
Robust Biometrics Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards

Yanrong Lu, Lixiang Li (li_lixiang2006@163.com), Xing Yang, Yixian Yang

Affiliations (all authors): Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China; National Engineering Laboratory for Disaster Backup and Recovery, Beijing University of Posts and Telecommunications, Beijing 100876, China


Abstract

Biometrics-based authentication schemes using smart cards have attracted much attention in multi-server environments. Several schemes of this type have been proposed in the past; however, many of them were found to have design flaws. This paper concentrates on the security weaknesses of the three-factor authentication scheme by Mishra et al. After careful analysis, we find that their scheme does not really resist replay attack and fails to provide a correct password change phase. We further propose an improvement of Mishra et al.'s scheme that removes these threats. We show that the proposed scheme provides strong authentication against several attacks, including those found in the original scheme. In addition, we compare its performance and functionality with other multi-server authenticated key agreement schemes.

Introduction

With the swift development of wireless communications and network technologies, more and more people use wireless handheld devices (e.g. PDAs, notebooks and mobile phones) to enjoy mobile services almost anytime and anywhere. However, the open nature of networks raises security concerns for paid and protected resources available over the network [1–5]. An authentication mechanism is therefore an essential prerequisite before a remote user can access such services. Since Lamport [6] proposed the first authentication scheme, a number of authentication schemes have been put forward for different applications [7–13].

However, most existing password authentication schemes are designed for a single-server environment and are unfit for multi-server environments. Recently, a large number of smart-card-based remote user authentication schemes for multi-server environments have been proposed. Among them, schemes that use only random numbers and a one-way hash function have received the most attention because of their low computation cost. In 2008, Tsai [14] proposed an efficient multi-server authentication scheme using random numbers and a one-way hash function. After that, numerous authenticated key agreement schemes for multi-server environments were presented one after another [15–17]. In 2012, Li et al. [18] proposed a novel authenticated key exchange scheme for multi-server environments. Unfortunately, Xue et al. [19] showed that Li et al.'s scheme did not resist several known attacks, namely stolen verifier, off-line password guessing, replay, denial of service and forgery attacks, and proposed an improved scheme to remedy these weaknesses. Nevertheless, Lu et al. [20] observed that Xue et al.'s scheme was insecure against masquerade and insider attacks and was also vulnerable to off-line password guessing attack, and proposed a slightly modified authentication scheme for multi-server environments to remove these shortcomings.

All of the above schemes are based on passwords and smart cards. Note that a password cannot be considered a unique identifier and has to be remembered; moreover, the possibility of password guessing attacks is a concern. Compared with cryptographic keys and passwords, biometric keys (e.g. fingerprint, face, iris, hand geometry and palm-print) have many advantages [21]: they are difficult to lose or forget, difficult to copy or share, difficult to forge or distribute, difficult to guess, and more difficult to break. Recently, Chuang et al. [22] presented an efficient biometrics-based authentication scheme using smart cards for multi-server environments, which was believed to have strong security properties. However, Mishra et al. [23] showed that Chuang et al.'s scheme was vulnerable to stolen smart card, server spoofing and impersonation attacks. In addition, they proposed an improved biometrics-based multi-server authenticated key agreement scheme using smart cards and claimed that it satisfied all desirable security requirements. Unfortunately, this paper will demonstrate that their scheme cannot really resist replay attack and cannot provide a correct password change phase.

In this paper, we concentrate on the security weaknesses of the three-factor authentication scheme by Mishra et al. After careful analysis, we find that their scheme does not really resist replay attack and fails to provide a correct password change phase. We further propose an improvement of Mishra et al.'s scheme that removes these threats, and we show that the proposed scheme provides strong authentication against several attacks, including those found in the original scheme. In addition, we compare its performance and functionality with other related schemes.

The rest of the paper is organized as follows. Sections 2 and 3 review and analyze Mishra et al.'s scheme. Section 4 proposes an enhanced authentication scheme for multi-server environments. Section 5 presents the security analysis of our scheme. Section 6 compares the security and performance of our scheme with previous schemes. Section 7 concludes the paper.

Review of Mishra et al.’s scheme

Mishra et al.'s scheme consists of three phases: registration, login and authentication, and password updating. Table 1 lists the notations used in this paper.

Registration

Suppose RC is the trusted third party responsible for the registration of Ui and Sj.

Server registration.

  1. Sj sends a registration request to RC.
  2. After receiving the request, RC sends the key PSK to Sj through a secure channel.
  3. Upon receiving the secret key PSK, Sj stores it in order to authenticate legitimate users later.

User registration.

  1. Ui selects his identity IDi and password PWi and imprints his biometrics BIOi. Then, Ui generates a random number Ni, computes W1 = h(PWi∣∣Ni) and W2 = h(IDi∣∣Ni), and sends the registration message {IDi, W1, W2} to RC via a secure channel.
  2. RC computes Ai = h(IDi∣∣x∣∣Tr), Bi = h(Ai), Xi = W1 ⊕ Bi, Yi = h(PSK) ⊕ W2 and Zi = PSK ⊕ Ai, where Tr is the registration time. Then, RC issues the smart card SCi containing {Xi, Yi, Zi, h(⋅)} to Ui over a secure channel.
  3. Upon receiving SCi, Ui imprints his biometrics BIOi at the sensor and computes N = Ni ⊕ H(BIOi) and V = h(IDi∣∣Ni∣∣PWi). Finally, Ui stores {Xi, Yi, Zi, N, V, h(⋅)} in SCi.

Login and authentication

  1. Ui inserts SCi into the terminal, inputs his identity IDi and password PWi, and imprints his biometrics BIOi at the sensor.
  2. SCi computes Ni = N ⊕ H(BIOi) and checks whether h(IDi∣∣Ni∣∣PWi) = V. If it holds, SCi computes W1 = h(PWi∣∣Ni), W2 = h(IDi∣∣Ni), Bi = Xi ⊕ W1 and h(PSK) = Yi ⊕ W2. Then, SCi generates a random number n1 and computes M1 = h(PSK) ⊕ n1, M2 = IDi ⊕ h(n1∣∣Bi) and M3 = h(IDi∣∣n1∣∣Bi). Finally, Ui sends {Zi, M1, M2, M3} to Sj.
  3. On receiving the message from SCi, Sj computes Ai = Zi ⊕ PSK, Bi = h(Ai), n1 = M1 ⊕ h(PSK) and IDi = M2 ⊕ h(n1∣∣Bi), and checks whether h(IDi∣∣n1∣∣Bi) = M3. If so, Sj generates a random number n2 and computes SKji = h(IDi∣∣SIDj∣∣Bi∣∣n1∣∣n2), M4 = n2 ⊕ h(IDi∣∣n1) and M5 = h(SKji∣∣n1∣∣n2). Then, Sj sends {SIDj, M4, M5} to SCi.
  4. SCi computes n2 = M4 ⊕ h(IDi∣∣n1) and SKij = h(IDi∣∣SIDj∣∣Bi∣∣n1∣∣n2), and checks whether h(SKij∣∣n1∣∣n2) equals the received M5. If so, SCi computes M6 = h(SKij∣∣n1∣∣n2) and sends it to Sj.
  5. Sj verifies whether M6 = h(SKji∣∣n1∣∣n2). If the check holds, Sj uses SKji to communicate with Ui securely.

Password updating

Ui inputs his IDi and PWi and imprints his biometrics BIOi at the sensor. SCi computes Ni = N ⊕ H(BIOi) and checks whether h(IDi∣∣Ni∣∣PWi) = V. If they are equal, Ui keys in the new password PWi^new. Subsequently, SCi computes W1^new = h(PWi^new∣∣Ni), Xi^new = Xi ⊕ W1 ⊕ W1^new and V^new = h(IDi∣∣Ni∣∣PWi^new), and replaces Xi and V with Xi^new and V^new, respectively.

Security analysis of Mishra et al.’s scheme

This section presents a cryptanalysis of the scheme recently proposed by Mishra et al. We show that their scheme does not satisfy key security attributes: it is vulnerable to replay attack and its password change phase is incorrect. We assume that a malicious adversary 𝓐 has full control of the communication channel in the login and session key establishment phases. In other words, 𝓐 has the capacity to intercept, insert, delete, refresh or modify any information exchanged between Ui and Sj [6].

Vulnerability to replay attack

Suppose an adversary 𝓐 has intercepted a past login message {Zi, M1, M2, M3}. 𝓐 can launch a replay attack and log in to the server by resending the eavesdropped message to Sj, without running the login phase at all. In step 3 of the login and authentication phase, upon receiving {Zi, M1, M2, M3}, Sj computes Ai = Zi ⊕ PSK, Bi = h(Ai), n1 = M1 ⊕ h(PSK), IDi = M2 ⊕ h(n1∣∣Bi) and M3′ = h(IDi∣∣n1∣∣Bi), and checks whether M3′ equals the received M3. Since the replayed message is unchanged, M3′ and M3 are equal, so Sj authenticates 𝓐 and 𝓐 is logged in to Sj. Thus, 𝓐 can log in to Sj simply by resending an old login message. Because Sj does not check the freshness of the received login message {Zi, M1, M2, M3} when it authenticates Ui in step 3 of the login and authentication phase, Sj is unable to discover the replay.
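The registration and login steps reviewed above, together with the replay described in this subsection, as an added example (Python written for this page, not code from the paper or from Mishra et al.): h(⋅) is SHA-256 over length-prefixed inputs, the biohashing function H(⋅) is approximated by a plain hash of the template, identities are fixed-width 32-byte strings so that IDi can be XORed with hash outputs, and IDi, PWi, BIOi, Tr, x and PSK are constructed values. The function server_accepts implements step 3 of the login phase exactly as reviewed: it is a pure function of PSK and the received message, which is why a captured message passes a second time.

```python
import hashlib
import secrets

# Added example (not the paper's or Mishra et al.'s code): a simulation of the
# reviewed registration and login steps, used to show that the server-side check in
# login step 3 accepts a captured login message a second time. Identities, passwords,
# the biometric template, Tr and all keys are constructed here.

def h(*parts: bytes) -> bytes:
    """h(a || b || ...) as SHA-256 over length-prefixed parts (the prefix is an
    implementation choice that keeps the concatenation unambiguous)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def H(bio: bytes) -> bytes:
    """Stand-in for the biohashing function H(·); a real deployment needs a
    biohash or fuzzy extractor so that noisy samples give the same digest."""
    return h(b"biohash", bio)

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(p ^ q for p, q in zip(a, b))

class RegistrationCenter:
    def __init__(self):
        self.x = secrets.token_bytes(32)     # RC's secret x
        self.psk = secrets.token_bytes(32)   # PSK handed to every registered server

    def register_server(self) -> bytes:
        return self.psk                      # sent to Sj over a secure channel

    def register_user(self, id_i: bytes, w1: bytes, w2: bytes) -> dict:
        tr = b"2015-06-01T00:00:00Z"         # registration time Tr (constructed)
        a_i = h(id_i, self.x, tr)
        b_i = h(a_i)
        return {"Xi": xor(w1, b_i), "Yi": xor(h(self.psk), w2), "Zi": xor(self.psk, a_i)}

class SmartCard:
    """Holds {Xi, Yi, Zi, N, V} after user registration."""
    def __init__(self, issued: dict, n: bytes, v: bytes):
        self.Xi, self.Yi, self.Zi = issued["Xi"], issued["Yi"], issued["Zi"]
        self.N, self.V = n, v

def user_register(rc, id_i, pw_i, bio_i):
    n_i = secrets.token_bytes(32)
    issued = rc.register_user(id_i, h(pw_i, n_i), h(id_i, n_i))   # W1, W2
    return SmartCard(issued, xor(n_i, H(bio_i)), h(id_i, n_i, pw_i))  # N, V

def login_message(card, id_i, pw_i, bio_i):
    """Login steps 1-2: local check, then {Zi, M1, M2, M3} for Sj."""
    n_i = xor(card.N, H(bio_i))
    if h(id_i, n_i, pw_i) != card.V:
        raise ValueError("local verification of IDi/PWi/BIOi failed")
    b_i = xor(card.Xi, h(pw_i, n_i))          # Bi = Xi ⊕ W1
    h_psk = xor(card.Yi, h(id_i, n_i))        # h(PSK) = Yi ⊕ W2
    n1 = secrets.token_bytes(32)
    return {"Zi": card.Zi, "M1": xor(h_psk, n1),
            "M2": xor(id_i, h(n1, b_i)), "M3": h(id_i, n1, b_i)}

def server_accepts(psk, msg) -> bool:
    """Login step 3 as reviewed: nothing in the message is checked for freshness,
    so the decision depends only on (PSK, message)."""
    a_i = xor(msg["Zi"], psk)
    b_i = h(a_i)
    n1 = xor(msg["M1"], h(psk))
    id_i = xor(msg["M2"], h(n1, b_i))
    return h(id_i, n1, b_i) == msg["M3"]

def replay_demo():
    """Returns (genuine login accepted, replayed copy accepted, tampered copy accepted)."""
    rc = RegistrationCenter()
    psk = rc.register_server()
    id_i = b"alice".ljust(32, b"\0")          # fixed-width identity so it can be XORed
    card = user_register(rc, id_i, b"correct horse", b"fp-template")
    msg = login_message(card, id_i, b"correct horse", b"fp-template")
    captured = dict(msg)                      # what the eavesdropper 𝓐 stores and resends
    tampered = dict(msg, M3=bytes(32))        # a modified copy, for contrast
    return (server_accepts(psk, msg), server_accepts(psk, captured),
            server_accepts(psk, tampered))
```

replay_demo() returns (True, True, False): the genuine message and its verbatim copy are both accepted, while a copy with a modified M3 is rejected. The server can only tell the two accepted messages apart if it keeps state about what it has already seen (for instance a cache of recent n1 values) or if a timestamp is bound into the authenticator and checked for freshness, which is what the scheme proposed in the next section adds.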

Incorrect password change phase

The user Ui inserts his smart card into a card reader, enters his identity IDi and password PWi, and imprints his personal biometrics BIOi at the sensor. The smart card computes Ni = N ⊕ H(BIOi) and V′ = h(IDi∣∣Ni∣∣PWi) and compares V′ with the value V stored in its memory to verify the legitimacy of Ui. Once the cardholder is verified, Ui can instruct the smart card to change his password, and the smart card asks the cardholder to submit a new password PWi^new. The values Xi = Bi ⊕ h(PWi∣∣Ni) and V = h(IDi∣∣Ni∣∣PWi) stored in the smart card are then updated to Xi^new = Xi ⊕ W1 ⊕ W1^new and V^new = h(IDi∣∣Ni∣∣PWi^new), where W1^new = h(PWi^new∣∣Ni). The value Xi^new is derived from the old password PWi through W1 = h(PWi∣∣Ni); therefore, the modified Xi^new is not correct.

The proposed scheme

In this section, we present our robust biometrics-based authentication scheme using smart cards for multi-server environments. In our scheme, there are also three participants: the user Ui, the server Sj and the registration center RC. RC chooses the secret key PSK and a secret number x and shares them with Sj via a secure channel. We describe all phases of our scheme in the following subsections, i.e. registration, login and authentication, and password update; the registration and login and authentication phases are shown in Fig 1.

Registration

  1. Ui keys in his biometrics BIOi, identity IDi and password PWi. Then, Ui sends {IDi, h(PWi∣∣H(BIOi))} to RC.
  2. Upon receiving the message from Ui, RC computes Xi = h(IDi∣∣x) and Vi = h(IDi∣∣h(PWi∣∣H(BIOi))). Then, RC stores {Xi, Vi, h(PSK)} in a smart card and issues it to Ui.
  3. Ui computes Yi = h(PSK) ⊕ y with a secret number y known only to Ui, and replaces h(PSK) on the card with Yi. Finally, the smart card stores the values {Xi, Yi, Vi, h(⋅)}.

Login and authentication

  1. Ui inserts his smart card into the device and enters his identity IDi, password PWi and biometrics BIOi. The smart card checks whether h(IDi∣∣h(PWi∣∣H(BIOi))) equals the stored Vi. If it holds, the smart card generates a random number n1 and computes K = h((y ⊕ Yi)∣∣SIDj), M1 = K ⊕ IDi, M2 = n1 ⊕ K, M3 = h(PWi∣∣H(BIOi)) ⊕ K and Zi = h(Xi∣∣n1∣∣h(PWi∣∣H(BIOi))∣∣T1), where T1 is the current timestamp. Finally, Ui submits {Zi, M1, M2, M3, T1} to Sj.
  2. Upon receiving the message from Ui, Sj first checks whether Tc − T1 ≤ ΔT, where Tc is the current time and ΔT the allowed transmission delay, and then computes K = h(h(PSK)∣∣SIDj) using the pre-shared secret key PSK. Sj retrieves IDi = M1 ⊕ K, n1 = M2 ⊕ K and h(PWi∣∣H(BIOi)) = M3 ⊕ K, computes Xi = h(IDi∣∣x) and verifies whether h(Xi∣∣n1∣∣h(PWi∣∣H(BIOi))∣∣T1) = Zi. If it holds, Sj generates a random number n2 and computes SKji = h(n1∣∣n2∣∣K∣∣Xi), M4 = n2 ⊕ h(n1∣∣h(PWi∣∣H(BIOi))∣∣Xi) and M5 = h(IDi∣∣n1∣∣n2∣∣K∣∣T2), where T2 is the current timestamp. Then, Sj sends the authentication message {M4, M5, T2} back to Ui.
  3. After checking the freshness of T2, Ui computes n2 = M4 ⊕ h(n1∣∣h(PWi∣∣H(BIOi))∣∣Xi) and verifies whether h(IDi∣∣n1∣∣n2∣∣K∣∣T2) equals the received M5. If so, Ui computes the common session key SKij = h(n1∣∣n2∣∣K∣∣Xi) and sends {M6, T3} to Sj, where M6 = h(SKij∣∣IDi∣∣n2∣∣T3) and T3 is the current timestamp.
  4. Sj verifies the freshness of T3 and the correctness of M6 using SKji. If either check fails, Sj stops the execution; otherwise, Sj confirms the common session key SKji = SKij with Ui.

Password updating

Ui first inserts his smart card into the device and provides his identity IDi, password PWi and biometrics BIOi. The smart card checks whether h(IDi∣∣h(PWi∣∣H(BIOi))) equals the stored Vi. If not, the smart card refuses the request; otherwise, Ui keys in the new password PWi^new. Finally, the smart card computes Vi^new = h(IDi∣∣h(PWi^new∣∣H(BIOi))) and replaces Vi with Vi^new.
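The registration and login and authentication phases above, as an added example (Python written for this page, not the paper's own implementation): h(⋅) is SHA-256 over length-prefixed inputs, H(⋅) is approximated by a plain hash of the biometric template, timestamps are integers so that the freshness checks can be exercised deterministically, ΔT = 60 s, the server identity server-1, the user secret y and all credentials are constructed values, and the way Sj matches the final message {M6, T3} to a pending session (here by IDi) is an implementation choice the paper leaves open. The example also exercises the timestamp check on which the "Resist replay attack" argument later in the paper relies.

```python
import hashlib
import secrets

# Added example, not the paper's code: the proposed registration and login/authentication
# phases with integer timestamps; identities, passwords, the biometric template, ΔT
# and the server name are all constructed values.
DELTA_T = 60  # assumed freshness window ΔT, in seconds

def h(*parts: bytes) -> bytes:
    """h(a || b || ...) as SHA-256 over length-prefixed parts (an implementation choice)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def H(bio: bytes) -> bytes:
    return h(b"biohash", bio)  # stand-in for biohashing H(·); a deployment needs a fuzzy extractor

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(p ^ q for p, q in zip(a, b))

def ts(t: int) -> bytes:  # timestamp encoding used inside hashes
    return t.to_bytes(8, "big")
def fresh(t_sent: int, now: int) -> bool:  # the Tc - T <= ΔT check (future timestamps rejected too)
    return 0 <= now - t_sent <= DELTA_T

class RegistrationCenter:
    def __init__(self):
        self.x, self.psk = secrets.token_bytes(32), secrets.token_bytes(32)  # secret number x, key PSK
    def register_server(self, sid_j: bytes) -> "Server":
        return Server(sid_j, self.psk, self.x)  # PSK and x shared with Sj over a secure channel
    def register_user(self, id_i: bytes, pw_bio: bytes) -> dict:  # pw_bio = h(PWi || H(BIOi))
        return {"Xi": h(id_i, self.x), "Vi": h(id_i, pw_bio), "hPSK": h(self.psk)}

class SmartCard:
    def __init__(self, issued: dict, y: bytes):
        self.Xi, self.Vi = issued["Xi"], issued["Vi"]
        self.Yi = xor(issued["hPSK"], y)  # h(PSK) on the card is replaced by Yi = h(PSK) ⊕ y

def user_register(rc, id_i, pw_i, bio_i, y):
    return SmartCard(rc.register_user(id_i, h(pw_i, H(bio_i))), y)

def user_login(card, id_i, pw_i, bio_i, y, sid_j, t1):
    """Login step 1: returns the card's session state and the message {Zi, M1, M2, M3, T1}."""
    d = h(pw_i, H(bio_i))
    if h(id_i, d) != card.Vi:
        raise ValueError("local verification of IDi/PWi/BIOi failed")
    n1 = secrets.token_bytes(32)
    k = h(xor(y, card.Yi), sid_j)  # K = h((y ⊕ Yi) || SIDj) = h(h(PSK) || SIDj)
    msg = {"Zi": h(card.Xi, n1, d, ts(t1)), "M1": xor(k, id_i),
           "M2": xor(n1, k), "M3": xor(d, k), "T1": t1}
    return {"id": id_i, "d": d, "n1": n1, "k": k, "Xi": card.Xi}, msg

def user_finish(st, reply, now, t3):
    """Login step 3: returns SKij and {M6, T3}; raises if Sj fails to authenticate."""
    if not fresh(reply["T2"], now):
        raise ValueError("stale T2")
    n2 = xor(reply["M4"], h(st["n1"], st["d"], st["Xi"]))
    if h(st["id"], st["n1"], n2, st["k"], ts(reply["T2"])) != reply["M5"]:
        raise ValueError("server authentication failed")
    sk = h(st["n1"], n2, st["k"], st["Xi"])
    return sk, {"M6": h(sk, st["id"], n2, ts(t3)), "T3": t3}

class Server:
    def __init__(self, sid_j, psk, x):
        self.k, self.x = h(h(psk), sid_j), x
        self.pending = {}  # IDi -> (SKji, n2) awaiting M6; matching M6 to a session is left open by the paper
        self.seen = set()  # (n1, T1) pairs already accepted: an added check, not part of the paper's scheme
    def handle_login(self, msg, now):  # login step 2: {M4, M5, T2}, or None if the login is rejected
        if not fresh(msg["T1"], now):
            return None
        id_i, n1, d = (xor(msg[m], self.k) for m in ("M1", "M2", "M3"))
        x_i = h(id_i, self.x)
        if h(x_i, n1, d, ts(msg["T1"])) != msg["Zi"] or (n1, msg["T1"]) in self.seen:
            return None
        self.seen.add((n1, msg["T1"]))
        n2 = secrets.token_bytes(32)
        self.pending[id_i] = (h(n1, n2, self.k, x_i), n2)
        return {"M4": xor(n2, h(n1, d, x_i)), "M5": h(id_i, n1, n2, self.k, ts(now)), "T2": now}
    def handle_confirm(self, id_i, msg, now):  # login step 4: the confirmed SKji, or None
        sk, n2 = self.pending.pop(id_i)
        ok = fresh(msg["T3"], now) and msg["M6"] == h(sk, id_i, n2, ts(msg["T3"]))
        return sk if ok else None

def run_demo():
    """One honest run, then the captured login message replayed inside and after ΔT."""
    rc = RegistrationCenter()
    server = rc.register_server(b"server-1")
    id_i, y = b"alice".ljust(32, b"\0"), secrets.token_bytes(32)  # fixed-width IDi; user secret y
    card = user_register(rc, id_i, b"correct horse", b"fp-template", y)
    t = 1_700_000_000  # constructed clock value
    st, login = user_login(card, id_i, b"correct horse", b"fp-template", y, b"server-1", t)
    sk_user, confirm = user_finish(st, server.handle_login(login, now=t + 1), now=t + 2, t3=t + 2)
    sk_server = server.handle_confirm(id_i, confirm, now=t + 3)
    replay_in_window = server.handle_login(login, now=t + 5)
    replay_stale = server.handle_login(login, now=t + DELTA_T + 1)
    return sk_user == sk_server, replay_in_window is None, replay_stale is None
```

run_demo() returns (True, True, True): both sides derive the same session key, and the captured login message is rejected both when resent within ΔT and when resent after it. Note that the Tc − T1 ≤ ΔT check by itself only bounds the replay window: a login message resent within ΔT passes the timestamp test and would make Sj execute step 2 again, so the example's server additionally remembers the (n1, T1) pairs it has accepted; that cache is not part of the paper's description but is what catches the copy replayed at t + 5.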

Security analysis of the proposed scheme

In this section, we first adopt Burrows-Abadi-Needham (BAN) logic [24] to demonstrate the completeness of the proposed scheme. Then, we conduct a discussion and cryptanalysis of the proposed scheme through both informal and formal analyses.

Verifying the proposed scheme with BAN logic

BAN logic [24] is a set of rules for defining and analyzing information exchange schemes. It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both, and it has been highly successful in analyzing the security of authentication schemes. First, we introduce some notations and logical postulates of BAN logic in Table 2. In the rules below, A ∣≡ X denotes that A believes X, A ⊲ X that A sees X, A ∣∼ X that A once said X, A ⇒ X that A has jurisdiction over X, #(X) that X is fresh, A ↔K B that K is a secret shared by A and B, ⟨X⟩_K that X is combined with the secret K, and (X)_K that X is encrypted under K.

  1. BAN logical postulates
    1. Message-meaning rule: (A ∣≡ A ↔K B, A ⊲ ⟨X⟩_K) / (A ∣≡ B ∣∼ X): if A believes that the key K is shared by A and B, and sees X encrypted with K, then A believes that B once said X.
    2. Freshness-conjuncatenation rule: (A ∣≡ #(X)) / (A ∣≡ #(X, Y)): if A believes that X is fresh, then A believes that (X, Y) is fresh.
    3. Belief rule: (A ∣≡ X, A ∣≡ Y) / (A ∣≡ (X, Y)): if A believes X and Y, then A believes (X, Y).
    4. Nonce-verification rule: (A ∣≡ #(X), A ∣≡ B ∣∼ X) / (A ∣≡ B ∣≡ X): if A believes that X could have been uttered only recently and that B once said X, then A believes that B believes X.
    5. Jurisdiction rule: (A ∣≡ B ⇒ X, A ∣≡ B ∣≡ X) / (A ∣≡ X): if A believes that B has jurisdiction over X and that B believes X, then A believes X.
  2. Establishment of security goals
    g1. Sj ∣≡ Ui ∣≡ (Ui ↔SKij Sj)
    g2. Sj ∣≡ (Ui ↔SKij Sj)
    g3. Ui ∣≡ Sj ∣≡ (Ui ↔SKji Sj)
    g4. Ui ∣≡ (Ui ↔SKji Sj)
  3. Idealized scheme
    Ui → Sj: ⟨n1, IDi, h(PWi∣∣H(BIOi))⟩_K, (n1, Xi, T1)_h(PWi∣∣H(BIOi)), (n2, Ui ↔SKij Sj, T3)_IDi
    Sj → Ui: ⟨n1, Xi, h(PWi∣∣H(BIOi))⟩_n2, (IDi, n1, n2, T2)_K
  4. Initial premises
    p1. Ui ∣≡ #(n1)   p2. Ui ∣≡ Sj ⇒ #(n2)   p3. Sj ∣≡ #(n1)   p4. Sj ∣≡ #(n2)
    p5. Sj ∣≡ (Ui ↔K Sj)   p6. Ui ∣≡ (Ui ↔K Sj)
    p7. Ui ∣≡ IDi   p8. Sj ∣≡ Ui ⇒ h(PWi∣∣H(BIOi))
    p9. Sj ∣≡ Ui ⇒ IDi   p10. Ui ∣≡ Sj ⇒ Xi
    p11. Sj ∣≡ Ui ⇒ (Ui ↔SKij Sj)   p12. Ui ∣≡ Sj ⇒ (Ui ↔SKji Sj)
  5. Scheme analysis
    a1. By p5 and Sj ⊲ ⟨n1, IDi, h(PWi∣∣H(BIOi))⟩_K, we apply the message-meaning rule to derive Sj ∣≡ Ui ∣∼ (n1, IDi, h(PWi∣∣H(BIOi))).
    a2. By a1 and p3, we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive Sj ∣≡ Ui ∣≡ (n1, IDi, h(PWi∣∣H(BIOi))).
    a3. By a2, p8 and p9, we apply the belief rule and the jurisdiction rule to derive Sj ∣≡ IDi.
    a4. By a3 and Sj ⊲ (n2, Ui ↔SKij Sj, T3)_IDi, we apply the message-meaning rule to derive Sj ∣≡ Ui ∣∼ (n2, Ui ↔SKij Sj, T3).
    a5. By p4 and a4, we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive Sj ∣≡ Ui ∣≡ (n2, Ui ↔SKij Sj, T3).
    g1. By a5, we apply the belief rule to derive Sj ∣≡ Ui ∣≡ (Ui ↔SKij Sj).
    g2. By g1 and p11, we apply the jurisdiction rule to derive Sj ∣≡ (Ui ↔SKij Sj).
    a6. By p6 and Ui ⊲ (IDi, n1, n2, T2)_K, we apply the message-meaning rule to derive Ui ∣≡ Sj ∣∼ (IDi, n1, n2, T2).
    a7. By p1 and a6, we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive Ui ∣≡ Sj ∣≡ (IDi, n1, n2, T2).
    a8. By a7, we apply the belief rule to derive Ui ∣≡ Sj ∣≡ n2.
    a9. By p2 and a8, we apply the jurisdiction rule to derive Ui ∣≡ n2.
    a10. By a9 and Ui ⊲ ⟨n1, Xi, h(PWi∣∣H(BIOi))⟩_n2, we apply the message-meaning rule to derive Ui ∣≡ Sj ∣∼ (n1, Xi, h(PWi∣∣H(BIOi))).
    a11. By a10 and p1, we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive Ui ∣≡ Sj ∣≡ (n1, Xi, h(PWi∣∣H(BIOi))).
    g3. By p1, p3, p4, p6, a11 and SKji = h(n1∣∣n2∣∣K∣∣Xi), we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive Ui ∣≡ Sj ∣≡ (Ui ↔SKji Sj).
    g4. By g3 and p12, we apply the jurisdiction rule to derive Ui ∣≡ (Ui ↔SKji Sj).

Informal security analysis

This subsection verifies whether the proposed scheme is secure against various kinds of known attacks. We assume that a malicious adversary 𝓐 has full control of the communication channel in the login and session key establishment phases. In other words, 𝓐 has the capacity to intercept, insert, delete, refresh or modify any information exchanged between Ui and Sj [6].

Anonymity.

Ui's identity IDi is masked by the shared secret parameter K in place of the real identity, so 𝓐 cannot obtain users' real identities. In addition, an unauthorized server cannot obtain IDi without knowing K, since K is derived from the secret key PSK, which is known only to authorized servers and is never exposed on the open channel. Thus, our scheme provides user anonymity and prevents the leakage of private user identities to malicious attackers.

Mutual authentication.

In order to authenticate Ui, Sj verifies the validity of the evidence Zi = h(Xi∣∣n1∣∣h(PWi∣∣H(BIOi))∣∣T1). The values (n1, IDi, h(PWi∣∣H(BIOi))) needed to check it are recovered from the login message {Zi, M1, M2, M3, T1} through the common secret parameter K, which is known only to Ui and Sj, so no one else can counterfeit the evidence. In addition, computing Xi requires the secret key x, which is known only to Sj. Moreover, checking M6 = h(SKij∣∣IDi∣∣n2∣∣T3) further assists Sj in authenticating Ui, because the session key is known only to Ui and Sj. To authenticate Sj, Ui verifies whether M5 = h(IDi∣∣n1∣∣n2∣∣K∣∣T2). Because IDi and K are known only to Ui and Sj, no one can forge a valid {M4, M5, T2} without them. Hence, mutual authentication between Ui and Sj is achieved.

Resist stolen smart card attack.

Even if 𝓐 has extracted [25] the information {Xi, Yi, Vi, h(⋅)} stored in the smart card, 𝓐 cannot construct a valid login request {Zi, M1, M2, M3, T1} without the secret key y. Moreover, 𝓐 cannot obtain the identity IDi or the password PWi, since they are protected by hash functions together with Ui's biometrics BIOi. Hence, 𝓐 still cannot succeed after stealing the smart card.

Session key agreement.

The session key SK = h(n1∣∣n2∣∣K∣∣Xi) protects the communication between Ui and Sj, where (n1, n2, K, Xi) are known to nobody but Ui and Sj. In addition, SK differs in each session, so an adversary who has obtained a past session key cannot use it to calculate the next session key.

Resist replay attack.

Assume 𝓐 has intercepted all the communicated messages {Zi, M1, M2, M3, T1}, {M4, M5, T2} and {M6, T3} and tries to replay them to Ui or Sj to obtain authentication. This cannot succeed, since every authenticated message incorporates its timestamp, which is also sent on the public channel: the receiver checks the freshness of the timestamp and its binding into the authenticator, and thereby detects a resent message immediately. Hence, our scheme can withstand replay attack.

Resist stolen verifier and insider attacks.

In the registration phase, RC never receives Ui's password PWi or biometric information BIOi directly, only the digest h(PWi∣∣H(BIOi)). Hence, it is hard for 𝓐 to perform a stolen verifier attack or an insider attack.

Resist off-line guessing attack.

In our proposed scheme, launching an off-line password guessing attack with the information stored in the smart card and the eavesdropped messages amounts to recovering the input of a hash function from its output. Since the identity IDi and the biometric digest H(BIOi) are also required to verify a guess of PWi, and both secrets are protected by the hash function and known only to the user himself, the attack is infeasible.

Formal security analysis of the proposed scheme

This subsection presents the formal security analysis of our scheme and shows that it is secure. For this purpose, we first define a secure one-way hash function [26].

Definition 1. A secure one-way hash function h: {0, 1}* → {0, 1}^n takes as input an arbitrary-length binary string x ∈ X = {0, 1}*, outputs a binary string h(x) ∈ Y = {0, 1}^n, and satisfies the following requirements: (a) given y ∈ Y, it is computationally infeasible to find an x ∈ X such that y = h(x); (b) given x ∈ X, it is computationally infeasible to find another x′ ∈ X with x′ ≠ x such that h(x′) = h(x); (c) it is computationally infeasible to find a pair (x′, x) ∈ X × X with x′ ≠ x such that h(x′) = h(x).

Theorem 1. Under the assumption that the one-way hash function h(⋅) closely behaves like a random oracle, our scheme is provably secure against an attacker 𝓐 for protecting the user's personal information, including the identity IDi, password PWi and biometrics BIOi, and the server's private keys x and PSK.

Proof. The formal security proof of our scheme is similar to those in [27, 28]. We use the following oracle to construct an adversary 𝓐 who attempts to derive the user's identity IDi, password PWi and biometrics BIOi, and the server's private keys x and PSK.

Reveal: this random oracle unconditionally outputs the input x for a given hash value y = h(x).

𝓐 runs the experimental algorithm EXP^BAKASSCMSE_{HASH,𝓐} shown in Table 3 for our biometrics-based authentication and key agreement scheme using smart cards for multi-server environments, denoted BAKASSCMSE.

The success probability of EXP^BAKASSCMSE_{HASH,𝓐} is defined as Succ^BAKASSCMSE_{HASH,𝓐} = |2·Pr[EXP^BAKASSCMSE_{HASH,𝓐} = 1] − 1|, and the advantage function for this experiment is Adv^BAKASSCMSE_{HASH,𝓐}(t, qR) = max_𝓐 Succ^BAKASSCMSE_{HASH,𝓐}, where the maximum is taken over all 𝓐 with execution time t and number of queries qR made to the Reveal oracle. Consider the experiment shown in Table 3 for 𝓐. If 𝓐 is able to solve the hash function problem of Definition 1, then he can directly derive Ui's identity IDi, password PWi and biometrics BIOi, and Sj's private keys x and PSK; in this case, 𝓐 discovers the complete connections between Ui and Sj. However, it is computationally infeasible to invert the input from a given hash value, i.e. Adv^BAKASSCMSE_{HASH,𝓐}(t) ≤ ε for every ε > 0. Hence, Adv^BAKASSCMSE_{HASH,𝓐}(t, qR) ≤ ε, since Adv^BAKASSCMSE_{HASH,𝓐}(t, qR) depends on Adv^BAKASSCMSE_{HASH,𝓐}(t). As a result, there is no way for 𝓐 to discover the complete connections between Ui and Sj, and our scheme is provably secure against an adversary deriving (IDi, PWi, BIOi, x, PSK).

Performance and functionality analysis

In this section, we compare our scheme with other existing multi-server authentication schemes ([18–20], [22, 23]) regarding security and performance. Table 4 lists the functionality comparison of our proposed scheme with the related schemes. It can be seen that the proposed scheme achieves all of the security and functionality requirements and is more secure than the related schemes.

For the performance analysis, we compare the computational primitives involved in the login and authentication phases of our scheme and the related schemes. We count hashing operations as the measure of time complexity, since XOR operations require very little computation. Fig 2 shows the comparison. From it, we can see that our proposed scheme is more efficient than the other schemes.

Conclusion and future work

In this paper, we presented a cryptanalysis of the recently proposed scheme of Mishra et al. and showed that it is susceptible to replay attack and fails to provide a correct password change phase. We proposed an improved scheme that inherits the merits of Mishra et al.'s scheme and resists the identified attacks. The proposed scheme is practical and efficient compared with other related schemes, and the security analysis shows that it is more robust than those schemes. Among the open problems to be faced in the near future are the study of specific applications and practical limitations of our scheme for biometrics-based mutual authentication using smart cards, and its large-scale implementation in real multi-server environments.

Author Contributions

Conceived and designed the experiments: YRL LXL XY YXY. Performed the experiments: YRL LXL XY YXY. Analyzed the data: YRL LXL XY YXY. Contributed reagents/materials/analysis tools: YRL LXL XY YXY. Wrote the paper: YRL LXL XY YXY.

References

  1. Liu C, Du WB, Wang WX. Particle swarm optimization with scale-free interactions. PLoS One. 2014; 9(5).
  2. Du WB, Wu ZX, Cai KQ. Effective usage of shortest paths promotes transportation efficiency on scale-free networks. Physica A. 2013; 392(17): 3505–3512.
  3. Wang Z, Perc M. Aspiring to the fittest and promotion of cooperation in the prisoner's dilemma game. Physical Review E. 2010; 82(2): 021115.
  4. Boccaletti S, Bianconi G, Criado R, del Genio CI, Gómez-Gardeñes J, Romance M, et al. The structure and dynamics of multilayer networks. Physics Reports. 2014; 544(1): 1–122.
  5. Zhao DW, Peng HP, Li LX, Yang YX, Li SD. An efficient patch dissemination strategy for mobile networks. Mathematical Problems in Engineering. 2013; Article ID 896187, 13 pages.
  6. Lamport L. Password authentication with insecure communication. Communications of the ACM. 1981; 24(11): 770–772.
  7. Sun DZ, Huai JP, Sun JZ, Li JX, Zhang JW, Feng ZY. Improvements of Juang's password authenticated key agreement scheme using smart cards. IEEE Transactions on Industrial Electronics. 2009; 56(6): 2284–2291.
  8. Lu RX, Lin XD, Liang XH, Shen XM. A dynamic privacy-preserving key management scheme for location-based services in VANETs. IEEE Transactions on Intelligent Transportation Systems. 2012; 13(1): 127–139.
  9. Zhao DW, Peng HP, Li LX, Yang YX. A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wireless Personal Communications. 2013; 78: 247–269.
  10. Lu YR, Li LX, Yang YX. Robust and efficient authentication scheme for session initiation protocol. Mathematical Problems in Engineering. 2015; Article ID 894549, 9 pages.
  11. Lu YR, Li LX, Peng HP, Yang YX. An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem. Journal of Medical Systems. 2015; 39(3): 1–8.
  12. Lu YR, Li LX, Peng HP, Yang YX. Robust and efficient biometrics based password authentication scheme for telecare medicine information systems using extended chaotic maps. Journal of Medical Systems. 2015.
  13. Lu YR, Li LX, Peng HP, Yang YX. A biometrics and smart cards based authentication scheme for multi-server environments. Security and Communication Networks. 2015.
  14. Tsai JL. Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers & Security. 2008; 27(3–4): 115–121.
  15. Lu RX, Lin XD, Zhu HJ, Liang XH, Shen XM. BECAN: a bandwidth-efficient cooperative authentication scheme for filtering injected false data in wireless sensor networks. IEEE Transactions on Parallel and Distributed Systems. 2012; 23(1): 32–43.
  16. Liao YP, Wang SS. A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces. 2009; 31(1): 24–29.
  17. Lee CC, Lin TH, Chang RX. A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications. 2011; 38(11): 13863–13870.
  18. Li X, Ma J, Wang WD, Liu CL. A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling. 2013; 58: 85–95.
  19. Xue KP, Hong PL, Ma CS. A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. Journal of Computer and System Sciences. 2014; 80: 195–206.
  20. Lu YR, Li LX, Peng HP, Yang X, Yang YX. A lightweight ID based authentication and key agreement protocol for multi-server architecture. International Journal of Distributed Sensor Networks. 2015; Article ID 635890, 9 pages.
  21. Li CT, Hwang MS. An efficient biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications. 2010; 33(1): 1–5.
  22. Chuang MC, Chen MC. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications. 2014; 41: 1411–1418.
  23. Mishra D, Das AK, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Systems with Applications. 2014; 41(18): 8129–8143.
  24. Burrows M, Abadi M, Needham R. A logic of authentication. ACM Transactions on Computer Systems. 1990; 8(1): 18–36.
  25. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers. 2002; 51(5): 541–552.
  26. Stallings W. Cryptography and Network Security: Principles and Practices. 3rd ed. Prentice Hall; 2003.
  27. Das AK. A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Networking Science. 2013; 2(1–2): 12–27.
  28. Das AK, Paul NR, Tripathy L. Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Information Sciences. 2012; 209: 80–92.