
Cryptanalysis and improvement of a biometrics-based authentication and key agreement scheme for multi-server environments

  • Li Yang ,

    Roles Conceptualization, Data curation, Formal analysis, Funding acquisition, Investigation, Methodology, Project administration, Resources, Software, Supervision, Validation, Visualization, Writing – original draft, Writing – review & editing

    yangli73@buaa.edu.cn (LY); zzheng@pku.edu.cn (ZMZ)

    Affiliations Key Laboratory of Mathematics, Informatics and Behavioral Semantics, Ministry of Education, Beihang University, Beijing, China, School of Mathematics and Systems Science, Beihang University, Beijing 100191, China

  • Zhiming Zheng

    Roles Conceptualization, Data curation, Investigation, Validation, Visualization, Writing – review & editing

    yangli73@buaa.edu.cn (LY); zzheng@pku.edu.cn (ZMZ)

    Affiliations Key Laboratory of Mathematics, Informatics and Behavioral Semantics, Ministry of Education, Beihang University, Beijing, China, School of Mathematics and Systems Science, Beihang University, Beijing 100191, China


Abstract

With the advancements in wireless technologies, the study of biometrics-based multi-server authenticated key agreement schemes has acquired a lot of momentum. Recently, Wang et al. presented a three-factor authentication protocol with key agreement and claimed that their scheme was resistant to several prominent attacks. Unfortunately, this paper shows that their protocol is still vulnerable to the user impersonation attack, the privileged insider attack and the server spoofing attack. Furthermore, their protocol cannot provide perfect forward secrecy. As a remedy for these problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Compared with various related schemes, our protocol achieves stronger security and provides more functionality properties. Besides, the proposed protocol shows satisfactory performance in respect of storage requirement, communication overhead and computational cost. Thus, our protocol is suitable for expert systems and other multi-server architectures. Consequently, the proposed protocol is more appropriate for distributed networks.

Introduction

Tremendous advancements in wireless technologies enhance the quality of on-line services in distributed networks. They let plenty of web users enjoy a variety of helpful on-line services in many aspects of life, for example, on-line work, on-line medicine, on-line shopping and so on [1, 2]. However, a significant problem remains, namely, how to let web users enjoy so many on-line services while ensuring the confidentiality of their sensitive data over an insecure channel. Thus, data protection becomes more and more important for every communication participant in distributed networks. As a remedy, authenticated key establishment protocols are applied to safeguard the information and defy the threats; they help web users submit their credentials and subsequently acquire various on-line services from a number of remote network servers [3, 4]. Specifically, mutual authentication, which makes network servers check the legality of web users and vice versa, minimizes the risk of internet fraud. As a next step, key agreement helps communication participants establish a common session key to secure their subsequent communication in open networks [5].

Over the past four decades, three kinds of typical factors have been used to design authenticated key establishment protocols, that is, the knowledge factor (password), the possession factor (smart card) and the inherence factor (biometric information), respectively [6–9]. In the last few years, Khan [10] presented two biometric-based authentication schemes which possessed self-authentication and deniability, respectively. In 2013, Kumari and Khan [11] put forward an improved smart card-based authentication protocol with user anonymity for remote users. In recent years, Farash et al. [12] proposed a lightweight authentication scheme which was applied to consumer roaming. Over the last two years, Kumari et al. [13] presented a smart card-based authentication protocol for the session initiation service.

More specifically, Lamport [7] put forward the first authentication scheme in 1981; it was based on passwords and was unable to provide key agreement. However, his protocol maintained password-verification tables, which made the stolen verification table attack feasible. Afterwards, a sequence of improved password-based authentication and key establishment schemes was presented [14–16]. There are some common shortcomings in authenticated key exchange protocols which only adopt the password, such as weak passwords, dictionary attacks, stolen verification table attacks and so on. Thus, it is necessary to add the possession factor to design a novel kind of authenticated key agreement scheme, which makes them more robust [17–19].

Later on, two-factor authentication and key establishment protocols which apply both a password and a smart card have been deployed widely in distributed networks. In order to log in to the expected remote network servers, web users need to insert their smart card into a smart card reader and enter their password. In 1991, Chang et al. [20] presented a password-based authentication scheme with smart cards. Since then, a series of cryptanalyses and improvements has been put forward [21–25]. However, it is practicable to acquire some of the data stored in a smart card through side channel attacks [26]. Therefore, a lost or stolen smart card makes authenticated key agreement protocols vulnerable [27–30].

In order to solve these problems, biometric information (e.g. facial expressions, retina and fingerprints and so on) has been added as an inherence factor to propose a variety of three-factor authenticated key establishment protocols. Different from the knowledge factor and the possession factor, biometric information, which is unique to each person, further enhances the security of sensitive data [31, 32]. Besides, it is exceedingly difficult for an adversary to forge the biometrics of web users. Also, it does not require web users to remember their biometric information, which is hard to forget or lose. Thus, biometric information is combined with both the password and the smart card mentioned above, giving rise to a battery of three-factor authenticated key agreement schemes [33–38]. In practice, the biometric data imprinted by web users are not identical each time, so that directly adopting them usually results in a low success rate for valid web users [39]. To address this problem, the biometrics-based fuzzy extractor, which is convenient to implement on a smart card, is introduced to reduce the failure rate [40]. Besides, the Bio-Hash code, namely a user-specific code, is another way to accommodate this problem [41].

Furthermore, earlier authentication and key establishment protocols were only applied to single-server environments and did not consider the applicability to multi-server environments. Specifically, it is inefficient for single-server authentication schemes to be directly adopted in multi-server environments. With the rapid growth in the number of different network servers, web users not only have to register with and log in to each individual server repeatedly, but also have to maintain massive numbers of credentials, that is, identities and passwords. In 2001, Li et al. [42] put forward the first multi-server authenticated protocol, which coped with the problem mentioned above. In particular, Li et al. [42] efficiently applied a registration center to achieve single registration in multi-server architectures. During the past two decades, a large number of multi-server authentication schemes have been presented, in which some protocols adopt two factors [43–46] and others are based on three factors [47–56].

The multi-server authentication mechanism requires higher security. Since legal users adopt the same credentials to log in to a variety of individual network servers, it is practical for adversaries to make many protocols vulnerable to the user impersonation attack, the privileged insider attack and the server spoofing attack by tracing web users [47, 57, 58]. As typical multi-server architectures, expert systems, which benefit from the decision-making capability of human experts, have a great many applications, for example, security auditing and network management. Particularly, Tsudik and Summers [59] introduced a security auditing expert system called AudES which automated a great deal of manual security auditing procedures in order to alleviate the burden on human auditors. For network management expert systems, Hariri and Jabbour [60] designed a generalized architecture to manage plenty of resources in a distributed computer network. Recently, Mishra et al. [50] put forward an anonymous three-factor multi-server authenticated scheme with key agreement for expert systems, which was adopted to secure the communications between web user and network server. They declared that their protocol provided high security. However, Wang et al. [61] indicated that Mishra et al.’s scheme was vulnerable to several common attacks and presented an improved protocol to enhance the security. Unfortunately, due to the cryptanalysis described below, we claim that Wang et al.’s scheme is still vulnerable to the user impersonation attack, the privileged insider attack and the server spoofing attack. Besides, their scheme fails to provide perfect forward secrecy.

As a remedy for these problems, we propose a biometric-based authentication and key agreement protocol for multi-server architectures in order to ensure the confidentiality of sensitive data while a web user enjoys decision-making services, such as security auditing and network management in expert systems. When a web user wants to log in to a network server to acquire these services, our protocol is performed between the web user and the network server. Concretely, the web user submits his login request message to the network server. Next, the network server tries to authenticate the web user with the message received from the web user and the information saved beforehand during the registration phase. The network server also issues its authentication request message to the web user. Then, the web user tries to authenticate the network server in a similar way and delivers his authentication reply to the network server. Finally, the web user and the network server apply our protocol to achieve mutual authentication and key agreement. Compared with other related schemes, our protocol achieves stronger security and provides more functionality properties. Besides, the presented protocol requires lower computational cost and shows a satisfactory performance on communication overhead with the same level of storage requirement. Thus, the proposed protocol is suitable for expert systems and other multi-server architectures, such as on-line medicine systems, on-line shopping systems and so on. Above all, our protocol is more appropriate for distributed networks.

The remainder of this paper is organized in seven sections as follows. The next section introduces the collision-resistant hash function, the threat assumptions and the biometrics-based fuzzy extractor, respectively. Section 3 reviews Wang et al.’s scheme. Section 4 discusses some weaknesses of Wang et al.’s scheme. Section 5 describes the proposed biometrics-based authenticated key agreement protocol in detail. Section 6 then provides the security analysis, functionality analysis and efficiency analysis of our protocol, and compares our protocol with others in these respects. The last section gives the conclusion.

Preliminaries

In this section, we briefly describe some concepts relating to the collision-resistant hash function, the threat assumptions and the biometrics-based fuzzy extractor, as follows.

Collision-resistant hash function

Given a binary string of arbitrary length, a collision-resistant hash function outputs a binary string of fixed length, that is, h : {0, 1}* → {0, 1}^n [62]. Furthermore, retrieving the arbitrary-length input from a given output is computationally infeasible. The collision-resistance property is explained as follows: for a given input x, it is computationally infeasible to find any input y ≠ x such that h(x) = h(y).

Threat assumptions

In this subsection, we introduce some common threat assumptions, which include the Dolev-Yao threat model [63] and the risk of side-channel attacks [27]. More details about these threat assumptions are described below.

1. Adversary E might be a malicious user or an outside hacker.

2. Adversary E has an ability to eavesdrop all communication messages between participants via an open channel.

3. Adversary E can modify, delete, resend and reroute all eavesdropped messages.

4. Adversary E is able to extract all stored data from a lost or stolen smart card by examining the power consumption.

Biometrics-based fuzzy extractor

We briefly introduce the mechanism of the biometrics-based fuzzy extractor in this subsection. A biometrics-based fuzzy extractor, which converts the biometric information into two usable and unpredictable values, consists of two procedures, namely Gen and Rep [40]. More specifically, details of this mechanism are illustrated in Fig 1. Based on the biometric information BIO, the procedure Gen, which is a probabilistic generation function, outputs an unpredictable binary string R ∈ {0, 1}^l and an auxiliary binary string P ∈ {0, 1}*. With the help of this auxiliary string P and another biometric reading BIO*, the procedure Rep, which is a deterministic reproduction function, recovers the corresponding unpredictable binary string R. When Gen(BIO) → 〈R, P〉 and dis(BIO, BIO*) ≤ t hold, then we have Rep(BIO*, P) → R. Otherwise, no output is provided by the procedure Rep. Furthermore, this error tolerance makes recovering the corresponding unpredictable binary string R more robust, as long as the biometric reading BIO* remains reasonably close to the initial biometrics BIO.

Since biometric features vary slightly at every imprint, another way to extract the biometric features is to apply Bio-Hash codes. In recent times, many Bio-Hashing authentication schemes with key agreement have been presented [41, 64, 65]. Similarly, Bio-Hashing is also a convenient technique, which is usable in many small devices.

Review of Wang et al.’s scheme

In this section, we review Wang et al.’s biometrics-based authentication and key agreement scheme for multi-server environments, which is described in Ref. [61]. Their scheme includes six phases, namely the server registration phase, user registration phase, login phase, authentication phase, password change phase and user revocation/re-registration phase. There are three participants in their scheme, that is, the registration center RC, the server Sj and the user Ui. Suppose that the registration center RC is a trusted third party. In Wang et al.’s scheme, the registration center RC is responsible for user registration and server registration. For convenience, the symbols and corresponding notions applied in their scheme are shown in Table 1.

Server registration phase

1. Server Sj submits a join request message to registration center RC, which helps server Sj become an authorized server in the expert system.

2. Upon receiving this join request message, registration center RC sends a pre-shared key PSK to server Sj over a secure channel.

User registration phase

1. Firstly, user Ui imprints his personal biometric information BIOi at a sensor. Then sensor sketches BIOi to extract an unpredictable binary string Ri and an auxiliary binary string Pi from Gen(BIOi) → (Ri, Pi). After that, sensor stores this corresponding auxiliary string Pi in the memory. Next, user Ui enters his identity IDi and password PWi, and calculates RPWi = h(PWi||Ri). Finally, user Ui issues his registration request message {IDi, RPWi} to registration center RC through a secure channel.

2. Upon obtaining this registration request message, registration center RC adds a novel entry 〈IDi, Ni = 1〉 to an internal database for user Ui, in which Ni stands for the number of times the user has registered. And then registration center RC successively calculates Ai = h(IDi||x||Tr), Bi = RPWi ⊕ h(Ai), Ci = Bi ⊕ h(PSK), Di = PSK ⊕ Ai ⊕ h(PSK) and Vi = h(IDi||RPWi), where Tr is the registration time.

3. Registration center RC sends user Ui a smart card SCi which contains {Bi, Ci, Di, Vi} via a secure channel.

4. After receiving his smart card SCi, user Ui stores his auxiliary string Pi mentioned above into his smart card SCi.

Login phase

1. User Ui inserts his smart card SCi into the smart card reader. Then he inputs his identity IDi and password PWi. Next, user Ui imprints his biometric information at a sensor. After that, sensor sketches user Ui’s biometric information and recovers the unpredictable binary string Ri from .

2. Smart card SCi computes RPWi = h(PWi||Ri) and checks whether h(IDi||RPWi) = Vi is valid. If it is valid, smart card SCi further computes h(PSK) = Bi ⊕ Ci.

3. Smart card SCi generates a random number N1 to calculate AIDi = IDi ⊕ h(N1), M1 = RPWi ⊕ N1 ⊕ h(PSK) and M2 = h(AIDi||N1||RPWi||SIDj||Ti), in which Ti is an additional timestamp.

4. Smart card SCi delivers user Ui’s login request message {AIDi, M1, M2, Bi, Di, Ti} to server Sj over an open channel.

Authentication phase

1. Upon receiving user Ui’s login request message, server Sj verifies whether |Ti − Tj| ≤ ΔT holds, in which ΔT is a suitable time interval and Tj is the time when server Sj obtains user Ui’s login request message. If this verification holds, server Sj continues to execute his next step. Otherwise, user Ui’s login request is rejected by server Sj.

2. Server Sj retrieves Ai = Di ⊕ PSK ⊕ h(PSK), RPWi = Bi ⊕ h(Ai) and N1 = RPWi ⊕ M1 ⊕ h(PSK) in order to check whether h(AIDi||N1||RPWi||SIDj||Ti) is consistent with M2.

3. If it holds, server Sj generates a random number N2 to calculate their session secret key SKij = h(AIDi||SIDj||N1||N2).

4. Server Sj computes M3 = N2 ⊕ h(AIDi||N1) ⊕ h(PSK) and M4 = h(SIDj||N2||AIDi) in order to send his authentication request message {SIDj, M3, M4} to user Ui through an open channel.

5. After receiving server Sj’s authentication request message, smart card SCi retrieves N2 = M3 ⊕ h(AIDi||N1) ⊕ h(PSK) and SKij = h(AIDi||SIDj||N1||N2) to verify whether h(SIDj||N2||AIDi) = M4 holds. If it holds, smart card SCi calculates M5 = h(SKij||N1||N2) in order to submit user Ui’s authentication reply {M5} to server Sj over an open channel.

6. Server Sj checks whether h(SKij||N1||N2) = M5 is valid. If this verification is valid, server Sj further applies this session key SKij to communicate with user Ui in the following communication. Otherwise, authentication phase is rejected by server Sj.

Password change phase

1. User Ui enters his identity IDi and password PWi, and imprints his biometric information at a sensor. After that, sensor sketches user Ui’s biometric information and recovers the unpredictable binary string Ri from .

2. Smart card SCi computes RPWi = h(PWi||Ri) and verifies whether h(IDi||RPWi) = Vi is valid. If this verification is valid, smart card SCi asks user Ui for a new password. Otherwise, password change phase is terminated immediately by smart card SCi.

3. User Ui enters his new password and smart card SCi further calculates , , and .

4. In the memory, smart card SCi respectively replaces Bi with , Ci with and Vi with .

User revocation/re-registration phase

1. When user Ui wants to revoke his privilege, he submits a revocation request message, his smart card SCi and verification message {RPWi} to registration center RC via a secure channel. Registration center RC checks whether user Ui is valid. If user Ui is valid, registration center RC further modifies a corresponding entry by setting 〈IDi, Ni = 0〉.

2. Similarly, after receiving a re-registration request message through a secure channel, registration center RC performs these steps mentioned in the subsection 3.2 and replaces 〈IDi, Ni = Ni + 1〉 with 〈IDi, Ni〉 to help user Ui re-register.

Cryptanalysis of Wang et al.’s scheme

In this section, we present a cryptanalysis of Wang et al.’s scheme. In particular, the results demonstrate that their protocol is still vulnerable to the user impersonation attack, the privileged insider attack and the server spoofing attack. Furthermore, their scheme fails to achieve perfect forward secrecy. More details of these problems are given in the following subsections.

User impersonation attack

Suppose that adversary E is an outside hacker who steals user Ui’s smart card SCi and eavesdrops on all communications between user Ui and server Sj. Specifically, adversary E has the ability to extract the stored data {Bi, Ci, Di, Vi, Pi} from user Ui’s smart card SCi by side-channel attacks. He is also able to collect user Ui’s login request message {AIDi, M1, M2, Bi, Di, Ti}. Thus Wang et al.’s scheme is vulnerable to the user impersonation attack. More specifically, adversary E can impersonate a legal user so that he is authenticated by server Sj. More details are explained below.

1. Firstly, adversary E computes h(PSK) = Bi ⊕ Ci. Then he generates a random number and further calculates , , and , in which is a current timestamp. Finally, adversary E delivers his login request message to server Sj over an open channel.

2. When obtaining this login request message from adversary E, server Sj verifies whether holds, where is the time when server Sj receives adversary E’s login request message. Thus adversary E passes server Sj’s verification successfully and server Sj continues to execute the subsequent steps normally.

3. Server Sj retrieves , and to check whether holds. Next server Sj generates a random number and further calculate , and . Lastly, server Sj sends his authentication request message to adversary E through an open channel as usual.

4. Upon receiving server Sj’s authentication request message, adversary E retrieves and in order to calculate and submit his authentication reply to server Sj.

5. Server Sj checks whether is valid.

Thus server Sj authenticates adversary E and they both apply the session key in the following communication. Unfortunately, server Sj mistakenly believes that he communicates with user Ui. Therefore Wang et al.’s scheme becomes vulnerable to the user impersonation attack.

Privileged insider attack

As shown in this subsection, adversary E, who is a privileged insider, can impersonate user Ui if he steals user Ui’s smart card SCi and eavesdrops on all communications between user Ui and registration center RC. Similarly, adversary E is able to acquire the data {Bi, Ci, Di, Vi, Pi} from smart card SCi, and he is able to collect user Ui’s registration request message {IDi, RPWi}. So Wang et al.’s scheme is also vulnerable to the privileged insider attack. More details are described as follows.

1. Firstly, adversary E computes h(PSK) = Bi ⊕ Ci and generates a random number N1E. Then he calculates AIDiE = IDi ⊕ h(N1E), M1E = RPWi ⊕ N1E ⊕ h(PSK) and M2E = h(AIDiE||N1E||RPWi||SIDj||TiE), where TiE is a current timestamp. Lastly, adversary E issues his login request message {AIDiE, M1E, M2E, Bi, Di, TiE} to server Sj over an open channel.

2. After acquiring this login request message, server Sj verifies whether |TiE − TjE| ≤ ΔT holds, where TjE is the time when server Sj acquires adversary E’s login request message. Unfortunately, adversary E’s message passes this verification.

3. Server Sj retrieves Ai = Di ⊕ PSK ⊕ h(PSK), RPWi = Bi ⊕ h(Ai) and N1E = RPWi ⊕ M1E ⊕ h(PSK) in order to verify whether h(AIDiE||N1E||RPWi||SIDj||TiE) is consistent with M2E. Then server Sj generates a random number N2E and further calculates SKijE = h(AIDiE||SIDj||N1E||N2E), M3E = N2E ⊕ h(AIDiE||N1E) ⊕ h(PSK) and M4E = h(SIDj||N2E||AIDiE). Finally, server Sj submits his authentication request message {SIDj, M3E, M4E} to adversary E via an open channel without any suspicion.

4. When receiving server Sj’s authentication request message, adversary E retrieves N2E = M3E ⊕ h(AIDiE||N1E) ⊕ h(PSK) and SKijE = h(AIDiE||SIDj||N1E||N2E). Then he calculates M5E = h(SKijE||N1E||N2E) and sends his authentication reply {M5E} to server Sj.

5. Server Sj checks whether h(SKijE||N1E||N2E) = M5E holds as usual.

So server Sj applies the session key SKijE to communicate with adversary E, and thereby authenticates adversary E, a privileged insider who impersonates user Ui. Unfortunately, Wang et al.’s scheme is unable to resist the privileged insider attack.

Server spoofing attack

In this subsection, we suppose that adversary E, who is an insider but not another server Sk, has the ability to eavesdrop on user Ui’s registration request message {IDi, RPWi} and to steal user Ui’s smart card SCi. Furthermore, adversary E is able to collect the data {Bi, Ci, Di, Vi, Pi}. Thus adversary E can masquerade as server Sj to cheat user Ui. Therefore Wang et al.’s scheme becomes vulnerable to the server spoofing attack. More details are shown below.

1. Firstly, adversary E calculates h(PSK) = Bi ⊕ Ci and eavesdrops on user Ui’s login request message {AIDi, M1, M2, Bi, Di, Ti}.

2. Secondly, adversary E computes N1 = RPWi ⊕ M1 ⊕ h(PSK) and generates a fresh random number .

3. Next adversary E further computes and .

4. Finally adversary E issues his authentication request message to user Ui over a public channel.

Furthermore, this fake authentication request message is successfully checked. Particularly, adversary E is treated as server Sj by user Ui without any doubt. In conclusion, Wang et al.’s scheme can’t resist the server spoofing attack.

No perfect forward secrecy

In this subsection, we point out that Wang et al.’s scheme does not possess perfect forward secrecy. Suppose that adversary E is a privileged insider who eavesdrops on user Ui’s registration request message {IDi, RPWi} and steals user Ui’s smart card SCi. In particular, adversary E can extract the data Bi, Ci, Di, Vi and Pi from smart card SCi. More details are described as follows.

1. Firstly, adversary E computes h(PSK) = Bi ⊕ Ci and collects user Ui’s login request message {AIDi, M1, M2, Bi, Di, Ti}.

2. Secondly, adversary E calculates N1 = RPWi ⊕ M1 ⊕ h(PSK) and further collects server Sj’s authentication request message .

3. Finally, adversary E computes N2 = M3 ⊕ h(AIDi||N1) ⊕ h(PSK) in order to retrieve SKij = h(AIDi||SIDj||N1||N2).

Since a long-term secret (the stolen card together with the registration message) thus reveals every past session key from recorded transcripts, Wang et al.’s scheme is unable to achieve perfect forward secrecy.
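To check the cryptanalysis above end to end, here is an added Python model (not the authors' code) of Wang et al.'s login and authentication messages, followed by the passive session-key recovery of steps 1 to 3. All keys, identities and nonces are constructed sample values, h() is modelled with SHA-256, and IDi is padded to 32 bytes so that the XORs line up.

```python
import hashlib
import secrets

# Toy model of the login/authentication messages of Wang et al.'s scheme as
# reviewed above, followed by the passive session-key recovery described in the
# "No perfect forward secrecy" subsection. Every key, identity and nonce below
# is a constructed sample value; h() is modelled with SHA-256 and all XORed
# quantities are 32 bytes long so that the XORs line up.

def h(*parts: bytes) -> bytes:
    """Collision-resistant hash h(a||b||...), modelled with SHA-256."""
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def rc_register(id_i, rpw_i, psk, x, t_r):
    """RC side of user registration (step 2): returns the smart card contents."""
    a_i = h(id_i, x, t_r)
    b_i = xor(rpw_i, h(a_i))
    c_i = xor(b_i, h(psk))
    d_i = xor(xor(psk, a_i), h(psk))
    return {"B": b_i, "C": c_i, "D": d_i, "V": h(id_i, rpw_i)}

def user_login(id_i, rpw_i, card, sid_j, t_i):
    """Login phase steps 2-4; returns N1 (kept by the card) and the request."""
    hpsk = xor(card["B"], card["C"])       # step 2: h(PSK) = B_i xor C_i
    n1 = secrets.token_bytes(32)
    aid = xor(id_i, h(n1))
    m1 = xor(xor(rpw_i, n1), hpsk)
    m2 = h(aid, n1, rpw_i, sid_j, t_i)
    return n1, {"AID": aid, "M1": m1, "M2": m2, "B": card["B"], "D": card["D"], "T": t_i}

def server_authenticate(req, psk, sid_j):
    """Authentication phase steps 2-4 (the ΔT freshness check is omitted)."""
    hpsk = h(psk)
    a_i = xor(xor(req["D"], psk), hpsk)
    rpw_i = xor(req["B"], h(a_i))
    n1 = xor(xor(rpw_i, req["M1"]), hpsk)
    if h(req["AID"], n1, rpw_i, sid_j, req["T"]) != req["M2"]:
        raise ValueError("login request rejected")
    n2 = secrets.token_bytes(32)
    sk = h(req["AID"], sid_j, n1, n2)
    m3 = xor(xor(n2, h(req["AID"], n1)), hpsk)
    m4 = h(sid_j, n2, req["AID"])
    return sk, {"SID": sid_j, "M3": m3, "M4": m4}

def passive_key_recovery(card, reg_msg, req, auth):
    """Steps 1-3 of the PFS subsection: card data, the registration message and
    the two eavesdropped messages give SK_ij without any active interaction."""
    hpsk = xor(card["B"], card["C"])
    n1 = xor(xor(reg_msg["RPW"], req["M1"]), hpsk)
    n2 = xor(xor(auth["M3"], h(req["AID"], n1)), hpsk)
    return h(req["AID"], auth["SID"], n1, n2)

def run_demo() -> bool:
    """Returns True when the recovered key equals the server's session key."""
    id_i = h(b"constructed-user-id")           # ID_i padded to 32 bytes via h()
    r_i = h(b"constructed-fuzzy-extractor-R")  # stands in for Gen(BIO_i) -> R_i
    rpw_i = h(b"constructed-password", r_i)    # RPW_i = h(PW_i || R_i)
    psk, x, t_r = secrets.token_bytes(32), secrets.token_bytes(32), b"T_r"
    sid_j, t_i = b"SID_j", b"T_i"
    card = rc_register(id_i, rpw_i, psk, x, t_r)
    reg_msg = {"ID": id_i, "RPW": rpw_i}       # what the insider saw at registration
    _, req = user_login(id_i, rpw_i, card, sid_j, t_i)
    sk_server, auth = server_authenticate(req, psk, sid_j)
    return passive_key_recovery(card, reg_msg, req, auth) == sk_server
```

The recovery succeeds because h(PSK) is stored on the card as Bi ⊕ Ci and both nonces are only masked by values the insider already holds.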

The proposed scheme

In this section, we propose a novel biometrics-based authentication and key agreement scheme for multi-server environments which is based on the cryptanalysis of Wang et al.’s scheme. Our protocol is built by applying the collision-resistant hash function, the XOR operation and the concatenation operation. The presented scheme consists of six phases, namely the server registration phase, user registration phase, login phase, authentication phase, password change phase and user revocation/re-registration phase. There are three participants in our protocol, that is, the registration center RC, the server Sj and the user Ui. In our protocol, server Sj and user Ui are able to join the network by registering with registration center RC. Besides, mutual authentication is carried out only between server Sj and user Ui, without involving registration center RC. For convenience, the symbols and corresponding notions applied in our scheme are shown in Table 2.

In particular, our proposed scheme enhances Wang et al.’s scheme in these aspects: 1) it resists the user impersonation attack, 2) it prevents the privileged insider attack, 3) it is secure against the server spoofing attack and 4) it provides the perfect forward secrecy. More details are described in these following subsections.

Server registration phase

A new server Sj needs to execute the server registration phase with registration center RC through a secure channel. More specifically, the server registration phase of the proposed scheme is shown in Fig 2 and the details are described below.

1. If it wants to be an authorized server in the multi-server environment, server Sj issues a join request message to registration center RC.

2. When obtaining this join request message, registration center RC authorizes server Sj and replies with a pre-shared key PSK and a master secret key s to server Sj by applying the Internet Key Exchange Protocol (IKEv2) via a secure channel.

3. After receiving the pre-shared key PSK and the master secret key s, authorized server Sj adopts these shared data, such as PSK and h(PSK), to verify user Ui’s legitimacy in the authentication phase.

User registration phase

A new user Ui should perform the user registration phase with registration center RC over a secure channel. In detail, our user registration phase is illustrated in Fig 3 and explained as follows.

1. Firstly, user Ui enters his personal biometric information BIOi at a sensor. And then, sensor sketches user Ui’s biometrics BIOi, extracts (Ri, Pi) from Gen(BIOi) → (Ri, Pi), and stores user Ui’s auxiliary binary string Pi in the memory. Next, user Ui chooses his identity IDi and password PWi, and calculates RPWi = h(Ri||PWi). Finally, user Ui submits his registration request message {IDi, RPWi} to registration center RC through a secure channel.

2. Upon obtaining this registration request message, registration center RC adds a novel entry 〈IDi, Ni = 1〉 to his internal database, in which Ni denotes the times of user registration for user Ui. Then registration center RC selects a random number ui, and calculates Ai = h(IDi||s), Bi = h(PSK) ⊕ ui, Ci = h(PSK||ui) ⊕ IDi and Vi = h(IDi||RPWi).

3. Registration center RC sends user Ui’s smart card SCi which includes {Ai, Bi, Ci, Vi, h(⋅)} via a secure channel.

4. After receiving this smart card SCi, user Ui computes Ei = Bi ⊕ h(Ri) and replaces Bi with Ei. Finally, Ui stores his auxiliary binary string Pi into his smart card SCi, and initializes the login and authentication environments.

Login phase

In the login phase, smart card SCi is able to detect errors immediately by checking user Ui’s identity, password and biometric information. Specifically, the login phase is shown in Fig 4 and the details are described as follows.

1. User Ui inserts his smart card SCi into a smart card reader, enters his identity IDi and password PWi, and imprints his biometrics at a sensor. And then, sensor sketches user Ui’s personal biometric information and recovers Ri from with the assistance of auxiliary binary string Pi.

2. Smart card SCi computes RPWi = h(Ri||PWi) and verifies whether h(IDi||RPWi) = Vi is valid. If it is valid, smart card SCi further computes Ki = h(SIDj||(IDi ⊕ Ci)).

3. Smart card SCi generates a random number N1, and calculates M1 = N1 ⊕ Ki, M2 = IDi ⊕ Ki, M3 = RPWi ⊕ Ki, Bi = Ei ⊕ h(Ri) and Di = h(N1||RPWi||Ai||Ti), in which Ti is an additional timestamp.

4. Smart card SCi submits his login request message {M1, M2, M3, Bi, Di, Ti} to server Sj over an open channel.

Authentication phase

During the authentication phase, server Sj is able to confirm the destination and freshness of the login request message. In more detail, the authentication phase is illustrated in Fig 5 and explained below.

1. After receiving user Ui’s login request message, server Sj checks whether |Ti − Tj| ≤ ΔT holds, in which ΔT is a suitable time interval and Tj is the time when server Sj receives user Ui’s login request message. If it holds, server Sj continues to perform the following steps. Otherwise, this login request is rejected by server Sj.

2. Server Sj retrieves ui = Bi ⊕ h(PSK), Ki = h(SIDj||h(PSK||ui)), N1 = Ki ⊕ M1, IDi = Ki ⊕ M2, RPWi = Ki ⊕ M3 and Ai = h(IDi||s), and verifies whether h(N1||RPWi||Ai||Ti) = Di holds.

3. If this verification holds, server Sj generates another random number N2, and calculates the session key SKij = h(IDi||SIDj||N1||N2) shared between user Ui and server Sj.

4. Server Sj computes M4 = N2 ⊕ h(Ai||RPWi||N1) and M5 = h(SIDj||N1||N2||IDi), and issues the authentication request message {M4, M5} to user Ui through an open channel.

5. Upon obtaining server Sj’s authentication request message, smart card SCi retrieves N2 = h(Ai||RPWi||N1) ⊕ M4 and checks whether h(SIDj||N1||N2||IDi) is consistent with M5. If they are consistent, smart card SCi calculates SKij = h(IDi||SIDj||N1||N2) and M6 = h(SKij||N1||N2). Smart card SCi then delivers the authentication reply {M6} to server Sj over a public channel.

6. Server Sj further verifies whether h(SKij||N1||N2) = M6 holds. If it holds, server Sj adopts the session key SKij for the subsequent communication with user Ui. Otherwise, the authentication is rejected by Sj.
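The registration, login and authentication phases above, as an added example that is not the paper’s own code. It models h(⋅) with SHA-256 rather than the SHA-1 the paper uses for sizing, pads IDi and SIDj to the hash width so the ⊕ operations line up, uses an 8-byte Ti, a ΔT of 60 s, and a constructed Ri in place of the fuzzy extractor output; the dictionary field names and the `delay`/`tamper` hooks are this example’s own.

```python
import hashlib
import os
import struct
import time

HASH_LEN = 32  # SHA-256 output; the paper sizes its fields with 20-byte SHA-1
DELTA_T = 60   # ΔT in seconds: assumed maximum transmission delay

def h(*parts):
    """The scheme's collision-resistant hash h(a||b||...), modelled with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    """Bitwise ⊕; every XOR operand in the scheme is one hash width here."""
    assert len(a) == len(b) == HASH_LEN
    return bytes(x ^ y for x, y in zip(a, b))

def field(value):
    """Pad an identity (IDi, SIDj) to the XOR width (demo assumption)."""
    return value.encode().ljust(HASH_LEN, b"\0")

def register(rc, id_i, pw_i, r_i, p_i):
    """Registration phase: Ui sends {IDi, RPWi}; RC returns the card contents."""
    rpw_i = h(r_i, pw_i)                       # RPWi = h(Ri||PWi)
    rc["users"][id_i] = 1                      # entry <IDi, Ni = 1>
    u_i = os.urandom(HASH_LEN)
    a_i = h(id_i, rc["s"])                     # Ai = h(IDi||s)
    b_i = xor(h(rc["PSK"]), u_i)               # Bi = h(PSK) ⊕ ui
    c_i = xor(h(rc["PSK"], u_i), id_i)         # Ci = h(PSK||ui) ⊕ IDi
    v_i = h(id_i, rpw_i)                       # Vi = h(IDi||RPWi)
    e_i = xor(b_i, h(r_i))                     # Ui stores Ei = Bi ⊕ h(Ri), not Bi
    return {"Ai": a_i, "Ci": c_i, "Ei": e_i, "Vi": v_i, "Pi": p_i}

def login(card, id_i, pw_i, r_i, sid_j, now):
    """Login phase on SCi; raises ValueError when PWi or Ri is wrong."""
    rpw_i = h(r_i, pw_i)
    if h(id_i, rpw_i) != card["Vi"]:           # local check against Vi
        raise ValueError("login: Vi mismatch")
    k_i = h(sid_j, xor(id_i, card["Ci"]))      # Ki = h(SIDj||(IDi ⊕ Ci))
    n1 = os.urandom(HASH_LEN)
    t_i = struct.pack(">Q", now)               # Ti as an 8-byte timestamp
    req = {"M1": xor(n1, k_i), "M2": xor(id_i, k_i), "M3": xor(rpw_i, k_i),
           "Bi": xor(card["Ei"], h(r_i)), "Di": h(n1, rpw_i, card["Ai"], t_i),
           "Ti": t_i}
    return req, {"N1": n1, "RPWi": rpw_i, "Ai": card["Ai"], "IDi": id_i}

def server_authenticate(server, req, now):
    """Authentication steps 1-4 at Sj; returns ({M4, M5}, state) or raises."""
    t_i = struct.unpack(">Q", req["Ti"])[0]
    if not 0 <= now - t_i <= DELTA_T:          # Tj − Ti ≤ ΔT rejects replays
        raise ValueError("server: stale timestamp")
    u_i = xor(req["Bi"], h(server["PSK"]))     # ui = Bi ⊕ h(PSK)
    k_i = h(server["SIDj"], h(server["PSK"], u_i))
    n1, id_i, rpw_i = (xor(k_i, req[m]) for m in ("M1", "M2", "M3"))
    a_i = h(id_i, server["s"])
    if h(n1, rpw_i, a_i, req["Ti"]) != req["Di"]:   # Di check
        raise ValueError("server: Di mismatch")
    n2 = os.urandom(HASH_LEN)
    sk = h(id_i, server["SIDj"], n1, n2)       # SKij = h(IDi||SIDj||N1||N2)
    reply = {"M4": xor(n2, h(a_i, rpw_i, n1)),
             "M5": h(server["SIDj"], n1, n2, id_i)}
    return reply, {"SK": sk, "N1": n1, "N2": n2}

def card_finish(state, reply, sid_j):
    """Authentication step 5 at SCi; returns (M6, SKij) or raises."""
    n2 = xor(h(state["Ai"], state["RPWi"], state["N1"]), reply["M4"])
    if h(sid_j, state["N1"], n2, state["IDi"]) != reply["M5"]:
        raise ValueError("card: M5 mismatch")
    sk = h(state["IDi"], sid_j, state["N1"], n2)
    return h(sk, state["N1"], n2), sk          # M6 = h(SKij||N1||N2)

def server_finish(state, m6):
    """Authentication step 6 at Sj; returns SKij or raises."""
    if h(state["SK"], state["N1"], state["N2"]) != m6:
        raise ValueError("server: M6 mismatch")
    return state["SK"]

def run_session(card, id_i, pw_i, r_i, server, now=None, delay=0, tamper=None):
    """One full Ui <-> Sj exchange; returns (SKij at Ui, SKij at Sj), or None when
    any check fails. `delay` is Sj's clock offset; `tamper` edits the request."""
    now = int(time.time()) if now is None else now
    try:
        req, u_state = login(card, id_i, pw_i, r_i, server["SIDj"], now)
        req = tamper(req) if tamper else req
        reply, s_state = server_authenticate(server, req, now + delay)
        m6, sk_user = card_finish(u_state, reply, server["SIDj"])
        return sk_user, server_finish(s_state, m6)
    except ValueError:
        return None

def make_parties():
    """Constructed RC, server Sj and user material for the demo (not real data)."""
    rc = {"s": os.urandom(HASH_LEN), "PSK": os.urandom(HASH_LEN), "users": {}}
    server = {"SIDj": field("server-1"), "s": rc["s"], "PSK": rc["PSK"]}
    r_i = h(b"constructed stand-in for the fuzzy-extractor output Ri")
    card = register(rc, field("alice"), b"correct horse", r_i, b"Pi-helper")
    return server, card, r_i
```

A stale Ti, a bit flipped in M1 in transit, a wrong password, or a server that does not hold PSK each make `run_session` return None, which is the behaviour the replay, modification, password-guessing and server-spoofing discussions below rely on.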

Password change phase

In the password change phase, user Ui is able to update his password without any help from server Sj or registration center RC. More specifically, the password change phase consists of the following steps.

1. User Ui inputs his identity IDi and password PWi, and imprints his biometrics at a sensor. The sensor then sketches user Ui’s personal biometric information and recovers Ri from the captured biometrics with the assistance of the auxiliary binary string Pi.

2. Smart card SCi computes RPWi = h(Ri||PWi) and verifies whether h(IDi||RPWi) = Vi is valid. If this verification holds, smart card SCi asks user Ui for a new password. Otherwise, smart card SCi terminates the password change phase immediately.

3. User Ui enters his new password , and smart card SCi further calculates and .

4. Smart card SCi replaces Vi with without any help from server Sj or registration center RC in the memory.

User revocation/re-registration phase

If his smart card SCi is stolen or lost, the user revocation/re-registration phase lets user Ui revoke his privilege or re-register, which makes our scheme more robust in terms of functionality.

1. When user Ui wants to revoke his privilege, he sends his revocation request message, smart card SCi and verification message {RPWi} to registration center RC through a secure channel. Registration center RC checks whether user Ui is valid. If user Ui is valid, registration center RC sets the corresponding entry to 〈IDi, Ni = 0〉.

2. Similarly, after obtaining a re-registration request message over a secure channel, registration center RC performs the steps described in subsection 5.2 and helps user Ui re-register by updating the entry 〈IDi, Ni〉 to 〈IDi, Ni + 1〉.

Analysis of the proposed scheme

In a multi-server architecture, there are three important requirements for an authentication and key agreement protocol, namely security, functionality and efficiency. In this section, we discuss each of these and show that our scheme satisfies all of them. Furthermore, we compare the proposed protocol with others in terms of security, functionality and efficiency, respectively.

Informal security analysis

Before the formal security analysis, we analyze the resistance of our scheme against the following attacks by informal security analysis. Note that adversary E has the capabilities assumed in the threat model when executing the attacks described below.

Resistance to replay attack.

The proposed scheme applies a timestamp and a random nonce to withstand the replay attack. Even if adversary E eavesdrops user Ui’s previous login request message {M1, M2, M3, Bi, Di, Ti} and replays it to server Sj, server Sj checks the legality of this message by verifying the timeliness of timestamp Ti and the correctness of random nonce N1 as below. In this check, both timestamp Ti and random nonce N1 differ for each session. Thus adversary E is rejected by server Sj. Therefore our protocol prevents the replay attack.

Resistance to Denial-of-Service attack.

Adversary E tries to diminish or eliminate server Sj’s capacity by eavesdropping and repeatedly sending user Ui’s previous login request message. However, server Sj verifies the freshness of timestamp Ti and checks whether Di = h(N1||RPWi||Ai||Ti) holds. So server Sj treats adversary E as a malicious party and terminates this session. Furthermore, the presented scheme introduces a biometrics-based fuzzy extractor to tolerate the natural variation in biometric readings. Consequently, our protocol resists the Denial-of-Service attack.

Resistance to password guessing attack.

By analyzing power consumption, adversary E applies side-channel attacks, such as SPA or DPA, to extract the sensitive data Ai, Ci, Ei, Vi and Pi from user Ui’s smart card SCi. But he is unable to verify whether a guess of user Ui’s password PWi is correct, on-line or off-line, without the biometric information BIOi, pre-shared key PSK, master secret key s and random nonce N1. Specifically, the unpredictable, high-entropy binary string Ri protects user Ui’s password PWi in the proposed scheme. In conclusion, our protocol is secure against the password guessing attack.

Resistance to smart card attack.

Without the password PWi or biometric information BIOi, adversary E launches the smart card attack in order to collect the sensitive data stored in the smart card SCi and pass server Sj’s authentication. In the presented scheme, adversary E is able to acquire user Ui’s sensitive data Ai, Ci, Ei, Vi and Pi, which are saved in the smart card SCi, by SPA or DPA. The session key SKij between user Ui and server Sj is calculated as follows.

It is feasible for adversary E to obtain M1 and M4 over a public channel. However, it is difficult for him to retrieve the random nonces N1 or N2. As a result, our protocol withstands the smart card attack.

Resistance to user impersonation attack.

Under the user impersonation attack, adversary E, an outside attacker, tries to impersonate user Ui without the password PWi or biometric information BIOi. In the proposed scheme, adversary E is unable to acquire h(PSK) even if he eavesdrops user Ui’s previous login request message {M1, M2, M3, Bi, Di, Ti} and extracts user Ui’s sensitive data from smart card SCi by SPA or DPA. Thus, adversary E cannot retrieve the random numbers N1, N2 or the session key SKij. Therefore, our protocol is secure against the user impersonation attack.

Resistance to privileged insider attack.

Adversary E, a malicious insider with privileged access to an authorized system, attempts to impersonate user Ui. In order to achieve this goal, adversary E collects user Ui’s registration request message {IDi, RPWi} and steals his smart card SCi. However, it is impossible for adversary E to obtain h(PSK) and Bi. Even if the sensitive data Ai, Ci, Ei, Vi and Pi are extracted from user Ui’s smart card SCi, adversary E is unable to deliver a correct login request message {M1, M2, M3, Bi, Di, Ti}. Furthermore, he cannot retrieve the password PWi or biometric information BIOi. In conclusion, our protocol resists the privileged insider attack.

Resistance to server spoofing attack.

Assume that adversary E, a malicious insider who is not another server Sk, is able to steal user Ui’s smart card SCi and eavesdrop his registration request message {IDi, RPWi}. Adversary E tries to masquerade as server Sj to spoof user Ui by collecting the sensitive data Ai, Ci, Ei, Vi and Pi. But it is hard to retrieve h(PSK), so adversary E is unable to be authenticated by user Ui successfully. He cannot acquire the random number N1 or a valid authentication request message {M4, M5}. Thus adversary E’s attempt fails. Consequently, our protocol prevents the server spoofing attack.

Resistance to modification attack.

Even if adversary E attempts to modify some intercepted messages for further authentication, the proposed protocol is able to check whether the received messages are valid with the assistance of the collision-resistant hash function. Moreover, adversary E has no capability to retrieve N1, N2 or h(PSK) from any intercepted message. Thus he cannot generate a legitimate authentication message. As a result, our protocol is secure against the modification attack.

Resistance to stolen-verifier attack.

In the proposed protocol, neither server Sj nor registration center RC possesses any information about user Ui’s password or biometrics. Concretely, there is no password verifier or biometrics verifier in the databases of server Sj and registration center RC. Thus, adversary E cannot launch the stolen-verifier attack even if he has the authority to access the database. Consequently, our protocol withstands the stolen-verifier attack.

Possession of anonymity.

During the login phase of the proposed scheme, user Ui calculates his dynamic identity M2 = IDi ⊕ Ki, in which Ki cannot be retrieved by adversary E from any request or reply message. Thus, adversary E has no ability to acquire user Ui’s identity IDi. However, upon receiving user Ui’s login request message, the authorized server Sj calculates ui = Bi ⊕ h(PSK) and further computes Ki = h(SIDj||h(PSK||ui)), so that user Ui passes server Sj’s authentication anonymously. In other words, user Ui’s real identity IDi is not disclosed to any unauthorized participant. Therefore our protocol provides anonymity.

Possession of perfect forward secrecy.

Perfect forward secrecy protects past session keys even if the long-term key is retrieved. Specifically, the session key SKij in the proposed scheme is generated as follows.

Even if the long-term key h(PSK) is obtained by adversary E, it is impossible to compute the sensitive data RPWi, Ki and PSK. Thus adversary E is unable to obtain the random numbers N1 or N2. Also, it is hard for adversary E to retrieve the session key SKij between user Ui and server Sj. Therefore, our protocol provides perfect forward secrecy.

Formal security analysis

In this subsection, we provide a formal security analysis and demonstrate that the proposed scheme is secure. In order to achieve this purpose, we define the oracle Reveal as below: it unconditionally retrieves the original input x from the collision-resistant hash function y = h(x). More details relating to this formal security analysis are given in the following theorem.

Theorem. Suppose that the collision-resistant hash function h(⋅) behaves closely like the oracle Reveal. Then our protocol is provably secure in protecting the sensitive data, which include registration center RC’s master secret key s, the pre-shared key PSK between registration center RC and server Sj, and user Ui’s identity IDi and password PWi.

Proof. With the assistance of the oracle Reveal, we assume that adversary E has the capacity to retrieve registration center RC’s master secret key s, the pre-shared key PSK between registration center RC and server Sj, and user Ui’s identity IDi and password PWi. Adversary E executes the following experimental algorithm , in which AKAS denotes the presented scheme. More details about the Algorithm are explained in Table 3.

Furthermore, we define a success probability about as . Thus the advantage function of algorithm is Adv(et, qReveal) = maxE{Success}, namely the maximum over adversary E, which depends on the execution time et and the number of queries qReveal made to the oracle Reveal. If Adv(et, qReveal) ≤ ε, our protocol is secure against adversary E for any sufficiently small ε > 0. Adversary E wins this game if it is possible to retrieve the original input x from the collision-resistant hash function y = h(x). However, retrieving the original input x is a computationally infeasible problem. Therefore, for any sufficiently small ε > 0, maxE{Success} = Adv(et, qReveal) ≤ ε. As a result, our protocol is provably secure in protecting registration center RC’s master secret key s, the pre-shared key PSK between registration center RC and server Sj, and user Ui’s identity IDi and password PWi.

Security analysis with BAN logic

As an important verification tool, Burrows-Abadi-Needham (BAN) logic has a set of rules [66]. In security analysis, BAN logic is used for defining and analyzing information exchange schemes, especially authentication and key agreement protocols. In particular, BAN logic is able to verify whether exchanged information is trustworthy [67]. In this subsection, we apply BAN logic to prove that the session key SKij between server Sj and user Ui is correctly generated during the authentication phase of our protocol. For convenience, the symbols of BAN logic and their meanings are listed in Table 4.

The BAN logical postulates.

1. The message-meaning rule, namely, . Particularly, if principal A believes that principal A and principal B share session key K, and principal A sees that statement X is encrypted by session key K, then principal A believes that principal B once said the statement X.

2. The nonce-verification rule, namely, . Specifically, if principal A believes that statement X is fresh and principal B once said the statement X, then principal A believes that principal B believes the truth of statement X.

3. The belief rule, namely, . In particular, if principal A believes the truth of statement X and statement Y, then principal A believes the truth of (X, Y).

4. The freshness-conjuncatenation rule, namely, . Concretely, if principal A believes that statement X is fresh, then principal A believes that (X, Y) is fresh.

5. The jurisdiction rule, namely, . Especially, if principal A believes that principal B has a jurisdiction over the truth of statement X and principal B believes the truth of statement X, then principal A believes the truth of statement X.

The idealized scheme.

Ui: <N1, IDi, RPWi>Ki, (N1, Ai, Ti)RPWi and .

Sj: <Ai, RPWi, N1>N2 and (IDi, N1, N2)SIDj.

The establishment of security goals.

g1.

g2.

g3.

g4.

The initiative premises.

p1. Ui| ≡ #N1

p2. Ui| ≡ Sj ⇒ #N2

p3. Sj| ≡ #N1

p4. Sj| ≡ #N2

p5.

p6.

p7. Ui| ≡ IDi

p8. Sj| ≡ Ui ⇒ RPWi

p9. Sj| ≡ Ui ⇒ IDi

p10.

p11.

p12.

The security analysis.

a1. Because of p5 and Sj ⊲ <N1, IDi, RPWi>Ki, we execute the message-meaning rule to obtain Sj| ≡ Ui| ∼ (N1, IDi, RPWi).

a2. Since p3 and a1, we adopt both freshness-conjuncatenation rule and nonce-verification rule to acquire Sj| ≡ Ui| ≡ (N1, IDi, RPWi).

a3. Because of p10 and , we use the message-meaning rule to derive .

a4. Since p4 and a3, we apply both freshness-conjuncatenation rule and nonce-verification rule to get .

g3. Because of a4, we execute the belief rule to obtain .

g4. Since p11 and g3, we adopt the jurisdiction rule to acquire .

a5. Because of p6 and Ui ⊲ (IDi, N1, N2)SIDj, we use the message-meaning rule to derive Ui| ≡ Sj|∼(IDi, N1, N2).

a6. Since p2 and a5, we apply both freshness-conjuncatenation rule and nonce-verification rule to get Ui| ≡ Sj| ≡ (IDi, N1, N2).

a7. Because of a6, we execute the belief rule to obtain Ui| ≡ Sj| ≡ N2.

a8. Since p2 and a7, we adopt the jurisdiction rule to acquire Ui| ≡ N2.

a9. Because of p8, p9 and a2, we execute both belief rule and jurisdiction rule to obtain Sj| ≡ IDi.

g1. Since p1, p3, p4, p6, p7, a8, a9 and SKij = h(IDi||SIDj||N1||N2), we adopt both freshness-conjuncatenation rule and nonce-verification rule to acquire .

g2. Because of g1 and p12, we use the jurisdiction rule to derive .

In summary, the results above demonstrate that our protocol is able to generate the shared session key SKij correctly between server Sj and user Ui.

Functionality analysis

It is necessary to meet the functionality requirements, which include mutual authentication, session key agreement, user revocation/re-registration and biometric information protection. In this section, we demonstrate that our protocol provides all of the functionality mentioned above. More details relating to the functionality analysis are given below.

Mutual authentication.

In the presented scheme, user Ui and server Sj authenticate each other by means of the sensitive data N1, N2, Ki, Ti and SKij. In particular, server Sj checks whether h(N1||RPWi||Ai||Ti) = Di and h(SKij||N1||N2) = M6 hold. Similarly, user Ui verifies whether h(SIDj||N1||N2||IDi) is consistent with M5. As a result, our protocol achieves mutual authentication.

Session key agreement.

During the authentication phase, the session key SKij = h(IDi||SIDj||N1||N2) between server Sj and user Ui is established to protect the subsequent communications. In particular, both N1 and N2 change in every authentication phase, so that the session key SKij is different in each session. Furthermore, it is hard for adversary E to retrieve the session key SKij. In conclusion, our protocol provides session key agreement.

User revocation/re-registration.

User Ui may need to revoke his privilege or re-register. In the presented scheme, registration center RC helps user Ui achieve user revocation/re-registration by modifying the entry 〈IDi, Ni〉 when it obtains user Ui’s revocation or re-registration request message via a secure channel. Thus, our protocol achieves user revocation/re-registration.

Biometric information protection.

In some conventional schemes, user Ui’s biometric information BIOi is stored directly in his smart card SCi without appropriate protection. Thus adversary E is able to extract user Ui’s biometrics BIOi from a lost or stolen smart card SCi through side-channel attacks. In order to solve this problem, we apply a mechanism with high error tolerance to store user Ui’s biometric information BIOi. Besides, the collision-resistant hash function protects the unpredictable binary string Ri. So it is impossible for adversary E to extract user Ui’s biometric information BIOi. In conclusion, our protocol provides biometric information protection.

Efficiency analysis

In this subsection, we estimate the storage requirement, communication overhead and computational cost of the presented scheme. More details about the efficiency analysis are given below.

Storage requirement.

For the storage requirement, we take the values stored in user Ui’s smart card SCi as the storage overhead. In particular, both nonces N1 and N2 are 20 bytes long, user Ui’s identity IDi is 20 bytes long, the timestamp Ti is 2 bytes long, and the output of the collision-resistant hash function is 20 bytes long if we apply SHA-1. Thus, we are able to calculate the byte length of the stored data in the proposed scheme. As a result, all saved values {Ai, Ci, Ei, Vi, Pi} require 20 + 20 + 20 + 20 + 20 = 100 bytes of storage.

Communication overhead.

In order to estimate the communication overhead, we consider user Ui’s login request message {M1, M2, M3, Bi, Di, Ti}, which is submitted to server Sj in the login phase. According to the assumptions described above, the length of this message is 20 + 20 + 20 + 20 + 20 + 2 = 102 bytes. Similarly, the communication overhead of server Sj’s authentication request message {M4, M5} and user Ui’s authentication reply {M6} is 20 + 20 + 20 = 60 bytes during the authentication phase. Therefore, the total communication overhead of our protocol is 102 + 60 = 162 bytes.

Computational cost.

Considering the computational complexity, we take the number of collision-resistant hash function evaluations as the computational cost. Besides, it is reasonable to ignore the computational complexity of the XOR operation, which requires very little time. In an environment with a 2.20 GHz CPU and 2048 MB of RAM, it takes 0.0023 ms on average to execute the collision-resistant hash function [55, 68]. In the presented scheme, we execute the collision-resistant hash function four times and thirteen times in the login phase and authentication phase, respectively. In total, our protocol requires 0.0115 + 0.0299 = 0.0414 ms of computational cost.

Comparisons with related schemes

In this section, we compare the proposed protocol with other related schemes in terms of security, functionality and efficiency. In particular, our protocol is compared with several multi-server authentication schemes, namely Mishra et al.’s scheme [50], Lin et al.’s scheme [53], Wang et al.’s scheme [61], Chaudhry et al.’s scheme [64], Chaudhry et al.’s scheme [41] and Khan et al.’s scheme [65]. The results show that the presented protocol is efficient in the aspects mentioned above.

In particular, Table 5 lists the security comparison between various authentication schemes and ours. For convenience, we use the following notations in Table 5: R1 represents resistance to the replay attack, R2 resistance to the Denial-of-Service attack, R3 resistance to the password guessing attack, R4 resistance to the smart card attack, R5 resistance to the user impersonation attack, R6 resistance to the privileged insider attack, R7 resistance to the server spoofing attack, R8 resistance to the modification attack, R9 resistance to the stolen-verifier attack, R10 the possession of anonymity and R11 the possession of perfect forward secrecy. Concretely, Mishra et al.’s scheme [50] cannot resist the replay attack, Denial-of-Service attack, smart card attack, user impersonation attack, privileged insider attack and server spoofing attack. Also, their scheme is unable to provide anonymity and perfect forward secrecy. According to the cryptanalysis in Ref. [69], Lin et al.’s scheme [53] is insecure against the user impersonation attack and server spoofing attack, and their scheme fails to provide anonymity. Wang et al.’s scheme [61] cannot prevent the user impersonation attack, privileged insider attack and server spoofing attack. Also, their scheme is unable to achieve perfect forward secrecy. According to the cryptanalysis in Ref. [70], Chaudhry et al.’s scheme [64] is insecure against the Denial-of-Service attack and cannot provide perfect forward secrecy. Consequently, the result demonstrates that our protocol achieves all security properties.

Besides, Table 6 shows the functionality comparison between some related schemes and ours. We also compare our protocol with Reddy et al.’s scheme [69] and Irshad et al.’s scheme [71], which are other improved schemes. In Table 6, we use the following notations: F1 represents mutual authentication, F2 session key agreement, F3 user revocation/re-registration and F4 biometric information protection. Concretely, Mishra et al.’s scheme [50] cannot provide user revocation/re-registration. Similarly, Lin et al.’s scheme [53] fails to achieve user revocation/re-registration. As a result, our protocol provides more functionality properties.

Specifically, Table 7 and Fig 6 show the computational cost comparison between various related schemes and ours over both the login phase and the authentication phase. For convenience, we use the following notations in Table 7: C1 represents the computational cost during the login phase, C2 the execution overhead during the login phase, C3 the computational cost during the authentication phase, C4 the execution overhead during the authentication phase and C5 the total execution overhead. Besides, Th represents the computation time of the collision-resistant hash function, Tp the computation time of elliptic curve point multiplication, Ts the computation time of symmetric encryption/decryption and Tc the computation time of the Chebyshev chaotic map. According to the execution overhead given in [55] and [68], in an environment with a 2.20 GHz CPU and 2048 MB of RAM, executing elliptic curve point multiplication, symmetric encryption/decryption and the Chebyshev chaotic map takes about 2.2260 ms, 0.0046 ms and 0.0045 ms, respectively. Compared with the other schemes, the result indicates that our protocol requires the lowest computational cost.

Furthermore, Table 8 and Fig 7 show the comparison of communication overhead and storage requirement. Similarly, we use the following notations in Table 8: S1 represents the communication overhead during the login phase, S2 the communication overhead during the authentication phase, S3 the total communication overhead and S4 the storage requirement. With the same level of storage requirement, our protocol shows a satisfactory performance in communication overhead.

Table 8. The communication overhead and storage requirement comparison.

https://doi.org/10.1371/journal.pone.0194093.t008

Both Reddy et al. [69] and Irshad et al. [71], who proposed other improvements of Wang et al.’s scheme, have also done good work, and in this sense we work in the same field as these groups. However, there are notable characteristics that distinguish our work. After the cryptanalysis of Wang et al.’s scheme, we have applied new methods to remedy its weaknesses, which are not included in the other improved schemes. For example, we have adopted new ways to resist the user impersonation attack, privileged insider attack and server spoofing attack, and to provide perfect forward secrecy, respectively. Furthermore, our work focuses on reducing the computational complexity and providing more functionality in a distinct way. In particular, compared with the other improved works, our scheme has obvious advantages in computational complexity with the same level of communication overhead and storage requirement.

Conclusion

This paper cryptanalyzes Wang et al.’s scheme. In particular, we show that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol fails to provide perfect forward secrecy. As a remedy for these problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments that improves on Wang et al.’s scheme. We analyze its security, functionality and efficiency, and the results show that the proposed scheme satisfies all of these requirements. Compared with other related schemes, our protocol achieves stronger security and provides more functionality properties. Besides, the presented scheme requires lower computational cost and shows a satisfactory performance in communication overhead with the same level of storage requirement. Thus, the proposed protocol is suitable for expert systems and other multi-server architectures, such as on-line medicine systems and on-line shopping systems. Consequently, we conclude that our protocol is well suited to multi-server environments.

References

  1. Khan MK, Zhang JS. Improving the security of ’a flexible biometrics remote user authentication scheme’. Computer Standards & Interfaces. 2007; 29(1): 82–85.
  2. He DB, Kumar N, Khan MK, Lee JH. Anonymous two-factor authentication for consumer roaming service in global mobility networks. IEEE Transactions on Consumer Electronics. 2013; 59(4): 811–817.
  3. Diffie W, Van Oorschot PC, Wiener MJ. Authentication and authenticated key exchanges. Designs, Codes and Cryptography. 1992; 2(2): 107–125.
  4. Mishra D. Design and analysis of a provably secure multi-server authentication scheme. Wireless Personal Communications. 2016; 86(3): 1095–1119.
  5. Mitchell JC. Finite-state analysis of security protocols. International Conference on Computer Aided Verification. Springer, Berlin, Heidelberg. 1998; 71–76.
  6. Moon J, Choi Y, Jung J, Won D. An improvement of robust biometrics-based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE. 2015; 10(12): e0145263. pmid:26709702
  7. Lamport L. Password authentication with insecure communication. Communications of the ACM. 1981; 24(11): 770–772.
  8. Farash MS, Attari MA. A secure and efficient identity-based authenticated key exchange protocol for mobile client-server networks. The Journal of Supercomputing. 2014; 69(1): 395–411.
  9. Xie Q, Hu B, Dong N, Wong DS. Anonymous three-party password-authenticated key exchange scheme for telecare medical information systems. PLoS ONE. 2014; 9(7): e102747. pmid:25047235
  10. Khan MK. Fingerprint biometric-based self-authentication and deniable authentication schemes for the electronic world. IETE Technical Review. 2009; 26(3): 191–195.
  11. Kumari S, Khan MK. More secure smart card-based remote user password authentication scheme with user anonymity. Security and Communication Networks. 2014; 7(11): 2039–2053.
  12. Farash MS, Chaudhry SA, Heydari M, Sadough S, Mohammad S, Kumari S, Khan MK. A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security. International Journal of Communication Systems. 2017; 30(4).
  13. Kumari S, Chaudhry SA, Wu F, Li X, Farash MS, Khan MK. An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Networking and Applications. 2017; 10(1): 92–105.
  14. Bellovin SM, Merritt M. Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. Proceedings of the 1st ACM Conference on Computer and Communications Security. 1993; 244–250.
  15. Chang TY, Hwang MS, Yang WP. A communication-efficient three-party password authenticated key exchange protocol. Information Sciences. 2011; 181(1): 217–226.
  16. Lee TF, Hwang T. Simple password-based three-party authenticated key exchange without server public keys. Information Sciences. 2010; 180(9): 1702–1714.
  17. Wang S, Wang J, Xu M. Weaknesses of a password-authenticated key exchange protocol between clients with different passwords. ACNS. 2004; 4: 414–425.
  18. Ku WC, Chen CM, Lee HL. Weaknesses of Lee-Li-Hwang’s hash-based password authentication scheme. ACM SIGOPS Operating Systems Review. 2003; 37(4): 19–25.
  19. Ding Y, Horster P. Undetectable on-line password guessing attacks. ACM SIGOPS Operating Systems Review. ACM. 1995; 29(4): 77–86.
  20. Chang CC, Wu TC. Remote password authentication with smart cards. IEE Proceedings E (Computers and Digital Techniques). 1991; 138(3): 165–168.
  21. Mishra D, Chaturvedi A, Mukhopadhyay S. Design of a lightweight two-factor authentication scheme with smart card revocation. Journal of Information Security and Applications. 2015; 23: 44–53.
  22. Reddy AG, Yoon EJ, Das AK, Yoo KY. Lightweight authentication with key-agreement protocol for mobile network environment using smart cards. IET Information Security. 2016; 10(5): 272–282.
  23. Kumari S, Li X, Wu F, Das AK, Arshad H, Khan MK. A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps. Future Generation Computer Systems. 2016; 63: 56–75.
  24. Karuppiah M, Kumari S, Das AK, Li X, Wu F, Basu S. A secure lightweight authentication scheme with user anonymity for roaming service in ubiquitous networks. Security and Communication Networks. 2016; 9(17): 4192–4209.
  25. Chaudhry SA, Farash MS, Naqvi H, Kumari S, Khan MK. An enhanced privacy preserving remote user authentication scheme with provable security. Security and Communication Networks. 2015; 8(18): 3782–3795.
  26. Wang CQ, Zhang X, Zheng ZM. An improved biometrics based authentication scheme using extended chaotic maps for multimedia medicine information systems. Multimedia Tools and Applications. 2017; 76(22): 24315–24341.
  27. Kocher P, Jaffe J, Jun B, Rohatgi P. Introduction to differential power analysis. Journal of Cryptographic Engineering. 2011; 1(1): 5–27.
  28. Ma CG, Wang D, Zhao SD. Security flaws in two improved remote user authentication schemes using smart cards. International Journal of Communication Systems. 2014; 27(10): 2215–2227.
  29. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers. 2002; 51(5): 541–552.
  30. Wang D, Wang P. Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks. Ad Hoc Networks. 2014; 20: 1–15.
  31. Li CT, Hwang MS. An efficient biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications. 2010; 33(1): 1–5.
  32. Li X, Niu JW, Ma J, Wang WD, Liu CL. Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications. 2011; 34(1): 73–79.
  33. Odelu V, Das AK, Kumari S, Huang X, Wazid M. Provably secure authenticated key agreement scheme for distributed mobile cloud computing services. Future Generation Computer Systems. 2017; 68: 74–88.
  34. Wazid M, Das AK, Kumari S, Li X, Wu F. Design of an efficient and provably secure anonymity preserving three-factor user authentication and key agreement scheme for TMIS. Security and Communication Networks. 2016; 9(13): 1983–2001.
  35. Amin R, Islam SH, Biswas GP, Khan MK, Leng L, Kumar N. Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. Computer Networks. 2016; 101: 42–62.
  36. Fan CI, Lin YH. Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics. IEEE Transactions on Information Forensics and Security. 2009; 4(4): 933–945.
  37. Lee JK, Ryu SR, Yoo KY. Fingerprint-based remote user authentication scheme using smart cards. Electronics Letters. 2002; 38(12): 554–555.
  38. 38. Khan MK, Zhang JS. An efficient and practical fingerprint-based remote user authentication scheme with smart cards. Information Security Practice and Experience. 2006; 260–268.
  39. 39. Benhammadi F, Bey KB. Password hardened fuzzy vault for fingerprint authentication system. Image and Vision Computing. 2014; 32(8): 487–496.
  40. 40. Dodis Y, Kanukurthi B, Katz J, Reyzin L, Smith A. Robust Fuzzy Extractors and Authenticated Key Agreement From Close Secrets. IEEE Transactions on Information Theory. 2012; 58(9): 6207–6222.
  41. 41. Chaudhry SA, Naqvi H, Farash MS, Shon T, Sher M. An improved and robust biometrics-based three factor authentication scheme for multiserver environments. The Journal of Supercomputing. 2015; 1–17.
  42. 42. Li LH, Lin LC, Hwang MS. A remote password authentication scheme for multiserver architecture using neural networks. IEEE Transactions on Neural Networks. 2001; 12(6): 1498–1504. pmid:18249979
  43. 43. Li CT, Lee CC, Weng CY, Fan CI. An Extended Multi-Server-Based User Authentication and Key Agreement Scheme with User Anonymity. KSII Transactions on Internet & Information Systems. 2013; 7(1): 119–131.
  44. 44. Li X, Ma J, Wang WD, Xiong YP, Zhang JS. A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling. 2013; 58(1): 85–95.
  45. 45. Chen CT, Lee CC. A two-factor authentication scheme with anonymity for multi-server environments. Security and Communication Networks. 2015; 8(8): 1608–1625.
  46. 46. Gupta PC, Dhar J. Hash based multi-server key exchange protocol using smart card. Wireless Personal Communications. 2016; 87(1): 225–244.
  47. 47. Yoon EJ, Yoo KY. Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. The Journal of supercomputing. 2013; 63(1): 235–255.
  48. 48. Kim H, Jeon W, Lee K, Lee Y, Won D. Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme. Computational Science and Its Applications-ICCSA 2012. 2012; 391–406.
  49. 49. Chuang MC, Chen MC. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications. 2014; 41(4): 1411–1418.
  50. 50. Mishra D, Das AK, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Systems with Applications. 2014; 41(18): 8129–8143.
  51. 51. Amin R, Biswas GP. Design and analysis of bilinear pairing based mutual authentication and key agreement protocol usable in multi-server environment. Wireless Personal Communications. 2015; 84(1): 439–462.
  52. 52. He DB, Wang D. Robust biometrics-based authentication scheme for multiserver environment. IEEE Systems Journal. 2015; 9(3): 816–823.
  53. 53. Lin H, Wen FT, Du CX. An improved anonymous multi-server authenticated key agreement scheme using smart cards and biometrics. Wireless Personal Communications. 2015; 84(4): 2351–2362.
  54. 54. Lu YR, Li LX, Yang X, Yang YX. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE. 2015; 10(5): e0126323. pmid:25978373
  55. 55. Odelu V, Das AK, Goswami A. A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security. 2015; 10(9): 1953–1966.
  56. 56. Reddy AG, Das AK, Odelu V, Yoo KY. An enhanced biometric based authentication with key-agreement protocol for multi-server architecture based on elliptic curve cryptography. PLoS ONE. 2016; 11(5): e0154308. pmid:27163786
  57. 57. Zhu HF. A provable one-way authentication key agreement scheme with user anonymity for multi-server environment. KSII Transactions on Internet and Information Systems. 2015; 9(2): 811–829.
  58. 58. Li X, Niu JW, Kumari S, Liao JG, Liang W. An enhancement of a smart card authentication scheme for multi-server architecture. Wireless Personal Communications. 2015; 80(1): 175–192.
  59. 59. Tsudik G, Summers RC. AudES-An Expert System for Security Auditing. In Proceedings of the second conference on innovative applications of artificial intelligence. 1990; 221–232.
  60. 60. Hariri S, Jabbour K. An expert system for network management. In Proceedings of tenth annual international phoenix conference on computers and communications. 1991; 580–586.
  61. 61. Wang CQ, Zhang X, Zheng ZM. Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme. PLoS ONE. 2016; 11(2): e0149173. pmid:26866606
  62. 62. Dang Q. Changes in Federal Information Processing Standard (FIPS) 180-4, secure hash standard. Cryptologia. 2013; 37(1): 69–73.
  63. 63. Dolev D, Yao A. On the security of public key protocols. IEEE Transactions on Information Theory. 1983; 29(2): 198–208.
  64. 64. Chaudhry SA, Naqvi H, Khan MK. An enhanced lightweight anonymous biometric based authentication scheme for TMIS. Multimedia Tools and Applications. 2017; 1–22.
  65. 65. Khan I, Chaudhry SA, Sher M, Khan JI, Khan MK. An anonymous and provably secure biometric-based authentication scheme using chaotic maps for accessing medical drop box data. The Journal of Supercomputing. 2016; 1–19.
  66. 66. Burrow M, Abadi M, Needham RM. A logic of authentication. ACM Transactions on Computer System. 1990; 8(1): 18–36.
  67. 67. Moon J, Choi Y, Jung J, Won D. An improvement of robust biometrics-based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE. 2015; 10(12): e0145263. pmid:26709702
  68. 68. Kilinc HH, Yanik T. A survey of SIP authentication and key agreement schemes. IEEE Communications Surveys & Tutorials. 2014; 16(2): 1005–1023.
  69. 69. Reddy AG, Yoon EJ, Das AK, Odelu V, Yoo KY. Design of Mutually Authenticated Key Agreement Protocol Resistant to Impersonation Attacks for Multi-Server Environment. IEEE Access. 2017; 5: 3622–3639.
  70. 70. Qi MP, Chen JH. New robust biometrics-based mutual authentication scheme with key agreement using elliptic curve cryptography. Multimedia Tools and Applications. 2018; 1–17.
  71. 71. Irshad A, Chaudhry SA, Kumari S, Usman M, Mahmood K, Faisal MS. An improved lightweight multiserver authentication scheme. International Journal of Communication Systems. 2017; 30(17).