Efficient Hierarchical Authentication Protocol for Multiserver Architecture

Kou, Jiangheng; He, Mingxing; Xiong, Ling; Lv, Zeqiong

doi:https://doi.org/10.1155/2020/2523834

Security and Communication Networks

On this page

Abstract Introduction Related Work Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2020 | Article ID 2523834 | https://doi.org/10.1155/2020/2523834

Efficient Hierarchical Authentication Protocol for Multiserver Architecture

Jiangheng Kou,¹Mingxing He,¹Ling Xiong,¹and Zeqiong Lv¹

Academic Editor: José María de Fuentes

Received23 Aug 2019

Revised14 Nov 2019

Accepted22 Jan 2020

Published24 Mar 2020

Abstract

The multiserver architecture authentication (MSAA) protocol plays a significant role in achieving secure communications between devices. In recent years, researchers proposed many new MSAA protocols to gain more functionality and security. However, in the existing studies, registered users can access to all registered service providers in the system without any limitation. To ensure that the system can restrict users that are at different levels and can access to different levels of service providers, we propose a new lightweight hierarchical authentication protocol for multiserver architecture using a Merkle tree to verify user’s authentication right. The proposed protocol has hierarchical authentication functionality, high security, and reasonable computation and communication costs. Moreover, the security analysis demonstrates that the proposed protocol satisfies the security requirements in practical applications, and the proposed protocol is provably secure in the general security model.

1. Introduction

Rapid advances in wireless communication technologies bring convenience to our lives. With an increasing number of users and services, the single-server architecture authentication protocols can no longer meet people’s various requirements [1]. Multiserver architecture authentication (MSAA) protocols have emerged and been widely used in the Internet of things, wireless sensor networks, smart grid, cloud computing, and mobile payment. Because MSAA protocols have better properties than single-server architecture authentication protocols [2, 3], it becomes a hot spot in current research.

However, due to the openness of the multiserver environment, an adversary can easily control communication channels and carries out many types of attacks such as intercept, modify, replay, and delay messages between multiple parties. For defending these attacks, researchers proposed many authentication protocols for the multiserver architecture that are using cryptographic methods to secure communication between different parties. New protocols also have lower computation and communication costs than the previous protocols. Currently, MSAA protocols can be divided into two types by whether it involves the registration center at the authentication phase. The first type is MSAA protocols with the involving at the authentication phase (MSAA1) [1, 2, 4–11], and the second type is MSAA protocols without involving at the authentication phase (MSAA2) [12–23]. In MSAA1 protocols, verifies every mutual authentication process, which makes it a bottleneck in MSAA1 protocols. The communication cost in MSAA1 protocols is significantly increased compared to MSAA2 protocols. To address these drawbacks, researchers proposed many MSAA2 protocols which have more efficiency and security than the existing MSAA1 protocols [14].

Currently, hierarchical authentication functionality is missing in the existing MSAA2 protocols. When a user registered at , he/she can authenticate with all registered service providers [24] and access to their services. However, there are many different users and service providers in this system, and the user’s level is different from each other, and low-level users should not successfully authenticate with high-level service providers and access to their services. Besides, there should be some high-level service providers only providing service for some particular users such as VIP users. In general, the MSAA protocols with the hierarchical authentication functionality will have flexibility in managing user authentication rights and access capabilities. The hierarchical authentication functionality has been achieved in the MSAA1 protocol [2, 4]. In the MSAA1 protocol, an is required at the authentication phase. Therefore, can verify the user’s authentication rights to determine whether he/she can access to service providers that are at a particular level. However, MSAA1 protocols have several drawbacks such as unreasonable communication cost that we showed earlier, making the whole system inefficient. Suppose we apply the existing MSAA2 protocols to the above environment; there should be multiple s to manage users and service providers at different levels. Users and service providers need to store various certificates from different s. The missing of hierarchical authentication functionality in the existing MSAA2 protocols motivates us to design a new lightweight hierarchical authentication protocol for multiserver architecture.

The proposed protocol uses a self-constructed Merkle tree to achieve hierarchical authentication functionality. In the proposed protocol, a session key is established between service providers and users without involving ; this significantly reduces communication cost and makes the authentication process faster. The proposed protocol can meet the security requirements of the multiserver architecture and is provably secure in general security model.

The remainder of this paper is organized as follows. Section 2 discusses the related work. Section 3 describes preliminaries. In Section 4, we show the details of the proposed protocol. Section 5 gives out the formal security proof of the proposed protocol. Section 6 presents a comparison of the proposed protocol with other related protocols on security, computation, and communication costs. Section 7 concludes the paper.

Li et al. [1] proposed a new multiserver architecture authentication (MSAA) protocol for cloud computing based on the identity-based model. Shao and Chin [4] proposed an authentication protocol for multiserver architecture but failed to resist the server spoofing and the impersonation attacks. He and Wang [5] constructed the first genuinely three-factor authentication protocol for the multiserver architecture, but their protocol is vulnerable to the known session-specific temporary information attack and impersonation attack. Odelu et al. [6] proposed an improved protocol to solve the security drawbacks in [5]. Xie et al. [7] proposed a two-factor authentication protocol. However, Xie’s protocol cannot resist the lost smart card attack and the offline dictionary guessing attack. To address the drawbacks, Chandrakar and Om [8] proposed a new security-enhanced three-factor protocol. Feng et al. [9] proposed an enhanced biometrics-based authentication protocol that can provide user anonymity. Amin et al. [10] proposed a lightweight authentication protocol that has lower computational and communication costs. Cui et al. [11] proposed an efficient protocol that only uses nonce, exclusive-OR operation, and one-way hash function; their protocol greatly reduces the computation cost. However, in this kind of protocol, they all need the help of an online registration center to achieve mutual authentication, which increases the communication cost.

In order to solve the drawbacks in the first type protocol, Choi et al. [12] proposed the first MSAA protocol without the online registration center. Tseng et al. [13] proposed a list-free ID-based authentication protocol using bilinear pairings for the multiserver architecture. However, Tseng et al. [13] cannot provide credentials privacy and untraceability for users. Recently, Odelu et al. [14] and He et al. [15] proposed new protocols that reduce the computation and communication costs. Irshad et al. [16] found protocol in [17] cannot achieve desired security goals. Therefore, they proposed an improved multiserver authentication protocol for distributed mobile cloud computing services. Afterward, Xiong et al. [18] found protocol in [16] has unreasonable computation cost, so they proposed an enhanced protocol for distributed mobile cloud. At the same time, Xiong et al. [19] proposed a new lightweight anonymous authentication protocol to reduce computation and communication costs. Barman et al. [25] used fuzzy commitment approach to secure the information stored on personal device. Kumari et al. [20] proposed a concept of the fuzzy extractor to provide the proper matching of biometric patterns. Xu et al. [21] proposed a new protocol that provides untraceability. Jiang et al. [22] performed a security analysis to the protocol in [17], pointing out that it is vulnerable to the impersonation attack. Chatterjee et al. [23] proposed a biometric-based protocol using the chaotic map and enhanced the security for multiserver architecture. We summarize techniques, advantages, and disadvantages that the existing protocols used in Table 1.

3. Preliminaries

In this section, we introduce preliminaries of the proposed protocol.

Let and be an additive cyclic group and a multiplicative cyclic group, both of them have a large prime order q. Let denote a bilinear map. Suppose P is a generator of , is a generator of . A bilinear map has the following properties:(i)Bilinearity: for all and for all , (ii)Computability: there exists an algorithm that can successfully compute for all (iii)Nondegeneracy: there exists such that , where 1 is the identity element of

We list the hard problems that we used in the proposed protocol as follows:(i)Discrete logarithm (DL) problem: given an element , it is hard to compute such that (ii)Computational Diffie–Hellman (CDH) problem: given two elements , it is hard to compute , where a and b are unknown and randomly chosen from (iii)Modified Bilinear Inverse Diffie–Hellman with k value (k-mBIDH) problem [12]: given k elements and elements each of them is in , it is hard to compute , where and τ and η are two unknown elements in

A security system parameter generator used in the proposed protocol is introduced below.

: the system parameter generator takes a security parameter n and outputs system parameters, a bilinear map, an elliptic curve, a multiplicative group, etc. Intuitively, the system parameters will be publicly known.

The notations used in the proposed protocol are listed in Table 2.

4. The Proposed Protocol

4.1. RC Initialization Phase

Registration center runs the generation function which takes a security parameter and outputs parameters as follows:(1) chooses two bilinear map groups and with a prime order q, the generator and , where is a bilinear map.(2) chooses cryptographic hash functions , , , .(3) chooses a random number as the master key, computes the corresponding public key , and constructs an authentication right tree as Figure 1. The detail of the tree will be described in Section 4.5. Finally, publishes .

4.2. User Registration Phase

If a user wants to register with the registration center , the following steps will be executed. The main steps are provided in Table 3.(1) sends his/her identity to via a secure channel.(2) selects an authentication parameter and computes the ’s private key , where e is the expire date of the private key and is an authentication right tree. chooses a parameter and sends to via a secure channel.(3) computes using the fuzzy-extractor generation procedure [26], where is a biometric key, is a public reproduction parameter, and is his/her personal biometrics. computes and uses the widely implemented fuzzy-verifier technique [27, 28] to compute , where pw is his/her password and is the integer that defines in [27]. Finally, stores on its mobile device, where t is the threshold in fuzzy extractor, is the probabilistic generation procedure for outputting , and , is the deterministic reproduction procedure that can recover and from a new personal biometrics input.

4.3. Service Provider Registration Phase

If a service provider wants to register with the , the following steps will be executed. The main steps are provided in Table 4.(1) sends his/her identity to via a secure channel.(2) computes the private key for and sends to him via a secure channel, where is an authentication right tree for service provider. We will describe the detail of in Section 4.5.(3)Finally, saves .

4.4. User and Service Provider Authentication Phase

In this part, we show the mutual authentication phase between a user and a service provider without involving . The main steps are provided in Table 5.(1)First, inputs his/her biometrics , identity and password into his/her mobile device. Mobile device computes and and verifies the validity of inputted biometrics and password by computing . If it holds, mobile device retrieves ’s private key by computing and temporarily saves . Then, selects a temporary session secret , calculates , and computes , by using the identity of . Next, computes, , and . Finally, sends the login message to .(2)After receiving , checks whether is in ; if is not in , retrieves using his/her private key as . retrieves by computing . computes , where , and verifies . If both are equal, is allowed to authenticate with . Then, selects a temporary session secret , then he/she calculates and computes , and session key is set as . Finally calculates and sends the message to .(3)Upon receiving , computes and and checks whether and are equal. If both are not equal, aborts the session. Otherwise, confirms as a valid service provider and sets as session key between and .

4.5. Tree Construction and Verification

The proposed protocol uses an authentication right tree to store user’s and service provider’s hierarchical authentication information. is a Merkle hash tree that was introduced by Merkle [29] in 1998. Merkle hash tree is a digital signature scheme that only uses a conventional encryption function to compute the digital signature, making it extremely efficient. In 2009, Satoshi proposed a peer-to-peer electronic cash system, as known as bitcoin [30]. Bitcoin system stores transactions in Merkle hash tree, which saves disk space, and this method can be used to verify transactions in each block. Therefore, we use a Merkle hash tree to construct our authentication right tree. In this part, we will show how we construct an authentication tree and how to verify a user’s authentication right based on the rules of Merkle hash tree.

4.5.1. Tree Construction

First, we introduce the construction of the authentication right tree as Figure 1. An authentication tree contains the information of n different levels. The first level is the lowest level in the system, and the level is the highest level in the system. Node denotes a user that has the authentication right which is from the first level to level. Value stored in node is computed from the hash values of its left child node and right child node as . The calculation of node as is different from other nodes. If a user is at the first level, is embed in his/her private key, and he/she can only access to first level service providers in this system. If user is at level, is embed in his/her private key, and he/she can access to service providers which are from first to levels. The right child node is an intermediate variable, which prepares for calculating . Value stored in node is computed from the hash values of its left leaf node and right leaf node as . Leaf node and are two 160-bit random strings that are stored on user and service provider separately. If a user is at level, number i is stored in the last bits, and the first bits should be a random string.

4.5.2. Tree Stored on Service Provider

The authentication right tree stored on the service provider has a little different from . Service provider uses to verify user’s authentication right. The scale of stored on each service provider is based on the level of service provider. As we mentioned above, level is the highest level in the system. If service provider is at level, he/she only provides service for level user, so he/she only needs to save the authentication right tree as Figure 2. If service provider is at the level, he/she can provide service for user that is from to level. Therefore, he/she needs to save to and to as Figure 3, where the symbol “?” denotes the node that service provider does not have.

4.5.3. Authentication Right Verification

When an level user wants to access a level service provider, where , user sends to service provider, and when service provider received authentication parameter , he/she checks the last bits of to get user’s level and finds . Service provider computes the value of as and the value of as . Then service provider verifies user’s authentication right by calculating . If the equation holds, service provider continues. Otherwise, he/she aborts the session. For instance, if a level user wants to access to a level service provider, user sends to service provider, and when service provider received authentication parameter , he/she checks the last bits of to get user’s level and finds . Service provider computes and . Service provider verifies user’s authentication right by calculating . If the equation holds, service provider continues. Otherwise, he/she aborts the authentication.

4.6. The User Revocation and Reregistration Phase

Revocation and reregistration has been used in many protocols [31, 32]. In this part, we describe user revocation and reregistration. When a user lost his/her smart card, he/she needs to reregister. submits his/her personal information to , and then, verifies ’s personal information and checks the expire date of the private key . If has already expired, issues a new private key with a new expire date. If has not expired, issues a new ID and a new private key with the same expire date as the lost smart card. adds the lost to its ID revocation list and board casts to all service providers. After received , service providers save it into their local storage.

5. Security Proof

In this section, we analyze the security of our protocol. First, we present a security model for our protocol, which is based on Bellare–Rogaway (BR) model [33] and CK-adversary model [34], and we use Zipf’s law [35] to enhance the security of the base model. Second, we show that the security of the proposed protocol is based on the hardness of mathematical problems. Third, we show that our protocol satisfies security requirements.

5.1. Security Model

We propose a security model for the proposed protocol based on literature studies [5, 15, 27, 33, 36]. There are and at the authentication phase of the proposed protocol. The security of the proposed protocol is defined by a game played between an adversary and a challenger . Let denote the l_th instance of the participant of , respectively. In this game, we describe the capabilities of that is defined in the literature [27] as follows:(i) can enumerate offline all the items in the Cartesian product within polynomial time, where and denote the password space and the identity space, respectively(ii) has the capability of somehow learning the victim’s identity when evaluating security strength (but not privacy provisions) of the protocol(iii) is in full control of the communication channel between the protocol participants(iv) may either (i) learn the password of a legitimate user via malicious card reader or (ii) extract the sensitive parameters in the card memory by side-channel attacks, but cannot achieve both(v) can learn previous session keys(vi) has the capability of learning server’s longtime private keys only when evaluating the resistance to eventual failure of the server (e.g., forward secrecy)

can issue queries to and get answers from it as follows:(i): at any time, issues query where can be any string, and picks a random number and stores into list , where and . Finally, sends to .(ii)ExtractUID (): issues queries of user identity , and generates users private key and stores into list .(iii)ExtractSID : issues queries of service provider’s identity , and generates service provider’s private key and stores into list .(iv)Send : issues query of the message m, and runs the protocol and returns the result to .(v)SKReveal : issues query, and returns the session key produced in to .(vi)CorruptUID : issues the query of user’s identity , and returns user’s private key to .(vii)CorruptSID : issues the query of service provider’s identity , and returns service provider’s private key to .(viii)Test : when issues the query, flips a random coin . If , sends session key in to ; otherwise, , and picks a random number with the same length of session key and sends it to .

After issuing the queries above, outputs , where is about the coin b produced in Test -query. violates the authentication key agreement (AKA) of the proposed protocol , if can guess b correctly. We define ’s advantage in attacking the proposed protocol as .

Definition 1. (AKA-Secure). The proposed protocol is authentication key agreement secure (AKA-Secure) if is negligible for any polynomial-time adversary .
violates the mutual authentication of the proposed protocol , if can generate a legal login message or a legal response message. Let and denote the events that generates a legal login message and a legal response message. We define the advantage of attacking the mutual authentication of the proposed protocol as .

Definition 2. (MA-Secure). The proposed protocol is mutual authentication secure (MA-Secure) if is negligible for any polynomial-time adversary .

5.2. Proof of Security

In this part, we show the proposed protocol for multiserver architecture is AKA-secure and MA-secure in the security model we described above.

Lemma 1. No polynomial-time adversary can forge a legal login message with a nonnegligible probability ϵ.

Proof. Suppose the adversary forges a legal login message with a nonnegligible probability ϵ. We show there is a challenger who can solve the discrete logarithm (DL) problem with a nonnegligible probability.
Given an instance of the DL problem, the aim of challenger is to compute , and sends the system parameters to . randomly selects and answers ’s queries according to the following description:(i): maintains a list initialized empty. Upon receiving the query , checks if exists in . If yes, sends to ; otherwise, randomly picks and stores in then sends to , where .(ii)ExtractUID : maintains a list initialized empty. When receiving the query , checks if exists in then send to ; otherwise, executes the operations as follows:(1)If , sets and stores into , into (2)Otherwise if , randomly selects , sets , and stores in , in (iii)ExtractSID : maintains a list initialized empty. When receiving the query , checks if exists in . If yes, send to ; otherwise, randomly picks and computes . stores into , into and sends to .(iv)Send : checks if and are equal; if yes, aborts the game; otherwise, operates according to protocol .(v)SKReveal : after received the query, sends session key produced in to .(vi)CorruptUID : searches for in and returns to .(vii)CorruptSID : searches for in and returns to .(viii)Test : randomly picks a number with the same length of session key and sends it to .At last, outputs a legal login message corresponding to user’s identity . If , aborts the game. Based on the forking lemma [37], can output another legal login message . Because the login messages is legal, we get the following two equations, is computed by rising to the power of a random number chose by :Based on the two equations above, we get the following equations: outputs as the solution to the given DL problem. The probability that can solve the DL problem is described as follows:(i): dose not abort in the any Send-queries(ii): outputs a legal login request(iii): and are equalLet l denote the number of bits in biometric data, and denote the number of Send-queries and -queries executed in the game, and are the Zipf’s parameters [35], and l is the length of biometric information. We can get , , and .
Therefore, the nonnegligible probability that can solve the DL problem is given byThis contradicts with the hardness of the DL problem. Therefore, we get that no polynomial-time adversary against the proposed MSAA protocol can forge a legal login message with a nonnegligible probability.

Lemma 2. No polynomial-time adversary can forge a legal response message with a nonnegligible probability.

Proof. Suppose the adversary forges a legal response message with a nonnegligible probability . We show there is a challenger who can solve the k-mBIDH problem with a nonnegligible probability.
Given an instance of the k-mBIDH problem, the aim of challenger is to compute ; he picks a random number and computes , and sends the system parameters to . randomly selects and answers ’s queries according to the following description:(i): maintains a list initialized empty. Upon receiving the query , checks if exists in . If yes, sends to ; otherwise, randomly picks and stores in then sends to , where .(ii)ExtractUID : maintains a list initialized empty. When receiving the query , checks if exists in and then sends to ; otherwise, randomly picks and computes . stores in , in and sends to .(iii)ExtractSID : maintains a list initialized empty. When receiving the query , checks if exists in and then sends to ; otherwise, executes the operations as follows:(1)If , sets and stores into , into (2)Otherwise if , randomly selects , sets , and stores in , in (iv)Send : checks if and are equal; if yes, aborts the game; otherwise, operates according to the proposed protocol .Finally, outputs a response message corresponding to identity . outputs as the solution of k-mBIDH problem. The probability that can solve the k-mBIDH problem is described as follows:(i): dose not abort in any Send-queries(ii): C outputs a legal response message(iii): and are equalLet , and denote the number of Response-query, -query, and -query in the game. We can get , , and . Therefore, the nonnegligible probability that can solve the k-mBIDH problem is given byThis contradicts with the hardness of the k-mBIDH problem. Therefore, we get that no polynomial-time adversary against the proposed MSAA protocol can forge a legal response message with a nonnegligible probability.

Theorem 1. The proposed protocol is MA-secure if the DL problem and the k-mBIDH problem are hard.

Proof. Based on Lemmas 1 and 2, we get no polynomial-time adversary can forge a legal login message or a legal response message if the DL problem and the k-mBIDH problem are hard. Therefore, we get the proposed protocol is MA-secure.

Theorem 2. The proposed protocol is AKA-secure if the CDH problem is hard.

Proof. Suppose guesses b correctly in -query with a nonnegligible probability ϵ, then can solve the CDH problem with a nonnegligible probability.
Let denote the event that gets the correct session key. Since the probability that correctly guesses the value b is at least , we can get .
Let and denote the events that uses in the Test-query to a user’s instance and a service provider’s instance, respectively. Let denote the event that can violate the user to service provider authentication. We get the following two equations:Since , we getWe get the probability as follows:According to the proof of Lemma 1, we get is negligible. However, is nonnegligible, suppose that where . Given an instance of the CDH problem, computes with a nonnegligible probability . Therefore, can use to solve the CDH problem with a nonnegligible probability. This contradicts with the hardness of the CDH problem. Therefore, we can conclude that the proposed protocol is AKA-secure if the CDH problem is hard.

5.3. Security Requirements Analysis

We briefly show the proposed protocol satisfies the security requirements as follows:(i)Single registration: according to the specification of the proposed protocol, a user registers at the registration center once, and he/she can log into registered service providers, which is at a specific level. Therefore, the proposed protocol can provide single registration.(ii)Mutual authentication: two lemmas described above show that the adversary against the proposed protocol cannot produce a valid login or response message. Then, and can authenticate with the participant by checking the legality of the received response message and login message, respectively. Therefore, the proposed protocol can support mutual authentication.(iii)User anonymity: according to the proposed protocol, the user’s identity is only in the message . To get , adversary needs to compute from , and it turns out the adversary need to solve the k-mBIDH problem. Then, we know that the proposed protocol can provide user anonymity as long as k-mBIDH problem is hard.(iv)Untraceability: according to the proposed protocol, user generates a new random number to compute . Due to the randomness of , adversary cannot find any relation of messages sent by the user and cannot trace the user’s behavior. Therefore, the proposed protocol can provide untraceability.(v)Session key agreement: according to the proposed protocol, both two participants calculate session key , which can be used in future communications. Therefore, the proposed protocol can provide session key agreement.(vi)Perfect forward secrecy: assume the adversary steals both private keys of the user and the service provider. We also assume that the adversary intercepts sent between the user and the service provider. Using the service provider’s private key, the adversary can compute . To get session key , the adversary must to compute where . Thus, adversary must solve the CDH problem. Then, the proposed protocol can provide the perfect forward secrecy, since the CDH problem is hard.(vii)No smart card lose attack [20]: assume the adversary steals the user’s device. By using the side-channel attack, the adversary can extract the data . The adversary can guess password , but he/she cannot verify its correctness because we have implemented the fuzzy-verifier technique [27, 28]. The adversary cannot get the user’s password, so he cannot get the user’s private key . Therefore, adversaries cannot impersonate the user to the service provider, and the proposed protocol can resist smart card lose attack.(viii)No password verifier table: according to the proposed protocol, both two participants need to store their private keys, and the registration center needs no password verifier table. Thus, the proposed protocol provides no password verifier table.(ix)No online registration center: according to the proposed protocol, two participants can authenticate with each other without the help of the registration center. Thus, the proposed protocol does not need an online registration center.(x)Hierarchical authentication: this security requirement only satisfied by the proposed protocol. The hierarchical information is embedded in the user’s private key, when authentication is with a service provider, service provider will check the user’s authentication right by computing whether the equation holds.(xi)The resistance of various attacks: the proposed protocol can resist the insider attack, the replay attack, the man-in-the-middle attack, etc. We briefly describe it as follows:(1)Temporary information attack: if the adversary gets the temporary information , he/she has no ability to derive the user’s secret key from because the exponential of is composed of two values: one is session temporary secret and other is the private key of the user . Therefore, the proposed protocol is secure against temporary information attack.(2)Insider attack: suppose an insider in the system gets the user’s information . The adversary can guess a password . However, he/she cannot verify its correctness because user’s password is protected by the secure hash function and the biometric key . Thus, the insider cannot get user’s password, and the proposed protocol withstands the insider attack.(3)User impersonation attack [38, 39]: according to the proof of Lemma 1, we conclude that no adversary can forge a legal login message without the user’s private key. Thus, the service provider can find out about the attack by verifying the validity of the received login message. Therefore, the proposed protocol can resist the user impersonation attack.(4)Server spoofing attack: according to the proof of Lemma 2, we know that no adversary can generate a legal response message without the service provider’s private key. Therefore, users can find out about the attack by verifying the validity of the received response message. Therefore, the proposed protocol can resist the server spoofing attack.(5)Modification attack: according to the proof of Lemma 1, we know that is a digital signature of the login message and no polynomial-time adversary can forge a legal one. The service provider can find any modification by checking if the equation and holds. Besides is the message authentication code of the response message under the key . The user can find out about any modification of the response message because the hash function is secure. Therefore, the proposed protocol can resist the modification attack.(6)Replay attack: according to the proposed protocol, both two participants generate new random number and , which are involved in the login message and the response message. Due to the freshness of , the user and the service provider can find the replay of messages by checking the validity of the received message. Therefore, the proposed protocol resists the replay attack.(7)Man-in-the-middle attack: based on the above description, we conclude that the proposed protocol provides mutual authentication between two participants. Therefore, the proposed protocol can resist the man-in-the-middle attack.

5.4. Security Comparison

In this part, we compare the security of the proposed protocol with other multiserver architecture protocols in Table6. We introduce a new independent criterion, which is based on a widely adopted standard [40, 41] as follows: C1 (no password verifier table): the server does not need to maintain a database for storing user passwords or some derived values of user passwords. C2 (password friendly): the password is memorable and can be chosen freely and changed locally by the user. C3 (no password exposure): the password cannot be derived by the privileged administrator of the server. C4 (no smart card loss attack): the scheme is free from smart card loss attack, i.e., unauthorized users getting a victim’s card should not be able to easily change the password of the smart card, recover the victim’s password by using online, offline or hybrid guessing attacks, or impersonate the user to login to the system, even if the smart card is obtained and/or secret data in the smart card are revealed. C5 (resistance to known attacks): the scheme resists various kinds of basic/sophisticated attacks, including offline password guessing attack, replay attack, parallel session attack, desynchronization attack, stolen verifier attack, impersonation attack, key control, unknown key share attack, and known key attack. C6 (sound repairability): the scheme provides smart card revocation with good repairability, i.e., a user can revoke her card without changing her identity. C7 (provision of key agreement): the client and the server can establish a common session key for secure data communications during the authentication process. C8 (no clock synchronization): the scheme is not prone to the problems of clock synchronization and time delay, i.e., the server needs not to synchronize its time clock with these time clocks of all input devices used by smart cards, and vice versa. C9 (timely typo detection): the user will be timely notified if she inputs a wrong password by mistake when login. C10 (mutual authentication): the user and server can verify the authenticity of each other. C11 (user anonymity): the scheme can protect user identity and prevent user activities from being traced. C12 (forward secrecy): the scheme provides the property of perfect forward secrecy. C13 (hierarchical authentication): when a server authenticates with a user, it checks the user’s authentication right. If the user authentication right belongs to the server authentication level, the authentication is successful. Otherwise, the authentication request is denied.

6. Performance Comparison

We show the computation and communication costs of the proposed protocol. We compare its performance with other protocol. For the purpose of getting a trusted security level (1024-bit RSA algorithm), an Ate pairing: is used. with order q is generated by a point on a supersingular elliptic curve which is defined on the finite field . Order q is a 160-bit prime number and p is a 512-bit prime number.

6.1. Computation Cost Comparison

We give the running time of various operations performed in the proposed protocol, and we compare the results with He et al. [15] and Odelu et al. [14]. In this section, we use the following notations for the following running times in this paper:(i): the running time of a bilinear pairing operation(ii): the running time of a scalar multiplication operation in (iii): the running time of a map-to-point hash function in (iv): the running time of a point addition operation in (v): the running time of an exponentiation operation in (vi): the running time of a multiplication operation in (vii): the running time of a general hash operation

The above operations are implemented with MIRACLE [42] library on a rooted android mobile phone (A5000 with Qualcomm 801 processor, 2-gigabyte memory, Google Android 4.4.2 operating system) and a personal computer (Lenovo with an i7-6700HQ 2.6 GHz, 16-gigabyte memory, Windows 7® operating system). The running time of those operations is listed in Table 7.

We compare the computation costs of the proposed protocol with He et al. [15] and Odelu et al. [14] based on the running time of the user and the service providerand the result is shown in Table 6.

6.2. Communication Cost Comparison

According to the description of the trusted security level, q is a 160-bit prime number and p is a 512-bit prime number. The size of an element in is 1024 bits. The size of the hash function’s output is 160 bits, and the identity and the expire parameter are both 32 bits. In our protocol, we only have two rounds of communication for establishing a session key. On client side, the messages require 320 + 320+256 = 896 bits, and on service provider side, messages require 160 + 512 = 672 bits. The total communication costs are 1568 bits. In He et al.’s [15] protocol, on client side, messages require 1024 + 32+1024 + 160 = 2240 bits, and on server side, messages require 1024 + 160 = 1184 bits. In Odelu et al.’s [14] protocol, on client side, messages require 320 + 512 = 832 bits, and on server side, message require 672 bits. The comparison of communication costs is shown in Table 6.

6.3. Storage Cost Analysis

Because the mobile devices are limited to storage spaces, we therefore analyze the storage cost on the user side to show the proposed protocol has reasonable storage cost. In Odelu et al.’s protocol, a user needs to store in his/her device, which costs 1674 bits. In He et al.’s protocol, user needs to store , which costs 3230 bits. In our protocol, user needs to store , which costs 1834 bits.

7. Conclusion

In this paper, we have proposed a hierarchical authentication protocol for the multiserver environment. The significant contribution of this paper is that we have built an authentication right tree based on the Merkle hash tree, which can be used to verify the authentication right of a user when he/she is authenticating with the service provider. The extended hierarchical authentication feature has added more flexibility and security to multiserver architecture. The security proof has demonstrated that our protocol is provably secure under the random oracle model. Our protocol has reasonable computation and communication costs, which could be suitable for multiserver architecture.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this article.

Acknowledgments

This work was funded by the Chengdu Science and Technology Bureau (no. 2016-XT00-00015-GX) and the Civil Aviation Administration of China (no. PSDSA201802).

References

H. Li, Y. Dai, L. Tian, and H. Yang, “Identity-based authentication for cloud computing,” in Cloud Computing, M. G. Jaatun, G. Zhao, and C. Rong, Eds., pp. 157–166, Springer, Berlin, Germany, 2009.
View at: Publisher Site | Google Scholar
H. Ning, H. Liu, and L. T. Yang, “Aggregated-proof based hierarchical authentication scheme for the internet of things,” IEEE Transactions on Parallel and Distributed Systems, vol. 26, no. 3, pp. 657–667, 2015.
View at: Publisher Site | Google Scholar
H. Tohidi and V. T. Vakili, “Lightweight authentication scheme for smart grid using merkle hash tree and lossless compression hybrid method,” IET Communications, vol. 12, no. 19, pp. 2478–2484, 2018.
View at: Publisher Site | Google Scholar
M.-H. Shao and Y.-C. Chin, “A privacy-preserving dynamic id-based remote user authentication scheme with access control for multi-server environment,” IEICE Transactions on Information and Systems, vol. E95-D, no. 1, pp. 161–168, 2012.
View at: Publisher Site | Google Scholar
D. He and D. Wang, “Robust biometrics-based authentication scheme for multiserver environment,” IEEE Systems Journal, vol. 9, no. 3, pp. 816–823, SEP 2015.
View at: Publisher Site | Google Scholar
V. Odelu, A. K. Das, and A. Goswami, “A secure biometrics-based multi-server authentication protocol using smart cards,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1953–1966, 2015.
View at: Publisher Site | Google Scholar
Q. Xie, D. S. Wong, G. Wang, X. Tan, K. Chen, and L. Fang, “Provably secure dynamic id-based anonymous two-factor authenticated key exchange protocol with extended security model,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 6, pp. 1382–1392, 2017.
View at: Publisher Site | Google Scholar
P. Chandrakar and H. Om, “A secure and robust anonymous three-factor remote user authentication scheme for multi-server environment using ecc,” Computer Communications, vol. 110, pp. 26–34, 2017.
View at: Publisher Site | Google Scholar
Q. Feng, D. He, S. Zeadally, and H. Wang, “Anonymous biometrics-based authentication scheme with key distribution for mobile multi-server environment,” Future Generation Computer Systems, vol. 84, pp. 239–251, 2018.
View at: Publisher Site | Google Scholar
R. Amin, N. Kumar, G. P. Biswas, R. Iqbal, and V. Chang, “A light weight authentication protocol for iot-enabled devices in distributed cloud computing environment,” Future Generation Computer Systems, vol. 78, pp. 1005–1019, 2018.
View at: Publisher Site | Google Scholar
J. Cui, X. Zhang, N. Cao, D. Zhang, J. Ding, and G. Li, “An improved authentication protocol-based dynamic identity for multi-server environments,” International Journal of Distributed Sensor Networks, vol. 14, no. 5, 2018.
View at: Publisher Site | Google Scholar
K. Choi, J. Hwang, D. Lee, and I. Seo, “ID-based authenticated key agreement for low-power mobile devices,” in Proceedings of the 10th Australasian Conference on Information Security and Privacy, C. Boyd and J. M. Gonzalez Nieto, Eds., vol. 3574, pp. 494–505, Brisbane, Australia, July 2005.
View at: Publisher Site | Google Scholar
Y.-M. Tseng, S.-S. Huang, T.-T. Tsai, and J.-H. Ke, “List-free ID-based mutual authentication and key agreement protocol for multiserver architectures,” IEEE Transactions on Emerging Topics in Computing, vol. 4, no. 1, pp. 102–112, 2016.
View at: Publisher Site | Google Scholar
V. Odelu, A. K. Das, S. Kumari, X. Huang, and M. Wazid, “Provably secure authenticated key agreement scheme for distributed mobile cloud computing services,” Future Generation Computer Systems, vol. 68, pp. 74–88, 2017.
View at: Publisher Site | Google Scholar
D. He, S. Zeadally, N. Kumar, and W. Wu, “Efficient and anonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architectures,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 9, pp. 2052–2064, 2016.
View at: Publisher Site | Google Scholar
A. Irshad, M. Sher, H. F. Ahmad, B. A. Alzahrani, S. A. Chaudhry, and R. Kumar, “An improved multi-server authentication scheme for distributed mobile cloud computing services,” KSII Transactions on Internet and Information Systems, vol. 10, pp. 5529–5552, 2016.
View at: Google Scholar
J.-L. Tsai and N.-W. Lo, “A privacy-aware authentication scheme for distributed mobile cloud computing services,” IEEE Systems Journal, vol. 9, no. 3, pp. 805–815, 2015.
View at: Publisher Site | Google Scholar
L. Xiong, D. Peng, T. Peng, and H. Liang, “An enhanced privacy-aware authentication scheme for distributed mobile cloud computing services,” KsII Transactions on Internet and Information Systems, vol. 11, no. 12, pp. 6169–6187, 2017.
View at: Publisher Site | Google Scholar
L. Xiong, D. Y. Peng, T. Peng, H. B. Liang, and Z. C. Liu, “A lightweight anonymous authentication protocol with perfect forward secrecy for wireless sensor networks,” Sensors, vol. 17, no. 11, p. 2681, 2017.
View at: Publisher Site | Google Scholar
S. Kumari, A. K. Das, X. Li et al., “A provably secure biometrics-based authenticated key agreement scheme for multi-server environments,” Multimedia Tools and Applications, vol. 77, no. 2, pp. 2359–2389, 2018.
View at: Publisher Site | Google Scholar
G. Xu, S. Qiu, H. Ahmad et al., “A multi-server two-factor authentication scheme with un-traceability using elliptic curve cryptography,” Sensors, vol. 18, no. 7, p. 2394, 2018.
View at: Publisher Site | Google Scholar
Q. Jiang, J. Ma, and F. Wei, “On the security of a privacy-aware authentication scheme for distributed mobile cloud computing services,” IEEE Systems Journal, vol. 12, no. 2, pp. 2039–2042, 2018.
View at: Publisher Site | Google Scholar
S. Chatterjee, S. Roy, A. K. Das, S. Chattopadhyay, N. Kumar, and A. V. Vasilakos, “Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 5, pp. 824–839, 2018.
View at: Publisher Site | Google Scholar
W.-S. Juang, “Efficient multi-server password authenticated key agreement using smart cards,” IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 251–255, 2004.
View at: Publisher Site | Google Scholar
S. Barman, A. K. Das, D. Samanta, S. Chattopadhyay, J. J. P. C. Rodrigues, and Y. Park, “Provably secure multi-server authentication protocol using fuzzy commitment,” IEEE Access, vol. 6, pp. 38578–38594, 2018.
View at: Publisher Site | Google Scholar
Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: how to generate strong keys from biometrics and other noisy data,” in Advances in Cryptology—EUROCRYPT 2004, C. Cachin and J. L. Camenisch, Eds., pp. 523–540, Springer, Berlin, Germany, 2004.
View at: Publisher Site | Google Scholar
D. Wang, D. He, P. Wang, and C.-H. Chu, “Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 4, pp. 428–442, 2015.
View at: Publisher Site | Google Scholar
P. Wang, Z. Zhang, and D. Wang, “Revisiting anonymous two-factor authentication schemes for multi-server environment,” in Proceedings of the 2018 International Conference on Information and Communications Security, Lille, France, October 2018.
View at: Publisher Site | Google Scholar
R. C. Merkle, “A digital signature based on a conventional encryption function,” in Advances in Cryptology—CRYPTO ’87, C. Pomerance, Ed., pp. 369–378, Springer, Berlin, Germany, 1988.
View at: Publisher Site | Google Scholar
S. Nakamoto, “Bitcoin: a peer-to-peer electronic cash system,” 2009, https://metzdowd.com.
View at: Google Scholar
A. G. Reddy, E.-J. Yoon, A. K. Das, V. Odelu, and K.-Y. Yoo, “Design of mutually authenticated key agreement protocol resistant to impersonation attacks for multi-server environment,” IEEE Access, vol. 5, pp. 3622–3639, 2017.
View at: Publisher Site | Google Scholar
S. Jangirala, S. Mukhopadhyay, and A. K. Das, “A multi-server environment with secure and efficient remote user authentication scheme based on dynamic ID using smart cards,” Wireless Personal Communications, vol. 95, no. 3, pp. 2735–2767, 2017.
View at: Publisher Site | Google Scholar
M. Bellare, R. Canetti, and H. Krawczyk, “A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract),” in Proceedings of the 30th Annual ACM Symposium on Theory of Computing—STOC ’98, pp. 419–428, Dallas, TX, USA, May 1998.
View at: Publisher Site | Google Scholar
C. Ran and H. Krawczyk, “Universally composable notions of key exchange and secure channels,” in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology, Amsterdam, Netherlands, April 2002.
View at: Publisher Site | Google Scholar
D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s law in passwords,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
View at: Publisher Site | Google Scholar
R. Canetti and H. Krawczyk, “Analysis of key-exchange protocols and their use for building secure channels,” in Advances in Cryptology—EUROCRYPT 2001, B. Pfitzmann, Ed., pp. 453–474, Springer, Berlin, Germany, 2001.
View at: Publisher Site | Google Scholar
D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” Journal of Cryptology, vol. 13, no. 3, pp. 361–396, 2000.
View at: Publisher Site | Google Scholar
S. Kumari, X. Li, F. Wu, A. K. Das, K.-K. R. Choo, and J. Shen, “Design of a provably secure biometrics-based multi-cloud-server authentication scheme,” Future Generation Computer Systems, vol. 68, pp. 320–330, 2017.
View at: Publisher Site | Google Scholar
A. G. Reddy, A. K. Das, V. Odelu, and K.-Y. Yoo, “An enhanced biometric based authentication with key-agreement protocol for multi-server architecture based on elliptic curve cryptography,” PLoS One, vol. 11, no. 5, Article ID e0154308, 2016.
View at: Publisher Site | Google Scholar
D. Wang and P. Wang, “Two birds with one stone: two-factor authentication with security beyond conventional bound,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 4, pp. 708–722, 2018.
View at: Publisher Site | Google Scholar
D. Wang, W. Li, and P. Wang, “Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks,” IEEE Transactions on Industrial Informatics, vol. 14, no. 9, pp. 4081–4092, 2018.
View at: Publisher Site | Google Scholar
S. S. Ltd, “BWorld robot control software,” 2015, http://www.shamus.ie/index.php?page=home.
View at: Google Scholar

Copyright

Copyright © 2020 Jiangheng Kou et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

717

Downloads

806

Citations

Security and Communication Networks

Efficient Hierarchical Authentication Protocol for Multiserver Architecture

Abstract

1. Introduction

2. Related Work

3. Preliminaries

4. The Proposed Protocol

4.1. RC Initialization Phase

4.2. User Registration Phase

4.3. Service Provider Registration Phase

4.4. User and Service Provider Authentication Phase

4.5. Tree Construction and Verification

4.5.1. Tree Construction

4.5.2. Tree Stored on Service Provider

4.5.3. Authentication Right Verification

4.6. The User Revocation and Reregistration Phase

5. Security Proof

5.1. Security Model

5.2. Proof of Security

5.3. Security Requirements Analysis

5.4. Security Comparison

6. Performance Comparison

6.1. Computation Cost Comparison

6.2. Communication Cost Comparison

6.3. Storage Cost Analysis

7. Conclusion

Data Availability

Conflicts of Interest

Acknowledgments

References

Copyright