Introduction

The multi-server environment arose as a result of the rapid increase in internet users and Internet of Things (IoT) devices. A multi-server environment is a type of server infrastructure that uses multiple physical servers to give consumers access to numerous services and applications. The key benefit of a multi-server system is that it can provide a higher level of availability, reliability, and security than a single-server environment. Additionally, because the load can be distributed across numerous servers, a multi-server architecture can provide higher performance than a single-server environment. However, secure and efficient communication between the involved parties has become more vital in multi-server environments, especially in areas such as e-commerce and distributed storage systems.

Many security requirements must be met in multi-server environments, such as mutual authentication between the user and the server, user anonymity, user un-traceability, and forward secrecy. Moreover, many types of attacks must be resisted in a multi-server environment, such as the impersonation attack, replay attack, insider attack, stolen card attack, man-in-the-middle attack, and known session specific temporary information attack. To communicate securely and efficiently over an insecure network, a shared session key must first be negotiated and agreed between the involved parties. The only remedy for such negotiations is to use authentication-and-key-agreement protocols. The first password authentication over insecure communication was proposed by Lamport [1] as the simplest and most practical method for authenticating a user to remote servers. However, Lamport’s scheme [1] cannot resist the insider attack once the password file stored on the server is compromised. To overcome this limitation, many two-factor authentication schemes based on smart cards, in which important secret parameters are stored, have been proposed [2,3,4]. The main drawback of two-factor authentication schemes is the power analysis attack on a stolen smart card, which may expose the scheme to offline password guessing attacks. As a result, research has shifted to three-factor authentication techniques based on biometrics [5,6,7].

Elliptic Curve Cryptography (ECC) has been employed in two-factor and three-factor authentication protocols [8,9,10,11] in order to benefit from the ECC property of achieving high security with small key sizes [12]. Some multi-server authentication protocols involve the registration center not only in the registration phase but also in the authentication phase between user and server, in order to reduce the computation load on the user and so accommodate the user’s limited resources [10, 13, 14]. However, involving the registration center in the authentication phase as well overloads the registration center and delays its responses.

Motivation

The rapid increase of internet users and IoT devices has focused current research on multi-server environments, in which authentication and key agreement are the main goals for securely offering several services and applications. Numerous existing schemes provide authentication and key agreement in multi-server environments using different methods such as password-based authentication [1], smart card-based authentication [4, 15, 16], three-factor authentication [6, 7, 13], dynamic ID-based authentication [17, 18], and ECC-based authentication [9, 12]. However, most of the existing schemes cannot achieve some security services, such as mutual authentication and user un-traceability, and cannot resist different types of attacks. On the other hand, the schemes that do succeed in providing secure communication do so at the expense of high computation cost and communication overhead. Motivated by the existing studies and the need for secure multi-server environments, a lightweight authenticated key agreement scheme with a small number of short messages is imperatively needed to resist security threats, reduce communication overhead, and meet the limitations of devices with low computation capabilities.

Contributions

We summarize our significant and key contributions in the field of multi-server environments as follows:

  • Firstly, a multi-server environment is considered, and then the Elliptic Curve Cryptography is employed to design the proposed Anonymous Mutual Authentication and Key Agreement Scheme (AMAKAS) for securing multi-server environments.

  • The proposed AMAKAS scheme guarantees the security requirements of multi-server environments and withstands various types of attacks in multi-server environments.

  • The proposed AMAKAS scheme enables users to mutually authenticate with servers without involving the registration center in the authentication phase.

  • The proposed AMAKAS scheme outperforms the related schemes in performance.

Road map of the paper

The remainder of the paper is structured as follows: In the “Related work” section, related work is reviewed; the “System model and threat model” section describes the system model and the threat model, while the “The proposed AMAKAS scheme” section introduces the proposed anonymous mutual authentication and key agreement scheme. The “Security analysis” section presents a security analysis of the proposed scheme. The security and performance comparison with other related schemes is demonstrated in the “Security and performance comparisons” section. Finally, the paper is concluded in the “Conclusion” section.

Related work

In 2016, Chang et al. proposed a scheme based on smart card and biometrics [15]; this scheme can resist offline password guessing and stolen card attacks, but it could not resist the user impersonation attack. In 2017, Quan et al. proposed a biometrics-based scheme [16] to overcome the shortcoming of Chang et al.’s scheme [15] and resist the impersonation attack. In the same year, Jangirala et al. proposed a remote user authentication scheme based on dynamic ID using smart cards [17], in which the user is free to choose his login credentials; however, Sahoo et al. [18] proved that Jangirala et al.’s scheme [17] failed to attain mutual authentication as claimed and failed to resist user impersonation, forgery, and replay attacks. Additionally, Sahoo et al. [18] proposed an improved two-factor dynamic ID-based scheme to overcome the shortcoming of Jangirala et al. [17]; however, Sudhakar et al. [19] analyzed Sahoo et al.’s scheme [18] and proved that it still cannot resist replay and user impersonation attacks. Shunmuganathan [20] proposed a lightweight two-factor scheme to overcome the drawbacks of Sahoo et al. [18], but as a result it failed to achieve user anonymity or user un-traceability. Moreover, Shunmuganathan’s scheme [20] has high computation at the server and the registration center.

Kuo-Hui Yeh proposed a novel multi-server-based authentication scheme [21]; however, Truong et al. [22] proved that Yeh’s scheme [21] failed to achieve mutual authentication and session-key agreement. Hence, Truong et al. [22] proposed an improved ECC-based scheme to overcome the shortcoming of Yeh’s scheme [21]. However, Yan et al. [23] observed that Truong et al.’s scheme [22] could not resist the impersonation attack. Hence, Yan et al. [23] proposed a scheme to overcome the shortcoming of Truong et al.’s scheme [22]. However, Yan et al.’s scheme [23] still cannot achieve user anonymity and needs synchronized nodes to resist the replay attack. Additionally, Yan et al.’s scheme [23] cannot resist the man-in-the-middle attack and the known session specific temporary information attack.

In 2020, Akram et al. [24] proposed a three-factor ECC-based authentication scheme that achieves mutual authentication and user anonymity and resists replay, impersonation, and password guessing attacks. However, Akram et al.’s scheme [24] has a very high computational time due to its use of the ECC multiplicative inverse. In 2021, Amintoosi et al. [25] proposed an ECC-based three-factor authentication scheme that is capable of achieving mutual authentication, user anonymity, and forward secrecy, but it could not achieve user un-traceability and could not resist the server impersonation attack. Wang et al. [26] proposed a biometric-based multi-server authentication scheme using an elliptic curve cryptosystem; however, Wu et al. [27] demonstrated that Wang et al.’s scheme [26] cannot resist user impersonation attacks, server impersonation attacks, and known session-specific temporary information attacks. Both schemes [26, 27] suffer from high computation on the registration center side, as the registration center is involved in the authentication phase.

In 2022, Truong et al. proposed a three-factor authentication scheme [28] in which the registration center is a party in the authentication phase, to reduce the computation at the user side where the user’s resources are limited compared to the registration center. Truong et al.’s scheme [28] achieves mutual authentication and user anonymity, and also resists user and server impersonation attacks, the replay attack, the man-in-the-middle attack, and the known session specific temporary information attack. However, Truong et al.’s scheme [28] fails to achieve user un-traceability and suffers from a high computation load on the registration center side.

Guo et al. proposed a biometric-based authentication scheme using public key encryption [29]; however, Chen et al. [30] demonstrated that Guo et al.’s scheme [29] cannot resist the user impersonation attack and the replay attack. Additionally, Chen et al. [30] proposed a three-factor authentication scheme to overcome the drawbacks of Guo et al.’s scheme [29], but Chen et al.’s scheme [30] fails to resist the server impersonation attack; moreover, it needs synchronized nodes to resist the replay attack because it uses timestamps.

Bae et al. [31] proposed a smart card-based authentication protocol to protect multi-server IoT environments from potential security vulnerabilities; Agarwal et al. [32] demonstrated that Bae et al.’s scheme [31] cannot resist the user impersonation attack, replay attack, and insider attack. Additionally, Agarwal et al. [32] proposed a three-factor authentication scheme to overcome the drawbacks of Bae et al.’s scheme [31]; however, Agarwal et al.’s scheme [32] suffers from high computation at the server and the registration center as well.

Cho et al. [33] proposed an ECC three-factor authentication scheme to overcome the drawbacks of Sudhakar et al.’s scheme [19], but Cho et al.’s scheme [33] needs synchronized nodes to resist the replay attack. Khan et al. [34] proposed an ECC three-factor authentication scheme for cloud servers, but it fails to achieve user un-traceability and cannot resist the replay attack.

In 2023, Yao et al. proposed an authentication and key agreement scheme for edge computing in vehicular ad hoc networks (VANETs) [35] based on a bilinear map. It achieves mutual authentication, user anonymity, user un-traceability, and forward secrecy. However, Yao et al.’s scheme [35] suffers from high computational time due to employing the bilinear map. Also, the LAMAS scheme [36] has been proposed for securing fog computing environments; however, it does not consider the mobility of fog users between fog areas.

Ui Haq et al. [37] proposed a hash-based authenticated key agreement scheme using only XOR operations and hash functions. The scheme [37] achieves user anonymity at low cost; however, it cannot achieve user un-traceability, as the attacker can trace the user and link many sessions of the same user by XORing the parameters sent in the login request. Moreover, the scheme [37] cannot achieve perfect forward secrecy, and it is also vulnerable to replay attacks. Dhillon and Kalra [38] proposed a lightweight three-factor user authentication scheme based on XOR operations and hash functions; however, Lee et al. [39] found that Dhillon and Kalra’s scheme [38] cannot provide session key agreement or user un-traceability and cannot resist the user impersonation attack, replay attack, stolen mobile device attack, and known session-specific temporary information attack. Additionally, Mahmood et al. [40] proved that Dhillon and Kalra’s scheme [38] cannot provide user anonymity.

System model and threat model

In this section, the system model and the threat model are described.

System model

As shown in Fig. 1, the multi-server architecture consists of three kinds of entities: n users, m servers, and the Registration Center (RC).

Fig. 1: Multi-server architecture

  • In the registration phase, the RC generates the required secret credentials for each user \({U}_{i}\) and each server \({S}_{j}\); each user and each server must register only once with the registration center. The RC also stores the secret parameters it generated for \({U}_{i}\) on a smart card (SC) and delivers the smart card to \({U}_{i}\). Both user registration and server registration are done through a secure channel.

  • Once registration is done, the authentication phase starts: the user authenticates himself by inserting the SC into a smart card reader and entering his login parameters (username, password, and biometric impression) for verification. After that, the user and the server run the mutual authentication and key agreement protocol to communicate securely, noting that mutual authentication is carried out over an insecure public channel.

  • Once mutual authentication is achieved, any legitimate registered user can connect with any of the m legitimate registered servers in the network.

Threat model

Assuming that the adversary:

  • Has full control over the insecure public communication channel between user and server.

  • Can intercept, modify, replay, or even delete messages transmitted through the public channel.

  • Can find the secret parameters stored on the smart card using the power analysis attack.

  • Can find the password through an offline dictionary attack using parameters which are disclosed from smart card.

  • Tries to find the current session key; upon revealing the current session key, old session keys may be compromised as well.

  • Can run user impersonation attack if user’s password or smart card can be accessed.

The proposed AMAKAS scheme

To achieve anonymous mutual authentication and key agreement between user and server in multi-server environments, we propose a scheme consisting of three phases: the registration phase, the login phase, and the authentication phase.

Registration phase

In this phase, both user and server register with the registration center \(\left(RC\right)\) as follows:

Server registration

  1. Initially, a server \({S}_{j}\) registers with the \(RC\) by choosing an identity \({ID}_{j}\) and sending it to the \(RC\) through a secure channel.

  2. The \(RC\) generates a random number \({e}_{j}\) and calculates the server secret key \({ASID}_{j}=h\left({ID}_{j}\left|\left|X\right|\right|{e}_{j}\right)\), where \(X\) is the secret key of the RC, and the server public key \({PKS}_{j}={ASID}_{j}.P\), where \(P\) is the elliptic curve base point.

  3. Finally, the \(RC\) sends each server \({S}_{j}\) its own secret key and server public key through a secure channel.

User registration

  1. Similarly, each user \({U}_{i}\) registers with the RC by selecting a user identity \({ID}_{u}\) and password \({PW}_{u}\) and imprinting his biometric impression \({B}_{u}\).

  2. User \({U}_{i}\) generates a random nonce \(a\), calculates \(M=H\left({ID}_{u}\right|\left|{B}_{u}\right)\) and \(TW=h(a\oplus \text{H}\left({B}_{u}|\left|{PW}_{u}\right)\right)\), and sends \(\{{ID}_{u},M, TW\}\) to the \(RC\) through a secure channel.

  3. The \(RC\) generates a random number \({a}_{u}\) and calculates \({A}_{u}={a}_{u}.P\), \({X}_{u}=h\left({a}_{u}.{PKS}_{j}\left|\left|{ID}_{u}\right|\right|{ASID}_{j}\right)\), \({Y}_{u}={X}_{u}\oplus h\left(M\right|\left|TW\right)\), and \({F}_{u}=h\left(h\right({ID}_{u}\left|\right|TW\left)\right)\).

  4. Finally, the \(RC\) sends \(\{{A}_{u},{Y}_{u}, {F}_{u}\}\) through a secure channel to be stored on the smart card (\(SC\)).

Login phase

The login and authentication phases are shown in Fig. 2. In the login phase, the user \({U}_{i}\) logs into the system by taking the following steps:

Fig. 2: Login and authentication phase

  1. Initially, user \({U}_{i}\) inserts the \(SC\) into the smart card reader and inputs his login parameters \(\{{ID}_{u}, {PW}_{u}, {B}_{u}\}\).

  2. \(SC\) calculates \(TW=h(a\oplus H({B}_{u}\left|\right|{PW}_{u}\left)\right)\) and \({F}_{u}^{*}=h\left(h\right({ID}_{u}\left|\right|TW\left)\right)\), and compares \({F}_{u}^{*}\) with the \({F}_{u}\) stored on the SC.

  3. If \({F}_{u}^{*}\ne {F}_{u}\), the session is discarded; otherwise, \(SC\) generates a random number \({C}_{u}\) and computes \(W={C}_{u}.P\), \(OP={C}_{u}.{PKS}_{j}={C}_{u}.{ASID}_{j}.P\), \({OPA}_{u}={A}_{u}\oplus OP\), and, using the most significant l bits of \(h\left(OP\right)\), \({PID}_{u}= {ID}_{u}\oplus h\left(OP\right)\); it then computes \(M=H\left({ID}_{u}\right|\left|{B}_{u}\right)\), \({X}_{u}={Y}_{u}\oplus h\left(M\right|\left|TW\right)\), and \({DID}_{u}=h\left({A}_{u}\right|\left|{X}_{u}\right|\left|OP\right)\).

  4. Finally, user \({U}_{i}\) sends \({M}_{1}=\{W,{OPA}_{u}, {PID}_{u}, {DID}_{u}\}\) to server \({S}_{j}\) via the public channel.

Authentication phase

In this phase, mutual authentication and key agreement between the user and the server can be achieved by taking the subsequent steps:

  1. Upon receiving \({M}_{1}= \{W, {OPA}_{u}, {PID}_{u}, {DID}_{u}\}\), the server calculates \(OP={C}_{u}.{PKS}_{j}=W.{ASID}_{j}={C}_{u}.P.{ASID}_{j}\), \({A}_{u}={OPA}_{u}\oplus OP\), and, using the most significant l bits of \(h\left(OP\right)\), \({ID}_{u}= {PID}_{u}\oplus h\left(OP\right)\); it then computes \({X}_{u}= h ({A}_{u}.{ASID}_{j}|\left|{ID}_{u}\right|\left|{ASID}_{j}\right)\) and \({DID}_{u}^{*}=h\left({A}_{u}\right|\left|{X}_{u}\right|\left|OP\right)\). Then, \({S}_{j}\) compares the calculated \({DID}_{u}^{*}\) with the received \({DID}_{u}\).

  2. If \({DID}_{u}^{*}\ne {DID}_{u}\), the session is discarded; otherwise, \({S}_{j}\) generates a random number \({D}_{j}\) and calculates \({v}_{j}={D}_{j}\oplus OP\), \(SK=h\left({ID}_{u}\left|\left|OP\right|\right|{D}_{j}\left|\left|{X}_{u}\right|\right|{ID}_{j}\right)\), and \({Q}_{ju}=h\left({ID}_{u}\right|\left|OP\right|\left|{D}_{j}\right|\left| {ID}_{j}\right|\left|SK\right)\).

  3. The server sends \({M}_{2} = \{{Q}_{ju}, {v}_{j}\}\) to the user \({U}_{i}\) via the public channel.

  4. Upon receiving \({M}_{2}= \{{Q}_{ju}, {v}_{j}\}\), user \({U}_{i}\) calculates \({D}_{j}={v}_{j}\oplus OP\), \(SK=h\left({ID}_{u}\right|\left|OP\right|\left|{D}_{j}\right|\left|{X}_{u}\right|\left|{ID}_{j}\right)\), and \({Q}_{uj}=h\left({ID}_{u}\right|\left|OP\right|\left|{D}_{j}\right|\left|{ID}_{j}\right|\left|SK\right)\), and compares the calculated \({Q}_{uj}\) with the received \({Q}_{ju}\).

  5. If \({Q}_{uj}= {Q}_{ju}\), mutual authentication has been achieved and the session key has been agreed between the user \({U}_{i}\) and the server \({S}_{j}\); otherwise, the session is discarded.

Security analysis

This section provides an informal security analysis of the proposed AMAKAS scheme in addition to formal security analysis using Burrows-Abadi-Needham (BAN) logic [41].

Informal security analysis

In this subsection, an informal security analysis will be provided to explain how the proposed AMAKAS scheme achieves the most important security requirements including mutual authentication, user anonymity, un-traceability, and forward secrecy. In addition, we explain how the proposed AMAKAS scheme resists the most known attacks including impersonation attack, replay attack, stolen card attack, man-in-the-middle attack, and known session specific temporary information attack.

Mutual authentication

The proposed AMAKAS scheme achieves mutual authentication since both the legitimate user and the legitimate server can authenticate each other.

The server \({S}_{j}\) authenticates the user \({U}_{i}\) by computing \({DID}_{u}^{*}=h\left({A}_{u}\right|\left|{X}_{u}\right|\left|OP\right)\) and comparing it with the \({DID}_{u}\) received in \({M}_{1}\). The user computes \({DID}_{u}=h\left({A}_{u}\right|\left|{X}_{u}\right|\left|OP\right)\) from \({X}_{u}={Y}_{u}\oplus h\left(M\right|\left|TW\right)\), where \({Y}_{u}\) is stored on the SC; calculating \(M=H\left({ID}_{u}\right|\left|{B}_{u}\right)\) requires knowing the user identity \({ID}_{u}\) and the biometric impression \({B}_{u}\) of the user, and calculating \(TW=h(a\oplus \text{H}\left({B}_{u}|\left|{PW}_{u}\right)\right)\) requires knowing the random number \(a\), the biometric impression \({B}_{u}\), and the user password \({PW}_{u}\), which are known only to the legitimate user. Therefore, the server can authenticate the user.

On the other hand, the user \({U}_{i}\) authenticates the server \({S}_{j}\) by computing \({Q}_{uj}=h\left({ID}_{u}\right|\left|OP\right|\left|{D}_{j}\right|\left|{ID}_{j}\right|\left|SK\right)\) and comparing it with the \({Q}_{ju}\) received in \({M}_{2}\). The server \({S}_{j}\) can obtain \(OP={C}_{u}.{PKS}_{j}=W.{ASID}_{j}\) using the server’s private key \({ASID}_{j}\), which is known only to the server \({S}_{j}\), and then extract the identity of the user as \({ID}_{u}= {PID}_{u}\oplus h\left(OP\right)\). Thus, the user can authenticate the server.

Therefore, mutual authentication between user and server has been achieved and session key has been agreed on. Furthermore, early detection of any possible replay attack has been ensured.

User anonymity

The proposed AMAKAS scheme can achieve user anonymity as in each authentication message, the user identity \({ID}_{u}\) is randomized using \(OP={C}_{u}.{PKS}_{j}\) where \({C}_{u}\) is a random number and hidden through a dynamic-pseudo identity \({PID}_{u}={ID}_{u} \oplus h\left(OP\right)\). Even if the Adversary \(A\) intercepts the transmitted message \({M}_{1}=\{\text{W}, {OPA}_{u}, {PID}_{u}, {DID}_{u}\}\), he still cannot extract the user identity \({ID}_{u}\) from the dynamic-pseudo identity \({PID}_{u}={ID}_{u} \oplus h\left(OP\right)\) as the adversary needs first to obtain \(OP\) using the server’s secret key \({ASID}_{j}\) which is unknown to the adversary.

User un-traceability

The proposed AMAKAS scheme achieves user un-traceability: in each login message sent to the server by the user, \({M}_{1}=\{\text{W}, {OPA}_{u}, {PID}_{u}, {DID}_{u}\}\), the user generates a new random number \({C}_{u}\), which is used to calculate \(W={C}_{u}.P\) and \(OP={C}_{u}.{PKS}_{j}\); then \(OP\) is used to randomize \({OPA}_{u}={A}_{u}\oplus OP\), \({PID}_{u}={ID}_{u}\oplus h\left(OP\right)\), and \({DID}_{u}=h\left({A}_{u}\right|\left|{X}_{u}\right|\left|OP\right)\). Hence, the value of the transmitted message \({M}_{1}=\{\text{W}, {OPA}_{u}, {PID}_{u}, {DID}_{u}\}\) changes in each session. Moreover, if the attacker computes \({OPA}_{u}\oplus {PID}_{u}\), the result is \({A}_{u}\oplus OP\oplus {ID}_{u}\oplus h\left(OP\right)\), which is not a fixed value; this is why we used \(h\left(OP\right)\) to randomize \({ID}_{u}\) instead of using \(OP\) directly. Thus, even if the Adversary \(A\) intercepts the transmitted message \({M}_{1}=\{\text{W}, {OPA}_{u}, {PID}_{u}, {DID}_{u}\}\), he still cannot relate any repeated messages. Therefore, user un-traceability is guaranteed.

Forward secrecy

Forward secrecy is achieved when a temporary secret session key is generated uniquely for every individual session between user and server. If one of these session keys is compromised, the messages transmitted in past sessions remain protected.

In the proposed AMAKAS scheme, the session keys are independent of each other, as in each session the session key \(SK=h\left({ID}_{u}\right|\left|OP\right|\left|{D}_{j}\right|\left|{X}_{u}\right|\left|{ID}_{j}\right)\) is generated from new random values \({C}_{u}\) and \({D}_{j}\), where \({D}_{j}\) is a random number generated by the legitimate server and \({C}_{u}\) is a random number generated by the legitimate user to compute \(OP={C}_{u}.{PKS}_{j}\). Therefore, even if the current session key is compromised, the adversary still cannot obtain the previous session keys.

Additionally, assume that the attacker can obtain the server’s secret key \({ASID}_{j}\) and can intercept all transmitted messages \({M}_{1}=\{\text{W}, {OPA}_{u}, {PID}_{u}, {DID}_{u}\}\) and \({M}_{2}=\{{Q}_{ju}, {v}_{j}\}\). Even under these assumptions, without knowing the random number \({D}_{j}\) and the value of \(OP\), the attacker will not be able to compromise the messages of previous sessions. Furthermore, obtaining the server’s secret key \({ASID}_{j}\) is computationally very hard due to the ECDHP.

Impersonation attack

Impersonation attack has two types: user impersonation and server impersonation attack. The proposed AMAKAS scheme can resist both types of impersonation attack.

For the user impersonation attack:

  • If the adversary aims to impersonate the legitimate user, he has to be capable of generating a valid login message \({M}_{1}=\{\text{W}, {OPA}_{u}, {PID}_{u}, {DID}_{u}\}\). The adversary can generate a random number \({C}_{u}\) and calculate \(\text{W}, {PID}_{u}\), and \({OPA}_{u}\), but he cannot generate \({DID}_{u}=h\left({A}_{u}\left|\left|{X}_{u}\right|\right|OP\right)\), as the calculation of \({X}_{u}={Y}_{u}\oplus h\left(M\right|\left|TW\right)\) requires knowing \(\{{Y}_{u}, M,TW\}\): \({Y}_{u}\) is a value stored on the smart card, calculating \(M=H\left({ID}_{u}\right|\left|{B}_{u}\right)\) requires knowing the user identity \({ID}_{u}\) and the biometric impression \({B}_{u}\) of the user, and calculating \(TW=h(a\oplus \text{H}\left({B}_{u}|\left|{PW}_{u}\right)\right)\) requires knowing the random number \(a\), the user password \({PW}_{u}\), and the biometric impression \({B}_{u}\), which are known only to the legitimate user. Moreover, the password is protected by a double one-way hash. Hence, the adversary cannot generate a valid login message \({M}_{1}\), and therefore the proposed scheme can resist the user impersonation attack.

For the server impersonation attack:

  • The server secret key \({ASID}_{j}=h\left({ ID}_{j}\left|\left|X\right|\right|{e}_{j}\right)\) is calculated through a one-way hash function over the server ID, the secret key of the registration center, and the random number \({e}_{j}\) generated by the registration center; therefore, \({ASID}_{j}\) is known only to the legitimate server. If the adversary aims to impersonate the legitimate server, he has to be capable of generating \({M}_{2} = \{{Q}_{ju}, {v}_{j}\}\), but calculating \({v}_{j}={D}_{j}\oplus OP\) requires obtaining the correct value of \(OP={C}_{u}.{PKS}_{j}=W.{ASID}_{j}\), which is based on the server’s secret key, known only to the legitimate server. Hence, the adversary cannot generate a valid \({v}_{j}\). Similarly, calculating \({Q}_{ju}=h\left({ID}_{u}\right|\left|OP\right|\left|{D}_{j}\right|\left| {ID}_{j}\right|\left|SK\right)\) requires the correct value of \(OP\) and the session key \(SK=h\left({ID}_{u}\left|\left|OP\right|\right|{D}_{j}\left|\left|{X}_{u}\right|\right|{ID}_{j}\right)\), which is based on \({X}_{u}=h\left({a}_{u}.{PKS}_{j}\left|\left|{ID}_{u}\right|\right|{ASID}_{j}\right)\) and thus requires knowing the random number \({a}_{u}\) generated by the registration center, the user ID, and the server’s secret key \({ASID}_{j}\). Therefore, only the legitimate server can generate \({Q}_{ju}\). Hence, the proposed AMAKAS scheme can resist the server impersonation attack.

Replay attack

The proposed AMAKAS scheme can resist replay attack as with each login message \({M}_{1}=\{\text{W}, {OPA}_{u}, {PID}_{u}, {DID}_{u}\}\), generated by the user, a fresh random number \({C}_{u}\) is generated. Even if the Adversary could replay \({M}_{1},\) mutual authentication between user and server cannot be achieved as the Adversary does not know the random number \({C}_{u}\); therefore, he cannot compute \(OP={C}_{u}.{PKS}_{j}\) nor \({D}_{j}={v}_{j}\oplus OP\). Hence, he cannot extract the session key \(SK=h\left({ID}_{u}\right|\left|OP\right|\left|{D}_{j}\right|\left|{X}_{u}\right|\left|{ID}_{j}\right)\).

Stolen card attack

The proposed AMAKAS scheme can resist the stolen card attack: even if the adversary steals the SC and extracts the data stored on it, \(\{{\text{A}}_{u},{\text{Y}}_{u}, {\text{F}}_{u}\}\), he still cannot guess the user password or the user ID, since the extracted data are not used in computing the password and the user ID is not included in the extracted data. Hence, the adversary cannot generate the login message, and the proposed AMAKAS scheme can resist the stolen card attack.

Man-in-the-middle attack

Between the user and server, a man-in-the-middle attacker pretends to be a node in the middle, but the attacker can’t know the password \({PW}_{u}\) of the user \({U}_{i}\) and can’t get his biometric impression \({B}_{u}\), also the attacker can’t obtain the secret key \({ASID}_{j}\) of server \({S}_{j}\). When the attacker attempts to impersonate each party in this situation, he is unable to generate a valid \({DID}_{u}\) as it is computed using \({X}_{u}={Y}_{u}\oplus h\left(M\right|\left|TW\right)\) which is locally computed at user \({U}_{i}\) using user’s password and biometric impression as \(TW=h(a\oplus H({B}_{u}\left|\right|{PW}_{u}\left)\right)\). Additionally, the attacker can’t know the shared session key \(SK=h\left({ID}_{u}\right|\left|OP\right|\left|{D}_{j}\right|\left|{X}_{u}\right|\left|{ID}_{j}\right)\) as it requires knowing \(OP\) and the random number \({D}_{j}\) which can’t be obtained without knowing the secret key \({ASID}_{j}\) of server \({S}_{j}\). Hence, the proposed AMAKAS scheme can resist man-in-the-middle attack.

Known session specific temporary information attack

In this attack, when temporary secret values, such as random numbers, are revealed, an attacker tries to obtain the current session key. After completing the login and authentication phase, if \(OP\) and the random number \({D}_{j}\) can be obtained, the attacker can compute \({A}_{u}\) and \({ID}_{u}\), but it can’t compute the session key \(SK=h\left({ID}_{u}\left|\left|OP\right|\right|{D}_{j}\left|\left|{X}_{u}\right|\right|{ID}_{j}\right)\) as it depends on \({X}_{u}\) which is computed using user’s password and biometric impression at user side and using the secret key \({ASID}_{j}\) of server \({S}_{j}\) at server side. Hence, the proposed AMAKAS scheme can resist known session specific temporary information attack.

Formal security analysis using BAN logic

In this subsection, BAN Logic is used to formally prove the security of the proposed AMAKAS scheme.

Idealization

The idealized messages between the user and the server are listed as follows.

  • \({M}_{1}:\left({U}_{i}\to {S}_{j}\right):W,{<{ID}_{u}>}_{OP} ,{OPA}_{u}, {({A}_{u} , OP)}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}\)

  • \({M}_{2}:\left({S}_{j}\to {U}_{i}\right):{V}_{i}, {({ID}_{u}, OP, {D}_{j},{ID}_{j}, {U}_{i}\overset{SK}{\leftrightarrow}{S}_{j})}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}\)

Assumptions

The assumptions of the proposed scheme needed to carry out the BAN logic analysis are listed as follows:

  • \({A}_{1}: {U}_{i}|\equiv \#({C}_{u})\) 

  • \({A}_{2}: {S}_{j}|\equiv \#({D}_{j})\) 

  • \({A}_{3}: {U}_{i}|\equiv ({U}_{i } {\overset{OP}{\leftrightarrow}}{S}_{j})\) 

  • \({A}_{4}: {S}_{j}|\equiv ({U}_{i }{\overset{OP}{\leftrightarrow}}{S}_{j})\) 

  • \({A}_{5}: {U}_{i}|\equiv ( {U}_{i }{\overset{X_u}{\leftrightarrow}}{S}_{j})\) 

  • \({A}_{6}: {S}_{j}|\equiv ({U}_{i }{\overset{X_u}{\leftrightarrow}}{S}_{j})\) 

  • \({A}_{7}: {S}_{j}|\equiv ({U}_{i }\Longrightarrow \left(OP\right))\) 

  • \({A}_{8}: {U}_{i}|\equiv ({S}_{j }\Longrightarrow \left({U}_{i }{\overset{SK}{\leftrightarrow}}{S}_{j}\right))\)

  • \({A}_{9}: {S}_{j}|\equiv ({U}_{i}\Longrightarrow\left({U}_{i } {\overset{SK}{\leftrightarrow}}{S}_{j}\right))\)

Goals

The goals that the proposed scheme should achieve are listed as follows.

  • Goal 1: \({U}_{i}|\equiv \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\) and \({U}_{i}|\equiv \#\left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\) 

  • Goal 2: \({S}_{j}|\equiv \#\left({C}_{u}\right)\) 

  • Goal 3: \({U}_{i}|\equiv \#\left({D}_{j}\right)\)

Analysis

The following steps are taken to perform the BAN logic proof of the proposed scheme.

  • Step 1: From message \({M}_{2}\), we obtain:

    $${U}_{i} \lhd {V}_{i}, {({ID}_{u}, OP, {D}_{j},{ID}_{j}, {U}_{i}\overset{SK}{\leftrightarrow}{S}_{j})}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}$$

  • Step 2: From the assumption \({A}_{5}\), we obtain:

    $${U}_{i}|\equiv \left({U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}\right)$$

  • Step 3: From step 1, step 2, and applying the message-meaning rule, we obtain:

    $$\frac{{U}_{i}|\equiv \left({U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}\right),\; {U}_{i} \lhd {V}_{i}, {({ID}_{u}, OP, {D}_{j},{ID}_{j}, {U}_{i}\overset{SK}{\leftrightarrow}{S}_{j})}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}}{{U}_{i}|\equiv {S}_{j}|\sim \left({V}_{i},{ID}_{u}, OP, {D}_{j},{ID}_{j}, {U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)}$$

  • Step 4: From \({A}_{1}\), step 3, and applying the nonce-verification rule, we obtain:

    $$\frac{{U}_{i}|\equiv \#\left({C}_{u}\right),\; {U}_{i}|\equiv {S}_{j}|\sim \left({V}_{i},{ID}_{u}, OP, {D}_{j},{ID}_{j}, {U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)}{{U}_{i}|\equiv {S}_{j}|\equiv \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)}$$

  • Step 5: From \({A}_{8}\), step 4, and applying the jurisdiction rule, we obtain:

    $$\frac{{U}_{i}|\equiv \left({S}_{j}\Longrightarrow \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\right),\; {U}_{i}|\equiv {S}_{j}|\equiv \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)}{{U}_{i}|\equiv \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)}$$

  • Step 6: From \({A}_{1}\), step 4, and applying the freshness-conjuncatenation rule, we obtain:

    $$\frac{{U}_{i}|\equiv \#\left({C}_{u}\right)}{{U}_{i}|\equiv \#\left({C}_{u}, \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\right)}$$

  • Step 7: From step 5 and step 6, we obtain:

    $${U}_{i}|\equiv \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right) \quad \text{and} \quad {U}_{i}|\equiv \#\left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)$$

Hence, Goal 1 has been achieved.

  • Step 8: From \({A}_{1}\), step 3, and applying the nonce-verification rule, we obtain:

    $$\frac{{U}_{i}|\equiv \#\left({C}_{u}\right),\; {U}_{i}|\equiv {S}_{j}|\sim \left({V}_{i},{ID}_{u}, OP, {D}_{j},{ID}_{j}, {U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)}{{U}_{i}|\equiv {S}_{j}|\equiv \left({D}_{j}\right)}$$

  • Step 9: From step 8, \({A}_{8}\), and applying the jurisdiction rule, we obtain:

    $$\frac{{U}_{i}|\equiv \left({S}_{j}\Longrightarrow \left({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j}\right)\right),\; {U}_{i}|\equiv {S}_{j}|\equiv \left({D}_{j}\right)}{{U}_{i}|\equiv \left({D}_{j}\right)}$$

  • Step 10: From \({A}_{1}\), step 9, and applying the freshness-conjuncatenation rule, we obtain:

    $$\frac{{U}_{i}|\equiv \#\left({C}_{u}\right)}{{U}_{i}|\equiv \#\left({C}_{u},\left({D}_{j}\right)\right)}$$

Thus, \({U}_{i}|\equiv \#({D}_{j})\) and Goal 3 has been achieved.

  • Step 11: From message \({M}_{1}\), \({A}_{6}\), and applying the message-meaning rule, we obtain:

    $$\frac{{S}_{j}|\equiv \left({U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}\right),\; {S}_{j} \lhd W,{<{ID}_{u}>}_{OP},{OPA}_{u}, {({A}_{u}, OP)}_{{U}_{i}\overset{{X}_{u}}{\leftrightarrow}{S}_{j}}}{{S}_{j}|\equiv {U}_{i}|\sim \left(W,{<{ID}_{u}>}_{OP},{OPA}_{u},{A}_{u}, OP\right)}$$

  • Step 12: From \({A}_{1}\), step 11, and applying the nonce-verification rule, we obtain:

    $$\frac{{U}_{i}|\equiv \#\left({C}_{u}\right),\; {S}_{j}|\equiv {U}_{i}|\sim \left(W,{<{ID}_{u}>}_{OP},{OPA}_{u},{A}_{u}, OP\right)}{{S}_{j}|\equiv {U}_{i}|\equiv \left(OP\right)}$$

  • Step 13: From \({A}_{7}\), step 12, and applying the jurisdiction rule, we obtain:

    $$\frac{{S}_{j}|\equiv \left({U}_{i}\Longrightarrow \left(OP\right)\right),\; {S}_{j}|\equiv {U}_{i}|\equiv \left(OP\right)}{{S}_{j}|\equiv \left(OP\right)}$$

noting that \(OP={C}_{u}\cdot {PKS}_{j}\).

  • Step 14: From \({A}_{1}\), step 11, step 13, and applying the freshness-conjuncatenation rule, we obtain:

    $$\frac{{U}_{i}|\equiv \#\left({C}_{u}\right)}{{S}_{j}|\equiv \#\left({C}_{u}\right)}$$

Therefore, \({S}_{j}|\equiv \#({C}_{u})\) and Goal 2 has been achieved.
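The rule applications in steps 1 to 5 can be checked mechanically. The following is an added example, not part of the paper, that encodes the standard BAN rules used above (message-meaning for a shared key, nonce verification, jurisdiction, freshness extension to a conjunction, and decomposition of seen, said and believed conjunctions) as a small forward-chaining checker, and derives Goal 1 from the idealized message \({M}_{2}\) and the assumptions \({A}_{1}\), \({A}_{5}\) and \({A}_{8}\). Two modeling choices are ours, not the paper's: the user's freshness belief is attached to \(OP\) rather than to \({C}_{u}\), since \(OP={C}_{u}\cdot {PKS}_{j}\) and \({M}_{2}\) carries \(OP\) but not \({C}_{u}\); and the side condition of the message-meaning rule that the receiver did not send the message itself is omitted. Principals, keys and fields are plain strings. Freshness is established for the message containing \(SK\), which is as far as the BAN freshness rule carries step 6.

```python
"""Minimal BAN-logic forward-chaining checker (added example, not from the paper).

Formulas are nested tuples:
  ('believes', P, X)   P |≡ X        ('sees', P, X)      P ◁ X
  ('said', P, X)       P |~ X        ('controls', P, X)  P ⇒ X
  ('fresh', X)         #(X)          ('key', P, K, Q)    P ←K→ Q
  ('enc', K, X)        {X}_K         ('conj', X1, ...)   (X1, ...)
"""


def conj(*parts):
    return ('conj',) + parts


def subterms(f):
    """Yield f and every nested tuple inside it (used by the freshness rule)."""
    if isinstance(f, tuple):
        yield f
        for part in f[1:]:
            yield from subterms(part)


def components(x):
    """Components of a conjunction; a non-conjunction is its own only component."""
    return x[1:] if isinstance(x, tuple) and x[0] == 'conj' else (x,)


def step(kb):
    """Apply each BAN rule once to the knowledge base; return the new formulas."""
    new = set()
    conjs = {t for f in kb for t in subterms(f) if t[0] == 'conj'}
    for f in kb:
        if f[0] == 'sees':                       # P ◁ (X, Y)  ⊢  P ◁ X
            for c in components(f[2]):
                new.add(('sees', f[1], c))
    for b in (f for f in kb if f[0] == 'believes'):
        p, x = b[1], b[2]
        if x[0] == 'key' and p in (x[1], x[3]):  # message meaning (shared key):
            q = x[3] if p == x[1] else x[1]      # P |≡ P ←K→ Q, P ◁ {X}_K  ⊢  P |≡ Q |~ X
            for s in kb:
                if s[0] == 'sees' and s[1] == p and s[2][0] == 'enc' and s[2][1] == x[2]:
                    new.add(('believes', p, ('said', q, s[2][2])))
        if x[0] == 'said':                       # nonce verification:
            q, msg = x[1], x[2]                  # P |≡ #(X), P |≡ Q |~ X  ⊢  P |≡ Q |≡ X
            if ('believes', p, ('fresh', msg)) in kb:
                new.add(('believes', p, ('believes', q, msg)))
            for c in components(msg):            # P |≡ Q |~ (X, Y)  ⊢  P |≡ Q |~ X
                new.add(('believes', p, ('said', q, c)))
        if x[0] == 'controls':                   # jurisdiction:
            if ('believes', p, ('believes', x[1], x[2])) in kb:  # P |≡ Q ⇒ X, P |≡ Q |≡ X ⊢ P |≡ X
                new.add(('believes', p, x[2]))
        if x[0] == 'fresh':                      # freshness: P |≡ #(X)  ⊢  P |≡ #(X, Y)
            for c in conjs:                      # (only for conjunctions already present)
                if x[1] in components(c):
                    new.add(('believes', p, ('fresh', c)))
        if x[0] == 'conj':                       # P |≡ (X, Y)  ⊢  P |≡ X
            for c in components(x):
                new.add(('believes', p, c))
        if x[0] == 'believes' and x[2][0] == 'conj':  # P |≡ Q |≡ (X, Y)  ⊢  P |≡ Q |≡ X
            for c in components(x[2]):
                new.add(('believes', p, ('believes', x[1], c)))
    return new - kb


def derive(kb):
    """Close the knowledge base under the rules (terminates: no rule builds new subterms)."""
    kb = set(kb)
    while True:
        new = step(kb)
        if not new:
            return kb
        kb |= new


# Idealized message M_2 and the assumptions used for Goal 1, in the paper's notation.
U, S = 'U_i', 'S_j'
SK = ('key', U, 'SK', S)                         # U_i ←SK→ S_j
XU = ('key', U, 'X_u', S)                        # U_i ←X_u→ S_j
M2_BODY = conj('ID_u', 'OP', 'D_j', 'ID_j', SK)
M2 = conj('V_i', ('enc', 'X_u', M2_BODY))        # V_i, {ID_u, OP, D_j, ID_j, U_i ←SK→ S_j}_{X_u}


def goal1_derivation():
    kb = {
        ('sees', U, M2),                         # step 1: U_i receives M_2
        ('believes', U, ('fresh', 'OP')),        # A_1, carried to OP = C_u . PKS_j (our assumption)
        ('believes', U, XU),                     # A_5
        ('believes', U, ('controls', S, SK)),    # A_8
    }
    return derive(kb)


def goal1_holds(derived):
    """U_i |≡ U_i ←SK→ S_j, and U_i believes the message carrying SK is fresh."""
    return (('believes', U, SK) in derived
            and ('believes', U, ('fresh', M2_BODY)) in derived)


if __name__ == '__main__':
    print('Goal 1 derived:', goal1_holds(goal1_derivation()))
```

Dropping \({A}_{8}\) from the initial set leaves \({U}_{i}|\equiv {S}_{j}|\equiv ({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j})\) derivable but not \({U}_{i}|\equiv ({U}_{i}\overset{SK}{\leftrightarrow}{S}_{j})\), which shows why the jurisdiction assumption is needed in step 5.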

Security and performance comparisons

In this section, the security and performance of the proposed AMAKAS scheme are compared with the existing related schemes. The performance will be evaluated in terms of computation cost and communication overheads.

Security comparison

Table 1 summarizes the security features of the proposed AMAKAS scheme in comparison with the related schemes [23,24,25, 28, 38]. From Table 1, we observe that the schemes in [23, 38] do not achieve user anonymity, and the schemes in [23, 25, 28, 38] do not achieve user un-traceability. Moreover, the schemes in [23, 25, 38] cannot resist the man-in-the-middle attack, and none of the schemes in [23,24,25, 38] can resist the server impersonation attack or the known session-specific temporary information attack. The lightweight authentication scheme in [38] cannot resist several attacks, including the user impersonation, replay, stolen card, man-in-the-middle, and known session-specific temporary information attacks. By contrast, the proposed AMAKAS scheme achieves mutual authentication, user anonymity, user un-traceability and forward secrecy, and resists the user and server impersonation attacks, the replay attack, the stolen card attack, the man-in-the-middle attack, and the known session-specific temporary information attack.

Table 1 Security comparison

Computation cost comparison

In this section, we analyze the computational cost of the proposed AMAKAS scheme compared with the related schemes [23,24,25, 28] that provide comparable security requirements.

Table 2 shows the execution time of the cryptographic operations used in the comparison between the proposed AMAKAS scheme and the related schemes, as measured in [42] on a machine with a 2.20 GHz Intel Pentium E2200 CPU, 2 GB of RAM, and 32-bit Ubuntu 12.04.1 LTS. In computing the computational cost, we consider the following operations: \({T}_{h}\) is the execution time of a one-way hash function, \({T}_{p}\) of an ECC scalar multiplication, \({T}_{inv}\) of a multiplicative inverse over ECC, \({T}_{m}\) of an ECC point addition, \({T}_{SED}\) of a symmetric-key encryption/decryption, \({T}_{AED}\) of an ECC encryption/decryption, and \({T}_{F}\) of a fuzzy extraction.

Table 2 The execution time of the required cryptographic operations

Table 3 shows the computation cost of the login and authentication phases of the proposed scheme compared with the schemes [23,24,25, 28]. Scheme [24] has the highest execution time, 190.189E + 06 ms, owing to the expensive computation of a multiplicative inverse over ECC. Scheme [23] executes 10 hash functions, 4 ECC scalar multiplications, and 5 point additions, for a total of 9.071 ms. Scheme [25] executes 14 hash functions, 3 ECC scalar multiplications, and one ECC encryption/decryption, for a total of 10.5602 ms. Scheme [28] executes 13 one-way hash functions, 5 ECC scalar multiplications, 7 point additions, and one fuzzy extraction, for a total of 13.5944 ms. The proposed scheme has the lowest computation cost: it executes 15 one-way hash functions and 4 ECC scalar multiplications, for a total of 8.9385 ms. The comparison of computation cost is also shown graphically in Fig. 3.

Table 3 Computation cost comparison
Fig. 3
figure 3

The comparison of computation cost

Hence, the proposed scheme is highly efficient in terms of computation cost as compared to other related schemes which makes the proposed AMAKAS scheme more suitable and practical for multi-server environments than other related schemes.

Communication overhead comparison

The number of communication messages is shown in Table 4. The proposed AMAKAS scheme and the scheme in [24] require only 2 messages to complete the login and authentication phase, whereas the schemes in [23, 25, 28] require 3 messages for the same phase.

Table 4 Number of communication messages

Table 5 compares the communication overhead of the proposed scheme with that of the schemes [23,24,25, 28], where the bit lengths of a random number, a user identity, a timestamp, an ECC point, and a hash output (using SHA-1 as h(·)) are 160, 160, 32, 320, and 160 bits, respectively. The proposed AMAKAS scheme requires 1280 bits to transmit \({M}_{1}\) and \({M}_{2}\), which is less than the schemes in [23, 25, 28] and slightly more than the scheme in [24]. This small extra cost is outweighed by the computation-cost advantage over the scheme in [24], which requires 190.189E + 06 ms to execute the login and authentication phase.

Table 5 Communication overhead comparison

As a result, we can state that our proposed scheme is more appropriate for multi-server environments in terms of performance and security.

Conclusion

In this paper, we have proposed a lightweight ECC-based mutual authentication and key agreement scheme for multi-server environments. The proposed AMAKAS scheme employs ECC to obtain small key sizes at a high security level. The security analysis shows that the proposed AMAKAS scheme achieves mutual authentication, user anonymity, user un-traceability, and forward secrecy. In addition, the proposed AMAKAS scheme resists the replay attack without requiring synchronization between the nodes, as well as the user and server impersonation attacks, the stolen card attack, the man-in-the-middle attack, and the known session-specific temporary information attack. Moreover, the proposed AMAKAS scheme has lower computational and communication costs than the related schemes, providing anonymous authentication and key agreement with an exchange of only two messages. These advantages make the proposed AMAKAS scheme more suitable and practical for multi-server environments than the related schemes.