Abstract
Research has proven that accomplishing security properties while improving performance of an authentication protocol is a challenging task. Numerous authentication protocols proposed in the recent times are still behind in achieving the concrete objectives. Qi et al. and Lu et al. recently proposed two-factor authenticated key-agreement protocols for client–server architecture. This paper revisits their protocols and analyzes the shortcomings of such approaches. We also propose an improved authenticated key agreement protocol for client–server environment to defeat mentioned weaknesses of existing protocols that are discussed in related works. The rigorous security analysis using Burrows–Abadi–Needham logic, formal security verification using Real-OR-Random model, simulations using the Automated Validation of Internet Security Protocols and Applications tool, and the informal security analysis shows that the proposed protocol is secure. Additionally, we summarize the results to ensure that the proposed protocol is efficient compared to the existing related protocols.
Similar content being viewed by others
Explore related subjects
Discover the latest articles, news and stories from top researchers in related subjects.Avoid common mistakes on your manuscript.
1 Introduction
Despite the long rigorous research efforts, designing a perfect authentication protocol for two-party communication remains an interesting topic. The rapid evolution of handheld devices and communication technologies has entailed the installation of different authentication methods. Smartcard with password based authentication is one of the modest and inexpensive methods, which is believed to be safe and sound than passwords alone. On the contrary, studies have shown that two-factor authentication techniques are still vulnerable under several scenarios such as faulty protocol design, and when the passwords are guessed, and the smartcard stored data is leaked out (Kocher et al. 1999; Messerges et al. 2002; Wang and Wang 2015). The ascribed limitations of two-factor authentication methods necessitated additional security called biometrics. The properties of biometric keys (iris, face, finger print, palm print etc.) such as uniqueness, non-transferability and unforgeability makes it robust (Li and Hwang 2010; Mishra et al. 2014).
1.1 Related work
A mobile client–server communication prototype enables multiple clients to avail the services offered by a single server irrespective of geographical location. Authentication of such parties happening over public channels must be secured through a feasible means. Several researchers have followed various approaches during the past three decades, namely, knowledge-based (Lamport 1981; Wu 1995; Tzong-Chen and Hung-Sung 1996; Jan and Chey 1998; Tan and Zhu 1999; Chan and Cheng 2000; Chien et al. 2001; Liao et al. 2006), token-based (Wang et al. 2009, 2011, 2015; Xu et al. 2009; Yang and Chang 2009; Yoon and Yoo 2009; Song 2010; Pippa et al. 2010; Sood et al. 2010; Wu and Tseng 2010; Islam and Biswas 2011, 2014; Debiao et al. 2012; He 2012; Hsieh and Leu 2012; Madhusudhan and Mittal 2012; Wen and Li 2012; Chou et al. 2013; Li et al. 2013; Chang et al. 2014; Chen et al. 2014; Farash and Attari 2014; Kumari and Khan 2014; Kumari et al. 2014, 2017; Zhang et al. 2014; Goutham et al. 2015; Jiang et al. 2015; Tu et al. 2015; Farash 2016; Lu et al. 2016; Xie et al. 2016; Luo et al. 2017; Qi and Chen 2017), biometrics-based (Khan et al. 2008, 2014; Fan and Lin 2009; Das 2011; Li et al. 2011, 2014; Chen et al. 2012; An 2012; Yeh et al. 2013; Cao and Ge 2015; Das and Goswami 2015; Wu et al. 2015; Han et al. 2016; Chaturvedi et al. 2017; Xie et al. 2017). This paper’s main aim is to study and analyze the two-factor authentication methods, and then to fix the shortcomings by proposing and examining a new three-factor authentication method.
Xu et al. (2009) proposed a smartcard based authentication protocol and stated that their protocol remain safe though the smartcard stored data is extracted. Conversely, Song (2010) proved that Xu et al.’s protocol is vulnerable to user impersonation attacks when the data on the smartcard is gathered. Then they proposed an efficient smartcard with password based protocol, which was later indicated by Pippa et al. (2010) that Song et al.’s protocol cannot afford forward secrecy. In the same year, Sood et al. (2010) found that Xu et al.’s protocol is even prone to forgery attacks when the valid login request is intercepted, and they put forward an improved protocol over Xu et al.’s protocol. Yet Chen et al. (2014) reviewed Xu et al. (2009), Sood et al. (2010) and Song’s (2010) protocols, and presented various flaws such as user impersonation attacks, improper mutual authentication and stolen smartcard attacks. Chen et al. proposed an enhanced robust two-factor authentication protocol while considering the merits and demerits of all three aforementioned protocols. However, Li et al. (2013), Jiang et al. (2015), and Xie et al. (2016) have analyzed Chen et al.’s (2014) protocol, independently. They demonstrated that Chen et al.’s protocol is susceptible to password guessing attacks, smartcard stolen attacks and user impersonation attacks. Besides, Chen et al.’s protocol cannot hold perfect forward secrecy, login verification and efficient password changing phase. Nonetheless, Xie et al. (2016) also proposed an authentication protocol based on smartcard with password. However, Lu et al. (2016) asserted that Xie et al.’s protocol consists of several drawbacks such as prone to insider attacks, trace attacks, user impersonation attacks and no login verification. Several other authentication protocols (Irshad et al. 2017a, b, c, d; Gope and Das 2017; Gope 2017; Gope and Hwang 2016a, b; Reddy et al. 2016) have been proposed recently in the literature in order to improve the efficiency and security over the existing protocols.
Lu et al. (2016), and Qi et al. (2017) proposed two-factor authenticated key-agreement protocols for client–server architecture using various approaches. They claimed that their protocol is secure against attacks and provides distinguished properties. Conversely, the cryptanalysis section of this paper shows the drawbacks of Lu et al.’s protocol such as prone to server impersonation attacks, privileged insider attacks, and lack of user anonymity; Qi et al.’s protocol such as prone to user impersonation attacks, session-specific ephemeral secret leakage attacks, insider attacks, and lack of user anonymity.
1.2 Research contributions
-
We revisit and provide the cryptanalysis of recently proposed Qi et al. and Lu et al.’s protocols.
-
We put forward an anonymous three-factor mutually authenticated key agreement protocol for client–server architecture on elliptic curve cryptography (ECC).
-
The formal security of the proposed protocol is verified using ROR model, AVISPA simulation tool, and the mutual authentication using BAN logic.
-
The analysis of the paper evident that the proposed protocol performs better compared to its counterparts.
1.3 Threat model
A threat modeling is an imperative module of the designing an authenticated key agreement protocol. The threat modeling is a process for enhancing security by classifying vulnerabilities and objectives, and then defining preventive measures of threats to the system. In this framework, a threat is a potential malicious attack that would be perpetrated by an adversary, say Ӕ that can cause damage to the assets. The threat model of this paper is built on following assumptions.
-
Ӕ has partial/complete control over the messages that were transmitted over the public channels. This includes to intercept, modify, and delete any communicated message. Under this case, the Dolev-Yao (DY) threat model is followed (Dolev and Yao 1983).
-
Ӕ is capable to extract the parameters that are stored on a smartcard issued to a user.
-
Ӕ can try to obtain sensitive information of users such as password by performing offline/online password guessing attacks.
-
Ӕ may also try to gain access to the authorized system with the stolen smartcard while constantly guessing the credentials. The low-entropy passwords could make Ӕ job even easier.
-
Ӕ can trace the users’ activities using the obtained information from the transmitted messages via open channels.
-
Ӕ at the server end, called the privileged-insider user, can perform malicious activities using the data that was received during the registration phase.
1.4 Paper organization
Section 2 revisits Qi et al.’s protocol. Section 3 cryptanalyses Qi et al.’s protocol. Section 4 revisits Lu et al.’s protocol. Section 5 cryptanalyses Lu et al.’s protocol. Section 6 portrays the proposed protocol. Section 7 analyzes the security of the proposed protocol. Section 8 affords comparisons with the related protocols. Finally, Sect. 9 concludes the paper.
2 Revisiting Qi et al.’s protocol
This section revisits Qi et al.’s (2017) two-party authenticated key-agreement protocol for mobile architecture. Their scheme comprises of four phases, namely, system initialization phase, user registration phase (over a secure channel), login and mutually authenticated key-agreement phase (over a public channel), and password changing phase (over a secure channel). Here, we present only the first three phases as the drawbacks lies in these phases.
2.1 System initialization phase
In this phase, server S chooses an elliptic curve E/Fp defined over finite field Fp of prime order p, a base point P in E/Fp of order q, a long-term private key ks, corresponding public key Qs = ksP, and cryptographic hash functions h1(), h2().
2.2 User registration phase
Step 1: User U sends chosen credentials {IDu, PWu} to the server S.
Step 2: S checks the validity of IDu, and verifies h2(IDu) if it exists in the database. S computes secret key l = h1(ds) ⊕ h2(IDu || PWu) and delivers it to U, where ds is server’s long-term private key.
S follows two approaches: online and offline to deliver the secret key. Online uses transport layer security channel in the https mode, and offline uses a smartcard stored l in it.
2.3 Login and mutually authenticated key-agreement phase
In this phase, U and S can authenticate each other and make a session key as shown in Fig. 1.
Step 1: U enters his/her IDu, PWu then chooses a random number ru∈Zn*, and computes Ru = ruP, R = ruQs, CIDu = IDu ⊕ l ⊕ h2 (IDu || PWu), and Authu = h2 (IDu || R || l ⊕ h2 (IDu || PWu)). U sends {Authu, CIDu, Ru} to S.
Step 2: S computes IDu = CIDu ⊕ h1(ds), R* = dsRu, and Authu* = h2(IDu || R* || h1(ds)). S verifies if Authu* = Authu. If not, the process aborts. S generates a random number rs∈Zn* and computes Rs = rsP, SKs = rsRu, and Auths = h2(IDu || R*|| SKs). S sends {Auths, Rs} to U.
Step 3: U computes SKu = ruRs, and Auths* = h2(IDu || R || SKu). U verifies if Auths* = Auths. If not, the process aborts. U further computes the session key SK = kdf(IDu || SKu) and Authus = h2(R || SKu), and sends Authus to S, where kdf is key derivation function.
Step 4: S computes Authus* = h2(R* || SKu) and verifies if Authus* = Authus. If yes, S computes the session key SK = kdf(IDu || SKs) and allows the further communication.
3 Cryptanalysis of Qi et al.’s protocol
This section demonstrates the security drawbacks of Qi et al.’s protocol (2017) such as prone to user impersonation attacks, insider attacks, session-specific ephemeral secret leakage attacks, and lack of user anonymity.
3.1 Lack of anonymity
Step 1: Assume an adversary Ӕ is a registered user with valid credentials l = h1(ds) ⊕ h2(IDӔ || PWӔ). Ӕ can retrieve h1(ds) = l ⊕ h2(IDӔ || PWӔ).
Step 2: Let Ӕ intercept the message {Authu, CIDu, Ru} of U to S. Now Ӕ can compute the identity of U using h1(ds) = l ⊕ h2(IDu || PWu) and CIDu = IDu ⊕ l ⊕ h2(IDu || PWu) as IDu = CIDu ⊕ h1(ds).
Thus, it violates user anonymity and does not prevent traceability.
3.2 Prone to user impersonation attacks
Assume Ӕ knows the identity IDu of a legitimate U, then Ӕ can impersonate U as follows:
Step 1: Ӕ chooses a random number ra∈Zn*, and computes Ra = raP, R = raQs, CIDa = IDu ⊕ h1(ds), and Autha = h2(IDu || R || h1(ds)). Ӕ sends M1 = {Autha, CIDa, Ra} to S.
Step 2: S computes IDu* = CIDa ⊕ h1(ds), R* = dsRa, and Autha* = h2(IDu* || R*|| h1(ds)). S verifies if Autha* = Autha. If not, the process aborts. S generates a random number rs∈Zn* and computes Rs = rsP, SKs = rsRa, and Auths = h2(IDu || R*|| SKs). S sends M2 = {Auths, Rs} to Ӕ.
Step 3: Ӕ computes SKa = raRs, and Auths* = h2(IDu || R || SKa). U verifies if Auths* = Auths. If not, the process aborts. Ӕ further computes the session key SK = kdf(IDu || SKa) and Authas = h2(R || SKa), and sends M3 = {Authas} to S.
Step 4: S computes Authas* = h2(R* || SKa) and verifies if Authas* = Authas. If yes, S computes the session key SK = kdf(IDu || SKs) and allows the further communication.
Since no password required to compute the session key and confirmation message, Ӕ can successfully compute the subsequent valid response messages and establish a session on behalf of U as elucidated above.
3.3 Prone to session-specific ephemeral secret leakage attacks
Assume that Ӕ intercepts the massages M1 = {Authu, CIDu, Ru}, M2 = {Auths, Rs}, and M3 = {Authus} transmitted between U and S. Let session ephemeral secret ru′ of U is revealed to Ӕ. Ӕ now can launch offline identity attacks using these parameters as follows:
Step 1: Ӕ computes Ra = raP, R = raQs.
Step 2: Ӕ guesses IDu* and then compare Auths ?= h2(IDu* || R || SKu). Repeat the step until correct match is found.
Remark 1
Once identity of U is known to Ӕ using the above steps, Ӕ can also compute the secret parameter h1(ds) = CIDu ⊕ IDu*, which is static and commonly shared to all registered users. Consequently, Ӕ can impersonate all the users. Ӕ then establish a session with S without U’s password as follows:
Step 1: Ӕ computes Ru′ = ru′P and then compare Ru′ with Ru in intercepted message M1. If both matches, Ӕ confirms that ru′ is corresponding to M1 and Ru′ = Ru.
Step 2: Ӕ computes Ra = raP, and replays M1 = {Authu′ CIDu′ Ru} to S. Note that Ӕdoes not know the credentials of U.
Step 3: S computes IDu* = CIDu ⊕ h1(ds), R* = dsRu, and Authu* = h2(IDu* || R* || h1(ds)). S verifies if Authu* = Authu. If not, the process aborts. S generates a random number rs∈Zn* and computes Rs = rsP, SKs = rsRu, and Auths = h2(IDu* || R* || SKs). S sends M2 = {Auths, Rs} to Ӕ.
Step 4: Ӕ computes SKa = ruRs, and Auths* = h2(IDu* || R || SKa). U verifies if Auths* = Auths. If not, the process aborts. Ӕ further computes the session key SK = kdf(IDu* || SKa) and Authas = h2(R || SKa), and sends M3 = {Authas} to S.
Step 5: S computes Authas* = h2(R* || SKs) and verifies if Authas* = Authas. If yes, S computes the session key SK = kdf(IDu* || SKs) and allows the further communication.
3.4 Prone to insider attacks
Qi et al.’s protocol is susceptible to the insider attacks as the plain credentials of the users {IDu, PWu} are shared with the server during the registration phase. In addition, their scheme does not offer user revocation and re-registration phases.
4 Revisiting Lu et al.’s protocol
This section revisits Lu et al.’s (2016) two-factor authenticated key-agreement protocol for mobile client–server architecture. Their scheme comprises of three phases, namely, user registration phase (over a secure channel), login and mutually authenticated key-agreement phase (over a public channel), and password changing phase (over a secure channel). Here, we discuss only the first two phases as the drawbacks lies in these phases.
4.1 User registration phase
Step 1: User Ui chooses an identity IDa, password PWa and computes PWD = h(PWa || ra), where h(.) is a one-way hash function. Then Ui sends a registration request < IDa, PWD > to the server S.
Step 2: S computes W = h((IDa)rs mod q) ⊕ PWD, U = x ⊕ rs, X = IDa ⊕ rs, where rs is a random nonce. Then S stores the parameters {W, U, X, p, q, h(.)} on a smartcard SC that will be delivered to Ui.
Step 3: Ui computes L = h(h(IDa || h(PWa || ra)) mod n), and adds L and ra to the SC. Thus, the SC contains {W, L, ra, U, X, p, q, h(.)}.
4.2 Login and mutually authenticated key-agreement phase
In this phase, Ui and S can authenticate each other and make a session key as shown in Fig. 2.
Step 1: Ui inserts the SC and enters his/her IDa, PWa and checks the login condition L = h(h(IDa || PWD) mod n). If it generates positive result, SC computes M = (gαmod q) ⊕ W ⊕ h(PWa || ra), C = h((gαmod q) || IDa || Ta) and transmits login request < M, C, U, X, Ta> to S, where α is a random nonce and Ta is current timestamp generated by Ui.
Step 2: S checks the received Taif it is valid. S then computes rs= x ⊕ U, IDa= X ⊕ rs and gα = M ⊕ h((IDa)rs mod q) and verifies the condition C = h((gαmod q) || IDa || Ta). If it holds, S computes sk = (gα)β, N = h((IDa)rs mod q) ⊕ gβ, D = h(sk || IDa || Ts || h((IDa)rs mod q)), where βis a random number. S sends the response < N, D, Ts> toUi.
Step 3: Ui checks the validity of Ts and derives gβ = W ⊕ N ⊕ h(PWa || ra). Ui computes the session key sk = (gβ)α and verifies the condition D = h(sk || IDa || Ts || h((IDa)rs mod q)). If it holds, Ui starts communication using the computed session key sk = (gα)β= (gβ)α.
5 Cryptanalysis of Lu et al.’s protocol
This section demonstrates the security drawbacks of Lu et al.’s protocol (2016) such as prone to insider attacks, server impersonation attacks and lack of user anonymity.
5.1 Prone to server impersonation attack
In Lu et al.’s protocol, another legitimate user Ui′ with x value turned as an adversary Ӕ can mimic a legitimate S as exposed here. During the login and session key establishment phase, Ui transmits the login message < M, C, U, X, Ta>. Assume Ӕ captures this message, then he/she can impersonate the S as follows.
Step 1: During the registration phase, all users (Ui′) receives the values {W, U, X, p, q, h(.)} on a SC. Ui′ can extract server’s secret key x using his/her IDa, U = x ⊕ rs and X = IDa ⊕ rs values as shown below:
U ⊕ X ⊕ IDa = x ⊕ rs ⊕ IDa ⊕ rs ⊕ IDa = x.
Step 2: If Ui′ turns as an adversary Ӕ, Ӕ can derive rs, IDa, and gα values from < M, C, U, X, Ta> by computing rs= x ⊕ U, IDa= X ⊕ rs and gα = h((IDa)rs mod q).
Step 3: Ӕ chooses a random number β and computes sk = (gα)β, N = h((IDa)rs mod q) ⊕ gβ, D = h(sk || IDa || Ts || h((IDa)rs mod q)). Ӕ sends < N, D, Ts> toUi.
Step 4: A checks the validity of Ts and derives gβ = W ⊕ N ⊕ h(PWa || ra). Then, Ui computes the session key sk = (gβ)α and verifies the condition D ≟ h(sk || IDa || Ts || h((IDa)rs mod q)). Ui treats Ӕ as legitimate S since the condition D holds.
5.2 Lack of user anonymity
During the login phase, Ui transmits < M, C, U, X, Ta> to S via a public channel. The parameters U = x ⊕ rs and X = IDa ⊕ rs in the message < M, C, U, X, Ta> are unique and static during all logins for each user. This results in failure of providing perfect user anonymity that could eventually lead to trace attacks.
5.3 Prone to privileged insider attack
Consider a consequence where an insider of the server S acts as an adversary and knows the registration information IDa and PWD of a valid Ui. Further, assume that the same adversary possesses the extracted information{W, ra, U, X, L, p, q, h(.)} from the stolen smartcard of Ui. Now, the adversary Ӕ applies the offline-password guessing attack to guess correctly the user’s low-entropy PWa as follows.
Step 1: Ӕ guesses a password PWa′ and computes PWD′ = h(PWa || ra).
Step 2: Ӕ checks if PWD′ = PWD. If it is valid, Ӕ is successful to guess the correct password PWa′ (= PWa). Otherwise, Ӕ repeats from Step 1 until he/she gets success.
Thus, a privileged-insider being an adversary at the server S can guess the correct PWa of a legal Ui.
6 The proposed protocol
This section puts forward a three-factor mutually authenticated key agreement protocol for client–server architecture based on elliptic curve cryptography (ECC). The proposed protocol comprises two participants and four phases. The notations used in the proposed protocol are listed in Table 1. To provide strong biometric verification locally, we apply the fuzzy extractor method (Dodis et al. 2004), which is composed of the following two functions:
-
Gen: It is a probabilistic generation function in nature, which takes user biometrics BIOU as inputs and then results a pair (σU, θU) as biometric secret key and public reproduction parameter, that is, (σU, θU) = Gen(BIOU).
-
Rep: It is deterministic function in nature, which has the ability to reproduce the original biometric key σU from the user biometrics BIOU′ and θU, that is, σU = Rep(BIOU′,θU) provided that the Hamming distance between BIOU′ and BIOU is less than or equal to a predefined error tolerance threshold value (Dodis et al. 2004).
To protect the replay attack against an adversary, we apply the current timestamp along with the random nonce. For this issue, we assume that the entities are synchronized with their clocks as it is a reasonable assumption used in designing other authentication protocols (Wazid et al. 2017; Das et al. 2017; Roy et al. 2017a, b, 2016; Chang and Le 2016).
6.1 User registration phase
A new user Ui registers at the server S and obtains a smartcard as shown in Fig. 3.
Step 1: Ui chooses IDU, PWU, r, ru and scans BIOU, and then computes RPW = h(PWU || ru) ⊕ r. Ui sends a registration request message < IDU, RPW > to S via a secure channel.
Step 2: S computes MIDU = Ek(IDU || n), M = h(IDU || IDS || k), and N = M ⊕ RPW.
Step 3: Ui receives a SC with the parameters {MIDU,N, P, h(.)} from S through a secure channel.
Step 4: Ui computes (σU, θU) = Gen(BIOU), E = ru ⊕ h(σU), N′ = N ⊕ r, G = h(IDU || h(PWU || ru)) and then stores {E, N′, G} on the received SC after deleting N from the SC. SC now holds the parameters {MIDU, E, N′, G, P,θU, h(.)}.
6.2 Login and authenticated key agreement phase
This phase allows Ui and S to mutually authenticate and make a session key for subsequent communication through public channel as illustrated in Fig. 4.
Step 1: SC \(\to\) S: Msg1 = < MIDU, αP, C, Tu>. SC computes σU = Rep(BIOU, θU), ru = h(σU) ⊕ E and verifies the condition GU ≟ h(IDU || h(PWU || ru)). If it produces positive result, the SC generates α, Tu and calculates M = N′ ⊕ h(PWU || ru), αP, C = h(MIDU || αP || M || Tu). SC sends the login request message < MIDU, αP, C, Tu > to S via public channel.
Step 2: Upon receiving the login request, S first verifies the received Tu by the condition Tu* − Tu < ΔT, where Tu* is time when the message is received by S. If it is valid, S then decrypts MIDU and obtains IDU of Ui. S computes M = h(IDU || IDS || k) and verifies the condition C = h(MIDU || αP || M || Tu). S authenticates Ui only if the condition holds. Else, the process can be terminated.
Step 3: S\(\to\)SC: Msg2 = < βP, D, F, Ts>. S further generates β, Ts and computes MIDU′ = Ek(IDU || n′), SK = h(IDU || βαP || M), D = h(MIDU′ || SK || Ts), F = MIDU′ ⊕ h(SK). S sends < βP, D, F, Ts> to SC via public channel.
Step 4: SC first verifies the received Ts by the condition Ts* − Ts < ΔT, where Ts*is time when the message is received by Ui. If it holds, SC computes SK = h(IDU || αβP || M), MIDU′ = F ⊕ h(SK)and verifies the condition D = h(MIDU′ || SK || Ts). If the condition holds, Ui authenticates S and updates MIDU with MIDU′; else, the process can be dropped.
Step 5: SC \(\to\) S: Msg3 = < Z, Tu′>. SC generates the current timestamp Tu′, computes Z = h(βP || SK), and sends the message < Z, Tu′> to S. S first verifies the received Tu′by the condition Tu′* − Tu′ < ΔT, where Tu′*is time when the message is received by S. If it is valid, S then verifies Z = h(βP || SK) and reconfirms the authenticity of Ui, if the condition holds.
6.3 Password and biometrics update phase
In this phase, Ui can update his/her existing PWU and BIOU without involvement of S as follows.
Step 1: Ui inserts SC and passes IDU, PWU and BIOU. SC computes σU = Rep(BIOU, θU), ru = h(σU) ⊕ E and verifies G ≟ h(IDU || h(PWU || ru)). If the condition holds, Ui can change existing PWU and BIOU; otherwise, the request can be rejected.
Step 2: Ui passes new BIOU# and PWU#, and computes M = N’′⊕ h(PWU || ru), N′# = M ⊕ h(PWU# || ru), (σU#, θU#) = Gen(BIOU#), E#=ru ⊕ h(σU#),and G#=h(IDU || h(PWU# || ru)).
Step 3: Ui replaces N′, E and GU with N′#, E# and GU# on the SC, respectively. SC now holds the updated information {MIDU, E#, N′#, G#, P, θU#, h(.)}.
6.4 User revocation/re-registration phase
Users can revoke or re-register when their smartcard is lost by proving their authenticity in following way.
Step 1: Ui chooses revoke/re-register option and sends existing IDUprev to S via a secure channel.
Step 2: S verifies IDUprev existence and replies Ui asking the new credentials.
Step 3: Ui chooses IDU, PWU, r, ru and scans BIOU, and then computes RPW = h(PWU || ru) ⊕ r. Ui sends a registration request message < IDU, RPW > to S via a secure channel.
Step 4: S computes MIDU = Ek(IDU || n), M = h(IDU || IDS || k), and N = M ⊕ RPW.
Step 5: Ui receives a SC with the parameters {MIDU,N, P, h(.)} from S through a secure channel.
Step 6: Ui computes (σU, θU) = Gen(BIOU), E = ru ⊕ h(σU), N′ = N ⊕ r, G = h(IDU || h(PWU || ru)) and then stores {E, N′, G} on the received SC after deleting N from the SC. SC now holds the parameters {MIDU, E, N′, G, P, θU, h(.)}.
7 Security analysis
This section demonstrates the mutual authentication using BAN logic, formal and informal security analyses of the proposed authentication protocol. The proposed scheme is shown that a user Ui and the server S mutually authenticate among each with the help of the widely-used Burrows–Abadi–Needham logic (BAN logic) (Burrows et al. 1990) (see Sect. 7.2). We then prove the session key security (SK-security) of the proposed scheme under the broadly-accepted Real-Or-Random (ROR) model (Abdalla et al. 2005) (see Sect. 7.1). Moreover, the proposed scheme is shown to be secure against various other known attacks informally (see Sect. 7.3). In addition, the formal security verification using the broadly-accepted AVISPA tool (AVISPA Team 2006) assures that the scheme is secure against replay and man-in-the-middle attacks (see Sect. 7.4). Wang et al. (Wang et al. 2015a, b) observed the following interesting point: the widely used formal methods (for example, random oracle model, BAN logic) cannot always capture some structural mistakes, and therefore, assuring soundness of authentication protocols still remains an open issue. Due to this, we need the security analysis informally as well as formal security verification using AVISPA tool to ensure that the proposed scheme can be made more secure with high probability.
7.1 Formal security analysis using Real-OR-Random (ROR) model
In this section, through the widely-accepted Real-Or-Random (ROR) model (Abdalla et al. 2005), we prove the session key (SK) security of the proposed scheme. Recently, the ROR model based formal security analysis has drawn much attention in analyzing the formal security in many authentication protocols (Wazid et al. 2017; Das et al. 2017; Roy et al. 2017a, b, 2016; Chang and Le 2016).
7.1.1 ROR model
Two participants, namely user Ui and the server S are associated with the proposed scheme. We have the following components associated with the ROR model (Abdalla et al. 2005).
-
Participants The instances t1 and t2 of Ui and S are denoted by \(\pi _{U}^{{{t_1}}}{\text{~and}}~\pi _{S}^{{{t_2}}}\), respectively, which are also termed as oracles (Chang and Le 2016).
-
Accepted state If an instance \({\pi ^t}\) makes transition to an accept state after receiving the last expected protocol message, it is said to be in accepted state. The session identification (sid) of \({\pi ^t}\) for present session is constituted by the ordered concatenation of all communicated (sent and received) messages by \({\pi ^t}\).
-
Partnering Let \({\pi ^{{t_1}}}\) and \({\pi ^{{t_2}}}\) are two instances. They are partners to each other when the following three criteria are simultaneously fulfilled: (1) \({\pi ^{{t_1}}}\) and \({\pi ^{{t_2}}}\) in accepted state; (2) both \({\pi ^{{t_1}}}\) and \({\pi ^{{t_2}}}\) mutually authenticate each other, and share the same sid; and (3) both \({\pi ^{{t_1}}}\) and \({\pi ^{{t_2}}}\) are mutual partners.
-
Freshness If the session key SK between Ui and S is not divulged to an adversary A with the help of the following defined reveal oracle query Reveal (\({\pi ^t}\)), \(\pi _{U}^{{{t_1}}}{\text{or~}}\pi _{S}^{{{t_2}}}\) is said to be fresh.
-
Adversary Under the ROR model, the adversary A cannot only read the transmitted messages, but also can modify, delete or change the message contents during the communication. In other words, A is allowed to have full control over the communication. Moreover, A will have access to the following queries (Chang and Le 2016):
-
Execute (\({\pi ^{{t_1}}}\), \({\pi ^{{t_2}}}\)) With the help of this query, the transmitted messages between the valid parties Ui and S are intercepted by A. It is modeled as an eavesdropping attack.
-
Reveal (\({\pi ^t}\)) This query allows A to compromise the present session key SKij created by \({\pi ^t}\) (and its partner).
-
Send (\({\pi ^t},{\text{~}}m\)) This query helps a participant instance \({\pi ^t}\) to transmit a message m and also receives a message, which is further modeled as an active attack.
-
CorruptSmartcard (\(\pi _{U}^{{{t_1}}}\)) It implements the smart card SC lost/stolen attack. With the help of this query, the secret credentials stored in SC are revealed to A.
-
Test (\({\pi ^t}\)) The semantic security of session key SK between Ui and S following the indistinguishability in the ROR model (Abdalla et al. 2005) is implemented under this query. At first, an unbiased coin c is flipped prior to beginning of the game, whose output result is only secret to A. This value is later used to verify whether the output of the Test query is consistent. If A executes this query and it is found that the session key SK is fresh, \({\pi ^t}\) delivers SK when c = 1 or a random number when c = 0; otherwise, it delivers \(~ \bot ~\) (null).
A restriction for A is imposed here in order to acquire only limited number of CorruptSmartcard (\(\pi _{U}^{{{t_1}}}\)) queries. However, A is permitted to acquire Test (\({\pi ^t}\)) query as many times as he/she can have.
-
Semantic security of session key The ROR model (Abdalla et al. 2005) demands that the adversary A requires to distinguish between an instance’s actual session key and a random secret key. A can make the Test queries to either \(\pi _{U}^{{{t_1}}}{\text{~or}}~\pi _{S}^{{{t_2}}}\) and its output is checked for consistency against the random bot c. After the game is completed, A judges a guessed bit c′ for winning purpose. A wins the game when c′ = c. The advantage \(Adv_{{(A)}}^{{AKAP}}\) of A in breaking the semantic security of the proposed authenticated key agreement protocol, say AKAP for deriving the session key SK between Ui and S is defined by \(Adv_{{(A)}}^{{AKAP}}=\left| {2.Pr\left[ {Succ} \right] - 1} \right|\), where Succ represents an event that A can win the game.
-
Random oracle The communicating entities Ui and S along with A will have access to a collision resistant one-way cryptographic hash function h(‧), which is further modeled by a random oracle, say H.
7.1.2 Security proof
To prove the semantic security of the proposed scheme, we first define collision-resistant one-way hash function h(.) and the Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP). We then provide the proof in Theorem 1.
Definition 1
(Collision-resistant one-way hash function) A collision-resistant one-way hash function h: {0, 1}*→ {0, 1}n is a deterministic mathematical function that takes a variable length input string and produces a fixed length output string of n bits. If \(Adv_{{(A)}}^{{HASH}}\) (rt) denote the advantage of an adversary A in finding a hash collision,
where the probability of a random event X is denoted by Pr[X], and the pair (i1, i2) ∈RA means the input strings i1 and i2 are generated randomly by A. An (\(\psi ,\)rt)-adversary A attacking the collision resistance of h(.) means the runtime of A will be at most rt and that \(Adv_{{(A)}}^{{HASH}}\) (rt) \(\leqslant \psi\).
An elliptic curve y2 = x3 + ax + b over the finite field GF(p) is the set Ep(a, b), which contains the solutions (x, y) ∈Zp×Zp to the congruence y2 \(~ \equiv ~\) x3 + ax + b (mod p), where p being a large prime and a, b ∈ Zp are two constants, together with a special point O, called the point at infinity or zero point, and Zp = {0, 1,…, p\(-\)1}. Ep(a, b) is called non-singular if the condition 4a3 + 27b2 \(\ne ~\) 0 (mod p) is satisfied. The elliptic curve decisional Diffie-Hellman problem (ECDDHP) is defined as follows.
Definition 2
(Elliptic curve decisional Diffie-Hellman problem (ECDDHP)) Let P∈Ep(a, b) be a point on Ep(a, b). The ECDDHP states that given a quadruple (P, k1.P, k2.P, k3.P), to decide whether k3 = k1k2 or a uniform value.
Theorem 1
Suppose A is an adversary running in polynomial time t against the proposed scheme AKAP in the ROR model. If PD is a uniformly distributed password dictionary, l is the number of bits in the biometrics key σU\(Adv_{{(A)}}^{{ECDDHP}}\) (t) is the advantage of breaking the ECDDHP in time t by A, and qh, qsend, \(|Hash|\)and\(|PD|\)are respectively the number of H queries, send queries, range space of h(.) and the size of PD, A’s advantage in breaking semantic security of the proposed scheme AKAP for deriving the session key SK between Uiand S in time t is given by
\(Adv_{A}^{{AKAP}}\left( t \right) \leqslant \frac{{q_{h}^{2}}}{{\left| {Hash} \right|}}+\frac{{{q_{send}}}}{{{2^{l - 1}}.\left| {PD} \right|}}+2Adv_{A}^{{ECDDHP}}(t)\)
Proof
We follow the similar proof as executed in other authentication protocols (Wazid et al. 2017; Das et al. 2017; Chang and Le 2016). A sequence of five games, say Gami (i = 0, 1, 2, 3, 4) are essential in this proof in which Succi is the winning probability of A in game Gami where A can guess the random bit c correctly. The detailed description of all these games is given below.
-
Gam0 It is considered as an actual attack by A against the proposed scheme AKAP in the ROR model. Since the bit c needs to be chosen at the start of Gam0, it is clear that
-
Gam1 This game is modeled as an eavesdropping attack in which A intercepts the transmitted messages Msg1= < MIDU, αP, C, Tu>, Msg2= < βP, D, F, Ts> and Msg3= < Z, Tu’> during the mutual authentication and key agreement phase of AKAP. Under this game, A makes Execute (\({\pi ^{{t_1}}}\), \({\pi ^{{t_2}}}\)) query. After that A makes the Test query and its result is checked to verify whether it is the real session key SK or a random number. In AKAP, SK is calculated as SK = h(IDU|| αβP || M), where M = N ⊕ h(PWU|| ru) = Ek(IDU|| n). Therefore, computation of SK clearly demands for the leakage of secret credentials IDU, α,β and M, and these credentials are unknown to A. In a nutshell, A’s winning the game Gam1 by eavesdropping of messages is not increased, and thus, we have,
-
Gam2 The difference between this game and the previous game Gam1 is that the simulations of the Send and H queries are included in Gam2. It is therefore treated as an active attack where A can try to fool a legitimate entity to accept an illegal message. Since all the intercepted messages Msg1, Msg2 and Msg3 are constructed using random secrets α, β and timestamps Tu, Ts and T’u, no hash collision occurs when A makes Send query with the help of H query. The birthday paradox results provide the following result:
-
Gam3 The simulation CorruptSmartcard is added into the Gam3, which differs from Gam2.A then knows the information {MIDU, E, N′, G, P,θU, h(.)}. stored in the smart card SC of Ui. In AKAP, a user Ui uses both password PWU and personal biometrics BIOU. Due to use of fuzzy extractor, guessing the biometric key σU∈{0, 1}l from public reproduction parameter θU with the help of Rep(‧) function has the probability approximately \(\frac{1}{{{2^l}}}\) (Odelu et al. 2015). Moreover, A can try to guess low-entropy passwords using the password dictionary attacks. If we impose a restriction on the limited number of wrong password inputs in the system by A to guess correct Ui’s password PWU, it then follows that
-
Gam4 This is the final game, where A attempts to derive the correct session key SK shared between Ui and S. It is worth noticing that SK is calculated by both the parties Ui and S as SK = h(IDU|| αβP || M). Now, computation of αβP from the eavesdropped αP in Msg1 and βP in Msg2 is equivalent to solving the intractable ECDDHP in polynomial time t. In addition, A requires secret credentials IDU and M. Hence, we have,
Since all the queries are made by A, it is left only with guessing the bit c to win the game after the Test query is made by A. It follows that.
Equations (1) and (2) give the following:
Equations (6) and (7) give the following:
The triangular inequality gives the following
From Eqs. (3), (4), (5) and (9), we get,
Equations (8) and (10) give the following result:
Finally, multiplying both sides of Eq. (11) by a factor of 2, we obtain the required result:
7.2 Mutual authentication verification using BAN logic
Mutual authentication between Ui and S of the proposed protocol is proved using widely-accepted Burrows–Abadi–Needham (BAN) logic (Burrows et al. 1990).
Various notations along with their descriptions are provided in Table 2. Following four rules are used to substantiate the mutual authentication between Ui and S in the proposed protocol:
-
Rule 1 Message-meaning rule: \(\frac{{R~| \equiv R\mathop \leftrightarrow \limits^{Y} S,{\text{~~~}}R~ \triangleleft ~<X{>_Y}}}{{R| \equiv S~|\sim ~X}}\)
-
Rule 2 Nonce-verification rule: \(\frac{{R| \equiv {\text{~}}\# (X),\;R~| \equiv S~|\sim ~X}}{{R| \equiv S~| \equiv ~X}}\)
-
Rule 3 Jurisdiction rule: \(\frac{{R~| \equiv S~| \Rightarrow X,{\text{~~~}}R~| \equiv S~| \equiv ~X}}{{R| \equiv ~X}}\)
-
Rule 4 Freshness-conjuncatenation rule: \(\frac{{R~| \equiv {\text{~}}\# (X)}}{{R| \equiv {\text{~}}\# (X,Y)}}\)
The following three goals are expected to be achieved to show the mutual authentication between a node R in the cluster Ci and TM:
-
Goal1 \({U_i}| \equiv {U_i}\mathop \leftrightarrow \limits^{{SK}} S\)
-
Goal2 \(S| \equiv {U_i}\mathop \leftrightarrow \limits^{{SK}} S\)
-
Goal3 \({U_i}| \equiv {U_i}\mathop \leftrightarrow \limits^{{MI{D_U}{\prime}}} S\)
Generic form
The generic forms of the communicated messages between Ui and S in the proposed protocol are specified below:
-
M1. \(U_{i} \to S:C = \left\langle {MID_{U} ,\alpha P,T_{u} } \right\rangle _{M}\)
-
M2. \(S \to U_{i} :D = \left\langle {MID_{U}^{\prime } ,~~SK,~T_{u} } \right\rangle\), where SK = h(IDU, αβP, M)
We rewrite D as \(D = \left\langle {MID_{U}^{\prime } ,ID_{U} ,~\alpha \beta P,~T_{u} } \right\rangle _{M}\)
-
M3. \(U_{i} \to S:Z = \left\langle {\beta P,~SK} \right\rangle ~\), where SK = h(IDU, αβP, M)
We rewrite Z as \(Z = \left\langle {\beta P,~\alpha \beta P} \right\rangle _{M}\).
Idealized form
The idealized forms of the communicated messages between Ui and S in the proposed protocol are as follows:
M1. \(U_{i} \to S:\left\langle {MID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha P~}} S,T_{u} } \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\).
M2. \(~S \to \left\langle {U_{i} :U_{i} \mathop \leftrightarrow \limits^{{MID_{U}^{\prime } }} S,~ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S,T_{s} } \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\).
M3. \(U_{i} \to S:\left\langle {\beta P,ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S} \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\).
Hypotheses
The initial assumptions of the proposed protocol are as follows:
Note that the identity of user is assumed to be shared between Ui and S.
The following steps proves that the proposed protocol achieves mutual authentication between Ui and S using above hypotheses and rules
-
From M1, we have, \(~{\text{S1}}:S \triangleleft \left\langle {MID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha P~}} S,T_{u} } \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\)
-
From S1, H4, and Rule 1, we get, \({\text{S2}}:S| \equiv U_{i} |\sim \left\langle {MID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha P~}} S,T_{u} } \right\rangle\)
-
From S2, H2, Rule 2, and Rule 4, we get, \({\text{S3}}:S| \equiv {U_i}| \equiv {U_i}\mathop \leftrightarrow \limits^{{\alpha P~}} S\)
-
From M2, we have, S4: \({U_i} \triangleleft {U_i}\mathop \leftrightarrow \limits^{{MID_{U}^{{\prime}}}} S,~I{D_U},{U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P~}} S,{T_s}_{{{U_i}\mathop \leftrightarrow \limits^{M} S}}\)
-
From S4, H3, and Rule 1, we have, S5: \(U_{i} \left| { \equiv S} \right|\sim \left\langle {U_{i} \mathop \leftrightarrow \limits^{{MID_{U}^{\prime } }} S,~ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S,T_{s} } \right\rangle\)
-
From S5, H1, Rule 2, and Rule 4, we get, S6: \(U_{i} | \equiv ~S| \equiv \left\langle {U_{i} \mathop \leftrightarrow \limits^{{MID_{U}^{\prime } }} S,~ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S} \right\rangle\)
-
From S6, H7 and Rule 3, we obtain, S7: \({U_i}| \equiv {\text{~}}{U_i}\mathop \leftrightarrow \limits^{{MID_{U}^{{\prime}}}} S\) (Goal 3)
-
From S6, H5 and Rule 3, we obtain, S8: \({U_i}| \equiv {\text{~}}{U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P}} S\)
-
From S8 and H3, we obtain, S9: \({U_i}| \equiv {\text{~}}{U_i}\mathop \leftrightarrow \limits^{{SK}} S\) (Goal 1) From M3, we have, S10: \(~S \triangleleft \left\langle {\beta P,ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S} \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\)
-
From S10, H4, and Rule 1, we have, S11: \(S| \equiv U_{i} |\sim \left\langle {\beta P,ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S} \right\rangle\)
-
From S11, H2, Rule 2, and Rule 4, we get S12: \(S| \equiv {\text{~}}{U_i}| \equiv {U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P}} S\)
-
From S12, H6, and Rule 3, we get S13: \(S| \equiv {\text{~}}{U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P}} S\)
-
Finally, from S13 and H4, we obtain, S14: \(S| \equiv {U_i}\mathop \leftrightarrow \limits^{{SK}} S\) (Goal 2)
The above goals 1–3 clearly indicate the proposed scheme achieves the mutual authentication between Ui and S.
7.3 Informal security analysis
In this section, the security properties satisfied by the proposed protocol in the following propositions.
Proposition 1
The proposed protocol provides user anonymity and untraceability properties.
Proof
In the proposed protocol, user’s real identity IDU is enciphered with server’s secret key k. In order to retrieve IDU from MIDU = Ek(IDU || n), k is essential which is known only to the server. Thus, the real IDU value is available only with Ui and S. Though the users’ identity is anonymous, the chances of tracing the user still exist when other transmitting parameters are static. During the login phase, Ui sends authentication request message < MIDU, L, C, Tu> to S, where L = αP ⊕ M, C = h(MIDU || αP || M || Tu). All the parameters in the message are dynamic due to the incorporation of random numbers αand n. Hence, the proposed protocol offers user anonymity and untraceability.
Proposition 2
The proposed protocol withstands replay attack.
Proof
Consider a scenario where Ӕ tries to gain access to the system by mitigating a registered user with the previous transmitted message < MIDU, L, C, Tu>. The proposed scheme can identify it as a malicious attempt if Ӕ performs this due to the following reasons.
-
Case 1: If Ӕ replays the message < MIDU, L, C, Tu>, S can classify it as a malicious attempt when it finds the condition Tu* − Tu < ΔT is not valid. Similarly, Ui can also recognize replay attacks on < βP, D, F, Ts> using the condition Ts* − Ts < ΔT.
-
Case 2: In the mutual authentication with key-agreement phase, the server S obtains (IDU, αP) by computing (IDU || n) = Dk{MIDU}, αP = M ⊕ L, and stores it in its database. Note that α is a randomly generated number and varies for each session. When Ӕ sends the captured message < MIDU, L, C, Tu>, S extracts (IDU#, αP#) values and compares with the stored values in the database and subsequently drops the request when it notices (IDU#, αP#) == (IDU, αP).
Proposition 3
The proposed protocol withstands privileged insider and stolen token attacks.
Proof
Assume that an insider who knows the registration information IDU and RPW of a valid Ui turns as Ӕ, and reads the stolen smartcard information {MIDU, E, N′, G, P, θU, h(.)} by using power analysis methods (Kocher et al. 1999; Messerges et al. 2002; Wang and Wang 2015). Ӕ may now try to obtain some useful information such as credentials of Ui. However, Ӕ cannot succeed due to the reason described here. All the obtained parameters such as MIDU, E, N′, G, where MIDU = Ek(IDU || n), (σU, θU) = Gen(BIOU), E = ru ⊕ h(σU), N′ = N ⊕ r, G = h(IDU || h(PWU || ru)) are safeguarded using either one-way has function or symmetric encryption. In order to extract PWU from RPW = h(PWU || ru)⊕ r, Ӕ requires ru and r values. The ru and r values are stored on the SC in association with biometrics and N values, respectively. It is impossible to obtain ru and r without passing valid biometrics, moreover, biometrics can neither be stolen nor forged. On the other hand, guessing both ru and r values simultaneously is impractical. In this way, the proposed protocol can resist privileged insider attacks and stolen smartcard attacks.
Proposition 4
The proposed protocol withstands password guessing attacks.
Proof
Online password guessing attacks: Ӕ may try to login using the stolen smartcard, while guessing the user’s PWU. In order to perform this, Ӕ requires to satisfy the login condition G = h(IDU || h(PWU || ru)) which entails ru and BIOU. Unless Ӕ passes valid BIOU; ru value cannot be extracted from E and consequently leads to failure of satisfying the login condition G = h(IDU || h(PWU || ru)).
Offline password guessing attacks
Ӕ can attempt to guess the password using the extracted parameters {MIDU, E, N′, G, P, θU, h(.)} from the stolen smartcard. Note that the password PWU is not stored on the SC in the plaintext form, but in N′ = M ⊕ h(PWU || ru) shielded with one-way hash function. Moreover, Ӕ needs ru value to verify the guessed password N′ ≟ M ⊕ h(PWUӔ || ru). However, there are no means to obtain ru value without valid BIOU. Thus, the proposed protocol is resistant to offline password guessing attacks.
Proposition 5
The proposed protocol is resilient against user impersonation attack.
Proof
If Ӕ wants to masquerade Ui, he/she needs to form a login message < MIDU, L, C >, where MIDU = Ek(IDU || n), L = αP ⊕ M, C = h(MIDU || αP || M || Tu). Conversely, Ӕ can barely compute gαmod q, but not L and C due to the unavailability of valid PWU and BIOU. In case if Ӕ sends captured message < MIDU, L, C, Tu>, then S can easily identify it as a replay attack and would drop the session as elaborated in replay attacks section.
Proposition 6
The proposed protocol is secure against server impersonation attack.
Proof
If Ӕ wants to masquerade S, he/she needs to construct a valid response message < βP, D, F>, where MIDU′ = Ek(IDU || n′), SK = h(IDU || βαP || M), F = MIDU′ ⊕ h(SK), D = h(MIDU′ || SK || Ts). Assume that Ӕ replies the message < βPӔ, DӔ, FӔ, TsӔ>, where MIDU′Ӕ = EkӔ(IDU || n′), SKӔ= h(IDUӔ || αӔβӔP || MӔ), FӔ= MIDU′Ӕ ⊕ h(SKӔ), DӔ = h(MIDU′Ӕ || SKӔ || TsӔ). Despite the fact that Ui cannot be able to check the correctness of received MIDU′Ӕ due to unavailability of real server’s secret key k, Ui can definitely detect it as a fake response as described here. Upon receiving the message, Ui computes SK = h(IDU || αβӔP || M), MIDU′ = FӔ ⊕ h(SK), D = h(MIDU′ || SK || Ts) and verifies whether D≟DӔ. It is obvious that the condition cannot hold because Ӕ has computed SK with wrong IDU and αP, which result in h(IDU || αβP || M) ≠ h(IDUӔ || αβӔP || MӔ).
Proposition 7
The proposed protocol is secure against ephemeral secret leakage (ESL) attack.
Proof
The shared session key between Ui and S during the mutual authentication and key-agreement phase is computed as SK = h(IDU || βαP || M), where M = h(IDU|| IDS|| k) and k is the secret key of the server S. In the proposed protocol, the session key security (SK-security) depends on the following two cases:
-
Case 1. Let the ephemeral (short term) secrets alpha and beta are leaked to an adversary A. Even then without having the long-term secrets IDU, IDS and k, it is computationally infeasible for Ӕ to calculate SK.
-
Case 2. Let the long-term secrets IDU, IDS and k are revealed to Ӕ. However, without the ephemeral secrets α and β, it is difficult for Ӕ to calculate SK.
In summary, Ӕ can only calculate SK when the ephemeral secrets as well as long-term secrets are known to him/her. It is worth noticing that even if the current SK is revealed to Ӕ in a particular session, all other session keys in previous and future sessions are distinct since both long-term secrets and fresh ephemeral random nonces are applied in the construction of the session keys. Hence, the leakage of a session key will have no effect on the security of other previous and future sessions for secure communications. As a result, the proposed scheme provides forward and backward secrecy, and it also provides the SK-security. Thus, the proposed scheme protects ESL attack.
7.4 Formal security verification using AVISPA tool: simulation study
This section provides a brief overview of the AVISPA tool, the various roles implemented, and the final simulation results of the proposed protocol.
7.4.1 AVISPA overview
AVISPA is a widely-accepted push-button tool for the automated validation of Internet security-sensitive protocols and applications (Armando et al. 2005; AVISPA Team 2006). AVISPA is used to formally verify whether a cryptographic protocol is secure or vulnerable against active and passive attacks including the man-in-the-middle and replay attacks. In AVIPSA, a security protocol is implemented using HLPSL (High Level Protocols Specification Language). HLPSL is translated using HLPSL2IF translator to convert to the intermediate format (IF). IF is fed into one of the four back-ends: Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP), On-the- fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), and SAT-based Model-Checker (SATMC). The proposed protocol is simulated under the CL-AtSe and OFMC back-ends using the SPAN (Security Protocol ANimator) for AVISPA (SPAN-Security Protocol Animator for AVISPA 2016). Both back-ends are chosen for an execution test and a bounded number of sessions model checking (Basin et al. 2005).
7.4.2 Various roles implemented in HLPSL
The implementation details of the roles of user, server, session, and goal and environment are performed as evident in the Figs. 5 and 6, and provided the final results in Fig. 7.
The HLPSL specification of the basic role of user Ui is provided in Fig. 5. In this role, after receiving the start signal, it sends the registration request to the server for registration purpose, and updates its state (maintained by the variable State) from 0 to 1. Once Ui receives the smart card SC from the server S, it also changes its state from 1 to 3. During the mutual authentication and key agreement phase, Ui sends the login request to S. Ui declares a witness of freshly generated random number and timestamp Tu by the declarations witness(Ui, S, ui_s_alpha, Alpha′) and witness(Ui, S, ui_s_tu, Tu′). After that Ui receives the authentication request from S and finally, Ui also sends authentication reply to S. At the end, Ui authenticates S based on the random number and timestamp Ts by the declarations request(S, Ui, s_ui_beta, Beta’) and request(S, Ui, s_ui_ts, Ts’). Similarly, the HLPSL role specification of the sever S is also defined in Fig. 5. The roles of session, goal and environment are mandatory roles in AVISPA. In these roles, the secrecy and authentication goals need to be specified in order to check whether the protocol is safe or unsafe.
7.4.3 Analysis of simulation results
The proposed protocol is verified in following aspects as described in (Lv et al. 2013; Reddy et al. 2016):
-
Executabiltiy check Here, unexpected modeling errors may sometimes cause the incomplete execution of protocol. Accordingly, the OFMC may not find an attack when the model is not able to reach the attack happening state. Thus, the executability test is indispensable in AVISPA as described in (AVISPA Team 2006).
-
Replay attack check OFMC back-end offered information regarding some normal sessions between legitimate parties to the intruder. The simulation result furnished in Fig. 7 ensures that the proposed protocol can withstand replay attacks.
-
Dolev-Yao model check During this check (Dolev and Yao 1983), the possibilities of man-in-the-middle attacks are also verified by the OFMC. As illustrated in simulation results (Fig. 7), the depth of search is 4, and the total number of searched nodes is 16 which require 0.04 s. Simulation results also substantiate that the proposed protocol attains the design standards and is secure against replay and man-in-the-middle attacks.
8 Performance analysis
This section summarizes the performance of the proposed protocol in terms of security properties, computational cost, and communication cost. The comparison follows between the proposed protocol and some of the recently published two-factor and three-factor protocols as depicted in the Tables 3, 4, 5 and 6.
To analyze the computational cost, few symbolizations are given for the comprised actions in the existing two-factor and three-factor protocols and the proposed protocol in following way: Tm: time complexity of an elliptic curve point division or multiplication operation; Ta: time complexity of an elliptic curve point addition or subtraction operation; Tf: time complexity of a symmetric key encryption or decryption function; Th: time complexity of a one-way hash function; Tb: time complexity of a biometrics extraction function; Te: time complexity of a modular exponentiation operation.
To analyze the communication cost, we consider 32-bits for a timestamp, 160-bits for a random number, 80-bits for a human-memorable identity, 160-bits for each co-ordinate of an elliptic curve point, 160-bit for a modular prime number operation, 160-bits for a SHA-1 output, and 128-bits key for an AES algorithm of cipher block chaining (CBC) mode.
8.1 Comparison with the two-factor authentication protocols
The security properties between Li et al. (2013), Chen et al. (2014), Jiang et al. (2015), Lu et al. (2016), Qi et al. (2017) and the proposed protocol are summarized in Table 3. It is evident from Table 3 that the proposed protocol is secure against all the renowned threats and achieves diverse features. As presented in Table 4, the proposed protocol deploys 1Tb + 13Th + 4Tm + 2Tf, whereas Li et al., Chen et al., Jiang et al., and Lu et al., Qi et al. uses 9Th + 7Te + 1Tm, 9Th + 3Te + 3Tm, 9Th + 5Te + 1Tm, 9Th + 5Te, and 12Th + 4Tm, respectively. The computational cost of the proposed protocol is reasonably equal or slightly higher compared to other protocols. On other hand, the proposed protocol requires more bandwidth compared to the other protocols. But, it is well worth deploying additional computations and communication cost to afford enhanced security level.
8.2 Comparison with the three-factor authentication protocols
The security properties between Yeh et al. (2013), Li et al. (2014), Wu et al. (2015), Han et al. (2016), Xie et al. (2017) and the proposed protocol are summarized in Table 5. It is evident from Table 5 that the proposed protocol is secure against all the renowned threats and achieves diverse features. As presented in Table 6, the proposed protocol deploys 1Tb + 13Th + 4Tm + 2Tf, whereas Yeh et al., Li et al., Wu et al., Han et al., Xie et al. uses 1Tb + 2Th + 5Tm+ 12Ta, 1Tb + 13Th + 4Te, 1Tb + 11Th + 4Tm + 4Tf, 12Th + 4Tm + 2Tf, and 1Tb + 14Th + 4Tm + 4Tf, respectively. The computational cost of the proposed protocol is lesser than the other protocols. On other hand, the proposed protocol requires less bandwidth compared to Yeh et al., Wu et al., Han et al., Xie et al., and more bandwidth compared to Li et al.
9 Conclusion remarks
This paper aimed to study and analyze some of recently proposed two-factor authentication protocols for client–server architecture and proposed a new solution to overcome the existing pitfalls. We believe that two-factor authentication mechanisms are still vulnerable under various phenomena. Thus, we proposed a three-factor authentication mechanism which improves the security with an additional factor known as biometrics. The proposed three-factor authenticated key agreement protocol is not only secure from numerous attacks but also achieve the eminent security properties such as user anonymity, mutual authentication, biometrics deployment, perfect forward secrecy. The comparisons between the proposed protocol and the other related protocols prove that our protocol is robust and efficient.
References
Abdalla M, Fouque P, Pointcheval D (2005) Password-based authenticated key exchange in the three-party setting. 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, pp. 65–84
An Y (2012) Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. Biomed Res Int. https://doi.org/10.1155/2012/519723
Armando A, Basin D… Mödersheim S (2005) The AVISPA tool for the automated validation of internet security protocols and applications. In: International Conference on Computer Aided Verification, pp. 281–285
AVISPA Team (2006) AVISPA V1.1 User Manual, [Online]. Available: http://www.avispa-project.org/package/user-manual.pdf Accessed Dec 2015
Basin D, Mödersheim S, Vigano L (2005) OFMC: a symbolic model checker for security protocols. Int J Inf Secur 4(3):181–208
Burrows M, Abadi M, Needham R R (1990) A logic of authentication. ACM Trans Comput Syst 8(1):18–36
Cao L, Ge W (2015) Analysis and improvement of a multi-factor biometric authentication scheme. Secur Commun Netw 8(4):617–625
Chan CK, Cheng LM (2000) Cryptanalysis of a remote user authentication scheme using smart cards. IEEE Trans Consum Electron 46(4):992–993
Chang CC, Le HD (2016) A Provably secure, efficient and flexible authentication scheme for ad hoc wireless sensor networks. IEEE Trans Wireless Commun 15(1):357–366
Chang YF, Tai WL, Chang HC (2014) Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update. Int J Commun Syst 27(11):3430–3440
Chaturvedi A, Mishra D, Jangirala S, Mukhopadhyay S (2017) A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme. J Inf Secur Appl 32:15–26
Chen CL, Lee CC, Hsu CY (2012) Mobile device integration of a fingerprint biometric remote authentication scheme. Int J Commun Syst 25(5):585–597
Chen BL, Kuo WC, Wuu LC (2014) Robust smart-card-based remote user password authentication scheme. Int J Commun Syst 27(2):377–389
Chien HY, Jan JK, Tseng YM (2001) A modified remote login authentication scheme based on geometric approach. J Syst Softw 55(3):287–290
Chou CH, Tsai KY, Lu CF (2013) Two ID-based authenticated schemes with key agreement for mobile environments. J Supercomput 66(2):973–988
Das AK (2011) Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf Secur 5(3):145–151
Das AK, Goswami A (2015) A robust anonymous biometric-based remote user authentication scheme using smart cards. J King Saud Univ-Comput Inf Sci 27(2):193–210
Das AK, Wazid M, Kumar N, Khan MK, Choo KKR, Park Y (2017) Design of secure and lightweight authentication protocol for wearable devices environment. IEEE J Biomed Health Inform, https://doi.org/10.1109/JBHI.2017.2753464
Debiao H, Jianhua C, Jin H (2012) An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security. Inf Fusion 13(3):223–230
Dodis Y, Reyzin L, Smith A (2004) Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. Advances in cryptology-eurocrypt 2004. Interlaken, Springer-Verlag, Berlin, Heidelberg, pp 523–540
Dolev D, Yao A (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208
Fan CI, Lin YH (2009) Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics. IEEE Trans Inf Forensics Secur 4(4):933–945
Farash MS (2016) Security analysis and enhancements of an improved authentication for session initiation protocol with provable security. Peer-to-Peer Netw Appl 9(1):82–91
Farash MS, Attari MA (2014) A secure and efficient identity-based authenticated key exchange protocol for mobile client–server networks. J Supercomput 69(1):395–411
Gope P (2017) Enhanced secure mutual authentication and key agreement scheme with user anonymity in ubiquitous global mobility networks. J Inf Secur Appl 35:160–167
Gope P, Das AK (2017) Robust anonymous mutual authentication scheme for n-times ubiquitous mobile cloud computing services. IEEE Internet Things J 4(5):1764–1772
Gope P, Hwang T (2016a) An efficient mutual authentication and key agreement scheme preserving strong anonymity of the mobile user in global mobility networks. J Netw Comput Appl 62:1–8
Gope P, Hwang T (2016b) Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks. IEEE Syst J 10(4):1370–1379
Goutham RA, Lee GJ, Yoo KY (2015) An anonymous ID-based remote mutual authentication with key agreement protocol on ECC using smart cards. In Proceedings of the 30th Annual ACM Symposium on Applied Computing, pp. 169–174
Han L, Tan X, Wang S, Liang X (2016) An efficient and secure three-factor based authenticated key exchange scheme using elliptic curve cryptosystems. Peer-to-Peer Netw Appl 11(1): 63–73
He D (2012) An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings. Ad Hoc Netw 10(6):1009–1016
Hsieh WB, Leu JS (2012) Exploiting hash functions to intensify the remote user authentication scheme. Comput Secur 31(6):791–798
Irshad A, Chaudhry SA, Kumari S, Usman M, Mahmood K, Faisal MS (2017a) An improved lightweight multiserver authentication scheme. Int J Commun Syst, 30(17)
Irshad A, Sher M, Nawaz O, Chaudhry SA, Khan I, Kumari S (2017b) A secure and provable multi-server authenticated key agreement for TMIS based on Amin et al. scheme. Multimed Tools Appl 76(15):16463–16489
Irshad A, Sher M, Ashraf MU, Alzahrani BA, Wu F, Xie Q, Kumari S (2017c) An Improved and Secure Chaotic-Map Based Multi-server Authentication Protocol Based on Lu et al. and Tsai and Lo’s Scheme. Wireless Pers Commun 95(3):3185–3208
Irshad A, Kumari S, Li X, Wu F, Chaudhry SA, Arshad H (2017d) An improved SIP authentication scheme based on server-oriented biometric verification. Wireless Pers Commun 97(2):2145–2166
Islam SH, Biswas GP (2011) A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. J Syst Softw 84(11):1892–1898
Islam SH, Biswas GP (2014) Dynamic id-based remote user mutual authentication scheme with smartcard using elliptic curve cryptography. J Electron 31(5):473–488
Jan JK, Chen YY (1998) “Paramita wisdom” password authentication scheme without verification tables. J Syst Softw 42(1):45–57
Jiang Q, Ma J, Li G, Li X (2015) Improvement of robust smart-card-based password authentication scheme. Int J Commun Syst 28(2):383–393
Khan MK, Zhang J, Wang X (2008) Chaotic hash-based fingerprint biometric remote user authentication scheme on mobile devices. Chaos Solitons Fractals 35(3):519–524
Khan MK, Kumari S, Gupta MK (2014) More efficient key-hash based fingerprint remote authentication scheme using mobile device. Computing 96(9):793–816
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. Advances in Cryptology—CRYPTO’99, pp 388–397
Kumari S, Khan MK (2014) Cryptanalysis and improvement of ‘a robust smart-card-based remote user password authentication scheme’. Int J Commun Syst 27(12):3939–3955
Kumari S, Khan MK, Li X (2014) An improved remote user authentication scheme with key agreement. Comput Electr Eng 40(6):1997–2012
Kumari S, Chaudhry SA, Wu F, Li X, Farash MS, Khan MK (2017) An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Netw Appl 10(1):92–105
Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772
Li CT, Hwang MS (2010) An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 33(1):1–5
Li X, Niu JW, Ma J, Wang WD, Liu CL (2011) Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 34(1):73–79
Li X, Niu J, Khan MK, Liao J (2013) An enhanced smart card based remote user password authentication scheme. J Netw Comput Appl 36(5):1365–1371
Li X, Niu J, Wang Z, Chen C (2014) Applying biometrics to design three-factor remote user authentication scheme with key agreement. Secur Commun Netw 7(10):1488–1497
Liao IE, Lee CC, Hwang MS (2006) A password authentication scheme over insecure networks. J Comput Syst Sci 72(4):727–740
Lu Y, Li L, Peng H, Yang Y (2016) Robust anonymous two-factor authenticated key exchange scheme for mobile client-server environment. Secur Commun Netw 9(11):1331–1339
Luo M, Zhang Y, Khan MK, He D (2017) A secure and efficient identity-based mutual authentication scheme with smart card using elliptic curve cryptography. Int J Commun Syst, 30(16)
Lv C, Ma M, Li H, Ma J, Zhang Y (2013) A novel three-party authenticated key exchange protocol using one-time key. J Netw Comput Appl 36(1):498–503
Madhusudhan R, Mittal RC (2012) Dynamic ID-based remote user password authentication schemes using smart cards: a review. J Netw Comput Appl 35(4):1235–1248
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
Mishra D, Das AK, Mukhopadhyay S (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 41(18):8129–8143
Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10(9):1953–1966
Pippa RS, Jaidhar CD, Tapaswi S (2010) Comments on symmetric key encryption based smart card authentication scheme. In 2nd IEEE International Conference on Computer Technology and Development, pp. 482–484
Qi M, Chen J (2017) An efficient two-party authentication key exchange protocol for mobile environment. Int J Commun Syst, 30(16)
Reddy AG, Das AK, Odelu V, Yoo KY (2016a) An enhanced biometric based authentication with key-agreement protocol for multi-server architecture based on elliptic curve cryptography. PloS one 11(5):e0154308
Reddy AG, Das AK, Yoon EJ, Yoo KY (2016b) A secure anonymous authentication protocol for mobile services on elliptic curve cryptography. IEEE Access 4:4394–4407
Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV (2016) Secure biometric-based authentication scheme using chebyshev chaotic map for multi-server environment. IEEE Trans Dependable Secure Comput. https://doi.org/10.1109/TDSC.2016.2616876
Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV (2017a) On the design of provably secure lightweight remote user authentication scheme for mobile cloud computing services. IEEE Access 5(1):25808–25825. https://doi.org/10.1109/ACCESS.2017.2764913
Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumari S, Jo M (2017b) Chaotic map-based anonymous user authentication scheme with user biometrics and fuzzy extractor for crowdsourcing internet of things. IEEE Internet Things J. https://doi.org/10.1109/JIOT.2017.2714179
Song R (2010) Advanced smart card based password authentication protocol. Comput Stand Interfaces 32(5):321–325
Sood SK, Sarje AK, Singh K (2010) An improvement of Xu et al.’s authentication scheme using smart cards. In: Proceedings of the third annual ACM Bangalore conference on communications, pp. 15
SPAN-Security Protocol Animator for AVISPA, [Online]. Available: http://www.irisa.fr/celtique/genet/span/. Accessed Dec 2016
Tan K, Zhu H (1999) Remote password authentication scheme based on cross-product. Comput Commun 22(4):390–393
Tu H, Kumar N, Chilamkurti N, Rho S (2015) An improved authentication protocol for session initiation protocol using smart card. Peer-to-Peer Netw Appl 8(5):903–910
Tzong-Chen W, Hung-Sung S (1996) Authenticating passwords over an insecure channel. Comput Secur 15(5):431–439
Wang D, Wang P (2015) Offline dictionary attack on password authentication schemes using smart cards. In: Desmedt Y (eds) Information Security. Lecture Notes in Computer Science, vol 7807. Springer, Cham, pp 221–237
Wang YY, Liu JY, Xiao FX, Dan J (2009) A more efficient and secure dynamic ID-based remote user authentication scheme. Comput Commun 32(4):583–585
Wang RC, Juang WS, Lei CL (2011) Robust authentication and key agreement scheme preserving the privacy of secret key. Comput Commun 34(3):274–280
Wang D, Wang N, Wang P, Qing S (2015a) Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf Sci 321:162–178
Wang D, He D, Wang P, Chu CH (2015b) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secure Comput 12(4):428–442
Wazid M, Das AK, Odelu V, Kumar N, Susilo W (2017) Secure remote user authenticated key establishment protocol for smart home environment. IEEE Trans Dependable Secure Comput. https://doi.org/10.1109/TDSC.2017.2764083
Wen F, Li X (2012) An improved dynamic ID-based remote user authentication with key agreement scheme. Comput Electr Eng 38(2):381–387
Wu TC (1995) Remote login authentication scheme based on a geometric approach. Comput Commun 18(12):959–963
Wu TY, Tseng YM (2010) An efficient user authentication and key exchange protocol for mobile client–server environment. Comput Netw 54(9):1520–1530
Wu F, Xu L, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client–server networks. Comput Electr Eng 45:274–285
Xie Q, Dong N, Wong DS, Hu B (2016) Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol. Int J Commun Syst 29(3):478–487
Xie Q, Tang Z, Chen K (2017) Cryptanalysis and improvement on anonymous three-factor authentication scheme for mobile networks. Comput Electr Eng 59:218–230
Xu J, Zhu WT, Feng DG (2009) An improved smart card based password authentication scheme with provable security. Comput Stand Interfaces 31(4):723–728
Yang JH, Chang CC (2009) An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. Comput Secur 28(3):138–143
Yeh HL, Chen TH, Hu KJ, Shih WK (2013) Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric data. IET Inf Secur 7(3):247–252
Yoon EJ, Yoo KY (2009) Robust id-based remote mutual authentication with key agreement scheme for mobile devices on ECC. In: IEEE International Conference on Computational Science and Engineering CSE’09, pp 633–640
Zhang L, Tang S, Cai Z (2014) Efficient and flexible password authenticated key agreement for voice over internet protocol session initiation protocol using smart card. Int J Commun Syst 27(11):2691–2702
Acknowledgements
This work was supported by the faculty research fund of the Sejong University in 2017. The authors would like to thank the anonymous reviewers for their valuable comments and suggestions that helped us to improve the presentation and quality of the paper.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interests.
Rights and permissions
About this article
Cite this article
Reddy, A.G., Das, A.K., Odelu, V. et al. A Privacy Preserving three-factor authenticated key agreement protocol for client–server environment. J Ambient Intell Human Comput 10, 661–680 (2019). https://doi.org/10.1007/s12652-018-0716-4
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12652-018-0716-4