Abstract

Due to the rapid advancement of cryptographic techniques, the smart card has recently become a popular device because it is capable of storing and computing essential information with such properties as tamper resistance. However, many service providers must satisfy the user’s desire to be able to access services anytime and anywhere with the smart card computing devices. Therefore, multipurpose smart cards have become very popular identification tokens. In 2011, Wang et al. proposed an authentication and key agreement scheme for smart card use. Even so, two drawbacks still exist; that is, (1) the security requirement of mutual authentication has not been satisfied and (2) the authentication scheme cannot be used for multipurpose smart cards. In this paper, we propose an efficient and secure multipurpose, authenticated, key agreement scheme in which the user is required to register only once and can be authenticated without any registration center. Furthermore, the proposed scheme can be used in ubiquitous environments because of its low computation and communication overhead.

1. Introduction

Currently, the uses of smart cards include shopping, taking buses or subway, paying bills, parking cars, and passing through guarded gates. When the smart card is embedded in a mobile phone, many commercial transactions can be performed in ubiquitous computing environments. Therefore, multipurpose smart cards are very popular identification tokens, and service providers must satisfy the user’s desire to be able to access services anytime and anywhere with the smart card computing devices. However, in the ubiquitous computing environment, the communication channels are insecure and may suffer from eavesdropping, interception, and impersonation attacks [1]. Hence, we must simultaneously consider both service and security requirements to protect the rights and the privacy of users and providers [2]. These ubiquitous computing devices usually are small with limited computation and communication capabilities. Therefore, it is a difficult challenge to deploy comprehensive security mechanisms in the ubiquitous computing environment.

Although the smart card can be used to authenticate a user’s identity and perform electronic transactions, we must still consider the risk of accidental loss of the cards. Therefore, establishing a password is the most popular method for protecting the user.

In general, people choose words that are easy to remember or word strings with special meanings as passwords, but just using a password for authentication can easily make the user vulnerable to security breaches. Hence, the smart card is applied to improve the authentication security. As a result, most e-commercial transactions use both the smart cards and the passwords to ensure authentication and maintain security. Over the past two decades, many schemes have been proposed to achieve both user authentication and confidentiality of messages based on smart cards. In 1981, Lamport [3] proposed the well-known remote user authentication scheme with password tables. In 1993, to provide better security, Chang and Hwang proposed a novel multiserver authentication scheme [4] without password tables. Afterwards, many related research essays [511] have been proposed to improve the security and performance of authentication.

In 2004, Das et al. proposed a dynamic ID-based remote user authentication scheme [6] using smart cards. However, it had a serious security flaw; that is, if a malicious attacker gets the smart card, he or she can freely choose passwords to be authenticated by the server. In 2009, Wang et al. proposed an improved scheme [12] to enhance Das et al.’s scheme, but Khan et al. [13] found that Wang et al.’s scheme is infeasible because it cannot provide a secure communication channel between users and servers. Thus, Khan et al. proposed an enhanced scheme [13] to overcome these weaknesses. However, Khan et al.’s scheme cannot be applied in multipurpose and ubiquitous environments.

In 2011, Wang et al. proposed an improved scheme [14] to solve the problems associated with losing a smart card and the known-key attacks, which are vulnerabilities that exist in Wang et al.’s scheme [15] in 2007. They claimed that their scheme can achieve the following criteria [14]:(C1) No verification table: no verification or password table is stored at the server’s end.(C2) Freely chosen password: users can arbitrarily choose and change their passwords.(C3) The server administrator being not able to derive the user’s passwords: even the administrator will not obtain privilege to derive the user’s passwords.(C4) No one being able to impersonate a valid user: the authentication scheme must completely resist impersonation attacks.(C5) No clock synchronization or time-delay problems: it can get higher performance and better reduce synchronization cost than others.(C6) Mutual authentication: the scheme should resist reply, password-guessing, known-key, and stolen-verifier attacks.(C7) Session key agreement: the server and the user must negotiate a session key for protecting subsequent communications.(C8) Low computation and communication cost: due to the constrained power and the limited memory of the smart card, high computation operations should be reduced to achieve bandwidth demands.(C9) The user’s ability to revoke the smart card rather than the user’s identity: even if the user losses her or his smart card, her or his identity can be unchanged.(C10) The smart card loss protection: the scheme can protect the lost smart card from impersonation or guessing attacks.(C11) The smart card’s possibility to be used in a multipurpose environment: the smart card can be used to log in to many servers that provide a variety of services.

After a thorough analysis of Wang et al.’s scheme [14], we found some security issues; that is, a malicious attacker can easily impersonate the legitimate server to deceive the user, but the user cannot be conscious of this attack. So, the fooled user may submit his privacy information to an attacker and the scheme cannot achieve the multipurpose smart card requirement because it only has single-server authentication. In this paper, we propose a novel approach for solving these problems and improving the security strength. Furthermore, our scheme can be applied to the multipurpose, smart card environment; that is, the smart card can be authenticated by multipurpose servers. In addition, our scheme ensures computation efficiency, so it can be easily implemented in ubiquitous computing environments.

The rest of this paper is organized as follows. In Section 2, we review Wang et al.’s user authentication scheme and demonstrate the security drawback. Then, in Section 3, we present our scheme, that is, the multipurpose, smart card authenticated key agreement scheme, followed by the security and efficiency analyses shown in Section 4. Finally, concluding remarks are presented in Section 5.

2. Review of Wang et al.’s Scheme

In this section, we briefly review Wang et al.’s authentication and key agreement scheme [14] and demonstrate that their scheme cannot satisfy mutual authentication (C6) against the impersonation attack. Notations used throughout this paper are described in Section 2.1. The details and the drawbacks of Wang et al.’s scheme are demonstrated in Sections 2.2 and 2.3, respectively.

2.1. Notations

: the set of users, ,: the set of registered servers, ,RC: the registration center,: the server’s master key, the length of which is sufficient to resist the brute force attack,UID: the identity of the user,CID: the identity of the smart card,SID: the identity of the server,PW: the password of the user,: a secure one-way hash function [16, 17] with an -bit output,: a nonce value,, : two large primes,: an elliptic curve equation over of the server,: a generator point of with a large order ,, : two integer elements,: a large prime generated by , where ,, : two random numbers,SK: the session key,: the exclusive-or operation done for two-bit strings,: the string concatenation operator,: the ciphertext of , which is the product of encrypted using the key in the secure symmetric cryptosystem [18, 19],: the plaintext of , which is the product of decrypted using the key in the secure symmetric cryptosystem [18, 19],CRL: the smart card revocation list.

2.2. Review of Wang et al.’s Scheme

In this subsection, we briefly review and discuss Wang et al.’s scheme [14]. There are two participants involved, that is, the user and the server. Let UID, CID, and SID be the unique identification of the user, server, and smart card, respectively.

Wang et al.’s scheme comprises several phases, that is, registration phase, authentication phase, password changing phase, revoking smart card phase, user eviction phase, and user anonymity phase, but we only discuss the first two phases. The other phases of their scheme basically conform to the above-mentioned security requirements.

Before the scheme starts, it must set some system parameters, which must satisfy the elliptic curve cryptosystem requirements [20], for example, , , and . We assume that all system parameters conform to the security requirements.

Registration Phase. In this phase, all messages are delivered in a secure channel, since the smart card cannot be transmitted in the network. When a new user wants to access a server’s services, he/she must first submit his/her identity (UID) to the server for registration. If the server accepts the application, it then takes the following steps.

Step 1. The server computes a parameter .

Step 2. The server stores () in the smart card and issues it to .

Step 3. The server maintains the (UID, CID) table.

Step 4. After receiving the smart card, inputs her or his password (PW) into the smart card. The smart card computes . Then it replaces with in the smart card. As a result, the smart card stores ():

Authentication Phase. We illustrate this phase in (1) and explain the details as follows. When wants to log in to the server, he/she inserts the smart card into the card reader and inputs his/her password PW into the device. The user performs the following steps.

Step 1. computes , , and .

Step 2. delivers (UID, , ) to the server.
The server receives the above message and then executes the steps as follows.

Step 3. The server computes .

Step 4. The server checks with . If they are equal, then the user’s identity can be sure. Otherwise, terminates this procedure.

Step 5. The server calculates , , and .

Step 6. The server returns () to the user.
After receiving (), enforces the steps to validate the server’s identity and generate a session key as follows.

Step 7. computes ) and .

Step 8. checks with . If they are equal, then the server’s identity is valid. Otherwise, terminates this procedure.

Step 9. computes and transfers to the server.

Step 10. If passes the validation with , then the server and can obtain a session key . Otherwise, the server will give up on this authentication.

2.3. Drawbacks of the Reviewed Scheme

After analyzing the above protocol, we can easily derive the session key to keep data secrecy in further communications. However, we find that it still has two drawbacks. First, their scheme cannot be applied in the smart card multipurpose requirements because it is only designed for a single-server authentication environment. In addition, it has a security flaw. The malicious attacker can impersonate a legal server to cheat the user. Hence, it cannot satisfy the mutual authentication requirement. We show how the attacker can impersonate a legitimate server in the authentication phase as follows.

Assume that a malicious attacker Mary can intercept all transmitted messages between the user and the server. Then, she counterfeits a legal server to perform authentication with the user. First, the user sends (UID, , ) to Mary. Then, Mary randomly chooses a number to compute , , and as in Step . After that, Mary delivers to . As a result, can pass the validation in Step because and . Finally, Mary drops the returned of Step , so she can securely communicate with using the session key . Therefore, Wang et al.’s scheme cannot achieve mutual authentication.

3. The Proposed Scheme

In this section, we first list the superiorities of our scheme over Wang et al.’s scheme in Section 3.1. Then, the details of our novel scheme are presented in Section 3.2.

3.1. Superiorities of Our Scheme
3.1.1. Mutual Authentication

Our protocol ensures mutual authentication between and without a password table.

3.1.2. Multipurpose Smart Cards

The smart card can satisfy the multipurpose requirement. The smart card can be used to access multiple servers on the user’s demand.

3.1.3. Efficiency and Practicability

The user can dynamically choose or remove services, as he or she chooses. The user’s changing of her or his demands will not affect any service server. In addition, the transmission rounds and computation load are simplified in the authentication phase. Therefore, our scheme can be easily implemented for ubiquitous environments.

3.2. Our Proposed Scheme

In our scheme, the user can use the smart card to dynamically access many kinds of services. Therefore, the registration center RC is a necessary participant to manage adding or removing the services of the users.

The proposed scheme consists of five phases, that is, the initialization phase, the registration phase, the authentication phase, the demands-changing phase, and the card-revoking phase. Note that is the RC’s secret key in our scheme. The details are shown as follows.

Initialization Phase

Step 1. If the server wants to join this service group, it must submit its identity and its secret prime number to RC for registration.

Step 2. RC stores () and sends to through a secure channel.

Registration Phase

Step 1. arbitrarily chooses a large prime and sends () to RC for registration and asks a set of services, where .

Step 2. RC performs the following processes:(2.1)RC computes all ’s, where .(2.2)RC expands the length of each to be by setting the most significant bit to be 1.(2.3)RC calculates and .

Step 3. RC stores () in the smart card. Then, RC issues this smart card to .

Step 4. After receiving the smart card, inputs her or his password into the smart card. The smart card computes . Then it replaces with in the smart card. As a result, the smart card stores ().

Authentication Phase. We illustrate this phase in (2) and explain the details as follows. When wants to log in to , where , he/she inserts the smart card into the card reader and inputs his/her password into the device. The user performs the steps as follows.

Step 1. The smart card computes and generates a random key , where .

Step 2. The smart card calculates and , where is a nonce value.

Step 3. delivers () to the server .
receives the above message and then executes the steps as follows.

Step 4. computes and to obtain , , , and .

Step 5. checks the , , and . If and pass the validation and does not belong to CRL, then the user’s identity can be sure. Otherwise, terminates this procedure.

Step 6. calculates .

Step 7. returns () to .
After receiving (), executes the steps to validate the server’s identity as follows.

Step 8. computes to obtain and .

Step 9. checks and with the received and . If they are valid, then the server’s identity can be sure, and the session key . Otherwise, terminates this procedure:

Demands-Changing Phase. When the user changes her mind, she wants to increase or remove some services. She must perform the registration phase again. She chooses a new services combination set . Then RC and perform Steps through . Afterwards, RC gets a new set (), and the smart card stores a new (). Other participants will not be affected by these changes.

Card-Revoking Phase. When the user loses his smart card, he must apply to RC for a new one. RC will record the lost card’s CID into CRL and publish the CRL to all registered servers. Then, RC will perform the same steps in the registration phase to issue a new smart card to the user.

4. Security and Efficiency Analyses

In this section, we discuss several significant attacks and analyze the efficiency of our scheme. The security analyses are shown in Section 4.1. Then, we demonstrate that the proposed scheme can achieve the computation and communication efficiency listed in Section 4.2.

4.1. Security Analyses
4.1.1. Choosing the Session Key

Because the session key is a modular, it must be less than all ’s of . Otherwise, the server will not derive the correct session key . However, for security reasons, we expect the value to be as large as possible. To achieve these two requirements, the session key must satisfy . Otherwise, there is a possibility that an incorrect number will be derived in the server. To ensure that the above equation holds, we expand the length of each to be and set the most significant bit as 1. Meanwhile, the system must check whether . Therefore, the availability of our scheme can be sure.

4.1.2. Session Key Security

If an attacker collects many ’s and tries to derive the next session , it will be impossible. Due to the process of generating the session key in the authentication phase, each session key is independent and different.

4.1.3. The Server’s Secrecy Protection

Although the user knows , the server’s secrecy can still be protected. The user cannot compute any , since is a secure one-way hash function [16, 17]. In addition, each may not be a prime, so it can resist the collusion attacks of several legitimate subscribers. The malicious user will get nothing to calculate because both and are two products of many respective different factors. It is hard to find any common divisor among them, since and are different.

4.1.4. Impersonating Attacks

No adversary can impersonate the eligible user in our scheme. When the adversary tries to impersonate the eligible user, he/she uses the fake message to log in to the server and will get stuck in the authentication process. Since he/she does not know and of , he/she cannot compute and .

On the other hand, if the attacker impersonates the service server, the user will detect that someone is trying to impersonate the server in Step of authentication phase. This is because the adversary cannot compute without the true . As a result, he/she cannot respond with the correct messages and to the user.

Even if a legal subscriber wants to impersonate a legal subscriber , it is still very difficult because the user cannot derive the from . Hence, no one can impersonate the eligible user or the service server in our scheme.

4.1.5. Reply Attacks

Both and must check nonce ; meanwhile, they are protected by the secure key encryption, since the attacker cannot change it arbitrarily. This way, we can eliminate the possibility of a replay attack.

4.1.6. Password-Guessing Attacks

If a malicious attacker tries to guess the password of a lost smart card, he will fail. The password is stored neither in the smart card nor on the server’s disk. His incorrect guesses of the password will be rejected in Step of the authentication phase, since the incorrect is used.

4.1.7. Known-Key Attacks

Each session key is different from all others, since the session key is randomly generated during each iteration. Hence, our scheme can achieve forward secrecy and backward secrecy.

4.1.8. Smart Card Loss Attacks

If any user loses his smart card, he can apply for a new one and revoke the lost smart card in the card-revoking phase. If an attacker deploys a lost smart card to log in to the server, it will fail because the server will check CID in Step of authentication phase. Therefore, our scheme can satisfy (C9) and (C10) of the aforementioned criteria.

4.2. Efficiency Analyses

Property 1 (the scheme needs no password and encrypted key table). Since the server and the user can compute in the authentication phase without the help of the encrypted key table or the password table, the challenge-response interactive authentication can be ensured.

Property 2 (the scheme provides mutual authentication without RC’s support). As shown in our scheme, when the new server and the user join this system, RC does not need to transmit any message to each user and the server. Since the smart card and compute the session key, RC is not involved. On the other hand, RC only takes charge of the registration of new users or new servers. Hence, our proposed scheme can reduce RC’s overhead.

Property 3 (the scheme provides higher security and computation efficiency). Wang et al.’s scheme is based on the difficulty of solving the elliptic curve discrete logarithm problem with a 160-bit key; the security is quite solid, for now. However, our scheme deploys a symmetric cryptosystem and key length with at least 128 bits. According to Table 1 [14], our scheme will provide higher security than ECC-160 bits and provide greater computation efficiency because it can estimate an account of a symmetric key encryption (DES or AES functions) 1000 times faster than the asymmetric key encryption (ECC) speed, according to Schneier’s book [20]. Therefore, our scheme fits for low computation devices and ubiquitous environments.

Property 4 (the scheme provides both communication and round efficiencies). It is assumed that both the output size of the secure one-way hashing function [16] and the block size of the secure symmetric cryptosystems are 160 bits. We list the comparisons of communication cost between our scheme and the related schemes in Table 2. Obviously, our scheme’s communication efficiency is better than Wang et al.’s scheme [14]. Moreover, both of Wang et al.’s schemes [14, 15] are insecure. In addition, our scheme only needs two-round interactions to complete authentication and key agreement negotiation. That is the smallest number of rounds in any of the related schemes.

Property 5 (the scheme is practical). In Table 3, comparisons of the criteria between our scheme and the related schemes are shown.

According to Table 3, our scheme proposes a solution to enhance the security drawback of Wang et al.’s scheme, and it also satisfies the multipurpose smart card requirement. Moreover, the numbers of different kinds of computation operations required by our scheme are smaller than those required by Wang et al.’s scheme [14], so the computation load of our scheme is lighter than the others. In addition, among aforementioned schemes, ours is the only one that can be used in the distributed authentication architecture. It is obvious that our proposed scheme is superior to both of Wang et al.’s schemes [14, 15] in terms of both round efficiency and computation efficiency.

5. Conclusions

In this paper, we have proposed a multipurpose key agreement scheme using smart cards. The proposed scheme enhances Wang et al.’s scheme. Moreover, it provides better functionality and efficiency. According to the analyses in the above section, our scheme can be practically used in ubiquitous computing environments.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.