An Improved Lightweight Two-Factor Authentication and Key Agreement Protocol with Dynamic Identity Based on Elliptic Curve Cryptography

Abstract

With the rapid development of the Internet of Things, the problem of privacy protection has been paid great attention. Recently, Nikooghadam et al. pointed out that Kumari et al.'s protocol can neither resist off-line guessing attack nor preserve user anonymity. Moreover, the authors also proposed an authentication supportive session initial protocol, claiming to resist various vulnerability attacks. Unfortunately, this paper proves that the authentication protocols of Kumari et al. and Nikooghadam et al. have neither the ability to preserve perfect forward secrecy nor the ability to resist key-compromise impersonation attack. In order to remedy such flaws in their protocols, we design a lightweight authentication protocol using elliptic curve cryptography. By way of informal security analysis, it is shown that the proposed protocol can both resist a variety of attacks and provide more security. Afterward, it is also proved that the protocol is resistant against active and passive attacks under Dolev-Yao model by means of Burrows-Abadi-Needham logic (BAN-Logic), and fulfills mutual authentication using Automated Validation of Internet Security Protocols and Applications (AVISPA) software. Subsequently, we compare the protocol with the related scheme in terms of computational complexity and security. The comparative analytics witness that the proposed protocol is more suitable for practical application scenarios.

1. Introduction

With the growing applications of cloud computing and multimedia services, the issue of communication privacy protection has gained more attention. To solve the privacy problem, numerous authentication and key agreement protocols are presented [1-20]. In order to login the server, the users execute the authentication process through session initial protocol (SIP). More precisely, SIP is a communication protocol that signals and controlls multimedia communication sessions in practical applications, such as telecare medical information systems, distributed cloud computing environment, and internet telephony etc. Authentication and key agreement is a vital part of SIP. After the first authentication protocol was presented by Franks et al. in 1999 [21], many researchers analyzed and designed a lot of authentication and key agreement protocols based on the work of Franks et al. However, most of these schemes have at least one security vulnerability, such as perfect forward secrecy and off-line password guessing attack, etc [22-25].

1.1 Related Work

Recently, Chang et al. [26] observed that Wang et al.’s protocol [27] is unable to resist impersonation attack and provides user-untraceability because the identity is transmitted in login request message. Moreover, Chang et al. [26] also pointed out that password changing phase has no verification step in Wang et al’s protocol [27]. Implying that the legitimate user will not be able to access the remote server anymore. In order to solve these problems, Chang et al. [26] presented a dynamic-identity based remote user authentication scheme while only incorporating hash function without session key agreement. In 2014, Kumari et al. [28] revealed that Chang et al. [26] protocol cannot resist off-line password guessing attack, impersonation attacks, etc. Further, Chang et al. [26] protocol also faces denial of service and cannot provide session key. For eliminating these vulnerabilities in Chang et al. protocol [26], Kumari et al. [28] also designed an authentication protocol. However, Chaudhry et al.[29] identified that Kumari et al.’s protocol [28] is still vulnerable against smart card stolen attack and cannot provide user anonymity in 2015. Subsequently, Chaudhry et al. [29] proposed an improved remote user authentication scheme with privacy preserving to remedy those flaws of Kumari et al.’s protocol [28]. But in 2016, Nikooghadam et al. [30] proved that Kumari et al. [28]’s and Chaudhry et al. [29]’s protocols are unable to resist offline-password-guessing attacks. Afterward, Nikooghadam et al. [30] designed a new authentication protocol and asserted that their protocol can both resist various attacks and provide user-anonymity. But, we remark that Nikooghadam et al.’s protocol [30] also has some flaws including perfect forward secrecy and off-line password guessing attack, etc. In fact, in throughout aforementioned protocols, the authors only used one-way hash function to provide security. Moreover, there exist several defects in the designs of authentication protocols. Under these circumstances, it is impossible to preserve perfect-forward-secrecy and avoid some known attacks, such as impersonation attacks and off-line password guessing attack, etc. In order to establish secure shared key in an authentication scheme, public key cryptography, which can efficiently provide perfect-forward-secrecy and resist various known attacks according to [47-52], is considered as the first choice including elliptic curve cryptography (ECC), RSA, etc. Because, the elliptic curve cryptography is more efficient than RSA under the same security condition, therefore, it is widely used in many special scenarios, especially for resource-constrained devices.

1.2 Contributions and Organization

In order to fill the aforementioned gaps, we present an improved authentication protocol with a full security function. The contributions of this paper are following:

(1) We present a supplementary cryptanalysis of Kumari et al.’s protocol and point out that it is still vulnerable to key-compromise impersonation attack and is unable to provide perfect-forward-secrecy. Moreover, we also remark that Nikooghadam et al.’s protocol is unable to provide perfect forward secrecy and is also vulnerable to off-line password guessing attack and key-compromise impersonation attack.

(2) We establish a novel lightweight authentication protocol for SIP using ECC.

(3) By heuristic security analysis, we illustrate that the proposed protocol is immune to all known attacks. Moreover, the proposed protocol can provide more comprehensive security functions including perfect forward secrecy, dynamic identity, and anonymity, etc.

(4) Via AVISPA software simulation verification, we show that the improved protocol is SAFE against active and passive attacks including replay and man-in-the-middle attacks under the Dolev-Yao model[31].

(5) According to BAN-Logic proof, we show that user and server can mutual authenticate successfully each other in the improved protocol.

(6) Comparing with the relevant solutions, we remark that our protocol is more secure and suitable for application in the actual scene.

The rest of this paper is organized as follows: attacker model and intractable problems are listed in Section 2. The protocol of Kumari et al. and its cryptanalysis is explained in Section 3. The protocol of Nikooghadam et al. and its cryptanalysis is provided in Section 4. The proposed scheme is presented in Section 5. The heuristic security analysis, simulation and security proof through AVISPA software and BAN-Logic are presented in Sections 6, 7 and 8, respectively. Security and performance comparisons are depicted in Section 9. Finally, the conclusion is summarised in Section 10.

2. Preliminaries

In this section, we introduce the capacities of the adversary of the authentication protocol. Some notations used in this paper are listed in Table 1.

2.1 Attacker model

According to [32-35], throughout this paper, we summarize the capacities of the attacker \(\mathcal{A}\) suitable for the whole paper as follows:

(1) According to [33,34], if \(\mathcal{A}\) steals the smart card of user or is in the effective range of the smart card being attacked, \(\mathcal{A}\) may have the ability to obtain all datum stored in smart card by using the power-analysis technology.

(2) In open channels, all datum transmitted on these channels are public. So \(\mathcal{A}\)  has the capacity to eavesdrop, delete, modify, insert, replay, and block these messages on pubic channels.

(3) According to [32,35], \(\mathcal{A}\) can have the ability to guess identity and password simultaneously in polynomial time. Thus, \(\mathcal{A}\) can traverse all pairs of identity and password in dictionary space with in polynomial time.

(4) According to [32,35], \(\mathcal{A}\) can either steal password or get all datum from user’s smart card, but not both. If they are compromised by \(\mathcal{A}\) simultaneously, then any two-factor authentication protocol is insecure.

(5) When perfect forward secrecy [32,35] and key-compromise user impersonation attack are discussed, the long-term private key of the server can be leaked to \(\mathcal{A}\). Since perfect forward security is the ultimate security, and key-compromise user impersonation attack is the ultimate attack, if an authentication protocol can both provide forward security and resist key-compromise user impersonation attack, it will be a better protocol. When assessing any attack, key-compromise user impersonation attack in particular, it is assumed that any adversary cannot get the verifiers and the private key of server simultaneously.

2.2 Intractable problems over ECC

Generally, let \(p\) be a secure prime number and \(F_{p}\) be a finite field, the elliptic curve equation in ECC is defined in the following form:

\(E_{p}(a, b): y^{2}=x^{3}+a x+b(\bmod p) \text { over } F_{p} \text { with } 4 a^{3}+27 b \neq 0(\bmod p)\)

Where a, b ∈ \(F_{p}\).

• Elliptic curve discrete logarithm problem (ECDLP): Let \(P\) is a generator of E_p ( a, b) and Q = xP , where x ∈_R F_p , it is almost impossible for \(\mathcal{A}\)^PPT (probabilistic polynomial time adversary) to figure out the random number x satisfying Q = xP .
• Elliptic curve computational Diffie-Hellman problem (ECCDHP): Let x₁P, x₂P ∈ E_p(a ,b ), it is almost impossible for \(\mathcal{A}\)^PPT to figure out ( x₁x₂)P .

Table 1. Notations

 

3. A Brief Review and Supplementary Cryptanalysis of Kumari et al.’s Protocol

3.1 A brief introduction of Kumari et al.’s protocol

This part simply describes Kumari et al.’s protocol [28]. We omit the password changing phase of their protocol. The registration-phase, login and authentication phase are introduced as follows.

3.1.1 Registration phase

User U_i selects identity \(I D_{i}\), password \(P W_{i}\) in dictionary space and picks a random number b. First, U_i calculates \(R P W_{i}=h\left(b \| P W_{i}\right)\) and sends \(\left\{I D_{i}, R P W_{i}\right\}\) to server S W on the secret channel. Second, once the registration-request \(\left\{I D_{i}, R P W_{i}\right\}\) is received, S  picks a random number \(y_{i}\) and calculates \(N_{i}=h\left(I D_{i} \| x\right) \oplus R P W_{i}, Y_{i}=y_{i} \oplus h\left(I D_{i} \| x\right)\), \(D_{i}=h\left(I D_{i}\left\|y_{i}\right\| R P W_{i}\right)\) and \(E_{t}=y_{i} \oplus h(y \| x)\). Subsequently, server S sends \(N_{i}\) and a new smart card SC containing \(\left\{Y_{i}, D_{i}, E_{i}, h(.)\right\}\) to \(U_{i}\). Finally, on receiving SC and \(N_{i}\) from server, \(U_{i}\) computes \(A_{i}=\left(I D_{i} \| P W_{i}\right) \oplus b, M_{i}=N_{i} \oplus b\) . Then, \(U_{i}\) inserts \(\left\{A_{i}, M_{i}\right\}\) into SC. Thus, \(U_{i}\) obtains a smart card in which \(\left\{A_{i}, M_{i}, Y_{i}, D_{i}, E_{i}, h(.)\right\}\) are stored.

3.1.2 Login and authentication phase

In this part, \(U_{i}\)(SC) and S execute the following steps for login and authentication:

(1) \(U_{i}\)  inserts his smart card SC into the card reader and inputs correct \(I D_{i}, P W_{i}\) . Then, SC  computes \(b=\left(I D_{i} \| P W_{i}\right) \oplus A_{i}\) , \(R P W_{i}=h\left(b \| P W_{i}\right)\) and calculates \(h\left(I D_{i} \| x\right)=M_{i} \oplus R P W_{i} \oplus b, y_{i}=h\left(I D_{i} \| x\right) \oplus Y_{i}\) and \(D_{i}^{*}=h\left(I D_{i}\left\|y_{i}\right\| R P W_{i}\right)\) . Afterward, SC checks \(D_{i}^{*}=? D_{i}\) . After finishing this verification, figures out ℎ( y∥x ) = \(y_{i}\)⨁ \(E_{i}\) and \(N_{i}=M_{i} \oplus b\) . Subsequently, SC selects current timestamp \(T_{i}\) and calculates \(C I D_{i}=I D_{i} \oplus h\left(N_{i}\left\|y_{i}\right\| T_{i}\right)\) , \(N_{i}^{\prime}=N_{i} \oplus h\left(y_{i} \| T_{i}\right)\) , \(B_{i}=N_{i} \oplus R P W_{i}\) , \(C_{i}=h\left(N_{i}\left\|y_{i}\right\| B_{i} \| T_{i}\right)\) and \(F_{i}=y_{i} \oplus\left(h(y \| x) \| T_{i}\right)\). Finally, SC sends the login request message \(\left\{C I D_{i}, N_{i}^{\prime}, C_{i}, F_{i}, T_{i}\right\}\) to S over a public channel.

 

(2) On receiving \(\left\{C I D_{i}, N_{i}^{\prime}, C_{i}, F_{i}, T_{i}\right\}\) from SC, S verifies the timestamp \(T_{i}\)according to the current timestamp. Then S computes \(y_{i}=\left(h(y \| x) \| T_{i}\right) \oplus F_{i}\) , \(N_{i}=N_{i}^{\prime} \oplus\)\(h\left(y_{i} \| T_{i}\right)\), \(I D_{i}=C I D_{i} \oplus h\left(N_{i}\left\|y_{i}\right\| T_{i}\right)\), \(B_{i}^{*}=h\left(I D_{i} \| x\right)\) and \(C_{i}^{*}=h\left(N_{i}\left\|y_{i}\right\| B_{i}^{*} \| T_{i}\right)\). Afterward, S checks \(C_{i}^{*}=? C_{i}\) . If the equation doesn’t, S ends this request, otherwise, S selects the current timestamp \(T_{S S}\) and calculates \(a=h\left(B_{i}^{*}\left\|y_{i}\right\| T_{S S}\right)\). Afterwards, S sends {a, \(T_{S S}\) } to SC.

(3) On receiving {a, \(T_{S S}\)} from S, SC verifies the timestamp \(T_{S S}\) according to the current timestamp. Then, SC figures out \(a^{*}=h\left(B_{i}\left\|y_{i}\right\| T_{S S}\right)\) and checks \(a_{i}^{*}=? a_{i}\) .

(4) If the aforementioned steps are performed successfully, then U_i and S can figure out the common session key SK_i = \(h\left(B_{i}\left\|y_{i}\right\| T_{i}\left\|T_{s s}\right\| h(y \| x)\right)\).

3.2 Vulnerability analysis of Kumari et al.’s protocol

In this subsection, we prove that the protocol of Kumari et al. [28] can neither resist key-compromise-impersonation attack nor provide perfect-forward-secrecy, except the vulnerability pointed out by Nikooghadam et al. [30].

3.2.1 Perfect-forward-secrecy

According to the analysis of Nikooghadam et al. [30], if a legitimate user U_j acts as an attacker and knows the long-term private key x of S, the malicious client U_j obtains the session key between U_i and S by performing the following steps.

(1) U_j computes b_j = ( ID_j∥PW_j ) ⊕ A_j, RPWj = ℎ(b_j ∥PW_j ) , ℎ( ID_j∥x ) = M_j ⊕ RPW_j, y_j = Y_j ⊕ ℎ( ID_j∥x ) and ℎ( y∥x ) = y_j ⊕ E_j .

(2) U_j extracts the values { Y_i, M_i, A_i, D_i, E_i} of the U_i’s smart card and intercepts the login request message \(\left\{C I D_{i}, N_{i}^{\prime}, C_{i}, F_{i}, T_{i}\right\}\) and the respond message \(\left\{a, T_{s s}\right\}\) to  U_i from S.

(3) U_j calculates \(y_{i}=F_{i} \oplus\left(h(y \| x) \| T_{i}\right)\), \(N_{i}=N_{i}^{\prime} \oplus\left(y_{i} \| T_{i}\right)\), \(I D_{i}=C I D_{i} \oplus h\left(N_{i} \|\right.\left.y_{i} \| T_{i}\right)\) and \(B_{i}=h\left(I D_{i} \| x\right)\).

(4) Finally, U_j successfully computes the session key \(S K_{i}=h\left(B_{i}\left\|y_{i}\right\| T_{i}\left\|T_{s s}\right\| h(y \| x)\right)\).

3.2.2 Key-compromise-impersonation-attack

If a legitimate user \(U_{j}\) acts as an attacker and compromises the long term secret key x of S, then \(U_{j}\) executes the following steps to impersonate \(U_{i}\) to S .

(1) \(U_{j}\) computes b = \(\left(I D_{j} \| P W_{j}\right) \oplus A_{j}\) , \(R P W_{j}=h\left(b \| P W_{j}\right)\) , \(h\left(I D_{j} \| x\right)=M_{j} \oplus R P W_{j}\) , \(y_{j}=Y_{j} \oplus h\left(I D_{j} \| x\right)\) and \(h(y \| x)=y_{j} \oplus E_{j}\) .

(2) \(U_{j}\) extracts the values \(\left\{Y_{i}, M_{i}, A_{i}, D_{i}, E_{i}\right\}\) of the \(U_{i}\)’s smart card and intercepts the login request message \(​​\left\{C I D_{i}, N_{i}^{\prime}, C_{i}, F_{i}, T_{i}\right\}\).

(3) \(U_{j}\) computes \(y_{i}=F_{i} \oplus\left(h(y \| x) \| T_{i}\right)\) , \(N_{i}=N_{i}^{\prime} \oplus\left(y_{i} \| T_{i}\right)\) , \(I D_{i}=C I D_{i} \oplus h\left(N_{i}\left\|y_{i}\right\| T_{i}\right)\) and \(B_{i}=h\left(I D_{i} \| x\right)\).

(4) \(U_{j}\) selects a new legitimate timestamp \(T_{i}^{\prime}\). \(U_{j}\) calculates \(C I D_{i}^{\prime}=I D_{i} \oplus h\left(N_{i}\left\|y_{i}\right\| T_{i}^{\prime}\right)\), \(N_{i}^{\prime \prime}=N_{i} \oplus h\left(y_{i} \| T_{i}^{\prime}\right), C_{i}^{\prime}=h\left(N_{i}\left\|y_{i}\right\| B_{i}^{*} \| T_{i}^{\prime}\right)\) and \(F_{i}^{\prime}=y_{i} \oplus\left(h(y \| x) \| T_{i}^{\prime}\right)\).

(5) \(U_{j}\) transmits the forged login message \(\left\{C I D_{i}^{\prime}, N_{i}^{\prime}, C_{i}^{\prime}, F_{i}^{\prime}, T_{i}^{\prime}\right\}\) to S.

(6) Once \(\left\{C I D_{i}^{\prime}, N_{i}^{\prime}, C_{i}^{\prime}, F_{i}^{\prime}, T_{i}^{\prime}\right\}\) from \(U_{j}\) is received, S verifies \(T_{i}^{\prime}\), if it’s within range, S computes \(\left.y_{i}=F_{i}^{\prime} \oplus h(y \| x) \| T_{i}^{\prime}\right)\) , \(N_{i}=N_{i}^{\prime} \oplus h\left(y_{i} \| T_{i}^{\prime}\right)\) , \(I D_{i}=C I D_{i}^{\prime} \oplus\)\(h\left(N_{i}\left\|y_{i}\right\| T_{i}^{\prime}\right)\), \(B_{i}^{*}=h\left(I D_{i} \| x\right)\), and \(C_{i}^{*}=h\left(N_{i}\left\|y_{i}\right\| B_{i}^{*} \| T_{i}^{\prime}\right)\). Afterwards, S verifies whether \(C_{i}^{*}=C_{i}^{\prime}\) , if these are equal, S chooses a timestamp \(T_{S S}\) and computes \(a^{\prime}=h\left(B_{i}^{*}\left\|y_{i}\right\| T_{s s}\right)\).

(7) sends the respond message \(\left\{a^{\prime}, T_{s s}\right\}\) to \(U_{j}\).

(8) Finally, S establishes the session key \(S K_{i}=h\left(B_{i}\left\|y_{i}\right\| T_{i}^{\prime}\left\|T_{\mathrm{ss}}\right\| h(y \| x)\right)\) with the malicious user \(U_{j}\).

4. Introduction and Cryptanalysis of Nikooghadam et al.’s Protocol

4.1 Review of Nikooghadam et al.’s protocol

4.1.1 Registration part

(1) U_i selects his identity ID_i, password PW_i in dictionary space, and then picks a random number \(\gamma\). Afterward, U_i computes \(M P W_{i}=h\left(I D_{i}\|r\| P W_{i}\right)\). U_i sends \(\left\{I D_{i}, M P W_{i}\right\}\) to S on the secret channel.

(2) Once the registration-request \(\left\{I D_{i}, M P W_{i}\right\}\) is received, S chooses a random element N and calculates \(A_{i}=h\left(I D_{i} \| x\right)\), \(B_{i}=A_{i} \oplus M P W_{i}\) , \(M I D_{i}=E_{x}\left(I D_{i} \| N\right)\). Then, S stores ID_i in his database and takes \(\left\{B_{i}, M I D_{i}, E_{k}(.), D_{k}(.), h(.)\right\}\) into a new smart card SC. Subsequently, S sends SC to U_i.

(3) Finally, on receiving SC from the server, U_i inserts {\(\gamma\)} into SC . Thus, U_i gets a smart card in which \(\left\{r, B_{i}, M I D_{i}, E_{k}(.), D_{k}(.), h(.)\right\}\) are stored.

4.1.2 Login & authentication part

U_i(SC) and S can finish login and authentication phase using the following steps:

(1) U_i inserts his smart card SC into the card reader and inputs ID_i, PW_i. Then, SC computes \(A_{i}=B_{i} \oplus h\left(I D_{i}\|r\| P W_{i}\right)\). Subsequently, SC selects a random element RN_i and the current timestamp T_i, and computes \(M_{1}=E_{A_{i}}\left(I D_{i}\left\|R N_{i}\right\| T_{i} \| M I D_{i}\right)\). Finally, SC transmits the login-request \(\left\{M I D_{i}, M_{i}, T_{i}\right\}\) to S on public-channel.

(2) On obtaining \(\left\{C I D_{i}, N_{i}^{\prime}, C_{i}, F_{i}, T_{i}\right\}\) from SC, S verifies the timestamp T_i according to the current timestamp. Then, S decrypts \(M I D_{i}\) to get \(\left(I D_{i} \| N\right)\) using his secret element x and figures out \(A_{i}^{*}=h\left(I D_{i} \| x\right)\) , \(D_{A_{i}^{*}}\left(M_{1}\right)=\left(I D_{i}\left\|R N_{i}\right\| T_{i} \| M I D_{i}\right)\) . Aferwards, S selects random numbers \(R N_{S}\)and \(N^{N e w}\). Subsequently, S computes \(I D_{i}^{N e w}=E_{x}\left(I D_{i} \| N^{N e w}\right)\) and \(M_{2}=E_{A_{i}^{*}}\left(M I D_{i}^{\text {New}}\left\|R N_{s}\right\| I D_{i} \| R N_{i}\right)\) . Finally, S sends \(\left\{M_{2}\right\}\) to SC.

(3) On receiving \(\left\{M_{2}\right\}\) from S, SC decrypts M₂ to be \(\left(M I D_{i}^{N e w}\left\|R N_{s}\right\| I D_{i} \| R N_{i}\right)\) using \(A_{i}^{*}\) and verifies \(I D_{i}, R N_{i}\) . Afterward, SC figures out \(M_{3}=h\left(R N_{s}\left\|M I D^{N e w}\right\|\right.R N_{i})\) and the session key SK = ℎ\(\left(R N_{i}\left\|A_{i}\right\| R N_{S}\right)\) . Then, replaces \(M I D_{i}\) with \(M I D_{i}^{N e w}\) by itself. At last, SC sends the response M₃ to S.

(4) After receiving M₃ , S figures out \(M_{3}^{*}=h\left(R N_{s}\left\|M I D^{N e w}\right\| R N_{i}\right)\) and checks \(M_{3}^{*}=? M_{3}\). If these are equal, S computes \(S K=h\left(R N_{i}\left\|A_{i}\right\| R N_{s}\right)\). Otherwise, ends this session.

(5) Finally, U_i and S get the common session key \(S K=h\left(R N_{i}\left\|A_{i}\right\| R N_{S}\right)\).

4.2 Vulnerability analysis of Nikooghadam et al.’s protocol

4.2.1 Off-line password guessing attack

If \(\mathcal{A}\) gets the smart card SC_i of some user U_i, then \(\mathcal{A}\) can obtain the useful datum \(\left\{B_{i}, M I D_{i}, r, E_{k e y}(\cdot) / D_{k e y}(\cdot), h(\cdot)\right\}\) in SC_i and intercepts the request message \(\left\{M I D_{i}\right.,\left.M_{i}, T_{i}\right\}\). Afterwards, \(\mathcal{A}\) is able to get the correct password and identity of U_i as follows:

(1) \(\mathcal{A}\) selects \(I D_{i}^{*}, P W_{i}^{*}\) as identity and password of U_i in the identity space \(\mathcal{D}_{I D}\) and password space \(\mathcal{D}_{P W}\).

(2) \(\mathcal{A}\) figures out \(A_{i}^{*}=B_{i} \oplus h\left(I D_{i}^{*}\|r\| P W_{i}^{*}\right)\).

(3) \(\mathcal{A}\) uses \(A_{i}^{*}\) to decrypt the value of M_i. If the decryption is failed, then \(\mathcal{A}\) repeats 1), 2) and 3) till the decryption becomes succussful. Otherwise, \(\mathcal{A}\) calculates \(D_{A_{i}^{*}}\left(M_{i}\right)=\left(I D_{i}\left\|R N_{i}\right\| T_{i} \| M I D_{i}^{*}\right)\) and checks whether \(M I D_{i}^{*}=M I D_{i}\) . If these are equal, it infers that \(I D_{i}^{*}, P W_{i}^{*}\) are the correct identity and password of user U_i.

By observing the above steps, we find that two guessing factors are used in login phase, that is, A_i and \(M I D_{i}\). A_i is the decryption key of M_i. On successful decryption, \(\mathcal{A}\)  cotinues to verify the second guessing factor transmitted through open channel. Moreover, we can compute the computation time complexity of guessing attack as follows: \(O\left(\left|\mathcal{D}_{I D}\right| *\right.\left.\left|\mathcal{D}_{P W}\right| *\left(T_{h}+T_{S}\right)\right)\), where T_ℎ is the computaional cost for a hash fuction computation and T_s is the computaional cost for symmetric encryption or decryption, \(\left|\mathcal{D}_{l D}\right|\) and \(\left|\mathcal{D}_{P W}\right|\)  respectively denote the number of \(\mathcal{D}_{I D}\) and the number of \(\mathcal{D}_{P W}\). Usally,  \(\left|\mathcal{D}_{l D}\right|\) ≤ \(\left|\mathcal{D}_{P W}\right|\) ≤10⁶ [32,36,37].

Because of the low entropy of identity and password, \(\mathcal{A}\) can successfully get the correct identity and password of user U_i within a polynomial time.

4.2.2 Perfect-forward-secrecy

In the protocol of Nikooghadam et al. [30], if \(\mathcal{A}\) knows the long term secret key x of S, then \(\mathcal{A}\) can obtain the session key between U_i and S.

(1) \(\mathcal{A}\) eavesdrops on the login request message \(\left\{M I D_{i}, M_{i}, T_{i}\right\}\) and the respond message { M_s } of U_i.

(2) \(\mathcal{A}\) decrypts \(M I D_{i}\) using the long term private key x of S, that is , \(D_{x}\left(M I D_{i}\right)=\left(I D_{i} \| N\right)\). Then, \(\mathcal{A}\) computes \(A_{i}^{*}=h\left(I D_{i} \| x\right)\).

(3) Afterward, \(\mathcal{A}\) decrypts \(M_{i}, M_{s}\) using \(A_{i}^{*}\), that is , \(D_{A_{i}^{*}}\left(M_{i}\right)=\left(I D_{i}\left\|R N_{i}\right\| T_{i} \| M I D_{i}\right)\), \(D_{A_{i}^{*}}\left(M_{s}\right)=\left(M I D_{i}^{N e w}\left\|R N_{s}\right\| I D_{i} \| R N_{i}\right)\), respectively. Thus, \(\mathcal{A}\) obtains the values of \(\left\{R N_{i}, h\left(I D_{i}|| x\right), R N_{S}\right\}\).

(4) Finally, \(\mathcal{A}\) successfully calculates the session key \(S K=h\left(R N_{i}\left\|h\left(I D_{i} \| x\right)\right\| R N_{S}\right)\).

4.2.3 Key compromise user impersonation attack

If \(\mathcal{A}\) compromises the long-term secret key x of S, then \(\mathcal{A}\) is able to execute the following steps to impersonate U_i to S.

(1) \(\mathcal{A}\) firstly gets the login-message \(\left\{M I D_{i}, M_{i}, T_{i}\right\}\) of U_i. \(\mathcal{A}\) computes \(D_{x}\left(M I D_{i}\right)=\left(I D_{i} \| N\right)\). Afterwards, \(\mathcal{A}\) computes \(A_{i}^{*}=h\left(I D_{i} \| x\right)\).

(2) \(\mathcal{A}\) chossees a new legitimate timestamp T_i′. And then, \(\mathcal{A}\) selects a random element \(R N_{i}^{\prime}\) and figures out \(M_{i}^{\prime}=E_{A_{i}}\left(I D_{i}\left\|R N_{i}^{\prime}\right\| T_{i}^{\prime} \| M I D_{i}\right)\).

(3) \(\mathcal{A}\) transmits S the forged message \(\left\{M I D_{i}, M_{i}^{\prime}, T_{i}^{\prime}\right\}\).

(4) Upon \(\left\{M I D_{i}, M_{i}^{\prime}, T_{i}^{\prime}\right\}\) from \(\mathcal{A}\) is received, checks ′. If it is invalid, ends the session. Otherwise, S calculates \(\left(I D_{i} \|_{N}\right)=D_{x}\left(M I D_{i}\right)\) , \(A_{i}^{*}=h\left(I D_{i} \| x\right)\) and \(D_{A_{i}^{*}}\left(M_{i}\right)=\left(I D_{i}\left\|R N_{i}^{\prime}\right\| T_{i}^{\prime} \| M I D_{i}\right)\). Afterwards, S chooses two random numbers \(R N_{S}^{\prime}\), \(N^{N e w^{\prime}}\) . Subsequently, S computes \(M I D_{i}^{N e w}\)′ = \(E_{x}\left(I D_{i} \| N^{N e w \prime}\right)\) and \(M_{2}^{\prime}=E_{A_{i}^{*}}\left(M I D_{i}^{N e w^{\prime}}\left\|R N_{s}^{\prime}\right\| I D_{i} \| R N_{i}^{\prime}\right)\).

(5) S sends the challenge message { M₂′ } to \(\mathcal{A}\).

(6) After getting the challenge message from S, \(\mathcal{A}\) calculates \(D_{A_{i}^{*}}\left(M_{2}^{\prime}\right)=\left(M I D_{i}^{N e w^{\prime}}\left\|R N_{s}^{\prime}\right\| I D_{i} \| R N_{i}^{\prime}\right)\). Then, \(\mathcal{A}\) verifies the validity of \(I D_{i}\) and \(R N_{i}^{\prime}\). If these are invalid, \(\mathcal{A}\) ends this attack. Otherwise, \(\mathcal{A}\) continues to calculate \(M_{3}^{\prime}=h\left(R N_{s}^{\prime}\left\|M I D_{i}^{N e w^{\prime}}\right\| R N_{i}^{\prime}\right)\).

(7) \(\mathcal{A}\) forwards the response message { M₃′ } to S.

(8) On receiving the response message from \(\mathcal{A}\), S computes \(M_{3}^{*}=h\left(R N_{s}^{\prime} \| M I D_{i}^{N e w}\right.\|R N_{i}^{\prime}\). Afterwards, S verifies whether \(M_{3}^{*}=M_{3}^{\prime}\). If these are not equal, S terminates this session. Otherwise, S calculates the session key SK= ℎ(\(R N_{i}^{\prime}\left\|A_{i}^{*}\right\| R N_{S}^{\prime}\)) and believes that he has successfully established this session with the legimate user. Actually, \(\mathcal{A}\) is “the legimate user”.

To sum up, the adversary successfully impersonates the legitimate user to S. Therefore, Nikooghadam et al.’s protocol fails to withstand such attack.

5. The Improved Protocol

According to the above cryptanalysis on Nikooghadam et al.’s protocol, first, the information {\(B_{i}, r\)} in smart card and the symmetric encryption key \(A_{i}\) are used in the login request phase of their protocol, so that the attacker can perform off-line guessing. Second, their protocol does not employ public key cryptography, which is the key technology to preserve forward secrecy. Third, their protocol is incapable of resisting key-compromise-impersonation attack, because of lacking some secret number. However, the main aim of this part is to remove the weakness of Nikooghadam et al.’s protocol by using ECC and some tricks. And we present an improved lightweight authentication protocol using ECC. The improved protocol consists of four parts: initialization part, registration part, login and authentication part and password updating part. The registration part is depicted in Fig. 1. The login and authentication part is depicted in Fig. 2.

 

Fig. 1. Registration part of User U_i

5.1 Initialization part

S chooses an elliptic curve \(E_{p}(a, b)\) over F_p introduced in “Preliminaries”. Then S picks a random element x∈F_p and a hash function H(⋅). Subsequently, S calculates Q=xP . Lastly, S makes public the parameters { E, Q, H(⋅)} and preserves x as its long-term secret key.

5.2 Registration part

(1) User U_i chooses Id_i, Pw_i and a random element \(\gamma\) and calculates ℎ\(\left(I d_{i}\|r\| P w_{i}\right)\). Then, U_i trasmits S the registration request \(\left\{I d_{i}, h\left(I d_{i}\|r\| P w_{i}\right)\right\}\) secretly.

(2) S selects a random number T_i as the registration time of U_i. Afterwards, computs \(A_{i}=H\left(I d_{i}\|x\| T_{i}\right)\), \(B_{i}=A_{i} \oplus H\left(I d_{i}\|r\| P w_{i}\right)\). Subsequently, S picks a random element N and computes \(M I d_{i}=H\left(I d_{i} \| N\right) \oplus A_{i}\) . Lastly, S stores T_i in its database and distributes a new smart card \(S C=\left\{B_{i}, M I d_{i}, P, Q, E_{k}(\cdot) / D_{k}(\cdot), H(\cdot)\right\}\) to  U_i.

(3) On receiving SC, user U_i inserts \(\gamma\) into SC. Therefore, SC= \(\left\{r, B_{i}, M I d_{i}, P, Q, E_{k}(\cdot) / D_{k}(\cdot), H(\cdot)\right\}\).

5.3 Login & authentication part

(1) U_i inserts his smart card into card reader. Then U_i inputs Id_i, Pw_i . Subsequently, SC figures out \(A_{i}=B_{i} \oplus h\left(I d_{i}\|r\| P w_{i}\right)\) and picks a random element a.

Afterwards, calculates C₁ = aP, C₂ = aQ, M₀ = \(E_{C_{2}}\left(I d_{i}\left\|H\left(A_{i}\right)\right\| M I d_{i}\right)\) , M₁ = \(H\left(I d_{i}\left\|C_{2}\right\| A_{i} \| M I d_{i}\right)\), and transmits { C₁, M₀, M₁} to S via a public channel.  

 

Fig. 2. Login and authentication part

(2) On receiving { C₁, M₀, M₁} , S computes \(C_{2}^{*}=x C_{1}\) , \(\left(I d_{i}^{*}\left\|H\left(A_{i}^{*}\right)\right\| M I d_{i}^{*}\right)=D_{C_{2}^{*}}\left(M_{0}\right)\), \(A_{i}=H\left(I d_{i}^{*}\|x\| T_{i}\right)\) and verifies \(H\left(A_{i}^{*}\right)=? H\left(A_{i}\right)\). If these are not equal, S terminates the login request. Otherwise, S computes \(M_{1}^{*}=H\left(I d_{i}\left\|C_{2}\right\| A_{i} \|\right.\left.M I d_{i}\right)\) and checks \(M_{1}^{*}=? M_{1}\) . If these are not equal, S ends the next operation. Otherwise, S selects random numbers \(b, N^{\text {new }}\) and computes \(M I d_{i}^{n e w}=H\left(I d_{i} \|\right.\left.N^{\text {new }}\right) \oplus A_{i}\), \(C_{3}=\left(M I d_{i}^{n e w} \| b\right) \oplus H\left(A_{i} \| C_{2}\right)\) and \(M_{2}=H\left(I d_{i}\left\|M I d_{i}^{n e w}\right\| A_{i} \|\right.\left.C_{2}\left\|C_{3}\right\| b\right)\). Then, S sends { C₃, M₂} to U_i via a public channel.

(3) After receiving { C₃, M₂} , SC figures out \(\left(M I d_{i}^{n e w} \| b\right)=C_{3} \oplus H\left(A_{i} \| C_{2}\right)\) , \(M_{2}^{*}=H\left(I d_{i}\left\|M I d_{i}^{n e w}\right\| A_{i}\left\|C_{2}\right\| C_{3} \| b\right)\) and checks \(M_{2}^{*}=? M_{2}\) . If these are not equal, SC terminates this session. Otherwise, SC compute \(S K=H\left(I d_{i}\left\|C_{2}\right\| b \|\right.\left.A_{i} \| M I d_{i}^{n e w}\right)\), \(M_{3}=H\left(M I d_{i}^{n e w}\|S K\| I d_{i} \| A_{i}\right)\) and replaces \(M I d_{i}\) with \(M I d_{i}^{n e w}\). Finally, SC transmits M₃ to S via a public channel.

(4) Upon obtaining M₃ , S calculates the session key \(S K=H\left(I d_{i}\left\|C_{2}\right\| b\left\|A_{i}\right\|\right.\left.M I d_{i}^{n e w}\right)\), then computes \(M_{3}^{*}=H\left(M I d_{i}^{n e w}\|S K\| I d_{i} \| A_{i}\right)\) and checks \(M_{3}^{*}=? M_{3}\). If these are not equal, S ends this session. Otherwise, S accepts this session and the session key \(S K=H\left(I d_{i}\left\|C_{2}\right\| b\left\|A_{i}\right\| M I d_{i}^{n e w}\right)\).

5.4 Password updating part

After U_i and S have completed the authentication and the session key SK is established, U_i can renew his/her password at will. Firstly, U_i inputs his identity Id_i, old password Pw_i  and new password \(P w_{i}^{n e w}\). Then, SC computes

\(B_{i}^{n e w}=B_{i} \oplus H\left(I d_{i}\|r\| P w_{i}\right) \oplus H\left(I d_{i}\|r\| P w_{i}^{n e w}\right)\).

Finally, SC replaces B_i with \(B_{i}^{n e w}\).

Remark: To eliminate the shortcomings of Kumari et al.'s and Nikooghadam et al.’s protocols and provide better security, in our protocol, 1. we adopt a pattern that the smart card does not check the correctness of the login, but the correctness of the login is verified by the server; 2. according to [53], in order to obtain perfect forward secrecy, the improved protocol uses elliptic curve cryptography (ECC); 3. in order to resist key-compromise user impersonation attack, the server store a secret element T_i in its database which cannot be leak to the adversary.

6. Heuristic security analysis

6.1 Preserve user anonymity & un-traceability

We suppose that the adversary \(\mathcal{A}\) has stolen U_i’s smart card and has obtained all datum \(\left\{B_{i}, M I d_{i}, P, Q, E_{k}(\cdot) / D_{k}(\cdot), H(\cdot)\right\}\) . In the login process of U_i, \(\mathcal{A}\) eavesdrops all transmitted message { C₁, M₀, M₁, C₃, M₂, M₃}. Since, these parameters are either protected by hash function or is computed by elliptic curve discrete logarithm cryptography, \(\mathcal{A}\) is unable to derive the identity Id_i from them in polynomial time. Moreover, those transmitted message are variable in every time communication. Therefore, the presented protocol can provide user anonymity & un-traceability.

6.2 Resist privileged insider attack

During the registration phase, the user U_i sends \(\left\{I d_{i}, h\left(I d_{i}\|r\| P w_{i}\right)\right\}\) to S. The password Pw_i of U_i is protected by hash function and the secret element \(r\), so the inside adversary cannot get the plaintext password of U_i. Accordingly, the proposed scheme is immune to such attack.

6.3 Resist replay attack

In our proposed scheme, all transmitted message { C₁, M₀, M₁, C₃, M₂, M₃} in open channel are different for every communication. Once the adversary replays these message, the server or user can detect the problem. Therefore, it is impossible to perform the replay attack for the adversary in the improved protocol.

6.4 Resist stolen verifier attack

In our improved protocol, suppose that \(\mathcal{A}\) steals the verifier table stored in S, however, \(\mathcal{A}\) still cannot perform any attack. Thereupon, the improved protocol can resistance against stolen-verifier-attack.

6.5 Resist off-line password guessing attack

Suppose that \(\mathcal{A}\) gets all elements stored in SC_i of U_i. On one hand, \(\mathcal{A}\) is not able to guess the correct password Pw_i of U_i, since, there does not exist any verifying value in these parameters. On the other hand, if \(\mathcal{A}\) not only gets these parameters in smart card, but also intercepts the login request message { C₁, M₀, M₁}, then attempts to guess the password Pw_i of U_i. In the login request message, { M₀, M₁} be used as verifying values. Afterwards, \(\mathcal{A}\) can choose identity and password from dictionary space and computes \(A_{i}^{*}=B_{i} \oplus\left(I d_{i}^{*}\|r\| P w_{i}^{*}\right)\). However, if \(\mathcal{A}\) wants to calculate the corresponding verifier value { M₀, M₁}, he must know \(C_{2}=a Q=x C_{1}\), which is only known to the user and server. Accordingly, \(\mathcal{A}\) cannot guess the correct password of U_i by computing the corresponding verifying values. Therefore, our proposed protocol is resistant to off-line dictionary attack.

6.6 Resist key-compromise user impersonation attack

Suppose that if the long-term private element x has been leaked to \(\mathcal{A}\), and \(\mathcal{A}\) can impersonate the legal user to server, then it infers that the analyzed protocol is vulnerable to key compromise impersonation attack. In proposed protocol, to impersonate the legal user U_i, \(\mathcal{A}\) must be able to figure out the forged login request message. Since, the random number T_i of S hasn’t been leaked to \(\mathcal{A}\), it implies that \(\mathcal{A}\) cannot get the correct value of \(A_{i}=H\left(I d_{i}\|x\| T_{i}\right)\) . Thereupon, \(\mathcal{A}\) has no way to forge the legal value of M₁ = H( Id_i∥ C₂ ∥ A_i∥MId_i ) and M₃ = \(H\left(M I d_{i}^{n e w}\|S K\| I d_{i} \| A_{i}\right)\) . Thus, the proposed protocol is immune to key compromise user impersonation attack.

6.7 Resist server impersonation attack

If \(\mathcal{A}\) wants to masquerade as S, then \(\mathcal{A}\) must have to calculate a valid responding message { C₃, M₂} for U_i. In proposed protocol, firstly, \(\mathcal{A}\) captures the login request message { C₁, M₀, M₁} and extracts the information \(\left\{B_{i}, M I d_{i}, P, r, Q, E_{k}(\cdot) / D_{k}(\cdot), H(\cdot)\right\}\) in smart card. Then, \(\mathcal{A}\) selects two random numbers \(b^{\prime}, N^{n e w^{\prime}}\). To compute the valid message { C₃, M₂}, \(\mathcal{A}\) must know the value of { A_i, C₂} that can compute \(M I d_{i}^{n e w}\). However, \(\mathcal{A}\) is unable to create C₂ without the long-term private key x of S. Thus, \(\mathcal{A}\) cannot forge C₃ or even M₂. According to above discussion, it is inferred that the improved protocol can be protected against the server impersonation attack.

6.8 Provide mutual authentication

During the login & authentication part of the improved protocol, U_i is authenticated by S  by using the equations \(H\left(A_{i}^{*}\right)=? H\left(A_{i}\right) \text { and } M_{1}^{*}=? M_{1}\) . Subsequently, S by using the equation \(M_{2}^{*}=? M_{2}\). According to the previous analysis, our improved protocol is immune to impersonation attack. Therefore, S and U_i can carry out authentication smoothly. That is to say, the proposed protocol addresses the requirements of mutual authentication.

6.9 Provide perfect forward security

Suppose the adversary can intercept any message over public channels and extracts the data in smart card by side-channel attack. In proposed protocol, though \(\mathcal{A}\) knows password Pw_i  of U_i and the long-term private key x of S, \(\mathcal{A}\) still cannot calculate the session key \(S K=H\left(I d_{i}\left\|C_{2}\right\| b\left\|A_{i}\right\| M I d_{i}^{n e w}\right)\), because the key is protected by \(b, \quad N^{n e w}\) and A_i. Accordingly, the improved protocol can preserve perfect forward secrecy.

7. Security simulation of proposed protocol using AVISPA software

AVISPA [38] is a pushbutton software tool for the automated validation of internet security-sensitive protocols and applications, can simulate the formal security verification for the improved protocol. Here, we give the simulation of the improved protocol by using AVISPA tool that estimates whether our protocol is safe under the Dolev-Yao model [31]. Since AVISPA tool accepts High Level Protocol Specification Language (HLPSL), we firstly provide the HLPSL codes, which are provided in Figs. 3-5, for U_i , S, the session, goal and the environment, respectively. The analysis results of the proposed protocol are displayed in Figs. 6 and 7. From the simulation results of OFMC and CL-AtSe, it is inferred that that the proposed protocol is SAFE against active and passive attacks including replay and man-in-the-middle attacks under Dolev-Yao model.

8. BNA-Logic Proof of Proposed Protocol

Here, we give the security proof of the improved protocol using BAN-Logic [39]. We prove that U_i can establish a session initial key with S in the proposed protocol. First, some BAN-Logic notations are listed in Table 2. Second, some BAN-logic postulates are listed in Table 3, and the idealized form, security goals and initiative premises of the improved protocol are formally provided.

(1) The idealized form of the proposed protocol is given as follows:

• Message-1: \(U_{i} \rightarrow S: \quad C_{1},\left(I d_{i}, C_{2}, M I d_{i}\right)_{U_{i} \stackrel{A_{i}}{\leftrightarrow} S}\), \(\left(I d_{i}, M I d_{i}^{n e w}, U_{i} \stackrel{S K}{\leftrightarrow} S\right)_{U_{i} \stackrel{A_{i}}{\leftrightarrow} S} \)

• Message-2: \(S \rightarrow U_{i}: \quad_{U_{i} \stackrel{H\left(A_{i} \| C_{2}\right)}{\longrightarrow} S}\), \(\left(I d_{i}, M I d_{i}^{n e w}, C_{2}, C_{3}, b\right)_{U_{i} \stackrel{A_{i}}{\leftrightarrow} S}\)

(2) Security goals of the proposed protocol are presented as follows:

• Goal-1: \(U_{i}|\equiv S| \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\)

• Goal-2: \(U_{i} | \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\)

• Goal-3: \(S\left|\equiv U_{i}\right| \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\)

• Goal-4: \(S | \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\)

(3) Initiative premises of the improved protocol are presented as follows:

• I-1:  \(\left.U_{i}\right\rfloor \equiv \# a\)

• I-2: \(S | \equiv \# b\)

• I-3: \(U_{i} | \equiv \# M I d_{i}^{n e w}\)

• I-4: \(S | \equiv \# M I d_{i}^{n e w}\)

• I-5: \(U_{i} | \equiv U_{i} \stackrel{A_{i}}{\leftrightarrow} S\)

• I-6: \(S | \equiv U_{i} \stackrel{A_{i}}{\leftrightarrow} S\)  

• I-7: \(U_{i}|\equiv S| \Rightarrow U_{i} \stackrel{S K}{\leftrightarrow} S\)

• I-8: \(S\left|\equiv U_{i}\right| \Rightarrow U_{i} \stackrel{S K}{\leftrightarrow} S\)

(4) We conduct the BAN-Logic proof of the improved protocol as follows:

• P-1: According to Message-2, we have

\(\begin{equation} U_{i} \end{equation}\)⊲ \(\begin{equation} \left(I d_{i}, M I d_{i}^{n e w}, C_{2}, C_{3}, b\right) \end{equation}_{ U_{i} \stackrel{A_{i}}{\leftrightarrow} S}\).

• P-2: From P-1, I-5, and Message-meaning rule, we deduce

\(\begin{equation} U_{i}|\equiv S| \sim\left(I d_{i}, M I d_{i}^{n e w}, C_{2}, C_{3}, b\right) \end{equation}\).

• P-3: By P-2, I-1, I-2, I-3, and Freshness-conjuncatenation rule, we infer

\(\begin{equation} U_{i} | \equiv \#\left(I d_{i}, M I d_{i}^{n e w}, C_{2}, C_{3}, b\right) \end{equation}\).

• P-4: By P-3, P-2, and Nonce-verification fule, we deduce

\(\begin{equation} U_{i}|\equiv S| \equiv\left(I d_{i}, M I d_{i}^{n e w}, C_{2}, C_{3}, b\right) \end{equation}\).

• P-5: From P-4 and Believe rule, we obtain \(\begin{equation} U_{i}|\equiv S| \equiv U_{i} \stackrel{S K}{\leftrightarrow} S \end{equation}\) ----- Goal-1

 

Fig. 3. Role specification of user in HLPSL

• P-6: By I-7, P-5, and Jurisdiction rule, we get \(\begin{equation} U_{i} | \equiv U_{i} \stackrel{S K}{\leftrightarrow} S \end{equation}\) ----- Goal-2

• P-7: According to Message-1, we have \(\begin{equation} S \end{equation}\) ⊲ \(\begin{equation} \left(I d_{i}, M I d_{i}^{n e w}, U_{i} \stackrel{S K}{\leftarrow} S\right) \end{equation}_{ U_{i} \stackrel{A_{i}}{\leftrightarrow} S}\).  

 

Fig. 4. Role specification of server in HLPSL

 

• P-8: By P-7, I-5, and Message-meaning rule, we infer  \(\begin{equation} S\left|\equiv U_{i}\right| \sim\left(I d_{i}, M I d_{i}^{n e w}, U_{i}\stackrel{S K}{\leftrightarrow} S\right) \end{equation}\).

• P-9: From P-8, I-4, and Freshness-conjuncatenation rule, we have \(S | \#\left(I d_{i}, M I d_{i}^{n e w}, U_{i}\stackrel{S K} {\leftrightarrow} S\right)\).

 

Fig. 5. Roles for session, goal and environment in HLPSL.

• P-10: From P-8, P-9, and Nonce-verification fule, we deduce

\(S\left|\equiv U_{i}\right| \equiv\left(I d_{i}, M I d_{i}^{n e w}, U_{i}\stackrel{S K} {\leftrightarrow} S\right)\).

• P-11: By P-10 and Believe rule, we get \(S\left|\equiv U_{i}\right| \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\) ----- Goal-3

• P-12: From P-11, I-8, and Jurisdiction rule, we infer \(S | \equiv U_{i} \stackrel{S K}{\leftrightarrow} S\) ----- Goal-4

In summary, since Goals-1-2-3-4 are addressed, U_i and S are convinced that the session key is shared successfully between them.

 

Fig. 6. The experiment result using OFMC.

 

Fig. 7. The experiment result using CL-AtSe.

Table 2. BAN-Logic notations

 

Table 3. BAN-Logic rules

 

9. Performance Analysis of improved Protocol with Related Literatures

In this part, we compare the performance of the improved protocol with some related protocols [26-30, 40-44, 54] in terms of computational cost and security performance. Usually, we neglect the lightweight operations such as exclusive-OR and string concatenation. However, the following cryptographic operations are considered: Tℎ: the time for executing a hash operation, Ts : the time for performing symmetric key encryption/decryption, Tmm: an 160-bit modular multiplication, Tme: the computational time for an elliptic curve point multiplication, Tae: the computational cost for an elliptic curve point addition computation, Te: the computational time for an 1024-bit modular exponentiation. According to the experimental results of [45,46], Tℎ, Ts, Tmm, Tme, Tae and Te approximately take 0.0023 , 0.0046 , 0.001855 , 2.226 , 0.0288ms, 3.85 , respectively.

Table 4. The computational cost in login-authentication phase

 

From Table 4, since the protocols of Chang et al.[26], Kumari et al. [28], Chaudhry et al. [29], Nikooghadam et al. [30], Chou et al. [40], Wen et al. [41] only use hash function and symmetric key cryptographic operations, the computational cost is quite small not exceeding 0.05ms . In order to make the authentication protocol more secure, Wang et al. [27], Chen et al. [42], Mishra et al. [43], Qu et al. [44] and Chaudhry et al.[54] use public key cryptographic, such as: ECC, RSA and discrete logarithms on a general group. The computational cost of login-authentication phase in the protocols of Wang et al. [27], Chen et al. [42], Mishra et al. [43], Qu et al. [44] and Chaudhry et al.[54] are approximately 23.1322ms , 15.4217ms , 15.4253ms , 8.9684ms and 13.417ms respectively. While the computational cost of the proposed protocol is approximately only 6.7217ms . Therefore, it illustrates that the improved protocol is more efficient than [27,42-44] under the advantage of public key cryptography.

From Table 5, we observe that Chang et al.[26], Kumari et al. [28], Chaudhry et al. [29], Nikooghadam et al. [30], Chou et al. [40], Wen et al. [41]’s protocols are unable to provide perfect forward secrecy because of only using hash function and symmetric key cryptographic operations in their protocols. Among comparative literature, only our, Chaudhry et al. [29] and Mishra et al. [43]’s protocols can resist key-compromise impersonation attack. To summarize, all these compared literatures are more or less vulnerable to certain security vulnerabilities, except our and Mishra et al.’s protocol. According to Table 4, Mishra et al.’s protocol requires about 15.4253ms in login-authentication phase, while the proposed protocol executes only in 6.7217ms . These illustrate that the improved protocol has better performance than the compared protocols.

Table 5. Comparison of security features

 

F1: Preserve user anonymity & un-traceability, F2: Resist privileged-insider attack, F3: Resist replay attack, F4: Resist stolen verifier attack, F5: Resist off-line password guessing attack, F6: Resist (key-compromise) user impersonation attack, F7: Resist server impersonation attack, F8: Provide mutual authentication, F9: Provide perfect forward security. N/A: means the evaluation indicator is not considered.

10. Conclusion

In this paper, we proved that Kumari et al.’s protocol [28] is vulnerable to key-compromise impersonation attack and cannot provide perfect forward secrecy, while Nikooghadam et al.’s protocol [30] is vulnerable to key compromise impersonation attack, off-line password-guessing attack, and unable to provide perfect forward secrecy. In order to remedy these limitations, we design a new authentication and key agreement protocol based on Nikooghadam et al.’s protocol. By heuristic analysis, AVISPA software simulation and BAN-logic proof, we proved that the improved protocol is more secure than those relevant protocols. By comparison of computational cost, the improved protocol is also more efficient than comparative works under the category of public key cryptography. Therefore, through a comprehensive analysis and evaluation, it is inferred that the proposed protocol is more practical for real application scenarios because of its more secure and efficient features. In our future research, we will focus on exploring the more lightweight public key cryptography to design a practical authentication scheme. Moreover, according to [55-58], we will further explore the application of some cryptographic methods applied to image compression and digital watermarking.