A Multi-Server Two-Factor Authentication Scheme with Un-Traceability Using Elliptic Curve Cryptography

Authentication-and-key-agreement schemes play a vital role in securing communication in multi-server environments, the Internet of Things (IoT), wireless sensor networks (WSNs), and similar settings. Such a scheme enables users and servers to negotiate a common session initiation key. We first analyze Amin et al.’s RSA-based authentication scheme and prove that it cannot provide perfect forward secrecy or user un-traceability, and that it is susceptible to an offline password guessing attack and a key-compromise user impersonation attack. Second, we show that Srinivas et al.’s multi-server authentication scheme is not secure against the offline password guessing attack or the key-compromise user impersonation attack, and is unable to ensure user un-traceability. To remedy these limitations and improve computational efficiency, we present a multi-server two-factor authentication scheme using elliptic curve cryptography (ECC). Using heuristic analysis and a Burrows–Abadi–Needham logic (BAN-Logic) proof, we then prove that the presented scheme is secure against all known attacks and, in particular, provides user un-traceability and perfect forward secrecy. Finally, comparisons with prevalent works demonstrate the robustness and feasibility of the presented solution in multi-server environments.
