Towards Smart Card Based Mutual Authentication Schemes in Cloud Computing
KSII Transactions on Internet and Information Systems (TIIS). 2015. Jul, 9(7): 2719-2735
Copyright © 2015, Korean Society For Internet Information
  • Received : January 06, 2015
  • Accepted : April 19, 2015
  • Published : July 31, 2015
About the Authors
Haoxing Li
State Key Laboratory of Integrated Services Networks, Xidian University, Shaanxi, Xi’an, China
Fenghua Li
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Chenggen Song
Institute of Information Security, Beijing Electronic Science and Technology Institute, Beijing, China
Yalong Yan
Institute of Information Security, Beijing Electronic Science and Technology Institute, Beijing, China

Abstract
In the cloud environment, users pay close attention to the security of their data, since all of it is stored on the cloud server. Researchers have proposed many smart-card-based mutual authentication schemes for access control to the cloud server in order to protect sensitive data. However, few of them resist the smart card lost problem and provide both forward security and backward security. In this paper, we propose a novel authentication scheme for cloud computing which addresses these problems and also provides anonymity for the user. The trick we use is to combine the password, the smart card and public key techniques to protect the user's authentication and key exchange. Under the Elliptic Curve Diffie-Hellman (ECDH) assumption, it is provably secure in the random oracle model. Compared with the existing smart card based authentication schemes in cloud computing, the proposed scheme provides a higher degree of security.
1. Introduction
Cloud computing is a new technology which has been a hot topic in the past decade in both academia and industry. On one hand, users can take advantage of the cloud server to accomplish complicated computations that cannot be processed locally. On the other hand, users can store a large amount of data on the cloud server to save their own storage space [1]. Therefore, individuals and especially companies are interested in outsourcing services to a cloud service provider in order to reduce the cost of management and deployment. Many international firms have established cloud platforms and offer cloud computing services to Internet users, such as Google App Engine, Microsoft Windows Azure, Amazon Web Services and IBM SmartCloud.
However, users of these cloud computing services pay much attention to the security of their data, since the data are held by the cloud server. The security issues that individuals or companies are concerned about in the cloud environment include access control, data integrity, data confidentiality, authentication and authorization [2]. Among them, authentication is fundamental: without a secure authentication scheme, the user's data can be obtained by an illegitimate party. Authentication between the user and the cloud server not only guarantees that the data can be accessed by legitimate users but also excludes malicious visitors. So when using a cloud service, authentication between the user and the server should be considered first.
Authentication is the first step when a user accesses his cloud data, and it is important for the authorized user to obtain his service safely and smoothly. Authentication schemes using a smart card provide more convenience and security for the user than other schemes: on one hand, users do not need to remember a long secret value, as they would with a public key mechanism; on the other hand, a smart card provides stronger security properties than schemes using only a password [3]. So many smart-card-based authentication schemes have been proposed for cloud computing. However, many of them cannot resist the smart card lost attack. Meanwhile, few of them consider forward and backward security, since these cannot be implemented easily. Yet these two properties are important. We do not know what will happen in the future: if an adversary later obtains all of our secrets and recovers a conversation encrypted under the session key of an old session, or obtains a conversation encrypted under the session key of a new session, that is a serious threat to us.
So obtaining an authentication scheme for cloud computing that both resists the smart card lost attack and provides forward and backward security is a challenge for researchers. Because public key techniques are not used in these authentication schemes, they cannot provide strong security when the smart card is lost. Halevi and Krawczyk [4] have pointed out that public key techniques are unavoidable for password protocols that resist off-line dictionary attacks. Following this rule, in this paper we propose a new smart-card-based authentication scheme for cloud computing. In the new scheme, even if the smart card is lost, the authentication remains secure. Meanwhile, the new scheme also provides anonymity for the user and the properties of forward and backward security. Under the ECDH assumption, the new scheme is provably secure in the random oracle model. The communication framework is also well suited to mobile cloud computing, a hot topic in next-generation communication, since both use three-level authentication.
In Section 2, we review previous work on smart-card-based authentication schemes in cloud computing. In Section 3, we give a security model for authentication schemes using smart cards. In Section 4, we present the new scheme. We then give the security analysis and the performance of the proposed scheme in Section 5. Finally, in Section 6 we conclude the paper and discuss future work.
2. Related Work
Authentication schemes between the user and the server were based on the password technique in the early stage [5-6]. However, there are two drawbacks to this method. On one hand, users' passwords are short and are often chosen from names or numbers they frequently use, so they can be guessed by an attacker, i.e., the authentication schemes are vulnerable to the dictionary attack [7]. On the other hand, in such a scenario all the users' passwords are stored on the server; once the server is compromised, all of them are revealed. In order to address these problems, authentication using a password and a smart card was proposed [3, 8]. In such schemes, the user owns a password and a smart card, and can log in to the server only if both the password and the smart card are correct. Many smart-card-based authentication schemes have been presented for the cloud environment [9-16].
Choudhury et al. proposed a strong user authentication framework for cloud computing [9]. A new method, Out-of-Band (OOB) authentication combined with smart card and password authentication, was used in [9]. However, Chen and Jiang found security weaknesses in Choudhury et al.'s scheme [10]: a masquerading attack and an OOB attack are possible in [9] if the user's smart card is lost. Chen and Jiang then proposed an improved user authentication framework for cloud computing [10]. However, the improved scheme is not secure either. When the attacker obtains the information in the smart card, he can launch an offline dictionary attack. Because the user's messages are protected only by the password and the information stored in the smart card, the scheme is vulnerable to the offline dictionary attack once the smart card is lost: the attacker reads the information stored in the smart card, guesses the user's password, and verifies the guess against the authentication messages sent to the cloud server. The same attack applies to Jiang's authentication scheme for cloud computing [11]. Han et al. proposed a scheme for data confidentiality in cloud computing for wireless body area networks, which further extends the application of cloud computing [12].
Different from the schemes mentioned above, Nimmy and Sethumadhavan proposed a mutual authentication scheme for cloud computing using secret sharing [13]. The server splits the user's credential into two shares, one stored in the smart card and the other stored on the server. It seems that only by obtaining both shares can the credential be recovered. However, the server still depends on the information stored in the smart card to verify the user's identity, so an adversary who obtains the smart card can still launch an offline dictionary attack and impersonate the user to access the cloud. The secret-sharing method therefore provides no additional security. In order to reduce the time spent on authentication, Hao et al. proposed a time-bound ticket-based mutual authentication scheme for the cloud environment using smart cards [14]. The advantage of Hao et al.'s scheme is that the server issues a certain number of digital tickets to the user; the user spends one ticket per data verification, which saves authentication time since the user's data verification frequency is reduced. However, although Hao et al. claimed that the scheme was secure, Pippal et al. found that it was vulnerable to a Denial-of-Service attack and that its password change phase was insecure [15]. To remedy these weaknesses, Pippal et al. proposed an enhancement to Hao et al.'s scheme. The trick used in [15] is that the smart card verifies both the password and the user's identifier on the user side before sending the authentication message to the cloud server. If the smart card is a tamper-resistant device, this trick is helpful. However, most smart cards are not tamper resistant, for two reasons: tamper-resistant smart cards are expensive, and the parameters in such cards can still be extracted by side-channel attacks [16].
Using a tamper-resistant smart card to address the authentication problem between the user and the server is therefore not a good choice. Huang et al. proposed a robust, privacy-protecting authentication scheme for cloud computing using a trusted third party [17], without relying on a tamper-resistant smart card. The scheme is secure and also performs well. The only doubtful point is the reliability and complexity of introducing the trusted party. Meanwhile, forward security and backward security are not considered in [17].
3. Security Model
The security model we use is based on the models proposed by Bellare et al. [6] and Zhou et al. [18], respectively. In the model, there are three entities: the user U, the server S and the adversary. The user owns his password and a smart card issued by the server. The server owns its private information and the user's registration information. The adversary controls all communication between the user and the server. The ability of the adversary is defined by the queries it may make to protocol instances; one execution of the protocol is called an instance. The queries the adversary can ask are as follows:
Execute query (on an instance of U and an instance of S): This query models passive attacks. The adversary obtains the protocol flows between the two instances by eavesdropping. The output of this query is an honest execution of the protocol.
Send query (to an instance of U or of S, with a message m): This query models active attacks. The adversary, impersonating U (or S), sends a message m to the instance. The output of this query is the response generated by the instance after it processes m according to the protocol.
Reveal query (to an instance of U or of S): This query models misuse of the session key, i.e., the known key attack. The output of this query is the session key of the queried instance. It can only be asked when the instance actually holds a session key.
Corrupt(U, password): The output of this query is the password of the user.
Corrupt(U, smart card): The output of this query is the secret information stored in the smart card.
Test query (to an instance of U or of S): The semantic security of the session key is modeled by this query. The adversary chooses a session as the Test session and asks the Test query on it. The query is answered as follows: one flips a coin b; if b = 1 it outputs the session key skUS to the adversary; if b = 0, it outputs a random value chosen from the session key space. This query can only be asked of a fresh instance, and at most once. An instance is fresh if: (1) it has not been asked a Reveal query; (2) the instance that has a matching conversation with it has not been asked a Reveal query either.
AKE (Authenticated Key Exchange) Security. The privacy of the session key is modeled by a game between the adversary and a simulator. The simulator simulates the protocol for the adversary and answers the queries the adversary asks. After asking a Test query, the adversary must output a bit b'. The aim of the adversary is to correctly guess the bit b of the Test session. The protocol P is said to be AKE-secure if for any polynomial time adversary the following inequality holds:
[equation image not recovered]
where qsend is the number of Send queries, N is the size of the password dictionary and neg(l) is a negligible value.
4. A New Authentication Scheme for Cloud Computing Using Smart Card
In this section we propose a new smart-card-based authentication scheme for cloud computing. We first give the authentication structure of the cloud computing setting we use in Fig. 1.
Fig. 1. Authentication structure of the cloud computing used in this paper
As shown in Fig. 1, there are three kinds of entities in the scheme: a cloud user A, some cloud servers CSi and a service provider SP. We assume SP is a trusted third party and the CSi are semi-trusted servers, i.e., honest but curious: they do not launch active attacks but they are curious about the user's password. When the user wants to obtain the cloud service, he needs to register with the service provider. SP issues a credential to the user over a secure channel. SP does not provide service to the user directly; it administrates a group of cloud servers {CS1, CS2, ..., CSn}, which provide service to the user directly, such as storing sensitive data or performing complex computations. There is a secure channel between each CSi and SP. However, when the user logs in to a cloud server, the cloud server cannot authenticate the user alone: authentication between the user and CSi must be completed with the help of SP.
Let us consider a realistic example in cloud computing to show the problem we want to solve. A cloud user has registered with a service provider SP and owns his password and smart card. In order to reduce the burden on SP and avoid a single point of failure, SP delegates some of the service to certain cloud servers CSi, so some of the service is now provided by CSi. Unfortunately, the user's smart card is lost one day. In this case, how can the user trust that his data stored in CSi is still secure if the attacker has his smart card but not his password? In this paper, we propose a new smart-card-based authentication scheme to answer this question.
The new authentication scheme comprises three phases: the registration phase, the authentication and key exchange phase, and the password-changing phase. The first and third are similar to those of existing schemes [14-15]; the innovation is in the second. Firstly, we introduce the three-level authentication model into cloud computing, which differs from the approach of other cloud authentication schemes [8-16]. The advantage of the three-level model is twofold: on one hand, it is easier to convert static authentication schemes into dynamic ones within the three-level model since they share the same framework, i.e., the scheme can more easily evolve into a roaming authentication for cloud computing; on the other hand, the new scheme distributes the computation and communication burden of the service provider to the cloud servers. This avoids the situation where a large number of connection requests arrive at the service provider, which may then be unable to handle them in time, causing delays for users. Secondly, we use a new trick in the authentication scheme: the ECDH problem is used to establish a secure key between the user and the service provider, and this key is then used to encrypt the user's credential, complete the authentication, and generate a new session key between the user and the cloud server. This trick is what makes the scheme resist the smart card lost attack. Thirdly, we build forward and backward security into the scheme, which keeps sessions secure even if the long-term secrets of the user and the server are corrupted.
The notations we use are listed in Table 1. Note that we do not define the hash function in detail; we simply use h(·) to denote a class of cryptographically secure hash functions.
Table 1. Notations (table image not recovered)
- 4.1 Registration Phase
The registration phase takes place between the user and the cloud service provider. When a user wants to obtain the cloud service, he needs to register with the service provider SP. Fig. 2 shows the details of the registration phase.
Fig. 2. The registration phase
Step 1. User A first selects PWA as his password. Then, in order to increase the entropy of PWA, A chooses a random value r and computes h(PWA || r). A sends {IDA, h(PWA || r)} to the service provider through a secure channel.
Step 2. On receiving the message, SP selects a random value R ∈ {0,1}^64 and creates a credential CA = h(s || IDA || R) ⊕ h(PWA || r) for A. SP stores the value R in its data space and issues a smart card containing {IDA, CA} to A.
Step 3. On receiving the smart card, A embeds r into it. The information in the smart card is now {IDA, r, CA}.
- 4.2 Authentication and Key Exchange Phase
When the user wants to obtain the cloud service, he needs to complete a mutual authentication and key exchange with the i-th cloud server CSi. Fig. 3 shows the details of the authentication and key exchange phase.
Fig. 3. The authentication phase of the proposed protocol
Step 1. A → CSi
User A inserts his smart card and inputs his password PWA. Then, he selects two random values a and r1. A computes K = h(asP) and MA = h(K || r1) ⊕ IDA, and recovers the secret value XA = h(PWA || r) ⊕ CA. Then, A computes the authentication message NA = h(K || r1 || XA) and sends {aP, r1, MA, NA} to the cloud server CSi.
Step 2. CSi → SP
On receiving {aP, r1, MA, NA}, CSi selects a random value b and computes MCSi = EKCSi-SP(aP, bP, r1, MA, NA). Then, CSi sends {IDCSi, MCSi} to the service provider SP.
Step 3. SP → CSi
On receiving {IDCSi, MCSi}, SP first decrypts MCSi and obtains {aP, bP, r1, MA, NA}. Then, SP computes K = h(saP) and obtains the identity of the user as IDA = h(K || r1) ⊕ MA. SP computes XA = h(s || IDA || R) from the user's identity IDA and the stored R. After that, SP verifies whether NA = h(K || r1 || XA) holds. If it does not, SP rejects the request and requires the user to send the messages again. Otherwise, SP selects a random value s1 and computes its authentication message AuthSP = h(K || s1 || aP || bP) and MSP = EKCSi-SP(IDA, aP, bP, s1, AuthSP). SP sends MSP to CSi.
Step 4. CSi → A
On receiving MSP, CSi first decrypts MSP and obtains {IDA, aP, bP, s1, AuthSP}. Then CSi verifies whether bP equals the value it chose in Step 2. If not, CSi rejects it. Otherwise, CSi computes its authentication message AuthCSi = h(abP || bP || IDCSi) and the session key between CSi and A, KCSi-A = h(abP || aP || bP || IDA || IDCSi). CSi sends {IDCSi, bP, s1, AuthSP, AuthCSi} to A.
Step 5. On receiving the messages from CSi, user A verifies whether AuthSP = h(K || s1 || aP || bP) and AuthCSi = h(abP || bP || IDCSi) hold. If either fails, user A rejects them. Otherwise, A computes the session key between A and CSi, KCSi-A = h(abP || aP || bP || IDA || IDCSi).
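As an added example (this is not code from the paper or its authors), the following Python traces the registration phase of Section 4.1 and the five steps of Section 4.2 end to end, with secp256k1 as the group and SHA-256 as h(·). Two assumptions are made for the parts the paper leaves abstract: EKCSi-SP is modelled as an HMAC-tagged envelope (the paper only assumes a shared key over a secure channel), and identities are padded to 32 bytes so that MA = h(K || r1) ⊕ IDA is well defined; all sample values are constructed.

```python
import hashlib, hmac, os

# secp256k1 (a real curve). The point arithmetic is textbook double-and-add, not
# constant-time: enough to trace the protocol, not a production ECDH implementation.
P_MOD = 2**256 - 2**32 - 977
Q_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                    # point at infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def pb(pt):                                            # point -> 64 bytes (x || y)
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(*parts):
    """The paper's h(.): SHA-256 over the '||'-concatenation of the arguments."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rand_scalar():
    return 1 + int.from_bytes(os.urandom(32), "big") % (Q_ORD - 1)

def E(key, *fields):
    """Stand-in for E_K on the CSi-SP link (assumption): the fields plus an HMAC tag.
    Confidentiality of that link is the paper's secure-channel assumption."""
    return fields, hmac.new(key, b"".join(fields), hashlib.sha256).digest()

def D(key, blob):
    fields, tag = blob
    if not hmac.compare_digest(tag, hmac.new(key, b"".join(fields), hashlib.sha256).digest()):
        raise ValueError("E_K integrity check failed")
    return fields

# ---- 4.1 Registration with constructed sample data (secure channel assumed) ----
s = rand_scalar(); sP = ec_mul(s, G)                   # SP's long-term secret s; sP is public
K_CS_SP = os.urandom(32)                               # key shared by CSi and SP
ID_CS = b"cloud-server-1".ljust(32, b"\0")             # identities padded to 32 bytes so
ID_A = b"alice".ljust(32, b"\0")                       # that MA = h(K||r1) XOR IDA is defined
PW_A, r, R = b"correct horse", os.urandom(32), os.urandom(8)   # R in {0,1}^64
C_A = xor(h(s.to_bytes(32, "big"), ID_A, R), h(PW_A, r))
sp_db = {ID_A: R}                                      # SP keeps R per registered user
card = {"ID": ID_A, "r": r, "C": C_A}                   # smart card contents {IDA, r, CA}

def run(pw_typed):
    """One run of Section 4.2 with the password the user types; session key or None."""
    # Step 1. A -> CSi : {aP, r1, MA, NA}
    a, r1 = rand_scalar(), os.urandom(32)
    aP = ec_mul(a, G)
    K = h(pb(ec_mul(a, sP)))
    MA = xor(h(K, r1), card["ID"])
    XA = xor(h(pw_typed, card["r"]), card["C"])         # equals h(s||IDA||R) iff password right
    NA = h(K, r1, XA)
    # Step 2. CSi -> SP : {IDCSi, MCSi}
    b = rand_scalar(); bP = ec_mul(b, G)
    M_CS = E(K_CS_SP, pb(aP), pb(bP), r1, MA, NA)
    # Step 3. SP -> CSi : MSP. SP recomputes K from s and aP; it never sees the password.
    aP_b, bP_b, r1_, MA_, NA_ = D(K_CS_SP, M_CS)
    aP_pt = (int.from_bytes(aP_b[:32], "big"), int.from_bytes(aP_b[32:], "big"))
    K_sp = h(pb(ec_mul(s, aP_pt)))
    ID_ = xor(h(K_sp, r1_), MA_)
    if ID_ not in sp_db or NA_ != h(K_sp, r1_, h(s.to_bytes(32, "big"), ID_, sp_db[ID_])):
        return None                                    # wrong password or card data: rejected
    s1 = os.urandom(32)
    Auth_SP = h(K_sp, s1, aP_b, bP_b)
    M_SP = E(K_CS_SP, ID_, aP_b, bP_b, s1, Auth_SP)
    # Step 4. CSi -> A : {IDCSi, bP, s1, AuthSP, AuthCSi}
    ID_A_, aP2, bP2, s1_, Auth_SP_ = D(K_CS_SP, M_SP)
    if bP2 != pb(bP):
        return None                                    # SP answered for a different bP
    abP_cs = pb(ec_mul(b, aP))
    Auth_CS = h(abP_cs, bP2, ID_CS)
    key_cs = h(abP_cs, aP2, bP2, ID_A_, ID_CS)
    # Step 5. A checks AuthSP (binds aP, bP to K) and AuthCSi, then derives the same key
    abP_a = pb(ec_mul(a, bP))
    if Auth_SP_ != h(K, s1_, pb(aP), bP2) or Auth_CS != h(abP_a, bP2, ID_CS):
        return None
    key_a = h(abP_a, pb(aP), bP2, card["ID"], ID_CS)
    return key_a if key_a == key_cs else None
```

A caller holding the card contents but typing a wrong password is rejected at SP in Step 3, and nothing in {aP, r1, MA, NA} lets the holder check a guess without SP, since K needs a or s.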
- 4.3 Password-changing Phase
If the user wants to change his password, he needs to go through the authentication phase first. That is, to change the password the user must have the old password in hand as well as the smart card. After a successful authentication, the user A shares the secret information h(K || s1) with SP. Then, A inputs his new password PWnew, selects a random value r' and submits Eh(K||s1)(IDA, h(PWnew || r')) to the cloud service provider. On receiving the message, SP decrypts it and obtains the new password information of A. Then, SP selects another random value R' ∈ {0,1}^64 and creates a new credential CA' = h(s || IDA || R') ⊕ h(PWnew || r') for A. SP sends Eh(K||s1)(IDA, CA') to A. A decrypts it and updates the information in the smart card to {IDA, CA', r'}.
5. Security and Performance Analysis
- 5.1 Security Analysis
We analyze the security of the proposed authentication and key exchange protocol in the model of Section 3. The security of the scheme is based on the Elliptic Curve Computational Diffie-Hellman (ECDH) assumption. We first summarize the proof to give readers a clear picture. The proof is based on a sequence of security games between the adversary and a simulator who simulates the protocol for the adversary. The simulator revises the games one by one and embeds an ECDH instance into the protocol in the last game. In the last game, the protocol is almost random, and so is the session key, which is computed from the ECDH tuple the simulator embeds. So if the adversary can correctly guess the session key and win the game, the simulator can break the ECDH assumption by using the adversary as a subroutine. This is the main line of the proof.
Elliptic Curve Diffie-Hellman (ECDH) Assumption: Let e be an elliptic curve and G an additive group of order q consisting of the points of e. Let P be a generator of G, let aP and bP be two elements of G, and consider an ECDH adversary with running time at most t. The probability that the adversary succeeds in computing abP from (aP, bP) is its ECDH advantage. The ECDH assumption holds if this advantage is negligible.
Theorem 1 (AKE Security). Let D be the distribution of users' passwords, of size |D|. Let P be the protocol we proposed. For any adversary running within a time bound t, with fewer than qsend Send queries, qexe Execute queries and fewer than qh Hash queries, we have:
[equation image not recovered]
where AdvE(t) is the probability that the adversary breaks the encryption scheme, and τG denotes the computational time of a point multiplication in group G.
Proof. The security analysis is based on the AKE-game between the adversary and a simulator S. The simulator S initializes the system for all the users, the cloud servers and the cloud service provider. We define a sequence of games starting from G0 to G4. For each game Gi (0 ≤ i ≤ 4), we define Si to be the event that the adversary correctly guesses the bit b in the Test session and Pr[Si] the probability of this event. Let Di = |Pr[Si] - Pr[Si-1]|. From the games below we obtain Theorem 1.
Game G0: This game is the real protocol and corresponds to the real attack. So by the definition of S0, we have:
[equation image not recovered]
Making a transformation, we have:
[equation image not recovered]
Game G1: In this game, S simulates the hash function h as a random oracle and keeps a hash list recording the queries to h and the corresponding answers. The Hash, Send, Execute, Reveal, Corrupt and Test queries are answered as in G0. The difference is that G0 runs the real protocol while G1 is in the random oracle model. From the definition of the random oracle, G0 and G1 are indistinguishable. So we have:
[equation image not recovered]
Game G2: S aborts the game when a collision appears on the transcripts {aP, r1, MA, NA}, {IDCSi, MCSi}, MSP, and {IDCSi, bP, s1, AuthSP, AuthCSi}. In the Send queries, at least one of the transcripts is generated by an honest participant; in the Execute queries, all of them are generated by honest participants. So by the birthday paradox, the probability of a collision on the transcripts is (qsend)²/2q + (qexe)²/2q². The same bound holds for collisions of the hash function. Then we have:
[equation image not recovered]
Game G3: In this game, S simulates all the oracles as in game G2, except that S stops the game when the adversary breaks the encryption algorithm E. If E is broken, then the adversary can impersonate CSi and choose the random value b himself, sending {IDCSi, bP, s1, AuthSP, AuthCSi} to the user A. In that case, the adversary can compute the correct session key since he holds the value b, and can also distinguish between the value returned from the Test session and a random value chosen from the key space. That means the adversary can distinguish game G2 from game G3. Thus,
[equation image not recovered]
Game G4: In this game, S first chooses one session as the Test session and another session as the matching session of the Test session. Then, S puts a random value mP into the Test session instead of aP and another random value nP into the matching session instead of bP. In this case, if the adversary can successfully distinguish between the value returned from the session and a random value and win the AKE security game, then we can solve the ECDH problem using the adversary as a subroutine, i.e., compute mnP. To obtain this conclusion, we need to use the random oracle h. As we know, in the random oracle model all outputs of the random oracle are random. So if the adversary can distinguish between the value returned from the Test session and a random value, the adversary must have computed the session key himself, i.e., h(mnP || mP || nP || IDA || IDCSi). It further means that the adversary must have asked a Hash query on (mnP, mP, nP, IDA, IDCSi) to the hash oracle before. By retrieving the hash list S keeps, S can obtain the value mnP, i.e., solve the ECDH problem. Note that we have to show how h answers queries in order to simulate the protocol correctly. If a Hash query x is asked to the hash oracle (here x is a group of data), the simulator S first checks whether this query has been asked before. If it has, S looks up the hash list and returns the corresponding answer. Otherwise, S chooses a random value as the answer to this hash query, returns it, and updates the hash list with this record.
Now in G4 the protocol is correctly simulated in the random oracle model. Let Event 4 be the event that the adversary has asked a Hash query on (mnP, mP, nP, IDA, IDCSi) in the Test session. If Event 4 does not happen, the advantage of the adversary in winning the AKE security game in G4 is 1/2, since the session key of the protocol in G4 is random in the random oracle model. Thus, the probability that the adversary wins the AKE-game in G4 is:
[equation image not recovered]
Next we consider the probability of Event 4. In game G4, Event 4 can happen in the following three cases:
Case 1: The adversary asks a Corrupt(A, smart card) query to the user A and obtains the secret information in the smart card, i.e., {IDA, CA, r}. Using this information, the adversary chooses a candidate password PWA' of A and a random value m, then computes K = h(msP), MA = h(K || r1) ⊕ IDA and XA' = h(PWA' || r) ⊕ CA. After that, the adversary asks a Send(mP, r1, MA, NA) query to the server instance, chooses this session as the Test session and asks the Test query. This means the adversary launches an online dictionary attack. If the guess is correct, SP will return the message showing that the adversary's authentication request passed. In that case, the adversary will ask a Hash query on (mnP, mP, nP, IDA, IDCSi) to the hash oracle, i.e., Event 4 happens. We bound the probability of this event by:
[equation image not recovered]
Case 2: In this case, the adversary also corrupts the user's smart card and obtains the secret information as in Case 1. Then, unlike Case 1, the adversary does not choose the random value a himself; he just asks Execute queries on the instances of A, CSi and SP. Then the adversary chooses this session as the Test session, which means he launches an off-line dictionary attack. In this case, S embeds a tuple (mP, nP) into the protocol, substituting aP with mP and bP with nP. If the adversary wins the game, he must have asked a Hash query on (mnP, mP, nP, IDA, IDCSi), i.e., computed mnP without knowing m and n. In that case, Event 4 happens and S obtains mnP, solving the ECDH problem by using the adversary. So in this case, Event 4 is bounded by:
[equation image not recovered]
Case 3: In this case, the adversary first asks an Execute query to the user's instance. When he gets the messages (mP, r1, MA, NA) output by that instance, the adversary continues by asking Execute queries to the other two instances. When he obtains the messages {IDCSi, bP, s1, AuthSP, AuthCSi} from CS_i, the adversary does not forward them to the user A. Instead, he chooses b' and s1' himself and impersonates CS_i to send {IDCSi, b'P, s1', AuthSP', AuthCSi'} to A. If both AuthSP' and AuthCSi' pass the user's verification, then Event 4 happens, since the adversary already knows the value b' in b'P. However, the probability of this event is also bounded by the advantage of breaking the ECDH problem. As shown in the protocol, mP is authenticated by K = h(msP) in AuthSP. Without knowing m and s, the adversary cannot compute the correct authentication message, i.e., the random value chosen by the adversary cannot pass the user's verification. So Event 4 in Case 3 cannot happen unless the adversary breaks the ECDH problem. So we have:
[equation given as an image in the original]
So we can bound the probability of Event 4 in G4:
[equation given as an image in the original]
Consequently, from equations (2)-(11) we obtain the result of Theorem 1.
Theorem 2 (Anonymity). The proposed scheme provides strong anonymity against an active adversary if the ECDH problem is hard.
Proof. The proof of anonymity is similar to that of AKE security, so we give only a brief explanation. As described in Fig. 2, if the adversary wants to reveal the identity of the user A, he needs to compute the value h(K || r1). So if the adversary obtains the identity of A, he must have asked a (K, r1) query to the hash oracle, where K = h(asP). The simulator S can then embed a random tuple (mP, nP) into the protocol in place of aP and sP respectively, and check the hash list to find the value mnP whenever the adversary obtains the identity of A. So under the ECDH assumption, the proposed scheme provides anonymity for the user.
Theorem 3 (Forward security). The proposed scheme provides forward security against an active adversary if the ECDH problem is hard.
Proof. Forward security means that if the long-term secret value is corrupted by the adversary, he cannot recover a session key agreed by the honest user before that point. As we can see, the session key of the protocol is composed of the random values chosen by A and CS_i respectively. The session key is not related to the long-term secret values of A (PW and CA) or to the long-term secret value of SP (s). As in the proof of AKE security, if the adversary can break the forward security of the scheme, then S embeds a random tuple (mP, nP) into the protocol in place of aP and bP respectively. After the adversary recovers the session key, S checks the hash list and gets the value abP, i.e., solves the ECDH problem. The detailed proof is similar to that of AKE security and is not repeated here.
Theorem 4 (Backward security). The proposed scheme provides backward security against an active adversary if the ECDH problem is hard.
Proof. Backward security means that if the long-term secret value is corrupted by the adversary, he cannot obtain a session key agreed by the honest user after that point. The purpose of the adversary is to obtain the secret that is encrypted under the session key between A and CS_i. Suppose that the adversary has corrupted user A and obtained its password and the information in the smart card without being detected by the user. Now the adversary wants to obtain the user's session key in a new session. In the new session the adversary can intercept A's message and impersonate A to communicate with CS_i and SP. However, without knowing the random value a chosen by A, the adversary cannot obtain the authentication message of SP, AuthSP = h(K || s1 || aP || bP) where K = h(asP). So, lacking the correct authentication message of SP, even if the adversary impersonates CS_i and sends {IDCSi, bP, s1, AuthSP, AuthCSi} to A, AuthSP cannot pass A's verification. Therefore, the adversary cannot get the session key of the new session even of a user who has lost all of his secrets, i.e., the scheme provides backward security. The detailed proof is similar to that of forward security and is not repeated here.
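The following is an added example (not the paper's or the authors' code) that plays out the arguments of Theorems 3 and 4 with concrete curve arithmetic: the honest SP, which knows s, produces an AuthSP = h(K || s1 || aP || bP) that A accepts, while an impersonator of CS_i who holds A's password and card data but not the fresh a (or s) cannot, and the agreed key material abP depends on a and b only. It assumes secp256k1 as the curve, SHA-256 as h, and the message fields named in the proofs; the impersonator's guess for K is a constructed stand-in for any value derivable from public data.

```python
import hashlib, hmac, secrets
# Added example, not the paper's code. secp256k1 stands in for the paper's
# 192-bit prime-field curve; P is the base point, N its order, h is SHA-256.
Q = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(Q); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    if p1[0] == p2[0] and (p1[1] + p2[1]) % Q == 0:
        return None                      # p2 == -p1
    if p1 == p2:                         # tangent slope for doubling
        lam = 3 * p1[0] * p1[0] * pow(2 * p1[1], -1, Q) % Q
    else:                                # chord slope for distinct points
        lam = (p2[1] - p1[1]) * pow(p2[0] - p1[0], -1, Q) % Q
    x3 = (lam * lam - p1[0] - p2[0]) % Q
    return (x3, (lam * (p1[0] - x3) - p1[1]) % Q)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (kP in the paper's notation)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):
    """The paper's hash h over x || y || ..., instantiated with SHA-256."""
    return hashlib.sha256(b"||".join(repr(x).encode() for x in parts)).digest()

def auth_sp(K, s1, aP, bP):
    """AuthSP = h(K || s1 || aP || bP), K = h(asP), as in the proof of Theorem 4."""
    return h(K, s1, aP, bP)

def sp_issue_authsp(s, aP, bP, s1):
    """Honest SP holds s, so it derives K = h(s*aP) = h(asP)."""
    return auth_sp(h(ec_mul(s, aP)), s1, aP, bP)

def user_accepts(a, sP, aP, bP, s1, received):
    """User A recomputes K = h(a*sP) and compares AuthSP in constant time."""
    return hmac.compare_digest(auth_sp(h(ec_mul(a, sP)), s1, aP, bP), received)

def backward_security_scenario():
    """Theorem 4: adversary has A's PW and card data but not A's fresh a nor SP's s."""
    rand = lambda: secrets.randbelow(N - 1) + 1
    s, a, b = rand(), rand(), rand()     # SP long-term key, A's and CS_i's nonces
    sP, aP, bP = ec_mul(s, P), ec_mul(a, P), ec_mul(b, P)
    s1 = secrets.token_bytes(16)         # constructed nonce s1
    honest = user_accepts(a, sP, aP, bP, s1, sp_issue_authsp(s, aP, bP, s1))
    # Impersonator picks b' and s1' himself; lacking a and s he can only build
    # K' from public values (here h(aP || sP)), which is not h(asP).
    b2P, s1_2 = ec_mul(rand(), P), secrets.token_bytes(16)
    forged = user_accepts(a, sP, aP, b2P, s1_2, auth_sp(h(aP, sP), s1_2, aP, b2P))
    # abP involves only a and b, not PW or s (Theorem 3's forward-security argument).
    key_agreed = ec_mul(a, bP) == ec_mul(b, aP)
    return {"honest_accepted": honest, "forgery_accepted": forged, "key_agreed": key_agreed}
```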
5.2 Performance Analysis
In this section we discuss only authentication schemes using smart cards in cloud computing; authentication schemes using other techniques are not the main motivation of this paper. We analyze the performance of the proposed authentication scheme in two aspects: security properties and efficiency. Table 2 shows the security properties of the proposed scheme compared with some other smart card based authentication schemes for cloud computing. Security is the primary question we have to answer in cloud computing, since the data are not stored on the users' own computers. As far as smart card based authentication schemes are concerned, identity protection, security when the smart card is lost, and forward/backward security are important properties. From Table 2 we can see that only our scheme has all the security properties, so from the security aspect our scheme performs better than the other schemes in the table.
Table 2. Security properties comparison between related schemes and ours
[table given as an image in the original]
P1: Mutual authentication; P2: Providing secure key agreement; P3: Preventing the dictionary attack; P4: Identity protection; P5: Secure when the smart card is lost; P6: Forward security.
Table 3 shows the computation cost of the proposed scheme and some related schemes. In Table 3, the cost of a point multiplication is taken as similar to that of an exponentiation, and the cost of a hash operation as similar to that of an encryption/decryption. Point multiplication and exponentiation are more time consuming than hash and encryption/decryption operations. From Table 3 we can see that Huang et al.'s scheme [17] is the most efficient of the four schemes: on the user side its computation cost is 3h+1E, and on the server side it is 1m+4h+1E after pre-computation. Our authentication scheme has one more point multiplication than Huang et al.'s scheme on both the user side and the server side (here we consider only the multiplication cost, since it is more time-consuming than the other operations). The reason is that our scheme has the properties of forward security and backward security: if an authentication scheme provides forward or backward security, one more ECDH tuple (mP, nP) has to be added. So without forward and backward security, our scheme would have the same performance as Huang et al.'s scheme. Choudhury et al.'s scheme [9] and Chen et al.'s scheme [10] have better performance than our scheme on the server side; however, they are not as good as ours on the user side. We pay much attention to the cost on the user side, since its processor speed is often limited. Meanwhile, our scheme has a further advantage: the server does not need to store the ephemeral secret of the user, which reduces the risk of an attack on the server.
Table 3. Computation cost comparison among related schemes
[table given as an image in the original]
m: point multiplication; e: exponentiation; h: hash; E: encryption/decryption.
In order to give an objective efficiency comparison, we carried out an efficiency analysis based on the implementation of the scheme in [19] and the implementation of our scheme. The operations used in the experiment are implemented with a 1024-bit prime modulus for exponentiation, an elliptic curve over a finite field with a 192-bit prime, AES encryption with a 256-bit key, and the SHA-256 hash function. The computation cost on the user side is evaluated on an NXP SmartMX PKI controller P5CT072 with 4.5 KB RAM and a PKI crypto-engine. The computation cost on the server side is evaluated on a laptop with a 2.5 GHz Intel Core i5-4200M processor and 4 GB RAM. The communication between the smart card and the server is carried over the USB bus. Table 4 shows the experimental results for the related authentication schemes after pre-computation. From Table 4 we can see that our scheme does not have the best efficiency, especially on the server side. The reason lies in that our scheme provides the forward/backward security which is absent in the other schemes; if they provided this property, at least one more point multiplication would be needed, as noted above.
Table 4. Experimental data between related authentication schemes after pre-computation
[table given as an image in the original]
Considering security and computation cost overall, our scheme has better performance in the following aspects:
(1) Compared with the smart card based authentication schemes [9-10] for cloud computing, our scheme can resist the smart card lost attack, which is important for the security of the user's data in the cloud server.
(2) Compared with the authentication scheme [17], although both our scheme and [17] can resist the smart card lost attack, our scheme has two further advantages over [17]. Firstly, our scheme has the property of forward and backward security, which protects the user's past and future sessions. Secondly, we use a three-level authentication model, which differs from Huang et al.'s authentication scheme [17]. This allows our authentication scheme to be converted easily into an authentication scheme for the mobile roaming scenario, since both use the same authentication model.
(3) A further advantage of our scheme is that the service provider does not need to store the ephemeral secret of the user, which reduces the risk of an attack on the service provider. In fact, it disperses the risk across hundreds of cloud servers, which avoids a single point of failure. Meanwhile, it also reduces the burden on the service provider, since the session key is computed between the user and the different cloud servers rather than the service provider.
5. Conclusion and Future Work
Authentication schemes using smart cards are more practical in the real world since they provide more convenience and strong security for the user, for example in e-commerce transactions and other Internet activities. However, few of these schemes can resist the smart card lost attack in cloud computing. The problem becomes more complicated when more security properties are considered, such as forward and backward security in addition to the smart card lost attack. In this paper we took a close look at authentication in the cloud computing scenario and proposed a new smart card based authentication scheme for cloud computing. The new scheme addresses two tough problems in smart card authentication for cloud computing: (1) the smart card lost attack; (2) forward and backward security. Meanwhile, the new scheme takes advantage of the three-level authentication model, which makes it easy to convert into an authentication scheme for the roaming scenario in cloud computing, since both use the same framework (in the mobile roaming cloud computing scenario, the cloud server in our framework is regarded as the foreign server or roaming server). The distributed authentication model (i.e., the service provider distributes the authentication to the different cloud servers) may help researchers design authentication schemes for multi-party authentication scenarios in future. The proposed scheme satisfies all of the security requirements of cloud authentication, and in this respect is better than the other schemes in this scenario. As a compromise, the computation cost of our scheme is not the best. However, it is still efficient and acceptable, as shown in Table 4.
As for future work, we want to discuss more complicated authentication scenarios for cloud computing, such as: (1) authentication schemes between different domains, i.e., how users from different cloud providers authenticate each other and agree on a common session key; (2) authentication among a group of users, i.e., how a group of users securely share their own secret data stored in the cloud server with other users in the group using the smart card mechanism.
BIO
Li Haoxing received his B.S. degree in communication engineering from Beijing Electronic Science and Technology Institute in 2004, and his M.S. degree in electronics and communication engineering from Beihang University in 2010. He is pursuing his Ph.D. degree at Xidian University. His current research interests include access control and cloud data protection.
(E-mail: lhx595@126.com)
Li Fenghua (corresponding author) received his B.S., M.S. and Ph.D. degrees in Computer Software and Computer Systems Architecture from Xidian University in 1987, 1990 and 2009 respectively. Currently, he is working as a professor and doctoral supervisor in the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences. He is also a doctoral supervisor at Xidian University. His current research interests include network security, system security and evaluation, and trusted computation.
(E-mail: lfh@iie.ac.cn)
Song Chenggen received his B.S., M.S. and Ph.D. degrees in communication engineering from Peking University in 2006, 2009 and 2013 respectively. Currently, he is working as an engineer in the Institute of Information Security Engineering, Beijing Electronic Science and Technology Institute. His current research interests include PEKS and security protocols.
(E-mail: songgeng87@gmail.com)
Yan Yalong received his B.S. degree in communication engineering from Beijing Electronic Science and Technology Institute in 2001. Currently, he is working as a senior engineer in the Institute of Information Security Engineering, Beijing Electronic Science and Technology Institute. His current research interests include network security and information security.
(E-mail: yalong@besti.edu.cn)
References
[1] Armbrust M., “A view of cloud computing,” Communications of the ACM, 53(4), pp. 50-58, 2010. DOI: 10.1145/1721654.1721672
[2] Subashini S., Kavitha V., “A survey on security issues in service delivery models of cloud computing,” Journal of Network and Computer Applications, 34(1), pp. 1-11, 2011. DOI: 10.1016/j.jnca.2010.07.006
[3] Juang W.S., Chen S.T., Liaw H.T., “Robust and efficient password authenticated key agreement using smart cards,” IEEE Transactions on Industrial Electronics, 55(6), pp. 2551-2556, 2008. DOI: 10.1109/TIE.2008.921677
[4] Halevi S., Krawczyk H., “Public-key cryptography and password protocols,” in Proc. of ACM CCS, November 2-5, 1998, pp. 122-131.
[5] Lamport L., “Password authentication with insecure communication,” Communications of the ACM, 24(11), pp. 770-771, 1981. DOI: 10.1145/358790.358797
[6] Abdalla M., Pointcheval D., “Simple password-based encrypted key exchange protocols,” in Proc. of CT-RSA, February 14-18, 2005, pp. 191-208.
[7] Bellare M., Pointcheval D., Rogaway P., “Authenticated key exchange secure against dictionary attacks,” in Proc. of EUROCRYPT, August 14-18, 2000, pp. 139-155.
[8] Li X., Zhang Y., “A simple and robust anonymous two-factor authenticated key exchange protocol,” Security and Communication Networks, 6(6), pp. 711-722, 2013. DOI: 10.1002/sec.605
[9] Choudhury A.J., “A strong user authentication framework for cloud computing,” in Proc. of IEEE Asia-Pacific Services Computing Conference, December 12-15, 2011, pp. 110-115.
[10] Chen N., Jiang R., “Security analysis and improvement of user authentication framework for cloud computing,” Journal of Networks, 9(1), pp. 198-203, 2014. DOI: 10.4304/jnw.9.01.198-203
[11] Jiang R., “Advanced secure user authentication framework for cloud computing,” International Journal of Smart Sensing and Intelligent Systems, 6(4), pp. 1700-1724, 2013.
[12] Han N.D., “A scheme for data confidentiality in cloud-assisted wireless body area networks,” Information Sciences, 284(10), pp. 157-166, 2014. DOI: 10.1016/j.ins.2014.03.126
[13] Nimmy K., Sethumadhavan M., “Novel mutual authentication protocol for cloud computing using secret sharing and steganography,” Journal of Information Security Research, 5(2), pp. 17-19, 2014.
[14] Hao Z., Zhong S., Yu N., “A time-bound ticket-based mutual authentication scheme for cloud computing,” International Journal of Computers, Communications & Control, 6(2), pp. 227-235, 2011.
[15] Pippal R.S., Jaidhar C.D., Tapaswi S., “Enhanced time-bound ticket-based mutual authentication scheme for cloud computing,” Informatica, 37(2), pp. 149-156, 2013.
[16] Messerges T.S., Dabbish E.A., Sloan R.H., “Examining smart-card security under the threat of power analysis attacks,” IEEE Transactions on Computers, 51(5), pp. 541-552, 2002. DOI: 10.1109/TC.2002.1004593
[17] Huang J.J., “Robust and privacy protection authentication in cloud computing,” International Journal of Innovative Computing, Information and Control, 9(11), pp. 4247-4261, 2013.
[18] Zhou T., Xu J., “Provable secure authentication protocol with anonymity for roaming service in global mobility networks,” Computer Networks, 55(7), pp. 205-213, 2011. DOI: 10.1016/j.comnet.2010.08.008
[19] Wu T.Y., Tseng Y.M., “An efficient user authentication and key exchange protocol for mobile client-server environment,” Computer Networks, 54(9), pp. 1520-1530, 2010. DOI: 10.1016/j.comnet.2009.12.008