1 Introduction

Today's Internet connects many kinds of devices that communicate with each other across various distributed networks. Secure communication in a distributed network is challenging because the network follows the client-server model, where the server itself may be distributed and replicated. Thus, a remote user who wants to obtain services must first authenticate himself to the network.

On the basis of Lamport's [1] authentication scheme, many single-server authentication protocols have appeared in the literature. However, his scheme requires a verification table, which can be compromised by attackers. When a user accesses services from more than one server, single-server authentication schemes become highly inconvenient in a distributed environment. Hence, many multi-server user authentication schemes have been proposed by researchers [2–12]. Among these protocols, some suffer from the parallel session attack [10, 12] and the server spoofing attack, and some do not resist the replay attack or the impersonation attack and fail to provide perfect forward secrecy [9, 11]. Dynamic ID-based authentication schemes are also found in the literature [13–17]; these schemes use smart cards for distributed systems. The scheme of Sood et al. [15] is based on elliptic curve cryptography and protects against all such attacks. Authentication schemes based on public key cryptography are very difficult to compromise because of the inherent strength of public key systems, but they are expensive: public key operations involve modular exponentiation, which needs a lot of processing time. So the computational cost increases and efficiency drops in such cases.

From the literature it can be summarised that a multi-server authentication scheme must provide mutual authentication without a verification table and with low computation and communication cost. Also, the remote user authentication scheme should resist the following attacks: insider attack, impersonation attack, replay attack, password guessing attack, stolen-verifier attack and server spoofing attack.

To support these features, this paper proposes a multi-server authentication scheme for remote users that uses three factors, a smart card, a password and a token, to authenticate the user. It also provides an easy password change phase that does not require replacing the card. The scheme resists many attacks, including the insider attack, impersonation attack, replay attack, password guessing attack, stolen-verifier attack and server spoofing attack.

The rest of the paper is organized as follows: Sect. 2 presents the cryptanalysis of the Chen et al. scheme, Sect. 3 describes the proposed mutual authentication protocol based on Diffie-Hellman key agreement, and Sect. 4 discusses the security and performance of the proposed scheme. Finally, Sect. 5 concludes the paper.

2 Cryptanalysis of Chen et al. scheme

This section presents the cryptanalysis of the Chen et al. scheme [9], which is shown in Figs. 1 and 2. Researchers assume that two adversary capabilities must be considered when assessing the security strength of smart-card based authentication: first, the communication link is under the control of the adversary, so that he can insert, delete and modify messages; second, the attacker is able to extract the secrets of the smart card; or the adversary has both capabilities.

Impersonation Attack. This protocol fails to protect against the impersonation attack. During the registration process the attacker extracts the user identity \(ID_{u}\) and password \(PW_{u}\). From the next communication he extracts \(C_{1} = h(SID_{j} || R_{u}) \oplus N_{c} = h(SID_{j} || h(ID_{u} || X)) \oplus N_{c}\) and keeps these values. Now the attacker sends \(ID_{u}\), \(SID_{j}\), \(C_{1}\) to the AC and \(ID_{u}\), \(C_{1}\) to the server \(S_{j}\). He then receives the token from the AC, and from \(C_{3} = N_{rc1} \oplus h(SID || h(ID || X))\) he obtains \(N_{rc1}\). He generates \(C_{7} = h(N_{rc1} || N_{c} || ID)\) and verifies himself to the AC. After that he receives \(C_{9} = h(ID || h(SID || Y) || N_{s}+1 || N_{rc2}+2) \oplus h(SID || h(ID || X) || N_{c}+1 || N_{rc1}+2)\). After completing the mutual authentication he can generate the session key, which equals \(h(ID || h(SID || Y) || N_{s}+1 || N_{rc2}+2) || h(SID || h(ID || X) || N_{c}+1 || N_{rc1}+2 || N_{s2}+1 || N_{c2}+2)\). The attacker can then impersonate a valid user and exchange messages with the server.

Replay Attack. This protocol fails to resist the replay attack. The protocol does not check the validity of the nonces \(C_{1}\), \(C_{2}\) coming from the user and the target server respectively. Also, the AC uses these nonces \(C_{1}\), \(C_{2}\) to generate two other nonces \(N_{c}\), \(N_{s}\). If the attacker manages to learn the value of \(R_{u}\), he can learn the value of \(N_{c}\), and all the other nonce values can be retrieved from it. Later the attacker can replay the message \(C_{1}\) for further authentication, since there is no validity check on each message packet. So he can easily perform a replay attack to gather knowledge of the authentication exchange.

Man-in-the-Middle Attack. This attack can easily be performed against this scheme. Suppose an attacker listens to all the communication between the user and the AC and has captured the message carrying the token \(C_{9} = h(ID || h(SID || Y) || N_{s}+1 || N_{rc2}+2) \oplus h(SID || h(ID || X) || N_{c}+1 || N_{rc1}+2)\). Now he wants to establish the session key for the communication. The attacker also captures the messages \(C_{10} = N_{s2} \oplus h(SID || h(ID || X) || N_{c}+1 || N_{rc1}+2)\) and \(C_{11} = N_{c2} \oplus h(ID || h(SID || Y) || N_{s}+1 || N_{rc2}+2)\), which the user and the server exchange during the mutual authentication phase. He performs the following operations to obtain the values of \(N_{c2}\), \(N_{s2}\): computing \(C_{9} \oplus C_{10} \oplus C_{11}\) gives \(N_{s2} \oplus N_{c2}\), and using differential cryptanalysis he can find \(N_{s2}\) and \(N_{c2}\). After that he easily obtains \(C_{10} \oplus N_{s2} = h(SID || h(ID || X) || N_{c}+1 || N_{rc1}+2)\) and \(C_{11} \oplus N_{c2} = h(ID || h(SID || Y) || N_{s}+1 || N_{rc2}+2)\). Hence he can calculate the session key \(K_{s} = h(ID || h(SID || Y) || N_{s}+1 || N_{rc2}+2) || h(SID || h(ID || X) || N_{c}+1 || N_{rc1}+2 || N_{s2}+1 || N_{c2}+2)\). Now all the encrypted messages come to the attacker, who can modify them and send them on to the server.

Dictionary Attack. This protocol cannot resist the offline dictionary attack. Suppose an attacker captures the smart card of the user and is now interested in finding the password. For example, he learns that the password is 6 digits long. He can list all such numbers and apply the hash function to each of them. A rainbow table is used to attack a hashed password in reverse: the attacker holds a table of possible hashes and looks up the matching password. After a match, the attacker goes online and uses the password to access the system. So a password change phase is required for changing the password.

Fig. 1. Message transfer in authentication process in Xie et al. scheme

Fig. 2. Message transfer in mutual authentication in Xie et al. scheme

Perfect Forward Secrecy. In this scheme we have seen that if the attacker knows the password and steals the smart card, he can retrieve the value \(R_{u} = h(ID_{u} || X)\) from \(C_{0} = R_{u} \oplus h(PW_{u})\). From a previous session he can then obtain the nonce \(N_{c}\) from \(C_{1} = h(SID_{j} || h(ID_{u} || X)) \oplus N_{c}\). Similarly, he can obtain \(N_{s}\) from \(C_{2} = h(ID_{u} || h(SID_{j} || Y)) \oplus N_{s}\), and \(N_{rc1}\) from \(C_{3} = N_{rc1} \oplus h(SID || h(ID || X))\). In this way the attacker extracts all the nonces and calculates the session key. Hence, no perfect forward secrecy is maintained in this protocol.

3 Proposed Authentication Protocol

The proposed scheme is applied in a distributed network with N clients and M servers. Initially, all servers and users are registered with the authentication server. After successful login and authentication, the user and the target server communicate directly with each other without the involvement of the authentication server. The user and the server authenticate each other and generate a session key for secure communication. Lastly, a password change phase is added. The whole scheme is shown in Fig. 3, with the notation described in Table 1.

Table 1. Description of notation used in proposed scheme
Fig. 3. Proposed mutual authentication protocol

Table 2. Flow of proposed mutual authentication scheme
1. User and Server Registration Phase. During this phase all legal users and all servers are registered through the AS. The steps of the server registration phase are given in Table 2.

   (a) The server sends a request message containing its identity SID to the AS over a communication channel.

   (b) The AS selects a secret number Y, computes h(SID||Y) and sends it to S.

   (c) During the user registration phase, the user fills in his/her personal information together with UID and PW on the application page of the AS. The AS produces the hashed salted password but never stores it. The AS then performs the following computation on these values.

   (d) On receiving UID and the hashed salted password, the AS computes \(R_{u} = h(UID||X)\) and \(C_{0} = R_{u} \oplus h(PW \oplus R)\). The AS stores \(R_{u}\) on a smart card and issues it to the user, and also sends a reply message containing the token \(C_{0}\) to the user by e-mail. The AS also preserves the values \(R_{u}\) of all registered users. Hence, user authentication depends on three factors: \(R_{u}\), \(C_{0}\) and the password.

2. Login and Authentication Phase. This phase describes the login and authentication of a user. The registered user logs in to the AS, and the AS checks whether the user is valid. The steps involved are explained below:

   (a) The user inserts his/her smart card into the system and the card reader extracts \(R_{u}\) and UID. The user then enters the password, \(C_{0}\) and the target server ID SID with which he/she wishes to communicate. The card reader computes \(R_{u} = C_{0} \oplus h(PW \oplus R)\) and compares the two values of \(R_{u}\). If they match, the user is connected to the AS through the system. Now the user chooses a random value \(a \in Z_{p}^{*}\) and computes \(C_{1} = g^{a} \bmod p\) and \(C_{2} = h(R_{u}||SID||C_{1})\). After computing \(C_{1}\) and \(C_{2}\), the user sends UID, SID, \(C_{1}\), \(C_{2}\) and a timestamp to the AS.

   (b) The AS forwards UID to the target server S. On receiving the user request in the form of UID, the server S randomly selects \(b \in Z_{p}^{*}\) and computes \(C_{3} = g^{b} \bmod p\) and \(C_{4} = h(h(SID||Y)||UID||C_{3})\). The target server S then sends UID, SID, \(C_{3}\), \(C_{4}\) to the AS.

   (c) On receiving the messages from the user and the server, the AS first checks the timestamps. If \(T_{2} - T_{1} \le \Delta T\), the AS checks whether \(h(h(UID||X)||SID||C_{1})\) equals \(C_{2}\) and whether \(h(h(SID||Y)||UID||C_{3})\) equals \(C_{4}\). If both pairs are equal, the AS authenticates the user and the server; otherwise it terminates the session. After authenticating, the AS randomly chooses \(c \in Z_{p}^{*}\) and \(d \in Z_{p}^{*}\) and computes: \(C_{5} = g^{c} \bmod p\), \(K_{1} = C_{1}^{c} \bmod p = g^{ac} \bmod p\), \(C_{6} = h(K_{1}||h(UID||X)||SID)\), \(C_{7} = g^{d} \bmod p\), \(K_{2} = C_{3}^{d} \bmod p = g^{bd} \bmod p\), \(C_{8} = h(K_{2}||h(SID||Y)||UID)\). The AS then transfers \(C_{5}\), \(C_{6}\) to the user and \(C_{7}\), \(C_{8}\) to the target server S. Each message contains the current timestamp.

   (d) After receiving the message from the AS, the user checks the timestamp and calculates \(K_{1} = C_{5}^{a} \bmod p = g^{ac} \bmod p\). The user then verifies the received \(C_{6}\) by checking whether \(h(K_{1}||h(UID||X)||SID) = C_{6}\). If the two values are equal, the user authenticates the AS, computes \(C_{9} = h(K_{1}+1)\) and sends it to the AS. Similarly, the target server S checks the timestamp and computes \(K_{2} = C_{7}^{b} \bmod p = g^{bd} \bmod p\). The server verifies the received \(C_{8}\) by checking whether \(h(K_{2}||h(SID||Y)||UID) = C_{8}\). If the two values are equal, the server authenticates the AS and computes \(C_{10} = h(K_{2}+1)\). After completing the above operation, the server sends \(C_{10}\).

   (e) When the AS receives \(C_{9}\) and \(C_{10}\), it verifies whether \(h(K_{1}+1) = C_{9}\) and \(h(K_{2}+1) = C_{10}\). If both hold, the AS is assured of authenticity and calculates \(C_{11} = h(h(UID||X)||SID||K_{1}+2) \oplus h(h(SID||Y)||UID||K_{2}+2)\). Once \(C_{11}\) is computed, the AS sends it to the user and the server with a timestamp. This step marks the end of the AS's involvement.

3. Mutual Authentication and Session Key Generation Phase. In the session key generation phase, the authenticated user and the target server communicate directly and generate a secure session key, as given in Table 2. The details of each step are as follows:

   (a) On receiving \(C_{11}\) from the AS, the user checks the timestamp and computes \(C_{12} = C_{11} \oplus C_{6}\). The user transmits (UID||\(C_{1}\)||\(C_{12}\)) to server S over the public network.

   (b) On receiving \(C_{12}\), the target server computes \(C'_{6}\) from \(C_{12} = C_{11} \oplus C_{6}\) and compares the received value \(C'_{6}\) with the stored value \(C_{6}\) that the AS sent previously. If it matches, the target server S computes \(C_{13} = C_{11} \oplus C_{8}\) and transmits (SID||\(C_{3}\)||\(C_{13}\)) to the user over the public network. It also calculates the secret key \(K = C_{1}^{b} \bmod p\).

   (c) When the user receives \(C_{13}\), it computes \(C'_{8}\) from \(C_{13} = C_{11} \oplus C_{8}\) and compares the received value \(C'_{8}\) with the stored value \(C_{8}\) that the AS sent previously. If it matches, the user computes \(E = h(C_{12} \oplus C_{13})\) and sends the response message to the target server S. It also calculates the secret key \(K = C_{3}^{a} \bmod p\). After mutual authentication, both of them generate the common session key \(K_{s} = h(h(ID||X)||SID||K+2) || h(h(SID||Y)||K+2) || C_{13}+2 || C_{12}+2\). The user and the target server then exchange messages using symmetric encryption (AES) with the session key \(K_{s}\) for the session time \(T_{s}\).

4. Password Change Phase. The user inserts the card; the values UID and \(R_{u}\) are retrieved from the card, and \(C_{0}\) and PW are taken from the user. The card reader computes \(R'_{u} = C_{0} \oplus h(PW \oplus R)\) from the stored values and compares it with the stored \(R_{u}\); if \(R_{u} = R'_{u}\), the system accepts the user as valid. After the user enters the new password, the system generates \(X_{new} = h(PW_{new} \oplus R)\) and sends it to the AS. As the value of \(R_{u}\) remains unchanged, no new card is issued to the user. The AS only computes the new \(C_{0} = R_{u} \oplus h(PW_{new} \oplus R)\) and sends it to the user's e-mail. Next time, the user authenticates with the new \(C_{0}\). In this way the user can change the password without the AS issuing a new card.

4 Security and Performance of the Proposed Authentication Scheme

This section discusses the security of the proposed authentication protocol, which resists the following attacks:

Dictionary Attack. The system gives a limited number of login attempts, after which it locks the system for security. Moreover, it is not possible to guess the token and the password correctly at the same time. During login, the user enters UID, his/her password (PW) and the target server ID (SID). The user terminal computes \(R_{u} = C_{0} \oplus h(PW \oplus R)\). Even if the attacker knows \(C_{0}\), it is still very difficult to calculate the password and the salt. Hence, this protocol resists both offline and online password guessing attacks.

Replay Attack. The validity and freshness of the messages completely resist the replay attack. The freshness comes from the use of the randomly chosen a, b, c, d from \(Z_{p}^{*}\). Also, each message carries a fresh nonce whose validity is checked. For example, the AS performs the following checks for user and server authentication: whether \(h(h(UID||X)||SID||C_{1})\) equals \(C_{2}\) and whether \(h(h(SID||Y)||UID||C_{3})\) equals \(C_{4}\). The user verifies the received \(C_{6}\) by checking whether \(h(K_{1}||h(UID||X)||SID) = C_{6}\), and the server verifies the received \(C_{8}\) by checking whether \(h(K_{2}||h(SID||Y)||UID) = C_{8}\). So the proposed remote user authentication scheme withstands the replay attack as long as the adversary does not know the value of h(SID||Y) or h(ID||X).

Impersonation Attack. Suppose the attacker intercepts the message (UID||\(C_{0}\)) that the AS sends to the user, where \(C_{0} = R_{u} \oplus h(PW \oplus R)\). The attacker then has to enter the correct password at the card reader so that the terminal can calculate the value of \(R_{u}\), so it is impossible for the attacker to pass as a valid user. The attacker may go through the mutual authentication messages, but cannot establish the keys \(K_{1}\), \(K_{2}\). Hence, even if the attacker imitates a valid user, he cannot obtain the session key without knowing h(SID||Y) or h(ID||X). Thus the attacker will not get a correct authentication key, and the proposed protocol resists the impersonation attack.

Insider Attack. During user registration with the authentication server, the user provides his/her password in the form (PW \(\oplus\) R) instead of simply PW. The value R is generated randomly by the application site. The AS never stores the token \(C_{0} = R_{u} \oplus h(PW \oplus R)\) or the salted password. So an insider at the AS cannot learn the actual password or the salted password. Hence, the proposed scheme resists the insider attack.

Man-in-the-Middle Attack. The attacker intercepts the messages through which the AS communicates \(C_{5}\), \(C_{6}\) to the user and \(C_{7}\), \(C_{8}\) to the target server S over the public network, and replaces \(C_{5}\), \(C_{6}\) by \(C'_{5}\), \(C'_{6}\) and \(C_{7}\), \(C_{8}\) by \(C'_{7}\), \(C'_{8}\). The attacker then computes values \(K'_{1}\), \(K'_{2}\) with the intention of listening to all messages. But the session key actually depends on the following factors: \(K_{s} = h(h(ID||X)||SID||K+2) || h(h(SID||Y)||K+2) || C_{13}+2 || C_{12}+2\). The adversary does not have the values X and Y, so he cannot establish a common session key. Thus this attack is not possible in this scheme.

Table 3. The functionality comparison of our proposed protocol with previous existing protocols

Mutual Authentication. This scheme provides mutual authentication between the user and the target server. The user transmits (UID||\(C_{1}\)||\(C_{12}\)) to server S over the public network. The target server computes \(C'_{6}\) from \(C_{12} = C_{11} \oplus C_{6}\) and compares the received value \(C'_{6}\) with the stored value \(C_{6}\) that the AS sent previously. If it matches, the target server transmits (SID||\(C_{3}\)||\(C_{13}\)) to the user over the public network. It also calculates the secret key \(K = C_{1}^{b} \bmod p\). When the user receives \(C_{13}\), it computes \(C'_{8}\) from \(C_{13} = C_{11} \oplus C_{8}\) and compares the received value \(C'_{8}\) with the stored value \(C_{8}\) that the AS sent previously. If it matches, the user computes \(e_{1} = h(C_{12} \oplus C_{13})\) and sends the response message to the target server S. In this way the scheme provides mutual authentication between the user and the target server.

Server Spoofing Attack. In the proposed protocol the attacker cannot prove the authenticity of any user, because servers do not keep any password table. To authenticate the user, a server first needs to be authenticated by the authentication server, and only then can it communicate with the user. The attacker can obtain the SID of the target server, but cannot know the value of Y because it is randomly generated by the AS and kept secret. Therefore, this scheme resists the server spoofing attack.

Perfect Forward Secrecy. The scheme maintains perfect forward secrecy. Even if the password of a past session is disclosed, the attacker still cannot calculate the past session key. Assume that the attacker knows \(C_{12}\), \(C_{13}\). To generate the past session key, the attacker must know h(SID||Y) and h(ID||X), which depend on the two secret values X and Y. Suppose the attacker somehow knows these values. He then has to calculate \(K = g^{ab} \bmod p\), for which he must know a and b. The attacker cannot guess them accurately and so cannot obtain the session key. Hence the scheme maintains perfect forward secrecy.

Performance Analysis. The functionality comparison in Table 3 shows that our scheme is more secure and robust and takes less time for the authentication operations. The notations \(T_{h}\), \(T_{X}\) and \(T_{exp}\) denote the time complexity of the hash function, of the XOR operation and of the exponential operation respectively.

5 Conclusions

This paper proposes an advanced and secure authentication technique for remote users in distributed networks over an insecure channel. It resists all possible attacks in distributed networks. The scheme provides mutual authentication between the target server and the user and also generates a different session key for each server. The weaknesses of the Xie and Chen [9] scheme have been successfully removed by our scheme. The security analysis and comparison prove that the proposed remote user authentication scheme is efficient and secure, takes less time for the essential authentication operations, and resists the major attacks.