arxiv: v1 [cs.cr] 28 May 2013

Transcription

1 arxv: v1 [cs.cr] 28 May 2013 An effcent dynamc ID based remote user authentcaton scheme usng self-certfed publc keys for mult-server envronment Dawe Zhao ab Hapeng Peng ab Shudong L c Yxan Yang ab a Informaton Securty Center Bejng Unversty of Posts and Telecommuncatons Bejng Chna. b Natonal Engneerng Laboratory for Dsaster Backup and Recovery Bejng Unversty of Posts and Telecommuncatons Bejng Chna. c School of Mathematcs Shandong Insttute of Busness and Technology Shandong Yanta Chna. Abstract. Recently L et al. analyzed Lee et al. s mult-server authentcaton scheme and proposed a novel smart card and dynamc ID based remote user authentcaton scheme for mult-server envronments. They clamed that ther scheme can resst several knds of attacks. However through careful analyss we fnd that L et al. s scheme s vulnerable to stolen smart card and offlne dctonary attack replay attack mpersonaton attack and server spoofng attack. By analyzng other smlar schemes we fnd that the certan type of dynamc ID based mult-server authentcaton scheme n whch only hash functons are used and no regstraton center partcpates n the authentcaton and sesson key agreement phase s hard to provde perfect effcent and secure authentcaton. To compensate for these shortcomngs we mprove the recently proposed Lao et al. s mult-server authentcaton scheme whch s based on parng and self-certfed publc keys and propose a novel dynamc ID based remote user authentcaton scheme for mult-server envronments. Lao et al. s scheme s found vulnerable to offlne dctonary attack and denal of servce attack and cannot provde user s anonymty and local password verfcaton. However our proposed scheme overcomes the shortcomngs of Lao et al. s scheme. Securty and performance analyses show the proposed scheme s secure aganst varous attacks and has many excellent features. Keyword. Authentcaton Mult-server Parng-based Hash functon Self-certfed publc keys. E-mal address: dwzhao@ymal.com (Dawe Zhao); penghapeng@bupt.edu.cn (Hapeng Peng). 1

2 2 1 Introducton Wth the rapd development of network technologes more and more people begn usng the network to acqure varous servces such as on-lne fnancal on-lne medcal on-lne shoppng on-lne bll payment on-lne documentaton and data exchange etc. And the archtecture of server provdng servces to be accessed over the network often conssts of many dfferent servers around the world nstead of just one. Whle enjoyng the comfort and convenence of the nternet people are facng wth the emergng challenges from the network securty. Identty authentcaton s the key securty ssue of varous types of on-lne applcatons and servce systems. Before an user accessng the servces provded by a servce provder server mutual dentty authentcaton between the user and the server s needed to prevent the unauthorzed personnel from accessng servces provded by the server and avod the llegal system cheatng the user by masqueradng as legal server. In the sngle server envronment password based authentcaton scheme [1] and ts enhanced verson whch addtonally uses smart cards [2-9] are wdely used to provde mutual authentcaton between the users and servers. However the conventonal password based authentcaton methods are not sutable for the mult-servers envronment snce each user does not only need to log nto dfferent remote servers repettvely but also need to remember many varous sets of denttes and passwords f he/she wants to access these servce provdng servers. In order to resolve ths problem n 2000 based on the dffculty of factorzaton and hash functon Lee and Chang [10] proposed a user dentfcaton and key dstrbuton scheme whch agrees wth the mult-server envronment. Snce then authentcaton schemes for the mult-server envronment have been wdely nvestgated and desgned by many researchers [11-28]. Based on the used of the basc cryptographc algorthms the exstng mult-server authentcaton schemes can be dvded nto two types namely the hash based authentcaton schemes and the publc-key based authentcaton schemes. At the same tme among these exstng mult-server authentcaton schemes some of them need the regstraton center (RC) to partcpate n the authentcaton and sesson key agreement phase whle others don t. Therefore accordng to the partcpaton or not of the RC n the authentcaton and sesson key agreement phase we dvde the mult-server authentcaton schemes nto RC dependented authentcaton schemes and non-rc dependented authentcaton schemes. In ths paper we analyze a novel mult-server authentcaton scheme L et al. s scheme [20] whch s only based on hash functon and a non-rc dependented authentcaton scheme. We fnd that ths scheme s vulnerable to stolen smart card and offlne dctonary attack replay attack mpersonaton attack and server spoofng attack. By analyzng some other smlar schemes [ ] we fnd that the type of dynamc ID based mult-server authentcaton scheme whch s only usng hash functons and non-rc dependented s hard to provde perfect effcent and secure authentcaton. To compensate for these shortcomngs we mprove the recently proposed Lao et al. s mult-server authentcaton scheme [27] whch s based on parng and self-certfed publc keys and propose a novel dynamc ID based remote user authentcaton scheme for mult-server envronments. Lao et al. s scheme s found vulnerable to offlne dctonary attack

3 Dawe Zhao et al. 3 [28] and denal of servce attack and cannot provde user s anonymty and local password verfcaton. However our proposed scheme overcomes the shortcomngs of Lao et al. s scheme. Securty and performance analyses show the proposed scheme s secure aganst varous attacks and has many excellent features. 2 Related works A large number of authentcaton schemes have been proposed for the mult-server envronment. Hash functon s one of the key technologes n the constructon of mult-server authentcaton scheme. In 2004 Juang et al. [11] proposed an effcent mult-server password authentcated key agreement scheme based on a hash functon and symmetrc key cryptosystem. In 2009 Hsang and Shh [12] proposed a dynamc ID based remote user authentcaton scheme for mult-server envronment n whch only hash functon s used. However Sood et al. [13] found that Hsang and Shh s scheme s susceptble to replay attack mpersonaton attack and stolen smart card attack. Moreover the password change phase of Hsang and Shh s scheme s ncorrect. Then Sood et al. presented a novel dynamc dentty based authentcaton protocol for mult-server archtecture to resolve the securty flaws of Hsang and Shh s scheme [13]. After that L et al. [14] ponted out that Sood et al. s protocol s stll vulnerable to leak-of-verfer attack stolen smart card attack and mpersonaton attack. At the same tme L et al. [14] proposed another dynamc dentty based authentcaton protocol for mult-server archtecture. However the above mentoned scheme are all RC dependented mult-server authentcaton scheme. In 2009 Lao and Wang [15] proposed a dynamc ID based mult-server authentcaton scheme whch s based on hash functon and non-rc dependented. But Lao and Wang s scheme s vulnerable to nsder s attack masquerade attack server spoofng attack regstraton center spoofng attack and s not reparable [16]. After that Shao et al. [17] and Lee et al. [1819] proposed some smlar types of mult-server authentcaton schemes. In 2012 L et al.[20] ponted out that Lee et al. s scheme [18] cannot wthstand forgery attack server spoofng attack and cannot provde proper authentcaton and then proposed a novel dynamc ID based mult-server authentcaton schemes whch s only usng hash functon and non-rc dependented. However wth careful analyss we fnd that L et al. s scheme [20] s stll vulnerable to stolen smart card and offlne dctonary attack replay attack mpersonaton attack and server spoofng attack. We also analyzed Shao et al. s scheme [17] and Lee et al. s scheme [19] they are all vulnerable to stolen smart card and offlne dctonary attack replay attack mpersonaton attack and server spoofng attack. In general t s dffcult to construct a secure dynamc ID based and non-rc dependented mult-server authentcaton scheme f only hash functons are used. Publc-key cryptograph s another useful technque whch s wdely used n the constructon of mult-server authentcaton scheme. In 2000 Lee and Chang [21] proposed a user dentfcaton and key dstrbuton scheme n whch the dffculty of factorzaton on publc key cryptography s used. In 2001 Tsaur [22] proposed a remote user authentcaton scheme based on RSA cryptosystem and Lagrange nterpolatng polynomal for mult-server envronments. Then

4 4 Ln et al. [23] proposed a mult-server authentcaton protocol based on the smple geometrc propertes of the Eucldean and dscrete logarthm problem concept. Snce the tradtonally publc key cryptographc algorthms requre many expensve computatons and consume a lot of energy Geng and Zhang [24] proposed a dynamc ID-based user authentcaton and key agreement scheme for mult-server envronment usng blnear parngs. But Geng and Zhang s scheme cannot wthstand user spoofng attack [25]. After that Tseng et al. [26] proposed an effcent parng-based user authentcaton scheme wth smart cards. However n 2013 Lao and Hsao [27] ponted out that Tseng et al. s scheme s vulnerable to nsder attack offlne dctonary attack and malcous server attack and cannot provde proper mutual authentcaton and sesson key agreement. At the same tme Lao and Hsao proposed a novel non-rc dependented mult-server remote user authentcaton scheme usng self-certfed publc keys for moble clents [27]. Recently Chou et al. [28] found Lao and Hsao s scheme cannot wthstand password guessng attack. Furthermore wth careful analyss we fnd that Lao and Hsao s scheme s stll vulnerable to denal of servce attack and cannot provde user s anonymty and local password verfcaton. In ths paper based on the Lao and Hsao s scheme we propose a secure dynamc ID based and non-rc dependented mult-server authentcaton scheme usng the parng and self-certfed publc keys. 3 Revew and cryptanalyss of L et al. s authentcaton scheme 3.1 Revew of L et al. s scheme L et al. s contans three partcpants the user U the server S j and the regstraton center RC. RC chooses the master secret key x and a secret number y to compute h(x y) and h(sid j h(y)) and then shares them wth S j va a secure channel. SID j s the dentty of server S j. There are four phases n the scheme: regstraton phase logn phase verfcaton phase and password change phase Regstraton phase When the remote user authentcaton scheme starts the user U and the regstraton center RC need to perform the followng steps to fnsh the regstraton phase: (1) U freely chooses hs/her dentty ID the password PW and computes A = h(b PW ) where b s a random number generated by U. Then U sends ID and A to the regstraton center RC for regstraton through a secure channel. (2) RC computes B = h(id x) C = h(id h(y) A ) D = h(b h(x y)) and E = B h(x y). RC stores {C D E h( )h(y)} on the user s smart card and sends t to user U va a secure channel. (3)U keysbntothesmartcardandfnallythesmartcardcontans{c D E bh( )h(y)}.

5 Dawe Zhao et al Logn phase Whenever U wants to logn S j he/she must perform the followng steps to generate a logn request message: (1) U nserts hs/her smart card nto the card reader and nputs ID and PW. Then the smart card computes A = h(b PW ) C = h(id h(y) A ) and checks whether the computed C s equal to C. If they are equal U proceeds the followng steps. Otherwse the smart card aborts the sesson. (2)ThesmartcardgeneratesarandomnumberN andcomputesp j = E h(h(sid j h(y)) N ) CID = A h(d SID j N ) M 1 = h(p j CID D N ) and M 2 = h(sid j h(y)) N. (3) U submts {P j CID M 1 M 2 } to S j as a logn request message Verfcaton phase Wher S j recevng the logn message {P j CID M 1 M 2 } S j and U perform the followng steps to fnsh the mutual authentcaton and sesson key agreement. (1) S j computes N = M 2 h(sid j h(y)) E = P j h(h(sid j h(y)) N ) B = E h(x y) D = h(b h(x y)) and A = CID h(d SID j N ) by usng {P j CID M 1 M 2 } h(sid j h(y)) and h(x y). (2) S j computes h(p j CID D N ) and checks whether t s equal to M 1. If they are not equal S j rejects the logn request and termnates ths sesson. Otherwse S j accepts the logn request message. Then S j generates a random number N j and computes M 3 = h(d A N j SID j ) M 4 = A N N j. Fnally S j sends the message {M 3 M 4 } to U. (3) After recevng the response message {M 3 M 4 } sent from S j U computes N j = A N M 4 M 3 = h(d A N j SID j ) and checks M 3 wth the receved message M 3. If they are not equal U rejects these messages and termnates ths sesson. Otherwse U successfully authentcates S j. Then the user U computes the mutual authentcaton message M 5 = h(d A N SID j ) and sends {M 5 } to the server S j. (4) Upon recevng the message {M 5 } from U S j computes h(d A N SID j ) and checks t wth the receved message {M 5 }. If they are equal S j successfully authentcates U and the mutual authentcaton s completed. After the mutual authentcaton phase the user U and the server S j compute SK = h(d A N N j SID j ) whch s taken as ther sesson key for future secure communcaton Password change phase Ths phase s nvoked whenever U wants to change hs password PW to a new password PW new. There s no need for a secure channel for password change and t can be fnshed wthout communcatng wth the regstraton center RC. (1) U nserts hs/her smart card nto the card reader and nputs ID and PW. (2) The smart card computes A = h(b PW ) C = h(id h(y) A ) and checks whether the computed C s equal to C. If they are not equal the smart card rejects the password

6 6 change request. Otherwse the user U nputs a new password PW new number b new. (3) The smart card computes A new (4) Fnally the smart card replaces C and b wth C new change phase. and a new random = h(b new PW new ) and C new = h(id h(y) A new ). and b new to fnsh the password 3.2 Cryptanalyss of L et al. s scheme L et al. clamed that ther scheme can resst many types of attacks and satsfy all the essental requrements for mult-server archtecture authentcaton. However f we assume that A s an adversary who has broken a user U m and a server S n or a combnaton of a malcous user U m and a dshonest server S n. Then A could get the secret number h(x y) and h(y) and can perform the stolen smart card and offlne dctonary attack replay attack mpersonaton attack and server spoofng attack to L et al. s scheme. The concrete cryptanalyss of the L et al. s scheme s shown as follows Stolen smart card and offlne dctonary attack IfauserU ssmartcardsstolenbyanadversarya Acanextractthenformaton{C D E b h( )h(y)} from the memory of the stolen smart card. Furthermore n case A ntercepts a vald logn request message {P j CID M 1 M 2 } sent from user U to server S j n the publc communcaton channel A can compute N = h(sid j h(y)) M 2 E = P j h(h(sid j h(y)) N ) B = E h(x y) D = h(b h(x y)) and A = CID h(d SID j N ) by usng h(y) and h(x y). Then A can launch offlne dctonary attack on C = h(id h(y) A ) to know the dentty ID of the user U because A knows the values of A correspondng to the user U. Besdes A can launch offlne dctonary attack on A = h(b PW ) to know the password PW of U because A knows the value of b from the stolen smart card of the user U. Now A possesses the vald smart card of user U knows the dentty ID password PW correspondng to the user U and hence can logn on to any servce server Replay attack The replay attack s replayng the same message of the recever or the sender agan. If adversary A has ntercepted a vald logn request message {P j CID M 1 M 2 } sent from user U to server S j n the publc communcaton channel. Then A can compute N = h(sid j h(y)) M 2 E = P j h(h(sid j h(y)) N ) B = E h(x y) D = h(b h(x y)) and A = CID h(d SID j N ) by usng h(y) and h(x y). Then adversary A can replay ths logn request message {P j CID M 1 M 2 } to S j by masqueradng as the user U at some tme latter. After verfcaton of the logn request message S j computes M 3 = h(d A N j SID j ) and M 4 = A N N j and sends the message {M 3 M 4 } to A who s masqueradng as the user U. The adversary A can verfy the receved value of {M 3 M 4 } and compute M 5 = h(d A N SID j ) snce he knows the values of N E B D and A. Then A sends {M 5} to the servers j. The S j

7 Dawe Zhao et al. 7 computes h(d A N SID j ) and checks t wth the receved message {M 5 }. Ths equvalency authentcates the legtmacy of the user U the servce provder server S j and the logn request s accepted. Fnally after mutual authentcaton adversary A masqueradng as the user U and the server S j agree on the common sesson key as SK = h(d A N N j SID j ). Therefore the adversary A can masquerade as user U to logn on to server S j by replayng the same logn request message whch had been sent from U to S j Impersonaton attack In ths subsecton we show that the adversary A who possesses h(y) and h(x y) can masquerade as any user U to logn any server S j as follows. Adversary A chooses two random numbers a and b and computes A = h(a ) and B = h(b ). Then A can compute D = h(b h(x y)) E = B h(x y) P j = E h(h(sid j h(y)) N ) CID = A h(d SID j N ) M 1 = h(p j CID D N ) and M 2 = h(sid j h(y)) N byusngh(y)andh(x y). NowAsendsthelognrequestmessage{P j CID M 1 M 2 } by masqueradng as the user U to server S j. After recevng the logn request message S j computes N = h(sid j h(y)) M 2 E = P j h(h(sid j h(y)) N ) B = E h(x y) D = h(b h(x y)) and A = CID h(d SID j N ) by usng {P j CID M 1 M 2 } h(x y) and h(sid j h(y)). Then S j computes M 3 = h(d A N j SID j ) and M 4 = A N N j and sends the message {M 3 M 4 } to A who s masqueradng as the user U. Then adversary A computes N j = A N M 4 and verfes M 3 by computng h(d A N j SID j ). Then A computes M 5 = h(d A N SID j ) and sends {M 5 } back to the server S j. The S j computes h(d A N SID j ) and checks t wth the receved message {M 5 }. Ths equvalency authentcates the legtmacy of the user U the servce provder server S j and the logn request s accepted. Fnally after mutual authentcaton adversary A masqueradng as the user U and the server S j agree on the common sesson key as SK = h(d A N N j SID j ) Server spoofng attack In ths subsecton we show that the adversary A who possesses h(y) and h(x y) can masquerade as the server S j to spoof user U f A has ntercepted a vald logn request message {P j CID M 1 M 2 } sent from user U to server S j n the publc communcaton channel. After nterceptng a vald logn request message {P j CID M 1 M 2 } sent from user U to server S j n the publc communcaton channel A can compute N = h(sid j h(y)) M 2 E = P j h(h(sid j h(y)) N ) B = E h(x y) D = h(b h(x y)) and A = CID h(d SID j N ) correspondng to U. Then A can choose a random number N j and compute M 3 = h(d A N j SID j) and M 4 = A N N j. A then sends the message {M 3M 4 } by masqueradng as server S j to the user U. After recevng the message {M 3 M 4 } U computes N j = A N M 4 and verfes M 3 by computng h(d A N j SID j). Then U computes M 5 = h(d A N SID j ) and sends t to the S j who s masqueradng as the adversary A. Then A computes h(d A N SID j ) and checks t wth the receved message {M 5 }. Fnally

8 8 after mutual authentcaton adversary A masqueradng as the server S j and the user U agree on the common sesson key as SK = h(d A N N j SID j). 3.3 Dscusson Except the L et al. s scheme we also analyzed other four dynamc ID based authentcaton schemes for mult-server envronment [ ]. These schemes are all based on hash functons and non-rc dependented. We found that such type of mult-server remote user authentcaton scheme are almost vulnerable to stolen smart card and offlne dctonary attacks mpersonaton attack and server spoofng attack etc. The cryptanalyss methods of these schemes are smlar to that of L et al. s scheme shown n secton 3.2. We thnk that under the assumptons that no regstraton center partcpates n the authentcaton and sesson key agreement phase the dynamc ID and hash functon based user authentcaton schemes for mult-server envronment s hard to provde perfect effcent and secure authentcaton. Fortunately there s another technque publc-key cryptograph whch s wdely used n the constructon of authentcaton scheme. Therefore n order to construct a secure low power consumpton and non-rc dependented authentcaton scheme we adopt the ellptc curve cryptographc technology of publc-key technques and propose a novel dynamc ID based and non-rc dependented remote user authentcaton scheme usng parng and self-certfed publc keys for mult-server envronment. 4 Prelmnares Before presentng our scheme we ntroduce the concepts of blnear parngs self-certfed publc keys as well as some related mathematcal assumptons. 4.1 Blnear parngs Let G 1 be an addtve cyclc group wth a large prme order q and G 2 be a multplcatve cyclc group wth the same order q. Partcularly G 1 s a subgroup of the group of ponts on an ellptc curve over a fnte feld E(F p ) and G 2 s a subgroup of the multplcatve group over a fnte feld. P s a generator of G 1. A blnear parng s a map e : G 1 G 1 G 2 and satsfes the followng propertes: (1) Blnear: e(apbq) = e(pq) ab for all PQ G 1 and ab Z q. (2) Non-degenerate: There exsts PQ G 1 such that e(pq) 1. (3) Computablty: There s an effcent algorthm to compute e(pq) for all PQ G self-certfed publc keys In [27] Lao et al. frst proposes a key dstrbuton based on self-certfed publc keys (SCPKs) [2930] among the servce servers. By usng the SCPK a user s publc key can be computed drectly from the sgnature of the thrd trust party (TTP) on the user s dentty nstead of

9 Dawe Zhao et al. 9 verfyng the publc key usng an explct sgnature on a user s publc key. The SCPK scheme s descrbed as follows. (1) Intalzaton: The thrd trust party (TTP) frst generates all the needed parameters of the scheme. TTP chooses a non-sngular hgh ellptc curve E(F p ) defned over a fnte feld whch s used wth a basedpont generatorp ofprme orderq. Then TTP freely chooseshs/her secret key s T and computes hs/her publc key pub T = s T P. The related parameters and pub T are publcly and authentcally avalable. (2) Prvate key generaton: An user A chooses a random number k A computes K A = k A P and sends hs/her dentty ID A and K A to the TTP. TTP chooses a random number r A computes W A = K A +r A P and s A = h(id A W A )+r A and sends W A and s A to user A. Then A obtans hs/her secret key by calculatng s A = s A +k A. (3) Publc key extracton: Anyone can calculate A s publc key pub A = h(id A W A )pub T + W A when he/she receves W A. 4.3 Related mathematcal assumptons To prove the securty of our proposed protocol we present some mportant mathematcal problems and assumptons for blnear parngs defned on ellptc curves. The related concrete descrpton can be found n [3132]. (1) Computatonal dscrete logarthm (CDL) problem: Gven R = x P where PR G 1. It s easy to calculate R gven x and P but t s hard to determne x gven P and R. (2) Ellptc curve factorzaton (ECF) problem: Gven two ponts P and R = x P +y P for xy Zq t s hard to fnd x P and y P. (3) Computatonal Dffe-Hellman (CDH) problem: Gven PxPyP G 1 t s hard to compute xyp G 1. 5 The proposed scheme In ths secton by mprovng the recently proposed Lao et al. s mult-server authentcaton scheme [27] whch s found vulnerable to offlne dctonary attack and denal of servce attack [28] and cannot provde user s anonymty and local password verfcaton we propose a novel dynamc ID based remote user authentcaton scheme for mult-server envronment usng parng and self-certfed publc keys. Our scheme contans three partcpants: the user U the servce provder server S j and the regstraton center RC. The legtmate user U can easly logn on to the servce provder server usng hs smart card dentty and password. There are sx phases n the proposed scheme: system ntalzaton phase the user regstraton phase the server regstraton phase the logn phase the authentcaton and sesson key agreement phase and the password change phase. The notatons used n our proposed scheme are summarzed n Table 1.

10 10 Table 1: Notatons used n the proposed scheme. e A blnear map e : G 1 G 1 G 2. U The th user. ID The dentty of the user U. S j The jth servce provder server. SID j The dentty of the servce provder server S j. RC The regstraton center. s RC The master secret key of the regstraton center RC n Zq. pub RC The publc key of RC pub RC = s RC P. P A generator of group G 1. H() A map-to-pont functon H : 01 G 1. h() A one way hash functon h : k where k s the output length. h() allows the concatenaton of some nteger values and ponts on an ellptc curve. A smple XOR operaton n G 1. If P 1 P 2 G 1 P 1 and P 2 are ponts on an ellptc curve over a fnte feld the operaton P 1 P 2 means that t performs the XOR operatons of the x-coordnates and y-coordnates of P 1 and P 2 respectvely. The concatenaton operaton. 5.1 System ntalzaton phase In the proposed scheme regstraton center RC s assumed a thrd trust party. In the system ntalzaton phase RC generates all the needed parameters of the scheme. (1) RC selects a cyclc addtve group G 1 of prme order q a cyclc multplcatve group G 2 of the same order q a generator P of G 1 and a blnear map e : G 1 G 1 G 2. (2) RC freely chooses a number s RC Z q keepng as the system prvate key and computes pub RC = s RC P as the system publc key. (3) RC selects two cryptographc hash functons H( ) and h( ). Fnally all the related parameters {eg 1 G 2 qppub RC H( )h( )} are publcly and authentcally avalable. 5.2 User regstraton phase When the user U wants to access the servces he/she has to submt hs/her some related nformaton to the regstraton center RC for regstraton. The steps of the user regstraton phase are as follows: (1) The user U freely chooses hs/her dentty ID and passwordpw and chooses a random number b. Then U computes HPW = h(id pw b ) P and submts ID and HPW to RC for regstraton va a secure channel.

11 Dawe Zhao et al. 11 (2) When recevng the message ID and HPW RC computes QID = H(ID ) CID = s RC QID Reg ID = CID s RC HPW and H = h(qid CID ). Then RC stores the message {Reg ID H } n U s smart card and submts the smart card to U through a secure channel. (3) After recevng the smart card U enters b nto the smart card. Fnally the smart card contans parameters {Reg ID H b }. 5.3 Server regstraton phase If a servce provder server S j wants to provdes servces for the users he/she must perform the regstraton to the regstraton center RC to become a legal servce provder server. The process of server regstraton phase of the proposed scheme s based on SCPK mentoned n secton 4.2. (1) S j chooses a random number v j and computes V j = v j P. Then S j submts SID j and V j to RC for regstraton va a secure channel. (2)After recevngthemessage{sid j V j } RC choosesarandomnumberw j andcomputes W j = w j P +V j and s j = (s RC h(sid j W j )+w j ) mod q. Then RC submts the message {W j s j } to S j through a secure channel. (3) After recevng {W j s j } S j computes the prvate key s j = (s j +v j) mod q and checks the valdty of the values ssued to hm/her by checkng the followng equaton: pub j = s j P = h(sid j W j ) pub RC +W j. At last S j s personal nformaton contans {SID j pub j s j W j } The detals of user regstraton phase and server regstraton phase are shown n Fg Logn phase If user U wants to access the servces provded by server S j U needs to logn on to S j the process of the logn phase are as followng: (1) U nserts hs/her smart card nto the smart card reader and nputs dentty ID and password pw. Then the smart card computes QID = H(ID ) CID = Reg ID h(id pw b ) pub RC H = h(qid CID ) and checks whether H = H. If they are equal t means U s a legal user. Otherwse the smart card aborts the sesson. (2) The smart card generates two random numbers u and r and computes DID = u QID and R = r P. Then the smart card sends the logn request message {DID R } to server S j over a publc channel. 5.5 Authentcaton and sesson key agreement phase (1) After recevng the logn request {DID R } sent from U S j chooses a random number r j and computes R j = r j P T j = r j R K j = s j R and Auth j = h(did SID j K j R j ). Then S j sends the message {W j R j Auth j } to U. (2) When recevng {W j R j Auth j } U computes T j = r R j pub j = h(sid j W j ) pub RC +W j K j = r pub j and Auth j = h(did SID j K j R j ). Then U checks Auth j

12 12 User U Regstraton Center Server RC Sj User regstraton phase: Generate a random number b HPW = h( ID pw b) P Store{ Reg H b} ID Server regstraton phase: { ID HPW} { Reg H} ID QID = H( ID) CID = s QID RC Reg = CID s HPW ID RC H = hqid ( CID). W = w P + V j j j j RC j j Generate a random number w j { SIDj Vj} s = ( s h( SID W) + w)mod q. { Wj sj} v j Generate a random number V = v P. s s v j j = ( j + j)mod q Check fs P? = h( SID W) pub + W j j RC j If no reject the connecton. j Fgure 1: User and server regstraton phase of the proposed scheme. wth the receved Auth j. If they are not equal U termnates ths sesson. Otherwse S j s authentcated and U contnues to compute M = r DID N = u CID d j = h(did SID j K j M ) and B = (r +d j ) N. Fnally U sends the message {M B } to S j. (3) After recevng the message {M B } sent from U S j computes d j = h(did SID j K j M ) and checks whether e(m +d j DID pub RC ) = e(b P). If they are not equal S j termnates ths sesson. Otherwse U s authentcated. Fnally the useru and the servers j agreeon acommon sessonkey asu : SK = h(did SID j K j T j ) S j : SK = h(did SID j K j T j ). The logn phase and authentcaton and sesson key agreement phase are depcted n Fg Password change phase The followng steps show the process of the password change phase of a user U. (1)TheuserU nsertshs/hersmartcardntothesmartcardreaderandnputsdenttyid and password pw. Then the smart card computes QID = H(ID ) CID = Reg ID h(id pw b ) pub RC H = h(qid CID ) and checks whether H = H. If they are equal t

13 Dawe Zhao et al. 13 means U s a legal user. Otherwse the smart card aborts the sesson. (2) The smart card generates a random number z and computes Z = z P and AID = CID z pub RC. Then the smart card sends the message {ID AID Z } to the regstraton center RC. (3) After recevng the message {ID AID Z } RC computes CID = AID s RC Z QID = H(ID ) and checks whether e(cid P) = e(qid pub RC ). If they are equal user U s authentcated. Then RC computes V 1 = h(cid s RC Z ) and sends {V 1 } to U. (4) When recevng{v 1 } user computes h(cid z pub RC ) and checkst wth the receved V 1. If they are equal the regstraton center RC s authentcated. Then U chooses hs/her new password pw new pw new b new ) P V 2 = HPW new Then U submts {V 2 V 3 } to RC. and the new random number b new and computes HPW new = h(id z pub RC and V 3 = h(cid z pub RC HPW new ). (5) Upon recevng the response {V 2 V 3 } the regstraton server RC computes HPW new = V 2 s RC Z and V3 = h(cid s RC Z HPW new ). Then RC compares V3 wth the receved V 3. If they are equal RC contnues to compute RegID new = CID s RC HPW new V 4 = RegID new s RC Z and V 5 = h(s RC Z RegID new ). After that RC sends {V 4 V 5 } to U. (6) After recevng {V 4 V 5 } U computes Reg new ID = V 4 z pub RC and V 5 = h(z pub RC Reg new ID ). Then U checks whether V 5 = V 5. If they are equal user U replaces the orgnal Reg ID and b wth Reg new ID and b new. The detals of a password change phase of the proposed scheme are shown n Fg.3. 6 Securty analyss 6.1 Stolen smart card and offlne dctonary attacks In the proposed scheme we assume that f a smart card s stolen physcal protecton methods cannot prevent malcous attackers to get the stored secure elements. At the same tme adversary A can access to a bg dctonary of words that lkely ncludes user s password and ntercept the communcatons between the user and server. In the proposed scheme n case a user U s smart card s stolen by an adversary A he can extract{reg ID H }fromthememoryofthe stolensmartcard. At the sametme t sassumed thatadversaryahasnterceptedaprevousfullsessonmessages{did R W j R j Auth j M B } between the user U and server S j. However the adversary stll cannot obtan the U s dentty ID and password pw except guessng ID and pw at the same tme. Therefore t s mpossble to get the U s dentty ID and password pw from stolen smart card and offlne dctonary attack n our proposed scheme. 6.2 Replay attack Replayng a message of prevous sesson nto a new sesson s useless n our proposed scheme because user s smart card and the server choose dfferent rand numbers r and r j and the

14 14 user dentty s dfferent n each new sesson whch make all messages dynamc and vald for that sesson only. If we assume that an adversary A reples an ntercepted prevous logn request {DID R }to S j afterrecevngthe responsemessage{w j R j Auth j }sentfrom S j Acannot compute the correct response message {M B } to pass the S j s authentcaton snce he does not know the values of ID pw u and r. Therefore the proposed scheme s robust for the replay attack. 6.3 Impersonaton attack If an adversary A wants to masquerade as a legal user U to pass the authentcaton of a server S j he must have the values of both QID and CID. However QID and CID are protected by U s smart card ID and pw snce QID = H(ID ) and CID = Reg ID h(id pw b ) pub RC. Therefore unless the adversary A can obtan the U s smart card ID and pw at the same tme the proposed scheme s secure to the mpersonaton attack. 6.4 Server spoofng attack If an adversary A wants to masquerade as a legal server S j to cheat a user U he must calculate a vald Auth j whch s embedded wth the shared secret key K j = s j R to pass the authentcaton of U. However adversary A cannot derve the shared secret key K j wthout knowng the prvate key s j of the server S j. Therefore our scheme s secure aganst the server spoofng attack. 6.5 Insder attack In the proposed scheme the regstraton center RC cannot obtan the U s password pw. Snce n the regstraton phase U chooses a random number b and sends ID and HPW = h(id pw b ) P to RC RC can not derve pw from HPW based on CDL problem. Therefore the proposed scheme s robust for nsder attack. 6.6 Denal of servce attack In denal of servce attack an adversary A updates dentty and password verfcaton nformaton on smart card to some arbtrary value and hence legtmate user cannot logn successfully n subsequent logn request to the server. In the proposed scheme smart card checks the valdty of user U s dentty ID and password pw before password update procedure. An adversary can nsert the stolen smart card of the user U nto smart card reader and has to guess the dentty ID and password pw correctly correspondng to the user U. Snce the smart card computes H = h(qid CID ) and compares t wth the stored value of H n ts memory to verfy the legtmacy of the user U before smart card accepts passwordupdate request. It s not possble to guess dentty ID and password pw correctly at the same tme n real polynomal

15 Dawe Zhao et al. 15 tme even after gettng the smart card of the user U. Therefore the proposed scheme s secure aganst the denal of servce attack. 6.7 Perfect forward secrecy Perfect forward secrecy means that even f an adversary compromses all the passwords of the users t stll cannot compromse the sesson key. In the proposed scheme the sesson key SK = h(did SID j K j T j ) (SK = h(did SID j K j T j )) s generated by three one-tme random numbers u r and r j n each sesson. These one-tme random numbers are only held by the user U and the server S j and cannot be retreved from SK based on the securty of CDH problem. Thus even f an adversary obtans prevous sesson keys t cannot compromse other sesson key. Hence the proposed scheme acheves perfect forward secrecy. 6.8 User s anonymty In our proposed scheme the user U s logn message s dfferent n each logn phase. Among each logn message DID = u H(ID ) s assocated wth a random number u whch s known by U only. Therefore any adversary cannot dentty the real dentty of the logon user and our scheme can provde the user s anonymty. 6.9 No verfcaton table In our proposed scheme t s obvous that the user the server and the regstraton center do not mantan any verfcaton table Local password verfcaton In the proposed scheme smart card checks the valdty of user U s dentty ID and password pw beforeloggngntoservers j. Sncetheadversarycannotcomputethe correctcid wthout the knowledge of ID and pw to pass the verfcaton equaton H = H thus our scheme can avod the unauthorzed accessng by the local password verfcaton Proper mutual authentcaton In our scheme the user frst authentcates the server. U sends the message {DID R } to the server S j to buld an connecton. After recevng the response message {W j R j Auth j } sent from S j U computes T j pub j K j Auth j and checks whether Auth j = Auth j. If they are equal S j s authentcated by U. Otherwse U stops to logn onto ths server. Snce Auth j = h(did SID j K j R j ) and K j = s j R an adversary A cannot compute the correct K j wthout the knowledge of value of s j. Any fabrcated message {W j R j Auth j } cannot pass the verfcaton. Then U computes M N d j B and sends the message {M B } to S j. After recevng the message {M B } sent from U S j computes d j and checks whether e(m +

16 16 Table 2: Computatonal cost comparson of our scheme and other schemes. Proposed scheme Lao et al. scheme [27] Tseng et al. scheme [26] C1 3TG mul +TG H +2T h 3TG mul +TG H +T h 2TG mul +TG H +T h C2 8TG mul +TG H +TG add +5T h 5TG mul +TG H +TG add +5T h 3TG mul +2T h C3 2TG e +4TG mul +TG add +2T h 2TG e +5TG mul +TG add +2T h 2TG e +TG mul +TG H +TG add +T h d j DID pub RC ) = e(b P). If they are not equal S j termnates ths sesson. Otherwse U s authentcated. Snce B = (r +d j ) N an adversary A cannot compute the correct B wthout the knowledge of values of u and r etc. Any fabrcated message {M B } cannot pass the verfcaton. Therefore our proposed scheme can provde proper mutual authentcaton. 7 Performance comparson and functonalty analyss In ths secton we compares the performance and functonalty of our proposed scheme wth some prevously schemes. To analyze the computaton cost some notatons are defned as follows. TG e : The tme of executng a blnear map operaton e : G 1 G 1 G 2. TG mul : The tme of executng pont scalar multplcaton on the group G 1. TG H : The tme of executng a map-to-pont hash functon H(.). TG add : The tme of executng pont addton on the group G 1. T h : The tme of executng a one-way hash functon h(.). Snce the XOR operaton and the modular multplcaton operaton requre very few computatons t s usually neglgble consderng ther computaton cost. Table 2 shows the performance comparsons of our proposed scheme and some other related protocols. We manly focus on three computaton costs ncludng: C1 the total tme of all operatons executed n the user regstraton phase; C2 the total tme spent by the user durng the process of logn phase and verfcaton phase; C3 the total tme spent by the server durng the process of verfcaton phase. As shown n Table 2 Tseng et al. s scheme are more effcent n terms of computaton cost. However Tseng et al. s scheme s vulnerable to stolen smart card and offlne dctonary attacks server spoofng attack and nsder attack and cannot provde perfect forward secrecy user s anonymty proper mutual authentcaton and sesson key agreement. In our proposed scheme the total computaton cost of the user (C2) s 9TG mul +TG H +TG add +5T h. But smlar to that n Lao et al. s scheme the user U can pre-compute R = r P n the clent and then the computaton cost of the user (C2) requres 8TG mul +TG H +TG add +5T h on-lne computaton. It can be found that our proposed scheme spends a lttle more computaton cost than Lao et al. s scheme n C2 and the others are almost equal. However Lao et al. s scheme s vulnerable to stolen smart card and offlne dctonary attacks and denal of servce attack and cannot provde user s anonymty and local password verfcaton.

17 Dawe Zhao et al. 17 Table 3: Functonalty comparsons among related mult-server authentcaton protocols. Proposed Lao Tseng L Lee Shao Lee scheme et al. et al. et al. et al. et al. et al. [27] [26] [20] [18] [17] [19] Resst stolen smart card and Yes No No No No No No offlne dctonary attacks Resst replay attack Yes Yes Yes No No No No Resst mpersonaton attack Yes Yes Yes No No No No Resst server spoofng attack Yes Yes No No No No No Resst nsder attack Yes Yes No Yes Yes No Yes Resst denal of servce attack Yes No Yes Yes Yes Yes No Perfect forward secrecy Yes Yes No Yes Yes No No User s anonymty Yes No No Yes Yes No Yes No verfcaton table Yes Yes Yes Yes Yes Yes Yes Local password verfcaton Yes No Yes Yes Yes Yes No Proper mutual authentcaton Yes Yes No Yes No Yes Yes Table 3 lsts the functonalty comparsons among our proposed scheme and other related schemes. It s obvously that our scheme has many excellent features and s more secure than other related schemes. 8 Concluson In ths paper we pont out that L et al. s scheme s vulnerable to stolen smart card and offlne dctonary attack replay attack mpersonaton attack and server spoofng attack. Furthermore by analyzng some other smlar schemes we fnd the certan type of dynamc ID based and non-rc dependented mult-server authentcaton scheme n whch only hash functons are used s hard to provde perfect effcent and secure authentcaton. To compensate for these shortcomngs we mprove the Lao et al. s mult-server authentcaton scheme whch s based on parng and self-certfed publc keys and propose a novel dynamc ID based and non-rc dependented remote user authentcaton scheme for mult-server envronments. The securty and performance analyses show the proposed scheme s secure aganst varous attacks and has many excellent features. 9 Acknowledgment Ths paper was supported by the Natonal Natural Scence Foundaton of Chna (Grant Nos ) and the Asa Foresght Program under NSFC Grant (Grant No ).

18 18 References [1] T. Hwang Y. Chen C.S. Lah Non-nteractve password authentcaton wthout password tables IEEE Regon 10 Conference on Computer and Communcaton System 1 (1990) [2] H.M. Sun An effcent remote user authentcaton scheme usng smart cards IEEE Trans. Consum. Electron. 46 (4) (2000) [3] M.S. Hwang C.C. Lee Y.L. Tang A smple remote user authentcaton scheme Math. Comput. Model. 36 (1-2) (2002) [4] M.L. Das A. Saxena V.P. Gulat A dynamc ID-based remote user authentcaton scheme IEEE Trans. Consum. Electron. 50 (2) (2004) [5] C.I. Fan Y.C. Chan Z.K. Zhang Robust remote authentcaton scheme wth smart cards Computers & Securty 24 (8) (2005) [6] S.W. Lee H.S. Km K.Y. Yoo Effcent nonce-based remote user authentcaton scheme usng smart cards Appled Mathematcs and Computaton 167 (1) (2005) [7] C.T. L M.S. Hwang An effcent bometrcs-based remote user authentcaton scheme usng smart cards Journal of Network and Computer Applcatons 33 (1) (2010) 1-5. [8] He D. Chen J. Hu J An ID-based clent authentcaton wth key agreement protocol for moble clentcserver envronment on ECC wth provable securty Informaton Fuson 13 (3) (2012) [9] X. L J.W. Nu J. Ma W.D. Wang C.L. Lu Cryptanalyss and mprovement of a bometrcs-based remote user authentcaton scheme usng smart cards Journal of Network and Computer Applcatons 34 (1) (2011) [10] W.B. Lee C.C. Chang User dentfcaton and key dstrbuton mantanng anonymty for dstrbuted computer network Journal of Computer and System Scences 5 (4) (2000) [11] W.S. Juang Effcent mult-server password authentcated key agreement usng smart cards IEEE Transactons on Consumer Electroncs 50 (1) (2004) [12] Hsang H. C. Shh W. K. Improvement of the secure dynamc ID based remote user authentcaton scheme for mult-server envronment Computer Standard & Interfaces 31 (6) (2009) [13] Sood S-K SarjeA-K SnghK A secure dynamc dentty based authentcaton protocol for mult-server archtecture Journal of Network and Computer Applcatons 34 (2) (2011)

19 Dawe Zhao et al. 19 [14] X. L Y. P. Xong J. Ma W. D. Wang An effcent and securty dynamc dentty based authentcaton protocol for mult-server archtecture usng smart cards Journal of Network and Computer Applcatons 35 (2) (2012) [15] Y. P. Lao S. S. Wang A secure dynamc ID based remote user authentcaton scheme for mult-server envronment Computer Standards & Interfaces 31 (1) (2009) [16] Hsang H. C. Shh W. K Improvement of the secure dynamc ID based remote user authentcaton scheme for mult-server envronment Computer Standard & Interfaces 31 (6) (2009) [17] Shao M. Chn Y A novel approach to dynamc d-based remote user authentcaton scheme for mult-server envronment In: th Internatonal Conference on Network and System Securty (NSS 2010) IEEE Press 2010 pp [18] C.C. Lee T.H. Ln R.X. Chang A secure dynamc ID based remote user authentcaton scheme for mult-server envronment usng smart cards Expert Systems wth Applcatons 38 (11) (2011) [19] Cheng-Ch Lee Yan-Mng La Chun-Ta L An Improved Secure Dynamc ID Based Remote User Authentcaton Scheme for Mult-Server Envronment Internatonal Journal of Securty and Its Applcatons 6 (2) (2012) [20] Xong L Jan Ma Wendong Wang Yongpng Xong Junsong Zhang A novel smart card and dynamc ID based remote user authentcaton scheme for mult-server envronments Mathematcal and Computer Modellng do: /j.mcm [21] W.B. Lee C.C. Chang User dentfcaton and key dstrbuton mantanng anonymty for dstrbuted computer network Comput. Syst. Sc. 15 (4) (2000) [22] W.J. Tsuar C.C. Wu W.B. Lee A flexble user authentcaton for multserver nternet servces Networkng-JCN2001LNCS vol Sprnger- Verlag 2001 pp [23] C. Ln M.S. Hwang L.H. L A new remote user authentcaton scheme for multserver archtecture Future Generaton Computer Systems 1 (19) (2003) [24] J. Geng L. Zhang A dynamc ID-based user authentcaton and key agreement scheme for mult-server usng blnear parngs n: Proceedngs of the 2008 Workshop on Power Electroncs and Intellgent Transportaton System 2008 pp [25] Y.H. Chung Y.M. Tseng Securty weakness of two dynamc ID-based user authentcaton and key agreement schemes for mult-server envronment n: 2009 Natonal Computer Symposum 2009 pp [26] Y.M. Tseng T.Y. Wu J.D. Wu A parng-based user authentcaton scheme for wreless clents wth smart card Informatcs 19 (2) (2008)

20 20 [27] Y-Pn Lao Chh-Mng Hsao A novel mult-server remote user authentcaton scheme usng self-certfed publc keys for moble clents Future Generaton Computer Systems 29 (2013) [28] Jue-Sam Chou Yaln Chen Chun-Hu Huang Yu-Sang Huang Comments on four multserver authentcaton protocols usng smart card IACR Cryptology eprnt Archve 2012: 406. [29] M. Grault Self-certfed publc keys n: Advances n Cryptology Eurocrypt 91 Sprnger- Verlag 1991 pp [30] H. Petersen P. Horster Self-certfed keys concepts and applcatons n: Proceedngs of the 3rd Conference of Communcatons and Multmeda Securty Athens September 1997 pp [31] N. Kobltz Ellptc curve cryptosystem Mathematcs of Computaton 48 (1987) [32] N.P. Smart An dentty based authentcated key agreement protocol based on the Wel parng Electroncs Letters 38 (13) (2002)

21 Dawe Zhao et al. 21 User U Logn and verfcaton phase: Insert smart card and nput ID pw QID = H( ID ) CID = Reg h( ID pw b ) pub ID RC Check fh? = hqid ( CID ) = H * Generate a random numberu r DID = u QID R = r P. If no reject the logn request T = r R j j pub = h( SID W ) pub + W j j j RC j K = r pub j j { DID R} { W R Auth } j j Check f Auth = h( DID SID K R )? = Auth If yes S j s authentcated M = r DID N = u CID d = h( DID SID K M ) B = ( r + d ) N. j j j j j j j j j SK = h( DID SIDj Kj Tj ) { M B} j Server Generate a random numberr R = r P j T = r R j K = s R j j j j Sj Auth = h( DID SID K R ). j j j j d = h( DID SID K M ) j j j Check fem ( + d DID pub )? = e( B P) If yes j j RC s authentcated. U SK = h( DID SIDj Kj Tj) Fgure 2: Logn and verfcaton phase of the proposed scheme.

22 22 User U Password change phase: Insert smart card and nput ID pw QID = H( ID ) CID = Reg h( ID pw b ) pub ID RC Check fh? = hqid ( CID ) = H * If no reject the request Generate a random numberz Z = z P AID = CID z pub RC. { ID AID Z } { V1} Regstraton Center RC CID = AID s Z QID = H( ID ) Check fecid ( P)? = eqid ( pub ) V = hcid ( s Z ). 1 RC If yes U RC s authentcated RC Check fv = hcid ( z pub ) If yes RCs authentcated new new new HPW = h( ID pw b ) P V = HPW z pub new RC new V = hcid ( z pub HPW ). RC RC { V2 V3} Reg = V z pub new ID 4 RC Check fv = h( z pub Reg )? = V * new 5 RC ID 5 { V4 V5} If yes replacereg and b wthreg andb new new ID ID. new HPW = V s Z Check fv = hcid ( s Z HPW )? = V * new 3 RC 3 new new ID RC new V = Reg s Z ID RC If yes Reg = CID s HPW RC new V = hs ( Z Reg ). RC ID Fgure 3: Password change phase of the proposed scheme.