Abstract

Secure and efficient authentication protocols are necessary for cloud services. Multifactor authentication protocols that combine a smart card, the user’s password, and a biometric are more secure than the password-based single-factor authentication protocols widely used in practice. However, most multiserver authentication protocols may have weak points, such as vulnerability to smart card loss attacks and man-in-the-middle attacks, lack of anonymity, and high computation cost at the authentication center. To overcome these weaknesses, we propose a novel multiserver multifactor authentication protocol based on the Kerberos protocol, using the extended Chebyshev chaotic map as the cryptographic primitive. The proposed protocol achieves anonymity without sharing secret keys in advance and requires the user to register with the authentication center only once. Finally, we prove the security of the new protocol with BAN logic and compare it with other multifactor authentication protocols for the multiserver environment. The results show that our proposed protocol is more secure and efficient and better suited to practical application.

1. Introduction

With the rapid development of cloud computing [1, 2], a variety of cloud servers now store massive amounts of sensitive user data. When users want to access the data, they need to log on to the server through a public channel. What is more, users may have a variety of service requirements and may need to access multiple application servers in a short time. Figure 1 depicts a typical scenario for cloud service. However, in this process an adversary could intercept, tamper with, and forge the information exchanged between the user and the server through various technical means. When users access privacy-sensitive services, they do not even want other people to learn their identity. In order to provide secure and efficient services to valid users, authentication protocols have been proposed [3].

In practice, there are three basic methods to verify the identity of users: what the user knows, such as a password; what the user has, such as a smart card; and what the user is, that is, unique biological information such as a fingerprint or iris. Because password-based single-factor authentication protocols are easy to operate, scalable, and cheap, most people prefer this kind of scheme, and the most commonly used authentication scheme in current networks is still the password-based single-factor protocol [4]. However, single-factor authentication protocols have the following inherent defects: the limitation of human memory capacity leads to low-entropy password selection, and advances in password-cracking hardware and algorithms have greatly improved the efficiency of offline dictionary attacks. Moreover, in a single-factor authentication protocol the server needs to store each user’s identity and the corresponding password information; even if the password information is hashed, once the server data is stolen the user faces a serious security threat [5].

To solve this problem, Chang et al. [6] first introduced the smart card as a second factor besides the password into authentication schemes, giving rise to two-factor authentication. In such a scheme, the user is required not only to know the correct password but also to possess the corresponding smart card; only then can he/she access the resource by interacting with the server. However, passwords might be forgotten, and smart cards might be lost or stolen. In contrast, biometric methods, such as fingerprints or iris scans, have no such drawbacks. Therefore, in recent years many multifactor authentication protocols using a biometric characteristic as an additional factor have been proposed [7–13]. Many of these protocols are designed only for the single-server environment. That is, when users want to access multiple servers, they have to register many times and maintain many username/password pairs with the corresponding smart cards, which is inefficient if each login must be unique per server or insecure if the same login is reused across servers.

In 2016, Amin et al. proposed a new multifactor authentication scheme for the multiserver environment and claimed that it was secure against all known attacks [14]. However, in 2017, Jiang et al. found that Amin et al.’s scheme has the following security issues: if the smart card is stolen, the attacker can recover the user’s ID and password, and if the temporary parameters of either party are leaked, the attacker can obtain the session key [15]. Jiang et al. then improved Amin et al.’s scheme with the Rabin cryptosystem, fuzzy verification, and timestamps, and verified the security of the improved scheme with ProVerif. In [15], Jiang et al. also pointed out that Wu et al.’s scheme [16] is vulnerable to smart card loss attacks. Nevertheless, we found that in Jiang et al.’s scheme [15] the user’s identity is hidden in a message whose only variable is the timestamp. If the user’s timestamp is the same as the adversary’s, then the adversary can obtain the user’s real identity by simple XOR operations, so the scheme does not achieve anonymity. Recently, several multifactor authentication and key agreement schemes have been proposed for the multiserver environment [16–19]. However, the computational cost of most of these schemes is high because of modular exponentiation, elliptic curve point addition, and similar operations. Thus, those schemes may not be suitable for cloud scenarios in which the user accesses multiple servers in a short time, the user terminal has only limited computing power, and the server must handle a large number of requests at the same time.

Though multifactor authentication protocols have been widely studied, few of them are designed specifically for cloud service. We have taken the needs of cloud services into account and applied new techniques to design multifactor authentication for this environment. In order to design a more efficient and secure authentication protocol, the extended Chebyshev chaotic map [20–22] is introduced in this paper. The computational cost of extended Chebyshev polynomials is lower than that of the traditional modular exponentiation and elliptic curve point addition operations [20–24]. Moreover, following the idea of the Kerberos protocol, we propose a novel multifactor authentication protocol for the multiserver environment. In our scheme, the frequency with which users access the authentication center is reduced, which greatly relieves the burden on the authentication center. In addition, the new protocol provides the security and usability features necessary for all participants while maintaining high efficiency.

The remainder of this paper is organized as follows. The preliminaries of enhanced Chebyshev chaotic maps and fuzzy extraction are given in Section 2. In Section 3, we propose a novel multifactor authentication protocol for multiserver environment. Section 4 and Section 5 present security and efficiency analyses of the new protocol. Section 6 concludes the paper.

2. Preliminaries

2.1. Enhanced Chebyshev Chaotic Maps [20–22]

The enhanced Chebyshev polynomial is a polynomial in of degree and is defined by the following relation: where and is a large prime number.

The enhanced Chebyshev polynomial satisfies the semigroup property and satisfies for .

2.2. Difficulty Assumptions

Enhanced Chebyshev polynomials are associated with three hard problems, which are the extended chaotic-map-based discrete logarithm problem (DLP), the computational Diffie–Hellman problem (CDHP), and the decisional Diffie–Hellman problem (DDHP), described as follows.

Extended Chaotic-Map-Based DLP: given , , and , where is a large prime number, finding the integer satisfying is computationally infeasible.

Extended Chaotic-Map-Based CDHP: given , , , , and , where , and is a large prime number, calculating is computationally infeasible.

Extended Chaotic-Map-Based DDHP: given , , , , , and , where is a large prime number, deciding whether holds or not is computationally infeasible.
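As an added illustration of Sections 2.1 and 2.2 (this is example code written for this page, not the paper’s own implementation), the following computes the enhanced Chebyshev polynomial modulo a prime by the standard recurrence from the cited literature, checks the semigroup property, and shows the Diffie–Hellman-style key agreement whose security rests on the extended chaotic-map-based CDHP. The function names, the fast matrix-exponentiation method, and the sample prime and exponents are this example’s own assumptions.

```python
import secrets


def chebyshev_mod(n: int, x: int, p: int) -> int:
    """Enhanced Chebyshev polynomial T_n(x) mod p.

    Standard definition: T_0(x) = 1, T_1(x) = x,
    T_n(x) = (2x * T_{n-1}(x) - T_{n-2}(x)) mod p.
    Computed in O(log n) by raising the companion matrix M = [[2x, -1], [1, 0]]
    to the power n-1, since M * (T_k, T_{k-1}) = (T_{k+1}, T_k).
    """
    x %= p
    if n == 0:
        return 1 % p
    if n == 1:
        return x

    def mat_mul(a, b):
        # 2x2 matrices stored as (a00, a01, a10, a11), entries reduced mod p
        return (
            (a[0] * b[0] + a[1] * b[2]) % p, (a[0] * b[1] + a[1] * b[3]) % p,
            (a[2] * b[0] + a[3] * b[2]) % p, (a[2] * b[1] + a[3] * b[3]) % p,
        )

    result = (1, 0, 0, 1)            # identity matrix
    base = (2 * x % p, p - 1, 1, 0)  # companion matrix, -1 stored as p-1
    k = n - 1
    while k:                         # square-and-multiply on the matrix
        if k & 1:
            result = mat_mul(result, base)
        base = mat_mul(base, base)
        k >>= 1
    # (T_n, T_{n-1}) = M^(n-1) * (T_1, T_0) = M^(n-1) * (x, 1)
    return (result[0] * x + result[1]) % p


def chebyshev_naive(n: int, x: int, p: int) -> int:
    """Same polynomial by the direct recurrence; O(n), kept for cross-checking."""
    prev, cur = 1 % p, x % p
    if n == 0:
        return prev
    for _ in range(n - 1):
        prev, cur = cur, (2 * x * cur - prev) % p
    return cur


def semigroup_holds(r: int, s: int, x: int, p: int) -> bool:
    """Check T_r(T_s(x)) = T_rs(x) = T_s(T_r(x)) (mod p), the semigroup property of Section 2.1."""
    lhs = chebyshev_mod(r, chebyshev_mod(s, x, p), p)
    rhs = chebyshev_mod(s, chebyshev_mod(r, x, p), p)
    return lhs == rhs == chebyshev_mod(r * s, x, p)


def chaotic_map_key_agreement(p: int, x: int, a: int, b: int) -> tuple:
    """Diffie–Hellman-style agreement whose hardness is the extended CDHP of Section 2.2.

    a and b are the two parties' private values (passed in here so the result is
    reproducible; in practice each party draws its own with secrets.randbelow).
    Each side publishes T_a(x) resp. T_b(x) and derives T_a(T_b(x)) resp. T_b(T_a(x));
    the semigroup property makes both equal to T_ab(x), while computing T_ab(x) from
    x, T_a(x), T_b(x) alone is the extended chaotic-map-based CDHP.
    """
    pub_a = chebyshev_mod(a, x, p)
    pub_b = chebyshev_mod(b, x, p)
    return chebyshev_mod(a, pub_b, p), chebyshev_mod(b, pub_a, p)


if __name__ == "__main__":
    p = (1 << 127) - 1   # Mersenne prime used as a stand-in for the paper's large prime
    x = secrets.randbelow(p)
    a, b = secrets.randbelow(p) + 2, secrets.randbelow(p) + 2
    k_a, k_b = chaotic_map_key_agreement(p, x, a, b)
    print("shared keys match:", k_a == k_b)
```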

2.3. Fuzzy Extractor

Traditional hash functions return different outputs if their inputs are not exactly the same, so biometric readings, which vary slightly from scan to scan, need another mechanism to be turned into keys. According to [25], a fuzzy extractor turns a biometric input into a nearly uniform random bit string together with an auxiliary (public) string. The extractor can recover from the auxiliary string even if the biometric input is , as long as it is very close to the original . Thus, can be used as a key standing in for the biometric in a security application. A fuzzy extractor consists of two procedures (Gen, Rep).

Gen is a probabilistic algorithm, which takes a biometric input as input and outputs a random string with length and a public string P.

Rep is a deterministic reproduction procedure which is able to recover from a slightly different biometric and the auxiliary parameter . That is, for all satisfying , where is the error tolerance.
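The (Gen, Rep) pair described above, as an added toy example not taken from the paper or from [25]: it is the code-offset construction with a 3-bit repetition code, so the error tolerance is one flipped bit per 3-bit group of the biometric string (the biometric bit vector, the key-bit parameter used for reproducible tests, and the use of SHA-256 to derive the output string are all this example’s assumptions).

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

REP = 3  # repetition-code length: each key bit is stored 3 times, so one error per group is corrected


def _encode(key_bits: List[int]) -> List[int]:
    """Repetition-code encoder: each key bit is repeated REP times."""
    return [b for b in key_bits for _ in range(REP)]


def _decode(code_bits: List[int]) -> List[int]:
    """Majority-vote decoder for the repetition code."""
    return [1 if 2 * sum(code_bits[i:i + REP]) > REP else 0
            for i in range(0, len(code_bits), REP)]


def hamming_distance(u: List[int], v: List[int]) -> int:
    return sum(a != b for a, b in zip(u, v))


def gen(w: List[int], key_bits: Optional[List[int]] = None) -> Tuple[bytes, List[int]]:
    """Gen: biometric bits w -> (R, P).

    Picks a random key, encodes it to a codeword c, publishes P = w XOR c
    (the auxiliary string) and derives R = SHA-256(key). key_bits may be passed
    explicitly only to make the procedure reproducible in tests.
    """
    if len(w) % REP:
        raise ValueError("biometric length must be a multiple of REP")
    if key_bits is None:
        key_bits = [secrets.randbits(1) for _ in range(len(w) // REP)]
    c = _encode(key_bits)
    P = [wi ^ ci for wi, ci in zip(w, c)]
    R = hashlib.sha256(bytes(key_bits)).digest()
    return R, P


def rep(w_prime: List[int], P: List[int]) -> bytes:
    """Rep: a noisy reading w' and the public P -> R, provided w' is close enough to w.

    w' XOR P = c XOR (w XOR w'), i.e. the codeword plus the reading noise;
    majority decoding removes the noise as long as each group has at most one flipped bit.
    """
    if len(w_prime) != len(P):
        raise ValueError("reading and auxiliary string must have the same length")
    c_prime = [wi ^ pi for wi, pi in zip(w_prime, P)]
    return hashlib.sha256(bytes(_decode(c_prime))).digest()


def flip(bits: List[int], positions: List[int]) -> List[int]:
    """Return a copy of bits with the given positions inverted (simulates reading noise)."""
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


if __name__ == "__main__":
    # Constructed 12-bit "biometric" reading; a real fingerprint template would be far longer.
    w = [1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0]
    R, P = gen(w)
    print("noisy reading reproduces R:", rep(flip(w, [0, 4, 8]), P) == R)
```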

2.4. Adversary’s Capability

In this paper, we assume the following about a probabilistic, polynomial-time adversary to properly capture the security requirements of a multifactor biometric authentication scheme that uses smart cards during the registration phase, authentication phase, and password change phase.

The adversary has complete control over all message exchanges between the protocol participants. That is, the adversary can intercept, insert, modify, delete, and eavesdrop on messages exchanged between the two parties at will.

The adversary can extract sensitive information from the smart card of a user through a power analysis attack.

2.5. Notations

Table 1 lists the notation that is used throughout this paper.

3. Our Proposed Authentication Protocol

For cloud service, we propose a multifactor authentication protocol with three kinds of entities: the user, the server, and the authentication center (the trusted third party), as shown in Figure 2.

The characteristics of each participant are different, and our scheme considers the actual needs of all participating entities while guaranteeing security. For the user, anonymity is achieved first. Second, in the multiserver environment a user can access all servers after registering only once. At the same time, considering the limited computing power of the user, the user’s computational cost in our scheme is low. In addition, the user can change his/her password offline. For the authentication center, taking into account that in existing multiserver authentication protocols the authentication center must participate in every user access, our scheme introduces a ticket. While the ticket has not expired, the authentication center does not need to take part in the authentication process, which greatly reduces its burden. For the server, the authentication center and the server do not need to share a key in advance. Moreover, since each application server has different requirements, the expiry time of the ticket is determined by the server.

Our scheme contains four phases, namely, system setup phase (Figure 3), user registration phase (Figure 4), authentication phase (Figure 5), and password change phase (Figure 6).

3.1. System Setup

selects and computes the system parameters offline, and the server registers with through a secure channel.

Step 1. chooses master secret keys and . Then generates a random number and a large prime number and chooses a random number as private key. Next, computes as public key and makes the parameters known to the public.

Step 2. Server selects an identity and sends it to through a secure channel. checks whether exists in the database. If it does, asks to select a new identity; otherwise, computes and sends it to through a secure channel.

Step 3. Server chooses a random number as its private key and computes as its public key. Finally, stores in its memory and makes public.

3.2. User Registration

In this phase, registers with through a secure channel and receives a smart card .

Step 1. User selects an identity and a password and then inputs fingerprint information through the fingerprint extractor. Next, obtains a random bit string and an auxiliary string from the biometric input with algorithm Gen. Then chooses a high-entropy random number and computes and . Finally, sends and to through a secure channel.

Step 2. After receiving and from , checks whether exists in the database. If it does, asks to select a new identity; otherwise, computes and and stores in . Finally, sends to through a secure channel.

Step 3. After receiving from , stores into . Finally, contains .

3.3. Authentication

first logs in to ; then starts a mutual authentication process with to obtain a ticket for accessing server . Next, performs mutual authentication with using and establishes a session key with , where the ticket has an expiry time determined by .

Step 1. inserts the smart card and enters the identity , password , and fingerprint . Then computes and . The smart card rejects ’s login request if ; otherwise, chooses a random number and computes , , , , and . Finally, sends to .

Step 2. After receiving the message from , verifies whether is valid. If not, rejects ’s request; otherwise, computes , , , and . Then terminates the session, if ; otherwise, computes a ticket , , and , where is the generation time of . Finally, sends to .

Step 3. After receiving the message , verifies whether is valid. If not, terminates the session; otherwise, computes and . Then terminates the session, if ; otherwise, chooses a random number and then computes , , and . Finally, sends to .

Step 4. After receiving the message , verifies whether is valid. If not, terminates the session; otherwise, computes and . Then verifies whether and is valid. If not, terminates the session; otherwise, computes and . Then terminates the session, if ; otherwise, chooses a random number and then computes and . Finally, sends to .

Step 5. After receiving the message , verifies whether is valid. If not, terminates the session; otherwise, computes and . Then terminates the session, if ; otherwise, and complete mutual authentication successfully. At this point, a session key has been established among and .

After all these steps are completed, if wants to access again, the process can be executed directly from Step 3 without ’s participation, provided the ticket has not expired.

3.4. Password Change

In this phase, only needs to log in to successfully and then input the new password and fingerprint information , without the involvement of and .

Step 1. inserts the smart card into a card reader and enters the identity , password , and fingerprint .

Step 2. computes and . The smart card rejects ’s login request if ; otherwise, it asks to input the new password and fingerprint information.

Step 3. inputs new password and fingerprint information .

Step 4. computes , then chooses a random number , and computes , , , and . Finally, updates with .

4. Security Analysis

In this section, we first use BAN logic [26] to prove that a ticket is agreed between the user and the authentication center and that a session key is agreed between the user and the server after running our new protocol. Then we demonstrate that the proposed protocol can withstand various known attacks and satisfies the security requirements of cloud service.

4.1. Notations and Logic Rules

Table 2 lists the notations used in the BAN logic.

There are 19 logical rules in BAN logic. The th logical rule is denoted . The main logical rules of BAN logic used in our analysis are described as follows, where means that conclusion can be deduced from the set of preconditions .

The message-meaning rule is

The nonce-verification rule is

The jurisdiction rule is

The seeing rule is

The freshness rule is

The belief rule is

4.2. Formal Proof

First, our proposed protocol is transformed to the idealized form.

Message 1:

Message 2:

Message 3:

Message 4:

We need to prove that our proposed protocol could achieve the following goals.

Goal 1:

Goal 2:

Goal 3:

Goal 4:

Goal 5:

Goal 6:

Goal 7:

Goal 8:

Goal 9:

Goal 10:

Then, the following assumptions are made about the initial status of our proposed protocol.

The detailed steps are presented as follows.

From message 1, it is easy to have the following statement:

By , , and , it is easy to obtain

By and , it is easy to obtain

By , , and , it is easy to obtain

By and , it is easy to obtain

By , , , , and , it is easy to obtain

From message 2, it is easy to have the following statement:

By , , and , it is easy to obtain

By and , it is easy to obtain

By , , and , it is easy to obtain

By and , it is easy to obtain

By , , , , , , and , it is easy to obtain

By and , we can deduce that

By , , and , it is easy to obtain

By , , and , it is easy to obtain

In message 3, sends and , encrypted with ’s public key, to the server . As , , and are integrity protected by the secure hash function, combining we can deduce that

From message 3, it is easy to have the following statement:

By , , and , it is easy to obtain

By and , it is easy to obtain

By , , and , it is easy to obtain

By and , it is easy to obtain

By , , and , it is easy to obtain

By , , and difficulty assumptions, we can deduce that

By , , and , it is easy to obtain

From message 4, it is easy to have the following statement:

By , , and , it is easy to obtain

By and , it is easy to obtain

By , , and , it is easy to obtain

By and , it is easy to obtain

By , , and , it is easy to obtain

By , , and difficulty assumptions, we can deduce that

By , , and , it is easy to obtain

Through (Goal 1) to (Goal 10), we have proved that the user and the authentication center believe that they share a ticket, and that the user and the server believe that they share a session key.

4.3. Resisting Stolen/Lost Smart Card Attack

If the smart card is stolen or lost, the adversary can extract the information stored in the smart card, where and . However, the adversary only knows the value of and obviously cannot obtain ’s identity or password. Therefore, our proposed protocol withstands the stolen/lost smart card attack.

4.4. Resisting Replay Attack

In our protocol, a timestamp is included in each message, so , , and can detect a replayed message by checking the freshness of its timestamp. Therefore, our new protocol withstands the replay attack.

4.5. Resisting Man-in-the-Middle Attack

To carry out a man-in-the-middle attack, the adversary needs to choose a and compute a valid . However, the adversary cannot obtain and , which are included in . Thus, the adversary cannot compute a valid . Similarly, the adversary cannot compute a valid . Therefore, our new protocol withstands the man-in-the-middle attack.

4.6. Mutual Authentication

Our new protocol achieves mutual authentication both between and and between and .

Mutual authentication between and : in Step 2 of the authentication phase, computes and checks the legitimacy of by checking whether equals , because only with the correct password and smart card knows the secret and can generate the valid value . can therefore be sure that is really who he or she claims to be. In Step 3 of the authentication phase, checks the legitimacy of by checking whether equals , because only with the master key can compute the secret and . can therefore be sure that he or she is communicating with the real .

Mutual authentication between and : in Step 4 of the authentication phase, computes and checks the legitimacy of by checking whether equals , because only a verified by knows the ticket and can generate the valid value . can therefore be sure that is really who he or she claims to be. In Step 5 of the authentication phase, checks the legitimacy of by checking whether equals , because only with the private key can compute the ticket and . can therefore be sure that he or she is communicating with a legitimate .

4.7. Anonymity

In our protocol, the user’s identity is involved in , , and , which are encrypted with and . The adversary cannot obtain without knowing the random numbers , , and ’s private key , since computing and is infeasible by the hardness of the extended chaotic-map-based CDHP. Thus the adversary cannot extract the user’s real identity , and our protocol achieves user anonymity.

4.8. Ticket Security

If the adversary wants to obtain the ticket , he or she can only retrieve it from . However, as shown in Section 4.3, the attacker cannot obtain the secret even if the smart card is lost or stolen. Thus the adversary cannot compute and .

Moreover, the server’s identity is involved in , , and , which are encrypted with and . The adversary cannot obtain , since computing and is infeasible by the hardness of the extended chaotic-map-based CDHP. So even if the adversary obtains the ticket , he or she does not know which server to access with it.

4.9. Perfect Forward Secrecy

In our protocol, the established session key is , where and are random numbers selected by the user and the server, respectively. Previously established session keys remain secure even when the long-term keys of the server and the user are disclosed, because it is computationally infeasible for the adversary to calculate the session key from and by the hardness of the extended chaotic-map-based CDHP.

4.10. Security Features Comparisons

We compare the security features of the proposed protocol with those of the previous multifactor authentication protocols for multiserver environment, including Jiang et al.’s [19], Wu et al.’s [20], and Das’s [27].

Table 3 shows the results of the security feature comparison. From Table 3, we note that Jiang et al.’s protocol does not achieve user anonymity, and that Wu et al.’s and Das et al.’s protocols cannot resist the stolen/lost smart card attack. Table 3 shows that our new protocol is the only one that is free from these attacks and provides both anonymity and perfect forward secrecy.

5. Efficiency Analysis

This section compares the efficiency of the proposed protocol with that of the previous multifactor authentication protocols for multiserver environment, including Jiang et al.’s [19], Wu et al.’s [20], and Das’s [27]. Table 4 shows separately the results of the security features comparisons and the efficiency comparisons.

To simplify the presentation, the following symbols are defined. denote the time for computing the Chebyshev polynomial with the algorithm in [28], an ECC point multiplication, a hash, a symmetric encryption/decryption, a modular squaring, and a square root modulo , respectively. To be more precise, on an Intel Pentium 4 2600 MHz processor with 1024 MB RAM, where and are 1024 bits long, is 21 ms, 63.1 ms, 0.5 ms, and 8.7 ms, respectively [28, 29]. The computational time of the bitwise XOR and multiplication operations is negligible compared with the above operations and is ignored.

Table 4 shows that our proposed protocol is more efficient than the protocols of Wu et al. and Das et al. Although the protocol of Jiang et al. is slightly more efficient than ours, it does not achieve anonymity. Besides, in that protocol the authentication center must participate whenever any user accesses any server. When the number of users is huge, the computational load on the authentication center may be very high, which could cause it to crash. In our protocol, while the ticket is valid the authentication center does not need to participate at all, so the total computational cost is greatly reduced. Overall, compared with the other schemes, our scheme better matches the requirements of practical applications while ensuring both security and efficiency.

6. Conclusion

In this paper, we propose a novel multifactor multiserver authentication protocol for cloud service based on the extended Chebyshev chaotic map. A new element of our protocol is the ticket designed for mutual authentication between the user and the server. While the ticket is valid, the authentication center does not need to participate in the authentication process, which further reduces its burden. The ticket has an expiry time that the server determines according to its specific requirements. Compared with the Kerberos protocol, no secret key needs to be shared in advance between the authentication center and the server.

Our analysis shows that the protocol resists a variety of attacks and provides the desired security features. Compared with existing schemes, the new protocol provides the security and usability features necessary for all participants while maintaining relatively high efficiency. Therefore, our scheme is more suitable for practical application.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This paper is supported by National Key Research and Development Program (nos. 2016YFB0800101 and 2016YFB0800100), Innovative Research Groups of the National Natural Science Foundation of China (Grant no. 61521003), and National Natural Science Foundation of China (Grants nos. 61379150 and 61309016).