Received: 13 December 2017

Revised: 28 February 2018

Accepted: 30 March 2018

DOI: 10.1002/dac.3701

RESEARCH ARTICLE

A secure and enhanced elliptic curve cryptography-based dynamic authentication scheme using smart card

Madhusudhan R1, Manjunath Hegde1, Imran Memon2

1 Department of Mathematical and Computational Science, National Institute of Technology Karnataka, India
2 College of Computer Science, Zhejiang University, Hangzhou, China

Correspondence: Madhusudhan R, Department of Mathematical and Computational Science, National Institute of Technology Karnataka, Surathkal 575025, India. Email: [email protected]

Summary

In remote system security, 2-factor authentication is one of the security approaches that provides fundamental protection to the system. Recently, numerous 2-factor authentication schemes have been proposed. In 2014, Troung et al proposed an enhanced dynamic authentication scheme using smart card, mainly to provide anonymity, secure mutual authentication, and session key security. By analysing Troung et al's scheme, we observed that it does not provide user anonymity, perfect forward secrecy, or server secret key security, and does not allow the user to choose his/her password. We also identified that Troung et al's scheme is vulnerable to replay attack. To fix these security weaknesses, a robust authentication scheme is proposed and analysed using a formal verification tool to measure its robustness. From the observed computational efficiency of the proposed scheme, we conclude that the scheme is more secure and easy to implement practically.

KEYWORDS: authentication, dynamic ID, network communication, password, security protocol, smart card

1 INTRODUCTION

With the rapid growth in communication technology and distributed systems, people carry out various transactions through the Internet. Much sensitive and secret information is stored in remote systems, and this information can be accessed through the network. Presently, Internet threats and hacker tools are becoming more powerful. As attackers become stronger, the communication network becomes insecure. If the network is insecure, then the rate of unauthorized access, use, alteration, theft, or physical damage to an object that maintains confidential information will increase. Therefore, knowledge protection of any system is a key and challenging problem.1 Authentication is a fundamental building block for a secured network environment. For example, once a server knows for certain the identity of a client, it can decide whether to provide the service, whether the user should be given special privileges, who should receive the bill for the service, etc.2 According to Kizza,1 "Authentication is a service used to identify a user." This identification is done based on what the user knows (password), what the user has (hardware tokens and smart cards), and what the user is (biometric).3 Among these 3 methods, password authentication is the simplest and most widely used authentication method. But the limitations of traditional password authentication4 led to the development of 2-factor authentication. Today, systems which require more security, like e-commerce, banking, and health care, are adopting 2-factor authentication. Among 2-factor authentication methods, smart card authentication stands on the better side. Portability, low cost, efficiency, and cryptographic capacity are the key reasons to choose this authentication type. In the smart card-based authentication method, the user must have the registered smart card. Using this smart card, the user can access the system. The traditional model of the smart card-based remote user authentication system is explained in a later section.

Int J Commun Syst. 2018;e3701. https://doi.org/10.1002/dac.3701. wileyonlinelibrary.com/journal/dac. Copyright © 2018 John Wiley & Sons, Ltd.

1.1 Motivations and contributions

In 2012, Madhusudhan and Mittal5 stated that existing 2-factor authentication schemes do not resist all feasible weaknesses and each has its own pros and cons. Recently, Wang et al6 also said that password authentication schemes are still far from fully secure. From the literature survey, we observed that many schemes violate basic security properties of 2-factor authentication such as user anonymity, forward secrecy, password independence, etc. If a scheme fails to provide security against known weaknesses, then this directly affects the usability of the scheme. In this study, we enhance the security boundary of a smart card-based remote user authentication scheme. As a case study, we selected a scheme which violates basic requirements and proved its weaknesses and attacks. On the basis of the analysis, we propose an enhanced scheme and prove its security. Our contributions are summarized as follows:

1. We first analyze Troung et al's scheme,7 which was proposed in 2014, and prove that the scheme does not provide security to the server secret key, user anonymity, or perfect forward secrecy, and does not allow the user to choose his/her own password. We also identified that Troung et al's7 scheme is vulnerable to replay attack.

2. As the main contribution, we propose a secure and enhanced elliptic curve cryptography-based remote user authentication scheme. The proposed scheme overcomes not only the identified drawbacks of Troung et al's7 scheme but also fills basic security gaps like session key establishment, forward secrecy, mutual authentication, password selection independence, etc.

3. Through the security analysis, we discuss the security of the proposed scheme against feasible attacks. Here, we prove that the proposed scheme provides security against all the identified pitfalls of Troung et al's7 scheme. Using Burrows-Abadi-Needham (BAN) logic, we give a formal verification proof and simulate the proposed scheme using the automated validation of internet security protocols and applications (AVISPA) tool. We also compare the proposed scheme's computational efficiency with other remote user authentication schemes.

1.2 Related work

In 2004, Das et al8 introduced a dynamic ID-based remote user authentication scheme to provide user anonymity. Later, Liao et al9 identified a guessing attack in Das et al's8 scheme and developed an improved scheme in 2005. In 2006, Yoon and Yoo10 proved that Liao et al's9 scheme is vulnerable to reflection and insider attacks. To enhance the security of Liao et al's9 scheme, Yoon and Yoo10 proposed a new scheme. In 2008, Wang et al11 reviewed Das et al's8 scheme, showed that user authentication can be done independently of the password, and proposed a new scheme to resolve the identified weaknesses. In 2010, Yeh et al12 identified impersonation and man-in-the-middle attacks in Wang et al's11 scheme and developed an authentication scheme to withstand the identified weaknesses. Later, Wang et al13 cryptanalyzed Wang et al's11 scheme in 2011 and pointed out known key and smart card loss attacks in the scheme. To resist the identified weaknesses, Wang et al13 proposed an elliptic curve cryptosystem-based remote user authentication scheme. Wang et al's11 scheme was also analyzed by Wen and Li14 in 2012. They showed that the scheme is vulnerable to impersonation and insider attacks. To overcome the identified weaknesses, Wen and Li14 proposed a new remote user authentication with key agreement scheme. In 2011, Khan et al15 reviewed Wang et al's13 scheme and proved that the scheme fails to provide user anonymity and is vulnerable to stolen smart card attack. They also proposed an improved scheme to resist the identified weaknesses. Further, An16 showed that Khan et al's15 scheme is sensitive to password guessing and forgery attacks. He also proved that the scheme does not provide user anonymity. In 2012, Ding and Chun-guang17 developed an upgraded methodology for Chen et al's18 scheme. In 2013, Li et al19 reviewed Lee et al's20 scheme and identified forgery and server spoofing attacks in the scheme. They also identified improper authentication and an inefficient password change phase in Lee et al's20 scheme. To improve on the identified weaknesses, Li et al21 proposed a new dynamic ID remote user authentication scheme. In the same year, Li et al21 reviewed Chen et al's22 scheme and identified problems with perfect forward secrecy, delay in wrong password detection, and unfriendliness and inefficiency in the password change phase. To overcome these weaknesses, Li et al21 proposed a new authentication scheme. In 2014, Kumari et al23 reviewed Chang et al's24 scheme and identified that the scheme is vulnerable to password guessing, impersonation, and masquerading attacks. To overcome these weaknesses, Kumari et al23 proposed an improved remote user authentication scheme. In 2014, Troung et al7 reviewed Sood et al's25 scheme, which was proposed in the year 2010, and pointed out that Sood et al's25 scheme is vulnerable to spoofing attack and verifier attack. To overcome these weaknesses, Troung et al7 proposed an elliptic curve cryptography-based enhanced authentication scheme. In 2015, Li et al26 reviewed Chang et al's24 scheme and pointed out off-line password guessing attack, stolen smart card attack, insider attack, and impersonation attack in the scheme. They also identified user identity traceability and password change inefficiency in Chang et al's24 scheme. To enhance privacy and authenticity, Memon et al27 proposed an authentication scheme in 2015. In the same year, Memon et al28 proposed an authenticated key establishment protocol for road networks. Further, in 2016, Maitra et al29 reviewed the ElGamal-based remote user authentication scheme proposed by Lee et al30 in 2014. They identified forgery attack, stolen smart card attack, password guessing attack, and smart card forgery attack in Lee et al's30 scheme. To overcome these vulnerabilities, Maitra et al29 proposed an improved scheme. Maitra et al's29 scheme was analysed by Wang et al31 in 2017. They identified off-line password guessing attack and insider attack. Also, Wang et al31 proved that Maitra et al's29 scheme does not provide perfect forward secrecy. To overcome these weaknesses, Wang et al31 proposed a lightweight password authentication scheme. In 2016, Wang et al32 made a comparative study of 2-factor authentication schemes. In this study, they reviewed Li et al's scheme,21 Odelu et al's scheme,33 and Kumari and Khan's scheme34 and identified weaknesses based on the criteria proposed by Madhusudhan and Mittal5 in the year 2012. In 2017, Nikooghadam et al35 reviewed Kumari et al's23 scheme and Chaudhry et al's36 scheme and identified various pitfalls in the reviewed schemes. Then they proposed a new remote user authentication scheme to overcome the identified weaknesses. In 2017, Memon et al37 proposed location privacy protection for mapping services. In the same year, Memon et al38 also proposed a pseudonym changing strategy with multiple mix zones for trajectory privacy protection in road networks. In 2017, Li et al39 proposed an anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. In 2018, Chandrakar and Om40 illustrated that existing schemes do not provide security against various threats, and they proposed a remote user authentication and session key agreement scheme using the Rabin cryptosystem.

The rest of the article is organised as follows. Section 2 presents the system model and evaluation criteria for smart card-based remote user authentication. Troung et al's7 scheme is briefly discussed in Section 3, followed by cryptanalysis of Troung et al's7 scheme in Section 4. Section 5 proposes a new scheme, which is an improvement of Troung et al's7 scheme. Section 6 discusses the security proofs of the proposed scheme. These proofs involve the cryptanalysis of the proposed scheme, followed by formal analysis of the proposed scheme using BAN logic and formal verification of the proposed scheme using the AVISPA tool. Section 7 compares the performance of the proposed scheme with other schemes.7,14,17 Section 8 presents the concluding remarks of this article.

2 SYSTEM MODEL AND EVALUATION CRITERIA

This section elaborates the system model and evaluation criteria for the traditional smart card-based remote user authentication scheme. These are important factors for evaluating schemes systematically. Much of the research work deals with smart card-based password authentication systems (eg, other studies9,11,15,41-43), but only a few talk about models and criteria.44-46 Before stepping into the details of the protocol specifications, we describe the traditional smart card-based authentication system model and the evaluation criteria for an efficient smart card-based authentication scheme.

2.1 System model

Smart card-based password authentication schemes6,47,48 involve 2 participants: a user and a server. The schemes mainly consist of 3 phases: (1) registration phase, (2) log in and authentication phase, and (3) password change phase. Recent schemes have one extra phase called the smart card revocation phase.17,49 The general system model is shown in Figure 1. To access the server in smart card-based remote user authentication, the user must register, and he/she should have the issued smart card. To register for the smart card, the user must choose an identity (ID) and password (PW) and submit them to the server. After submission of the user credentials, the server issues the smart card to the user. To log in to the server, the user inserts the smart card into the card reader and enters ID and PW. The smart card generates a log in message and sends it to the server S. On the server side, S receives the log in message and verifies it. The server rejects the log in message if the ID and PW are wrong. During the password change phase, the user can change his/her password and update the information on the card. This can be done locally or through interaction with the server, but it is better to develop a scheme which can change the password locally. To revoke a lost card, many recent schemes provide an additional phase called the smart card revocation phase.

FIGURE 1 System model

2.2 Evaluation criteria

In 2006, Liao et al50 proposed a set of 10 requirements for the evaluation of smart card security. They said that the requirement set gives the answer to all security threats. Later, Yang et al51 made an argument against Liao et al's50 criteria. They showed that there are several redundancies in Liao et al's50 requirement set. Further, Yang et al51 proposed a new criteria set for remote user authentication. But this criteria set was more theoretical and difficult to adopt in real applications. As a solution, Tsai et al52 presented another group of security properties. This has 9 security requirements and 10 desirable features, which are based on tamper-resistance assumptions. Ambiguities and redundancies in the previous criteria were identified by Madhusudhan and Mittal5 in 2012. They also proposed a new set of 9 security requirements and 10 security goals. Further, Wang et al4 made a comprehensive set of criteria (C) which is based on the summary of Madhusudhan and Mittal's5 work. It is not enough if the scheme fulfils the security requirements and goals. Performance is also a concern for practical implementation: the scheme should be efficient enough to implement practically. Based on these properties, efficient scheme development can be achieved. Wang et al's4 security criteria are listed below:

C1. No password verification table: The remote system should not maintain a password table or hashed password dictionary to authenticate the user.

C2. Password friendliness: The password should be memorable and can be chosen freely and changed locally by the user.

C3. No password exposure: The password should not be derivable by an insider or administrator of the server.

C4. No smart card loss attack: The scheme is free from smart card loss attack, ie, an unauthorized user should not be able to impersonate the legal user by logging in to the system, or guess the password, even after the smart card is stolen and the secret data in the smart card is revealed.

C5. Resistance to all active attacks: The scheme should resist various basic attacks like off-line password guessing attack, replay attack, parallel session attack, stolen verifier attack, impersonation attack, etc. The necessary information related to active attacks is given in Madhusudhan and Mittal.5

C6. Provides smart card revocation with good repairability: The scheme should provide smart card revocation with good repairability, ie, a user can revoke a lost smart card without changing his/her identity.

C7. Provision of key agreement: The client and the server can establish a common session key for secure data communication after the authentication process.

C8. No clock synchronization and time delay: The scheme is not prone to the problems of time delay, ie, the server need not synchronize its clock with the clocks of the input devices used by smart cards.

C9. Quick wrong password detection: The user will be quickly notified if he/she inputs a wrong password while logging in to the system.

C10. Achieve mutual authentication: The user and the server must verify the authenticity of each other before providing the service.

C11. Preserves user anonymity: The authentication scheme should protect the user identity and keep user activities secret.

C12. Provide perfect forward secrecy: The scheme should not reveal previous session key information to the adversary even after the server's secret key is compromised.

For better perception, we improved the security requirements which are not clearly addressed in Wang et al's4 requirement list. Wang et al4 said that user anonymity should be preserved from the adversary. From the observation of many schemes, we say that an insider can also trace the identity of the user. Many schemes communicate the user identity to the server in the registration phase. Here, an insider of the server can trap the registration message, which contains the user identity. This may create the chance to obtain/guess the user password. Hence, the user's identity should also be preserved from the insider. Wang et al4 also say that the password should be memorable. But sometimes memorable passwords may be weak, which allows the adversary to apply a brute force attack. Therefore, the password should be memorable, but it should be strong. By applying some conditions during the selection of the password (eg, the password must contain upper case and lower case alphabets, numeric values, and special characters), we can make the selected password strong. It is necessary to provide security to the server secret key. The secret key is involved in encryption and decryption operations. Also, the secret key is used to calculate the session key. If the secret key of the server is compromised and the session key is revealed, then the whole session will be insecure. It is also necessary to develop a scheme which is password dependent. Wang et al4 proved that a password-independent scheme is insecure, and it allows impersonation of the legal user without using the password. These additional criteria make authentication schemes more robust.

3 REVIEW OF TROUNG ET AL'S SCHEME

In this section, we briefly review Troung et al's7 scheme. This scheme contains a registration phase, log in phase, authentication phase, and password change phase. For presentation purposes, we use the notations listed in Table 1.

3.1 Registration phase

Before registration, S selects an elliptic curve Ep over the finite field Fp with a large prime number p and a 1-way hash function h(.). The server also chooses a base point P of order n, selects x as its private key, and publishes the parameters {Ep, P, Fp, h(.)}.

1. In the registration phase, first Ui selects IDi and sends it to the server.
2. The server selects PWi, a random number e, and a random value N. This N will be 0 at the first registration.
3. S computes RPWi = h(PWi || N), Ri = h(x || e) ⊕ h(RPWi || IDi), and Vi = h(h(x || e) || IDi || RPWi).
4. S stores {h(.), Vi, Ri, e, N} into the smart card and sends it to Ui together with PWi through a secure channel.
5. Ui receives the card and changes PWi.

TABLE 1 Notations and descriptions

Notation   Description
S          Server
Ui         ith user
IDi        Identity of Ui
PWi        Password of Ui
x          Secret key of S
⊕, ||      Bitwise XOR and concatenation operators
T, T'      Time stamps acquired at the user side and server side
Ep         Elliptic curve
Fp         Finite field
P          Base point of Ep
h(.)       1-way hash function
𝒜          Adversary

3.2 Log in phase

When Ui wants to log in to the server, he/she inserts the card and inputs IDi and PWi. Further operations are as follows:

1. The smart card computes RPWi = h(PWi || N), h(x || e) = Ri ⊕ h(RPWi || IDi), and Vi* = h(h(x || e) || IDi || RPWi).
2. The smart card (SC) verifies whether Vi* = Vi. If equal, then the system generates a random number ru ∈ [2, n − 1] and computes CIDi = h(ru*P || h(x || e)) ⊕ IDi and MACu = h(IDi || h(x || e) || ru*P).
3. SC transmits the log in request {CIDi, ru*P, MACu, e} to S via the public channel.

3.3 Mutual authentication phase

In the mutual authentication phase, S receives the log in request message {CIDi, ru*P, MACu, e} and authenticates the user as follows:

1. S reconstructs h(x || e) using the information e.
2. S extracts IDi = h(ru*P || h(x || e)) ⊕ CIDi and verifies the validity of IDi.
3. S computes MACu' = h(IDi || h(x || e) || ru*P) and checks it against the received MACu.
4. S generates a random number rs ∈ [2, n − 1], computes the session key SK = h(ru*rs*P || h(x || e) || IDi) and MACs = h(SK || h(x || e) || IDi), and transmits {MACs, rs*P} to Ui for mutual authentication.
5. The user receives the message {MACs, rs*P}, calculates SK' = h(ru*rs*P || h(x || e) || IDi) and MACs' = h(SK || h(x || e) || IDi), and verifies MACs' against the received MACs. If MACs' = MACs, it further computes RUS = h(SK) and sends RUS to the server; the server verifies the received RUS by calculating RUS'. If RUS and RUS' are equal, S accepts Ui as valid. Otherwise, S terminates the session.

3.4 Off-line password change phase

In this phase, Ui changes the password from PWi to PWinew as follows:

1. Ui inserts the card and inputs IDi and PWi. The smart card computes RPWi = h(PWi || N), h(x || e) = Ri ⊕ h(RPWi || IDi), and Vi* = h(h(x || e) || IDi || RPWi).
2. The smart card verifies whether Vi* = Vi. If so, it asks for a new password PWinew.
3. Once the user enters the new password PWinew, the smart card checks N. If N is 0, then it selects a new value Nnew. Further, the smart card computes RPWnew = h(PWinew || Nnew), Rinew = Ri ⊕ h(IDi || RPW) ⊕ h(IDi || RPWnew), and Vinew = h(h(x || e) || RPWnew || IDi).
4. The smart card stores Rinew, Vinew, and Nnew in place of Ri, Vi, and N.

4 CRYPTANALYSIS OF TROUNG ET AL'S SCHEME

Through cryptanalysis, we observed that Troung et al's7 scheme is vulnerable to replay attack and does not provide user anonymity or perfect forward secrecy. We also proved that Troung et al's7 scheme does not provide any security to the server secret key and does not allow the user to choose his/her own password. This section discusses the security problems of Troung et al's7 scheme. The security weaknesses are illustrated below.

4.1 Password selection is done by server side

During the registration phase of Troung et al's7 scheme, the password is selected by the server S. The user has no choice in his/her own password selection. In Troung et al's7 scheme, if the user wants to choose his/her own password, then he/she must perform the password change phase. Suppose the user forgets to change the password after registration; then the user must remember the server-generated password to access the server next time. But server-generated passwords are long, random, and difficult to remember. Hence, the selection of the password must be done by the user. Unfortunately, Troung et al's7 scheme does not allow the user to choose his/her own password.

4.2 Insecure server secret key

In Troung et al's7 authentication scheme, encryption and decryption operations are done with the help of the server secret key. Once the secret key is compromised, there is a possibility of leakage of passwords. An adversary can get the secret key as follows. Assume that an adversary 𝒜 registers with the server as a legal user and obtains a smart card containing the parameters {Ri, Vi, N, e, h(.)}. Using these smart card parameters, 𝒜 first computes h(x || e) = h(RPWi || IDi) ⊕ Ri, where the values Ri and e are obtained from the smart card. Further, 𝒜 calculates RPWi = h(PWi || N), where N is obtained from the smart card. Now, to calculate the server's secret key, the adversary guesses a value x', computes h(x' || e), and compares it with the calculated h(x || e). If h(x' || e) = h(x || e), then the adversary has guessed the server secret key. If not, 𝒜 repeats the above procedure until he/she gets the correct value x. Hence, Troung et al's7 scheme does not provide any security to the server secret key.

4.3 Traceable user's identity

Assume that an adversary 𝒜 has stolen the log in message {CIDi, MACu, ru*P, e}. Now, 𝒜 can trace the identity of the user if he/she has knowledge of the server secret key x. In Section 4.2, we proved that Troung et al's7 scheme does not provide security to the server's secret key. By the method explained in Section 4.2, 𝒜 computes the server secret key x. Now, consider the equation IDi = h(ru*P || h(x || e)) ⊕ CIDi. The server uses this equation to extract IDi in the mutual authentication phase. Here, 𝒜 can obtain the values CIDi, e, and ru*P from the stolen log in message {CIDi, MACu, ru*P, e}. Once 𝒜 gets the server secret key x, he/she computes h(x || e) and IDi = h(ru*P || h(x || e)) ⊕ CIDi to obtain IDi. Hence, Troung et al's7 scheme does not provide user untraceability.

4.4 Replay attack

In Troung et al's7 scheme, when the log in message {CIDi, MACu, ru*P, e} is sent from Ui to the server S, the server starts further computation without verifying the freshness of the message. Suppose 𝒜 steals a previous successfully authenticated log in request message {CIDi, MACu, ru*P, e} and sends the same message to the server. The server will not verify the freshness of the received message. The server directly calculates h(x || e), IDi = h(ru*P || h(x || e)) ⊕ CIDi, and MACu' = h(IDi || h(x || e) || ru*P), and compares MACu' with MACu. Obviously, MACu' and MACu are equal, because the message which 𝒜 sent to the server is a previously successfully authenticated message. The server gives access to 𝒜. Hence, Troung et al's7 scheme does not provide security against replay attack.

4.5 No perfect forward secrecy

During the mutual authentication phase of Troung et al's7 scheme, Ui sends the authentication message Rus to the server through the public channel, where Rus = h(SK). If the adversary steals the authentication message, then he/she can guess the value of SK directly as follows. First, the adversary guesses SK', calculates Rus' = h(SK'), and compares Rus with Rus'. If Rus and Rus' are equal, then 𝒜 has guessed the correct value of SK; else, the adversary repeats the above process until he/she gets the correct value. Correct identification of the session key makes the entire session insecure. Hence, Troung et al's7 scheme does not provide perfect forward secrecy.

5 THE PROPOSED SCHEME

In this section, we propose a secure and enhanced authentication scheme using smart card. The proposed scheme uses the elliptic curve cryptosystem (ECC) for random variable generation and communication. An elliptic curve is a cubic equation of the form y^2 + a1·xy + a2·y = x^3 + a3·x^2 + a4·x + a5, where a1, a2, a3, a4, and a5 are real numbers. In ECC, the elliptic curve equation is defined in the form Ep(a, b): y^2 = x^3 + ax + b (mod p) over a prime finite field Fp, where a, b ∈ Fp, and the point multiplication over Ep(a, b) is s ∗ P = P + P + P + ... + P (s times).53 In the proposed scheme, we use the fuzzy verifier4 for quick wrong password detection. The proposed scheme contains a registration phase, a log in and authentication phase, and a password change phase. These phases are illustrated below.

5.1 Registration phase

Before registration, the system initializes some values. S selects an elliptic curve Ep over the finite field Fp with a large prime number p and a 1-way hash function h(.). The server also chooses a base point P of order n, selects x as its private key, and publishes the parameters {Ep, P, Fp, h(.)}. The registration phase of the proposed scheme is shown in Figure 2. When the user Ui wants to register for the first time, he/she follows the procedure given below:

1. User Ui chooses IDi, PWi, and a random number b.
2. Once Ui selects IDi and PWi, the client system computes the revised password RPW = h(IDi || PWi || b) and Ai = IDi ⊕ b, and sends {RPW, Ai} to the server S through a secure channel.
3. Upon receiving {RPW, Ai} from the user, S generates random numbers e and n0 and computes B = e.P, mi = h(e || x), Ri = mi ⊕ h(Ai || RPW), and Vi = h(Ri || Ai) mod n0.
4. After computation, S stores e and P into the database and {h(.), Vi, Ri, B, P, n0} into the smart card. The stored parameters {h(.), Vi, Ri, B, P, n0} are delivered to Ui through a secure channel.
5. Ui receives {h(.), Vi, Ri, B, P, n0} and computes Zi = h(IDi || PWi) ⊕ b. Ui stores Zi into the smart card. Finally, the parameters stored in the smart card are {h(.), Vi, Ri, Zi, B, P, n0}.

FIGURE 2 Registration phase of the proposed scheme

5.2 Log in and authentication phase

To log in to the server, Ui inserts the smart card and inputs IDi and PWi. The card performs the following procedure:

1. Computes b* = h(IDi || PWi) ⊕ Zi, Ai* = IDi ⊕ b*, and Vi* = h(Ri || Ai*) mod n0.
2. SC verifies the condition Vi* = Vi. This condition fails only if the entered IDi or PWi is wrong. If the condition is false, then the session is dropped immediately; else it computes RPW* = h(IDi || PWi || b) and mi* = Ri ⊕ h(RPW* || Ai*). The user generates a random number w ∈ [2, n − 1] and computes Cu = w.P, Ku = w.B, the dynamic ID CID = h(Ku || T || mi) ⊕ b, and MACu = h(CID || mi || Ku || b).
3. The smart card sends the log in request message {CID, Cu, MACu, T} to the server S through the public channel.

After receiving the log in request message {CID, Cu, MACu, T} from the user, further authentication is done as follows:

1. The server takes the present time T' and verifies the validity of the received message time T. The server first verifies the condition T' − T ≤ ΔT and also confirms that there is no other request with the same parameters within the period (T' − ΔT) to (T' + ΔT); then S performs the further calculation, else it rejects the request message {CID, ru*P, MACu, T} and drops the session.
2. Computes mi = h(e || x), Ku' = Cu.e, b' = CID ⊕ h(Ku' || T || mi'), and MACu' = h(CID || mi || Ku' || b).
3. S verifies the condition MACu = MACu'. If this condition is true, the server proceeds to the next step, else it drops the session.
4. S generates a random number y ∈ [2, n − 1] and computes Cs = y.P, Ks = y.Cu, SK = h(Ks || b' || mi), and MACs = h(SK || b' || T' || mi). S transmits {MACs, Cs, T'} to Ui for mutual authentication through the public channel.
5. The user receives {MACs, Cs, T'} and checks the validity of the time stamp T'. If T'' − T' ≥ ΔT, then the smart card rejects the message and drops the session, else it proceeds to the next step.
6. Computes Ks' = w.Cs, SK' = h(Ks' || b || mi), and MACs' = h(SK' || b' || T'). Verifies MACs' against the received MACs. If MACs' = MACs, it further computes RUS = h(SK || b) and sends RUS to the server; the server receives RUS, computes RUS' = h(SK' || b), and compares RUS and RUS'. If they are equal, then the server is assured that authentication was done with the legal user.
7. After successful authentication, further communication continues through the common session keys. The session key of the user, which is shared with the server, is SK' = h(ru ∗ rs ∗ P || b || mi), and the session key of the server, which is shared with the user, is SK = h(ru ∗ rs ∗ P || b' || mi).

The log in and authentication phase of the proposed scheme is shown in Figure 3.
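The registration and log in/authentication phases above, run end to end as an added example (not code from the paper): both sides' messages, the fuzzy-verifier check, the ΔT freshness and duplicate-request check of server step 1 (the check whose absence Section 4.4 exploits in Troung et al's scheme), and agreement on SK. It assumes secp256k1 as Ep(a, b), SHA-256 as h(.), ΔT = 60 s, a 24-bit n0, the single argument order h(Ai || RPW) for Ri on both sides (the text uses two), mi inside MACs' as the server computes it, and, since the request carries no user index, that S tries each stored e; all credentials are constructed.

```python
import hashlib, secrets

# secp256k1 domain parameters, assumed here as Ep(a, b) with a = 0, b = 7 (the paper fixes no curve)
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 60  # assumed ΔT in seconds

def ec_add(p1, p2):  # point addition on y^2 = x^3 + 7 over Fp; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # s * P = P + P + ... + P (s times), by double-and-add
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):  # 1-way hash h(.) over the concatenation ||; ints and points become 32-byte words
    words = lambda v: b"".join(i.to_bytes(32, "big") for i in (v if isinstance(v, tuple) else (v,)))
    return hashlib.sha256(b"".join(v if isinstance(v, bytes) else words(v) for v in parts)).digest()

xor = lambda a, b: bytes(i ^ j for i, j in zip(a, b))      # bitwise ⊕ of equal-length byte strings
rand_scalar = lambda: secrets.randbelow(N_ORD - 2) + 2     # random number in [2, n - 1]

class Server:
    def __init__(self):
        self.x = secrets.token_bytes(32)  # server secret key x; only h(e || x) is ever used
        self.db, self.seen = {}, []       # Ai -> e (e never leaves S), and a log of (T', request)
    def register(self, RPW, Ai, n0=2 ** 24):  # n0 sizes the fuzzy verifier (assumed value)
        e = rand_scalar()
        Ri = xor(h(e, self.x), h(Ai, RPW))    # Ri = mi ⊕ h(Ai || RPW) with mi = h(e || x)
        self.db[Ai] = e
        return {"Vi": int.from_bytes(h(Ri, Ai), "big") % n0, "Ri": Ri, "B": ec_mul(e, G), "n0": n0}
    def authenticate(self, req, now):
        """Server steps 1-4: freshness check, MACu check, then {MACs, Cs, T'}; None = dropped."""
        CID, Cu, MACu, T = req["CID"], req["Cu"], req["MACu"], req["T"]
        if abs(now - T) > DELTA_T or any(abs(now - t) <= DELTA_T and r == req for t, r in self.seen):
            return None  # stale T, or the same request already seen inside the ΔT window (a replay)
        self.seen.append((now, req))
        for e in self.db.values():  # assumption: the request names no user, so S tries each stored e
            mi, Ku = h(e, self.x), ec_mul(e, Cu)  # Ku' = e.Cu = e.w.P equals the card's Ku = w.B
            b = xor(CID, h(Ku, T, mi))
            if h(CID, mi, Ku, b) == MACu:
                break
        else:
            return None
        y = rand_scalar()
        self.sk, self.b = h(ec_mul(y, Cu), b, mi), b  # SK = h(Ks || b' || mi) with Ks = y.Cu
        return {"MACs": h(self.sk, b, now, mi), "Cs": ec_mul(y, G), "T2": now}

def register(server, IDi, PWi):  # client side of registration; Zi lets the card recover b later
    b = secrets.token_bytes(32)
    card = server.register(h(IDi, PWi, b), xor(IDi, b))  # {RPW, Ai} go over the secure channel
    card["Zi"] = xor(h(IDi, PWi), b)
    return card

def login_request(card, IDi, PWi, T):
    """Card steps 1-3: fuzzy-verifier check, then {CID, Cu, MACu, T}; None on a wrong password."""
    b = xor(h(IDi, PWi), card["Zi"])
    Ai = xor(IDi, b)
    if int.from_bytes(h(card["Ri"], Ai), "big") % card["n0"] != card["Vi"]:
        return None
    mi = xor(card["Ri"], h(Ai, h(IDi, PWi, b)))  # same argument order as at registration
    w = rand_scalar()
    Cu, Ku = ec_mul(w, G), ec_mul(w, card["B"])
    CID = xor(h(Ku, T, mi), b)
    return {"CID": CID, "Cu": Cu, "MACu": h(CID, mi, Ku, b), "T": T}, (w, b, mi)

def finish_login(state, reply, now):
    """Card steps 5-6: check T', recompute SK' and MACs', return (SK', RUS); None = dropped."""
    w, b, mi = state
    if reply is None or abs(now - reply["T2"]) > DELTA_T:
        return None
    SK = h(ec_mul(w, reply["Cs"]), b, mi)
    if h(SK, b, reply["T2"], mi) != reply["MACs"]:  # the text's step 6 omits mi, but S includes it
        return None
    return SK, h(SK, b)

def run_session(now=1_700_000_000):
    """Constructed end-to-end run: a wrong password, one good login, then a replay inside ΔT."""
    server, IDi, PWi = Server(), b"alice".ljust(32, b"\0"), b"correct-horse".ljust(32, b"\0")
    card = register(server, IDi, PWi)
    wrong = login_request(card, IDi, b"guess".ljust(32, b"\0"), now) is None
    req, state = login_request(card, IDi, PWi, now)
    SK, RUS = finish_login(state, server.authenticate(req, now + 1), now + 2)
    agreed = SK == server.sk and RUS == h(server.sk, server.b)  # S checks RUS' = h(SK' || b)
    return {"wrong_pw_rejected": wrong, "keys_agree": agreed,
            "replay_rejected": server.authenticate(req, now + 5) is None}
```

The replayed request is refused by the duplicate check alone, even though its timestamp is still inside ΔT; a card that loses freshness on T is caught by the first half of the same condition.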

5.3

Off-line password change phase

In this phase, Ui changes the password PWi to PWi*. The procedure to change the password is as follows:

1. Ui inserts the smart card and inputs IDi and PWi. The smart card computes $b^* = h(ID_i \| PW_i) \oplus Z_i$, $RPW^* = h(ID_i \| PW_i \| b)$ and $m_i^* = R_i \oplus h(RPW^* \| A_i^*)$, where $A_i^* = ID_i \oplus b^*$ and $V_i^* = h(R_i \| A_i^*) \bmod n_0$.
2. The smart card verifies whether the condition $V_i^* = V_i$ holds. If it is equal, the entered password is correct and the card asks for a new password PWi*; else the smart card drops the session.
3. Once the user chooses PWi*, the card computes $RPW^{new} = h(ID_i \| PW_i^* \| b)$, $R_i^{new} = R_i \oplus h(A_i \| RPW) \oplus h(A_i \| RPW^{new})$, $V_i^{new} = h(R_i^{new} \| A_i) \bmod n_0$ and $Z_i^{new} = h(ID_i \| PW_i^*) \oplus b$.
4. The smart card stores $R_i^{new}$, $V_i^{new}$ and $Z_i^{new}$ in place of $R_i$, $V_i$, $Z_i$.

6

SECURITY ANALYSIS OF THE PROPOSED SCHEME

6.1

Cryptanalysis of the proposed scheme

This section presents the cryptanalysis of the proposed scheme. Through this cryptanalysis, we show that the proposed scheme overcomes all the weaknesses pointed out in Troung et al's7 authentication scheme. The cryptanalysis of the proposed scheme is explained below.

FIGURE 3 Log in and authentication phase of the proposed scheme

6.1.1

Password selection is done on the user side

In the proposed scheme, unlike Troung et al's7 authentication scheme, password selection is done by the user. If the server selects the password, it could be long and random, which is difficult for a registered user to remember if he/she does not use the system frequently. Allowing the user to choose the password leaves that choice with him/her. In many real-life applications like online banking, social media subscriptions, and many other accounts, it is desirable that passwords be memorable. Therefore, the proposed scheme allows the user to choose the password.

6.1.2

Provides security to server secret key

The server's secret key is involved in the encryption and decryption operations. Therefore, it is important to protect the server's secret key. A good scheme protects the server's secret key from both the legal user and the adversary. In the proposed scheme, the server's secret key is never used in plaintext form in any operation. Like Troung et al's7 scheme, the proposed scheme also generates a random number e and calculates h(x || e) on the server side in the registration phase. But unlike Troung et al's7 scheme, the random number e is not stored in the smart card; it is stored in the server's database. This protects the server's secret key even if the smart card is lost. Hence, the proposed scheme provides security for the server's secret key.

6.1.3

Untraceable user's identity

In the proposed scheme, untraceability of Ui is preserved in each log in request. The proposed scheme computes the dynamic identity CID = h(Ku || T || mi) ⊕ b in each session, so CID is different at each log in attempt. In the proposed scheme, verification of IDi and PWi is done at the user side. Therefore, it is not required to use IDi directly in the calculation of CID. Consider the equation CID = h(Ku || T || mi) ⊕ b. Here, the user ID is not used directly. Instead of IDi, we use mi to calculate CID, where mi = Ri ⊕ h(RPW || Ai), RPW = h(IDi || PWi || b) and Ai = IDi ⊕ b. It is not possible to guess IDi even if an adversary has knowledge of mi. To calculate IDi, an adversary must know PWi and b, which are unknown to the adversary. Hence, the proposed scheme provides an untraceable user identity.

6.1.4

Provides security against replay attack

To avoid the replay attack, the server first verifies the freshness of the log in message; we use a time stamp to verify the freshness of the log in message. In the proposed scheme, once the server receives the log in message, it checks the validity of the time stamp T. The server verifies the condition T' − T ≤ ΔT and that no other log in message with the same parameters {CID, Cu, MACu, T} has been received within the time period (T' − ΔT) to (T' + ΔT), where T' is the time stamp generated by the server. If this condition is satisfied, S proceeds to the further calculation; if not, S rejects the log in request message. Assume that an adversary captures a previous successfully authenticated log in request message {CID, Cu, MACu, T} and sends the same message to the server. Here, S first checks the freshness of the log in message by generating a new time stamp T*. If the time stamp T in the log in request message is not modified, the condition T* − T ≤ ΔT fails and S rejects the log in message. Suppose an adversary changes the time stamp T to T** in the log in message. Then also the server drops the session, because the component values of the log in message are bound to the time stamp sent in the log in message. Therefore, the proposed scheme provides security against the replay attack.

6.1.5

Perfect forward secrecy

In the proposed scheme, RUS = h(SK || b) is the authentication message sent from the user to the server. An adversary cannot calculate SK by obtaining the value RUS. To calculate SK, the adversary must have knowledge of RUS and b. The adversary can obtain RUS from the public channel, but it is not possible to obtain the random number b, which is chosen by the user. Therefore, to calculate SK, the adversary has to guess both SK and b at the same time, which is not possible. Hence, the proposed scheme provides perfect forward secrecy.

6.2

Formal analysis of the proposed scheme using BAN logic

Burrows-Abadi-Needham logic54 is a formal method for the analysis of cryptographic protocols. This section presents the formal evaluation method and results using BAN logic. Before stepping into the method, the proof model, notations, and logical postulates are presented. According to BAN logic,54 principals, encryption keys and formulas are considered as objects. To illustrate these objects the following notations are used: P and Q will be principals, X and Y range over statements, and K will be the key. The symbols and notations used in the entire BAN model are given in the next section.

6.2.1

The BAN statements54

Once we have a formal definition of terms, we need a formal definition of the statements we may make (the constructs):

P believes X, or $P \mid\equiv X$: Principal P would be entitled to believe X. In particular, P can take X as true.
P sees X, or $P \triangleleft X$: Principal P has received some message X and is capable of reading and repeating it.
P said X, or $P \mid\sim X$: Principal P at some time sent a message including the statement X. It is not known whether this is a replay, though it is known that P believed X when he sent it.
P controls X, or $P \Rightarrow X$: The principal P is an authority on X and should be trusted on this matter.
fresh(X), or $\#(X)$: The message X is fresh; that is, X has not been sent in a message at any time before the current run of the protocol. This is usually true for nonces.
$P \overset{K}{\leftrightarrow} Q$: P and Q may use the shared key K to communicate. The key K is good in that it will be known only by P and Q.
$\overset{K}{\rightarrow} P$: P has K as a public key. The matching secret key (denoted $K^{-1}$) will never be discovered by any principal except P or a principal trusted by P.
$P \overset{X}{\rightleftharpoons} Q$: The formula X is a secret known only to P and Q, and possibly to principals trusted by them. Only P and Q may use X to prove their identities to one another. An example is a secret password.
$\{X\}_K$ or $[X]_K$: This represents the formula X encrypted under the key K. This is short for $[X]_K$ from P.
$\langle X \rangle_Y$: This represents X combined with the formula Y. Y is intended to be secret, and its presence proves the identity of whoever utters $\langle X \rangle_Y$. In implementations, X can simply be concatenated with the password Y. We assume that this is encrypted so that replay cannot be used.

6.2.2

Logical postulates54

1. Message meaning rules concern the interpretation of messages. They all derive beliefs about the origin of messages:
$$\frac{P \mid\equiv Q \overset{K}{\leftrightarrow} P,\quad P \triangleleft [X]_K}{P \mid\equiv Q \mid\sim X}$$
If P believes that the key K is shared with Q and sees X encrypted under K, then P believes that Q once said X.
2. The nonce verification rule expresses the check that a message is recent, and hence that the sender still believes in it:
$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$
3. The jurisdiction rule states that if P believes that Q has jurisdiction over X, then P trusts Q on the truth of X:
$$\frac{P \mid\equiv Q \Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$
4. If one part of the formula is fresh, then the entire formula must be fresh:
$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$$


TABLE 2 Symbols and keywords used to execute the proposed scheme

Symbols         Descriptions
.               Associative concatenation
,               Separates elements of a set
;               Sequential composition of roles
:=              Initialization of local variables
xor             Used for the xor operation
/\              Parallel composition of roles
=|>             Immediate transition
{ }_            Encryption or signature
agent           Data type for agents
channel(dy)     Intruder channel (Dolev-Yao model)
const           Constant data type
def=            Beginning of the body of a role
hash_func       One-way hash function
public_key      Public key data type
secret          Used to check secrecy
witness         Used to check authentication (together with request)
request         Used to check authentication (together with witness)

6.2.3

Proposed scheme goals

Formal analysis of the proposed scheme is nothing but verification of goal (G) achievement. Our goal is secure communication of SK between client and server. Therefore, to prove this, U and S should trust each other. Hence, we set mainly 4 goals (G1, G2, G3, G4), ie,

$G_1: U \mid\equiv U \overset{sk}{\leftrightarrow} S$,
$G_2: S \mid\equiv S \overset{sk}{\leftrightarrow} U$,
$G_3: U \mid\equiv S \mid\equiv U \overset{sk}{\leftrightarrow} S$,
$G_4: S \mid\equiv U \mid\equiv U \overset{sk}{\leftrightarrow} S$.

6.2.4

Proposed scheme assumptions

For the analysis of the proposed scheme using BAN logic, some assumptions are required to achieve the goals; these assumptions (A1, A2, A3, A4, A5, A6) are given below.

$A_1: U \mid\equiv U \overset{H(x\|e)}{\leftrightarrow} S$
$A_2: U \mid\equiv S \Rightarrow U \overset{sk}{\leftrightarrow} S$
$A_3: S \mid\equiv U \Rightarrow U \overset{sk}{\leftrightarrow} S$
$A_4: S \mid\equiv S \overset{H(x\|e)}{\leftrightarrow} U$
$A_5: S \mid\equiv \#T''$
$A_6: S \mid\equiv \#T$

6.2.5

Communicated messages

In the analysis of the proposed scheme, we use the BAN logic model to prove that the proposed scheme authenticates mutually and shares a common session key. To prove this, we use the communication messages that are sent and received through the insecure channel between client and server:

Message 1: {CID, Cu, MACu, T}
Message 2: {MACs, Cs, T'}
Message 3: {RUS}


FIGURE 4 Role specification for the Ui of the proposed scheme

6.2.6

Idealized form of the proposed scheme

To describe the BAN logic model, the scheme messages should be changed to the idealized forms, which are given below.

$MAC_u: (U \overset{H(x\|e)}{\leftrightarrow} S,\ w.e.P,\ b,\ T)$
$MAC_s: (U \overset{H(x\|e)}{\leftrightarrow} S,\ U \overset{sk}{\leftrightarrow} S,\ b,\ T')$
$R_{US}: (w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b')$

6.2.7

Security analysis proof

Analyzing the idealized form of the proposed scheme, we prove that the user and server securely share the common SK. Apply the message meaning rule with A1 and MACs, ie,

$$\frac{U \mid\equiv U \overset{H(x\|e)}{\leftrightarrow} S,\quad U \triangleleft \{(U \overset{H(x\|e)}{\leftrightarrow} S,\ U \overset{sk}{\leftrightarrow} S,\ b,\ T')\}}{U \mid\equiv S \mid\sim (U \overset{H(x\|e)}{\leftrightarrow} S,\ U \overset{sk}{\leftrightarrow} S,\ b,\ T')} \qquad (1)$$

According to A5 and MACs, apply the freshness rule, ie,

$$\frac{U \mid\equiv \#T'}{U \mid\equiv \#(U \overset{H(x\|e)}{\leftrightarrow} S,\ U \overset{sk}{\leftrightarrow} S,\ b,\ T')} \qquad (2)$$

According to (1) and (2), apply the nonce verification rule, ie,

$$\frac{U \mid\equiv \#(U \overset{H(x\|e)}{\leftrightarrow} S,\ U \overset{sk}{\leftrightarrow} S,\ b,\ T'),\quad U \mid\equiv S \mid\sim (U \overset{H(x\|e)}{\leftrightarrow} S,\ U \overset{sk}{\leftrightarrow} S,\ b,\ T')}{U \mid\equiv S \mid\equiv S \overset{sk}{\leftrightarrow} U} \qquad (3)$$

which satisfies G3. According to A2 and Equation 3, apply the jurisdiction rule, ie,

$$\frac{U \mid\equiv S \Rightarrow U \overset{sk}{\leftrightarrow} S,\quad U \mid\equiv S \mid\equiv U \overset{sk}{\leftrightarrow} S}{U \mid\equiv U \overset{sk}{\leftrightarrow} S} \qquad (4)$$

which satisfies G1. Apply the message meaning rule with A4 and RUS, ie,

$$\frac{S \mid\equiv S \overset{H(x\|e)}{\leftrightarrow} U,\quad S \triangleleft \{(w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b)\}}{S \mid\equiv U \mid\sim (w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b)} \qquad (5)$$

According to A5 and MACs, apply the freshness rule, ie,

$$\frac{S \mid\equiv \#T}{S \mid\equiv \#(w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b)} \qquad (6)$$

According to Equations 5 and 6, apply the nonce verification rule, ie,

$$\frac{S \mid\equiv \#(w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b),\quad S \mid\equiv U \mid\sim (w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b)}{S \mid\equiv U \mid\equiv (w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b)} \qquad (7)$$

From Equation 7,

$$\frac{S \mid\equiv U \mid\equiv (w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b)}{S \mid\equiv U \mid\equiv U \overset{sk}{\leftrightarrow} S} \qquad (8)$$

which satisfies G4. According to A2 and (8), apply the jurisdiction rule, ie,

$$\frac{S \mid\equiv U \Rightarrow (w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b),\quad S \mid\equiv U \mid\equiv (w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b)}{S \mid\equiv (w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b)} \qquad (9)$$

From Equation 9,

$$\frac{S \mid\equiv (w.y.P,\ U \overset{sk}{\leftrightarrow} S,\ b)}{S \mid\equiv S \overset{sk}{\leftrightarrow} U} \qquad (10)$$

which satisfies G2. In accordance with the proof, all the goals (G1, G2, G3, G4) are achieved. Now we can conclude that both the server and the user believe that the other believes the common SK is shared between the authorized user and server.

6.3

Result of formal security verification using AVISPA tool

Automated Validation of Internet Security Protocols and Applications (AVISPA) is a tool used for the verification of security protocols. It provides a formal language to state the protocols and their security properties and offers different back ends that implement different automatic analysis techniques. On-the-fly model checker,55 constraint logic-based attack searcher,56 SAT-based model checker,57 and tree automata based on automatic approximations for the analysis of security protocols58 are the 4 back ends supported by AVISPA for security analysis. To implement security protocols, AVISPA uses a language called high-level protocol specification language (HLPSL). HLPSL is a role-oriented language in which every participant plays a role during the execution. Each role is independent and communicates with the others through channels. In AVISPA, the Dolev and Yao59 model is used to design the intruder; under this model, the intruder can also play a legitimate role in the system. During execution of the protocol, the HLPSL code is converted into the intermediate format using the translator hlpsl2if. The back end then reads the intermediate format and analyses whether the security goals are satisfied. If the protocol satisfies all goals, AVISPA gives SAFE as output, else UNSAFE. The system also describes the number of sessions, the principals, and the roles. Based on the back ends, the output format is generated. After execution, the output format describes whether the protocol is SAFE or UNSAFE. Symbols and keywords of HLPSL used to execute the proposed scheme in AVISPA are given in Table 2.

FIGURE 5 Role specification for the S of the proposed scheme

In the proposed scheme, we have implemented the registration phase and the login and authentication phase in AVISPA. In this implementation, there are mainly two basic roles, called alice and bob, which represent the participants Ui and Sj. The role of Ui is given in Figure 4. Here, the process starts by receiving the start signal. After receiving the signal it changes state from 0 to 1, computes RPW and Ai, and sends the registration request message {RPW, Ai} to S using the symmetric key SKuisj. To send and receive parameters between client and server, we use the Snd() and Rcv() functions, respectively. Similarly, the server S begins the process by receiving the message {RPW, Ai} from Ui. The role of Sj is given in Figure 5. In Figures 6 and 7, we give the session and environment role specifications. In the session role, all the basic roles are included for composition. In the environment role, we specify the global constants and include one more session, where an adversary can play the legitimate user role. In the environment role, we also specify the goals of the proposed scheme. The result of formal verification using the AVISPA tool is presented in Figures 8 and 9. We used the on-the-fly model checker and constraint logic-based attack searcher back ends to obtain the simulation result of the proposed scheme. By this simulation result, we proved that the scheme is secure with respect to all defined goals.

FIGURE 6 Role specification for the session of the proposed scheme

FIGURE 7 Role specification for the goal and environment of the proposed scheme

FIGURE 8 On-the-fly model checker (OFMC) simulation result of proposed scheme

FIGURE 9 Constraint logic-based attack searcher (CL-AtSe) simulation result of proposed scheme

7

COMPUTATION EFFICIENCY

In the performance analysis, we mainly focused on computation cost. We compared the computation cost of the proposed scheme with that of the related schemes; the comparison is presented in Table 3. Here, H represents the 1-way hash function, ME denotes modular exponentiation, and ECC signifies elliptic curve scalar multiplication. We also present the estimated execution time of the proposed scheme in the same table, using the simulation timings for the various operations reported by Xie et al.60 According to Xie et al,60 the simulation was done using the MIRACL library on a Windows 7 SP1 64-bit PC with an Intel Core i5-3210M CPU at 2.5 GHz and 8 GB RAM. In this simulation, 1 hash operation takes 0.068 ms (milliseconds), 1 block encryption/decryption takes 0.56 ms, 1 modular exponentiation takes 3.043 ms, and 1 scalar multiplication on the elliptic curve takes 2.501 ms. The proposed scheme takes 14H + 6ECC + 1ME in the log in and authentication phase to execute the protocol; its estimated computation time is 19.001 ms. Compared with the other schemes, the proposed scheme takes more computation time to execute the protocol. In the proposed scheme, we used the fuzzy-verifier quick password verification, a technique that also overcomes the dilemma of usability maintenance while achieving security even after smart card tampering.4 We also used public key operations to preserve anonymity and secrecy. Therefore, the proposed scheme has a higher computation cost than the other schemes. However, the proposed scheme resists all the attacks, whereas the other schemes are vulnerable to different attacks as listed in Table 4.

Table 4 summarizes the comparison of various security attacks and goals of recent schemes with the proposed scheme. The attacks included in the table are denial of service attack, password guessing attack, parallel session attack, server masquerading attack, insider attack, and stolen smart card attack. It also presents goals such as quick password verification, security for the server's secret key, user anonymity, and perfect forward secrecy. Here, Y denotes that the scheme provides security for the particular attack or goal, and N denotes that it does not. The proposed scheme resists all attacks and satisfies all goals. This result shows that the proposed scheme is more robust than the other schemes.

TABLE 3 Computational cost comparison

Schemes            Computation Cost    Estimated Time, ms
Wen and Li14       21H                 1.768
Ding et al17       16H + 3ME           10.829
Truong et al7      13H + 3ECC          8.659
Proposed scheme    14H + 6ECC + 1ME    19.001

TABLE 4 Comparison of security attacks and characteristics

Security Attacks and Goals                  Wen and Li14   Ding et al17   Troung et al7   Proposed Scheme
Resilience to denial of service attack      Y              Y              N               Y
Resilience to password guessing attack      Y              Y              N               Y
Resilience to parallel session attack       Y              Y              Y               Y
Resilience to server masquerading attack    Y              N              Y               Y
Resilience to insider attack                N              N              Y               Y
Resilience to stolen smart card attack      N              N              Y               Y
Resilience to replay attack                 Y              Y              N               Y
Resilience to impersonation attack          Y              N              N               Y
Provides quick password verification        N              Y              Y               Y
Provides security for server secret key     Y              N              N               Y
Provides user anonymity                     Y              N              N               Y
Provides perfect forward secrecy            N              N              N               Y

8

CONCLUSION

In this study, cryptanalysis of Troung et al's7 scheme is presented and its vulnerabilities are identified. To overcome these security problems, a robust authentication scheme is proposed, which is capable of resisting all attacks. This scheme is developed with fewer hash operations, so that it becomes more lightweight, which also makes it easier to implement in practice. Through security analysis, it is proved that the proposed scheme protects against all the pointed-out weaknesses. The computation cost comparison illustrates the practical suitability of the proposed scheme. Hence, we conclude that the proposed scheme is more robust and easy to implement in practice.

ORCID
Madhusudhan R http://orcid.org/0000-0002-2775-254X
Imran Memon http://orcid.org/0000-0002-8202-6604

REFERENCES

1. Kizza JM. A Guide to Computer Network Security. London: Springer; 2009.
2. Steiner JG, Neuman BC, Schiller JI. Kerberos: An authentication service for open network systems. In: Usenix Winter; 1988; Dallas, Texas:191-202.
3. Tatlı EI. Cracking more password hashes with patterns. IEEE Trans Inf Forensics Secur. 2015;10(8):1656-1665.
4. Wang D, Wang P. Two birds with one stone: two factor authentication with security beyond conventional bound. IEEE Trans Dependable Secure Comput. 2016:1. https://doi.org/10.1109/TDSC.2016.2605087
5. Madhusudhan R, Mittal R. Dynamic ID based remote user password authentication schemes using smart cards: a review. J Netw Comput Appl. 2012;35(4):1235-1248.
6. Wang D, He D, Wang P, Chu CH. Anonymous two factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secure Comput. 2015;12(4):428-442.
7. Truong TT, Tran MT, Duong AD. Enhanced dynamic authentication scheme (EDAS). Inf Syst Front. 2014;16(1):113-127.
8. Das ML, Saxena A, Gulati VP. A dynamic ID based remote user authentication scheme. IEEE Trans Consum Electron. 2004;50(2):629-631.
9. Liao IE, Lee CC, Hwang MS. Security enhancement for a dynamic ID based remote user authentication scheme. In: Next Generation Web Services Practices, 2005. NWeSP 2005. International Conference on. IEEE; 2005; Seoul, South Korea:4.
10. Yoon EJ, Yoo KY. Improving the dynamic ID based remote mutual authentication scheme. In: On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. Springer; October 29 - November 3, 2006; Montpellier, France:499-507.
11. Wang YY, Liu JY, Xiao FX, Dan J. A more efficient and secure dynamic ID based remote user authentication scheme. Comput Commun. 2009;32(4):583-585.
12. Yeh KH, Su C, Lo NW, Li Y, Hung YX. Two robust remote user authentication protocols using smart cards. J Syst Software. 2010;83(12):2556-2565.
13. Wang RC, Juang WS, Lei CL. Robust authentication and key agreement scheme preserving the privacy of secret key. Comput Commun. 2011;34(3):274-280.
14. Wen F, Li X. An improved dynamic ID based remote user authentication with key agreement scheme. Comput Electr Eng. 2012;38(2):381-387.
15. Khan MK, Kim SK, Alghathbar K. Cryptanalysis and security enhancement of a more efficient & secure dynamic ID based remote user authentication scheme. Comput Commun. 2011;34(3):305-309.
16. An YH. Security improvements of dynamic ID based remote user authentication scheme with session key agreement. In: Advanced Communication Technology (ICACT), 2013 15th International Conference on. IEEE; 2013; PyeongChang, South Korea:1072-1076.
17. Ding W, Chun-guang M. Cryptanalysis and security enhancement of a remote user authentication scheme using smart cards. J China Univ Posts Telecommun. 2012;19(5):104-114.
18. Chen TH, Hsiang HC, Shih WK. Security enhancement on an improvement on two remote user authentication schemes using smart cards. Future Gener Comput Syst. 2011;27(4):377-380.
19. Li X, Ma J, Wang W, Xiong Y, Zhang J. A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Math Comput Modell. 2013;58(1-2):85-95.
20. Lee CC, Lin TH, Chang RX. A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Syst Appl. 2011;38(11):13863-13870.
21. Li X, Niu J, Khan MK, Liao J. An enhanced smart card based remote user password authentication scheme. J Netw Comput Appl. 2013;36(5):1365-1371.
22. Chen BL, Kuo WC, Wuu LC. Robust smart-card-based remote user password authentication scheme. Int J Commun Syst. 2014;27(2):377-389.
23. Kumari S, Khan MK, Li X. An improved remote user authentication scheme with key agreement. Comput Electr Eng. 2014;40(6):1997-2012.
24. Chang YF, Tai WL, Chang HC. Untraceable dynamic identity based remote user authentication scheme with verifiable password update. Int J Commun Syst. 2014;27(11):3430-3440.
25. Sood SK, Sarje AK, Singh K. An improvement of Liou et al.'s authentication scheme using smart cards. Int J Comput Appl. 2010;1(8):16-23.
26. Li X, Niu J, Liao J, Liang W. Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. Int J Commun Syst. 2015;28(2):374-382.
27. Memon I, Hussain I, Akhtar R, Chen G. Enhanced privacy and authentication: an efficient and secure anonymous communication for location based service using asymmetric cryptography scheme. Wirel Pers Commun. 2015;84(2):1487-1508.
28. Memon I. A secure and efficient communication scheme with authenticated key establishment protocol for road networks. Wirel Pers Commun. 2015;85(3):1167-1191.
29. Maitra T, Obaidat MS, Amin R, Islam S, Chaudhry SA, Giri D. A robust ElGamal-based password-authentication protocol using smart card for client-server communication. Int J Commun Syst. 2017;30(11):e3242.
30. Lee YC, Hsieh YC, Lee PJ, You PS. Improvement of the ElGamal based remote authentication scheme using smart cards. J Appl Sci Technol. 2014;12(6):1063-1072.
31. Wang C, Wang D, Xu G, Guo Y. A lightweight password-based authentication protocol using smart card. Int J Commun Syst. 2017;30:e3336.
32. Wang D, Gu Q, Cheng H, Wang P. The request for better measurement: a comparative evaluation of two-factor authentication schemes. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. ACM; 2016:475-486.
33. Odelu V, Das AK, Goswami A. A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur. 2015;10(9):1953-1966.
34. Kumari S, Khan MK. Cryptanalysis and improvement of a robust smart-card-based remote user password authentication scheme. Int J Commun Syst. 2014;27(12):3939-3955.
35. Nikooghadam M, Jahantigh R, Arshad H. A lightweight authentication and key agreement protocol preserving user anonymity. Multimed Tools Appl. 2017;76(11):13401-13423.
36. Chaudhry SA, Farash MS, Naqvi H, Kumari S, Khan MK. An enhanced privacy preserving remote user authentication scheme with provable security. Secur Commun Netw. 2015;8(18):3782-3795.
37. Memon I, Arain QA, Memon MH, Mangi FA, Akhtar R. Search me if you can: multiple mix zones with location privacy protection for mapping services. Int J Commun Syst. 2017;30(16):e3312.
38. Memon I, Chen L, Arain QA, Memon H, Chen G. Pseudonym changing strategy with multiple mix zones for trajectory privacy protection in road networks. Int J Commun Syst. 2018;31(1):e3437.
39. Li X, Ibrahim MH, Kumari S, Sangaiah AK, Gupta V, Choo KKR. Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. Comput Netw. 2017;129:429-443.
40. Chandrakar P, Om H. An efficient two-factor remote user authentication and session key agreement scheme using Rabin cryptosystem. Arab J Sci Eng. 2018;43(2):661-673.
41. Song R. Advanced smart card based password authentication protocol. Comput Stand Interfaces. 2010;32(5):321-325.
42. Xu J, Zhu WT, Feng DG. An improved smart card based password authentication scheme with provable security. Comput Stand Interfaces. 2009;31(4):723-728.
43. Yoon EJ, Ryu EK, Yoo KY. An improvement of Hwang–Lee–Tang's simple remote user authentication scheme. Comput Secur. 2005;24(1):50-56.
44. Wang D, Wang P, Ma CG, Chen Z. iPass: Robust smart card based password authentication scheme against smart card loss problem. J Comput Syst Sci. Accepted 2014;1-35. Full version available at http://eprint.iacr.org/2012/439.pdf
45. Wang Y. Password protected smart card and memory stick authentication against off-line dictionary attacks. In: IFIP International Information Security Conference. Springer; June 4 - June 6, 2012; Heraklion, Crete, Greece:489-500.
46. Yang G, Wong DS, Wang H, Deng X. Two factor mutual authentication based on smart cards and passwords. J Comput Syst Sci. 2008;74(7):1160-1172.
47. Huang X, Chen X, Li J, Xiang Y, Xu L. Further observations on smart card based password authenticated key agreement in distributed systems. IEEE Trans Parallel Distrib Syst. 2014;25(7):1767-1775.
48. Wang D, Wang P. Offline dictionary attack on password authentication schemes using smart cards. In: Information Security. Springer; 2015; Dallas, Texas:221-237.
49. Wu S, Zhu Y, Pu Q. Robust smart cards based user authentication scheme with user anonymity. Secur Commun Netw. 2012;5(2):236-248.
50. Liao IE, Lee CC, Hwang MS. A password authentication scheme over insecure networks. J Comput Syst Sci Int. 2006;72(4):727-740.
51. Yang G, Wong DS, Wang H, Deng X. Formal analysis and systematic construction of two factor authentication scheme (short paper). In: International Conference on Information and Communications Security. Springer; December 4 - December 7, 2006; Raleigh, NC, USA:82-91.
52. Tsai CS, Lee CC, Hwang MS. Password authentication schemes: current status and key issues. Int J Network Secur. 2006;3(2):101-115.
53. Koblitz N. Elliptic curve cryptosystems. Math Comput. 1987;48(177):203-209.
54. Burrows M, Abadi M, Needham RM. A logic of authentication. In: Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences, Vol. 426. The Royal Society; 1989; London:233-271.
55. Basin D, Mödersheim S, Vigano L. OFMC: A symbolic model checker for security protocols. Int J Inf Secur. 2005;4(3):181-208.
56. Turuani M. The CL-AtSe protocol analyser. In: International Conference on Rewriting Techniques and Applications. Springer; 2006; Seattle, WA, USA:277-286.
57. Armando A, Compagna L. SATMC: A SAT-based model checker for security protocols. In: European Workshop on Logics in Artificial Intelligence. Springer; 2004; New York:730-733.
58. Boichut Y, Héam PC, Kouchnarenko O, Oehl F. Improvements on the Genet and Klay technique to automatically verify security protocols. In: International Workshop on Automated Verification of Infinite-State Systems (AVIS'2004). Proc. AVIS, vol. 4, 2004:1-11.
59. Dolev D, Yao A. On the security of public key protocols. IEEE Trans Inf Theory. 1983;29(2):198-208.
60. Xie Q, Wong DS, Wang G, Tan X, Chen K, Fang L. Provably secure dynamic ID-based anonymous two-factor authenticated key exchange protocol with extended security model. IEEE Trans Inf Forensics Secur. 2017;12(6):1382-1392.

How to cite this article: R M, Hegde M, Memon I. A secure and enhanced elliptic curve cryptography based dynamic authentication scheme using smart card. Int J Commun Syst. 2018;e3701. https://doi.org/10.1002/dac.3701