
IEEE SYSTEMS JOURNAL, VOL. 12, NO. 2, JUNE 2018 2039

Short Papers
On the Security of a Privacy-Aware Authentication Scheme for Distributed
Mobile Cloud Computing Services
Qi Jiang, Jianfeng Ma, and Fushan Wei

Abstract—Recently, Tsai and Lo proposed a privacy aware authentication scheme for distributed mobile cloud computing services. It is claimed that the scheme achieves mutual authentication and withstands all major security threats. However, we first identify that their scheme fails to achieve mutual authentication, because it is vulnerable to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including the problem of biometrics misuse, wrong password and fingerprint login, and no user revocation facility when the smart card is lost/stolen. Some suggestions are provided to avoid these design flaws in the future design of authentication schemes.

Index Terms—Authentication, bilinear pairing, mobile cloud computing, security, user anonymity, user untraceability.

Manuscript received June 22, 2015; revised November 1, 2015 and April 16, 2016; accepted May 20, 2016. Date of publication June 23, 2016; date of current version May 2, 2018. This work was supported in part by National Science Foundation of China (61202389, U1405255, 61309016, 61372075, U1536202), in part by Natural Science Basic Research Plan in Shaanxi Province of China (2016JM6005), in part by Fundamental Research Funds for the Central Universities (JB161501), in part by the Priority Academic Program Development of Jiangsu Higher Education Institutions and Jiangsu Collaborative Innovation Center of Atmospheric Environment and Equipment Technology, in part by Specific project on research and development platform of Shanghai Science and Technology Committee (14DZ2294400).
Q. Jiang and J. Ma are with School of Cyber Engineering, Xidian University, Xi’an 710071, China (e-mail: jiangqixdu@gmail.com; jfma@mail.xidian.edu.cn).
F. Wei is with the School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210000, and also with the State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China (e-mail: weifs831020@163.com).
Digital Object Identifier 10.1109/JSYST.2016.2574719
1937-9234 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

I. INTRODUCTION

Mobile cloud computing, a new computing paradigm integrating cloud computing into the mobile environment, brings new types of services and enables mobile users to take full advantage of cloud computing [1], [2]. In mobile cloud computing, mobile users can access computation results, resources, applications, and services that are stored, implemented, and deployed in the cloud by using mobile devices through wireless networks, such as wireless local area networks and 3G/4G telecommunication networks.

Since wireless networks underlying mobile cloud computing are vulnerable to a series of attacks, such as eavesdropping, replay, forgery, interception, and denial of service attacks, mutual authentication between the user and cloud service provider is indispensable to prevent illegal service access and defend against the potential security attacks over the insecure networks. Additionally, as identity threats, such as identity masquerade and identity tracing, have become common attacks in wireless networks, there is a growing demand to protect user identity privacy. Furthermore, a mobile user generally accesses different types of mobile computing services. Therefore, it is essential to design a privacy aware authentication scheme which enables users to access various services from distinct service providers by using only one single private key or password. Apart from these issues, because mobile devices are relatively limited in computing capability and power compared with desktop computers, the scheme should be efficient in terms of computing. More desirably, the trusted third party, involved in user registration and service provider registration, is not required to participate in each user authentication session.

Most authentication protocols [3]–[6], which are designed for single server environment, are not suitable for distributed services environment in which multiple servers offer a plethora of services. Although traditional single sign-on (SSO) schemes such as Passport [7] and OpenID [8] are possible solutions to address this issue, these schemes require the trusted third party to participate in each user authentication session, which could become the bottleneck for traditional SSO systems.

To this end, Tsai and Lo [9] proposed an efficient authentication scheme using identity based cryptosystem [10] for distributed mobile cloud computing services. Their scheme has the following advantages. First, a mobile user can access multiple services from different mobile cloud service providers using only one single private key. Second, no verification table is required to be implemented at service providers or the trusted third party. Third, the trusted third party is not required to be involved in regular user authentication session, thus greatly reducing the total user authentication processing time. Finally, due to the usage of bilinear pairing in an elliptic curve [11], [12], their scheme incurs less computing resources on both the mobile devices and service providers [9].

It is claimed that the scheme achieves mutual authentication, key exchange, user anonymity, and user untraceability, and withstands all major security threats. However, we observe that their scheme fails to achieve mutual authentication, because it is vulnerable to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including misuse of biometrics, wrong password and fingerprint login, and no user revocation facility when the smart card is lost/stolen. We then provide some suggestions to avoid these design flaws in the future design of authentication schemes combining passwords, smart cards, and biometrics.

II. REVIEW OF TSAI AND LO’S SCHEME

In this section, we briefly review Tsai and Lo’s scheme. The notations used in this paper are listed as follows.
1) $U_i$: A user $i$.
2) $SP_j$: A service provider $j$.
3) SCG: The smart card generator.
4) $P$: The generator of $G_1$.
5) $H$, $h$: One-way hash functions.
6) $H_1: Z_p \to Z_p$, $H_2: G_2 \to Z_p$, $H_3: Z_p \to Z_p$, $H_4: Z_p \to Z_p$, $h: Z_p \to G_1$.
7) $G_1$, $G_2$: A cyclic multiplicative group and a cyclic additive group of the same order $p$, respectively.
8) $e$: A pairing function $e: G_1 \times G_1 \to G_2$.
9) $\|$: The concatenation operation.
10) $s$, $P_{pub}$: The master private key and the corresponding public key of the SCG, respectively.
11) $ID_i$ ($ID_j$), $S_i$ ($S_j$): The identity and the private key of $U_i$ ($SP_j$), respectively. Note that $H_1(ID_i)$ ($H_1(ID_j)$) is the public key of $U_i$ ($SP_j$).
12) $K_{ij}$: The session key for $U_i$ and $SP_j$.

A. Scheme Details

In Tsai and Lo’s scheme, there are three types of participants: $V = \{U_i \mid i = 1, \ldots, n\}$, $W = \{SP_j \mid j = 1, \ldots, m\}$, and SCG. Their scheme consists of three phases: system setup, registration, and authentication. The details of each phase are presented as follows.

System setup: SCG first chooses $s$ as its master private key and computes its public key $P_{pub} = sP$. Next, SCG computes $e(P, P)$ and publishes the public parameters $\{e, H_1, H_2, H_3, H_4, h, P, P_{pub}, e(P, P)\}$.

Registration: Each user $U_i$ (or service provider $SP_j$) sends the chosen identity $ID_i$ (or $ID_j$) to SCG. Upon receiving the identity, SCG computes $U_i$’s (or $SP_j$’s) private key $S_i = (s + H_1(ID_i))^{-1} P$. Next, SCG sends $S_i$ (or $S_j$) back to $U_i$ (or $SP_j$) through a secure channel. When obtaining the private key, $U_i$ computes $E_i = S_i \oplus h(PW_i \| f_i)$ and stores $E_i$ on his/her smart card, where $PW_i$ and $f_i$ are the password and the fingerprint of $U_i$, respectively. When receiving its private key, $SP_j$ stores it in the secure memory.

Authentication: When $U_i$ wants to access $SP_j$, $U_i$ submits the password and fingerprint to the smart card, which computes $S_i = E_i \oplus h(PW_i \| f_i)$. Then $U_i$ and $SP_j$ authenticate each other through the following steps, as is shown in Fig. 1.

Step 1: $U_i$ sends a service request to $SP_j$.
Step 2: $SP_j$ computes $Z = e(P, P)^a$, where $a$ is a random number. Next, $SP_j$ sends $Z$ to $U_i$.
Step 3: Upon receiving $Z$, $U_i$ generates a random number $b$, and computes
$K_{ij} = H_2(Z^b) = H_2(e(P, P)^{ab})$,
$K_2 = bP_{pub} + H_1(ID_j)bP$, $w = bP_{pub} + H_1(ID_i)bP$,
$s_i = (b + H_3(ID_i \| Z \| ID_j \| w \| K_{ij}))^{-1} S_i$,
$C_1 = K_{ij} \oplus (ID_i \| s_i \| w)$.
Then $U_i$ sends $(K_2, C_1)$ to $SP_j$.
Step 4: After receiving $(K_2, C_1)$ from $U_i$, $SP_j$ computes $K_{ij} = H_2(e(K_2, S_j)^a) = H_2(e(P, P)^{ab})$. Next, $SP_j$ retrieves $(ID_i \| s_i \| w) = K_{ij} \oplus C_1$. Then $SP_j$ checks whether $e(P, P)$ and $e(s_i, w + H_3(ID_i \| Z \| w \| K_{ij})Q_i)^a$ are equal, where $Q_i = P_{pub} + H_1(ID_i)P$. If these two values are equal, $U_i$ is an authorized user.
Step 5: $SP_j$ computes $D_i = H_4(K_{ij} \| Z \| ID_i \| ID_j)$ and sends it to $U_i$.
Step 6: Upon receiving $D_i$, $U_i$ computes $D_i' = H_4(K_{ij} \| Z \| ID_i \| ID_j)$ and checks whether $D_i$ and $D_i'$ are equivalent. If these two values are equivalent, the validity of $SP_j$ is ensured.

Fig. 1. Flowchart of Tsai and Lo’s protocol.

III. SECURITY WEAKNESSES AND DESIGN FLAWS

In this section, we demonstrate that their scheme is prone to the service provider impersonation attack. Besides, their scheme also suffers from biometrics misuse, wrong password and fingerprint login, and no user revocation mechanism.

A. Service Provider Impersonation Attack

An adversary $A$ can impersonate any service provider and be authenticated by the mobile user. In practice, this vulnerability means that an adversary can trick the mobile user into accessing rogue services, which severely endangers user data security and privacy. The details of the attack are presented as follows and illustrated in Fig. 2.

Step 1: $U_i$ sends login request to $SP_j$.
Step 2: After intercepting the login request, the adversary $A$ generates a random number $a$, computes $Z = e(P_{pub} + H_1(ID_j)P, P)^a$, and sends it to $U_i$.
Step 3: Upon receiving $Z$, $U_i$ generates a random number $b$, and computes the session key
$K_{ij} = H_2(Z^b) = H_2(e(P_{pub} + H_1(ID_j)P, P)^{ab})$,
$K_2 = bP_{pub} + H_1(ID_j)bP$, $w = bP_{pub} + H_1(ID_i)bP$,
$s_i = (b + H_3(ID_i \| Z \| ID_j \| w \| K_{ij}))^{-1} S_i$,
$C_1 = K_{ij} \oplus (ID_i \| s_i \| w)$.
Then $U_i$ sends $(K_2, C_1)$ to $SP_j$.
Step 4: $A$ intercepts $(K_2, C_1)$, computes
$K_{ij} = H_2(e(K_2, P)^a) = H_2(e(P_{pub} + H_1(ID_j)P, P)^{ab})$,
$(ID_i \| s_i \| w) = K_{ij} \oplus C_1$, $D_i = H_4(K_{ij} \| Z \| ID_i \| ID_j)$.
Then $A$ sends $D_i$ to $U_i$.
Step 5: $U_i$ checks the validity of $D_i$ upon receiving it.

As $U_i$ and $A$ share the same key $K_{ij}$, the $D_i$ computed by $A$ passes $U_i$’s verification. That is, the scheme is subject to the service provider impersonation attack. Thus, the scheme fails to achieve mutual authentication, which is essential for practical applications.

B. Misuse of Biometrics

In the authentication phase of Tsai and Lo’s scheme, $U_i$ submits the password $PW_i$ and fingerprint $f_i$ to the smart card, which computes $S_i = E_i \oplus h(PW_i \| f_i)$ to retrieve the private key of $U_i$. Then
$U_i$ and $SP_j$ proceed to the subsequent steps to authenticate each other. As is noted in [13] and [14], biometric matching is probabilistic in nature, which means that two biometric samples of the same individual are never exactly the same. As a result, $f_i$ in the registration phase and $f_i$ in the authentication phase are not exactly the same. Since the outputs of the hash function are very sensitive to small perturbations in their inputs [15], it is of high probability that the retrieved private key $S_i$ of $U_i$ is not equivalent to the original private key $S_i$ of $U_i$. Although $U_i$ can proceed with the subsequent steps, $SP_j$ will observe that the response $(K_2, C_1)$ is invalid, as $e(s_i, w + H_3(ID_i \| Z \| w \| K_{ij})Q_i)^a$ and $e(P, P)$ are not equal. Thus, $SP_j$ will reject $U_i$’s request. Actually, biometrics is misused in Tsai and Lo’s scheme. Therefore, their scheme is incorrectly designed such that even the legitimate user cannot pass the verification of biometrics.

Fig. 2. Flowchart of server impersonation attack.

C. Wrong Password and Fingerprint Login

As is noted in [16], it is desired that there is an authentication test (also known as local password verification) to reject the login request if a legal user $U_i$ enters a wrong password. In Tsai and Lo’s scheme, if $U_i$ mistakenly enters a wrong password, say $PW_i'$ ($PW_i' \neq PW_i$), then the smart card still computes $S_i' = E_i \oplus h(PW_i' \| f_i)$ instead of $S_i = E_i \oplus h(PW_i \| f_i)$. In this case, $U_i$ will send a wrong message $(K_2', C_1')$ instead of the valid message $(K_2, C_1)$. Thus, no authentication test is in place to reject a wrong password. This problem also applies to the case of a wrong fingerprint.

D. No Provision for Revocation

The revocation of lost/stolen smart card is essential for the practical deployment of smart card-based authentication schemes [16]. If a legal user’s smartcard is lost or stolen, some mechanism must be in place to prevent the misuse of lost/stolen smartcard. To address this problem, the identity information is required to be maintained by the server, based on which the invalid smartcard will be detected [16]. However, in Tsai and Lo’s scheme, no such information is maintained by the SCG. Therefore, their scheme does not take this feature into consideration, and is incapable of revoking lost/stolen card.

IV. POSSIBLE COUNTERMEASURES

To the best of our knowledge, there is no direct approach to remedy the major defect of service provider impersonation attack. To counteract this vulnerability, the scheme needs radical improvements, which deserve a full paper. Thus, we leave it as our future work.

Regarding the minor design flaws discussed in the previous section, we provide some suggestions to avoid them in the future design of three-factor authentication schemes.
1) A possible countermeasure to misuse of biometrics is to employ a bio-cryptosystem, such as fuzzy extractor [17], [18] or fuzzy vault [19], instead of directly applying a hash function to biometrics. The basic concept of fuzzy extractor is to generate the biometric key, i.e., a pair of strings $(P, R)$, from the biometrics, where $P$ is the help string and $R$ is the secret key. $R$ can be recovered if $P$ and a close enough biometrics are provided [20]. The error tolerance of fuzzy extractor is enabled by error correcting techniques. In fuzzy vault, a user generates a secret key and encrypts it by using his/her biometric template. The secret key can be recovered by providing the encrypted data and the corresponding biometrics [21], [22].
2) It is desired that an authentication test is in place to verify the correctness of $U_i$’s credentials, i.e., $ID_i$, $PW_i$, and $f_i$, before sending the message $(K_2, C_1)$. However, there is a tradeoff between fulfilling the authentication test and resisting offline dictionary attack. A possible fix is to employ the concept of fuzzy verifier proposed by Wang et al. [23], [24]. On one hand, it can be used to provide timely wrong password and fingerprint detection at login. On the other hand, the adversary has to perform online guessing to determine the correct password from as high as $2^{12}$ candidates [24], which can be relatively easily detected and thwarted by the server by using rate limiting and/or lockout policy.
3) To facilitate revocation, the SCG maintains the identity information in its database, based on which the invalid smart card will be detected [16].

V. CONCLUSION

We have analyzed an efficient and provably secure authentication scheme for mobile computing services by Tsai and Lo. Although their scheme is equipped with a claimed proof of provable security, we have pointed out that the scheme fails to achieve mutual authentication by demonstrating its vulnerability to the service provider impersonation attack. Besides this major defect, it also suffers from some minor design flaws, including the misuse of biometrics, wrong password and fingerprint login, and no user revocation facility when the smart card is lost/stolen. We have provided some suggestions to avoid these design flaws in the future design of authentication schemes combining passwords, smart cards, and biometrics. A natural direction for further study is to design a secure and efficient authentication scheme for distributed mobile cloud services.

REFERENCES

[1] H. T. Dinh et al., “A survey of mobile cloud computing: Architecture, applications, and approaches,” Wireless Commun. Mobile Comput., vol. 13, no. 18, pp. 1587–1611, 2013.
[2] N. Fernando, S. W. Loke, and W. Rahayu, “Mobile cloud computing: A survey,” Future Gener. Comput. Sys., vol. 29, no. 1, pp. 84–106, 2013.
[3] H. Li, Y. Dai, L. Tian, and H. Yang, “Identity-based authentication for cloud computing,” in Proc. Cloud Comput., 2009, pp. 157–166.
[4] Q. Jiang, M. K. Khan, X. Lu, J. Ma, and D. He, “A privacy preserving three-factor authentication protocol for e-health clouds,” J. Supercomput., 2016. DOI: 10.1007/s11227-015-1610-x.
[5] D. He, S. Zeadally, N. Kumar, and J.-H. Lee, “Anonymous authentication for wireless body area networks with provable security,” IEEE Syst. J., vol. 11, no. 4, pp. 2590–2601, Dec. 2017.
[6] Q. Jiang, J. Ma, X. Lu, and Y. Tian, “An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks,” Peer-to-Peer Netw. Appl., vol. 8, no. 6, pp. 1070–1081, 2015.
[7] Microsoft, Windows Live ID. (2011). [Online]. Available: https://account.live.com/
[8] OpenID Foundation, OpenID Authentication 2.0. (2007). [Online]. Available: http://openid.net/specs/openid-authentication-2_0.html
[9] J. L. Tsai and N. W. Lo, “A privacy-aware authentication scheme for distributed mobile cloud computing services,” IEEE Syst. J., vol. 9, no. 3, pp. 805–815, Sep. 2015.
[10] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Proc. Adv. Cryptol., 2001, vol. 2139, pp. 213–229.
[11] K. Lauter, “The advantages of elliptic curve cryptography for wireless security,” IEEE Wireless Commun., vol. 11, no. 1, pp. 62–67, Feb. 2004.
[12] D. He, S. Zeadally, and L. Wu, “Certificateless public auditing scheme for cloud-assisted wireless body area networks,” IEEE Syst. J., vol. 12, no. 1, pp. 64–73, Mar. 2018.
[13] B. S. Abhilasha, S. Anna, and M. Shimon, “Privacy preserving multi-factor authentication with biometrics,” J. Comput. Security, vol. 15, no. 5, pp. 529–560, 2007.
[14] D. He, N. Kumar, J.-H. Lee, and R. Sherratt, “Enhanced three-factor security protocol for USB consumer storage devices,” IEEE Trans. Consum. Electron., vol. 60, no. 1, pp. 30–37, Feb. 2014.
[15] D. He and D. Wang, “Robust biometrics-based authentication scheme for multiserver environment,” IEEE Syst. J., vol. 9, no. 3, pp. 816–823, Sep. 2015.
[16] V. Odelu, A. K. Das, and A. Goswami, “A secure biometrics-based multi-server authentication protocol using smart cards,” IEEE Trans. Inf. Forensics Secur., vol. 10, no. 9, pp. 1953–1966, Sep. 2015.
[17] X. Huang, Y. Xiang, A. Chonka, J. Zhou, and R. H. Deng, “A generic framework for three-factor authentication: Preserving security and privacy in distributed systems,” IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 8, pp. 1390–1397, Aug. 2011.
[18] Q. Jiang et al., “Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy,” Nonlinear Dyn., vol. 83, no. 4, pp. 2085–2101, 2016.
[19] J. Yu, G. Wang, Y. Mu, and W. Gao, “An efficient and improved generic framework for three-factor authentication with provably secure instantiation,” IEEE Trans. Inf. Forensics Security, vol. 9, no. 12, pp. 2302–2313, Dec. 2014.
[20] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,” in Proc. Adv. Cryptol., 2004, pp. 523–540.
[21] A. Juels and M. Sudan, “A fuzzy vault scheme,” in Proc. Int. Symp. Inf. Theory, 2002, p. 408.
[22] T. C. Clancy, “Secure smartcard-based fingerprint authentication,” in Proc. ACM Workshop Biometrics: Methods Appl., 2003, pp. 45–52.
[23] D. Wang, D. He, P. Wang, and C.-H. Chu, “Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment,” IEEE Trans. Dependable Secure Comput., vol. 12, no. 4, pp. 428–442, Jul./Aug. 2015.
[24] D. Wang and P. Wang, “On the usability of two-factor authentication,” in Proc. 10th Int. Conf. Security Privacy Commun. Netw., Sep. 24–26, 2014, pp. 141–150.
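
The key agreement behind the service provider impersonation attack of Section III-A can be checked mechanically. The Python sketch below is an added example, not code from the paper or from Tsai and Lo. It assumes a toy, insecure bilinear group whose elements are stored as their discrete logarithms, SHA-256 standing in for $H_1$ to $H_4$, a SHA-256 keystream for the XOR in $C_1$, and constructed identities and mode names.

```python
import hashlib
import secrets

# Toy bilinear group (constructed, NOT secure): the G1 element xP is stored as
# x mod q, and e(xP, yP) = e(P, P)^(xy) is stored as its exponent xy mod q.
q = 2**127 - 1                       # prime group order
P = 1                                # generator of G1

def H(tag, *parts):                  # stands in for H1..H4, output in Z_q
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def pair(X, Y):                      # e(X, Y)
    return X * Y % q

def gt_pow(Z, k):                    # Z^k in G2
    return Z * k % q

def xor_stream(key, data):           # K_ij XOR payload (keystream is an assumption)
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(f"{key}|{i}".encode()).digest() for i in blocks)
    return bytes(x ^ y for x, y in zip(data, ks))

s = secrets.randbelow(q - 1) + 1     # SCG master key, used only inside extract()
P_pub = s * P % q

def extract(identity):               # S = (s + H1(ID))^-1 P, computed by the SCG
    return pow(s + H("H1", identity), -1, q) * P % q

def user_step3(ID_i, S_i, ID_j, Z):  # U_i's Step 3, as in Section II-A
    b = secrets.randbelow(q - 1) + 1
    K = H("H2", gt_pow(Z, b))
    K2 = (b * P_pub + H("H1", ID_j) * b * P) % q
    w = (b * P_pub + H("H1", ID_i) * b * P) % q
    s_i = pow(b + H("H3", ID_i, Z, ID_j, w, K), -1, q) * S_i % q
    return K, K2, xor_stream(K, f"{ID_i}|{s_i}|{w}".encode())

def run(mode):
    """mode: 'honest' (peer holds S_j), 'impersonation' (Section III-A),
    or 'no_key' (honest Z, but the peer has no S_j)."""
    ID_i, ID_j = "alice", "sp-storage"           # constructed identities
    a = secrets.randbelow(q - 1) + 1
    # Step 2: the only change the adversary makes is the base of Z.
    base = (P_pub + H("H1", ID_j) * P) % q if mode == "impersonation" else P
    Z = gt_pow(pair(base, P), a)
    K_user, K2, C1 = user_step3(ID_i, extract(ID_i), ID_j, Z)
    # Step 4: the real SP_j pairs K2 with S_j; a peer without S_j only has P.
    other = extract(ID_j) if mode == "honest" else P
    K_peer = H("H2", gt_pow(pair(K2, other), a))
    seen_id = xor_stream(K_peer, C1).decode(errors="replace").split("|")[0]
    D = H("H4", K_peer, Z, seen_id, ID_j)
    accepted = D == H("H4", K_user, Z, ID_i, ID_j)   # U_i's final check on D_i
    return accepted, K_peer == K_user, seen_id

if __name__ == "__main__":
    for mode in ("honest", "impersonation", "no_key"):
        print(mode, run(mode))
```

In the impersonation run the peer never reads $s$ or $S_j$, yet $U_i$'s check on $D_i$ passes and $ID_i$ is recovered from $C_1$; with an honest $Z$ the same key-less peer is rejected, so the decisive gap is that $U_i$ has no means to validate $Z$.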
