Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018, Article ID 9178941, 13 pages
https://doi.org/10.1155/2018/9178941
Research Article

Secure and Efficient User Authentication Scheme Based on Password and Smart Card for Multiserver Environment

1State Key Laboratory of Mathematic Engineering and Advanced Computing, Zhengzhou 450002, China
2College of Physical and Electronic Information, Luoyang Normal University, Luoyang 471022, China
3College of Computer Science and Information Engineering, Harbin Normal University, Harbin 150025, China

Correspondence should be addressed to Yan Zhao; moc.361@yl_oahznay

Received 15 January 2018; Revised 28 March 2018; Accepted 18 April 2018; Published 20 May 2018

Academic Editor: Kim-Kwang Raymond Choo

Copyright © 2018 Yan Zhao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

The rapid development of information and network technologies motivates the emergence of various new computing paradigms, such as distributed computing, cloud computing, and edge computing. This also enables more and more network enterprises to provide multiple different services simultaneously. To ensure these services can only be accessed conveniently by authorized users, many password and smart card based authentication schemes for multiserver architecture have been proposed. Recently, Truong et al. introduced an identity based user authentication scheme on elliptic curve cryptography in multiserver environment and claimed that their scheme is secure against popular attacks. However, in this paper, we point out that their scheme suffers from offline password guessing and impersonation attack and fails to achieve security requirements of this kind of authentication scheme. Moreover, we put forward a new scheme to conquer security pitfalls in the above scheme. Security analysis indicates that the proposed scheme can be free from well-known attacks. Performance discussion demonstrates that our scheme has advantages in terms of both security property and computation efficiency and thus is more desirable for practical applications in multiserver environment.

1. Introduction

The authentication and key agreement protocol is one of fundamental building blocks for securing communications over the Internet. It enables protocol participants to authenticate each other’s identities and establish shared session keys subsequently used by encryption algorithms and is widely implemented in many areas, such as online-shopping, Internet banking, electronic governance, and electronic medical record system.

Roughly speaking, the above application scenarios can be abstracted to a user-server model. That is, when a user wants to remotely access the service provided by a server, he/she first registers with the service provider. Then, the service provider can ensure that the service can only be accessed by legitimate users; meanwhile, the user can believe that the service provider is legal. So far, there are many kinds of authentication scheme that are applicable to the user-server setting, such as certificate-based authentication scheme [1, 2], identity-based authentication scheme [35], and password-based authentication scheme [6, 7].

Among these variants of authentication scheme, password-based authentication scheme is particularly attractive due to its unique features, i.e., the password is easy to remember and the scheme is conveniently to be deployed. Specifically, in the context of this kind of authentication scheme, each user possesses a personal password, as the credential of accessing the service provider by a server. At the same time, the service provider maintains a table to verify the validity of all user’s passwords such that invalid users’ access request would be rejected. However, this also makes the scheme vulnerable to offline password guessing attack, especially when the verification table is disclosed. To conquer this issue, smart card is introduced into the design of password-based authentication scheme, which results in password and smart card based two-factor authentication scheme. Such an authentication provides stronger security guarantee; namely, even if the password or the smart card (not the both) gets exposed, the scheme can remain secure. Since the introduction of this kind of two-factor authentication scheme, a lot of schemes [814] based on different cryptography primitives have been proposed. Particularly, these schemes are designed for the single server environment.

On the other hand, the rapid development of information and network technologies brings a number of new information systems, e.g., social networks, wireless sensor networks, and cloud computing, which can provide multiple services simultaneously. To solve the access control problem in the setting of multiple service providers, we can concurrently implement multiple instances of a password and smart card based authentication scheme designed in the single server environment. However, for a system user, this will bring tremendous workload of managing passwords and smart cards issued by different service providers. In addition, it also increases the damage of password disclosure.

To improve the usability of password and smart card based authentication scheme, researchers propose to design this kind of authentication scheme for multiserver architecture. Informally, in the improved scheme, each user just needs to register with a registration center and then can access any service provided by those servers managed by the registration center. Specifically, Yeh [15] recently proposed such authentication scheme based on RSA cryptosystem and proved its security in the random oracle model. However, Truong et al. [16] found that Yeh’s scheme fails to provide mutual authentication and key agreement, which are basic security requirements of an authentication scheme. Furthermore, they proposed a new scheme to conquer these security pitfalls. Their scheme is built upon elliptic curve cryptography and is claimed to be secure against various attacks. Unfortunately, in this paper, we will demonstrate that Truong et al.’s [16] scheme cannot resist impersonation attack and offline password guessing attack, which is the most realistic and serious threat against this kind of authentication scheme. In addition, we also put forward a security enhanced password and smart card based authentication scheme in multiserver environment. The security analysis and performance discussion indicate that our scheme has advantages in terms of both security property and computation efficiency and thus are more desirable for practical applications.

1.1. Related Work

In 1981 Lamport [17] proposed the first password authentication scheme. This scheme is built upon cryptographically secure one-way hash function and has advantages of simplicity and convenience. However, it inevitably suffers from password guessing attack and the threat of the disclosure of the verification table. To enhance the security of password-based authentication scheme, Chang and Wu [18] introduced password and smart card based two-factor remote user authentication scheme. Since then, a number of such schemes [1927] have been proposed to improve the security and efficiency of this kind of authentication scheme. In general, these schemes fall into two types, i.e., using static identity or dynamic identity. The main drawback of using static identity is that publicly transmitted identity will reveal user privacy. To conquer this issue, Das et al. [19] introduced the notion of password and smart card authentication scheme using dynamic identity and proposed a concrete protocol. However, Liao et al. [28] pointed out that this scheme cannot resist user impersonation attack and also proposed an improved scheme with mutual authentication. Subsequently, although there are various similar schemes designed to fix security pitfalls in previous schemes, most of them [2022] are still vulnerable to offline password guessing attack when the smart card is lost.

Today, with the rapid development of information and network technologies, more and more network enterprises can simultaneously provide multiple different kinds of services. If we directly use those authentication schemes designed for the single server environment, then a user has to register with all of service providers, which will bring heavy workload for the user to manage all passwords and identities. To solve this problem, Li et al. [29] proposed a password authentication scheme based on neural network in multiserver environment and claimed that one registration enables a user to access all of services. Subsequently, Lin et al. [30] gave a new scheme based on ElGamal signature to improve the efficiency of Li et al.’s scheme. Moreover, Juang [31] further used hash function and symmetric encryption algorithm to decrease the computation cost of this kind of authentication. However, Ku et al. [32] found that Juang’s scheme cannot resist insider attack and also cannot support perfect forward secrecy.

To enhance the security of the above password-based authentication schemes for multiserver environment, in 2009 Liao and Wang [33] proposed the first password and smart card based authentication scheme in the multiserver environment using dynamic identity. But Hsiang and Shih [34] immediately noted that Liao et al.’s scheme is vulnerable to inside attack, impersonation attack, and forgery attack. Although Hsiang and Shih gave an improved scheme, Sood et al. [35] found that Hsiang and Shih’s scheme is susceptible to replay attack, impersonation attack, and stolen smart card attack. Recently, motivated by security requirements from different areas, a few of new two-factor authentication schemes [15, 16, 3640] for multiserver environment have been put forward. These schemes are mainly built upon elliptic curve cryptosystem. In addition, there are several works that introduce biometrics into the design of authentication scheme for multiserver environment. For example, Odelu et al. [41] proposed a secure multiserver authentication protocol using biometric-based smart card. He and Wang [42] presented a biometrics-based three-factor authentication scheme for multiserver environment using elliptic curve cryptography. Moreover, there are a few similarly schemes [4346] that are put forward recently. Although there have been various multifactor authentication schemes for multiserver environment, how to design a secure and efficient authentication scheme remains challenging.

1.2. Outline

The remainder of this paper is organized as follows. Section 2 briefly reviews Truong et al.’s [16] authentication scheme. Two kinds of practical attack against their scheme are provided in Section 3. We propose a security enhanced password and smart card based authentication scheme in multiserver environment in Section 4 and present the corresponding security analysis in Section 5. Section 6 discusses the performance of the proposed scheme. Finally, we give the conclusion in Section 7.

2. Review of Truong et al.’s Scheme

In this section, we briefly review Truong et al.’s [16] scheme. We summarize the notations used throughout this paper in Table 1. Specifically, Truong et al.’s authentication scheme is comprised of the following four phases.

Table 1: The notations used throughout this paper.
2.1. Initialization Phase

In this phase, the registration center is given a security parameter and initializes the system as follows:(1)Select an elliptic curve defined over , where is a prime number of size and . Let be a cyclic group derived from with prime order and let be a random generator.(2)Randomly choose and select two hash functions , .(3)Publish the system public parameter as , and keep as the secret key.

2.2. Registration Phase

This phase consists of two parts, i.e., server registration and user registration. First, when a service provider intends to register with the registration center , as indicated in Figure 1, they interactively perform as follows:(1)The service provider chooses an identity and submits it to the registration center through a secure channel.(2)After receiving ’s registration request, the registration center picks a random integer and computes and then sends to the service provider via a secure channel.(3)Upon getting the registration center ’s response message, the service provider keeps as its master secret key.

Figure 1: Server registration of Truong et al.’s scheme.

Second, as shown in Figure 2, a user intending to register with the registration center carries out the following steps:(1)The user chooses an identity and submits it to the registration via a secure channel.(2)After receiving the registration request from , the registration center randomly selects and . Then, for each , the registration center computes and .(3)The registration center returns a smart card including the secret information and to the user .(4)Upon getting ’s response information, the user immediately updates the initial password chosen by .

Figure 2: User registration of Truong et al.’s scheme.
2.3. Login-In and Authentication Phase

When a user wants to access the service from a provider , they need to interactively perform an authentication procedure to ensure the provided service is legally accessed. As shown in Figure 3, the details of the authentication procedure are as follows:(1)The user inserts his/her smart card into a card-reader device and inputs the identity and the password .(2)The smart card verifies the validity of the user by recomputing the secret value and checking if . If not, the smart card terminates the authentication procedure; otherwise, it randomly selects an integer and computes After that, the smart card sends the message to the service provider .(3)Upon receiving the message from the user , the service provider verifies and successively computes Then, it checks whether it holds that . If not, the service provider also terminates the authentication procedure; otherwise, it chooses a random integer and computes Subsequently, sends the message to the user .(4)After receiving the message from the service provider , the user ’s smart card computes Then, the smart card checks if . If not, the authentication procedure is terminated; otherwise, the smart card successfully authenticates the service provider and sends to .(5)When receiving the message from the user , the service provider recomputes and checks if . If not, terminates the authentication procedure; otherwise, the user is successfully authenticated by the service provider .(6)The user and the service provider derive a shared session key: This completes the authentication procedure.

Figure 3: Authentication phase of Truong et al.’s scheme.
2.4. Password Update Phase

When a user wants to update his/her password, he/she can conveniently achieve this goal by performing the following procedure:(1)The user inserts the smart card into a card-reader device and provides the corresponding identity and password .(2)The smart card recomputes and checks if it holds that . If not, the update procedure is terminated; otherwise, the smart card requires the user to input a new password and computes .(3)Finally, the smart card replaces with . This completes the update procedure.

3. Cryptanalysis of Truong et al.’s Authentication Scheme

In this section, we show that Truong et al.’s [16] protocol suffers from offline password guessing attack and server impersonation attack. To this end, we first formalize the adversary’s capacity. Roughly, in the literature of two-factor authentication scheme based on password and smart card, an adversary is allowed to(i)overhear, modify, synthesize, and intercept any messages transmitted over the public channel,(ii)obtain the user’s password or the private information stored in the smart card by using the technologies introduced in [48, 49], but not both.

The above two assumptions about the adversary’s capacity are widely recognised and adopted in the security analysis of password and smart card based two-factor authentication protocols, including [16]’s protocol and our scheme. Below we give the attack details.

3.1. Offline Password Guessing Attack

To launch this kind of attack against a user , an adversary records the message appearing in some instance of the authentication procedure executed between and a server and then steals ’s smart card and extracts secret values . After that, the adversary performs as follows:(1)Construct a personal password dictionary , and select a candidate password .(2)Compute , and check if it holds that . If yes, it implies that ’s guess is correct; otherwise, go to the next step.(3)Choose a new candidate password, and repeat the previous step until the correct password is recovered.

After the adversary gets the correct password, it can further completely impersonate the user since it simultaneously holds ’s password and smart card. On the other hand, the computation cost of verifying a candidate password is only one hash operation, which is nearly negligible when running it on a personal computer. Thus, the entire complexity of completing the password guessing attack is linear in the size of the password dictionary , which is rather small in practice. This implies that the adversary can recover a user’s password in just a few minutes and this kind of attack is practical.

3.2. Impersonation Attack

In this kind of attack, a malicious user (adversary) tries to impersonate a legal user or a server. We demonstrate that a malicious user can impersonate any legal server and user.

First, the malicious user extracts secret values stored in his/her smart card, where for any . Intuitively, can directly get (the values are all available for . In Truong et al.’s protocol, although the hash function is not stored in the user’s smart card, we think it is public and is available for any one. In fact, the user can also get from a malicious server), which is the only secret value of the server . Consequently, can utilize it to impersonate the server at any time.

Second, for any user , since his/her identity and the random value are transmitted over the public channel, then the malicious user can directly compute the secret value with the corrupted secret value . Furthermore, by using , the malicious user can impersonate the user to access the service provided by the server , even if he/she does not know ’s password. Essentially speaking, this is mainly because that the correctness of the password is locally checked by the smart card, rather than by the corresponding server.

In short, by either launching offline password guessing attack or using the above two variants of impersonation attack in a combinational way, a malicious user (adversary) can totally break the security of Turong et al.’s [16] scheme. Thus, it does not achieve the intended security requirements and is not adaptable for practical applications.

4. The Proposed Scheme

In this section, to conquer those security pitfalls in Turong et al.’s [16] protocol, we propose a security enhanced password and smart card based authentication scheme in multiserver environment. Before describing the concrete scheme, we give an overview to demonstrate our design criteria.

Note that the reason of Turong et al.’s [16] protocol suffering from offline password guessing attack mainly lies in the fact that the password correctness is locally verified by the smart card. As a result, when the smart card is lost, an adversary can utilize the secret value stored in the smart card to launch offline password guessing attack. In our scheme, we let the service provider check the password validity. Specifically, after a user inputs his/her password, the smart card uses it to recover a secret value, which is computable for the service provider. Then, by verifying the correctness of the secret value, the service provider can ensure whether the user holds the correct password or not. In addition, these messages transmitted over the public channel should also avoid being used to check the validity of the password.

On the other hand, to prevent a malicious user from directly recovering a server’s secret key (i.e., in Turong et al.’s [16] protocol), we let the registration center first perform hash operation on each server’s secret key and then use it to produce a private value for the user, rather than directly employing the server’s secret key to do that as in Turong et al.’s [16] protocol. As shown in the security analysis of our scheme, this enables our scheme to be free from user/server impersonation attack. Moreover, as in the design of most authentication schemes, we call Diffie-Hellman key exchange mechanism to achieve key agreement and forward security and exploit the freshness of random numbers and timestamps to prevent replay attack.

The concrete authentication scheme is comprised of four phases: initialization phase, registration phase, authentication phase, and password update phase, which are separately specialized as follows.

4.1. Initialization Phase

In this phase, the registration center initializes the system according to a security parameter as follows:(1)Choose a prime number with the size and then generate an elliptic curve defined over , where . Furthermore, produce a cyclic group with prime order from , and randomly pick a generator .(2)Randomly sample an integer from , and choose two cryptographically secure hash functions , .(3)Publish the system public parameter as , which are available to all system users, and set as the master secret key.

4.2. Registration Phase

In this phase, each system user registers with the registration center to get a smart card containing several secret values, as a credential of to prove his/her authenticity to service providers. Each service provider registers with to obtain a secret key, as a credential of to show its legality to system users.

Specifically speaking, to register with , as shown in Figure 4, service providers and perform as follows:(1)The service provider selects a unique identity and sends it to the registration center via a secure channel.(2)Upon receiving the registration request from , the registration center directly computes and then sends the message to through a secure channel.(3)After obtaining the registration center ’s response message, keeps as its secret key.

Figure 4: Server registration in our scheme.

For a system user intending to register with the registration center , as shown in Figure 5, they interactively conduct the following steps:(1)The user selects a unique identity and a personal password easy to remember. Moreover, he/she randomly samples an integer and computes . Then, sends the registration request message to via a secure channel.(2)After receiving the registration request from , the registration center computes for each and issues a smart card containing to the user .(3)Upon receipt of the smart card, the user rewrites the random value into the smart card and keeps properly.

Figure 5: User registration in our scheme.
4.3. Authentication Phase

By running an authentication procedure between a system user and a service provider , they can check the validity of each other and establish a secure channel. That is, ensures that is a registered user, and believes that the service provided by is legal. As shown in Figure 6, such a procedure is performed as follows:(1)The user attaches his/her smart card to a card-reader device and inputs his/her identity and the corresponding password .(2)’s smart card first computes and . Then, it randomly selects an integer and further calculates where is the current timestamp. After that, the smart card sends the authentication request message to the service provider .(3)Upon the receipt of the message from the user , the service provider checks the validity of and by verifying if , where is the current timestamp. If not, the user’s authentication request would be rejected. Moreover, computes . Then, it checks whether it holds that . If not, the service provider terminates the authentication procedure; otherwise, it chooses a random integer and computes where is the current timestamp. Subsequently, sends the message to the user .(4)After receiving the message from the service provider , the user ’s smart card first checks the validity of by verifying if , where is the current timestamp. After that, it computes Then, the smart card checks if . If not, the authentication procedure is terminated; otherwise, the smart card successfully authenticates the service provider and sends to , where is the current timestamp.(5)When receiving the message from the user , the service provider first checks the validity of by verifying if , where is the current timestamp. Then, recomputes and checks if . If not, terminates the authentication procedure; otherwise, the user is successfully authenticated by the service provider .(6)The user and the service provider derive a shared session key: This completes the authentication procedure.

Figure 6: Authentication phase in our scheme.
4.4. Password Update Phase

When a user wants to update his/her original password , the following steps are conducted:(1) randomly selects a service provider , with whom performs the authentication procedure.(2)If both and pass through the authentication, then selects a new password and lets the smart card compute (3)The smart card replaces with ().

Remark 1. Note that the password update phase in our scheme is significantly different from that in Truong et al.’s [16] scheme, in which the password update is completed in an offline way. This implies that the smart card has to check the validity of the password. As a result, when the smart card is lost, their scheme suffers from offline password guessing attack. However, in our scheme, the validity of the password is verified by a service provider, rather than the smart card. Although the password update phase in our scheme needs more computation and communication cost (compared with Truong et al.’s [16] scheme), it provides stronger security guarantee.

5. Security Analysis

Although formal security analysis (or provable security) is more desirable, now it is difficult to achieve this requirement due to the complexity of the protocol design. In fact, there are already several similar authentication schemes that are claimed to be provably secure by defining the corresponding security model, or using the BAN logic [50]. However, subsequent works indicate that these schemes all fail to provide the required security properties. Therefore, we use informal and heuristic manner to analyze the security of the proposed scheme. We note that such a manner is widely accepted and used in the literature of multifactor authentication scheme [15, 20, 24, 33, 36, 38, 39, 51].

Specifically, we show that our scheme can resist various well-known attacks, including replay attack, impersonation attack, offline password guessing attack, and known-key attack. We also demonstrate that the proposed scheme achieves intended security goals, such as mutual authentication, key agreement, and two-factor authentication.

5.1. Replay Attack

To launch the replay attack, an adversary first needs to eavesdrop these messages , , and transmitted between a user and a service provider and then resends one of them to or . Now we show how our scheme can be free from this kind of attack.

If the adversary sends (the adversary needs to choose the current timestamp on the user side and recomputes ) to the service provider , then would generate a new message according to the authentication procedure. Note that the computation of involves a new random integer. However, the adversary does not know the random integer originally used in the computation of . As a result, the adversary cannot produce correct response message and would be rejected by the service provider . Similarly, if the adversary wants to send the message to the user , it also cannot pass through the verification of the user , since would use a new random integer to check its validity, rather than the original . Thus, the proposed scheme can be free from the replay attack. Essentially speaking, we use two kinds of mechanism in a combinatorial way to avoid the replay attack, namely, timestamp and nonce (in the case that the time period in the system cannot be synchronized, the timestamp would fail to prevent the replay attack).

5.2. Insider Attack

The insider attack mainly means that a malicious insider party (e.g., the registration center or a service provider) tries to get a user’s password. First, from the perspective of the registration center, it can get the registration information , where is a random integer chosen by the user . Thus, without the knowledge of , the registration center cannot launch offline password guessing attack to recover ’s password . Second, on the side of a service provider , it also cannot get any information about the user ’s password, since those messages transmitted between them do not involve ’s password. Therefore, we conclude that our scheme can resist the insider attack.

5.3. Impersonation Attack

The impersonation attack against the proposed scheme falls into two classes, i.e., user personation and service provider personation. Below we show that the proposed scheme can withstand these two kinds of impersonation attack.

If an adversary , which might be a malicious user or a malicious service provider, wants to impersonate user , then it has to correctly compute the challenge value . Obviously, for this to be computable, the adversary has to know the values , , and . Moreover, if the adversary itself produces the value without (if the adversary holds ’s password and smart card, then it will not have to impersonate ) using ’s secret information (i.e., and ), then the corresponding value computed by the service provider is not equal to . As a result, it holds that , which implies that the adversary cannot pass through the service provider’s authentication since . Thus, the adversary cannot impersonate the user .

On the other hand, if the adversary wants to impersonate a service provider , then it also has to pass through a user ’s authentication. This requires the adversary to compute the correct value . We note that the adversary cannot get correct without the secret value (). Consequently, it cannot impersonate the service provider since it cannot produce the correct value .

5.4. Offline Password Guessing Attack

To launch the offline password guessing attack, an adversary has to hold a value that can be used to check the validity of a candidate password. Below we demonstrate that none of those transmitted messages in the proposed scheme can be used to do this.

In the authentication phase of the proposed scheme, note that a user ’s password is only used to recover the secret value , and its validity is not verified on the user side. Thus, even if the smart card is lost, those secret values stored in the smart card cannot be used to launch offline password guessing attack. Furthermore, for the first message , both the value and the hash value involve ’s password. However, the computation of does not need any secret value and thus cannot be used to check the validity of a candidate password. Moreover, without the knowledge of the value , the public value also cannot be used to verify the validity of a candidate password. For the second message and third message , observe that they do not involve any information about ’s password and thus naturally cannot be used to launch the offline password guessing attack. Therefore, the proposed scheme is secure against password guessing attack.

5.5. Known-Key Attack

The known-key attack means that the disclosure of a session key will affect the security of other session keys. In our scheme, a session key is derived from a fresh value , where and are randomly sampled from . This implies that all session keys are independent from each other. Thus, the disclosure of a session key has no influence on the security of other session keys, and the proposed scheme can withstand known-key attack.

5.6. Mutual Authentication and Key Agreement

In the authentication of the proposed scheme, observe that both the user and the service provider have to respond to the partner’s challenge. Specifically, the service provider uses its secret value to produce a correct response value , whose validity would be checked by the user . On the other hand, the user also utilizes the consistent value to generate a response value , whose correctness would be verified by the service provider . We can see that, to complete the authentication procedure, the user and the service provider are required to pass through each other’s authentication. Thus, the proposed scheme achieves mutual authentication.

Focusing on the generation of the session key, we can see that both the user and the service provider contribute to the computation of session key, namely, and . This implies that neither one can completely control the generation of the session key, and the session key can be sufficiently random if at least one of the participants is able to produce sufficiently random inputs. Therefore, the proposed scheme enjoys the functionality of key agreement.

5.7. Perfect Forward Secrecy

In the setting of the proposed scheme, the perfect forward secrecy requires that after a user ’s secret information (i.e., the password and those secret values stored in the smart card) and a service provider ’s secret key get exposed, previous session keys established and used between and should remain secure. By basing our scheme on the Diffie-Hellman protocol, it achieves perfect forward secrecy. Concretely, with the knowledge of and ’s secret information, an adversary can recover and . However, from the intractability of the computational Diffie-Hellman problem, we know that it is impossible for to compute , and thus cannot further recover the session key . This is why the perfect forward secrecy of the proposed scheme can be achieved.

5.8. Two-Factor Authentication

Two-factor authentication is a major security advantage of password and smart card based authentication scheme. That is, once the password or the smart card is revealed (not the both), the scheme should remain secure. Below we show that the proposed scheme is still secure in the above two cases.

In the case that an adversary knows a user ’s password but does not have ’s smart card, the adversary cannot compute , where is stored in the smart card and . As a result, it cannot produce a correct value that is consistent with the one computed by the service provider. Thus, the adversary cannot pass through the service provider’s authentication. Namely, the proposed scheme remains secure in this case.

In the case that an adversary holds a user’s smart card but does not know the user’s password, as analyzed in the offline password guessing attack, no message can be used check the validity of a candidate password. On the other hand, without the knowledge of the correct password, due to the similar reason, the adversary also cannot pass through the service provider’s authentication. Thus, the proposed scheme is still secure in this case.

6. Performance Discussions

In this section, we discuss the performance of the proposed scheme in terms of security property and computation efficiency via comparing it with other related works.

In Table 2, we present security properties of the listed authentication schemes. We can see that only Li et al.’s [47] scheme cannot resist insider attack since the registration center maintains a table to verify users’ passwords. As analyzed by Truong et al. [16], in Yeh’s [15] scheme, the secret values computed by the user and the service provider are not consistent with each other; thus, this scheme cannot provide the security properties of mutual authentication and session key agreement. In addition, Li et al.’s [47] scheme only uses hash and XOR operations. Thus, after an adversary gets a user/server’s secret keys, it can further recover any previous session keys. Consequently, it cannot provide perfect forward secrecy. Moreover, except for our scheme, other listed schemes [15, 16, 40, 47] all cannot resist offline password guessing attack, which is the most realistic threat aimed at password and smart card based authentication scheme. Even worse, after the user’s smart card is lost, an adversary can correctly recover the corresponding password. This is also why these schemes [15, 16, 40, 47] suffer from user impersonation attack and cannot achieve two-factor authentication. Particularly, in Truong et al.’s [16] scheme, a malicious user can directly obtain any service provider’s secret key. As a result, their scheme is vulnerable to server impersonation attack. In short, our scheme surpasses other listed schemes in terms of security property and provides stronger security guarantee for practical applications.

Table 2: Comparisons of security properties with related works.

In Table 3, we summarize the computation cost of the authentication procedure of these schemes. By running the main operations (i.e., hash operation, XOR operation, modular exponentiation, point multiplication, and point addition) involved in these schemes by calling the library MIRCAL (https://libraries.docs.miracl.com/), we have that . Thus, we can see that Li et al.’s [47] scheme is the most efficient one since it only uses the hash operation and XOR operation, but it cannot provide the required security guarantee. On the other hand, our scheme is more efficient than other schemes [15, 16, 40]; meanwhile, it is also more secure than them. Therefore, from the perspective of both security and efficiency, the proposed authentication is more desirable for practical applications.

Table 3: Comparisons of computation efficiency with related works.

7. Conclusion

In this paper, we study the design and analysis of password and smart card based authentication scheme for multiserver architecture. Specifically, we pointed out that Truong et al.’s [16] scheme is vulnerable to offline password guessing attack and user/server impersonation attack. We also analyzed why their scheme fails to achieve the intended security goal. Moreover, we proposed a security enhanced and cost-effective authentication scheme to secure communications in the setting of multiple service providers. Security analysis and performance discussion show that our scheme has advantages in terms of security and efficiency and thus is more desirable for practical applications.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

References

  1. R. Hummen, J. H. Ziegeldorf, H. Shafagh, S. Raza, and K. Wehrle, “Towards viable certificate-based authentication for the Internet of Things,” in Proceedings of the 2nd ACM Workshop on Hot Topics on Wireless Network Security and Privacy (HotWiSec '13), pp. 37–42, ACM, Budapest, Hungary, April 2013. View at Publisher · View at Google Scholar · View at Scopus
  2. D. He, S. Zeadally, N. Kumar, and W. Wu, “Efficient and Anonymous Mobile User Authentication Protocol Using Self-Certified Public Key Cryptography for Multi-Server Architectures,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 9, pp. 2052–2064, 2016. View at Publisher · View at Google Scholar · View at Scopus
  3. H. Li, Y. Dai, L. Tian, and H. Yang, “Identity-based authentication for cloud computing,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Preface, vol. 5931, pp. 157–166, 2009. View at Publisher · View at Google Scholar · View at Scopus
  4. H. Debiao, C. Jianhua, and H. Jin, “An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security,” Information Fusion, vol. 13, no. 3, pp. 223–230, 2012. View at Publisher · View at Google Scholar · View at Scopus
  5. D. He, S. Zeadally, B. Xu, and X. Huang, “An Efficient Identity-Based Conditional Privacy-Preserving Authentication Scheme for Vehicular Ad Hoc Networks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2681–2691, 2015. View at Publisher · View at Google Scholar · View at Scopus
  6. M. S. Farash and M. A. Attari, “An efficient client–client password-based authentication scheme with provable security,” The Journal of Supercomputing, vol. 70, no. 2, pp. 1002–1022, 2014. View at Publisher · View at Google Scholar · View at Scopus
  7. C.-C. Lee, C.-T. Li, and C.-W. Hsu, “A three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps,” Nonlinear Dynamics, vol. 73, no. 1-2, pp. 125–132, 2013. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  8. D. He, D. Wang, Q. Xie, and K. Chen, “Anonymous handover authentication protocol for mobile wireless networks with conditional privacy preservation,” Science China Information Sciences, vol. 60, no. 5, Article ID 052104, 2017. View at Publisher · View at Google Scholar · View at Scopus
  9. D. Wang, D. He, P. Wang, and C.-H. Chu, “Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 4, pp. 428–442, 2015. View at Publisher · View at Google Scholar · View at Scopus
  10. D. He and S. Zeadally, “Authentication protocol for an ambient assisted living system,” IEEE Communications Magazine, vol. 53, no. 1, pp. 71–77, 2015. View at Publisher · View at Google Scholar · View at Scopus
  11. S. Kumari, M. K. Khan, and M. Atiquzzaman, “User authentication schemes for wireless sensor networks: A review,” Ad Hoc Networks, vol. 27, pp. 159–194, 2015. View at Publisher · View at Google Scholar · View at Scopus
  12. S. Kumari, X. Li, F. Wu, A. K. Das, H. Arshad, and M. K. Khan, “A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps,” Future Generation Computer Systems, vol. 63, pp. 56–75, 2016. View at Publisher · View at Google Scholar · View at Scopus
  13. Q. Jiang, M. K. Khan, X. Lu, J. Ma, and D. He, “A privacy preserving three-factor authentication protocol for e-Health clouds,” The Journal of Supercomputing, vol. 72, no. 10, pp. 3826–3849, 2016. View at Publisher · View at Google Scholar · View at Scopus
  14. Q. Jiang, J. Ma, F. Wei, Y. Tian, J. Shen, and Y. Yang, “An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks,” Journal of Network and Computer Applications, vol. 76, pp. 37–48, 2016. View at Publisher · View at Google Scholar
  15. K.-H. Yeh, “A Provably Secure Multi-server Based Authentication Scheme,” Wireless Personal Communications, vol. 79, no. 3, pp. 1621–1634, 2014. View at Publisher · View at Google Scholar · View at Scopus
  16. T.-T. Truong, M.-T. Tran, A.-D. Duong, and I. Echizen, “Provable Identity Based User Authentication Scheme on ECC in Multi-server Environment,” Wireless Personal Communications, vol. 95, no. 3, pp. 2785–2801, 2017. View at Publisher · View at Google Scholar · View at Scopus
  17. L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981. View at Publisher · View at Google Scholar · View at Scopus
  18. C.-C. Chang and T.-C. Wu, “Remote password authentication with smart cards,” IEE Proceedings Part E Computers and Digital Techniques, vol. 138, no. 3, pp. 165–168, 1991. View at Publisher · View at Google Scholar · View at Scopus
  19. M. L. Das, A. Saxena, and V. P. Gulati, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, vol. 50, no. 2, pp. 629–631, 2004. View at Publisher · View at Google Scholar · View at Scopus
  20. Y.-Y. Wang, J.-Y. Liu, F.-X. Xiao, and J. Dan, “A more efficient and secure dynamic ID-based remote user authentication scheme,” Computer Communications, vol. 32, no. 4, pp. 583–585, 2009. View at Publisher · View at Google Scholar · View at Scopus
  21. K.-H. Yeh, C. Su, N. W. Lo, Y. Li, and Y.-X. Hung, “Two robust remote user authentication protocols using smart cards,” The Journal of Systems and Software, vol. 83, no. 12, pp. 2556–2565, 2010. View at Publisher · View at Google Scholar · View at Scopus
  22. M. K. Khan, S.-K. Kim, and K. Alghathbar, “Cryptanalysis and security enhancement of a more efficient & secure dynamic ID-based remote user authentication scheme,” Computer Communications, vol. 34, no. 3, pp. 305–309, 2011. View at Publisher · View at Google Scholar · View at Scopus
  23. Q. Jiang, J. Ma, G. Li, and X. Li, “Improvement of robust smart-card-based password authentication scheme,” International Journal of Communication Systems, vol. 28, no. 2, pp. 383–393, 2015. View at Publisher · View at Google Scholar · View at Scopus
  24. F. Wu, L. Xu, S. Kumari et al., “An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment,” Journal of Network and Computer Applications, vol. 89, pp. 72–85, 2017. View at Publisher · View at Google Scholar · View at Scopus
  25. S. Kumari, S. A. Chaudhry, F. Wu, X. Li, M. S. Farash, and M. K. Khan, “An improved smart card based authentication scheme for session initiation protocol,” Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 92–105, 2017. View at Publisher · View at Google Scholar · View at Scopus
  26. S. Kumari, X. Li, F. Wu, A. K. Das, V. Odelu, and M. K. Khan, “A user anonymous mutual authentication protocol,” KSII Transactions on Internet and Information Systems, vol. 10, no. 9, pp. 4508–4528, 2016. View at Publisher · View at Google Scholar · View at Scopus
  27. J. Wei, X. Hu, and W. Liu, “An improved authentication scheme for telecare medicine information systems,” Journal of Medical Systems, vol. 36, no. 6, pp. 3597–3604, 2012. View at Publisher · View at Google Scholar · View at Scopus
  28. I.-E. Liao, C.-C. Lee, and M.-S. Hwang, “Security enhancement for a dynamic ID-based remote user authentication scheme,” in Proceedings of the International Conference on Next Generation Web Services Practices, NWeSP 2005, pp. 437–440, kor, August 2005. View at Publisher · View at Google Scholar · View at Scopus
  29. L. Li, I. Lin, and M. Hwang, “A remote password authentication scheme for multiserver architecture using neural networks,” IEEE Transactions on Neural Networks and Learning Systems, vol. 12, no. 6, pp. 1498–1504, 2001. View at Publisher · View at Google Scholar · View at Scopus
  30. I. C. Lin, M. S. Hwang, and L. H. Li, “A new remote user authentication scheme for multi-server architecture,” Future Generation Computer Systems, vol. 19, no. 1, pp. 13–22, 2003. View at Publisher · View at Google Scholar · View at Scopus
  31. W. S. Juang, “Efficient multi-server password authenticated key agreement using smart cards,” IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 251–255, 2004. View at Publisher · View at Google Scholar · View at Scopus
  32. W.-C. Ku, H.-M. Chuang, and M.-H. Chiang, “Cryptanalysis of a multi-server password authenticated key agreement scheme using smart cards,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E88-A, no. 11, pp. 3235–3238, 2005. View at Publisher · View at Google Scholar · View at Scopus
  33. Y. P. Liao and S. S. Wang, “A secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces, vol. 31, no. 1, pp. 24–29, 2009. View at Publisher · View at Google Scholar · View at Scopus
  34. H.-C. Hsiang and W.-K. Shih, “Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces, vol. 31, no. 6, pp. 1118–1123, 2009. View at Publisher · View at Google Scholar · View at Scopus
  35. S. K. Sood, A. K. Sarje, and K. Singh, “A secure dynamic identity based authentication protocol for multi-server architecture,” Journal of Network and Computer Applications, vol. 34, no. 2, pp. 609–618, 2011. View at Publisher · View at Google Scholar · View at Scopus
  36. J. Wei, W. Liu, and X. Hu, “Cryptanalysis and improvement of a robust smart card authentication scheme for multi-server architecture,” Wireless Personal Communications, vol. 77, no. 3, pp. 2255–2269, 2014. View at Publisher · View at Google Scholar · View at Scopus
  37. X. Li, J. Niu, S. Kumari, J. Liao, and W. Liang, “An Enhancement of a Smart Card Authentication Scheme for Multi-server Architecture,” Wireless Personal Communications, vol. 80, no. 1, pp. 175–192, 2015. View at Publisher · View at Google Scholar · View at Scopus
  38. V. Odelu, A. K. Das, and A. Goswami, “An Effective and Robust Secure Remote User Authenticated Key Agreement Scheme Using Smart Cards in Wireless Communication Systems,” Wireless Personal Communications, vol. 84, no. 4, pp. 2571–2598, 2015. View at Publisher · View at Google Scholar · View at Scopus
  39. K. Xue, P. Hong, and C. Ma, “A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture,” Journal of Computer and System Sciences, vol. 80, no. 1, pp. 195–206, 2014. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  40. R. S. Pippal, C. D. Jaidhar, and S. Tapaswi, “Robust smart card authentication scheme for multi-server architecture,” Wireless Personal Communications, vol. 72, no. 1, pp. 729–745, 2013. View at Publisher · View at Google Scholar · View at Scopus
  41. V. Odelu, A. K. Das, and A. Goswami, “A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1953–1966, 2015. View at Publisher · View at Google Scholar · View at Scopus
  42. D. He and D. Wang, “Robust Biometrics-Based Authentication Scheme for Multiserver Environment,” IEEE Systems Journal, vol. 9, no. 3, pp. 816–823, 2015. View at Publisher · View at Google Scholar · View at Scopus
  43. S. Kumari, X. Li, F. Wu, A. K. Das, K.-K. R. Choo, and J. Shen, “Design of a provably secure biometrics-based multi-cloud-server authentication scheme,” Future Generation Computer Systems, vol. 68, pp. 320–330, 2017. View at Publisher · View at Google Scholar · View at Scopus
  44. A. Irshad, S. A. Chaudhry, Q. Xie et al., “An Enhanced and Provably Secure Chaotic Map-Based Authenticated Key Agreement in Multi-Server Architecture,” Arabian Journal for Science and Engineering, vol. 43, no. 2, pp. 811–828, 2018. View at Publisher · View at Google Scholar
  45. S. Kumari, A. K. Das, X. Li et al., “A provably secure biometrics-based authenticated key agreement scheme for multi-server environments,” Multimedia Tools and Applications, pp. 1–31, 2018. View at Publisher · View at Google Scholar · View at Scopus
  46. R. Amin, S. K. H. Islam, M. K. Khan, A. Karati, D. Giri, and S. Kumari, “A two-factor RSA-based robust authentication system for multiserver environments,” Security and Communication Networks, vol. 2017, Article ID 5989151, 15 pages, 2017. View at Publisher · View at Google Scholar · View at Scopus
  47. X. Li, Y.-P. Xiong, J. Ma, and W.-D. Wang, “An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards,” Journal of Network and Computer Applications, vol. 35, no. 2, pp. 763–769, 2012. View at Publisher · View at Google Scholar · View at Scopus
  48. P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Proceedings of the Advances in Cryptology–CRYPTO 1999, pp. 789–789, Springer, 1999.
  49. T. S. Messerges, E. A. Dabbish, and R. . Sloan, “Examining smart-card security under the threat of power analysis attacks,” Institute of Electrical and Electronics Engineers. Transactions on Computers, vol. 51, no. 5, pp. 541–552, 2002. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  50. M. Burrows, M. Abadi, and R. Needham, “Logic of authentication,” ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18–36, 1990. View at Publisher · View at Google Scholar · View at Scopus
  51. J. Wei, W. Liu, and X. Hu, “Secure control protocol for universal serial bus mass storage devices,” IET Computers & Digital Techniques, vol. 9, no. 6, pp. 321–327, 2015. View at Publisher · View at Google Scholar · View at Scopus