Comments on “ITSSAKA-MS: An Improved Three-Factor Symmetric-Key Based Secure AKA Scheme for Multi-Server Environments”

Multi-server technology is widely utilized due to its enormous applicability in fields such as telecare medicine information system (TMIS), online shopping, remote surveillance, online banking, etc. However, a malicious attacker can perform various security attacks in the multi-server environments because he/she can easily modify, insert, inject, delete, and intercept exchanged messages over a public channel. Thus, secure authentication and key agreement (AKA) schemes are indispensable to provide useful services in multi-server environments. In 2020, Ali et al. presented a three-factor symmetric key based secure AKA scheme for privacy and security in multi-server environments. Ali et al. claimed that their scheme can prevent various security attacks, and also ensure secure authentication. However, this comment shows that Ali et al.’s scheme suffers from many drawbacks, including session key exposure, man-in-the-middle (MITM), and masquerade attacks. Moreover, their scheme fails to ensure mutual authentication. Thus, we suggest the necessary security guidelines to resolve the security threats of Ali et al.’s scheme.


I. INTRODUCTION
With the development of portable devices and wireless communication, users can access useful services through smart devices anytime and anywhere in multi-server environments. Multi-server technology has become a promising alternative with its extensive applications of networks and has been used in various fields, including telecare medicine information system (TMIS), online shopping, remote surveillance, online banking, and so on. Multi-servers allow legitimate users to access various services from multiple servers through wireless communication. Generally, a multi-server environment comprises the user, the trusted registration center (RC), and a group of servers. Once users are registered in the RC, they are able to access application servers that have registered in the RC. However, in multi-server environments, an attacker can perform various security attacks because all messages are transmitted over a public channel. Thus, a secure and efficient authentication and key agreement (AKA) scheme is indispensable to ensure secure services for legitimate users in multi-server environments.
The associate editor coordinating the review of this manuscript and approving it for publication was Jenny Mahoney.
In 2020, Ali et al. [1] designed a biometric-based secure AKA scheme to provide secure services in multi-server environments. Ali et al. claimed that their scheme is able to resist various security threats such as impersonation, replay, session key exposure, and insider attacks. Moreover, they claimed that their scheme can ensure secure mutual authentication, anonymity, and perfect forward secrecy. However, this comment shows that their scheme is vulnerable to session key exposure, man-in-the-middle (MITM) and masquerade attacks, and also does not provide mutual authentication. Therefore, we suggest some guidelines to resolve the security threats of Ali et al. [1].
The outline of this comment is summarized as follows. Section II briefly reviews Ali

A. ADVERSARY MODEL
We present the attack assumptions comprising the well-known Dolev-Yao (DY) threat model [2] to examine the security of SMAP-IoV. In the DY model, the capabilities of a malicious adversary are as follows:
• Referring to the DY model [2], a malicious attacker (MA) is able to eavesdrop, modify, replay, inject, or delete transmitted messages over a public channel.
• MA can steal the legal user's smart card and extract the stored secret credentials in memory by performing power analysis [3]-[5].
• MA can be a legitimate and privileged insider who is able to reveal the verifier table stored in the RC database [1].

B. MOTIVATION AND CONTRIBUTION
The major aim of this comment is to identify the security drawbacks present in the protocol of Ali et al. Consequently, Ali et al.'s scheme fails to ensure the required security functionalities such as "session key exposure attack", "MITM attack", "masquerade attack", and "mutual authentication", which are considered to be major requirements in multi-server environments. These facts motivated us to come up with security guidelines, which can provide security functionalities and resolve security flaws and threats that exist in multi-server environments.

II. REVIEW OF THE ALI et al.'s SCHEME
We briefly review Ali et al.'s AKA scheme for multi-server environments. Ali et al.'s scheme [1] is composed of three processes: user registration, server registration, and authentication and key establishment. The symbols utilized in this article are summarized in Table 1.

A. USER REGISTRATION PROCESS
All users $U_i$ must register with the registration center RC in order to receive useful services. We present the user registration process of Ali et al.'s scheme and the detailed steps are as below.

B. SERVER REGISTRATION PROCESS
All servers $S_j$ must register with the RC in order to provide various services. Each server $S_j$ chooses an identity $SID_j$ and sends it to RC. Then, RC computes $S_{priv_j} = h(SID_j \| K_{RC})$ and sends it to $S_j$. Finally, $S_j$ stores $\{S_{priv_j}\}$ in its database.

C. AUTHENTICATION AND KEY AGREEMENT PROCESS
In this process, $U_i$ requests authentication to $S_j$ in order to establish the session key $SK$. We describe the AKA process of Ali et al.'s scheme in Fig. 1 and the detailed steps of this process are as follows.
• AK 1: $U_i$ inserts SC and inputs $ID_i$ and $PW_i$. Then, After that, $U_i$ validates the condition $W_{S_j}^* \stackrel{?}{=} W_{S_j}$. If it is equal, $U_i$ and $S_j$ establish $SK$ successfully and then save the $SK$ for future communication.

III. CRYPTANALYSIS OF ALI et al.'s SCHEME
This comment is about "ITSSAKA-MS: An Improved Three-Factor Symmetric-Key Based Secure AKA Scheme for Multi-Server Environments", which was proposed by Ali et al. [1]. They claimed that their scheme can prevent various security attacks, and also ensure secure authentication. However, we prove that the AKA scheme for multi-server environments by Ali et al. [1] is susceptible to "session key exposure", "MITM", "smart card theft", and "masquerade" attacks. In addition, we also demonstrate that their scheme fails to provide mutual authentication.

A. MASQUERADE ATTACK
An MA may attempt to masquerade as a legal user through a stolen smart card. According to Section I-A, we assume that MA can extract the stored secret credentials $\{K_i^*, R_i^*, TID_i^*, Gen(\cdot), Rep(\cdot), \tau, t\}$ in SC. Moreover, MA can eavesdrop, modify, replay, inject, or delete the exchanged messages via a public channel. Consequently, MA can perform the impersonation through the following detailed steps.
Step 1: . After that, MA generates a random nonce $R_{MA}$ and calculates
Step 2: Upon obtaining the message $\{M_{MA1}\}$, the RC calculates $(Auth, R_1, CID_i) = D_{K_{RC}}(R_i)$ and $T_1 = T_1^* \oplus CID_i$, and checks the condition
Step 3: Upon getting message $\{M_{MA2}\}$, the $S_j$ decrypts $(TID_i, W_{RC}, Y_{MA}, T_1, T_2) = S_{priv_j}(G_{RC})$ and validates the condition $|T_2 - T_c| \le T$. If the condition is equal, $S_j$ computes $W_{RC}^* = h(S_{priv_j} \| T_2)$ and checks $W^*$

B. SESSION KEY EXPOSURE ATTACK
Referring to Section III-A, we demonstrate that MA can masquerade as the legitimate user $U_i$ and compute the session key $SK = h(Y_{RC} \| SID_j \| T_3)$ as follows. According to Section I-A, MA is able to extract stored secret parameters in SC, and intercept the transmitted data between $U_i$, RC, and $S_j$ over a public channel. If so, MA computes h (PW i

IV. GUIDELINE ON ATTACK RESILIENCE
In Section III, we demonstrated that Ali et al.'s scheme suffers from many drawbacks, including session key exposure, MITM, and masquerade attacks. Moreover, their scheme fails to ensure mutual authentication. Therefore, we suggest the necessary guidelines to resolve the security threats of Ali et al.'s scheme.
• All participants must securely encrypt and transmit the messages using a symmetric key because a malicious attacker can easily insert, delete, intercept, and modify the transmitted messages during the AKA phase.
• The session key $SK$ must consist of some randomly generated parameters such as a random nonce and a secret credential.
• In case of a lost or stolen smart card, a malicious attacker can impersonate a legitimate user or can change the password of the user. Thus, an AKA scheme must store the secret credentials in encrypted form to prevent a smart card theft attack.
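The second guideline and the mutual-authentication requirement can be sketched together; this is an added example, not code from the comment or from Ali et al.'s scheme. It puts the unkeyed key shape reviewed in Section III-B next to a derivation keyed by a secret credential and bound to fresh nonces from both sides, with a key-confirmation tag and a timestamp freshness check. HMAC-SHA256 standing in for h(.), the function names, the nonce sizes, the role labels and the 5-second window are all assumptions.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # assumed freshness window (seconds) for the |T - T_c| check


def transcript_only_sk(y_rc: bytes, sid_j: bytes, t3: int) -> bytes:
    # Shape reviewed in Section III-B: SK = h(Y_RC || SID_j || T_3).
    # No keyed input: whoever learns the three values recomputes SK.
    return hashlib.sha256(y_rc + sid_j + t3.to_bytes(8, "big")).digest()


def bound_sk(secret: bytes, n_u: bytes, n_s: bytes, sid_j: bytes, t: int) -> bytes:
    # Guideline form: keyed by a secret credential, fresh nonces from both sides.
    # Each field is length-prefixed so field boundaries cannot be shifted.
    msg = b"".join(len(f).to_bytes(2, "big") + f
                   for f in (b"SK", n_u, n_s, sid_j, t.to_bytes(8, "big")))
    return hmac.new(secret, msg, hashlib.sha256).digest()


def confirm_tag(sk: bytes, role: bytes, n_u: bytes, n_s: bytes) -> bytes:
    # Key-confirmation value each side sends; the role label stops reflection.
    return hmac.new(sk, role + n_u + n_s, hashlib.sha256).digest()


def accept(sk: bytes, role: bytes, n_u: bytes, n_s: bytes,
           tag: bytes, t: int, now: int) -> bool:
    # The peer is accepted only if the timestamp is fresh and the tag verifies.
    if abs(now - t) > DELTA_T:
        return False
    return hmac.compare_digest(tag, confirm_tag(sk, role, n_u, n_s))


def demo() -> dict:
    secret = secrets.token_bytes(32)            # constructed shared credential
    sid_j, t = b"SID-constructed", 1_700_000_000
    n_u, n_s = secrets.token_bytes(16), secrets.token_bytes(16)
    sk = bound_sk(secret, n_u, n_s, sid_j, t)
    server_tag = confirm_tag(sk, b"S", n_u, n_s)
    guess = bound_sk(secrets.token_bytes(32), n_u, n_s, sid_j, t)  # no credential
    return {
        "server_accepted": accept(sk, b"S", n_u, n_s, server_tag, t, t + 1),
        "wrong_key_rejected": not accept(guess, b"S", n_u, n_s, server_tag, t, t + 1),
        "reflection_rejected": not accept(sk, b"U", n_u, n_s, server_tag, t, t + 1),
        "stale_rejected": not accept(sk, b"S", n_u, n_s, server_tag, t, t + 60),
        "fresh_per_session": sk != bound_sk(secret, secrets.token_bytes(16), n_s, sid_j, t),
    }
```

Mutual authentication needs the same tag exchange in the other direction, with the user sending `confirm_tag(sk, b"U", ...)` and the server running `accept` on it.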

V. CONCLUSION
This comment refers to ''ITSSAKA-MS: An Improved