2.1| Registration phase

During the registration phase, user U and server S do the following operations to finish registering.

1. U⇒S:{Id,HId}:
   A user U registers to server S with his/her identity Id, password Pw and secret key Up. After that, U completes VPw = h(Pw‖Up), HId = h(Id‖VPw) and transmits {Id, HId} to sever S.
2. After receiving Id and HId, S will compute N =HId⊕h(S_p) and store N into database.

2.2| Login and authentication phase

If a user U completed the registration phase successfully and wants to access request to the server S, U and S should perform the following steps.

1. U→S:{B,X,T}:
   The user U accesses server S with his or her identity Id, password Pw and secret key Up. After that U calculates VPw = h(Pw‖Up), generates a long random number r and computes HId = h(Id‖VPw), W = h(Id‖Up), X = r⋅P, Y = r⋅Q_s, B = W⊕h(HId‖Y) and T = h(B‖Y‖W). After completion of calculation, U sends {B,X,T} to server S.
2. S→U:{E,Auth_s}:
   When server S receives message {B,X,T}, it will calculate HId = N⊕h(S_p), Y = S_p⋅X, W = B⊕h(HId‖Y) and check whether T* = h(B‖Y‖W) is equal to T. If not valid, the session will be terminated by S, otherwise server S generates a long random number r′ and calculates E = r′⋅Q_s, sk_s = r′⋅Y, Auth_s = h(sk_s‖W‖Y). After that, S transmits information {E,Auth_s} to U.
3. U→S:{Auth_u}:
   Upon getting {E,Auth_s}, U calculates sk_u = r⋅E,Auth_s′= h(sk_u‖W‖Y). Then U checks whether Auth_s′ = Auth_s. If valid, then U computes Auth_u = h(sk_u‖W‖Y‖E) and sends result Auth_u to S, else terminates the session.
4. Once receiving the message {Auth_u}, S computes Auth_u′= h(sk_s‖W‖Y‖E). If Auth′_u is not equal to Auth_u, S terminates the session. After that, the user U communicates with server S based on the common session key sk = sk_u = sk_s = r⋅r′⋅Q_s.

2.3| Password update phase

For a legitimate user U, if he or she wants to change own password Pw for some reasons, the following steps will be performed.

1. U→S:{V,M}:
   U already picks a new password Pw^new and a new secret key Up^new, after that he or she inputs identity Id, password Pw and secret key Up. U computes V = h(sk‖h(Id‖h(Pw‖Up))) and M = h(Id‖sk)⊕h(Id‖h(Pw^new‖Up^new)), then U transmits message {V,M} to S.
2. After obtaining message {V,M}, S computes V* = h(sk‖N⊕h(S_p)) firstly, then S judges if the value of V* is equal to V. If holds, S will replace N with N^new by computing N^new = h(S_p)⊕h(Id‖sk)⊕M into database. If not, S fails to change password and exits the session.

3.1 | Serious mistake

In registration phase of Qiu et al.’s scheme, we notice that information N is stored into database alone. As is known to all, there should be some information like identity Id correspond to N in the database. Or else in login and authentication phase in their scheme, when S receives message from users, S cannot match corresponding N in database without the help of the corresponding information. So, the scheme of Qiu et al. is unable to carry out normally.

Perhaps Qiu et al. just forgot corresponding information, here we help them supply corresponding information on the basis of the scheme of Qiu et al. In registration, S only knows information Id, HId and N which relates to U. HId is the most important secret data during the entire protocol execution process, so the server cannot store HId in the database but stores Id. We assume a semi honest server S₀ has the ability of gaining and calculating the sensitive information in the sever. If Id corresponds to N, we notice that an adversary S₀ can obtain {Id*, Up*, Pw*} of a legitimate user U* in login and authentication phase by off-line guessing attack, the specific steps are as follows.

Step 1: According to the login and authentication process in the scheme of Qiu et al., S₀ will get the values of HId* and W* at time of calculating HId* = N*⊕h(S_p) and W* = B*⊕h(HId*⊕Y*). Besides, because Id* corresponds to N*, S₀ can get the corresponding value of Id*.

Step 2: After getting user U's sensitive information {Id*, HId*, W*}, S₀ can guess the value of Up* from the identity space by calculating W* = h(Id*||Up*). According to the same truth, S₀ can guess the value of Pw* from the identity space by calculating HId* = h(Id*||VPw*) = h(Id*||h(Pw*||Up*)). Obviously, S₀ can access {Id*, Up*, Pw*}.

Through the above steps, S₀ has successfully accessed information {Id*, Up*, Pw*} of a legal user U*.

3.2 | Insider attack

In this part, we assume that a malicious insider adversary A can obtain some sensitive information in the database of server S. In Qiu et al.’s scheme, the adversary A can achieve insider attack by registering as a legitimate user. Firstly, he masquerades as a legitimate user in registration to input identity Id*, password Pw* and secret key Up*, then S will store the corresponding value N* into database and he can get the value N* form the database of sever S. After that A has already mastered the information {Id*,Up*,Pw*,N*}. On the basis of formulas HId = h(Id‖h(Pw‖Up)) and HId = N⊕h(S_p), A can get h(S_p) = N*⊕h(Id*‖h(Pw*‖Up*)). In addition, A can get other user’s N₀ in the database, so he will get the user’s corresponding HId₀ by formula HId₀ = N₀⊕h(S_p). In login and authentication phase, A can impersonate to be the user U₀ to access sever S by corresponding N₀ and HId₀. The specific steps are as follows.

1. U₀→S:{B₀,X₀,T₀}:
   Adversary A chooses random numbers r₀, W₀ and computes X₀ = r₀⋅P, Y₀ = r₀⋅Q_s B₀ = W₀⊕h(HId₀‖Y₀) and T₀ = h(B₀‖Y₀‖W₀). After completion of calculation, U₀ sends information {B₀, X₀, T₀} to server S.
2. S→U₀: {E,Auth_s}:
   Once getting message {B₀, X₀, T₀}, S computes HId₀′ = N⊕h(S_p), Y₀′ = S_p⋅X₀ and W₀′ = B₀⊕h(HId₀′‖Y₀′). Obviously, the verification equation T₀′ = h(B₀‖Y₀′‖W₀′) is true. Next S generates random number r′ and computes E = r′⋅Q_s, sk_s = r′⋅Y₀′, Auth_s = h(sk_s‖W₀′‖Y₀′). After that, S transmits {E,Auth_s} to U₀.
3. U₀→S:{Auth_u}:
   When getting {E,Auth_s}, U₀ computes sk_u = r₀⋅E, Auth_u = h(sk_u‖W₀‖Y₀‖E) and sends {Auth_u} to S.
4. After receiving the message {Auth_u}, S computes Authu′ = h(sk_s‖W₀′‖Y₀′‖E) and gets a conclusion that Auth′_u is equal to Auth_u. Finally, the user U₀ communicates with server S based on the common session key sk = sk_u = sk_s = r₀⋅r′⋅Q_s

We draw a conclusion that A can masquerade as an arbitrary legitimate user for entering server S by insider attack.

3.3| Denial service attack

We assume that an adversary A is able to intercept message which is transmitted between U and S. At password update phase in Qiu et al.’s scheme, U sends the result values of V and M to S. The adversary A intercepts message {V, M} and forges M₀ by generating random number, then A transmits {V, M₀} to S. Apparently, A will pass verification of S by checking whether V is equal to V*. After that, S computes N^new = h(S_p)⊕h(Id‖sk)⊕M₀ and replaces N with N^new in the database. Because of the falsify of N^new, the user U will fail to pass verification in next login and authentication phase.

3.4 | Defects of practicality

In term of Qiu et al.’s scheme, we find that a user U needs to remember identity Id, password Pw and secret key Up. It is a burden for users to keep in mind with three different data. If a user U wants to change password, according to the password update phase of Qiu et al., he or she has to bear in mind with a new password Pw^new and a new secret key Up^new. For the most users, it is hard to remember so much information. Therefore, the scheme of Qiu et al. has poor practicability.

4.1| Registration phase

For a legal user U, if he or she wants to access the system, the necessary step is to register with the server S by submitting identity ID and password PW. User U and server S will perform the following steps.

1. U generates a long random number r and computes VPw = h(PW‖ID‖r) and HId = h(ID⊕r). Then U transmits {VPw,HId} to S by a secure channel.
2. After receiving the data, S computes N = VPw⊕h(S_p‖HId) and R = h(S_p⊕VPw). Then S stores {HId,N} into database and issues a smart card which contains R to U through a secure channel.
3. After receiving the smart card, U computes VR = h(PW⊕ID)⊕r and stores VR into the smart card.

4.2| Login and authentication phase

When a user U wants to acquire the service from server S, he or she should insert his or her smart card into card reader and enter his or her identity ID and password PW. U and S will perform the following steps.

1. The user U generates a random number r_a, and computes r′ = VR⊕h(PW⊕ID), HId′ = h(ID⊕r′), VPw′ = h(PW‖ID‖r′), C = h(R⊕VPw′)⊕r_a and Auth_u = h(r_a⊕HId′⊕VPw′). Then U transmits {HId′,C,Auth_u} to the server S.
2. After receiving the message, S extracts N according to corresponding HId′ from the database and calculates VPw′′ = N⊕h(S_p‖HId′), R′ = h(S_p⊕VPw′′), r_a′ = h(R′⊕VPw′′)⊕C. Then checks whether the value of Auth_u is equal to h(r_a′⊕HId′⊕VPw′′). If holds, S picks a random number r_b, computes sk_s = h(r_a′‖r_b‖HId′), D = h(R′‖VPw′′)⊕r_b, Auth_s = h(sk_s‖D) and transmits {D, Auth_s} to U. Otherwise, S terminates the session.
3. When U receives the message, U computes r_b′ = h(R‖VPw′)⊕D, sk_u = h(r_a‖r_b′‖HId′), checks whether Auth_s is equal to h(sk_u‖D). If success, user U and server S share the same session key sk_s = h(r_a′‖r_b‖HId′) = sk_u = h(r_a‖r_b′‖HId′). If not, the smart card aborts the session.

4.3| Password update phase

If a user U needs to change password PW for a number of reasons, he or she only needs to input identity ID, password PW and new password PW_new. User U and server S will perform the following steps.

1. The user U calculates r′ = VR⊕h(PW⊕ID), HId′ = h(ID⊕r′), VPw′ = h(PW‖ID‖r′), VPw_new = h(PW_new‖ID‖r′) and C1 = h(R⊕VPw′)⊕VPw_new. After generating a random number r_a, U continue computing C2 = h(VPw′⊕VPw_new)⊕r_a, Auth_u = h(r_a⊕HId′⊕VP_Wnew). After that, U transmits {C1, C2, HId′, Auth_u} to S.
2. Upon receiving the message, S computes VPw′′ = N⊕h(S_p‖HId′), R′ = h(S_p⊕VPw′′), VPw′_new = C1⊕h(R′⊕VPw′′) and r_a′ = C2⊕h(VPw′′⊕VPw′_new). Then S checks whether the value of Auth_u is equal to h(r_a′⊕HId′⊕VPw′_new). If not, S terminates this session, else continues to calculate N′ = VPw′_new⊕h(S_p‖HId′) to replace N with N' in the database. Finally, S computes R_new = h(S_p⊕VPw′_new), D = h(R′‖VPw′_new‖r_a′)⊕R_new and Auth_s = h(VPw′_new⊕R_new). After that, message {D, Auth_u} will be transmitted to U.
3. After receiving the message {D, Auth_s}, U gets R'_new by computing R′_new = D⊕h(R‖VPw_new‖r_a) and checks whether the value of Auth_s is equal to h(VPw_new⊕R′_new). If success, S computes VR′ = h(PW_new⊕ID)⊕r′ and replaces {VR, R} with {VR', R'_new}, else terminates this session.

5.1 |Insider attack

Assume that an adversary A can obtain N and HId of a legitimate user that stored in database. Because computational formulas are HId = h(ID⊕r), N = VPw⊕h(S_p‖HId), VR = h(PW⊕ID)⊕r, R = h(S_p⊕VPw) and VPw = h(PW‖ID‖r). Without the random number r, A cannot get the sensitive information ID or PW and cannot compute important secret data such as R and VPw form known data. Therefore, our scheme can resist insider attack.

5. 2|User anonymity

In the public channel, we do not send Id directly but transmit HId which is computed by means of the formula HId = h(ID⊕r). Even if A can access the value of HId, A still cannot get the sensitive information Id. Because the formula contains a random number r which A does not know. Therefore, our proposed scheme provides user anonymity.

5. 3|Replay attack

In our proposed scheme, the random numbers r_a and r_b change in every login. For an adversary A, he can intercept information {HId', C, Auth_u} and replay this message. Obviously, A can pass the verification of the server S and will receive the corresponding message {D, Auths} form sever S. Because A does not have a knowledge of the correct values R, VPw and r_a, he cannot compute r_b′ = h(R‖VPw′)⊕D and sk_u = h(r_a‖r_b′‖HId′). Therefore, our scheme is security even under replay attack.

5. 4| off-line password guessing attack

In our scheme, if an adversary A accesses exchanged information {HId', C, Auth_u, D, Auth_s} which is transmitted in a public channel [22,23]. Because of the formula HId′ = h(ID⊕r′), A is unable to guess correct ID without r′. In addition, in the formulas VPw′ = h(PW‖ID‖r′), C = h(R⊕VPw′)⊕r_a, A cannot guess PW correctly without the value ID and r'. Therefore, our scheme has an advantage of resisting off-line password guessing attack.

5. 5| Smart card lost attack

If an adversary A steals the smart card, he is able to get the VR and R which are stored in the smart card. Because the formulas are VR = r′⊕h(PW⊕ID) and C = h(R⊕h(PW‖ID‖r′))⊕r_a, without the knowledge of r’ and r_a, A cannot guess the correct identity ID and password PW. If A wants to communicate with S, he needs to structure legitimate {HId', C, Auth_u}. Because of the formulas HId′ = h(ID⊕r′), C = h(R⊕h(PW‖ID‖r′))⊕r_a, Auth_u = h(r_a⊕HId′⊕h(PW‖ID‖r′)), without identity ID and password PW, A is unable to pass through the verification of server S. Therefore, our scheme can resist smart card lost attack.

5. 6| Impersonation attack

For an adversary A, in authentication phase, if he wants to masquerade as a legal user U and login in server S, he must forge a valid login message {HId', C, Auth_u}. It is impossible for A to forge valid login message without legitimate identity ID, password PW, VR and R. The same is true, if A wants to masquerade as the server S, he has to counterfeit message {D, Auth_s}. Without valid information N, A is unable to obtain {D, Auth_s} which can pass through verification of the user U. Furthermore, in password update phase, A is unable to forge valid C1, C2 and Auth_u to pass the authentication of server S. In the same way, A is unable to forge valid D and Auth_s to pass the verification of user U. Therefore, our scheme can resist impersonation attack.

5. 7| Man-At-The-End attack

Man-At-The-End attack [24] contains widespread aspects and is difficult to model. The technical adversary is human that we call A here, he could authorize and limitless access to the target. All security protections stand up to A for a specific period of time. Because Man-At-The-End attack has concrete form in certain circumstance, one of the defense details is as follows:

A could personate a legitimate user to register and access the sensitive value of N* from the database end. His own identity ID*, password PW* are known. According to formulas h(S_p‖HId) = VPw⊕N, VPw = h(PW‖ID‖r) and HId = h(ID⊕r). Without having knowledge about the value of random number r, he will take unpractical time cost to computer S_p, by formulas h(S_p‖h(ID*⊕r)) = h(PW*‖ID*‖r)⊕N*. Our scheme offer a defense and A is unable to obtain important information S_p.

Although A could execute other forms and is hard to analyze, many protective devices have ability to against the attack, include software protection, hardware protection and digital asset protection, more details are reference no.24. Hence, our scheme can make a defense against Man-At-The-End attack.

5. 8| Perfect forward secrecy

When the system crashes in one session, an adversary can acquire information ID, PW, S_p and intercept message {HId', C, Auth_u} and {D, Auth_s}. For an adversary A, he wants to get sk_s = sk_u = h(r_a‖r_b‖HId′). But without the knowledge of the correct values VR and R, he cannot compute r_a′ = h(R′⊕VPw′′)⊕C, r_b′ = h(R‖VPw′)⊕D correctly. Finally, A still have no ability to get the session key to eavesdrop session. Hence, our scheme provides perfect forward secrecy.

Step 1 Our goals

In order to make our scheme practicable, we list some goals which need to be achieved.

Goal 1. .

Goal 2. .

Goal 3. .

Goal 4. .

Step 2 Idealized form

We show the idealized message form between user U and server S as follows.

Msg 1. .

Msg 2. .

Step 3 Initial state

We transform some premises about authentication and login phase in our scheme.

Aspt 1. U|≡#(r_a).

Aspt 2. S|≡#(r_a).

Aspt 3. .

Aspt 4. .

Aspt 5. .

Aspt 6. .

Aspt 7. .

Aspt 8. .

Aspt 9. .

Aspt 10. .

Aspt 11. .

Aspt 12. .

Step 4 Derivation process

We prove that user U and server S can set up the session key by combining with the above information.

(1) The proof of goal 1 and goal 2:

S 1.

On the basis of Msg 2, we get that , in the light of Aspt 7, we know that . Because of the message meaning rule, we get the following results:

S 2.

According to S 1 and Aspt 1, we know that and U|≡#(r_a). Owing to the nonce verification and the freshness rule, which is listed as follows.

S 3.

In line with S 2, we could achieve: and

Goal 1 is realized apparently.

S 4.

According to and Aspt 3 , By the jurisdiction rule, we confirmedly know that . According to , Aspt 5 , Aspt 9 and sk = h(r_a‖r_b‖HId), we make a representation is as follows:

So, we have achieved Goal 2.

(2) The proof of goal 3 and goal 4:

S 5.

From Msg 1, we know that , because of Aspt 8 and the message meaning rule, we can deduce that:

S 6.

On the basis of S 5 and Aspt 2, we know and S|≡#(r_a), owing to the nonce verification and the freshness rule, we obtain result what is as follows:

S 7.

According to S 6 and Aspt 4 , because of the jurisdiction rule, we could obtain . Form Aspt 6 , Aspt 10 and the formula sk = h(r_a‖r_b‖HId), we are able to get:

Goal 4 is accomplished.

S 8.

According to S 6 and Aspt 11 , Aspt 12 . Because of the formula sk = h(r_a‖r_b‖HId), we have following.

Distinctly, Goal 3 of our claim is achieved.

According to the proof above, our goals are achieved. We hold a sufficient reason to believe that both U and S believe that the session key sk which is shared between U and S.