An enhanced approach for three factor remote user authentication in multi

Abstract

With the agile development of the Internet era, starting from the message transmission to money transactions, everything is online now. Remote user authentication (RUA) is a mechanism in which a remote server verifies the user’s correctness over the shared or public channel. In this paper, we analyze an RUA scheme proposed by Chen for the multi-server environment and prove that their scheme is not secured. We also find numerous vulnerabilities such as password guessing attack, replay attack, Registration Center (RC) spoofing attack, session key verification attack, and perfect forward secrecy attack for Chen’s scheme. After performing the cryptanalysis of Chen’s scheme, we propose a biometric-based RUA scheme for the same multi-server environment. We prove that the proposed authentication scheme achieves higher security than Chen’s scheme with the use of informal security analysis as well as formal security analysis. The formal security analysis of the proposed scheme is done using a widely adopted random oracle method.

Keywords

Multi-server smart card biometrics three factor authentication

1 Introduction

In recent years, the popularity of the web is expanding massively. Most of the services are available online via the Internet. In current trends, a user does not need to go anywhere physically to get essential services. Still, instead of user remotely orders those services over the web by giving his/her accreditation. Therefore, the user’s information or data goes through an unreliable or open channel. As all the correspondence and information exchange is done on a public or open channel, it is a significant challenge to develop reliable and secure information sharing mechanism to protect the data against various sorts of attacks. For that, the system needs to authenticate (i.e., is the remote user who he/she claims to be) and to authorize (i.e., is the remote user has rights to get to specific administration) the remote user. A conventional system for RUA incorporates a password table at the server-side. However, these days, the entire authentication system is transformed with the use of a smart card (SC). The SC is a plastic card or pocket estimate card having a microchip that can store the data or the information. We can use SC for the authentication as well as for the storage of secret security parameters. Through the replacement of the password table by the SC, researchers have improved the security for data sharing platforms and tried to protect those data-sharing platforms from the sharp watchdog systems of an attacker.

In the single-server system, multiple users get service from the single server while in the multi-server system, numerous users try to get service from the innumerable servers simultaneously. In the multi-server environment, the user registers with the central RC, allowing access to all the associated servers. Nowadays, we use a single login system to access the multiple servers of google, and this is a real-time example for the multi-server system. Authentication in the multi-server system can be either two-factor based authentication or three-factor based authentication. The authentication system is either two-factor or three-factor depends on the number of parameters selected for the articulation of the authentication mechanism. During designing of any secure and reliable authentication system, we need to concede the following strands:

What remote user know (password, pin),

What remote user has (mobile, RFID, SC, e-token),

Who remote user is (biometrics).

In this paper, we propose a three-factor authentication scheme for the multi-server environment. In 1981, Lamport [1] presented the first password-based authentication of the remote user over an open or regular channel. The proposal of Lamport had the major drawback of password storage. For the system with only password-based security, if server stores the password then it doesn’t assure the security of the system from insider attacks, password spoofing attacks and other major attacks. Thus, to overcome the limitations of the password-based approach, Hwang et al. [8] in 2000 proposed an SC based authentication scheme. But, the scheme proposed by Hwang et al. did not permit a remote user to select and update their passwords uninhibitedly; therefore, there was a vulnerability inside password updation in Hwang et al.’s scheme.

Towards the Further improvement in the authentication system, in 2003, Aoshima et al. [2] (US Patent - One-time Login Method) presented the difference among authentication and authorization, and they suggested a One time password (OTP) based system to improve the security of the system. Further, in 2003, Lee et al. [3] proposed the RUA scheme based on two-factor authentications by the combination of password and SC. In 2006, Cheng’s scheme [6] offered a first multiple servers based system and gave a brief idea about the interaction between multiple servers and numerous end-user devices. In the continuation of security enhancement, various other authors in [3–20 , 43] had also proposed RUA schemes and prove the strength for their systems using security analysis and performance analysis. Authors in the papers, as mentioned above, claimed that their schemes do not bother for the storage of the password table, but instead, they make use of either SC or OTP.

In 2009, Xu et al. [5] put forward a SC based authentication scheme by limiting the attacker’s capability using guess that attacker can’t steal both (password and SC of the user) at the same time. Therefore, they tried to limit the attacker’s capability, and guessed that an attacker could not have a SC and an original password of the user simultaneously and proposed a RUA scheme. In 2006, Cheng et al. [6] introduced a system that deals with multiple servers and their interaction with the end-users. To cope with the drawback of password table authentication and two-factor authentication, in 2009, Li et al. [8] proposed a three-factor meant biometrics-based authentication scheme with the random number. All the schemes [1 –23] had certain security vulnerabilities. Authors in [24 –40] had tried to overcome those limitations and proposed secure and efficient RUA schemes using a hash function, OTP, Random number, time-stamp, etc. We recommend the researcher to study those schemes. Recently authors in [45] published an authentication scheme for the sensor-based network setup where the user communicates with sensors through the gateway device.

The principal motivation for writing this paper and proposing a new authentication scheme is the existence of proven vulnerabilities in the recently proposed authentication scheme. In the past works, the authors store the password in the password table at the server-side. The stored password can be either in plaintext or in encrypted form. To address these challenges, SC is a proven tool. The user and the server stores the secret data on microchip available with the SC. SC is easy to use, highly secure, tamper-proof and the most reliable approach for the key generation and the password updation.

Subsequent sections in the paper are organized as follows: Section 2 discusses preliminaries used for the articulation of proposed work. Section 3 Chen’s Scheme provides review for the scheme proposed by Chen et al. [23]. Section 4 provides cryptanalysis for the Chen et al. [23] scheme and highlights vulnerabilities for it. Section 5 put forward a proposed authentication scheme. In section 6, we provide an informal security analysis for the proposed work based on the Dolev-Yao channel. The formal security analysis for the proposed work is discussed in section 7 using Real-or-Random (ROR) model. In section 8, we carry out performance analysis for the proposed work in terms of time complexity and attack analysis. Finally, in section 10, we provide a conclusion followed by the future work related to proposed work.

2 Preliminaries

2.1 Symbols and notations

Table 1 provides symbols and notations which are used in the articulation of proposed work.

Table 1
Symbols and notation

Symbols Description

U user

S server

r random number

h (.) One way Hash function

T Time stamp

k _s Server secret key

ID user Identity

SK Session key

PW user Password

BM User biometrics

PUB _S Server Public key

KFH Pre-shared key between RC and server

SEC _S Server private key

$C$ challenger

→ Insecure channel

SC Smart Card

Symbols	Description
U	user
S	server
r	random number
h (.)	One way Hash function
T	Time stamp
k _s	Server secret key
ID	user Identity
SK	Session key
PW	user Password
BM	User biometrics
PUB _S	Server Public key
KFH	Pre-shared key between RC and server
SEC _S	Server private key
$C$	challenger
→	Insecure channel
SC	Smart Card

2.2 Hash-function

The cryptographic hash function H is defined as a H : {0, 1} ^* → {0, 1} ⁿ, where * is a random size input and n is the fix size output. A function H is a subordinate function that uses various cryptographic purposes such as designing of digital signature, authenticated key exchange, random number generation, and so on. Every cryptographic hash function must satisfy certain properties such as second pre-image resistant or week collision property, pre-image resistant or one-way property, variable size input, fixed-size output, collision-resistant, or strong collision property, efficiency, and randomness.

3 Review of Chen’s scheme

In this section, we put forward a detailed analysis for the RUA scheme proposed by Chen et al. [23]. Following 4 phases was used by Chen et al. [23] in their proposed work.

Registration Phase,

Authentication Phase,

Password Change Phase,

3.1 Registration phase

In this phase, user picks {r, ID_i, PW_i}. User sends selected identity ID_i, and hash of the generated random number r with selected password PW_i over a protected channel for registration. The RC performs necessary verification and calculations. Here x and y are secret keys generated by the RC. After performing the required operations, the RC creates a SC and passes it to the user over a protected channel.

User computes h(r ⊕ PW_i) and sends ID_i with h(r ⊕ PW_i) over a secure channel to the server.

Server computes R_i = h(h(r ⊕ PW_i)), M_i = h(R_i||h (x ⊕ y)), E_i = M_i ⊕ h (r ⊕ PW_i), L_i=h(ID_i||x), W_i = L_i ⊕ h (ID_i||h (r ⊕ PW_i)), F_i = h(L_i).

Server generates SC = {W_i,E_i,F_i,h(.),h(y)} and sends it to user over a secure manner.

3.2 Login phase and authentication phase

In the login phase, user inputs ID_i and PW_i. Then, at the user side certain operations (discussed below) are followed, and then the user sends a parameter set m1 to the remote server for the login purpose. In the login phase, server performs operation for the user validation and sends a parameter m2 to the user. Now, the user verifies the server message and sends a parameter set m3 to the server for authentication and key generation. Thus, both the parties mutually authenticate each other and draw a session key.

User computes L_i = W_i ⊕ h (ID_i||h (r ⊕ PW_i)), F_i* = h(L_i) then check F_i* ?= F_i, if this is verified.

User generates random number N_i and computes M_i= E_i ⊕ h (r ⊕ PWi), R_i = h(h(r ⊕ PW_i)),

User computes G_ij = R_i ⊕ h (h (y) ||N_i||SID_j), CID_i = h(r ⊕ PW_i) ⊕ h (Li||Mi||Ni)

User computes H_ij = L_i ⊕ h (M_i||Ni_||SID_j), Z_i = h(E_i||M_i||N_i).

User sends message m1= {CID_i, G_ij, H_ij, Z_i, N_i} to server through open insecure channel.

After receiving a message from the user, server computes R_i = G_ij ⊕ h (h (y) ||N_i||SID_j), M_i = h(R_i||h (x||y)), L_i = H_ij ⊕ h (M_i||N_i||SID_j), h(r ⊕ PW_i) = CID_i ⊕ h (L_i||M_i||N_i), E_i = M_i ⊕ h (r ⊕ PW_i), h(E_i||M_i||N_i) ?= Z_i

Server generates random number N_j and computes V_ij = h(E_i||N_i||M_i||SID_j). Server prepares message m2 = {V_ij,N_j} and sends it to user.

User computes h(E_i||N_i||M_i||SID_j) ?= V_ij, $V_{ij}^{'}$ = h(E_i||N_j||M_i||SID_j). User generates message m3 = $V_{ij}^{'}$ and sends it to the server over an open insecure channel.

Server receives a message and computes h(E_i||N_j||M_i||SID_j) ?= $V_{ij}^{’}$ , SK = h(E_i||N_i||N_j||M_i||SID_j).

User also computes session key SK = h(E_i||N_i||N_j||M_i||SID_j).

3.3 Password change phase

In this phase, user can change password using his/her credentials.

User provides ID_i and PW_i, now user system computes L_i = W_i ⊕ h (ID_i||h (r ⊕ PW_i)), F_i* = h(L_i).

User system verifies F_i* ?= F_i and selects (PW_{i
_new}, r_new).

User system computes W_{i
_new} = L_i ⊕ h (ID_i||h (r_new ⊕ PW_{i
_new})), E_{i
_new} = E_i ⊕ h (r ⊕ PW_i) ⊕ h (r_new ⊕ PW_{i
_new}).

User system updates SC = {W_{i
_new}, E_{i
_new}, F_i, r_new, h(.), h(y)}.

4 Cryptanalysis for the Chen’s scheme

In this section, we discuss vulnerabilities for the authentication scheme proposed by Chen et al. [23].

4.1 Password guessing attack

During the authentication phase, user and server exchanges parameter $V_{ij}^{'}$ = h (E_i ∥ N_i ∥ M_i ∥ SID_j). In this parameter the value of N_j (server nonce) can be intercepted because it is in the plain text format in the second parameter set m2. The value of SID_j (Server’s identity) is publicly available to everyone, the value of E_i can also be intercepted if an attacker successfully gets SC (because SC contains the parameter E_i) of the user. Therefore, we have only one parameter E_i left which is unknown for an attacker. Now, we know that M_i = h (r ⊕ PW_i) ⊕ E_i. So, as per the rules of XOR, if we have any two operands out of three, we can easily get the third one. The attacker tries to perform dictionary attacks in the bruit-force approach and tries all the passwords ${PW}_{i}^{'}$ one by one. And, for the correct password, by the computation of $M_{i}^{'}$ = $h (r \oplus {PW}_{i}^{'}) \oplus E_{i}$ , we can obtain the right value of the E_i. Thus, we have all the four correct values which is used in $V_{ij}^{'}$ . So, we can easily get it, impersonate as a genuine user.

4.2 Replay attack

Whenever, an attacker tries to send the same message, which is intercepted by him/her before some time, he/she tries to perform the replay attack. In Chen’s scheme, during an authentication phase, if an attacker intercepts the first parameter set m1= {G_ij, CID_i, N_i, Z_i, H_ij} and sends the m1 to the server after a while. Server computes {R_i, M_i, L_i, E_i} and compares Z_i ?= h (E_i||M_i||N_i) and then generates server nonce N_j. If the user is not a genuine user, then also the server continues the computation of many other operations means eight-time hash function and six time XOR function. After these many operations only, server can validate weather user is a genuine one or not. Over here, server wastes CPU and takes unnecessary time for user verification.

4.3 RC spoofing attack

If the RC acts as an attacker, then the attacker has all the resulting values for which it will perform computation. Thus, in the registration phase RC has these resulting parameters: {R_i, M_i, E_i, L_i, W_i, F_i}. In this scheme, session key can be computed in the authentication phase: SK = h (E_i||N_i||N_j||M_i||SID_j), where N_i (user nonce) and N_j (server nonce) can be intercepted from the public channel, SID_j is known to everyone and rest of the parameters E_i and M_i can be received easily as it is available at RC and in RC spoofing attack, RC itself behaves as an attacker. As a result, the attacker has all five parameters necessary for the session key and thus it can easily impersonate as a legal user.

4.4 Perfect forward secrecy

In the authentication phase, the value of $V_{ij}^{'}$ = h (E_i||N_j||M_i||SID_j), thus among these parameters, only Nj (server nonce) is a random number generated by the server and is dynamic for each calculation. The values of parameters must not remain same, if a user wants to get certain services from a specific server. Thus, If the same random number is generated by the server for N_j, the value of $V_{ij}^{'}$ will be the same as the previous occurrence of N_j. For example, $N_{j} = 1 \to V_{ij}^{'} = 23$ , if $N_{j} = 5 \to V_{ij}^{'} = 42$ but if now N_j = 1 then it is surely $V_{ij}^{'}$ will be 23 again.

4.5 Session key verification attack

In the authentication phase, both communicating parties generate a session key, SK = h (E_i||N_i||N_j||M_i||SID_j), but session key is not verified, This is not the right way to provide a mutual authentication before the actual conversation. Before further communication, session key must be established and verified by both the parties.

4.6 Performance issue

Chen’s scheme has a number of hash functions. It can take a significant amount of time to perform authentication. In the registration phase, there are eight hash functions while in the login phase, there are nine hash functions. In the authentication phase, there are nine hash functions, while in the password change phase, there are four hash functions. Thus, a total of 30 times hash operation is performed, and therefore, it consumes a significant amount of time and compromises the system’s performance.

5 Proposed scheme

In this section, we propose a new approach for the multi-server authentication by adopting a key agreement scheme using a SC. We apply three-factor authentication in a multi-server environment. We propose following three phases:

Registration phase,

Password change phase.

There are three entities in our proposed algorithm:

Remote user

Registration center (RC)

Server

The RC generates:

KFH→ pre-shared key between the RC and the server.

MSK→ secret key generated by the RC for legitimate remote user.

FSK→ secret key generated by RC for the legitimate server, where KFH = h (ID_Server||FSK).

5.1 Registration phase

New user can register himself/herself with the RC and access any of the servers associated with RC. Following steps describe registration procedure followed by the user:

User selects ID_i, PW_i, BM_i and random number r.

SCR computes RPW_i = h(PW_i||h (BM_i)) or RPW_i = h(PW_i||ID_i||r) then, SCR sends registration request (ID_i, RPW_i) to RC over Secure Channel.

RC performs A_i = h(ID_i||MSK), B_i = A_i ⊕ RPW_i, then RC sends the reply with parameters (B_i, A_i, Ek(.)/ Dk(.), h(.)) to remote user over secure channel.

Remote user saves (B_i, A_i, Ek(.)/ Dk(.), h(.), (BM_i ⊕ r))

At the completion of the registration phase, user has parameters that he/she will use for the login and authentication phase. So, the next phase is the user login, mutual authentication and key generation phase.

5.2 Login and authentication phase

In this phase, user and server performs mutual authentication and generates secret session key. During this phases, user and remote server performs the following steps:.

User enters ID_i, PW_i and BM_i.

SCR computes RPW_i = h (PW_i||h (BM_i)) or h (PW_i||ID_i||r) by getting r = (BM_i ⊕ r) ⊕ BM_i. Now SCR verifies $A_{i} \oplus {RPW}_{i} \overset{?}{=} B_{i}$ , if it is not equal then the process gets termination here, otherwise it continues for the further steps. SCR generates rMU and performs RMU = rMU . P, D_i = EPUB_S {RMU, A_i, B_i, T₁, ID_i}.

SCR sends login request (D_i, T₁) to the server.

Server computes, T₂ - T₁ < = ΔT, DSEC_S {D_i}.

Server sends message to the RC in encrypted format and the KFH is pre-shared key. Thus, the message EKFH {A_i, ID_i, T₃} is sent and then the RC computes T₄ - T₃ < = ΔT, DKFH {A_i, ID_i, If $h ({ID}_{i} | | MSK) \overset{?}{=} A_{i}$ .

RC sends response to the server (T₅) and server computes T₆ - T₅ < = ΔT and generates rFA. Server computes RFA = rFA . RMU, RPW_i = Bi ⊕ Ai, Fi = RMU ⊕ RFA, SK = h (RFA||ID_i||RPW_i||T₇).

Server sends response to the remote user (h (SK) , T₇, F_i) and user computes T₈ - T₇ < = ΔT and gets RFA = F_i ⊕ RMU, If $h (h (RFA | | {ID}_{i} | | {RPW}_{i} | | T_{7})) \overset{?}{=} h (SK)$ .

SCR verifies the session key and performs the session key agreement.

5.3 Password change phase

In the proposed RUA scheme, user does not contact with the RC or the server for the password updation. The user follows following steps for the password updation:

User selects ID_i, PW_i, BM_i,

SCR computes RPW_i = h(PW_i||h (BM_i)) or h(PW_i||ID_i||r), if $A_{i} \oplus {RPW}_{i} \overset{?}{=} B_{i}$ . If not equal then the process terminates here otherwise it performs next steps,

User selects a new password ${PW}_{i}^{*}$ . The SCR computes ${RPW}_{i}^{*}$ = h( ${PW}_{i}^{*} | | h ({BM}_{i})$ ) or h( ${PW}_{i}^{*} | | {ID}_{i} | | r$ )

The SCR computes Bi^* = $A_{i} \oplus {RPW}_{i}^{*}$ . Then the SCR updates the parameters (r, $B_{i}^{*}$ , A_i, Ek(.)/ Dk(.), h(.)) in SC.

6 Informal security analysis for the proposed scheme

6.1 Password guessing attack

In the password guessing attack, an attacker performs guesswork and tries different passwords. If an attacker succeeds than he/she can prove himself/herself as a valid user. In the proposed scheme, the intruder performs RPW_i = h (PW_i||h (B_i)) or h (PW_i||ID_i||r). As a result, an attacker may guess the password, but he/she can never guess the values of RPW_i as RPW_i which are inked with the parameters such as user biometrics, user identity and random numbers generated by the user. Thus, the attacker can not prove him/herself as a genuine user for the proposed system.

6.2 Replay attack

If An attacker stores the past login messages and utilizes those messages to login into the server after some time into the system. In our Proposed scheme, we utilize a timestamp for each communicated message over an open channel. Both the communicating parties first verify the timestamp upon receiving the message. Therefore, in our proposed method, we perform verification twice for security enhancement.

6.3 Spoofing attack

In the RC spoofing attack, RC, as an insider, performs an attack on the system. Attacker misuses parameters stored by RC to derive a session key. In our proposed work, we generate a session Key SK = h (RFA||ID_i||RPW_i||T₇). If the RC attacks the system, then RC can use the available parameters Ai and Bi. But, the proposed system does not use Ai and Bi for the session key computations, Thus, there is no possibility that RC ever succeeds in spoofing of the original session key.

6.4 Perfect forward secrecy attack

If the attacker compromises the user’s credentials or any other sensitive information and the attacker derives the original session key using those parameters, it is called a perfect forward secrecy attack. In the proposed scheme, we take care that let random number does not appear as an open parameter to any party during the verification procedure. We follow the multiple multiplications of random numbers for security enhancement in the proposed scheme. The final result of random number multiplications is inked as one of the security parameter for the final session key. For example, generated random numbers are rMU, P and rFA, We calculate RMU = rMU . P followed by RFA = rFA . RMU ., and SK = h (RFA||ID_i||RPW_i||T₇). Thus, the proposed scheme is strong enough against the perfect forward secrecy attack.

6.5 Session key verification property

For any mutually authenticated secure system, Both the communicating parties must compute session key as well as ensure that counter party also computed the same session key. If the session key is verified, then the system achieves session key verification property or mutually authentication property. In the proposed scheme, server generates SK = h (RFA||ID_i||RPW_i||T₇) and sends h (SK) over public channel. At the user side, user verifies this session key by $h (h (RFA | | {ID}_{i} | | {RPW}_{i} | | T_{7})) \overset{?}{=} h (SK)$ . Thus, we can say that the proposed RUA scheme achieves session key verification successfully.

6.6 User anonymity property

When the server is not aware of user identity, it is called user anonymity. In the remote server, the authenticated user must be unidentifiable and untraceable. In our Proposed Scheme, SC does not store the user’s identity SC = {r, A_i, B_i, Ek (.) , Dk (.) , h (.)}. If the SC is compromised, then also the identity of the user is not revealed. During the login and authentication phase also, the user never sends his/her identity as a plain text over a public channel. User sends (D_i, T₁) where D_i is encrypted and secure. Thus, we can say that the proposed method achieves user anonymity property.

6.7 User impersonation attack

In the user impersonation attack, the attacker claims that he/she is the genuine user for the system. Thus, the attacker sends the login request to the server, and if the server authenticates him/her, he/she can prove himself/herself as a legitimate user. In the proposed scheme, an attacker can not generate a correct login request. A public key of the server encrypts parameter D_i in the login message, and D_i is generated using parameters like A_i and B_i which are protected by a random number, and validated pair of id and password. Thus, it is next to impossible that an attacker can impersonate the legal user as the value of D_i depends on the identity, password, random number, and MSK. Thus, the proposed RUA scheme provides immunity against user impersonate attack.

6.8 Secure and user-friendly password change phase

In the proposed scheme, a valid user can easily change the password. In the password Change Phase, user provides registered credentials like identity, password and random number / biometrics followed by the SCR verification. After successful verification, only the valid user becomes eligible to provide a new password PWi^*. The SCR computes parameters ( ${RPW}_{i}^{*}$ = $h ({PW}_{i}^{*} | | h (B_{i}))$ or $h ({PW}_{i}^{*} | | {ID}_{i} | | r)$ , $B_{i}^{*}$ = $A_{i} \oplus {RPW}_{i}^{*}$ ) and updates the SC by using newly computed parameters. In the proposed scheme, user does not communicate with the RC or any other server during password updation phase.

6.9 Denial of service attack

In DoS attack, an attacker tries to reduce the server’s performance by either syn flooding or any other means. In the proposed scheme, we use Biohash function for the improvement of security and reduction in time. This is because in the normal hashing function, if the input is biometric, then the avalanche effect of hash function takes more time and resources than the Biohash function. In Chen’s scheme, the system uses additional CPU resources to prove user legitimacy. Still, in the proposed scheme, we perform lighter computations for the same purpose. Thus, the proposed system also achieves efficient resource utilization.

6.10 Smart card stolen attack

If an attacker steals the SC of a genuine user, he/she tries to read all the parameters from SC. If an attacker succeeds, he /she gets access to the user’s account. In the proposed scheme, if the SC is stolen then also an attacker will not get value of D_i = EPUB_S {RMU, A_i, B_i, T₁, ID_i} which is principal parameter for the session key generation. Thus, our proposed scheme is secured against the SC stolen attack.

6.11 Message modification attack

An attacker can modify any of the messages communicated through the public channels. In the proposed scheme, all the messages pass through the open channel, but these messages are in either encrypted or digested format. and therefore, only legitimate user or server can access those data or interpret them. Thus, the proposed scheme is secured against the message modification attack.

6.12 Session key computation attack

An attacker can intercept and compute the session key passing through the public channel. In the proposed scheme, session key is computed as a SK = h (RFA||ID_i||RPW_i||T₇). The session key computation requires original timestamp and precise random numbers, which are unique and dynamic values for each session key. Therefore, we claim that the proposed scheme provides security against the session key computation attack. In mutual authentication, both the parties authenticate each other. In the proposed scheme, the RC authenticates both, remote server and remote user by providing three keys (MSK, FSK, KFH). The user encrypts the data with the server’s public key. If the server can decrypt it using its secret key, mutual authentication between the user and the server can be performed efficiently. The server encrypts the data using the pre-shared key and sends those data to RC. If the RC can decrypt the encrypted data, mutual authentication between the server and the RC is performed efficiently. The RC also authenticates a remote user, so a user and the RC mutually authenticate each other. Thus, our proposed scheme possesses mutual authentication properties.

6.13 Mutual authentication property

In mutual authentication, both the parties authenticate each other. In the proposed scheme, the RC authenticates both, remote server and remote user by providing three keys (MSK, FSK, KFH). The user encrypts the data with the server’s public key. If the server can decrypt it using its secret key, mutual authentication between the user and the server can be performed efficiently. The server encrypts the data using the pre-shared key and sends those data to RC. If the RC can decrypt the encrypted data, mutual authentication between the server and the RC is performed efficiently. The RC also authenticates a remote user, so a user and the RC mutually authenticate each other. Thus, our proposed scheme possesses mutual authentication properties.

7 Formal security analysis of propose scheme using random oracle

There are many tools such as AVISPA [44] and ROR [41] available for the security analysis of RUA schemes. The ROR [41] is a random oracle based tool that is utilized to analyze the proposed protocol in formal way. The challenger C launches various attacks on the proposed scheme in ROR using an oracle queries. The fundamental objective of an challenger C is to successfully distinguish the real session key and retrieve an accurate random value. A equal approach was also adopted in [42] for formal analysis of the proposed scheme.

Random Oracles: The random oracles produce non-reversible random value r_i using hash function for given input m_i.

Participants and oracle instances: In the proposed scheme, there are two entities, the server S_j and the user U_i. Let us assume that $Ω_{U_{i}}^{x}$ , and $Ω_{S_{i}}^{y}$ are oracles with instances x and y for the U_i and S_j respectively.

Partnering: The two oracle instances Ω^{t
₁}, Ω^{t
₂} are partners if they divide the similar scid (transcript of all messages) and both are in the acceptance state.

challenger: The challenger C is an intermediary who accesses open channel for to perform oracle queries.

T (Ω^{t
₁}) : In this query, the challenger C uses an unbiased coin to guess the value of b. The challenge has limited access for this query.

S (Ω^{t
₁}, m_i) Using this query, the challenger C exchanges message m_i with the instance t₁.

CorruptUserDevice: The challenger C captures stored information from the secret memory of the user device using itCorruptUserDevice query. The challenger C have limited access for this query.

Freshness: The oracle Ω^{t
₁} is fresh if no reveal query is performed by the challenger C on the instance t₁.

E (Ω^{t
₁}, Ω^{t
₂}) Using the execute query, the challenger C performs passive attack on communication occurring between instances t₁ and t₂.

R (Ω^{t
₁}) : The reveal query provides a session key computed by an instance t₁ with its partnering instance t₂.

If the SUC represents victory of the challenger C , the advantage function itAd_P defines the success of the challenger C in capturing SK. If itAd_P is negligible, we can say that the proposed scheme is secured. The itAd_P can be defined as follows: $it AdP (A) = 2 * \Pr [SUC] - 1$ (1)

7.1 The formal security proof:

We provide the formal security proof for the propose protocol as follows:

Theorem 1. We can define the security for the proposed protocol from the challenger C as, $it AdP (A) \leq \frac{q_{h}^{2}}{2^{l_{h} + 1}} + \frac{(q_{s} + q_{e})^{2}}{2^{l_{r} + 1}} + \frac{1}{2^{l_{r} + 1}}$ (2) where l_h, l_r represents the hash size and random number size in bits respectively; q_s, q_e and q_h represents number of times send query, execute query, and hash query are implemented by the challenger C .

Proof. We define four security games G₀, G₁, G₂ and G₃ to prove the security of the proposed protocol P. Over here, the Pr[ $SUC$ ] defines the winning probability for a challenger such that he/she can differentiate computed or retrieved value and real session key SK successfully.

Game G₀: The game G₀ is a starting game to realize protocol P. Therefore, the game G₀ can be defined as per equation. 3, $it AdP (A) = 2 * \Pr [{SUC}_{0}] - 1$ (3)

Game G₁: In the game G₁, the challenger uses execute E query to perform the passive attack. Let us assume that the challenger $C$ experiments E (Ω^x, Ω^y) query to monitor the transmitted messages between both the entities. The winning probability Pr[ $SUC$ ] in this game for $C$ hang on the calculation of the session key SK from the tracked messages. There are two messages communicated between the user and the server. Let us guess that using the E query, the challenger receives itmessage 1 = (D_i, T₁) and itmessage 2 = (h (SK) , T₇, F_i). Meanwhile, the computation of itSK = h(RFA||ID_i||RPW_i||T₇) is protected by the unique id of both participants. It also involves parameters such as RFA that is protected by the master secret of the RC and randomization approach. The C does not get any single parameters that is necessary for the session key computation. Therefore, the game G₁ concludes as, $\Pr [{SUC}_{1}] = \Pr [{SUC}_{0}]$ (4) The equation 4 proves that the Pr[ $SUC$ ] is negligible under the game G₁.

Game G₂: In this game, the challenger C performs an active attack by the experiments of send query and hash query. The fundamental goal of the challenger C is to update the messages and persuade the communicated parties to accept the modified messages. Now let us assume that C receives itmessage 1 = (D_i, T₁), from U_i and tries to modify itmessage 1 in such a way that the server accepts the modified message. However, the computation of DSEC_S {D_i} requires the secret key of the server, which is not possible to receive by the challenger. D_i is an encrypted object which has variables that are hashed output of other variables. D_i also has a random number of RMU. The hitting probability for the random numbers is $\frac{(q_{s} + q_{e})^{2}}{2^{l_{r} + 1}}$ [42], and the hitting probability of hash query is at most $\frac{q_{h}^{2}}{2^{l_{h} + 1}}$ [42]. Therefore, through the birthday paradox, we can say that: $\Pr [{SUC}_{2}] - \Pr [{SUC}_{1}] \leq \frac{q_{h}^{2}}{2^{l_{h} + 1}} + \frac{(q_{s} + q_{e})^{2}}{2^{l_{r} + 1}}$ (5)

Game G₃: The game G₃ considers the other attacks implemented by the challenger C using oracle queries. C makes use of itCorruptUserDevice and retrieves (B_i, A_i, Ek(.)/ Dk(.), h(.), (BM_i ⊕ r)). The challenger attempts to calculate itSK = h(RFA||ID_i||RPW_i||T₇) from the captured values. Using these queries, C gets ID_i but can not compute the value RPW_i and RFA because both the values depend on random number r. The guessing probability for the random number by the challenge C is $\frac{1}{2^{l_{r} + 1}}$ . Therefore, we can say that, $\Pr [{SUC}_{3}] - \Pr [{SUC}_{2}] \leq \frac{1}{2^{l_{r} + 1}}$ (6) After finishing all this games, the only option left with the challenger C is to toss the unbiased. By this way, the challenges attempts to predict the correct value of bit b. The winning chance in this experiment is almost $\frac{1}{2}$ . Therefore, from the equations 3, 4, 5, we can say that, $\frac{1}{2} it AdP (A) = \Pr [{SUC}_{1}] - \Pr [{SUC}_{3}]$ (7) With the help of equations 5,6,7, we can obtain, $it AdP (A) \leq \frac{q_{h}^{2}}{2^{l_{h} + 1}} + \frac{(q_{s} + q_{e})^{2}}{2^{l_{r} + 1}} + \frac{1}{2^{l_{r} + 1}}$ (8)

8 Performance analysis

In order to compare our proposed scheme with Chen’s scheme [23], we use two metrics:

Time complexity.

Security analysis.

In the first parameter, we prove that our proposed scheme takes lesser time than Chen’s scheme, and in the second parameter, we prove that our proposed scheme is more secure against different attacks as compared to Chen’s scheme.

8.1 Analysis based on security

In Table 2, we compare Chen’s scheme and the proposed scheme in terms of attacks. We consider a list of attacks and compare both the schemes against those attacks as depicted in the table. We demonstrate that our proposed scheme is more secure as compared to Chen’s scheme.

Table 2
Comparison based on security

Attack Chen’s scheme propose scheme

Password guessing attack Insecure Secure

Replay attack Insecure Secure

Denial of Service attack Secure Secure

Stolen smart card attack Secure Secure

RC spoofing attack Insecure Secure

Modification attack Secure Secure

Perfect forward secrecy attack Insecure Secure

User anonymity attack Secure Secure

Session key verification attack Insecure Secure

User impersonation attack Secure Secure

Session key computation attack Secure Secure

Mutual authentication attack Secure Secure

Attack	Chen’s scheme	propose scheme
Password guessing attack	Insecure	Secure
Replay attack	Insecure	Secure
Denial of Service attack	Secure	Secure
Stolen smart card attack	Secure	Secure
RC spoofing attack	Insecure	Secure
Modification attack	Secure	Secure
Perfect forward secrecy attack	Insecure	Secure
User anonymity attack	Secure	Secure
Session key verification attack	Insecure	Secure
User impersonation attack	Secure	Secure
Session key computation attack	Secure	Secure
Mutual authentication attack	Secure	Secure

8.2 bfTime complexity analysis

In Table 3, we compare Chen’s scheme and the proposed scheme in terms of time complexity. We consider the time taken by the hash function (T_h), XOR function (T_x), concatenation function (T_c), symmetric (E and D) and asymmetric encryption/decryption function (AE and AD). As shown in the table, we demonstrate that our proposed work diminishes the overhead to validate the user as compared to Chen’s scheme. Therefore, Table 4 shows time computation required by both the schemes. It shows that the proposed remote user authentication scheme is better than the Chen’s scheme. The implementation of the proposed scheme is performed in system with Core-i7 processor with 8 GB RAM on the Linux environment. The individual time consumption for the various cryptographic functions are as follows. The hash function T_h takes 0.023 s, XOR function (T_x) takes 0.013 s, concatenation function (T_c) takes 0.0122 s, symmetric functions (E and D) takes 0.0466 s and asymmetric encryption/decryption functions (AE and AD) take 0.112 s.

Table 3
Comparison based on operations

Scheme Registration Login Authentication Password Change

Chen’s Scheme ^[23] 10T_h + 6T_x + 4T_c 11T_h + 9T_x + 9T_c 14T_h + 5T_x + 30T_c 7T_h + 6T_x + 2T_c

Proposed Scheme 2T_h + 1T_x + 3T_c 6T_h + 3T_x + 12T_c +1E + 1D +1AE +1AD 2T_h + 2T_x + 4T_c

Scheme	Registration	Login	Authentication	Password Change
Chen’s Scheme ^[23]	10T_h + 6T_x + 4T_c	11T_h + 9T_x + 9T_c	14T_h + 5T_x + 30T_c	7T_h + 6T_x + 2T_c
Proposed Scheme	2T_h + 1T_x + 3T_c	6T_h + 3T_x + 12T_c +1E + 1D +1AE +1AD	2T_h + 2T_x + 4T_c

Table 4

Comparison based on timing

Scheme	Total
Chen’s Scheme ^[23]	42T_h + 26T_x + 45T_c +2T_r bf= 1.8535s
Proposed Scheme	10T_h + 6T_x + 19T_c + 1E + 1D + 1AE + 1ADbf= 0.857s

9 Acknowledgments

This work is carried out by Chintan Patel and Dhara Joshi under the supervision of Nishant Doshi. Rutij Jhaveri and Veeramuthu helps in communication and various stage of this paper. We are thankful to Pandit Deendayal Petroleum University, Marwadi University and Sathyabama University for the support to carried out this work. We are thankful to Guest Editor and anonymous reviewers for their painstaking efforts in making this paper as it now.

10 Conclusions and future work

In this paper, we perform the cryptanalysis for Chen’s authentication scheme. During cryptanalysis, we discovered that Chen’s scheme is vulnerable to various attacks such as password guessing attack, replay attack, RC spoofing attack, perfect forward secrecy attack, and the session Key Verification attack. To address the limitations of Chen’s scheme, we proposed a scheme for the multi-server environment. Using the Dolev-Yao channel, we performed an informal security analysis while we used the random oracle based ROR model to show the formal security analysis. We highlighted the performance analysis of the proposed scheme based on time complexity. To summarize, the proposed authentication scheme is considerably efficient and secured against the attacks mentioned above and other well-known attacks. The Proposed scheme also has certain computational limitations and vulnerabilities. The scheme proposed uses a client-server-based network model, which can be enhanced with different network models such as user-gateway-sensor, which is used in sensor networks and the Internet of Things. In the proposed scheme, we used hash function and other traditional crypto algorithms. In this era of smart devices, it is imperative to use light-weight cryptography algorithms such as an Elliptic Curve Cryptography (ECC). As future work, we would consider resource constraint devices as a communicating party and derive a light-weight authentication scheme for the setup.

References

Chen.

C.T.

, Anonymity authentication method in multi-server environments, US Patent 9 (2016), 264–425.

Lamport

, Password Authentication with Insecure Communication, In: Commun ACM 24.11 (Nov. 1981), pp. 770–772. ISSN : 0001-0782. DOI: 10.1145/358790.358797. URL: http://doi.acm.org/10.1145/358790.358797.

Aoshima

, Tasaka

and Takeda

, One-time logon method for distributed computing systems, US Patent 7 (2006), 136–996. URL: http://www.google.tl/patents/US7136996.

Yih -Lee

and Chiu

Y.-C.

, Improved remote authentication scheme with smart card. In: Computer Standards and Interfaces 27(2) (2005), pp. 177–180. ISSN:0920-5489.

Cheng

R.C.H.

, Van Oorschot

P.C.

and Hillier

S.W.

, Sys-tems and methods providing interactions between multiple servers and an end use device, US Patent 7 (2006), 010–582. URL:https://www.google.com/patents/US7010582

Khan

M.K.

and Zhang

, An Efficient and Practical Fingerprint-Based Remote User Authentication Scheme with Smart Cards. In:Information Security Practice and Experience: Second International Conference, ISPEC 2006, Hangzhou, China, April 11-14, 2006. Proceedings. Ed. by Kefei Chen et al. Berlin, Hei-delberg: Springer Berlin Heidelberg, 2006, pp. 260–268.ISBN: 978-3-540-33058-5.DOI:10.1007/1168952224. URL: https://doi.org/10.1007/1168952224.

, Zhu

W.-T.

and Feng

D.-G.

, An improved smart card based password authentication scheme with provable security. In: Computer Standards and Interfaces 31(4) (2009), pp. 723–728. ISSN:0920-5489. DOI: https://doi.org/10.1016/j.csi.2008.09.006. URL: https://www-sciencedirect-com.web.bisu.edu.cn/science/article/pii/S0920548908001165

Chen

C.T.

, Anonymity authentication method for global mobility networks, US Patent 9 (2015), 021–265.

C.-T.

and Hwang

M.-S.

, An efficient biometricsbased remote user authentication scheme us-ing smart cards. In: Journal of Network and Computer Applications 33(1) (2010), pp. 1–5. ISSN: 1084-8045. DOI: https://doi.org/10.1016/j.jnca.2009.08.001. URL: https://www-sciencedirect-com.web.bisu.edu.cn/science/article/pii/S1084804509001192.

10.

, et al., Cryptanalysis and improvement of a biometrics-based remote user authentication scheme us-ing smart cards. In: Journal of Network and Computer Applications 34(1) (2011), pp. 73–79. ISSN: 1084-8045. DOI: https://doi.org/10.1016/j.jnca.2010.09.003. URL: https://www-sciencedirect-com.web.bisu.edu.cn/science/article/pii/S1084804510001657.

11.

Chaturvedi

, Mishra

and Mukhopadhyay

, Improved Biometric-Based Three-factor Remote User Authentication Scheme with Key Agreement Using Smart Card. In: Information Systems Security: 9th International Conference, ICISS 2013, Kolkata, India, December 16-20, 2013. Proceedings. Ed. by Aditya Bagchi and Indrakshi Ray. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 63–77. ISBN: 978-3-642-45204-8. DOI: 10.1007/978-3-642-45204-85. URL: https://doi. org/10.1007/978-3-642-45204-85.

12.

and Wang

, Robust Biometrics-Based Authentication Scheme for Multiserver Environment. In: IEEE Systems Journal 9(3) (2015), pp. 816–823. ISSN: 1932-8184. DOI:10.1109/JSYST.2014.2301517

13.

, et al., An enhanced biometrics-based user authentication scheme for multi-server environments in critical systems. In: Journal of Ambient Intelligence and Humanized Computing 7(3) (2016), pp. 427–443. ISSN: 1868-5145. DOI: 10.1007/s12652-015-0338-z. URL: https://doi.org/10.1007/s12652-015-0338-z.

14.

Sarvabhatla

, Giri

and Vorugunti

C.S.

, Crypt-analysis of a robust and effective smart card-based remote user authentication mechanism using hash function. In: 2014 International Conference on Computer and Communication Technology (ICCCT). 2014, pp. 123–128. DOI: 10.1109/ICCCT.2014.7001479

15.

Mishra

, Design and Analysis of a Provably Secure Multi-server Authentication Scheme. In: Wireless Personal Communications 86(3) (2016), pp. 1095–1119. ISSN: 1572-834X. DOI: 10.1007/s11277-015-2975-0. URL: https://doi.org/10.1007/s11277-015-2975-0.

16.

Nikooghadam

, Jahantigh

and Arshad

, A lightweight authentication and key agreement protocol preserving user anonymity. In: Multimedia Tools and Applications 76(11) (2017), pp. 13401–13423In. ISSN: 1573-7721. DOI: 10.1007/s11042-016-3704-8. URL: https://doi.org/10.1007/s11042-016-3704-8.

17.

Odelu

, Das

A.K.

and Goswami

, A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards. In: IEEE Transactions on Informa-tion Forensics and Security 10(9) (2015), pp. 1953–1966. ISSN: 1556-6013.

18.

Yoon

E.-J.

and Yoo

K.-Y.

, Robust biometricsbased multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. In: The Journal of Supercomputing 63(1) (2013), pp. 235–255. ISSN: 1573-0484. DOI: 10.1007/s11227-010-0512-1. URL: https://doi.org/10.1007/s11227-010-0512-1.

19.

Chuang

M.-C.

and Chen

M.C.

, An anony-mous multi-server authenticated key agreement scheme based on trust computing using smart cards and biomet-rics. In: Expert Systems with Applications 41(4) (2014), pp. 1411–1418. ISSN: 0957-4174. DOI: https:7//doi.org/10.1016/j.eswa.2013.08.040. URL: https://www-sciencedirect-com.web.bisu.edu.cn/science/article/pii/S0957417413006611.

20.

Irshad

, et al., An efficient and anonymous multi-server authenticated key agreement based on chaotic map without engaging Registration Centre. In: The Journal of Supercomputing 72(4) (2016), pp. 1623–1644. ISSN: 1573-0484. DOI: 10.1007/s11227-016-1688-9. URL: https://doi.org/10.1007/s11227-016-1688-9.

21.

Reddy

A.G.

, et al., A Secure Anonymous Authentication Protocol for Mobile Services on Elliptic Curve Cryptog-raphy, IEEE Access 4 (2016), pp. 2169–3536. ISSN: 2169-3536.

22.

Shaik

, Password self encryption method and system and encryption by keys generated from personal secret information, US Patent App 12/402,786. 2009. URL: https://www.google.tl/patents/US20090296927.

23.

Chen

and Majumdar

, Password-based cryptographic method and apparatus, US Patent 8 (2013), 464–058.

24.

Shen

, et al., New biometrics-based authentication scheme for multi-server environment in critical systems. In: Journal of Ambient Intelligence and Humanized Com-puting 6(6) (2015), pp. 825–834. ISSN: 1868-5145. DOI: 10.1007/s12652-015-0305-8. URL: https://doi.org/10.1007/s12652-015-0305-8.

25.

Chen

, et al., Flexible neural trees based early stage identification for IP traffic. In: Soft Computing 21(8) (2017), pp. 2035–2046. ISSN: 1433-7479. DOI: 10.1007/s00500-015-1902-3. URL: https ://doi.org/10.1007/s00500-015-1902-3.

26.

Liu

, et al., Preserving Privacy with Probabilistic Indistinguishability in Weighted Social Networks. In: IEEE Transactions on Parallel and Distributed Systems 28(5) (2017), pp. 1417–1429. ISSN: 1045-9219. DOI: 10.1109/TPDS.2016.2615020.

27.

Liu

, et al., Finger vein secure biometric template generation based on deep learning. In: Soft Computing 22(7) (2018), pp. 2257–2265. ISSN: 1433-7479. DOI: 10.1007/s00500-017-2487-9. URL: https://doi.org/10.1007/s00500-017-2487-9.

28.

Peng

, et al., Collaborative trajectory privacy preserving scheme in location-based services. In: Information Sciences 387 (2017), pp. 165–179. ISSN: 0020-0255. DOI: https://doi.org/10.1016/j.ins.2016.08.010. URL: https://www-sciencedirect-com.web.bisu.edu.cn/science/article/pii/S0020025516305801.

29.

Chen

, Lei

and Qi

, Lattice-based linearly homomorphic signatures in the standard model, The-oretical Computer Science 634 (2016), pp. 47–54. ISSN: 0304-3975.

30.

Tian

and Li

, A short non-delegatable strong designated verifier signature. In: Frontiers of Computer Science 8(3) (2014), pp. 490–502. ISSN: 2095-2236. DOI: 10.1007/s11704-013-3120-4. URL: https://doi.org/10.1007/s11704-013-3120-4.

31.

, et al., Securely Outsourcing Attribute-Based Encryp-tion with Checkability, IEEE Transactions on Parallel and Distributed Systems 25(8) (2014), pp. 2201–2210. ISSN: 1045-9219. DOI: 10.1109/TPDS.2013.271

32.

Lin

, et al., An ID-Based Linearly Homomorphic Signature Scheme and Its Application in Blockchain. In: IEEE Access 6 (2018), pp. 20632–20640. DOI: 10.1109/ACCESS.2018.2809426

33.

Jhaveri

R.H.

, et al., Sensitivity Analysis of an Attack-Pattern Discovery Based Trusted Routing Scheme for Mo-bile Ad-Hoc Networks in Industrial IoT, In: IEEE Access 6 (2018), pp. 20085–20103. DOI: 10.1109/ACCESS.2018.2822945

34.

Wang

, et al., A Novel Security Scheme Based on Instant Encrypted Transmission for Internet of Things, in: Security and Communication Networks 2018 (2018), pp. 10179–10188. DOI: https://doi.org/10.1155/2018/3680851.

35.

Meng

, et al., When Intrusion Detection Meets Blockchain Technology: A Review. In: IEEE Access 6 (2018), pp. 10179–10188. DOI: 10.1109/ACCESS.2018.2799854

36.

, et al., Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures. In: Journal of Network and Computer Applications 107 (2018), pp. 1084–8045. ISSN: 1084-8045. DOI: https://doi.org/10.1016/j.jnca.2018.01.014. URL: https://www-sciencedirect-com.web.bisu.edu.cn/science/article/pii/S1084804518300286.

37.

Yang

, et al., A remotely keyed file encryption scheme under mobile cloud computing. In: Journal of Network and Computer Applications 106 (2018), pp. 90–99. ISSN: 1084-8045.

38.

Yan

, et al., Centralized Duplicate Removal Video Storage System with Privacy Preservation in IoT. In: Sensors 18(6) (2018).

39.

Liu

, et al., Cloud-based electronic health record system supporting fuzzy keyword search. In: Soft Computing 20(8) (2016), pp. 3243–3255. ISSN: 1433-7479. DOI: 10.1007/s00500-015-1699-0. URL: https://doi.org/10.1007/s00500-015-1699-0.

40.

Cai

, et al., Towards Secure and Flexible HER Sharing in Mobile Health Cloud Under Static Assumptions. In: Cluster Computing 20(3) (Sept. 2017), pp. 2415–2422. ISSN: 1386-7857. DOI: 10.1007/s10586-017-0796-5. URL: https://doi.org/10.1007/s10586-017-0796-5.

41.

Abdalla

, Fouque

P.A.

and Pointcheval

, Password-based authenticated key ex-change in the three-party setting. In:Vaudenay, S. (ed.) PublicKey Cryptography- PKC 2005. pp. 65–84. Springer Berlin Heidelberg, Berlin, Heidelberg (2005).

42.

Roy

, Chatterjee

, Das

A.K.

, Chattopadhyay

, Kumari

and Jo

, Chaoticmap-based anonymous user authentication scheme with user biometrics and fuzzyextractor for crowdsourcing internet of things, IEEE Internet of Things Journal 5(4) (2018), 2884–2895.

43.

Rajan

R.A.

and Kumaran

, Multi-biometric cryptosystem using graph for secure cloud authentication. Journal of Intelligent and Fuzzy Systems, (Preprint), 1–8.

44.

Kumar

, Chand

and Kumar

, A PKC-based user authentication scheme without smart card, Journal of Intelligent and Fuzzy Systems 35(5) (2018), 5379–5390.

45.

Roy

, Chatterjee

and Mahapatra

, An efficient biometric based remote user authentication scheme for secure internet of things environment, Journal of Intelligent Fuzzy Systems 34(3) (2018), 1403–1410.

46.

Hwang

M.-S.

and Li

L.-H.

, A new remote user authentication scheme using smart cards, IEEE Transactions on consumer Electronics 46(1) (2000), 28–30.

An enhanced approach for three factor remote user authentication in multi - server environment

Abstract

Keywords

1 Introduction

2 Preliminaries

2.1 Symbols and notations

3 Review of Chen’s scheme

3.1 Registration phase

3.2 Login phase and authentication phase

3.3 Password change phase

4 Cryptanalysis for the Chen’s scheme

4.1 Password guessing attack

4.2 Replay attack

4.3 RC spoofing attack

4.4 Perfect forward secrecy

4.5 Session key verification attack

4.6 Performance issue

5 Proposed scheme

5.1 Registration phase

5.2 Login and authentication phase

5.3 Password change phase

6 Informal security analysis for the proposed scheme

6.1 Password guessing attack

6.2 Replay attack

6.3 Spoofing attack

6.4 Perfect forward secrecy attack

6.5 Session key verification property

6.6 User anonymity property

6.7 User impersonation attack

6.8 Secure and user-friendly password change phase

6.9 Denial of service attack

6.10 Smart card stolen attack

6.11 Message modification attack

6.12 Session key computation attack

6.13 Mutual authentication property

7 Formal security analysis of propose scheme using random oracle

8.1 Analysis based on security

Table 3 Comparison based on operations Scheme Registration Login Authentication Password Change Chen’s Scheme [23] 10T h + 6T x + 4T c 11T h + 9T x + 9T c 14T h + 5T x + 30T c 7T h + 6T x + 2T c Proposed Scheme 2T h + 1T x + 3T c 6T h + 3T x + 12T c +1E + 1D +1AE +1AD 2T h + 2T x + 4T c

10 Conclusions and future work

References

Table 3
Comparison based on operations

Scheme Registration Login Authentication Password Change

Chen’s Scheme ^[23] 10T_h + 6T_x + 4T_c 11T_h + 9T_x + 9T_c 14T_h + 5T_x + 30T_c 7T_h + 6T_x + 2T_c

Proposed Scheme 2T_h + 1T_x + 3T_c 6T_h + 3T_x + 12T_c +1E + 1D +1AE +1AD 2T_h + 2T_x + 4T_c