An anonymous user authentication with key agreement scheme without pairings for multiserver architecture using SCPKs.

With advancement of computer community and widespread dissemination of network applications, users generally need multiple servers to provide different services. Accordingly, the multiserver architecture has been prevalent, and designing a secure and efficient remote user authentication under multiserver architecture becomes a nontrivial challenge. In last decade, various remote user authentication protocols have been put forward to correspond to the multi-server scenario requirements. However, these schemes suffered from certain security problems or their cost consumption exceeded users' own constrained ability. In this paper, we present an anonymous remote user authentication with key agreement scheme for multi-server architecture employing self-certified public keys without pairings. The proposed scheme can not only retain previous schemes' advantages but also achieve user privacy concern. Moreover, our proposal can gain higher efficiency by removing the pairings operation compared with the related schemes. Through analysis and comparison with the related schemes, we can say that our proposal is in accordance with the scenario requirements and feasible to the multi-server architecture.

1. Introduction

In modern society, people's life is highly dependent on the Internet, but the exposure of networks often causes great loss to users, which brings about that a secure user authentication mechanism has become the key issue to preserve valid remote clients in safety from being attacked. There is no doubt that the user authentication with smart card is one of the most widely used and the simplest approaches. When taking only one sort of service into account, some password authentication schemes for single-server environment have been proposed [1, 2].

Later with the rapid development of technology, different servers are needed to offer service via the network, and conventional methods need users to register with various servers repetitively and remember different identities and passwords. It is obvious that these traditional schemes make authentication inconvenient and cost much. Consequently, an appropriate multiserver user authentication mechanism has turned into a concern. In 2001, Li et al. [3] gave a remote user authentication scheme in neural networks for the first time, which opened up the gateway access to the multiserver architecture.

Considering the system environment without loss of generality, the multiserver architecture consists of multiple distributed service servers and remote clients with limited resource and capability. The service servers offer different access services such as e-commerce, online conference, network game, and remote medical system. If a remote client wants to access to these services, he/she needs to login these service servers through cellular network or wireless local area networks (WLANs).

Due to multiserver environment special characteristics and information security problem in public networks, designing a feasible user authentication scheme under multiserver architecture is a key issue, which can ensure the access of legitimate users and prevent invalid user from interfering with the service server. A practical user authentication scheme under the multiserver environment must address the following requirements. They consist of both the previous criteria [1] and new user anonymity issue.

No repetitive registration is needed for the multiserver environments.

No verification table is stored in the server.

Mutual authentication and session key agreement can be achieved between the users and the service servers to carry on subsequent communications.

Various possible attacks can be resisted.

User can choose identity and password freely and change his/her password freely.

The computational and communication cost is low since the energy resources and computing capability of a smart card are limited.

The user is not allowed to expose his identity privacy information to eavesdroppers. Assume that the adversary obtains a valid user's identity, he/she can masquerade the user to enjoy the regular service without registration, which can cause losses for the valid user or even worse consequences. So the anonymous authentication should be implemented.

In order to satisfy all of these criteria, this paper proposes an anonymous remote user authentication scheme without pairings for multiserver architecture using self-certified public keys (SCPKs). We present public key-based user anonymous authentication scheme under the multiserver environment. Meanwhile, our proposal heightens efficiency increasingly accompanied by the removal of pairings operation; in contrast, the existing public key-based authentication schemes generally employ pairings function. Moreover, our proposal can avoid the server spoofing attack since the verification process relies on the server's private key. Through security and performance analysis, our proposal not only achieves anonymous authentication with key agreement securely but also results more efficiently, remedying the weaknesses of previous authentication schemes which either encounter some attacks or fail to protect user privacy or cost relatively more energy. Compared with other related achievements, ours is more suitable for the remote user whose resources and capability are constrained under multiserver architecture.

The rest of this paper is organized as follows. Section 2 briefly describes some related works. Some preliminaries are given in Section 3. Our proposed secure and efficient user authentication scheme for multiserver architecture and corresponding analysis are presented in Sections 4 and 5, respectively. Finally, some conclusions are drawn in Section 6.

2. Related Work

Until now, two categories of improved multiserver user authentication schemes, hash-based authentication and public key based authentication, have emerged successively. To hash-based authentication, some user password authentication suggestions [4-7] based on static ID have been proposed to conquer the weaknesses of Li et al.'s, yet these were proven easy to be traced. In 2009, Liao and Wang [8] raised a dynamic identity authentication protocol for multiserver environment to advance previous work. In the following years, many researchers [9-12] have developed and enhanced the user authentication scheme step by step. To public key-based authentication, employing public key cryptosystem into the password authentication, Das et al. [13] first proposed a remote user authentication protocol with smart card using bilinear pairings. Yet theirs had an obvious disadvantage: no mutual authentication and key agreement. To improve the security, a series of user authentication schemes [14-16] with bilinear pairings have been presented. To improve the efficiency, Tseng et al. [17] gave a low-cost pairing-based user authentication protocol for wireless users and claimed that theirs was efficient, easy password changing, and suitable for multiserver environment in distributed networks. Unfortunately, in 2013, Liao and Hsiao [18] pointed out that Tseng et al.'s scheme also lacked mutual authentication with session key agreement, suffered from insider attack, password guessing attack, and replay attack, and advanced a pairings-based user authentication scheme using self-certified public keys. Liao and Hsiao claimed that their proposal could withstand various possible attacks and was well suited for multiserver environment.

Regretfully, most of the existing related public key based authentication schemes under multiserver architecture mentioned previously did not pay attention to user anonymity issue. Moreover, their authentication schemes needed excessive energy consumption employing pairings operation and suffered from the server spoofing attack, which was not conducive to communication running and trapped in DoS attack easily.

3. Preliminaries

We now briefly review some basic concepts used in this paper, including bilinear pairings [19], related complexity assumptions [20], and self-certified public keys [21, 22].

3.1. Admissible Bilinear Pairing

Let 𝔾 be an additive group generated by P with prime order q and let 𝔾 be a multiplicative group of the same order. A map is said to be an admissible bilinear pairing if the following three conditions hold true.

Bilinearity: for all a, b ∈ ℤ *, we have .

Nondegeneracy: .

Computability: is efficiently computable.

We refer readers to [19] for more details of such pairings.

3.2. Complexity Assumption

Computational discrete logarithm (CDL) assumption: given Q = k · P, where P, Q ∈ 𝔾, there exists no probabilistic polynomial-time algorithm which can determine k.

Computational Diffie-Hellman (CDH) assumption: given two elements aP, bP in a group 𝔾, where the unknown numbers a, b ∈ ℤ * are selected at random, there exists no probabilistic polynomial-time algorithm which can compute a bP.

Elliptic curve factorization (ECF) assumption: given two elements P, Q, where Q = aP + bP and a, b ∈ ℤ *, there exists no probabilistic polynomial-time algorithm which can obtain aP and bP.

3.3. Self-Certified Public Key

Here, we describe a self-certified public key process briefly; more details can be found in [21, 22].

Initialization: given a group 𝔾 on an elliptic curve E, P is a based point generator of prime order q, the system authority (SA) selects a random value s ∈ ℤ * as its private key and computes the public key P pub = s · P. Publish the related parameters and keep s secret.

Partial private key and private key generation: the user U chooses a number k randomly, computes K = k · P, and sends (ID, K ) to SA over a secure channel. SA calculates W = K + w · P as the witness using a random number w . Then, SA computes the user's partial private key and submits to U . U can obtain its private key .

Public key extraction: U 's public key can be computed by Pub = s · P. Any entity, who communicates with U and receives the witness W , can authenticate U 's public key Pub as long as he/she calculates the equation: Pub = H(ID||W ) · P pub + W .

4. The Proposed Scheme

In this section, we propose an anonymous remote user authentication scheme for multiserver environment without pairings, which consists of five phases: server registration phase, user registration phase, login phase, verification phase, and password change phase. Three entities are involved: user (U ), service server (S ), and registration center (RC). RC chooses the system private/public key pair s/P pub, where s is a random number in ℤ * and P pub = s · P. Then publish the system parameters Params = {𝔾, P, q, P pub, H(·)} and keep s secret. The notations used in this section are listed in Table 1. Some detailed steps will be described as follows and shown in Figure 1.

Table 1

Notations used in proposed scheme.

Notations	Descriptions
RC	The registration center
S j	The jth service server
U i	The ith user with mobile device
s	The private key of RC
SIDj	The identity of S j
IDi	The identity of U i
P	A generator of group G
H(·)	A one-way hash function
PWi	The password of U i
SK	A session key shared between U i and S j
x	The secret value maintained by RC
⊕	A simple Exclusive-OR operation
||	The concatenation operation

Figure 1

The proposed scheme.

4.1. Server Registration Phase

When the service server wants to access to the multiserver architecture, it needs to register first. In this phase, RC uses the self-certified public key (SCPK) to generate the related credentials.

Step S1. S chooses a random value k ∈ ℤ *, computes K = k · P, and sends (SID, K ) to RC.

Step S2. After receiving the message (SID, K ), RC generates a w ∈ ℤ * randomly, calculates W = K + w · P, , and issues to S .

Step S3. S can obtain its private key with and verify the validity of the message by computing Pub = s · P = H(SID||W ) · P pub + W .

If the equation holds, the issued values are valid, and vice versa.

4.2. User Registration Phase

Supposing that the user U wants to get service granted only from S , he/she needs to register to the same RC that S did, by submitting his identity ID and password PW to RC. Then, RC returns the smart card back to U . The communication between U and RC is through a secure channel. The steps are performed as follows.

Step U1. U freely chooses a password PW and a random number b to compute A = H(PW||b ) and I = H(ID||b ). Then, U submits (ID, A , I ) to RC for user registration via a secure channel.

Step U2. RC calculatesstores (C , D , E , H(·)) in U 's smart card, and submits it to U . Then U keys b into the smart card.

B = s · H(ID||I ) + x,

C = B ⊕ H(A ),

D = B ⊕ H(ID) ⊕ A ,

X = x · P,

E = H(ID||A ) · P − X,

4.3. Login Phase

When U wants to login to the server S , he/she first inserts his/her own smart card to a card reader and then inputs the identity ID and password PW. The log-in details with respect to this smart card are as follows.

Step L1. The smart card computes A ′ = H(PW||b ), B ′ = D ⊕ H(ID) ⊕ A ′, and C ′ = B ′ ⊕ H(A ′) and checks whether C ′ = C . If the answer is yes, it means that the smart card matches to U .

Step L2. The smart card generates a random value r ∈ ℤ * and computes

W = H(ID||I ),

CID = W ⊕ B ,

R = r · P.

Step L3. The smart card submits the login request message (CID, R ) to S over a public channel.

4.4. Verification Phase

After receiving the login request message from U , S performs the following tasks to authenticate the user.

Step V1. S checks whether CID conforms to the fixed format. If the format is wrong, S outputs the reject message; otherwise it calculateswhere r is a random value, chosen by S . Then S sends (SID, W , R , M ) to U .

K = s · R ,

R = r · P,

T = r · R ,

M = H(CID||K ||R ||R ),

Step V2. Receiving the message (W , R , M ), U first verifies the public key of S by the equation Pub = H(SID||W ) · P pub + W . Only under the case the equation holds, U continues to calculate K = r  · Pub, T = r  · R . Then U needs to check whether . When the verification can pass, U authenticates S and computes

P = B ⊕ H(K ||T ),

X = H(ID||A ) · P − E .

Then U transmits (P , X) to S .

Step V3. Next, S undoes B ′ = P ⊕ H(K ||T ), W ′ = CID ⊕ B ′ and examines . If it is not the case, S rejects the message and stops the session. Otherwise, S successfully authenticates U .

Step V4. Finally, the user U and the service server S agree on a common session key as

SK = H(W ||K ||T ).

4.5. Password Change Phase

The password change phase is invoked when the user wants to change his/her password PW to a new password PW*. The user first inserts his/her smart card into a card reader and enters ID, PW. The smart card computes A = H(PW||b ), B ′ = D ⊕ H(ID) ⊕ A and C ′ = B ′ ⊕ H(A ). Then, the smart card checks if the C ′ is the same as C . If both values are the same, the user is asked to input a new password PW*. The smart card calculates new information A * = H(PW*||b ), C * = C ⊕ H(A ) ⊕ H(A *), D * = D ⊕ A ⊕ A *, E * = H(ID||A *) · P + E − H(ID||A ) · P. At last, the smart card replaces C , D , E with the new C *, D *, E * to accomplish changing password. In this phase, RC is not needed to participate and the user can freely complete changing password by himself.

5. Analysis of Our Scheme

In this section, we first analyze the functionality features of our proposed scheme based on the requirements of the remote user authentication for multiserver architecture, which have been presented in Section 1. Then we evaluate the performance of the proposed scheme and make comparisons with some related works [8, 9, 11, 12, 17, 18].

5.1. No Repetitive Registration

In our scheme, before the user wants to login to the server under multiserver environment, they must run the user registration with his/her information to the registration center. Then, the user can access to all the service without submitting registration request once again.

5.2. No Verification Table

Throughout the protocol process, it is not difficult to find that RC and S have no need to maintain any verification or password table, which can cost much and whose leakage may cause serious disruption. Meanwhile, our scheme does not need to store the user's password or public key with certificate, too.

5.3. Mutual Authentication with Session Key Agreement

In the verification phase of the proposed scheme, the service server S can authenticate the validity of U by checking if X = B ′ · P − W ′ · P pub holds. U can verify the public key of S  Pub = H(SID||W ) · P pub + W with W to confirm that S is the objective service server; meanwhile check the equation M ′ = M to affirm that the login message is received by S . Only when all previous equations are satisfied, the session continues and the communication parties agree on a shared session key SK = H(W ||K ||T ). For the aforementioned analysis, our scheme can achieve mutual authentication with session key agreement.

5.4. No Synchronization Clock

In our scheme, both the user and the service server employ the random points R , R to interactive with each other. The timestamp does not appear in the proposed scheme; therefore the synchronization clock problem can also be abstained in the session key.

5.5. Anonymity

In the user registration phase, the identity of the remote user can be protected from disclosure by the secure channel between U and RC. In the login and authentication phase, U 's identity is submitted with CID substituting ID, nobody can learn the user's real identity, and S can only verify the user's validity cannot obtain the real ID with the received message. To general adversary, he/she can extract the smart card and intercept the login message, but he can do nothing to crack the user's identity due to the resistance to collision of the hash function. Therefore, we claim that our scheme can provide the user anonymity.

5.6. Security of the Session Key

Perfect Forward Secrecy and Backward Secrecy. In this scheme, the session key is established by W , K , T , where K and T rely on the random values r and r . r and r are independently generated in each session, are also changed for each authentication phase and are not correlated. The adversary cannot use current session key to derive forward and backward session key. Hence, we claim that our scheme achieves perfect forward secrecy and backward secrecy.

Known Session Key Security. In this scheme, the session key SK = H(W ||K ||T ) is composed of W , K and T . Assume that the adversary can seize a session key SK; he cannot obtain the parameters W , K , and T attributed to the one-way hash function H(·). Since K and T consist of R , R , which are independent for each session, no session keys rely on each other. Furthermore, though the adversary can intercept the current transmitted message R ′, R ′, he cannot compute the new session key SK's components K ′ without the server's private key or T ′ due to the CDH problem's difficulty.

No Key Control. In this scheme, the session key consists of W , K , T , where partial parameters K , T are generated by Diffie-Hellman key exchange form; thereby the fairness of the session key can be guaranteed. More specifically, K = s · R = r · Pub, T = r · R = r · R , R and R are respectively provided by the user and the server; therefore either party is in vain attempting to preselect or control the session key.

5.7. Various Common Attacks

Our proposed remote user authentication scheme for multiserver architecture cannot only meet the previous security features, but also be against various known attacks, such as impersonation attack, and stolen smart card attack. We will discuss the following extra four attacks, the others can refer to [11, 18].

Impersonation Attack. If an adversary tries to impersonate as a legitimate user to log into the server, he/she must first forge a valid login request message (CID, R ). However, the adversary cannot compute a new and legal login message without knowing ID or B . Suppose that the adversary can steal the smart card of the user U by virtue of some approaches, he is still unable to calculate B for the reason that he has no information about A and ID. Moreover, even if the adversary utilizes (CID, R ) to log into S , he cannot pass the verification because he is unable to provide correct P without B or K . The adversary cannot obtain the valid session key. Under the situation, our proposed scheme can withstand the impersonation attack.

Stolen Smart Card Attack. We assume that U 's smart card is stolen or lost; the adversary picks it and has the ability to breach the information stored in the smart card (C , D , E , H(·), b ). Yet on the one hand, it is impossible to guess A and ID correctly at the same time, on the other hand, s and x are, respectively, private key and secret value of RC, so the adversary cannot derive B . Consequently, the adversary cannot fabricate a valid login message or compute the session key. That is the reason that our proposed protocol is secure against the stolen smart card attack.

Off-Line Password Guessing Attack. Assume that the adversary guesses a password PW′ from the dictionary; he can compute A = H(PW′||b ), B = C ⊕ H(A ) but fails to calculate other information without ID or K . The adversary cannot examine whether the guessed password PW′ is correct without comparing parameters. Hence, the adversary can extract the smart card information and intercept the transmitted message in public channel, but our proposed scheme can resist the off-line password guessing attack.

Man-in-the-Middle Attack. When an adversary wants to perform the man-in-the-middle attack, he can intercept the login message, communicate, and share the session key with the server. In the proposed scheme, even if the adversary gets the message in public channel, he cannot calculate W , K , or T without ID or other random values r , r . Consequently, our scheme can resist the man-in-the-middle attack.

Server Spoofing Attack. When a valid but malicious server S wants to cheat U on behalf of S and obtain the session key, he needs to know both the witness and private key of S . In our scheme, S cannot provide the correct witness, and the user U cannot pass the server's public key verification. Even if S intercepts W , he cannot check the equation X = B ′ · P − W ′ · P pub since he does not obtain K without knowing the private key s . Finally, the adversary fails to share the session key with the user U . Therefore, our scheme can resist the server spoofing attack.

5.8. Local Password Verification

In our scheme, U can account whether the used smart card matches with himself by checking C ′ = C before logging into S , and thus accomplish the user password verification locally. Through the previous equation, U can avoid network resource wasting caused by wrong password. Because until the authentication phase S can authenticate user's validity and password appropriateness; in other words, wrong password cannot be detected until the authentication phase. Therefore, our scheme can achieve local password verification.

At last, the functionality comparisons among our and other previously proposed schemes, such as [8, 9, 11, 12, 17, 18], are listed in Table 2. In particular, we can clearly see that the other schemes do not assist in the impersonation attack except our proposed scheme. Thus, it is obvious that our proposed scheme is superior to the others in accordance with all of essential comparative items. In addition, unlike the other related public key-based multiserver authentication schemes [17, 18], ours can achieve the user anonymity and local password verification. On the whole, our proposal is the only one that can satisfy all the functionalities for the multiserver architecture.

Table 2

Functionality and security comparison with the related schemes.

Functionality	Ours	[18]	[17]	[12]	[11]	[9]	[8]
No repetitive registration	Y	Y	Y	Y	Y	Y	Y
No verification table	Y	Y	Y	Y	Y	Y	Y
Mutual authentication with key agreement	Y	Y	N	N	Y	N	N
No synchronization clock	Y	Y	N	Y	Y	N	Y
Change password freely	Y	Y	Y	Y	Y	Y	Y
Anonymity	Y	N	N	Y	Y	Y	Y
Perfect forward and backward secrecy	Y	Y	N	N	Y	N	N
No key control	Y	Y	Y	Y	Y	Y	Y
Known session key security	Y	Y	Y	Y	Y	Y	Y
Impersonation attack	Y	N	N	N	N	N	N
Stolen smart card attack	Y	Y	N	N	N	N	N
Off-line password guessing attack	Y	N	N	Y	N	N	N
Man-in-the-middle attack	Y	Y	N	Y	Y	N	N
Server spoofing attack	Y	N	N	Y	Y	Y	N
Local password verification	Y	N	N	Y	Y	Y	Y

5.9. Performance

Under multiserver architecture, the computational cost is a key issue to evaluate whether a remote user authentication scheme is efficient because of mobile devices' constrained resources and computing capability. Before analyzing the computational cost of each phase, define some notations and equivalence relationship first:

T : the time to compute a bilinear pairing map;

T : the time to compute a point multiplication on the elliptic curve group;

T : the time to compute a point addition on the elliptic curve group;

T : the time to compute a hash function;

T = 20T ;

T = 6T .

The XOR operation, modular multiplication, and modular addition operation are negligible during evaluating the performance. In the following, we will give the computational cost of five phases individually. In the server registration phase, the computational cost is 5T + 4T + 2T . The user registration phase consumes 2T +  2T + 6T . When the user logs into the server, it costs T + 4T . During verification of each other between the server and the user, 9T + 3T + 6T is demanded. The computational cost of the password change phase is 2T + 2T + 8T . The detailed cost comparisons with the related authentication schemes [17, 18] are illustrated in Table 3. At the same time, we show the implementation result in Figure 2, which can show the computational cost contrast more intuitively. Table 3 and Figure 2 can clearly indicate that our proposal needs no pairing operation, while [18] contains 4T and [17] contains 2T . Because the relative computational cost of a pairing is approximately 20 times higher than that of the point multiplication over elliptic curve group, we can find that the computational cost of ours is obviously much less than that of others by removing pairing operation.

Table 3

Cost comparison with the related schemes.

Phase	Ours	[18]	[17]
Server registration	5T M + 4T A + 2T H	5T M + 4T A + 2T H	—
User registration	2T M + 2T A + 6T H	3T M + 2T H	3T M + 2T H
Login	T M + 4T H	3T M + T A + 3T H	3T M + 2T H
Verification	9T M + 3T A + 6T H	2T e + 8T M + 2T A + 5T H	2T e + T M + T A + 2T H
Password change	2T M + 2T A + 8T H	2T e + 15T M + 6T H	2T M + T H
Total	19T M + 11T A + 26T H	4T e + 31T M + 7T A + 18T H	2T e + 9T M + 5T A + 9T H

Figure 2

Performance comparison between our scheme and others.

From Tables 2 and 3, we can make a conclusion that our remote authentication scheme has more security features and lower computational cost among the existing related works, which satisfies the requirements for the multiserver architecture.

6. Conclusions

An anonymous and efficient remote user authentication scheme for the multiserver architecture is proposed in this paper and the self-certified public keys are employed. Our scheme can satisfy all of the requirements needed for achieving secure authentication in multiserver environments, as compared with the previously proposed schemes. Moreover, the proposal succeeds to both achieve the user's identity anonymity and remove the pairing operation, which makes that the proposed scheme can provide more advantages and be more practical for the actual applications. Additionally, we analyze the security and performance of our proposal and make comparisons with other related works. From these analysis and comparisons, we can reach a conclusion that our proposed scheme owns more functionalities and attains higher efficiency.