In this section, informal and formal security analyses of the proposed scheme are presented. The analysis shows that the scheme resists the attacks considered below.
Informal security
This subsection gives an informal security analysis of the contributed protocol.
Correct notion of user anonymity
Several authentication schemes for the multi-server environment are designed so that the server cannot learn the identity of the user requesting login at all. In our view such a notion of perfect anonymity is mistaken and undesirable in any environment: if the server cannot determine who the user is, it cannot provide that user's specific services, and a user could keep consuming the provider's services even without being registered to the network or after the lease has expired. In the proposed protocol the user therefore never sends \(ID_u\) in the clear; each authentication request to \(S_j\) carries a dynamic pseudo-identity \(PID_u\) instead, and \(ID_u\) can be recovered from it only with the server's private key \(s\). Moreover, by comparing two different sessions an adversary cannot tell whether the same user initiated both. In this way the protocol provides user anonymity towards outsiders together with untraceability, while the server can still identify the user it is serving.
Replay attack
In a replay attack, previously captured messages are resent unchanged in order to deceive a legitimate party [31,32,33,34]. An adversary can capture the parameters \(\{PID_u, DID_u, O_p, Q_{uj}, T_u, V_j\}\) from the open channel and resend them in an attempt to pass as the legitimate member. This does not succeed, because the values \(C_u\) and \(D_j\) are freshly generated by the legitimate participants for every session. If the adversary replays \(M_1 = \{PID_u, DID_u, O_p\}\) to the server, the server checks the user through \(M_3\), the reply to its challenge based on the fresh \(D_j\), which a replayed message cannot answer. Symmetrically, the legitimate user validates \(S_j\) through \(M_2\), the response to the challenge \(C_u\) carried in \(M_1\). Hence the contributed protocol thwarts replay attacks.
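The challenge-response argument above, as an added example that is not part of the paper: an abstract model of the \(M_1/M_2/M_3\) exchange in which the protocol's ECC-based values are replaced, by assumption, with random nonces \(C_u\), \(D_j\) and HMAC-SHA256 tags keyed with the per-user secret \(X_u\); the names \(T_u\), \(V_j\) and the session-key layout \(h(ID_u \Vert C_u \Vert D_j \Vert X_u \Vert ID_j)\) follow the page, but the concrete construction is this example's own. It shows an honest run and two replays, one of a recorded \(M_1\)/\(M_3\) against the server and one of a recorded \(M_2\) against the user.

```python
"""Added example (not the paper's code): replay check in a challenge-response
exchange. Assumptions introduced here: C_u and D_j are 16-byte random nonces
standing in for the ECC points, X_u is a shared HMAC key, and the tags T_u and
V_j are HMAC-SHA256 values over the session nonces."""
import hashlib
import hmac
import secrets


def tag(key: bytes, *parts: bytes) -> bytes:
    """Authentication value over the given parts (stand-in for the ECC values)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def session_key(id_u: bytes, c_u: bytes, d_j: bytes, x_u: bytes, id_j: bytes) -> bytes:
    """Mirrors SK_uj = h(ID_u || C_u P || D_j || X_u || ID_j), with nonces for points."""
    return hashlib.sha256(b"|".join([id_u, c_u, d_j, x_u, id_j])).digest()


class User:
    def __init__(self, id_u: bytes, x_u: bytes):
        self.id_u, self.x_u, self.c_u, self.sk = id_u, x_u, None, None

    def m1(self) -> dict:
        self.c_u = secrets.token_bytes(16)           # fresh challenge C_u for this session
        return {"ID_u": self.id_u, "C_u": self.c_u}

    def m3(self, m2: dict):
        """Check the server's answer to C_u; on success answer the D_j challenge."""
        expected = tag(self.x_u, b"S", self.c_u, m2["D_j"], m2["ID_j"])
        if not hmac.compare_digest(expected, m2["V_j"]):
            return None                              # stale or forged M_2: abort
        self.sk = session_key(self.id_u, self.c_u, m2["D_j"], self.x_u, m2["ID_j"])
        return {"ID_u": self.id_u, "T_u": tag(self.x_u, b"U", self.c_u, m2["D_j"])}


class Server:
    def __init__(self, id_j: bytes, users: dict):
        self.id_j, self.users, self.pending, self.sk = id_j, users, {}, None

    def m2(self, m1: dict) -> dict:
        d_j = secrets.token_bytes(16)                # fresh challenge D_j for this session
        self.pending[m1["ID_u"]] = (m1["C_u"], d_j)  # remember what this session must answer
        x_u = self.users[m1["ID_u"]]
        return {"ID_j": self.id_j, "D_j": d_j,
                "V_j": tag(x_u, b"S", m1["C_u"], d_j, self.id_j)}

    def verify_m3(self, m3: dict) -> bool:
        """Accept only a response bound to the challenge issued in *this* session."""
        entry = self.pending.pop(m3["ID_u"], None)
        if entry is None:
            return False                             # no open session for this user
        c_u, d_j = entry
        x_u = self.users[m3["ID_u"]]
        if not hmac.compare_digest(tag(x_u, b"U", c_u, d_j), m3["T_u"]):
            return False
        self.sk = session_key(m3["ID_u"], c_u, d_j, x_u, self.id_j)
        return True


def run() -> dict:
    x_u = secrets.token_bytes(32)                    # constructed shared secret X_u
    user, server = User(b"alice", x_u), Server(b"S_j", {b"alice": x_u})

    # Honest session; the adversary records the whole transcript.
    m1 = user.m1()
    m2 = server.m2(m1)
    m3 = user.m3(m2)
    honest = server.verify_m3(m3) and user.sk == server.sk

    # Replay 1: recorded M_1 and M_3 against the server. The server issues a
    # fresh D_j, so the recorded T_u no longer answers the current challenge.
    server.m2(m1)
    replay_m3 = server.verify_m3(m3)

    # Replay 2: recorded M_2 against the user, who has since chosen a fresh C_u.
    user.m1()
    replay_m2 = user.m3(m2) is not None
    return {"honest": honest, "replay_m3": replay_m3, "replay_m2": replay_m2}


if __name__ == "__main__":
    print(run())
```

The two replays fail for the same reason the text gives: every acceptance check is computed over the challenge of the current session, so a message recorded under an earlier \(C_u\) or \(D_j\) cannot pass it.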
Stolen smart card attack with offline dictionary
In a stolen smart card attack with an offline dictionary, the attacker tries candidate passwords from a dictionary against the credentials read from the stolen smart card [35,36,37]. Here the attacker may try to exploit the parameters available on the card, i.e. \(h(\cdot)\), \(Y_u\) and \(F_u\). To recover \(PW_u\) from \(Y_u\) and \(F_u\), the adversary would have to know \(ID_u\), \(a\) and \(B_u\) in order to test candidate passwords against \(TW = h(a \oplus h(B_u \Vert PW_u))\); without these values no password guess can be verified. Consequently the attack cannot be mounted in polynomial time from the smart card contents alone.
Known-key security
Known-key security means that the exposure of one session key does not compromise the long-term secrets or the keys of other sessions [38, 39]. The session key \(SK_{uj} = h(ID_u \Vert C_uP \Vert D_j \Vert X_u \Vert ID_j)\) is a one-way hash that does not take the password \(PW_u\) of \(U_u\) as an input, and its components \(C_u\) and \(D_j\) are fresh in every session. An adversary holding one session key therefore learns neither the password nor the inputs needed to derive any other session key. Hence the contributed protocol offers known-key security.
Mutual authentication
Mutual authentication is provided by the enhanced scheme because each legitimate participant verifies the other: the user checks \(S_j\) through \(M_2\) and the server checks the user through \(M_3\), so both sides are authenticated before the session key is used. This property also gives early detection of attacks such as replay, since a message that does not answer the current challenge is rejected immediately.
Masquerading attack
In a key-compromise impersonation (masquerading) attack, an attacker who has obtained one participant's key for the current session tries to masquerade as the other participant of that session. Unlike the scheme of [23], the contributed protocol is immune to this threat: the contents of a stolen card do not help the attacker to derive further constructive parameters such as \(X_u\). Without \(X_u\) the attacker cannot compute a fresh, valid \(Q_{uj}\), and consequently the impersonation attack cannot be initiated.
Stolen verifier attack
In a stolen verifier attack the adversary misuses verification data stored at the server's side, such as users' passwords or other password-derived values, to masquerade as legitimate users. The contributed protocol achieves mutual authentication without maintaining any such repository at \(S_j\) or at the RC, so there is no verifier table to steal. This shows that our scheme withstands the stolen verifier attack.
Password guessing attack
A password guessing attack would be applicable if the parameters \(\{PID_u, DID_u, O_p, Q_{uj}, T_u, V_j\}\) captured from the open channel allowed an adversary to test password guesses. They do not: the password is not used as an input in the computation of any transmitted content, so none of these values can serve as a verifier for a guessed password.
Modification attacks
In a modification attack the adversary alters captured parameters and submits them to the intended party. The scheme is designed to resist this threat. If the adversary modifies the public contents \(\{PID_u, DID_u, O_p, Q_{uj}, T_u, V_j\}\), it cannot reassemble the parameters \(\{PID_u, DID_u, O_p\}\) with new session random values, because assembling them requires the secret key and \(X_u\), which only the legitimate members know. Consequently the legitimate member can detect a tampering party easily, and the enhanced scheme resists this attack.
Formal security analysis
This section describes the security model for the presented protocol and, using that model, proves the protocol secure against the attacks the model captures. It is then argued that the proposed protocol fulfils all the security requirements set out for it.
Theorem THM1
Let \(D\) be a uniformly distributed dictionary of the possible passwords and let \(|D|\) denote its size. Let A be an adversary against the semantic security of the protocol running within time bound t. If the ECCDH problem is hard, then
$$\begin{aligned}A_{\Pi ,D}(A) &\le \frac{(q_{hsh}+q_{exe})^2 }{2p}+\frac{q^2_{hsh}}{p}\\&\quad +\frac{q_{hsh}}{p}+{q_{hsh}A^{ECCDH}_{\Pi }(A)}\\&\quad +\frac{q_{hsh}}{p}+\frac{q^2_{snd}}{|D|}. \end{aligned}$$
(1)
where \(A^{ECCDH}_{\Pi}(A)\) denotes the probability that A solves the ECCDH problem, and \(q_{exe}\), \(q_{hsh}\) and \(q_{snd}\) denote the numbers of Execute, random-oracle (hash) and Send queries, respectively.
Proof
To prove Theorem THM1 we consider a sequence of six games \(G_1\) to \(G_6\). The sequence starts with the game that simulates the real attack and ends with a game in which the adversary A has no advantage. For each game \(G_i\), \(1 \le i \le 6\), \(Suc_i\) denotes the event that A correctly guesses the random bit b of the Test query.
- GAME \(G_1\): This game simulates the real attack in the random oracle model. In \(G_1\) every instance of \(U_u\), \(S_j\) and RC is modeled as an honest execution. By the definition of \(Suc_1\) and of the semantic-security advantage, we have
$$\begin{aligned} A_{\Pi ,D}(A)=2Pr(Suc1)-1. \end{aligned}$$
(2)
- GAME \(G_2\): In \(G_2\) the hash oracle h and the Execute, Corrupt, Reveal, Send and Test oracles are simulated. The hash oracle is simulated by maintaining a list \(h_{list}\) of (input, output) pairs: a hash query whose input already appears in \(h_{list}\) is answered with the recorded output; otherwise a uniformly random value is drawn from the hash output space, recorded in \(h_{list}\) and returned. The Corrupt, Reveal, Send and Test queries are answered as in the real attack, and the threat model specifies the exact behaviour of each of these queries. This simulation is perfectly indistinguishable from the real attack, so
$$\begin{aligned} Pr(Suc2)=Pr(Suc1). \end{aligned}$$
(3)
- GAME \(G_3\): This game runs in the random oracle model exactly as \(G_2\), except that it aborts whenever a collision occurs among the outputs of the hash queries asked by the adversary A, or among the transcripts (ciphertexts, passwords and outputs of Send queries) of the simulated sessions. By the birthday bound, the probability of a collision among the \(q_{hsh}+q_{exe}\) hash evaluations of the simulation is at most \(\frac{(q_{hsh}+q_{exe})^2}{2p}\); adding the term \(\frac{q_{exe}}{2p}\) charged for collisions in the transcripts, we obtain
$$\begin{aligned} |Pr(Suc3)- Pr(Suc2)| \le \frac{(q_{hsh}+q_{exe})^2}{2p}+ \frac{q_{exe}}{2p}. \end{aligned}$$
(4)
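The hash-oracle simulation of games \(G_2\) and \(G_3\), as an added example that is not part of the paper: a lazily sampled oracle with the proof's \(h_{list}\), the abort on an output collision, and an empirical check of the birthday term \(\frac{(q_{hsh}+q_{exe})^2}{2p}\). By assumption \(h(\cdot)\) maps into \(\mathbb{Z}_p\) for a deliberately small \(p\) so that collisions are observable, and each Execute query is charged as one hash evaluation on a fresh input.

```python
"""Added example (not from the paper): random-oracle simulation with the
collision abort of game G_3. Assumptions introduced here: outputs are
uniform in Z_p for a small p, and every query (adversary hash query or
Execute transcript) evaluates h on a distinct fresh input."""
import random


class RandomOracle:
    """Lazily sampled h(.): repeated inputs are answered from h_list."""

    def __init__(self, p: int, rng: random.Random):
        self.p, self.rng = p, rng
        self.h_list = {}          # the proof's h_list of (input, output) pairs
        self.outputs = set()      # outputs issued so far, to detect collisions
        self.queries = 0          # number of hash queries answered
        self.collided = False     # becomes True at the point where G_3 aborts

    def query(self, x: bytes) -> int:
        self.queries += 1
        if x in self.h_list:                      # existing (input, output) entry
            return self.h_list[x]
        y = self.rng.randrange(self.p)            # fresh uniformly random output
        if y in self.outputs:                     # collision: G_3 would abort here
            self.collided = True
        self.outputs.add(y)
        self.h_list[x] = y
        return y


def make_oracle(p: int, seed: int) -> RandomOracle:
    """Oracle with a seeded generator, so runs are reproducible."""
    return RandomOracle(p, random.Random(seed))


def collision_bound(q_hsh: int, q_exe: int, p: int) -> float:
    """The birthday term (q_hsh + q_exe)^2 / (2p) charged in game G_3."""
    return (q_hsh + q_exe) ** 2 / (2 * p)


def estimate_abort_probability(p: int, q_hsh: int, q_exe: int,
                               trials: int, seed: int = 0) -> float:
    """Empirical Pr[G_3 aborts]: q_hsh adversary queries plus q_exe Execute
    transcripts, each evaluating h once on a distinct input."""
    rng = random.Random(seed)
    aborts = 0
    for t in range(trials):
        h = RandomOracle(p, rng)
        for i in range(q_hsh + q_exe):
            h.query(f"{t}:{i}".encode())
        aborts += h.collided
    return aborts / trials


if __name__ == "__main__":
    p, q_hsh, q_exe = 1000, 20, 10
    print("bound   :", collision_bound(q_hsh, q_exe, p))
    print("observed:", estimate_abort_probability(p, q_hsh, q_exe, 2000))
```

With \(p = 1000\) and thirty evaluations the bound is 0.45 while the observed abort rate is roughly 0.35, i.e. the birthday term is loose but never exceeded; in the proof \(p\) is the group order, so the same term is negligible.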
- GAME \(G_4\): This game runs as \(G_3\), but aborts if the adversary A produces the correct authentication value (i.e. guesses \(X_u\)) without having asked the hash oracle h. It is identical to the previous games except that the instances \(\Pi^i_U\) and \(\Pi^j_S\) now reject an authentication value that was not obtained through the oracle. The probability of this event is at most \(\frac{q_{hsh}}{p}\), so from \(G_4\) we get
$$\begin{aligned} |Pr(Suc4)- Pr(Suc3)| \le \frac{q_{hsh}}{p}. \end{aligned}$$
(5)
- GAME \(G_5\): This game aborts if the adversary guesses the session key directly without querying the hash oracle h. The session key is thereby made independent of \(\{PW_u, B_u\}\), of the session random numbers and of the point multiplications involving \(C_u\), \(D_j\) and \(P\); the game also aborts when A queries the hash oracle on the common value \(X_u\). If A does submit the correct value, an algorithm can pick that query among the at most \(q_{hsh}\) hash queries and thereby solve the ECCDH instance, so \(A^{ECCDH}_{\Pi}(A) \ge \frac{1}{q_{hsh}}|Pr(Suc5)- Pr(Suc4)|-\frac{1}{p}\), that is,
$$\begin{aligned} |Pr(Suc5)- Pr(Suc4)| \le q_{hsh}A^{ECCDH}_{\Pi }(A)+\frac{q_{hsh}}{p}. \end{aligned}$$
(6)
- GAME \(G_6\): This game runs as \(G_5\), except for the rule followed in the Test query: the game aborts when A queries the hash oracle on the value formed from \(C_u\), \(D_j\) and \(P\) that determines the session key. The chance that A obtains the correct session key through its hash queries is at most \(\frac{q^2_{hsh}}{2p}\). Thus, we have
$$\begin{aligned} |Pr(Suc6)- Pr(Suc5)| \le \frac{q^2_{hsh}}{2p}. \end{aligned}$$
(7)
As long as A does not submit the correct value to the random oracle h, the oracle's answers are indistinguishable from those of the real attack, so A has no advantage in telling the real session key from a random one and \(Pr(Suc6) = \frac{1}{2}\). Furthermore, at most two of the three forms of the Corrupt query can be issued against the same instance: if the smart card corrupt query \((\Pi^i_U, 3)\) and the biometric corrupt query \((\Pi^i_U, 4)\) have been made, the password corrupt query \((\Pi^i_U, 2)\) cannot be made. This is why the success probability of the off-line password guessing attack is bounded by \(\frac{q^2_{snd}}{|D|}\). Combining the bounds of games \(G_1\) to \(G_6\) yields
$$\begin{aligned}A_{\Pi ,D}(A)&\le \frac{(q_{hsh}+q_{exe})^2}{2p}+\frac{q^2_{hsh}}{p}\\&\quad +\frac{q_{hsh}}{p}+q_{hsh}A^{ECCDH}_{\Pi }(A) \\&\quad +\frac{q_{hsh}}{p}+\frac{q^2_{snd}}{|D|}. \end{aligned}$$
(8)
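The step from the individual game bounds to the final inequality, written out as an added derivation that is not part of the paper's text: the differences in (3) to (7) are chained with the triangle inequality, and \(Pr(Suc6) = \frac{1}{2}\) is substituted into (2).

$$\begin{aligned}
|Pr(Suc1) - Pr(Suc6)| &\le \sum_{i=1}^{5} |Pr(Suc_{i+1}) - Pr(Suc_i)| \\
&\le \frac{(q_{hsh}+q_{exe})^2}{2p} + \frac{q_{exe}}{2p} + \frac{q_{hsh}}{p} + q_{hsh}A^{ECCDH}_{\Pi}(A) + \frac{q_{hsh}}{p} + \frac{q^2_{hsh}}{2p}, \\
A_{\Pi,D}(A) &= 2Pr(Suc1) - 1 = 2\,\bigl(Pr(Suc1) - Pr(Suc6)\bigr) \le 2\,|Pr(Suc1) - Pr(Suc6)|.
\end{aligned}$$

The paper collects these terms, together with the off-line guessing term \(\frac{q^2_{snd}}{|D|}\) that accounts for the restricted Corrupt queries, into the bound (8); every term is a polynomial in the query counts divided by the group order \(p\) or the dictionary size \(|D|\), except the one proportional to \(A^{ECCDH}_{\Pi}(A)\), which is negligible by the ECCDH assumption.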