Computers, Materials & Continua
A Provably Secure and Efficient Remote Password Authentication Scheme Using Smart Cards
1Department of Mathematical Sciences, Faculty of Science and Technology, Universiti Kebangsaan Malaysia, UKM Bangi, 43600, Selangor, Malaysia
2Department of Mathematics, Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA Pahang, Raub Campus, Raub, 27600, Pahang, Malaysia
*Corresponding Author: Eddie Shahril Ismail. Email: firstname.lastname@example.org
Received: 18 August 2021; Accepted: 06 December 2021
Abstract: Communication technology has advanced dramatically in the 21st century, increasing the security risk in safeguarding sensitive information. The remote password authentication (RPA) scheme is the simplest cryptosystem that serves as the first line of defence against attacks by unauthorised entities. Although the literature contains numerous RPA schemes, to the best of the authors' knowledge, only a few schemes based on the integer factorisation problem (IFP) and the discrete logarithm problem (DLP) have provided a provision for session key agreement to ensure proper mutual authentication. Furthermore, none of the previous schemes provided a formal security proof using the random oracle model. Therefore, this study proposes an improved RPA scheme with session key establishment between user and server. The design of the proposed RPA scheme is based on the widely established Dolev-Yao adversary model. Moreover, as the main contribution, a novel formal security analysis based on formal definitions of IFP and DLP under the random oracle model is presented. The proposed scheme's performance was compared to that of other similar competitive schemes in terms of transmission/computational cost and time complexity. The findings revealed that the proposed scheme requires a higher memory storage cost in smart cards. Nonetheless, the proposed scheme is more efficient regarding the transmission cost of login and response messages and the total time complexity compared to other schemes with similar security attributes. Overall, the proposed scheme outperformed the other RPA schemes based on IFP and DLP. Finally, the potential application of converting the RPA scheme to a user identification (UI) scheme is considered for future work. Since RPA and UI schemes are similar, the proposed approach can be expanded to develop a provably secure and efficient UI scheme based on IFP and DLP.
Keywords: Authentication scheme; discrete logarithm; factorisation; password; provable security
In the 21st century, anything is possible on the internet through applications and services, such as operational networks, databases, banking services, and e-commerce, that are available to anyone, anywhere. Although users can enjoy remote access to these services, the convenience offered is not without cost. The communication between users and service providers often involves sensitive data and messages being transmitted through an insecure public channel. Furthermore, communication technology has progressed rapidly, thereby increasing the security risk to private information. The remote password authentication (RPA) scheme is a cryptosystem that allows authorised users to communicate securely with service providers. Therefore, the RPA scheme serves as the first line of defence against dangerous security threats.
1.1 Related Works
In 1999, Yang et al. proposed two RPA schemes with smart cards, using a timestamp and a nonce (random number used once). The schemes adopted the concept of the ID-based signature scheme by Shamir without the need to maintain a password verification table. Furthermore, the schemes enabled users to easily select their passwords and demonstrated resistance to replay and forged login attacks. The schemes' security foundation was grounded on two cryptographic primitives: the Integer Factorisation Problem (IFP) and the Discrete Logarithm Problem (DLP). Nevertheless, several improved schemes [3–9] have been proposed to overcome the security concerns of the scheme by Yang et al. while still maintaining the cryptographic primitives of IFP and DLP.
Fig. 1 presents the literature development of RPA schemes based on the scheme by Yang et al. The related works are defined as studies that have proposed improvements of RPA schemes and maintained the security foundation of IFP and DLP. These works were selected from the lists of citations and references of the previous studies. As an example, from Fig. 1, the enhanced scheme proposed by Shen et al. was designed based on cryptanalysis of the scheme by Yang et al.
Shen et al. provided one of the most significant enhancements to the scheme by Yang et al., arguing that adversaries could exploit users' sensitive data through fake servers. As a result, the problem was rectified by incorporating mutual authentication between user and server. Nevertheless, the scheme was shown to be vulnerable to existing and novel security attacks, such as replay, secret-key guessing, and forgery attacks [10–13]. From there, numerous modifications [10–16] have been proposed. These studies reported their schemes to be more practical and efficient than earlier comparable schemes while maintaining a security basis of similar cryptographic primitives (i.e., IFP and DLP) during mutual authentication. Notably, Liu et al. developed a novel nonce-based RPA scheme that could prevent forged login without incurring additional computational cost on the smart card.
Another notable contribution is the improved scheme by Yang et al., which could withstand forgery, password-guessing, smart card loss, and replay attacks. Subsequently, Kim et al. demonstrated that the scheme by Yang et al. could not withstand previous forgery attacks. Later, Khan demonstrated further vulnerabilities and presented an enhanced scheme with mutual authentication to address the problem. Nevertheless, other studies have shown that the scheme by Kim et al. is vulnerable to forgery attacks. As a result, Giri et al. proposed a new scheme to resist forgery attacks, as well as other types of threats, such as password-guessing, smart card loss, and replay attacks. The most recent related study, by Ismail et al., presented a new attack and proposed modifications to address the new threats.
Awasthi et al. demonstrated that the scheme by Shen et al. is vulnerable to forged login attacks and raised additional security concerns about the scheme by Liu et al. Hence, Awasthi et al. proposed an enhanced scheme for resisting forgery attacks with a reduced smart card memory storage cost. Unfortunately, the scheme was shown to be vulnerable to impersonation, insider, and password-guessing attacks by An, who also suggested improvements to make the scheme resist all of the mentioned attacks while supporting mutual authentication. Furthermore, Kumari et al. highlighted that the scheme proposed by Awasthi et al. could not resist the claimed attacks. Therefore, they recommended a three-factor authentication scheme with the added security of the user's fingerprint.
Kumari et al. proposed the latest RPA scheme construction based on IFP and DLP. The study was the first to introduce a scheme that included a shared session key between the user and the server to eliminate the man-in-the-middle attack, accompanied by the most comprehensive, albeit informal, security analysis. The proposed scheme was shown to be resistant to many security attacks, including smart card loss, replay, impersonation, forgery, offline password-guessing, denial-of-service, insider, and stolen-verifier attacks. Nevertheless, the scheme's computational and communication costs were the highest among all the schemes in Fig. 1.
1.2 Motivation and Contributions
Security analysis, as for any other cryptosystem, is imperative in developing new RPA schemes. Although numerous RPA schemes based on IFP and DLP have been proposed in the literature, none of them provides a security proof under the random oracle model. This requirement has been fulfilled by many schemes in the literature constructed on other cryptographic primitives, such as IFP, the Elliptic Curve Discrete Logarithm Problem (ECDLP), and chaotic maps. Although the study by Kumari et al. featured many security attributes, no formal security proof of its scheme was presented. Moreover, despite being the most secure among similar works, their scheme had to sacrifice performance efficiency. Therefore, the purpose of this study is two-fold. First, this study proposes an efficient RPA scheme with session key agreement based on two cryptographic primitives (IFP and DLP). Second, as the main contribution, it presents a formal security analysis based on the formal definitions of IFP and DLP under the random oracle model to prove the security of the proposed scheme.
1.3 Organisation of the Paper
The remainder of this paper is organised as follows. Section 2 presents the mathematical and security preliminaries. Section 3 then explains the newly proposed scheme. Section 4 presents the proposed scheme's formal and informal security analyses. Section 5 provides a comparative study of the previous schemes of [4,15,16], and the present scheme. Section 6 discusses how the RPA scheme could be used to develop a user identification (UI) scheme. Finally, Section 7 presents the conclusion and recommendation.
This section provides a brief overview of the mathematical concepts that served as the security foundation in the development of the proposed scheme in this study, including the definitions of IFP , DLP , and the one-way hash function (e.g., MD5  or SHA-256 ). The adversary model and security goals were also considered. Tab. 1 shows the notations and descriptions used in this paper.
Given a 2048-bit integer , find the primes p and q that are each at least 1024-bit length. If p and q are known, it will be easy to compute n. Finding p and q given n, on the other hand, is a computationally intractable problem.
Assume that g is a primitive element of a finite field with order p. Consider the equation,
Given g, , and p, calculating the modular exponentiation is trivial. However, finding the exponent given g, , and p is computationally infeasible.
DLP is defined over a multiplicative group where of order . Consider the equation,
If the factorisation of the order is known and has (small) prime factors, an instance of the DLP in can be reduced to two instances of the DLP in and using the algorithm of Pohlig et al. Nevertheless, finding the exponent is believed to be intractable for the DLP in the multiplicative groups of finite fields .
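The reduction just described, as an added worked example in Python (not code from the paper): once the factorisation n = pq is known, a discrete logarithm modulo n splits into one discrete logarithm in F_p and one in F_q, whose answers are recombined with a Chinese-remainder step. The small-field instances are solved here with baby-step giant-step rather than the Pohlig-Hellman subgroup decomposition the paper cites; the toy primes 23 and 47, the generator 5, the exponent 100 and all function names are constructed for this example. Note that p-1 and q-1 are both even, so the two congruences share a common factor and the combined exponent is unique only modulo lcm(p-1, q-1). The defensive reading is the one the initialisation phase of the scheme relies on: as long as p and q are destroyed after set-up and n cannot be factored, this shortcut is unavailable to an adversary.

```python
from math import gcd, isqrt

def dlog_prime_field(g, y, p):
    """Solve g^x = y (mod p) by baby-step giant-step, with g a primitive element
    of F_p. Returns x in [0, p-2]. Cost is O(sqrt p): toy sizes only."""
    m = isqrt(p - 2) + 1                 # m*m >= p-1 covers every exponent
    baby = {}
    cur = 1
    for j in range(m):                   # baby steps: g^j -> j
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)                 # giant-step multiplier g^(-m)
    gamma = y % p
    for i in range(m):                   # giant steps: y * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    raise ValueError("y is not in the subgroup generated by g")

def crt_general(r1, m1, r2, m2):
    """Combine x = r1 (mod m1) and x = r2 (mod m2) for moduli that need not be
    coprime (p-1 and q-1 are both even, so this always applies here).
    Returns (x mod lcm, lcm), or None if the congruences are inconsistent."""
    d = gcd(m1, m2)
    if (r2 - r1) % d:
        return None
    lcm = m1 // d * m2
    m2d = m2 // d
    t = ((r2 - r1) // d) * pow(m1 // d, -1, m2d) % m2d
    return (r1 + m1 * t) % lcm, lcm

def dlog_mod_n(g, y, p, q):
    """DLP in Z_n^*, n = pq, given the factorisation: reduce modulo p and q,
    solve the two small instances, recombine. The result is unique modulo
    lcm(p-1, q-1), which is the order of g in Z_n^* when g generates both fields."""
    xp = dlog_prime_field(g % p, y % p, p)
    xq = dlog_prime_field(g % q, y % q, q)
    return crt_general(xp, p - 1, xq, q - 1)

# Constructed toy instance: safe primes p = 23 = 2*11+1 and q = 47 = 2*23+1;
# g = 5 is a primitive element of both F_23 and F_47.
P, Q, G = 23, 47, 5
N = P * Q
SECRET_X = 100                            # the exponent an attacker would be after
Y = pow(G, SECRET_X, N)                   # the public value g^x mod n

if __name__ == "__main__":
    x, order = dlog_mod_n(G, Y, P, Q)
    print(f"recovered x = {x} (mod {order}); g^x == y: {pow(G, x, N) == Y}")
```

With the factorisation hidden, the same instance would require solving the DLP directly in Z_n^*, which is the hardness the scheme assumes; with it revealed, the problem collapses to two sub-square-root searches in 22- and 46-element groups.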
2.3 Hash Function
A cryptographic one-way hash function has the following properties.
■ The function h takes an arbitrary length input and returns a fixed -bit length message digest .
■ The function h is one-way; that is, given the input x, computing is trivial. However, given y, it is computationally infeasible to find the inverse .
■ The function h is collision-resistant, which means that finding two inputs such that is computationally infeasible.
The SHA-256 hash function was adopted for the proposed scheme. Other secure hash algorithms, such as SHA-1, SHA-224, SHA-384, SHA-512, and SHA-512/256 , can also be implemented.
2.4 Adversary Model
For communications over an insecure public channel, the Dolev et al.  adversary model was considered. Accordingly, the following assumptions were made.
■ Assumption A1: An adversary can trap, delete, or alter the transmitted messages.
■ Assumption A2: An adversary can obtain the stored information in the smart card using power monitoring techniques [32,33].
■ Assumption A3: An adversary can guess the identity or password using the dictionary attack. However, the adversary cannot guess the identity and password simultaneously using any online/offline attacks within polynomial time .
According to this adversary model, the following two cases as per  were also taken into account.
■ Case 1: An adversary can be a non-registered user who tries to perform various attacks against the authentication system.
■ Case 2: An adversary can be a registered user who tries to obtain the secret parameters of the server by which he/she can mount various attacks against the authentication system.
2.5 Security Goals
The following security goals of an ideal RPA scheme, as listed in , are defined in this study and should be achieved.
■ Mutual authentication: Both the server and the user can verify the legitimacy of each other. Furthermore, no illegal users or servers can impersonate a legal user or server.
■ Session key agreement: A session key should be created at the end of a successful mutual authentication process. Subsequently, the data transmitted between both entities should be encrypted to ensure confidentiality and secrecy.
■ User anonymity: During data transmission over a public channel, a user's valid identity should be concealed. Even if an adversary can analyse login information or gain access to services, user anonymity protects the user's sensitive data, such as personal details, financial information, and social circles, from unauthorised parties.
3 Proposed Scheme
This section presents the proposed RPA scheme, which is based on the security of IFP and DLP and consists of five phases: (1) initialisation phase, (2) registration phase, (3) login phase, (4) authentication phase, and (5) password change phase. Furthermore, three entities are considered: the KIC, user , and server S. In this scheme, the KIC is a trusted authority responsible for generating global parameters, computing user and server secret information, and providing new users with smart cards.
3.1 Initialisation Phase
The KIC sets up the server's public and secret parameters during the initialisation phase.
1. Generate two large primes and of 1024-bit length, where and are both primes.
2. Compute and .
3. Find a prime number e and an integer d such that , where e is the server's public key and d is the corresponding private key.
4. Find an integer g, which is a primitive element for both finite prime fields and .
5. Decide on a secret parameter or for server S and the format for identity of a user.
The private key d, secret parameter x, and the format of a user's should be safely provided to the server S. The KIC is no longer needed once the system is set up, except during the registration phase when new users request to join. The prime pair p and q will not be used again and should be disposed of securely.
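The initialisation phase above, as an added Python example that is not the paper's own code. It assumes that the omitted conditions are n = pq, φ(n) = (p-1)(q-1) and ed ≡ 1 (mod φ(n)), that "where p' and q' are both primes" means p = 2p'+1 and q = 2q'+1 are safe primes (which is what makes the primitive-element test in Step 4 cheap), and that the secret parameter x is a 160-bit random integer, since the page fixes that size only for the users' random values. Function names and the injectable `randbits` parameter are assumptions of this example. The default 1024-bit size matches the paper; the demonstration and tests use small sizes so that they finish quickly. The primes p and q are local to the set-up function and are never returned, mirroring the requirement that the KIC dispose of them once n is published.

```python
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32, randbits=secrets.randbits):
    """Miller-Rabin primality test; `randbits` is injectable for reproducible runs."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + randbits(n.bit_length() + 8) % (n - 3)   # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_safe_prime(bits, randbits=secrets.randbits):
    """Return (p, p') with p = 2p' + 1, both prime, and p exactly `bits` bits long."""
    while True:
        pp = randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        p = 2 * pp + 1
        if is_probable_prime(pp, randbits=randbits) and is_probable_prime(p, randbits=randbits):
            return p, pp

def is_primitive_safe(g, p, pp):
    """For a safe prime p = 2p'+1 the order of g divides 2p', so g generates F_p^*
    exactly when g^2 != 1 and g^(p') != 1 (mod p)."""
    g %= p
    return g != 0 and pow(g, 2, p) != 1 and pow(g, pp, p) != 1

def find_common_primitive_element(p, pp, q, qp):
    """Smallest g that is a primitive element of both F_p and F_q (Step 4)."""
    for g in range(2, min(p, q)):
        if is_primitive_safe(g, p, pp) and is_primitive_safe(g, q, qp):
            return g
    raise ValueError("no common primitive element found")

def kic_setup(bits=1024, randbits=secrets.randbits):
    """KIC initialisation. Returns (public parameters, server secrets); p and q
    stay local and are discarded when the function returns."""
    p, pp = generate_safe_prime(bits, randbits)                  # Step 1
    q, qp = generate_safe_prime(bits, randbits)
    while q == p:
        q, qp = generate_safe_prime(bits, randbits)
    n, phi = p * q, (p - 1) * (q - 1)                            # Step 2 (assumed: n and phi(n))
    while True:                                                  # Step 3: prime e, d = e^-1 mod phi(n)
        e = randbits(bits) | 1
        if is_probable_prime(e, randbits=randbits) and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    g = find_common_primitive_element(p, pp, q, qp)              # Step 4
    x = randbits(160)                                            # Step 5: secret x (160-bit is an assumption)
    return {"n": n, "e": e, "g": g}, {"d": d, "x": x}

if __name__ == "__main__":
    public, server_secret = kic_setup(bits=64)
    m = 123456789 % public["n"]
    ok = pow(pow(m, public["e"], public["n"]), server_secret["d"], public["n"]) == m
    print(public, "e*d = 1 mod phi(n):", ok)
```

The round trip m -> m^e -> (m^e)^d lets a caller confirm that d really is the inverse of e modulo φ(n) without ever holding p or q, which is the only check the server can run on the material it receives from the KIC.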
3.2 Registration Phase
In the registration phase, a new user performs the following steps.
1. Choose the identity and the password .
2. Generate a random integer of 160-bit length.
The KIC then performs the following steps.
5. Generate .
6. Compute and .
7. Compute and .
8. Compute .
9. KIC .
After receiving the smart card , performs the following steps.
10. Compute .
11. Update the smart card .
Fig. 2 depicts an overview of the proposed RPA scheme's phases.
3.3 Login Phase
When a registered user wants to access the server S, the user inserts the smart card into a remote terminal. The user then enters the identity and password . The following steps are taken by the smart card .
1. Extract by computing .
2. Compute .
3. Check . If the equation holds, the smart card believes that the user is a valid user. Otherwise, the login request should be aborted.
4. Extract w by computing .
5. Generate a random integer of 160-bit length.
6. Compute dynamic identity of , .
7. Compute and , where is the timestamp of the user when the login request is submitted.
8. Login message .
3.4 Authentication Phase
Once the server S receives the login message request at the time , it proceeds with the following steps.
1. Check , where is the allowed transmission delay. If the timestamp check fails, the login request is rejected.
2. Compute .
3. Extract by computing .
4. Check the validity of the format for . If the format of is invalid, the login request is rejected.
5. Compute .
6. Check . If the equation does not hold, the login request is rejected.
7. Otherwise, compute and .
8. Response message .
Once the user receives the response message at the time , the user then performs the following steps.
9. Check . Disconnect from the server S if the time difference does not hold.
10. Compute .
11. Check . Disconnect from the server S if the equation does not hold.
12. If mutual authentication is successful, the session key is agreed upon between the user and server S.
Once the session key is established, the user and server S can communicate with each other immediately. This step completes the mutual authentication process and eliminates the risk of the man-in-the-middle attack.
3.5 Password Change Phase
This phase enables the user to change or update the password independently without interacting with the KIC or the server S. When changing the password, the user inserts the smart card into the terminal and enters the identity and password . The following steps are conducted by the smart card .
1. Extract by computing .
2. Compute .
3. Check . If the equation holds, the smart card believes the user is a valid user and requests for a new password . Otherwise, the password change request is rejected.
Once the user enters the new password , the smart card performs the following steps.
4. Generate a random integer of 160-bit length.
5. Compute and .
6. Compute and .
7. Replace , , and with , , and , respectively.
8. Update the smart card .
If user 's smart card is lost or stolen, the user must re-register with the KIC. Then, the KIC should issue a new smart card for the user following the steps outlined in the registration phase.
3.6 Proof of Correctness
The propositions and proofs of correctness are presented below for the sake of completeness of the proposed scheme.
Proposition 1. If user enters the correct identity and password , and Steps 1 and 2 of the login phase run well, the local user verification equation in Step 3 of the login phase will always hold. The proof is shown below.
Proposition 2. If all the login phase steps and Steps 1–5 of the authentication phase run well, and the login message is properly generated, then the user authentication equation in Step 6 of the authentication phase will always hold, as shown below.
Proposition 3. If all the steps in the authentication phase (Steps 1–10) run well and the response message is properly generated, then the server authentication equation in Step 11 of the authentication phase will always be true, as shown below.
4 Security Analysis of the Proposed Scheme
This section presents the formal security proof that the proposed scheme is provably secure against an adversary for deriving the private key d, secret parameter x, identity , password , and shared session key . The proposed scheme is also shown to provide the desired security attributes.
4.1 Formal Security Proof
The formal security analysis of the proposed scheme, which is based on the random oracle model, is explained below. Specifically, the proposed scheme's formal security proof adopted the approach taken by [22,37–39]. To begin, the formal definitions of the collision-resistant cryptographic one-way hash function , IFP  and DLP [40,41] are given.
Definition 1. A secure collision-resistant one-way hash function
is a deterministic algorithm that takes an arbitrary length input binary string and yields a fixed-length -bit binary string output .
An adversary 's advantage in finding a collision is given as
where is the probability of an event E in a random experiment and denotes a randomly selected pair by the adversary . As a result, the adversary can be probabilistic. The adversary computes the probability in the advantage over the random choices with the execution time . If , for any sufficiently small , the one-way function is collision-resistant.
Definition 2. Assume that is a polynomial time algorithm with input security parameter and outputs , where , and p and q are -bit distinct primes. Given n, the integer factorisation assumption relative to states that it is computationally infeasible to derive the prime factors p and q, except with a negligible probability in .
For any adversary of probabilistic-polynomial time (PPT), its factorisation advantage is given by
The integer factorisation assumption states that is negligible in for every PPT adversary . That is, the -IFP assumption holds if , for any sufficiently small , with running time at most .
Definition 3. Let G be an order n cyclic group, g be a generator of G, and A be an algorithm that returns an integer in . The following experiment in Algorithm 1 is considered.
The DLP advantage of algorithm A with execution time t is defined as
If the DLP advantage of any adversary in terms of time complexity is small, the DLP is hard in G. Hence, DLP is computationally infeasible if , for any sufficiently small .
For this security proof, the adversary is assumed to have access to the following three random oracles.
■ This oracle outputs the string x from a hash value .
■ This oracle outputs the private key d of the server S from the values n and e.
■ This oracle outputs the value from the value , where g is the generator in G of order n.
The three theorems and proof of formal security analysis are then presented as follows.
Theorem 1. If the cryptographic one-way hash function behaves like a true random oracle, and integer factorisation and discrete logarithm are computationally hard problems, then the proposed RPA scheme is provably secure against an adversary for deriving the private key d and secret parameter x of server S.
Proof. Initially, an adversary is constructed with the ability to derive private key d and secret parameter x of the server S by running the algorithm , as shown in Algorithm 2 for the proposed RPA scheme. By Assumption A2, suppose that the adversary can extract from the smart card using power monitoring techniques. By Assumption A1, it is further assumed that the adversary intercepts login message and response message at the time and , respectively.
The success probability of is given by . Additionally, the advantage of is given by , where the maximum over all adversaries is taken with execution time t and the number of queries , , and made to , , and , respectively.
According to , if an adversary could obtain the inverse of the cryptographic one-way hash function and solve the IFP and DLP, then the adversary can successfully find the private key d and secret parameter x of server S using the oracles , , and , and wins the game. However, it is computationally infeasible for the adversary as the advantage is negligible in polynomial time. By Definitions 1, 2, and 3, , , and , for any sufficiently small . Since depends on all , , and , it must be that , for any sufficiently small . As a result, the theorem is proven.
Theorem 2. If the cryptographic one-way hash function behaves like a true random oracle, then the proposed RPA scheme is provably secure against an adversary for deriving the identity and password of user .
Proof. An adversary is constructed who can derive the identity and password of user by running the algorithm of the proposed RPA scheme, as presented in Algorithm 3. Suppose that the adversary can obtain the secret values stored in a lost or stolen smart card, as shown in Theorem 1.
The success probability of is defined as and its advantage is , where the maximum over all adversaries is taken with execution time t and the number of queries made to .
Considering given in Algorithm 3, the adversary will successfully obtain the identity and password , and will thus win the game, only if the adversary can calculate the inverse of the cryptographic one-way hash function . Nevertheless, this is computationally infeasible for any adversary due to the collision-resistant property of . Since for any sufficiently small by Definition 1, it must be that , for any sufficiently small . Therefore, the proposed RPA scheme is provably secure against an adversary for deriving the identity and password of user .
Theorem 3. If the cryptographic one-way hash function behaves like a true random oracle, then the proposed RPA scheme is provably secure against an adversary for deriving the shared session key between user and server S.
Proof. Suppose that an adversary can derive the shared session key by running the algorithm against the proposed RPA scheme, as described in Algorithm 4. As in Theorem 1 and Theorem 2, suppose that the adversary can extract the information from a lost or stolen smart card, and intercept login message and response message .
The success probability of is , and its advantage is , where the maximum over all adversaries is taken with execution time t and the number of queries made to .
Based on , if the adversary can evaluate the inverse of a collision-resistant one-way hash function , the adversary can successfully derive the shared session key by using and wins the game. Nevertheless, Definition 1 states that for any sufficiently small . Then, it must be that , for any sufficiently small , since it depends on . Hence, the proposed RPA scheme is shown to be provably secure against an adversary for deriving shared session key between the user and server S.
4.2 Security Attributes
This section further analyses the security attributes offered by the proposed RPA scheme.
4.2.1 No Data Storage in Server
The proposed scheme preserves the “no data storage” feature of Kumari et al.  scheme. By using the information provided by the login message request, private key d, and secret parameter x, the server S can perform all the calculations to authenticate the validity of the user .
4.2.2 Mutual Authentication
The proposed scheme includes mutual authentication steps for verifying the legitimacy of the user and server S. The server S authenticates the user by checking the user authentication equation . A valid user will pass the authentication since the identity must follow the specified format.
Next, the user checks the legitimacy of server S by verifying . Since the user's identity is not transmitted explicitly in the public channel, the adversary does not know the value of . Therefore, any malicious user cannot compute the value of . As a result, the proposed scheme can attain mutual authentication.
4.2.3 Session Key Agreement
After completing the mutual authentication process, both the user and server S will establish a shared session key . Since the adversary does not know , , and w, the session key cannot be directly computed due to the cryptographic collision-resistant one-way hash function. As a result, the proposed scheme can protect the secrecy of shared session keys.
4.2.4 User Anonymity
According to Assumption A2, the adversary may extract information from the smart card . The identity is contained in the parameters , , , and . Nevertheless, the adversary is unable to derive identity since the adversary needs to invert the output of a collision-resistant one-way hash function. This is only possible for an adversary with a negligible probability in polynomial time, as proven in Theorem 2. As a result, the proposed scheme can preserve user anonymity.
4.2.5 Local Password Verification
The proposed scheme offers an incorrect input detection feature. Before logging into the server S, the smart card verifies the legality of identity and password . The verification equation will detect if a user inputs the identity or password , or both incorrectly by mistake. Without knowing , , and , the adversary is unable to correctly calculate and subsequently, the verification will fail. Therefore, the proposed scheme can block illegal access using local password verification.
4.2.6 Password Changeability
The extra “password change” phase in the proposed scheme grants users the convenience to change or update their passwords locally. This phase can be done without interacting with the KIC or the server S.
The proposed scheme permits the user to freely choose the identity and password . The user can easily change or update the password without communicating with server S within minimal time without having to go through the registration phase. As a result, the proposed scheme is hassle-free and user-friendly.
5 Performance Comparison and Analysis
The endorsement of a new RPA scheme should be supported by careful analysis of its performance. For this purpose, the proposed scheme was compared with similar RPA schemes [4,15,16]. These schemes were chosen according to the security attributes offered, namely mutual authentication and no data storage in the server. Furthermore, since the aim of this study is to propose an efficient RPA scheme, it is reasonable to compare its performance to the most recent scheme in the literature, by Kumari et al. The security attributes and efficiency of all schemes considered are investigated in this section.
Tab. 2 compares all schemes based on the security attributes discussed in Section 4. According to Tab. 2, the proposed scheme and the scheme by Kumari et al.  outperformed the schemes by Shen et al.  and Awasthi et al. . All of the security attributes of  were retained in the proposed scheme, including no storage of data in server S, mutual authentication, session key agreement, user anonymity, local password verification, password changeability, and user-friendliness. Furthermore, unlike the other schemes, the proposed scheme includes a formal security analysis. As a result, the proposed RPA scheme outperformed other considered schemes in terms of security attributes.
The assessment assumptions for the efficiency analysis were based on [17,29]. It is assumed that each value of is 160 bits long, that the message digests of the secure one-way hash function (SHA-256) are 256 bits long, and that timestamps are 32 bits long. The modular operation of is 2048 bits long, and modular exponentiation is regarded as the most expensive operation. Hence, the values are 2048-bit and are 1024-bit. The exclusive OR () operation involves very few computations and is hence negligible. The time complexity with the exponential operation (), modular multiplication operation (), hashing operation (), and exclusive OR operation () can be roughly expressed as . For ease of time complexity comparison between schemes, the execution time complexity of and in terms of is approximated as and . Tab. 3 shows the transmission/computational cost and time complexity for all considered schemes.
In the proposed scheme, the parameters are stored within the smart card . The memory storage required for the smart card is 9984 bits, which is the highest among the schemes, 352 bits more than Shen et al. The transmission cost is the memory space of the login message and response message that are exchanged during the login and authentication phases. For the proposed scheme, it is 10560 bits, which is the lowest among the schemes, 928 bits less than Awasthi et al. The computational cost is the total time complexity of the operations executed during the registration phase, . The computational costs of the smart card and server S are and , respectively (these reflect the time spent during the authentication phase and session key agreement).
Based on Tab. 3, the total computational costs () of the schemes of Shen et al. and Awasthi et al. are both . The total computational costs for the schemes of Kumari et al. and the proposed scheme are and , respectively. Compared with the schemes by Shen et al. and Awasthi et al., the proposed scheme is less efficient, with a 14 higher computational cost. In Fig. 3, the bar chart presents the efficiency of the proposed scheme over the other considered schemes. It is clear that the proposed scheme is more efficient than that of Kumari et al.; the total computational cost of Kumari et al. has been reduced by 20% in the proposed scheme.
As provided in Tab. 2, both the proposed scheme and Kumari et al.  require extra steps for session key agreement, which explains the higher computational cost when compared to the schemes by Shen et al.  and Awasthi et al.  in Tab. 3. It is worth noting that, as shown in Tab. 3, the proposed scheme requires larger smart card memory storage, particularly 3480-bit more than Kumari et al. . However, this is justified because the proposed RPA scheme significantly reduced the transmission cost by 1024-bit as compared to Kumari et al. . Additionally, the total computational cost improved to 1945 , which is 488 less than Kumari et al. . Based on the security attributes, communication cost, and time complexity, it can be concluded that the proposed scheme outperformed all other schemes considered.
This section discusses the proposed approach's potential applicability in developing a UI scheme. The UI scheme can be considered a simpler algorithm used to distinguish unique users prior to the authentication process. Most RPA schemes require two or more factors (e.g., password, smart card, and fingerprint), whereas UI schemes just need the user's identity. Figs. 4a and 4b show the flowcharts for the RPA and UI schemes, respectively. At a glance, the phases in the RPA and UI schemes appear similar, except that the UI scheme does not require a login phase. Some parameters can be removed while retaining the cryptographic primitives of IFP and DLP, depending on the security goals and purposes. Therefore, it would be interesting to investigate the prospect of converting the proposed RPA scheme into an improved UI scheme with provable security.
This study primarily aims to propose an efficient RPA scheme that offers session key establishment between user and server. The widely established Dolev-Yao adversary model was considered in the development of the proposed scheme, which attained the desired security attributes of Kumari et al., such as no data storage in server S, user anonymity, local password verification, password changeability, and user-friendliness. Furthermore, as the main contribution, a formal security proof of the proposed scheme was presented based on the random oracle model using formal definitions of IFP and DLP. Although the proposed scheme requires more smart card memory than the similar schemes by Shen et al., Awasthi et al. and Kumari et al., this is acceptable owing to its much-reduced transmission/computation cost and time complexity compared with the scheme of Kumari et al. The performance analysis showed that the proposed RPA scheme is noticeably better than that of Kumari et al. while providing the same security attributes. Future work will investigate the use of the two cryptographic primitives (IFP and DLP) in the development of UI schemes. Since the phases in RPA and UI schemes are similar, it would be interesting to examine this potential application, particularly in terms of security and performance. This is expected to aid in the design of an efficient and provably secure UI scheme.
Acknowledgement: Authors are grateful for the support from Universiti Teknologi MARA (UiTM) and Universiti Kebangsaan Malaysia (UKM) for providing the facilities and resources, and UiTM/KPT-SLAB scholarship from the Ministry of Higher Education Malaysia (MOHE). In addition, the authors would like to thank anonymous reviewers for their comments and suggestions to improve this manuscript.
Funding Statement: This research is funded by UKM under Grant No. GUP-2020-029.
Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.