Advertisement

A Privacy Preserving three-factor authenticated key agreement protocol for client–server environment

  • Alavalapati Goutham Reddy
  • Ashok Kumar Das
  • Vanga Odelu
  • Awais Ahmad
  • Ji Sun Shin
Original Research
  • 141 Downloads

Abstract

Research has proven that accomplishing security properties while improving performance of an authentication protocol is a challenging task. Numerous authentication protocols proposed in the recent times are still behind in achieving the concrete objectives. Qi et al. and Lu et al. recently proposed two-factor authenticated key-agreement protocols for client–server architecture. This paper revisits their protocols and analyzes the shortcomings of such approaches. We also propose an improved authenticated key agreement protocol for client–server environment to defeat mentioned weaknesses of existing protocols that are discussed in related works. The rigorous security analysis using Burrows–Abadi–Needham logic, formal security verification using Real-OR-Random model, simulations using the Automated Validation of Internet Security Protocols and Applications tool, and the informal security analysis shows that the proposed protocol is secure. Additionally, we summarize the results to ensure that the proposed protocol is efficient compared to the existing related protocols.

Keywords

Mutual authentication Key agreement Client–server ROR model BAN logic AVISPA 

Notes

Acknowledgements

This work was supported by the faculty research fund of the Sejong University in 2017. The authors would like to thank the anonymous reviewers for their valuable comments and suggestions that helped us to improve the presentation and quality of the paper.

Compliance with ethical standards

Conflict of interest

The authors declare that they have no conflict of interests.

References

  1. Abdalla M, Fouque P, Pointcheval D (2005) Password-based authenticated key exchange in the three-party setting. 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, pp. 65–84Google Scholar
  2. An Y (2012) Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. Biomed Res Int.  https://doi.org/10.1155/2012/519723 Google Scholar
  3. Armando A, Basin D… Mödersheim S (2005) The AVISPA tool for the automated validation of internet security protocols and applications. In: International Conference on Computer Aided Verification, pp. 281–285Google Scholar
  4. AVISPA Team (2006) AVISPA V1.1 User Manual, [Online]. Available: http://www.avispa-project.org/package/user-manual.pdf Accessed Dec 2015
  5. Basin D, Mödersheim S, Vigano L (2005) OFMC: a symbolic model checker for security protocols. Int J Inf Secur 4(3):181–208CrossRefGoogle Scholar
  6. Burrows M, Abadi M, Needham R R (1990) A logic of authentication. ACM Trans Comput Syst 8(1):18–36CrossRefzbMATHGoogle Scholar
  7. Cao L, Ge W (2015) Analysis and improvement of a multi-factor biometric authentication scheme. Secur Commun Netw 8(4):617–625CrossRefGoogle Scholar
  8. Chan CK, Cheng LM (2000) Cryptanalysis of a remote user authentication scheme using smart cards. IEEE Trans Consum Electron 46(4):992–993CrossRefGoogle Scholar
  9. Chang CC, Le HD (2016) A Provably secure, efficient and flexible authentication scheme for ad hoc wireless sensor networks. IEEE Trans Wireless Commun 15(1):357–366MathSciNetCrossRefGoogle Scholar
  10. Chang YF, Tai WL, Chang HC (2014) Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update. Int J Commun Syst 27(11):3430–3440Google Scholar
  11. Chaturvedi A, Mishra D, Jangirala S, Mukhopadhyay S (2017) A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme. J Inf Secur Appl 32:15–26Google Scholar
  12. Chen CL, Lee CC, Hsu CY (2012) Mobile device integration of a fingerprint biometric remote authentication scheme. Int J Commun Syst 25(5):585–597CrossRefGoogle Scholar
  13. Chen BL, Kuo WC, Wuu LC (2014) Robust smart-card-based remote user password authentication scheme. Int J Commun Syst 27(2):377–389CrossRefGoogle Scholar
  14. Chien HY, Jan JK, Tseng YM (2001) A modified remote login authentication scheme based on geometric approach. J Syst Softw 55(3):287–290CrossRefGoogle Scholar
  15. Chou CH, Tsai KY, Lu CF (2013) Two ID-based authenticated schemes with key agreement for mobile environments. J Supercomput 66(2):973–988CrossRefGoogle Scholar
  16. Das AK (2011) Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf Secur 5(3):145–151CrossRefGoogle Scholar
  17. Das AK, Goswami A (2015) A robust anonymous biometric-based remote user authentication scheme using smart cards. J King Saud Univ-Comput Inf Sci 27(2):193–210Google Scholar
  18. Das AK, Wazid M, Kumar N, Khan MK, Choo KKR, Park Y (2017) Design of secure and lightweight authentication protocol for wearable devices environment. IEEE J Biomed Health Inform,  https://doi.org/10.1109/JBHI.2017.2753464 Google Scholar
  19. Debiao H, Jianhua C, Jin H (2012) An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security. Inf Fusion 13(3):223–230CrossRefGoogle Scholar
  20. Dodis Y, Reyzin L, Smith A (2004) Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. Advances in cryptology-eurocrypt 2004. Interlaken, Springer-Verlag, Berlin, Heidelberg, pp 523–540Google Scholar
  21. Dolev D, Yao A (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208MathSciNetCrossRefzbMATHGoogle Scholar
  22. Fan CI, Lin YH (2009) Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics. IEEE Trans Inf Forensics Secur 4(4):933–945CrossRefGoogle Scholar
  23. Farash MS (2016) Security analysis and enhancements of an improved authentication for session initiation protocol with provable security. Peer-to-Peer Netw Appl 9(1):82–91CrossRefGoogle Scholar
  24. Farash MS, Attari MA (2014) A secure and efficient identity-based authenticated key exchange protocol for mobile client–server networks. J Supercomput 69(1):395–411CrossRefGoogle Scholar
  25. Gope P (2017) Enhanced secure mutual authentication and key agreement scheme with user anonymity in ubiquitous global mobility networks. J Inf Secur Appl 35:160–167Google Scholar
  26. Gope P, Das AK (2017) Robust anonymous mutual authentication scheme for n-times ubiquitous mobile cloud computing services. IEEE Internet Things J 4(5):1764–1772CrossRefGoogle Scholar
  27. Gope P, Hwang T (2016a) An efficient mutual authentication and key agreement scheme preserving strong anonymity of the mobile user in global mobility networks. J Netw Comput Appl 62:1–8CrossRefGoogle Scholar
  28. Gope P, Hwang T (2016b) Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks. IEEE Syst J 10(4):1370–1379CrossRefGoogle Scholar
  29. Goutham RA, Lee GJ, Yoo KY (2015) An anonymous ID-based remote mutual authentication with key agreement protocol on ECC using smart cards. In Proceedings of the 30th Annual ACM Symposium on Applied Computing, pp. 169–174Google Scholar
  30. Han L, Tan X, Wang S, Liang X (2016) An efficient and secure three-factor based authenticated key exchange scheme using elliptic curve cryptosystems. Peer-to-Peer Netw Appl 11(1): 63–73CrossRefGoogle Scholar
  31. He D (2012) An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings. Ad Hoc Netw 10(6):1009–1016CrossRefGoogle Scholar
  32. Hsieh WB, Leu JS (2012) Exploiting hash functions to intensify the remote user authentication scheme. Comput Secur 31(6):791–798CrossRefGoogle Scholar
  33. Irshad A, Chaudhry SA, Kumari S, Usman M, Mahmood K, Faisal MS (2017a) An improved lightweight multiserver authentication scheme. Int J Commun Syst, 30(17)Google Scholar
  34. Irshad A, Sher M, Nawaz O, Chaudhry SA, Khan I, Kumari S (2017b) A secure and provable multi-server authenticated key agreement for TMIS based on Amin et al. scheme. Multimed Tools Appl 76(15):16463–16489CrossRefGoogle Scholar
  35. Irshad A, Sher M, Ashraf MU, Alzahrani BA, Wu F, Xie Q, Kumari S (2017c) An Improved and Secure Chaotic-Map Based Multi-server Authentication Protocol Based on Lu et al. and Tsai and Lo’s Scheme. Wireless Pers Commun 95(3):3185–3208CrossRefGoogle Scholar
  36. Irshad A, Kumari S, Li X, Wu F, Chaudhry SA, Arshad H (2017d) An improved SIP authentication scheme based on server-oriented biometric verification. Wireless Pers Commun 97(2):2145–2166CrossRefGoogle Scholar
  37. Islam SH, Biswas GP (2011) A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. J Syst Softw 84(11):1892–1898CrossRefGoogle Scholar
  38. Islam SH, Biswas GP (2014) Dynamic id-based remote user mutual authentication scheme with smartcard using elliptic curve cryptography. J Electron 31(5):473–488Google Scholar
  39. Jan JK, Chen YY (1998) “Paramita wisdom” password authentication scheme without verification tables. J Syst Softw 42(1):45–57MathSciNetCrossRefGoogle Scholar
  40. Jiang Q, Ma J, Li G, Li X (2015) Improvement of robust smart-card-based password authentication scheme. Int J Commun Syst 28(2):383–393CrossRefGoogle Scholar
  41. Khan MK, Zhang J, Wang X (2008) Chaotic hash-based fingerprint biometric remote user authentication scheme on mobile devices. Chaos Solitons Fractals 35(3):519–524CrossRefGoogle Scholar
  42. Khan MK, Kumari S, Gupta MK (2014) More efficient key-hash based fingerprint remote authentication scheme using mobile device. Computing 96(9):793–816MathSciNetCrossRefGoogle Scholar
  43. Kocher P, Jaffe J, Jun B (1999) Differential power analysis. Advances in Cryptology—CRYPTO’99, pp 388–397Google Scholar
  44. Kumari S, Khan MK (2014) Cryptanalysis and improvement of ‘a robust smart-card-based remote user password authentication scheme’. Int J Commun Syst 27(12):3939–3955CrossRefGoogle Scholar
  45. Kumari S, Khan MK, Li X (2014) An improved remote user authentication scheme with key agreement. Comput Electr Eng 40(6):1997–2012CrossRefGoogle Scholar
  46. Kumari S, Chaudhry SA, Wu F, Li X, Farash MS, Khan MK (2017) An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Netw Appl 10(1):92–105CrossRefGoogle Scholar
  47. Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772MathSciNetCrossRefGoogle Scholar
  48. Li CT, Hwang MS (2010) An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 33(1):1–5CrossRefGoogle Scholar
  49. Li X, Niu JW, Ma J, Wang WD, Liu CL (2011) Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 34(1):73–79CrossRefGoogle Scholar
  50. Li X, Niu J, Khan MK, Liao J (2013) An enhanced smart card based remote user password authentication scheme. J Netw Comput Appl 36(5):1365–1371CrossRefGoogle Scholar
  51. Li X, Niu J, Wang Z, Chen C (2014) Applying biometrics to design three-factor remote user authentication scheme with key agreement. Secur Commun Netw 7(10):1488–1497Google Scholar
  52. Liao IE, Lee CC, Hwang MS (2006) A password authentication scheme over insecure networks. J Comput Syst Sci 72(4):727–740MathSciNetCrossRefzbMATHGoogle Scholar
  53. Lu Y, Li L, Peng H, Yang Y (2016) Robust anonymous two-factor authenticated key exchange scheme for mobile client-server environment. Secur Commun Netw 9(11):1331–1339CrossRefGoogle Scholar
  54. Luo M, Zhang Y, Khan MK, He D (2017) A secure and efficient identity-based mutual authentication scheme with smart card using elliptic curve cryptography. Int J Commun Syst, 30(16)Google Scholar
  55. Lv C, Ma M, Li H, Ma J, Zhang Y (2013) A novel three-party authenticated key exchange protocol using one-time key. J Netw Comput Appl 36(1):498–503CrossRefGoogle Scholar
  56. Madhusudhan R, Mittal RC (2012) Dynamic ID-based remote user password authentication schemes using smart cards: a review. J Netw Comput Appl 35(4):1235–1248CrossRefGoogle Scholar
  57. Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552MathSciNetCrossRefGoogle Scholar
  58. Mishra D, Das AK, Mukhopadhyay S (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 41(18):8129–8143CrossRefGoogle Scholar
  59. Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10(9):1953–1966CrossRefGoogle Scholar
  60. Pippa RS, Jaidhar CD, Tapaswi S (2010) Comments on symmetric key encryption based smart card authentication scheme. In 2nd IEEE International Conference on Computer Technology and Development, pp. 482–484Google Scholar
  61. Qi M, Chen J (2017) An efficient two-party authentication key exchange protocol for mobile environment. Int J Commun Syst, 30(16)Google Scholar
  62. Reddy AG, Das AK, Odelu V, Yoo KY (2016a) An enhanced biometric based authentication with key-agreement protocol for multi-server architecture based on elliptic curve cryptography. PloS one 11(5):e0154308CrossRefGoogle Scholar
  63. Reddy AG, Das AK, Yoon EJ, Yoo KY (2016b) A secure anonymous authentication protocol for mobile services on elliptic curve cryptography. IEEE Access 4:4394–4407CrossRefGoogle Scholar
  64. Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV (2016) Secure biometric-based authentication scheme using chebyshev chaotic map for multi-server environment. IEEE Trans Dependable Secure Comput.  https://doi.org/10.1109/TDSC.2016.2616876 Google Scholar
  65. Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV (2017a) On the design of provably secure lightweight remote user authentication scheme for mobile cloud computing services. IEEE Access 5(1):25808–25825.  https://doi.org/10.1109/ACCESS.2017.2764913 CrossRefGoogle Scholar
  66. Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumari S, Jo M (2017b) Chaotic map-based anonymous user authentication scheme with user biometrics and fuzzy extractor for crowdsourcing internet of things. IEEE Internet Things J.  https://doi.org/10.1109/JIOT.2017.2714179 Google Scholar
  67. Song R (2010) Advanced smart card based password authentication protocol. Comput Stand Interfaces 32(5):321–325CrossRefGoogle Scholar
  68. Sood SK, Sarje AK, Singh K (2010) An improvement of Xu et al.’s authentication scheme using smart cards. In: Proceedings of the third annual ACM Bangalore conference on communications, pp. 15Google Scholar
  69. SPAN-Security Protocol Animator for AVISPA, [Online]. Available: http://www.irisa.fr/celtique/genet/span/. Accessed Dec 2016
  70. Tan K, Zhu H (1999) Remote password authentication scheme based on cross-product. Comput Commun 22(4):390–393CrossRefGoogle Scholar
  71. Tu H, Kumar N, Chilamkurti N, Rho S (2015) An improved authentication protocol for session initiation protocol using smart card. Peer-to-Peer Netw Appl 8(5):903–910CrossRefGoogle Scholar
  72. Tzong-Chen W, Hung-Sung S (1996) Authenticating passwords over an insecure channel. Comput Secur 15(5):431–439CrossRefGoogle Scholar
  73. Wang D, Wang P (2015) Offline dictionary attack on password authentication schemes using smart cards. In: Desmedt Y (eds) Information Security. Lecture Notes in Computer Science, vol 7807. Springer, Cham, pp 221–237Google Scholar
  74. Wang YY, Liu JY, Xiao FX, Dan J (2009) A more efficient and secure dynamic ID-based remote user authentication scheme. Comput Commun 32(4):583–585CrossRefGoogle Scholar
  75. Wang RC, Juang WS, Lei CL (2011) Robust authentication and key agreement scheme preserving the privacy of secret key. Comput Commun 34(3):274–280CrossRefGoogle Scholar
  76. Wang D, Wang N, Wang P, Qing S (2015a) Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf Sci 321:162–178CrossRefGoogle Scholar
  77. Wang D, He D, Wang P, Chu CH (2015b) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secure Comput 12(4):428–442CrossRefGoogle Scholar
  78. Wazid M, Das AK, Odelu V, Kumar N, Susilo W (2017) Secure remote user authenticated key establishment protocol for smart home environment. IEEE Trans Dependable Secure Comput.  https://doi.org/10.1109/TDSC.2017.2764083 Google Scholar
  79. Wen F, Li X (2012) An improved dynamic ID-based remote user authentication with key agreement scheme. Comput Electr Eng 38(2):381–387CrossRefGoogle Scholar
  80. Wu TC (1995) Remote login authentication scheme based on a geometric approach. Comput Commun 18(12):959–963CrossRefGoogle Scholar
  81. Wu TY, Tseng YM (2010) An efficient user authentication and key exchange protocol for mobile client–server environment. Comput Netw 54(9):1520–1530CrossRefzbMATHGoogle Scholar
  82. Wu F, Xu L, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client–server networks. Comput Electr Eng 45:274–285CrossRefGoogle Scholar
  83. Xie Q, Dong N, Wong DS, Hu B (2016) Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol. Int J Commun Syst 29(3):478–487CrossRefGoogle Scholar
  84. Xie Q, Tang Z, Chen K (2017) Cryptanalysis and improvement on anonymous three-factor authentication scheme for mobile networks. Comput Electr Eng 59:218–230CrossRefGoogle Scholar
  85. Xu J, Zhu WT, Feng DG (2009) An improved smart card based password authentication scheme with provable security. Comput Stand Interfaces 31(4):723–728CrossRefGoogle Scholar
  86. Yang JH, Chang CC (2009) An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. Comput Secur 28(3):138–143CrossRefGoogle Scholar
  87. Yeh HL, Chen TH, Hu KJ, Shih WK (2013) Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric data. IET Inf Secur 7(3):247–252CrossRefGoogle Scholar
  88. Yoon EJ, Yoo KY (2009) Robust id-based remote mutual authentication with key agreement scheme for mobile devices on ECC. In: IEEE International Conference on Computational Science and Engineering CSE’09, pp 633–640Google Scholar
  89. Zhang L, Tang S, Cai Z (2014) Efficient and flexible password authenticated key agreement for voice over internet protocol session initiation protocol using smart card. Int J Commun Syst 27(11):2691–2702Google Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Department of Computer and Information SecuritySejong UniversitySeoulSouth Korea
  2. 2.Center for Security, Theory and Algorithmic ResearchInternational Institute of Information TechnologyHyderabadIndia
  3. 3.Department of Computer Convergence SoftwareKorea UniversitySejongSouth Korea
  4. 4.Department of Information and Communication EngineeringYeungnam UniversityGyeongsanSouth Korea

Personalised recommendations