Article in Multimedia Tools and Applications, January 2017
DOI: 10.1007/s11042-016-4236-y

All content following this page was uploaded by Azeem Irshad on 13 January 2017.

Multimedia Tools and Applications, An International Journal (ISSN 1380-7501)

An improved and secure chaotic map based authenticated key agreement in multi-server architecture

Azeem Irshad 1, Muhammad Sher 1, Shehzad Ashraf Chaudhry 1, Qi Xie 2, Saru Kumari 3, Fan Wu 4

Received: 28 May 2016 / Revised: 13 October 2016 / Accepted: 30 November 2016
© Springer Science+Business Media New York 2017

Abstract Multi-Server Authentication (MSA) gives the user an efficient way to avail the services of multiple multimedia service providers after a single registration with a registration centre. Previously, a user had to register with every server individually to use its service, which is a redundant and inefficient procedure in comparison with MSA. Many MSA-based techniques have been put forward by researchers so far, however with proven pitfalls. In the last few years, the focus has shifted towards the more flexible and efficient Chebyshev cryptographic technique. In this regard, Tan's scheme recently presented a chaotic map based multi-server authentication scheme with a focus on login scalability. Nonetheless, Tan's scheme has been found vulnerable to a privileged insider (impersonation) attack and a stolen smart card attack. Besides, Tan's scheme fails to differentiate between the login requests of its two presented cases. The current work improves Tan's technique in terms of security at almost equivalent cost. The security of the proposed work is evaluated in the security analysis section, where it is shown to be provable under a formal security model as well as using BAN logic.

* Azeem Irshad
irshadazeem2@gmail.com

Muhammad Sher
m.sher@iiu.edu.pk
Shehzad Ashraf Chaudhry
shahzad@iiu.edu.pk
Qi Xie
qixie68@126.com
Saru Kumari
saryusiirohi@gmail.com
Fan Wu
conjurer1981@gmail.com

1 Computer Science Department, International Islamic University, Islamabad, Pakistan
2 Hangzhou Key Laboratory of Cryptography and Network Security, Hangzhou Normal University, Hangzhou, China
3 Chaudhary Charan Singh University, Meerut, Uttar Pradesh 250004, India
4 Xiamen Institute of Technology, Xiamen, China

Keywords Multi-server authentication · Chebyshev chaotic map · Cryptography · Authenticated key agreement

1 Introduction

Authentication techniques have evolved from single-factor to multi-factor schemes, and from hash-based schemes to schemes built on more complex cryptographic tools, which has enhanced the security of a subscriber from several aspects. In this regard, chaos cryptography, one of the lightweight cryptographic tools, has been developed for its cost efficiency, unpredictability and sensitivity to initial parameters. In this study, we analyze the security of current multi-server authentication schemes, particularly Tan's scheme.

First, we briefly review the MSA-based techniques presented in the last decade. The Lin and Hwang scheme [17] can be regarded as the pioneering scheme for putting forward a multi-server architecture using neural networks; it is deemed inefficient because of the training time it takes [21]. Afterwards, another MSA-based scheme by Juang [12] was presented using symmetric cryptography, however with security loopholes. MSA-based schemes can be roughly categorized into hash-based schemes [4, 20, 24, 27, 48], symmetric cryptography-based schemes [8–10, 12, 35] and public key cryptography-based schemes [36]. The hash-based MSA schemes are more cost-efficient; however, they do not provide anonymity [12, 17, 21, 32]. Later, Liao and Wang [20] presented a dynamic ID-based MSA scheme, which Hsiang and Shih [7] found vulnerable to insider attack, masquerading and server spoofing attack. The new scheme presented by Hsiang and Shih [7] was found insecure by Sandeep et al. [29], who came up with an improved scheme. Afterwards, Tan [30] found that the scheme of Sandeep et al. does not provide perfect forward secrecy and login scalability. Thereafter, Li et al. [18] presented a novel dynamic identity technique for protecting the user's privacy. Then Wang and Ma [37] presented a smart-card based MSA scheme, which He and Wu [5] found prone to privileged insider attack, server spoofing attack, impersonation attack and offline password guessing attack. Another MSA-based scheme by Chen et al. [2] was introduced on the concept of login scalability, employing elliptic curve cryptography; however, it was found prone to perfect forward secrecy violation and impersonation attack, and to lack mutual authentication. Using chaotic cryptography, Zhu et al. [50] and Tsai et al. [33] presented MSA-based schemes; however, [50] was found vulnerable to malicious insider attack by [16], and [33] is prone to malicious insider attack and stolen smart card attack as proven by [22]. Lately, Li et al. [19] and Lu et al. [22] presented MSA-based schemes; however, like traditional schemes, these do not consider login scalability. More recently, Tan [31] presented an improved chaotic map based MSA scheme that not only takes login scalability into account, but also attempts to reduce the cost of authenticated session establishment when the user needs to get the service from the same server again. However, Tan's scheme has been found vulnerable to stolen smart card attack and malicious insider/impersonation attack. We have proposed an improved secure model at almost equivalent cost, which is duly verified in the following sections. The proposed scheme is a multi-server authentication technique based on the Chebyshev chaotic map [28, 41, 49]. The proposed technique employs biometric input to enhance the security of Tan's protocol. Additionally, in comparison with Tan's scheme, the proposed scheme provides tighter control over subscribers while still providing login scalability. In this study, we review Tan's scheme and evaluate the performance along with a formal security analysis using the random oracle model and BAN logic.

As for the outline of the current work, Section 2 deals with the preliminaries, describing the Chebyshev map and the bio-hash function. Section 3 describes the working of Tan's scheme. Section 4 presents the cryptanalysis of Tan's scheme. Section 5 presents our proposed model. Section 6 exhibits the security analysis. Section 7 presents the performance efficiency analysis. Section 8 concludes the findings.

2 Preliminaries

This section presents a brief overview of the Chebyshev chaotic map and the bio-hashing function as follows.

2.1 Chebyshev chaotic maps

We define some salient properties of Chebyshev polynomials and chaotic maps [3, 6, 13, 15, 25, 26, 38–40, 42, 44–47] as under:

1. Let n be an integer and x a variable in the interval [−1, 1]. The Chebyshev polynomial Tn(x): [−1, 1] → [−1, 1] is characterized as Tn(x) = cos(n · arccos(x)). A recurrence relation can be used to define the Chebyshev polynomial map Tn: R → R of degree n:

$$T_n(x) = 2x\,T_{n-1}(x) - T_{n-2}(x), \qquad n \ge 2,\quad T_0(x) = 1,\quad T_1(x) = x.$$

The first few Chebyshev polynomials are:

$$T_2(x) = 2x^2 - 1, \qquad T_3(x) = 4x^3 - 3x, \qquad T_4(x) = 8x^4 - 8x^2 + 1.$$

2. The Chebyshev polynomial has two features:

The chaotic feature: For n ≥ 1, the Chebyshev polynomial map Tn(x): [−1, 1] → [−1, 1] of degree n is a chaotic map with invariant density $f^*(x) = 1/(\pi\sqrt{1 - x^2})$ and positive Lyapunov exponent $\lambda = \ln n > 0$.

The semi-group feature [14]: The semi-group feature of the Chebyshev polynomial can be defined on the interval (−∞, +∞) as

$$T_n(x) = \bigl(2x\,T_{n-1}(x) - T_{n-2}(x)\bigr) \bmod p,$$

given n ≥ 2, x ∈ (−∞, +∞) and p a large prime number. Besides,

$$T_a(T_b(x)) \equiv T_{ab}(x) \equiv T_b(T_a(x)) \pmod p.$$

3. Chaotic maps-based discrete logarithm problem (CMDLP): Given a and b, it is hard to find s such that Ts(a) = b.
4. Chaotic maps-based Diffie-Hellman problem (CMDHP): Given x, Ta(x) and Tb(x), it is hard to compute Tab(x).
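The recurrence and the semi-group property above are what every equality Tvi(Wj1) = Tvj(Wi1) in the protocols of Sections 3 and 5 relies on. The following Python example is added by the editor and is not code from the paper: it evaluates Tn(x) mod p in O(log n) multiplications by square-and-multiply on the 2×2 companion matrix of the recurrence, cross-checks against the plain O(n) recurrence, verifies the semi-group identity, and runs the chaotic-map Diffie-Hellman exchange (CMDHP) with both parties' computations. The prime, seed and exponents are toy constants chosen here for illustration, far smaller than the "large prime" the scheme requires, and all function names are the editor's.

```python
# Chebyshev polynomials over Z_p and the chaotic-map Diffie-Hellman exchange.
# Added example; not from the paper. All parameters are toy values.
from typing import Tuple


def chebyshev_mod(n: int, x: int, p: int) -> int:
    """T_n(x) mod p via the recurrence T_n = 2x*T_{n-1} - T_{n-2},
    T_0 = 1, T_1 = x, evaluated in O(log n) multiplications by
    square-and-multiply on the companion matrix M = [[2x, -1], [1, 0]],
    since (T_k, T_{k-1}) = M * (T_{k-1}, T_{k-2})."""
    if n < 0:
        raise ValueError("degree must be non-negative")
    if n == 0:
        return 1 % p

    def mat_mul(a, b):
        # 2x2 matrices as (m00, m01, m10, m11), entries reduced mod p
        return (
            (a[0] * b[0] + a[1] * b[2]) % p,
            (a[0] * b[1] + a[1] * b[3]) % p,
            (a[2] * b[0] + a[3] * b[2]) % p,
            (a[2] * b[1] + a[3] * b[3]) % p,
        )

    result = (1, 0, 0, 1)                    # identity
    base = ((2 * x) % p, (-1) % p, 1, 0)     # companion matrix M
    e = n - 1
    while e:
        if e & 1:
            result = mat_mul(result, base)
        base = mat_mul(base, base)
        e >>= 1
    # (T_n, T_{n-1}) = M^(n-1) * (T_1, T_0) = M^(n-1) * (x, 1)
    return (result[0] * x + result[1]) % p


def chebyshev_naive(n: int, x: int, p: int) -> int:
    """Same value by the plain O(n) recurrence; used only to cross-check."""
    t_prev, t_cur = 1 % p, x % p
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur


def semigroup_holds(a: int, b: int, x: int, p: int) -> bool:
    """Check T_a(T_b(x)) == T_b(T_a(x)) == T_{ab}(x) (mod p)."""
    lhs = chebyshev_mod(a, chebyshev_mod(b, x, p), p)
    rhs = chebyshev_mod(b, chebyshev_mod(a, x, p), p)
    return lhs == rhs == chebyshev_mod(a * b, x, p)


def chaotic_dh(x: int, p: int, v_i: int, v_j: int) -> Tuple[int, int, int, int]:
    """One CMDHP exchange as used between Ui and Sj: Ui sends Wi1 = T_vi(x),
    Sj sends Wj1 = T_vj(x); each side then computes the shared value
    T_vi(Wj1) = T_vj(Wi1) = T_{vi*vj}(x). An eavesdropper sees x, Wi1, Wj1
    only. Returns (Wi1, Wj1, user_shared, server_shared)."""
    w_i1 = chebyshev_mod(v_i, x, p)
    w_j1 = chebyshev_mod(v_j, x, p)
    user_shared = chebyshev_mod(v_i, w_j1, p)     # Ui computes T_vi(Wj1)
    server_shared = chebyshev_mod(v_j, w_i1, p)   # Sj computes T_vj(Wi1)
    return w_i1, w_j1, user_shared, server_shared


# Toy parameters (constructed for the example; not secure sizes).
P = (1 << 61) - 1      # a Mersenne prime standing in for the scheme's large p
X = 123456789          # public seed x
V_I = 987654321        # Ui's random exponent vi
V_J = 192837465        # Sj's random exponent vj

if __name__ == "__main__":
    w_i1, w_j1, k_u, k_s = chaotic_dh(X, P, V_I, V_J)
    print("Wi1 =", w_i1, "Wj1 =", w_j1)
    print("shared values equal:", k_u == k_s)
    print("semi-group identity holds:", semigroup_holds(V_I, V_J, X, P))
```

The reduction mod p at every step is what makes the map usable in a protocol: over the reals the polynomial values explode for |x| > 1, whereas over Z_p the semi-group identity is a polynomial identity and therefore holds for every integer seed, which is why the paper's "extended" definition carries the mod p.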

2.2 Bio-hashing

The bio-hashing function [23] captures intrinsic attributes of a human being, such as a fingerprint, whose owner has to be physically present on the spot to imprint it and proceed to authentication. Jin et al. [11] in 2004 proposed a two-factor authenticator composed of iterated inner products between user-specific fingerprint features and a tokenized pseudorandom number, which yields a user-specific compact code termed a bio-hash. Later, an improved bio-hashing function was presented by Lumini et al. [23]. Basically, this function projects the user's biometric attributes onto unique random vectors to generate a bio-code and then discretizes the projection coefficients; the resulting code can be treated as a secure hashed password. Some of the notations used in the paper are defined in Table 1.

Table 1 Notations description

Notation: Description
Ui / Sj / RC: ith user, jth server, Registration Centre
IDi / SIDj: Identity of user Ui and of server Sj
PWi, BIOi: Ui's password and biometric input
H(.) / h(.): Bio-hash function, simple hash function
TK(.): Chebyshev chaotic map
Flag: A word string set to "Second login" for the proposed scheme
x: Seed generating the Chebyshev chaotic map
Ek(.) / Dk(.): Symmetric key encryption/decryption
p: A large prime number
v, v0: Master secret of RC, secret of the service-providing server Sj
vi, vj: Random numbers generated by Ui and Sj
SK: Shared session key between Ui and Sj
A: The adversary
SC: Smart card
ToS: Terms of service
T1, Tm, Tc: T1: start time, Tm: maximum hours permitted, Tc: current time stamp
⊕, ||: XOR, concatenation

3 Review of Tan's protocol

In this section, we take a brief review of Tan's multi-server authentication scheme. Tan's scheme introduced multi-server authentication without relying on two-level servers. Tan's scheme is based on login scalability, which lets users opt between two cases of login (I and II). The user may switch to case II for subsequent logins to get services directly from the service provider after mutual authentication. In this manner, the user not only saves a round of delay (communication cost) but also minimizes the session establishment cost. Tan's scheme comprises three participants, i.e. registration centre, server and user. Tan's scheme initializes the system with a few pre-selected parameters: v, the master secret of RC; x ∈ (−∞, +∞), the chosen seed of the Chebyshev chaotic map; and p, a large prime number. Tan's protocol [31] is composed of four phases: server registration, user registration, login and authentication, and password update.

3.1 Server registration phase

In this phase, the server registration is carried out by the RC. Initially, Sj sends its identity SIDj to RC for registration. The registration centre (RC) computes Nj = h(v || SIDj) and sends the parameters {Nj, x, p, W, h(.)} to Sj, where W = Tv(x) has already been pre-computed by RC. Sj further selects a random integer v0 and computes W0 = Tv0(x) mod p, with p the large prime. Then, the server stores the parameters {W0, Nj, x, p, W, h(.)} safely. The server registration procedure is also shown in Fig. 1.

Fig. 1 Registration phase of Tan's protocol

Server registration (Sj ↔ RC, secure channel):
1. Sj selects SIDj and sends it to RC.
2. RC computes Nj = h(v || SIDj) and returns {Nj, x, p, W, h(.)}.
3. Sj selects a random integer v0, computes W0 = Tv0(x) mod p and stores {W0, Nj, x, p, W, h(.)} safely.

User registration (Ui ↔ RC, secure channel):
1. Ui selects IDi, PWi and a random number n, computes f0 = h(PWi || IDi) and sends {IDi, f0}.
2. RC computes c = h(IDi || v) ⊕ f0, stores {c, x, p, W, h(.)} on a smart card SC and delivers it to Ui.
3. Ui computes f1 = c ⊕ n and f2 = h(IDi || PWi) and replaces c with {f1, f2}.

3.2 User registration phase

Likewise, user registration is performed with RC to get registered and avail the permitted services of the service providers Sj, as shown in Fig. 1. The steps involved in this phase are given as follows:

1. The user inputs IDi and PWi, picks a random number n and computes f0 = h(PWi || IDi). Then, it sends {IDi, f0} to RC. RC computes c = h(IDi || v) ⊕ f0 and stores {c, x, p, W, h(.)} in a smart card, then it sends the smart card to the user.
2. The user computes f1 = c ⊕ n and f2 = h(IDi || PWi) and replaces c in the smart card with {f1, f2}.

3.3 Login and authentication phase (case-I)

Step-1. The user inputs IDi and PWi, and the smart card checks f2 ?= h(IDi || PWi). If true, it picks a fresh random number vi and computes Mi = f1 ⊕ h(PWi || IDi), Wi1 = Tvi(x) mod p, Wi2 = Tvi(W) mod p, A1 = h(Wi2) ⊕ IDi and A2 = h(Mi || SIDj || Wi1 || Wi2 || A1). Then, it sends {Wi1, A1, A2} to the server as shown in Fig. 2.
Step-2. Sj, after receiving {Wi1, A1, A2}, picks a random number vj and computes Wj1 = Tvj(x) mod p, Wj2 = Tvj(W) mod p, B1 = h(Wj2) ⊕ SIDj and B2 = h(Wj1 || Wj2 || Wi1 || B1 || A2 || Nj), and sends {Wi1, A1, A2, Wj1, B1, B2} to RC for verification as shown in Fig. 3.
Step-3. After receiving {Wi1, A1, A2, Wj1, B1, B2} from Sj, RC computes Wi2* = Tv(Wi1) mod p, IDi* = h(Wi2*) ⊕ A1, Mi* = h(IDi* || v), Wj2* = Tv(Wj1) mod p, SIDj* = h(Wj2*) ⊕ B1 and Nj* = h(v || SIDj*). Then, it checks A2 ?= h(Mi* || SIDj* || Wi1 || Wi2* || A1) and B2 ?= h(Wj1 || Wj2* || Wi1 || B1 || A2 || Nj*). If both hold, it further computes Ci = h(Wi1 || Wj1 || SIDj* || Mi* || A2) and Cj = h(Nj* || Wi1 || Wj1 || Ci), and sends {Ci, Cj} to Sj.
Step-4. Sj, on receipt of {Ci, Cj}, checks Cj ?= h(Nj || Wi1 || Wj1 || Ci). If true, it further computes V0 = W0 ⊕ h(Tvj(Wi1)), Vij = CIDi ⊕ h(Tvj(Wi1) || W0), Vi = h(CIDi || Nj) ⊕ h(CIDi || h(Tvj(Wi1))) and Vj = h(Ci || Tvj(Wi1) || CIDi || W0 || Vi). Then, it sends {Wj1, V0, Vij, Vi, Vj} to the user for verification.
Step-5. The user receives {Wj1, V0, Vij, Vi, Vj} and computes Ci* = h(Wi1 || Wj1 || SIDj || Mi || A2), W0* = V0 ⊕ h(Tvi(Wj1)) and CIDi = Vij ⊕ h(Tvi(Wj1) || W0*), and checks Vj ?= h(Ci* || Tvi(Wj1) || CIDi || W0* || Vi). If the match occurs, it further computes V = Vi ⊕ h(CIDi || h(Tvi(Wj1))), X = h(SIDj || Wi1 || Wj1 || V || Tvi(Wj1)), g = h(SIDj || PWi || IDi) ⊕ V and SK = (Tvi(Wj1) || SIDj || CIDi). The value g is retained on the card for the case-II logins, where V is recovered as g ⊕ h(SIDj || PWi || IDi). Next, it sends {X} to Sj for final verification of the session key.
Step-6. Sj receives the message and checks X ?= h(SIDj || Wi1 || Wj1 || h(CIDi || Nj) || Tvj(Wi1)). If the match is valid, it finally generates the session key SK = (Tvj(Wi1) || SIDj || CIDi).

Fig. 2 Login phase of Tan's protocol (Steps 1 and 2: Ui's {Wi1, A1, A2} to Sj and Sj's {Wi1, A1, A2, Wj1, B1, B2} to RC)

Fig. 3 Authentication phase of Tan's protocol (Case-I) (Steps 3 to 6: RC's checks and {Ci, Cj}, Sj's {Wj1, V0, Vij, Vi, Vj}, Ui's {X})

3.4 Login phase (case-II)

In this phase, the user inputs IDi and PWi, and the card checks h(IDi || PWi) ?= f2. If positive, it computes V = g ⊕ h(SIDj || PWi || IDi), Wi1 = Tvi(x) mod p with a fresh random number vi, A1 = CIDi ⊕ Tvi(W0) and A2 = h(CIDi || SIDj || Wi1 || V). Then, it sends {Wi1, A1, A2} to the server as shown in Fig. 4.

3.5 Authentication phase (case-II)

Step-1. Sj, after receiving {Wi1, A1, A2}, computes CIDi* = A1 ⊕ h(Tv0(Wi1)) and checks A2 ?= h(CIDi* || SIDj || Wi1 || h(CIDi* || Nj)). After the check succeeds, it further computes Vj = h(Ci || Tvj(Wi1) || CIDi || W0 || Vi), Wj1 = Tvj(x) mod p with a random number vj, B1 = h(Wi1 || h(CIDi* || Nj)) ⊕ Wj1 and B2 = h(Wj1 || Wi1 || h(CIDi* || Nj) || B1 || Tvj(Wi1) || CIDi*). Then it sends {B1, B2} to the user as a challenge as shown in Fig. 5.
Step-2. After receiving {B1, B2} from Sj, Ui computes Wj1* = h(Wi1 || V) ⊕ B1 and checks B2 ?= h(Wj1* || Wi1 || V || B1 || Tvi(Wj1*) || CIDi), which holds for an honest Sj since V = h(CIDi || Nj) and Tvi(Wj1) = Tvj(Wi1). If the check fails, it aborts the session; otherwise, it computes X = h(SIDj || Wi1 || Wj1* || V || B1 || Tvi(Wj1*)) and SK = h(Tvi(Wj1*) || SIDj || CIDi). Then, it sends {X} to Sj for verification.
Step-3. Sj, on receipt of {X}, checks X ?= h(SIDj || Wi1 || Wj1 || h(CIDi* || Nj) || B1 || Tvj(Wi1)). If the check succeeds, it computes the session key SK = h(Tvj(Wi1) || SIDj || CIDi*). Otherwise, it aborts the session.

3.6 Password modification

If a user Ui wants to modify its password, it may change it without consulting the RC by employing the following steps.

1. Ui inputs IDi and PWiold into the smart card. The smart card checks f2 ?= h(IDi || PWiold). Upon a successful match, it lets the user input a new password PWinew; otherwise, it terminates.
2. After taking PWinew as input, the SC computes

$$f_1^{new} = f_1 \oplus h(PW_i^{old} \,\|\, ID_i) \oplus h(PW_i^{new} \,\|\, ID_i),$$
$$f_2^{new} = h(ID_i \,\|\, PW_i^{new}).$$

3. Next, SC replaces {f1, f2} with {f1new, f2new}.

Fig. 4 Subsequent login phase of Tan's protocol (case-II: Ui checks f2, computes V, Wi1, A1, A2 and sends {Wi1, A1, A2} to Sj)

Fig. 5 Authentication and key agreement in Tan's protocol (Case-II) (Sj's {B1, B2} challenge and Ui's {X} response, both sides deriving SK)

4 Inefficiencies and flaws of Tan's authentication scheme

The following inefficiencies have been found in Tan's protocol [31].

4.1 Privileged insider attack/user impersonation attack

Tan's scheme has been found vulnerable to an impersonation or forgery attack by a malicious insider, simply because the same W0 parameter is handed to all legal users. To launch the attack, any malicious insider or adversary may adopt the following steps.

1. The adversary intercepts the Case-I authentication message {Wj1, V0, Vij, Vi, Vj}, sent from Sj to Ui over the insecure channel.
2. Next, it extracts h(Tvj(Wi1)) and CIDi by computing Eqs. (1) and (2):

$$h(T_{v_j}(W_{i1})) = W_0 \oplus V_0 \quad (1)$$
$$CID_i = V_{ij} \oplus h(T_{v_j}(W_{i1}) \,\|\, W_0) \quad (2)$$

3. Further, it computes V by

$$V = V_i \oplus h(CID_i \,\|\, h(T_{v_j}(W_{i1}))) \quad (3)$$

4. Next, the adversary generates a login request for the Case-II authentication phase by choosing a random number va and computing

$$W_{a1} = T_{v_a}(x) \bmod p \quad (4)$$
$$A_1 = CID_i \oplus T_{v_a}(W_0) \quad (5)$$
$$A_2 = h(CID_i \,\|\, SID_j \,\|\, W_{a1} \,\|\, V) \quad (6)$$

5. Then, it sends the login request {Wa1, A1, A2} to Sj for verification.
6. Sj computes CIDi* = A1 ⊕ h(Tv0(Wa1)) and checks A2 ?= h(CIDi* || SIDj || Wa1 || h(CIDi* || Nj)). If this succeeds, it computes Vj = h(Ci || Tvj(Wa1) || CIDi || W0 || Vi), Wj1 = Tvj(x) mod p, B1 = h(Wa1 || h(CIDi* || Nj)) ⊕ Wj1 and B2 = h(Wj1 || Wa1 || h(CIDi* || Nj) || B1 || Tvj(Wa1) || CIDi*). Finally, it sends {B1, B2} to the adversary for verification.
7. Next, the adversary receives {B1, B2} and computes Wj1* = h(Wa1 || V) ⊕ B1, X = h(SIDj || Wa1 || Wj1* || V || B1 || Tva(Wj1*)) and SK = h(Tva(Wj1*) || SIDj || CIDi). Finally, it sends {X} to Sj.
8. Finally, Sj checks X ?= h(SIDj || Wa1 || Wj1 || h(CIDi* || Nj) || B1 || Tvj(Wa1)). If it succeeds, Sj establishes the session key SK = h(Tvj(Wa1) || SIDj || CIDi) with the adversary.

4.2 Stolen smart card attack

An adversary may steal the smart card and read its contents, or may perform differential power analysis on the smart card to recover them. In Tan's protocol, the smart card bears the parameters {f1, f2}, which an adversary may utilize for its malicious intentions. Assuming an adversary accesses {f1, f2}, it may employ the following steps to guess the user's password PWi in a password guessing attack and then launch an impersonation attack.

1. If the user's identity IDi becomes known to the adversary, the latter may attempt to recover PWi by testing candidate passwords PWi* in an offline dictionary attack:

$$h(ID_i \,\|\, PW_i^*) \overset{?}{=} f_2 \quad (7)$$

Whichever candidate satisfies Eq. (7) during the repeated attempts is the user's PWi, since f2 = h(IDi || PWi) depends on nothing the adversary lacks.
2. Once PWi is guessed, the adversary may launch an impersonation attack by computing Mi = h(IDi || v) = f1 ⊕ h(PWi || IDi), choosing a random number va and computing the following messages:

$$W_{a1} = T_{v_a}(x) \bmod p \quad (8)$$
$$W_{i2} = T_{v_a}(W) \bmod p \quad (9)$$
$$A_1 = h(W_{i2}) \oplus ID_i \quad (10)$$
$$A_2 = h(M_i \,\|\, SID_j \,\|\, W_{a1} \,\|\, W_{i2} \,\|\, A_1) \quad (11)$$

Next, the adversary could send the forged but untraceable login request {Wa1, A1, A2}. Following the procedure of Section 3.3, the adversary then obtains a valid session key SK = (Tva(Wj1) || SIDj || CIDi), duly shared with the service provider Sj.
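Eq. (7) is an offline test: the card's f2 lets anyone holding {f1, f2} and IDi verify password guesses at one hash per guess with no help from Sj or RC. The following Python example is added by the editor and is not code from the paper or from Tan's scheme: it runs that dictionary attack against Tan's f2 = h(IDi || PWi) and then against the proposed scheme's f2 = h(H(BIOi) || h(IDi || PWi)) from Section 5.2, once without and once with the value H(BIOi). SHA-256 stands in for the unspecified h(.), the identity, password, bio-hash value and dictionary are constructed for the example, and the function names are the editor's.

```python
# Offline password guessing against the smart-card value f2.
# Added example; not from the paper. Sample data below is constructed.
import hashlib
import hmac
from typing import Iterable, Optional


def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(.) over '||'-concatenated inputs.
    SHA-256 stands in for the unspecified hash (assumption); a fixed
    separator keeps h(a || b) unambiguous."""
    return hashlib.sha256(b"||".join(parts)).digest()


def tan_f2(id_i: bytes, pw_i: bytes) -> bytes:
    """Tan's scheme: the card stores f2 = h(IDi || PWi)."""
    return h(id_i, pw_i)


def proposed_f2(bio_hash: bytes, id_i: bytes, pw_i: bytes) -> bytes:
    """Proposed scheme: the card stores f2 = h(H(BIOi) || h(IDi || PWi))."""
    return h(bio_hash, h(id_i, pw_i))


def offline_guess_tan(id_i: bytes, f2: bytes,
                      dictionary: Iterable[bytes]) -> Optional[bytes]:
    """Eq. (7): an adversary holding {f1, f2} and IDi tests candidates PWi*
    against f2, one hash per guess, without contacting Sj or RC."""
    for pw in dictionary:
        if hmac.compare_digest(tan_f2(id_i, pw), f2):
            return pw
    return None


def offline_guess_proposed(id_i: bytes, f2: bytes, dictionary: Iterable[bytes],
                           bio_hash_guess: bytes) -> Optional[bytes]:
    """Same attack on the proposed f2: a candidate can only be verified
    together with a value for H(BIOi), so the adversary must also supply
    (or guess) the bio-hash."""
    for pw in dictionary:
        if hmac.compare_digest(proposed_f2(bio_hash_guess, id_i, pw), f2):
            return pw
    return None


# Constructed sample data.
ID_I = b"user-0042"
PW_I = b"winter2016"                                # weak, dictionary-sized password
BIO_HASH = h(b"minutiae-template-of-user-0042")     # stands in for H(BIOi)
DICTIONARY = [b"password", b"123456", b"qwerty",
              b"summer2016", b"winter2016", b"letmein"]

F2_TAN = tan_f2(ID_I, PW_I)
F2_PROPOSED = proposed_f2(BIO_HASH, ID_I, PW_I)

if __name__ == "__main__":
    print("Tan's f2, password recovered:",
          offline_guess_tan(ID_I, F2_TAN, DICTIONARY))
    print("proposed f2, H(BIOi) unknown:",
          offline_guess_proposed(ID_I, F2_PROPOSED, DICTIONARY, h(b"wrong-bio")))
    print("proposed f2, H(BIOi) known:",
          offline_guess_proposed(ID_I, F2_PROPOSED, DICTIONARY, BIO_HASH))
```

The third call shows the limit of the improvement: if H(BIOi) also leaks, for example from a captured bio-hash output, the proposed f2 is again verifiable offline, so the bio-hash value must be protected with the same care as the card contents.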

4.3 Server cannot differentiate between the two logins (case-I and case-II)

In Tan's scheme, the server has no way to differentiate between the logins of the two cases. The server cannot decide whether the user Ui wants to be authenticated on the basis of a first login through RC (Case-I) or a subsequent login through the server alone, without involving RC (Case-II), since the login request message {Wi1, A1, A2} has the same form in both cases.

5 Proposed model

The motivation behind the proposed scheme was to come up with a multi-server authentication scheme that not only provides login scalability but is also resistant to the threats identified against Tan's scheme (see Section 4). Another motivation was to bring the subscribers under stricter bounds of a central authority (RC), so that the latter may revoke the privileges of a user who would otherwise keep getting the service directly from the service provider after mutual authentication. We ensured this by introducing a ToS-based feature into the system, which requires the user to revisit RC for authentication after getting the services directly from service providers for a stipulated time period. The proposed model comprises three phases on the whole, i.e. the server and user registration phase, the login and authentication phase, and the password update phase. However, the login and authentication phases are demonstrated separately for the two cases I and II, as in Tan's scheme. Case-I corresponds to the first login and authentication performed by the user immediately after registration, while case-II relates to the subsequent login and authentication phases initiated by the user towards Sj to acquire its services directly, without involving RC. The case-II protocol aims to reduce the costly RC engagement during each mutual authentication between Ui and Sj, and to minimize the session establishment cost, as remarked in Tan's scheme [31].

5.1 Server registration phase

In this phase, the server registration is carried out by the RC. Initially, Sj sends its identity SIDj to RC for registration. The RC computes Nj = h(v || SIDj) and sends the parameters {Nj, x, p, W, h(.)} to Sj. Sj further selects a random integer v0, computes W0 = Tv0(x) mod p and stores {W0, Nj, x, p, W, h(.)} safely, as shown in Fig. 6.
Fig. 6 Registration and login phase of the proposed scheme

Server registration (Sj ↔ RC, secure channel): Sj selects SIDj; RC computes Nj = h(v || SIDj) and returns {Nj, x, p, W, h(.)}; Sj selects a random integer v0, computes W0 = Tv0(x) mod p and stores {W0, Nj, x, p, W, h(.)} safely.

User registration (Ui ↔ RC, secure channel): Ui selects IDi, PWi, BIOi and a random number n, computes f0 = h(H(BIOi) || PWi || IDi) and sends {IDi, f0 ⊕ n}; RC computes c = h(IDi || v) ⊕ f0 ⊕ n and stores {c, x, p, W, h(.)} in the smart card SC; Ui computes f1 = c ⊕ n and f2 = h(H(BIOi) || h(IDi || PWi)) and replaces c with {f1, f2}.

Login (Ui → Sj → RC): Ui inputs IDi, PWi and imprints BIOi, checks f2 ?= h(H(BIOi) || h(IDi || PWi)), computes Mi = f1 ⊕ h(H(BIOi) || PWi || IDi), Wi1 = Tvi(x) mod p, Wi2 = Tvi(W) mod p, A1 = h(Wi2) ⊕ IDi, A2 = h(Mi || SIDj || Wi1 || Wi2 || A1) and sends {Wi1, A1, A2}; Sj computes Wj1 = Tvj(x) mod p, Wj2 = Tvj(W) mod p, B1 = h(Wj2) ⊕ SIDj, B2 = h(Wj1 || Wj2 || Wi1 || B1 || A2 || Nj) and forwards {Wi1, A1, A2, Wj1, B1, B2} to RC.

5.2 User registration phase

Likewise, user registration is performed with RC to get registered and avail the services of the service providers Sj. The steps involved in user registration are given as follows:

1. The user selects IDi, PWi, BIOi, generates a random number n and computes f0 = h(H(BIOi) || PWi || IDi).
2. Then, it sends {IDi, f0 ⊕ n} to RC. RC computes c = h(IDi || v) ⊕ f0 ⊕ n and stores {c, x, p, W, h(.)} in a smart card, then sends the smart card to the user.
3. The user computes f1 = c ⊕ n and f2 = h(H(BIOi) || h(IDi || PWi)) and replaces c in the smart card with {f1, f2}.

5.3 Login and authentication phase (case-I)

This phase comprises the following steps:

Step-1. The user inputs IDi, PWi and imprints BIOi; the smart card checks f2 ?= h(H(BIOi) || h(IDi || PWi)). On a positive check, the smart card picks a fresh random number vi and computes Mi = f1 ⊕ h(H(BIOi) || PWi || IDi), Wi1 = Tvi(x) mod p, Wi2 = Tvi(W) mod p, A1 = h(Wi2) ⊕ IDi and A2 = h(Mi || SIDj || Wi1 || Wi2 || A1). Then, it sends {Wi1, A1, A2} to the server as shown in Fig. 7.
Step-2. Sj, after receiving {Wi1, A1, A2}, picks a random number vj and computes Wj1 = Tvj(x) mod p, Wj2 = Tvj(W) mod p, B1 = h(Wj2) ⊕ SIDj and B2 = h(Wj1 || Wj2 || Wi1 || B1 || A2 || Nj), and sends {Wi1, A1, A2, Wj1, B1, B2} to RC for verification.
Step-3. After receiving {Wi1, A1, A2, Wj1, B1, B2} from Sj, RC computes Wi2* = Tv(Wi1) mod p, IDi* = h(Wi2*) ⊕ A1, Mi* = h(IDi* || v), Wj2* = Tv(Wj1) mod p, SIDj* = h(Wj2*) ⊕ B1 and Nj* = h(v || SIDj*). Then, it checks A2 ?= h(Mi* || SIDj* || Wi1 || Wi2* || A1) and B2 ?= h(Wj1 || Wj2* || Wi1 || B1 || A2 || Nj*). If both hold, it further computes Ci = h(Wi1 || Wj1 || ToS || SIDj* || Mi* || A2), Cj = h(Nj* || Wi1 || Wj1 || Ci) and Ck = E_h(Nj || Wi1){h(Wi1 || Mi) || Ci || Wi1 || ToS}, and sends {Cj, Ck, Wi1} to Sj. Here ToS = (Sl, T1, Tm) carries the service level, the start time and the maximum hours allowed for the user.
Step-4. Sj, on receipt of {Cj, Ck, Wi1}, decrypts (h(Wi1 || Mi) || Ci || Wi1 || ToS) = D_h(Nj || Wi1){Ck} and checks Cj ?= h(Nj || Wi1 || Wj1 || Ci). If true, it further computes V0 = W0 ⊕ h(Tvj(Wi1)) ⊕ h(Wi1 || Mi), Vij = (CIDi || ToS) ⊕ h(Tvj(Wi1) || W0), Vi = h(CIDi || ToS || Nj) ⊕ h(CIDi || h(Tvj(Wi1))) and Vj = h(Ci || Tvj(Wi1) || CIDi || W0 || Vi). Then, it sends {Wj1, V0, Vij, Vi, Vj} to the user for verification.
Step-5. The user receives {Wj1, V0, Vij, Vi, Vj} and computes W0* = V0 ⊕ h(Tvi(Wj1)) ⊕ h(Wi1 || Mi), (CIDi || ToS) = Vij ⊕ h(Tvi(Wj1) || W0*) and Ci* = h(Wi1 || Wj1 || ToS || SIDj || Mi || A2), and checks Vj ?= h(Ci* || Tvi(Wj1) || CIDi || W0* || Vi). If the match is positive, it further computes V = Vi ⊕ h(CIDi || h(Tvi(Wj1))), X = h(SIDj || Wi1 || Wj1 || V || Tvi(Wj1)), g = h(SIDj || PWi || IDi) ⊕ V and SK = (Tvi(Wj1) || SIDj || CIDi). Next, it sends {X} to Sj for final verification of the session key.
Step-6. Sj receives the message and checks X ?= h(SIDj || Wi1 || Wj1 || h(CIDi || ToS || Nj) || Tvj(Wi1)). If the match is valid, it finally generates the session key SK = (Tvj(Wi1) || SIDj || CIDi).

Fig. 7 Authentication phase of the proposed protocol (Case-I): RC's checks (1) and (2) and its {Cj, Ck, Wi1}, Sj's {Wj1, V0, Vij, Vi, Vj}, Ui's {X}, as in Steps 3 to 6 of Section 5.3.
ToS = (Sl, T1, Tm), where Sl = service level, T1 = start time, Tm = maximum hours allowed; Tc = current time.

5.4 Login phase (case-II)

In this phase, the user inputs IDi, PWi and BIOi, and the card checks f2 ?= h(H(BIOi) || h(IDi || PWi)). On a successful match, Ui computes V = g ⊕ h(SIDj || PWi || IDi), Wi1 = Tvi(x) mod p with a fresh random number vi, A1 = (CIDi || ToS || Wi1) ⊕ Tvi(W0) and A2 = h(CIDi || SIDj || Wi1 || V || ToS || Flag), where Flag is the string "Second login" of Table 1, which lets Sj tell a case-II request apart from a case-I request (cf. Section 4.3). Then, it sends {Flag, Wi1, A1, A2} to the server as shown in Fig. 8.

5.5 Authentication phase (case-II)

Step-1. After receiving {Wi1, A1, A2}, Sj computes (CIDi* || ToS* || Wi1) = A1 ⊕ h(T_v0(Wi1)) and checks whether (T1 + Tm) > Tc; if so, ToS is validated. Here, T1 is the start time, Tm the maximum number of hours and Tc the current time or threshold, so Sj confirms that the user's allowed number of hours or time period is still valid. It further checks the equation A2 ?= h(CIDi* || SIDj || Wi1 || h(CIDi* || ToS* || Nj) || ToS* || Flag).
Fig. 8 Subsequent login phase of proposed protocol. User (Ui) to Server (Sj): (1) the user inputs IDi, PWi and imprints BIOi; the smart card checks f2 ?= h(H(BIOi) || h(IDi || PWi)); (2) Ui computes V = g ⊕ h(SIDj || PWi || IDi), Wi1 = T_vi(x) mod p, A1 = (CIDi || ToS || Wi1) ⊕ T_vi(W0) and A2 = h(CIDi || SIDj || Wi1 || V || ToS || Flag), and sends {Flag, Wi1, A1, A2}.

After the check succeeds, it further computes Vj = h(Ci || T_vj(Wi1) || CIDi || W0 || Vi), Wj1 = T_vj(x) mod p, B1 = h(Wi1 || h(CIDi* || ToS* || Nj)) ⊕ Wj1, and B2 = h(Wj1 || Wi1 || h(CIDi* || ToS* || Nj) || B1 || T_vj(Wi1) || CIDi*). Then it sends {B1, B2} to the user as a challenge, as shown in Fig. 9.
Step-2. After receiving {B1, B2} from Sj, Ui computes Wj1* = h(Wi1 || V) ⊕ B1 and checks the equation B2 ?= h(Wj1 || Wi1 || h(CIDi* || Nj) || B1 || T_vi(Wj1) || CIDi*). If the check fails, it aborts the session; otherwise, it computes X = h(SIDj || Wi1 || Wj1* || V || B1 || T_vi(Wj1*)) and SK = h(T_vi(Wj1*) || SIDj || CIDi). Then, it sends {X} to Sj for verification.
Step-3. Sj, on receipt of the message {X}, checks the equation X ?= h(SIDj || Wi1 || Wj1* || h(CIDi* || ToS* || Nj) || B1 || T_vj(Wi1)). If the check succeeds, it computes the session key as SK = h(T_vj(Wi1*) || SIDj || CIDi); otherwise, it aborts the session.

Fig. 9 Authentication and key agreement in proposed protocol (Case-II). Server (Sj): computes (CIDi* || ToS* || Wi1*) = A1 ⊕ h(T_v0(Wi1)); if (T1 + Tm) > Tc, validates ToS and checks A2 ?= h(CIDi* || SIDj || Wi1 || h(CIDi* || ToS* || Nj) || ToS* || Flag); computes Wj1 = T_vj(x) mod p, B1 = h(Wi1 || h(CIDi* || ToS* || Nj)) ⊕ Wj1 and B2 = h(Wj1 || Wi1 || h(CIDi* || ToS* || Nj) || B1 || T_vj(Wi1) || CIDi*); sends {B1, B2}. User (Ui): computes Wj1* = h(Wi1 || V) ⊕ B1, checks B2 ?= h(Wj1 || Wi1 || V || B1 || T_vi(Wj1) || CIDi*), computes X = h(SIDj || Wi1 || Wj1* || V || B1 || T_vi(Wj1*)) and SK = h(T_vi(Wj1*) || SIDj || CIDi); sends {X}. Server (Sj): checks X ?= h(SIDj || Wi1 || Wj1* || h(CIDi || ToS || Nj) || B1 || T_vj(Wi1)) and sets SK = h(T_vj(Wi1*) || SIDj || CIDi).
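The case-II exchange of Sections 5.4 and 5.5 (Figs. 8 and 9), written out as an added runnable example; this is not the authors' code. It assumes SHA-256 for h() and H(), SHAKE-256 to widen the T_vi(W0) mask to the width of (CIDi || ToS || Wi1), p = 2^127 - 1, ToS times in epoch seconds with Tm in hours, and W0 = T_v0(x) mod p so that, by the semigroup property of the Chebyshev map, the mask T_vi(W0) applied by Ui equals T_v0(Wi1) recomputed by Sj; the function names and the sample identities are constructed.

```python
"""Case-II login and key agreement of Sections 5.4-5.5 (Figs. 8 and 9)."""
import hashlib
import struct

P = (1 << 127) - 1      # public modulus, a Mersenne prime (constructed choice)
X_SEED = 0x5EED         # public seed x of the Chebyshev map (constructed)
FLAG = b"\x01"          # case-II login flag (constructed encoding)
TOS_FMT = ">III"        # ToS = (Sl, T1, Tm) packed into 12 bytes

def chebyshev(n, x, p=P):
    """T_n(x) mod p by squaring the 2x2 matrix of T_k = 2x*T_{k-1} - T_{k-2}."""
    a, b, c, d = 1, 0, 0, 1                        # accumulator = identity
    ma, mb, mc, md = (2 * x) % p, p - 1, 1, 0      # M = [[2x, -1], [1, 0]]
    while n:
        if n & 1:
            a, b, c, d = ((a*ma + b*mc) % p, (a*mb + b*md) % p,
                          (c*ma + d*mc) % p, (c*mb + d*md) % p)
        ma, mb, mc, md = ((ma*ma + mb*mc) % p, (ma*mb + mb*md) % p,
                          (mc*ma + md*mc) % p, (mc*mb + md*md) % p)
        n >>= 1
    return (c * x + d) % p     # M^n * (T_1, T_0) = (T_{n+1}, T_n); take row 2

def i2b(n): return n.to_bytes(32, "big")          # map values, p < 2^128
def h(*parts): return hashlib.sha256(b"||".join(parts)).digest()  # h(a||b||..)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def stretch(seed, n): return hashlib.shake_256(seed).digest(n)    # A1 mask width

def enrol(IDi, PWi, BIOi, SIDj, CIDi, tos, Nj, v0):
    """Card state after a case-I run: g = h(SIDj||PWi||IDi) xor V with
    V = h(CIDi||ToS||Nj), f2 = h(H(BIOi)||h(IDi||PWi)), W0 = T_v0(x) mod p."""
    V = h(CIDi, struct.pack(TOS_FMT, *tos), Nj)
    return {"CIDi": CIDi, "ToS": tos, "W0": chebyshev(v0, X_SEED),
            "g": xor(h(SIDj, PWi, IDi), V),
            "f2": h(hashlib.sha256(BIOi).digest(), h(IDi, PWi))}

def user_login(card, IDi, PWi, BIOi, SIDj, vi):
    """Ui, Section 5.4: check f2, unmask V from g, send {Flag, Wi1, A1, A2}."""
    if h(hashlib.sha256(BIOi).digest(), h(IDi, PWi)) != card["f2"]:
        raise ValueError("biometric/password check failed")
    V = xor(card["g"], h(SIDj, PWi, IDi))
    Wi1 = chebyshev(vi, X_SEED)
    tos = struct.pack(TOS_FMT, *card["ToS"])
    plain = card["CIDi"] + tos + i2b(Wi1)                 # CIDi || ToS || Wi1
    A1 = xor(plain, stretch(i2b(chebyshev(vi, card["W0"])), len(plain)))
    A2 = h(card["CIDi"], SIDj, i2b(Wi1), V, tos, FLAG)
    return {"Flag": FLAG, "Wi1": Wi1, "A1": A1, "A2": A2}, {"vi": vi, "V": V}

def server_challenge(srv, msg, Tc, vj):
    """Sj, Step-1 of 5.5: unmask CIDi*/ToS*, enforce (T1 + Tm) > Tc, check A2,
    reply with {B1, B2}.  Any failed check yields (None, None)."""
    Wi1 = msg["Wi1"]            # T_v0(Wi1) == T_vi(W0) by the semigroup property
    plain = xor(msg["A1"], stretch(i2b(chebyshev(srv["v0"], Wi1)), 60))
    CIDi, tos, Wi1s = plain[:16], plain[16:28], int.from_bytes(plain[28:], "big")
    Sl, T1, Tm = struct.unpack(TOS_FMT, tos)
    if CIDi not in srv["pseudonyms"] or Wi1s != Wi1 or T1 + Tm * 3600 <= Tc:
        return None, None
    V = h(CIDi, tos, srv["Nj"])                            # h(CIDi* || ToS* || Nj)
    if msg["A2"] != h(CIDi, srv["SIDj"], i2b(Wi1), V, tos, msg["Flag"]):
        return None, None
    Wj1 = chebyshev(vj, X_SEED)
    T = i2b(chebyshev(vj, Wi1))                            # T_vj(Wi1) = T_vi(Wj1)
    B1 = xor(h(i2b(Wi1), V), i2b(Wj1))
    B2 = h(i2b(Wj1), i2b(Wi1), V, B1, T, CIDi)
    return {"B1": B1, "B2": B2}, {"CIDi": CIDi, "Wi1": Wi1, "Wj1": Wj1,
                                  "B1": B1, "V": V, "T": T}

def user_respond(card, SIDj, st, chal):
    """Ui, Step-2: unmask Wj1*, verify B2, derive SK, send {X}."""
    Wi1 = chebyshev(st["vi"], X_SEED)
    Wj1 = int.from_bytes(xor(h(i2b(Wi1), st["V"]), chal["B1"]), "big")
    T = i2b(chebyshev(st["vi"], Wj1))
    if chal["B2"] != h(i2b(Wj1), i2b(Wi1), st["V"], chal["B1"], T, card["CIDi"]):
        return None, None
    X = h(SIDj, i2b(Wi1), i2b(Wj1), st["V"], chal["B1"], T)
    return {"X": X}, h(T, SIDj, card["CIDi"])

def server_finish(srv, st, msg):
    """Sj, Step-3: verify X, then SK = h(T_vj(Wi1) || SIDj || CIDi)."""
    X = h(srv["SIDj"], i2b(st["Wi1"]), i2b(st["Wj1"]), st["V"], st["B1"], st["T"])
    return h(st["T"], srv["SIDj"], st["CIDi"]) if msg["X"] == X else None

def run_case2(vi=123456789, vj=987654321, Tc=1_700_000_000, tamper=False):
    """Full exchange on constructed identities; returns (SK_user, SK_server)."""
    IDi, PWi, BIOi, SIDj = b"alice", b"pw-example", b"bio-template", b"server-7"
    CIDi, Nj, v0 = b"\x11" * 16, b"\x22" * 32, 0x7A7A7A
    tos = (2, 1_699_990_000, 48)            # (Sl, T1 epoch seconds, Tm hours)
    card = enrol(IDi, PWi, BIOi, SIDj, CIDi, tos, Nj, v0)
    srv = {"SIDj": SIDj, "Nj": Nj, "v0": v0, "pseudonyms": {CIDi}}
    m1, ust = user_login(card, IDi, PWi, BIOi, SIDj, vi)
    if tamper:                              # an adversary flips one bit of A2
        m1["A2"] = bytes([m1["A2"][0] ^ 1]) + m1["A2"][1:]
    m2, sst = server_challenge(srv, m1, Tc, vj)
    if m2 is None:
        return None, None
    m3, sk_u = user_respond(card, SIDj, ust, m2)
    return sk_u, server_finish(srv, sst, m3)
```

run_case2() returns equal 32-byte keys for both sides, and (None, None) once the ToS window has expired or a login field is altered in transit.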



5.6 Password modification

If a user Ui wants to modify its password, it may change it without consulting the RC by
employing the following steps.

1. The Ui inputs IDi, BIOi, PWiold into the smart card. The smart card computes and checks
the equality for f2? = h(H(BIOi)||h(IDi||PWiold)). Upon successful match, it enables the
user to input a new password PWinew, otherwise, it terminates.
2. After taking PWinew as input, the SC computes

f1new = f1 ⊕ h(H(BIOi) || PWiold || IDi) ⊕ h(H(BIOi) || PWinew || IDi),
f2new = h(H(BIOi) || h(IDi || PWinew)).

3. Next, SC replaces {f1, f2} with {f1new, f2new}.

6 Security analysis

This section describes the security properties and formal security analysis using Random
Oracle Model and BAN logic.

6.1 Security properties

The security properties of the proposed scheme are elaborated as below:

6.1.1 Mutual authentication

Mutual authentication means that the entities authenticate one another within the same authentication protocol. In case-I of the proposed scheme, Ui authenticates both RC and Sj by validating the equation Vj ?= h(Ci* || T_vi(Wj1) || CIDi || W0* || Vi) after having computed the parameters Ci* = h(Wi1 || Wj1 || SIDj || Mi || A2), W0* = V0 ⊕ h(T_vi(Wj1)) ⊕ h(Wi1 || Mi), and CIDi = Vij ⊕ h(T_vi(Wj1) || W0*), since Ui knows that the factor Ci can only be constructed by the RC, which alone has access to Mi. Similarly, Sj authenticates Ui by validating the equation Cj ?= h(Nj || Wi1 || Wj1 || Ci) after decrypting Ck and recovering (h(Wi1 || Mi) || Ci || Wi1 || ToS) = D_h(Nj || Wi1){Ck}. Eventually, Sj authenticates Ui by comparing X ?= h(SIDj || Wi1 || Wj1 || h(CIDi || ToS || Nj) || T_vj(Wi1)), since it knows that the factors h(CIDi || ToS || Nj) and T_vj(Wi1) are possessed only by Ui and nobody else.
Likewise, for case-II of the proposed scheme, Sj authenticates Ui on account of the two comparisons shown in Eq. (12) and (13), without any involvement of RC or the message delay associated with case-I.

A2 ?= h(CIDi* || SIDj || Wi1 || h(CIDi* || ToS* || Nj) || ToS* || Flag)   (12)

X ?= h(SIDj || Wi1 || Wj1* || h(CIDi || ToS || Nj) || B1 || T_vj(Wi1))   (13)

Since the factor h(CIDi* || ToS* || Nj) is possessed only by Ui and nobody else, Sj can safely rely on Eq. (12) and (13) for verifying Ui's authenticity. Thus, in the proposed scheme both entities mutually authenticate one another in the same authentication protocol.

6.1.2 Resistance to impersonation attack/malicious insider attack (proposed feature)

This attack could be initiated by an attacker who attempts to deceive another participant by falsely portraying itself as a legitimate participant. The proposed scheme stands secure against impersonation and malicious insider attacks for both cases of the proposed architecture. For case-I of the proposed scheme, an adversary cannot construct A2 = h(Mi || SIDj || Wi1 || Wi2 || A1) for want of the factor Mi, which is owned by the legitimate Ui. RC authenticates Ui and Sj by verifying A2 ?= h(Mi* || SIDj* || Wi1 || Wi2* || A1) and B2 ?= h(Wj1 || Wj2* || Wi1 || B1 || A2 || Nj), respectively. Unlike Tan's scheme, no malicious insider holding W0 can recover h(T_vi(Wj1)) from V0, and ultimately CIDi. Sj verifies the authenticity of the message sent by RC by checking the equality Cj ?= h(Nj || Wi1 || Wj1 || Ci), while an attacker is unable to construct Cj for want of the factor Nj. Likewise, Ui knows that Vj and Ci can only be constructed by RC and not by any adversary; therefore, Ui validates Sj by verifying the factor Vj.
Likewise, for case-II, the proposed sc

6.1.3 Replay attack

A replay attack is launched when an attacker replays an intercepted message to impersonate a legitimate participant. In our proposed model this attack is easily foiled by the user through the equality checks Vj ?= h(Ci* || T_vi(Wj1) || CIDi || W0* || Vi) and B2 ?= h(Wj1 || Wi1 || V || B1 || T_vi(Wj1) || CIDi*). The login request on the part of the user comprises Wi1, which is constructed afresh in every session by generating a new random number vi. The user aborts the session when the matching of Vj or B2 fails on the basis of replayed messages. Similarly, the server foils replayed messages by checking X ?= h(SIDj || Wi1 || Wj1 || h(CIDi || ToS || Nj) || T_vj(Wi1)) in both cases of the proposed scheme.

6.1.4 Known-key security

Known-key security signifies the inability to derive the private secret keys of the involved participants even if a session key has been compromised. If the shared session key SK = (T_vj(Wi1) || SIDj || CIDi) = (T_vi(Wj1) || SIDj || CIDi) of the proposed scheme gets exposed, it does not lead to the extraction or guessing of the secret values vi, vj, PWi, Mi, Nj, v, etc., of the user, server and RC. If by any means the parameter CIDi is exposed along with the session key, the adversary is still unable to recover T_vj(Wi1) or vj, since that requires solving the hard problems CMDHP and CMDLP.

6.1.5 Perfect forward secrecy

A scheme maintains perfect forward secrecy if the secrecy of previous session keys is ensured even when the master key (v) of RC or the private key (Nj) of the server gets compromised. The proposed scheme maintains perfect forward secrecy, since the disclosure of v can only help the adversary extract Mi of the user or, in the worst case, the values h(T_vj(Wi1)) or h(T_vi(Wj1)). However, the session key, formed as SK = h(T_vj(Wi1) || SIDj || CIDi) = h(T_vi(Wj1) || SIDj || CIDi), cannot be constructed, as an adversary is unable to calculate T_vj(Wi1) from h(T_vj(Wi1)). Hence, the proposed scheme provides perfect forward secrecy.

6.1.6 Offline-password guessing attacks (proposed feature)

In a password guessing attack, an adversary collects all public messages available, i.e. those exchanged over the insecure channel among the concerned parties, and tries to derive information by brute force, trying all possible combinations of input. Besides, an adversary may try to steal the smart card contents for guessing the password; however, the proposed scheme remains secure, since an adversary cannot recover the factor f2 = h(H(BIOi) || h(IDi || PWi)) from the stolen smart card. Unless the parameters BIOi and IDi are accessed, PWi can never be guessed in polynomial time by the adversary [43]. Hence, the proposed scheme resists any form of password guessing attempt on the part of the adversary.

6.1.7 Anonymity

The scheme is anonymous if it provides identity-based privacy to the subscribers during the mutual authentication phase. The proposed scheme is anonymous, since an adversary is unable to trace the user's IDi from the login request {Wi1, A1, A2}. No entity other than RC can construct Wi2 = T_v(Wi1) mod p, because of the secret key v held by RC. Hence, our proposed scheme provides anonymity to the users or subscribers.

6.1.8 Login scalability (proposed feature)

The login scalability feature enables users and subscribers to log in directly to service providers without engaging the control server (RC) for every authentication session. This feature saves extra messages on the part of users and service providers and leads to quicker delivery of services, since at times a central authority like RC may become a bottleneck for a large number of pending login requests. The proposed scheme provides login scalability in the same manner as Tan's protocol. However, Tan's scheme offers this scalability without providing any defence against impersonation attacks. The proposed scheme not only provides this feature but is also immune to impersonation and privileged insider attacks. For this purpose, the CIDi parameter and the ToS string furnished by RC are communicated to the user during the first login, as Vij = (CIDi || ToS) ⊕ h(T_vj(Wi1) || W0). Following that, Sj authenticates the user in subsequent login and authentication phases (case-II) on the basis of the CIDi and ToS parameters communicated during the authentication phase (case-I).

6.1.9 RC control over service provisioning (proposed feature)

In Tan's scheme the RC exercises only loose control over Sj for login scalability, where a user may acquire the Sj-based services an unlimited number of times without any check by RC. In the proposed scheme, RC communicates a ToS to Sj in accordance with the service levels of the subscribers. For instance, a user on a premium package may seek the services of a server more often than an ordinary subscriber. This is ensured by the triplet string ToS = (Sl, T1, Tm), comprising the service level of the user Sl, the start time T1 from which the maximum hours allowed are counted, and Tm, the maximum hours allowed past T1. In this way, RC binds the service providers to furnish services to the verified users according to ToS. Besides, another objective of adding the ToS was to prevent the subscriber from turning loose and to bring it within the tighter bounds of RC, unlike Tan's scheme. Otherwise, it would have been difficult for RC to revoke the rights of a particular Ui if it wanted to, and in that case Ui would avail itself of the services of a service provider indefinitely.

6.1.10 Stolen-verifier attacks

The verifier database is maintained at the server's end for verifying the authenticity of a user. An attack could be launched by an adversary who steals those verifiers. However, the proposed scheme is resistant to stolen-verifier attacks, since it does not maintain any database at either the RC's or the service provider's end.

6.1.11 Logins differentiation (proposed feature)

The proposed scheme can successfully differentiate between the two logins (case-I and case-II). This feature was missing in Tan's scheme.

6.2 Formal security analysis

The formal security analysis initially describes adversarial model and then further formal
proofs.

6.2.1 Adversarial model

In this sub-section, we present a formal adversarial model of the proposed authentication scheme based on the following assumptions:

• Ui, Sj and RC are the three participating entities in the system model. The user Ui selects the password PWi and employs BIOi as a biometric to get authenticated by the smart card. Further, we assume v is the master secret key of RC, v0 represents Sj's secret, and vi and vj are the random numbers generated. At the same time, x represents the seed that helps in the generation of the Chebyshev chaotic map T_K(x).
• Let us assume that the attacker 𝒜 is a probabilistic polynomial-time adversary. 𝒜 may interact with any of the legal participating entities (i.e. Ui, Sj or RC) by executing oracle queries that could give the attacker the capability of launching an attack on the protocol. We represent the t-th instance of the participant Π with Π^t.
• 𝒜, having control over the communication channel, could intercept, inject, modify and block the messages (among Ui, Sj and RC) intended to pass through insecure public channels, i.e. these messages are exchanged among Ui, Sj and RC via 𝒜.
• Likewise, 𝒜 might steal smart card contents through power consumption analysis and reverse engineering procedures. Following this, 𝒜 could guess PWi and attempt to initiate possible attacks.

𝒜 may interact with a participating entity using the following oracle queries, which could make the adversary capable enough to model a factual attack. 𝒜 simulates the following oracle queries to break the security of the proposed multi-server authentication protocol:

Send(Π^t, x): 𝒜 issues the Send oracle query for sending the message x to the instance Π^t and receives the response from the particular participant Π.
Execute(Π^l_Ui, Π^n_CS, Π^m_Sj): 𝒜 could launch passive attacks using the Execute query. This query outputs the messages exchanged during an actual execution of the protocol by the participants, since 𝒜 could intercept the messages among the legal participants after initiating this query.
Reveal(Π^t): The Reveal query might be used by the attacker to misuse the session keys. 𝒜 may send the Reveal query to Π^t, which then outputs the session key between it and its partner if the session key is accepted, or else returns a null value.
Corrupt(Π^t, ·): This query is used by 𝒜 to compromise and corrupt the instance Π^t, and could recover the secret key as follows: if the second argument equals 1, it returns the password of the user; or else, it returns the master key of RC.
Test(Π^t): This query returns the session key SK if SK is computed between Π^t and its partner; otherwise, a null value is returned. 𝒜 can only send a single Test query to any Π^t, which flips an unbiased coin b and outputs the valid session key as computed among the participants if b = 1. On the other hand, it returns a random value from {0, 1}* as the response.

Definition 1 An instance Π^t is regarded as accepted if it enters the accept state after having received the anticipated message.

Definition 2 The instances Π^l_Ui and Π^m_Sj are termed partnered if, firstly, they both enter the accepted state after mutual authentication and establishment of the shared session key; secondly, both partners share the common identity pid; and thirdly, Π^l_Ui and Π^m_Sj are each other's partners. The mutual session identifier pid represents all of the messages sent or received by the instance Π^t.

Definition 3 The instance Π^t is said to be fresh if, firstly, Π^t is in the accepted state, that is, Π^t and its partner construct a commonly shared session key after mutually authenticating each other; secondly, no Reveal query has ever been submitted to Π^t or its partner; and thirdly, at most one Corrupt query has been submitted to Π^t's partner, if Π is a foreign-agent-based instance.

Definition 4 We take z as the security parameter for the multi-server authentication protocol. The attacker 𝒜 is assumed to be capable of making Execute, Send, Corrupt and Reveal queries within polynomial time z, while it can only send the Test query once to the fresh oracle.

Comparing 𝒜's output bit with the hidden bit b used by the Test query, we define 𝒜's advantage for launching an attack on the proposed scheme as given below.

(14)

Our ISCAMS protocol can be regarded as secure if the advantage for any probabilistic polynomial-time attacker 𝒜 is negligible.
In the following we prove that our proposed scheme is secure under the assumption of the CMDHP property of the Chebyshev chaotic map in the random oracle model (ROM).

Theorem 1 Let 𝒜 be an adversary in the Abdalla-Fouque-Pointcheval (AFP) based random oracle model against our proposed scheme (ISCAMS), bounded by time t. Assuming that qsd, qet and qh represent the numbers of Send, Execute and Hash queries, we say

(15)

where the advantage denotes the probability of success for solving CMDHP problem instances regarding chaotic maps. Here, ℓ1 and ℓ2 indicate the lengths of a participant's identity and password, while p is a large prime number. The participant could be either a user or a server.

6.2.2 Theorem proof (using attack games)

In this sub-section, we prove the theorem by developing a series of attack games Gn, where n = 0, ..., 6. For each game Gn we define an event En, n = 0, ..., 6, that 𝒜 successfully guesses the bit b involved in the Test query.

Game G0 This is the real attack in the ROM, and the simulation for this game is the same, hence we can say that

(16)

Game G1 This game is much like G0; however, it simulates the hash oracle by maintaining the hash list Lh. Here, the actual execution of the authentication protocol and the simulation of game G1 are indistinguishable, in view of the fact that the oracle queries, including Send, Hash, Execute, Corrupt, Reveal and Test, are simulated just like an actual attack. The simulations of the various polynomial numbers of queries made by the adversary are depicted in Tables 2, 3, 4, 5, 6, 7 and 8. Therefore, we have

$\Pr[E_1] = \Pr[E_0]$   (17)

Game G2 This game G2 is identical to game G1 except that, if the adversary is able to guess the passwords and identities of the participants, given that the hash functions of the messages {IDi || PWi}, {H(BIOi) || (IDi || PWi)}, {SIDj || (IDi || PWi)} find a match with the real values, the executions are simply aborted. Due to the shorter length of the messages {IDi || PWi}, {H(BIOi) || (IDi || PWi)}, {SIDj || (IDi || PWi)} than |p|, the guessing probability without querying the hash oracles is not more than $\frac{q_{et}+q_{sd}}{2^{\ell_1 \ell_2}} + \frac{q_{et}+q_{sd}}{2^{2\ell_1 \ell_2}}$. Therefore, we conclude

$|\Pr[E_2] - \Pr[E_1]| \le \frac{q_{et}+q_{sd}}{2^{\ell_1 \ell_2}} + \frac{q_{et}+q_{sd}}{2^{2\ell_1 \ell_2}}$   (18)

Table 2 Simulation of random hash oracle queries. Initially, the oracle maintains an empty hash list Lh, which becomes populated with tuples {a, b}, where b = h(a) is the output for input a. If a tuple {a, b} exists in the list Lh, the hash value b is returned. Otherwise, it selects a number b such that no tuple of the form {., b} already exists in the list, returns b to 𝒜, and adds the new tuple {a, b} to the list Lh.

Table 3 Specifics of Send query simulation

For query Send(Π^l_Ui, start) - Case I: Choose a random number vi to compute Wi1 = T_vi(x) mod p, Wi2 = T_vi(W) mod p, A1 = h(Wi2) ⊕ IDi, A2 = h(Mi || SIDj || Wi1 || Wi2 || A1). Next, it returns <Wi1, A1, A2> to proceed with the query.
For query Send(Π^l_Ui, Sj, RC, Wj1, V0, Vij, Vi, Vj): It computes Ci* = h(Wi1 || Wj1 || ToS || SIDj || Mi || A2), W0* = V0 ⊕ h(T_vi(Wj1)) ⊕ h(Wi1 || Mi) and (CIDi || ToS) = Vij ⊕ h(T_vi(Wj1) || W0*). Next, it checks the equality Vj ?= h(Ci* || T_vi(Wj1) || CIDi || W0* || Vi). If it does not hold, the instance Π^l_Ui aborts. Otherwise it computes V = Vi ⊕ h(CIDi || h(T_vi(Wj1))), X = h(SIDj || Wi1 || Wj1 || V || T_vi(Wj1)), g = h(SIDj || PWi || IDi) ⊕ V and SK = (T_vi(Wj1) || SIDj || CIDi). Ultimately, the instance Π^l_Ui returns <X>.
For query Send(Π^m_Sj, Wi1, A1, A2): The instance computes Wj1 = T_vj(x) mod p, Wj2 = T_vj(W) mod p, B1 = h(Wj2) ⊕ SIDi and B2 = h(Wj1 || Wj2 || Wi1 || B1 || B2 || Nj). Finally, it returns <Wi1, A1, A2, Wj1, B1, B2>.
For query Send(Π^l_Ui, start) - Case II: Initially, the smart card checks the equation f2 ?= h(H(BIOi) || h(IDi || PWi)) after IDi, PWi and BIOi are input. If it does not hold, the instance aborts. Otherwise, it chooses a random number vi to compute V = g ⊕ h(SIDj || PWi || IDi), Wi1 = T_vi(x) mod p, A1 = (CIDi || ToS || Wi1) ⊕ T_vi(W0) and A2 = h(CIDi || SIDj || Wi1 || V || ToS || Flag). Next, it returns <Flag, Wi1, A1, A2> to proceed with the query.
For query Send(Π^l_Ui, Sj, B1, B2): It computes Wj1* = h(Wi1 || V) ⊕ B1 and verifies the equality B2 ?= h(Wj1 || Wi1 || V || B1 || T_vi(Wj1) || CIDi*). The instance Π^l_Ui terminates if the equation does not match. Otherwise, it computes X = h(SIDj || Wi1 || Wj1* || V || B1 || T_vi(Wj1*)) and SK = h(T_vi(Wj1*) || SIDj || CIDi). Then, the instance Π^l_Ui outputs <X> to proceed with the query.
For query Send(Π^m_Sj, Flag, Wi1, A1, A2): Initially, it computes (CIDi* || ToS* || Wi1*) = A1 ⊕ h(T_v0(Wi1)). Then, it checks CIDi* against the pseudonym list and the criterion that if (T1 + Tm) > Tc then ToS is valid, and finally checks the equality A2 ?= h(CIDi* || SIDj || Wi1 || h(CIDi* || ToS* || Nj) || ToS* || Flag). If these three stipulations hold, it further generates vj and computes Wj1 = T_vj(x) mod p, B1 = h(Wi1 || h(CIDi* || ToS* || Nj)) ⊕ Wj1, B2 = h(Wj1 || Wi1 || h(CIDi* || ToS* || Nj) || B1 || T_vj(Wi1) || CIDi*). Ultimately, it returns <B1, B2> to proceed with the query.
For query Send(Π^m_Sj, RC, Cj, Ck, Wi1): Initially, it computes (h(Wi1 || Mi) || Ci || Wi1 || ToS) = D_h(Nj || Wi1){Ck} and V0 = W0 ⊕ h(T_vj(Wi1)) ⊕ h(Wi1 || Mi). Next, it checks the equation Cj ?= h(Nj || Wi1 || Wj1 || Ci). If true, it further computes Vij = (CIDi || ToS) ⊕ h(T_vj(Wi1) || W0), Vi = h(CIDi || ToS || Nj) ⊕ h(CIDi || h(T_vj(Wi1))) and returns <Wj1, V0, Vij, Vi, Vj>.
For query Send(Π^m_Sj, X): It checks the equality X ?= h(SIDj || Wi1 || Wj1 || h(CIDi || ToS || Nj) || T_vj(Wi1)). If it does not hold, the instance aborts. Otherwise, it accepts and finalizes the session key as SK = (T_vj(Wi1) || SIDj || CIDi).
For query Send(Π^n_RC, Wi1, A1, A2, Wj1, B1, B2): Initially, it computes Wi2* = T_v(Wi1) mod p, IDi* = h(Wi2*) ⊕ A1, Mi* = h(IDi* || v), Wj2* = T_v(Wj1) mod p, SIDj* = h(Wj2*) ⊕ B1 and Nj* = h(v || SIDj*). Next, it checks the equalities A2 ?= h(Mi* || SIDj* || Wi1 || Wi2* || A1) and B2 ?= h(Wj1 || Wj2* || Wi1 || B1 || A2 || Nj). If the equalities hold, it further computes Ci = h(Wi1 || Wj1 || ToS || SIDj* || Mi* || A2), Cj = h(Nj* || Wi1 || Wj1 || Ci) and Ck = E_h(Nj || Wi1){h(Wi1 || Mi) || Ci || Wi1 || ToS}. Finally, it returns the tuple <Cj, Ck, Wi1> to proceed further.

Table 4 Simulation of Execute oracle query (three participants). For Execute(Π^l_Ui, Π^n_CS, Π^m_Sj): the Execute query is answered by the simulation of the Send queries, i.e. Send(Π^l_Ui, start), Send(Π^m_Sj, Wi1, A1, A2), Send(Π^n_RC, Wi1, A1, A2, Wj1, B1, B2), Send(Π^m_Sj, RC, Cj, Ck, Wi1), Send(Π^l_Ui, Sj, RC, Wj1, V0, Vij, Vi, Vj) and Send(Π^m_Sj, X).

Game G3 This game G3 is identical to game G2 in its use of oracles, except that G2 halts on the occurrence of any collision during the simulation of the protocol for the messages {IDi || PWi}, {H(BIOi) || (IDi || PWi)}, {SIDj || (IDi || PWi)}. According to the birthday attack, the collision probability of the hash query simulation is not more than $\frac{q_h^2}{2p}$, where qh signifies the maximum number of hash oracle queries. Likewise, the probability of collisions for the message transcripts (Mi || SIDj || Wi1 || Wi2 || A1), h(Wj1 || Wj2 || Wi1 || B1 || B2 || Nj), h(Nj* || Wi1 || Wj1 || Ci), h(CIDi || ToS || Nj) ⊕ h(CIDi || h(T_vj(Wi1))), h(Ci || T_vj(Wi1) || CIDi || W0 || Vi) and h(SIDj || Wi1 || Wj1 || V || T_vi(Wj1)) is not more than $\frac{(q_{sd}+q_{et})^2}{2p}$. Here, we conclude

$|\Pr[E_3] - \Pr[E_2]| \le \frac{q_h^2}{2p} + \frac{(q_{sd}+q_{et})^2}{2p}$   (19)

Game G4 This game G4 is identical to game G3 except that the executions are aborted if the attacker is able to guess the authenticators, i.e. A2, B2, Cj, Vj and X, correctly. Here, the adversary obtains authenticated parameters without consulting the related hash oracle. Until the rejection of valid authenticators, games G3 and G4 remain identical. Hence, we say

$|\Pr[E_4] - \Pr[E_3]| \le \frac{q_{sd}}{2p}$   (20)

Game G5 The simulation of game G5 is similar to game G4, with the exception that query execution is aborted if the adversary is able to guess the parameters A2, B2, Cj, Vj and X. The adversary might compute those parameters by guessing the values Mi, Nj, T_vi(Wj1), T_vj(Wi1) and querying the hash oracles for (Mi || SIDj || Wi1 || Wi2 || A1), h(Wj1 || Wj2 || Wi1 || B1 || B2 || Nj), h(Nj* || Wi1 || Wj1 || Ci), h(CIDi || ToS || Nj) ⊕ h(CIDi || h(T_vj(Wi1))), h(Ci || T_vj(Wi1) || CIDi || W0 || Vi) and h(SIDj || Wi1 || Wj1 || V || T_vi(Wj1)). The guessing probability for the above parameters is not more than $\frac{2q_h}{p}$.

$|\Pr[E_5] - \Pr[E_4]| \le \frac{2q_h}{p}$   (21)

Table 5 Simulation of Execute oracle query (two participants). For Execute(Π^l_Ui, Π^m_Sj): the Execute query is answered by the simulation of the Send queries, i.e. Send(Π^l_Ui, start), Send(Π^m_Sj, Flag, Wi1, A1, A2), Send(Π^m_Sj, Wi1, A1, A2), Send(Π^l_Ui, Sj, B1, B2) and Send(Π^m_Sj, X).

Table 6 Simulation of Reveal oracle query. For Reveal(Π^t): if the t-th instance Π^t of the participant accepts, it returns the agreed session key SK between Π^t and its partner; otherwise it returns a null value.

Game G6 In this game, the adversary may guess the session key without even querying the related hash oracle. Hence, we can say the session key remains independent of the hash oracles and the other known parameters, i.e. T_vi(Wj1), T_vj(Wi1).

(22)

Now, we can remark on the probability that the attacker correctly guesses the bit, i.e.

$\Pr[E_6] = \frac{1}{2}$   (23)

Based on Eqs. (15)-(22), we can say

(24)

On the basis of Eqs. (13) to (21), we get (24), which sufficiently proves the theorem.

6.3 Security analysis (BAN logic)

This section covers the formal security analysis of our proposed protocol under Burrows-Abadi-Needham (BAN) logic [1]; this model analyzes security in terms of mutual authentication, key distribution, and the strength against session key disclosure. Some notions used in BAN logic are described as follows.

Principals are the agents involved in a protocol.
Keys are used for symmetric message encryption.

A few notations used in the BAN security analysis are given as follows:

P |≡ X: The principal P believes X, or alternatively, P believes the statement X.
P ◁ X: P sees X. P receives some message X and may read or repeat it in any message.
P |~ X: P once said X. Earlier in time, P sent some message X and P believed that message when it was sent.
P ⇒ X: P has jurisdiction over X; P has authority over X and can be trusted.
#(X): The message X may be treated as fresh.
(X, Y): X or Y is part of the message (X, Y).
<X>Y: The formula X is combined with the formula Y.
{X, Y}K: X or Y is encrypted with the key K.
(X, Y)K: X or Y is hashed with the key K.
P ←K→ Q: P and Q can communicate with the shared key K.

Table 7 Simulation of Corrupt oracle query. For Corrupt(Π^t, ·): if the second argument is 1, it returns the user's password; otherwise it returns the master key of RC.

Some rules or logical postulates used in BAN logic are given as follows:

Rule 1. Message meaning rule: (P |≡ P ←K→ Q, P ◁ <X>K) / (P |≡ Q |~ X)
Rule 2. Nonce verification rule: (P |≡ #(X), P |≡ Q |~ X) / (P |≡ Q |≡ X)
Rule 3. Jurisdiction rule: (P |≡ Q ⇒ X, P |≡ Q |≡ X) / (P |≡ X)
Rule 4. Freshness concatenation rule: (P |≡ #(X)) / (P |≡ #(X, Y))
Rule 5. Belief rule: (P |≡ X, P |≡ Y) / (P |≡ (X, Y))
Rule 6. Session keys rule: (P |≡ #(X), P |≡ Q |≡ X) / (P |≡ P ←K→ Q)

CASE-I of proposed scheme The proposed protocol needs to satisfy the following goals to ensure its security under BAN logic, using the above assumptions and postulates.

Goal 1: Sj |≡ Sj ←SK→ Ui
Goal 2: Sj |≡ Ui |≡ Sj ←SK→ Ui
Goal 3: Ui |≡ Sj ←SK→ Ui
Goal 4: Ui |≡ Sj |≡ Sj ←SK→ Ui
Goal 5: RC |≡ RC ←(Wi2, IDi)→ Ui
Goal 6: RC |≡ Ui |≡ RC ←(Wi2, IDi)→ Ui

Initially, the messages exchanged in the proposed protocol can be transformed into idealized
form in the following manner.

M1: Ui → Sj: Wi1, A1, A2: {Wi1, <IDi>h(Wi2), <SIDj || Wi1 || Wi2 || A1>Mi}
M2: Sj → RC: Wi1, A1, A2, Wj1, B1, B2: {Wi1, A1, A2, Wj1, <SIDj>h(Wj2), <IDi, Wi1, Wj1, Wj2>Nj}
M3: RC → Sj: Cj, Ck, Wi1: {<Wi1 || Wj1 || Ci>Nj, <h(Wi1 || Mi) || Ci || Wi1 || ToS>h(Nj || Wi1), Wi1}
M4: Sj → Ui: Wj1, V0, Vij, Vi, Vj: {Wj1, <W0 ⊕ h(T_vj(Wi1))>h(Wi1 || Mi), <CIDi || ToS>h(T_vj(Wi1) || W0), <h(CIDi || ToS || Nj)>h(CIDi || h(T_vj(Wi1))), Vj}
M5: Ui → Sj: X: {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj) || T_vj(Wi1)}

Table 8 Simulation of Test oracle query. For Test(Π^t): it receives the session key SK from the Reveal(Π^t) query and then flips an unbiased coin with result b. If b = 1, it returns SK; otherwise it derives a random number from Zp* and returns it.

Secondly, the following premises have been established to prove the security of proposed
protocol.

P1: Ui |≡ #(vi)
P2: Sj |≡ #(vj)
P3: RC |≡ #(v)
P4: Ui |≡ Ui ←Mi→ RC
P5: Ui |≡ Ui ←(Ci, CIDi)→ Sj
P6: Sj |≡ Sj ←(Ci, CIDi)→ Ui
P7: Sj |≡ Sj ←Nj→ RC
P8: RC |≡ RC ←Mi→ Ui
P9: RC |≡ RC ←Nj→ Sj
P10: Ui |≡ Sj ⇒ (Wj1, Vj)
P11: Sj |≡ Ui ⇒ (Wi1, X)
P12: RC |≡ Ui ⇒ (A2, Wi1)
P13: Sj |≡ RC ⇒ Cj
P14: RC |≡ Sj ⇒ (B2, Wj1)
P15: Ui |≡ RC ⇒ Ci

Thirdly, the idealized form i.e., M1-M5 of the proposed protocol can be examined and
verified in the light of above mentioned postulates and assumptions.
Considering the M1 and M2 of the idealized form:

M1: Ui → Sj: Wi1, A1, A2: {Wi1, <IDi>h(Wi2), <SIDj || Wi1 || Wi2 || A1>Mi}
M2: Sj → RC: Wi1, A1, A2, Wj1, B1, B2: {Wi1, A1, A2, Wj1, <SIDj>h(Wj2), <IDi, Wi1, Wj1, Wj2>Nj}

By applying the seeing rule to M1 and M2, we get

D1: Sj ◁ Wi1, A1, A2: {Wi1, <IDi>h(Wi2), <SIDj || Wi1 || Wi2 || A1>Mi}
D2: RC ◁ Wi1, A1, A2, Wj1, B1, B2: {Wi1, A1, A2, Wj1, <SIDj>h(Wj2), <IDi, Wi1, Wj1, Wj2>Nj}

According to D1, D2, P8, P9 and message meaning rule, we get

D3: RC | Ui ~ { Wi1, <IDi>h(Wi2), <SIDj || Wi1 || Wi2 || A1>Mi}


D4: RC | Sj ~ { Wj1, <SIDj>h(Wj2), <IDi, Wi1, Wj1, Wj2>Nj}

According to D3, P1, the freshness concatenation and nonce verification rules, we get

D5: RC |≡ Ui |≡ {Wi1, <IDi>h(Wi2), <SIDj || Wi1 || Wi2 || A1>Mi}

According to D4, P2, the freshness concatenation and nonce verification rules, we get

D6: RC |≡ Sj |≡ {Wj1, <SIDj>h(Wj2), <IDi, Wi1, Wj1, Wj2>Nj}

According to D5, P12 and the jurisdiction rule, we get

D7: RC |≡ {Wi1, <IDi>h(Wi2), <SIDj || Wi1 || Wi2 || A1>Mi}

According to D6, P14 and the jurisdiction rule, we get

D8: RC |≡ {Wj1, <SIDj>h(Wj2), <IDi, Wi1, Wj1, Wj2>Nj}

According to D5, D7 and the session key rule, we get

D9: RC |≡ RC ←(Wi2, IDi)→ Ui (Goal 5)

According to D5, D7, P8 and the nonce verification rule, we get

D10: RC |≡ Ui |≡ RC ←(Wi2, IDi)→ Ui (Goal 6)

Considering M3 of the idealized form:

M3: RC → Sj: Cj, Ck, Wi1: {<Wi1 || Wj1 || Ci>Nj, <h(Wi1 || Mi) || Ci || Wi1 || ToS>h(Nj || Wi1), Wi1}

By applying the seeing rule for M3, we get

D11: Sj ◁ Cj, Ck, Wi1: {<Wi1 || Wj1 || Ci>Nj, <h(Wi1 || Mi) || Ci || Wi1 || ToS>h(Nj || Wi1), Wi1}

According to D11, P7 and the message meaning rule, we get

D12: Sj |≡ Ui |~ {Wi1}

According to D12, P3, P6, P13, the freshness concatenation and nonce verification rules, we get

D13: Sj |≡ Ui |≡ {Wi1}

Next, considering the M4 idealized message

M4: Sj → Ui: Wj1, V0, Vij, Vi, Vj: {Wj1, <W0 h(T_vj(Wi1))>h(Wi1 || Mi), <CIDi || ToS>h(T_vj(Wi1) || W0), <h(CIDi || ToS || Nj)>h(CIDi || h(T_vj(Wi1))), Vj}

By applying the seeing rule for M4, we get

D14: Ui ◁ Wj1, V0, Vij, Vi, Vj: {Wj1, <W0 h(T_vj(Wi1))>h(Wi1 || Mi), <CIDi || ToS>h(T_vj(Wi1) || W0), <h(CIDi || ToS || Nj)>h(CIDi || h(T_vj(Wi1))), Vj}

According to D14, P4, P5 and the message meaning rule, we get

D15: Ui |≡ Sj |~ {Wj1, CIDi}

According to D15, P2, P3, the freshness concatenation and nonce verification rules, we get

D16: Ui |≡ Sj |≡ {Wj1, CIDi}

According to D16, P10, P15 and the jurisdiction rule, we get

D17: Ui |≡ {Wj1, CIDi}

According to D17, we apply the session key rule as

D18: Ui |≡ Sj ←SK→ Ui (Goal 3)

According to D18 and P1, we apply the session key rule as

D19: Ui |≡ Sj |≡ Sj ←SK→ Ui (Goal 4)

Next, considering the M5 idealized message

M5: Ui → Sj: X: {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

By applying the seeing rule for M5, we get

D20: Sj ◁ X: {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

According to D20, P6, P7 and the message meaning rule, we get

D21: Sj |≡ Ui |~ {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

According to D21, P1, the freshness concatenation and nonce verification rules, we get

D22: Sj |≡ Ui |≡ {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

According to D22, P11 and the jurisdiction rule, we get

D23: Sj |≡ Ui |≡ {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

According to D23, we apply the session key rule as

D24: Sj |≡ Sj ←SK→ Ui (Goal 1)

According to D24 and P2, we apply the session key rule as

D25: Sj |≡ Ui |≡ Sj ←SK→ Ui (Goal 2)

The above BAN logic analysis formally proves that the proposed protocol for case-I achieves mutual authentication and that the session key SK is mutually established between Ui and Sj.

CASE-II of proposed scheme

Goal 1: Sj |≡ Sj ←SK→ Ui
Goal 2: Sj |≡ Ui |≡ Sj ←SK→ Ui
Goal 3: Ui |≡ Sj ←SK→ Ui
Goal 4: Ui |≡ Sj |≡ Sj ←SK→ Ui

Idealized form

M1: Ui → Sj: Wi1, A1, A2: {Flag, Wi1, <CIDi || ToS || Wi1>T_vj(W0), <SIDj || Wi1 || V || ToS || Flag>CIDi}
M2: Sj → Ui: B1, B2: {<Wj1>h(Wi1 || h(CIDi* || ToS* || Nj)), <Wj1 || Wi1 || B1 || T_vj(Wi1) || CIDi*>h(CIDi* || ToS* || Nj)}
M3: Ui → Sj: X: {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

Considering M1 and M3 of the idealized form:

M1: Ui → Sj: Wi1, A1, A2: {Wi1, <CIDi || ToS || Wi1>T_vj(W0), <SIDj || Wi1 || V || ToS || Flag>CIDi}
M3: Ui → Sj: X: {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

By applying the seeing rule, we get

D1: Sj ◁ Wi1, A1, A2: {Wi1, <CIDi || ToS || Wi1>T_vj(W0), <SIDj || Wi1 || V || ToS || Flag>CIDi}
D2: Sj ◁ X: {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

According to D1, D2, P5 and the message meaning rule, we get

D3: Sj |≡ Ui |~ {Wi1, <CIDi || ToS || Wi1>T_vj(W0), <SIDj || Wi1 || V || ToS || Flag>CIDi}
D4: Sj |≡ Ui |~ {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

According to D3, D4, P1, the freshness concatenation and nonce verification rules, we get

D5: Sj |≡ Ui |≡ {Wi1, <CIDi || ToS || Wi1>T_vj(W0), <SIDj || Wi1 || V || ToS || Flag>CIDi}
D6: Sj |≡ Ui |≡ {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

According to D5, D6, P11 and the jurisdiction rule, we get

D7: Sj |≡ Ui |≡ {Wi1, <CIDi || ToS || Wi1>T_vj(W0), <SIDj || Wi1 || V || ToS || Flag>CIDi}
D8: Sj |≡ Ui |≡ {<SIDj || Wi1 || Wj1>h(CIDi || ToS || Nj || T_vj(Wi1))}

According to D7, D8 and the session key rule, we get

D9: Sj |≡ Sj ←SK→ Ui (Goal 1)

According to D9 and P1, we apply the session key rule as

D10: Sj |≡ Ui |≡ Sj ←SK→ Ui (Goal 2)

Next, considering M2 of the idealized form:

M2: Sj → Ui: B1, B2: {<Wj1>h(Wi1 || h(CIDi* || ToS* || Nj)), <Wj1 || Wi1 || B1 || T_vj(Wi1) || CIDi*>h(CIDi* || ToS* || Nj)}

By applying the seeing rule, we get

D11: Ui ◁ B1, B2: {<Wj1>h(Wi1 || h(CIDi* || ToS* || Nj)), <Wj1 || Wi1 || B1 || T_vj(Wi1) || CIDi*>h(CIDi* || ToS* || Nj)}

According to D11, P6 and the message meaning rule, we get

D12: Ui |≡ Sj |~ {<Wj1>h(Wi1 || h(CIDi* || ToS* || Nj)), <Wj1 || Wi1 || B1 || T_vj(Wi1) || CIDi*>h(CIDi* || ToS* || Nj)}

According to D12, P2, the freshness concatenation and nonce verification rules, we get

D13: Ui |≡ Sj |≡ {<Wj1>h(Wi1 || h(CIDi* || ToS* || Nj)), <Wj1 || Wi1 || B1 || T_vj(Wi1) || CIDi*>h(CIDi* || ToS* || Nj)}

According to D13, P10 and the jurisdiction rule, we get

D14: Ui |≡ Sj |≡ {<Wj1>h(Wi1 || h(CIDi* || ToS* || Nj)), <Wj1 || Wi1 || B1 || T_vj(Wi1) || CIDi*>h(CIDi* || ToS* || Nj)}

According to D14 and the session key rule, we get

D15: Ui |≡ Sj ←SK→ Ui (Goal 3)

According to D15 and P2, we apply the session key rule as

D16: Ui |≡ Sj |≡ Sj ←SK→ Ui (Goal 4)

The above BAN logic analysis formally proves that the proposed protocol for case-II achieves mutual authentication and that the session key SK is mutually established between Ui and Sj.
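As an added illustration, not code from the paper, the following Python forward-chainer encodes the four rules the derivations above apply (message meaning, freshness of concatenation, nonce verification, jurisdiction) and replays them on message M3 of Case-II; the key label K3 and the Sj-side shared-secret and freshness premises are assumptions of this example, and the informal session key rule is not modelled.

```python
from typing import FrozenSet, Iterable, Tuple

Formula = Tuple  # nested tuples, e.g. ("believes", "Sj", ("said", "Ui", ("cat", "SIDj", "Wi1")))

# Case-II message M3 of the paper: X = <SIDj || Wi1 || Wj1> keyed with
# h(CIDi || ToS || Nj || T_vj(Wi1)).  K3 is a constructed label for that key.
M3_PAYLOAD: Formula = ("cat", "SIDj", "Wi1", "Wj1")
K3 = "h(CIDi||ToS||Nj||T_vj(Wi1))"


def components(x: Formula) -> Tuple:
    """Parts of a concatenation ("cat", a, b, ...); anything else is atomic."""
    return x[1:] if isinstance(x, tuple) and x and x[0] == "cat" else (x,)


def step(facts: FrozenSet[Formula]) -> FrozenSet[Formula]:
    """Apply each rule once to every matching fact; return the enlarged set."""
    new = set(facts)
    beliefs = [f for f in facts if f[0] == "believes"]
    for f in facts:
        # Message meaning: P |= P <-K-> Q and P sees {X}_K  give  P |= Q |~ X
        if f[0] == "sees" and f[2][0] == "enc":
            P, (_, X, K) = f[1], f[2]
            for b in beliefs:
                if b[1] == P and b[2][0] == "shared" and b[2][2] == K and P in (b[2][1], b[2][3]):
                    Q = b[2][3] if b[2][1] == P else b[2][1]
                    new.add(("believes", P, ("said", Q, X)))
    for b in beliefs:
        P, X = b[1], b[2]
        # Freshness of concatenation: P |= #(a)  gives  P |= #(..., a, ...) for a said formula
        if X[0] == "fresh":
            for s in beliefs:
                if s[1] == P and s[2][0] == "said" and X[1] in components(s[2][2]):
                    new.add(("believes", P, ("fresh", s[2][2])))
        # Nonce verification: P |= #(X) and P |= Q |~ X  give  P |= Q |= X
        if X[0] == "said" and ("believes", P, ("fresh", X[2])) in facts:
            new.add(("believes", P, ("believes", X[1], X[2])))
        # Jurisdiction: P |= Q => X and P |= Q |= X  give  P |= X
        if X[0] == "believes" and ("believes", P, ("controls", X[1], X[2])) in facts:
            new.add(("believes", P, X[2]))
    return frozenset(new)


def closure(facts: Iterable[Formula]) -> FrozenSet[Formula]:
    """Forward-chain until no rule adds anything (the fact set stays finite)."""
    cur = frozenset(facts)
    while True:
        nxt = step(cur)
        if nxt == cur:
            return cur
        cur = nxt


def case2_m3(fresh_nonce: bool = True) -> FrozenSet[Formula]:
    """Premises for M3 of Case-II (paper's D2, P6, P1, P11).  fresh_nonce=False
    drops the freshness premise to show that nonce verification then cannot fire."""
    facts = {
        ("sees", "Sj", ("enc", M3_PAYLOAD, K3)),            # D2: Sj sees M3
        ("believes", "Sj", ("shared", "Sj", K3, "Ui")),      # P6-style premise (assumed: K3 shared with Ui)
        ("believes", "Sj", ("controls", "Ui", M3_PAYLOAD)),  # P11: Ui has jurisdiction over Wi1, X
    }
    if fresh_nonce:
        facts.add(("believes", "Sj", ("fresh", "Wi1")))      # P1 read from Sj's side: Wi1 is fresh
    return closure(facts)


if __name__ == "__main__":
    full = case2_m3()
    checks = [("message meaning: Sj |= Ui |~ M3", ("believes", "Sj", ("said", "Ui", M3_PAYLOAD))),
              ("nonce verification: Sj |= Ui |= M3", ("believes", "Sj", ("believes", "Ui", M3_PAYLOAD))),
              ("jurisdiction: Sj |= M3", ("believes", "Sj", M3_PAYLOAD))]
    for label, goal in checks:
        print(f"{label}: {goal in full}")
    print("Sj |= Ui |= M3 without a fresh nonce:",
          ("believes", "Sj", ("believes", "Ui", M3_PAYLOAD)) in case2_m3(False))
```

Without the freshness premise only the "once said" belief survives, which is exactly the replay gap the nonce verification step closes.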

7 Performance efficiency analysis

Chebyshev polynomial computation offers smaller key sizes with fast computation, and requires less memory and bandwidth. Hence our scheme uses no modular exponentiation or elliptic curve scalar multiplication; the proposed MSA-based technique employs the chaotic map instead. This section deals with the threat analysis and functionality evaluation of the proposed scheme against different protocols.
A few notations used in the comparison are as follows:

TH: the time taken for a hash operation;
TSYM: the time for a symmetric key cryptographic operation;
TECM: the time for an elliptic curve scalar multiplication;
TCCM: the time for executing the Chebyshev chaotic polynomial mapping Tn(x) mod p following the algorithm in [34].

Here, we compare the costs on the basis of estimated running times for the various cryptographic operations (based on the PBC library on Ubuntu 12.04.1 32-bit, with a 2.4 GHz CPU and 2.0 GB RAM). On the basis of this experiment, we take the computational time of a hash operation, a symmetric encryption or decryption, an elliptic curve scalar multiplication and a Chebyshev polynomial operation as 0.00058 s, 0.0086 s, 0.063165 s and 0.02104 s respectively. The cost of the XOR operation is negligible compared with the other cryptographic operations and is therefore ignored. Table 9 depicts the vulnerability analysis for the proposed model against the protocols of Li et al., Lu et al., Chen et al., Zhu, Tsai and Lo, and Tan.
Table 10 shows the result of the cost estimation for the various protocols, i.e., Li et al. [19], Lu et al. [22], Chen et al. [2], Zhu [50], Tsai and Lo [33], Tan's scheme [31] and the proposed scheme. The registration cost for the compared schemes varies from 0.00116 s to 0.00348 s, which can be treated as equivalent for all schemes. However, the login and authentication
Table 9 Security properties of compared schemes

| Property | Li et al. [19] | Lu et al. [22] | Chen et al. [2] | Zhu [50] | Tsai and Lo [33] | Tan [31] | Ours |
|---|---|---|---|---|---|---|---|
| Anonymity | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Mutual authentication | Yes | Yes | No | Yes | Yes | No | Yes |
| Resist malicious insider attack | Yes | Yes | No | No | No | No | Yes |
| RC's control over subscriber | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Resist offline password guessing attack | Yes | Yes | Yes | Yes | No | No | Yes |
| Resistance to stolen smart card attack | Yes | Yes | Yes | Yes | No | No | Yes |
| Login scalability | No | No | Yes | No | No | Yes | Yes |
| Resist replay attack | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Session key agreement | Yes | Yes | Yes | Yes | No | No | Yes |
| Perfect forward secrecy | Yes | Yes | No | Yes | Yes | Yes | Yes |
| Known key secrecy | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

phase costs differ between the schemes. The total cost of the Li et al. [19] and Lu et al. [22] schemes amounts to 0.13726 s and 0.13494 s respectively; however, these schemes do not provide login scalability. The Chen et al. scheme makes use of login scalability, but it is costly, taking 0.38769 s and 0.25614 s for the two cases (first login phase and subsequent login phase). The Tsai and Lo scheme takes a total time of 0.05832 s, which is quite economical compared with the other schemes; however, it is vulnerable to impersonation and stolen card attacks [22]. Zhu's scheme takes a total time of 0.14214 s, which is less than the proposed scheme's case-I time but more than its case-II time. Zhu's scheme has also recently been found vulnerable to malicious insider attack [16]. Finally, the time delay of Tan's scheme is calculated as 0.14132 s and 0.09228 s for the two cases; however, the scheme has been found prone to impersonation, stolen card and password guessing attacks, as identified in the previous sections.
Hence, in the light of the above performance analysis, we can say that the proposed scheme not only provides more security than Tan's scheme but also gives the RC firm control over subscribers during login scalability. The proposed scheme provides a mechanism to treat premium users differently from ordinary subscribers: a premium subscriber may obviously receive service more times than an ordinary one, so the RC is able to revoke an ordinary user earlier than a premium user. Hence Tan's scheme provides loose control over subscribers while providing login scalability, whereas the proposed scheme provides tight control over subscribers without letting them avail themselves of the services unchecked and uncontrolled. One thing needs to be noted here: other schemes may have a lower time delay than the proposed scheme; however, these are not resistant to the threats identified above.
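As an added worked example, not from the paper, the following Python recomputes the Table 10 totals from the per-operation counts and the unit timings quoted above, and extends the comparison to the cost over repeated logins to the same server; the amortised model (first login at Case-I cost, later logins at Case-II cost where the scheme supports it) is an assumption of this example.

```python
# Unit timings from Section 7 (seconds per operation).
UNIT_TIME = {"TH": 0.00058, "TSYM": 0.0086, "TECM": 0.063165, "TCCM": 0.02104}

# Operation counts per scheme as listed in Table 10 (None = no Case-II login phase).
SCHEMES = {
    "Li et al. [19]":   {"reg": {"TH": 3}, "case1": {"TH": 19, "TCCM": 6}, "case2": None},
    "Lu et al. [22]":   {"reg": {"TH": 2}, "case1": {"TH": 15, "TCCM": 6}, "case2": None},
    "Chen et al. [2]":  {"reg": {"TH": 3}, "case1": {"TH": 15, "TECM": 6},
                         "case2": {"TH": 6, "TECM": 4}},
    "Tsai and Lo [33]": {"reg": {"TH": 6}, "case1": {"TH": 28, "TCCM": 2}, "case2": None},
    "Zhu [50]":         {"reg": {"TH": 3}, "case1": {"TH": 11, "TCCM": 4, "TSYM": 6}, "case2": None},
    "Tan [31]":         {"reg": {"TH": 3}, "case1": {"TH": 26, "TCCM": 6},
                         "case2": {"TH": 14, "TCCM": 4}},
    "Ours":             {"reg": {"TH": 5}, "case1": {"TH": 30, "TSYM": 2, "TCCM": 6},
                         "case2": {"TH": 14, "TCCM": 4}},
}


def phase_cost(ops):
    """Sum of count * unit time over the operations of one phase; None stays None."""
    if ops is None:
        return None
    return sum(UNIT_TIME[op] * n for op, n in ops.items())


def scheme_costs(name):
    """Registration, Case-I and Case-II costs (seconds) for one scheme."""
    s = SCHEMES[name]
    return {phase: phase_cost(s[phase]) for phase in ("reg", "case1", "case2")}


def amortized_cost(name, logins):
    """Authentication time for `logins` sessions with the same server (assumed model):
    the first login runs Case-I, every later one runs Case-II when the scheme has it,
    otherwise the full Case-I protocol again."""
    c = scheme_costs(name)
    if c["case2"] is None:
        return c["case1"] * logins
    return c["case1"] + c["case2"] * (logins - 1)


def cheapest(logins):
    """Name of the scheme with the lowest amortised cost for `logins` sessions."""
    return min(SCHEMES, key=lambda n: amortized_cost(n, logins))


if __name__ == "__main__":
    for name in SCHEMES:
        c = scheme_costs(name)
        case2 = "-" if c["case2"] is None else f"{c['case2']:.5f} s"
        print(f"{name:18s} reg {c['reg']:.5f} s  case-I {c['case1']:.5f} s  case-II {case2}")
    for n in (1, 2, 5):
        print(f"cheapest over {n} login(s): {cheapest(n)}")
```

Zhu's scheme is cheaper than the proposed one for a single login but more expensive from the second login onward, which is the trade-off the text above describes.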

8 Conclusion

A multi-server authentication framework enables the provision of server-based services to subscribers through a one-time registration at a registration centre. Recently, an MSA-based scheme by Tan was presented with the objective of reducing the cost of authenticated session establishment when the user needs to obtain service from the same server again. Tan's scheme also provides login scalability; however, that scheme is found vulnerable to malicious insider attack and stolen smart card attack. We proposed an improved scheme at equivalent cost, which not only counters all the threats identified in Tan's scheme but also provides tighter control over subscribers, as demonstrated above. The security features are formally proved in the performance evaluation and security analysis sections.

Table 10 Estimated time cost

| Scheme | Registration | Authentication (Case-I) | Authentication (Case-II) |
|---|---|---|---|
| Li et al. [19] | 3TH, 0.00174 s | 19TH + 6TCCM, 0.13726 s | - |
| Lu et al. [22] | 2TH, 0.00116 s | 15TH + 6TCCM, 0.13494 s | - |
| Chen et al. [2] | 3TH, 0.00174 s | 15TH + 6TECM, 0.38769 s | 6TH + 4TECM, 0.25614 s |
| Tsai and Lo [33] | 6TH, 0.00348 s | 28TH + 2TCCM, 0.05832 s | - |
| Zhu [50] | 3TH, 0.00174 s | 11TH + 4TCCM + 6TSYM, 0.14214 s | - |
| Tan [31] | 3TH, 0.00174 s | 26TH + 6TCCM, 0.14132 s | 14TH + 4TCCM, 0.09228 s |
| Ours | 5TH, 0.0029 s | 30TH + 2TSYM + 6TCCM, 0.16084 s | 14TH + 4TCCM, 0.09228 s |

References

1. Burrows M, Abadi M, Needham R (1990) A logic of authentication. ACM Trans Comput Syst 8:18–36
2. Chen YL, Huang CH, Chou JS (2009) A novel multi-server authentication scheme. Cryptology ePrint Archive 91:161–190
3. Cheong KY, Koshiba T (2007) More on security of public key cryptosystems based on Chebyshev polynomials. IEEE T Circuits-II 54(9):795–799
4. Chuang M-C, Chen MC (2014) An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Syst Appl 41:1411–1418
5. He D, Wu S (2013) Security flaws in a smart card based authentication scheme for multi-server environment. Wirel Pers Commun 70:1–7
6. He DB, Chen YT, Chen JH (2012) Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol. Nonlinear Dynamics 69:1149–1157
7. Hsiang H-C, Shih W-K (2009) Improvement of the secure dynamic id based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 31(6):1118–1123
8. Irshad A, Sher M, Faisal MS, Ghani A, Ul Hassan M, Ashraf Ch S (2014) A secure authentication scheme for session initiation protocol by using ECC on the basis of the Tang and Liu scheme. Security and Communication Networks 7(8):1210–1218
9. Irshad A, Sher M, Rehman E, Ch SA, Hassan MU, Ghani A (2015) A single round-trip SIP authentication scheme for voice over internet protocol using smart card. Multimedia Tools and Applications 74(11):3967–3984
10. Irshad A, Sher M, Chaudhary SA, Naqvi H, Farash MS (2016) An efficient and anonymous multi-server authenticated key agreement based on chaotic map without engaging registration centre. J Supercomput 72:1–22
11. Jin ATB, Ling DNC, Goh A (2004) Bio-hashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn 37(11):2245–2255
12. Juang WS (2004) Efficient multi-server password authenticated key agreement using smart cards. IEEE Trans Consum Electron 50(1):251–255
13. Kanso A, Yahyaoui H, Almulla M (2012) Keyed hash function based on a chaotic map. Inf Sci 186:249–264
14. Lai H, Xiao J, Li L, Yang Y (2012) Applying semi-group property of enhanced Chebyshev polynomials to anonymous authentication protocol. Math Probl Eng. doi:10.1155/2012/454823
15. Lee TF (2015) Enhancing the security of password authenticated key agreement protocols based on chaotic maps. Inf Sci 290:63–71
16. Li C-T (2016) A secure chaotic maps-based privacy-protection scheme for multi-server environments. Security and Communication Networks 9:2276
17. Li L, Lin I, Hwang M (2001) A remote password authentication scheme for multi-server architecture using neural networks. IEEE Trans Neural Netw 12(6):1498–1504
18. Li X, Xiong YP, Ma J, Wang WD (2012) An efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards. J Netw Comput Appl 35(2):763–769
19. Li X, Niu J, Kumari S, Islam SH, Wu F, Khan MK, Das AK (2016) A novel chaotic maps-based user authentication and key agreement protocol for multi-server environments with provable security. Wirel Pers Commun 89:1–29
20. Liao YP, Wang SS (2009) A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 31(1):24–29
21. Lin C, Hwang MS, Li LH (2003) A new remote user authentication scheme for multi-server architecture. Futur Gener Comput Syst 1(19):13–22
22. Lu Y, Li L, Peng H, Yang Y (2016) Cryptanalysis and improvement of a chaotic maps-based anonymous authenticated key agreement protocol for multi-server architecture. Security and Communication Networks 9:13–21
23. Lumini A, Loris N (2007) An improved bio-hashing for human authentication. Pattern Recogn 40(3):1057–1065
24. Mishra D, Das AK, Mukhopadhyay S (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 41:8129–8143
25. Niu Y, Wang X (2011) An anonymous key agreement protocol based on chaotic maps. Commun Nonlinear Sci Numer Simul 16:1986–1992
26. Özkaynak F, Yavuz S (2013) Designing chaotic S-boxes based on time-delay chaotic system. Nonlinear Dynamics 74:551–557
27. Pippal RS, Jaidhar C, Tapaswi S (2013) Robust smart card authentication scheme for multi-server architecture. Wirel Pers Commun 72:1–17
28. Qi J, Fushan W, Shuai F, Jianfeng M, Guangsong L, Abdulhameed A (2016) Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy. Nonlinear Dynamics 83(4):2085–2101
29. Sandeep KS, Sarje AK, Singh K (2011) A secure dynamic identity based authentication protocol for multi-server architecture. J Netw Comput Appl 34(2):609–618
30. Tan Z (2012) Improvement of smart card based password authentication scheme for multi-server environments. Turk J Electr Eng Comput Sci 20(6):881–900
31. Tan Z (2016) A privacy-preserving multi-server authenticated key-agreement scheme based on Chebyshev chaotic maps. Security and Communication Networks. doi:10.1002/sec.1424
32. Tsai JL (2008) Efficient multi-server authentication scheme based on one-way hash function without verification table. Computer Security 27(3–4):115–121
33. Tsai JL, Lo NW (2015) A chaotic map-based anonymous multi-server authenticated key agreement protocol using smart card. Int J Commun Syst 28(13):1955–1963
34. Tsai JL, Lo NW, Wu TC (2013) A new password-based multi-server authentication scheme robust to password guessing attacks. Wireless Personal Communications, accepted for publication. doi:10.1007/s11277-012-0918-6.8
35. Tsaur WJ, Wu CC, Lee WB (2004) A smart card-based remote scheme for password authentication in multiserver internet services. Computer Standards & Interfaces 27:39–51
36. Tsuar WJ, Wu CC, Lee WB (2001) A flexible user authentication scheme for multi-server internet services. In: Proceedings of first international conference on networking, Colmar, France, July 9–13, lecture notes in computer science, vol 2093. Springer-Verlag, Berlin, pp. 174–183
37. Wang B, Ma M (2013) A smart card based efficient and secured multi-server authentication scheme. Wirel Pers Commun 68(2):361–378
38. Wang X, Zhao J (2010) An improved key agreement protocol based on chaos. Commun Nonlinear Sci Numer Simul 15:4052–4057
39. Wang X, Zhang W, Guo W, Zhang J (2013) Secure chaotic system with application to chaotic ciphers. Inf Sci 221:555–570
40. Wong K-W (2003) A combined chaotic cryptographic and hashing scheme. Phys Lett A 307:292–298
41. Xiao D, Liao X, Deng S (2005a) One-way hash function construction based on the chaotic map with changeable parameter. Chaos, Solitons Fractals 24:65–71
42. Xiao D, Liao X, Wong K (2005b) An efficient entire chaos based scheme for deniable authentication. Chaos, Solitons Fractals 23:1327–1331
43. Xiong L, Jianwei N, Zhibo W, Caisen C (2014) Applying biometrics to design three-factor remote user authentication scheme with key agreement. Security and Communication Networks 7(10):1488–1497
44. Xiong L, Jianwei N, Saru K, Junguo L, Wei L (2015a) An enhancement of a smart card authentication scheme for multi-server architecture. Wirel Pers Commun 80(1):175–192
45. Xiong L, Jianwei N, Saru K, Muhammad KK, Junguo L, Wei L (2015b) Design and analysis of a chaotic maps-based three-party authenticated key agreement protocol. Nonlinear Dynamics 80(3):1209–1220
46. Xue KP, Hong PL (2012) Security improvement on an anonymous key agreement protocol based on chaotic maps. Commun Nonlinear Sci Numer Simul 17:2969–2977
47. Yoon EJ (2012) Efficiency and security problems of anonymous key agreement protocol based on chaotic maps. Commun Nonlinear Sci Numer Simul 17:2735–2740
48. Zhang L (2008) Cryptanalysis of the public key encryption based on multiple chaotic systems. Chaos, Solitons Fractals 37(3):669–674
49. Zhao F, Gong P, Li S, Li M, Li P (2013) Cryptanalysis and improvement of a three-party key agreement protocol using enhanced Chebyshev polynomials. Nonlinear Dynamics. doi:10.1007/s11071-013-0979-4
50. Zhu H (2015) A provable privacy-protection system for multi-server environment. Nonlinear Dynamics 82(1–2):835–849

Azeem Irshad received his Master's degree from Arid Agriculture University, Rawalpindi, Pakistan. Currently, he is pursuing his PhD in security for multi-server architectures at International Islamic University, Islamabad, Pakistan. He has authored more than 27 international journal and conference publications, including 11 SCI-E journal publications. His research interests include strengthening of authenticated key agreements in SIP multimedia, IoT, WBAN, TMIS, WSN, ad hoc networks, e-health clouds and multi-server architectures.

Muhammad Sher is a Professor having more than 120 scientific publications. He is chairman of the Department
of Computer Science & Software Engineering, International Islamic University. He is also Dean of the Faculty of
Basic & Applied Sciences. He did his Ph.D. Computer Science from TU Berlin, Germany and M. Sc. from
Quaid-e-Azam University, Islamabad. His research interests include Next Generation Networks and Network
Security.

Shehzad Ashraf Chaudhry received distinction in his Master's and PhD from International Islamic University Islamabad, Pakistan, in 2009 and 2016 respectively. He was awarded a Gold Medal for achieving a 4.0/4.0 CGPA in his Master's. Currently, he is working as an Assistant Professor at the Department of Computer Science & Software Engineering, International Islamic University, Islamabad. He has authored more than 45 scientific publications that appeared in different international journals and proceedings, including 32 in SCI/E journals. His research interests include lightweight cryptography, elliptic/hyper-elliptic curve cryptography, multimedia security, e-payment systems, MANETs, SIP authentication, smart grid security, IP Multimedia Subsystem and Next Generation Networks.

Qi Xie is a professor in Hangzhou Key Laboratory of Cryptography and Network Security, Hangzhou Normal
University, China. He received his PhD degree in applied mathematics from Zhejiang University, China, in 2005.
He was a visiting scholar between 2009 and 2010 at Department of Computer Science, University of Birming-
ham in UK, and a visiting scholar to the Department of Computer Science at City University of Hong Kong in
2012. His research area is applied cryptography, including digital signatures, authentication and key agreement
protocols etc. He has published over 60 research papers in international journals and conferences, and served as
general co-chair of ISPEC2012 and ASIACCS2013, and a reviewer for over 20 international journals.

Saru Kumari is currently an Assistant Professor with the Department of Mathematics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India. She received her Ph.D. degree in Mathematics in 2012 from CCS University, Meerut, UP, India. She has published more than 82 research papers in reputed international journals and conferences, including 65 publications in SCI-indexed journals. She is a reviewer for more than a dozen reputed journals, including SCI-indexed ones such as IEEE Transactions on Dependable and Secure Computing, IEEE Security and Privacy, Computer Networks, Journal of Network and Computer Applications, Computers and Electrical Engineering, Wireless Personal Communications, Cryptologia, Security and Communication Networks, International Journal of Distributed Sensor Networks, International Journal of Ad Hoc and Ubiquitous Computing, Nonlinear Dynamics and Journal of Medical Systems. She is an Associate Editor of the well-reputed journal KSII Transactions on Internet and Information Systems. Her research interests include cryptography and information security.

Fan Wu received his Master's degree in Computer Software and Theory from Xiamen University, Xiamen, China, in 2008. He now works at Xiamen Institute of Technology. His current research interests include information security, internet protocols, and security of wireless communication.
