Sage Journals: Discover world-class research

Abstract

There is an increasing demand of an anonymous authentication to secure communications between numerous different network members while preserving privacy for the members. In this study, we address this issue by using an ID based authenticated and key agreement protocol to improve the recent protocol proposed by Xue et al. They claimed that their protocol could resist masquerade and insider attacks. Unfortunately, we find that Xue et al.'s protocol is not only really insecure against masquerade and insider attacks but also vulnerable to off-line password guessing attack. Therefore, a slight modification to their protocol is proposed to improve their shortcomings. Moreover, our protocol does not use timestamps, so it is not required to synchronize the time. As a result, according to our performance and security analyses, we can prove that our proposed protocol can enhance efficiency and improve security in comparison to previous protocols.

1. Introduction

With the rapid growth of network technology, user authentication plays an important role in achieving the dependable network environments. When we enjoy online shopping, online game, on line documentation, data exchange, and so forth, identity authentication is a basic protection measure to authenticate the identity of remote users [1]. Since Lamport [2] first protocol was shown in 1981, numerous protocols have been proposed and used in many communication systems [3–7]. In 2000, Hwang and Li [8] proposed a new remote user authentication scheme using smart card based on ElGamal's public key cryptosystem. However, their scheme is inefficient because of high communication and computation costs. In order to remedy the security problems and to reduce the communication and computation costs, a large number of smart cards based authentication schemes using one way hash function have been investigated [9–14].

Traditionally, password authentication is mostly considered in single server environment where it has not been efficiently solved in a multiserver based environment. In addition, not only does each user need to log into different remote servers repetitively but also it needs to remember many various sets of identities and passwords if he wants to access these services. In order to solve this problem, different protocols have been suggested to access the resources of multiserver environments. In 2009, Hsiang and Shih [15] proposed a one-way hash function based remote authentication protocol for multisever environment. Later, Sood et al. [16] showed that Hsiang et al.'s protocol could not resist stolen smart card and replay and impersonation attacks and then they proposed an improved protocol. Unfortunately, Li et al. [17] pointed out that Sood et al.'s protocol was susceptible to stolen smart card and replay attacks and was not able to provide key agreement phase. Li et al. also proposed a modified version of Sood et al.'s protocol so as to remedy the security deficiencies. Recently, Xue et al. [18] showed that Li et al.'s protocol was still vulnerable to eavesdropping and replay and forgery attacks. To remedy the weaknesses of Li et al.'s protocol, they proposed a one-way hash based authentication and key agreement protocol for multiserver architecture, which was claimed to resist many kinds of attacks. However, through careful analysis, we found that Xue et al.'s protocol had some critical security pitfalls and is insecure for practical applications.

In this paper, we analyze a novel multiserver authentication protocol proposed by Xue et al. We show that the protocol suffers from masquerade, off-line password guessing, and insider attacks. In order to overcome these security weaknesses, a slight modification to their protocol is proposed to improve their shortcomings. Moreover, our protocol employs random numbers instead of timestamps to avoid time synchronization. As a result, according to our performance and security analysis, we can prove that our proposed protocol is able to enhance efficiency and improve security in comparison to previous protocols.

The rest of paper is organized as follows. In Section 2, we review Xue et al.'s protocol and Section 3 shows the security weaknesses of Xue et al.'s protocol. In Section 4, we propose a new enhancement authentication protocol for multisever environment to overcome these security weaknesses. In Section 5, we present analysis of our protocol. Section 6 shows the performance and functionality comparison among the proposed protocol and other related ones. We conclude in Section 7.

2. Review of Xue et al.'s Protocol

In Xue et al.'s protocol, there are three participants, user $U_{i}$ , service providing servers $S_{j}$ , and control server $CS$ , and four phases, namely, registration, login and authentication, password updating, and identity updating. The notations used throughout this paper are summarized as follows.

$U_{i}, S_{j}, CS:$ user, service providing server, and control server;

${ID}_{i}, {SID}_{j} :$ identity of $U_{i}$ and $S_{j}$ ;

$h (\cdot) :$ hash function;

$P_{i} :$ password of $U_{i}$ ;

$x, y :$ secret key selected by $CS$ ;

$\oplus, ∥ :$ exclusive-OR operation and concatenation operation;

$N_{i 1}, N_{i 2}, N_{i 3} :$ random number selected by $U_{i}$ , $S_{j}$ , and $CS$ .

The login and authentication phases are shown in Box 1.

Box 1: Login and authentication phases of Xue et al.'s protocol.

$U_{i}$ $S_{j}$ $C S$

(1) Input $I D_{i}$ , $P_{i}$ , ( $3$ ) Check $T S_{j} - T S_{i} < Δ T$ , ( $5$ ) Check $T S_{C S} - T S_{i} < Δ T$ ,

$A_{i} = h (b ∥ P_{i})$ , $J_{i} = B S_{j} \oplus N_{i 2}$ , $N_{i 2} = B S_{j} \oplus J_{i}$ ,

Check $C_{i}^{'} = h (I D_{i} ∥ A_{i}) \overset{?}{=} C_{i}$ $K_{i} = h (N_{i 2} ∥ B S_{j} ∥ P_{i j} ∥ T S_{i})$ , $K_{i}^{'} = h (N_{i 2} ∥ B S_{j} ∥ P_{i j} ∥ T S_{i}) \overset{?}{=} K_{i}$ ,

Generate $N_{i 1}$ , $T S_{i}$ , $L_{i} = S I D_{j} \oplus h ({B S_{j} ∥ N_{i 2} ∥ T S_{i} ∥}^{“} 00^{”})$ , $B_{i} = h (P I D_{i} ∥ x)$ , $N_{i 1} = F_{i} \oplus B_{i}$ ,

$B_{i} = D_{i} \oplus C_{i}, F_{i} = B_{i} \oplus N_{i 1}$ , $M_{i} = d \oplus h ({B S_{j} ∥ N_{i 2} ∥ T S_{i} ∥}^{“} 11^{”})$ . $S I D_{j} = L_{i} \oplus h ({B S_{j} ∥ N_{i 2} ∥ T S_{i} ∥}^{“} 00^{”})$ ,

$P_{i j} = h (B_{i} \oplus h (N_{i 1} ∥ S I D_{j} ∥ P I D_{i} ∥ T S_{i}))$ , $\overset{(4) F_{i}, P_{i j}, C I D_{i}, G_{i}, P I D_{i}, T S_{i}, J_{i}, K_{i}, L_{i}, M_{i}, P S I D_{j}}{\to}$

$C I D_{i} = I D_{i} \oplus h ({B_{i} ∥ N_{i 1} ∥ T S_{i} ∥}^{“} 00^{”})$ , $h (B_{i} \oplus h (N_{i 1} ∥ S I D_{j} ∥ P I D_{i} ∥ T S_{i})) \overset{?}{=} P_{i j}$ ,

$G_{i} = b \oplus h ({B_{i} ∥ N_{i 1} ∥ T S_{i} ∥}^{“} 11^{”})$ . Generate $N_{i 3}$ ,

$\overset{(2) F_{i}, P_{i j}, C I D_{i}, G_{i}, P I D_{i}, T S_{i}}{\to}$ $P_{i} = N_{i 1} \oplus N_{i 3} \oplus h (S I D_{j} ∥ N_{i 2} ∥ B S_{j})$ ,

$R_{i} = N_{i 2} \oplus N_{i 3} \oplus h (I D_{i} ∥ N_{i 1} ∥ B_{i})$ ,

$Q_{i} = h (N_{i 1} \oplus N_{i 3}), V_{i} = h (N_{i 2} \oplus N_{i 3})$ .

$\overset{(6) P_{i}, Q_{i}, R_{i}, V_{i}}{\leftarrow}$

(9) $N_{i 2} \oplus N_{i 3} = R_{i} \oplus h (I D_{i} ∥ N_{i 1} ∥ B_{i})$ , (7) $N_{i 1} \oplus N_{i 3} = P_{i} \oplus h (S I D_{j} ∥ N_{i 2} ∥ B S_{j})$ ,

Check $Q_{i}^{'} = h (N_{i 1} \oplus N_{i 3}) \overset{?}{=} Q_{i}$ .

Check $V_{i}^{'} = h (N_{i 2} \oplus N_{i 3}) \overset{?}{=} V_{i}$ .

$\overset{(8) R_{i}, V_{i}}{\leftarrow}$

$\overset{S K = h ((N_{i 1} \oplus N_{i 2} \oplus N_{i 3}) ∥ T S_{i})}{\leftrightarrow}$

2.1. Registration Phase

$CS$ firstly chooses two security elements x and y.

(1) $U_{i}$ selects a password $P_{i}$ and a random number b. Then, $U_{i}$ computes $A_{i} = h (b ∥ P_{i})$ and sends ${I D_{i}, b, A_{i}}$ to $CS$ through a secure channel.

(2) $CS$ computes $PI D_{i} = h (I D_{i} ∥ b)$ and $B_{i} = h (PI D_{i} ∥ x)$ and sends $B_{i}$ to $U_{i}$ via a secure channel.

(3) $U_{i}$ computes $C_{i} = h (I D_{i} ∥ A_{i})$ and $D_{i} = B_{i} \oplus h (PI D_{i} \oplus A_{i})$ and stores ${C_{i}, D_{i}, h (\cdot), b}$ into the smart card.

2.2. Login and Authentication Phases

(1) $U_{i}$ inserts his smart card into the terminal and inputs his identity $I D_{i}$ and password $P_{i}$ .

(2) $U_{i}$ computes $A_{i} = h (b ∥ P_{i})$ and $C_{i}^{'} = h (I D_{i} ∥ A_{i})$ and checks whether $C_{i}^{'} \overset{?}{=} C_{i}$ . If it is true, $U_{i}$ is viewed as a legitimate user. Otherwise, the terminal rejects the login request. Then, $U_{i}$ computes $B_{i} = D_{i} \oplus C_{i}$ , $F_{i} = B_{i} \oplus N_{i 1}$ , $P_{i j} = h (B_{i} \oplus h (N_{i 1} ∥ SI D_{j} ∥ PI D_{i} ∥ T S_{i}))$ , $CI D_{i} = I D_{i} \oplus h (B_{i} ∥ N_{i 1} ∥ T S_{i} ∥ “ 00 “)$ , and $G_{i} = b \oplus h (B_{i} ∥ N_{i 1} ∥ T S_{i} ∥ “ 11 “)$ and transmits ${F_{i}, P_{i j}, CI D_{i}, G_{i}, PI D_{i}, T S_{i}}$ to $S_{j}$ .

(3) $S_{j}$ generates a random number d and sends ${SI D_{j}, b}$ to $CS$ . Finally, $S_{j}$ obtains $B S_{j} = h (PSI D_{j} ∥ y)$ from $CS$ and stores ${B S_{j}, b}$ into its database. When receiving the message from $U_{i}$ , $S_{j}$ checks whether $T S_{j} - T S_{i} < Δ T$ is valid and where $T S_{j}$ is the current time. If it is true, $S_{j}$ chooses a number $N_{i 2}$ and computes $J_{i} = B S_{j} \oplus N_{i 2}$ , $K_{i} = h (N_{i 2} ∥ B S_{j} ∥ P_{i j} ∥ T S_{i})$ , $L_{i} = SI D_{j} \oplus h (B S_{j} ∥ N_{i 2} ∥ T S_{i} ∥ “ 00 “)$ , and $M_{i} = d \oplus h (B S_{j} ∥ N_{i 2} ∥ T S_{i} ∥ “ 11 “)$ and transmits ${F_{i}, P_{i j}, CI D_{i}, G_{i}, PI D_{i}, T S_{i}, J_{i}, K_{i}, L_{i}, M_{i}, PSI D_{j}}$ to $CS$ .

(4) $CS$ checks whether $T S_{CS} - T S_{i} < Δ T$ is valid, where $T S_{CS}$ is the current time. If it is true, $S_{j}$ chooses a random number $N_{i 2}$ , computes $B S_{j} = h (PSI D_{j} ∥ y)$ , $N_{i 2} = J_{i} \oplus B S_{j}$ , and $K^{'} = h (N_{i 2} ∥ B S_{j} ∥ P_{i j} ∥ T S_{i})$ and checks whether $K^{'} \overset{?}{=} K$ . If it is true, $CS$ continues to calculate $B_{i} = h (PI D_{i} ∥ x)$ , $N_{i 1} = F_{i} \oplus B_{i}$ , $SI D_{i} = L_{i} \oplus h (B S_{j} ∥ N_{i 2} ∥ T S_{i} ∥ “ 00 “)$ , and $P_{i j}^{'} = h (B_{i} \oplus h (N_{i 1} ∥ SI D_{j} ∥ PI D_{i} ∥ T S_{i}))$ and checks whether $P_{i j}^{'} \overset{?}{=} P_{i j}$ . If it is true, $CS$ chooses a random number $N_{i 3}$ and calculates $P_{i} = N_{i 1} \oplus N_{i 3} \oplus h (SI D_{j} ∥ N_{i 2} ∥ B S_{j})$ , $Q_{i} = h (N_{i 1} \oplus N_{i 3})$ , $R_{i} = N_{i 2} \oplus N_{i 3} \oplus h (I D_{i} ∥ N_{i 1} ∥ B_{i})$ , and $V_{i} = h (N_{i 2} \oplus N_{i 3})$ . Then, $CS$ delivers ${P_{i}, Q_{i}, R_{i}, V_{i}}$ to $S_{j}$ .

(5) $S_{j}$ computes $N_{i 1} \oplus N_{i 3} = P_{i} \oplus h (SI D_{j} ∥ N_{i 2} ∥ B S_{j})$ and $Q_{i}^{'} = h (N_{i 1} \oplus N_{i 3})$ and checks whether $Q_{i}^{'} \overset{?}{=} Q_{i}$ . If it follows, $S_{j}$ transmits ${R_{i}, V_{i}}$ to $U_{i}$ .

(6) $U_{i}$ computes $N_{i 2} \oplus N_{i 3} = R_{i} \oplus h (I D_{i} ∥ N_{i 1} ∥ B_{i})$ and $V_{i}^{'} = h (N_{i 2} \oplus N_{i 3})$ and checks whether $V_{i}^{'} \overset{?}{=} V_{i}$ . If it follows, $CS$ and $S_{j}$ are authenticated by $U_{i}$ . Finally, the common session key $SK = h ((N_{i 1} \oplus N_{i 2} \oplus N_{i 3}) ∥ T S_{i})$ can be shared among $U_{i}$ , $S_{j}$ , and $CS$ .

2.3. Password Updating Phase

(1) $U_{i}$ computes $C_{i}^{'} = h (I D_{i} ∥ A_{i}^{'})$ and $D_{i}^{'} = B_{i} \oplus h (PI D_{i} \oplus A_{i}^{'})$ and updates corresponding value in the smart card.

(2) $U_{i}$ submits ${I D_{i}, A_{i}^{'}}$ with a new password $P_{i}^{'}$ to $CS$ . Then, $CS$ updates user's $P_{i}$ stored in its verification table.

2.4. Identity Updating Phase

(1) $U_{i}$ chooses a random number $b^{'}$ and computes $A_{i}^{'} = h (b^{'} ∥ P_{i})$ . Then, $U_{i}$ submits ${I D_{i}, b^{'}, A_{i}^{'}}$ to $CS$ .

(2) $CS$ computes $PI D_{i} = h (I D_{i} ∥ b^{'})$ and $B_{i}^{'} = h (PI D_{i} ∥ x)$ and submits $B_{i}^{'}$ to $U_{i}$ .

(3) $U_{i}$ computes $C_{i}^{'} = h (I D_{i} ∥ A_{i}^{'})$ and $D_{i}^{'} = B_{i}^{'} \oplus h (PI D_{i} \oplus A_{i}^{'})$ . Finally, the smart card is updated to ${C_{i}^{'}, D_{i}^{'}, h (\cdot), b^{'}}$ .

(4) $S_{j}$ selects a random number $d^{'}$ and submits ${SI D_{j}, d^{'}}$ to $CS$ .

(5) $CS$ computes $PSI D_{j}^{'} = h (SI D_{j} ∥ d^{'})$ and $B S_{j}^{'} = h (PSI D_{j}^{'} ∥ y)$ . Then, $CS$ sends $B S_{j}$ to $S_{j}$ . $S_{j}$ updates ${B S_{j}^{'}, d^{'}}$ in its database.

3. Cryptanalysis of Xue et al.'s Protocol

Although Xue et al. claimed that their protocol can resist many types of attacks, the actual situation is not the case. In this section, we analyze the security weaknesses of Xue et al.'s protocol. Through careful analysis, we find that Xue et al.'s protocol is vulnerable to two kinds of masquerade, insider and off-line password guessing attacks. The detailed analyses are described as follows.

3.1. Masquerade Attack against a Legitimate User

We here assume that a malicious attacker $A$ can totally control communication channels among $U_{i}$ , $S_{j}$ , and $CS$ since the messages are transmitted via a public channel in the login and key agreement phase. Therefore, $U_{i}$ can intercept, insert, or delete any messages at his will [2]. Once $A$ steals user's smart card, he can masquerade as $U_{i}$ through the following steps.

(1) $A$ steals $U_{i}$ 's smart card containing the information ${C_{i}, D_{i}, h (\cdot), b}$ [19, 21], where $C_{i} = h (I D_{i} ∥ h (b ∥ P_{i}))$ and $D_{i} = h (h (I D_{i} ∥ b) ∥ x) \oplus h (h (I D_{i} ∥ b) \oplus h (b ∥ P_{i}))$ .

(2) $A$ can intercept a request message ${F_{i}, P_{i j}, CI D_{i}, G_{i}, PI D_{i}, T S_{i}}$ of $U_{i}$ from the public communication channel. Then $A$ can calculate $B_{i} = C_{i} \oplus D_{i}$ , $N_{i 1} = B_{i} \oplus F_{i}$ , and $I D_{i} = CI D_{i} \oplus h (B_{i} ∥ N_{i 1} ∥ T S_{i} ∥ “ 00 “)$ . $A$ can select a random number $N_{i 1}^{'}$ and calculate $F_{i} = B_{i} \oplus N_{i 1}^{'}$ , $P_{i j} = h (B_{i} \oplus h (N_{i 1}^{'} ∥ SI D_{j} ∥ h (I D_{i} ∥ b) ∥ T S_{i}^{'})$ , $CI D_{i} = I D_{i} \oplus h (B_{i} ∥ N_{i 1}^{'} ∥ T S_{i}^{'} ∥ “ 00 “)$ , and $G_{i} = b \oplus h (B_{i} ∥ N_{i 1}^{'} ∥ T S_{i}^{'} ∥ “ 11 “)$ , where $T S_{i}^{'}$ is a new timestamp generated by $A$ . Now $A$ can deliver valid request message ${F_{i}^{'}, P_{i j}^{'}, CI D_{i}^{'}, G_{i}^{'}, PI D_{i}, T S_{i}^{'}}$ by masquerading as $U_{i}$ to $S_{j}$ .

(3) This valid request message from $A$ is verified by $S_{j}$ if $T S_{j} - T S_{i}^{'} < Δ T$ , after $A$ passing authentication by $S_{j}$ , $S_{j}$ calculates $J_{i} = B S_{j} \oplus N_{i 2}$ , $K_{i}^{'} = h (N_{i 2} ∥ B S_{j} ∥ P_{i j} ∥ T S_{i}^{'})$ , $L_{i}^{'} = SI D_{j} \oplus h (B S_{j} ∥ N_{i 2} ∥ T S_{i}^{'} ∥ “ 00 “)$ , and $M_{i}^{'} = d \oplus h (B S_{j} ∥ N_{i 2} ∥ T S_{i}^{'} ∥ “ 11 “)$ and transmits the message ${F_{i}^{'}, P_{i j}^{'}, CI D_{i}^{'}, G_{i}^{'}, PI D_{i}, T S_{i}^{'}, J_{i}, K_{i}^{'}, L_{i}^{'}, M_{i}^{'}, PSI D_{j}}$ to $CS$ .

(4) When receiving the message from $S_{j}$ , $CS$ checks whether $T S_{CS} - T S_{i}^{'} < Δ T$ . If it is true, $CS$ calculates $B S_{j} = h (PSI D_{j} ∥ y)$ , $N_{i 2} = J_{i} \oplus B S_{j}$ , $K_{i}^{'} = h (N_{i 2} ∥ B S_{j} ∥ P_{i j}^{'} ∥ T S_{i}^{'})$ , $B_{i} = h (PI D_{i} ∥ x)$ , $N_{i 1}^{'} = F_{i}^{'} \oplus B_{i}$ , $I D_{i} = CI D_{i}^{'} \oplus h (B_{i} ∥ N_{i 1}^{'} ∥ T S_{i}^{'} ∥ “ 00 “)$ , $SI D_{j} = L_{i}^{'} \oplus h (B S_{j} ∥ N_{i 2} ∥ T S_{i}^{'} ∥ “ 00 “)$ , and $P_{i j}^{'} = h (B_{i} \oplus h (N_{i 1}^{'} ∥ SI D_{j} ∥ PI D_{i} ∥ T S_{i}^{'}))$ and checks whether $P_{i j}^{'} \overset{?}{=} P_{i j}$ . If it is true, $CS$ continues to compute $b = G_{i}^{'} \oplus h (B_{i} ∥ N_{i 1}^{'} ∥ T S_{i}^{'} ∥ “ 11 “)$ , $d = M_{i}^{'} \oplus h (B S_{j} ∥ N_{i 2} ∥ T S_{i}^{'} ∥ “ 11 “)$ , $PI D_{i} = h (I D_{i} ∥ b)$ , and $PSI D_{j} = h (SI D_{j} ∥ d)$ and verifies whether $PI D_{i}$ and $PSI D_{j}$ are equal with the received corresponding values. If they follow, $CS$ selects a random number $N_{i 3}$ and computes $P_{i} = N_{i 1}^{'} \oplus N_{i 3} \oplus h (SI D_{j} ∥ N_{i 2} ∥ B S_{j})$ , $Q_{i} = h (N_{i 1}^{'} \oplus N_{i 3})$ , $R_{i} = N_{i 2} \oplus N_{i 3} \oplus h (I D_{i} ∥ N_{i 1}^{'} ∥ B_{i})$ , and $V_{i} = h (N_{i 2} \oplus N_{i 3})$ . Then $CS$ sends ${P_{i}^{'}, Q_{i}^{'}, R_{i}^{'}, V_{i}}$ to $S_{j}$ .

(5) After receiving the message from $CS$ , $S_{j}$ computes $N_{i 1}^{'} \oplus N_{i 3} = P_{i}^{'} \oplus h (SI D_{j} ∥ N_{i 2} ∥ B S_{j})$ and $Q_{i}^{'} = h (N_{i 1}^{'} \oplus N_{i 3})$ and checks whether $Q_{i}^{'} \overset{?}{=} Q_{i}$ . Then, $S_{j}$ directly transmits ${R_{i}^{'}, V_{i}}$ to $A$ who is masquerading as $U_{i}$ .

(6) The masquerading user $A$ can verify the received value of $V_{i} = h (N_{i 2} \oplus N_{i 3})$ by $N_{i 2} \oplus N_{i 3} = R_{i}^{'} \oplus h (I D_{i} ∥ N_{i 1}^{'} ∥ B_{i})$ . Finally, $A$ is masquerading as $U_{i}$ , $S_{j}$ , and $CS$ agree on the common session key $SK = h ((N_{i 1}^{'} \oplus N_{i 2} \oplus N_{i 3}) ∥ T S_{i}^{'})$ and access the services provided by $S_{j}$ .

3.2. Masquerade Attack against a Legitimate Service Providing Server

Assume a malicious attacker $A$ has broken $S_{j}$ . Then, $A$ can get the secret number $B S_{j}$ and perform the following masquerade attack.

(1) $A$ has intercepted a valid request message ${F_{i}, P_{i j}, CI D_{i}, G_{i}, PI D_{i}, T S_{i}}$ sent from $U_{i}$ to $S_{j}$ in the public communication. Then, $A$ computes $J_{i} = B S_{j} \oplus N_{i 2}^{'}$ , $K_{i} = h (N_{i 2}^{'} ∥ B S_{j} ∥ P_{i j} ∥ T S_{i})$ , $L_{i} = SI D_{j} \oplus h (B S_{j} ∥ N_{i 2}^{'} ∥ T S_{i} ∥ “ 00 “)$ , and $M_{i} = d \oplus h (B S_{j} ∥ N_{i 2} ∥ T S_{i} ∥ “ 11 “)$ , where $N_{i 2}^{'}$ is a random number generated by $A$ . Then $A$ transmits the message ${F_{i}, P_{i j}, CI D_{i}, G_{i}, PI D_{i}, T S_{i}^{'}, J_{i}, K_{i}, L_{i}, M_{i}, PSI D_{j}}$ to $CS$ .

(2) Upon receiving the message, $CS$ carries out a series of computations and verifications according to his original protocol without being detected since $CS$ has no operation to validate the correctness of $B S_{j}$ . Finally, $CS$ sends ${P_{i}, Q_{i}, R_{i}, V_{i}}$ to $A$ who is masquerading as $S_{i}$ .

(3) The masquerading sever $A$ can verify the received value of $Q_{i} = h (N_{i 1} \oplus N_{i 3})$ through $N_{i 1} \oplus N_{i 3} = P_{i} \oplus h (SI D_{j} ∥ N_{i 2}^{'} ∥ B S_{j})$ . Then the masquerading sever $A$ delivers the message ${R_{i}, V_{i}}$ to $U_{i}$ .

(4) When receiving the message from $A$ who is masquerading as $S_{j}$ , $U_{i}$ computes $N_{i 2} \oplus N_{i 3} = R_{i} \oplus h (I D_{i} ∥ N_{i 1}^{'} ∥ B_{i})$ and $V_{i}^{'} = h (N_{i 2} \oplus N_{i 3})$ and verifies $V_{i}^{'}$ with the received value of $V_{i}$ . $U_{i}$ will notify $A$ that the attacker who is masquerading as the sever $S_{j}$ is the service providing server. Therefore, $A$ can further establish a session key $SK = h (N_{i 1} \oplus N_{i 2}^{'} \oplus N_{i 3} ∥ T S_{i}^{'})$ with $U_{i}$ and $CS$ .

3.3. Off-Line Password Guessing Attack

A malicious attacker $A$ stealing user's smart card can gather information ${C_{i}, D_{i}, h (\cdot), b}$ from the memory of the stolen smart card [19, 21].

(1) $A$ intercepts a request message ${F_{i}, P_{i j}, CI D_{i}, G_{i}, PI D_{i}, T S_{i}}$ delivered from $U_{i}$ to $S_{j}$ in the public communication channel.

(2) $A$ guesses a password $P_{i}^{'}$ to compute $A_{i}^{'} = h (b ∥ P_{i}^{'})$ and checks whether $h (PI D_{i} \oplus A_{i}^{'}) \overset{?}{=} C_{i}$ . If it is true, $A$ has guessed the correct password. Otherwise, $A$ repeatedly guesses a new password until he succeeds.

(3) $A$ can also launch an off-line guessing attack on $PI D_{i} = h (I D_{i} ∥ b)$ to obtain the identity $I D_{i}$ of $U_{i}$ since $A$ knows the value of b from the stolen smart card of $U_{i}$ .

(4) $A$ possesses the valid smart card of $U_{i}$ and knows the identity $I D_{i}$ and the password $P_{i}$ corresponding to $U_{i}$ and hence can login to any service server.

3.4. Insider Attack

In general, the password is human memorable short strings. That is, password is not high-entropy keys [20]. Therefore, the following attack is feasible in practice.

(1) In the registration phase, $U_{i}$ sends ${I D_{i}, b, A_{i}}$ to $CS$ , where $A_{i} = h (b ∥ P_{i})$ ; $P_{i}$ is the password of $U_{i}$ . Then, a malicious insider attacker $A$ can guess a password $P_{i}$ and therefore it is not difficult for $A$ to find out user's exact password $P_{i}$ from $A_{i}$ by performing an off-line password guessing attack.

(2) $A$ tries to use identity-password pair $(I D_{i}, P_{i})$ of $U_{i}$ , following the password authentication of Xue et al.'s protocol and can successfully login to the other servers.

4. Our Improved Protocol

In this section, we propose an enhanced and simple ID based authentication protocol to remedy the weaknesses of Xue et al.'s protocol. Our protocol has three phases; that is, registration, login, and authentication are shown in Box 2, and password update.

Box 2: Login and authentication phases of our improved protocol.

$U_{i}$ $S_{j}$ $C S$

(1) Input $I D_{i}$ , $P_{i}$ , ( $3$ ) Generate $N_{i 2}$ , ( $5$ ) Check

$A_{i} = h (b ∥ P_{i})$ , $P S I D_{j} = B S_{j} \oplus z$ , $P_{i j}^{'} = K_{i} \oplus M_{i} {\oplus P S I D}_{j}$ ,

Check $C_{i}^{'} = h (I D_{i} ∥ A_{i} ∥ h (y)) \overset{?}{=} C_{i}$ $P_{i j} = P S I D_{j} \oplus F_{i}$ , $P_{i j_{i}} = h (P I D_{i} ∥ A_{i} ∥ h (y)),$

$P_{i j} = h (P I D_{i} ∥ A_{i} ∥ h (y))$ , $K_{i} = P S I D_{j} \oplus N_{i 2}$ , $P_{i j}^{'} \overset{?}{=} P_{i j}$ .

$F_{i} = h (S I D_{j} ∥ h (y)) \oplus P_{i j}$ , $M_{i} = P_{i j} \oplus N_{i 2}$ . $N_{i 1} = G_{i} \oplus h (A_{i} ∥ P I D_{i} ∥ S I D_{j} ∥ h (y))$ ,

Generate $N_{i 1}$ , $\overset{(4) K_{i}, M_{i}, G_{i}}{\to} N_{i 2} = P_{i j} \oplus M_{i}$ ,

$G_{i} = h (A_{i} ∥ P I D_{i} ∥ S I D_{j} ∥ h (y)) \oplus N_{i 1}$ . $R_{i} = h (N_{i 1} \oplus A_{i}), V_{i} = h (N_{i 2} \oplus P S I D_{j})$ ,

$\overset{(2) F_{i}, G_{i}}{\to}$ Generate $N_{i 3}$ ,

$P_{i} = N_{i 1} \oplus N_{i 2} \oplus N_{i 3} \oplus h (I D_{i} ∥ N_{i 1} ∥ P_{i j})$ ,

$Q_{i} = N_{i 1} \oplus N_{i 2} \oplus N_{i 3} \oplus h (P S I D_{j} ∥ N_{i 2} ∥ P_{i j}$ ).

$(9) c h e c k$ $\overset{(6) P_{i}, Q_{i}, V_{i}, R_{i}}{\leftarrow}$

$R_{i}^{'} = h (N_{i 1} \oplus A_{i}) \overset{?}{=} R_{i}$ . $(7)$ $V_{i}^{'} = h (N_{i 2} \oplus P S I D_{j}) \overset{?}{=} V_{i}$ ,

$N_{i 2} \oplus N_{i 3} = h (I D_{i} ∥ N_{i 1} ∥ P_{i j}) \oplus P_{i}$ . $N_{i 1} \oplus N_{i 3} = h (P S I D_{j} ∥ N_{i 2} ∥ P_{i j}) \oplus Q_{i}$ .

$\overset{(8) R_{i}, P_{i}}{\leftarrow}$

$\overset{S K = h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3} ∣ ∣ h (P_{i j}))}{\leftrightarrow}$

4.1. Registration Phase

The registration phase of $U_{i}$ is as follows.

(1) $U_{i}$ generates a random number b and computes $A_{i} = h (b ∥ P_{i})$ . Then, $U_{i}$ submits ${I D_{i}, A_{i}}$ to control sever $CS$ .

(2) Upon receiving message from $U_{i}$ , $CS$ first generates a random number d and computes $B_{i} = h (A_{i} ∥ d)$ and $PI D_{i} = h (I D_{i} ∥ h (y))$ . Then, $CS$ stores ${B_{i}, PI D_{i}}$ into a smart card and returns it to $U_{i}$ .

(3) $U_{i}$ computes $C_{i} = h (I D_{i} ∥ h (y) ∥ A_{i})$ and stores the information ${B_{i}, C_{i}, h (y)}$ into the smart card.

The registration phase of $S_{j}$ is as follows.

(1) $S_{j}$ submits his identity $SI D_{j}$ to $CS$ .

(2) When $CS$ receives a registration request from $S_{j}$ , $CS$ generates a random number e and computes $PSI D_{j} = h (SI D_{j} ∥ e)$ . Then, $CS$ sends $PSI D_{j}$ to $S_{j}$ .

(3) $S_{j}$ stores $PSI D_{j}$ by computing $B S_{j} = PSI D_{j} \oplus z$ , where z is the secret key of $S_{j}$ .

4.2. Login and Authentication Phases

(1) $U_{i}$ inserts his smart card into device and enters his identity $I D_{i}$ and password $P_{i}$ . Then, the smart card validates the entered $I D_{i}$ and $P_{i}$ by checking whether $C_{i}^{'} = h (I D_{i} ∥ h (b ∥ P_{i}) ∥ h (y))$ is equal to the stored $C_{i}$ . If it holds, the smart card generates a random number $N_{i 1}$ and computes $P_{i j} = h (PI D_{i} ∥ A_{i} ∥ h (y))$ , $F_{i} = h (SI D_{j} ∥ h (y)) \oplus P_{i j}$ , and $G_{i} = h (A_{i} ∥ PI D_{i} ∥ SI D_{j} ∥ h (y)) \oplus N_{i 1}$ . Finally, $U_{i}$ submits ${F_{i}, G_{i}}$ to $S_{j}$ .

(2) Upon receiving the message from $U_{i}$ , $S_{j}$ first extracts $PSI D_{j}$ from $B S_{j}$ by using his secret key z and generates a random number $N_{i 2}$ . Then, $S_{j}$ computes $P_{i j} = PSI D_{j} \oplus F_{i}$ , $K_{i} = PSI D_{j} \oplus N_{i 2}$ , and $M_{i} = P_{i j} \oplus N_{i 2}$ and transmits ${G_{i}, K_{i}, M_{i}}$ to $CS$ .

(3) $CS$ first checks whether $P_{i j}^{'} = h (PI D_{i} ∥ A_{i} ∥ h (y)) \overset{?}{=} P_{i j}$ . If it is true, $CS$ generates a random number $N_{i 3}$ and computes $R_{i} = h (N_{i 1} \oplus A_{i})$ , $V_{i} = h (N_{i 2} \oplus PSI D_{j})$ , $N_{i 1} = G_{i} \oplus h (A_{i} ∥ PI D_{i} ∥ SI D_{j} ∥ h (y))$ , $N_{i 2} = P_{i j} \oplus M_{i}$ , $P_{i} = N_{i 1} \oplus N_{i 2} \oplus N_{i 3} \oplus h (I D_{i} ∥ N_{i 1} ∥ P_{i j})$ , and $Q_{i} = N_{i 1} \oplus N_{i 2} \oplus N_{i 3} \oplus h (PSI D_{j} ∥ N_{i 2} ∥ P_{i j})$ . Finally, $CS$ delivers ${R_{i}, V_{i}, P_{i}, Q_{i}}$ to $S_{j}$ .

(4) $S_{j}$ directly verifies $V_{i}^{'} = h (N_{i 2} \oplus PSI D_{j}) \overset{?}{=} V_{i}$ . If it holds, $S_{j}$ calculates $N_{i 1} \oplus N_{i 3} = h (PSI D_{j} ∥ N_{i 2} ∥ P_{i j}) \oplus Q_{i}$ and sends ${R_{i}, P_{i}}$ to $U_{i}$ .

(5) Upon receiving the message from $S_{j}$ , $U_{i}$ first checks whether $R_{i}^{'} = h (N_{i 1} \oplus A_{i}) \overset{?}{=} R_{i}$ and then computes $N_{i 2} \oplus N_{i 3} = h (I D_{i} ∥ N_{i 1} ∥ P_{i j}) \oplus P_{i}$ . Finally, a session key $SK = h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3} ∥ h (P_{i j}))$ is established among $U_{i}$ , $S_{j}$ , and $CS$ .

4.3. Password Updating Phase

When $U_{i}$ changes original password by simply inserting the smart card into a device and he can finish this process without any assistance from $CS$ .

$U_{i}$ generates a random $b^{'}$ and a new password $P_{i}^{'}$ ; then $U_{i}$ computes $A_{i}^{'} = h (b^{'} ∥ P_{i})$ . Then, the smart card will compute $C_{i}^{'} = h (A_{i}^{'} ∥ I D_{i} ∥ b^{'})$ and replace $C_{i}$ with $C_{i}^{'}$ .

5. Security Analysis of Our Improved Protocol

In this section, we first adopt Burrows-Abadi-Needham (BAN) logic [22] to prove that a session key between communicating parties can be correctly generated within authentication process. Then, we conduct a security analysis of the improved protocol to show that the improved protocol can withstand all possible security attacks. The following attacks are based on the assumptions that a malicious attacker $A$ has completely monitored the communication channel in login and authentication phases. So $A$ can eavesdrop, modify, insert, or delete any messages transmitted via public channel [2].

5.1. Verifying Authentication with BAN Logic

BAN logic has been highly successful in analyzing the security of authentication schemes [23]. We introduce some notations of BAN logic as follows:

$A| \equiv X :$ A believes a statement X;

$A \overset{K}{\leftrightarrow} B :$ share a key K between A and B;

$# X :$ X is fresh;

$A ⊲ X :$ A sees X;

$A \Rightarrow X :$ A controls X;

$A| ~ X :$ A said X;

${(X, Y)}_{K} :$ X and Y are hashed with the key K;

${〈X〉}_{K} :$ X is XORed with the key K.

We introduce logical postulates of BAN logic that we used into our protocol as follows.

(1)

BAN logical postulates are as follows.

(a)

Message-meaning rule: Consider $(A | \equiv A \overset{K}{\leftrightarrow} B, A ⊲ {〈X〉}_{K}) / (A | \equiv | B ~ X)$ ; if A believes that the key K is shared by A and B and sees X encrypted with K, then A believes that B once said X.

(b)

(c)

The belief rule: Consider $(A | \equiv X, A | \equiv Y) / (A | \equiv (X, Y))$ ; if A believes X and Y, then A believes $(X, Y)$ .

(d)

Fresh conjuncatenation rule: Consider $(A | \equiv # (X)) / (A | \equiv # (X, Y))$ ; if A believes freshness of X, then B believes freshness of $(X, Y)$ .

(e)

Jurisdiction rule: Consider $(A | \equiv B \Rightarrow X, A | \equiv B | \equiv X) / (A | \equiv X)$ ; if A believes that B has jurisdiction over X and A trusts B on the truth of X, then A believes X.

(f)

Introduction of the session key: Consider $(A | \equiv # (SK), A | \equiv B | \equiv # (SK)) / (A | \equiv A \leftrightarrow B)$ ; if A believes that the session key $SK$ is fresh and B believes X, which are the necessary elements for a key, then A believes that he/she shares the session key $SK$ with B.

(2)

Establishment of security goals:

$(g_{1})$

$U_{i} | \equiv U_{i} \overset{SK}{\leftrightarrow} S_{j}$ ;

(g_{2})

$U_{i} | \equiv S_{j} | \equiv U_{i} \overset{SK}{\leftrightarrow} S_{j}$ ;

(g_{3})

$S_{j} | \equiv U_{i} \overset{S K}{\leftrightarrow} S_{j}$ ;

(g_{4})

$S_{j} | \equiv U_{i} | \equiv U_{i} \overset{SK}{\leftrightarrow} S_{j}$ ;

(g_{5})

$CS | \equiv S_{j} \overset{SK}{\leftrightarrow} CS$ ;

(g_{6})

$CS | \equiv S_{j} | \equiv S_{j} \overset{SK}{\leftrightarrow} CS$ ;

(g_{7})

$S_{j} | \equiv S_{j} \overset{SK}{\leftrightarrow} CS$ ;

(g_{8})

$S_{j} | \equiv CS | \equiv S_{j} \overset{SK}{\leftrightarrow} CS$ ;

(g_{9})

$U_{i} | \equiv U_{i} \overset{SK}{\leftrightarrow} CS$ ;

(g_{10})

$U_{i} | \equiv CS | \equiv U_{i} \overset{SK}{\leftrightarrow} CS$ ;

(g_{11})

$CS | \equiv U_{i} \overset{SK}{\leftrightarrow} CS$ ;

(g_{12})

$CS | \equiv U_{i} | \equiv U_{i} \overset{SK}{\leftrightarrow} CS$ .

(3)

Idealized protocol:

$U_{i} : {〈P_{i j}〉}_{h (SI D_{j} ∥ h (y))}$ , ${〈(I D_{i} ∥ h (b ∥ P_{i}) ∥ SI D_{j} ∥ h (y))〉}_{N_{i 1}}$ ;

$S_{j} : {〈N_{i 2}〉}_{h (SI D_{j} ∥ e)}$ , ${〈P_{i j}〉}_{N_{i 2}}$ ;

$CS: {(P_{i j}, I D_{i})}_{〈N_{i 1}, N_{i 2}, N_{i 3}〉}$ , $(PSI D_{j}, P_{i j})_{〈N_{i 1}, N_{i 2}, N_{i 3}〉}$ , ${〈N_{i 1}〉}_{h (P_{i} ∥ b)}$ , ${〈N_{i 2}〉}_{h (SI D_{j} ∥ e)}$ .

(4)

Initiative premises:

$(p_{1})$

$U_{i} | \equiv # N_{i 1}$ ;

(p_{2})

$U_{i} | \equiv # N_{i 2}$ ;

(p_{3})

$U_{i} | \equiv # N_{i 3}$ ;

(p_{4})

$S_{j} | \equiv # N_{i 1}$ ;

(p_{5})

$S_{j} | \equiv # N_{i 2}$ ;

(p_{6})

$S_{j} | \equiv # N_{i 3}$ ;

(p_{7})

$CS | \equiv # N_{i 1}$ ;

(p_{8})

$CS | \equiv # N_{i 2}$ ;

(p_{9})

$CS | \equiv # N_{i 3}$ ;

(p_{10})

$S_{j} | \equiv S_{j} \overset{h (y)}{\leftrightarrow} CS$ ;

(p_{11})

$U_{i} | \equiv I D_{i}$ ;

(p_{12})

$U_{i} | \equiv (P_{i}, b)$

(p_{13})

$S_{j} | \equiv (SI D_{j}, e)$ ;

(p_{14})

$CS | \equiv U_{i} \Rightarrow (P_{i}, b)$ ;

(p_{15})

$CS | \equiv U_{i} \Rightarrow P_{i j}$ .

(5)

Protocol analysis:

$(a_{1})$

By $(p_{1}) – (p_{3})$ and $U_{i} ⊲ (P_{i j}, I D_{i})_{〈N_{i 1}, N_{i 2}, N_{i 3}〉}$ , we obtain $U_{i} | \equiv 〈N_{i 1}, N_{i 2}, N_{i 3}〉$ ;

(a_{2})

by $U_{i} ⊲ (P_{i j}, I D_{i})_{〈N_{i 1}, N_{i 2}, N_{i 3}〉}$ and $(a_{1})$ , we apply the message-meaning rule to derive $U_{i} | \equiv S_{j} ~ P_{i j}$ ;

(a_{3})

by $(a_{2})$ , we apply the freshness conjuncatenation rule and the nonce-verification rule to derive $U_{i} | \equiv S_{j} | \equiv P_{i j}$ ;

(g_{1})

by $(a_{3})$ , $(p_{1}) – (p_{3})$ , and introduction of the session keys, we get $U_{i} \equiv U_{i} | \overset{SK}{\leftrightarrow} S_{j}$ ;

(g_{2})

by $(g_{1})$ and $(p_{1}) – (p_{3})$ , we apply the nonce-verification rule to derive $U_{i} | \equiv S_{j} | \equiv U_{i} | \overset{SK}{\leftrightarrow} S_{j}$ ;

(a_{4})

by $(p_{10})$ and $S_{j} ⊲ {〈P_{i j}〉}_{h (SI D_{j} ∥ h (y))}$ , we obtain $S_{j} | \equiv h (SI D_{j} ∥ h (y))$ ;

(a_{5})

by $S_{j} ⊲ {〈P_{i j}〉}_{h (SI D_{j} ∥ h (y))}$ and $(a_{1})$ , we apply the message-meaning rule to derive $S_{j} | \equiv U_{i} ~ P_{i j}$ ;

(a_{6})

by $(a_{5})$ , we apply the fresh conjuncatenation rule and the nonce-verification rule to derive $S_{j} | \equiv U_{i} | \equiv P_{i j}$ ;

(g_{3})

by $(a_{6})$ , $(p_{4}) – (p_{6})$ , and introduction of the session keys, we get $S_{j} | \equiv U_{i} | \equiv U_{i} | \overset{SK}{\leftrightarrow} S_{j}$ ;

(g_{4})

by $(g_{3})$ and $(p_{4}) – (p_{6})$ , we apply the nonce-verification rule to derive $S_{j} | \equiv U_{i} | \equiv U_{i} | \overset{SK}{\leftrightarrow} S_{j}$ ;

(a_{7})

by $(p_{6}) – (p_{8})$ and $CS ⊲ {〈P_{i j}〉}_{N_{i 2}}$ , we apply the message-meaning rule, the fresh conjuncatenation rule, and the nonce-verification rule to derive $CS | \equiv U_{i} | \equiv P_{i j}$ ;

(a_{8})

by $(p_{12})$ , $(p_{14}) - (p_{15})$ , and $(a_{7})$ , we apply the jurisdiction rule and the belief rule to derive $CS | \equiv P_{i j}$ ;

(a_{9})

by $(a_{10})$ , $(p_{8})$ , and $CS ⊲ {〈P_{i j}〉}_{N_{i 2}}$ , we apply the fresh conjuncatenation rule and the nonce-verification rule to derive $CS | \equiv S_{j} | \equiv P_{i j}$ ;

(g_{5})

by $(a_{9})$ , $(p_{6}) – (p_{8})$ , and introduction of the session keys, we get $CS | \equiv S_{j} | \overset{SK}{\leftrightarrow} CS$ ;

(g_{6})

by $(g_{5})$ and $(p_{6}) – (p_{8})$ , we apply the nonce-verification rule to derive $CS | \equiv S_{j} | \equiv S_{j} | \overset{SK}{\leftrightarrow} CS$ ;

(a_{10})

by $(a_{9})$ , $(p_{4}) – (p_{6})$ , and $S_{j} ⊲ {(PSI D_{j}, P_{i j})}_{〈N_{i 1}, N_{i 2}, N_{i 3}〉}$ , we apply the message-meaning rule, the fresh conjuncatenation rule, and the nonce-verification rule to derive $S_{j} | \equiv CS | \equiv P_{i j}$ ;

(g_{7})

by $(a_{10})$ , $(p_{4}) – (p_{6})$ , and introduction of the session keys, we get $S_{j} | \equiv S_{j} | \overset{SK}{\leftrightarrow} CS$ ;

(g_{8})

by $(g_{7})$ and $(p_{4}) – (p_{6})$ , we apply the nonce-verification rule to derive $S_{j} | \equiv CS | \equiv S_{j} | \overset{SK}{\leftrightarrow} CS$ ;

(a_{11})

by $(p_{1}) – (p_{3})$ , $(p_{11})$ and $U_{i} ⊲ (I D_{i}, P_{i j})_{〈N_{i 1}, N_{i 2}, N_{i 3}〉}$ , we apply the belief rule to derive $U_{i} | \equiv P_{i j}$ ;

(a_{12})

by $(a_{11})$ and $U_{i} ⊲ (I D_{i}, P_{i j})_{〈N_{i 1}, N_{i 2}, N_{i 3}〉}$ , we apply the message-meaning rule, the fresh conjuncatenation rule, and the nonce-verification rule to derive $U_{i} | \equiv CS | \equiv P_{i j}$ ;

(g_{9})

by $(a_{12})$ , $(p_{1}) – (p_{3})$ , and introduction of the session keys, we get $U_{i} | \equiv U_{i} | \overset{SK}{\leftrightarrow} CS$ ;

(g_{10})

by $(g_{9})$ and $(p_{1}) – (p_{3})$ , we apply the nonce-verification rule to derive $U_{i} | \equiv CS | \equiv U_{i} | \overset{SK}{\leftrightarrow} CS$ ;

(a_{13})

by $(p_{7})$ and $CS ⊲ {〈I D_{i} ∥ h (b ∥ P_{i}) ∥ SI D_{j} ∥ h (y)〉}_{N_{i 1}}$ , we apply the message-meaning rule, the fresh conjuncatenation rule, and the nonce-verification rule to derive $CS | \equiv U_{i} | \equiv (I D_{i} ∥ h (b ∥ P_{i}) ∥ S I D_{j} ∥ h (y))$ ;

(a_{14})

by $(a_{13})$ and $(p_{10}) – (p_{12})$ , $(p_{15})$ , we apply the belief rule to derive $CS | \equiv U_{i} | \equiv P_{i j}$ ;

(g_{11})

by $(a_{14})$ , $(p_{6}) – (p_{8})$ , and introduction of the session keys, we get $CS | \equiv U_{i} | \overset{SK}{\leftrightarrow} CS$ ;

(g_{12})

by $(g_{11})$ and $(p_{6}) – (p_{8})$ , we apply the nonce-verification rule to derive $CS | \equiv U_{i} | \equiv U_{i} | \overset{SK}{\leftrightarrow} CS$ ;

As a result, analyzing the security of our protocol with BAN logic, we can now be sure that the proposed protocol is truly capable of achieving the goals.

5.2. Masquerade Attack

Assume a malicious attacker $A$ has extracted [19, 21] the information ${B_{i}, C_{i}, h (y)}$ stored in the smart card. Furthermore, $A$ intercepts a request message ${F_{i}, G_{i}}$ and tries to masquerade the legal user to compute the session key $SK$ . However, it is impossible for $A$ to forge a valid login request ${F_{i}, G_{i}}$ because $A$ does not know the identity $I D_{i}$ and the random number b of $U_{i}$ , which will result in $A$ incorrectly computing the value of $A_{i} = h (P_{i} ∥ b)$ . The identity $I D_{i}$ and $A_{i}$ of $U_{i}$ are all protected by the one-way hash function, and thus it is computationally infeasible to derive $A_{i}$ and $I D_{i}$ from the values $B_{i} = h (A_{i} ∥ d)$ and $C_{i} = h (I D_{i} ∥ A_{i} ∥ h (y))$ , respectively. Thus, masquerade attack as $U_{i}$ is infeasible to the proposed protocol. On the other hand, suppose $A$ intercepts a message ${F_{i}, G_{i}}$ and ${K_{i}, M_{i}, G_{i}}$ and tries to masquerade as $S_{j}$ to authenticate by $CS$ , he will fail because he cannot compute the correct $P_{i j}$ . Besides, it is also impossible to forge $K_{i}$ without the knowledge of secret key z of $S_{j}$ . Thus, masquerade attack as $S_{j}$ is also infeasible to the proposed protocol.

5.3. Insider Attack with Smart Card

Our proposed protocol provides user registration using cipher code $A_{i} = h (P_{i} ∥ b)$ over a secret channel. Even if a malicious attacker $A$ has gotten [19, 21] the information ${B_{i}, C_{i}, h (y)}$ stored in the smart card, he cannot guess the parameter b which avoids the inherent risk of stolen passwords. Thus, our protocol resists insider attack.

5.4. Replay Attack

Replay attack means a malicious attacker $A$ must not obtain sensitive information by replaying previously transmitted messages [24]. If a malicious attacker $A$ wants to replay the same messages of the sender or the receiver, it is clear that user cannot succeed because $U_{i}$ , $S_{j}$ , and $CS$ chooses different random numbers $(N_{i 1}, N_{i 2}, N_{i 3})$ in each new session. Besides, $A$ cannot compute the session key $SK = h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3} ∥ h (P_{i j}))$ correctly since the parameter $P_{i j}$ is not directly exposed in public channel. Thus, $A$ has no opportunity to successfully replay used messages.

5.5. Mutual Authentication

Our protocol can provide mutual authentication among $U_{i}$ , $S_{j}$ , and $CS$ .

(1) $CS$ authenticates $S_{j}$ by computing the message $P_{i j} = h (PI D_{i} ∥ A_{i} ∥ h (y))$ with its own memory comparing with the receiving message $P_{i j}^{'} = K_{i} \oplus PSI D_{i} \oplus M_{i}$ , where both of $K_{i}$ and $M_{i}$ come from $S_{j}$ . Furthermore, the authentication of $CS$ to $U_{i}$ is completely dependent on the authentication of $CS$ to $S_{j}$ since obtained $P_{i j}$ of $S_{j}$ is directly derived from $U_{i}$ .

(2) $CS$ is authenticated by verifying the computed $R_{i}^{'} = h (N_{i 1} ∥ I D_{i})$ and $V_{i}^{'} = h (N_{i 2} ∥ PSI D_{j})$ with the received $R_{i}$ and $V_{i}$ , respectively. At the same time, the authentication of $U_{i}$ to $S_{j}$ is completely dependent on the authentication of $U_{i}$ to $CS$ since $V_{i} = h (I D_{i} ∥ N_{i 1})$ transmitted by $S_{j}$ is headed from $CS$ .

5.6. Off-Line Password Guessing Attack

Assume a malicious attacker $A$ has stolen the smart card and extracted [19, 21] the information ${B_{i}, C_{i}, h (y)}$ from it. Moreover, $A$ has eavesdropped the request message ${F_{i}, G_{i}}$ . If $A$ tries to obtain the identity $I D_{i}$ and password $P_{i}$ correctly at the same time, $A$ first should obtain $A_{i} = h (b ∥ P_{i})$ . It is obviously impossible to get $A_{i}$ from $B_{i} = h (A_{i} ∥ d)$ since it is protected by a one-way hash function and a random number d. Thus, the proposed protocol is secure against the off-line password guessing attack.

5.7. The Session Key Perfect Forward Secrecy

Even if a malicious attacker $A$ obtains all of participants’ secret keys and previous session keys, he still cannot compromise session key $SK = h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3} ∥ h (P_{i j}))$ . Since in each session a fresh session key is generated depending on $(N_{i 1}, N_{i 2}, N_{i 3}, P_{i j})$ and the secret differs in every session. Thus, the proposed protocol can provide the session key perfect forward secrecy.

5.8. Stolen Smart Card Attack

Even though $A$ has read [19, 21] the information $\{B_{i}, C_{i}, h (y)\}$ from the stolen smart card, $A$ cannot get real identity $I D_{i}$ and the password $P_{i}$ correctly at the same time since they are protected by a one-way hash function and two random numbers ( $b, d$ ). Thus, it is not possible to guess these two parameters correctly at the same time in polynomial time. Therefore, the proposed protocol is secure against the stolen smart card attack.

5.9. Not Requiring Clock Synchronization

In timestamps authentication protocols, the clocks of all devices must be synchronized [25]. In our protocol, we provide random numbers based authentication mechanism, instead of the timestamps that cause serious time synchronization problems.

6. Performance and Functionality Analysis

In this section, we compare our protocol with other related protocols regarding performance and security. It is crucial for smart card based schemes to provide low computation cost due to the smart card possesses the power constraints and small flash memory [26]. We take the login phase and authentication phase into consideration since these two are the principal part of an authentication protocol. To analyze the computational complexity of the protocols, we use hashing operation as the time complexity since xor operations require very little computations. Figure 1 shows comparison regarding the performance. From this comparison, we can see that our proposed protocol has almost the least computation costs compared with other's protocols. Hence, our proposed protocol is very useful in environments of limited computation and communication resources to access remote information systems.

Figure 1

Performance comparison.

Table 1 lists the functionality comparisons of our proposed protocol with Sood et al.'s protocol [16], Li et al.'s protocol [17], and Xue et al.'s protocol [18]. We can see that the proposed protocol not only provides proper mutual authentication and perfect forward secrecy but also can prevent masquerade attack and other attacks. As a result, the proposed protocol is more secure and has many functionalities compared with these related protocols.

Table 1

Functionality comparison.

	Ours	Xue et al. [18]	Li et al. [17]	Sood et al. [16]
Provide mutual authentication	Yes	Yes	Yes	Yes
Provide perfect forward secrecy	Yes	Yes	Yes	Yes
Resist insider attack	Yes	No	No	No
Resist masquerade attack	Yes	No	No	No
Resist replay attack	Yes	Yes	No	No
No time synchronization	Yes	No	Yes	Yes

7. Conclusion

In this paper, we have shown that Xue et al.'s protocol cannot really protect against masquerade attack, off-line password guessing, and insider attacks. In order to avoid these security weaknesses, a slight modification without using timestamps to their protocol is proposed to improve their shortcomings. Moreover, we discussed the security of the proposed protocol and showed that it conforms to all desirable security attributes. Finally, we compared the proposed protocol and existing competitive protocols regarding efficiency and security and showed that the proposed protocol is more secure and has the least computation costs. Therefore, our protocol is able to satisfy all of the essential requirements for multiserver environments. In the future, we will propose a cryptanalysis scheme [27] to prove that our authentication mechanism is secure. Moreover, we will evaluate our scheme for the energy and communication overheads using some network simulator for practical implementation. In addition, we will continue to extend our study to combine a user's biometrics [28] and discuss the biometrics matching issue in detail.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors are grateful to the anonymous referees for their valuable comments and suggestions to improve the presentation of this paper. This paper is supported by the National Natural Science Foundation of China (Grant nos. 61472045 and 61121061), the Beijing Higher Education Young Elite Teacher Project (Grant no. YETP0449), the Asia Foresight Program under NSFC Grant (Grant no. 61411146001), and the Beijing Natural Science Foundation (Grant no. 4142016).

References

Khan

S. U.

Lavagno

Pastrone

Spirito

M. A.

Online authentication and key establishment scheme for heterogeneous sensor networks

International Journal of Distributed Sensor Networks 2014 2014 11

718286

10.1155/2014/718286

Lamport

Password authentication with insecure communication

Communications of the ACM 1981 24 11 770 772

10.1145/358790.358797

2-s2.0-0019634370

Awasthi

A. K.

Lal

An enhanced remote user authentication scheme using smart cards

IEEE Transactions on Consumer Electronics 2004 50 2 583 586

10.1109/TCE.2004.1309430

2-s2.0-4043089982

Zhu

W.-T.

Feng

D.-G.

An improved smart card based password authentication scheme with provable security

Computer Standards and Interfaces 2009 31 4 723 728

10.1016/j.csi.2008.09.006

2-s2.0-64249125305

Qiu

Zheng

Chen

Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards

IEEE Transactions on Industrial Electronics 2010 57 2 793 800

2-s2.0-75449106985

10.1109/TIE.2009.2028351

Zhao

D.-W.

Peng

H.-P.

L.-X.

Yang

Y.-Y.

A secure and effective anonymous authentication scheme for roaming service in global mobility networks

Wireless Personal Communications 2014 78 1 247 269

10.1007/s11277-014-1750-y

2-s2.0-84897351558

Khan

M. K.

Kumari

An improved user authentication protocol for healthcare services via wireless medical sensor networks

International Journal of Distributed Sensor Networks 2014 2014 10

347169

10.1155/2014/347169

2-s2.0-84901008838

Hwang

M.-S.

L.-H.

A new remote user authentication scheme using smart cards

IEEE Transactions on Consumer Electronics 2000 46 1 28 30

10.1109/30.826377

2-s2.0-0034140374

Fan

C.-I.

Chan

Y.-C.

Zhang

Z.-K.

Robust remote authentication scheme with smart cards

Computers & Security 2005 24 8 619 628

10.1016/j.cose.2005.03.006

2-s2.0-28044451335

10.

Hwang

M.-S.

Chong

S.-K.

Chen

T.-Y.

DoS-resistant ID-based password authentication scheme using smart cards

Journal of Systems and Software 2010 83 1 163 172

10.1016/j.jss.2009.07.050

2-s2.0-71649104505

11.

Lee

S.-W.

Kim

H.-S.

Yoo

K.-Y.

Efficient nonce-based remote user authentication scheme using smart cards

Applied Mathematics and Computation 2005 167 1 355 361

10.1016/j.amc.2004.06.111

MR2170921

2-s2.0-24944502757

12.

Liu

J.-Y.

Zhou

A.-M.

Gao

M.-X.

A new mutual authentication scheme based on nonce and smart cards

Computer Communications 2008 31 10 2205 2209

2-s2.0-44549086640

10.1016/j.comcom.2008.02.002

13.

C.-T.

Hwang

M.-S.

An efficient biometrics-based remote user authentication scheme using smart cards

Journal of Network and Computer Applications 2010 33 1 1 5

2-s2.0-70349792182

10.1016/j.jnca.2009.08.001

14.

Song

Advanced smart card based password authentication protocol

Computer Standards and Interfaces 2010 32 5-6 321 325

10.1016/j.csi.2010.03.008

2-s2.0-77955312905

15.

Hsiang

H.-C.

Shih

W.-K.

Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment

Computer Standards and Interfaces 2009 31 6 1118 1123

10.1016/j.csi.2008.11.002

2-s2.0-68849128250

16.

Sood

S. K.

Sarje

A. K.

Singh

A secure dynamic identity based authentication protocol for multi-server architecture

Journal of Network and Computer Applications 2011 34 2 609 618

10.1016/j.jnca.2010.11.011

2-s2.0-79251600218

17.

Xiong

Y.-P.

Wang

W.-D.

An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards

Journal of Network and Computer Applications 2012 35 2 763 769

10.1016/j.jnca.2011.11.009

2-s2.0-84856217617

18.

Xue

K.-P.

Hong

P.-L.

C.-S.

A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture

Journal of Computer and System Sciences 2014 80 1 195 206

10.1016/j.jcss.2013.07.004

MR3105916

2-s2.0-84884990326

19.

Kocher

Jaffe

Jun

Differential power analysis

Advances in Cryptology—CRYPTO' 99: 19th Annual International Cryptology Conference Santa Barbara, California, USA, August 15–19, 1999 Proceedings 1999 1666

Berlin, Germany

Springer

388 397 Lecture Notes in Computer Science

10.1007/3-540-48405-1_25

20.

D.-J.

M.-D.

Zhang

Chen

J.-J.

A strong user authentication scheme with smart cards for wireless communications

Computer Communications 2011 34 3 367 374

10.1016/j.comcom.2010.02.031

2-s2.0-78751648745

21.

Messerges

T. S.

Dabbish

E. A.

Sloan

R. H.

Examining smart-card security under the threat of power analysis attacks

IEEE Transactions on Computers 2002 51 5 541 552

MR1901004

10.1109/tc.2002.1004593

2-s2.0-0036566408

22.

Burrows

Abadi

Needham

A logic of authentication

ACM Transactions on Computer Systems 1990 8 1 18 36

23.

Tsai

J.-L.

N.-W.

T.-C.

Novel anonymous authentication scheme using smart cards

IEEE Transactions on Industrial Informatics 2013 9 4 2004 2013

10.1109/TII.2012.2230639

2-s2.0-84886653936

24.

Das

A.-K.

A secure and effictive user authentication and privacy preserving protocol with smart cards for wireless communications

Networking Science 2013 2 1-2 12 27

10.1007/s13119-012-0009-8

25.

Yang

Wang

Bao

Wang

Deng

R. H.

New efficient user identification and key distribution scheme providing enhanced security

Computers and Security 2004 23 8 697 704

10.1016/j.cose.2004.08.005

2-s2.0-10644225185

26.

Juang

W.-S.

Efficient multi-server password authenticated key agreement using smart cards

IEEE Transactions on Consumer Electronics 2004 50 1 251 255

10.1109/TCE.2004.1277870

2-s2.0-1942455353

27.

Alomair

Poovendran

Efficient authentication for mobile and pervasive computing

IEEE Transactions on Mobile Computing 2014 13 3 469 481

2-s2.0-84894565582

10.1109/TMC.2012.252

28.

J.-P.

Ding

Y.-M.

Xiong

Z.-G.

Liu

S.-Y.

An improved biometric-based user authentication scheme for C/S system

International Journal of Distributed Sensor Networks 2014 2014 9

275341

10.1155/2014/275341

2-s2.0-84901049661

A Lightweight ID Based Authentication and Key Agreement Protocol for Multiserver Architecture

Abstract

1. Introduction

2. Review of Xue et al.'s Protocol

Box 1: Login and authentication phases of Xue et al.'s protocol.

2.1. Registration Phase

2.2. Login and Authentication Phases

2.3. Password Updating Phase

2.4. Identity Updating Phase

3. Cryptanalysis of Xue et al.'s Protocol

3.1. Masquerade Attack against a Legitimate User

3.2. Masquerade Attack against a Legitimate Service Providing Server

3.3. Off-Line Password Guessing Attack

3.4. Insider Attack

4. Our Improved Protocol

Box 2: Login and authentication phases of our improved protocol.

4.1. Registration Phase

4.2. Login and Authentication Phases

4.3. Password Updating Phase

5. Security Analysis of Our Improved Protocol

5.1. Verifying Authentication with BAN Logic

5.2. Masquerade Attack

5.3. Insider Attack with Smart Card

5.4. Replay Attack

5.5. Mutual Authentication

5.6. Off-Line Password Guessing Attack

5.7. The Session Key Perfect Forward Secrecy

5.8. Stolen Smart Card Attack

5.9. Not Requiring Clock Synchronization

6. Performance and Functionality Analysis

7. Conclusion

Footnotes

Conflict of Interests

Acknowledgments

References