Abstract
Authenticated communication is an inevitable trend in the fourth industrial revolution. In a city, convenient administrative formalities should be quick, accurate and secure. There are many different public authorities with different functions, and a citizen needs to register with all of them and keep the various pieces of information corresponding to each service. Clearly, a single, central registration is necessary, because it stops us from repeatedly providing personal data to many places. In this work, we propose a provable elliptic curve cryptography-based authentication scheme for a multi-server architecture, in which a person registers with a trusted center once and becomes authorized to access all related service providers, which can leave and join at will without any effect on current users or on other providers. Our proposed scheme is suitable for many practical applications, such as smart cities or the Internet of Things.
Data availability
All data generated or analyzed during this study are included in this published article.
Acknowledgements
This study was funded by Vietnam National University, Ho Chi Minh City (VNU-HCM) under grant number C2021-18-21.
Ethics declarations
Conflict of interest
We have no conflicts of interest to disclose.
Appendices
Appendix A: Proofs of BAN-logic lemmas
Next, we present the full proofs of the remaining lemmas.
A.1 Lemma 2
If S believes that U believes its uid is shared successfully, and U completely controls the sharing of this uid, then S believes that U's uid is shared successfully.
Proof
Applying the jurisdiction rule with Lemma 1 and A\(_{4}\), we have
This completes the proof of Lemma 2. \(\square\)
A.2 Lemma 3
If U believes that k is shared with S and that its messages encrypted with k are fresh, then U believes that S believes its uid is shared successfully:
Proof
Applying the jurisdiction rule with A\(_{2}\) and M\(_{S}\), we have \(\frac{\textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{S}, \textit{U}\triangleleft \textit{M}_{S}}{\textit{U}|\equiv \textit{S}|\sim \textit{M}_{S}}\). Then, applying the freshness rule with A\(_{7}\), we have \(\frac{\textit{U}|\equiv \#(\textit{r}_{S}\times \textit{k}), \textit{U}|\equiv \textit{S}|\sim \textit{M}_{S}}{\textit{U}|\equiv \#\textit{M}_{S}}\). Combining these two results with the nonce-verification rule, we have \(\frac{\textit{U}|\equiv \textit{S}|\sim \textit{M}_{S}, \textit{U}|\equiv \#\textit{M}_{S}}{\textit{U}|\equiv \textit{S}|\equiv \textit{M}_{S}}\). Finally, applying the belief rule, we have \(\frac{\textit{U}|\equiv \textit{S}|\equiv \textit{M}_{S}}{\textit{U}|\equiv \textit{S}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{uid}}}{} \textit{S}}\). Hence the proposed scheme satisfies Lemma 3, and we can claim that both S and U believe their identities are shared successfully. The same reasoning applies to the session key, as shown in the following lemmas. \(\square\)
A.3 Lemma 4
If U believes that s\(_{j_X}\) is shared with S and that its messages encrypted with k are fresh, then U believes that S believes the session key sk is shared successfully.
Proof
Applying the message-meaning rule with A\(_{2}\) and M\(_{US}\), we have \(\frac{\textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{S}, \textit{U}\triangleleft \textit{M}_{US}}{\textit{U}|\equiv \textit{S}|\sim \textit{M}_{US}}\). Applying the freshness rule with A\(_{7}\) and M\(_{US}\), we have \(\frac{\textit{U}|\equiv \#(\textit{r}_{S}\times \textit{k}), \textit{U}\triangleleft \textit{M}_{US}}{\textit{U}|\equiv \#\textit{M}_{US}}\). Next, applying the belief rule, we have \(\frac{\textit{U}|\equiv \textit{S}|\sim \textit{M}_{US}, \textit{U}|\equiv \#\textit{M}_{US}}{\textit{U}|\equiv \textit{S}|\equiv \textit{M}_{US}}\). Applying the belief rule once more, we have \(\frac{\textit{U}|\equiv \textit{S}|\equiv \textit{M}_{US}}{\textit{U}|\equiv \textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U}}\). This completes the proof of Lemma 4. \(\square\)
A.4 Lemma 5
If U believes that S controls the sharing of sk, and S believes that sk is shared with U, then U believes that sk is shared.
Proof
Applying the jurisdiction rule with A\(_{3}\) and Lemma 4, we have \(\frac{\textit{U}|\equiv \textit{S}\Rightarrow \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}, \textit{U}|\equiv \textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U}}{\textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}}\). This completes the proof of Lemma 5. \(\square\)
A.5 Lemma 6
If S believes that k is shared with U and that its messages encrypted with k are fresh, then S believes that U believes sk is shared: \(\frac{\textit{S}|\equiv (\textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{U}, \textit{S}|\equiv \#(\textit{r}_{U}\times \textit{k}))}{\textit{S}|\equiv (\textit{U}|\equiv (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}))}\)
Proof
Applying the message-meaning rule with A\(_{6}\) and M\(_{US}\), we have \(\frac{\textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{U}, \textit{S}\triangleleft \textit{M}_{US}}{\textit{S}|\equiv \textit{U}|\sim \textit{M}_{US}}\). Next, applying the freshness rule with A\(_{8}\) and M\(_{US}\), we have \(\frac{\textit{S}|\equiv \#(\textit{r}_{U}\times \textit{k}), \textit{S}\triangleleft \textit{M}_{US}}{\textit{S}|\equiv \#\textit{M}_{US}}\). With these two results and the nonce-verification rule, we have \(\frac{\textit{S}|\equiv \textit{U}|\sim \textit{M}_{US}, \textit{S}|\equiv \#\textit{M}_{US}}{\textit{S}|\equiv \textit{U}|\equiv \textit{M}_{US}}\). Finally, using A\(_{6}\) and the belief rule, we have \(\frac{\textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{k}}}{} \textit{U}, \textit{S}|\equiv \textit{U}|\equiv \textit{M}_{US}}{\textit{S}|\equiv \textit{U}|\equiv \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}}\). This completes the proof of Lemma 6. \(\square\)
A.6 Lemma 7
If S believes that U controls the sharing of sk, then S believes that sk is shared with U successfully: \(\frac{\textit{S}|\equiv (\textit{U}\Rightarrow (\textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}))}{\textit{S}|\equiv (\textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U})}\)
Proof
With A\(_{5}\) and \(\textit{S}|\equiv \textit{U}|\equiv \textit{M}_{US}\), applying the message-meaning rule, we have \(\frac{\textit{S}|\equiv \textit{U}\Rightarrow \textit{U}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{S}, \textit{S}|\equiv \textit{U}|\equiv \textit{M}_{US}}{\textit{S}|\equiv \textit{M}_{US}}\). Finally, applying the belief rule, we have \(\frac{\textit{S}|\equiv \textit{M}_{US}}{\textit{S}|\equiv \textit{S}{\mathop {\leftrightarrow }\limits ^{\textit{sk}}}{} \textit{U}}\). This completes the proof of Lemma 7. Consequently, both S and U believe in sk. \(\square\)
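The derivations in Lemmas 2 to 7 are short enough to be checked mechanically. The following Python example is added here and is not code from the paper: it encodes the BAN rules used above (message-meaning, freshness, nonce-verification, jurisdiction and the belief rule) as forward-chaining inferences over tuple-encoded formulas and derives all six lemma conclusions from the premises. The assumptions A\(_{2}\) to A\(_{8}\), the Lemma 1 conclusion and the message model (which key encrypts M\(_{S}\) and M\(_{US}\), which fresh term they carry, and which key-sharing statement they assert) are reconstructed from the proof text and are assumptions of this example, not the paper's own table. It also goes slightly beyond the proofs by letting you drop one assumption and see which lemmas stop being derivable.

```python
"""Forward-chaining check of the BAN-logic lemmas in Appendix A.

Added worked example; it is not code from the paper. Formulas are tuples:
  bel(P, X)  = P |≡ X     sees(P, M) = P ⊲ M     said(Q, M) = Q |∼ M
  fresh(X)   = #(X)       ctrl(Q, X) = Q ⇒ X     shared(P, K, Q) = P ↔K Q
Assumptions A2..A8, Lemma 1 and the message model are reconstructed from the
proof text, so they are assumptions of this example, not the paper's table.
"""

def shared(p, k, q):
    return ('shared', k) + tuple(sorted((p, q)))   # P ↔K Q is symmetric

def bel(p, x):   return ('bel', p, x)
def sees(p, m):  return ('sees', p, m)
def said(q, m):  return ('said', q, m)
def fresh(x):    return ('fresh', x)
def ctrl(q, x):  return ('ctrl', q, x)

# Assumed message model: encrypting key, fresh term carried, statement asserted.
MESSAGES = {
    'M_S':  dict(key='k', contains={'r_S*k'},          states=[shared('U', 'uid', 'S')]),
    'M_US': dict(key='k', contains={'r_S*k', 'r_U*k'}, states=[shared('S', 'sk', 'U')]),
}

def apply_rules(facts):
    """One round of BAN rules; returns {new_fact: (rule_name, premises)}."""
    out = {}
    seen = [f for f in facts if f[0] == 'sees']
    for f in facts:
        if f[0] != 'bel':
            continue
        p, x = f[1], f[2]
        if x[0] == 'shared':                        # message-meaning rule
            k, q = x[1], (x[3] if x[2] == p else x[2])
            for s in seen:
                if s[1] == p and MESSAGES[s[2]]['key'] == k:
                    out[bel(p, said(q, s[2]))] = ('message-meaning', (f, s))
        elif x[0] == 'fresh':                       # freshness rule
            for s in seen:
                if s[1] == p and x[1] in MESSAGES[s[2]]['contains']:
                    out[bel(p, fresh(s[2]))] = ('freshness', (f, s))
        elif x[0] == 'said':                        # nonce-verification rule
            q, m = x[1], x[2]
            if bel(p, fresh(m)) in facts:
                out[bel(p, bel(q, m))] = ('nonce-verification', (f, bel(p, fresh(m))))
        elif x[0] == 'ctrl':                        # jurisdiction rule
            q, y = x[1], x[2]
            if bel(p, bel(q, y)) in facts:
                out[bel(p, y)] = ('jurisdiction', (f, bel(p, bel(q, y))))
        elif x[0] == 'bel' and x[2] in MESSAGES:    # belief rule: P|≡Q|≡M -> P|≡Q|≡X
            q, m = x[1], x[2]
            for y in MESSAGES[m]['states']:
                out[bel(p, bel(q, y))] = ('belief', (f,))
    return {k: v for k, v in out.items() if k not in facts}

def derive(premises, goals, max_rounds=20):
    """Saturate the fact set; return goal status and a proof map (fact -> rule, premises)."""
    facts, proof = set(premises), {}
    for _ in range(max_rounds):
        new = apply_rules(facts)
        if not new:
            break
        proof.update(new)
        facts.update(new)
    return {name: (g in facts) for name, g in goals.items()}, proof

PREMISES = [
    bel('U', shared('U', 'k', 'S')),                 # A2 (assumed)
    bel('U', ctrl('S', shared('U', 'sk', 'S'))),     # A3 (assumed)
    bel('S', ctrl('U', shared('U', 'uid', 'S'))),    # A4 (assumed)
    bel('S', ctrl('U', shared('U', 'sk', 'S'))),     # A5 (assumed)
    bel('S', shared('S', 'k', 'U')),                 # A6 (assumed)
    bel('U', fresh('r_S*k')),                        # A7 (assumed)
    bel('S', fresh('r_U*k')),                        # A8 (assumed)
    bel('S', bel('U', shared('U', 'uid', 'S'))),     # Lemma 1, taken as given
    sees('U', 'M_S'), sees('U', 'M_US'), sees('S', 'M_US'),
]
LEMMAS = {
    'Lemma 2': bel('S', shared('U', 'uid', 'S')),
    'Lemma 3': bel('U', bel('S', shared('U', 'uid', 'S'))),
    'Lemma 4': bel('U', bel('S', shared('S', 'sk', 'U'))),
    'Lemma 5': bel('U', shared('U', 'sk', 'S')),
    'Lemma 6': bel('S', bel('U', shared('U', 'sk', 'S'))),
    'Lemma 7': bel('S', shared('S', 'sk', 'U')),
}

def check_lemmas():
    """Which lemma conclusions follow from the full premise set."""
    return derive(PREMISES, LEMMAS)[0]

def check_without(premise_index):
    """Drop one premise (index into PREMISES) to see which lemmas still hold."""
    kept = [p for i, p in enumerate(PREMISES) if i != premise_index]
    return derive(kept, LEMMAS)[0]

if __name__ == '__main__':
    status, proof = derive(PREMISES, LEMMAS)
    for name, ok in status.items():
        rule = proof.get(LEMMAS[name], ('given',))[0]
        print(f"{name}: {'derived' if ok else 'NOT derived'} via {rule}")
```

Note that the engine reaches the Lemma 7 conclusion by applying the belief rule before the jurisdiction rule (i.e. through Lemma 6), rather than in the order written in the proof above; the conclusion is the same. Dropping A\(_{7}\) (index 5) removes U's freshness belief, so Lemmas 3, 4 and 5 are no longer derivable while S's side (Lemmas 2, 6, 7) is unaffected, which is exactly the dependency the proofs describe.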
Appendix B: The security definition
Here, we present the security definition and some security properties; both S\(_{j}\) and U\(_{X}\) are assumed to follow our scheme.
- Accepted: when S\(_{j}\) and U\(_{X}\) successfully compute the session key and receive the expected messages, we say that they are accepted.
- Partnered: S\(_{j}\) and U\(_{X}\) are partnered if and only if:
  1. both of them are accepted;
  2. pid\(_{U_X}\) = S\(_{j}\) and pid\(_{S_j}\) = U\(_{X}\);
  3. sid\(_{S_j, U_X}\) = sid\(_{U_X, S_j}\).
- Fresh: S\(_{j}\) and U\(_{X}\) are fresh if they satisfy three conditions:
  1. they are partnered;
  2. no secret information of U\(_{X}\) or S\(_{j}\) is leaked before they are accepted;
  3. no session key is leaked before they are accepted.
Next, we present the queries that A, a probabilistic polynomial-time adversary attacking our scheme P in the AKE-security sense, can launch:
- Execute query: with this query, A obtains all messages exchanged between two partners. We let q\(_{E}\) be the number of Execute queries and write sid\(_{S_j, U_X}\) \(\leftarrow\) Execute(U\(_{X}\), S\(_{j}\)) for the output of this query.
- Send query: with this query, A interacts with U\(_{X}\) or S\(_{j}\). We let q\(_{S}\) be the number of Send queries and write m-out \(\leftarrow\) Send(O\(^{i}\), m-in) for the input and output of this query, where O\(^{i}\) \(\in\) {U\(_{X}\), S\(_{j}\)}, m-in is the input message and m-out is the output message.
- Reveal query: with this query, A learns the sk of U\(_{X}\) and S\(_{j}\). We let q\(_{R}\) be the number of Reveal queries and write sk\(^{i}\) \(\leftarrow\) Reveal(O\(^{i}\)) for the output of this query, where O\(^{i}\) is fresh and O\(^{i}\) \(\in\) {U\(_{X}^{i}\), S\(_{j}^{i}\)}.
- Corrupt query: with this query, A learns secret information, such as a long-term key or master key, of U\(_{X}\) or S\(_{j}\). We let q\(_{C}\) be the number of Corrupt queries and write {UID\(_{X}\), B\(_{X}\)} \(\leftarrow\) Corrupt(U\(_{X}\), 1) and {smart-card} \(\leftarrow\) Corrupt(U\(_{X}\), 0) for the output of this query. Note that A learns only one of the two: either the smart card or {UID\(_{X}\), B\(_{X}\)}. As for S\(_{j}\), A can learn {r\(_{j}\), ASID\(_{j}\)}.
- Hash query: with this query, A submits a value m and receives a random value r. If m is a new message, O\(_{Hash}\) returns a fresh random number r; otherwise, it returns the previously generated r. We let q\(_{H}\) be the total number of hash queries and write r \(\leftarrow\) Hash(O\(_{Hash}\), m) for the output of this query. Note that this description is a general guide covering all hash functions used in our scheme.
Theorem 1
Within time t\(_{A}\), if A cannot predict the correct session key of another fresh O\(^{i}\), the proposed scheme P is AKE-secure. Let Adv\(_{P}^{AKE}\)(A, t\(_{A}\)) be A's advantage in breaking the AKE-security of P within an appropriate time t\(_{A}\), where A uses at most q\(_{H}\), q\(_{S}\), q\(_{E}\), q\(_{R}\) and q\(_{C}\) queries and q\(_{H}\) > q\(_{S}\) = q\(_{E}\) = q\(_{R}\) = q\(_{C}\). We require Adv\(_{P}^{AKE}\)(A, t\(_{A}\)) to be negligible: Adv\(_{P}^{AKE}\)(A, t\(_{A}\)) \(\le\) \(\epsilon\) (\(*\))
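To make the accepted/partnered/fresh definitions and the query bookkeeping of Appendix B concrete, the following Python example is added here; it is not code from the paper and does not implement the scheme itself. It models oracle instances O\(^{i}\) with pid, sid, sk and event timestamps on a logical clock, the Execute, Reveal, Corrupt and Hash queries with their counters q\(_{E}\), q\(_{R}\), q\(_{C}\), q\(_{H}\) (Send is omitted), a memoising random oracle for Hash, and the partnered and fresh predicates read literally from the three conditions above. The transcript bytes and the way sid and sk are derived from the hash oracle are constructed for illustration; Corrupt returns only the labels of what leaks, since this example tracks the model, not the scheme's secrets.

```python
"""Bookkeeping for the AKE model of Appendix B.

Added worked example, not code from the paper: instances, the Execute /
Reveal / Corrupt / Hash queries with counters, and the accepted, partnered
and fresh predicates. Transcript bytes and the sid/sk derivation are
constructed for illustration; Send is not modelled.
"""
import os
from dataclasses import dataclass
from typing import Optional

@dataclass
class Instance:
    """One oracle instance O^i (U_X or S_j) with its event timestamps."""
    name: str
    pid: Optional[str] = None           # partner identity
    sid: Optional[bytes] = None         # session identifier
    sk: Optional[bytes] = None          # session key
    accepted_at: Optional[int] = None   # logical time of acceptance
    revealed_at: Optional[int] = None   # logical time of a Reveal query
    corrupted_at: Optional[int] = None  # logical time of a Corrupt query

class AKEGame:
    def __init__(self):
        self.clock = 0                        # logical clock for "before accepted"
        self.hash_table = {}                  # random-oracle memo: m -> r
        self.q = dict(H=0, E=0, R=0, C=0)     # counters q_H, q_E, q_R, q_C

    def _tick(self):
        self.clock += 1
        return self.clock

    def hash_query(self, m: bytes) -> bytes:
        """Hash query: fresh random r for a new m, the same r for a repeated m."""
        self.q['H'] += 1
        if m not in self.hash_table:
            self.hash_table[m] = os.urandom(32)
        return self.hash_table[m]

    def execute(self, u: Instance, s: Instance) -> bytes:
        """Execute query: honest run; both accept with matching pid/sid and the
        same sk, and A receives the transcript (here, the sid)."""
        self.q['E'] += 1
        transcript = b'|'.join([u.name.encode(), s.name.encode(), os.urandom(16)])  # constructed
        sid = self.hash_query(b'sid' + transcript)
        sk = self.hash_query(b'sk' + sid)
        t = self._tick()
        u.pid, u.sid, u.sk, u.accepted_at = s.name, sid, sk, t
        s.pid, s.sid, s.sk, s.accepted_at = u.name, sid, sk, t
        return sid

    def reveal(self, o: Instance):
        """Reveal query: A learns o's session key (None if o has not accepted)."""
        self.q['R'] += 1
        o.revealed_at = self._tick()
        return o.sk

    def corrupt(self, o: Instance, flag: int):
        """Corrupt query: returns the labels of what leaks, per the definition.
        Corrupt(U_X, 1) -> {UID_X, B_X}; Corrupt(U_X, 0) -> {smart-card};
        for S_j -> {r_j, ASID_j}."""
        self.q['C'] += 1
        o.corrupted_at = self._tick()
        if o.name.startswith('S'):
            return {'r_j', 'ASID_j'}
        return {'UID_X', 'B_X'} if flag else {'smart-card'}

def accepted(o: Instance) -> bool:
    return o.accepted_at is not None and o.sk is not None

def partnered(a: Instance, b: Instance) -> bool:
    """Conditions 1-3 of 'partnered': both accepted, mutual pids, equal sids."""
    return (accepted(a) and accepted(b)
            and a.pid == b.name and b.pid == a.name
            and a.sid == b.sid)

def fresh(a: Instance, b: Instance) -> bool:
    """Conditions 1-3 of 'fresh', with 'before accepted' read on the logical clock."""
    if not partnered(a, b):
        return False
    for o in (a, b):
        if o.corrupted_at is not None and o.corrupted_at < o.accepted_at:
            return False   # secret information leaked before acceptance
        if o.revealed_at is not None and o.revealed_at < o.accepted_at:
            return False   # session key leaked before acceptance
    return True

if __name__ == '__main__':
    g = AKEGame()
    u, s = Instance('U_X'), Instance('S_j')
    g.execute(u, s)
    print('partnered:', partnered(u, s), 'fresh:', fresh(u, s))
    u2, s2 = Instance('U_X'), Instance('S_j')
    g.corrupt(u2, 0)            # smart card leaks before the run
    g.execute(u2, s2)
    print('after early Corrupt -> fresh:', fresh(u2, s2), 'counters:', g.q)
```

The predicate encodes the three freshness conditions exactly as the appendix states them, so a leak is only disqualifying when its timestamp precedes acceptance; a tampered or mismatched sid fails the partnering test even when both sides have accepted.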
Cite this article
Truong, TT., Tran, MT., Duong, AD. et al. Provable user authentication scheme on ECC in multi-server environment. J Supercomput 79, 725–761 (2023). https://doi.org/10.1007/s11227-022-04641-x