Received: 2 September 2016 Revised: 6 October 2016 Accepted: 14 October 2016

DOI 10.1002/dac.3242

RESEARCH ARTICLE

A robust ElGamal-based password-authentication protocol using smart card for client-server communication

Tanmoy Maitra1, Mohammad S. Obaidat2, Ruhul Amin3, SK Hafizul Islam4, Shehzad Ashraf Chaudhry5, Debasis Giri6

1 Department of Computer Science and Engineering, Jadavpur University, Kolkata-700032, India
2 Fellow of IEEE and Fellow of SCS, Fordham University, Bronx, New York, USA
3 Department of Computer Science and Engineering, Thapar University, Patiala, 147004, Punjab, India
4 Department of Computer Science and Engineering, Indian Institute of Information Technology, Kalyani, 741235, West Bengal, India
5 Department of Computer Science & Software Engineering, International Islamic University Islamabad, Pakistan
6 Department of Computer Science and Engineering, Haldia Institute of Technology, Haldia, 726157, India

Correspondence
SK Hafizul Islam, Department of Computer Science and Engineering, IIIT Kalyani, West Bengal 741235, India.
Email: hafi786@gmail.com

Summary

Smart card-based client-server authentication protocols are widely used for secure data exchange over insecure and hostile networks. Recently, Lee et al. proposed an authentication protocol built on the ElGamal cryptosystem and claimed that it withstands the known security threats. This article shows that the protocol of Lee et al. fails to resist several important attacks, namely the forgery attack with a lost/stolen smart card, the off-line password-guessing attack, and the smart card forgery attack. To remove these weaknesses, this article presents a robust authentication protocol for client-server communication over insecure networks. The security of our protocol is analyzed through formal and informal arguments, and the outcome shows that the designed protocol resists the known attacks. In addition, we have simulated our protocol with the ProVerif tool, and the results confirm that the private information of the client and the server stays protected. This paper also estimates the performance of the presented protocol and of related protocols, and the outcome favors the presented protocol.

KEYWORDS

authentication, forgery attack, identity, password, smart card

1 INTRODUCTION

Client-server communication is the most generic setting in networked systems: the users' end is treated as the client, and clients obtain facilities and services by accessing a server through the Internet. Many real-world applications follow this model, such as e-medical systems,1,2 online payment systems,3 access to USB storage devices,4 grid computing,5 and so on. Because the communication passes over an insecure channel such as the Internet, an outsider may tamper with it. Thus, in such client-server environments (see Figure 1), one of the most widely accepted methods for restricting unauthorized access to the remote server is the smart card-based password authentication protocol,6–8 in which a legal client (user) and the server perform mutual authentication, after which the server provides resources or services to the client. Many cryptographic techniques are adopted to design such protocols, for example, hash functions,9 elliptic curves,10 bilinear pairings,11 chaotic maps,12,13 Rivest Shamir Adleman (RSA),14 and the ElGamal cryptosystem.15 Among these techniques, the hash function is light-weight and thus suitable for low-computing environments.16 In addition, a hash function is easy to use, and its implementation is simpler than that of the other cryptographic operations known so far.

One of the challenges of client-server user authentication is to withstand all possible threats from an attacker on an insecure network. To improve security and computational cost, many smart card-based authentication protocols have been put forward in the literature.17–24 In 2000, Hwang and Li17 designed a smart card-based mutual authentication protocol using the ElGamal cryptosystem25 and stated that it withstands several known attacks. The main advantage of their protocol17 is that it does not need a password-verifier table at the server end to prove the legitimacy of authorized users during login. Chan and Cheng18 pointed out that the protocol17 is not fully secure, because a legal user acting as an attacker can obtain the identity and password of other

Int J Commun Syst 2016; 1–12 wileyonlinelibrary.com/journal/dac Copyright © 2016 John Wiley & Sons, Ltd. 1
FIGURE 1 Communications in client-server environment

valid users even if the long-term secret key of the server is unknown. Moreover, Shen et al.20 showed that the protocol17 is insecure against the masquerading attack and devised an extended protocol to remedy this. After that, Leung et al.21 analyzed the protocol of Shen et al.20 and showed that it is insecure against the impersonation attack. In 2004, Yoon et al.22 designed a client-server password authentication protocol using a smart card and the generalized ElGamal signature. However, Tian et al.23 claimed that the protocol22 fails to achieve two-factor security, and they put forward an improved protocol. In 2009, Ramasamy and Muniyandi24 suggested a smart card-based authentication protocol using the ElGamal cryptosystem and claimed that it withstands all possible security threats, including the denial-of-service attack, the forgery attack, and the parallel session attack. Recently, Lee et al.15 demonstrated that the protocol24 does not withstand several security threats and does not provide important security properties, and they presented a new protocol to remove the flaws of the protocol.24

1.1 Motivations and contributions

The study of the previously designed protocols motivates us to offer a robust and efficient authentication protocol for client-server communication over insecure networks. Accordingly, we aimed to design a protocol that is robust against all known threats and is low cost compared with the other protocols. The contributions of this article are summarized below:

• We studied the protocol of Lee et al. and show that it fails to resist some important attacks, namely the forgery attack with a lost/stolen smart card, the off-line password guessing attack, and the smart card forgery attack.
• We then use the ElGamal cryptosystem to design a smart card-based client-server authentication protocol free of these flaws.
• Our formal and informal security analysis shows strong resilience against the threats known so far. Further, we have verified our protocol using the ProVerif tool.
• We show that the overall computation overhead of the designed protocol is lower than that of related protocols.

1.2 Construction of the paper

The outline of this article is as follows. Section 2 briefly reviews the protocol of Lee et al., and its cryptanalysis appears in Section 3. Our protocol is presented in Section 4, and its security is analyzed in Section 5. The performance of our protocol and of some earlier protocols is compared in Section 6. Section 7 concludes the paper.

2 REVIEW OF THE PROTOCOL OF LEE ET AL.

This section gives a brief description of the protocol of Lee et al.15 The protocol has five phases, namely the registration phase, login phase, authentication phase, key agreement phase, and password change phase. The notation is given in Table 1.

2.1 Registration phase

$U_i$ submits his or her $ID_i$ and $pw_i$ to $S$ over a secure channel. $S$ computes $A_i = h(ID_i \oplus h(x))$ and $B_i = A_i \oplus pw_i$, issues a fresh smart card, and stores $\langle A_i, B_i, h(\cdot)\rangle$ in it. Finally, $S$ sends the smart card to $U_i$ over a secure channel. The registration phase of the protocol of Lee et al. is shown in Figure 2.

2.2 Login phase

$U_i$ inserts his or her smart card into the card reader and inputs $pw_i$ and $ID_i$. The smart card then calculates
TABLE 1 Nomenclature

Symbol | Description
$U_i$ | User
$S$ | Remote server
$pw_i$ | Password of $U_i$
$ID_i$ | Identity of $U_i$
$SK_i$ | Session key
$h(\cdot)$ | One-way hash function
$T$ | Current timestamp
$x$ | Secret key of $S$
$PK$ | Public key of $S$
$G$ | A multiplicative group of prime order $p$
$g$ | Generator of group $G$
$\|$ | Concatenation operation
$\oplus$ | Bit-wise XOR operation
$\tilde{A}$ | Adversary/Attacker

$A_i' = pw_i \oplus B_i$. If $A_i' \neq A_i$, the smart card discontinues the session; otherwise, it calculates $C_i = A_i'^{\,r_i} \bmod p$, $D_i = h(T_i \oplus A_i') \bmod (p-1)$, $E_i = A_i'^{\,D_i} \bmod p$ and $F_i = E_i\,(C_i^{\,D_i}) \bmod p$, where the number $r_i$ is chosen randomly by the smart card and $T_i$ is the current login timestamp. Finally, the smart card sends the login message $\langle ID_i, C_i, F_i, T_i\rangle$ to $S$ over a public channel.

2.3 Authentication phase

Assume that $S$ receives $\langle ID_i, C_i, F_i, T_i\rangle$ at time $T_s$. $S$ first verifies the validity of $ID_i$ and $T_i$. If either is invalid, $S$ discontinues the session; otherwise, it calculates $A_i^* = h(ID_i \oplus h(x))$ and $D_i^* = h(T_i \oplus A_i^*) \bmod (p-1)$. $S$ then tests whether $F_i\,(C_i^{\,D_i^*})^{-1} \overset{?}{=} (A_i^*)^{D_i^*} \bmod p$. If the test fails, $S$ discontinues the session; otherwise, $S$ calculates $G_i = h(T_s \oplus A_i^*) \bmod (p-1)$ and $K_i = C_i^{\,G_i} \bmod p$, and sends the message $\langle K_i, T_s\rangle$ to $U_i$ over a public channel.

After receiving it, the smart card of $U_i$ checks the freshness of $T_s$. If it is not fresh, the smart card discontinues the session; otherwise, it computes $G_i' = h(T_s \oplus A_i') \bmod (p-1)$ and $K_i' = C_i^{\,G_i'} \bmod p$ and tests whether $K_i \overset{?}{=} K_i'$. If the verification succeeds, the smart card of $U_i$ is assured that $S$ is authentic; otherwise, it discontinues the session.

2.4 Key agreement phase

After successful mutual authentication between the smart card of $U_i$ and $S$, the session keys $SK_i = h(h(A_i') \oplus T_s)$ and $SK_s = h(h(A_i^*) \oplus T_s)$ are computed by the smart card of $U_i$ and by $S$, respectively. It can be observed that $SK_i = SK_s$. A pictorial representation of the login, authentication, and key agreement phases of the protocol of Lee et al.15 is given in Figure 3.

FIGURE 2 Registration phase of the protocol of Lee et al.

FIGURE 3 Login, authentication, and key agreement phases of the protocol of Lee et al.
2.5 Password change phase

$U_i$ inserts his or her smart card into the card reader and provides $pw_i$ and $ID_i$. The smart card calculates $A_i' = pw_i \oplus B_i$. If $A_i' \neq A_i$, the smart card discontinues the session; otherwise, it asks $U_i$ to enter a new password. Assume that $U_i$ keys a new password $pw_i^{[new]}$ into the smart card. The smart card then computes $B_i^{[new]} = A_i' \oplus pw_i^{[new]}$ and replaces $B_i$ with $B_i^{[new]}$.

3 CRYPTANALYSIS OF THE PROTOCOL OF LEE ET AL.

This section presents the forgery attack with a lost/stolen smart card, the off-line password guessing attack, and the smart card forgery attack against the protocol of Lee et al.15

3.1 Forgery attack with lost/stolen smart card

Assume that an adversary $\tilde{A}$ steals the smart card of $U_i$ and performs power monitoring analysis26,27 to extract the parameters from the memory of the smart card. Furthermore, $\tilde{A}$ intercepts a login request message $\langle ID_i, F_i, C_i, T_i\rangle$ sent by $U_i$ to $S$ at time $T_i$. Therefore, $\tilde{A}$ knows $\langle A_i, B_i, h(\cdot), ID_i\rangle$. After obtaining $ID_i$ and $A_i$, $\tilde{A}$ selects a current timestamp $T^{[a]}$ and a random number $r_{\tilde{A}}$. Then $\tilde{A}$ calculates $C_{\tilde{A}} = A_i^{\,r_{\tilde{A}}} \bmod p$, $D_{\tilde{A}} = h(T^{[a]} \oplus A_i) \bmod (p-1)$, $E_{\tilde{A}} = A_i^{\,D_{\tilde{A}}} \bmod p$ and $F_{\tilde{A}} = E_{\tilde{A}}\,(C_{\tilde{A}}^{\,D_{\tilde{A}}}) \bmod p$, and sends the forged login message $Login\_Req^{[forge]} = \langle ID_i, C_{\tilde{A}}, F_{\tilde{A}}, T^{[a]}\rangle$ to $S$.

After receiving $Login\_Req^{[forge]}$ from $\tilde{A}$ at time $T_s$, $S$ tests the validity of $ID_i$ and $T^{[a]}$. Note that $ID_i$ is a registered identity and $T^{[a]}$ is fresh, so both checks pass. $S$ then computes $A_i^* = h(ID_i \oplus h(x))$ and $D_{\tilde{A}}^* = h(T^{[a]} \oplus A_i^*) \bmod (p-1)$ and tests whether $F_{\tilde{A}}\,(C_{\tilde{A}}^{\,D_{\tilde{A}}^*})^{-1} \overset{?}{=} (A_i^*)^{D_{\tilde{A}}^*} \bmod p$. The two sides are always equal, because $\tilde{A}$ used the correct value of $A_i$ from the smart card. Therefore, $S$ computes $G_i = h(T_s \oplus A_i^*) \bmod (p-1)$ and $K_i = C_{\tilde{A}}^{\,G_i} \bmod p$, and sends the message $\langle K_i, T_s\rangle$ to $U_i$ over a public channel.

After receiving $\langle K_i, T_s\rangle$ from $S$, $\tilde{A}$ verifies the freshness of the timestamp $T_s$. If it is not fresh, the session is discontinued; otherwise, $\tilde{A}$ calculates $G_i = h(T_s \oplus A_i) \bmod (p-1)$ and $K_{\tilde{A}} = C_{\tilde{A}}^{\,G_i} \bmod p$ and tests whether $K_{\tilde{A}} \overset{?}{=} K_i$. This always holds, because $\tilde{A}$ knows the correct value of $A_i$ from the smart card. Therefore, $\tilde{A}$ has verified the authenticity of $S$ using the message $Login\_Req^{[forge]}$ and has successfully impersonated $U_i$. Note that the password $pw_i$ is never needed: every value the server checks is derived from $A_i$, which sits in the card memory in the clear.

• Extension of the forgery attack with lost/stolen smart card. Once $\tilde{A}$ has executed the forgery attack described above, it can continue the current session by establishing a shared secret session key with $S$ after computing $SK_{\tilde{A}} = h(h(A_i) \oplus T_s)$. Moreover, because the session key depends only on the long-term value $A_i$ and the public timestamp $T_s$, $\tilde{A}$ can also recompute the session keys of all earlier recorded sessions from their $T_s$ values. Therefore, the protocol of Lee et al.15 fails to achieve forward secrecy.

3.2 Password guessing attack with lost/stolen smart card

For convenience and easy memorization, users choose low-entropy passwords and reuse the same password across different servers. Therefore, it is reasonable to assume that the password of a user can be guessed by a dictionary attack (brute-force attack). We also assume that $\tilde{A}$ can learn the information stored in the smart card by monitoring its power consumption.26,27 As a result, the parameters $\langle A_i, B_i, h(\cdot), ID_i\rangle$ become known to $\tilde{A}$ once the lost/stolen smart card of $U_i$ is in its possession. Accordingly, $\tilde{A}$ performs the following steps to guess the password of $U_i$:

Step 1: $\tilde{A}$ guesses a password $pw_i^{[\tilde{A}]}$.
Step 2: $\tilde{A}$ computes $B_i^{[\tilde{A}]} = A_i \oplus pw_i^{[\tilde{A}]}$.
Step 3: $\tilde{A}$ checks whether $B_i^{[\tilde{A}]} = B_i$. If so, then $pw_i^{[\tilde{A}]} = pw_i$ and $\tilde{A}$ has found the password of $U_i$; otherwise, $\tilde{A}$ repeats Step 1 and Step 2 until the correct password of $U_i$ is found.

The time complexity of this attack is $\mathcal{O}(|\mathcal{D}_{pw}|) \times T_x \approx \mathcal{O}(|\mathcal{D}_{pw}|)$, where $\mathcal{D}_{pw}$ is the password dictionary and $T_x$ is the time complexity of the bit-wise XOR operation. From the discussion in a previous study,6 the password guessing attack is feasible because the dictionary is small in practice, for example, $|\mathcal{D}_{pw}| \leq 10^6$. Therefore, $\tilde{A}$ can guess the password of $U_i$ within a polynomial time bound. In fact, no dictionary is needed at all: since both $A_i$ and $B_i = A_i \oplus pw_i$ are stored in the card, $\tilde{A}$ recovers the password directly as $pw_i = A_i \oplus B_i$ with a single XOR, whatever its entropy.

3.3 Smart card forgery attack

If $\tilde{A}$ obtains the smart card of $U_i$ by some means, or steals it, he or she can extract the parameters $A_i$ and $B_i$ from the smart card by power monitoring analysis.26,27 Furthermore, $\tilde{A}$ intercepts a login request message $\langle ID_i, F_i, C_i, T_i\rangle$ of the session at time $T_i$. With the following steps, $\tilde{A}$ creates a duplicate smart card that is accepted as a valid smart card of $U_i$.

Step 1: $\tilde{A}$ selects a fake password $pw_i^{[twin]}$ randomly from the password dictionary.
Step 2: $\tilde{A}$ calculates $B_i^{[twin]} = pw_i^{[twin]} \oplus A_i$.
Step 3: $\tilde{A}$ creates a duplicate smart card by storing $\langle A_i, B_i^{[twin]}, h(\cdot)\rangle$ in it and uses it on behalf of $U_i$.

After creating the twin smart card, $\tilde{A}$ inserts it into a card reader and supplies $ID_i$ (known from the intercepted login message) and $pw_i^{[twin]}$. The supplied login credentials pass the card's check $pw_i^{[twin]} \oplus B_i^{[twin]} = A_i$, so the smart card generates a login message, and $S$ treats it as a valid message sent by $U_i$.

The above attack remains effective until $U_i$ has the lost/stolen smart card blocked.
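The protocol of Lee et al. and the three attacks of this section, as an added, runnable example that is not part of the original paper. It fixes a toy modulus $p = 2^{127}-1$ and SHA-256 as $h(\cdot)$ (assumptions of the example, not choices of Lee et al.), encodes identities and passwords as integers so that the paper's XOR arithmetic applies directly, and shows that every check $S$ performs can be satisfied from the card contents $\langle A_i, B_i\rangle$ alone. Function names and the 60-second timestamp window are the example's own.

```python
import hashlib
import secrets

# Toy public parameters, assumed for this demo (not from Lee et al.): p = 2^127 - 1 is
# prime, so exponents live in Z_(p-1) as the protocol requires; SHA-256 plays h(.).
P = (1 << 127) - 1
MAX_SKEW = 60  # accepted clock difference in seconds (the paper leaves it unspecified)

def h(v: int) -> int:
    """One-way hash h(.) over integers; the paper's h(a XOR b) is h(a ^ b) here."""
    return int.from_bytes(hashlib.sha256(v.to_bytes(64, "big")).digest(), "big")

def to_int(s: str) -> int:
    """Identities and passwords as integers, so the XOR arithmetic applies directly."""
    return int.from_bytes(s.encode(), "big")

# ---- Lee et al.: registration, login, authentication, key agreement ----

def lee_register(x: int, ID: int, pw: int) -> dict:
    """Registration on S: the card receives <A_i, B_i> with B_i = A_i XOR pw_i."""
    A = h(ID ^ h(x))
    return {"A": A, "B": A ^ pw}

def build_login(A: int, ID: int, T: int) -> tuple:
    """<ID_i, C_i, F_i, T_i> from A_i; the honest card and the forger run the same code."""
    r = secrets.randbelow(P - 2) + 1
    a = A % P
    C = pow(a, r, P)
    D = h(T ^ A) % (P - 1)
    return (ID, C, pow(a, D, P) * pow(C, D, P) % P, T)

def lee_login(card: dict, ID: int, pw: int, T: int):
    """Login on the card; returns (login message, A_i') or None if the password is wrong."""
    A_ = pw ^ card["B"]
    return None if A_ != card["A"] else (build_login(A_, ID, T), A_)

def lee_server_auth(x: int, msg: tuple, Ts: int):
    """Authentication on S: checks F_i (C_i^D*)^-1 == A*^D*; returns (<K_i, T_s>, SK_s)."""
    ID, C, F, T = msg
    if abs(Ts - T) > MAX_SKEW:
        return None
    A = h(ID ^ h(x))
    D = h(T ^ A) % (P - 1)
    if F * pow(pow(C, D, P), -1, P) % P != pow(A % P, D, P):
        return None
    G = h(Ts ^ A) % (P - 1)
    return (pow(C, G, P), Ts), h(h(A) ^ Ts)

def lee_client_verify(A: int, C: int, reply: tuple, now: int):
    """Card checks T_s freshness and K_i == C_i^G_i', then derives SK_i; None on failure."""
    K, Ts = reply
    if abs(now - Ts) > MAX_SKEW or pow(C, h(Ts ^ A) % (P - 1), P) != K:
        return None
    return h(h(A) ^ Ts)

# ---- Section 3 attacks; each starts from the card contents <A_i, B_i> ----

def attack_recover_password(card: dict) -> int:
    """Section 3.2 carried to its end: B_i = A_i XOR pw_i, so one XOR yields pw_i."""
    return card["A"] ^ card["B"]

def attack_dictionary(card: dict, dictionary):
    """Section 3.2 as written: try candidates until A_i XOR guess == B_i."""
    for guess in dictionary:
        if card["A"] ^ guess == card["B"]:
            return guess
    return None

def attack_forge_login(card: dict, ID: int, T: int):
    """Section 3.1: a login that S accepts, built from A_i alone; no password needed."""
    return build_login(card["A"], ID, T), card["A"]

def attack_twin_card(card: dict, pw_twin: int) -> dict:
    """Section 3.3: a duplicate card whose B_i is re-bound to the attacker's password."""
    return {"A": card["A"], "B": card["A"] ^ pw_twin}
```

The honest card and `attack_forge_login` share `build_login`, which makes the root cause visible: the card's password check only gates access to $A_i$, and $A_i$ is what the server actually authenticates, so anyone who reads the card memory bypasses the password entirely.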
4 PROPOSED PROTOCOL

This section presents an enhanced client-server authentication protocol that removes the weak points of the protocol of Lee et al. The enhanced protocol has six phases, namely (1) initialization, (2) user registration, (3) login, (4) authentication, (5) key agreement, and (6) password change.

4.1 Initialization phase

$S$ selects a generator $g$ of a multiplicative group $G$ of prime order $p$. $S$ then selects a private key $x$ and calculates the corresponding public key $PK = g^x \bmod p$. $S$ also selects a one-way cryptographic hash function $h(\cdot): \{0,1\}^* \rightarrow \{0,1\}^l$, where $l$ is the fixed output length in bits. Finally, $S$ publishes the information $\langle p, g, PK, h(\cdot)\rangle$.

4.2 User registration phase

$U_i$ submits $pw_i$ and $ID_i$ to $S$ over a secure channel. After receiving $\langle pw_i, ID_i\rangle$, $S$ chooses a random number $n_i$ and calculates $A_i = h(ID_i \oplus h(x))$, $pwr_i = h(pw_i \oplus n_i)$, $L_i = A_i \oplus pwr_i$, $B_i = h(A_i \,\|\, pwr_i)$ and $\hat{n}_i = n_i \oplus h(ID_i \oplus pw_i)$. $S$ then selects a fresh smart card for $U_i$, stores $\langle L_i, B_i, \hat{n}_i, h(\cdot)\rangle$ in it, sends the smart card to $U_i$ over a secure channel, and adds $h(h(A_i))$ to its database $user\_list$. Note that $S$ is a trusted party; therefore, no information such as $pw_i$ is disclosed by $S$, and $S$ does not try the password against the user's accounts on other servers. Furthermore, $S$ does not need to store the password in its database. As a result, we claim that there is no way to mount an insider attack on our protocol. Figure 4 shows the registration phase of our protocol.

4.3 Login phase

$U_i$ inserts the smart card into a card reader and provides $ID_i$ and $pw_i$. The smart card computes $n_i' = \hat{n}_i \oplus h(ID_i \oplus pw_i)$, $pwr_i' = h(pw_i \oplus n_i')$, $A_i' = L_i \oplus pwr_i'$ and $B_i' = h(A_i' \,\|\, pwr_i')$. If $B_i \neq B_i'$, the smart card discontinues the session; otherwise, it calculates $C_{i1} = A_i'^{\,r_i} \bmod p$, $C_{i2} = g^{r_i} \bmod p$, $D_i = h(T_i \oplus A_i') \bmod (p-1)$, $DID_i = ID_i \oplus h(PK^{r_i} \bmod p)$, $E_i = A_i'^{\,D_i} \bmod p$ and $F_i = E_i\,(C_{i1})^{D_i} \bmod p$, where $r_i$ is a random number chosen by the smart card and $T_i$ is the current timestamp. Finally, the smart card of $U_i$ sends the login message $\langle DID_i, C_{i1}, C_{i2}, F_i, T_i\rangle$ to $S$ over a public channel.

4.4 Authentication phase

After receiving $\langle DID_i, C_{i1}, C_{i2}, F_i, T_i\rangle$ at time $T_s$, $S$ first tests the validity of $T_i$. If the timestamp is invalid, $S$ discontinues the session; otherwise, it calculates $ID_i^* = DID_i \oplus h(C_{i2}^{\,x} \bmod p)$ and $A_i^* = h(ID_i^* \oplus h(x))$ and verifies whether $h(h(A_i^*))$ exists in its $user\_list$. Note that $C_{i2}^{\,x} = g^{r_i x} = PK^{r_i} \pmod p$, so $S$ removes exactly the mask that the card applied to $ID_i$. If $h(h(A_i^*))$ is not found in $user\_list$, $S$ stops the session; otherwise, it computes $D_i^* = h(T_i \oplus A_i^*) \bmod (p-1)$ and checks whether $F_i\,(C_{i1}^{\,D_i^*})^{-1} \overset{?}{=} (A_i^*)^{D_i^*} \bmod p$. If the check fails, $S$ discontinues the session; otherwise, it computes $G_i = h(T_s \oplus A_i^*) \bmod (p-1)$ and $K_i = C_{i1}^{\,G_i} \bmod p$, and sends the message $\langle K_i, T_s\rangle$ to $U_i$ over a public channel.

After receiving the message $\langle K_i, T_s\rangle$ from $S$, the smart card checks the freshness of the timestamp $T_s$. If it is not fresh, the session is discontinued; otherwise, the smart card computes $G_i' = h(T_s \oplus A_i') \bmod (p-1)$ and $K_i' = C_{i1}^{\,G_i'} \bmod p$ and tests whether $K_i \overset{?}{=} K_i'$. If the test succeeds, mutual authentication is achieved; otherwise, the smart card rejects the current session.

4.5 Key agreement phase

After the mutual authentication (see Section 4.4), $S$ and $U_i$ agree on the shared secret session key $SK_i = h(h(A_i') \oplus T_s)$ and $SK_s = h(h(A_i^*) \oplus T_s)$, respectively, and it can be observed that $SK_i = SK_s$. Note that the session key depends only on the long-term value $A_i$ and the public timestamp $T_s$, not on the ephemeral exponent $r_i$; a party who later learns $A_i$ can therefore recompute the session keys of earlier recorded sessions from their $T_s$ values, so this key agreement phase does not provide forward secrecy.

The pictorial representation of the proposed protocol is given in Figure 5.

4.6 Password change phase

$U_i$ inserts the smart card into a card reader and provides $ID_i$ and $pw_i$. The smart card computes $n_i' = \hat{n}_i \oplus h(ID_i \oplus pw_i)$, $pwr_i' = h(pw_i \oplus n_i')$, $A_i' = L_i \oplus pwr_i'$ and $B_i' = h(A_i' \,\|\, pwr_i')$. If $B_i \neq B_i'$, the smart card discontinues the session; otherwise, it asks $U_i$ for a new password. Assume that $U_i$ keys a new password $pw_i^{[new]}$ into the smart card. After getting

FIGURE 4 Registration phase of the proposed protocol
FIGURE 5 Login, authentication, and key agreement phases of the proposed protocol

$pw_i^{[new]}$ from $U_i$, the smart card further computes $pwr_i^{[new]} = h(pw_i^{[new]} \oplus n_i')$, $L_i^{[new]} = A_i' \oplus pwr_i^{[new]}$, $B_i^{[new]} = h(A_i' \,\|\, pwr_i^{[new]})$ and $\hat{n}_i^{[new]} = n_i' \oplus h(ID_i \oplus pw_i^{[new]})$. The smart card then replaces $\langle B_i, L_i, \hat{n}_i\rangle$ with $\langle B_i^{[new]}, L_i^{[new]}, \hat{n}_i^{[new]}\rangle$.

5 SECURITY DISCUSSIONS

This section discusses the security of our protocol. It is reasonable to assume that $\tilde{A}$ may steal $user\_list$ from $S$, intercept the login and authentication messages, and use this information to look for weaknesses in the proposed protocol. Furthermore, $\tilde{A}$ can obtain a lost smart card and extract the information stored in it by power analysis.26,27

5.1 Informal analysis

This section presents several propositions to show that the presented protocol is efficient and free from the known attacks.

Proposition 1. No secret information can be extracted from the communication messages between $U_i$ and $S$, even if $\tilde{A}$ mounts the stolen smart card attack and steals $user\_list$ from $S$.

Proof. Under the above assumptions, the information $\langle h(h(A_i)), L_i, B_i, \hat{n}_i, DID_i, C_{i1}, C_{i2}, F_i, T_i, K_i, T_s\rangle$ is known to $\tilde{A}$, who attempts to extract the confidential information of $U_i$ and $S$.

• From the smart card $\langle L_i, B_i, \hat{n}_i\rangle$: We have $L_i = A_i \oplus pwr_i = A_i \oplus h(pw_i \oplus n_i) = h(ID_i \oplus h(x)) \oplus h(pw_i \oplus n_i)$ and $B_i = h(A_i \,\|\, pwr_i)$. The value $n_i = \hat{n}_i \oplus h(ID_i \oplus pw_i)$ becomes known to $\tilde{A}$ only if both the password $pw_i$ and the identity $ID_i$ of $U_i$ are known to him or her. To unmask $\hat{n}_i$, $\tilde{A}$ has to guess $pw_i$ and $ID_i$ at the same time, which is infeasible in polynomial time when both are unknown. As $\hat{n}_i$ cannot be unmasked, $x$ cannot be found from $L_i$ and $B_i$. Furthermore, from $h(h(A_i)) = h(h(h(ID_i \oplus h(x))))$ it is hard to extract $h(A_i)$, $A_i$, $ID_i$ and $x$ owing to the one-wayness of the hash function. Therefore, $\langle ID_i, pw_i, n_i, x\rangle$ cannot be obtained by $\tilde{A}$ from the smart card's information. Note that this argument treats $ID_i$ as a second secret: if $\tilde{A}$ knows $ID_i$, the card contents alone allow an off-line check of each candidate password by recomputing $n_i'$, $pwr_i'$ and $A_i'$ and comparing $h(A_i' \,\|\, pwr_i')$ with $B_i$, exactly as the card does in the login phase. Identities must therefore be kept confidential and be hard to guess.

• From the login message $\langle F_i, DID_i, T_i, C_{i1}, C_{i2}\rangle$: From the known values $C_{i1} = A_i^{\,r_i} \bmod p$ and $C_{i2} = g^{r_i} \bmod p$, $\tilde{A}$ cannot compute $r_i$ because of the hardness of the Discrete Logarithm Problem (DLP)6 and because $A_i$ is unavailable. Furthermore, $\tilde{A}$ cannot compute $h(PK^{r_i} \bmod p) = h(g^{r_i x} \bmod p)$ from $PK = g^x \bmod p$ and $C_{i2} = g^{r_i} \bmod p$ because of the hardness of the Computational Diffie-Hellman Problem.6 As a result, $\tilde{A}$ cannot compute $ID_i$ from $DID_i = ID_i \oplus h(PK^{r_i} \bmod p)$. Furthermore, from $F_i = E_i\,(C_{i1})^{D_i} \bmod p = A_i^{\,D_i}\,(A_i)^{r_i D_i} \bmod p = A_i^{\,D_i(r_i+1)} \bmod p$, $\tilde{A}$ cannot compute $r_i$ and $D_i$ because of the hardness of the DLP. Moreover, the login message is independent of the password of $U_i$; therefore, there is no way to extract $pw_i$ from the login message. Thus, the information $\langle ID_i, pw_i, x\rangle$ cannot be extracted by $\tilde{A}$ from the login message.
• From the reply message $\langle K_i, T_s\rangle$: From the known value $K_i = C_{i1}^{\,G_i} \bmod p = C_{i1}^{\,h(T_s \oplus A_i) \bmod (p-1)} \bmod p$, $\tilde{A}$ cannot retrieve $G_i$ from $K_i$ because of the hardness of the DLP, even though $C_{i1}$ is known from the intercepted login message. As a result, $\tilde{A}$ is unable to extract $A_i$, and thus fails to obtain $ID_i$ and $x$.

Proposition 2. $\tilde{A}$ cannot perform a forgery attack against the proposed protocol even if he or she is allowed to mount the lost/stolen smart card attack and captures the login and authentication messages.

Proof. Under the assumptions of Proposition 1, $\tilde{A}$ tries to mount a forgery attack on our protocol with the following steps:

• $\tilde{A}$ guesses an identity $ID_{\tilde{A}}$, a secret key $x_{\tilde{A}}$, a number $r_{\tilde{A}}$ and a fresh timestamp $T_{\tilde{A}}$.
• $\tilde{A}$ computes $A_{\tilde{A}} = h(ID_{\tilde{A}} \oplus h(x_{\tilde{A}}))$, $C_{\tilde{A}1} = A_{\tilde{A}}^{\,r_{\tilde{A}}} \bmod p$, $C_{\tilde{A}2} = g^{r_{\tilde{A}}} \bmod p$, $D_{\tilde{A}} = h(T_{\tilde{A}} \oplus A_{\tilde{A}}) \bmod (p-1)$, $DID_{\tilde{A}} = ID_{\tilde{A}} \oplus h(PK^{r_{\tilde{A}}} \bmod p)$, $E_{\tilde{A}} = A_{\tilde{A}}^{\,D_{\tilde{A}}} \bmod p$ and $F_{\tilde{A}} = E_{\tilde{A}}\,(C_{\tilde{A}1})^{D_{\tilde{A}}} \bmod p$. Finally, $\tilde{A}$ sends the login message $\langle F_{\tilde{A}}, DID_{\tilde{A}}, T_{\tilde{A}}, C_{\tilde{A}1}, C_{\tilde{A}2}\rangle$ to $S$.
• After receiving $\langle F_{\tilde{A}}, DID_{\tilde{A}}, T_{\tilde{A}}, C_{\tilde{A}1}, C_{\tilde{A}2}\rangle$ from $\tilde{A}$ at time $T_s$, $S$ first tests the validity of $T_{\tilde{A}}$, which always passes because $\tilde{A}$ chose it fresh. $S$ then computes $ID_{\tilde{A}}^* = DID_{\tilde{A}} \oplus h(C_{\tilde{A}2}^{\,x} \bmod p)$ and $A_{\tilde{A}}^* = h(ID_{\tilde{A}}^* \oplus h(x))$ and checks whether $h(h(A_{\tilde{A}}^*))$ is present in its $user\_list$. This succeeds only if $ID_{\tilde{A}}$ is a registered identity of $S$, and the subsequent check $F_{\tilde{A}}\,(C_{\tilde{A}1}^{\,D^*})^{-1} \overset{?}{=} (A_{\tilde{A}}^*)^{D^*} \bmod p$ succeeds only if $A_{\tilde{A}} = A_{\tilde{A}}^*$, that is, if $\tilde{A}$ also guessed the secret key of $S$ correctly, $x_{\tilde{A}} = x$. Hence $\langle F_{\tilde{A}}, DID_{\tilde{A}}, T_{\tilde{A}}, C_{\tilde{A}1}, C_{\tilde{A}2}\rangle$ is accepted as a valid login message only if both the identity of $U_i$ and the secret key of $S$ are compromised. But the secret key of $S$ is unknown to $\tilde{A}$. Therefore, $\tilde{A}$ cannot mount this kind of forgery attack.

Proposition 3. $\tilde{A}$ cannot compute the shared session key of the proposed protocol even if $\tilde{A}$ mounts the lost/stolen smart card attack, steals $user\_list$ from $S$, and keeps the information from the login and authentication messages of $U_i$ and $S$.

Proof. According to Proposition 1, no secret information leaks from the smart card or from the intercepted messages. Because $A_i$ is secret, it cannot be computed by $\tilde{A}$. In our protocol, the shared session key $SK_i = h(h(A_i') \oplus T_s)$ or $SK_s = h(h(A_i^*) \oplus T_s)$ is computed from $A_i$; as a result, $\tilde{A}$ cannot compute the session key. The only remaining way for $\tilde{A}$ to disclose the session key is to mount the forgery attack on our protocol, but Proposition 2 shows that $\tilde{A}$ cannot mount any forgery attack. Hence, the session key is secure from $\tilde{A}$.

Proposition 4. $\tilde{A}$ cannot trace a legal user $U_i$ even if $\tilde{A}$ keeps the information from the login messages of different sessions.

Proof. Assume that $\tilde{A}$ intercepts all login messages between $U_i$ and $S$ over different sessions. He or she cannot tell that two different sessions were executed by $U_i$, because every parameter of the login message $\langle F_i, DID_i, T_i, C_{i1}, C_{i2}\rangle$ other than the timestamp is randomized and the login message differs in each session. More formally, $C_{i1} = A_i'^{\,r_i} \bmod p$, $C_{i2} = g^{r_i} \bmod p$, $D_i = h(T_i \oplus A_i') \bmod (p-1)$, $DID_i = ID_i \oplus h(PK^{r_i} \bmod p)$, $E_i = A_i'^{\,D_i} \bmod p$ and $F_i = E_i\,(C_{i1})^{D_i} \bmod p$, and it can be seen that $C_{i1}$, $C_{i2}$, $DID_i$ and $F_i$ all depend on the random number $r_i$. If any parameter of the login message were static across sessions, $\tilde{A}$ could trace the location and activities of $U_i$ and the anonymity of $U_i$ would be lost. But since each parameter is computed with the fresh random number $r_i$, and $ID_i$ cannot be retrieved by $\tilde{A}$ (see Proposition 1), the presented protocol provides untraceability of the user as well as user anonymity.

Proposition 5. $\tilde{A}$ cannot perform the smart card forgery attack on the proposed protocol even if $\tilde{A}$ is allowed to execute the lost/stolen smart card attack and capture the login and authentication messages of $U_i$ and $S$.

Proof. From Proposition 1, none of the secret information leaks to $\tilde{A}$ from the known parameters. To create a duplicate smart card, $\tilde{A}$ has to know $A_i = h(ID_i \oplus h(x))$; however, $A_i$ cannot be retrieved from the login and authentication messages, as shown in Proposition 1. Instead, $\tilde{A}$ can guess an identity $ID_i^{[twin]}$ (the identity is not public in the proposed protocol and cannot be traced by $\tilde{A}$, as shown in Propositions 1 and 4), a password $pw_i^{[twin]}$, a number $n_i^{[twin]}$, and a secret key $x^{[twin]}$ of $S$. Then $\tilde{A}$ computes $A_i^{[twin]} = h(ID_i^{[twin]} \oplus h(x^{[twin]}))$, $pwr_i^{[twin]} = h(pw_i^{[twin]} \oplus n_i^{[twin]})$, $L_i^{[twin]} = A_i^{[twin]} \oplus pwr_i^{[twin]}$, $B_i^{[twin]} = h(A_i^{[twin]} \,\|\, pwr_i^{[twin]})$ and $\hat{n}_i^{[twin]} = n_i^{[twin]} \oplus h(ID_i^{[twin]} \oplus pw_i^{[twin]})$, and stores $\langle L_i^{[twin]}, B_i^{[twin]}, \hat{n}_i^{[twin]}, h(\cdot)\rangle$ in a duplicate smart card.

Now, to employ the duplicate smart card, $\tilde{A}$ inserts it into the card reader and supplies $ID_i^{[twin]}$ and $pw_i^{[twin]}$. The smart card accepts these inputs and lets $\tilde{A}$ generate a login message: it computes $C_{i1}^{[twin]} = (A_i^{[twin]})^{r_i} \bmod p$, $C_{i2}^{[twin]} = g^{r_i} \bmod p$, $D_i^{[twin]} = h(T_i \oplus A_i^{[twin]}) \bmod (p-1)$, $DID_i^{[twin]} = ID_i^{[twin]} \oplus h(PK^{r_i} \bmod p)$, $E_i^{[twin]} = (A_i^{[twin]})^{D_i^{[twin]}} \bmod p$ and $F_i^{[twin]} = E_i^{[twin]}\,(C_{i1}^{[twin]})^{D_i^{[twin]}} \bmod p$, where $r_i$ is a random number chosen by the smart card and $T_i$ is the current login timestamp of $\tilde{A}$. Finally, $\tilde{A}$ sends the login message $\langle DID_i^{[twin]}, C_{i1}^{[twin]}, C_{i2}^{[twin]}, F_i^{[twin]}, T_i\rangle$ to $S$ over a public channel.
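The proposed protocol end to end, as an added, runnable example that is not part of the original paper: it covers Section 4 (initialization through password change), the duplicate-card login attempt of this proof, and the card-only password check noted under Proposition 1. The modulus $p = 2^{127}-1$, the generator $g = 3$, SHA-256 as $h(\cdot)$, the 60-second timestamp window and all function names are assumptions of the example, not choices made by the paper.

```python
import hashlib
import secrets

# Toy public parameters, assumed for this demo (not from the paper): p = 2^127 - 1 is
# prime, g = 3 serves as generator; a deployment would use a standard large group.
P = (1 << 127) - 1
GEN = 3
MAX_SKEW = 60  # accepted clock difference in seconds; the paper leaves it unspecified

def h(v: int) -> int:
    """One-way hash h(.) over integers; the paper's h(a XOR b) is h(a ^ b) here."""
    return int.from_bytes(hashlib.sha256(v.to_bytes(64, "big")).digest(), "big")

def hcat(a: int, b: int) -> int:
    """h(a || b), used for B_i."""
    return int.from_bytes(hashlib.sha256(a.to_bytes(64, "big") + b.to_bytes(64, "big")).digest(), "big")

def to_int(s: str) -> int:
    """Identities and passwords as integers, so the XOR arithmetic applies directly."""
    return int.from_bytes(s.encode(), "big")

def server_setup() -> dict:
    """Initialization phase: secret x, public key PK = g^x mod p, empty user_list."""
    x = secrets.randbits(256)
    return {"x": x, "PK": pow(GEN, x, P), "user_list": set()}

def register(server: dict, ID: int, pw: int) -> dict:
    """User registration phase on S; returns the card contents <L_i, B_i, n_hat_i>.
    Run against a fake server dict {"x": x_guess, "user_list": set()} it also builds
    the twin card of Proposition 5, whose A differs from the real A_i unless x_guess == x."""
    n = secrets.randbits(256)
    A = h(ID ^ h(server["x"]))
    pwr = h(pw ^ n)
    server["user_list"].add(h(h(A)))
    return {"L": A ^ pwr, "B": hcat(A, pwr), "nhat": n ^ h(ID ^ pw)}

def card_unlock(card: dict, ID: int, pw: int):
    """The card's local check of (ID_i, pw_i); returns (A_i', n_i') or None."""
    n_ = card["nhat"] ^ h(ID ^ pw)
    pwr_ = h(pw ^ n_)
    A_ = card["L"] ^ pwr_
    return (A_, n_) if hcat(A_, pwr_) == card["B"] else None

def build_login(A: int, ID: int, PK: int, T: int) -> tuple:
    """<DID_i, C_i1, C_i2, F_i, T_i> from A_i; a twin card runs exactly the same code."""
    r = secrets.randbelow(P - 2) + 1
    a = A % P
    C1, C2 = pow(a, r, P), pow(GEN, r, P)
    D = h(T ^ A) % (P - 1)
    DID = ID ^ h(pow(PK, r, P))
    return (DID, C1, C2, pow(a, D, P) * pow(C1, D, P) % P, T)

def login(card: dict, ID: int, pw: int, PK: int, T: int):
    """Login phase on the card; returns (login message, A_i') or None on wrong inputs."""
    u = card_unlock(card, ID, pw)
    return None if u is None else (build_login(u[0], ID, PK, T), u[0])

def server_auth(server: dict, msg: tuple, Ts: int):
    """Authentication phase on S; returns (<K_i, T_s>, SK_s) or None on any failed check."""
    DID, C1, C2, F, T = msg
    if abs(Ts - T) > MAX_SKEW:
        return None
    x = server["x"]
    ID = DID ^ h(pow(C2, x, P))  # C_i2^x = g^(r_i x) = PK^r_i, so this unmasks DID_i
    A = h(ID ^ h(x))
    if h(h(A)) not in server["user_list"]:
        return None
    D = h(T ^ A) % (P - 1)
    if F * pow(pow(C1, D, P), -1, P) % P != pow(A % P, D, P):
        return None
    G = h(Ts ^ A) % (P - 1)
    return (pow(C1, G, P), Ts), h(h(A) ^ Ts)

def client_verify(A: int, C1: int, reply: tuple, now: int):
    """Card checks T_s freshness and K_i == C_i1^G_i', then derives SK_i; None on failure."""
    K, Ts = reply
    if abs(now - Ts) > MAX_SKEW or pow(C1, h(Ts ^ A) % (P - 1), P) != K:
        return None
    return h(h(A) ^ Ts)

def change_password(card: dict, ID: int, pw: int, pw_new: int):
    """Password change phase, done on the card without contacting S."""
    u = card_unlock(card, ID, pw)
    if u is None:
        return None
    A_, n_ = u
    pwr_new = h(pw_new ^ n_)
    return {"L": A_ ^ pwr_new, "B": hcat(A_, pwr_new), "nhat": n_ ^ h(ID ^ pw_new)}

def offline_guess(card: dict, ID_known: int, dictionary):
    """Caveat under Proposition 1: with ID_i known, the card contents test each candidate pw."""
    for guess in dictionary:
        if card_unlock(card, ID_known, guess) is not None:
            return guess
    return None
```

Two details of the server path are worth noting. When the twin card is built with the correct $ID_i$ but a wrong $x$, the $user\_list$ lookup passes (the server unmasks the genuine identity from $DID_i$) and it is the $F_i$ check that rejects the login; with a wrong identity guess the $user\_list$ lookup already fails. And `offline_guess` succeeds only when it is called with the genuine $ID_i$, which is the paper's point that identity and password must be guessed together.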
8 MAITRA ET AL.

After receiving ⟨DID[twin] , Ci[twin] , Ci[twin] , Fi[twin] , Ti ⟩ at T s ,S Therefore, it can be claimed that the presented protocol offers
i 1 2
first tests the validity of T i . It will always valid, therefore, robust mutual authentication between U i and S.
x
S computes ID∗i = DID[twin] i
⊕ h(Ci[twin] mod p), A∗i =
2
h(ID∗i ⊕ h(x)) and checks whether h(h(A∗i )) is present into its
user_list. But, h(h(A∗i )) will appear into its user_list if à cor- 5.2 Formal analysis
rectly guesses the identity ID[twin]i
and the secret key x[twin] . This section demonstrates the security analysis of our protocol
More formally, if à obtains the secret key x of S and the iden- based on the random oracle model, which is a generic group
tity IDi of U i , then only à can get success to mount this attack. model and it is used to analyze the security of the client-server
But, according to the Proposition 1, no secret information will authentication protocols. The random oracles are defined in
be leaked from the known parameters. Therefore, Ã has no the following:
chance to correctly guess the secret key and identity without
• racle: racle is a random oracle. If a hash value c (=
any proper knowledge. As a result, S rejects the login message
̃ Hence, Ã cannot mount the smart card forgery attack on H(m)) is given to it, it unconditionally produces m from c.
of A.
• racle: racle is a random oracle. It uncondi-
the proposed protocol.
tionally produces x from the given values g and PK = gx
mod p.
Proposition 6. In the login and password change phases of
proposed protocol, smart card correctly verifies the login Defination 1. If Adv (t ) is the advantage for the time dura-
 1
inputs of U i before generating the login message and before tion t1 of a polynomial tie bounded adversary  to choose
changing $U_i$'s password.

Proof. We observed that the login phase of our protocol allows the smart card to compute $n'_i = \hat{n}_i \oplus h(ID_i \oplus pw_i)$, $pwr'_i = h(pw_i \oplus n'_i)$, $A'_i = L_i \oplus pwr'_i$ and $B'_i = h(A'_i \,\|\, pwr'_i)$ after getting the inputs from $U_i$, i.e., $ID_i$ and $pw_i$. Then the smart card checks whether $B'_i \stackrel{?}{=} B_i$. If the verification is unsuccessful, the smart card refuses to accept $U_i$ as the legal user. Therefore, if $U_i$ provides wrong login inputs by mistake, the smart card correctly identifies this discrepancy. As a result, there is no chance of a false positive login message from the user side, which reduces the communication overhead.

In the password change phase, the smart card also checks for wrong login inputs as mentioned above. After verifying the login details, the smart card gives permission to the user to change the old password to a new password. In addition, our protocol allows the user to change the password without taking any help from the server. Therefore, it can be claimed that the proposed protocol achieves an efficient password change phase.

$c_1, c_2 \in A$ so that $H(c_1) = H(c_2)$ for different values of $c_1$ and $c_2$, we can take into account that $\mathrm{Adv}_{\mathcal{A}}(t_1)$ is the probability in the advantage that is calculated by $\mathcal{A}$ for the random choices within the time span $t_1$. Then the hash function $h(\cdot)$ is said to be collision-resistant if $\mathrm{Adv}_{\mathcal{A}}(t_1) \leqslant \zeta_1$, for some negligible function $\zeta_1$. Following is the representation of $\mathrm{Adv}_{\mathcal{A}}(t_1)$:

$$\mathrm{Adv}_{\mathcal{A}}(t_1) = \Pr\big[(c_1, c_2) \in_R A \times A \mid (c_1 \neq c_2) \wedge H(c_1) = H(c_2)\big], \qquad (1)$$

where $\Pr[E]$ denotes the probability of event $E$.

Definition 2. The DLP is defined as follows. It is hard to discover $x \in Z_p^*$ from given $R$ and $g$ such that $R = g^x \bmod p$. If $\mathrm{Adv}^{DLP}_{\mathcal{A}}(t_2)$ is the advantage of $\mathcal{A}$ to find $x \in Z_p^*$ from given $R$ and $g$ such that $R = g^x \bmod p$, for the time span $t_2$, we can take into account that $\mathrm{Adv}^{DLP}_{\mathcal{A}}(t_2)$ is the probability in the advantage that is calculated by $\mathcal{A}$ for the random choices within the time span $t_2$. Then the DLP is called a hard problem if $\mathrm{Adv}^{DLP}_{\mathcal{A}}(t_2) \leqslant \zeta_2$, for some negligible function $\zeta_2$. The representation of $\mathrm{Adv}^{DLP}_{\mathcal{A}}(t_2)$ is as follows:

$$\mathrm{Adv}^{DLP}_{\mathcal{A}}(t_2) = \Pr\big[x \in Z_p^* \mid R = g^x \bmod p\big], \qquad (2)$$
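The card-side login check and the server-free password change from the proof of Proposition 11 above, as an added Python example that is not the paper's code: $h(\cdot)$ is modelled by SHA-256 truncated to 128 bits, $ID_i$ and $pw_i$ are padded to 128-bit blocks, $A_i$ is supplied as an opaque card secret, and the way the stored triple is refreshed on password change is an assumption, since the excerpt does not spell it out.

```python
import hashlib
import hmac

# Constructed example (not the paper's code): the smart card's local login check
# and server-free password change described in the proof of Proposition 11.
HASH_LEN = 16  # 128-bit digests, matching the paper's cost-model assumption

def h(data: bytes) -> bytes:
    """Stand-in for the paper's h(.): SHA-256 truncated to 128 bits (assumption)."""
    return hashlib.sha256(data).digest()[:HASH_LEN]

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def pad128(s: str) -> bytes:
    """Encode IDi / pwi as 128-bit blocks so they can be XORed (assumption)."""
    b = s.encode()
    if len(b) > HASH_LEN:
        raise ValueError("identity/password longer than 128 bits")
    return b.ljust(HASH_LEN, b"\x00")

def personalize_card(id_i: str, pw_i: str, a_i: bytes, n_i: bytes) -> dict:
    """Build the stored triple <Bi, Li, n^i> so that the login recomputation holds.
    A_i is the card secret whose derivation lies outside this excerpt; it is
    passed in as an opaque 128-bit value (assumption)."""
    n_hat = xor(n_i, h(xor(pad128(id_i), pad128(pw_i))))  # n^i = ni XOR h(IDi XOR pwi)
    pwr_i = h(xor(pad128(pw_i), n_i))                      # pwri = h(pwi XOR ni)
    l_i = xor(a_i, pwr_i)                                  # Li = Ai XOR pwri
    b_i = h(a_i + pwr_i)                                   # Bi = h(Ai || pwri)
    return {"Bi": b_i, "Li": l_i, "n_hat": n_hat}

def card_login_check(card: dict, id_i: str, pw_i: str) -> bool:
    """Login phase: recompute B'i from the typed IDi, pwi and compare with Bi."""
    n_prime = xor(card["n_hat"], h(xor(pad128(id_i), pad128(pw_i))))
    pwr_prime = h(xor(pad128(pw_i), n_prime))
    a_prime = xor(card["Li"], pwr_prime)
    b_prime = h(a_prime + pwr_prime)
    return hmac.compare_digest(b_prime, card["Bi"])  # B'i =? Bi, constant time

def card_change_password(card: dict, id_i: str, old_pw: str, new_pw: str) -> bool:
    """Password change with no server round trip, gated by the same local check.
    The excerpt does not say how the stored triple is refreshed; rebuilding it
    from the recovered ni and Ai is one consistent way (assumption)."""
    if not card_login_check(card, id_i, old_pw):
        return False  # wrong old credentials: refuse, nothing leaves the card
    n_i = xor(card["n_hat"], h(xor(pad128(id_i), pad128(old_pw))))
    a_i = xor(card["Li"], h(xor(pad128(old_pw), n_i)))
    card.update(personalize_card(id_i, new_pw, a_i, n_i))
    return True
```

A mistyped identity or password fails the local check before any login message is formed, which is the point the proof makes about avoiding false positive login traffic.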
Note: Proposition 1 explained that the proposed protocol resists the off-line password guessing attack. Proposition 3 demonstrated that our protocol also withstands the forgery attack. Proposition 5 showed that our protocol offers resilience against the session key recovery attack. Furthermore, in our protocol, the login and authentication messages are generated using timestamps and random numbers. As a result, our protocol provides freshness of the login and authentication messages. Thus, our protocol provides sufficient facilities to resist the replay attack. Furthermore, Proposition 7 demonstrated that our protocol is free from the user traceability attack. Propositions 9 and 11 claimed that the presented protocol also provides resilience against the smart card forgery attack and has efficient login and password change phases, respectively.

Theorem 1. Assuming that the hash function $h(\cdot)$ acts like a true random oracle and the DLP is a hard problem, our protocol is provably secure against the attacker $\mathcal{A}$ for obtaining the password $pw_i$ and the identity $ID_i$ of $U_i$ as well as the secret key $x$ of $S$, even if $\mathcal{A}$ gets the information from the smart card of $U_i$ and the login and authentication messages of $U_i$ and $S$.

Proof. We assume that $\mathcal{A}$ has the capability to extract $x$, $pw_i$ and $ID_i$ from the login message and smart card information. We also assume that $\mathcal{A}$ gets the lost/stolen smart card of $U_i$. Thus, $\mathcal{A}$ can obtain the information $\langle B_i, L_i, \hat{n}_i, h(\cdot)\rangle$ from the smart card of $U_i$ by power analysis.26,27 We also assume that $\mathcal{A}$ traps the login request message $\langle DID_i, F_i, C_{i1}, C_{i2}, T_i\rangle$ and
MAITRA ET AL. 9

the reply message $\langle K_i, T_s\rangle$. $\mathcal{A}$ runs the experiment $EXP_{\mathcal{A}}$ against our protocol to derive $x$, $pw_i$ and $ID_i$ of $U_i$ as described in Algorithm 1. The success probability for $EXP_{\mathcal{A}}$ is defined as $Succ_{\mathcal{A}} = |2\Pr[EXP_{\mathcal{A}} = 1] - 1|$. Then the advantage of $EXP_{\mathcal{A}}$ is given by $\mathrm{Adv}_{\mathcal{A}}(t, q_H, q_{DLP}) = \max_{\mathcal{A}}\{Succ_{\mathcal{A}}\}$, where the maximum is taken over all $\mathcal{A}$ running within time $t$; $q_H$ is the number of queries made by $\mathcal{A}$ to the hash oracle, and $q_{DLP}$ denotes the number of queries made by $\mathcal{A}$ to the DLP oracle. The proposed protocol is provably secure against $\mathcal{A}$ for obtaining $x$, $pw_i$ and $ID_i$ of $U_i$ if $\mathrm{Adv}_{\mathcal{A}}(t, q_H, q_{DLP}) \leqslant \zeta$, for any small $\zeta > 0$. According to the algorithm $EXP_{\mathcal{A}}$, only if $\mathcal{A}$ succeeds in inverting $h(\cdot)$ and also succeeds in solving the DLP can he or she retrieve $x$, $pw_i$ and $ID_i$ by using the hash and DLP random oracles, and thus $\mathcal{A}$ wins the game. But, from Definitions 1 and 2, we know that $\mathrm{Adv}_{\mathcal{A}}(t) \leqslant \zeta_1$, for any small $\zeta_1 > 0$, and $\mathrm{Adv}^{DLP}_{\mathcal{A}}(t) \leqslant \zeta_2$, for any small $\zeta_2 > 0$. Hence, we get $\mathrm{Adv}_{\mathcal{A}}(t, q_H, q_{DLP}) \leqslant \zeta$, for any small $\zeta > 0$, because the presented protocol depends on both $\mathrm{Adv}_{\mathcal{A}}(t)$ and $\mathrm{Adv}^{DLP}_{\mathcal{A}}(t)$. Therefore, the proposed protocol provides security against $\mathcal{A}$ for obtaining $x$ of $S$, and $pw_i$ and $ID_i$ of $U_i$.

5.3 Automated security validation through ProVerif

In this section, we use ProVerif,28–32 a popular automated tool based on the pi-calculus. ProVerif is used to examine security functionalities, for example, authentication, secrecy, anonymity, and privacy.32 A number of cryptographic functions, such as symmetric/asymmetric encryption, decryption, one-way functions, signatures and many more, can be modeled in ProVerif. We model the steps of our proposed scheme (described in Section 4) in ProVerif to show the robustness and correctness of our protocol. The validation model of ProVerif involves three parts: (a) the declarations, (b) the processes, and (c) the main. The variables, names, public/private channels, and security primitives are declared in the declaration part. The process part is reserved for defining the processes and sub-processes. The protocol under scrutiny is encoded in the main part.

Referring to Figure 6, we have defined two channels, namely ChSec, a private/secure channel for registration, and ChSec, an insecure channel for login and authentication. Then the variables/constants IDi, pwi, p, ri, g, PK and x are defined as per the proposed protocol to simulate $U_i$'s identity, $U_i$'s password, the modulus point, the random number, a generator of $\hat{G}$, the public key of $S$ and the secret key of $S$. Further, we model the hash, XOR, concatenation, modulus, modular exponent, modular multiplication, and modulus by $p-1$ as h, XOR, CONCAT, mod, exp, mult and MinOne, respectively.

FIGURE 6 ProVerif-Declarations

Likewise, two processes UserUi and ServerS are defined in the process part to simulate user and server activities, as shown in Figure 7. Initially, the user process UserUi requests registration and the server process ServerS responds as per the proposed protocol. Then, for login and authentication, UserUx computes Ci1, Ci2, Di, DIDi, Ei and Fi and sends DIDi, Ci1, Ci2, Fi and the fresh time-stamp Ti to ServerS. Then the server process ServerS computes xFi, IDi′, Ai′, Di′. Then ServerS computes Gi, Ki, Sks and sends Ki, Ts to UserUx. Now UserUx computes xKi and checks the validity of the received Ki. Then UserUx computes the session key SKi.

FIGURE 7 ProVerif-Processes

Referring to Figure 8, in the main part, two events are defined to verify the normal initiation and termination of the processes UserUi and ServerS. Finally, three queries are defined. Out of these, the following two queries are defined to verify the correctness of the proposed protocol:

while the following query verifies the secrecy of the session key:

All these queries are applied in the main part. ProVerif considers all the constructors and destructors as black boxes (unbreakable). Similarly, private items (channels, variables, and constants) are unknown to the adversary, while all other parameters are assumed to be known by the adversary. Furthermore, ProVerif performs an unbounded number of protocol executions to verify authenticity and reachability. The ProVerif verification results are as follows:

The results (1) and (2) confirm that both the processes UserUx and ServerS initiated and completed successfully, which illustrates the correctness of our authentication protocol. Likewise, (3) demonstrates that the adversary cannot obtain the session key SK. Hence, the proposed protocol possesses the secrecy property and is correct.

FIGURE 8 ProVerif-Main

6 PERFORMANCE COMPARISON AND DISCUSSION

This section calculates communication and computation complexities of our protocol and the protocols in previous
studies,15,17,24,33 and then makes a comparison for comparative analysis. This paper uses three cryptographic operations: exponentiation, modular multiplication, and hash function. According to the state-of-the-art work in a previous study,34 the approximate time complexities of different cryptographic operations are provided using the MIRACL C/C++ library on a 32-bit Windows 7 OS with Visual C++ 2008. The time complexities of the modular exponentiation ($T_e$), modular multiplication ($T_m$) and hash operation ($T_h$) are 1.8269 ms, 0.0147 ms, and 0.0004 ms, respectively. It can be observed that the security of our protocol is completely reliant on the DLP.25 It should be kept in mind that a cryptographic protocol should be free from security threats with as low a complexity as possible. Table 2 provides data related to computation cost and execution time for the protocols in previous studies15,17,24,33 and our protocol. It is noticeable in the same table that the presented protocol uses only two exponentiation operations, which is less compared to the protocols in.15,17,24,33 As the exponentiation operation is costlier than the other cryptographic operations, the execution time of our protocol is relatively lower than that of the protocols in previous studies.15,17,24,33 In Figure 9, we have additionally provided the comparison graph of our protocol with related research with respect to execution time.

Communication cost is another important factor for measuring the performance of a protocol. To do it, this paper considers the lengths of the user's information, message digest and timestamp to be 128 bits each, and the length of $p$ to be 1024 bits. Table 3 provides data related to communication cost for the protocols; it can be noticed that our protocol takes a little more communication cost than the protocols in previous studies.15,17,24,33 However, the proposed protocol withstands all possible security threats and additionally offers user anonymity and untraceability.

TABLE 2 Computation cost comparison with related research

Protocol | Registration cost | Login cost | Authentication cost | Total cost | Estimated time (ms)
--- | --- | --- | --- | --- | ---
Lee et al.15 | 2T_h | 3T_e + T_h + T_m | 4T_e + 8T_h | 7T_e + 10T_h + T_m | 12.8070
Hwang and Li17 | T_e | 3T_e + T_h | 3T_e + T_h | 7T_e + 2T_h | 12.7891
Rama and Muni24 | T_e | 2T_e + T_h | 3T_e + 2T_h | 6T_e + 3T_h | 10.9626
Awasthi and Lal33 | T_e + T_h | 3T_e + 2T_h | 3T_e + T_h | 7T_e + 3T_h | 12.7903
Our | 6T_h | 4T_e + 5T_h | 2T_e + 10T_h | 6T_e + 11T_h | 10.9658

FIGURE 9 Computation cost comparison with related research

TABLE 3 Communication cost (bits) comparison with related research

Protocol | Login cost | Authentication cost | Total cost | Remarks
--- | --- | --- | --- | ---
Lee et al.15 | 2304 | 1152 | 3456 | No security protection
Hwang and Li17 | 2280 | 0000 | 2280 | No mutual authentication and no security protection
Rama and Muni24 | 2280 | 1152 | 3432 | No security protection
Awasthi and Lal33 | 2280 | 0000 | 2280 | No mutual authentication and no security protection
Our | 3328 | 1152 | 4480 | Strong security protection

7 CONCLUDING REMARKS

This paper demonstrates different security pitfalls of Lee et al.'s protocol. This paper has advised a solution by designing a new smart card based authentication protocol using the ElGamal cryptosystem. The rigorous performance analysis in terms of security asserts that our protocol completely overcomes all security threats found in other protocols. Moreover, the
ProVerif tool verifies the security of the private information of our protocol. In our protocol, the execution time is relatively low, but the communication cost is quite high compared with other protocols. This extra communication cost of our protocol is bearable as it accomplishes mutual authentication, password change, and security protection against known attacks.

REFERENCES

1. He D, Zeadally S, Kumar N, Lee JH. Anonymous authentication for wireless body area networks with provable security. IEEE Systems Journal. 2016;(99):1–12.
2. He D, Zeadally S, Wu L. Certificateless public auditing scheme for cloud-assisted wireless body area networks. IEEE Systems Journal. 2015;(99):1–10.
3. He D, Kumar N, Shen H, Lee J-H. One-to-many authentication for access control in mobile pay-TV systems. Science China Information Sciences. 2016;59(5):1–14.
4. Giri D, Sherratt RS, Maitra T, Amin R. Efficient biometric and password based mutual authentication for consumer USB mass storage devices. IEEE Transactions on Consumer Electronics. 2015;61(4):491–499.
5. Roy S, Mukherjee N. Adaptive execution of jobs in computational grid environment. Journal of Computer Science and Technology. 2009;24(5):925–938.
6. Islam SH. Design and analysis of an improved smartcard-based remote user password authentication scheme. International Journal of Communication Systems. 2016;29(11):1708–1719.
7. Islam SH, Biswas GP. Dynamic ID-based remote user mutual authentication scheme with smartcard using elliptic curve cryptography. Journal of Electronics. 2014;31(5):473–488.
8. Amin R, Islam SH, Biswas GP, Khan MK, Leng L, Kumar N. Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. Computer Networks. 2016;101(4):42–62.
9. Maitra T, Amin R, Giri D, Srivastava PD. An efficient and robust user authentication scheme for hierarchical wireless sensor networks without tamper-proof smart card. International Journal of Network Security. 2016;18(3):553–564.
10. Amin R, Biswas GP. A secure three-factor user authentication and key agreement protocol for TMIS with user anonymity. Journal of Medical Systems. 2015;39(8):1–19.
11. Amin R, Biswas GP. Design and analysis of bilinear pairing based mutual authentication and key agreement protocol usable in multi-server environment. Wireless Personal Communications. 2015;84(1):439–462.
12. Islam SH. Design and analysis of a three party password-based authenticated key exchange protocol using extended chaotic maps. Information Sciences. 2015;312:104–130.
13. Islam SH, Khan MK, Muhaya FTB. Provably secure and anonymous password authentication protocol for roaming service in global mobility networks using extended chaotic maps. Wireless Personal Communications. 2015;84(3):2013–2034.
14. Giri D, Maitra T, Amin R, Srivastava PD. An efficient and robust RSA-based remote user authentication for telecare medical information systems. Journal of Medical Systems. 2014;39(1):1–9.
15. Lee Y-C, Hsieh Y-C, Lee P-J, You P-S. Improvement of the ElGamal based remote authentication scheme using smart cards. Journal of Applied Research and Technology. 2014;12(6):1063–1072.
16. Gope P, Hwang T. A realistic lightweight anonymous authentication protocol for securing real-time application data access in wireless sensor networks. IEEE Transactions on Industrial Electronics. 2016;63(11).
17. Hwang M-S, Li L-H. A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics. 2000;46(1):28–30.
18. Chan C-K, Cheng L-M. Cryptanalysis of a remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics. 2000;46(4):992–993.
19. Maitra T, Obaidat MS, Islam SH, Giri D, Amin R. Security analysis and design of an efficient ECC-based two-factor password authentication scheme. Security and Communication Networks. 2016. doi: 10.1002/sec.1596
20. Shen J-J, Lin C-W, Hwang M-S. A modified remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics. 2003;49(2):414–416.
21. Leung K-C, Cheng LM, Fong AS, Chan C-K. Cryptanalysis of a modified remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics. 2003;49(4):1243–1245.
22. Yoon E-J, Ryu E-K, Yoo K-Y. Efficient remote user authentication scheme based on generalized ElGamal signature scheme. IEEE Transactions on Consumer Electronics. 2004;50(2):568–570.
23. Tian X, Zhu RW, Wong DS. Improved efficient remote user authentication schemes. International Journal of Network Security. 2007;4(2):149–154.
24. Ramasamy R, Muniyandi AP. New remote mutual authentication scheme using smart cards. Transactions on Data Privacy. 2009;2(2):141–152.
25. ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. Advances in Cryptology (CRYPTO'84), New York, USA; 1984:10–18.
26. Kocher P, Jaffe J, Jun B. Differential power analysis. Advances in Cryptology (CRYPTO'99), Santa Barbara, California, USA; 1999:388–397.
27. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers. 2002;51(5):541–552.
28. Abadi M, Blanchet B, Comon-Lundh H. Models and proofs of protocol security: A progress report. Computer Aided Verification, Grenoble, France; 2009:35–49.
29. Chaudhry SA, Farash MS, Naqvi H, Kumari S, Khan MK. An enhanced privacy preserving remote user authentication scheme with provable security. Security and Communication Networks. 2015;8(18):3782–3795.
30. Chaudhry SA, Farash MS, Naqvi H, Sher M. A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography. Electronic Commerce Research. 2016;16(1):113–139.
31. Qi X, Na D, Wong DS, Bin H. Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol. International Journal of Communication Systems. 2016;29(3):478–487.
32. Qi X, Bin H, Na D, Wong DS. Anonymous three-party password-authenticated key exchange scheme for telecare medical information systems. PLOS ONE. 2014;9(7):e102747.
33. Awasthi AK, Lal S. A remote user authentication scheme using smart cards with forward secrecy. IEEE Transactions on Consumer Electronics. 2003;49(4):1246–1248.
34. Lili X, Fan W. Cryptanalysis and improvement of a user authentication scheme preserving uniqueness and anonymity for connected health care. Journal of Medical Systems. 2015;39(2):1–9.

How to cite this article: Maitra, T., Obaidat, M. S., Amin, R., Islam, S. H., Chaudhry, S. A., and Giri, D. (2016), A robust ElGamal based password authentication protocol using smart card for client-server communication, Int J Commun Syst, doi:10.1002/dac.3242