and the self-certified public keys are employed. Our scheme can satisfy all of the requirements needed for achieving secure authentication in multiserver environments, as compared with the previously proposed schemes. Moreover, the proposal succeeds to both achieve the user’s identity anonymity and remove the pairing operation, which makes that the proposed scheme can provide more advantages and be more practical for the actual applications. Additionally, we analyze the security and performance of our proposal and make comparisons with other related works. From these analysis and comparisons, we can reach a conclusion that our proposed scheme owns more functionalities and attains higher efficiency.


This work is supported by NSFC (Grant nos. 61272057, 61202434, 61170270, 61100203, 61003286, and 61121061) and the Fundamental Research Funds for the Central Universities (Grant nos. 2012RC0612 and 2011YB01).


  1. C. I. Fan, Y. C. Chan, and Z. K. Zhang, “Robust remote authentication scheme with smart cards,” Computers and Security, vol. 24, no. 8, pp. 619–628, 2005. View at Publisher · View at Google Scholar · View at Scopus
  2. S. W. Lee, H. S. Kim, and K. Y. Yoo, “Efficient nonce-based remote user authentication scheme using smart cards,” Applied Mathematics and Computation, vol. 167, no. 1, pp. 355–361, 2005. View at Publisher · View at Google Scholar · View at Scopus
  3. L. H. Li, I. C. Lin, and M. S. Hwang, “A remote password authentication scheme for multiserver architecture using neural networks,” IEEE Transactions on Neural Networks, vol. 12, no. 6, pp. 1498–1504, 2001. View at Publisher · View at Google Scholar · View at Scopus
  4. C. C. Chang and J. S. Lee, “An efficient and secure multi-server password authentication scheme using smart cards,” in Proceedings of the International Conference on Cyberworlds (CW '04), pp. 417–422, Tokyo, Japan, November 2004. View at Scopus
  5. W. S. Juang, “Efficient multi-server password authenticated key agreement using smart cards,” IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 251–255, 2004. View at Publisher · View at Google Scholar · View at Scopus
  6. J. L. Tsai, “Efficient multi-server authentication scheme based on one-way hash function without verification table,” Computers and Security, vol. 27, no. 3-4, pp. 115–121, 2008. View at Publisher · View at Google Scholar · View at Scopus
  7. W. J. Tsaur, C. C. Wu, and W. B. Lee, “A smart card-based remote scheme for password authentication in multi-server Internet services,” Computer Standards and Interfaces, vol. 27, no. 1, pp. 39–51, 2004. View at Publisher · View at Google Scholar · View at Scopus
  8. Y. P. Liao and S. S. Wang, “A secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards and Interfaces, vol. 31, no. 1, pp. 24–29, 2009. View at Publisher · View at Google Scholar · View at Scopus
  9. H. C. Hsiang and W. K. Shih, “Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards and Interfaces, vol. 31, no. 6, pp. 1118–1123, 2009. View at Publisher · View at Google Scholar · View at Scopus
  10. C. C. Lee, T. H. Lin, and R. X. Chang, “A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards,” Expert Systems with Applications, vol. 38, no. 11, pp. 13863–13870, 2011. View at Publisher · View at Google Scholar · View at Scopus
  11. X. Li, Y. P. Xiong, J. Ma, and W. D. Wang, “An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards,” Journal of Network and Computer Applications, vol. 35, no. 2, pp. 763–769, 2012.
  12. S. K. Sood, A. K. Sarje, and K. Singh, “A secure dynamic identity based authentication protocol for multi-server architecture,” Journal of Network and Computer Applications, vol. 34, no. 2, pp. 609–618, 2011. View at Publisher · View at Google Scholar · View at Scopus
  13. M. L. Das, A. Saxena, V. P. Gulati, and D. B. Phatak, “A novel remote user authentication scheme using bilinear pairings,” Computers and Security, vol. 25, no. 3, pp. 184–189, 2006. View at Publisher · View at Google Scholar · View at Scopus
  14. T. Goriparthi, M. L. Das, and A. Saxena, “An improved bilinear pairing based remote user authentication scheme,” Computer Standards and Interfaces, vol. 31, no. 1, pp. 181–185, 2009. View at Publisher · View at Google Scholar · View at Scopus
  15. Z. T. Jia, Y. Zhang, H. Shao, Y. Z. Lin, and J. Wang, “A remote user authentication scheme using bilinear pairings and ECC,” in Proceedings of the 6th International Conference on Intelligent Systems Design and Applications (ISDA '06), pp. 1091–1094, Jinan, China, October 2006. View at Publisher · View at Google Scholar · View at Scopus
  16. W. S. Juang and W. K. Nien, “Efficient password authenticated key agreement using bilinear pairings,” Mathematical and Computer Modelling, vol. 47, no. 11-12, pp. 1238–1245, 2008. View at Publisher · View at Google Scholar · View at Scopus
  17. Y. M. Tseng, T. Y. Wu, and J. D. Wu, “A pairing-based user authentication scheme for wireless clients with smart cards,” Informatica, vol. 19, no. 2, pp. 285–302, 2008. View at Scopus
  18. Y. P. Liao and C. M. Hsiao, “A novel multiserver remote user authentication scheme using selfcertified public keys for mobile clients,” Future Generation Computer Systems, vol. 29, no. 3, pp. 886–900, 2013.
  19. D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” SIAM Journal on Computing, vol. 32, no. 3, pp. 586–615, 2003. View at Publisher · View at Google Scholar · View at Scopus
  20. J. H. Yang and C. C. Chang, “An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem,” Computers and Security, vol. 28, no. 3-4, pp. 138–143, 2009. View at Publisher · View at Google Scholar · View at Scopus
  21. Y. P. Liao and S. S. Wang, “A new secure password authenticated key agreement scheme for SIP using self-certified public keys on elliptic curves,” Computer Communications, vol. 33, no. 3, pp. 372–380, 2010. View at Publisher · View at Google Scholar · View at Scopus
  22. W. J. Tsaur, “Several security schemes constructed using ECC-based self-certified public key cryptosystems,” Applied Mathematics and Computation, vol. 168, no. 1, pp. 447–464, 2005. View at Publisher · View at Google Scholar · View at Scopus