2PAKEP: Provably Secure and Efficient Two-Party Authenticated Key Exchange Protocol for Mobile Environment

With the increasing use of mobile devices, a secure communication and key exchange become the significant security issues in mobile environments. However, because of open network environments, mobile user can be vulnerable to various attacks. Therefore, the numerous authentication and key exchange schemes have been proposed to provide the secure communication and key exchange. Recently, Qi and Chen proposed an efficient two-party authentication key exchange protocol for mobile environments in order to overcome the security weaknesses of the previous authentication and key exchange schemes. However, we demonstrate that Qi and Chen’s scheme is vulnerable to various attacks such as impersonation, offline password guessing, password change, and privileged insider attacks. We also show that Qi and Chen’s scheme does not provide anonymity, efficient password change mechanism, and secure mutual authentication. In this paper, to overcome the outlined abovementioned security vulnerabilities, we propose a secure and efficient two-party authentication key exchange protocol, called 2PAKEP, that hides user’s real identity from an adversary using a secret parameter. 2PAKEP also withstands various attacks, guarantees anonymity, and provides efficient password change mechanism and secure mutual authentication. In addition, we prove that 2PAKEP provides the secure mutual authentication using the broadly accepted Burrows–Abadi–Needham logic and the session key security using the formal security analysis under the widely accepted real-or-random model. Moreover, the formal security verification using the popular simulated software tool, Automated Validation of Internet Security Protocols and Applications, on 2PAKEP shows that the replay and man-in-the-middle attacks are protected. In addition, we also analyze the performance and security and functionality properties of 2PAKEP and compare these with the related existing schemes. Overall, 2PAKEP provides better security and functionality features, and also the communication and computational overheads are comparable with the related schemes. Therefore, 2PAKEP is applicable to mobile environment efficiently.

[1]  Eun-Jun Yoon,et al.  Robust ID-Based Remote Mutual Authentication with Key Agreement Scheme for Mobile Devices on ECC , 2009, 2009 International Conference on Computational Science and Engineering.

[2]  Yixian Yang,et al.  Robust Biometrics Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards , 2015, PloS one.

[3]  Cheng-Chi Lee,et al.  A simple remote user authentication scheme , 2002 .

[4]  Jianhua Chen,et al.  An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security , 2012, Inf. Fusion.

[5]  Kuo-Yu Tsai,et al.  Two ID-based authenticated schemes with key agreement for mobile environments , 2013, The Journal of Supercomputing.

[6]  Kim-Kwang Raymond Choo,et al.  Design of Secure and Lightweight Authentication Protocol for Wearable Devices Environment , 2018, IEEE Journal of Biomedical and Health Informatics.

[7]  Samiran Chattopadhyay,et al.  Provably Secure Fine-Grained Data Access Control Over Multiple Cloud Servers in Mobile Cloud Computing Based Healthcare Applications , 2019, IEEE Transactions on Industrial Informatics.

[8]  Martín Abadi,et al.  A logic of authentication , 1990, TOCS.

[9]  Cheng-Chi Lee,et al.  A password authentication scheme over insecure networks , 2006, J. Comput. Syst. Sci..

[10]  Jianhua Chen,et al.  An efficient two‐party authentication key exchange protocol for mobile environment , 2017, Int. J. Commun. Syst..

[11]  YoHan Park,et al.  Secure biometric-based authentication scheme with smart card revocation/reissue for wireless sensor networks , 2016, Int. J. Distributed Sens. Networks.

[12]  Xiaotie Deng,et al.  Two-factor mutual authentication based on smart cards and passwords , 2008, J. Comput. Syst. Sci..

[13]  Ashok Kumar Das,et al.  Provably Secure and Efficient Authentication Protocol for Roaming Service in Global Mobility Networks , 2017, IEEE Access.

[14]  David von Oheimb The High-Level Protocol Specification Language HLPSL developed in the EU project AVISPA , 2005 .

[15]  Willy Susilo,et al.  Secure Message Communication Protocol Among Vehicles in Smart City , 2018, IEEE Transactions on Vehicular Technology.

[16]  Ronald L. Rivest,et al.  Responses to NIST's proposal , 1992, CACM.

[17]  David Pointcheval,et al.  Password-Based Authenticated Key Exchange in the Three-Party Setting , 2005, Public Key Cryptography.

[18]  Jianfeng Ma,et al.  Improvement of robust smart-card-based password authentication scheme , 2015, Int. J. Commun. Syst..

[19]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[20]  Mohammad Peyravian,et al.  Secure remote user access over insecure networks , 2006, Comput. Commun..

[21]  Chun-Ta Li,et al.  A More Secure and Efficient Authentication Scheme with Roaming Service and User Anonymity for Mobile Communications , 2012, Inf. Technol. Control..

[22]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[23]  Chin-Chen Chang,et al.  An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem , 2009, Comput. Secur..

[24]  Lih-Chyau Wuu,et al.  Robust smart‐card‐based remote user password authentication scheme , 2014, Int. J. Commun. Syst..

[25]  Dengguo Feng,et al.  An improved smart card based password authentication scheme with provable security , 2009, Comput. Stand. Interfaces.

[26]  Jongho Moon,et al.  An Improvement of Robust Biometrics-Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards , 2015, PloS one.

[27]  Joel J. P. C. Rodrigues,et al.  Cloud Centric Authentication for Wearable Healthcare Monitoring System , 2019, IEEE Transactions on Dependable and Secure Computing.

[28]  Hung-Yu Chien,et al.  An Efficient and Practical Solution to Remote Authentication: Smart Card , 2002, Comput. Secur..

[29]  Kee-Young Yoo,et al.  Improvement of Chien et al.'s remote user authentication scheme using smart cards , 2005, Comput. Stand. Interfaces.

[30]  Cheng-Chi Lee,et al.  An Efficient User Authentication and User Anonymity Scheme with Provably Security for IoT-Based Medical Care System , 2017, Sensors.

[31]  Leslie Lamport,et al.  Password authentication with insecure communication , 1981, CACM.

[32]  Athanasios V. Vasilakos,et al.  Design and analysis of authenticated key agreement scheme in cloud-assisted cyber-physical systems , 2020, Future Gener. Comput. Syst..

[33]  Eun-Jun Yoon,et al.  Secure Signature-Based Authenticated Key Establishment Scheme for Future IoT Applications , 2017, IEEE Access.

[34]  Yuanyuan Zhang,et al.  An Improved Two-Party Authentication Key Exchange Protocol for Mobile Environment , 2015, Wirel. Pers. Commun..

[35]  Athanasios V. Vasilakos,et al.  A Novel Authentication and Key Agreement Scheme for Implantable Medical Devices Deployment , 2018, IEEE Journal of Biomedical and Health Informatics.

[36]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[37]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[38]  Hu Jin,et al.  An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security , 2012 .