An efficient ECC-based privacy-preserving client authentication protocol with key agreement using smart card

Authentication protocols are trusted components of a communication system: in a client-server environment they protect sensitive information against a malicious adversary by providing a variety of services, including user privacy and authentication. For cryptographic protocols, understanding security failures is the key both to patching existing protocols and to designing future ones. In 2014, Wang proposed an improved Elliptic Curve Cryptography (ECC) based anonymous remote authentication scheme using a smart card and claimed that the scheme is secure against the password guessing attack and the smart card lost/stolen verifier attack, and that it also preserves user anonymity and prevents credential leakage. In this paper, however, we show that Wang's scheme fails to preserve user anonymity and does not prevent the off-line password guessing attack, credential leakage, or the smart card lost/stolen verifier attack. To withstand the security pitfalls found in Wang's scheme, we propose a new secure privacy-preserving ECC-based client authentication protocol with key agreement using a smart card. Through formal and informal security analysis we show that our scheme is secure against possible known attacks, including the off-line password guessing attack, the credential leakage attack and the smart card lost/stolen verifier attack. Our scheme also preserves the user anonymity property. In addition, we simulate our scheme for formal security verification using the widely accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that it is secure against passive and active attacks. Our scheme provides high security along with low computational and communication costs. As a result, compared with other related schemes in the literature, our scheme is practically suitable for mobile devices in the client-server environment.
