Abstract
The widespread adoption of cloud computing gives end-users convenient sharing, unlimited storage and on-demand access to big data. The extensive combination of servers, networks, users and resources necessitates a secure mutual authentication protocol to verify the legitimacy of users of cloud services. Recently, Sahoo et al. and Chen et al. proposed multi-factor mutual authentication and key agreement (MAKA) protocols. However, we identify that Sahoo et al.’s protocol is prone to user linkability, replay and denial-of-service (DoS) attacks. Also, Chen et al.’s protocol is vulnerable to user linkability and known session-specific temporary information (KSSTI) attacks. To mitigate these vulnerabilities, we propose a novel elliptic curve cryptography (ECC) based provably secure and privacy-preserving multi-factor authentication protocol for the cloud environment. Our protocol delivers user anonymity, unlinkability, perfect forward secrecy and session key security as its security and privacy features. The security of our protocol is proved theoretically under the Real-Or-Random (ROR) model. We validate the correctness properties of our protocol with the Scyther security verification tool. The informal security analysis illustrates that our protocol resists various security attacks such as replay, DoS, KSSTI, user impersonation, server spoofing, password-guessing and privileged-insider attacks. Finally, we compare our protocol with those of Sahoo et al., Chen et al. and other existing relevant protocols regarding security features, communication and computation overheads. The results illustrate that our protocol exhibits high security with reasonable communication and computational overheads compared with other existing relevant protocols.
References
Subramanian N, Jeyaraj A (2018) Recent security challenges in cloud computing. Computers Electric Eng 71:28–42. https://doi.org/10.1016/j.compeleceng.2018.06.006
Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV (2017) On the design of provably secure lightweight remote user authentication scheme for mobile cloud computing services. IEEE Access 5:25808–25825. https://doi.org/10.1109/ACCESS.2017.2764913
Ibrahim M, Iqbal MA, Aleem M, Islam MA (2018) Sim-cumulus: an academic cloud for the provisioning of network-simulation-as-a-service (nsaas). IEEE Access 6:27313–27323
Ibrahim M, Imran M, Jamil F, Lee YJ, Kim D-H (2021) Eama: efficient adaptive migration algorithm for cloud data centers (cdcs). Symmetry 13(4):690
Arasan A, Sadaiyandi R, Al-Turjman F, Rajasekaran AS, Karuppuswamy KS (2021) Computationally efficient and secure anonymous authentication scheme for cloud users. Pers Ubiquitous Comput. https://doi.org/10.1007/s00779-021-01566-9
Prabha KM, Saraswathi PV (2020) Suppressed k-anonymity multi-factor authentication based schmidt-samoa cryptography for privacy preserved data access in cloud computing. Computer Commun 158:85–94. https://doi.org/10.1016/j.comcom.2020.04.057
Singh A, Chatterjee K (2017) Cloud security issues and challenges: a survey. J Netw Computer Appl 79:88–115. https://doi.org/10.1016/j.jnca.2016.11.027
Tabrizchi H, Rafsanjani MK (2020) A survey on security challenges in cloud computing: issues, threats, and solutions. J Supercomput 76(12):9493–9532. https://doi.org/10.1007/s11227-020-03213-1
Gwoboa H (1995) Password authentication without using a password table. Information Process Lett 55(5):247–250. https://doi.org/10.1016/0020-0190(95)00087-S
Fan L, Li JH, Zhu HW (2002) An enhancement of timestamp-based password authentication scheme. Computers Secur 21(7):665–667. https://doi.org/10.1016/S0167-4048(02)01118-5
Lin CW, Tsai CS, Hwang MS (2006) A new strong-password authentication scheme using one-way hash functions. J Computer Syst Sci Int 45(4):623–626. https://doi.org/10.1134/S1064230706040137
Farash MS, Attari MA (2014) An efficient client-client password-based authentication scheme with provable security. J Supercomput 70(2):1002–1022. https://doi.org/10.1007/s11227-014-1273-z
Jia X, He D, Kumar N, Choo KKR (2019) Authenticated key agreement scheme for fog-driven IoT healthcare system. Wirel Netw 25(8):4737–4750. https://doi.org/10.1007/s11276-018-1759-3
Yang Y, Deng RH, Bao F (2006) A practical password-based two-server authentication and key exchange system. IEEE Transactions Depend Secure Comput 3(2):105–114. https://doi.org/10.1109/TDSC.2006.16
Kim HS, Choi JY (2009) Enhanced password-based simple three-party key exchange protocol. Computers Electric Eng 35(1):107–114. https://doi.org/10.1016/j.compeleceng.2008.05.007
Amin R, Biswas G (2015) Cryptanalysis and design of a three-party authenticated key exchange protocol using smart card. Arabian J Sci Eng 40(11):3135–3149. https://doi.org/10.1007/s13369-015-1743-5
Tsai JL, Lo NW, Wu TC (2012) Novel anonymous authentication scheme using smart cards. IEEE Transactions Indus Informatics 9(4):2004–2013. https://doi.org/10.1109/TII.2012.2230639
Leu JS, Hsieh WB (2013) Efficient and secure dynamic id-based remote user authentication scheme for distributed systems using smart cards. IET Information Secur 8(2):104–113. https://doi.org/10.1049/iet-ifs.2012.0206
Chen BL, Kuo WC, Wuu LC (2014) Robust smart-card-based remote user password authentication scheme. Int J Commun Syst 27(2):377–389. https://doi.org/10.1002/dac.2368
Giri D, Maitra T, Amin R, Srivastava P (2015) An efficient and robust rsa-based remote user authentication for telecare medical information systems. J Med Syst 39(1):1–9. https://doi.org/10.1007/s10916-014-0145-7
Maitra T, Obaidat MS, Islam SH, Giri D, Amin R (2016) Security analysis and design of an efficient ECC-based two-factor password authentication scheme. Secur Commun Netw 9(17):4166–4181. https://doi.org/10.1002/sec.1596
Sun HM (2000) An efficient remote use authentication scheme using smart cards. IEEE Transactions Consumer Electron 46(4):958–961. https://doi.org/10.1109/30.920446
Lu R, Cao Z (2005) Efficient remote user authentication scheme using smart card. Computer Netw 49(4):535–540. https://doi.org/10.1016/j.comnet.2005.01.013
Xu J, Zhu WT, Feng DG (2009) An improved smart card based password authentication scheme with provable security. Computer Stand Interfaces 31(4):723–728. https://doi.org/10.1016/j.csi.2008.09.006
Guo D, Wen F (2014) Analysis and improvement of a robust smart card based-authentication scheme for multi-server architecture. Wirel Pers Commun 78(1):475–490. https://doi.org/10.1007/s11277-014-1762-7
Tan Z (2016) A privacy-preserving multi-server authenticated key-agreement scheme based on chebyshev chaotic maps. Secur Commun Netw 9(11):1384–1397. https://doi.org/10.1002/sec.1424
Ma CG, Wang D, Zhao SD (2014) Security flaws in two improved remote user authentication schemes using smart cards. Int J Commun Syst 27(10):2215–2227. https://doi.org/10.1002/dac.2468
Xie Q, Wong DS, Wang G, Tan X, Chen K, Fang L (2017) Provably secure dynamic id-based anonymous two-factor authenticated key exchange protocol with extended security model. IEEE Transactions Information Forensic Secur 12(6):1382–1392. https://doi.org/10.1109/TIFS.2017.2659640
Wen F, Susilo W, Yang G (2015) Analysis and improvement on a biometric-based remote user authentication scheme using smart cards. Wirel Pers Commun 80(4):1747–1760. https://doi.org/10.1007/s11277-014-2111-6
Irshad A, Sher M, Chaudhry SA, Xie Q, Kumari S, Wu F (2018) An improved and secure chaotic map based authenticated key agreement in multi-server architecture. Multimedia Tools Appl 77(1):1167–1204. https://doi.org/10.1007/s11042-016-4236-y
Chaudhry SA, Naqvi H, Farash MS, Shon T, Sher M (2018) An improved and robust biometrics-based three factor authentication scheme for multiserver environments. J Supercomput 74(8):3504–3520. https://doi.org/10.1007/s11227-015-1601-y
Masdari M, Ahmadzadeh S (2017) A survey and taxonomy of the authentication schemes in telecare medicine information systems. J Netw Computer Appl 87:1–19. https://doi.org/10.1016/j.jnca.2017.03.003
He D, Kumar N, Chilamkurti N, Lee JH (2014) Lightweight ECC based RFID authentication integrated with an id verifier transfer protocol. J Med Syst 38(10):1–6. https://doi.org/10.1007/s10916-014-0116-z
Singh S, Jeong YS, Park JH (2016) A survey on cloud computing security: issues, threats, and solutions. J Netw Computer Appl 75:200–222. https://doi.org/10.1016/j.jnca.2016.09.002
Fan CI, Lin YH (2009) Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics. IEEE Transactions Information Forensics Secur 4(4):933–945. https://doi.org/10.1109/TIFS.2009.2031942
Li CT, Hwang MS (2010) An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Computer Appl 33(1):1–5. https://doi.org/10.1016/j.jnca.2009.08.001
Li X, Niu JW, Ma J, Wang W-D, Liu CL (2011) Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J Netw Computer Appl 34(1):73–79. https://doi.org/10.1016/j.jnca.2010.09.003
Das AK (2011) Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Information Secur 5(3):145–151. https://doi.org/10.1049/iet-ifs.2010.0125
An Y (2012) Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. J Biomed Biotechnol. https://doi.org/10.1155/2012/519723
Li X, Niu J, Khan MK, Liao J, Zhao X (2016) Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Secur Commun Netw 9(13):1916–1927. https://doi.org/10.1002/sec.961
Mishra D, Kumari S, Khan MK, Mukhopadhyay S (2017) An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems. Int J Commun Syst. https://doi.org/10.1002/dac.2946
Zhou L, Li X, Yeh KH, Su C, Chiu W (2019) Lightweight IoT-based authentication scheme in cloud computing circumstance. Future Gener Computer Syst 91:244–251. https://doi.org/10.1016/j.future.2018.08.038
Martínez-Peláez R, Toral-Cruz H, Parra Michel JR, García V, Mena LJ, Félix VG, Ochoa Brust A (2019) An enhanced lightweight iot-based authentication scheme in cloud computing circumstances. Sensors 19(9):2098. https://doi.org/10.3390/s19092098
Wang F, Xu G, Xu G, Wang Y, Peng J (2020) A robust IoT-based three-factor authentication scheme for cloud computing resistant to session key exposure. Wireless Commun Mobile Comput. https://doi.org/10.1155/2020/3805058
Lee H, Kang D, Lee Y, Won D (2021) Secure three-factor anonymous user authentication scheme for cloud computing environment. Wireless Commun Mobile Comput. https://doi.org/10.1155/2021/2098530
Kumari A, Jangirala S, Abbasi MY, Kumar V, Alam M (2020) ESEAP: ECC based secure and efficient mutual authentication protocol using smart card. J Information Secur Appl. https://doi.org/10.1016/j.jisa.2019.102443
Safkhani M, Bagheri N, Kumari S, Tavakoli H, Kumar S, Chen J (2020) RESEAP: an ECC-based authentication and key agreement scheme for IoT applications. IEEE Access 8:200851–200862. https://doi.org/10.1109/ACCESS.2020.3034447
Ali Z, Hussain S, Rehman RHU, Munshi A, Liaqat M, Kumar N, Chaudhry SA (2020) ITSSAKA-MS: an improved three-factor symmetric-key based secure aka scheme for multi-server environments. IEEE Access 8:107993–108003. https://doi.org/10.1109/ACCESS.2020.3000716
Yu S, Park Y (2020) Comments on “ITSSAKA-MS: An improved three-factor symmetric-key based secure aka scheme for multi-server environments”. IEEE Access 8:193375–193379. https://doi.org/10.1109/ACCESS.2020.3032959
Chen CL, Lee CC, Hsu CY (2012) Mobile device integration of a fingerprint biometric remote authentication scheme. Int J Commun Syst 25(5):585–597. https://doi.org/10.1002/dac.1277
Yeh HL, Chen TH, Hu KJ, Shih WK (2013) Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric data. IET Information Secur 7(3):247–252. https://doi.org/10.1049/iet-ifs.2011.0348
Khan MK, Kumari S, Gupta MK (2014) More efficient key-hash based fingerprint remote authentication scheme using mobile device. Computing 96(9):793–816. https://doi.org/10.1007/s00607-013-0308-2
Wu F, Xu L, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks. Computers Electric Eng 45:274–285. https://doi.org/10.1016/j.compeleceng.2015.02.015
Jiang Q, Khan MK, Lu X, Ma J, He D (2016) A privacy preserving three-factor authentication protocol for e-health clouds. J Supercomput 72(10):3826–3849. https://doi.org/10.1007/s11227-015-1610-x
Mir O, Nikooghadam M (2015) A secure biometrics based authentication with key agreement scheme in telemedicine networks for e-health services. Wirel Pers Commun 83(4):2439–2461. https://doi.org/10.1007/s11277-015-2538-4
Chaudhry SA, Naqvi H, Khan MK (2018) An enhanced lightweight anonymous biometric based authentication scheme for tmis. Multimedia Tools Appl 77(5):5503–5524. https://doi.org/10.1007/s11042-017-4464-9
Qi M, Chen J (2018) New robust biometrics-based mutual authentication scheme with key agreement using elliptic curve cryptography. Multimedia Tools Appl 77(18):23335–23351. https://doi.org/10.1007/s11042-018-5683-4
Sahoo SS, Mohanty S, Majhi B (2020) Improved biometric-based mutual authentication and key agreement scheme using ECC. Wirel Pers Commun 111(2):991–1017. https://doi.org/10.1007/s11277-019-06897-8
Chen Y, Chen J (2021) A secure three-factor-based authentication with key agreement protocol for e-health clouds. J Supercomput 77(4):3359–3380. https://doi.org/10.1007/s11227-020-03395-8
Dolev D, Yao A (1983) On the security of public key protocols. IEEE Transactions Information Theory 29(2):198–208. https://doi.org/10.1109/TIT.1983.1056650
Sahoo SS, Mohanty S, Majhi B (2021) A secure three factor based authentication scheme for health care systems using IoT enabled devices. J Ambient Intell Humanized Comput 12(1):1419–1434. https://doi.org/10.1007/s12652-020-02213-6
Dua A, Kumar N, Das AK, Susilo W (2017) Secure message communication protocol among vehicles in smart city. IEEE Transactions Veh Technol 67(5):4359–4373. https://doi.org/10.1109/TVT.2017.2780183
He D, Kumar N, Lee JH (2016) Privacy-preserving data aggregation scheme against internal attackers in smart grids. Wirel Netw 22(2):491–502. https://doi.org/10.1007/s11276-015-0983-3
Cremers CJ (2008) The Scyther Tool: verification, falsification, and analysis of security protocols. In: International Conference on Computer Aided Verification. Springer, pp 414–418. https://doi.org/10.1007/978-3-540-70545-1_38
Cremers CJF (2006) Scyther: semantics and verification of security protocols. Eindhoven University of Technology, Eindhoven, Netherlands. https://doi.org/10.6100/IR614943
Funding
No funding was received to assist with the preparation of this manuscript.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
About this article
Cite this article
Shukla, S., Patel, S.J. A novel ECC-based provably secure and privacy-preserving multi-factor authentication protocol for cloud computing. Computing 104, 1173–1202 (2022). https://doi.org/10.1007/s00607-021-01041-6
DOI: https://doi.org/10.1007/s00607-021-01041-6