Two-Factor User Authentication with Key Agreement Scheme Based on Elliptic Curve Cryptosystem

A password authentication scheme using a smart card is called a two-factor authentication scheme. Two-factor authentication is the most widely accepted and commonly used mechanism that provides authorized users with a secure and efficient method for accessing resources over an insecure communication channel. Up to now, various two-factor user authentication schemes have been proposed. However, most of them are vulnerable to the smart card loss attack, the offline password guessing attack, the impersonation attack, and so on. In this paper, we design a password-based remote user authentication with key agreement scheme using an elliptic curve cryptosystem. Security analysis shows that the proposed scheme has a high level of security. Moreover, the proposed scheme is more practical and secure in contrast to some related schemes.


Introduction
Due to the rapid growth of Internet technology, more and more people use the network to acquire desired services and exchange data. Remote user authentication is one of the most important mechanisms to identify a legal user over an insecure communication network. Since Lamport [1] proposed the first password-based remote user authentication scheme, many password-based single-factor authentication schemes [2][3][4][5][6][7] have been proposed in the literature. However, most password-based single-factor authentication schemes have various security pitfalls. In order to provide better security for the system, Hwang and Li [8] developed a two-factor authentication scheme in 2000. A two-factor authentication scheme is an authentication scheme based on the user's password and smart card. In a two-factor authentication scheme, when the user wants to access resources on a server, he/she inserts the smart card into a card reader and inputs his/her password. Then the smart card uses the user's password to generate a login request message and sends the request to the server. When receiving the login request, the server verifies the validity of the request message. In 2009, Xu et al. [9] proposed a smart-card-based password authentication scheme. They claimed that their scheme could resist the stolen smart card attack. But, in 2010, Sood et al. [10] and Song [11] pointed out that Xu et al.'s scheme was vulnerable to the impersonation attack and the internal attack, and each proposed an improved scheme. In 2012, Chen et al. [12] analyzed Xu et al.'s scheme and pointed out that any user can impersonate other users and fool the service-providing server. Meanwhile, Chen et al. [12] pointed out the security flaws of Sood et al.'s [10] and Song's [11] schemes. According to Chen et al. [12], Sood et al.'s scheme [10] does not guarantee mutual authentication during the authentication phase, and Song's scheme is susceptible to an internal offline guessing attack. Then, an improved scheme is presented in Chen et al.'s paper. Unfortunately, in 2013, Kumari and Khan [13] pointed out that Chen et al.'s scheme cannot withstand the user impersonation attack, the server spoofing attack, and the offline password guessing attack. Besides, Chen et al.'s scheme does not provide important features such as user anonymity, confidentiality of air messages, and revocation of lost/stolen smart cards. Also in 2013, Jiang et al. [14] pointed out that Chen et al.'s scheme was insecure against offline dictionary attacks and proposed an improved authentication protocol without using a smart card.

Journal of Electrical and Computer Engineering
In 2009, Yang and Chang [15] proposed an ID-based remote mutual authentication with key agreement scheme on ECC. In their scheme, the server and the user accomplish mutual authentication through the user's unique identity. They claimed that the computation costs and communication costs of their scheme are lower than those of some related schemes. Nevertheless, Islam and Biswas [16] stated that Yang and Chang's scheme [15] is vulnerable to the replay attack and the known session-specific temporary information attack. Besides, Yang and Chang's scheme [15] provides neither user anonymity nor session key forward secrecy. Islam and Biswas further found that Yang and Chang's scheme does not define how to revoke the authentication key with the same identity. Later, Truong et al. [17] pointed out that Islam and Biswas's [16] scheme still cannot resist the known session-specific temporary information attack. In this paper, we present a two-factor user authentication with key agreement scheme using an elliptic curve cryptosystem based on Yang and Islam's scheme. Security analysis shows that our proposed scheme can resist various attacks.
The rest of the paper is organized as follows. Section 2 introduces some preliminaries. In Section 3, the proposed two-factor authentication with key agreement scheme is described; the corresponding security analysis is given in Section 4. Finally, we conclude this paper in Section 5.

Preliminaries
In this section, we introduce the basic concepts of the elliptic curve cryptosystem (ECC). In every elliptic curve cryptosystem, the elliptic curve equation is defined in the form   (, ):  2 =  3 +  + (mod). Given an integer  ∈  *  and a point  ∈   (, ), the point multiplication  over   (, ) can be defined as  ⋅  =  +  +  + ⋅ ⋅ ⋅ +  ( times). Generally, the security of ECC relies on the difficulty of the following problems.

The Proposed Scheme
In this section, we propose a two-factor user authentication with key agreement scheme based on an elliptic curve cryptosystem. The notations used in the proposed scheme are listed under Notations. The detailed information is described as follows and shown in Figure 1. Our scheme includes five phases: the system initializing phase, the registration phase, the login phase, the authentication phase, and the password change phase. The details of these phases are as follows.

System Initializing Phase
Step 1. The server  chooses an elliptic curve equation   (, ) and a base point  with the order  over   (, ).

Registration Phase.
If the user  wants to become a legal user of the system, he/she has to submit the related information to the server . The details of the registration phase are described in the following steps.
Step 1. The user  generates his/her own identity ID  and password PW  and a random number   ∈ [1, −1]; then the user  submits ID  and  1 (PW  ‖   ) ⋅  to the server  over a secure communication channel.
Step 2. The server
Step 3. The server  stores {AID  , BID  } into a smart card and issues the smart card to the user  via a secure channel.
Step 4. On receiving the smart card, the user  enters the random   into the smart card, and the smart card contains {AID  , BID  ,   }.

Login Phase.
When the user  wants to log in to the server , he/she inserts his/her smart card into the card reader of a terminal and inputs ID  and PW  . Then, the smart card performs the following steps for login.
Step 1. The user computes BID   =  2 ( 1 (ID  ) ‖ ( 1 (PW  ‖   ) ⋅ )) and checks if BID   = BID  . If it holds, it means that the user  has input the correct identity and password. Otherwise, the smart card terminates the session.
Step 3. The user submits the login request message  1 = {CID  , DID  , EID  , } to the server .

Authentication and Key Agreement Phase.
Upon receiving the login message  1 = {CID  , DID  , EID  , } from the user , the server  performs the following steps to achieve mutual authentication.
Step 1. The server  computes ID  = CID  ⊕  2 (  ‖ TID   ) and then checks whether  3 (ID  ‖   ‖ ) ?= EID  . If they are equal, the validity of the user  is authenticated by the server . Otherwise, the session is terminated by the server .
Step 3. The server  sends the authentication message  2 = {,   } to the user .
Step 5. On receiving the message {  }, the server  computes    =  2 ( ‖ ) and compares it with the received   . If it holds, the server and the user achieve mutual authentication. Otherwise, the smart card terminates the session.
Figure 1 (fragment): Session key sk = H 3 (ID u ‖ TID u ‖ r u • S)

Password Change Phase.
When the user  wants to change his/her password PW  to a new one PW new  , the user  can update his/her password by performing the following steps without the help of the server .
Step 1. The user  inserts his/her smart card into a card reader and inputs ID  and PW  . The smart card computes BID   =  2 ( 1 (ID  ) ‖ ( 1 (PW  ‖   ) ⋅ )) and checks if BID   is the same as BID  . If both values are the same, the user inputs a new password PW new  .
Step 2. The smart card computes AID new
Step 3. At last, the smart card replaces AID  and BID  with AID new  and BID new  , respectively.

Security Analysis of Our Scheme
First, we discuss the security features of the proposed authentication with key agreement scheme in this section. Then we evaluate the performance of the proposed scheme and compare it with some related works.

Mutual Authentication with Session Key Agreement.
In the proposed scheme, the user sends the login request message  1 = {CID  , DID  , EID  , } to ; after receiving the message  1 , the server authenticates the user by checking whether the equation  3 (ID  ‖   ‖ ) = EID  holds. If the computed value  3 (ID  ‖   ‖ ) equals the received value EID  , the server confirms that the user is valid. Then the server replies with the message  2 = {,  } to the user. When the user receives the message, he/she authenticates the server by comparing the computed value    =  2 ( ‖ TID  ) with the received value   . If they are equal, the user confirms that the server is legitimate. At last, the server  authenticates the user  by checking whether the equation  2 ( ‖ ) =   holds. Only when all the previous equations are satisfied does the session continue, and the communication parties then share a session key  =  3 (ID  ‖ TID  ‖   ⋅ ) =  3 (ID  ‖ TID  ‖   ⋅ ). From the aforementioned discussion, the proposed scheme achieves mutual authentication with session key agreement.

Forward Secrecy.
Forward secrecy means that if the long-term private keys of the participating entities (e.g., the server's secret key   and the user's password PW  ) are compromised, the secrecy of previous session keys is not affected. In the proposed scheme, the session key  =  3 (ID  ‖ TID  ‖   ⋅ ) =  3 (ID  ‖ TID   ‖   ⋅ ), where   ⋅  =   ⋅  =   ⋅ r  ⋅ , relies on the random values   and   . These values are independently generated in each session and have no relation to the server's secret key   or the user's password PW  . So, the attacker cannot compute any previous  without the random value   chosen by the user  and the random value   chosen by the server . On the other hand, even if the attacker obtains  =   ⋅  and  =   ⋅  from the public channel, he/she still cannot compute the session key  without solving the computational Diffie-Hellman problem. Thus, the proposed scheme provides forward secrecy.
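As an added worked example (not code from the paper), the following Python models the building blocks the scheme leans on: the point addition and scalar multiplication k·P from the Preliminaries, the card-side check BID' = H2(H1(ID) ‖ H1(PW ‖ b)·P) from the login and password change phases, and the Diffie-Hellman-style session key agreement of Sections 4.1 and 4.2. The curve parameters (y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of order 19), the use of SHA-256 with a domain tag in place of H1, H2 and H3, and all names in the code are assumptions made here; a real deployment would use a standardized curve and the scheme's own hash functions.

```python
# Added example (not the paper's code): toy elliptic-curve arithmetic, the
# card-side verifier and the ECDH-style session-key agreement of the scheme.
import hashlib
import secrets

# Constructed toy curve y^2 = x^3 + A*x + B (mod P_MOD). The parameters are an
# assumption chosen so every multiple of G can be checked by hand; a real
# deployment uses a standardised curve, never a 17-element field.
P_MOD, A, B = 17, 2, 2
G = (5, 1)          # base point; on this curve it has order N = 19
N = 19
INF = None          # point at infinity, the identity element


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Group law: handles the identity, doubling and inverse points."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p2 == -p1
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult_naive(k, pt):
    """k·P = P + P + ... + P (k times), the definition in the Preliminaries."""
    acc = INF
    for _ in range(k):
        acc = point_add(acc, pt)
    return acc


def scalar_mult(k, pt):
    """Double-and-add: same result as the definition in O(log k) group ops."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def h_hex(tag, *parts):
    """Stand-in for H2/H3 (assumption): SHA-256 over tag ‖ parts, hex-encoded."""
    return hashlib.sha256("‖".join((tag,) + parts).encode()).hexdigest()


def h_scalar(*parts):
    """Stand-in for H1 (assumption): hash reduced into [1, N-1] so the result
    can be used as a scalar, as in the paper's H1(PW ‖ b)·P."""
    d = hashlib.sha256("‖".join(("H1",) + parts).encode()).digest()
    return 1 + int.from_bytes(d, "big") % (N - 1)


def card_verifier(id_u, pw, b):
    """BID = H2(H1(ID) ‖ H1(PW ‖ b)·P): stored at registration, recomputed by
    the card at login and password change; b is the card's random number."""
    pt = scalar_mult(h_scalar(pw, b), G)
    return h_hex("H2", str(h_scalar(id_u)), str(pt))


def session_key_agreement(id_u, tid_u, r_u=None, r_s=None):
    """User picks r_u and sends r_u·P; server picks r_s and sends r_s·P.
    Each side hashes its own scalar times the other's point, so both get
    sk = H3(ID ‖ TID ‖ r_u·r_s·P) without either scalar crossing the wire."""
    if r_u is None:
        r_u = 1 + secrets.randbelow(N - 1)
    if r_s is None:
        r_s = 1 + secrets.randbelow(N - 1)
    R_u = scalar_mult(r_u, G)                # carried in the login message
    R_s = scalar_mult(r_s, G)                # carried in the server's reply
    sk_user = h_hex("H3", id_u, tid_u, str(scalar_mult(r_u, R_s)))
    sk_server = h_hex("H3", id_u, tid_u, str(scalar_mult(r_s, R_u)))
    return sk_user, sk_server, (R_u, R_s)
```

Both parties obtain the same sk although neither scalar crosses the channel; R_u and R_s are what Section 4.2 says an eavesdropper sees, and going from them to r_u·r_s·P is the computational Diffie-Hellman problem on the curve. For the card check, note that card_verifier depends only on ID, PW and b: when both b and BID are readable from a lost card, as Section 4.6 assumes, the check can be recomputed offline, so its strength rests on the joint entropy of ID and PW.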

User Anonymity.
In the proposed scheme, the user's identity is neither stored in the smart card nor transmitted in plaintext form. In fact, the user's identity is submitted as CID  = ID  ⊕  2 ( ‖ TID  ), which changes for each login. Even if the attacker eavesdrops on the login request message  1 = {CID  , DID  , EID  , } and the authentication messages  2 = {,   } and  3 = {  }, the attacker has no way to learn the user's identity ID  . This is because the attacker cannot recover ID  from CID  = ID  ⊕  2 ( ‖ TID  ) without knowing the server's secret key   and the user's password PW  . Thus, the proposed scheme provides user anonymity.

Resisting Server Spoofing Attack.
In the proposed scheme, if the attacker wants to masquerade as the remote server  to cheat the user , he/she has to generate a valid message  2 = {,   }, where  =  +   and   =  2 ( ‖ TID   ). That is to say, the attacker must obtain the values   and TID   to compute a valid message {,   }. However, the attacker cannot compute the values   =   ⋅  and TID   =   ⋅  1 (PW  ‖   ) ⋅  without knowing the private key of the server  and the user's password PW  . Therefore, our scheme is secure against the server spoofing attack.

Resisting Insider Attack.
An insider attack means that the user  may register with more than one server using the same identity and password; a privileged insider of one server can then impersonate the user and access the other servers by constructing a valid login request. In the registration phase of the proposed scheme, the user  freely chooses his/her identity ID  and password PW  and submits ID  and  1 (PW  ‖   ) ⋅  to the server . The server  cannot obtain the password PW  from  1 (PW  ‖   ) ⋅  since it would have to solve the CDL (computational discrete logarithm) problem. Therefore, the proposed scheme can resist the insider attack.

Resisting Smart Card Loss Attack.
Assume that the user 's smart card is lost or stolen, and the attacker can extract the information {AID  , BID  ,   } stored in the smart card, where ). On the one hand, the attacker cannot guess the user's password PW  from AID  and BID  since it is protected by a one-way hash function. On the other hand, the attacker cannot fabricate a valid login request message or compute the session key using the stolen smart card. Besides, it is impossible for the attacker to update the user's password. This is because the attacker must have the real identity ID  and password PW  to pass the verification BID   ?= BID  . Therefore, the proposed scheme is secure against the stolen smart card attack.

Resisting Impersonation Attack.
If the attacker wants to impersonate a legitimate user  to pass the authentication of the server , he/she has to forge a valid login request message  1 = {CID  , DID  , EID  , }. Assume that the attacker possesses the user's smart card and intercepts the user's previous login request message; the attacker then attempts to impersonate the user  and sends the login message (CID   , DID   , EID   ,   ). However, this impersonation attempt will fail in Step 1 of the authentication phase, since he/she has no way to obtain the values of ID  ,   , and TID  . Therefore, the proposed scheme is secure against the impersonation attack.

No Key Control.
In the proposed scheme, the session key consists of ID  , TID  , and   ⋅   ⋅ , where   and   are provided by the user and the server, respectively. Therefore, the fairness of the session key is guaranteed, and neither party can preselect or control the session key. This is because the adversary has no way to know ID  and TID  . Hence, the proposed scheme can resist the known session-specific temporary information attack.

Performance and Functionality Analysis
In this section, we compare the efficiency and security properties of the proposed scheme with related schemes proposed by Yang and Chang [15] and Islam and Biswas [16].
Table 1 compares the computation cost of our proposed scheme with that of the other related schemes. We only consider the ECC multiplication operation, the ECC addition/subtraction operation, and the hash operation; the computation cost of the XOR operation can be ignored in comparison to these operations. According to Table 1, the cost of our proposed scheme is slightly higher than that of the other schemes. However, our proposed scheme achieves all the security properties listed in Table 2. We summarize the security property comparison between the proposed scheme and the two previous schemes in Table 2. It is easy to see that our proposed scheme achieves all the security requirements. So, the proposed scheme has stronger security.

Conclusion
In this paper, we have proposed a two-factor user authentication with key agreement scheme based on elliptic curve cryptosystem.The analysis shows that the computation costs of our proposed scheme are slightly higher than other schemes; however, our scheme can accomplish most desired security goals compared with some related schemes.As a result, our scheme is more secure and practical for real-life use.
Figure 1 (fragment): Choose ID u , PW u , b u

Table 2: Security properties comparison.

  and   are the random numbers that are selected by the user  and the server , respectively, and they are different for each session. So, the messages exposed on the public channel are different in each session. Thus, the proposed scheme can prevent the replay attack. The known session-specific temporary information attack means that if the session ephemeral secrets are accidentally exposed to an adversary, this exposure should not compromise the generated session key. In the proposed scheme, if the session ephemeral secrets   and   are leaked, the adversary cannot obtain the session key  =  3 (ID  ‖ TID  ‖   ⋅  ⋅).