Improved ECC-Based Three-Factor Multiserver Authentication Scheme

A multiserver environment can handle growth in the number of users more effectively than a single server and thereby improve the efficiency of mobile network services. Because of the large number of users, the security of users' personal information and communication information is even more important in a multiserver environment. Recently, Wang et al. proposed a multiserver authentication scheme based on biometrics and proved the security of their scheme. However, we first demonstrate that their scheme is insecure against known session-specific temporary information attacks, user impersonation attacks, and server impersonation attacks. To address these weaknesses, we propose an improved scheme based on Wang et al.'s scheme. The security of our improved scheme is validated by formal security analysis, Burrows–Abadi–Needham (BAN) logic, ProVerif, and informal security analysis. Security and performance comparisons demonstrate the security and efficiency of our scheme.


Introduction
With the development of information technologies [1][2][3][4][5][6][7][8] and the widespread application of the Internet of Things [9][10][11][12], mobile communication has emerged in many network communication environments. Multiserver environments in mobile communication improve the efficiency of user communications; therefore, they are more popular with users than single-server environments. A multiserver environment overcomes the limited storage and computing capacity of a single-server environment and can provide more remote services. A typical multiserver environment is shown in Figure 1.
Owing to the convenience of multiserver environments, authentication problems in the communication process cannot be disregarded. To date, three methods can be used to achieve user authentication in this environment. The first is password-based authentication [13][14][15][16][17]. This is the simplest method of authentication; however, an attacker can easily guess or steal a password from a party and impersonate a valid user. The second is two-factor authentication, which is based on a password and a smart card [18][19][20][21][22][23][24]. Compared with password-based authentication, two-factor authentication improves security. However, if the smart card is stolen, then the information stored in the smart card may be recovered. This leads to well-known attacks, such as offline guessing attacks. In the past few years, Wang et al. have proposed several two-factor authentication schemes for different application scenarios. In 2014, they proposed an anonymous two-factor authentication scheme for a distributed system [19]. In the same year, they proposed an anonymous two-factor authentication scheme for a wireless sensor network [20]. In 2016, Wang et al. [25] compared and evaluated some representative two-factor authentication schemes and proposed a new evaluation standard for two-factor authentication schemes. In 2018, Wang et al. [26] proposed an evaluation framework for two-factor authentication schemes for real-time data access in industrial wireless sensor networks and evaluated the relevant schemes. The third is three-factor authentication, which is based on passwords, smart cards, and biometrics [27][28][29][30][31][32][33][34][35][36][37][38][39]. On a public channel, an attacker may eavesdrop on, modify, or replay transmitted messages. This poses a significant threat to the security of users.
Because authentication schemes based only on a password or a smart card offer low security, applying biometrics to authentication schemes can overcome the insecurity of password- or smart card-based schemes. Therefore, a secure and efficient authentication scheme based on biometrics must be designed.
Compared with Rivest–Shamir–Adleman (RSA) or ElGamal cryptosystems, elliptic curve cryptography (ECC) provides a smaller key size and better computational efficiency at the same security level. In recent years, several biometric-based authentication schemes based on ECC have been proposed. In 2013, Pippal et al. [27] proposed a three-factor authentication scheme for a multiserver environment and claimed that their scheme can overcome all types of network attacks. In 2014, He and Wang [28] proposed a multiserver environment authentication scheme based on robust biometrics, claiming that their scheme was the first three-factor authentication scheme applicable to multiserver environments. In 2015, Odelu et al. [30] reported that the scheme proposed in [28] was vulnerable to a known session-specific temporary information attack and an impersonation attack and hence did not provide strong user anonymity; therefore, they proposed a secure multiserver authentication protocol based on biometric technology using smart cards. In the same year, Li et al. [31] discovered that Pippal et al.'s [27] scheme can provide incorrect authentication and could not overcome impersonation, stolen smart card, and internal attacks. Therefore, Li et al. [31] proposed an improved scheme to overcome the problems above. In 2017, Kumari et al. [32] proposed a provably secure multicloud server authentication scheme based on biometrics. However, in 2018, Feng et al. [33] discovered that the scheme presented in [32] could not guarantee user anonymity, three-factor security, perfect forward security, etc.; hence, they proposed a multiserver environment authentication scheme based on anonymous biometrics. In the same year, Ali and Pal [34] analyzed Li et al.'s [31] scheme and discovered that it could not overcome password-guessing, user impersonation, insider, and smart card theft attacks, nor could it guarantee user anonymity.
Ali and Pal [34] proposed a three-factor multiserver authentication scheme based on an elliptic curve cryptosystem to solve the abovementioned issues. Unfortunately, Wang et al. [36] discovered that the scheme presented in [34] was vulnerable to user impersonation, server impersonation, privileged insider, and denial-of-service attacks, among others, and could not provide either forward secrecy or three-factor secrecy. Therefore, Wang et al. proposed an improved multiserver authentication scheme based on biometrics and claimed that their scheme can overcome offline password-guessing, user impersonation, server impersonation, known session-specific temporary information, and privileged insider attacks, and that it provides three-factor security and user anonymity. Some important related works are summarized in Table 1.
In this study, we show that Wang et al.'s scheme is subject to known session-specific temporary information, user impersonation, and server impersonation attacks. To overcome these attacks, we build on Wang et al.'s scheme and propose an improved authentication scheme. Finally, we demonstrate that our scheme is semantically secure in the ROR model and that it overcomes known attacks, using the ProVerif tool and BAN logic. The remainder of this paper is organized as follows. A brief review and the cryptanalysis of the scheme proposed by Wang et al. are given in Sections 2 and 3, respectively. Section 4 elaborates the proposed scheme in detail. Section 5 presents the security analysis of the proposed scheme. Section 6 presents a comparison of performance and security. Section 7 concludes the paper.

Review of Wang et al.'s Scheme
Wang et al.'s scheme includes initialization, server and user registration, and login and authentication phases. Their scheme involves three types of entities: users, servers, and a registration center. The notations used in the scheme and their descriptions are shown in Table 2.

Initialization.
In this phase, the registration center (RC) selects an elliptic curve E_q and a base point P on E_q, and defines two hash functions H(·) and h(·). Subsequently, the RC selects a random number x as its secret key, computes the public key P_pub = xP, and publishes ⟨E_q, P, P_pub, H(·), h(·)⟩.

Server and User Registration.
The server Server_j selects its identity SID_j and sends it to the RC through a secure channel. The RC receives this message, computes SM_j = H(SID_j ‖ x), and sends SM_j to Server_j. When Server_j receives SM_j, it stores it as its secret key. The user User_i selects ID_i and PW_i and imprints b_i. Subsequently, User_i selects a random number r_i, computes P_i = H(PW_i ‖ h(b_i) ‖ r_i), and sends ⟨ID_i, P_i⟩ to the RC. The RC receives this message and calculates the card parameters, where 2^4 ≤ n ≤ 2^8. Note that H(P_i ⊕ H(ID_i)) is the fuzzy-verifier technique [40]. The RC stores ⟨B_i, V_i, E_key(·), P, P_pub, n⟩ in the smart card (SC) and then sends the SC to User_i over a secure channel. Subsequently, User_i stores r_i in the SC.

Login and Authentication.
In this phase, User_i and Server_j complete mutual authentication and establish a session key (SK) with the aid of the RC.
Step 1 User_i enters ID_i and PW_i, imprints b_i, and logs in to the SC. Subsequently, the SC computes and verifies whether V_i′ = V_i. If they are equal, then User_i generates a random number N_1 and performs the corresponding computations. Next, User_i sends ⟨R_i, L_i⟩ to the RC over the public channel.

Table 1 (summary of related works)

Scheme | Cryptographic techniques | Limitations
Pippal et al. [27] | (1) Utilized one-way hash function; (2) based on Diffie-Hellman problem; (3) based on smart card | (1) Does not resist impersonation attacks; (2) does not resist internal attacks
Li et al. [31] | (1) Utilized one-way hash function; (2) based on Diffie-Hellman problem; (3) based on smart card | (1) Does not resist password-guessing attacks; (2) does not resist impersonation attacks; (3) does not resist internal attacks; (4) does not resist smart card theft attacks; (5) does not support user anonymity
Kumari et al. [32] | (1) Based on biometrics; (2) utilized one-way hash function; (3) based on anonymous authentication | (1) Does not support user anonymity; (2) does not resist man-in-the-middle attacks
Feng et al. [33] | (1) Utilized ECC; (2) based on smart card; (3) based on biometrics | (1) Does not provide three-factor secrecy; (2) does not resist known session-specific temporary information attack
Ali and Pal [34] | (1) Utilized ECC; (2) three-factor security; (3) based on data encryption scheme | (1) Does not resist impersonation attacks; (2) does not resist internal attacks; (3) does not provide forward secrecy; (4) does not provide three-factor secrecy; (5) does not resist known session-specific temporary information attack
Wang et al. [36] | (1) Utilized ECC; (2) based on biometrics; (3) based on data encryption scheme | (1) Does not resist impersonation attacks; (2) does not resist known session-specific temporary information attack

Table 2 (notation, fragment)

E_key(·)/D_key(·) | Symmetric encryption/decryption algorithm with key

Step 2 After the RC receives ⟨R_i, L_i⟩, it computes and verifies whether A_i′ = A_i. If they are equal, then the RC computes M_i. Next, the RC sends M_i to Server_j over the public channel.
Step 3 After Server_j receives M_i, it computes and verifies whether Y_i′ = Y_i. If they are equal, then Server_j generates a random number N_2 and computes its response. Subsequently, Server_j sends ⟨R_s, F_i⟩ to User_i over the public channel.
Step 4 After User_i receives ⟨R_s, F_i⟩, it computes and verifies whether F_i′ = F_i. If they are equal, then User_i computes Q_i. Next, User_i sends Q_i to Server_j over the public channel.
Step 5 After Server_j receives Q_i, it computes and verifies whether Q_i′ = Q_i. If they are equal, then SK_i = SK_j is the session key for User_i and Server_j.

Cryptanalysis of Wang et al.'s Scheme
In this section, we demonstrate that Wang et al.'s scheme is subject to three security attacks. In our proposed attacks, we assume that the attacker A is a legitimate user who has already registered with the RC.

Known Session-Specific Temporary Information Attack.
A known session-specific temporary information attack refers to a security attack in which an attacker attempts to obtain the current SK when temporary secret values such as random numbers are disclosed [41].
In this attack, we assume that the attacker A obtains the temporary information N_1 and captures ⟨R_i, L_i⟩ and ⟨R_s, F_i⟩, which are transmitted over the public channel. Based on these, A can compute the values C_i, A_i′, and SID_j (used in the following attacks) and the SK. Furthermore, based on the same formulas, A can obtain the user's ID_i; in other words, user anonymity is not protected.

User Impersonation Attack
Step 1 Based on Section 3.1, A can obtain ID_i, A_i′, and SID_j. Subsequently, A generates a random number N_A, computes the forged values, and, impersonating User_i, sends ⟨R_A, L_A⟩ to the RC.
Step 2 Upon receiving ⟨R_A, L_A⟩, the RC computes its verification values. It is clear that the check passes, and the RC sends M_A to Server_j.
Step 3 After receiving M_A, Server_j computes its verification values.

Security and Communication Networks
It is clear that Y_i′ = Y_i. Next, Server_j generates a random number N_2, computes its response, and sends ⟨R_S, F_A⟩ to User_i.
Step 4 A intercepts the message ⟨R_S, F_A⟩, computes Q_A, and sends Q_A to Server_j.
Step 5 Upon receiving Q_A, Server_j completes its verification. During this process, the server regards A as User_i.

Server Impersonation Attack.
This attack is also based on C_i, ID_i, A_i′, and SID_j from Section 3.1. When User_i sends ⟨R_i, L_i⟩ to the RC, A eavesdrops on the message. Subsequently, when the RC sends M_i to Server_j, A intercepts the message. A generates a random number N_A, computes the forged response, and sends ⟨R_A, F_A⟩ to User_i. Upon receiving ⟨R_A, F_A⟩, User_i computes its verification values; it is clear that the check passes, and User_i sends Q_A to Server_j. At this point, A intercepts the message and computes Q_A′; it is clear that Q_A′ = Q_A. During the entire process, the user regards A as Server_j.

Improved Scheme
To overcome these attacks, we propose in this section an improved scheme based on Wang et al.'s scheme. Our scheme still operates in a multiserver environment and comprises the initialization, modified server and user registration, and modified login and authentication phases. Note that the initialization phase of our scheme is the same as that of Wang et al.'s scheme, and a rectangle is used to denote our modifications.

Modified Server and User Registration.
The server Server_j selects its identity SID_j and sends it to the RC through a secure channel. The RC receives this message and selects a random number e_j. Subsequently, the RC computes SM_j = H(SID_j ‖ x ‖ e_j), stores ⟨SID_j, e_j⟩, and sends SM_j to Server_j. When Server_j receives SM_j, it stores it in its database.
The user User_i selects ID_i and PW_i and imprints b_i. Subsequently, User_i selects a random number r_i, computes HID_i = H(ID_i ⊕ r_i) and P_i = H(PW_i ‖ h(b_i) ‖ r_i), and sends ⟨HID_i, ID_i, P_i⟩ to the RC. The RC receives this message, selects a random number d_i, and computes the card parameters, where 2^4 ≤ n ≤ 2^8. The RC stores ⟨HID_i, ID_i, d_i⟩ in its database, stores ⟨B_i, V_i, E_key(·), P, P_pub, n⟩ in the SC, and sends the SC to User_i over a secure channel. Next, User_i stores r_i in the SC. The complete registration process is shown in Figure 2.
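As an added example (not the paper's own code), the following Python script models the fuzzy-verifier check that the smart card performs at login, which the registration phases above and in Wang et al.'s scheme rely on. The exact expressions for B_i and V_i are not reproduced in the text, so the script assumes V_i = H(P_i ⊕ H(ID_i)) mod n, with P_i = H(PW_i ‖ h(b_i) ‖ r_i) as written in the formal analysis and n = 2^8 at the top of the allowed range; the identity, password, biometric template, r_i and candidate password list are constructed sample values. It shows why the verifier is reduced modulo a small n: a card-only verifier that matched exactly one password would let whoever holds the card confirm a guess offline, whereas with n = 2^8 roughly one in 256 candidate passwords produces the same V_i, so the card alone cannot single out the real password and the RC's online check remains the deciding factor.

```python
import hashlib


def H(data: bytes) -> bytes:
    """Generic hash H(.) of the scheme, instantiated here with SHA-256."""
    return hashlib.sha256(data).digest()


def h(data: bytes) -> bytes:
    """Biometric hash h(.); also modelled with SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def compute_P(pw: bytes, bio: bytes, r: bytes) -> bytes:
    """P_i = H(PW_i || h(b_i) || r_i), as given in the paper's formal analysis."""
    return H(pw + h(bio) + r)


def fuzzy_verifier(ident: bytes, p_i: bytes, n: int) -> int:
    """V_i = H(P_i xor H(ID_i)) mod n (assumed form of the fuzzy verifier)."""
    digest = H(xor_bytes(p_i, H(ident)))
    return int.from_bytes(digest, "big") % n


def matching_candidates(ident, bio, r, v_i, n, candidates):
    """Candidate passwords consistent with a stored V_i.

    Models what the holder of a stolen card (who knows r_i, and is here
    assumed to also know b_i so that only the password varies) could learn
    purely offline from the card contents.
    """
    return [pw for pw in candidates
            if fuzzy_verifier(ident, compute_P(pw, bio, r), n) == v_i]


# Constructed sample registration values (not taken from the paper).
ID_I = b"user-0042"
PW_I = b"pw2317"
B_I = b"constructed-biometric-template"
R_I = b"\x01\x02\x03\x04\x05\x06\x07\x08"
CANDIDATES = [f"pw{k:04d}".encode() for k in range(5000)]  # contains PW_I


def demo(n: int = 2 ** 8):
    """Return (matches with fuzzy verifier mod n, matches with an exact verifier)."""
    p_real = compute_P(PW_I, B_I, R_I)
    v_fuzzy = fuzzy_verifier(ID_I, p_real, n)
    fuzzy_hits = matching_candidates(ID_I, B_I, R_I, v_fuzzy, n, CANDIDATES)
    # An "exact" verifier keeps the whole 256-bit digest, so only one password fits.
    v_exact = fuzzy_verifier(ID_I, p_real, 2 ** 256)
    exact_hits = matching_candidates(ID_I, B_I, R_I, v_exact, 2 ** 256, CANDIDATES)
    return len(fuzzy_hits), len(exact_hits)


if __name__ == "__main__":
    fuzzy, exact = demo()
    print(f"fuzzy verifier (n=2^8): {fuzzy} of {len(CANDIDATES)} candidates match V_i")
    print(f"exact verifier        : {exact} candidate matches V_i")
```

The fuzzy count is what limits an offline attempt against a stolen card to a large set of equally plausible passwords; the RC's online verification of A_i (which needs x) is what rejects the wrong ones, and that online path is where lockout or rate limiting belongs.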

Modified Login and Authentication.
In this phase, User_i and Server_j complete mutual authentication and use the RC as an information center to establish an SK. The complete login and authentication process is shown in Figure 3.
Step 1 User_i enters ID_i and PW_i, imprints b_i, and logs in to the SC. Next, the SC computes and verifies whether V_i′ = V_i. If they are equal, User_i generates a random number N_1 and performs the corresponding computations.

[Figure 3: login and authentication phase between User_i, the RC, and Server_j]

Subsequently, User_i sends M_1 = ⟨D_i, HID_i′, L_i⟩ to the RC over the public channel.
Step 2 After the RC receives M_1, it retrieves ⟨HID_i′, ID_i, d_i⟩ from its database and computes and verifies whether A_i′ = A_i″. If they are equal, the RC computes M_i. Next, the RC sends M_2 = M_i to Server_j over the public channel.
Step 3 After Server_j receives M_2, it computes and verifies whether Y_i′ = Y_i. If they are equal, Server_j generates a random number N_2 and computes its response. Subsequently, Server_j sends M_3 = ⟨R_s, F_i⟩ to User_i over the public channel.
Step 4 After User_i receives M_3, it computes and verifies whether F_i′ = F_i. If they are equal, SK is the session key for User_i and Server_j.

Formal Security Analysis.
In this section, we present the security analysis of our improved scheme in the random oracle model [42]. First, we define the adversarial model [25,26,[43][44][45][46][47] and simulate the adversary's capabilities in a real attack. Three participants, User_i, Server_j, and the RC, are involved in the proposed scheme. We use x_U, y_S, and z_RC to denote the xth communication of User_i, the yth communication of Server_j, and the zth communication of the RC, respectively. To perform the formal security analysis, we define the following query model for the attacker A.
Execute(x_U, y_S, z_RC): A performs this query to eavesdrop on and record the messages transmitted over the public channel, such as the messages between U and the RC, between the RC and S, and between S and U.

Hash( ... , and C_i, so the probability of GM_1 is the same as that of GM_0, that is, Adv^P_{A,GM_1} = Adv^P_{A,GM_0}.

Game GM_2: GM_2 adds the Hash and Send queries. E_i, A_i, and C_i are all protected by h(·), and E_i, A_i, and C_i are not directly obtainable from the transmission channel; according to the birthday paradox, we get |Adv^P_{A,GM_1} − Adv^P_{A,GM_2}| ≤ q_h^2 / (2|Hash|).

Game GM_3: The Corrupt query is added in GM_3, and A can obtain the information ⟨B_i, V_i, r_i, E_key(·), P, P_pub, n⟩ stored in the smart card. User_i registers with the password and biometric information, and A wants to guess P_i = H(PW_i ‖ h(b_i) ‖ r_i), but the probability of guessing the biometrics is 1/2^l [49], which is almost negligible. Using Zipf's law [48], we get |Adv^P_{A,GM_2} − Adv^P_{A,GM_3}| ≤ max{C′ · q_send^s, q_send / 2^l}.

Game GM_4: GM_4 is the last game. Here, A attempts to decrypt the information L_i, M_i and uses the obtained information ⟨B_i, V_i, r_i, E_key(·), P, P_pub, n⟩ to infer the SK. Without the master key x of the RC, A cannot do so. According to the security of the symmetric encryption algorithm Ω, we obtain |Adv^P_{A,GM_3} − Adv^P_{A,GM_4}| ≤ Adv^P_Ω(k).

All queries are performed by A. After the Test query, only the coin c of GM_4 is left. Thus, the probability of guessing coin c is Adv^P_{A,GM_4} = 1/2. In summary, we can deduce that the advantage of A in breaking the scheme is Adv^P_A ≤ q_h^2 / |Hash| + 2 · max{C′ · q_send^s, q_send / 2^l} + 2 · Adv^P_Ω(k).

Formal Security Analysis by BAN Logic.
In this subsection, we demonstrate through BAN logic that the parties in our scheme verify each other's identity and that the agreed SK cannot be obtained by others. BAN logic is a set of rules for defining and analyzing the communication process between two parties. Specifically, the conclusions obtained through BAN logic follow from a rigorous logical analysis, which further establishes the confidentiality and credibility of the communicated information. The notations and rules of BAN logic used in the BAN logic derivation performed in this study are cited from [24,27,28,30,31,36,50,51]. The proof of our scheme is as follows:

The Proof of Our Proposed Scheme. For Goal 1: By S. Based on A_2 and rule (4), S. Using S_3, S_2, and rule (1),

Security Verification by ProVerif.
We used the verification tool ProVerif to test the security of our proposed scheme. ProVerif is an important tool for verifying security properties such as authentication, confidentiality, anonymity, and privacy [11,24,51,52]. Furthermore, ProVerif can automatically verify the security of a scheme. It handles basic primitives such as public key cryptography and the Diffie-Hellman mechanism. The definitions of the ProVerif code are shown in Figure 4. Our scheme comprises three entities: User_i, the RC, and Server_j. Figures 5–7 show the user, RC, and server processes in our code, respectively. Five events are involved: UserAuthed, UserStarted, RCAcUser, ServerAcRC, and UserAcServer. Event UserAuthed means that User_i has been successfully authenticated. Event UserStarted means that User_i has started authentication. Event RCAcUser means that the RC has successfully authenticated User_i. Event ServerAcRC means that Server_j has successfully authenticated the RC. Event UserAcServer means that User_i has successfully authenticated Server_j.
Next, we used ProVerif to query whether the attacker can obtain the identities of User_i and Server_j as well as the SK, and whether the events above are executed in sequence. Figure 8 shows the events and queries in the code.

Known Session-Specific Temporary Information Attacks.
Upon completing the login and authentication phase, if N_1 or N_2 is compromised, then A intercepts the information ⟨R_s, F_i⟩ and attempts to compute the SK from it. Without A_i and C_i this fails; therefore, A cannot compute the SK, and the scheme successfully overcomes known session-specific temporary information attacks.
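As an added example (not code from the paper), the following Python model contrasts the situation in Section 3.1 with the one described above. The paper does not reproduce the session-key expressions, so the script assumes an abstract form: in the weak variant the key depends only on the ephemeral ECC values N_1·P and N_2·P exchanged on the public channel, and in the strengthened variant it is additionally bound to the user's long-term value A_i = H(x ‖ HID_i ‖ ID_i ‖ d_i) (the form given in the stolen-SC analysis), which an eavesdropper who learns N_1 does not hold because it requires the RC's secret x. It uses the standard secp256k1 curve with a minimal affine point implementation rather than the paper's Type A pairing curve; all identities, secrets and nonces are constructed sample values.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # a = 0 for secp256k1
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def H(*parts) -> str:
    """Scheme hash H(.), instantiated with SHA-256 over the concatenated parts."""
    return hashlib.sha256(b"||".join(str(p).encode() for p in parts)).hexdigest()


# Constructed sample values: RC master key x, user identity material, server id.
X_RC = 0x1234567890ABCDEF
HID_I, ID_I, D_I, SID_J = "hid-0042", "user-0042", "d-7781", "server-03"
A_I = H(X_RC, HID_I, ID_I, D_I)   # long-term value known to User_i (via the SC) and the RC


def run_session(n1, n2):
    """Public transcript plus both session-key variants for nonces n1 (user), n2 (server)."""
    r_i = ec_mul(n1, G)                    # sent by User_i over the public channel
    r_s = ec_mul(n2, G)                    # sent by Server_j over the public channel
    shared = ec_mul(n1, r_s)               # equals ec_mul(n2, r_i) on the server side
    sk_weak = H("SK", shared)              # depends on the ephemeral values only
    sk_strong = H("SK", HID_I, SID_J, shared, A_I)   # also bound to the long-term A_i
    return {"r_i": r_i, "r_s": r_s, "sk_weak": sk_weak, "sk_strong": sk_strong}


def eavesdropper_guess(leaked_n1, transcript):
    """What a party holding a leaked N_1 and the public transcript can derive.
    It lacks A_i (which needs the RC's x), so the strong variant is formed without it."""
    shared = ec_mul(leaked_n1, transcript["r_s"])
    return {"sk_weak": H("SK", shared),
            "sk_strong": H("SK", HID_I, SID_J, shared)}


def leak_exposes_key(variant: str) -> bool:
    """True if a leaked N_1 lets the eavesdropper reproduce the given key variant."""
    n1 = secrets.randbelow(N - 1) + 1
    n2 = secrets.randbelow(N - 1) + 1
    transcript = run_session(n1, n2)
    return eavesdropper_guess(n1, transcript)[variant] == transcript[variant]


if __name__ == "__main__":
    print("ephemeral-only key recovered from leaked N_1:", leak_exposes_key("sk_weak"))
    print("key bound to A_i recovered from leaked N_1:  ", leak_exposes_key("sk_strong"))
```

The first result is the weakness of Section 3.1 in abstract form: once N_1 leaks, the captured R_s is all that is needed. The second is the property the improved scheme relies on: the key derivation also consumes a value that the transcript and the leaked nonce never reveal, so exposure of session-specific randomness alone is not enough.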

User Impersonation Attacks.
Assume that A pretends to be a user and forges a message M_1 = ⟨D_i, HID_i, L_i⟩. Even if A forges a random number N_1′, it cannot compute A_i to forge D_i and L_i. A cannot obtain A_i for two reasons. First, upon completing login and entering the authentication phase, A_i is encrypted under C_i, and A cannot compute C_i to decrypt A_i; therefore, A_i cannot be obtained. Second, in the registration phase, if the SC is stolen by a malicious user, then A can obtain B_i. However, recovering A_i from B_i also requires P_i, which A does not have. Therefore, the scheme successfully overcomes user impersonation attacks.

Man-in-the-Middle Attacks.
Upon completing the login and authentication phase, A intercepts the messages transmitted between User_i and Server_j to impersonate the user or the server. A may intercept M_3 to impersonate Server_j.
However, A cannot compute F_i = H(HID_i ‖ SK_j ‖ R_S ‖ SID_j); therefore, the session is terminated. In the other case, A may intercept M_1, M_2 to impersonate User_i. However, A cannot compute A_i; therefore, it cannot pass the RC's verification. Therefore, the scheme can overcome man-in-the-middle attacks.

Replay Attacks.
Suppose that message M_1, M_2, or M_3 is replayed by A. Our scheme overcomes this attack by refreshing the random numbers N_1, N_2 in every session. If one of the messages M_1, M_2, M_3 is replayed, the mutual authentication value F_i for the user will not pass verification, and the session will be terminated. Therefore, this scheme can overcome replay attacks.

Stolen SC Attacks.
Suppose that the SC is stolen by a malicious user A, who obtains ⟨B_i, V_i, E_key(·), P, P_pub, n, r_i⟩. However, from these values A cannot compute A_i = H(x ‖ HID_i ‖ ID_i ‖ d_i). In addition, A cannot obtain N_1 to compute the login message. Therefore, the scheme can overcome privileged insider attacks.

Perfect Forward Secrecy.
Suppose that A obtains the RC's long-term key x and attempts to obtain the SK. Even if A obtains N_1 and intercepts ⟨R_s, F_i⟩, it cannot compute the SK from them. Therefore, this scheme provides perfect forward secrecy.

User Anonymity.
In the registration phase of the improved scheme, User_i computes HID_i = H(ID_i ⊕ r_i) to protect the real identity of the user. In the authentication phase, the user transmits the pseudonymous identity HID_i, and the attacker cannot obtain the real identity of the user. Therefore, our scheme provides user anonymity.

Three-Factor Secrecy.
The three factors are the password, the SC, and the biometrics. Based on the previous analysis, A_i and C_i are the key parameters for launching an attack that computes the SK. Suppose A obtains two of the three factors, e.g., the password and the SC. Even if A obtains the password and extracts the parameters from the SC, it cannot compute A_i and C_i to perform any attack. Password and biometrics: if A obtains the password and the biometrics and tries to calculate A_i, it must obtain B_i and P_i. However, B_i is stored in the SC, whereas P_i is protected by a random number. Biometrics and smart card: if A obtains the biometrics and the SC and tries to calculate P_i, it must obtain PW_i. Therefore, A cannot compute A_i or C_i, and hence cannot compute the SK.
After analyzing the security of our improved scheme, we conclude that our proposed scheme is "provably secure" against several well-known attacks with high probability. However, this does not mean that our scheme is a "perfectly secure" authentication scheme, because many special attack approaches or tricks exist [19].

Performance Comparison
In this section, we compare our improved scheme with those of Ali and Pal [34] and Wang et al. [36] in terms of security and efficiency. Table 3 presents a security comparison of the abovementioned schemes. It is evident that our scheme is secure against well-known attacks. Ali and Pal's scheme [34] could not overcome known session-specific temporary information, user impersonation, and server impersonation attacks, nor could it provide three-factor and perfect forward secrecy. Although Wang et al.'s scheme [36] guaranteed perfect forward secrecy, it could not overcome known session-specific temporary information, user impersonation, and server impersonation attacks. Hence, only our proposed protocol overcomes all of the known attacks considered and achieves the corresponding level of security.
A comparison of the computational costs is shown in Table 4. We used JPBC-2.0.0 (Pairing-Based Cryptography Library) [53], IntelliJ IDEA 2020.2.1 Community Edition, and a Windows 10 computer with a 2.3 GHz Intel(R) Core i5 processor and 16 GB of memory to measure the computational costs. Note that a widely accepted Type A pairing was constructed on the curve y^2 = x^3 + x over F_q, where q is a prime satisfying q ≡ 3 mod 4. In our experimental results, T_m was 13.5 ms, T_p was 0.48 ms, and T_s was 0.12 ms. As shown in Table 4, the computational cost of our scheme was lower than that of the scheme in [34], whereas it was 13.5 ms higher than that of the scheme in [36]. However, when our scheme is used in a practical application, the 13.5 ms difference is almost negligible. Meanwhile, the scheme in [36] is subject to known session-specific temporary information, user impersonation, and server impersonation attacks, whereas our improved scheme overcomes all of these known attacks. Table 5 shows a comparison of the communication costs. We assumed that an ECC point accounts for 320 bits because two 160-bit parameters form an ECC point. A hash output was taken to be 256 bits, and an identity 64 bits. The length of a symmetric-encryption ciphertext was 256 bits. In Ali ... Through the analysis of computation cost and communication cost, the communication cost of our scheme is significantly lower than that of [34,36], and the computation cost is also acceptable. Combined with the security analysis summarized in Table 3, our scheme also has strong security. Hence, our scheme is worthy of adoption for secure three-factor authentication.

Conclusion
In this study, we performed a security analysis of Wang et al.'s scheme and discovered that their scheme could not overcome known session-specific temporary information, user impersonation, and server impersonation attacks. We then proposed an improved scheme and proved its security through formal and informal security analysis. The communication security of our scheme was validated by the ProVerif tool, and the BAN logic analysis indicated that mutual authentication can be completed safely. Finally, through a comparison of performance and security, the security and efficiency of our proposed scheme were demonstrated. However, the computational cost of our scheme is still high, which motivates us to design lightweight authentication schemes in the future.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare no conflicts of interest.