1.1 Motivation

By creating and maintaining a telework security plan, protecting conversations and data saved on client devices, and assuring that remote servers/peripherals are appropriately accessed, a robust authentication of all participating entities is needed that can guarantee secure communication—also, keeping in view the fundamental security features like privacy protection, remotely working in a secure environment, time management, non-physical work environments at home, and intrinsic and extrinsic workload, etc. motives us to design a security system (remote authentication of all the participants in a secure manner) for such a vulnerable environment. And how various genders adapt to a work-life balance without annoying the traditional family culture. The proposed security system could help companies to reorganize their structures with greater flexibility.

1.2 Challenges and contributions

Employees who work remotely may be isolated from one another, which could inhibit their ability to react to security threats. Furthermore, there may be dangers associated with needing to have control over how sensitive data is used, stored, and deleted across different applications. Insufficient data security in teleworking environments can lead to data breaches, where hackers can take advantage of weak authentication schemes and compromise the confidentiality, integrity and authorization of data. Weak authentication can create severe repercussions from such breaches, including malware attacks and harm to one’s reputation (traceability and unprotected privacy). To combat these security challenges, some governments and corporations have restricted the physical involvement of their workers while keeping their output the same. These organizations have been responsible for providing a secure environment to their workers for working from home in the teleworking environment, which will rely heavily on the Internet. So far, this research offers a security mechanism for a teleworking environment that tackles the aforementioned major issues and challenges of security. In this regard, we have designed a strong authentication for the remote monitoring of teleworkers, which offers protection against unprotected connections. The main contributions of this research work are as follows:

• To propose a lightweight and secure authentication protocol that can protect critical resources of the teleworking environment and mitigate all known threats due to giving unsecured external access to critical data/resources.
• To design a protocol with lightweight operations causing no delay in responding to security vulnerability and offering low computation and communication costs and robust security.
• To verify the security of the proposed authentication protocol both formally and informally by showing a delicate balance of security with performance, as these are opposing features often missing in previous protocols.
• To comparatively analyze it with state-of-the-art works in terms of security functionalities, performance metrics, communication, and computation overheads.

By successfully conducting the proposed research work, the following questions that a layperson can raise will be answered. Recently, people haven’t felt secure due to the availability of strong adversaries–they didn’t work remotely in a safe environment.

• How can a teleworking environment be secure?
• How can the attention of skilled people be catered to?
• How can it take less time for greater output?
• How fast can the work be done?
• How can energy-saving techniques for an organization be materialized?

The remaining paper is organized as in section 2, which contains the literature survey, we have also presented reviewe analysis of baseline scheme and cryptanalyzed it. The result of cryptanalysis shows that the scheme suffers from insider, bias, inaccuracy, and heavyweight; section 3 confesses the system model, threat models, design goals and key highlights; section 4 demonstrates the proposed authentication scheme, and in 5, we analyzed the security of the proposed protocol both formally using the random oracle model (ROM) and ProVerif simulation and informally using attacks’ discussion; section 6 contains performance measurement of the proposed scheme, and in section 7, we have concluded the work.

2.1 Review analysis of baseline scheme

Recently, [17] proposed a novel authentication scheme based on the bilinear mapping technique. They have taken two groups, namely |G|, |G_T|, and Z_p*, of key sizes 1024, 1024, and 160 bits, respectively. They have designed their scheme using SHA-256, symmetric encryption/decryption, and biometric Gen(.)/Rep(.) functions. Their scheme consisted of two phases, i.e., registration and login and authentication. The registration phase is accomplished at the following points:

1. The user selects identity MID_i, and transmits it to the registration center.
2. The RC chooses r_i, x_i, computes TMID_i = h(MID_i||r_i), B_i = TMID_i⊕h(K_RC||x_i), stores {B_i, x_i} and transmits {TMID_i, B_i, h(.)} back towards the user smart card.
3. The user enters his/her PW_i, generates biometrics BIO_i, chooses n_i, computes Gen(BIO_i) = (σ_i, τ_i), C_i = n_i⊕h(MID_i||PW_i||σ_i), Auth_i = h(MID_i||PW_i||σ_i||n), TMID_i* = TMID_i⊕h(n||PW_i||σ_i), replace TMID_i with TMID_i* and injects {C_i, Auth_i, Gen(.), Rep(.), τ_i) in the memory of mobile smart card.
4. Now, the server first chooses identity and transmits it to the registration center.
5. The RC also chooses two orbitaray numbers r_j, and x_j, computes PSID_j = h(SID_j||r_j), secret key of server K_S = h(h(SID_j||K_RC), Q_j = h(SID_j||x_j), F_j = r_j⊕Q_j, stores {F_j, PSID_j, x_j} and transmits {K_S, r_j} back towards the server for also storing in its memory.

The login and authentication phase of the scheme [17] takes the following round-trips to complete. These are as follows:

1. The user insert their smart card, provides MID_i, PW_i, generates BIO_i^/ and computes Rep(BIO_i^/, τ_i) = σ_i^/, n_j^/ = C_i⊕h(MID_i||PW_i||σ_i^/), checks Auth_i = h(MID_i||PW_i|| σ_i^/||n_i^/), if confirmed, user choses a number r₁, time T₁, computes TMID_i = TMID_i*⊕h(n_i||PW_i||σ_i^/), r₁^/ = r₁⊕h(SID_j||TMID_i), D₁ = SID_j⊕h(TMID_i||T₁), D₂ = h(SID_j||TMID_i||r₁||T₁) and transmits {r₁^/, B_i, D₁, D₂, T₁} towards RC over a public network channel.
2. The RC checks the time space T₁-T_c≤ΔT, computes TMID_i = B⊕h(K_RC||x_i), SID_j = D₁⊕h(TMID_i||T₁), r₁ = r₁^/⊕h(SID_j||TMID_i), D₂^/ = h(SID_j||TMID_i||r₁||T₁), checks D^/₂? = D₂, if becomes successful, RC selects a random number r₂ and time T₂, computes D₃ = h(PSID_j||r₂)⊕h(h(SID_j||K_RC)), Q_j = h(SID_j||x_j), r_j = F_j⊕Q_j, TMID_i^/ = h(PSID_j||r_j)⊕TMID_i, D₄ = h(h(PSID_j||r₂||SID_j||T₂) and transmits {r₁^/, T₂, TMID_i^/, D₃, D₄} towards server over a public network channel. 4
3. The server checks the time validity T₂-T_c≤ΔT, computes h(PSID_j||r₂) = D₃⊕h(K_S), D₄^/ = h(h(PSID_j||r₂||SID_j||T₂), verify D₄^/ = D₄, if passes, selects a random number r₃ and time T₃ and computes PSID_j = h(SID_j||r_j), TMID_i = TMID_i^/⊕h(PSID_j||r_j), r₁ = r₁^/⊕h(SID_j||TMID_i), SK = h(h(PSID_j||r₂)||r₁||r₃||TMID_i), r₃^/ = r₃⊕h(r₁||SID_j), D₅ = h(r₁||r₃||T₃), D₆ = h(SK||h(PSID_j||r₂||r₁) and transmits {r₃^/, T₃, D₅, D₆} back towards RC over an open channel.
4. The RC verify the time threshold, selects T₄, computes r₃ = r₃^/⊕h(r₁|\SID_j), D₅^/ = h(r₁||r₃||T₃), verify D₅^/ = D₅, if validated, computes D₇ = h(PSID_j||r₂)⊕h(r₁||TMID₁), D₈ = h(h(PSID_j||r₂||r₃||T₄) and transmits {r₃^/, T₄, D₆, D₇, D₈} to user over open channel.
5. The user check time space T₄-T_c≤ΔT, computes r₃ = r₃^/⊕h(r₁||SID_j), h(PSID_j||r₂ = D₇⊕h(r₁||TMID_i), D₈^/ = h(h(PSID_j||r₂||r₃||T₄), checks D₈^/ = D₈, if validated, computes SK = h(h(PSID_j||r₂)||r₁||r₃||TMID_i), D₆^/ = h(SK||h(PSID_j||r₂)||r₁), confirms D₆^/ = D₆, if matched, keep SK is secret session key for upcoming communication.

2.2 Cryptanalysis of baseline scheme

Upon thoroughly analyzing [17], the following vulnerabilities have been noticed:

1) Prone to Privileged Insider Threat: Many random numbers are extracted in each round trip of the protocol, which has a big chance for privileged insider threats. Similarly, in the scheme [17], the parameters stored in the smart card are {C_i, Auth_i, Gen(.), Rep(.),τ_i} in which a privileged user can select a random number r_A, computes C_A = r_A⊕MID_i, Auth_i = MID_i⊕C_A and TMID_A = MID_A||PW_A⊕C_A. After finding an identity, he/she can then easily launch a privileged insider attack. If we consider the same attack for the server, the credentials stored are {r_j, K_s}, whereas r_j is a random number while K_s = h(SID_j||s), which a privileged user can find easily. Therefore, [17] is prone to privileged insider threats.

2) Bias: The protocol presented in [17] minimizes biometric demographic bias for such a resource-limited environment. The biometrics used in [17] demonstrate notable variations in their functionality while engaging with distinct user demographics; they are deemed to be biased. As a result, some user groups enjoy privileges while others suffer disadvantages. They didn’t explain anything about bias and effectiveness in the user biometrics while authenticating or generating cryptographic keys.

3) Inaccuracy: The fuzzy extractor relies too much on expert knowledge and needs more capacity to gain insight from data. Therefore, the Gen(.) and Rep(.) functions can still have the chance of false rejection/accepting a legitimate user for entering the system credentials. The scheme presented is fuzzy extractor-based, in which a user authentication of biometrics is performed many times (fuzzy extractor is a challenge-response verification method), which causes heavy computation and communication costs. Also, a legitimate user can easily trace through biometrics/facial recognition/thumb extraction.

4) Stolen-Verifier Attack: Suppose an attacker steals the smart card and uses power analysis or reverse engineering techniques, chooses two random numbers L_A, L_B computes M_A = h(MID_i||L_A), B_A = M_A⊕h(L_A||L_B), obtain {B_A, L_A} which means can reaches the identity and password, and then uses it malicious deeds like launching replay, DoS, masquerade, impersonation, ESL, MITM, side-channel and other attacks. Therefore, a stolen verifier attack is possible on the scheme [17].

Considering all the drawbacks mentioned above, it has been concluded that [17] is a weaker scheme.

5) Tracebality, DoS and Replay Attacks: In the login and authentication phase of the protocol, the first message transmitted from the mobile user towards the registration centre is M1 = {r₁^/, B₁, D₁, D₂, T₁}. This message contains server identity SID_j, which an attacker can easily capture/identify in D₁ = SID_j⊕h(TMID_i||T₁) and violate the system’s privacy. Similarly, attacker can also use this server identity (SID_j) to launch replays and DoS attacks on the system. Therefore, the Wu et al. [17] scheme suffers from privacy issues and is vulnerable to traceability, DoS and Reply attacks.

6) Lack of Password Changing Phase: Despite using passwords by a user in the login and authentication phase of Wu et al.’s [17] scheme, they do not provide a facility for a legitimate user to change his/her password freely and securely.

All these vulnerabilities shall be mitigated by designing a robust, lightweight, and probable secure system for the teleworking environment.

3.1 Design goals

The following goals can be achieved by designing a security mechanism [32,33] for teleworking environment protection:

• G1: Message authentication and integrity: mobile user/end-user (MU) mandatorily verifies the jurisdiction of the received message without being altered, modified, or forged by someone.
• G2: Confidentiality and Authorization: The request sent to the server or the response received by the end user must be confidential. No one can figure out its internal contents, and both peers must confirm the authenticity of each other and the message exchanged.
• G3: Conditional Privacy-Preserving: Except for the organization server, no other participants can trace the identity of the other participants.
• G4: Untraceability: Two sessions mandatorily will always start on a different key. Each session’s key must differ from other sessions; otherwise, a malicious user can easily trace the legitimate user.
• G5: Physical Protection: Protection of the system from active and passive attacks means the system is protected physically.
• G6: Resilience to Insider Threat: The server is accessible from any storage table; anyone accessing the internal credentials must not extract helpful information from memory. The internally stored credentials will be available to the attacker in a non-readable format to avoid any future hazard to the system.
• G7: Mutual Authentication: Each peer must mutually authenticate before starting data broadcasting. Each participant can verify the legality of messages and identities from other entities. If the verification fails, there may be a forgery attack.
• G8: Perfect Forward Secrecy: The 160-bit long keys cannot compute session keys without knowing hash values. It means that the secrecy of the previous session is not forward secrecy affected, even if the can identify the long-term secret key, but still, A cannot succeed for hashed and encrypted values. Therefore, the proposed key agreement protocol satisfies the perfect feature.
• G9: Resists Man-in-the-Middle Attack: The security mechanism must be able to detect intruders. Each round trip must contain a random check to avoid a man-in-the-middle attack.
• G10: Resists Denial-of-Service (DoS) Attack: Message freshness, randomization, and pre-determined time threshold can deny any reply attack or DoS attack.

3.2 Threat model

This work adopted the threat model Dolev-Yao called DY-model [34]. According to this model, an attacker has the following capabilities:

• Attacker can easily capture messages from the public network channel.
• Attacker can modify the recorded message.
• Attacker can delete the full or some part of a message captured from an open network channel.
• The attacker can easily launch a reply attack.
• Attacker can also divert the route of a message.
• Attacker can guess different credentials from a publically transmitted message.
• An attacker can steal the mobile device and obtain useful credentials using reverse engineering techniques.
• Attacker might be a privileged insider sitting on the system.

4.1 Teleworking Server (TS) registration phase

This phase is accomplished in the following steps:

TS1: The teleworking server first generates ID_TS, and sends them towards the registration center.

TS2: The registration center (RC) generates its secret key s, random numbers r_TS, x_TS, computes A = h(ID_TS||r_TS), B = h(ID_TS||s), C = h(ID_TS||x_TS), D = r_TS⊕C, store {A, D, and x_TS}, and sends (r_TS, B) back towards teleworking server over a private channel.

TS3: The teleworking, upon receiving (r_TS, B), also stores it in its database, as shown in Fig 3.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 3. Teleworking Sever (TS) registration phase.

https://doi.org/10.1371/journal.pone.0298276.g003

4.2 Mobile User (MU) registration phase

This phase is completed in the following steps:

MU1: The mobile user generates its identity ID_MU and sends it toward the registration center over a secure path.

MU2: The registration center (RC) first chooses its secret values s random numbers r_MU, x_MU, computes A^/ = h(ID_MU||r_MU), B^/ = A^/⊕h(s||x_MU), stores {A^/, B^/, h(.)} and transmits (A^/, B^/) back towards the mobile user (MU) over a private channel.

MU3: When receiving (A^/, B^/), the mobile user also stores it in its memory, as shown in Fig 4.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 4. Mobile User (MU) registration phase.

https://doi.org/10.1371/journal.pone.0298276.g004

4.3 Login and authentication phase

The protocol’s most essential and logical phase is the login and authentication phase. This phase is completed in the following steps.

LA1: The mobile user (MU), first, provides their identity ID_MU, password PW, computes D = (A^/||B^/)⊕h(ID_MU||PW||r₁), E = ID_MU⊕h(D||PW||r₁), r₁^/ = r₁⊕h(ID_TS||ID_MU), record T₁, compute: F = ID_TS⊕h(ID_MU||T₁), G = h(ID_TS||ID_MU||r₁||T₁), and transmits (B^/, r₁^/, F, G, T₁) towards registration center (RC) over an open network channel.

LA2: The RC, first checks the time interval with the maximum available time threshold T_C-T₁≤ΔT; if it doesn’t validate, the potential reply attack is considered; otherwise, checkB^/? = B^/ = A^/⊕h(s||x_MU), it doesn’t match, the process will be denied, else compute: J = F⊕h(ID_MU||T₁), r₁^/ = r₁⊕h(ID_TS||ID_MU), G^/ = h(ID_TS||ID_MU||r₁||T₁), and confirms G? = G^/, if becomes valid, the onward computation performed, otherwise, the process is terminated for potential DoS attack. The RC now retrieves A and selects T₂ and r₂. Computes Q₁ = h(A||r₂)⊕h(h(ID_TS||s)), Q₂ = h(ID_TS||x_TS), r₂^/ = D⊕Q₂, A^// = h(A||r₂^/)⊕A^/, Q₃ = h(h(A||r₂||ID_TS||T₂), and transmits (r₁^/, A^//, Q₂, Q₃, T₂) towards teleworking server (TS) over the open path.

LA3: The TS first checks the time interval with the maximum available time threshold T_C-T₁≤ΔT; if it doesn’t validate, the potential reply attack is considered; otherwise, computes h(A||r₂) = Q₁⊕h(B), Q₃^/ = h(h(A||r₂||ID_TS||T₂), checks Q₃? = Q₃^/, if validated, the TS selects T₃, r₃ and computes A = h(ID_TS||x_TS), A^/ = A^//⊕h(ID_TS||x_TS), r₁^/ = r₁⊕h(ID_TS||A), SK = h(h(A||r₂||r₁||r₃||A^/), r₃^/ = r₃⊕h(r₁||ID_TS), Q₄ = h(r₁||r₃||T₃), Q₅ = h(SK||h(A||r₂)||r₁), and broadcast (r₃^/, Q₄, Q₅, T₃) back towards RC, over an insecure channel.

LA4: The RC, first checks the time interval with the maximum available time threshold T_C-T₃≤ΔT; if it doesn’t validate, the potential reply attack is considered; otherwise, record timestamp T₄, computes Q₄ = h(r₁||r₃||T₃), confirm Q₄? = Q₄^/, if found valid, computes r₃^/ = r₃⊕h(r₁||ID_TS), SK = h(h(A||r₂||r₁||r₃||A^/), Q^/₅ = h(SK||h(A||r₂)||r₁), check Q^/₅? = Q^/₅, compute: Q₆ = h(A||r₂)⊕h(r₁||A^/), Q₇ = h(h(A||r₂)||r₃||T₄) and sends (r₃^/, Q₅, Q₆, Q₇, T₄) to end-user via open channel.

LA5: The MU, first checks the time interval with the maximum available time threshold T_C-T₄≤ΔT; if it doesn’t validate, the potential reply attack is considered; otherwise, computes r₃^/ = r₃⊕h(r₁||ID_TS), h(A||r₂) = Q₆⊕h(r₁||A), Q₇^/ = h(h(A||r₂)||r₃||T₄), confirms Q₇? = Q₇^/, if fund valid, calculates SK = h(h(A||r₂||r₁||r₃||A^/), Q₅ = h(SK||h(A||r₂)||r₁), checks Q₅? = Q₅^/, if validates, keeps it the secret session key for future communication as shown in Fig 5.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 5. Login & authentication phase.

Remark: The clock synchronization issue can be addressed by configuring each participant to the global clock so that it will establish the start and finish time slot as well as correct the offset and drift rate of the participants’ clock w.r.t global time.

https://doi.org/10.1371/journal.pone.0298276.g005

4.4 Password change phase

If the mobile user (MU) desires to change their password, the proposed protocol offers the facility of changing it securely. In this regard, MU enters their identity ID_MU, password PW and calculates: A^m = h(ID_MU||PW)⊕A, A^/m = h(ID_MU||PW)⊕A^m, chooses a random number r₅∈Z*_n and calculates: A^/m = h(A^/m||r₅)⊕A^m. If A^/m? = A^m, asked the MU to enter a new password PW^new, upon provision of the new password PW^new, locally computes: A = h(ID_MU||s), A^/ = h(PW^new||r₅), A^new = h(ID_MU||PW^new)⊕A, A^/new = h(ID_MU||PW^new)⊕A^new and replaces {A^m, A^/m} with {A^new, A^/new}, as shown in Fig 6.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 6. Password change phase.

https://doi.org/10.1371/journal.pone.0298276.g006

5 Security analysis

In this section, the security of the proposed protocol can be analyzed using the random oracle model (ROM) [35] and ProVerif2.03 [36], which is also used by [18,21,26,28,30]. These are described one by one as follows:

5.1 ROM analysis

A standard formal security analysis method, namely the ROM, is used to analyse the proposed protocol’s shared session key between MU and RC and then RC and TS against an adversary . For achieving this goal, we first will go for the semantic approach and session key security. The different queries executed by an adversary are discussed below; however, the collision-resistant one-way hash function will also be one of the participants for , which can be demonstrated as H A S H, so by keeping these, the ROR model performed numerous elements, including RC, TS, MU in which MU and TS are engaged for mutual authentication apart from RC which primarily involved in the registration phase of the protocol. Let and identify the b₁ and b₂ instances of MU and TS correspondingly, also called random oracle instances.

1) Execute (): eavesdrop on their own message among the shared message between MU and TS using this query.

2) Corrupt (): forge parameters from the memory of a compromised MU using this query.

3) Reveal(∏^b): can disclose the secret session key SK between MU and RC, RC, MU and other participants using this query.

4) Test(∏^b): can test by calling ∏^b to check the originality of SK, and ∏^b received should be random for , and will definitely be flipped a coin, say d (Accepted Instance); in such a case, the following three cases will happen.

• and accepted state
• and session identification state
• and mutual participation state

5) Semantic Security: Let be fully authorized to run the Test(.) query and try to interfere Ƥ by polynomial tries. Individually, the three algorithms, i.e., Execute(.), Send(.), and Hash(.), are run in q_E, q_S, and q_H. The Test(.) query once at most. Let l_h be the length in a bit for a collision-resistant one-way hash function, and be the average length of hash operation for another transcript in Ƥ. Then the advantage with in breaking Ƥ by polynomial times attempt can be expressed as: To pretend the different attacks on Ƥ, we justify through different games. The event matching to these games means that completes its goal in that specific game, which is defined one by one as under:

Game 0: In this environment, launch a genuine attack on Ƥ. To do so, the probability with in cracking Ƥ is represented in Eq (1). (1) Game 1: In this environment, launches Execute(.) and Test(.) queries for verifying the obtained results according to protocol’s Ƥ transcripts (B^/, r₁^/, F, G, T₁) which is related to session secret key SK. Conversely, due to random numbers for each round trip, doesn’t diagnose the relationship of (B^/, r₁^/, F, G, T₁) with their obtained result through Test(.) query. However, the probability with in identifying the relationship of Ƥ’s transcripts is represented in Eq (2). (2) Game 2: Here calculates the session secret key SK from the messages transmitted over a public network channel, i.e. SK = h(h(A||r₂||r₁||r₃||A^/), but due to using SHA1 of key size 156-bits, difficult for ; however, the probability with in computing SK from the openly transmitted messages of Ƥ is represented in Eq (3). (3) Game 3: In this environment, runs Execute(.) and Send(.) queries to launch a hash image collision attack. According to the birthday paradox [32], the risk of hash collision is . Meanwhile, the collision probability of other transcripts is . Therefore, the probability with for hash collision in Ƥ is represented in Eq (4). (4) Similarly, in the random bit r∈(0, 1), the probability with of guessing the random number of Ƥ is represented in Eq (4). (5) Now, combine Eqs (1)–(5), we get (6) Eq (6) can also be expressed as:

5.2 Security model

This model consists of two peers–the Adversary and–the Responder Ɽ. communicate either mobile user (MU) or TS or RC, but we denote all of them a Ë^σ which means σ^th instance of any of them either MU, TS or RC. launches the queries, and responses received from Responder Ɽ are shown in Table 2.

• Ë^Sn means impersonate MU, TS, RC by forcing r ₁ or r₂
• Ë^Ns means forges r₃ or r₄ from the participants
• Ë_SS means overcomes the semantic security of the protocol.

Download:

• PNG
  larger image
• TIFF
  original image

Table 2. Queries and their response.

https://doi.org/10.1371/journal.pone.0298276.t002

5.3 ProVerif2.03 simulation

This is a formal security analysis method in which we will check the key’s robustness, key’s secrecy, confidentiality, and reachability; a programming verification toolkit ProVerif2.03 [36] is in S1 Appendix of this article. However, upon running the code, the result shows that the attacker couldn’t crack the secret session key at any computation stage. The status of SK is secure, and its confidentiality and reachability are preserved as shown under:

————————————————

Verification summary:

Query not attacker(SK[]) is true.

Query inj-event(end_MU(IDmu[])) = = > inj-event(start_MU(IDmu[])) is true.

Query inj-event(end_RC(IDrc[])) = = > inj-event(start_RC(IDrc[])) is true.

Query inj-event(end_TS(IDts[])) = = > inj-event(start_TS(IDts[])) is true.

————————————————

5.4 GNY logic analysis

The GNY logic [37] is a formal method of security analysis which Gong-Needham-Yahalom first introduced for the formal proof of a security protocol. The different formulae and statements used in this logic are shown in Table 3.

Download:

• PNG
  larger image
• TIFF
  original image

Table 3. Formulas and statements used in GNY logic.

https://doi.org/10.1371/journal.pone.0298276.t003

Now, we are using GNY logic for the proposed protocol and make assumptions which are as follows: (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) We transformed the proposed scheme to P→Q: (X) from fill-in GNY logic and made some changes to notations.

Using GNY logic, the proposed scheme can be represented as: (21) (22) (23) (24) (25) (26) (27) (28) (29) (30) (31) (32) (33) (34) (35) (36) The mobile user keeps ID_MU, and PW_MU in its memory and can extract r₁ during computations, so by applying the GNY logic and Eq (7), we have (37) Eqs (12) and (37), we have (38) Eqs (17) and (38), we have (39) (40) Eqs (37) and (39) become: (41) Eq (41) becomes: (42) (43) Keeping Eqs (42) and (43), and the credentials checking by mobile-user in which each part/parameter of the message passed/verified to and from RC, as shown as under: (44) (45) (46) (47) Keeping Eqs (46) and (47), and the credentials checking by teleworking-server in which each part/parameter of the message passed/verified to and from RC, as shown under: (48) (49) (50) (51) From Eqs (44) and (45), we have: (52) (53) Goal 1 Achieved

From Eqs (48)-to-(51), the same for RC, as RC has full control over the message in, and out , so we have (54) (55) (56) Goal 2 Achieved

From Eqs (52)-to-(56), again for RC because the RC has complete control over the message in, and out , so we have (57) (58) (59) (60) (61) (62) Like RC (Eqs (57)-to-(62), we will use the GNY logic for a mobile user, as MU also sees and , messages, so, we have : (63) (64) (65) (66) Goal 3 Achieved

5.5 Informal security analysis

Assume an adversary has complete control over the open network and can intercept, manipulate, delete, or update the communication transmission between participants. Then, there’s how the presented authentication system will withstand identified weaknesses. In this section of the study, we shall address such assumptions one by one as follows:

6.1 Computation costs analysis

Suppose T_E is the time consumed when a random number is extracted, T_h is the time for a collision-free one-way hash function, and T_XoR is the time of XOR operation, as shown in Table 4 and diagrammatically is shown in Fig 7. According to [38,39], the different times for different cryptographic operations are as follows:

• Computation time for extracting random numbers T_E = 2.011ms
• Computation time for one-way hash function T_h = 0.09ms
• Computation time for bit-wise XOR Operation T_XoR≈0ms

Download:

• PNG
  larger image
• TIFF
  original image

Fig 7. Computation costs in milliseconds.

https://doi.org/10.1371/journal.pone.0298276.g007

Download:

• PNG
  larger image
• TIFF
  original image

Table 4. Computation cost in milliseconds.

https://doi.org/10.1371/journal.pone.0298276.t004

It is worth mentioning that only the cost calculated in the login authentication phase can be considered as computation costs, which is 6T_E+42T_h+18T_XOR = 6(2.011)+42(0.09)+0 = 12.066+3.78 = 15.786ms, while the computation costs of registration phase should be discarded.

6.2 Communication costs analysis

The messages transmitted during the login and authentication phase among different participating entities are {B^/, r₁^/, F, G, T₁}, {r₁^/, A^//, Q₂, Q₃, T₂}, {r₃^/, Q₄, Q₅, T₃}, and {r₃^/, Q₅, Q₆, Q₇, T₄}. According to [38,39], identity takes 60 bits of space, timestamp 56, random number 64 bits, and one-way to function is 156 bits of memory space; then the communication costs of the proposed protocol in bits are shown in Table 5, while diagrammatically as shown in Fig 8.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 8. Communication costs in bits.

https://doi.org/10.1371/journal.pone.0298276.g008

Download:

• PNG
  larger image
• TIFF
  original image

Table 5. Communication costs in bits.

https://doi.org/10.1371/journal.pone.0298276.t005

6.3 Comparative analysis

By comparing the proposed protocol in terms of extra security features with Chall et al. [22], Wazid et al. [23], Shuai et al. [24], and Oh et al. [25], which is shown in Table 6. The result shows that our protocol is resisting all the design goals discussed in section II of the paper.

Download:

• PNG
  larger image
• TIFF
  original image

Table 6. Security functionalities comparison.

https://doi.org/10.1371/journal.pone.0298276.t006

Similarly, to compare the proposed scheme with Xia et al. [7], Wazid et al. [23], Ding et al. [26], and Yang et al. [40] in terms of computation and communication costs, as shown in Table 7. The results show that the proposed security mechanism is lightweight, fast, secure, and suitable for practical implementation in the teleworking environment. The comparison in computation and communication overheads are diagrammatically depicted in Figs 9 and 10, respectively.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 9. Communication cost comparison graph.

https://doi.org/10.1371/journal.pone.0298276.g009

Download:

• PNG
  larger image
• TIFF
  original image

Fig 10. Computation cost comparison graph.

https://doi.org/10.1371/journal.pone.0298276.g010

Download:

• PNG
  larger image
• TIFF
  original image

Table 7. Performance metrics comparison.

https://doi.org/10.1371/journal.pone.0298276.t007

Furthermore, the proposed protocol has better performance than its competitors, i.e. Xia et al. [7], Wazid et al. [23], Ding et al. [26], and Yang et al. [40]. The percentage improvement of the proposed protocol with the mentioned schemes is shown in Table 8.

Download:

• PNG
  larger image
• TIFF
  original image

Table 8. Percentage improvement in our protocol.

https://doi.org/10.1371/journal.pone.0298276.t008

Table 8 argued that the proposed protocol is 8.94% better in communication costs than the Xia et al. [7] scheme, 20.66% from the Wazid et al. [23] scheme, 34.4% from the Ding et al. [26] and 33.22% from the Yang et al. [40] scheme. The maximum improvement in communication costs is 34.4%, and the minimum is 8.94%. Similarly, the percentage improvement of our scheme in terms of computation costs is 73.17% with Xia et al. [7], 66.09% with Wazid et al. [23], 3.89% with Ding et al. [26] and 66.49% with Yang et al. [40] scheme. The maximum improvement is 73.17%, and the minimum is 3.89%. It is keeping in view that our scheme is superior to its competitors.