A Robust IoT-Based Three-Factor Authentication Scheme for Cloud Computing Resistant to Session Key Exposure

Wang, Feifei; Xu, Guosheng; Xu, Guoai; Wang, Yuejie; Peng, Junhao

doi:https://doi.org/10.1155/2020/3805058

Wireless Communications and Mobile Computing

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Recent Advances in Security and Privacy Issues for Internet of Things Applications

View this Special Issue

Research Article | Open Access

Volume 2020 | Article ID 3805058 | https://doi.org/10.1155/2020/3805058

A Robust IoT-Based Three-Factor Authentication Scheme for Cloud Computing Resistant to Session Key Exposure

Feifei Wang,¹Guosheng Xu,^1,2Guoai Xu,^1,2Yuejie Wang,³and Junhao Peng⁴

Academic Editor: Ghufran Ahmed

Received01 Nov 2019

Revised05 Jan 2020

Accepted20 Jan 2020

Published18 Feb 2020

Abstract

With the development of Internet of Things (IoT) technologies, Internet-enabled devices have been widely used in our daily lives. As a new service paradigm, cloud computing aims at solving the resource-constrained problem of Internet-enabled devices. It is playing an increasingly important role in resource sharing. Due to the complexity and openness of wireless networks, the authentication protocol is crucial for secure communication and user privacy protection. In this paper, we discuss the limitations of a recently introduced IoT-based authentication scheme for cloud computing. Furthermore, we present an enhanced three-factor authentication scheme using chaotic maps. The session key is established based on Chebyshev chaotic-based Diffie–Hellman key exchange. In addition, the session key involves a long-term secret. It ensures that our scheme is secure against all the possible session key exposure attacks. Besides, our scheme can effectively update user password locally. Burrows–Abadi–Needham logic proof confirms that our scheme provides mutual authentication and session key agreement. The formal analysis under random oracle model proves the semantic security of our scheme. The informal analysis shows that our scheme is immune to diverse attacks and has desired features such as three-factor secrecy. Finally, the performance comparisons demonstrate that our scheme provides optimal security features with an acceptable computation and communication overheads.

1. Introduction

With the rapid growth of Internet of Things (IoT) technologies, Internet-enabled devices have had a tremendous impact on people’s works and lives [1–3]. However, the Internet-enabled devices have limited storage, computing power, and communication ability. To solve this limitation, cloud computing emerged as a new service paradigm [4]. It provides a new method with high efficiency and convenience to realize information and resource sharing. The users are able to access the resources, services, or applications that are deployed in distributed cloud servers by utilizing a handheld device anywhere and anytime. And the control server is in charge of authorizing the users and distributed servers.

As the communication channel is open and unprotected, there are diverse and severe security threats for stealing sensitive data and resource in cloud computing environment [5, 6]. An authentication protocol is indispensable to prevent unauthorized access and protect the sensitive data and user privacy. From the first smart card-based authentication protocol [7] introduced by Yang and Shieh in 1999, there have been a large number of enhanced schemes proposed [2, 8–13]. Based on the authentication factors the user employs, the authentication schemes are divided into two-factor authentication schemes and three-factor authentication schemes. Based on the cryptosystem the authentication scheme adopts, the authentication schemes are divided into hash-based schemes, symmetric cryptosystem-based schemes, and public key cryptosystem-based schemes.

1.1. Related Works

In terms of authentication schemes for cloud computing, some proposals have been presented one after another to improve the security and efficiency [14–17]. In 2015, Tsai and Lo [18] put forward an anonymous authentication protocol using bilinear pairing, in which the user can directly login the distributed server without the help of control server. Afterwards, He et al. [19] revealed that their scheme is not resistant to server impersonation attack and put forward an enhanced scheme. In 2017, Kumari et al. [20] presented a biometric-based authentication protocol employing elliptic curve cryptosystem (ECC). However, their scheme cannot withstand known session-specific temporary information attack and fails to preserve three-factor secrecy. In 2018, Amin et al. [21] pointed out that two anonymous authentication schemes [22, 23] have weaknesses like forgery attack and session key disclosure attack and introduced a hash-based two-factor authentication scheme. Unfortunately, Wang et al. [24] revealed that their scheme still cannot resist session key disclosure attack. In 2019, Mo et al. [25] introduced an ECC-based single-server two-factor authentication protocol. But this protocol is not resistant to stolen-verifier attack. In the same year, Zhou et al. [26] put forward a two-factor authentication scheme employing hash function. But we observe that their scheme suffers from forgery attack and replay attack and does not preserve forward secrecy. For better understanding, we summarize these schemes in Table 1.

Among these schemes, the hash-based schemes [21–23, 26] are highly efficient, but they have diverse vulnerabilities, such as desynchronization attack, forgery attack, and failure to achieve forward secrecy and user anonymity. Wang et al. [27, 28] have demonstrated that public key technique is essential for achieving some security attributes such as user anonymity. However, the existing public key cryptosystem-based schemes [18, 20, 25] still have more or less security vulnerabilities due to design deficiencies. Besides, they have high computation overhead as time-consuming operations such as bilinear pairing and scalar multiplication are involved.

In addition, the security of the session key is a noteworthy issue. The existing schemes are not secure against various session key exposure attacks. A great many schemes such as the schemes in [20, 21, 25, 26] cannot withstand known session-specific temporary information attack. And many schemes such as the schemes in [21–23, 26] cannot provide forward secrecy. Besides, in some schemes like the scheme of Amin et al. [21], the attacker can even reveal the session key when he obtains the smart card [29].

1.2. Motivation and Contributions

The existing schemes suffer from various security defects or involve high computation overhead. The security attributes or the efficiency needs to be improved. In particular, the great majority of schemes fail to guarantee the security of session key, as they are subjected to various session key exposure attacks. It motivates us to present an enhanced authentication scheme that can meet the security requirements at minimum cost and be secure against all the possible session key exposure attacks. We sum up the contributions of the paper as below:(1)We reveal that Zhou et al.’s scheme [26] does not consider impersonation attack, known session-specific temporary information attack, and forward secrecy.(2)We put forward an enhanced three-factor authentication scheme using chaotic maps. The session key comprises of a long-term secret value and the secret key generated by Chebyshev chaotic-based Diffie–Hellman key exchange. It can prevent all kinds of session key exposure attacks. The use of Chebyshev chaotic maps contributes to the establishment of secure session key and simultaneously reduces the computation cost.(3)The Burrows–Abadi–Needham logic proof confirms the completeness of our scheme. The formal analysis under the random oracle model proves the semantic security of session key. And the informal analysis shows that our scheme can resist all kinds of potential attacks and provide desired properties like three-factor secrecy. The performance comparisons demonstrate that our scheme has high security, and its computation and communication overheads are acceptable.

1.3. Organization of the Paper

The rest of the paper is formed as below. We give some background materials in Section 2. We reveal the security defects of Zhou et al.’s scheme in Section 3. We present the enhanced three-factor authentication scheme in Section 4. We discuss the security of our scheme using several widely accepted security analysis methods in Section 5. We present the performance comparisons of our scheme and related schemes in Section 6. The conclusion is given in Section 7.

2. Preliminaries

2.1. Chebyshev Chaotic Maps

According to Zhang [30], the enhanced Chebyshev polynomial is defined as , where , , and p is a big prime. The Chebyshev polynomials satisfy commutative law, i.e., .

There is a hard mathematical problem on Chebyshev polynomials:(i)Chebyshev chaotic Diffie–Hellman problem (CHDHP): for given , , and , the computation of is infeasible.

2.2. Adversary Model

Based on [31], the abilities of adversary are summarized as below:(i)The adversary can eavesdrop, replay, block, or alter the transmitted messages in open channel(ii)When testing forward secrecy, the adversary can obtain control server’s master key or cloud server’s secret key(iii)The adversary can disclose the password or the parameters of smart card(iv)When testing three-factor secrecy, the adversary is capable of obtaining any two kinds of authentication factors

2.3. Notations

The notations of the paper are presented in Table 2.

3. Cryptanalysis of Zhou et al.’s Scheme

We briefly review Zhou et al.’s scheme [26] and point out its limitations in this section. In their scheme, the attacker can perform impersonation attack by replaying the intercepted message. Besides, their scheme is vulnerable to two kinds of session key exposure attacks.

3.1. Review of Zhou et al.’s Scheme

3.1.1. User Registration Phase

delivers an enrollment request to CS in this phase. Step 1: picks his identity , pseudoidentity , and password . Then selects a random number and calculates . Afterwards, delivers the registration request to CS via the secure channel. Step 2: after getting , CS checks if is valid. If it holds, CS computes and . CS saves in its database and returns to via the secure channel. Step 3: after receiving , computes , , and . Then, stores in the memory of a smart card.

3.1.2. Cloud Server Registration Phase

CS distributes the secret key to in this phase. Step 1: chooses its identity and pseudoidentity and delivers to CS via the secure channel. Step 2: after getting , CS computes and . CS delivers to via the secure channel. Step 3: keeps as secret.

3.1.3. Login and Authentication Phase

and authenticate each other in the assistance of CS as shown in Figure 1. Step 1: inputs and . The smart card picks a new pseudoidentity , computes , , , , , , , and , where is a nonce. The smart card delivers the login request to via the public channel. Step 2: upon receiving , picks a new pseudoidentity . computes , , , and , where is a random number. sends to CS via the public channel. Step 3: after receiving , CS computes , , , and , and verifies if . If the equation holds, CS computes , , , and , and verifies if . If it holds, proceed next step, otherwise, the protocol aborts. Step 4: CS computes , , , , , , and , where is a nonce. CS sends {} to . Step 5: after receiving , computes , , and verifies if . If it holds, computes . keeps as secret and removes . delivers to . Step 6: after receiving {}, the smart card computes , , and checks if . If they are equal, the smart card calculates , stores , and removes .

3.2. Cryptanalysis of Zhou et al.’s Scheme

In this section, we reveal that Zhou et al.’s scheme suffers from replay attack, user impersonation attack, server impersonation attack, and known session-specific temporary information attack and fails to provide forward secrecy.

3.2.1. Forward Secrecy

Forward secrecy ensures that when the long-term secret is compromised, the attacker still cannot reveal the established session key. In Zhou et al.’s scheme, with the master key s, the attacker can reveal as follows: Step 1: the attacker intercepts and from the public channel Step 2: the attacker computes , , , , and

When the long-term secret s is compromised, all the established session keys will be disclosed.

3.2.2. User Impersonation Attack

User impersonation attack denotes that the attacker can masquerade as a valid user to login the cloud server. This attack is performed as follows: Step 1: the attacker intercepts from the public channel and sends this message to . Step 2: upon receiving , handles this message and sends to CS. Step 3: CS handles the message . As , , CS sends back to . Step 4: handles . As , sends to the attacker.

and CS believe that comes from the legitimate user . Without compromising the smart card, the attacker can impersonate the user by replaying . Zhou et al.’s scheme is vulnerable to user impersonation attack.

3.2.3. Server Impersonation Attack

Server impersonation attack denotes that the attacker can masquerade as a valid cloud server to deceive the user. This attack is performed as follows: Step 1: the attacker intercepts the message from the public channel. Step 2: when intercepting a new login request from the public channel, the attacker sends to CS. Step 3: CS handles . As , , CS returns to the attacker. Step 4: the attacker delivers to . Step 5: after receiving , as , believes that the attacker is the legitimate cloud server .

In that delivers to CS, is completely independent with . CS verifies the validity of the two messages independently. It leads that the attacker can impersonate the cloud server by replaying .

3.2.4. Known Session-Specific Temporary Information Attack

This attack denotes that when the temporary secret such as random number is compromised, the attacker can reveal the established session key. With the random number , the attacker reveals the session key as follows: Step 1: the attacker intercepts and from the public channel. Step 2: when generates a new login request using and sends to . The attacker intercepts from the public channel. Step 3: the attacker computes and .

In Zhou et al.’s scheme, if the random number α is compromised, the attacker can reveal the session key. Zhou et al.’s scheme is vulnerable to known session-specific temporary information attack.

4. The Proposed Scheme

A robust three-factor authentication scheme for cloud computing is put forward in this section. The proposed scheme is described as below.

4.1. System Setup Phase

CS picks its master key . CS also selects a nonce y as its secret value. CS picks a hash function and a symmetric cryptosystem . In addition, CS publishes the Chebyshev polynomial’s parameters .

4.2. User Registration Phase

transmits the enrollment request to CS in this phase, as shown in Figure 2. Step 1: selects his identity and password as he wishes, imprints his biometric , and calculates . Then, delivers {} to CS through the secure channel. Step 2: after receiving {}, CS picks two random numbers , calculates , , , and , where the integer satisfies . CS saves into its database. Moreover, CS stores parameters in a smart card and delivers it to .

4.3. Cloud Server Registration Phase

CS issues the secret key to in this phase. Step 1: delivers its identity to CS through the secure channel. Step 2: after receiving , CS calculates . CS sends back to through the secure channel. Step 3: keeps as secret.

4.4. Login and Authentication Phase

and perform mutual authentication by the aide of CS in this phase, as shown in Figure 3. Step 1: inputs his identity and password and imprints the biometric . Then, the smart card calculates and and verifies whether is equal to . If it holds, the smart card calculates , , , and , where is a nonce and is the current timestamp. is delivered to through the open channel. Step 2: after getting , verifies whether is fresh. If it holds, generates a random number and calculates , , , and , where is the current timestamp. sends to CS via the public channel. Step 3: after receiving , CS checks the freshness of and computes , , , and and verifies , . If , , the smart card is probably compromised. For the item , CS performs . When it reaches the preset value, CS suspends . If , , CS believes the authenticity of and performs the next step. Step 4: CS computes , , , and , and verifies . If it holds, CS believes the authenticity of . Otherwise, the protocol terminates. Step 5: CS picks a nonce , computes , , , and , where is the current timestamp. CS transmits to through the open channel. Step 6: after getting , checks the freshness of and computes , and verifies . If they are equal, authenticates the user successfully. computes , , and . transmits to via the public channel. Step 7: upon receiving , the smart card checks the freshness of . Then, the smart card computes , , , , and , and checks . If it holds, authenticates the cloud server successfully. The smart card replaces with in the memory.

4.5. Password Update Phase

The original password is replaced by a new password in this phase. Step 1: enters and and imprints . The smart card calculates and , and verifies whether is equal to . If they are not equal, the protocol terminates. Step 2: keys a new password . The smart card computes , , and . The smart card replaces , with , .

5. Security Analysis

In this section, Burrows–Abadi–Needham (BAN) logic [32] proof demonstrates the completeness of our scheme. The formal analysis under the random oracle model shows that our scheme provides semantic security. Moreover, the informal analysis proves that our scheme is not susceptible to known attacks.

5.1. BAN Logic Proof

We confirm the correctness of our scheme in this section. Table 3 lists the notations and rules of BAN logic.

Our scheme ought to fulfil the goals as below. Goal 1: Goal 2: Goal 3: Goal 4:

We idealize our scheme as below: M1: M2a: M2b: M3: M4a: M4b:

The analysis of our scheme is based on the following initial assumptions: A1: A2: A3: A4: A5: A6: A7: A8: A9: A10: A11: A12:

The analysis of the proposed scheme is as follows.

According to M2a, we get(1) From (1), A1, applying Rule 1, we get(2) From (2), A2, applying Rule 2, we get(3) From (3), A3, applying Rule 3, we get(4) According to M3, we get(5) From (5), A4, applying Rule 1, we get(6) From (6), A5, applying Rule 2, we get(7) From (7), A6, applying Rule 3, we get(8) From (8), and , we get(9) Goal 1 From (9), A7, applying Rule 3, we get(10) Goal 2 According to M4a, we get(11) From (11), A8, applying Rule 1, we get(12) From (12), A9, applying Rule 2, we get(13) From (13), A10, applying Rule 3, we get(14) According to M4b, we get(15) From (14), (15), applying Rule 1, we get(16) From (16), A11, applying Rule 2, we get(17) Goal 3 From (17), A12, applying Rule 3, we get(18) Goal 4

5.2. Formal Security Analysis

Based on the security model of two-factor authentication presented by Wang and Wang [33], we put forward a security model of three-factor authentication for cloud computing. Afterwards, we prove the semantic security of our scheme in this model.

5.2.1. Formal Security Model

(1) Participants. There are multiple instances of the control server CS, the cloud server , and the user in the authentication scheme for cloud computing. We use , , and to denote these instances.

(2) Queries. The attacker is capable of making the queries as follows: Execute : by making this query, the attacker can obtain the messages delivered via the open channel. Send : by making this query, the attacker can impersonate the principal to send a message . If is valid, a response is sent back to the attacker. Reveal : by making this query, the attacker can get the session key of , if the principal involves a session key. Corrupt : by making this query, the attacker is capable of getting one or two types of user authentication information. When , the attacker acquires the password. When , the attacker acquires the smart card. When , the attacker acquires the biometric. Corrupt : by making this query, the attacker can obtain cloud server’s secret key or CS’s master key. This oracle corresponds to the forward secrecy. Test : if the principal is fresh (see below) and involves a session key , the oracle spins a coin b. When , it sends back to the attacker. When , it sends back a random string to the attacker. This oracle is used to simulate the semantic security of session key. The attacker is capable of asking this query only once.

(3) Freshness. We say is fresh, if the following conditions are met:

(1) is accepted and involves a (2)The attacker never makes Corrupt or Reveal query

(4) Semantic Security. After making the above queries, the attacker tries to reveal the value of in test query. The advantage of the attacker in breaking the semantic security is defined as follows:

If for all the attackers, is negligible, the authentication scheme provides semantic security.

5.2.2. Formal Security Analysis

Theorem 1. Let the password space be subject to Zipf distribution [34]. A polynomial-time attacker runs against our scheme. We presume can ask less than Execute queries, Send queries, Biohash queries, Hash queries, and Encryption/Decryption queries. We havewhere are the length of hash output, bio-hash output, and symmetric encryption output, respectively. is the advantage of in solving CHDHP. When using the Tianya password distribution [34], we have , , and .

Proof. In order to obtain , we define the games , where corresponds to the real attack. is the advantage of in revealing b in game . : as it simulates the real attack, we get, : in this game, a hash list is used to simulate the hash oracle. A biohash list is used to simulate the biohash oracle. And an encryption/decryption list is used to simulate the encryption/decryption oracle. For a hash query , if the hash value of already exists in , the oracle sends back the hash value. Otherwise, the oracle selects a nonce as the answer of and stores in . The biohash oracle is performed in the similar way. For an encryption query , the oracle firstly uses and to search , If there exists an tuple , it answers . Otherwise, it sends back a random string to the adversary and stores in . For an decryption query , the oracle uses and to search . If there exists a tuple , it answers . Otherwise, it sends back a random string to the adversary, and stores in . is indistinguishable from . We get : in this game, we terminate the execution when encountering some collisions.(1)The collision occurs on the outputs of hash function or biohash function with the probability of (2)The collision occurs on the outputs of symmetric encryption with the probability of (3)The collision occurs on the transcripts of messages, with the probability of We get : in this game, we terminate the execution when guesses . The probability is at most . We get : in this game, we terminate the execution when guesses user’s authentication value . The probability is less than . We obtain : in this game, we terminate the execution when has computed with the help of Corrupt .(1)When Corrupt , is able to guess the biometric with the probability of (2)When Corrupt , is able to guess the password with the probability of .(3)When Corrupt , is able to guess with the probability of . We obtain : we use the private hash oracle rather than the hash oracle to compute the session key. knows nothing about . Thus, we have : it is indistinguishable from , unless a hash query is made by . We use to denote this event. We have

If the hash query has been asked, by selecting randomly in , we can obtain with the probability of . We get

From (3)–(11), we have

5.3. Informal Security Analysis

In this section, we prove that our scheme is resistant to diverse attacks. Particularly, our scheme is secure against all kinds of session key exposure attacks, as the session key is generated based on the long-term secret and Chebyshev chaotic-based Diffie–Hellman key exchange. Besides, we demonstrate that the proposed scheme preserves desired properties such as user anonymity and three-factor secrecy.

5.3.1. User Anonymity

In our scheme, only the control server who has the secret key y can retrieve from . In addition, after authenticating , CS generates a new pseudoidentity and delivers the encrypted to . is encrypted with the secret key by CS. Only is able to compute and obtain . The attacker knows nothing about , and hence he cannot link with . It makes the user identity untraceable. Consequently, our scheme achieves user anonymity.

5.3.2. Resistance to Off-Line Guessing Attack

As the fuzzy verifier is employed in our scheme as suggested in [33], even if the attacker obtains the smart card as well as biometric at the same time, he is unable to reveal the password. With the smart card and biometric, the attacker chooses one pair of identity and password from dictionary space and checks if . However, there are a great many candidates conforming to . In order to distinguish the correct one from so many candidates, there is no alternative but to launch online guessing attack. However, we employ the “honeywords” technique [33] to prevent this attack. When the number of online guessing attacks reaches the preset value, for example, 10, is suspended. Consequently, our scheme can resist off-line guessing attack.

5.3.3. Resistance to Session Key Disclosure Attack

The session key is computed using and . is the secret key generated by the Chebyshev chaotic-based Diffie–Hellman key exchange. Only and who know the random number or are able to compute . is computed based on the long-term secret . Only and CS who have are able to compute . Besides, is transmitted to by means of symmetric encryption with the secret key . Only and CS who have are able to reveal . Both and are unavailable to the attacker. Therefore, our scheme can resist this attack.

5.3.4. Forward Secrecy

Suppose that the attacker has acquired the master key s, he is able to compute . However, is the secret key generated by the Chebyshev chaotic-based Diffie–Hellman key exchange. To reveal , there is no alternative but to solve the CHDHP. Therefore, our scheme preserves forward secrecy.

5.3.5. Resistance to Session-Specific Temporary Information Attack

Assume that the attacker has acquired the random number . To compute , is required. is encrypted using the secret key or , where and . To retrieve , the attacker needs to reveal or . Assume that the attacker has acquired the random number , the attacker can calculate . Afterwards, to derive , the attacker has to get or . However, is only known to and CS, is only known to and CS. Therefore, the attacker cannot reveal the session key when the nonce is disclosed.

5.3.6. Resistance to Forgery Attack

In our scheme, the hash values of the transmitted parameters and the secret value , are used to ensure message integrity and verify the sender’s identity. As and are unavailable to the attacker, he cannot generate a message that is verified to be valid by the recipient.

5.3.7. Resistance to Desynchronization Attack

In each message, the hash value is used to ensure that the transmitted parameters are not tampered with. If the attacker alters a parameter of a message, the receiver will find that the received hash value is not equal to the one he computes, and the protocol terminates. Besides, if the attacker blocks a message, as it does not change the long-term parameters the participants have, it does not affect the user’s next login. For instance, if the attacker blocks the message , the user fails to update his pseudoidentity. But with , the user still is able to access the cloud server.

5.3.8. Resistance to Replay Attack

In the proposed scheme, every message contains a timestamp. And the timestamps are involved in the hash values . Upon receiving a message, the receiver first verifies whether the timestamp is fresh. If it holds, the receiver continues to process the message. Otherwise, the protocol aborts.

5.3.9. Resistance to Privileged Insider Attack

The user never submits his biometric or password to CS at registration. On the other hand, the user cannot masquerade as a cloud server or CS, as is unavailable. The cloud server cannot masquerade as a user or CS, as is unavailable. Therefore, our scheme is immune to such an attack.

5.3.10. Resistance to Man-in-the-Middle Attack

In each message, the hash value of the transmitted parameters and the secret , are computed to ensure message integrity and verify the sender’s identity. As and are unavailable, the attacker is unable to generate a valid message to replace the intercepted one. Consequently, the attacker is unable to launch man-in-the-middle attack.

5.3.11. Mutual Authentication

In our scheme, based on the authentication value , CS verifies the authenticity of by checking . Based on the secret key , CS verifies the authenticity of by checking . If and , CS believes that and are legitimate and sends a response message to . After getting the response message from CS, verifies the authenticity of CS and by checking . If it holds, believes that and CS are legitimate and sends back a response message to . Afterwards, verifies the authenticity of CS and by checking . If it holds, believes that CS and are legitimate. Therefore, our scheme provides mutual authentication among CS, , and .

5.3.12. Resistance to Eavesdropping Attack

The attacker can intercept messages from public channel. However, the secret parameters such as the user authentication value , the user identity, the cloud server’s secret key , and the session key are protected with hash function and symmetric encryption. The attacker cannot acquire any useful information from the intercepted messages and uses them to launch active attacks.

5.3.13. Resistance to All Kinds of Session Key Exposure

The session key consists of two parts, and . is generated by Chebyshev chaotic-based Diffie–Hellman key exchange. is computed using the cloud server’s secret key as well as a Chebyshev polynomial. The purpose of is to make sure that our scheme can be resistant to known key attack, as well as preserve forward secrecy. The purpose of is to make sure that our scheme can withstand session-specific temporary information attack. The attacker can reveal neither nor . Hence, our scheme is resistant to all kinds of session key exposure attacks.

5.3.14. Three-Factor Secrecy

When the attacker reveals the biometric and smart card, he cannot retrieve the password as shown in 5.3.2. When the attacker reveals the smart card and password, he cannot retrieve the biometric from as the hash function is irreversible. With the biometric and password, the attacker cannot retrieve the critical data of smart card. Hence, our scheme preserves three-factor secrecy.

Most of the existing three-factor authentication schemes fail to preserve three-factory secrecy, because when the biometric and smart card is disclosed, the attacker can guess user’s password based on the verification value that is used to verify the validity of the inputted password and biometric in smart card. However, our scheme employs the fuzzy verifier and “honeywords” technique to prevent revealing of the password.

6. Performance Comparisons

We give the comparisons of our scheme and the recently proposed schemes [20, 21, 25, 26, 35, 36] with regard to security attributes, communication, and computation costs in this section.

The security comparison is given in Table 4. Note that, as Mo et al.’s scheme is designed for single-server environment, it only involves a single cloud server. Ghani et al.’s scheme does not establish session key. We summarize the security requirements of authentication protocol, and based on it, we analyzes the security properties of related schemes in Table 4. It indicates that only the proposed scheme meets all the security requirements, while the related schemes have diverse weaknesses. The security of our scheme is superior to the hash function-based schemes [21, 26], the symmetric cryptosystem-based schemes [35, 36], as well as ECC-based schemes [20, 25].

In Table 5, we presents the computation cost, the communication overhead, and the smart card storage cost of the related schemes concerning the login and authentication phase. Furthermore, the computation cost comparison, communication overhead comparison, and smart card storage cost comparison are shown in Figure 4, Figure 5, and Figure 6, respectively. As shown in Figure 4, the computation overhead of our scheme is not as good as the hash-based schemes and the symmetric cryptosystem-based schemes, as public key operations are used to guarantee the security. But it is obviously better than the ECC-based schemes. As shown in Figure 5, the communication cost of our scheme is higher than Mo et al.’s scheme and Ghani et al.’s scheme, but it is lower than the other schemes. As shown in Figure 6, the storage cost of our scheme is inferior to Amin et al.’s scheme and Ghani et al.’s scheme, but it is superior to the other schemes.

, , , and denote a hash function, a biohash function, a symmetric encryption/decryption, and a Chebyshev polynomial, respectively. and denote a point multiplication and a point addition on elliptic curve group. The computing time of lightweight operation “XOR” is negligible. In accordance with [3, 37], when performed on a smart phone with a Hisilicon kirin 960 CPU, 6 GB RAM, and the storage of 64 GB, the computations of , , , , , and take 0.5 ms, 8.7 ms, 63.075 ms, 0.262 ms, 21.02 ms, and 21.02 ms, respectively. Besides, we assume that the bit length of timestamp, random number, the user identity, the identity of cloud server, the hash value, Chebyshev polynomial, and the output of symmetric encryption are 128 bits. The point on elliptic curve group is 160 bits.

The hash-based schemes and the symmetric cryptosystem-based schemes have obvious advantage in efficiency as they just involve lightweight cryptographic operations. However, they suffer from various security vulnerabilities. In Zhou et al.’s scheme, the attacker is capable of impersonating the user and the cloud server by replaying the intercepted message. In Amin et al.’s scheme, the attacker can retrieve user’s password, disclose the session key, and impersonate the user when smart card is compromised. Martinez-Pelaez et al.’s scheme and Ghani et al.’s scheme are vulnerable to diverse and serious security weaknesses. They are unable to provide the essential security protection.

The ECC-based schemes have low efficiency. They have better security than the hash-based schemes and the symmetric cryptosystem-based schemes, but still have security flaws. In Mo et al.’s scheme, the attacker can impersonate the user when the verifier table is leaked. Kumari et al.’s scheme achieves many security features, but it does not provide three-factor secrecy.

In terms of the security of session key, only our scheme is resistant to all kinds of session key exposure attacks, as Chebyshev chaotic-based Diffie–Hellman key exchange and the long-term secret are used to establish the session key. None of the related schemes can withstand known session-specific temporary information attack. If one communication end uses unsecure random number generator, it will lead to the disclosure of the session key. The hash-based schemes and the symmetric cryptosystem-based schemes are unable to provide forward secrecy. The ECC-based schemes provide forward secrecy, as the elliptic curve-based Diffie–Hellman key exchange is employed. Furthermore, in Amin et al.’s scheme and Martinez-Pelaez et al.’s scheme, the attacker can retrieve the session key when the smart card is compromised.

To sum up, the security of our scheme is optimal. In addition, its computation and communication overheads are obviously lower than the ECC-based schemes. Hence, our scheme is more practical.

7. Conclusion

In this paper, we pointed out that Zhou et al.’s scheme is unable to provide the essential security protection for cloud computing, as it does not consider replay attack, known session-specific temporary information attack, and forward secrecy. Furthermore, we present a novel IoT-based three-factor authentication scheme for cloud computing using chaotic maps. The use of Chebyshev chaotic maps guarantees the security of session key and simultaneously reduces the computation cost. In addition, the BAN logic analysis demonstrates that our scheme achieves mutual authentication as well as session key negotiation. The formal analysis confirms the semantic security of session key. The informal analysis proves that our scheme can withstand known attacks and achieve desired attributes such as user anonymity and resistance to all kinds of session key exposure attacks. Finally, the performance comparisons show that our scheme has significant advantage compared with the related schemes. As our scheme has high security, it is especially applicable to the security-critical cloud applications such as cloud-based healthcare systems. Afterwards, on the basis of our current work, we plan to make further study on the authentication protocol for smart healthcare systems.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Acknowledgments

This research was funded by the National Key Research and Development Program of China under Grant no. 2018YFB0803600, the National Natural Science Foundation of China under Grant no. 61831003, and the National Natural Science Foundation of China under Grant no. 61873069.

References

W. Ding, X. Jing, Z. Yan, and L. T. Yang, “A survey on data fusion in Internet of Things: towards secure and privacy-preserving fusion,” Information Fusion, vol. 51, pp. 129–144, 2019.
View at: Publisher Site | Google Scholar
Q. Jiang, Y. Qian, J. Ma, X. Ma, Q. Cheng, and F. Wei, “User-centric three-factor authentication protocol for cloud-assisted wearable devices,” International Journal Communication Systems, vol. 32, no. 6, p. e3900, 2019.
View at: Publisher Site | Google Scholar
S. Roy, S. Chatterjee, A. K. Das, S. Chattopadhyay, S. Kumari, and M. Jo, “Chaotic map-based anonymous user authentication scheme with user biometrics and fuzzy extractor for crowdsourcing internet of things,” IEEE Internet of Things Journal, vol. 5, no. 4, pp. 2884–2895, 2018.
View at: Publisher Site | Google Scholar
J. Tang, Y. Cui, Q. Li, K. Ren, J. Liu, and R. Buyya, “Ensuring security and privacy preservation for cloud data services,” ACM Computing Surveys, vol. 49, no. 1, pp. 1–39, 2016.
View at: Publisher Site | Google Scholar
W. Meng, W. H. Lee, S. R. Murali, and S. P. T. Krishnan, “Charging me and I know your secrets!: towards juice filming attacks on smartphones,” in Proceedings of the 2015 ACM Workshop on Cyber-Physical System Security, ACM, Singapore, April 2015.
View at: Google Scholar
P. Gope and A. K. Das, “Robust anonymous mutual authentication scheme for,” IEEE Internet of Things Journal, vol. 4, no. 5, pp. 1764–1772, 2017.
View at: Publisher Site | Google Scholar
W. H. Yang and S. P. Shieh, “Password authentication schemes with smart cards,” Computers & Security, vol. 18, no. 8, pp. 727–733, 1999.
View at: Publisher Site | Google Scholar
F. Wu, L. Xu, and X. Li, “A new chaotic map-based authentication and key agreement scheme with user anonymity for multi-server environment,” in Proceedings of the International Conference on Frontiers Computing 2017, vol. 464, pp. 335–344, Osaka, Japan, July 2017.
View at: Publisher Site | Google Scholar
Q. Jiang, J. Ma, C. Yang, X. Ma, J. Shen, and S. A. Chaudhry, “Efficient end-to-end authentication protocol for wearable health monitoring systems,” Computers & Electrical Engineering, vol. 63, pp. 182–195, 2017.
View at: Publisher Site | Google Scholar
A. Ostad-Sharif, H. Arshad, M. Nikooghadam, and D. Abbasinezhad-Mood, “Three party secure data transmission in IoT networks through design of a lightweight authenticated key agreement scheme,” Future Generation Computer Systems, vol. 100, pp. 882–892, 2019.
View at: Publisher Site | Google Scholar
X. Huang, X. Chen, J. Li, Y. Xiang, and L. Xu, “Further observations on smart-card-based password-authenticated key agreement in distributed systems,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 7, pp. 1767–1775, 2014.
View at: Publisher Site | Google Scholar
M. Wazid, A. K. Das, S. Kumari, X. Li, and F. Wu, “Design of an efficient and provably secure anonymity preserving three-factor user authentication and key agreement scheme for TMIS,” Security and Communication Networks, vol. 9, no. 13, pp. 1983–2001, 2016.
View at: Publisher Site | Google Scholar
F. Wang, G. Xu, C. Wang, and J. Peng, “A provably secure biometrics-based authentication scheme for multiserver environment,” Security and Communication Networks, vol. 2019, Article ID 2838615, 15 pages, 2019.
View at: Publisher Site | Google Scholar
V. Odelu, A. K. Das, S. Kumari, X. Huang, and M. Wazid, “Provably secure authenticated key agreement scheme for distributed mobile cloud computing services,” Future Generation Computer Systems, vol. 68, pp. 74–88, 2017.
View at: Publisher Site | Google Scholar
P. Chandrakar and H. Om, “A secure and robust anonymous three-factor remote user authentication scheme for multi-server environment using ECC,” Computer Communications, vol. 110, pp. 26–34, 2017.
View at: Publisher Site | Google Scholar
C. Wang, K. Ding, B. Li et al., “An enhanced user authentication protocol based on elliptic curve cryptosystem in cloud computing environment,” Wireless Communications and Mobile Computing, vol. 2018, Article ID 3048697, 13 pages, 2018.
View at: Publisher Site | Google Scholar
M. R. Ogiela and L. Ogiela, “Expert knowledge-based authentication protocols for cloud computing applications,” in Proceedings of the 10th International Conference on Intelligent Networking and Collaborative Systems, vol. 23, pp. 82–27, Oita, Japan, September 2019.
View at: Publisher Site | Google Scholar
J. L. Tsai and N. W. Lo, “A privacy-aware authentication scheme for distributed mobile cloud computing services,” IEEE Systems Journal, vol. 9, no. 3, pp. 805–815, 2015.
View at: Publisher Site | Google Scholar
D. He, N. Kumar, M. K. Khan, L. Wang, and J. Shen, “Efficient privacy-aware authentication scheme for mobile cloud computing services,” IEEE Systems Journal, vol. 12, no. 2, pp. 1621–1631, 2018.
View at: Publisher Site | Google Scholar
S. Kumari, X. Li, F. Wu, A. K. Das, K. R. Choo, and J. Shen, “Design of a provably secure biometrics-based multi-cloud-server authentication scheme,” Future Generation Computer Systems, vol. 68, pp. 320–330, 2017.
View at: Publisher Site | Google Scholar
R. Amin, N. Kumar, G. P. Biswas, R. Iqbal, and V. Chang, “A lightweight authentication protocol for IoT-enabled devices in distributed cloud computing environment,” Future Generation Computer Systems, vol. 78, pp. 1005–1019, 2018.
View at: Publisher Site | Google Scholar
K. Xue, P. Hong, and C. Ma, “A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture,” Journal of Computer and System Sciences, vol. 80, no. 1, pp. 195–206, 2014.
View at: Publisher Site | Google Scholar
M. C. Chuang and M. C. Chen, “An anonymous multi-server authenticated key agreement scheme based on trust computing using smartcards and biometrics,” Expert Systems with Applications, vol. 41, no. 4, pp. 1411–1418, 2014.
View at: Publisher Site | Google Scholar
P. Wang, B. Li, H. Shi, Y. Shen, and D. Wang, “Revisiting anonymous two-factor authentication schemes for IoT-enabled devices in cloud computing environments,” Security and Communication Networks, vol. 2019, Article ID 2516963, 13 pages, 2019.
View at: Publisher Site | Google Scholar
J. Mo, Z. Hu, H. Chen, and W. Shen, “An efficient and provably secure anonymous user authentication and key agreement for mobile cloud computing,” Wireless Communications and Mobile Computing, vol. 2019, Article ID 4520685, 12 pages, 2019.
View at: Publisher Site | Google Scholar
L. Zhou, X. Li, K. Yeh, C. Su, and W. Chiu, “Lightweight IoT-based authentication scheme in cloud computing circumstance,” Future Generation Computer Systems, vol. 91, pp. 244–251, 2019.
View at: Publisher Site | Google Scholar
D. Wang, D. He, P. Wang, and C. Chu, “Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 4, pp. 428–442, 2015.
View at: Publisher Site | Google Scholar
D. Wang and P. Wang, “On the anonymity of two-factor authentication schemes for wireless sensor networks: attacks, principle and solutions,” Computer Networks, vol. 73, pp. 41–57, 2014.
View at: Publisher Site | Google Scholar
S. Chatterjee, S. Roy, A. K. Das, S. Chattopadhyay, N. Kumar, and A. V. Vasilakos, “Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 5, pp. 824–839, 2018.
View at: Publisher Site | Google Scholar
L. Zhang, “Cryptanalysis of the public key encryption based on multiple chaotic systems,” Chaos Solitons & Fractals, vol. 37, no. 3, pp. 669–674, 2008.
View at: Publisher Site | Google Scholar
D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.
View at: Publisher Site | Google Scholar
M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,” ACM Tansactions on Computer Systems, vol. 8, no. 1, pp. 18–36, 1990.
View at: Publisher Site | Google Scholar
D. Wang and P. Wang, “Two birds with one stone: two-factor authentication with security beyond conventional bound,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 4, pp. 708–722, 2018.
View at: Publisher Site | Google Scholar
D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s law in passwords,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
View at: Publisher Site | Google Scholar
A. Ghani, K. Mansoor, S. Mehmood, S. A. Chaudhry, A. U. Rahman, and M. N. Saqib, “Security and key management in IoT-based wireless sensor networks: an authentication protocol using symmetric key,” International Journal of Communication Systems, vol. 32, no. 16, p. e4139, 2019.
View at: Publisher Site | Google Scholar
R. Martínez-Peláez, H. Toral-Cruz, J. Parra-Michel et al., “An enhanced lightweight IoT-based authentication scheme in cloud computing circumstances,” Sensors, vol. 19, no. 9, p. 2098, 2019.
View at: Publisher Site | Google Scholar
D. Abbasinezhad-Mood and M. Nikooghadam, “Efficient anonymous password-authenticated key exchange protocol to read isolated smart meters by utilization of extended Chebyshev chaotic maps,” IEEE Transactions on Industrial Informatics, vol. 14, no. 11, pp. 4815–4828, 2018.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2020 Feifei Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1682

Downloads

1258

Citations