On The Security of A Privacy-Aware Authentication Scheme For Distributed Mobile Cloud Computing Services


This article has been accepted for inclusion in a future issue of this journal.

Content is final as presented, with the exception of pagination.

IEEE SYSTEMS JOURNAL 1

Short Papers
On the Security of a Privacy-Aware Authentication Scheme for Distributed
Mobile Cloud Computing Services
Qi Jiang, Jianfeng Ma, and Fushan Wei

Abstract: Recently, Tsai and Lo proposed a privacy aware authentication scheme for distributed mobile cloud computing services. It is claimed that the scheme achieves mutual authentication and withstands all major security threats. However, we first identify that their scheme fails to achieve mutual authentication, because it is vulnerable to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including the problem of biometrics misuse, wrong password and fingerprint login, and no user revocation facility when the smart card is lost/stolen. Some suggestions are provided to avoid these design flaws in the future design of authentication schemes.

Index Terms: Authentication, bilinear pairing, mobile cloud computing, security, user anonymity, user untraceability.

Manuscript received June 22, 2015; revised November 01, 2015 and April 16, 2016; accepted May 20, 2016. This work was supported in part by National Science Foundation of China (61202389, U1405255, 61309016, 61372075, U1536202), in part by Natural Science Basic Research Plan in Shaanxi Province of China (2016JM6005), in part by Fundamental Research Funds for the Central Universities (JB161501), in part by the Priority Academic Program Development of Jiangsu Higher Education Institutions and Jiangsu Collaborative Innovation Center of Atmospheric Environment and Equipment Technology, in part by Specific project on research and development platform of Shanghai Science and Technology Committee (14DZ2294400).
Q. Jiang and J. Ma are with School of Cyber Engineering, Xidian University, Xi'an 710071, China (e-mail: [email protected]; [email protected]).
F. Wei is with the School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210000, and also with the State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China (e-mail: [email protected]).
Digital Object Identifier 10.1109/JSYST.2016.2574719

I. INTRODUCTION
Mobile cloud computing, a new computing paradigm integrating cloud computing into the mobile environment, brings new types of services and facilitates mobile users to take full advantages of cloud computing [1], [2]. In mobile cloud computing, mobile users can access computation results, resources, applications, and services that are stored, implemented, and deployed in the cloud by using mobile devices through wireless networks, such as wireless local area networks, 3G/4G telecommunication networks.

Since wireless networks underlying mobile cloud computing are vulnerable to a series of attacks, such as eavesdropping, replay, forgery, interception, and denial of service attacks, mutual authentication between the user and cloud service provider is indispensable to prevent illegal service access and defend the potential security attacks over the insecure networks. Additionally, as identity threats, such as identity masquerade and identity tracing, have become common attacks in wireless networks, there is a growing demand to protect user identity privacy. Furthermore, a mobile user generally accesses different types of mobile computing services. Therefore, it is essential to design a privacy aware authentication scheme which enables users to access various services from distinct service providers by using only one single private key or password. Apart from these issues, since mobile devices are relatively limited in computing capability and power compared with desktop computers, the scheme should be efficient in terms of computing. More desirably, the trusted third party, involved in user registration and service provider registration, is not required to participate in each user authentication session.

Most authentication protocols [3]–[6], which are designed for single server environment, are not suitable for distributed services environment in which multiple servers offer a plethora of services. Although traditional single sign-on (SSO) schemes such as Passport [7] and OpenID [8] are possible solutions to address this issue, these schemes require the trusted third party to participate in each user authentication session, which could become the bottleneck for traditional SSO systems.

To this end, Tsai and Lo [9] proposed an efficient authentication scheme using identity based cryptosystem [10] for distributed mobile cloud computing services. Their scheme has the following advantages. First, a mobile user can access multiple services from different mobile cloud service providers using only one single private key. Second, no verification table is required to be implemented at service providers or the trusted third party. Third, the trusted third party is not required to be involved in regular user authentication session, thus greatly reducing the total user authentication processing time. Finally, due to the usage of bilinear pairing in an elliptic curve [11], [12], their scheme incurs less computing resources on both the mobile devices and service providers [9].

It is claimed that the scheme achieves mutual authentication, key exchange, user anonymity, and user untraceability, and withstands all major security threats. However, we observe that their scheme fails to achieve mutual authentication, because it is vulnerable to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including misuse of biometrics, wrong password and fingerprint login, and no user revocation facility when the smart card is lost/stolen. We then provide some suggestions to avoid these design flaws in the future design of authentication schemes combining passwords, smart cards, and biometrics.

II. REVIEW OF TSAI AND LO'S SCHEME
In this section, we briefly review Tsai and Lo's scheme. The notations used in this paper are listed as follows.

1937-9234 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

1) $U_i$: A user $i$.
2) $SP_j$: A service provider $j$.
3) SCG: The smart card generator.
4) $P$: The generator of $G_1$.
5) $H$, $h$: One-way hash functions.
6) $H_1: Z_p \to Z_p$, $H_2: G_2 \to Z_p$, $H_3: Z_p \to Z_p$, $H_4: Z_p \to Z_p$, $h: Z_p \to G_1$.
7) $G_1$, $G_2$: A cyclic multiplicative group and a cyclic additive group of the same order $p$, respectively.
8) $e$: A pairing function $e: G_1 \times G_1 \to G_2$.
9) $\|$: The concatenation operation.
10) $s$, $P_{pub}$: The master private key and the corresponding public key of the SCG, respectively.
11) $ID_i$ ($ID_j$), $S_i$ ($S_j$): The identity and the private key of $U_i$ ($SP_j$), respectively. Note that $H_1(ID_i)$ ($H_1(ID_j)$) is the public key of $U_i$ ($SP_j$).
12) $K_{ij}$: The session key for $U_i$ and $SP_j$.

A. Scheme Details
In Tsai and Lo's scheme, there are three types of participants: $V = \{U_i \mid i = 1, \ldots, n\}$, $W = \{SP_j \mid j = 1, \ldots, m\}$, and SCG. Their scheme consists of three phases: system setup, registration, and authentication. The details of each phase are presented as follows.

System setup: SCG first chooses $s$ as its master private key and computes its public key $P_{pub} = sP$. Next, SCG computes $e(P, P)$ and publishes the public parameters $\{e, H_1, H_2, H_3, H_4, h, P, P_{pub}, e(P, P)\}$.

Registration: Each user $U_i$ (or service provider $SP_j$) sends the chosen identity $ID_i$ (or $ID_j$) to SCG. Upon receiving the identity, SCG computes $U_i$'s (or $SP_j$'s) private key $S_i = (s + H_1(ID_i))^{-1} P$. Next, SCG sends $S_i$ (or $S_j$) back to $U_i$ (or $SP_j$) through a secure channel. When obtaining the private key, $U_i$ computes $E_i = S_i \oplus h(PW_i \| f_i)$ and stores $E_i$ on his/her smart card, where $PW_i$ and $f_i$ are the password and the fingerprint of $U_i$, respectively. When receiving its private key, $SP_j$ stores it in the secure memory.

Authentication: When $U_i$ wants to access $SP_j$, $U_i$ submits the password and fingerprint to the smart card, which computes $S_i = E_i \oplus h(PW_i \| f_i)$. Then $U_i$ and $SP_j$ authenticate each other through the following steps, as is shown in Fig. 1.

Step 1: $U_i$ sends a service request to $SP_j$.
Step 2: $SP_j$ computes $Z = e(P, P)^a$, where $a$ is a random number. Next, $SP_j$ sends $Z$ to $U_i$.
Step 3: Upon receiving $Z$, $U_i$ generates a random number $b$, and computes
$K_{ij} = H_2(Z^b) = H_2(e(P, P)^{ab})$,
$K_2 = bP_{pub} + H_1(ID_j)bP$, $w = bP_{pub} + H_1(ID_i)bP$,
$s_i = (b + H_3(ID_i \| Z \| ID_j \| w \| K_{ij}))^{-1} S_i$,
$C_1 = K_{ij} \oplus (ID_i \| s_i \| w)$.
Then $U_i$ sends $(K_2, C_1)$ to $SP_j$.
Step 4: After receiving $(K_2, C_1)$ from $U_i$, $SP_j$ computes $K_{ij} = H_2(e(K_2, S_j)^a) = H_2(e(P, P)^{ab})$. Next, $SP_j$ retrieves $(ID_i \| s_i \| w) = K_{ij} \oplus C_1$. Then $SP_j$ checks whether $e(P, P)$ and $e(s_i, w + H_3(ID_i \| Z \| w \| K_{ij})Q_i)^a$ are equal, where $Q_i = P_{pub} + H_1(ID_i)P$. If these two values are equal, $U_i$ is an authorized user.
Step 5: $SP_j$ computes $D_i = H_4(K_{ij} \| Z \| ID_i \| ID_j)$ and sends it to $U_i$.
Step 6: Upon receiving $D_i$, $U_i$ computes $D_i' = H_4(K_{ij} \| Z \| ID_i \| ID_j)$ and checks whether $D_i'$ and $D_i$ are equivalent. If these two values are equivalent, the validity of $SP_j$ is ensured.

Fig. 1. Flowchart of Tsai and Lo's protocol.

III. SECURITY WEAKNESSES AND DESIGN FLAWS
In this section, we demonstrate that their scheme is prone to the service provider impersonation attack. Besides, their scheme also suffers from biometrics misuse, wrong password and fingerprint login, and no user revocation mechanism.

A. Service Provider Impersonation Attack
An adversary $A$ can impersonate any service provider and be authenticated by the mobile user. In practice, this vulnerability means that an adversary can trick the mobile user into accessing rogue services, which severely endangers user data security and privacy. The detail of the attack is presented as follows, as is illustrated in Fig. 2.

Step 1: $U_i$ sends login request to $SP_j$.
Step 2: After intercepting the login request, the adversary $A$ generates a random number $a$, computes $Z = e(P_{pub} + H_1(ID_j)P, P)^a$, and sends it to $U_i$.
Step 3: Upon receiving $Z$, $U_i$ generates a random number $b$, and computes the session key
$K_{ij} = H_2(Z^b) = H_2(e(P_{pub} + H_1(ID_j)P, P)^{ab})$,
$K_2 = bP_{pub} + H_1(ID_j)bP$, $w = bP_{pub} + H_1(ID_i)bP$,
$s_i = (b + H_3(ID_i \| Z \| ID_j \| w \| K_{ij}))^{-1} S_i$,
$C_1 = K_{ij} \oplus (ID_i \| s_i \| w)$.

Then $U_i$ sends $(K_2, C_1)$ to $SP_j$.
Step 4: $A$ intercepts $(K_2, C_1)$, computes
$K_{ij} = H_2(e(K_2, P)^a) = H_2(e(P_{pub} + H_1(ID_j)P, P)^{ab})$,
$(ID_i \| s_i \| w) = K_{ij} \oplus C_1$, $D_i = H_4(K_{ij} \| Z \| ID_i \| ID_j)$.
Then $A$ sends $D_i$ to $U_i$.
Step 5: $U_i$ checks the validity of $D_i$ upon receiving it.

Fig. 2. Flowchart of server impersonation attack.

As $U_i$ and $A$ share the same key $K_{ij}$, $D_i$ computed by $A$ could pass $U_i$'s verification. That is, the scheme is subject to the service provider impersonation attack. Thus, the scheme fails to achieve mutual authentication, which is essential for practical applications.

B. Misuse of Biometrics
In the authentication phase of Tsai and Lo's scheme, $U_i$ submits the password $PW_i$ and fingerprint $f_i$ to the smart card, which computes $S_i = E_i \oplus h(PW_i \| f_i)$ to retrieve the private key of $U_i$. Then $U_i$ and $SP_j$ proceed to the subsequent steps to authenticate each other. As is noted in [13] and [14], biometric matching is probabilistic in nature, which means that two biometric samples of the same individual are never exactly the same. As a result, $f_i$ in the registration phase and $f_i'$ in the authentication phase are not exactly the same. Since the outputs of the hash function are very sensitive to small perturbations in their inputs [15], it is of high probability that the retrieved private key $S_i'$ of $U_i$ is not equivalent to the original private key $S_i$ of $U_i$. Although $U_i$ can proceed with the subsequent steps, $SP_j$ will observe that the response $(K_2, C_1)$ is invalid, as $e(s_i, w + H_3(ID_i \| Z \| w \| K_{ij})Q_i)^a$ and $e(P, P)$ are not equal. Thus, $SP_j$ will reject $U_i$'s request. Actually, biometrics is misused in Tsai and Lo's scheme. Therefore, their scheme is incorrectly designed such that even the legitimate user cannot pass the verification of biometrics.

C. Wrong Password and Fingerprint Login
As is noted in [16], it is desired that there is an authentication test (also known as local password verification) to reject the login request if a legal user $U_i$ enters a wrong password. In Tsai and Lo's scheme, if $U_i$ mistakenly enters a wrong password, say $PW_i'$ ($PW_i' \neq PW_i$), then the smart card still computes $S_i' = E_i \oplus h(PW_i' \| f_i)$ instead of $S_i = E_i \oplus h(PW_i \| f_i)$. In this case, $U_i$ will send a wrong message $(K_2, C_1')$ instead of the valid message $(K_2, C_1)$. Thus, no authentication test is in place to reject wrong password. This problem also applies to the case of wrong fingerprint.

D. No Provision for Revocation
The revocation of lost/stolen smart card is essential for the practical deployment of smart card-based authentication schemes [16]. If a legal user's smartcard is lost or stolen, some mechanism must be in place to prevent the misuse of lost/stolen smartcard. To address this problem, the identity information is required to be maintained by the server, based on which the invalid smartcard will be detected [16]. However, in Tsai and Lo's scheme, no such information is maintained by the SCG. Therefore, their scheme does not take this feature into consideration, and is incapable of revoking lost/stolen card.

IV. POSSIBLE COUNTERMEASURES
To the best of our knowledge, there is no direct approach to remedy the major defect of service provider impersonation attack. To counteract this vulnerability, the scheme needs radical improvements, which deserves a full paper. Thus, we leave it as our future work.

Regarding these minor design flaws discussed in the previous section, we provide some suggestions to avoid them in the future design of three-factor authentication schemes.
1) A possible countermeasure to misuse of biometrics is to employ bio-cryptosystem, such as fuzzy extractor [17], [18] or fuzzy vault [19], instead of directly applying hash function to biometrics. The basic concept of fuzzy extractor is to generate the biometric key, i.e., a pair of strings $(P, R)$, from the biometrics, where $P$ is the help string and $R$ is the secret key. $R$ can be recovered if $P$ and a close enough biometrics are provided [20]. The error tolerance of fuzzy extractor is enabled by error correcting techniques. In fuzzy vault, a user generates a secret key and encrypts it by using his/her biometric template. The secret key can be recovered by providing the encrypted data and the corresponding biometrics [21], [22].
2) It is desired that an authentication test is in place to verify the correctness of $U_i$'s credentials, i.e., $ID_i$, $PW_i$, and $f_i$ before sending the message $(K_2, C_1)$. However, there is a tradeoff between fulfilling authentication test and resisting offline dictionary attack. A possible fix is to employ the concept of fuzzy verifier proposed by Wang et al. [23], [24]. On one hand, it can be used to provide timely wrong password

and fingerprint detection at login. On the other hand, the adversary has to perform online guessing to determine the correct password from as high as $2^{12}$ candidates [24], which can be relatively easily detected and thwarted by the server by using rate limiting and/or lockout policy.
3) To facilitate revocation, the SCG maintains the identity information in its database, based on which the invalid smart card will be detected [16].

V. CONCLUSION
We have analyzed an efficient and provably secure authentication scheme for mobile computing services by Tsai and Lo. Although their scheme is equipped with a claimed proof of provable security, we have pointed out that the scheme fails to achieve mutual authentication by demonstrating its vulnerability to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including the misuse of biometrics, wrong password and fingerprint login, and no user revocation facility when the smart card is lost/stolen. We have provided some suggestions to avoid these design flaws in the future design of authentication schemes combining passwords, smart cards, and biometrics. A natural direction for further study is to design a secure and efficient authentication scheme for distributed mobile cloud services.

REFERENCES
[1] H. T. Dinh et al., "A survey of mobile cloud computing: Architecture, applications, and approaches," Wireless Commun. Mobile Comput., vol. 13, no. 18, pp. 1587–1611, 2013.
[2] N. Fernando, S. W. Loke, and W. Rahayu, "Mobile cloud computing: A survey," Future Gener. Comput. Sys., vol. 29, no. 1, pp. 84–106, 2013.
[3] H. Li, Y. Dai, L. Tian, and H. Yang, "Identity-based authentication for cloud computing," in Proc. Cloud Comput., 2009, pp. 157–166.
[4] Q. Jiang, M. K. Khan, X. Lu, J. Ma, and D. He, "A privacy preserving three-factor authentication protocol for e-health clouds," J. Supercomput., 2016. DOI: 10.1007/s11227-015-1610-x.
[5] D. He, S. Zeadally, N. Kumar, and J.-H. Lee, "Anonymous authentication for wireless body area networks with provable security," IEEE Syst. J., 2016. DOI: 10.1109/JSYST.2016.2544805.
[6] Q. Jiang, J. Ma, X. Lu, and Y. Tian, "An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks," Peer-to-Peer Netw. Appl., vol. 8, no. 6, pp. 1070–1081, 2015.
[7] Microsoft, Windows Live ID. (2011). [Online]. Available: https://account.live.com/
[8] OpenID Foundation, OpenID Authentication 2.0. (2007). [Online]. Available: http://openid.net/specs/openid-authentication-2_0.html
[9] J. L. Tsai and N. W. Lo, "A privacy-aware authentication scheme for distributed mobile cloud computing services," IEEE Syst. J., vol. 9, no. 3, pp. 805–815, Sep. 2015.
[10] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Proc. Adv. Cryptol., 2001, vol. 2139, pp. 213–229.
[11] K. Lauter, "The advantages of elliptic curve cryptography for wireless security," IEEE Wireless Commun., vol. 11, no. 1, pp. 62–67, Feb. 2004.
[12] D. He, S. Zeadally, and L. Wu, "Certificateless public auditing scheme for cloud-assisted wireless body area networks," IEEE Syst. J., 2015, DOI: 10.1109/JSYST.2015.2428620.
[13] B. S. Abhilasha, S. Anna, and M. Shimon, "Privacy preserving multi-factor authentication with biometrics," J. Comput. Security, vol. 15, no. 5, pp. 529–560, 2007.
[14] D. He, N. Kumar, J.-H. Lee, and R. Sherratt, "Enhanced three-factor security protocol for USB consumer storage devices," IEEE Trans. Consum. Electron., vol. 60, no. 1, pp. 30–37, Feb. 2014.
[15] D. He and D. Wang, "Robust biometrics-based authentication scheme for multiserver environment," IEEE Syst. J., vol. 9, no. 3, pp. 816–823, Sep. 2015.
[16] V. Odelu, A. K. Das, and A. Goswami, "A secure biometrics-based multi-server authentication protocol using smart cards," IEEE Trans. Inf. Forensics Secur., vol. 10, no. 9, pp. 1953–1966, Sep. 2015.
[17] X. Huang, Y. Xiang, A. Chonka, J. Zhou, and R. H. Deng, "A generic framework for three-factor authentication: Preserving security and privacy in distributed systems," IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 8, pp. 1390–1397, Aug. 2011.
[18] Q. Jiang et al., "Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy," Nonlinear Dyn., vol. 83, no. 4, pp. 2085–2101, 2016.
[19] J. Yu, G. Wang, Y. Mu, and W. Gao, "An efficient and improved generic framework for three-factor authentication with provably secure instantiation," IEEE Trans. Inf. Forensics Security, vol. 9, no. 12, pp. 2302–2313, Dec. 2014.
[20] Y. Dodis, L. Reyzin, and A. Smith, "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," in Proc. Adv. Cryptol., 2004, pp. 523–540.
[21] A. Juels and M. Sudan, "A fuzzy vault scheme," in Proc. Int. Symp. Inf. Theory, 2002, p. 408.
[22] T. C. Clancy, "Secure smartcard-based fingerprint authentication," in Proc. ACM Workshop Biometrics: Methods Appl., 2003, pp. 45–52.
[23] D. Wang, D. He, P. Wang, and C.-H. Chu, "Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment," IEEE Trans. Dependable Secure Comput., vol. 12, no. 4, pp. 428–442, Jul./Aug. 2015.
[24] D. Wang and P. Wang, "On the usability of two-factor authentication," in Proc. 10th Int. Conf. Security Privacy Commun. Netw., Sep. 24–26, 2014, pp. 141–150.
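
Added example (not part of the paper): the algebra of the service provider impersonation attack in Section III-A, checked in Python with a toy pairing in which group elements are stored as their exponents modulo a prime, so it validates the equations only and has no security. The function names, the integer identities 1001 and 2002, the single tagged SHA-256 standing in for $H_1$ to $H_4$, and the reduction of $C_1$ to $K_{ij} \oplus ID_i$ are assumptions of this example.

```python
import hashlib
import secrets

# Toy model for checking the protocol algebra only (constructed, NOT secure):
# a G1 element xP and a G2 element e(P, P)^t are stored as the exponents
# x and t modulo the prime p, so the "pairing" is multiplication mod p.
p = 2**127 - 1
P = 1                                        # generator of G1

def smul(k, X): return (k * X) % p           # kX in G1
def add(X, Y): return (X + Y) % p            # X + Y in G1
def pair(X, Y): return (X * Y) % p           # e(X, Y)
def gpow(Z, k): return (Z * k) % p           # Z^k in G2
def rand(): return secrets.randbelow(p - 1) + 1

def H(tag, *parts):                          # stands in for H1..H4 (assumption)
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def scg_setup(id_sp):
    s = rand()                               # SCG master private key
    S_j = smul(pow(s + H("H1", id_sp), -1, p), P)
    return smul(s, P), S_j                   # (Ppub, private key of SP_j)

def user_step3(Ppub, id_u, id_sp, Z):
    b = rand()
    K_ij = H("H2", gpow(Z, b))
    K2 = add(smul(b, Ppub), smul(H("H1", id_sp) * b % p, P))
    return K_ij, K2, K_ij ^ id_u             # C1 reduced to K_ij XOR ID_i

def honest_sp(S_j, id_sp):
    a = rand()
    Z = gpow(pair(P, P), a)                  # Step 2 of the scheme
    def respond(K2, C1):                     # Steps 4-5: needs S_j
        K = H("H2", gpow(pair(K2, S_j), a))
        return H("H4", K, Z, K ^ C1, id_sp)
    return Z, respond

def impersonator(Ppub, id_sp):               # holds public values only
    a = rand()
    Z = gpow(pair(add(Ppub, smul(H("H1", id_sp), P)), P), a)
    def respond(K2, C1):
        K = H("H2", gpow(pair(K2, P), a))    # equals H2(Z^b) without S_j
        return H("H4", K, Z, K ^ C1, id_sp)
    return Z, respond

def user_accepts(Ppub, responder, id_u=1001, id_sp=2002):
    """Run Steps 2-6 from U_i's side; True if the Step 6 check passes."""
    Z, respond = responder
    K_ij, K2, C1 = user_step3(Ppub, id_u, id_sp, Z)
    D = respond(K2, C1)
    return D == H("H4", K_ij, Z, id_u, id_sp)

if __name__ == "__main__":
    Ppub, S_j = scg_setup(2002)
    print("honest SP_j accepted: ", user_accepts(Ppub, honest_sp(S_j, 2002)))
    print("impersonator accepted:", user_accepts(Ppub, impersonator(Ppub, 2002)))
```

Both responders pass the Step 6 check although only one of them holds $S_j$, which is why a matching $D_i$ does not authenticate $SP_j$ to the user.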
