A secure and efficient ECC-based user anonymity preserving single sign-on scheme for distributed computer networks

Journal

SECURITY AND COMMUNICATION NETWORKS
Volume 8, Issue 9, Pages 1732-1751

Publisher

WILEY-HINDAWI
DOI: 10.1002/sec.1139

Keywords

distributed computer networks; mutual authentication; user anonymity; uniqueness; key establishment; security; SSO; ECC; AVISPA

User authentication in distributed computer networks (DCNs) plays a crucial role in verifying whether a user is a legal user and can therefore be granted access to the requested services. In recent years, several RSA-based single sign-on mechanisms have been proposed for DCNs. However, most of them cannot preserve user anonymity when possible attacks occur. User devices are usually battery limited (e.g., cellular phones), and the elliptic-curve cryptosystem is much more efficient than the RSA cryptosystem for battery-limited devices. In this paper, we aim to propose a new secure elliptic-curve cryptosystem-based single sign-on mechanism for user authentication and key establishment for secure communications in DCNs using a biometric-based smart card. In our scheme, a user only needs to remember a private password and his or her selected unique identity to authenticate and agree on a high-entropy cryptographic one-time session key with a provider to communicate over untrusted public networks. Through formal and informal security analysis, we show that our scheme prevents other known possible attacks. In addition, we perform simulation on our scheme for formal security verification using the widely accepted Automated Validation of Internet Security Protocols and Applications tool. The simulation results ensure that our scheme is secure against replay and man-in-the-middle attacks. Furthermore, our scheme provides high security along with lower computational cost and communication cost, and as a result, our scheme is much more suitable for battery-limited devices as compared to other related RSA-based schemes. Copyright (c) 2014 John Wiley & Sons, Ltd.
