Introduction
Motivation
Contributions
- Firstly, a multi-server environment is considered, and then Elliptic Curve Cryptography is employed to design the proposed Anonymous Mutual Authentication and Key Agreement Scheme (AMAKAS) for securing multi-server environments.
- The proposed AMAKAS scheme guarantees the security requirements of multi-server environments and withstands various types of attacks in multi-server environments.
- The proposed AMAKAS scheme enables users to mutually authenticate with servers without involving the registration center in the authentication phase.
- The proposed AMAKAS scheme outperforms the related schemes in performance.
Road map of the paper
Related work
System model and threat model
System model
- In the registration phase, RC generates the required secret credentials for each user \({U}_{i}\) and each server \({S}_{j}\); each user and each server registers only once with the registration center. RC also stores the \({U}_{i}\)’s secret parameters it generated on a smart card SC and delivers the smart card to \({U}_{i}\). Both user registration and server registration are done through a secure channel.
- Once registration is done, the authentication phase starts: the user authenticates himself by inserting SC into a smart-card reader and presenting his login parameters (username, password, and biometric impression). After that, the user and the server run the mutual authentication and key agreement protocol to secure the communication between them; note that mutual authentication is carried out over the insecure public channel.
- Once mutual authentication is achieved, any legitimate registered user can connect with any of the m legitimate registered servers in the network.
Threat model
- Has full control over the insecure public communication channel between user and server.
- Can intercept, modify, replay, or even delete messages transmitted through the public channel.
- Can find the secret parameters stored on the smart card using a power analysis attack.
- Can find the password through an offline dictionary attack using the parameters disclosed from the smart card.
- Tries to find the current session key; once the current session key is revealed, old session keys can be compromised as well.
- Can run a user impersonation attack if the user’s password or smart card can be accessed.
The proposed AMAKAS scheme
Registration phase
Server registration
User registration
Login phase
Authentication phase
Security analysis
Informal security analysis
Mutual authentication
User anonymity
User un-traceability
Forward secrecy
Impersonation attack
- If the adversary aims to impersonate the legitimate user, he has to be capable of generating a valid login message \({M}_{1}=\{\text{W}, {OPA}_{u}, {PID}_{u}, {DID}_{u}\}\). The adversary can generate a random number \({C}_{u}\) and calculate \(\text{W}, {PID}_{u}\), and \({OPA}_{u}\), but he cannot generate \({DID}_{u}=h\left({A}_{u}\left|\left|{X}_{u}\right|\right|OP\right)\), because calculating \({X}_{u}={Y}_{u}\oplus h\left(M\right|\left|TW\right)\) requires knowing \(\{{Y}_{u}, M,TW\}\): \({Y}_{u}\) is a value stored on the smart card, calculating \(M=H\left({ID}_{u}\right|\left|{B}_{u}\right)\) requires knowing the user identity \({ID}_{u}\) and the biometric impression \({B}_{u}\) of the user, and calculating \(TW=h(a\oplus \text{H}\left({B}_{u}|\left|{PW}_{u}\right)\right)\) requires knowing the random number \(a\), the user password \({PW}_{u}\), and the biometric impression \({B}_{u}\), which are known only to the legitimate user. Moreover, the password is protected by a double application of the one-way hash function. Hence, the adversary cannot generate a valid login message \({M}_{1}\), and therefore the proposed scheme resists the user impersonation attack.
- The server secret key \({ASID}_{j}=h\left({ ID}_{j}\left|\left|X\right|\right|{e}_{j}\right)\) is calculated with the one-way hash function over the server ID, the secret key \(X\) of the registration center, and the random number \({e}_{j}\) generated by the registration center; therefore, \({ASID}_{j}\) is known only to the legitimate server. If the adversary aims to impersonate the legitimate server, he has to be capable of generating \({M}_{2} = \{{Q}_{ju}, {v}_{j}\}\), but calculating \({v}_{j}={D}_{j}\oplus OP\) requires obtaining the correct value of \(OP={C}_{u}.{PKS}_{j}=W.{ASID}_{j}\), which depends on the server’s secret key, known only to the legitimate server. Hence, the adversary cannot generate a valid \({v}_{j}\). Similarly, calculating \({Q}_{ju}=h\left({ID}_{u}\right|\left|OP\right|\left|{D}_{j}\right|\left| {ID}_{j}\right|\left|SK\right)\) requires the correct value of \(OP\) and the session key \(SK=h\left({ID}_{u}\left|\left|OP\right|\right|{D}_{j}\left|\left|{X}_{u}\right|\right|{ID}_{j}\right)\), which in turn requires calculating \({X}_{u}=h\left({a}_{i}.{PKS}_{j}\left|\left|{ID}_{u}\right|\right|{ASID}_{j}\right)\), i.e., knowing the random number \({a}_{i}\) generated by the registration center, the user ID, and the server’s secret key \({ASID}_{j}\). Therefore, only the legitimate server can generate \({Q}_{ju}\). Hence, the proposed AMAKAS scheme resists the server impersonation attack.
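The computations this argument rests on, run end to end as an added worked example (this is not the paper's code). It uses secp256k1 and SHA-256 in place of both \(h()\) and the biometric hash \(H()\); everything the page does not fix is an assumption and is marked as such in the comments: the curve, the byte encodings, \(W = C_u.P\), \(PKS_j = ASID_j.P\), \(A_u = a_i.P\) being carried in \(M_1\), and \(ID_u\) being masked with \(h(OP)\) to form \(PID_u\). \(OPA_u\) is left out because the page does not define it. The `forge=True` run builds a login message from a guessed \(X_u\), which is all a party holding \(W\), \(PID_u\) and the card's \(Y_u\) but not \(M\) and \(TW\) can do; the server's recomputation of \(DID_u\) then fails.

```python
"""Added worked example (not the paper's code): the AMAKAS computations the
impersonation argument relies on, on secp256k1 with SHA-256 for h() and H().
Everything the page does not fix is marked ASSUMPTION; OPA_u is omitted
because the page does not define it."""
import hashlib
import secrets

# secp256k1 domain parameters (ASSUMPTION: the page names no curve)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if A == B else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, Q):
    """Double-and-add scalar multiplication k.Q."""
    R = None
    while k:
        R = ec_add(R, Q) if k & 1 else R
        Q, k = ec_add(Q, Q), k >> 1
    return R


h = lambda *parts: hashlib.sha256(b"".join(parts)).digest()  # h(a||b||...) as SHA-256
H = h  # ASSUMPTION: the biometric hash H() is modelled by the same SHA-256
enc = lambda Q: Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")  # 64-byte point encoding
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
scal = lambda b: int.from_bytes(b, "big") % n  # hash output used as a scalar
rand = lambda: secrets.randbelow(n - 1) + 1


def rc_register(ID_u, B_u, PW_u, a, ID_j, X, e_j):
    """Registration centre: derives ASID_j for the server and Y_u for the card."""
    ASID_j = scal(h(ID_j, X, e_j))                 # ASID_j = h(ID_j||X||e_j)
    PKS_j = ec_mul(ASID_j, P)                      # ASSUMPTION: PKS_j = ASID_j.P
    a_i = rand()                                   # RC's random number a_i
    A_u = ec_mul(a_i, P)                           # ASSUMPTION: A_u = a_i.P, carried in M_1
    X_u = h(enc(ec_mul(a_i, PKS_j)), ID_u, ASID_j.to_bytes(32, "big"))  # h(a_i.PKS_j||ID_u||ASID_j)
    M = H(ID_u, B_u)                               # M = H(ID_u||B_u)
    TW = h(xor(a, H(B_u, PW_u)))                   # TW = h(a xor H(B_u||PW_u))
    Y_u = xor(X_u, h(M, TW))                       # Y_u = X_u xor h(M||TW), stored on the card
    return {"ID_j": ID_j, "ASID_j": ASID_j}, {"Y_u": Y_u, "A_u": A_u, "PKS_j": PKS_j}


def user_login(card, ID_u, B_u, PW_u, a, X_u=None):
    """User side of M_1. X_u is recovered from the card and the login secrets
    unless the caller supplies one (what a forger without M and TW must do)."""
    if X_u is None:
        X_u = xor(card["Y_u"], h(H(ID_u, B_u), h(xor(a, H(B_u, PW_u)))))
    C_u = rand()
    W = ec_mul(C_u, P)                             # ASSUMPTION: W = C_u.P
    OP = ec_mul(C_u, card["PKS_j"])                # OP = C_u.PKS_j
    PID_u = xor(ID_u, h(enc(OP)))                  # ASSUMPTION: ID_u masked with h(OP)
    DID_u = h(enc(card["A_u"]), X_u, enc(OP))      # DID_u = h(A_u||X_u||OP)
    return {"W": W, "PID_u": PID_u, "DID_u": DID_u, "A_u": card["A_u"]}, {"X_u": X_u, "OP": OP}


def server_authenticate(server, M1):
    """Server side: recompute OP, ID_u and X_u, check DID_u, then build M_2."""
    ASID_j = server["ASID_j"]
    OP = ec_mul(ASID_j, M1["W"])                   # OP = W.ASID_j (= C_u.PKS_j)
    ID_u = xor(M1["PID_u"], h(enc(OP)))
    X_u = h(enc(ec_mul(ASID_j, M1["A_u"])), ID_u, ASID_j.to_bytes(32, "big"))  # a_i.PKS_j = ASID_j.A_u
    if h(enc(M1["A_u"]), X_u, enc(OP)) != M1["DID_u"]:
        return None, None                          # login rejected
    D_j = secrets.token_bytes(64)                  # server's random number
    SK = h(ID_u, enc(OP), D_j, X_u, server["ID_j"])        # SK = h(ID_u||OP||D_j||X_u||ID_j)
    Q_ju = h(ID_u, enc(OP), D_j, server["ID_j"], SK)       # Q_ju = h(ID_u||OP||D_j||ID_j||SK)
    return {"Q_ju": Q_ju, "v_j": xor(D_j, enc(OP))}, SK    # v_j = D_j xor OP


def user_finish(state, M2, ID_u, ID_j):
    """User side of M_2: recover D_j, derive SK and verify Q_ju."""
    OP, X_u = state["OP"], state["X_u"]
    D_j = xor(M2["v_j"], enc(OP))
    SK = h(ID_u, enc(OP), D_j, X_u, ID_j)
    return SK if h(ID_u, enc(OP), D_j, ID_j, SK) == M2["Q_ju"] else None


def run(forge=False):
    """Constructed sample run (all identities and secrets are made up here).
    forge=True builds the login from a guessed X_u; the server must reject it."""
    ID_u, B_u, PW_u, a = b"user-01", b"constructed-template", b"pw", secrets.token_bytes(32)
    server, card = rc_register(ID_u, B_u, PW_u, a, b"server-01", secrets.token_bytes(32), secrets.token_bytes(32))
    M1, state = user_login(card, ID_u, B_u, PW_u, a, X_u=secrets.token_bytes(32) if forge else None)
    M2, SK_server = server_authenticate(server, M1)
    if M2 is None:
        return False
    SK_user = user_finish(state, M2, ID_u, server["ID_j"])
    return SK_user is not None and SK_user == SK_server
```

`run()` returns `True` only when both sides derive the same \(SK\) and \(Q_{ju}\) verifies; `run(forge=True)` returns `False` because the server's recomputed \(DID_u\) does not match. The point the example makes concrete is that the server never needs \(X_u\) from the card: it rebuilds it from \(ASID_j\), \(A_u\) and the recovered \(ID_u\), so a login message is only accepted when the sender could compute \(X_u\) from \(Y_u\), \(M\) and \(TW\).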
Replay attack
Stolen card attack
Man-in-the-middle attack
Known session specific temporary information attack
Formal security analysis using BAN logic
Idealization
- \({M}_{1}:\left({U}_{i}\to {S}_{j}\right):W,{<{ID}_{u}>}_{OP} ,{OPA}_{u}, {({A}_{u} , OP)}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}\)
- \({M}_{2}:\left({S}_{j}\to {U}_{i}\right):{V}_{i}, {({ID}_{u}, OP, {D}_{j},{ID}_{j}, {U}_{i}\overset{SK}{\leftrightarrow}{S}_{j})}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}\)
Assumptions
- \({A}_{1}: {U}_{i}|\equiv \#({C}_{u})\)
- \({A}_{2}: {S}_{j}|\equiv \#({D}_{j})\)
- \({A}_{3}: {U}_{i}|\equiv ({U}_{i}\overset{OP}{\leftrightarrow}{S}_{j})\)
- \({A}_{4}: {S}_{j}|\equiv ({U}_{i}\overset{OP}{\leftrightarrow}{S}_{j})\)
- \({A}_{5}: {U}_{i}|\equiv ({U}_{i}\overset{X_u}{\leftrightarrow}{S}_{j})\)
- \({A}_{6}: {S}_{j}|\equiv ({U}_{i}\overset{X_u}{\leftrightarrow}{S}_{j})\)
- \({A}_{7}: {S}_{j}|\equiv ({U}_{i}\Longrightarrow \left(OP\right))\)
- \({A}_{8}: {U}_{i}|\equiv ({S}_{j}\Longrightarrow \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right))\)
- \({A}_{9}: {S}_{j}|\equiv ({U}_{i}\Longrightarrow\left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right))\)
Goals
- Goal 1: \({U}_{i}|\equiv \left({S}_{j}\overset{{X}_{u}}{\leftrightarrow}{U}_{i}\right), \#({S}_{j}\overset{{X}_{u}}{\leftrightarrow}{U}_{i})\)
- Goal 2: \({U}_{i}|\equiv {S}_{j}|\equiv \#\left({C}_{u}\right)\)
- Goal 3: \({S}_{j}|\equiv {U}_{i}|\equiv \#\left({D}_{j}\right)\)
Analysis
- Step 1: From message \({M}_{2}\), we obtain:
$${U}_{i}\lhd {V}_{i}, {({ID}_{u}, OP, {D}_{j},{ID}_{j}, {U}_{i}\overset{SK}{\leftrightarrow}{S}_{j})}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}$$
- Step 2: From the assumption \({A}_{5}\), we obtain:
$${U}_{i}|\equiv ({U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j})$$
- Step 3: From \({M}_{2}\) and \({A}_{5}\), and applying the message-meaning rule, we obtain:
$$\frac{{U}_{i}|\equiv \left({U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}\right), {U}_{i}\lhd {V}_{i}, {({ID}_{u}, OP, {D}_{j},{ID}_{j}, {U}_{i}\overset{SK}{\leftrightarrow}{S}_{j})}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}}{{U}_{i}|\equiv {S}_{j}|\sim\left({V}_{i},{ID}_{u}, OP, {D}_{j},{ID}_{j},\left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\right)}$$
- Step 4: From \({A}_{1}\), \({A}_{2}\), step 2, and applying the nonce verification rule, we obtain:
$$\frac{{U}_{i}|\equiv \#\left({C}_{u}\right),{U}_{i}|\equiv {S}_{j}|\sim\left({V}_{i},{ID}_{u}, OP, {D}_{j},{ID}_{j}, \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\right)}{{U}_{i}|\equiv {S}_{j}|\equiv \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)}$$
- Step 5: From \({A}_{8}\), step 4, and applying the jurisdiction rule, we obtain:
$$\frac{{U}_{i}|\equiv \left({S}_{j}\Longrightarrow \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\right), {U}_{i}|\equiv {S}_{j}|\equiv \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)}{{U}_{i}|\equiv \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)}$$
- Step 6: From \({A}_{1}\), \({A}_{2}\), step 4, and applying the freshness conjuncatenation rule, we obtain:
$$\frac{{U}_{i}|\equiv \#({C}_{u})}{{U}_{i}|\equiv \#\left({C}_{u},\left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\right)}$$
- Step 7: From step 5 and step 6, we obtain:
$${U}_{i}|\equiv \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right) \text{ and } {U}_{i}|\equiv \#\left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)$$
- Step 8: From step 2, \({A}_{2}\), and applying the nonce verification rule, we obtain:
$$\frac{{U}_{i}|\equiv \#\left({C}_{u}\right),{U}_{i}|\equiv {S}_{j}|\sim\left({V}_{i},{ID}_{u}, OP, {D}_{j},{ID}_{j}, \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\right)}{{U}_{i}|\equiv {S}_{j}|\equiv \left({D}_{j}\right)}$$
- Step 9: From step 8, \({A}_{8}\), and applying the jurisdiction rule, we obtain:
$$\frac{{U}_{i}|\equiv \left({S}_{j}\Longrightarrow \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\right), {U}_{i}|\equiv {S}_{j}|\equiv ({D}_{j})}{{U}_{i}|\equiv ({D}_{j})}$$
- Step 10: From step 9, \({A}_{2}\), step 4, and applying the freshness conjuncatenation rule, we obtain:
- Step 11: From \({A}_{6}\), and applying the message-meaning rule, we obtain:
$$\frac{{S}_{j}|\equiv \left({U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}\right),{S}_{j}\lhd W,{<{ID}_{u}>}_{OP},{OPA}_{u}, {({A}_{u}, OP)}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}}{{S}_{j}|\equiv {U}_{i}|\sim (W,{<{ID}_{u}>}_{OP},{OPA}_{u},{A}_{u}, OP)}$$
- Step 12: From \({A}_{1}\), step 11, and applying the nonce verification rule, we obtain:
$$\frac{{U}_{i}|\equiv \#\left({C}_{u}\right),{S}_{j}|\equiv {U}_{i}|\sim(W,{<{ID}_{u}>}_{OP},{OPA}_{u}, {A}_{u}, OP)}{{S}_{j}|\equiv {U}_{i}|\equiv \left(OP\right)}$$
- Step 13: From \({A}_{7}\), step 12, and applying the jurisdiction rule, we obtain:
- Step 14: From \({A}_{1}\), step 11, step 13, and applying the freshness conjuncatenation rule, we obtain:
$$\frac{{U}_{i}|\equiv \#({C}_{u})}{{S}_{j}|\equiv \#({C}_{u})}$$
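As an added illustration (not part of the paper), the BAN rules named in the steps above can be run mechanically. The checker below encodes the four rules the analysis uses (message meaning for a shared key, freshness conjuncatenation, nonce verification, jurisdiction) as forward-chaining inferences and applies them to the idealized \(M_1\), \(M_2\) and assumptions \(A_1\) to \(A_9\). One assumption is added and labelled as such: \(U_i|\equiv \#(OP)\), since \(OP = C_u.PKS_j\) is derived from the nonce \(C_u\) that \(U_i\) chose (the page cites \(A_1\) at this point). The `server_fresh_op` switch adds the mirror-image belief \(S_j|\equiv \#(OP)\), which the page does not list; it is the premise the nonce verification rule needs for the server-side steps 12 and 13, so the switch shows what those steps depend on. The \({<{ID}_{u}>}_{OP}\) component of \(M_1\) is left out because the rules here do not handle the "combined with a secret" form.

```python
"""Added worked example (not from the paper): a small forward-chaining checker
for the BAN rules used in the analysis (message meaning for a shared key,
freshness conjuncatenation, nonce verification, jurisdiction).
Formulas are nested tuples: ('bel', P, F) is P |≡ F, ('sees', P, X) is P ◁ X,
('said', P, X) is P |~ X, ('fresh', X) is #(X), ('ctl', P, X) is P ⇒ X,
('key', P, K, Q) is P <-K-> Q, ('enc', X, K) is {X}_K, ('tup', ...) is (X, Y, ...)."""

U, S = "U_i", "S_j"
SK_SHARE = ("key", U, "SK", S)
XU_SHARE = ("key", U, "X_u", S)
OP_SHARE = ("key", U, "OP", S)
M1_BODY = ("tup", "A_u", "OP")                              # (A_u, OP)_{U_i <-X_u-> S_j}
M2_BODY = ("tup", "ID_u", "OP", "D_j", "ID_j", SK_SHARE)    # (ID_u, OP, D_j, ID_j, U_i <-SK-> S_j)_{X_u}


def components(x):
    """Parts of a tuple body; a non-tuple is its own single component."""
    return x[1:] if isinstance(x, tuple) and x[0] == "tup" else (x,)


def step(facts):
    """One round of rule application; returns only the facts not yet known."""
    new = set()
    for f in facts:
        if f[0] == "sees" and isinstance(f[2], tuple) and f[2][0] == "tup":
            new.update(("sees", f[1], c) for c in components(f[2]))      # P ◁ (X, Y) -> P ◁ X
        if f[0] == "sees" and isinstance(f[2], tuple) and f[2][0] == "enc":
            P, (X, K) = f[1], f[2][1:]                                    # message meaning:
            for g in facts:                                               # P |≡ P<-K->Q, P ◁ {X}_K
                if g[0] == "bel" and g[1] == P and isinstance(g[2], tuple) \
                        and g[2][0] == "key" and g[2][2] == K:
                    Q = g[2][3] if g[2][1] == P else g[2][1]
                    new.add(("bel", P, ("said", Q, X)))                   # -> P |≡ Q |~ X
        if f[0] == "bel" and isinstance(f[2], tuple):
            P, F = f[1], f[2]
            if F[0] == "said":
                Q, X = F[1], F[2]
                if any(("bel", P, ("fresh", c)) in facts for c in components(X)):
                    new.add(("bel", P, ("fresh", X)))                     # freshness conjuncatenation
                if ("bel", P, ("fresh", X)) in facts:
                    new.add(("bel", P, ("bel", Q, X)))                    # nonce verification
            if F[0] == "bel":
                for c in components(F[2]):
                    new.add(("bel", P, ("bel", F[1], c)))                # belief over a tuple -> each part
                    if ("bel", P, ("ctl", F[1], c)) in facts:
                        new.add(("bel", P, c))                            # jurisdiction
    return new - facts


def derive(facts):
    """Apply step() until no new fact appears."""
    facts = set(facts)
    new = step(facts)
    while new:
        facts |= new
        new = step(facts)
    return facts


def analysis(server_fresh_op=False):
    """A_1..A_9 from the page, the two idealized messages, and one added
    ASSUMPTION: U_i |≡ #(OP), since OP = C_u.PKS_j comes from U_i's own nonce.
    server_fresh_op adds S_j |≡ #(OP), which the page does not list."""
    facts = {
        ("bel", U, ("fresh", "C_u")), ("bel", S, ("fresh", "D_j")),      # A_1, A_2
        ("bel", U, OP_SHARE), ("bel", S, OP_SHARE),                      # A_3, A_4
        ("bel", U, XU_SHARE), ("bel", S, XU_SHARE),                      # A_5, A_6
        ("bel", S, ("ctl", U, "OP")), ("bel", U, ("ctl", S, SK_SHARE)),  # A_7, A_8
        ("bel", S, ("ctl", U, SK_SHARE)),                                # A_9
        ("bel", U, ("fresh", "OP")),                                     # added assumption
        ("sees", U, ("tup", "V_i", ("enc", M2_BODY, "X_u"))),            # M_2 as idealized
        ("sees", S, ("tup", "W", "OPA_u", ("enc", M1_BODY, "X_u"))),     # M_1 (<ID_u>_OP left out)
    }
    if server_fresh_op:
        facts.add(("bel", S, ("fresh", "OP")))
    return derive(facts)


def user_believes_session_key(facts):          # steps 3-5: U_i |≡ U_i <-SK-> S_j
    return ("bel", U, SK_SHARE) in facts


def server_believes_user_believes_op(facts):   # step 12: S_j |≡ U_i |≡ OP
    return ("bel", S, ("bel", U, "OP")) in facts


def server_believes_op(facts):                 # step 13 (jurisdiction with A_7): S_j |≡ OP
    return ("bel", S, "OP") in facts
```

With the page's assumptions plus \(U_i|\equiv \#(OP)\), the checker reaches \(U_i|\equiv (U_i\overset{SK}{\leftrightarrow}S_j)\) and \(U_i|\equiv S_j|\equiv D_j\), i.e., steps 3 to 5 and 8. It reaches \(S_j|\equiv U_i|\equiv OP\) and \(S_j|\equiv OP\) only when `server_fresh_op=True`, because nonce verification needs a freshness belief held by \(S_j\) about something in \(M_1\), and \(A_1\) is a belief of \(U_i\). Making that premise explicit is the kind of check worth running before trusting a hand-written BAN derivation.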
Security and performance comparisons
Security comparison
| Security feature / attack | [23] | [24] | [25] | [28] | [38] | The proposed AMAKAS scheme |
|---|---|---|---|---|---|---|
| Mutual authentication | √ | √ | √ | √ | √ | √ |
| User anonymity | x | √ | √ | √ | x | √ |
| User un-traceability | x | √ | x | x | x | √ |
| Forward secrecy | √ | √ | √ | √ | √ | √ |
| User impersonation attack | √ | √ | √ | √ | x | √ |
| Server impersonation attack | x | x | x | √ | √ | √ |
| Replay attack | √ | √ | √ | √ | x | √ |
| Stolen card attack | √ | √ | √ | √ | x | √ |
| Man-in-the-middle attack | x | √ | x | √ | x | √ |
| Known session specific temporary information attack | x | x | x | √ | x | √ |
Computation cost comparison
| Notation | Description | Execution time (ms) |
|---|---|---|
| \({T}_{h}\) | Time of one-way hash function | 0.0023 |
| \({T}_{m}\) | Time of point addition | 0.0288 |
| \({T}_{P}\) | Time of ECC scalar multiplication | 2.226 |
| \({T}_{inv}\) | Time of multiplicative inverse over ECC | 190.189E+06 |
| \({T}_{SED}\) | Time of symmetric key encryption/decryption | 0.0046 |
| \({T}_{AED}\) | Time of ECC encryption/decryption | 3.85 |
| \({T}_{F}\) | Time for fuzzy extraction | 2.226 |
| Computation party | [23] | [24] | [25] | [28] | The proposed AMAKAS scheme |
|---|---|---|---|---|---|
| User | \(4{T}_{h}+2{T}_{P}+2{T}_{m}\) | \(11{T}_{h}+2{T}_{P}\) | \(10{T}_{h}+2{T}_{P}+1{T}_{AED}\) | \(8{T}_{h}+2{T}_{P}+3{T}_{m}+1{T}_{F}\) | \(10{T}_{h}+2{T}_{P}\) |
| User (ms) | 4.5188 | 4.4773 | 8.325 | 6.7828 | 4.475 |
| Server | \(6{T}_{h}+2{T}_{P}+3{T}_{m}\) | \(6{T}_{h}+1{T}_{inv}\) | \(4{T}_{h}+1{T}_{P}\) | \(5{T}_{h}+3{T}_{P}+4{T}_{m}\) | \(5{T}_{h}+2{T}_{P}\) |
| Server (ms) | 4.5522 | ≈ 190.189E+06 | 2.2352 | 6.8116 | 4.4635 |
| Total | \(10{T}_{h}+4{T}_{P}+5{T}_{m}\) | \(17{T}_{h}+2{T}_{P}+1{T}_{inv}\) | \(14{T}_{h}+3{T}_{P}+1{T}_{AED}\) | \(13{T}_{h}+5{T}_{P}+7{T}_{m}+1{T}_{F}\) | \(15{T}_{h}+4{T}_{P}\) |
| Total (ms) | 9.071 | 190.189E+06 | 10.5602 | 13.5944 | 8.9385 |