Cryptanalysis and improvement of a biometrics-based authentication and key agreement scheme for multi-server environments

With the advance of wireless technologies, the study of biometrics-based multi-server authenticated key agreement schemes has gained considerable momentum. Recently, Wang et al. presented a three-factor authentication protocol with key agreement and claimed that their scheme resists several prominent attacks. Unfortunately, this paper shows that their protocol is still vulnerable to the user impersonation attack, the privileged insider attack and the server spoofing attack. Furthermore, their protocol cannot provide perfect forward secrecy. As a remedy for these problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Compared with various related schemes, our protocol achieves stronger security and provides more functionality properties. Besides, the proposed protocol shows satisfactory performance in terms of storage requirement, communication overhead and computational cost. Thus, our protocol is suitable for expert systems and other multi-server architectures, and consequently it is more appropriate for distributed networks.


Introduction
Tremendous advances in wireless technologies have enhanced the quality of on-line services in distributed networks. They let plenty of web users enjoy a variety of helpful on-line services in many aspects of life, for example, on-line work, on-line medicine, on-line shopping and so on [1,2]. However, a significant problem remains, namely, how to let web users enjoy so many on-line services while ensuring the confidentiality of their sensitive data over an insecure channel. Thus, data protection becomes more and more important for every communication participant in distributed networks. As a remedy, authenticated key establishment protocols are applied to safeguard information and defy these threats; they let web users submit their credentials and subsequently acquire various on-line services from a number of remote network servers [3,4]. Specifically, mutual authentication, which makes network servers check the legality of web users and vice versa, minimizes the risk of internet fraud. As a next step, key agreement helps the communication participants establish a common session key that protects their subsequent communication over open networks [5]. Over the last four decades, three kinds of factors have typically been used to design authenticated key establishment protocols, namely the knowledge factor (password), the possession factor (smart card) and the inherence factor (biometric information) [6][7][8][9]. In the last few years, Khan [10] presented two biometric-based authentication schemes which possessed self-authentication and deniability, respectively. In 2013, Kumari and Khan [11] put forward an improved smart card-based authentication protocol with user anonymity for remote users. In recent years, Farash et al. [12] proposed a lightweight authentication scheme applied to consumer roaming. Over the last two years, Kumari et al. [13] presented a smart card-based authentication protocol for the session initiation service.
More specifically, in 1981 Lamport [7] put forward the first password-based authentication scheme, which did not provide key agreement. However, his protocol maintained password-verification tables, which made the stolen-verification-table attack feasible. Afterwards, a sequence of improved password-based authentication and key establishment schemes were presented [14][15][16]. Authenticated key exchange protocols that rely on the password alone share some common shortcomings, such as weak passwords, dictionary attacks, stolen-verification-table attacks and so on. Thus, it is necessary to add the possession factor in order to design a more robust kind of authenticated key agreement scheme [17][18][19].
Later on, two-factor authentication and key establishment protocols, which apply both a password and a smart card, were widely deployed in distributed networks. In order to log in to the desired remote network server, web users insert their smart card into a smart card reader and enter their password. In 1991, Chang et al. [20] presented a password-based authentication scheme with smart cards. Since then, a series of cryptanalyses and improvements have been put forward [21][22][23][24][25]. However, it is practicable to acquire the data stored in a smart card through side-channel attacks [26]. Therefore, a lost or stolen smart card makes such authenticated key agreement protocols vulnerable [27][28][29][30].
In order to solve these problems, biometric information (e.g. facial features, retina and fingerprints) has been added as an inherence factor to build a variety of three-factor authenticated key establishment protocols. Unlike the knowledge factor and the possession factor, biometric information is unique to its owner, which further enhances the security of sensitive data [31,32]. Besides, it is exceedingly difficult for an adversary to forge the biometrics of a web user, and web users do not need to memorize anything, since biometric information can hardly be forgotten or lost. Thus, biometric information is combined with both the password and the smart card mentioned above, giving rise to a battery of three-factor authenticated key agreement schemes [33][34][35][36][37][38]. In practice, the biometric data imprinted by a web user are not identical at each reading, so adopting them directly usually results in a low success rate for valid web users [39]. To meet this problem, the biometrics-based fuzzy extractor, which is convenient to implement on a smart card, was introduced to reduce the failure rate [40]. Besides, the Bio-Hash code, namely a user-specific code, is another way to accommodate this problem [41].
Furthermore, earlier authentication and key establishment protocols were designed only for single-server environments and did not consider multi-server environments. Specifically, it is inefficient to adopt single-server authentication schemes directly in multi-server environments: with the rapid growth in the number of network servers, web users would not only have to register with and log in to each individual server repeatedly, but also maintain a massive set of identities and passwords. In 2001, Li et al. [42] put forward the first multi-server authentication protocol, which coped with this problem; in particular, Li et al. [42] applied a registration center to achieve single registration in multi-server architectures. During the past two decades, a large number of multi-server authentication schemes have been presented, some of which adopt two factors [43][44][45][46] while others are based on three factors [47][48][49][50][51][52][53][54][55][56].
The multi-server authentication mechanism requires higher security. Since legal users adopt the same credentials to log in to a variety of individual network servers, adversaries can trace web users and thereby subject many protocols to the user impersonation attack, the privileged insider attack and the server spoofing attack [47,57,58]. As typical multi-server architectures, expert systems, which benefit from the decision-making capability of human experts, have a great many applications, for example, security auditing and network management. Particularly, Tsudik and Summers [59] introduced a security auditing expert system called AudES, which automated a great deal of manual security auditing procedures in order to alleviate the burden on human auditors. For network management expert systems, Hariri and Jabbour [60] designed a generalized architecture to manage plenty of resources in a distributed computer network. Recently, Mishra et al. [50] put forward an anonymous three-factor multi-server authenticated key agreement scheme for expert systems, which was adopted to protect the communication between web user and network server. They declared that their protocol provided high security. However, Wang et al. [61] showed that Mishra et al.'s scheme was vulnerable to several common attacks and presented an improved protocol to enhance its security. Unfortunately, as the cryptanalysis below shows, Wang et al.'s scheme is still vulnerable to the user impersonation attack, the privileged insider attack and the server spoofing attack. Besides, their scheme fails to provide perfect forward secrecy.
As a remedy for these problems, we propose a biometric-based authentication and key agreement protocol for multi-server architectures that ensures the confidentiality of sensitive data while a web user enjoys decision-making services such as security auditing and network management in expert systems. When a web user wants to log in to a network server to acquire these services, our protocol runs between the web user and the network server. Concretely, the web user submits a login request message to the network server. Next, the network server tries to authenticate the web user with the received message and the information saved during the registration phase, and issues its own authentication request message to the web user. Then, the web user tries to authenticate the network server in a similar way and delivers an authentication reply to the network server. Finally, the web user and the network server have achieved mutual authentication and key agreement. Compared with other related schemes, our protocol achieves stronger security and provides more functionality properties. Besides, the presented protocol requires lower computational cost and shows satisfactory performance in communication overhead at the same level of storage requirement. Thus, the proposed protocol is suitable for expert systems and other multi-server architectures, such as on-line medicine systems, on-line shopping systems and so on. Above all, our protocol is more appropriate for distributed networks.
The remainder of this paper is organized as follows. The next section introduces the collision-resistant hash function, the threat assumptions and the biometrics-based fuzzy extractor. Section 3 reviews Wang et al.'s scheme and Section 4 discusses its weaknesses. Section 5 describes the proposed biometrics-based authenticated key agreement protocol in detail. Section 6 provides the security analysis, functionality analysis and efficiency analysis of our protocol and compares it with other schemes in these respects. The last section concludes the paper.

Preliminaries
In this section, we briefly describe the concepts used later: the collision-resistant hash function, the threat assumptions and the biometrics-based fuzzy extractor.

Collision-resistant hash function
A collision-resistant hash function maps a binary string of arbitrary length to a binary string of fixed length, that is, h : {0, 1}* → {0, 1}^n [62]. Retrieving an input from a given output is computationally infeasible (preimage resistance). Collision resistance is defined as follows: for a given input x, it is computationally infeasible to find any input y ≠ x such that h(x) = h(y).

Threat assumptions
In this subsection, we introduce some common threat assumptions, which include the Dolev-Yao threat model [63] and the risk of side-channel attacks [27]. They are as follows.
1. Adversary E might be a malicious user or an outside hacker.
2. Adversary E is able to eavesdrop on all communication messages between participants over an open channel.
3. Adversary E can modify, delete, resend and reroute all eavesdropped messages.
4. Adversary E is able to extract all data stored in a lost or stolen smart card by examining its power consumption.

Biometrics-based fuzzy extractor
We briefly introduce the mechanism of the biometrics-based fuzzy extractor in this subsection. A biometrics-based fuzzy extractor, which converts biometric information into two usable and unpredictable values, consists of two procedures, namely Gen and Rep [40]. The mechanism is illustrated in Fig 1. From the biometric information BIO, the probabilistic generation procedure Gen outputs an unpredictable binary string R ∈ {0, 1}^l and an auxiliary (helper) binary string P ∈ {0, 1}*. With the help of this auxiliary string P and another biometric reading BIO*, the deterministic reproduction procedure Rep recovers the same unpredictable binary string R. When Gen(BIO) → ⟨R, P⟩ and dis(BIO, BIO*) ≤ t hold, we have Rep(BIO*, P) → R; otherwise Rep provides no output. This error tolerance makes the recovery of R robust, as long as the reading BIO* remains reasonably close to the initial biometrics BIO.
Since biometric features vary slightly at every imprint, another way to extract them is to apply Bio-Hash codes. Recently, many Bio-Hashing authentication schemes with key agreement have been presented [41,64,65]. Bio-Hashing is also a convenient technique, usable in many small devices.
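To make the Gen/Rep semantics above concrete, the following Python program is an added example, not the construction of this paper or of Ref. [40]: a toy code-offset fuzzy extractor in which a repetition code absorbs a bounded number of flipped template bits, Gen returns ⟨R, P⟩, and Rep returns R only when the second reading is close enough and otherwise refuses. The repetition code, the toy sizes, the SHA-256 stand-in for the strong extractor and the check tag kept in P are all assumptions of this example; the `derive_rpw` helper only shows how R feeds the proposed scheme's RPW_i = h(R_i||PW_i).

```python
import hashlib
import secrets

# Toy code-offset fuzzy extractor (added example; sizes and code are assumptions).
# The biometric template is a list of N_BITS bits. Each of K_BITS secret bits is
# repeated BLOCK times, so majority decoding corrects up to T flipped bits per block.
BLOCK = 5
T = BLOCK // 2            # per-block tolerance t (two flips out of five)
K_BITS = 32               # toy secret length; real templates and secrets are far longer
N_BITS = K_BITS * BLOCK


def _encode(secret):
    """Repetition code: every secret bit becomes BLOCK identical codeword bits."""
    return [b for b in secret for _ in range(BLOCK)]


def _decode(noisy):
    """Majority vote per block; wrong only if more than T bits of a block flipped."""
    return [1 if sum(noisy[i:i + BLOCK]) > T else 0
            for i in range(0, len(noisy), BLOCK)]


def _bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def _extract(secret):
    """Stand-in for the strong extractor: hash the secret bits to obtain R (assumption)."""
    return hashlib.sha256(b"R|" + _bits_to_bytes(secret)).digest()


def _tag(r):
    """Check value stored in P so that Rep can refuse instead of emitting a wrong R."""
    return hashlib.sha256(b"P|" + r).digest()[:16]


def gen(bio):
    """Gen(BIO) -> (R, P): probabilistic; R is the key, P is public helper data."""
    if len(bio) != N_BITS:
        raise ValueError("template must have %d bits" % N_BITS)
    secret = [secrets.randbelow(2) for _ in range(K_BITS)]
    codeword = _encode(secret)
    sketch = [b ^ c for b, c in zip(bio, codeword)]   # P hides the codeword under BIO
    r = _extract(secret)
    return r, (sketch, _tag(r))


def rep(bio_star, p):
    """Rep(BIO*, P) -> R when BIO* is close to BIO, otherwise None; deterministic."""
    sketch, tag = p
    if len(bio_star) != len(sketch):
        return None
    noisy_codeword = [b ^ s for b, s in zip(bio_star, sketch)]  # codeword XOR (BIO XOR BIO*)
    r = _extract(_decode(noisy_codeword))
    return r if _tag(r) == tag else None


def hamming(a, b):
    """dis(BIO, BIO*): number of differing template bits."""
    return sum(x != y for x, y in zip(a, b))


def derive_rpw(r, password):
    """RPW_i = h(R_i||PW_i) from the proposed scheme's user registration phase."""
    return hashlib.sha256(r + b"|" + password).digest()


if __name__ == "__main__":
    bio = [(i * 7 + 3) % 5 % 2 for i in range(N_BITS)]    # constructed template
    r, p = gen(bio)
    near = list(bio)
    for pos in (0, 1, 5, 6):                                # two flips in each of two blocks
        near[pos] ^= 1
    far = list(bio)
    for pos in (0, 1, 2):                                   # three flips in one block
        far[pos] ^= 1
    print("within tolerance:", rep(near, p) == r)           # True
    print("beyond tolerance:", rep(far, p))                 # None
```

With BLOCK = 5 the tolerance is two flips per block of five template bits, which is the per-block form of the paper's global condition dis(BIO, BIO*) ≤ t. A real deployment would use a BCH-style code over a much longer template; with realistic sizes the tag in P reveals nothing useful, whereas here the secret is tiny and the tag would be brute-forceable, which is why this is an illustration of the interface and not a usable extractor.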

Review of Wang et al.'s scheme
In this section, we review Wang et al.'s biometrics-based authentication and key agreement scheme for multi-server environments, described in Ref. [61]. Their scheme includes six phases, namely the server registration phase, user registration phase, login phase, authentication phase, password change phase and user revocation/re-registration phase. There are three participants in their scheme, that is, the registration center RC, the server S_j and the user U_i. The registration center RC is assumed to be a trusted third party; in Wang et al.'s scheme it is responsible for both user registration and server registration. For convenience, the symbols applied in their scheme and their corresponding meanings are shown in Table 1.

Server registration phase
1. Server S_j submits a join request message to the registration center RC, which helps server S_j become an authorized server in the expert system.
2. Upon receiving this join request message, the registration center RC sends server S_j a pre-shared key PSK over a secure channel.
Similarly, in the user revocation/re-registration phase, after receiving a re-registration request message through a secure channel, the registration center RC performs the steps mentioned in subsection 3.2 and updates the entry ⟨ID_i, N_i⟩ to ⟨ID_i, N_i = N_i + 1⟩ to help user U_i re-register.

Cryptanalysis of Wang et al.'s scheme
In this section, we present a cryptanalysis of Wang et al.'s scheme. The results show that their protocol is still vulnerable to the user impersonation attack, the privileged insider attack and the server spoofing attack, and that it fails to achieve perfect forward secrecy. Details are given in the following subsections.

User impersonation attack
Suppose that adversary E is an outside hacker who steals user U_i's smart card SC_i and eavesdrops on all communications between user U_i and server S_j. Specifically, adversary E has the ability to extract the stored data over an open channel.
2. When obtaining this login request message from adversary E, server S_j verifies whether the freshness condition on ΔT holds, where T_j* is the time when server S_j receives adversary E's login request message. Thus adversary E passes server S_j's verification successfully and server S_j continues to execute the subsequent steps normally.

3. Server S_j retrieves
Lastly, server S_j sends its authentication request message {SID_j, M_3*, M_4*} to adversary E through an open channel as usual.
4. Upon receiving server S_j's authentication request message, adversary E retrieves
Thus server S_j authenticates adversary E and they both apply the session key SK_ij* in the following communication. Unfortunately, server S_j mistakenly believes that it communicates with user U_i. Therefore Wang et al.'s scheme is vulnerable to the user impersonation attack.

Privileged insider attack
As shown in this subsection, adversary E, who is a privileged insider, can impersonate user U_i if he steals user U_i's smart card SC_i and eavesdrops on all communications between user U_i and the registration center RC. Similarly, adversary E is able to acquire these data
2. After acquiring this login request message, server S_j verifies whether T_iE − T_jE ≤ ΔT holds, where T_jE is the time when server S_j acquires adversary E's login request message. Unfortunately, adversary E's message passes this verification.

3. Server S_j retrieves
Then server S_j generates a random number N_2E and further calculates

Server spoofing attack
In this subsection, we suppose that adversary E, who is an insider but not another server S_k, has the ability to eavesdrop on user U_i's registration request message {ID_i, RPW_i} and to steal user U_i's smart card SC_i. Furthermore, adversary E is able to collect some data, for example,
Thus adversary E can masquerade as server S_j to cheat user U_i, so Wang et al.'s scheme is vulnerable to the server spoofing attack. More details are shown below.
1. Firstly, adversary E calculates h(PSK) = B_i ⊕ C_i and eavesdrops on user U_i's login request
Furthermore, this fake authentication request message is successfully checked. In particular, adversary E is treated as server S_j by user U_i without any doubt. In conclusion, Wang et al.'s scheme cannot resist the server spoofing attack.

No perfect forward secrecy
In this subsection, we point out that Wang et al.'s scheme does not possess perfect forward secrecy. Suppose that adversary E is a privileged insider who eavesdrops on user U_i's registration request message {ID_i, RPW_i} and steals user U_i's smart card SC_i. In particular, adversary E can extract the data B_i, C_i, D_i, V_i and P_i from smart card SC_i. More details are described as follows.
1. Firstly, adversary E computes h(PSK) = B_i ⊕ C_i and collects user U_i's login request mes-
2. Secondly, adversary E calculates N_1 = RPW_i ⊕ M_1 ⊕ h(PSK) and further collects server
Therefore it is demonstrated that Wang et al.'s scheme is unable to achieve perfect forward secrecy.

The proposed scheme
In this section, we propose a novel biometrics-based authentication and key agreement scheme for multi-server environments, designed in light of the cryptanalysis of Wang et al.'s scheme. Our protocol is built from the collision-resistant hash function, the XOR (exclusive-or) operation and the concatenation operation. The presented scheme consists of six phases, namely the server registration phase, user registration phase, login phase, authentication phase, password change phase and user revocation/re-registration phase. There are three participants in our protocol, that is, the registration center RC, the server S_j and the user U_i. In our protocol, server S_j and user U_i join the network by registering with the registration center RC. Mutual authentication is then carried out between server S_j and user U_i alone, without involving the registration center RC. For convenience, the symbols applied in our scheme and their corresponding meanings are shown in Table 2.
In particular, our proposed scheme improves on Wang et al.'s scheme in the following aspects: 1) it resists the user impersonation attack, 2) it prevents the privileged insider attack, 3) it is secure against the server spoofing attack and 4) it provides perfect forward secrecy. More details are described in the following subsections.

Server registration phase
A new server S_j needs to execute the server registration phase with the registration center RC through a secure channel. The server registration phase of the proposed scheme is shown in Fig 2 and described below.
1. If it wants to become an authorized server in the multi-server environment, server S_j issues a join request message to the registration center RC.
2. When obtaining this join request message, the registration center RC authorizes server S_j and replies with a pre-shared key PSK and a master secret key s to server S_j by applying the Internet Key Exchange Protocol (IKEv2) over a secure channel.
3. After receiving the pre-shared key PSK and the master secret key s, the authorized server S_j adopts these shared data, such as PSK and h(PSK), to verify user U_i's legitimacy in the authentication phase.

User registration phase
A new user U_i performs the user registration phase with the registration center RC over a secure channel. The user registration phase of our scheme is illustrated in Fig 3 and explained as follows.
1. Firstly, user U_i enters his personal biometric information BIO_i at a sensor. The sensor sketches user U_i's biometrics BIO_i, extracts (R_i, P_i) from Gen(BIO_i) → (R_i, P_i), and stores user U_i's auxiliary binary string P_i in memory. Next, user U_i chooses his identity ID_i and password PW_i, and calculates RPW_i = h(R_i||PW_i). Finally, user U_i submits his registration request message {ID_i, RPW_i} to the registration center RC through a secure channel.
2. Upon obtaining this registration request message, the registration center RC adds a new entry ⟨ID_i, N_i = 1⟩ to its internal database, in which N_i denotes the number of registrations by user U_i. Then the registration center RC selects a random number u_i, and calculates

Login phase
In the login phase, smart card SC_i is able to detect errors immediately by applying user U_i's identity, password and biometric information. Specifically, the login phase is shown in the
3. Smart card SC_i generates a random number N_1, and calculates

Authentication phase
During the authentication phase, server S_j is able to confirm the destination and freshness of the login request message. The authentication phase is illustrated in Fig 5 and explained below.
1. After receiving user U_i's login request message, server S_j checks whether T_i − T_j ≤ ΔT holds, in which ΔT is a suitable time interval and T_j is the time when server S_j receives user U_i's login request message. If it holds, server S_j continues to perform the following steps. Otherwise, the login request is rejected by server S_j.
2. Server S_j retrieves
3. If this verification is valid, server S_j generates another random number N_2, and calculates the session key SK_ij = h(ID_i||SID_j||N_1||N_2) shared between user U_i and server S_j.
4.
And then smart card SC_i delivers its authentication reply {M_6} to server S_j over a public channel.
6. Server S_j further verifies whether h(SK_ij||N_1||N_2) = M_6 holds. If it does, server S_j adopts this session key SK_ij to communicate with user U_i in the following communication. Otherwise, the authentication is rejected by S_j.

Password change phase
In the password change phase, user U_i is able to update his password without any help from server S_j or the registration center RC. The password change phase includes the following steps.

User revocation/re-registration phase
If his smart card SC_i is stolen or lost, the user revocation/re-registration phase helps user U_i revoke his privilege or re-register, which makes our scheme more robust in functionality.
1. When user U_i wants to revoke his privilege, he issues his revocation request message, smart card SC_i and verification message {RPW_i} to the registration center RC through a secure channel. The registration center RC checks whether user U_i is valid. If so, the registration center RC sets the corresponding entry to ⟨ID_i, N_i = 0⟩.
2. Similarly, after obtaining a re-registration request message over a secure channel, the registration center RC performs the steps mentioned in subsection 5.2 and helps user U_i re-register by updating the entry ⟨ID_i, N_i⟩ to ⟨ID_i, N_i = N_i + 1⟩.

Analysis of the proposed scheme
In a multi-server architecture, an authentication and key agreement protocol has three important requirements, namely security, functionality and efficiency. In this section, we show that our scheme satisfies these requirements and compare the proposed protocol with others in respect of security, functionality and efficiency.

Informal security analysis
Before the formal security analysis, we analyze informally the resistance of our scheme against the following attacks. Recall that adversary E has the abilities assumed in the threat assumptions.
Resistance to replay attack. The proposed scheme applies a timestamp and a random nonce to withstand the replay attack. Even if adversary E eavesdrops on user U_i's previous login request message {M_1, M_2, M_3, B_i, D_i, T_i} and resends it to server S_j, server S_j checks the legality of this message by verifying the timeliness of the timestamp T_i and the correctness of the random nonce N_1 as below.
in which both the timestamp T_i and the random nonce N_1 differ for each session. Thus adversary E is rejected by server S_j. Therefore our protocol prevents the replay attack.
Resistance to Denial-of-Service attack. Adversary E tries to diminish or eliminate server S_j's capability by eavesdropping on and repeatedly sending user U_i's previous login request message. However, server S_j verifies the freshness of the timestamp T_i and checks whether D_i = h(N_1||RPW_i||A_i||T_i) holds. So server S_j treats adversary E as a malicious hacker and terminates the session. Furthermore, the presented scheme introduces a biometrics-based fuzzy extractor to meet the applicability of biometric information. Consequently, our protocol resists the Denial-of-Service attack.
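The freshness, key-derivation and confirmation steps that the authentication phase and the replay and Denial-of-Service arguments rely on can be exercised with the following Python program, an added example and not the authors' implementation. It reproduces only the formulas the text gives (the ΔT check, D_i = h(N_1||RPW_i||A_i||T_i), SK_ij = h(ID_i||SID_j||N_1||N_2) and M_6 = h(SK_ij||N_1||N_2)); the masking of M_1 to M_5 is not reproduced, so the server is assumed to have already recovered ID_i, N_1, RPW_i and A_i from the login request. The ΔT value, the nonce cache and the sample identities are constructed for the example.

```python
import hashlib
import secrets
from collections import namedtuple

# Added example of the authentication-phase checks; ΔT, the nonce cache and all
# sample values are assumptions, not taken from the paper.
DELTA_T = 5.0   # the scheme's ΔT in seconds (assumed value)


def h(*parts):
    """Collision-resistant hash over a||b||...; a separator keeps the fields unambiguous."""
    return hashlib.sha256(b"\x1f".join(parts)).digest()


def encode_time(t):
    return repr(float(t)).encode()


def is_fresh(t_i, t_j, delta_t=DELTA_T):
    """Step 1: accept only if the sender timestamp T_i and the receive time T_j differ
    by at most ΔT; abs() tolerates small clock skew in either direction."""
    return abs(t_j - t_i) <= delta_t


def login_tag(n1, rpw_i, a_i, t_i):
    """D_i = h(N_1||RPW_i||A_i||T_i): binds the nonce and timestamp to U_i's values."""
    return h(n1, rpw_i, a_i, encode_time(t_i))


def session_key(id_i, sid_j, n1, n2):
    """SK_ij = h(ID_i||SID_j||N_1||N_2)."""
    return h(id_i, sid_j, n1, n2)


def confirmation(sk, n1, n2):
    """M_6 = h(SK_ij||N_1||N_2), the user's authentication reply."""
    return h(sk, n1, n2)


LoginResult = namedtuple("LoginResult", "accepted reason n2 sk")


class Server:
    """S_j's side. RPW_i and A_i are assumed already recovered from the login
    request; the M_1..M_5 unmasking steps are not reproduced here."""

    def __init__(self, sid_j, rpw_i, a_i):
        self.sid_j, self.rpw_i, self.a_i = sid_j, rpw_i, a_i
        self.seen = {}   # N_1 -> T_i of accepted requests inside the ΔT window (assumed cache)

    def check_login(self, id_i, n1, d_i, t_i, now):
        """Steps 1-3: freshness, D_i check, nonce reuse, then N_2 and SK_ij."""
        self.seen = {n: t for n, t in self.seen.items() if is_fresh(t, now)}
        if not is_fresh(t_i, now):
            return LoginResult(False, "stale timestamp", None, None)
        if login_tag(n1, self.rpw_i, self.a_i, t_i) != d_i:
            return LoginResult(False, "D_i mismatch", None, None)
        if n1 in self.seen:
            return LoginResult(False, "replayed nonce", None, None)
        self.seen[n1] = t_i
        n2 = secrets.token_bytes(16)
        return LoginResult(True, "ok", n2, session_key(id_i, self.sid_j, n1, n2))

    def check_confirmation(self, sk, n1, n2, m6):
        """Step 6: M_6 must equal h(SK_ij||N_1||N_2)."""
        return confirmation(sk, n1, n2) == m6


def simulate():
    """Honest run, a tampered timestamp, and the same request replayed inside and
    outside the ΔT window. All values are constructed for the example."""
    id_i, sid_j = b"user-i", b"server-j"
    rpw_i, a_i = h(b"R_i", b"PW_i"), h(b"A_i")
    server = Server(sid_j, rpw_i, a_i)
    t_i = 1000.0
    n1 = secrets.token_bytes(16)
    d_i = login_tag(n1, rpw_i, a_i, t_i)
    first = server.check_login(id_i, n1, d_i, t_i, now=t_i + 1.0)
    # steps 4-5: U_i derives the same key from N_2 and replies with M_6
    user_sk = session_key(id_i, sid_j, n1, first.n2)
    m6 = confirmation(user_sk, n1, first.n2)
    confirmed = server.check_confirmation(first.sk, n1, first.n2, m6)
    tampered = server.check_login(id_i, n1, d_i, t_i + 0.5, now=t_i + 1.0)
    replay_soon = server.check_login(id_i, n1, d_i, t_i, now=t_i + 2.0)
    replay_late = server.check_login(id_i, n1, d_i, t_i, now=t_i + 60.0)
    return {"first": first, "confirmed": confirmed, "tampered": tampered,
            "replay_soon": replay_soon, "replay_late": replay_late}


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome if isinstance(outcome, bool) else outcome.reason)
```

The two rejection paths in `simulate()` are the ones the replay argument needs: a message replayed after ΔT fails the timestamp check, and one replayed inside the window fails on the reused N_1, which is why a server needs a short-lived nonce cache in addition to the ΔT window. Editing T_i to pass the freshness check does not help either, because D_i covers T_i, which is the check the Denial-of-Service paragraph relies on.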
Resistance to password guessing attack. Using power consumption, adversary E applies side-channel attacks such as SPA or DPA to extract the sensitive data A_i, C_i, E_i, V_i and P_i from user U_i's smart card SC_i. But he is unable to verify whether a guess of user U_i's password PW_i is correct, either on-line or off-line, without the biometric information BIO_i, the pre-shared key PSK, the master secret key s and the random nonce N_1. Specifically, the unpredictable binary string R_i, which possesses high entropy, protects user U_i's password PW_i in the proposed scheme. In conclusion, our protocol is secure against the password guessing attack.
Resistance to smart card attack. Without the password PW_i or the biometric information BIO_i, adversary E launches the smart card attack in order to collect the sensitive data stored in smart card SC_i and pass server S_j's authentication. In the presented scheme, adversary E is able to acquire user U_i's sensitive data A_i, C_i, E_i, V_i and P_i, which are saved in smart card SC_i, by SPA or DPA. The session key SK_ij between user U_i and server S_j is calculated as follows.
It is feasible for adversary E to obtain M_1 and M_4 through a public channel. However, it is very difficult for him to retrieve the random nonces N_1 or N_2. As a result, our protocol withstands the smart card attack.
Resistance to user impersonation attack. Under the user impersonation attack, adversary E, who is an outside hacker, tries to impersonate user U_i without the password PW_i or the biometric information BIO_i. In the proposed scheme, adversary E is unable to acquire h(PSK) even if he eavesdrops on user U_i's previous login request message {M_1, M_2, M_3, B_i, D_i, T_i} and extracts user U_i's sensitive data from smart card SC_i by SPA or DPA. Thus, adversary E cannot retrieve the random numbers N_1 and N_2 or the session key SK_ij. Therefore, our protocol is secure against the user impersonation attack.
Resistance to privileged insider attack. Adversary E, who is a malicious insider with the privilege to access an authorized system, attempts to impersonate user U_i. To this end, adversary E collects user U_i's registration request message {ID_i, RPW_i} and steals his smart card SC_i. However, it is impossible for adversary E to obtain h(PSK) and B_i. Even if the sensitive data A_i, C_i, E_i, V_i and P_i are extracted from user U_i's smart card SC_i, adversary E is unable to deliver a correct login request message {M_1, M_2, M_3, B_i, D_i, T_i}. Furthermore, he cannot retrieve the password PW_i or the biometric information BIO_i. In conclusion, our protocol resists the privileged insider attack.
Resistance to server spoofing attack. Assume that adversary E, who is a malicious insider but not another server S_k, is able to steal user U_i's smart card SC_i and eavesdrop on his registration request message {ID_i, RPW_i}. Adversary E tries to masquerade as server S_j to spoof user U_i by collecting the sensitive data A_i, C_i, E_i, V_i and P_i. But it is hard to retrieve h(PSK), so adversary E cannot be authenticated by user U_i successfully: he cannot acquire the random number N_1 or form a valid authentication request message {M_4, M_5}. Thus adversary E's attempt fails. Consequently, our protocol prevents the server spoofing attack.
Resistance to modification attack. Even if adversary E attempts to modify some intercepted messages for further authentication, the proposed protocol is able to check whether the received messages are valid with the assistance of the collision-resistant hash function. Moreover, adversary E has no capability to retrieve N_1, N_2 or h(PSK) from any intercepted message, so he cannot generate a legitimate authentication message. As a result, our protocol is secure against the modification attack.
Resistance to stolen-verifier attack. In the proposed protocol, neither server S_j nor the registration center RC possesses any information about user U_i's password or biometrics. Concretely, there is no password verifier or biometrics verifier in the database of server S_j or the registration center RC. Thus, adversary E cannot launch the stolen-verifier attack even if he has the authority to access the database. Consequently, our protocol withstands the stolen-verifier attack.

Possession of anonymity. During the login phase of the proposed scheme, user U_i calculates his dynamic identity M_2 = ID_i ⊕ K_i, in which K_i cannot be retrieved by adversary E from any request or reply message. Thus, adversary E has no way to acquire user U_i's identity ID_i. However, upon receiving user U_i's login request message, the authorized server S_j calculates u_i = B_i ⊕ h(PSK) and further computes K_i = h(SID_j||h(PSK||u_i)), so that user U_i passes server S_j's authentication anonymously. In other words, user U_i's real identity ID_i is not disclosed to any unauthorized participant. Therefore our protocol provides anonymity.
Possession of perfect forward secrecy. Perfect forward secrecy protects past session keys even if the long-term key is retrieved. Specifically, the session key SK_ij in the proposed scheme is generated as follows.
Even if the long-term key h(PSK) is obtained by adversary E, it is impossible to compute the sensitive data RPW_i, K_i and PSK. Thus adversary E is unable to obtain the random numbers N_1 or N_2, and it is hard for him to retrieve the session key SK_ij between user U_i and server S_j. Therefore, our protocol provides perfect forward secrecy.

Formal security analysis
In this subsection, we provide a formal security analysis and demonstrate that the proposed scheme is secure. For this purpose, we define the oracle Reveal as below: it unconditionally retrieves the original input x from the collision-resistant hash function y = h(x). Details of the formal security analysis are given in the following theorem.
Theorem. Suppose that the collision-resistant hash function h(·) behaves closely like the oracle Reveal. Then our protocol is provably secure in protecting the sensitive data, which include the registration center RC's master secret key s, the pre-shared key PSK between the registration center RC and server S_j, and user U_i's identity ID_i and password PW_i.
Proof. With the assistance of the oracle Reveal, we assume that adversary E has the capacity to retrieve the registration center RC's master secret key s, the pre-shared key PSK between the registration center RC and server S_j, and user U_i's identity ID_i and password PW_i. Adversary E executes the following experimental algorithm EXP^HASH_{E,AKAS}, in which AKAS denotes the presented scheme. More details about Algorithm EXP^HASH_{E,AKAS} are explained in the
Reveal) ≤ ε, our protocol is secure against adversary E for any sufficiently small ε > 0. Adversary E wins this game if it is possible to retrieve the original input x from the collision-resistant hash function y = h(x). However, retrieving the original input x is a computationally infeasible problem. Therefore, for any sufficiently small ε > 0, max_E{Success} = Adv(t, q_Reveal) ≤ ε. As a result, our protocol is provably secure in protecting the registration center RC's master secret key s, the pre-shared key PSK between the registration center RC and server S_j, and user U_i's identity ID_i and password PW_i.

Security analysis with BAN logic
As an important verification tool, Burrows-Abadi-Needham (BAN) logic has a set of rules [66]. In security analysis, BAN logic is used for defining and analyzing information exchange schemes, especially authentication and key agreement protocols. In particular, BAN logic is able to verify whether exchanged information is trustworthy [67]. In this subsection, we apply BAN logic to prove that the session key SK ij between server S j and user U i is correctly generated during the authentication phase of our protocol. For convenience, the symbols of BAN logic and their corresponding meanings are shown in Table 4.
The BAN logical postulates. 1. The message-meaning rule, namely, (A |≡ A ↔K B, A ◁ {X} K ) / (A |≡ B |∼ X). That is, if principal A believes that principal A and principal B share session key K, and principal A sees that statement X is encrypted by session key K, then principal A believes that principal B once said the statement X.

11. Apply the oracle Reveal to extract the values SID j ' and h(PSK||u i )' from Reveal(K i ') → (SID j ' || h(PSK||u i )').
12. Further apply the oracle Reveal to extract the values PSK' and u i ' from Reveal(h(PSK||u i )') → (PSK' || u i ').
13. Accept s', PSK', ID i ' and PW i ' as registration center RC's master secret key s, the pre-shared key PSK between registration center RC and server S j , user U i 's identity ID i and password PW i , respectively.
The jurisdiction rule: if principal A believes that principal B has jurisdiction over the truth of statement X and principal B believes the truth of statement X, then principal A believes the truth of statement X.
The idealized scheme.
The establishment of security goals. g1.
The security analysis. a1. Because of p5 and S j ◁ <N 1 , ID i , RPW i > K i , we execute the message-meaning rule to obtain S j |≡ U i |∼ (N 1 , ID i , RPW i ).
Notations of BAN logic (Table 4):
A ⇒ X: Principal A has jurisdiction over the truth of statement X.
#X: Statement X is fresh.
A ◁ X: Principal A sees the statement X.
A |∼ X: Principal A once said the statement X.
{X, Y} K : Statements X and Y are encrypted by session key K.
(X, Y) K : Statements X and Y are hashed by session key K.
a3. Because of p10 and S j ◁ (U i ↔SK ij S j , N 2 ) N 1 , we use the message-meaning rule to derive
a4. Since p4 and a3, we apply both the freshness-conjuncatenation rule and the nonce-verification rule to get
g3. Because of a4, we execute the belief rule to obtain S j |≡ U i |≡ U i ↔SK ij S j .
g4. Since p11 and g3, we adopt the jurisdiction rule to acquire S j |≡ U i ↔SK ij S j .
a5. Because of p6 and U i ◁ (ID i , N 1 , N 2 ) SID j , we use the message-meaning rule to derive
a6. Since p2 and a5, we apply both the freshness-conjuncatenation rule and the nonce-verification rule to get U i |≡ S j |≡ (ID i , N 1 , N 2 ).
a7. Because of a6, we execute the belief rule to obtain U i |≡ S j |≡ N 2 .
a8. Since p2 and a7, we adopt the jurisdiction rule to acquire U i |≡ N 2 .
a9. Because of p8, p9 and a2, we execute both the belief rule and the jurisdiction rule to obtain S j |≡ ID i .
g1. Since p1, p3, p4, p6, p7, a8, a9 and SK ij = h(ID i ||SID j ||N 1 ||N 2 ), we adopt both the freshness-conjuncatenation rule and the nonce-verification rule to acquire
g2. Because of g1 and p12, we use the jurisdiction rule to derive
Above all, the results mentioned above demonstrate that our protocol generates the shared session key SK ij correctly between server S j and user U i .

Functionality analysis
It is necessary to meet the functionality requirements which include mutual authentication, session key agreement, user revocation/re-registration and biometric information protection. In this section, we demonstrate that our protocol provides all functionality mentioned above. More details relating to functionality analysis are shown as below.
Mutual authentication. In the presented scheme, user U i and server S j authenticate each other by means of some sensitive data, namely N 1 , N 2 , K i , T i and SK ij . In particular, server S j checks whether h(N 1 ||RPW i ||A i ||T i ) = D i and h(SK ij ||N 1 ||N 2 ) = M 6 hold. Similarly, user U i verifies whether h(SID j ||N 1 ||N 2 ||ID i ) is consistent with M 5 . As a result, our protocol achieves mutual authentication.
Session key agreement. During the authentication phase, the session key SK ij = h(ID i ||SID j ||N 1 ||N 2 ) between server S j and user U i is established to protect the subsequent communications. In particular, both N 1 and N 2 change in every authentication phase, so that the session key SK ij is different in each session. Furthermore, it is hard for adversary E to retrieve the session key SK ij . In conclusion, our protocol possesses session key agreement.
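The dynamic-identity step from the anonymity discussion (M 2 = ID i ⊕ K i , with K i = h(SID j ||h(PSK||u i )) rebuilt by the server from B i ) together with the M 5 / M 6 checks and the derivation SK ij = h(ID i ||SID j ||N 1 ||N 2 ), as an added Python example that is not the paper's own code. The registration step drawing u i and forming B i = u i ⊕ h(PSK), the 20-byte SHA-1 field sizes, and the transport of N 1 and N 2 (taken as already delivered) are assumptions for the example.

```python
import hashlib
import os

# Added example, not the paper's code. Field sizes follow the paper's
# efficiency assumptions: SHA-1 output, identities and nonces of 20 bytes.
FIELD = 20

def h(*parts: bytes) -> bytes:
    """Collision-resistant hash h(x_1 || x_2 || ...) instantiated with SHA-1."""
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def register(psk: bytes, sid_j: bytes) -> tuple:
    """RC side (assumed): draw u_i, give the user K_i = h(SID_j||h(PSK||u_i)) and B_i = u_i XOR h(PSK)."""
    u_i = os.urandom(FIELD)
    return h(sid_j, h(psk, u_i)), xor(u_i, h(psk))

def server_k_i(b_i: bytes, sid_j: bytes, psk: bytes) -> bytes:
    """Server side: u_i = B_i XOR h(PSK), then K_i = h(SID_j || h(PSK || u_i))."""
    return h(sid_j, h(psk, xor(b_i, h(psk))))

def run_session(id_i, sid_j, psk, k_i, b_i, server_psk=None):
    """One login/authentication run; N_1 and N_2 are taken as already delivered.
    server_psk lets a server holding a wrong PSK be tried (mutual-authentication check)."""
    server_psk = psk if server_psk is None else server_psk
    # Login phase: user picks N_1 and builds the dynamic identity M_2 = ID_i XOR K_i.
    n1 = os.urandom(FIELD)
    m2 = xor(id_i, k_i)
    # Server: rebuild K_i from B_i and PSK, unmask ID_i, pick N_2,
    # derive SK_ij = h(ID_i || SID_j || N_1 || N_2) and send M_5.
    id_at_server = xor(m2, server_k_i(b_i, sid_j, server_psk))
    n2 = os.urandom(FIELD)
    sk_server = h(id_at_server, sid_j, n1, n2)
    m5 = h(sid_j, n1, n2, id_at_server)
    # User: verify M_5 = h(SID_j || N_1 || N_2 || ID_i); a server that could not
    # recover ID_i fails here, so the user never derives or uses a key with it.
    if m5 != h(sid_j, n1, n2, id_i):
        return None
    sk_user = h(id_i, sid_j, n1, n2)
    m6 = h(sk_user, n1, n2)
    # Server: verify M_6 = h(SK_ij || N_1 || N_2).
    if m6 != h(sk_server, n1, n2):
        return None
    return {"id_recovered": id_at_server == id_i,
            "keys_match": sk_user == sk_server, "sk": sk_user, "m2": m2}

def demo() -> dict:
    """Two honest runs (fresh key each time) and one run against a server with a wrong PSK."""
    psk, sid_j, id_i = os.urandom(FIELD), os.urandom(FIELD), os.urandom(FIELD)
    k_i, b_i = register(psk, sid_j)
    return {"first": run_session(id_i, sid_j, psk, k_i, b_i),
            "second": run_session(id_i, sid_j, psk, k_i, b_i),
            "wrong_psk": run_session(id_i, sid_j, psk, k_i, b_i, os.urandom(FIELD)),
            "id_i": id_i}
```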
User revocation/re-registration. It is necessary for user U i to be able to revoke or re-register his privilege. In the presented scheme, registration center RC helps user U i achieve revocation or re-registration by modifying the entry ⟨ID i , N i ⟩ upon obtaining user U i 's revocation or re-registration request message via a secure channel. Above all, our protocol achieves user revocation/re-registration.
Biometric information protection. In some conventional schemes, user U i 's biometric information BIO i is directly stored in his smart card SC i without appropriate protection. Thus adversary E is able to extract user U i 's biometrics BIO i from a lost or stolen smart card SC i through side channel attacks. In order to solve this problem, we apply a high error-tolerant mechanism to save user U i 's biometric information BIO i . Besides, collision-resistant hash function protects the unpredictable binary string R i . So it is impossible for adversary E to extract user U i 's biometric information BIO i . In conclusion, our protocol possesses the biometric information protection.

Efficiency analysis
In this subsection, we estimate the storage requirement, communication overhead and computational cost of the presented scheme. More details about efficiency analysis are shown as below.
Storage requirement. For the storage requirement, we take the messages stored in user U i 's smart card SC i as the storage overhead. In particular, the byte length of each nonce N 1 and N 2 is 20, the byte length of user U i 's identity ID i is 20, the byte length of timestamp T i is 2 and the byte length of the collision-resistant hash function's output is 20 if we apply SHA-1. Thus, we are able to calculate the byte length of the stored data in the proposed scheme. As a result, all saved messages {A i , C i , E i , V i , P i } require 20 + 20 + 20 + 20 + 20 = 100 bytes of storage.
Communication overhead. In order to estimate the communication overhead, we consider user U i 's login request message {M 1 , M 2 , M 3 , B i , D i , T i } which is submitted to server S j in the stage of login. According to assumption described above, length of this message is 20 + 20 + 20 + 20 + 20 + 2 = 102 bytes. Similarly, communication overhead that includes server S j 's authentication request message {M 4 , M 5 } and user U i 's authentication reply {M 6 } is 20 + 20 + 20 = 60 bytes during the authentication phase. Therefore, total communication overhead of our protocol is 102 + 60 = 162 bytes.
Computational cost. Considering the computational complexity, we take the number of collision-resistant hash function executions as the computational cost. Besides, it is reasonable to ignore the computational complexity of the XOR operation, which requires very little time. In an environment where the CPU is 2.20 GHz and the RAM is 2048 MB, it takes 0.0023 ms to execute the collision-resistant hash function on average [55,68]. In the presented scheme, we execute the collision-resistant hash function four times and thirteen times in the login phase and authentication phase, respectively. Above all, our protocol requires 0.0115 + 0.0299 = 0.0414 ms of computational cost.

Comparisons with related schemes
In this section, we compare the proposed protocol with other related schemes in terms of security, functionality and efficiency. In particular, our protocol is compared with some multi-server authentication schemes, such as Mishra [65]. The results show that the presented protocol is efficient in the aspects mentioned above.
In particular, Table 5 lists the security comparison between various authentication schemes and ours. For convenience, we define some following notations in the Table 5, where R1 represents the resistance to replay attack, R2 represents the resistance to Denial-of-Service attack, R3 represents the resistance to password guessing attack, R4 represents the resistance to smart card attack, R5 represents the resistance to user impersonation attack, R6 represents the resistance to privileged insider attack, R7 represents the resistance to server spoofing attack, R8 represents the resistance to modification attack, R9 represents the resistance to stolen-verifier attack, R10 represents the possession of anonymity and R11 represents the possession of perfect forward secrecy. Concretely, Mishra et al.'s scheme [50] cannot resist the replay attack, Denial-of-Service attack, smart card attack, user impersonation attack, privileged insider attack and server spoofing attack. Also their scheme is unable to provide the anonymity and perfect forward secrecy. According to the cryptanalysis in Ref. [69], Lin et al.'s scheme [53] is insecure against the user impersonation attack and server spoofing attack. And their scheme fails to possess the anonymity. Wang et al.'s scheme [61] cannot prevent the user impersonation attack, privileged insider attack and server spoofing attack. Also their scheme is unable to achieve the perfect forward secrecy. Due to the cryptanalysis in Ref. [70], Chaudhry et al.'s scheme [64] is insecure against the Denial-of-Service attack and cannot provide the perfect forward secrecy. Consequently, result demonstrates that our protocol achieves all security properties.
Besides, Table 6 shows the functionality comparison between some related schemes and ours. Also we further compare our protocol with Reddy et al.'s scheme [69] and Irshad et al.'s scheme [71] which are other improved schemes. In the Table 6, we apply some following notations, where F1 represents the mutual authentication, F2 represents the session key agreement, F3 represents the user revocation/re-registration and F4 represents the biometric information protection. Concretely, Mishra et al.'s scheme [50] cannot provide the user revocation/re-registration. Similarly, Lin et al.'s scheme [53] fails to achieve the user revocation/re-registration. As a result, our protocol provides more functionality properties.
Specifically, Table 7 and Fig 6 show the computational cost comparison between various related schemes and ours in both the login phase and the authentication phase. For convenience, we use the following notations in Table 7, where C1 represents the computational cost during the login phase, C2 represents the execution overhead during the login phase, C3 represents the computational cost during the authentication phase, C4 represents the execution overhead during the authentication phase and C5 represents the total execution overhead. Besides, T h represents the computation time for the collision-resistant hash function, T p represents the computation time for point multiplication on an elliptic curve, T s represents the computation time for symmetric encryption/decryption and T c represents the computation time for the Chebyshev chaotic map. According to the execution overhead given in [55] and [68], in an environment where the CPU is 2.20 GHz and the RAM is 2048 MB, it takes about 2.2260 ms, 0.0046 ms and 0.0045 ms to execute elliptic curve point multiplication, symmetric encryption/decryption and the Chebyshev chaotic map, respectively. Compared with the other schemes, the result indicates that our protocol requires the lower computational cost. Furthermore, Table 8 and Fig 7 show the comparisons regarding communication overhead and storage requirement. Similarly, we adopt the following notations in Table 8, where S1 represents the communication overhead during the login phase, S2 represents the communication overhead during the authentication phase, S3 represents the total communication overhead and S4 represents the storage requirement. With the same level of storage requirement, our protocol shows a satisfactory performance on communication overhead. Both Reddy et al. [69] and Irshad et al. [71], who proposed other improvements of Wang et al.'s scheme, have also done good work. In this sense, our work is in the same line as these groups.
However, there are notable characteristics that distinguish our work. After the cryptanalysis of Wang et al.'s scheme, we have applied novel methods to remedy their weaknesses, which are not included in the other improved schemes. For example, we have adopted new ways to resist the user impersonation attack, privileged insider attack and server spoofing attack, and to provide the perfect forward secrecy, respectively. Furthermore, our work focuses on reducing the computational complexity and providing more functionalities in a distinct way. In particular, compared with the other improved works, our scheme has obvious advantages in computational complexity with the same level of communication overhead and storage requirement.

Conclusion
This paper cryptanalyzes Wang et al.'s scheme. In particular, we show that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol fails to provide the perfect forward secrecy. As a remedy for these problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments that improves Wang et al.'s scheme. Discussions relating to security, functionality and efficiency are carried out, and the results show that the proposed scheme satisfies the requirements mentioned above. Compared with other related schemes, our protocol achieves stronger security and provides more functionality properties. Besides, the presented scheme requires the lower computational cost and shows a satisfactory performance on communication overhead with the same level of storage requirement. Thus, the proposed protocol is suitable for expert systems and other multi-server architectures, such as on-line medicine systems and on-line shopping systems. Consequently, we conclude that our protocol is more appropriate in multi-server environments.