Security and Communication Networks


Research Article | Open Access

Volume 2019 |Article ID 4656281 | 13 pages | https://doi.org/10.1155/2019/4656281

A Secure and Efficient ECC-Based Anonymous Authentication Protocol

Academic Editor: Dimitrios Geneiatakis
Received: 16 Aug 2018
Accepted: 24 Jun 2019
Published: 20 Aug 2019

Abstract

Nowadays, remote user authentication protocols play a great role in ensuring the security of data transmission and protecting the privacy of users for various network services. In this study, we show that two recently introduced anonymous authentication schemes are not as secure as claimed, by demonstrating that they suffer from offline password guessing attack, desynchronization attack, session key disclosure attack, failure to achieve user anonymity, or failure to achieve forward secrecy. Besides, we reveal that two environment-specific authentication schemes have weaknesses such as susceptibility to impersonation attack. To eliminate the security vulnerabilities of the existing schemes, we propose an improved authentication scheme based on the elliptic curve cryptosystem. We use BAN logic and heuristic analysis to prove that our scheme provides perfect security attributes and is resistant to known attacks. In addition, the security and performance comparison shows that our scheme is superior, with better security and low computation and communication cost.

1. Introduction

With the dramatic increase of network attacks and privacy leakage, it is extremely important for various network services to verify the authenticity of the communicating party and to protect the privacy of users in an insecure environment. As a basic defense strategy for numerous network services, the authentication protocol is aimed at solving these security issues. It has been used in various areas, such as e-banking, e-health, wireless sensor networks, and the Internet of Things [1–3]. An authentication protocol generally provides three useful functionalities, that is, mutual authentication, user anonymity, and session key agreement.

Recently, a great number of authentication schemes have been introduced and some evaluation metrics developed [4–8]. In 2012, Wang et al. [9] presented a robust authentication protocol that is resistant to known attacks, but the protocol has low efficiency, as it requires a number of modular exponentiation operations. Besides, they presented a comprehensive set of evaluation criteria for smart card based password authentication protocols. Madhusudhan and Mittal [10] defined the security requirements and desirable properties that an authentication protocol should fulfil. Kim–Kim [11] introduced an efficient dynamic identity authentication scheme, in which a synchronization mechanism is adopted to achieve user anonymity. In 2014, Islam et al. [12] introduced an anonymous authentication scheme based on the elliptic curve cryptosystem (ECC). Huang et al. [13] proposed an anonymous authentication protocol based on the RSA cryptosystem. In 2015, Wang et al. [14] demonstrated that Kim–Kim’s scheme and similar schemes that employ the same synchronization mechanism cannot withstand desynchronization attack, and introduced an ElGamal cryptosystem based scheme to overcome this threat. In 2016, Nikooghadam et al. [15] presented an efficient authentication protocol using a symmetric key cryptosystem and claimed that the protocol is resistant to various known attacks. Jung et al. [16] proposed a symmetric key cryptosystem based authentication and key agreement protocol for wireless sensor networks. In 2017, Luo et al. [17] proved that Islam et al.’s scheme is susceptible to insider attack and offline password guessing attack and introduced a new ECC-based scheme for improvement. But their scheme suffers from session key disclosure attack and offline password guessing attack. Xiong et al. [18] proved that Jung et al.’s protocol fails to achieve forward secrecy and suffers from smart card loss attack, and introduced an improved scheme based on the hash chain technique. Xie et al. [19] proposed a provably secure authentication protocol using ECC. Unfortunately, the protocol is inefficient in detecting a wrong identity or password. Amin et al. [20] demonstrated that Huang et al.’s scheme cannot resist offline password guessing attack and forgery attack and presented an anonymous RSA cryptosystem based scheme for improvement.

Although a great deal of research has been done on authentication protocols [21–35], new authentication schemes still have various security weaknesses [22–29, 32–34]. Offline password guessing attack and forward secrecy attack are two of the most common security weaknesses.

One prominent issue for authentication protocols is security against the offline password guessing attack. In an authentication scheme, a verification value is essential to check the validity of the entered password and to implement local password updates. But the introduced verification value probably leads to offline password guessing attack, and even to server impersonation attack, user impersonation attack, and man-in-the-middle attack. To solve this problem, Wang et al. [35] introduced an effective solution by integrating a “fuzzy-verifier” with “honeywords”.

On the other hand, forward secrecy is a matter of concern for authentication protocols. Numerous authentication schemes proposed recently achieve many desirable features but fail to preserve forward secrecy. A forward secrecy attack is a security vulnerability that damages the whole server system. Halevi and Krawczyk [36] demonstrated that, for any key exchange scheme, perfect forward secrecy can be achieved by using Diffie-Hellman key exchange.

1.1. Our Contributions

We cryptanalyze several representative schemes in this paper. First, we point out that Amin et al.’s scheme [20] suffers from offline password guessing attack and user impersonation attack and fails to provide forward secrecy. Next, we reveal that Nikooghadam et al.’s protocol [15] suffers from offline password guessing attack, man-in-the-middle attack, session key disclosure attack, server impersonation attack, desynchronization attack, and user impersonation attack, and fails to preserve forward secrecy and user anonymity. Then we point out that Mishra et al.’s session initiation protocol [33] fails to provide forward secrecy. In addition, we demonstrate that Hsieh et al.’s authentication scheme for wireless communication [34] suffers from offline password guessing attack and impersonation attack.

To eliminate these security vulnerabilities, we propose an improved authentication protocol based on elliptic curve cryptosystem. We use BAN logic and informal analysis to prove the completeness and security of our scheme. Furthermore, we give the performance and security comparison of related schemes. The results show that our scheme is more practical.

1.2. Structure of the Paper

Section 2 gives the cryptanalysis of Amin et al.’s scheme. Section 3 is the cryptanalysis of Nikooghadam et al.’s scheme. Section 4 is the cryptanalysis of two environment-specific authentication schemes. Section 5 gives the proposed scheme. Section 6 is the security analysis of our scheme. Section 7 gives the security and performance comparison of related schemes. Section 8 concludes the paper.

We elaborate the notations of this paper in Table 1.


Table 1: Notations (symbol: description; symbols lost in extraction are omitted).

User
S: Remote server
Malicious adversary
Identity of the user
Password of the user
Master key of S
P: A generator P of the elliptic curve group
The current timestamps of the user and S
The current timestamp
Symmetric encryption/decryption algorithm with key
SK: Session key between the user and S
Hash function
The string concatenation operation
The bitwise XOR operation
A public communication channel
A secure communication channel
Identity of the home agent
Identity of the foreign agent

2. Cryptanalysis of Amin Et Al.’s Scheme

In this section, we describe Amin et al.’s scheme and reveal its security vulnerabilities.

2.1. Review of Amin Et Al.’s Scheme

Amin et al.’s scheme consists of the following three phases (see Figure 1).

2.1.1. Initialization Phase

S chooses two big prime numbers u, v and calculates . Next, S selects another prime number , where . And d is calculated according to . S publishes public parameters and keeps as secret.

2.1.2. Registration Phase

In this phase, submits his identity information to S with the purpose of obtaining the access permission.

Step 1. picks and freely. calculates , where is a nonce. Afterwards, is transmitted to S via a secure channel.

Step 2. Upon receiving , S calculates , , . S stores in a smart card. The smart card is transmitted to via a secure channel.

Step 3. stores in the smart card.

2.1.3. Login and Authentication Phase

In this phase, delivers a login request message to . verifies the legitimacy of the message and sends back a response.

Step 1. attaches the smart card to a terminal and inputs and . The smart card calculates , , , and checks whether . If the equation holds, proceed to the next step.

Step 2. The smart card computes , , where is random number. is transmitted to S.

Step 3. After receiving , S validates whether , where is the time at which S receives the message and is the allowed maximum transmission delay. If it holds, is fresh. S computes to derive . Then S calculates , .

Step 4. S calculates and checks . If the equation holds, S regards as a legitimate user. Otherwise, this protocol aborts.

Step 5. S computes , , , where is a random number. S sends to .

Step 6. After receiving , the smart card first checks if is fresh. Next, the smart card calculates , , and checks if . If the equation holds, S is authenticated by . Then, the smart card calculates as session key.

2.2. Cryptanalysis of Amin Et Al.’s Scheme

In this part, we elaborate Amin et al.’s scheme is susceptible to several security attacks.

2.2.1. Offline Password Guessing Attack

The adversary extracts from the smart card. performs offline password guessing attack in the following steps.

Step 1. Choose an identity from the identity dictionary space, and a password from the password dictionary space.

Step 2. Calculate , , . Compare with . If they are equal, it shows that is 's real identity, and is 's correct password.

Step 3. Repeat Steps 1-2, until finds the real and .

2.2.2. User Impersonation Attack

Once extracts from the smart card and gets , via “offline password guessing attack”, performs user impersonation attack in the following steps.

Step 1. Calculate , , . Obviously, is equal to .

Step 2. Select a nonce . Calculate , where is the current timestamp. Calculate . Send to .

Step 3. Upon receiving , as is fresh, S computes to retrieve . Then S computes , , . As is equal to , S regards as legitimate user .

The root cause of the above attacks is that the smart card stores a verification value that lets the adversary check whether the guessed and are correct.

2.2.3. Forward Secrecy

Suppose gets the secret key and intercepts message and from public channel. Then calculates the session key as follows.

Step 1. Compute to derive .

Step 2. Compute .

Step 3. Compute , .

In Amin et al.’s scheme, and S select random numbers , respectively. The transmission of uses RSA encryption under the public key of S. The transmission of uses bitwise XOR with . Hence, the confidentiality of random numbers is completely dependent on the private key of S. Once the private key of S is compromised, the attacker can easily get all session keys of the whole server system.

3. Cryptanalysis of Nikooghadam Et Al.’s Scheme

In this section, we review Nikooghadam et al.’s scheme and reveal its security vulnerabilities.

3.1. Review of Nikooghadam Et Al.’s Scheme

Nikooghadam et al.’s scheme includes the following two phases (see Figure 2).

3.1.1. Registration Phase

In this phase, when receiving the enrollment request, issues a smart card to .

Step 1. picks , freely. Then calculates , where is a random number. is transmitted to through a secure channel.

Step 2. After receiving , calculates , . computes ’s dynamic identity , where is a random number. stores in a smart card and delivers it to through a secure channel.

Step 3. stores in the smart card.

3.1.2. Login and Authentication Phase

This phase verifies the legitimacy of communicating parties and negotiates a session key.

Step 1. inserts his smart card into a terminal and enters ,. The smart card calculates , , where is a nonce. The smart card delivers to S.

Step 2. After receiving , S checks the freshness of . Then S computes , , , and checks , . If both equations hold, proceed to the next step. Otherwise, the protocol aborts.

Step 3. S chooses two random numbers , . Then S computes , , and returns to .

Step 4. Upon receiving , the smart card calculates and checks if . If the two equations hold, proceed to the next step; otherwise, the protocol aborts.

Step 5. The smart card calculates , . is transmitted to S.

Step 6. Upon receiving , S calculates and checks . If the equation holds, S computes .

3.2. Cryptanalysis of Nikooghadam Et Al.’s Scheme

In this part, we demonstrate Nikooghadam et al.’s scheme is susceptible to several security attacks.

3.2.1. Inefficiency for Wrong Password Detection

In the login phase, the smart card never checks the validity of the entered password. If inputs a wrong password by accident, the smart card cannot detect this fault until a login request is sent to S and S returns a response rejecting it. This wastes the user's time.

3.2.2. Offline Password Guessing Attack

The adversary extracts from ’s smart card and intercepts from public channel. Offline password guessing is launched in the following steps.

Step 1. Choose an identity from the identity dictionary space and a password from the password dictionary space.

Step 2. Calculate , . Check , . If both the two equations hold, it shows that is 's real identity, and is 's correct password.

Step 3. Repeat Steps 1-2 until finds the real and .

3.2.3. User Anonymity

For the message , is compromised by performing the offline password guessing attack; this is a violation of user anonymity.

Once the adversary gets , obtains and by performing the offline password guessing attack, and intercepts , , and from the public channel, performs user impersonation attack, server impersonation attack, man-in-the-middle attack, session key disclosure attack, and desynchronization attack as follows.

3.2.4. User Impersonation Attack

Step 1. computes .

Step 2. computes , where is a nonce, and is current timestamp. sends to S.

Step 3. After S receives , as is fresh, , , S regards as the legitimate user and returns to .

Step 4. Upon receiving , computes , , and sends to S.

Step 5. After S receives , as , S computes . establishes a session key with S successfully.

3.2.5. Server Impersonation Attack

Step 1. Compute .

Step 2. Compute .

Step 3. Intercept from public channel. Generate a nonce and select a binary string whose length is the same as . Compute and return to .

Step 4. After receiving , as , regards as the server S.

3.2.6. Man-in-the-Middle Attack

Step 1. Intercept from public channel and send to S.

Step 2. Intercept from public channel and send to .

Step 3. Intercept from public channel and send to S.

3.2.7. Session Key Disclosure Attack

Step 1. Calculate .

Step 2. Calculate .

Step 3. Calculate .

3.2.8. Desynchronization Attack

Step 1. Calculate .

Step 2. Intercept from the public channel. Compute . Select a binary string whose length is the same as . Compute . Send to .

Step 3. Intercept from the public channel. Compute . Send to S.

After that, can no longer log in unless re-registers with S.

3.2.9. Forward Secrecy

Suppose obtains the master key of S and intercepts and from public channel, and then calculates the session key as follows.

Step 1. Calculate .

Step 2. Calculate .

Step 3. Calculate .

Step 4. Calculate .

The transmission of the random numbers , uses symmetric encryption under the key . The confidentiality of the random numbers therefore depends on the authentication value . Once the master key of S is leaked, the attacker is able to compute and to obtain , by decrypting the message . Consequently, the session keys of the whole server system are compromised.

In an authentication scheme, random numbers are essential to establish a unique session key in each session. If the user or the server cannot transmit its random number to the other side securely, the session key will certainly be compromised.

4. Cryptanalysis of Two Authentication Schemes for Specific Environment

Recently, Mishra et al. presented an efficient authentication scheme for the session initiation protocol. In addition, Hsieh et al. introduced an authentication scheme for wireless communication. However, after a rigorous analysis, we discover that both schemes have vulnerabilities. We reveal the weaknesses of the two schemes in this section.

4.1. Review of Mishra Et Al.’s Scheme

We briefly review Mishra et al.’s scheme in this subsection. As the password and biometric update phase is irrelevant to our cryptanalysis, we omit it.

4.1.1. Registration Phase

Step 1. picks , at will and computes , where is a nonce. delivers to the server S securely.

Step 2. Upon receiving , computes , , where is the secret key of S, and is the number of times the user has registered with S. S sends a smart card storing to .

Step 3. imprints his biometric . The smart card computes , , and stores in its memory.

4.1.2. Login and Authentication Phase

Step 1. enters , and imprints . The smart card checks if . If it holds, the smart card calculates , , , , , where u is a nonce. The smart card delivers to S.

Step 2. After receiving the message, S computes , , and checks if . If it holds, S calculates , and sends to .

Step 3. After receiving , the smart card calculates , . If , believes that it has established a valid session key with S.

4.2. Weaknesses of Mishra Et Al.’s Scheme

4.2.1. Forward Secrecy

If the adversary obtains the secret key and intercepts the messages and from the public channel, then is able to breach the session key in the following steps.

Step 1. Compute .

Step 2. Let .

Step 3. Compute , .

Step 4. Check if . If they are equal, proceed to the next step. Otherwise, let , and go to Step 3.

Step 5. Compute the session key .

4.3. Review of Hsieh Et Al.’s Scheme

We briefly review Hsieh et al.’s scheme in this subsection. As the ticket authentication phase is irrelevant to our cryptanalysis, we omit it.

4.3.1. Registration Phase

Step 1. The mobile station MS delivers to the home agent HA securely.

Step 2. After receiving the registration request, HA computes , , , , where are the secret values of HA, and are two random numbers. HA issues a smart card storing to MS.

4.3.2. Ticket-Issuing Phase

Step 1. MS computes , , , , , where are random numbers. MS sends to the foreign agent FA.

Step 2. After receiving the message, FA computes , , where k is a secret key shared by FA and HA. FA delivers to HA.

Step 3. After receiving the message, HA computes , , , , , , , , , . HA delivers to FA.

Step 4. Upon receiving , computes , , . sends to .

Step 5. Upon receiving , MS computes , and checks if . If it holds, MS calculates , , , and sends to FA.

Step 6. Upon receiving , FA checks if . If the equation holds, FA and MS authenticate each other and establish a session key successfully.

4.4. Weaknesses of Hsieh Et Al.’s Scheme

4.4.1. Offline Password Guessing Attack

Suppose the adversary extracts from the smart card and intercepts the messages and from public channel. Then performs the following steps.

Step 1. picks a password from the password dictionary space.

Step 2. computes , , , and checks if . If it holds, it shows that is the correct password.

Step 3. Repeat Steps 1-2, until finds .

4.4.2. MS Impersonation Attack

In the case that the smart card is compromised, the adversary is able to obtain the password via the offline password guessing attack; that is to say, the adversary has acquired all the authentication information that MS has. The adversary's capabilities then do not differ from those of the legitimate MS. Hence, the adversary is able to impersonate and defraud and successfully.

4.4.3. HA Impersonation Attack

intercepts the message from public channel. With the smart card and , is able to perform impersonation attack in the following steps.

Step 1. computes , , , , , , , where is a random number. sends to .

Step 2. After receiving , MS computes , . As , MS computes , . MS believes that it establishes a session key with HA.

5. Proposed Scheme

To overcome the weaknesses of Amin et al.’s scheme and Nikooghadam et al.’s scheme, we propose an improved anonymous authentication protocol using ECC. The proposed scheme establishes a secure session key based on Diffie-Hellman key exchange. Our scheme consists of the following four phases (see Figure 3).

5.1. Initialization Phase

S chooses an elliptic curve group . is a generator of . Then, S chooses a random number x as its private key and calculates as its public key. S publishes and keeps x secret.

5.2. Registration Phase

In this phase, when receiving a registration request, issues a smart card containing the parameters for user authentication to .

Step 1. picks and freely. calculates , where is a random number. Afterwards, is transmitted to S via a secure channel.

Step 2. After receiving , S calculates , , , where . stores in a smart card and transmits it to through a secure communication channel.

Step 3. stores in the smart card.

5.3. Login and Authentication Phase

This phase verifies the authenticity of communicating parties and generates a session key.

Step 1. attaches his smart card to a terminal and inputs and . Then the smart card calculates , , and checks . If the equation holds, the smart card computes , , , , , where is a random number. is transmitted to S.

Step 2. After receiving , S computes , , , , and checks . If the equation holds, S generates a random number and computes , , , . is transmitted to .

Step 3. After receiving , computes , , and checks . If the equation holds, S computes . is transmitted to S.

Step 4. After receiving , S computes and checks . If the equation holds, S establishes a session key with successfully.

5.4. Password Updates Phase

updates his original password to a new one as follows.

Step 1. attaches his smart card to a terminal and inputs and . The smart card calculates , , and checks . If it holds, the smart card asks the user to input a new password.

Step 2. enters his new password . Then the smart card calculates , . The smart card deletes and stores in its memory.

6. Security Analysis

6.1. Informal Analysis

The heuristic analysis shows that our scheme can withstand various known attacks.

6.1.1. Offline Password Guessing Attack

Suppose that the adversary steals the smart card of and extracts from it; then executes the following steps.

Step 1. Choose an identity from identity dictionary space and a password from password dictionary space.

Step 2. Compute , .

Step 3. Check .

In our scheme, we employ the verification value . When and the identity and password are 64 bits, there are pairs of that conform to . Even if finds a pair that conforms to , the probability that it equals the identity and password of is .

Our scheme overcomes the offline password guessing attack at the cost of a false acceptance rate of . This does not compromise security: when the server receives a login request message generated with an erroneous , as , the server rejects the login request.
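The following Python program is an added illustration of the fuzzy-verifier idea behind this argument; it is not the paper's own construction and its concrete formulas are assumptions. It assumes a card-side verifier of the form h(h(ID||PW) mod n0) with a small public n0 (the form of the Wang et al. fuzzy verifier cited above), a server-side authentication value h(ID||PW||s) under a server secret s, and h instantiated as SHA-256. Over a constructed dictionary it counts how many (ID, PW) pairs the card accepts, and checks that the server's full verification still rejects every wrong candidate.

```python
"""Fuzzy verifier: local password check that does not single out (ID, PW).

Added example (not from the paper). Construction assumed for illustration:
  card verifier V  = h( h(ID || PW) mod n0 )   with a small, public n0
  server value  A  = h( ID || PW || s )        with a server secret s
h is instantiated as SHA-256.
"""
import hashlib


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of all parts (stands in for the scheme's hash)."""
    return hashlib.sha256(b"".join(parts)).digest()


def fuzzy_verifier(identity: bytes, password: bytes, n0: int) -> bytes:
    """Card-side verifier. Reducing the inner hash modulo n0 collapses the
    (ID, PW) space into n0 residue classes, so many pairs share one verifier."""
    residue = int.from_bytes(h(identity, password), "big") % n0
    return h(residue.to_bytes(8, "big"))


def register(identity: bytes, password: bytes, n0: int, server_secret: bytes):
    """Assumed registration: the card receives only the fuzzy verifier; the
    full-entropy authentication value stays with the server."""
    card = {"n0": n0, "verifier": fuzzy_verifier(identity, password, n0)}
    server_record = {"auth_value": h(identity, password, server_secret)}
    return card, server_record


def card_accepts(card: dict, identity: bytes, password: bytes) -> bool:
    """Local check done at login and before a password update."""
    return fuzzy_verifier(identity, password, card["n0"]) == card["verifier"]


def server_accepts(record: dict, identity: bytes, password: bytes,
                   server_secret: bytes) -> bool:
    """Server-side check against the full authentication value."""
    return h(identity, password, server_secret) == record["auth_value"]


def accepted_pairs(card: dict, id_space, pw_space):
    """All (ID, PW) pairs in the given dictionaries that the card verifier
    accepts. This is the most an extracted card reveals: a candidate set of
    roughly |id_space| * |pw_space| / n0 pairs, not the true pair."""
    return [(i, p) for i in id_space for p in pw_space
            if card_accepts(card, i, p)]


def demo(n0: int = 16):
    """Constructed dictionary of 20 identities x 50 passwords (1000 pairs)."""
    id_space = [b"user%02d" % i for i in range(20)]
    pw_space = [b"pw%03d" % i for i in range(50)]
    true_id, true_pw = b"user07", b"pw042"
    secret = b"constructed-server-secret"
    card, record = register(true_id, true_pw, n0, secret)
    candidates = accepted_pairs(card, id_space, pw_space)
    # The true pair is always in the candidate set ...
    true_in_set = (true_id, true_pw) in candidates
    # ... but every other candidate is rejected once it reaches the server.
    wrong_but_server_ok = [c for c in candidates
                           if c != (true_id, true_pw)
                           and server_accepts(record, c[0], c[1], secret)]
    return {"n_candidates": len(candidates),
            "true_in_set": true_in_set,
            "wrong_candidates_accepted_by_server": len(wrong_but_server_ok)}


if __name__ == "__main__":
    print(demo())
```

With n0 = 16 the card accepts about one sixteenth of the dictionary, which is the false acceptance rate the text refers to; the server, holding the full authentication value, still rejects every candidate other than the true pair.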

6.1.2. Replay Attack

Suppose that the adversary tries to launch replay attack in the following cases.

If the adversary intercepts from the public channel and replays the message to S, S handles the message and returns to . However, without and , is unable to generate a valid . The protocol finally aborts.

If replays message or , note that both messages are generated from the random numbers and , which are only valid for the current session. If replays , the smart card will find that the received is not equal to the computed from its secret. Similarly, if replays , S will find that . The protocol finally aborts.

6.1.3. Desynchronization Attack

A desynchronization attack means that the adversary modifies the parameters of a message or simply blocks the message, so that the legitimate user can no longer access the server.

In our scheme, all the messages are generated based on the authentication value and the random number or . The user and the server check the validity of each message they receive. If the adversary modifies the parameters of a message, the receiver will detect the message is tampered with and reject it. Besides, if blocks a message, it just leads to the single authentication failure for the current session, but it does not alter the parameters that the user and the server have. The user is able to continue to access the server.

6.1.4. User Anonymity

In our scheme, is protected by symmetric encryption under the key . The adversary cannot retrieve unless he obtains the private key of S. Furthermore, the ciphertext of changes with the random number in each session. Hence our scheme also achieves user identity untraceability.

6.1.5. User Impersonation Attack

extracts from the stolen smart card and intercepts the messages transmitted between and S over the public channel. Then tries to forge a login request to defraud S. generates a random number and computes , . To compute , is required. However, is protected by the hash function. The only way to obtain is to retrieve it from . As , , the adversary needs to obtain first. But as analyzed under “offline password guessing attack”, the adversary is unable to get even if the smart card is compromised. Consequently, the adversary cannot forge a valid login request. Our scheme is immune to user impersonation attack.

6.1.6. Server Impersonation Attack

Provided that gets and the transmitted messages between and S, tries to impersonate the server by forging a valid message , where , , , . In order to compute , the adversary has to know . As analyzed in “user impersonation attack”, the adversary is unable to obtain , even if he compromises the smart card. Without , the adversary is unable to perform server impersonation attack successfully.

6.1.7. Forward Secrecy

Assume the adversary obtains the private key of S and intercepts , , from the public channel. Then tries to compute the session key. As , and are required to compute . With the private key x, the adversary computes , , . is known. Next, to obtain , needs to derive from , . That is to say, needs to solve the elliptic curve computational Diffie–Hellman problem (CDHP). Otherwise, the adversary is unable to reveal SK. Hence, our scheme achieves forward secrecy.

6.1.8. Session Key Disclosure Attack

intercepts the transmitted messages between and S from public channel. Then attempts to compromise SK. and are required to compute SK. To get , needs to break the smart card and password of user at the same time. To get , needs to solve the elliptic curve CDHP. Both are beyond the ability of . Our scheme is secure against session key disclosure attack.

In our scheme, the session key includes a long-term authentication value and a temporary secret key generated by Diffie-Hellman key exchange. The long-term authentication value denotes the shared secret authentication information between S and . The temporary secret key ensures that our scheme is resistant to known key attack and achieves forward secrecy.
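The following Python program is an added illustration of the design argument in Sections 6.1.7 and 6.1.8; it is not the paper's own protocol, and the curve, the key-derivation formula and the message layout are assumptions. It uses a toy curve y^2 = x^3 + 497x + 1768 over GF(9739) with base point G = (1804, 5368), chosen only so that the example needs no library (it is far too small for real use), and derives SK = h(auth_value || x(ab*G)) with h = SHA-256. Only a*G and b*G cross the channel, each side validates the peer's point before using it, and the ephemeral scalars are discarded after the run, which is what makes a later leak of the server's private key insufficient to recover past session keys.

```python
"""Session key from a long-term secret plus ephemeral ECDH (added example).

Illustrates Sections 6.1.7-6.1.8, not the paper's own formulas. Assumptions:
toy curve y^2 = x^3 + 497x + 1768 over GF(9739), base point G, and
SK = SHA-256(auth_value || x-coordinate of the ECDH point).
"""
import hashlib
import secrets

P = 9739                      # field prime (toy size, illustration only)
CURVE_A, CURVE_B = 497, 1768
G = (1804, 5368)              # base point; on_curve(G) is True
INF = None                    # point at infinity


def on_curve(pt) -> bool:
    """Public-key validation: reject points that are not on the curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + CURVE_A * x + CURVE_B)) % P == 0


def add(p1, p2):
    """Affine point addition, including doubling and inverse points."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 == -p1 (also covers y == 0)
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k: int, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def derive_session_key(auth_value: bytes, dh_point) -> bytes:
    """Assumed KDF: SK = h(auth_value || x(ab*G)). The long-term value binds the
    key to the authenticated parties; the ECDH point makes it session-unique."""
    if dh_point is INF:
        raise ValueError("degenerate ECDH result; reject and rerun the session")
    x, _ = dh_point
    return hashlib.sha256(auth_value + x.to_bytes(2, "big")).digest()


def run_session(auth_value: bytes, a: int, b: int):
    """One login with user ephemeral a and server ephemeral b. Only a*G and b*G
    cross the channel; a and b are used once and then discarded."""
    user_point = mul(a, G)            # sent user -> server
    server_point = mul(b, G)          # sent server -> user
    if not (on_curve(user_point) and on_curve(server_point)):
        raise ValueError("received point is not on the curve")
    sk_user = derive_session_key(auth_value, mul(a, server_point))
    sk_server = derive_session_key(auth_value, mul(b, user_point))
    transcript = {"user_point": user_point, "server_point": server_point}
    return transcript, sk_user, sk_server


def run_random_session(auth_value: bytes):
    """Same as run_session with fresh random ephemerals, retrying on a
    degenerate (infinity) result, as a real implementation should."""
    while True:
        a = secrets.randbelow(P - 1) + 1
        b = secrets.randbelow(P - 1) + 1
        try:
            return run_session(auth_value, a, b)
        except ValueError:
            continue


if __name__ == "__main__":
    transcript, sk_u, sk_s = run_random_session(b"constructed-auth-value")
    print("transcript:", transcript)
    print("keys match:", sk_u == sk_s)
```

The transcript contains only the two public points; a party that later learns the server's long-term private key and the authentication value still lacks ab*G, which is exactly the CDHP instance the text refers to. On a real curve the ephemeral scalars must be drawn from a cryptographically secure generator and erased after use, and both peers must validate the received point, as done above.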

6.2. Formal Analysis

We use BAN logic [38] to prove our scheme achieves mutual authentication and session key establishment. Table 2 gives the symbols and rules used in BAN logic.


Table 2: Symbols and rules of BAN logic (symbols lost in extraction are omitted).

P: A principal
X: A statement
P believes X is true
P sees X: P receives a message that includes X
P said X: P once sent a message containing X
P has jurisdiction over X
X is fresh
P and Q have a shared key K
X is combined with a secret K
Message meaning rule
Nonce-verification rule
Jurisdiction rule

The goals that our scheme should achieve are as follows.

Goal 1:

Goal 2:

Goal 3:

Goal 4: