Abstract

With the rapid development of network technology, multiserver systems are widely used to provide a variety of services, and two-factor authentication protocols for multiserver systems attract more and more attention. Recently, two new schemes for the multiserver environment were claimed to be secure against the known attacks. However, after scrutinizing these two schemes, we found that their description of the adversary’s abilities is inaccurate and that their schemes suffer from many attacks. Thus, we first corrected their description of the adversary’s capabilities to introduce a widely accepted adversary model and then summarized fourteen security requirements of multiserver authentication based on the works of pioneer contributors. Secondly, we revealed that one of the two schemes fails to preserve forward secrecy and user anonymity and cannot resist stolen-verifier attack and off-line dictionary attack, among others, and also demonstrated that the other scheme fails to preserve forward secrecy and user anonymity and is not secure against insider attack and off-line dictionary attack, among others. Finally, we designed an enhanced scheme to overcome these identified weaknesses, proved its security via BAN logic and heuristic analysis, and compared it with other relevant schemes. The comparison results show the superiority of our scheme.

1. Introduction

The development of network technology has greatly changed the way people live and work. The Internet has brought our society into an information age and has become an indispensable element of people’s lives. Nowadays, with the maturity and rapid development of Internet technology, people’s schedules have become more convenient and efficient thanks to the growing number of online services. However, the openness and virtuality of the Internet have made the network environment untrusted, bringing with it information security and privacy issues. In recent years we have seen many incidents of user privacy information being leaked; for example, in 2015, about 10 G of user data of Ashley Madison (the world’s largest extramarital affairs web site, which offers dating services for married people) was exposed. In this event many celebrities were exposed, and the whole society was surrounded by fear. Anthem lost 80 million user records including user name, birthday, social insurance code, phone number, email, and so on, which is the largest exposure of medical institution user data in the United States. For a more secure network environment, cryptography is one of the key technologies, and a necessary part of it is to provide authentication and key agreement for remote entities. This mechanism is called user authentication.

Usually, a well-defined authentication scheme should guarantee that only a legitimate user can enjoy the service and that the corresponding server is real and legitimate. At the beginning, passwords, with their convenience and accessibility, were widely used in the authentication process. However, it has been found that password-based single-server authentication protocols are always at risk of stolen-verifier attack, because the server has to maintain a password-related table. Thus the smart card, as a second security factor, has come into wide use [1–5].

Furthermore, the increasing demands of network life have prompted service providers to extend the traditional single-server environment into a multiserver one, offering more kinds of services and improving their quality. Thus the multiserver system came into being. However, the single-server-based authentication scheme is no longer suitable for a multiserver system: it asks a user to register on each server one by one, so the users have to remember many different identities and passwords, which is bound to bring unnecessary trouble; to cope with a mountain of identities and passwords, a user is more likely to choose the same identity and password everywhere, and thus information disclosure emerges in the multiserver system.

To solve this problem, scholars put forward the multiserver environment authentication mechanism, whose goal is that the user only needs to register once with the registration center and can then log in to the different application servers using the same account. This idea is also of high reference value to cloud computing, the Internet of Things, car networking, and so forth. In 2001, Li et al. [6] proposed a neural-network-based scheme for multiserver systems: its communication and computation costs are very high, and furthermore the users have to store a large amount of data. In 2003, Lin et al. [7] proposed a new scheme with lower costs, which was pointed out to be inefficient by Juang [8]. Thus he recommended a symmetric-cryptography-based protocol which resolved the problem of reregistration with high computational efficiency. Unfortunately, Chang and Lee [9] revealed that Juang’s scheme suffers from off-line password guessing attack and that users cannot change their passwords; therefore, they proposed an improved scheme. In 2004, Tsaur et al. [10] demonstrated that Chang and Lee’s scheme is vulnerable to insider attack and forgery attack, so they designed an RSA-based scheme. Once again, their scheme was noted to be subject to impersonation attack [11].

The schemes above share a common problem: the user identity is static, so they usually fail to achieve perfect user anonymity. To remedy this, Liao and Wang [12] in 2009 proposed a dynamic-identity-based protocol, which was later proved insecure against impersonation attack and insider attack by Hsiang and Shih [13]. Unfortunately, Sood et al. [14] revealed that Hsiang and Shih’s scheme is not as secure as they claimed.

1.1. Contributions

Recently, Li et al. [15] and Sood [16] each proposed a user authentication scheme for multiserver networks, and both claimed to be secure against various known attacks. However, in 2016, Amin [17] demonstrated that the two schemes cannot resist off-line guessing attack, insider attack, and so on, and provided a new enhanced protocol overcoming those weaknesses. In the same year, Maitra et al. [18] reexamined Leu and Hsieh’s scheme [19] and Li et al.’s scheme [20], found that both were subject to many security threats, and put forward a new scheme using a symmetric cryptosystem, aiming to resist various attacks and to offer some desired attributes. Unfortunately, according to our analysis, their schemes once again fail to be sound authentication protocols. To point out the common issues in user authentication schemes, we use these two advanced and representative schemes as a case study to show the weaknesses possible in most schemes. Then, based on the analysis, we propose an improved scheme to show a possible way to overcome those weaknesses. In a word, our contributions can be summarized as follows:

(1) We revealed that the descriptions of the adversary’s abilities in many schemes are inaccurate and thus redescribed a widely accepted and practical adversary model.

(2) We summarized fourteen security requirements of the multiserver environment based on the works of pioneer contributors.

(3) We demonstrated that Maitra et al.’s scheme [18] fails to preserve forward secrecy and user anonymity and cannot resist stolen-verifier attack and off-line dictionary attack, among others, and that Amin’s scheme [17] fails to preserve forward secrecy and user anonymity and is not secure against insider attack and off-line dictionary attack, among others.

(4) We propose an enhanced scheme with user anonymity, proved its security via BAN logic and heuristic analysis, and compared it with other relevant schemes.

The comparison result shows that our scheme, though increasing the costs slightly, achieves all fourteen security requirements, so it is more suitable for multiserver environments.

1.2. Construction of the Paper

Section 2 describes the preliminaries; Sections 3 and 4 analyze Maitra et al.’s scheme [18] and Amin’s scheme [17], respectively. We propose a new scheme in Section 5, prove its security in Section 6, and analyze its performance in Section 7. The conclusion is given in Section 8.

2. Preliminaries

For a better understanding of two-factor authentication schemes in the multiserver environment, it is necessary to first describe the computational problems, the communication model, the adversary model, and the security requirements.

2.1. Computational Problems

(1) Discrete logarithm problem: given ( mod ), it is hard to compute () in polynomial time, where is the generator of cyclic group .

(2) Computational Diffie-Hellman problem: given ( mod ), it is hard to compute in polynomial time, where .

2.2. Communication Model

A multiserver environment (shown in Figure 2) means that a service provider can offer a variety of services to its users; Google, for example, provides not only mail but also news, video, and other services. A user only needs one Google account to enjoy all the services it provides, and the way to implement this function is what we know as the user authentication protocol in a multiserver environment. People may be more familiar with distributed systems (shown in Figure 1), where each service corresponds to a server and only two participants are involved: a set of users and a single server. A two-factor authentication protocol in a multiserver environment, by contrast, typically involves three participants: a set of users, a set of servers, and a register center. Among these participants only the register center is trusted; it may store some sensitive information in its database.

The authentication process usually consists of four basic phases: registration, login, authentication, and password change. The registration phase has two parts: the user registration phase, in which a user submits his/her personal information and the register center issues the user a smart card containing security parameters, and the server registration phase, in which each server sends its identity to the register center to obtain a secret key. In the login phase, the user selects a server to provide the service and sends it a login request. In the authentication phase, the user and the server verify each other’s legitimacy. According to whether the register center takes part in the authentication process, multiserver authentication protocols fall into two categories: those in which the register center is involved and those in which it is not.

Among the four phases, only the registration phase is carried out over a secure channel; the others are all conducted over an insecure channel. The notations used in the protocols are listed in Table 1.

2.3. Adversary Model

In fact, both Amin [17] and Maitra et al. [18] described the adversary’s capabilities inaccurately. Their adversary models contain three obvious flaws which are overlooked but critical in an authentication protocol.

The first one is whether an adversary can exhaust the password space and the identity space simultaneously to conduct an off-line dictionary attack. Many schemes [17, 18, 20, 21] assume that can exhaust either the password space or the identity space, but not both at the same time. This is not realistic: Wang et al. [22] revealed for the first time that user-chosen passwords follow a Zipf-like distribution, far from uniform, which indicates that user-chosen passwords are prone to static guessing attacks. Furthermore, Section 4.2 of [23] shows that even when the adversary guesses the password and the identity simultaneously, the whole attack can be finished within a limited time. Therefore, the adversary can exhaust the password and identity spaces simultaneously, and many scholars follow this principle [2, 24–27].

The second one is whether an adversary can easily obtain a user’s identity once owning the user’s smart card; the answer is also positive. As Wang et al. [28] explained, on the one hand, the identity is usually a static short string from a limited space, and the same user tends to use the same identity even for different service providers, so it is highly possible for an adversary to learn the identity from other common service providers; on the other hand, users do not regard the identity as a secret parameter and, for easy remembrance, may even write it on the card directly. So when cryptanalyzing a scheme, it is more practical to assume that the identity is an open parameter.

The third one is whether an adversary can obtain the long-term secret key. Maitra et al.’s work [18] simply ignored this question and supposed that the adversary can never learn the long-term secret key, whereas Amin assumed that a valid user can always know the secret information and may provide it to the adversary; in fact, neither statement is accurate enough. A widely accepted assumption is that an adversary knows the long-term secret key only when forward secrecy is evaluated [28–32].

Besides, it is widely accepted that an adversary has full control of the channel; that is, can intercept, delete, modify, resend, and reroute the messages in an open channel [33–35]. Furthermore, may also learn users’ passwords via a malicious terminal or extract the parameters from the smart card by side-channel attack, but cannot achieve both [2, 27, 36]. We summarize the capabilities of the adversary in Table 2.

2.4. Security Requirements

According to the user authentication protocols in multiserver environment [34, 37, 38] and some works on analysis of security requirements in user authentication scheme [2, 4, 28], we describe the security requirements in a two-factor authentication scheme of multiserver in Table 3.

3. Review of the Scheme of Maitra et al.

In 2016, Maitra et al. [18] criticized two recent protocols, namely, Leu and Hsieh’s scheme [19] and Li et al.’s scheme [20], pointing out that both are vulnerable to various attacks such as forgery attack and password guessing attack; therefore, they designed a new enhanced scheme, confident that it resists a variety of known attacks and offers some attractive attributes such as freely changing the password and the identity. However, when we reexamined their scheme, we found some serious security threats and revealed that the scheme is not secure against verifier-stolen attack and off-line password guessing attack and also fails to provide forward secrecy and user anonymity.

3.1. The Scheme of Maitra et al.

In this section, we review Maitra et al.’s scheme [18] briefly, and as password change phase and identity change phase have little relevance to our work, we omit them.

3.1.1. Initialization Phase

selects a secret long key and a symmetric key encryption/decryption Enc/Dec algorithm (AES); then there is a hash function : .

3.1.2. Server Registration Phase

Step 1. :

Step 2. : . first checks the availability of , then calculates , and adds into the , where , finally sends to ; otherwise, rejects the server ’s request.

Step 3. stores .

3.1.3. User Registration Phase

Step 1. : . selects , , and a random number , computes , , and then sends to .

Step 2. : a smart card with . tests by the , chooses a random number , calculates , , and , then stores into the , and issues a smart card with .

Step 3. computes and stores it.

3.1.4. Login and Authentication Phase

Step 1. : . inputs and . The card computes , , , , and . If , end the session. Otherwise, the card chooses a random number and timestamp , computes , , and sends to .

Step 2. : . first checks and the freshness of , then computes , and sends to .

Step 3. : . first tests and , retrieves the corresponding () from the , decrypts with , and then checks ?= and ?= ?= . If one of the equations does not hold, end the session. Otherwise, computes , and compares with . If they are not equal, end the session. Otherwise computes , , , , and finally answers with .

Step 4. : . computes , checks , then computes . If , computes , , , where is a random number, and then sends with . Otherwise, exit.

Step 5. : . The smart card first tests and then computes , . If , the smart card computes , the session key , and sends to . Otherwise, end.

Step 6. After checking the freshness of , computes ; , compares with the received . If they are equal, the authentication is finished successfully; both and accept the session key .

3.2. Cryptanalysis of Maitra et al.’s Scheme

It must be admitted that Maitra et al.’s scheme has many attractive advantages, such as providing password and identity change phases; furthermore, the way it protects the real identity and password is somewhat illuminating. Regrettably, this scheme is still not secure against various attacks, including stolen-verifier attack and off-line password guessing attack, and it provides neither forward secrecy nor user anonymity.

3.2.1. Off-Line Dictionary Attack

In Section 2.3, we explained that can guess the identity and password simultaneously and can also learn the identity. Whether or not knows the identity, he/she can carry out the off-line dictionary attack; here we take the case where does not know the identity as an example. Suppose steals ’s smart card and extracts from it; then he can perform the off-line dictionary attack by the following steps.

Step 1. Guess the value of to be from the password dictionary space , the value of to be from the identity dictionary space .

Step 2. Compute .

Step 3. Compute .

Step 4. Compute .

Step 5. Compute .

Step 6. Compute .

Step 7. Verify the correctness of and by checking if .

Step 8. Repeat Steps 1~6 until the correct value of and are found.

With and , the adversary can impersonate the user to enjoy the service.

The time complexity of the above attack is , where is the running time of a hash computation, and and denote the number of passwords in and the number of identities in , respectively. is very limited due to Zipf’s law in passwords [22], and is also very limited since generally . So the attack can be finished in polynomial time.

3.2.2. Forward Secrecy

Suppose an adversary somehow learns the long-term secret key and eavesdrops on the messages in the open channel to get , , ; then he/she can compute the session key between and as follows.

Step 1. Compute ’s secret key , where is an open parameter.

Step 2. Decrypt with , and get , , where and is from the open channel.

Step 3. Decrypt with to get and , where is from the open channel.

Step 4. Decrypt with to get , where is from the open channel.

Step 5. Compute .

Step 6. Compute , where is from the open channel.

Step 7. Compute the session key .

The time complexity of the above attack is , where is the running time of a symmetric encryption operation. According to Table VI in [2], the attack can be finished within seconds. So the above attack can be completed in polynomial time.

3.2.3. Verifier-Stolen Attack

As mentioned before, only the register center is trusted; a user or a server may well act as an adversary. Consider a condition in which the legitimate server somehow obtains the verifier table in the database of the register center. Then this adversary can also compute and, furthermore, compromise the whole system as follows.

Step 1. Compute , where is from the list of the verifier table.

Step 2. Compute any other server ’s private secret key , where is from the list of the verifier table.

The above procedure involves only lightweight operations and is very simple.

With and the verifier table, has the same capability as the register center. Thus can impersonate to the user and to the other servers. What is more, with , once intercepts the message or (), can compute any user’s and in the same way does. Furthermore, with , has the same capability as the other server, so he/she can also impersonate other servers to and to the users. Therefore, the security of the whole system is compromised.

3.2.4. User Anonymity

In this era of information explosion, user privacy protection is extremely important to individuals. User anonymity, a pivotal way to protect user privacy, contains two requirements: the identity is not exposed directly, and the identity is untraceable. Once user anonymity is not guaranteed, the adversary may link different communications in the open channel to the same user and thus learn his preferences and personal information for marketing or other malicious purposes.

In Maitra et al.’s scheme [18], there is a static value in the open channel. More specifically, for the same user, is unchanged () unless changes his identity and password. Since the identity or password is changed so rarely, every time initiates an access request to any server, the same is transmitted in the open channel on most occasions. Therefore, an adversary can link the access requests to the same user out of huge amounts of data to learn the user’s habits and preferences. So this scheme violates user untraceability.

More specifically, an adversary can eavesdrop on the open channel and then obtain the following messages:

Because that value is constant, the adversary knows that among those messages , , and were sent by the same user, who usually accesses , , and at times , , and , respectively. Thus user untraceability is violated. Furthermore, once the adversary acquires and as shown in Section 3.2.1, he can compute and thus trace the specific user and learn more about the victim’s habits.

4. Review of the Scheme of Amin

In 2016, Amin [17] showed that two protocols [15, 16] both suffer from off-line guessing attack, impersonation attack, and so forth; thus he improved the two schemes into a new one claimed to resist all known attacks. Once again, however, we found that Amin’s scheme is not as secure as claimed. In this section, we demonstrate that this scheme is vulnerable to off-line dictionary attack and insider attack and fails to achieve forward secrecy and user anonymity.

4.1. The Scheme of Amin

The authentication process of Amin’s scheme [17] is shown as follows briefly.

4.1.1. Server Registration Phase

Step 1. :

Step 2. : calculates and then sends to .

Step 3. keeps as his secret key.

4.1.2. User Registration Phase

Step 1. : . selects , , and a random number , computes , and then sends .

Step 2. : smart card . calculates , where is a random number, then checks the availability of , stores into , computes , , finally, stores into a smart card, and sends it to .

Step 3. inputs into the card.

4.1.3. Login and Authentication Phase

Step 1. : . inputs and . The card computes , . If , exit the session. Otherwise, the card generates two random numbers and and computes , , , .

Step 2. : . first checks and and then computes , , , , . If , reject the request; otherwise, computes , , , .

Step 3. . computes , , . If , exit; otherwise, authenticates , chooses a random number , and computes , , .

Step 4. The smart card computes , , . If , authenticates and accepts as their session key.

4.2. Cryptanalysis of Amin’s Scheme

This section demonstrates that Amin’s scheme suffers from insider attack and off-line dictionary attack; furthermore, it fails to achieve forward secrecy and user anonymity.

4.2.1. Off-Line Dictionary Attack

If steals ’s smart card and gets from the card, then a dictionary attack can be performed as follows:

Step 1. Guess to be and to be .

Step 2. Compute .

Step 3. Compute .

Step 4. Verify the correctness of and by checking if == .

Step 5. Repeat Steps 1~4 until the correct values of and are found.

Once the adversary gets and , he/she can impersonate . And the time complexity of the attack is , so the attack is efficient.

4.2.2. User Impersonation Attack

Suppose is also a legitimate server ; then can impersonate to as follows.

Step 1. Eavesdrop from via the open channel.

Step 2. Follow the protocol steps as a legitimate server to gain the response from .

Step 3. Continue acting as a legitimate server to compute , .

Step 4. Record .

Step 5. Compute , where is from Step 1.

Step 6. Compute .

The above procedure only involves the lightweight XOR operation; thus it is quite efficient. Now (also ) knows ’s ; then he/she can forge ’s request message as to other servers to enjoy the service. What is more, can perform the above attack on all the users who have ever requested to log in to . So such an attack is devastating and has a huge effect on the system.

In fact, after recording , the adversary can directly replay the access request as to , where ; then, with the knowledge of , can always compute the correct session key as , .

4.2.3. Forward Secrecy

Assume that gets and eavesdrops , , , , , and ; then he/she can compute the session key by the following steps:

Step 1. Compute .

Step 2. Compute .

Step 3. Compute .

Step 4. Compute .

Step 5. Compute .

Step 6. Compute .

Step 7. Compute .

At this point, obtains the session key , and the time complexity of the attack is , which is a very short time.

4.2.4. User Anonymity

Similar to Maitra et al.’s scheme [18], this scheme also has the static parameters and to uniquely identify ; thus it fails to provide user anonymity.

5. Proposed Scheme

To overcome the identified weaknesses, we designed a new enhanced scheme (shown in Figures 3, 4, and 5). For better comprehension, we sketch the ideas behind our scheme:

(i) We adopt the “honeywords” + “fuzzy-verifiers” approach introduced by D. Wang and P. Wang [2] to settle the off-line dictionary attack in these two schemes. As mentioned above, the inherent reason for such an attack is the critical parameter which can be used to test the correctness of the guessed and . In the “honeywords” + “fuzzy-verifiers” approach, however, is recalculated as mod , where () is an integer that determines the size of . Furthermore, a is maintained in to record the number of failed logins. Thus even if finds a pair that satisfies the equation, he/she still cannot know whether and , for there are candidate pairs. then has to verify these candidates online, but is stopped by .

(ii) We follow the principle in [39] and deploy a public key algorithm to achieve user anonymity. We conceal the identity in , so the adversary cannot get from unless he/she knows the secret long-term key or solves the discrete logarithm problem. Furthermore, changes with the random number to prevent the identity from being traced.

(iii) The verifier-stolen attack on Maitra et al.’s scheme shows that it is important to protect the long-term secret key : an “XOR” operation on is a risky behavior that is likely to expose . Thus, in our scheme, is used only in the forms and .

(iv) The server in a multiserver environment is a special adversary which should be treated carefully. In Section 4.2.2, we saw how carries out an attack. The key to preventing such an attack is to keep from knowing the key parameters of or . So, on the one hand, we compute the shared key of and as so that learns nothing about ; on the other hand, we use the output of the public key algorithm concealed in for to authenticate ( does not know any key parameter such as of ).
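As an added illustration of idea (i), not code from the paper: the Python below contrasts an exact card-side verifier with a fuzzy one reduced modulo n0 and adds a Honey_List counter at the registration center. The hash construction (SHA-256 over ID and PW), the sample identity and password spaces, the real pair user7/pw0042, and the threshold of 10 are all assumptions made for the example.

```python
import hashlib
import itertools
from typing import Callable, Dict, List, Tuple


def h(*parts: str) -> int:
    """Assumed stand-in for the scheme's hash h(.): SHA-256 over the joined inputs."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest(), "big")


def exact_verifier(identity: str, password: str) -> int:
    """Verifier style of the criticized schemes: a full-width hash of (ID, PW).
    Only one (ID, PW) pair in a dictionary reproduces it, so an extracted
    verifier lets a guess be confirmed off-line."""
    return h(identity, password)


def fuzzy_verifier(identity: str, password: str, n0: int) -> int:
    """Fuzzy verifier (assumed construction): the same hash reduced modulo a
    small n0, so roughly |ID space| * |PW space| / n0 pairs collide with it."""
    return h(identity, password) % n0


def matching_pairs(stored: int, ids: List[str], pws: List[str],
                   check: Callable[[str, str], int]) -> List[Tuple[str, str]]:
    """All (ID, PW) pairs in the given spaces whose verifier equals the value
    stored on a card; its length is how far the verifier narrows a guess."""
    return [(i, p) for i, p in itertools.product(ids, pws) if check(i, p) == stored]


class RegistrationCenter:
    """RC table holding, per user, the exact secret plus a Honey_List counter
    that suspends the card once failed logins reach the threshold."""

    def __init__(self, threshold: int = 10) -> None:
        self.threshold = threshold
        self.table: Dict[str, dict] = {}

    def register(self, identity: str, password: str) -> None:
        self.table[identity] = {"secret": exact_verifier(identity, password),
                                "honey": 0, "suspended": False}

    def login(self, identity: str, password: str) -> str:
        rec = self.table.get(identity)
        if rec is None:
            return "unknown"
        if rec["suspended"]:
            return "suspended"  # stays blocked until the user reregisters
        if exact_verifier(identity, password) != rec["secret"]:
            rec["honey"] += 1  # an online check of a candidate pair failed
            if rec["honey"] >= self.threshold:
                rec["suspended"] = True
                return "suspended"
            return "rejected"
        # The text does not say whether a success resets Honey_List; not reset here.
        return "accepted"


def demo(n0: int = 16) -> dict:
    """Constructed spaces: 16 identities x 1024 passwords; user7/pw0042 is real."""
    ids = [f"user{k}" for k in range(16)]
    pws = [f"pw{k:04d}" for k in range(1024)]
    real_id, real_pw = "user7", "pw0042"
    exact = matching_pairs(exact_verifier(real_id, real_pw), ids, pws, exact_verifier)
    fuzzy = matching_pairs(fuzzy_verifier(real_id, real_pw, n0), ids, pws,
                           lambda i, p: fuzzy_verifier(i, p, n0))
    # Resolving the fuzzy candidates for the real identity online: the wrong
    # ones alone (about 1023 / n0 of them) exceed the threshold, so the card is
    # suspended before the candidates run out.
    rc = RegistrationCenter(threshold=10)
    rc.register(real_id, real_pw)
    wrong = [p for i, p in fuzzy if i == real_id and p != real_pw]
    outcomes = [rc.login(real_id, p) for p in wrong]
    return {"exact_candidates": len(exact), "fuzzy_candidates": len(fuzzy),
            "wrong_for_real_id": len(wrong), "suspended": "suspended" in outcomes,
            "real_login_after": rc.login(real_id, real_pw)}


if __name__ == "__main__":
    print(demo())
```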

5.1. Initialization Phase

selects a generator of a multiplicative group of prime order and a secret long key () and then computes the public key mod . Then, similar to Maitra et al.’s scheme [18], there is a symmetric key encryption/decryption algorithm and also a hash function : .

5.2. Server Registration Phase

Step 1. : .

Step 2. : searches the to check the validity of . If it is not in the list, computes , where is the registration time. Then adds into the and finally sends to ; otherwise, rejects.

Step 3. After getting , keeps it as its secret key.

5.3. User Registration Phase

Step 1. : . chooses password , identity , and a random number , computes , , and then sends to .

Step 2. : a smart card with . tests the validity of from the . If it has been used by other users, asks for a new identity; otherwise, chooses a unique random number and calculates , , mod , where is an integer and , and then stores into the . Note that records the number of login failures and is initialized to 0. At last, issues a smart card with .

Step 3. computes and enters into the smart card.

5.4. Login and Authentication Phase

Step 1. : . puts the smart card into a terminal and inputs and . The card computes , , and then verifies the legitimacy of by testing mod . If it is not equal, exit the session.

Otherwise, the card selects a random number , computes mod , mod , , , and , then sends to .

Step 2. : . chooses a random number as a “challenge”, computes: , and sends to .

Step 3. : . first checks the validity of , then gets from the , and computes , where ; then tests to verify the legitimacy of . If they are not equal, end the session.

Otherwise, continues computing mod , , then acquires and from the , computes , and checks to authenticate . If is not a valid user, sets to + 1 and ends the session. Once the value of reaches the predetermined threshold (such as 10), it is likely that the information in the smart card has been exposed; thus suspends the card until reregisters.

Otherwise, continues computing , , , , finally responding to with .

Step 4. : . first decrypts with to obtain and , computes , and then compares with to authenticate . If the condition is not satisfied, exit.

Otherwise, selects a random number , computes mod , mod , , , sends to .

Step 5. : . The smart card computes mod , , . If , believes that is the desired server and accepts as the session key and then sends to . Otherwise, exit the session.

Step 6. computes . If , believes the legitimacy of . At this point, the authentication phase has finished successfully, and the session key is established.

5.5. Password Change Phase

When the user wants to change the password, he can perform the steps as follows.

Step 1. inputs , , and new password .

Step 2. The card computes , , , if mod , the card rejects the request. Otherwise, it computes , mod and replaces with .

5.6. Revocation Phase

Once the user realizes that the card is no longer under his control, he can revoke the account as follows.

Step 1. firstly gets authenticated by the card in the same way as in Step 1 in Section 5.4.

Step 2. : . The way to compute , , and is similar to Step 1 in Section 5.4, except .

Step 3. authenticates by computing mod , , , . If accepts , it sets to revoke the account. Otherwise, reject the request.

5.7. Reregistration Phase

If with correct password and identity is still rejected by , then he can reregister as follows.

Step 1. : .

Step 2. first searches for in the and checks whether the account of is revoked or the card is suspended. If so, accepts the request and conducts the registration phase in Section 5.3.

6. Security Analysis

In this section, we first use the Burrows-Abadi-Needham (BAN) logic [40] to prove the security of our scheme formally, then analyze it in a heuristic method. The results demonstrate the security and practicability of our scheme.

6.1. Formal Analysis Based on BAN Logic

As an efficient and simple way to analyze the design logic and security of an authentication scheme, BAN logic [40] has been widely used. As shown in Table 4, it uses some particular notations to describe a protocol.

The goals of our proposed scheme are as follows. These four goals ensure that the server and the user get authenticated mutually (corresponding to our proposed S1, S10, and S13) and that they build a session key successfully (corresponding to our proposed S14):

(1) Goal 1: .

(2) Goal 2: .

(3) Goal 3: .

(4) Goal 4: .

According to the BAN logic, we first transform the scheme to an idealized one:: : .: : .: : .: : .: : .

Then, to analyze the scheme, we make some assumptions about its initial state as follows:: .: .: .: .: .: .: .: .: .: .: .: .

Based on these assumptions above, we will prove the security of our protocol according to BAN logic as follows.

From  , we have

Then according to H8, , , it is obvious that

From  , we have

Then according to , , , it is obvious that

From  , we have

Then according to , , , it is obvious that

And according to , , and , we get

And according to , , , we can get

From  , we have

Then according to , , , it is obvious that

And according to , , and , we get

And according to , , , we can get

From  , we have

Then according to , , , it is obvious that

And according to , , and , we get

And according to , , , we can get

Thus, with Goals 1 to 4, we have proved that the user and the server have authenticated each other; furthermore, they have accepted and shared the session key .

6.2. Informal Analysis

The heuristic method, which needs no complex formulas, is a direct and simple way to analyze the security of a protocol quickly. It plays a significant role in the cryptanalysis of authentication protocols, though its analytic process depends heavily on human experience rather than on a set of scientific tools. This section uses a heuristic method to show that our scheme not only provides the desired attributes but also resists various attacks.

6.2.1. User Anonymity

In our scheme, on one hand, the adversary cannot get : the user identity is concealed in where , so an adversary without cannot guess the value of via a dictionary attack; on the other hand, cannot link the message flows to a certain user: though is a fixed value, it is transmitted in the form , where and change with each run of the protocol, and only the user and the party knowing the long-term secret key can compute . This means that changes with and , and cannot get . Thus fails to link the message flows to a certain user. So our scheme achieves user anonymity.

6.2.2. Forward Secrecy

The session key of the proposed scheme consists of two “special” parameters: and , where and mod mod mod . Suppose that an adversary gets the secret key ; then he can intercept and to compute and . However, computing from is equivalent to solving the DLP, which is bound to fail. So our scheme provides perfect forward secrecy.

6.2.3. Mutual Authentication

In Step 3 of Section 5.4, with verifies the validity of by checking . If is legitimate, computes and constructs to . So with the help of , authenticates . In short, both and authenticate .

In Step 3 of Section 5.4, with authenticates by checking . If passes the test, responds to ’s challenge with , which is an encryption under the key . Then verifies ’s validity by checking . Furthermore, with in , verifies and . So, all in all, authenticates and ; authenticates and .

Therefore, our scheme achieves mutual authentication.

6.2.4. Privileged Insider Attack

In the registration phase of our scheme, submits to . From this message, learns nothing about ’s or any other useful information. Thus our scheme is resistant to the privileged insider attack.

6.2.5. Off-Line Dictionary Attack

Suppose an adversary has full control of the open channel and obtains the information in the smart card; we then show that our scheme resists the off-line dictionary attack from two aspects.

On one hand, with and , guesses and to be and , respectively. Then computes , , , verifies the correctness of and by testing mod , and repeats these steps until the equation is satisfied. However, even if finds such a pair , he is still not sure whether and , for there are candidate pairs when and [2]. Then has to verify the guess online, which will be stopped by the .

On the other hand, may try another way to conduct an off-line dictionary attack: obtaining , and , and using to check the correctness of the guessed and . However, would have to compute , which is impossible for any entity (except ) without , as we explained in Section 6.2.1.

In conclusion, our scheme is secure against the dictionary attack.
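The first argument above can be illustrated with a small simulation, added here as an example that is not part of the paper's own code. It assumes, following the paper's reference [2], that the card stores a "fuzzy" verifier of the form h(ID || PW) mod n0 (the paper's exact expression is not reproduced here); the dictionary, the real credentials and the server's attempt limit are constructed values.

```python
import hashlib
from itertools import product

# Constructed toy dictionary: identities and passwords an adversary
# holding a stolen card would try off-line (not from the paper).
IDS = ["alice", "bob", "carol", "dave"]
PASSWORDS = [f"pw{i}" for i in range(100)]
REAL_ID, REAL_PW = "dave", "pw99"   # constructed real credentials
ONLINE_LIMIT = 3                    # assumed: server suspends the card after 3 failures


def h(*parts: str) -> int:
    """Hash of the concatenated parts as an integer (SHA-256 stands in for h())."""
    return int(hashlib.sha256("||".join(parts).encode()).hexdigest(), 16)


def fuzzy_verifier(identity: str, password: str, n0: int) -> int:
    """Assumed form of the value stored on the card: h(ID || PW) mod n0.
    A small n0 makes the check fuzzy: many (ID, PW) pairs satisfy it."""
    return h(identity, password) % n0


def offline_candidates(verifier: int, n0: int) -> list:
    """Off-line dictionary attack on the stolen card value: every (ID, PW) pair
    in the dictionary that passes the local check, in dictionary order."""
    return [(i, p) for i, p in product(IDS, PASSWORDS)
            if fuzzy_verifier(i, p, n0) == verifier]


def attack_outcome(n0: int) -> dict:
    """Summarize what the adversary learns off-line for a given n0."""
    cands = offline_candidates(fuzzy_verifier(REAL_ID, REAL_PW, n0), n0)
    return {"candidates": len(cands),
            "real_included": (REAL_ID, REAL_PW) in cands,
            "resolved_offline": len(cands) == 1}


def online_verification(candidates: list, limit: int = ONLINE_LIMIT) -> tuple:
    """Model of the server-side check: the adversary tries candidates one by one;
    the server suspends the card after `limit` failed logins.
    Returns (real_pair_found, card_suspended)."""
    failures = 0
    for pair in candidates:
        if pair == (REAL_ID, REAL_PW):
            return True, False
        failures += 1
        if failures >= limit:
            return False, True
    return False, False
```

With an exact verifier (n0 far larger than the dictionary) the single surviving candidate is the real pair, so the card alone leaks the credentials; with a small n0 the adversary is left with many candidates and the server's attempt limit stops the remaining online verification.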

6.2.6. Verifier-Stolen Attack

In our scheme, maintains a in the form of and a in the form of , while the parameters in the two lists are not security-related. Thus an adversary with the verifier table poses no security threat to the system.

6.2.7. Replay Attack

We apply the random number to prevent the replay attack. Suppose an adversary eavesdrops on a message in the open channel, such as , and then replays the message flow to . Without , cannot construct a correct to pass the verification of . So can neither gain any benefit from replaying the message nor be authenticated by . Similarly, also fails to carry out a replay attack on the other message flows. Therefore, our scheme can resist the replay attack.

6.2.8. User Impersonation Attack

According to the analysis above, the adversary can neither guess and nor replay to impersonate , so there is only one way left: constructing . So selects a random number and computes , forges and , then computes , and sends it to . However, after computes and obtains , either cannot find such a in or computes a that is not equal to . Both conditions lead to the failure of ’s authentication. That means is bound to find that is forged. Therefore, cannot impersonate .

6.2.9. Server Impersonation Attack

On one hand, according to the analysis above, the adversary cannot replay the message flows to impersonate ; on the other hand, has no way to get the private key . Thus our scheme is secure against the server impersonation attack.

7. Performance Analysis

In this section, we compare our scheme with other two-factor authentication schemes for the multiserver environment [17–20, 41–43]. As shown in Table 5, the result manifests the advantages of the proposed scheme in security attributes. We can see that our scheme satisfies all the security attributes and is the best one among these schemes, though its computation overhead and communication cost are higher, while the others [17–20, 41–43] have weaknesses to a greater or lesser degree. Actually, according to Wang et al. [28, 32], a public key algorithm is the key to achieving user anonymity and resistance against the off-line dictionary attack, while a public key algorithm is bound to cost more than a symmetric algorithm. So the schemes [17–19, 43] using only symmetric algorithms need less communication cost than our scheme, but they are definitely not secure. Among the compared schemes, only the schemes [20, 41, 42] are equipped with a public key algorithm. Both the scheme of Kumari et al. [41] and that of Irshad et al. [42] cost more than our scheme. And our scheme does not spend much more communication cost or computation overhead than Lix et al.’s, while achieving all fourteen evaluation criteria (Lix et al.’s scheme achieves only nine). As a matter of fact, a certain communication cost is a must for achieving better security. We think that ensuring the security of the protocol is the most important goal for an authentication scheme; furthermore, our scheme does not significantly increase the computation overhead and communication cost. Therefore, compared to those schemes vulnerable to attacks, our scheme is more suitable for the multiserver environment.

8. Conclusion

In this paper, firstly, we described the communication model and adversary model of the multiserver environment, pointing out that some of the adversary capacities assumed in many schemes are impractical and unreasonable. Then, based on the works of pioneer contributors, we summarized fourteen security requirements for user authentication in the multiserver environment. Secondly, according to the adversary model and security requirements, we demonstrated the weaknesses in the schemes of Amin and Maitra et al. Thirdly, to overcome the identified weaknesses, we proposed a new improved scheme for the multiserver environment and proved its security via BAN logic and heuristic analysis. Furthermore, the comparison results showed the superiority of our scheme.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research is supported by the National Key Research and Development Program of China (no. 2017YFB0801900); the BUPT Excellent Ph.D. Students Foundation; the National High Technology Research and Development Program Foundation of China under Grant no. 2015AA017202; the Guangdong Provincial Science and Technology Department Frontier and Key Technology Innovation Project Foundation under Grant no. 2016B010110002; and the State Grid Corporation of China Key Technology Innovation Project Foundation under Grant no. SGRIXTKJ 2017 265.