A Privacy-Preserved E2E Authenticated Key Exchange Protocol for Multi-Server Architecture in Edge Computing Networks

Edge computing has played an important role in enabling 5G technology which supports a great number of connected narrow-band IoT devices. In an edge computing architecture enabled with global mobile network, edge or IoT devices are wirelessly connected to the edge of the network. Data acquisition and processing will be handled at or close to the edge of the network in a distributed way. Since edge computing is a heterogeneous distributed interactive system with multiple domains and entities, it might suffer from potential attacks and threats. To provide a trusted edge computing, there must have a robust scheme that allows all participants to mutually authenticate in a secure and privacy-preserved way. With the rapid development of IoT technologies, mobile networks and edge computing architecture, single server has been unable to meet the needs of users. In this paper, we propose a privacy-preserved end-to-end password-based authenticated key exchange protocol for multi-server architecture in edge computing networks. Our protocol allows an end user to use an easy-to-remember password to login to the server, then through foreign agent compute a shared key with another end user for specific use of services. The proposed protocol provides strong user anonymity during communication process. Besides, the proposed protocol is proved to be secure using BAN logic and AVISPA tool. Furthermore, performance analysis shows that the proposed protocol gains stronger security and better computational efficiency. Providing lightweight computation with short key size of ECC, our work is a solution to lower latency and improve efficiency in edge computing networks.

enables powerful collaborative computation, data processing, and rich service interface for the devices. However, traditional centralized cloud computing model for IoE will inefficiently support IoE-based application services due to the following problems: (i) Multi-sources data processing requirements of massive data at the edge of network might not be met. (ii) The communicational bandwidth and speed might be a bottleneck due to large scale of user access. (iii) It is a big challenge to deal with user privacy and users' sensitive data in edge devices. Therefore, it is desired to combine existing cloud computing and edge computing to efficiently deal with the massive data processing problems at the edge of the network [2].
In an edge computing architecture, data acquisition and processing will be handled at or close to the edge of the network in a distributed way. It can offload the computation and communication burden and gain better quality of service. In the other word, edge computing enables storing and processing data at the edge of the network [4]. Thereby, edge computing addresses heavyweight computation problem from cloud computing [5]. Thus, edge computing has played an important role in enabling 5G technology, where narrow-band (NB) IoT devices are the essential entity. However, since edge computing is a heterogeneous distributed interactive system with multiple domains and entities, it might suffer from potential security issues and challenges in processing massive data. These issues and challenges include data security, secure computation, secure transmission, entity authentication, access control, privacy protection [2]. To provide a trusted edge computing, it should allow all participants to mutually authenticate for withstanding potential threats. Figure 1 presents communication in an edge computing network. Users may ask request to use services from providers (home servers or foreign agents). Besides, end users can communicate with each other to compute conversation key for specific purpose. Since this communication is carried out via a public channel, it is threatened to various attacks, such as man-in-the-middle attack [6], replay attack [7], impersonation attack [8], stolen verifier attack [9] and so on. An adversary can access message and steal desired information. Besides, identity anonymity [10] is very important to user. Therefore, a robust authentication scheme securing this communication is essential. Recently, a lot of works have been conducted to address security and privacy for sensitive information distributed using IoT devices in mobility networks or edge computing networks [11]- [15].
An edge computing architecture enabled with global mobility network provides effective global roaming services for personal communicating users and IoT devices. Through the universal roaming technology, legitimate mobile users can enjoy ubiquitous services [16] and manage IoT devices. A global mobility network includes three communicating parties: mobile user, home server and foreign agent. Mobile user in global mobility networks access service provider using IoT devices. User can directly use service from home server. Besides, he/she can communicate with foreign agent to obtain the service through home server [17]. With the rapid development of mobility network technology, people can use various services through mobile devices anytime and anywhere with edge computing. In order to address user security and privacy, lots of authentication and key exchange protocols used for global mobility networks have been introduced [18]- [21]. For instance, replay attack was prevented in [22], [23]. Furthermore, Sood [24] proposed a smart identity authentication protocol based on a dynamic identity card, which is obtained from improvement of Bellovin and Merritt [25]'s protocol. Sood used congruent multiplication and exponent to calculate user identity and password, then stores these in a verification table. However, Sood's protocol is not free from stolen verifier attack when attacker steals the verification table. Therefore, some scholars have proposed passwordbased authentication mechanism without verification table to withstand this attack [26], [27].
Recently, Gope and Hwang [16] proposed a strong anonymity mutual authentication and key agreement scheme for global mobile networks. Mobile communication architecture introduced in their work provided user a cross-domain server mutual authentication method. However, server in Gope and Hwang' protocol needs to maintain a verification table at registration center, which causes certain threats. Their work did not introduce a strong two-factor authentication. Besides, Gope and Hwang's scheme cannot achieve the goal of end-to-end communication.
With the rapid development of IoT technologies, global mobile networks and edge computing networks, single server has been unable to meet the needs of users. The number of servers has increased remarkably to provide more services for the end user [28]. The conventional schemes allow user to access service only with a single server. More servers will lead to more identities and passwords that user must remember, which causes considerable inconvenience. It is not secure that user uses the same set of identities and passwords to register with different servers. Therefore, many researchers have proposed identity authentication mechanism suitable for a multi-server environment so that user can obtain services from multiple servers using a single password. A multi-server architecture in the edge computing network allows users to access service without complicated registration and authentication. For instance, Li et al. [29] proposed a secure dynamic identity based authentication protocol with smart card for multi-server architecture.
In this paper, we propose a privacy-preserved end-toend authenticated key exchange protocol for multi-server architecture in distributed edge computing networks. The proposed protocol allows a mobile user to use an easyto-remember password to login and authenticate different servers in the network. Edge computing network enables 5G technology architecture that supports a massive number of connected NB-IoT devices. The users of these devices may want to directly connect to each other for specific purposes such as sharing services, establishing common subscriptions, etc. To this end, our proposed scheme allows end users to communicate with each other and compute a shared key through the help of home server and foreign agent. User privacy is protected during communication process. Multiserver architecture introduced in our work deals with the overhead. Besides, Elliptic Curve Cryptography (ECC) with small key size is employed in our scheme. Hence, the proposed scheme favors end-to-end communication and is well suited for 5G enabled edge computing networks. Our proposed scheme is favored by the help of smart card, which can provide personal identification, authentication, data storage, and application processing [30].
The rest of this paper is organized as follows. Section II, we briefly review Gope and Hwang's scheme. Section III, we propose a privacy-preserved end-to-end authenticated key exchange protocol for multi-server architecture in edge computing networks. Section IV and Section V, we respectively present formal and informal security analysis of the proposed protocol. Section VI, we compare performance of the proposed protocol with its related works. Section VII, an implementation of the proposed protocol is described. Finally, the conclusions and future research directions are given in Section VIII.

II. REVIEW OF GOPE AND HWANG'S SCHEME
In this section, we briefly describe Gope and Hwang's scheme, which consists of three phases: registration phase, mutual authentication and key agreement phase, and password update phase. After that, we point out some weaknesses of their protocol.

A. REGISTRATION PHASE
Step 1 -Mobile user (MU) sends registration information to home agent (HA). They perform the following sub-steps.
Step 1-1: MU submits his/her identity ID M to HA via a secure channel.
Step 1-2: HA generates a random number n h and then com- Step 1-3: HA generates a set of unlinkable pseudo-IDs PID = {pid 1 , pid 2 , . . .}, where for each pid j ∈PID, pid j = h(ID M ||r i K uh ), r i a random number.
Step 1-4: HA generates a unique track sequence number Tr seq , which is basically a sequence number of 64bit.
Step 1-5: HA stores K uh and ID M in its database.
Step 1-6: HA stores K uh , PID, Tr seq , h(·) in the smart card and sends smart card to MU.
Step 2 -The shared key K uh between mobile user MU and home agent HA is stored in smart card.
Step 2-1: MU chooses a password PSW M and submits it to the smart card. Step 1 -Smart card computes the shared key K uh of mobile user MU and home agent HA with the legitimate ID M and PSW M , and sends an authentication request to foreign agent FA.
Step 1-1: MU inserts his/her smart card into the reader and enters his/her identity ID M and password PSW M .
Step 1-2: Smart card generates two random numbers N m , N m and computes P = N m ⊕ N m . Step 1-3: Smart card computes K uh = K * uh ⊕h(ID M ||PSW M ), AID M = h(ID M ||K uh ||N m ||Tr seq ), where Tr seq denotes the most recent track sequence number, received from the home agent HA. In case of loss of synchronization, the user needs to choose one of the unused pid * j then submits his/her identity ID M and password PSW M and computes VOLUME 8, 2020 Step 2-1: FA generates two random numbers N f , N f and Tr seq , {N f ||E K uh , V 1 }, and send M B 2 to HA.
Step 3 -After receiving the M B 2 , HA verifies the legitimacy of the mobile user MU and the foreign agent FA. HA performs the following sub-steps.
Step 3-1: HA checks whether the track sequence number Tr seq is valid.
shared key K uh and K fh . Step 3-3: HA computes and verifies the parameters V 1 , Step 4 -After receiving M B 3 transmitted by HA, FA authenticates HA and establishes a conversation key with MU. FA performs the following sub-steps.
Step 4-1: FA decrypts x using K fh , checks the integrity of x, and verifies N f by computing and comparing V *

C. PASSWORD UPDATE PHASE
Step 1 -MU needs to insert his/her identity ID M and current password PSW M to smart card, then computes . After verifying user's legitimacy, MU enters the new password PSW * M .
Step 2 -Using the new password, smart card com- Step 3 -The device will replace K * uh with K * * uh , PID * with PID * * , then store them for further communication.

D. WEAKNESSES OF GOPE AND HWANG'S SCHEME
Gope and Hwang [16] claimed that their protocol can resist various known attacks. However, we found that their protocol has certain weaknesses as follows: • Unsecure against man-in-the-middle attack: This attack happens when an attacker attempts to intercept the message transmitted between the sender and the receiver who believe that they are directly communicating with each other. He/she tries to impersonate legitimate parties or obtain secret information. At the registration phase of Gope & Hwang's scheme, the home agent (HA) personalizes a smart card with {K uh , PID, Tr seq , h(·)} and issues it to MU and then stores a copy of K uh in its database for further communication. An adversary in registration center may use this parameter to impersonate the user and obtain his/her service from foreign agent.
• Unsecure against stolen-verifier attack: Similarly, Gope & Hwang's scheme needs a verification table at registration center. This table may be leaked out and the adversary can use it to impersonate the legitimate user.
• Lacks strong two-factor authentication: This mechanism includes password and smart card in authentication process so as to enhance security. In Gope & Hwang's scheme, MU inserts his/her smart card into the reader and enters his/her identity ID M and password PSW M . However, smart card registration was not available. The smart card then was not used to verify the user by confirming the input information. Therefore, their scheme doesn't achieve strong two-factor authentication.
• Lacks user end-to-end communication: in Gope & Hwang's scheme, user is only able to communicate with the foreign agent to obtain its service. An endto-end communication between user and user was not introduced in their work. In many scenarios, users want to communicate with each other to compute the shared key for further purposes. Thus, a robust authentication scheme that secures this communication is essential.

III. THE PROPOSED PROTOCOL
Our proposed protocol includes four roles/actors: user U i , user U j , remote server S m and remote server S n . The proposed protocol consists of six phases: system initialization phase, smart card registration phase, server registration phase, login phase, mutual authentication & key exchange phase, and password update phase. During the protocol, all of the parties including U i , FA p , S m , U j , FA q , S n participate in the communication that lets the user U i and U j compute a conversation key. For simplicity, only communication among U i , FA p , S m is described. Table 1 describes notations and cryptographic functions used in this paper.

A. SYSTEM INITIALIZATION PHASE
In system intialization phase, based on elliptic curve cryptography proposed by the National Institute of Standards and Technology (NIST) [31], the system generates a curve Ep (a, b) : . It then computes public key for each server using the secret key k, V = kG. Besides, f is the symmetric key the home server and the foreign agent. Home server registers to certificate authority CA and obtains their own certificate, signature, public key and private key.

B. SMART CARD REGISTRATION PHASE
The user U i sends registration information to the smart card, the user U i and the smart card performs following steps (shown in Figure 2).
Step 1 -U i enters ID U i , PW U i to smart card.
Step 2 -Smart card generates r i , then computes Step 3 -Smart card stores r i and A i .

C. SERVER REGISTRATION PHASE
The user first logins to the smart card then performs server registration. As shown in Figure 3, the user U i and the server S m perform the following steps.
Step 1 -U i transmits the registration information to S m through smart card. U i and S m perform the following substeps.
Step 1-1: U i enters SID i,m to smart card.
Step 1-2: Smart card generates random number SPW i,m , then computes Step 1-3: U i transmits SID i,m and SA i,m to server S m .
Step 2 -S m computes a shared value with U i . Step 2-2: S m transmits B m,i to the user U i .
Step 2-3: U i stores B m,i and SA i,m in flash drive and smart card respectively.

D. LOGIN PHASE
In login phase, the user U i first logins to smart card for verification. As shown in Figure 4, the user U i logs in to the server S m , then the user U i , the smart card, the foreign agent FA p , and the server S m jointly perform the following steps to complete the procedure in which the user U i can login to the server S m and compute conversation key with the user U j . Step Step 3 -Smart card compares A i and its A i , then verifies the legitimacy of user U i .
Step 4 -User U i inserts his/her smart card, then enters SID i,m . Using B m,i from flash drive, smart card calculates shared secret number u i,m = B m,i ⊕ SA i,m .
Step 5 -Smart card generates two random numbers a i,m , s i,m . Step Step 7 -User U i transmits C i,m1 , C i,m2 , T i,m to foreign agent FA p .
Step 8 -Foreign agent FA p generates two random numbers Nf p , Nf p , computes Q p = Nf p ⊕ Nf p , m21 , c i,m22 , c i,m23 ) , and transmits { C i,m1 , C i,m2 , T i,m , θ p,m } to server S m .

E. MUTUAL AUTHENTICATION AND KEY EXCHANGE PHASE 1) MUTUAL AUTHENTICATION AND EXCHANGE PHASE BETWEEN SERVERS
As shown in Figure 5, mutual authentication and key exchange process between two servers is described as follows.
Step 1 -Server S m and S n respectively authenticate the legitimacy of user U i and U j . The following sub-steps are performed by server S m .
Step 1-2: S m decrypts θ p,m to get Q p , Nf p , and computes c i,m21 = c i,m21 ⊕ Nf p . = u i,m to verify user U i 's legitimacy. If there is a match, U i is confirmed to be a legitimate user.
Step 1-6: S m employs the Elliptic Curve Cryptography to Step 2 -After S m and S n authenticate the legitimacy of U i and U j , Server S m performs the following sub-steps.
Step 2-1: S m chooses random number b m,i and computes Step 2-3: S m calculates signature δ m = Sig k m (Y m,i ).
Step 2-4: S m transmits δ m , Cert m to S n for verification.
Step 3 -Server S m first verifies δ n , Cert n received from the server S n . After verifying S n 's identity, server S m uses received numbers to compute the following computations.

2) AUTHENTICATION PHASE AMONG SERVER, FOREIGN AGENT AND USER
As shown in Figure 6, authentication process among the server, foreign agent and user is described as follows.
Step 1 -Server S m transmits θ m,p to foreign agent FA p .
Step 2 -FA p computes θ m,i = D f p,m (θ m,p ) , and transmits θ m,i , Q p to U i .
Step 3 -U i and U j respectively verify S m and S n , then compute a conversation key. User U i performs the following sub-steps.
Step 3-3: U i computes: Step 3-5: U i compares β i,m with the received β m,i . If there is a match, the server S m is legitimate. VOLUME 8, 2020  Step 3-6: Using K m,i sent by S m , U i computes his/her conversation key K i = Nf p * a i,m * K m,i = Nf p * Nf q * a i,m * a j,n * b n,j * b m,i * G. K j is similarly computed by U j at the same time.

F. PASSWORD UPDATE PHASE
As shown in Figure 7, the user U i and his/her smart card perform the following steps to complete password update phase.
Step 1 -U i enters ID U i , PW U i , then smart card computes

. After that, A i and A i are compared to verify the legitimacy of U i .
Step 2 -U i enters a new password PW U i . Smart card

A. LOGICAL ANALYSIS USING BAN LOGIC
This section describes the logical analysis of the proposed protocol by using BAN logic, which was defined and presented by [32], [33]. Table 2, Table 3 and Table 4 [32]- [34] respectively defines the notations, assumptions and rules used in this analysis. On the basis of the assumptions and logical analyses, the proposed protocol must realize the following four goals of authentication and key agreement as follows.
(G1) U i ≡ U i K i ←→ U j : User U i believes that K i is a symmetric key shared between U i and U j .
(G2) U j ≡ U i K i ←→ U j : User U j believes that K i is a symmetric key shared between U i and U j .
←→ U j : User U i believes that U j is convinced of K j is a symmetric shared key between U i and U j .
←→ U j : User U j believes that U i is convinced of K j is a symmetric shared key between U i and U j .
To accomplish Goal 1, firstly, we must prove a i,m , Nf p , and K m,i are trusted by U i . According to [32]- [34], the proposed protocol is described in logic with the following steps.
Step 1 -FA p (s i,m * G, y i,m1 * (u i,m ||SID i,m )⊕T i,m mod p, y i,m2 * r i,m1 mod p, y i,m2 * r i,m2 mod p, T i,m Step Step must hold because of interpretation (I3) and assumption (A5). Next, to accomplish Eq (2.1) and (2.2), we have that and must hold because of assumptions (A3), (A6) and the rationality rule (R1). To accomplish Eq (4.1), (4.2), (4.3) and (4.4) we have that and must hold because of the freshness rules (F1), (F2) and assumption (A4). To accomplish Eq (5.1), (5.2), (5.3) and (6.1), we have that and must hold because of the interpretation rule (I1), the seeing rules (S1), (S2), assumptions (A1), (A2). By using interpretation rule (I3), we have U i ≡ K i = a i,m * Nf p * K m,i . Subsequently, using the same arguments of assumptions, rules, sysmetric keys, we have K m,i = b m,i * Y n,j trusted by S m , and Y n,j = Nf q * R j,n * b n,j trusted by S n . Particularly for Y n,j , the trust from Certificate Authority is needed, which is regarded as an assumption.
Finally, we have that the proposed protocol realizes Goal 1: ←→ U j Similarly, we have that the proposed scheme realizes Goal 2: U j ≡ U i K i ←→ U j by using the same arguments of Goal 1.
To accomplish Goal 3, we have that (10) and must hold because of the rationality rule (R1) and assumption (A3). To accomplish Eq (11), we have that must hold because of the freshness rules (F1), (F2) and assumption (A4). To accomplish Eq (12), we have that VOLUME 8, 2020  and must hold because of the interpretation rule (I1), the assumptions (A1), (A2) and the seeing rules (S1) and (S2). Thus, the proposed protocol realizes Similarly, using the same arguments of Goal 3, the proposed protocol realizes Goal 4: U j ≡ U i ≡U i K j ←→ U j . Therefore, our proposed protocol realizes Goal 1, 2, 3 and 4.

B. SECURITY VERIFICATION USING AVISPA TOOL
We verify our scheme using widely accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool [35]. AVISPA tool executes the simulated protocol specified by HLPSL language [36]. For verifying cryptographic protocol, AVISPA tool includes four backends as follows.
• On-the-fly Model-Checker (OFMC) • Constraint Logic based Attack Searcher (CL-AtSe) • SAT-based ModelChecker (SATMC) • Tree Automata based on automatic approximations for the analysis of security protocols (TA4SP) In accordance with our proposed protocol, three roles including the user U i , the server S j and the foreign agent FA p are defined in the specification, HLPSL of which are shown in Figure 8, Figure 9 and Figure 10 respectively. Besides, session role, environment role and goals are also specified in HLPSL (shown in Figure 11). Since elliptic curve key generation is not supported in AVISPA, public key, private key and session key of ECC are predefined as Ks, inv(Ks) and Rus respectively. We consider six secrecy goals and two authentication properties for verification of our scheme. These goals and authentication properties are described as follows.
• secrecy_of g1: SIDim is kept secret to the U and the S. • secrecy_of g2: SAim' is kept secret to the U and the S. • secrecy_of g3: SPWim' is kept secret to the U. • secrecy_of g4: Bmi' is kept secret to the U and the S. • secrecy_of g5: Nfp' is kept secret to the U, the S and the F.
• secrecy_of g6: Nfp1' is kept secret to the U, the S and the F.
• authentication_on u_s_tim: The server S authenticates the user U based on Tim' received from the message of the user U.
• authentication_on s_u_b1mi: The user U authenticates the user U based on B1mi' received from the message of the server S. As show in Figure 12, the analysis results of the proposed protocol using OFMC confirm that the stated security properties are satisfied for a bounded number of sessions as specified in the environment role. Therefore, the proposed protocol is safe against various attacks, which are specifically described in Section V.

V. INFORMAL SECURITY ANALYSIS
The primary purpose of our propose protocol is to provide conversation key for two users. In other words, the secure shared key K of the user U i , U j and is computed through verification and authentication of the home servers S m , S n and foreign agents FA p , FA q . The details of semantic security analysis of our proposed protocol are presented as follows.

A. PROVIDES ROBUST VERIFICATION
In Step 1 of login phase, the smart card computes A i = H (PW U i ) ⊕ H (r i ||ID U i ), then confirms A i and A i . The user is verified to be legitimate if there is match, otherwise the smart  card rejects the request. In Step 1 of the mutual authentication and key exchange phase, the server S m decrypts C i,m1 and C i,m2 using k m to obtain u i,m and SID i,m . The server S m then computes u m,i = H (SID i,m ||x m ) using x m and confirms u m,i ? =u i,m . Similarly, if there is a match, legitimate user is confirmed. Besides, in Step 2 of the mutual authentication and key exchange phase, public key of the server S n is verified by using certificate Cert n . In Step 5 of the mutual authentication and key exchange phase, the user uses R i,m to decrypt θ m,i then obtains W m,i . After that, he/she calculates . The user then confirms β i,m and β m,i to verify the server S m . Hence, our protocol provides a robust verification of communicating participants.

B. PROVIDES MUTUAL AUTHENTICATION
In Step 1 of the mutual authentication and key exchange phase, u m,i is computed to verify the user. Also, in this phase, both of the servers' signatures are verified by the corresponding certificates. In Step 5 of the mutual authentication and key exchange phase, the user decrypts θ m,i and computes The user then confirms β m,i and  β i,m to verify the legitimacy of the server S m . Hence, our work provides a full mutual authentication during proposed protocol.

C. PROVIDES STRONG USER ANONYMITY
The ID U i of the user is securely stored in the smart card at registration, and only used when the smart card verify legitimacy of the user by computing A i = H (PW U i ) ⊕ H (r i ||ID U i ). Even the server does not know of ID U i . The user registers and logins to the server using SID i,m instead of his/her original ID U i . After that, the server uses SID i,m to compute u m,i and B m,i for further authentication. The identity SID i,m is not available openly and is only known to the user and server. Even if A i or SA i,m are leaked out, attacker cannot obtain ID U i or SID i,m respectively since these identities are protected by one-way hash function. On the other hand, in the mutual authentication phase, the attack does not know of k m , so he/she cannot decrypt C i,m21 to obtain SID i,m . Besides, suppose the attacker compromises β i,m , he/she still cannot know of SID i,m since β i,m is a hash value. Hence, our scheme provides a strong user anonymity.

D. PROVIDES FORWARD SECRECY
Assume Y m,i or Y i,m is known to the attacker. Owning to discrete logarithm problem, the secret numbers a i,m , b m,i will not be calculated. Moreover, a i,m and b m,i are randomly generated to compute session key and conversation key. These keys are different in every login time. Therefore, the attacker cannot derive correct keys from previous ones. Hence, this protocol achieves the forward secrecy.

E. PROVIDES PASSWORD UPDATE
In the proposed protocol, we provide password update facility. In password update phase, the user enters current PW U i for verification. After that, he/she can enter PW U i to update his/her password. The user is recommended to update his/her periodically for better security.

F. RESISTS PASSWORD GUESSING ATTACK
In this case, the attacker tries to guess the password from known parameters. Suppose the attacker obtains A i in the smart card. He/she then tries to guess PW U i from A i = H (PW U i ) ⊕ H (r i ||ID U i ). However, due to one-way hash value, it is not possible for the attacker to guess the correct password PW U i . Hence, our scheme can resist password guessing attack.

G. RESISTS IMPERSONATION ATTACK
Assume the attacker knows of identity of the user and attempts to send a login request to the server S m . Unless the attacker simultaneously steals SA i,m (stored in the smart VOLUME 8, 2020  card), and B m,i (stored in the flash drive), he/she cannot compute correct u i,m . He/she cannot impersonate the user without correct PW U i for smart card verification in the beginning. In another case, the attacker obtains the server's identity and tries to impersonate it by generating a session key to encrypt a forged θ m,i . However, session key R i,m cannot be computed without correct random number a i,m and s i,m . Furthermore, Nf p and Nf p are unknown to the attacker, he/she cannot calculate Q p . The user will terminate the process if Q p is not correct. Therefore, impersonation attack is resisted in our proposed protocol.

H. RESISTS MAN-IN-THE-MINDDLE ATTACK
In this case, the attacker tries to tamper with C i,m1 , C i,m2 , T i,m of login request message. However, due to aforesaid impersonation attack resistance, he/she cannot generate correct u i,m , and then the server S m will reject the login request. Besides, in the mutual authentication and key exchange phase, assume the attacker attempts to access θ m,i , but he/she does not have R i,m to decrypt θ m,i , and b m,i to compute β m,i respectively. Therefore, the attacker cannot act as a middleman in any cases, and our protocol is secure against man-inthe-middle attack.

I. RESISTS REPLAY ATTACK
Replay attack occurs when the attacker intercepts the message stolen from the last session then retransmits it to the server. In Step 1 of the mutual authentication and key exchange phase of our scheme, timestamp T i,m is used to resist replay attack. Specifically, c i,m21 is generated with T i,m by XOR operation. The sever uses T i,m included in the message to check whether the message is resent. Only one message including the correct timestamp within c i,m21 is accepted. Besides, the server will reject any message with incorrect timestamps. Therefore, our proposed protocol is free from replay attack.

J. RESISTS STOLEN SMART CARD ATTACK
Smart card stores random numbers r i , A i and SA i,m . In some cases, the smart card may be lost or stolen. However, the attack cannot impersonate the user since he/she does not have correct password PW U i . As mentioned, our protocol can provide anonymous identity and resist password guessing attack. Therefore, the stolen smart card is useless without correct ID U i and PW U i . On the other hand, even if the attacker obtains r i , A i , SA i,m , unless he/she can steal B m,i stored in the flash drive at the same time, the attacker cannot impersonate the legitimate user to send the login request. Hence, stolen smart card attack is avoided in the proposed protocol.

VI. PERFORMANCE ANALYSIS
In this section, the proposed scheme is compared with the related works to judge its competence and functioning. According to Table 5, we can see that Sood [24] and Li et al. [29] cannot resist stolen smart card attack, which is resisted by our proposed protocol. Besides, our proposed protocol can resist man-in-the-middle attack, which is a threat in the protocols of Sood [24], Jiang et al. [20], Li et al. [29] and Gope and Hwang [16]. Our proposed protocol is secure against replay attack to which Jiang et al. [20] and Li et al. [29]'s protocols are vulnerable. Unlike ours, Sood [24], Li et al. [29] and Gope and Hwang [16] lacks a strong two-factor authentication. In addition, Jiang et al. [20], Li et al. [29] and Gope and Hwang [16] cannot prevent stolen verifier attack. Unlike Li et al. [29], our proposed protocol can resist server impersonation attack. Also, our proposed protocol can resist user impersonation attack that is a threat to Sood [24] and Li et al. [29]. Other than immense properties of security, our scheme bears a reasonable computational cost. As shown Figure 13, the logarithm to base 2 is defined as the running time of each scheme obtained from Table 6. Specifically, the comparative value is log 2 x, where x is the rough estimation of running time of each scheme when n (number of servers) increases from 1 to 1000. When n gradually increases, our proposed protocol is explicitly more efficient than protocols of Sood [24], Jiang et al. [20] and Gope and Hwang [16], which were designed for single-server architecture. Only protocol of Li et al. [29], which was also proposed for multi-server architecture, has less running time than ours. However, as mentioned above, Li et al. [29]'s protocol is not accomplished, which is unsafe against wellknown attacks. Our scheme is even more efficient than Sood [24]'s in single-server architecture environment. Unlike all of the previous work, our protocol can favor the end-to-end communication between the end users. Therefore, such computational cost is rational.

VII. IMPLEMENTATION OF THE PROPOSED PROTOCOL
In this section, our proposed protocol is implemented with user-controlled single sign-on mechanism. Single sign-on (SSO) is a property that allows user to authenticate mobile application or web application with single username and password to access multiple applications that uses the same authentication provider [37]. SSO is consistent with multi-server architecture introduced in this paper, where user can access multiple edge servers to obtain services. In this scenario, we describe user interface of SSO system designed by Ubiquitous Security and Applications Laboratory (USA Lab.), Chang Gung University (CGU). The library of this system is written using Go Programming Language. Our system illustration includes four phases, namely, smart card registration phase, smart card login phase, server creation phase and account registration phase. In smart card  registration phase (shown in Figure 14), user creates an account with identity d0540011, which is subsequently used for smart card login phase (shown in Figure 15). After having smart card login to system, the user has to create server. As shown in Figure 16, we use smart card's identity and password to create the server CGMH. After that, the user creates some more servers, namely, CGMH blockchain, CGU, GOOGLE, etc. (shown in Figure 17). Finally, in account registration phase, he/she uses ID, password and arbitrary IDs to register accounts for multiple servers so as to use potential applications developed by CGU (the applications were not described in this illustration). As show in Figure 18, smart card identity d0540011, password and user identity 01011992 are used to create an account. The user can also check the detailed information of the created accounts. Figure 19 shows that he/she has created eight accounts with two identities 01011992 and 29071991, and four servers CGU, CGMH, YAHOO and GOOGLE. The password for each account was automatically generated by the SSO system. Furthermore, system interfaces of mutual authentication and key exchange phase, and password update phase are being developed. Thereby, end user can establish conversation key and update their passwords in accordance with our proposed protocol.

VIII. CONCLUSION
In this paper, we propose a privacy-preserved end-to-end authenticated key exchange protocol for multi-server architecture in edge computing networks. The proposed protocol is implemented with single sign-on (SSO) property and multiserver architecture. Our protocol allows mobile users to use a single easy-to-remember password to login to multiple servers then compute a conversation key for themselves during their end-to-end communication in 5G enabled NB-IoT networks. User privacy is preserved during communication process in our proposed protocol. As compared with previous works, the proposed protocol gains stronger security and better efficiency. Moreover, Elliptic Curve Cryptography with small key size is employed in our protocol. Thereby, our proposed protocol is suitable to edge computing.
Edge computing architecture plays an important role in enabling 5G technology. Thereby, security and privacy in edge computing network attract more and more attention from research community. Biometric-based authentication protocol is a good direction for providing a higher security level of communication. Also, with the increasing number of IoT or edge devices, secure authentication protocol for group communication or conference key distribution in 5G-IoT is an interesting topic for future work.