An Enhanced User Authentication Protocol Based on Elliptic Curve Cryptosystem in Cloud Computing Environment



Introduction
With the development of IT technology, cloud computing has become one of the hottest research directions in recent years. As a new type of service, cloud computing is being rapidly integrated into our daily lives thanks to its high scalability, high service efficiency, and low cost [1]. It has fundamentally changed the traditional model in which service providers provide services and consumers access resources: a cloud computing service provider (such as Google, Microsoft, or Amazon) effectively improves resource utilization by centralizing demand, while consumers not only gain convenient access to resources but also reduce their costs by paying on demand. Therefore, more and more big firms build their own cloud platforms and provide services, including Google App Engine, Amazon Web Services, and IBM SmartCloud [2]. Furthermore, both individuals and small companies enjoy the benefits of cloud services. Generally speaking, there are three kinds of cloud services: (1) IaaS, Infrastructure as a Service, which provides users with infrastructure such as storage and networks; (2) PaaS, Platform as a Service, which provides users with a platform on which to develop various applications; (3) SaaS, Software as a Service, which provides users with software applications [3,4].
However, with the increasing popularity of cloud services, security issues have become more prominent; how to protect user privacy and prevent data from being illegally accessed has become a challenging problem and a research hotspot. The first step in solving these issues is user authentication, which verifies the authenticity of the communication participants. A secure user authentication scheme first verifies the authenticity of the user when he/she applies to access the cloud data; then, to prevent a malicious cloud server from tricking users, the validity of the cloud server is checked; once the identities of the user and the cloud server are confirmed, a session key is established to encrypt the communication messages.
Generally speaking, there are three ways to authenticate a user, based on the following: (1) what you know (such as a password); (2) what you have (such as a smart card); (3) who you are (such as a biometric characteristic: fingerprint or iris). Due to their simplicity and practicality, passwords have been used most widely. However, a password-based authentication protocol has an inherent flaw: it cannot resist offline dictionary guessing attacks. Consequently, the smart card is used as a factor to help enhance security [5][6][7][8][9]. A scheme that combines two factors (such as a password and a smart card) is called a two-factor user authentication scheme. The participants of a two-factor authentication scheme in the cloud computing environment are a user, a cloud server, and a register authority. Note that, among the three participants, only the register authority is trusted. At first, the user and the cloud server register with the register authority, respectively. Then the register authority sends the user a smart card containing some sensitive information and negotiates a shared secret parameter with the cloud server. Later on, when the user initiates an access request to the cloud server in the login phase, the three participants authenticate themselves to each other. If they are all authenticated, the user is allowed to access the cloud server.
Motivations. In 2013, Yang et al. [10] set out to design a secure authentication scheme for the cloud computing environment, but their scheme is vulnerable to dictionary attack. Yang et al. [11] then proposed a new scheme; unfortunately, Chen et al. [12] showed that this scheme is not secure against insider attack and impersonation attack and proposed a new version, which was once again broken by Wang et al. [13]. Wang et al. [13] pointed out that Chen et al.'s scheme [12] is subject to offline dictionary attack and impersonation attack. Most recently, Amin et al. [3] identified security weaknesses in the schemes of Xue et al. [14] and Chuang et al. [15], revealing that the two schemes fail to provide user anonymity and forward secrecy and cannot resist offline password guessing attack, among other problems. Therefore, they designed a new scheme that claims to overcome the security flaws of the two schemes and to be secure against various attacks. However, after a scrutiny of Amin et al.'s scheme, we found that their scheme still cannot overcome the security threats they themselves identified.
In recent years, considerable effort has been devoted to secure and practical authentication schemes for the cloud computing environment, with typical schemes including [16][17][18][19], yet most of them have been found to have security flaws of one kind or another. Designing a secure authentication scheme for the cloud computing environment is still a challenge. With the widespread use of cloud computing, the potential security threats will cause greater harm. This unsatisfactory situation motivates us to explore the inherent reasons for the failure of those schemes, find the basic method to fix the security flaws, and design a robust and efficient user authentication protocol for the cloud computing environment.
Our contributions. Amin et al.'s scheme [3] is a very typical scheme that suffers from the common attacks, while its structure is widely accepted. So we take Amin et al.'s protocol as a case study to elaborate the common issues (and their corresponding solutions) in most authentication schemes and to provide rationales for designing a secure cloud environment protocol. In addition, based on the analysis, we design a secure authentication protocol. In short, our contributions can be summarized as follows: (1) We demonstrate that Amin et al.'s scheme [3] fails to achieve user anonymity and forward secrecy and cannot resist offline dictionary attack.
(2) We discuss the inherent reasons for the identified flaws and their corresponding solutions; furthermore, we observe that deploying a public key algorithm correctly is challenging. Therefore, we show the essential points for deploying public key algorithms.
(3) We improve Amin et al.'s scheme in two aspects, security and efficiency, prove the security of our scheme via BAN logic and heuristic analysis, and, finally, compare our scheme with other related schemes. The results show that our scheme is more suitable for the cloud computing environment.
The remainder of this paper is organized as follows: Section 2 sketches the complexity assumptions and extends the adversary model; Amin et al.'s scheme is reviewed and analyzed in Section 3; in Section 4, we propose a secure scheme and elaborate on its design rationales; Section 5 proves the security of our scheme; in Section 6, we compare our scheme with other related schemes; finally, the conclusion is drawn in Section 7.

Preliminary
This section introduces the preliminaries of the paper, including the complexity assumptions used in designing a scheme and some notations and abbreviations.

Computational Problems.
Given two large primes  and , let F  be a finite field, /F  be an elliptic curve over F  , and G be a -order subgroup of /F  . For ,  ∈  *  and a point  in G, we define the following problems: (1) Elliptic curve discrete logarithm (ECDL) problem: given (, ), it is infeasible to compute  within polynomial time.
(2) Elliptic curve computational Diffie-Hellman (ECCDH) problem: given (, ), it is infeasible to compute  within polynomial time.
(6) know the long-term secret key  when considering forward secrecy. As both distributed systems and cloud computing systems have similar network environments, their adversary models are also similar. Therefore, we adopt Wang et al.'s adversary model [20], which has been accepted by various schemes [21][22][23].

Notations and Abbreviations.
As shown in Table 1, we summarize the notations and abbreviations used in this paper.

Cryptanalysis of Amin et al.'s Scheme
After identifying the security pitfalls in two other user authentication schemes, Amin et al. [3] attempted to design a new lightweight protocol for the cloud computing environment. After analyzing their scheme with the AVISPA tool, they claimed the new scheme achieves forward security while resisting various attacks. However, this section will show that, under the assumptions on adversary capabilities in Section 2.2, their scheme cannot provide forward security and is subject to two kinds of offline dictionary attack [27], among other problems. Thus their scheme is not a truly two-factor scheme. To address these issues, this section first reviews the scheme of Amin et al. [3] and then analyzes it.

Review of Amin et al.'s Scheme.
This section briefly reviews the scheme of Amin et al. [3]; their scheme consists of five phases. As the password change phase and the identity update phase are of little relevance here, we omit them. Furthermore, we adjust some symbols of their scheme for ease of reading and for consistency throughout the paper.
(2) User Registration Phase. Step
Amin et al. [3] do not specify an adversary model; however, from their attacks on the schemes of Xue et al. [14] and Chuang et al. [15], we can infer their adversary model, which is subsumed by our model (see Section 2.2). Although Amin et al.'s scheme [3] provides many admirable features, such as changing the password locally and high efficiency, it still suffers from various attacks, like most authentication protocols for the cloud computing environment. Therefore, their scheme is a typical case with which to show the security threats in the cloud environment. Through Amin et al.'s scheme, we can gain insight into the inherent reasons for the failure of other authentication protocols for the cloud and, based on that, learn to design a secure one. In brief, this section, on the one hand, demonstrates that Amin et al.'s scheme [3] is vulnerable to various attacks and, on the other hand, indicates the reasons for its failure.
Off-Line Dictionary Attack I. (i) The adversary's capability: it obtains the message {  ,   ,   , } stored in   's smart card.
(ii) The attack steps: the steps are as follows.
Step 1. Guess   to be  *  and   to be  *  . Note that it is quite realistic for A to obtain the password and identity simultaneously, because their spaces are limited [28].
Step 7. Verify the correctness of   and   by checking if ).
Step 8. Repeat steps 1 ∼ 6 until the correct values of   and   are found.

(iii) The time complexity: O(|D , where   is the running time of one hash operation.
Remark. Generally speaking, achieving two-factor security is the most essential requirement of a two-factor authentication protocol; that is, the compromise of either factor must not endanger the security of the other factor, which in turn would threaten the entire system. In recent years, many protocols have tried to achieve two-factor security, but most have failed. It was not until the work of Ma et al. [29] and Wang et al. [20,30] that this stagnant situation was completely changed. In 2012, Ma et al. [29] pointed out that a public key algorithm is necessary to design a secure two-factor authentication scheme; in 2015, Wang et al. [20] found that there is a conflict between changing the password locally and resisting smart card loss attack under current techniques; therefore, Wang et al. [30] put forward the "honeywords" + "fuzzy-verifier" approach to resolve the conflict; in 2016, Wang et al. [27] further pointed out that there are two kinds of offline dictionary attack and, combining the results of [29,30], matched a corresponding solution to each attack.
In this paper, we follow the classification of Wang et al. [27] and demonstrate that Amin et al.'s scheme [3] cannot resist either kind of dictionary attack. Looking back at the above attack process, we find that the crux of the problem is that A can find the verification value   with which to check the correctness of the guessed result. According to Wang et al. [30], this issue can be settled by integrating the "fuzzy-verifier" and "honeywords": let ). A detailed explanation of this method can be found in Section IV of [30] or Section 5.2 of this paper.
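As an added illustration of the fuzzy-verifier and honeywords countermeasure discussed in this remark (and applied in the registration phase of Section 4.1, where the register authority computes a verifier reduced mod n0 and records login failures), the following Python example is ours, not code from the paper. It contrasts a card that stores a full-width verifier with one that stores the fuzzy verifier, counts how many (ID, PW) pairs from a constructed dictionary remain consistent with the stolen value, and then shows the server-side failure counter cutting off the online trials that remain. SHA-256 stands in for h(·); the dictionary and the salt are constructed; the names N0, SUSPEND_AFTER and RegisterAuthority are ours; and the server-side check is simplified to a salted hash, whereas the paper's scheme checks through its secret-key-derived values.

```python
import hashlib
import itertools
import secrets

N0 = 2 ** 8            # fuzzy-verifier modulus; the paper allows 2^4 <= n0 <= 2^8 (name N0 is ours)
SUSPEND_AFTER = 10     # Honey_List failure threshold (assumed; the paper fixes no number)


def h_int(*parts: bytes) -> int:
    """Hash byte strings to an integer; SHA-256 stands in for the paper's h(.)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def exact_verifier(identity: bytes, password: bytes, r_i: bytes) -> int:
    """Full-width h(ID || PW || r_i): a card holding this value confirms one guessed pair uniquely."""
    return h_int(identity, password, r_i)


def fuzzy_verifier(identity: bytes, password: bytes, r_i: bytes) -> int:
    """Fuzzy verifier h(ID || PW || r_i) mod n0: only log2(n0) bits survive, so many pairs collide."""
    return exact_verifier(identity, password, r_i) % N0


def consistent_pairs(stored: int, check, id_space, pw_space):
    """Every dictionary (ID, PW) pair that agrees with a value read from a stolen card."""
    return [(i, p) for i, p in itertools.product(id_space, pw_space) if check(i, p) == stored]


class RegisterAuthority:
    """Server side of the countermeasure: Honey_List records login failures per user."""

    def __init__(self):
        self.honey_list = {}   # pseudo-identity -> [r_i, server-side verifier, failure count]

    def register(self, pid: bytes, identity: bytes, password: bytes) -> bytes:
        r_i = secrets.token_bytes(16)
        # Simplification: a salted full hash models the scheme's secret-key-based check.
        self.honey_list[pid] = [r_i, exact_verifier(identity, password, r_i), 0]
        return r_i                      # r_i is also written to the card

    def login(self, pid: bytes, identity: bytes, password: bytes) -> str:
        entry = self.honey_list[pid]
        if entry[2] >= SUSPEND_AFTER:
            return "suspended"
        if exact_verifier(identity, password, entry[0]) == entry[1]:
            entry[2] = 0
            return "ok"
        entry[2] += 1
        return "rejected"


def demo():
    """Contrast the two verifier designs on a constructed 200 x 100 (ID, PW) dictionary."""
    id_space = [f"user{i}".encode() for i in range(200)]
    pw_space = [f"pw{i}".encode() for i in range(100)]
    true_id, true_pw = b"user42", b"pw7"
    ra = RegisterAuthority()
    r_i = ra.register(b"pid-42", true_id, true_pw)

    # Card stores the full hash: the stolen card pins down exactly one pair offline.
    exact_hits = consistent_pairs(exact_verifier(true_id, true_pw, r_i),
                                  lambda i, p: exact_verifier(i, p, r_i), id_space, pw_space)
    # Card stores the fuzzy verifier: about 20000 / n0 pairs remain, so offline checking stalls.
    fuzzy_hits = consistent_pairs(fuzzy_verifier(true_id, true_pw, r_i),
                                  lambda i, p: fuzzy_verifier(i, p, r_i), id_space, pw_space)

    # The remaining candidates must be tried online, where Honey_List stops the attempt.
    wrong = [c for c in fuzzy_hits if c != (true_id, true_pw)]
    outcomes = [ra.login(b"pid-42", i, p) for i, p in wrong[:SUSPEND_AFTER]]
    return {
        "exact_candidates": len(exact_hits),
        "fuzzy_candidates": len(fuzzy_hits),
        "true_pair_survives": (true_id, true_pw) in fuzzy_hits,
        "online_outcomes": outcomes,
        "true_pair_after_lockout": ra.login(b"pid-42", true_id, true_pw),
    }


if __name__ == "__main__":
    print(demo())
```

With the full-width verifier the stolen card leaves a single candidate, which is exactly the situation exploited in the attack above; with the fuzzy verifier roughly 20000/n0 pairs are equally consistent, so the card holder gains nothing offline and has to go online, where the register authority suspends the card after SUSPEND_AFTER wrong attempts, even if the correct pair is tried afterwards.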
(ii) The attack steps: the steps are as follows.
Step 1. Guess   to be  *  and   to be  *  .
Step 6. Compute  *  = ℎ(  ‖   ‖  *  ‖   ‖  *  ). Note that Amin et al. [3] regard   as a secret known only to the legitimate user. However, this is not practical: A can at least register as a legitimate user to obtain   .
Step 7. Verify the correctness of   and   by checking if ( *  ==   ).
Step 8. Repeat steps 1 ∼ 6 until the correct values of   and   are found.

(iii) The time complexity:
Remark. In this attack, the pivotal parameter is   . For adversary A, the only challenge in computing   is the value of   , which can be derived from (  ,   ), so once A guesses the value of (  ,   ), he/she can check its correctness via   . Now consider a situation in which   consists of the shared secret   and another nonpublic dynamic parameter that cannot be derived from (  ,   ). In this situation, A can no longer use   to check the guessed value, since there is another uncertain parameter besides   . Consequently, constructing such a dynamic parameter, known to   and , is our critical step in addressing this attack. Taking into account Ma et al.'s emphasis [29] on the necessity of a lightweight public-key algorithm in designing a secure authentication protocol, we apply a lightweight public-key algorithm to construct such a dynamic parameter. Our specific ideas for countering this attack are shown in Section 4.
User anonymity: these days user anonymity has become one of the security issues that people are widely concerned about, especially in cloud computing and the Internet of Things, which involve massive amounts of data. The adversary can acquire people's sensitive personal information in various ways, including analyzing the session transcripts in the open channel when services are accessed [31]. Moreover, with the development of technology, the adversary may even trace users' movements and learn the location of their home or company, which poses a huge potential threat [32]. Under these circumstances, user anonymity is a pivotal attribute of an authentication scheme for protecting user privacy.
Generally speaking, user anonymity covers two aspects [31]: (1) user identity protection; (2) user untraceability. The former requires that the scheme does not expose users' identities; the latter prevents an adversary from linking session transcripts to a specific user or distinguishing the sessions sent by different users. This definition of user anonymity is widely applied in most authentication schemes [8,24,33,34]. Unfortunately, in Amin et al.'s scheme, the parameter   that identifies the user is a static value exposed in the insecure channel, which means the adversary can trace   via   . Consequently, Amin et al.'s scheme cannot provide user anonymity. As we can see, one of the keys to achieving user anonymity is concealing the real identity with a dynamic parameter. The way to implement this is called the dynamic-ID technique [20]. Following Wang et al.'s suggestion [31], we employ the dynamic-ID technique to protect user anonymity by applying a lightweight public-key algorithm to the authentication scheme, as described in Section 4.
(ii) The attack steps: the steps are as follows.

(iii) The time complexity: O(|D
Remark. In Amin et al.'s scheme [3], there are two secret keys (, ) in the register authority. We have shown that the leakage of the long-term key  leads to the exposure of previous session keys. In the following attack, we see that the leakage of  leads to the same problem. As a result, the use of two system parameters is of little significance but consumes resources.
(ii) The attack steps: the steps are as follows.

(iii) The time complexity:
Remark. When considering forward secrecy, the adversary has almost the same capability as  except that A does not know the verifier table. As a result, if  can compute the session key by following the processes of the scheme, then A is very likely to be able to break the session key. For the above reasons, we do not recommend that  have the ability to calculate session keys. To achieve this, a public-key algorithm is suggested as well [29]. The more concrete improved methods are explained in Section 4.
Other flaws: using timestamps to resist replay attack is not recommended. As we all know, due to network congestion, network latency, or other issues, maintaining a consistent clock across different systems is very difficult, which often results in desynchronization attacks. As a matter of fact, many papers [20,30] point out in their evaluation criteria that a protocol using timestamps cannot resist desynchronization attacks. Furthermore, determining an appropriate value of Δ always faces many challenges in practice: if this value is too big, a replay attack becomes possible; if it is too small, a valid participant may be rejected. Therefore, in protocol design, the use of random numbers is usually the more recommended way. Unfortunately, the timestamp method is applied in Amin et al.'s scheme.
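To make the Δ trade-off concrete, here is an added Python example (ours, not from the paper) that runs a timestamp-window check and a server-chosen random-number check over the same constructed message. DELTA is an assumed window of 5 seconds, the clock offset models a drifted server clock, and an HMAC over the message fields stands in for the hash over shared secrets that the protocols under discussion use.

```python
import hashlib
import hmac
import secrets

DELTA = 5   # acceptance window in seconds for the timestamp check (assumed value)


def tag(key: bytes, *parts: bytes) -> str:
    """Keyed hash over the message fields; stands in for the scheme's h(.) over shared secrets."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()


class TimestampServer:
    """Freshness judged only by |T_now - T_msg| <= DELTA, as in a timestamp-based protocol."""

    def __init__(self, key: bytes, clock_offset: int = 0):
        self.key = key
        self.clock_offset = clock_offset   # models a server clock that has drifted

    def accept(self, message, true_time: int) -> str:
        t, m = message
        if m != tag(self.key, str(t).encode()):
            return "bad tag"
        if abs((true_time + self.clock_offset) - t) > DELTA:
            return "stale"
        return "accepted"


class NonceServer:
    """Freshness from a server-chosen random number that is consumed on first use."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()

    def challenge(self) -> str:
        n = secrets.token_hex(16)
        self.pending.add(n)
        return n

    def accept(self, message) -> str:
        n, m = message
        if n not in self.pending:
            return "replayed or unknown nonce"
        self.pending.discard(n)            # a challenge answers exactly one login
        return "accepted" if m == tag(self.key, n.encode()) else "bad tag"


def demo():
    """Same captured message against both freshness mechanisms (inputs constructed)."""
    key = b"constructed-shared-secret"
    t0 = 1_000_000                        # constructed sender timestamp
    msg = (t0, tag(key, str(t0).encode()))
    out = {}
    ts = TimestampServer(key)
    out["ts_fresh"] = ts.accept(msg, t0 + 1)
    out["ts_replay_inside_window"] = ts.accept(msg, t0 + DELTA)     # replay passes
    out["ts_replay_after_window"] = ts.accept(msg, t0 + DELTA + 1)
    skewed = TimestampServer(key, clock_offset=DELTA + 1)
    out["ts_honest_but_skewed"] = skewed.accept(msg, t0)             # honest user refused
    ns = NonceServer(key)
    n = ns.challenge()
    reply = (n, tag(key, n.encode()))
    out["nonce_fresh"] = ns.accept(reply)
    out["nonce_replay"] = ns.accept(reply)                            # caught without any clock
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The timestamp server cannot tell a replay inside the window from a fresh message, and a clock drift larger than Δ makes it reject an honest sender; the nonce server needs no clock at all because each random challenge is accepted exactly once.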
Insecure identity update phase: similar to the process in "offline dictionary attack II" of Section 3.2, an adversary can carry out an offline dictionary attack using   or   as the verification parameter when   tries to update his/her identity.

The Proposed Scheme
In this section, we design a secure, simple, and efficient user authentication scheme for the cloud computing environment (as shown in Figures 1 and 2) which overcomes all the flaws of Amin et al.'s scheme [3] and provides more attractive attributes, such as updating the password and identity and user reregistration with the same identity. As a matter of fact, we improve Amin et al.'s scheme in two aspects, efficiency and security. The design rationales are sketched as follows.
(i) Improvements in Security. According to our discussion in Section 3.2, a public-key algorithm is indispensable to a secure two-factor user authentication scheme [20,29,31]. As a matter of fact, this view has been widely accepted by many new authentication schemes [26,30,35,36], while the main difficulty lies in deploying the public key algorithm properly. Consequently, we show the subtleties of deploying a public key algorithm in detail as follows.
Note that, owing to its high efficiency, the elliptic curve cryptosystem has been widely used in authentication schemes [21,[37][38][39]. Therefore, our scheme deploys the elliptic curve algorithm to achieve a secure authentication scheme. Under this circumstance, compared with Amin et al.'s scheme [3], our scheme adds a parameter initialization process to set the parameters of the elliptic curve cryptosystem.
(1) Apply a public-key algorithm to resist offline dictionary guessing attack II. In Section 3. (4) Follow Wang et al.'s way [30] of resisting offline dictionary attack I; as the detailed explanation of this method can be found in Section IV of [30], Section 6.2.4 of [24], or Section 5.2 of this paper, we do not repeat it here.
(ii) Improvements in Efficiency. Note that Amin et al.'s scheme [3] involves only some hash operations, while our scheme deploys a public-key algorithm, so the performance of our scheme is certainly not as efficient as Amin et al.'s scheme. However, apart from the increased cost of the public-key algorithm, we try to optimize other aspects of the performance of Amin et al.'s scheme by reducing unnecessary parameters or calculations as follows: (1) Reduce the number of random numbers selected by   to one during the user registration process. In Amin et al.'s scheme, there are two random numbers in the smart card. They can actually be derived from each other; in addition, the "ability" to compute them is the same, which means they are "equivalent". As a result, using one random number is enough, which saves storage space and computing resources.
(2) Reduce the number of secret keys in . As we saw in Section 3.2, the secret key  has little effect in improving security. Furthermore, it makes the registration phase of   and the authentication of   more complex. Therefore, we set only one system secret parameter and simplify the registration phase of   . Such changes also bring other improvements in computing performance.
4.1. Registration. The register authority selects two large primes {, } and a medium integer  0 (2^4 ≤  0 ≤ 2^8). Let F  be a finite field, /F  be an elliptic curve over F  , and G be a -order subgroup of /F  ; then  chooses a point  in G and a long-term secret key  ∈  *  and computes its public key  as . In our cloud computing environment, the cloud server and user registration phases are conducted as follows.
Step 3.   stores   as a secret key.

For the User U_i
Step 1.   ⇒ : {  ,   }. A new user   first selects a password   , an identity   , and a random number   as his/her personal information and then computes the registration parameters as follows:   = ℎ(  ‖   ),   = ℎ(  ‖   ); it then initiates the registration phase by submitting the request {  ,   } to .
Step 2. To guarantee the uniqueness of user identities,  first checks whether   has already been used by traversing  − . If it is available,  chooses a unique random number   for   and computes   = ℎ(  ‖  ‖   ),   = ℎ(  ‖   ‖   ) mod  0 ,   =   ⊕   , then enters   's related parameters {  ,   ,   = 0} into  − . Note that   records the number of login failures. Finally,  accepts   's registration by issuing him/her a smart card with {  ,   , ,  0 , ℎ(⋅)}.
Step 3.   inputs  into the card, where  = ℎ(  ‖   ) ⊕   .

Login Phase. As shown in Figure 1, if the user wants to access a cloud server,   submits the information to prove his/her legitimacy in the login phase. If the smart card has verified   's legality, it initiates the access request to  for   . In short, our login phase involves two aspects: (1) verifying the validity of   ; (2) initiating the access request.
Step
Step 2. Otherwise, the card accepts   's legitimacy and initiates an access request for   : select a random number

Authentication Phase.
Once it receives the access request,   performs some calculations to embed its unique parameters and forwards the request to , since it is unable to check the authenticity of the request itself. Then  checks the validity of the user and of the cloud server, respectively, and helps them negotiate the session key. The whole authentication procedure is as follows.
Otherwise,  authenticates   and then helps them establish the session key as follows: computes Note that   and   are used for   and   , respectively. They are used to verify the authenticity of  and then convince   /  that  2 / 2 is truly generated by   /  .
Step 4. On receiving this message,   first checks the validity of  by comparing ℎ( 1 ‖  2 ‖  *  ‖  2 ) with the received   . If they are equal,   trusts  and   , and then he/she computes their shared session key as ). The authentication phase now finishes successfully.

Password Change Phase.
Considering both security and user friendliness, our password change phase is conducted locally, which guarantees efficiency. In other words, the user can change his/her password freely even when he/she is not connected to the Internet. Our password change phase is performed as follows.
Step 2. The smart card verifies   's authenticity as in step 1 of Section 4.2. If   is authenticated, the card carries out the password change process as in step 3; otherwise, the card rejects this request.
Step

Identity Update Phase.
Consider the following situation: a user sets a phone number as his/her identity; when the phone number changes, the user may also want to update the identity. Therefore, similar to the password change, the user also needs to change the identity in practice, although this happens less often. Thus we provide the identity update phase as follows.
Step 2. The smart card verifies   's authenticity as in step 1 of Section 4.2. If   is not authenticated, the card rejects the request; otherwise the identity update process proceeds.
Step 3. As the   stored in  is related to   , the identity update phase involves interaction with . On this occasion, the smart card submits { 2 ,   ,   ,   } to  to request the identity update, where   is a random number,
Step
Step 2.  first finds   in  −  and checks whether   's card is suspended. If so,  accepts the request and performs the registration phase as in Section 4.1.

Security Analysis
In this section, we analyze the security of our scheme via two popular methods. The results demonstrate that our protocol is secure and effective for the cloud computing environment.

Formal Analysis Based on BAN Logic.
In this section, we apply BAN logic [40], a widely accepted way to analyze the design logic and security of an authentication scheme. Its particular notation for describing protocols is shown in Table 2.
In BAN logic, the goals of our authentication scheme are defined as follows: According to the proof steps in BAN logic, we restate our scheme in an idealized form: Then, some assumptions are defined as follows: Based on the definitions above, we perform the BAN logic proof as follows: From  2 ( 2 includes  1 ), it is easy to get  1 :  ⊲ ⟨ And according to  10 ,  18 , and (3), we get  20 : In conclusion, our scheme achieves Goals 1∼4, which ensures that (1)  and   have authenticated each other and (2) they negotiate the same session key .

Informal Analysis.
Looking at the history of protocol design, the heuristic method, owing to its simplicity and effectiveness, "still plays an important role" in the cryptanalysis of protocols [20], though it has no theoretical form and relies heavily on human experience. Therefore, this section gives the security analysis via the heuristic method.
User Anonymity. As we mentioned in Section 3.2, user anonymity covers two aspects, so we prove our user anonymity attribute from two points.
(1) A has no chance to acquire   . In our scheme, the identity is transmitted in the form of   where   =   ⊕ ℎ( 1 ),   = ℎ(  ‖   ). It is obvious that A faces two challenges in computing   : first, computing   from   ; then guessing   from   . Only a party holding   or  can compute ℎ( 1 ) successfully, and A has no way to get these two parameters. Furthermore, even with   , A still cannot conduct a guessing attack to compute   , for A does not know   .

Table 2 note, (4): the freshness-conjuncatenation rule. This rule is used in the proving process.
(2) A cannot track users: as discussed above, the user's unique identification is concealed in   . It consists of a dynamic parameter  1 whose value depends on   ; that is,   changes with   in every session. So A can neither link sessions to a specific user nor tell whether two sessions are sent by the same user.
Therefore our scheme achieves user anonymity.
Forward Secrecy. Forward secrecy requires that even if the long-term secret key is exposed, previous sessions remain secure. In our scheme, the session key  = ℎ( 2 ‖  2 ‖  3 ), where  3 =    2 =    2 =     . With the help of  and the parameters  2 and  2 intercepted from the open channel, if A wants to compute  3 , then he/she has to solve the ECCDH problem, which cannot be done in polynomial time. As a matter of fact, once A gets , A has almost the same capability as . If  cannot compute  in the scheme, A is probably not able to either. This again confirms our earlier view: for security reasons, we shall not let  know . All in all, our enhanced scheme provides forward secrecy.
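As an added example (ours, not code from the paper) covering the ECCDH assumption of Section 2.1, the dynamic-ID masking of point (1) above, and the forward-secrecy argument just given, the following Python block implements a toy elliptic curve and walks through both properties. The curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) is a textbook curve chosen so that the arithmetic stays visible, not the paper's parameters; the function names mask_identity, unmask_identity and session_key, the scalar names x, a1, a2, b and the identity string are ours; SHA-256 stands in for h(·). It shows that the register authority recovers the identity from DID = ID ⊕ h(K1), that two logins by the same user produce different DIDs, that both ends derive the same session key from ab·P, and that the leaked long-term key x applied to the transcript points does not give that key.

```python
import hashlib
import secrets

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 with base point G (textbook example,
# not the paper's parameters; real deployments use a standard curve with a large prime-order group).
P_MOD, A, B = 17, 2, 2
G = (5, 1)


def inv(a: int) -> int:
    return pow(a, -1, P_MOD)


def add(p, q):
    """Point addition on the curve; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k: int, p):
    """Double-and-add scalar multiplication k*P."""
    result = None
    while k:
        if k & 1:
            result = add(result, p)
        p = add(p, p)
        k >>= 1
    return result


def order(p) -> int:
    """Order of the cyclic group generated by p (the paper's q), computed rather than assumed."""
    n, q = 1, p
    while q is not None:
        q = add(q, p)
        n += 1
    return n


N = order(G)


def h(*parts) -> bytes:
    """SHA-256 stands in for the scheme's h(.); points are hashed via their string form."""
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def mask_identity(identity: bytes, r: int, server_pub):
    """User side (dynamic-ID): K1 = r*Y, DID = ID xor h(K1); the user sends (DID, R = r*P)."""
    return xor(identity, h(mul(r, server_pub))), mul(r, G)


def unmask_identity(did: bytes, R, server_priv: int) -> bytes:
    """Register authority: recomputes K1 = x*R = x*r*P = r*Y and strips the mask."""
    return xor(did, h(mul(server_priv, R)))


def session_key(my_scalar: int, peer_point) -> bytes:
    """Either party: K3 = a*(b*P) = b*(a*P) = ab*P; the key depends on the ephemeral scalars only."""
    return h(mul(my_scalar, peer_point))


def demo(x=None, a1=None, a2=None, b=None, identity: bytes = b"alice"):
    rnd = lambda: secrets.randbelow(N - 1) + 1
    x, a1, a2, b = x or rnd(), a1 or rnd(), a2 or rnd(), b or rnd()
    Y = mul(x, G)                               # long-term key pair (x, Y = x*P) of the authority
    did1, R1 = mask_identity(identity, a1, Y)   # two logins by the same user, fresh r each time
    did2, R2 = mask_identity(identity, a2, Y)
    Rb = mul(b, G)                              # server-side ephemeral contribution b*P
    sk = session_key(a1, Rb)
    return {
        "recovered": unmask_identity(did1, R1, x),
        "dids_differ": did1 != did2,            # untraceability: the mask changes per session
        "keys_agree": sk == session_key(b, R1),
        # Forward secrecy: x applied to the transcript points (R1, Rb) yields x*a*P or x*b*P,
        # neither of which is ab*P; reaching ab*P from (a*P, b*P) alone is the ECCDH problem.
        "leaked_x_gives_key": h(mul(x, R1)) == sk or h(mul(x, Rb)) == sk,
    }


if __name__ == "__main__":
    print(demo())
```

The same structure is what makes the two properties hold together: the identity mask is tied to the server's long-term key so only the register authority can unmask it, while the session key is tied only to the two ephemeral scalars, so that key stays out of reach even of a party that later learns x.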
Mutual Authentication. Mutual authentication is the most basic requirement of a user authentication scheme. In our scheme,  first authenticates   through   , which contains their preset shared secret parameter   and the dynamic parameter  1 generated by the public-key algorithm in step 2 of Section 4.2. Then  authenticates   through   with their shared secret value   . In short,  has authenticated   and   after this process.
If both   and   are authenticated,  further computes   and   . Then, in step 3 of Section 4.2,   checks the validity of  via   . If  is authentic, then   believes 's judgment on   , which means that   also trusts the legitimacy of   . In conclusion,   authenticates  and   via this process.
On receiving   ,   verifies  with   in step 4 of Section 4.2. If  is authenticated, then   also believes in the validity of   . Therefore,   authenticates  and   .
In conclusion, our scheme achieves mutual authentication.
Privileged Insider Attack. To avoid privileged insider attack, when   registers with , he/she does not submit the identity or password directly, but a transform of them: {  ,   }. Thus the identity and password are protected by   . Even the administrator of  cannot obtain   to conduct an offline dictionary attack to guess the values of   and   . Therefore, our scheme is secure against privileged insider attack.
Offline Dictionary Attack. As we mentioned when analyzing Amin et al.'s scheme [3] in Section 3.2, there are two common offline dictionary attacks. So we consider two kinds of adversary here.
Suppose an adversary A acquires {  ,   , ,  0 } from the smart card; then A may conduct an offline dictionary attack as follows.
Step 1. Guess   and   to be  *  and  *  , respectively.

Table 3 note (spilled here from the comparison table): 20]). Let  0 be 32-bit long; let   ,   , ℎ(⋅), the output of symmetric encryption, timestamps, and random numbers be 128-bit long; let , ,  be 1024-bit long. √ means the property is satisfied; × means the property is not satisfied. Note that the evaluation criteria in [24] are also applied to the cloud computing environment when regarding   as the sensor node, although the considerations in designing authentication schemes for these two environments are quite different due to their different network attributes.
Step
In conclusion, the proposed scheme is secure against dictionary attack.
Verifier-Stolen Attack. In our scheme,  only needs to maintain the  − , whose elements ({  ,   ,  }) are not security-related. Furthermore, even if A steals  − , he/she will learn no useful information for conducting an attack. Thus our scheme is resistant to verifier-stolen attack.
Replay Attack. We prevent replay attacks with random numbers. We take the message flow {  ,   ,   ,  2 } as an example: suppose A eavesdrops {  ,   ,   ,  2 } and then replays it to   . As A does not know   , he/she cannot compute the correct session key, though the replayed message can pass the verification of . Consequently, A gains no benefit from such an attack. Equally, it makes no sense for A to replay other message flows. Accordingly, our scheme is secure against replay attack.
User Impersonation Attack. According to the definition of user impersonation attack in [24], A does not acquire the smart card here (that condition is covered by "offline dictionary attack"). As we analyzed above, A with the smart card can neither guess   and W  nor replay {  ,   ,   ,  2 } to impersonate   , let alone an adversary without the smart card. So there is only one possible method left: constructing {  ,   ,   ,  2 }. To construct this message, A chooses   , computes { 1 ,  2 }, forges   and   , calculates {  ,   ,   ,  2 }, and finally sends it to . However, after  obtains  2 and   ,  may fail to find such a   in  −  or may compute a    unequal to   ; both conditions lead to the failure of the authentication of   . As a result,  finds that A is not a legitimate user, and the attack fails.
Server Impersonation Attack. According to the above analysis, A can neither conduct a replay attack to impersonate   / nor find a way to compute   /, so A cannot impersonate   /.

Performance Analysis
Some schemes, like [41], involve only two participants and are essentially indistinguishable from the traditional client-server architecture, so they do not apply to cloud computing environments with multiple servers. Some schemes, like [42], are more concerned with authentication between a wearable and a smartphone and belong to entity authentication rather than the user authentication discussed in this article. These schemes are not comparable to ours. Therefore, we only compare with those having similar system architectures and application scenarios, including [3,25,26].
As shown in Table 3, our security performance is obviously superior to other protocols: the proposed scheme achieves all security requirements, while others have more or less security flaws.More specifically, both the schemes of Maitra et al. [25] and Amin et al. [3] fail to achieve user anonymity and forward secrecy and cannot resist against offline dictionary attack, etc.The best one is Kumari et al. 's scheme [26] which can only provide 11 items of security requirements.In terms of computation or communication performance, as we mentioned in Section 4, the schemes only involving one-way hash operation are inevitable cost less in communication and computation than those deploying the public-key algorithm, but they certainly cannot guarantee the security of authentication.Therefore, among the compared schemes, the schemes of Amin et al. [3] and Maitra et al. [25] certainly cost less communication time and load for they only involve some one-way hash operations.However, sacrificing security to achieve high performance is inadvisable in authentication protocols.As a matter of fact, certain cost is unavoidable for security.Then compared with Kumari et al. 's scheme [26] which is equipped with public-key algorithm, our scheme costs 1ms in login phase and 2ms in authentication phase, while theirs is 2.3ms and 7ms, respectively, our computation overhead is better.Furthermore, our communication cost (1408bits in login phase and 4096 bits in authentication phase) is also lower than theirs (2176 bits and 9088 bits).In conclusion, our scheme with all security attributes is more suitable for cloud computing environment.

Conclusion
The rapid development of cloud computing makes people's lives more convenient but also brings huge security concerns. To ensure users' privacy and account security in the cloud environment, a large number of authentication schemes have been proposed, but they were subsequently shown to have one or more flaws. To explain the subtleties of designing an authentication protocol for the cloud environment, this paper took Amin et al.'s protocol as a case study, elaborating the security weaknesses existing in the protocol and their corresponding solutions in order to provide ideas for designing a secure protocol for the cloud environment. Based on this analysis, we then designed a secure authentication protocol and used BAN logic and heuristic analysis to prove its security. Compared with related protocols, our scheme has clear advantages.
and , it is easy to compute  1 ; yet for A there is another uncertain parameter in   , which stops A from carrying out offline dictionary attack II. (2) Apply a public-key algorithm to provide user anonymity. With the help of  1 , we conceal the identity-related parameter    in    as    ⊕ ℎ( 1 ).

Table 2:
Notations in BAN logic. |≡ : believes, i.e., the principal believes the statement is true.

Table 3:
Performance comparison among relevant schemes in wireless sensor networks. Columns: computation cost in the login phase and in the authentication phase (in ms, as in Section 4), communication cost in the login phase and in the authentication phase, and the security attributes (√ satisfied, × not satisfied).
(scheme name missing) | 6 ≈ 0.04 | 5 + 14 ≈ 0.12 | 640 bits | 1280 bits | √ × √ × √ × × × √ √ × √ √
Kumari et al. (2017) [26] | 2 + 3 ≈ 2.3 | 6 + 15 ≈ 7.0 | 2176 bits | 9088 bits | √ √ √ √ × √ √ × √ √ √ √ √
Footnote. The operation-time symbols denote, in order, the time of a modular exponentiation, a scalar multiplication on an elliptic curve, a hash computation, and a symmetric encryption/decryption;  ≫  ≫  > ; ≈ 1.169, ≈ 0.508, ≈ 0.693, ≈ 0.541 [

Step 6. Compute  *  = ℎ( *  ‖  *  ‖  *  ) mod n0. Step 7. Verify the correctness of the guessed identity and password by checking whether ( *  ==   ). Repeat Steps 1 ∼ 7 until the correct values are found. Now suppose A has found such a pair { *  ,  *  } after the above steps. Even though the pair satisfies the equation, it is most likely not equal to the real {  ,   }, since there are |D_ID| · |D_PW| / n0 ≈ 2^32 candidate pairs when n0 = 2^8 and |D_ID| = |D_PW| = 10^6 [30]. Consequently, A has to verify { *  ,  *  } online, where he/she is restrained by  : once the number of failed user logins exceeds the preset value, the smart card is suspended. Accordingly, our scheme is secure against this attack scenario.
Suppose an adversary A not only extracts the messages in the smart card but also eavesdrops {  ,   ,   ,  2 } from the open channel, and then attempts to guess the identity and password. In this case A wants to use    as the verification parameter to check the correctness of the guessed {  ,   }. As    consists of   ,   ,  1  and   , and according to attack Steps 1 ∼ 5 above, A can compute the values of  *  and  *  . Then A computes  *  as    ⊕ ℎ( *  ‖  2 ). Now A only needs to compute  1 . Without  or   , however, computing  1  is equivalent to solving the ECDL problem, which cannot be done in polynomial time. As a result, our scheme resists such an adversary.
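The fuzzy-verifier bound and the login-failure limit discussed in the attack analysis above, worked through in an added Python example that is not the paper's code. It assumes SHA-256 as h(·), a card-stored verifier of the form h(ID ‖ PW ‖ r) mod n0 with r readable from the card, constructed 64-entry identity and password dictionaries (so the 2^32 figure is scaled down to 64 · 64 / 16 = 256), and a server that suspends the card after max_fail wrong logins; the names make_verifier, offline_candidates and Server are invented.

```python
"""Fuzzy verifier plus online failure counter against offline dictionary attack.

Added example, not the paper's code. Assumptions: h() is SHA-256, the smart
card stores h(ID || PW || r) mod n0 and the adversary has extracted r and the
verifier; dictionaries are constructed; names are invented.
"""
import hashlib
import itertools
import secrets


def h_int(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def make_verifier(id_, pw, r, n0):
    """Fuzzy verifier: reducing mod n0 makes many (ID, PW) pairs collide."""
    return h_int(id_, pw, r) % n0


def offline_candidates(verifier, r, n0, id_dict, pw_dict):
    """Every dictionary pair that passes the card's check; roughly |D_ID|*|D_PW|/n0 of them."""
    return [(i, p) for i, p in itertools.product(id_dict, pw_dict)
            if make_verifier(i, p, r, n0) == verifier]


class Server:
    """Online login with a failure counter; the card is suspended after max_fail misses."""

    def __init__(self, id_, pw, max_fail):
        self.id_, self.pw, self.max_fail = id_, pw, max_fail
        self.fails, self.suspended = 0, False

    def login(self, id_, pw):
        if self.suspended:
            return "suspended"
        if (id_, pw) == (self.id_, self.pw):
            self.fails = 0
            return "ok"
        self.fails += 1
        if self.fails >= self.max_fail:
            self.suspended = True
        return "fail"


def demo(n0=16, dict_size=64, max_fail=5):
    # Constructed dictionaries; a real attacker would use |D| ~ 10^6.
    id_dict = [f"user{i:03d}".encode() for i in range(dict_size)]
    pw_dict = [f"pass{i:03d}".encode() for i in range(dict_size)]
    true_id, true_pw = id_dict[7], pw_dict[42]
    r = secrets.token_bytes(16)                 # extracted from the card
    verifier = make_verifier(true_id, true_pw, r, n0)

    # Offline phase: the adversary keeps every pair that matches the verifier.
    cands = offline_candidates(verifier, r, n0, id_dict, pw_dict)

    # Online phase: the surviving candidates must be tried against the server.
    server = Server(true_id, true_pw, max_fail)
    outcomes = [server.login(i, p) for i, p in cands]
    return {
        "n_candidates": len(cands),
        "expected": dict_size * dict_size // n0,
        "true_pair_found_offline": (true_id, true_pw) in cands,
        "online_tries_before_suspension": outcomes.count("fail") + outcomes.count("ok"),
        "suspended": server.suspended,
    }
```

Offline, the adversary cannot tell the real pair apart from the other pairs that collide modulo n0, so the remaining guesses must be made online, where the counter cuts him off after max_fail attempts, which is the restriction the text relies on.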