An efficient dynamic ID-based remote user authentication scheme using self-certified public keys for multi-server environments.

Shudong Li1,2, Xiaobo Wu3, Dawei Zhao4, Aiping Li2, Zhihong Tian1, Xiaodong Yang5.   

Abstract

Recently, Li et al. proposed a novel smart card and dynamic ID-based remote user authentication scheme for multi-server environments. They claimed that their scheme can resist several types of attacks. However, through careful analysis, we find that Li et al.'s scheme is vulnerable to stolen smart card and off-line dictionary attacks, replay attacks, impersonation attacks and server spoofing attacks. By analyzing other similar schemes, we find that a certain type of dynamic ID-based multi-server authentication scheme in which only hash functions are used and whereby no registration center participates in the authentication and session key agreement phase faces difficulties in providing perfectly efficient and secure authentication. To compensate for these shortcomings, we propose a novel dynamic ID-based remote user authentication scheme for multi-server environments based on pairing and self-certified public keys. Security and performance analyses show that the proposed scheme is secure against various attacks and has many excellent features.

Year: 2018    PMID: 30300362    PMCID: PMC6177128    DOI: 10.1371/journal.pone.0202657

Source DB: PubMed    Journal: PLoS One    ISSN: 1932-6203    Impact factor: 3.240


Introduction

With the rapid development of network technologies, increasingly more people are beginning to use networks to acquire various services such as on-line financial information, on-line medical information, on-line shopping, on-line bill payment, and on-line documentation and data exchange. In addition, the architecture of servers providing services to be accessed over a network often consists of many different servers around the world instead of just one. Although they currently enjoy the comfort and convenience of the internet, people are facing emerging challenges with regard to network security. Identity authentication is the key security issue facing various types of on-line applications and service systems. Before a user accesses services provided by a service provider server, mutual identity authentication between the user and the server is needed to prevent unauthorized personnel from accessing the services provided by the server and to prevent an illegitimate system from defrauding the user by masquerading as a legitimate server. In a single-server environment, password-based authentication schemes [1] and enhanced versions that additionally use smart cards [2-9] are widely used to provide mutual authentication between users and servers. However, conventional password-based authentication methods are not suitable for multi-server environments, since each user would need not only to log into various remote servers repeatedly but also to remember many different sets of identities and passwords in order to access these service provider servers. To resolve this problem, in 2000, based on the difficulty of factorization and on hash functions, Lee and Chang [10] proposed a user identification and key distribution scheme that can be applied to multi-server environments. Since then, authentication schemes for multi-server environments have been widely investigated and designed by many researchers [11-37].
Based on the basic cryptographic algorithms they use, multi-server authentication schemes can be divided into two types: hash-based authentication schemes and public-key-based authentication schemes. Moreover, among existing multi-server authentication schemes, some need a registration center (RC) to participate in the authentication and session key agreement phase, whereas others do not. Therefore, based on whether the RC participates in the authentication and session key agreement phase, we divide multi-server authentication schemes into RC-dependent authentication schemes and non-RC-dependent authentication schemes. In this paper, we analyze a novel multi-server authentication scheme, Li et al.’s scheme [20], which is based only on hash functions and is non-RC-dependent. We find that this scheme is vulnerable to stolen smart card and offline dictionary attacks, replay attacks, impersonation attacks and server spoofing attacks. By analyzing other similar schemes [15, 17–19], we find that dynamic ID-based multi-server authentication schemes that use only hash functions and do not depend on an RC face difficulties in providing perfectly efficient and secure authentication. To compensate for these shortcomings, we propose a novel dynamic ID-based remote user authentication scheme for multi-server environments. Compared with previous related works, our scheme has many advantages. First, the scheme enjoys important security attributes, including resistance to various attacks, user anonymity, the absence of a verification table, and local password verification. Second, the scheme does not use a timestamp; therefore, it avoids the clock synchronization problem.
Further, the scheme uses self-certified public keys, by which the user’s public key can be computed directly from the signature of the trusted third party on the user’s identity instead of verifying the public key using an explicit signature on a user’s public key. Therefore, our scheme is more practical and universal for multi-server environments. Finally, the performance and cost analysis show that our scheme is very efficient and more secure than other related schemes.

Related works

A large number of authentication schemes have been proposed for multi-server environments. Hash functions are a key technology in the construction of multi-server authentication schemes. In 2004, Juang et al. [11] proposed an efficient multi-server password authenticated key agreement scheme based on a hash function and a symmetric key cryptosystem. In 2009, Hsiang and Shih [12] proposed a dynamic ID-based remote user authentication scheme for multi-server environments in which only a hash function is used. However, Sood et al. [13] found that Hsiang and Shih’s scheme is susceptible to replay attacks, impersonation attacks and stolen smart card attacks. Moreover, the password change phase of Hsiang and Shih’s scheme is insecure. Later, Sood et al. presented a novel dynamic identity-based authentication protocol for multi-server architectures to resolve the security flaws of Hsiang and Shih’s scheme [13]. In addition, Sood et al.’s protocol is practical and computationally efficient because only nonces, one-way hash functions and XOR operations are used in its implementation. After that, Li et al. [14] noted that Sood et al.’s protocol remains vulnerable to leak-of-verifier attacks, stolen smart card attacks and impersonation attacks. At the same time, Li et al. [14] proposed another dynamic identity-based authentication protocol for multi-server architectures. However, the above-mentioned schemes are all RC-dependent multi-server authentication schemes. In 2009, Liao and Wang [15] proposed a dynamic ID-based multi-server authentication scheme that is based on hash functions and does not depend on an RC. This scheme not only satisfies all requirements for multi-server environments but also achieves efficient computation. However, Liao and Wang’s scheme has been found to be vulnerable to insider attacks, masquerade attacks, server spoofing attacks, and registration center spoofing attacks and is not reparable [16]. Later, Shao et al. [17] and Lee et al. [18, 19] proposed similar types of multi-server authentication schemes. In 2012, Li et al. [20] noted that Lee et al.’s scheme [18] cannot withstand forgery attacks or server spoofing attacks and cannot provide proper authentication; they then proposed a novel dynamic ID-based multi-server authentication scheme that only uses a hash function and is not dependent on an RC. Moreover, the scheme is found to be suitable for financial security authentication. However, through careful analysis, we find that Li et al.’s scheme [20] remains vulnerable to stolen smart card and offline dictionary attacks, replay attacks, impersonation attacks and server spoofing attacks. We also analyzed Shao et al.’s scheme [17] and Lee et al.’s scheme [19]; they are all vulnerable to stolen smart card and offline dictionary attacks, replay attacks, impersonation attacks and server spoofing attacks. In general, it is difficult to construct a secure dynamic ID-based and non-RC-dependent multi-server authentication scheme if only hash functions are used.

Public-key cryptography is another useful technique that is widely used in the construction of multi-server authentication schemes. In 2000, Lee and Chang [21] proposed a user identification and key distribution scheme in which the difficulty of factorization in public key cryptography is used. In 2001, Tsaur [22] proposed a remote user authentication scheme based on an RSA cryptosystem and Lagrange interpolating polynomials for multi-server environments. Then, Lin et al. [23] proposed a multi-server authentication protocol based on the simple geometric properties of the Euclidean and discrete logarithm problem concept. In their scheme, the system does not need to maintain a verification table, and the users who have registered with the servers do not need to remember different login passwords for various servers.
Since traditional public key cryptographic algorithms require many expensive computations and consume substantial energy, Geng and Zhang [24] proposed a dynamic ID-based user authentication and key agreement scheme for multi-server environments using bilinear pairings. However, Geng and Zhang’s scheme cannot withstand user spoofing attacks [25]. Later, Tseng et al. [26] proposed an efficient pairing-based user authentication scheme with smart cards. Performance analysis and experimental data demonstrate that their scheme is well suited for mobile devices with limited computing capabilities. However, in 2013, Liao and Hsiao [27] noted that Tseng et al.’s scheme is vulnerable to insider attacks, offline dictionary attacks and malicious server attacks and cannot provide proper mutual authentication and session key agreement. Simultaneously, Liao and Hsiao proposed a novel non-RC-dependent multi-server remote user authentication scheme using self-certified public keys for mobile clients [27]. Recently, Chou et al. [28] found that Liao and Hsiao’s scheme cannot withstand password guessing attacks. Furthermore, through careful analysis, we found that Liao and Hsiao’s scheme remains vulnerable to denial of service attacks and cannot ensure a user’s anonymity or provide local password verification. In this paper, we propose a secure dynamic ID-based and non-RC-dependent multi-server authentication scheme using pairing and self-certified public keys.

Preliminaries

In this section, we introduce the concepts of bilinear pairings and self-certified public keys, as well as some related mathematical assumptions.

Bilinear pairings

Let G1 be an additive cyclic group with a large prime order q, and let G2 be a multiplicative cyclic group with the same order q. In particular, G1 is a subgroup of the group of points on an elliptic curve over a finite field E(F), and G2 is a subgroup of the multiplicative group over a finite field. P is a generator of G1. A bilinear pairing is a map e: G1 × G1 → G2 and satisfies the following properties: (1) Bilinear: e(aP, bQ) = e(P, Q) for all P, Q ∈ G1 and . (2) Non-degenerate: There exists P, Q ∈ G1 such that e(P, Q)≠1. (3) Computability: There is an efficient algorithm to compute e(P, Q) for all P, Q ∈ G1.

Self-certified public keys

In [27], Liao et al. first proposed a key distribution scheme based on self-certified public keys (SCPKs) [38, 39] among the service servers. Using the SCPK, a user’s public key can be computed directly from the signature of the trusted third party (TTP) on the user’s identity instead of verifying the public key using an explicit signature on a user’s public key. The SCPK scheme is described as follows. (1) Initialization: The trusted third party (TTP) first generates all the needed parameters of the scheme. The TTP chooses a non-singular high elliptic curve E(F) defined over a finite field, which is used with a point-based generator P of prime order q. Then, the TTP freely chooses his/her secret key s and computes his/her public key pub = s ⋅ P. The related parameters and pub are publicly and authentically available. (2) Private key generation: A user A chooses a random number k, computes K = k ⋅ P and sends his/her identity ID and K to the TTP. The TTP chooses a random number r, computes W = K + r ⋅ P and , and sends W and to user A. Then, A obtains his/her secret key by calculating . (3) Public key extraction: Anyone can calculate A’s public key pub = h(ID ∥ W)pub + W given W.

Related mathematical assumptions

To prove the security of our proposed protocol, we present some important mathematical problems and assumptions for bilinear pairings defined on elliptic curves. The related concrete description can be found in [40, 41]. (1) Computational discrete logarithm (CDL) problem: Given R = x ⋅ P, where P, R ∈ G1, it is easy to calculate R given x and P, but it is hard to determine x given P and R. (2) Elliptic curve factorization (ECF) problem: Given two points P and R = x ⋅ P + y ⋅ P for , it is hard to find x ⋅ P and y ⋅ P. (3) Computational Diffie-Hellman (CDH) problem: Given P, xP, yP ∈ G1, it is hard to compute xyP ∈ G1.

Review and cryptanalysis of Li et al.’s authentication scheme

Review of Li et al.’s scheme

There are three participants in Li et al.’s scheme: the registration center RC, the server S, and the user U. RC generates the master secret key x and a secret number y to construct h(x‖y) and h(SID‖h(y)), in which SID is the identity of server S; then, it delivers them to the server S through a secure channel. Li et al.’s scheme contains four phases: the registration phase, the login phase, the verification phase and the password change phase.

Registration phase

When the remote user authentication scheme starts, the registration process should be first performed by the user U and RC: (1) U generates a random number b and freely chooses his/her identity ID and the password PW. Then, U calculates A = h(b ⊕ PW). After that, U transmits ID and A to RC for registration through a secure channel. (2) RC computes B = h(ID‖x), C = h(ID‖h(y)‖A), D = h(B‖h(x‖y)) and E = B ⊕ h(x‖y). Then, RC stores {C, D, E, h(⋅), h(y)} on the smart card of U and sends it to U by a secure channel. (3) U adds the random number b into the smart card, which ultimately possesses the information {C, D, E, b, h(⋅), h(y)}.

Login phase

When user U wants to log into the server S, the following procedures should be performed: (1) After the smart card is inserted into the card reader, the user is prompted to enter his/her ID and PW. After that, the smart card calculates A = h(b ⊕ PW), and checks whether is equal to C. If is equal to C, the Login process continues. Otherwise, the session will be aborted. (2) The smart card produces a number N randomly and calculates P = E ⊕ h(h(SID‖h(y))‖N), CID = A ⊕ h(D‖SID‖N), M1 = h(P‖CID‖D‖N) and M2 = h(SID‖h(y)) ⊕ N. (3) The smart card transmits the login request message {P, CID, M1, M2} to S.

Verification phase

When S receives the login request message, the mutual authentication and session key agreement between S and U will be performed in accordance with the following steps. (1) The server S calculates N = M2 ⊕ h(SID‖h(y)), E = P ⊕ h(h(SID‖h(y))‖N), B = E ⊕ h(x‖y), D = h(B‖h(x‖y)), and A = CID ⊕ h(D‖SID‖N). (2) The server S calculates h(P‖CID‖D‖N); if the calculated result is not equal to M1, S rejects the login request and aborts this session. Otherwise, S accepts the login request message. Then, S chooses a random number N and calculates M3 = h(D‖A‖N‖SID), M4 = A ⊕ N ⊕ N. Finally, S sends {M3, M4} to U. (3) According to the received message {M3, M4}, U calculates N = A ⊕ N ⊕ M4, and verifies whether is equal to M3. If they are not equal, U rejects these messages and terminates this session. Otherwise, U successfully authenticates S. In addition, U calculates M5 = h(D‖A‖N‖SID) and sends it to S. (4) The server S computes h(D‖A‖N‖SID) and compares it with the received {M5} sent from U. If they are equal, U is successfully authenticated by S, and the mutual authentication is completed. After the mutual authentication phase, the user U and the server S calculate SK = h(D‖A‖N‖N‖SID) as their session key in future secure communication.

Password change phase

For security, the password of the user should be changed frequently. The password change phase is performed when user U wants to replace the old password PW with a new password . (1) The user U inserts his/her smart card into the card reader and inputs his/her ID and PW. (2) The smart card calculates A = h(b ⊕ PW), and verifies whether is equal to C. If they are not equal, the password change request will be rejected. Otherwise, the user U provides a new random number b and a new password . (3) The smart card calculates and . (4) The smart card uses and b to replace C and b. The password change phase is completed.

Cryptanalysis of Li et al.’s scheme

Li et al. claimed that their scheme can resist many types of attacks and satisfy all the essential requirements for multi-server architecture authentication. However, if we assume that A is an adversary who has compromised a user U and a server S, or a colluding pair consisting of a malicious user U and a dishonest server S, then A can obtain the secret numbers h(x‖y) and h(y) and perform stolen smart card and offline dictionary attacks, replay attacks, impersonation attacks and server spoofing attacks on Li et al.’s scheme. The concrete cryptanalysis of Li et al.’s scheme is shown as follows.

Stolen smart card and offline dictionary attacks

If a user U’s smart card is stolen by an adversary A, A can extract the information {C, D, E, b, h(⋅), h(y)} from the memory of the stolen smart card. Furthermore, if A intercepts a valid login request message {P, CID, M1, M2} sent from user U to server S in the public communication channel, A can compute N = h(SID‖h(y)) ⊕ M2, E = P ⊕ h(h(SID‖h(y))‖N), B = E ⊕ h(x‖y), D = h(B‖h(x‖y)) and A = CID ⊕ h(D‖SID‖N) using h(y) and h(x‖y). Then, A can launch an offline dictionary attack on C = h(ID‖h(y)‖A) to determine the identity ID of user U because A knows the values of A and h(y) corresponding to the user U. In addition, A can launch an offline dictionary attack on A = h(b ⊕ PW) to determine the password PW of U because A knows the value of b from the stolen smart card of the user U. Now, A possesses the valid smart card of user U, knows the identity ID and password PW corresponding to user U and hence can log in to any service provider server.

Replay attacks

A replay attack is when an adversary replays the same message of a receiver or sender again. If adversary A has intercepted a valid login request message {P, CID, M1, M2} sent from user U to server S in the public communication channel, then A can compute N = h(SID‖h(y)) ⊕ M2, E = P ⊕ h(h(SID‖h(y))‖N), B = E ⊕ h(x‖y), D = h(B‖h(x‖y)) and A = CID ⊕ h(D‖SID‖N) using h(y) and h(x‖y). Then, adversary A can replay this login request message {P, CID, M1, M2} to S by masquerading as the user U at some later time. After verification of the login request message, S computes M3 = h(D‖A‖N‖SID) and M4 = A ⊕ N ⊕ N and sends the message {M3, M4} to A, who is masquerading as the user U. The adversary A can verify the received value of {M3, M4} and compute since they know the values of N, E, B, D and A. Then, A sends to the server S. The server S computes h(D‖A‖N‖SID) and checks it with the received message . This equivalency authenticates the legitimacy of the user U and the service provider server S, and the login request is accepted. Finally, after mutual authentication, adversary A masquerading as the user U and the server S agree on the common session key as SK = h(D‖A‖N‖N‖SID). Therefore, the adversary A can masquerade as user U to login to server S by replaying the same login request message that had been sent from U to S.

Impersonation attacks

In this subsection, we show that an adversary A who possesses h(y) and h(x‖y) can masquerade as any user U to login to any server S as follows. Adversary A chooses two random numbers a and b and computes A = h(a) and B = h(b). Then, A can compute D = h(B‖h(x‖y)), E = B ⊕ h(x‖y), P = E ⊕ h(h(SID‖h(y))‖N), CID = A ⊕ h(D‖SID‖N), M1 = h(P‖CID‖D‖N) and M2 = h(SID‖h(y)) ⊕ N using h(y) and h(x‖y). Now, A sends the login request message {P, CID, M1, M2} by masquerading as the user U to server S. After receiving the login request message, S computes N = h(SID‖h(y)) ⊕ M2, E = P ⊕ h(h(SID‖h(y))‖N), B = E ⊕ h(x‖y), D = h(B‖h(x‖y)) and A = CID ⊕ h(D‖SID‖N) using {P, CID, M1, M2}, h(x‖y) and h(SID‖h(y)). Then, S computes M3 = h(D‖A‖N‖SID) and M4 = A ⊕ N ⊕ N and sends the message {M3, M4} to A, who is masquerading as the user U. Then, adversary A computes N = A ⊕ N ⊕ M4 and verifies M3 by computing h(D‖A‖N‖SID). Then, A computes M5 = h(D‖A‖N‖SID) and sends {M5} back to the server S. The server S computes h(D‖A‖N‖SID) and checks it against the received message {M5}. This equivalency authenticates the legitimacy of the user U and the service provider server S, and the login request is accepted. Finally, after mutual authentication, adversary A masquerading as the user U and the server S agree on the common session key as SK = h(D‖A‖N‖N‖SID).

Server spoofing attacks

In this subsection, we show that an adversary A who possesses h(y) and h(x‖y) can masquerade as the server S to spoof user U once A has intercepted a valid login request message {P, CID, M1, M2} sent from user U to server S over a public communication channel. From the intercepted message, A can compute N = h(SID‖h(y)) ⊕ M2, E = P ⊕ h(h(SID‖h(y))‖N), B = E ⊕ h(x‖y), D = h(B‖h(x‖y)) and A = CID ⊕ h(D‖SID‖N) corresponding to U. Then, A can choose a random number and compute and . A then sends the message {M3, M4} by masquerading as the server S to the user U. After receiving the message {M3, M4}, U computes and verifies M3 by computing . Then, U computes M5 = h(D‖A‖N‖SID) and sends it to the adversary A, who is masquerading as the server S. Then, A computes h(D‖A‖N‖SID) and checks it against the received message {M5}. Finally, after mutual authentication, the adversary A masquerading as the server S and the user U agree on the common session key as .

Discussion

In addition to Li et al.’s scheme, we also analyzed four other dynamic ID-based authentication schemes for multi-server environments [15, 17–19]. These schemes are all based on hash functions and are not dependent on an RC. We found that this type of multi-server remote user authentication scheme is generally vulnerable to stolen smart card and offline dictionary attacks, impersonation attacks, server spoofing attacks, etc. The cryptanalysis methods applied to these schemes are similar to those applied to Li et al.’s scheme in Section 4.2. We believe that under the assumption that no RC participates in the authentication and session key agreement phase, dynamic ID and hash function-based user authentication schemes for multi-server environments face difficulties in providing perfectly efficient and secure authentication. Fortunately, there is another technique, public-key cryptography, that is widely used in the construction of authentication schemes. Therefore, to construct a secure, low-power-consumption and non-RC-dependent authentication scheme, we adopt elliptic curve cryptography from the family of public-key techniques, and we propose a novel dynamic ID-based and non-RC-dependent remote user authentication scheme using pairing and self-certified public keys for multi-server environments.

The proposed scheme

In this section, we propose a novel dynamic ID-based and non-RC-dependent remote user authentication scheme for multi-server environments using pairing and self-certified public keys. Our scheme contains three participants: the user U, the service provider server S, and the registration center RC. A legitimate user U can easily login to the service provider server using his smart card, identity and password. There are six phases in the proposed scheme: the system initialization phase, the user registration phase, the server registration phase, the login phase, the authentication and session key agreement phase, and the password change phase. The notations used in our proposed scheme are summarized in Table 1.
Table 1. Notations used in the proposed scheme.

e        A bilinear map, e: G1 × G1 → G2.
Ui       The ith user.
IDi      The identity of the user Ui.
Sj       The jth service provider server.
SIDj     The identity of the service provider server Sj.
RC       The registration center.
sRC      The master secret key of the registration center RC in Zq*.
pubRC    The public key of RC, pubRC = sRC ⋅ P.
P        A generator of group G1.
H(⋅)     A map-to-point function, H: {0, 1}* → G1.
h(⋅)     A one-way hash function, h: {0, 1}* → {0, 1}^k, where k is the output length. h(⋅) accepts the concatenation of integer values and points on an elliptic curve.
⊕        A simple XOR operation in G1. If P1, P2 ∈ G1, i.e., P1 and P2 are points on an elliptic curve over a finite field, the operation P1 ⊕ P2 performs the XOR of the x-coordinates and of the y-coordinates of P1 and P2, respectively.
∥        The concatenation operation.

System initialization phase

In the proposed scheme, the registration center RC is assumed to be a TTP. In the system initialization phase, RC generates all the needed parameters of the scheme. (1) The RC selects a cyclic additive group G1 of prime order q, a cyclic multiplicative group G2 of the same order q, a generator P of G1, and a bilinear map e: G1 × G1 → G2. (2) The RC freely chooses a number held as the system private key and computes pub = s ⋅ P as the system public key. (3) The RC selects two cryptographic hash functions H(⋅) and h(⋅). Finally, all the related parameters {e, G1, G2, q, P, pub, H(⋅), h(⋅)} are publicly and authentically available.

User registration phase

When the user U wants to access the services, he/she has to submit some of his/her related information to the registration center RC for registration. The steps of the user registration phase are as follows: (1) U freely generates his/her identity ID and password pw and chooses a random number b. Then, U computes HPW = h(ID ∥ pw ∥ b) ⋅ P and submits ID and HPW to RC for registration through a secure channel. (2) When receiving the message ID and HPW, RC computes QID = H(ID), CID = s ⋅ QID, and H = h(QID ∥ CID). Then, RC stores the message in U’s smart card and submits the smart card to U through a secure channel. (3) After receiving the smart card, U enters b into the smart card. Finally, the smart card contains the parameters .

Server registration phase

If a service provider server S wants to provide services to the users, it must register with the registration center RC to become a legal service provider server. The server registration phase of the proposed scheme is based on SCPK. (1) S chooses a random number v and computes V = v ⋅ P. Then, S submits SID and V to RC for registration via a secure channel. (2) After receiving the message {SID, V}, RC chooses a random number w and computes W = w ⋅ P + V and mod q. Then, RC submits the message to S through a secure channel. (3) After receiving , S computes its private key mod q and checks the validity of the values issued to it by verifying the following equation: pub = s ⋅ P = h(SID ∥ W) ⋅ pub + W. Finally, S’s personal information consists of {SID, pub, s, W}. The details of the user registration phase and server registration phase are shown in Fig 1.
Fig 1. User and server registration phases of the proposed scheme.
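The SCPK key issuance described under "Self-certified public keys" and carried out in steps (1)–(3) of the server registration phase, as an added example that is not the paper's code. It uses secp256k1 as a stand-in curve (no pairing is needed in this phase) and SHA-256 for h(⋅); because the page omits the RC's formula for the scalar sent alongside W, the example assumes the standard one, sigma = w + h(SID ∥ W) ⋅ sRC mod q, which is the form consistent with the stated check s ⋅ P = h(SID ∥ W) ⋅ pub + W.

```python
"""SCPK issuance for the server registration phase (added example, not the paper's code).

Curve arithmetic is a minimal affine implementation over secp256k1, a stand-in for
the paper's pairing-friendly curve (no pairing is needed in this phase).  The page
omits the RC's formula for the scalar it returns alongside W; the assumed one,
sigma = w + h(SID||W)*s_RC mod q, is the standard construction and the only one
consistent with the stated check s_S*P = h(SID||W)*pub_RC + W.
"""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(p); G generates a group of prime order q
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 (curve coefficient a = 0)."""
    if a is INF:
        return b
    if b is INF:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt for k >= 0 (no reduction mod q)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def h(sid, w):
    """h(SID || W) as a scalar mod q: SHA-256 over the identity and the encoded point."""
    data = sid.encode() + w[0].to_bytes(32, "big") + w[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rc_setup():
    """System initialization: RC picks its master key s_RC and publishes pub_RC = s_RC*P."""
    s_rc = secrets.randbelow(Q - 1) + 1
    return s_rc, ec_mul(s_rc, G)


def server_step1():
    """Step (1): S picks v, keeps it secret, and sends V = v*P with its SID."""
    v = secrets.randbelow(Q - 1) + 1
    return v, ec_mul(v, G)


def rc_step2(s_rc, sid, V):
    """Step (2): RC picks w, computes W = w*P + V and sigma (assumed formula, see docstring)."""
    w = secrets.randbelow(Q - 1) + 1
    W = ec_add(ec_mul(w, G), V)
    sigma = (w + h(sid, W) * s_rc) % Q
    return W, sigma


def extract_public_key(sid, W, pub_rc):
    """Public key extraction, possible for anyone: pub_S = h(SID||W)*pub_RC + W."""
    return ec_add(ec_mul(h(sid, W), pub_rc), W)


def server_step3(v, sid, W, sigma, pub_rc):
    """Step (3): S derives s_S = sigma + v mod q and checks s_S*P = h(SID||W)*pub_RC + W."""
    s_s = (sigma + v) % Q
    pub_s = ec_mul(s_s, G)
    if pub_s != extract_public_key(sid, W, pub_rc):
        raise ValueError("values issued by RC fail the self-certification check")
    return s_s, pub_s


def register_server(sid):
    """Run the whole phase; returns (pub_RC, W, s_S, pub_S) for SID = sid."""
    s_rc, pub_rc = rc_setup()
    v, V = server_step1()
    W, sigma = rc_step2(s_rc, sid, V)
    s_s, pub_s = server_step3(v, sid, W, sigma, pub_rc)
    return pub_rc, W, s_s, pub_s
```

Note that RC never learns s_S (it only sees V = v ⋅ P), and anyone holding pub_RC can recompute pub_S from SID and W without a separate certificate, which is the point of the self-certified construction.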

Login phase

If user U wants to access the services provided by server S, U needs to log in to S; the process of the login phase is as follows: (1) The user U inserts their smart card into the smart card reader and inputs their identity ID and password pw. The smart card then calculates QID = H(ID), , and and verifies whether is equal to H. If they are equal, it is verified that U has the correct user identity and password. Thus, U is a legitimate user. Otherwise, the smart card aborts the session. (2) The smart card chooses two random numbers u and r, and it computes DID = u ⋅ QID and R = r ⋅ P. Then, the smart card sends the login request message {DID, R} to server S over a public channel.

Authentication and session key agreement phase

(1) Based on the received login request message {DID, R} sent from the user U, the server S chooses a random number r and computes R = r ⋅ P, T = r ⋅ R, K = s ⋅ R and Auth = h(DID ∥ SID ∥ K ∥ R). Then, S sends the message {W, R, Auth} to U. (2) When receiving {W, R, Auth}, U computes T = r ⋅ R, pub = h(SID ∥ W) ⋅ pub + W, K = r ⋅ pub and Auth = h(DID ∥ SID ∥ K ∥ R). Then, U checks Auth with the received Auth. If they are not equal, U terminates this session. Otherwise, S is proven to have the correct private key s, and thus, S is authenticated. U continues to compute M = r ⋅ DID, N = u ⋅ CID, d = h(DID ∥ SID ∥ K ∥ M) and B = (r + d) ⋅ N. Finally, U sends the message {M, B} to S. (3) After receiving the message {M, B} sent from U, S computes d = h(DID ∥ SID ∥ K ∥ M) and checks whether e(M + d ⋅ DID, pub) = e(B, P). If they are not equal, S terminates this session. Otherwise, U is authenticated. Finally, the user U and the server S agree on a common session key as U: SK = h(DID ∥ SID ∥ K ∥ T), S: SK = h(DID ∥ SID ∥ K ∥ T). Sections 5.4 and 5.5 give the detailed procedures of the login phase and authentication and session key agreement phase, which are also depicted in Fig 2.
Fig 2. Login phase and authentication and session key agreement phase.

Password change phase

For security purposes, users need to change their passwords frequently. The following steps show the password change phase process for a user U. (1) The user U inserts his/her smart card into the smart card reader and inputs their identity ID and password pw. Then, the smart card computes QID = H(ID), , and checks whether . If they are equal, U is verified as a legitimate user; otherwise, the smart card rejects the password change request. (2) The smart card generates a random number z and computes Z = z ⋅ P and AID = CID ⊕ z ⋅ pub. Then, the smart card sends the message {ID, AID, Z} to the registration center RC. (3) After receiving the message {ID, AID, Z}, RC computes CID = AID ⊕ s ⋅ Z, QID = H(ID), and checks whether e(CID, P) = e(QID, pub). If they are equal, user U is authenticated. Then, RC computes V1 = h(CID ∥ s ⋅ Z) and sends {V1} to U. (4) When receiving {V1}, the user computes and checks it against the received V1. If they are equal, the registration center RC is authenticated. Then, U chooses his/her new password and the new random number , and computes , and . Then, U submits {V2, V3} to RC. (5) Upon receiving the response {V2, V3}, the registration center RC computes and . Then, RC compares with the received V3. If they are equal, RC continues to compute , and . After that, RC sends {V4, V5} to U. (6) After receiving {V4, V5}, U computes and . Then, U checks whether . If they are equal, user U replaces the original and b with and . In addition to the descriptions listed above, the procedures of the password change phase of the proposed scheme are also given in Fig 3.
Fig 3. Password change phase of the proposed scheme.

Security analysis

Stolen smart card and offline dictionary attacks

In the proposed scheme, we assume that if a smart card is stolen, physical protection methods cannot prevent malicious attackers from obtaining the stored secure elements. Simultaneously, an adversary A can access a large dictionary of words that likely includes the user's password and can intercept the communications between the user and server. In the proposed scheme, if a user U's smart card is stolen by an adversary A, the latter can extract from the memory of the stolen smart card. Simultaneously, it is assumed that adversary A has intercepted a previous full session of messages {DID, R_U, W, R_S, Auth, M, B} between the user U and server S. However, the adversary still cannot obtain U's identity ID and password pw except by guessing ID and pw simultaneously. Therefore, it is impossible to obtain U's identity ID and password pw from a stolen smart card using offline dictionary attacks in our proposed scheme.

Replay attacks

Replaying a message of a previous session into a new session is useless in our proposed scheme because the user's smart card and the server choose different random numbers r_U and r_S, and the user's dynamic identity is different in each new session. These factors make all messages dynamic and valid for that session only. If we assume that an adversary A replays an intercepted previous login request {DID, R_U} to S, then after receiving the response message {W, R_S, Auth} sent from S, A cannot compute the correct response message {M, B} to pass S's authentication since A does not know the values of ID, pw, u and r_U. Therefore, the proposed scheme is robust to replay attacks.

Impersonation attacks

If an adversary A wants to masquerade as a legitimate user U to pass the authentication of a server S, the adversary must have the values of both QID and CID. However, QID and CID are protected by U's smart card, ID and pw since QID = H(ID) and . Therefore, unless the adversary A can obtain the user U's smart card, ID and pw simultaneously, the proposed scheme is secure against impersonation attacks.

Server spoofing attacks

If an adversary A wants to masquerade as a legal server S to cheat a user U, the adversary must calculate a valid Auth that is embedded with the shared secret key K = s ⋅ R to pass the authentication of U. However, the adversary A cannot derive the shared secret key K without knowing the private key s of the server S. Therefore, our scheme is secure against server spoofing attacks.

Insider attacks

In the proposed scheme, the registration center RC cannot obtain U’s password pw. Since in the registration phase U chooses a random number b and sends ID and HPW = h(ID ∥ pw ∥ b) ⋅ P to RC, RC cannot derive pw from HPW based on the CDL problem. Therefore, the proposed scheme is robust to insider attacks.

Denial of service attacks

In denial of service attacks, an adversary A updates the identity and password verification information on the smart card to some arbitrary value, and hence, legitimate users cannot log in successfully in subsequent login requests to the server. In the proposed scheme, the smart card checks the validity of user U's identity ID and password pw before the password update procedure. An adversary who inserts the stolen smart card of the user U into the smart card reader must guess the identity ID and password pw corresponding to the user U correctly. The smart card computes and compares it with the stored value of H in its memory to verify the legitimacy of the user U before the smart card accepts the password update request. It is not possible to guess the identity ID and password pw correctly and simultaneously in polynomial time even after obtaining the smart card of the user U. Therefore, the proposed scheme is secure against denial of service attacks.

Perfect forwarding secrecy

Perfect forwarding secrecy means that even if an adversary compromises all the passwords of the users, it still cannot compromise the session key. In the proposed scheme, the session key SK = h(DID ∥ SID ∥ K ∥ T_U) = h(DID ∥ SID ∥ K ∥ T_S) is generated from three single-use random numbers u, r_U and r_S in each session. These single-use random numbers are only held by the user U and the server S and cannot be retrieved from SK based on the security of the CDH problem. Thus, even if an adversary obtains previous session keys, it cannot compromise other session keys. Hence, the proposed scheme achieves perfect forwarding secrecy.

User anonymity

In our proposed scheme, the user U's login message is different in each login phase. For each login message, DID = u ⋅ H(ID) is associated with a random number u, which is known by U alone. Therefore, no adversary can identify the real identity of the logged-in user, and our scheme can ensure the user's anonymity.

No verification table

In our proposed scheme, it is obvious that the user, server and registration center do not maintain a verification table.

Local password verification

In the proposed scheme, the smart card checks the validity of user U’s identity ID and password pw before logging into server S. Since the adversary cannot compute the correct CID without knowledge of ID and pw to satisfy the verification equation , our scheme can avoid unauthorized access via local password verification.

Proper mutual authentication

In our scheme, the user first authenticates the server. U sends the message {DID, R_U} to the server S to establish a connection. After receiving the response message {W, R_S, Auth} sent from S, U computes T_U, pub_S, K, and its own Auth and checks whether the computed Auth equals the received Auth. If they are equal, S is authenticated by U. Otherwise, U stops logging in to this server. Since Auth = h(DID ∥ SID ∥ K ∥ R_S) and K = s_S ⋅ R_U, an adversary A cannot compute the correct K without knowledge of the server's private key s_S. Any fabricated message cannot pass verification. Then, U computes M, N, d, and B and sends the message {M, B} to S. After receiving the message {M, B} sent from U, S computes d and checks whether e(M + d ⋅ DID, pub) = e(B, P). If they are not equal, S terminates this session; otherwise, U is authenticated. Since B = (r_U + d) ⋅ N, an adversary A cannot compute the correct B without knowledge of the values of u, r_U, etc. Any fabricated message cannot pass verification. Therefore, our proposed scheme can provide proper mutual authentication.
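As an added example (not the paper's code), the following Python walks through steps (1)-(3) of the login and authentication phase and the mutual-authentication argument above in a toy group: G1 is modelled as the integers mod a prime q with P = 1, so scalar multiplication is integer multiplication and the pairing becomes e(a ⋅ P, b ⋅ P) = a ⋅ b. Discrete logarithms are trivial in this model, so it checks only the algebra (the self-certified key pub_S, the shared K, the verification equation and the equal session keys), not the scheme's security; the function names, the hash constructions and the tamper flag (a forged B, which the server's check rejects) are assumptions of this example.

```python
import hashlib
import secrets

Q = 2**127 - 1  # constructed toy group order (a Mersenne prime); the point P is the integer 1

def h(*parts):
    """One-way hash h(.) of the concatenated fields, reduced into Z_q (assumed construction)."""
    data = "||".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def H(ident):
    """Map-to-point hash H(.); a toy G1 point is a non-zero integer mod Q."""
    return h("H", ident) or 1

def e(a, b):
    """Toy bilinear map e(a*P, b*P) = a*b mod Q: bilinear, but offers no security."""
    return a * b % Q

def rnd(): return secrets.randbelow(Q - 1) + 1  # non-zero random scalar

def registration(s, ident, sid):
    """RC (secret s, pub = s*P) issues CID = s*H(ID) and a self-certified key to the server."""
    w = rnd()
    W = w                                    # W = w*P
    s_S = (w + h(sid, W) * s) % Q            # server private key, so pub_S = h(SID||W)*pub + W
    return s * H(ident) % Q, W, s_S

def login_and_auth(s, ident, sid, tamper=False):
    """Runs steps (1)-(3); returns (SK at U, SK at S) or None if either side rejects."""
    pub = s
    cid, W, s_S = registration(s, ident, sid)
    u, r_U = rnd(), rnd()
    did, R_U = u * H(ident) % Q, r_U         # login request {DID, R_U}
    r_S = rnd()                              # (1) server side
    R_S, T_S, K_S = r_S, r_S * R_U % Q, s_S * R_U % Q
    auth_S = h(did, sid, K_S, R_S)           # response {W, R_S, Auth}
    T_U = r_U * R_S % Q                      # (2) user side
    pub_S = (h(sid, W) * pub + W) % Q        # self-certified public key of S
    K_U = r_U * pub_S % Q
    if h(did, sid, K_U, R_S) != auth_S:
        return None                          # server not authenticated
    M, N = r_U * did % Q, u * cid % Q
    d = h(did, sid, K_U, M)
    B = (r_U + d) * N % Q
    if tamper:
        B = (B + 1) % Q                      # a forged {M, B} from a party without CID
    d_S = h(did, sid, K_S, M)                # (3) server side
    if e((M + d_S * did) % Q, pub) != e(B, 1):
        return None                          # user not authenticated
    return h(did, sid, K_U, T_U), h(did, sid, K_S, T_S)
```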

Performance comparison and functionality analysis

In this section, we compare the performance and functionality of our proposed scheme with some previous schemes. To analyze the computation cost, the following notations are defined:

T_Ge: the time for executing a bilinear map operation e: G1 × G1 → G2.
T_Gmul: the time for executing a point scalar multiplication on the group G1.
T_GH: the time for executing a map-to-point hash function H(.).
T_Gadd: the time for executing a point addition on the group G1.
T_h: the time for executing a one-way hash function h(.).

Since the XOR operation and the modular multiplication operation require very little computation, their costs are usually considered negligible. Table 2 shows the performance comparisons of our proposed scheme and various other related protocols. We focus on three computational costs: C1, the total time for all operations executed during the user registration phase; C2, the total time spent by the user during the login phase and verification phase; and C3, the total time spent by the server during the verification phase. As shown in Table 2, Tseng et al.'s scheme is more efficient in terms of computational cost. However, Tseng et al.'s scheme is vulnerable to stolen smart card and offline dictionary attacks, server spoofing attacks and insider attacks and cannot provide perfect forwarding secrecy, user anonymity, proper mutual authentication and session key agreement. In our proposed scheme, the total computational cost for the user (C2) is 9T_Gmul+T_GH+T_Gadd+5T_h. However, similar to Liao et al.'s scheme, the user U can pre-compute R_U = r_U ⋅ P on the client, and then the computational cost of the user (C2) requires 8T_Gmul+T_GH+T_Gadd+5T_h of on-line computation. Our proposed scheme thus has a slightly higher computational cost than Liao et al.'s scheme in C2, and the other costs are almost equal. However, Liao et al.'s scheme is vulnerable to stolen smart card and offline dictionary attacks and denial of service attacks and cannot provide user anonymity and local password verification.
Table 2. Computational cost comparison of our scheme with other schemes.

     | Proposed scheme              | Liao et al.'s scheme [27]    | Tseng et al.'s scheme [26]
C1   | 3T_Gmul+T_GH+2T_h            | 3T_Gmul+T_GH+T_h             | 2T_Gmul+T_GH+T_h
C2   | 8T_Gmul+T_GH+T_Gadd+5T_h     | 5T_Gmul+T_GH+T_Gadd+5T_h     | 3T_Gmul+2T_h
C3   | 2T_Ge+4T_Gmul+T_Gadd+2T_h    | 2T_Ge+5T_Gmul+T_Gadd+2T_h    | 2T_Ge+T_Gmul+T_GH+T_Gadd+T_h
Table 3 lists the functionality comparisons among our proposed scheme and other related schemes. It is obvious that our scheme has many excellent features and is more secure than other related schemes.
Table 3. Functionality comparisons among related multi-server authentication protocols.

                                                        | Proposed scheme | Liao et al. [27] | Tseng et al. [26] | Li et al. [20] | Lee et al. [18] | Shao et al. [17] | Lee et al. [19]
Resist stolen smart card and offline dictionary attacks | Yes             | No               | No                | No             | No              | No               | No
Resist replay attacks                                   | Yes             | Yes              | Yes               | No             | No              | No               | No
Resist impersonation attacks                            | Yes             | Yes              | Yes               | No             | No              | No               | No
Resist server spoofing attacks                          | Yes             | Yes              | No                | No             | No              | No               | No
Resist insider attacks                                  | Yes             | Yes              | No                | Yes            | Yes             | No               | Yes
Resist denial of service attacks                        | Yes             | No               | Yes               | Yes            | Yes             | Yes              | No
Perfect forwarding secrecy                              | Yes             | Yes              | No                | Yes            | Yes             | No               | No
Ensure user's anonymity                                 | Yes             | No               | No                | Yes            | Yes             | No               | Yes
No verification table                                   | Yes             | Yes              | Yes               | Yes            | Yes             | Yes              | Yes
Local password verification                             | Yes             | No               | Yes               | Yes            | Yes             | Yes              | No
Proper mutual authentication                            | Yes             | Yes              | No                | Yes            | No              | Yes              | Yes

Conclusion

In this paper, we note that Li et al.’s scheme is vulnerable to stolen smart card and offline dictionary attacks, replay attacks, impersonation attacks and server spoofing attacks. Furthermore, by analyzing some other similar schemes, we find that certain types of dynamic ID-based and non-RC-dependent multi-server authentication schemes in which only hash functions are used face difficulties in providing perfectly efficient and secure authentication. To compensate for these shortcomings, we propose a novel dynamic ID-based and non-RC-dependent remote user authentication scheme for multi-server environments using pairing and self-certified public keys. The security and performance analyses show that the proposed scheme is secure against various attacks and has many excellent features. In the future, the use of authentication for high-tech industries, such as cloud computing [42-44] and big data [44-46], will be an important area and research task.