An efficient ECC-based privacy-preserving client authentication protocol with key agreement using smart card

The authentication protocols are trusted components in a communication system in order to protect sensitive information against a malicious adversary in the client-server environment by means of providing a variety of services including users' privacy and authentication. In the cryptographic protocols, understanding the security failures is the key for both patching to the existing protocols and designing the future protocols. Recently, in 2014, Wang proposed an improved Elliptic Curve Cryptography (ECC) based anonymous remote authentication scheme using smart card and claimed that the proposed scheme is secure against password guessing attack, smart card lost/stolen verifier attack, and also preserves user anonymity and prevents credential leakage. However, in this paper, we show that Wang's scheme fails to preserve the user anonymity and does not prevent the off-line password guessing attack, credential leakage and smart card lost/stolen verifier attack. In order to withstand those security pitfalls found in Wang's scheme, we aim to propose a new secure privacy-preserving ECC-based client authentication with key agreement protocol using smart card. Through the formal and informal security analysis we show that our scheme is secure against possible known attacks including the off-line password guessing attack, credential leakage attack and smart card lost/stolen verifier attack. Our scheme also preserves the user anonymity property. In addition, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks. Our scheme provides high security along with low computational and communication costs. As a result, our scheme is practically suitable for mobile devices in the client-server environment as compared to other related schemes in the literature. (C) 2015 Elsevier Ltd. All rights reserved.