AN EFFICIENT TWO-SERVER AUTHENTICATION AND KEY EXCHANGE PROTOCOL FOR ACCESSING SECURE CLOUD SERVICES


(Received: 2017-12-14, Revised: 2018-02-13, Accepted: 2018-02-28)
To use cloud services such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) over an insecure channel, it is necessary to establish a symmetric key between the end user and the remote Cloud Service Server (CSS). In such a setting, both end parties demand proper auditing so that resources are used legitimately and privacy is maintained. Achieving this requires a robust authentication mechanism. A number of single-server authenticated key agreement protocols have been reported recently as solutions. However, they are vulnerable to many security threats, such as identity compromise, impersonation, man-in-the-middle, replay, Byzantine, offline dictionary and privileged-insider attacks. In addition, most of the existing protocols adopt a single-server authentication strategy, which is prone to single point of vulnerability and single point of failure issues. This work proposes an efficient password-based two-server authentication and key exchange protocol that addresses the major limitations of the existing protocols. Formal verification of the proposed protocol using Automated Validation of Internet Security Protocols and Applications (AVISPA) shows that it is provably secure. The informal security analysis substantiates that the proposed scheme successfully addresses the existing issues. The performance study indicates that the overhead of the protocol is reasonable and comparable with that of other schemes. The proposed protocol can be considered a robust authentication protocol for secure access to cloud services.
