
An Energy Efficient Remote User Authentication Scheme Preserving User Anonymity

The document presents an improved energy-efficient remote user authentication scheme that addresses the vulnerabilities of a previously proposed scheme by C.G. MA et al., which fails to preserve user anonymity and is susceptible to various attacks. The authors highlight the weaknesses of the earlier scheme, including offline password guessing and stolen verifier attacks, and propose a more secure, lightweight, and energy-efficient alternative. The paper concludes with a performance comparison of their scheme against related authentication methods.

Uploaded by

RAVISH D K

An Energy Efficient Remote User Authentication Scheme Preserving User Anonymity

Surekha Bapana, Asst Professor, CSE, NBKRIST, Nellore-524413, A.P, suri.bapana@gmail.com
K. Lakshmi Narayana, Asst Professor, CSE, SITAMS, Chittoor, A.P -517127, kodavali.lakshmi@gmail.com
Chandra Sekhar Vorugunti, Dhirubhai Ambani Institute of ICT, Gandhinagar, Gujarat, 382007, vorugunti_chandra_sekhar@daiict.ac.in

Abstract— The Internet of Things (IoT) is an interconnection of devices that are heterogeneous in their computational, communication and energy capabilities, over the public, insecure communication channel called the Internet. Through advances in mobile and communication technologies, users can connect to remote servers ubiquitously through a 'thing' or device that is part of the IoT. The insecure nature of the Internet and the resource-constrained nature of the devices or things that are part of the IoT demand remote user authentication protocols that are extremely secure, lightweight and energy efficient. In this context, C.G MA et al. proposed a new dynamic ID based authentication scheme. In this manuscript we illustrate that the C.G MA et al. scheme cannot preserve user anonymity under their hypothesis and is susceptible to the stolen verifier attack. In addition, we confirm that their scheme is heavyweight and needs more energy. We then present our improved scheme, a generalized one, which is secure, lightweight and energy efficient, while protecting the merits of different dynamic identity based authentication schemes.

Keywords—Energy Efficient computing, Authentication protocol, User Anonymity, Dynamic ID, Smart Card, Remote user authentication.

I. INTRODUCTION
Accessing server resources securely through open, insecure communication networks is one of the common scenarios in client-server applications. The primary requirement in these scenarios is to authenticate the remote user, that is, to establish whether a valid smart card holder has the rights and privileges to access the server resources. To solve this problem, many researchers have proposed remote user authentication schemes with smart cards [1-7,11-19] to authenticate a legitimate user, but none of them can address all possible security problems and withstand all possible attacks [1,3-5,9,14-19,21]. In addition, most of the schemes proposed [13, 17, 18] do not preserve user anonymity. Most of the proposed schemes assume that the smart card is tamper resistant, i.e., that it is not possible to extract the protected software and user-specific data from smart card processors. Some schemes [8,9,10] have shown that the secret data stored in the smart card can be extracted by means such as microprobing, software attacks, eavesdropping, fault generation and monitoring the power consumption. These attacks make clear that the adversary can tamper with and extract the data from tamper-resistant smart cards.

In 2011 Sood et al. [2] showed that the Wang et al. [1] scheme is vulnerable to the impersonation attack, the stolen smart card attack and the offline password guessing attack, proposed an improved scheme, and claimed that their scheme is efficient and can overcome all the identified security drawbacks of Wang et al.'s scheme even if the data stored in the smart card is leaked. In 2012 C.G MA et al. [3] showed that the Sood et al. [2] scheme still cannot preserve user anonymity and is also vulnerable to the offline password guessing attack and the stolen verifier attack, and proposed an improved scheme. In this paper we show that the C.G MA et al. [3] scheme still cannot preserve user anonymity under their assumption and is still vulnerable to the stolen verifier attack.

The remainder of this paper is organized as follows: In section 2, we briefly review the C.G MA et al. [3] authentication scheme. Section 3 describes the weaknesses of the C.G MA et al. scheme. In section 4, our improved scheme is presented, and its security analysis is discussed in section 5. The comparison of the performance of our scheme with other related schemes is shown in section 6, and section 7 concludes the paper.

II. ASSESSMENT OF CHUN-GUANG MA ET AL. SCHEME
In this section, we examine the improved authentication scheme proposed by C.G MA et al. [3] in 2012. The scheme is composed of four phases: the registration phase, the login phase, the verification and session key agreement phase, and the password alter stage. The notations used in the C.G MA et al. [3] scheme are listed below:

Ui: The user trying to access the remote server resources
IDi: The identity of Ui
Pi: The password of Ui
S: The remote server or system
X: The secret key of S
yi: Secret number of the system, stored in the smart card of each registered user Ui
⊕: The exclusive-OR (XOR) operation
||: String concatenation operator
A*: 'A' calculated value
x1, x2: Secret keys of server S
bi: Random number chosen by user Ui

Registration Phase
The server S performs the following operations in the registration phase.
R1. Produce two large prime numbers p and q. Compute n = p.q.
R2. Pick prime numbers e, d such that e.d = 1 mod (p-1)(q-1).
R3. S makes e, n public and keeps p, q, d known only to server S.
R4. Server S authenticates itself to the user Uu using its public key certificate. Uu generates the session key SS and encrypts it with the public key (PK) of the server as (SS)PK.
R5. Ui->S: (SS)PK, (IDi)SS, (Pi)SS.
R6. On receipt of the registration communication from Uu, S decrypts the session key (SS) using its public key (PK) and decrypts (IDu)SS, (Pu)SS using the session key.

978-1-4799-6629-5/14/$31.00 ©2014 IEEE
R7. The server picks an arbitrary value yu and frames Nu = h(IDu||Pu)⊕h(d), Au = h(Pu||IDu)⊕h(yu), Bu = yu⊕IDu⊕Pu, Du = h(h(IDu||yu)⊕d). S chooses yu for each user so that Du is unique for each user. The server S stores yu⊕h(h(d)||d) and IDu⊕h(d||yu) corresponding to each Du in the database.
R8. S issues a smart card containing (Nu, Au, Bu, n, e, h(.)) to user Uu over a secure communication channel.

Login Stage
When user Uu tries to log in to the system, the following operations are performed.
L1. Uu inserts his/her smart card into the card reader and inputs IDu* and Pu*.
L2. The smart card computes yu* = Bu⊕IDu*⊕Pu*, uses yu* to compute Au* = h(Pu*||IDu*)⊕h(yu*), and checks whether the computed Au* equals the cached Au. If both are equal, the smart card proceeds by choosing a random number Ru and computes h(d) = Nu⊕h(IDu||Pu). S frames CIDu = h(IDu||yu)⊕h(h(d)||Ru||T), Cu = Ru^e mod n, and Mu = h(IDu||h(d)||yu||T||Ru), where T is the current date and time. Otherwise, the session is terminated.
L3. Ui->S: {CIDu, Cu, Mu, T}.

Verification and Session Agreement Stage
Once the login request is received from user Uu, the server S performs the following operations.
A1. Server S checks the validity of the time interval by checking (T'-T) <= Δt, where T' is the date and time at which the request is received by server S and Δt is the accepted time interval. The server S decrypts the arbitrary number Ru from Cu using its private key d. Using Ru, it computes Du* = h(CIDu⊕h(h(d)||Ru||T)⊕d) and finds the corresponding row for Du*. The server S then computes yu from yu⊕h(h(d)||d) and IDu from IDu⊕h(d||yu), as the server knows the value of d.
A2. The server S computes Mu* = h(IDu||h(d)||yu||T||Ru) and compares the computed Mu* with the received Mu. If both are equal, the server S authenticates the user Uu and the connection is established; otherwise the connection is ended.
A3. The user Uu and the server S agree on the common session key SK = h(h(d)||IDu||T||yu). The subsequent data transmitted between the user Uu and S is encrypted with SK.

III. CRYPTANALYSIS OF C.G MA ET AL. SCHEME
In this section, we show that the Chun-Guang MA et al. scheme cannot restrain any of the attacks that they claim their scheme blocks, and that it is still unsafe against various major attacks, as examined below.

3.1 Revealing of Secret Key of Server to Legal User
A legal user Uu who has legitimate access to the system can obtain the secret data cached in his smart card by some means [8, 9,10] and can then acquire the private key h(d) of server S as follows. Once Uu has extracted Nu, where Nu = h(IDu||Pu)⊕h(d), and since Uu already knows his identity IDu and password Pu, Uu can obtain h(d) = Nu⊕h(IDu||Pu). Similarly, Uu can derive the value yu assigned to him by the server as follows: yu = Bu⊕IDu⊕Pu.

3.2 Fails to Resist Stolen Verifier Attack
In this type of attack, as discussed in [3,19], if a malicious legal user Uu steals the verification table or gains access to it, Uu can find the secret values corresponding to the users of the system. In the C.G. MA et al. [3] scheme, server S stores yu⊕h(h(d)||d) and IDu⊕h(d||yu) corresponding to each Du in the database, where Du = h(h(IDu||yu)⊕d) and S chooses yu for each user so that Du is unique for each user, where u = 1,2,…,n. The value yu⊕h(h(d)||d) contains yu and h(h(d)||d), of which h(h(d)||d) is the same for all users. As discussed in 3.1, Uu can get yu from the values stored in his smart card and can extract h(h(d)||d) from yu⊕h(h(d)||d) as h(h(d)||d) = (yu⊕h(h(d)||d))⊕yu (Uu knows his yu). Having obtained h(h(d)||d), which is the same for all users, the malicious legal user can get the yk value of any legal user Uk by computing Fk⊕h(h(d)||d) = yk, where Fk = yk⊕h(h(d)||d). In this fashion, a legal user can get the yi values of all users in the system and use those values for further cryptanalysis.

3.3 Fails to Resist Offline Password Guessing Attack
An attacker or opponent E who is a legal insider, having obtained the yi values of all the users as discussed in 3.2, can get the password Pu and the identity IDu of Uu as follows. Assume that E has had the smart card of a legal user Uu for a while or has stolen it. E will get Nu, Au, Bu, where Nu = h(IDu||Pu)⊕h(d), Au = h(Pu||IDu)⊕h(yu), Bu = yu⊕IDu⊕Pu. E can perform the following steps:
Step 1: Frame Au = h(Pu||Bu⊕yu⊕Pu)⊕h(yu), from Bu⊕yu⊕Pu = IDu.
Step 2: Guess a password Pu* from a uniformly distributed dictionary, compute Au* = h(Pu*||Bu⊕yu⊕Pu*)⊕h(yu) and check whether Au* = Au. If yes, the correct password is Pu*; otherwise E reruns step 2. After getting the correct Pu of Uu, E can get IDu from Bu as follows: IDu = Bu⊕yu⊕Pu. So a legal user, by getting the verifier table and the smart card of user Uu, can get yu, Pu and IDu.

3.4 Fails to Resist User Impersonation Attack
An attacker E who is a legal user can impersonate another legal user Uu of server S as follows, after capturing Uu's login request message, i.e., {CIDu, Cu, Mu, T}. Whenever E wants to impersonate Uu, E can send a counterfeit login request message CIDu*, Cu*, Mu* to S, where CIDu* = h(IDu||yu)⊕h(h(d)||Ru1||T*), Cu* = Ru1^e mod n and Mu* = h(IDu||h(d)||yu||T*||Ru1). With a suitable T*, the login request will clear step A1 of S. The only value the attacker needs to pay attention to is T. E can find out a valid T by eavesdropping on the communication between Uu and S.

3.5 Fails to Resist Server Masquerading Attack
To masquerade as remote server S, an attacker E must be able to frame, encrypt and decrypt the messages with the session key between Uu and S. Once the attacker E has captured the login message {CIDu, Cu, Mu, T}, E can work out all the critical values of a legal user Ui as mentioned above. E can frame the session key SK = h(h(d)||IDu||T||yu||Ru) shared between Ui and S, as E knows all the values required to frame SK. Hence, C.G MA et al.'s scheme is defenseless against the server masquerading attack.
As examined above, the C.G MA et al. scheme is defenseless against the offline password guessing attack, the user impersonation attack and the server masquerade attack; therefore the C.G MA et al. scheme fails to provide strong mutual authentication between the user Ui and the remote server S.

3.6 Fails to Resist Framing of the Session Key by Adversary
One of the biggest drawbacks of the C.G MA et al. scheme is that the attacker can frame the session key between a legal user Uu and server S. In the C.G MA et al. scheme, the session key is SK = h(h(d)||IDu||T||yu||Ru). As discussed above, the attacker E can obtain all the parameters, i.e., h(d), IDu, T, yu, Ru, and can frame the session key. Therefore, in the C.G MA et al. scheme the attacker can frame the current and past session keys framed between Uu and S. Hence, the C.G MA et al. scheme fails to provide perfect forward secrecy. Therefore, the fundamental requirement of a secure authentication protocol is not satisfied in the C.G MA et al. scheme.

IV. OUR IMPROVED SCHEME
In this section we present our enhanced scheme over the C.G MA et al. [3] scheme as a remedy for the security failings mentioned above, while protecting their merits. The proposed scheme is divided into four phases: the registration, login, authentication, and password change phases. The password change phase is similar to that of the C.G MA et al. scheme.

4.1 Registration Stage
This phase is invoked whenever a user Ui wants to register for the first time with the remote server S. The following steps are performed.
R1. Server S authenticates itself to the user Ui using its public key certificate. The user Ui picks his identity IDi, password Pi, and a random number bi. Then Ui produces the session key (SS) and encrypts it with the public key (PK) of the server S as (SS)PK.
R2. Ui-->S: (SS)PK, (IDi)SS, (Pi)SS, (bi)SS.
R3. On receipt of the registration message from Ui, the server S decrypts the session key (SS) using its private key. Subsequently, the server S decrypts the identity (IDi)SS, password (Pi)SS and the arbitrary number (bi)SS. The server S computes Ni = h(IDi||Pi||bi)⊕(yi||x1), Ai = h(Pi||bi||IDi)⊕(bi||yi||x2), Bi = h(bi||IDi||Pi)⊕(yi||x2), where x1, x2 are the two secret keys of server S and yi is the secret value chosen by server S for each user Ui such that any combination of x1, x2, yi, i.e., (x1||yi), (x2||yi), (yi||x1) and (yi||x2), is unique for each user Ui. The server stores (bi||yi)⊕h(x1||x2) and (IDi||yi)⊕h(x2||x1) corresponding to h(IDi||yi||x1||bi||T) in its database.
R4. S->Ui: a smart card containing (Ni, Ai, Bi, h(.)), delivered to the user Ui over a secure communication channel.

4.2 Login Stage
Whenever user Ui wants to log in to the remote server S, he inserts his smart card into the terminal and submits his IDi, Pi and bi. Then the smart card performs the following tasks.
L1. The smart card computes (yi||x2) = Bi⊕h(bi||IDi||Pi), and concatenates bi and (yi||x2) to get (bi||yi||x2). It calculates Ai using (bi||yi||x2), i.e., Ai* = h(Pi||bi||IDi)⊕(bi||yi||x2). The smart card checks Ai* = Ai, i.e., Ai computed = Ai received. If both are equal, the user is authenticated and the smart card continues by computing (yi||x1) = Ni⊕h(IDi||Pi||bi), concatenating (yi||x1) and bi to get (yi||x1||bi), and computing CIDi = h(IDi||yi||x1||bi||T)⊕T and Mi = h(bi||yi||x1||IDi||yi||x2||T), where T is the current date and time; otherwise the session is terminated.
L2. SC->Server: {CIDi, Mi, T}

4.3 Verification and Session Key Agreement Stage
On receipt of the login request message at time T* from Ui, S performs the following tasks:
A1. Verify: T*-T ≤ Δt; if yes, S continues with further computation.
A2. Compute: h(IDi||yi||x1||bi||T) = CIDi⊕T. Search for h(IDi||yi||x1||bi||T) in the database and extract (bi||yi)⊕h(x1||x2) and (IDi||yi)⊕h(x2||x1). As the server knows its two secret keys x1, x2, and hence h(x1||x2), h(x2||x1), it extracts (bi||yi) from (bi||yi)⊕h(x1||x2), and (IDi||yi) from (IDi||yi)⊕h(x2||x1).
A3. Compute: Mi* = h(bi||yi||x1||IDi||yi||x2||T). Check that Mi* computed = Mi received in the login request. If both are equal, server S proceeds to establish the session key; otherwise it rejects the login request from user Ui and ends the connection.
A4. S and Ui agree upon the session key SK = h(yi||x1||bi||IDi||yi||x2||T) for further secure data communication.

V. SECURITY ANALYSIS OF OUR IMPROVED SCHEME
In this section, we discuss and show how our proposed scheme fixes the weaknesses found in the C.G Ma et al. [3] scheme while preserving the merits of their scheme.

5.1 Prevention of Revealing of Secret Key of Server to Legal User
A legal user Ui knows his identity IDi, bi, and password Pi. Ui can extract Ni, Ai, Bi from the smart card memory by some means mentioned in [8, 9,10]. From the extracted values of Ni, Ai, Bi, a legal user can perform the following operations: compute (yi||x2) = Bi⊕h(IDi||Pi||bi), and compute (yi||x1) = Ni⊕h(IDi||Pi||bi). In our scheme the values (x1||yi), (x2||yi), (yi||x1), (yi||x2) are unique to each legal user. So it is not possible for the legal user Ui to use (x1||yi), (x2||yi), etc. to find the unknown values of another legal user Uk or the secret keys of the server, and it is also not probable for the legal user to guess the three unknown variables x1, yi, x2 correctly in real polynomial time. In the case of a legal adversary E as shown in fig 1, the number of unknown variables to be found is six, which is not possible to compute in real time. Hence, in our scheme the secret keys of the server (x1, x2, yi) are not known even to the legal user, and the values IDi, Pi, bi of Ui are not revealed to other users of the system.
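
The algebra of sections 3.1 to 3.3, replayed on constructed values to show why one XOR mask shared by every verifier row protects none of them. This is an added example, not code from the paper or from Ma et al.; it assumes 128-bit fields, SHA-256 truncated to 128 bits as h, a random byte string standing in for d, and (as section 3.2 does implicitly) that the insider can tell which stolen row is their own. All names are hypothetical.

```python
import hashlib
import secrets

BLOCK = 16  # assumption: every field is 128 bits, like the paper's hash output


def h(*parts):
    """h(a||b||...). SHA-256 truncated to 128 bits is a stand-in (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()[:BLOCK]


def xor(*vals):
    """XOR of equal-length byte strings."""
    out = bytes(BLOCK)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out


def field(text):
    """Identity or password as a zero-padded 128-bit field (assumption)."""
    raw = text.encode()
    if len(raw) > BLOCK:
        raise ValueError("field longer than 128 bits")
    return raw.ljust(BLOCK, b"\0")


class Server:
    """Steps R7 and R8 of the reviewed scheme; the RSA steps are left out."""

    def __init__(self):
        self.d = secrets.token_bytes(BLOCK)  # stand-in for the private key d
        self.table = {}  # Du -> (yu XOR h(h(d)||d), IDu XOR h(d||yu))
        self.y = {}      # ground truth, kept only so results can be checked

    def register(self, identity, password):
        ID, P, y = field(identity), field(password), secrets.token_bytes(BLOCK)
        self.y[identity] = y
        D = h(xor(h(ID, y), self.d))
        self.table[D] = (xor(y, h(h(self.d), self.d)), xor(ID, h(self.d, y)))
        return {"N": xor(h(ID, P), h(self.d)),
                "A": xor(h(P, ID), h(y)),
                "B": xor(y, ID, P)}

    def row_for(self, identity):
        """Models the assumption that the insider can pick out their own row."""
        ID, y = field(identity), self.y[identity]
        return self.table[h(xor(h(ID, y), self.d))]


def own_secrets(card, identity, password):
    """Section 3.1: the card holder removes their own ID and password."""
    ID, P = field(identity), field(password)
    return xor(card["N"], h(ID, P)), xor(card["B"], ID, P)  # h(d), yu


def unmask_all(table, own_row, y_own):
    """Section 3.2: one known yu exposes the mask shared by every row."""
    mask = xor(own_row[0], y_own)  # equals h(h(d)||d)
    return [xor(masked_y, mask) for masked_y, _ in table.values()]


def password_from_card(card, candidate_ys, dictionary):
    """Section 3.3: once yk is known, A is an offline password verifier."""
    for y in candidate_ys:
        for guess in dictionary:
            P = field(guess)
            ID = xor(card["B"], y, P)
            if xor(h(P, ID), h(y)) == card["A"]:
                return guess, ID.rstrip(b"\0").decode()
    return None


def demo():
    server = Server()
    insider_card = server.register("mallory", "m-pass")  # constructed accounts
    victim_card = server.register("alice", "sunshine1")
    server.register("bob", "correct-horse")
    h_d, y_m = own_secrets(insider_card, "mallory", "m-pass")
    ys = unmask_all(server.table, server.row_for("mallory"), y_m)
    found = password_from_card(victim_card, ys, ["123456", "sunshine1", "letmein"])
    return h_d == h(server.d), set(ys) == set(server.y.values()), found


if __name__ == "__main__":
    print(demo())
```
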

1298 2014 International Conference on Contemporary Computing and Informatics (IC3I)


Registration Phase:

User Ui:
  Select IDi, PWi and a random number bi.
  Ui generates: (SS)PK.
  Submit {(SS)PK, (IDi)SS, (Pi)SS, (bi)SS} to S.

Ui -> Remote Server Si: {(SS)PK, (IDi)SS, (Pi)SS, (bi)SS}

Remote Server Si:
  Decrypts (SS) using its private key.
  Decrypts the (IDi)SS, (Pi)SS, (bi)SS.
  The server S computes:
    Ni = h(IDi||Pi||bi)⊕(yi||x1)
    Ai = h(Pi||bi||IDi)⊕(bi||yi||x2)
    Bi = h(bi||IDi||Pi)⊕(yi||x2)
  The server stores (bi||yi)⊕h(x1||x2), (IDi||yi)⊕h(x2||x1), corresponding to h(IDi||yi||x1||bi||T) in its database.
  Si issues a smart card to Ui.

Remote Server Si -> Ui: Smart card {Ni, Ai, Bi, h(.)}

Login Phase:

Smart Card S.C:
  Ui enters IDi*, PWi*.
  Compute: (yi||x2) = Bi⊕h(bi||IDi||Pi).
  Concatenate: bi and (yi||x2) to get (bi||yi||x2).
  Calculates Ai using (bi||yi||x2), i.e., Ai* = h(Pi||bi||IDi)⊕(bi||yi||x2).
  Check: Ai* = Ai, i.e., Ai computed = Ai received.
  Ui computes: (yi||x1) = Ni⊕h(IDi||Pi||bi).
  Concatenate: (yi||x1) and bi to get (yi||x1||bi).
  CIDi = h(IDi||yi||x1||bi||T)⊕T, Mi = h(bi||yi||x1||IDi||yi||x2||T),
  where T is the current date and time, else the session is terminated.

Smart Card S.C -> Remote Server Si: {CIDi, Mi, T}

Remote Server Si:
  Receive the request at time T*.
  Verify: T*-T ≤ Δt.
  Compute: h(IDi||yi||x1||bi||T) = CIDi⊕T.
  Search for h(IDi||yi||x1||bi||T).
  Extract: (bi||yi)⊕h(x1||x2), (IDi||yi)⊕h(x2||x1).
  As the server knows his two secret keys x1, x2, h(x1||x2), h(x2||x1):
  Extract: (bi||yi) from (bi||yi)⊕h(x1||x2), (IDi||yi) from (IDi||yi)⊕h(x2||x1).
  Compute: Mi* = h(bi||yi||x1||IDi||yi||x2||T).
  Verify Mi* = Mi.

S and Ui frame: SK = h(yi||x1||bi||IDi||yi||x2||T)

Fig. 1. Graphical view of our proposed scheme.



TABLE I. THE TYPES OF USER AND THE VALUES THEY KNOW.

Type of user: Legal user (Ui): A user who is legitimate and is trying to access the system with his own smart card.
Values known to the user: A legal user knows his own IDi, Pi, bi, CIDi, Mi.
Values not known to the user: x1, x2, yi.

Type of user: Legal Adversary (UE): A legal user who is trying to impersonate another legal user Ui.
Values known to the user: A legal adversary 'UE' knows all his own values as mentioned above. Apart from that, 'E' is assumed to know:
  1. The smart card values of user Ui.
  2. The intermediate communication messages exchanged between Ui and S.
  3. Database values stored for Ui by S.
Values not known to the user: IDi, Pi, bi, x1, x2, yi, yk are the values of user Ui which are not possible for an adversary 'UE' to get, even though the following values of Ui are available to 'UE':
  1. {Ni, Ai, Bi, h(.)}.
  2. {CIDi, Mi, T}.
  3. {(bi||yi)⊕h(x1||x2), (IDi||yi)⊕h(x2||x1)}.

5.2 Prevention of Stolen Verifier Attack
In the proposed scheme h(IDi||yi||x1||bi||T) acts as an index into the server database. Corresponding to h(IDi||yi||x1||bi||T), S stores (bi||yi)⊕h(x1||x2) and (IDi||yi)⊕h(x2||x1). The adversary can frame h(IDi||yi||x1||bi||T) from the CIDi of Ui, i.e., h(IDi||yi||x1||bi||T) = CIDi⊕T, and can index into the database to get (bi||yi)⊕h(x1||x2) and (IDi||yi)⊕h(x2||x1). As discussed, an adversary knows neither (bi||yi), (IDi||yi) of user Ui nor (x1||x2), (x2||x1) of S. Hence it is not probable for an adversary to find out any value of Ui. A legal user who himself tries to perform the stolen verifier attack can frame h(IDi||yi||x1||bi||T) from his own CIDi and by indexing can get (bi||yi)⊕h(x1||x2) and (IDi||yi)⊕h(x2||x1). We have shown that even a legal user does not know his own yi; hence, it is not possible even for a legal user to find out any unknown value. Therefore, in our scheme neither a legal user nor a legal adversary can find out any unknown value from a stolen verifier attack.

5.3 Resistance to User Impersonation Attack
To impersonate a user Ui, a legal adversary 'E' must counterfeit a login message CIDi*, Mi*, T* to the remote server S by altering the CIDi, Mi, T of Ui. 'E' must identify the IDi, yi, bi of Ui and the x1, x2 of server 'S' to frame a valid CIDi*, Mi*. As shown in 5.1 and 5.2, it is computationally infeasible for E to obtain the unknown values of Ui. Hence, in our scheme it is impossible for anyone to impersonate a legal user Ui.

5.4 Resistance to Server Masquerade Attack
To masquerade as remote server S, a legal adversary E must frame a session key SK = h(yi||x1||bi||IDi||yi||x2||T) shared between S and Ui. As shown in 5.1, 5.2 and 5.3, it is computationally infeasible for E to derive the IDi, yi, bi of Ui and the x1, x2 of server S. Hence, in our scheme it is impossible for anyone to masquerade as the server. Therefore, from 5.3 and 5.4, we can conclude that our scheme resists the Man in the Middle attack.

5.5 Resistance to Framing of the Session Key by an Adversary
In our scheme, the session key is S.K = h(yi||x1||bi||IDi||yi||x2||T). To frame the session key, the attacker 'E' requires yi, x1, bi, IDi, yi, x2, T. As shown in 5.1 and 5.2, it is computationally infeasible for E to capture the unknown values of Ui. Hence, in our scheme it is infeasible for an adversary to frame the session key.

VI. COST AND SECURITY ANALYSIS
In this section we examine the communication and computation cost required by our protocol and compare it with that of significant protocols. The IDi and the time stamp are all 128 bits long. The output of the hash function is 128 bits. n, e, d require 1024 bits [19]. H, E, S designate the time complexity of the hash function, the exponential operation and symmetric key encryption respectively. The cost and energy efficiency comparison of the proposed scheme with the related smart card based authentication schemes is summarized in Table 3. The proposed scheme has less computation cost and is more energy efficient compared to the latest scheme proposed by C.G MA et al. [3] and other related dynamic ID-based schemes.

VII. CONCLUSION
Recently C.G MA et al. proposed an authentication scheme using smart cards. In this paper we have shown that the C.G MA et al. scheme is unsafe against all leading cryptographic attacks. In addition, we have put forward our augmented scheme, which is secure even if the adversary obtains the smart card and the server database. We also compare our scheme with Sood et al., Khan et al. and other related smart card authentication protocols and show that our scheme requires minimum computation and communication cost and yields a high level of security and energy efficiency, which makes our scheme eligible for use in practical scenarios.

TABLE II. COMPARISON OF SECURITY FEATURES

Feature                                   Ours  [3]  [2]  [17]  [18]
Provides User Anonymity                   Y     N    N    N     N
Resists offline password guessing attack  Y     N    N    N     N
Resists user impersonation attack         Y     N    N    N     N
Resists user server masquerade attack     Y     N    N    N     N
Stolen verifier attack                    Y     N    N    N     N
Resists replay attack                     Y     N    N    N     N
Resists Denial-of-Service attack          Y     N    N    N     N
Provides strong mutual authentication     Y     N    N    N     N



TABLE III. EFFICIENCY COMPARISON AMONG VARIOUS SMART CARD SCHEMES

Cost Type: Computation Cost
  Our: 10H; [2]: 12H; [3]: 2E+12H = 2*60+12 = 132H; [17]: 10H; [18]: 4E+6H+4S = 4*60+6+4*10 = 286H; [25]: 109H

Cost Type: Total Energy required for computations
  Our: 10*5.9 = 59 µJ; [2]: 12*5.9 = 70.8 µJ; [3]: 132*5.9 = 778.8 µJ; [17]: 59 µJ; [18]: 286*5.9 = 507.4 µJ; [25]: 109*5.9 = 643.1 µJ

Cost Type: % Energy Efficiency compared to [3] in communication
  Our: 92.42%; [2]: 90.90%; [3]: -; [17]: 92.42%; [18]: 34.84%; [25]: 17.42%

Cost Type: Communication Overhead Cost (bytes)
  Our: 48; [2]: 48; [3]: 176; [17]: 96; [18]: 432; [25]: 112

Cost Type: Total Energy required for communication per byte
  Our: 48*1.56 = 74.88 µJ; [2]: 48*1.56 = 74.88 µJ; [3]: 176*1.56 = 274.56 µJ; [17]: 96*1.56 = 149.76 µJ; [18]: 432*1.56 = 673.93 µJ; [25]: 112*1.56 = 174.72 µJ

Cost Type: % Energy Efficiency compared to [3] in computation
  Our: 72.72%; [2]: 72.72%; [3]: -; [17]: 45.45%; [18]: -145.45%; [25]: 36.37%

Cost Type: Storage Cost (bytes)
  Our: 48; [2]: 48; [3]: 304; [17]: 48; [18]: 352; [25]: 48

Energy required per byte of hash output = 5.9 µJoules [20], Energy required to transfer 1 byte is 1.56 µJoule [22], TExponential = 60 THash [23,24]
REFERENCES
[1] Y. Wang, J. Liu, F. Xiao, and J. Dan, "A more efficient and secure Dynamic ID-based Remote User Authentication scheme", Computer Communications, vol. 32, no. 4, pp. 583-585, March 2009.
[2] S.K. Sood, "Secure Dynamic Identity-Based Authentication Scheme Using Smart Cards", Information Security Journal: A Global Perspective 20(2), 67-77, 2011.
[3] C.G. Ma, D. Wang, and D. Zhang, "Cryptanalysis and Improvement of Sood et al.'s Dynamic ID-Based Authentication Scheme". In: Ramanujam, R., Ramaswamy, R. (Eds.): ICDCIT 2012. LNCS, vol. 7154, pp. 141-152. Springer, Heidelberg, 2012.
[4] S.K. Sood, "An Improved and Secure Smart Card Based Dynamic Identity Authentication Protocol", International Journal of Network Security, Vol. 14, No. 1, pp. 39-46, Jan. 2012.
[5] Q. Jiang, J. Ma, G. Li, and Li. Yang, "Robust Two-factor Authentication and Key Agreement Preserving User Privacy", International Journal of Network Security, Vol. 16, No. 4, pp. 321-332, Feb 2014.
[6] R. Ramasamy and A.P. Muniyandi, "An Efficient Password Authentication Scheme for Smart Card", International Journal of Network Security, Vol. 14, No. 3, pp. 180-186, Apr 2012.
[7] M.L. Das, A. Saxena, and V.P. Gulati, "A dynamic ID-based remote user authentication scheme", IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629-631, 2004.
[8] E. Brier, C. Clavier, and F. Oliver, "Correlation power analysis with a leakage model", Lecture Notes in Computer Science, Vol. 3156, pp. 135-152, 2004.
[9] A.A. Yassin, H. Jin, A. Ibrahim, and D. Zou, "Encrypted Remote User Authentication Scheme by Using Smart Card", WISM 2012. LNCS, vol. 7529, pp. 314–323. Springer, Heidelberg, 2012.
[10] T.S. Messerges, E.A. Dabbish and R.H. Sloan, "Examining smartcard security under the threat of power analysis attacks," IEEE Transactions on Computers, vol. 5, no. 3, pp. 514-522, 2002.
[11] L. Lamport, "Password Authentication with Insecure Communication", Communication of the ACM, 24, no. 11, pp. 770-772, 1981.
[12] H. Tu, N. Kumar, N. Chilamkurti, and S. Rho, "An improved authentication protocol for session initiation protocol using smart card", Springer journal on Peer-to-Peer Networking and Applications, 2014.
[13] J. Wei, W. Liu, and X. Hu, "Cryptanalysis and Improvement of a Robust Smart Card Authentication Scheme for Multi-server Architecture", Springer journal of Wireless Personal Communications, February 2014.
[14] A. Chaturvedi, D. Mishra, and S. Mukhopadhyay, "Improved Biometric-Based Three-factor Remote User Authentication Scheme with Key Agreement Using Smart Card." Information Systems Security, Lecture Notes in Computer Science Volume 8303, pp. 63-77, 2013.
[15] J. Mun, J. Kim, W. Jeon, Y. Lee, and D. Won, "Cryptanalysis of Encrypted Remote User Authentication Scheme by Using Smart Card." Advances in Computer Science and its Applications, Lecture Notes in Electrical Engineering Volume 279, pp. 423-428, 2014.
[16] H.F. Huang, H.W. Chang, and P.K. Yu, "Enhancement of Timestamp-based User Authentication Scheme with Smart Card", International Journal of Network Security, Vol. 16, No. 4, pp. 385-389, Jan 2014.
[17] M.K. Khan, S.K. Kim, and K. Alghathbar, "Cryptanalysis and security enhancement of a more efficient & secure dynamic ID-based remote user authentication scheme". Computer Communications 34(3), 305-309, 2011.
[18] L.L. Hu, Y.X. Yang, and X.Y. Niu, "Improved remote user authentication scheme preserving user anonymity". In: Fifth Annual conference on Communication Networks and Services Research, pp. 323-328. IEEE Computer Society, Los Alamitos, 2007.
[19] S.S. Sood, A.K. Sarje, and K. Singh, "Inverse Cookie-based Virtual Password Authentication Protocol", International Journal of Network Security, Vol. 13, No. 2, pp. 98–108, Sept. 2011.
[20] D. He, J. Chen and H. Jin, "An ID-based proxy signature schemes without bilinear pairings", Springer: annals of telecommunications - annales des télécommunications, Vol 66, pp. 657-662, December 2011.
[21] J. Wei, W. Liu, and X. Hu, "Cryptanalysis and Improvement of a Robust Smart Card Authentication Scheme for Multi-server Architecture", Springer: Wireless Personal Communications, vol 77, pp. 2255-2269, Jul 2014.
[22] E.A.A.A. Hagras, D.E. Saied, and H.H. Aly, "Energy Efficient Key Management Scheme Based on Elliptic Curve Signcryption for Wireless Sensor Networks", 28th National Radio Science Conference (NRSC 2011), National Telecommunication Institute, Egypt, April 26-28, 2011.
[23] N. Koblitz, A. Menezes, and S. Vanstone, "The state of elliptic curve cryptography," Des. Codes Crypto, vol. 19, no. 2-3, March, 173-193, 2000.
[24] S. Contini, A.K. Lenstra, and R. Steinfeld, "VSH, an Efficient and Provable Collision-Resistant Hash Function," Advances in Cryptology – EUROCRYPT 2006, Saint Petersburg, Russia, 2006, pp. 165-182.
[25] D. He, N. Kumar, J. Chen, C.C. Lee, N. Chilamkurti, and S.S. Yeo, "Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks", Springer journal of Multimedia Systems, December 2013.
