Lightweight Mutual Authentication Scheme for Protecting Identity in Insecure Environment

Xu Wu, Jin Xu,＊, Binxing Fang

1 School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China

2 Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing 100876, China

I. INTRODUCTION

Authentication is the first security gate between the user and the remote server. It plays an important role in protecting network assets. Before establishing a shared session in insecure environment, both side requests to authenticate the identity of the other side.Smart card, as the ownership factor, solves drawbacks of using static password as only authentication factor [1]. Authentication scheme based on smart card has great potential for application, and gradually becomes a research hotspot [2].

Hwang et al. [3] proposed a simple remote user authentication scheme in 2002. But Liao et al. [4] pointed out that Hwang et al.’s scheme can’t achieve mutual authentication,and they proposed a password based authentication scheme based on discrete logarithm problem and one-way hash function. In 2011,Kumar et al [5] improved Liao et al.’s [4]scheme and proposed a security enhanced scheme. However, Wang et al.’s [6] cryptanalysis showed that Kumar et al.’s scheme has poor practicality and failed to achieve forward secrecy. Moreover, there existed a security risk by using static-ID in the login and verification phase. Users’ identity became traceable[7], once current session being intercepted.To achieve user anonymity [8], Liao et al. [9]and Wang et al. [10] respectively proposed the authentication scheme using dynamic-ID. In 2012, Wen et al. [11] demonstrated that Wang et al.’s scheme can’t resist impersonation attack and insider attack, then proposed an improved scheme. However, Tang et al. [12]and Ma et al. [13] both pointed out that Wen et al.’s scheme neither preserves user anonymity or achieves forward secrecy. But, they didn’t give any solution. In 2014, Chang et al. [14]improved Wang et al.’s scheme, and proposed a scheme using only hash function and bitwise operation. Limbasiya et al. [15] demonstrated that Chang et al.’s scheme can’t resist common attacks, such as smart card loss attack and denial of service attack. Kumari et al. [16] also found that Chang et al.’s scheme lacks mutual authentication and session key agreement, then proposed an improved scheme. In 2015, Shi et al. [17] demonstrated that Kumari et al.’s scheme can’t resist smart card loss attack, impersonation attack, etc. Later, Chen et al. [18]identified that Shi et al.’s scheme failed to provides user anonymity, then proposed a scheme for application environment. Kaul et al. [19]demonstrated a lethal flaw in Kumari et al.’s scheme. Parameters can be easily obtained by properties of bitwise operation. However, in Kaul et al. scheme, plain-text identity can be parsed from the login request.

Some researches [3-5,10,11,14,16-20]pointed out the flaws in the former one,then gave an improved scheme. The others[6,12,13,15] only gave the cryptanalysis. It seemed to fall into a strange loop [21], which was scheme → flaws → improved scheme→ flaws→ further improved scheme → ??.Reasons for this phenomenon are various [22].Before designing a new scheme, mathematical foundation and the summary of security requirements is lacking. Designers tend to ignore goal oriented and top-bottom design principle. Meanwhile, testers lack a reliable measurement, and a formal security validation tool. To overcome the above problems, this article proposes a lightweight mutual authentication scheme.

To remedy security flaws in existing schemes, a lightweight mutual authentication scheme with session-key agreement is proposed in this article.

The rest of this article is organized as follows. Security requirements for designing and evaluating a new scheme is introduced in Section II. The proposed lightweight mutual authentication scheme is presented in Section III. Security analysis of the proposed scheme is demonstrated in Section IV. Performance and efficiency comparison with other schemes is given in Section V. Finally, the conclusion is drawn in Section VI.

II. SECURITY REQUIRMENTS

A lightweight mutual authentication is a procedure that both parties can mutually authenticate each other’s identity with low computation, short communication, and high security.However, the backdoor and loopholes hidden in the defective authentication scheme give the attackers an opportunity. It’s hard to find or patch these loopholes, unless further comprehensive cryptanalysis is performed. Hence, for designing and evaluating a new lightweight mutual authentication scheme, five primary principles are introduced.

PP1: Perfect forward secrecy. The compromise of one message doesn’t compromise others as well. There is no one particular value will compromise multiple messages.

PP2: User anonymity. The identity of the user can’t be retrieved. This means no passwords or verification tables are stored, and no plain-text identity is transmitted during the authentication procedure.

PP3: Mutual verification. The scheme should provide verification mechanism for both sides, i.e., the server can verify the identity of the user and vice versa.

PP4: Session key agreement. The scheme should provide session key for subsequent message exchange.

PP5: Public key method. At least one kind of public key method should be used in the scheme.

Subsequently, on the basis of analyzing popular attack modes [23-26], nine security requirements are given. It’s the abilities to resist internal and external attacks.

RA1: Resist online password guessing attack

RA2: Resist offline password guessing attack

RA3: Resist smart card loss attack

RA4: Resist denial of service (DoS) attack

RA5: Resist insider attack

RA6: Resist server masquerading attack

RA7: Resist forgery attack and impersonation attack

RA8: Resist replay attack and parallel session attack

RA9: Resist modification attack

III. THE PROPOSED SCHEME

An improved secure and efficient authentication scheme is proposed in this section. The notations used throughout this article are indi-cated in Table I.

Table I. The notations useful throughout this article.

Fig. 1. Framework of the proposed authentication scheme.

Before the scheme begins, the remote serverSneeds to establish the domain parameter set, and issues the set to the user. The domain parameter set is defined over a finite cyclic groupG=of orderp, wheregis a generator ofGandpshould be a large prime number. Security is based on Discrete Logarithm Problem, known as DLP. The proposed scheme also defines two kind of hash function.One is secure one-way hash functionh1(),h2(),h3(), mapping from {0,1 }*→ {0,1 }li, whereliis the bit length of hash output, e.g.li=256bit,andi=1,2,3. The other is keyed-hash functionhk(), using keykas part of hash input. The domain parameter set contains {p,g,h1(),h2(),hk()}, which can be made public or stored in the smart card. As to be noticed, hash functionh3() is secretly maintained by the serverS.

Framework of the proposed authentication scheme is shown in figure 1. The proposed scheme contains four phases: the registration phase, the login phase, the verification phase and the password change phase.

The remote serverShas an identifierIDSand chooses a random numberxas its secret key, then computes the corresponding public keyy=gxmodp. The secret keyxmust be safely stored and maintained byS, however,the public keyyand the identityIDScan be made public or pre stored in a blank smartcard. The userUhas the ability to generate the random stringbof a certain length.

3.1 Registration phase

Through this phase, the userUcan register himself to the serverS. As shown in figure 2,the specific process performs as follows:

R1:Uchooses his/her identityIDUand passwordPWU. Then,Ugenerates a random stringb, whose bit lengthlbshouldn’t be too short, e.g.lb≥200bit. After that,UcomputesPE=h1(PWU||b).

R2:Usends the registration request {IDU,PE} toSvia a secure channel.U?S: {IDU,PE}. A secure channel means a pre encrypted channel, or face to face submission process.

R3: Upon receiving the request {IDU,PE}at timeTreg,Sfirst checks whetherIDUis legitimate and identifiable. Secondly,Sgenerates a unique random stringaof bit lengthlaforU. The stringamust be different for each user throughout the system, which can be generated by one-dimensional logistic chaotic sequences. If it’s the initial registration ofU, thenScreates a new entity forIDUand stores {IDU,a,Treg,Tvalid} in the account database, whereTvalidis the validity date assigned toIDUbyS. IfIDUexists, thenSupdates {a,Treg,Tvalid} with new values. At last,Scomputes as follows:KS=h3(x||IDU||Treg||Tvalid),UV=h2(a||PE||h1(IDU)),AE=a⊕h2(IDU||PE),KE=KS⊕h2(UV||a).

R4:Sstores [AE,UV,KE,y,g,p,h1(),h2(),hk()] into the smart cardSC, and distributes it toUvia a secure channel.S?U:SC=[AE,UV,KE,y,g,p,h1(),h2(),hk()].

R5: After receivingSC,UstoresRE=b⊕h2(IDU||PWU) intoSCand erasesb.Now,SCcontains [AE,BE,UV,KE,y,g,p,h1(),h2(),hk()].

3.2 Login phase

As shown in Fig 3, a registered userU, who wants to login into the serverS, can generate the login request in this phase.

L1:Uinserts his/her smart cardSCinto the card reader, then inputs his/her identityIDUand passwordPWU.SCretrieves parameters as follows:b=BE⊕h2(IDU||PWU),PE=h1(PWU||b),a=AE⊕h2(IDU||PE).

L2:SCcomputesUV′=h2(a||PE||h1(IDU)),and checks whether the computedUV′ equals to the storedUV. Only ifUV′=UV, which means correct combination of identity and passwordhas been entered, thenSCproceeds to next step. If the equation doesn’t hold,SCrequiresUto reenter his/her identity and password, and repeats from step L1. Meanwhile,SCwill be blocked ifUrepeats more than five times.Uneeds to use his PUK (Personal Unblocking Key) to reactive the smart card.

L3: After checking the accuracy of inputtedIDUandPWU,SCretrievesKS=KE⊕h2(UV||a).Then,SCacquires the current timeTUand computes:c=h2(IDU||TU||salt),d=gcmodp,k1=ycmodp,TID=(IDU||a)⊕h2(d||k1),TV=hk1(IDU||KS||a||TU), wheresaltrepresents a small random string.

L4:SCgenerates the login request {d,TID,TV,TU}, and sends it toSvia a common channel.U→S: {d,TID,TV,TU}.

3.3 verification phase

Upon receiving the login request, the serverSand the smart cardSCperforms as follows to mutually authentication each other, as shown in figure 3.

Fig. 2. The registration phase of the proposed scheme.

Fig. 3. The login phase and the verification phase of the proposed scheme.

V1:Sreceives the login request {d,TID,TV,TU} at timeTS. Firstly,Sneeds to ensure the freshness ofTUby checking ifTS?TU≤ΔT.If the equation holds,Sfurther ensures there is no login request using same parameters {d,TID,TV} within the time period from (TU?ΔT)to (TU+ΔT). The login request will be rejected if same parameters have been found or the equation doesn’t hold.

V2:Sretrieves parameters as follows:The bit length ofa′ isla, so it’s easy to separateIDUanda′ fromIDU||a′. Then,Sretrieves {a,Treg,Tvalid} ofIDUfrom the account database.

V3: Next,Sneeds to ensure the receivedIDUdoesn’t beyond its validity period. To do so,Schecks the validity ofTUby verifyingTreg(?ΔT)≤TU≤Tvalid+Treg(+ΔT). If the equation doesn’t hold,SrequiresUto re-registration.If the equation is true,Shas to further check whethera′=a. Ifa′≠a,Swill reject this login request, else proceed to next step.

V4:Scomputes as follows:KS′=h3(x||If the computedTV′ equals to the receivedTV,thenSsuccessfully authenticatesU’s identity and proceeds to the next step. IfTV′≠TV, thenSrecords the number of cumulative failed requests, meanwhile, requiresUto re-authenticate his/her identity. If continuous login requests ofIDUauthenticate failed more than three times in a short time period, e.g. 2*ΔT,thenSwill ignore following login requests within a guard interval.

Fig. 4. The password change phase of the proposed scheme.

V5: After authenticatingU’s identity,Sobtains the current time, then computes:

V6: To realizing mutual authentication,Sgenerates the response message {f,SV,}, and sends it toUvia a common channel.S→U: {f,SV,}.

V7: Upon receiving the response message{f,SV,} at time,Ufirst checks the freshness and validity ofthenSCproceeds to next step. If the equation doesn’t hold, thenSCdrops this session and try to re-authenticateIDUfrom step L3.

V8: Next,SCcomputes as follows:If the computedSV′ equals to the receivedSV,thenUauthenticatesSsuccessfully. Otherwise,SCcloses the current session and informsUto re-authentication.

V9: After mutual authenticating each other successful,UandScan generate common session key independently, which is

the server end. Session key can be used for exchanging secret information in the following communication.

3.4 Password change phase

In this phase, the userUcan change his/her password freely without interacting with the serverS, as shown in figure 4.

C1:Uinserts his/her smart cardSCinto the card reader, and requestsSCto update his/her password.Uenters his/her identityIDUand passwordPWU.

C2:SCrestores parameters as follows:b=BE⊕h2(IDU||PWU),PE=h1(PWU||b),a=AE⊕h2(IDU||PE).

C3: Next,SCverifies the correctness of the inputtedIDUandPWU.SCcomputesUV′=h2(a||PE||h1(IDU)). IfUV′=UV, thenSCallowsUto change password and proceeds to next step. If the computedUV′ doesn’t equal to the storedUV,SCrequiresUto reenter his/her identity and password, and repeats from step C2.SCwill be locked onceUfails this verification more than five times.Uneeds PUK to reactivateSC.

C4:Uenters the new passwordPWnewtwice for confirmation.

C5:SCfirst retrievesKS=KE⊕h2(UV||a). N e x t,S Cc o m p u t e sPEnew=h1(PWnew||b),BEnew=b⊕h2(IDU||PWnew),A En e w=a⊕h2(I DU||P En e w),U Vn e w=h2(a||P En e w||h1(I DU)),KEnew=KS⊕h2(UVnew||a).

C6: Then,SCupdates parameters [AE,BE,UV,KE] by[AEnew,BEnew,UVnew,KEnew]. Now,SCcontains [AEnew,BEnew,UVnew,KEnew,y,g,p,h1(),h2(),hk()].

IV. SECURITY ANALYSIS OF THE PROPOSED SCHEME

Both informal and formal security analysis of the proposed scheme is given in this section.All security analysis is based on three assumptions:

Assumption 1:The adversaryAmay either obtains a user’s password or steals a smart card, but not both ways. By means of power consumption analysis [27] or side-channel attack techniques [28,29], secret information can be extracted from the smart card.

Assumption 2:The adversaryAhas total control over the common channel, i.e.,Acan eavesdrop, intercept, insert, modify or delete any messages transmitted in the common channel.

Assumption 3:The adversaryAcan enumerate the password in of fline environment.Acan also build a password dictionary targeted for specific person, because the user always prefers choosing short and easily remembered password for convenience.

4.1 Informal security analysis

On basis of security requirements and design principles mentioned in section II, detailed cryptanalysis of the proposed scheme is demonstrated in this subsection.

1) Resists online password guessing attack

Before further interacting with the remote server, the smart cardSCwill check if the inputted identity and password are matching. If an adversaryAwants to guess the password online, he first needs to pass the verification mechanism inSC. However, there is only five attempts beforeSCbeing blocked. In this case,the proposed scheme resists online password guessing attack.

2) Resists off line password guessing attack

Suppose that an adversaryAsteals a smart cardSCand extracts parameters [AE,BE,UV,KE,y,g,p,h1(),h2(),hk()] fromSC. Guessing the password or other secret in off line environment,Aneeds at least two values to find a successful match. Even more,Ahas intercepted a series of login requests {d,TID,TV,TU}and response messages {f,SV,}. But, it’s meaningless because there is no corresponding relation betweenSCand these messages.

3) Resists smart card loss attack

Once the smart cardSCis lost, the userUshouldre-register to the serverSimmediately,withdraw the oldSCand request for a new one.U’s identityIDUand relatedawill be marked as expired inS’s account database,meanwhile, login request usingIDUandawill be marked illegal and ignored. IfSCis picked up by an adversaryAbefore being withdraw.Acan extract [AE,BE,UV,KE,y,g,p,h1(),h2(),hk()] fromSCby power consumption analysis or other methods. Having no knowledge aboutU’s password or identity, according to assumption 1,Acan only try to combine above parameters, which will be reward-less and useless.

4) Resists denial of service attack

On one hand, the smart card only generates fresh login request after checking the correctness of inputted identity and password. So that, the proposed scheme doesn’t face denial of service attack by generating enormous login requests. On the other hand, the login request beyond time period from (TS?ΔT) to(TS+ΔT) will be declined, and those requests using same parameters will be ignored. So the adversary is unlikely to launch denial of service attack by using replay requests or parallel session.

5) Resists insider attack

The user chooses his/her passwordPWU,then submits his/her registration request {IDU,PE} to the server, wherePE=h1(PWU||b) and the random stringbwill be erased at the end of registration phase. Hence, a privileged insider can’t know or obtainborPWU, and it’s impossible to guess two values simultaneously in polynomial time.

6) Resists server masquerading attack

Server masquerading attack mainly happens in one-way authentication schemes, which means only the server can authenticate user’s identity, but not the other way around. In our proposed schemes, let’s suppose that the adversary has already intercepted a login request{d,TID,TV,TU}. To masquerading as the server,Ashould have the ability to produce dummy response message {f,SV,}. Secret parametersKS′ andaare needed to generatewhich can be retrieved by using the secret keyxof the server.However,xis safely kept at the server.

7) Resists forgery attack and impersonation attack

In the proposed scheme, one secret stringacan be only used for one identity. If an adversaryAtries to fool the server by using fake identityIDA, he will be declined immediately due to no registration information at the account database. Even ifIDAappears to be a legal,Astill needs to guessingaandKSrelated toIDA. However, the login request will be rejected because the guessingadoesn’t match with the stored one.

IfAwants to impersonate a registered userU’s identityIDU,Ashould have the ability to generate fresh login request related toIDU. To do so,Ahas to know some key parameters related to specificIDU, such asKSanda. It’s impossible forAto obtain these parameter, only ifAlunched a successful password guessing attack. All in all,Acan’t impersonate a registered user.

8) Resists replay attack and parallel session attack

Upon receiving the login request {d,TID,TV,TU} at timeTS, the serverSfirst checks the freshness of timestampTU. The login request will be rejected ifTUTS+ΔT.Next,Sfurther checks if there exists login request using same parameters {d,TID,TV}within time period from (TU?ΔT) to (TU+ΔT).Session will be closed once identical login request being detected. Meanwhile, if continuous login requests, using sameIDU, authenticate failed more than three times in a short time period, then the following login request will be ignored. Likewise, there is similar check mechanism for the response message.After all, the proposed scheme can well withstand replay attack and parallel session attack.

9) Resists modification attack

The parameterin the login request {d,TID,TV,TU} not only can authenticate user’s identity, but also can authenticate the other three parameters. Even the adversaryAhas intercepted a series of login requests and response messages,Astill can’t analyze the secret hidden in those messages. So that,Acan’t generate the rightTVby using the modifiedd,TIDandTU, which meansAcan’t create an effective login request by patching or modification. The parameterin the response messages {f,SV,} also has same function.

10) Provides forward secrecy and user anonymity

In the login and verification phase of our proposed scheme, before the message being transmitted via a common channel, all the key parameters are encrypted, including the identity of the user. On one hand, the proposed scheme achieves forward secrecy. There is no relevance between two different message,which means even one message being compromised will not expose all session. On the other hand, the proposed scheme provides user anonymity. User’s identity is preserved in the parameterTID=(IDU||a)⊕h2(d||k1). In this way,user’s identity can’t be traced during the authentication.

11) Provides mutual verification and session key agreement

The proposed scheme provides authentication method for both the userUand the serverS.SverifiesUthrough the login request, andUverifiesSthrough the response message. After mutual authentication, common session key

be generated by both side separately. This session key can be only used for one time due to ephemeral keyk1andk2.

4.2 Formal security analysis by using AVISPA

Security simulation of the proposed scheme employs the widely accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool [19,30,31]. AVISPA comprises four back-ends [32-34]: On-the- fly Model Checker (OFMC), CL-based Attacker Searcher (CL-AtSe), SAT-based Model Checker (SATMC) and Tree Automata-based Protocol Analyzer (TA4SP). Two backends, OFMC and CL-AtSe, support bitwise operation, which can be used to validate our proposed scheme. The result in figure 5 show it clearly that the proposed scheme is secure against these back-ends.

V. PERFORMANCE AND EFFICIENCY COMPARISON

For purposes of comparison, four typical and recently published authentication schemes are chosen, including Kumari et al.’s scheme [16],Shi et al.’s scheme [17], Chen et al.’s scheme[18] and Kaul et al.’s scheme [19]. They all claim to have security upgraded and performance improved.

Fig. 5. Validation result by using OFMC (a) and CL-AtSe (b).

Assuming that the one-way hash function maps from arbitrary size to 256bit, i.e.h1()maps from {0, 1}*to {0, 1}256, and the length of each parameter is unified to 256bit. Computational cost shows in Table II, which contains memory space cost and communication cost.The former one counts the memory usage of key parameters stored in the smart card. The proposed scheme and Kaul et al.’s scheme needs 4*256bits, the others need 5*256bits.Communication cost is generated in login and verification phase. In the login phase,Shi et al.’s scheme and Chen et al.’s scheme both use 6*256bits, following by Kumari et al.’s scheme 5*256bits. Kaul et al.’s scheme and our proposed scheme uses the smallest,which is 4*256bits. In the verification phase,ours’s scheme needs 3*256bits, the others use 2*256bits. The total communication cost of allfive schemes is roughly the same 7*256bits.

Table III describes comparison of computational time complexity. In the registration phase, the complexity at the user side is roughly the same. At the server side, our proposedscheme needs less bitwise operation but more hash function. But, the total time complexity of the proposed scheme is approximately the same with the others, even less.

Table II. Computational cost comparison.

During the login and authentication phase,our scheme needs much less bitwise operation than others. The proposed scheme needs 4t⊕at the user side, less than average 11t⊕, and 1t⊕at the server side, less than average 5t⊕. The total complexity of hash function is similar to oth-ers, which is average 9that the user side and 5that the server side. Reducing the computational pressure at the server side is helpful to provide a wider range of service capabilities.Hence, in order to fulfill the security requirements, our proposed scheme imports modular exponentiation, which adds 3tgat both side.For overall time complexity, it’s observable that Shi et al.’s scheme (16t⊕+15th) and Kaul et al.’s scheme (17t⊕+14th) is higher than Kumari et al.’s scheme (13t⊕+12th), and Chen et al.’s scheme (13t⊕+15th+2tE) needs extra symmetric encryption. The total complexity of the proposed scheme is 5t⊕+15th+6tg, which uses less bitwise operation, average hash function and extra modular exponentiation than others.Fast modular exponentiation algorithm, e.g.,Montgomerie algorithm, can be imported for reducing the total computation time.

Table III. Computational time complexity*2 comparison.

Table IV. Security characteristics achieved by each schemes.

In Table IV, security characteristic comparison is given, which evaluates each scheme on security requirements described in Section II. It shows clear that security characteristics hasn’t been achieved as they claimed in other four schemes. The major problem in their scheme is smart card loss attack and offline password guessing attack. However, the proposed scheme satisfies all the security characteristics.

VI. CONCLUSION

Authentication is an essential security guarantee for both the user and the server. To remedy security flaws in existing schemes,a lightweight mutual authentication scheme with session-key agreement is proposed in this article. Ingenious design of the login request and the response message makes user’s identity untraceable. Comparing to other schemes,the proposed scheme needs average computational cost. Its computational time complexity is lower than others, and can be decreased by using fast modular exponentiation algorithm.Security analysis shows it clear that the proposed scheme withstands off line password guess attack, smart card loss attack and denial of service attack, etc. Furthermore, Formal security simulation of the proposed scheme is verified by using OFMC backend and CLAtSe backend of AVISPA tool. Future work is to replace the finite field with the elliptic curvefiled, which can achieve higher security.

ACKNOWLEDGEMENTS

The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of this paper. This work is supported by the National Key Research and Development Program of China (No. 2017YFC0820603).Thanks for the great help.

[1] A.K Sahu, A Kumar, T Gupta, “Survey of Remote User Password Authentication Scheme Using Smart Cards,”International Journal of Advanced Research, vol. 3, no. 5, 2015, pp. 1107-1116.

[2] C.S Tsai, C.C Lee, M.S Hwang, “Password Authentication Schemes: Current Status and Key Issues,”International Journal of Network Security, vol. 3, no. 2, 2006, pp. 101-115.

[3] M.S Hwang, C.C Lee, Y.L Tang, “A Simple Remote User Authentication Scheme,”Mathematical and Computer Modelling, vol. 36, no. 1-2, 2002,pp. 103-107.

[4] I.E Liao, C.C Lee, M.S Hwang, “A Password Authentication Scheme over Insecure Network,”Journal of Computer and System Sciences, vol.72, no. 4, 2006, pp. 727-740.

[5] M Kumar, M.K Gupta, S Kumari, “An Improved Efficient Remote Password Authentication Scheme with Smart Card over Insecure Networks,”International Journal of Network Security, vol. 13, no. 3, 2011, pp. 167-177.

[6] Y Wang, X Peng, “Cryptanalysis of Two Efficient Password-based Authentication Schemes Using Smart Cards,”International Journal of Network Security, vol. 17, no. 6, 2015, pp. 728-735.

[7] R Madhusudhan, R.C Mittal, “Dynamic ID-based Remote User Password Authentication Schemes Using Smart Cards: A Review,”Journal of Network and Computer Applications, vol. 35, no. 4,2012, pp. 1235-1248.

[8] C.C Lee, M.S Hwang, I.E Liao, “Security Enhancement On a New Authentication Scheme with Anonymity for Wireless Environments,”IEEE Transactions on Industrial Electronics, vol. 53,no. 5, 2006, pp. 1683-1687.

[9] I.E Liao, C.C Lee, M.S Hwang, “Security Enhancement for A Dynamic ID-based Remote User Authentication Scheme,”Proc. IEEE International Conference on Next Generation Web ServicesPractices, 2005, pp. 437-440.

[10] Y.Y Wang, J.Y Liu, F.X Xiao, et al., “A More Effi-cient and Secure Dynamic ID-based Remote User Authentication Scheme,”Computer communications, vol. 32, no. 4, 2009, pp. 583-585.

[11] F Wen, X Li, “An Improved Dynamic ID-based Remote User Authentication with Key Agreement Scheme,”Computers & Electrical Engineering, vol. 38, no. 2, 2012, pp. 381-387.

[12] H Tang, X Liu, “Cryptanalysis of a Dynamic ID-based Remote User Authentication with Key Agreement Scheme,”International Journal of Communication Systems, vol. 25, no. 12, 2012,pp. 1639-1644.

[13] C.G Ma, D Wang, S.D Zhao, “Security Flaws in Two Improved Remote User Authentication Schemes Using Smart Cards,”International Journal of Communication Systems, vol. 27, no.10, 2014, pp. 2215-2227.

[14] Y.F Chang, W.L Tai, H.C Chang, “Untraceable Dynamic-identity-based Remote User Authentication Scheme with Verifiable Password Update,”International Journal of Communication Systems, vol. 27, no. 11, 2014, pp. 3430-3440.

[15] T Limbasiya, N Doshi, “Analysis of Untraceable Dynamic Identity Based Remote User Authentication Scheme,”Proc. IEEE International Conference on Communication Network, 2015, pp.388-390.

[16] S Kumari, M.K Khan, X Li, “An Improved Remote User Authentication Scheme with Key Agreement,”Computers & Electrical Engineering, vol.40, no. 6, 2014, pp. 1997-2012.

[17] Y.J Shi, H Shen, Y.Y Zhang, et al., “An Improved Anonymous Remote User Authentication Scheme with Key Agreement based on Dynamic Identity,”International Journal of Security and Its Applications, vol. 9, no. 5, 2015, pp. 255-268.

[18] H.R Chen, J.H Chen, H Shen, “An Enhanced Dynamic-ID-based Remote User Authentication Protocol with Smart Card,”International Journal of Engineering and Advanced Research Technology, vol. 2, no. 4, 2016, pp. 49-57.

[19] S.D Kaul, A.K Awasthi, “Security Enhancement of an Improved Remote User Authentication Scheme with Key Agreement,”Wireless Personal Communications, vol. 89, no. 2, 2016, pp. 621-637.

[20] M Zhang, J.S Zhang, W.R Tan, “Remote Three-Factor Authentication Protocol with Strong Robustness for Multi-Server Environment,”China Communications, vol. 14, no. 6,2017, pp. 126-136.

[21] D Wang, P Wang, “Two Birds with One Stone:Two-Factor Authentication with Security Beyond Conventional Bound,”IEEE Transactions on Dependable and Secure Computing, to be published, DOI: 10.1109/TDSC.2016.2605087.

[22] D Wang, Q.C Gu, H.B Cheng, et al., “The Request for Better Measurement: A Comparative Eval-uation of Two-factor Authentication Schemes,”Proc. 11th ACM on Asia Conference on Computer and Communications Security, 2016, pp. 475-486.

[23] T Limbasiya, N Doshi, “A Survey On Attacks in Remote User Authentication Scheme,”Proc.IEEE International Conference on Computational Intelligence and Computing Research, 2014,pp.1157-1160.

[24] J.X Zhai, T.J Cao, X.Q Chen, et al., “Security on Dynamic ID-based Authentication Schemes,”International Journal of Security and Its Applications, vol. 9, no. 1, 2015, pp. 387-396.

[25] D Wang, P Wang, “Offline Dictionary Attack On Password Authentication Schemes Using Smart Cards,”Proc. 16th Information Security Conference, 2013, pp. 1-16.

[26] X.L Li, Q.Y Wen, H Zhang, et al., “Offline Password Guessing Attacks on Smart-card-based Remote User Authentication Schemes,”Proc.6th International Asia Conference on Industrial Engineering and Management Innovation, 2016,pp. 81-89.

[27] H.J Mahanta, A.K Azad, A.K Khan, “Power Analysis Attack: A Vulnerability to Smart Card Security,”Proc. IEEE International Conference on Signal Processing and Communication Engineering Systems, 2015, pp. 506-510.

[28] D Oswald, “Side-Channel Attacks on SHA-1-Based Product Authentication ICs,”Proc. International Conference on Smart Card Research and Advanced Applications, 2015, pp. 3-14.

[29] Y Li, M.T Chen, J Wang. “Introduction to Side-Channel Attacks and Fault Attacks,”Proc.IEEE Asia-Pacific International Symposium on Electromagnetic Compatibility, 2016, pp. 573-575.

[30] D Mishra, A.K Das, A Chaturvedi, et al., “A Secure Password-based Authentication and Key Agreement Scheme Using Smart Cards,”Journal of Information Security and Applications, vol. 23,2015, pp. 28-43.

[31] R Amin, S.K.H Islam, A Karati, et al., “Design of an Enhanced Authentication Protocol and Its Verification Using AVISPA,”Proc. IEEE 3rd International Conference on Recent Advances in Information Technology, 2016, pp. 404-409.

[32] A.H Shinde, A.J Umbarkar, “Analysis of Cryptographic Protocols AKI, ARPKI and OPT using ProVerif and AVISPA,”International Journal of Computer Network and Information Security,vol. 8, no. 3, 2016, pp. 34-40.

[33] L Viganò, “Automated security protocol analysis with the AVISPA tool,”Electronic Notes in Theoretical Computer Science, vol. 155, 2006, pp. 61-86.

[34] J.A.H Alegría, M.C Bastarrica, A Bergel, “AVISPA:a tool for analyzing software process models,”Journal of Software: Evolution and Process, vol.26, no. 4, 2014, pp. 434-450.