Abstract
In mobile multi-server authentication, a client can access different servers over an insecure channel, such as the Internet or a wireless network, for numerous online applications. Several multi-server authentication schemes for mobile clients have been devised in the literature. However, most of them are insecure against the ephemeral secret leakage (ESL) attack and have other vulnerabilities. For mutual authentication and key agreement, the mobile client and the server use ephemeral secrets (random numbers), and leakage of these secrets may be possible in practice, since they are generated by an external source that may be controlled by an adversary and are generally pre-computed and stored in insecure devices. If the secrets are leaked, the session key becomes known and the private keys of the client and server may be compromised from the eavesdropped messages. This is called the ESL attack. To overcome these weaknesses, in this paper we design an ESL attack-free identity-based mutual authentication and key agreement scheme for the mobile multi-server environment. The proposed scheme is analyzed and proven secure in the random oracle model under the Computational Diffie–Hellman assumption.
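The leakage effect described in the abstract, shown as an added example that is not the paper's scheme: a generic Schnorr-style challenge-response on secp256k1 in which a leaked ephemeral secret exposes the long-term key, next to a variant that derives the nonce from both the ephemeral value and the long-term key. The function names, the choice of curve and the hash-based hardening are assumptions made for illustration.

```python
import hashlib, secrets

# secp256k1: y^2 = x^3 + 7 over F_P, base point G of prime order N
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, A):  # double-and-add; not constant time, demo only
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def respond(x, r_raw, c, hardened):
    """Client answer (R, s) to challenge c, as seen on the wire."""
    r = r_raw
    if hardened:  # derive the nonce from r_raw AND the long-term key x
        d = hashlib.sha256(r_raw.to_bytes(32, "big") + x.to_bytes(32, "big"))
        r = int.from_bytes(d.digest(), "big") % N or 1
    return mul(r, G), (r + x * c) % N

def verify(X, R, s, c):  # server check: s*G == R + c*X
    return mul(s, G) == add(R, mul(c, X))

def key_from_leak(r_raw, s, c):
    """(s - r_raw) / c mod N: equals x only if r_raw was the real nonce."""
    return (s - r_raw) * pow(c, -1, N) % N

if __name__ == "__main__":
    x, r_raw, c = (secrets.randbelow(N - 1) + 1 for _ in range(3))  # constructed
    for hardened in (False, True):
        R, s = respond(x, r_raw, c, hardened)
        print(hardened, verify(mul(x, G), R, s, c), key_from_leak(r_raw, s, c) == x)
```

In the plain variant the leaked value and one eavesdropped response are enough to compute the private key; in the hardened variant both responses still verify, but the leaked value alone no longer determines the nonce.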
Cite this article
Islam, S.H. A Provably Secure ID-Based Mutual Authentication and Key Agreement Scheme for Mobile Multi-Server Environment Without ESL Attack. Wireless Pers Commun 79, 1975–1991 (2014). https://doi.org/10.1007/s11277-014-1968-8
DOI: https://doi.org/10.1007/s11277-014-1968-8