A Secure Authentication Scheme for Teleservices Using Multi-Server Architecture

Abstract

The telecommunications industry covers various sectors and services such as broadband, telecom equipment, telecom infrastructure, telephone service providers, mobile virtual network operators, 5G, and the white space spectrum. Smart Cards may be chosen as one of the best mechanisms for authorized access to these services in the telecom sector. Recently, Jin Kwak proposed a scheme based on dynamic identity for authentication purposes, mentioning that the scheme does not suffer from security breaches and attacks. This paper illustrates Jin Kwak’s technique and finds that it violates the purpose contrary to his claim. Due to a design issue in his scheme, an adversary may guess the password in a polynomial time and impersonate a legal user. Furthermore, other attacks, including replay attack, are also possible, as the time stamp was not protected in this scheme. We propose an improved version of this scheme, and it is free from various attacks, including password guessing by hiding the identity of the user and replay attacks by using the time stamp securely. The results mentioned in performance and efficiency comparison show a faster scheme than many existing schemes.

1. Introduction

A significant increase in revenues and consumer numbers in the telecom industry generates more employment and contributes to India’s GDP. In addition, the tremendous growth in the wireless sector and the availability of high-speed data services allow users to increase data usability. Despite all these, further enhancement can be done in the mobile value-added services (VAS) by including various utility services, like m-governance, m-traffic management, m-education, m-shopping, m-health, etc., and to use any services, including the above services, needs an authentication scheme [1,2,3,4]. Further, sharing towers and other infrastructure among various telecom service providers to reduce the cost spent on the setup and management of the telecom infrastructure seems imminent. Furthermore, the decrease in the prices of the tariffs and the availability of more affordable smartphones will further serve as a booster for the growth of the telecom industry and [5,6,7] can be used for authentication. With time, the telecom domain will increase its reach and connect the rural areas where the telephony services are absent or have a limited presence.

As per the GSMA report, by 2025 [8], it is predicted that India will be the second-largest market in the world and will be using 1 billion smartphones. It is also believed that 88 million 5G will be installed. Currently, the trials of 5G technology are under process across the country, and 5G technology is expected to add $450 billion to the Indian Economy during 2023–2040, as per investindia.

The telecom sector proliferates and faces authentication, privacy, and data security challenges. User authentication is the most crucial task to access any services related to telecom and medical, etc. [9,10,11]. Therefore, single server and multi-servers authentication architecture [12,13] came into the picture. Multi-server architecture mainly produces more productive results. However, a few inherent challenges with multi-server authentication are replay attacks [14], session key leakages [5], and user impersonation attacks [13] during connection establishment and data transfer. In addition to the above, during the connection establishment and communication process, stealing data by sniffing and tinkering or other attacks may also raise serious concerns for multiple server architecture [1,15,16,17,18,19,20]. Therefore, we need a secure and efficient authentication scheme for a multi-server architecture environment, which removes the security vulnerabilities mentioned in [21,22].

In our proposed scheme, a user is authenticated by logging in to a specific server, named an authentication server, by inputting the credentials into a smart card, then the authentication server sends the request to the central server for final authentication. The central server and the authentication server agree to produce the same session key during this process.

We summarize our significant contributions as follows:

▪

In a review of Jin Kewak scheme, it suffers from various attacks.

▪

We propose an improved version of Jin Kewak scheme.

▪

The proposed scheme has essential features of the authentication scheme, such as user anonymity and mutual authentication, and is free from various security attacks, including user impersonation attacks, offline password guessing attacks, replay attacks, and insider attacks.

▪

We also demonstrated that our scheme takes less computational resources from various methods mentioned in [1,18,19,20].

The structure of the remaining section of the paper is as follows: In Section 2, related work was presented, Section 3 has Jin Kwak’s scheme, while Section 4 includes our proposed authentication scheme, an improvement of Jin Kwak’s scheme. Section 5 covers a security analysis of our proposed scheme, mentioning that our scheme has no vulnerabilities and is free from various attacks. The performance of our scheme and comparison with others is demonstrated in Section 6. Finally, we present the conclusion in Section 7.

2. Related Work

In [1], the authors presented an authentication scheme based on the smart card, which allows the user to initiate the authentication process through a smart card to log in to a remote server connected to the Internet of things devices. Furthermore, they have analyzed their work on the Automated Validation of Internet Security Protocols and Applications tool. However, this approach suffers from various attacks, such as offline password guessing attacks, insider attacks, and replay attacks. The authors in [18] presented an authentication scheme for Internet of Things (IoT)-enabled devices and cloud-based servers by using a hash function. This scheme uses limited computation power, a mandatory requirement of IoT-enabled technologies. However, this scheme suffers user impersonation attacks.

With the prevalent usage of IoT-based devices and to secure access to private information from the cloud, the authors in [19] proposed an authentication scheme based on a smartcard. They used AVISPA tool and BABN logic to reveal their work’s strength. The authors have also pointed out a better performance than many existing models. However, this approach did not take care of user anonymity and offline password guessing attack. With the popularity of the IoT and 5G-based heterogeneous networks, and the necessity of a multi-server-based authentication system, the authors in [20] proposed a multi-server-based authentication system for the 5G network by using a smart card. They also did a security analysis on the proposed scheme using the ProVerif tool and BAN logic and carried out an informal security analysis of the proposed work. Moreover, the proposed protocol does not suffer from any significant attacks. However, it takes more computation time and occupies more resources.

In [12], the authors have presented the improved version of Kaul and Awasthi’s approaches for authentication by using the smart card. Per their claim, this approach is free from various stacks such as insider attacks, offline password guessing attacks, and user impersonation attacks, and supports mutual authentication attacks. However, this paper does not use the session key. In [10], the authors have recommended phishing detection algorithms using a support vector machine. However, they did not mention the authentication module in their study. In the study mentioned in [23], the authors have recommended the improved version of Das’s scheme for wireless sensor networks, which removed all the shortcomings of Das’s scheme. In their scheme, they have used three factors for authentication. However, this approach takes more computational resources.

With the continuous growth of internet technologies and acceptable server-side increments to offer users multiple services, the authors in [24] mentioned authentication with the help of various servers. However, the services mentioned in the paper are used in an insecure channel that attackers easily control. This paper uses a biometric and a smart card to use three authentication factors. However, the mentioned scheme suffers from various security attacks. In [17], the authors have improved the version of Jangirala’s scheme, which was various security threats, including user impersonation and server spoofing attacks. The authors have also used BAN logic in support of their claim. However, this scheme is not computationally efficient.

The authors in the paper [25] presented a Lyapunov-based approach that dynamically selects a relevant data communication model by using a transmission queue. The proposed scheme has to minimize power consumption. In [26], the authors have presented a resolution adjustment algorithm for reducing the overhead in video processing. The authors further used the Lyapunov-based algorithm. The mentioned approach achieves approximately 50% reduction in power. The authors in [27] have presented a system based on reinforcement learning-based Multi-Objective Hyper-Heuristic for planning the route in a smart city. The algorithm mentioned in the paper is efficient and produces faster results. In [28], the authors proposed an intelligent traffic controller, which runs based on active queue length. This controller has better performance than manual traffic controllers at intersections. The application mentioned in [25,26,27,28] needs a proper authentication model. Otherwise, severe security lapses may be possible. Therefore, these applications need security solutions.

3. Crypto Analysis of Jin Kwak’s Dynamic-Identity-Based Scheme [1]

In [1], the authors used three entities: the user who needs to be authenticated (Ui), the authentication server (Sj), and the Central server (CS). Furthermore, they have used three different sections: registration, login and verification, and password change.

Table 1. Various notation used in [1].

Notation	Description
Ui	The ith User
Sj	The jth server
CS	The Central server for authentication
Idi	The identity of the user i
Pi	The used password
UIDi	The anonymous identity of the user i
SIDj	The identity of SIDj
X	The central server’s master key
TS	The used timestamp
Ni1	The random number used by the smart card
Ni2	The random number used by the server Sj
Ni3	The random number used by the Center server
SK	Session key among all the parties
h(*)	Used hash function, the one-way collision-free hash function
⊕	Exclusive or gate operation
||	The concatenation operation used to concatenate two strings

represents the various parameters used in [1].

We consider the following significant assumptions made by Xu et al. [29], Kocher et al. [30], and Messages et al. [13] for presenting the threat model before analyzing Jin Kwak’s dynamic-identity-based method:

(1)

An adversary, who may take control of the communication channel as the channel is public, may perform an inserting or listening operation.

(2)

An adversary may get the lost smart card.

(3)

An adversary may obtain the stored parameters by analyzing the card’s power consumption.

We present the security flaws of Jin Kwak’s dynamic-identity-based scheme in the remaining part of Section 3.

3.1. User Impersonation Attack

As per the scheme [1], smart card SC_i stores Userinfor_i, UID_i, Encpass_i, h(x) and h(*). If the adversary steals the card, the adversary may easily extract these parameters by analyzing power consumption and recover the A_i, Veru_i, UID_i, and Ts parameters during the transmission at the login phase.

As per the scheme, the random numbers are stored at the server for meaningful computation. The adversary uses Ni1 and sends the following parameters:

{A_i, Veru_i, UID_i, Ts new}

Whereas A_i = Userinfor_i ⊕ h(x) ⊕ N_i1

(1)

Veru_i = h(h(x) || N_i1)

(2)

where Ts new is the new timestamp.

At this moment, Verui (Computed) and the Verui (Received) are the same. Therefore, the adversary request is accepted by the server. Moreover, the adversary may generate their random number, say N_i1*.

Then, the adversary may compute,

A_i* = Userinfor_i ⊕ N_i1* ⊕ h(x)

(3)

As the parameters, Userinfor_i and h(x) are already stored in the card, now

Veru_i* = h(h(x) || N_i1*)

(4)

Now, the adversary user sends {A_i*, Veru_i*, UID_i, and Ts*}.

Now, CS compares the received Veru_i* and computed Veru_i*. The parameters are the same as received Veru_i*, and calculated Veru_i* uses the exact computations.

In general, CS authenticates the request if the adversary generates a new random number every time, uses the latest timestamp, and applies the formulas mentioned above.

Therefore, the adversary may impersonate the legal user.

3.2. Replay Attack

As per Section 3.1, the adversary may easily extract stored parameters, and the adversary may also get A_i, Veru_i, UID_i, Ts.

Since Ai is computed as A_i = Userinfor_i ⊕ h(x) ⊕ N_i1 and Veru_i are computed as: Veru_i = h(h(x) || N_i1). CS compares received Veru_i and computed Veru_i. If both the parameters are the same, then CS authenticates the user. Since authentication is based on the value of Veru_i, it does not depend on the timestamp. CS maintains the verifiable table, and random numbers are not stored at the table, so a previously used random number can be reused.

Therefore, adversary may replay the login request A_i, Veru_i, UID_i, Ts latest by changing the value of Tslatest, where Tslatest is the variable that contains the latest timestamp.

After storing Ni1 is stored, a replay attack is possible.

3.3. Insider Attack

Any insider may get parameters from CS named as {(ID_i, EncPass_i*), UID}. After getting these parameters, an insider may guess the password from EncPass_i = h(ID_i || h(P_i*)), where P_i* is guessed password. If EncPass_i*= EncPass_i, then the insider comes to know about the correct password of U_i.

4. Proposed Authentication Protocol

After reviewing Jin Kwak’s scheme in Section 3, we need to make a more secure scheme that removes all the shortcomings mentioned in Section 3. Our proposed authentication protocol, similar to other schemes [1,18,19,20,26], has three entities named as the user who needs to be authenticated (Ui), the authentication server (S_j), and the trustworthy Centre server (CS). Initially, Ui inputs his credentials, then these credentials are authenticated by the smart card, followed by the smart card authentication by S_j, and finally, Sj is authenticated by CS. Figure 1 describes Registration phase, Figure 2 presents Log-in and authentication phase, while Figure 3 represents password change phase.

4.1. Registration Phase

The registration phase is the very first stage of our work and covers the registration process of U_i and S_j with CS. We used a secure channel for the registration phase. After that, CS provides a smart card for the user, sharing the required login details with S_j. The

Table 2. Notation used in the authentication protocol.

Notation	Description
Ui	The ith User
Sj	The jth server
CS	The Central server for authentication
Idi	The identity of the user i
Pi	The used password
UIDi	The anonymous identity of the user i
SIDj	The identity of SIDj
X	The central server’s master key
TS	The used timestamp
Ni1	The random number used by the smart card
SK	Session key among all the parties
h(*)	Used hash function, the one-way collision-free hash function
⊕	Exclusive or gate operation
||	The concatenation operation used to concatenate two strings
digsig(CS)	Digital Signature of Central Server

has various notations used in our prosed scheme. The following steps are used in this phase.

4.2. Registration Phase

Step 1. In step 1, the authentication server S_j transmits the identification value, SID_j, to the CS over a secure communication medium. After that, CS evaluates the Serveinf_j from SID_j and x by following the equation and sending it to S_j via a secure channel. Finally, S_j stores the Serverinfo_j value.

Serveinf_j = h(SID_j || x)

(5)

Step 2. In this step, U_i picks the user identification (ID_i) and password (P_i,) and evaluates A_i as per the following equation:

A_i = h(ID_i || h(P_i))

(6)

Step 3. Ui sends ID_i, A_i to the CS, and CS computes B_i. SC_i (Card) stores A_i, B_i, hash function h(*), Ekpub (ID_i), where Ekpub is a public key of the CS.

B_i = A_i ⊕ h(x)

(7)

After successful of the above steps, CS issues the card (SC_i) to U_i.

4.3. Log-In and Authentication Phase

After completion of the registration phases, the login and authentication process will start to access the server to get various services offered. U_i gives his credentials, which are authenticated by the smart card, followed by authentication of the smart card by the server S_j, and CS authenticates to server S_j. The following steps are used in this phase.

Step 1. U_i puts a given smart card in the card reader by providing his credentials, ID_i and Pi.

Now, the smart card finds A_i′ = h (ID_i || h (P_i)). Computed value is compared with the stored value. If both are the same, the smart card authenticates to the user.

If both the values are different, the session is frozen.

Step 2. SC_i sends C_i and current timestamp (T1) to the server S_j with the help of the public key of server S_j.

Now compute, C_i = {Ekpub (ID_i), h (ID_i || T1), Bi*, Bi, T1}.

Bi* = h (IDi || T1 || Bi)

(8)

Step 3. S_j checks whether T1 is a valid timestamp or not. If valid, S_j sends Di to the CS; otherwise, the session is frozen.

Now Compute, D_i = {C_i, S_j, h (h (S_j || x) || T2), T2}

(9)

Step 4. After receiving D_i, CS checks whether T2 is a valid timestamp or not; if valid, then compute E_i = h (h (S_j || x) || T2), otherwise ignore.

If computed E_i and received E_i are the same, then CS authenticates to S_j.

Step 5. Now from D_i = {C_i, S_j, h (h (S_j || x) || T2), T2}, CS computes the valid timestamp from C_i. If it is valid, then CS computes B_i* = h (ID_i || T1 || B_i). If computed B_i* and received B_i* are equal, then it is alright; otherwise, terminate the connection.

Step 6. Now CS computes A_i, computes A_i*. CS then sends F_i to the server S_j.

A_i = B_i ⊕ h(x)

(10)

A_i* = h(A_i || ID_i || T4)

(11)

F_i = {A_i*, digsig(CS), T4},

where digsig(CS) is the digital signature of the center server authorized by competitive authority.

Step 7. S_j verifies the digital signature of CS, digsig(CS), and valid timestamp from T4. If both are alright, then Fi is forwarded to (SC_i).

Step 8. SCi computes the A_i* = h(A_i || ID_i || T4) and check timestamp T4, if computed.

If A_i* and received A_i* are equal, SC_i authenticates to the server.

4.4. Password Change Phase

The following steps are mentioned in our password change phase:

Step 1. The U_i scans the smart card through ID_i and P_i credentials, and the smart card (SC_j) finds A_i′.

A_i′ = h(ID_i || h(P_i))

(12)

Step 2. If A_i′ = A_i, entered ID_i and P_i are valid; otherwise, this phase ends.

Step 3. The U_i provides a new password P_{i new}, and computes A_{i new} and B_{i new} where

A_{i new} = h(ID_i || h (P_{i new}))

(13)

B_{i new} = A_{i new} ⊕ h(x)

(14)

Step 4. Card SC_i stores A_{i new}, B_{i new}, h(*), Ekpub (ID_i).

5. Security Analysis of Our Scheme

5.1. Free from an Insider Attack

In our scheme, CS does not store passwords, other parameters, and verifiable tables. Therefore, the insider does not have any additional information to find or guess the same password. Hence, our scheme is wholly protected from insider attacks.

5.2. Resists Online Password Guessing Attack

Suppose an adversary gets the smart card and can not make multiple login attempts as the number of attempts is limited to a total of three. However, if they try to log in repeatedly, the smart card will be blocked, and reactivation will be required. Hence, the proposed scheme is safe against an online password guessing attack.

5.3. Resists Offline Password Guessing Attack

It is assumed that if an adversary steals the user’s card, the adversary can compute a few parameters as SC_i stores A_i, B_i, hash function h(*), Ekpub (ID_i). The adversary may get either a password or an ID but not in polynomial time. Hence, an offline attack is not possible in our approach.

5.4. Resists User Impersonation

The card, authentication server, and central server should authenticate the adversary for claiming as a legal user. As per the login step, we have:

To authenticate the card, an adversary enters ID_i, and P_i, and the smart card finds the value of A_i′ as per the below-mentioned equation and compares it with stored A_i. If both values are equal, the adversary may be treated as a genuine user.

It is computed as: A_i′ = h(ID_i || h(P_i)).

As mentioned in Section 4.2, either ID or password may be found in polynomial time, but A_i′ depends on both parameters. Therefore, the adversary can not be interpreted as a legal use. Furthermore, there is no need to check the authenticity of the authentication server and central server.

5.5. Resists Server Masquerading Attack

The adversary should be able to compute the following steps as impersonate a legal authentication server or central server:

Step 1. S_i verifies the digital signature of the Central Server, digsig(CS), and valid timestamp from T4. If both are correct, then F_i is forwarded to (SC_i). We know that nobody can make the digital signature of others. Therefore, the adversary cannot be interpreted as a central server.

Step 2. Additionally, SC_i computes the A_i* = h (A_i || ID_i || T4) and checks timestamp T4. Here, the adversary can not compute A_i* as it depends on ID_i, and P_i. Both are known to the adversary.

Hence, the proposed system provides a safeguard against masquerading server attacks.

5.6. Resists Replay Attack

In our approach, we have login request: C_i = {Ekpub (ID_i), h(ID_i || T1), B_i*, B_i, T1}. Suppose an adversary changes the value of T1 to get a new timestamp, but the adversary may not compute the new value of h(IDi || T1) as ID_i is known. Therefore, no new timestamp can not be created. Hence, our scheme provides complete protection against replay attacks.

5.7. Resists Stolen Verifier Attack

S_j maintains no record in our scheme as a verifiable table is not created. Upon receiving a login request at S_j, the S_j uses the secret key, x, to find out the secret number, N_i1, received from the card. Therefore, our scheme resists the stolen verifier attack.

6. Performance and Efficiency Comparison

We compare our approach with recent techniques, as in

Table 3. Comparisons of our scheme with others based on various security parameters.

Schemes→ ↓Security Characteristics	[1]	[18]	[19]	[20]	Our Proposed Scheme
User Anonymity	Yes	Yes	No	Yes	Yes
Mutual Authentication	Yes	Yes	Yes	Yes	Yes
User impersonation attack	Yes	Yes	Yes	No	No
Offline Password Guessing Attack	No	No	Yes	No	No
Replay attack	Yes	No	No	No	No
Server impersonation attack	No	No	No	No	No
Insider Attack	Yes	No	No	No	No

and

Table 4. Comparisons of performance analysis based on computation time with other state-of-art works (T′: Computation time to compute the one hash function, T′: Time in encryption and decryption algorithms, T‴ Time in digital signature.

Computation Cost	[1]	[18]	[19]	[20]	Our Proposed Scheme
Operations on the User side	5T′/0.0258	11T′/0.056	9T′/0.0465	T′/0.0672	4T′ + 1T″/0.0314
Operation on the Server side	20T′/0.1034	25T′/0.1293	14T′/0.0723	27T′/0.1397	8T′ + 1T″ + 2T‴/0.0568
Total	25T′/0.1292	36T′/0.1853	23T′/0.1188	40T′/0.2069	12T′ + 2T″ + 2T″/0.0882

. Table 3 has a comparison of our work based on security parameters, while Table 4 has a comparison based on computation speed.

As per Table 3, our approach maintains user anonymity and mutual authentication and is free from various attacks, including insider guessing attacks, offline password guessing attacks, user impersonation attacks, replay attacks, and server impersonation attacks. While scheme [1] suffered from replay, insider, and user impersonation attacks, Ref. [18] sustained user impersonation attacks, and Ref. [19] did not maintain user anonymity and suffered from user impersonation and offline password guessing attacks. However, Ref. [20] does not suffer from any attack, but takes more computation time.

Table 4 shows that our proposed algorithm takes 12T′ + 2T″ + 2T″ computation efforts with 0.0882 ms, while the algorithm mentioned in [1] takes 25T′ computation efforts with 0.1292 ms time, Ref. [18] takes 36 T′ Computation efforts with 0.1853 ms, Ref. [19] takes 23 T′ computation time with 0.1188 ms time, and [20] takes 40T′ computation efforts with 0.2069 ms time. Therefore, we can claim that our proposed algorithm takes less time. However, we did not consider our operation and concentration operations, as these two operations take minimal time.

Figure 4 explains the computational cost of [1,18,19,20] and our proposed scheme. The figure shows that our scheme takes a total of 0.0882 ms while others take 0.1292, 0.1853, 0.1188, and 0.2069 ms. On the client side, the computational cost of our scheme is 0.0314, while others take 0.0258, 0.056, 0.0465, and 0.0772 ms. Similarly, on the server side, our scheme runs in 0.0568 ms, while others execute in 0.1034, 0.1293, 0.0723, and 0.1397 ms. The result shows that our scheme is efficient and has less computational time to authenticate to the user.

7. Conclusions

This paper presented an efficient and secure authentication scheme by using a multi-server scheme to access any teleservice. Through the reasoning mentioned in the paper, we claim that our proposed scheme does not suffer from security attacks, including insider attacks, offline password guess attacks, impersonating legal user attacks, server masquerade attacks, and replay attacks. We have also computed that our scheme supports efficient operations for both the operations on the user side and server side. Therefore, the proposed verification protocol supports instant authentication and resists various security attacks.