A Lightweight Anonymous Client–Server Authentication Scheme for the Internet of Things Scenario: LAuth

Abstract

The Internet of Things (IoT) connects different kinds of devices into a network, and enables two-way communication between devices. A large amount of data are collected by these devices and transmitted in this network, it is necessary to ensure secure communications between these devices, to make it impossible for an adversary to undermine this communication. To ensure secure communication, many authentication protocols have been proposed, in this study, a fully anonymous authentication scheme for the Internet of things scenario has been proposed, it enables the remote client to anonymously connect to the server and being serviced by the server. The proposed scheme has been verified by AVISPA and BAN Logic, and the result shows that it is safe. Besides, the simulation shows that the proposed scheme is more efficient in computation cost and communication cost.

1. Introduction

The Internet of Things is a network that connects all kinds of sensors, actuators, and other embedded devices. These devices can exchange data remotely via the network. A significant amount of data are collected by these devices and transmitted in this network. Among these data, there are many personal data, for example, blood pressure, pulse, and electrocardiogram, as well as home environment data, home humidity, and home temperature, etc. People are reluctant to let any party use the data without authorization. There is a need for an authentication scheme to make sure that the data is only accessible to authorized members. Authentication schemes have been studied in the past to solve this problem.

However, in some cases, mutual authentication is not sufficient for protecting the privacy of the clients. In the healthcare environment, an adversary can eavesdrop the information flow and find out which patient’s data is being transmitted. The client’s medical condition is revealed in this way. In this study, a light weighted authentication and key establishment scheme was proposed, which enables the remote client to be authenticated anonymously by the server. In the proposed scheme, we only used some light weighted security operations: XOR operations, hash functions and a minimal amount of asymmetric encryptions to fulfill perfect forward secrecy, as discussed in the previous work, these operations are relatively light weighted ones, we will continue to discuss this problem in Section 7.1. As energy consumption is of paramount importance in the context where energy are provided by small batteries, there is a high demand for a lightweight authentication scheme [1,2]. For these two reasons, we come up with this authentication scheme. Our contributions are mainly three- fold:

• We propose a lightweight anonymous authentication for the Internet of things scenario; the scheme achieves various security features: perfect forward privacy, user anonymity, resistance to an offline dictionary attack, etc. In addition, to verify the security features of the proposed scheme, the proposed scheme is also verified by AVISPA and the BAN Logic.
• We specially design the password changing phase, making it more efficient compared to that in the related works.
• We simulate the proposed scheme and other related schemes using C++. The results show the communication cost and the computation cost are reduced compared with related proposals.

In Section 2, we discussed the related works, in Section 3, we introduced the proposed scheme, Section 4 and Section 5 are security analyses using AVISPA and BAN logic, Section 6 is the formal security analysis section. In Section 7, we compared the proposed scheme with related works. In Section 8, we analyzed the security features. Section 9 is the conclusion part.

2. Related Work

Tu et al. proposed an authentication protocol based on a smart card; the protocol is a two-factor authentication scheme based on an elliptic curve [3]. However, this scheme is found to be vulverable to impersonation attacks; an attacker can impersonate as a legal server according to Farash [4]. Ibrahim et al. proposed secure anonymous mutual authentication for star two-tier wireless body area networks [5]. Chaudhry et al. proposed a remote user authentication scheme using elliptic curve cryptography that can withstand various attacks in the internet of things scenario, for example, smart card lost attack, replay attack [6]. Kumari analyzed the scheme of Farash [7], and they found that Farash’s scheme is vulnerable to various attacks, for example, impersonation attack, password guessing attack and temporary session specific information reveal attack, etc.

Jing et al. proposed an authentication between user and server, which could protect well the identity privacy of the user [8], however, their scheme requires extra storage capacity at the server side. In the scheme of Xiong [9], only registered users can authenticate each other and build a shared key, besides, this shared key is only known by the two registered users and the network manager could not know this shared key. According to the public information transmitted between the two users, an adversary is unable to learn this shared key. The scheme of Jing et al. is a scheme equipped with elliptic curve cryptographic primitives. Their scheme achieves anonymity regardless of network infrastructure. Their scheme enables the server to provide various services for a client more than once with a negligible computational cost [10]. Idrissi proposed a security scheme for mobile agent based on two techniques: anonymous authentication and intrusion detection [11]. In the work of Xiong et al. [12], the anonymity is enabled, however the gateway has to store a lot of the identity and key pairs.

In some schemes, the gateway assigns a random number, and a unique key based on this number to the clients. This number is used as an indicator of the key, the user encrypts his identity with this key. Many other schemes use this way to protect the identity of the users, for example, the scheme in the works of [13,14,15,16,17,18]. Biometrics are used in the scheme of Wu et al. [19], Odelu et al. [20], Wang et al. [21] and Islam et al. [22]. Human beings’ biometrics are extracted as random strings by using the fuzzy extractor.

The partial public key method is a popular method that has been used. He et al. proposed an efficient identity-based privacy-preserving authentication scheme for vehicular ad hoc networks [23], batch verification is used in this study. The concept of partial public key is also used in the scheme of Islam et al. [24]. In their scheme, a user register at the server several times, in order to get more than one authentication keys, then the user can use different keys for authentication to achieve anonymity. The scheme of Porambage et al. [25] also used the partial public key concept. Tsai et al. proposed a scheme for distributed mobile cloud computing services [26], the security strength of their scheme is based on bilinear pairing and dynamic nonce generation. There are other schemes that based on the elliptic curve security [27,28,29].

3. The Proposed Scheme

3.1. Structure of the Scheme

There are two types of entities in the scheme: remote clients and the server, which is shown in Figure 1.

• A client is the one who wants to access the services provided by the server. A client first registers at the server, after the registration, he can conduct a mutual authentication with the server, after authentication, the two can build a shared key, the client can access to the server’s service using this key.
• A server is the one that provides different kinds of services to the client. A server is also responsible for the registration and password modification for the client. Before the server provides a service to a client, the server has to make sure if the client is a registered one or not.

The proposed scheme is a mutual authentication scheme between the client and the server. The scheme consists of three phases: registration phase of the client, mutual authentication and key establishment phase and the phase for a client to change his password.

3.2. System Initialization

In the beginning, the server $S$ generates and publicizes the parameters of an elliptic curve, which is $\left\{p,a,b,P,n,h\right\}$. After that, $S$ generates its private key $X_{GWN}$, and keeps it as a secret. The symbols that will be used in this study are summarized in

Table 1. Symbols used in this study.

Symbols	Meaning
S	The server
$C_i$	The $i_{th}$ client
$I{D}_i$	The $i_{th}$ client’s identity
||	String connector, connecting two strings
⊕	XOR operation
P	The generator of ECC
$T_1$	Timestamp
h	The SHA-256 hash function
$h_1$	A hash a string to a random number function

.

3.3. Registration Phase

All the clients have to register at the server, a client $C_i$ with identity $I{D}_i$ generates a registration request message, and sends this request to the server $S$.

• Client $C_i$ chooses a random number $r_i$.
• Client $C_i$ calculates a hash message $M{P}_i=h\left(r_i\left|\right|I{D}_i\left|\right|P{W}_i\right)$.
• Client $C_i$ sends $\left\{I{D}_i,M{P}_i\right\}$ to the server.

When the server $S$ receives the message, server $S$ generates the keys for client $C_i$, after that, the server $S$ sends these keys to the client $C_i$.

Table 2. Registration phase.

Client	Server
$I{D}_i,P{W}_i$	master key $X_{GWN}$
random number $r_i$
$M{P}_i=h\left(r_i\left|\right|I{D}_i\left|\right|P{W}_i\right)$
$\left\{I{D}_i,M{P}_i\right\}$	$d_i=h\left(I{D}_i\right|\left|X_{GWN}\right)$ $f_i=d_i\oplus M{P}_i$ random number $k_i$
	$e_i=h\left(k_i\right|\left|X_{GWN}\right)$
	$h_i=e_i\oplus M{P}_i$
Stores $\left\{f_i,h_i,k_i\right\}$	$\left\{f_i,h_i,k_i\right\}$

is a description of the process.

• Server $S$ calculates a hash message $d_i=h\left(I{D}_i\right|\left|X_{GWN}\right)$.
• Server $S$ calculates $f_i=d_i\oplus M{P}_i$.
• Server $S$ chooses a random number $k_i$.
• Server $S$ calculates a hash message $e_i=h\left(k_i\right|\left|X_{GWN}\right)$.
• Server $S$ calculates $h_i=e_i\oplus M{P}_i$.
• Server $S$ sends $\left\{f_i,h_i,k_i\right\}$ and other system parameters to the client $C_i$.

3.4. Authentication Phase

If a client $C_i$ with identity $I{D}_i$ wants to ask a service from the server $S$, first, the two have to authenticate each other and build a shared key. The client $C_i$ inserts the smart card into a card reader, inputs his identity $I{D}_i^{\prime }$ and password $P{W}_i^{\prime }$. The smart card (SC) prepares the following message and sends it to the server $S$.

• The client $C_i$ inserts its smart card into a card reader, inputs his identity $I{D}_i^{\prime }$ and password $P{W}_i^{\prime }$.
• SC computes: $M{P}_i^{\prime }=h\left(r_i\left|\right|I{D}_i^{\prime }\left|\right|P{W}_i^{\prime }\right)$.
• SC uses $M{P}_i^{\prime }$ to get $d_i=f_i\oplus M{P}_i^{\prime }$ and $e_i=h_i\oplus M{P}_i^{\prime }$.
• SC gets the current timestamp $T_1$ and the random number $k_i$.
• SC gets a random number $k_1$ ∈ [1, n − 1], and calculates $A_1=k_1·P$.
• SC gets the hash $M_1=h\left(A_1\left|\right|I{D}_i^{\prime }\left|\right|k_i\left|\right|d_i\left|\right|T_1\right)$.
• SC computes $M_2=\left(I{D}_i^{\prime }\right|\left|M_1\right)\oplus e_i$.
• Finally, SC sends {$k_i,A_1,M_2,T_1$} to the server $S$.

When the server $S$ receives the incoming message, it first checks the correctness of the message, after the verification, the server will generate the shared key between himself and the client. Then the server prepares the message for sending back to the client.

• Server $S$ checks the freshness of the $T_1$, if $T_1$ is not fresh, server $S$ abandons the incoming message, the scheme ends here.
• Server $S$ calculates the key $h\left(k_i\right|\left|X_{GWN}\right)$ based on $k_i$.
• Server $S$ uses the key $h\left(k_i\right|\left|X_{GWN}\right)$ to decrypt $M_2$ to get $I{D}_i^{\prime }\left|\right|M_1^{\prime }$, $I{D}_i^{\prime }\left|\right|M_1^{\prime }=h\left(k_i\right|\left|X_{GWN}\right)\oplus M_2$.
• Server $S$ calculates $d_i^{\prime }=h\left(I{D}_i^{\prime }\right|\left|X_{GWN}\right)$ based on the identity $I{D}_i^{\prime }$.
• Server $S$ checks if $M_1^{\prime }=h(A_1\left|\right|I{D}_i^{\prime }\left|\right|k_i\left|\right|d_i^{\prime }\left|\right|T_1)$, if they are equal, the server accepts the incoming message, otherwise, the scheme terminates here.
• Server $S$ gets a random number $k_2$ ∈ [1, n − 1], and calculates $B_2=k_2·P$.
• Server $S$ calculates the shared key $SK=h(k_2·A_1|\left|T_1\right)$.
• Server $S$ calculates a new random number $k_{inew}=h_1\left(SK\right|\left|T_1\right)$.
• Server $S$ calculates a hash message $e_{inew}=h\left(k_{inew}\right|\left|X_{GWN}\right)$.
• Server $S$ calculates $M_3=h\left(B_2\left|\right|e_{inew}\left|\right|k_{inew}\left|\right|d_i^{\prime }\left|\right|SK\right)$.
• Server $S$ computes $M_4=\left(e_{inew}\right|\left|M_3\right)\oplus h\left(d_i^{\prime }\right|\left|T_1\right)$.
• Server $S$ sends $\left\{B_2,M_4\right\}$ to the client $C_i$.

When client $C_i$ gets the message $\left\{B_2,M_4\right\}$, $C_i$ will do the following steps to authenticate the incoming message, if the client verifies the message, he will build a shared key with the server.

• Client $C_i$ computes the shared key as $S{K}^{\prime }=h(k_1·B_2|\left|T_1\right)$.
• Client $C_i$ decrypts $M_4$ to get $e_{inew}^{\prime }\left|\right|M_3^{\prime }=M_4\oplus h\left(d_i\right|\left|T_1\right)$.
• Client $C_i$ computes the random number $k_{inew}^{\prime }=h_1\left(S{K}^{\prime }\right|\left|T_1\right)$.
• Client $C_i$ checks if $M_3^{\prime }=h\left(B_2\left|\right|e_{inew}^{\prime }\left|\right|k_{inew}^{\prime }\left|\right|d_i\left|\right|S{K}^{\prime }\right)$, if they are equal, $C_i$ accepts the shared key $S{K}^{\prime }$, and now client $C_i$ and the server $S$ can communicate using the shared key $SK=S{K}^{\prime }$, otherwise the scheme terminates here.
• Client $C_i$ updates $h_i=e_{inew}^{\prime }\oplus M{P}_i^{\prime }$ and $k_i=k_{inew}^{\prime }$.

Now the client $C_i$ and the server $S$ have authenticated each other and built a shared key. The

Table 3. Authentication phase.

Client	Server
$\mathit{I}{\mathit{D}}_{\mathit{i}},\mathit{P}{\mathit{W}}_{\mathit{i}}$	Master Key${\mathit{X}}_{\mathit{G}\mathit{W}\mathit{N}}$
User: inserts SC into the terminal
User: input $I{D}_i^{\prime }$ and $P{W}_i^{\prime }$
SC: $M{P}_i^{\prime }=h\left(r_i\left|\left|I{D}_i^{\prime }\right|\right|P{W}_i^{\prime }\right)$
SC: $d_i=f_i\oplus M{P}_i^{\prime }$
SC: $e_i=h_i\oplus M{P}_i^{\prime }$
SC: gets timestamp $T_1$, $k_i$
Random number $k_1$, $A_1=k_1·P$
SC: gets $M_1=h\left(A_1\left|\left|I{D}_i^{\prime }\left|\left|k_i\right|\right|d_i\right|\right|T_1\right)$
SC: $M_2=\left(I{D}_i^{\prime }\right|\left|M_1\right)\oplus e_i$
$\left\{k_i,A_1,M_2,T_1\right\}$	Checks the freshness of $T_1$ $I{D}_i^{\prime }\left|\right|M_1^{\prime }=h\left(k_i\right|\left|X_{GWN}\right)\oplus M_2$
	$d_i^{\prime }=h\left(I{D}_i^{\prime }\right|\left|X_{GWN}\right)$
	Check if $M_1^{\prime }=h\left(A_1\left|\left|I{D}_i^{\prime }\left|\left|k_i\right|\right|d_i^{\prime }\right|\right|T_1\right)$
	Random number $k_2$, $B_2=k_2·P$
	$SK=h(k_2·A_1|\left|T_1\right)$
	$k_{inew}=h_1\left(SK\right|\left|T_1\right)$
	$e_{inew}=h\left(k_{inew}\right|\left|X_{GWN}\right)$
	$M_3=h\left(B_2\left|\left|e_{inew}\right|\right|k_{inew}\left|\left|d_i^{\prime }\right|\right|SK\right)$
	$M_4=\left(e_{inew}\right|\left|M_3\right)\oplus h\left(d_i^{\prime }\right|\left|T_1\right)$
$S{K}^{\prime }=h(k_1·B_2|\left|T_1\right)$ $e_{inew}^{\prime }\left|\right|M_3^{\prime }=M_4\oplus h\left(d_i\right|\left|T_1\right)$	$\left\{B_2,M_4\right\}$
$k_{inew}^{\prime }=h_1\left(S{K}^{\prime }\right|\left|T_1\right)$
Check if $M_3^{\prime }=h\left(B_2\left|\left|e_{inew}^{\prime }\right|\right|k_{inew}^{\prime }\left|\left|d_i\right|\right|S{K}^{\prime }\right)$
$h_i=e_{inew}^{\prime }\oplus M{P}_i^{\prime }$, $k_i=k_{inew}^{\prime }$
Agree on the key $SK=S{K}^{\prime }$

below depicts the whole process.

3.5. Password Change Phase

When a client $C_i$ wants to change his password, he can send a request to the server $S$, this request is sent in public channel.

Table 4. Password change phase.

Client	Server
$\mathit{I}{\mathit{D}}_{\mathit{i}},\mathit{P}{\mathit{W}}_{\mathit{i}}$	Master Key${\mathit{X}}_{\mathit{G}\mathit{W}\mathit{N}}$
User: inserts SC into the terminal
User: input $I{D}_i^{\prime }$ and $P{W}_i^{\prime }$
SC: $M{P}_i^{\prime }=h\left(r_i\left|\left|I{D}_i^{\prime }\right|\right|P{W}_i^{\prime }\right)$
SC: $d_i=f_i\oplus M{P}_i^{\prime }$
SC: $e_i=h_i\oplus M{P}_i^{\prime }$
SC: gets timestamp $T_1$, $k_i$
SC: gets $M_1=h\left(I{D}_i^{\prime }\left|\left|k_i\right|\right|d_i\right|\left|T_1\right)$
SC: $M_2=\left(I{D}_i^{\prime }\right|\left|M_1\right)\oplus e_i$
$\left\{k_i,M_2,T_1\right\}$	Check the freshness of ${\mathrm{T}}_1$ $I{D}_i^{\prime }\left|\right|M_1^{\prime }=h\left(k_i\right|\left|X_{GWN}\right)\oplus M_2$
	$d_i^{\prime }=h\left(I{D}_i^{\prime }\right|\left|X_{GWN}\right)$
	Check if $M_1^{\prime }=h\left(I{D}_i^{\prime }\left|\left|k_i\right|\right|d_i^{\prime }\right|\left|T_1\right)$
	$M_3=h\left(I{D}_i^{\prime }\right|\left|d_i^{\prime }\left|\left|k_i\right|\right|T_1\right)$.
Check if $M_3=h\left(I{D}_i^{\prime }\left|\left|d_i\right|\right|k_i\right|\left|T_1\right)$ $d_i=f_i\oplus M{P}_i^{\prime }$	$\left\{M_3\right\}$
$e_i=h_i\oplus M{P}_i^{\prime }$
$M{P}_i^{*}=h\left(r_i\left|\left|I{D}_i\right|\right|P{W}_i^{*}\right)$
$f_i^{\prime }=d_i\oplus M{P}_i^{*}$
$h_i^{\prime }=e_i\oplus M{P}_i^{*}$

is a description of this process.

• The client $C_i$ inserts his smart card into a card reader, inputs his identity and password $I{D}_i^{\prime }$ and $P{W}_i^{\prime }$.
• SC computes: $M{P}_i^{\prime }=h\left(r_i\left|\right|I{D}_i^{\prime }\left|\right|P{W}_i^{\prime }\right)$.
• SC uses $M{P}_i^{\prime }$ to get $d_i=f_i\oplus M{P}_i^{\prime }$ and $e_i=h_i\oplus M{P}_i^{\prime }$.
• SC gets the current timestamp $T_1$ and the random number $k_i$.
• SC gets the hash $M_1=h\left(I{D}_i^{\prime }\left|\right|k_i\left|\right|d_i\right|\left|T_1\right)$.
• SC computes $M_2=\left(I{D}_i^{\prime }\right|\left|M_1\right)\oplus e_i$.
• Finally, SC sends {$k_i,M_2,T_1$} to the server $S$.

When the server $S$ receives the message, server $S$ will verify if the message is from a legitimate client, after that, the server $S$ sends a replay to the client $C_i$.

• Server $S$ checks the freshness of the $T_1$, if $T_1$ is not fresh, server $S$ abandons the incoming message.
• Server $S$ calculates the key $h\left(k_i\right|\left|X_{GWN}\right)$ based on $k_i$.
• Server $S$ uses the key $h\left(k_i\right|\left|X_{GWN}\right)$ to decrypt $M_2$ to get $I{D}_i^{\prime }\left|\right|M_1^{\prime }$, $I{D}_i^{\prime }\left|\right|M_1^{\prime }=h\left(k_i\right|\left|X_{GWN}\right)\oplus M_2$.
• Server $S$ calculates $d_i^{\prime }=h\left(I{D}_i^{\prime }\right|\left|X_{GWN}\right)$ based on the identity $I{D}_i^{\prime }$.
• Server $S$ checks if $M_1^{\prime }=h\left(I{D}_i^{\prime }\left|\right|k_i\left|\right|d_i^{\prime }\right|\left|T_1\right)$, if they are equal, the server verifies the incoming message, otherwise, the scheme terminates here.
• Server $S$ calculates $M_3=h\left(I{D}_i^{\prime }\right|\left|d_i^{\prime }\right|\left|k_i\right|\left|T_1\right)$.
• Server $S$ sends $\left\{M_3\right\}$ to the client $C_i$.

When a client $C_i$ receives the replay message from the server $S$, the smart card checks the correctness of this message, if it is from the server $S$, then the smart card will allow the client $C_i$ to input his new password.

• SC checks if $M_3=h\left(I{D}_i^{\prime }\left|\right|d_i\left|\right|k_i\right|\left|T_1\right)$, if they are equal, then the client is allowed to change his password.
• $SC$ computes $d_i=f_i\oplus M{P}_i^{\prime }$ using the stored $f_i$ and the old $M{P}_i^{\prime }$.
• $SC$ computes $e_i=h_i\oplus M{P}_i^{\prime }$ using the stored $h_i$ and the old $M{P}_i^{\prime }$
• Client $C_i$ inputs the new password $P{W}_i^{*}$.
• $SC$ updates $M{P}_i^{\prime }$ to be $M{P}_i^{*}=h\left(r_i\left|\right|I{D}_i\left|\right|P{W}_i^{*}\right)$.
• $SC$ uses this new $M{P}_i^{*}$ to update the stored version of $f_i$ and $h_i$ to get $f_i^{\prime }=d_i\oplus M{P}_i^{*}$, $h_i^{\prime }=e_i\oplus M{P}_i^{*}$.

4. Security Analysis by AVISPA

Automated Validation of Internet Security Protocols and Applications (AVISPA) is “a push-button tool for the automated validation of Internet security-sensitive protocols and applications” [30]. To test security features of the scheme in this study, we write the scheme in a role-based language called High-Level Protocols Specification Language (HLPSL), which is used for describing protocols and specifying their intended security features. The HLPSL code is listed in Appendix A.

We run the security check by using the CL-based Model-Checker [31], and the checker of On- the-Fly Model-Checker (OFMC) [32,33]. The simulation result shown in

Table 5. Simulation results of AVISPA.

CL-AtSe Back-End	OFMC
SUMMARY	% OFMC
SAFE	% Version of 2006/02/13
DETAILS	SUMMARY
BOUNDED_NUMBER_OF_SESSIONS	SAFE
TYPED_MODEL	DETAILS
PROTOCOL	BOUNDED_NUMBER_OF_SESSIONS
/home/iotdev/avispa/avispa-1.1/testsuite/results/light.if	PROTOCOL
	/home/iotdev/avispa/avispa-1.1/testsuite/results/light.if
GOAL	GOAL
As Specified	as_specified
	BACKEND
BACKEND	OFMC
CL-AtSe	COMMENTS
	STATISTICS
STATISTICS	parseTime: 0.00s
	searchTime: 0.01s
Analysed: 1 states	visitedNodes: 4 nodes
Reachable: 0 states	depth: 2 plies
Translation: 0.00 s
Computation: 0.00 s

demonstrates that the proposed scheme is safe.

5. Security Analysis Using BAN Logic

We conducted a security analysis of the proposed scheme using Burrows-Abadi-Needham Logic (BAN logic) [34]. By using BAN logic, we can determine whether the exchanged information is trustworthy, secure against eavesdropping. For more information on the symbols and primary postulates of BAN logic, please refer to our previous work [35].

5.1. The Premise and Proof Goals

Suppose there are two entities in the system: client $C_i$ and the server $S$. Before we start the proof, we first translate the messages into an idealized form of BAN logic, the results are shown in

Table 6. The idealized form of the messages.

Message	Flow	Idealized Form
1	$C_i\to S$	$\left\{k_i,A_1,{\left\{A_1,I{D}_i,k_i,T_1\right\}}_{d_i},T_1\right\}$
2	$S\to C_i$	$\{B_2,{\left\{e_{inew},B_2,k_{inew},d_i,SK\right\}}_{h\left(d_i\right|\left|T_1\right)}\}$

.

The goals in BAN Logic are described below. These goals can ensure $C_i$ and $S$ to agree on a shared key $SK$.

$$1.C_i|\equiv C_i\stackrel{SK}{\leftrightarrow }S2.S|\equiv S\stackrel{SK}{\leftrightarrow }{C}_i$$

5.2. Assumptions

We make some assumptions to help us to prove the protocol; assumptions are listed in

Table 7. Assumptions.

Number	Assumptions	Number	Assumptions
A1	$C_i|\equiv \#\left(T_1\right)$	A2	$S|\equiv \#\left(T_1\right)$
A3	$C_i|\equiv \#\left(B_2\right)$	A4	$S|\equiv \#\left(A_1\right)$
A5	$C_i\equiv S\stackrel{h\left(d_i\right|\left|T_1\right)}{\leftrightarrow }{C}_i$	A6	$S\equiv C_i\stackrel{d_i}{\leftrightarrow }S$
A7	$C_i|\equiv S⟾B_2$	A8	$S|\equiv C_i⟾A_1$

. First, we show the proof of assumption A1 and A3.

• According to the “$\#\left(\right)$-introduction” rule, client $C_i$ creates $T_1$

  $$C_i|\equiv \#\left(T_1\right)$$

  (1)
• According to (1) and the “promotion $\#$” rule:

  $$C_i|\equiv \#\left(M_4\right)$$

  (2)
• According to (2) and the “promotion $\#$” rule:

  $$C_i|\equiv \#\left(B_2,M_4\right)$$

  (3)
• According to (3) and the “elimination of multipart messages” rule:

  $$C_i|\equiv \#\left(B_2\right)$$

  (4)

In this part, we show the proof of assumption A2 and A4. By checking the timestamp $T_1$, the server $S$ can judge if $T_1$ is fresh or not, if $T_1$ is not fresh, the server $S$ will abandon the message and the scheme ends here. Thus, we only consider the situation that server $S$ believes timestamp $T_1$ is fresh, which is $S|\equiv \#\left(T_1\right)$.

5.

According to the “promotion $\#$” rule:

$$S|\equiv \#\left(k_i,A_1,M_2,T_1\right).$$

(5)

6.

According to (5) and the “elimination of multipart messages” rule:

$$S|\equiv \#\left(A_1\right)$$

(6)

After registration, both server $S$ and the client $C_i$ believe that they have a shared key $d_i$. Translating into BAN Logic, we get assumptions A6: $S|\equiv C_i\stackrel{d_i}{\leftrightarrow }S$ and $C_i|\equiv S\stackrel{d_i}{\leftrightarrow }{C}_i$. We can get assumptions A5: $C_i|\equiv S\stackrel{h\left(d_i\right|\left|T_1\right)}{\leftrightarrow }{C}_i$ based on $C_i|\equiv S\stackrel{d_i}{\leftrightarrow }{C}_i$. Assumption A7 says that client $C_i$ believes server $S$ has complete control over the data $B_2$, assumption A8 says that server $S$ believes client $C_i$ has complete control over the data $A_1$.

5.3. The Proof of the Proposed Scheme

In this section, we start the proof. According to the message $\left\{k_i,A_1,{\left\{A_1,I{D}_i,k_i,T_1\right\}}_{d_i},T_1\right\}$, which the client $C_i$ sends to server $S$, we can get the followings:

7.

According to the message $\left\{k_i,A_1,{\left\{A_1,I{D}_i,k_i,T_1\right\}}_{d_i},T_1\right\}$:

$$S⨞\left\{k_i,A_1,{\left\{A_1,I{D}_i,k_i,T_1\right\}}_{d_i},T_1\right\}$$

(7)

8.

According to (7) and “ ‘,’-elimination” rule:

$$S⨞{\left\{A_1,I{D}_i,k_i,T_1\right\}}_{d_i}$$

(8)

9.

According to (8), A6 and “|∼ introduction” rule:

$$S\left|\equiv C_i\right|~\left\{A_1,I{D}_i,k_i,T_1\right\}$$

(9)

10.

According to (9) and “ ‘,’-elimination” rule:

$$S\left|\equiv C_i\right|~A_1$$

(10)

11.

According to A4, (10), and “|∼elimination” rule:

$$S\left|\equiv C_i\right|\equiv A_1$$

(11)

12.

According to A8, (11), and “jurisdiction or control” rule:

$$S|\equiv A_1$$

(12)

13.

As $k_2$ is randomly created by $S$, according to “#()- introduction” rule:

$$S|\equiv \#\left(k_2\right)$$

(13)

14.

According to (13), A2, A4, and “#()- promotion” rule:

$$S|\equiv \#\left(SK\right)$$

(14)

15.

According to (11), (14), and “$\stackrel{k}{\leftrightarrow }$ introduction” rule:

$$S|\equiv S\stackrel{SK}{\leftrightarrow }{C}_i$$

(15)

Now we have proved the second goal, we will begin to prove the first goal by analyzing the message server $S$ sends to client $C_i$: $\{B_2,{\left\{e_{inew},B_2,k_{inew},d_i,SK\right\}}_{h\left(d_i\right|\left|T_1\right)}\}$.

16.

According to the message $\{B_2,{\left\{e_{inew},B_2,k_{inew},d_i,SK\right\}}_{h\left(d_i\right|\left|T_1\right)}\}$:

$$C_i⨞\{B_2,{\left\{e_{inew},B_2,k_{inew},d_i,SK\right\}}_{h\left(d_i\right|\left|T_1\right)}\}$$

(16)

17.

According to (16) and “ ‘,’-elimination” rule:

$$C_i⨞{\left\{e_{inew},B_2,k_{inew},d_i,SK\right\}}_{h\left(d_i\right|\left|T_1\right)}$$

(17)

18.

According to (17), A5 and “|∼ introduction” rule:

$$C_i|\equiv S|~\left\{e_{inew},B_2,k_{inew},d_i,SK\right\}$$

(18)

19.

According to (18) and “ ‘,’-elimination” rule:

$$C_i\left|\equiv S\right|~B_2$$

(19)

20.

According to A3, (19), and “|∼elimination” rule:

$$C_i\left|\equiv S\right|\equiv B_2$$

(20)

21.

According to A7, (20), and “jurisdiction or control” rule:

$$C_i|\equiv B_2$$

(21)

22.

As $k_1$ is randomly created by $C_i$, according to “#()- introduction” rule:

$$C_i|\equiv \#\left(k_1\right)$$

(22)

23.

According to (22), A1, A3, and “#()- promotion” rule:

$$C_i|\equiv \#\left(SK\right)$$

(23)

24.

According to (20), (23), and “$\stackrel{k}{\leftrightarrow }$ introduction” rule:

$$C_i|\equiv C_i\stackrel{SK}{\leftrightarrow }S$$

(24)

Now, we have proved the two goals of the scheme. We can say that the proposed scheme is secure under BAN logic.

6. Formal Security Analysis

Suppose $G_1$ is a cyclic additive group of prime order $q$, $P$ is the generator of $G_1$, the Elliptic Curve Computational Diffie–Hellman (ECCDH) problem is thought to be a computational hardness. The security of the shared key of the proposed scheme is based on the computational hardness of the ECCDH problem.

Definition 1.

ECCDH problem. For any$a,b,c\in Z_q^{*}$, given an instance$<aP,bP>$, it is computationally intractable to compute$cP=abP$.

Theorem 1.

The proposed scheme achieves shared key security if and only if the ECCDH problem is unable to be solved in polynomial time.

We define the shared key security as that an adversary is unable to get the shared key between the client $C_i$ and server $S$ based on the messages transferred publicly between them.

Proof. 

 

(⇒) Suppose there is an efficient algorithm ${\mathcal{O}}_I$ which could break the ECCDH problem in probabilistic polynomial time. The adversary is able to get the messages publicly sent between the client $C_i$ and the server $S$: $\left\{k_i,A_1,M_2,T_1\right\}$, and $\left\{B_2,M_4\right\}$. Suppose $a·P=A_1=k_1·P$ and $P=B_2=k_2·P$, adversary ${\mathcal{A}}_{\mathcal{I}}$ is able to get the $cP=k_1·k_2·P$ by using efficient algorithm ${\mathcal{O}}_I$, the adversary is able to break the security of the shared key and get the shared key $h(k_1·k_2·P|\left|T_1\right)$.

(⇐) Suppose there is an efficient algorithm ${\mathcal{O}}_{II}$ which could get the shared key between client $C_i$ and server $S$, as the hash operation is secure, the adversary has to get the shared key by calculating $k_1·k_2·P$. This means given $A_1=k_1·P$ and $B_2=k_2·P$, an adversary ${\mathcal{A}}_{II}$ is able to get $k_1·k_2·P$. For the ECCDH problem, suppose $a·P=A_1=k_1·P$ and $b·P=B_2=k_2·P$, the adversary is able to get $c·P=a·b·P=k_1·k_2·P$. This apparently contradicts the hardness of the ECCDH problem. □

Theorem 2.

The proposed scheme achieves perfect forward privacy if and only if the ECCDH problem is unable to solve in polynomial time.

Proof. 

 

The proof of perfect forward privacy is similar to Theorem 1. Even if the private key of the client is leaked to the adversary. What the adversary get is the same public information $\left\{k_i,A_1,M_2,T_1\right\}$ and $\left\{B_2,M_4\right\}$. Thus it is unable to get the past session key, neither. □

7. Comparison

In this section, we compared our scheme with related works in computation cost, computation at the registration phase and the authentication phase. The schemes are implemented in C++, the running codes have been upload to a public repository in the github.com [36]. The MIRACL C/C++ Library is used in this study [37], the library can be accessed at github.com [38]. The experiment is conducted in Visual Studio C++ 2017 on a 64-bits Windows 7 operating system, 3.5 GHz processor, 8 GB memory. The hash function is SHA-256, the symmetric encryption/decryption function is AES in MR_PCFB1 form, the 256-bit long key for symmetric encryption/decryption function is generated by SHA-256 hash operation. The Koblitz curve secp256k1 which is recommended by NIST is used in this study [39]. The parameters of this curve are listed in Appendix B. The code is compiled in x86 form, this simulation does not take into account the transmission of the data.

7.1. Computational Performance Analysis

First, we compared the computation costs of these schemes in the form of operation per phase, T_H, T_MUL, T_ADD, T_E/D are used for the computation cost for SHA-256 operation, element multiplication operation of $G_1$, element addition operation of $G_1$, and AES symmetric encryption/decryption operation. The results are listed at

Table 8. Computation costs in the form of operation per phase.

Reference	Registration Phase	Authentication Phase	Password Change Phase
Tu et al. [3]	2TH + 1TMUL	10TH + 7TMUL + 1TADD	6TH + 1TMUL + 4TE/D
Chaudhry et al. [6]	5TH + 1TMUL	14TH + 6TMUL + 1TADD	---
Wu et al. [19]	4TH	12TH + 4TMUL + 4TE/D	9TH + 1TMUL + 2TE/D
Our scheme	3TH	14TH + 4TMUL	9TH

. As shown in the table, we can find that in all conditions, the computation cost of the proposed scheme is the minimal, as T_MUL > T_H and T_E/D > T_H. Thus, the proposed scheme has an advantage in the computation cost and energy consumption compared to related works. To test the analysis of the computation cost, we also simulated the schemes in the aforementioned environment respectively.

First, we run the registration phase of different schemes 5, 10, 15, 20 and 25 times separately. The computation times are shown in Figure 2. The horizontal axis represents the number of runs of the experiment, the vertical axis represents the time required for the experiment to run, and the unit is milliseconds. The computation cost of Wu et al. [19] and that of the proposed scheme are relatively smaller, while the scheme of Chaudhry et al. [6], and that of Tu et al. [3] cost more computation time. This is mainly because the proposed scheme and the scheme of Wu et al. [19] only need lightweight operations, SHA-256 hash operations and XOR operation, while for the scheme of Chaudhry et al. [6], and that of Tu et al. [3], symmetric encryption/decryption operations are required, these operations cost more computation time.

Second, we run the authentication and key establishment phase of different schemes 5, 10, 15, 20 and 25 times separately. The computation costs are shown in Figure 3. The horizontal axis represents the number of running the experiment, the vertical axis stands for the number of milliseconds to accomplish the experiment. The computation cost of Wu et al. [19] and that of the proposed scheme are relatively smaller, while the scheme of Chaudhry et al. [6], and the scheme of Tu et al. [3] cost more computation time. The computation cost of the proposed scheme is the minimal.

Third, we run the password change phase 5, 10, 15, 20 and 25 times separately. The computation costs are shown in Figure 4. In this figure, the horizontal axis indicates the number of times the experiment was run; the vertical axis indicates the number of milliseconds to accomplish the experiment. The computation cost of the proposed is the minimal, the computation cost of Wu et al. [19], and that of Tu et al. [3] are much higher, this is because in the proposed scheme only SHA-256 hash operations and XOR operation are needed, while in the scheme of Wu et al. [19], and in the scheme of Tu et al. [3], symmetric encryption/decryption, and elliptic curve operation are needed, these operations cost more computation time.

7.2. Communication Performance Analysis

In this part, we compared all the schemes in communication cost. We use the same criteria as that in the study of Jing et al. [8], the identity costs 2 bytes. The general hash operation in this study is SHA-256, the result of a hash operation is set to be 32 bytes. In this study, the random number is set to be 4 bytes, the timestamp is set to be 4 bytes. The element of the $G_1$ of the Koblitz curve secp256k1 is 64 bytes. The order $\left|q\right|$ of $G_1$ is 32 bytes long.

At the registration phase, the client sends $\left\{I{D}_i,M{P}_i\right\}$ to the server, $M{P}_i$ is a result of hash, it is 32 bytes long. The length of this message is 2 + 32 = 34 byte. The server sends $\left\{f_i,h_i,k_i\right\}$, $f_i$ is 32 byte long, $h_i$ is also 32 byte long. $k_i$ is 4 bytes a random number. The length of this message is 32 + 32 + 4 = 68 byte long. In the registration phase, the communication cost is 34 + 68 = 102 byte.

At the authentication phase, the client has to send $\left\{k_i,A_1,M_2,T_1\right\}$ to the server, $k_i$ is a random number of be 4 bytes, $A_1$ is an element of $G_1$, it is 64 bytes long, $M_2=\left(I{D}_i^{\prime }\right|\left|M_1\right)\oplus e_i$, $I{d}_i^{\prime }$ is an identity, it is 2 bytes long, $M_1$ is the result of an hash operation, it is 32 bytes long, the length of $M_2$ is 32 + 2 = 34 byte. $T_1$ is a 4 bytes long timestamp. The length of this message is 4 + 64 + 34 + 4 = 106. The server has to send $\left\{B_2,M_4\right\}$ back to the client, $B_2$ is an element of $G_1$, it is 64 bytes long. $M_4=\left(e_{inew}\right|\left|M_3\right)\oplus h\left(d_i^{\prime }\right|\left|T_1\right)$, $e_{inew}$ and $M_3$ are the results of hash, they are both 32 bytes long, the length of $M_4$ is 32 + 32 = 64 byte. The length of this message is 64 + 64 = 128 byte long. The communication cost of is 106 + 128 = 234 byte.

At the password change phase, the client has to send $\left\{k_i,M_2,T_1\right\}$ to the server, $k_i$ is a random number of be 4 bytes, $M_2=\left(I{D}_i^{\prime }\right|\left|M_1\right)\oplus e_i$, $I{d}_i^{\prime }$ is an identity, it is 2 bytes long, $M_1$ is the result of an hash operation, it is 32 bytes long, the length of $M_2$ is 32 + 2 = 34 byte. $T_1$ is a 4 bytes long timestamp. The length of this message is 4 + 34 + 4 = 42. The server has to send $\left\{M_3\right\}$ back to the client, $M_3$ is the result of hash, it is 32 bytes long, the length of this message is 32 byte long. The communication cost of this phase is 42 + 32 = 74 byte.

The communication costs of other schemes are computed in the same way, note that, in the scheme of Tu et al. [3], to change a client’s password, the client and the server has to build a shared key in advance, thus, the communication cost of the password change phase is calculated as the communication cost of the authentication phase and the messages sent during the password change process. The scheme of Chaudhry et al. [6] does not have a password change phase; we did not calculate their scheme’s communication cost. The result is shown in

Table 9. Communication costs of different schemes.

Reference	Registration Phase	Authentication Phase	Password Change Phase
Tu et al. [3]	98 byte	230 byte	456 byte
Chaudhry et al. [6]	130 byte	226 byte	---
Wu et al. [19]	102 byte	238 byte	138 byte
Our scheme	102 byte	234 byte	74 byte

.

8. Security Feature Analyses

In this section, we analyzed the security features of different schemes. At the end of this section, we concluded the results into a table.

8.1. Client Anonymity

Regarding client anonymity, in the proposed scheme, the identity of the user is encrypted by a shared key between the client and the server, the adversary is unable to find out the real identity of the client. In the scheme of Tu et al. [3], the identity of the user is transmitted transparently; the adversaries can get the identity easily. In the scheme of Chaudhry et al. [6] and Wu et al. [19], the identity is encrypted, too.

8.2. Perfect Forward Privacy

Perfect forward privacy means that even when an adversary gets the private key of the client or the server, it is unable to recover the past session key based on this private key and the publicly transmitted messages. As we have proved in Section 5, the proposed scheme gains perfect forward privacy.

Meanwhile, the scheme of Chaudhry et al. [6] cannot ensure perfect forward privacy, if the adversary gets the private key $msk$ and the session related messages $DI{D}_{ua},EI{D}_{ua},Q_{ua}$ and $T_{sb},H_{sb}$. The adversary is able to compute the past session key in the following manner:

$$M_{ua}^{\prime }=msk·Q_{ua}$$

$$EI{D}_{ua}=M_{ua}^{\prime }\oplus DI{D}_{ua}$$

$$TI{D}_{ua}^{\prime }=H_1\left(msk\oplus I{D}_{ua}\right)·P$$

$$Q_{sb}^{\prime }=T_{sb}\oplus M_{ua}^{\prime }$$

$$SK=H_5\left(Q_{ua}\oplus TI{D}_{ua}^{\prime }\oplus M_{ua}^{\prime }\oplus TI{D}_{ua}^{\prime }\right)$$

8.3. Reply Attack

In the proposed scheme, there is a timestamp $T_1$ in the message $\left\{k_i,A_1,M_2,T_1\right\}$, and the timestamp $T_1$ is also concealed in the hash message $M_1=h\left(A_1\left|\right|D_i^{\prime }\left|\right|k_i\left|\right|d_i\left|\right|T_1\right)$. If an adversary sends a former message to the server, the server will abandon this message after checking the timestamp. However, if the adversary replaces the timestamp $T_1$ with a new one, the server can still find it out by checking the hash message $M_1=h\left(A_1\left|\right|D_i^{\prime }\left|\right|k_i\left|\right|d_i\left|\right|T_1\right)$. Thus, an adversary is unable to launch a replay attack. For the scheme of Chaudhry et al. [6], if an adversary sends a former message to the server, the server is unable to judge if the message is a previous one or not, therefore, their scheme is subjected to replay attack.

8.4. Offline Dictionary Attack

In the proposed scheme, if the adversary gets the message in the smartcard $\left\{f_i,h_i,k_i,r_i\right\}$. The adversary could conduct an offline dictionary attack in the following steps:

• The adversary insert the smart card into a card reader, inputs a random identity and password pair $I{D}_i^{\prime }$ and $P{W}_i^{\prime }$.
• SC computes: $M{P}_i^{\prime }=h\left(r_i\left|\right|I{D}_i^{\prime }\left|\right|P{W}_i^{\prime }\right)$.
• SC uses $M{P}_i^{\prime }$ to get $d_i=f_i\oplus M{P}_i^{\prime }$ and $e_i=h_i\oplus M{P}_i^{\prime }$.
• SC gets the current timestamp $T_1$, and gets $k_i$.
• SC gets a random number $k_1$ ∈ [1, n − 1], and calculates $A_1=k_1·P$.
• SC gets the hash $M_1=h\left(A_1\left|\right|I{D}_i^{\prime }\left|\right|k_i\left|\right|d_i\left|\right|T_1\right)$.
• SC computes $M_2=\left(I{D}_i^{\prime }\right|\left|M_1\right)\oplus e_i$.
• Finally, SC sends {$k_i,A_1,M_2,T_1$} to the server $S$.
• If the server sends back a replay message, the identity and password pair is correct, otherwise, go to step 1.

Now, $q_{send}$ is used as the number of times an adversary can send a message to the server $S$ in a time period, the server will set a limit on $q_{send}$, if the $q_{send}$ exceeds this preset limit, The server will no longer process the incoming messages from this adversary, the adversary cannot continuing the dictionary attack in this time period. The $\left|D_{id}\right|$, $\left|D_{pass}\right|$ are used as the dictionary size of the identity and the password. Thus the probability $p_{adv}$ that adversary correctly guesses the identity and password pair correctly is:

$$p_{adv}=\frac{q_{send}}{\left|D_{id}\right|\ast \left|D_{pass}\right|}$$

Set $\left|D_{id}\right|$, $\left|D_{pass}\right|$ to be large enough, the $p_{adv}$ will be a small value, the aforementioned analysis is based on the authentication phase, the attack on the password changing phase is the same.

Meanwhile, in the scheme of Chaudhry et al. [6], the adversary could conduct an offline dictionary attack in the following steps:

• The adversary inserts the smart card into a card reader, inputs a random identity and password pair $I{D}_i^{\prime }$ and $P{W}_i^{\prime }$.
• The adversary waits for the computation of the smart card.
• If the smart card sends out a message, the identity and password pair is correct, otherwise, goes to step 1.

As there is not a limit, the adversary can try as many times as he wants, thus the adversary will finally get the correct identity and password pair. This also means our scheme can withstand the smart card lost attack, when the smart card is lost, the adversary cannot launch an offline dictionary attack to get the private key of the client.

8.5. Impersonation Attack

In the scheme of Tu et al. [3], an adversary can impersonate the server. Given the message a user sends to the server, $\left\{username,V,W\right\}$, an adversary can forge the following message, the user is unable to find out if this message is coming from an adversary or the server:

$$\mathrm{Generate}\mathrm{random}\mathrm{numnber}c,r\in Z_{n}C=c·P,K=c·V$$

$$SK=h_1\left(K\left|\right|r\left|\right|username\right)$$

$$Aut{h}_s=h_2\left(K\right|\left|W\right|\left|r\right|\left|SK\right)$$

However, in the proposed scheme, if an adversary wants to impersonate the server, it has to get $d_i^{\prime }=h\left(I{D}_i^{\prime }\right|\left|X_{GWN}\right)$, the probablity that an adversary correctly guesses $d_i^{\prime }$ is $p_{d_i}=1/\left(\left|D_{id}\right|\ast \left|D_{X_{GWN}}\right|\right)$, where $\left|D_{X_{GWN}}\right|$ means the dictionary size of the server’s private key.

8.6. Secret Information Leakage Problem

In the scheme of Tu et al. [3], if an adversary accidentally get the session ephemeral information $b$. The adversary is able to get the secret information $h\left(username\right|\left|s\right)·P$ in the following manner:

$$h\left(username\right|\left|s\right)·P=b^{-1}·V^{\prime }$$

With this secret information, the adversary can impersonate a legitimate client. However, in the proposed scheme, even the session ephemeral information is leaked, the adversary is unable to get the client’s secret information.

Finally, we get

Table 10. Security features comparison.

Security Feature	Tu et al. [3]	Chaudhry et al. [6]	Wu et al. [19]	Our Scheme
Client anonymity	×	√	√	√
Client being tracked	×	√	√	√
Reply attack	×	×	×	√
Impersonation attack	×	√	√	√
Offline dictionary attack	√	×	√	√
Smart card lost attack	√	×	√	√
Changing password	√	×	√	√
Secret information leakage problem	×	√	√	√
Perfect forward privacy	√	×	√	√

, we find that the proposed scheme has more security features than the schemes in the related works.

9. Conclusions

In this study, an authentication and key establishment scheme between remote clients and a server is proposed. The proposed scheme has been verified by AVISPA and BAN Logic, the verification results show that the proposed scheme can withstand various attacks. The proposed scheme has been simulated in C++, by comparison, it shows clearly that the proposed scheme is more efficient compared to the related works regarding the computation cost and the communication cost. Besides, the proposed has more security features compared to the related works. Our work is part of the LifeWear project, in which we focus on the safety of data transmission and identity privacy problem.