Advertisement
Browse Subject Areas
?

Click through the PLOS taxonomy to find articles in your field.

For more information about PLOS Subject Areas, click here.

  • Loading metrics

Open Access

Peer-reviewed

Research Article

Security enhanced multi-factor biometric authentication scheme using bio-hash function

Abstract

With the rapid development of personal information and wireless communication technology, user authentication schemes have been crucial to ensure that wireless communications are secure. As such, various authentication schemes with multi-factor authentication have been proposed to improve the security of electronic communications. Multi-factor authentication involves the use of passwords, smart cards, and various biometrics to provide users with the utmost privacy and data protection. Cao and Ge analyzed various authentication schemes and found that Younghwa An’s scheme was susceptible to a replay attack where an adversary masquerades as a legal server and a user masquerading attack where user anonymity is not provided, allowing an adversary to execute a password change process by intercepting the user’s ID during login. Cao and Ge improved upon Younghwa An’s scheme, but various security problems remained. This study demonstrates that Cao and Ge’s scheme is susceptible to a biometric recognition error, slow wrong password detection, off-line password attack, user impersonation attack, ID guessing attack, a DoS attack, and that their scheme cannot provide session key agreement. Then, to address all weaknesses identified in Cao and Ge’s scheme, this study proposes a security enhanced multi-factor biometric authentication scheme and provides a security analysis and formal analysis using Burrows-Abadi-Needham logic. Finally, the efficiency analysis reveals that the proposed scheme can protect against several possible types of attacks with only a slightly high computational cost.

Citation: Choi Y, Lee Y, Moon J, Won D (2017) Security enhanced multi-factor biometric authentication scheme using bio-hash function. PLoS ONE 12(5): e0176250. https://doi.org/10.1371/journal.pone.0176250

Editor: Muhammad Khurram Khan, King Saud University, SAUDI ARABIA

Received: January 26, 2017; Accepted: April 8, 2017; Published: May 1, 2017

Copyright: © 2017 Choi et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No.R0126-15-1111, The Development of Risk-based Authentication Access Control Platform and Compliance Technique for Cloud Security).

Competing interests: The authors have declared that no competing interests exist.

Introduction

Distributed, networked system’s allow users to efficiently access resources at their convenience. Web services such as on-line shopping and Internet banking have become common in today’s technological world, and this has given rise to serious demand for remote authentication processes that ensure transactions between users and servers are secure. In various server environments, user authentication schemes are required to implemented elevated levels of ownership. The first password-based scheme was introduced by Lamport in 1981, and since then, various studies have been carried out on the security, efficiency, and costs of authentication schemes. Existing remote authentication schemes are mainly implemented using a public key system, and in most cases, these can be divided into traditional certificate-based authentication schemes and identity-based authentication schemes according to the type of evidence they adopt for authentication. [19].

Various identity-based schemes have been proposed to provide secure, efficient, and practical authentication. One class is based on a pairing operation, which is practical but inefficient since a high computational cost is needed to carry out the pairing operation. The second is based on a particular hash function through which identity information is mapped to a point on an elliptic curve, resulting in a complicated structure. The third is a direct ID-based scheme that uses a general cryptographic hash function with a structure that is more simple than that of the second class. Due to this structure’s simplicity, authentication can be accomplished only through a three-way handshake. However, it is still easy for a malicious person to cary out an attack. When all of the problems of the three categories mentioned above are taken into account, secure direct identity-based authentication schemes provide the optimum design for mobile device users and real-time applications. [1020].

Recently, identity-based authentication schemes with a hash function were further divided into three categories according to the methods used in the authentication procedure: (1) knowledge-based scheme, (2) object-based scheme, and (3) biometrics-based scheme. However, each type has its own outstanding performance and limitations [2137]:

  • knowledge-based authentication is simple, convenient, and efficient, but it is weak to information leaks to malicious persons due to the adoption of a password,
  • object-based authentication, based on the physical possession of a device such as a smart card, allows an adversary to impersonate legitimate users in a situation where the smart card is lost,
  • biometrics-based authentication shows better results than the two types described above. The biometric keys, such as fingerprints or facial features, cannot be lost and forgotten. However, biometric samples, such as facial images, can be captured in various system databases, so biometric keys can remain insecure.

Multi-factor biometric authentication combines the use of a password, biometrics, and smart card protection to improve security and prevent various types of attacks, and it is not affected by the aforementioned defects. Such schemes have recently become a focal point of research, mainly reflected in the work put forward by various researchers. In 2010, Li and Hwang proposed a novel scheme using identity and a public key system, and then Das extended the work of Li et al. and made improvements to their weak scheme in 2011. Younghwa An showed that Das’s proposed protocol failed to achieve mutual authentication for the server and user in 2012. However, Younghwa An allows for an adversary to masquerade as a legal server or as a user since mutual authentication is not provided. Cao and Ge attempted to improve on Younghwa An’s scheme, but their scheme also has various security problems. We show that Cao and Ge’s scheme is vulnerable to a biometric recognition error, slow wrong password detection, off-line password attack, user impersonation attack, ID guessing attack, a DoS attack, and also lacks session key agreement. This study then proposes a scheme to provide improved security by resolving the issues inherent to Cao and Ge’s scheme [3844].

The remainder of this paper is organized as follows. Section 2 briefly introduces related work on the bio-hash function and smart card information to help better understand the details of this paper. Section 3 briefly introduces Cao and Ge’s scheme. Section 4 mainly discusses its weaknesses. Section 5 describes countermeasures to solve its problems. Section 6 details the countermeasures to protect against all attacks. Section 7 is devoted to a formal security analysis of the modified scheme by using Burrows-Abadi-Needham logic (BAN-logic), and it compares the results of a security analysis and efficiency analysis with the modified scheme and some existing authentication schemes. The results indicate that the modified scheme has a slightly high computational cost and can protect against several possible attacks. Section 8 then concludes this paper.

Related works

In this section, the adversary’s capability, bio-hash function and information for a smart card are explained to have a better understanding of the content of this paper.

Adversary’s capability

In this paper, we assume the following about a probabilistic, polynomial-time adversary to properly capture the security requirements of a multi-factor biometric authentication scheme that uses smart cards during the registration phase, password change phase, and login and authentication phase [45].

  • The adversary is able to have complete control over all message exchanges between the protocol participants, including a user and a server. That is, the adversary can intercept, insert, modify, delete, and eavesdrop on messages exchanged among the two parties at will.
  • The adversary can (1) extract sensitive information from the smart card of a user through a power analysis attack or (2) determine the user’s password, possibly via shoulder-surfing or by employing a malicious card reader. However, the adversary cannot compromise both the information of the smart card and the password of the user. It is otherwise clear that there is no way to prevent the adversary from impersonating the user if both factors have been compromised.

Bio-hash function

A hash function refers to a one-way transformation function. The hash function takes an arbitrary input and returns a string with a fixed size, which is referred to as a hash value or as a message digest.

Due to the peculiarity and ability of biometrics to differentiate a particular person from others, various systems have adopted methods to solve authentication and verification problems. However, a small change in biometric data (a little information missing from the biometric, noise, or a change in the order of the data input) may result in a momentous change in the hash value due to the uncertainty inherent to the retrieval of biometric features. In other words, general hash functions result in large differences due to slight differences in input, and recognition errors easily result from slight biometric changes. To resolve this problem, a bio-function system is proposed and studied. In various studies on bio-hashing systems, the bio-hash function must adhere to the following properties:

  • similar biometric information should have similar hash values,
  • different biometric information should not have similar hashes,
  • rotation and translation of the original template should not have a substantial impact on hash values,
  • partial biometric information (with missing core and delta) should be matched if sufficient detailed matters are present.

The hash function’s certain class can be formulated to be everlasting to the order in which the input pattern is presented to the hash function, and such hash functions are known as bio-hash function or symmetric hash. So, the bio-hash function can resolve the recognition error of general hash function and can authenticate a legal user even if the user’s biometric information changes a little [46, 47].

Smart card information

Various researchers have shown that physically monitoring the power consumption can extract confidential information stored in all smart cards, such as by using a simple power analysis and a differential power analysis. When a user forgets an own smart card, an adversary can analyze it and extract all information stored within. Variations of such schemes are weak to password acquisition attacks off-line where an adversary can be authenticated to the server without separately obtaining the user’s information for login and authentication, such as their ID, password and biometrics. Therefore, the security-enhanced authentication scheme needs to be studied even if all the information of a user’s smart card is revealed [48, 49].

Review of Cao and Ge’s authentication scheme

The process for Cao and Ge’s authentication scheme is reviewed before conducting the security analysis. Their scheme includes three phases: registration phase, password change phase, and login and authentication phase. The server Si stores a secret value Xs and a user account database, which includes the legal user’s authentication information [50]. For convenience, the notation used throughout this paper are summarized in Table 1.

thumbnail
Download:
Table 1. Notation.

https://doi.org/10.1371/journal.pone.0176250.t001

Registration phase

This phase is the first to be performed once the Ui registers itself with the server Si. Fig 1 describes the registration phase for Cao and Ge’s scheme.

thumbnail
Download:
Fig 1. Registration phase for Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g001

  1. (R1). Ui selects IDi, PWi and imprints its own Bi, and generates K. Then, Ui sends the identity IDi, password information (PWiK), and biometric information (BiK) to the server Si by using a secure channel.
  2. (R2). Si computes fi = h(BiK), ri = h(PWiK) ⊕ fi, and ei = h(IDiXs) ⊕ ri.
  3. (R3). Si creates an entry for user IDi and stores ni on this entry in database. Then, Si computes EIDi = h(IDi)‖ni and stores EIDi to the entry.
  4. (R4). Si computes vi = h(PWiBiXs).
  5. (R5). Si sends a smart card to Ui. It contains 〈EIDi, h(⋅), fi, ei, ni〉 using a secure channel. Then Ui stores K in the smart card.

Password change phase

The password change phase is carried out when Ui wants to change the password or the smart card is lost. Fig 2 describes the password change phase on Cao and Ge’s scheme.

thumbnail
Download:
Fig 2. Password change phase on Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g002

  1. (RR1). Ui submits the IDi to Si, password information (PWiK′), and biometric information (BiK′) via a secure channel, K′ is the new random number.
  2. (RR2). Si computes and compares with vi in the account database. If they are not the same, this phase is terminated.
  3. (RR3). Otherwise, Si computes ninew = ni+1. Then, Si performs the following computations; finew = h(BiK′), rinew = h(PWiK′) ⊕ finew, einew = h(IDiXs) ⊕ rinew.
  4. (RR4). Si sends Ui a new smart card that contains 〈EIDi, h(⋅), finew, einew, ninew〉 by using secure channel. Then Ui stores the random number K′ in the smart card.

Login and authentication phase

Ui executes the following steps when Ui wants to authenticate remote Si. Fig 3 describes the login and authentication phase on Cao and Ge’s scheme.

thumbnail
Download:
Fig 3. Login and authentication phase for Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g003

  1. (L1). Ui imprints Bi using a biological feature extraction device, and it computes the information h(BiK) using K stored in the smart card. Ui can proceed only if h(BiK) matches fi.
  2. (L2). Ui inputs the IDi and PWi and then, the smart card computes
  3. (L3). The login request message 〈EIDi, M2, M3〉 is then sent from Ui to Si.

The server Si executes the authentication phase when the message is received.

  1. (A1). Si makes sure that EIDi satisfies the original format using the database entry and checks the IDi for the authentication phase.
  2. (A2). If the IDi is valid when compared with database of Si, Si computes
  3. (A3). If M3 is the same as h(M4M5), Si computes Then, Si sends the message 〈M6, M7〉 to Ui.
  4. (A4). Ui computes M8 and verifies whether M7 = h(M1M8) or not. If they are equal, Ui calculates M9.
  5. (A5). Ui sends the message 〈M9〉 to Si.
  6. (A6). After receiving 〈M9〉, Si makes sure that M9 is equal to M10 = h(M4M5Rs) and then accepts the user’s login request. Si sends M10 to Ui.
  7. (A7). Upon receiving 〈M10〉, Ui makes sure that M10 is equal to h(M1RcM8) and then regards Si as a legal server.

Cryptanalysis of Cao and Ge’s authentication scheme

We analyze Cao and Ge’s authentication scheme and identify various security vulnerabilities, including a biometric recognition error, slow wrong password detection, off-line password attack, user impersonation attack, ID guessing attack, DoS attack, and a lack of session key agreement.

Biometric recognition error

Cao and Ge’s authentication scheme only uses a general hash function to provide checking biometrics. However, the hash function has a property that causes a slight difference in the input data to result in a very large difference in the output data. Fig 4 describes the biometric recognition error in Cao and Ge’s scheme. The output of the imprinted biometrics is not always constant, so biometrics generally have instances of false acceptance and false rejection. Therefore, even when Ui imprints biometrics in the device, it is possible to output a different . Therefore, the same user can generate a different output, such as that with Bi during the registration phase and during the login phase. The differences between Bi and can result in big differences in fi and , and this difference between fi and results in a biometric recognition error in the login phase. Therefore, a normal user does not pass the user biometric verification stage because the smart card compares the computed to fi, which is stored within the smart card. Therefore, even though Ui imprints his/her own biometrics, a biometric recognition error can occur. Thus, the smart card needs to be implemented using more advanced techniques, such as a bio-hash function, to improve the biometrics verification process [51].

thumbnail
Download:
Fig 4. Biometric recognition error on Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g004

Slow wrong password detection

Slow wrong password detection refers to instances in which the user cannot know of a mistake immediately when inputing the wrong password, and the user can know when server Si notifies there is a wrong user password. In Cao and Ge’s authentication scheme, the user’s smart card cannot verify the accuracy of the user password during the login phase. Only Si verifies a legal user by comparing the similarities between M3 and h(M4M5) during authentication phase. Fig 5 specifically describes how slowly the wrong password is detected in Cao and Ge’s scheme. Concretely, Ui inputs IDi and PWi after the biometric verification, then if Ui selects a wrong password , the smart card is unaware that the password is incorrect. The smart card does not check the , and it only computes various values using for login and authentication. The smart card then sends .

thumbnail
Download:
Fig 5. Slow wrong password detection on Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g005

Si is unable to immediately confirm the wrong password after receiving the messages . First, Si verifies the received EIDi using EIDi in the database, and then computes M4 = h(IDiXs) and . Then, because is same as , Si eventually confirms that the received messages are not normal, and maybe Ui could have input the wrong password. Basically, Si sends the wrong password notification to Ui. In detail, Cao and Ge’s scheme requires a lengthy phase that includes value computation and message transmission before confirming that the user input the wrong password. Therefore, a smart card is needed to provide a fast wrong password detection technique during login. When Ui inputs the wrong password during the login phase, the smart card needs to quickly identify the incorrect password and should immediately notify Ui of the mistake.

Off-line password attack

In Cao and Ge’s scheme, an adversary can compute the user’s password by using public messages and the user’s smart card, obtaining M2 and M3 from public messages between the user and the server. Fig 6 provides a detailed description of the off-line password attack for Cao and Ge’s scheme. Kocher et al. and Messerges et al. claim that the all confidential information that is generally stored in smart cards could be extracted through various forms, such as monitoring the power consumption. Therefore, if a user loses a smart card, all of the information in the smart card can be revealed by an adversary. The smart card stores various types of information, including user login and authentication, so the adversary can acquire the ei, fi, K, and hash function h(⋅) values from the user’s smart card. The adversary knows the formula for all values used in Cao and Ge’s scheme as follows: The adversary uses the determined values, messages, and formula to compute the M3 formula, as follows: The adversary then knows all values in this formula, except for PWi. Therefore, the adversary can easily determine the user’s password PWi by mounting an off-line password guessing attack because the password PWi is not long enough and has a low level of entropy. If the adversary knows the PWi, various attacks can be facilitated by using the user’s password. Therefore, the password needs to be protected by using other values that are not stored in the smart the card with a high entropy, such as biometric information [52].

thumbnail
Download:
Fig 6. Off-line password attack on Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g006

User impersonation attack

In Cao and Ge’s scheme, an adversary can be authenticated with the server by using the user’s smart card and the password without access to the user’s biometric information. Fig 7 describes in detail a user impersonation attack for Cao and Ge’s authentication scheme. In further detail, when an adversary obtains or steals a user’s smart card and figures out the user’s password, the legitimate user can be easily impersonated. In section 1, an adversary is shown to compute the user’s password by using a smart card and public messages. Therefore, this scheme is critically deficient in that the adversary can be authenticated by the server without the user’s biometrics.

thumbnail
Download:
Fig 7. User impersonation attack on Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g007

As described in Fig 6, the adversary can illegally extract all values including Ki, fi, ei, and EIDi from the user’s smart card by monitoring the power consumption. It then computes PWi using an off-line password attack computing ri using PWi, Ki, fi as follows:

Even if Ui successfully executes the password change process, the adversary can still use these to impersonate a legal user, authenticate Si without knowing the Bi values, and then compute normal authentication messages using ri, ei, EIDi as follows:

After Si receives the messages , and , then, Si checks the legitimacy of the messages. However, Si cannot distinguish between a normal M9 and an abnormal M9 because the adversary used accurate values like h(IDiXs), but the adversary normally computes h(IDiXs) using ri, ei.

Then, Si sends the authentication messages 〈EIDi, M6, M7〉 for Ui. These are then used by the adversary to compute the next authentication message for Si as follows,

Next, Si checks that the received is the same as . However, Si cannot distinguish it from a normal M9 because the adversary uses accurate values like M1h(IDiXs) and , which is used for . Then, Si accepts the login request for the adversary.

The adversary can be authenticated at Si because he determined EIDi, ei and ri through an off-line password attack, so Si cannot distinguish between the adversary and a legitimate user. Since the user’s biometric information is not used during the login and authentication phase, Si authenticates the adversary as a normal user. Si cannot store and check the password and biometric information during the login and authentication phase due to the user’s privacy. Thus, to solve this problem, it is necessary to modify the way in which the authentication values h(IDiXs) are computed for the user. This value cannot be stored on the smart card, and it can only be computed by a legitimate user when the user simultaneously inputs the password and biometrics during the login and authentication phase.

ID guessing attack

Cao and Ge’s authentication scheme uses EID to protect the user’s IDi in order to ensure user anonymity during public communication. However, the adversary can determine the user’s IDi by using the user’s smart card and the public communication message EIDi. Fig 8 describes in detail how to compute the user’s IDi for Cao and Ge’s authentication scheme.

thumbnail
Download:
Fig 8. ID guessing attack on Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g008

When an adversary obtains or steals a user’s smart card, he can extract EIDi, ni and h(⋅). Then, the adversary can compute the user IDi from the formula EID = h(ID)‖ni because he knows all values except for the IDi. In general, a user IDi has a low entropy so the adversary is able to easily compute the user IDi. Basically, if an adversary fails to extract EIDi from the smart card, he can acquire EID from public communication. Therefore, even though the adversary extracts ni and h(⋅) from the user’s smart card, he can determine the IDi from EID = h(ID)‖ni. The user’s IDi can be used for another attack, and therefore, the user’s IDi needs to be protected using another value that the adversary cannot determine from the user’s smart card or from public communication.

Vulnerability to a DoS attack

A DoS attack is such where an adversary attempts to make a server or network resource become unavailable to prevent legitimate users from accessing the normal service. Although there are various ways to accomplish a DoS attack, the server’s system or configuration have to prepare for defenses against it. However, in Cao and Ge’s scheme, an adversary can execute a DoS attack without difficulty. Fig 9 describes the DoS attack for Cao and Ge’s authentication scheme.

thumbnail
Download:
Fig 9. Vulnerability to a DoS attack on Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g009

An adversary can collect the previous messages 〈EIDpi, Mp2, Mp3〉 from a legitimate user Ui and a server Si. Then, the adversary sends the messages to Si without modification. The Si unavoidably executes all operations of (2) and sends the (3) messages 〈EIDpi, M6, M7〉 to the Ui. This is the reason why Si cannot verify the freshness of the (1) messages 〈EIDpi, Mp2, Mp3〉. This operation involves the generation of a random nonce once, executing the hash function twice, calculating the exclusive-or operation twice, conducting the similarities checking function twice, and then, sending (3) messages 〈EIDpi, M6, M7〉.

Therefore, the adversary can easily attempt to carry out a DoS attack targeting the server to see if he can obtain an intercepted number from a previous messages. Cao and Ge’s scheme does not check the freshness of an authentication message. Therefore, when an adversary sends previous authentication messages to Si, Si cannot verify whether the received messages are current or not, and Si is obligated to execute various operations. In order to defend against a DoS attack, this scheme needs to check the freshness of the messages by considering the timestamps.

Lack of session key agreement

In general, the session key refers to a symmetric key that is used to encrypt all messages in the communication session. Therefore, it can be computed and used for secure communications among communication members after successfully finishing the authentication phase. Fig 10 describes in detail the lack of session key agreement for Cao and Ge’s authentication scheme. As described in Fig 10, Ui and Si finally authenticate each other using M9 and M10, and then they are accepted and regarded to be legal members. However, secure communication between M9 and M10 is not provided because these do not have a session key after all phases have finished. Therefore, it is necessary to modify the login and authentication phase to provide session key agreement. Moreover, to ensure the security of the scheme, the session key has to be changed for each session and must be secured against various forms of attack.

thumbnail
Download:
Fig 10. Lack of session key agreement on Cao and Ge’s authentication scheme.

https://doi.org/10.1371/journal.pone.0176250.g010

Countermeasures

The reason why Cao and Ge’s scheme is vulnerable to the biometric recognition errors is that,

  • even if the same user inputs his/her own biometrics to a scanner device, this device can generate slightly different outputs due to the general characteristics of the biometric information;
  • the general hash function produces very large differences in the output data from slight differences in the input data.

Thus, a general hash function results in a legal user failing during the login phase when using his/her own biometrics. To prevent a biometric recognition error, we suggest modifying the registration phase from 〈IDi, PWiK, BiK〉 to H(⋅) is a bio-hash function that produces consistent output for the same biometric information, even if the user’s biometric input is slightly different. So, during the login phase, the values need to be modified from fi = h(BiK) to

However, by only modifying the scheme to use a bio-hash function, Cao and Ge’s authentication scheme is still vulnerable to the slow detection of a wrong password. This type of problem results from,

  • the smart card not checking the user’s password during the login phase;
  • the server can confirm whether a user inputs the wrong password and computes the wrong M3 during the authentication phase only after extensive computations;

Adding a password verification step during the login phase is suggested to solve the slow wrong password detection problem. Thus, the computations are modified for fi from fi from fi = h(H(Bi) ⊕ K) to

However, even with the fi modified above, an off-line password attack can still be carried out. This vulnerability is due to the fact that;

  • an adversary can know and compute all formulas and values except for PWi;
  • it is necessary to check PWi with values, which the adversary cannot know and compute, such as H(Bi);

Since we check the user’s password in fi, we suggest modifying ri from ri = h(PWiK) ⊕ fi to

With such a modification, we can also defend against a user impersonation attack because the adversary cannot impersonate the user without the user’s password. In other words, the adversary cannot compute ri without PWi and then figure out h(IDiXs) to conduct a user impersonation attack due to the lack of a legal M1.

Next, the possible mechanism to eliminate the vulnerability in Cao and Ge’s scheme for an ID guessing attack is presented. This vulnerability is due to the fact that,

  • the adversary can obtain the user’s IDi from EIDi using the value ni stored in the user’s smart card.
  • Even if EIDi is a public communication message, Cao and Ge’s scheme does not provide sufficient protection for EIDi.

To address to the problem on ID guessing attack, we suggest modifying EIDi from EIDi = h(IDi)‖ni to

h(IDiXs) is not stored in a smart card, and it can be easily computed by Si. Even if the adversary knows EIDi and ni, he cannot compute IDi from EIDi due to the ignorance on h(IDiXs).

However, with the modifications explained above, Cao and Ge’s scheme is still vulnerable to a DoS attack. The cause for this vulnerability on DoS attacks is that.

  • Ui and Si perform all operations without checking the freshness of the received authentication messages.
  • Moreover, Si unwillingly executes extensive computations per message before Si discovers the fault of the received authentication message.

To address the vulnerability of the DoS attack, we suggest using timestamps (T1, T2, T3, T4) and adding them to the authentication messages. So we propose to modify the computations for M3, M3, M3, and M10 from M3 = h(M1Rc), M7 = h(M4Rs), M9 = h(M1RcM8), M10 = h(M4M5Rs) to

In advance, all transmission messages need to include timestamps to check the freshness, such as from 〈EIDi, M2, M3〉 to

T1 and M3 are thus computed by a legal user, and the adversary cannot compute M3 without T1, which is current and matched with M3. So Si can check the message freshness using T1, and Si can verify the the message integrity and freshness by easily checking M3 = h(M1RcT1). In this manner, it is possibly to effectively prevent the DoS attack.

Finally, the problem regarding a lack of a session key is resolved by adding a session key agreement during the login and authentication phase. The session key needs to change for every session in order to enhance the security of the authentication scheme, so computing the session key agreement is proposed as follows; For the session key agreement, h(IDiXs), Rc and RS are computed only by the legal user and the server. T3 and T4 can be used to confirm the freshness of the session key. Therefore, this session key can change every session and can prevent various attacks.

Security enhanced multi-factor biometric authentication scheme

To solve the problems inherent to Cao and Ge’s scheme, a security enhanced multi-factor biometric authentication scheme is proposed and divided into three phases: registration phase, password change phase, and login and authentication phase. Before our scheme is executed, Si generates the server’s secure value Xs for security.

Registration phase

The registration phase of the proposed scheme is described in Fig 11. Ui needs to perform the registration phase with Si by using a secure channel.

thumbnail
Download:
Fig 11. Registration phase for the proposed scheme.

https://doi.org/10.1371/journal.pone.0176250.g011

  1. (R1). Ui selects IDi, PWi; imprints the biometric impression Bi; and generates K. Ui sends the identity IDi, h(PWi) ⊕ K using the general hash function, and H(Bi) ⊕ K using bio-hash function to Si through a secure channel.
  2. (R2). After receiving these, Si computes fi, ri, and ei as follows;
  3. (R3). Then, Si creates an entry of database for the user IDi and generates ni.
  4. (R4). Si computes EIDi and vi as below, then Si stores EIDi, IDi, ni, vi for IDi as an entry in a database.
  5. (R5). Si sends a smart card to Ui. The smart card contains 〈h(⋅), H(⋅), fi, ei, ni〉 through a secure channel. Then Ui stores K in the smart card.

Password change phase

For the proposed scheme, the password change phase is executed when Ui loses the smart card or wants to update the password. In order to change the password, Ui sends both the old password PWi and new password PWinew. Fig 12 describes the password change phase for the proposed scheme.

thumbnail
Download:
Fig 12. Password change phase for the proposed scheme.

https://doi.org/10.1371/journal.pone.0176250.g012

  1. (RR1). Ui selects and inputs IDi, PWi, and PWinew. Ui imprints its own biometric impression Bi and generates a new random value K′. Then, Ui submits 〈IDi, h(PWi) ⊕ K′, h(PWinew) ⊕ K′, H(Bi) ⊕ K′〉 to Si through a secure channel.
  2. (RR2). After Si receives these, Si checks the database for the ID, and acquires the user’s data including EIDi, IDi, ni, and vi. Then, Si computes and compares with vi in the database.
  3. (RR3). Si sets ninew = ni + 1. Then, Si carries out the computations as follows:
  4. (RR4). Si computes EIDinew = h(IDih(IDiXs)‖ninew), then Si stores EIDinew, IDi, ninew for IDi to the entry of database.
  5. (RR5). Si sends a new smart card to Ui that contains 〈h(⋅), H(⋅), finew, einew, ninew〉 by using a secure channel. Then Ui stores a new K′ in the smart card.

Login and authentication phase

Fig 13 describes the login and authentication phase for the proposed scheme. Ui executes the following steps when Ui wants to authenticate a remote Si. In this phase, the smart card checks the legitimacy of the user using IDi, PWi and Bi.

thumbnail
Download:
Fig 13. Login and authentication phase for the proposed scheme.

https://doi.org/10.1371/journal.pone.0176250.g013

  1. (L1). Ui inputs the IDi and PWi; Ui imprints Bi using a biological feature extraction device; computes h(PWi) using the general hash function and H(Bi) using the bio-hash function. Then, the smart card computes fi, and is verified as follows,
  2. (L2). If they are the same, Ui generates the current timestamp Ti and a random number Rc. Then, Ui computes ri, M1, M2, M3, EIDi using the user’s input values and the smart card storing values as follows;
  3. (L3). Ui sends the login request message 〈EIDi, M2, M3, T1〉 to Si.

The server Si executes the authentication phase when the message is received.

  1. (A1). Si checks that the EIDi satisfies the original format.
  2. (A2). If the IDi is valid when compared with the user’s entry in the database in Si, Si computes M4 and M5, and then verifies M3 as follows,
  3. (A3). If M3 is accurate, Si generates the current timestamp T2 and computes M6 and M7. Then, Si sends the message 〈EIDi, M6, M7, T2〉 to Ui.
  4. (A4). Ui computes M8 = M6M1 and verifies whether M7 = h(M1M8T2) or not. If they are equal, Ui generate a timestamp T3 and computes M9. Then Ui computes sk as follows.
  5. (A5). Ui sends the message 〈M9, T3〉 to Si.
  6. (A6). After receiving 〈M9〉, Si verifies that M9 is equal to h(M4M5RsT3) and then accepts the user’s login request. Si computes M10 = h(M4M5RsT4) and sk. Then, Si sends 〈M10, T4〉 to Ui.
  7. (A7). After receiving 〈M10, T4〉, Ui verifies that M10 is equal to h(M1RcM8T4) and regards Si as a legal server.
  8. (A8). Therefore, Ui and Si share the same session key after all phases have finished.

Analysis

Several analyses were carried out to confirm that the proposed scheme with a bio-hash function improves the security of the authentication process. Ding Wang et al. analyzed various smart-card-based password authentication methods and introduced a good solution using the principle of the security-usability trade-off to prevent off-line password attacks. Ding Wang et al. proposed that a fuzzy verifier can resolve the trade-off between the security requirement of resistance to smart card loss attack and the usability goal of a local password change [3537].

In this paper, the proposed scheme uses a bio-hash function, which is similar to a fuzzy verifier to secure the system against various types of off-line guessing attacks. The proposed scheme is investigated by conducting a security analysis, a formal analysis, and an efficiency analysis. Then, the proposed scheme is compared to other authentication schemes, including Cao and Ge’s scheme. We follow a security definition with strong secret values (Bi, x) with a high entropy that cannot be guessed in polynomial time and a secure one-way hash function y = h(x). Given x to compute y is easy but y to compute x is much more difficult.

Security analysis

This section describes a security analysis to confirm the security of the proposed scheme.

  1. [Replay attack] In the proposed scheme, even if an adversary intercepts the messages like 〈EIDi, M2, M3, T1〉 and 〈M9, T3〉 over public communication and replays 〈EIDi, M2, M3, T1〉 to Si, he cannot authenticate with Si. First, it is hard for the adversary to respond within the allowable time for timestamp T1, and even though the adversary passes the time limit, he cannot execute the appropriate response for 〈EIDi, M6, M7, T2〉. The adversary has only the previous 〈M9, T3〉, which is not appropriate for the response because he cannot know the new Rc. Only a legal user can know the new Rc using h(IDiXs). Therefore, the adversary cannot succeed in the replay attack due to the timestamps and the lack of knowledge of h(IDiXs) [53].
  2. [Server masquerading attack] If an adversary wants to masquerade as a legal server, he has to send the appropriate response to the user’s request. When the user sends 〈M9, T3〉 to the adversary, he has to compute the appropriate 〈M10, T4〉 to look like a legal server. However, if the adversary wants to compute 〈M10, T4〉 using M9, T3 and T4, he has to know the Rc and h(IDXs). Only a legal server can compute 〈M10, T4〉 because the legal server stored Xs and Rc in the database and the adversary cannot know them. Therefore, the adversary cannot succeed in masquerading as a legal server.
  3. [Mutual authentication] Mutual authentication means that a user and a server authenticate each other. In the proposed scheme, Ui and Si authenticate each other by checking for a mutual random number, which is possible for a legal user and server because only they know h(IDiXs). Specifically, Si authenticates Ui according to the 〈M9, T3〉 that is received because only a legal Ui can compute M9 using Si’s M6. Ui authenticates Si by 〈M10, T4〉, and only the server can compute M10 from 〈M9, T3〉 because only the legal server can know the user’s random number Rc using h(IDiXs), Rc = M2h(IDiXs) [54].
  4. [Biometric recognition error] The proposed scheme uses a bio-hash function to prevent a biometric recognition error. Cao and Ge’s scheme uses a general hash function to verify the user’s biometrics, so a biometric recognition error happens as a result of the general hash function’s behavior. However, the proposed scheme uses a bio-hash function for the user’s biometric information because the bio-hash function provides consistent output for the same biometric information, even when a user’s biometrics are input a little differently.
  5. [Slow wrong password detection] Unlike Cao and Ge’s scheme, the proposed scheme can check the user’s password during the login phase. Therefore, it is possible to verify whether or not the user has input an accurate password. In the proposed scheme, when a user wants to login and authenticate on a server, he inputs his own IDi, PWi, and Bi. Using these, the smart card computes fi = h(IDih(PWi) ⊕ H(Bi)) and computes it with fi, which is stored in a smart card. If the user inputs the wrong password, the computed fi and stored fi will be different, so the user can immediately know whether he needs to input the correct password again.
  6. [Off-line password attack] An adversary can extract all information stored in the user’s smart card by using a side-channel attack, such as by physically monitoring the power consumption. However, in the proposed scheme, the user’s password is always used with the user’s IDi and the biometrics information H(Bi) like fi = h(IDih(PWi) ⊕ H(Bi). The user’s IDi is protected by EIDi = h(IDih(IDXs)‖ni). Moreover, Bi has a high entropy, so the adversary cannot carry out the computation. Therefore, even if the adversary extracts fi using a side channel attack, he cannot compute the user’s password because he cannot know both IDi and H(Bi).
  7. [User impersonation attack] To successfully carry out a user impersonation attack, an adversary needs to know the user’s h(IDiXi). In order to compute h(IDiXi), the adversary must know ri using fi and ei; fi = h(IDih(PWi) ⊕ H(Bi)), ei = h(IDiXs) ⊕ ri.

    However, ri is protected by h(H(Bi) ⊕ K), and the adversary cannot know H(Bi). Therefore the proposed scheme prevents a user impersonation attack.
  8. [ID guessing attack] Unlike for EIDi = h(IDini) in Cao and Ge’s scheme, the proposed scheme uses EIDi = h(IDih(IDiXs)‖ni) to protect the user’s IDi. An adversary can extract ni from the smart card and can obtain EIDi from public communications. However, if h(IDiXs) is not stored in a smart card and can only be easily computed by a legal Ui and Si, then the adversary cannot compute h(IDiXs). Therefore, even if the adversary knows EIDi and ni, he cannot compute IDi from EIDi due to the ignorance of h(IDiXs).
  9. [Vulnerability to a DoS attack] The proposed scheme checks the freshness of all messages using a timestamp T1, T2, T3, T4, so it is useless for an adversary to send the previous messages to the server. Moreover, Ui and Si authenticate each other using the messages including current timestamps; M3 = h(M1RcT1), M7 = h(M4RsT2), M9 = h(M1RcM8T3), M10 = h(M4M5RsT4). For example, Si can check the freshness and legality of M3 because M3 and the timestamp T1 do not match, even if the adversary sends the previous M3 with the current timestamp. Therefore, the proposed scheme is more secure than Cao and Ge’s authentication scheme against a DoS attack.
  10. [Lack of session key agreement] Cao and Ge’s authentication scheme does not provide a session key agreement, so it cannot establish secure communications with an encryption after all phases have finished. To resolve the problem of the lack of a session key, a session key agreement is provided during the login and authentication phase. In order to share the session key sk = h(h(IDiXs)‖RcRs|T2T3). h(IDiXs), Rc and RS are computed only by a legal Ui and Si. T2 and T3 can be used to confirm the freshness of the session key, and the session key of the proposed scheme can be changed at every session to prevent various forms of attack [55].

Table 2 shows a comparison of the security analysis for various multi-factor authentication schemes, including our proposed scheme [14, 38, 39, 50, 5658].

thumbnail
Download:
Table 2. Security analysis for various authentication schemes.

https://doi.org/10.1371/journal.pone.0176250.t002

Formal analysis

BAN logic (Burrows-Abadi-Needham logic) was introduced by Burrows M, and it has consistently drawn attention due to the simplicity and straightforwardness of the analysis of authentication schemes, and in this section, we analyze the proposed scheme using BAN-logic with symbols P and Q representing principals and X and Y representing statements. The main notation of the logic is presented in BAN’s paper and main inference rules. The analysis of an authentication scheme using the BAN-logic tool consists of four steps, and the formal analysis of the security of the proposed scheme is described as follows. The analysis shows that a session key can be generated correctly between the communicating parties during authentication. First, the notation of BAN logic being used in this scheme is introduced [5962].

  • P∣≡ X: The principal P believes statement X. This means that P believes that in the current run of the scheme, the statement X is true.
  • PX: The principal P sees the statement X, which means that P has received a message containing X.
  • P∣∼X: The principal P once said the statement X, which means that P∣≡X when P sent it.
  • PX: The principal P has jurisdiction over statement X. This means that P has complete control on the formula X.
  • : The formula X is fresh. This means that formula X has not been used before.
  • : P believes that the principal P and Q communicate with each other using K.
  • : K is shared secret information between P and Q. The secret key K is known only to P and Q, and K is a secret between both parties.
  • {X}K: The formula X is encrypted using the secret key K.
  • XK: The formula X is combined including the secret key K.
  • (X)K: The formula X is hashed including the secret key K.
  • sk: The session key used in the current session.

To describe the logical postulates of BAN logic, we present the following rules:

  1. Message-meaning rule: : if the principal P believes he/she shares the secret key K with Q, P sees the statement X hashed to include the K. Then P believes that Q once said X.
  2. Nonce-verification rule: : if principal P believes that X is fresh and P believes Q once said X, then P believes that Q believes X.
  3. The belief rule: : if principal P believes both X and Y, then P believes (X, Y).
  4. Freshness-conjuncatenation rule: : if principal P believes X is fresh, then P believes (X, Y) is fresh.
  5. Jurisdiction rule: : if principal P believes that Q has jurisdiction over X and P believes that Q believes X, then P believes X.

According to the analytic procedures of BAN logic and using previously described logical postulates, the proposed scheme needs to satisfy the following goals:

  • Goal 1: .
  • Goal 2: .
  • Goal 3: .
  • Goal 4: .

The generic type of proposed scheme is as follows:

  • Message 1.
    US: h(IDih(IDiXs)‖ni), h(IDiXs) ⊕ Rc, h(h(IDiXs)‖RcT1), T1
  • Message 2.
    SU: h(IDih(IDiXs)‖ni), h(IDiXs) ⊕ Rs, h(h(IDiXs)‖RsT2), T2
  • Message 3.
    US: h(h(IDiXs)‖RcRsT3), T3
  • Message 4.
    SU: h(h(IDiXs)‖RcRsT4), T4

The idealized form of proposed scheme is as follows:

  • Message 1. US: (IDi, ni)h(IDiXs), 〈Rch(IDiXs), (Rc, T1)h(IDiXs), T1
  • Message 2. SU: (IDi, ni)h(IDiXs), 〈Rsh(IDiXs), (Rs, T2)h(IDiXs), T2
  • Message 3. US:
  • Message 4. SU:

We make the following assumptions for the initial state of the protocol to analyze the proposed protocol:

  • A1: U ∣≡ ♯(T1)
  • A2: S ∣≡ ♯(T2)
  • A3: U ∣≡ ♯(T3)
  • A4: S ∣≡ ♯(T4)
  • A5:
  • A6:
  • A7:
  • A8:

The idealized form of the proposed protocol based on BAN logic rules and assumptions is analyzed. The main proofs are described as follows.

According to Message 3, we could obtain:

  • S1:
    According to the assumption A6 and the message meaning rule, we obtain:
  • S2:
    According to the assumption A3 and the freshness conjuncatenation rule, we can obtain:
  • S3:
    According to the assumption S2, S3 and the nonce verification rule, we obtain:
  • S4:
    According to S4, we apply the belief rule, we obtain:
  • S5: , We satisfy (Goal 3.
    According to the assumption A8, S5 and the jurisdiction rule, we can obtain the conclusion as follows:
  • S6: , We satisfy (Goal 1.

According to the message 4, we obtain:

  • S7:
    According to the assumption A5 and the message meaning rule, we obtain:
  • S8:
    According to the assumption A4 and the freshness conjuncatenation rule, we obtain:
  • S9:
    According to assumption S8, S9 and the nonce verification rule, we obtain:
  • S10:
    According to S10, we apply the belief rule, we obtain:
  • S11: , We satisfy (Goal 4.
    According to the assumption A7, S11 and the jurisdiction rule, we can obtain the conclusion as follows:
  • S12: , We satisfy (Goal 2.

Efficiency analysis

The computational costs of the modified scheme and others are calculated in Table 3. Th stands for the computation time of the hash function while the computation time for the exclusive OR operation TXOR does not appear in the table because it can be ignored when compared to Th.

thumbnail
Download:
Table 3. Computational costs.

https://doi.org/10.1371/journal.pone.0176250.t003

According to the results obtained in [63], Th needs a time of about 0.20 ms (Th ≈ 0.20 ms) on a system using 3.0 GB RAM with a Pentium IV 3.2 GHz processor. Table 4 shows the efficiency for various authentication scheme obtained through a simulation.

thumbnail
Download:
Table 4. Efficiency simulation.

https://doi.org/10.1371/journal.pone.0176250.t004

As shown in Tables 3 and 4, the modified scheme requires a slightly higher computational cost than the others, but mainly in the registration phase [3840, 50]. However, the modified scheme can provide all security properties shown in Table 2.

Conclusions

This paper discusses possible attacks for Cao and Ge’s authentication scheme, and a modified scheme is proposed to improve security and protect against various attacks. A security analysis and efficiency analysis are carried out to compare the results of the modified scheme to those of other schemes. In addition, the modified scheme is verified by conducting a formal security analysis using BAN-logic. The results indicate that the modified scheme has a slightly higher computational cost but that it is more secure than some of the other related schemes. The proposed scheme uses a bio-hash function for multi-factor biometric authentication to improve security. We also intend to conduct further studies on verification techniques, such as a fuzzy verifier and bio-hash function, to resolve the security-usability trade-off.

Acknowledgments

All authors, especially the corresponding author Dongho Won, would like to thank the anonymous reviewers for their time and invaluable comments and suggestions on this paper. This work was supported by Institute for Information and communications Technology Promotion(IITP) grant funded by the Korea government(MSIP) (No.R0126-15-1111, The Development of Risk-based Authentication·Access Control Platform and Compliance Technique for Cloud Security).

Author Contributions

  1. Conceptualization: YC YL JM DW.
  2. Data curation: YC YL.
  3. Formal analysis: YC JM DW.
  4. Funding acquisition: YC DW.
  5. Investigation: YC YL DW.
  6. Methodology: YC YL DW.
  7. Project administration: YC YL DW.
  8. Resources: YC YL DW.
  9. Software: YC JM.
  10. Supervision: YC JM.
  11. Validation: YC JM.
  12. Visualization: YC JM.
  13. Writing – original draft: YC YL.
  14. Writing – review & editing: YC JM DW.

References

  1. 1. Choi Y, Nam J, Lee D, Kim J, Jung J, and Won D. Security Enhanced Anonymous Multiserver Authenticated Key Agreement Scheme Using Smart Cards and Biometrics. The Scientific World Journal. 2014.
  2. 2. Huang H, and Cao Z. IDOAKE: strongly secure ID-based one-pass authenticated key exchange protocol. Security and Communication Networks. 2013: 1153–1161.
  3. 3. Rivest RL, Shamir A and Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM. 1978: 120–126.
  4. 4. Lamport L. Password authentication with insecure communication. Communications of the ACM. 1981;24(11); 770–772.
  5. 5. ElGamal T. (1985, January). A public key cryptosystem and a signature scheme based on discrete logarithms. In Advances in cryptology. Springer Berlin Heidelberg. 10–18.
    • 6. Choi Y, Lee D, Kim J, Jung J, Nam J, and Won D. Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors. 2014;14(6): 10081–10106. pmid:24919012
    • 7. Koblitz N. Elliptic curve cryptosystems. Mathematics of computation. 1987;48(177): 203–209.
    • 8. Debiao H, Jianhua C, and Jin H. An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security. Information Fusion. 2012;13(3): 223–230.
    • 9. Chaum D, Rivest RL, and Sherman AT. Advances in cryptology. In Proceedings of CRYPTO. 1983;82: 279–303.
    • 10. Shieh WG, and Wang JM. Efficient remote mutual authentication and key agreement. computers and security. 2006;25(1): 72–77.
    • 11. Lin CH, and Lai YY. A flexible biometrics remote user authentication scheme. Computer Standards and Interfaces. 2004;27(1): 19–23.
    • 12. Hwang MS, Lee CC, and Tang YL. A simple remote user authentication scheme. Mathematical and Computer Modelling. 2002;36(1): 103–107.
    • 13. Das ML, Saxena A, and Gulati VP. A dynamic ID-based remote user authentication scheme. Consumer Electronics. IEEE Transactions on. 2004;50(2): 629–631.
    • 14. Hwang MS, and Li LH. A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics. 2000;46(1): 28–30.
    • 15. Yoon EJ, and Yoo KY. Robust id-based remote mutual authentication with key agreement scheme for mobile devices on ecc. In Computational Science and Engineering. CSE’09. International Conference on. 2009;2: 633–640.
      • 16. Yang JH, and Chang CC. An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. Computers and security. 2009;28(3): 138–143.
      • 17. Islam SH, and Biswas GP. Comments on ID-based client authentication with key agreement protocol on ECC for mobile client-server environment. In Advances in Computing and Communications. Springer Berlin Heidelberg. 2011; 628–635.
        • 18. Zhang F, and Kim K. Efficient ID-based blind signature and proxy signature from bilinear pairings. In Information Security and Privacy. Springer Berlin Heidelberg. 2003; 312–323.
          • 19. Shim K. Efficient ID-based authenticated key agreement protocol based on Weil pairing. Electronics Letters. 2003;39(8): 653–654.
          • 20. Paterson KG. ID-based signatures from pairingson elliptic curves. Electronics Letters. 2002;38(18): 1025–1026.
          • 21. Nandakumar K. Multibiometric systems: Fusion strategies and template security. ProQuest. 2008.
          • 22. Wu M, Chen J, Zhu W, and Yuan Z. Security analysis and enhancements of a multi-factor biometric authentication scheme. International Journal of Electronic Security and Digital Forensics. 2016;8(4): 352–365.
          • 23. Amin R, Islam SH, Biswas GP, Khan MK., and Li X. (2015). Cryptanalysis and enhancement of anonymity preserving remote user mutual authentication and session key agreement scheme for e-health care systems. Journal of medical systems, 39(11), 140. pmid:26342492
          • 24. Islam SK, Obaidat MS, and Amin R. An anonymous and provably secure authentication scheme for mobile user. International Journal of Communication Systems. 2016.
          • 25. Amin R, Kumar N, Biswas GP, Iqbal R, and Chang V. A light weight authentication protocol for IoT-enabled devices in distributed Cloud Computing environment. Future Generation Computer Systems. 2016.
          • 26. Amin R, and Biswas GP. A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Networks. 2016;36: 58–80.
          • 27. Amin R, and Biswas GP. Design and analysis of bilinear pairing based mutual authentication and key agreement protocol usable in multi-server environment. Wireless Personal Communications. 2015;84(1): 439–462.
          • 28. Amin R, Islam SH, Biswas GP, Khan MK, Leng L, and Kumar N. Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. Computer Networks. 2016;101: 42–62.
          • 29. Amin R, and Biswas GP. Cryptanalysis and design of a three-party authenticated key exchange protocol using smart card. Arabian Journal for Science and Engineering. 2015;40(11): 3135–3149.
          • 30. Amin R. Cryptanalysis and Efficient Dynamic ID Based Remote User Authentication Scheme in Multi-server Environment Using Smart Card. IJ Network Security. 2016;18(1): 172–181.
          • 31. Li X, Niu JW, Ma J, Wang WD, and Liu CL. Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications, 2011;34(1): 73–79.
          • 32. Li X, Niu J, Khan MK, and Liao J. An enhanced smart card based remote user password authentication scheme. Journal of Network and Computer Applications. 2013;36(5): 1365–1371.
          • 33. Li X, Niu J, Wang Z, and Chen C. Applying biometrics to design three factor remote user authentication scheme with key agreement. Security and Communication Networks. 2014;7(10): 1488–1497.
          • 34. Li X, Niu J, Khan MK, Liao J, and Zhao X. Robust three factor remote user authentication scheme with key agreement for multimedia systems. Security and Communication Networks. 2014.
          • 35. He D, and Wang D. Robust biometrics-based authentication scheme for multiserver environment. IEEE Systems Journal. 2015;9(3): 816–823.
          • 36. Ma CG, Wang D, and Zhao SD. Security flaws in two improved remote user authentication schemes using smart cards. International Journal of Communication Systems. 2014;27(10): 2215–2227.
          • 37. Wang D, Ma CG, and Wu P. Secure password-based remote user authentication scheme with non-tamper resistant smart cards. In IFIP Annual Conference on Data and Applications Security and Privacy. Springer Berlin Heidelberg. 2012; 114–121.
            • 38. An Y. Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. BioMed Research International. 2012.
            • 39. Das AK. Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. Information Security. IET. 2011;5(3): 145–151.
            • 40. Li CT, and Hwang MS. An efficient biometrics-based remote user authentication scheme using smart cards. Journal of Network and computer applications, 2010;33(1): 1–5.
            • 41. Al-Assam H, and Jassim SA. Multi-factor challenge/response approach for remote biometric authentication. In SPIE Defense, Security, and Sensing. International Society for Optics and Photonics. 2011; 80630V–80630V.
              • 42. Sarier ND. Improving the accuracy and storage cost in biometric remote authentication schemes. Journal of Network and Computer Applications. 2010;33(3): 268–274.
              • 43. Cox IJ, Miller ML, Bloom JA, and Honsinger C. Digital watermarking. San Francisco: Morgan Kaufmann. 2002;53.
                • 44. Pointcheval D, and Zimmer S. Applied Cryptography and Network Security. Proceedings. Springe: Berlin. 2008;277–295.
                  • 45. Choi Y, Lee D, Kim J, Jung J, Nam J, and Won D. Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors. 2014;14(6): 10081–10106. pmid:24919012
                  • 46. KAMAL K, GHANY A, MONEIM MA, GHALI NI, HASSANIEN AE, and HEFNY HA. A Symmetric Bio-Hash Function Based On Fingerprint Minutiae And Principal Curves Approach. 2011.
                    • 47. Teoh AB, Goh A, and Ngo DC. Random multispace quantization as an analytic mechanism for biohashing of biometric and random identity inputs. Pattern Analysis and Machine Intelligence. IEEE Transactions on. 2006;28(12): 1892–1901.
                    • 48. Kim J, Lee D, Jeon W, Lee Y, and Won D. Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks. Sensors. 2014;14(4): 6443–6462. pmid:24721764
                    • 49. Nam J, Choo KKR, Kim M, Paik J, and Won D. Dictionary attacks against password-based authenticated three-party key exchange protocols. KSII Transactions on Internet and Information Systems (TIIS). 2013;7(12): 3244–3260.
                    • 50. Cao L, and Ge W. Analysis and improvement of a multi-factor biometric authentication scheme. Security and Communication Networks. 2015;8(4): 617–625.
                    • 51. Choi Y, Nam J, Lee Y, Jung S, and Won D. Cryptanalysis of Advanced Biometric-Based User Authentication Scheme for Wireless Sensor Networks. In Computer Science and its Applications. Springer Berlin Heidelberg. 2015;1367–1375.
                      • 52. Nam J, Choo KKR, Kim M, Paik J, and Won D. An Offline Dictionary Attack against Abdalla and Pointcheval’s Key Exchange in the Password-Only Three-Party Setting. IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences. 2015;98(1): 424–427.
                      • 53. Syverson P. A taxonomy of replay attacks [cryptographic protocols]. In Computer Security Foundations Workshop VII. CSFW 7. Proceedings. IEEE. 1994; 187–191.
                        • 54. Otway D, and Rees O. Efficient and timely mutual authentication. ACM SIGOPS Operating Systems Review. 1987;21(1): 8–10.
                        • 55. Blake-Wilson S, Johnson D, and Menezes A. Key agreement protocols and their security analysis. Springer Berlin Heidelberg. 1997; 30–45.
                          • 56. Wen F, and Li X. An improved dynamic ID-based remote user authentication with key agreement scheme. Computers and Electrical Engineering. 2012;38(2): 381–387.
                          • 57. Chou JS, Huang CH, Huang YS, and Chen Y. Efficient Two-Pass Anonymous Identity Authentication Using Smart Card. IACR Cryptology ePrint Archive. 2013;402.
                          • 58. Das AK, and Goswami A. A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. Journal of medical systems. 2013;37(3): 9948. pmid:23660745
                          • 59. Boyd C, and Mao W. On a limitation of BAN logic. In Advances in Cryptology-EUROCRYPT’93. Springer Berlin Heidelberg. 1994;240–247.
                            • 60. Bleeker A, and Meertens L. A semantics for BAN logic. In Proceedings of the DIMACS Workshop on Design and Formal Verification of Security Protocols. 1997.
                              • 61. Burrows M, Abadi M, and Needham RM. A logic of authentication. In Proceedings of the Royal Society of London A: Mathematical. Physical and Engineering Sciences. The Royal Society. 1989;426: 233–271.
                                • 62. Abadi M, and Needham R. Prudent engineering practice for cryptographic protocols. IEEE transactions on Software Engineering. 1996;1: 6–15.
                                • 63. Xue K, and Hong P. Security improvement on an anonymous key agreement protocol based on chaotic maps. Communications in Nonlinear Science and Numerical Simulation. 2012;17(7): 2969–2977.