Security and Communication Networks
Volume 2018, Article ID 9062675, 15 pages
https://doi.org/10.1155/2018/9062675
Research Article

A Secure and Anonymous Two-Factor Authentication Protocol in Multiserver Environment

1School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China
2School of Software and Microelectronics, Peking University, Beijing, China

Correspondence should be addressed to Guoai Xu; xga@bupt.edu.cn

Received 28 August 2017; Accepted 29 January 2018; Published 15 April 2018

Academic Editor: Shujun Li

Copyright © 2018 Chenyu Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

With the rapid development of network technology, multiserver systems are widely used to provide a variety of services, and two-factor authentication protocols for multiserver systems attract more and more attention. Recently, two new schemes for the multiserver environment were claimed to be secure against the known attacks. However, after scrutinizing these two schemes, we found that their description of the adversary’s abilities is inaccurate and that both schemes suffer from many attacks. Thus, we first corrected their description of the adversary’s capacities by introducing a widely accepted adversary model and then summarized fourteen security requirements for multiserver authentication based on the works of pioneer contributors. Secondly, we revealed that one of the two schemes fails to preserve forward secrecy and user anonymity and cannot resist the stolen-verifier attack and the off-line dictionary attack, among others, and demonstrated that the other scheme fails to preserve forward secrecy and user anonymity and is not secure against the insider attack and the off-line dictionary attack, among others. Finally, we designed an enhanced scheme to overcome these identified weaknesses, proved its security via BAN logic and heuristic analysis, and compared it with other relevant schemes. The comparison results show the superiority of our scheme.

1. Introduction

The development of network technology has greatly changed the way people live and work. The Internet has brought our society into the information age and has become an indispensable part of people’s lives. Nowadays, with the maturity and rapid development of Internet technology, people’s daily routines have become more convenient and efficient thanks to the growing number of online services. However, the openness and virtuality of the Internet mean that the network environment is untrusted, and information security and privacy issues come with it. In recent years we have heard of too many incidents of user data being leaked. For example, in 2015 about 10 GB of user data from Ashley Madison (the world’s largest extramarital-affairs web site, which offers dating services for married people) was exposed; many celebrities were exposed in this event, and the whole society was surrounded by fear. Anthem lost 80 million user records including user name, birthday, social insurance number, phone number, email, and so on, the largest exposure of medical-institution user data in the United States. For a more secure network environment, cryptography is one of the key technologies, and a necessary part of it is providing authentication and key agreement for remote entities. This mechanism is called user authentication.

Usually, a well-defined authentication scheme should guarantee that only a legitimate user can enjoy the service and that the corresponding server is real and legitimate. At the beginning, passwords, thanks to their simplicity and accessibility, were widely used in the authentication process. However, it has been found that password-based single-server authentication protocols are always at risk of the stolen-verifier attack, because the server has to maintain a password-related table. Thus the smart card, as a second authentication factor, came into wide use [1–5].

Furthermore, the increasing demands of network life have prompted service providers to extend the traditional single-server environment into a multiserver one in order to offer more kinds of services and improve their quality of service; thus the multiserver system came into being. However, single-server authentication schemes are no longer suitable for a multiserver system: such a scheme asks a user to register on each server one by one, so users have to remember many different identities and passwords, which is bound to bring unnecessary trouble. To cope with a mountain of identities and passwords, a user is likely to reuse the same identity and password, so a disclosure on one server spreads across the whole multiserver system.

To solve this problem, scholars put forward the multiserver authentication mechanism, whose goal is that the user registers only once with the registration center and can then log in to the different application servers using the same account. This idea is also of high reference value for cloud computing, the Internet of Things, vehicular networks, and so forth. In 2001, Li et al. [6] proposed a neural-network-based scheme for the multiserver system; its communication and computation costs are very high and, furthermore, the users have to store a large amount of data. In 2003, Lin et al. [7] proposed a new scheme with lower costs, which Juang [8] pointed out to be inefficient; he therefore recommended a symmetric-cryptography-based protocol that resolved the problem of reregistration with high computational efficiency. Unfortunately, Chang and Lee [9] revealed that Juang’s scheme suffers from the off-line password guessing attack and that users cannot change their password; they therefore proposed an improved scheme. In 2004, Tsaur et al. [10] demonstrated that Chang and Lee’s scheme is vulnerable to the insider attack and the forgery attack, so they designed an RSA-based scheme. Once again, their scheme was shown to be vulnerable to the impersonation attack [11].

The schemes above share a common problem: the user identity is static, so they usually fail to achieve user anonymity. To remedy this, Liao and Wang [12] proposed a dynamic-identity-based protocol in 2009, which Hsiang and Shih [13] later showed to be insecure against the impersonation attack and the insider attack. Unfortunately, Sood et al. [14] then revealed that Hsiang and Shih’s scheme is not as secure as they claimed.

1.1. Contributions

Recently, Li et al. [15] and Sood [16] each proposed a user authentication scheme for multiserver networks, and both were claimed to be secure against various known attacks. However, in 2016 Amin [17] demonstrated that the two schemes cannot resist the off-line guessing attack, the insider attack, and so on, and provided a new enhanced protocol to overcome those weaknesses. In the same year, Maitra et al. [18] reexamined Leu and Hsieh’s scheme [19] and Li et al.’s scheme [20], found that both were subject to many security threats, and put forward a new scheme based on a symmetric cryptosystem that aims to resist various attacks while offering several desirable attributes. Unfortunately, according to our analysis, these two schemes once again fail to be sound authentication protocols. To point out the common issues in user authentication schemes, we use these two recent and representative schemes as case studies to show the weaknesses present in most schemes. Then, based on the analysis, we propose an improved scheme to show one possible way to overcome those weaknesses. In a word, our contributions can be summarized as follows:
(1) We reveal that the description of the adversary’s abilities in many schemes is inaccurate and restate a widely accepted and practical adversary model.
(2) We summarize fourteen security requirements for the multiserver environment based on the works of pioneer contributors.
(3) We demonstrate that Maitra et al.’s scheme [18] fails to preserve forward secrecy and user anonymity and cannot resist the stolen-verifier attack and the off-line dictionary attack, among others, and that Amin’s scheme [17] fails to preserve forward secrecy and user anonymity and is not secure against the insider attack and the off-line dictionary attack, among others.
(4) We propose an enhanced scheme with user anonymity, prove its security via BAN logic and heuristic analysis, and compare it with other relevant schemes.
The comparison shows that our scheme, though its costs increase slightly, achieves all fourteen security requirements and is therefore better suited to the multiserver environment.

1.2. Construction of the Paper

Section 2 describes the preliminaries; Sections 3 and 4 analyze Maitra et al.’s scheme [18] and Amin’s scheme [17], respectively. Section 5 proposes the new scheme, Section 6 proves its security, and Section 7 analyzes its performance. Section 8 concludes the paper.

2. Preliminaries

For a better understanding of two-factor authentication schemes in the multiserver environment, we first describe the computational problems, the communication model, the adversary model, and the security requirements.

2.1. Computational Problems

(1)Discrete logarithm problem: given ( mod ), it is hard to compute () within the polynomial time, where is the generator of cyclic group .(2)Computational Diffie-Hellman problem: given ( mod ), it is hard to compute within the polynomial time, where .

2.2. Communication Model

A multiserver environment (shown in Figure 2) is one in which a service provider offers a variety of services to its users; Google, for example, provides not only mail but also news, video, and other services, and a user needs only one Google account to enjoy all of them. The mechanism that implements this is what we know as the user authentication protocol for the multiserver environment. People may be more familiar with the distributed system (shown in Figure 1), where each service corresponds to a server and only two kinds of participants are involved: a set of users and a single server. A two-factor authentication protocol in the multiserver environment, in contrast, typically involves three kinds of participants: a set of users, a set of servers, and a register center. Of these, only the register center is trusted, and it may store some sensitive information in its database. The authentication process usually consists of four basic phases: registration, login, authentication, and password change. The registration phase has two parts: user registration, in which a user submits his/her personal information and the register center issues a smart card containing secret values; and server registration, in which each server sends its identity to the register center to obtain a secret key. In the login phase, the user selects the server whose service is wanted and sends it a login request. In the authentication phase, the user and the server verify each other’s legitimacy. Depending on whether the registration center takes part in the authentication process, multiserver authentication protocols fall into two categories: those in which the registration center is involved in authentication and those in which it is not.
Among the four phases, only the registration phase is carried out over a secure channel; the others are all conducted over an insecure channel. The notations used in the protocols are shown in Table 1.

Table 1: Notations and abbreviations
Figure 1: The architecture of the distributed system.
Figure 2: The architecture of the multiserver system.
2.3. Adversary Model

In fact, both Amin [17] and Maitra et al. [18] described the adversary’s capabilities inaccurately. Their adversary models have three obvious flaws, overlooked but critical for an authentication protocol.

The first concerns whether an adversary can exhaust the password space and the identity space simultaneously to conduct an off-line dictionary attack. Many schemes [17, 18, 20, 21] assume that the adversary can exhaust either the password space or the identity space, but not both at once. This assumption is not realistic: Wang et al. [22] revealed for the first time that user-chosen passwords follow a Zipf-like distribution, which is far from uniform, so user-chosen passwords are prone to static guessing attacks. Furthermore, Section 4.2 of [23] shows that even when the adversary guesses the password and the identity simultaneously, the whole attack can be finished in limited time. Therefore the adversary can exhaust the password and identity spaces simultaneously, and many scholars follow this principle [2, 24–27].

The second concerns whether an adversary can easily obtain a user’s identity once in possession of the user’s smart card; the answer is again yes. As Wang et al. [28] explained, on the one hand the identity is usually a static short string from a limited space, and the same user tends to use the same identity even with different service providers, so there is a high probability that an adversary learns the identity from another, less careful service provider; on the other hand, users do not regard the identity as a secret parameter and, for easy recall, may even write it directly on the card. So when cryptanalyzing a scheme it is more realistic to assume that the identity is a public parameter.

The third concerns whether an adversary can obtain the long-term secret key. Maitra et al.’s work [18] simply ignores this question and supposes that the adversary can never learn the long-term secret key; Amin’s work, in contrast, assumes that a valid user always knows the secret information and may provide it to the adversary. Neither statement is accurate enough. The widely accepted assumption is that an adversary learns the long-term secret key only when forward secrecy is evaluated [28–32].

Besides, it is widely accepted that the adversary has full control of the channel; that is, the adversary can intercept, delete, modify, resend, and reroute messages on an open channel [33–35]. Furthermore, the adversary may learn a user’s password via a malicious terminal or extract the parameters stored in the smart card by a side-channel attack, but cannot achieve both [2, 27, 36]. We summarize the adversary’s capabilities in Table 2.

Table 2: The capacities of the adversary.
2.4. Security Requirements

Following the user authentication protocols for the multiserver environment [34, 37, 38] and several analyses of the security requirements of user authentication schemes [2, 4, 28], we list the security requirements for a two-factor multiserver authentication scheme in Table 3.

Table 3: Security requirements.

3. Review of the Scheme of Maitra et al.

In 2016, Maitra et al. [18] criticized two recent protocols, Leu and Hsieh’s scheme [19] and Li et al.’s scheme [20], pointing out that both are vulnerable to various attacks such as the forgery attack and the password guessing attack; they therefore designed a new enhanced scheme, confident that it resists a variety of known attacks while offering attractive attributes such as free password and identity change. However, when we reexamined their scheme we found serious security threats: the scheme is not secure against the stolen-verifier attack and the off-line password guessing attack, and it also fails to provide forward secrecy and user anonymity.

3.1. The Scheme of Maitra et al.

In this section we review Maitra et al.’s scheme [18] briefly; as the password change and identity change phases have little relevance to our work, we omit them.

3.1.1. Initialization Phase

selects a secret long key and a symmetric key encryption/decryption Enc/Dec algorithm (AES); then there is a hash function : .

3.1.2. Server Registration Phase

Step 1. :

Step 2. : . first checks the availability of , then calculates , and adds into the , where , finally sends to ; otherwise, rejects the server ’s request.

Step 3. stores .

3.1.3. User Registration Phase

Step 1. : . selects , , and a random number , computes , , and then sends to .

Step 2. : a smart card with . tests by the , chooses a random number , calculates , , and , then stores into the , and issues a smart card with .

Step 3. computes and stores it.

3.1.4. Login and Authentication Phase

Step 1. : . inputs and . The card computes , , , , and . If , end the session. Otherwise, the card chooses a random number and timestamp , computes , , and sends to .

Step 2. : . first checks and the freshness of , then computes , and sends to .

Step 3. : . first tests and , catches corresponding () from the , decrypts with , and then checks ?= and ?= ?= . If one of the equations does not hold, end the session. Otherwise, computes , and compares with . If they are not equal, end the session. Otherwise computes , , , , and finally answers with .

Step 4. : . computes , checks , then computes . If , computes , , , where is a random number, and then sends with . Otherwise, exit.

Step 5. : . The smart card first tests and then computes , . If , the smart card computes , the session key , and sends to . Otherwise, end.

Step 6. After checking the freshness of , computes ; , compares with the received . If they are equal, the authentication is finished successfully; both and accept the session key .

3.2. Cryptanalysis of Maitra et al.’s Scheme

It must be admitted that Maitra et al.’s scheme has many attractive features, such as its password and identity change phases, and its way of protecting the real identity and password is somewhat illuminating. Regrettably, the scheme is still not secure against various attacks, including the stolen-verifier attack and the off-line password guessing attack, and it provides neither forward secrecy nor user anonymity.

3.2.1. Off-Line Dictionary Attack

In Section 2.3 we explained that the adversary can guess the identity and password simultaneously and can also learn the identity. Whether or not the adversary knows the identity, he/she can carry out the off-line dictionary attack; here we take the case in which the identity is unknown as an example. Suppose the adversary steals the user’s smart card and extracts the stored parameters from it; then he/she can perform the off-line dictionary attack as follows.

Step 1. Guess the value of to be from the password dictionary space , the value of to be from the identity dictionary space .

Step 2. Compute .

Step 3. Compute .

Step 4. Compute .

Step 5. Compute .

Step 6. Compute .

Step 7. Verify the correctness of and by checking if .

Step 8. Repeat Steps 1~7 until the correct values of the password and the identity are found.

With the recovered password and identity, the adversary can impersonate the user to enjoy the service.

The time complexity of the above attack is , where is the running time of a hash computation; and denote the number of passwords in and the number of identities in , respectively. is very limited because of Zipf’s law in passwords [22]; is also very limited as generally . So the attack can be finished in polynomial time.

3.2.2. Forward Secrecy

Suppose an adversary somehow learns the long-term secret key and eavesdrops on the open channel to obtain , , ; then he/she can compute the session key between and as follows.

Step 1. Compute ’s secret key , where is an open parameter.

Step 2. Decrypt with , and get , , where and is from the open channel.

Step 3. Decrypt with to get and , where is from the open channel.

Step 4. Decrypt with to get , where is from the open channel.

Step 5. Compute .

Step 6. Compute , where is from the open channel.

Step 7. Compute the session key .

The time complexity of the above attack is , where is the running time of a symmetric encryption operation. According to Table VI in [2], the attack can be finished within seconds, so it can be completed in polynomial time.

3.2.3. Verifier-Stolen Attack

As mentioned before, only the register center is trusted; a user or a server may itself be an adversary. Consider the case in which a legitimate server somehow obtains the verifier table from the register center’s database. Then this adversary can compute and thereby compromise the whole system as follows.

Step 1. Compute , where is from the list of the verifier table.

Step 2. Compute any other server ’s private secret key , where is from the list of the verifier table.

The operations in the above procedure are lightweight, and the procedure is very simple.

With and the verifier table, has the same capacity as the register center, so can impersonate the register center to the users and to the other servers. What is more, with , once intercepts the message or (), can compute any user’s and in the same way the register center does. Furthermore, with , has the same capacity as any other server, so he/she can also impersonate other servers to the register center and to the users. Therefore the security of the whole system is compromised.

3.2.4. User Anonymity

In this era of information explosion, user privacy protection is extremely important. User anonymity, a pivotal means of protecting user privacy, comprises two requirements: the identity must not be exposed directly, and the identity must remain untraceable. If user anonymity is not guaranteed, the adversary may link different communications on the open channel to the same user and thus learn his/her preferences and personal information for marketing or worse purposes.

In Maitra et al.’s scheme [18], a static value is transmitted in the open channel. More specifically, for the same user it is unchanged () unless the user changes his/her identity and password. Because identity and password changes are so infrequent, on most occasions the same value is transmitted in the open channel every time the user initiates an access request to any server. Therefore an adversary can link access requests to the same user within huge amounts of traffic and learn the user’s habits and preferences, so this scheme violates user untraceability.

More specifically, an adversary can eavesdrop on the open channel and obtain the following messages: Since the value is constant, the adversary knows that, among those messages, , , and were sent by the same user, and that this user usually accesses , , and at times , , and , respectively. Thus user untraceability is violated. Furthermore, once the adversary acquires and as shown in Section 3.2.1, he/she can compute and thus trace the specific user and learn more about the victim’s habits.

4. Review of the Scheme of Amin

In 2016, Amin [17] showed that two protocols [15, 16] both suffer from the off-line guessing attack, the impersonation attack, and so forth, and improved them into a new scheme claimed to resist all known attacks. Once again, we found that Amin’s scheme is not as secure as claimed. In this section we demonstrate that the scheme is vulnerable to the off-line dictionary attack and the insider attack and fails to achieve forward secrecy and user anonymity.

4.1. The Scheme of Amin

The authentication process of Amin’s scheme [17] is shown as follows briefly.

4.1.1. Server Registration Phase

Step 1. :

Step 2. : calculates and then sends to .

Step 3. keeps as his secret key.

4.1.2. User Registration Phase

Step 1. : . selects , , and a random number , computes , and then sends .

Step 2. : smart card . calculates , where is a random number, then checks the availability of , stores into , computes , , finally, stores into a smart card, and sends it to .

Step 3. inputs into the card.

4.1.3. Login and Authentication Phase

Step 1. : . inputs and . The card computes , . If , exit the session. Otherwise, the card generates two random numbers and and computes , , , .

Step 2. : . first checks and and then computes , , , , . If , reject the request; otherwise, computes , , , .

Step 3. . computes , , . If , exit; otherwise, authenticates , chooses a random number , and computes , , .

Step 4. The smart card computes , , . If , authenticates and accepts as their session key.

4.2. Cryptanalysis of Amin’s Scheme

This section demonstrates that Amin’s scheme suffers from the insider attack and the off-line dictionary attack; furthermore, it fails to achieve forward secrecy and user anonymity.

4.2.1. Off-Line Dictionary Attack

If steals ’s smart card and gets from the card, then a dictionary attack can be performed as follows:

Step 1. Guess to be and to be .

Step 2. Compute .

Step 3. Compute .

Step 4. Verify the correctness of and by checking if == .

Step 5. Repeat Steps 1~4 until the correct values of and are found.

Once the adversary gets and , he/she can impersonate . And the time complexity of the attack is , so the attack is efficient.

4.2.2. User Impersonation Attack

Suppose is also a legitimate server ; then can impersonate to as follows.

Step 1. Eavesdrop from via the open channel.

Step 2. Follow the protocol steps as a legitimate server to gain the response from .

Step 3. Continue acting as a legitimate server to compute , .

Step 4. Record .

Step 5. Compute , where is from Step 1.

Step 6. Compute .

The above procedure involves only lightweight XOR operations, so it is quite efficient. Now the adversary (acting as the server ) knows ’s and can forge ’s request message to any other server to enjoy the service. What is more, it can perform this attack against every user who has ever requested to log in to it, so the attack is devastating and affects the whole system.

In fact, after recording , the adversary can directly replay the access request as to , where ; then, with the knowledge of , can always compute the correct session key as , .

4.2.3. Forward Secrecy

Assume that gets and eavesdrops , , , , , and ; then he/she can compute the session key by the following steps:

Step 1. Compute .

Step 2. Compute .

Step 3. Compute .

Step 4. Compute .

Step 5. Compute .

Step 6. Compute .

Step 7. Compute .

By now the adversary has obtained the session key ; the time complexity of the attack is , which is a very short time.
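To make the forward-secrecy failures of Sections 3.2.2 and 4.2.3 concrete, here is an added Python comparison that is not taken from either reviewed paper: a toy protocol A in which the session-key material travels encrypted under the long-term key, beside a toy protocol B in which the long-term key only authenticates an ephemeral Diffie-Hellman exchange of the kind the computational problems in Section 2.1 rely on. The group parameters, the hash-based stand-in for the AES Enc/Dec of the reviewed schemes, and the message layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus for illustration only (assumption);
G = 3            # a standard 2048-bit or larger group is needed in practice


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts, standing in for the scheme's h()."""
    return hashlib.sha256(b"|".join(parts)).digest()


def enc(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Toy symmetric cipher (hash-derived keystream XOR) standing in for AES;
    decryption is the same operation. Assumed for the demo, not the papers'."""
    stream = H(key, nonce)
    return bytes(m ^ s for m, s in zip(msg, stream))


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


# --- Scheme A: the nonces that form the session key travel encrypted under K.
def run_scheme_a(K: bytes):
    """Both parties pick a nonce, send it under Enc_K and derive sk = h(r_u, r_s)."""
    r_u, r_s = secrets.token_bytes(16), secrets.token_bytes(16)
    n_u, n_s = secrets.token_bytes(8), secrets.token_bytes(8)
    transcript = {"n_u": n_u, "c_u": enc(K, n_u, r_u),
                  "n_s": n_s, "c_s": enc(K, n_s, r_s)}
    return transcript, H(r_u, r_s)


def break_scheme_a(transcript, K: bytes) -> bytes:
    """Adversary who later learns K: decrypt the recorded ciphertexts and
    rebuild the old session key, as in the attacks of Sections 3.2.2 and 4.2.3."""
    r_u = enc(K, transcript["n_u"], transcript["c_u"])
    r_s = enc(K, transcript["n_s"], transcript["c_s"])
    return H(r_u, r_s)


# --- Scheme B: ephemeral Diffie-Hellman; K only authenticates the exchange.
def run_scheme_b(K: bytes):
    """Send A = g^a and B = g^b with MACs under K; sk = h(g^ab); a, b are discarded."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    A_b, B_b = A.to_bytes(16, "big"), B.to_bytes(16, "big")
    transcript = {"A": A, "B": B, "tag_u": mac(K, A_b), "tag_s": mac(K, A_b, B_b)}
    sk = H(pow(B, a, P).to_bytes(16, "big"))
    assert sk == H(pow(A, b, P).to_bytes(16, "big"))   # both sides agree
    return transcript, sk


def break_scheme_b(transcript, K: bytes) -> dict:
    """With K the adversary can only re-check the tags; recovering g^ab from
    g^a and g^b is the CDH problem of Section 2.1, so no session key results."""
    A_b = transcript["A"].to_bytes(16, "big")
    B_b = transcript["B"].to_bytes(16, "big")
    tags_ok = (hmac.compare_digest(transcript["tag_u"], mac(K, A_b))
               and hmac.compare_digest(transcript["tag_s"], mac(K, A_b, B_b)))
    return {"tags_verified": tags_ok, "session_key": None}


if __name__ == "__main__":
    K = secrets.token_bytes(32)          # long-term key, later assumed leaked
    t_a, sk_a = run_scheme_a(K)
    print("scheme A: recovered old key ==", break_scheme_a(t_a, K) == sk_a)
    t_b, _ = run_scheme_b(K)
    print("scheme B: what K yields ->", break_scheme_b(t_b, K))
```

The point of the comparison is the role of the long-term key: in A it is a decryption key for recorded traffic, so one compromise retroactively exposes every past session, whereas in B it is only an authentication key and the ephemeral exponents are gone by the time it leaks.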

4.2.4. User Anonymity

Similar to Maitra et al.’s scheme [18], this scheme also has the static parameters and to uniquely identify ; thus it fails to provide user anonymity.

5. Proposed Scheme

To overcome the identified weaknesses, we designed a new enhanced scheme (shown in Figures 3, 4, and 5). For better comprehension, we sketch the ideas behind our scheme:
(i) We adopt the “honeywords” + “fuzzy-verifier” approach introduced by D. Wang and P. Wang [2] to settle the off-line dictionary attack found in the two schemes. As mentioned above, the root cause of that attack is a critical parameter that can be used to test the correctness of the guessed password and identity. With “honeywords” + “fuzzy-verifiers”, that parameter is instead computed as mod , where () is an integer that determines the size of . Furthermore, a is maintained at the register center to record the number of failed logins. Thus even if the adversary finds a pair that satisfies the equation, he/she still cannot tell whether it is the right one, for there are candidate pairs. The adversary then has to verify these candidates online, where the failure counter stops him/her.
(ii) We follow the principle in [39] and deploy a public key algorithm to achieve user anonymity. We conceal the identity in , so the adversary cannot recover it without knowing the long-term secret key or solving the discrete logarithm problem. Furthermore, it changes with the random number , so the identity cannot be traced.
(iii) The verifier-stolen attack on Maitra et al.’s scheme shows the importance of protecting the long-term secret key : XORing it with other values is risky and likely to expose it. Thus in our scheme it is used only in the forms and .
(iv) A server in the multiserver environment is a special kind of adversary and must be treated carefully. In Section 4.2.2 we saw how a malicious server carries out an attack. The key to preventing such an attack is to keep the server from learning the key parameters of the user or the register center. So, on the one hand, we compute the shared key of the user and the server as so that the server learns nothing about ; on the other hand, the register center authenticates the user with the output of the public key algorithm concealed in (the server knows no key parameter such as of the user).
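As an added illustration (not code from the paper), the following Python model shows the off-line dictionary attack of Sections 3.2.1 and 4.2.1 against a card-stored verifier, and why the fuzzy-verifier plus failure-counter idea in item (i) blunts it. The verifier formulas, the dictionaries, the card value r, and the threshold are assumptions made for this demonstration, not the exact expressions of Maitra et al., Amin, or the proposed scheme.

```python
import hashlib
import itertools


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts, a stand-in for the scheme's h()."""
    return hashlib.sha256(b"|".join(parts)).digest()


def full_verifier(identity: str, password: str, r: bytes) -> bytes:
    """Weak card verifier (assumed form): a full hash of (ID, PW, r). Once r is
    extracted from the card, one hash per (ID, PW) guess tells the adversary
    whether the guess is right, which is the flaw exploited in Sections 3.2.1/4.2.1."""
    return H(identity.encode(), password.encode(), r)


def fuzzy_verifier(identity: str, password: str, r: bytes, n0: int = 2**8) -> int:
    """Fuzzy verifier in the style of D. Wang and P. Wang [2]: only h(...) mod n0
    is stored, so roughly |D_id|*|D_pw|/n0 wrong guesses also pass the check."""
    return int.from_bytes(full_verifier(identity, password, r), "big") % n0


def offline_attack(stored, r: bytes, id_dict, pw_dict, verifier):
    """Guess ID and PW simultaneously (adversary model of Section 2.3) and
    return every (ID, PW) pair consistent with the extracted verifier."""
    return [(i, p) for i, p in itertools.product(id_dict, pw_dict)
            if verifier(i, p, r) == stored]


class HoneyList:
    """Per-card failed-login counter kept at the registration center: each
    offline survivor must now be tried online, and the card is suspended
    after `threshold` failures, which bounds the online phase."""

    def __init__(self, threshold: int = 10):
        self.threshold = threshold
        self.failures = 0
        self.suspended = False

    def attempt(self, success: bool) -> str:
        if self.suspended:
            return "suspended"
        if success:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= self.threshold:
            self.suspended = True
            return "suspended"
        return "rejected"


def online_phase(candidates, true_pair, guard: HoneyList):
    """Try each offline survivor online until one is accepted or the card is suspended."""
    for cand in candidates:
        result = guard.attempt(cand == true_pair)
        if result == "accepted":
            return cand
        if result == "suspended":
            return None
    return None


# Constructed dictionaries and a constructed card value r for the demo.
ID_DICT = [f"user{i}" for i in range(100)]
PW_DICT = [f"pw{i}" for i in range(500)]
TRUE_ID, TRUE_PW = "user42", "pw123"
R = bytes(range(16))


def demo():
    """Returns (offline result vs full verifier, survivors vs fuzzy verifier,
    what the online phase recovers against the fuzzy verifier)."""
    weak = offline_attack(full_verifier(TRUE_ID, TRUE_PW, R), R,
                          ID_DICT, PW_DICT, full_verifier)
    strong = offline_attack(fuzzy_verifier(TRUE_ID, TRUE_PW, R), R,
                            ID_DICT, PW_DICT, fuzzy_verifier)
    # Worst case for the adversary: the real pair is tried last.
    ordered = [c for c in strong if c != (TRUE_ID, TRUE_PW)] + [(TRUE_ID, TRUE_PW)]
    recovered = online_phase(ordered, (TRUE_ID, TRUE_PW), HoneyList(threshold=10))
    return weak, len(strong), recovered


if __name__ == "__main__":
    weak, survivors, recovered = demo()
    print("full verifier: offline attack recovers", weak)
    print("fuzzy verifier: offline survivors =", survivors,
          "; online phase recovered", recovered)
```

With n0 = 2^8 and a 100 x 500 guess space, a few hundred candidate pairs survive the offline phase, so the adversary is pushed into online guessing where the counter suspends the card long before the real pair is reached; with the full-hash verifier the same work recovers the single correct pair offline.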

Figure 3: Server registration phase.
Figure 4: User registration phase.
Figure 5: Login and authentication phase.
5.1. Initialization Phase

selects a generator of a multiplicative group of prime order and a secret long-term key () and then computes the public key mod . Then, as in Maitra et al.’s scheme [18], a symmetric key encryption/decryption algorithm and a hash function : are chosen.

5.2. Server Registration Phase

Step 1. : .

Step 2. : searches the to check the validity of . If it is not present, computes , where is the registration time, adds into the , and finally sends to ; otherwise, rejects.

Step 3. After getting , keeps it as its secret key.

5.3. User Registration Phase

Step 1. : . chooses password , identity , and a random number , computes , , and then sends to .

Step 2. : a smart card with . checks the validity of against the . If it has already been used by another user, asks for a new identity; otherwise, it chooses a unique random number , calculates , , mod where is an integer and , and then stores into the . Note that records the number of login failures and is initialized to 0. At last, issues a smart card with .

Step 3. computes and enters into the smart card.

5.4. Login and Authentication Phase

Step 1. : . puts the smart card into a terminal and inputs and . The card computes , , and then verifies the legitimacy of by testing mod . If it is not equal, exit the session.

Otherwise, the card selects a random number , computes mod , mod , , , and , then sends to .

Step 2. : . chooses a random number as a “challenge”, computes: , and sends to .

Step 3. : . first checks the validity of , then retrieves from the and computes , where ; it then tests to verify the legitimacy of . If they are not equal, the session is ended.

Otherwise, continues by computing mod , , then acquires and from the , computes , and checks to authenticate . If is not a valid user, sets to + 1 and ends the session. Once the value reaches the predetermined threshold (such as 10), the information in the smart card has probably been exposed, so suspends the card until reregisters.

Otherwise, continues computing , , , , finally responding to with .

Step 4. : . first decrypts with to obtain and , computes , and then compares with to authenticate . If the condition is not satisfied, exit.

Otherwise, selects a random number , computes mod , mod , , , sends to .

Step 5. : . The smart card computes mod , , . If , believes that is the desired server and accepts as the session key and then sends to . Otherwise, exit the session.

Step 6. computes . If , believes the legitimacy of . Till now, the authentication phase finished successfully, and the session key is established.

5.5. Password Change Phase

When the user wants to change the password, he can perform the steps as follows.

Step 1. inputs , , and new password .

Step 2. The card computes , , , if mod , the card rejects the request. Otherwise, it computes , mod and replaces with .

5.6. Revocation Phase

Once the user realizes that the card is no longer under his control, he can revoke the account as follows.

Step 1. firstly gets authenticated by the card in the same way as in Step 1 in Section 5.4.

Step 2. : . The way to compute , , and is the same as in Step 1 of Section 5.4, except .

Step 3. authenticates by computing mod , , , . If accepts , it sets to revoke the account. Otherwise, reject the request.

5.7. Reregistration Phase

If , holding the correct password and identity, is still rejected by , then he can reregister as follows.

Step 1. : .

Step 2. first searches the and checks whether the account of has been revoked or the card suspended. If so, accepts the request and carries out the registration phase of Section 5.3.

6. Security Analysis

In this section, we first use the Burrows-Abadi-Needham (BAN) logic [40] to prove the security of our scheme formally, then analyze it in a heuristic method. The results demonstrate the security and practicability of our scheme.

6.1. Formal Analysis Based on BAN Logic

As an efficient and simple way to analyze the design logic and security of an authentication scheme, BAN logic [40] has been widely used. As shown in Table 4, it uses some particular notations to describe a protocol.

Table 4: Notations in BAN logic.

The goals of our proposed scheme are as follows: these four goals ensure that the server and the user get authenticated mutually (corresponding to our proposed S1, S10, and S13), and they build a session key successfully (corresponding to our proposed S14):(1)Goal 1: .(2)Goal 2: .(3)Goal 3: .(4)Goal 4: .

According to the BAN logic, we first transform the scheme to an idealized one:: : .: : .: : .: : .: : .

Then, to analyze the scheme, we make some assumptions about its initial state as follows:: .: .: .: .: .: .: .: .: .: .: .: .

Based on these assumptions above, we will prove the security of our protocol according to BAN logic as follows.

From  , we have

Then according to H8, , , it is obvious that

From  , we have

Then according to , , , it is obvious that

From  , we have

Then according to , , , it is obvious that

And according to , , and , we get

And according to , , , we can get

From  , we have

Then according to , , , it is obvious that

And according to , , and , we get

And according to , , , we can get

From  , we have

Then according to , , , it is obvious that

And according to , , and , we get

And according to , , , we can get

Thus, with Goals 1–4, we have proved that the user and the server authenticate each other and, furthermore, that they accept and share the session key .

6.2. Informal Analysis

The heuristic method, which needs no complex formulas, is a direct and simple way to analyze the security of a protocol quickly. It plays a significant role in the cryptanalysis of authentication protocols, though its analytic process depends heavily on human experience rather than on a set of scientific tools. This section uses the heuristic method to show that our scheme not only provides the desired attributes but also resists various attacks.

6.2.1. User Anonymity

In our scheme, on the one hand, the adversary cannot obtain : the user identity is concealed in , where , so an adversary without cannot guess the value of via a dictionary attack. On the other hand, the adversary cannot link message flows to a particular user: though is a fixed value, it is transmitted in the form , where and change from one run of the protocol to the next, and only the user and a party knowing the long-term secret key can compute . Thus changes with and , the adversary cannot recover , and he/she fails to link the message flows to a particular user. So our scheme achieves user anonymity.
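The linking attack of Sections 3.2.4 and 4.2.4 and the dynamic-identity remedy of item (ii) in Section 5 are illustrated below in an added Python example that is not part of the paper. The registration center holds a private x with public Y = g^x as in Section 5.1; the user masks the identity with h(Y^a) under a fresh a per login, and the center unmasks it with A^x. The exact masking encoding, the group parameters, the constant pseudonym h(ID) used to model the broken schemes, and the names of users and servers are assumptions of this example.

```python
import hashlib
import secrets
from collections import defaultdict

P = 2**127 - 1   # toy prime modulus for illustration only (assumption);
G = 3            # use a standard large group in practice


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts, a stand-in for the scheme's h()."""
    return hashlib.sha256(b"|".join(parts)).digest()


def rc_keygen():
    """Registration center: private x, public Y = g^x mod p (Section 5.1)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def static_login(identity: str, server: str, t: int) -> dict:
    """Pattern of the two reviewed schemes: a fixed identity-derived value
    (here h(ID), an assumed stand-in) accompanies every login request."""
    return {"pid": H(identity.encode()), "server": server, "t": t}


def dynamic_login(identity: str, Y: int, server: str, t: int) -> dict:
    """Dynamic identity in the spirit of item (ii): pick a fresh a, send
    A = g^a, and mask the identity with h(Y^a). Only a holder of x can unmask."""
    ident = identity.encode()
    assert len(ident) <= 32, "demo encoding packs the identity into 32 bytes"
    a = secrets.randbelow(P - 2) + 1
    A = pow(G, a, P)
    mask = H(pow(Y, a, P).to_bytes(16, "big"))
    did = bytes(i ^ m for i, m in zip(ident.ljust(32, b"\0"), mask))
    return {"A": A, "did": did, "server": server, "t": t}


def rc_recover(msg: dict, x: int) -> str:
    """Registration center computes A^x = Y^a and strips the mask."""
    mask = H(pow(msg["A"], x, P).to_bytes(16, "big"))
    ident = bytes(d ^ m for d, m in zip(msg["did"], mask))
    return ident.rstrip(b"\0").decode()


def link_by_field(messages, field: str) -> dict:
    """Eavesdropper's linking attack of Section 3.2.4: bucket requests by a
    field and read off which servers each bucket visited and when."""
    groups = defaultdict(list)
    for m in messages:
        groups[m[field]].append((m["server"], m["t"]))
    return dict(groups)


def demo():
    """Constructed traffic: one user visiting three servers at three times."""
    x, Y = rc_keygen()
    visits = [("S1", 1), ("S2", 2), ("S3", 3)]
    static = [static_login("alice", s, t) for s, t in visits]
    dynamic = [dynamic_login("alice", Y, s, t) for s, t in visits]
    static_groups = link_by_field(static, "pid")    # one bucket: fully linked
    dynamic_groups = link_by_field(dynamic, "did")  # three buckets: unlinkable
    recovered = [rc_recover(m, x) for m in dynamic]  # RC still learns who it is
    return len(static_groups), len(dynamic_groups), recovered


if __name__ == "__main__":
    print(demo())   # (1, 3, ['alice', 'alice', 'alice'])
```

The eavesdropper sees the same bytes for every request in the static variant and can reconstruct the user's visiting pattern, while in the dynamic variant each request carries a fresh (A, masked identity) pair that only the holder of x can tie back to the user.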

6.2.2. Forward Secrecy

The session key of the proposed scheme consists of two “special” parameters: and , where and