Secure user authentication scheme with novel server mutual verification for multiserver environments

The fast growth of mobile services and devices has made the conventional single-server architecture ineffective with respect to its functional requirements. To extend the scalability and availability of mobile services to various applications, a multiserver architecture is required. In 2016, Moon et al insisted that Lu et al's scheme is vulnerable to insider and impersonation attacks, and they proposed a biometric-based scheme for authentication and key agreement of users in multiserver environments. Unfortunately, we analyze Moon et al's scheme and demonstrate that it does not withstand various attacks from a malicious registered server. We propose a user authentication scheme with server mutual verification to overcome these security drawbacks. The proposed scheme withstands attacks from malicious insiders in multiserver environments. We use threshold cryptography to strengthen the process of server authorization and to provide better security functionalities. We then prove the authentication and session key of the proposed scheme using Burrows-Abadi-Needham (BAN) logic and show that the proposed scheme is secure against various attacks.


INTRODUCTION
The rapid development of mobile devices and wireless networks allows users to access various services conveniently,[1] and the changes these developments have brought to daily life are enormous. The proliferation of network technologies enables people to use advanced services such as e-healthcare.[2] Wireless body area networks (WBANs) are used to monitor the physical condition of patients continuously.[3] The telecare medical information system (TMIS) is another advanced medical information system.[4,5] Medical sensor devices are becoming intelligent and informative, and these powerful sensors are interconnected with medical servers, other devices, and medical staff.[6,7] For the efficiency and convenience of medical systems, the conventional single-server architecture should also change: to extend the availability of medical services, a multiserver architecture is required. On the other hand, because of the open nature of mobile networks, the growing number of mobile devices and services raises several security concerns.[8] Among all of them, user authentication is a prerequisite. Hence, an authentication process between a user and the service providers is necessary before a user is permitted to access services, especially in multiserver environments.[9] Lamport[10] first presented an authentication scheme for users over an insecure channel in 1983. After that, several user authentication schemes using passwords, smart cards, biometrics, or combinations of these were proposed for the single-server environment.[11,12] In a single-server environment, a user must register with each server independently to gain access, which limits the extension of mobile services: not only do users experience the inconvenience of registering with servers separately, but the capacity of a server for handling all users may be exceeded.[13]

To solve this problem, the multiserver structure was proposed, and several multiserver user authentication schemes followed.[14-22] In 2005, Tian et al[14] analyzed a previous work and proposed an enhanced authenticated key exchange protocol on the elliptic curve cryptosystem (ECC). However, Yang and Chang[15] claimed that Tian et al's scheme makes the computation load and energy cost of mobile devices very high, and they proposed an ID-based remote mutual authentication scheme on ECC that is more practical and efficient for mobile devices. In 2010, Yoon and Yoo[16] analyzed a previous work and pointed out that it is vulnerable to insider and impersonation attacks; they then proposed a secure user authentication scheme on ECC using biometrics to fit multiserver environments, and insisted that their scheme is secure and suitable for distributed multiserver environments. In 2012, He and Wang[17] proposed an ID-based client authentication scheme for the mobile client-server environment on ECC, but Odelu et al[18] showed design flaws in He and Wang's scheme and proposed a secure biometrics-based scheme. Recently, Chuang and Chen[19] proposed a multiserver authenticated key agreement scheme with anonymity based on trust computing, which resists several kinds of attacks. However, Mishra et al[20] found that their scheme is vulnerable to several attacks, such as stolen smart card, server forgery, and impersonation attacks, and proposed a security-enhanced multiserver authentication scheme with anonymity combining smart cards and biometrics. In 2015, Lu et al[21] found that Mishra et al's scheme is weak against replay attacks and does not provide an appropriate password change; they proposed a security-enhanced authentication scheme and demonstrated that it withstands various attacks. In 2016, Moon et al[22] insisted that Lu et al's scheme is prone to insider and impersonation attacks, and proposed a user authentication scheme using biometrics for authentication and key agreement in multiserver environments. In 2017, Guo et al[23] demonstrated that Moon et al's scheme still has security weaknesses, such as lack of anonymity, insider attack, server spoofing attack, ID guessing attack, and user impersonation attack, and proposed a robust anonymous biometric-based authenticated key agreement scheme. However, they used a public key cryptosystem (PKC) to overcome the security flaws of Moon et al's scheme, which increased the computation and communication overheads.
In this paper, we demonstrate that Moon et al's scheme still fails to provide security against a number of attacks, especially from a malicious server. We cryptanalyze Moon et al's scheme considering a malicious server and show its vulnerabilities: lack of anonymity, lack of perfect forward secrecy, and impersonation attack. We further propose a user authentication scheme on ECC with server mutual verification to provide robustness against a malicious server in multiserver environments. The proposed scheme is secure against various security threats from malicious insider users and registered servers by using ECC-based public keys,[24] a fuzzy extractor,[25,26] and threshold cryptography.[27] The server mutual verification phase strengthens the process of server authorization and provides secure user authentication against a malicious server. Our scheme is also suitable for mobile networks because it performs only XOR, hash, and simple ECC operations. Finally, we prove the validity of mutual authentication and of the session key of the proposed scheme using BAN logic.[28] The rest of the paper is organized as follows. In section 2, we review Moon et al's scheme, followed by its cryptanalysis in section 3. The proposed scheme is presented in section 4, and its security and efficiency are analyzed in section 5. Finally, section 6 concludes the paper.

REVIEW OF MOON ET AL'S SCHEME
In this section, we review Moon et al's authentication scheme. It is composed of four phases: registration, login, authentication, and password updating. Password updating is out of our scope, so we leave it out and introduce only the first three phases here. Table 1

RC stores the authentication parameters < …, H(·) > in a smart card SC_i. Then, RC sends SC_i to U_i via a secure channel.

Login and authentication
1. U_i chooses ID_i and PW_i and imprints biometrics BIO_i; then SC_i computes PWD_i and V*_i using the bio-hash function and compares V*_i with V_i as follows:
2. SC_i generates a random number n_1 and computes K, M_1, M_2, and M_3 as follows:
3. U_i picks up T_1 and computes Z_i = h(X_i||n_1||PWD_i||T_1). Then,
4. S_j retrieves T′ and checks T′ − T_1 ≤ ΔT. If it is true, S_j computes (y_i, n_1, K, ID_i, PWD_i, X_i) using the preshared key PSK and checks the validity of Z_i by comparing it with the recomputed value.
5. S_j generates a random number n_2 and picks up a current timestamp T_2. Then, S_j computes M_4, M_5, and a session key SK_ij as follows: Then, S_j sends the message < M_4, M_5, T_2 > to U_i.
6. U_i retrieves T′ and checks T′ − T_2 ≤ ΔT. If it is true, U_i computes (n_2, M_5, SK_ij) and verifies the validity of the received value against h(ID_i||n_1||n_2||K||T_2) as follows:

CRYPTANALYSIS OF MOON ET AL'S SCHEME
We cryptanalyze the security weaknesses of Moon et al's scheme.[22] Even though Moon et al proclaimed that their scheme withstands several types of attacks by a malicious registered server, we found that their authentication scheme is still insecure. We assume that a registered server can act as an adversary, following the assumption of Moon et al. The capabilities of the adversary are as follows[22,29]:
• The adversary can be either a user or a server. A registered user as well as a registered server can act as an adversary.
• The adversary has total control over the public communication channel. Thus, the adversary can intercept, insert, delete, or modify any message transmitted via a public channel.
• The adversary may steal a user's smart card and extract the information stored in it by analyzing the power consumption of the smart card.

Lack of user anonymity
We assume that a registered server of the system can act as an adversary and try to obtain user information. Such a server is a powerful adversary because it knows PSK and x and can use these values as a starting point to derive other information. Although Moon et al insisted that their scheme provides user anonymity because of the property of the hash function and the encryption by XOR operations, we show that Moon et al's scheme[22] does not provide anonymity against a malicious registered server. The adversary can compute ID_i of U_i as follows.
1. The adversary, who knows the shared secret values PSK and x, intercepts the message. Then, the adversary extracts ID_i as follows:

Impersonation attack
Moon et al insisted that their scheme is strong against impersonation attacks because the adversary cannot generate the messages. But we show that Moon et al's scheme[22] is prone to server impersonation and user impersonation attacks. A malicious registered server can act as a legal user or a server as follows.

Server impersonation attack
1. The adversary, who knows the shared secret values PSK and x, intercepts the messages.
3. The adversary generates a random number n_a and a timestamp T_a, then computes the message {M_4, M_5, T_2} as follows: Then, U_i checks the validity of S_j as follows: Finally, the adversary has successfully deceived U_i as a legal server S_j.

User impersonation attack
1. The adversary, who knows the shared secret values PSK and x, gets the smart card of U_i and extracts Y_i from it.
2. The adversary computes (n_1, ID_i, PWD_i, X_i) as mentioned above.
3. The adversary generates a random number n_a and a timestamp T_a, then computes the login request response message as follows: Then, U_i checks the validity of S_j by comparing Z_a with the computed value h(X_i||n_a||PWD_i||T_a).
6. Finally, the adversary has successfully deceived S_j as a legal user U_i.

Man-in-the-middle attack
Moon et al's scheme is vulnerable to the man-in-the-middle attack once the adversary knows the user's personal data such as n_1, ID_i, and PWD_i. The adversary, who knows the shared secret values PSK and x, can damage the system: it can compute n_1, ID_i, and PWD_i, which are unique values of the user, and can then obtain messages from the communication channel established between the user and the adversary, and between the adversary and the server.

SECURE USER AUTHENTICATION SCHEME WITH NOVEL SERVER MUTUAL VERIFICATION
We propose a biometric-based authentication scheme on ECC, which is secure against a malicious registered server.
RC distributes shares of PSK, using Shamir's secret sharing scheme,[27] to each server that wants to provide services in the network. In the proposed scheme, we use the public key of a server to provide security against the various attacks of an adversary. The proposed scheme comprises six phases: initialization, registration, server mutual verification, login, authentication, and password change. The notations used in the proposed scheme are described in Table 2.

Network model
In order to enhance security and protect the multiserver system against malicious servers, we classify servers into two grades: registered server RS and trusted server TS. We envision a multiserver network consisting of n registered servers without any authority relation or prior trust. The network size may change dynamically as servers join, leave, or fail over time. In reality, it is reasonable to assume that communications are not reliable, since any entity can become unreachable or be turned off at any time. Therefore, it is important to recognize that communications are insecure and potentially prone to error. We assume that compromised servers will eventually exhibit detectable misbehavior; Garcia et al and Mishra et al[30,31] explain in detail how to detect misbehaving nodes or intrusions. Our scheme operates on the assumption that no more than (t − 1) out of n servers are compromised in a given time period, and (t − 1) must be smaller than n/2. The novel network model for multiserver environments is shown in Figure 1. A user can log in only to the trusted servers and not to the registered servers, as illustrated in Figure 1A. A registered server has to pass the server mutual verification phase by receiving K_j from other servers; the registered server then obtains its credentials by reconstructing PSK from the received K_j. The server mutual verification process is illustrated in Figure 1B. Four types of participants take part in the multiserver architecture: user U_i, registered server RS_j, trusted server TS_l, and registration center RC.

FIGURE 1 Novel network model of multiserver environments
• U_i: a user who obtains a smart card from RC and uses it to be authenticated by servers. If a user is verified by TS_l, he/she can obtain mobile services.
• RS_j: a registered server, which receives a secret share from RC. It chooses a private key and publishes the corresponding public key. RS_j does not provide services to users and cannot provide a service to U_i.
• TS_l: a trusted server, which is considered trustworthy. RS_j becomes TS_j by obtaining at least t trusts from other servers. TS_l provides various services to verified users.
• RC: a trusted third party, which generates the system parameters. RC issues smart cards to users and forwards preshared keys to servers.

Initialization phase
RC initializes the system parameters as follows:
1. RC chooses G_1 with an order q.
2. RC chooses P as a generator of G_1.

Registration phase
• Server registration. A server RS_j sends a registration request to RC to register itself. Figure 2 illustrates the server registration phase, which proceeds as follows:
1. RS_j chooses an identity SID_j and a private key s_j ∈ Z*_p, then computes a public key P_j = s_j P and sends a registration request < SID_j, P_j > to RC through a secure channel.
2. RC stores SID_j and P_j in its database.
3. RC generates a secret key PSK ∈ Z*_p. Then, RC determines a random polynomial f(x) = PSK + Σ_{i=1}^{t−1} a_i x^i (mod q).
4. RC computes sid_j = h(SID_j) and the secret share K_j = f(sid_j). Then, RC sends K_j to RS_j through a secure channel.
• User registration. A user U_i registers with RC to take advantage of the services. Figure 3 illustrates the user registration phase, which proceeds as follows:
3. RC computes the parameters as follows:

Server mutual verification
As noted by Moon et al[22] and Reddy et al,[29] servers can act maliciously, and they would then be powerful adversaries in multiserver environments. Therefore, malicious servers should be considered as adversaries when designing a user authentication scheme. We use a threshold scheme based on Shamir's secret sharing[27] as a countermeasure against a malicious server.
A registered server RS_j that has passed the server registration phase may still be untrustworthy; therefore, RS_j should not be allowed to accept users and provide services. RS_j is required to obtain trust from other servers. When RS_j receives trusts (secret shares) from at least t servers through secure channels, RS_j can reconstruct the secret key PSK and become a trusted server TS_j. TS_j is considered trustworthy and is allowed to accept users and provide services to them. The server mutual verification proceeds as follows:
1. RS_j sends verification requests to other servers.
2. The other registered servers RS_j′ (t ≤ |RS_j′| ≤ n, j′ ≠ j) evaluate the suitability of RS_j based on the misbehavior detection methods. If they confirm the suitability of RS_j, proceed to the next step; otherwise, stop the server mutual verification.
3. The servers RS_j′ send their secret shares K_j′ to RS_j through secure channels.
4. RS_j, having received t or more secret shares from the servers RS_j′, reconstructs the polynomial f(x) and computes the secret key PSK as follows:
The secret key PSK can be reconstructed by computing f(0).
5. RS_j, having reconstructed PSK, is considered trustworthy and becomes a trusted server TS_j.
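The following Python program is an added worked example, not code from the paper, covering two points of the scheme: the network-model assumption that at most t − 1 of n servers are compromised with t − 1 < n/2, and the server registration and server mutual verification steps, where RC evaluates f(x) = PSK + Σ a_i x^i (mod q) at sid_j = h(SID_j) to issue shares, and a registered server recovers PSK = f(0) by Lagrange interpolation once it holds t or more shares. The field prime q, the use of SHA-256 as h(·), the server identities, and the PSK value are constructed assumptions for the demonstration; the paper fixes none of them. The example also shows the failure case the text relies on: with fewer than t shares the reconstruction is refused, so RS_j stays a registered server.

```python
import hashlib
import secrets

# Constructed field modulus for the toy demonstration (a Mersenne prime);
# a real deployment would use the group order q chosen by RC.
Q = (1 << 127) - 1


def sid_of(server_id: str) -> int:
    """sid_j = h(SID_j) mapped into Z_q. SHA-256 is an assumed instantiation of h."""
    return int.from_bytes(hashlib.sha256(server_id.encode()).digest(), "big") % Q


def check_threshold(t: int, n: int) -> None:
    """Network-model assumption: at most t-1 of n servers are compromised and t-1 < n/2."""
    if not 1 <= t <= n:
        raise ValueError("threshold t must satisfy 1 <= t <= n")
    if not 2 * (t - 1) < n:
        raise ValueError("t-1 must be smaller than n/2")


def make_polynomial(psk: int, t: int) -> list:
    """f(x) = PSK + a_1 x + ... + a_{t-1} x^{t-1} (mod q); coefficients are random."""
    return [psk % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]


def eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation of f(x) modulo q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def issue_shares(psk: int, t: int, server_ids: list) -> dict:
    """RC side of server registration: K_j = f(sid_j) for every registered server."""
    coeffs = make_polynomial(psk, t)
    return {sid: eval_poly(coeffs, sid_of(sid)) for sid in server_ids}


def reconstruct_psk(shares: dict, t: int) -> int:
    """Server mutual verification step 4: recover PSK = f(0) from t or more shares.

    `shares` maps SID_j' -> K_j' for the servers that vouched for RS_j.
    Fewer than t shares are refused, so RS_j cannot become a trusted server.
    """
    if len(shares) < t:
        raise ValueError("fewer than t shares: RS_j remains untrusted")
    points = [(sid_of(sid), k) for sid, k in list(shares.items())[:t]]
    total = 0
    for j, (xj, yj) in enumerate(points):
        # Lagrange basis polynomial L_j evaluated at x = 0
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = (num * (-xm)) % Q
                den = (den * (xj - xm)) % Q
        total = (total + yj * num * pow(den, Q - 2, Q)) % Q
    return total


def run_demo(n: int = 7, t: int = 3) -> bool:
    """Issue shares to n servers and let one server reconstruct PSK with t vouchers."""
    check_threshold(t, n)
    psk = secrets.randbelow(Q)
    servers = [f"SID_{k}" for k in range(1, n + 1)]  # constructed identities
    shares = issue_shares(psk, t, servers)
    # RS_1 asks for verification; servers 2..t+1 confirm its suitability and send K_j'
    vouchers = {s: shares[s] for s in servers[1:t + 1]}
    return reconstruct_psk(vouchers, t) == psk


if __name__ == "__main__":
    print("PSK reconstructed by RS_1:", run_demo())
```

Any t of the n shares recover the same PSK, and the choice of which servers vouch does not matter, which is what lets the scheme tolerate servers joining and leaving; reconstruction is refused below the threshold, so a single malicious registered server holding only its own K_j learns nothing about PSK.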

Login and authentication phase
U_i and TS_j authenticate each other and generate a session key. Figure 4 illustrates the login and authentication phase, which proceeds as follows:
2. U_i generates a random number a ∈ Z*_p and picks up a timestamp T_1. Then, U_i computes AID_i, X_i, C_i as follows:

U_i sends the login request message
If it is true, TS_j computes D_i, ID_i, C*_i, and checks the validity of C_i by comparing it with C*_i as follows:
5. TS_j generates a random number b ∈ Z*_p and picks up a timestamp T_2. Then, TS_j computes Y_i, J_i, and a session key SK_ij as follows:
U_i then checks the validity of the received J_i by comparing it with J*_i as follows:

FIGURE 4 Login and authentication phase

Password change phase
The password change is performed without the aid of RC. If U_i wants to change the password, he/she inserts his/her smart card and inputs ID_i, PW_i, and B_i. The remaining steps proceed as illustrated in Figure 5, which shows the password change phase.

ANALYSIS
We analyze the security and efficiency of the proposed authentication scheme. We assume that, in practice, not every registered server is an adversary; rather, a specific server that was registered perfunctorily in order to learn PSK for malicious purposes, and that is not open to users, can be one.

Security proof based on BAN Logic
We analyze the mutual authentication and session key of the scheme with BAN logic.[24]
1. Notation. The BAN logic notation used below is given in Table 3.
2. Security goals. The proposed scheme will satisfy the following goals:
3. Idealized scheme. We transform our scheme into the idealized form as follows:
4. Initial premises. We make the following assumptions about the initial state of the scheme:
5. Security analysis of the idealized form of the proposed scheme.
a_1. According to Msg_1, we could get
a_2. According to p_1, we apply the message-meaning rule to obtain
a_3. According to p_6, we apply the freshness-conjuncatenation rule to obtain Then, we apply the nonce-verification rule to obtain
a_4. According to Msg_2, we could get
a_5. According to p_2, we apply the message-meaning rule to obtain
a_6. According to p_5, we apply the freshness-conjuncatenation rule to obtain Then, we apply the nonce-verification rule to obtain
a_7. According to Msg_3, we could get
a_8. According to p_1, we apply the message-meaning rule to obtain
a_9. According to p_6, we apply the freshness-conjuncatenation rule to obtain Then, we apply the nonce-verification rule to obtain
a_10. According to a_9, we apply the BAN logic rule for breaking conjunctions to produce
a_11. According to a_10 and p_7, we apply the jurisdiction rule to produce
a_12. According to a_6, p_2, and SK = h(ID_i, D_i, aY_i, h(ID_i||PSK)), we could obtain
a_13. According to a_12 and p_8, we apply the jurisdiction rule to produce

Security
User anonymity and untraceability. Our scheme never sends the real identity ID_i over public channels. The adversary would need to compute D_i to derive ID_i from AID_i, but cannot obtain D_i because of the difficulty of the ECDLP. An adversary who intercepts the login request message and the login response message could try to trace the user by watching those values; however, all values in the login request and login response messages change in every session. Therefore, our scheme provides user anonymity and untraceability.

Mutual authentication. S_j authenticates U_i by checking Q_i. The adversary would need to compute SK_ij, but only a legal user can compute D_i and K. Similarly, U_i authenticates S_j by checking J_i = h(AID_i||M_i||T_2). The adversary would need to compute M_i, which requires ID_i, PSK, and D_i; however, only the corresponding server S_j can compute D_i using its private key s_j, and ID_i using the computed D_i. Therefore, our scheme provides proper mutual authentication.

Resisting user impersonation attack. An adversary who obtains the smart card SC_i of U_i and tries to access S_j must generate and send a valid login request message {AID_i, X_i, C_i, T_1} to S_j. To compute those values, the adversary needs to know ID_i and compute M_i, but does not know ID_i and PWD_i. Thus, the adversary cannot compute M_i and hence C_i. Therefore, our scheme withstands the user impersonation attack.

Resisting server impersonation attack. The adversary must compute a valid login response message J_i = h(AID_i||M_i||T_2) to masquerade as a server, but cannot compute a valid M_i. Even though a malicious registered server knows PSK, it still cannot compute D_i from X_i because of the difficulty of the ECDLP, and so cannot generate a valid J_i. Therefore, our scheme withstands the server impersonation attack.

Resisting malicious server attack. Servers would be powerful adversaries in multiserver environments because a server can know secret values, such as s_j and PSK, and use them as a starting point to derive other secret information. We classify servers into two groups, registered servers and trusted servers, and give secret shares of PSK to registered servers, which can reconstruct PSK only after successfully performing the server mutual verification phase. Therefore, only trusted servers, which have obtained guarantees from t or more other trusted servers, can know PSK and provide services to users. In addition, the adversary may attempt to compute the identity of a user and masquerade as a user or a server. However, the adversary cannot guess or compute ID_i correctly because he/she cannot obtain B_i and compute PWD_i. The adversary would also need to compute a login request message {AID_i, X_i, C_i, T_1} to masquerade as a user, but cannot obtain ID_i and PWD_i or compute M_i and C_i. Likewise, the adversary would need to compute a login response message {J, Y_i, T_2} to masquerade as a server, but cannot obtain the private key s_j of the other server or compute ID_i, D_i, and M_i. Therefore, unlike Moon et al's scheme, our proposed scheme provides anonymity and withstands user/server impersonation attacks by a malicious server.

Resisting man-in-the-middle attack. An adversary who knows the public channel information between U_i and S_j and has the smart card SC_i could establish a secure channel only if the adversary knew the unique information of U_i, such as ID_i, a, b, D_i, and J_i. However, as mentioned above, the adversary cannot compute those values because of the difficulty of the ECDLP and the one-way hash function. Therefore, our proposal withstands the man-in-the-middle attack.

Resisting off-line ID guessing attack. The adversary may attempt to guess ID_i from V_i and W_i. Suppose the adversary obtains these values and the smart card SC_i. To find ID_i from V_i, the adversary has to guess both ID_i and PWD_i concurrently. The guessing probability, when ID_i consists of n characters and the hash value is 160 bits, is roughly 1/2^(6n+160), which is computationally infeasible.[32] The probability of guessing ID_i using W_i is similar. Therefore, it is infeasible to guess an identity correctly in our scheme.

Resisting off-line password guessing attack. The adversary may attempt to guess PW_i from V_i and W_i. The probability of guessing PW_i from V_i and W_i is the same as above. An adversary who obtains PWD_i is also required to guess PW_i and R_i concurrently, and the probability is the same as above. Therefore, it is infeasible to guess a password correctly.

Resisting stolen smart card attack. An adversary who somehow possesses a valid smart card SC_i of U_i may attempt to obtain authentication credentials. But the adversary gains no advantage because all the parameters are protected with a one-way hash function. The adversary also cannot obtain or compute any login information using SC_i without ID_i and PW_i. At the same time, guessing ID_i and PW_i is impractical, as mentioned above. Therefore, our scheme withstands the stolen smart card attack.

Forward secrecy and session key exposure. The session key SK_ij is computed as h(AID_i||J||D_i||abP||T_2). Although the adversary knows the private key s_j and PSK, he/she cannot compute previous session keys because abP is still impossible to compute, owing to the difficulty of the ECDLP. Likewise, an adversary who somehow obtains the present session key SK_ij cannot compute previous or future session keys, because of the freshness of X_i and Y_i and the difficulty of the ECDLP. Therefore, our scheme provides forward secrecy and withstands session key exposure and the replay attack.

We compare the functionality features of the proposed scheme with previously presented schemes in Table 4. • indicates that the scheme provides the property or is secure against the attack; × indicates that the scheme does not provide the property or is vulnerable to the attack.

Computation overheads
We compare the computation cost in Table 5. T_h denotes the computation time of the hash function; T_H that of the Bio-Hashing function; T_F that of fuzzy extraction; T_Re that of RSA encryption; T_Rd that of RSA decryption; and T_E that of ECC point multiplication. XOR operations are not counted because their cost is negligible compared with T_h. The cost of T_F and T_H is similar to T_h, so we count T_F and T_H as T_h.
The computation cost of the proposed scheme is slightly higher than that of Chuang and Chen, Mishra and Das, Lu et al, and Moon et al[19-22] and similar to that of Guo et al.[23] However, our scheme enhances the security and proposes a novel server mutual verification. ECC operations are broadly used in user authentication schemes for multiserver environments,[16-18,29] and our proposed scheme is therefore considered operationally viable.

Communication overheads
Finally, we compare the communication overheads in Table 6. We assume that an identity is 160 bits, the output of the hash function is 160 bits, a random number is 160 bits, a timestamp is 32 bits, an elliptic curve point requires 320 bits, and an RSA ciphertext requires 1024 bits. During the login and authentication phase, three messages are exchanged. They need (160 + 320 + 160 + 32) = 672 bits, (160 + 320 + 32) = 512 bits, and (160 + 32) = 192 bits, respectively. The total communication overhead is (672 + 512 + 192) = 1376 bits. It is efficient compared with Guo et al[23] and comparable with the other schemes.

CONCLUSIONS
Several multifactor user authentication schemes using smart cards and biometrics have been proposed in the last few years. Those schemes were extended to multiserver environments to overcome the limitations of single-server environments and to provide better security functionalities and mobile services. Unfortunately, most of them could not provide secure authentication and suffer from various attacks. Users and servers should verify each other's legitimacy to ensure authorization and secure communication.
This paper showed the security flaws of Moon et al's scheme. We noted that their scheme is vulnerable to attempts by a registered server to obtain users' secret information using its credentials. Moon et al's scheme suffers from lack of privacy, impersonation attack, session key exposure, and man-in-the-middle attack. We proposed a secure user authentication scheme with novel server mutual verification that offers better security functionality than Moon et al's. Our scheme provides the server mutual verification phase to strengthen the process of server authorization and to provide secure authentication against a malicious server. In addition, the proposed scheme provides a dynamic identity mechanism and withstands various attacks by a malicious server. For future work, we plan to apply server mutual verification to other user authentication schemes in multiserver environments and to improve their security against malicious servers.