Sage Journals: Discover world-class research

Abstract

The age of Internet of things gives rise to more challenges to various secure demands when designing the protocols, such as object identification and tracking, and privacy control. In many of the current protocols, a malicious server may cheat users as if it was a legal server, making it vital to verify the legality of both users and servers with the help of a trusted third-party, such as a registration center. Li et al. proposed an authentication protocol based on dynamic identity for multi-server environment, which is still susceptible to password-guessing attack, eavesdropping attack, masquerade attack, and insider attack etc. Besides, their protocol does not provide the anonymity of users, which is an essential request to protect users’ privacy. In this article, we present an improved authentication protocol, depending on the registration center in multi-server environments to remedy these security flaws. Different from the previous protocols, registration center in our proposed protocol is one of parties in authentication phase to verify the legality of the users and the servers, thus can effectively avoid the server spoofing attack. Our protocol only uses nonce, exclusive-OR operation, and one-way hash function in its implementation. Formal analysis has been performed using the Burrows–Abadi–Needham logic to show its security.

Keywords

Dynamic identity multi-server registration center smart card Burrows–Abadi–Needham logic

Introduction

In the past decades, great research efforts have been made on Internet of things (IoT), and a wide range of application scenarios, such as object identification and tracking, healthcare, privacy control, and military.^1–4 Along with the convenience they bring security issues of personal privacy in terms of the constant, and transparent leakage of private information may also arise. End-devices like smart cards often carry a certain level of infrastructure equivalent to a tiny computer, including the computation power, storage functionality, and communications, which make the mutual authentication and key agreement protocol possible. They can prevent unauthorized users from gaining access to sensitive resources and prevent legitimate users from accessing resources in an unauthorized manner.

Since Lamport⁵ proposed the first password-based authentication protocol, great efforts have been made on the authentication to improve the security. Password-based authentication is simple, but it needs to maintain the verification table and leads to table disclosure or password compromising. Hwang and Li⁶ presented a new remote user authentication protocol with the help of smart cards based on the protocol proposed by ElGamal.⁷ In their schemes, the servers do not need to keep any verification table. Since then, kinds of smart card–based authentication protocols with hash function have been presented.^8–12 Traditional password-based or smart card–based authentication protocols are adapted in single-server environments and are not suitable for the multi-server environments. To overcome these weaknesses, many protocols for multi-server environment have been devised.^13–16 They can implement mutual authentication with one registration. However, we find that they are still susceptible to replay attack, impersonation attack, password-guessing attack, and so on. To remedy these flaws, enhance security, and reduce the computational complexity, we propose an improved dynamic identity (ID) based on authentication protocol for multi-server architecture. This protocol not only achieves user’s anonymity and resists various kinds of attacks, but also finishes the mutual authentication and session key agreement.

The rest of the article is organized as follows. In section “Related work and discussion,” we provide a brief review of related protocols and analyze their securities. Then, we present an improved authentication protocol for the multi-server environment in section “The proposed protocol.” The correctness of the proposed protocol is verified by performing formal verification with the Burrows–Abadi–Needham (BAN) logic in section “Analysis of correctness.” Section “Security analysis of the improved protocol” evaluates the security of our proposed protocol. Section “Cost and functionality analysis” analyzes the costs and functionalities among ours and other protocols. Finally, we present the conclusion in section “Conclusion.”

Related work and discussion

In the lectures, Liao and Wang¹⁷ presented a secure user authentication protocol for multi-server architectures based on dynamic ID. However, Hsiang et al. claimed that Liao et al.’s protocol not only failed to achieve mutual authentication but also could not withstand server spoofing attack, insider attack, masquerade attack, and so on. Moreover, Lee et al.¹⁸ proposed an improved remote user authentication scheme based on dynamic ID, but their protocol is still vulnerable to server spoofing attack and forgery attack. Hsiang et al. presented a new authentication protocol.¹⁹ They claimed that their protocol efficiently protects the identity of the user and can resist various known attacks. Unfortunately, Sood et al.²⁰ stated that Hsiang et al.’s scheme cannot withstand stolen smart card attack, replay attack, and impersonation attack. Besides, the password change method of Hsiang et al.’s scheme is incorrect. In order to overcome these security weaknesses, Sood et al. presented an improved authentication protocol.²⁰ They declared that their proposed protocol can help the servers and the registration center validate the user’s identity successfully and can also keep the dynamic ID of users in communication channel. Sood et al. argued that their scheme can withstand various known attacks, such as impersonation attack, offline dictionary attack, and replay attack. However, Li et al.²¹ found that Sood et al.’s scheme cannot withstand stolen smart card attack and leak-of-verifier attack. Furthermore, Li et al. presented an efficient and secure dynamic ID–based authentication scheme.²¹ Unfortunately, Li et al.’s protocol was soon identified to be susceptible to password-guessing attack and masquerade attack by Han.²² In addition, Xue et al.²³ claimed that Li et al.’s protocol is susceptible to insider attack, eavesdropping attack, masquerade attack, and so on. Moreover, Wang et al.²⁴ uncovered two other vulnerabilities: offline password-guessing attack and no provision of user’s anonymity. In recent years, many researchers also studied group data sharing via cloud storage or new preserving encryption model in cloud environments.^25–27

Review of Li et al.’s protocol

In this section, we mainly review the authentication protocol presented by Li et al.²¹ This protocol consists of three parties: the user $U_{i}$ , the server $S_{j}$ , and the registration center $RC$ . It is known that $RC$ is trusted for $U_{i}$ and $S_{j}$ , and they can register in it and authenticate with it. $RC$ chooses a master key $x$ and a secret number $y$ . When $S_{j}$ registers in $RC$ , $RC$ calculates $h (SI D_{j} ∥ y)$ and $h (x ∥ y)$ , then submits $h (x ∥ y)$ and $h (SI D_{j} ∥ y)$ to $S_{j}$ over a secure channel. Their protocol can be divided into four phases: registration phase, login phase, authentication and session key agreement phase, and password change phase. The notations are listed in Table 1.

Table 1.

Notations.

Name	Description
$U_{i}$	$i th$ user
$RC$	Registration center
$S_{j}$	$j th$ server
$I D_{i}$	Identity of $U_{i}$
$P_{i}$	Password of the user $U_{i}$
$SI D_{j}$	Identity of $S_{j}$
$x$	Master secret key
$y$	Secret number
$b$	A random number chosen by the user for registration
$CI D_{i}$	Dynamic identity generated by $U_{i}$ for authentication
$SK$	Session key shared among the user, the server and $RC$
$N_{i 1}$ , $N_{i 2}$ , $N_{i 3}$	Random numbers chosen by $U_{i}$ , $S_{j}$ and $RC$
$h (\cdot)$	One way hash function
⊕	Bitwise exclusive-OR operation
∥	Bitwise concatenation operation

Registration phase

Step 1: $U_{i}$ chooses his or her identity $I D_{i}$ and password $P_{i}$ freely and chooses a random number $b$ . Then $U_{i}$ calculates $A_{i} = h (b ∥ P_{i})$ , and sends $A_{i}$ and $I D_{i}$ to $RC$ over a secure channel.

Step 2: Upon receiving $I D_{i}$ and $A_{i}$ , $RC$ computes $B_{i} = h (I D_{i} ∥ x)$ , $C_{i} = h (I D_{i} ∥ h (y) ∥ A_{i})$ , $D_{i} = B_{i} \oplus h (I D_{i} ∥ A_{i})$ , $E_{i} = B_{i} \oplus h (y ∥ x)$ , and then stores { $C_{i}$ , $D_{i}$ , $E_{i}$ , $h (\cdot)$ , $h (y)$ } into the smart card. Finally, $RC$ sends them to the user over a secure channel.

Step 3: $U_{i}$ keys $b$ into the smart card.

Login phase

Step 1: When $U_{i}$ wants to login $S_{j}$ , $U_{i}$ inserts the smart card into a card reader, and then keys $I D_{i}$ , $P_{i}$ , and $SI D_{j}$ . The smart card computes $A_{i} = h (b ∥ P_{i})$ and $C'_{i} = h (I D_{i} ∥ h (y) ∥ A_{i})$ and then checks whether $C'_{i}$ is equal to $C_{i}$ . If they are equal, the user is legal, otherwise the user is illegal.

Step 2: After local verification, the smart card generates a random number $N_{i 1}$ and computes $B_{i} = D_{i} \oplus h (I D_{i} ∥ A_{i})$ , $F_{i} = h (y) \oplus N_{i 1}$ , $P_{ij} = E_{i} \oplus h (h (y) ∥ N_{i 1} ∥ SI D_{j})$ , $CI D_{i} = A_{i} \oplus h (B_{i} ∥ F_{i} ∥ N_{i 1})$ , and $G_{i} = h (B_{i} ∥ A_{i} ∥ N_{i 1})$ . Then, it sends { $F_{i}$ , $G_{i}$ , $P_{ij}$ , $CI D_{i}$ } to $S_{j}$ over an unsecure channel.

Authentication and session key agreement phase

Step 1: Upon receiving the login request from the user, $S_{j}$ chooses a random number $N_{i 2}$ and computes $K_{i} = h (SI D_{j} ∥ y) \oplus N_{i 2}$ and $M_{i} = h (h (x ∥ y) ∥ N_{i 2})$ . Then $S_{j}$ transmits { $F_{i}$ , $G_{i}$ , $P_{ij}$ , $CI D_{i}$ , $K_{i}$ , $M_{i}$ } to $RC$ .

Step 2: Once $RC$ receives the login request from $S_{j}$ , it computes $N_{i 2} = K_{i} \oplus h (SI D_{j} ∥ y)$ and $M_{i}' = h (h (x ∥ y) ∥ N_{i 2})$ and then checks whether $M'_{i}$ is equal to $M_{i}$ or not. If it holds, $RC$ authenticates the server successfully. Otherwise, $RC$ terminates the session.

Step 3: $RC$ computes $N_{i 1} = F_{i} \oplus h (y)$ , $B_{i} = P_{ij} \oplus h (h (y) ∥ N_{i 1} ∥ SI D_{j}) \oplus h (y ∥ x)$ , $A_{i} = CI D_{i} \oplus h (B_{i} ∥ F_{i} ∥ N_{i 1}),$ and $G'_{i} = h (B_{i} ∥ A_{i} ∥ N_{i 1})$ and check whether $G'_{i} = G_{i}$ . If it holds, the legality of $S_{j}$ is verified by $RC$ . Otherwise, $RC$ terminates the session.

Step 4: $RC$ generates a random number $N_{i 3}$ , and computes $Q_{i} = N_{i 1} \oplus N_{i 3} \oplus h (SI D_{j} ∥ N_{i 2})$ , $R_{i} = h (A_{i} ∥ B_{i}) \oplus h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3})$ , $V_{i} = h (h (A_{i} ∥ B_{i}) ∥ h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))$ , and $T_{i} = N_{i 2} \oplus N_{i 3} \oplus h (A_{i} ∥ B_{i} ∥ N_{i 1})$ . Then $RC$ submits the mutual authentication message to $S_{j}$ .

Step 5: On receiving the mutual authentication message, $S_{j}$ computes $h (A_{i} ∥ B_{i}) = R_{i} \oplus h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3})$ and $V_{i}^{'} = h (h (A_{i} ∥ B_{i}) ∥ h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))$ after $N_{i 1} \oplus$ $N_{i 3} = Q_{i} \oplus h (SI D_{j} ∥ N_{i 2})$ and checks whether $V_{i}^{'}$ is equal to $V_{i}$ . If they are not equal, $S_{j}$ terminates the session. Otherwise, $S_{j}$ authenticates $RC$ successfully and sends ${V_{i}, T_{i}}$ to the user.

Step 6: Upon receiving messages from $S_{j}$ , the smart card computes $N_{i 2} \oplus N_{i 3} = T_{i} \oplus h (A_{i} ∥ B_{i} ∥ N_{i 1})$ and $V_{i}^{'} = h (h (A_{i} ∥ B_{i}) ∥ h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))$ and then checks whether $V_{i}^{'} = V_{i}$ . If it holds, $RC$ and $S_{j}$ are legal for $U_{i}$ . Otherwise, $U_{i}$ terminates the session.

Finally, $U_{i}$ , $S_{j}$ , and $RC$ agree on $SK = h (h (Ai ∥ B_{i}) ∥ (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))$ .

Password change phase

When $U_{i}$ wants to change his or her password $P_{i}$ to a new password $P_{i}^{new}$ , $U_{i}$ can make it by his or her own smart card with no need of $RC$ involvement. The user inserts it into a card reader and keys $I D_{i}$ and $P_{i}$ . The smart card computes $A_{i} = h (b ∥ P_{i})$ , $B_{i} = D_{i} \oplus h (I D_{i} ∥ A_{i})$ , and $C'_{i} = h (I D_{i} ∥ h (y) ∥ A_{i})$ and then checks whether $C'_{i} = C_{i}$ . If it holds, the user submits $P_{i}^{new}$ . Then the smart card computes $A_{i}^{new} = h (b ∥ P_{i}^{new})$ , $C_{i}^{new} = h (I D_{i} ∥ h (y) ∥ A_{i}^{new})$ , and $D_{i}^{new} = B_{i} \oplus h (I D_{i} ∥ A_{i}^{new})$ . Furthermore, $C_{i}$ and $D_{i}$ will be replaced with $C_{i}^{new}$ and $D_{i}^{new}$ .

Cryptanalysis of Li et al.’s protocol

Li et al. stated that their protocol could resist kinds of security attacks; however, we find that their protocol is still vulnerable to many attacks, such as insider attack, smart card forgery attack, eavesdropping attack, masquerade attack, and offline password-guessing attack, which are detailed as the following.

Insider attack

If an adversary is a malicious legal user, he or she is able to extract $h (y)$ from his or her own smart card. Then he or she can compute his or her own $B_{f} = D_{f} \oplus h (I D_{f} ∥ A_{f})$ and $h (y ∥ x) = E_{f} \oplus B_{f}$ . Having known $h (y ∥ x)$ and $h (y)$ , the adversary can launch eavesdropping attacks to get the session key shared among another users, the related servers, and $RC$ .

Smart card forgery attack

For Li et al.’s scheme is lack of $RC$ ’s authentication to $A_{i}$ and $B_{i}$ , so a malicious attacker can get $h (y)$ and $h (y ∥ x)$ . As a result, the attacker can fabricate a new smart card. If an attacker wants to fabricate $U_{s}$ ’s smart card, he must first choose two random parameters $A_{s} = N_{um 1}$ and $B_{s} = N_{um 2}$ .

If the attacker makes use of the fabricated smart card to get services from $S_{j}$ . The necessary messages are computed as follows

\begin{matrix} F_{s} = h (y) \oplus N_{s 1} \\ G_{s} = h (B_{s} ∥ A_{s} ∥ N_{s 1}) = h (N_{um 2} ∥ N_{um 1} ∥ N_{s 1}) \end{matrix}

\begin{matrix} P_{sj} = E_{s} \oplus h (h (y) ∥ N_{s 1} ∥ SI D_{j}) \\ = N_{um 2} \oplus h (y ∥ x) \oplus h (h (y) ∥ N_{s 1} ∥ SI D_{j}) \end{matrix}

\begin{matrix} CI D_{s} = A_{s} \oplus h (B_{s} ∥ F_{s} ∥ N_{s 1}) \\ = N_{um 1} \oplus h (N_{um 2} ∥ ∥ N_{s 1}) F_{s} \end{matrix}

In Li et al.’s scheme, these messages can be verified by $S_{j}$ and $RC$ successfully. If $S_{j}$ and $RC$ generate two random numbers $N_{s 2}$ and $N_{s 3}$ , respectively, $S_{j}$ and $RC$ agree on $SK = h (h (N_{um 1} ∥ N_{um 2}) ∥ (N_{s 1} \oplus N_{s 2} \oplus N_{s 3}))$ successfully.

Eavesdropping attack

As a malicious legal user, he or she can use his or her own smart card to attain $h (y)$ and $h (y ∥ x)$ . The adversary intercepts ${F_{m}, G_{m}, P_{mn}, CI D_{m}}$ sent to the server by $U_{m}$ , and then computes $N_{m 1} = h (y) ∥ F_{m}$ with $F_{m}$ and $N_{m 1}$ . In addition, $E_{m}$ , $B_{m}$ , and $A_{m}$ can be easily acquired by $E_{m} = P_{mn} \oplus h (h (y) ∥ N_{m 1} ∥ SI D_{n})$ , $B_{m} = E_{m} \oplus h (y ∥ x)$ , and $A_{m} = CI D_{m} \oplus h (B_{m} ∥ F_{m} ∥ N_{m 1})$ . It can be seen that the critical secure information { $A_{m}$ , $B_{m}$ , $N_{m 1}$ } can be obtained by the messages transmitted in the public channel. And the parameter $E_{m}$ can also be attained. Even though the adversary cannot compute $C_{m}$ and $D_{m}$ without the user’s $ID$ , he or she can get $N_{m 2} \oplus N_{m 3} = T_{m} \oplus h (A_{m} ∥ B_{m} ∥ N_{i 1})$ . Then the adversary can get the agreement session key among $U_{m}$ , $S_{n}$ , and $RC$ .

Masquerade attack

From the eavesdropping attack mentioned above, the adversary obtains a legal user $U_{m}$ ’s information and pretends to be another legal user to conduct malicious attack. He can get $h (y)$ and $h (y ∥ x)$ by insider attack, further get $A_{m}$ , $B_{m}$ , and $E_{m}$ by eavesdropping attack. With these messages, the adversary can masquerade as a legitimate user $U_{m}$ to launch authentication and session key agreement phase.

First, the adversary chooses a random number $N_{MA}$ freely and calculates these parameters

\begin{matrix} F_{m} = h (y) \oplus N_{MA} \\ G_{m} = h (B_{m} ∥ A_{m} ∥ N_{MA}) \\ P_{mp} = E_{m} \oplus h (h (y) ∥ N_{MA} ∥ SI D_{p}) \\ CI D_{m} = A_{m} \oplus h (B_{m} ∥ F_{m} ∥ N_{MA}) \end{matrix}

Then, $S_{p}$ and $RC$ think these messages are legal and generate random numbers $N_{m 2}$ and $N_{m 3}$ , respectively. Finally, the adversary, $S_{p}$ and $RC$ agree on $SK = h (h (N_{um 1} ∥ N_{um 2}) ∥ (N_{s 1} \oplus N_{s 2} \oplus N_{s 3}))$ successfully. Therefore, $S_{p}$ and $RC$ mistakenly think that they are communicating with a legitimate user.

Server-spoofing attack

First, a malicious attacker intercepts the messages $K_{i}$ and $M_{i}$ transmitted by $S_{n}$ . We can assume that $U_{m}$ ’s information is revealed to a malicious attacker because of insider attack and eavesdropping attack. When $U_{m}$ logins $S_{n}$ , he or she chooses a random number $N_{m 1}$ and sends { $F_{m}$ , $G_{m}$ , $P_{mn}$ , $CI D_{m}$ } to $S_{n}$ . The attacker masquerades $S_{n}$ to compute $K_{i}$ and $M_{i}$ , then sends { $F_{m}$ , $G_{m}$ , $P_{mn}$ , $CI D_{m}$ , $SI D_{n}$ , $K_{i}$ , $M_{i}$ } to $RC$ . The message transmitted by the attacker can also be authenticated by $RC$ . Finally, $U_{m}$ and $RC$ agree on $SK = h (h (A_{m} | B_{m}) ∥ h (N_{m 1} \oplus N_{m 2} \oplus N_{m 3}))$ .

Unfortunately, $U_{m}$ thinks that he or she is communicating with a legitimate $S_{n}$ . Although the attacker cannot extract $N_{i 2}$ from $K_{i}$ , he or she can still obtain the correct session key. Therefore, the attacker can not only masquerade as a legitimate server but also encrypt and decrypt user’s database.

User’s anonymity

A malicious server $S_{k}$ and a malicious inside user $U_{m}$ could destroy the anonymity of any legal user. $U_{m}$ extracts $h (y)$ and $h (y ∥ x)$ from his or her own smart card and attains a user’s $E_{i}$ using a previous login message ${P_{ik}, SI D_{k}}$ . $U_{m}$ can intercept $F_{i}$ from the public channel. Thus $U_{m}$ can compute $N_{i 1} = F_{i} \oplus h (y)$ and $E_{i} = P_{ik} \oplus h (h (y) ∥ N_{i 1} ∥ SI D_{k})$ . As we all know, every legal user has a unique $E_{i}$ because of $E_{i} = h (I D_{i} ∥ x) \oplus h (y ∥ x)$ , thus Li et al.’s scheme has no provision of user’s anonymity.

Offline password-guessing attack

If the smart card of a legal user $U_{i}$ ’s is stolen by a malicious inside user $U_{m}$ , $U_{m}$ can extract the secret values { $h (y)$ , $D_{i}$ , $E_{i}$ , $b$ } stored in the smart card. With previous login message { $F_{i}$ , $G_{i}$ , $P_{ij}$ , $CI D_{i}$ , $SI D_{j}$ , $K_{i}$ , $M_{i}$ }, $U_{m}$ can guess $U_{i}$ ’s password as follows. First, $U_{m}$ extracts $h (y)$ from his or her own smart card and then computes $N_{i 1} = F_{i} \oplus h (y)$ with $F_{i}$ . Second, $U_{m}$ makes use of $P_{ij}$ and $SI D_{j}$ to compute $E_{i} = P_{ij} \oplus h (h (y) ∥ N_{i 1} ∥ SI D_{j})$ . Then $U_{m}$ conducts $h (y ∥ x) = E_{m} \oplus B_{m} = E_{m} \oplus D_{m} \oplus h (I D_{m} ∥ A_{m}) = E_{m} \oplus D_{m} \oplus h (I D_{m} ∥ h (b ∥ P_{m}))$ , among which $D_{m}$ , $E_{m}$ , and b are also extracted. Then $B_{i} = E_{i} \oplus h (y ∥ x)$ and $A_{i} = CI D_{i} \oplus h (B_{i} ∥ F_{i} ∥ N_{i 1})$ . Finally, $U_{m}$ guesses $U_{i}$ ’s password $P_{i}^{*}$ and computes $A_{i}^{*} = h (b ∥ P_{i}^{*})$ to check whether $A_{i}^{*} = A_{i}$ . If not, the attacker guesses another password until $A_{i}^{*} = A_{i}$ . Hence, the attacker can guess $U_{i}$ ’s password successfully.

The proposed protocol

This proposed protocol also consists of four phases. In the protocol, the server has only one private key, which can effectively resist server spoofing attack. The mutual authentication among user, server, and registration center can achieve multiple security goals.

Registration phase

If a user wants to get services from servers, he or she shall register in $RC$ in advance. The registration phase is shown in Figure 1, and detailed steps are illustrated as follows.

Step 1: $U_{i}$ chooses $I D_{i}$ , $P_{i}$ and $b$ and computes $A_{i} = h (b ∥ P_{i} ∥ I D_{i})$ . Then, $U_{i}$ transmits $I D_{i}$ and $A_{i}$ to $RC$ over a secure channel.

Step 2: Upon receiving $I D_{i}$ and $A_{i}$ , $RC$ computes $B_{i} = h (I D_{i} ∥ x)$ , $C_{i} = h (I D_{i} ∥ h (y) ∥ A_{i})$ , $D_{i} = B_{i} \oplus h (I D_{i} ∥ A_{i})$ , and $E_{i} = B_{i} \oplus h (y ∥ A_{i})$ and stores { $C_{i}$ , $D_{i}$ , $E_{i}$ , $h (\cdot)$ , $h (y)$ } into the smart card. At last, $RC$ sends the smart card to $U_{i}$ through a secure channel.

Step 3: Upon receiving the smart card, $U_{i}$ keys b into it. Finally, the smart card contains parameters { $C_{i}$ , $D_{i}$ , $E_{i}$ , $h (\cdot)$ , $h (y)$ , $b$ }.

Figure 1.

Registration phase of the improved protocol.

Login phase

In the phase, $U_{i}$ can login $S_{j}$ to get services with the registration information and the smart card. The detailed login phase is illuminated in Figure 2.

Step 1: When $U_{i}$ wants to login $S_{j}$ , he or she inserts the smart card into a card reader, and then keys $I D_{i}$ , $P_{i}$ , and the server’s identity $SI D_{j}$ . The smart card computes $A_{i} = h (b ∥ P_{i} ∥ I D_{i})$ and $C_{i}^{'} = h (I D_{i} ∥ h (y) ∥ A_{i})$ and then checks whether $C_{i}^{'}$ is equal to $C_{i}$ . If it holds, the user is legal. Otherwise, the user is illegal.

Step 2: After local verification, the smart card generates a random number $N_{i 1}$ and computes $B_{i} = D_{i} \oplus h (I D_{i} ∥ A_{i})$ , $F_{i} = h (y) \oplus N_{i 1}$ , and $P_{ij} = E_{i} \oplus h (h (y) ∥ N_{i 1} ∥ SI D_{j})$ , based on the value of $E_{i}$ stored in it. The smart card generates a random number a, and computes $E_{i}^{'} = E_{i} \oplus a$ , $B_{i}^{'} = E_{i}^{'} \oplus h (y ∥ A_{i}) = E_{i}^{'} \oplus B_{i} \oplus E_{i}$ , $CI D_{i} = A_{i}^{'} \oplus h (B_{i} ∥ F_{i} ∥ N_{i 1})$ , and $G_{i} = h (B_{i}^{'} ∥ A_{i} ∥ N_{i 1})$ . Then it sends { $F_{i}$ , $G_{i}$ , $P_{ij}$ , $CI D_{i}$ } to $S_{j}$ over a public channel.

Figure 2.

Authentication and session key generation phase

$RC$ validates the legality of $S_{j}$ and $U_{j}$ , and they generate mutual authentication messages. This phase is depicted in Figure 3, and we illustrated it as the following.

Step 2: Once $RC$ receives the login request, it computes $N_{i 2} = K_{i} \oplus h (SI D_{j} ∥ y)$ and $M_{i}^{'} = h (h (x ∥ y) ∥ N_{i 2})$ and then checks whether $M_{i}$ is equal to $M_{i}$ . If it holds, $RC$ can authenticate the server successfully. Otherwise, $RC$ terminates the session.

Step 3: $RC$ computes $N_{i 1} = F_{i} \oplus h (y)$ , $A_{i} = P_{ij} \oplus h (h (y) ∥ N_{i 1} ∥ SI D_{j})$ , $E_{i'} = CI D_{i} \oplus h (A_{i} ∥ F_{i} ∥ N_{i 1})$ , $B'_{i} = E'_{i} \oplus h (y ∥ A_{i})$ , and $G'_{i} = h (B'_{i} ∥ A_{i} ∥ N_{i 1})$ and checks whether $G'_{i}$ is equal to $G_{i}$ . If they are equal, $S_{j}$ is legal for $RC$ . Otherwise, $RC$ terminates the session.

Step 4: $RC$ generates a random number $N_{i 3}$ and computes

\begin{matrix} Q_{i} = N_{i 1} \oplus N_{i 3} \oplus h (SI D_{j} ∥ N_{i 2}) \\ R_{i} = h (A_{i} ∥ B'_{i}) \oplus h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}) \\ V_{i} = h (h (A_{i} ∥ B'_{i}) ∥ h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3})) \\ T_{i} = N_{i 2} \oplus N_{i 3} \oplus h (A_{i} ∥ B'_{i} ∥ N_{i 1}) \end{matrix}

Then $RC$ transmits the mutual authentication message to $S_{j}$ .

Step 5: Once $S_{j}$ receives the mutual authentication message, it computes $N_{i 1} \oplus N_{i 3} = Q_{i} \oplus h (SI D_{j} ∥ N_{i 2})$ , $h (A_{i} ∥ B_{i}^{'}) = R_{i} \oplus h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3})$ , and $V'_{i} = h (h (A_{i} ∥ B_{i}^{'}) ∥ h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))$ and checks whether $V'_{i}$ is equal to $V_{i}$ . If they are not, $S_{j}$ terminates the session. Otherwise $S_{j}$ authenticates $RC$ successfully. After authentication, $S_{j}$ sends ${V_{i}, T_{i}}$ to $U_{i}$ .

Step 6: Upon receiving the message from $S_{j}$ , the smart card computes $N_{i 2} \oplus N_{i 3} = T_{i} \oplus h (A_{i} ∥ B'_{i} ∥ N_{i 1})$ and $V'_{i} = h (h (A_{i} ∥ B'_{i}) ∥ h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))$ with an aim to check whether $V'_{i} = V_{i}$ . If it holds, the legality of $RC$ and $S_{j}$ is verified by $U_{i}$ . Otherwise, $U_{i}$ terminates the session. Finally, $U_{i}$ , $RC$ and $S_{j}$ agree on $SK = h (h (A_{i} ∥ B'_{i}) ∥ (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))$ .

Figure 3.

Authentication phase of the improved protocol.

Password change phase

$U_{i}$ inserts the smart card into a card reader and inputs $I D_{i}$ and $P_{i}$ . The smart card computes $A_{i} = h (b ∥ P_{i} ∥ I D_{i})$ , $B_{i} = D_{i} \oplus h (I D_{i} ∥ A_{i})$ , and $C_{i'} = h (I D_{i} ∥ h (y) ∥ A_{i})$ to check whether $C'_{i} = C_{i}$ . If it holds, the user submits a new password $P_{i}^{new}$ . Then the smart card computes $A_{i}^{new} = h (b ∥ P_{i}^{new} ∥ I D_{i})$ , $C_{i}^{new} = h (I D_{i} ∥ h (y) ∥ A_{i}^{new})$ , and $D_{i}^{new} = B_{i} \oplus h (I D_{i} ∥ A_{i}^{new})$ and later sends $B_{i}$ and $A_{i}^{new}$ to $RC$ . $RC$ computes $E_{i}^{new} = B_{i} \oplus h (y ∥ A_{i}^{new})$ and sends $E_{i}^{new}$ to $U_{i}$ through a secure channel. Furthermore, $C_{i}^{new}$ , $D_{i}^{new}$ , and $E_{i}^{new}$ will be stored in the smart card to replace $C_{i}$ , $D_{i}$ , and $E_{i}$ .

Analysis of correctness

First of all, we can prove the correctness of the protocol using the BAN logic.²⁸ Through specific logic analysis, it can be proved that the protocol can not only achieve session key agreement among users, servers, and $RC$ but also realize mutual authentication among them. According to the BAN logic, every step must be converted into a specific form of the agreement.

BAN logic notation

The notations for BAN logic are listed as the following.²⁹

$P | \equiv X$ : $P$ believes $X$ .

$P ◃ X$ : $P$ sees $X$ .

$P | ~ X$ : $P$ said $X$ .

$P | \Rightarrow X$ : $P$ controls $X$ .

$# (X)$ : $X$ is fresh.

$P \leftrightarrow^{K} Q$ : $K$ is the key shared by $P$ and $Q$ , and only $P$ and $Q$ , the users authorized by them can get $K$ .

$| \to^{K} P$ : $K$ is the public key of $P$ .

$P \Leftrightarrow^{X} Q$ : $X$ is the public key shared by $P$ and Q, and only $P$ and Q know $K$ .

${X}_{K}$ : the ciphertext of X encrypted by the key $K$ .

$< X >_{Y}$ : $X$ is connected with $Y$ .

BAN logical postulates

To prove feasibility and correctness of the protocol, the BAN logic needs to set some special rules to complete the authentication protocol analysis and reasoning. The rules used in the article are as follows.

R1: Message-meaning rule

\frac{P | \equiv P \overset{K}{\leftrightarrow} Q, P ◃ {X}_{K}}{P | \equiv Q | ~ X}

If $P$ believes that the key $K$ is shared by $P$ and $Q$ and sees $X$ encrypted under $K$ , $P$ believes that $Q$ once said $X$ .

R2: Nonce-verification rule

\frac{P | \equiv # (X), P | \equiv Q | ~ X}{P | \equiv Q | \equiv X}

If $P$ believes that $X$ could have been uttered only recently and that $Q$ once said $X$ , $P$ believes that $Q$ believes $X$ .

R3: Jurisdiction rule

\frac{P | \equiv Q | \Rightarrow X, P | \equiv Q | \equiv X}{P | \equiv X}

If $P$ believes that $Q$ can control $X$ , $P$ trusts $Q$ on the truth of $P$ believes $X$ .

R4: Freshness rule

\frac{P | \equiv # (X)}{P | \equiv # (X, Y)}

If $P$ believes that one part $X$ of a formula is fresh, then the entire formula ( $X$ , $Y$ ) must also be fresh.

Logic premises

Based on the aforementioned, we can obtain the initiative premises as below

S_{j} | \equiv CI D_{i}

RC | \equiv CI D_{i}

S_{j} | \equiv # (N_{i 1}, N_{i 3})

U_{i} | \equiv # (N_{i 2}, N_{i 3})

RC | \equiv # (N_{i 1}, N_{i 3})

U_{i} | \equiv U_{i} \leftrightarrow^{SK} S_{j}

U_{i} | \equiv S_{j} | \equiv U_{i} \leftrightarrow^{SK} S_{j}

S_{j} | \equiv U_{i} \leftrightarrow^{SK} S_{j}

S_{j} | \equiv U_{i} | \equiv U_{i} \leftrightarrow^{SK} S_{j}

U_{i} | \equiv U_{i} \leftrightarrow^{SK} RC

U_{i} | \equiv RC | \equiv U_{i} \leftrightarrow^{SK} RC

RC | \equiv U_{i} \leftrightarrow^{SK} RC

RC | \equiv U_{i} | \equiv U_{i} \leftrightarrow^{SK} RC

S_{j} | \equiv S_{j} \leftrightarrow^{SK} RC

S_{j} | \equiv RC | \equiv S_{j} \leftrightarrow^{SK} RC

RC | \equiv S_{j} \leftrightarrow^{SK} RC

RC | \equiv S_{j} | \equiv S_{j} \leftrightarrow^{SK} RC

Correctness analysis using BAN logic

In this protocol, three messages are used to achieve key agreements and mutual authentications. The first one is sent to $RC$ for login request, and the second one is sent by $RC$ to the server to get verification information. The last one is also the verification information sent to the user. The analysis is illuminated as the following.

Message1

\begin{matrix} S_{j} \to RC : F_{i}, G_{i}, P_{ij}, CI D_{i}, SI D_{j}, h (SI D_{j} ∥ y) \\ \oplus N_{i 2}, h (< h (x ∥ y) > N_{i 2}) \end{matrix}

Message2

\begin{matrix} N_{i 1} \oplus N_{i 3} \oplus h (< SI D_{j} > SI D_{j}), h (< A_{i} > Oi') \\ \oplus h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}), \\ h (< h (< A_{i} > Oi') > h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3})), \\ N_{i 2} \oplus N_{i 3} \oplus h (<< A_{i} > O_{i'} > N_{i 1}) \end{matrix}

Message3: $V_{i}, T_{i}$ .

The basic believes are as follows.

A1. $U_{i} | \equiv U_{i} \Leftrightarrow^{h 0} S_{j}$ ,

A2. $U_{i} | \equiv U_{i} \Leftrightarrow^{h 0} RC$ ,

A3. $U_{i} | \equiv # (N_{i 2})$ ,

A4. $U_{i} | \equiv # (N_{i 3})$ ,

A5. $U_{i} | \equiv (U_{i} | \Rightarrow F_{i}, G_{i}, P_{ij}, CI D_{i})$ ,

A6. $S_{j} | \equiv (U_{i} | \Rightarrow F_{i}, G_{i}, P_{ij}, CI D_{i})$ ,

A7. $RC | \equiv (U_{i} | \Rightarrow F_{i}, G_{i}, P_{ij}, CI D_{i})$ ,

A8. $S_{j} | \equiv U_{i} \Leftrightarrow^{h 0} S_{j}$ ,

A9. $S_{j} | \equiv S_{j} \Leftrightarrow^{h 0} RC$ ,

A10. $S_{j} | \equiv # (N_{i 1})$ ,

A11. $S_{j} | \equiv # (N_{i 3})$ ,

A12. $RC | \equiv RC \Leftrightarrow^{h 0} U_{i}$ ,

A13. $RC | \equiv RC \Leftrightarrow^{h 0} S_{j}$ ,

A14. $RC | \equiv # (N_{i 1})$ ,

A15. $RC | \equiv # (N_{i 2})$ ,

A16. $RC | \equiv (S_{j} | \Rightarrow SI D_{j})$ ,

A17. $U_{i} | \equiv (S_{j} | \Rightarrow U_{i} \leftrightarrow^{SK} S_{j})$ ,

A18. $U_{i} | \equiv (RC | \Rightarrow U_{i} \leftrightarrow^{SK} RC)$ ,

A19. $S_{j} | \equiv (U_{i} | \Rightarrow U_{i} \leftrightarrow^{SK} S_{j})$ ,

A20. $S_{j} | \equiv (RC | \Rightarrow S_{j} \leftrightarrow^{SK} RC)$ ,

A21. $RC | \equiv (U_{i} | \Rightarrow U_{i} \leftrightarrow^{SK} RC)$ ,

A22. $RC | \equiv (S_{j} | \Rightarrow S_{j} \leftrightarrow^{SK} RC)$ .

Based on the above assumptions, the agreement can be converted to BAN logic in specific patterns. The specific logic proved as follows:

$RC$ receives message 1, which can be expressed as

R C ⊲ {F_{i}, G_{i}, P_{i j}, C I D_{i}, S I D_{j}, h (S I D_{j} | | y) \oplus N_{i 2}, h (< h (x | | y) > N_{i 2}}

(1)

Formula 1 can be disassembled

RC ◃ S_{j} | ~ F_{i}

(2)

RC ◃ S_{j} | ~ G_{i}

(3)

RC ◃ S_{j} | ~ P_{ij}

(4)

RC ◃ S_{j} | ~ CI D_{i}

(5)

RC ◃ S_{j} | ~ SI D_{j}

(6)

RC ◃ S_{j} | ~ h (SI D_{j} ∥ y) \oplus N_{i 2}

(7)

RC ◃ S_{j} | ~ h (< h (x ∥ y) > N_{i 2})

(8)

Based on A6, equation (2), and R2, we can obtain

RC ◃ U_{j} | ~ F_{i}

(9)

Based on A7, equation (9), and R2, we can obtain

RC | \equiv F_{i}

(10)

Based on A6, equation (3), and R2, we can obtain

RC ◃ U_{j} | ~ G_{i}

(11)

Based on A7, equation (11), and R2, we can obtain

RC | \equiv G_{i}

(12)

Based on A6, equation (4), and R2, we can obtain

RC ◃ U_{j} | ~ P_{ij}

(13)

Based on A7, equation (13), and R2, we can obtain

RC | \equiv P_{ij}

(14)

Based on A6, equation (5), and R2, we can obtain

RC ◃ U_{j} | ~ CI D_{i}

(15)

Based on A7, equation (15), and R2, we can obtain

RC ◃ U_{j} | ~ CI D_{i}

(16)

Based on A16, equation (6), and R2, we can obtain

RC | \equiv SI D_{j}

(17)

Based on A15, equation (7), and R2, we can obtain

RC | \equiv S_{j} | ~ h (< SI D_{j} > v) \oplus N_{i 2}

(18)

Based on A13, equation (18), and R1, we can obtain

RC | \equiv h (< SI D_{j} > v) \oplus N_{i 2}

(19)

Based on A15, equation (8), and R2, we can obtain

RC | \equiv S_{j} | ~ h (< h (< x > v) > N_{i 2})

(20)

Based on A13, equation (20), and R1, we can obtain

RC | \equiv h (< h (< x > v) > N_{i 2})

(21)

Then $S_{j}$ receives message 2, which can be expressed as

\begin{matrix} S_{j} ◃ {N_{i 1} \oplus N_{i 3} \oplus h (< SI D_{j} > N_{i 2}), \\ h (< A_{i} > B_{i'}) \oplus h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}), \\ h (< h (< A_{i} > B_{i'}) > h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3})), \\ N_{i 2} \oplus N_{i 3} \oplus h (<< A_{i} > B_{i'} > N_{i 1})} \end{matrix}

(22)

and they can be converted as

S_{j} ◃ RC | ~ N_{i 1} \oplus N_{i 3} \oplus h (< SI D_{j} > N_{i 2})

(23)

S_{j} ◃ RC | ~ h (< A_{i} > B_{i'}) \oplus h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3})

(24)

S_{j} ◃ RC | ~ h (< h (< A_{i} > B_{i'}) > h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))

(25)

S_{j} ◃ RC | ~ N_{i 2} \oplus N_{i 3} \oplus h (<< A_{i} > Bi' > N_{i 1})

(26)

Based on A10, A11, equation (23), and R2, we can obtain

S_{j} | \equiv RC | ~ N_{i 1} \oplus N_{i 3} \oplus h (< SI D_{j} > N_{i 2})

(27)

Based on A9, equation (27), and R1, we can obtain

S_{j} | \equiv N_{i 1} \oplus N_{i 3} \oplus h (< SI D_{j} > N_{i 2})

(28)

Based on A9, equation (24), and R1, we can obtain

S_{j} | \equiv RC | ~ h (< A_{i} > B_{i'}) \oplus h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3})

(29)

Based on A10, A11, equation (29), and R2, we can obtain

S_{j} | \equiv h (< A_{i} > B_{i'}) \oplus h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3})

(30)

Based on A9, equation (25), and R1, we can obtain

S_{j} | \equiv RC | ~ h (< h (< A_{i} > B_{i'}) > h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))

(31)

Based on A10, A11, equation (31), and R2, we can obtain

S_{j} | \equiv h (< h (< A_{i} > B_{i'}) > h (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))

(32)

Based on A10, A11, equation (26), and R2, we can obtain

S_{j} | \equiv RC | ~ N_{i 2} \oplus N_{i 3} \oplus h (<< A_{i} > B_{i'} > N_{i 1})

(33)

Based on A9, equation (33), and R1, we can obtain

S_{j} | \equiv N_{i 2} \oplus N_{i 3} \oplus h (<< A_{i} > B_{i'} > N_{i 1})

(34)

Finally, $U_{i}$ receives message 3, which can be expressed as

U_{i} ◃ {V_{i}, T_{i}}

(35)

Then they can be converted as

U_{i} ◃ S_{j} | ~ V_{i}

(36)

U_{i} ◃ S_{j} | ~ T_{i}

(37)

Based on A3, equation (33), and R2, we can obtain

U_{i} | \equiv V_{i}

(38)

Based on A3, equation (34), and R2, we can obtain

U_{i} | \equiv T_{i}

(39)

Finally, based on R2, it can be proved that

U_{i} | \Rightarrow U_{i} \leftrightarrow^{SK} S_{j}

(40)

U_{i} | \Rightarrow U_{i} \leftrightarrow^{SK} RC

(41)

S_{j} | \Rightarrow U_{i} \leftrightarrow^{SK} S_{j}

(42)

S_{j} | \Rightarrow RC \leftrightarrow^{SK} S_{j}

(43)

RC | \Rightarrow U_{i} \leftrightarrow^{SK} RC

(44)

RC | \Rightarrow S_{j} \leftrightarrow^{SK} RC

(45)

Hence, the improved protocol can achieve mutual authentication among the user, the server and $RC$ as shown in equations (12), (21), (32), and (38). The three parties of the protocol also achieve session key agreement as shown in equations (40), (41), (32), (33), (34), and (35).

Security analysis of the improved protocol

Compared with other related protocols, our protocol can resist much more attacks illuminate as the following.

Leak of verifier attack

Different from some other protocols, registration center is involved in the authentication, and session key agreement phase. There is no verification table in both the registration center and the servers in our protocol, so it can avoid leak of verifier attack.

User’s anonymity

When $U_{i}$ logins the system, the smart card generates a random number $a$ and encrypts the number $E_{i}$ by $E_{i}' = E_{i} \oplus a$ . $RC$ computes $E_{i}'$ by the login request message to verify $U_{i}$ . Even though the attacker eavesdrops the message transmitted in the public channel and computes $E_{i}'$ , the attacker still cannot get $E_{i}$ which is unique to every user. Thus, user’s anonymity is protected in our protocol.

Insider attack

After registering in $RC$ , $S_{j}$ gets $h (SI D_{j} ∥ y)$ and $h (x ∥ y)$ , and both of them are used to compute the login request submitted to $RC$ , with neither of them participating in the computation of the user’s login request message. Besides, as a trusted party, $RC$ will not reveal the user’s information to the server. Hence, our protocol can resist insider attacks.

Eavesdropping attack

Even if the adversary intercepts the message { $F_{i}$ , $G_{i}$ , $P_{ij}$ , $CI D_{i}$ , $K_{i}$ , $M_{i}$ } that $S_{j}$ transmits to $RC$ , and computes $N_{i 1} = F_{i} \oplus h (y)$ , $A_{i} = P_{ij} \oplus h (h (y) ∥ N_{i 1} ∥ SI D_{j})$ , $E_{i}' = CI D_{i} \oplus h (A_{i} ∥ F_{i} ∥ N_{i 1})$ , without knowing the secret number y, the adversary still cannot compute $B_{i}' = E_{i}' \oplus h (y ∥ A_{i})$ and obtain $SK = h (h (A_{i} ∥ B_{i}') ∥ (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))$ consistent with $S_{j}$ and $RC$ . Thus, our protocol can withstand eavesdropping attack.

Masquerade attack

Even though a malicious user can extract $h (y)$ from his or her own smart card, he or she cannot obtain $U_{i}$ ’s ID $I D_{i}$ and password $P_{i}$ . Thus, the attacker cannot know $O_{i}'$ by $O_{i}' = E_{i}' \oplus h (y ∥ A_{i})$ , and achieve $SK = h (h (A_{i} ∥ B_{i}') ∥ (N_{i 1} \oplus N_{i 2} \oplus N_{i 3}))$ consistent with $S_{j}$ and $RC$ . To sum up, the attacker cannot masquerade $U_{i}$ to login the system; therefore, our protocol is resistant to masquerade attack.

Offline password-guessing attack

When a malicious legal user intercepts the login message { $F_{i}$ , $G_{i}$ , $P_{ij}$ , $CI D_{i}$ , $K_{i}$ , $M_{i}$ } transmitted to $RC$ by $S_{j}$ , he or she can compute $N_{i 1} = F_{i} \oplus h (y)$ and $A_{i} = P_{ij} \oplus h (h (y) ∥ N_{i 1} ∥ SI D_{j})$ based on $h (y)$ in the smart card. However, the attacker still cannot guess $U_{i}$ ’s identity $I D_{i}$ and password $P_{i}$ for $A_{i} = h (b ∥ P_{i} ∥ I D_{i})$ . Therefore, our protocol is immune to offline password-guessing attack.

Stolen smart card attack

If a user’s smart card is lost or stolen, the adversary is able to extract the parameters stored in the smart card. Unfortunately, the adversary does not know the user’s $I D_{i}$ and $P_{i}$ , he or she cannot pretend $U_{i}$ to login the system. To sum up, our protocol can resist stolen smart card attack.

Cost and functionality analysis

In this section, we evaluate the computational costs and functionality of our proposed protocol and compare it with some related authentication protocols for multi-server environment. To analyze the computational complexity, let $T_{h}$ denote the time complexity of hashing function, $T_{∥}$ be the time complexity of bitwise concatenation operation, and $T_{xor}$ be the time complexity of bitwise exclusive-OR operation. Table 2 shows the performance comparisons among our proposed protocol and some other related protocols. It can be seen that our protocol is more secure, when the computational complexity is similar to Li et al.’s protocol. Table 3 lists the functionality comparisons among our proposed protocol and other related protocols, which shows that our protocol can resist replay attack, stolen smart card attack, and password-guessing attack, and so on. Besides, the proposed protocol has achieved the security performances, such as proper mutual authentication, correct session key generation, user’s anonymity, and free password changing. These features make our protocol have a high level of security and efficiency.

Table 2.

Cost comparisons of our protocol and other related protocols.

Protocols	Login phase	Verification phase	Total
Proposed	6 $T_{h}$ +7 $T_{xor}$ +11 $T_{∥}$	20 $T_{h}$ +17 $T_{xor}$ +22 $T_{∥}$	26 $T_{h}$ +24 $T_{xor}$ +33 $T_{∥}$
Li et al.²¹	6 $T_{h}$ +4 $T_{xor}$ +10 $T_{∥}$	20 $T_{h}$ +19 $T_{xor}$ +22 $T_{∥}$	26 $T_{h}$ +23 $T_{xor}$ +32 $T_{∥}$
Sood et al.²⁰	5 $T_{h}$ +10 $T_{xor}$ +5 $T_{∥}$	14 $T_{h}$ +20 $T_{xor}$ +18 $T_{∥}$	19 $T_{h}$ +30 $T_{xor}$ +23 $T_{∥}$
Hsiang and Shih¹⁹	7 $T_{h}$ +8 $T_{xor}$ +8 $T_{∥}$	14 $T_{h}$ +13 $T_{xor}$ +24 $T_{∥}$	21 $T_{h}$ +21 $T_{xor}$ +32 $T_{∥}$
Liao and Wang¹⁷	6 $T_{h}$ +3 $T_{xor}$ +7 $T_{∥}$	8 $T_{h}$ +3 $T_{xor}$ +18 $T_{∥}$	14 $T_{h}$ +6 $T_{xor}$ +25 $T_{∥}$

Table 3.

Functionality comparisons of our protocol and other related protocols.

Functionalities	Proposed	Li et al.²¹	Sood et al.²⁰	Hsiang and Shih¹⁹	Liao and Wang¹⁷
User’s anonymity	Yes	No	Yes	Yes	Yes
Computation cost	Low	Low	Low	Low	Low
Single registration	Yes	Yes	Yes	Yes	Yes
No time synchronization	Yes	Yes	Yes	Yes	Yes
Resist leak-of-verifier attack	Yes	Yes	No	Yes	Yes
Resist replay attack	Yes	Yes	Yes	No	No
Resist impersonation attack	Yes	Yes	No	No	No
Resist password-guessing attack	Yes	No	Yes	Yes	Yes
Resist stolen smart card attack	Yes	Yes	No	No	No
Correct password update	Yes	Yes	Yes	No	Yes
Correct mutual authentication	Yes	Yes	No	Yes	Yes

Conclusion

In this article, we investigate Li et al.’s dynamic ID–based authentication protocol for multi-server architecture and show that Li et al.’s protocol is susceptible to certain security issues including insider attack, stolen smart card attack, eavesdropping attack, masquerade attack, no provision of user’s anonymity, and password-guessing attack. In order to address these issues, we propose an improved authentication protocol based on dynamic ID, and it is dependent on registration center for multi-server environments. Compared with other related schemes, our protocol remedies the secure flaws existing in Li et al.’s protocol with a minor increase in computational complexity. In addition, we provide the correctness analysis by using BAN logic.

Footnotes

Handling Editor: Gary Leavens

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported in part by the Natural Science Foundation of China under grants 61472229 and 61701284, in part by project funded by the China Postdoctoral Science Foundation (2016M592216) and Qingdao Postdoctoral Research Project (2016125).

ORCID iDs

Jianming Cui

Xiaojun Zhang

Ning Cao

Jianrui Ding

References

Wang

G-R

Nie

et al . Distance metric optimization driven convolutional neural network for age invariant face recognition. Pattern Recogn 2018; 75: 51–62.

Mezghani

Exposito

Drira

. A model-driven methodology for the design of autonomic and cognitive IoT-based systems: application to healthcare. IEEE T Emerg Top Comp Intel 2017; 1(3): 224–234.

Sun

L-C

Yan

Q-B

et al . Significant permission identification for machine learning based android malware detection. IEEE T Ind Inform. Epub ahead of print 12 January 2018. DOI: 10.1109/TII.2017.2789219.

Reyes

CRP

Vaca

Caldern

et al . MilNova: an approach to the IoT solution based on model-driven engineering for the military health monitoring. In: Proceeding of the 2017 CHILEAN conference on electrical, electronics engineering, information and communication technologies (CHILECON), Pucon, Chile, 18–20 October 2017. New York: IEEE.

Lamport

. Password authentication with insecure communication. Commun ACM 1981; 24(24): 770–772.

Hwang

M-S

L-H

. A new remote user authentication scheme using smart cards. IEEE T Consum Electr 2000; 46(1): 28–30.

ElGamal

. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE T Inform Theory 1985; 31(4): 469–472.

Liao

I-E

Lee

C-C

Hwang

M-S

. Security enhancement for a dynamic id-based remote user authentication scheme. In: Proceeding of the conference on next generation web services practices, Seoul, South Korea, 22–26 August 2005, pp.437–440. New York: IEEE.

Shen

Gui

Z-Y

et al . Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks. J Netw Comput Appl 2018; 106: 117–123.

10.

Zhu

W-T

Feng

D-G

. An improved smart card based password authentication scheme with provable security. Comp Stand Inter 2009; 31(4): 723–728.

11.

Song

R-G

. Advanced smart card based password authentication protocol. Comp Stand Inter 2010; 32(5–6): 321–326.

12.

X-X

Qiu

W-D

Zheng

et al . Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE T Ind Electron 2010; 57(2): 793–800.

13.

Yang

Y-J

Deng

R-H

Bao

. A practical password-based two-server authentication and key exchange system. IEEE T Depend Secure 2006; 3(2): 105–114.

14.

J-W

Chen

X-F

et al . Identity-based encryption with outsourced revocation in cloud computing. IEEE T Comput 2015; 64(2): 425–437.

15.

Madhusudhan

Praveen

. Weaknesses of a dynamic ID based remote user authentication protocol for multi-server environment. Comp Stand Commun 2016; 2(4): 196–200.

16.

Leu

J-S

Hsieh

W-B

. Efficient and secure dynamic ID-based remote user authentication scheme for distributed systems using smart cards. IET Inform Secur 2014; 8(2): 104–113.

17.

Liao

Y-P

Wang

S-S

. A secure dynamic ID based remote user authentication scheme for multi-server environment. Comp Stand Inter 2009; 31(1): 24–29.

18.

Lee

C-C

Lai

Y-M

C-T

. An improved secure dynamic ID based remote user authentication scheme for multi-server environment. Int J Sec Appl 2012; 6(2): 203–210.

19.

Hsiang

Shih

Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Comp Stand Inter 2009; 31(6): 1118–1123.

20.

Sood

Sarje

Singh

. A secure dynamic identity based authentication protocol for multi-server architecture. J Netw Comput Appl 2011; 34(2): 609–618.

21.

Xiong

Y-P

et al . An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J Netw Comput Appl 2012; 35(2): 763–769.

22.

Han

W-W

. Weaknesses of a dynamic identity based authentication protocol for multi-server architecture (arXiv preprint arXiv:1201.0883), 2012, http://arxiv.org/abs/1201.0883

23.

Xue

K-P

Hong

P-L

C-S

. A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J Comput Syst Sci 2014; 80(1): 195–206.

24.

Wang

C-G

D-L

et al . Cryptanalysis of two dynamic ID-based remote user authentication schemes for multi-server architecture. In: Proceedings of the 6th international conference on network and system security, Wuyishan, China, 21–22 November 2012, pp.462–475. Berlin: Springer-Verlag.

25.

Zhang

Y-H

Chen

X-F

et al . Secure attribute-based data sharing for resource-limited users in cloud computing. Comput Secur 2018; 72: 1–12.

26.

Huang

et al . Privacy-preserving outsourced classification in cloud computing. Cluster Comput. Epub ahead of print 8 April 2017. DOI: 10.1007/s10586-017-0849-9.

27.

Gao

C-Z

Cheng

et al . Cloud-assisted privacy-preserving profile-matching scheme under multiple keys in mobile social network. Cluster Comput. Epub ahead of print 2 February 2018. DOI: 10.1007/s10586-017-1649-y.

28.

Koblitz

. Elliptic curve cryptosystems. Math Comp 1987; 48: 203–209.

29.

Cai

Q-L

Zhan

Y-J

Wang

Y-H

. A minimalist mutual authentication protocol for RFID system & BAN logic analysis. In: Proceeding of the ISECS international colloquium on computing, communication, control, and management, Guangzhou, China, 3–4 August 2008, pp.449–453. New York: IEEE.

An improved authentication protocol–based dynamic identity for multi-server environments

Abstract

Keywords

Introduction

Related work and discussion

Review of Li et al.’s protocol

Registration phase

Login phase

Authentication and session key agreement phase

Password change phase

Cryptanalysis of Li et al.’s protocol

Insider attack

Smart card forgery attack

Eavesdropping attack

Masquerade attack

Server-spoofing attack

User’s anonymity

Offline password-guessing attack

The proposed protocol

Registration phase

Login phase

Authentication and session key generation phase

Password change phase

Analysis of correctness

BAN logic notation

BAN logical postulates

Logic premises

Correctness analysis using BAN logic

Security analysis of the improved protocol

Leak of verifier attack

User’s anonymity

Insider attack

Eavesdropping attack

Masquerade attack

Offline password-guessing attack

Stolen smart card attack

Cost and functionality analysis

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iDs

References