The concept of two-factor multiserver authentication protocol was developed to avoid multiple number of registrations using multiple smart-cards and passwords. Recently, a variety of two-factor multiserver authentication protocols have been developed. It is observed that the existing RSA-based multiserver authentication protocols are not suitable in terms of computation complexities and security attacks. To provide lower complexities and security resilience against known attacks, this article proposes a two-factor (password and smart-card) user authentication protocol with the RSA cryptosystem for multiserver environments. The comprehensive security discussion proved that the known security attacks are eliminated in our protocol. Besides, our protocol supports session key agreement and mutual authentication between the application server and the user. We analyze the proof of correctness of the mutual authentication and freshness of session key using the BAN logic model. The experimental outcomes obtained through simulation of the Automated Validation of Internet Security Protocols and Applications (AVISPA) S/W show that our protocol is secured. We consider the computation, communication, and storage costs and the comparative explanations show that our protocol is flexible and efficient compared with protocols. In addition, our protocol offers security resilience against known attacks and provides lower computation complexities than existing protocols. Additionally, the protocol offers password change facility to the authorized user.
Nowadays, network technologies and the online applications are rapidly growing; the Internet users are accessing online services to make their life more comfortable over Internet. When accessing a remote server, a session key should be negotiated between user and remote server, which would be used to encrypt the confidential messages. In this regard, two-factor authentication protocols using smart-card and password are widely used and designing a robust and efficient two-factor authentication protocol is a critical task. The concept of client-server communication over insecure networks has been introduced for single server environment, and many researchers have proposed numerous authentication protocols [
Multiserver framework used in our protocol.
User anonymity [
In the literature, numerous multiserver authentication protocols are designed to achieve strong security as well as lower complexities. In 2009, Liao and wang [
This article claims the following contributions. We have pointed out that all the existing RSA-based multiserver protocols include high computation cost and are insecure against known attacks. The main contribution of this article is the design and analysis of a lightweight and robust authentication protocol for multiserver environments. The proposed protocol is analyzed using the AVISPA S/W and its results showed that our protocol is secure. We proved that our protocol is completely protected against known security threats. Further, it solves the problem of anonymity issue. We show that the performance of our protocol is better in terms of computation and communication overheads.
Section
Based on RSA cryptosystem, this section introduces a two-factor multiserver authentication protocol using password and smart-card. Our authentication protocol includes initialization phase, registration phase for application server
This phase is executed by the
The main objective of
After receiving the registration request,
We further depict the registration phase of application server of the proposed protocol in Figure
Application server registration phase of our protocol.
To register with
After receiving
After preparing the smart-card,
Further we demonstrate the user registration phase of our protocol in Figure
User registration phase of our protocol.
At the time of enjoying remote services,
The terminal now produces a random number
Further we provide description of login phase of the proposed protocol in Figure
Login phase of our protocol.
This phase achieves a session key agreement between
After getting login message
After receiving
After receiving
After verifying
After receiving
Further we provide the description of verification phase of our protocol in Figure
Verification phase of our protocol.
In password-based remote user authentication protocol, user’s password is one of the most sensitive information pieces and must be changed whenever required. Therefore, password change phase must be rendered to the registered user. This phase requires the following actions to change the password.
After successfully verifying
Further we explained the our password change phase in Figure
Password update phase of our protocol.
This section measures security strength of our protocol by analyzing several security attacks. Generally, password-based authentication protocol suffers from different attacks. The authentication protocol must resist the known attacks and achieve mutual authentication, session key verification along with login, and password change phase efficiently. Here, we analyze that our protocol can defy all the relevant security attacks. In this regard, we define some valid assumptions [
An adversary
All messages produced by the protocol during execution are sent via insecure communication such as Internet. Therefore,
We considered that the authorized user selects dictionary word as password and identity. It is noted that
We considered that the random nonce and secret key size are significantly large (parameter with high entropy). Therefore,
Let
Assume length of identity or password is
Our multiserver authentication protocol resists smart-card stolen attack.
In smart-card stolen attack,
Our multiserver authentication protocol can defy the offline identity guessing attack.
As per Theorem
Our multiserver authentication protocol can defy the offline password guessing attack.
Similar to Theorem
Our multiserver authentication protocol can defy the insider attack.
As mentioned in [
Our multiserver authentication protocol can defy the user impersonation attack.
To impersonate
Our multiserver authentication protocol can defy the server impersonation attack.
Resembling Theorem
Our multiserver authentication protocol can defy the session key computation attack.
The protocol negotiates a session key between
Our multiserver authentication protocol can defy the known session specific temporary information attack.
It is assumed that short-term information used in the protocol is known to
Our multiserver authentication protocol can defy the stolen verifier attack.
At the time of application server registration,
This section addresses the freshness of the exchanged message and the proof of the mutual authentication based on Burrows-Abadi-Needham (BAN) logic [
The BAN statements used in this paper that are required to analyze the security of our protocol are listed in the Notations.
The logical postulates of the BAN logic are listed in Table
Logical postulates of BAN logic.
Rule | Notation | Description |
---|---|---|
Message meaning |
|
If principal |
then |
||
Freshness-conjuncatenation |
|
If |
the freshness of ( |
||
Belief |
|
If principal |
Nonce verification |
|
If |
|
||
Jurisdiction |
|
If the principal believes that |
then |
||
Session key |
|
If |
necessary parameters of session key, then |
||
session key |
In order to prove the authentication protocol is valid, a list of the following things must be processed: In language of formal logic, idealize our protocol. Find out assumptions about the initial state of our protocol. In order to deduce new predicates, use production and rules of the logic. Use logic to find out beliefs made by parties in our protocol. Based on seeing rule, we get According to According to According to According to Based on seeing rule it gets Based on Based on Based on Based on
To show our protocol is secure, it must satisfy BAN logic based goals as discussed below.
Our protocol is transformed into the idealized form:
The assumptions on initial state of the protocol are made to analyze the proposed protocol as follows:
Idealized form of the protocol is demonstrated under BAN logic with assumptions. The main proofs are as follows:
The discussion made above proves that our protocol correctly achieves the mutual authentication property.
We first briefly discuss the concept of the AVISPA and then present simulation results followed by HLPSL code of our protocol. According to literature review, the AVISPA is one of the widely used simulation tools for verifying security correction of the authentication protocol. Many earlier protocols [
It is well known that AVISPA [
The HLPSL is a role-oriented language where every party plays a role during protocol execution. Every role is free from others, retrieving some initial information through parameters and communicating with other roles by the channels. Intruder is framed using the model [
role user (Ui, RC, ASj: agent, SKey1 : symmetric_key, SKey2 : symmetric_key, H, MUL, SUB: hash_func, Snd, Rcv: channel(dy)) played_by Ui def= local State : nat, IDi, PWi, IDj, N, Ej, Yj: text, Di, Ei, Fi, Ai, Bi, Ci, Ri, M1, M2, M3, M4, M6, Rij, Rj, M5, SKi: message, Inc : hash_func const user_rserver, rserver_aserver, aserver_user, sec1, sec2, sec3, sec4, sec5, sec6: protocol_id init State ≔0 transition 1. State = 0 ∧ Rcv(start) State ∧ Snd( 2. State = 1 ∧ Rcv( State ∧ Bi ∧ Ri ∧ M1 ∧ M2 ∧ Snd(M1 ∧ secret( 3. State = 2 ∧ Rcv(Ej State ∧ M4 ∧ M5 ∧ Snd(M5 ∧ secret( ∧ witness(ASj, Ui, aserver_user, Ri) 4. State = 3 ∧ Rcv(M6 State ∧ SKi ∧ secret( end role
role rserver (RC, Ui, ASj: agent, SKey1 : symmetric_key, SKey2 : symmetric_key, H, MUL, SUB: hash_func, Snd, Rcv: channel(dy) ) played_by RC def= local State : nat, IDj, IDi, Ej, P, Q, N, W, Dj, G, Yj: text, Ai, Bi, Ci, Di, Ei, Fi, X, M1, M2, M3: message, Inc : hash_func const user_rserver, rserver_aserver, aserver_user, sec1, sec2, sec3, sec4, sec5, sec6 : protocol_id init State ≔0 transition 1. State = 0 State
2. State = 1 State
3. State = 2 State
end role
role aserver (ASj, Ui, RC: agent, SKey1 : symmetric_key, SKey2 : symmetric_key, % H is hash function H,MUL,SUB: hash_func, Snd, Rcv: channel(dy) ) played_by ASj def= local State : nat, IDi, IDj, Ej, Dj, Yj: text, M5, M9, Ri, M4, Rj, Rij, SKj, M6: message, Inc : hash_func const user_rserver, rserver_aserver, aserver_user, sec1, sec2, sec3, sec4, sec5, sec6 : protocol_id init State ≔0 transition 1. State = 0 ∧ Rcv(start) State ∧ Snd( ∧ Rcv( 2. State = 1 ∧ Rcv(M5 State ∧ M9 ∧ Yj ∧ Rj ∧ Rij ∧ SKj ∧ M6 ∧ Snd(M6 ∧ secret( ∧ witness(Ui, ASj, aserver_user, Rj) end role
role session(Ui, RC, ASj: agent, SKey1 : symmetric_key, SKey2 : symmetric_key, H, MUL,SUB: hash_func) def= local SI, SJ, RI, RJ, PI, PJ: channel (dy) composition user(Ui, RC, ASj, SKey1, SKey2, H, MUL, SUB, SI, RI) ∧ rserver(Ui, RC, ASj, SKey1, SKey2, H, MUL, SUB, SJ, RJ) ∧ aserver(Ui, RC, ASj, SKey1, SKey2, H, MUL, SUB, PI, PJ) end role role environment() def= const ui, rc, asj: agent, skey1 : symmetric_key, skey2 : symmetric_key, h,mul, sub: hash_func, idi, pwi, idj, ai, bi, ci, di, ei, fi, m1, m2, m3, m4, m5, m6, ri, rj, rij, ski, skj, n : text, user_aserver_Ri, aserver_user_Rj, sec1, sec2, sec3, sec4, sec5, sec6: protocol_id intruder_knowledge = ei, fi, n, m1, m2, idj} composition session(rc, ui, asj, skey1, skey2, h, mul, sub) ∧ session(ui, rc, asj, skey1, skey2, h, mul, sub) ∧ session(asj, ui, rc, skey1, skey2, h, mul, sub) end role goal secrecy_of sec1 secrecy_of sec2 secrecy_of sec3 secrecy_of sec4 secrecy_of sec5 secrecy_of sec6 authentication_on user_aserver_Ri authentication_on aserver_user_Rj end goal environment()
Algorithms Secrecy_of sec 1: Secrecy_of sec 2: the confidential information Secrecy_of sec 3: the session key Secrecy_of sec 4: the private key Secrecy_of sec 5: the confidential information secrecy_of sec 6: the random numbers authentication_on alice_server_Ri: authentication_on server_alice_Rj:
% OFMC % Version of 2006/02/13 SUMMARY SAFE DETAILS BOUNDED_NUMBER_OF_SESSIONS PROTOCOL /home/avispa/web-interface-computation/./ tempdir/workfile8Y6LVt.if GOAL as_specified BACKEND OFMC COMMENTS STATISTICS parseTime: 0.00 s searchTime: 0.19 s visitedNodes: 17 nodes depth: 2 plies
SUMMARY SAFE DETAILS BOUNDED_NUMBER_OF_SESSIONS TYPED_MODEL PROTOCOL /home/avispa/web-interface-computation /./tempdir/workfilegQjd7wqdOJ.if GOAL As Specified BACKEND CL-AtSe STATISTICS Analysed: 15 states Reachable: 15 states Translation: 0.32 seconds Computation: 0.00 seconds
This section discusses the performance of the proposed protocol and then compares it with the recently published protocols [
The results obtained in [
In Tables
Computation cost comparison of our protocol with other protocols.
Scheme | User | Server | Total |
---|---|---|---|
Pippal et al. [ |
|
|
|
Yeh [ |
|
|
|
Wei et al. [ |
|
|
|
Li et al. [ |
|
|
|
Proposed |
|
|
|
Execution time (ms) comparison of our protocol with other protocols.
Scheme | User | Server | Total |
---|---|---|---|
Pippal et al. [ |
5.4966 ms | 7.3235 ms | 12.8200 ms |
Yeh [ |
3.6701 ms | 7.5621 ms | 11.2322 ms |
Wei et al. [ |
3.6566 ms | 3.6562 ms | 7.3128 ms |
Li et al. [ |
1.8289 ms | 5.4839 ms | 7.3128 ms |
Proposed | 3.6562 ms | 3.7865 ms | 7.4427 ms |
Execution time (ms) of different protocols.
In Table
Communication and storage costs of our protocol and others.
Scheme | Smart-card cost (bits) | Communication cost (bits) | Number of messages |
---|---|---|---|
Pippal et al. [ |
|
|
|
Yeh [ |
|
|
|
Wei et al. [ |
|
|
|
Li et al. [ |
|
|
|
Proposed |
|
|
|
This article presents a flexible and cost-effective RSA-based multiserver authentication protocol to perform secure mutual authentication over any insecure channel with user and application server. We have then proved informally that our protocol can defy different cryptographic attacks. Moreover, the security of the mutual authentication and the freshness of the session key have been established based on BAN logic model, and AVISPA simulation results claim that proposed protocol is SAFE in CL-AtSe and OFMC models. We have then shown that the performance of our protocol is more effective than the existing protocols in terms of complexities. Our protocol is not only robust, but also flexible since it has user-friendly password change phase.
In recent times, cloud computing is also applied to the environment of mobile communication. However, the computation and storage capabilities of mobile devices are very limited. Therefore an attempt can be made to design a provably secure and lightweight multiserver authentication protocol for mobile cloud computing environments.
Registration center
Password of
Identity of
Identity of
Random number selected in login phase by the
Random number selected in authentication phase by the
Secret key of RC
Two different large prime numbers
Public key of
Private key of
Session key shared between
Cryptographic hash function
Concatenation
Bit-wise XOR operation
Symmetric key encryption using key
Message
Formula
Formula
Formula
Formula
Principals
Formula
Principal
Session key is used in the current session.
The authors declare that there are no conflicts of interest regarding the publication of this paper.
The authors extend their appreciation to the Deanship of Scientific Research at King Saud University for funding this work through Research Group no. RG-288.