Anonymity Preserving Secure Hash Function Based Authentication Scheme for Consumer USB Mass Storage Device

Ruhul Amin
Computer Science and Engineering, Indian School of Mines, Dhanbad, Jharkhand 826004
amin [email protected]

GP Biswas
Computer Science and Engineering, Indian School of Mines, Dhanbad, Jharkhand 826004
[email protected]

Abstract—A USB (Universal Serial Bus) mass storage device makes a USB device accessible to a host computing device and enables file transfers after mutual authentication between the authentication server and the user has completed. It is also a very popular device because of its portability, large storage capacity and high transmission speed. To protect the privacy of a file transferred to a storage device, several security protocols have been proposed, but none of them is completely free from security weaknesses. Recently He et al. [1] proposed an efficient multi-factor security protocol, but the protocol is not suitable for practical implementation, as it does not provide a password change procedure, which is an essential phase of any password based user authentication and key agreement protocol. Since the computation and implementation of a cryptographic one-way hash function is more trouble-free than other existing cryptographic algorithms, we propose a lightweight and anonymity preserving three-factor user authentication and key agreement protocol for consumer mass storage devices and analyze it using BAN logic. Furthermore, we present an informal security analysis of the proposed protocol and confirm that the protocol is completely free from security weaknesses and applicable for practical implementation.

I. INTRODUCTION

The USB (Universal Serial Bus) is the most popular standard interface for connecting consumer electronic devices such as keyboards, chargers, cell phones, printers and flash disks, because of its high availability and ease of connectivity. Although it has great advantages, it suffers from some weaknesses: (1) anyone, including an unauthorized user, can easily read or steal confidential information, as all the information is stored in plain text; (2) an attacker can intercept all the transmitted information, as the channel between the device and the computer is open to the attacker. To solve these problems, an authentication protocol can be implemented to ensure user privacy and secure communication between the computer and the storage device, so that it can be used in many application areas. Over the last 10 years, many two-factor or three-factor smart card based session key agreement protocols have been proposed in the literature. Lamport [2] first proposed a password based user authentication and key agreement protocol, and thereafter many password based authentication protocols [3], [4], [5], [6], [7], [8] have been introduced, but most of them suffer from password guessing attacks, as most users' passwords are of low entropy and therefore guessable. In addition, a malicious user or attacker can forcibly obtain a password from a valid user by some means and then act as a valid user to the system. To overcome these difficulties, biometric features can be combined with the password to provide a strong security system. The following properties imply that biometric based remote user authentication schemes [9], [10], [11], [12], [13] are more secure than password based authentication schemes:
1) A biometric key cannot be lost or forgotten and is very difficult to copy or share.
2) A biometric key is extremely hard to forge or distribute.
3) Guessing a biometric key is dreadfully hard.

The USB mass storage device can store one or more files as per the user's choice, and if the mass storage device is stolen by some means by an attacker, then he/she easily gets all the files stored in it. So, the security of the files stored in the USB storage device is an important issue. To solve this problem, Yang et al. [14] first proposed a secure control protocol using the Schnorr signature scheme [15] to provide file secrecy for the USB mass storage device. Chen et al. [16] proposed a secure authentication protocol for removable mass storage media, and it has been found that the protocol is vulnerable to forgery and replay attacks. In 2013, Lee et al. [17] showed that the protocol proposed by Yang et al. [14] was computationally heavy due to its use of modular exponentiation operations. To solve this, Lee et al. proposed a lightweight three-factor key agreement protocol for consumer USB mass storage devices using ECC and claimed that their protocol is efficient in terms of security and complexity. But recently He et al. [1] demonstrated that the Lee et al. protocol suffers from password guessing, DoS (denial-of-service) and replay attacks, and proposed an enhanced version of the Lee et al. protocol. Like Lee et al., He et al. also claimed that their protocol is applicable in practical implementation. After a long review of the papers on user authentication and session key agreement for providing file secrecy of USB mass storage devices, it is confirmed that no suitable authentication protocol exists in the literature so far, as most of the protocols do not provide the complete security requirements. Following this discussion, we propose a lightweight and anonymity preserving user authentication and key agreement protocol for USB mass storage devices which is free from security weaknesses and covers all aspects, such as a password change phase, mutual authentication, an efficient login phase, etc. The system architecture of the proposed protocol is the same as in [1]. The rest of the paper is organized as follows: in Section II, we discuss the concept and properties of the cryptographic one-way hash function and some fuzzy extractor definitions as preliminaries of our work. Section III addresses our proposed protocol. The authentication proof using BAN logic is given in Section IV. Discussion and security analysis of the proposed protocol are given in Section V. Finally, we conclude the paper in Section VI.

II. PRELIMINARIES

In this section, the basic concepts of the cryptographic one-way hash function and the fuzzy extractor used in the proposed protocol are briefly reviewed.

Cryptographic One-way Hash Function: A cryptographic one-way hash function maps a string of arbitrary length to a string of fixed length called the hashed value. It can be symbolized as $h : X \to Y$, where $X = \{0,1\}^*$ and $Y = \{0,1\}^n$; $X$ is a binary string of arbitrary length and $Y$ is a binary string of fixed length $n$. It is used in many cryptographic applications such as digital signatures, random sequence generators in key agreement, authentication protocols and so on. A cryptographic one-way hash function satisfies the following properties:
1) Preimage Resistant: It is hard to find $m$ from a given $y$, where $h(m) = y$.
2) Second-Preimage Resistant: For a given input $m \in X$, it is hard to find an input $m' \in X$ such that $h(m) = h(m')$ and $m' \neq m$.
3) Collision Resistant: It is hard to find a pair $(m, m') \in X \times X$ such that $h(m) = h(m')$, where $m \neq m'$.
4) Mixing-Transformation: On any input $m \in X$, the hashed value $y = h(m)$ is computationally indistinguishable from a uniform binary string in the interval $\{0, 2^n\}$, where $n$ is the output length of the hash $h(\cdot)$.

Some definitions on fuzzy extractors:

Definition 1. Metric Space [18]: A metric space is a set $\Upsilon$ with a distance function $\mathrm{dis}: \Upsilon \times \Upsilon \to \mathbb{R}^+ = [0, \infty)$ which satisfies various natural properties. The Hamming metric is an example of a metric space, defined as $\Upsilon = \Gamma^n$ (e.g. $\Gamma = \{0,1\}$), where $\mathrm{dis}(\omega, \omega')$ is the number of positions in which $\omega$ and $\omega'$ differ.

Definition 2. Statistical Distance [18]: It is the distance between two probability distributions $\alpha, \beta$ and is denoted by $SD(\alpha, \beta) = \frac{1}{2}\sum_v \left|\Pr[\alpha = v] - \Pr[\beta = v]\right|$.

Definition 3. Entropy [18]: The min-entropy $H_\infty(\alpha)$ of a random variable $\alpha$ is $-\log(\max_a \Pr[\alpha = a])$.

A fuzzy extractor extracts a nearly random string $\sigma$ from a biometric characteristic $\omega$ in an error tolerant way. If the input changes but remains close to $\omega$, the extracted $\sigma$ remains the same. To assist in recovering $\sigma$ from a biometric characteristic input $\omega'$, a fuzzy extractor outputs an auxiliary string $\eta$. However, $\sigma$ remains uniformly random for a given $\eta$. The fuzzy extractor is formally defined as below:

Definition 4. Fuzzy extractor [18]: A $(\gamma, m, l, t, \varepsilon)$ fuzzy extractor is given by two procedures, Gen and Rep. Gen is a probabilistic generation procedure which, on a (biometric characteristic) input $\omega \in \gamma$, outputs an extracted string $\sigma \in \{0,1\}^l$ and an auxiliary string $\eta$. For any distribution $W$ on $\gamma$ of min-entropy $m$, if $\langle \sigma, \eta \rangle \leftarrow \mathrm{Gen}(W)$, then $SD(\langle \sigma, \eta \rangle, \langle U_l, \eta \rangle) \le \varepsilon$, where $U_l$ denotes the uniform distribution on $l$-bit strings. Rep is a deterministic reproduction procedure allowing recovery of $\sigma$ from the corresponding auxiliary string $\eta$ and any vector $\omega'$ close to $\omega$: for all $\omega, \omega' \in \gamma$ satisfying $\mathrm{dis}(\omega, \omega') \le t$, if $\langle \sigma, \eta \rangle \leftarrow \mathrm{Gen}(\omega)$, then $\mathrm{Rep}(\omega', \eta) = \sigma$.
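To make Definitions 1 to 4 concrete, here is an added example, written for this edit and not part of the paper or of [18], of a toy fuzzy extractor over the Hamming metric: Gen masks the biometric template with a random codeword of a repetition code (the secure sketch), Rep corrects the errors by majority vote inside each block and re-derives the same σ, and a salted SHA-256 stands in for the strong extractor of [18]. The bit-list representation of templates, REP = 5 and the choice of SHA-256 are assumptions of the example.

```python
import hashlib
import os

# Added example (not from the paper): a toy fuzzy extractor in the sense of
# Definition 4, built from a repetition-code secure sketch over the Hamming
# metric of Definition 1. Biometric templates are modelled as lists of bits.
REP = 5                  # each code bit is repeated REP times (assumption)
T = (REP - 1) // 2       # errors tolerated per block by majority decoding

def hamming(w1, w2):
    """dis(w, w') of Definition 1: number of positions in which they differ."""
    return sum(a != b for a, b in zip(w1, w2))

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _encode(msg_bits):
    # repetition code: each message bit becomes a block of REP equal bits
    return [b for b in msg_bits for _ in range(REP)]

def _decode(code_bits):
    # majority vote inside each block of REP bits corrects up to T errors
    return [1 if sum(code_bits[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(code_bits), REP)]

def gen(omega):
    """Gen(omega) -> (sigma, eta); omega is a bit list, len(omega) % REP == 0."""
    if len(omega) % REP:
        raise ValueError("template length must be a multiple of REP")
    # secure sketch: mask omega with a random codeword of the repetition code
    msg = [b & 1 for b in os.urandom(len(omega) // REP)]
    sketch = _xor(omega, _encode(msg))
    salt = os.urandom(16)
    # salted hash stands in for the strong extractor of [18]; eta = (sketch, salt)
    sigma = hashlib.sha256(salt + bytes(omega)).digest()
    return sigma, (sketch, salt)

def rep(omega_prime, eta):
    """Rep(omega', eta) -> sigma whenever each REP-bit block has at most T errors."""
    sketch, salt = eta
    noisy_codeword = _xor(omega_prime, sketch)      # = codeword XOR error pattern
    codeword = _encode(_decode(noisy_codeword))     # correct the errors
    omega = _xor(sketch, codeword)                  # recover the enrolled omega
    return hashlib.sha256(salt + bytes(omega)).digest()
```

Here the tolerance $t$ of Definition 4 is $T$ errors in each block of REP bits rather than a global bound, and the sketch leaks $n - n/\mathrm{REP}$ bits about $\omega$ (the code-offset construction loses entropy equal to the redundancy of the code), which is why [18] derives $\sigma$ through an extractor instead of using $\omega$ directly.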

III. PROPOSED PROTOCOL

In this section, we propose a user authentication and key agreement protocol for providing file secrecy of the USB mass storage device using a cryptographic one-way hash function. The proposed method comprises four phases, namely the registration phase, the verification and data encryption phase, the key agreement phase and the password change phase, as described below; the notations used are listed in Table I.

TABLE I. LIST OF NOTATIONS USED

Symbol       Description
$U_i$        $i$-th user
$AS$         Authentication server
$P_i$        Password of the user $U_i$
$ID_i$       Identity of the user $U_i$
$B_i$        Biometric of the user $U_i$
$x$          Secret key of the authentication server (AS)
$F_n$        Encrypted file name
$T_a$        Timestamp generated by the user $U_i$
$T_s$        Timestamp generated by the AS
$h(\cdot)$   Cryptographic one-way hash function
$\|$         Concatenation operation
$E(\cdot)$   Symmetric key encryption algorithm
$D(\cdot)$   Symmetric key decryption algorithm

A. Registration Phase

This is the initial phase of the proposed protocol: whenever a new user wants to register with the trusted server, he/she needs to register with the server. During registration, the $i$-th user (for $i = 1$ to $n$) computes $(\sigma_i, \eta) = \mathrm{Gen}(B_i)$ and provides the user identity $PID_i = h(ID_i \| \sigma_i)$, the masked password $MPW_i = h(P_i \| ID_i)$ and the biometric template $B_i$, where $P_i$ is the password of the user, to the server through a secure channel or in person; however, for user anonymity protection, we do not provide the user's original identity to the server. The server maintains a table which stores $PID_i$ for all users $U_i$. After receiving the registration message, the server first checks the uniqueness of $PID_i$, that is, whether the parameter $PID_i$ already exists in the database. If it exists, the server sends a re-registration request message to the user asking for a new identity; otherwise, it computes the following operations:
$E_i = h(h(PID_i \| x) \| MPW_i)$
$S_i = h(PID_i \| x) \oplus MPW_i$
Then, AS stores $\langle E_i, S_i \rangle$ in the USB storage device and delivers it to the user securely. After getting it, the user computes $BPW_i = \eta \oplus h(P_i)$ and finally stores it in the USB storage device.

B. Verification and Data Encryption Phase

This phase executes several steps to achieve mutual authentication between the user and the authentication server. All the steps of this phase are presented below:

Step 1: $U_i$ inserts his/her USB storage device into the client machine and inputs $ID_i'$, $P_i'$, $B_i'$. Then the device computes $\eta' = BPW_i \oplus h(P_i')$, $\sigma_i' = \mathrm{Rep}(B_i', \eta')$, $PID_i' = h(ID_i' \| \sigma_i')$, $MPW_i' = h(P_i' \| ID_i')$, $W_i' = S_i \oplus MPW_i'$, $S_i' = h(W_i' \| MPW_i')$ and matches the computed $S_i'$ with the stored $S_i$. If it matches, the user $U_i$ has provided the correct identity, password and biometric template; otherwise, the current session is terminated. The USB storage device then takes the current timestamp $T_u$ and computes $a = h(T_u)$, $K_i = a \oplus W_i$, $X_i = h(PID_i \| a \| F_n \| W_i \| MPW_i)$ and sends $M_1 = \langle PID_i, K_i, F_n, X_i, S_i \rangle$ to the AS through the open channel, where $F_n$ represents the encrypted file name.

Step 2: After receiving $M_1$, AS computes $W_i^* = h(PID_i \| x)$, $MPW_i^* = S_i \oplus W_i^*$, $a^* = K_i \oplus W_i^*$, $X_i^* = h(PID_i \| a^* \| F_n \| W_i^* \| MPW_i^*)$ and verifies whether the computed $X_i^*$ and the received $X_i$ are equal. If they are not equal, AS terminates the session; otherwise, it takes the system timestamp $T_s$ and computes the following operations:
$b = h(T_s)$
$L_i = a^* \oplus b$
$SK = h(PID_i \| a^* \| b \| MPW_i^*)$
$n = h(x \| F_n)$
$C = E_{SK}(n)$
$Y_i = h(\text{"0"} \| PID_i \| a^* \| F_n \| b \| n \| W_i^* \| MPW_i^*)$
Finally, AS sends $M_2 = \langle L_i, C, Y_i \rangle$ to the USB storage device through the open channel.

Step 3: After receiving $M_2$, the USB storage device computes $b^* = L_i \oplus a$, $SK^* = h(PID_i \| a \| b^* \| MPW_i)$ and decrypts $n^* = D_{SK^*}(C)$ using the computed $SK^*$. Then it further computes $Y_i^* = h(\text{"0"} \| PID_i \| a \| F_n \| b^* \| n^* \| W_i \| MPW_i)$ and verifies it against the received $Y_i$. If it does not hold, the session is terminated; otherwise, it computes $Z_i = h(\text{"1"} \| PID_i \| a \| F_n \| b^* \| n^* \| W_i \| MPW_i)$ and sends $\langle Z_i \rangle$ to the AS through the open channel.

Step 4: After getting it, AS computes $Z_i^* = h(\text{"1"} \| PID_i \| a^* \| F_n \| b \| n \| W_i^* \| MPW_i^*)$ and verifies it against the received $Z_i$. If it holds, $U_i$ is authentic, and the protocol achieves the mutual authentication property.
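As an added, runnable illustration of the registration and verification phases above, together with the key agreement and password change phases described in the following subsections (example code written for this edit, not the authors' implementation), the following Python simulation plays both the USB storage device and the AS. Its assumptions: $h(\cdot)$ is SHA-256, $E/D$ is a one-time pad keyed by $h(SK \| \text{"enc"})$ standing in for a real symmetric cipher, Gen/Rep are stand-ins without error tolerance (an exact biometric template is required), and $a$ and $b$ are hashes of the current timestamp as in Steps 1 and 2. One reading choice is flagged in the code: the device's local check compares $h(W_i' \| MPW_i')$ with the stored $E_i$, since by the registration equations $E_i = h(h(PID_i \| x) \| MPW_i)$.

```python
import hashlib
import os
import time

# Added example (not the paper's code): simulation of the proposed protocol.
# Names follow Table I; E/D and Gen/Rep are stand-ins (see lead-in).

def h(*parts):
    """h(.) over the concatenation (||) of its inputs; SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(key, m):
    """Stand-in for E_SK(.)/D_SK(.): one-time pad keyed by h(SK || "enc")."""
    return xor(m, h(key, b"enc"))

dec = enc

def gen(B):
    """Stand-in Gen/Rep with no error tolerance: Rep needs the exact template."""
    eta = os.urandom(32)
    return h(B, eta), eta

def rep(B, eta):
    return h(B, eta)

def fresh():
    """a = h(T_u) and b = h(T_s): hash of the current timestamp."""
    return h(str(time.time_ns()).encode())

class AuthServer:
    def __init__(self):
        self.x = os.urandom(32)   # secret key x of AS
        self.pids = set()         # table of registered PID_i
        self.sessions = {}        # state kept per PID between step 2 and step 4

    def register(self, PID, MPW):     # received over the secure channel
        if PID in self.pids:
            raise ValueError("PID_i exists: re-register with a new identity")
        self.pids.add(PID)
        W = h(PID, self.x)
        return h(W, MPW), xor(W, MPW)             # <E_i, S_i> for the device

    def step2(self, M1):
        PID, K, Fn, X, S = M1
        W = h(PID, self.x)                        # W_i* = h(PID_i || x)
        MPW, a = xor(S, W), xor(K, W)             # MPW_i* and a*
        if h(PID, a, Fn, W, MPW) != X:
            return None                           # X_i mismatch: terminate
        b = fresh()
        SK, n = h(PID, a, b, MPW), h(self.x, Fn)
        self.sessions[PID] = (a, Fn, b, n, W, MPW)
        return xor(a, b), enc(SK, n), h(b"0", PID, a, Fn, b, n, W, MPW)

    def step4(self, PID, Z):
        a, Fn, b, n, W, MPW = self.sessions.pop(PID)
        return Z == h(b"1", PID, a, Fn, b, n, W, MPW)

class UsbDevice:
    """Holds <E_i, S_i, BPW_i>; local_check is the first half of Step 1."""
    E = S = BPW = None

    def local_check(self, ID, P, B):
        eta = xor(self.BPW, h(P))
        PID, MPW = h(ID, rep(B, eta)), h(P, ID)
        W = xor(self.S, MPW)
        if h(W, MPW) != self.E:                   # reading choice: compare with E_i
            return None
        return PID, MPW, W, eta

def register(dev, srv, ID, P, B):
    sigma, eta = gen(B)
    dev.E, dev.S = srv.register(h(ID, sigma), h(P, ID))
    dev.BPW = xor(eta, h(P))

def login(dev, srv, ID, P, B, Fn):
    """Steps 1-4 and key agreement; returns the file key K, or None on failure."""
    creds = dev.local_check(ID, P, B)
    if creds is None:
        return None
    PID, MPW, W, _ = creds
    a = fresh()
    M2 = srv.step2((PID, xor(a, W), Fn, h(PID, a, Fn, W, MPW), dev.S))
    if M2 is None:
        return None
    L, C, Y = M2
    b = xor(L, a)                                 # b* = L_i XOR a
    n = dec(h(PID, a, b, MPW), C)                 # n* = D_SK*(C)
    if h(b"0", PID, a, Fn, b, n, W, MPW) != Y:
        return None
    if not srv.step4(PID, h(b"1", PID, a, Fn, b, n, W, MPW)):
        return None
    return h(PID, n)                              # K = h(PID_i || n)

def change_password(dev, ID, P, B, P_new):
    creds = dev.local_check(ID, P, B)
    if creds is None:
        return False
    _, _, W, eta = creds                          # W is the paper's V_i
    MPW_new = h(P_new, ID)
    dev.E, dev.S, dev.BPW = h(W, MPW_new), xor(W, MPW_new), xor(eta, h(P_new))
    return True
```

Running the simulation shows two properties the text states: the file key $K$ is stable across sessions for the same $F_n$ (because $n = h(x \| F_n)$ does not depend on the session), and a password change touches only the device's stored values, so the server needs no update. It also shows that the device-side check in Step 1 depends on $P_i'$ and $ID_i'$ only; a wrong biometric template is caught at the AS in Step 2, because the resulting $PID_i'$ does not match $h(PID_i \| x)$.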

C. Key Agreement Phase

After completing mutual authentication, $U_i$ computes an encryption key $K = h(PID_i \| n)$ which is used to encrypt/decrypt the file. Since the encryption key depends on the encrypted file name, the key will be different for different files. Now, $U_i$ uses the key $K$ to encrypt/decrypt a file. Thus, a user $U_i$ protects the files of the USB storage device with the help of the trusted authentication server.

D. Password Change Phase

To change the password, $U_i$ initially provides the user information $ID_i'$, $P_i'$, $B_i'$ to the USB storage device, which computes $\eta' = BPW_i \oplus h(P_i')$, $\sigma_i' = \mathrm{Rep}(B_i', \eta')$, $PID_i' = h(ID_i' \| \sigma_i')$, $MPW_i' = h(P_i' \| ID_i')$, $W_i' = S_i \oplus MPW_i'$, $S_i' = h(W_i' \| MPW_i')$; the USB mass storage device then matches the computed $S_i'$ with the stored $S_i$. If a match is found, $U_i$ provides the new password $P_i^{new}$ to the USB storage device, which further computes $MPW_i^{new} = h(P_i^{new} \| ID_i')$, $V_i = S_i \oplus MPW_i'$, $E_i^{new} = h(V_i \| MPW_i^{new})$, $S_i^{new} = V_i \oplus MPW_i^{new}$, $BPW_i^{new} = \eta' \oplus h(P_i^{new})$ and then replaces the values $\langle E_i, S_i, BPW_i \rangle$ with the new values $\langle E_i^{new}, S_i^{new}, BPW_i^{new} \rangle$ respectively in the memory of the USB storage device, which is used in future with the new effective password $P_i^{new}$.

IV. AUTHENTICATION PROOF BASED ON BAN LOGIC

This section addresses the security analysis of our proposed protocol using Burrows-Abadi-Needham logic [19], [20], generally called BAN logic. BAN logic is a well-known formal model in the literature and has been widely used for analyzing the security of authentication and key distribution protocols. Some preliminaries and notations of BAN logic are described as follows. Principals are the agents involved in the protocol (usually people or programs). Keys are used to encrypt messages symmetrically. Public keys are similar to keys except that they are used in pairs. Nonces are message parts that are not meant to be repeated. Timestamps are similar to nonces in that they are unlikely to be repeated. Some BAN statements which are helpful for analyzing the security of the proposed protocol are given below:
$P \mid\equiv X$: P believes X, or P would be entitled to believe X. In particular, P can take X as true.
$P \triangleleft X$: P sees X. P has received some message X and is capable of reading and repeating it (seeing rule).
$P \mid\sim X$: P once said X. P at some time sent a message including the statement X. It is not known whether this is a replay, though it is known that P believed X when it sent it.
$P \Rightarrow X$: P has jurisdiction over X. The principal P is an authority on X and should be trusted on this matter.

$\sharp(X)$: The message X is fresh.
$(X, Y)$: The formula X or Y is one part of the formula (X, Y).
$\langle X \rangle_Y$: The formula X combined with the formula Y.
$\{X\}_K$: The formula X is encrypted under the key K.
$(X)_K$: The formula X is hashed with the key K.
$P \stackrel{K}{\leftrightarrow} Q$: Principals P and Q communicate via the shared key K.
$P \stackrel{X}{\Leftrightarrow} Q$: The formula X is a secret known only to P and Q, and possibly to principals trusted by them.
$\stackrel{K}{\mapsto} P$: Principal P has K as its public key.
$SK$: The session key used in the current session.

Some main logical postulates of BAN logic are as follows:
∙ The message-meaning rule for shared secrets: $\dfrac{P \mid\equiv P \stackrel{Y}{\Leftrightarrow} Q,\; P \triangleleft \langle X \rangle_Y}{P \mid\equiv Q \mid\sim X}$. If P believes that the secret Y is shared with Q and sees $\langle X \rangle_Y$, then P believes that Q once said X.
∙ The freshness-conjuncatenation rule: $\dfrac{P \mid\equiv \sharp(X)}{P \mid\equiv \sharp(X, Y)}$. If the principal P believes that X is fresh, then P believes the freshness of (X, Y).
∙ The belief rule: $\dfrac{P \mid\equiv X,\; P \mid\equiv Y}{P \mid\equiv (X, Y)}$. If the principal P believes X and Y, then P believes (X, Y).
∙ The nonce-verification rule: $\dfrac{P \mid\equiv \sharp(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$. If the principal P believes that X is fresh and that the principal Q once said X, then P believes that Q believes X.
∙ The jurisdiction rule: $\dfrac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$. If the principal P believes that Q has jurisdiction over X and that Q believes X, then P believes that X is true.
∙ The session key rule: $\dfrac{P \mid\equiv \sharp(X),\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv P \stackrel{K}{\leftrightarrow} Q}$.

If the principal P believes that the session key is fresh and that the principals P and Q believe X, which are the necessary parameters of the session key, then P believes that it shares the session key K with Q.

To prove an authentication protocol secure, the following process should be performed:
∙ First, idealize the proposed authentication scheme in the language of the formal logic.
∙ Second, identify the assumptions about the initial state of the proposed authentication scheme.
∙ Third, use the production rules of the logic to deduce new predicates.
∙ Fourth, use the logic to discover the beliefs held by the parties in the proposed scheme.

In order to prove the proposed protocol secure, it must satisfy the following goals based on BAN logic:
∙ Goal 1: $U_i \mid\equiv U_i \stackrel{SK}{\leftrightarrow} AS$
∙ Goal 2: $U_i \mid\equiv AS \mid\equiv U_i \stackrel{SK}{\leftrightarrow} AS$
∙ Goal 3: $AS \mid\equiv U_i \stackrel{SK}{\leftrightarrow} AS$
∙ Goal 4: $AS \mid\equiv U_i \mid\equiv U_i \stackrel{SK}{\leftrightarrow} AS$

First, the proposed protocol is transformed into idealized form:
$M_1: U_i \to AS: PID_i, K_i, F_n, S_i, \langle a \rangle_{h(PID_i \| x)}$
$M_2: AS \to U_i: L_i, \langle C \rangle_{SK}, \langle b \rangle_{h(PID_i \| x)}$

Second, the following assumptions about the initial state of the protocol are made to analyze the proposed protocol:
$A_1: U_i \mid\equiv \sharp a$
$A_2: AS \mid\equiv \sharp b$
$A_3: U_i \mid\equiv U_i \stackrel{h(PID_i \| x)}{\leftrightarrow} AS$
$A_4: AS \mid\equiv U_i \stackrel{h(PID_i \| x)}{\leftrightarrow} AS$
$A_5: AS \mid\equiv U_i \Rightarrow a$
$A_6: U_i \mid\equiv AS \Rightarrow b$

Third, the idealized form of the proposed protocol is analyzed based on the BAN logic rules and the assumptions. The main proofs are stated as follows:
$M_1: U_i \to AS: PID_i, K_i, F_n, S_i, \langle a \rangle_{h(PID_i \| x)}$
According to the seeing rule, we get
$S_1: AS \triangleleft PID_i, K_i, F_n, S_i, \langle a \rangle_{h(PID_i \| x)}$
According to $A_4$, $S_1$ and the message-meaning rule, we get
$S_2: AS \mid\equiv U_i \mid\sim a$
According to $A_2$, $S_2$, the freshness-conjuncatenation rule and the nonce-verification rule, we get
$S_3: AS \mid\equiv U_i \mid\equiv a$, where $a$ is the necessary parameter of the session key of the proposed protocol.
According to $A_5$, $S_3$ and the jurisdiction rule, we get
$S_4: AS \mid\equiv a$
According to $A_2$, $S_3$ and the session key rule, we get
$S_5: AS \mid\equiv U_i \stackrel{SK}{\leftrightarrow} AS$ (Goal 3)
According to $A_2$, $S_5$ and the nonce-verification rule, we get
$S_6: AS \mid\equiv U_i \mid\equiv U_i \stackrel{SK}{\leftrightarrow} AS$ (Goal 4)
$M_2: AS \to U_i: L_i, \langle C \rangle_{SK}, \langle b \rangle_{h(PID_i \| x)}$
According to the seeing rule, we get
$S_7: U_i \triangleleft L_i, \langle C \rangle_{SK}, \langle b \rangle_{h(PID_i \| x)}$
According to $A_3$, $S_7$ and the message-meaning rule, we get
$S_8: U_i \mid\equiv AS \mid\sim b$
According to $A_1$, $S_8$, the freshness-conjuncatenation rule and the nonce-verification rule, we get
$S_9: U_i \mid\equiv AS \mid\equiv b$, where $b$ is the necessary parameter of the session key of the proposed protocol.
According to $A_6$, $S_9$ and the jurisdiction rule, we get
$S_{10}: U_i \mid\equiv b$
According to $A_1$, $S_9$ and the session key rule, we get
$S_{11}: U_i \mid\equiv U_i \stackrel{SK}{\leftrightarrow} AS$ (Goal 1)
According to $A_1$, $S_{11}$ and the nonce-verification rule, we get
$S_{12}: U_i \mid\equiv AS \mid\equiv U_i \stackrel{SK}{\leftrightarrow} AS$ (Goal 2)

It is confirmed that our protocol achieves our objectives (Goal 1 to Goal 4) using BAN logic. So, we can conclude that the proposed protocol provides mutual authentication and establishes a common secret session key $SK$ between the user $U_i$ and the authentication server.

V. ADVERSARY MODEL AND INFORMAL SECURITY ANALYSIS

In this section, we first present an adversary model, and then the informal security analysis of the proposed protocol is presented.

A. Adversary Model

As the authentication protocol is executed over insecure communication, the attacker has several advantages or capabilities against the authentication protocol. In the following, we present some valid assumptions.
1) An adversary is able to extract the smart card information by monitoring the power consumption. For example, if an attacker gets the smart card of a valid user, s/he may then get all the information stored in the smart card.
2) An adversary may eavesdrop on all the communication between the entities involved in the protocol over the public channel. It is also assumed that an attacker cannot intercept messages over the secure channel.
3) An adversary can easily guess a low-entropy password or identity individually, but guessing two secret parameters (e.g. password and identity) together is computationally infeasible in polynomial time.
4) An adversary can modify, delete, resend and reroute the eavesdropped messages.
5) An adversary may be a legitimate user, or vice versa.
6) It is assumed that the protocol used in the authentication system is known to the adversary.
7) If we assume that the length of the user's identity and password is $n$ characters, then the probability of guessing a value composed of $n$ characters is approximately $\frac{1}{26^n}$, as mentioned in [21].

B. User Anonymity

Suppose an authenticated user $U_i$ accesses an important file which is stored in the USB storage device of $U_i$ and wants to get it. If an attacker knows that $U_i$ is the user of the important file, then he/she may get the file, either by stealing it or by some other means. But it is confirmed that if the attacker does not know which user is using the important file, then it is extremely hard to capture it. Therefore, user anonymity is necessary for such applications, and our protocol provides it efficiently. The proposed protocol uses the user identity $PID_i = h(ID_i \| \sigma_i)$ instead of the original identity $ID_i$ of the user $U_i$. Since the parameter $PID_i$ is protected by the non-invertible cryptographic one-way hash function, an attacker is unable to get the value of $ID_i$. If we assume that the length of $ID_i$ is $n$ characters and the parameter $\sigma_i$ has $m$ bits, then the probability of guessing the identity is approximately $\frac{1}{26^{n+m}}$, which is negligible. Hence, the proposed protocol preserves the user anonymity property.

C. User-Server Impersonation Attack

If an attacker is authenticated to the entities of the system after providing login/reply messages (generated by the attacker), i.e. if the login/reply messages are accepted by the entities, he/she can successfully launch a user-server impersonation attack on the authentication protocol. As per our assumption, an attacker traps the login/reply messages of the proposed protocol during transmission and tries to forge the messages after some modification in order to authenticate him/herself. As the login message depends on the secret parameters $\langle a, W_i, MPW_i \rangle$ and the reply message on $\langle a^*, b, W_i, MPW_i \rangle$, and it is not possible to retrieve the mentioned secret parameters, it is not feasible for the attacker to forge a valid login/reply message. Hence, our protocol resists the user-server impersonation attack.

D. Session Key Disclosure Attack

The authenticated session key is used for secure communication between the entities involved, and an attacker who discloses the key can decrypt the secret information. So, the secrecy of the session key is a mandatory property of any key agreement protocol. The session key of the proposed protocol depends on the difficulty of the cryptographic one-way hash function, and the parameters $\langle a, b, MPW_i \rangle$ are involved. It is also confirmed that an attacker cannot compute the parameters involved in the session key. As a result, he/she fails to compute the session key. Hence, the proposed protocol provides a secure session key.

E. Encryption Key Disclosure Attack

In the proposed protocol, the key $K$ is used to encrypt/decrypt the different files, and it is different for each file, as the file name is different. The encryption key is protected by the cryptographic one-way hash function and the secret session key of the proposed protocol. As inverting the one-way hash function and obtaining the secret session key are infeasible for an attacker, the computation of the encryption key is not possible. Therefore, the proposed protocol provides strong security for the encryption key $K$.

VI. CONCLUSION

In this paper, we have presented a lightweight and anonymity preserving user authentication and key agreement protocol for securing the files stored in a USB mass storage device using a cryptographic one-way hash function. Rigorous security analysis and discussion using BAN logic, together with the informal security analysis, confirm that the proposed protocol withstands the relevant security aspects, including user anonymity, user-server impersonation attack, session key disclosure attack and encryption key disclosure attack. Moreover, the proposed protocol provides an efficient login phase and a user-friendly password change phase. Finally, it can be concluded that the proposed protocol can be implemented in practical applications, as the objectives of the protocol are achieved securely.

REFERENCES

[1] Debiao He, Neeraj Kumar, Jong-Hyouk Lee, R. Simon Sherratt: Enhanced Three-factor Security Protocol for Consumer USB Mass Storage Devices, IEEE Transactions on Consumer Electronics, Vol. 60, No. 1, February 2014.
[2] L. Lamport: Password authentication with insecure communication, Communications of the ACM, Vol. 24, No. 11, pp. 770-772, 1981.
[3] J. Xu, W. T. Zhu, D. G. Feng: An improved smartcard based password authentication scheme with provable security, Computer Standards and Interfaces 31 (4) (2009) 723-728.
[4] R. Amin, T. Maitra, S. Rana: An Improvement of Wang et al.'s Remote User Authentication Scheme Against Smart Card Security Breach, IJCA, vol. 75, no. 13, 2013.
[5] K. A. Shim: Security flaws in three password-based remote user authentication schemes with smart cards, Cryptologia, Taylor and Francis, vol. 36, no. 1, pp. 62-69, Jan. 2012.
[6] Ruhul Amin: Cryptanalysis and An Efficient Secure ID-Based Remote User Authentication Scheme Using Smart Card, International Journal of Computer Applications (0975 - 8887), Volume 75, No. 13, 2013.
[7] X. Li, W. Qiu, D. Zheng, K. Chen, J. Li: Anonymity enhancement on robust and efficient password authenticated key agreement using smartcards, IEEE Transactions on Industrial Electronics 57 (2) (2010) 793-800.
[8] SK Hafizul Islam, G. P. Biswas: Design of improved password authentication and update scheme based on elliptic curve cryptography, Mathematical and Computer Modelling, Volume 57, Issues 11-12, June 2013, Pages 2703-2717.
[9] Fan, C. I., and Lin, Y. H.: Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics, IEEE Trans. Inf. Forensics Secur. 4(4):933-945, 2009.
[10] Bhargav-Spantzel, A., Squicciarini, A. C., Bertino, E., Modi, S., Young, M., and Elliott, S. J.: Privacy preserving multi-factor authentication with biometrics, J. Comput. Secur. 15(5):529-560, 2007.
[11] Pointcheval, D., and Zimmer, S.: Multi-factor authenticated key exchange, ACNS 2008, LNCS 5037:277-295, 2008.
[12] Li, C. T., and Hwang, M.-S.: An efficient biometric-based remote user authentication scheme using smart cards, J. Netw. Comput. Appl. 33(1):1-5, 2010.
[13] Xiong Li, Jian-wei Niu, Jian Ma, Wen-dong Wang, Cheng-lian Liu: Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards, Journal of Network and Computer Applications, Volume 34, Issue 1, Pages 73-79, January 2011.
[14] F. Y. Yang, T. D. Wu, and S. H. Chiu: A secure control protocol for USB mass storage devices, IEEE Trans. Consumer Electron., vol. 56, no. 4, pp. 2339-2343, Nov. 2010.
[15] C. Schnorr: Efficient identification and signatures for smart cards, Journal of Cryptology, Springer, vol. 4, no. 3, pp. 161-174, 1991.
[16] B. Chen, C. Qin, and L. Yu: A Secure Access Authentication Scheme for Removable Storage Media, Journal of Information and Computational Science, Binary Information Press, vol. 9, no. 15, pp. 4353-4363, Nov. 2012.
[17] C. Lee, C. Chen, and P. Wu: Three-factor control protocol based on elliptic curve cryptosystem for universal serial bus mass storage devices, IET Computers and Digital Techniques, vol. 7, no. 1, pp. 48-55, Jan. 2013.
[18] Y. Dodis, L. Reyzin, and A. Smith: Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data, in Proc. 2004 Int. Conf. Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, Lecture Notes in Computer Science, pp. 523-540, 2004.
[19] Burrows, M., Abadi, M., Needham, R.: A logic of authentication, ACM Trans. Comput. Syst., 1990, 8, (1), pp. 18-36.
[20] Tsai, J.-L., Wu, T.-C., Tsai, K.-Y.: New dynamic ID authentication scheme using smart cards, Int. J. Commun. Syst., 2010, 23, pp. 1449-1462.
[21] Chang, Y.-F., Yu, S.-H., and Shiao, D.-R.: "An uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care", J. Med. Syst. 37:9902, 2013.