A lightweight password-based authentication protocol using smart card

Transcription

1 Receved: 12 February 2017 Revsed: 26 March 2017 Accepted: 17 Aprl 2017 DOI: /dac.3336 RESEARCH ARTICLE A lghtweght password-based authentcaton protocol usng smart card Chenyu Wang 1 Dng Wang 2 Guoa Xu 1 Yanhu Guo 1 1 Bejng Unversty of Posts and Telecommuncatons, Bejng, Chna 2 School of Electroncs Engneerng and Computer Scence, Pekng Unversty, Bejng, Chna Correspondence Dng Wang, School of Electroncs Engneerng and Computer Scence, Pekng Unversty, Bejng, Chna. Emal: wangdngg@mal.nanka.edu.cn Fundng nformaton Natonal Natural Scence Foundaton of Chna (NSFC), Grant/Award Number: Summary Wth ts smplcty and feasblty, password-based remote user authentcaton becomes a popular way to control remote access to network. These years, numerous password-based authentcaton schemes have been proposed. Recently, Matra et al proposed a smart card based scheme whch clams to be resstant to varous attacks. Unfortunately, we found some mportant flaws n ths scheme. Therefore, n ths paper, we wll demonstrate that the scheme of Matra et al s not secure enough as clamed: nether resstng aganst off-lne password guessng attack and nsder attack nor preserve forward secrecy. To overcome those flaws, we put forward an mproved new scheme whch not only s resstant to all known attacks but also provdes many attractve attrbutes, such as user revocaton and re-regster. Also, we compared the scheme wth other related schemes, the result proved the superorty of our scheme. Partcularly, we show a new way (beyond the conventonal Deffe-Hellman approach) to acheve forward secrecy. Furthermore, we put some efforts nto explorng the desgn prncple of authentcaton schemes. KEYWORDS 2-factor remote user authentcaton, dscrete logarthm problem, offlne-password guessng attack, RAS cryptosystem, smart card 1 INTRODUCTION Wth the rapd prolferaton of Internet, onlne servces become an ndspensable part of people s lfe. However, due to the openness of the Internet, people are bound to be faced wth the attendant securty threats when they enjoy the convenence of the Internet. In fact, t s not surprsng to a varety of reports of user nformaton dsclosure any more. Most recently, Ashley Madson, whch s a web about extramartal love affar, suffered from an attack where ts 32 mllon Ashley Madson users nformaton got exposed; Jngdong, whch s an e-commerce platform, dvulged nearly 12G users prvacy data; Gmal, whch s an emal product provded by Google, had ts 5 mllon passwords accounts breached. Thus, t s vtal to authentcate a remote user wth password when he/she ntends to access the server va an nsecure communcaton channel, and ths securty mechansm s called password-based remote user authentcaton. The remote authentcaton s a sgnfcant securty mechansm to guarantee the legtmacy of the user to enjoy resources n varous open envronments, such as cloud computng, E-health, and wreless sensor. 1-4 The hstory of password-based user authentcaton scheme can be traced back to 1981, when Lamport 5 frstly advsed a password-based remote authentcaton scheme. Snce then, authentcaton schemes armed wth passwords were wdely accepted. And many password-based authentcaton schemes 6-9 sprang up. However, these schemes have an nherent weakness: A password table must be mantaned by a server, whch therefore results n 2 serous problems: (1) Most schemes are vulnerable to stolen-verfer attack or off-lne dctonary attack, and (2) t costs a lot to protect and mantan Int J Commun Syst. 2017;e3336. wleyonlnelbrary.com/journal/dac Copyrght 2017 John Wley & Sons, Ltd. 1of11

2 2of11 a password table. To overcome these ptfalls, Chang and Wu 10 frstly ntroduced the smart card as another factor besdes password nto authentcaton schemes, whch contrbutes to the 2-factor authentcaton scheme. In such scheme, the users are not only requred to know the correct password but also the correspondng smart card, then he/she can access to remote resource by nteractng wth the server. The smart card based authentcaton scheme usually nvolves 2 partcpants: the users (the number may be a lot) and the server (only a sngle). Furthermore, t ncludes 4 basc phases: regstraton phase, logn phase, verfcaton phase, and password-change phase. In regstraton phase, the user frstly submts the server hs/her personal messages, then he/she wll receve a smart card wth mportant parameters from the server. If a regstered user wants to access to the server, he/she wll send a access request n logn phase. Then n verfcaton phase, the 2 partcpants are requred to authentcate each other. If they both get authentcated, the authentcaton process fnshed successfully, then, the user can enjoy the servces from the server. Furthermore, once the user wants to change hs/she password, he/she can ntate the password change phase to change password locally or remotely. In short, a well-defned smart card based password authentcaton scheme should ensure that only when a user who does not only submt the correct password but also owns correspondng smart card can the access request be allowed. Thanks to Chang and Wu, smart card got popular n most 2-factor authentcaton schemes and some notable ones ncludng Compared wth the prevous sngle-factor password-based schemes, these schemes are low cost and have better cryptographc capacty. Tll now, smart card based password authentcaton scheme becomes one of the most common or convenent mechansms to ensure the securty of network n 2-factor authentcaton protocols. Furthermore, these years, many schemes use bometrc characterstc as an addtonal factor to provde the authentcaton, whle the bometrc-based authentcaton scheme has ts nherent drawback: hgh deployment costs and unrecoverable. Anyway, bometrc characterstc s beyond our work n ths paper. Wth n-depth study, scholars have reached a consensus on several key ponts about desgnng smart card based password authentcaton scheme: 1. The nformaton n the smart card can be extracted. Wth smart card, both the adversary and the legtmate user can get the parameters stored n smart card To acheve user anonymty and resstance of off-lne password guessng attack, a lghtweght publc key algorthm s necessary In 2015, Wang et al 23 ndcated that there s an unavodable trade off between changng password locally and resstng to smart card loss attack wthout new technque. Surprsngly, Wang and Wang 20 n 2016 for the frst tme WANG ET AL. ntegrated honeywords and fuzzy-verfers to settle ths ssue successfully. 4. Forward secrecy requres server sde to conduct more than 2 exponentaton operatons Motvatons and contrbutons Although have been developed for 20 years, password-based authentcaton schemes are stll far from satsfactory. What s more, many schemes even volate some basc desgn prncples thus makng elementary mstakes. Ths stuaton forces us to try to devse a secure but lghtweght scheme whch can be resstant to known attacks and provde deal attrbutes. Furthermore, to avod elementary mstakes n the area of 2-factor authentcaton scheme, a detaled explanaton of the desgn thnkng and ponts s necessary. So, n ths paper, we frst choose a recent scheme as a study case and analyze ts weaknesses and desgn thnkng. On the bass of the analyss, we proposed an mproved scheme and proved that our scheme can be resstant to varous attacks wth lower computng and storage overhead. In a word, our contrbuton can be summarzed as below: 1. We analyze a recent proposed scheme: the scheme of Matra et al, 24 whch clamed to be resstant to varous attacks. Unfortunately, we demonstrate that, under ther assumptons of the capabltes of the adversary, ths scheme s not secure to resst offlne-password attack and nsder attack, and fals to acheve forward secrecy, etc. 2. On the bass of the scheme of Matra et al, we explan the desgn thnkng and ponts of 2-factor authentcaton scheme then propose an enhanced scheme. 3. We prove that our scheme can be resstant to the known attacks wth lower computng and storage than other related schemes. Partcularly, we show a new way (beyond the conventonal Deffe-Hellman approach) to acheve forward secrecy. 1.2 Constructon of the paper The remander of ths paper s organzed as follows: Secton 2 ntroduces the prelmnares. The cryptanalyss of the scheme of Matra et al s gven n Secton 3. Then, we propose our scheme n Secton 4. Secton 5 gves a securty and performance analyss to our scheme. Secton 6 gves a concluson. 2 PRELIMINARIES Ths secton frstly descrbes the computatonal problems, then lsts the notatons, and fnally ntroduces the capactes

3 WANG ET AL. 3of11 of adversary and the evaluaton crtera of the authentcaton scheme. 2.1 Computatonal problems Ths secton ntroduces the dscrete logarthm problem, hash functon, and Rvest-Shamr-Adleman (RSA) cryptosystem; they are the key to desgn the scheme of Matra et al and our scheme The dscrete logarthm problem Dscrete logarthm problem: g s the generator of cyclc group Zp, for gven (g, g α mod p); t s hard to compute α(α Zp) wthn a polynomal tme. Computatonal Dffe-Hellman problem: g s the generator of the cyclc group Zp,andα, β Zp, for gven (g β, g α mod p); t s hard to compute g αβ wthn a polynomal tme RSA cryptosystem 1. Key generaton. Choose 2 dstnct prme numbers p and q; compute n = p q. Compute r =(p 1)(q 1). Choose an nteger e such that 1 < e < r, e and r are coprme. Compute d as d e 1 mod r. Then the publc key s (n, e),andtheprvatekeys(n, d). 2. Encrypton. c m e mod n, wherem s an nteger and c s the cphertext. 3. Decrypton. c d (m e ) d m mod n One-way hash functon The length of x s varable; y has a fxed-length. Gven x, t s easy to get y; whle gven y, t s dffcult to compute x. 2.2 Notatons and abbrevatons The notatons used n the schemes are shown n Table The capactes of adversary In cryptanalyss of 2-factor authentcaton scheme, the adversary s also supposed to be armed wth some capactes 20,23,25,26 as shown n Table 2: TABLE 1 Symbol U S x ID PW Notatons and abbrevatons th user Descrpton remote server the adversary the secret key of S dentty of U password of U XOR operaton concatenaton operaton h( ) 1-way hash functon 2.4 Evaluaton crtera a common channel a secure channel In the hstory of the 2-factor authentcaton protocol, a mass of new protocols were proposed, whle shortly were ponted nsecure to known attacks or lackng some crucal attrbute. One of the mportant reasons s that the evaluaton crtera s not unform. The authors tend to desgn ther own crtera set whch ther new protocol can satsfy, whle gnorng those crtera whch ther protocol fals to meet. To settle ths ssue, Madhusudhan and Mttal 27 n 2012 put forward a seres of evaluaton crtera, ncludng several securty requrements and desre attrbutes. In fact, after that, most authors desgn ther evaluaton crtera accordng to them: Select some of the ndcators n Mad-Mt crtera set to form ther own evaluaton crtera. However, there s no protocol that meets all the ndcators n the Mad-Mt crtera set smultaneously so far. In 2015, Wang et al 23 demonstrated that those evaluaton ndcators are not ndependent of each other. For example, Insde attack s actually equvalent to No password reveal ; Password dependent s ncluded n Smart card loss attack. Thus, n 2016, Wang and Wang 20 desgned a new evaluaton crtera. These evaluaton ndcators are ndependent of each other and cover all the securty requrements and deal attrbutes nvolved n the current 2-factor protocols. So n ths paper, we wll employ ths set of evaluaton crtera (shown n Table 3). It should be noted that, here, the attrbute Password frendly not only requres to allow the user choose ther password freely but also change ther password locally; the attrbute No smart card loss attack refers to those attacks that the adversary owns the smart card, whle n Resstance to know attacks, the adversary does not obtan the card; the attrbute Sound reparablty means that a user revokes the account and re-regster wthout changng hs/her dentty; the attrbute No clock synchronzaton requres no-tme-clock based operatons.

4 4of11 WANG ET AL. TABLE 2 The capactes of the adversary 20 1 The adversary can control the open channel fully, e, can ntercept, modfy, delete, and resend the messages over the open channel. 2 The adversary can lst all pars of (ID, PW ) from pw d n a polynomal tme, where pw refers the password space and d denotes the dentty space. 3 The adversary can ether acqure the password of the user va malcous termnal or extract the parameters from smart card. 4 When evaluatng forward secrecy, the adversary can get server s prvate key. 5 The adversary can extract the nformaton stored n smart card. TABLE 3 Evaluaton crtera 1 No password verfer table 2 Password frendly 3 No password exposure 4 No smart card loss attack 5 Resstance to know attacks 6 Sound reparablty 7 Provson of key agreement 8 No clock synchronzaton 9 Tmely typo detecton 10 Mutual authentcaton 11 User anonymty 12 Forward secrecy 3 REVIEW OF THE SCHEME OF MAITRA ET AL In 2016, Matra et al revealed that the scheme of Lee et al cannot resst aganst forgery attack, password guessng attack, etc, thus proposed an mproved scheme clamng to be resstant to those attacks. Whle n ths secton, we wll demonstrate that the scheme of Matra et al s stll vulnerable to varous attacks. Furthermore, we analyze the nherent reason for these attacks. 3.1 The scheme of Matra et al We frst brefly ntroduce the scheme of Matra et al. 24 As the password change phase has lttle relaton to our work, we omt t. 1. Intalzaton phase. S selects a generator g of a multplcatve group G of prme order p and a secret long key x where x Z q, then, the correspondng publc key y = g x mod p. There s also a hash functon h(.):0, 1 0, 1 l,wherel s the bt length of functon output. 2. Regstraton phase. Step 1. A S: {PW, ID }. Step 2. S chooses a random number n and calculates A = h(id h(x)), PWR = h(pw n ), L = A PWR, B = h(a PWR ), and n = n h(id PW ),and adds {h(h(a ))} nto user_lst to store. Step 3. S A: a smart card wth {L, B, n, h(.)} 3. Logn and authentcaton phase. Step 1. U puts the smart card nto a card reader and enters ID and PW. Step 2. The smart card computes n = n h(id PW ), PWR = h(pw n ), A = L PWR, and B = h(a PWR ),fb B, ends the sesson, chooses a random number r 1 and tmestamp T, and computes C 1 = A r 1 mod p, C 2 = g r 1 mod p, D = h(t A ) mod (p 1), DID = ID h(y r 1 mod p), E = A D mod p, andf = E (C 1 ) D mod p. Step 3. A S: {DID, C 1, C 2, F, T}. Step 4. S frst tests the freshness of T, then computes ID = DID h(c x 2 mod p), A = h(id h(x)), checks whether h(h(a )) s n the user_lst, f not, ends the sesson, otherwse, computes D = h(t A ) mod (p 1);fF (C D 1 ) 1 A D mod p, ends the sesson, otherwse, computes G = h(t s A ) mod p and K = C G 1 mod p,wheret s s the tmestamp n server sde. Step 5. S A: {K, T s }. Step 6. The smart card checks the valdty of T s, then computes G = h(t s A ) mod (p 1), K = C G 1 mod p, and tests whether K =?K, and f t fals, ends the sesson and the authentcaton fals. If t s true, both S and U accept the sesson key SK = h(h(a ) T s)=h(h(a ) T s). 3.2 Cryptanalyss of the scheme of Matra et al Ths secton demonstrates that the scheme of Matra et al not only s not secure from off-lne password guessng attack and nsder attack but also cannot preserve forward secrecy, etc Off-lne password guessng attack I Supposng an adversary stole U s smart card and extracted {L, B, n} from the smart card, then, he can perform off-lne password guessng attack I as below: Step 1. Guess the value of PW to be PW from the password dctonary space pw and the value of ID to be ID from the dentty dctonary space d. Step 2. Compute n = n h(id PW ), PWR = h(pw n ), A = L PWR, B = h(a PWR ),wherel and n were extracted from the smart card. Step 3. Verfy the correctness of PW and ID by checkng f B =?B, where B 1 was extracted from the smart card.

5 WANG ET AL. 5of11 Step 4. Repeat Steps 1 to 3 untl the correct values of PW and ID are found. After gettng PW and ID, the adversary can mpersonate of U through multple ways, such as gettng a smart card and nputtng PW and ID or computng {DID, C 1, C 2, F, T} drectly and sendng them to the server. also can compute A = L PWR, G = h(t s A ) mod (p 1), K = C G 1.So can mpersonate of S to communcate wth U.Furthermore, a man-n-the-mddle attack s feasble too. So once ths attack s performed successfully, the whole securty of the system would be compromsed. The tme complexty: ( pw d (2T H + 3T I ). T H s the runnng tme for hash computaton, and T I s the runnng tme of exclusve-or operaton. pw denotes the number of passwords n pw,and d denotes the number of denttes n d. pw or d s very lmted n practce, 26,28 usually d pw 10 6, so the attack s effcent. In the above attack, just extracts the message n the smart card then can perform the attack. Accordng to our analyss, t s obvous that the attack s qute practcal and effcent, and the attack occason can be found n many papers. 15,21,23,29 The nherent reason for ths attack s that, on the one hand, the adversary can get a verfcaton parameter to verfy the correctness of hs guessng value. In ths scheme, the verfcaton parameter s B ; on the other hand, the parameters that consst B can be denoted wth the guessed PW, ID (other parameters such as L and n are accurately known by ). Despte B results n the attack, B s also the key parameter to help the user change password locally. Ths s exactly the trade off between the securty and usablty demonstrated by Wang et al. 23 Luckly, Wang and Wang, 20 for the frst tme, ntegrated honeywords and fuzzy-verfers to settle ths conflct. Accordng to Wang and Wang, 20 the ssue can be tackled as follows: Let the verfcaton B = h(a PWR ) mod n 0 ),where2 4 n and n 0 determnes the capacty of the pool of the (ID, PW). Sonow,thereare pw d n canddates of (ID, PW ) par for adversary to guess when n 0 = 2 8 and pw = d = 2 6. For these canddates, the adversary can only guess the correct one from onlne guessng. Whle there s also a way called honeywords to tmely detect whether the smart card s breached to avod such onlne dctonary guessng Off-lne password guessng attack II Supposng an adversary not only stole U s smart card and extracted {L, B, n} from the smart card but also eavesdropped {DID, C 1, C 2, F, T} from the open channel, then, he could perform off-lne password guessng attack II as below: Step 1. Guess the value of PW to be PW and ID to be ID. Step 2. Compute n = n h(id PW ), PWR = h(pw n ), A = L PWR, D = h(t A ) mod (p 1), E = A D mod p,andf = E (C 1 ) D mod p Step 3. Verfy the correctness of PW and ID by checkng f F =?F,whereF was extracted from the open channel. Step 4. Repeat Steps 1 to 3 untl the correct value of PW and ID are found. Once the adversary gets PW and ID, the whole securty of the system s compromsed. As the way to other attacks such as user mpersonaton attack are smlar to what we descrbled n off-lne password guessng attack I, so we omt the detal attackng steps. The tme complexty: ( pw d (3T H + 4T I + 2T E + T M ). T E s the tme of modular exponentaton operaton and T M s the tme of modular multplcaton operaton. Furthermore, the attack occason can be found n many papers. 21,23,30,31 Thus, the attack s effcent but practcal. The nherent reason for ths attack s that, on the one hand, the adversary can fnd a verfcaton to check the correcton of the guessng value, whch s nevtable to the demand of authentcatng the user for the server n any authentcaton scheme; on the other hand, the password s the only unknown value to the adversary, whch means the adversary can get other parameters consstng of the verfcaton except for the password or the dentty. Avodng the later ssue s where the researchers should strve to. Generally, n a sound 2-factor authentcaton scheme, the verfcaton parameters should nclude a random number (or ts transformaton) at least. Furthermore, the random number (or ts transformaton) cannot be exposed to the open channel. To avod such attack, the lghtweght publc-key algorthm s a necessary but not suffcent condton to settle the problem, as explaned n Ma et al Forward secrecy Supposng knew S s secret key x, as well as got {DID, C 1, C 2, F, T}, then, he can calculate the sesson key SK as follows: Step 1. Compute ID = DID h(c 2 mod p) and A = h(id h(x)). Step 2. Interrupt {K, T s }. Step 3. Compute SK = h(h(a ) T s), at ths pont gets SK successfully. The tme complexty of the attack above s ( pw d (5T H + 3T I ). So the attack above s qute effcent. In ths scheme, the sesson key conssts of A (where A = L PWR = h(id h(x))) and an open tmestamp T s.as T s s an open parameter and can be easly obtaned by, the only key parameter s A, whle A s an unchanged value and also can be calculated by. So ths scheme certanly cannot preserve forward secrecy. Usually, to acheve forward secrecy, t s better that f the SK conssts of 2 fresh random number. Furthermore, the 2 fresh parameters cannot be exposed to the

6 6of11 open channel or be stored n the smart card. Ths requrement also proves that more than two exponentaton operatons conducted on the server sde s necessary to acheve forward secrecy Insder attack In ths scheme, the user U submts a par of PW and ID to the server S wthout any transformaton or protecton, thus, the server S can get the PW and ID,performngannsder attack to mpersonate the user U. Insder attack s a basc ssue, and t can be settled easly: Do some transformatons to camouflage the PW,suchas h(pw a) (a s a random number). 4 PROPOSED SCHEME Inspred by the way to deal wth the conflct between the securty and usablty n Wang and Wang, 20 we make some amendments to the scheme of Matra et al and reduce unnecessary computaton for the sake of performance, then put forward an mproved new remote authentcaton scheme whch overcomes these weaknesses n the scheme of Matra et al. Compared wth the scheme of Wang and Wang, 20 our scheme explots a way of ntegratng the dscrete logarthm problem wth RSA cryptosystem to acheve forward securty. Furthermore, the scheme of Wang and Wang 20 focus on provdng a model or a template for 2-factor authentcaton protocols, partcularly n the way to settle the conflct between securty and usablty. Whle our scheme s bult on the scheme of Matra et al, t ams to mprove ths scheme to meet the evaluaton ndcators lsted n Secton 2.4. In short, our scheme ncludes 5 phases: ntalzaton phase, regstraton phase, logn phase, authentcaton phase, and password change phase. As the ntalzaton phase s smlar to the phase n the scheme of Matra et al as descrbed n Secton 3.1, we omt t here. The process of our scheme s shown n Fgure Regstraton phase If a new user ntends to access the resource on the server, he has to regster to the server frstly: 1. The user U chooses a password PW and an dentty ID. Then, the system generates a random number b and computes PWR = h(pw b). 2. U S: {PWR, ID }. 3. After recevng {PWR, ID } at T rg (the tme, and t s secure to brute-force guessng), the server S calculates A = h(h(id ) h(pwr ) mod n 0 ),wheren 0 s an nteger such that 2 4 n 0 2 8, and checks whether ID has been n the User_Lst. Ifnot,S creates a new entry for U as {ID, y, T rg, Hoeny_Lst}, wherey s a unque random number to U chosen by S, Hoeny_Lst s a lst to record the WANG ET AL. number of logn falures and s ntalzed to 0; otherwse, S updates T rg and y n the User_Lst. ThenS calculates K = h(id x y T rg ), L = K PWR. 4. S U : a smart card wth {A, L, n 0, p, g, y, h(.)}. 5. U enters b nto the smart card. 4.2 Logn phase and authentcaton phase Once the user regsters to the server successfully, he can send the access request to the server when he wants to enjoy the servce as follows: 1. U nserts the card nto a card reader, nputs ID and PW. 2. The smart card computes PWR = h(pw b), A = h(h(id ) h(pwr ) mod n 0),andfA A, exts the sesson. Otherwse, the card generates a random number r 1 and computes C 1 = g r 1 mod p, C2 = y r 1 mod p, D = ID h(c 1 C 2 ),andk = L PWR, M 1 = h(d C 1 C 2 K ). 3. U S: {C 1, D, M 1 }. 4. Upon gettng {C 1, D, M 1 }, S computes C 2 =(C 1) x mod p and ID = D h(c 1 C ).ThenSsearches the User_Lst 2 to fnd the ID such that ID = ID. If there s not an ID that satsfes the condton, S rejects the access request and sets Hoeny_Lst to be Hoeny_Lst + 1. Once the value of Honey_Lst exceeds the predetermned threshold (such as 10), S thnks that the smart card has been breached, thus suspends the card tll U re-regsters. Otherwse, S derves y and T rg from the User_Lst and computes K = h(id x y T rg ) and M 1 = h(d C 1 C 2 K ). Then S verfes U by testng whether M =?M 1 1 and, f the equaton s false, ends the sesson, sets Hoeny_Lst to be Hoeny_Lst + 1, and once the value of Hoeny_Lst exceeds the predetermned threshold (such as 10), suspends the card tll U re-regsters; otherwse, S ntalzes the RSA algorthm as descrbed n Secton 2.1.2, generates the publckey (n, e) and the prvatekey (n, d), and then computes M 2 = h(id K C 1 C 2 n e). 5. S U : {M 2, n, e}. 6. On obtanng {C 3, M 2, T s }, the smart card computes M 2 = h(id K C 1 C 2 n e) then tests whether M 2 =?M 2.If M 2 M 2, ext the sesson. Otherwse the smart card generates a random number r 2 (0 r 2 n) and computes C 3 = r e 2 mod n and M 3 = h(id C 3 K r 2 C 2 ). 7. U S: {M 3, C 3 }. 8. When gettng {M 3, C 3 }, S computes r 2 = Cd mod n and 3 M 3 = h(id C 3 K r 2 C 2 ).IfM 2 M 2, ext the sesson. Otherwse, both the user U and the server S computes ther sesson key as SK = h(id C 1 C 2 C 3 K r 2) and SK = h(id C 1 C 2 C 3 K r ), respectvely Password change phase When the user U wants to change hs password, he needs perform the followng steps:

7 WANG ET AL. 7of11 FIGURE 1 The proposed scheme 1. U nserts the smart card nto a card reader and nputs ID, PW, and new password PWnew. 2. The smart card computes PWR = h(pw b), A = h(h(id ) h(pwr ) mod n 0 ), check whether A =? A and, f the equaton does not hold, exts the sesson. Otherwse, the smart card computes PWR new A new = h(h(id ) h(pwrnew PWR PWRnew. 3. Replace L wth L new 4.4 Revocaton phase ) mod n 0 ) and L new = h(pw new b), = L and A wth A new, respectvely. If the user U fnds that hs/her smart card s lost or s breached, he/she can revoke the account wthout changng the dentty as follows: 1. U nserts the smart card nto a card reader, nputs ID, PW. 2. The smart card computes PWR = h(pw b), A = h(h(id ) h(pwr ) mod n 0 ), check whether A =? A and, f the equaton does not hold, exts the sesson. Otherwse, the card generates a random number r 1, computes C 1 = g r 1 mod p, C2 = y r 1 mod p, D = ID h(c 1 C 2 ), K = L PWR, M 1 = h(d C 1 C 2 K ). 3. U S: {C 1, D, M 1, Revoke_request}. 4. Upon gettng {C 1, D, M 1, Revoke_request}, S computes C 2 =(C 1) x mod p, ID = D h(c 1 C 2 ).ThenSsearches the User_Lst to fnd the ID such that ID = ID.If there s not an ID that satsfes the condton, S rejects the access request, and sets Hoeny_Lst to be Hoeny_Lst + 1. Once the value of Honey_Lst exceeds the predetermned threshold (such as 10), S thnks that the smart card has been breached, thus suspends the card tll U re-regsters. Otherwse, S derves y and T rg from the User_Lst, computes K = h(id x y T rg ), M 1 = h(d C 1 C 2 K ).Then S verfes U by testng whether M =?M 1 1 and, f the equaton s false, ends the sesson, sets Hoeny_Lst to be Hoeny_Lst + 1, and once the value of Honey_Lst exceeds the predetermned threshold (such as 10), suspends the card tll U re-regsters; otherwse, S sets y to be NULL, thus next tme, U cannot logn successfully. 4.5 Re-regstraton phase If the account of U does not work properly, then U may want to re-regster as follows: 1. U S: {PWR, ID }. 2. S frst checks whether the ID s n the Uer_Lst and whether the account of the U s revoked or hs/her card s suspended. If so, S executes the regstraton as Secton SECURITY AND PERFORMANCE ANALYSIS In ths secton, we frst prove that our scheme can wthstand all known attacks well, then, we compare our scheme wth other related schemes n functonalty and performance; the result demonstrates the superorty of our scheme. 5.1 Securty analyss We prove our scheme can be resstant to known attacks by heurstc analyss of the scheme. Ths secton lsts almost all

8 8of11 known attacks to the smart-based remote user authentcaton schemes and demonstrates how our scheme performs well n resstng aganst those attacks. 1. Off-lne password guessng attack. Suppose the adversary extracted the nformaton n the smart card and eavesdropped the message between the user U and the server S, he may conduct the attack as followng steps: Step 1. Guess PW to be PW and ID to be ID. Step 2. Compute PWR = h(pw b), A = h(h(id ) h(pwr ) mod n 0 ). Step 3. Verfy the correctness of PW and ID by checkng f A =?A. Even the adversary fnds such PW and ID that satsfy the equaton, he/she stll s not sure whether they actually are same to PW and ID. Then the only way s to conduct an onlne guessng attack to test the value of those correct PW and ID, whle ths attack s prevented by Honey_Lst. Each tme the logn fals, the value of Honey_Lst wll add 1. Once the value of Hoeny_Lst exceeds the predetermned threshold (such as 10), the card wll be suspended tll U re-regsters. Thus, the adversary cannot perform such attack by ths process. Besdes the methods above, there s usually another way as follows to execute the off-lne password guessng attack: Step 1. Guess PW to be PW and ID to be ID. Step 2. Compute PWR = h(pw b), chose a random number r 1, computes C 1 = gr 1 mod p, C 2 = yr 1 mod p, K = L PWR, D = ID h(c 1 C 2 ),andm 1 = h(d C 1 C 2 K ). Step 3. Verfy the correctness of PW and ID by checkng f M 1 =? M 1. Whle there are 3 uncertan parameters n M 1 : PW, ID, r 1.ThePW and ID s n a fnte set, but the random number r s too strong to be 1 guessed. Therefore, our scheme has good resstance to off-lne password guessng attack. 2. Smart card loss attack. Suppose the adversary stole the user U s smart card and extracted L, A, b n smart card. Accordng to our analyss n off-lne password guessng attack, although wth smart card and L, A, b, cannot conduct an off-lne password guessng attack. What s more, there are no other way to get the PW. Wthout knowng PW,evenwthsmartcard,the stll nether can construct M 1 to mpersonate the user to the server nor performs other attacks. Therefore, our scheme can be resstant to smart card loss attack. 3. User anonymty. User anonymty protects the user actvtes from not beng tracked by the adversary to analyze user habts. Usually, user anonymty refers to 2 WANG ET AL. aspects: (1) Do not expose the dentty noton to an open channel and (2) keep the dentty untraceable. Whle n our new protocol, on the one hand, there s no dentty notons transmtted n the open channel; on the other hand, the dentty ID s transmtted to the server n the form of D =ID h(c 1 C 2 ),wherec 1 and C 2 are changed wth the random number r 1. Each tme the user logs n, the r 1 s dfferent, so the D s also changed every tme. Thus, the dentty ID s untraceable. All n all, our scheme preserves user anonymty. 4. Mutual authentcaton. In our scheme, S authentcates U through testng whether M 1 equals to M 1; U verfes S by testng whether M 2 equals to M 2. So our scheme acheve mutual authentcaton. 5. Replay attack. Our scheme takes advantage of random numbers to prevent replay attack, and the random number s dfferent n every sesson. On the one hand, the user and the server both wll check the valdty of the random number everytme they receved a new message. On the other hand, even f the adversary replays the eavesdropped messages from the open channel, he/she stll cannot construct the sesson key. Thus, our scheme s resstant to replay attack. 6. User mpersonaton attack. To mpersonate a legtmate user, the adversary usually has 2 ways: gettng the PW and ID and constructng {C 1, D, M 1 }.Theformerways mpossble for accordng to off-lne password guessng attack and smart card loss attack. So the later way becomes the only choce. The dffcult pont s buldng M 1, D. To acheve ths, has to get the key parameters K and ID,whereK =L PWR =h(id x y T rg ).Even assumng ID can be gotten by 23, t s stll mpossble to compute K, because PWR s related to PW and x s a secret key whch cannot be known to. Thus, our scheme can be resstant to user mpersonaton attack. 7. Server spoofng attack. As x s a secret number, cannot recover C 2 (C 2 = (C 1 ) x mod p), thus, t fals to construct M 2 (M 2 =h(id K C 1 C 2 n e)) to mpersonate the server. 8. Provson of key agreement. In our scheme, after authentcatng wth each other successfully, the server and the user both accept the sesson key SK=h(ID C 1 C 2 C 3 K r 2 ), so our scheme bulds the sesson key successfully. Furthermore, ths key s changed wth the random numbers. 9. De-synchronzaton attack. On the one hand, no parameters needs to be updated n the user sde and the server sde; on the other hand, whenever a user wants to change the password, he/she has to get authentcated frstly; fnally, our scheme dose not requre the server or the user to synchronze ther tme clock. Thus, a de-synchronzaton attack cannot be executed successfully. 10. Forward secrecy. Assumng got x, theuser_st and all the parameters n the open channel and smart card,

9 WANG ET AL. he can recover the parameters lke ID, C 1, C 2, C 3,and K. Whle computng r 2 to means to break RSA securty, whch s mpossble. Wthout r 2, cannot compute SK as h(id C 1 C 2 C 3 K r 2 ). So the mproved scheme provdes strong forward secrecy. 11. Insder attack. In regstraton phase, the user U submts PWR =h(pw b) to the server S, thepw s conceal by random number b, thus an admnstrator of the server cannot get PW, e, our scheme can wthstand nsder attack. 12. Parallel attack. The parallel attack usually happens when reuses the hstorcal messages n the open channel to construct a new request, then mpersonates the legtmate user U to compute SK, makng the server beleve that t communcates wth U. Whle n our scheme, has to know the parameter conssted of the messages, then he can form the correct access request or the sesson key. Whle accordng to our analyss above, s unable to get the 2 random numbers chosen by the user. Thus, our scheme can resst parallel attack. 5.2 Performance analyss 9of11 We compare our scheme wth other related scheme 24,32-38 n functonalty and performance to manfest the advantages of our scheme as shown n Tables 4 and 5, respectvely. Typcally, accordng to Wang and Wang, 20,Wangetal, 23 and Matra et al, 24 n cryptographc operatons, the tme complexty can be roughly expressed as T E > T O T M T H > T S, and the lghtweght operaton such as XOR and are too small that can be gnored, where T E s the tme of modular exponentaton operaton, T O s the runnng tme of the ellptc curve pont multplcaton, T M s the runnng tme of modular multplcaton/dvson operaton, T H s the runnng tme for hash computaton, and T S s the runnng tme of symmetrc encrypton/decrypton. Thus, accordng to Table 5, our scheme only spends more total tme than Kumar, Khan et al 32 and Kumar, L et al. 33 These 2 schemes are only based on hash operaton, whch face wth many securty threats as shownntable4. In concluson, through the functonalty comparson, t s clear that our scheme has obvous advantages: It satsfes all TABLE 4 Functonalty comparsons Desgn Goals Kumar 32 Kumar 33 Jang 34 L 35 Islam 36 Marmuthu 37 Matra 24 Xe 38 Ours No password verfer table Password frendly No smart card loss attack Resstance to know attacks Sound reparablty User anonymty Mutual authentcaton Provson of key agreement No clock synchronzaton Forward secrecy No password exposure Tmely typo detecton Note: means the property s satsfed; means the property s not satsfed; means the property s not related to the scheme. TABLE 5 Performance comparsons Schemes User sde Server sde Total Kumar 32 9T H 9T H 18T H Kumar 33 12T H 9T H 20T H Jang 34 3T E + T M + 4T H 3T E + 5T H 6T E + T M + 9T H L 35 4T E + T M + 4T H 5T E + 5T H 9T E + T M + 9T H Islam 36 5T E + T M + 5T H 2T E + 4T H 7T E + T M + 9T H Marmuthu 37 6T E + 9T H 6T E + 9T H 12T E + 18T H Matra 24 6T E + T M + 8T H 4T E + T M + 12T H 10T E + 2T M + 20T H Xe 38 3T O + 6T H 3T O + 3T S + 6T H 6T O + 3T S + 12T H Ours 3T E + 10T H 2T E + 10T H 5T E + 20T H

10 10 of 11 WANG ET AL. the lsted desgn goals, whle other related schemes 24,35-37 have weaknesses more or less; n performance comparsons, our scheme costs less tme than most of schemes. 24,34-38 Therefore, our scheme s more secure but more effcent. 6 CONCLUSION Preservng securty and effcency smultaneously s a challengng problem n desgnng smart card based authentcaton schemes. Over the past 2 decades, massve schemes were proposed whle later proved to be wth varous weaknesses. To make some changes to ths stuaton, we frst choose a recent scheme as a study case to analyze ts weaknesses and desgn thnkng. On the bass of these analyss, we proposed an mproved new scheme. Partcularly, we show a new way (beyond the conventonal Deffe-Hellman approach) to acheve forward secrecy. Furthermore, the securty and performance analyss results manfest the advantages of our scheme not only satsfes all 12 securty requrements but also costs less tme than most of related schemes. Our analyss n desgn thnkng and fal reasons can provde references for analyss and desgn of other protocols. ACKNOWLEDGEMENT The authors thank the anonymous revewers and the Edtor for the constructve comments and generous feedback. Ths research was supported by the Natonal Natural Scence Foundaton of Chna (NSFC) under Grant No REFERENCES 1. Xa Z, Wang X, Zhang L, Qn Z, Sun X, Ren K. A prvacy-preservng and copy-deterrence content-based mage retreval scheme n cloud computng. IEEE Trans Inform Foren Secur. 2016;11(11): Fu Z, Ren K, Shu J, Sun X, Huang F. Enablng personalzed search over encrypted outsourced data wth effcency mprovement. IEEE Trans Inform Foren Secur. 2016;27(9): Lu Q, Ca W, Shen J, Fu Z, Lu X, Lnge N. A speculatve approach to spatal-temporal effcency wth mult-objectve optmzaton n a heterogeneous cloud envronment. Secur Commun Netw. 2016;9(17): Wang D, Wang P. On the anonymty of two-factor authentcaton schemes for wreless sensor networks: attacks, prncple and solutons. Computer Networks. 2014;73(C): Lamport L. Password authentcaton wth nsecure communcaton. Commun ACM. 1981;24(11): Shmzu A. A danamc password authentcaton method usng a one-way functon. Syst Comput Japan. 1991;22(7): Sheh S, Yang W, Sun H. An authentcaton protocol wthout trusted thrd party. IEEE Commun Lett. 1997;1(3): Chen T, Lee W. A new method for usng hash functons to solve remote user authentcaton. Comput Electr Eng. 2008;34(1): Hwang T. Password authentcaton usng publc-key encrypton. Proc IEEE Int Carnahan Conf Securty Technol. 1983: Chang CC, Wu TC. Remote password authentcaton wth smart cards. IEE Proc-Comput Dg Technques. 1991;138(3): Huang X, Xang Y, Chonka A, Zhou J, Deng RH. A generc framework for three-factor authentcaton: preservng securty and prvacy n dstrbuted systems. IEEE Trans Parallel Dstrb Syst. 2011;22(8): He D, Zeadally S, Xu B, Huang X. An effcent dentty-based condtonal prvacy-preservng authentcaton scheme for vehcular ad hoc networks. IEEE Trans Inform Foren Secur. 2015;10(12): He D, Zeadally S, Kummar NWW. Effcent and anonymous moble user authentcaton protocol usng self-certfed publc key cryptography for mult-server archtectures. IEEE Trans Inform Foren Secur. 2016;11(9): Yu J, Ren K, Wang C, Huang X. Enablng cloud storage audtng wth verfable outsourcng of key updates. IEEE Trans Inform Foren Secur. 2016;11(6): Odelu V, Das A, Goswam A. A secure bometrcs-based mult-server authentcaton protocol usng smart cards. IEEE Trans Inform Foren Secur. 2015;10(9): Yuan C, XS. Fngerprnt lveness detecton based on mult-scale LPQ and PCA. Chna Commun. 2016;13(7): He D, Wang D. Robust bometrcs-based authentcaton scheme for multserver envronment. IEEE Syst J. 2015;9(3): Das A. Analyss and mprovement on an effcent bometrc-based remote user authentcaton scheme usng smart cards. IET Inform Secur. 2015;5(3): L X, Qu W, Zheng D, Chen K, L J. Anonymty enhancement on robust and effcent password-authentcated key agreement usng smart cards. IEEE Trans Ind Electron. 2010;57(2): Wang D, Wang P. Two brds wth one stone: two-factor authentcaton wth securty beyond conventonal bound. IEEE Trans Depend Secur Comput Jang Q, Ma J, We F. On the securty of a prvacy-aware authentcaton scheme for dstrbuted moble cloud computng servces. IEEE Syst J Ma C, Wang D, Zhao S. Securty flaws n two mproved remote user authentcaton schemes usng smart cards. Int J Commun Syst. 2014;27(10): Wang D, He D, Wang P, Chu C. Anonymous two-factor authentcaton n dstrbuted systems: certan goals are beyond attanment. IEEE Trans Depend Secur Comput. 2015;12(4): Matra T, Obadat M, Amn R, Islam S, Chaudhry S, Gr D. A robust elgamal-based password-authentcaton protocol usng smart card for clent-server communcaton. Int J Commun Syst Huang X, Xang Y, Bertno E, Zhou J, Xu L. Robust mult-factor authentcaton for fragle communcatons. IEEE Trans Depend Secur Comput. 2013;11(6): Wang D, Zhang Z, Wang P. Targeted onlne password guessng: an underestmated threat. Proc. ACM CCS. 2016: Madhusudhan R, Mttal R. Dynamc d-based remote user password authentcaton schemes usng smart cards: a revew. J Netw Comput Appl. 2012;35(4): Wang D, Wang P. On the mplcatons of Zpf s law n passwords. Proc ESORICS. 2016: We F, Ma J, Ma C, L X. A two-factor authentcated key exchange protocol based on rsa wth dynamc passwords. Int J Embedded Syst. 2015;7(3): L X, Nu J, Lao J, Lang W. Cryptanalyss of a dynamc dentty-based remote user authentcaton scheme wth verfable password update. Int J Commun Syst. 2015;28(2):

11 WANG ET AL. 11 of L X, Xong Y, Ma J, Wang W. An enhanced and securty dynamc dentty based authentcaton protocol for mult-server archtecture usng smart cards. J Netw Comput Appl. 2012;35(2): Kumar S, Khan M, L X. An mproved remote user authentcaton scheme wth key agreement. Comput Electr Eng. 2014;40(6): Kumar S, L X, Wu F, Das A, Odelu V, Khan M. A user anonymous mutual authentcaton protocol. KSII T Internet Inf. 2016;10(9): Jang Q, Ma J, L G, XL. Improvement of robust smart-card-based password authentcaton scheme. Int J Commun Syst. 2015; 28(2): L X, Nu J, Khan M, Lao J. An enhanced smart card based remote user password authentcaton scheme. J Netw Comput 2013;36(5): Islam SH. Desgn and analyss of an mproved smartcard-based remote user password authentcaton scheme. Int J Commun Syst. 2016;29(11): Marmuthu K, Saravanan R. A secure remote user mutual authentcaton scheme usng smart cards. J Inform Secur Appl. 2014;19: Xe Q, Wong D, Wang G, Tan X, Chen K, Fang L. Provably secure dynamc d-based anonymous two-factor authentcated key exchange protocol wth extended securty model. IEEE Trans Inform Foren Secur. 2017;12(6): How to cte ths artcle: Wang C, Wang D, Xu G, Guo Y. A lghtweght password-based authentcaton protocol usng smart card. Int J Commun Syst. 2017;e