TAMA: Three-Factor Authentication for Multi-server Architecture
• Haleh Amintoosi1, Mahdi Nikooghadam1, Saru Kumari2, Sachin Kumar3, and Chien-Ming Chen4,*

Human-centric Computing and Information Sciences volume 11, Article number: 39 (2021)
https://doi.org/10.22967/HCIS.2021.11.039

Abstract

Thanks to the sharp improvement in computer science and information technology, we are witnessing the emergence of new mobile-based Internet services such as telemedicine, electronic payments, and smart home management. Due to the rapid growth of mobile services, a single-server architecture that includes one server and multiple clients is not responsive to customer needs. For this reason, architecture was developed with several providers to extend scalability and accessibility. However, as the customer-to-provider communication is done over the Internet, providing a secure communication via efficient and provably secure mutual authentication and key agreement is of great importance. So, a great amount of research has been done to support authentication and key agreement in environments with multiple servers. In this article, we introduce a secure robust elliptic curve cryptography (ECC)-based three-factor authentication and key agreement scheme for multi-server architecture that is robust to various attacks and meets significant security requirements. We assess the computational complexity and prove that the proposed method generates minimum time complexity and very low communication complexity in comparison with similar methods. Finally, we evaluate and verify the scheme’s security with the official Scyther tool.

Keywords

Scyther, ECC, Authentication, Multi-server

Introduction

With the growing evolution of the Internet and information technology (IT), the quality of online communications and services in distributed systems, such as online medication, learning, banking and coaching, has become increasingly important for users. To provide better online services, there was a need for environments with high scalability and accessibility. As a result, environments with multiple service providers emerged, so that users can easily use online services.
In an environment with one service provider, each user is required to register with only one service provider in order to use the service, which leads to user restrictions. To address this limitation, a structure with several service providers has been proposed. In multi-server environments, three entities, namely, the user, the registration center (RC), and the service provider are the main components. The service provider receives the registration parameters from the registration center, and so does the user. Once they authenticate each other in a mutual way, the user can use the provided services.

Motivation and Contribution
In environments with multiple service providers, users normally use the same credentials to access different servers, so they are potentially exposed to a greater number of security threats. Security provision and mutual authentication are therefore a significant challenge in this area. To overcome this challenge, multi-server authentication has been proposed, in which the user can communicate with any of the servers using a single registration.
As stated in [1], most of multi-server-based authentication schemes have used two factors, e.g., password and smartcard, for user authentication. However, these schemes are susceptible to various kinds of attacks such as password guessing, replay, and masquerade attacks. To address these issues, biometric parameter has been added as the third factor for authentication as the uniqueness property of biometrics increases the security of the proposed authentication schemes.
Recently, several three-factor authentication protocols appropriate for multi-server environments [26] have been presented. However, they are still incapable of satisfying essential security requirements and resisting against security attacks [7], making them inappropriate for practical applications.
In this article, we design a provably secure elliptic curve cryptography (ECC)-based protocol for authentication and key agreement in environments with multiple service providers. Our proposed scheme makes use of three credentials, i.e., password, smartcard, and biometric parameter for user authentication, with the aim of increasing the security. Moreover, the scheme is applicable to multi-server environments, enabling users to contact with each of the servers using the same credentials, thus removing the need to exchange one different credential for each server. We go through security analysis and indicate that the proposed protocol is safe against different types of attacks and meets the essential security demands. We also prove that the scheme, in addition to being superior in terms of security, also performs better in terms of time complexity than similar ECC-based protocols designed for multi-server environments.
Our contribution is as follows:

We introduce a robust and secure three-factor ECC-based authentication and key agreement scheme for multi-server architecture that can support mutual authentication considering the three authentication parameters, i.e., password, smartcard, and biometric parameter. We prove the robustness of the protocol to different attacks.

We formally analyze the security of the model by the Scyther [8] tool to demonstrate its correctness. We also show that the scheme satisfies different security needs.

We assess the computation as well as communication complexity and show that the computational overhead incurred by the proposed protocol is minimum, while comparing with other ECC-based methods designed for multi-server architecture. The communication overhead is also comparable with those schemes.

Organization of the Article
We express the article’s structure as below. The review of the related articles is outlined in Section 2. We express the system model and the security requirements in Section 3. Section 4 illustrates the structure of the proposed protocol. We perform security assessment in Section 5. Next, in Section 6, we consider the computational and communication complexity as the evaluation criteria to compare with similar works. At last, we present the conclusion in Section 7.

Related Work

Due to the importance of security in multi-server architectures, research has focused on proposing secure and efficient authentication schemes [26].
In 2015, He and Wang [3] proposed an identification-based authentication scheme using ECC for multi-server environments, but Odelu et al. [9] reviewed their scheme and pointed out its shortcomings and designed a new three-factor biometric-based scheme to address them. Guo and Wen [10] presented an authentication scheme which was shown in 2017 by Ali and Pal [1] to be prone to attacks such as insider strikes and session key disclosure attacks. They further outlined a scheme as the remedy for the mentioned issues.
Also, in 2017, a scheme was designed by Reddy et al. [11] for multi-server domain. However, in 2019, their scheme was shown in [12] to fail providing users’ untraceability and is prone to privileged insider attacks.
In 2018, Xiong et al. [13] designed a lightweight protocol for authenticating users in multi-server architecture which aimed at reducing the cost of computation as well as communication. Barman et al. [14] designed an authentication scheme by leveraging fuzzy commitment approach. Kumari et al. [15] used the fuzzy extractor concept to support a proper match between biometric patterns. Xu et al. [16] designed an authentication scheme which was proved to support user untraceability. Jiang et al. [17] analyzed the work presented in [18] and pointed out that it is prone to the impersonation attack. Another scheme was proposed by Chatterjee et al. [19] that made use of the chaotic map.
In 2019, Yao et al. [20] suggested a remote biometric authentication protocol for multi-server architecture. Lwamo et al. [21] also offered an anonymity preserving authentication protocol which considers three factors of password, biometric data and smart card for authentication. Roy et al. [22] proposed a data access control model in a domain with multi-cloud servers. Also, Ying and Nayak [23] suggested a scheme for multi-server environments in 5G networks and showed that it is secure against various security attacks. However, in 2020, Wang and Zhu [7] first proved that the scheme of Ying and Nayak [23] has several vulnerabilities, and then introduced a new scheme to recover from those vulnerabilities. They proved the robustness of their scheme with AVISPA.
In 2021, Wu et al. [24] reviewed the work proposed by Wang et al. [25] and proved that it cannot withstand the impersonation and known session-specific temporary information attacks. They further proposed an improved scheme.
Based on the above review and the analysis presented in [7], it is clear that there are still security vulnerabilities in the authentication models proposed for multi-server environments. Hence, providing secure and robust authentication is of great significance in multi-server architecture. Our proposed scheme is different from the abovementioned schemes as it is secure against almost all well-known security attacks in the domain of multi-server environments such as insider attack, man-in-the-middle attack, denial of service attack, user/server impersonation attack, replay attack, stolen smart card attack, and user/server impersonation attack. Besides, the proposed scheme satisfies the most dominant security requirements such as mutual authentication, session key agreement, perfect forward secrecy, and anonymity. In terms of performance comparison, our scheme incurs very low computation and communication cost, making it appropriate for real-world applications.

System Models

Initial Vertex Selection
In a multi-server environment, the entities are the user $U_i$, the RC, and the server $S_j$.
The RC is a trusted third party that generates the required credentials for $U_i$ and $S_j$ in the registration phase. RC also provides a smart card for $U_i$ loaded with $U_i$’s secret information.
User $U_i$ takes the smart card from RC and makes use of the password, smartcard, and biometric parameters to authenticate himself. Once the server $S_j$ is authenticated, $U_i$ can have access to the services offered by $S_j$.
The server $S_j$ receives its private credentials from RC. Upon authenticating $U_i$, $S_j$ provides services for $U_i$.

Attack Model
In our proposed scheme, we take two threat models into consideration, as explained below.
- Dolev-Yao (DY): The adversary in the DY threat model [26] can intercept the transmitted messages and alter their contents or remove them. He is also capable of injecting malicious contents in the multi-server environment.
- Canetti and Krawczyk (CK): The adversary in the CK-adversary model [27] has the capabilities of the DY model. Besides, he is able to access the smartcard’s memory and falsify the stored credentials such as secret keys.

Security Requirements
The security requirements for an authentication scheme in multi-server architecture are as follows:
- Single registration: Users just need to sign up to the registration center to receive the services presented by all servers.
- Mutual authentication: The authentication scheme must support mutual authentication between the user and the server before sharing the session key.
- Session key agreement: Once mutual authentication is done, a session key has to be shared between the user and the server to be used in subsequent communication.
- Perfect forward secrecy: To provide secure message exchange, perfect forward secrecy should be guaranteed. Specifically, the adversary should not acquire the session key even by having knowledge about the secret credentials of the user or the server.
- User anonymity: The user’s identity should not be obtainable from the exchanged messages by the adversary.
- Robustness to various attacks: To provide the required security, the scheme should be secure against the privileged insider attack, man-in-the-middle attack, denial of service attack, user/server impersonation attack, replay attack, stolen smart card attack, and user/server impersonation attack.

The Proposed Scheme

In this section, we outline the detail of the steps of the proposed scheme. Notations have been displayed in Table 1.

Registration Phase
This phase has the server registration and the user registration parts, expressed as below.

Server registration
1. At first, the server $S_j$ sends off a join request to the RC.
2. Upon message receipt, RC securely sends an identity $SID_j$ and a master secret key s as the reply to $S_j$.

Table 1. Notations of protocol

| Symbol | Description |
|---|---|
| $RC$ | Registration center |
| $S_j$ | $j$-th server |
| $U_i$ | $i$-th user |
| $ID_i$ | $U_i$’s identity |
| $SC_i$ | Smartcard belonging to $U_i$ |
| $SID_j$ | $S_j$’s identity |
| $PW_i$ | $U_i$’s password |
| $BIO_i$ | $U_i$’s biometric information |
| $s$ | Master secret key |
| $SK_i$, $SK_i^*$ | The session keys |
| $a_i, b_i, r_i, d_i, f_i$ | Random numbers |
| $P$ | The elliptic curve’s base point |
| $T_i, T_j$ | Timestamps |
| $∆T$ | Maximum allowable delay |
| $\Vert$ | Concatenation operation |
| ⊕ | Bitwise (XOR) operation |
| $Enc()/Dec()$ | Encryption/Decryption with symmetric key |
| $h(.)$ | Hash function |
| $H(.)$ | Hash function for biometric |
| => | Secure channel |
| | Public channel |

User registration
Step 1. At first, user $U_i$ picks out an identity and a password, $ID_i$ and $PW_i$, respectively. He also selects a random number $a_i$ and enters his biometric information $BIO_i$. Next, $U_i$ computes $A_i = h(ID_i||a_i) ⊕ h(PW_i||H(BIO_i)||ID_i)$ and $B_i = h(A_i||a_i)$. At the end, $U_i$ sends <$B_i$; $ID_i$; $A_i$; $a_i$> to $RC$ over a secure communication medium.
Step 2. Once $RC$ gets the registration message, it considers a random number $b_i$ and computes $HID_i = h(ID_i||b_i)$, $k_i = (HID_i||SID_j||s)$, $C_i = h(A_i||HID_i) ⊕ B_i$, $Q_i = C_i ⊕ k_i$, $W_i = Enc_{A_i}(Q_i||C_i)$, and $c_i = b_i ⊕ a_i$. $RC$ then stores <$W_i$; $c_i$; $b_i$; $h(.)$> to the user’s smartcard $SC_i$ and securely sends $SC_i$ to the user $U_i$.
Step 3. Once $U_i$ obtains $SC_i$, he adds $H(.)$ to it.
The user registration phase has been demonstrated in Fig. 1.

Login and Authentication Phase
Step 1. The user $U_i$ enters $ID_i^*$ and $PW_i^*$. He also imprints his biometric parameter $BIO_i^*$. He then extracts $b_i$ and $c_i$ from the smartcard and computes $a_i = b_i ⊕ c_i$. He also computes $A_i^* = h(ID_i^*||a_i) ⊕ h(PW_i^*||H(BIO_i^*)||ID_i^*)$, $HID_i^* = h(ID_i^*||b_i)$, $W_i^* = Dec_{A_i^*}(Q_i^{**}||C_i^{**})$, and $C_i^* = h(A_i^*||HID_i^*) ⊕ B_i^*$. He then checks whether $C_i^*$ equals $C_i^{**}$ obtained from decryption. If so, it determines that the user is the owner of the smartcard.
Fig. 1. Proposed scheme: registration phase.

Fig. 2. Proposed scheme: login and authentication phase.

Step 2. Next, the smartcard selects two random numbers $r_i$ and $d_i$ and a timestamp $T_i$. Then, the following parameters are calculated:

$\begin{eqnarray} k_i = C_i⊕Q_i\\ M_i = h(H(BIO_i)||b_i||d_i)\\ N_i = h(k_i||r_i.P||T_i||M_i)\\ D_i = M_i⊕N_i \end{eqnarray}$

At the end, the smartcard publicly sends $HID_i^*, T_i, N_i, D_i, r_i.P$ to $S_j$.
Step 3. On receiving the login message, $S_j$ first verifies its freshness by choosing timestamp $T_j$ and verifying $|T_j – T_i| < ΔT$. If this does not hold, the server stops the session. Otherwise, $S_j$ calculates the following:

$\begin{eqnarray} k_i^*= (HID_i||SID_i||s)\\ M_i = D_i⊕N_i\\ N_i^*= h(k_i||r_i.P||T_i||M_i) \end{eqnarray}$

The server then verifies $N_i^* \stackrel{?}{=} N_i$ and if so, the user $U_i$ is authenticated. It then selects the random number $f_i$ and calculates the session key $SK_i = h(k_i^*||N_i^*||f_i.r_i.P)$ and $Auth_i = h(k_i^*||N_i^*||SK_i)$. At the end, the server $S_j$ publicly sends {$Auth_i, f_i.P, T_j$} to $U_i$.
Step 4. Upon receipt, the user computes the session key $SK_i^* = h(k_i||N_i||r_i.f_i.P)$. Note that since $r_i.f_i.P = f_i.r_i.P$, the session key generated at the user side ($SK_i^*$) is the same as the one at the server side ($SK_i$). The user also computes $Auth_i^* = h(k_i||N_i||SK_i^*)$ and verifies that $Auth_i^*$ equals $Auth_i$ sent by the server. If so, the server is authenticated. Fig. 2 depicts the login and authentication step.
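
The registration and login/authentication steps above, carried through in Python as an added example (not the authors' code). Assumptions: SHA-256 for $h(.)$ and $H(.)$, secp256k1 as the curve, a hash-keystream XOR standing in for $Enc()/Dec()$, an exactly reproducible biometric template, $B_i^*$ recomputed as $h(A_i^*||a_i)$, and $k_i$ hashed to 32 bytes so that $Q_i = C_i ⊕ k_i$ is well defined (the page writes $k_i$ as a bare concatenation).

```python
import hashlib
import hmac
import secrets

# Assumption: secp256k1 (y^2 = x^3 + 7 over PRIME); the paper names no curve.
PRIME = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow((x2 - x1) % PRIME, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return x3, (lam * (x1 - x3) - y1) % PRIME

def ec_mul(k, pt):  # double-and-add k.pt (not constant time)
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):  # h(.) over length-prefixed parts; SHA-256 is an assumption
    digest = hashlib.sha256()
    for part in parts:
        raw = part if isinstance(part, bytes) else repr(part).encode()
        digest.update(len(raw).to_bytes(4, "big") + raw)
    return digest.digest()

def H(bio):  # H(.): assumes an exactly reproducible biometric template
    return h(b"bio", bio)

def xor(x, y):
    return bytes(i ^ j for i, j in zip(x, y))

def enc(key, data):  # stand-in for Enc()/Dec(): XOR with a hash keystream
    return xor(data, h(key, 0) + h(key, 1))

def register(ID, PW, BIO, SID_j, s):
    """User and RC registration steps; returns the smartcard contents."""
    a = secrets.token_bytes(32)
    A = xor(h(ID, a), h(PW, H(BIO), ID))
    B = h(A, a)
    b = secrets.token_bytes(32)                   # RC side from here on
    HID = h(ID, b)
    k = h(HID, SID_j, s)   # assumption: hashed so that k XORs with C
    C = xor(h(A, HID), B)
    Q = xor(C, k)
    return {"W": enc(A, Q + C), "c": xor(b, a), "b": b}

def login(card, ID, PW, BIO, T_i):
    """Smartcard steps 1-2; returns (state, message) or None on bad factors."""
    a = xor(card["b"], card["c"])
    A = xor(h(ID, a), h(PW, H(BIO), ID))
    HID = h(ID, card["b"])
    plain = enc(A, card["W"])
    Q, C = plain[:32], plain[32:]
    if not hmac.compare_digest(xor(h(A, HID), h(A, a)), C):
        return None
    r, d = 1 + secrets.randbelow(ORDER - 1), secrets.token_bytes(32)
    k = xor(C, Q)
    M = h(H(BIO), card["b"], d)
    rP = ec_mul(r, P)
    N = h(k, rP, T_i, M)
    return (k, N, r), (HID, T_i, N, xor(M, N), rP)

def server_auth(msg, SID_j, s, T_j, delta_T=5):
    """Server step 3; returns (SK, reply) or None if stale or forged."""
    HID, T_i, N, D, rP = msg
    if abs(T_j - T_i) >= delta_T:
        return None
    k = h(HID, SID_j, s)
    M = xor(D, N)
    if not hmac.compare_digest(h(k, rP, T_i, M), N):
        return None
    f = 1 + secrets.randbelow(ORDER - 1)
    SK = h(k, N, ec_mul(f, rP))
    return SK, (h(k, N, SK), ec_mul(f, P), T_j)

def user_finish(state, reply):
    """User step 4; returns SK* or None if Auth_i does not verify."""
    (k, N, r), (auth, fP, _) = state, reply
    SK = h(k, N, ec_mul(r, fP))
    return SK if hmac.compare_digest(h(k, N, SK), auth) else None

if __name__ == "__main__":  # constructed sample values, not from the paper
    card = register("alice", "pw-1", b"bio-template", "SID-1", b"master-s")
    state, msg = login(card, "alice", "pw-1", b"bio-template", T_i=1000)
    SK, reply = server_auth(msg, "SID-1", b"master-s", T_j=1002)
    print("session keys match:", user_finish(state, reply) == SK)
```

A deployment would replace the keystream stand-in with an authenticated cipher and check that the received point $r_i.P$ lies on the curve before multiplying it.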

To change the user’s password, these steps should be done:
Step 1. $U_i$ inserts the smartcard, enters $ID_i^*$ and $PW_i^*$, and imprints his biometric $BIO_i^*$.
Step 2. The following are computed by the smartcard:

$\begin{eqnarray} a_i= b_i⊕c_i\\ A_i^* = h(ID_i^*||a_i)⊕h(PW_i^*||H(BIO_i^*)||ID_i^*)\\ B_i^* = h(A_i^*||a_i)\\ HID_i^*= h(b_i ||ID_i^*)\\ C_i^*= h(A_i^* || HID_i^*)⊕B_i^* \end{eqnarray}$

It then verifies $C_i^*$ equals $C_i$ stored in the smartcard. If $C_i^*= C_i$, the user is verified to be the smartcard’s owner.
Step 3. Next, the user enters the new password $PW_i^{**}$. Further computations are as below:

$\begin{eqnarray} a_i=b_i⊕c_i\\ A_i^{**} = h(ID_i^*||a_i)⊕h(PW_i^{**}||H(BIO_i^*)||ID_i^*)\\ B_i^{**} = h(A_i^{**}||a_i)\\ HID_i^*= h(b_i ||ID_i^*)\\ C_i^{**}= h(A_i^{**} || HID_i^*) ⊕B_i^* \end{eqnarray}$

Finally, $C_i^{**}$ replaces $C_i$ in the smartcard of $U_i$.

Security Analysis

In this section, we discuss the security of the scheme. Specifically, Section 5.1 outlines the result of informal analysis, and formal analysis result via the Scyther tool is presented in Section 5.2.

Informal Security Analysis
Server impersonation attack
In this attack, the intention of the adversary is impersonating a legitimate server. So, he creates $Auth_i^{'}$ instead of $Auth_i$ and sends {$Auth_i^{'}, f_i.P$} to the user. The user then computes $SK_i^* = h(k_i||N_i||r_i.f_i.P)$ and $Auth_i^* = h(k_i||N_i||SK_i^*)$ and verifies whether $Auth_i^*$ equals $Auth_i^{'}$ received from the server (which is the adversary in case of the attack). However, since $Auth_i^*$ includes $SK_i^*$, which itself includes random numbers $r_i$ and $f_i$, not accessible to the adversary, the comparison fails, resulting in session termination.

User impersonation attack
To run this attack, the adversary eavesdrops $HID_i^*, T_i, N_i, D_i, r_i.P$, generates the message $HID_i^{'}, T_i^{'}, N_i^{'}, D_i^{'}, r_i.P$ and transmits it to the server. When received, the server calculates $k_i^* = (HID_i^{'}||SID_i||s)$, $M_i = D_i^{'}⊕N_i^{'}$, and $N_i^* = h(k_i^*||r_i.P||T_i^{'}||M_i)$. The server then verifies $N_i^* \stackrel{?}{=} N_i^{'}$ and if so, the user $U_i$ is authenticated. However, in the case of user impersonation attack, the comparison fails since $k_i^*$ and $N_i^*$ contain random parameters that are not in the possession of the adversary. This shows that the adversary cannot impersonate the user.

Denial of service attack
We utilize timestamps to verify that the exchanged messages are fresh and avoid re-submission of old ones. Random numbers have also been used in various places, thus making the creation of repetitive messages impossible for the attacker.

Replay attack
If the adversary intends to run a replay attack, he replays the previously sent message <$HID_i^*, T_i, N_i, D_i, r_i.P$> to the server. However, the server verifies the freshness of the message by $|T_j – T_i| ≤ ΔT$, and if it is not true, the server considers the message as outdated and terminates the session. Even if the adversary places $T_i^{**}$ instead of current time $T_i$ and transmits <$HID_i^{**}, T_i^{**}, N_i, D_i, r_i.P$>, the server computes $N_i^* = h(k_i^*||r_i.P||T_i^{**}||M_i)$ and checks the equality of $N_i^*$ with $N_i$, which, in the case of the attack scenario mentioned above, is not true, implying that the timestamp has been altered.

Known-session-key temporary information attack
As described in [28], being secure against this attack implies that the adversary cannot retrieve the session key even by having access to session random numbers, which are $a_i, b_i, d_i, f_i, r_i$ in our scheme. As mentioned in the authentication step in Section 4.2, the session key $SK_i = h(k_i^* ||N_i^* ||f_i.r_i.P)$ includes $k_i^*$ which is computed as $k_i^*= (HID_i||SID_i ||s)$, where s is the master secret key. In other words, $SK_i$ is dependent on the parameter that is not available for the adversary. So, even if the random numbers are acquired by the adversary, he cannot compute the session key.

Insider attack
The user password $PW_i$ is not transmitted to the server directly in the registration step. Instead, he computes $A_i = h(ID_i||a_i) ⊕ h(PW_i||H(BIO_i)||ID_i)$ and sends $A_i$ as well as other parameters to the server. So, in case the adversary serves as the insider and acquires $A_i$, and even if he obtains the user’s identity $ID_i$, he cannot extract $PW_i$ from $A_i$ since the random number $a_i$ and the biometric parameter $BIO_i$ are only in the possession of the user.

Denning-Sacco attack
Assuming that the attacker obtains the session key, resistance to Denning-Sacco attack implies that he should not obtain secret keys or passwords. Session key is computed as $SK_i = h(k_i||N_i||r_i.f_i.P)$. So, even if the attacker obtains $SK_i$, he cannot obtain the server’s secret key $s$ or the user’s password $PW_i$.

Perfect forward secrecy
To supply perfect forward secrecy, disclosure of the long-term values, for example the identities or secret keys, should not lead to the disclosure of the session key [29]. The session key $SK_i = h(k_i^*||N_i^*||f_i.r_i.P)$ includes random numbers $f_i$ and $r_i$. So, the adversary is unable to retrieve $SK_i$ even if he acquires random numbers. So, perfect forward secrecy is supported.

Mutual authentication
As mentioned in Section 4.2, authentication of the server is done through the verification of $Auth_i^* \stackrel{?}{=} Auth_i$. Similarly, the user is authenticated through the verification of $N_i^* \stackrel{?}{=} N_i$. Assume that the attacker intends to authenticate as the legitimate user. So, he generates a fake $HID_i^{'}$ and sends it via the message {$HID_i^{'}, T_i, N_i, D_i, r_i.P$} to the server. Since $N_i^*$ is dependent on $HID_i$, replacing it with $HID_i^{'}$ leads to the inequality between $N_i^*$ and $N_i$, and hence, the adversary will not be authenticated. The same stands for sending $D_i^{'}$ instead of $D_i$ and $r_i^{'}.P$ instead of $r_i.P$. Likewise, if the attacker decides to authenticate himself as a legal server, he generates a fake $f_i^{'}.P$, adds it in the {$Auth_i, f_i^{'}.P$} message and sends it to the user. However, $Auth_i^*$ is dependent on $f_i.P$ and hence, $Auth_i^*$ will not be equal to $Auth_i$. So, the adversary will not be authenticated.

User anonymity
In the proposed scheme, we do not transmit the user’s identity $ID_i$ in the {$HID_i^*, T_i, N_i, D_i, r_i.P$} message to $S_j$. Instead, it is included in $HID_i$ as $HID_i^* = h(ID_i^*||b_i)$, where $b_i$ is a random number, inaccessible to the adversary. Thus, the adversary is incapable of knowing the user’s identity, meaning that the scheme supports user anonymity.

Fig. 3. Proposed scheme: Scyther analysis result.

Formal Security Analysis by Scyther
Scyther is a powerful tool for the purpose of analysis and identification of possible vulnerabilities in security protocols. This official tool automatically analyzes the scheme and carefully monitors its reaction to the most significant attacks. Fig. 3 shows the formal analysis output via the Scyther tool. The Niagree feature ensures that both parties are confident that the messages are exchanged securely. The Nisynch feature ensures that messages exchanged between the parties cannot be decrypted and resent. The Alive feature certifies that the protocol steps order is approved by the communication entities. The Weakagree feature warrants that in the protocol, it is not possible to forge an identity. The secret feature will also ensure that the corresponding parameter remains secure. As Fig. 3 shows, the proposed authentication model supports all mentioned features. The Scyther code is shown in Fig. 4.

Fig. 4. Proposed scheme: the Scyther code.

Performance Analysis

We first analyze the performance of our authentication protocol with respect to meeting various security features and perform comparison with Mishra [2], He and Wang [3], Reddy et al. [11], and Lin et al. [30]. Next, we evaluate the computational complexity (i.e., computation time in milliseconds) and communication complexity (i.e., number of transmitted bits) for the proposed method and those mentioned above as well as Tomar and Dhar [4], Qi and Chen [5], Park et al. [6], Xu et al. [31], Wu et al. [24], Ying and Nayak [26], and Wang and Zhu [7]. Table 2 demonstrates the results of security analysis, showing that the authentication scheme resists all attacks, and supports mutual authentication and perfect forward secrecy.

Table 2. Security features comparison

| Symbol | Description | Mishra [2] | He and Wang [3] | Reddy et al. [11] | Lin et al. [30] | Current study |
|---|---|---|---|---|---|---|
| $F_1$ | Perfect forward secrecy provision | Yes | Yes | Yes | Yes | Yes |
| $F_2$ | Mutual authentication provision | Yes | Yes | Yes | No | Yes |
| $F_3$ | User impersonation attack resistance | No | No | Yes | No | Yes |
| $F_4$ | Server impersonation attack resistance | No | No | Yes | No | Yes |
| $F_5$ | Replay attack resistance | Yes | Yes | Yes | No | Yes |
| $F_6$ | Known-session-specific temporary information attack resistance | No | No | Yes | Yes | Yes |
| $F_7$ | Denial of service attack resistance | Yes | Yes | Yes | No | Yes |
| $F_8$ | Insider attack resistance | Yes | Yes | No | Yes | Yes |

To evaluate the computational time complexity, the results expressed in [32,33] have been used, where the execution timings of hash function operation ($T_{hf}$), scalar multiplication operation ($T_{mu}$), and symmetric encryption/decryption ($T_{en/d}$) are 0.0004 ms, 7.3529 ms, and 0.1303 ms, respectively. The cost of these operations has been obtained using a laptop with CPU (Intel Core2 T6570 2.1 GHz), memory (4G), operating system (Windows 7, 32 bit), software (Visual C++ 2008, MIRACL C/C++ Library). In the proposed protocol, four scalar multiplication operations and eleven hash function operations are needed. Hence, the computational cost is $4T_{mu} + 11T_{hf} + 2T_{en/d}$, which is 29.674640 ms. The computational cost for Mishra [2] is 39.1793 ms, for He and Wang [3] is 73.5374 ms, for Tomar and Dhar [4] is 58.8312 ms, for Qi and Chen [5] is 44.642 ms, for Park et al. [6] is 29.4156 ms, for Xu et al. [31] is 44.1204 ms, for Reddy et al. [11] is 29.4156 ms, for Lin et al. [30] is 29.934 ms, for Wu et al. [24] is 73.5338 ms, for Ying and Nayak [23] is 73.5338 ms, and for Wang and Zhu [7] is 73.533 ms. The computation time comparison results have been shown in Table 3 and Fig. 5.

Table 3. Computation time comparison

| Scheme | Total computation | Time (ms) |
|---|---|---|
| Mishra [2] | $9T_{mu} + 8T_{hf}$ | 39.1793 |
| He and Wang [3] | $10T_{mu} + 21T_{hf}$ | 73.5374 |
| Tomar and Dhar [4] | $8T_{mu} + 30T_{hf}$ | 58.8312 |
| Qi and Chen [5] | $6T_{mu} + 4T_{en/d} + 16T_{hf}$ | 44.6420 |
| Park et al. [6] | $4T_{mu} + 15T_{hf}$ | 29.4156 |
| Xu et al. [31] | $6T_{mu} + 15T_{hf}$ | 44.1204 |
| Reddy et al. [11] | $4T_{mu} + 15T_{hf}$ | 29.4156 |
| Lin et al. [30] | $6T_{mu} + 4T_{en/d} + 8T_{hf}$ | 29.9340 |
| Ying and Nayak [23] | $10T_{mu} + 12T_{hf}$ | 73.5338 |
| Wang and Zhu [7] | $10T_{mu} + 10T_{hf}$ | 73.5330 |
| Current study | $4T_{mu} + 2T_{en/d} + 11T_{hf}$ | 29.6746 |

Fig. 5. Computation time of comparative schemes (in milliseconds).

As seen in Table 3 and Fig. 5, the proposed authentication protocol outperforms the related multi-server authentication schemes in terms of achieving minimum computational time overhead. In the following, we elaborate more on the results obtained from the computational cost comparison. An aim of [2] was to propose a secure authentication scheme, and was not that much concerned about the time, as it has used nine computationally expensive scalar multiplication operations, resulting in high computational overhead. Tomar and Dhar [4] assumes three entities, namely service providing server, user, and control server in the proposed architecture, which increases the number of exchange messages between the three entities, thus increasing the computation overhead.
The scheme of [6] has a similar architecture to our scheme, and hence, its computation cost is comparable to ours. However, it is not secure against attacks as it has not considered any long-term value in its session key. He and Wang [3] and Qi and Chen [5] both employ RC in their authentication phase between the user and the server, resulting in the increased number of computation and communication. He and Wang [3] has also used ECDLP and ECDHP at the same time, thus increasing the number of scalar multiplications to 10. The same has happened in Xu et al. [31]. Wu et al. [24] employs RC in their authentication phase between the user and the server, resulting in the increased number of computation and communication. Wang and Zhu [7] and Ying and Nayak [23] have used both ECDLP and ECDHP in their mutual authentication protocol, which leads to an increase in the number of expensive scalar multiplication operations, thus increasing the computation time. Our scheme is different as it does not involve RC in the mutual authentication of user and server and has only used ECDHP. This has resulted in less computational cost, compared to almost all the related schemes. The importance of this point becomes clear when we consider the advantage of the scheme regarding resistance to known attacks. Said otherwise, as seen in Table 2, the proposed scheme better meets the well-known security requirements and is resistant to all attacks better than most similar methods while incurring the least computation overhead.

To evaluate the communication complexity, we compared the communication cost (with regard to the number of exchanged bits) between the proposed protocol and the methods of Mishra [2], He and Wang [3], Tomar and Dhar [4], Qi and Chen [5], Park et al. [6], Xu et al. [31], Reddy et al. [11], Lin et al. [30], Wu et al. [24], Ying and Nayak [23], and Wang and Zhu [7]. Results have been displayed in Table 4 and Fig. 6.
According to [28,32,34], the communication cost of transmitting identity is set to be 160 bits, elliptic curve point multiplication is 320 bits, encryption/decryption operations are 128 bits, the realm is 32 bits, the timestamp is 32 bits, output hash function and random number are 160 bits and 32 bits, respectively. In the proposed scheme, the message {$HID_i, T_i, N_i, D_i, r_i.P$} requires (160+32+160+160+320) = 830 bits, and the message {$f_i.P, Auth_i, T_j$} needs (320+160+32) = 512 bits. Hence, the communication cost is (830+512) = 1342 bits. As demonstrated in Table 4, the proposed scheme has comparable communication cost, in relation with the recent similar methods.

Table 4. Comparison of communication cost

| Scheme | Number of messages | 1st message | 2nd message | 3rd message | 4th message | Number of bits |
|---|---|---|---|---|---|---|
| Current study | 2 | 830 | 512 | - | - | 1342 |
| Mishra [2] | 2 | 710 | 512 | - | - | 1222 |
| He and Wang [3] | 4 | 640 | 1120 | 640 | 800 | 3200 |
| Tomar and Dhar [4] | 4 | 1600 | 1952 | 512 | 832 | 4896 |
| Qi and Chen [5] | 4 | 480 | 160 | 512 | 160 | 1312 |
| Park et al. [6] | 3 | 672 | 512 | 192 | - | 1376 |
| Xu et al. [31] | 3 | 640 | 480 | 480 | - | 1600 |
| Reddy et al. [11] | 3 | 608 | 128 | 320 | - | 1056 |
| Lin et al. [30] | 3 | 672 | 672 | 160 | - | 1342 |
| Wu et al. [24] | 3 | 440 | 128 | 480 | - | 1048 |
| Ying and Nayak [23] | 2 | 960 | 1120 | - | - | 2080 |
| Wang and Zhu [7] | 2 | 1120 | 480 | - | - | 1600 |

Fig. 6. Comparison of communication cost (in bits).

Conclusion

In this article, we designed a three-factor ECC-based authentication and key agreement scheme for secure connection between service providers and users in multi-server architecture. The security analysis showed its resistance to different types of attacks and capability to meet various security needs. The security accuracy of the protocol was also verified via the Scyther tool. The proposed protocol was shown to achieve minimum computational overhead and comparable communication overhead compared with related schemes. In future, we can extend the protocol to a lightweight version to reduce the computation overhead.

Acknowledgements

Not applicable.

Author’s Contributions

Conceptualization, SachinK. Investigation and methodology, SaruK. Project administration, CMC. Writing of the original draft, HA. Writing of the review and editing, HA. Validation, MN. Formal analysis, MN. Visualization, MN.

Funding

None.

Competing Interests

The authors declare that they have no competing interests.

Authors Bio

Haleh Amintoosi received her B.Sc. and M.Sc., both in Computer Engineering, from Ferdowsi University of Mashhad, Iran, in 2000 and 2003, respectively. She received her Ph.D. in Computer Science from the University of New South Wales, Australia, in 2014. She is currently an assistant professor at the Department of Computer Engineering, Ferdowsi University of Mashhad, Iran. She is also a visiting senior lecturer at the School of Computer Science and Engineering, the University of New South Wales, Australia. Her research focuses on Security, Cryptography and Computer Networks.

Mahdi Nikooghadam received the M.Sc. degree in Computer Science from Ferdowsi University of Mashhad, Iran. His research interests include information security, cryptography and security protocols.

Saru Kumari received the Ph.D. degree in mathematics from Chaudhary Charan Singh University, Meerut, India, in 2012, and she is currently an assistant professor at the Department of Mathematics. She has published many research papers in reputed international journals and conferences. Her current research interests include applied cryptography and information security. She is a Technical Program Committee Member for many international conferences. She is on the Editorial Board of more than 12 journals of international repute including seven SCI journals. She served as the Lead/Guest Editor of four Special Issues in SCI journals of Elsevier, Springer, and Wiley.

SACHIN KUMAR (Member, IEEE) received the Ph.D. degree in computer science from CCS University, Meerut, in 2007. He has been working as a Professor with the Department of Computer Science and Engineering, Ajay Kumar Garg Engineering College (AKGEC), Ghaziabad, since October 2011. Prior to joining AKGEC, he worked with the Raj Kumar Goel Institute of Technology (RKGIT) Ghaziabad, the Krishna Institute of Engineering Technology (KIET), Ghaziabad, and CCS University, Meerut. He has more than 18 years of academic experience. He has guided four Ph.D. and ten M.Tech. students. He has published/presented several articles in journals/conferences of repute. He is the author/coauthor of three books of computer science.

CHIEN-MING CHEN is currently an Associate Professor at Shandong University of Science and Technology, China. He has published more than 100 papers in reputed international journals, including 90 publications in SCI-indexed journals. His current research interests include network security, the mobile internet, wireless sensor networks, and cryptography. He is currently an Associate Editor of IEEE ACCESS and an Executive Editor of the International Journal of Information and Computer Security.

References

[1] R. Ali and A. K. Pal, “Three-factor-based confidentiality-preserving remote user authentication scheme in multi-server environment,” Arabian Journal for Science and Engineering, vol. 42, no. 8, pp. 3655-3672, 2017.
[2] D. Mishra, “Design and analysis of a provably secure multi-server authentication scheme,” Wireless Personal Communications, vol. 86, no. 3, pp. 1095-1119, 2016.
[3] D. He and D. Wang, “Robust biometrics-based authentication scheme for multiserver environment,” IEEE Systems Journal, vol. 9, no. 3, pp. 816-823, 2015.
[4] A. Tomar and J. Dhar, “An ECC based secure authentication and key exchange scheme in multi-server environment,” Wireless Personal Communications, vol. 107, no. 1, pp. 351-372, 2019.
[5] M. Qi and J. Chen, “Anonymous biometrics-based authentication with key agreement scheme for multi-server environment using ECC,” Multimedia Tools and Applications, vol. 78, no. 19, pp. 27553-27568, 2019.
[6] Y. Park, K. Park, and Y. Park, “Secure user authentication scheme with novel server mutual verification for multiserver environments,” International Journal of Communication Systems, vol. 32, no. 7, article no. e3929, 2019. https://doi.org/10.1002/dac.3929
[7] J. Wang and Y. Zhu, “Secure two-factor lightweight authentication protocol using self-certified public key cryptography for multi-server 5G networks,” Journal of Network and Computer Applications, vol. 161, article no. 102660, 2020. https://doi.org/10.1016/j.jnca.2020.102660
[8] C. J. F. Cremers, Scyther: Semantics and Verification of Security Protocols. Eindhoven, Netherlands: Eindhoven University of Technology, 2006.
[9] V. Odelu, A. K. Das, and A. Goswami, “A secure biometrics-based multi-server authentication protocol using smart cards,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1953-1966, 2015.
[10] D. Guo and F. Wen, “Analysis and improvement of a robust smart card based-authentication scheme for multi-server architecture,” Wireless Personal Communications, vol. 78, no. 1, pp. 475-490, 2014.
[11] A. G. Reddy, E. J. Yoon, A. K. Das, V. Odelu, and K. Y. Yoo, “Design of mutually authenticated key agreement protocol resistant to impersonation attacks for multi-server environment,” IEEE Access, vol. 5, pp. 3622-3639, 2017.
[12] S. Barman, H. P. Shum, S. Chattopadhyay, and D. Samanta, “A secure authentication protocol for multi-server-based e-healthcare using a fuzzy commitment scheme,” IEEE Access, vol. 7, pp. 12557-12574, 2019.
[13] L. Xiong, D. Peng, T. Peng, H. Liang, and Z. Liu, “A lightweight anonymous authentication protocol with perfect forward secrecy for wireless sensor networks,” Sensors, vol. 17, no. 11, article no. 2681, 2017. https://doi.org/10.3390/s17112681
[14] S. Barman, A. K. Das, D. Samanta, S. Chattopadhyay, J. J. Rodrigues, and Y. Park, “Provably secure multi-server authentication protocol using fuzzy commitment,” IEEE Access, vol. 6, pp. 38578-38594, 2018.
[15] S. Kumari, A. K. Das, X. Li, F. Wu, M. K. Khan, Q. Jiang, and S. H. Islam, “A provably secure biometrics-based authenticated key agreement scheme for multi-server environments,” Multimedia Tools and Applications, vol. 77, no. 2, pp. 2359-2389, 2018.
[16] G. Xu, S. Qiu, H. Ahmad, G. Xu, Y. Guo, M. Zhang, and H. Xu, “A multi-server two-factor authentication scheme with un-traceability using elliptic curve cryptography,” Sensors, vol. 18, no. 7, article no. 2394, 2018. https://doi.org/10.3390/s18072394
[17] Q. Jiang, J. Ma, and F. Wei, “On the security of a privacy-aware authentication scheme for distributed mobile cloud computing services,” IEEE Systems Journal, vol. 12, no. 2, pp. 2039-2042, 2018.
[18] J. L. Tsai and N. W. Lo, “A privacy-aware authentication scheme for distributed mobile cloud computing services,” IEEE Systems Journal, vol. 9, no. 3, pp. 805-815, 2015.
[19] S. Chatterjee, S. Roy, A. K. Das, S. Chattopadhyay, N. Kumar, and A. V. Vasilakos, “Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 5, pp. 824-839, 2018.
[20] H. Yao, C. Wang, X. Fu, C. Liu, B. Wu, and F. Li, “A privacy-preserving RLWE-based remote biometric authentication scheme for single and multi-server environments,” IEEE Access, vol. 7, pp. 109597-109611, 2019.
[21] N. M. Lwamo, L. Zhu, C. Xu, K. Sharif, X. Liu, and C. Zhang, “SUAA: a secure user authentication scheme with anonymity for the single & multi-server environments,” Information Sciences, vol. 477, pp. 369-385, 2019.
[22] S. Roy, A. K. Das, S. Chatterjee, N. Kumar, S. Chattopadhyay, and J. J. Rodrigues, “Provably secure fine-grained data access control over multiple cloud servers in mobile cloud computing based healthcare applications,” IEEE Transactions on Industrial Informatics, vol. 15, no. 1, pp. 457-468, 2019.
[23] B. Ying and A. Nayak, “Lightweight remote user authentication protocol for multi-server 5G networks using self-certified public key cryptography,” Journal of Network and Computer Applications, vol. 131, pp. 66-74, 2019.
[24] T. Y. Wu, L. Yang, Z. Lee, C. M. Chen, J. S. Pan, and S. K. Islam, “Improved ECC-based three-factor multiserver authentication scheme,” Security and Communication Networks, vol. 2021, article no. 6627956, 2021. https://doi.org/10.1155/2021/6627956
[25] F. Wang, G. Xu, C. Wang, and J. Peng, “A provably secure biometrics-based authentication scheme for multiserver environment,” Security and Communication Networks, vol. 2019, article no. 2838615, 2021. https://doi.org/10.1155/2019/2838615
[26] D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198-208, 1983.
[27] R. Canetti and H. Krawczyk, “Universally composable notions of key exchange and secure channels,” in Advances in Cryptology – EUROCRYPT 2002. Heidelberg, Germany: Springer, 2002, pp. 337-351.
[28] N. Ravanbakhsh, M. Mohammadi, and M. Nikooghadam, “Perfect forward secrecy in VoIP networks through design a lightweight and secure authenticated communication scheme,” Multimedia Tools and Applications, vol. 78, pp. 11129-11153, 2019.
[29] M. Nikooghadam and H. Amintoosi, “Perfect forward secrecy via an ECC-based authentication scheme for SIP in VoIP,” The Journal of Supercomputing, vol. 76, pp. 3086-3104, 2020.
[30] H. Lin, F. Wen, and C. Du, “An improved anonymous multi-server authenticated key agreement scheme using smart cards and biometrics,” Wireless Personal Communications, vol. 84, no. 4, pp. 2351-2362, 2015.
[31] D. Xu, J. Chen, and Q. Liu, “Provably secure anonymous three-factor authentication scheme for multi-server environments,” Journal of Ambient Intelligence and Humanized Computing, vol. 10, pp. 611-627, 2019.
[32] L. Xu and F. Wu, “Cryptanalysis and improvement of a user authentication scheme preserving uniqueness and anonymity for connected health care,” Journal of Medical Systems, vol. 39, article no. 10, 2015. https://doi.org/10.1007/s10916-014-0179-x
[33] R. Amin, S. H. Islam, G. P. Biswas, M. K. Khan, and M. S. Obaidat, “Design and analysis of an enhanced patient-server mutual authentication protocol for telecare medical information system,” Journal of Medical Systems, vol. 39, article no. 137, 2015. https://doi.org/10.1007/s10916-015-0307-2
[34] S. Kumari, M. Karuppiah, A. K. Das, X. Li, F. Wu, and V. Gupta, “Design of a secure anonymity-preserving authentication scheme for session initiation protocol using elliptic curve cryptography,” Journal of Ambient Intelligence and Humanized Computing, vol. 9, pp. 643-653, 2018.
