Cryptanalysis and Improvement of a Biometric-Based Multi-Server Authentication and Key Agreement Scheme

With the growing security requirements of networks, biometric-based authentication schemes applied in the multi-server environment have become more crucial and are widely deployed. In this paper, we propose a novel biometric-based multi-server authentication and key agreement scheme which is based on the cryptanalysis of Mishra et al.'s scheme. Informal and formal security analyses of our scheme are given, which demonstrate that our scheme satisfies the desirable security requirements. The presented scheme provides a variety of significant functionalities, some of which are not considered in most existing authentication schemes, such as user revocation or re-registration and biometric information protection. Compared with several related schemes, our scheme has more security properties and lower computation cost. It is clearly more appropriate for practical applications in remote distributed networks.


Introduction
With the rapid development of the Internet, advances in information and communication technology enhance the quality of online services in distributed networks, which provide highly useful services to users in a variety of domains, such as online medicine, online education, online shopping and Internet banking [1,2]. Because users and servers always interact over a public channel, the design and analysis of secure and efficient authentication schemes have received considerable attention [3]. Since the first one was proposed by Lamport, a great number of authentication schemes have been presented which provide authorized communication between remote entities [4][5][6][7][8][9]. According to the evidence adopted in the authentication, existing schemes are divided into two categories: certificate-based and identity-based [10][11][12][13][14][15][16]. The former category requires high computation cost and large storage space for the management of the certificate store. Although elliptic curve cryptosystems have been introduced, they do not simplify certificate management, so certificate-based schemes are unacceptable in real-time applications such as multimedia and video conferencing. To solve the aforementioned problems, Shamir proposed an identity-based public key cryptosystem. Through the cryptanalysis given in this paper, we identify that their scheme does not resist the masquerade attack, replay attack and Denial-of-Service (DoS) attack. We also find that their scheme fails to achieve perfect forward secrecy. In addition, most existing authentication schemes do not consider a revocation or re-registration phase. To solve these problems, we propose a robust biometric-based multi-server authentication and key agreement scheme. Our scheme improves Mishra et al.'s scheme and satisfies the desirable security requirements.
The presented scheme also provides a variety of significant functionalities, such as anonymity, mutual authentication, session key agreement, perfect forward secrecy, user revocation or re-registration, and biometric information protection. In addition, the comparison results show that our scheme has more security properties, more functionalities and lower computation cost, which make it more appropriate for practical applications in remote distributed networks.
The remainder of the paper is organized as follows. The next section briefly introduces the threat assumptions, the fuzzy extractor and the one-way collision-resistant hash function adopted in our scheme. Section 3 reviews Mishra et al.'s scheme. Section 4 discusses the weaknesses of Mishra et al.'s scheme. Section 5 describes the proposed scheme in detail. Section 6 then provides the security, functionality and performance analysis of our scheme. The last section concludes the paper.

Preliminaries
In this section, we describe the concepts of threat assumptions, fuzzy extractor and one-way collision-resistant hash function, which are used in our scheme.

Threat assumptions
In this paper, we adopt the Dolev-Yao threat model [54] and consider the risk of side-channel attacks [55] to construct the threat assumptions, which are described as follows:
1. Adversary E eavesdrops on all communications between user and server over a public channel.
3. Adversary E may be a malicious user or an outsider in this system.
4. Adversary E extracts the sensitive information stored in a lost or stolen smart card by examining its power consumption.

Fuzzy extractor
The mechanism of a fuzzy extractor consists of two procedures (Gen, Rep), illustrated in Fig 1. The function Gen is a probabilistic generation procedure which takes the biometric input BIO and outputs a nearly random binary string R ∈ {0, 1}^l together with an auxiliary (helper) binary string P ∈ {0, 1}^*. The function Rep is a deterministic reproduction procedure that recovers R with the assistance of the corresponding auxiliary string P and a biometric reading BIO*. If dis(BIO, BIO*) ≤ t and Gen(BIO) → ⟨R, P⟩, then Rep(BIO*, P) = R. Otherwise, the function Rep provides no guarantee. This error tolerance makes it dependable to recover the nearly uniform randomness R from a biometric input BIO* with the auxiliary string P, as long as BIO* remains reasonably close to the original input BIO. More details about fuzzy extractors are described in the literature [43,44].
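As an added illustration (this code is not from the paper; it is a toy instance of the standard code-offset construction of a fuzzy extractor), the following Python implements (Gen, Rep) over bit strings with a repetition code, so that the error-tolerance statement above can be exercised: a reading within t flips of the enrolled BIO reproduces R, while a reading farther away may not. The parameters (16-bit R, repetition factor 5, 80-bit biometric vectors, t = 2) are constructed for the demo and are not the paper's.

```python
import hashlib
import secrets

# Toy code-offset fuzzy extractor over bit strings (added example, not the
# paper's code). The error-correcting code is a repetition code: every bit of
# R is repeated REP times, so up to T = (REP - 1) // 2 flipped bits per block
# are corrected by majority vote. Constructed demo parameters: a 16-bit R,
# REP = 5, hence 80-bit biometric vectors and t = T = 2.
L = 16               # length l of the extracted string R
REP = 5              # repetition factor of the code
T = (REP - 1) // 2   # flips per block the code corrects

def encode(r_bits):
    """Repetition-code encoder: each bit of R becomes REP identical bits."""
    return [b for b in r_bits for _ in range(REP)]

def decode(c_bits):
    """Majority-vote decoder; wrong only if a block carries more than T flips."""
    return [1 if sum(c_bits[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(c_bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def gen(bio, r_bits=None):
    """Gen(BIO) -> <R, P>. R is fresh randomness (it can be passed in only so
    the demo is reproducible); the helper data P = BIO xor encode(R) masks the
    codeword with the biometric, so P alone reveals neither R nor BIO."""
    assert len(bio) == L * REP, "constructed demo expects an 80-bit biometric"
    if r_bits is None:
        r_int = secrets.randbits(L)
        r_bits = [(r_int >> i) & 1 for i in range(L)]
    return r_bits, xor(bio, encode(r_bits))

def rep(bio_star, p):
    """Rep(BIO*, P) -> R. bio_star xor P = encode(R) xor (BIO xor BIO*), i.e.
    the codeword plus the noise between the two readings; decoding removes the
    noise whenever every block carries at most T flips, which is guaranteed
    when dis(BIO, BIO*) <= T. Beyond that there is no guarantee."""
    return decode(xor(bio_star, p))

def hamming(a, b):
    """dis(BIO, BIO*) as Hamming distance."""
    return sum(x != y for x, y in zip(a, b))

def flip(bits, positions):
    """Constructed noise model: flip the given bit positions of a reading."""
    out = list(bits)
    for pos in positions:
        out[pos] ^= 1
    return out

def key_from_r(r_bits):
    """What a card should keep: a hash of R_i, never R_i or BIO_i in the clear."""
    return hashlib.sha256(bytes(r_bits)).hexdigest()

if __name__ == "__main__":
    # Constructed enrollment reading and a later reading with two flipped bits.
    bio = [1 if i % 3 == 0 else 0 for i in range(L * REP)]
    r, p = gen(bio)
    bio_star = flip(bio, [4, 37])
    print("distance:", hamming(bio, bio_star), "recovered:", rep(bio_star, p) == r)
```

Note that a reading with more than t flips can still be recovered when the flips fall into different blocks; this is exactly the "no guarantee" case of the definition, not a contradiction of it. A real deployment would use a proper error-correcting code matched to the sensor's error rate instead of the repetition code used here.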

One-way collision-resistant hash function
The one-way collision-resistant hash function h : {0, 1}^* → {0, 1}^n is a deterministic algorithm which outputs a fixed-length binary string in {0, 1}^n from an arbitrary-length binary string in {0, 1}^* [56]. It is computationally infeasible to retrieve the input x from a given hash value and the hash function, which is called the one-way property. A hash function also possesses the weak/strong collision-resistance properties. For a given input x, finding any input y ≠ x such that h(x) = h(y) is computationally infeasible (weak collision resistance). Finding any pair of inputs (x, y) with x ≠ y such that h(x) = h(y) is computationally infeasible (strong collision resistance). A well-known example of a hash function is SHA-1. However, Manuel showed in 2011 that SHA-1 is insecure against collision attacks [57]. So we apply SHA-2 as the secure hash function in our scheme.

Review of Mishra et al.'s scheme
Recently, Mishra et al. proposed a biometric-based multi-server key agreement scheme using smart cards to achieve lightweight authentication and user anonymity. Mishra et al.'s scheme has five phases: the server registration phase, user registration phase, login phase, authentication phase and password change phase. Suppose that RC is the trusted third party responsible for the registration of users and servers. Table 1 lists the notations used in their scheme.
Server registration phase
1. The server S_j sends a join message to the RC.
2. After receiving the join message, RC replies with the pre-shared key (PSK) to the server S_j through a secure channel.

Masquerade attack
Mishra et al.'s scheme is vulnerable to the masquerade attack. More precisely, adversary E can be authenticated by another server S_k using the messages that user U_i sends to the server S_j for authentication. First, U_i inserts the smart card and sends the login request message (1) to S_j when he wants to be authenticated by S_j. After intercepting the login request message, E forwards it to another server S_k. Message (1) does not include any information about S_j. Therefore S_k executes operation (2) and sends the authentication request message (3) to E without any suspicion of the attack.
Then E transmits message (3) to U_i. U_i does not check the identity of the server; he only checks whether the SID_k in M_5 equals the SID_k in message (3), where M_4 = n_2 ⊕ h(ID_i||n_1), M_5 = h(SK_ki||n_1||n_2) and SK_ki = h(ID_i||SID_k||B_i||n_1||n_2). So U_i also executes operation (4) and sends the authentication reply message (5) to S_j without any suspicion of the attack.
Finally, E intercepts message (5) and transmits it to S_k. Therefore E is authenticated by S_k. In conclusion, adversary E can masquerade as a legitimate user to log in to the server S_k, so Mishra et al.'s scheme is vulnerable to the masquerade attack.
In their scheme, S_k cannot check whether U_i wants to be authenticated by S_k. Thus S_k authenticates all legitimate messages even though these messages were not sent to S_k. Similarly, U_i does not check whether S_k wants to be authenticated with U_i; he only checks whether the SID in message (3) and the SID in M_5 are the same.
To meet these challenges, the destination of the message needs to be added to the login request message (1) and the authentication request message (3). So we add the information about SID_j of server S_j to message (1), which means that U_i wants to be authenticated by S_j, not S_k. Meanwhile, the information about AID_i of user U_i needs to be added to message (3), which means that S_j wants to be authenticated by the anonymous user U_i.

Replay attack
In the same way, Mishra et al.'s scheme is vulnerable to the replay attack. In particular, adversary E logs into the server S_j with a previous login request message (1). Upon receiving the previous message (1), S_j calculates A_i = Z_i ⊕ PSK, n_1 = M_P1 ⊕ h(PSK), ID_i = M_P2 ⊕ h(n_1||h(A_i)), and verifies whether h(ID_i||n_1||B_i) = M_P3 holds, without any suspicion of the attack. Since the verification holds, S_j authenticates E and E logs into the server S_j. Thus Mishra et al.'s scheme is vulnerable to the replay attack.
In their scheme, S_j does not check the freshness of the login request message, so S_j authenticates all legitimate login request messages even though these messages are not fresh.
As a practical solution to prevent the replay attack, adding a timestamp to message (1) helps server S_j verify the freshness of the login request message.

Denial-of-Service attack
Although the means and targets may vary, a DoS attack is generally an attempt to make a network resource or machine unavailable to its intended users by temporarily or indefinitely interrupting or suspending the services of a host connected to the network. In Mishra et al.'s scheme, in particular, E collects a previous login request message {Z_i, M_P1, M_P2, M_P3} from the user U_i and then forwards it to the server S_j. Upon receiving the login request, S_j, as always, executes operation (2), which includes producing a random number once, sending a message once, calculating the XOR operation 4 times, and performing the hash function 7 times. By applying the intercepted login request messages repeatedly, adversary E can make the services of the network resource or servers unavailable. Therefore Mishra et al.'s scheme is vulnerable to the DoS attack.
The reason for this result is that server S_j cannot check the freshness of the login request message from the user U_i. S_j does not know whether the received messages are outdated, so it executes operation (2) as soon as it receives a login request message.
To resist the DoS attack, a timestamp needs to be added to the login request message. So we add the timestamp to message (1), which helps the servers check the freshness of messages.

No perfect forward secrecy
Perfect forward secrecy means that if one of the long-term keys is compromised, a session key which was derived from these long-term keys will not be compromised in the future [58]. Unfortunately, Mishra et al.'s scheme does not achieve perfect forward secrecy. Adversary E can calculate all session keys between the user U_i and server S_j if he knows one of the long-term keys, such as A_i.
First, E intercepts Z_i, SID_j, M_P1, M_P2 and M_P4 from message (1) and message (3) in a previous communication between U_i and S_j. Next, since the adversary knows the long-term key A_i, he can compute PSK from PSK = A_i ⊕ Z_i and B_i from B_i = h(A_i). Then, E further calculates n_P1 from n_P1 = M_P1 ⊕ h(PSK), ID_i from ID_i = M_P2 ⊕ h(n_P1||B_i), and n_P2 from n_P2 = M_P4 ⊕ h(ID_i||n_P1). Finally, adversary E acquires all previous session keys from SK_Pji = h(ID_i||SID_j||B_i||n_P1||n_P2). Therefore Mishra et al.'s scheme does not achieve perfect forward secrecy. In their scheme, A_i is a shared key between RC and U_i, which is calculated from A_i = h(ID_i||x||T_r). RC stores the information A_i and h(A_i) in the smart card SC_i. The value of A_i is invariable even if U_i updates the password, so A_i is treated as one of the long-term keys. From the above, it is demonstrated that there are defects in the generation of session keys.
To solve this problem, we need to add another secret, such as PSK, to the generation of session keys. It is also necessary to prevent adversary E from calculating all session keys by using the long-term key A_i and information from the public channel.
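As an added example (not the paper's code) that reproduces the derivation just described on a constructed transcript: each message of Mishra et al.'s scheme is built exactly as reviewed above, and key_from_transcript_and_a shows that the long-term A_i together with the eavesdropped values determines the recorded session key, which is what the absence of forward secrecy means in practice. SHA-256 as h(·), 32-byte operands and zero-padded identities are assumptions of this example; all key material is constructed.

```python
import hashlib

# Added example, not the paper's code: the forward-secrecy defect of Mishra et
# al.'s key derivation on a constructed transcript. Message contents follow the
# review above: Z_i = A_i xor PSK, M_P1 = n_1 xor h(PSK), M_P2 = ID_i xor
# h(n_1||B_i) with B_i = h(A_i), M_P4 = n_2 xor h(ID_i||n_1), and
# SK = h(ID_i||SID_j||B_i||n_1||n_2). Assumptions: SHA-256 as h(.), 32-byte
# operands, identities zero-padded to 32 bytes.

def h(*parts):
    """h(a||b||...) as SHA-256 over the concatenated operands."""
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad32(s):
    return s.ljust(32, b"\0")

def mishra_session(id_i, sid_j, a_i, psk, n_1, n_2):
    """One honest session: returns the public transcript (what a passive
    eavesdropper records) and the session key both parties derive."""
    b_i = h(a_i)
    transcript = {
        "Z": xor(a_i, psk),
        "SID": sid_j,
        "M_P1": xor(n_1, h(psk)),
        "M_P2": xor(pad32(id_i), h(n_1, b_i)),
        "M_P4": xor(n_2, h(pad32(id_i), n_1)),
    }
    return transcript, h(pad32(id_i), sid_j, b_i, n_1, n_2)

def key_from_transcript_and_a(transcript, a_i):
    """The paper's derivation: from the long-term A_i alone, every recorded
    session key follows from public values (PSK, B_i, n_1, ID_i, n_2 in turn).
    Nothing session-specific and secret enters the key, hence no forward secrecy."""
    psk = xor(a_i, transcript["Z"])
    b_i = h(a_i)
    n_1 = xor(transcript["M_P1"], h(psk))
    id_i = xor(transcript["M_P2"], h(n_1, b_i))
    n_2 = xor(transcript["M_P4"], h(id_i, n_1))
    return h(id_i, transcript["SID"], b_i, n_1, n_2)

def forward_secrecy_broken(id_i, sid_j, a_i, psk, n_1, n_2):
    """True when a later leak of A_i exposes the key of a session recorded
    earlier; a scheme with perfect forward secrecy would return False."""
    transcript, sk = mishra_session(id_i, sid_j, a_i, psk, n_1, n_2)
    return key_from_transcript_and_a(transcript, a_i) == sk

if __name__ == "__main__":
    demo = (b"alice", b"S_j", b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, b"\x04" * 32)
    print("old session key recoverable from A_i:", forward_secrecy_broken(*demo))
```

The defensive lesson is the one the paper draws: a session key that is a function only of long-term secrets and values sent in the clear is recoverable from any transcript once a long-term secret leaks, so the key derivation must include a contribution that the adversary cannot reconstruct from the transcript.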

No user revocation/re-registration phase
There is no user revocation/re-registration phase in Mishra et al.'s scheme, so user U_i cannot revoke his privilege or re-register when his smart card SC_i is stolen or lost. To extend the functionality of the scheme, we design the corresponding revocation/re-registration phase for the user's requirements. More details are given in Section 5.6.

The proposed scheme
Based on the cryptanalysis of Mishra et al.'s scheme, we present a novel robust biometric-based multi-server authentication and key agreement scheme which consists of six phases: the server registration phase, user registration phase, login phase, authentication phase, password change phase and revocation/re-registration phase. There are three participants: user U_i, server S_j and registration center RC. Table 2 lists the notations applied in our scheme.
The proposed scheme improves Mishra et al.'s scheme in several aspects: 1) it resists the masquerade attack by adding the destination of messages, 2) it appends a timestamp to prevent the Denial-of-Service (DoS) attack, 3) it introduces the pre-shared key (PSK) into the generation of session keys to achieve perfect forward secrecy, 4) it provides the revocation/re-registration phase for the user's requirements, and 5) it enhances the performance of the scheme, especially in the login phase. The details are described in the following subsections.

Server registration phase
The server registration phase is illustrated in Fig 4 and explained as follows.
1. The server S_j sends a join request message to the registration center RC if it wants to become an authorized server in the system.
2. After receiving the join request message, RC authorizes the server and replies with the pre-shared key (PSK) to the server S_j by applying the Internet Key Exchange protocol (IKEv2) through a secure channel.
3. Upon receiving the secret key PSK, the authorized server S_j uses the shared information, such as PSK and h(PSK), to check the user's legitimacy in the authentication phase.

User registration phase
A new user U_i needs to execute the user registration phase with the registration center RC via a secure channel. The user registration phase is shown in Fig 5 and described as follows.
1. First, U_i imprints the personal biometric information BIO_i at the sensor. After that, the sensor
4. Upon receiving SC_i, U_i stores P_i into SC_i and initializes the authentication environment.

Login phase
During the login phase, the smart card SC_i can detect an error event immediately by using the identity, password and biometric information. The login phase is illustrated in Fig 6 and explained as follows.
1. U_i inserts SC_i into the smart card reader, inputs the identity ID_i and password PW_i, and imprints the biometrics BIO*_i at the sensor. After that, the sensor sketches BIO*_i and recovers
3. SC_i generates a random number N_1 and computes

Authentication phase
In the authentication phase, server S_j confirms the destination and freshness of the login request message. The authentication phase is shown in Fig 7 and described as follows.
1. When receiving the login request message from U_i, server S_j verifies whether |T_i − T_j| ≤ ΔT holds, where ΔT is the allowed time interval and T_j is the time when S_j receives the login request message. If it holds, S_j continues with the next step. Otherwise, the login request is rejected by S_j.
2. S_j retrieves
3. If this verification holds, S_j generates a random number N_2 and computes the session secret
6. S_j verifies whether h(SK_ij||N_1||N_2) = M_5 holds. If this verification holds, S_j uses the session key SK_ij to communicate with U_i. Otherwise, authentication is rejected by S_j.
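As an added example (not the paper's code) that serves both the countermeasures motivated in Section 4 (destination binding, timestamp and nonce freshness) and the login and authentication steps above: the following Python reconstructs the two phases from the formulas given in the text (AID_i = ID_i ⊕ h(N_1), M_1 = N_1 ⊕ RPW_i ⊕ h(PSK), M_2 = h(AID_i||N_1||RPW_i||SID_j||T_i), M_4 = h(SID_j||N_2||AID_i), SK_ij = h(AID_i||SID_j||N_1||N_2), M_5 = h(SK_ij||N_1||N_2), and the values S_j recovers from D_i and B_i) and shows the server rejecting a genuine login request forwarded to a different server, a replayed request, and a stale one. SHA-256 as h(·), 32-byte XOR operands, the form of M_3 (N_2 ⊕ h(N_1||h(PSK)), since the text only says M_3 protects N_2 with h(PSK)), and treating A_i as an opaque RC-issued secret are assumptions of this example; keys and nonces are constructed.

```python
import hashlib
import secrets
import time

# Added example, not the paper's code. Assumptions: SHA-256 as h(.), 32-byte
# XOR operands, M_3 = N_2 xor h(N_1||h(PSK)), A_i an opaque secret issued by RC.
DELTA_T = 60  # allowed clock skew in seconds (demo value)

def h(*parts):
    """h(a||b||...) as SHA-256 over the concatenated operands."""
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a, b):
    assert len(a) == len(b) == 32
    return bytes(x ^ y for x, y in zip(a, b))

def pad32(s):
    return s.ljust(32, b"\0")

def ts(t):
    return str(t).encode()

def register_user(pw_i, r_i, a_i, psk):
    """Card contents the servers later undo: RPW_i = h(PW_i||R_i),
    B_i = RPW_i xor h(A_i), D_i = A_i xor PSK xor h(PSK); the card also holds
    h(PSK), which the paper calls the user's long-term key."""
    rpw = h(pw_i, r_i)
    return {"B": xor(rpw, h(a_i)), "D": xor(xor(a_i, psk), h(psk)), "hPSK": h(psk)}

def login_request(card, id_i, rpw, sid_j, t_i, n_1):
    """Login phase. SID_j inside M_2 is the destination binding that Mishra et
    al.'s message (1) lacked; T_i is the freshness value it lacked."""
    aid = xor(pad32(id_i), h(n_1))                 # AID_i = ID_i xor h(N_1)
    m_1 = xor(xor(n_1, rpw), card["hPSK"])         # M_1 = N_1 xor RPW_i xor h(PSK)
    m_2 = h(aid, n_1, rpw, sid_j, ts(t_i))         # M_2 = h(AID_i||N_1||RPW_i||SID_j||T_i)
    return {"AID": aid, "M1": m_1, "M2": m_2, "B": card["B"], "D": card["D"], "T": t_i}

def server_handle_login(msg, sid_j, psk, t_j, n_2, seen_nonces=None):
    """Authentication phase, steps 1-3 on S_j. Returns ok=False with a reason
    on rejection, otherwise the reply {SID_j, M_3, M_4} and S_j's SK_ij."""
    if abs(msg["T"] - t_j) > DELTA_T:               # step 1: freshness
        return {"ok": False, "reason": "stale timestamp"}
    a_i = xor(xor(msg["D"], psk), h(psk))          # A_i = D_i xor PSK xor h(PSK)
    rpw = xor(msg["B"], h(a_i))                    # RPW_i = B_i xor h(A_i)
    n_1 = xor(xor(rpw, msg["M1"]), h(psk))         # N_1 = RPW_i xor M_1 xor h(PSK)
    if seen_nonces is not None and n_1 in seen_nonces:
        return {"ok": False, "reason": "replayed nonce"}
    # M_2 is recomputed with *this* server's SID_j, so a genuine request that
    # was addressed to S_k fails here.
    if h(msg["AID"], n_1, rpw, sid_j, ts(msg["T"])) != msg["M2"]:
        return {"ok": False, "reason": "M2 mismatch: tampered or addressed to another server"}
    if seen_nonces is not None:
        seen_nonces.add(n_1)
    sk = h(msg["AID"], sid_j, n_1, n_2)            # SK_ij = h(AID_i||SID_j||N_1||N_2)
    m_3 = xor(n_2, h(n_1, h(psk)))                 # assumed form of M_3
    m_4 = h(sid_j, n_2, msg["AID"])                # M_4 = h(SID_j||N_2||AID_i)
    return {"ok": True, "reply": {"SID": sid_j, "M3": m_3, "M4": m_4},
            "SK": sk, "N1": n_1, "N2": n_2}

def user_handle_auth(reply, aid, n_1, sid_j, card):
    """U_i's side: recover N_2, check M_4 (the server half of mutual
    authentication), derive SK_ij and answer with M_5 = h(SK_ij||N_1||N_2)."""
    n_2 = xor(reply["M3"], h(n_1, card["hPSK"]))
    if reply["SID"] != sid_j or h(sid_j, n_2, aid) != reply["M4"]:
        return None
    sk = h(aid, sid_j, n_1, n_2)
    return {"SK": sk, "M5": h(sk, n_1, n_2)}

def server_verify_m5(state, m_5):
    """Step 6: S_j accepts the session only if M_5 matches its own SK_ij."""
    return h(state["SK"], state["N1"], state["N2"]) == m_5

if __name__ == "__main__":
    psk, a_i, r_i = (secrets.token_bytes(32) for _ in range(3))
    card = register_user(b"pw", r_i, a_i, psk)
    rpw = h(b"pw", r_i)
    n_1 = secrets.token_bytes(32)
    req = login_request(card, b"alice", rpw, b"S_j", int(time.time()), n_1)
    res = server_handle_login(req, b"S_j", psk, int(time.time()), secrets.token_bytes(32))
    ans = user_handle_auth(res["reply"], req["AID"], n_1, b"S_j", card)
    print("session established:", server_verify_m5(res, ans["M5"]))
```

The seen_nonces set is what makes the timestamp check sufficient: within the ΔT window a replay carries a fresh-looking T_i but the same N_1, so the server must remember recent nonces for at least ΔT; outside the window the timestamp check alone rejects it, which also bounds the work an attacker can force on S_j.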

Password change phase
During the password change phase, U_i updates the password without any assistance from server S_j or registration center RC. This phase consists of the following steps.
in the memory.

User revocation/re-registration phase
The user revocation/re-registration functionality helps user U_i revoke his privilege or re-register when his smart card SC_i is stolen or lost. If U_i wants to revoke his privilege, he needs to send a revocation request message, his smart card and the verification message {RPW_i} to the registration center RC over a secure channel. RC verifies whether U_i is valid. If so, RC modifies the corresponding entry by setting ⟨ID_i, N_i = 0⟩. Similarly, upon receiving a re-registration request message via a secure channel, RC executes the steps described in Section 5.2 and replaces ⟨ID_i, N_i⟩ with ⟨ID_i, N_i + 1⟩ to help U_i re-register. The user revocation or re-registration phase makes our scheme more robust in functionality than other related schemes.

Analysis of our scheme
An authentication and key agreement scheme has three important requirements: security, functionality and performance. It is necessary to analyze the proposed scheme from these three aspects. In this section, we explain how the proposed scheme satisfies these requirements, and compare our scheme with other related multi-server authentication and key agreement schemes.

Informal security analysis
In this section, we assume that adversary E has the capabilities assumed in Section 2.1. We analyze the strength of the proposed scheme against the following common attacks through informal security analysis.
Resistance to replay attack. In a replay attack, adversary E intercepts transmitted messages in order to reuse them in some manner, which involves copying and possibly altering the data in various ways. Although adversary E may intercept a previous login request message {AID_i, M_1, M_2, B_i, D_i, T_i} and send it to server S_j repeatedly, S_j verifies the legality of the message by checking T_i and N_1, which are different in every session, so E is not authenticated by S_j. Thus our scheme is secure against the replay attack thanks to the timestamp T_i and the random nonce N_1.
Resistance to modification attack. Even if adversary E intercepts the transmitted messages and attempts to modify them for authentication, the proposed scheme verifies whether the received messages have been modified with the help of the one-way hash function. Moreover, E cannot retrieve N_1, N_2 and PSK from the intercepted messages, so he does not have the capability to generate a legitimate authentication message. Therefore, our scheme prevents the modification attack.
Resistance to stolen-verifier attack. In the proposed scheme, the registration center RC and the servers do not possess the user's password or biometrics, so adversary E cannot steal a password verifier or biometric verifier of legitimate users even if he has the authority to access the databases of RC and the servers. Thus, our scheme resists the stolen-verifier attack.
Resistance to off-line guessing attack. With the assistance of side-channel attacks such as SPA or DPA, adversary E obtains B_i, C_i, D_i and V_i. But he cannot verify the user's password in an off-line environment without BIO_i, PSK, x and N_1. Also, the user's password is protected by the one-way hash function, as in h(PW_i||R_i), where R_i possesses high entropy. Moreover, no two people have the same biometric template. In conclusion, our scheme is secure against the off-line guessing attack.
Resistance to forgery attack. In a forgery attack, a legitimate yet malicious user E attempts to impersonate another legitimate user for login and authentication. In the communication between server S_j and user U_i, U_i's real identity ID_i is protected by the anonymous identity AID_i = ID_i ⊕ h(N_1). Furthermore, the random nonce N_1 changes in every session. So the malicious user E cannot acquire another legitimate user's real identity ID_i. As a result, our scheme prevents the forgery attack.
Resistance to insider attack. A malicious insider E is familiar with system policies or procedures and has authorized system access, and tries to obtain the user's private information such as the password and biometrics. RC cannot retrieve the password PW_i or the biometrics BIO_i from RPW_i = h(PW_i||R_i). Moreover, RC does not store RPW_i in the database. Thus, our scheme resists the insider attack.
Resistance to masquerade attack. Under this attack, adversary E is authenticated by server S_j with a fake or real identity. In Mishra et al.'s scheme, E applies the messages transmitted between S_j and U_i to acquire access to server S_k. To meet this problem, the destination of the message is added to the login request message and the authentication request message, as in M_2 = h(AID_i||N_1||RPW_i||SID_j||T_i) and M_4 = h(SID_j||N_2||AID_i), so that U_i and S_j verify that each one wants to be authenticated by the other. At the same time, E cannot compute M_2 or M_4 without N_1 or N_2. Therefore, our scheme is secure against the masquerade attack.
Resistance to smart card attack. In the smart card attack, adversary E tries to apply the information obtained from the smart card SC_i to be authenticated by server S_j without the password or biometrics. With SPA or DPA, E obtains B_i, C_i, D_i and V_i, which are stored in SC_i. In the proposed scheme, the session key between user U_i and server S_j is generated as SK_ij = h(AID_i||SID_j||N_1||N_2). Although E obtains M_1 and M_3 via public channels, it is difficult for him to retrieve N_1, N_2 and AID_i without PSK. Above all, our scheme prevents the smart card attack.
Resistance to user impersonation attack. In a user impersonation attack, adversary E impersonates user U_i using only the smart card SC_i, without the password or biometrics. The proposed scheme applies h(PSK) to protect N_1, N_2 and AID_i even if E acquires B_i, C_i, D_i and V_i by side-channel attacks. Thus, E cannot calculate the session keys to impersonate the user U_i. In conclusion, our scheme resists the user impersonation attack.
Resistance to DoS attack. A DoS attack diminishes or eliminates the server's expected capability in order to make the server unavailable. With the help of the timestamp T_i, server S_j checks the freshness and legality of M_2 = h(AID_i||N_1||RPW_i||SID_j||T_i) in the login request message. The current timestamp does not match the previous M_2 replayed by adversary E. Moreover, our scheme applies the fuzzy extractor to satisfy the usage requirements of biometrics. As a result, our scheme is secure against the DoS attack.
Resistance to server spoofing attack. Upon receiving the login request message from U_i, adversary E tries to spoof server S_j by replaying an old authentication request message. This attempt fails, since U_i uses different random numbers in different sessions, that is, the old nonce N^old is never reused. Therefore, our scheme prevents the server spoofing attack.

Formal security analysis
With the help of the formal security analysis, we demonstrate that our scheme is secure against adversary E. For this purpose, we define the oracle Reveal as follows: it unconditionally outputs x from the one-way hash function y = h(x). The following two theorems provide the formal security analysis of our scheme.
Theorem 1. Under the assumption that the one-way hash function h(·) closely behaves like the oracle Reveal, our scheme is provably secure against adversary E for retrieving the identity ID_i of user U_i, the pre-shared key PSK of server S_j, and the session key SK_ij between U_i and S_j.
Proof. We need to construct an adversary E who has the capacity to retrieve the identity ID_i of user U_i, the pre-shared key PSK of server S_j, and the session key SK_ij between U_i and S_j. Adversary E applies the oracle Reveal to execute the experimental algorithm EXP1^HASH_{E,BMAKAS}, where BMAKAS denotes the proposed biometric-based multi-server authentication and key agreement scheme. The details of Algorithm 1 are described in Table 3. We define the success probability of EXP1^HASH_{E,BMAKAS} as Success1 = |Pr[EXP1^HASH_{E,BMAKAS} = 1] − 1|, where Pr[·] denotes the probability of the event. The advantage function for algorithm EXP1^HASH_{E,BMAKAS} becomes Adv1(et_1, q_Reveal) = max_E{Success1}, where the maximum over adversaries E depends on the execution time et_1 and the number of queries q_Reveal made to the oracle Reveal. Our scheme is provably secure against adversary E if Adv1(et_1, q_Reveal) ≤ ε_1 for any sufficiently small ε_1 > 0. If adversary E had the ability to retrieve x from the one-way hash function y = h(x), then he could easily derive the identity ID_i, the pre-shared key PSK and the session key SK_ij to win the game. However, it is computationally infeasible to retrieve the inputs of a one-way hash function. So max_E{Success1} = Adv1(et_1, q_Reveal) ≤ ε_1 for any sufficiently small ε_1 > 0. In conclusion, our scheme is provably secure against adversary E for retrieving the identity ID_i of user U_i, the pre-shared key PSK of server S_j, and the session key SK_ij between U_i and S_j.
Theorem 2. Under the assumption that the one-way hash function h(·) closely behaves like the oracle Reveal, our scheme is provably secure against adversary E for retrieving the password PW_i of user U_i, even if the smart card SC_i is stolen.
Proof. We need to construct an adversary E who has the capacity to retrieve the password PW_i. Adversary E extracts all the information {B_i, C_i, D_i, V_i} from the stolen smart card SC_i and applies the oracle Reveal to execute the experimental algorithm EXP2^HASH_{E,BMAKAS}. The details of Algorithm 2 are described in Table 4.

Algorithm 1 (Table 3):
Apply the oracle
2. Apply the oracle Reveal to retrieve AID^I_i, N^I_1, RPW^I_i, SID^I_j and T^I_i from
Apply the oracle Reveal to retrieve PSK^I from Reveal(H_1) → (PSK^I).
6. Eavesdrop the authentication request message {SID_j, M_3, M_4} during the authentication phase, where
7. Further apply the oracle Reveal to retrieve AID^II_i, N^II_2 and SID^II_j from
Apply the oracle Reveal to retrieve PSK^II from Reveal(H_2) → (PSK^II).
13. Accept ID^I_i, PSK^I and SK*_ij as the identity ID_i of user U_i, the pre-shared key PSK of server S_j, and the session key SK_ij between U_i and S_j, respectively.
14. return 1 (Success)
15.

We also define the success probability of EXP2^HASH_{E,BMAKAS} as Success2 = |Pr[EXP2^HASH_{E,BMAKAS} = 1] − 1|, where Pr[·] denotes the probability of the event. The advantage function for algorithm EXP2^HASH_{E,BMAKAS} becomes Adv2(et_2, q_Reveal) = max_E{Success2}, where the maximum over adversaries E depends on the execution time et_2 and the number of queries q_Reveal made to the oracle Reveal. Our scheme is provably secure against adversary E if Adv2(et_2, q_Reveal) ≤ ε_2 for any sufficiently small ε_2 > 0. If adversary E had the ability to retrieve x from the one-way hash function y = h(x), then he could easily derive the password PW_i to win the game. However, it is computationally infeasible to retrieve the inputs of a one-way hash function. So max_E{Success2} = Adv2(et_2, q_Reveal) ≤ ε_2 for any sufficiently small ε_2 > 0. In conclusion, our scheme is provably secure against adversary E for retrieving the password PW_i of user U_i.

Functionality analysis
Various functionality requirements for multi-server authentication and key agreement schemes have been suggested in previous studies. In this section, we show that our scheme provides these functionalities.
Anonymity. Anonymity means that the user's real identity is not disclosed to an unauthorized party. In the presented scheme, U_i calculates the dynamic identity AID_i = ID_i ⊕ h(N_1), and N_1 is not leaked by the messages sent over public channels. Thus, adversary E cannot compute the user's identity ID_i without N_1. The authorized server S_j retrieves A_i = D_i ⊕ PSK ⊕ h(PSK) and RPW_i = B_i ⊕ h(A_i), and further calculates N_1 = RPW_i ⊕ M_1 ⊕ h(PSK). So only authorized servers can confirm the real identity of U_i. As a result, adversary E cannot acquire the user's real identity, while user U_i is authenticated anonymously by server S_j.
Mutual authentication. Mutual authentication is achieved when two parties authenticate each other. In our scheme, users and servers authenticate each other by using N_1, N_2, h(PSK), D_i and T_i. During the authentication phase, server S_j verifies whether M_2 is consistent with h(AID_i||N_1||RPW_i||SID_j||T_i) to authenticate the user U_i, and U_i authenticates S_j by checking whether h(SID_j||N_2||AID_i) = M_4 holds. In conclusion, our scheme provides mutual authentication.
Session key agreement. Session key agreement means that users and servers securely establish a session key which is applied to protect the subsequent communication. In the proposed scheme, the session key SK_ij = h(AID_i||SID_j||N_1||N_2) is generated by user U_i and server S_j, where N_1 and N_2 are different in every session. Therefore, session keys differ in each session, so it is difficult for adversary E to retrieve previous session keys from the intercepted messages.
Perfect forward secrecy. Perfect forward secrecy means that a session key will not be compromised even if the user's long-term key is compromised in the future [11,15]. In our scheme, the session key between user U_i and server S_j is calculated as SK_ij = h(AID_i||SID_j||N_1||N_2). Even if the user's long-term key h(PSK) is compromised, adversary E cannot calculate RPW_i and PSK, so he cannot retrieve N_1 and N_2 to generate the session keys between U_i and S_j. Above all, our scheme achieves perfect forward secrecy.
User revocation/re-registration. The user U_i needs to send a revocation or re-registration request message to the registration center RC over a secure channel if he wants to revoke his privilege or re-register. RC helps U_i revoke his privilege or re-register by modifying ⟨ID_i, N_i⟩ in the database. The user revocation/re-registration functionality meets the requirements of practical applications. It also makes our scheme more robust than other related schemes.
Biometric information protection. In conventional schemes, the user's biometric information is stored directly in the smart card SC_i, so adversary E can obtain the biometrics from a lost smart card with the assistance of side-channel attacks. We adopt a high-security mechanism to solve this problem. The nearly random string R_i, which is extracted from the biometric information BIO_i by the fuzzy extractor, is protected by the one-way hash function; more details are described in Section 2.2. This makes it impossible for E to obtain the biometric information. In conclusion, our scheme provides biometric information protection.

Efficiency analysis
Efficiency is an important consideration when evaluating schemes. The efficiency of a multi-server authentication and key agreement scheme can be measured by the following metrics: single registration, secure and simple password modification, fast error detection, and low computational cost.
Single registration. The single registration means that a single point of registration allows users to acquire the access to all servers in the system. In the proposed scheme, user U i registers with registration center RC only once to be authenticated with every server and apply the server's services anonymously. So our scheme achieves the single registration.
Secure and simple password modification. The secure and simple password modification demands that users change their passwords without the assistance of any third trusted party and the authenticity of the users is verified by their smart card. In our scheme, user U i changes the password conveniently and does not require any communication with registration center RC. Furthermore, smart card SC i checks whether h(ID i ||RPW i ) = V i holds for every password modification so that adversary E cannot change the password even if he acquires the smart card and password. In conclusion, proposed scheme provides the secure and simple password modification.
Fast error detection. It is necessary to provide the fast error detection, which means that smart card SC i checks the incorrect passwords or any other discrepancies quickly. In the login and password change phases, SC i detects the errors immediately, such as inaccurate identities, incorrect passwords and false biometrics without the help of registration center RC and server S j . Therefore, our scheme achieves the fast error detection.
Low computational cost. The computational cost of the scheme should be minimized in practice. As the major parties of communication, U i and S j produce the random number twice, calculate the XOR operation 12 times, and perform the hash function 15 times to complete the login and authentication phases. As a result, computational cost of our scheme is a little lower than other related schemes.

Comparisons with related schemes
In this section, we compare the attack resistance, functionality and performance of our scheme with other related biometric-based multi-server authentication and key agreement schemes [60]. Table 5 lists the resistance comparison of various biometric-based multi-server authenticated key agreement schemes. In Table 5 we use the following notations: R1: resistance to replay attack, R2: resistance to modification attack, R3: resistance to stolen-verifier attack, R4: resistance to offline guessing attack, R5: resistance to forgery attack, R6: resistance to insider attack, R7: resistance to masquerade attack, R8: resistance to smart card attack, R9: resistance to user impersonation attack, R10: resistance to DoS attack and R11: resistance to server spoofing attack. The result indicates that our scheme is more secure and achieves all of the resistance requirements. Table 6 shows the functionality comparison of the proposed scheme with other related schemes. In Table 6, we use the following notations: F1: anonymity, F2: mutual authentication, F3: session key agreement, F4: perfect forward secrecy, F5: user revocation/re-registration and F6: biometric information protection. We further compare our scheme with Lu et al.'s scheme [24], which is another improved scheme. It can be seen that our scheme provides more of the functionality requirements than the other related schemes.
We compare our scheme with other biometric-based multi-server authentication and key agreement schemes in terms of computational overhead, communication overhead and storage requirement in the login and authentication phases. To measure computational complexity, we count the number of hash function operations as the time complexity, since the XOR operation requires very little computation; T_h stands for the computation time of one hash function evaluation. According to Xue et al.'s work [61], the average running time of a one-way secure hash function operation is about 0.2 ms. Table 7 and Fig 8 compare our scheme with the other related schemes in terms of computation overhead. In Table 7, we use the following notations: S1: computation overhead in the login phase, S2: execution overhead in the login phase, S3: computation overhead in the authentication phase, S4: execution overhead in the authentication phase and S5: total execution overhead. The proposed scheme requires lower computation overhead than the other schemes.
To estimate the communication efficiency, we assume the following lengths for the security parameters: the bit length of a random number N_i is 160, the bit length of a user identity is 160, the bit length of a timestamp T_i is 16, and the output length of the hash function is 160, following SHA-1, which is used in most of the previous schemes. In our scheme, U_i transmits the request message {AID_i, M_1, M_2, B_i, D_i, T_i} to S_j during the login phase, and its length is (160 + 160 + 160 + 160 + 160 + 16)/8 = 102 bytes. In the authentication stage, the communication overhead is (160 + 160 + 160 + 160)/8 = 80 bytes, which covers the authentication request message {SID_j, M_3, M_4} and the authentication reply {M_5}. So the total communication overhead of the proposed scheme is 102 + 80 = 182 bytes. Analogously, we measure the communication overhead of the related schemes. To estimate the storage requirement, we take the values stored in the smart card as the storage overhead and calculate the byte length of the stored information. In our scheme, the stored values {B_i, C_i, D_i, V_i, P_i} require (160 + 160 + 160 + 160 + 160)/8 = 100 bytes. Similarly, we estimate the storage requirement of the other schemes. Table 8 and Fig 9 show the comparison of the communication and storage costs of various multi-server authentication and key agreement schemes. In Table 8 we use the following notations: C1: communication cost in the login phase, C2: communication cost in the authentication phase, C3: total communication cost and C4: storage cost.
With the same level of communication overhead and storage requirement, our scheme clearly has the advantage in computational complexity when the computation costs of these related schemes are considered. From the comparisons given above, we conclude that our scheme offers a better balance of resistance, functionality and performance than the other related schemes.

Conclusion
With the growing security requirements of networks, biometric authentication schemes applied in the multi-server environment are becoming more important and more widely deployed. In this paper, we analyze the security of Mishra et al.'s scheme. Based on the cryptanalysis of their scheme, we propose a novel biometric-based multi-server authentication and key agreement scheme. The presented scheme improves Mishra et al.'s scheme and satisfies the desirable security requirements, as demonstrated through informal and formal security analysis respectively. Our scheme also provides significant functionalities that most existing authentication schemes do not consider, such as user revocation or re-registration and biometric information protection. In addition, comparisons of security, functionality and performance between the proposed scheme and several related ones are given. The results show that our scheme has more security properties, more functionalities and lower computation cost at the same level of communication overhead and storage requirement. We conclude that our scheme is clearly more appropriate for practical applications in remote distributed networks.