A Secure and Efficient Remote User Authentication Scheme for Multi-server Environments Using ECC

KSII Transactions on Internet and Information Systems (TIIS).
2014.
Aug,
8(8):
2930-2947

- Received : October 24, 2013
- Accepted : July 14, 2014
- Published : August 28, 2014

Download

PDF

e-PUB

PubReader

PPT

Export by style

Share

Article

Metrics

Cited by

TagCloud

With the rapid growth of the communication technology, intelligent terminals (i.e. PDAs and smartphones) are widely used in many mobile applications. To provide secure communication in mobile environment, in recent years, many user authentication schemes have been proposed. However, most of these authentication schemes suffer from various attacks and cannot provide provable security. In this paper, we propose a novel remote user mutual authentication scheme for multi-server environments using elliptic curve cryptography (ECC). Unlike other ECC-based schemes, the proposed scheme uses ECC in combination with a secure hash function to protect the secure communication among the users, the servers and the registration center (RC). Through this method, the proposed scheme requires less ECC-based operations than the related schemes, and makes it possible to significantly reduce the computational cost. Security and performance analyses demonstrate that the proposed scheme can solve various types of security problems and can meet the requirements of computational complexity for low-power mobile devices.
N
owadays, mobile devices (i.e. smart phones, PDAs) are popular and widely used in many mobile applications, such as online shopping, mobile pay-TV, and electronic transactions. Along with the increasing number of mobile applications, the security issues have been received more and more attention. Generally, the user must be authenticated by the remote server before he accesses the services provided by the remote servers. The password-based authentication scheme is one of widely used mechanisms to verify the validity of the remote users over an insecure communication channel, and is a protective barrier that can prevent unauthorized personnel from accessing services provided by the application server.
In 1981, Lamport
[1]
first proposed a password-based remote authentication scheme for insecure communication. In Lamport’s scheme, the user submits a message which contains his/her identity and password to the remote server, and then he/she can access to the remote server if the submitted information is matched with the information stored in the server’s memory. This method is simple and practical, but it has some inherent drawbacks. The most serious problem is that the server has to store and maintain a verification table to verify the validity of the users, and then it will suffer from the password related attacks, such as stolen-verifier attack, off-line password dictionary attack, password table tampering and corruption attack. Later, some research activities
[2]
[3]
focused on the password-based authentication schemes without verification tables. However, only password-based user authentication scheme is not sufficient to fulfill the security requirements of various applications. Since the smart card has the functions of storage, encryption, computation, etc., many smart card based password authentication schemes have been proposed
[4]
[5]
[6]
[7]
[8]
[21]
by researchers. The smart card based password authentication schemes can not only solve the problem of storing the password table in the server, but can enhance the security of their schemes.
However, most of smart card based user authentication schemes are designed for the single server environments. In the practical application, it is extremely hard for a user to remember these different numerous identities and passwords when he/she uses the single-server authentication scheme to login and access to different remote servers. For this reason, there are also some other research activities
[9]
[10]
[11]
[12]
[20]
contributed to the authentication schemes for multi-server environments. The multi-server authentication scheme resolves the repeated registration problem of single-server authentication scenario where the user has to register at different servers to access to different types of network services. In 2001, Li
et al
.
[9]
proposed a multi-server user authentication protocol based on neural networks, however, it was found that the computational complexity of their scheme is too high
[10]
. To remedy the efficiency problem of Li
et al
.’s scheme, Juang
[10]
proposed a new multi-server password authentication protocol using the hash function and symmetric key cryptosystem. However, Chang and Lee
[11]
pointed out that Juang’s protocol lacks efficiency and is vulnerable to off-line dictionary attack. Therefore, Chang and Lee proposed a novel authentication scheme to remedy these weaknesses. Nevertheless, their protocol was found to be vulnerable to insider attack, spoofing attack and registration center spoofing attack
[12]
. Then, Tsai
[12]
proposed an efficient multi-server authentication protocol based on one-way hash function.
However, all of the above smart card based multi-server authentication schemes are based on static ID, which gives the adversary a chance to trace a legal user. Consequently, to deal with this problem, some dynamic identity based user authentication schemes for multi-server environments have been proposed
[13]
[14]
[15]
[19]
[22]
. In 2009, Liao and Wang
[13]
proposed a dynamic identity based authentication scheme for multi-server architecture. They claimed that their scheme can resist various attacks and can achieve mutual authentication. However, Hsiang and Shih
[14]
pointed out that Liao-Wang’s scheme is still suffering from a variety of different attacks. Besides, Hsiang and Shih found that Liao-Wang’s scheme cannot achieve mutual authentication. To solve these problems, Hsiang and Shih
[14]
proposed an improved protocol on Liao-Wang’s protocol. Unfortunately, Lee
et al
.
[15]
, Sood
et al
.
[16]
, and Chuang and Tseng
[17]
respectively pointed out that Hsiang and Shih’s scheme still suffers from different kinds of attacks, and they are all proposed the enhanced scheme. Later, Li
et al
.
[18]
and Li
et al
.
[19]
respectively pointed out Lee
et al
.’s scheme
[15]
and Sood
et al
.’s scheme
[16]
are both not secure to resist attacks.
Recently, many pairing-based or ECC-based remote user authentication schemes with smart cards were proposed in
[17]
[23]
[24]
[25]
. In 2006, Das
et al
.
[23]
proposed a pairing-based remote client authentication scheme with smart cards. However, their scheme suffered from a forgery attack. Later, Fang and Huang
[24]
proposed an improvement to overcome drawback of Das
et al
.’s scheme. However, Giri and Srivastava
[25]
found that Fang and Huang’s scheme is still suffering from another type of forgery attack. Then, Giri and Srivastava
[25]
presented another improvement to withstand the forgery attack. In 2012, Chuang and Tseng
[17]
proposed an ID-based mutual authentication and key agreement scheme based on bilinear maps for mobile multi-server environment. In 2013, Liao and Hsiao
[4]
proposed a pairing-based remote user authentication scheme which uses secure key distribution based on self-certified public keys among the service servers. However, the computational cost of pairing operation is approximately 20 times higher than that of the scalar multiplication with the same order. Then, several ID-based authentication protocols on ECC are proposed. In 2009, Yang and Chang
[26]
proposed an ID-based remote mutual authentication with key agreement protocol on ECC. In 2012, He
et al
.
[5]
propose an ID-based remote mutual authentication with key agreement scheme on ECC. However, He
et al
.’s scheme cannot support the multi-server environment.
In general, a secure and efficient remote user authentication scheme should satisfy the following requirements
[18]
.
•User anonymity: The adversary cannot track a special user by the user’s identity, therefore it can protect the user’s privacy.
•Single registration: The scheme allows the user to register only once at the registration center and then the user can access to all the permitted services in the whole network.
•No password table: The registration center should be without the user’s password table to authenticate the users.
•Low computation and communication cost: Due to the limited energy, processing and storage resources of mobile devices, the design of authentication scheme must take computation efficiency into consideration.
•Mutual authentication and session key agreement: In mutual authentication scheme, the server and the user must be able to authenticate each other via message exchange (mutual authentication). Through the mutual authentication procedure, the server and the user can negotiate and agree on a session key that is used in the following secret communication.
•Security: The authentication scheme must be able to prevent from various kinds of attacks.
In this paper, we propose a novel remote user mutual authentication scheme with key agreement protocol for mobile multi-server environments. Unlike other ECC-based researches, the proposed scheme uses a secure hash function to protect both the users’ and the servers’ secret values. Besides, the proposed scheme uses ECC in combination with a secure hash function to protect the secure communication among the users, the servers and the registration center (RC for short, which is responsible for system initialization, user and server registration and authentication).. Through this method, the proposed scheme requires less ECC-based operations than the related schemes. Performance analysis is made to show that our scheme has better performance than the related schemes
[5]
[17]
[26]
. The security analysis shows that the proposed scheme can withstand various possible attacks. Compared with the related works, the proposed scheme is more secure and efficient for remote authentication.
The remainder of this paper is organized as follows. In Section 2, we briefly review the basic concepts of ECC and some related mathematical preliminaries. Section 3 describes the proposed authentication and key agreement scheme. Then, we present the security analysis and performance evaluation about the proposed scheme in Section 4 and Section 5, respectively. Finally, Section 6 concludes the paper.
p
be a prime number, and let
GF
(
p
) denote the field of integers modulo
p
. An elliptic curve
E
over
GF
(
p
) is defined by an equation of the form:
where
a
,
b
∈
GF
(
p
), and satisfies 4
a
^{3}
+ 27
b
^{2}
≠ 0 (mod
p
) . A pari
Q
(
x
_{1}
,
y
_{1}
) is a point on the curve if Q(
x
_{1}
,
y
_{1}
) satisfies the equation (1), where
x
_{1}
,
y
_{1}
∈
GF
(
p
). The point at infinity, denoted by
∞
, is also said to be on the curve. Any point pair
Q
(
x
,
y
) which satifies the above equation together with
∞
, called ‘point at infinity’, form an additive cyclic group
E
(
F_{p}
) = {(
x
,
y
) |
x
,
y
∈
GF
(
p
) satisfy
y
^{2}
=
x
^{3}
+
ax
+
b
(mod
p
)}∪
∞
. The scalar multiplication of a point
P
over
E_{p}
(
a
,
b
) is computed by repeated addition as,
k
·
P
=
P
+
P
+ · · · +
P
(
k
times), where
k
is a constant integer and
P
is a point on the curve
E
. For simplicity, we omit the details and the readers can refer to the related references
[27]
.
E
defined over a finite field
GF
(
p
), and two points
Q
,
P
∈
E
, it is hard to find an integer
k
∈
Z_{q}
^{*}
such that
Q
=
k
·
P
.
Definition 2. Computational Diffie-Hellman Problem (CDH Problem): Given an elliptic curve
E
defined over a finite field
GF
(
p
), a point
P
∈
E
of order
q
, and points
A
=
a
·
P
;
B
=
b
·
P
, it is hard to find the point
C
=
abP
.
Definition 3. The Elliptic Curve Decision Diffie-Hellman Problem (ECDDH Problem): Given an elliptic curve
E
defined over a finite field
GF
(
p
), a point
P
of order
q
, and points
A
=
a
·
P
,
B
=
b
·
P
, and
C
=
c
·
P
, determine whether or not
C
=
abP
, equivalently, whether
c
≡
a
·
b
(mod
p
) or not.
To the best of our knowledge, there is no polynomial time algorithm to solve any of the above-mentioned problems with non-negligible probability
[28]
.
In the proposed scheme, two kinds of hash function will be used:
h
(·) and
H
(·). The hash function
h
(·) maps binary strings of an arbitrary length to an integer of fixed bit length (
h
: {0, 1}
^{*}
→ Z
_{q}
^{*}
). The hash function
H
(·) maps a point over the elliptic curve
E
to a binary strings of a fixed length (H:
E_{p}
(
a
,
b
) → {0, 1}
^{1}
,
l
is the length of the string). In our scheme,
H
(·) can be constructed by the hash function
h
(·): Let
P_{i}
be a point over the elliptic curve
E
, let
P_{x}
and
P_{y}
be the X-coordinate and the Y-coordinate of the point
P_{i}
, respectively. Then,
H
(·) can be sonstructed as
H
(
P_{i}
) =
h
(
P_{x}
)║
h
(
P_{y}
), where ║ is string concatenation operation.
RC
). Without loss of generality, the proposed authentication scheme consists of four phases: the registration phase, the login phase, the authentication and session key agreement phase and the password change phase. The login and authentication phases are depicted in
Fig. 1
, and more details of all these phases are describe as follows.
The login and authentication phases of our scheme
For the sake of clarity, the notations used in this paper are summarized and defined in
Table 1
.
List of notations
RC
), users and servers.
RC
is responsible for system initialization, user and server registration and authenticaion. The detailed initialization steps are performed as follows.
At the beginning,
RC
chooses a prime number
p
and an elliptic curve equation
E
over the finite field
GF
(
p
), and then selects a base point
P
with the order
q
over
E
, where
q
is a 512-bit prime number and
q
≼
p
. Then,
RC
selects a random number
s
∈
Z_{q}
^{*}
as the master secret key, and computes the public key
P_{pub}
=
s
·
P
.
Next,
RC
chooses two secret keys
x
,
y
∈
Z_{q}
^{*}
, and chooses two secure hash functions
h
(·) and
H
(·), where
h
: {0, 1} =>
Z_{p}
^{*}
, and
H
:
E_{p}
(
a
,
b
) => {0, 1}
^{l}
,
l
is the length of the string.
Then,
RC
computes
h
(
SID_{j}
║
y
) and
h
(
SID_{j}
⊕
y
), and shares these authentication certificate with the corresponding server
S_{j}
via a secure channel.
In the end,
RC
publishes the public system parameters as {
E
,
GF
(
p
),
q
,
P
,
P_{pub}
,
h
(·),
H
(·)} and keeps the master secret key
s
and values
x
and
y
secretly.
U_{i}
wants to use this system, he/she has to submit his/her identity and password to
RC
for registration. The steps of the registration phase are as follows:
Step R1.
U_{i}
→
RC
: {
ID_{i}
,
h
(
b
⊕
PW_{i}
)}.
The user
U_{i}
chooses his/her identity
ID_{i}
and password
PW_{i}
freely.
U_{i}
’s terminal generates a random number
b
. Then,
U_{i}
computes
h
(
b
⊕
PW_{i}
) and sends the message {
ID_{i}
,
h
(
b
⊕
PW_{i}
)} to
RC
via a common channel.
Step R2.
RC
computes
T_{i}
=
h
(
ID_{i}
║
x
) ,
Q_{i}
=
h
(
T_{i}
),
V_{i}
=
T_{i}
⊕
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
))
R_{i}
=
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
x
).
Step R3.
RC
issues a smart card to
U_{i}
, and the card contains {
V_{i}
,
H_{i}
,
R_{i}
,
h
(·),
H
(·),
E
,
P
}.
Step R4.
U_{i}
’s terminal inserts the value
b
into the smart card. At last, the smart card contains {
V_{i}
,
H_{i}
,
R_{i}
,
b
,
h
(·),
H
(·),
E
,
P
}.
U_{i}
wants to login to the server
S_{j}
, he/she inserts his/her smart card to a terminal (smart phone or PDA) and inputs his/her identity
ID_{i}
and password
PW_{i}
.
Step L1. The smart card computes
T_{i}
^{*}
=
V_{i}
⊕
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
)),
Q_{i}
^{*}
=
h
(
T_{i}
^{*}
), and checks whether
Q_{i}
^{*}
is equal to
Q_{i}
. If they are equal, the terminal proceeds to the next step. Otherwise, the smart card rejects this request.
Step L2.
U_{i}
→
S_{j}
: {
C
_{1}
,
C
_{2}
,
TU_{i}
}. The smart card chooses a random number
k
∈
Z_{q}
^{*}
and computes:
w_{i}
=
TU_{i}
⊕(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
SID_{j}
║
R_{i}
),
C
_{1}
=
k
·
P
,
P_{ur}
=
k
·
P_{pub}
,
C
_{2}
=
w_{i}
⊕
H
(
P_{ur}
),
where
TU_{i}
denotes the current timestamp and
SID_{j}
denotes the identity of the destination server. Then,
U_{i}
sends the login request {
C
_{1}
,
C
_{2}
,
TU_{i}
} to the server
S_{j}
for authentication.
S_{j}
→
RC
: {
SID_{j}
,
C
_{1}
,
C
_{2}
,
C
_{3}
,
N_{j}
,
TU_{i}
,
aP
}.
When the server
S_{j}
receives the login request {
C
_{1}
,
C
_{2}
,
TU_{i}
}, it checks whether
TU_{i}
–
T_{s}
≼ △
T
, where
T_{s}
is the time when
S_{j}
receives this request and △
T
is the expected time interval for the transmission delay. If so,
S_{j}
generates a random number
N_{j}
∈
Z_{q}
^{*}
, then computes
m
_{1}
=
h
(
SID_{j}
⊕
y
)║
N_{j}
,
C
_{3}
=
m
_{1}
⊕
H
(
a
·
P_{pub}
), where
a
is the server
S_{j}
’s master key.
Then,
S_{j}
sends the registration request {
SID_{j}
,
C
_{1}
,
C
_{2}
,
C
_{3}
,
N_{j}
,
TU_{i}
,
aP
} to
RC
via a common channel.
Step A2. Upon receiving {
SID_{j}
,
C
_{1}
,
C
_{2}
,
C
_{3}
,
N_{j}
,
TU_{i}
,
aP
},
RC
checks whether
TU_{i}
–
T_{RC}
≼ △
T
, where
T_{RC}
is the time when
RC
receives the above message. If so,
RC
computes:
P_{ru}
=
s
·
C
_{1}
,
w_{i}
^{*}
=
C
_{2}
⊕
H
(
P_{ru}
),
m
_{1}
^{*}
=
C
_{3}
⊕
H
(
s
·(
aP
)).
The above formulae can be deduced as follows:
w_{i}
^{*}
=
C
_{2}
⊕
H
(
P_{ru}
) =
C
_{2}
⊕
H
(
s
·
C
_{1}
) =
C
_{2}
⊕
H
(
s
·(
k
·
P
)) =
C
_{2}
⊕
H
(
k
·(
s
·
P
)) =
C
_{2}
⊕
H
(
k
·
P_{pub}
) =
C
_{2}
⊕
H
(
P_{ur}
) =
w_{i}
=
TU_{i}
⊕(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
SID_{j}
║
R_{i}
),
m
_{1}
^{*}
=
C
_{3}
⊕
H
(
s
·(
aP
)) =
C
_{3}
⊕
H
(
a
·(
sP
)) =
C
_{3}
⊕
H
(
a
·
P_{pub}
) =
m
_{1}
=
h
(
SID_{j}
⊕
y
)║
N_{j}
.
Therefore,
RC
can extract the user’s identity
ID_{i}
and
h
(
b
⊕
PW_{i}
) by computing
w_{i}
⊕
TU_{i}
. At this point,
RC
has both
U_{i}
’s and
S_{j}
’s identity.
RC
computes
h
(
SID_{j}
⊕
y
) and compares it with the value extracted from
m
_{1}
^{*}
. If they are equal,
RC
considers
S_{j}
as a legal server. Then
RC
computes
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
x
) and compares it with the value
R_{i}
which is extracted from
w_{i}
^{*}
. If
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
x
) =
R_{i}
,
RC
considers
U_{i}
as a legal user. Then
RC
sends a message to
S_{j}
in the next step.
Step A3.
RC
→
S_{j}
: {
C
_{4}
,
C
_{5}
,
TU_{i}
}. The
RC
computes:
m
_{2}
=
h
(
SID_{j}
⊕
y
)║
ID_{i}
║
h
(
ID_{i}
║
x
),
m
_{3}
=
h
(
ID_{i}
║
x
)║
SID_{j}
║
N_{j}
║
h
(
SID_{j}
║
y
),
C
_{4}
=
m
_{2}
⊕
H
(
s
·(
aP
)),
C
_{5}
=
m
_{3}
⊕
H
(
P_{ru}
).
Then,
RC
sends the message {
C
_{4}
,
C
_{5}
,
TU_{i}
} to the server
S_{j}
via a common channel.
Step A4.
S_{j}
→
U_{i}
: {
C
_{5}
,
N_{j}
,
TU_{i}
}. Upon receiving {
C
_{4}
,
C
_{5}
,
TU_{i}
},
S_{j}
computes
m
_{2}
^{*}
=
C
_{4}
⊕
H
(
a
·(
P_{pub}
)), where
a
is
S_{j}
’s master key. Then,
S_{j}
extracts the value
h
(
SID_{j}
⊕
y
) from
m
_{2}
^{*}
and compares it with of
h
(
SID_{j}
⊕
y
) stored in its memory to verify
RC
. If they are equal,
S_{j}
considers
U_{i}
as a legal user and sends the message {
C
_{5}
,
N_{j}
,
TU_{i}
} to the user
U_{i}
.
S_{j}
further computes
SK
=
h
(
h
(
ID_{i}
║
x
)║
h
(
SID_{j}
║
y
)║
TU_{i}
║
N_{j}
) as the session key for securing communications with
U_{i}
.
Step A5. After receiving {
C
_{5}
,
N_{j}
,
TU_{i}
},
U_{i}
computes
m
_{3}
^{*}
=
C
_{5}
⊕
H
(
k
·
P_{pub}
), then
U_{i}
extracts the value
h
(
ID_{i}
║
x
) from
m
_{3}
^{*}
and computes
H_{i}
^{*}
=
h
(
h
(
ID_{i}
║
x
)). Next,
U_{i}
compares
H_{i}
^{*}
with
H_{i}
. If they are equal,
U_{i}
considers
S_{j}
as a legal server and further computes
SK
=
h
(
h
(
ID_{i}
║
x
)║
h
(
SID_{j}
║
y
)║
TU_{i}
║
N_{j}
) as the session key for securing communications with
S_{j}
.
U_{i}
wants to change his/her password
PW_{i}
to a new password
PW_{new}
. The steps of the password change phase are as follows.
Step P1.
U_{i}
inserts his/her smart card into the terminal and then keys his/her
ID_{i}
and
PW_{i}
.
Step P2. The smart card computes
T_{i}
=
V_{i}
⊕
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
)),
Q_{i}
^{*}
=
h
(
T_{i}
) and checks whether
Q_{i}
^{*}
is equal to
Q_{i}
, If they are equal, the smart card lets
U_{i}
choose a new password
PW_{new}
and a new random number
b_{new}
to compute:
h
(
b_{new}
⊕
PW_{new}
),
V_{new}
=
T_{i}
⊕
h
(
ID_{i}
║
h
(
b_{new}
⊕
PW_{new}
)),
C
_{6}
= (
ID_{i}
║
h
(
b_{new}
⊕
PW_{new}
))⊕
H
(
k
·
P_{pub}
).
Then,
U_{i}
sends the message {
ID_{i}
,
C
_{1}
,
C
_{2}
,
C
_{6}
,
TU_{i}
} to
RC
via a secure channel. Step P3. Upon receiving {
ID_{i}
,
C
_{1}
,
C
_{2}
,
C
_{6}
,
TU_{i}
},
RC
checks whether the time stamp
TU_{i}
is valid. If so,
RC
determines the legitimacy of
U_{i}
using the values
C
_{1}
and
C
_{2}
. Then,
RC
computes
C
_{6}
⊕
H
(
s
·
C
_{1}
) =
C
_{6}
⊕
H
(
s
·(
k
·
P
)) =
C
_{6}
⊕
H
(
k
·
P_{pub}
) =
ID_{i}
║
h
(
b_{new}
⊕
PW_{new}
).
Step P4.
RC
calculates
R_{new}
=
h
(
ID_{i}
║
h
(
b_{new}
⊕
PW_{new}
)║
x
),
C
_{7}
= (
R_{new}
║
h
(
ID_{i}
║
x
)║
TU_{i}
)⊕
H
(
s
·
C
_{1}
) and then sends the message {
ID_{i}
,
C
_{7}
,
TU_{i}
} to
U_{i}
.
Step P5. After receiving {
ID_{i}
,
C
_{7}
,
TU_{i}
},
U_{i}
computes
C
_{7}
⊕
H
(
k
·
P_{pub}
) =
C
_{7}
⊕
H
(
s
·(
k
·
P
)) =
C
_{7}
⊕
H
(
s
·
C
_{1}
) =
R_{new}
║
h
(
ID_{i}
║
x
)║
TU_{i}
. Then,
U_{i}
computes
Q_{i}
^{*}
=
h
(
h
(
ID_{i}
║
x
)) and compares it with
Q_{i}
stored in his/her smart card to check the validity of this message. If they are the same, the smart card replaces
b
,
V_{i}
,
R_{i}
with
b_{new}
,
V_{new}
, and
R_{new}
, respectively.
n
users
U
= {
U
_{1}
,
U
_{2}
, …,
U_{n}
}, m servers
S
= {
S
_{1}
,
S
_{2}
, …,
S_{m}
} and a registration center (
RC
). The lth instance of
U_{i}
(resp.
S_{j}
) is denoted by Π
^{l}
_{U}
(resp. Π
^{l}
_{S}
). An adversary
A
is a probabilistic polynomial time machine. It is assumed that
A
is able to potentially control all common communications in the proposed scheme via accessing to a set of oracles (as defined below). The proposed scheme’s public parameters are known by each participant (including the users, servers and
RC
).
•
Extract
(
ID_{i}
): In this query model, an adversary
A
is able to get the private key of
ID_{i}
.
•Send(Π
^{k}_{c}
,
M
): The adversary
A
can send a message
M
to the oracle Π
^{k}_{c}
, where c ∈ {
U
,
S
,
RC
}. When receiving the message
M
, Π
^{k}_{c}
responds to
A
according to the proposed scheme.
•
h
(
m_{i}
): When an adversary
A
makes this hash query with the message
m_{i}
, the oracle Π
^{k}_{c}
returns a random number
r
_{1}
and records (
m_{i}
,
r
_{1}
) into a list
L_{h}
. The list is initially empty.
•
H
(
P_{i}
): When an adversary
A
makes this hash query with a point
P_{i}
over the curve
E
, the oracle Π
^{k}_{c}
returns a random number
r
_{2}
and records (
P_{i}
,
r
_{2}
) into a list
L_{H}
. The list is also empty initially.
•
Reveal
(Π
^{k}_{c}
): In this query model, the adversary
A
can obtain a session key
SK
from the oracle Π
^{k}_{c}
if the oracle has accepted. Otherwise, Π
^{k}_{c}
returns a null to
A
.
•
Corrupt
(
ID_{i}
): The adversary
A
can issue this query to
ID_{i}
and gets back its private key.
•
Test
(Π
^{k}_{c}
): When
A
asks this query to an oracle Π
^{k}_{c}
, the oracle chooses a random bit
b
∈{0, 1}. If
b
= 1, then Π
^{k}_{c}
returns the session key. Otherwise, it returns a random value. This query measures the semantic security of the session key.
In this model, the adversary
A
can make
Send
,
Reveal
,
Corrupt
and
Test
queries. Note that the capabilities of the adversary can make finite queries under adaptive chosen message attacks
[33]
.
Theorem 1
. Assume that an adversary
A
can violate the proposed scheme with a non-negligible advantage
ε
and makes at most
q_{u}
,
q_{s}
,
q_{h}
, and
q_{H}
queries to the oracle of the user Π
^{i}
_{U}
, oracle of the server Π
^{j}
_{S}
,
h
, and
H
, respectively. Then we can construct an algorithm to solve the CDH problem with a non-negligible advantage.
Proof.
We first classify the types of attack into two categories: impersonating the user to communicate with
RC
and impersonating the server to communicate with
RC
. Then we can construct an algorithm to solve the CDH problem.
For an instance of the CDH problem {
q
,
P
,
Q
_{1}
=
xP
,
Q
_{2}
=
yP
},
B
simulates the system initializing algorithm to generate the system parameters {
E
,
q
,
P
,
P_{pub}
=
Q
_{2}
,
h
,
H
}.
h
and
H
are random oracles controlled by
B
. Then,
B
gives the system parameters to
A
.
B
interacts with
A
as follows.
h-query
:
B
maintains a list
L_{h}
of tuples (
str_{i}
,
h_{i}
). When
A
queries the oracle
h
on (
str_{i}
,
h_{i}
),
B
responds as follows:
If
str_{i}
is on
L_{h}
, then
B
responds with
h_{i}
. Otherwise,
B
randomly chooses an integer
h_{i}
that is not found in
L_{h}
, and adds (
str_{i}
,
h_{i}
) into
L_{h}
, then responds with
h_{i}
.
H-query
:
B
maintains a list
L_{H}
of tuples (
P_{c}
,
H_{c}
). When
A
queries the oracle
H
on (
P_{c}
,
H_{c}
),
B
responds as follows:
If
P_{c}
is on
L_{H}
, then
B
responds with
H_{c}
. Otherwise,
B
randomly chooses an integer
H_{c}
that is not found in
L_{H}
, and adds (
P_{c}
,
H_{c}
) into
L_{H}
, then responds with
H_{c}
.
Reveal-query
: When the adversary
A
makes a
Reveal
(Π
^{m}_{c}
) query,
B
responds as follows. If Π
^{m}_{c}
is not accepted,
B
responds none. Otherwise,
B
examines the list
L_{h}
and responds with the corresponding
h_{i}
.
Send-query
: When the adversary
A
makes a
Send
(Π
^{m}_{c}
, “start”) query,
B
responds as follows. If Π
^{m}_{c}
= Π
^{m}
_{u}
,
B
sets
C
_{1}
←
Q
_{1}
, and randomly generates the values
C
_{2}
and
TU_{i}
, and responds with {
C
_{1}
,
C
_{2}
,
TU_{i}
}. Otherwise,
B
generates a random number
k
and computes
C
_{1}
=
kP
,
C
_{2}
=
w_{i}
⊕
kP_{pub}
and responds with {
C
_{1}
,
C
_{2}
,
TU_{i}
}, where
w_{i}
is generated by
B
. The simulation works correctly since
A
cannot distinguish whether
w_{i}
is valid or not unless
A
knows the
RC
’s private key.
When the adversary
A
makes a
Send
(Π
^{m}_{c}
, (
SID_{j}
,
C
_{1}
,
C
_{2}
,
C
_{3}
,
N_{j}
,
TU_{i}
,
aP
)) query,
B
responds as follows. If the Π
^{m}
_{c}
matches the Π
^{m}
_{u}
,
B
cancels the game. Otherwise,
B
computes
w_{i}
=
C
_{2}
⊕
H
(
P_{ru}
), where
P_{ru}
is generated in
Send
(Π
^{m}_{c}
, “start”). Then
B
responds the corresponding message according to the description of the proposed scheme.
When the adversary
A
makes a
Send
(Π
^{m}_{c}
, (
C
_{5}
,
N_{j}
,
TU_{i}
)) query,
B
responds as follows. If the Π
^{m}_{c}
matches the Π
^{m}_{S}
,
B
cancels the game. Otherwise,
B
computes
m
_{3}
^{*}
=
C
_{5}
⊕
H
(
_{pur}
) and then checks the
RC
. If so,
B
computes the session key
SK
=
h
(
h
(
ID_{i}
║
x
)║
h
(
SID_{j}
║
y
)║
TU_{i}
║
N_{j}
), where
h
(
SID_{j}
║
y
) is extracted from
m
_{3}
^{*}
, and
h
(
ID_{i}
║
x
) is extracted from
L_{h}
.
If the adversary
A
can violate a user to the
RC
authentication, it means that
A
can get the values of
h
(
ID_{i}
║
x
) and
R_{i}
=
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
x
) from the list
L_{h}
and then compute the values of
C
_{1}
and
C
_{2}
. In such case
B
can extract the corresponding
H_{c}
=
s
·(
kP
) in
L_{H}
using
Q
_{2}
=
P_{pub}
,
C
_{1}
=
kP
with non-negligible probability. Therefore, if the adversary
A
can violate a user to the
RC
authentication, then
B
is able to solve the CDH problem with non-negligible probability. It is a contradicting to the intractability of the CDH problem. In addition,
x
is the
RC
’s secret value and
h
is a secure hash function. Therefore, the probability that
A
can compute the value
R_{i}
=
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
x
) is negligible. From the above analysis, we can see that the probability that
A
can violate the user to the
RC
authentication is negligible.
If the adversary
A
can violate the server to
RC
authentication, it means that
A
can get
h
(
SID_{j}
⊕
y
) and
H_{c}
=
aP
from the lists
L_{h}
and
L_{H}
, respectively, and further computes
C
_{3}
=
m
_{1}
⊕
H
(
a
·
P_{pub}
) and makes a
Send
(Π
^{m}_{c}
, (
SID_{j}
,
C
_{1}
,
C
_{2}
,
C
_{3}
,
N_{j}
,
TU_{i}
,
aP
)) query. Then
B
must have made the corresponding
H_{c}
=
a
·(
P_{pub}
) =
s
·(
aP
) from the list
L_{H}
with non-negligible probability. Consequently,
B
is able to solve the CDH problem with non-negligible probability, which is a contradicting to the intractability of the CDH problem. Besides,
y
is the
RC
’s secret value that the adversary cannot obtain, the hash functions
h
and
H
are collision-resistant hash functions. Therefore, the probability that
A
can violate the server to the
RC
authentication is negligible.
If
B
is able to win such a game, then
B
must have made the corresponding
h
query of the form (
str_{i}
,
h_{i}
) to find the correct
h_{i}
(the session key) with non-negligible probability since
h
is a random oracle. The string
str_{i}
contains the values of
h
(
ID_{i}
║
x
),
h
(
SID_{j}
║
y
),
TU_{i}
and
N_{j}
. If
B
can get the value
h
(
ID_{i}
║
x
), it can find the corresponding
H_{c}
in
L_{H}
with the probability 1/
q_{H}
and output the corresponding
P_{c}
as a solution to the CDH problem. Therefore, if the adversary
A
can compute the correct session key with non-negligible probability
ε
, then the probability that
B
solves the CDH problem is
ε
/
q_{h}
·
q_{H}
. It is a contradicting to the intractability of the CDH problem.
TU_{i}
is used to resist this type of attack. After incepting the previous login request {
C
_{1}
,
C
_{2}
,
TU_{i}
} from the user
U_{i}
, the adversary may replay the same message to the service
S_{j}
. However, he/she cannot launch a replay attack. Since the time stamp
TU_{i}
is a parameter of the value
C
_{2}
, the replay attack can be filtered obviously by the server. After receiving the message {
C
_{1}
,
C
_{2}
,
TU_{i}
}, the server firstly checks the validity of time stamp
TU_{i}
. If the time stamp is not valid, the request will be rejected. If the adversary modifies the time stamp
TU_{i}
with a new time stamp
TU_{i}
^{*}
, he/she cannot compute the corresponding
C
_{2}
^{*}
without the knowledge of
H
(
k
·
P_{pub}
). Thus, the bogus
TU_{i}
^{*}
can be found by checking
C
_{2}
.
In addition, when an attacker replays the message {
SID_{j}
,
C
_{1}
,
C
_{2}
,
C
_{3}
,
N_{j}
,
TU_{i}
,
aP
} or {
C
_{5}
,
N_{j}
,
TU_{i}
} to impersonate as a legal server
S_{j}
, he/she has no capacity to compute the value
C
_{3}
or
C
_{5}
. In the proposed scheme, the values of
C
_{3}
and
C
_{5}
are computed as
C
_{3}
=
m
_{1}
⊕
H
(
a
·
P_{pub}
),
C
_{5}
=
m
_{3}
⊕
H
(
s
·
C
_{1}
). Since
N_{j}
is a parameter of
m
_{1}
and
m
_{3}
, any change of
N_{j}
can affect the values of
C
_{3}
and
C
_{5}
, indirectly. When the adversary modifies the value of
N_{j}
,
RC
or users can detect the replay attack immediately. From the above analysis, we can see that our scheme can resist replay attack.
U_{i}
’s smart card has been lost or stolen, so the attacker can breach the values {
V_{i}
,
H_{i}
,
R_{i}
,
b
,
h
(·),
H
(·),
E
,
P
} which are stored in the smart card. It is important to note that the adversary cannot get the
RC
’s secret value
x
, hence he/she cannot guess the
U_{i}
’s identity
ID_{i}
and password
PW_{i}
from the breached values in polynomial time since they are protected by a secure hash function. Consequently, the adversary cannot compute
h
(
b
⊕
PW_{i}
) and further compute the correct
w_{i}
=
TU_{i}
⊕(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
SID_{j}
║
R_{i}
). As a result, the adversary cannot use the lost or stolen smart card to carry out impersonation attack. From the above analysis, it can be seen that the proposed scheme effectively resists the stolen smart card attack.
RC
when he/she wants to use this authentication scheme. Then, the
RC
issues
U_{i}
a unique value
R_{i}
=
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
x
), where
x
is the
RC
’s secret value and
PW_{i}
is
U_{i}
’s password. If an adversary wants to impersonate as the user
U_{i}
to communicate with the
RC
, he/she cannot compute the correct
C
_{2}
without the knowledge of
R_{i}
. Thus, the attacker has no way to impersonate a legitimate user to make a request.
In addition, every server has a unique value
h
(
SID_{j}
⊕
y
) and only the
RC
knows all the servers’ authentication certificates. If an adversary wants to impersonate as the server to communicate with the
RC
, he/she cannot compute the correct
C
_{3}
without the authentication certificate of
h
(
SID_{j}
⊕
y
). Thus, the adversary cannot impersonate as a server to communicate with other entities. From the user’s or the server’s perspective, only the legal
RC
has the secret values
x
and
y
. Consequently, there is no way for an attacker to impersonate as the
RC
. From the above analysis, it can be seen that the proposed scheme can withstand this type of attack.
RC
via a secure channel. Therefore, other entities (including the adversary and other users) cannot obtain the user’s identity. In the login phase of the proposed scheme, the user
U_{i}
submits the message {
C
_{1}
,
C
_{2}
,
TU_{i}
} to the server
S_{j}
for authentication. However,
U_{i}
’s identity
ID_{i}
is contained in the value
C
_{2}
. The adversary cannot extract
U_{i}
’s identity without the knowledge of
H
(
P_{ur}
). In the authentication and session key agreement phase of the proposed scheme, the
RC
responds the message {
C
_{4}
,
C
_{5}
,
TU_{i}
} to the server
S_{j}
. The value
h
(
ID_{i}
║
x
) is contained in
C
_{4}
and
C
_{5}
, respectively. The adversary cannot extract
h
(
ID_{i}
║
x
) unless he/she gets the values of
H
(
s
·(
aP
)) and
H
(
P_{ru}
). In addition, since the time stamp
TU_{i}
is a parameter of the value
C
_{2}
,
C
_{2}
will be different for each session when the user logins to the system at different time. Therefore, the attacker cannot distinguish a certain user from different sessions. From the above analysis, it can be seen that our proposed protocol can provide user’s anonymity.
C
_{2}
,
C
_{3}
,
C
_{4}
, and
C
_{5}
are XORed by
H
(
P_{ur}
) and
H
(
a
·
P_{pub}
), respectively. Since the adversary cannot compute the values of
H
(
P_{ur}
) and
H
(
a
·
P_{pub}
), he/she cannot extract the detailed information (
ID_{i}
,
h
(
b
⊕
PW_{i}
),
h
(
SID_{j}
⊕
y
), etc.) from the values of
C
_{2}
,
C
_{3}
,
C
_{4}
, and
C
_{5}
. Thus, it is clear that the adversary cannot launch the man-in-the-middle attack to cheat the user or the server.
In
Table 2
, we summarize the computation cost of the proposed user authentication and key agreement scheme. The user’s terminal is a low-power computing device while the server and the
RC
are regarded as powerful devices. Since the authentication information contained by the user and the server (i.e.
R_{i}
=
h
(
ID_{i}
║
h
(
b
⊕
PW_{i}
)║
x
) and
h
(
SID_{j}
⊕
y
)) are protected by a secure hash function
h
(·), the
RC
needs only to compute several hash functions to authenticate the legality of both the user and the server. From
Table 2
, we can see that the user requires only 2
T_{mul}
+ 2
T_{h}
+
T_{H}
in login phase and 2
T_{h}
in authentication and key agreement phase. In authentication and key agreement phase, The
RC
and the server require only 2
T_{mul}
+ 5
T_{h}
+ 2
T_{H}
and
T_{mul}
+ 2
T_{h}
+
T_{H}
, respectively.
Computation costs of the proposed scheme
In order to present an objective and detailed comparison between our scheme and other related authentication schemes, we make the computation costs analysis on the basis of the implementation results in
[31]
. In
[31]
, The hardware platform is Philips HiPersmart card and Pentium IV offer maximum clock speeds of 36 MHz and 3 GHz, respectively. In order to provide adequate security, a popular and valid choice would be to use the elliptic curve
y
^{2}
=
x
^{3}
+
ax
+
b
defined on a finite field
F_{p}
with
p
= 512 bits and a large prime order
q
= 160 bits. All the operations are built with MIRACLE
[32]
, a standard cryptographic library.
Table 3
lists the experimental data for related pairing-based operations on the Philips HiPersmart card and on the Pentium IV processor, respectively.
Computational cost on the client side and the server side
In
Table 4
, we demonstrate the comparisons between our proposed scheme and the previously authentication schemes on elliptic curve cryptography in terms of the computation cost, the execution time and security properties. The execution time appeared in
Table 4
are measured based on the computational cost listed in
Table 3
. In
Table 4
, we assume that the execution time of the hash function
H
(·) used in our scheme is equal to
T_{h}
because
H
(·) can be constructed by the hash function
h
(·): Let
P_{i}
be a point over
E
, let
P_{x}
and
P_{y}
be the X-coordinate and the Y-coordinate of the point
P_{i}
, respectively. Then, we can construct
H
(·) as
H
(
P_{i}
) =
h
(
P_{x}
║
P_{y}
), where ║ is string concatenation operation. Therefore, we can see that
T_{H}
is equal to
T_{h}
. From
Table 4
, we can see that Yang and Chang’s scheme suffered from impersonation attack. Based on an overall consideration of efficiency and security, our scheme is better than the previously proposed schemes listed in
Table 4
. Therefore, the proposed scheme is more suitable for the mobile client server environments.
Comparisons between the previously proposed schemes and our scheme
The communication cost of the proposed scheme includes the exchange messages involved in the login and authentication phase. While, in the proposed authentication scheme, only the user’s terminal is a resource -constrained device. Thus, we do not consider the communication cost between the server and the
RC
. Therefore, the number of communication parameters includes {
C
_{1}
,
C
_{2}
,
TU_{i}
} and {
C
_{5}
,
N_{j}
,
TU_{i}
}. In order to provide adequate security, as mentioned above, we choose the elliptic curve
E
defined on a finite field
F_{p}
with
p
= 512 bits and a large prime order
q
= 160 bits. Thus, the bit-length of a point
P
is 1024 bits. Since the parameter
C
_{1}
is a point on the curve
E
, the bit-length of
C
_{1}
is 1024 bits, too. In addition, we set the bit-length of the time stamp (
TU_{i}
), the identity number (
ID_{i}
,
SID_{j}
) and the random number (
N_{j}
) are 32 bits, 128 bits and 128 bits, respectively. The bit-length of the hash functions
h
(·) and
H
(·) are 160 bits and 512 bits, respectively. Therefore, the communication cost {
C
_{1}
,
C
_{2}
,
TU_{i}
} and {
C
_{5}
,
N_{j}
,
TU_{i}
} is 1568 (1024+512+32) bits and 672 (512+128+32) bits, respectively. Therefore, the communication cost of the proposed scheme is 3264 bits, which is very small in practice. From the above analysis, we can see that the proposed scheme is well suited for mobile client server environment in term of the communication cost.
Junsong Zhang received his master’s degree in computer software and theory from Zhengzhou University (ZZU) in 2008 and Ph.D. degree in computer science and technology from Beijing University of Posts and Telecommunications (BUPT) in 2014. Dr. Zhang is a lecturer of Zhengzhou University of Light Industry (ZZULI). His research interests include information security and mobile network, etc.
Jian Ma was born in 1959, obtained his Ph.D degree at Helsinki University of Technology in 1994. He is now a professor of Beijing University of Posts and Telecommunications. His research interests span the area of mobile internet, mobile internet of things, wireless sensing network and social network analysis. He has published more than 300 papers in different journals and conferences.
Xiong Li received his master’s degree in mathematics and cryptography from Shaanxi Normal University (SNNU) in 2009 and Ph.D. degree in computer science and technology from Beijing University of Posts and Telecommunications (BUPT) in 2012. Dr. Li now is a lecturer of Hunan University of Science and Technology (HNUST). He has published more than 15 referred journal papers. His research interests include cryptography and information security, etc.
Wendong Wang received the B.S. and M.E. degrees, both in computer science, from Beijing University of Posts and Telecommunications (BUPT), Beijing, China in 1985 and 1991, respectively. He is currently a professor of State Key Lab of Networking and Switching Technology at BUPT. His research interests are IP QoS, next generation Internet, and next generation internet services.

1. Introduction

2. Preliminaries

In this section, we briefly introduce the basic concepts of the elliptic curve and its related mathematical properties. The elliptic curve cryptography (ECC) was first proposed by Miller and Koblitz (1985), respectively. The security of ECC is dependent on the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP). Due to the difficulty in breaking its encryption, Elliptic Curve Cryptography can provide the same level of RSA encryption at a greatly reduced bit size
[26]
[27]
.
- 2.1 Elliptic Curve Cryptography (ECC)

Let
PPT Slide

Lager Image

- 2.2 Computational Problems

To prove the security of our proposed protocol, we present some important mathematical properties of ECC as follows.
Definition 1. Elliptic Curve Discrete Logarithm Problem (ECDL Problem): Given an elliptic curve
- 2.3 Hash function

Hash function
[29]
is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, and it is easy to compute on every input but hard to compute the input from a given output. Here "easy" and "hard" are to be understood in the sense of computational complexity theory. The one-way hash function has the following properties.
- • The hash function can be applied to a data block of all sizes.
- • For any given inputx, it is esay to compute the output.
- • It is infeasible to derivingxfrom the given valuey=h(x).
- • It is infeasible to find two different inputs with the same output.
- • It is infeasible to find two different inputs with the same output.

3. The Proposed Scheme

In this section, we propose a novel authentication scheme using ECC to avoid various attacks. ECC is one of the most efficient public key systems nowadays. It has been shown that the ECC has been proven to be successful on the limited hardware
[30]
. The main idea of the proposed scheme is using the ECC in combination with a secure hash function to encrypt the exchange messages among the user, the server and the registration center (
PPT Slide

Lager Image

List of notations

PPT Slide

Lager Image

- 3.1 System Initialization

Without loss of generality, it is assumed that the multi-server environment includes three kinds of participants: a trusted registration center (
- 3.2 The Registration Phase

When a user
- 3.3 The Login Phase

When the user
- 3.4 The Authentication and Session Key Agreement Phase

Step A1.
- 3.5 The Password Change Phase

This phase is invoked whenever
4. Security Analysis of the Proposed Scheme

In this section, we use the random oracle model to analyze the security of our scheme. The random oracle model is often used to verify the security of the key establishment protocol or the signature scheme. In the model, each participant appeared in the authentication and key agreement scheme is treated as an oracle, and the adversary can access these oracles by sending some queries.
- 4.1 Adversarial Model

In this section, we define the adversarial model of a mutual authentication and key agreement protocol. Readers can refer to
[33]
to get the detailed descriptions about the following definitions. Assume that the multi-server environment contains three types of participants:
- 4.2 Security Analysis

In this subsection, we first demonstrate that the proposed scheme can achieve the secure authentication and key agreement under the random oracle model. Then, we analyze the other security properties about the proposed scheme.
- 4.2.1 Formal analysis under the random oracle model

In this subsection, we show that the proposed scheme can provide the secure authentication and key agreement under the computational Diffie-Hellman problem (CDH) assumption.
- 4.2.2 Other security features

- •Replay attack

A replay attack is a form of network attack where an authentication session is replayed by an attacker to fool a computer into granting access. In the proposed scheme, the time stamp
- •Stolen smart card attack

We assume that the user
- •Impersonation attack

In the proposed scheme, every legal user must be registered in the
- •User’s anonymity

In the registration phase and password change phase of our authentication scheme, the user communicates with the
- •Man-in-the-middle attack

A man-in-the-middle attack would be able to successfully only when the attacker can impersonate each party to cheat other parties. In the proposed scheme, the exchange values
5. Performance Evaluation

In this section, we evaluate the performance of our scheme and compare it with other related authentication schemes. It is generally known that most of the mobile devices have limited power resources and computing capability. Therefore, one of the most important concerns of design authentication scheme in mobile environment is power consumption (include computation cost and communication cost). We first evaluate the computational cost and then focus on the communication cost of the proposed scheme. Since exclusive-OR operation requires extremely small computational cost, we neglect its computation cost.
For the convenience of evaluating the computational cost, we define some notations as follows.
- •Tmul: The time of executing a scalar multiplication operation of point.
- •Tadd: The time of executing an addition operation of points.
- •Tpair: The time of executing a bilinear pairing operation.
- •Th: The time of executing a one-way hash function.
- •Tmtph: The time of executing a map-to-point hash function.
- •TH: The time of executing a hash functionH(·) used in this paper.
- •Texp: The time of executing a modular exponential operation.

Computation costs of the proposed scheme

PPT Slide

Lager Image

Computational cost on the client side and the server side

PPT Slide

Lager Image

Comparisons between the previously proposed schemes and our scheme

PPT Slide

Lager Image

6. Conclusion

In this paper, we proposed a secure and efficient ECC-based authentication and key agreement scheme for multi-server environments and low-power mobile devices. Under the CDH problem assumption and the random oracle model, we demonstrated that the proposed scheme is secure against impersonation attack and provides the session key protection. Then, we analyze some other security features about our scheme such as replay attack and stolen smart card attack. According to the comparisons in Section 5, the proposed scheme is more efficient and practical than the other related authentication schemes, and is more suitable for multi-server environment with low-power devices.
Acknowledgements

The authors are grateful to the editor and anonymous reviewers for their valuable suggestions which improved this paper. This research was partially supported by Foundation of China and National High-Tech (863) Programs Grant No. 2011AA01A101, the National Natural Science Foundation of China under Grant No. 61300220 & 61271041, the National Major Science and Technology Special Project of China under Grant No.2012ZX03005008, and FP7 Integrated Project iCore (Internet Connected Objects for Reconfigurable Eco-systems) under Grant No. 287708.

BIO

Lamport L.
1981
“Password authentication with insecure communication”
Communication of ACM
Article (CrossRef Link)
24
770 -
772
** DOI : 10.1145/358790.358797**

Horng G.
1995
“Password authentication without using password table”
Information Processing Letters
Article (CrossRef Link)
55
(5)
247 -
250
** DOI : 10.1016/0020-0190(95)00087-S**

Jan J. K.
,
Chen Y. Y.
1998
“Paramita Wisdom password authentication scheme without verification tables”
The Journal of Systems and Software
Article (CrossRef Link)
42
(1)
45 -
57
** DOI : 10.1016/S0164-1212(98)00006-5**

Liao Y. P.
,
Hsiao C. M.
2013
“A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients”
Future Generation Computer Systems
Article (CrossRef Link)
29
(3)
886 -
900
** DOI : 10.1016/j.future.2012.03.017**

He D.
,
Chen J. H.
,
Hu J.
2012
“An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security”
Information Fusion
Article (CrossRef Link)
13
(3)
223 -
230
** DOI : 10.1016/j.inffus.2011.01.001**

Hwang M. S.
,
Chong S. K.
,
Chen T. Y.
2010
“DoS-resistant ID-based password authentication scheme using smart cards”
Journal of Systems and Software
Article (CrossRef Link)
83
(1)
163 -
172
** DOI : 10.1016/j.jss.2009.07.050**

Song R. G.
2010
“Advanced smart card based password authentication protocol”
Computer Standards & Interfaces
Article (CrossRef Link)
32
(5-6)
321 -
325
** DOI : 10.1016/j.csi.2010.03.008**

Li X.
,
Niu J. W.
,
Khan M.K.
,
Liao J. G.
2013
“An enhanced smart card based remote user password authentication scheme”
Journal of Network and Computer Applications
Article (CrossRef Link)
36
(5)
1365 -
1371
** DOI : 10.1016/j.jnca.2013.02.034**

Li L. H.
,
Lin L. C.
,
Hwang M. S.
2001
“A remote password authentication scheme for multi-server architecture using neural networks”
IEEE Transactions on Neural Networks
Article (CrossRef Link)
12
(6)
1498 -
504
** DOI : 10.1109/72.963786**

Juang W. S.
2004
“Efficient multi-server password authenticated key agreement using smart cards”
IEEE Transaction on Consumer Electronics
Article (CrossRef Link)
50
(1)
251 -
255
** DOI : 10.1109/TCE.2004.1277870**

Chang C. C.
,
Lee J. S.
2004
“An efficient and secure multi-server password authentication scheme using smart cards”
in Proc. of the third international conference on cyberworlds
November
Article (CrossRef Link)
417 -
22

Tsai J. L.
2008
“Efficient multi-server authentication scheme based on one-way hash function without verification table”
Computers & Security
Article (CrossRef Link)
27
(3-4)
115 -
21
** DOI : 10.1016/j.cose.2008.04.001**

Liao Y. P.
,
Wang S. S.
2009
“A secure dynamic ID based remote user authentication scheme for multi-server environment”
Computer Standard & Interfaces
Article (CrossRef Link)
31
(1)
24 -
29
** DOI : 10.1016/j.csi.2007.10.007**

Hsiang H. C.
,
Shih W. K.
2009
“Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment”
Computer Standards & Interfaces
Article (CrossRef Link)
31
(6)
1118 -
1123
** DOI : 10.1016/j.csi.2008.11.002**

Lee C. C.
,
Lin T. H.
,
Chang R. X.
2011
“A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards”
Expert Systems with Applications
Article (CrossRef Link)
38
(11)
13863 -
13870

Sood S. K.
,
Sarje A. K.
,
Singh K.
2011
“A secure dynamic identity based authentication protocol for multi-server architecture”
Journal of Network and Computer Applications
Article (CrossRef Link)
34
(2)
609 -
618
** DOI : 10.1016/j.jnca.2010.11.011**

Chuang Y. H.
,
Tseng Y. M.
2012
“Towards generalized ID-based user authentication for mobile multi-server environment”
International Journal of Communication System
Article (CrossRef Link)
25
(4)
447 -
460
** DOI : 10.1002/dac.1268**

Li X.
,
Ma J.
,
Wang W. D.
,
Xiong Y. P.
,
Zhang J. S.
2013
“A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments”
Mathematical and Computer Modelling
Article (CrossRef Link)
58
(1-2)
85 -
95
** DOI : 10.1016/j.mcm.2012.06.033**

Li X.
,
Xiong Y. P.
,
Ma J.
,
Wang W. D.
2012
“An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards”
Journal of Network and Computer Applications
Article (CrossRef Link)
35
(2)
763 -
769
** DOI : 10.1016/j.jnca.2011.11.009**

Li C.
,
Lee C.
,
Weng C.
,
Fan C.
2013
“An Extended Multi-Server-Based User Authentication and Key Agreement Scheme with User Anonymity”
KSII Transactions on Internet & Information Systems
Article (CrossRef Link)
7
(1)
119 -
131
** DOI : 10.3837/tiis.2013.01.008**

Li X.
,
Zhang Y.
,
Liu X.
,
Cao J.
2013
“A Lightweight Three-Party Privacy-preserving Authentication Key Exchange Protocol Using Smart Card”
KSII Transactions on Internet & Information Systems
Article (CrossRef Link)
7
(5)
1313 -
1327
** DOI : 10.3837/tiis.2013.05.021**

Nam J.
,
Choo K.K.R.
,
Kim M.
,
Paik J.
,
Won D.
2013
“Dictionary Attacks against Password-Based Authenticated Three-Party Key Exchange Protocols”
KSII Transactions on Internet & Information Systems
Article (CrossRef Link)
7
(12)
3244 -
3260
** DOI : 10.3837/tiis.2013.12.016**

Das M. L.
,
Saxena A.
,
Gulati V. P.
,
Phatak D. B.
2006
“A novel remote client authentication protocol using bilinear pairings”
Computer and Security
Article (CrossRef Link)
25
(3)
184 -
189
** DOI : 10.1016/j.cose.2005.09.002**

Fang G. F.
,
Huang G. X.
“Improvement of recently proposed Remote User Authentication Schemes”
http://eprint.iacr.org/2006/200

Giri D.
,
Srivastava P.D.
“An improved remote client authentication protocol with smart cards using bilinear pairings”
http://eprint.iacr.org/2006/274

Yang J.
,
Chang C.
2009
“An ID-based remote mutual authentication with key agreement protocol for mobile devices on elliptic curve cryptosystem”
Computers and Security
Article (CrossRef Link)
28
(3-4)
138 -
143
** DOI : 10.1016/j.cose.2008.11.008**

Hankerson D.
,
Menezes A.
,
Vanstone S.
2004
Guide to Elliptic Curve Cryptography
Springer
New York
http://dl.acm.org/citation.cfm?id=940321

Li F.
,
Xin X.
,
Hu Y.
2008
“Identity-based broadcast signcryption”
Computer Standard and Interfaces
Article (CrossRef Link)
30
(1-2)
89 -
94
** DOI : 10.1016/j.csi.2007.08.005**

Rogaway P.
,
Shrimpton T.
2004
“Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance”
Lecture Notes in Computer Science
Article (CrossRef Link)
3017
371 -
388

David J. M.
,
Matt W.
,
Michael D. S.
2008
“Implementing Public-Key Infrastructure for Sensor Networks”
ACM Transactions on Sensor Networks
Article (CrossRef Link)
4
(4)
1 -
23

Scott M.
,
Costigan N.
,
Abdulwahab W.
2006
“Implementing cryptographic pairings on smartcards”
Springer-Verlag
in Proc. of Cryptographic Hardware and Embedded Systems - CHES 2006
LNCS, vol. 4249, Article (CrossRef Link)
134 -
147

Shamus Software
http://www.shamus.ie/index.php.

Bellare M.
,
Pointcheval D.
,
Rogaway P.
2000
“Authenticated key agreement secure against dictionary attacks”
Springer-Verlag
in Proc. of the Advances in Cryptology - EUROCRYPT 2000
LNCS, vol. 1807, Article (CrossRef Link)
139 -
155

Citing 'A Secure and Efficient Remote User Authentication Scheme for Multi-server Environments Using ECC
'

@article{ E1KOBZ_2014_v8n8_2930}
,title={A Secure and Efficient Remote User Authentication Scheme for Multi-server Environments Using ECC}
,volume={8}
, url={http://dx.doi.org/10.3837/tiis.2014.08.021}, DOI={10.3837/tiis.2014.08.021}
, number= {8}
, journal={KSII Transactions on Internet and Information Systems (TIIS)}
, publisher={Korean Society for Internet Information}
, author={Zhang, Junsong
and
Ma, Jian
and
Li, Xiong
and
Wang, Wendong}
, year={2014}
, month={Aug}