Figures
Abstract
In multi-server environments, user authentication is a very important issue because it provides the authorization that enables users to access their data and services; furthermore, remote user authentication schemes for multi-server environments have solved the problem that has arisen from user’s management of different identities and passwords. For this reason, numerous user authentication schemes that are designed for multi-server environments have been proposed over recent years. In 2015, Lu et al. improved upon Mishra et al.’s scheme, claiming that their remote user authentication scheme is more secure and practical; however, we found that Lu et al.’s scheme is still insecure and incorrect. In this paper, we demonstrate that Lu et al.’s scheme is vulnerable to outsider attack and user impersonation attack, and we propose a new biometrics-based scheme for authentication and key agreement that can be used in multi-server environments; then, we show that our proposed scheme is more secure and supports the required security properties.
Citation: Moon J, Choi Y, Jung J, Won D (2015) An Improvement of Robust Biometrics-Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards. PLoS ONE 10(12): e0145263. https://doi.org/10.1371/journal.pone.0145263
Editor: Yongtang Shi, Nankai University, CHINA
Received: June 2, 2015; Accepted: November 30, 2015; Published: December 28, 2015
Copyright: © 2015 Moon et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited
Data Availability: All relevant data are within the paper.
Funding: This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT, and Future Planning (2014R1A1A2002775) (http://www.nrf.re.kr/nrf_eng_cms/). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
Competing interests: The authors have declared that no competing interests exist.
Introduction
Since Lamport [1] proposed the first password-based authentication scheme for insecure communications in 1981, password-based authentication schemes [2–6] have been extensively investigated. The remote user authentication scheme is one of the most convenient authentication schemes for dealing with the transmission of secret data over insecure communication channels, and during the last two decades, many researchers have proposed different remote user authentication schemes.
A problem that occurs with respect to password-based authentication schemes, however, is that a server must maintain a password table for the verification of the legitimacy of a login user; therefore, the server requires additional memory space to store the password table. For this reason, many researchers have proposed a new type of remote user authentication scheme whereby the biological characteristics of persons such as a fingerprint or an iris are used. The main advantageous property of biometrics is uniqueness, leading to the proposal of numerous remote user authentication schemes [7–13] that use biological characteristics. In 2008, Tsai [14] proposed an efficient multi-server authentication scheme using a random number and the one-way hash function; after that, a considerable succession of authenticated key agreement schemes was presented for multi-server environments [15–17]. In 2012, Li et al. [18] proposed a novel authenticated key exchange scheme for multi-server environments; unfortunately, however, Xue et al. [19] found that Li et al.’s scheme did not resist some types of known attacks such as replay, denial of service, forgery, and off-line password guessing. Xue et al. therefore proposed an improved scheme to remedy the weaknesses of Li et al.’s scheme; nevertheless, Lu et al. [20] showed that Xue et al.’s scheme is not only very insecure against impersonation and insider attacks, but that it is also vulnerable to off-line password guessing attack. To overcome the vulnerability of Xue et al.’s scheme, Lu et al. then proposed a slightly modified authentication scheme for multi-server environments. Recently, Chuang et al. [21] presented an efficient, biometrics-based, smart card authentication scheme for a multi-server environment that was previously considered as one that comprises more security properties; however, Mishra et al. [22] found that Chuang et al.’s scheme is vulnerable to a stolen smart card, server spoofing, and impersonation attacks. Mishra et al. also proposed an improved biometrics-based, multi-server authenticated key agreement scheme for which smart cards are used, and they claimed that their scheme satisfied all of the desirable security requirements; unfortunately, Lu et al. [23] showed that Mishra et al.’s scheme did not satisfy key security attributes including replay attack and the incorrect password change phase. Lu et al. then proposed a biometrics-based smart card scheme for authentication and key agreement that can be used in multi-server environments, claiming that their scheme is secure against a variety of known attacks; however, we found that Lu et al.’s scheme is still insecure and is incorrect regarding the login and authentication phase.
In this paper, we concentrate on the security weaknesses of Lu et al.’s biometrics-based authentication scheme. After a careful analysis, we found that their scheme does not effectively resist outsider and impersonation attacks; to resolve these security vulnerabilities, we propose a new biometrics-based scheme for authentication and key agreement that can be used in a multi-server environment. In addition, we demonstrate that the proposed scheme provides a strong authentication defense against a number of attacks including the attacks of the original scheme. Lastly, we compare the performance and functionality of the proposed scheme with other related schemes.
The rest of the paper is organized as follows: In section 2 and section 3, we review and analyze, respectively, Lu et al.’s scheme; in Section 4, we propose an improved authentication scheme for multi-server environments; in section 5, we present a security analysis of our scheme; section 6 shows security and performance analyses whereby our scheme is compared with previous schemes; and, our conclusion is presented in section 7.
Review of Lu et al.’s scheme
In this section, we will review Lu et al.’s biometrics-based scheme for authentication and key agreement that can be used in a multi-server environment. The following three participants are involved: the user Ui, the server Sj, and the registration center RC. The RC chooses a secret key PSK and a secret number x and shares them with Sj over a secure channel. The scheme consists of the registration, login and authentication, and password updating. For convenience, some of the notations that are used in Lu et al.’s scheme are described in Table 1.
Registration
- Ui enters his/her biometrics BIOi, identity IDi and password PWi; then, Ui sends {IDi, h(PWi ∥ H(BIOi))} to the RC.
- After receiving the message from Ui, the RC computes Xi = h(IDi ∥ x), Vi = h(IDi ∥ h(PWi ∥ H(BIOi))); then, the RC stores {Xi, Vi, h(PSK)} onto a smart card and submits them to Ui.
- Ui computes Yi = h(PSK) ⊕ y, and replaces h(PSK) with Yi, lastly, the smart card stores the values of {Xi, Yi, Vi, h(⋅)}.
Login and authentication
- Ui inserts his/her smart card into the device and enters his/her identity IDi, password PWi and biometrics BIOi; then, the smart card validates whether
is equal to the stored Vi; if validation occurs, the smart card generates a random number n1 and computes K = h((Yi ⊕ y) ∥ SIDj), M1 = K ⊕ IDi, M2 = n1 ⊕ K, M3 = h(PWi ∥ H(BIOi)) ⊕ K, and Zi = h(Xi ∥ n1 ∥ h(PWi ∥ H(BIOi)) ∥ T1). Lastly, Ui sends {Zi,M1,M2,M3,T1} to Sj over a public channel, where T1 is the current timestamp.
- After receiving the message from Ui, Sj first checks whether Tc − T1 ≤ △T and then computes K = h(SIDj ∥ h(PSK)) by using a secure pre-shared key PSK; then Sj retrieves IDi = M1 ⊕ K, n1 = M2 ⊕ K, h(PWi ∥ H(BIOi)) = M3 ⊕ K. Sj subsequently computes Xi = h(IDi ∥ x) and verifies whether
; if it holds, Sj generates a random number n2 and computes SKji = h(n1 ∥ n2 ∥ K ∥ Xi), M4 = n2 ⊕ h(n1 ∥ h(PWi ∥ H(BIOi)) ∥ Xi), and M5 = h(IDi ∥ n1 ∥ n2 ∥ K ∥ T2). Then, Sj sends back the authentication message {M4,M5,T2} to Ui, where T2 is the current timestamp.
- Upon checking the freshness of T2, Ui first computes n2 = M4 ⊕ h(n1 ∥ h(PWi ∥ H(BIOi)) ∥ Xi) and then verifies whether h(IDi ∥ n1 ∥ n2 ∥ K ∥ T2) is equal to the received M5; if they are equal, Ui computes the common session key SKij = h(n1 ∥ n2 ∥ K ∥ Xi) and sends {M6 = h(SKij ∥ IDi ∥ n2 ∥ T3), T3} to Sj, where T3 is the current timestamp.
- Sj verifies the freshness of T3 and the correctness of M6 by using SKji, and if they do not hold, Sj stops the execution; otherwise, Sj confirms the common session key SKji with Ui.
Password updating
Ui first inputs his/her smart card into the device and provides his/her identity IDi, password PWi and biometrics BIOi. The smart card then validates whether is equal to the stored Vi; if they are equal, Ui keys in the new password PWi(new), but otherwise the smart card refuses the request. Lastly, the smart card computes Vi(new) = h(IDi ∥ h(PWi(new) ∥ H(BIOi))) and replaces Vi by Vi(new).
Security analysis of Lu et al.’s scheme
According to [24, 25], in the basic adversary model, a probabilistic polynomial-time (PPT) adversary can have a full control over all communication messages. The adversary
then can read, modify or delete all communication messages transmitted between a user and the server. Furthermore, power analysis attacks [26] can extract all of the information from the smart card by using the side channel attack. Lu et al. claimed that their scheme could resist a session-key attack; however, we demonstrated that their scheme is still insecure against a session key attack. We also found that their scheme is unable to provide protection against outsider and user impersonation attacks, and it cannot support user anonymity; furthermore, a number of the phases of Lu et al.’s scheme are not correct and we point out the details of these problems in the following subsections.
Incorrect login phase
During the login phase, the user Ui inserts his/her smart card into the card reader, inputs his/her identity IDi, password PWi, and then imprints his/her biometrics BIOi at the sensor. The smart card then validates whether is equal to the stored Vi; if it holds, the smart card should compute K = h((Yi ⊕ y) ∥ SIDj), but this is actually impossible because the secret key y does not exist in the smart card. Lu et al. claimed that even if an adversary
has gathered the information {Xi,Yi,Vi,h(⋅)} that is stored in Ui’s smart card,
cannot figure out the login request message {Zi,M1,M2,M3,T1} without the secret key y; therefore, we assumed that the secret key y is entered by user Ui during the login process.
Incorrect authentication phase
During the authentication phase, the server Sj computes K = h(SIDj ∥ h(PSK)) by using a secure pre-shared key PSK; however, the value K = h(SIDj ∥ h(PSK)) cannot be made equal to K = h((Yi ⊕ y) ∥ SIDj) = h(h(PSK)∥SIDj) by computing Ui. We therefore assumed that server Sj computes K = h(h(PSK) ∥ SIDj)).
Outsider Attack
During the registration phase, the RC stores {Xi,Vi,h(PSK)} onto a smart card and submits them to Ui. After receiving the smart card, Ui computes Yi = h(PSK) ⊕ y, and replaces h(PSK) with Yi. Let who is in possession of the smart card extracted information
, be an active adversary of the legal user; then,
can easily compute K = h(h(PSK)||SIDj) that is the same for each legal user that belongs in the server Sj. Furthermore, if
intercepts his/her own login request message
, then
can also compute
.
Violation of the Session Key Security
Suppose an outsider adversary intercepts the communication between Ui and Sj and steals the smart card of Ui; then, he/she can obtain all of the messages {Zi,M1,M2,M3,M4,M5,M6,T1,T2,T3} and extract the information {Xi,Yi,Vi,h(⋅)}, thereby easily obtaining the session key that is transmitted between Ui and Sj. The details are described as follows.
-
computes n1 = M2 ⊕ K, IDi = K ⊕ M1, and h(PWi ∥ H(BIOi)) = M3 ⊕ K.
- Then,
can compute n2 = M4 ⊕ h(n1 ∥ h(PWi ∥ H(BIOi)) ∥ Xi); therefore,
can obtain the session key SKij = h(n1 ∥ n2 ∥ K ∥ Xi).
User Impersonation Attack
As described in this subsection, can also impersonate as a legal user to cheat Sj when he/she knows the value of K. The details are described as follows.
-
generates a random number
and computes M1 = K ⊕ IDi,
, M3 = K ⊕ h(PWi ∥ H(BIOi)) and
; then,
sends the login request message
to server Sj, where
is the current timestamp.
- After receiving the login request message from
who pretends to be Ui, the message can successfully pass Sj’s verification and Sj performs the subsequent scheme normally. Lastly, Sj sends the authenticated message
to
, where
and
are the random number and the current timestamp on the server side, respectively.
- Upon receiving the login response message from Sj,
computes
,
, and
, and sends the message
to Sj, where
is the current timestamp.
- Upon receiving the message from
, Sj continues to proceed with the scheme without detection. Lastly,
and Sj “successfully” agree on the session key SKij, but unfortunately Sj mistakenly believes that he/she is communicating with the legitimate, genuine Ui.
User is not anonymous
Lu et al. claimed that Ui’s identity IDi is well protected by the shared parameter K that is used as a substitute for the actual parameters. Additionally, an unauthorized server cannot obtain IDi without knowing K, since K is protected by a secret key PSK that is only known by the authorized server and is not exposed on the open channel. We found, however, that if the outsider adversary can obtain h(PSK), then he/she can compute K = h(h(PSK) ∥ SIDj); furthermore,
can also compute
without h(PSK), meaning that
can compute IDi = M1 ⊕ K. We therefore concluded that Lu et al.’s scheme cannot provide user anonymity.
Our proposed scheme
In this section, we will propose a new biometrics-based password authentication scheme for multi-server environments. In our scheme, there are also three participants, as follows: the user Ui, the server Sj, and the registration center RC. The RC chooses a secret key PSK and a secret number x, and then shares them with Sj over a secure channel. Our proposed scheme consists of the following four phases as shown in Fig 1: registration, login, authentication, and password changing. For convenience, some of the notations that are used in our proposed scheme are described in Table 2.
Registration phase
- Ui inputs his/her biometrics BIOi and selects an identity IDi and a password PWi. Then, Ui computes PWDi = h(PWi ∥ H(BIOi)) and sends {IDi, PWDi} to the RC.
- After receiving the registration request message from Ui, the RC generates a random number yi that is unique to Ui. Then, the RC computes Vi = h(IDi ∥ PWDi), Wi = h(yi ∥ PSK) ⊕ IDi, Xi = h(IDi ∥ x), and Yi = yi ⊕ h(PSK), followed by the storage of {Vi,Wi,Xi,Yi,h(⋅),H(⋅)} by the RC onto a smart card and the submission of them to Ui.
- The RC sends the smart card SCi to Ui over a secure channel and the registration phase is therefore complete.
Login phase
- Ui inserts his/her smart card into the card reader and enters identity IDi, password PWi and imprints biometrics BIOi; then, the smart card SCi computes PWDi = h(PWi ∥ H(BIOi)) to validate whether
is equal to the stored Vi. If it holds, the smart card generates a random number n1 and computes K = h((Wi ⊕ IDi) ∥ SIDj), M1 = K ⊕ IDi, M2 = n1 ⊕ K, M3 = PWDi ⊕ K, and Zi = h(Xi ∥ n1 ∥ PWDi ∥ T1).
- Ui then sends {Yi,Zi,M1,M2,M3,T1} to Sj over a public channel, where T1 is the current timestamp.
Authentication phase
- After receiving the login request message from Ui, Sj first checks whether Tc − T1 ≤ △T so that it can then compute yi = Yi ⊕ h(PSK) by using a secure pre-shared key PSK; then, Sj computes K = h(h(yi ∥ PSK) ∥ SIDj), IDi = M1 ⊕ K, n1 = M2 ⊕ K, and PWDi = M3 ⊕ K. Next, Sj computes Xi = h(IDi ∥ x) and verifies whether
. If it holds, Sj generates a random number n2 and computes SKji = h(n1 ∥ n2 ∥ K ∥ Xi), M4 = n2 ⊕ h(n1 ∥ PWDi ∥ Xi), and M5 = h(IDi ∥ n1 ∥ n2 ∥ K ∥ T2). Then, Sj sends the login response message {M4,M5,T2} to Ui where T2 is the current timestamp.
- Upon checking the freshness of T2, Ui first computes n2 = M4 ⊕ h(n1 ∥ PWDi ∥ Xi) and then verifies whether h(IDi ∥ n1 ∥ n2 ∥ K ∥ T2) is equal to the received M5. If they are equal, Ui computes the common session key SKij = h(n1 ∥ n2 ∥ K ∥ Xi) and sends {M6 = h(SKij ∥ IDi ∥ n2 ∥ T3), T3} to Sj, where T3 is the current timestamp.
- Sj verifies the freshness T3 and the correctness of M6 by using SKji; if they hold, Sj confirms the common session key SKji with Ui, but otherwise, Sj terminates this session.
Password updating
The password change is done locally without the involvement of the RC. If Ui wants to change his/her password, he/she first inserts his/her smart card into a card reader and provides his/her identity IDi, password PWi and biometrics BIOi. The smart card SCi then computes PWDi = h(PWi ∥ H(BIOi)) to validate whether is equal to the stored Vi. If they are equal, SCi accepts Ui to enter a new password PWi(new), but otherwise, the smart card rejects the password changing request. Lastly, SCi computes PWDi(new) = h(PWi(new) ∥ H(BIOi)), and Vi(new) = h(IDi ∥ PWDi(new)), and replaces Vi with Vi(new).
Security analysis of our proposed scheme
In this section, we demonstrate that our scheme, which retains the merits of Lu et al.’s scheme, can withstand several types of possible attacks, and we also show that our scheme supports several security properties. The security analysis of our proposed scheme was conducted under the following four assumptions:
- An adversary
can be either a user or a server. A registered user as well as a registered server can act as an adversary.
- An adversary
can eavesdrop on every communication across public channels. He/she can capture any message that is exchanged between a user and a server.
- An adversary
has the ability to alter, delete, or reroute a captured message.
- Information can be extracted from the a smart card by examining the power consumption of the card.
Verifying the authentication scheme with BAN logic
Burrows-Abadi-Needham(BAN) logic [27] is a set of rules for the definition and analysis of information exchange protocols. Concretely, BAN logic helps its users to decide whether exchanged information is trustworthy, whether it is secured against eavesdropping, or both. In this subsection, we use BAN logic to prove that a shared session key between a user and a server can be correctly generated during the authentication process. Some of the notations and logical postulates [28] that are used in the BAN logic are described in Table 3.
- BAN logical postulates
- Message-meaning rule:
: If principal
believes that he/she shares the secret key
with
, and
sees the statement
encrypted under
. Then
believes that
once said
.
- Nonce-verification rule:
: If principal
believes that
is fresh and
believes that
once said
, then
believes that
believes
.
- The belief rule:
: If principle
believes
and
, then
believes
.
- Freshness-conjuncatenation rule:
: If principle
believes that
is fresh, then
believes
is fresh.
- Jurisdiction rule:
: If principle
believes that
has jurisdiction over
and
believes that
believes
, then
believes
.
- Message-meaning rule:
- Idealized scheme
- Ui: 〈yi〉h(PSK), 〈n1,IDi,PWDi〉K, (n1,Xi,T1)PWDi,
- Sj: 〈n1,Xi,PWDi〉n2, (IDi,n1,n2,T2)K
- Ui: 〈yi〉h(PSK), 〈n1,IDi,PWDi〉K, (n1,Xi,T1)PWDi,
- Establishment of security goals
- g1.
- g2.
- g3.
- g4.
- g1.
- Initiative premises
- p1. Ui| ≡#n1, p2. Ui| ≡Sj ⇒ #n2, p3. Sj| ≡#n1, p4. Sj| ≡#n2,
- p5.
, p6.
, p7. Ui| ≡IDi,
- p8. Sj| ≡Ui ⇒ PWDi, p9. Sj| ≡Ui ⇒ IDi, p10. Ui| ≡Sj ⇒ Xi,
- p11.
, p12.
- Our proposed scheme analysis
- a1. By p5, Sj ⊲ 〈yi〉h(PSK), and Sj ⊲ 〈ni,IDi,PWDi〉K, we apply the message-meaning rule to drive: Sj| ≡Ui| ∼(n1,IDi,PWDi)
- a2. By a1 and p3, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: Sj|≡Ui|≡(n1,IDi,PWDi)
- a3. By a2, p3 and p8, we apply the belief rule and the jurisdiction rule to derive: Sj| ≡IDi
- a4. By a3 and
, we apply the message-meaning rule to derive:
- a5. By p4 and a4, we apply the fresh conjuncatenation rule and the nonce-verification rule to drive:
- g1. By a5, we apply the belief rule to derive:
- g2. By g1 and p1, we apply the jurisdiction rule to derive:
- a6. By p6 and Ui ⊲ (IDi,n1,n2,T2)K, we apply the message-meaning rule to derive: Ui| ≡Sj|∼(IDi,n1,n2,T2)
- a7. By p2 and a6, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: Ui| ≡Sj| ≡(IDi,n1,n2,T2)
- a8. By a7, we apply the belief rule to derive: Ui| ≡Sj| ≡n2
- a9. By p2 and a8, we apply the jurisdiction rule to derive: Ui| ≡n2
- a10. By a9 and Ui ⊲ 〈n1,Xi,PWDi〉n2, we apply the message-meaning rule to derive: Ui| ≡Sj|∼(n1,Xi,PWDi)
- a11. By a10 and p1, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: Ui| ≡Sj| ≡(n1,X1,PWDi)
- g3. By p1, p3, p4, p6, a11 and SKij = h(n1 ∥ n2 ∥ K ∥ Xi), we apply the fresh conjuncatenation rule and the nonce-verification rule to derive:
- g4. By g3 and p12, we apply the jurisdiction rule to derive:
Informal security analysis
In this subsection, we verify whether our proposed scheme is secure against a variety of known attacks.
Anonymity.
Our proposed scheme can preserve the identity anonymity since IDi cannot be derived from M1 without the knowledge of K; furthermore, K cannot be derived from Yi without the random number yi and the pre-shared secret key PSK. Also, owing to the one-way hash function, IDi cannot be derived from M5. Our proposed scheme therefore provides user anonymity.
Resisting outsider attack.
Suppose that an adversary extracts all of the information
from a smart card by using side channel attack; however, he/she cannot obtain any of the secret information of Sj.
can compute
, but the value
is a random number that is unique to the user that is selected by RC and PSK is the pre-shared secret key between the RC and Sj; therefore,
does not know and our proposed scheme can resist an outsider attack.
Resisting impersonation attack.
Suppose that an adversary intercepts all of message {Yi,Zi,M1,M2,M3,M4,M5,M6,T1,T2,T3} that are transmitted over a public channel between Ui and Sj; however,
cannot generate the legal login request message {Yi,Zi,M1,M2,M3,T1}, where Yi = yi ⊕ h(PSK), Zi = h(Xi ∥ n1 ∥ PWDi ∥ T1), M1 = K ⊕ IDi, M2 = n1 ⊕ K and M3 = PWDi ⊕ K, because the value yi is a random number that is unique to the user that is selected by the RC and n1 is a random number that is generated by Ui; furthermore,
cannot generate the login response message {M4,M5,T2} without the random number n2. Our proposed scheme can therefore resist an impersonation attack.
Session key agreement.
Suppose that an adversary intercepts all of the message {Yi,Zi,M1,M2,M3,M4,M5,M6,T1,T2,T3} that are transmitted over a public channel between Ui and Sj, steals the smart card of Ui, and then extracts the all information {Vi,Wi,Xi,Yi,h(⋅),H(⋅)}; however,
cannot compute the session key SKij = h(n1 ∥ n2 ∥ K ∥ Xi). To compute K from Wi, the Ui’s identity IDi is needed. To retrieve IDi from Vi,
needs to know PWi and H(BIOi). Since only Ui can imprint the biometrics BIOi at the sensor, an adversary
cannot attain the Ui’s identity IDi and PWi. Our proposed scheme can therefore provide session key security.
Formal security analysis
In this subsection, we demonstrate the formal security analysis of our proposed scheme and show that it is secure. First, we define the following hash function [29].
Definition 1. A secure one-way hash function h: {0, 1}* → {0, 1}n, which takes an input as an arbitrary length binary string x ∈ {0, 1}* and outputs a binary string h(x) ∈ {0, 1}n, satisfies the following requirements: a. Given y ∈ Y, it is computationally infeasible to find an x ∈ X such that y = h(x):b. Given x ∈ X, it is computationally infeasible to find another x′ ≠ x ∈ X, such that h(x′) = h(x):c. It is computationally infeasible to find a pair (x′,x) ∈ X′ × X, with x′ ≠ x, such that h(x′) = h(x).
Theorem 1. Under the assumption that the one-way hash function h(⋅) closely behaves like an oracle, then our proposed scheme is provably secure against an adversary for the protection of a user’s personal information including the identity IDi, password PWi and biometrics BIOi, a server’s secret number x that is selected by the RC and a pre-shared secret key PSK that is between the RC and Sj.
Proof. The formal security proof of our proposed scheme is similar to those in [23, 29, 30]. Using the following oracle to construct who will have the ability to derive the user Ui’s identity IDi, password PWi, biometrics BIOi, the server’s secret number x that is selected by the RC, and a pre-shared secret key PSK between the RC and Sj.
Reveal: This random oracle will unconditionally output the input x from the given hash result y = h(x).
Now, runs the experimental algorithm that is shown in Table 4,
for our proposed scheme JKMSE.
If the success probability of is defined as
, the advantage function for this experiment then becomes
, where the maximum is taken over all of
with the execution time t and the number of queries qR that are made to the Reveal oracle. Consider the experiment that is shown in Table 4 for
. If
has the ability to solve the hash function problem that is provided in Definition 1, then he/she can directly derive Ui’s identity IDi, password PWi, biometrics BIOi, the server’s secret number x that is selected by the RC and the pre-shared secret key PSK that is between the RC and Sj. In this case,
will discover the complete connections between Ui and Sj; however, it is a computationally infeasible problem to invert the input from a given hash value, i.e.,
, ∀ϵ > 0. Then, we have
, since
depends on
. As a result, there is no way for
to discover the complete connections between Ui and Sj, and, by deriving (IDi,PWi,BIOi,yi,x,PSK), our proposed scheme is provably secure against an adversary.
Functional and performance analysis
In this section, we evaluate the functionality the computational costs comparisons between our proposed scheme and the other related schemes [18–23].
Functional analysis
Table 5 lists the functionality comparisons of our proposed scheme with the other related schemes. The table shows that the proposed scheme achieves all of the security and functionality requirements and is more secure than the other related schemes.
Performance anaylsis
For the performance comparison, the definitions of TE and TH are the performance times of a symmetric encryption/decryption operation and a hash function, respectively. Recently, Xue and Hong [31] estimated the running time of different cryptographic operations whereby TE is nearly 0.45 ms on average, and TH is below 0.2 ms on average in the environment (CPU: 3.2 GHz, RAM: 3.0 G). Table 6 shows a comparison of the computational costs of the proposed scheme with the other related schemes. In the performance comparison, the proposed scheme requires a greater amount of computation to accomplish mutual authentication and the key agreement than Chuang et al.’s scheme as the proposed scheme performs four further hash operations; however, these operations consume a very small amount of time.
Conclusion
In this paper, we analyzed the security weaknesses of a biometrics-based authentication scheme for multi-server environments by Lu et al. Lu et al. claimed that their authentication scheme is secure and provides user anonymity; however, we found that Lu et al.’s scheme is still insecure against outsider attacks and impersonation attacks. To resolve these security vulnerabilities, we proposed an improved protocol for an authentication scheme that retains the merits of Lu et al.’s scheme and also achieves a comprehensive security. The security analysis of this paper explains that the proposed scheme rectifies the weaknesses of Lu et al.’s scheme.
Acknowledgments
All authors, especially the corresponding author Dongho Won, would like to thank the anonymous reviewers for their time and invaluable comments and suggestions on this paper.
Author Contributions
Conceived and designed the experiments: JM YC JJ DW. Performed the experiments: JM YC JJ. Analyzed the data: JM YC DW. Contributed reagents/materials/analysis tools: JM DW. Wrote the paper: JM YC JJ DW. Designed the scheme: JM YC DW. Proved the security of the scheme: JM YC.
References
- 1. Lamport L. (1981) Password authentication with insecure communication. ACM Communication. 24(11): 770–772.
- 2. Sun DZ, Huai JP, Sun JZ, Li JX, Zhang JW, Feng ZY. (2009) Improvements of Juang’s password authenticated key agreement scheme using smart cards. IEEE Transactions on Industrial Electronics. 56(6): 2284–2291.
- 3. Jeon W, Kim J, Nam J, Lee Y, Won D. (2012) An enhanced secure authentication scheme with anonymity for wireless environments. IEICE Transactions on Communications. 95(7):2505–2508.
- 4. Nam J, Choo K-KR, Kim J, Kang H, Kim J, Paik J, Won D. (2014) Password-only authenticated three-party key exchange with provable security in the standard model. The Scientific World Journal. Article ID 825072.
- 5. Kim J, Lee D, Jeon W, Lee Y, Won D. (2014) Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks. Sensors. 14(4):6443–6462. pmid:24721764
- 6. Nam J, Choo K-KR, Paik J, Won D. (2015) An offline dictionary attack against abdalla and pointcheval’s key exchange in the password-only three-party setting. IEICE Transactions on Fundamentals of Electronics. 98(1):424–427.
- 7. Son K, Han D, Won D. (2015) Simple and provably secure anonymous authenticated key exchange with a binding property. IEICE Transactions on Communications. 98(1):160–170.
- 8. Nam J, Choo K-KR, Han S, Kim M, Paik J, Won D. (2015) Efficient and anonymous two-factor user authentication in wireless sensor networks: achieving user anonymity with lightweight sensor computation. PLoS One. 10(4):e0116709. pmid:25849359
- 9. Lu YR, Li LX, Yang YX. (2015) Robust and efficient authentication scheme for session initiation protocol. Mathematical Problems in Engineering. Article ID 894549, 9 pages.
- 10. Lu YR, Li LX, Peng HP, Yang YX. (2015) An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem. Journal of Medical Systems. 39(3):1–8.
- 11. Lu YR, Li LX, Peng HP, Yang YX. (2015) A biometrics and smart cards based authentication scheme for multi-server environments. Security and Communication Networks.
- 12. Lu YR, Li LX, Peng HP, Xie D, Yang YX. (2015) Robust and efficient biometrics based password authentication scheme for telecare medicine information systems using extended chaotic maps. Journal of Medical Systems. 39(6):1–10.
- 13. Choi Y, Nam J, Lee D, Kim J, Jung J, Won D. (2015) Security enhanced anonymous multi-server authenticated key agreement scheme using smart cards and biometrics. The Scientific World Journal. Article ID 281305, 15 pages.
- 14. Tsai JL. (2008) Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers & Security. 27(3–4):115–121.
- 15. Lu RX, Lin XD, Zhu HJ, Liang XH, Shen XM. (2012) BECAN: a bandwidth-efficient cooperative authentication scheme for filtering injected false data in wireless sensor networks. IEEE Transactions on Parallel and Distributed Systems. 23(1):32–43.
- 16. Liao YP, Wang SS. (2009) A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces. 31(1):24–29.
- 17. Lee CC, Lin TH, Chang RX. (2011) A secure dynamic ID based remote user authentication scheme for multiserver environment using smart cards. Expert Systems with Applications. 38(11):13863–13870.
- 18. Li X, Ma J, Wang WD, Liu CL. (2013) A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling. 58:85–95.
- 19. Xue KP, Hong PL, Ma CS. (2014) A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. Journal of Computer and System Sciences. 80:195–206.
- 20. Lu YR, Li LX, Peng HP, Yang X, Yang YX. (2015) A lightweight ID based authentication and key agreement protocol for multi-server architecture. International Journal of Distributed Sensor Network. Article ID 635890, 9 pages.
- 21. Chuang MC, Chen MC. (2014) An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications. 41:1411–1418.
- 22. Mishra D, Das AK, Mukhopadhyay S. (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Systems with Applications. 41(18):8129–8143.
- 23. Lu YR, Li LX, Yang X, Yang YX. (2015) Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS One. 10(5):e0126323. pmid:25978373
- 24.
Canetti R, Krawczyk, H. (2001) Analysis of key-exchange protocols and their use for building secure channels. Proceedings of EUROCRYPT 2001, Heidelberg, Berlin. pp. 453–474.
- 25. Odelu V, Das AK, Goswami A. (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security. 10(9):1953–1966.
- 26. Messerges T, Dabbish E, Sloan R. (2002) Examining smartcard security under the threat of power analysis attacks. IEEE Transactions on Computers. 51(5):541–552.
- 27. Burrow M, Abadi M, Needham R. (1990) A logic of authentication. ACM Transactions on Computer System. 8(1):18–36.
- 28. Zhao DW, Peng HP, Li LX, Yang YX. (2013) A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wireless Personal Communication. 78(1):247–269.
- 29. Das AK. (2013) A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Networking Science. 2(1–2):12–27.
- 30. Das AK, Paul NR, Tripathy L. (2012) Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Information Sciences. 209:80–92.
- 31. Xue K, Hong P. (2012) Security improvement on an anonymous key agreement protocol based on chaotic maps. Communication Nonlinear Science Numererical Simulation. 17(7):2969–2977.