1 Introduction

Cloud couputing is the most promising paradigm in recent years. It contributes in the appearance and the evolution of new concepts and technologies. It offers on demand a fragrance of measured services accessible through heterogeneous platform and devices. Cloud users outsource their assets to remote cloud servers. Preserving privacy and fine-grained access are important concerns in security fields. We mean by privacy the fact that an eavesdropper cannot intercept exchanged messages. To do so, cloud provider should ensure anonymity and untraceability for users. Authentication ensures that unauthorized user cannot fraudulently access to cloud services.

Authentication protocols can be regrouped to four main fields namely password, cryptography, biometric, and smart cards. All these approaches deal with some limitations due to the capabilities of public and remote environments. In our work, we will focus only in authentication method based on smart cards. Smart cards are considered as a secure micro-controllers that can support cryptographic and storage operation. These cards are increasingly used in information technology and in everyday life. They assure exchange and authentication without using a password management server. Smart cards offer a strong authentication solution. It is considered two-factor by the way that a user should know authentication credentials and should also have the chips. Despite these advantages, smart cards suffer from low computational capacity. Moreover, public key authentication solutions are not supported. It is necessary to apply a low computational method based mainly on hash functions and symmetric encryption operations. For the opportunities offered by these cards, we propose in this work a new anonymous, lightweight, secure, efficient, and smart-card-based authentication and key agreement protocol that withstand various known attacks.

In this paper, we first analyze Huang et al.’s authentication method, and we find that this scheme in insecure against impersonation attacks. It does not ensure anonymity and consequently privacy. Finally, Huang does not detail the possibility of revoking smart cards in case of lost or theft. Then, we propose a new two-factor scheme as an extension of drawbacks raised in Huang solution. Finally, we prove our proposal in terms of security and performance.

The rest of the paper is structured as follows. In Sect. 2, we discuss some related works in remote cloud computing environment. Section 3 studies some preliminaries. Section 4 details the proposed solution. Section 5 provides a formal and informal security verification and validation. Section 6 evaluates the performance of the proposed solution. Brief summary and concluding remarks are presented in sect. 7.

2 Related work

In the literature, many authentication approaches are used such as passwords, tokens, digital signatures, smart cards, biometrics. Single-factor authentication (SFA) is a way of using only one category of these approaches.

As first attempt in research field, authors use identity and password [1,2,3] in authentication process. When a cloud user want to access, he sends the identity and the password to cloud server. If the request matches with one of the available records in the authentication database, user will be identified and access is authorized. In order to secure the authentication request, a hash function is used to slat the user password. Single-factor mechanisms are not strong, and it presents in the most of case a security hole for launching attacks such as offline/online guessing attacks.

Image-based authentication systems [4,5,6] deal with some mathematical transforms, codes and selections. Authors combine sometimes fractional Fourier transform (FFT) or wavelet packet transform (WPT) and other times Hamming code technique, graphics and image selection with one-time password (OTP). These works offer an efficient and strong authentication solution. Yet, they provide only user authentication mechanisms and does not deal with key agreement between Cloud user and server. As a result, they does not ensure mutual authentication.

Smart cards present a strong authentication model due to the hardness of reveling keys and secrets because they are protected logically and physically. In the literature, a wide number of authentication methods based on smart cards have been proposed. In the case of cloud computing, a cloud server embeds the authentication parameters into a smart car, and then delivers it to the cloud user. Authors in [7] discuss smart card-based authentication scheme. They identify and classify several attacks launched in proposed solution in research fields.

To resolve the issues related to smart cards, DAS proposed in [8] a two-factor authentication model for wireless sensor network (WSN). For this purpose, he uses both password and smart card. He proves that this solution improves security and communication cost but it presents a start point of discussions and works in this field. Papers [9, 10] identify that DAS’s scheme suffers from several security issues namely password-guessing attack, impersonation attack, and insider attack.

In 2018, Preeti in [11] relies on Rabin cryptosystem which is based on prime integer factorization. This solution is proved efficient in the terms of performance evaluation. It improves smart card storage cost, communication and computation cost and execution time. Yet, in term of security, the Rabin cryptosystem-based solutions are not yet proved indistinguishable against chosen plaintext attacks.

In [12], authors work on preserving user anonymity in a lightweight two-factor authentication protocol. This solution ensures that the proposed scheme provides the session key (SK) security and resolves the problem of offline password-guessing attacks. In 2018, Trupil [13] reviews Nikooghadam et al.’s scheme and proves that it suffers from replay, password-guessing, and insider attack. Trupil improves the authentication system by the remedy of these attacks.

Elliptic curve cryptography (ECC) provides an efficient solution for the improvement of authentication models. It provides the same security level compared to existing solutions under the constraint of reducing key length and computational cost. For example, 160-bit ECC offers the same security level compared to 1024-bit RSA. Consequently, it is highly deployed in cloud computing environment. For these reasons, we will review in this section different works proposing two-factor authentication solutions based on ECC.

Juan et al. proposed in [14] a password and smart card authentication solution with key agreement using elliptic curve. This proposal overcomes many security weaknesses. However, several works provide a cryptanalysis of this solution and prove that it does not withstand some security attacks. In 2015, Huang et al. [15] showed that Juan’s solution suffers from impersonation, smart card loss, and password-guessing attacks. They propose a new enhanced key agreement solution for authentication. In 2016, Chaudhry et al. [16] demonstrated that this scheme has a correctness issues. Furthermore, they suggested an improved solution to overcome the security issues. In addition, Maitra et al. proposed an extension of Huang proposal to solve some issues [17]. They present an ECC-based mutual authentication scheme. The proposed solution ensures efficient login and authentication phases and makes possible password update. Unforntantly, Wang et al. showed that solution proposed in [17] does not resist offline password-guessing attack and insider attack, and it does not ensure perfect forward secrecy. To overcome those issues, Wang et al. [18] proposed an improved construction integrating the discrete logarithm problem with RSA cryptosystem to achieve security goals. In 2019, authors in [19] analyzed Wang solution [18] and showed that two majors security attributes are not verified namely resisting to offline password-guessing attack and impersonation attack. Consequently, an extension based on elliptic curve cryptography (ECC) was proposed. Authors assume that all exchanged messages in registration, authentication, and login phases are sent over a public communication channel. Yet, the proposed solution greatly increases communication and computation cost.

Independently, Chou et al. [20] dealt with the problem of secure communication between interactive parties. Authors apply elliptic curve cryptosystems in a two-identity key agreement and exchange solution. In 2014, Farash et al. [21] showed that chou’s solution is vulnerable to impersonation and key-compromise attacks. They propose an improved identity-based scheme based on ECC and resolve these issues. Lu et al. [22] enhanced the security issues presented in Farash’s solution. They proposed an improved anonymous scheme based on ECC to eliminate key-compromise masquerading and off-line guessing attacks.

However, these previous solutions does not ensure privacy and user anonymity. Memon et al. [23] ensured user location privacy by using asymmetric cryptography scheme. They propose an anonymous communication for location

based service. In 2016, work [24] proved that Memon’s solution is insecure against compromised impersonation and insider attack. It provides an imperfect mutual authentication. Consequently, Reddy et al. [24] implemented an enhanced secure and two-factor authentication protocol. This solution provides a perfect mutual authentication with key-agreement phase. Xi et al. [25] proposed the use of a dynamic user ID in two-factor authenticated solution. They introduce in addition revocation and password update algorithms. Authors claimed that their solution ensures user anonymity and overcomes smart card loss attack.

In recent years, the use of smart card-based systems for mutual authentication and key agreement solution devolves considerably. This approach is applied in various fields in particular telecare medical information systems [26], Internet of Thing (IoT) [27, 28], etc. For this reason, hardware producers work to improve devices and make keyboards with built-in card readers.

In summary, the use of smart cards, Elliptic-curve and others cryptography operations in authentication protocols for remote computing environment presents a promising axis in research fields. It improves significantly security and provides key agreement approaches. Yet, they require a third party between cloud user and the cloud server. For this reason, the communication and computation overhead of the overall system is substantially higher. We add also that such system does not preserve privacy for users. It tracks some sensitive information such as identity and location that maybe deployed by attackers. In order to resolve the aforementioned issues, we will implement an efficient authentication and key agreement solution for cloud computing.

3 Elliptic curve cryptography

An elliptic curve \(E: y^2 = x^3+ ax + b\) mod p represents the set of limited keys \(E_p(a,b)\) that adjust the discriminant \(\Delta = 4a^3+ 27b^2\) mod p. Given P a specified point in Keys solution and n a multiplier, the scalar multiplication is computed as P.n = P +P + P+.....+P (n times).

The strength of ECC security comes back to these following mathematical problems:

  1. 1.

    Given P and Q two arbitrary points \(\in E_p(a,b)\), the elliptic curve computational Diffie–Hellman logarithm problem (ECDLP) is to find an integer n \(\in\) \(Z^*_p\) such that P = n Q.

  2. 2.

    Given three points P, n.P and m.P \(\in E_p(a,b)\) for n and m \(\in\) \(Z^*_p\) , the computational Diffie–Hellman problem (CDLP) is to find the point (mn)P \(\in E_p(a,b)\).

  3. 3.

    Given two points P and Q, with Q = n.P + m.P \(\in E_p(a,b)\) the elliptic curve factorization problem (ECFP) is to find two points n.P and m.P.

For the purpose of security analyses of Huang protocol, we expose valid assumptions used in authentication model. We will use the common adversial model used in [29, 30].

Definition 1

The adversary A can control all messages transmitted through public communication link. A can intercept, interrupt, delete, modify, and retransmit a new forged message.

Definition 2

Adversary A can retrieve the smart card information by conducting power consumption monitoring methods.

Definition 3

The registered user always uses dictionary word to define password and identity. \(The adversary \mathtt{A}\) cannot retrieve user identity and password within polynomial time even if he can intercept h(ID||PW). Based on work in [30], the probability of guessing user password is \(\frac{1}{2^{6n}}\) with n presents the number of password characters.

Definition 4

In cryptography, we assume that secret key and random are large enough. Consequently, A cannot guess these information in polynomial time.

Definition 5

Let \(B = B_1 \oplus B_2\). A cannot find \(B_1\) and \(B_2\) in polynomial time even if he can retrieve the value of B.

After analyzing Huang et al.’s authentication protocol and based on solution proposed in [17], we deduce that the scheme is exposed against impersonation attack and suffer from incorrect notion of perfect anonymity. Let A be a malicious user. After registration, A performs following steps:

Step 1:

Let A a smart card with \(AID_{{A }}; \;\;BID_{{A }}\) and \(r_{{A }}\). By using \(PW_{{A }}, ID_{{A }}\) and the stored values in the smart card, the adversary computes \(TID_{{A }}\) = \(AID_{{A }}\) - \(H_1\) \((PW_{{A }}\) || \(ID_{{A }}||r_{{A }})\) .O and \(XID_{{A }}= TID_{{A }}\). \(H_1\) \((PW_{{A }}\) \(||ID_{{A }}||\) \(r_{{A }})^{-1}\) \(= H_1(msk) \times O\) .

Step 2:

The adversary firstly selects a random y and computes Y = y \(\times\) O. Then, A he computes \(M_A\) = y.mpk, \(CID_A\) = \(H_4(ID_{cu}||\) \(M_A )\) \(\oplus H_2(M_A\) \(||TID_A ),\) \(EID_A\)= \(H_3(H_4(ID_{cu}||\) \(M_A )||\) \(Y||M_A )\). Next, he selects an arbitrary number alea with the same length of hash function \(H_1\) and computes \(DID_A\) \(= M_A \oplus alea \times O\). Finally, he sends \(\langle CID_A , DID_A , EID_A , Y \rangle\) to cloud server.

Step 3:

The server will compute in turn these following equations: \(M^{\prime} _A =Y.mpk, alea.O= DID_A .M^{\prime} _A ,\) \(TID^{\prime} _A = H_1(msk).(DID_A \oplus M^{\prime} _A ) , H_4(ID_{cu}||\) \(M_A )=\) \(CID_A \oplus\) \((M^{\prime} _A\) \(||TID^{\prime} _A )\) and \(EID^{\prime} _A =H_3(H_4(ID_{cu}||\) \(M_A )||\) \(Y||M^{\prime} _A )\)

Step 4:

The cloud server verifies \(EID^{\prime} _A {\mathop {=}\limits ^{?}} EID_A\). If it holds, it generates a random number \(r_A\) and computes \(R_A = r_A \times Y, T=(R_A \oplus M_A ), H_A = H_3(EID^{\prime} _A || R_A ||\) \(TID^{\prime} _A )\). Finally, it sends to the user \(R_A\) and \(H_A\).

Step 5:

The adversary will compute \(T^{\prime} _A\)= \(R_A \oplus M_A\) and \(H^{\prime} _A = H_3(EID_A ||T^{\prime} _A\) \(||TID_A )\).

Conclusion The adversary A has impersonated successfully the server. It succeeded in the phase of negotiation and generation of a shared session key based on the identity of the user cu. This key is computed as follows: SK = \(H_5(R_A ||Y||M_A ||TID_A )\). We add also that user’s authentication credentials are not protected efficiency. A malicious user can intercept the user identity. Hence, anonymity and privacy are not ensured. Finally, we add also that the aforementioned solution does not deal with the case of smart cards lost or theft. They does not propose a revocation algorithm.

4 Proposed smart card-based authentication scheme description

In this section, we will propose an improvement of the solution proposed in [15]. Our construction is composed by five main algorithms in particular setup, registration, mutual authentication, password update and card revocations. To do so, we will expose notations used in these algorithms. After that, we expose security requirements. Finally, we develop all algorithms.

4.1 Security requirements

In our construction, we define these assumptions.

  • We assume that in registration phase cloud server and cloud user are honest.

  • In registration phase, all information provided by both parties are correct and trusted.

  • In registration phase, the channel assuring communication between user and server is secure.

  • In authentication phase, the channel assuring communication between user and server is no longer secure.

  • Smartcards and communications standards are secure.

  • Both server and user should authenticate each others before authorizing access.

  • Cloud sever must not get the user password in any condition.

  • In password update phase, the cloud user can change at any time the password seamlessly without informing the cloud server.

  • Any password in a correct format should be taken.

4.2 Notations

Some notations related to elliptic curve and cryptography of our solution are announced in Table 1.

Table 1 Notations
Full size table

4.3 Setup phase

This algorithm generates public and secret parameters used in other algorithms. It outputs master secret key, public key, and fuzzy parameter.

Step 1:

Fix on an elliptic curve \(E_q\) over a finite field \(F_p\).

Step 2:

Choose a master key \(s_k\) \(\in Z_q^*\) and compute the public parameter PP = \(s_k\) \(P_g\).

Step 3:

Publish public parameters \(\langle F_p, E_q, P_g, PP, G, h\rangle\) and kept in secret master key \(s_k\) .

Step 4:

Select a fuzzy parameter fuzzy \(\in \left[ 2^{4}, 2^{8} \right]\). This value extends classical Boolean logic with partial truth values. We use this parameter to have a wide set of real instead of 0 and 1. Thereafter, fuzzy allows to increase the complexity of computation.

4.4 Registration phase

In this section, we expose bidirectional exchange information between a cloud user with identity \(ID_u\) and a remote cloud server. Figure 1 exposes the different corresponding steps.

Step 1:

The user selects a random \(r_i\) and computes \(PW=h(r_i\parallel PASS_u)\) in order to ensure collusion and preimage resistance.

Step 2:

Remote cloud server chooses a random \(b_i\). It stores the registration time \(T_i\), the user identity \(ID_u\), the random \(b_i\) and the smart card number \(ID_{card}\).

Step 3:

Remote cloud server computes \(A_1=h(h(ID_u\parallel b_i \parallel T_i \parallel ID_{card})\) mod fuzzy) \(\oplus\) PW. It sends a smart cart to cloud user containing \(\langle A_1, ID_s, h(),\) \(P_g, PP, fuzzy \rangle\)

Step 4:

Cloud user computes and stores into smart card \(A_2 = r_i \oplus h(ID_u)\parallel PW)\) mod fuzzy.

Fig. 1
figure 1

Proposed registration algorithm

Full size image
Fig. 2
figure 2

Proposed login and authentication algorithm

Full size image

4.5 Authentication phase

Figure 2 illustrates the steps of login and authentication of the proposed solution. In our protocol, we divide this party to three sub-algorithms. First, the cloud user uses his smart card and sends an authentication request to the remote cloud server. Then, the cloud server verifies the legitimacy of the received request. Finally, both parties will generates a shared session key after mutual authentication and key negotiation.

4.5.1 Cloud user CU login request

The credentials of a user u are composed by an identity and a password, respectively, noted by \(ID_u\) and \(PASS_u\).

Step 1:

The cloud user inserts a smart card.

Step 2:

The card should compute \(A_2^{*} = r_i \oplus h(ID_u \parallel PW)\) mod fuzzy.

Step 3:

It compares \(A_2^{*}\) and \(A_2\) delivered by the cloud user. If equal, the user will be accepted. Else authentication process is canceled and an error message will be sent.

Step 4:

The card selects a random \(r_m \in Z_q^*\). Three components should be computed : \(B_1 = r_m P_g, B_2 = r_m PP, B_3 = B_1 + B_2, C_1= A_1 \oplus PW, PID_u=(ID_u\parallel C_1) \oplus h(B_1 \parallel B_3)\) and \(C_2= h(ID_u\parallel B_2 \parallel PID_u)\)

Step 5:

Cloud user constructs and sends a login request \(\lbrace PID_u, B_1, C_2\rbrace\).

4.5.2 Cloud server login response

The cloud server uses its secret key \(s_k\) to compute some values.

Step 1:

It determines \({B_2}^{\prime} = S_k B_1\) , \({B_3}^{\prime} = B_1 + {B_2}^{\prime}\) , \(({ID_u}^{\prime} \parallel {C_1}^{\prime} )= PID_u \oplus h(B_1 \parallel {B_3}^{\prime}\) and \({C_2} ^{\prime} = h({ID_u}^{\prime} \parallel {B_2}^{\prime} \parallel PID_u )\)

Step 2:

Cloud server checks if \({C_2}^{\prime} {\mathop {=}\limits ^{?}} C_2\). If it is not, it aborts the current session.

Step 3:

Otherwise, it authenticates the user and finds the record \(\langle T_i, B_i, ID_{card} \rangle\). The cloud server computes \({C_1}^{\prime} = h(ID_u \parallel b_i \parallel T_i \parallel ID_{card})\) mod fuzzy. Finally it checks \({C_1}^{\prime} {\mathop {=}\limits ^{?}} C_1\). If it is not, it terminates the session

Step 4:

Else, it chooses a random \(r_s \in Z_q^*\) and sets D = \(r_s P_g\), \(K_1\) = \(r_s B_1\), \(Sk_1\) = h(\({ID_u} ^{\prime} \parallel ID_s \parallel {B_2} ^{\prime} \parallel D \parallel K_1 )\) and \(C_3 = h({ID_u}^{\prime} \parallel ID_s \parallel {B_1}^{\prime} \parallel {B_2} ^{\prime} \parallel D \parallel K_1)\)

Step 4:

Cloud server sends \(\langle\) D, \(C_3 \rangle\) to cloud user CU.

4.5.3 Mutual verification and session key negotiation

In this section, cloud user and cloud server will exchange and verify credentials.

  • The user computes \(k_2 = r_m D\), \(C_3^{\prime} = h(ID_u\parallel ID_s \parallel B_1 \parallel B2 \parallel D \parallel k_2)\)

  • He compares \(C_3^{\prime}\) to \(C_3\). If equal, he computes \(SK_2 = h(ID_u \parallel ID_s \parallel B_2 \parallel D \parallel K_2)\) and \(C_4= h(ID_U\parallel ID_s \parallel B_2 \parallel D \parallel K_2 \parallel SK_2)\). He sends only \(C_4\) to cloud server. Else, session is aborted.

  • In turn, cloud server will compute \(C_4^{\prime} = h(ID_u^{\prime} \parallel ID_s \parallel B_2^{\prime} \parallel K_1 \parallel SK_1)\).

  • If the received value and the computed one do not match, then session key is refused. Otherwise, it sets up \(SK_1\) = \(SK_2\) = \(h(ID_u \parallel ID_s \parallel B_2 \parallel D \parallel K_1)\) and the latter will be considered as the shared session key.

4.6 Update phase

Update phase consists of modifying user password. The cloud user should insert the smart card and key \((ID_u, PASS_u)\).

Step 1:

The card computes \(A_2^{\prime} = r_i \oplus h(ID_u \parallel (h(r_i\parallel PASS_u))\)

Step 2:

It checks \(A_2 {\mathop {=}\limits ^{?}} A_2^{\prime}\). If not, the request will be rejected else the user inputs a new password \(PASS^{new}\).

Step 3:

The smart card replaces \((A_1, A_2)\) by \((A_1^{new}\), \(A_2^{new})\). To do so, it firstly computes \(PW^{new}\) = \(h(r_i\parallel PASS^{new})\), then he sets \(A_1^{new}\)= \(A_1\) \(\oplus PW^{\prime}\) \(\oplus PW^{new}\) and finally, it computes \(A_2^{new}= r_i \oplus h(ID_u\parallel PW^{new})\) mod fuzzy.

4.7 Card revocation phase

For one reason or another, a cloud user can revoke its smart card. First, he must authenticate and send revocation request to the cloud server. This request should contain user ID, \(B_1\) and \(C_2\). In turn, cloud server sets registration values to NULL. Strictly speaking, the registration time \(T_i\), the random number \(b_i\) and the card number \(ID_{card}\).

5 Security analyses

In this section, we will provide security validation formally and informally. In informal validation, we will use authentication key exchange model (AKE) and SCYTHER tool. In informal validation, we will discuss some security requirements and adversary games.

5.1 Formal validation

In this section, we develop formal validation based on AKE model and by using Scyther tool.

5.1.1 Authentication Key Exchange (AKE) security model

In this section, we provide a formal security analysis of our solution based on a random oracle model [31]. We will adjust the security model proposed in [32] to adapt it to our scheme. All the participants are modelled as probabilistic polynomial time (PPT) Turing machines. The \(i^{th}\) instance of a participant \(\mathtt {P}\) is denoted by Pi. The adversary \(\mathtt {A}\) can make the following oracle queries:

Execute:

This oracle query harvests the passive eavesdrop ability of the adversary. \(\mathtt {A}\) will capture all the public transcripts of Pi.

Send:

Contrary to the execute query, the latter can capture the active attack ability of the adversary. \(\mathtt {A}\) injects a modified or forged message m into an instance Pi. The participant instance Pi will generate a message m+1 after receiving the message m. Consequently, \(\mathtt {A}\) will capt it.

Corrupt-pass:

By this query, the adversary \(\mathtt {A}\) can corrupt the cloud user’s password. It cannot take control or compromise the victim credential.

Corrupt-cred:

In this case, \(\mathtt {A}\) can extract and corrupt the credential delivered by the agent and control the user’s terminal. It can have any idea about the password.

Reveal:

This query is used to find out whether the instance Pi has a session key or not. If the instance accepts the query, it outputs a session key and the adversary will corrupt it. Otherwise, it generates the symbol \(\perp\).

Test:

This query tests the strength of the session key security in an instance Pi. In turn, it sends a Boolean result. If “1”, the instance will return to the adversary a real session key ELSE the simulator generates a random session key. The adversary should guess if the received key is the current one or a random delivered from the simulator.

Theorem 1

Let’s S our proposed cloud computing authentication scheme and P the password space. Suppose that all passwords follow the Zipf’s law as frequency distribution and \(\mathtt {A}\) is a probabilistic polynomial time (PPT) adversary. We assume that \(\mathtt {A}\) sends a huge number of send queries

\(send_{max}\) with execution time \(t_{send}\). The ability of an adversary to break AKE security of the above configuration is modeled as follows: \(ADV^{AKE}_{\mathbf{S },\mathbf{P }}(\mathtt {A})\).

Let’s our scheme hash function behaves like a random oracle and the signature scheme is unforgeable against adaptive chosen message attacks. Under the difficult assumption of CDH problem, we have:

$$\begin{aligned} ADV^{AKE}_{\mathbf{S },\mathbf{P }}(\mathtt {A})\le C.send_{max}^{c'}.\varepsilon (l) \end{aligned}$$
(1)

Proof

In order to proof theorem 1, we eject seven experiment \(EXP_{i}\) (with i=0,1,2,3,4,5,6). In each experiment, the adversary \(\mathtt {A}\) will launch a Test query to guess a real bit. The event of collecting a correct bit is denoted by \(EV_i\) and the corresponding probability is Pr \(\left[ EV_i \right]\). \(\square\)

  • Experiment 0 This experiment launches a real attack scenario under a random oracle model similar to [32] security evaluation model. Consequently, the adversary advantage is:

    $$\begin{aligned} ADV^{AKE}_{\mathbf{S },\mathbf{P }}(\mathtt {A})=Pr\left[ EV_0 \right] \end{aligned}$$
    (2)

  • Experiment 1 This experiment, we simulate the hash function h() and it elaborates a hash list \(List_h\). Since hash function can be simulated perfectly in a probabilistic polynomial time, the probability of this experiment is indistinguishable from experiment 1. Thus, we have

    $$\begin{aligned} \vert Pr\left[ EV_1 \right] -Pr\left[ EV_0 \right] \vert \le \varepsilon (l) \end{aligned}$$
    (3)

  • Experiment 2 In this experiment, we eliminate all sessions in which a collision event takes place. If random oracle queries can collude with current session during the simulation of hash function or transcript of the following outputs \(\lbrace\) \(PID_u\),\(B_1\),\(C_2\), C,\(C_3\), \(C_4\) \(\rbrace\), the adversary \(\mathtt {A}\) wins the game. To define the advantage of \(\mathtt {A}\), we call the birthday paradox. Consequently, we have:

    $$\begin{aligned} \vert Pr\left[ EV_2 \right] -Pr\left[ EV_1 \right] \vert \le \varepsilon (l) \end{aligned}$$
    (4)

  • Experiment 3 In this experiment, we use a hash function \(h^{\prime} ()\) instead of h() in order to guess the session key in passive session. A passive session in which Diffie–Hellman keys are removed and collisions in hash function and transcripts are ruled out. In our case, \(K_1\) and \(K_2\) are removed from \(SK= h^{\prime} (ID_u||ID_s||D||B_2||D)\) and \(C_3 = h^{\prime} (ID_u||ID_s|| B_1||B_2||D)\). The adversary \(\mathtt {A}\) can distinguish the experiment 2 and 3 only if he can computes \(K_1\) and \(K_2\) and sends a query \((ID_u||ID_s||D||B_2||D||K_1)\) to oracle hash function. Seen that we have a CDH problem, this assumption is computationally hard.

Proof

Given a CDH instance (A,B), we can use the self-reducibility problem to simulate passive session. Let’s \(a_0, b_0, a_1, b_1 \in Z^{*}_p\) , for each passive session we set \(X=a_0A+b_0P_g\) and \(Y=a_1B+b_1P_g\) where (\(P_g\) is the generator of an additive cyclic group). If the adversary \(\mathtt {A}\) can deliver \(\frac{K_1- (a_0b_1A) -(a_1b_0B) - (b_0b_1P_g)}{a_0a_1}\) as an answer to (A,B) and distinguish the experiment 3 and 2 with non-negligible advantage we have :

$$\begin{aligned} \vert Pr\left[ EV_3 \right] -Pr\left[ EV_2 \right] \vert \le \varepsilon (l) \end{aligned}$$
(5)

\(\square\)

  • Experiment 4 In this case, an adversary have to guess the secret key \(k_2\) in order to impersonate the cloud user. Consequently, it will construct \(C^{\prime} _4 = h(ID_u||\) \(ID_s\) || \(K_2||SK_2)\) (we speak about an active session). If \(C^{\prime} _4\) and \(C_4\) are equals, the cloud server will return a record \((\lbrace PID_u , B_1, C_2 \rbrace , \lbrace D, C_3 \rbrace , \lbrace c_4 \rbrace )\). Due to the hardness of CDH problem, we have:

    $$\begin{aligned} \vert Pr\left[ EV_4 \right] -Pr\left[ EV_3 \right] \vert \le \varepsilon (l) \end{aligned}$$
    (6)

  • Experiment 5 In this experience, an adversary will handle the active session and guess \(k_1\) without asking the hash query. He will send to the cloud user the values of \((D, C_3)\). To do so, we modify the sent query and we search in the hash list any record \((\star ||ID_u||\star ||k_1)\). If the result is \(\perp\) the game finishes else the session key and \(C_3\) are computed as follows: \(SK=h(ID_u||ID_s||B_2||D||k_1)\), \(C_3 = h(ID_u|| ID_s||B_1||B_2||D||k_1)\). If the adversary \(\mathtt {A}\) can guess the secret \(k_1\) without using the hash function h(), he wins with the probability of:

    $$\begin{aligned} \vert Pr\left[ EV_5 \right] -Pr\left[ EV_4 \right] \vert \le \varepsilon (l) \end{aligned}$$
    (7)

  • Experiment 6 In the last experiment, we modify another time the send query. When Send (CS, \(\lbrace PID_u,\) \(B_1,\) \(C_2\rbrace\)) query is ejected, the cloud server should compute \(ID_u, C_1, C^{\prime} _2, B_2 and B_3\). Then, it verifies that \(C^{\prime} _2\) and \(C_2\) are equals. If the submitted query is correct, the adversary \(\mathtt {A}\) wins. Based on previous experiment, we announce that the success probability of forging authenticator \(C_2\) is negligible.

    $$\begin{aligned} \vert Pr\left[ EV_6 \right] -Pr\left[ EV_5 \right] \vert \le \varepsilon (l) \end{aligned}$$
    (8)

In the sixth experiment, the only possibility for the adversary \(\mathtt {A}\) to win the game is to corrupt the smart card and guess the password. Thanks to Zipf’s law, the adversary has no advantage to obtain the user password. As consequence,

$$\begin{aligned} Pr\left[ EV_6 \right] \le C.send_{max}^{c'} \end{aligned}$$
(9)

Finally, the theorem 1 is proved by equations (2)-(9).

Theorem 2

Let’s \(\mathbf{S }\) the proposed scheme and \(\mathtt {A}\) a probabilistic polynomial time (PPT) adversary. \(\mathtt {A}\) wins to break the anonymity of \(\mathbf{S }\) with an advantage of:

$$\begin{aligned} ADV^{ANONYM}_{\mathbf{P }}(\mathtt {A}) \le \varepsilon (l) \end{aligned}$$
(10)

Proof

Suppose that \(\mathtt {A}\) can break the anonymity of the proposed scheme with a non-negligible advantage under the assumption of CDH problem.

Based on registration algorithm, we select \(r_m, r_{test} \in Z_q^{*}\) and we input (\(P_g\), \(r_mP_g\), \(s_kP_g\), \(r_ms_kP_g\)) and (\(P_g\), \(r_m P_g\), \(s_kP_g\), \(r_{test})\) with \(s_{k}\) is the private key of the cloud server. Suppose that cu is a legitimate user with a valid smart card and password and exchanges some authentication information with the cloud server (as illustrated in the authentication and registration algorithm in section 4.2).

Step 1:

In the first session \(Skey^i_{cu}\), the cloud user computes and sends \(B_1(cu)=r_mP_g, B_2(cu)=r_ms_kP_g\).

Step 2:

In the second session \(Skey^j_{cu}\), the cloud user computes and sends \(B_1(cu)=r_mP_g, B_2(cu)=r_{test}\). To make these session keys uniform and have the same structure, a user can choose \(r_s \in Z_q^{*}\) and select two random bit strings for \(C_3\) and \(C_4\).

Step 3:

In third time, we select a random \(r^{\prime} _m\), compute \(B_1(cu)\) \(=r^{\prime} _mP_g, B_2(cu)=r^{\prime} _ms_kP_g\) and we have a session denoted \(Skey^k_{cu}\).

Step 4:

The adversary \(\mathtt {A}\) will check the anonymity of \(\lbrace Skey^k_{cu}\), \(Skey^j_{cu}\rbrace\) and \(\lbrace Skey^i_{cu}\),\(Skey^k_{cu}\rbrace\). He launches a test anonymity query and returns two bits x and y. These bits can have different combinations:

  • x=0 and y=0 \(\Rightarrow\) Any Diffie-Hellman tuple is found.

  • x=0 and y=1 \(\Rightarrow\) \(B_1\) and \(B_2\) of the first session \(Skey^k=i_{cu}\) presents a Diffie–Hellman tuple.

  • x=1 and y=0 \(\Rightarrow\) \(B_1\) and \(B_2\) of the second session \(Skey^j_{cu}\) presents a Diffie–Hellman tuple.

  • x=1 and y=1 \(\Rightarrow\) both are Diffie-Hellman tuples.

In this scenario \(S_kP_g\) is fixed and \(r_mP_g\) changes in every launch of this protocol. Based on the self-reducibility of CDH problem, we have

$$\begin{aligned} \begin{array}{l} ADV_{CDH, S} = |Pr\left[ cu(P_g, r_mP_g , s_kP_g, r_ms_kP_g)\right] - \\ Pr\left[ cu(P_g, r_m P_g, s_kP_g, r_{test})\right] =1| \end{array} \end{aligned}$$
(11)

As consequence, we obtain: \(ADV_{CDH, S} \ge |Pr\left[ ANONYM(Skey^i_{cu}, Skey^j_{cu})=1\right] - Pr\left[ ANONYM(Skey^i_{cu}, Skey^k_{cu})=1 \right] |\) As a conclusion, the adversary \(\mathtt {A}\) has to solve the CDH problem to break untraceability. But resolving this problem is computationally hard. Therefore, the theorem 2 is proved.

\(\square\)

Fig. 3
figure 3

SPDL code of registration algorithm

Full size image
Fig. 4
figure 4

User claims

Full size image
Fig. 5
figure 5

Automatic claims

Full size image

5.1.2 Formal security verification and validation with Scyther tool

In this section, we analyze the security of our scheme using a formal anlysis security protocols based on “Scyther tool” [33]. Scyther offers a simple graphic user interface incorporating the scyther command line and python interface. It requires protocol description and parameters and outputs reports. It also visualizes for each attacks a detailed graph. The description and detail of a scenario is written in SPDL language.

In scyther tool, three protocol verification ways are possible:

  • Automatic claims scyther tool possesses a default claim patterns. If any claim events is defined, scyther will automatically generates and verifies claims.

  • Verification claim if a user defines a set of security properties. Scyther will just checks the falsifiers claims.

  • Characterization each protocol role can be characterized.

In Scyther tool, the security specifications are expressed in the form of “claims”. We use in our simulation the list below:

  • Secret ensures that an entity X has kept secret a key x \(\rightarrowtail\) claim (X, Secret, x). If, in addition, we want the key x to be a session key, we should check with the SKR (Session Key Reveal) property \(\rightarrowtail\) claim (X, SKR, x)

  • Alive allows to check the authenticity of an entity X \(\rightarrowtail\) claim (X, Alive).

  • Nisynch verifies that all messages sent by the sender X are received by the receiver Y in the appropriate order \(\rightarrowtail\) claim (X, Nisynch)

  • Niagree ensures that the execution of a protocol between two entities X and Y is completed and that the contents of the messages are the same at X and at Y \(\rightarrowtail\) claim (X, Niagree)

  • Running specifies a data agreement between two entities X and Y on a parameter or key x \(\rightarrowtail\) claim (X, Running, Y, x)

In Fig. 3, we model our protocol in Security Protocol Description Language(SPDL). We define two entities namely cloud user CU and cloud server CS. Each entity is represented by a separated role. Figure 4 shows the set of claims that we have defined so that the Fig. 5 illustrates the set of automatic launched claims. It is clear in both cases that our proposed solution guarantees all security properties. First, all exchanged values and keys are proved secure. Second, it guarantees the aliveness of the proposed nodes, Non-injective synchronization (Nisynch), authentication and traceability, and Non-injective agreement (Niagree).

5.2 Informal validation

Table 2 Security comparison
Full size table

In order to achieve a robust and efficient authentication solution, many security requirements should be verified. Therefore, we compare in Table 2 various security properties against our solution and related authentication mechanisms. We will also discuss in-depth some security requirements as follows:

  • Mutual authentication we design by mutual authentication the fact that cloud server and cloud user checks and verifies the identity of each other. This propriety is assumed based on \(C_2\) and \(C_3\) values. The cloud server checks and verifies the validity of \(C_2\) component and authenticate the cloud user if it passes the test. In the opposite way, the cloud user will verify the legitimacy of a server by checking \(C_3\).

  • Privacy our scheme ensures both anonymity and non traceability. These two properties are the basis of privacy definition [34]. In our solution, anonymity and privacy are verified by the fact that the attacker cannot reveal the identity of the sender and cannot distinguish whether the set of stolen messages are delivered from the same user. To compute the \(PID_u\), the card should at each session compute the hash function of \(B_1\) and \(B_3\). Notice that \(B_3\) value changes in each session due to the change of the random \(r_m\) (\(PID_u=(ID_u\parallel C_1) \oplus (B_1 \parallel B_3)\) ). Thus, an attacker cannot retrieve the identity of the cloud user because he/she has no knowledge of \(r_m\) and \(s_k\).

  • Replay attacks to withstand with this issue, both cloud user and cloud server compute different values generated by random number mechanism, respectively \(r_m\) and \(r_s\).

  • Forward secrecy The session key \(SK_{1}=SK_{2}\) = \(h(ID_u \parallel ID_s \parallel B_2 \parallel D \parallel K_2)\) is generated based on partial components (\(B_2 =r_mPP\), D =\(r_sP_g\), \(K_2=r_mD\)=\(r_mr_sP_g\)) delivered simultaneously by cloud user and server. Although an attacker intercepts \(P_g\), PP and D from the public channel, he cannot compute \(B_2\) or \(B^{\prime} _2\) components because they are one of the randoms \(r_m\)/\(r_s\) or the session key \(s_k\). This assumption is hard based on elliptic curve discrete logarithm and computational Diffie–Hellman problem.

  • Privileged insider attack In the registration phase, a user send \(\lbrace ID_u,\) \(h(r_i\parallel PASS_u \rbrace\) to cloud remote sever. Even an attacker can intercept this message, he cannot retrieve the password because it is blinded by the value of \(r_i\) such the password is computed as follows: \((PW=h(r_i\parallel PASS_u))\).

  • Verifier-stolen attack In our solution, we store (\(ID_u,\) \(b_i, T_i\) and \(ID_{card}\)) in cloud server. If an attacker compromises this table, any attack can be launched. This is due to the fact that these records are non security-related.

  • Known-key security It means that an attacker cannot calculate the current session key even though he has some previous session keys. In our scheme, the session key Sk = h(\(\bar{ID_u} \parallel ID_s \parallel \bar{B_2} \parallel B \parallel K_1\) = h(\(\bar{ID^{\prime} _u} \parallel ID_s \parallel \bar{B_2} \parallel D \parallel K_2\). Seeing that we use one-way hash function, an attacker cannot takeout \((B_2, K_2)\) or \((B^{\prime} _2, K_1)\) from the session key. Consequently, disclosure of some old session key does not result in the revelation of current session key.

  • Offline dictionary attack When the smart card of the cloud user is lost or stolen, an attacker can have some secret information by launching side-channel attack [35]. He can reveals \(A_1\), \(A_2\), \(ID_s\), PP , \(P_g\), h() and the master key \(s_k\). Here, an adversary can launches dictionary attack on two ways:

    \(*\) The adversary will use \(A_2\) to launch the attack

    1. 1.

      He selects from the dictionary space of the user identity and password a pair \((ID_u^*, PW_i^*)\) to start the game.

    2. 2.

      The adversary executes the steps in authentication phase. Namely he computes \(PW^*=h(r_i \parallel PASS_u^*)\) and \(A_2^*\) =\(r_i\) \(\oplus\) \((h(ID_u||\) \(h(r_i)||\) \(PW^*)\) mod m).

    3. 3.

      He checks the correctness of these credentials by verifying if \(A_2\) and \(A_2*\) are equal. If it holds, the divined pair (ID,password) is considered correct. Otherwise, the adversary will repeat steps (1)-(3) until he falls in a correct pair or leaves.

    However, the adversary fails to find this assumption because the identity and the password are strongly dependent on \(r_i\) which is large enough to prevent the adversary from guessing the value. Even if he can find the value of \(r_i\) satisfying these equations, fuzzy verifier mechanism brings up an important number of pairs \((ID_u^*,PASS_u^*)\) up to \(2^{64}\). It is large enough to make this attack unattainable.

    \(*\) The adversary will use \(C_2\) to launch the attack

    Even if the adversary success to guess \(C_2\) and obtains \(ID_u\) from h(\(ID_u||\) \(B_2||\) \(PID_u\)), he cannot calculate \(B_2\)= \(r_mPP\) because he has no idea about the Nonce \(r_m\). Therefore, this attack cannot be successful.

  • Fraud In order to prevent fraud, we implement in the proposed solution a mutual authentication process. The cloud server and cloud user should authenticate each others.

  • User impersonation attack If the adversary want to impersonate the cloud server, he should guess either the pair (\(ID_u\), \(Pass_u\)) or the login request \(\lbrace PID_u\), \(B_1\), \(C_2 \rbrace\). Furthermore, if he/she selects a random \(r_{attack}\) and computes B1attack = \(r_{attack}\).Pg, he/she forges

    \(PID_{attack}\) and \(C2_{attack}\) and constructs the login request \(\lbrace\) \(PID_{attack}\), \(B1_{attack}\), \(C2_{attack}\) \(\rbrace\). However, the cloud sever cannot extract the appropriate user ID \(ID_u\) from the table. We add also that when he tries to compute \(C^{\prime} 2_{attack}\), the result will be different from the received value. As consequence, our solution can withstand this attack.

6 Simulation experiments

We develop our proposal with java programming language. The experiments are performed using a machine with an Intel Core i7 processor 8th generation and 16 GB total memory. We call Java Pairing-Based Cryptography Library (JPBC) and Java card development kit in particular javax.smartcardio API. We have created three data centers. Each unit is made up of two powerful servers of the hp ProLiant ML110 g5 type. Each server contains 50 homogeneous AWS (EC2) instances.

In order to evaluate the efficiency of the proposed solution, we provide in the first time a comparison with related schemes in terms of computational and communication cost. Some competitive works used in this section are [14,15,16,17,18,19, 21, 23]. All the simulation results are retrieved among a mean of 100 trials.

Our basic goal is to improve security of the authentication scheme. In some cases, it requires a little bit increase in simulation metrics. We mention that all simulation experiments are only in login and authentication phase. We will not take into consideration registration, update and card revocation phases because they are respectively onetime or sometimes process. The following notations are used:

  • \(T_m\) : the time cost of a point multiplication

  • \(T_a\) : the time cost of a point addition

  • \(T_h\) : the time cost of a hash operation

  • \(l_{id}\) : the length of an identity

  • \(l_{point}\) the length of a point

  • \(l_{hash}\) : the length of a one-way hash value

  • \(l_t\) : the length of a timestamp

Based on the study [36], the time of performing a concatenate operation and an Exclusive-OR operation (XOR) can be negligible because they are much less than a hash function.

6.1 Computation cost

Table 3 Computation cost in cloud user and cloud server sides
Full size table
Table 4 Different operation’s cost
Full size table
Table 5 Execution time in cloud user and cloud server sides
Full size table

Total computation cost is the sum of the computation cost in cloud user and server.

Most of the related work do not differentiate between the computation cost in the user side and in the server side. In our evaluation, we study computation cost in each entity separately in order to be able to judge the robustness and efficiency of our solution. We assume that in the context of cloud computing, the operations of multiplication, hashing as well as addition have different costs in server and user side. This is due to the different configuration of the hardware devices. The main objective is to provide a secure, mutual but above all lightweight authentication and key agreement solution to be adapted to actual requirement in which a cloud user can accomplish different tasks with mobile devices.

Table 3 shows the different operations performed by each entity separately . Computation cost is the sum of different operations of addition, multiplication and basically hash functions. Table 4 reveals the execution time of these operations in our simulation environment in both user and server side. We deduce that the powerful servers execute the operations in terms of ms while the client finishes different tasks in approximately one second. Table 5 computes execution time in different related works both in user and in server sides.

6.2 Communication overhead

Table 6 Simulation parameters
Full size table
Table 7 Communication cost
Full size table

In our solution, we set the length of metrics used in simuation environment as illustrated in Table 6. We compute for the proposed solution and related works the number of exchanged messages, the length of communication messages and the communication cost. Table 7 shows that the discussed schemes exchange mainly three messages in the authentication phase with the exception [19, 23]. The total length of these messages is expressed in bits. We can deduce with the same number of exchanged messages we can obtain different communication length. In view of the highest length of a point, we have worked in our solution to minimize the number of this operation.

6.3 Discussion

In this section, we will discuss the security, computation cost and communication overhead results of the proposed solution.

Fig. 6
figure 6

User side

Full size image
Fig. 7
figure 7

Server side

Full size image
Fig. 8
figure 8

Communication cost

Full size image

First of all, we can observe that in term of computation cost, our scheme requires a half of second in user side and 3.57 ms in server side based on Table 5 and Figs. 6 and 7. Our solution is just slightly higher that what is obtained in [23] in both user and server sides, has extra time compared to [18] only on the server side and it is much less than solutions proposed in [14,15,16,17, 19, 21] in both user and server sides. From the discussion above, we can confirm that our solution is efficient and presents the best computation cost comparing to most of the related works.

Thereafter, we note from Table 7 that our solution consumes 336 bytes in communication process. We can see that it outperforms schemes [14,15,16,17,18,19, 23]. Works discussed in [21] and [17] present a communication overhead of eight-bytes less compared to the proposed solution.

We can also deduce from the aforementioned table that the number of exchanged messages in the login and authentication is three and equal in all schemes except [23] and [19]. From this study, we can note that the more the number of messages, the more the communication overhead becomes greater. We add also that by keeping the same number of exchanged messages, communication length differs from one solution to another and this is explained by the fact that it depends on the type of operations. In brief, we success to keep the same number of messages and to reduce the communication overhead in our work.

Figure 8 shows the communication cost of the related works and proposed solution incremantally. It shows that compared to similar proposals, our solution is located in third position after [21] and [17] that do not meet several security properties. From this side, the proposed solution can be considered efficient and it offers acceptable results.

Finally, we are going back to security evaluation presented in Table 5. We will study the relation between security and performance evaluation. We start by solution proposed in [23] which outperforms the proposed scheme in terms of computation cost. We mention that this solution does not ensure mutual authentication. We add also that it does not resist to insider and user impersonation attacks. Move to scheme [21] that have better communication overhead. This solution does not establish user anonymity and untraceability. It suffers also from password-guessing attack and smart card loss/stolen attack. Now, we can understand why our solution presents a little bit increase in performance metrics. For the rest of related works, our scheme outshines in terms of security and performance.

In summary, based on this discussion, we can draw a conclusion that our solution is in the first hand efficient in terms of communication overhead and computation cost. In the second hand, it withstands various attacks and more secure compared to related works. Finally, it present a lightweight, anonymous, mutual and secure two-factor authentication and key agreement scheme which can be deployed in the context of cloud computing environment.

7 Conclusion

This paper proposes an efficient and secure authentication and key agreement solution for cloud computing. This contribution presents a marriage of approaches, in particular, fuzzy verifier, Elliptic Curve Cryptography, two-factor authentication, etc. The formal validation with scyther tool and informal validation proves that our solution can withstand to various attacks, such as impersonation attack, privileged insider attack, replay attack and others. Based on random oracle model, the proposed scheme is proved provably secure under CDH and ECDL problem. The performance evaluation shows that our solution shows that our solution is efficient and robust compared to related works. As a perspective, we will be using temporary identities and trusted parties to get rid of the assumption that the cloud user must be honest.