ITSSAKA-MS: An Improved Three-Factor Symmetric-Key Based Secure AKA Scheme for Multi-Server Environments

A variety of three-factor smart-card based schemes, specifically designed for telecare medicine information systems (TMIS), are available for remote user authentication. Most of the existing schemes for TMIS are customarily proposed for single-server environments. In a single-server environment, patients need to register and log in separately with each server to employ its services, which escalates the overhead of keeping the cards and memorizing the passwords for the users. In a multi-server environment, by contrast, users only need to register once to access various services, thus exploiting the benefits of a multi-server environment. Recently, Barman et al. proposed an authentication scheme for e-healthcare by employing a fuzzy commitment and asserted that the scheme can endure many known attacks. Nevertheless, after careful analysis, this paper presents a shortcoming related to its design. Furthermore, it proves that the scheme of Barman et al. is prone to many attacks, including server impersonation, session-key leakage, user impersonation and secret temporary parameter leakage attacks, and that it lacks user anonymity. Moreover, their scheme has a scalability issue. In order to mitigate the aforementioned issues, this work proposes an amended three-factor symmetric-key based secure authentication and key agreement scheme for multi-server environments (ITSSAKA-MS). The security of ITSSAKA-MS is proved formally under the automated tool AVISPA, along with a security feature discussion. Although the proposed scheme requires additional communication and computation costs, the informal and automated formal security analyses indicate that only the proposed scheme withstands several known attacks as compared to recent benchmark schemes.


I. INTRODUCTION
The associate editor coordinating the review of this manuscript and approving it for publication was Guangjie Han.

VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

The use of information and communication technologies (ICT) is increasing day by day, not only for entertainment and related leisure purposes; rather, it is becoming a part and parcel of daily life. People are now benefiting from a large number of quality services including e-Health/telemedicine, remote surveillance, online shopping, online banking, and online education. With the broad availability of the Internet everywhere and with cheaper mobile devices, telemedicine and e-Healthcare services are within the direct reach of patients, despite their being in remote areas [1], [2]. Moreover, e-Health can substitute the traditional clinical medical services [3], [4]. By using TMIS, the physician can access and monitor the live medical condition of the patients within no time by using an open channel [5]. It becomes very crucial to block an adversary from deducing the patient's delicate information. Furthermore, as the adoption of e-Healthcare increases, patient privacy should be the first priority, as all the communication takes place through a public channel [6], [7]. To prevent various threats, an authentication scheme can be implemented to ensure that TMIS is only accessed by legitimate users [8]-[11]. Recently, Wu et al. [12] introduced a two-factor authentication scheme employing a smart-card and password for TMIS. Debiao et al. [13] identified that Wu et al.'s scheme is prone to insider attack, impersonation attack, and the stolen smart-card attack. He et al. designed another scheme to solve the flaws of [12]. Zhu [14] also introduced an RSA-cryptosystem based authentication scheme.
Many other researchers [15]-[18] presented various schemes using password and smart-card, which were later proved weak against one or another attack. Recently, in numerous studies, many researchers proposed three-factor authentication schemes to enhance security and to ensure user privacy by combining ID/password, biometrics (e.g., fingerprint, iris) and smart-card [19]-[24]. Furthermore, some other schemes compromised the users' privacy by sending the identity of the user directly to the server over the insecure channel [12]-[14], [25], [26]. Nevertheless, the privacy of the user should be ensured in order to keep the identity secret from illegal users, and privacy is now being taken as a part and parcel of authentication schemes [27], [28].
To ensure user privacy/anonymity, Pu et al. [29] presented an elliptic curve cryptography (ECC) based authentication scheme, but the computation, communication and storage demands in Pu et al.'s scheme are very high. An authentication scheme based on dynamic ID with performance efficiency was proposed by Chen et al. [30]. After careful cryptanalysis, Jiang et al. [31] proved that Chen et al.'s scheme is unable to ensure user anonymity and presented a scheme to overcome the flaw. In contrast, Kumari et al. [32] found that Jiang et al.'s [31] scheme is prone to password guessing attack, session-key disclosure attack, Denial-of-Service (DoS) attack and user impersonation attack. Kumari et al. [32] presented an enhanced scheme to overcome the before-mentioned attacks. Chang and Chen [33] proposed another three-factor authentication scheme for the multi-server environment. However, Lin et al. [34] and Mishra et al. [ [5] presented a three-factor authentication scheme for e-Healthcare in the multi-server environment by employing fuzzy commitment and stated that the scheme can cope with prominent attacks. But the careful analysis conducted in this paper exposes several weaknesses of Barman et al.'s scheme. This manuscript shows that [5] suffers from design faults and is prone to a stolen verifier attack, which leads to session-key leakage, user and server impersonation attacks, and secret temporary parameter leakage; moreover, Barman et al.'s scheme works in the absence of user anonymity. Therefore, an improved three-factor symmetric-key based secure authentication and key agreement scheme for multi-server environments (ITSSAKA-MS) is proposed in this paper. The rest of the paper is organized as follows: The attack model employed in this paper is outlined in Subsection I-A. Review and cryptanalysis of Barman et al.'s scheme are conducted in Section II and Section III, respectively. In Section IV the different phases of the proposed ITSSAKA-MS are discussed.
The security analysis of the proposed ITSSAKA-MS is performed in Section V. In Section VI the performance analysis of ITSSAKA-MS is furnished and compared with various schemes. The paper is finally concluded in Section VII.

A. ADVERSARIAL MODEL
In this manuscript, the standard adversarial model is taken into account as stated in [38]-[44], where the following considerations are assumed as the power of the adversary U_A:
1) U_A can listen to the messages exchanged through the public channel. U_A has the capability to listen, replay, alter, abolish or send forged messages.
2) U_A can be a dishonest system user or can be an outsider.
3) U_A can extract the information stored in his own or a stolen smart-card by performing power analysis [38], [40] or from leaked data [41].
4) U_A can be a privileged and legitimate insider, who can expose the verifier table stored in the database of the RC [45]-[48].
5) U_A cannot steal the private key of the RC.

II. REVIEW OF THE SCHEME OF BARMAN et al.
This section presents the review of the scheme of Barman et al. The three phases of the scheme are described in the following subsections:

A. REGISTRATION PROCESS
Registration of the servers and of the patients is explained in the following subsections:

1) SERVER REGISTRATION PROCESS
All the medical servers (MS_j) need to register themselves with the RC. A MS_j chooses and transmits an identity SID_j to the RC. The RC computes W_j = h(SID_j||K_RC) for the j-th medical server using its secret key K_RC and sends W_j to the medical server.

2) PATIENT REGISTRATION PROCESS
In order to register with the RC and avail medical services, every patient/user, say U_i, selects an identity (PID_i), a password (PW_i) and a transformation-key (TP_i), and imprints his/her fingerprint biometric (BM_i). A cancellable template CT_i = f(BM_i, TP_i) is generated from the user's BM_i with TP_i using a transformation function f(.). Following are the steps involved in the patient's registration process:
1) An error encoding technique ψ_enc is utilized to alter the arbitrarily picked key K into the code-word K_CW = ψ_enc(K) and saves it into
The SC_i finally holds the subsequent parameters

B. LOGIN AND KEY-ESTABLISHMENT PROCESS
In this phase U_i gets authenticated and a session key is shared between U_i and S_j by executing the following steps:
1) U_i inserts the SC_i and provides the credentials PID_i, PW_i and the biometric BM*_i. The smart-card SC_i finally sends the login request containing T_1, V_4, V_3, V_5 to MS_j.
2) Upon getting the login message from U_i, MS_j confirms the condition |T_c − T_1| ≤ T to verify the timeliness of the timestamp T_1; if true it continues, else the session terminates. MS_j computes
MS_j picks the arbitrary nonce R_rand2 and the present timestamp
the validity of T_2; if false the session terminates, else it continues and U_i computes the corresponding value and checks it against V_14; if the check fails, the session is terminated. SC_i generates the new timestamp and calculates V_15 = h(SK_ij||V_1||V_13||T_3) and transmits the message containing V_15, T_3 to MS_j at time T_3. Upon getting the message from U_i, the server calculates V_16 and checks it against V_15; if true, the session key SK_ij is established between MS_j and U_i, so that they can communicate securely.

III. CRYPTANALYSIS OF THE SCHEME OF BARMAN et al.
In this section, we demonstrate some of the critical weaknesses of the scheme of Barman et al. It is shown here that a privileged insider U_A having access to the RC can impersonate a legitimate U_i and can launch other attacks under the capabilities mentioned in the adversarial model presented in Section I-A:

A. DESIGN FAULTS
Barman et al.'s scheme suffers from a design fault [49]: after login, the user sends the message T_1, V_3, V_4, V_5 to a medical server (MS_j). As can be observed, the request message does not include the server identity/address (SID_j), while there are j (1 ≤ j ≤ m + m') servers. Therefore, for moving further, the following two are the possibilities:
Case 1: The message is broadcast, so every server receives it and the intended server processes it completely. In such a case, each server partly processes the request, which causes unnecessary computation on each server, can delay the processing of other legitimate requests and hence degrades the quality of service.
Case 2: Alternatively, the absence of the server address/identity in the request message can be treated as a typo. In this case, the scheme can complete working normally but has severe security weaknesses, explained in the subsequent subsections.

B. STOLEN VERIFIER AND USER ANONYMITY VIOLATION ATTACK
Following Case 2 of Subsection III-A, the login message is assumed to also include the server's identity/address. The message sent by SC_i is transferred over the public channel, so a legitimate but wicked user (U_A) of the system can intercept it and can compute the user's identity as follows:
1) U_A extracts the value P_j from his own smart-card through power analysis [39], [40] and computes h(SID_j||W_j), as it is the same for all the users, by adopting the following procedure:
2) U_A waits for U_i to initiate a login request consisting of V_3, V_4, V_5, SID_j, T_1 where:
3) Then U_A computes the following:
where PID_i is the identity of U_i and stays the same for all sessions; therefore U_A has successfully launched the traceability attack. Also, SID_j and the corresponding key W_j are stored in the verifier table on the RC. So a privileged insider can access this table [50] and can compute the corresponding P_j to launch the traceability attack.

C. USER IMPERSONATION ATTACK
Let U_A be a legitimate user of the system who knows the identity of another legal user U_i. The following procedure can be adopted by U_A to impersonate U_i:
1) U_A fetches W_j corresponding to SID_j from the RC's verifier table [51], picks an arbitrary nonce R^A_rand1 and calculates:
2) U_A generates the current timestamp and computes:
3) Finally, U_A sends the message containing
4) The server MS_j gets the message forged by U_A; MS_j checks the freshness of the timestamp T^A_1, and as it is fresh, U_A passes this test.
5) MS_j now computes:
6) MS_j now verifies the equality:
7) MS_j considers U_A as the genuine U_i if Eq. 15 holds and processes the next steps to complete the authentication process. It can be clearly seen that Eq. 15 holds, as V_8 computed by MS_j in Eq. 12 is identical to V^A_1 calculated by U_A in Eq. 5. Similarly, V_9 computed in Eq. 13 is also the same R^A_rand1 generated by U_A. Therefore, U_A has successfully launched an impersonation attack using the stolen verifier.

D. SECRET TEMPORARY PARAMETER LEAKAGE
1) As described in Subsections III-B and III-C, U_A, being an insider, knows the identity of U_i and the secret key of the server W_j, and computes:
2) U_A can now extract the random number R_rand1 in the following way:
Leakage of the user's random number leads to the server impersonation attack, as described in the next subsection.

E. SESSION-KEY LEAKAGE AND SERVER IMPERSONATION ATTACK
U_A intercepts the message V_11, V_12, T_2 from the server to the user and generates its own message in the following way:
1) As described in Subsections III-B and III-C, U_A can generate the value h(SID_j ⊕ W_j), and U_A also knows the identity of U_i, so he/she computes:
2) U_A selects an arbitrary nonce R^A_rand2 and the present timestamp T^A_2 and calculates:
Finally, U_A sends the message containing V^A_11, V^A_12, T^A_2 to U_i.
3) U_i receives the message forged by U_A and examines the freshness of the timestamp T^A_2; as it is fresh, U_A passes this test.
4) Now, U_i computes:
5) U_i now verifies:
6) U_i considers U_A as the genuine MS_j if Eq. 28 holds and processes the next steps to complete the authentication process. It can be clearly seen that Eq. 28 holds, as SK_ij calculated by U_i in Eq. 26 is identical to that calculated by U_A in Eq. 23. Similarly, V_1 is also the same as V^A_8 computed by U_A in Eq. 20. Therefore, U_A has successfully launched a server impersonation attack using the stolen verifier.

IV. PROPOSED SCHEME
This section presents the improved three-factor symmetric-key based secure AKA scheme for multi-server environments (ITSSAKA-MS), specifically proposed to vanquish the defects existing in [5]. The proposed scheme consists of three phases, which are further divided into sub-phases. The notations utilized in the proposed scheme are listed in Table 1. The scheme is described in the subsequent subsections:

A. REGISTRATION PROCESS
This phase explains the procedure for registering the users and the servers:

1) SERVER REGISTRATION PROCESS
All of the medical servers MS_j (1 ≤ j ≤ m + m') in the proposed scheme have to register with the registration center (RC), where m is the number of currently registered servers and m' the number of servers which may be registered in the future. For registration, as presented in Figure 1, each server S_j (1 ≤ j ≤ m) selects its identity SID_j and sends it to the RC; the RC computes S^priv_j = h(SID_j||K_RC) and sends S^priv_j to S_j, which saves it in its database.

2) USER REGISTRATION PROCESS
All of the users U_i need to register with the RC in order to avail the services. With respect to Figure 2, U_i and the RC perform these steps to complete the registration:
RG1: The user chooses his/her PID_i and PWD_i, imprints BIO_i, computes HID_i = h(PID_i) and sends a registration request containing HID_i to the RC.

B. LOGIN AND KEY-ESTABLISHMENT PROCESS
Following are the steps performed by U_i to log in to MS_j, as discussed in Figure 3:
= h(K_RC||HID_i||R_rand1); the RC terminates if any of these, or both, are not valid. The RC now computes TPID_i = TPID'_i ⊕ HID_i, R_rand2 = R'_rand2 ⊕ HID_i, SID_j = SID'_j ⊕ HID_i. The RC generates a timestamp T_2 and computes K_j = h(SID_j||K_RC),

V. SECURITY ANALYSIS
This section presents the formal and informal security analysis:

A. AUTOMATED FORMAL SECURITY VERIFICATION THROUGH AVISPA
This section demonstrates that the scheme can withstand the man-in-the-middle and replay attacks, as verified through the widely used AVISPA simulation tool [52]. The AVISPA simulation is performed in the following steps:
Step 1: The role-oriented High Level Protocol Specification Language (HLPSL) [52] is used to implement the scheme, which is then translated into the Intermediate Format (IF) through the HLPSL2IF translator.
Step 2: Then the translated IF is given to the back-ends, whose Output Format (OF) shows whether the scheme is secure or not.
The simulation results shown in Figure 4a and Figure 4b exhibit that the proposed scheme meets the design properties and can stand against the man-in-the-middle and replay attacks. In the OFMC back-end, a total of 1480 nodes were examined in 12.76 seconds with a search depth of 12 plies. The CL-AtSe back-end analyzed 3 states; the interpretation and computation times taken by this back-end are 0.40 seconds and 0.00 seconds, respectively.

B. SECURITY DISCUSSION
This subsection provides a brief discussion of the security features provided by the proposed ITSSAKA-MS:

1) USER ANONYMITY
In the proposed ITSSAKA-MS, the user sends Msg_1 = {R_i, SID'_j, R'_rand2, W_i, TPID'_i, T_1}. Out of all the sent parameters, only TPID'_i is related to the user identity, and it is derived from an alias identity stored in the smart card. Using this alias identity or any other parameter sent on the public channel does not help the attacker A to reveal the original identity of the user; even if A steals the smart-card and tries to recover the identity of the patient, he/she needs to know PID_i and PWD_i of the user. Also, the hashed identity is stored in A_i, but to extract it A needs to know the secret key of the RC. In addition, U_i's identity is never shared with the server, nor is it sent openly over the public channel. Hence the scheme provides anonymity.

2) PRIVILEGED INSIDER ATTACK
During the registration process, the identity of U_i is secured by the hash function's one-way property, so an insider cannot guess U_i's identity. Also, no verifier table is stored on the RC, so an insider cannot extract any information. Additionally, if an insider steals the smart-card and tries to extract U_i's password or identity, this is not possible because they are in hashed form. Hence, the said attack is not possible.

3) OFFLINE PASSWORD GUESSING ATTACK
Suppose an adversary A steals the smart-card of a legal user U_i and tries to extract the password from A_i = h(PID_i||PWD_i||σ_i); to be successful, A needs the knowledge of PID_i and σ_i. Therefore, the offline password guessing attack is not conceivable in the proposed scheme.

4) IMPERSONATION ATTACK
An adversary A may try to impersonate a user (U_i) or a server (S_j) in the following ways:

a: USER IMPERSONATION ATTACK
Suppose U_A is a valid but dishonest user who tries to impersonate a legal user U_i. U_A may generate its own random number R^A_rand2 and current timestamp T^A_1. Next, he/she tries to compute the login parameters, among them TPID^A_i = TPID_i ⊕ HID_i, in order to initiate a genuine login request message. However, U_A needs the knowledge of PID_i and K_i to impersonate U_i and form a legal message, so the scheme is secure against the said attack.

b: RESISTS SERVER IMPERSONATION ATTACK
An intruder A may impersonate an authentic server S_j towards U_i. To do this, A generates the timestamp T^A and has to compute SK. To produce a legal message, A should have the knowledge of Y_RC and T_1. Hence, the said attack is not possible.

5) MUTUAL AUTHENTICATION
The RC authenticates the user on validation of three conditions: 1) the freshness of the timestamp, 2) W_i ?= h(HID_i||h(HID_i||K_RC)||T_1), and 3) Auth_i ?= h(K_RC||HID_i||R_rand1). The verification of these three dependent conditions requires the knowledge of K_RC, HID_i and R_rand1. In a similar way, S_j authenticates the RC on validation of two conditions: 1) the freshness of the timestamp, and 2) W_RC ?= h(S^priv_j||T_2); both of these are also dependent on each other and on the knowledge of S^priv_j. Similarly, only a valid and legal S_j can generate Msg_3 = {W_Sj, T_3, TPID_i}, as described in V-B4b. Hence, the entities of the proposed scheme can mutually authenticate each other.
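The following Python is an added illustration, not the authors' code: it models the RC-side and server-side checks listed above (timestamp freshness, W_i, Auth_i and W_RC) as a verifier would implement them. It assumes SHA-256 as h(), byte concatenation for ||, a 5-second freshness window, and that the RC has already recovered HID_i and R_rand1 from Msg_1 (the page does not show that step); all identities and keys are constructed sample values.

```python
import hashlib
import hmac
import os

# Added example, not the authors' implementation. Assumptions not stated on the
# page: h() is SHA-256 over byte concatenation ("||"), timestamps are 32-bit
# seconds, and the RC has already recovered HID_i and R_rand1 from Msg_1.

DELTA = 5  # freshness window in seconds (assumed; the page only says "fresh")


def h(*parts: bytes) -> bytes:
    """One-way hash h(a||b||...) used throughout the scheme."""
    return hashlib.sha256(b"".join(parts)).digest()


def ts(t: int) -> bytes:
    """Encode a timestamp so it can be an operand of h()."""
    return t.to_bytes(4, "big")


def xor_mask(value: bytes, key: bytes) -> bytes:
    """TPID'_i = TPID_i XOR HID_i masking; applying it again unmasks."""
    if len(value) != len(key):
        raise ValueError("value and mask must have equal length")
    return bytes(a ^ b for a, b in zip(value, key))


def fresh(t_sent: int, t_now: int, delta: int = DELTA) -> bool:
    """Timestamp freshness check |T_now - T_sent| <= delta."""
    return abs(t_now - t_sent) <= delta


def user_w_i(hid_i: bytes, k_i: bytes, t1: int) -> bytes:
    """User side: W_i = h(HID_i || K_i || T_1), K_i = h(HID_i || K_RC) from registration."""
    return h(hid_i, k_i, ts(t1))


def rc_w_rc(k_rc: bytes, sid_j: bytes, t2: int) -> bytes:
    """RC side: W_RC = h(S^priv_j || T_2) with S^priv_j = h(SID_j || K_RC)."""
    return h(h(sid_j, k_rc), ts(t2))


def rc_verify_msg1(k_rc, hid_i, r_rand1, t1, w_i, auth_i, t_now) -> bool:
    """RC accepts Msg_1 only if T_1 is fresh and both W_i and Auth_i match.
    Both digests are compared in constant time and both comparisons always
    run, so a rejection does not reveal which condition failed."""
    if not fresh(t1, t_now):
        return False
    k_i = h(hid_i, k_rc)
    w_ok = hmac.compare_digest(h(hid_i, k_i, ts(t1)), w_i)
    auth_ok = hmac.compare_digest(h(k_rc, hid_i, r_rand1), auth_i)
    return w_ok and auth_ok


def server_verify_msg2(s_priv_j, t2, w_rc, t_now) -> bool:
    """S_j accepts Msg_2 only if T_2 is fresh and W_RC = h(S^priv_j || T_2)."""
    return fresh(t2, t_now) and hmac.compare_digest(h(s_priv_j, ts(t2)), w_rc)


def demo() -> dict:
    """Constructed run: genuine login, replay outside the window, forged W_i."""
    k_rc = os.urandom(32)                  # RC master key K_RC
    hid_i = h(b"patient-0001")             # HID_i = h(PID_i), constructed PID_i
    sid_j = b"medical-server-07"           # constructed SID_j
    r_rand1 = os.urandom(16)
    k_i = h(hid_i, k_rc)                   # K_i handed to the user at registration
    auth_i = h(k_rc, hid_i, r_rand1)       # Auth_i as checked by the RC
    t1 = 1_700_000_000
    w_i = user_w_i(hid_i, k_i, t1)
    w_rc = rc_w_rc(k_rc, sid_j, t1 + 1)
    tpid_i = os.urandom(32)                # alias identity held on the card
    tpid_masked = xor_mask(tpid_i, hid_i)  # TPID'_i as sent in Msg_1
    return {
        "legit": rc_verify_msg1(k_rc, hid_i, r_rand1, t1, w_i, auth_i, t1 + 2),
        "replayed": rc_verify_msg1(k_rc, hid_i, r_rand1, t1, w_i, auth_i, t1 + 60),
        "forged_w": rc_verify_msg1(k_rc, hid_i, r_rand1, t1, os.urandom(32), auth_i, t1 + 2),
        "server_ok": server_verify_msg2(h(sid_j, k_rc), t1 + 1, w_rc, t1 + 3),
        "unmask_ok": xor_mask(tpid_masked, hid_i) == tpid_i,
    }
```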

6) REPLAY ATTACK
A random nonce and a timestamp are generated in each session to stop replay attacks in our scheme. If an intruder A intercepts the messages Msg_1, Msg_2, Msg_3 during the login and authentication phase and tries to replay them, the attacker's presence can be detected by checking the freshness of the timestamp. Also, the timestamp is hashed with other parameters, making it hard for A to replay an old message.

7) MAN-IN-THE-MIDDLE ATTACK
Assume an intruder A captures the message Msg_1 = {R_i, SID'_j, R'_rand2, W_i, TPID'_i, T_1} and generates its own login message Msg_1; to do this, A needs to know HID_i, R_rand2 and K_i. In the same way, A needs to know Y_RC and T_1 to generate the message Msg_3, so the said attack cannot be employed against the proposed scheme.

8) STOLEN SMART-CARD ATTACK
Assume an attacker A steals the smart-card of a legal user U_i and tries to extract his/her PWD_i or PID_i. However, because of the hash function's one-way property these parameters cannot be guessed; also, A needs to know σ_i to correctly guess PWD_i. Hence the scheme is secure against the stolen smart-card attack.

VI. PERFORMANCE ANALYSIS
This section evaluates the proposed scheme with regard to computation cost, communication cost and the provision of security features, against other multi-server authentication schemes.

A. FUNCTIONALITY COMPARISON
Table 2 depicts the merits and demerits of the proposed scheme compared to the related schemes [5], [7], [53], [54]. The different schemes lack various security features. In contrast, our scheme fulfills all the necessary security requirements and is secure against various attacks in the multi-server environment.

B. COMPUTATION COST ANALYSIS
For the computation cost comparison, the timings of the different operations [55] are given in Table 3. Table 4 shows that, though the cost of the proposed scheme is slightly higher than that of [5], [7], [54] and the same as [53], the proposed scheme is robust and more secure than the other schemes.

C. COMMUNICATION COST ANALYSIS
Table 5 shows the communication costs of the different schemes in the multi-server environment. We assumed that the hash digest (SHA-1), user identity, elliptic curve cryptography based point (x_p, y_p), arbitrary number and timestamp require 160 bits, 160 bits, 320 bits, 160 bits, and 32 bits, respectively. The proposed scheme bears an average communication cost of 2144 bits, which is slightly greater than that of the other related and compared schemes [5], [7], [53], [54], but it comes up with more security features as compared to the other related schemes.

VII. CONCLUSION
In this paper, we have critically analyzed some shortcomings, including vulnerabilities against user impersonation and secret key reveal, lack of anonymity and design flaws, of the scheme of Barman et al., proposed specifically for multi-server environments and usable in telecare medical information systems. In contrast, our study presents an improved three-factor symmetric-key based secure authenticated key agreement scheme for multi-server environments (ITSSAKA-MS). The security of ITSSAKA-MS is proved formally through the automated tool AVISPA. Moreover, the security discussion argued the robustness of ITSSAKA-MS against the known attacks. The performance analysis is presented keeping the communication and computation costs as metrics. ITSSAKA-MS incurs slightly additional computation and communication costs, mainly to provide better security as compared to the recent schemes.

RANA SHEHZAD ASHRAF CHAUDHRY received the master's and Ph.D. degrees (Hons.) from International Islamic University Islamabad, Pakistan, in 2009 and 2016, respectively. He is currently working as an Associate Professor with the Department of Computer Engineering, Faculty of Engineering and Architecture, Istanbul Gelisim University, Istanbul, Turkey. He has also supervised over 35 graduate students in their research. He has authored over 100 scientific publications that have appeared in different international journals and proceedings, including 72 in SCI/E journals. With an H-index of 23 and an I-10 index of 43, his work has been cited over 1650 times. His current research interests include lightweight cryptography, elliptic/hyper elliptic curve cryptography, multimedia security, e-payment systems, MANETs, SIP authentication, smart grid security, IP multimedia subsystems, and next generation networks. He occasionally writes on issues of higher education in Pakistan. He has served as a TPC member of various international conferences.
He was a recipient of the Gold Medal for achieving a 4.0/4.0 CGPA in his master's degree, and the Pakistan Council for Science and Technology granted him the prestigious Research Productivity Award, affirming him among the top productive computer scientists in Pakistan. He is an active reviewer of many ISI indexed journals.