Keywords

1 Introduction

User authentication scheme is essential for implementing the secure communication because it can provide mutual authentication. Two-factor authentication protocols are widely used to ensure secure communication between the remote client and the server. It is a critical task to design a secure and robust two-factor authentication protocols. To ensure the security of client-server communication in single server environment, many authentication protocols using RSA cryptosystem [1,2,3], hash function [1, 4, 5], chaotic map [6, 7] and elliptic curve [8] have been proposed. However, most of these protocols cannot be used in multi-server environments. To address the issue, many authentication protocols for multiple server environments have been designed. The multi-server communications contain three entities: the registration center, the users and multiple application-servers. All the users and application-servers must register themselves to the registration center. The responsibility of application-servers is to provide remote services for the users.

One of the most important aspects in authentication protocol is user anonymity [9, 10]. The adversary shouldn’t obtain user’s identity in many application areas such as wireless sensor network [11], medical system and banking, where the adversary cannot guess or extract user’s identity in the phase of login and authentication.

1.1 Related Work

To achieve strong security as well as lower complexities, the researchers have designed a lot of authentication protocols for multiple servers environments. Liao et al. [12] designed a authentication protocol for multi-server environments. Unfortunately, Hsiang et al. [13] showed that Liao et al.’s protocol cannot withstand several common attacks, and then they improved the identified weaknesses. However, Lee et al. [14] demonstrated that Hsiang et al.’s scheme also have some security issues. To solve these problems, they designed an efficient and enhanced authentication protocol. Unfortunately, Troung et al. [15] demonstrated that their scheme cannot withstand user impersonation and smart-card stolen attacks. To overcome these problems, they designed a secure authentication protocol in [15]. Further, Sood et al. [16] demonstrated that Hsiang et al.’s protocol [13] had different security weaknesses and put forwarded a new authentication protocol. Subsequently, Li et al. [17] showed that Sood et al.’s protocol cannot resist smart-card stolen attack and proposed a new protocol.

Recently, Pippal et al. [18] put forward a new user authentication protocol and claimed that their protocol could resist known attacks. However, He et al. [19] showed that their protocol cannot withstand impersonation attacks. In 2015, Giri et al. [2] put forward a secure protocol based on RSA and showed that their protocol could resist known attacks. Unfortunately, Amin and Biswas [1] pointed out that Giri et al.’s protocol could not against several security attacks, and then they devised a new protocol. However, Arshad et al. [20] demonstrated that [1] was not secure and proposed a new RSA-based authentication protocol.

1.2 Our Contributions

We put forward a secure and efficient two-factor authentication protocol based on RSA signature. Our major contributions are summarized as follows:

  • Firstly, we analyse Amin et al.’s scheme [21] and prove it cannot withstand the common modulus attack.

  • Secondly, we put forward a secure and efficient two-factor authentication protocol using RSA signature for multi-server environment. The new scheme can resist against various attacks.

  • Finally, we analyse the security of our scheme and demonstrate that it is provably secure. Moreover, the performance analysis shows that our scheme is better in terms of communication overheads and computation.

1.3 Organization of the Article

The organization of this paper are described as follows: Sect. 2 analyzes the security problems of [21] and then a secure and efficient two-factor authentication protocol using RSA signature for multi-server environments are proposed in Sect. 3. Section 4 elaborates the security of the new scheme briefly. Furthermore, the comparison with some relevant protocols for efficiency and security are presented Sect. 5. Finally, we draw a conclusion.

2 Security Analysis of Amin et al.’s Scheme

In this section, we analyze the security of [21]. From our analysis, their scheme is insecure against common modulus attack. We present a list of symbols used throughout this article in Table 1. The details are described as follows:

Table 1. Notations
Full size table

Any of the application server can extract a public key \( e_{j2} \) and it’s public/private key pair \( \left( e_{j1}, d_{j1} \right) \). All the application servers share the public modulu \( \phi \left( n \right) \), where \( n = p *q \), \( \phi \left( n \right) = \left( p-1 \right) \left( q-1 \right) \). It can computes \( e_{j1}d_{j1}\equiv 1\) mod \(\phi \left( n \right) \), \( e_{j1}d_{j1} - 1 = k \phi \left( n \right) \), \( \phi \left( n \right) \mid e_{j1}d_{j1} - 1 \). It can computes \( \left( e_{j1}d_{j1} - 1,e_{j2} \right) = s \) using euclidean algorithm. If \( s = 1 \), there exist some fg such that \( f\left( e_{j1}d_{j1} - 1 \right) + ge_{j2} = 1 \). So the value of g is the private key corresponding to \( e_{j2} \). If \( s\ne 1 \), suppose that \( t = e_{j1}d_{j1} - 1 / s \), \( \left( e_{j1}d_{j1} - 1 / s, e_{j2} \right) = 1 \). There exist some fg such that \( ft + ge_{j2} = 1 \) using extended euclidean algorithm. Therefore, \( ge_{j2} \equiv 1\) mod \(\phi \left( n \right) \), the value of g is the private key corresponding to \( e_{j2} \).

Suppose that the adversary dispatches the same message m whose encryption exponents respectively are \(e_{j1} \) and \(e_{j2} \). Suppose further that \( gcd\left( e_{j1}, e_{j2} \right) = 1 \), it can computes \( c_{1} = m^{e_{j1}} \) mod n, \( c_{2} = m^{e_{j2}} \) mod n. There exist some rs such that \(re_{j1} + se_{j2} = 1 \), \( m = m^{re_{j1} + se_{j2}} = \left( m^{e_{j1}} \right) ^{r}\left( m^{e_{j2}} \right) ^{s} = c_{1}^{r}c_{2}^{s} \) mod n. Therefore, the adversary can get the value of m using \( c_{1}, c_{2}, r, s \).

3 Proposed Protocol

We put forward a secure authentication system for multi-server environment which can withstand the above mentioned security issues. Our scheme consists of three phases: application-server registration phase, user registration phase, verification phase.

3.1 Application-Server Registration Phase

  • \( AS_{j} \) selects two large prime numbers p, q, and computes \( n_{j} = p_{j} \times q_{j} \), \( \phi \left( n_{j} \right) =\left( p_{j}-1 \right) \left( q_{j}-1 \right) \).

  • \( AS_{j} \) chooses a public key \( e_{j} \) \( \left( 1<e_{j}<\phi \left( n_{j} \right) \right) \), where \( gcd\left( \phi \left( n_{j} \right) , e_{j}\right) = 1 \). Then, it computes it’s private key \( d_{j} \equiv e_{j}^{-1} \) mod \(\phi \left( n_{j} \right) \).

  • Finally, \( AS_{j} \) chooses his/her identity \( ID_{j} \) and sends \( \left\langle e_{j}, n_{j}, ID_{j} \right\rangle \) to RC securely.

  • RC computes \( Cer_{j} = h\left( e_{j} \left| \right| ID_{j}\left| \right| n_{j} \right) ^{d} \) and sends \( Cer_{j} \) to \( AS_{j} \).

3.2 User Registration Phase

  • \( U_{i} \) chooses his/her identity \(ID_{i} \) and sends it to RC.

  • After receiving \( \left\langle ID_{i} \right\rangle \), RC computes \( d_{i} = h\left( ID_{i} \right) ^{d} \) mod \( n_{j} \).

  • RC sends \( d_{i} \) to \( U_{i} \) securely.

3.3 Authentication Phase

  • \( U_{i} \) randomly selects a number \( T_{i} \), then it sends \( T_{i} \) to \( AS_{j} \).

  • After receiving \( T_{i} \), \( AS_{j} \) computes \( A_{j} = h\left( T_{i} \right) ^{d_{j}} \). Then, it sends \( \left\langle e_{j}, n_{j},\right. \left. Cer_{j}, A_{j} \right\rangle \) to \( U_{i} \).

  • Upon receiving the message, \( U_{i} \) checks whether \( Cer_{j}^{e} \) mod \( n_{j} = h\left( ID_{j}\right. \left. \left| \right| e_{j}\left| \right| n_{j} \right) \) and \( A_{j}^{e_{j}} = h\left( T_{i} \right) \). If holds, \( U_{i} \) authenticates \( AS_{j} \).

  • \( U_{i} \) chooses three random number \( a_{i}, r, m \) and computes \( PID_{i} = \left( ID_{i} \oplus a_{i} \left| \right| a_{i} \right) ^{e_{j}} \) mod \( n_{j} \), \( R_{i} = h\left( PID_{i} \right) ^{r} \) mod \( n_{j} \), \( x = h\left( m, R_{i} \right) \) and \(S_{i} = d_{i}^{r-x} \). Then, \( U_{i} \) sends \( \left\langle PID_{i}, R_{i}, S_{i}, x \right\rangle \) to \( AS_{j} \).

  • After receiving the message, \( AS_{j} \) computes \( S_{i}^{e_{j}} = h\left( ID_{i} \right) ^{r-x} \), \( PID_{i}^{d_{j}} \) mod \( n_{j} = ID_{i} \oplus a_{i} \left| \right| a_{i} \), \( ID_{i}^{'} = ID_{i} \oplus a_{i} \left| \right| a_{i} \). Then, it checks whether \( S_{i}^{e_{j}}h\left( ID_{i}^{'} \right) ^{x} = R_{i} \). If holds, \( AS_{j} \) authenticates \( U_{i} \).

4 Security Analysis

4.1 Security Proof

In this subsection, according to the formal security model described as [22], we show our protocol is secure as follows.

Theorem 1

If has advantage \( Adv_{P}^{ake}\left( A \right) \) against our scheme running in time \( q_{send} \) Send queries, \( q_{exe} \) Execute queries and \( q_{h} \) Hash queries. Define the security length l and the password space |D|. Then, we can attain: \( Adv_{P}^{ake} \le \frac{q_{h}^{2}}{2^{l-1}} + \frac{\left( q_{send}+q_{exe} \right) ^{2} }{p} + 2q_{h}\cdot Adv_{G}^{DLP}\left( t \right) + \frac{q_{send}}{2^{l-2}} + \frac{2q_{send}}{|D|} \), where \( Adv_{G}^{DLP}\left( t \right) \) denote the probabilistic polynomial time t to breach DLP problem.

Proof: C obtains \( \left( y, g, n \right) \) and intends to compute x satisfying \( g^{x} = y \) mod n using the PPT turingmachine A. C utilizes the hash function as a random oracle and maintains an empty \( H-list \). We define \( G_{i} \) as the sequence of games and \( Suc_{i} \) as A gets b successfully.

Game \( G_{0}\): This game corresponds to the real attack, we have \( Adv_{P}^{ake}\left( A \right) = 2Pr[Suc_{0}] - 1 \).

Game \( G_{1}\): In this game, we imitate the hash oracles \( h\left( \cdot \right) \) by maintaining hash list \( L_{h} \) and the Execute, Reveal, Send, Corrupt and Test oracles are simulated as real attacks (see Figs. 1 and 2). Therefore, we have \(Pr[Suc_{1}] = Pr[Suc_{0}] \).

Game \( G_{2}\): In this game, we imitate all oracles as previous games, except that we will halt all executions under the condition: A collision occurs in the transcript \( \left\langle e_{j}, n_{j}, Cer_{j}, A_{j} \right\rangle \), \( \left\langle PID_{i}, R_{i}, S_{i}, x \right\rangle \). According to the birthday paradox, the probability of the hash oracle collisions is \( \frac{q_{h}^{2}}{2^{l+1}} \). The probability of the transcripts colisions is \( \frac{\left( q_{send}+q_{exe} \right) ^{2} }{2p} \).

Fig. 1.
figure 1

Simulation of Send query.

Full size image
Fig. 2.
figure 2

Simulation of Execute, Reveal, Test query.

Full size image

Game \( G_{3}\): In this game, we simulate all oracles as previous games, except that we will cancel all executions where in the adversary guess the authentication parameters \( A_{j} \) and \( R_{i} \) without making hash query. Therefore, we have \( Pr\left[ Suc_{3}\right] - Pr \left[ Suc_{2} \right] \le \frac{q_{send}}{2^{l}}\).

Game \( G_{4}\): In this game, we imitate all oracles under the condition that the adversary guess the parameter \( h\left( T_{i} \right) \) successfully without making the related queries. We define \( k = h\left( T_{i} \right) \) to imitate this game.

  • \( AS_{j}\): Search for \( (*,k) \) in \( L_{h} \). This game will be terminated if the information does not exist. Otherwise, compute \( A_{j} = k^{d_{j}} \).

  • \( U_{i}\): Computes \( A_{j}^{e_{j}} \) and checks whether \( A_{j}^{e_{j}} = h\left( T_{i} \right) \). If holds, \( U_{i} \) search for \( \left\langle e_{j}, n_{j}, Cer_{j}, A_{j} \right\rangle \) in the send list.

If A guess the parameter k successfully without making hash quries, this game will succeed. Therefore, we have \( Pr\left[ Suc_{3}\right] - Pr \left[ Suc_{2} \right] \le \frac{q_{send}}{2^{l}} \).

Game \( G_{5}\): We design this game to imitate Discrete logarithm problem. The security of our protocol depends on the Discrete logarithm problem solely: \( R_{i} = h\left( PID_{i} \right) ^{r} \) mod \( n^{j} \).

  • \( U_{i}\): Chooses two random numbers \( a_{i} \) and r. Then calculates: \( PID_{i} = \left( ID_{i} \oplus a_{i} \left| \right| a_{i} \right) ^{e_{j}} \) mod \( n_{j} \), \( S_{i} = d_{i}^{r-x} \). Finally, stores \( \left\{ S_{i}, x \right\} \) into hash list.

  • \( AS_{j}\): Calculates \( S_{i}^{e_{j}} = h\left( ID_{i} \right) ^{r-x} \), \( PID_{i}^{d_{j}} \) mod \( n_{j} = ID_{i} \oplus a_{i} \left| \right| a_{i} \), \( ID_{i}^{'} = ID_{i} \oplus a_{i} \left| \right| a_{i} \). Then stores \( \left\{ S_{i}^{e_{j}}, h\left( ID_{i} \right) ^{x} \right\} \) into hash list.

This game is different from previous games where in the adversary quries \( h\left( \cdot \right) \) on \( g^{x} = y \) mod n. We can obtain DLP secret with \( \frac{1}{q_{h}} \). Hence, we have \( Pr \left[ Suc_{5} \right] - Pr \left[ Suc_{4} \right] \le q_{h}\cdot Adv_{G}^{DLP}\left( t \right) \).

Game \( G_{6}\): In this game, we simulate all oracles as in game \( G_{5} \), except that we will abort the Test query in which A asks a \( h\left( \cdot \right) \) for \( g^{x} = y \) mod n. The probability that A gets the session key is \( \frac{q_{h}^{2}}{2^{l+1}} \). Therefore, we have \( Pr\left[ Suc_{5}\right] - Pr\left[ Suc_{4}\right] \le \frac{q_{h}^{2}}{2^{l+1}} \).

In addition, the probability of off-line dictionary attacks is \( \frac{q_{send}}{|D|} \). Therefore, we can get the conclusion showed in the beginning of this subsection.

4.2 Other Discussions

This subsection shows our scheme is able to withstand various attacks.

  • User impersonation attack: To impersonate as a legal \( U_{i} \), A has to compute a valid message \( \left\langle PID_{i}, R_{i}, S_{i}, x \right\rangle \) during authentication phase, where \( PID_{i} = \left( ID_{i} \oplus a_{i} \left| \right| a_{i} \right) \) mod \( n_{j} \), \( R_{i} = h\left( PID_{i} \right) ^{r} \) mod \( n_{j} \), \( x = h\left( m, R_{i} \right) \) and \(S_{i} = d_{i}^{r-x} \). However, it is infeasible to compute \( PID_{i} \) and \( R_{i} \) without knowing the random number \( a_{i} \) and r. Therefore, our proposed scheme can withstand user impersonation attack.

  • Server impersonation attack: To impersonate as a legal application-server, A has to compute the message \( \left\langle e_{j}, n_{j}, Cer_{j}, A_{j} \right\rangle \), which is to be authenticated by \( U_{i} \), where \( A_{j} = h\left( T_{i} \right) ^{d_{j}} \) and \( Cer_{j} = h\left( e_{j}\left| \right| ID_{j}\left| \right| n_{j} \right) ^{d} \). However, it is infeasible to compute \( A_{j} \) and \( Cer_{j} \) without knowing the private key d of RC. Therefore, our proposed scheme can withstand server impersonation attack.

  • User anonymity: Our proposed scheme can provide anonymity of users. Taking the situation where an adversary can get the message \( d_{i} \), where \( d_{i} = h\left( ID_{i} \right) ^{d} \) mod \( n_{j} \). However, d cannot be known by the adversary. The adversary may also eavesdrop the information \( \left\langle PID_{i}, R_{i}, S_{i}, x \right\rangle \), where \( PID_{i} \) are related to the user’s identity and \( PID_{i} = \left( ID_{i} \oplus a_{i} \left| \right| a_{i} \right) ^{d_{j}} \). As the random \( a_{i} \) cannot be known by the adversary, it is impossible to get the user’s identity from \( PID_{i} \). Therefore, our proposed scheme can provide anonymity of users.

  • Common modulus attacks: In our proposed scheme, the public key and private key of \( AS_{j} \) are generated by the server itself. \( AS_{j} \) computes \( n_{j} = p_{j} \times q_{j} \), \( \phi \left( n_{j} \right) =\left( p_{j}-1 \right) \left( q_{j}-1 \right) \). The modulu of \( n_{j} \) is not same in every application server and the application servers does not share the public modulu. Therefore, our proposed scheme can withstand Common modulus attack.

  • Mutual authentication: In our proposed scheme, \( AS_{j} \) and \( U_{i} \) authenticate each other. \( U_{i} \) authenticates \( AS_{j} \) by checking whether \( Cer_{j}^{e} \) mod \( n_{j} = h\left( ID_{j}\left| \right| e_{j}\left| \right| n_{j} \right) \) and \( A_{j}^{e_{j}} = h\left( T_{i} \right) \). A needs to get \( T_{i} \) to reconstruct \( A_{j} \), however, only a legal \( AS_{j} \) owns the value. \( AS_{j} \) authenticates \( U_{i} \) by checking whether \( S_{i}^{e_{j}}h\left( ID_{i}^{'} \right) ^{x} = R_{i} \). A needs to compute \( PID_{i} \) and r to reconstruct \( R_{i} \), however, only a legal \( U_{i} \) can compute those values. Therefore, \( U_{i} \) and \( AS_{j} \) mutually authenticate and our proposed scheme can provide proper mutual authentication.

  • Smart-card stolen attack: An adversary A can extract the information of smart-card by means of power consumption monitoring technique. Suppose that A obtains the smart card of \( U_{i} \) and extracts the information \( \left\langle d_{i} \right\rangle \), where \( d_{i} = h\left( ID_{i} \right) ^{d_{j}} \) mod \( n_{j} \). From the value, A cannot compute any useful information, because the value is safeguarded with a one-way hash function. Further, A cannot obtain the value of \( d_{j} \). Therefore, our proposed scheme can withstand smart card stolen attacks.

5 Performance Analysis

In this section, we compare the proposed scheme with recent authentication schemes [18, 21, 23,24,25] proposed in terms of security and performance (as shown in Table 2). We use some time complexities to evaluate the computational cost. \( T_{h} \) denotes the cost time for one-way hash operation. \( T_{sym} \) denotes the execution time for symmetric key encryption/decryption operation. \( T_{e} \) denotes the running time for exponentiation operation. \( T_{m} \) denotes the execution time for modular multiplication operation.

Table 2. Comparison of security
Full size table

We have implemented various cryptographic operations with the MIRACL C/C++ Library [26] on a personal computer with 4G bytes memory and the Windows 7 operating system. It requires Visual C++ 2008, 1024-bit cyclic group, AES for symmetric encryption/decryption, 160-bit prime field \( F_{p} \) and SHA-1 operation. The execution time of these different operations are: 0.0004 ms, 0.1303 ms, 0.0147 ms and 1.8269 ms.

In Table 1, we find that our proposed scheme can withstand known attacks, such as user anonymity, common modulus attacks, mutual authentication, Server impersonation attack. In Tables 3 and 4, we find that computational cost time of our proposed scheme is lower than the schemes in [18, 23] and nearly equal with the schemes in [21, 24, 25].

Table 3. Comparison of computation cost at the user side and the server side
Full size table
Table 4. Comparison of execution time at the user side and the server side
Full size table

6 Conclusion

In this paper, we cryptanalyzed Amin et al.’s scheme, and found that their protocol is susceptible to common modulus attack. Then We present a secure and efficient two-factor authentication protocol using RSA signature for multi-server environments. We prove informally that our protocol can withstand different cryptographic attacks. In the proposed scheme, we employ RSA signature to implement the authentication scheme. Our proposed scheme is suitable for deployment in various low-power smart cards, and in particular for the mobile computing networks.