Abstract
Research has proven that accomplishing security properties while improving performance of an authentication protocol is a challenging task. Numerous authentication protocols proposed in the recent times are still behind in achieving the concrete objectives. Qi et al. and Lu et al. recently proposed two-factor authenticated key-agreement protocols for client–server architecture. This paper revisits their protocols and analyzes the shortcomings of such approaches. We also propose an improved authenticated key agreement protocol for client–server environment to defeat mentioned weaknesses of existing protocols that are discussed in related works. The rigorous security analysis using Burrows–Abadi–Needham logic, formal security verification using Real-OR-Random model, simulations using the Automated Validation of Internet Security Protocols and Applications tool, and the informal security analysis shows that the proposed protocol is secure. Additionally, we summarize the results to ensure that the proposed protocol is efficient compared to the existing related protocols.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Abdalla M, Fouque P, Pointcheval D (2005) Password-based authenticated key exchange in the three-party setting. 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, pp. 65–84
An Y (2012) Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. Biomed Res Int. https://doi.org/10.1155/2012/519723
Armando A, Basin D… Mödersheim S (2005) The AVISPA tool for the automated validation of internet security protocols and applications. In: International Conference on Computer Aided Verification, pp. 281–285
AVISPA Team (2006) AVISPA V1.1 User Manual, [Online]. Available: http://www.avispa-project.org/package/user-manual.pdf Accessed Dec 2015
Basin D, Mödersheim S, Vigano L (2005) OFMC: a symbolic model checker for security protocols. Int J Inf Secur 4(3):181–208
Burrows M, Abadi M, Needham R R (1990) A logic of authentication. ACM Trans Comput Syst 8(1):18–36
Cao L, Ge W (2015) Analysis and improvement of a multi-factor biometric authentication scheme. Secur Commun Netw 8(4):617–625
Chan CK, Cheng LM (2000) Cryptanalysis of a remote user authentication scheme using smart cards. IEEE Trans Consum Electron 46(4):992–993
Chang CC, Le HD (2016) A Provably secure, efficient and flexible authentication scheme for ad hoc wireless sensor networks. IEEE Trans Wireless Commun 15(1):357–366
Chang YF, Tai WL, Chang HC (2014) Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update. Int J Commun Syst 27(11):3430–3440
Chaturvedi A, Mishra D, Jangirala S, Mukhopadhyay S (2017) A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme. J Inf Secur Appl 32:15–26
Chen CL, Lee CC, Hsu CY (2012) Mobile device integration of a fingerprint biometric remote authentication scheme. Int J Commun Syst 25(5):585–597
Chen BL, Kuo WC, Wuu LC (2014) Robust smart-card-based remote user password authentication scheme. Int J Commun Syst 27(2):377–389
Chien HY, Jan JK, Tseng YM (2001) A modified remote login authentication scheme based on geometric approach. J Syst Softw 55(3):287–290
Chou CH, Tsai KY, Lu CF (2013) Two ID-based authenticated schemes with key agreement for mobile environments. J Supercomput 66(2):973–988
Das AK (2011) Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf Secur 5(3):145–151
Das AK, Goswami A (2015) A robust anonymous biometric-based remote user authentication scheme using smart cards. J King Saud Univ-Comput Inf Sci 27(2):193–210
Das AK, Wazid M, Kumar N, Khan MK, Choo KKR, Park Y (2017) Design of secure and lightweight authentication protocol for wearable devices environment. IEEE J Biomed Health Inform, https://doi.org/10.1109/JBHI.2017.2753464
Debiao H, Jianhua C, Jin H (2012) An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security. Inf Fusion 13(3):223–230
Dodis Y, Reyzin L, Smith A (2004) Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. Advances in cryptology-eurocrypt 2004. Interlaken, Springer-Verlag, Berlin, Heidelberg, pp 523–540
Dolev D, Yao A (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208
Fan CI, Lin YH (2009) Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics. IEEE Trans Inf Forensics Secur 4(4):933–945
Farash MS (2016) Security analysis and enhancements of an improved authentication for session initiation protocol with provable security. Peer-to-Peer Netw Appl 9(1):82–91
Farash MS, Attari MA (2014) A secure and efficient identity-based authenticated key exchange protocol for mobile client–server networks. J Supercomput 69(1):395–411
Gope P (2017) Enhanced secure mutual authentication and key agreement scheme with user anonymity in ubiquitous global mobility networks. J Inf Secur Appl 35:160–167
Gope P, Das AK (2017) Robust anonymous mutual authentication scheme for n-times ubiquitous mobile cloud computing services. IEEE Internet Things J 4(5):1764–1772
Gope P, Hwang T (2016a) An efficient mutual authentication and key agreement scheme preserving strong anonymity of the mobile user in global mobility networks. J Netw Comput Appl 62:1–8
Gope P, Hwang T (2016b) Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks. IEEE Syst J 10(4):1370–1379
Goutham RA, Lee GJ, Yoo KY (2015) An anonymous ID-based remote mutual authentication with key agreement protocol on ECC using smart cards. In Proceedings of the 30th Annual ACM Symposium on Applied Computing, pp. 169–174
Han L, Tan X, Wang S, Liang X (2016) An efficient and secure three-factor based authenticated key exchange scheme using elliptic curve cryptosystems. Peer-to-Peer Netw Appl 11(1): 63–73
He D (2012) An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings. Ad Hoc Netw 10(6):1009–1016
Hsieh WB, Leu JS (2012) Exploiting hash functions to intensify the remote user authentication scheme. Comput Secur 31(6):791–798
Irshad A, Chaudhry SA, Kumari S, Usman M, Mahmood K, Faisal MS (2017a) An improved lightweight multiserver authentication scheme. Int J Commun Syst, 30(17)
Irshad A, Sher M, Nawaz O, Chaudhry SA, Khan I, Kumari S (2017b) A secure and provable multi-server authenticated key agreement for TMIS based on Amin et al. scheme. Multimed Tools Appl 76(15):16463–16489
Irshad A, Sher M, Ashraf MU, Alzahrani BA, Wu F, Xie Q, Kumari S (2017c) An Improved and Secure Chaotic-Map Based Multi-server Authentication Protocol Based on Lu et al. and Tsai and Lo’s Scheme. Wireless Pers Commun 95(3):3185–3208
Irshad A, Kumari S, Li X, Wu F, Chaudhry SA, Arshad H (2017d) An improved SIP authentication scheme based on server-oriented biometric verification. Wireless Pers Commun 97(2):2145–2166
Islam SH, Biswas GP (2011) A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. J Syst Softw 84(11):1892–1898
Islam SH, Biswas GP (2014) Dynamic id-based remote user mutual authentication scheme with smartcard using elliptic curve cryptography. J Electron 31(5):473–488
Jan JK, Chen YY (1998) “Paramita wisdom” password authentication scheme without verification tables. J Syst Softw 42(1):45–57
Jiang Q, Ma J, Li G, Li X (2015) Improvement of robust smart-card-based password authentication scheme. Int J Commun Syst 28(2):383–393
Khan MK, Zhang J, Wang X (2008) Chaotic hash-based fingerprint biometric remote user authentication scheme on mobile devices. Chaos Solitons Fractals 35(3):519–524
Khan MK, Kumari S, Gupta MK (2014) More efficient key-hash based fingerprint remote authentication scheme using mobile device. Computing 96(9):793–816
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. Advances in Cryptology—CRYPTO’99, pp 388–397
Kumari S, Khan MK (2014) Cryptanalysis and improvement of ‘a robust smart-card-based remote user password authentication scheme’. Int J Commun Syst 27(12):3939–3955
Kumari S, Khan MK, Li X (2014) An improved remote user authentication scheme with key agreement. Comput Electr Eng 40(6):1997–2012
Kumari S, Chaudhry SA, Wu F, Li X, Farash MS, Khan MK (2017) An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Netw Appl 10(1):92–105
Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772
Li CT, Hwang MS (2010) An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 33(1):1–5
Li X, Niu JW, Ma J, Wang WD, Liu CL (2011) Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 34(1):73–79
Li X, Niu J, Khan MK, Liao J (2013) An enhanced smart card based remote user password authentication scheme. J Netw Comput Appl 36(5):1365–1371
Li X, Niu J, Wang Z, Chen C (2014) Applying biometrics to design three-factor remote user authentication scheme with key agreement. Secur Commun Netw 7(10):1488–1497
Liao IE, Lee CC, Hwang MS (2006) A password authentication scheme over insecure networks. J Comput Syst Sci 72(4):727–740
Lu Y, Li L, Peng H, Yang Y (2016) Robust anonymous two-factor authenticated key exchange scheme for mobile client-server environment. Secur Commun Netw 9(11):1331–1339
Luo M, Zhang Y, Khan MK, He D (2017) A secure and efficient identity-based mutual authentication scheme with smart card using elliptic curve cryptography. Int J Commun Syst, 30(16)
Lv C, Ma M, Li H, Ma J, Zhang Y (2013) A novel three-party authenticated key exchange protocol using one-time key. J Netw Comput Appl 36(1):498–503
Madhusudhan R, Mittal RC (2012) Dynamic ID-based remote user password authentication schemes using smart cards: a review. J Netw Comput Appl 35(4):1235–1248
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
Mishra D, Das AK, Mukhopadhyay S (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 41(18):8129–8143
Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10(9):1953–1966
Pippa RS, Jaidhar CD, Tapaswi S (2010) Comments on symmetric key encryption based smart card authentication scheme. In 2nd IEEE International Conference on Computer Technology and Development, pp. 482–484
Qi M, Chen J (2017) An efficient two-party authentication key exchange protocol for mobile environment. Int J Commun Syst, 30(16)
Reddy AG, Das AK, Odelu V, Yoo KY (2016a) An enhanced biometric based authentication with key-agreement protocol for multi-server architecture based on elliptic curve cryptography. PloS one 11(5):e0154308
Reddy AG, Das AK, Yoon EJ, Yoo KY (2016b) A secure anonymous authentication protocol for mobile services on elliptic curve cryptography. IEEE Access 4:4394–4407
Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV (2016) Secure biometric-based authentication scheme using chebyshev chaotic map for multi-server environment. IEEE Trans Dependable Secure Comput. https://doi.org/10.1109/TDSC.2016.2616876
Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV (2017a) On the design of provably secure lightweight remote user authentication scheme for mobile cloud computing services. IEEE Access 5(1):25808–25825. https://doi.org/10.1109/ACCESS.2017.2764913
Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumari S, Jo M (2017b) Chaotic map-based anonymous user authentication scheme with user biometrics and fuzzy extractor for crowdsourcing internet of things. IEEE Internet Things J. https://doi.org/10.1109/JIOT.2017.2714179
Song R (2010) Advanced smart card based password authentication protocol. Comput Stand Interfaces 32(5):321–325
Sood SK, Sarje AK, Singh K (2010) An improvement of Xu et al.’s authentication scheme using smart cards. In: Proceedings of the third annual ACM Bangalore conference on communications, pp. 15
SPAN-Security Protocol Animator for AVISPA, [Online]. Available: http://www.irisa.fr/celtique/genet/span/. Accessed Dec 2016
Tan K, Zhu H (1999) Remote password authentication scheme based on cross-product. Comput Commun 22(4):390–393
Tu H, Kumar N, Chilamkurti N, Rho S (2015) An improved authentication protocol for session initiation protocol using smart card. Peer-to-Peer Netw Appl 8(5):903–910
Tzong-Chen W, Hung-Sung S (1996) Authenticating passwords over an insecure channel. Comput Secur 15(5):431–439
Wang D, Wang P (2015) Offline dictionary attack on password authentication schemes using smart cards. In: Desmedt Y (eds) Information Security. Lecture Notes in Computer Science, vol 7807. Springer, Cham, pp 221–237
Wang YY, Liu JY, Xiao FX, Dan J (2009) A more efficient and secure dynamic ID-based remote user authentication scheme. Comput Commun 32(4):583–585
Wang RC, Juang WS, Lei CL (2011) Robust authentication and key agreement scheme preserving the privacy of secret key. Comput Commun 34(3):274–280
Wang D, Wang N, Wang P, Qing S (2015a) Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf Sci 321:162–178
Wang D, He D, Wang P, Chu CH (2015b) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secure Comput 12(4):428–442
Wazid M, Das AK, Odelu V, Kumar N, Susilo W (2017) Secure remote user authenticated key establishment protocol for smart home environment. IEEE Trans Dependable Secure Comput. https://doi.org/10.1109/TDSC.2017.2764083
Wen F, Li X (2012) An improved dynamic ID-based remote user authentication with key agreement scheme. Comput Electr Eng 38(2):381–387
Wu TC (1995) Remote login authentication scheme based on a geometric approach. Comput Commun 18(12):959–963
Wu TY, Tseng YM (2010) An efficient user authentication and key exchange protocol for mobile client–server environment. Comput Netw 54(9):1520–1530
Wu F, Xu L, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client–server networks. Comput Electr Eng 45:274–285
Xie Q, Dong N, Wong DS, Hu B (2016) Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol. Int J Commun Syst 29(3):478–487
Xie Q, Tang Z, Chen K (2017) Cryptanalysis and improvement on anonymous three-factor authentication scheme for mobile networks. Comput Electr Eng 59:218–230
Xu J, Zhu WT, Feng DG (2009) An improved smart card based password authentication scheme with provable security. Comput Stand Interfaces 31(4):723–728
Yang JH, Chang CC (2009) An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. Comput Secur 28(3):138–143
Yeh HL, Chen TH, Hu KJ, Shih WK (2013) Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric data. IET Inf Secur 7(3):247–252
Yoon EJ, Yoo KY (2009) Robust id-based remote mutual authentication with key agreement scheme for mobile devices on ECC. In: IEEE International Conference on Computational Science and Engineering CSE’09, pp 633–640
Zhang L, Tang S, Cai Z (2014) Efficient and flexible password authenticated key agreement for voice over internet protocol session initiation protocol using smart card. Int J Commun Syst 27(11):2691–2702
Acknowledgements
This work was supported by the faculty research fund of the Sejong University in 2017. The authors would like to thank the anonymous reviewers for their valuable comments and suggestions that helped us to improve the presentation and quality of the paper.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interests.
Rights and permissions
About this article
Cite this article
Reddy, A.G., Das, A.K., Odelu, V. et al. A Privacy Preserving three-factor authenticated key agreement protocol for client–server environment. J Ambient Intell Human Comput 10, 661–680 (2019). https://doi.org/10.1007/s12652-018-0716-4
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12652-018-0716-4