A Multi-Server Two-Factor Authentication Scheme with Un-Traceability Using Elliptic Curve Cryptography

Abstract

To provide secure communication, the authentication-and-key-agreement scheme plays a vital role in multi-server environments, Internet of Things (IoT), wireless sensor networks (WSNs), etc. This scheme enables users and servers to negotiate for a common session initiation key. Our proposal first analyzes Amin et al.’s authentication scheme based on RSA and proves that it cannot provide perfect forward secrecy and user un-traceability, and is susceptible to offline password guessing attack and key-compromise user impersonation attack. Secondly, we provide that Srinivas et al.’s multi-server authentication scheme is not secured against offline password guessing attack and key-compromise user impersonation attack, and is unable to ensure user un-traceability. To remedy such limitations and improve computational efficiency, we present a multi-server two-factor authentication scheme using elliptic curve cryptography (ECC). Subsequently, employing heuristic analysis and Burrows–Abadi–Needham logic (BAN-Logic) proof, it is proven that the presented scheme provides security against all known attacks, and in particular provides user un-traceability and perfect forward security. Finally, appropriate comparisons with prevalent works demonstrate the robustness and feasibility of the presented solution in multi-server environments.

1. Introduction

With the recent advancements in Internet and communication technology and the growing demand for sharing multiple data resources, secure and efficient communication between the involved stakeholders has become more essential in areas such as e-commerce, telecare medical information, distributed cloud storage systems, etc. Obviously, privacy protection has emerged as a vital issue for secure and trusted communication. For secure and effective communication over an insecure network, the involved parties are required to negotiate on a common session key beforehand. For such negotiations, authentication-and-key-agreement protocols serve as the only solution. The first password authentication with insecure communication was established by Lamport in 1981 [1]. Later, Frank et al. [2] presented an authentication protocol based on hypertext transport protocol in 1991. However, Yang et al. [3] identified that Frank’s proposal was insecure and provided an improved solution in 2005. In order to present a secure and efficient authentication and key agreement protocol, in the following decade, many single-, two-, and three-factor authentication protocols were constructed while employing RSA, discrete logarithm over general groups, elliptic curve cryptography (ECC), chaotic maps [4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22], etc. However, some security limitations are prevailing in these protocols. By analyzing a large number of authentication protocols, we found that such shortcomings are resulted due to either improper usage of the cryptographic primitives or design defects of the protocols.

In 2011, Awasthi et al. [23] showed that the protocol of Shen et al. [24] is prone to user impersonation attack. To remedy impersonation attack, Awasthi et al. put forward a refined time stamp-based authentication-and-key-agreement protocol. However, in that protocol, the adversary can easily obtain smart card and identity parameters through an open channel. In 2014, Huang et al. [25] pointed out that the scheme presented by Awasthi et al. is unable to resist against user impersonation attack, and overlooks the password updation stage. Moreover, we remark that Awasthi et al.’s scheme also fails to ensure user anonymity. Huang et al. proposed an enhanced time stamp-based two-factor remote user authentication protocol while incorporating RSA, and claimed that the scheme can resist various attacks. However, Amin et al. [26] proved that the proposal of Huang et al., is susceptible to impersonation, offline password guessing, and insider attacks, while also having an inefficient password updation stage. Keeping in view the limitations of Huang et al.’s proposal, Amin et al. presented an authentication-and-key-agreement mechanism based on RSA.

In a multi-server environment, users interact with multiple servers. To login with different identities and passwords in such an environment is troublesome for the users. To eliminate this problem, first, users and multiple servers are registered at the registration center (RC). Subsequently, users can make an authentication-and-key-agreement with multiple servers by utilizing the unique identity and password pair. A proposed architecture of the multi-server authentication system is depicted in Figure 1. In 2013, Pippel et al. [27] employed smart cards to present a robust multi-server authentication protocol and proved it to be resistant against various known attacks. In a subsequent work, Li et al. [28] identified that the protocol presented by Pippel et al. is unable to provide correct authentication. Moreover, it cannot withstand impersonation attack and insider attack. Afterwards, Li et al. designed an improved smart card authentication protocol and proved that it can withstand perfect forward secrecy, stolen smart-card attack, offline password guessing attack, and so on. Even so, Srinivas et al. [29] provided that Li et al.’s scheme is unable to resist insider attack, denial-of-service attack, and stolen smart-card attack, and cannot provide perfect forward secrecy. However, we remark that Li et al.’s scheme addresses perfect forward secrecy. As a solution, Srinivas et al. presented an improved two-factor authentication scheme for the same multi-server architecture with reduced computation and communication cost while claiming that their protocol is susceptible to various known attacks. To the best of our knowledge, most of the schemes cannot provide perfect forward secrecy and user un-traceability, and are susceptible to key-compromise user impersonation attack and offline password guessing attack. More precisely, once an authentication-and-key-agreement mechanism fails to ensure user un-traceability, the user’s entire whereabouts are exposed to the attacker. This provides a great deal of convenience for attackers to carry out more attacks. This proposal takes the schemes of Amin et al. and Srinivas et al. as examples to depict how an adversary traces the legal user, effectively guesses the correct password, or succeeds in obtaining the session key. These security flaws usually exist in wireless sensor networks (WSNs) as well [30,31,32,33,34,35,36,37,38,39,40]. Moreover, The methods of attacking and designing we use are very useful and effective in analyzing similar vulnerabilities and designing new protocols in WSNs, respectively.

1.1. Contributions

The key contributions of our proposal are listed as follows: (1) We prove that Amin et al.’s protocol fails to ensure perfect forward secrecy and user un-traceability, and is susceptible to key-compromise user impersonation attack and offline password guessing attack. (2) It is proven that Srinivas et al.’s scheme fails to ensure user un-traceability, and is prone to key-compromise user impersonation attack and offline password guessing attack. (3) To overcome these limitations, we design a two-factor authentication-and-key-agreement scheme for multi-server architecture while incorporating ECC. (4) The presented scheme ensures perfect forward secrecy, user anonymity, and un-traceability. Moreover, it provides security against major attacks, including impersonation attack, offline password guessing attack, key-compromise user impersonation attack, etc. (5) The security analysis using Burrows–Abadi–Needham logic (BAN-Logic) provides that the proposed protocol ensures secured mutual authentication between a remote user and server.

1.2. Outline of This Paper

The remaining contents of the proposal are organized as follows: cryptographic primitive and attacker model are detailed in Section 2. The scheme of Amin et al., and its cryptanalysis are presented in Section 3 and Section 4, respectively. Section 5 and Section 6 provide the scheme of Srinivas et al., and its cryptanalysis, respectively. The improved version of the proposed scheme is provided in Section 7. The heuristic security analysis and BAN-Logic are presented in Section 8 and Section 9, respectively. Section 10 details the security and performance comparisons. Finally, Section 11 contains the concluding remarks.

2. Preliminary

We take advantage of ECC to present a two-factor authentication scheme. The following section briefly introduces the collision-resistant cryptographic one-way hash function as well as some computationally infeasible problems, including the elliptic curve computational Diffie–Hellman Problem (ECCDHP) and the elliptic curve discrete-logarithm problem (ECDLP).

Table 1. Notations and their descriptions.

Symbol	Description	Symbol	Description
$RC$	Registration center	$S_j$	Server
$U_i$	User	$S{C}_i$	Smart card of $U_i$
$I{d}_i$	Identification of user $U_i$	$P{w}_i$	Password belonging to user $U_i$
$r_i,a_i$	Random numbers of $U_i$	p	Large prime
$Q_j=r_{j}P$	Public key of $S_j$	$r_j$	Private key of $S_j$
$c_j,b_j$	Random number of $S_j$	⊕	The bitwise XOR operation
$\left|\right|$	The string concatenation operation	$H(·)$	One-way hash function
$\mathcal{A}$	The malicious adversary	$S{K}_{ij}$	Session key belonging to $U_i$ and $S_j$

depicts some notations and descriptions that are used in the proposed scheme.

2.1. Collision-Resistant One-Way Hash Function

Basically, the one-way hash function $H(·):{\{0,1\}}^{*}\to {\{0,1\}}^n$ requires an input in the form of an arbitrary length binary string $x\in {\{0,1\}}^{*}$, and yields a string in binary form $y=H(x)\in {\{0,1\}}^n$. In brief terms, a cryptographic collision-resistant one-way hash function $H(·)$ ensures the following:

• Given $y\in {\{0,1\}}^n$, it is difficult to determine the input $x\in {\{0,1\}}^{*}$ within polynomial time.
• It is difficult to determine $x^{\prime }\in {\{0,1\}}^{*}$ such that $H(x)=H(x^{\prime })$, where $x^{\prime }\ne x$.
• It is difficult to uncover a pair $(x,x^{\prime })\in {\{0,1\}}^{*}$, such that $x^{\prime }\ne x$ and $H(x)=H(x^{\prime })$ could hold.

2.2. Intractable Problems in ECC

The elliptic curve equation over a finite field $F_p$ in ECC takes the form $E_p(a,b):y^2=x^3+ax+b$$(\mathsf{mod}p)$, where $4a^3+27b\ne 0$$(\mathsf{mod}p)$ and $a,b\in F_p$ [41].

• ECDLP: The elliptic curve discrete-logarithm problem over elliptic curve $E_p(a,b)$ refers to computing $m\in F_p^{*}$ from $Q=mP$ for given $P,Q\in E_p(a,b)$.
• ECCDHP: The elliptic curve computational Diffie–Hellman problem over elliptic curve $E_p(a,b)$ refers to computing $mnP$, given points $mP,nP\in E_p(a,b)$.

2.3. Adversary Model

According to [18,42,43,44,45,46,47], the capacities of $\mathcal{A}$ in authentication and key agreement schemes, which are used in cryptanalysis of Amin et al.’s scheme, Srinivas et al.’s scheme, and our proposed scheme, are listed as follows:

• $\mathcal{A}$ is able to intercept, block, delete, modify, and resend the message contents through an open channel.
• Because identity and password have low entropy, $\mathcal{A}$ can enlist all pairs of $(P{w}_i,I{d}_i)$ simultaneously from $({\mathcal{D}}_{Pw},{\mathcal{D}}_{Id})$ within polynomial time, where ${\mathcal{D}}_{Pw}$ and ${\mathcal{D}}_{Id}$ refer to the space of passwords and identities in ${\mathcal{D}}_{Pw}$ and ${\mathcal{D}}_{Id}$, respectively.
• $\mathcal{A}$ can either acquire $P{w}_i$ of the $U_i$ via malicious device or reveal the information from $SC$, but is not permitted to use both methods together.
• $\mathcal{A}$ can acquire a server’s private key while evaluating forward secrecy or key-compromise user impersonation attack.
• $\mathcal{A}$ has the ability to reveal all parameters of the smart card when assessing stolen smart-card attack, offline password guessing attack, impersonation attack, forward secrecy, etc.

3. Brief Review of Amin et al.’s Proposal

This section provides a brief review of Amin et al.’s [26] authentication scheme for Session Initiation Protocol (SIP). The scheme presented by the authors comprises four stages: initialization, registration, login and authentication, and password updation. We omit the description of the password updation stage.

3.1. Initialization

S takes two large primes p and q as secret parameters to calculate $n=p\times q$ as a public parameter. Afterwards, S chooses a prime e to obtain d by computing $e\times d\equiv 1\mathsf{mod}(p-1)(q-1)$, such that $1<e<(p-1)(q-1)$.

3.2. Registration

• $U_i$ enters an identity $I{d}_i$ and password $P{w}_i$. Subsequently, $U_i$ randomly picks up a number r and calculates $PW{r}_i=H(P{w}_i\left|\right|u)$. Afterwards, $U_i$ transmits the registration request message $\{I{d}_i,PW{r}_i\}$ to S via secure medium.
• Upon receiving the request message $\{I{d}_i,PW{r}_i\}$ from the new user $U_i$, S calculates $CI{d}_i=H(I{d}_i\left|\right|d)$, $Re{g}_i=H(CI{d}_i\left|\right|PW{r}_i\left|\right|I{d}_i)$, and $Y_i=CI{d}_i\oplus H(PW{r}_i\left|\right|I{d}_i)$. Afterwards, S stores the contents $\{Re{g}_i,Y_i,n,e,H(·)\}$ in a new card $SC$ and sends $SC$ to $U_i$.
• Once obtaining $SC$, $U_i$ stores u into $SC$.

3.3. Login and Authentication

• To start the session with the S, $U_i$ inserts $SC$ into a card reader and inputs their login details, including $I{d}_i$ and $P{w}_i$. Subsequently, $SC$ calculates $PW{r}_i=H(P{w}_i\left|\right|r),CI{d}_i=Y_i\oplus H(PW{r}_i\left|\right|I{d}_i)$, and $Re{g}_i=H(DI{d}_i\left|\right|PW{r}_i\left|\right|I{d}_i)$. Afterwards, it verifies the value of $Re{g}_i$. In case of invalid values, the session is ended. Otherwise, $SC$ randomly chooses a number $N_1$, the current time stamp $T_u$, and calculates $D_i=H(CI{d}_i\left|\right|H(PW{r}_i\left|\right|I{d}_i)||T_u\left|\right|N_1)$ and $L_i=(I{d}_i\left|\right|D_i\left|\right|N_1{)}^e\mathsf{mod}n$. Next, $SC$ transmits the login request message $\{L_i,Y_i,T_u\}$ to S.
• Upon receiving the login request from $U_i$, S verifies the time stamp $T_u$ corresponding to the current time stamp $T_s$. In the case of valid time stamp $T_u$, it continues to execute the following steps. Otherwise, it aborts the session. Afterwards, S decrypts $L_i$ to obtain $(I{d}_i^{*}|\left|D_i^{*}\right||N_i^{*})$ and then checks whether $CI{d}_i^{*}=H(I{d}_i^{*}\left|\right|d),H(PW{r}_i\left|\right|I{d}_i{)}^{*}=Y_i\oplus CI{d}_i^{*}$ and $D_i^{**}=H(CI{d}_i^{*}\left|\right|H(PW{r}_i\left|\right|I{d}_i{)}^{*}\left|\right|T_u\left|\right|N_1^{*})$. Afterwards, S checks $D_i^{**}=?D_i^{*}$. After finishing this verification, S randomly selects a number and computes $X_i=H(N_2\left|\right|CI{d}_i),Z_i=N_i\oplus N_2$. Finally, S transmits the respond message $\{X_i,Z_i,T_s\}$ to $SC$ via public channel.
• Once receiving the response message from S, $SC$ checks the validity of $T_s$. After finishing the verification, $SC$ checks whether $N_2^{*}=N_1\oplus Z_i,X_i^{*}=H(N_2^{*}\left|\right|CI{d}_i)$ and verifies $X_i^{*}=?X_i$. If it holds, $U_i$ accepts the response message. Finally, S and $U_i$ calculate the session key: $SK=H(N_1\left|\right|CI{d}_i\left|\right|N_2^{*})=H(N_i^{*}\left|\right|CI{d}_i^{*}\left|\right|N_2).$

4. Limitations of Amin et al.’s Scheme

According to the adversary model presented in Section 2.3, in the following, we prove that Amin et al.’s scheme is unable to provide user un-traceability and perfect forward secrecy, and is prone to key-compromise user impersonation attack and offline password guessing attack.

4.1. User Un-Traceability

Observing the protocol of Amin et al., it can be found that $Y_i$ is transmitted during the login request message stage. However, $Y_i=CI{D}_i\oplus h(PW{r}_i\left|\right|I{D}_i)$ is a fixed value in $SC$, unless $U_i$ changes their password during the password updation stage. Usually, the user does not change their password after every session. Therefore, $U_i$ can be traced by the adversary using $Y_i$. Hence, Amin et al.’s protocol does not ensure user un-traceability.

4.2. Offline Password Guessing Attack

Offline password guessing attack is the main limitation for most of the presented proposals addressing authentication. If $\mathcal{A}$ somehow steals the $SC$ of $U_i$ and embeds the data $\{Re{g}_i,Y_i,r\}$ in it, then the adversary $\mathcal{A}$ can perform the following steps to obtain $I{d}_i$ and $P{w}_i$ of $U_i$.

• From the password dictionary space ${\mathcal{D}}_{PW}$, the adversary $\mathcal{A}$ randomly chooses the password $P{W}^{*}$, and picks up the identity $I{D}^{*}$ from the identity dictionary space ${\mathcal{D}}_{ID}$.
• $\mathcal{A}$ calculates $PW{r}_i^{*}=h(P{w}^{*}\left|\right|r)$.
• $\mathcal{A}$ calculates $CI{D}_i^{*}=Y_i\oplus h(PW{r}_i^{*}\left|\right|I{D}_i^{*})$.
• $\mathcal{A}$ calculates $Re{g}_i^{*}=h(CI{D}_i^{*}\left|\right|PW{r}_i^{*}\left|\right|I{D}_i^{*})$.
• To check the correctness of $P{w}^{*}$ and $I{d}^{*}$, $\mathcal{A}$ examines whether $Re{g}_i^{*}=Re{g}_i$, where $Re{g}_i$ belongs to $SC$ of $U_i$.
• If the aforementioned equality holds, $\mathcal{A}$’s guess results as successful. Otherwise, $\mathcal{A}$ repeats Steps 1–5 until it obtains the correct password and identity of $U_i$.

From the aforementioned procedure, we find that the computational time complexity of offline password guessing attack is $\mathcal{O}(|{\mathcal{D}}_{PW}|\ast |{\mathcal{D}}_{ID}|\ast 3T_h),$ where $|{\mathcal{D}}_{Pw}|,|{\mathcal{D}}_{Id}|$, and $T_h$ refer to the number of ${\mathcal{D}}_{Pw}$, the number of ${\mathcal{D}}_{Id}$, and the performing time of hash function $h(·)$, respectively. According to [48,49,50], usually, $|{\mathcal{D}}_{Id}|<|{\mathcal{D}}_{Pw}|<{10}^6$. Therefore, the aforementioned attack is very efficient. Hence, Amin et al.’s protocol is unable to resist offline password guessing attack. Actually, the verified data $Re{g}_i$ are stored in $U_i$’s smart card, which is the main reason for the success of the above attack. By computing $Re{g}_i$, the smart card is able to check the correct login of the legal user. Moreover, it also gives $\mathcal{A}$ the chance to guess password and identity. Since the identity and password have low entropy in such scenarios, $\mathcal{A}$ can guess them successfully within polynomial time.

4.3. Lacks of Perfect Forward Secrecy

Assume that the $\mathcal{A}$ obtains the long term private key d of S and eavesdrops the transmitted message $\{L_i,Y_i,T_u\},\{X_i,Z_i,T_s\}$. Having that information, $\mathcal{A}$ can easily calculate two key random numbers $\{N_1,N_2\}$. $\mathcal{A}$ undergoes the following procedure to compute $SK$ between $U_i$ and S.

• The adversary $\mathcal{A}$ computes ${(L_i)}^d\mathsf{mod}n=(I{D}_i\left|\right|D_i\left|\right|N_1)$ to obtain $\{I{D}_i,N_1\}$.
• $\mathcal{A}$ computes $CI{D}_i=h(I{D}_i\left|\right|d)$.
• $\mathcal{A}$ computes $N_2=Z_i\oplus N_1$.
• $\mathcal{A}$ computes $SK=h(N_1|\left|CI{D}_i\right||N_2)$.

The computational time overhead of the aforementioned attack is $\mathcal{O}(2T_h+T_e+T_{eor})$, where $T_e$ and $T_{eor}$ are the running time of modular exponentiation and exclusive-or operation, respectively. Therefore, the protocol of Amin et al. does not ensure perfect forward secrecy. This problem can be solved by adding an operation of public key cryptography, which slightly increases the computation load. However, it is a feasible approach in terms of the trade-off between security and practicality.

4.4. Key-Compromise User Impersonation Attack

If the long-term private key d of S is revealed to the adversary $\mathcal{A}$ in Amin et al.’s protocol, $\mathcal{A}$ can impersonate the legitimate user $U_i$ to S as follows:

• $\mathcal{A}$ computes ${(L_i)}^d\mathsf{mod}n=(I{d}_i\left|\right|D_i\left|\right|N_1)$, and subsequently calculates $CI{d}_i=H(I{d}_i\left|\right|d)$ and $A=H(PW{r}_i\left|\right|I{d}_i)=Y_i\oplus CI{d}_i$.
• $\mathcal{A}$ obtains the login request message $\{L_i,Y_i,T_u\}$ of $U_i$, randomly selects a number $N_a$, and computes $D_i^{\prime }=H(CI{d}_i\left|\right|A\left|\right|T_u^{\prime }\left|\right|N_a),L_i^{\prime }=(I{d}_i\left|\right|D_i^{\prime }\left|\right|N_a{)}^e\mathsf{mod}n.$ Afterwards, $\mathcal{A}$ transmits the forged request message $\{L_i^{\prime },Y_i,T_u^{\prime }\}$ to S.
• Upon receiving the forged message, obviously S can verify it successfully. Thus, S randomly provokes a number $N_2^{\prime }$, and computes $X_i^{\prime }=H(N_2^{\prime }\left|\right|CI{d}_i)$ and $Z_i^{\prime }=N_a\oplus N_2^{\prime }$. Finally, S sends $\{X_i^{\prime },Z_i^{\prime },T_s\}$ to $\mathcal{A}$.
• Upon receiving the response from S, $\mathcal{A}$ calculates $N_2^{\prime }=N_a\oplus Z_i^{\prime }$. Finally, the server S believes that $SK=H(N_a|\left|CI{d}_i\right||N_2)$ is the common session key between a legitimate user and itself. However, in actual terms, $\mathcal{A}$ acts as $U_i$.

Therefore, Amin et al.’s protocol is unable to resist key-compromise user impersonation attack.

5. Review of Srinivas et al.’s Scheme

The following section reviews Srinivas et al.’s protocol [29] comprising four steps: initialization, registration, login and authentication, and password updation stage.

5.1. Initialization

The trusted registration center $RC$ during this stage selects a 1024-bit large prime p, generates $g\in Z_p^{*}$, chooses a one-way hash function $H(·):{\{0,1\}}^{*}\to Z_p^{*}$, and randomly picks a number $mk$ as the master secret key.

5.2. Registration Process

5.2.1. Server Registration

$S_j(1\le j\le k)$ chooses a unique identity $SI{d}_j$ and sends $SI{d}_j$ to $RC$ through a secure-medium. Upon receiving $SI{d}_j$, $RC$ calculates $r_j=H(SI{d}_j\left|\right|mk)$, and sends $\{r_j,p,g,H(·)\}$ to $S_j$ through a secure medium.

5.2.2. User Registration

First, a new user $U_i$ selects $I{d}_i$, $P{w}_i$, and randomly chooses a number $r_i$. Subsequently, the user calculates $UI{d}_i=H(I{d}_i\left|\right|r_i),RP{w}_i=H(P{w}_i\left|\right|r_i)$ and sends $\{UI{d}_i,RP{w}_i\}$ to $RC$. Upon receiving the registration request, $RC$ calculates $v_{ij}=H(r_j\left|\right|UI{d}_i),s_{ij}=v_{ij}\oplus RP{w}_i.$ Afterwards, $RC$ sends $U_i$ a new smart card $S{C}_i$ containing $\{s_{i1},s_{i2},\cdots ,s_{ik},p,g,H()\}$ through a secure medium. Finally, upon receiving $S{C}_i$ from $RC$, $U_i$ inputs $B_i=r_i\oplus H(I{d}_i\left|\right|P{w}_i)$ to $S{C}_i$.

5.3. Login and Authentication

• $U_i$ inserts $S{C}_i$ into a card reader and inputs $I{d}_i$ and $P{w}_i$. $S{C}_i$ checks $r_i=B_i\oplus H(I{d}_i\left|\right|P{w}_i)$, $UI{d}_i=H(I{d}_i\left|\right|n)$ and $RP{w}_i=H(P{w}_i\left|\right|r_i)$. Afterwards, $S{C}_i$ randomly generates a number a, chooses the current time stamp $T_i$, and calculates $X_i=g^a\mathsf{mod}p,v_{ij}=s_{ij}\oplus H(UI{d}_i\left|\right|RP{w}_i)$ and $h_{ij}=H(v_{ij}\left|\right|UI{d}_i\left|\right|SI{d}_j\left|\right|T_i\left|\right|X_i)$. Subsequently, $S{C}_i$ transmits the login request message $\{UI{d}_i,X_i,h_{ij},T_i\}$ to $S_j$.
• $S_j$ receives the request message from $U_i$, figures out $h_{ij}^{*}=H(H(r_j\left|\right|UI{d}_i)||UI{d}_i\left|\right|SI{d}_j\left|\right|X_i\left|\right|T_i)$, and checks $h_{ij}^{*}=?h_{ij}$. $S_j$ terminates the login request if the expression does not hold. Apart from that, $S_j$ a random number b and calculates $Y_j=g^b\mathsf{mod}p,z_{ji}={(X_i)}^b\mathsf{mod}p$. Afterwards, $S_j$ picks the current time stamp $T_j$ and computes $S{K}_{ji}=H(UI{d}_i\left|\right|SI{d}_j\left|\right|T_i\left|\right|h_{ij}^{*}\left|\right|T_j\left|\right|z_{ji})$ and $R_j=H(UI{d}_i\left|\right|T_i\left|\right|H(r_j\left|\right|UI{d}_i)||T_j\left|\right|S{K}_{ji}\left|\right|Y_j)$. Finally, $S_j$ sends the response message $\{Y_j,R_j,T_j\}$ to $S{C}_i$.
• On receiving the response message, $S{C}_i$ figures out $z_{ij}={(Y_j)}^a\mathsf{mod}p,$$S{K}_{ij}=H(UI{d}_i\left|\right|SI{d}_j\left|\right|T_i\left|\right|h_{ij}\left|\right|T_j\left|\right|z_{ji})$, and $R_j^{*}=H(UI{d}_i\left|\right|T_i\left|\right|v_{ij}\left|\right|T_j\left|\right|S{K}_{ij}\left|\right|Y_j).$ Subsequently, $S{C}_i$ checks $R_j^{*}=?R_j$ and terminates this login request if the expression does not hold. Otherwise, $S{C}_i$ calculates $R_i=H(UI{d}_i\left|\right|X_i\left|\right|Y_j\left|\right|S{K}_{ij}\left|\right|v_{ij})$ and transmits it to $S_j$ through a public channel.
• Upon acquiring $R_i$, $S_j$ computes $R_i^{*}=H(UI{d}_i\left|\right|X_i\left|\right|Y_j\left|\right|S{K}_{ji}\left|\right|H(r_j\left|\right|UI{d}_i))$ and checks $R_i^{*}=?R_i$. After successful accomplishment of all steps, $S_j$ and $U_i$ believe that they have the common session key $S{K}_{ij}=S{K}_{ji}$.

5.4. Password Updation Stage

After the authentication session between $S{C}_i$ and targeted server $S_j$, $U_i$ inputs $I{d}_i,P{w}_i$, and a new password $P{w}^{new}$. Subsequently, $S{C}_i$ calculates $B_i^{new}=r_i\oplus H(I{d}_i\left|\right|P{w}_i^{new})$ and $s_{ij}^{new}=s_{ij}\oplus H(UI{d}_i\left|\right|H(P{w}_i\left|\right|r_i))\oplus H(UI{d}_i\left|\right|H(P{w}_i^{new}\left|\right|r_i))$, where $1\le j\le k$. Afterwards, $S{C}_i$ replaces $\{s_{i1},s_{i2},\cdots ,s_{ik},B_i\}$ with $\{s_{i1}^{new},s_{i2}^{new},\cdots ,s_{ik}^{new},B_i^{new}\}.$

6. Limitations of Srinivas et al.’s Protocol

According to the adversary model presented in Section 2.3, we present some possible attacks for Srinivas et al.’s protocol, including key-compromise user impersonation attack, offline password guessing attack, and lack of user un-traceability. The details are described in the following sections.

6.1. Offline Password Guessing Attack

Assume that $\mathcal{A}$ extracts the information $\{s_{i1},s_{i2},\cdots ,s_{ik},B_i,p,g,H(·)\}$ of $S{C}_i$ by side-channel attack. Now, $\mathcal{A}$ can execute the following steps to get the correct identity $I{D}_i$ and password $P{W}_i$ of user $U_i$ in polynomial time.

• From the password dictionary space ${\mathcal{D}}_{PW}$, the adversary $\mathcal{A}$ chooses the password $P{W}^{*}$, and picks up the identity $I{d}^{*}$ from the identity dictionary space ${\mathcal{D}}_{Id}$.
• $\mathcal{A}$ computes $n^{*}=B_i\oplus H(I{d}_i\left|\right|P{w}_i)$.
• $\mathcal{A}$ computes $RP{w}_i=H(P{w}_i\left|\right|n^{*})$.
• $\mathcal{A}$ computes $v_{ij}^{*}=s_{ij}\oplus H(UI{d}_i\left|\right|RP{w}_i)$.
• $\mathcal{A}$ computes $h_{ij}^{*}=H(v_{ij}^{*}\left|\right|UI{d}_i\left|\right|SI{d}_j\left|\right|X_i\left|\right|T_i)$.
• $\mathcal{A}$ verifies whether $h_{ij}^{*}=h_{ij}$, where $h_{ij}$ is acquired from smart card of $U_i$.
• If it holds, then $P{w}^{*}$ and $I{d}^{*}$ is the correct identity and password pair. Otherwise, $\mathcal{A}$ repeats Steps 1–6 until it obtains the correct identity and password of $U_i$.

We determine the computational time complexity of the aforementioned attack algorithm. That is,

$$\mathcal{O}(|{\mathcal{D}}_{Pw}|\ast |{\mathcal{D}}_{Id}|\ast 4T_h),$$

where $|{\mathcal{D}}_{Pw}|,|{\mathcal{D}}_{Id}|$, and $T_h$ are the number of ${\mathcal{D}}_{Pw}$, the number of ${\mathcal{D}}_{Id}$, and the time to compute hash function $h(·)$, respectively. According to [48,49,50], usually, $|{\mathcal{D}}_{Id}|<|{\mathcal{D}}_{Pw}|<{10}^6$. Therefore, the offline password guessing attack is very efficient. Thus, Srinivas et al.’s protocol is not resistant against offline password guessing attack.

6.2. Lack of User Un-Traceability

It can be observed from Srinivas et al.’s protocol that the attacker can get $UI{d}_i$ transmitted within the login request message. Since $UI{d}_i=H(I{d}_i\left|\right|r_i)$ is a fixed value, where $I{d}_i$ and $r_i$ are invariable, unless the user $U_i$ changes their password during the password updation stage, any adversary can trace the user $U_i$ by using $UI{d}_i$. Therefore, Srinivas et al.’s protocol cannot provide user un-traceability.

6.3. Key-Compromise User Impersonation Attack

If the long-term private key $r_j$ of $S_j$ is revealed to $\mathcal{A}$ in Srinivas et al.’s protocol, then $\mathcal{A}$ can adopt the following actions to impersonate the legitimate $U_i$ to $S_j$.

• $\mathcal{A}$ intercepts the login request message $\{UI{d}_i,X_i,h_{ij},T_i\}$ of $U_i$, and calculates $v_{ij}=H(r_j\left|\right|UI{d}_i)$.
• $\mathcal{A}$ randomly selects a number $a^{\prime }$ to compute $X_i^{\prime }=g^{a^{\prime }}\mathsf{mod}p,h_{ij}^{\prime }=H(v_{ij}\left|\right|UI{d}_i\left|\right|SI{d}_j\left|\right|X_i^{\prime }\left|\right|T_i^{\prime })$. Afterwards, $\mathcal{A}$ sends the forged login request message $\{UI{d}_i,X_i^{\prime },h_{ij},T_i^{\prime }\}$ to $S_j$.
• Obviously, the forged message can pass the verification of $S_j$. Thus, $S_j$ randomly chooses a number $b^{\prime }$ to compute $Y_j^{\prime }=g^{b^{\prime }}\mathsf{mod}p,$$z_{ji}^{\prime }={(X_i^{\prime })}^{b^{\prime }}\mathsf{mod}p$. Subsequently, $S_j$ chooses the current time stamp $T_j^{\prime }$ to compute $S{K}_{ji}^{\prime }=H(UI{d}_i\left|\right|SI{d}_j\left|\right|T_i^{\prime }\left|\right|h_{ij}^{\prime }\left|\right|T_j^{\prime }\left|\right|z_{ji}^{\prime })$ and $R_j^{\prime }=H(UI{d}_i\left|\right|T_i^{\prime }\left|\right|H(r_j\left|\right|UI{d}_i)||T_j^{\prime }\left|\right|S{K}_{ji}^{\prime }\left|\right|Y_j^{\prime })$. Finally, $S_j$ sends the response message $\{Y_j^{\prime },R_j^{\prime },T_j^{\prime }\}$ to $\mathcal{A}$.
• On receiving the response message, $\mathcal{A}$ figures out $z_{ij}^{\prime }={(Y_j^{\prime })}^{a^{\prime }}\mathsf{mod}p,S{K}_{ij}^{\prime }=H(UI{d}_i\left|\right|SI{d}_j\left|\right|T_i^{\prime }\left|\right|h_{ij}^{\prime }\left|\right|T_j^{\prime }\left|\right|z_{ij}^{\prime }).$ Subsequently, $\mathcal{A}$ calculates $R_i^{\prime }=H(UI{d}_i\left|\right|X_i^{\prime }\left|\right|Y_j^{\prime }\left|\right|S{K}_{ij}^{\prime }\left|\right|v_{ij}^{\prime })$ and transmits it to $S_j$ through a public channel.
• $S_j$ receives $R_i^{\prime }$, computes $R_i^{″}=H(UI{d}_i\left|\right|X_i^{\prime }\left|\right|Y_j^{\prime }\left|\right|S{K}_{ji}^{\prime }\left|\right|H(r_j\left|\right|UI{d}_i))$, and checks whether $R_i^{″}=?R_i^{\prime }$. After finishing all steps successfully, $S_j$ believes that it holds the common session key $S{K}_{ij}^{\prime }=S{K}_{ji}^{\prime }$ with $U_i$. Actually, however, $\mathcal{A}$ plays as $U_i$. Thus, $\mathcal{A}$ successfully impersonated $U_i$ to $S_j$ under the condition that the long-term private key of the server was leaked.

Therefore, Srinivas et al.’s protocol is prone to key-compromise user impersonation attack.

7. The Improved Scheme

The following section presents an improved mutual authentication protocol that gets motivation from Srinivas et al.’s [29] scheme to incorporate ECC. The presented solution not only remedies the limitations of Amin et al.’s [26] and Srinivas et al.’s [29] schemes, but also ensures mutual authentication and is resistant to many known attacks. The presented scheme comprises five stages: initialization, server registration, user registration, authentication-and-key-agreement, and password updating. The notations of the presented scheme are listed in Table 1. Figure 2, Figure 3 and Figure 4 depict the registration and authentication process of the proposed protocol.

7.1. Initialization

$RC$ chooses an elliptic curve $E_p(a,b)$ from $F_p$, where p is a 160-bit-long prime number. Afterwards, $RC$ selects a fixed point $P\ne \infty \in E_p(a,b)$, and one-way hash function $H():{\{0,1\}}^{*}\to Z_p^{*}$, and randomly picks a number as $mk$.

7.2. Server Registration

• $S_j$ chooses an identity $SI{d}_j$ and transmits it to $RC$ via a secure-medium.
• $RC$ receives the registration message, randomly generates a number $s_j\in Z_p^{*}$, and computes $r_j=H(SI{d}_j\left|\right|mk\left|\right|s_j),Q_j=r_{j}P.$ Subsequently, $RC$ randomly generates a number $c_j$ for $S_j$. Finally, $RC$ sends $\{r_j,Q_j,c_j,P,H(·)\}$ to $S_j$ through secure-medium.
• $S_j$ stores $\{r_j,Q_j,c_j,P,H(·)\}$ in its database.

7.3. User Registration

After the successful registration of $U_i$ with $RC$, $U_i$ can communicate with any server $S_j(1\le j\le k)$.

• $U_i$ selects $I{d}_i$, $P{w}_i$, and randomly generates a number $r_i\in Z_p^{*}$ to compute $RP{w}_i=H(I{d}_i\left|\right|P{w}_i\left|\right|r_i)$. Afterwards, $U_i$ transmits the registration request message $\{I{d}_i,RP{w}_i\}$ to $RC$ through a secure medium.
• Upon receiving the registration message, $RC$ randomly generates numbers $r_s\in Z_p^{*},2^4\le n_0\le 2^8$, and computes the following: $A_i=H((H(I{d}_i)\oplus RP{w}_i)\mathsf{mod}{n}_0),$$v_{ij}=H(r_j\left|\right|I{d}_i\left|\right|c_j),$$s_{ij}=v_{ij}\oplus H(I{d}_i\left|\right|RP{w}_i)$, where $(1\le j\le k)$. Afterwards, $RC$ inserts $\{A_i,s_{ij}(1\le j\le k)$, $n_0,Q_j,P,H(·)\}$ into a new $S{C}_i$. and sends it to $U_i$ through secure-medium.
• $U_i$ stores $r_i$ in $S{C}_i$.

7.4. Login and Mutual Authentication

$U_i$ initiates the login and authentication request for sending to $S_j$ by performing the following steps.

• $U_i$ inserts $S{C}_i$ into a card reader and inputs $I{d}_i$, $P{w}_i$. $S{C}_i$ computes $RP{w}_i=H(I{d}_i\left|\right|P{w}_i\left|\right|r_i)$, and subsequently calculates $A_i^{*}=H((H(I{d}_i)\oplus RP{w}_i)\mathsf{mod}{n}_0)$. Afterwards, $S{C}_i$ inspects the correctness of $A_i^{*}$ while comparing it with the value of $A_i$ sorted in $S{C}_i$. If $A_i^{*}=A_i$, $I{d}_i$ and $P{w}_i$ are validated. Otherwise, the session is expired. $S{C}_i$ continues to compute $v_{ij}=s_{ij}\oplus H(I{d}_i\left|\right|RP{w}_i)$ and randomly selects a number $a_i\in Z_p^{*}$ to calculate the following: $X_i=a_{i}P,X_{ij}=a_i{Q}_j,PI{d}_i=H(X_{ij})\oplus I{d}_i,h_i=h(v_{ij}\left|\right|I{d}_i\left|\right|SI{d}_j\left|\right|X_{ij}\left|\right|X_i).$ Finally, $U_i$ transmits the request $\{PI{d}_i,X_i,h_{ij}\}$ to $S_j$ via an open channel.
• After receiving $\{PI{d}_i,X_i,h_{ij}\}$, $S_j$ calculates $X_{ij}^{*}=r_j{X}_i$, $I{d}_i^{*}=PI{d}_i\oplus H(X_{ij}^{*})$ and $v_{ij}^{*}=H(r_j\left|\right|I{d}_i^{*}\left|\right|c_j).$ Afterwards, $S_j$ computes $h_i^{*}=h(v_{ij}^{*}\left|\right|I{d}_i^{*}\left|\right|SI{d}_j\left|\right|X_{ij}^{*}\left|\right|X_i).$ Then, $S_j$ verifies $h_i^{*}\stackrel{?}{=}{h}_i$. In the case of invalidation, $S_j$ terminates the session and sets the counter $N=1$. $S_j$ keeps suspending the card until $U_i$ registers again if N surpasses some threshold mark (e.g., 8). Otherwise, $S_j$ randomly selects a number $b_j$ to compute $Y_j=b_{j}P,z_{ij}=b_i{X}_i$, $S{K}_{ij}=H(I{d}_i\left|\right|SI{d}_j\left|\right|v_{ij}\left|\right|z_{ij}\left|\right|X_{ij}^{*}),$ and $R_j=H(PI{d}_i\left|\right|v_{ij}\left|\right|S{K}_{ij}\left|\right|X_i\left|\right|Y_j).$ Finally, $S_j$ sends the response message $\{Y_j,R_j\}$ to $U_i$ via open channel.
• Upon receiving the respond message $\{Y_j,R_j\}$, $U_i$ computes $z_{ij}^{*}=a_i{Y}_i$, $S{K}_{ij}^{*}=H(I{d}_i\left|\right|SI{d}_j\left|\right|v_{ij}\left|\right|z_{ij}^{*}\left|\right|X_{ij}),$ and $R_j^{*}=H(PI{d}_i\left|\right|v_{ij}\left|\right|S{K}_{ij}^{*}\left|\right|X_i\left|\right|Y_j).$ Subsequently, $U_i$ checks whether $R_j^{*}\stackrel{?}{=}{R}_j$. The session is aborted if these are not equal, . Otherwise, $S_j$ is authenticated by $U_i$ and $U_i$ accepts $S{K}_{ij}^{*}$. Afterwards, $U_i$ computes $R_i=H(v_{ij}\left|\right|X_i\left|\right|Y_j\left|\right|S{K}_{ij}^{*}\left|\right|I{d}_i).$ Finally, $U_i$ transmits the challenge message $R_i$ to $S_j$ through an open channel.
• Upon receiving the challenge message from $U_i$, $S_j$ computes $R_i^{*}=H(v_{ij}\left|\right|X_i\left|\right|Y_j\left|\right|S{K}_{ij}^{*}\left|\right|I{d}_i)$ and verifies whether $R_i^{*}\stackrel{?}{=}{R}_i$. If these are equal, then $U_i$ is authenticated successfully.

Finally, both $U_i$ and $S_j$ share the common session key $SK=S{K}_{ij}^{*}=S{K}_{ij}$.

7.5. Password Updation

$U_i$ is able to change their password whenever they want, for which $U_i$ and $S{C}_i$ have to undergo the following procedure:

• $U_i$ inserts the $S{C}_i$ into a card reader and inputs $I{d}_i$, current password $P{w}_i$, and password to be updated $P{w}_i^{*}$.
• $S{C}_i$ computes $RP{w}_i=H(I{d}_i\left|\right|P{w}_i\left|\right|r_i),$ and $A_i^{\prime }=H((H(I{d}_i)\oplus RP{w}_i)\mathsf{mod}{n}_0).$ Afterwards, $S{C}_i$ checks whether $A_i^{\prime }\stackrel{?}{=}{A}_i$. In case of inequality, $S{C}_i$ refuses $U_i$ to update the password.
• Apart from that, $S{C}_i$ randomly selects a number $r_i^{*}$ to compute $RP{w}_i^{*}=H(I{d}_i\left|\right|P{w}_i^{*}\left|\right|r_i^{*}),$$s_{ij}^{*}=s_{ij}\oplus H(I{d}_i\left|\right|RP{w}_i^{*})\oplus H(I{d}_i\left|\right|RP{w}_i^{*}).$ Subsequently, $S{C}_i$ computes $A_i^{*}=H((H(I{d}_i)\oplus RP{w}_i^{*})$$\mathsf{mod}{n}_0).$ Finally, $S{C}_i$ replaces $r_i,A_i,s_{ij}$ with $r_i^{*},A_i^{*},s_{ij}^{*}$, respectively.

Remark: As Amin et al.’s scheme and Srinivas et al.’s scheme are vulnerable to offline password guessing attack and key-compromise user impersonation attack and cannot provide user un-traceability, and because Amin et al.’s scheme cannot provide perfect forward secrecy, in the proposed scheme: (1) we employ “honey words” + “fuzzy-verifiers” to resist against offline password guessing attack [42]; (2) according to [47], to provide perfect forward secrecy, we use public key cryptosystems (e.g., ECC); (3) we store a secret parameter $c_j$ in the server database which cannot be compromised by the adversary in order to resist key-compromise user impersonation attack; and (4) to provide user un-traceability, we deploy a dynamic identity technique via a public key algorithm, that is, $PI{d}_i$.

8. Security Inspection

This section provides the details of how the presented protocol ensures the security against all known attacks, including key-compromise user impersonation attack and offline password guessing attack. Further, it also offers more comprehensive security features, in particular, user un-traceability and perfect forward secrecy under the capabilities of the adversary that were introduced in Section 2.3.

8.1. User Un-Traceability and Anonymity

During the login authentication stage, $I{d}_i$ is not sent through the public channel. Even if $\mathcal{A}$ intercepts the login request messages $\{PI{D}_i,X_i,h_{ij}\}$ from the public channel, $\mathcal{A}$ still cannot extract $I{d}_i$ from $PI{d}_i$, because $PI{d}_i$ is protected by $H(X_{ij})$ and is a dynamic identity. Thus, the proposed scheme provides the user un-traceability and anonymity.

8.2. Stolen Smart-Card Attack

In the proposed scheme, even if $\mathcal{A}$ steals $S{C}_i$ of $U_i$, then $\mathcal{A}$ can extract the parameters $\{A_i,r_i,s_{ij}(1\le j\le k),n_0,Q_j,P,H(·)\}$ stored in $S{C}_i$ utilizing power analysis technology, and captures the transmitted message over a public channel. However, as per the following details, $\mathcal{A}$ cannot execute any attack. Thus, the presented protocol is secured against stolen smart-card attack.

8.3. Offline Password Guessing Attack

Assuming that $\mathcal{A}$ steals $S{C}_i$ and extracts $\{A_i,r_i,s_{ij}(1\le j\le k),n_0,Q_j,P,H(·)\}$ stored in it. $\mathcal{A}$ intercepts all messages $\{PI{d}_i,X_i,h_{ij}\},\{Y_j,R_j\},\left\{R_i\right\}$ over a public channel. If $\mathcal{A}$ guesses an ID $I{d}_i^{\prime }$ and a password $P{w}_i^{\prime }$, $\mathcal{A}$ can calculate $RP{w}_i^{\prime }=H(I{d}_i^{\prime }\left|\right|P{w}_i^{\prime }\left|\right|r_i)$, and then figures out $A_i^{\prime }=H((H(I{d}_i)\oplus RP{w}_i^{\prime })\mathsf{mod}{n}_0)$. Afterwards, $\mathcal{A}$ examines whether $A_i^{\prime }\stackrel{?}{=}{A}_i$. According to [42], $\mathcal{A}$ can obtain the reduced password guessing space of size $\frac{\left|\mathcal{D}\right|}{n_0}$, where $\mathcal{D}$ is the space of passwords. Further, $\mathcal{A}$ can guess the correct password only by online password guessing. However, $S_j$ prevents this guessing by using a login request threshold value (e.g., 8). Once the number of online guesses exceeds the threshold value, $S_j$ will terminate communication and suspend $S{C}_i$ until $U_i$ registers again. Therefore, the presented scheme offers resistance against offline password guessing attack.

8.4. Privileged Insider Attack

If an internal attacker eavesdrops the registration information $\{I{d}_i,RP{w}_i\}$ during user registration, $\mathcal{A}$ is unable to get $P{w}_i$, because it is secured by one-way hash function $H(·)$ as well as with random number $r_i$. Thus, the presented scheme is immune to the privileged insider attack.

8.5. Key-Compromise User Impersonation Attack

If the adversary steals the long-term private key of the server, it is still unable to impersonate the user to the server. This kind of attack is referred to as a key-compromise user impersonation attack. In the presented protocol, even if $r_j$ of $S_j$ is revealed to $\mathcal{A}$, still $\mathcal{A}$ cannot determine $v_{ij}=H(r_j\left|\right|I{d}_i\left|\right|c_j)$, because $\mathcal{A}$ is unable to obtain the random number $c_j$. Therefore, $\mathcal{A}$ cannot forge the login request message $\left\{h_{ij}\right\}$, and therefore cannot be authenticated by $S_j$. That is, $\mathcal{A}$ cannot impersonate $U_i$. Thus, the presented protocol is insusceptible to key-compromise user impersonation attack. Further, it implies that the presented scheme ensures resistance against user impersonation attack.

8.6. Server Impersonation Attack

$\mathcal{A}$ intercepts the response message $\{Y_j,R_j\}$ if $\mathcal{A}$ tries to make a server impersonation attack. $\mathcal{A}$ randomly generates a number $b_j^{\prime }$ to compute $Y_j^{\prime }=b_j^{\prime }P,z_{ij}^{\prime }=b_j^{\prime }{X}_i$. Afterwards, $\mathcal{A}$ tries to compute $S{K}_{ij}^{\prime }$ and $R_j^{\prime }$. Since $\mathcal{A}$ does not know $v_{ij}$ and $X_{ij}^{*}$ computed by the secret key $\{r_j,c_j\}$ of $S_j$, $\mathcal{A}$ is unable to calculate $S{K}_{ij}^{\prime }$ and cannot forge $R_j$. Thus, $\mathcal{A}$ cannot carry out the server impersonation attack.

8.7. Replay Attack

If $\mathcal{A}$ intercepts the login message $\{PI{d}_i,X_i,h_{ij}\}$ from $U_i$, and wants to replay this message to $S_j$. This replay attack is easily captured by inspecting the freshness of $X_i$ in the presented scheme, where $X_i=a_{i}P$, and $a_i$ is a random number. Similarly, replaying the challenging message and response message is detected by either $U_i$ or $S_j$. Thereupon, it is inferred that the presented protocol is immune to replay attack.

8.8. Known Key Security

Suppose that $\mathcal{A}$ compromises the previous session key $S{K}_{ij}=H(I{d}_i\left|\right|SI{d}_j\left|\right|v_{ij}\left|\right|z_{ij}\left|\right|X_{ij})$ between $U_i$ and $S_j$. However, the next session key $S{K}_{ij}^{\prime }$ will be computed by new random numbers $a_i^{\prime }$ and $b_j^{\prime }$. That is, $S{K}_{ij}^{\prime }=H(I{d}_i\left|\right|SI{d}_j\left|\right|v_{ij}\left|\right|z_{ij}^{\prime }\left|\right|X_{ij}^{\prime })$. To calculate the new session key, $\mathcal{A}$ has to compute $a_i^{\prime },b_j^{\prime },a_i^{\prime }{b}_j^{\prime }P,a_i^{\prime }{Y}_j,b_j^{\prime }{X}_i$ from $X_i^{\prime },Y_j^{\prime }$. However, this is computationally infeasible for $\mathcal{A}$ because of $ECDLP$ and $ECCDHP$. Therefore, the presented scheme offers known key security.

8.9. Mutual Authentication

In the proposed scheme, only the legitimate $h_{ij}$ and $R_i$ can be verified by $S_j$, and only the legitimate $R_j$ can be verified as the user $U_i$. That is, the proposed scheme allows $S_j$ and $U_j$ to authenticate each other. Thus, the presented protocol ensures mutual authentication between a legitimate $U_i$ and $S_j$.

8.10. Man-in-the-Middle Attack

It is impossible for $\mathcal{A}$ in the proposed scheme to compute the correct login request and challenge message. Therefore, $\mathcal{A}$ cannot be authenticated by the server. Moreover, $\mathcal{A}$ is unable to calculate the correct response message, and thus $\mathcal{A}$ cannot pass the user verification. It is therefore inferred that the proposed scheme is immune to man-in-the-middle attack.

8.11. Denial-of-Service Attack

If $U_i$ wants the login authentication in the proposed scheme, it must input the correct $I{d}_i$ and $P{w}_i$ to pass the verification of $SC$. If $\mathcal{A}$ inputs wrong $I{d}_i$ and $P{w}_i$ into $SC$, $\mathcal{A}$ is unable to compute the correct login request message. Moreover, if $U_i$ wants to update the password, it has to pass the verification of $SC$. An incorrect or previous password cannot pass the verification. Therefore, the proposed scheme ensures resistance against denial-of-service attack.

8.12. Perfect Forward Secrecy

Suppose that $r_j$ of $S_j$ is compromised and $\mathcal{A}$ acquires $r_i$, $I{d}_i$, and $P{w}_i$. To calculate the correct $S{K}_{ij}=H(I{d}_i\left|\right|SI{d}_j\left|\right|v_{ij}\left|\right|z_{ij}\left|\right|X_{ij})$, $\mathcal{A}$ is required to calculate $z_{ij},X_{ij}$. However, it is impossible for $\mathcal{A}$ to compute $z_{ij},X_{ij}$ because of $ECDLP$ and $ECCDHP$. Thus, $\mathcal{A}$ is not capable of figuring out $S{K}_{ij}$. Therefore, the presented protocol ensures perfect forward secrecy.

9. BAN-Logic  Proof

BAN is a logic of belief. The intended use of BAN is to analyze authentication protocols by deriving the beliefs that honest principals correctly executing a protocol can come to as a result of the protocol execution. For example, a user might come to believe that a session key they have negotiated with a server is a good key for a future session [51]. This section incorporates the BAN-Logic [52] to prove the session key agreement between user $U_i$ and server $S_j$ after the execution of the improved scheme. BAN-Logic notations and Basic BAN-Logic postulates are described in

Table 2. Burrows–Abadi–Needham logic (BAN-Logic) notations.

Symbol	Description
$A|\equiv X$	A has trust on X
$A⊲X$	A acquires/observes X
$A|\sim X$	A sends X X (or A once called)
$A|\Rightarrow X$	A regulates X
$♯(X)$	X is fresh
$A\stackrel{K}{⟷}B$	A and B utilize shared key K for communication
${(X,Y)}_K$	use K as key to compute hash values of X and Y
$<X{>}_K$	X is exclusive or-ed with K

and

Table 3. Basic BAN-Logic postulates

Rule	Description
$\mathrm{Message}-\mathrm{meaning}\mathrm{rule}$	$\frac{A|\equiv A\stackrel{K}{⟷}B,A⊲{(X)}_K}{A|\equiv B|\sim X}$
$\mathrm{Nonce}\mathrm{verification}\mathrm{rule}$	$\frac{A|\equiv ♯(X),A|\equiv B|\sim X}{A|\equiv B|\equiv X}$
$\mathrm{Jurisdiction}\mathrm{rule}$	$\frac{A|\equiv B|\Rightarrow X,A|\equiv B|\equiv X}{A|\equiv X}$
$\mathrm{Freshness}\mathrm{conjuncatenation}\mathrm{rule}$	$\frac{A|\equiv ♯(X)}{A|\equiv ♯(X,Y)}$
$\mathrm{Believe}\mathrm{rule}$	$\frac{A|\equiv B|\equiv (X,Y)}{A|\equiv B|\equiv X}$, $\frac{A|\equiv X,A|\equiv Y}{A|\equiv (X,Y)}$

.

9.1. Idealized Scheme

The ideal form of the presented protocol is derived as follows:

Message 1.

$U_i\to S_j$: $X_i$, $<I{d}_i{>}_{U_i\stackrel{H(X_{ij})}{⟷}{S}_j},{(I{d}_i,SI{d}_j,X_{ij},X_i)}_{U_i\stackrel{v_{ij}}{⟷}{S}_j},{(X_i,Y_j,U_i\stackrel{SK}{⟷}{S}_j,I{d}_i)}_{U_i\stackrel{v_{ij}}{⟷}{S}_j}.$

Message 2.

$S_j\to U_i$: $Y_j$, ${(PI{d}_i,U_i\stackrel{SK}{⟷}{S}_j,X_i,Y_j)}_{U_i\stackrel{v_{ij}}{⟷}{S}_j}$.

9.2. Security Objectives

We prove that the improved scheme can satisfy the following objective:

Objective 1.

$U_i|\equiv S_j|\equiv (U_i\stackrel{SK}{⟷}{S}_j).$

Objective 2.

$U_i|\equiv (U_i\stackrel{SK}{⟷}{S}_j).$

Objective 3.

$S_j|\equiv U_i|\equiv (U\stackrel{SK}{⟷}{S}_j).$

Objective 4.

$S_j|\equiv (U_i\stackrel{SK}{⟷}{S}_j).$

9.3. Initiative Premises

For the initial status of the proposed scheme, the following assumptions are made.

IP 1.

$U_i|\equiv ♯(a_i)$.

IP 2.

$S_j|\equiv ♯(b_j)$.

IP 3.

$U_i|\equiv (U_i\stackrel{X_{ij}}{⟷}{S}_j)$.

IP 4.

$S_j|\equiv (U_i\stackrel{X_{ij}}{⟷}{S}_j)$.

IP 5.

$U_i|\equiv (U_i\stackrel{v_{ij}}{⟷}{S}_j)$.

IP 6.

$S_j|\equiv (U_i\stackrel{v_{ij}}{⟷}{S}_j)$.

IP 7.

$U_i|\equiv S_j\Rightarrow (U_i\stackrel{SK}{⟷}{S}_j)$.

IP 8.

$S_j|\equiv U_i\Rightarrow (U_i\stackrel{SK}{⟷}{S}_j)$.

9.4. Proof Procedure

The main proof steps of the proposed scheme are presented below.

Step 1.

From Message 2, it shows the following:

$$U_i⊲{(PI{d}_i,U_i\stackrel{SK}{⟷}{S}_j,X_i,Y_j)}_{U_i\stackrel{v_{ij}}{⟷}{S}_j}.$$

Step 2.

From Step 1, IP 5, and the message-meaning rule, it illustrates the following:

$$U_i|\equiv S_j|\sim (PI{d}_i,U_i\stackrel{SK}{⟷}{S}_j,X_i,Y_j).$$

Step 3.

From IP 1 and the freshness conjuncatenation rule, the following can be inferred:

$$U_i|\equiv ♯(PI{d}_i,U_i\stackrel{SK}{⟷}{S}_j,X_i,Y_j).$$

Step 4.

From Steps 2 and 3, the freshness rule, and the nonce verification rule, we obtain the following:

$$U_i|\equiv S_j|\equiv (PI{d}_i,U_i\stackrel{SK}{⟷}{S}_j,X_i,Y_j).$$

Step 5.

From Step 4 and the believe rule, we deduce the first objective as follows:

$$U_i|\equiv S_j|\equiv (U_i\stackrel{SK}{⟷}{S}_j)(\mathbf{Objective}\mathbf{1}).$$

Step 6.

From Objective 1, IP 7, and the jurisdiction rule, we accomplish the second objective as follows:

$$U_i|\equiv (U_i\stackrel{SK}{⟷}{S}_j)(\mathbf{Objective}\mathbf{2}).$$

Step 7.

From Message 1, it indicates the following:

$$S_j⊲{(X_i,Y_j,U_i\stackrel{SK}{⟷}{S}_j,I{d}_i)}_{U_i\stackrel{v_{ij}}{⟷}{S}_j}.$$

Step 8.

From Step 7, IP 6, and the message meaning rule, the following can be inferred:

$$S_j|\equiv U_i|\sim (X_i,Y_j,U_i\stackrel{SK}{⟷}{S}_j,I{d}_i).$$

Step 9.

From IP 2 and the freshness conjuncatenation rule, the following can be obtained:

$$S_j|\equiv ♯(X_i,Y_j,U_i\stackrel{SK}{⟷}{S}_j,I{d}_i).$$

Step 10.

From Steps 8 and 9, the freshness rule, and the nonce-verification rule, we determine the following:

$$S_j|\equiv U_i|\equiv (X_i,Y_j,U_i\stackrel{SK}{⟷}{S}_j,I{d}_i).$$

Step 11.

From Step 10 and the believe rule, the third objective can be achieved as follows:

$$S_j|\equiv U_i|\equiv U_i\stackrel{SK}{⟷}{S}_j(\mathbf{Objective}\mathbf{3}).$$

Step 12.

From Objective 3, IP 8, and the jurisdiction rule, the fourth objective is accomplished as follows:

$$S_j|\equiv (U_i\stackrel{SK}{⟷}{S}_j)(\mathbf{Objective}\mathbf{4}).$$

By accomplishing Objectives 1–4, both $U_i$ and $S_j$ believe that the $SK$ is settled between them. Therefore, the proposed scheme ensures mutual authentication along with key agreement.

10. Performance Comparison

This section analyzes the computational and security performance of the presented scheme while comparing it with multiple schemes, including those of Awasthi et al. [23], Huang et al. [25], Amin et al. [26], Pippal et al. [27], Li et al. [28], and Srinivas et al. [29]. The exclusive-OR operation and string concatenation are usually neglected when comparing the computational cost. However, the following operations are considered: $T_{me}$, the execution time of point multiplication operation; $T_e$, the time for execution of modular exponentiation operation; $T_h$, the running time of a hash operation; and $T_{mm}$, the running time for modular multiplication operation. More precisely, we compare the experimental results of the aforementioned operations as performed by [53,54], where $T_e$, $T_{me}$, $T_h$, and $T_{mm}$ take $3.85$ ms, $2.226$ ms, $0.0023$ ms, and $0.001855$ ms, respectively (

Table 4. The performing time of cryptographic operations (adapted from [53,54]).

Symbol	${\mathit{T}}_{\mathit{e}}$	${\mathit{T}}_{\mathit{me}}$	${\mathit{T}}_{\mathit{h}}$	${\mathit{T}}_{\mathit{mm}}$
Time	$3.85$ ms	$2.226$ ms	$0.0023$ ms	$0.001855$ ms

). Following [53,54], the aforementioned operations were executed on a computing platform having Intel Pentium Dual Core E2200 2.20 GHz processor, the Ubuntu 12.04.1 LTS 32-bits operating system, and 2048 MB of RAM.

In

Table 5. Comparison of security features.

	Schemes	Awasthi et al. [23]	Huang et al. [25]	Amin et al. [26]	Pippal et al. [27]	Li et al. [28]	Srinivas et al. [29]	Proposed Scheme
Features
$C_1$		No	No	No	No	No	No	Yes
$C_2$		No	No	No	No	No	No	Yes
$C_3$		No	No	No	No	No	No	Yes
$C_4$		No	No	Yes	No	No	Yes	Yes
$C_5$		No	No	No	No	No	No	Yes
$C_6$		No	Yes	Yes	No	No	Yes	Yes
$C_7$		Yes	Yes	Yes	Yes	Yes	Yes	Yes
$C_8$		N/A	N/A	Yes	Yes	Yes	Yes	Yes
$C_9$		Yes	Yes	Yes	Yes	Yes	Yes	Yes
$C_{10}$		No	Yes	Yes	No	No	Yes	Yes
$C_{11}$		No	No	Yes	No	No	Yes	Yes
$C_{12}$		N/A	N/A	No	Yes	Yes	Yes	Yes

$C_1$ provides user anonymity and un-traceability. $C_2$ resists stolen smart-card attack. $C_3$ resists offline password guessing attack. $C_4$ resists privileged insider attack. $C_5$ resists (key-compromised) user impersonation attack. $C_6$ resists server-impersonation attack. $C_7$ resists replay attack. $C_8$ provides known key security. $C_9$ provides mutual authentication. $C_{10}$ resists man-in-the-middle attack. $C_{11}$ resists denial-of-service attack. $C_{12}$ provides perfect forward secrecy.

, we compare the schemes of [23,25,26,27,28,29] with the presented protocol in terms of security. In Table 5, we observe that [23,25,26,27,28,29] cannot provide $[C_1-C_3,C_5]$ features. The scheme in [26] is still unable to provide perfect forward secrecy $\left[C_{12}\right]$, although the authors used RSA-based public cryptography. The proposed scheme fulfills all known security features $[C_1-C_{12}]$. Thus, the presented scheme surpasses [23,25,26,27,28,29] in terms of security.

Table 6. Comparison of computational complexity.

	Cost	User Computation	Server Computation	Total
Schemes
Awasthi et al. [23]		$3T_e+3T_{mm}+2T_h$	$3T_e+T_{mm}+3T_h$	$6T_e+4T_{mm}+5T_h\approx 23.1189$ ms
Huang et al. [25]		$2T_e+2T_h$	$3T_e+3T_h$	$5T_e+5T_h\approx 19.2615$ ms
Amin et al. [26]		$T_e+6T_h$	$T_e+4T_h$	$2T_e+10T_h\approx 7.723$ ms
Pippal et al. [27]		$3T_e+T_{mm}+4T_h$	$4T_e+T_{mm}+3T_h$	$7T_e+2T_{mm}+7T_h\approx 26.9698$ ms
Li et al. [28]		$T_e+5T_h$	$3T_e+8T_h$	$4T_e+13T_h\approx 15.4299$ ms
Srinivas et al. [29]		$2T_e+8T_h$	$2T_e+4T_h$	$4T_e+12T_h\approx 15.676$ ms
Proposed scheme		$3T_{me}+9T_h$	$3T_{me}+6T_h$	$6T_{me}+15T_h\approx 13.3905$ ms

presents the computational cost of the schemes [23,25,26,27,28,29] and the proposed scheme for login and authentication. The computational cost of the proposed protocol is comparatively lower than the schemes in [23,25,27,28,29], but slightly higher than the scheme in [26]. However, according to Table 5, the scheme in [26] cannot address $[C_1-C_3,C_5,C_{12}]$ security features. Thus, combining Table 5 and Table 6, we remark that the presented solution is more feasible for practical multi-server environments in terms of the trade-off between usability and security.

11. Conclusions

This paper first analyzes Amin et al.’s [26] scheme and proves that the considered scheme cannot provide perfect forward secrecy and user un-traceability, and is susceptible to offline password guessing attack and key-compromise user impersonation attack. Second, we review Srinivas et al.’s [29] multi-server authentication scheme while proving that it cannot resist offline password guessing attack and key-compromise user impersonation attack, and is unable to ensure user un-traceability. Afterwards, to address the limitations of prevalent works, we put forward an enhanced multi-server two-factor authentication scheme. Heuristic analysis and BAN-Logic proof ensure that the presented scheme includes various known security features. The security and efficiency analyses display the robustness and efficiency of the presented scheme. Overall, the presented scheme is proven to be more feasible for multi-server authentication-and-key-agreement scenarios in various low-power networks. Moreover, the design and analysis methods in this paper can also be used for authentication protocols in IoT, WSNs, etc.