Security analysis and design of an efficient ECC-based two-factor password authentication scheme


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2016; 9: Published online 24 August 2016 in Wiley Online Library (wileyonlinelibrary.com)

RESEARCH ARTICLE

Security analysis and design of an efficient ECC-based two-factor password authentication scheme

Tanmoy Maitra 1, Mohammad S. Obaidat 2, SK Hafizul Islam 3 *, Debasis Giri 4 and Ruhul Amin 5

1 Department of Computer Science and Engineering, Jadavpur University, Kolkata, West Bengal, India
2 Fellow of IEEE and Fellow of SCS, Chair and Professor, Department of Computer and Information Science, Fordham University, 441 East Fordham Road, JMH 340, Bronx, NY 10458, U.S.A.
3 Department of Computer Science and Engineering, Indian Institute of Information Technology, Kalyani, West Bengal, India
4 Department of Computer Science and Engineering, Haldia Institute of Technology, Haldia, West Bengal, India
5 Department of Computer Science and Engineering, Thapar University, Patiala, Panjab, India

ABSTRACT

Client-server-based communications provide a facility by which users can get several services from home via the Internet. As the Internet is an insecure channel, the information of the communicators needs to be protected. An authentication scheme can fulfill the aforementioned requirements. Recently, Huang et al. presented an elliptic curve cryptosystem-based password authentication scheme. This work demonstrates that the scheme of Huang et al. has a security weakness against the forgery attack. In addition, this paper also shows that the scheme of Huang et al. has some design drawbacks. Therefore, this paper focuses on excluding the security vulnerabilities of the scheme of Huang et al. by proposing an elliptic curve cryptosystem-based password authentication scheme using smart card. The security of our scheme is based on the hardness assumption of the one-way hash functions and the elliptic curve discrete logarithm problem. Furthermore, we have demonstrated that our scheme is secured against known attacks. The performance of our scheme is also nearly equal when compared to related competing schemes.

Copyright 2016 John Wiley & Sons, Ltd.

KEYWORDS
user anonymity; forgery attack; password authentication; elliptic curve cryptography; smart card

*Correspondence
SK Hafizul Islam, Department of Computer Science and Engineering, Indian Institute of Information Technology, Kalyani, West Bengal, India. E-mail: hafi786@gmail.com

1. INTRODUCTION

Client-server-based applications like Telecare Medical Information Systems, E-Banking, E-Payment, and E-commerce are increasingly used because of their easy accessibility, efficiency, and security, but these applications are prone to attack by an adversary, because, in client-server-based applications, communications between a user (client) and server are performed through a public channel (Internet). Hence, the communicators need to be identified through a secure communication. A secure authentication scheme can provide the aforementioned facilities, by which the users and server can identify each other through a secure communication. The basic mechanism of an authentication protocol [1] is to verify a message MSG sent by Alice to Bob with a challenge, where the challenge is previously sent by Bob to Alice and is either a random nonce or a timestamp or a combination of nonce and timestamp. For this purpose, Alice combines the challenge with MSG using some cryptographic techniques. Bob accepts MSG when he verifies the combination. However, the subsequent functionality and security necessities should be kept in mind when an authentication scheme is going to be designed:

Prevention of security attacks: During communication through any public channel, the messages need to be secured from the outsiders (adversaries). Therefore, an authentication scheme needs to be designed in such a way that the secrecy of the transmitted messages will be maintained.

Mutual authentication: Bi-directional authentication (i.e., mutual authentication) is an essential property for any user authentication scheme, by which all the communicators can authenticate or verify each other.

Session key agreement: After mutual authentication between the participants, a common secret session key agreement is needed between them to carry secure communications over an insecure communication medium by encrypting the messages with the session key.

Efficient login procedure: For any authentication scheme, the smart card must verify the wrong inputs before computing the login message. By checking the incorrect inputs, extra communication overhead can be avoided. Therefore, it is a crucial property of any authentication scheme.

Efficient password update procedure: A valid user can update his or her password freely and securely without the use of the server. Thus, in the password update phase, the smart card must verify the old password, so that an unauthorized user cannot change the authorized user's password even if he or she gets the smart card of that user. The aforementioned property should be present in any robust and efficient authentication scheme.

Traceability: In an authentication scheme, it is also needed that an intended receiver should be able to trace the sender; otherwise, anyone can mount a denial of service attack [2].

Low cost: Computation cost, communication cost, and smart card storage cost are three parameters to measure the performance of an authentication scheme. Therefore, these three parameters should be reduced as much as possible when an authentication scheme is designed.

In recent times, many smart card-based password authentication schemes have been put forward. The authentication schemes proposed in [3-14] are based on only hash functions [15-17]. However, the elliptic curve cryptosystem (ECC) [18] is used to design authentication schemes because of its smaller key size compared with RSA-based cryptosystems. Therefore, ECC-based authentication schemes [19-30] have been developed by the researchers.

Previous works

In 2014, the authors in [19] presented an authentication scheme, which is based on ECC [18], but Islam and Khan [20] demonstrated that the scheme is unsuitable for the practical world because it does not ensure strong authentication in the login as well as in the authentication phases. Therefore, Islam and Khan proposed an improved scheme in [20]. In [21], Chaudhry et al. pointed out that Islam and Khan's scheme cannot prevent the forgery attack and then designed another improved scheme. Furthermore, Zhang and Zhu [29] disclosed that the scheme in [20] also suffers from off-line password guessing and server spoofing attacks, respectively. Li et al. [22] introduced a user authentication scheme with the ECC; however, Mishra et al. [23] highlighted that the scheme of Li et al. [22] suffers from the password guessing attack and the replay attack. As a solution, Mishra et al. gave a furnished scheme in [23]. Liao and Hsiao [27] demonstrated a new authentication scheme using ECC. However, Zhao mentioned in [28] that the scheme in [27] suffers from the key settlement problem. Therefore, Zhao proposed a new authentication scheme in [28].

Motivations and contributions

In 2014, Qu and Tan [24] put forward an ECC-based authentication scheme. Huang et al. [25] mentioned that the scheme of Qu and Tan [24] suffers from password guessing and impersonation attacks. Therefore, Huang et al. [25] suggested an improved authentication scheme based on ECC. However, we have shown that the scheme of Huang et al. [25] does not resist the forgery attack. We have also shown that the scheme [25] has some design drawbacks, which indicate that their scheme is not perfect for real-world applications like Telecare Medical Information Systems, E-Banking, and E-Payment systems.

Because, as the aforementioned section has discussed, the previous works fail to provide security, the pivotal focus of this work is to provide a suitable solution for a secure authentication mechanism after eliminating the security attacks on the scheme of Huang et al. [25]. Therefore, this paper has come up with a password and ECC-based efficient authentication scheme using smart card. The proposed scheme maintains the property of user anonymity as well as dynamic identity so that any adversary will not be able to trace a particular user from the communication messages for different sessions between the user and server. Furthermore, security analysis claims that our scheme is free from all possible security threats due to the hardness of ECDLP and the one-way hash function.

Organization of the article

Section 2 briefly discusses some mathematical concepts. Section 3 describes an adversary model to analyze our scheme as well as the scheme of Huang et al. We briefly study the scheme of Huang et al. in Section 4. Weaknesses of their scheme are shown in Section 5. In Section 6, we propose a modified scheme to withstand the weaknesses of the scheme of Huang et al. Section 7 describes the cryptanalysis of the proposed scheme followed by its performance comparison with the related schemes in Section 8. In Section 9, the conclusion of this work is given.

2. PRELIMINARIES

Brief definitions of the related mathematical problems are described in this section.

Hash function

A hash function [15,17], which is usable for designing the cryptographic schemes, takes a string of unrestrained

length as an input and supplies a string of predetermined length. It can be symbolized as follows: H :! B, where is a set of all binary string of unrestrained length and B is a set of all binary string of fixed length k.

Definition 1. If dv H (t 1) is the advantage for the time duration t 1 of a polynomial time bounded adversary to choose a, b 2 so that H(a) = H(b) for different values of a and b, we can take into account that dv H (t 1) is the probability in the advantage that is calculated by for the random choices of t 1 span of time. Then, the cryptographic hash function H() is collision-resistant, if dv H (t 1) 1, for some negligible function 1. Following is the representation of dv H (t 1):

dv H (t 1)=Pr (a, b) 2 R (a b) ^ H(a) =H(b) (1)

where Pr[E] denotes the probability of event E.

Elliptic curve

Let p be a large prime number. An elliptic curve EC p, which is defined over the prime field F p of characteristic 2, 3, is the set of solutions (u, v) to the non-singular elliptic curve equation

v 2 mod p = (u 3 + au + b) mod p (2)

where a, b 2 F p and 4a 3 +27b 2 0 [18], that is, (u 3 +au + b) mod p has two different roots. The elliptic curve group GC p is defined as (x, y) :x, y 2 F p and (x, y) 2 EC p [ {O}, where O is called as point at infinity and it served as the identity element of GC p. The point P 2 EC p has the order n, if [n]p = O holds for the smallest integer n > 0. Let the point P =(u, v) is a point of EC p ; then, the negative of P is denoted as P, that is, P =(u, v). Thus, we have O = O. Let P, Q be two points on the curve (2), then P + Q = R, where the line joining P and Q intersects the curve (2) at the point R, and the reflection of it about the x-axis is the point R. By the same way, we can describe the point doubling operation. This operation includes the addition of a point P on the curve (2) to itself to get other point Q on the curve (2). Let [2]P = Q, the tangent line at P intersects the curve (2) at the point Q and the reflection of it about the x-axis is the point Q. Assume that Q = P, then P + Q = P P = O, that is, the line joining of P and P intersects the curve (2) at the point O. This property is referred to as elliptic curve point subtraction. Let s 2 Z p * be a number and P is a point on EC p. Then, [s]p 2 EC p (u, v), the elliptic curve scalar point multiplication operation is defined as [s]p = P + P + ... + P (s times).

Definition 2. The elliptic curve-based discrete logarithm problem (ECDLP) [18] is defined as follows: It is hard to discover a 2 Z p * from given R and P such that R = [a]p, where P, R 2 EC p (u, v). If dv ECDLP (t 2 ) is the advantage of to find a 2 Z p * from given Q and P such that R =[a]p, for the time span t 2, we can take into account that dv ECDLP (t 2 ) is the probability in the advantage that is calculated by for the random choices of t 2 span of time. Then, the ECDLP is called the hard problem, if dv ECDLP (t 2 ) 2, for some negligible function 2. The representation of dv ECDLP (t 2 ) is as follows:

dv ECDLP (t 2 )=Pr ha 2 Z p * R = [a]p (3)

Definition 3. The elliptic curve-based computational Diffie-Hellman problem (CDHP) [31] over an elliptic curve is defined as follows: It is hard to find [a b]p 2 EC p (u, v) from given R, V and P such that R = [a]p, V=[b]P, where R, V, P 2 EC p (u, v) and a, b 2 Z p *. If dv CDHP (t 3 ) is the advantage of to find [a b]p from the given R, V, and P such that R = [a]p, V = [b]p for the t 3 duration of time, we can take into account that dv CDHP (t 3 ) is the probability in the advantage that is calculated by for the random choice of the t 3 duration of time. Then, the CDHP is called a hard problem, if dv CDHP (t 3 ) 3, for some negligible function 3. Following is the representation of dv CDHP (t 3 ):

dv CDHP (t 3 )=Pr [a b]p 2 EC p (u, v) R =[a]p ^ V =[b]p (4)

3. ADVERSARY MODEL

This section introduces an attacker model to examine the security of our scheme as well as the scheme of Huang et al. [25]. The Dolev-Yao threat model [32] is considered in which communications are carried out through an insecure channel. Therefore, the adversary can trap, delete, or alter the transmitted messages. In this adversarial model, we assume that the smart card is not tamper-resistant, that is, the adversary can obtain the stored information of smart card based on the techniques explained in [33,34]. Generally, the password and the identity of the user are low-entropy in nature and are selected from a small dictionary, that is, can guess the identity and password individually using dictionary attack in polynomial time. However, cannot guess identity and password simultaneously using any on-line/off-line procedure within polynomial time [35]. According to this adversary model, we consider two following cases:

Case 1. A third party, who is not a registered user being an adversary, can try to perform various attacks against the authentication system.

Case 2. A registered user being an adversary b can try to obtain secret parameters of the server by which he or she can mount various attacks against the authentication system.
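The group operations and hardness definitions of Section 2, as an added example that is not part of the original paper: a toy curve v^2 = u^3 + 2u + 2 over F_17 with base point (5, 1) of order 19 (constructed parameters and hypothetical function names, chosen only so the arithmetic can be followed by hand). It implements negation, addition, doubling and scalar multiplication, shows that exhaustive search solves the ECDLP when n is this small, and checks the identity [a]([b]P) = [b]([a]P) behind Definition 3.

```python
# Added illustration, not code from the paper. Toy curve v^2 = u^3 + 2u + 2
# over F_17 (constructed parameters, far too small for real use).
# None represents the point at infinity O.
P_MOD, A, B = 17, 2, 2
BASE = (5, 1)  # base point P; its order n on this curve is 19


def is_nonsingular():
    """The curve is usable only if 4a^3 + 27b^2 is non-zero mod p."""
    return (4 * A**3 + 27 * B**2) % P_MOD != 0


def on_curve(pt):
    """True if pt is O or satisfies the curve equation (2)."""
    if pt is None:
        return True
    u, v = pt
    return (v * v - (u**3 + A * u + B)) % P_MOD == 0


def neg(pt):
    """Negative of a point: (u, v) -> (u, -v); the negative of O is O."""
    if pt is None:
        return None
    u, v = pt
    return (u, -v % P_MOD)


def add(p1, p2):
    """Chord-and-tangent group law, covering addition and doubling."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (u1, v1), (u2, v2) = p1, p2
    if u1 == u2 and (v1 + v2) % P_MOD == 0:
        return None  # P + (-P) = O, which also covers doubling when v = 0
    if p1 == p2:
        # slope of the tangent line at P (point doubling)
        lam = (3 * u1 * u1 + A) * pow(2 * v1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        # slope of the line joining P and Q
        lam = (v2 - v1) * pow((u2 - u1) % P_MOD, -1, P_MOD) % P_MOD
    u3 = (lam * lam - u1 - u2) % P_MOD
    v3 = (lam * (u1 - u3) - v1) % P_MOD
    return (u3, v3)  # already reflected about the x-axis


def mul(s, pt):
    """Scalar multiplication [s]P for s >= 0 by double-and-add."""
    result, addend = None, pt
    while s > 0:
        if s & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        s >>= 1
    return result


def order(pt):
    """Smallest n > 0 with [n]P = O, found by repeated addition."""
    n, acc = 1, pt
    while acc is not None:
        acc = add(acc, pt)
        n += 1
    return n


def ecdlp_exhaustive(target, base):
    """Find a with target = [a]base by trying every a.

    Costs about n point additions, so it finishes instantly for n = 19;
    the ECDLP assumption is that nothing feasible exists once n is large.
    """
    acc = None
    for a in range(order(base)):
        if acc == target:
            return a
        acc = add(acc, base)
    return None  # target is not a multiple of base


def dh_shared(secret, peer_point):
    """Shared point [secret]peer_point, as one side of a DH exchange computes it."""
    return mul(secret, peer_point)


if __name__ == "__main__":
    a, b = 7, 11                      # constructed secret scalars
    R, V = mul(a, BASE), mul(b, BASE)  # the public points R = [a]P, V = [b]P
    print("order of P:", order(BASE))
    print("R =", R, "V =", V)
    print("both sides agree:", dh_shared(a, V) == dh_shared(b, R))
    print("a recovered by exhaustive search:", ecdlp_exhaustive(R, BASE))
```

The improved scheme in Section 6 relies on the same identity twice: the smart card's [b]P pub equals the server's [s]R, and [b]Q equals [c s ]R.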

Table I. Nomenclature.

Term : Usage
U : The i-th user
S : The server
pw : Password of U
ID : Identity of U
a, b : Random number chosen by the smart card of U
a 2 R Z n * : The element a is randomly chosen from Z n *
EC p : Set of elliptic curve points
O : The point at infinity
GC p : Additive elliptic curve group, where GC p = EC p [ {O}
c s : Random number chosen by S
P : Base point of GC p
s/P pub : Secret/Public key of S, P pub =[s]p
(P x, P y ) : x and y co-ordinates of the point P
SK s/ : Session key computed between U and S
T : Current timestamp
T : Allowable time delay
H () : One-way hash function, =1,2,3,4,5
k : Concatenation operation
Bitwise XOR operator
() : Multiplication operator
[a]X : a times addition of the point X

In our adversary model, we have only considered that the server S is a trusted authority.

4. BRIEF DESCRIPTION OF HUANG ET AL. SCHEME

This section provides a brief description of the authentication scheme of Huang et al. [25]. Table I shows the nomenclature that is used throughout the paper. Each phases of the scheme of Huang et al. are explained in the succeeding text.

Initialization phase

S picks a prime number p and produces an additive elliptic curve group GC p of order n. S also picks a base point P of order n over E/F p, a secret key s 2 R Z n *, and then calculates the public key as P pub =[s]p. S also selects the following hash functions:

H 1 : {0, 1} *! G p, (5)
H 2 : G p G p! Z * p, (6)
H 3 : {0, 1} * G p G p! {0, 1} k, (7)
H 4 : {0, 1} * G p! Z p * and (8)
H 5 : G p {0, 1} * G p G p! {0, 1} k. (9)

Finally, S discloses public parameters he/f p, P, H 1, H 2, H 3, H 4, H 5, n, P pub and retains s secret.

4.2. Registration phase

U computes PID = H 1 (ID kpw kr ) after choosing their identity ID, password pw and a random number r 2 R Z * n. U then sends hid, PID to S using a private channel. After receiving hid, PID, S calculates ID =[(H 1 (s)+ 1) PID ]P and BID = H 2 (H 1 (ID )kpid ). Then, S stores hid, BID into the memory of a new smart card and dispatches the smart card to U using a secure channel or by person. After getting the smart card, U stores r into it. Therefore, the smart card holds the parameters hid, BID, r. Figure 1 shows a pictorial view of the registration phase of the scheme of Huang et al.

Login and authentication phase

Whenever U likes to get services through S, he or she places the smart card into a terminal and submits ID and pw. Then, the smart card and S perform the following:

(1) The smart card of U calculates PID 0 = H 1 (ID kpw kr ) and BID 0 = H 2 H1 (ID )kpid 0. Then, the smart card verifies the equality of BID 0 and BID. If BID 0 BID 0, and the smart card rejects U by terminating the current session. Otherwise, the smart card picks a number a randomly and calculates R = [a ]P, TID = ID PID 0 P, M =[a ]P pub, CID = H 4 (ID km ) H 2 (M ktid ), DID = M PID 0 P and EID = H 3 H4 (ID km )kr km. Finally, the smart card of U transmits a login request message hcid, DID, EID, R to S through the Internet (a public channel).

(2) Upon receiving hCID, DID, EID, R from U, S computes M * =[s]r, TID * = H 1 (s) DID M * and, retrieves H 4 (ID km ) * = CID H 2 M * ktid* H4 EID * = H 3 (ID km ) * kr km *. S and then checks whether EID * =?EID. If EID * EID, S stops the session; otherwise, computes C s =[c s ]R, D s = C s M * and W s = H 3 EID * kc sktid *, where the random number c s is chosen by S. Then, S sends a reply message hd s, W s to U through the Internet.

(3) Upon receiving the reply message hd s, W s from S, U computes Cs 0 = D s M and Ws 0 = H 3 EID kcs 0kTID. Then, U checks whether Ws 0 =?W s. If it holds, U computes X = H 2 (R kcs 0 ), a session key SK = H 5 R kcs 0kM ktid, and then sends hx to S over the Internet; otherwise, U terminates the session.

(4) After receiving hx, S computes X * = H 2 (R kc s ). If X * = X, S computes a session key SK s (= SK )= H 5 R kc s km * ktid* ; otherwise, S terminates the session.

Figure 2 shows the pictorial view of login, and authentication and key agreement phases, respectively, of the scheme of Huang et al.

Figure 1. Registration phase of the scheme of Huang et al.

Figure 2. Login, and authentication and session key agreement phases of the scheme of Huang et al.

Password change phase

To change the password, U enters the smart card into terminal and inputs ID and pw to the smart card. The smart card then evaluates PID 0 = H 1 ID kpw kr, BID 0 = H 2 H1 (ID )kpid 0 and checks the equality of BID 0 and BID. If BID 0 BID, the smart card rejects U and stops the current session; otherwise, a new password pw [new] will be input by U. Then, the smart card executes PID [new] = H 1 ID kpw [new] kr, ID [new] = [PID [new] (PID 0 ) 1 ]ID and BID [new] = H 2 H 1 (ID )kpid [new]. Finally, the smart card replaces hid, BID with hid [new], BID [new].

5. SECURITY VULNERABILITIES OF THE SCHEME OF HUANG ET AL.

This section highlights some security vulnerabilities of the scheme of Huang et al. [25].

Forgery attack

According to the adversary model given in Section 3, a genuine user can behave like an adversary b. Therefore, b itself tries to create a login message with an arbitrary identity. In the following, we will show that the login message with an arbitrary identity created by b is a forged and valid login message. b first executes the procedure EXP [attack] b which is described in Algorithm 1. For this purpose, b extracts the information hid, BID, r of U's smart card by observing power consumption [33,34].

Algorithm 1 EXP [attack] O
Input: ID, pw, ID, BID, r, H 1, P, H 2, H 3, H 4, P pub
Output: login_forge
1: b computes PID = H 1 (ID kpw kr ) using own identity ID and password pw.
2: b computes TID = ID ([PID ]P), which is equal to [H 1 (s) PID ]P
3: b guesses a password pw [a], an identity ID [a], and two random numbers r [a] and x [a]
4: b computes PID [a] = H 1 (ID [a] kpw [a] kr [a] ), R [a] = [x [a] ]P and M [a] =[x [a] ]P pub
5: b computes TID [a] =[PID [a] ]TID, which is equal to [H 1 (s) PID PID [a] ]P
6: b computes CID [a] = H 4 (ID [a] km [a] ) H 2 (M [a] ktid [a] ), DID [a] = M [a] ([PID [a] PID ]P) and EID [a] = H 3 (H 4 (ID [a] km [a] )kr [a] km [a] )
7: Return login_forge = hcid [a], DID [a], EID [a], R [a]

1. After executing Algorithm 1, b transmits the login message hcid [a], DID [a], EID [a], R [a] to S. Upon receiving this, S computes M [a] * = [s]r [a] and TID [a] * = H 1 (s) DID [a] M [a] *. We observed that TID [a] * = H 1 (s) DID [a] M [a] * = H 1 (s) M [a] hpid [a] PID P M [a] *, because DID [a] = M [a] [PID [a] PID ]P = hh 1 (s) PID [a] PID P, because M [a] = M [a] * = TID [a]

2. S computes H4 ID [a] km [a] * = CID [a] H 2 M [a] * ktid[a] *, EID [a] * = H4 H 3 ID [a] km [a] * kr [a] km [a] *. S then verifies whether the computed EID [a] * and received EID [a] are equal. It is clearly seen that they are always equal. Therefore, S further computes C s = [c s ]R [a], D s = C s M [a] * and W s = H 3 EID [a] * kc sktid [a] * sends back a reply message hd s, W s to b, where the random number c s is chosen by S.

3. After getting the reply message hd s, W s, b computes Cs 0 = D s M [a] and Ws 0 = H 3 EID [a] kcs 0kTID[a]. Then, b checks whether Ws 0 =?W s. Note that Ws 0 = W s is true because TID [a] * = TID [a], and thus, b accepts the login message and transmits the message hx [a] to S after computing X [a] = H 2 R [a] kcs 0 and session key SK [a] = H 5 R [a] kcs 0kM[a] ktid [a].

4. After receiving hx [a], S computes X [a] * = H 2 R [a] kc s and checks whether X [a] =?X [a] *. Note that they are identical, and therefore, S evaluates the session key as SK s (= SK [a] ) = H 5 R [a] kc s km [a] * ktid[a] *.

The aforementioned explanation shows that any valid user can construct a login message on behalf of another user, and S accepts the login message. Therefore, b is able to create a forged and genuine login message login_forge. However, in a dynamic identity-based authentication scheme, it is necessary that the server should trace the users' identities perfectly when they are communicating, but in the scheme of Huang et al., S does not store any identity of users into its database during the registration phase. Therefore, when a valid user as an attacker sends a login request message with an arbitrary identity to S, S is unable to trace the corresponding identity. As a result, who actually sent the login message is untraced by S. Thus, the forgery attack can be mounted in the scheme of Huang et al. as shown earlier. Moreover, an adversary can create finitely many valid and forged login request messages and then send these to make the server busy. In the meantime, if a valid user sends a valid login message, he or she has to wait for a long time for it to be validated. This is another weakness of their system.

Other drawbacks

In the following, we will discuss some drawbacks of the scheme proposed by Huang et al.

1. In the scheme of Huang et al., the server has to keep track of all the earlier login request messages for all users so that it can check a current login message against all previous messages to resist the replay attack. Otherwise, the server cannot detect if the same login request message is sent by an adversary in a different session. It is an inefficient way, where the server requires huge time to find as well as to compare the messages to prevent the replay attack [2,17].

2. In their scheme, the hash function H 1 : {0, 1} *! G p maps a binary string of unrestrained length to a point on the elliptic curve. For an example, in registration phase, S computes

ID = (H 1 (s)+1)pid P = (H 1 (s)+1)h 1 ID kpw kr P, since PID = H 1 ID kpw kr (10)

and in login phase, U computes

DID = M [PID ]P =[a ]P pub H 1 ID kpw kr P, since PID = H 1 ID kpw kr and M =[a ]P pub (11)

where PID, M, P pub and P 2 G p, but there is no such algorithm to compute multiplication of two points on an elliptic curve. Therefore, it is infeasible to compute ID by S. Further, (H 1 (s)+1) is not feasible, because it is not defined how to compute addition of a point on elliptic curve and an integer. The correct mapping can be H 1 : {0, 1} *! Z p * to overcome the infeasibility, but then also, DID cannot be computed as there is no such algorithm to compute bit-wise XOR operation of two points on a elliptic curve.

6. OUR IMPROVED SCHEME

We will present an ECC-based password authentication scheme in this section. Our scheme incorporates the following phases:

6.1. Initialization phase

S picks a prime number p and an elliptic curve E/F p of order n. S then selects a base-point P over E/F p. Furthermore, S picks s 2 R Z p * and calculates the public key P pub =[s]p. S also selects three one-way hash functions H 1 : {0, 1} *! Z p *, H 2 : G p Z p * Z* p! Z* p and H 3 : G p! Z p *. Finally, S announces public parameters he/f p, P, H 1, H 2, n, P pub while keeping s secret.

User registration phase

When a new user U likes to do his or her registration, this phase is invoked.

Step 1: U selects ID and pw uniquely. U selects a number r 2 R Z * p randomly and computes pwr = H 1 (pw kr ). Then, he or she transmits hid, pwr to S securely (or through secure channel).

Step 2: After receiving hid, pwr, S computes DB = H 3 ([ID s]p) and checks the availability of DB from its database. If it is available, S proceeds to further procedure; otherwise, S sends a nonavailability message to U until available identity is not obtained from U. S then computes SID = SID x, SID y = [H 1 (ID ks)]p, = H 1 (ID ks) pwr and D = H 1 SID y kpwr. S stores the parameters h, D into a smart card and supplies the smart card through a private channel. Furthermore, S stores {DB} into its secure database.

Step 3: After obtaining the smart card, U enters it into a terminal and submits r, ID and pw. The smart card then calculates br = H 1 (ID kpw ) r and stores br into its memory. Finally, the smart card holds h, D, br. Note that, to retrieve r from br, the adversary has to guess ID and pw at a time, which is hard within a polynomial time [35].

Figure 3 shows a pictorial view of the user registration phase of our proposed scheme.

Figure 3. User registration phase of proposed scheme

Login phase

Whenever U likes to get services through S, he or she enters his or her smart card into terminal and supplies his or her ID and pw. Then, the following steps are performed by the smart card:

Step 1: The smart card retrieves r 0 by computing H 1 (ID kpw ) br and computes pwr 0 = H 1 pw kr 0, [H1 (ID ks)] 0 = pwr 0, SID 0 = SID 0 x, SID 0 y = H 1 (ID ks) 0 P and D 0 = H 1 SID 0 y kpwr 0. The smart card then measures the equality between stored D and computed D 0. For the inequality, the smart card stops the current session; otherwise, go to the succeeding step.

Step 2: After selecting a number b 2 R Z p *, the smart card calculates R = [b ]P, L = L x, L y =

[b ]P pub, DID = ID L x, and K = H 1 SID 0 x kl y kt 1, where T 1 is the current login timestamp of U. U transmits a login request message hdid, K, R, T 1 to S through Internet (a public channel).

Authentication and session key agreement phase

After execution of login phase, the smart card U and S perform this phase as follows:

Step 1: After getting the login request message hdid, K, R, T 1 from U at time T s1, S checks whether (T s1 T 1 ) T. If it is correct, S executes the succeeding step; otherwise, discards the login message.

Step 2: S computes L * = L * x, L * y = [s]R, ID * = L * x DID, DB * = H 3 hid * s P and checks whether the computed DB * and stored DB are equal. If the condition is correct, S executes the succeeding step; otherwise, the current session will be dismissed.

Step 3: S computes SID * = SID * x, SID * y = hh 1 ID * ks P, K * = H 1 SID * x kl * y kt 1 and checks whether K =?K *. If it is true, S proceeds to following step; otherwise, the current session will be terminated.

Step 4: S selects a number c s 2 R Z p * randomly and calculates Q =[c s ]P, SK s = SK sx, SK sy =[c s ]R, V = H 2 SK s kt s1 ksid * y. Then, S sends a reply message hq, V, T s1 to U.

Step 5: Upon receiving hq, V, T s1 at time T 2, the smart card of U checks whether T 2 T s1 T is correct. If it is true, the smart card executes the next step; otherwise, rejects the reply message.

Step 6: The smart card computes SK = SK x, SK y = [b ]Q, V 0 = H 2 SK kt s1 ksid 0 y and checks whether V 0 =?V. If it is false, U rejects the reply message; otherwise, the smart card sends a message hw, T 2 to S after computing W = H 1 SK y kt 2 ksid 0 x and accepts SK x as the shared secret session key.

Figure 4. Login, and authentication and session key agreement phases of our scheme.

Step 7: After receiving hw, T 2 at time T s2, S checks whether T 2 T s1 T holds. If it is true, S proceeds to the next; otherwise, rejects U.

Step 8: S further checks W =?H 1 SK sy kt 2 ksid * x holds. If it is valid, S accepts SK sx as the shared secret session key; otherwise, rejects U.

Figure 4 shows the pictorial view of login, and authentication and key agreement phases, respectively, of our proposed scheme.

Password change phase

To update password, U enters the smart card into terminal and supplies ID and pw. The following steps are performed by the smart card:

Step 1: The smart card retrieves r 0 by computing H 1 (ID kpw ) br and then computes pwr 0 = H 1 pw kr 0, [H1 (ID ks)] 0 = pwr 0, SID 0 = SID 0 x, SID 0 y = [H 1 (ID ks)] 0 P and D 0 = H 1 SID 0 y kpwr 0. The smart card verifies the equality of stored D and computed D 0. If D D 0, the smart card stops the session; otherwise, executes the next step.

Step 2: The smart card gives permission to U to enter a new password. U submits a new password. Then, the smart card calculates pwr [new] pw [new] kr 0, [new] = H 1 (ID ks) 0 pwr [new], D [new] = H 1 SID 0 y kpwr [new] and br [new] = r 0 H 1 ID kpw [new]. D Finally, the smart card saves [new], D [new],br [new] E in the place of h, D, br. pw [new] = H 1

A pictorial view of password change phase our scheme is given in Figure

Figure 5. Password change phase of our scheme

SECURITY ANALYSIS OF OUR SCHEME

According to the adversary model given in the Section 3, this section will demonstrate that our scheme prevents all possible attacks.

Formal security analysis

This section presents the security analysis based on random oracle model, which is a generic group model of cryptography and it is used to examine the security of the authentication schemes [17]. The random oracles are defined in the following:

OracleH: OracleH is a random oracle. If a hash value b(= H(a)) is given to it, it unconditionally produces a from b.

OracleECDLP: OracleECDLP is a random oracle. It unconditionally produces a from the given values Q =[a]p and P.

OracleCDLP: OracleCDLP is a random oracle. It unconditionally produces [ab]p from the given values Q =[a]p, R =[b]p and P.

Theorem 1. Assuming that the hash function H() acts like true random oracle and the ECDLP is a hard problem, the presented scheme is provably secure against the attacker for obtaining the password pw and the identity ID of U even if obtains the information from U's smart card and the messages transmitted between U and S.

Proof. We assume that has the capability to extract pw and ID of U. We also assume that U lose the smart card or U's smart card is stolen by. Thus, can obtain the information h, D, br from the smart card of U by power analysis [33,34]. We also assume that traps the login request message hdid, K, R, T 1, the reply message hq, V, T s1, and the message hw, T 2. runs the

experiment, EXP1 oracle against our user authentication, RUS scheme (US) to derive pw and ID of U as described in Algorithm 2.

Algorithm 2 EXP1 oracle, US
Input:, D, br, P, P pub, DID, K, R, T 1, Q, V, T s1, W, T 2
Output: 0 or 1
1: Call the oracle OracleH on the input D and obtain the information SID y and pwr = H 1 (pw k r ) as (sid * y k pwr *) OracleH(D )
2: Compute [H 1 (ID ks)] * = pwr * and SID (= (SID x, SID y ))=[[H 1 (ID ks)] * ]P
3: Call the oracle OracleH on the input K and obtain the information SID x, L y and T 1 as (SID * x k L * y kt * ) 1 OracleH(K )
4: Call the oracle OracleH on the input V and obtain the information SK s, T s1 and SID y as (SK s * kt* s 1 ksid ** y ) OracleH(V )
5: Call the oracle OracleH on the input W and obtain the information SK y, T 2 and SID y as (SK * y kt * ksid *** 2 y ) OracleH(W )
6: Call the oracle OracleECDLP on the input R and obtain the information b as (b * ) OracleECDLP(R )
7: Compute L =[b * ]P pub
8: Call the oracle OracleECDLP on the input Q and obtain the information c s as (c * s ) OracleECDLP(Q )
9: Compute SKs =[c * s ]R
10: if (SID * y == SID ** y == SID *** y == SID y )&&(SID x == SID * x )&&(T * == T 1 1 )&&(T s * 1 == T s1 )&&(T * 2 == T 2 )&&(SK s * == SK s )&&(L y == L * y ) then
11:   Compute ID * = L x DID
12:   Call the oracle OracleH on the input [H 1 (ID ks)] * and retrieve the information ID and s as (ID ** ks * ) OracleH([H 1 (ID ks)] * )
13:   Call the oracle OracleH on the input pwr * and retrieve the information pw and r as (pw * kr* ) OracleH(pwr *)
14:   Compute [H 1 (ID kpw )] * = br r *
15:   Call the oracle OracleH on the input [H 1 (ID kpw )] * and retrieve the information ID and pw as (ID *** kpw ** ) OracleH([H 1 (ID kpw )] * )
16:   if (ID * == ID** == ID *** )&&(pw ** == pw * ) then
17:     Return 1 (Success)
18:   else
19:     Return 0 (Fail)
20:   end if
21: else
22:   Return 0 (Fail)
23: end if

The success probability for EXP1 oracle is defined h, US as Succ1 oracle = Pr EXP1, US oracle, US =1 1. Then, the advantage of EXP1 oracle is given by, n US o dv1 oracle, US (t, qh, qdlp) =max Succ1 oracle, where, US during the running time t, the maximum is considered for all ; qh is the number of queries made by to the oracle OracleH and qdlp denotes the number of queries made by to the oracle OracleECDLP. The proposed scheme is provably secure against for obtaining pw and ID of U, if dv1 oracle (t, qh, qdlp), for any, US small > 0. According to the algorithm EXP1 oracle, US, if earns success to evaluate the inversion of H() and also gets success to solve the ECDLP, then only he or she can successfully retrieve pw and ID of U by using the random oracles OracleH and OracleECDLP and wins the game. But from Definitions 1 and 2, we know that dv OracleH (t) 1, for any small 1 > 0 and dv OracleECDLP (t) 2, for any small 2 > 0. Hence, we obtain dv1 oracle (t, qh, qdlp), for any small, RUS > 0, because the presented scheme depends on both dv OracleH (t) and dv OracleECDLP (t). Therefore, the proposed scheme provides security against for obtaining pw and ID of U.

Theorem 2. Based on the supposition that the hash function H() behaves like true random oracle and the CDHP is a hard problem, our presented scheme is provably secure against for obtaining the session key SK x (= SK sx ) established between U and S even if gets information stored into U's smart card and traps messages, which are transmitted between U and S.

Proof. We assume that has the capability to compute or extract the session key SK x (= SK sx ), which is calculated between U and S. We also consider the same assumptions as described in Theorem 1. then runs the experiment, EXP2 oracle, US against our US to derive SK x, as described in Algorithm 3. We can neglect the parameters hd,, br of the smart card, because the shared secret session key SK sx (= SK x ) depends only on the random numbers. Therefore, tries to extract or compute the session key from the login and authentication messages, which are publicly available to every one.

We define the success probability for EXP2 oracle h, US as Succ2 oracle = Pr EXP2, US oracle, US =1 1. Then, the advantage of EXP2 oracle is given by dv2, US oracle o, US (t, qh, qdhp) =max nsucc2 oracle, where during the, US running time t, the maximum is considered for all ; qh is the number of queries made by to the oracle OracleH and qdhp is the number of queries made by to the oracle OracleCDHP. The presented scheme is said to be provably secure against for obtaining SK x, if dv2 oracle (t, qh, qdhp), for any small > 0., US

Algorithm 3 EXP2^oracle_{𝒜,UAS}
Input: P, P_pub, R, T_1, Q, V, T_s1, W, T_2
Output: 0 or 1
1: Call the oracle OracleH on the input V and retrieve the information SK_s, T_s1 and SID_y as (SK_s* ∥ T_s1* ∥ SID_y*) ← OracleH(V)
2: Call the oracle OracleH on the input W and obtain the information SK_y, T_2 and SID_y as (SK_y* ∥ T_2* ∥ SID_y**) ← OracleH(W)
3: Call the oracle OracleCDHP on the input R (= [b]P), Q (= [c_s]P) and P and obtain the information SK_s (= SK) = [b c_s]P as (SK_s) ← OracleCDHP(R, Q, P)
4: if (SID_y* == SID_y**) && (T_s1* == T_s1) && (T_2* == T_2) && (SK_s* == SK_s) then
5:   if (SK_y* == SK_sy) then
6:     Accept SK_sx* or SK_sx as secret shared session key
7:     Return 1 (Success)
8:   else
9:     Return 0 (Fail)
10:   end if
11: else
12:   Return 0 (Fail)
13: end if

According to the algorithm EXP2^oracle_{𝒜,UAS}, if 𝒜 succeeds in performing the inversion of H() and also succeeds in solving the CDHP, 𝒜 can obtain the secret session key SK_x by using the random oracles OracleH and OracleCDHP and win the game. But from Definitions 1 and 3, we know that Adv_OracleH(t) ≤ ε_1, for any small ε_1 > 0, and Adv_OracleCDHP(t) ≤ ε_2, for any small ε_2 > 0. Hence, we obtain Adv2^oracle_{𝒜,UAS}(t, qh, qdhp) ≤ ε, for any small ε > 0, because the proposed scheme depends on both Adv_OracleH(t) and Adv_OracleCDHP(t). Therefore, the presented scheme provides security against 𝒜 for obtaining the session key SK_x (= SK_sx) computed by U and S.

Informal security analysis

The security of our scheme is evaluated informally in this section.

Off-line guessing attack. According to the adversary model presented in Section 3, a third party as well as a valid user tries to extract and guess the secret information, namely, the identity ID and password pw of U as well as the secret key s and the random numbers {b, c_s}, from the known parameters of S. For this purpose, we assume that an adversary 𝒜 has knowledge of the smart card's information ⟨A, D, br⟩ [33,34] and has also trapped the login message ⟨DID, K, R, T_1⟩, the reply message ⟨Q, V, T_s1⟩, and the message ⟨W, T_2⟩.

From the smart card's information ⟨A, D, br⟩:

From br = r ⊕ H_1(ID ∥ pw), 𝒜 cannot guess ID and pw, because he or she has to predict r, ID and pw at a time to compute br, which is not possible in polynomial time [35].

From A = H_1(ID ∥ s) ⊕ pwr = H_1(ID ∥ s) ⊕ H_1(pw ∥ r) = H_1(ID ∥ s) ⊕ H_1(pw ∥ (br ⊕ H_1(ID ∥ pw))), 𝒜 cannot guess ID, s and pw, because he or she has to predict s, ID and pw at a time, which is again not possible in polynomial time [35].

From D = H_1(SID_x ∥ pwr) = H_1(SID_x ∥ H_1(pw ∥ r)), 𝒜 cannot extract ID, s and pw due to the one-wayness of the hash function.

Therefore, 𝒜 is unable to obtain the secret information s, ID, and pw from the smart card's information.

From the login message ⟨DID, K, R, T_1⟩:

From R (= [b]P), 𝒜 cannot extract the random number b, because he or she has to solve the DLP, which is a hard problem.

If 𝒜 tries to extract ID and b from DID = ID ⊕ L_x = ID ⊕ ([b]P)_x, he or she has to again solve the DLP or has to predict ID and b at a time, which is impossible in polynomial time.

From K = H_1(SID_x ∥ L_y ∥ T_1) = H_1(([H_1(ID ∥ s)]P)_x ∥ ([b]P)_y ∥ T_1), 𝒜 cannot extract ID, s and b, because the inversion of the hash function is hard.

Therefore, 𝒜 cannot extract the random number b, the identity ID, and the secret key s of S from the login message. As the login message does not depend on the password pw, 𝒜 is unable to extract or guess pw from ⟨DID, K, R, T_1⟩.

From the reply messages ⟨Q, V, T_s1⟩ and ⟨W, T_2⟩:

From Q (= [c_s]P), 𝒜 cannot extract the random number c_s, because he or she has to solve the DLP, which is computationally infeasible.

From V = H_2(SK_s ∥ T_s1 ∥ SID_y) = H_2([b c_s]P ∥ T_s1 ∥ ([H_1(ID ∥ s)]P)_y) and W = H_1(SK_sy ∥ T_2 ∥ SID_x) = H_1(([b c_s]P)_y ∥ T_2 ∥ ([H_1(ID ∥ s)]P)_y), 𝒜 cannot extract ID, s and the random numbers {b, c_s}, because the inversion of the hash function is hard.

Therefore, 𝒜 cannot extract the random numbers {b, c_s}, the identity ID, and the secret key s of S from the reply messages. As the reply messages are independent of the password pw, 𝒜 is unable to extract or guess pw from ⟨Q, V, T_s1⟩ and ⟨W, T_2⟩.

A valid user acting as an adversary 𝒜_b is unable to guess or obtain the secret information (i.e., identity and password) of another valid user for the same reasons as described earlier. But as the adversary 𝒜_b is a valid user, he or she knows his or her identity ID_b and password pw_b and can also extract H_1(ID_b ∥ s) by computing H_1(pw_b ∥ (cr_b ⊕ H_1(ID_b ∥ pw_b))) ⊕ A_b, where A_b and cr_b are the smart card's information. From H_1(ID_b ∥ s), 𝒜_b is unable to obtain the secret key s of S because the inversion of the hash function is hard. Thus, our scheme offers security against the guessing attack.

Forgery attack. According to the adversary model presented in Section 3, a third party as well as a valid user tries to create forged messages against our scheme. For this purpose, we presume that an adversary 𝒜 has knowledge of the smart card's information ⟨A, D, br⟩ and traps the login message ⟨DID, K, R, T_1⟩, the reply message ⟨Q, V, T_s1⟩, and the message ⟨W, T_2⟩.

Case 1: The adversary 𝒜, who is not a legitimate user of S, is an outsider.

Forged login message generation: In this case, 𝒜 executes the following steps to log in to S on behalf of U by making a login request message at a timestamp T such that (T_s1 − T) ≤ ΔT holds.

Step 1: 𝒜 chooses an identity ID, a random number b ∈ Z_p* and the secret key s ∈ Z_p* of S.
Step 2: Then, 𝒜 computes SID = (SID_x, SID_y) = [H_1(ID ∥ s)]P, R = [b]P, L = [b]P_pub, DID = ID ⊕ L_x, and K = H_1(SID_x ∥ L_y ∥ T).
Step 3: Finally, 𝒜 sends a login message ⟨R, DID, K, T⟩ to S.

After getting the login message ⟨R, DID, K, T⟩, S finds that (T_s1 − T) ≤ ΔT is correct, because 𝒜 selects a timestamp T such that (T_s1 − T) ≤ ΔT holds. Therefore, S further computes L* = [s]R, ID* = L*_x ⊕ DID and DB* = H_3([ID* s]P). Then, S checks whether DB* is present in its database. Note that DB* will be present in the database if and only if 𝒜 correctly chooses the identity ID to log in to S on behalf of U, but the identity of U cannot be computed or guessed from the knowledge of all parameters, as demonstrated in the guessing attack (Section 7.2.1). Furthermore, even if we assume that 𝒜 has knowledge of the identity of U, 𝒜 still cannot create the login message, because after checking DB*, S further computes SID* = [H_1(ID* ∥ s)]P and checks whether K =? H_1(SID*_x ∥ L*_y ∥ T). The equality holds if and only if SID* equals the SID computed by 𝒜, that is, if the value of s chosen by 𝒜 equals the real secret key s. But only S knows s, and no secret information is leaked from the known parameters, as shown earlier. Therefore, S rejects the login message ⟨R, DID, K, T⟩.

Forged reply message generation: If 𝒜 tries to create a valid reply message at a time T such that (T_2 − T) ≤ ΔT holds, then he or she also has to correctly compute SID (= [H_1(ID ∥ s)]P), as V is computed using SID. But as discussed earlier, no secret information (i.e., ID and s) is leaked from the known parameters. Therefore, 𝒜 is unable to create a valid reply message against our scheme.

Case 2: The adversary 𝒜_b is a legitimate user and he or she tries to impersonate another legitimate user of S.

Forged login message generation: In this case, a valid user 𝒜_b tries to log in to S by masquerading as another valid user, say U_j. As 𝒜_b is a valid user, he or she knows his or her own identity and password. If 𝒜_b is going to create a login message, he or she has to know the secret key s of S, because SID_j is computed using ID_j and s, but it is impossible for 𝒜_b, being a valid user, to extract s, as shown earlier.

Forged reply message generation: Same as Case 1.

User anonymity. In our scheme, the identity ID of U is secret. Therefore, ID is not sent directly with the messages during communication. For this purpose, SID = [H_1(ID ∥ s)]P and DID = ID ⊕ L_x are used rather than only ID. The guessing attack analysis demonstrates that an adversary cannot predict or obtain the identity of a user from his or her known parameters. Furthermore, after getting a login message, S can correctly trace the sender because S extracts ID from DID by computing L_x ⊕ DID. Note that only S can compute the correct L because s is known only to S. Therefore, an adversary cannot extract ID from DID as he or she does not know the secret key s of S, and it cannot be guessed or extracted from the known parameters (Section 7.2.1). Hence, our scheme maintains the property of user anonymity.

Dynamic identity. In the proposed scheme, DID (= ID ⊕ L_x) of a user U is used as a pseudo identity, and it is also dynamic in nature because, for different sessions, DID changes due to the random number b. Even if an adversary traps several login messages of a particular user for different sessions, the adversary cannot trace the user, as DID changes randomly for every session.

Smart card stolen attack. According to the adversary model proposed in Section 3, if U loses his or her smart card and an attacker gets it, or the smart card of U is stolen by the attacker, then he or she can obtain ⟨A, D, br⟩ from the smart card. The adversary also traps a login message ⟨DID, K, R, T_1⟩ and a reply message ⟨Q, V, T_s1⟩ between U and S. After obtaining this information, it is hard for an adversary to extract U's password pw, identity ID, and the private key s of S, as expressed in the guessing attack (Section 7.2.1). Furthermore, in the absence of proper knowledge about the password pw and identity ID of U, and the private key s of S, the adversary would not be able to perform the forgery attack on the proposed scheme (Section 7.2.2) in either case of the adversary model. Thus, our scheme prevents the smart card stolen attack.

Stolen verifier attack. In the present scheme, S stores H_3([ID s]P) in its database. Even if an adversary gains access to the database by some means, he or she does not obtain the identity ID of U due to the hardness of the hash function. In addition, the attacker cannot execute the stolen verifier attack because of the secret key s of S. Therefore, our scheme gives security against the stolen verifier attack.

Insider attack. During the registration process in our scheme, U transmits ⟨ID, pwr⟩ to S securely, where pwr = H_1(pw ∥ r).
From pwr, the adversary who is part of the system (an insider of the server) does not obtain pw because of the one-way property of the hash function. Hence, the present scheme prevents the insider attack.

Replay attack. The login request message ⟨DID, K, R, T_1⟩ and the reply message ⟨Q, V, T_s1⟩ in our proposed scheme are generated using the random numbers b and c_s with the timestamps T_1 and T_s1, respectively. Furthermore, the message ⟨W, T_2⟩ in the authentication and key agreement phase is generated using b and c_s with a different timestamp T_2. The messages of a session differ from those of other sessions due to the random numbers b and c_s and the timestamps. Therefore, the adversary cannot mount the replay attack in the present scheme.

Mutual authentication. The password guessing attack (Section 7.2.1) shows that an adversary is unable to learn the secret values of a valid user as well as the server, so the attacker cannot perform the forgery attack on the present scheme (Section 7.2), which indicates that the adversary cannot successfully log in to the server by any means. In the present scheme, when an authorized user U transmits the login message to S, S examines the validity of U by extracting the identity from the login message, and it also examines the validity of the received login message; S then replies back to U. U checks the validity of the reply message. If the message is valid, then U accepts the reply message. Thus, mutual authentication is achieved in our scheme.

Session key disclosure attack. Whenever a user wants to send data after mutual authentication, a secret shared session key is used to encrypt/decrypt the information within the current session. In our scheme, a session key SK_x or SK_sx is computed after performing mutual authentication using the random numbers b and c_s. The session key differs from other sessions due to the random numbers. Furthermore, we have shown that an adversary cannot extract the random number b from the login message and the random number c_s from the reply message, because it is hard to derive b and c_s from R = [b]P and Q = [c_s]P, respectively, due to the ECDLP. Therefore, the attacker will not be able to compute the secret shared session key. Thus, we claim that our scheme withstands the session key disclosure attack and also provides forward secrecy.

Efficient login phase. If U mistakenly submits an incorrect password pw^[faulty] and an incorrect identity ID^[faulty] during the login phase, the smart card can efficiently detect the wrong inputs as follows. The smart card retrieves r^[faulty] by computing H_1(ID^[faulty] ∥ pw^[faulty]) ⊕ br and then computes pwr^[faulty] = H_1(pw^[faulty] ∥ r^[faulty]), [H_1(ID ∥ s)]^[faulty] = A ⊕ pwr^[faulty], SID^[faulty] (= (SID_x^[faulty], SID_y^[faulty])) = [[H_1(ID ∥ s)]^[faulty]]P and D^[faulty] = H_1(SID_y^[faulty] ∥ pwr^[faulty]). The smart card then examines whether the stored D and the computed D^[faulty] are equal. Note that D ≠ D^[faulty], because U submits a faulty identity and password. Therefore, the smart card halts the current session. Accordingly, the proposed scheme minimizes the extra communication overhead. Thus, the efficient login phase is achieved by the present scheme.

User-friendly and efficient password change phase. Whenever U wants to alter the password, he or she provides his or her pw and ID to the terminal. Then, the smart card retrieves r′ by computing H_1(ID ∥ pw) ⊕ br and computes pwr′ = H_1(pw ∥ r′), [H_1(ID ∥ s)]′ = A ⊕ pwr′, SID′ = (SID′_x, SID′_y) = [[H_1(ID ∥ s)]′]P and D′ = H_1(SID′_y ∥ pwr′). Now, the smart card examines whether D and D′ are equal. If D ≠ D′, the smart card rejects U; otherwise, it gives permission to U to enter a new password. Therefore, if U submits an incorrect password by mistake, the smart card can easily detect the wrong inputs. Furthermore, users can change their password without any help from the server. Thus, the aforementioned explanation indicates that the present scheme achieves a user-friendly and efficient password change phase.

8. COMPARISON

This section compares the performance of the scheme designed in this paper with other ECC-based authentication schemes, namely, the schemes of Xu et al. [19], Islam and Khan [20], Chaudhry et al. [21], Li et al. [22], Mishra et al. [23], Qu and Tan [24], and Huang et al. [25]. However, Table II demonstrates that the existing schemes are unsuitable for real environments, because they do not prevent all known attacks. In Section 1, it has been described that the schemes of Islam and Khan [20], Xu et al. [19], Li et al. [22], and Qu and Tan [24] are vulnerable to some common security attacks. Moreover, Section 7 has shown that our scheme can prevent all known attacks. Hence, the present scheme provides more security than related existing schemes.

Basically, the login phase and the authentication phase with key agreement are used frequently; therefore, we have compared these two phases of the present scheme with the schemes in [19–25]. Table III shows the computational cost, storage cost, and communication overhead comparison of the schemes in [19–21,24,25] with our scheme. Here, T_dec, T_h, T_pm, T_in and T_m denote the time required for the decryption operation, hash operation, point multiplication operation, inverse computation, and multiplication operation, respectively. According to the discussion provided in [36,37], we observed that T_dec T_h > T_m T_in > T_pm. The execution time for computing 11 hash operations in two phases is needed in the proposed scheme, which is lower than the schemes in [19,22], [24], and [25]. A reasonable assumption is that the length of ID is 64 bits. The hash function H(), encryption/decryption (AES-128), random numbers, and timestamp are 128 bits each. The elliptic curve point P (= (P_x, P_y)) and the prime number p are 256 and 1024 bits each, where the x and y coordinates return 128 bits each. To transmit a login message, the communication cost (total number of bits needed to transmit a message) of our proposed scheme is ( ) = 640 bits, which is lower than the schemes in

Table II. Security comparison of our scheme with the related schemes.
Scheme SR1 SR2 SR3 SR4 SR5 SR6 SR7 SR8 SR9 SR10
p p p p p p Xu et al. [19] p p p p p p p p p p Islam and Khan [20] p p p p Chaudhry et al. [21] p p p p p Li et al. [22] p p p p p Mishra et al. [23] p p p p Qu and Tan [24] p p p p p p Huang et al. [25] p p p p p p p p p p Ours
SR1, resists the password guessing attack; SR2, resists the insider attack; SR3, resists the user impersonation attack; SR4, resists the server impersonation attack; SR5, resists the session key disclosure attack; SR6, resists the smart card stolen attack; SR7, resists the stolen verifier attack; SR8, resists the replay attack; SR9, preserves user anonymity and dynamic identity; SR10, provides efficient password change phase; , no; p, yes; , not applicable.

Table III. Comparison: computation, communication, and storage costs, respectively.
Columns: Scheme; Storage cost (bits); Communication cost (bits), LP and KP; Computation cost, LP and KP.
Xu et al. [19]: computation cost LP T_h + 2T_pm, KP 9T_h + 4T_pm
Islam and Khan [20]: computation cost LP T_h + 2T_pm + T_m, KP 6T_h + 4T_pm
Chaudhry et al. [21]: computation cost LP T_h + 3T_pm + T_m, KP 6T_h + 4T_pm + T_in
Li et al. [22]: computation cost LP T_h + T_pm, KP 6T_h + 3T_pm
Mishra et al. [23]: computation cost LP T_h + T_pm, KP T_dec + 6T_h + 3T_pm
Qu and Tan [24]: computation cost LP T_h + 3T_pm, KP 8T_h + 6T_pm
Huang et al. [25]: computation cost LP T_h + 4T_pm, KP 9T_h + 3T_pm
Ours: computation cost LP T_h + 3T_pm, KP 7T_h + 6T_pm + T_m
LP, login phase; KP, authentication and key agreement phase.
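The card-side check from the efficient login phase and the DID construction from the user anonymity and dynamic identity discussion can be run end to end. The following Python code is an added example, not code from the paper: the curve (secp256k1), SHA-256 as H_1, the field encodings, the freshness window DELTA_T, P_pub = [s]P, the combined `register` helper and the plain set of registered identities (standing in for the server's H_3 table) are assumptions, and D is built from SID_y as in the login check.

```python
# Added example: card-side login check and dynamic identity of the scheme above.
# Assumptions (not from the paper): secp256k1, SHA-256 as H1, encodings, DELTA_T.
import hashlib
import secrets

P_FIELD = 2**256 - 2**32 - 977          # secp256k1 field prime
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5                              # assumed freshness window in seconds

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def ec_mul(k, point):
    """Double-and-add [k]point (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def H1(*parts):
    """H1(a || b || ...) with length-prefixed fields, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        raw = p.encode() if isinstance(p, str) else p.to_bytes(32, "big")
        h.update(len(raw).to_bytes(2, "big") + raw)
    return int.from_bytes(h.digest(), "big")

def register(ID, pw, s):
    """Build the card values <A, D, br> from the relations quoted in the analysis."""
    r = secrets.randbits(128)
    pwr = H1(pw, r)                      # pwr = H1(pw || r)
    h = H1(ID, s) % N_ORDER              # H1(ID || s), reduced to a scalar
    SID = ec_mul(h, G)                   # SID = [H1(ID || s)]P
    return {"A": h ^ pwr, "D": H1(SID[1], pwr), "br": r ^ H1(ID, pw)}

def card_login(card, ID, pw, P_pub, T1):
    """Card-side check; returns <DID, K, R, T1> or None if the inputs are wrong."""
    r = H1(ID, pw) ^ card["br"]
    pwr = H1(pw, r)
    SID = ec_mul((card["A"] ^ pwr) % N_ORDER, G)
    if SID is None or H1(SID[1], pwr) != card["D"]:
        return None                      # halt locally, nothing is sent to S
    b = secrets.randbelow(N_ORDER - 1) + 1
    R, L = ec_mul(b, G), ec_mul(b, P_pub)
    return {"DID": ID ^ L[0], "K": H1(SID[0], L[1], T1), "R": R, "T1": T1}

def server_verify(msg, s, registered_ids, now):
    """Server side: freshness, recover ID from DID, then recompute K."""
    if now - msg["T1"] > DELTA_T:
        return None
    L = ec_mul(s, msg["R"])              # L* = [s]R equals [b]P_pub
    ID = L[0] ^ msg["DID"]               # ID* = L*_x XOR DID
    if ID not in registered_ids:         # stand-in for the H3 verifier lookup
        return None
    SID = ec_mul(H1(ID, s) % N_ORDER, G)
    return ID if H1(SID[0], L[1], msg["T1"]) == msg["K"] else None

def demo():
    """Constructed sample run: one user, one server key."""
    s = secrets.randbelow(N_ORDER - 1) + 1
    P_pub = ec_mul(s, G)
    ID = int.from_bytes(b"user0001", "big")          # constructed 64-bit identity
    card = register(ID, "correct-pw", s)
    m1 = card_login(card, ID, "correct-pw", P_pub, T1=1000)
    m2 = card_login(card, ID, "correct-pw", P_pub, T1=1001)
    return {
        "accepted": server_verify(m1, s, {ID}, now=1002) == ID,
        "wrong_pw_halts": card_login(card, ID, "wrong-pw", P_pub, 1000) is None,
        "did_changes": m1["DID"] != m2["DID"],
        "stale_rejected": server_verify(m1, s, {ID}, now=2000) is None,
    }

if __name__ == "__main__":
    print(demo())
```

A wrong password or identity is caught on the card before any message leaves it, and two logins by the same user carry different DID values because b is fresh each time.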


More information

CMPS 10 Introduction to Computer Science Lecture Notes

CMPS 10 Introduction to Computer Science Lecture Notes CPS 0 Introducton to Computer Scence Lecture Notes Chapter : Algorthm Desgn How should we present algorthms? Natural languages lke Englsh, Spansh, or French whch are rch n nterpretaton and meanng are not

More information

Mathematics 256 a course in differential equations for engineering students

Mathematics 256 a course in differential equations for engineering students Mathematcs 56 a course n dfferental equatons for engneerng students Chapter 5. More effcent methods of numercal soluton Euler s method s qute neffcent. Because the error s essentally proportonal to the

More information

Cluster Analysis of Electrical Behavior

Cluster Analysis of Electrical Behavior Journal of Computer and Communcatons, 205, 3, 88-93 Publshed Onlne May 205 n ScRes. http://www.scrp.org/ournal/cc http://dx.do.org/0.4236/cc.205.350 Cluster Analyss of Electrcal Behavor Ln Lu Ln Lu, School

More information

6.854 Advanced Algorithms Petar Maymounkov Problem Set 11 (November 23, 2005) With: Benjamin Rossman, Oren Weimann, and Pouya Kheradpour

6.854 Advanced Algorithms Petar Maymounkov Problem Set 11 (November 23, 2005) With: Benjamin Rossman, Oren Weimann, and Pouya Kheradpour 6.854 Advanced Algorthms Petar Maymounkov Problem Set 11 (November 23, 2005) Wth: Benjamn Rossman, Oren Wemann, and Pouya Kheradpour Problem 1. We reduce vertex cover to MAX-SAT wth weghts, such that the

More information

Conditional Speculative Decimal Addition*

Conditional Speculative Decimal Addition* Condtonal Speculatve Decmal Addton Alvaro Vazquez and Elsardo Antelo Dep. of Electronc and Computer Engneerng Unv. of Santago de Compostela, Span Ths work was supported n part by Xunta de Galca under grant

More information

The Codesign Challenge

The Codesign Challenge ECE 4530 Codesgn Challenge Fall 2007 Hardware/Software Codesgn The Codesgn Challenge Objectves In the codesgn challenge, your task s to accelerate a gven software reference mplementaton as fast as possble.

More information

Course Introduction. Algorithm 8/31/2017. COSC 320 Advanced Data Structures and Algorithms. COSC 320 Advanced Data Structures and Algorithms

Course Introduction. Algorithm 8/31/2017. COSC 320 Advanced Data Structures and Algorithms. COSC 320 Advanced Data Structures and Algorithms Course Introducton Course Topcs Exams, abs, Proects A quc loo at a few algorthms 1 Advanced Data Structures and Algorthms Descrpton: We are gong to dscuss algorthm complexty analyss, algorthm desgn technques

More information

On Some Entertaining Applications of the Concept of Set in Computer Science Course

On Some Entertaining Applications of the Concept of Set in Computer Science Course On Some Entertanng Applcatons of the Concept of Set n Computer Scence Course Krasmr Yordzhev *, Hrstna Kostadnova ** * Assocate Professor Krasmr Yordzhev, Ph.D., Faculty of Mathematcs and Natural Scences,

More information

ID-based Directed Threshold Multisignature Scheme from Bilinear Pairings

ID-based Directed Threshold Multisignature Scheme from Bilinear Pairings P asudeva Reddy et al / Internatonal Journal on Computer Scence and Engneerng ol(), 9, 74-79 -based Drected Threshold Multsgnature Scheme from Blnear Parngs P asudeva Reddy, B Umaprasada Rao, T Gowr (

More information

An Application of the Dulmage-Mendelsohn Decomposition to Sparse Null Space Bases of Full Row Rank Matrices

An Application of the Dulmage-Mendelsohn Decomposition to Sparse Null Space Bases of Full Row Rank Matrices Internatonal Mathematcal Forum, Vol 7, 2012, no 52, 2549-2554 An Applcaton of the Dulmage-Mendelsohn Decomposton to Sparse Null Space Bases of Full Row Rank Matrces Mostafa Khorramzadeh Department of Mathematcal

More information

Constructing Minimum Connected Dominating Set: Algorithmic approach

Constructing Minimum Connected Dominating Set: Algorithmic approach Constructng Mnmum Connected Domnatng Set: Algorthmc approach G.N. Puroht and Usha Sharma Centre for Mathematcal Scences, Banasthal Unversty, Rajasthan 304022 usha.sharma94@yahoo.com Abstract: Connected

More information

Privacy Models for RFID Authentication Protocols

Privacy Models for RFID Authentication Protocols Prvacy Models for RFID Authentcaton Protocols Jan Shen 1,2, Jn Wang 1,2, Yuan Me 1,2, Ilyong Chung 3 1 Jangsu Engneerng Center of Network Montorng, Nanjng Unversty of Informaton Scence &echnology, Nanjng,210044,Chna

More information

3D vector computer graphics

3D vector computer graphics 3D vector computer graphcs Paolo Varagnolo: freelance engneer Padova Aprl 2016 Prvate Practce ----------------------------------- 1. Introducton Vector 3D model representaton n computer graphcs requres

More information

A mathematical programming approach to the analysis, design and scheduling of offshore oilfields

A mathematical programming approach to the analysis, design and scheduling of offshore oilfields 17 th European Symposum on Computer Aded Process Engneerng ESCAPE17 V. Plesu and P.S. Agach (Edtors) 2007 Elsever B.V. All rghts reserved. 1 A mathematcal programmng approach to the analyss, desgn and

More information

Report on On-line Graph Coloring

Report on On-line Graph Coloring 2003 Fall Semester Comp 670K Onlne Algorthm Report on LO Yuet Me (00086365) cndylo@ust.hk Abstract Onlne algorthm deals wth data that has no future nformaton. Lots of examples demonstrate that onlne algorthm

More information

Cryptanalysis and Improvement of Mutual Authentication Protocol for EPC C1G2 passive RFID Tag

Cryptanalysis and Improvement of Mutual Authentication Protocol for EPC C1G2 passive RFID Tag IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): 1694-0814 ISSN (Onlne): 1694-0784 www.ijcsi.org https://do.org/10.0943/0101706.7684 76 Cryptanalyss and

More information

TN348: Openlab Module - Colocalization

TN348: Openlab Module - Colocalization TN348: Openlab Module - Colocalzaton Topc The Colocalzaton module provdes the faclty to vsualze and quantfy colocalzaton between pars of mages. The Colocalzaton wndow contans a prevew of the two mages

More information

A new attack on Jakobsson Hybrid Mix-Net

A new attack on Jakobsson Hybrid Mix-Net A new attack on Jakobsson Hybrd Mx-Net Seyyed Amr Mortazav Tehran, Iran. sa.mortezav@gmal.com Abstract The Jakobsson hybrd Mx-net proposed by Jakobsson and Juels, s a very practcal and effcent scheme for

More information

Parallel matrix-vector multiplication

Parallel matrix-vector multiplication Appendx A Parallel matrx-vector multplcaton The reduced transton matrx of the three-dmensonal cage model for gel electrophoress, descrbed n secton 3.2, becomes excessvely large for polymer lengths more

More information

Research Article Robust and Efficient Authentication Scheme for Session Initiation Protocol

Research Article Robust and Efficient Authentication Scheme for Session Initiation Protocol Mathematcal Problems n Engneerng Volume 205, Artcle ID 894549, 9 pages http://dx.do.org/0.55/205/894549 Research Artcle Robust and Effcent Authentcaton Scheme for Sesson Intaton Protocol Yanrong Lu,,2

More information

Content Based Image Retrieval Using 2-D Discrete Wavelet with Texture Feature with Different Classifiers

Content Based Image Retrieval Using 2-D Discrete Wavelet with Texture Feature with Different Classifiers IOSR Journal of Electroncs and Communcaton Engneerng (IOSR-JECE) e-issn: 78-834,p- ISSN: 78-8735.Volume 9, Issue, Ver. IV (Mar - Apr. 04), PP 0-07 Content Based Image Retreval Usng -D Dscrete Wavelet wth

More information

A New Approach For the Ranking of Fuzzy Sets With Different Heights

A New Approach For the Ranking of Fuzzy Sets With Different Heights New pproach For the ankng of Fuzzy Sets Wth Dfferent Heghts Pushpnder Sngh School of Mathematcs Computer pplcatons Thapar Unversty, Patala-7 00 Inda pushpndersnl@gmalcom STCT ankng of fuzzy sets plays

More information

Lecture 5: Multilayer Perceptrons

Lecture 5: Multilayer Perceptrons Lecture 5: Multlayer Perceptrons Roger Grosse 1 Introducton So far, we ve only talked about lnear models: lnear regresson and lnear bnary classfers. We noted that there are functons that can t be represented

More information

ON SOME ENTERTAINING APPLICATIONS OF THE CONCEPT OF SET IN COMPUTER SCIENCE COURSE

ON SOME ENTERTAINING APPLICATIONS OF THE CONCEPT OF SET IN COMPUTER SCIENCE COURSE Yordzhev K., Kostadnova H. Інформаційні технології в освіті ON SOME ENTERTAINING APPLICATIONS OF THE CONCEPT OF SET IN COMPUTER SCIENCE COURSE Yordzhev K., Kostadnova H. Some aspects of programmng educaton

More information

F Geometric Mean Graphs

F Geometric Mean Graphs Avalable at http://pvamu.edu/aam Appl. Appl. Math. ISSN: 1932-9466 Vol. 10, Issue 2 (December 2015), pp. 937-952 Applcatons and Appled Mathematcs: An Internatonal Journal (AAM) F Geometrc Mean Graphs A.

More information

A Unified Framework for Semantics and Feature Based Relevance Feedback in Image Retrieval Systems

A Unified Framework for Semantics and Feature Based Relevance Feedback in Image Retrieval Systems A Unfed Framework for Semantcs and Feature Based Relevance Feedback n Image Retreval Systems Ye Lu *, Chunhu Hu 2, Xngquan Zhu 3*, HongJang Zhang 2, Qang Yang * School of Computng Scence Smon Fraser Unversty

More information

The Greedy Method. Outline and Reading. Change Money Problem. Greedy Algorithms. Applications of the Greedy Strategy. The Greedy Method Technique

The Greedy Method. Outline and Reading. Change Money Problem. Greedy Algorithms. Applications of the Greedy Strategy. The Greedy Method Technique //00 :0 AM Outlne and Readng The Greedy Method The Greedy Method Technque (secton.) Fractonal Knapsack Problem (secton..) Task Schedulng (secton..) Mnmum Spannng Trees (secton.) Change Money Problem Greedy

More information

International Journal of Computer Science Trends and Technology (IJCST) Volume 4 Issue 5, Sep - Oct 2016

International Journal of Computer Science Trends and Technology (IJCST) Volume 4 Issue 5, Sep - Oct 2016 Internatonal Journal of Computer Scence Trends and Technology (IJCST) Volume 4 Issue 5, Sep - Oct 2016 RESEARCH ARTICLE OPEN ACCESS Bometrc Based User Authentcaton n WSN Usng ABC Optmzaton D.Thamaraselv

More information

Solving two-person zero-sum game by Matlab

Solving two-person zero-sum game by Matlab Appled Mechancs and Materals Onlne: 2011-02-02 ISSN: 1662-7482, Vols. 50-51, pp 262-265 do:10.4028/www.scentfc.net/amm.50-51.262 2011 Trans Tech Publcatons, Swtzerland Solvng two-person zero-sum game by

More information

A Fast Content-Based Multimedia Retrieval Technique Using Compressed Data

A Fast Content-Based Multimedia Retrieval Technique Using Compressed Data A Fast Content-Based Multmeda Retreval Technque Usng Compressed Data Borko Furht and Pornvt Saksobhavvat NSF Multmeda Laboratory Florda Atlantc Unversty, Boca Raton, Florda 3343 ABSTRACT In ths paper,

More information

IP Camera Configuration Software Instruction Manual

IP Camera Configuration Software Instruction Manual IP Camera 9483 - Confguraton Software Instructon Manual VBD 612-4 (10.14) Dear Customer, Wth your purchase of ths IP Camera, you have chosen a qualty product manufactured by RADEMACHER. Thank you for the

More information

Improving Low Density Parity Check Codes Over the Erasure Channel. The Nelder Mead Downhill Simplex Method. Scott Stransky

Improving Low Density Parity Check Codes Over the Erasure Channel. The Nelder Mead Downhill Simplex Method. Scott Stransky Improvng Low Densty Party Check Codes Over the Erasure Channel The Nelder Mead Downhll Smplex Method Scott Stransky Programmng n conjuncton wth: Bors Cukalovc 18.413 Fnal Project Sprng 2004 Page 1 Abstract

More information

R s s f. m y s. SPH3UW Unit 7.3 Spherical Concave Mirrors Page 1 of 12. Notes

R s s f. m y s. SPH3UW Unit 7.3 Spherical Concave Mirrors Page 1 of 12. Notes SPH3UW Unt 7.3 Sphercal Concave Mrrors Page 1 of 1 Notes Physcs Tool box Concave Mrror If the reflectng surface takes place on the nner surface of the sphercal shape so that the centre of the mrror bulges

More information

Specifications in 2001

Specifications in 2001 Specfcatons n 200 MISTY (updated : May 3, 2002) September 27, 200 Mtsubsh Electrc Corporaton Block Cpher Algorthm MISTY Ths document shows a complete descrpton of encrypton algorthm MISTY, whch are secret-key

More information

A Facet Generation Procedure. for solving 0/1 integer programs

A Facet Generation Procedure. for solving 0/1 integer programs A Facet Generaton Procedure for solvng 0/ nteger programs by Gyana R. Parja IBM Corporaton, Poughkeepse, NY 260 Radu Gaddov Emery Worldwde Arlnes, Vandala, Oho 45377 and Wlbert E. Wlhelm Teas A&M Unversty,

More information

Virtual Machine Migration based on Trust Measurement of Computer Node

Virtual Machine Migration based on Trust Measurement of Computer Node Appled Mechancs and Materals Onlne: 2014-04-04 ISSN: 1662-7482, Vols. 536-537, pp 678-682 do:10.4028/www.scentfc.net/amm.536-537.678 2014 Trans Tech Publcatons, Swtzerland Vrtual Machne Mgraton based on

More information

Load-Balanced Anycast Routing

Load-Balanced Anycast Routing Load-Balanced Anycast Routng Chng-Yu Ln, Jung-Hua Lo, and Sy-Yen Kuo Department of Electrcal Engneerng atonal Tawan Unversty, Tape, Tawan sykuo@cc.ee.ntu.edu.tw Abstract For fault-tolerance and load-balance

More information

Petri Net Based Software Dependability Engineering

Petri Net Based Software Dependability Engineering Proc. RELECTRONIC 95, Budapest, pp. 181-186; October 1995 Petr Net Based Software Dependablty Engneerng Monka Hener Brandenburg Unversty of Technology Cottbus Computer Scence Insttute Postbox 101344 D-03013

More information

A MOVING MESH APPROACH FOR SIMULATION BUDGET ALLOCATION ON CONTINUOUS DOMAINS

A MOVING MESH APPROACH FOR SIMULATION BUDGET ALLOCATION ON CONTINUOUS DOMAINS Proceedngs of the Wnter Smulaton Conference M E Kuhl, N M Steger, F B Armstrong, and J A Jones, eds A MOVING MESH APPROACH FOR SIMULATION BUDGET ALLOCATION ON CONTINUOUS DOMAINS Mark W Brantley Chun-Hung

More information

Analysis of Collaborative Distributed Admission Control in x Networks

Analysis of Collaborative Distributed Admission Control in x Networks 1 Analyss of Collaboratve Dstrbuted Admsson Control n 82.11x Networks Thnh Nguyen, Member, IEEE, Ken Nguyen, Member, IEEE, Lnha He, Member, IEEE, Abstract Wth the recent surge of wreless home networks,

More information

Genetic Key Guided Neural Deep Learning based Encryption for Online Wireless Communication (GKNDLE)

Genetic Key Guided Neural Deep Learning based Encryption for Online Wireless Communication (GKNDLE) Genetc Key Guded Neural Deep Learnng based Encrypton for Onlne Wreless Communcaton (GKNDLE) Arndam Sarkar Department of Computer Scence & Electroncs, Ramakrshna Msson Vdyamandra, Belur Math-711202, West

More information

Oracle Database: SQL and PL/SQL Fundamentals Certification Course

Oracle Database: SQL and PL/SQL Fundamentals Certification Course Oracle Database: SQL and PL/SQL Fundamentals Certfcaton Course 1 Duraton: 5 Days (30 hours) What you wll learn: Ths Oracle Database: SQL and PL/SQL Fundamentals tranng delvers the fundamentals of SQL and

More information

A fault tree analysis strategy using binary decision diagrams

A fault tree analysis strategy using binary decision diagrams Loughborough Unversty Insttutonal Repostory A fault tree analyss strategy usng bnary decson dagrams Ths tem was submtted to Loughborough Unversty's Insttutonal Repostory by the/an author. Addtonal Informaton:

More information

The Research of Ellipse Parameter Fitting Algorithm of Ultrasonic Imaging Logging in the Casing Hole

The Research of Ellipse Parameter Fitting Algorithm of Ultrasonic Imaging Logging in the Casing Hole Appled Mathematcs, 04, 5, 37-3 Publshed Onlne May 04 n ScRes. http://www.scrp.org/journal/am http://dx.do.org/0.436/am.04.584 The Research of Ellpse Parameter Fttng Algorthm of Ultrasonc Imagng Loggng

More information

Optimization Methods: Integer Programming Integer Linear Programming 1. Module 7 Lecture Notes 1. Integer Linear Programming

Optimization Methods: Integer Programming Integer Linear Programming 1. Module 7 Lecture Notes 1. Integer Linear Programming Optzaton Methods: Integer Prograng Integer Lnear Prograng Module Lecture Notes Integer Lnear Prograng Introducton In all the prevous lectures n lnear prograng dscussed so far, the desgn varables consdered

More information

Data Representation in Digital Design, a Single Conversion Equation and a Formal Languages Approach

Data Representation in Digital Design, a Single Conversion Equation and a Formal Languages Approach Data Representaton n Dgtal Desgn, a Sngle Converson Equaton and a Formal Languages Approach Hassan Farhat Unversty of Nebraska at Omaha Abstract- In the study of data representaton n dgtal desgn and computer

More information

X- Chart Using ANOM Approach

X- Chart Using ANOM Approach ISSN 1684-8403 Journal of Statstcs Volume 17, 010, pp. 3-3 Abstract X- Chart Usng ANOM Approach Gullapall Chakravarth 1 and Chaluvad Venkateswara Rao Control lmts for ndvdual measurements (X) chart are

More information

HOMOMORPHIC ENCRYPTION SCHEMES: STEPS TO IMPROVE THE PROFICIENCY

HOMOMORPHIC ENCRYPTION SCHEMES: STEPS TO IMPROVE THE PROFICIENCY HOMOMORPHIC ENCRYPTION SCHEMES: STEPS TO IMPROVE THE PROFICIENCY Pallav 1 Masters n Technology, School of Future Studes and Plannng, DAVV, Indore (Inda) ABSTRACT Homomorphc encrypton schemes are malleable

More information

Module Management Tool in Software Development Organizations

Module Management Tool in Software Development Organizations Journal of Computer Scence (5): 8-, 7 ISSN 59-66 7 Scence Publcatons Management Tool n Software Development Organzatons Ahmad A. Al-Rababah and Mohammad A. Al-Rababah Faculty of IT, Al-Ahlyyah Amman Unversty,

More information

Virtual Memory. Background. No. 10. Virtual Memory: concept. Logical Memory Space (review) Demand Paging(1) Virtual Memory

Virtual Memory. Background. No. 10. Virtual Memory: concept. Logical Memory Space (review) Demand Paging(1) Virtual Memory Background EECS. Operatng System Fundamentals No. Vrtual Memory Prof. Hu Jang Department of Electrcal Engneerng and Computer Scence, York Unversty Memory-management methods normally requres the entre process

More information

CSE 326: Data Structures Quicksort Comparison Sorting Bound

CSE 326: Data Structures Quicksort Comparison Sorting Bound CSE 326: Data Structures Qucksort Comparson Sortng Bound Bran Curless Sprng 2008 Announcements (5/14/08) Homework due at begnnng of class on Frday. Secton tomorrow: Graded homeworks returned More dscusson

More information

Comparison of Heuristics for Scheduling Independent Tasks on Heterogeneous Distributed Environments

Comparison of Heuristics for Scheduling Independent Tasks on Heterogeneous Distributed Environments Comparson of Heurstcs for Schedulng Independent Tasks on Heterogeneous Dstrbuted Envronments Hesam Izakan¹, Ath Abraham², Senor Member, IEEE, Václav Snášel³ ¹ Islamc Azad Unversty, Ramsar Branch, Ramsar,

More information

Design and Analysis of Authenticated Key Agreement Schemes for Future IoT Applications and Session Initiation Protocol

Design and Analysis of Authenticated Key Agreement Schemes for Future IoT Applications and Session Initiation Protocol Desgn and Analyss of Authentcated Key Agreement Schemes for Future IoT Applcatons and Sesson Intaton Protocol Thess submtted n partal fulfllment of the requrements for the degree of Master of Scence (By

More information

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) , Fax: (370-5) ,

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) , Fax: (370-5) , VRT012 User s gude V0.1 Thank you for purchasng our product. We hope ths user-frendly devce wll be helpful n realsng your deas and brngng comfort to your lfe. Please take few mnutes to read ths manual

More information

NAG Fortran Library Chapter Introduction. G10 Smoothing in Statistics

NAG Fortran Library Chapter Introduction. G10 Smoothing in Statistics Introducton G10 NAG Fortran Lbrary Chapter Introducton G10 Smoothng n Statstcs Contents 1 Scope of the Chapter... 2 2 Background to the Problems... 2 2.1 Smoothng Methods... 2 2.2 Smoothng Splnes and Regresson

More information

2x x l. Module 3: Element Properties Lecture 4: Lagrange and Serendipity Elements

2x x l. Module 3: Element Properties Lecture 4: Lagrange and Serendipity Elements Module 3: Element Propertes Lecture : Lagrange and Serendpty Elements 5 In last lecture note, the nterpolaton functons are derved on the bass of assumed polynomal from Pascal s trangle for the fled varable.

More information

UNIT 2 : INEQUALITIES AND CONVEX SETS

UNIT 2 : INEQUALITIES AND CONVEX SETS UNT 2 : NEQUALTES AND CONVEX SETS ' Structure 2. ntroducton Objectves, nequaltes and ther Graphs Convex Sets and ther Geometry Noton of Convex Sets Extreme Ponts of Convex Set Hyper Planes and Half Spaces

More information

Time-Assisted Authentication Protocol

Time-Assisted Authentication Protocol Tme-Asssted Authentcaton Protocol 1 Muhammad Blal Unversty of Scence and Technology, Korea Electroncs and Telecommuncaton Research Insttute, Rep. of Korea mblal@etr.re.kr, engr.mblal@yahoo.com 2 Shn-Gak

More information

CSE 326: Data Structures Quicksort Comparison Sorting Bound

CSE 326: Data Structures Quicksort Comparison Sorting Bound CSE 326: Data Structures Qucksort Comparson Sortng Bound Steve Setz Wnter 2009 Qucksort Qucksort uses a dvde and conquer strategy, but does not requre the O(N) extra space that MergeSort does. Here s the

More information

The stream cipher MICKEY-128 (version 1) Algorithm specification issue 1.0

The stream cipher MICKEY-128 (version 1) Algorithm specification issue 1.0 The stream cpher MICKEY-128 (verson 1 Algorthm specfcaton ssue 1. Steve Babbage Vodafone Group R&D, Newbury, UK steve.babbage@vodafone.com Matthew Dodd Independent consultant matthew@mdodd.net www.mdodd.net

More information

Concurrent Apriori Data Mining Algorithms

Concurrent Apriori Data Mining Algorithms Concurrent Apror Data Mnng Algorthms Vassl Halatchev Department of Electrcal Engneerng and Computer Scence York Unversty, Toronto October 8, 2015 Outlne Why t s mportant Introducton to Assocaton Rule Mnng

More information

A NOTE ON FUZZY CLOSURE OF A FUZZY SET

A NOTE ON FUZZY CLOSURE OF A FUZZY SET (JPMNT) Journal of Process Management New Technologes, Internatonal A NOTE ON FUZZY CLOSURE OF A FUZZY SET Bhmraj Basumatary Department of Mathematcal Scences, Bodoland Unversty, Kokrajhar, Assam, Inda,

More information