Robust Biometrics Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards

Biometrics-based authentication schemes using smart cards have attracted much attention in multi-server environments. Several schemes of this type were proposed in the past; however, many of them were found to have design flaws. This paper concentrates on the security weaknesses of the three-factor authentication scheme by Mishra et al. After careful analysis, we find that their scheme does not really resist the replay attack and fails to provide an efficient password change phase. We further propose an improvement of Mishra et al.'s scheme with the purpose of preventing the security threats to their scheme. We demonstrate that the proposed scheme provides strong authentication against several attacks, including the attacks shown against the original scheme. In addition, we compare its performance and functionality with other multi-server authenticated key agreement schemes.


Introduction
With the swift development of wireless communications and network technologies, more and more people use wireless handheld devices (e.g. PDAs, notebooks and mobile phones) to enjoy mobile services almost anytime and anywhere. However, the open nature of networks raises security concerns for the paid and protected resources available over the network [1][2][3][4][5]. An authentication mechanism becomes an essential need before a remote user can access the services. Since Lamport [6] proposed the first authentication scheme, a number of authentication schemes have been put forward for different applications [7][8][9][10][11][12][13].
However, most of the existing password authentication schemes are based on a single-server environment, which makes them unfit for multi-server environments. Recently, a large number of smart-card-based remote user authentication schemes for multi-server environments have been proposed. In addition, compared with other authentication schemes, schemes that only use random numbers and a hash function have received much more attention because of their low computation costs. In 2008, Tsai [14] proposed an efficient multi-server authentication scheme using random numbers and a one-way hash function. After that, numerous authenticated key agreement schemes were presented for multi-server environments one after another [15][16][17]. In 2012, Li et al. [18] proposed a novel authenticated key exchange scheme for multi-server environments. Unfortunately, Xue et al. [19] showed that Li et al.'s scheme did not resist some types of known attacks, such as stolen verifier, off-line password guessing, replay, denial of service and forgery attacks. Then, Xue et al. proposed an improved scheme to remedy the weaknesses of Li et al.'s scheme. Nevertheless, Lu et al. [20] observed that Xue et al.'s scheme was not only insecure against masquerade and insider attacks but also vulnerable to the off-line password guessing attack. To improve the shortcomings of Xue et al.'s scheme, Lu et al. proposed a slightly modified authentication scheme for multi-server environments.
All the above-mentioned authentication schemes are based on passwords and smart cards. Note that a password cannot be considered a unique identity identifier and it needs to be remembered. Moreover, the possibility of a password guessing attack is also a concern. Compared with cryptographic keys and passwords, biometric keys (e.g. fingerprint, face, iris, hand geometry and palm-print) have many advantages [21]: they are difficult to lose or forget; they are difficult to copy or share; they are difficult to forge or distribute; they are difficult to guess; and they are more difficult to break. Recently, Chuang et al. [22] presented an efficient biometrics-based authentication scheme using smart cards for multi-server environments, which was previously considered to have more security properties. However, Mishra et al. [23] showed that Chuang et al.'s scheme was vulnerable to the stolen smart card attack, server spoofing attack and impersonation attack. In addition, they proposed an improved biometrics-based multi-server authenticated key agreement scheme using smart cards and claimed that their scheme satisfied all desirable security requirements. Unfortunately, this paper will demonstrate that the scheme cannot really resist the replay attack and cannot provide an efficient password change phase.
In this paper, we concentrate on the security weaknesses of the three-factor authentication scheme by Mishra et al. After careful analysis, we find that their scheme does not really resist the replay attack and fails to provide an efficient password change phase. We further propose an improvement of Mishra et al.'s scheme with the purpose of preventing the security threats to their scheme. We demonstrate that the proposed scheme provides strong authentication against several attacks, including the attacks shown against the original scheme. In addition, we compare its performance and functionality with other related schemes.
The rest of the paper is organized as follows: In Section 2 and Section 3, we review and analyze Mishra et al.'s scheme. In Section 4, we propose an enhanced authentication scheme for multi-server environments. In Section 5, we present a security analysis of our scheme. Section 6 shows security and performance analyses by comparing our scheme with previous schemes. We conclude in Section 7.

Review of Mishra et al.'s scheme
Mishra et al.'s scheme consists of three phases: registration, login and authentication, and password updating. Table 1 lists the notations used in this paper.
3. Upon receiving the secret key $PSK$, $S_j$ stores it in order to authenticate legitimate users.
User registration.

RC computes
3. Upon receiving $SC_i$, $U_i$ enters his personal biometric $BIO_i$ at the sensor and computes $N =$

Login and authentication
1. $U_i$ inserts $SC_i$ into the terminal, inputs his identity $ID_i$ and password $PW_i$, and imprints his biometrics $BIO_i$ at the sensor.
4. $SC_i$ first computes $n_2 = M_4 \oplus h(ID_i \| n_1)$ and $SK_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$, and then checks whether $h(SK_{ij} \| n_1 \| n_2)$ is consistent with $M_5$. If it is, $SC_i$ computes $M_6 = h(SK_{ij} \| n_1 \| n_2)$ and delivers it to $S_j$.
5. $S_j$ verifies the condition $M_6 \stackrel{?}{=} h(SK_{ji} \| n_1 \| n_2)$. If this verification holds, $S_j$ can now use the key $SK_{ji}$ to communicate with $U_i$ securely.

Security analysis of Mishra et al.'s scheme
This section presents a cryptanalysis of the scheme recently proposed by Mishra et al. We show that their scheme does not satisfy key security attributes: it is vulnerable to the replay attack and its password change phase is incorrect. We assume that a malicious adversary A has complete control of the communication channel in the login and session key establishment phases. In other words, A has the capacity to intercept, insert, delete, refresh or update any information delivered between $U_i$ and $S_j$ [6].

Failure to withstand the replay attack
Suppose an adversary A has intercepted a past login message $\{Z_i, M_1, M_2, M_3\}$. A is able to launch a replay attack and log in to the server by resending the eavesdropped message $\{Z_i, M_1, M_2, M_3\}$ to $S_j$. In other words, A sends the eavesdropped message $\{Z_i, M_1, M_2, M_3\}$ to $S_j$ without running the login phase at all. In the login and authentication phase, upon receiving the message $S_j$ recomputes its verification value, and since the compared values are equal, $S_j$ authenticates A, who is thereby able to log in to $S_j$. Thus, A can easily log in to $S_j$ by resending an old login message. Since $S_j$ does not check the freshness of the received login message $\{Z_i, M_1, M_2, M_3\}$ when it authenticates $U_i$ in step (3) of the login and authentication phase, $S_j$ is not able to discover the replay attack.

Incorrect password change phase
The user $U_i$ inserts his smart card into a card reader, enters his identity $ID_i$ and password $PW_i$, and imprints his personal biometric $BIO_i$ at the sensor corresponding to his smart card. Then the smart card computes $N_i = N \oplus h(BIO_i)$ and $V_i' = h(ID_i \| N_i \| PW_i)$ and compares $V_i'$ with the value $V_i$ stored in its memory to verify the legitimacy of $U_i$. Once the authenticity of the cardholder is verified, $U_i$ can instruct the smart card to change his password. Afterwards, the smart card asks the cardholder to submit a new password $PW_{new}$

The proposed scheme
In this section, we present our robust biometrics-based authentication scheme using smart cards for multi-server environments. In our scheme, there are again three participants: the user $U_i$, the server $S_j$ and the registration center $RC$. $RC$ chooses the secret key $PSK$ and a secret number $x$ and shares them with $S_j$ via a secure channel. We describe all the phases of our scheme in the following subsections, i.e. registration, login and authentication, and password update; the registration and login and authentication phases are shown in

Security analysis of the proposed scheme
In this section, we first adopt Burrows-Abadi-Needham (BAN) logic [24] to demonstrate the completeness of the proposed scheme. Then, we discuss and cryptanalyze the proposed scheme through both informal and formal analyses.
Verifying the proposed scheme with BAN logic
BAN logic [24] is a set of rules for defining and analyzing information exchange schemes. It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. It has been highly successful in analyzing the security of authentication schemes. First, we introduce some notations and logical postulates of BAN logic in Table 2.
e. Jurisdiction rule: $\dfrac{A \mid\equiv B \Rightarrow X,\; A \mid\equiv B \mid\equiv X}{A \mid\equiv X}$: if A believes that B has jurisdiction over X and A trusts B on the truth of X, then A believes X.

Idealized scheme
$U_i$: $\langle n_1, ID_i, h(PW_i \| H(BIO_i)) \rangle_K$, $(n_1, X_i, T_1)_{h(PW_i \| H(BIO_i))}$, $(n_2, U_i \xleftrightarrow{SK_{ij}} S_j, T_3)_{ID_i}$
$S_j$: $\langle n_1, X_i, h(PW_i \| H(BIO_i)) \rangle_{n_2}$, $(ID_i, n_1, n_2, T_2)_K$

Initiative premises
$p_1$. $U_i \mid\equiv \#n_1$
$p_2$. $U_i \mid\equiv S_j \Rightarrow \#n_2$
$p_3$. $S_j \mid\equiv \#n_1$
$p_4$. $S_j \mid\equiv \#n_2$

Scheme analysis
$a_1$. By $p_5$ and $S_j \triangleleft \langle n_1, ID_i, h(PW_i \| H(BIO_i)) \rangle_K$, we apply the message-meaning rule to derive: $S_j \mid\equiv U_i \mid\sim (n_1, ID_i, h(PW_i \| H(BIO_i)))$
$a_2$. By $a_1$ and $p_3$, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: $S_j \mid\equiv U_i \mid\equiv (n_1, ID_i, h(PW_i \| H(BIO_i)))$
$a_3$. By $a_2$, $p_3$ and $p_8$, we apply the belief rule and the jurisdiction rule to derive: $S_j \mid\equiv ID_i$
$a_4$. By $a_3$ and $S_j \triangleleft (n_2, U_i \xleftrightarrow{SK_{ij}} S_j, T_3)_{ID_i}$, we apply the message-meaning rule to derive: $S_j \mid\equiv U_i \mid\sim (n_2, U_i \xleftrightarrow{SK_{ij}} S_j, T_3)$
$a_5$. By $p_4$ and $a_4$, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: $S_j \mid\equiv U_i \mid\equiv (n_2, U_i \xleftrightarrow{SK_{ij}} S_j, T_3)$
$g_1$. By $a_5$, we apply the belief rule to derive: $S_j \mid\equiv U_i \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$
$g_2$. By $g_1$ and $p_{11}$, we apply the jurisdiction rule to derive: $S_j \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$
$a_6$. By $p_6$ and $U_i \triangleleft (ID_i, n_1, n_2, T_2)_K$, we apply the message-meaning rule to derive: $U_i \mid\equiv S_j \mid\sim (ID_i, n_1, n_2, T_2)$
$a_7$. By $p_2$ and $a_6$, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: $U_i \mid\equiv S_j \mid\equiv (ID_i, n_1, n_2, T_2)$
$a_8$. By $a_7$, we apply the belief rule to derive: $U_i \mid\equiv S_j \mid\equiv n_2$
$a_9$. By $p_2$ and $a_8$, we apply the jurisdiction rule to derive: $U_i \mid\equiv n_2$
$a_{10}$. By $a_9$ and $U_i \triangleleft \langle n_1, X_i, h(PW_i \| H(BIO_i)) \rangle_{n_2}$, we apply the message-meaning rule to derive: $U_i \mid\equiv S_j \mid\sim (n_1, X_i, h(PW_i \| H(BIO_i)))$
$a_{11}$. By $a_{10}$ and $p_1$, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: $U_i \mid\equiv S_j \mid\equiv (n_1, X_i, h(PW_i \| H(BIO_i)))$
$g_3$. By $p_1$, $p_3$, $p_4$, $p_6$, $a_{11}$ and $SK_{ji} = h(n_1 \| n_2 \| K \| X_i)$, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: $U_i \mid\equiv S_j \mid\equiv U_i \xleftrightarrow{SK_{ij}} S_j$
$g_4$. By $g_3$ and $p_{12}$, we apply the jurisdiction rule to derive:

Informal security analysis
This subsection verifies whether the proposed scheme is secure against various kinds of known attacks. We assume that a malicious adversary A has complete control of the communication channel in the login and session key establishment phases. In other words, A has the capacity to intercept, insert, delete, refresh or update any information delivered between $U_i$ and $S_j$ [6].
Anonymity. $U_i$'s identity $ID_i$ is well protected by the shared secret parameter $K$, which substitutes for the real identity on the channel, so A cannot obtain users' real identities. In addition, an unauthorized server cannot obtain $ID_i$ without knowing $K$, since $K$ is protected by the secret key $PSK$ known only to authorized servers and is never exposed on the open channel. Thus, our scheme provides user anonymity, which prevents the leakage of private user identities to malicious attackers.
Mutual authentication. In order to authenticate $U_i$, $S_j$ has to verify the validity of the evidence $Z_i = h(X_i \| n_1 \| h(PW_i \| H(BIO_i)))$. The evidence is computed with the common secret parameter $K$, known only to $U_i$ and $S_j$. In other words, $(n_1, ID_i, h(PW_i \| H(BIO_i)))$ are derived from the valid login message $\{Z_i, M_1, M_2, M_3, T_1\}$ through $K$, so no one else can counterfeit the evidence. In addition, computing $X_i$ requires the secret key $x$, which is known only to $S_j$. Moreover, checking $h(SK_{ij} \| ID_i \| n_2)$ further assists $S_j$ in authenticating $U_i$, because the session key is known only to $U_i$ and $S_j$. To authenticate $S_j$, $U_i$ needs to verify whether $M_5 \stackrel{?}{=} h(ID_i \| n_1 \| n_2 \| K)$. Because $ID_i$ and $K$ are known only to $U_i$ and $S_j$, no one can forge a valid $\{M_4, M_5, T_2\}$ without them. Hence, mutual authentication between $U_i$ and $S_j$ is achieved.
Resist stolen smart card attack. Even if A has extracted [25] the information $\{X_i, Y_i, V_i, h(\cdot)\}$ stored in the smart card, A cannot construct the login request message $\{Z_i, M_1, M_2, M_3, T_1\}$ without the secret key $y$. Moreover, A cannot obtain the identity $ID_i$ and password $PW_i$, since they are protected by hash functions together with $U_i$'s biometrics $BIO_i$. Hence, A still cannot succeed after stealing the smart card.
Session key agreement. We provide the session key $SK = h(n_1 \| n_2 \| K \| X_i)$ to protect the message communication between $U_i$ and $S_j$, where $(n_1, n_2, K, X_i)$ are known to nobody but $U_i$ and $S_j$. In addition, $SK$ is different in each session, so a session key that A has obtained cannot be used to calculate the value of the next session key.
Resist replay attack. Assume A has intercepted all the communicated messages $\{Z_i, M_1, M_2, M_3, T_1, M_4, M_5, T_2, M_6, T_3\}$ and tries to replay them to $U_i$ or $S_j$ to obtain authentication. However, this cannot succeed, since all the authenticated messages incorporate the timestamp, which is also transmitted on the public channel. If A resends the transmitted messages, the receiver will immediately detect the attack through the authenticated message. Hence, our scheme can withstand the replay attack.
Resist stolen verifier and insider attacks. In the registration phase, $RC$ does not directly obtain $U_i$'s password $PW_i$ or biometric information $BIO_i$. Hence, it is hard for A to perform a stolen verifier attack or an insider attack.
Resist off-line guessing attack. In our proposed scheme, launching an off-line password guessing attack with the information stored in the smart card and the eavesdropped messages amounts to recovering the input from a given hash value. Since the identity $ID_i$ and the random number $N_i$ are required in order to learn $PW_i$, and both secrets are protected by the hash function and known only to the user himself, such an attack is infeasible.
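The replay attack on Mishra et al.'s scheme (Section 3) and the timestamp-based defence claimed above can be seen side by side in a small simulation of the login and authentication exchange. The following Python code is an added example written for this page; it is not the paper's or Mishra et al.'s code. It keeps only what this page states about the proposed scheme: the evidence $Z_i = h(X_i \| n_1 \| h(PW_i \| H(BIO_i)))$, the server's proof $M_5 = h(ID_i \| n_1 \| n_2 \| K)$, the session key $SK = h(n_1 \| n_2 \| K \| X_i)$, the key confirmation $h(SK_{ij} \| ID_i \| n_2)$, and the timestamps $T_1, T_2, T_3$. Everything else is an assumption and is labelled as such in the code: SHA-256 stands in for $h(\cdot)$ and $H(\cdot)$, the exact construction of $M_1$ to $M_4$ is not on this page and is replaced by a hash-derived XOR mask, $X_i$ is bound to $ID_i$ through the server secret $x$ by a constructed formula, and the freshness window $\Delta T$ is set to 5 seconds. The server keeps the check the vulnerable scheme lacks, a freshness window plus a cache of accepted $(Z_i, T_1)$ pairs, so an eavesdropped login message is rejected when resent.

```python
import hashlib
import hmac
import os

DELTA_T = 5  # ASSUMED freshness window (seconds) for the timestamps T_1, T_2, T_3


def h(*parts: bytes) -> bytes:
    """One-way hash of the concatenation a || b || ...; SHA-256 stands in for h(.)."""
    return hashlib.sha256(b"".join(parts)).digest()


def H(bio: bytes) -> bytes:
    """Stand-in for the biometric hash H(.) applied to the captured template."""
    return hashlib.sha256(b"bio-hash:" + bio).digest()


def mask(secret: bytes, value: bytes, *ctx: bytes) -> bytes:
    """XOR value with a hash-derived pad; applying it twice unmasks.
    ASSUMPTION: the paper's construction of M_1..M_4 is not on this page,
    so this stand-in only models 'hidden under the shared secret'."""
    pad = h(secret, *ctx)
    assert len(value) <= len(pad)
    return bytes(a ^ b for a, b in zip(value, pad))


def t_bytes(t: int) -> bytes:
    return t.to_bytes(8, "big")


def user_login(user: dict, K: bytes, X_i: bytes, n_1: bytes, T_1: int) -> dict:
    """Smart card side: build the login request {Z_i, M_1, M_2, M_3, T_1}."""
    a_i = h(user["PW"], H(user["BIO"]))        # h(PW_i || H(BIO_i))
    Z_i = h(X_i, n_1, a_i)                      # Z_i = h(X_i || n_1 || h(PW_i || H(BIO_i)))
    return {
        "Z": Z_i,
        "M1": mask(K, n_1, t_bytes(T_1)),       # n_1 hidden under K (assumed masking)
        "M2": mask(K, user["ID"], n_1),         # ID_i hidden under K
        "M3": mask(K, a_i, n_1, user["ID"]),    # h(PW_i || H(BIO_i)) hidden under K
        "T1": T_1,
    }


def user_finish(user: dict, K: bytes, X_i: bytes, n_1: bytes, reply: dict, now: int):
    """Smart card side: check M_5 (authenticates S_j), derive SK, answer with M_6."""
    if abs(now - reply["T2"]) > DELTA_T:
        return None                             # stale T_2: reject
    n_2 = mask(K, reply["M4"], n_1)
    if not hmac.compare_digest(reply["M5"], h(user["ID"], n_1, n_2, K)):
        return None                             # S_j did not prove knowledge of ID_i and K
    SK = h(n_1, n_2, K, X_i)                    # SK = h(n_1 || n_2 || K || X_i)
    return SK, {"M6": h(SK, user["ID"], n_2), "T3": now}   # h(SK_ij || ID_i || n_2)


class Server:
    def __init__(self, K: bytes, x: bytes):
        self.K, self.x = K, x
        self.seen = set()      # accepted (Z_i, T_1) pairs: the replay cache
        self.pending = {}      # ID_i -> (SK, n_2) waiting for M_6

    def X_for(self, ID_i: bytes) -> bytes:
        # ASSUMPTION: X_i is bound to ID_i with the server secret x; the paper's formula is not on this page
        return h(self.x, ID_i)

    def on_login(self, msg: dict, now: int):
        """Freshness check first, then verify Z_i; returns {M_4, M_5, T_2} or None."""
        if abs(now - msg["T1"]) > DELTA_T:
            return None                         # old timestamp: a past message cannot be replayed
        if (msg["Z"], msg["T1"]) in self.seen:
            return None                         # identical message resent inside the window
        n_1 = mask(self.K, msg["M1"], t_bytes(msg["T1"]))
        ID_i = mask(self.K, msg["M2"], n_1)
        a_i = mask(self.K, msg["M3"], n_1, ID_i)
        X_i = self.X_for(ID_i)
        if not hmac.compare_digest(msg["Z"], h(X_i, n_1, a_i)):
            return None                         # evidence Z_i does not verify
        self.seen.add((msg["Z"], msg["T1"]))
        n_2 = os.urandom(16)
        self.pending[ID_i] = (h(n_1, n_2, self.K, X_i), n_2)
        return {"M4": mask(self.K, n_2, n_1), "M5": h(ID_i, n_1, n_2, self.K), "T2": now}

    def on_confirm(self, ID_i: bytes, msg: dict, now: int):
        SK, n_2 = self.pending.pop(ID_i)
        fresh = abs(now - msg["T3"]) <= DELTA_T
        return SK if fresh and hmac.compare_digest(msg["M6"], h(SK, ID_i, n_2)) else None


def run_demo() -> dict:
    """Constructed run: one fresh login, then the same message replayed, then a stale one."""
    K, x = os.urandom(32), os.urandom(32)
    user = {"ID": b"alice", "PW": b"correct-horse", "BIO": b"constructed-template"}
    server = Server(K, x)
    X_i = server.X_for(user["ID"])              # in the scheme X_i is stored in SC_i at registration
    now, n_1 = 1_700_000_000, os.urandom(16)
    login = user_login(user, K, X_i, n_1, now)
    reply = server.on_login(login, now)
    SK_user, confirm = user_finish(user, K, X_i, n_1, reply, now + 1)
    SK_server = server.on_confirm(user["ID"], confirm, now + 1)
    replay = server.on_login(login, now + 2)    # eavesdropped request resent within the window
    stale = server.on_login(user_login(user, K, X_i, os.urandom(16), now - 60), now)
    return {"keys_match": SK_user == SK_server,
            "replay_rejected": replay is None,
            "stale_rejected": stale is None}


if __name__ == "__main__":
    print(run_demo())
```

Both server checks are needed: the window alone would still accept a message resent a second after capture, and the cache alone would grow without bound, so the window is what lets old entries be expired. Any deployment relies on loosely synchronised clocks between card terminal and server, which is the usual practical caveat of timestamp-based freshness.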

Formal security analysis of the proposed scheme
This subsection presents the formal security analysis of our scheme and shows that it is secure. For this, we first recall the definition of a secure one-way hash function [26].
Definition 1. A secure one-way hash function $h:\{0,1\}^* \to \{0,1\}^n$, which takes as input a binary string $x \in \{0,1\}^*$ of arbitrary length and outputs a binary string $h(x) \in \{0,1\}^n$, satisfies the following requirements: a. Given $y \in Y$, it is computationally infeasible to find an $x \in X$ such that $y = h(x)$; b. Given $x \in X$, it is computationally infeasible to find another
Theorem 1. Under the assumption that the one-way hash function $h(\cdot)$ closely behaves like an oracle, our scheme is provably secure against an attacker A for protecting the user's personal information, including identity $ID_i$, password $PW_i$ and biometrics $BIO_i$, and the server's private key $x$ and $PSK$.
Proof. The formal security proof of our scheme is similar to those in [27][28]. We use the following oracle to construct an adversary A who has the ability to derive the user's identity $ID_i$, password $PW_i$ and biometrics $BIO_i$, and the server's private key $x$ and $PSK$.
Reveal: This random oracle will unconditionally output the input x from the given hash value y = h(x).
A runs the experimental algorithm shown in Table 3, where the maximum is taken over all A with execution time $t$ and number of queries $q_R$ made to the Reveal oracle. Consider the experiment shown in Table 3 for A. If A has the ability to solve the hash function problem given in Definition 1, then he can directly derive $U_i$'s identity $ID_i$, password $PW_i$ and biometrics $BIO_i$, and $S_j$'s private key $x$ and $PSK$. In this case, A will discover the complete connections between $U_i$ and $S_j$. However, it is a computationally infeasible problem to invert the input from a given hash value, i.e., $(t)$. As a result, there is no way for A to discover the complete connections between $U_i$ and $S_j$, and our scheme is provably secure against an adversary deriving $(ID_i, PW_i, BIO_i, x, PSK)$.
For the performance analysis, we compare the computational primitives involved in the login and authentication phases of our scheme and other related schemes. To analyze the computational complexity of the schemes, we count hashing operations as the measure of time complexity, since XOR operations require very little computation. Fig 2 shows the performance comparison. From this comparison, we can see that our proposed scheme has better efficiency than the other schemes.

Conclusion and future work
In this paper, we presented a cryptanalysis of the recently proposed scheme of Mishra et al. and showed that their scheme is susceptible to the replay attack and fails to provide an efficient password change phase. An improved scheme is proposed that inherits the merits of Mishra et al.'s scheme and resists the different possible attacks. The proposed scheme is practical and efficient compared with other related schemes. Comprehensive security analysis shows that our scheme is more robust than other related schemes. Among the open problems to be faced in the near future, we can mention the study of specific applications and practical limitations of our scheme for mutual authentication using smart cards based on biometrics, and their large-scale implementation in real multi-server environments.