In the digital information world, users can easily obtain various kind of services from the distributed networks anywhere and anytime such as online shopping, online bank and payTV. Ordinary user authentication protocols are fit to tackle security issues for the single user/server design scenarios. Nowadays, authentication protocols for multi-server architectures play a prime role in the Internet world. The multi-server system contains three participants, including users, servers, and the registration centre. The registration centre as the relied third-party, administers all registered servers and users. A multi-server authentication scheme offers services to be accessed from different servers with one time registration.

Ali and Pal [ 1 ] presented a three factor-based authentication scheme in a multi-server environment using ECC. This paper reviews Ali and Pal’s protocol [ 1 ] and shows its weaknesses, such as session-specific temporary information leakage attack and replay attack. To conquer specific weaknesses, we design an amended protocol.

Table 1 shows symbols and their meaning. 3. Review of Ali and Pal’s protocol

Ali and Pal’s protocol includes six phases. Beginning from initialization phase, they discussed server enrollment phase, user enrollment phase, login phase, authentication and key agreement phase and password change phase. 3.1.

To boot up the system, RC selects a generator P of elliptic curve and chooses a secret key y as the system parameter. 3.2.

The server enrolls itself at the registration center RC. Server selects its own identity SIDj and transfers {SIDj} to RC through open channel. When the message {SIDj} is received by RC from the server, then RC evaluates AH = h(SIDj || y). RC transmits the information {AH} to the server through secure channel. 3.3.

First, user selects his/her identity UIDi, imprints Bi and forwards the message {UIDi, H(Bi)} to RC through open channel. When a request message is received form the user then RC selects a random number J and evaluates HIDi = Ench(x) (UIDi || J), Mi = H(Bi)·P, Ei = h(UIDi || y)·P, Hi = Mi + Ei. Now RC inserts all information {Hi, HIDi, P, Ek/Dk, h(·), H(·)} into SC and forwards {SC} to the user. After receiving the message {SC} from RC, user evaluates Zi = h(UIDi || PWi || H(Bi)) and also inserts Zi into SC.

User embeds SC and enters UIDj*, PWi* and imprints Bi*. Now SC evaluates Zi* = h(UIDi*||PWi*||H(Bi*)) and checks Zi* =? Zi. If the equality does not hold then the connection is disrupted by the user. Otherwise, the user chooses a random number Jc and evaluates A1 = Jc·P, A2 = H(B1)·P + A1, A3 = h(UIDi || A1 || SIDj || Hi) and user transmits the login message {HIDi, Hi, A2, A3} to RC through open channel.

When the login request message {HIDi, Hi, A2, A3} is received from the user then RC evaluates Dech(x)(HIDi) = [UIDi, J], Mi* = Hi – h(UIDi || y)·P, A1* = A2 – Mi*, A3* = h(UIDi || A1* || SIDj || Hi) and checks A3* =? A3. If the equality does not hold then the request is dropped by RC. Otherwise, RC chooses an arbitrary number Js and evaluates HIDinew = Ench(x)(UIDi || Jsc), Xi = Ench(SIDj||y)[UIDj || A1 || H(Bi)], A4 = Jsc·P, A5 = A4 + H(Bi) ·P, A6 = h(A4 || HIDinew || SIDj) and transmits the message{A5, A6, HIDinew, Xi} to the server through open channel.

After receiving the message {A5, A6, HIDinew, Xi} from RC, server evaluates Dech(SIDj||y)(Xi) = [UIDi || A1 || H(Bi)], A4* = A5 – H(Bi)·P, A6* = h(A4* || HIDinew || UIDi || SIDj) and checks A6* =? A6. If the equality does not hold then the connection is disrupted by the server. Otherwise, server chooses Js and evaluates A7 = Js·P, A8 = A7 + A1, A9 = h(HIDinew || A7 || A4 || H(Bi)·P) and transmits the message {HIDinew, A9, A8, A5} to the user.

After receiving the message {HIDinew, A9, A8, A5} from the server, user evaluates A7* = A8 – A1, A4* = A5 – H(Bi)·P, A9* = h(HIDinew || A7* || A4* || H(Bi)·P) and checks A9* =? A9. If the equality does not hold then the connection is disrupted by the user. Otherwise, user evaluates SK = h(Jc·P || Jsc·P || Js·P), Ni = SK·P + h(IDi || H(Bi))·P. Now the user transmits message {Ni} to the server through open channel. Note that the user changes HIDinew with HIDi into SC to avoid user untraceability attack.

After receiving the message {Ni} from the user, the server evaluates SK* = h(Jc·P || Jsc·P || Js·P), Ni* = SK*·P + h(UIDi || H(Bi)·P) and checks Ni* =? Ni. If the equality does not hold then the connection is disrupted by the server. Otherwise, the connection is created. 3.6.

User can modify his/her password easily without interfering with the server. First, user inserts his/her smartcard into a card reader and enters UIDj*, PWi* and also imprints Bi*. Now, the smartcard reader evaluates Zi* = h(UIDj* || PWi* || H(Bi*)) and verifies Vi* =? Vi. If the equality does not hold then the connection is ended. Otherwise, the user selects new password PWinew and evaluates Zinew = h(UIDi || PWinew || H(Bi*)). Finally, it interchanges Zi with Zinew in memory of the smartcard. 4. Cryptanalysis of Ali and Pal’s

In this phase, we describe the weaknesses of Ali and Pal’s protocol.

Ali and Pal’s protocol suffers from session-specific temporary information attack as the explanation follows. Suppose, if random number Jc is compromised by any attacker ℋ, then ℋ can harm the valid user. ℋ can compute easily other random numbers Jsc, Js by some mechanism. By using the information about Jc·P, Jsc·P, and Js·P, ℋ can compute SK = h(Jc·P || Jsc·P || Js·P). It is a very serious flaw in their protocol.

Suppose temporary random number Jc is leaked somehow, then ℋ can evaluate session key easily from the known temporary random number in the following steps (also shown in Fig.1).

Step 1: First, ℋ eavesdrops the login request message {HIDi, Hi, A2, A3} and also other request messages {A5, A6, HIDinew, Xi}, {HIDinew, A9, A8, A5} at the time of authentication and key agreement phase. Step 2: After this ℋ computes A1 = Jc·P and H(Bi)*·P = A1 – A2. A2 is taken from eavesdropped message {HIDi, Hi, A2, A3}. Step 3: ℋ also uses eavesdropped message {A5, A6, HIDinew, Xi} to get A5, which is sent by registration center to the server. Now ℋ evaluates A4* = H(Bi)*·P – A5 = Jsc·P. Here, Jsc is a random number, chosen by RC.

Step 4: Now ℋ wants to compute Js. A8 is retrieved from eavesdropped message {HIDinew, A9, A8, A5}, which is transmitted by the server to the user. After getting the information A8, ℋ can compute A7* = A1* – A8 = Js·P.

Step 5: After evaluating all the temporary random numbers Jsc and Js from Jc, ℋ can find out SK = h(Jc·P || Jsc·P || Js·P) by using these information. Therefore, Ali and Pal’s protocol is suffers from session-specific temporary information attack.

Assuming that the login request message {HIDi, Hi, A2, A3} is eavesdropped by ℋ, which was sent by a legal user to the legal server. After some time, ℋ transmits the same login request message {HIDi, Hi, A2, A3} to the legal server. When the login request message is received then the server cannot recognize the freshness of the message and evaluates Dech(y)(HIDi) = [UIDi, J], Mi* = Hi – h(UIDi || y)·P, A1* = A2 – Mi*, A3* = h(UIDi || A1* || SIDj || Hi) and checks A3* =? A3. Obviously, the equality will hold and the server accepts the login request of the ℋ. The freshness of the login request message is not check by the server in Ali and Pal’s protocol. Therefore, Ali and Pal’s protocol is suffering from replay attack.

Our proposed protocol includes six phases: initialization phase, server enrollment phase, user enrollment phase, login phase, authentication and key agreement phase and password change phase.

In this phase, the server enrolls itself at the registration center RC. The server selects its own identity SIDj and transmits the message {SIDj} to RC through open channel. When SIDj is picked up from the server then RC evaluates AH = h(SIDj || y) and RC transmits the message {AH} to the server through open channel as shown in Figure 2.

Sj Select SIDj RC {SIDj} {MK}

Compute MK = h(SIDj || y)

First, user selects his/her identity UIDi, imprints Bi and transmits the message {UIDi, H(Bi)} to RC through open channel. When the request message is received from the user then RC selects a random number J and evaluates HIDi = Ench(x) (UIDi || J), Mi = H(Bi)·P, Ei = h(UIDi || y)·P, Hi = Mi + Ei. Now, RC inserts all information {Hi, HIDi, P, Ek/Dk, h(·), H(·)} into SC and transmits {SC} to the user. After receiving {SC} from RC, user evaluates Zi = h(UIDi || PWi || H(Bi)) and inserts Zi into SC as shown in Figure 3.

User embeds SC into the card reader and enters UIDj*, PWi* and imprints Bi*. Now SC evaluates Zi* = h(UIDi*||PWi*||H(Bi*)) and checks Zi* =? Zi. If the equality does not hold then the connection is stopped. Otherwise, user chooses a random number Jc and evaluates A1 = Jc·P, A2 = H(B1)·P + A1, A3 = h(UIDi || A1 || SIDj || Hi). Now, user transmits the login request message {HIDi, Hi, A2, A3, T1} to RC through open channel as shown in Figure 4.

Uj Select UIDi and imprint Bi

RC {UIDi, H(Bi)}

Choose J HIDi = Ench(x) (UIDi || J) Mi = H(Bi)·P Ei = h(UIDi || y)·P Hi = Mi + Ei

Insert {Hi, HIDi, P, Ek/Dk, h(·), H(·)}

into SC {SC} Zi = h(UIDi || PWi || H(Bi))

Insert into Zi into SC Figure 2. User Enrollment Phase of the proposed protocol

Uj Insert SC Enter UIDi*, PWj* and imprint Bi* Calculate Zi* = h(UIDi*||PWi*||H(Bi*)) Check Zi* =? Zi.

Choose Jc Compute A1 = Jc·P A2 = H(B1)·P + A1 A3 = h(UIDi || A1 || SIDj || Hi) {HIDi, Hi, A2, A3, T1} RC

After receiving the login request message {HIDi, Hi, A2, A3, T1} from the user, RC checks T2 – T1 ≤ ∆T and evaluates Dech(x)(HIDi) = [UIDi, J], Mi* = Hi – h(UIDi || y)·P, A1* = A2 – Mi*, A3* = h(UIDi || A1* || SIDj || Hi) and checks A3* =? A3. If the equality does not hold then the connection is stopped by RC. Otherwise, RC chooses Js and evaluates HIDinew = Ench(x)(UIDi || Jsc), Xi = Ench(SIDj||y)[UIDj || A1 || H(Bi)], A4 = Jsc·P, A5 = A4 + H(Bi) ·P, A6 = h(A4 || HIDinew || SIDj). RC transmits the message {A5, A6, HIDinew, Xi, T2} to the server through open channel.

When the message {A5, A6, HIDinew, Xi, T2} is picked up from RC then server checks T3 – T2 ≤ ∆T and evaluates Dech(SIDj||y)(Xi) = [UIDi || A1 || H(Bi)], A4* = A5 – H(Bi)·P, A6* = h(A4* || HIDinew || UIDi || SIDj) and checks A6* =? A6. If the equality does not hold then the connection is stopped by the server. Otherwise, server chooses Js and evaluates A7 = Js·P, A8 = A7 + A1, A9 = h(HIDinew || A7 || A4 || H(Bi)·P). Now, server transmits the message {HIDinew, A9, A8, A5, T3} to the user.

After receiving the message {HIDinew, A9, A8, A5, T3} from the server, user checks T4 – T3 ≤ ∆T and evaluates A7* = A8 – A1, A4* = A5 – H(Bi)·P, A9* = h(HIDinew || A7* || A4* || H(Bi)·P) and checks A9* =? A9. If the equality does not hold then the connection is stopped by the user. Otherwise, user evaluates SK = h(Jc·P || Jsc·P || Js·P || UIDi), Ni = SK·P + h(UIDi || H(Bi))·P. Now, user transmits the message {Ni, T4} to the server through open channel. Note that the user replaces HIDinew with HIDi into SC to avoid user untraceability attack.

After receiving the message {Ni, T4} from the user, server checks T5 – T4 ≤ ∆T and evaluates SK* = h(Jc·P || Jsc·P || Js·P || UIDi), Ni* = SK*·P + h(UIDi || H(Bi)·P). After that, the server checks Ni* =? Ni. If the equality does not hold then the connection is stopped by the server. Otherwise, the connection is established between the user and the server as shown in Figure 5. 5.6.

User can modify his/her password easily without interacting with the server. First, user injects his/her smartcard into a card reader and chooses UIDi*, PWi* and also imprints Bi*. Now, the card reader evaluates Vi* = h(UIDi* || PWi* || H(Bi*)) and verifies Vi* =? Vi. If it is not satisfied, then the connection is ended. Otherwise, user selects a new Password PWinew and evaluates Vinew = h(UIDi || PWinew || H(Bi*)). Finally, it displaces Vi with Vinew in the memory of the smartcard.

Suppose the temporary arbitrary number Jc is leaked by the server to the attacker ℋ then ℋ will try to evaluate session key from the known temporary random number in the following manner. First, ℋ computes A1* = Jc•P, H(Bi)*•P = A1* – A2, A4* = H(Bi)*•P – A5 = Jsc•P and A7* = A1* – A8 = Js•P. After evaluating the all temporary random numbers Jsc and Js from Jc, But the session key SK = h(Jc•P || Jsc•P || Js•P || UIDj) could not calculate by ℋ without knowing UIDj. Therefore, our proposed protocol prevents session- specific temporary information attack.

Uj

RC Sj Check T2 – T1 ≤ ∆T Evaluate Dech(x)(HIDi) = [UIDi, J] Mi* = Hi – h(UIDi || y)·P A1* = A2 – Mi* A3* = h(UIDi || A1* || SIDj || Hi) Check A3* =? A3.

Choose Js and Evaluate HIDinew = Ench(x)(UIDi || Jsc) Xi = Ench(SIDj||y)[UIDi || A1 || H(Bi)] A4 = Jsc·P, A5 = A4 + H(Bi) ·P A6 = h(A4 || HIDinew || SIDj) {A5, A6, HIDinew, Xi, T2}

Check T3 – T2 ≤ ∆T

Evaluate Dech(SIDj||y)(Xi) = [UIDi || A1 || H(Bi)]

A4* = A5 – H(Bi)·P A6* = h(A4* || HIDinew || UIDi || SIDj) Check A6* =? A6 Choose Js and Evaluate A7 = Js·P A8 = A7 + A1

A9 = h(HIDinew || A7 || A4 || H(Bi)·P) {HIDinew, A9, A8, A5, T3} Check T4 – T3 ≤ ∆T Evaluate A7* = A8 – A1 A4* = A5 – H(Bi)·P A9* = h(HIDinew || A7* || A4* || H(Bi)·P) Check A9* =? A9.

Evaluate SK = h(Jc·P || Jsc·P || Js·P || UIDi) Ni = SK·P + h(UIDi || H(Bi)·P) changes HIDinew with HIDi into SC

{Ni, T4} Check T5 – T4 ≤ ∆T Evaluate SK* = h(Jc·P || Jsc·P || Js·P || UIDi) Ni* = SK*·P + h(UIDi || H(Bi)·P)

Check Ni* =? Ni Figure 5. Authentication and Key Agreement Phase ✓ ✓ Computation cost of registration phase Computation cost of

login and authentication phase Total computation cost 4TH + 2TPM +

1TS

˟ ˟

Assume that the previous login request message {HIDi, Hi, A2, A3, T1} is eavesdropped by an adversary, which was sent by a legal user to the legal server. After some time, ℋ transmits the same login request message {HIDi, Hi, A2, A3, T1} to the legal server. When the login request message is received by the server then the server checks the freshness of the timestamp and stops the connection if T1 is not fresh. Therefore, our proposed protocol prevents the replay attack.

This section describes the performance and security comparison, along with other related protocols [ 1 ]. Some notations are defined as TH indicates one way hash function, TPM means scalar point multiplication and TS indicates symmetric decryption/encryption functions, as shown in Table 2.

Table 2 shows the computation cost comparison of the proposed protocol with the protocols in [ 1 ]. Ali and Pal’s protocol needs to perform total 17 hash functions, 11 scalar multiplication operations and 5 symmetric encryption/decryption functions i.e., 17TH + 11TPM + 5TS. On the other hand, our proposed protocol needs to perform 15 hash functions, 11 scalar multiplication operations and 5 symmetric encryption/decryption functions, i.e., 15TH + 11TPM + 5TS. According to Table 2, our proposed protocol’s computation overhead, and Ali and Pal’s protocol are identical. The only change is the reduction of 2 hash functions in our proposed protocol. Nevertheless, our protocol is secure against the attacks to which Ali and Pal’s protocol is not resistant.

Table 3 compares the proposed protocol's security features with the protocols in [ 1 ]. As shown in Table 3, our protocol gives security against replay attack and session-specific temporary information leakage attack. Still, Ali and Pal's protocol doesn't offer protection against the above vulnerabilities. Therefore, our proposed protocol is more effective and secure than the protocol in [ 1 ].

In this paper, we have investigated Ali and Pal’s protocol. We have revealed that their protocol is suffering from replay attack and session-specific temporary information leakage attack. To reduce these vulnerabilities, we have proposed an improved protocol. We have used timestamps in our proposed protocol to prevent replay attack. Our proposed protocol is more robust than Pal and Ali’s scheme, and there is no extra computation needed in our scheme. We will propose a lightweight scheme for multiserver environment with low computation cost and better security in future work.

The first author gratefully acknowledges the financial support received from CSIR (India) in the form of Junior Research Fellowship CSIR award no. 09/113(0020)/2018-EMR-I.