Special Collection Article
An improved authentication protocol–based dynamic identity for multi-server environments
International Journal of Distributed Sensor Networks 2018, Vol. 14(5) © The Author(s) 2018 DOI: 10.1177/1550147718777654 journals.sagepub.com/home/dsn
Jianming Cui1 , Xiaojun Zhang1 , Ning Cao2 , Dexue Zhang1, Jianrui Ding3 and Guofu Li4
Abstract

The age of the Internet of things gives rise to new challenges for the security requirements that protocols must meet, such as object identification and tracking and privacy control. In many current protocols, a malicious server can deceive users by posing as a legitimate server, which makes it vital to verify the legitimacy of both users and servers with the help of a trusted third party such as a registration center. Li et al. proposed an authentication protocol based on dynamic identity for multi-server environments, which is still susceptible to password-guessing attack, eavesdropping attack, masquerade attack, insider attack, and others. Besides, their protocol does not provide user anonymity, which is an essential requirement for protecting users' privacy. In this article, we present an improved authentication protocol that relies on the registration center in multi-server environments to remedy these security flaws. Unlike previous protocols, the registration center in our proposed protocol is one of the parties in the authentication phase and verifies the legitimacy of both users and servers, which effectively prevents the server spoofing attack. Our protocol uses only nonces, the exclusive-OR operation, and a one-way hash function in its implementation. A formal analysis using the Burrows–Abadi–Needham logic has been performed to show its security.

Keywords: Dynamic identity, multi-server, registration center, smart card, Burrows–Abadi–Needham logic
Date received: 4 February 2018; accepted: 12 April 2018 Handling Editor: Gary Leavens
Introduction

In the past decades, great research efforts have been made on the Internet of things (IoT), with a wide range of application scenarios such as object identification and tracking, healthcare, privacy control, and military use.1–4 Along with the convenience they bring, security issues concerning personal privacy, in the form of constant and transparent leakage of private information, may also arise. End devices like smart cards often carry a certain level of infrastructure equivalent to a tiny computer, including computation power, storage, and communications, which make a mutual authentication and key agreement protocol possible. They can prevent unauthorized users from gaining access to sensitive resources and prevent legitimate users from accessing resources in an unauthorized manner. Since Lamport5 proposed the first password-based authentication protocol, great efforts have been made to improve the security of authentication.
1 Shandong University of Science and Technology, Qingdao, China
2 Qingdao Binhai University, Qingdao, China
3 Harbin Institute of Technology, Weihai, Weihai, China
4 University of Shanghai for Science and Technology, Shanghai, China

Corresponding author: Xiaojun Zhang, Shandong University of Science and Technology, Qingdao 266590, China. Email: [email protected]
Creative Commons CC BY: This article is distributed under the terms of the Creative Commons Attribution 4.0 License (http://www.creativecommons.org/licenses/by/4.0/) which permits any use, reproduction and distribution of the work without further permission provided the original work is attributed as specified on the SAGE and Open Access pages (https://us.sagepub.com/en-us/nam/ open-access-at-sage).
Password-based authentication is simple, but it requires maintaining a verification table, which can lead to table disclosure or password compromise. Hwang and Li6 presented a new remote user authentication protocol using smart cards, based on the scheme proposed by ElGamal.7 In their scheme, the servers do not need to keep any verification table. Since then, many kinds of smart card–based authentication protocols using hash functions have been presented.8–12 Traditional password-based or smart card–based authentication protocols are designed for single-server environments and are not suitable for multi-server environments. To overcome these weaknesses, many protocols for the multi-server environment have been devised.13–16 They can implement mutual authentication with a single registration. However, we find that they are still susceptible to replay attack, impersonation attack, password-guessing attack, and so on. To remedy these flaws, enhance security, and reduce the computational complexity, we propose an improved dynamic identity (ID)–based authentication protocol for multi-server architectures. This protocol not only achieves user anonymity and resists various kinds of attacks but also completes mutual authentication and session key agreement.

The rest of the article is organized as follows. In section ''Related work and discussion,'' we provide a brief review of related protocols and analyze their security. Then, we present an improved authentication protocol for the multi-server environment in section ''The proposed protocol.'' The correctness of the proposed protocol is verified by formal verification with the Burrows–Abadi–Needham (BAN) logic in section ''Analysis of correctness.'' Section ''Security analysis of the improved protocol'' evaluates the security of our proposed protocol. Section ''Cost and functionality analysis'' compares the costs and functionalities of our protocol and other protocols. Finally, we present the conclusion in section ''Conclusion.''
Related work and discussion

In the literature, Liao and Wang17 presented a secure user authentication protocol for multi-server architectures based on dynamic ID. However, Hsiang et al. claimed that Liao et al.'s protocol not only failed to achieve mutual authentication but also could not withstand server spoofing attack, insider attack, masquerade attack, and so on. Moreover, Lee et al.18 proposed an improved remote user authentication scheme based on dynamic ID, but their protocol is still vulnerable to server spoofing attack and forgery attack. Hsiang et al. presented a new authentication protocol.19 They claimed that their protocol efficiently protects the identity of the user and can resist various known attacks. Unfortunately, Sood et al.20 stated that Hsiang et al.'s scheme cannot withstand stolen smart card attack, replay attack, and impersonation attack. Besides, the password change method of Hsiang et al.'s scheme is incorrect. In order to overcome these security weaknesses, Sood et al. presented an improved authentication protocol.20 They declared that their proposed protocol helps the servers and the registration center validate the user's identity successfully and also keeps the user's ID dynamic in the communication channel. Sood et al. argued that their scheme can withstand various known attacks, such as impersonation attack, offline dictionary attack, and replay attack. However, Li et al.21 found that Sood et al.'s scheme cannot withstand stolen smart card attack and leak-of-verifier attack. Furthermore, Li et al. presented an efficient and secure dynamic ID–based authentication scheme.21 Unfortunately, Li et al.'s protocol was soon shown by Han22 to be susceptible to password-guessing attack and masquerade attack. In addition, Xue et al.23 claimed that Li et al.'s protocol is susceptible to insider attack, eavesdropping attack, masquerade attack, and so on. Moreover, Wang et al.24 uncovered two other vulnerabilities: offline password-guessing attack and no provision of user anonymity. In recent years, many researchers have also studied group data sharing via cloud storage and new privacy-preserving encryption models in cloud environments.25–27
Review of Li et al.'s protocol

In this section, we mainly review the authentication protocol presented by Li et al.21 This protocol consists of three parties: the user Ui, the server Sj, and the registration center RC. RC is trusted by Ui and Sj, who register with it and authenticate through it. RC chooses a master key x and a secret number y. When Sj registers with RC, RC calculates h(SIDj ‖ y) and h(x ‖ y), then submits h(x ‖ y) and h(SIDj ‖ y) to Sj over a secure channel. Their protocol can be divided into four phases: registration phase, login phase, authentication and session key agreement phase, and password change phase. The notations are listed in Table 1.

Registration phase.
Step 1: Ui chooses his or her identity IDi and password Pi freely and chooses a random number b. Then Ui calculates Ai = h(b ‖ Pi) and sends Ai and IDi to RC over a secure channel.
Step 2: Upon receiving IDi and Ai, RC computes Ci = h(IDi ‖ h(y) ‖ Ai), Bi = h(IDi ‖ x), Di = Bi ⊕ h(IDi ‖ Ai), Ei = Bi ⊕ h(y ‖ x), and then stores {Ci, Di, Ei, h(), h(y)} into the smart card. Finally, RC sends the smart card to the user over a secure channel.
Step 3: Ui keys b into the smart card.
Table 1. Notations.

| Name | Description |
| --- | --- |
| Ui | ith user |
| RC | Registration center |
| Sj | jth server |
| IDi | Identity of Ui |
| Pi | Password of the user Ui |
| SIDj | Identity of Sj |
| x | Master secret key |
| y | Secret number |
| b | A random number chosen by the user for registration |
| CIDi | Dynamic identity generated by Ui for authentication |
| SK | Session key shared among the user, the server and RC |
| Ni1, Ni2, Ni3 | Random numbers chosen by Ui, Sj and RC |
| h() | One-way hash function |
| ⊕ | Bitwise exclusive-OR operation |
| ‖ | Bitwise concatenation operation |
Login phase.
Step 1: When Ui wants to log in to Sj, Ui inserts the smart card into a card reader and then keys IDi, Pi, and SIDj. The smart card computes Ai = h(b ‖ Pi) and Ci' = h(IDi ‖ h(y) ‖ Ai) and then checks whether Ci' is equal to Ci. If they are equal, the user is legal; otherwise the user is illegal.
Step 2: After local verification, the smart card generates a random number Ni1 and computes Bi = Di ⊕ h(IDi ‖ Ai), Fi = h(y) ⊕ Ni1, Pij = Ei ⊕ h(h(y) ‖ Ni1 ‖ SIDj), CIDi = Ai ⊕ h(Bi ‖ Fi ‖ Ni1), and Gi = h(Bi ‖ Ai ‖ Ni1). Then it sends {Fi, Gi, Pij, CIDi} to Sj over an insecure channel.

Authentication and session key agreement phase.
Step 1: Upon receiving the login request from the user, Sj chooses a random number Ni2 and computes Ki = h(SIDj ‖ y) ⊕ Ni2 and Mi = h(h(x ‖ y) ‖ Ni2). Then Sj transmits {Fi, Gi, Pij, CIDi, Ki, Mi} to RC.
Step 2: Once RC receives the login request from Sj, it computes Ni2 = Ki ⊕ h(SIDj ‖ y) and Mi' = h(h(x ‖ y) ‖ Ni2) and then checks whether Mi' is equal to Mi. If it holds, RC authenticates the server successfully. Otherwise, RC terminates the session.
Step 3: RC computes Ni1 = Fi ⊕ h(y), Bi = Pij ⊕ h(h(y) ‖ Ni1 ‖ SIDj) ⊕ h(y ‖ x), Ai = CIDi ⊕ h(Bi ‖ Fi ‖ Ni1), and Gi' = h(Bi ‖ Ai ‖ Ni1), and checks whether Gi' = Gi. If it holds, the legality of Sj is verified by RC. Otherwise, RC terminates the session.
Step 4: RC generates a random number Ni3 and computes Qi = Ni1 ⊕ Ni3 ⊕ h(SIDj ‖ Ni2), Ri = h(Ai ‖ Bi) ⊕ h(Ni1 ⊕ Ni2 ⊕ Ni3), Vi = h(h(Ai ‖ Bi) ‖ h(Ni1 ⊕ Ni2 ⊕ Ni3)), and Ti = Ni2 ⊕ Ni3 ⊕ h(Ai ‖ Bi ‖ Ni1). Then RC submits the mutual authentication message to Sj.
Step 5: On receiving the mutual authentication message, Sj computes Ni1 ⊕ Ni3 = Qi ⊕ h(SIDj ‖ Ni2), h(Ai ‖ Bi) = Ri ⊕ h(Ni1 ⊕ Ni2 ⊕ Ni3), and Vi' = h(h(Ai ‖ Bi) ‖ h(Ni1 ⊕ Ni2 ⊕ Ni3)), and checks whether Vi' is equal to Vi. If they are not equal, Sj terminates the session. Otherwise, Sj authenticates RC successfully and sends {Vi, Ti} to the user.
Step 6: Upon receiving the message from Sj, the smart card computes Ni2 ⊕ Ni3 = Ti ⊕ h(Ai ‖ Bi ‖ Ni1) and Vi' = h(h(Ai ‖ Bi) ‖ h(Ni1 ⊕ Ni2 ⊕ Ni3)) and then checks whether Vi' = Vi. If it holds, RC and Sj are legal for Ui. Otherwise, Ui terminates the session. Finally, Ui, Sj, and RC agree on SK = h(h(Ai ‖ Bi) ‖ (Ni1 ⊕ Ni2 ⊕ Ni3)).

Password change phase. When Ui wants to change his or her password Pi to a new password Pi^new, Ui can do so with his or her own smart card without RC involvement. The user inserts the card into a card reader and keys IDi and Pi. The smart card computes Ai = h(b ‖ Pi), Bi = Di ⊕ h(IDi ‖ Ai), and Ci' = h(IDi ‖ h(y) ‖ Ai) and then checks whether Ci' = Ci. If it holds, the user submits Pi^new. Then the smart card computes Ai^new = h(b ‖ Pi^new), Ci^new = h(IDi ‖ h(y) ‖ Ai^new), and Di^new = Bi ⊕ h(IDi ‖ Ai^new). Furthermore, Ci and Di are replaced with Ci^new and Di^new.
Cryptanalysis of Li et al.'s protocol

Li et al. stated that their protocol could resist many kinds of security attacks; however, we find that their protocol is still vulnerable to many attacks, such as insider attack, smart card forgery attack, eavesdropping attack, masquerade attack, and offline password-guessing attack, which are detailed as follows.

Insider attack. If an adversary is a malicious legal user, he or she is able to extract h(y) from his or her own smart card. Then he or she can compute his or her own Bf = Df ⊕ h(IDf ‖ Af) and h(y ‖ x) = Ef ⊕ Bf. Knowing h(y ‖ x) and h(y), the adversary can launch eavesdropping attacks to get the session key shared among other users, the related servers, and RC.

Smart card forgery attack. Because Li et al.'s scheme lacks RC's authentication of Ai and Bi, a malicious attacker who has obtained h(y) and h(y ‖ x) can fabricate a new smart card. If an attacker wants to fabricate Us's smart card, he must first choose two random parameters As = Num1 and Bs = Num2. If the attacker makes use of the fabricated smart card to get services from Sj, the necessary messages are computed as follows:
Fs = h(y) ⊕ Ns1
Gs = h(Bs ‖ As ‖ Ns1) = h(Num2 ‖ Num1 ‖ Ns1)
Psj = Es ⊕ h(h(y) ‖ Ns1 ‖ SIDj) = Num2 ⊕ h(y ‖ x) ⊕ h(h(y) ‖ Ns1 ‖ SIDj)
CIDs = As ⊕ h(Bs ‖ Fs ‖ Ns1) = Num1 ⊕ h(Num2 ‖ Fs ‖ Ns1)
In Li et al.'s scheme, these messages are verified by Sj and RC successfully. If Sj and RC generate two random numbers Ns2 and Ns3, respectively, Sj and RC agree on SK = h(h(Num1 ‖ Num2) ‖ (Ns1 ⊕ Ns2 ⊕ Ns3)) successfully.

Eavesdropping attack. A malicious legal user can use his or her own smart card to obtain h(y) and h(y ‖ x). The adversary intercepts {Fm, Gm, Pmn, CIDm} sent to the server by Um and then computes Nm1 = h(y) ⊕ Fm from Fm and h(y). In addition, Em, Bm, and Am can be easily acquired by Em = Pmn ⊕ h(h(y) ‖ Nm1 ‖ SIDn), Bm = Em ⊕ h(y ‖ x), and Am = CIDm ⊕ h(Bm ‖ Fm ‖ Nm1). It can be seen that the critical secret information {Am, Bm, Nm1} can be obtained from the messages transmitted in the public channel, and the parameter Em can also be obtained. Even though the adversary cannot compute Cm and Dm without the user's ID, he or she can get Nm2 ⊕ Nm3 = Tm ⊕ h(Am ‖ Bm ‖ Ni1). Then the adversary can obtain the session key agreed among Um, Sn, and RC.

Masquerade attack. From the eavesdropping attack mentioned above, the adversary obtains a legal user Um's information and pretends to be another legal user to conduct a malicious attack. He can get h(y) and h(y ‖ x) by the insider attack, and further get Am, Bm, and Em by the eavesdropping attack. With these values, the adversary can masquerade as the legitimate user Um to launch the authentication and session key agreement phase. First, the adversary chooses a random number NMA freely and calculates these parameters:
Fm = h(y) ⊕ NMA
Gm = h(Bm ‖ Am ‖ NMA)
Pmp = Em ⊕ h(h(y) ‖ NMA ‖ SIDp)
CIDm = Am ⊕ h(Bm ‖ Fm ‖ NMA)
Then Sp and RC consider these messages legal and generate random numbers Nm2 and Nm3, respectively. Finally, the adversary, Sp, and RC agree on SK = h(h(Num1 ‖ Num2) ‖ (Ns1 ⊕ Ns2 ⊕ Ns3)) successfully. Therefore, Sp and RC mistakenly think that they are communicating with a legitimate user.

Server-spoofing attack. First, a malicious attacker intercepts the messages Ki and Mi transmitted by Sn. We can assume that Um's information has been revealed to the malicious attacker through the insider attack and the eavesdropping attack. When Um logs in to Sn, he or she chooses a random number Nm1 and sends {Fm, Gm, Pmn, CIDm} to Sn. The attacker masquerades as Sn to compute Ki and Mi, then sends {Fm, Gm, Pmn, CIDm, SIDn, Ki, Mi} to RC. The message transmitted by the attacker is also authenticated by RC. Finally, Um and RC agree on SK = h(h(Am ‖ Bm) ‖ h(Nm1 ⊕ Nm2 ⊕ Nm3)). Unfortunately, Um thinks that he or she is communicating with the legitimate Sn. Although the attacker cannot extract Ni2 from Ki, he or she can still obtain the correct session key. Therefore, the attacker can not only masquerade as a legitimate server but also encrypt and decrypt the user's data.

User's anonymity. A malicious server Sk and a malicious inside user Um could destroy the anonymity of any legal user. Um extracts h(y) and h(y ‖ x) from his or her own smart card and obtains a user's Ei using a previous login message {Pik, SIDk}. Um can intercept Fi from the public channel. Thus Um can compute Ni1 = Fi ⊕ h(y) and Ei = Pik ⊕ h(h(y) ‖ Ni1 ‖ SIDk). As every legal user has a unique Ei, because Ei = h(IDi ‖ x) ⊕ h(y ‖ x), Li et al.'s scheme has no provision for user anonymity.

Offline password-guessing attack. If the smart card of a legal user Ui is stolen by a malicious inside user Um, Um can extract the secret values {h(y), Di, Ei, b} stored in the smart card. With a previous login message {Fi, Gi, Pij, CIDi, SIDj, Ki, Mi}, Um can guess Ui's password as follows. First, Um extracts h(y) from his or her own smart card and then computes Ni1 = Fi ⊕ h(y) from Fi. Second, Um makes use of Pij and SIDj to compute Ei = Pij ⊕ h(h(y) ‖ Ni1 ‖ SIDj). Then Um computes h(y ‖ x) = Em ⊕ Bm = Em ⊕ Dm ⊕ h(IDm ‖ Am) = Em ⊕ Dm ⊕ h(IDm ‖ h(b ‖ Pm)), where Dm, Em, and b are extracted from Um's own smart card. Then Bi = Ei ⊕ h(y ‖ x) and Ai = CIDi ⊕ h(Bi ‖ Fi ‖ Ni1). Finally, Um guesses Ui's password Pi* and computes Ai* = h(b ‖ Pi*) to check whether Ai* = Ai. If not, the attacker guesses another password until Ai* = Ai. Hence, the attacker can guess Ui's password successfully.
Figure 1. Registration phase of the improved protocol.
The proposed protocol This proposed protocol also consists of four phases. In the protocol, the server has only one private key, which can effectively resist server spoofing attack. The mutual authentication among user, server, and registration center can achieve multiple security goals.
Registration phase

If a user wants to get services from servers, he or she must register with RC in advance. The registration phase is shown in Figure 1, and the detailed steps are as follows.
Step 1: Ui chooses IDi, Pi, and b and computes Ai = h(b ‖ Pi ‖ IDi). Then, Ui transmits IDi and Ai to RC over a secure channel.
Step 2: Upon receiving IDi and Ai, RC computes Bi = h(IDi ‖ x), Ci = h(IDi ‖ h(y) ‖ Ai), Di = Bi ⊕ h(IDi ‖ Ai), and Ei = Bi ⊕ h(y ‖ Ai) and stores {Ci, Di, Ei, h(), h(y)} into the smart card. At last, RC sends the smart card to Ui through a secure channel.
Step 3: Upon receiving the smart card, Ui keys b into it. Finally, the smart card contains the parameters {Ci, Di, Ei, h(), h(y), b}.
Login phase

In this phase, Ui can log in to Sj to get services with the registration information and the smart card. The detailed login phase is illustrated in Figure 2.
Step 1: When Ui wants to log in to Sj, he or she inserts the smart card into a card reader and then keys IDi, Pi, and the server's identity SIDj. The smart card computes Ai = h(b ‖ Pi ‖ IDi) and Ci' = h(IDi ‖ h(y) ‖ Ai) and then checks whether Ci' is equal to Ci. If it holds, the user is legal. Otherwise, the user is illegal.
Step 2: After local verification, the smart card generates a random number Ni1 and computes Bi = Di ⊕ h(IDi ‖ Ai), Fi = h(y) ⊕ Ni1, and Pij = Ei ⊕ h(h(y) ‖ Ni1 ‖ SIDj), based on the value of Ei stored in it. The smart card then generates a random number a and computes Ei' = Ei ⊕ a, Bi' = Ei' ⊕ h(y ‖ Ai) = Ei' ⊕ Bi ⊕ Ei, CIDi = Ai ⊕ h(Bi' ‖ Fi ‖ Ni1), and Gi = h(Bi' ‖ Ai ‖ Ni1). Then it sends {Fi, Gi, Pij, CIDi} to Sj over a public channel.

Figure 2. Login phase of the improved protocol.
Authentication and session key generation phase

RC validates the legality of Sj and Ui, and they generate mutual authentication messages. This phase is depicted in Figure 3 and is illustrated as follows.
Step 1: Upon receiving the login request from the user, Sj chooses a random number Ni2 and computes Ki = h(SIDj ‖ y) ⊕ Ni2 and Mi = h(h(x ‖ y) ‖ Ni2). Then Sj transmits {Fi, Gi, Pij, CIDi, Ki, Mi} to RC through a public channel.
Step 2: Once RC receives the login request, it computes Ni2 = Ki ⊕ h(SIDj ‖ y) and Mi' = h(h(x ‖ y) ‖ Ni2) and then checks whether Mi' is equal to Mi. If it holds, RC authenticates the server successfully. Otherwise, RC terminates the session.
Step 3: RC computes Ni1 = Fi ⊕ h(y), Ai = Pij ⊕ h(h(y) ‖ Ni1 ‖ SIDj), Ei' = CIDi ⊕ h(Ai ‖ Fi ‖ Ni1), Bi' = Ei' ⊕ h(y ‖ Ai), and Gi' = h(Bi' ‖ Ai ‖ Ni1), and checks whether Gi' is equal to Gi. If they are equal, Sj is legal for RC. Otherwise, RC terminates the session.
Step 4: RC generates a random number Ni3 and computes
Qi = Ni1 ⊕ Ni3 ⊕ h(SIDj ‖ Ni2)
Ri = h(Ai ‖ Bi') ⊕ h(Ni1 ⊕ Ni2 ⊕ Ni3)
Vi = h(h(Ai ‖ Bi') ‖ h(Ni1 ⊕ Ni2 ⊕ Ni3))
Ti = Ni2 ⊕ Ni3 ⊕ h(Ai ‖ Bi' ‖ Ni1)
Then RC transmits the mutual authentication message {Qi, Ri, Vi, Ti} to Sj.
Step 5: Once Sj receives the mutual authentication message, it computes Ni1 ⊕ Ni3 = Qi ⊕ h(SIDj ‖ Ni2), h(Ai ‖ Bi') = Ri ⊕ h(Ni1 ⊕ Ni2 ⊕ Ni3), and Vi' = h(h(Ai ‖ Bi') ‖ h(Ni1 ⊕ Ni2 ⊕ Ni3)), and checks whether Vi' is equal to Vi. If they are not, Sj terminates the session. Otherwise, Sj authenticates RC successfully. After authentication, Sj sends {Vi, Ti} to Ui.
Step 6: Upon receiving the message from Sj, the smart card computes Ni2 ⊕ Ni3 = Ti ⊕ h(Ai ‖ Bi' ‖ Ni1) and Vi' = h(h(Ai ‖ Bi') ‖ h(Ni1 ⊕ Ni2 ⊕ Ni3)) in order to check whether Vi' = Vi. If it holds, the legality of RC and Sj is verified by Ui. Otherwise, Ui terminates the session. Finally, Ui, RC, and Sj agree on SK = h(h(Ai ‖ Bi') ‖ (Ni1 ⊕ Ni2 ⊕ Ni3)).

Figure 3. Authentication phase of the improved protocol.
Password change phase

Ui inserts the smart card into a card reader and inputs IDi and Pi. The smart card computes Ai = h(b ‖ Pi ‖ IDi), Bi = Di ⊕ h(IDi ‖ Ai), and Ci' = h(IDi ‖ h(y) ‖ Ai) to check whether Ci' = Ci. If it holds, the user submits a new password Pi^new. Then the smart card computes Ai^new = h(b ‖ Pi^new ‖ IDi), Ci^new = h(IDi ‖ h(y) ‖ Ai^new), and Di^new = Bi ⊕ h(IDi ‖ Ai^new), and later sends Bi and Ai^new to RC. RC computes Ei^new = Bi ⊕ h(y ‖ Ai^new) and sends Ei^new to Ui through a secure channel. Furthermore, Ci^new, Di^new, and Ei^new are stored in the smart card to replace Ci, Di, and Ei.
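The registration, login, and authentication phases above, run end to end, as an added worked example; this is not code from the paper or its authors. It assumes h() is SHA-256 with length-prefixed concatenation for ‖, 32-byte secrets and nonces, and the constructed identities "alice" and "server-01". Where the login-phase listing and Step 3 of the authentication phase disagree on what Pij and CIDi carry, the example follows Step 3 (RC recovers Ai from Pij and Ei' from CIDi), since those are the equations RC must be able to invert; the card obtains Bi' = Ei' ⊕ h(y ‖ Ai) as Ei' ⊕ Ei ⊕ Bi, because it does not hold y but Ei ⊕ Bi equals h(y ‖ Ai). A run ends with all three parties holding the same SK, and a single flipped bit in Gi makes RC terminate the session:

```python
import hashlib
import os
# Assumptions of this added example: h() is SHA-256 and '||' is
# length-prefixed concatenation, so identities of any length hash unambiguously.
def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == 32          # every secret, nonce and digest is 32 bytes
    return bytes(p ^ q for p, q in zip(a, b))

class RC:
    def __init__(self):
        self.x, self.y = os.urandom(32), os.urandom(32)   # master key x, secret number y
        self.hy = h(self.y)

    def register_server(self, sid):
        # Sj receives h(SIDj||y) and h(x||y) over a secure channel.
        return {"sid": sid, "h_sid_y": h(sid, self.y), "h_x_y": h(self.x, self.y)}

    def register_user(self, uid, a_i):
        # Registration phase, step 2: the card gets {Ci, Di, Ei, h(), h(y)}.
        b_i = h(uid, self.x)
        return {"C": h(uid, self.hy, a_i), "D": xor(b_i, h(uid, a_i)),
                "E": xor(b_i, h(self.y, a_i)), "hy": self.hy}

    def authenticate(self, req, sid):
        # Authentication phase, steps 2-4; None means RC terminated the session.
        n2 = xor(req["K"], h(sid, self.y))
        if h(h(self.x, self.y), n2) != req["M"]:
            return None                                   # Mi' != Mi: Sj rejected
        n1 = xor(req["F"], self.hy)
        a_i = xor(req["P"], h(self.hy, n1, sid))           # Ai recovered from Pij
        e_p = xor(req["CID"], h(a_i, req["F"], n1))        # Ei' recovered from CIDi
        b_p = xor(e_p, h(self.y, a_i))                     # Bi' = Ei' ^ h(y||Ai)
        if h(b_p, a_i, n1) != req["G"]:
            return None                                   # Gi' != Gi: Ui rejected
        n3 = os.urandom(32)
        n123 = xor(xor(n1, n2), n3)
        self.sk = h(h(a_i, b_p), n123)
        return {"Q": xor(xor(n1, n3), h(sid, n2)), "R": xor(h(a_i, b_p), h(n123)),
                "V": h(h(a_i, b_p), h(n123)), "T": xor(xor(n2, n3), h(a_i, b_p, n1))}

class Server:
    def __init__(self, creds):
        self.c = creds

    def forward(self, login):
        # Step 1: append Ki = h(SIDj||y) ^ Ni2 and Mi = h(h(x||y)||Ni2).
        self.n2 = os.urandom(32)
        return dict(login, K=xor(self.c["h_sid_y"], self.n2), M=h(self.c["h_x_y"], self.n2))

    def verify_rc(self, rep):
        # Step 5: recover Ni1^Ni3 from Qi and h(Ai||Bi') from Ri, then recompute Vi.
        n123 = xor(xor(rep["Q"], h(self.c["sid"], self.n2)), self.n2)
        hab = xor(rep["R"], h(n123))
        if h(hab, h(n123)) != rep["V"]:
            return None
        self.sk = h(hab, n123)
        return {"V": rep["V"], "T": rep["T"]}              # {Vi, Ti} goes to Ui

class Card:
    def __init__(self, uid, pw, b, data):
        self.uid, self.pw, self.b, self.d = uid, pw, b, data   # data = {Ci, Di, Ei, h(y)}

    def login(self, sid):
        self.a_i = h(self.b, self.pw, self.uid)
        if h(self.uid, self.d["hy"], self.a_i) != self.d["C"]:
            raise ValueError("local check failed: wrong IDi or Pi")
        b_i = xor(self.d["D"], h(self.uid, self.a_i))
        self.n1, a = os.urandom(32), os.urandom(32)          # Ni1 and the mask a
        e_p = xor(self.d["E"], a)                            # Ei' = Ei ^ a
        # Bi' = Ei' ^ h(y||Ai); the card has no y, but h(y||Ai) = Ei ^ Bi.
        self.b_p = xor(xor(e_p, self.d["E"]), b_i)
        f = xor(self.d["hy"], self.n1)
        return {"F": f, "G": h(self.b_p, self.a_i, self.n1),
                "P": xor(self.a_i, h(self.d["hy"], self.n1, sid)),
                "CID": xor(e_p, h(self.a_i, f, self.n1))}

    def verify(self, msg):
        # Step 6: recover Ni2^Ni3 from Ti, recompute Vi, then derive SK.
        n123 = xor(xor(msg["T"], h(self.a_i, self.b_p, self.n1)), self.n1)
        if h(h(self.a_i, self.b_p), h(n123)) != msg["V"]:
            return None
        return h(h(self.a_i, self.b_p), n123)

def run_session(tamper=False):
    """One full run; returns (SK at Ui, SK at Sj, SK at RC), or None if RC rejects."""
    rc, sid = RC(), b"server-01"                             # constructed identities
    server = Server(rc.register_server(sid))
    uid, pw, b = b"alice", b"correct horse", os.urandom(32)
    card = Card(uid, pw, b, rc.register_user(uid, h(b, pw, uid)))
    req = server.forward(card.login(sid))
    if tamper:                                               # one flipped bit in Gi
        req["G"] = bytes([req["G"][0] ^ 1]) + req["G"][1:]
    rep = rc.authenticate(req, sid)
    if rep is None:
        return None
    return card.verify(server.verify_rc(rep)), server.sk, rc.sk
```

run_session() returns the three copies of SK, which agree; run_session(tamper=True) returns None because RC's Gi' check fails before any key material is released, and a wrong password is caught by the card's local Ci check before anything reaches the network. Note that the card's local check means a stolen card can be used to test password guesses offline against Ci, which is why the paper makes Ai depend on IDi as well as Pi.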
Analysis of correctness

First of all, we can prove the correctness of the protocol using the BAN logic.28 Through specific logic analysis, it can be proved that the protocol can not only achieve session key agreement among users, servers, and RC but also realize mutual authentication among them. According to the BAN logic, every step must be converted into a specific form of the agreement.

BAN logic notation

The notations for BAN logic are listed as the following.29

1. $P \mid\equiv X$: P believes X.
2. $P \triangleleft X$: P sees X.
3. $P \mid\sim X$: P said X.
4. $P \mid\Rightarrow X$: P controls X.
5. $\#(X)$: X is fresh.
6. $P \stackrel{K}{\longleftrightarrow} Q$: K is the key shared by P and Q, and only P and Q, or the users authorized by them, can get K.
7. $\stackrel{K}{\longmapsto} P$: K is the public key of P.
8. $P \stackrel{X}{\rightleftharpoons} Q$: X is the public key shared by P and Q, and only P and Q know K.
9. $\{X\}_K$: the ciphertext of X encrypted by the key K.
10. $\langle X \rangle_Y$: X is connected with Y.

BAN logical postulates

To prove the feasibility and correctness of the protocol, the BAN logic needs some special rules to complete the authentication protocol analysis and reasoning. The rules used in the article are as follows.

R1: Message-meaning rule
$$\frac{P \mid\equiv P \stackrel{K}{\longleftrightarrow} Q,\; P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$
If P believes that the key K is shared by P and Q and sees X encrypted under K, P believes that Q once said X.

R2: Nonce-verification rule
$$\frac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$
If P believes that X could have been uttered only recently and that Q once said X, P believes that Q believes X.

R3: Jurisdiction rule
$$\frac{P \mid\equiv Q \mid\Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$
If P believes that Q can control X and that Q believes X, P trusts Q on the truth of X, so P believes X.

R4: Freshness rule
$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$$
If P believes that one part X of a formula is fresh, then the entire formula (X, Y) must also be fresh.

Logic premises

Based on the aforementioned, we can obtain the initial premises as below:
$S_j \mid\equiv CID_i$, $RC \mid\equiv CID_i$, $S_j \mid\equiv \#(N_{i1}, N_{i3})$, $U_i \mid\equiv \#(N_{i2}, N_{i3})$, $RC \mid\equiv \#(N_{i1}, N_{i3})$,
$U_i \mid\equiv U_i \stackrel{SK}{\longleftrightarrow} S_j$, $U_i \mid\equiv S_j \mid\equiv U_i \stackrel{SK}{\longleftrightarrow} S_j$, $S_j \mid\equiv U_i \stackrel{SK}{\longleftrightarrow} S_j$, $S_j \mid\equiv U_i \mid\equiv U_i \stackrel{SK}{\longleftrightarrow} S_j$,
$U_i \mid\equiv U_i \stackrel{SK}{\longleftrightarrow} RC$, $U_i \mid\equiv RC \mid\equiv U_i \stackrel{SK}{\longleftrightarrow} RC$, $RC \mid\equiv U_i \stackrel{SK}{\longleftrightarrow} RC$, $RC \mid\equiv U_i \mid\equiv U_i \stackrel{SK}{\longleftrightarrow} RC$,
$S_j \mid\equiv S_j \stackrel{SK}{\longleftrightarrow} RC$, $S_j \mid\equiv RC \mid\equiv S_j \stackrel{SK}{\longleftrightarrow} RC$, $RC \mid\equiv S_j \stackrel{SK}{\longleftrightarrow} RC$, $RC \mid\equiv S_j \mid\equiv S_j \stackrel{SK}{\longleftrightarrow} RC$.

Correctness analysis using BAN logic

In this protocol, three messages are used to achieve key agreement and mutual authentication. The first one is sent to RC as the login request, the second one is sent by RC to the server to deliver the verification information, and the last one is the verification information sent to the user. The analysis is as follows.

Message 1. $S_j \to RC$: $F_i, G_i, P_{ij}, CID_i, SID_j, h(SID_j \| y) \oplus N_{i2}, h(\langle h(x \| y) \rangle_{N_{i2}})$

Message 2. $RC \to S_j$: $N_{i1} \oplus N_{i3} \oplus h(\langle SID_j \rangle_{N_{i2}}),\; h(\langle A_i \rangle_{B_i'}) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3}),\; h(\langle h(\langle A_i \rangle_{B_i'}) \rangle_{h(N_{i1} \oplus N_{i2} \oplus N_{i3})}),\; N_{i2} \oplus N_{i3} \oplus h(\langle A_i \rangle_{B_i' . N_{i1}})$

Message 3. $S_j \to U_i$: $V_i, T_i$.

The basic beliefs are as follows.
A1. $U_i \mid\equiv U_i \stackrel{h'}{\rightleftharpoons} S_j$,
A2. $U_i \mid\equiv U_i \stackrel{h'}{\rightleftharpoons} RC$,
A3. $U_i \mid\equiv \#(N_{i2})$,
A4. $U_i \mid\equiv \#(N_{i3})$,
A5. $U_i \mid\equiv (U_i \mid\Rightarrow F_i, G_i, P_{ij}, CID_i)$,
A6. $S_j \mid\equiv (U_i \mid\Rightarrow F_i, G_i, P_{ij}, CID_i)$,
A7. $RC \mid\equiv (U_i \mid\Rightarrow F_i, G_i, P_{ij}, CID_i)$,
A8. $S_j \mid\equiv U_i \stackrel{h'}{\rightleftharpoons} S_j$,
A9. $S_j \mid\equiv S_j \stackrel{h'}{\rightleftharpoons} RC$,
A10. $S_j \mid\equiv \#(N_{i1})$,
A11. $S_j \mid\equiv \#(N_{i3})$,
A12. $RC \mid\equiv RC \stackrel{h'}{\rightleftharpoons} U_i$,
A13. $RC \mid\equiv RC \stackrel{h'}{\rightleftharpoons} S_j$,
A14. $RC \mid\equiv \#(N_{i1})$,
A15. $RC \mid\equiv \#(N_{i2})$,
A16. $RC \mid\equiv (S_j \mid\Rightarrow SID_j)$,
A17. $U_i \mid\equiv (S_j \mid\Rightarrow U_i \stackrel{SK}{\longleftrightarrow} S_j)$,
A18. $U_i \mid\equiv (RC \mid\Rightarrow U_i \stackrel{SK}{\longleftrightarrow} RC)$,
A19. $S_j \mid\equiv (U_i \mid\Rightarrow U_i \stackrel{SK}{\longleftrightarrow} S_j)$,
A20. $S_j \mid\equiv (RC \mid\Rightarrow S_j \stackrel{SK}{\longleftrightarrow} RC)$,
A21. $RC \mid\equiv (U_i \mid\Rightarrow U_i \stackrel{SK}{\longleftrightarrow} RC)$,
A22. $RC \mid\equiv (S_j \mid\Rightarrow S_j \stackrel{SK}{\longleftrightarrow} RC)$.

Based on the above assumptions, the protocol can be converted into BAN logic in specific patterns. The specific logic is proved as follows. RC receives message 1, which can be expressed as
$RC \triangleleft \{F_i, G_i, P_{ij}, CID_i, SID_j, h(SID_j \| y) \oplus N_{i2}, h(\langle h(x \| y) \rangle_{N_{i2}})\}$ (1)

Formula (1) can be disassembled into
$RC \triangleleft S_j \mid\sim F_i$ (2)
$RC \triangleleft S_j \mid\sim G_i$ (3)
$RC \triangleleft S_j \mid\sim P_{ij}$ (4)
$RC \triangleleft S_j \mid\sim CID_i$ (5)
$RC \triangleleft S_j \mid\sim SID_j$ (6)
$RC \triangleleft S_j \mid\sim h(SID_j \| y) \oplus N_{i2}$ (7)
$RC \triangleleft S_j \mid\sim h(\langle h(x \| y) \rangle_{N_{i2}})$ (8)

Based on A6, equation (2), and R2, we can obtain
$RC \triangleleft U_j \mid\sim F_i$ (9)
Based on A7, equation (9), and R2, we can obtain
$RC \mid\equiv F_i$ (10)
Based on A6, equation (3), and R2, we can obtain
$RC \triangleleft U_j \mid\sim G_i$ (11)
Based on A7, equation (11), and R2, we can obtain
$RC \mid\equiv G_i$ (12)
Based on A6, equation (4), and R2, we can obtain
$RC \triangleleft U_j \mid\sim P_{ij}$ (13)
Based on A7, equation (13), and R2, we can obtain
$RC \mid\equiv P_{ij}$ (14)
Based on A6, equation (5), and R2, we can obtain
$RC \triangleleft U_j \mid\sim CID_i$ (15)
Based on A7, equation (15), and R2, we can obtain
$RC \mid\equiv CID_i$ (16)
Based on A16, equation (6), and R2, we can obtain
$RC \mid\equiv SID_j$ (17)
Based on A15, equation (7), and R2, we can obtain
$RC \mid\equiv S_j \mid\sim h(\langle SID_j \rangle_y) \oplus N_{i2}$ (18)
Based on A13, equation (18), and R1, we can obtain
$RC \mid\equiv h(\langle SID_j \rangle_y) \oplus N_{i2}$ (19)
Based on A15, equation (8), and R2, we can obtain
$RC \mid\equiv S_j \mid\sim h(\langle h(\langle x \rangle_y) \rangle_{N_{i2}})$ (20)
Based on A13, equation (20), and R1, we can obtain
$RC \mid\equiv h(\langle h(\langle x \rangle_y) \rangle_{N_{i2}})$ (21)

Then Sj receives message 2, which can be expressed as
$S_j \triangleleft \{N_{i1} \oplus N_{i3} \oplus h(\langle SID_j \rangle_{N_{i2}}),\; h(\langle A_i \rangle_{B_i'}) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3}),\; h(\langle h(\langle A_i \rangle_{B_i'}) \rangle_{h(N_{i1} \oplus N_{i2} \oplus N_{i3})}),\; N_{i2} \oplus N_{i3} \oplus h(\langle A_i \rangle_{B_i' . N_{i1}})\}$ (22)

and they can be converted into
$S_j \triangleleft RC \mid\sim N_{i1} \oplus N_{i3} \oplus h(\langle SID_j \rangle_{N_{i2}})$ (23)
$S_j \triangleleft RC \mid\sim h(\langle A_i \rangle_{B_i'}) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3})$ (24)
$S_j \triangleleft RC \mid\sim h(\langle h(\langle A_i \rangle_{B_i'}) \rangle_{h(N_{i1} \oplus N_{i2} \oplus N_{i3})})$ (25)
$S_j \triangleleft RC \mid\sim N_{i2} \oplus N_{i3} \oplus h(\langle A_i \rangle_{B_i' . N_{i1}})$ (26)

Based on A10, A11, equation (23), and R2, we can obtain
$S_j \mid\equiv RC \mid\sim N_{i1} \oplus N_{i3} \oplus h(\langle SID_j \rangle_{N_{i2}})$ (27)
Based on A9, equation (27), and R1, we can obtain
$S_j \mid\equiv N_{i1} \oplus N_{i3} \oplus h(\langle SID_j \rangle_{N_{i2}})$ (28)
Based on A9, equation (24), and R1, we can obtain
$S_j \mid\equiv RC \mid\sim h(\langle A_i \rangle_{B_i'}) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3})$ (29)
Based on A10, A11, equation (29), and R2, we can obtain
$S_j \mid\equiv h(\langle A_i \rangle_{B_i'}) \oplus h(N_{i1} \oplus N_{i2} \oplus N_{i3})$ (30)
Based on A9, equation (25), and R1, we can obtain
$S_j \mid\equiv RC \mid\sim h(\langle h(\langle A_i \rangle_{B_i'}) \rangle_{h(N_{i1} \oplus N_{i2} \oplus N_{i3})})$ (31)
Based on A10, A11, equation (31), and R2, we can obtain
$S_j \mid\equiv h(\langle h(\langle A_i \rangle_{B_i'}) \rangle_{h(N_{i1} \oplus N_{i2} \oplus N_{i3})})$ (32)
Based on A10, A11, equation (26), and R2, we can obtain
$S_j \mid\equiv RC \mid\sim N_{i2} \oplus N_{i3} \oplus h(\langle A_i \rangle_{B_i' . N_{i1}})$ (33)
Based on A9, equation (33), and R1, we can obtain
$S_j \mid\equiv N_{i2} \oplus N_{i3} \oplus h(\langle A_i \rangle_{B_i' . N_{i1}})$ (34)

Finally, Ui receives message 3, which can be expressed as
$U_i \triangleleft \{V_i, T_i\}$ (35)
Then they can be converted into
$U_i \triangleleft S_j \mid\sim V_i$ (36)
$U_i \triangleleft S_j \mid\sim T_i$ (37)
Based on A3, equation (33), and R2, we can obtain
$U_i \mid\equiv V_i$ (38)
Based on A3, equation (34), and R2, we can obtain
$U_i \mid\equiv T_i$ (39)

Finally, based on R2, it can be proved that
$U_i \mid\Rightarrow U_i \stackrel{SK}{\longleftrightarrow} S_j$ (40)
$U_i \mid\Rightarrow U_i \stackrel{SK}{\longleftrightarrow} RC$ (41)
$S_j \mid\Rightarrow U_i \stackrel{SK}{\longleftrightarrow} S_j$ (42)
$S_j \mid\Rightarrow RC \stackrel{SK}{\longleftrightarrow} S_j$ (43)
$RC \mid\Rightarrow U_i \stackrel{SK}{\longleftrightarrow} RC$ (44)
$RC \mid\Rightarrow S_j \stackrel{SK}{\longleftrightarrow} RC$ (45)

Hence, the improved protocol achieves mutual authentication among the user, the server, and RC, as shown in equations (12), (21), (32), and (38). The three parties of the protocol also achieve session key agreement, as shown in equations (40), (41), (32), (33), (34), and (35).

Security analysis of the improved protocol
Compared with other related protocols, our protocol can resist many more attacks, as illustrated in the following.

Leak of verifier attack

Unlike some other protocols, the registration center is involved in the authentication and session key agreement phase. There is no verification table in either the registration center or the servers in our protocol, so it avoids the leak of verifier attack.
User's anonymity

When Ui logs in to the system, the smart card generates a random number a and masks Ei as Ei' = Ei ⊕ a. RC computes Ei' from the login request message to verify Ui. Even if the attacker eavesdrops on the message transmitted in the public channel and computes Ei', the attacker still cannot get Ei, which is unique to every user. Thus, user anonymity is protected in our protocol.

Table 2. Cost comparisons of our protocol and other related protocols.

| Protocols | Login phase | Verification phase | Total |
| --- | --- | --- | --- |
| Proposed | 6 Th + 7 Txor + 11 Tk | 20 Th + 17 Txor + 22 Tk | 26 Th + 24 Txor + 33 Tk |
| Li et al.21 | 6 Th + 4 Txor + 10 Tk | 20 Th + 19 Txor + 22 Tk | 26 Th + 23 Txor + 32 Tk |
| Sood et al.20 | 5 Th + 10 Txor + 5 Tk | 14 Th + 20 Txor + 18 Tk | 19 Th + 30 Txor + 23 Tk |
| Hsiang and Shih19 | 7 Th + 8 Txor + 8 Tk | 14 Th + 13 Txor + 24 Tk | 21 Th + 21 Txor + 32 Tk |
| Liao and Wang17 | 6 Th + 3 Txor + 7 Tk | 8 Th + 3 Txor + 18 Tk | 14 Th + 6 Txor + 25 Tk |
Insider attack After registering in RC, Sj gets h(SIDj k y) and h(x k y), and both of them are used to compute the login request submitted to RC, with neither of them participating in the computation of the user’s login request message. Besides, as a trusted party, RC will not reveal the user’s information to the server. Hence, our protocol can resist insider attacks.
Eavesdropping attack Even if the adversary intercepts the message {Fi , Gi , Pij , CIDi , Ki , Mi } that Sj transmits to RC, and computes Ai = Pij h(h(y) k Ni1 k SIDj ), Ni1 = Fi h(y), Ei 0 = CIDi h(Ai k Fi k Ni1 ), without knowing the secret number y, the adversary still cannot compute and obtain Bi 0 = Ei 0 h(y k Ai ) SK = h(h(Ai k Bi 0 ) k (Ni1 Ni2 Ni3 )) consistent with Sj and RC. Thus, our protocol can withstand eavesdropping attack.
Masquerade attack Even though a malicious user can extract h(y) from his or her own smart card, he or she cannot obtain Ui ’s ID IDi and password Pi . Thus, the attacker cannot know by Oi 0 = Ei 0 h(y k Ai ), and achieve Oi 0 SK = h(h(Ai k Bi 0 ) k (Ni1 Ni2 Ni3 )) consistent with Sj and RC. To sum up, the attacker cannot masquerade Ui to login the system; therefore, our protocol is resistant to masquerade attack.
Offline password-guessing attack
When a malicious legal user intercepts the login message $\{F_i, G_i, P_{ij}, CID_i, K_i, M_i\}$ transmitted to RC by $S_j$, he or she can compute $N_{i1} = F_i \oplus h(y)$ and $A_i = P_{ij} \oplus h(h(y) \| N_{i1} \| SID_j)$ using the $h(y)$ stored in his or her own smart card. However, because $A_i = h(b \| P_i \| ID_i)$ is a one-way function that also depends on $b$, the attacker still cannot guess $U_i$’s identity $ID_i$ and password $P_i$ from $A_i$. Therefore, our protocol is immune to offline password-guessing attack.
Stolen smart card attack
If a user’s smart card is lost or stolen, the adversary is able to extract the parameters stored in the smart card. However, since the adversary does not know the user’s $ID_i$ and $P_i$, he or she cannot impersonate $U_i$ to log in to the system. To sum up, our protocol can resist stolen smart card attack.
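The eavesdropping, masquerade and offline password-guessing arguments above all rest on the same handful of relations between the fields of the message $S_j$ forwards to RC. The script below is an added worked example, not code from the paper, that models exactly those relations (SHA-256 standing in for $h(\cdot)$, 32-byte values so that XOR is well defined, $E_i$ treated as an opaque per-user value issued at registration, and $G_i$, $K_i$, $M_i$ left out because the text gives no relation for them; the smart card is assumed to compute $F_i$, $P_{ij}$ and $CID_i$ and $S_j$ to forward them). It shows what a malicious legal user holding $h(y)$ can recover from an intercepted message ($N_{i1}$, $A_i$, $E_i'$), that the session key still cannot be formed without $y$ itself, that $CID_i$ changes on every login, and that a dictionary attack on $A_i = h(b \| P_i \| ID_i)$ only works if the attacker also has the correct $b$. That last function makes the caveat explicit: the paper does not say where $b$ is kept, and the guessing resistance depends on $b$ not being recoverable from a stolen card.

```python
# Added example (not the paper's code): toy model of the relations stated in the
# security analysis for the message Sj forwards to RC.
# Assumptions: SHA-256 stands in for h(.), every XOR-ed value is 32 bytes, E_i is
# an opaque per-user value from registration, and G_i, K_i, M_i are omitted
# because the text gives no relation for them.
import hashlib
import secrets
from typing import Optional

LEN = 32  # assumption: width of every value that is XOR-ed


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): one-way hash over the concatenation of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != LEN or len(b) != LEN:
        raise ValueError("XOR operands must be LEN bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def login_message(id_i: bytes, p_i: bytes, b: bytes, e_i: bytes,
                  h_y: bytes, sid_j: bytes) -> dict:
    """The three fields of {F_i, ..., P_ij, CID_i, ...} whose relations the text gives.

    Assumption: the smart card (holding h(y), b and E_i) computes them and Sj
    forwards them unchanged to RC.
    """
    a_i = h(b, p_i, id_i)                        # A_i = h(b || P_i || ID_i)
    n_i1 = secrets.token_bytes(LEN)              # user's nonce N_i1
    a = secrets.token_bytes(LEN)                 # fresh random number per login
    e_i_prime = xor(e_i, a)                      # E_i' = E_i xor a
    f_i = xor(n_i1, h_y)                         # F_i = N_i1 xor h(y)
    p_ij = xor(a_i, h(h_y, n_i1, sid_j))         # P_ij = A_i xor h(h(y)||N_i1||SID_j)
    cid_i = xor(e_i_prime, h(a_i, f_i, n_i1))    # CID_i = E_i' xor h(A_i||F_i||N_i1)
    return {"F_i": f_i, "P_ij": p_ij, "CID_i": cid_i}


def eavesdropper_view(msg: dict, h_y: bytes, sid_j: bytes) -> dict:
    """What a malicious legal user (h(y) extracted from own card) recovers."""
    n_i1 = xor(msg["F_i"], h_y)
    a_i = xor(msg["P_ij"], h(h_y, n_i1, sid_j))
    e_i_prime = xor(msg["CID_i"], h(a_i, msg["F_i"], n_i1))
    return {"N_i1": n_i1, "A_i": a_i, "E_i_prime": e_i_prime}


def session_key(msg: dict, y: bytes, sid_j: bytes, n_i2: bytes, n_i3: bytes,
                h_y: Optional[bytes] = None) -> bytes:
    """RC's derivation; needs the secret y, not just h(y).

    B_i' = E_i' xor h(y || A_i)
    SK   = h(h(A_i || B_i') || (N_i1 xor N_i2 xor N_i3))
    Passing h_y separately lets an attacker who knows h(y) but only guesses y
    be modelled: the view is right, the key is not.
    """
    view = eavesdropper_view(msg, h(y) if h_y is None else h_y, sid_j)
    b_i_prime = xor(view["E_i_prime"], h(y, view["A_i"]))
    nonces = xor(xor(view["N_i1"], n_i2), n_i3)
    return h(h(view["A_i"], b_i_prime), nonces)


def offline_guess(a_i: bytes, ids: list, pws: list,
                  b_guess: bytes) -> Optional[tuple]:
    """Dictionary attack on A_i = h(b || P_i || ID_i) for one guess of b.

    Succeeds only when b_guess is the user's real b, which is why the text's
    guessing-resistance claim depends on b staying off the attacker's hands.
    """
    for id_c in ids:
        for pw_c in pws:
            if h(b_guess, pw_c, id_c) == a_i:
                return (id_c, pw_c)
    return None


if __name__ == "__main__":
    # Constructed sample values; nothing here is from the paper.
    y, sid_j = bytes(range(LEN)), b"\x03" * LEN
    b, e_i = secrets.token_bytes(LEN), secrets.token_bytes(LEN)
    msg = login_message(b"alice", b"correct horse", b, e_i, h(y), sid_j)
    view = eavesdropper_view(msg, h(y), sid_j)
    print("attacker recovers A_i:", view["A_i"] == h(b, b"correct horse", b"alice"))
    sk = session_key(msg, y, sid_j, b"\x04" * LEN, b"\x05" * LEN)
    bad = session_key(msg, b"\xff" * LEN, sid_j, b"\x04" * LEN, b"\x05" * LEN, h_y=h(y))
    print("SK without y matches RC:", bad == sk)
```

Run it directly to see the two checks printed; the functions are written to be called from a test harness as well, so the derivations can be asserted on rather than eyeballed.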
Cost and functionality analysis
In this section, we evaluate the computational cost and functionality of our proposed protocol and compare it with related authentication protocols for multi-server environments. To analyze the computational complexity, let Th denote the time complexity of the hash function, Tk the time complexity of a bitwise concatenation operation, and Txor the time complexity of a bitwise exclusive-OR operation. Table 2 shows the performance comparison between our proposed protocol and the related protocols: the cost of our protocol is comparable to that of Li et al.’s protocol (one additional exclusive-OR and one additional concatenation in total), while it resists the attacks analyzed above. Table 3 lists the functionality comparison among our proposed protocol and the related protocols, which shows that our protocol resists replay attack, stolen smart card attack, password-guessing attack, and so on. Besides, the proposed protocol achieves proper mutual authentication, correct session key generation, user’s anonymity, and free password change. These features give our protocol a high level of both security and efficiency.
Conclusion
In this article, we investigate Li et al.’s dynamic ID-based authentication protocol for multi-server architecture and show that it is susceptible to several security issues, including insider attack, stolen smart card attack, eavesdropping attack, masquerade attack, password-guessing attack, and lack of user’s anonymity. To address these issues, we propose an improved dynamic ID-based authentication protocol that relies on the registration center in multi-server environments. Compared with other related schemes, our protocol remedies the security flaws in Li et al.’s protocol with a minor increase in computational complexity. In addition, we provide a correctness analysis using BAN logic.

Table 3. Functionality comparisons of our protocol and other related protocols.

Functionality                      Proposed   Li et al.21   Sood et al.20   Hsiang and Shih19   Liao and Wang17
User’s anonymity                   Yes        No            Yes             Yes                 Yes
Computation cost                   Low        Low           Low             Low                 Low
Single registration                Yes        Yes           Yes             Yes                 Yes
No time synchronization            Yes        Yes           Yes             Yes                 Yes
Resist leak-of-verifier attack     Yes        Yes           No              Yes                 Yes
Resist replay attack               Yes        Yes           Yes             No                  No
Resist impersonation attack        Yes        Yes           No              No                  No
Resist password-guessing attack    Yes        No            Yes             Yes                 Yes
Resist stolen smart card attack    Yes        Yes           No              No                  No
Correct password update            Yes        Yes           Yes             No                  Yes
Correct mutual authentication      Yes        Yes           No              Yes                 Yes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported in part by the Natural Science Foundation of China under grants 61472229 and 61701284, in part by project funded by the China Postdoctoral Science Foundation (2016M592216) and Qingdao Postdoctoral Research Project (2016125).

ORCID iDs
Jianming Cui https://orcid.org/0000-0002-7572-0286
Xiaojun Zhang https://orcid.org/0000-0003-0032-4905
Ning Cao https://orcid.org/0000-0001-6430-3586
Jianrui Ding https://orcid.org/0000-0002-3408-9301

References
1. Li Y, Wang G-R, Nie L, et al. Distance metric optimization driven convolutional neural network for age invariant face recognition. Pattern Recogn 2018; 75: 51–62.
2. Mezghani E, Exposito E and Drira K. A model-driven methodology for the design of autonomic and cognitive IoT-based systems: application to healthcare. IEEE T Emerg Top Comp Intel 2017; 1(3): 224–234.
3. Li J, Sun L-C, Yan Q-B, et al. Significant permission identification for machine learning based android malware detection. IEEE T Ind Inform. Epub ahead of print 12 January 2018. DOI: 10.1109/TII.2017.2789219.
4. Reyes CRP, Vaca HP, Caldern MP, et al. MilNova: an approach to the IoT solution based on model-driven engineering for the military health monitoring. In: Proceeding of the 2017 CHILEAN conference on electrical, electronics engineering, information and communication technologies (CHILECON), Pucon, Chile, 18–20 October 2017. New York: IEEE.
5. Lamport L. Password authentication with insecure communication. Commun ACM 1981; 24(11): 770–772.
6. Hwang M-S and Li L-H. A new remote user authentication scheme using smart cards. IEEE T Consum Electr 2000; 46(1): 28–30.
7. ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE T Inform Theory 1985; 31(4): 469–472.
8. Liao I-E, Lee C-C and Hwang M-S. Security enhancement for a dynamic id-based remote user authentication scheme. In: Proceeding of the conference on next generation web services practices, Seoul, South Korea, 22–26 August 2005, pp.437–440. New York: IEEE.
9. Shen J, Gui Z-Y, Ji S, et al. Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks. J Netw Comput Appl 2018; 106: 117–123.
10. Xu J, Zhu W-T and Feng D-G. An improved smart card based password authentication scheme with provable security. Comp Stand Inter 2009; 31(4): 723–728.
11. Song R-G. Advanced smart card based password authentication protocol. Comp Stand Inter 2010; 32(5–6): 321–326.
12. Li X-X, Qiu W-D, Zheng D, et al. Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE T Ind Electron 2010; 57(2): 793–800.
13. Yang Y-J, Deng R-H and Bao F. A practical password-based two-server authentication and key exchange system. IEEE T Depend Secure 2006; 3(2): 105–114.
14. Li J, Li J-W, Chen X-F, et al. Identity-based encryption with outsourced revocation in cloud computing. IEEE T Comput 2015; 64(2): 425–437.
15. Madhusudhan R and Praveen A. Weaknesses of a dynamic ID based remote user authentication protocol for multi-server environment. Comp Stand Commun 2016; 2(4): 196–200.
16. Leu J-S and Hsieh W-B. Efficient and secure dynamic ID-based remote user authentication scheme for distributed systems using smart cards. IET Inform Secur 2014; 8(2): 104–113.
17. Liao Y-P and Wang S-S. A secure dynamic ID based remote user authentication scheme for multi-server environment. Comp Stand Inter 2009; 31(1): 24–29.
18. Lee C-C, Lai Y-M and Li C-T. An improved secure dynamic ID based remote user authentication scheme for multi-server environment. Int J Sec Appl 2012; 6(2): 203–210.
19. Hsiang H and Shih W. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Comp Stand Inter 2009; 31(6): 1118–1123.
20. Sood SK, Sarje AK and Singh K. A secure dynamic identity based authentication protocol for multi-server architecture. J Netw Comput Appl 2011; 34(2): 609–618.
21. Li X, Xiong Y-P, Ma J, et al. An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J Netw Comput Appl 2012; 35(2): 763–769.
22. Han W-W. Weaknesses of a dynamic identity based authentication protocol for multi-server architecture (arXiv preprint arXiv:1201.0883), 2012, http://arxiv.org/abs/1201.0883
23. Xue K-P, Hong P-L and Ma C-S. A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J Comput Syst Sci 2014; 80(1): 195–206.
24. Wang D, Ma C-G, Gu D-L, et al. Cryptanalysis of two dynamic ID-based remote user authentication schemes for multi-server architecture. In: Proceedings of the 6th international conference on network and system security, Wuyishan, China, 21–22 November 2012, pp.462–475. Berlin: Springer-Verlag.
25. Li J, Zhang Y-H, Chen X-F, et al. Secure attribute-based data sharing for resource-limited users in cloud computing. Comput Secur 2018; 72: 1–12.
26. Li P, Li J, Huang Z, et al. Privacy-preserving outsourced classification in cloud computing. Cluster Comput. Epub ahead of print 8 April 2017. DOI: 10.1007/s10586-017-0849-9.
27. Gao C-Z, Cheng Q, Li X, et al. Cloud-assisted privacy-preserving profile-matching scheme under multiple keys in mobile social network. Cluster Comput. Epub ahead of print 2 February 2018. DOI: 10.1007/s10586-017-1649-y.
28. Koblitz N. Elliptic curve cryptosystems. Math Comp 1987; 48: 203–209.
29. Cai Q-L, Zhan Y-J and Wang Y-H. A minimalist mutual authentication protocol for RFID system & BAN logic analysis. In: Proceeding of the ISECS international colloquium on computing, communication, control, and management, Guangzhou, China, 3–4 August 2008, pp.449–453. New York: IEEE.