Abstract

A password authentication scheme that also relies on a smart card is called a two-factor authentication scheme. Two-factor authentication is the most widely accepted mechanism for giving authorized users a secure and efficient way to access resources over an insecure communication channel. Up to now, many two-factor user authentication schemes have been proposed; however, most of them are vulnerable to smart card loss attacks, offline password guessing attacks, impersonation attacks, and so on. In this paper, we design a password-based remote user authentication scheme with key agreement using the elliptic curve cryptosystem. Security analysis shows that the proposed scheme achieves a high level of security, and that it is more practical and secure than some related schemes.

1. Introduction

Due to the rapid growth of Internet technology, more and more people use the network to acquire services and exchange data. Remote user authentication is one of the most important mechanisms for identifying a legal user over an insecure communication network. Since Lamport [1] proposed the first password-based remote user authentication scheme, many password-based single-factor authentication schemes [2-7] have been proposed in the literature. However, most password-based single-factor authentication schemes have various security pitfalls. In order to provide better security, Hwang and Li [8] developed a two-factor authentication scheme in 2000. In a two-factor authentication scheme, authentication is based on both the user's password and a smart card: when the user wants to access resources on a server, he/she inserts the smart card into a card reader and inputs his/her password. The smart card then uses the password to generate a login request message and sends the request to the server, which verifies the validity of the request message. In 2009, Xu et al. [9] proposed a smart-card-based password authentication scheme and claimed that it could resist the stolen smart card attack. But in 2010, Sood et al. [10] and Song [11] pointed out that Xu et al.'s scheme was vulnerable to impersonation attack and internal attack, and each proposed an improved scheme. In 2012, Chen et al. [12] analyzed Xu et al.'s scheme and showed that any user can impersonate other users and fool the service-providing server. Chen et al. [12] also pointed out security flaws in the schemes of Sood et al. [10] and Song [11]: Sood et al.'s scheme [10] does not guarantee mutual authentication during the authentication phase, and Song's scheme is susceptible to an internal offline guessing attack.
Chen et al. then presented an improved scheme in the same paper. Unfortunately, in 2013, Kumari and Khan [13] pointed out that Chen et al.'s scheme cannot withstand user impersonation attack, server spoofing attack, and offline password guessing attack. Besides, Chen et al.'s scheme does not provide important features such as user anonymity, confidentiality of the messages sent over the air, and revocation of a lost/stolen smart card. Also in 2013, Jiang et al. [14] pointed out that Chen et al.'s scheme was insecure against offline dictionary attacks and proposed an improved authentication protocol that does not use a smart card.

In 2009, Yang and Chang [15] proposed an ID-based remote mutual authentication with key agreement scheme on ECC. In their scheme, the server and the user accomplish mutual authentication through the user's unique identity, and they claimed that both the computation cost and the communication cost of their scheme are lower than those of some related schemes. Nevertheless, Islam and Biswas [16] showed that Yang and Chang's scheme [15] is vulnerable to replay attack and known session-specific temporary information attack. Besides, Yang and Chang's scheme [15] provides neither user anonymity nor session key forward secrecy. Islam and Biswas further found that Yang and Chang's scheme does not define how to revoke the authentication key of a user with the same identity. Later, Truong et al. [17] pointed out that Islam and Biswas's scheme [16] still cannot resist the known session-specific temporary information attack. In this paper, we present a two-factor user authentication with key agreement scheme using the elliptic curve cryptosystem, based on the schemes of Yang and Chang [15] and Islam and Biswas [16]. Security analysis shows that our proposed scheme can resist various attacks.

The rest of the paper is organized as follows. Section 2 introduces some preliminaries. In Section 3, the proposed two-factor authentication with key agreement scheme is described; the corresponding security analysis is given in Section 4, and Section 5 compares the performance and functionality of the proposed scheme with related schemes. Finally, we conclude this paper in Section 6.

2. Preliminaries

In this section, we introduce the basic concepts of the elliptic curve cryptosystem (ECC). In an elliptic curve cryptosystem, the elliptic curve equation is defined as the form of : . Given an integer and a point , the point multiplication over is defined as ( times), that is, repeated point addition. Generally, the security of ECC relies on the difficulty of the following problems.

Definition 1. Given two points and over , the elliptic curve discrete logarithm problem (ECDLP) is to find an integer such that .

Definition 2. Given three points , , and over for , , the computational Diffie-Hellman problem (CDHP) is to find the point over .

Definition 3. Given two points and over for , , the elliptic curve factorization problem (ECFP) is to find two points and over .
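The point multiplication and the hardness assumptions above are easier to follow with concrete arithmetic. The following is an added example, not part of the paper's scheme: a toy implementation of affine point addition, double-and-add point multiplication, and an ephemeral Diffie-Hellman exchange of the kind the forward-secrecy argument in Section 4.2 relies on. The curve (y^2 = x^3 + 2x + 2 over F_17, generator (5, 1) of order 19) is a textbook toy parameter set chosen here only so that the ECDLP can be brute-forced by hand; the class and function names are our own and nothing here is secure for real use.

```python
"""Toy elliptic-curve arithmetic over a small prime field (added example).

Makes the preliminaries concrete: point multiplication k*P, the ECDLP
(recover k from P and k*P) and the CDHP (recover a*b*P from a*P and b*P).
The curve parameters are a constructed textbook toy and are NOT secure.
"""

from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None denotes the point at infinity O


@dataclass(frozen=True)
class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p."""
    p: int
    a: int
    b: int

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Group law in affine coordinates; O is the identity element."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                      # P + (-P) = O (covers 2P when y = 0)
        if P == Q:                           # tangent slope for doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                                # chord slope for distinct points
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k*P = P + P + ... + P (k times), computed by double-and-add."""
        R: Point = None
        addend = P
        while k > 0:
            if k & 1:
                R = self.add(R, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return R

    def order(self, P: Point) -> int:
        """Smallest n > 0 with n*P = O (exhaustive; only viable on a toy curve)."""
        n, R = 1, P
        while R is not None:
            R = self.add(R, P)
            n += 1
        return n

    def ecdlp_bruteforce(self, P: Point, Q: Point, n: int) -> Optional[int]:
        """Solve Q = k*P for k in 1..n-1 by exhaustive search.  This is feasible
        only because n is tiny; the ECDLP assumption is that for a ~256-bit n
        no such search (or any other method) is practical."""
        R = P
        for k in range(1, n):
            if R == Q:
                return k
            R = self.add(R, P)
        return None


# Constructed toy parameters (textbook curve of Paar and Pelzl), not secure.
E = Curve(p=17, a=2, b=2)
G: Point = (5, 1)
N = 19  # order of G (and of the whole group, which has prime order)


def ecdh(a: int, b: int) -> Tuple[Point, Point, Point, Point]:
    """Ephemeral Diffie-Hellman on E: the user picks a, the server picks b.
    Both derive a*b*G; an eavesdropper who sees only a*G and b*G must solve
    the CDHP (Definition 2) to obtain it."""
    A = E.mul(a, G)        # user's ephemeral value a*G, sent over the channel
    B = E.mul(b, G)        # server's ephemeral value b*G, sent over the channel
    K_user = E.mul(a, B)   # a*(b*G)
    K_server = E.mul(b, A) # b*(a*G), the same point
    return A, B, K_user, K_server


if __name__ == "__main__":
    assert E.contains(G) and E.order(G) == N
    A, B, K_user, K_server = ecdh(a=7, b=5)
    print("a*G =", A, " b*G =", B, " shared point =", K_user, K_server)
    print("ECDLP on the toy curve recovers a =", E.ecdlp_bruteforce(G, A, N))
```

Because the group has prime order 19, every non-identity point generates it, and the exhaustive `ecdlp_bruteforce` succeeds after at most 18 additions; the same loop over a standards-size curve would never finish, which is exactly the gap between a toy and a real ECDLP instance.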

3. The Proposed Scheme

In this section, we propose a two-factor user authentication with key agreement scheme based on the elliptic curve cryptosystem. The notations used in the proposed scheme are listed in the Notations section, and the scheme is shown in Figure 1. Our scheme consists of five phases: the system initializing phase, the registration phase, the login phase, the authentication and key agreement phase, and the password change phase. The details of these phases are as follows.

3.1. System Initializing Phase

Step 1. The server chooses an elliptic curve equation and a base point with the order over .

Step 2. The server selects the private key and computes the corresponding public key .

Step 3. The server chooses three one-way hash functions: , , .

Step 4. The server publishes .

3.2. Registration Phase

If the user wants to become a legal user of the system, he/she has to submit the related information to the server . The registration phase proceeds in the following steps.

Step 1. The user chooses his/her own identity and password and a random number ; then the user submits and to the server over a secure communication channel.

Step 2. The server computes and .

Step 3. The server stores into a smart card and issues the smart card to the user via a secure channel.

Step 4. On receiving the smart card, the user enters the random number into the smart card, so that the smart card finally contains .

3.3. Login Phase

When the user wants to log in to the server , he/she inserts the smart card into the card reader of a terminal and inputs and . The smart card then performs the following steps.

Step 1. The smart card computes and checks whether . If it holds, the user has entered the correct identity and password; otherwise, the smart card terminates the session.

Step 2. The user selects a random and computes , , , , and , where .

Step 3. The user submits the login request message to the server .

3.4. Authentication and Key Agreement Phase

Upon receiving the login message from the user , the server performs the following steps to achieve mutual authentication.

Step 1. The server computes , , , and and then checks whether . If they are equal, the validity of the user is authenticated by the server . Otherwise, the session is terminated by the server .

Step 2. The server chooses a random number and computes ,  , and .

Step 3. The server sends the authentication message to the user .

Step 4. After receiving , the user computes ,   and checks if holds. If the equation holds, the server is authenticated by the user . And the user sends the message , where .

Step 5. On receiving the message , the server computes and compares it with the received . If they are equal, the server and the user have achieved mutual authentication. Otherwise, the server terminates the session.

Step 6. At last, the user and the server can compute the session key and .

3.5. Password Change Phase

When the user wants to change his/her password to a new one , the user can update his/her password by performing the following steps without the help of the server .

Step 1. The user inserts his/her smart card into a card reader and inputs and . The smart card computes and checks whether the result is the same as the stored . If both values are the same, the user inputs a new password .

Step 2. The smart card computes , .

Step 3. At last, the smart card replaces and with and , respectively.

4. Security Analysis of Our Scheme

In this section, we discuss the security features of the proposed authentication with key agreement scheme. The performance comparison with related works is given in Section 5.

4.1. Mutual Authentication with Session Key Agreement

In the proposed scheme, the user sends the login request message to . After receiving the message , the server authenticates the user by checking whether the equation holds. If the computed value equals the received value , the server confirms that the user is valid. Then the server replies with the message to the user. When the user receives the message, he/she authenticates the server by comparing the computed value with the received value . If they are equal, the user confirms that the server is legitimate. At last, the server authenticates the user by checking whether the equation holds. Only when all of these checks succeed does the session continue, and the communicating parties then share a session key . From the above discussion, the proposed scheme achieves mutual authentication with session key agreement.

4.2. Forward Secrecy

Forward secrecy means that if the long-term secrets of the participating entities (e.g., the server's secret key and the user's password ) are compromised, the secrecy of previous session keys should not be affected. In the proposed scheme, the session key , where , depends on the random values and . and are generated independently in each session and have no relation to the server's secret key or the user's password . So, the attacker cannot compute any previous without the random value chosen by the user and the random value chosen by the server . On the other hand, even if the attacker obtains and from the public channel, he/she still cannot compute the session key, because that would require solving the computational Diffie-Hellman problem. Thus, the proposed scheme provides forward secrecy.

4.3. User Anonymity

In the proposed scheme, the user's identity is neither stored in the smart card nor transmitted in plaintext. In fact, the user's identity is submitted within , which changes in every login phase. Even if the attacker eavesdrops on the login request message and the authentication messages and , the attacker has no way to learn the user's identity , because the attacker cannot derive from without knowing the server's secret key and the user's password . Thus, the proposed scheme provides user anonymity.

4.4. Resisting Server Spoofing Attack

In the proposed scheme, if the attacker wants to masquerade as the remote server to cheat the user , he/she has to generate a valid message , where and . That is to say, the attacker must obtain the values and to compute a valid message . However, the attacker cannot compute and without knowing the private key of the server and the user's password . Therefore, our scheme is secure against the server spoofing attack.

4.5. Resisting Insider Attack

An insider attack arises when a user registers with more than one server using the same identity and password; a privileged insider of one server can then impersonate the user and access the other servers by forging a valid login request. In the registration phase of the proposed scheme, the user freely chooses his/her identity and password and submits and to the server . The server cannot obtain the password from , since doing so would require solving the elliptic curve discrete logarithm problem (ECDLP). Therefore, the proposed scheme can resist the insider attack.

4.6. Resisting Smart Card Loss Attack

Assume that the user 's smart card is lost or stolen, and the attacker can extract the information stored in the smart card, where and . On the one hand, the attacker cannot guess the user's password from and , since it is protected by a one-way hash function. On the other hand, the attacker cannot fabricate a valid login request message or compute the session key using the stolen smart card. Besides, it is impossible for the attacker to update the user's password, because the attacker must know the real identity and to pass the verification . Therefore, the proposed scheme is secure against the stolen smart card attack.

4.7. Resisting Impersonation Attack

If the attacker wants to impersonate a legitimate user to pass the authentication of the server , he/she has to forge a valid login request message . Suppose the attacker possesses the user's smart card and has intercepted the user's previous login request message, and attempts to impersonate the user by sending the login message . This impersonation attempt will fail in Step 1 of the authentication phase, since the attacker has no way to obtain the values of , , and . Therefore, the proposed scheme is secure against the impersonation attack.

4.8. No Key Control

In the proposed scheme, the session key consists of , , and , where and are provided by the user and the server, respectively. Therefore, the fairness of the session key is guaranteed, and neither party can preselect or control the session key on its own.

4.9. Resisting Replay Attack

In a replay attack, the attacker tries to impersonate a legitimate user by reusing messages captured from previous runs of the protocol. In the proposed scheme, and are random numbers selected freshly by the user and the server , respectively, and they differ in every session. Consequently, the messages exposed on the public channel differ in each session, and a replayed message from an earlier session fails the verification in the current one. Thus, the proposed scheme can prevent the replay attack.

4.10. Known Session-Specific Temporary Information Attack

The known session-specific temporary information attack considers the case where the session's ephemeral secrets are accidentally exposed to an adversary; this exposure should not compromise the generated session key. In the proposed scheme, even if the session ephemeral secrets and are leaked, the adversary cannot obtain the session key , because the adversary has no way to know and . Hence, the proposed scheme can resist the known session-specific temporary information attack.

5. Performance and Functionality Analysis

In this section, we compare the efficiency and security properties of the proposed scheme with related schemes proposed by Yang and Chang [15] and Islam and Biswas [16].

Table 1 compares the computation cost of our proposed scheme with that of the related schemes. We count only ECC point multiplications, ECC point additions/subtractions, and hash operations; the cost of XOR operations is negligible compared to these. According to Table 1, the cost of our proposed scheme is slightly higher than that of the other schemes. However, our scheme achieves all of the security properties listed in Table 2, which summarizes the security properties of the proposed scheme and the two previous schemes. It is easy to see that our proposed scheme satisfies all of the security requirements, so the proposed scheme offers stronger security.

6. Conclusion

In this paper, we have proposed a two-factor user authentication with key agreement scheme based on the elliptic curve cryptosystem. The analysis shows that the computation cost of our proposed scheme is slightly higher than that of the other schemes; however, our scheme accomplishes the desired security goals that some related schemes fail to meet. As a result, our scheme is more secure and practical for real-life use.

Notations

:Server
:User
():The server ’s private/public key pair, where
: Identity of the user
:Password of the user
:A secure one-way hash function, where
:A secure one-way hash function, where
:A secure one-way hash function, where
:A secret number chosen by the user
:A secret number chosen by the server
:Message concatenation operation
:A finite field
:An elliptic curve defined on finite field with prime order
:Additive group of points on over a finite field
:Generator of .

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.