Security and Communication Networks

Security and Communication Networks / 2020 / Article

Research Article | Open Access

Volume 2020 |Article ID 3579705 | https://doi.org/10.1155/2020/3579705

Toan-Thinh Truong, Minh-Triet Tran, Anh-Duc Duong, "Chebyshev Polynomial-Based Authentication Scheme in Multiserver Environment", Security and Communication Networks, vol. 2020, Article ID 3579705, 21 pages, 2020. https://doi.org/10.1155/2020/3579705

Chebyshev Polynomial-Based Authentication Scheme in Multiserver Environment

Academic Editor: Jiankun Hu
Received11 Nov 2019
Accepted06 May 2020
Published25 Aug 2020

Abstract

Nowadays, communication technologies are more and more strongly advanced, such as 4G or 5G. There are many useful online applications, and one of them is the telecare medical information system (TMIS). If the TMIS is widely deployed, patients and doctors will have more frequently connection. Clearly, this enhances our quality of life. One of the most important modules securely constructing this convenient TMIS is the user-authentication scheme. We should prevent user identity and related information from the adversary’s eavesdropping. Therefore, the authentication scheme could provide user anonymity and concern some kinds of attacks, such as impersonation or password-guessing attacks. Common solutions are a combination of hash function and public-key cryptosystem (RSA or elliptic curve cryptosystem, ECC), but current schemes do not consider identity protection as one main task necessary for medical information environment. In this paper, our results consist of some important analyses of previous works and a multiserver user-authentication scheme suitable for TMIS using Chebyshev polynomial with two models: random oracle and BAN-logic.

1. Introduction

With evolutionary changes in technological fields, all aspects of modern life are influenced positively, especially in medical online-service systems. Internet gives us a chance of providing convenience to our customers. Instead of directly coming to the medical centre or hospital, many people like to experience anytime. Nowadays, people use wearable devices, such as smart watch or bracelet, and make connections with the online medical system to quickly receive some doctors’ advises. It can be said that remote services are an inevitable trend to satisfy remote experiences. In such services, we need to protect the users’ profiles from illegitimate accesses. All exchanged messages between the user and server in a working session need keeping secret. In any application, the user and server must know if their partner is real or fake. Therefore, the authentication scheme is necessary to provide security and privacy for both sides.

Storing a password list to verify the user’s identity is a popular method, and this is not a secure one (PAP/CHAP). This list may be stolen, and then another adversary can launch a password dictionary attack. Furthermore, the information exchanged between the user and server must be kept secure. We need to propose an efficient scheme to overcome some existing limitations. To achieve this goal, we should design an authentication scheme combined with some cryptographic primitives and hard problems to resist some common kinds of attacks. However, many authors prefer the password-based approach to others because it is simple and easily deployed. Some schemes [15] can resist some kinds of attacks at this phase, such as stolen-verifier attack or replay attack. In 2010, Wu et al. [6] proposed a scheme with precomputing phase enhancing the security. The remarkable point of this idea is that a set of prestored random values provides a strong user’s anonymity. Furthermore, authors also use some cryptographic primitives, such as hash function, symmetric encryption scheme, and logarithm problem. Then, Debiao [7] pointed out that Wu’s scheme did not combine the user’s identity with secret information, and this results in impersonation attack. What Debiao claimed is true, but his improved scheme still has this pitfall. Next, Wei [8] discovered that both Debiao and Wu are vulnerable to offline password-guessing attack, and he also proposed improved version to overcome this attack. In 2012, Zhu claimed that Wei’s scheme is still vulnerable to what Wei claimed. Zhu combined the password with a secret key to enhance the difficulty of password verification. Although Zhu’s scheme [9] overcame previous limitations, his scheme transmitted identity information without protection. Therefore, his scheme is not suitable for some privacy environments. Especially, Pu’s plugin scheme [10] can plug any two-party password authentication protocol, 2PAKE with elliptic curve cryptography, to enhance security and save computational cost. However, this scheme also needs to be reconsidered because of unreasonable computation workloads with two session keys. In case of leaking the centre’s master key and the users’ authentication key, the scheme should protect previous exchanged messages between the user and server. That is why session-key perfect forward secrecy (PFS) is one of the standards evaluating a strong scheme. Known-key attack is also a popular one at the authentication phase that receives many attentions. In this kind of attack, leaking another session key may result in attacking another session key. In 2013, Li et al. [11] proposed a scheme in multiserver environment with many improvements, in which each server has its own key. However, leaking smart card’s information may result in password-guessing attack. In 2014, Qu and Tan [12] proposed a different ECC-based scheme. Although they used elliptic curve cryptosystem, leaking the user’s identity may result in impersonation attack. Clearly, this decreases the scheme’s reality because the identity’s nature is public. In 2015, Amin and Biswas [13] proposed a scheme in telecare medicine environment. Their scheme can resist three-factor attack, including password + smart card + biometrics. However, their scheme is still vulnerable to PFS. In 2018, Qiu et al. [14] and Xu et al. [15] proposed a scheme using ECC with untraceability property suitable for the medical services. Also, in 2019, Qiu et al. [16] proposed an ECC-based improved version using automated validation of Internet security protocol and application software. So, it can be said that this scheme has a high reliability.

Client-server authentication is simple and time-efficient, but in such medical or financial systems, we need continuous connections between their servers. Furthermore, in single-server environment, the customer needs many credentials for various services. Recently, using Chebyshev polynomial receives attentions from many authors. In 2016, Li et al. [17] proposed a chaotic map-based authentication scheme in multiserver environment with provable security. Their work is truly impressive because it is based on BAN-logic and random oracle models, which are tools suitable for provable authentication schemes. Their design is a three-party participation in authentication process, so its time-consuming is high. In 2017, Jangirala et al. [18] proposed a multiserver environment scheme based on dynamic ID. Although the correctness of their scheme is correctly proved based BAN-logic, it is not applied with any hard problems. Therefore, it is hard to be a strong scheme. In the same year, Han et al. [19] and Irshad et al. [20] proposed a chaotic map-based scheme. Han et al.’s result is a combination between hard problem (chaotic map) and cryptographic primitives, such as hash function and symmetric encryption scheme. However, we see their scheme uses three-way challenge-response handshake technique with timestamp. In our experience, we only need two three-way challenge-response handshake techniques needed if using timestamp. Irshad’s scheme is similar to Li’s because it is designed with three-party architecture. Therefore, it also takes much time to authenticate. In 2018, Alzahrani et al. [21] proposed a secure and efficient TMIS-based scheme. Their scheme provides TMIS environment with chaotic map-based scheme, but they need to extend in multiserver environment. Especially, in the same year, Wang et al. [22] proposed a security model accurately capturing the adversary’s practical capabilities. We hope their model will be favourable and common soon. In this paper, we will analyse typical works [1113, 18, 20, 21] to have some information needed to propose a new Chebyshev polynomial-based scheme in multiserver environment. Also, we have a work [23] but in the client-server environment.

The rest of our paper is organized as follows. In Section 2, we present the background of Chebyshev polynomial. Section 3 reviews some recently typical results and analyses them on security aspect. Then, in Section 4, we propose an improved scheme in multiserver environment using Chebyshev polynomial [24] in the modular prime number field. In Section 5, we analyse our proposed scheme on two aspects, security and efficiency. Finally, the conclusion is presented in Section 6.

2. Background

Chebyshev polynomial [24] is a chaotic map in field ℝ, Ta: [−1, 1] ⟶ [−1, 1] (∀a ∈ ℕ): Ta (x) = cos (a × arcos (x)), ∀x ∈ [−1, 1].

And it can be rewritten in recursion form as follows:

In 2005, Bergamo et al. [25] analysed Chebyshev polynomial in real field and concluded that we can find r′ ≠ r, such that  = . In 2008, Zhang [24] extended Chebyshev polynomial to ∞ and proved that its property in real field is also right in modular prime number field , p ∈ ℙ. This result allows to construct public-key cryptography and related hard problems. Chebyshev polynomial in can be rewritten in recursion form as in ℝ:With properties in Chebyshev polynomial, a public-key cryptography is proposed. To construct this one, we need to choose p ∈ ℙ and x ∈ [0, p − 1] and then compute with formula Tn (x) mod p, ∀n ∈ ℕ. Furthermore, there are also two related hard problems in this public-key cryptography [26], such as chaotic map discrete logarithm problem (CMDLP) and chaotic map Diffie–Hellman problem (CMDHP):(i)Chaotic map discrete logarithm problem (CMDLP): given p ∈ ℙ and x, y ∈ [0, p − 1], it is hard to find r ∈ ℕ such that Tr (x) = y mod p(ii)Chaotic map Diffie–Hellman problem (CMDHP): given p ∈ ℙ, x ∈ [0, p − 1], Ta (x) mod p and Tb (x) mod p, it is hard to find Ta×b (x) mod p, where a, b ∈ ℕ

3. Cryptanalysis of Some Typical Schemes

This section presents and analyses on some typical schemes.

3.1. Li et al.’s Scheme

This scheme [11] uses hash function combined with random values, including four phases: registration, login, authentication, and password-update phases. Because designed for multiserver environment, the registration centre constructs the master key h (x || y) for itself and the submaster key h (SIDj || h (y)) for each service provider. Table 1 presents some notations used in this scheme.


NotationsDescription

Ui, Sj, RCith user, jth server, registration centre
IDi, PWiIdentity and password of Ui
SIDj, CIDiSj’s identity, Ui’s dynamic identity
x, yMaster key and secret value of RC
h (.), ⊕, ||Hash function, XOR, and concatenation
⇒/⟶Secure/public channels

3.1.1. Registration Phase

Ui registers with RC as follows:(i)Ui chooses IDi, PWi, and random value b and computes Ai = h (b ⊕ PWi). Then, Ui sends IDi and Ai to RC through a secure channel.(ii)On receiving {IDi, Ai} from Ui, RC computes Bi = h (IDi || x), Ci = h (IDi || h (y) || Ai), Di = h (Bi || h (x || y)), and Ei = Bi ⊕ h (x || y).(iii)RC saves {Ci, Di, Ei, h (.), h (y)} into a smart card and sends to Ui via a secure channel.(iv)Ui inputs b into the smart card, and finally, Ui has {Ci, Di, Ei, b, h (.), h (y)}.

In the registration phase, we see that the author used common key h (y), and this is dangerous because the adversary can exploit this to launch an impersonation attack if the smart card’s information is leaked or stolen. Figure 1 describes all steps in this phase.

3.1.2. Login Phase

When logging into service, Ui performs as follows:(i)Ui provides his/her smart card and inputs IDi and PWi. Then, the smart card computes Ai = h (b ⊕ PWi) and  = h (IDi || h (y) || Ai) and checks if  = Ci. If this holds, Ui continues. Otherwise, the smart card terminates the session.(ii)The smart card randomly chooses values Ni and computes Pij = Ei ⊕ (h (h) (SIDj || h (y)) || Ni), CIDi = Ai ⊕ (h (D)i || SIDj || Ni), M1 = h (P)ij || CIDi || Di || Ni), and M2 = h (SIDj ||h (y)) ⊕ Ni.(iii)Ui sends {Pij, CIDi, M1, M2} to Sj through a public channel.

At this phase, the random value Ni can be easily computed because it is only protected by h (y). This decreases the challenge from the user and makes the scheme unbalanced.

3.1.3. Authentication Phase

In this phase, the server also chooses the random value Nj and only the valid user (who has Ai) can recompute this Nj and send a correct response. Figure 2 describes all steps in this phase.

When Sj receives {Pij, CIDi, M1, M2} from Ui, Sj, and Ui, it performs the following steps:(i)Sj computes Ni = h (SIDj || h (y)) ⊕ M2, Ei = Pij ⊕ h (h (SIDj || h (y)) || Ni), Bi = Ei ⊕ h (x || y), Di = h (Bi || h (x || y)), and Ai = CIDi ⊕ h (Di || SIDj || Ni).(ii)Sj computes h (Pij || CIDi || Di || Ni) and compares it with M1. If two values are unequal, Sj rejects the login message and terminates the session. Otherwise, Sj accepts login message. Then, Sj randomly chooses Nj and computes M3 = h (Di || Ai || Nj || SIDj) and M4 = Ai ⊕ Ni ⊕ Nj. Finally, Sj sends {M3, M4} to Ui through a public channel.(iii)When receiving {M3, M4} from Sj, Ui computes Nj = Ai ⊕ Ni ⊕ M4 and h (Di || Ai || Nj || SIDj) and then compares it with M3. If two values are unequal, Ui rejects the message and terminates the session. Otherwise, Ui successfully authenticates with Sj. Then, Ui computes M5 = h (Di || Ai || Ni || SIDj) and sends {M5} to Sj through a public channel.(iv)Sj computes Ni = h (SIDj || h (y)) ⊕ M2, Ei = Pij ⊕ h (h (SIDj  || h (y)) || Ni), Bi = Ei ⊕ h (x || y), Di = h (Bi || h (x || y)), and Ai = CIDi ⊕ h (Di || SIDj || Ni).(v)When receiving {M5} from Ui, Sj computes h (Di || Ai || Ni || SIDj) and compares it with M5. If two values are equal, Sj successfully authenticates with Ui and authentication phase completes.(vi)Next, Ui and Sj compute a common session key SK = h (Di || Ai || Ni || Nj || SIDj) used to encrypt later transactions.

3.1.4. Password-Update Phase

This phase is performed when Ui changes PWi into PWinew without interacting with RC:(i)Ui inputs IDi and PWi and provides his/her smart card at the terminal.(ii)The smart card computes Ai = h (b ⊕ PWi) and  = h (IDi || h (y) || Ai) and checks if  = Ci. Is this does not hold, the smart card rejects password-update request. Otherwise, Ui inputs PWinew and random number bnew.(iii)The smart card computes Ainew = h (bnew ⊕ PWinew) and Cinew = h (IDi || h (y) || Ainew).(iv)Finally, the smart card replaces Ci with Cinew and terminates the session.

3.1.5. The Scheme’s Cryptanalysis

If Ui loses his/her smart card, it can result in impersonation attack. Furthermore, another attacker Ua can exploit Sj to guess the password through session key. Therefore, Li’s scheme is also vulnerable to two-factor attack. Below are some steps to launch an impersonation and password-guessing attacks:(i)Ua computes Pij = Ei ⊕ h (h (SIDj || h (y)) || Ni), where Ei is extracted from the smart card. SIDj, h (y), and Ni are easily computed by Ua because they are public information.(ii)Next Ua computes CIDi = Ai ⊕ h (Di || SIDj || Ni), M1 = h (Pij || CIDi || Di || Ni), and M2 = h (SIDj || h (y)) ⊕ Ni, where Ai = h (b ⊕ PWi) is Ua’s value and Di is extracted from Ui’s smart card.(iii)Ua sends {Pij, CIDi, M1, M2} to Sj. When receiving, Sj will perform the following steps to verify.(iv)Sj extracts Ni = h (SIDj || h (y)) ⊕ M2, Ei = Pij ⊕ h (h (SIDj || h (y)) || Ni), Bi = Ei ⊕ h (x || y), Di = h (Bi || h (x || y)), and Ai = CIDi ⊕ h (Di || SIDj || Ni).(v)Sj sees M1 = h (Pij || CIDi || Di || Ni), so Sj randomly chooses Nj and computes M3 = h (Di || Ai || Nj || SIDj) and M4 = Ai ⊕ Ni ⊕ Nj. Sj sends {M3, M4} to Ua.(vi)When receiving {M3, M4}, Ua computes M5 = h (Di || Ai || Ni || SIDj) and sends to Sj.(vii)Sj sees M5 = h (Di || Ai || Ni || SIDj) and accepts Ua.(viii)Finally, Ua and Sj compute a common session key SK = h (Di || Ai || Ni || Nj || SIDj).

Because Ei is extracted from Ui’s smart card, the values Bi and Di also belong to Ui. However, in Li’s scheme, Ai is separated from other values, so Ua can exploit this limitation to insert his/her information. Furthermore, if Ua captures previous transactions between Ui and Sj, he/she will launch Ui’s password-guessing attack. Assuming Ua has Ui’s M5 = h (Di || Ai || Ni || SIDj), so Ua can construct h (Di || h (b ⊕ guess) || Ni || SIDj) = M5 and use the password dictionary to search “guess” until success. Note that Ui’s Ni is easily found by computing Ni = M2 ⊕ h (SIDj || h (y)), in which SIDj and h (y) are those Ua easily computes.

3.2. Qu and Tan’s Scheme

Qu and Tan’s scheme [12] uses ECC, and it is secure against some popular kinds of attacks as they claimed. However, we will prove their scheme is vulnerable to impersonation attack. This scheme includes five phases: initialization, registration, login, authentication, and password-update phases. Table 2 presents some notations used in this scheme.


NotationsDescription

S, U, (qS, QS)Server/user, key-pair of S
IDU, PWUIdentity and password of U
H1Hash function {0, 1} ⟶ 
H2Hash function  ×  ⟶ 
H3|Hash function {0, 1} ×  ×  ⟶ {0, 1}k
rU, rSSecret values of U and S
, EP ()Finite field, elliptic curve defined over
Group of points in EP (),  = n ∈ ℙ
PBase point P is a generator of

3.2.1. System Initialization

In this phase, the system initializes some parameters:(i)S chooses the elliptic curve EP (a, b) and base point P with big prime order n(ii)S chooses qS ∈ [1, n − 1] and computes the public key QS = qS × P(iii)S chooses three hash functions, H1 (.), H2 (.), and H3 (.), described in Table 2(iv)S published {EP (a, b), P, QS, H1 (.), H2 (.), H3 (.)}

In this phase, we see that H1 (.) is special because it receives any string and outputs a point belonging to the elliptic curve.

3.2.2. Registration Phase

When registering, U must follow following steps:(i)U chooses IDU, PWU, and random numbers bU ∈ [1, n − 1] and then U provides IDU and H1 (PWU || bU) × P to S through a secure channel(ii)When receiving {IDU, H1 (PWU || bU) × P} from U, S computes AIDU = (qS + 1) × H1 (PWU || bU) × P and BIDU = H2 (H1 (IDU) || H1 (PWU || bU) × P)(iii)S saves {AIDU, BIDU} into the smart card and then sends to U via a secure channel(iv)When receiving, U inputs bU into the smart card. Finally, U has {AIDU, BIDU, bU}

At this phase, S attaches U’s personal information with S’s master key qS to create the user’s authentication key by using H1 (.). Figure 3 describes all steps in this phase.

3.2.3. Login Phase

When U logins into S, U provides IDU, PWU, and his/her smart card into the terminal. Then, the smart card performs the following steps:(i)The smart card computes BIDU′ = H2 (H1 (IDU) || (H1 (PWU || bU) × P)) and checks if  = BIDU (BIDU is stored in the smart card). If this holds, U provides correct information. Otherwise, the smart card will terminate the session.(ii)U randomly chooses rU ∈ [1, n − 1] and computes TIDU = AIDU − H1 (PWU || bU) × P, M = rU × QS, CIDU = IDU × H2 (M || TIDU), DIDU = M + H1 (PWU || bU) × P, and EIDU = H3 (IDU || M || R), where R = rU × P.(iii)The smart card sends M1 = {CIDU, DIDU, EIDU, R} to S through a public channel.

In this phase, identity is not attached with U’s authentication key, so this is a weak point that another adversary can exploit to launch an impersonation attack. Figure 4 describes all steps in this phase and authentication phase.

3.2.4. Authentication Phase

When receiving the login message from U, S performs as follows:(i)S computes M′ = qS × R, H1 (PWU || bU) × P = DIDU − M′,  = qS × H1 (PWU || bU) × P, and IDU = CIDU ⊕ H2 (M′ || ). Then, S checks if H3 (IDU ||M′ || R) = EIDU. If this holds, S successfully authenticates with U. Otherwise, the session is terminated.(ii)S chooses rS ∈ [1, n − 1] and then computes S = rS × P, T = S + M′, and HS = H2 (S || ).(iii)S sends M2 = {T, HS} to U through a public channel.(iv)When receiving M2 = {T, HS} from S, U computes S = T – M and  = H2 (S || H1 (PWU || bU) × QS) and checks if  = HS. If this holds, U successfully authenticates with S and U sends M3 = {HRS} to S, where HRS = H2 (R || S). Otherwise, U terminates the session.(v)On receiving M3 = {HRS}, S computes  = H2 (R || S) and checks if  = HRS. If this holds, S and U successfully authenticate each other. Otherwise, S terminates the session.(vi)U and S compute common SK = H3 (IDU || TIDU || rU × S) = H3 (IDU ||  || rS × R).

3.2.5. Password-Update Phase

When receiving the login message from U, S performs as follows:(i)U provides IDU, PWU, and the smart card at the terminal. Then, it computes  = H2 (H1 (IDU) || (H1 (PWU || bU) × P)) and checks if  = BIDU. If this holds, U can choose . Otherwise, the session is terminated.(ii)The smart card computes  = H1 (PWU || bU)−1 × AIDU × H1 ( || bU) and  = H2 (H1 (IDU) || H1 ( || bU) × P).(iii)The smart card replaces AIDU and BIDU with and .

3.2.6. The Scheme’s Cryptanalysis

If the user’s identity is leaked, that user will be impersonated. Assuming another adversary is also a member. We call him/her Ua with corresponding {AIDA, BIDA} in his/her smart card. If Ua knows victim’s IDU, Ua performs the following steps to launch an impersonation attack:(i)Ua randomly chooses rA ∈ [1, n − 1] and computes R = rA × P.(ii)Next, Ua extracts TIDA = AIDA − H1 (PWA || bA) × P, where AIDA, PWA, bA, and TIDA are information in Ua’s smart card.(iii)Ua computes M = rA × QS, CIDA = IDU ⊕ H2 (M || TIDA), DIDA = M + H1 (PWA || bA) × P, and EIDA = H3 (IDU || M || R). Then, Ua sends M1 = {CIDA, DIDA, EIDA, R} to S.(iv)When receiving M1, S computes M′ = qS × R = qS × rA × P = rA × QS, H1 (PWU || bU) × P = DIDA − M′,  = qS × H1 (PWA || bA) × P, and IDU = CIDA ⊕ H2 (M′ || ).(v)S checks if H3 (IDU || M′ || R) = EIDA, and we see this condition holds.(vi)S randomly chooses rS ∈ [1, n − 1], computes S = rS × P, T = S + M′, and HS = H2 (S || ), and sends M2 = {T, HS} to Ua.(vii)On receiving M2, Ua computes S = T − M and HRS = H2 (R || S). Finally, Ua sends M3 = {HRS} to S.(viii)When receiving M3, S computes  = H2 (R || S) and see that  = HRS.

If the user’s identity is leaked, he/she will be impersonated. The reason is that the user’s identity is not attached with their secret information, for example, the authentication key AIDU is not attached with identity, or BIDU is only used for verification of the smart-card owner and does not take part in the authentication phase.

3.3. Amin and Biswas’s Scheme

Amin and Biswas’s scheme [13] uses ECC and biohashing, a special hash function overcoming the problem of sensitive input which exists in traditional hash function. In 2004, Jin et al. [27] proposed a remarkable improved biohashing function. Amin and Biswas’s scheme includes four phases: registration, login, authentication, and password-update phases. Table 3 presents some notations used in this scheme.


NotationsDescription

Ui, Sith user, medical centre
PWi, IDi, BiPassword/identity/biometrics of Ui
p, q, Two prime numbers, finite field
EP ()EC in : y2 = x3 + ax + b (a, b ∈ ) and δ = 4a3 + 27 b2 ≠ 0
Group of points in EP ()
PBase point of with prime order q
aPPoint multiplication P
xSecret key of S (1024 bit)
Multiplicative group
h (.)Hash function {0, 1} ⟶ 
H (.)Biohashing
h1 (.)Hash function  ×  ⟶ 
⊕, ||, ENC/DECXOR, concatenation, encrypt/decrypt

3.3.1. Registration Phase

In this phase, Ui chooses IDi, PWi, and biometrics Ti. Next, Ui computes Ai = h (IDi || PWi) and Fi = H (Ti) and sends {IDi, Ai, Fi} to S through a secure channel. When receiving {IDi, Ai, Fi} from Ui, S computes W = h (IDS ||x || IDi), Bi = h (IDi || Ai) ⊕ W, and CIDi = ENCx (IDi || Rran) and sends a smart card including {Fi, Ai, Bi, CIDi, h (.), H (.)} back to Ui through a secure channel, where IDS is S’s identity and Rran is the random number chosen by S. In this phase, Ui can choose IDi and PWi easily guessed by password-guessing attack or identity-guessing attack. Figure 5 describes all steps in this phase.

3.3.2. Login Phase

When Ui successfully registers, Ui performs as follows:(i)Ui provides the smart card with Ti, and then the smart card computes  = H (Ti) and checks if  = Fi (Fi is stored in the smart card). If this condition holds, Ui continues providing IDi and PWi; otherwise, the scheme is terminated.(ii)The smart card computes  = h (IDi || PWi) and checks if  = Ai (Ai is stored in the smart card). If this condition holds, the phase continues; otherwise, it is terminated.(iii)Ui randomly chooses ri, computes C1 = ri × P, W = Bi ⊕ h (IDi || ), C2 = ri ⊕ W, and C4 = h (IDi || ri || W), and sends {C2, C4, CIDi} to S through a public channel.

In this phase, Ui needs to use biometrics + password + identity to prove the smart-card owner. This method protects the user from impersonation attacks. Figure 6 describes all steps in this phase and the authentication phase.

3.3.3. Authentication Phase

When S receives {C2, C4, CIDi} from Ui, S and Ui perform as follows:(i)When receiving {C2, C4, CIDi} from Ui, S decrypts CIDi by using x and S obtains ( || Rran) = DECx (CIDi). Then, S computes W = h (IDS ||x || ),  = C2 ⊕ W,  =  × P, and  = h (IDi ||  || W) and checks if  = C4 (C4 is stored in the smart card). If this condition holds, S believes Ui is the valid user.(ii)S randomly chooses rj, computes D1 = rj × P, SK = rj ×  = rj ×  × P, G1 = D1 + , Li = h ( || h1 (D1) || W), and  = ENCx ( || ), and sends {Li, G1, } to Ui through a public channel.(iii)When receiving {Li, G1, } from S, Ui computes  = G1 − ,  = h (IDi || h1 () || W), and SK = ri ×  = ri × rj × P and checks if  = Li. If this condition holds, Ui believe S is valid and SK is a common session key of Ui and S. After the successful authentication phase, Ui replaces CIDi with . Finally, Ui computes Zi = h (IDi || SK) and sends to S through a public channel.(iv)When receiving {Zi} from Ui, S computes  = h ( || SK) and checks if  = Zi. If this condition holds, the authentication phase successfully completes.

In this phase, replacing CIDi after successfully authentication will enhance the user’s privacy. Because each transaction has a different value, there is no way to know who is online, as well we cannot identify whether two transactions belong to one user.

3.3.4. Password-Update Phase

Ui needs to successfully login if he/she wants to change the password. Ui needs to provide PWinew, and then his/her smart card computes Ainew = h (IDi || PWinew) and Binew = h (IDi || Ainew) ⊕ W, where W is the old value and replaces (Ai, Bi) with (Ainew, Binew).

3.3.5. The Scheme’s Cryptanalysis

If the master key is leaked, all previous exchanged messages between the user and server are also leaked. For example, if the key x is leaked, the adversary stores previous message packages of the user and server, such as {C2, CIDi, C4} or {Li, G1, }. The adversary will extract IDi by using x to decrypt CIDi, computes W = h (IDS ||x || IDi) and ri = C2 ⊕ W. With ri, the adversary computes C1 = ri × P and D1 = G1 − C1. From ri and Di, the adversary finally computes SK = ri × D1.

3.4. Jangirala et al.’s Scheme

This scheme [18] uses hash function combined with random values, including four phases: registration, login, authentication, and password-update phases. Because designed for multiserver environment, the registration centre constructs the master key h (x || y) for itself and the submaster key h (SIDj || h (y)) for each service provider. Notations used in this scheme are in Table 1.

3.4.1. Registration Phase

Ui registers with RC as follows:(i)Ui chooses IDi, PWi, and random value b and computes Ai = h (IDi ⊕ b ⊕ PWi). Then, Ui sends IDi and Ai to RC through a secure channel.(ii)On receiving {IDi, Ai} from Ui, RC computes Bi = h (Ai || x), Ci = h (IDi || h (y) || Ai), Di = h (Bi || h (x || y)), and Ei = Bi ⊕ h (x || y).(iii)RC saves {Ci, Di, Ei, h (.), h (y)} into a smart card and sends to Ui via a secure channel.(iv)Ui computes Li = b ⊕ h (IDi || PWi). Then, Ui inserts Li into the smart card, and finally, Ui has {Ci, Di, Ei, Li, h (.), h (y)}.

In the registration phase, we see that their scheme encrypts b with h (IDi || PWi). This prevents some kinds of privileged insider attacks. Figure 7 describes all steps in this phase.

3.4.2. Login Phase

This phase sends Ui’s login request to Sj as follows:(i)Ui inserts his/her smart card and inputs IDi and PWi. Then, the smart card computes b = Li ⊕ h (IDi || PWi), Ai = h (IDi ⊕ b ⊕ PWi), and  = h (IDi || h (y) || Ai) and checks if  = Ci. If this holds, Ui continues. Otherwise, the smart card terminates the session.(ii)The smart card randomly chooses values Ni and computes Pij = Ei ⊕ h (h (SIDj || h (y)) || Ni), CIDi = Ai ⊕ h (Di || SIDj || Ni), M1 = h (Pij || CIDi || Ai || Ni), and M2 = h (SIDj || h (y)) ⊕ Ni.(iii)Ui sends {Pij, CIDi, M1, M2} to Sj through a public channel.

At this phase, random value Ni can be easily known by the adversary because it is only protected by h (y). Furthermore, if the user’s smart card is leaked, the adversary can compute his/her Di and discover what the user did in previous session corresponding to Ni.

3.4.3. Authentication Phase

When Sj receives {Pij, CIDi, M1, M2} from Ui, Sj verifies Ui’s login message as follows:(i)Sj computes Ni = h (SIDj || h (y)) ⊕ M2, Ei = Pij ⊕ h (h (SIDj || h (y)) || Ni), Bi = Ei ⊕ h (x || y), Di = h (Bi || h (x || y)), and Ai = CIDi ⊕ h (Di || SIDj || Ni).(ii)Sj computes h (Pij || CIDi || Ai || Ni) and compares it with M1. If two values are not matched, Sj rejects the login message and terminates the session. Otherwise, Sj accepts the login message. Then, Sj randomly chooses Nj and computes SKij = h (h (Bi || h (x || y)) || Ai), M3 = h (SKij || Ai || SIDj || Nj), and M4 = SKij ⊕ Nj ⊕ Nj. Finally, Sj sends {M3, M4} to Ui through a public channel.(iii)When receiving {M3, M4} from Sj, Ui computes SKij = h (Di || Ai), Nj = SKij ⊕ M4, and h (SKij || Ai || SIDj || SIDj) and then compares it with M3. If two values are not matched, Ui rejects the message and terminates the session. Otherwise, Ui successfully authenticates with Sj. Then, Ui computes M5 = h (SKij || Ai || SIDj || Ni || Nj) and sends {M5} to Sj through a public channel.(iv)When receiving {M5} from Ui, Sj computes h (SKij || Ai || SIDj || Ni || Nj) and compares it with M5. If two values are equal, Sj successfully authenticates with Ui.(v)Next, Ui and Sj compute a common session key SKeyij = h (SKij || Ai || SIDj || Ni || Di || Nj) used to encrypt later transactions. Also, Sj chooses the random value Nj and only the valid user (who has Di and Ai) can extract this Nj and send correct response. Figure 8 describes all steps in this phase.

3.4.4. Password-Update Phase

This phase is performed when Ui changes PWi into PWinew without interacting with RC:(i)Ui provides his/her smart card at the terminal and inputs IDi and PWi.(ii)The smart card computes b = Li ⊕ h (IDi || PWi),  = h (IDi ⊕ b ⊕ PWi), and  = h (IDi || h (y) || ) and checks if  = Ci. Is this does not hold, the smart card rejects and terminates the password-update-request session. Otherwise, Ui inputs PWinew.(iii)The smart card computes Ainew = h (IDi ⊕ b ⊕ PWinew) and Cinew = h (IDi || Ainew || h (y)).(iv)Finally, the smart card replaces Ci with Cinew and Li with Linew, where Linew = b ⊕ h (IDi || PWinew).

3.4.5. The Scheme’s Cryptanalysis

If another Ui’s smart card leaks information {Ci, Di, Ei, h (y), h (.)} and the adversary Ua is another valid user, Ua can launch an impersonation attack as follows:(i)Ua computes Pij = Ei ⊕ h (h (SIDj || h (y)) || Na), where Na is random value chosen by Ua(ii)Then, Ua computes CIDi = Aa ⊕ h (Di || SIDj || Na), M1 = h (Pij || CIDi || Aa || Na), and M2 = h (SIDj || h (y)) ⊕ Na, where Aa belongs to Ua(iii)Next, Ua sends {Pij, CIDi, M1, M2} to Sj(iv)Once receiving these messages, Sj computes Na = h (SIDj ||h (y)) ⊕ M2, Ei = Pij ⊕ h (h (SIDj || h (y)) || Na), Bi = Ei ⊕ h (x || y), and Di = h (Bi || h (x || y))(v)Next Sj computes Aa = CIDi ⊕ h (Di || SIDj || Na) and sees that M1 = h (Pij || CIDi || Aa || Na)(vi)Sj chooses Nj and computes SKij = h (h (Bi || h (x || y)) || Aa), M3 = h (SKij || Aa || SIDj || Nj), and M4 = SKij ⊕ Nj(vii)Then, Sj sends {M3, M4} to Ua(viii)Once receiving these messages from Sj, Ua computes SKij = h (Di || Aa) and Nj = SKij ⊕ M4 and sends M5 to Sj, where M5 = h (SKij || Aa || SIDj || Na || Nj).(ix)Once receiving M5 from Ua, Sj sees that M5 = h (SKij || Aa || SIDj || Na || Nj) and computes the session key SKeyij = h (SKij || Aa || SIDj || Na || Di || Nj)

Clearly, Ua successfully authenticates with Sj without knowing the user’s identity and password.

3.5. Han et al.’s Scheme

This scheme [19] uses the fuzzy extractor to process the user’s biometrics, including four phases: registration, login, authentication, and password-update phases. With symmetric encryption, this scheme truly has strong user anonymity because the adversary cannot know if two login sessions are belonged to the same user. Some notations used in this scheme are in Table 4.


NotationsDescription

U, SUser/patient, telecare server
PW, ID, BPassword/identity/biometrics of U
sPrivate key of server
SKSession key between U and S
h (.)Cryptographic one-way hash function
Encx (.)/Decx (.)Symmetric encryption scheme
GenProbabilistic generation algorithm
RepProbabilistic reproduction algorithm
⊕, ||, TnXOR, concatenation, Chebyshev operation

3.5.1. Registration Phase

In the registration phase, we see that their scheme generates <R, P> from the user’s biometrics with the fuzzy extractor. Furthermore, the user’s dynamic identity is made by the server by using the encryption scheme. Figure 9 describes all steps in this phase.

Firstly, the user chooses ID, PW, biometrics B, and random value r. Then, the fuzzy extractor generates <R, P> from B and the user computes A = h (PW || R) ⊕ r. Next, the user sends {ID, A}. Once receiving the user’s messages, the server computes AID = h (ID || s), K = h (AID), V′ = AID ⊕ A, and CID = Encs (ID || a), where a is chosen randomly by and s is private key of the server. Then, the server sends SC = {K, V′, CID, h (.)} to the user. Once receiving the server’s message, the user computes V = V′ ⊕ A ⊕ h (ID || PW || R) and replaces V′ by V. The user inserts P in SC and keeps it secret.

3.5.2. Login Phase

The user sends inserts SC into the terminal and enters ID, PW, and B′ similar to B. Then, SC performs as follows:(i)SC performs Rep (B′, P) to generate R and computes AID = V ⊕ h (ID || PW || R)(ii)SC checks if K = h (AID). If this holds, go to next step(iii)SC generates a nonce u and computes X = Tu (AID) and V1 = h (ID || X || CID || T1)(iv)SC transmits {CID, X, V1, T1} to the server

At this phase, the user needs to recreate the R value by providing correct his/her biometrics.

3.5.3. Authentication Phase

When receiving the login message from the user, S verifies the login message as follows:(i)S checks if |Tc − T1| ≤ δT, where Tc is receiving time. If this holds, S retrieves ID by computing Decs (CID) with the private key s.(ii)Then, S computes AID = h (ID || s) and checks if V1 = h (ID || X || CID || T1). If this holds, S generates random values a′ and v.(iii)Then, S computes CID′ = Encs (ID || a′), SK = h ( (X)), Y =  (AID), and V2 = h (CID′ || Y || SK || T2), where T2 is current time.(iv)Then, S sends {CID′, Y, V2, T2} to the user.(v)Once receiving messages from the server, SC checks T2 and calculates SK = h (Tu (Y)).(vi)Then, SC checks if V2 = h (CID′ || Y || SK || T2). If this holds, SC replaces CID with CID′, computes V3 = h (SK || T3), and sends {V3, T3} to S.(vii)Once receiving messages, the server checks T3 and verifies if V3 = h (SK || T3). If this holds, the user and server successfully authenticate to each other and accept SK as a session key.

This scheme is completely dependent on random values u and , and this is vulnerable to known session-specific temporary information attack. Figure 10 describes all steps in this phase.

3.5.4. Password-Update Phase

This phase is performed when U changes PW into PWnew without interacting with S:(i)U inserts his/her smart card into the terminal and inputs ID, PW, and B′. SC executes Rep (B′, P) = R and computes AID = V ⊕ h (ID || PW || R).(ii)SC checks if h (AID) = K. If this holds, SC allows the change request.(iii)U inputs PWnew and Bnew, and then SC computes <Rnew, Pnew> = Gen (Bnew) and Vnew = V ⊕ h (ID || PW || R) ⊕ h (ID || PWnew || Rnew).(iv)Finally, SC replaces V by Vnew.

3.5.5. The Scheme’s Cryptanalysis

If another session leaks the random value , the adversary can exploit to reattack the user and know previous messages transmitted between the user and server. For example, the adversary Ua obtains {CID, X, V1, T1}, {CID′, Y, V2, T2}, and {V3, T3} with the random value leaked, and Ua can launch an impersonation attack as follows:(i)If U sends the new login message {CID′, X′, , } to S, Ua can block this message.(ii)Ua generates random CIDʺ.(iii)Then, Ua computes SK′ = h ( (X′)) and V2′ = h (CIDʺ || Y || SK′ || ), where is current time and Y is previous value of U and S.(iv)Then, Ua sends {CIDʺ, Y, , } to U.(v)Once receiving the message from Ua, U checks . If this holds, U computes SK′ = h (Tu (Y)), where u′ is a random value chosen by U.(vi)U checks if  = h (CIDʺ || Y || SK′ ||). We see this holds and U sends  = h (SK′ || ) to Ua.

Clearly, the adversary can reuse this random value to reattack the user many times. The main reason is that CID is what the user does not know.

3.6. Proposed Scheme

In Section 3, we review some typical schemes using many approaches such as Chebyshev polynomial or elliptic curve cryptosystem in various environments. Although these schemes are well designed with some interesting primitives, such as fuzzy extractor or symmetric encryption scheme, they are still vulnerable to some typical kinds of attacks, such as password-guessing or impersonation. Indeed, there are still interesting schemes [17, 20], but they are designed with three-party participation different with two-party participation of the proposed scheme. Therefore, we temporarily do not consider in this paper. Figure 11 shows our architecture of participation between registration centre (RC), servers (Sj), and users (UX), where the keys of servers and users are created by RC.

With this architecture in Figure 11, we can deploy a RC to centralize all medical servers. Also, the users easily find the medical services suitable for them. This section presents the phases in our proposed scheme. Our scheme uses Chebyshev polynomial in multiserver environment with two-party participation, including five phases: initialization, registration (server + user), authentication, and password-update phases. Some notations used in our scheme are in Table 5.


NotationsDescription

UX, Sj, RCXth user/jth server, registration centre
BXBiometrics of UX
qRCMaster key of RC
ASIDjSj’s master key
UX’s authentication key with Sj
SKSession key between UX and Sj
H0 (.)Cryptographic one-way hash function
Gen/RepGeneration/reproduction algorithm
⊕, ||, TnXOR, concatenation, Chebyshev operation

3.6.1. System Initialization

RC chooses the big prime number p ∈ ℙ k-bit and a qRC. Then, RC chooses H0: {0, 1} ⟶ {0, 1}k. RC publishes {T (.), H0 (.), p} and keeps qRC secret.

3.6.2. Server Registration Phase

In this phase, Sj provides SIDj to RC through a secure channel. RC chooses rj and computes ASIDj =  (H0 (SIDj || rj)) mod p and then returns {rj, SIDj, ASIDj, H0 (.)} to Sj. Figure 12 shows the steps in this phase.

In this phase, each server Sj has unique master key ASIDj produced by RC. RC must keep the pair <rj, SIDj> for subsequent retrieval and the user’s registration.

3.6.3. User Registration Phase

UX provides biometrics BX and UIDX, using Gen (BX) to generate <RX, PX>. Then, UX sends {UIDX, H0 (RX || UIDX)} to RC through a secure channel. Once receiving the messages, RC computes all submaster keys for all service providers. RC chooses rX and then computes  =  (UIDX || H0 (RX || UIDX)) mod p +  (H0 (rj + rX + UIDX)) mod p and RPWX = H0 (H0 (RX || UIDX) || rX). RC returns {, , …, , RPWX, and H0 (.), rX} to UX through a secure channel. Figure 13 shows the steps in this phase.

In this phase, RC computes , which is an authentication key between UX and Sj (1 ≤ j ≤ m, where m is a number of Sj). Similar to [19], our scheme uses the fuzzy extractor to deal with the problem of output-sensitive due to inputs’ perturbations. Additionally, RC must notify Sj about UX by sending pair <rX, UIDX> for the subsequent user’s authentication.

3.6.4. Authentication Phase

When UX logins to Sj, UX provides the smart card with UIDX and at the terminal. Then, the smart card reproduces RX = Rep (PX, ) and checks if RPWX = H0 (H0 (RX || UIDX) || rX); if this does not hold, the session is terminated; otherwise, the smart card chooses rU and computes (H0 (rj + rX + UIDX)) mod p =   −  (UIDX || H0 (RX || UIDX)) mod p, RU =  ( (H0 (rj + rX + UIDX)) mod p) mod p, R′ = RU +  (H0 (rj + rX + UIDX)) mod p, CID = UIDX ⊕ H0 (RU), and MU = H0 (RU, (H0 (rj + rX + UIDX)) mod p). Then, the smart card sends {CID, R′, MU, rX} to Sj. On receiving the message, Sj computes (H0 (rj + rX + UIDX)) mod p,  = R′ −  (H0 (rj + rX + UIDX)) mod p, and UIDX = CID ⊕ H0 () and checks UIDX; then, Sj checks if MU = H0 (, (H0 (rj + rX + UIDX)) mod p), and if this does not hold, Sj terminates the session; otherwise, Sj chooses rS and computes RS =  ( (H0 (rj + rX + UIDX)) mod p) mod p, S′ = RS + , SK = H0 ( () mod p), and MS = H0 (RS, (H0 (rj + rX + UIDX)) mod p). Sj sends {MS, S′} to UX. On receiving the message, UX computes  = S′ − RU and SK = H0 ( () mod p) and checks if MS = H0 (, (H0 (rj + rX + UIDX)) mod p); if this does not hold, UX terminates the session; otherwise, UX believes Sj is valid and sends MUS = H0 (, () mod p) to Sj. On receiving the message, Sj checks if MUS = H0 (RS, () mod p); if this does not hold, Sj terminates the session; otherwise, Sj believes UX is valid. Figure 14 shows the steps in this phase.

3.6.5. Password-Update Phase

When UX changes BX, UX provides his/her smart card with UIDX and similar at the terminal. Then, the smart card checks if RPWX = H0 (H0 (RX || UIDX) || rX), where RX = Rep (PX, ). If this does not hold, the smart card terminates the session; otherwise, UX inputs Bnew and computes RPWnew = H0 (H0 (Rnew || UIDX) || rX), where <Rnew, Pnew> = Gen (Bnew), Then, the smart card updates RPWX = RPWnew and PX = Pnew. Finally, the smart card updates all authentication keys  =  −  (UIDX || H0 (RX || UIDX)) +  (UIDX || H0 (Rnew || UIDX)), ∀j.

4. Security and Efficiency Analyses

In this section, we analyse our scheme on security and efficiency aspects.

4.1. Correctness Analysis

Similar to previous schemes, we also prove our scheme’s correctness using BAN-logic rules [28] and goals proposed in [29]. For simplicity, we let ⊗ denote the combination using Chebyshev operation. Table 6 shows some assumptions our scheme must satisfy.


Assumption

A1: UX | ≡ (UXSj) − UX believes UX can share UIDX with Sj
A2: UX | ≡ (UXSj) − UX believes UX can share with Sj
A3: UX | ≡ (Sj ⇒ (UXSj)) − UX believes Sj controls the sharing of the session key between UX and Sj
A4: Sj | ≡ (UX ⇒ (UXSj)) − Sj believes UX controls the sharing of UIDX between UX and Sj
A5: Sj | ≡ (UX ⇒ (UXSj)) − Sj believes UX controls the sharing of the session key between UX and Sj
A6: Sj | ≡ (SjUX) − Sj believes Sj can share with UX
A7: UX | ≡ # (rS ⊗ ) − UX believes challenge messages from Sj are fresh
A8: Sj | ≡ # (rU ⊗ ) − Sj believes challenge messages from UX are fresh

These assumptions stand for initial beliefs of the user and server, for example, A1 implies that users can share their identities with the server with the registration phase. Next, we will normalize all messages exchanged between the user and server.(i)From the message {CID}, we have < UXSj, UXSj, rU ⊗ >(ii)From the message {MU}, we have < rU ⊗ , UXSj>(iii)From the third messages {MS}, we have < rS ⊗ , UXSj>(iv)From the fourth message {MUS}, we have < UXSj, UXSj>

The normalization helps to clearly show information exchanged between UX and Sj, for example, CID containing identity, challenge information rU ⊗ , and long-term key . Next, we demonstrate how our scheme satisfies seven lemmas reorganized from [29].

Lemma 1. If Sj believes the authentication key (the long-term key) is successfully shared with UX and UX’s messages encrypted with this key are fresh, Sj will believe that UX believes UX’s UIDX is successfully shared with Sj:

Proof. With A6 and CID, we apply the message-meaning rule to have . With A8, we apply the freshness rule to have . Next, we apply the nonce-verification rule to have . Finally, we apply the believe rule to have . So, with A6 and A8, we successfully demonstrate how our scheme satisfies Lemma 1.

Lemma 2. If Sj believes UX also believes UX’s UIDX is successfully shared with each other and UX totally controls this UIDX’s sharing, Sj also believes UX’s UIDX is successfully shared with each other:

Proof. With Lemma 1 and A4, we apply the jurisdiction rule to have . So, with Lemma 1 and A4, we prove how our scheme satisfies Lemma 2.

Lemma 3. If UX believes is successfully shared with Sj and Sj’s messages encrypted with are fresh, UX will believe Sj also believes UX’s UIDX is successfully shared with each other.

Proof. With A2 and MS, we apply the jurisdiction rule to have . Then, with A7, we apply the freshness rule to have . So, combining two results with the nonce-verification rule, we have . Finally, we apply the believe rule to have . So, with A2 and A7, we successfully prove how our scheme satisfies Lemma 3. In short, with three lemmas, we can say that both Sj and UX believe and successfully share their identities with each other. Next, we need to prove the similar thing for the session key.

Lemma 4. If UX believes that is successfully shared with Sj and Sj’s messages encrypted with are fresh, UX will believe Sj also believes the session key SK is successfully shared with each other:

Proof. With MUS and A2, we apply the message-meaning rule to have . With A7 and MUS, we apply the freshness rule to have . Next, we use the believe rule to have . Again, we apply the believe rule to have . So, with A2 and A7, we successfully prove how our scheme satisfies Lemma 4.

Lemma 5. If UX believes Sj totally controls SK’s sharing and Sj also believes SK is successfully shared with UX, UX will believe SK’s sharing:

Proof. With A3 and Lemma 4, we apply the jurisdiction rule to have . So, with A3 and Lemma 4, we successfully prove how our scheme satisfies Lemma 5.

Lemma 6. If Sj believes is successfully shared with UX and the UX’s messages encrypted with are fresh, Sj will believe UX also believes SK’s sharing:

Proof. With A6 and MUS, we apply the message-meaning rule to have . With A8 and MUS, we apply the freshness rule to have . With two results and the nonce-verification rule, we have . Finally, with A6 and the believe rule, we have . So, with A6 and A8, we successfully prove how our scheme satisfies Lemma 6.

Lemma 7. If Sj believes UX totally controls SK’s sharing, Sj believes SK is successfully shared with UX:

Proof. With Sj |≡ UX|≡ MUS and A5, we apply the message-meaning rule to have . Finally, we apply the believe rule to have . So, with A5, we completely prove how our scheme satisfies Lemma 7. Finally, we can say that both Sj and UX believe the common SK in our scheme.

4.2. Authenticated Key Exchange Security Analysis (AKE-Security)

The adversarial model is presented in this section, and some definitions can be found in [17, 30]. At first, we use some notations standing for the instances of our scheme’s participants:(i)RCk: the kth registration centre holding secret qRC(ii): the ith server holding {rj, ASIDj}(iii): the ith user holding the smart card and {UIDX, BX}(iv)OHash: the hash oracle can be viewed as random functions(v) and : the all messages exchanged between and (vi) =  and  = : the partner identity of is and vice versa

Next, there are some security properties:(i) and are accepted if they can compute the valid session key and receive expected messages(ii) and are partnered if (1) both of them are accepted, (2)  =  ( = ), and (3)  = (iii) are fresh if (1) they are partnered, (2) no secret information of is leaked before it is accepted, (3) no ’s session key is leaked before it is accepted

Next, there are some adversary’s capabilities. Let A be probabilistic polynomial time adversary attacking authentication scheme in AKE-security:(i)Execution query helps A to execute passive attacks against our scheme. We let qE be the sum of the number of execute queries and  ← Execute (, ) be the symbol standing for the output of this query.(ii)Send query helps A to actively interact with or . We let qS be the sum of the number of send queries and mout ← Send (Oi, min) be the symbol standing for the output and input of this query, where Oi is or .(iii)Reveal query helps A to know the session key (sk) of and in another session. We let qR be the sum of the number of reveal queries and ski ← Reveal (Oi) be the symbol standing for the output of this query, where Oi is or . Note that to perform this query, Oi must be fresh.(iv)Corrupt query helps A to know secret information of . We let qC be the sum of the number of corrupt queries and {UIDX, BX} ← Corrupt (, 1) and {smart card} ← Corrupt (, 0) be the symbol standing for the output of this query. Note that A only knows the smart card or {UIDX, BX}.(v)Hash query helps A to query a value m and receive corresponding r. If m is not queried before, OHash returns the random number r to the adversary. Otherwise, it returns the previously generated result. We let qH be the sum of the number of hash queries and r ← Hash (OHash, m) be the symbol standing for the output of this query.

Theorem 1. Our scheme P is AKE-security against A within a time tA if A cannot guess the correct session key of another fresh Oi. Formally, let (A, tA) be the A’s chance of breaking P in AKE-security within in reasonable time tA, and we need (A, tA) is negligible. In summary, we need (A, tA) ≤ ε ().

4.3. The Definition of Experiments

We set (B) be experiment, where the adversary B wins if it successfully breaks CMDHP-security of the Chebyshev polynomial T’s problem within a time tB, and let (B) = Pr[ (B) = 1] be the B’s winning chance. Note that we give OHash to B.

Experiment 1. (B).{s, r}  {0, 1}, X [0, p − 1]M ⟵ Tr (X) mod pN ⟵ Ts (X) mod pK ⟵ Tr (Ts (X)) mod pZ ⟵  (M, N, Hash (OHash, K))if Hash (OHash, Z) = Hash (OHash, K) then return 1else return 0Also, we set (A) be experiment, where the adversary A wins if it successfully breaks AKE-security of our P within a time tA, and let (A) = Pr [ (A) = 1] be the A’s winning chance. Note that we also give OHash to A.

Experiment 2. (A).b {0, 1}, LU ⟵ {U1, …, Un}, LS ⟵ {S1, …, Sn}UiLU, SjLS ⟵ Execute (Ui, Sj)if b = 0 then sk {0, 1}else sk ⟵ Reveal (Ui){b, Z} ⟵  (LU, LS, sk)if b = b then return 1else return 0Note that if b = b = 1, then we must have Hash (OHash, Z) = sk.
The proof of Theorem 1.
Now we assume that B wants to win in B’s experiment, and it runs A as the procedure. Also, A wants to win in A’s experiment and B must simulate the A’s environment as the following algorithm Let l be the security length, for example, the size of the prime p and hash function’s output. If A correctly guesses b, then we must consider some following cases (Algorithm 1):(i)A issues qH queries to OHash, and A has successful probability ≈  due to the birthday paradox.(ii)A chooses qE pairs to execute and have all messages exchanged between them. Furthermore, A issues qC queries to some users to get the smart card or {UID, B}. So, A’s successful probability of correctly guessing random values r or s is ≈ .(iii)If A issues queries to oracles simulated by B, there will be at least one Send query that helps A compute the session key. So, we have (B) ≥ . When A issues the remaining queries to normal Oi, A’s successful probability of correctly guessing is ≈ .Finally, we have (A) ≤  +  +  (B) ×  + . Clearly, the right-hand side of this inequality is negligible, so we complete the proof.

Set LU ⟵ {U1, …, Un}, LS ⟵ {S1, …, Sn}
Run (LU, LS, sk)
if A chooses qE pairs to execute then
  B does & returns all sid to A
end if
if A asks qR queries to fresh Oi in LU and LSthen
if Oi is normal in LU and LSthen
  B lets Oi return session-key to A as usual
else
  B returns random string to A
end if
end if
if A asks qS queries to Oi in LU and LSthen
if Oi is normal in LU and LSthen
  B lets Oi & A exchange mout as usual
else
  B simulates & gives to A mout including M and N
end if
end if
if A asks qC queries to some in LUthen
  B returns smart-card or {UID, B} of to A
else
  B returns random smart-card or {UID, B} to A
end if
if A asks qH queries to OHashthen
  B lets OHash do with A
end if
Until A stops and outputs {b, Z}
B returns (Hash (OHash, Z) = sk)
4.4. Security Analysis

In this section, we will analyse our scheme in some popular kinds of attacks. The comparison of the security feature with previous works is shown in Table 7. Before coming into this section, we want to discuss the privileged insider attacks. In our scheme, we use biometrics rather than the password. Therefore, the privileged insider attacker cannot find it and exploit into different servers. Furthermore, all servers in our scheme use different long-term keys provided from RC, so the attacker cannot use the users’ information in another server to exploit in others. It can be said that it is hard to launch a privileged insider attack in our scheme.


SchemesLi [11]Qu [12]Amin [13]Jangirala [18]Han [19]Ours

Password-guessing
User’s anonymity
Two-factor
Known session-specific temporary information
Session-key perfect forward
User impersonation
Server impersonation
Man-in-the-middle1111
Replay
Parallel session11111

1Untouched.
4.5. Password-Guessing Attack

In this kind of attack, the adversary can guess the user’s password by exploiting leaking information from the smart card. The adversary will have RPWX = H0 (H0 (RX || UIDX) || rX). Because RU is produced by the user’s biometrics, it is hard to guess. Clearly, the adversary cannot use the dictionary method to find biometrics and our scheme can resist this kind of attack.

4.6. User’s Anonymity

In this kind of attack, the adversary eavesdrops {rX, CID, MU, R}, {S, MS}, and {MUS} from UX. All messages are different at each login session because we use random values. So, the adversary cannot trace who is online. In other words, our scheme resists this attack.

4.7. Two-Factor Attack

Although UX loses his/her smart card, the adversary cannot exploit because of needing BX to pass RPWX = H0 (H0 (RX || UIDX) || rX). Even if UX’s biometrics is fake, the adversary cannot exploit all information in the login message because he/she does not other supporting values. Clearly, our scheme resists this attack.

4.8. Known Session-Specific Information Attack

When rU and rS are leaked, the adversary cannot compute the session key (SK). He needs ( ( (H0 (rj + rX + UIDX)) mod p) mod p) mod p to compute the SK. If he does not have the smart card’s information, all important keys cannot be successfully computed. Clearly, our scheme can resist this kind of attack.

4.9. Session-Key Perfect Forward Secrecy

If all important keys are leaked, the adversary cannot compute previous transactions between UX and Sj. With ASIDj and all messages UX sent to Sj, the adversary extracts RU = R −  (H0 (rj + rX + UIDX)) mod p and RS = S − RU. Finally, the adversary cannot compute ( ( (H0 (rj + rX + UIDX)) mod p) mod p) mod p because of facing CMDHP. Clearly, our scheme can resist this kind of attack.

4.10. User Impersonation Attack

To impersonate as a valid user, the adversary needs RS =  ( (H0 (rj + rX + UIDX)) mod p) mod p. To have RS, he/she needs UX’s RU =  ( (H0 (rj + rX + UIDX)) mod p) mod p. Furthermore, the adversary must resend the session key to Sj. Therefore, he/she not only finds RU but also knows rU to impersonate as a valid user. Clearly, our scheme can resist this kind of attack.

4.11. Server Impersonation Attack

To impersonate as a valid server, the adversary needs RU =  ( (H0 (rj + rX + UIDX)) mod p) mod p. So, he/she also needs ASIDj to compute RU. We see this is impossible because Sj keeps ASIDj secret. Clearly, our scheme can resist this kind of attack.

4.12. Man-in-the-Middle Attack

In this kind of attack, the adversary can eavesdrop all messages exchanged between UX and Sj and then edits the parameters in these packages. For example, the adversary can insert his/her own session key with randomly chosen rU and rS. However, this is impossible because UX’s random value combined with ASIDj. Therefore, the adversary needs to compute this key to achieve the goal, but this is impossible because this is UX’s secret key. Clearly, our scheme resists this attack.

4.13. Replay Attack

In this kind of attack, the adversary can eavesdrop all messages exchanged between UX and Sj. At any time, he/she can replay to cheat UX or Sj. We consider if the adversary resends {CID, R, MU, rX} to Sj, and this is the valid message. However, Sj requests UX respond {MUS} for confirmation, and the adversary cannot compute MUS. Furthermore, the adversary can resend Sj’s {MS, S} to cheat UX, but this is impossible because UX and Sj use random values. So {MS, S} is only valid if UX rechooses random values. Clearly, our scheme can resist this kind of attack.

4.14. Parallel Session Attack

In this kind of attack, the adversary will use {MS, S} to create {CID, R, MU, rX}, and cheat Sj. As aforementioned in replay and impersonation attacks, the adversary cannot achieve the goal because he/she needs key UX’s (H0 (rj + rX + UIDX)) mod p and Sj’s ASIDj. Clearly, our scheme resists this attack.

4.15. Efficiency Analysis

Now, this section presents the cost of our scheme compared with previous schemes. Before coming to detail comparison, we will unify some notations and the bit size of some cryptographic primitives. If the scheme does not mention, we assume as follows: the sizes of identity, password, biometrics, timestamp, and random values are 128 bits. The size of hash function’s output and encryption scheme is 128 bits. The prime number in modular is 1024 bits (≈309 decimal digits) and 233 bits (≈70 decimal digits) in ECC. We let the notations denote the time to compute some cryptographic operations:(i)tH: time to compute hash function (≈0.0004 ms)(ii)tPA: time to compute point addition (≈0.36 ms)(iii)tPM: time to compute point multiplication (≈12.4 ms)(iv)tE/D: time to encrypt/decrypt (≈0.09 ms)(v)tT: time to compute Chebyshev polynomial (≈127 ms)

All the amount of time is results we measure on the real Android device with the Bouncy Castle library. Next, we evaluate the computation quantity of previous schemes and ours in Table 8. In Li et al.’s scheme [11], registration needs 4 × tH and authentication needs 15 × tH. In Qu and Tan’s scheme [12], registration needs 4 × tH, 2 × tPM and authentication needs 11 × tH, 5 × tPM and 5 × tPA. In Amin and Biswas’s scheme [13], registration needs 5 × tH, 1 × tE/D and authentication needs 10 × tH, 5 × tPM, 2 × tPA and 1 × tE/D. In Jangirala et al.’s scheme [18], registration needs 5 × tH, 1 × tE/D and authentication needs 10 × tH, 5 × tPM, 2 × tPA and 1 × tE/D. In Han et al.’s scheme [19], registration needs 5 × tH, 1 × tE/D and authentication needs 10 × tH, 5 × tPM, 2 × tPA and 1 × tE/D. In the proposed scheme, registration needs 2 × tT, 4 × tH and authentication needs 11 × tH, 6 × tT.


Schemes phases

Li [11]15 × tH
4 × tH

Qu [12]11 × tH, 5 × tPM, 5 × tPA
4 × tH + 2 × tPM

Amin [13]10 × tH, 5 × tPM, 2 × tPA, 1 × tE/D
5 × tH, 1 × tE/D

Jangirala [18]21 × tH
6 × tH

Han [19]11 × tH, 2 × tE/D, 4 × tT
4 × tH, 1 × tE/D

Ours11 × tH, 6 × tT
4 × tH, 2 × tT

Next, we evaluate the store and authentication costs of previous schemes and ours in Table 9. In Li et al.’s scheme [11], the user stores {Ci, Di, Ei, h (.), h (y), b} with 640 bits. And the authentication in this scheme needs {Pij, CIDi, M1, M2}, {M3, M4}, and {M5} with 896 bits. In Qu and Tan’s scheme [12], the user stores {AIDU, BIDU, bU} with 1618 bits. And the authentication in this scheme needs {CIDU, DIDU, EIDU, R}, {T, HS}, and {HRS} with 3702 bits. In Amin and Biswas’s scheme [13], the user needs {Fi, Ai, Bi, CIDi, h (.), H (.)} with 2304 bits. And authentication in this scheme needs {C2, C4, CIDi}, {Li, G1, }, and {Zi} with 4818 bits. In Jangirala et al.’s scheme [18], the user needs {Ci, Di, Ei, h (y), h (.)} with 768 bits. And authentication in this scheme needs {Pij, CIDi, M1, M2}, {M3, M4}, and {M5} with 896 bits. In Han et al.’s scheme [19], the user needs {P, K, V, CID, h (.)} with 640 bits. And authentication in this scheme needs {CID, X, V1, T1}, {CID, Y, T2, V2}, and {V3, T3} with 3072 bits. In our proposed scheme, the user stores {, , …, , RPWX, H0 (.), rX}, but we assume that the smart card stores only one for convenient comparison with other schemes in single-server environment, so the cost is 722 bits. And authentication in our scheme needs {CID, R, MU, rX}, {MS, S}, and {MUS} with 2688 bits.


SchemesStorage cost (bits)Authentication cost (bits)

Li [11]640896
Qu [12]16183702
Amin [13]23044818
Jangirala [18]768896
Han [19]6403072
Ours7222688

5. Conclusions

This paper proposed a scheme using Chebyshev polynomial in multiserver environment. We survey and analysis current schemes to propose the solution overcoming the limitations in each approach. In the future, we will analyse many different approaches to apply with our scheme. Also, we design some new architectures which have average overall cost even if using high-cost computational operation. Finally, we try to minimize the size of message package exchanged between the user and server to enhance time-efficiency.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The authors would like to say a special thanks to the University of Science, Vietnam National University, Ho Chi Minh City, Vietnam. This research was funded by the University of Science, Vietnam National University, Ho Chi Minh City, Vietnam, under the grant number T2018-01.

References

  1. L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981. View at: Publisher Site | Google Scholar
  2. C. C. Lee, T. H. Lin, and R. X. Chang, “A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards,” Expert Systems with Applications, vol. 38, no. 11, pp. 13863–13870, 2011. View at: Google Scholar
  3. J. J. Shen, C. W. Lin, and M. S. Hwang, “A modified remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, vol. 49, no. 2, pp. 414–416, 2003. View at: Google Scholar
  4. M. L. Das, A. Saxena, and V. P. Gulati, “A dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, vol. 50, no. 2, pp. 629–631, 2004. View at: Publisher Site | Google Scholar
  5. I. E. Liao, C. C. Lee, and M. S. Hwang, “Security enhancement for a dynamic ID-based remote user authentication scheme,” in Proceedings of the International Conference on Next Generation Web Services Practices, Seoul, Korea, 2005. View at: Google Scholar
  6. Z.-Y. Wu, Y.-C. Lee, F. Lai, H.-C. Lee, and Y. Chung, “A secure authentication scheme for telecare medicine information systems,” Journal of Medical Systems, vol. 36, no. 3, pp. 1529–1535, 2010. View at: Publisher Site | Google Scholar
  7. H. Debiao, C. Jianhua, and Z. Rui, “A more secure authentication scheme for tele-care medicine information systems,” Journal of Medical Systems, vol. 36, no. 3, pp. 1589–1995, 2011. View at: Publisher Site | Google Scholar
  8. J. Wei, X. Hu, and W. Liu, “An improved authentication scheme for telecare medicine information systems,” Journal of Medical Systems, vol. 36, no. 6, pp. 3597–3604, 2012. View at: Publisher Site | Google Scholar
  9. Z. Zhu, “An efficient authentication scheme for telecare medicine information systems,” Journal of Medical Systems, vol. 36, no. 6, pp. 3833–3838, 2012. View at: Publisher Site | Google Scholar
  10. Q. Pu, J. Wang, and R. Zhao, “Strong authentication scheme for telecare medicine information systems,” Journal of Medical Systems, vol. 36, no. 4, pp. 2609–2619, 2012. View at: Publisher Site | Google Scholar
  11. X. Li, J. Ma, W. Wang, Y. Xiong, and J. Zhang, “A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments,” Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 85–95, 2013. View at: Publisher Site | Google Scholar
  12. J. Qu and X.-L. Tan, “Two-factor user authentication with key agreement scheme based on elliptic curve cryptosystem,” Journal of Electrical and Computer Engineering, vol. 2014, no. 4, pp. 1–6, 2014. View at: Publisher Site | Google Scholar
  13. R. Amin and G. P. Biswas, “A secure three-factor user authentication and key agreement protocol for TMIS with user anonymity,” Journal of Medical Systems, vol. 39, no. 8, pp. 1–19, 2015. View at: Publisher Site | Google Scholar
  14. S. Qiu, G. Xu, H. Ahmad, and L. Wang, “A robust mutual authentication scheme based on elliptic curve cryptography for telecare medical information systems,” IEEE Access, vol. 6, pp. 7452–7463, 2018. View at: Publisher Site | Google Scholar
  15. G. Xu, S. Qiu, H. Ahmad et al., “A multi-server two-factor authentication scheme with un-traceability using elliptic curve cryptography,” Sensors, vol. 18, no. 7, p. 2394, 2018. View at: Publisher Site | Google Scholar
  16. S. Qiu, G. Xu, H. Ahmad, G. Xu, X. Qiu, and H. Xu, “An improved lightweight two-factor authentication and key agreement protocol with dynamic identity based on elliptic curve cryptography,” KSII Transactions on Internet and Information Systems, vol. 13, no. 2, pp. 978–1002, 2019. View at: Google Scholar
  17. X. Li, J. Niu, S. Kumari et al., “A novel chaotic maps-based user authentication and key agreement protocol for multi-server environments with provable security,” Wireless Personal Communications, vol. 89, no. 2, pp. 569–597, 2016. View at: Publisher Site | Google Scholar
  18. S. Jangirala, S. Mukhopadhyay, and A. K. Das, “A multi-server environment with secure and efficient remote user authentication scheme based on dynamic ID using smart cards,” Wireless Personal Communications, vol. 95, no. 3, pp. 2735–2767, 2017. View at: Publisher Site | Google Scholar
  19. L. Han, Q. Xie, W. Liu, and S. Wang, “A new efficient chaotic maps based three factor user authentication and key agreement scheme,” Wireless Personal Communications, vol. 95, no. 3, pp. 3391–3406, 2017. View at: Publisher Site | Google Scholar
  20. A. Irshad, M. Sher, M. U. Ashraf et al., “An improved and secure chaotic-map based multi-server authentication protocol based on Lu et al. and Tsai and Lo’s scheme,” Wireless Personal Communications, vol. 95, no. 3, pp. 3185–3208, 2017. View at: Publisher Site | Google Scholar
  21. B. A. Alzahrani and A. Irshad, “A secure and efficient TMIS-based authentication scheme improved against Zhang et al.’s scheme,” Arabian Journal for Science and Engineering, vol. 43, no. 12, pp. 8239–8253, 2018. View at: Publisher Site | Google Scholar
  22. D. Wang and P. Wang, “Two birds with one stone: two-factor authentication with security beyond conventional bound,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 4, pp. 708–722, 2018. View at: Google Scholar
  23. T.-T. Truong, M.-T. Tran, and A.-D. Duong, “Improved Chebyshev polynomials-based authentication scheme in client-server environment,” Security and Communication Networks, vol. 2019, Article ID 4250743, 11 pages, 2019. View at: Publisher Site | Google Scholar
  24. L. Zhang, “Cryptanalysis of the public key encryption based on multiple chaotic systems,” Chaos, Solitons & Fractals, vol. 37, no. 3, pp. 669–674, 2008. View at: Publisher Site | Google Scholar
  25. P. Bergamo, P. D’Arco, A. De Santis, and L. Kocarev, “Security of public-key cryptosystems based on Chebyshev polynomials,” IEEE Transactions on Circuits and Systems I: Regular Papers, vol. 52, no. 7, pp. 1382–1393, 2005. View at: Publisher Site | Google Scholar
  26. L. Kocarev and S. Lian, Chaos-Based Cryptography: Theory, Algorithms and Applications, Springer, Berlin, Germany, 2011.
  27. A. T. B. Jin, D. N. C. Ling, and A. Goh, “Biohashing: two factor authentication featuring fingerprint data and tokenised random number,” Pattern Recognition, vol. 37, no. 11, pp. 2245–2255, 2004. View at: Publisher Site | Google Scholar
  28. M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,” ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18–36, 1990. View at: Publisher Site | Google Scholar
  29. J.-L. Tsai, T.-C. Wu, and K.-Y. Tsai, “New dynamic ID authentication scheme using smart cards,” International Journal of Communication Systems, vol. 23, no. 12, pp. 1449–1462, 2010. View at: Publisher Site | Google Scholar
  30. K.-H. Yeh, “A provably secure multi-server based authentication scheme,” Wireless Personal Communications, vol. 79, no. 3, pp. 1621–1634, 2014. View at: Publisher Site | Google Scholar

Copyright © 2020 Toan-Thinh Truong et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


More related articles

 PDF Download Citation Citation
 Download other formatsMore
 Order printed copiesOrder
Views258
Downloads264
Citations

Related articles

Article of the Year Award: Outstanding research contributions of 2020, as selected by our Chief Editors. Read the winning articles.