Security enhanced multi-factor biometric authentication scheme using bio-hash function

With the rapid development of personal information and wireless communication technology, user authentication schemes have been crucial to ensure that wireless communications are secure. As such, various authentication schemes with multi-factor authentication have been proposed to improve the security of electronic communications. Multi-factor authentication involves the use of passwords, smart cards, and various biometrics to provide users with the utmost privacy and data protection. Cao and Ge analyzed various authentication schemes and found that Younghwa An’s scheme was susceptible to a replay attack where an adversary masquerades as a legal server and a user masquerading attack where user anonymity is not provided, allowing an adversary to execute a password change process by intercepting the user’s ID during login. Cao and Ge improved upon Younghwa An’s scheme, but various security problems remained. This study demonstrates that Cao and Ge’s scheme is susceptible to a biometric recognition error, slow wrong password detection, off-line password attack, user impersonation attack, ID guessing attack, a DoS attack, and that their scheme cannot provide session key agreement. Then, to address all weaknesses identified in Cao and Ge’s scheme, this study proposes a security enhanced multi-factor biometric authentication scheme and provides a security analysis and formal analysis using Burrows-Abadi-Needham logic. Finally, the efficiency analysis reveals that the proposed scheme can protect against several possible types of attacks with only a slightly high computational cost.


Introduction
Distributed, networked systems allow users to efficiently access resources at their convenience. Web services such as on-line shopping and Internet banking have become common in today's technological world, and this has given rise to serious demand for remote authentication processes that ensure transactions between users and servers are secure. In various server environments, user authentication schemes are required to implement elevated levels of PLOS  ownership. The first password-based scheme was introduced by Lamport in 1981, and since then, various studies have been carried out on the security, efficiency, and costs of authentication schemes. Existing remote authentication schemes are mainly implemented using a public key system, and in most cases, these can be divided into traditional certificate-based authentication schemes and identity-based authentication schemes according to the type of evidence they adopt for authentication [1][2][3][4][5][6][7][8][9]. Various identity-based schemes have been proposed to provide secure, efficient, and practical authentication. One class is based on a pairing operation, which is practical but inefficient since the pairing operation has a high computational cost. The second is based on a particular hash function through which identity information is mapped to a point on an elliptic curve, resulting in a complicated structure. The third is a direct ID-based scheme that uses a general cryptographic hash function with a structure that is simpler than that of the second class. Due to this structure's simplicity, authentication can be accomplished with only a three-way handshake. However, it is still easy for a malicious person to carry out an attack. When all of the problems of the three categories mentioned above are taken into account, secure direct identity-based authentication schemes provide the optimum design for mobile device users and real-time applications [10][11][12][13][14][15][16][17][18][19][20].
Recently, identity-based authentication schemes with a hash function were further divided into three categories according to the methods used in the authentication procedure: (1) knowledge-based scheme, (2) object-based scheme, and (3) biometrics-based scheme. However, each type has its own outstanding performance and limitations [21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37]:
• knowledge-based authentication is simple, convenient, and efficient, but because it relies on a password it is vulnerable to information leaks to malicious persons,
• object-based authentication, based on the physical possession of a device such as a smart card, allows an adversary to impersonate legitimate users in a situation where the smart card is lost,
• biometrics-based authentication shows better results than the two types described above.
The biometric keys, such as fingerprints or facial features, cannot be lost and forgotten. However, biometric samples, such as facial images, can be captured in various system databases, so biometric keys can remain insecure.
Multi-factor biometric authentication combines the use of a password, biometrics, and smart card protection to improve security and prevent various types of attacks, and it is not affected by the aforementioned defects. Such schemes have recently become a focal point of research, mainly reflected in the work put forward by various researchers. In 2010, Li and Hwang proposed a novel scheme using identity and a public key system, and then Das extended the work of Li et al. and made improvements to their weak scheme in 2011. In 2012, Younghwa An showed that Das's proposed protocol failed to achieve mutual authentication for the server and user. However, Younghwa An's scheme allows an adversary to masquerade as a legal server or as a user since mutual authentication is not provided. Cao and Ge attempted to improve on Younghwa An's scheme, but their scheme also has various security problems. We show that Cao and Ge's scheme is vulnerable to a biometric recognition error, slow wrong password detection, off-line password attack, user impersonation attack, ID guessing attack, a DoS attack, and also lacks session key agreement. This study then proposes a scheme to provide improved security by resolving the issues inherent to Cao and Ge's scheme [38][39][40][41][42][43][44].
The remainder of this paper is organized as follows. Section 2 briefly introduces related work on the bio-hash function and smart card information to help better understand the details of this paper. Section 3 briefly introduces Cao and Ge's scheme. Section 4 mainly discusses its weaknesses. Section 5 describes countermeasures to solve its problems. Section 6 details the countermeasures to protect against all attacks. Section 7 is devoted to a formal security analysis of the modified scheme by using Burrows-Abadi-Needham logic (BAN-logic), and it compares the results of a security analysis and efficiency analysis with the modified scheme and some existing authentication schemes. The results indicate that the modified scheme has a slightly high computational cost and can protect against several possible attacks. Section 8 then concludes this paper.

Related works
In this section, the adversary's capability, the bio-hash function, and smart card information are explained to give a better understanding of the content of this paper.

Adversary's capability
In this paper, we assume the following about a probabilistic, polynomial-time adversary to properly capture the security requirements of a multi-factor biometric authentication scheme that uses smart cards during the registration phase, password change phase, and login and authentication phase [45].
• The adversary is able to have complete control over all message exchanges between the protocol participants, including a user and a server. That is, the adversary can intercept, insert, modify, delete, and eavesdrop on messages exchanged between the two parties at will.
• The adversary can (1) extract sensitive information from the smart card of a user through a power analysis attack or (2) determine the user's password, possibly via shoulder-surfing or by employing a malicious card reader. However, the adversary cannot compromise both the information of the smart card and the password of the user. It is otherwise clear that there is no way to prevent the adversary from impersonating the user if both factors have been compromised.

Bio-hash function
A hash function refers to a one-way transformation function. The hash function takes an arbitrary input and returns a string with a fixed size, which is referred to as a hash value or as a message digest. Due to the peculiarity and ability of biometrics to differentiate a particular person from others, various systems have adopted methods to solve authentication and verification problems. However, a small change in biometric data (a little information missing from the biometric, noise, or a change in the order of the data input) may result in a momentous change in the hash value due to the uncertainty inherent to the retrieval of biometric features. In other words, general hash functions result in large differences due to slight differences in input, and recognition errors easily result from slight biometric changes. To resolve this problem, a bio-hash function system has been proposed and studied. In various studies on bio-hashing systems, the bio-hash function must adhere to the following properties:
• similar biometric information should have similar hash values,
• different biometric information should not have similar hashes,
• rotation and translation of the original template should not have a substantial impact on hash values,
• partial biometric information (with missing core and delta) should be matched if sufficient minutiae are present.
A certain class of hash functions can be formulated to be invariant to the order in which the input pattern is presented to the hash function, and such hash functions are known as bio-hash functions or symmetric hashes. So, the bio-hash function can resolve the recognition error of a general hash function and can authenticate a legal user even if the user's biometric information changes a little [46,47].
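The contrast drawn above between a general hash and a bio-hash can be measured directly. The following is an added example, not code from the paper: it uses a simplified random-projection bio-hash (token-seeded projections followed by a sign threshold) as a stand-in for H(·), and the feature vectors, noise level, seeds and the matching threshold are constructed assumptions.

```python
import hashlib
import random

DIM = 64     # length of the constructed biometric feature vector (assumption)
BITS = 128   # length of the bio-hash code (assumption)


def general_hash_bits(features):
    """SHA-256 over the serialized feature vector, returned as a 256-bit integer."""
    data = ",".join(f"{x:.4f}" for x in features).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def bio_hash_bits(features, token_seed):
    """Simplified bio-hash: project the features onto BITS token-seeded random
    directions and keep only the sign of each projection."""
    rng = random.Random(token_seed)
    code = 0
    for _ in range(BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in range(len(features))]
        projection = sum(d * x for d, x in zip(direction, features))
        code = (code << 1) | (1 if projection >= 0 else 0)
    return code


def hamming(a, b):
    """Number of bit positions in which two codes differ."""
    return bin(a ^ b).count("1")


def matches(code_a, code_b, max_distance=16):
    """Accept when two bio-hash codes differ in at most max_distance bits."""
    return hamming(code_a, code_b) <= max_distance


def make_samples(seed=2024):
    """Constructed data: an enrolled sample, a noisy re-capture from the same
    user (B* i in the text), and an unrelated sample from another user."""
    rng = random.Random(seed)
    enrolled = [rng.uniform(-1, 1) for _ in range(DIM)]
    same_user = [x + rng.uniform(-0.02, 0.02) for x in enrolled]
    other_user = [rng.uniform(-1, 1) for _ in range(DIM)]
    return enrolled, same_user, other_user


def compare(token_seed=7):
    """Bit differences for each pairing, under both kinds of hash."""
    enrolled, same_user, other_user = make_samples()
    ref = bio_hash_bits(enrolled, token_seed)
    return {
        "sha256_same_user": hamming(general_hash_bits(enrolled),
                                    general_hash_bits(same_user)),
        "biohash_same_user": hamming(ref, bio_hash_bits(same_user, token_seed)),
        "biohash_other_user": hamming(ref, bio_hash_bits(other_user, token_seed)),
    }


if __name__ == "__main__":
    for name, distance in compare().items():
        print(f"{name}: {distance} differing bits")
```

The general hash turns a small capture difference into roughly half of its 256 output bits, while the projected code stays close for the same user and far for a different one.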

Smart card information
Various researchers have shown that confidential information stored in smart cards can be extracted by physically monitoring the power consumption, such as by using a simple power analysis and a differential power analysis. When a user loses his or her own smart card, an adversary can analyze it and extract all information stored within. Variations of such schemes are vulnerable to off-line password attacks where an adversary can be authenticated to the server without separately obtaining the user's information for login and authentication, such as their ID, password and biometrics. Therefore, a security-enhanced authentication scheme needs to remain secure even if all the information of a user's smart card is revealed [48,49].

Review of Cao and Ge's authentication scheme
The process for Cao and Ge's authentication scheme is reviewed before conducting the security analysis. Their scheme includes three phases: registration phase, password change phase, and login and authentication phase. The server S i stores a secret value X s and a user account database, which includes the legal user's authentication information [50]. For convenience, the notations used throughout this paper are summarized in Table 1.

Registration phase
This phase is the first to be performed once the U i registers itself with the server S i .
(R1) U i selects ID i and PW i , imprints its own B i , and generates K. Then, U i sends the identity ID i , password information (PW i ⊕ K), and biometric information (B i ⊕ K) to the server S i by using a secure channel.
(R3) S i creates an entry for user ID i and stores n i in this entry in the database. Then, S i computes EID i = h(ID i ) ‖ n i and stores EID i in the entry.

Password change phase
The password change phase is carried out when U i wants to change the password or the smart card is lost. Fig 2 describes the password change phase on Cao and Ge's scheme.
(RR1) U i submits the ID i , password information (PW i ⊕ K′), and biometric information (B i ⊕ K′) to S i via a secure channel, where K′ is the new random number.
(RR2) S i computes v′ i = h(h(PW i ) ⊕ h(B i ) ⊕ X s ) and compares v′ i with v i in the account database. If they are not the same, this phase is terminated.
(RR3) Otherwise, S i computes n inew = n i + 1. Then, S i performs the following computations;
(RR4) S i sends U i a new smart card that contains ⟨EID i , h(·), f inew , e inew , n inew ⟩ by using a secure channel. Then U i stores the random number K′ in the smart card.
(L2) U i inputs the ID i and PW i and then, the smart card computes
The server S i executes the authentication phase when the message is received.
(A1) S i makes sure that EID i satisfies the original format using the database entry and checks the ID i for the authentication phase.
(A2) If the ID i is valid when compared with the database of S i , S i computes
Then, S i sends the message ⟨M 6 , M 7 ⟩ to U i .
(A4) U i computes M 8 and verifies whether M 7 = h(M 1 ‖ M 8 ) or not. If they are equal, U i calculates M 9 .
(A6) After receiving ⟨M 9 ⟩, S i makes sure that M 9 is equal to M 10 = h(M 4 ‖ M 5 ‖ R s ) and then accepts the user's login request. S i sends M 10 to U i .
Upon receiving ⟨M 10 ⟩, U i makes sure that M 10 is equal to h(M 1 ‖ R c ‖ M 8 ) and then regards S i as a legal server.

Cryptanalysis of Cao and Ge's authentication scheme
We analyze Cao and Ge's authentication scheme and identify various security vulnerabilities, including a biometric recognition error, slow wrong password detection, off-line password attack, user impersonation attack, ID guessing attack, DoS attack, and a lack of session key agreement.

Biometric recognition error
Cao and Ge's authentication scheme only uses a general hash function to check biometrics. However, the hash function has a property that causes a slight difference in the input data to result in a very large difference in the output data. Fig 4 describes the biometric recognition error in Cao and Ge's scheme. The output of the imprinted biometrics is not always constant, so biometrics generally have instances of false acceptance and false rejection. Therefore, even when U i imprints biometrics in the device, it is possible to output a different B* i . The same user can thus generate different outputs, such as B i during the registration phase and B* i during the login phase. The differences between B i and B* i can result in big differences between f i and f* i , and this difference between f i and f* i results in a biometric recognition error in the login phase. A normal user then does not pass the user biometric verification stage because the smart card compares the computed f* i to f i , which is stored within the smart card. Therefore, even though U i imprints his/her own biometrics, a biometric recognition error can occur. Thus, the smart card needs to be implemented using more advanced techniques, such as a bio-hash function, to improve the biometrics verification process [51].

Slow wrong password detection
Slow wrong password detection refers to instances in which the user cannot immediately know of a mistake when inputting the wrong password, and learns of it only when server S i reports a wrong user password. In Cao and Ge's authentication scheme, the user's smart card cannot verify the accuracy of the user password during the login phase. Only S i verifies a legal user by comparing M 3 with h(M 4 ‖ M 5 ) during the authentication phase. Fig 5 specifically  S i is unable to immediately confirm the wrong password after receiving the messages First, S i verifies the received EID i using EID i in the database, and then com- Then, because M* 3 is the same as h(M 4 ‖ M* 5 ), S i eventually confirms that the received messages are not normal, and that U i may have input the wrong password. Basically, S i sends the wrong password notification to U i . In detail, Cao and Ge's scheme requires a lengthy phase that includes value computation and message transmission before confirming that the user input the wrong password. Therefore, a smart card is needed to provide a fast wrong password detection technique during login. When U i inputs the wrong password during the login phase, the smart card needs to quickly identify the incorrect password and should immediately notify U i of the mistake.

Off-line password attack
In Cao and Ge's scheme, an adversary can compute the user's password by using public messages and the user's smart card, obtaining M 2 and M 3 from public messages between the user and the server. Information that is generally stored in smart cards can be extracted in various ways, such as by monitoring the power consumption. Therefore, if a user loses a smart card, all of the information in the smart card can be revealed by an adversary. The smart card stores various types of information, including user login and authentication, so the adversary can acquire the e i , f i , K, and hash function h(·) values from the user's smart card. The adversary knows the formula for all values used in Cao and Ge's scheme as follows:
The adversary uses the determined values, messages, and formula to compute the M 3 formula, as follows:
The adversary then knows all values in this formula, except for PW i . Therefore, the adversary can easily determine the user's password PW i by mounting an off-line password guessing attack because the password PW i is not long enough and has a low level of entropy. If the adversary knows the PW i , various attacks can be facilitated by using the user's password. Therefore, the password needs to be protected by using other values with a high entropy that are not stored in the smart card, such as biometric information [52].

User impersonation attack
In Cao and Ge's scheme, an adversary can be authenticated with the server by using the user's smart card and the password without access to the user's biometric information. The accompanying figure describes in detail a user impersonation attack for Cao and Ge's authentication scheme. In further detail, when an adversary obtains or steals a user's smart card and figures out the user's password, the legitimate user can be easily impersonated. In section 1, an adversary is shown to compute the user's password by using a smart card and public messages. Therefore, this scheme is critically deficient in that the adversary can be authenticated by the server without the user's biometrics.
As described in Fig 6, the adversary can illegally extract all values including K i , f i , e i , and EID i from the user's smart card by monitoring the power consumption. It then computes PW i using an off-line password attack and computes r i using PW i , K i , f i as follows:
Even if U i successfully executes the password change process, the adversary can still use these to impersonate a legal user, authenticate to S i without knowing the B i values, and then compute normal authentication messages ⟨EID i , M a 2 , M a 3 ⟩ using r i , e i , EID i as follows:
After S i receives the messages EID i , M a 2 , and M a 3 , S i checks the legitimacy of the messages. However, S i cannot distinguish between a normal M 9 and an abnormal M 9 because the adversary used accurate values like h(ID i ‖ X s ), but the adversary normally computes h(ID i ‖ X s ) using r i , e i .
Then, S i sends the authentication messages ⟨EID i , M 6 , M 7 ⟩ for U i . These are then used by the adversary to compute the next authentication message M a 9 for S i as follows,
Next, S i checks that the received M a 9 is the same as M a 10 = h(M 4 ‖ M a 5 ‖ R s ). However, S i cannot distinguish it from a normal M 9 because the adversary uses accurate values like M 1 h(ID i ‖ X s ) and R a c , which is used for ⟨EID i , M a 2 , M a 3 ⟩. Then, S i accepts the login request for the adversary.
The adversary can be authenticated at S i because he determined EID i , e i and r i through an off-line password attack, so S i cannot distinguish between the adversary and a legitimate user. Since the user's biometric information is not used during the login and authentication phase, S i authenticates the adversary as a normal user. S i cannot store and check the password and biometric information during the login and authentication phase due to the user's privacy. Thus, to solve this problem, it is necessary to modify the way in which the authentication value h(ID i ‖ X s ) is computed for the user. This value cannot be stored on the smart card, and it can only be computed by a legitimate user when the user simultaneously inputs the password and biometrics during the login and authentication phase.

ID guessing attack
Cao and Ge's authentication scheme uses EID to protect the user's ID i in order to ensure user anonymity during public communication. However, the adversary can determine the user's ID i by using the user's smart card and the public communication message EID i . Fig 8 describes in detail how to compute the user's ID i for Cao and Ge's authentication scheme.
When an adversary obtains or steals a user's smart card, he can extract EID i , n i and h(·). Then, the adversary can compute the user ID i from the formula EID = h(ID) ‖ n i because he knows all values except for the ID i . In general, a user ID i has a low entropy so the adversary is able to easily compute the user ID i . Basically, if an adversary fails to extract EID i from the smart card, he can acquire EID from public communication. Therefore, even though the adversary extracts n i and h(·) from the user's smart card, he can determine the ID i from EID = h(ID) ‖ n i . The user's ID i can be used for another attack, and therefore, the user's ID i needs to be protected using another value that the adversary cannot determine from the user's smart card or from public communication.

Vulnerability to a DoS attack
A DoS attack is one in which an adversary attempts to make a server or network resource unavailable to prevent legitimate users from accessing the normal service. Although there are various ways to accomplish a DoS attack, the server's system or configuration has to prepare defenses against it. However, in Cao and Ge's scheme, an adversary can execute a DoS attack without difficulty. Fig 9 describes the DoS attack for Cao and Ge's authentication scheme.
An adversary can collect the previous messages ⟨EID pi , M p2 , M p3 ⟩ exchanged between a legitimate user U i and a server S i . Then, the adversary sends the messages to S i without modification. The S i unavoidably executes all operations of (2) and sends the (3) messages ⟨EID pi , M 6 , M 7 ⟩ to the U i . This is because S i cannot verify the freshness of the (1) messages ⟨EID pi , M p2 , M p3 ⟩. This operation involves the generation of a random nonce once, executing the hash function twice, calculating the exclusive-or operation twice, conducting the similarities checking function twice, and then, sending (3) messages ⟨EID pi , M 6 , M 7 ⟩. Therefore, the adversary can easily attempt to carry out a DoS attack targeting the server to see if he can obtain an intercepted number from previous messages. Cao and Ge's scheme does not check the freshness of an authentication message. Therefore, when an adversary sends previous authentication messages to S i , S i cannot verify whether the received messages are current or not, and S i is obligated to execute various operations. In order to defend against a DoS attack, this scheme needs to check the freshness of the messages by considering the timestamps.

Lack of session key agreement
In general, the session key refers to a symmetric key that is used to encrypt all messages in the communication session. Therefore, it can be computed and used for secure communications among communication members after successfully finishing the authentication phase. Fig 10 describes in detail the lack of session key agreement for Cao and Ge's authentication scheme. As described in Fig 10, U i and S i finally authenticate each other using M 9 and M 10 , and then they are accepted and regarded to be legal members. However, secure communication between M 9 and M 10 is not provided because these do not have a session key after all phases have finished. Therefore, it is necessary to modify the login and authentication phase to provide session key agreement. Moreover, to ensure the security of the scheme, the session key has to be changed for each session and must be secured against various forms of attack.

Countermeasures
The reason why Cao and Ge's scheme is vulnerable to the biometric recognition errors is that:
• even if the same user inputs his/her own biometrics to a scanner device, this device can generate slightly different outputs due to the general characteristics of the biometric information;
• the general hash function produces very large differences in the output data from slight differences in the input data.
Thus, a general hash function results in a legal user failing during the login phase when using his/her own biometrics. To prevent a biometric recognition error, we suggest modifying the registration phase from ⟨ID i , PW i ⊕ K, B i ⊕ K⟩ to ⟨ID i , h(PW i ) ⊕ K, H(B i ) ⊕ K⟩. H(·) is a bio-hash function that produces consistent output for the same biometric information, even if the user's biometric input is slightly different. So, during the login phase, the values need to be modified from
However, by only modifying the scheme to use a bio-hash function, Cao and Ge's authentication scheme is still vulnerable to the slow detection of a wrong password. This type of problem results from:
• the smart card not checking the user's password during the login phase;
• the server being able to confirm whether a user inputs the wrong password and computes the wrong M 3 during the authentication phase only after extensive computations.
Adding a password verification step during the login phase is suggested to solve the slow wrong password detection problem. Thus, the computations are modified for f i from
However, even with the f i modified above, an off-line password attack can still be carried out. This vulnerability is due to the fact that:
• an adversary can know and compute all formulas and values except for PW i ;
• it is necessary to check PW i with values which the adversary cannot know and compute, such as H(B i ).
Since we check the user's password in f i , we suggest modifying r i from
With such a modification, we can also defend against a user impersonation attack because the adversary cannot impersonate the user without the user's password. In other words, the adversary cannot compute r i without PW i and then figure out h(ID i ‖ X s ) to conduct a user impersonation attack due to the lack of a legal M 1 .
Next, the possible mechanism to eliminate the vulnerability in Cao and Ge's scheme for an ID guessing attack is presented. This vulnerability is due to the fact that:
• the adversary can obtain the user's ID i from EID i using the value n i stored in the user's smart card.
• Even if EID i is a public communication message, Cao and Ge's scheme does not provide sufficient protection for EID i .
To address the problem of the ID guessing attack, we suggest modifying EID i from EID i = h(ID i ) ‖ n i to
is not stored in a smart card, and it can be easily computed by S i . Even if the adversary knows EID i and n i , he cannot compute ID i from EID i because he does not know h(ID i ‖ X s ).
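The difference between the two EID constructions can be checked side by side. This is an added example, not code from the paper: the original form is EID i = h(ID i ) ‖ n i from the review, the hardened form follows the formula given in step (RR4) of the proposed scheme, h(ID i ‖ h(ID i ‖ X s ) ‖ n i ), and the use of SHA-256, the byte encoding, the function names and all sample values are assumptions.

```python
import hashlib
import hmac


def h(*parts: bytes) -> bytes:
    """h(a ‖ b ‖ ...): SHA-256 over length-prefixed parts (encoding is an assumption)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def counter(n: int) -> bytes:
    """Fixed-width encoding of the registration counter n i."""
    return n.to_bytes(4, "big")


def eid_original(user_id: bytes, n: int) -> bytes:
    """Cao and Ge: EID = h(ID) ‖ n. Nothing secret goes into the value."""
    return h(user_id) + counter(n)


def eid_hardened(user_id: bytes, x_s: bytes, n: int) -> bytes:
    """Proposed scheme: EID = h(ID ‖ h(ID ‖ X_s) ‖ n), bound to the server secret."""
    return h(user_id, h(user_id, x_s), counter(n))


def confirmable_from_card(eid: bytes, n: int, candidate_id: bytes) -> bool:
    """The test available to anyone holding only card and channel data (EID, n, h):
    does a candidate identity reproduce the observed EID?"""
    return hmac.compare_digest(eid, h(candidate_id) + counter(n))


def server_resolve(eid: bytes, n: int, x_s: bytes, registered_ids):
    """Server side: with X_s the hardened EID can be recomputed per registered ID.
    (The paper's server stores EID in its database; recomputing is an assumption.)"""
    for user_id in registered_ids:
        if hmac.compare_digest(eid, eid_hardened(user_id, x_s, n)):
            return user_id
    return None


def demo():
    x_s = b"constructed-server-secret"   # constructed sample value
    users = [b"bob", b"alice"]           # constructed sample identities
    weak = eid_original(b"alice", 3)
    strong = eid_hardened(b"alice", x_s, 3)
    return {
        "original_confirms_id": confirmable_from_card(weak, 3, b"alice"),
        "hardened_confirms_id": confirmable_from_card(strong, 3, b"alice"),
        "server_resolves": server_resolve(strong, 3, x_s, users),
        # n inew = n i + 1 after a password change yields an unrelated EID
        "changes_with_counter": eid_hardened(b"alice", x_s, 4) != strong,
    }


if __name__ == "__main__":
    print(demo())
```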
However, with the modifications explained above, Cao and Ge's scheme is still vulnerable to a DoS attack. The cause of this vulnerability to DoS attacks is that:
• U i and S i perform all operations without checking the freshness of the received authentication messages.
• Moreover, S i unwillingly executes extensive computations per message before S i discovers the fault of the received authentication message.
To address the vulnerability to the DoS attack, we suggest using timestamps (T 1 , T 2 , T 3 , T 4 ) and adding them to the authentication messages. So we propose to modify the computations for M 3
In advance, all transmission messages need to include timestamps to check the freshness, such as from ⟨EID i , M 2 , M 3 ⟩ to ⟨EID i , M 2 , M 3 , T 1 ⟩. T 1 and M 3 are thus computed by a legal user, and the adversary cannot compute M 3 without T 1 , which is current and matched with M 3 . So S i can check the message freshness using T 1 , and S i can verify the message integrity and freshness by easily checking M 3 = h(M 1 ‖ R c ‖ T 1 ). In this manner, it is possible to effectively prevent the DoS attack.
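The server-side order of checks that this countermeasure implies, as an added example that is not code from the paper. Only the message ⟨EID i , M 2 , M 3 , T 1 ⟩ and the check M 3 = h(M 1 ‖ R c ‖ T 1 ) come from the text; the relation M 2 = M 1 ⊕ R c, SHA-256 for h(·), the window DELTA_T, the cache of accepted M 3 values and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # accepted delay in seconds; the page gives no value (assumption)


def h(*parts: bytes) -> bytes:
    """h(a ‖ b ‖ ...): SHA-256 over length-prefixed parts (encoding is an assumption)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Fixed-width encoding of a timestamp in seconds."""
    return int(t).to_bytes(8, "big")


def build_login(eid: bytes, m1: bytes, now: int) -> dict:
    """User side: M1 = h(ID ‖ X_s) is recovered from card, password and biometrics
    (not modelled here); R_c is a fresh random number."""
    r_c = secrets.token_bytes(32)
    return {"EID": eid,
            "M2": xor(m1, r_c),             # assumed form of M2
            "M3": h(m1, r_c, ts(now)),      # M3 = h(M1 ‖ R_c ‖ T1), from the text
            "T1": now}


def server_check(msg: dict, user_id: bytes, x_s: bytes, now: int, seen: set) -> str:
    """Cheapest test first, so a stale replay costs no hash computation."""
    if abs(now - msg["T1"]) > DELTA_T:
        return "rejected: stale T1"
    if msg["M3"] in seen:                   # addition beyond the page: replay inside the window
        return "rejected: replay inside window"
    m4 = h(user_id, x_s)                    # server's copy of h(ID ‖ X_s)
    r_c = xor(msg["M2"], m4)
    if not hmac.compare_digest(msg["M3"], h(m4, r_c, ts(msg["T1"]))):
        return "rejected: M3 mismatch"
    seen.add(msg["M3"])                     # entries can be evicted once older than DELTA_T
    return "accepted"


def demo():
    x_s, user_id = b"constructed-server-secret", b"alice"   # constructed values
    m1 = h(user_id, x_s)
    msg = build_login(b"EID-placeholder", m1, now=1000)
    seen = set()
    return [
        server_check(msg, user_id, x_s, 1002, seen),                       # fresh login
        server_check(msg, user_id, x_s, 1003, seen),                       # same message again
        server_check(msg, user_id, x_s, 1600, seen),                       # captured, replayed later
        server_check(dict(msg, T1=1600), user_id, x_s, 1600, set()),       # old M3 with a new T1
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A timestamp window alone still admits a replay sent within DELTA_T of the original, which is why the block adds the cache of accepted M 3 values.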
Finally, the problem regarding a lack of a session key is resolved by adding a session key agreement during the login and authentication phase. The session key needs to change for every session in order to enhance the security of the authentication scheme, so computing the session key agreement is proposed as follows;
For the session key agreement, h(ID i ‖ X s ), R c and R s are computed only by the legal user and the server. T 3 and T 4 can be used to confirm the freshness of the session key. Therefore, this session key can change every session and can prevent various attacks.

Security enhanced multi-factor biometric authentication scheme
To solve the problems inherent to Cao and Ge's scheme, a security enhanced multi-factor biometric authentication scheme is proposed and divided into three phases: registration phase, password change phase, and login and authentication phase. Before our scheme is executed, S i generates the server's secure value X s for security.

Registration phase
The registration phase of the proposed scheme is described in Fig 11. U i needs to perform the registration phase with S i by using a secure channel.
(R1) U i selects ID i and PW i , imprints the biometric impression B i , and generates K. U i sends the identity ID i , h(PW i ) ⊕ K computed with the general hash function, and H(B i ) ⊕ K computed with the bio-hash function to S i through a secure channel.
(R2) After receiving these, S i computes f i , r i , and e i as follows;
(R3) Then, S i creates a database entry for the user ID i and generates n i .
(R4) S i computes EID i and v i as below, then S i stores EID i , ID i , n i , v i for ID i as an entry in a database.
(R5) S i sends a smart card containing ⟨h(·), H(·), f i , e i , n i ⟩ to U i through a secure channel. Then U i stores K in the smart card.

Password change phase
For the proposed scheme, the password change phase is executed when U i loses the smart card or wants to update the password. In order to change the password, U i sends both the old password PW i and new password PW inew . Fig 12 describes the password change phase for the proposed scheme.
(RR1) U i selects and inputs ID i , PW i , and PW inew . U i imprints its own biometric impression B i and generates a new random value K 0 . Then, (RR2) After S i receives these, S i checks the database for the ID, and acquires the user's data including EID i , ID i , n i , and v i . Then, S i computes v 0 i ¼ hðhðPW i Þ È HðB i Þ k X s Þ and compares v 0 i with v i in the database. (RR3) S i sets n inew = n i + 1. Then, S i carries out the computations as follows: (RR4) S i computes EID inew = h(ID i kh(ID i kX s )kn inew ), then S i stores EID inew , ID i , n inew for ID i to the entry of database. Security enhanced authentication scheme using bio-hash function (RR5) S i sends a new smart card to U i that contains hh(Á), H(Á), f inew , e inew , n inew i by using a secure channel. Then U i stores a new K 0 in the smart card. Fig 13 describes the login and authentication phase for the proposed scheme. U i executes the following steps when U i wants to authenticate a remote S i . In this phase, the smart card checks the legitimacy of the user using ID i , PW i and B i .
(L1) $U_i$ inputs $ID_i$ and $PW_i$; $U_i$ imprints $B_i$ using a biological feature extraction device and computes $h(PW_i)$ using the general hash function and $H(B_i)$ using the bio-hash function. Then, the smart card computes $f_i$, and is verified as follows,
(L2) If they are the same, $U_i$ generates the current timestamp $T_i$ and a random number $R_c$. Then, $U_i$ computes $r_i$, $M_1$, $M_2$, $M_3$, $EID_i$ using the user's input values and the values stored in the smart card as follows;
The server $S_i$ executes the authentication phase when the message is received.
(A1) $S_i$ checks that the $EID_i$ satisfies the original format.
(A2) If the $ID_i$ is valid when compared with the user's entry in the database in $S_i$, $S_i$ computes $M_4$ and $M_5$, and then verifies $M_3$ as follows,
(A3) If $M_3$ is accurate, $S_i$ generates the current timestamp $T_2$ and computes $M_6$ and $M_7$. Then, $S_i$ sends the message $\langle EID_i, M_6, M_7, T_2 \rangle$ to $U_i$.
(A4) $U_i$ computes $M_8 = M_6 \oplus M_1$ and verifies whether $M_7 = h(M_1 \| M_8 \| T_2)$ or not. If they are equal, $U_i$ generates a timestamp $T_3$ and computes $M_9$. Then $U_i$ computes $sk$ as follows.
(A5) $U_i$ sends the message $\langle M_9, T_3 \rangle$ to $S_i$.
(A6) After receiving $\langle M_9 \rangle$, $S_i$ verifies that $M_9$ is equal to $h(M_4 \| M_5 \| R_s \| T_3)$ and then accepts the user's login request. $S_i$ computes $M_{10} = h(M_4 \| M_5 \| R_s \| T_4)$ and $sk$. Then, $S_i$ sends $\langle M_{10}, T_4 \rangle$ to $U_i$.
(A7) After receiving $\langle M_{10}, T_4 \rangle$, $U_i$ verifies that $M_{10}$ is equal to $h(M_1 \| R_c \| M_8 \| T_4)$ and regards $S_i$ as a legal server.
(A8) Therefore, $U_i$ and $S_i$ share the same session key after all phases have finished.

Analysis
Several analyses were carried out to confirm that the proposed scheme with a bio-hash function improves the security of the authentication process. Ding Wang et al. analyzed various smart-card-based password authentication methods and introduced a good solution using the principle of the security-usability trade-off to prevent off-line password attacks. Ding Wang et al. proposed that a fuzzy verifier can resolve the trade-off between the security requirement of resistance to smart card loss attack and the usability goal of a local password change [35][36][37].
In this paper, the proposed scheme uses a bio-hash function, which is similar to a fuzzy verifier, to secure the system against various types of off-line guessing attacks. The proposed scheme is investigated by conducting a security analysis, a formal analysis, and an efficiency analysis. Then, the proposed scheme is compared to other authentication schemes, including Cao and Ge's scheme. We follow a security definition with strong secret values $(B_i, x)$ with a high entropy that cannot be guessed in polynomial time and a secure one-way hash function $y = h(x)$. Computing $y$ from $x$ is easy, but computing $x$ from $y$ is much more difficult.

Security analysis
This section describes a security analysis to confirm the security of the proposed scheme.

[Replay attack]
In the proposed scheme, even if an adversary intercepts messages such as $\langle EID_i, M_2, M_3, T_1 \rangle$ and $\langle M_9, T_3 \rangle$ over public communication and replays $\langle EID_i, M_2, M_3, T_1 \rangle$ to $S_i$, he cannot authenticate with $S_i$. First, it is hard for the adversary to respond within the allowable time for timestamp $T_1$, and even if the adversary passes the time limit, he cannot execute the appropriate response for $\langle EID_i, M_6, M_7, T_2 \rangle$. The adversary has only the previous $\langle M_9, T_3 \rangle$, which is not appropriate for the response because he cannot know the new $R_c$. Only a legal user can know the new $R_c$ using $h(ID_i \| X_s)$. Therefore, the adversary cannot succeed in the replay attack due to the timestamps and the lack of knowledge of $h(ID_i \| X_s)$ [53].

[Server masquerading attack]
If an adversary wants to masquerade as a legal server, he has to send the appropriate response to the user's request. When the user sends $\langle M_9, T_3 \rangle$ to the adversary, he has to compute the appropriate $\langle M_{10}, T_4 \rangle$ to look like a legal server. However, if the adversary wants to compute $\langle M_{10}, T_4 \rangle$ using $M_9$, $T_3$ and $T_4$, he has to know $R_c$ and $h(ID \| X_s)$. Only a legal server can compute $\langle M_{10}, T_4 \rangle$ because the legal server stored $X_s$ and $R_c$ in the database and the adversary cannot know them. Therefore, the adversary cannot succeed in masquerading as a legal server.

[Mutual authentication]
Mutual authentication means that a user and a server authenticate each other. In the proposed scheme, $U_i$ and $S_i$ authenticate each other by checking for a mutual random number, which is possible for a legal user and server because only they know $h(ID_i \| X_s)$. Specifically, $S_i$ authenticates $U_i$ according to the $\langle M_9, T_3 \rangle$ that is received because only a legal $U_i$ can compute $M_9$ using $S_i$'s $M_6$. $U_i$ authenticates $S_i$ by $\langle M_{10}, T_4 \rangle$, and only the server can compute $M_{10}$ from $\langle M_9, T_3 \rangle$ because only the legal server can know the user's random number $R_c$ using $h(ID_i \| X_s)$, $R_c = M_2 \oplus h(ID_i \| X_s)$ [54].
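The exchange of steps (A3)-(A7) and the replay and mutual-authentication arguments above, as an added Python sketch (not the paper's code). It assumes $M_1 = M_4 = h(ID_i \| X_s)$, $M_5 = R_c$, $M_8 = R_s$, $M_6 = R_s \oplus M_1$ and a user-side $M_9 = h(M_1 \| R_c \| M_8 \| T_3)$, all inferred from the verification equations stated above; $M_3$ is omitted because its definition is not given here, and SHA-256, `DELTA` and the sample values are constructed.

```python
import hashlib, hmac, os
DELTA = 5  # accepted timestamp skew in seconds (assumed value)

def h(*parts):  # h(a || b || ...); integer timestamps are encoded as text
    data = b"".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hashlib.sha256(data).digest()
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    def __init__(self, shared):            # shared = h(ID_i || X_s)
        self.m4 = shared
    def challenge(self, m2, t1, now):
        if abs(now - t1) > DELTA:
            return None                    # stale T_1: rejected before any hashing
        self.m5 = xor(m2, self.m4)         # R_c = M_2 xor h(ID_i || X_s)
        self.rs = os.urandom(32)           # fresh R_s for every run
        return xor(self.rs, self.m4), h(self.m4, self.rs, now), now  # M_6, M_7, T_2
    def verify_m9(self, m9, t3, now):
        want = h(self.m4, self.m5, self.rs, t3)
        if abs(now - t3) > DELTA or not hmac.compare_digest(m9, want):
            return None
        return h(self.m4, self.m5, self.rs, now)   # M_10, with T_4 = now

class User:
    def __init__(self, shared):
        self.m1 = shared
    def login(self, now):
        self.rc = os.urandom(32)
        return xor(self.rc, self.m1), now  # M_2, T_1
    def respond(self, m6, m7, t2, now):
        self.m8 = xor(m6, self.m1)         # M_8 = M_6 xor M_1 (recovers R_s)
        if not hmac.compare_digest(m7, h(self.m1, self.m8, t2)):
            return None                    # M_7 mismatch: not the legal server
        return h(self.m1, self.rc, self.m8, now), now   # M_9, T_3
    def verify_m10(self, m10, t4):
        return hmac.compare_digest(m10, h(self.m1, self.rc, self.m8, t4))

def run_demo():
    shared = h(b"alice", b"constructed-X_s")       # constructed h(ID_i || X_s)
    user, server = User(shared), Server(shared)
    m2, t1 = user.login(now=1000)
    m6, m7, t2 = server.challenge(m2, t1, now=1001)
    m9, t3 = user.respond(m6, m7, t2, now=1002)
    m10 = server.verify_m9(m9, t3, now=1003)
    honest = m10 is not None and user.verify_m10(m10, 1003)
    stale = server.challenge(m2, t1, now=2000)     # replay after the window
    server.challenge(m2, t1, now=1004)             # replay inside the window
    replayed = server.verify_m9(m9, t3, now=1005)  # old M_9 against the new R_s
    return honest, stale, replayed
```

`run_demo()` returns `(True, None, None)`: the honest run completes in both directions, a late replay fails the timestamp check, and a replay inside the window fails because the captured $M_9$ is bound to the previous $R_s$.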

[Biometric recognition error]
The proposed scheme uses a bio-hash function to prevent a biometric recognition error. Cao and Ge's scheme uses a general hash function to verify the user's biometrics, so a biometric recognition error happens as a result of the general hash function's behavior. However, the proposed scheme uses a bio-hash function for the user's biometric information because the bio-hash function provides consistent output for the same biometric information, even when a user's biometrics are input a little differently.
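Why the choice of $H(\cdot)$ matters, as an added Python example (not the paper's code): SHA-256 stands in for the general hash $h(\cdot)$, and $H(\cdot)$ is modeled as sign bits of token-seeded random projections compared under a Hamming tolerance, a common bio-hashing construction that the paper does not specify. The feature vectors, token, `BITS` and `TOLERANCE` are constructed for the illustration.

```python
import hashlib
import random

BITS = 64        # length of the bio-hash code (assumed)
TOLERANCE = 8    # differing bits still accepted as the same user (assumed)

def general_hash(features):
    """Exact-match hash: any change in the reading changes the digest."""
    data = ",".join(f"{x:.6f}" for x in features).encode()
    return hashlib.sha256(data).hexdigest()

def bio_hash(features, token_seed):
    """Project the feature vector onto token-seeded random directions and
    keep only the sign of each projection (one bit per direction)."""
    rng = random.Random(token_seed)
    bits = []
    for _ in range(BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        projection = sum(d * x for d, x in zip(direction, features))
        bits.append(1 if projection >= 0 else 0)
    return bits

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def same_user(code_a, code_b):
    return hamming(code_a, code_b) <= TOLERANCE

def demo():
    rng = random.Random(2017)                      # constructed sample data
    enrolled = [rng.gauss(0.0, 1.0) for _ in range(128)]
    # Same biometric, slightly different reading (about 1% sensor noise).
    relogin = [x + rng.gauss(0.0, 0.01) for x in enrolled]
    impostor = [rng.gauss(0.0, 1.0) for _ in range(128)]
    token = "constructed-user-token"
    ref = bio_hash(enrolled, token)
    return {
        "general_hash_match": general_hash(enrolled) == general_hash(relogin),
        "genuine_distance": hamming(ref, bio_hash(relogin, token)),
        "impostor_distance": hamming(ref, bio_hash(impostor, token)),
        "genuine_accepted": same_user(ref, bio_hash(relogin, token)),
        "impostor_accepted": same_user(ref, bio_hash(impostor, token)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the scheme feeds $H(B_i)$ into further hash and XOR computations, a deployed bio-hash must produce a bit-exact code, so quantization or error correction would be layered on top of a projection step like this one.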

[Slow wrong password detection]
Unlike Cao and Ge's scheme, the proposed scheme can check the user's password during the login phase. Therefore, it is possible to verify whether or not the user has input an accurate password. In the proposed scheme, when a user wants to log in and authenticate to a server, he inputs his own $ID_i$, $PW_i$, and $B_i$. Using these, the smart card computes $f_i$ and compares it with the $f_i$ that is stored in the smart card. If the user inputs the wrong password, the computed $f_i$ and the stored $f_i$ will be different, so the user can immediately know whether he needs to input the correct password again.

[Off-line password attack]
An adversary can extract all information stored in the user's smart card by using a side-channel attack, such as by physically monitoring the power consumption. However, in the proposed scheme, the user's password is always used with the user's $ID_i$ and the biometrics information. The user's $ID_i$ is protected by $EID_i = h(ID_i \| h(ID \| X_s) \| n_i)$. Moreover, $B_i$ has a high entropy, so the adversary cannot carry out the computation. Therefore, even if the adversary extracts $f_i$ using a side-channel attack, he cannot compute the user's password because he cannot know both $ID_i$ and $H(B_i)$.

[User impersonation attack]
To successfully carry out a user impersonation attack, an adversary needs to know the user's $h(ID_i \| X_i)$. In order to compute $h(ID_i \| X_i)$, the adversary must know $r_i$ using $f_i$ and $e_i$; [55].

Table 2 shows a comparison of the security analysis for various multi-factor authentication schemes, including our proposed scheme [14][38][39][50][56][57][58].

Formal analysis
BAN logic (Burrows-Abadi-Needham logic) was introduced by Burrows M, and it has consistently drawn attention due to the simplicity and straightforwardness of its analysis of authentication schemes. In this section, we analyze the proposed scheme using BAN logic, with symbols P and Q representing principals and X and Y representing statements. The main notation and main inference rules of the logic are presented in BAN's paper. The analysis of an authentication scheme using the BAN-logic tool consists of four steps, and the formal analysis of the security of the proposed scheme is described as follows. The analysis shows that a session key can be generated correctly between the communicating parties during authentication. First, the notation of BAN logic used in this scheme is introduced [59][60][61][62].
• $P \mid\equiv X$: The principal P believes statement X. This means that P believes that in the current run of the scheme, the statement X is true.
• $P \lhd X$: The principal P sees the statement X, which means that P has received a message containing X.
• $P \mid\sim X$: The principal P once said the statement X, which means that $P \mid\equiv X$ when P sent it.
• $P \Rightarrow X$: The principal P has jurisdiction over statement X. This means that P has complete control on the formula X.
• $\#(X)$: The formula X is fresh. This means that formula X has not been used before.
• $P \mid\equiv Q \stackrel{K}{\longleftrightarrow} P$: P believes that the principal P and Q communicate with each other using K.
• $P \stackrel{K}{\longleftrightarrow} X$: K is shared secret information between P and Q. The secret key K is known only to P and Q, and K is a secret between both parties.
• $\{X\}_K$: The formula X is encrypted using the secret key K.
• $\langle X \rangle_K$: The formula X is combined including the secret key K.
• $(X)_K$: The formula X is hashed including the secret key K.
• $sk$: The session key used in the current session.
To describe the logical postulates of BAN logic, we present the following rules:
1. Message-meaning rule: if the principal P believes that he/she shares the secret key K with Q and P sees the statement X hashed to include K, then P believes that Q once said X.

$P \mid\equiv Q \mid\equiv X$: if principal P believes that X is fresh and P believes Q once said X, then P believes that Q believes X.

The belief rule: $\frac{P \mid\equiv X,\; P \mid\equiv Y}{P \mid\equiv (X, Y)}$: if principal P believes both X and Y, then P believes (X, Y).

$P \mid\equiv X$: if principal P believes that Q has jurisdiction over X and P believes that Q believes X, then P believes X.
According to the analytic procedures of BAN logic and using the previously described logical postulates, the proposed scheme needs to satisfy the following goals:
• Goal 1: $S \mid\equiv (U \stackrel{sk}{\longleftrightarrow} S)$.
The generic type of proposed scheme is as follows:
• Message 1.
According to the assumption A5 and the message meaning rule, we obtain:
• S8: $U \mid\equiv S \mid\sim \{(R_c, R_s, T_4)_{h(ID_i \| X_s)}, T_4, U \stackrel{sk}{\longleftrightarrow} S\}$
According to the assumption A4 and the freshness conjuncatenation rule, we obtain:
• S9: $U \mid\equiv \#\{(R_c, R_s, T_4)_{h(ID_i \| X_s)}, T_4, U \stackrel{sk}{\longleftrightarrow} S\}$
According to S8, S9 and the nonce verification rule, we obtain:
• S10: $U \mid\equiv S \mid\equiv \{(R_c, R_s, T_4)_{h(ID_i \| X_s)}, T_4, U \stackrel{sk}{\longleftrightarrow} S\}$
According to S10 and applying the belief rule, we obtain:
• S11: $U \mid\equiv S \mid\equiv (U \stackrel{sk}{\longleftrightarrow} S)$. We satisfy Goal 4: $U \mid\equiv S \mid\equiv (U \stackrel{sk}{\longleftrightarrow} S)$.
According to the assumption A7, S11 and the jurisdiction rule, we can obtain the conclusion as follows:
• S12: $U \mid\equiv (U \stackrel{sk}{\longleftrightarrow} S)$. We satisfy Goal 2: $U \mid\equiv (U \stackrel{sk}{\longleftrightarrow} S)$.

Efficiency analysis
The computational costs of the modified scheme and others are calculated in Table 3. $T_h$ stands for the computation time of the hash function, while the computation time for the exclusive OR operation, $T_{XOR}$, does not appear in the table because it can be ignored when compared to $T_h$. According to the results obtained in [63], $T_h$ needs a time of about 0.20 ms ($T_h \approx 0.20$ ms) on a system using 3.0 GB RAM with a Pentium IV 3.2 GHz processor. Table 4 shows the efficiency for various authentication schemes obtained through a simulation.
As shown in Tables 3 and 4, the modified scheme requires a slightly higher computational cost than the others, but mainly in the registration phase [38][39][40][50]. However, the modified scheme can provide all security properties shown in Table 2.

Conclusions
This paper discusses possible attacks for Cao and Ge's authentication scheme, and a modified scheme is proposed to improve security and protect against various attacks. A security analysis and efficiency analysis are carried out to compare the results of the modified scheme to those of other schemes. In addition, the modified scheme is verified by conducting a formal security analysis using BAN-logic. The results indicate that the modified scheme has a slightly higher computational cost but that it is more secure than some of the other related schemes. The proposed scheme uses a bio-hash function for multi-factor biometric authentication to improve security. We also intend to conduct further studies on verification techniques, such as a fuzzy verifier and bio-hash function, to resolve the security-usability trade-off.