Introduction

Growth of the aging population causes an increase in the rate of chronic diseases such as diabetes, cardiovascular diseases, and mental illnesses. Such diseases require long-term treatment with the frequent hospital/clinic-based checkups, which in turn induces excessive costs and stress on the patients (due to the repeated trips to the hospital). This causes significant adverse effects on the patient’s quality of life [1]. Without regular monitoring and medical care, chronic diseases can cause critical conditions for the patients. Therefore, developing a system that can enable patients diagnosed with chronic diseases to receive remote treatment at home is useful for both the patients and the medical infrastructure (facilities, doctors, staff, etc.) [2]. In fact, providing home-based long-term medical care services for chronic patients enhances the quality of their lives.

Nowadays, information and communication technologies are increasingly used in the medical sector to improve and facilitate healthcare delivery services. For example, telecare medicine information systems (TMISs) enable patients and doctors to access medical services and information at any time and anywhere via the Internet [3–5]. By employing a TMIS, patients can obtain the same medical services at home as at a hospital. Specifically, patients in rural areas are no longer required to travel long distances to visit a doctor. The medical staff can remotely monitor the health condition of the patients, and physicians can treat patients in a remote place at the right time and at lower cost. Therefore, TMISs provide more convenience for patients and reduce the patients’ expenses such as travel and hospitalization costs. Besides, the patients’ medical records stored in the medical servers of a TMIS allow doctors to provide more accurate diagnoses and prescribe better treatments [6].

Due to the open architecture of the Internet, TMISs that work over the Internet are subject to various security attacks [7, 8]. As shown in Fig. 1, an adversary may capture the messages exchanged between a patient and the medical server and obtain confidential information about the patient. It is obvious that disclosure of the health information about the patient breaches the privacy of the patient. The adversary may also modify the messages exchanged between the physician and the patient and cause irreparable injury to the patient. Hence, a secure mechanism for authentication and key agreement should be employed to restrict unauthorized access to the medical information stored on the medical servers and exchanged between users (physicians and patients) and medical servers [9–11]. Hitherto, numerous authentication and key agreement schemes have been proposed for TMISs. Recently, Amin and Biswas [12] analyzed the security of the authentication scheme proposed by Giri et al. [13] and presented some attacks on it. Then, they proposed an improved authentication scheme for TMISs and claimed that their improved scheme provides an acceptable level of security. However, we show that Amin and Biswas’s scheme [12] is insecure against some security attacks and does not provide perfect forward secrecy. We also demonstrate that Giri et al.’s scheme [13] not only suffers from the weaknesses identified by Amin and Biswas, but is also vulnerable to replay attacks and does not provide perfect forward secrecy. Furthermore, in order to improve the security and efficiency of the previous schemes, we propose a new authentication and key agreement scheme using the elliptic curve cryptosystem (ECC).

Fig. 1 An overall scheme of the application of TMIS

The rest of the paper is organized as follows. Related works are listed in “Related works”. “Review of Giri et al.’s scheme” briefly reviews Giri et al.’s scheme. “Weaknesses of Giri et al.’s scheme” presents the weaknesses of Giri et al.’s scheme. In “Review of Amin and Biswas’s scheme”, Amin and Biswas’s scheme is reviewed. In “Weaknesses of Amin and Biswas’s scheme”, weaknesses of Amin and Biswas’s scheme are discussed. In “The proposed scheme”, the proposed scheme is described. “Security analysis” and “Performance analysis” analyze the security and performance of the proposed scheme. Finally, a conclusion is given in “Conclusion”.

Related works

Until now, a large number of authentication and key agreement schemes have been proposed. However, most of them have been proved to be insecure against various security attacks.

In 1981, Lamport [14] proposed the first authentication scheme using one-way hash functions. Since Lamport’s scheme does not need time-consuming cryptographic operations, it is a lightweight authentication scheme. However, Lennon et al. [15] and Yen and Liao [16] demonstrated that Lamport’s scheme is vulnerable to stolen verifier attacks. The vulnerability of Lamport’s scheme lies in the fact that the server maintains the hashed values of the users’ passwords. Lamport’s scheme falls in the category of one-factor authentication schemes, because the server authenticates the users only through their passwords. Typically, in one-factor authentication schemes, the server maintains a table containing the verifiers of the users [17, 18]. Hence, the servers are often the favorite targets of adversaries, because if an adversary obtains the verifier of a user that is stored in the verification table, then he/she can masquerade as the victim user [19–22].

In order to overcome stolen verifier attacks and enhance the security, Hwang and Li [23] proposed another type of authentication called two-factor authentication. Typically, in two-factor authentication schemes, the server does not need to maintain the verifiers of users. Instead, the server stores some personalized information into a smart card and gives the smart card to the user at the end of the registration process. Hence, if an adversary wants to impersonate a user, he/she has to obtain both the password and the smart card of the user [24, 25]. Since the scheme of Hwang and Li [23] was a two-factor authentication scheme and its security was based on the difficulty of solving the Discrete Logarithm Problem (DLP), Hwang and Li [23] claimed that their scheme is a secure authentication scheme. Nevertheless, Chan and Chen [26] demonstrated that Hwang and Li’s scheme [23] is defenseless against impersonation attacks. Sun et al. in [27] proposed a lightweight two-factor authentication scheme, claiming that it could resist security attacks. In [28] Chien et al. demonstrated that the scheme of Sun et al. [27] does not provide an acceptable level of security and then suggested an improved authentication scheme. Unfortunately, Ku and Chen [29] proved that the scheme suggested by Chien et al. [28] is also susceptible to insider attacks and parallel session attacks. Ku and Chen [29] also proposed an improved authentication scheme to overcome the weaknesses of Chien et al.’s scheme [28]. However, Yoon et al. [30] pointed out that Ku and Chen’s scheme cannot resist parallel session attacks and denial of service attacks. In order to enhance the security, Yoon et al. [30] proposed a new authentication scheme. Nevertheless, in [31] it is demonstrated that both the schemes proposed in [29, 30] are susceptible to password guessing attacks, impersonation attacks, and denial of service attacks.

In 2012, in order to enhance the security of the previous schemes, Hsieh and Leu [32] proposed a novel authentication scheme. However, Wang et al. [33] demonstrated that Hsieh and Leu’s scheme is defenseless against password guessing attacks. Then, they suggested an improved scheme with the claim that it could withstand various security attacks. Chang et al. in [34] claimed that Wang et al.’s scheme [33] does not preserve user privacy because the user uses the same identity for all the sessions. Then, Chang et al. [34] proposed an improved scheme with the claim that it withstands various attacks and preserves user privacy. However, Kumari et al. [35] pointed out that the scheme proposed by Chang et al. [34] cannot withstand password guessing attacks and impersonation attacks. Moreover, they proposed a lightweight authentication scheme, claiming that it provides an acceptable level of security. Nevertheless, in [7] it is proved that Kumari et al.’s scheme [35] is susceptible to password guessing attacks and does not preserve user privacy.

In 2015, Giri et al. [13] proposed an improved authentication and key agreement scheme and claimed that their scheme could withstand various attacks. However, Amin and Biswas [12] demonstrated that Giri et al.’s scheme is vulnerable to off-line password guessing attacks and privileged insider attacks and also does not provide user anonymity. Then, in order to overcome the weaknesses of Giri et al.’s scheme, Amin and Biswas [12] proposed an improved authentication scheme for TMISs. This paper demonstrates that Amin and Biswas’s scheme [12] is vulnerable to off-line password guessing attacks and replay attacks and also does not provide perfect forward secrecy. The paper also shows that Giri et al.’s scheme [13] not only suffers from the weaknesses demonstrated by Amin and Biswas, but is also vulnerable to replay attacks and does not provide perfect forward secrecy.

Review of Giri et al.’s scheme

This section briefly reviews Giri et al.’s authentication and key agreement scheme [13]. Giri et al.’s scheme includes five phases, i.e., initialization phase, registration phase, login phase, authentication and session key agreement phase, and password change phase. Since the password change phase of Giri et al.’s scheme is not relevant to our analysis, we only review the first four phases. The notations used in Giri et al.’s scheme are listed in Table 1.

Table 1 Notations

Initialization phase

In this phase, the server chooses two large primes \(p\) and \(q\) and computes \(n = p \times q\). Then, the server chooses a secure one-way hash function \(h(\cdot ): \{0,1\}^{*} \rightarrow Z_{q}^{*}\) and two integers \(e\) and \(d\) such that \(e \times d \bmod (p-1)(q-1) = 1\). Finally, the server keeps \(d\) as its secret key and publishes \(e\) as its public key.

Registration phase

In this phase, as shown in Fig. 2, a new user can register with the server and obtain a personalized smart card as follows:

  1. Step 1.

    The user chooses his/her identity \(ID_{i}\) and password \(PW_{i}\) and selects a random number \(b_{i}\). Then, the user computes \(PWb_{i} = h(PW_{i}\parallel b_{i})\) and sends a message \(\{ID_{i}, PWb_{i}\}\) to the server through a secure channel.

  2. Step 2.

    Upon receiving the message \(\{ID_{i}, PWb_{i}\}\), the server computes \(R_{i} = h(ID_{i}\parallel d)\), \(B_{i} = (PWb_{i}\parallel R_{i})^{e} \bmod n\), \(A_{i} = R_{i}\oplus PWb_{i}\), and \(L_{i} = h(R_{i}\parallel PWb_{i})\), stores \(\{ID_{i}, A_{i}, B_{i}, L_{i}, h(\cdot)\}\) into a smart card, and sends the smart card to the user through the secure channel.

  3. Step 3.

    After receiving the smart card, the user stores the random number \(b_{i}\) in the memory of the smart card.

Fig. 2 Registration phase of Giri et al.’s scheme

Login phase

When a user wants to log in to the server, he/she inserts his/her smart card into the card reader and enters his/her identity \(ID_{i}\) and password \(PW_{i}\). Then, the smart card computes \(PWb_{i} = h(PW_{i}\parallel b_{i})\) and \(R_{i} = A_{i}\oplus PWb_{i}\) and checks whether \(h(R_{i}\parallel PWb_{i})\) is equal to the stored \(L_{i}\) or not. If they are not equal, the smart card halts the process. Otherwise, the smart card selects a random number \(N_{1}\), computes \(C_{i} = h(PWb_{i}\parallel N_{1}\parallel R_{i})\) and \(D_{i} = PWb_{i}\oplus N_{1}\), and sends a message \(\{ID_{i}, C_{i}, B_{i}, D_{i}\}\) to the server through a public channel.

Authentication and session key agreement phase

In this phase, as shown in Fig. 3, the user and the server verify the authenticity of each other and negotiate a session key as follows:

  1. Step 1.

    Upon receiving the message \(\{ID_{i}, C_{i}, B_{i}, D_{i}\}\), the server checks whether the received identity is valid or not. If it is not a valid identity, the server ignores the received message. Otherwise, the server decrypts \(B_{i}\) as \((B_{i})^{d} \bmod n = (PWb_{i}^{*}\parallel R_{i}^{*})\), computes \(R_{i} = h(ID_{i}\parallel d)\), and checks whether the decrypted \(R_{i}^{*}\) is equal to the computed \(R_{i}\) or not. If they are not equal, the server terminates the session; otherwise, it computes \(N_{1}^{*} = PWb_{i}^{*}\oplus D_{i}\) and checks whether \(h(PWb_{i}^{*}\parallel N_{1}^{*}\parallel R_{i})\) is equal to the received \(C_{i}\) or not. If they are not equal, the server terminates the session. Otherwise, the server authenticates the user, accepts his/her login request, selects a random number \(N_{2}\), and computes \(N_{3} = N_{1}^{*}\oplus N_{2}\) and \(K_{i} = h(R_{i}\parallel N_{2})\). Finally, the server computes the session key \(SK = h(ID_{i}\parallel PWb_{i}^{*}\parallel N_{1}^{*}\parallel N_{2})\) and sends a message \(\{N_{3}, K_{i}\}\) to the user through the public channel.

  2. Step 2.

    After receiving the message \(\{N_{3}, K_{i}\}\), the user computes \(N_{2}^{*} = N_{3}\oplus N_{1}\) and checks whether \(h(R_{i}\parallel N_{2}^{*})\) is equal to the received \(K_{i}\) or not. If they are not equal, the user terminates the session. Otherwise, the user authenticates the server and computes the session key \(SK\) as \(SK = h(ID_{i}\parallel PWb_{i}\parallel N_{1}\parallel N_{2}^{*})\).

Fig. 3 Login and authentication phases of Giri et al.’s scheme

Weaknesses of Giri et al.’s scheme

Recently, Amin and Biswas [12] pointed out that Giri et al.’s scheme [13] is vulnerable to off-line password guessing attacks and does not provide user anonymity. This section demonstrates that Giri et al.’s scheme [13] not only suffers from the weaknesses pointed out by Amin and Biswas [12], but it also is vulnerable to replay attacks and does not support perfect forward secrecy. The details are as follows.

Replay attacks

Suppose an adversary has eavesdropped on the communication channel between a legal user and the server and recorded the login request message \(\{ID_{i}, C_{i}, B_{i}, D_{i}\}\). The adversary can log in to the server as follows:

  1. Step 1.

    The adversary sends the eavesdropped login request message \(\{ID_{i}, C_{i}, B_{i}, D_{i}\}\) to the server.

  2. Step 2.

    Upon receiving the message \(\{ID_{i}, C_{i}, B_{i}, D_{i}\}\), the server computes \(R_{i} = h(ID_{i}\parallel d)\) and \((B_{i})^{d} \bmod n = (PWb_{i}^{*}\parallel R_{i}^{*})\) and checks whether \(R_{i}^{*}\) is equal to \(R_{i}\) or not. Since they are equal, the server computes \(N_{1}^{*} = PWb_{i}^{*}\oplus D_{i}\) and checks whether \(h(PWb_{i}^{*}\parallel N_{1}^{*}\parallel R_{i})\) is equal to the received \(C_{i}\) or not. Since they are equal, the server authenticates the adversary as a legal user and accepts his/her login request.

Therefore, the adversary can impersonate a legal user and login to the server by replaying an old login request message.

Perfect forward secrecy

Perfect forward secrecy is an important security requirement for security protocols. Perfect forward secrecy ensures that even if an adversary obtains the secret key of one party (e.g., the secret key of the server or the user’s password), he/she still cannot compute the previously negotiated session keys [19, 36, 37]. The following demonstrates that Giri et al.’s scheme [13] does not provide perfect forward secrecy.

Suppose an adversary has eavesdropped on and recorded the previously transmitted messages \(\{ID_{i}, C_{i}, B_{i}, D_{i}\}\) and \(\{K_{i}, N_{3}\}\). If the adversary somehow obtains the secret key of the server (\(d\)), he/she can compute the previously negotiated session keys as follows:

  1. Step 1.

    The adversary decrypts \(B_{i}\) with the obtained secret key \(d\) as \((B_{i})^{d} \bmod n = (PWb_{i}^{*}\parallel R_{i}^{*})\), computes \(N_{1}^{*} = PWb_{i}^{*}\oplus D_{i}\), and recovers \(N_{2}\) from the recorded \(N_{3} = N_{1}^{*}\oplus N_{2}\) as \(N_{2} = N_{3}\oplus N_{1}^{*}\).

  2. Step 2.

    The adversary computes the session key SK as \(SK = h(ID_{i}\parallel PWb_{i}^{*}\parallel N_{1}^{*}\parallel N_{2})\).

Therefore, since in Giri et al.’s scheme [13] disclosure of the server’s secret key leads to compromising old session keys, we can conclude that Giri et al.’s scheme does not provide perfect forward secrecy.

Review of Amin and Biswas’s scheme

In this section, we briefly review Amin and Biswas’s improved authentication and key agreement scheme [12]. Amin and Biswas’s scheme [12] includes six phases, i.e., initialization phase, registration phase, login phase, authentication and session key agreement phase, password change phase, and identity change phase. Since the password and identity change phases of Amin and Biswas’s scheme are not relevant to our analysis, and the initialization phase of Amin and Biswas’s scheme is the same as that of Giri et al.’s scheme (please refer to “Initialization phase”), we only review the remaining phases of Amin and Biswas’s scheme. The notations used in Amin and Biswas’s scheme are listed in Table 1.

Registration phase

In this phase, as shown in Fig. 4, a new user can register with the server and obtain a personalized smart card as follows:

  1. Step 1.

    The user chooses his/her identity \(ID_{i}\) and password \(PW_{i}\) and selects a random number \(b_{i}\). Then, the user computes \(PWb_{i} = h(PW_{i}\parallel b_{i})\) and sends a registration request message \(\{ID_{i}, PWb_{i}\}\) to the server through a secure channel.

  2. Step 2.

    Upon receiving the registration request message \(\{ID_{i}, PWb_{i}\}\), the server computes \(R_{i} = h(ID_{i}\parallel d)\), \(A_{i} = R_{i}\oplus h(PWb_{i}\parallel ID_{i})\), and \(L_{i} = h(ID_{i}\oplus PWb_{i})\). Then, the server stores \(\{A_{i}, L_{i}, n, h(\cdot)\}\) into a smart card and sends the smart card to the user through the secure channel.

  3. Step 3.

    When the user receives the smart card, he/she computes \(DP = b_{i}\oplus h(ID_{i}\parallel PW_{i})\) and stores \(DP\) in the memory of the smart card.

Fig. 4 Registration phase of Amin and Biswas’s scheme

Login phase

When a user wants to log in to the server, he/she inserts his/her smart card into the card reader and enters his/her identity \(ID_{i}\) and password \(PW_{i}\). Then, the smart card computes \(b_{i} = DP\oplus h(ID_{i}\parallel PW_{i})\) and \(PWb_{i} = h(PW_{i}\parallel b_{i})\) and checks whether \(h(ID_{i}\oplus PWb_{i})\) is equal to the stored \(L_{i}\) or not. If they are not equal, the smart card terminates the process. Otherwise, the smart card selects a random number \(N_{1}\) and computes \(R_{i} = A_{i}\oplus h(PWb_{i}\parallel ID_{i})\), \(C_{i} = h(PWb_{i}\parallel N_{1}\parallel R_{i})\), \(D_{i} = h(ID_{i}\parallel PWb_{i})\oplus N_{1}\), and \(B_{i} = (ID_{i}\parallel PWb_{i}\parallel N_{1})^{e} \bmod n\). At last, the smart card sends a message \(\{C_{i}, B_{i}, D_{i}\}\) to the server through a public channel.

Authentication and session key agreement phase

In this phase, as shown in Fig. 5, the user and the server check the authenticity of each other and negotiate a session key as follows:

  1. Step 1.

    Upon receiving the message \(\{C_{i}, B_{i}, D_{i}\}\), the server decrypts \(B_{i}\) as \((B_{i})^{d} \bmod n = (ID_{i}\parallel PWb_{i}\parallel N_{1})\), computes \(N_{1} = h(ID_{i}\parallel PWb_{i})\oplus D_{i}\), and checks whether the decrypted \(N_{1}\) is equal to the computed \(N_{1}\) or not. If they are not equal, the server terminates the session; otherwise, it computes \(R_{i} = h(ID_{i}\parallel d)\) and checks whether \(h(PWb_{i}\parallel N_{1}\parallel R_{i})\) is equal to the received \(C_{i}\) or not. If they are not equal, the server terminates the session. Otherwise, the server authenticates the user, accepts his/her login request, selects a random number \(N_{2}\), and computes \(N_{3} = N_{1}\oplus N_{2}\) and \(K_{i} = h(R_{i}\parallel N_{2})\). At last, the server sends a message \(\{N_{3}, K_{i}\}\) to the user through the public channel.

  2. Step 2.

    Upon receiving the message \(\{N_{3}, K_{i}\}\), the user computes \(N_{2} = N_{3}\oplus N_{1}\) and checks whether \(h(R_{i}\parallel N_{2})\) is equal to the received \(K_{i}\) or not. If they are not equal, the user terminates the session. Otherwise, the user authenticates the server and computes the session key \(SK\) as \(SK = h(ID_{i}\parallel PWb_{i}\parallel N_{1}\parallel N_{2})\). Furthermore, the user computes \(SKV = h(SK\parallel ID_{i})\) and sends a message \(\{SKV\}\) to the server for verification of the session key.

  3. Step 3.

    After receiving the message \(\{SKV\}\), the server computes the session key \(SK = h(ID_{i}\parallel PWb_{i}\parallel N_{1}\parallel N_{2})\) and checks whether \(h(SK\parallel ID_{i})\) is equal to the received \(SKV\) or not. If they are equal, the server uses the session key \(SK\) for securing the communication between itself and the user.

Fig. 5 Login and authentication phases of Amin and Biswas’s scheme

Weaknesses of Amin and Biswas’s scheme

Amin and Biswas [12] claimed that their scheme could withstand various security attacks. However, this section demonstrates that their scheme is vulnerable to off-line password guessing attacks and replay attacks and also does not provide perfect forward secrecy. The details are as follows.

Off-line password guessing attacks

Amin and Biswas [12] claimed that even if an adversary can retrieve \(\{A_{i}, L_{i}, DP, n, h(\cdot)\}\) from a user’s smart card, he/she still cannot guess the user’s password, because he/she does not know the secret key of the server (\(d\)). However, this section demonstrates that if an adversary steals or finds a user’s smart card, he/she can guess the user’s password as follows:

  1. Step 1.

    The adversary retrieves \(\{A_{i}, L_{i}, DP, n, h(\cdot)\}\) from the memory of the smart card by using the methods proposed in [38, 39].

  2. Step 2.

    The adversary selects a pair \((ID_{i}^{*}, PW_{i}^{*})\) from two separate dictionaries \(D_{ID}\) and \(D_{PW}\). Then, the adversary computes \(b_{i}^{*} = h(ID_{i}^{*}\parallel PW_{i}^{*})\oplus DP\), \(PWb_{i}^{*} = h(PW_{i}^{*}\parallel b_{i}^{*})\), and \(L_{i}^{*} = h(ID_{i}^{*}\oplus PWb_{i}^{*})\) and checks whether the computed \(L_{i}^{*}\) is equal to the retrieved \(L_{i}\) or not. If they are equal, it implies that the adversary has selected the right pair \((ID_{i}^{*}, PW_{i}^{*})\); otherwise, the adversary repeats this step until he/she succeeds.

The off-line password guessing attack is feasible because, due to the low entropy of the user’s identity and password, the adversary can enumerate all the pairs \((ID_{i}^{*}, PW_{i}^{*})\) in the Cartesian product \(D_{ID}\times D_{PW}\) within polynomial time [40–45].

Replay attacks

Suppose an adversary has eavesdropped on the communication channel between a legal user and the server and recorded a previous login request message \(\{C_{i}, B_{i}, D_{i}\}\). The adversary can log in to the server by sending the eavesdropped login request message \(\{C_{i}, B_{i}, D_{i}\}\) to the server. When the server receives the message \(\{C_{i}, B_{i}, D_{i}\}\), it decrypts \(B_{i}\) as \((B_{i})^{d} \bmod n = (ID_{i}\parallel PWb_{i}\parallel N_{1})\), computes \(N_{1} = h(ID_{i}\parallel PWb_{i})\oplus D_{i}\), and checks whether the decrypted \(N_{1}\) is equal to the computed \(N_{1}\) or not. Since they are equal, the server computes \(R_{i} = h(ID_{i}\parallel d)\) and checks whether \(h(PWb_{i}\parallel N_{1}\parallel R_{i})\) is equal to the received \(C_{i}\) or not. Since they are equal, the server authenticates the adversary as a legal user and accepts his/her login request. Furthermore, the server selects a random number \(N_{2}\), computes \(N_{3} = N_{1}\oplus N_{2}\) and \(K_{i} = h(R_{i}\parallel N_{2})\), and sends a message \(\{N_{3}, K_{i}\}\) to the user (adversary). Although the adversary cannot compute the session key \(SK\), he/she is successful as long as the server accepts the login request. Hence, since the server has authenticated the adversary as the legal user and accepted his/her login request, the adversary simply ignores the received message \(\{N_{3}, K_{i}\}\).

Therefore, since an adversary can impersonate a legal user and login to the server by replaying an old login request message, we can conclude that Amin and Biswas’s scheme [12] is vulnerable to replay attacks.

Perfect forward secrecy

As mentioned before, the perfect forward secrecy is an important security requirement for authentication and key agreement protocols. This section demonstrates that similar to Giri et al.’s scheme [13], Amin and Biswas’s scheme [12] also does not provide perfect forward secrecy.

Suppose an adversary has eavesdropped on and recorded the previously transmitted messages \(\{C_{i}, B_{i}, D_{i}\}\) and \(\{K_{i}, N_{3}\}\). If the adversary somehow obtains the secret key of the server (\(d\)), he/she can compute the previously established session keys as follows:

  1. Step 1.

    The adversary decrypts \(B_{i}\) with the obtained secret key \(d\) as \((B_{i})^{d} \bmod n = (ID_{i}\parallel PWb_{i}\parallel N_{1})\) and computes \(N_{1} = h(ID_{i}\parallel PWb_{i})\oplus D_{i}\) and \(N_{2} = N_{3}\oplus N_{1}\).

  2. Step 2.

    The adversary computes the session key \(SK\) as \(SK = h(ID_{i}\parallel PWb_{i}\parallel N_{1}\parallel N_{2})\).

Therefore, since divulgence of the server’s secret key compromises the secrecy of the old session keys, it can be claimed that Amin and Biswas’s scheme [12] does not provide perfect forward secrecy.
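The following Python model is added here as an illustration of the three findings above and of the parallel findings in “Weaknesses of Giri et al.’s scheme”; it is not code from this paper or from Amin and Biswas. It instantiates Amin and Biswas’s registration, login and authentication phases with constructed toy parameters: a textbook RSA modulus built from two Mersenne primes, SHA-256 truncated to 24 bits as \(h(\cdot)\), and `|` as the concatenation separator (the card also holds \(n\) and \(h(\cdot)\) in the paper; they are globals here). `server_accepts` keeps no record of earlier \(N_{1}\) values, so the same request is accepted twice; `session_key_from_transcript` recomputes \(SK\) from a recorded exchange and \(d\) alone; `card_is_offline_verifier` shows that the stored \(L_{i}\) and \(DP\) confirm a candidate \((ID_{i}, PW_{i})\) with no server involved. The Giri et al. variant differs only in \(B_{i} = (PWb_{i}\parallel R_{i})^{e} \bmod n\) and \(D_{i} = PWb_{i}\oplus N_{1}\), and the same two transcript-based checks go through unchanged.

```python
import hashlib
import secrets

# Toy parameters, constructed for this demonstration: every hash output is
# truncated to W bits so that ID_i || PWb_i || N_1 fits below the RSA modulus.
W = 24
MASK = (1 << W) - 1
P_RSA, Q_RSA = (1 << 31) - 1, (1 << 61) - 1        # two Mersenne primes
N_RSA = P_RSA * Q_RSA
E_RSA = 65537                                        # server's public key e
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))   # server's secret key d

def h(*parts):
    """h(.) applied to the concatenation of its arguments, truncated to W bits."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & MASK

def pack(*fields):
    """Concatenate W-bit fields into one integer (the RSA plaintext)."""
    x = 0
    for f in fields:
        x = (x << W) | f
    return x

def unpack(x, count):
    """Inverse of pack: split an integer back into `count` W-bit fields."""
    return tuple(reversed([(x >> (W * i)) & MASK for i in range(count)]))

def register(ID, PW):
    """Registration phase; returns the smart-card contents {A_i, L_i, DP}."""
    b = secrets.randbits(W)
    PWb = h(PW, b)                      # user side
    R = h(ID, D_RSA)                    # server side
    A = R ^ h(PWb, ID)
    L = h(ID ^ PWb)
    DP = b ^ h(ID, PW)                  # user side, after receiving the card
    return {"A": A, "L": L, "DP": DP}

def login(card, ID, PW):
    """Login phase on the card; returns the request {C_i, B_i, D_i} and local state."""
    b = card["DP"] ^ h(ID, PW)
    PWb = h(PW, b)
    if h(ID ^ PWb) != card["L"]:
        raise ValueError("identity/password rejected by the card")
    N1 = secrets.randbits(W)
    R = card["A"] ^ h(PWb, ID)
    request = {"C": h(PWb, N1, R), "D": h(ID, PWb) ^ N1,
               "B": pow(pack(ID, PWb, N1), E_RSA, N_RSA)}
    return request, {"ID": ID, "PWb": PWb, "N1": N1, "R": R}

def server_accepts(request):
    """Authentication step 1; returns ({N_3, K_i}, SK) or None. The server keeps
    no record of earlier N_1 values, which is why a replayed request passes."""
    ID, PWb, N1 = unpack(pow(request["B"], D_RSA, N_RSA), 3)
    if h(ID, PWb) ^ request["D"] != N1:
        return None
    R = h(ID, D_RSA)
    if h(PWb, N1, R) != request["C"]:
        return None
    N2 = secrets.randbits(W)
    return {"N3": N1 ^ N2, "K": h(R, N2)}, h(ID, PWb, N1, N2)

def client_finish(state, reply):
    """Authentication step 2 on the card; returns SK or None."""
    N2 = reply["N3"] ^ state["N1"]
    if h(state["R"], N2) != reply["K"]:
        return None
    return h(state["ID"], state["PWb"], state["N1"], N2)

def session_key_from_transcript(d, request, reply):
    """What a holder of the long-term key d learns from a recorded exchange:
    the old session key itself, i.e. the scheme has no perfect forward secrecy."""
    ID, PWb, N1 = unpack(pow(request["B"], d, N_RSA), 3)
    return h(ID, PWb, N1, reply["N3"] ^ N1)

def card_is_offline_verifier(card, ID_guess, PW_guess):
    """True iff the card contents alone confirm a candidate (ID_i, PW_i): the
    stored L_i is a password verifier that needs no server interaction."""
    b = h(ID_guess, PW_guess) ^ card["DP"]
    return h(ID_guess ^ h(PW_guess, b)) == card["L"]
```

Read defensively, the three functions at the end name the three design rules the proposed scheme follows: a login request must carry something the server can bound or remember (a timestamp within \(\Delta T\), or a nonce it records), the session key must not be a function of values that an RSA decryption with the long-term key recovers from the transcript, and the card must not hold a value that is a deterministic function of the identity and password alone.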

The proposed scheme

In order to overcome the security weaknesses of Giri et al.’s scheme [13] and Amin and Biswas’s scheme [12], a secure and efficient authentication and key agreement scheme for TMISs is proposed in this section. The proposed scheme consists of four phases: initialization phase, registration phase, login and authentication phase, and password change phase. The notations used in the proposed scheme are listed in Table 2 and the phases are illustrated in the following subsections.

Table 2 Notations used in the proposed scheme

Initialization phase

In this phase, the server chooses an elliptic curve \(E\) [50] and selects a point \(P\) of large order \(n\) on the curve as the base point. Then, the server selects a random number \(s \in _{R} Z_{p}^{*}\) as its secret key and a secure one-way hash function \(h(\cdot): \{0,1\}^{*} \rightarrow \{0,1\}^{l}\), where \(l\) is the length of the output. Finally, the server publishes \(\{E, n, P, h(\cdot)\}\) and keeps \(s\) secret.

Registration phase

As shown in Fig. 6, the user registration process is as follows:

  1. Step 1.

    The user chooses his/her identity \(ID_{i}\) and password \(PW_{i}\), selects a random number \(b_{i}\), and computes \(PWb_{i} = h(PW_{i}\parallel b_{i})\). At last, the user sends a registration request message \(\{ID_{i}, PWb_{i}\}\) to the server through a secure channel.

  2. Step 2.

    Upon receiving the message \(\{ID_{i}, PWb_{i}\}\), the server checks whether \(ID_{i}\) exists in its database or not. If it exists, the server asks the user to choose another identity. Otherwise, the server chooses a random number \(r\), computes \(R_{i} = h(ID_{i}\parallel s)\), \(A_{i} = R_{i}\oplus h(ID_{i}\parallel PWb_{i})\), and \(CID_{i} = E_{s}(ID_{i}\parallel r)\), stores \(ID_{i}\) in its database and \(\{A_{i}, CID_{i}, E, P, n, h(\cdot)\}\) into a smart card, and sends the smart card to the user through the secure channel.

  3. Step 3.

    When the user receives the smart card, he/she stores the random number \(b_{i}\) in the memory of the smart card.

Fig. 6 Registration phase of the proposed scheme

Login and authentication phase

In this phase, as shown in Fig. 7, the user and the server authenticate each other and negotiate a session key as follows:

  1. Step 1.

    The user inserts his/her smart card into the card reader and enters his/her identity \(ID_{i}\) and password \(PW_{i}\). Then, the smart card selects a random number \(k_{1}\in _{R} Z_{p}^{*}\) and computes \(K_{1} = k_{1}P\), \(R_{i} = A_{i}\oplus h(ID_{i}\parallel h(PW_{i}\parallel b_{i}))\), and \(V_{1} = h(ID_{i}\parallel K_{1}\parallel R_{i}\parallel T_{1})\), where \(T_{1}\) is the current timestamp. At last, the smart card sends a login request message \(\{CID_{i}, K_{1}, V_{1}, T_{1}\}\) to the server through a public channel.

  2. Step 2.

    Upon receiving the message \(\{CID_{i}, K_{1}, V_{1}, T_{1}\}\), the server checks the freshness of the timestamp \(T_{1}\) by checking the condition \(T_{2} - T_{1} \leq \Delta T\), where \(T_{2}\) is the time when the server receives the login request message \(\{CID_{i}, K_{1}, V_{1}, T_{1}\}\) and \(\Delta T\) denotes the maximum transmission delay. If it is not fresh, the server ignores the received login request message. Otherwise, the server computes \(D_{s}(CID_{i}) = (ID_{i}\parallel r)\) and checks whether the received \(V_{1}\) is equal to \(h(ID_{i}\parallel K_{1}\parallel h(ID_{i}\parallel s)\parallel T_{1})\) or not. If they are not equal, the server terminates the session. Otherwise, the server chooses two random numbers \(r^{New}\) and \(k_{2}\in _{R} Z_{p}^{*}\), computes \(CID_{i}^{New} = E_{s}(ID_{i}\parallel r^{New})\), \(K_{2} = k_{2}P\), \(K = k_{2}K_{1}\), \(ECID_{i} = h(K)\oplus CID_{i}^{New}\), and \(V_{2} = h(K_{1}\parallel h(ID_{i}\parallel s)\parallel K_{2}\parallel CID_{i}^{New}\parallel K)\), and sends a challenge message \(\{K_{2}, ECID_{i}, V_{2}\}\) to the user through the public channel. It should be noted that the server does not send the value of \(CID_{i}^{New}\) in plaintext through the public channel. Therefore, an adversary cannot establish a link between the exchanged messages over the public channel and the user (smart card) who sent/received them. In fact, the server sends the new dynamic identity of the user (\(CID_{i}^{New}\)) in a protected manner as \(ECID_{i} = h(K)\oplus CID_{i}^{New}\) in order to withstand off-line password guessing attacks as discussed in “Password guessing attacks”.

  3. Step 3.

    When the user receives the message \(\{K_{2}, ECID_{i}, V_{2}\}\), he/she computes \(K = k_{1}K_{2}\) and \(CID_{i}^{New} = h(K)\oplus ECID_{i}\) and checks whether \(h(K_{1}\parallel R_{i}\parallel K_{2}\parallel CID_{i}^{New}\parallel K)\) is equal to the received \(V_{2}\) or not. If they are not equal, the user terminates the session. Otherwise, the user authenticates the server, computes \(V_{3} = h(R_{i}\parallel V_{2}\parallel K)\), replaces \(CID_{i}\) with \(CID_{i}^{New}\) in the smart card, and sends a response message \(\{V_{3}\}\) to the server through the public channel. Furthermore, the user computes the session key \(SK\) as \(SK = h(ID_{i}\parallel K\parallel K_{1}\parallel K_{2})\).

  4. Step 4.

    After receiving the message \(\{V_{3}\}\), the server checks whether \(h(h(ID_{i}\parallel s)\parallel V_{2}\parallel K)\) is equal to the received \(V_{3}\) or not. If they are not equal, the server terminates the session; otherwise, the server authenticates the user and computes the session key \(SK\) as \(SK = h(ID_{i}\parallel K\parallel K_{1}\parallel K_{2})\).

Fig. 7 Login and authentication phase of the proposed scheme
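An executable model of the login and authentication phase above, together with the password change phase that follows, is added here as an illustration; it is not code from the paper. It instantiates \(E\), \(P\) and \(n\) with the public secp256k1 parameters (the paper fixes no curve), uses SHA-512 truncated to 320 bits as \(h(\cdot)\), replaces the unspecified symmetric cipher \(E_{s}/D_{s}\) with a labelled hash-keystream stand-in, and assumes \(\Delta T\) of 5 seconds; the `server` dictionary holding \(s\) and the identity database, and the `now` parameter used to inject a receive time, are assumptions of this model. Both sides arrive at \(SK = h(ID_{i}\parallel K\parallel K_{1}\parallel K_{2})\) with \(K = k_{1}k_{2}P\) depending only on the two ephemeral scalars, and `server_challenge` discards a request whose \(T_{1}\) is older than \(\Delta T\), which is the freshness check the two RSA-based schemes lacked.

```python
import hashlib, secrets, time

# secp256k1 parameters stand in for the paper's {E, n, P}; s, k_1, k_2 are drawn from [1, n-1].
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
DELTA_T = 5.0                 # assumed maximum transmission delay, in seconds
M128, M256 = (1 << 128) - 1, (1 << 256) - 1

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 mod p; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P_FIELD))
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def ec_mul(k, A):
    """Scalar multiplication k*A by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def h(*parts):
    """h(.): SHA-512 truncated to 320 bits, so h(K) can be XORed with a CID_i value."""
    return int.from_bytes(hashlib.sha512("|".join(map(str, parts)).encode()).digest()[:40], "big")

def E_s(s, ID, r):
    """Stand-in for the paper's unspecified E_s: 64-bit nonce + hash keystream (demo only)."""
    iv = secrets.randbits(64)
    return (iv << 256) | ((((ID << 128) | r) ^ h("ks", s, iv)) & M256)

def D_s(s, CID):
    pt = (CID & M256) ^ (h("ks", s, CID >> 256) & M256)
    return pt >> 128, pt & M128                      # (ID_i, r)

def register(server, ID, PW):
    """Registration phase; returns the smart card {A_i, CID_i, b_i}."""
    if ID in server["ids"]:
        raise ValueError("identity already registered; choose another")
    b = secrets.randbits(128)
    PWb = h(PW, b)                                   # user side
    A = h(ID, server["s"]) ^ h(ID, PWb)              # server side: R_i xor h(ID_i || PWb_i)
    server["ids"].add(ID)
    return {"A": A, "CID": E_s(server["s"], ID, secrets.randbits(128)), "b": b}

def card_login(card, ID, PW, now=None):
    """Step 1: login request {CID_i, K_1, V_1, T_1} and the card's private state."""
    k1 = secrets.randbelow(N_ORDER - 1) + 1
    K1 = ec_mul(k1, G)
    R = card["A"] ^ h(ID, h(PW, card["b"]))
    T1 = time.time() if now is None else now
    msg = {"CID": card["CID"], "K1": K1, "V1": h(ID, K1, R, T1), "T1": T1}
    return msg, {"ID": ID, "k1": k1, "K1": K1, "R": R}

def server_challenge(server, msg, now=None):
    """Step 2: freshness and V_1 checks, then {K_2, ECID_i, V_2}; None on rejection."""
    T2 = time.time() if now is None else now
    if not 0 <= T2 - msg["T1"] <= DELTA_T:
        return None                                  # stale request is ignored
    ID, _ = D_s(server["s"], msg["CID"])
    R = h(ID, server["s"])
    if msg["V1"] != h(ID, msg["K1"], R, msg["T1"]):
        return None
    k2 = secrets.randbelow(N_ORDER - 1) + 1
    K2, K = ec_mul(k2, G), ec_mul(k2, msg["K1"])
    CID_new = E_s(server["s"], ID, secrets.randbits(128))
    V2 = h(msg["K1"], R, K2, CID_new, K)
    st = {"ID": ID, "R": R, "K": K, "K1": msg["K1"], "K2": K2, "V2": V2}
    return {"K2": K2, "ECID": h(K) ^ CID_new, "V2": V2}, st

def card_respond(card, st, chal):
    """Step 3: verify V_2, roll CID_i forward, return ({V_3}, SK); None on rejection."""
    K = ec_mul(st["k1"], chal["K2"])
    CID_new = h(K) ^ chal["ECID"]
    if h(st["K1"], st["R"], chal["K2"], CID_new, K) != chal["V2"]:
        return None
    card["CID"] = CID_new
    return {"V3": h(st["R"], chal["V2"], K)}, h(st["ID"], K, st["K1"], chal["K2"])

def server_finish(st, resp):
    """Step 4: verify V_3 and derive SK = h(ID_i || K || K_1 || K_2); None on rejection."""
    if resp["V3"] != h(st["R"], st["V2"], st["K"]):
        return None
    return h(st["ID"], st["K"], st["K1"], st["K2"])

def change_password(server, card, ID, PW, PW_new):
    """Password change phase: steps 1-3 of login, then the local update of A_i."""
    msg, st = card_login(card, ID, PW)
    chal = server_challenge(server, msg)
    if chal is None or card_respond(card, st, chal[0]) is None:
        return False
    card["A"] ^= h(ID, h(PW, card["b"])) ^ h(ID, h(PW_new, card["b"]))
    return True
```

The freshness test is the only replay defence the phase specifies: a request replayed after \(\Delta T\) is dropped before any decryption, while one replayed inside the window still passes Step 2, so a deployment that wants protection inside the window has to remember recent \((CID_{i}, T_{1})\) pairs itself. The password change works because \(A_{i}\oplus h(ID_{i}\parallel h(PW_{i}\parallel b_{i}))\) cancels the old password term and leaves \(R_{i}\), which is then masked with the new one.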

Password change phase

When a user wants to change his/her password, he/she inserts his/her smart card into the card reader and keys in his/her identity \(ID_{i}\), his/her current password \(PW_{i}\), and a new password \(PW_{i}^{New}\). Then, the smart card and the server perform the following steps.

  1. Step 1.

    This step is the same as Step 1 in “Login and authentication phase”.

  2. Step 2.

    This step is the same as Step 2 in “Login and authentication phase”.

  3. Step 3.

    After receiving the message \(\{K_{2}, ECID_{i}, V_{2}\}\), the smart card computes \(K = k_{1}K_{2}\) and \(CID_{i}^{New} = h(K)\oplus ECID_{i}\) and checks whether \(h(K_{1}\parallel R_{i}\parallel K_{2}\parallel CID_{i}^{New}\parallel K)\) is equal to the received \(V_{2}\) or not. If they are not equal, the smart card stops the process. Otherwise, the smart card computes \(A_{i}^{New}\) as \(A_{i}^{New} = A_{i}\oplus h(ID_{i}\parallel h(PW_{i}\parallel b_{i}))\oplus h(ID_{i}\parallel h(PW_{i}^{New}\parallel b_{i})) = R_{i}\oplus h(ID_{i}\parallel h(PW_{i}\parallel b_{i}))\oplus h(ID_{i}\parallel h(PW_{i}\parallel b_{i}))\oplus h(ID_{i}\parallel h(PW_{i}^{New}\parallel b_{i})) = R_{i}\oplus h(ID_{i}\parallel h(PW_{i}^{New}\parallel b_{i}))\) and replaces \(CID_{i}\) and \(A_{i}\) with \(CID_{i}^{New}\) and \(A_{i}^{New}\), respectively.

Security analysis

In this section, the security of the proposed scheme is analyzed. In the following, first the correctness of the proposed scheme is proved and then resistance of the proposed scheme against various attacks is examined.

Authentication proof based on GNY logic

In this section, GNY (Gong-Needham-Yahalom) logic [46] is employed to prove the correctness of the proposed scheme. In order to analyze the proposed scheme, the following rules of GNY logic [46] are used, where the index numbers are based on [46]. Table 3 summarizes the notations employed in this section.

  • \(T1: \frac {A \vartriangleleft \ast X}{A \vartriangleleft X}\)

  • \(T3: \frac {A \vartriangleleft \{X\}_{K}, A \owns K}{A \vartriangleleft X}\)

  • \(R1: \frac {A \mid \equiv \phi (X)}{A \mid \equiv \phi (X, Y), A \mid \equiv \phi (F(X))}\)

  • \(R2: \frac {A \mid \equiv \phi (X), A \owns K}{A \mid \equiv \phi (\{X\}_{K}), A \mid \equiv \phi (\{X\}_{K}^{-1})}\)

  • \(R5: \frac {A \mid \equiv \phi (X), A \owns X}{A \mid \equiv \phi (H(X))}\)

  • \(R6: \frac {A \owns H(X)}{A \mid \equiv \phi (X)}\)

  • \(P1: \frac {A \vartriangleleft X}{A \owns X}\)

  • \(P4: \frac {A \owns X}{A \owns H(X)}\)

  • \(P5: \frac {A \owns F(X, Y), A \owns X}{A \owns Y}\)

  • \(F1: \frac {A \mid \equiv \#(X)}{A \mid \equiv \#(X, Y), A \mid \equiv \#F(X)}\)

  • I1: \(\frac {A\vartriangleleft \ast \{X\}_{K}, A\owns K, A\mid \equiv A\overset {K}{\leftrightarrow }B, A \mid \equiv \phi (X), A\mid \equiv \#(X,K)}{A \mid \equiv B \mid \sim X, A \mid \equiv B \mid \sim \{X\}_{K}, A\mid \equiv B\owns K}\)

  • I3: \(\frac {A \vartriangleleft \ast H(X, <S>), A\owns (X,S), A\mid \equiv A \overset {S}{\leftrightarrow } B, A \mid \equiv \#(X,S)}{A \mid \equiv B \mid \sim (X,<S>), A \mid \equiv B \mid \sim H(X,<S>)}\)

  • \(I6: \frac {A \mid \equiv B \mid \sim X, A\mid \equiv \#(X)}{A \mid \equiv B \owns X}\)

  • \(J1: \frac {A \mid \equiv B \mid \Rightarrow C, A\mid \equiv B\mid \equiv C}{A \mid \equiv C}\)

  • J2: \(\frac {A \mid \equiv B \mid \Rightarrow B \mid \equiv \ast , A\mid \equiv B\mid \sim (X\leadsto C), A\mid \equiv \#(X)}{A \mid \equiv B \mid \equiv C}\)

Table 3 GNY-logic notations

According to GNY logic, the proposed scheme must satisfy the following goals, which are categorized into three aspects:

  • Message content authentication:

    • Goal 1: \(S \mid\equiv \phi(\{ID_i, r\}_s, k_1P, H(ID_i, k_1P, R_i, T_1), T_1)\)

    • Goal 2: \(U_i \mid\equiv \phi(k_2P, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), F(H(k_1k_2P), \{ID_i, r^{New}\}_s))\)

    • Goal 3: \(S \mid\equiv \phi(H(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P))\)

  • Message origin authentication:

    • Goal 4: \(U_i \mid\equiv S \mid\sim (k_2P, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), F(H(k_1k_2P), \{ID_i, r^{New}\}_s))\)

    • Goal 5: \(S \mid\equiv U_i \mid\sim H(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P)\)

  • Session key establishment:

    • Goal 6: \(U_i \mid\equiv S \mid\equiv (U_i \overset{K}{\leftrightarrow} S)\)

    • Goal 7: \(U_i \mid\equiv (U_i \overset{K}{\leftrightarrow} S)\)

    • Goal 8: \(S \mid\equiv U_i \owns K\)

    • Goal 9: \(S \mid\equiv U_i \mid\equiv (U_i \overset{K}{\leftrightarrow} S)\)

In order to analyze the proposed scheme using GNY logic, the proposed scheme is specified as follows:

Message 1: \(U_i \rightarrow S: (\{ID_i, r\}_s, k_1P, H(ID_i, k_1P, R_i, T_1), T_1)\)

Message 2: \(S \rightarrow U_i: (k_2P, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), F(H(k_1k_2P), \{ID_i, r^{New}\}_s))\)

Message 3: \(U_i \rightarrow S: H(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P)\)

In addition, the following assumptions are made to analyze the proposed scheme:

  • A1: \(S \owns s\)

  • A2: \(S \mid\equiv \phi(ID_i)\)

  • A3: \(S \owns R_i\)

  • A4: \(U_i \owns k_1\)

  • A5: \(U_i \owns R_i\)

  • A6: \(S \owns k_2\)

  • A7: \(U_i \mid\equiv (U_i \overset{R_i}{\leftrightarrow} S)\)

  • A8: \(U_i \mid\equiv \#(k_1)\)

  • A9: \(S \mid\equiv (U_i \overset{K}{\leftrightarrow} S)\)

  • A10: \(S \mid\equiv \#(k_2)\)

  • A11: \(U_i \mid\equiv S \mid\Rightarrow (U_i \overset{K}{\leftrightarrow} S)\)

According to the rules of GNY logic, the proposed scheme is analyzed as follows:

According to Message 1, the following is obtained:

  • O1: \(S \vartriangleleft \ast(\ast\{ID_i, r\}_s, \ast k_1P, \ast H(ID_i, k_1P, R_i, T_1), \ast T_1)\)

By applying the rule T1 to O1, the following is obtained:

  • O2: \(S \vartriangleleft (\{ID_i, r\}_s, k_1P, H(ID_i, k_1P, R_i, T_1), T_1)\)

Based on O2 (\(S \vartriangleleft \{ID_i, r\}_s\)) and A1, the rule T3 is applied to obtain:

  • O3: \(S \vartriangleleft (ID_i, r)\)

According to O2, O3, and the rule P1, the following is obtained:

  • O4: \(S \owns (ID_i, r, k_1P, T_1)\)

According to A2 and the rule R1, the following are obtained:

  • O5: \(S \mid\equiv \phi(ID_i, r)\)

  • O6: \(S \mid\equiv \phi(ID_i, k_1P, R_i, T_1)\)

Based on O5 and A1, the rule R2 is applied to obtain:

  • O7: \(S \mid\equiv \phi(\{ID_i, r\}_s)\)

According to O6, O4, and A3, the rule R5 is applied to deduce:

  • O8: \(S \mid\equiv \phi(H(ID_i, k_1P, R_i, T_1))\)

According to O7, O8, and the rule R1, the following is obtained:

  • O9: \(S \mid\equiv \phi(\{ID_i, r\}_s, k_1P, H(ID_i, k_1P, R_i, T_1), T_1)\) (Goal 1)

According to Message 2, the following is obtained:

  • O10: \(U_i \vartriangleleft \ast(\ast k_2P, \ast H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), \ast F(H(k_1k_2P), \{ID_i, r^{New}\}_s))\)

By applying the rule T1 to O10, the following is obtained:

  • O11: \(U_i \vartriangleleft (k_2P, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), F(H(k_1k_2P), \{ID_i, r^{New}\}_s))\)

By applying the rule P1 to O11, the following is obtained:

  • O12: \(U_i \owns (k_2P, F(H(k_1k_2P), \{ID_i, r^{New}\}_s))\)

Based on O12 (\(U_i \owns k_2P\)) and A4, \(U_i\) can compute \(k_1 \cdot k_2P\), so the following is deduced:

  • O13: \(U_i \owns k_1k_2P\)

By applying the rule P4 to O13, the following is obtained:

  • O14: \(U_i \owns H(k_1k_2P)\)

According to O12 (\(U_i \owns F(H(k_1k_2P), \{ID_i, r^{New}\}_s)\)) and O14, the rule P5 is applied to obtain:

  • O15: \(U_i \owns \{ID_i, r^{New}\}_s\)

Since \(U_i\) possesses \(k_1\) (according to A4), \(U_i\) can compute \(k_1P\) and thus the following can be deduced:

  • O16: \(U_i \owns k_1P\)

By applying the rule P4 to O16, the following is obtained:

  • O17: \(U_i \owns H(k_1P)\)

Based on O17 and the rule R6, the following is obtained:

  • O18: \(U_i \mid\equiv \phi(k_1P)\)

According to O18 and the rule R1, the following is obtained:

  • O19: \(U_i \mid\equiv \phi(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P)\)

Based on O19, O16, O15, O13, O12 (\(U_i \owns k_2P\)), A5, and the rule R5, the following is obtained:

  • O20: \(U_i \mid\equiv \phi(H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P))\)

According to O20 and the rule R1, the following is obtained:

  • O21: \(U_i \mid\equiv \phi(k_2P, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), F(H(k_1k_2P), \{ID_i, r^{New}\}_s))\) (Goal 2)

According to Message 3, the following is obtained:

  • O22: \(S \vartriangleleft \ast H(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P)\)

By applying the rule T1 to O22, the following is obtained:

  • O23: \(S \vartriangleleft H(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P)\)

Based on O23 and the rule P1, the following is obtained:

  • O24: \(S \owns H(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P)\)

Based on O24 and the rule R6, the following is obtained:

  • O25: \(S \mid\equiv \phi(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P)\)

Since, according to Message 2, \(S\) itself sends \(H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P)\) to \(U_i\), the following can be deduced:

  • O26: \(S \owns H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P)\)

Based on O4 (\(S \owns k_1P\)) and A6, \(S\) can compute \(k_2 \cdot k_1P\), so the following can be deduced:

  • O27: \(S \owns k_1k_2P\)

Based on O25, O26, O27, A3, and the rule R5, the following is obtained:

  • O28: \(S \mid\equiv \phi(H(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P))\) (Goal 3)

According to O10, O12, O13, A5, A7, and A8, the rules F1 and I3 are applied to obtain:

  • O29: \(U_i \mid\equiv S \mid\sim (k_2P, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), F(H(k_1k_2P), \{ID_i, r^{New}\}_s))\) (Goal 4)

Based on O22, A3, O26, O27, A9, and A10, the rules F1 and I3 are applied to obtain:

  • O30: \(S \mid\equiv U_i \mid\sim H(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P)\) (Goal 5)

  • O31: \(S \mid\equiv U_i \mid\sim (R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P)\)

Based on O31, A10, \(K = k_1k_2P = k_2k_1P\), and the rules F1 and I6, the following is obtained:

  • O32: \(S \mid\equiv U_i \owns K\) (Goal 8)

According to GNY logic, it is assumed that \(U_i\) believes that \(S\) is honest and competent, i.e., \(U_i \mid\equiv S \mid\Rightarrow S \mid\equiv \ast\). Hence, based on \(U_i \mid\equiv S \mid\sim (k_2P, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), F(H(k_1k_2P), \{ID_i, r^{New}\}_s)) \leadsto S \mid\equiv (U_i \overset{k_1k_2P}{\leftrightarrow} S)\) (O29), A8, and \(K = k_1k_2P = k_2k_1P\), the rules F1 and J2 are applied to obtain:

  • O33: \(U_i \mid\equiv S \mid\equiv (U_i \overset{K}{\leftrightarrow} S)\) (Goal 6)

According to O33 and A11, the rule J1 is applied to obtain:

  • O34: \(U_i \mid\equiv (U_i \overset{K}{\leftrightarrow} S)\) (Goal 7)

According to GNY logic, it is assumed that \(S\) believes that \(U_i\) is honest and competent, i.e., \(S \mid\equiv U_i \mid\Rightarrow U_i \mid\equiv \ast\). Hence, based on \(S \mid\equiv U_i \mid\sim H(R_i, H(k_1P, R_i, k_2P, \{ID_i, r^{New}\}_s, k_1k_2P), k_1k_2P) \leadsto U_i \mid\equiv (U_i \overset{k_1k_2P}{\leftrightarrow} S)\) (O30), A10, and \(K = k_1k_2P = k_2k_1P\), the rules F1 and J2 are applied to obtain:

  • O35: \(S \mid\equiv U_i \mid\equiv (U_i \overset{K}{\leftrightarrow} S)\) (Goal 9)

Formal security verification using AVISPA tool

In this subsection, the widely accepted AVISPA tool [47] is used to verify the security of the proposed scheme. AVISPA is a push-button tool for automated validation of security protocols that integrates four different back-ends, each employing a different automatic analysis method. To analyze a protocol with AVISPA, the protocol and its intended security properties are specified in the High Level Protocol Specification Language (HLPSL) [48], which is a role-oriented language. AVISPA translates the HLPSL specification into the Intermediate Format (IF) using the hlpsl2if translator; the intended security properties are then formally checked by analyzing the IF code with any of the four back-ends.

In order to formally validate the proposed scheme using the AVISPA, the registration and the login and authentication phases of the proposed scheme are specified in HLPSL. The HLPSL specifications of the user and server roles in the proposed scheme are shown in Figs. 8 and 9, respectively.

Fig. 8
figure 8

The HLPSL specification of the user

Fig. 9
figure 9

The HLPSL specification of the server

In addition to the user and server roles, two other roles, namely the session role and the environment role should be specified in HLPSL. As shown in Fig. 10, the session role describes a session of the protocol by describing the interactions between the user and the server. The environment role describes a composition of one or more sessions and contains the intruder knowledge and the global constants. Figure 11 shows that in the environment role, the intruder, which is denoted by i, can play the role of the user and the server.

Fig. 10
figure 10

The HLPSL specification of the session role

Fig. 11
figure 11

The HLPSL specification of the environment role

After describing the user, the server, the session, and the environment roles, the intended security properties and goals of the proposed scheme are specified as shown in Fig. 12. In the goal section, secrecy_of g0, where g0 is a protocol id for the statement secret({PWi, Bi}, g0, Ui), means that the user’s password P W i and the random number b i are kept secret to the user. The goal secrecy_of g1, where g1 is a protocol id for the statement secret(K1',g1,Ui), means that the random number k 1 is kept secret to the user. The goal secrecy_of g2, where g2 is a reference to the statement secret (IDi, g2, {Ui, S}), indicates that the real identity of the user (I D i ) is kept secret to the user and the server. The goal secrecy_of g3, where g3 is a reference to the statement secret (K', g3, {Ui, S}), means that the key K = k 1 k 2 P is kept secret to the user and the server. The goal secrecy_of g4, where g4 refers to the statement secret(SK',g4,{Ui,S}), indicates that the session key SK is kept secret to the user and the server. The goal secrecy_of g5, where g5 refers to the statement secret({R', SS}, g5, S), means that the secret key of the server (s) and the random number r are kept secret to the server (SS and R denote the server’s secret key (s) and the random number r, respectively). The goal secrecy_of g6, where g6 is a reference to the statement secret(K2',g6,S), indicates that the random number k 2 is kept secret to the server. The goal authentication_on ui_s_k1 means that the user selects a random number k 1 and the server authenticates the user after receiving k 1 from the messages from the user. The goal authentication_on s_ui_k2 indicates that the server selects a random number k 2 and the user authenticates the server after receiving k 2 from the messages from the server.

Fig. 12
figure 12

The HLPSL specification of the security goals

The results of analyzing the proposed scheme with the widely used OFMC (On-the-Fly Model-Checker) back-end [49] of AVISPA are shown in Fig. 13. The results confirm that the stated security goals hold for the bounded number of sessions specified in the environment role, under the Dolev-Yao intruder model assumed by AVISPA (the intruder controls the network but cannot break the cryptographic primitives). Within that model, the proposed scheme is safe and withstands passive and active attacks.

Fig. 13
figure 13

The output of the OFMC back-end

Discussion on the possible attacks

This section demonstrates that the proposed scheme withstands insider attacks, replay attacks, password guessing attacks, and impersonation attacks and provides perfect forward secrecy, user anonymity, and known-key security.

User anonymity

Generally, user anonymity has two aspects, i.e., the protection of the user’s real identity and the untraceability of the user. In the proposed scheme, the user’s real identity \(ID_i\) is never transmitted in the clear over the public channel. If the adversary captures the user’s login request message \(\{CID_i, K_1, V_1, T_1\}\), he/she cannot recover \(ID_i\), because it is encrypted under the server’s secret key \(s\) as \(CID_i = E_s(ID_i \parallel r)\) and the adversary does not know \(s\). Therefore, it is impossible for the adversary to reveal the user’s real identity \(ID_i\) from the login and authentication messages.

Besides, in each new session the fresh random numbers \(k_1\) and \(k_2\) and the timestamp \(T_1\) are used to generate the messages, and the smart card’s dynamic identity is updated as \(CID_{i}^{New} = E_s(ID_i \parallel r^{New})\) after each successful login. Therefore, since all values of the messages \(\{CID_i, K_1, V_1, T_1\}\), \(\{K_2, ECID_i, V_2\}\), and \(\{V_3\}\) in one session differ from those of any other session, an adversary cannot relate a session to a specific user, and the proposed scheme ensures untraceability of the user.

Therefore, it can be said that the proposed scheme can provide the property of user anonymity.

Password guessing attacks

There are two kinds of password guessing attacks, i.e., online and off-line password guessing attacks; in the latter, the adversary tries to verify the correctness of a guessed password using previously transmitted messages and/or the information extracted from a stolen smart card. We first discuss the off-line password guessing attack.

Suppose an adversary steals a user’s smart card and retrieves \(\{A_i, CID_i, E, P, n, b_i, h(\cdot)\}\) from its memory, where \(A_i = h(ID_i \parallel s) \oplus h(ID_i \parallel h(PW_i \parallel b_i))\) and \(CID_i = E_s(ID_i \parallel r)\). The adversary cannot derive the user’s identity \(ID_i\) from \(CID_i\), because he/she does not know the server’s secret key \(s\). For the same reason, a guessed pair \((ID_i, PW_i)\) cannot be checked against \(A_i\): computing \(A_i \oplus h(ID_i \parallel h(PW_i \parallel b_i))\) for the guess yields a candidate for \(h(ID_i \parallel s)\), which cannot be verified without \(s\). Therefore, the adversary cannot guess the password from the information on the stolen smart card alone.

The adversary may also use the previously transmitted messages \(\{CID_i, K_1, V_1, T_1\}\), \(\{K_2, ECID_i, V_2\}\), and \(\{V_3\}\) to guess the password. However, since \(CID_i\) changes after each successful login, and the random numbers \(k_1\) and \(k_2\) and the timestamp \(T_1\) are fresh in each session, all values in a user’s login and authentication messages differ from session to session (see “User anonymity”). Hence, the adversary cannot link the eavesdropped messages to the corresponding user (or smart card), i.e., cannot tell which messages belong to the stolen card, and therefore has no way to verify a guessed \(PW_i\) against previously transmitted login and authentication messages. It should be noted that the dynamic identity \(CID_i\) stored on the smart card has never been transmitted over the public channel: the server delivered it in protected form as \(ECID_i = CID_{i}^{New} \oplus h(k_1k_2P)\) in the previous session, so it is not contained in any previously transmitted message. The argument thus rests on the adversary being unable to link the contents of the stolen card to an observed login transcript.

From the above analysis, the proposed scheme withstands off-line password guessing attacks. As for the online password guessing attack, it is well known that it can be defeated by limiting the number of consecutive failed login requests [4, 7, 8, 19].

Therefore, the proposed scheme withstands password guessing attacks.

Insider attacks

During the registration phase of the proposed scheme, each user sends the masked password \(PWb_i = h(PW_i \parallel b_i)\) to the server rather than \(PW_i\) itself. Since the hash function is one-way and the random number \(b_i\) is known only to the user, a privileged insider at the server cannot obtain \(PW_i\) or verify guesses for it from \(PWb_i\). Therefore, the proposed scheme withstands insider attacks.

Replay attacks

An adversary may replay a previous login request message \(\{CID_i, K_1, V_1, T_1\}\) to the server. However, the server detects the replay by checking the freshness of the timestamp, \(T_2 - T_1 \leq \Delta T\), where \(T_2\) is the time at which the server receives the message and \(\Delta T\) is the maximum allowed transmission delay. A replay that arrives within \(\Delta T\) passes this check but still cannot complete the run, because the final message \(V_3 = h(R_i \parallel V_2 \parallel k_1K_2)\) requires the ephemeral \(k_1\), which the adversary does not have. The adversary may also replay a previous challenge message \(\{K_2, ECID_i, V_2\}\) to the user. However, since the smart card has generated a fresh random number \(k_1\) in the current session, the user detects the replay by checking \(h(k_{1}P\parallel R_{i}\parallel K_{2}\parallel CID_{i}^{New}\parallel k_{1}K_{2}) \stackrel{?}{=} V_{2}\), which fails for a \(V_2\) computed under the previous \(k_1\). Therefore, the proposed scheme withstands replay attacks.

Impersonation attacks

In the proposed scheme, an adversary cannot produce a valid login request message \(\{CID_i, K_1, V_1, T_1\}\), where \(CID_i = E_s(ID_i \parallel r)\) and \(V_1 = h(ID_i \parallel K_1 \parallel h(ID_i \parallel s) \parallel T_1)\), because he/she knows neither the server’s secret key \(s\) nor the user’s identity \(ID_i\). The adversary may steal a smart card and retrieve \(\{A_i, CID_i, b_i\}\) from its memory, where \(A_i = h(ID_i \parallel s) \oplus h(ID_i \parallel h(PW_i \parallel b_i))\) and \(CID_i = E_s(ID_i \parallel r)\). However, without the user’s password \(PW_i\) he/she cannot unmask \(h(ID_i \parallel s)\) from \(A_i\) and thus cannot produce a valid \(V_1\). Therefore, no one can impersonate a legal user. Moreover, the adversary cannot produce a valid challenge message \(\{K_2, ECID_i, V_2\}\), where \(V_2 = h(K_1 \parallel h(ID_i \parallel s) \parallel K_2 \parallel (h(k_2K_1) \oplus ECID_i) \parallel k_2K_1)\), because computing \(h(ID_i \parallel s)\) requires the server’s secret key \(s\). Therefore, no one can impersonate a legal server.

Perfect forward secrecy

In the proposed scheme, the user and the server compute the session key as \(SK = h(ID_i \parallel k_1k_2P \parallel k_1P \parallel k_2P)\), where \(k_1\) and \(k_2\) are random numbers chosen by the user and the server, respectively. Learning the server’s secret key \(s\) or the user’s password \(PW_i\) does not help an adversary compute previously established session keys, because neither \(s\) nor \(PW_i\) enters the session key computation. To obtain an old session key, the adversary has to compute \(k_1k_2P\) from the transmitted \(k_1P\) and \(k_2P\), i.e., solve an elliptic curve Diffie-Hellman instance; since \(k_1\) and \(k_2\) cannot be derived from \(k_1P\) and \(k_2P\) (due to the hardness of ECDLP [50]), he/she cannot compute \(k_1k_2P\). Therefore, provided the ephemeral values \(k_1\) and \(k_2\) are erased once the session key has been derived, the proposed scheme provides perfect forward secrecy.

Known-key security

In the proposed scheme, if an adversary somehow obtains a session key \(SK = h(ID_i \parallel K \parallel K_1 \parallel K_2)\), he/she still cannot compute other session keys, because \(K = k_1k_2P\), \(K_1 = k_1P\), and \(K_2 = k_2P\) are derived from fresh random numbers in every session, so one session key reveals nothing about another. Therefore, the proposed scheme provides known-key security.
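The exchange analysed in the preceding subsections, as an added example that is not part of the original paper: a pure-Python run of the login and authentication phase with both sides’ messages, the timestamp check on message 1, the \(V_2\) check that rejects a replayed challenge, the password-change update of \(A_i\), and the derivation of \(SK = h(ID_i \parallel K \parallel K_1 \parallel K_2)\). The paper fixes no concrete primitives, so the curve (secp256k1), the hash (SHA-256), the stand-in for \(E_s\) (a SHAKE-256 keystream rather than a real cipher), the 16-byte \(r\), the SHAKE-expanded mask used to XOR \(h(K)\) onto the ciphertext, the class and function names, and the sample identity and passwords are all assumptions of this example.

```python
# Added example (not the paper's code): the login/authentication exchange, its
# timestamp and V_2 checks, the password-change update and the SK derivation.
# Assumptions the paper leaves open: secp256k1 for (E, P, n), SHA-256 for h(.),
# and a SHAKE-256 keystream as a stand-in for the symmetric cipher E_s.
import hashlib, hmac, os, secrets, time

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(Q, R):
    """Affine addition on y^2 = x^3 + 7 mod p; None is the point at infinity."""
    if Q is None: return R
    if R is None: return Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if Q == R
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, Q):
    """Scalar multiplication kQ by double-and-add (the paper's T_PM operation)."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, Q)
        Q, k = ec_add(Q, Q), k >> 1
    return acc

def pt(Q): return Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")   # point -> bytes
def h(*parts): return hashlib.sha256(b"||".join(parts)).digest()         # h(a || b || ...)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def expand(seed, size): return hashlib.shake_256(seed).digest(size)     # digest -> mask of any length
def E(s, m):  # stand-in for E_s: nonce || (m xor keystream); a real deployment uses an AEAD
    nonce = os.urandom(16)
    return nonce + xor(m, expand(s + nonce, len(m)))
def D(s, c): return xor(c[16:], expand(s + c[:16], len(c) - 16))
def rejected(fn, *args):  # True if the handler refuses its input (exposes the checks)
    try: fn(*args); return False
    except ValueError: return True

class Server:
    def __init__(self, delta_t=5):
        self.s, self.delta_t = os.urandom(32), delta_t   # long-term secret s, max delay Delta T
    def register(self, ID, PWb):  # R_i = h(ID_i||s), A_i = R_i xor h(ID_i||PWb_i), CID_i = E_s(ID_i||r)
        R = h(ID, self.s)
        return {"A": xor(R, h(ID, PWb)), "CID": E(self.s, ID + os.urandom(16))}
    def on_login(self, msg, now=None):
        """Message 1 -> Message 2. `now` is injectable to demonstrate the replay check."""
        CID, K1, V1, T1 = msg
        now = int(time.time()) if now is None else now
        if not 0 <= now - T1 <= self.delta_t: raise ValueError("stale T1: replayed login")
        ID = D(self.s, CID)[:-16]                            # CID_i = E_s(ID_i || r), r is 16 bytes
        R = h(ID, self.s)
        if not hmac.compare_digest(V1, h(ID, pt(K1), R, str(T1).encode())):
            raise ValueError("V1 mismatch")                  # V_1 = h(ID_i||K_1||R_i||T_1)
        k2 = secrets.randbelow(n - 1) + 1
        K2, K = ec_mul(k2, P), ec_mul(k2, K1)                # K = k_2 K_1 = k_1 k_2 P
        CID_new = E(self.s, ID + os.urandom(16))             # CID_i^New = E_s(ID_i || r^New)
        ECID = xor(CID_new, expand(h(pt(K)), len(CID_new)))  # ECID_i = CID_i^New xor h(K)
        V2 = h(pt(K1), R, pt(K2), CID_new, pt(K))            # V_2 = h(K_1||R_i||K_2||CID_i^New||K)
        self.pending = (ID, R, K1, K2, K, V2)
        return (K2, ECID, V2)
    def on_confirm(self, V3):  # Message 3: check V_3 = h(R_i||V_2||K), then derive SK
        ID, R, K1, K2, K, V2 = self.pending
        if not hmac.compare_digest(V3, h(R, V2, pt(K))): raise ValueError("V3 mismatch")
        return h(ID, pt(K), pt(K1), pt(K2))                  # SK = h(ID_i||K||K_1||K_2)

class SmartCard:
    def __init__(self, server, ID, PW):
        self.ID, b = ID, os.urandom(16)                       # b_i is chosen by the user
        self.card = server.register(ID, h(PW, b)); self.card["b"] = b   # server sees only h(PW_i||b_i)
    def login(self, PW, now=None):
        """Message 1: {CID_i, K_1, V_1, T_1} with V_1 = h(ID_i||K_1||R_i||T_1)."""
        R = xor(self.card["A"], h(self.ID, h(PW, self.card["b"])))   # unmask R_i = h(ID_i||s)
        self.k1 = secrets.randbelow(n - 1) + 1
        K1 = ec_mul(self.k1, P)
        T1 = int(time.time()) if now is None else now
        self.state = (R, K1)
        return (self.card["CID"], K1, h(self.ID, pt(K1), R, str(T1).encode()), T1)
    def on_challenge(self, msg):
        """Message 2 -> (V_3, SK); a replayed challenge fails the V_2 check (fresh k_1)."""
        R, K1 = self.state
        K2, ECID, V2 = msg
        K = ec_mul(self.k1, K2)                                # K = k_1 K_2
        CID_new = xor(ECID, expand(h(pt(K)), len(ECID)))       # CID_i^New = h(K) xor ECID_i
        if not hmac.compare_digest(V2, h(pt(K1), R, pt(K2), CID_new, pt(K))):
            raise ValueError("V2 mismatch")
        self.card["CID"] = CID_new                             # dynamic identity rotates per login
        return h(R, V2, pt(K)), h(self.ID, pt(K), pt(K1), pt(K2))
    def change_password(self, PW, PW_new):  # after a successful login, as in the password change phase
        b = self.card["b"]   # A_i^New = A_i xor h(ID_i||h(PW_i||b_i)) xor h(ID_i||h(PW_i^New||b_i))
        self.card["A"] = xor(xor(self.card["A"], h(self.ID, h(PW, b))), h(self.ID, h(PW_new, b)))

def run_session(server, card, PW):  # one full three-message run -> (SK at user, SK at server)
    V3, sk_user = card.on_challenge(server.on_login(card.login(PW)))
    return sk_user, server.on_confirm(V3)
```

Running `run_session` twice shows that both sides agree on \(SK\) and that the key changes per session; `rejected` exercises the three checks (stale \(T_1\), wrong password via \(V_1\), replayed challenge via \(V_2\)). Verifier comparisons use `hmac.compare_digest` so that \(V_1\), \(V_2\), \(V_3\) are not checked byte-by-byte with early exit; the stand-in cipher is deliberately unauthenticated to mirror the paper’s \(E_s\), and a deployment would use an AEAD.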

Performance analysis

In this section, the performance and security of the proposed scheme are compared with those of Amin and Biswas’s scheme [12], Giri et al.’s scheme [13], and Bin Muhaya’s scheme [11].

To evaluate the computational cost, some notations are defined in Table 4. According to [51, 52], the computation time of a modular exponentiation, an elliptic curve point multiplication, a hash function operation, and a symmetric encryption/decryption operation is 0.522 s, 0.063075 s, 0.0005 s, and 0.0087 s (i.e., 522 ms, 63.075 ms, 0.5 ms, and 8.7 ms), respectively. Moreover, the time of an exclusive-or (XOR) operation is assumed to be negligible.

Table 4 Notations used in the performance analysis

In the proposed scheme, one symmetric encryption operation, one exclusive-or operation, and three hash function operations are required for the registration process. Hence, the computational cost of the registration phase of the proposed scheme is \(1T_{SED} + 3T_H + 1T_X\), which is equivalent to 8.7 + 3 × 0.5 = 10.2 ms. Besides, four elliptic curve point multiplication operations, one symmetric encryption operation, fourteen hash function operations, one symmetric decryption operation, and three exclusive-or operations are required for the login and authentication processes. Hence, the computational cost of the login and authentication phase of the proposed scheme is \(4T_{PM} + 2T_{SED} + 14T_H + 3T_X\), which is equivalent to 4 × 63.075 + 2 × 8.7 + 14 × 0.5 = 276.7 ms.

Table 5 demonstrates the comparisons among the proposed scheme, Amin and Biswas’s scheme [12], Giri et al.’s scheme [13], and Bin Muhaya’s scheme [11] in terms of the computational costs and security properties. Moreover, Fig. 14 shows the running times of the proposed scheme, Amin and Biswas’s scheme [12], Giri et al.’s scheme [13], and Bin Muhaya’s scheme [11].

Fig. 14
figure 14

Running times of different schemes

Table 5 Comparison of the proposed scheme with the related schemes

From Table 5, it is clear that the proposed scheme is more efficient than Amin and Biswas’s scheme [12], Giri et al.’s scheme [13], and Bin Muhaya’s scheme [11]. In the login and authentication phase, the proposed scheme is about 3.79, 1.9, and 3.8 times faster than the schemes of Bin Muhaya [11], Giri et al. [13], and Amin and Biswas [12], respectively. Moreover, the schemes of Amin and Biswas [12], Giri et al. [13], and Bin Muhaya [11] are vulnerable to password guessing attacks, whereas the proposed scheme resists them. Amin and Biswas’s scheme [12] and Giri et al.’s scheme [13] are both vulnerable to replay attacks, whereas the proposed scheme resists replay attacks. None of the three schemes [11, 12, 13] provides perfect forward secrecy, whereas the proposed scheme does. Giri et al.’s scheme [13] is susceptible to privileged insider attacks and does not preserve user privacy, whereas the proposed scheme resists privileged insider attacks and preserves the privacy of the user. It is worth mentioning that, compared with the other ECC-based authentication schemes in the literature, the proposed scheme needs fewer scalar multiplications. Since scalar multiplication (elliptic curve point multiplication) is the dominant operation in elliptic curve cryptosystems (63.075 ms against 0.5 ms for a hash, per the figures above), the proposed scheme performs much better than the other ECC-based authentication schemes. Therefore, the proposed scheme is more suitable for practical applications.

Conclusion

In this paper, we have demonstrated some possible attacks on the authentication schemes proposed by Giri et al. and Amin and Biswas. We have also shown that these two schemes do not provide perfect forward secrecy. Then, in order to improve security and efficiency, we have proposed a novel authentication and key agreement scheme for TMISs. We have employed GNY logic to show the correctness of the proposed scheme, and we have simulated the proposed scheme for formal verification using the well-known AVISPA tool. The security analysis demonstrates that the proposed scheme not only withstands various attacks, but also provides perfect forward secrecy, user anonymity, and known-key security. According to the performance analysis, the proposed scheme performs better than the previous schemes. Therefore, the proposed scheme is more suitable for TMISs.