Table of Contents Author Guidelines Submit a Manuscript
Wireless Communications and Mobile Computing
Volume 2018, Article ID 3284324, 14 pages
https://doi.org/10.1155/2018/3284324
Research Article

A Secure Three-Factor Multiserver Authentication Protocol against the Honest-But-Curious Servers

1School of Cyber Science and Technology, Beihang University, Beijing 100191, China
2Hefei Innovation Institute, Beihang University, Anhui 230012, China
3Informatization Office of Beihang University, Beijing 100191, China
4Beijing Key Laboratory of Network Technology, Beihang University, Beijing 100191, China
5School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China
6Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Guilin 541004, China
7School of Computer Science and Engineering, Beihang University, Beijing 100191, China

Correspondence should be addressed to Xiong Li; moc.361@qhzgnoixil

Received 13 April 2018; Revised 26 July 2018; Accepted 26 August 2018; Published 13 September 2018

Academic Editor: Ding Wang

Copyright © 2018 Hua Guo et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Three-factor multiserver authentication protocols become a prevalence in recent years. Among these protocols, almost all of them do not involve the registration center into the authentication process. To improve the protocol’s efficiency, a common secret key is shared among all severs, which leads to a serious weakness; i.e., we find that these protocols cannot resist the passive attack from the honest-but-curious servers. This paper takes Wang et al.’s protocol as an example, to exhibit how an honest-but-curious server attacks their protocol. To remedy this weakness, a novel three-factor multiserver authentication protocol is presented. By introducing the registration center into the authentication process, the new protocol can resist the passive attack from the honest-but-curious servers. Security analyses including formal and informal analyses are given, demonstrating the correctness and validity of the new protocol. Compared with related protocols, the new protocol possesses more secure properties and more practical functionalities than others at a relatively low computation cost and communication cost.

1. Introduction

Nowadays, with the rapid development of networks, remote communication becomes increasingly prevalent and provides highly useful services in many aspects. Consequently, communication security significantly attracts public’s attention. Cryptographic authentication allows users to submit their credentials and acquire authorization to access the various online services from remote networks [15]. Since Lamport [6] firstly proposed a password-based remote authentication protocol, great quantities of authentication protocols were proposed to make up continued emerging problems and provide authorized communication between remote entities. However, the traditional protocols gradually cannot catch up with the pace of increasing demand for more users and servers in communication. Multiserver authentication schemes became the mainstream, because most of the practical communication environments are based on several servers to alleviate the pressure of the increasing number of users.

Lots of authentication protocols for multiserver environments were proposed to satisfy the security requirements and provide versatile functionalities to make the scheme more convenient and practical to utilize in real occasions [720]. In 2001, Li et al. [7] proposed a remote multiserver authentication protocol with no verification table, which was found insecure by Lin et al. [8]. They also presented an improved protocol, while it was vulnerable to impersonation attack [9]. Juang et al. [10] adopted symmetric-key cryptosystem to propose a multiserver authentication protocol but it was cracked soon. In 2004, a novel protocol was presented by Chang and Lee [11]. However, all of them ignored user anonymity [12]. In 2009, a remote multiserver authentication scheme which satisfies anonymity property was proposed [13], but it does not have forward security [14]. Besides, Hsiang and Shih [15] presented a new protocol to resist various attacks; however some drawbacks on mutual authentication are pointed out [16]. Recently, a big breakthrough, i.e., the inner relationships of evaluation criteria for anonymous two-factor authentication protocol, is explored by Wang et al. [17]. To improve the security of remote communication, smart card gradually came into use in authentication, which made it possible for more convenient authentication and communication. Some remote authentication protocols for multiserver environment with a smart card were proposed but proved to be insecure in the end [2123].

Relying on smart card and password as the authentication method already cannot meet today’s needs. In the latest few years, more and more authentication protocols adopt biometrics messages in mutual authentication to strengthen the security and enhance the efficiency of the existing protocols. In 2010, Yang et al. [24] introduced a three-factor multiserver authentication protocol. Unfortunately, the protocol has low computation efficiency and can not resist the insider attack. Li et al. proposed an efficient protocol [25] which allows users to change the password and the calculation cost is low. However, their scheme cannot provide appropriate certification and failed to resist man-in-the-middle attack [26]. Adopting elliptic curve cryptography, Yoon et al. [27] in 2011 designed a novel protocol; unfortunately Kim et al. [28] showed that Yoon et al. [27] protocol is insecure. In 2014, Chuang et al. [29] put forward an anonymous protocol, but Mishra et al. [30] broke their protocol. Later, Lu et al. [31] found that there are several weaknesses in Mishra et al.'s improved protocol, and they also presented an improved protocol which is broken by Reddy et al. [32]. Meanwhile, Wang et al. [33] also found that Mishra et al.'s improved protocol is insecure. Regrettably, some weaknesses in Wang et al.’s protocol [33] were shown by Yang et al. [24] and Reddy et al. [34] separately. Recently, Jiang et al. [35] and He et al. put forward multiserver authenticated protocols using elliptic curve cryptography(ECC), separately. Unfortunately, Odelu et al. found that there are flaws in He et al.s protocol in login and password change phases and can not resist the impersonation attack.

All of the above three-factor multiserver authentication protocols can be categorized into two classes, i.e., the protocols which implement the authentication independent of the registration center and the protocols which need the help of the registration center in the authentication phase. After carefully examining the known three-factor multiserver authentication protocols, we find that almost all of the first kind of protocols cannot resist the passive attack from an honest-but-curious server since all servers share a common secret key. More precisely, an honest-but-curious server can compute session keys which are shared between a user and other servers by eavesdropping messages transmitting between the users and other servers. In this paper, we take Wang et al.’s protocol as an example, to show how an honest-but-curious server obtains a session key which should be kept secret from him. Moreover, we find some other drawbacks in their protocol. For example, in the reregister or revocation phase, a user can still use his original password to login and send message even if he is revoked.

To resist the passive attack from the honest-but-curious servers, a trivial solution is to distribute different secret keys to different severs, which would aggravate the user’s storage burden. Another method is introducing the registration center into the authentication phase to deal with secret messages. As we mentioned above, such protocols are based on either ECC or symmetric encryption cryptosystems, which heavily affect the computation efficiency. To balance the security problem brought by the honest-but-curious servers and the efficiency problem brought by involving the registration center into the authentication, we propose a novel multiserver authentication protocol. In authentication phase of new protocol, the involved registration center only adopts hash and XOR operations for the computation, instead of ECC and symmetric cryptosystem, thus greatly improving the protocol’s computation efficiency. As far as we known, this is the first time to consider the passive attack from honest-but-curious servers for multiserver authentication protocols. Moreover, the new protocol is the first protocol which only adopts hash and XOR operations for computation when involving the registration center into the authentication.

The remaining of the paper is organized as follows. Section 2 reviews and analyzes the security of Wang et al.'s protocol. In Section 3, we present the new three-factor multiserver authentication scheme in detail. Section 4 provides the formal and informal secure analysis of the new protocol. In Section 5, comparisons including security, functionalities, computation cost, and communication cost are conducted. The last section gives a conclusion.

2. Some Weakness of Wang et al.’s Scheme

We firstly give the details about Wang et al.’s protocol and then show how an honest-but-curious server attacks their protocol step by step.

2.1. Review of Wang et al.’s Protocol

Wang et al.’s protocol involves five phases, i.e., registration phase, login phase, authentication phase, password changing phase, and revocation/reregistration phase which are executed by the user , the server , and the registration center . The symbols and notations are listed in Table 1. Assume is a trusted third party which is able to register for users and servers.

Table 1: Symbols and notations in Wang et al.’s scheme.

Registration Phase(i)Registration phase of server(a) sends a request message to .(b) authorizes once it receives the message and returns (preshared key) to securely.(c) uses to check ’s legitimacy in authentication phase.(ii)Registration phase of user(a)The new user inserts into the card reader, inputs , , and imprints at the sensor. After that, () is extracted from through . Finally calculates and sends to securely.(b) generates and stores it to the database. Note that indicates the state of ’s account. When revokes his account, sets . When reregisters his account, sets . After that calculates , , , , and where is the time of registration. Finally, sends to securely.(c) receives from , stores into , and stores in .

Login Phase(i) inputs and with his/her smart card and imprints at the sensor.(ii) calculates and . After that, checks whether holds or not. If it is right, computes .(iii) calculates after choosing a random number . After that, computes and where is a timestamp.(iv) sends to .

Authentication Phase(i) checks whether . Note that is the time that receives the login message, and means the time interval.(ii)If the verification is valid, calculates , , and and checks whether .(iii)If this verification is valid, chooses a random number and calculates as the session secret key. Then, computes and . Finally returns to .(iv) calculates and and checks whether . If it is valid, calculates and sends to .(v) checks whether the condition matches with . If holds, confirms the session key . Otherwise, terminates the session immediately.

Password Change Phase(i) inserts his/her smart card, inputs and , and imprints .(ii) retires from and computes . Then checks whether matches with . If it holds, can input the new password.(iii) inputs the new password and calculates , , , and .(iv) displaces with , with , and with , respectively.

Revocation and Reregistration Phase(i)If is revoked, he needs to send verification message to securely.(ii) checks the validity of . If is a valid user, sets .(iii) follows the user registration phase and uses to replace .

2.2. Analysis of Wang et al.’s Protocol

This subsection analyzes Wang et al.’s protocol and shows how to mount a passive attack by an honest-but-curious server.

2.2.1. Passive Attack from an Honest-But-Curious Server

In this attack, an honest-but-curious server (say ) only passively eavesdrops messages between the user and other servers, so that he can obtain the session keys shared by the user and other servers which should be kept secret from using his secret key and eavesdropping messages. More precisely, suppose a user has finished the protocol with a server and is running the protocol with the other server . Now we will show how the server obtains the session key between and step by step.(i)Step 1. finished the protocol with successfully. Thus the server has knowledge of .(ii)Step 2. During the protocol process between and , firstly intercepts sent by to . From these messages, obtains by calculating , , and .(iii)Step 3. After that, intercepts the messages which are sent from to . Then the server obtains by calculating . In this case, the server acquired and generated in this session.(iv)Step 4. With the intercepted and , can obtain the session key by calculating successfully which should be kept secret from him.

2.2.2. User’s Anonymity

User’s anonymity means that user’s and other urgent information indicating user’s identity directly should be protected carefully. In Wang et al.’s scheme, an honest-but-curious server can compute by . At the same time, receives from . can obtain ’s identity by computing . As a consequence, the server can obtain of the user . This does not guarantee the anonymity of the user’s identity.

2.2.3. User Impersonation Attack

The honest-but-curious server can collect and which are sent by and thus can calculate using . After that, can pretend to be and apply authentication from other servers. Specifically, randomly choose a number and calculates , , and . Then sends to other servers through a public channel. In this way, can disguise as .

2.2.4. Wrong Revocation and Reregistration

In this phase, users are allowed to revoke or reregister when he confronts the situation about losing the smart card or his account. In Wang et al.’s scheme, when a user wants to revoke his account, he has to pass the authentication. After that, changes to 0, indicating that is not available any more. In the reregistration phase, also changes to . However, is not involved in login phase and authentication phase. As a result, there is no access for to check whether the user’s account is revoked or not. Thus the user can access the legal servers only using his former password and his biometrics; even he already has been revoked.

2.3. Reasons for the Weakness

In Wang et al.’s protocol, two important temporary secret values and are protected by . Unfortunately, all servers keep the same private key . As a result, an honest-but-curious server with can obtain all session keys which should be kept secret from him. This attack usually exists in the multiserver environment. In the most cases, a legitimate server after registration is assumed to be completely trustworthy, without taking into account the possibility that a particular server can act as an honest-but-curious adversary.

To resist this attack, it is bound to distribute different secret keys to different servers, which can be implemented by involving the registration center in the authentication process. Unfortunately, in most of this kind of protocol, authentication process is excused between the user and the server independent of the registration center. Therefore, to design a secure three-factor authentication protocol against the passive attack from an honest-but-curious server, the registration center should be introduced into the authentication process to protect the important temporary secret values and .

3. The New Protocol

In this section, we first discuss the threat model used in our protocol. We then give the list of notations used in our proposed scheme. Finally, we describe the different phases relate to our scheme.

3.1. Threat Model

In this subsection, we introduce a threat model following the definition of [3639].(i)The adversary is able to control the open communication channel completely; that is, he can intercept, modify, delete, block, and resend the messages over the open channel.(ii)The adversary can list all pairs of from the space of identities and from the space of passwords in a polynomial time.(iii)The adversary can either intercept the password of the user via the malicious device or extract the parameters from the smart card, but both methods cannot be used together. An honest-but-curious server does not have this ability.(iv)When acts as an honest-but-curious server, he can just listen the messages via the open channel.

3.2. The Proposed Protocol

As Wang et al.’s protocol, the new protocol also involves five phases. Table 2 lists the notations used in the new protocol.

Table 2: Notations in the new protocol.
3.2.1. Registration Phase

(i)Server registration phaseDuring server registration, communicates with to authenticate his validity and become a legislative server after receiving the preshared key sent from . The whole process of the server registration phase is shown in Figure 1.(a) sends a request message to .(b) authorizes and adds a novel entry to the database where is a random number. Then is sent to by applying IKEv2 securely.(c) adopts to protect the urgent messages and generates the session key .(ii)User registration phaseA user sends his personal information to and gets his own smart card by executing the process listed in Figure 2.(a) inputs at the sensor and can obtain using . Then selects and and calculates . finally sends to securely.(b) generates a novel entry to the database where is a random number that records the validity of . If has revoked its account or the account is not available at present, generates a negative random number ; otherwise, is a positive random number. At the same time, is a preshared key. After that, computes , , , , , , and , where is the registration time and is the masker secret key between the user and the registration center.(c) puts into . After that, issues it to securely.(d)With , keeps into and initials the authentication.

Figure 1: Registration phase of server.
Figure 2: Registration phase of user.
3.2.2. Login Phase

A user tries to login to a server by executing the steps shown in Figure 3.(i) inputs , , and , then his smart card can recover using .(ii) computes and then checks whether or not. If it is true, calculates , , and . Otherwise, does not pass the identity authentication.(iii) generates a number randomly for each session and calculates , , , and where is a timestamp.(iv) sends to .

Figure 3: Login and authentication phase.
3.2.3. Authentication Phase

This phase offers the details of mutually authentication which are indicated in Figure 3.(i) receives the information from and verifies whether holds or not. If it holds, calculates and . Otherwise, will reject the login request. Then checks whether . If it fails, the protocol would be stopped. Otherwise, the server computes , , and and sends messages to .(ii) receives the messages and verifies whether holds or not. If it holds, checks whether . If it fails, the request would be stopped. Otherwise, computes . Then goes through the database stored in to get and . If is a negative number, the request would be stopped. After that, computes , , and where is an additional timestamp. Finally, returns to .(iii)Once receives the message from , it verifies whether holds or not. If it holds, checks whether . If it fails, the request will be stopped. Otherwise, calculates . After selecting a number randomly, computes , , and . Then, the server sends to .(iv) retrieves and calculates by computing and . After that, checks whether holds or not. If it is valid, the user calculates and sends to .(v)Finally, receives and checks whether the equation holds or not. If so, a secret session key is generated successfully and can be used in the following communication. Otherwise, would reject the authentication.

3.2.4. Password Change Phase

Using this phase, ’s password can be changed without any exchanging message from both and .(i) inputs , the old password , and imprints as well and computes which is used to pass the authentication.(ii) inputs a new password . After that, computes , , , , , and .(iii) replaces , and with , and .

3.2.5. User Revocation or Reregistration Phase

This phase is used for revocation and reregistration when ’s smart card is stolen or lost.(i)In revocation phase, sends revocation requests to . chooses a negative random number and modifies the value of corresponding to as that random number.(ii)In reregistration phase, sends reregistration requests to . selects a positive random number and sets it as of .

4. Security Analysis of the New Protocol

4.1. Verifying the New Protocol with BAN Logic

Burrows-Abadi-Needham (BAN) logic is introduced by Burrows et al. [40] and widely used to analyze the security protocol. In this subsection, BAN logic is used to prove that mutual authentication can be obtained after running the new protocol successfully. The notations and postulates in BAN logic are listed in Table 3.

Table 3: BAN logic notations and postulates.

We first define the test goals which the new protocol should achieve using BAN logic:(g1) (g2) (g3) (g4)

Secondly, we give the idealized form of the new protocol as follows:(m1) (m2) (m3) (m4) (m5)

Next, we list the following initiative premises of the new protocol:(p1) .(p2) .(p3) .(p4) .(p5) .(p6) .(p7) (p8) (p9) .(p10) (p11) (p12) .(p13) .

Finally, we analyze the new protocol using the BAN logic rules and the assumptions.

From message , we obtain(S1) .

From (p5), (S1), and Rule(a), we get(S2) .

From (p12) and Rule(d), we get(S3) .

From (S2), (S3), and Rule(c), we get(S4) .

From (S4) and Rule(e), we get(S5) .

From (p7), (S5), and Rule(b), we get(S6) .

From message (m4), we have(S7) .

From (p10), (S7), and Rule(a), we get(S8) .

From (p1) and Rule(d), we get(S9) .

From (S8), (S9), and Rule(c), we get(S10) .

From (S10) and Rule(e), we get(S11) (g3).

From (P8), (S11), and Rule(b), we get(S12) (g4).

From message (m5), we have(S13) .

From (p11), (S6), (S13), and Rule(a), we get(S14) .

From (p2) and Rule(d), we get(S15) .

From (S14), (S15), and Rule(c), we get(S16) .

From (S16) and Rule(e), we get(S17) (g1).

Finally, From (P9), (S17), and Rule(b), we get(S18) (g2).

According to (g1), (g2), (g3), and (g4), we conclude that the new protocol provides the mutual authentication and a shared secret key between the user and the server after a successful running of the protocol.

4.2. Formal Security Analysis

Recent research has shown that user-chosen passwords follow the Zipf’s law [41], a vastly different distribution from the uniform distribution. In this subsection, we provide a formal security analysis of the new protocol with the Zipf’s law.

Theorem 1. Let be the length of the biometric key , let be the range space of hash function , and both and are the Zipf’s parameters [41]. Let be Send queries and be Hash oracle queries. For any adversary in polynomial time against the new protocol in the random oracle, the advantage of breaking the of is

Proof. Let be the event that guesses bit for in the test session successfully. According to the new protocol, does not need to guess or compute the user’s identity since there is only one user. The games to are listed as follows.
Game . This game corresponds to the real attack in the random oracle model. Hence Game . We simulate ’s eavesdropping attack by querying oracles. Then, sends the query and decides whether the outcome of query matches with which can be calculated as . cannot get the message about , . and , due to the security of ’s and ’s . Thus cannot increase the chance of winning game . Hence we have Game . We simulate ’s active attack by querying and oracles. will manage to find the collisions of in the way of make queries, but it is impossible for him to know the message of both and without the knowledge of , , and . Hence there is no collision when querying oracles. Using the birthday paradox, we obtain Game . This game simulates the smart card lost attack by querying oracle. If wants to obtain the secret information of users, he tries online dictionary attack due to the low entropy of password or other computing modes to get which is used as the biometrics key with the message from . Unfortunately, has to know with the probability approximated as , because we use fuzzy extractor function to extract at most nearly random bits of . Even if using the Zipf’s law on passwords, we still have Moreover, cannot get any useful messages about the value of because of the independence and randomness of each session key. Thus, we have Combined the above steps, we can get the result as follows:

4.3. Informal Security Analysis

In this subsection, informal security analysis is conducted to show that the new protocol can withstand various attacks.

Replay Attack. If replays a former piece of user’s messages to server, he will not success since a timestamp is used in each session to guarantee the freshness of time. If the information in a previous session is replayed, the interval between and will not be in an endurable range. Therefore, in the authentication phase cannot pass the authentication in the first step. Hence, the new protocol can resist the replay attack.

Modification Attack. It is assumed that an adversary intercepts the information transmitted on the public channel and intends to modify the information to pass the authentication. Unfortunately, the integrity of the transmitted messages in the new scheme is protected by using one-way hash function. Moreover, cannot retrieve and from the intercepted messages, thus he cannot generate a legitimate authentication message. Therefore the new protocol can resist the modification attack.

Server Session Key Attack. In our proposed scheme, on one hand, session key contains , , , , , and which are different in every session and thus cannot be retrieved directly by a malicious adversary . On the other hand, our scheme provides mutual authentication in the authentication phase and makes an improvement, i.e., both of the user and the server know whether has already been generated by each other. If the server wants to obtain the session key by calculation, he has to obtain since . Unfortunately, the specific value of is known only to and . After receiving the messages transmitted from the user, the server calculates which means that the authentication is passed and valid session key has already be generated by each other. Therefore our scheme holds the security of session Key.

User Impersonation Attack. If is going to impersonate a valid user, has to retrieve , , and of to pass the authentication in calculating in login phase. It is impossible for him to make it as a result of our perfect user anonymity and the uniqueness of biometric message. If the adversary wants to get access to as a valid user with the messages , , , , , and , he cannot pass the check and form a session key with the server he communicates with.

Forgery Attack. The forgery attack refers to the existence of a legitimate but malicious user who attempts to falsify the identity information of another legitimate user to login and authenticate. In the communication between the legal server and the user , the real identity of is protected by , i.e., . In addition, the identity is different for each user. Therefore, the malicious user cannot obtain the real identity of another legitimate user. Therefore, our scheme can prevent forgery attack.

Masquerade Attack. Under this attack, can authenticate with the server as a legal user and attempt to acquire the session key using the information transmitted at the authentication phase. In order to resist this attack, all messages transmitted in the public channel contain the destination or source information, such as and with or . So that and verify whether one wants to be authenticated by the other. Therefore our protocol can resist the masquerade attack.

Smart Card Attack. If the user’s smart card is stolen or lost and all the messages stored have been divulged by the adversary, there still no way for him to pass the authentication. At first, after acquiring , , , , and , still cannot get and . So is not capable of forging a valid user . Also, cannot get any useful messages such as , , and using the messages stored in a smart card. Therefore, the new protocol is resistant to the stolen or lost smart card attack.

Offline Guessing Attack. may get , , , , , and by side channel attack such as SPA and DPA. However, he cannot change the user’s password without , , , or during the offline environment. In addition, one-way hash function is adopted to protect user’s password. Since it is impossible for different user to own the same biometric template, offline guessing attack can be avoided in the new protocol.

DoS Attack. DoS attack can seriously affect the efficiency of the server, causing the server to lose availability. However, all messages transmitted to the server and would be time stamped. With the help of the timestamp, the server and would verify the freshness and legitimacy of the message by checking , , and . In addition, login operations require a fuzzy extractor to meet the biometric requirements. Therefore, our scheme can resist DoS attack.

Server Spoofing Attack. If attempts to imitate a valid server, he is supposed to have the preshared key, a long-term secret key shared between and . In the new protocol, and function as the preshared key which are transmitted through a secure channel and is unavailable to anyone other than and servers. Without , it is impossible for the adversary to calculate in the authentication phase since . And also, without and , the adversary cannot get since . Thus the adversary cannot imitate a valid server.

User Anonymity. The users real identity is protected by replacing with where . Also, due to the hash function and the secret key, either an outside adversary or an honest-but-curious server cannot figure out through . Thus the weak anonymity of the user is guaranteed.

Regrettably, the anonymity of the new scheme is not perfect. For example, assuming that the server cooperates with a malicious user, the malicious user provides by calculating , and the server calculates through , then the server can calculate by calculating . Moreover, an adversary with ’s lost smart card can also compute ’s identity. Therefore, our scheme just provides the weak anonymity.

5. Efficiency Analysis

Efficiency analysis is conducted in this section to evaluate the new protocol. The comparisons including the resistance, functionality, and performance are summarized. In Table 5, let (S1) denote Chuang et al.’s protocol [29], (S2) denote Wang et al.’s protocol [33], (S3) denote Yang et al.’s protocol [24], (S4) denote Reddy et al.’s protocol [34], (S5) denote HE-WANG’s protocol [42], and (S6) denote Odelu et al.’s protocol [43]. The following notations are defined in Table 4.

Table 4: Notations in security comparison table.
Table 5: The security comparison.

Security comparison is offered by Table 5. In Table 5, “/” denotes that the security has not been analyzed until now. From Table 5, it is easy to see that protocols of (S1), (S2), (S3), and (S4), which do not include the registration center into the authentication phase, can not resist the passive attack from an honest-but-curious server. Although (S5) is resistant to above attack, it can not resist the user impersonate attack and smart card attack. The new protocol, together with (S6), achieves all resistance requirements, since they implement the authentication with the help of the authentication center. Thus they are more secure than the first five protocols.

Functionalities comparison is listed in Table 7. The notations that appear in Table 7 are lists in Table 6. It can be seen that (S1), (S2), (S3), and (S4) do not provide user revocation/reregistration functionality, and (S5) does not offer anonymity property. Only our new protocol and (S6) provide all five basic functionality requirements.

Table 6: Notations in functionality comparison table.
Table 7: The functionality comparison.

Now we conduct the efficiency analysis including computation overhead and communication overhead. To compare with other related works, only login and authentication phase are considered.

Tables 9 and 10 list the computation cost comparisons from different aspects. The notations that appear in Table 9 are listed in Table 8. For the computation efficiency, we only calculate the number of hash functions, while ignore Exclusive OR operation and concatenating operation since they require little computational cost. Let denote the computation time for symmetric-key encryption/decryption which is known as about 0.005ms, denote the computation time for one-way hash function which is known as about 0.002ms, and denote the computation time for elliptic curve point multiplication which is known as about 2.226ms.

Table 8: Notations in computation comparison table.
Table 9: Computation cost comparison in different phase.
Table 10: Computation cost comparison in different participants.

Table 9 compares the computation time according to protocol’s different phase. From Table 9, we can find that the new protocols, together with (S1), (S2), (S3), and (S4), spend almost the same time since only hash function contributes to computation cost. On the other hand, (S5) and (S6) take more time for computation due to the expensive elliptic curve point multiplication operations.

Table 10 compares the computation time according to different participants. The user’s executing time in the new protocol only needs 0.014ms, which proves that the new protocol provides the most efficient use’s computation. In terms of server’s executing time, the new protocol spends almost the same time as that of the most efficient protocols, i.e., (S1), (S2), and (S3). To resist the passive attack from the honest-but-curious servers, (S5), (S6), and the new protocol introduce the registration center into the authentication phase, which would bring extra burden for the trusty registration center. As shown in Table 10, needs extra 4.47ms for (S5) and extra 2.263ms for (S6). In the new protocol, is only used to transmit the secret information instead of authenticating user and server. As a result, the extra executing time for in the new protocol is only 0.008ms, which is much less than that of (S5) and (S6). Therefore, the new protocol is the most efficient one among the second kind of multiserver authentication protocols. In conclusion, among all of the multiserver protocols against the passive attack from an honest-but-curious attack, the new protocol is the most computational efficient one.

Table 12 lists the new protocol’s communication cost together with the other related protocols. Suppose the random number is 160 bits, the length of the user identity is 160 bits, the length of the timestamp is 16 bits, and the output length of one-way hash function is 160 bits if SHA-1 is adopted. Table 11 shows the notations that appear in Table 12. In the new protocol, when logs in, he has to transmit , , , , , and ; thus the length of these messages is (1605+16)/8 = 102 bytes. In the authentication phase, we introduce the registration center, so the communication cost is a little more than (S1), (S3), and (S4), about 180 bytes or so. Among all of the multiserver protocols against the passive attack from an honest-but-curious attack, the new protocol has the high communication efficient.

Table 11: Notations in communication comparison table.
Table 12: Communication cost comparison table.

Combined with the security properties and the functionalities, we conclude that the new protocol and (S6) achieve all basic security properties and satisfy all functionalities. In terms of efficiency, (S6) spends much more computation time, bandwidth, and storage space compared with the new protocol. In conclusion, the new protocol is the most efficient multiserver authentication protocol which satisfies all basic security properties and functionalities.

6. Conclusion

In this paper, we found that a kind of multifactor multiserver authentication protocols can not resist the passive attack from an honest-but-curious servers. We took Wang et al.’s protocol as an example, to exhibit how an honest-but-curious server step by step obtained a session key which should be kept secret from him. Moreover, we observed that the revocation and reregistration process in their protocol is incorrect. To remedy these weaknesses, this paper proposed a novel multiserver authentication protocol. The new protocol satisfies comprehensive demands of security and provides versatile and practical functionalities. Compared with the related protocols in computation cost and communication cost, the new protocol is the most efficient multiserver authentication protocol which satisfies all basic security properties and functionalities. Therefore, the new protocol is secure and relatively efficient in the remote distributed authentication networks. We have noticed that this kind of attack may also exist in other likewise environment, such as the multifactor multigateway authentication protocol in the wireless sensor networks. As a future work, we would apply the passive attack from an honest-but-curious gateway to the multifactor multigateway authentication protocol in the wireless sensor network and try to design secure protocols for multigateway wireless sensor network.

Data Availability

The paper does not use any data set.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (nos. 61572027, 61772194, and U1636208), special foundation for coconstruction project of Beijing, the Hunan Provincial Natural Science Foundation of China under Grant no. 2018JJ3191, and the Guangxi Key Laboratory of Trusted Software (no. KX201707).

References

  1. X. Yang, X. Huang, and J. K. Liu, “Efficient handover authentication with user anonymity and untraceability for Mobile Cloud Computing,” Future Generation Computer Systems, vol. 62, pp. 190–195, 2016. View at Publisher · View at Google Scholar · View at Scopus
  2. S. A. Chaudhry, “A secure biometric based multi-server authentication scheme for social multimedia networks,” Multimedia Tools and Applications, vol. 75, no. 20, pp. 12705–12725, 2016. View at Publisher · View at Google Scholar · View at Scopus
  3. J. Shen, S. Chang, J. Shen, Q. Liu, and X. Sun, “A lightweight multi-layer authentication protocol for wireless body area networks,” Future Generation Computer Systems, 2016. View at Publisher · View at Google Scholar · View at Scopus
  4. D. He, N. Kumar, M. K. Khan, and J.-H. Lee, “Anonymous two-factor authentication for consumer roaming service in global mobility networks,” IEEE Transactions on Consumer Electronics, vol. 59, no. 4, pp. 811–817, 2013. View at Publisher · View at Google Scholar · View at Scopus
  5. C. Jin, C. Xu, X. Zhang, and J. Zhao, “A secure RFID mutual authentication protocol for healthcare environments using elliptic curve cryptography,” Journal of Medical Systems, vol. 39, no. 3, pp. 1–8, 2015. View at Publisher · View at Google Scholar · View at Scopus
  6. L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981. View at Publisher · View at Google Scholar · View at Scopus
  7. L. Li, I. Lin, and M. Hwang, “A remote password authentication scheme for multiserver architecture using neural networks,” IEEE Transactions on Neural Networks and Learning Systems, vol. 12, no. 6, pp. 1498–1504, 2001. View at Publisher · View at Google Scholar · View at Scopus
  8. I. C. Lin, M. S. Hwang, and L. H. Li, “A new remote user authentication scheme for multi-server architecture,” Future Generation Computer Systems, vol. 19, no. 1, pp. 13–22, 2003. View at Publisher · View at Google Scholar · View at Scopus
  9. X. Cao and S. Zhong, “Breaking a remote user authentication scheme for multi-server architecture,” IEEE Communications Letters, vol. 10, no. 8, pp. 580-581, 2006. View at Publisher · View at Google Scholar · View at Scopus
  10. W. S. Juang, “Efficient multi-server password authenticated key agreement using smart cards,” IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 251–255, 2004. View at Publisher · View at Google Scholar · View at Scopus
  11. C.-C. Chang and J.-S. Lee, “An efficient and secure multi-server password authentication scheme using smart cards,” in Proceedings of the Proceedings - 2004 International Conference on Cyberworlds, CW 2004, pp. 417–422, Japan, November 2004. View at Scopus
  12. J.-L. Tsai, “Efficient multi-server authentication scheme based on one-way hash function without verification table,” Computers & Security, vol. 27, no. 3-4, pp. 115–121, 2008. View at Publisher · View at Google Scholar · View at Scopus
  13. Y. P. Liao and S. S. Wang, “A secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces, vol. 31, no. 1, pp. 24–29, 2009. View at Publisher · View at Google Scholar · View at Scopus
  14. T. Chen Y, M. Hwang S, C. Lee et al., “Cryptanalysis of a Secure Dynamic ID Based Remote User Authentication Scheme for Multi-Server Environment,” Innovative Computing, Information and Control (ICICIC), pp. 725–728, 2009. View at Google Scholar
  15. H. Hsiang C and K. Shih W, “Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces, vol. 31, no. 6, pp. 1118–1123, 2009. View at Google Scholar
  16. C. Lee, T. Lin, and R. Chang, “A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards,” Expert Systems with Applications, vol. 38, no. 11, pp. 13863–13870, 2011. View at Publisher · View at Google Scholar · View at Scopus
  17. D. Wang, D. He, P. Wang, and C.-H. Chu, “Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 4, pp. 428–442, 2015. View at Publisher · View at Google Scholar · View at Scopus
  18. X. Li, M. H. Ibrahim, S. Kumari, A. K. Sangaiah, V. Gupta, and K. R. Choo, “Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks,” Computer Networks, vol. 129, pp. 429–443, 2017. View at Publisher · View at Google Scholar
  19. X. Li, J. Niu, M. Z. A. Bhuiyan, F. Wu, M. Karuppiah, and S. Kumari, “A Robust ECC based Provable Secure Authentication Protocol with Privacy Protection for Industrial Internet of Things,” IEEE Transactions on Industrial Informatics, vol. 14, no. 8, pp. 3599–3609, 2018. View at Google Scholar · View at Scopus
  20. X. Li, J. Peng, J. Niu, F. Wu, J. Liao, and K.-K. R. Choo, “A Robust and Energy Efficient Authentication Protocol for Industrial Internet of Things,” IEEE Internet of Things Journal, vol. 5, no. 3, pp. 1606–1615, 2018. View at Google Scholar · View at Scopus
  21. R. Amin, S. K. H. Islam, N. Kumar, and K.-K. R. Choo, “An untraceable and anonymous password authentication protocol for heterogeneous wireless sensor networks,” Journal of Network and Computer Applications, vol. 104, pp. 133–144, 2018. View at Publisher · View at Google Scholar · View at Scopus
  22. D. He and S. Wu, “Security flaws in a smart card based authentication scheme for multi-server environment,” Wireless Personal Communications, vol. 70, no. 1, pp. 323–329, 2013. View at Publisher · View at Google Scholar · View at Scopus
  23. R. S. Pippal, C. D. Jaidhar, and S. Tapaswi, “Robust smart card authentication scheme for multi-server architecture,” Wireless Personal Communications, vol. 72, no. 1, pp. 729–745, 2013. View at Publisher · View at Google Scholar · View at Scopus
  24. L. Yang and Z. Zheng, “Cryptanalysis and improvement of a biometrics-based authentication and key agreement scheme for multi-server environments,” PLoS ONE, vol. 13, no. 3, 2018. View at Google Scholar · View at Scopus
  25. C.-T. Li and M.-S. Hwang, “An efficient biometrics-based remote user authentication scheme using smart cards,” Journal of Network and Computer Applications, vol. 33, no. 1, pp. 1–5, 2010. View at Publisher · View at Google Scholar · View at Scopus
  26. X. Li, J. W. Niu, J. Ma, W. D. Wang, and C. L. Liu, “Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards,” Journal of Network and Computer Applications, vol. 34, no. 1, pp. 73–79, 2011. View at Publisher · View at Google Scholar · View at Scopus
  27. E.-J. Yoon and K.-Y. Yoo, “Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem,” The Journal of Supercomputing, vol. 63, no. 1, pp. 235–255, 2013. View at Publisher · View at Google Scholar · View at Scopus
  28. H. Kim, W. Jeon, K. Lee, Y. Lee, and D. Won, “Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme,” in Proceedings of International Conference on Computational Science and Its Applications, pp. 391–406, 2012.
  29. M.-C. Chuang and M. C. Chen, “An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics,” Expert Systems with Applications, vol. 41, no. 4, pp. 1411–1418, 2014. View at Publisher · View at Google Scholar · View at Scopus
  30. D. Mishra, A. Das, and S. Mukhopadhyay, “A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards,” Expert Systems with Applications, vol. 41, no. 18, pp. 8129–8143, 2014. View at Publisher · View at Google Scholar · View at Scopus
  31. Y. Lu, L. Li, X. Yang, and Y. Yang, “Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards,” PLoS ONE, vol. 10, no. 5, Article ID 0126323, 2015. View at Publisher · View at Google Scholar · View at Scopus
  32. A. G. Reddy, A. K. Das, V. Odelu, and K.-Y. Yoo, “An enhanced biometric based authentication with key-agreement protocol for multi-server architecture based on elliptic curve cryptography,” PLoS ONE, vol. 11, no. 5, 2016. View at Google Scholar · View at Scopus
  33. C. Wang, X. Zhang, and Z. Zheng, “Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme,” PLoS ONE, vol. 11, no. 2, 2016. View at Google Scholar · View at Scopus
  34. A. G. Reddy, E.-J. Yoon, A. K. Das, V. Odelu, and K.-Y. Yoo, “Design of Mutually Authenticated Key Agreement Protocol Resistant to Impersonation Attacks for Multi-Server Environment,” IEEE Access, vol. 5, pp. 3622–3639, 2017. View at Publisher · View at Google Scholar · View at Scopus
  35. P. Jiang, Q. Wen, W. Li, Z. Jin, and H. Zhang, “An anonymous and efficient remote biometrics user authentication scheme in a multi server environment,” Frontiers of Computer Science, vol. 9, no. 1, pp. 142–156, 2015. View at Publisher · View at Google Scholar · View at MathSciNet
  36. A. K. Das, P. Sharma, S. Chatterjee, and J. K. Sing, “A dynamic password-based user authentication scheme for hierarchical wireless sensor networks,” Journal of Network and Computer Applications, vol. 35, no. 5, pp. 1646–1656, 2012. View at Publisher · View at Google Scholar · View at Scopus
  37. D. Wang, Q. Gu, H. Cheng, and P. Wang, “The request for better measurement: A comparative evaluation of two-factor authentication schemes,” in Proceedings of 11th ACM Asia Conference on Computer and Communications Security, ASIA CCS, pp. 475–486, China, June 2016. View at Publisher · View at Google Scholar · View at Scopus
  38. S. Qiu, G. Xu, H. Ahmad, and L. Wang, “A Robust Mutual Authentication Scheme Based on Elliptic Curve Cryptography for Telecare Medical Information Systems,” IEEE Access, vol. 6, pp. 7452–7463, 2017. View at Publisher · View at Google Scholar · View at Scopus
  39. S. Qiu, G. Xu, H. Ahmad, and Y. Guo, “An enhanced password authentication scheme for session initiation protocol with perfect forward secrecy,” PLoS ONE, vol. 13, no. 3, 2018. View at Google Scholar · View at Scopus
  40. M. Burrows, M. Abadi, and R. Needham, “Logic of authentication,” ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18–36, 1990. View at Publisher · View at Google Scholar · View at Scopus
  41. D. Wang and P. Wang, “On the anonymity of two-factor authentication schemes for wireless sensor networks,” Computer Networks, pp. 73–41, 2014. View at Google Scholar
  42. D. He and D. Wang, “Robust Biometrics-Based Authentication Scheme for Multiserver Environment,” IEEE Systems Journal, vol. 9, no. 3, pp. 816–823, 2015. View at Publisher · View at Google Scholar · View at Scopus
  43. V. Odelu, A. K. Das, and A. Goswami, “A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1953–1966, 2015. View at Publisher · View at Google Scholar · View at Scopus