doi: 10.3934/amc.2020103

Cryptanalysis and enhancement of multi factor remote user authentication scheme based on signcryption

1. Department of CSE, Kongu Engineering College, Erode, India

2. Department IT and Department of CT-UG, Kongu Engineering College, Erode, India

* Corresponding author: Vani Rajasekar

Received December 2019; Revised May 2020; Published August 2020

The main purpose of remote user authentication is to verify the authenticity of a user over an insecure channel. Numerous remote user authentication schemes have been proposed to date, but security flaws remain. Some of them are vulnerable to password guessing attack, Id guessing attack, client and server impersonation attack, replay attack, Denial of Service (DoS) attack, etc. Besides these security issues, many such schemes are considered to incur higher computational and communication costs. To overcome these challenges, a lightweight cryptographic scheme called signcryption has evolved. Signcryption is a logical combination of encryption and digital signature in a single step. It thereby provides the necessary security features at a lower computational cost of 0.97 ms and a communication cost of 824 bits. This work outlines the weaknesses in Dharminder et al.'s authentication scheme, which is prone to biometric recognition error, offline password guessing attack, impersonation attack and replay attack. Furthermore, the study provides a secure multifactor authentication scheme using signcryption based on Hyper Elliptic Curve Cryptography (HECC) and a Bio-hash function. The formal security analysis of the proposed scheme is done using Burrows-Abadi-Needham logic. The analysis reveals that the proposed scheme is computationally and communication efficient and satisfies all the needed security goals. The scheme has also been formally verified using the AVISPA tool, which confirms that it is resilient to security attacks.

Citation: Vani Rajasekar, Premalatha Jayapaul, Sathya Krishnamoorthi. Cryptanalysis and enhancement of multi factor remote user authentication scheme based on signcryption. Advances in Mathematics of Communications, doi: 10.3934/amc.2020103
References:

[1] M. Burrows, M. Abadi and R. M. Needham, A logic of authentication, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences, 426 (1989), 233-271. doi: 10.1098/rspa.1989.0125.

[2] S. Q. Cao, Q. Sun and L. Cao, Security analysis and enhancements of a remote user authentication scheme, IJ Network Security, 21 (2019), 661-669. doi: 10.1109/tsipn.2019.2932678.

[3] S. A. Ch, M. Sher, A. Ghani, H. Naqvi and A. Irshad, An efficient signcryption scheme with forward secrecy and public verifiability based on hyper elliptic curve cryptography, Multimedia Tools and Applications, 74 (2015), 1711-1723.

[4] S. A. Ch and M. Sher, Public verifiable signcryption schemes with forward secrecy based on hyperelliptic curve cryptosystem, in International Conference on Information Systems, Technology and Management, (Springer, Berlin, Heidelberg), (2012), 135-142.

[5] P. Chandrakar and H. Om, An efficient two-factor remote user authentication and session key agreement scheme using rabin cryptosystem, Arabian Journal for Science and Engineering, 43 (2018), 661-673.

[6] A. Chaturvedi, D. Mishra, S. Jangirala and S. Mukhopadhyay, A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme, Information Security and Applications, 32 (2017), 15-16.

[7] Y. Choi, Y. Lee, J. Moon and D. Won, Security enhanced multi-factor biometric authentication scheme using bio-hash function, PloS One, 12 (2017), e0176250.

[8] A. K. Das and A. Goswami, A robust anonymous biometric-based remote user authentication scheme using smart cards, Journal of King Saud University-Computer and Information Sciences, 27 (2015), 193-210.

[9] A. K. Das, A. K. Sutrala, V. Odelu and A. Goswami, A secure smartcard-based anonymous user authentication scheme for healthcare applications using wireless medical sensor networks, Wireless Personal Communications, 94 (2017), 1899-1933.

[10] D. Dharminder, D. Mishra, J. J. Rodrigues, R. de AL Rabelo and K. Saleem, PSSCC: Provably secure communication framework for crowdsourced industrial Internet of Things environments, Software: Practice and Experience, (2020), 1-12. doi: 10.1002/spe.2826.

[11] D. Dharminder, M. Obaidat, D. Mishra and A. K. Das, FEEC: Provably secure signcryption-based big data security framework for energy-efficient computing environment, IEEE Systems Journal, (2020).

[12] L. Han, X. Tan, S. Wang and X. Liang, An efficient and secure three-factor based authenticated key exchange scheme using elliptic curve cryptosystems, Peer-to-peer Networking and Applications, 11 (2018), 63-73.

[13] M. S. Hwang, E. Cahyadi, C. Yang and S. F. Chiou, An improvement of the remote authentication scheme for anonymous users using an elliptic curve cryptosystem, in 2018 IEEE 4th International Conference on Computer and Communications (ICCC), IEEE, (2018), 1872-1877.

[14] S. Kumar, V. Singh, V. Sharma and V. P. Singh, Advance remote user authentication using smart card, Telecommunications and Radio Engineering, 78 (2019), 8-10.

[15] C. T. Li, C. C. Lee, C. Y. Weng and S. J. Chen, A secure dynamic identity and chaotic maps based user authentication and key agreement scheme for e-healthcare systems, Journal of Medical Systems, 40 (2016), 233.

[16] T. Limbasiya, M. Soni and S. K. Mishra, Advanced formal authentication protocol using smart cards for network applicants, Computers and Electrical Engineering, 66 (2018), 50-63.

[17] M. Nikooghadam, R. Jahantigh and H. Arshad, A lightweight authentication and key agreement protocol preserving user anonymity, Multimedia Tools and Applications, 76 (2017), 13401-13423.

[18] V. Odelu, A. K. Das and A. Goswami, A secure effective key management scheme for dynamic access control in a large leaf class hierarchy, Information Sciences, 269 (2014), 270-285. doi: 10.1016/j.ins.2013.10.022.

[19] D. Otway and O. Rees, Efficient and timely mutual authentication, ACM SIGOPS Operating Systems Review, 1 (1987), 8-10.

[20] J. Premalatha, R. Vani and K. Sathya, Biometric signcryption using hyperelliptic curve and cryptographically secure random number, Asian Journal of Research in Social Sciences and Humanities, 6 (2016), 462-472.

[21] V. Rajasekar, J. Premalatha and K. Sathya, An efficient signcryption scheme for secure authentication using hyper elliptic curve cryptography and Keccak hashing, International Journal of Recent technology and Engineering, 8 (2019), 1593-1598.

[22] K. Sathya, J. Premalatha and V. Rajasekar, Sensor-seeded cryptographically secure random number generation, Indian Journal of Science, (2019).

[23] G. Sharma and S. Kalra, Advanced lightweight multi-factor remote user authentication scheme for cloud-IoT applications, Journal of Ambient Intelligence and Humanized Computing, 11 (2020), 1771-1794.

[24] K. Siddique, Z. Akhtar and Y. Kim, Biometrics vs passwords: A modern version of the tortoise and the hare, Computer Fraud and Security, 1 (2017), 13-17.

[25] A. K. Sutrala, A. K. Das, V. Odelu, M. Wazid and S. Kumari, Secure anonymity-preserving password-based user authentication and session key agreement scheme for telecare medicine information systems, Computer Methods and Programs in Biomedicine, 135 (2016), 167-185.

[26] T. Y. Teh, Y. S. Lee, Z. Y. Cheah and J. J. Chin, IBI-Mobile Authentication: A prototype to facilitate access control using identity-based identification on mobile smart devices, Wireless Personal Communications, 94 (2017), 127-144.

[27] X. A. Wang, Y. Liu, J. Zhang, X. Yang and M. Zhang, Improved group-oriented proofs of cloud storage in IoT setting, Concurrency and Computation: Practice and Experience, 30 (2018), e4781.

[28] K. Xue and P. Hong, Security improvement on an anonymous key agreement protocol based on chaotic maps, Communications in Nonlinear Science and Numerical Simulation, 17 (2012), 2969-2977. doi: 10.1016/j.cnsns.2011.11.025.

[29] B. Ying and A. Nayak, Lightweight remote user authentication protocol for multi-server 5G networks using self-certified public key cryptography, Journal of Network and Computer Applications, 131 (2019), 66-74.

Figure 1.  Registration phase
Figure 2.  Password change phase
Figure 3.  Password change phase
Figure 4.  Computational time analysis on various schemes
Figure 5.  Communication cost analysis on various schemes
Figure 6.  Simulation result of AVISPA in OFMC backend
Table 1.  Notions and its description

| S.No | Parameter used | Description |
|------|----------------|-------------|
| 1 | $ C_i $ | Client/User |
| 2 | $ S_i $ | Server/Receiver |
| 3 | $ Bi $ | Biometric template of Client |
| 4 | $ Id_i $ | Client's Identity |
| 5 | $ Pw_i $ | Client's password |
| 6 | $ H_{Bi}(.) $ | Bio hash function |
| 7 | $ h(.) $ | General Keccak hash function |
| 8 | $ r_c $ | Random number generated by Client |
| 9 | $ r_s $ | Random number generated by Server |
| 10 | $ K_C $ | Secret key generated by Client |
| 11 | $ K_S $ | Secret key generated by Server |
| 12 | $ N_i $ | Counter number |
| 13 | $ t_i $ | Time stamp value of ith tuple |
| 14 | $ \oplus $ | Bitwise XOR operation |
| 15 | $ \parallel $ | Concatenation operator |
| 16 | $ (C,r,S) $ | Signcrypted tuple |
| 17 | $ bk $ | Session key used by Client and Server |

Table 2.  Cryptanalysis on various authentication schemes

| Remote user authentication schemes | A1 | A2 | A3 | A4 | A5 | A6 | A7 | A8 | A9 | A10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Dharminder et al [11] | No | No | Yes | No | No | No | No | No | Yes | Yes |
| Chaturvedi et al [6] | Yes | No | Yes | No | No | No | No | No | No | Yes |
| Nikooghadam et al [17] | Yes | No | Yes | No | Yes | No | Yes | Yes | Yes | Yes |
| Chandrakar et al [5] | No | Yes | No | No | No | No | No | No | No | Yes |
| Sutrala et al [25] | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Dharminder et al [10] | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Li et al [15] | Yes | No | Yes | No | No | No | Yes | Yes | Yes | Yes |
| Das et al [8] | Yes | No | Yes | No | No | No | Yes | Yes | Yes | Yes |
| Sharma et al [23] | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Proposed Scheme | No | No | No | No | No | No | No | No | No | No |

A1: Server masquerading attack; A2: Replay attack; A3: Biometric recognition error; A4: Mutual Authentication; A5: Client Impersonation attack; A6: Offline password guessing attack; A7: Slow wrong password detection; A8: Prone to DoS attack; A9: Id Guessing attack; A10: Lack of session key agreement

Table 3.  Cryptanalysis on various authentication schemes

| Remote user authentication schemes | Registration phase | Password change phase | Login and Authentication phase |
|---|---|---|---|
| Dharminder et al [11] | $ 2T_{su}+1T_h $ | $ 2T_{bk}+1T_h $ | $ 3T_{su}+2T_h+1T_{bk} $ |
| Chaturvedi et al [6] | $ 3T_h $ | $ 2T_{bk}+2T_h $ | $ 6T_{su}+2T_h+3T_{bk} $ |
| Nikooghadam et al [17] | $ 3T_h $ | $ 2T_{bk}+3T_h $ | $ 5T_{su}+3T_h+2T_{bk} $ |
| Chandrakar et al [5] | $ 5T_h $ | $ 2T_{bk}+6T_h $ | $ 5T_{su}+6T_h+2T_{bk} $ |
| Sutrala et al [25] | $ 5T_h + 2T_{su} $ | $ 3T_{bk}+4T_h $ | $ 6T_{su}+4T_h+1T_{bk} $ |
| Dharminder et al [10] | $ 2T_h+1T_{su} $ | $ 1T_{bk}+4T_h $ | $ 6T_{su}+4T_h+1T_{bk} $ |
| Li et al [15] | $ 5T_h $ | $ 2T_{bk}+3T_h $ | $ 4T_{su}+2T_h+1T_{bk} $ |
| Das et al [8] | $ 1T_h+2T_{su} $ | $ 2T_{bk}+2T_h $ | $ 3T_{su}+2T_h+1T_{bk} $ |
| Sharma et al [23] | $ 3T_h $ | $ 2T_{bk}+2T_h $ | $ 6T_{su}+2T_h+3T_{bk} $ |
| Proposed Scheme | $ 1T_h+1T_{su} $ | $ 1T_h $ | $ 1T_{su}+1T_h+1T_{bk} $ |
