A Multipurpose Key Agreement Scheme in Ubiquitous Computing Environments

Due to the rapid advancement of cryptographic techniques, the smart card has recently become a popular device because it is capable of storing and computing essential information with such properties as tamper resistance. However, many service providers must satisfy the user's desire to be able to access services anytime and anywhere with smart card computing devices. Therefore, multipurpose smart cards have become very popular identification tokens. In 2011, Wang et al. proposed an authentication and key agreement scheme for smart card use. Even so, two drawbacks still exist; that is, (1) the security requirement of mutual authentication has not been satisfied and (2) the authentication scheme cannot be used for multipurpose smart cards. In this paper, we propose an efficient and secure multipurpose, authenticated key agreement scheme in which the user is required to register only once and can be authenticated without any registration center. Furthermore, the proposed scheme can be used in ubiquitous environments because of its low computation and communication overhead.


Introduction
Currently, the uses of smart cards include shopping, taking buses or the subway, paying bills, parking cars, and passing through guarded gates. When the smart card is embedded in a mobile phone, many commercial transactions can be performed in ubiquitous computing environments. Therefore, multipurpose smart cards are very popular identification tokens, and service providers must satisfy the user's desire to be able to access services anytime and anywhere with smart card computing devices. However, in the ubiquitous computing environment, the communication channels are insecure and may suffer from eavesdropping, interception, and impersonation attacks [1]. Hence, we must simultaneously consider both service and security requirements to protect the rights and the privacy of users and providers [2]. These ubiquitous computing devices are usually small, with limited computation and communication capabilities. Therefore, it is a difficult challenge to deploy comprehensive security mechanisms in the ubiquitous computing environment.
Although the smart card can be used to authenticate a user's identity and perform electronic transactions, we must still consider the risk of accidental loss of the cards. Therefore, establishing a password is the most popular method for protecting the user.
In general, people choose words that are easy to remember or word strings with special meanings as passwords, but using only a password for authentication can easily leave the user vulnerable to security breaches. Hence, the smart card is applied to improve authentication security. As a result, most e-commerce transactions use both smart cards and passwords to ensure authentication and maintain security. Over the past two decades, many schemes have been proposed to achieve both user authentication and confidentiality of messages based on smart cards. In 1981, Lamport [3] proposed the well-known remote user authentication scheme with password tables. In 1993, to provide better security, Chang and Hwang proposed a novel multiserver authentication scheme [4] without password tables. Afterwards, many related studies [5][6][7][8][9][10][11] have been proposed to improve the security and performance of authentication.
In 2004, Das et al. proposed a dynamic ID-based remote user authentication scheme [6] using smart cards. However, it had a serious security flaw; that is, if a malicious attacker gets the smart card, he or she can freely choose passwords to be authenticated by the server. In 2009, Wang et al. proposed an improved scheme [12] to enhance Das et al.'s scheme, but Khan et al. [13] found that Wang et al.'s scheme is infeasible because it cannot provide a secure communication channel between users and servers. Thus, Khan et al. proposed an enhanced scheme [13] to overcome these weaknesses. However, Khan et al.'s scheme cannot be applied in multipurpose and ubiquitous environments.
In 2011, Wang et al. proposed an improved scheme [14] to solve the problems associated with losing a smart card and the known-key attacks, which are vulnerabilities that exist in Wang et al.'s scheme [15] of 2007. They claimed that their scheme can achieve the following criteria [14]:
(C1) No verification table: no verification or password table is stored at the server's end.
(C2) Freely chosen password: users can arbitrarily choose and change their passwords.
(C3) The server administrator not being able to derive the user's passwords: not even the administrator has the privilege to derive the user's passwords.
(C4) No one being able to impersonate a valid user: the authentication scheme must completely resist impersonation attacks.
(C5) No clock synchronization or time-delay problems: the scheme achieves higher performance and a lower synchronization cost than others.
(C7) Session key agreement: the server and the user must negotiate a session key for protecting subsequent communications.
(C8) Low computation and communication cost: due to the constrained power and the limited memory of the smart card, expensive computation operations should be reduced to meet bandwidth demands.
(C9) The user's ability to revoke the smart card rather than the user's identity: even if the user loses her or his smart card, her or his identity can remain unchanged.
(C10) Smart card loss protection: the scheme can protect the lost smart card from impersonation or guessing attacks.
(C11) The smart card's ability to be used in a multipurpose environment: the smart card can be used to log in to many servers that provide a variety of services.
After a thorough analysis of Wang et al.'s scheme [14], we found some security issues; that is, (1) a malicious attacker can easily impersonate the legitimate server to deceive the user, but the user cannot become aware of this attack, so the fooled user may submit his private information to an attacker, and (2) the scheme cannot achieve the multipurpose smart card requirement because it only has single-server authentication. In this paper, we propose a novel approach for solving these problems and improving the security strength. Furthermore, our scheme can be applied to the multipurpose smart card environment; that is, the smart card can be authenticated by multiple servers. In addition, our scheme ensures computation efficiency, so it can be easily implemented in ubiquitous computing environments.
The rest of this paper is organized as follows. In Section 2, we review Wang et al.'s user authentication scheme and demonstrate the security drawback. Then, in Section 3, we present our scheme, that is, the multipurpose smart card authenticated key agreement scheme, followed by the security and efficiency analyses shown in Section 4. Finally, concluding remarks are presented in Section 5.

Review of Wang et al.'s Scheme
In this section, we briefly review Wang et al.'s authentication and key agreement scheme [14] and demonstrate that their scheme cannot satisfy mutual authentication (C6) against the impersonation attack. Notations used throughout this paper are described in Section 2.1. The details and the drawbacks of Wang et al.'s scheme are demonstrated in Sections 2.2 and 2.3, respectively.

Notations
: the set of users,  = { 1 ,  2 , . . .,   },
: the set of registered servers,  = { 1 ,  2 , . . .,   },
RC: the registration center,
: the server's master key, the length of which is sufficient to resist the brute force attack,
UID: the identity of the user,
CID: the identity of the smart card,
SID: the identity of the server,
PW: the password of the user,
ℎ(): a secure one-way hash function [16,17],
   (): the ciphertext of , which is the product of  encrypted using the key  in the secure symmetric cryptosystem [18,19],
(): the plaintext of , which is the product of  decrypted using the key  in the secure symmetric cryptosystem [18,19],
CRL: the smart card revocation list.

Review of Wang et al.'s Scheme.
In this subsection, we briefly review and discuss Wang et al.'s scheme [14]. There are two participants involved, that is, the user and the server. Let UID, CID, and SID be the unique identifiers of the user, the smart card, and the server, respectively.
Wang et al.'s scheme comprises several phases, that is, the registration phase, authentication phase, password changing phase, revoking smart card phase, user eviction phase, and user anonymity phase, but we only discuss the first two phases. The other phases of their scheme basically conform to the above-mentioned security requirements.
Before the scheme starts, it must set some system parameters, which must satisfy the elliptic curve cryptosystem requirements [20], for example,  > 2 160 , 4 3 + 27 2 , and mod  ≠ 0. We assume that all system parameters conform to the security requirements.
Registration Phase. In this phase, all messages are delivered over a secure channel, since the smart card cannot be transmitted over the network. When a new user  wants to access a server's services, he/she must first submit his/her identity (UID) to the server for registration. If the server accepts the application, it then takes the following steps.
Step 2. The server stores (UID, , ,   ) in the smart card and issues it to .
Step 3. The server maintains the (UID, CID) table.
Step 4. After receiving the smart card,  inputs her or his password (PW) into the smart card. The smart card computes   =  ⊕ ℎ(PW). Then it replaces  with   in the smart card. As a result, the smart card stores (UID,   , ,   ).
[Protocol diagram (1): the authentication phase between the user and the server, ending with both sides holding the session key; only the column headings survived extraction.]
Authentication Phase. We illustrate this phase in (1) and explain the details as follows. When  wants to log in to the server, he/she inserts the smart card into the card reader and inputs his/her password PW into the device. The user  performs the following steps.
Step 2.  delivers (UID,  1 ,  2 ) to the server. The server receives the above message and then executes the following steps.
Step 4. The server compares   2 with  2 . If they are equal, then the user's identity is confirmed. Otherwise,  terminates this procedure.
After receiving ( 3 ,  1 ),  performs the following steps to validate the server's identity and generate a session key.
Step 8.  compares   1 with  1 . If they are equal, then the server's identity is valid. Otherwise,  terminates this procedure.
Step 10. If  2 passes the validation with ℎ(  2 ‖   + 1), then the server and  can obtain a session key . Otherwise, the server will give up on this authentication.

Drawbacks of the Reviewed Scheme.
After analyzing the above protocol, we can easily derive the session key  =   = ℎ(××) used to keep data secret in further communications. However, we find that it still has two drawbacks. First, their scheme cannot be applied to the multipurpose smart card requirement because it is only designed for a single-server authentication environment. In addition, it has a security flaw. A malicious attacker can impersonate a legal server to cheat the user. Hence, it cannot satisfy the mutual authentication requirement. We show how the attacker can impersonate a legitimate server in the authentication phase as follows.
Assume that a malicious attacker Mary can intercept all transmitted messages between the user and the server. Then, she counterfeits a legal server to perform authentication with the user. First, the user sends (UID,

The Proposed Scheme
In this section, we first list the advantages of our scheme over Wang et al.'s scheme in Section 3.1. Then, the details of our novel scheme are presented in Section 3.2.

Superiorities of Our Scheme
Mutual Authentication.
Our protocol ensures mutual authentication between  and  without a password table.

Multipurpose Smart Cards.
The smart card can satisfy the multipurpose requirement. The smart card can be used to access multiple servers on the user's demand.

Efficiency and Practicability.
The user can dynamically choose or remove services, as he or she chooses. The user's changing of her or his demands will not affect any service server. In addition, the transmission rounds and computation load are simplified in the authentication phase. Therefore, our scheme can be easily implemented for ubiquitous environments.

Our Proposed Scheme.
In our scheme, the user can use the smart card to dynamically access many kinds of services. Therefore, the registration center RC is a necessary participant to manage adding or removing the services of the users.
The proposed scheme consists of five phases, that is, (1) the initialization phase, (2) the registration phase, (3) the authentication phase, (4) the demands-changing phase, and (5) the card-revoking phase. Note that  is the RC's secret key in our scheme. The details are shown as follows.

Initialization Phase
Step 1. If the server   wants to join this service group, it must submit its identity SID  and its secret prime number   to RC for registration.

Registration Phase
Step 1.   arbitrarily chooses a large prime   > 2  and sends (UID  ,   ) to RC for registration, requesting a set   of services, where   ⊆ .
(2.2) RC expands the length of each ℎ(UID  ‖   ) to  + 1 bits by setting the most significant bit to 1.
Step 3. RC stores (UID  ,   ,   ) in the smart card. Then, RC issues this smart card to   .
Step 4. After receiving the smart card,   inputs her or his password PW  into the smart card. The smart card computes    =   ⊕ ℎ(PW  ). Then it replaces   with    in the smart card. As a result, the smart card stores (UID  ,    ,   ).
Authentication Phase. We illustrate this phase in (2) and explain the details as follows. When   wants to log in to   , where   ∈   , he/she inserts the smart card into the card reader and inputs his/her password PW  into the device. The user   performs the following steps.
receives the above message and then executes the following steps.
Step 5.   checks the UID   , SID   , and CID  . If UID   and SID   pass the validation and CID  does not belong to the CRL, then the user's identity is confirmed. Otherwise,   terminates this procedure.
Step 9.   checks SID   and   1 + 1 against the received SID  and  1 + 1. If they are valid, then the server's identity is confirmed and the session key is SK = . Otherwise,   terminates this procedure.
[Protocol diagram (2): the authentication phase between the user and the server; only the column headings and the final check (SID and  1 + 1, SK = ) survived extraction.]
Demands-Changing Phase. When the user   changes her mind, she wants to add or remove some services. She must perform the registration phase again. She chooses a new service combination set   ⊆ . Then RC and   perform Steps 2 through 4. Afterwards, RC gets a new set (UID  ,   ,   ), and the smart card stores a new (UID  ,    ,   ). Other participants will not be affected by these changes.
Card-Revoking Phase. When the user   loses his smart card, he must apply to RC for a new one. RC will record the lost card's CID in the CRL and publish the CRL to all registered servers. Then, RC will perform the same steps as in the registration phase to issue a new smart card to the user.

Security and Efficiency Analyses
In this section, we discuss several significant attacks and analyze the efficiency of our scheme. The security analyses are shown in Section 4.1. Then, we demonstrate that the proposed scheme can achieve the computation and communication efficiency listed in Section 4.2.

Choosing the Session Key.
Because the session key  is a modular residue, it must be less than all the ℎ(UID  ‖    )'s of   . Otherwise, the server will not derive the correct session key . However, for security reasons, we want the value of  to be as large as possible. To achieve these two requirements, the session key  must satisfy 2 −1 <  < min{  , (UID  ‖   ) |  ∈   } ≤ 2  . Otherwise, there is a possibility that an incorrect number  will be derived at the server. To ensure that the above inequality holds, we expand the length of each ℎ(UID  ‖   ) to  + 1 bits and set the most significant bit to 1. Meanwhile, the system must check whether 2 −1 − 1 ≤  ≤ 2  − 1. Therefore, the availability of our scheme is guaranteed.
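The following Python sketch is an added illustration of this subsection's argument and is not code from the paper. Because the paper's symbols were lost in extraction, the names are this example's own assumptions: L stands for the hash output length in bits, K for the session key, SHA-256 stands in for the one-way hash ℎ(), and the (UID, p) registrations are constructed placeholder byte strings rather than real large primes. It shows why setting the most significant bit of each expanded ℎ(UID ‖ p) guarantees that every server recovers the same K, and what goes wrong when an unexpanded hash smaller than K is used as a modulus.

```python
import hashlib
import secrets

# Assumed parameter (not from the paper): L-bit hash output, SHA-256 stands in for h().
L = 256


def h(data: bytes) -> int:
    """Secure one-way hash h() returned as an L-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def h_expand(value: int) -> int:
    """Expand an L-bit hash to L+1 bits by setting bit L (the new MSB) to 1.
    Every expanded value is >= 2**L, so any L-bit session key is below it."""
    return value | (1 << L)


def subscriber_moduli(registrations):
    """registrations: iterable of (UID, p) pairs for one server's subscribers.
    Returns the expanded h(UID || p) values the server reduces modulo."""
    return [h_expand(h(uid + b"||" + p)) for uid, p in registrations]


def session_key_in_range(K: int) -> bool:
    """The availability check of Section 4.1.1: 2**(L-1) - 1 <= K <= 2**L - 1."""
    return (1 << (L - 1)) - 1 <= K <= (1 << L) - 1


def choose_session_key(moduli) -> int:
    """Draw an L-bit K with its top bit set and confirm it is below every modulus.
    With expanded moduli the loop always succeeds on the first draw."""
    while True:
        K = secrets.randbits(L) | (1 << (L - 1))  # forces 2**(L-1) <= K < 2**L
        if session_key_in_range(K) and K < min(moduli):
            return K


def recover(K: int, modulus: int) -> int:
    """What a party holding `modulus` derives for K: K reduced mod modulus."""
    return K % modulus


def availability_holds(registrations) -> bool:
    """True when every subscriber modulus lets the server recover K exactly."""
    moduli = subscriber_moduli(registrations)
    K = choose_session_key(moduli)
    return all(recover(K, m) == K for m in moduli)


def unexpanded_recovery_fails(registrations) -> bool:
    """Failure mode: if the raw (L-bit) hash were used as the modulus, the
    largest admissible key 2**L - 1 can never be recovered, since the raw
    hash is at most 2**L - 1 and K mod m < m <= K."""
    K_max = (1 << L) - 1
    raw_moduli = [h(uid + b"||" + p) for uid, p in registrations]
    return all(recover(K_max, m) != K_max for m in raw_moduli)


# Constructed sample registrations (placeholder UIDs and "primes", not real ones).
SAMPLE_REGISTRATIONS = [(b"alice", b"p_alice"), (b"bob", b"p_bob"), (b"carol", b"p_carol")]

if __name__ == "__main__":
    print("expanded moduli recover K:", availability_holds(SAMPLE_REGISTRATIONS))
    print("raw moduli lose K_max:", unexpanded_recovery_fails(SAMPLE_REGISTRATIONS))
```

The expansion does the real work: once every modulus is at least 2**L, the range check on K is sufficient on its own, and the server never has to compare K against each subscriber's hash at run time.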

Session Key Security.
If an attacker collects many  1 's and tries to derive the next session key , it will be impossible. Due to the process of generating the session key in the authentication phase, each session key is independent and different.

The Server's Secrecy Protection.
Although the user knows   =   ∏ ∈  ℎ(UID  ‖   ), the server's secret   can still be protected. The user cannot compute any   , since ℎ() is a secure one-way hash function [16,17]. In addition, each ℎ(UID  ‖   ) may not be a prime, so the scheme can resist collusion attacks by several legitimate subscribers. A malicious user gains nothing by calculating   /  because both   and   are products of many respective different factors. It is hard to find any common divisor among them, since ℎ(UID  ‖   ) and ℎ(UID  ‖   ) are different.

Impersonating Attacks.
No adversary can impersonate the eligible user in our scheme. When the adversary tries to impersonate the eligible user, he/she uses the fake message (UID  ,   1 ,   2 ) to log in to the server and will get stuck in the authentication process. Since he/she does not know   and   of   , he/she cannot compute   1 and   2 . On the other hand, if the attacker impersonates the service server, the user will detect that someone is trying to impersonate the server in Step 9 of the authentication phase. This is because the adversary cannot compute  without the true    . As a result, he/she cannot respond with the correct messages   1 + 1 and  3 to the user. Even if a legal subscriber  wants to impersonate a legal subscriber , it is still very difficult because the user  cannot derive ℎ(UID  ‖    ) from  1 . Hence, no one can impersonate the eligible user or the service server in our scheme.
Replay Attacks.
Both   and   must check the nonce  1 ; meanwhile, it is protected by encryption under the secret key , so the attacker cannot change it arbitrarily. This way, we can eliminate the possibility of a replay attack.
Password-Guessing Attacks.
If a malicious attacker tries to guess the password of a lost smart card, he will fail. The password is stored neither in the smart card nor on the server's disk. His incorrect guesses of the password will be rejected in Step 5 of the authentication phase, since an incorrect   is used.
Known-Key Attacks.
Each session key is different from all others, since the session key  is randomly generated in each run. Hence, our scheme can achieve forward secrecy and backward secrecy.

Smart Card Loss Attacks.
If any user loses his smart card, he can apply for a new one and revoke the lost smart card in the card-revoking phase. If an attacker uses a lost smart card to log in to the server, it will fail because the server checks the CID in Step 5 of the authentication phase. Therefore, our scheme can satisfy (C9) and (C10) of the aforementioned criteria.

Efficiency Analyses
Property 1 (the scheme needs no password and encrypted key table). Since the server and the user can compute  in the authentication phase without the help of an encrypted key table or a password table, challenge-response interactive authentication can be ensured.
Property 2 (the scheme provides mutual authentication without RC's support). As shown in our scheme, when a new server or user joins this system, RC does not need to transmit any message to each user and server. Since the smart card and   compute the session key, RC is not involved. RC only takes charge of the registration of new users or new servers. Hence, our proposed scheme can reduce RC's overhead.
Property 3 (the scheme provides higher security and computation efficiency). Wang et al.'s scheme is based on the difficulty of solving the elliptic curve discrete logarithm problem with a 160-bit key; the security is quite solid, for now. However, our scheme deploys a symmetric cryptosystem with a key length of at least 128 bits. According to Table 1 [14], our scheme provides higher security than 160-bit ECC and greater computation efficiency, because symmetric-key encryption (DES or AES) is estimated to run about 1000 times faster than asymmetric-key encryption (ECC), according to Schneier's book [20]. Therefore, our scheme fits low-computation devices and ubiquitous environments.
Property 4 (the scheme provides both communication and round efficiencies). It is assumed that both the output size of the secure one-way hash function [16] and the block size of the secure symmetric cryptosystem are 160 bits. We list the comparisons of communication cost between our scheme and the related schemes in Table 2. Obviously, our scheme's communication efficiency is better than that of Wang et al.'s scheme [14]. Moreover, both of Wang et al.'s schemes [14,15] are insecure. In addition, our scheme only needs two rounds of interaction to complete authentication and key agreement. That is the smallest number of rounds among the related schemes.
Property 5 (the scheme is practical). In Table 3, comparisons of the criteria between our scheme and the related schemes are shown.
According to Table 3, our scheme proposes a solution to the security drawback of Wang et al.'s scheme, and it also satisfies the multipurpose smart card requirement. Moreover, the numbers of the different kinds of computation operations required by our scheme are smaller than those required by Wang et al.'s scheme [14], so the computation load of our scheme is lighter than the others. In addition, among the aforementioned schemes, ours is the only one that can be used in a distributed authentication architecture. It is obvious that our proposed scheme is superior to both of Wang et al.'s schemes [14,15] in terms of both round efficiency and computation efficiency.

Conclusions
In this paper, we have proposed a multipurpose key agreement scheme using smart cards. The proposed scheme enhances Wang et al.'s scheme. Moreover, it provides better functionality and efficiency. According to the analyses in the above section, our scheme can be practically used in ubiquitous computing environments.

Mobile Information Systems
Notations (continued from Section 2.1):
with an -bit output,
: a nonce value,
, : two large primes,
  : an elliptic curve equation over  of the server,
: a generator point of   with a large order ,
, : two integer elements,
  : a large prime generated by   , where   > 2  ,
, : two random numbers,
SK: the session key,
⊕: the exclusive-or operation on two bit strings,
‖: the string concatenation operator.

Table 2: Comparisons of communication cost. [Table body not recovered.]

Table 3: Criteria comparisons between our scheme and the related schemes. [Table body not recovered.]