A robust anonymous biometric-based authenticated key agreement scheme for multi-server environments

Hua Guo; Pei Wang; Xiyong Zhang; Yuanfei Huang; Fangchao Ma

doi:10.1371/journal.pone.0187403

Abstract

In order to improve the security in remote authentication systems, numerous biometric-based authentication schemes using smart cards have been proposed. Recently, Moon et al. presented an authentication scheme to remedy the flaws of Lu et al.’s scheme, and claimed that their improved protocol supports the required security properties. Unfortunately, we found that Moon et al.’s scheme still has weaknesses. In this paper, we show that Moon et al.’s scheme is vulnerable to insider attack, server spoofing attack, user impersonation attack and guessing attack. Furthermore, we propose a robust anonymous multi-server authentication scheme using public key encryption to remove the aforementioned problems. From the subsequent formal and informal security analysis, we demonstrate that our proposed scheme provides strong mutual authentication and satisfies the desirable security requirements. The functional and performance analysis shows that the improved scheme has the best secure functionality and is computational efficient.

Citation: Guo H, Wang P, Zhang X, Huang Y, Ma F (2017) A robust anonymous biometric-based authenticated key agreement scheme for multi-server environments. PLoS ONE 12(11): e0187403. https://doi.org/10.1371/journal.pone.0187403

Editor: Muhammad Khurram Khan, King Saud University, SAUDI ARABIA

Received: April 12, 2017; Accepted: September 25, 2017; Published: November 9, 2017

Copyright: © 2017 Guo et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: This research was supported by the National Natural Science Foundation of China (No. 61300172, 61572027, 61402037), http://www.nsfc.gov.cn/. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Competing interests: The authors have declared that no competing interests exist.

1 Introduction

Nowadays security has becoming an urgent issue for the distributed networks. The remote user authentication scheme allows the transmission of secret data via public channels, thus is an important cryptographic tool for distributed networks. In 1981, Lamport [1] proposed the first password-based authentication scheme. After that, considerable amount of work on password-based authentication schemes have been put forward for different applications [2, 3]. However, passwords are vulnerable to be broken in a short time by using dictionary guessing attack. To solve this problem, smart cards with password-based authentication schemes [4–12] are introduced to enhance the security of user authentication. Unfortunately, there are still some problems when the smart card is stolen and the stored data is leaked [13–15].

The biometric keys, such as fingerprint and iris, are considered to be a unique identifier of a user, thus have many advantages. For example, the biometric keys cannot be forgotten or lost, are difficult to copy or share, and are not easy to forge or guess. Additionally, one can carry biometric keys at anytime and from anywhere. With the security requirements of the distributed networks and the good security performance and advantages of the biological characteristic, biometrics authentication protocols come to be more crucial and widely deployed [16–36]. In 2002, Lee et al. [16] designed the first biometrics-based remote user authentication scheme. In 2004, Lin-Lai [17] demonstrated that Lee et al.’s scheme cannot resist impersonation attack and designed a protocol without verification table to fix the flaws of Lee et al.’s scheme. In 2007, Khang-Zhang [18] pointed out that Lin-Lai’s scheme is insecure against server spoofing attack and illustrated an improved scheme. Rhee [19] demonstrated that Khang-Zhang’s scheme is vulnerable to impersonation attack and offline password guessing attack. Later, Li-Wang [20] designed an efficient three-factor remote user authentication scheme which only uses symmetric cryptographic primitive and the hash operation. However, in 2011, Das [21] exhibited that Li-Wang’s scheme is insecure against man-in-the-middle attack and does not provide proper certification. Furthermore, he designed a new certification scheme based on biometric characteristics. In 2014, Li et al. [25] pointed out that Das et al.’s scheme is vulnerable to forgery attack and stolen smart card attack, and put forward a three-factor remote user authentication scheme. After that, Chaturvedi et al. [26] demonstrated that Li et al.’s scheme doesn’t resist known session specific temporary information attack and doesn’t protect user’s privacy. They also proposed a novel authentication and key agreement protocol to overcome the weaknesses of Li et al.’s scheme.

In 2014, Chuang-Chen [27] proposed an efficient lightweight three-factor authentication protocol for multi-server environment which requires only the hash operation. After that, Mishra et al. [28] showed that Chuang-Chen’s scheme is insecure against the denial-of-service attack, smart card stolen attack, server spoofing attack and impersonation attack. In addition, they proposed a new biometric-based multi-server authentication protocol so as to overcome the weaknesses of Chuang-Chen’s scheme. In 2015, Lu et al. [29] illustrated that Mishra et al.’s scheme is insecure against server spoofing attack and impersonation attack, and can not provide forward secrecy. They introduced two independent three-factor authentication schemes [29, 31] for multi-server architecture, and claimed that the improved scheme has strong security. Unfortunately, Moon et al. [30] showed that Lu et al.’s scheme [29] is vulnerable to outsider attack and user impersonation attack, and put forward an enhanced protocol which fixes the flaws of Lu et al.’s scheme.

Unfortunately, we found that Moon et al.’s biometric-based remote user authentication scheme still has some flaws. In this paper, we firstly showed that Moon et al.’s scheme is vulnerable to insider attack, server spoofing attack, user impersonation attack and guessing attack. Moreover, we exhibited that their scheme is not anonymous for the user. Then we proposed an improved authentication scheme for multi-server environment to fix their design flaws. After that, we show that our scheme is robust against all known attacks through the formal and informal security analysis. Finally we demonstrate that the improved scheme has the best secure functionality and is computational efficient.

The rest of the paper is organized as follows. In section 2, we introduce some preliminary knowledge. Section 3 briefly reviews Moon et al.’s biometric-based remote user authentication scheme. Section 4 shows the design flaws in Moon et al.’s scheme. In order to eliminate the shortcomings discussed in section 4, we propose an enhancement authentication protocol in section 5. Section 6 analyzes the security of the proposed scheme, and Section 7 compares the performance of the enhanced scheme with other related schemes. Finally, we conclude in section 8.

2 Preliminaries

This section elaborates the definitions of one-way hash function and BioHashing, and the security model.

2.1 Definition

One-way hash function. A one-way hash function h: {0, 1}* → {0, 1}ⁿ takes an arbitrary-length input x ∈ {0, 1}*, and produces a fixed-length output h(x) ∈ {0, 1}ⁿ, called the message digest. The hash function has the following attributes:

Computationally, it is easy to compute y = h(x) if x and h(⋅) are specified.
It is almost impossible through polynomial time t to know two inputs x₁ and x₂, such that h(x₁) = h(x₂).

BioHashing. BioHashing technique [37] is designed to reduce the probability of denial of access while keeping the false acceptation performance. Inputing the biometric feature set and a seed which represents the “Hash key”, BioHashing generates a vector of bits. More precisely, with the help of a uniform distributed pseudo-random numbers generated by giving a secret seed, the biometric vector data x ∈ Rⁿ is reduced down to a bit vector b ∈ {0, 1}^l with l the length of the bit string (l ≤ n) through BioHashing.

2.2 Security model

In this paper, we adopt the security model proposed by Abdalla et al. [38] to prove the security of our protocol.

Participants. An oracle denotes an instance t of a party S_j, denotes the instance u of U_i, and denotes the instance v of RS.
Partnering. The partner of an instance of U_i is the instance of S_j and conversely. The partial transcript of all exchanged messages between U_i and S_j is unique, and is said as a session ID for the present session in which participates.
Freshness. or is fresh, only if the session key SK is not leaked to .
Adversary. In the ROR model, models the real attack via the following oracle queries. To breach the security of the authentication protocol, is able to access the queries given below:
- Execute(π^t, π^u): The Execute query helps obtain the messages transmitted between two honest participants; this query models an eavesdropping attack.
- Send(π^t; x): The Send query corresponds to an active attack. π^t executes the protocol and responds with an outgoing message after receiving a message x from .
- Reveal(π^t): The executes Reveal query to reveal of session keys. If the session has been accepted, π^t returns the session key SK as its response that is computed between π^t and its partner, otherwise returns a null value.
- CorruptSC(π^t): It is about modeling smart card loss attack and outputs the information stored in SC_i.
- Test(π^t): At some point, the adversary can make a Test query to an oracle Π^t. Π^t flips an unbiased coin b and responds with the real agreed session key SK if SK is established and fresh, if b = 1; otherwise it returns a random sample generated according to the distribution of the session key. Otherwise, it returns ⊥.

Semantic security of the session key. In an experiment, the adversary is challenged to differentiate between an instance’s real session key SK and a random key. can continue querying Test queries to either the server instance or the user instance. The outcome of Test query must be consistent with the random bit b. Eventually, terminates the game simulation and outputs a bit b′ for b. we say wins if the adversary guesses the correct b.

Let E denotes the event that wins the game. Then, the advantage of breaches the semantic security of our proposed authenticated key-agreement (AKE) protocol, say , is computed as . We say that the protocol is a secure multi-server authentication and key agreement protocol in the ROR sense if is negligible.

Random oracle. To prove the security of the proposed protocol, the one-way hash function h(⋅) is treated as a random oracle(say Hash oracle), and is provided to the adversary and every participant. The Hash oracle is simulated by a two-tuple (u, v) table of binary strings. When a hash query h(u) is made, the Hash oracle returns v if u is found in the table; otherwise, it returns a uniformly random string v and stores the pair (u, v) in the table.

3 Review of Moon et al.’s scheme

In this section, we briefly review Moon et al.’s scheme, which consists of four phases: registration phase, login phase, authentication phase and password change phase. Table 1 summarizes the notations used in this paper.

Download:

Table 1. Notations.

https://doi.org/10.1371/journal.pone.0187403.t001

3.1 Registration phase

The registration and authentication phases are shown in Fig 1. In order to get the access to different services provided by the servers, a user must register himself through the registration server. U_i firstly selects an identity ID_i and password PW_i and inputs biometrics BIO_i.

Download:

Fig 1. Registration and authentication phases of Moon et al.’s scheme.

Registration and authentication phases of Moon et al.’s scheme.

https://doi.org/10.1371/journal.pone.0187403.g001

Using the password and the biometrics, the smart card computes PWD_i = h(PW_i||H(BIO_i)) and sends < ID_i, PWD_i > to the registration server through a secure channel.
Upon receiving the message < ID_i, PWD_i >, the registration server computes V_i = h(ID_i||PWD_i), W_i = h(y_i||PSK) ⊕ ID_i, X_i = h(ID_i||x), Y_i = y_i⊕ h(PSK). Then RS stores < V_i, W_i, X_i, Y_i, h(⋅), H(⋅) > onto a smart card and sends the smart card to U_i.

3.2 Login phase

During the login phase, the user U_i inserts his smart card into the smart card reader, inputs his identity ID_i and password PW_i, and imprints biometric information BIO_i. Upon receiving an input, the smart card uses the following steps to perform a login session:

The smart card computes PWD_i = h(PW_i||H(BIO_i)) and verifies V_i? = h(ID_i|| PWD_i). If succeeds, it executes the next step. Otherwise the session aborts.
The smart card generates a random number n₁ and computes K = h((W_i ⊕ ID_i)|| SID_j), M₁ = ID_i ⊕ K, M₂ = n₁ ⊕ K, M₃ = PWD_i ⊕ K, Z_i = h(X_i||n₁|| PWD_i||T_i).
The smart card transmits the login request message < Y_i, Z_i, M₁, M₂, M₃, T₁ > to the server S_j through a public channel, where T₁ is the current timestamp.

3.3 Authentication phase

After receiving the authentication request < Y_i, Z_i, M₁, M₂, M₃, T₁ > from the user U_i, the server S_j executes the following steps to authenticate each other.

The server S_j firstly checks whether |T_c − T₁| < ΔT, then uses its pre-shared key PSK and achieves y_i = Y_i ⊕ h(PSK). The server also retrieves K = h(h(y_i||PSK)||SID_j), n₁ = M₂ ⊕ K, ID_i = M₁ ⊕ K, PWD_i = M₃ ⊕ K, X_i = h(ID_i||x) and verifies Z_i? = h(X_i||n₁||PWD_i||T₁). If they are not equal, S_j rejects the login request and terminates the session. Otherwise, the server generates a random number n₂ and computes M₄ = n₂ ⊕ h(n₁||PWD_i||X_i), M₅ = h(ID_i||n₁||n₂||K||T₂), SK_ij = h(n₁||n₂||K||T₂) and then responds with the message < M₄, M₅, T₂ > to the smart card (user U_i) over a public channel.
Upon receiving the message < M₄, M₅, T₂ > and checking the freshness of T₂, the smart card retrieves the value n₂ = M₄ ⊕ h(n₁||PWD_i||X_i). Then it verifies M₅? = h(ID_i||n₁||n₂||K||T₂). If the verification holds, it computes the session key SK_ij = h(n₁||n₂||K||X_i), which would be shared between U_i and S_j. Finally, the smart card computes M₆ = h(SK_ij||ID_i||n₂||T₃) and sends the message < M₆, T₃ > to S_j via a public channel.
Upon receiving the message < M₆, T₃ >, S_j checks the freshness of T₃ and verifies h(SK_ij||ID_i||n₂||T₃)? = M₆. If the equation holds, the server ensures the identity of U_i. Otherwise, the server aborts the session.

3.4 Password updating

In this phase, U_i can change his password any time when he wants. In order to change password, the user performs the following steps:

U_i inserts his smart card into the smart card reader and then inputs ID_i and PW_i and biometrics BIO_i.
The smart card SC_i computes PWD_i = h(PW_i||H(BIO_i)), then checks if Vi′ = h(ID_i||PWD_i) is the same as the stored V_i. If they are the same, SC_i accepts U_i to enter a new password .
SC_i computes and , and replaces V_i with .

4 Security analysis of Moon et al.’s scheme

Although Moon et al. claimed that their scheme satisfies the required security requirements, we found that their scheme still has some weakness, i.e., fail to resist the insider attack, server spoofing attack, guessing attack and impersonation attack. Moreover, their scheme is not anonymous for users.

4.1 Lack of user anonymity

User anonymity means that the adversary cannot obtain or track the identity of the user according to the message transmitted via the public channel, which is an important property to protect the privacy of users. In Moon et al.’s scheme, during authentication phase, U_i sends < Y_i, Z_i, M₁, M₂, M₃, T₁ > as authentication request message to S_j. Note that all the information transmitted in public channel can be intercepted by the adversary. The parameter M₁ = K ⊕ ID_i where K = h((W_i ⊕ ID_i)||SID_j)) in the message < Y_i, Z_i, M₁, M₂, M₃, T₁ >, is unique and static for each user during all logins to the same server. Thus anyone has ability to track the activities of a legal user, if he captures the value of M₁.

4.2 Insider attack

Insider attack means that an insider can get the sensitive credentials from the information stored in RS. In Moon et al.’s scheme, during user registration phase, U_i submits his identity ID_i and PWD_i to RS. In order to prevent duplicate user registration, RS has to store the user’s ID. If an adversary obtains the list of ID, it would cause great devastation. The adversary can impersonate himself as U_i as described in the following user impersonation attack.

4.3 Server spoofing attack

In Moon et al.’s protocol, RS shares the same secret information (x, PSK) with all the application severs. The compromised sever can impersonate as another legitimate server to deceive any legal user. Now we show the reason why Moon et al.’s scheme cannot withstand this kind of server spoofing attack.

When U_i submits his login request message < Y_i, Z_i, M₁, M₂, M₃, T₁ > to S_j, the legal but malicious server S_k can intercept this message and compute y_i = Y_i ⊕ h(PSK), K = h(h(y_i||PSK)||SID_j), n₁ = M₂ ⊕ K, ID_i = M₁ ⊕ K, PWD_i = M₃ ⊕ K, X_i = h(ID_i||x) and to check Z? = h(X_i||n₁||PWD_i||T₁).
S_k generates a random number n₂ and computes M₄ = n₂ ⊕ h(n₁||PWD_i||X_i), M₅ = h(ID_i||n₁||n₂||K||T₂), SK_ij = h(n₁||n₂||K||T₂), then sends < M₄, M₅, T₂ > to U_i.
U_i computes n₂ = M₄ ⊕ h(n₁||PWD_i||X_i), M₅ = h(ID_i||n₁||n₂||K||T₂) and compares it with M₅. It is obvious that the values are the same, thus U_i responds with the message M₆ = h(SK_ij||ID_i||n₂||T₃).
U_i computes the session key SK_ij = h(n₁||n₂||K||T₂) and believes that he is communicating with S_j.

Therefore, a legal but malicious server S_k can masquerade as another server S_j to fool any legal user and Moon et al.’s scheme is vulnerable to server spoofing attack.

4.4 Guessing attack

Moon et al.’s scheme is vulnerable to identity guessing attack, which is a critical concern in their scheme. If the adversary can extract the secret value W_i from the legal user’s smart card by some means and get the value of M₁ from public channel, the adversary can easily find out by performing the guessing attack, in which each guess ID_i can be verified as the following steps.

The adversary chooses and computes .
The adversary verifies the correctness of by checking .
The adversary repeats the above steps until a correct is found.

4.5 User impersonation attack

In a remote user communication scheme, anyone should be considered as a legal user if a user has valid authentication credentials or could be capable of constructing an effective authentication request message. In Moon et al.’s protocol, an adversary can impersonate a valid user as described below.

As enlightened in insider attack and guessing attack mentioned above, an adversary obtains U_i’s personal identifiable information ID_i. He also extracts the secret values W_i and X_i from the legal user’s smart card by some means.
The adversary intercepts a valid login request message < Y_i, Z_i, M₁, M₂, M₃, T₁ > which is sent from ID_i via the public channel, then the adversary computes K = ID_i ⊕ M₁, PWD_i = K ⊕ M₃, chooses random number n₁, and calculates M_1m = ID_i ⊕ K, M_2m = n₁ ⊕ K, M_3m = PWD_i ⊕ K, Z_im = h(X_i||n₁||PWD_i|| . Now, the malicious adversary sends the forged login request message < Y_i, to S_j by masquerading as legal user U_i.
After the authentication of the login request message, the server S_j generates a random number n₂, computes M_4m = n₂ ⊕ h(n₁||PWD_i||X_i), M_5m = h(ID_i||n₁ ||n₂||K||T₂) and responds with the message < M_4m, M_6m, T₂ > to the adversary who is masquerading as U_i.
The masquerading adversary verifies the correctness of M_4m with the values of n₁ and K. Then the masquerading user U_i computes n₂ = M_4m ⊕ h(n₁||PWD_i||X_i), SK_ij = h(n₁||n₂||K||T₂), M_6m = h(SK_ij||ID_i||n₂||T₃), and sends the message < M_6m, T₃ > back to the server S_j.
The server S_j computes M_6m = h(SK_ij||ID_i||n₂||T₃) and verifies it with the received value of M_6m. It is obvious that they are equal, so the sever authenticates successfully the legitimacy of the user U_i and the login request message information is accepted.
After mutual authentication, the server S_j and the malicious adversary who masquerades as the user U_i agree on the common session key as SK_ij = h(n₁|| n₂||K||X_i).

5 Our proposed scheme

In this section, we propose an improved remote user authentication scheme to fix the drawbacks in Moon et al.’s scheme. Our proposed protocol consists of four phases: registration, login, mutual authentication with key-agreement and password change. Fig 2 describes our proposed scheme.

Download:

Fig 2. Registration and authentication phases of our scheme.

Registration and authentication phases of our scheme.

https://doi.org/10.1371/journal.pone.0187403.g002

5.1 Registration phase

When the remote user authentication scheme starts, the user U_i and the server S_j need to perform the following steps to register with the registration server(RS).

5.1.1 Server registration.

To register with the system, a server S_j submits his identity SID_j and his public key Pub_j which can be obtained by all the users. Then S_j sends his identity SID_j and his public key Pub_j to RS. Upon reception, RS shares the secret key PSK with S_j and publishes S_j’s public key Pub_j.

5.1.2 User registration.

U_i freely selects his identity ID_i which uniquely identifies the user’s identity, password PW_i and scans his biometrics BIO_i. Then U_i computes IDB_i = h(ID_i ||H(BIO_i)), PWD_i = h(PW_i||H(BIO_i)) and sends < h(ID_i), IDB_i, PWD_i > to RS on a secure channel.
Upon reception, RS computes V_i = h(h(ID_i)||PWD_i), W_i = h(h(ID_i)||PSK) ⊕ IDB_i and stores < V_i, W_i, h(⋅), H(⋅) > in the smart card SC.
RS sends SC to U_i over a secure channel.

5.2 Login phase

U_i sends the login request by inserting smart card (SC), and inputting ID_i, PW_i and BIO_i.
SC computes PWD_i = h(PW_i||H(BIO_i)) and then checks whether the condition V_i? = h(h(ID_i)||PWD_i). If the result is negative, the login session can be aborted. Otherwise, SC generates a random number n₁ and computes K = h((W_i ⊕ IDB_i) ⊕ h(ID_i||n₁)), , Z_i = h(n₁||ID_i||K||T₁) and sends < M₁, Z_i, T₁ > to the server S_j as the login request message.

5.3 Authentication phase

On getting login message, S_j checks freshness of T₁. S_j computes (ID_i||n₁) = , K = h(h(h(ID_i)||PSK) ⊕ h(ID_i||n₁)) and verifies if Z_i? = h(n₁|| ID_i||K||T₁). If they are same, S_j authenticates U_i. Otherwise the session is terminated.
S_j further generates a random number n₂, and computes M₂ = n₂ ⊕ K, M₃ = h(ID_i||n₁||n₂||K||T₂), SK_ij = h(n₁||n₂||K||ID_i). S_j sends < M₂, M₃, T₂ > to SC.
On checking the freshness of T₂, SC computes n₂ = M₂ ⊕ K and verifies the condition M₃? = h(ID_i||n₁||n₂||K||T₂). If the condition holds, U_i authenticates S_j. Otherwise the process is terminated. Then, SC computes SK_ij = h(n₁||n₂ ||K||ID_i) and M₄ = h(SK_ij||ID_i||n₂||T₃), then sends < M₄, T₃ > to S_j.
S_j checks the freshness of T₃. S_j verifies M₄? = h(SK_ij||ID_i||n₂||T₃) and reconfirms the authenticity of U_i. Now, U_i and S_j share with the computed session key SK_ij = h(n₁||n₂||K||ID_i) for further communication.

5.4 Password changing phase

This procedure is invoked whenever a user (U_i) wants to update his password with a new password , without through a private channel or communicating with RS.

U_i inserts smart card SC and inputs ID_i, PW_i and BIO_i.
SC computes PWD_i = h(PW_i||H(BIO_i)) and then verifies the condition V_i? = h(ID_i||PWD_i). If the condition doesn’t hold, the request can be dropped.
U_i chooses a new password and then computes , . Thus the smart card finally contains the parameters .

6 Security analysis of the proposed scheme

In this section, we use Burrows-Abadi-Needham logic (BAN-logic) [39] to verify the completeness of our scheme, then we prove the security of the scheme through formal and informal analysis.

6.1 Verifying the proposed scheme with BAN logic

The BAN logic introduced by Burrows et al. is a formal method of analyzing the security features of the information exchange protocol. It helps determine whether the exchanged information is credible, whether it can prevent eavesdropping or both. In this paper, we use BAN logic to prove that a user and a server share a session key after successfully running the protocol. We first introduce the BAN logic notations used in this paper in Table 2.

Download:

Table 2. BAN logic notations.

https://doi.org/10.1371/journal.pone.0187403.t002

BAN logical postulates
1. Message-meaning rule: : If P believes that K is the shared key of P and Q, and P receives the message X encrypted with K, then P believe that Q has sent message X.
2. Jurisdiction rule: : If P believes that Q has the right to control X and P believes that Q also trusts X, then P trusts X.
3. Nonce-verification rule: : If P believes that X is fresh and P believes that Q has sent X, then P believes that Q believes X.
4. Freshness-conjuncatenation rule: : If P believes that X is new, then the information of (X, Y) is also fresh.
5. Belief rule: : If P believes X and Y, then P believes (X, Y).
Establishment of security goals
1. g1:
2. g2:
3. g3:
4. g4:
Initiative premises
1. p1. U_i| ≡ #n₁. p2. U_i| ≡ S_j ⇒ #n₂.
2. p3. S_j| ≡ #n₁. p4. S_j| ≡ #n₂.
3. p5. . p6. .
4. p7. U_i| ≡ ID_i. p8. S_j| ≡ U_i ⇒ ID_i.
5. p9. . p10. .
Scheme analysis
1. a₀.
  Since , only S_j can get the value of ID_i and n₁. One can get the value of K unless he has the true Pri_j and PSK at the same time.
2. a₁. S_j ⊲ (n₁, ID_i, T₁)_K, T₁
  We employ Message-meaning rule according to p₅ and a₁ to drive:
3. a₂. S_j| ≡ U_i| ∼ (n₁, ID_i, T₁)
  According to a₂ and p₃, we apply the Freshness-conjuncatenation rule and Nonce-verification rule to get the following information:
4. a₃. S_j| ≡ U_i| ≡ (n₁, ID_i, T₁)
  According to a₃ and p₈, we employ Jurisdiction rule and belief rule to obtain:
5. a₄. S_j| ≡ ID_i
  According to a₄ and , we employ Message-meaning rule to obtain:
6. a₅.
  According to a₅ and p₄, we apply Nonce-verification rule and Freshness- conjuncatenation rule to obtain:
7. a₆.
  Finally, we employ The belief rule to obtain:
8. g₁. .
  According to g₁ and p₉, we utilize Jurisdiction rule to obtain:
9. g₂. .
  According to p₆ and U_i ⊲ (ID_i, n₁, n₂, T₂)_K, we employ Message-meaning rule to obtain:
10. a₇. U_i| ≡ S_j| ∼ (ID_i, n₁, n₂, T₂)
  According to a₇ and p₁ we apply Nonce-verification rule and Freshness- conjuncatenation rule to derive:
11. a₈. U_i| ≡ S_j| ≡ (ID_i, n₁, n₂, T₂)
  According to a₈ and p₁, p₃, p₄, p₆ and SK_ij = h(n₁||n₂||K||ID_i), we apply Freshness-conjuncatenation rule and Nonce-verification rule to derive:
12. g₃. .
  According to g₃ and p₁₀ we utilize Jurisdiction rule to obtain:
13. g₄. .

6.2 Formal analysis

We use provable security to prove the security of our scheme. The security proof is based on the model of RSA-based password authentication.

Theorem 1. Let be an adversary that run in polynomial time t against our protocal in the random oracle, D be a uniformly distributed password dictionary and l denotes the number of bits in the biometric key BIO_i, |Hash| and|D| denotes the range space of hash function and the size of D, respectively. If an attacker makes q_h Hash queries, q_send Send queries, then, the advantage of of breaking the SK-security of is , where Adv^RSA(t) is the advantage that an adversary solves the problem about the factor decomposed of great number.

Proof. The proof is finished by executing a sequence of hybrid games G_i. For each game G_i, let E_i denote the event that the adversary succeeds in guessing the bit b in game G_i.

Game G₀: This game corresponds to the real attack in the random oracle model. Thus, we can write (1)

Game G₁: By querying Execute oracle, this game simulates ’s eavesdropping attack. After that, the adversary queries Test oracle, and decides whether the outcome of the Test oracle is the real session key SK or a random number, where SK_ij is computed from SK_ij = h(n₁||n₂||K||ID_i). Note that PSK and IDB_i are secret to S_j and U_i. The adversary has no knowledge about PSK, IDB_i and ID_i, thus eavesdropping of message can not increase the chance of winning for the adversary in G₁. So we have (2)

Game G₂: The difference between G₂ and G₁ is that we add the simulations of the Send and the Hash oracles. G₂ models an active attack where tries to decide a participant into accepting a forged message. can make several Hash queries to find the collisions. Note that the messages {M₁, Z_i, T₁} and {M₂, M₃, T₂} are associated with timestamp T₁, T₂, random numbers n₁ and n₂, and ID_i of U_i, hence there is no collision when querying the Send oracle. According to the birthday paradox, we have (3)

Game G₃: In this game, G₃ simulates the CorruptSC oracle which models the smart card lost attack. Since the chosen password has low entropy, may try online dictionary attack with the information obtained from the smart card. In addition, may try to obtain biometrics key B_i from information collected from the smart card SC_i. Our protocol uses BioHash, which extracts at most l nearly random bits, therefore the probability of guessing biometric key B_i ∈ {0, 1}^l by is approximated as . If the number of wrong password inputs is limited by the system, probabilities can be estimated as follows: (4)

Game G₄: This game models an attack wherein has to compute the real session key SK_ij = h(n₁||n₂||K||ID_i) using K, ID_i from the eavesdropping messages {M₁, Z_i, T₁} and {M₂, M₃, T₂}. can not compute K = h((W_i ⊕ IDB_i) ⊕ h(ID_i||n₁)) and as ID_i, Pri_j and IDB_i are unknown. also needs to derive n₁ and n₂ from M₁ and M₂, respectively. We then have (5)

Additionally, since all session keys are random and independent and no information about the value of c is revealed to , Then, (6)

From Eqs (1)–(6), the following result is obtained: (7)

6.3 Informal security analysis

This subsection describes the security analysis of our scheme. To evaluate the security of the improved scheme, we assume that the adversary might access the smart card of legal user and extract the information stored in the smart card and intercept information transmitted over the public channel.

6.3.1 Mutual authentication.

After receiving the login request information from U_i, S_j checks if Z_i? = h(n₁||ID_i ||K||T₁) holds or not. The adversary who masquerades as the legal user cannot forge Z_i without knowing ID_i and the biometrics BIO_i of U_i. Likewise, upon receiving the message M₃, U_i checks M₃? = h(ID_i||n₁||n₂||K||T₂), where K = h(h(h(ID_i)|| PSK) ⊕ h(ID_i||n₁)), which requires the computation of U_i’s identity ID_i, the random number n₁ and PSK. Only the server who has the private key Pri_j can compute ID_i and n₁ so as to get the value of K. Hence only legal user can share the session key with corresponding server. Therefore, our proposed scheme can provide proper mutual authentication.

6.3.2 Anonymity.

In the proposed scheme, the login request message < M₁, Z_i, T₁ > is dynamic for every login and does not disclose any information about U_i, since it is associated with random number n₁. The identity is protected by the encrypted message using Pub_j. The adversary cannot obtain ID_i without having the knowledge of Pri_j. In addition, the unauthorized server cannot decrypt the user’s authentication message successfully since it does not own the private key Pri_j. As a result, the user’s real identity cannot be retrieved. Thus our protocol can achieve the anonymity property of users as well as protect the privacy of users.

6.3.3 Off-line password guessing attack.

An adversary may try to guess the password PW_i from the extracted smart card stored parameters < V_i, W_i, h(⋅), H(⋅) >. The stored parameter contains the password PW_i in the form V_i = h(h(ID_i)||PWD_i) where PWD_i = h(PW_i||H(BIO_i)). An adversary attempts to verify the condition V_i? = h(h(ID_i)||h(PW_i||H(BIO_i)) while constantly guessing PW_i. Adversary needs the value of ID_i and BIO_i of U_i in order to achieve the password guessing attack. However, the value of BIO_i is nowhere stored and an adversary cannot get the value of ID_i without knowing the private key Pri_j. As a result, the adversary cannot guess the correct password PW_i. Therefore, our proposed improved protocol can withstand this kind of attack.

6.3.4 Insider attack.

In our proposed protocol, U_i does not send his ID_i, password PW_i or his biometrics BIO_i in plain text during user registration phase. U_i submits only h(ID_i), IDB_i and PWD_i to RS instead of original credentials, where PWD_i = h(PW_i||H(BIO_i)), IDB_i = h(ID_i||H(BIO_i)). Hence, an insider cannot obtain the original sensitive information of any user. On the other hand, the authentication of entities is being done by verifying message like Z_i? = h(n₁||ID_i||K||T₁) in which ID_i is necessary. Moreover, RS doesn’t participate in the authentication process. Therefore, the proposed protocol attains resistance to insider attack.

6.3.5 Stolen smart card attack.

The adversary can extract the information < V_i, W_i, h(⋅), H(⋅) > stored in the smart card by means of power analysis. Assume a legal user’s smart card is stolen by an adversary and the stored information < V_i, W_i, h(⋅), H(⋅) > on it are extracted. Then, the adversary may try to get ID_i, PW_i, BIO_i from the extracted information. However, adversary cannot obtain any valuable information from these values, where V_i = h(h(ID_i)||PWD_i) and W_i = h(h(ID_i)||PSK) ⊕ IDB_i, since all the important parameters such as ID_i and PW_i are protected by a one-way hash function. The adversary cannot obtain any login information using the smart card stored parameters V_i and W_i. At the same time guessing the real identity ID_i and password PW_i is impractical. Therefore, the proposed protocol is secure against smart card stolen attack.

6.3.6 Replay attack.

If an adversary has intercepted all the communication message < M₁, Z_i, T₁ > and < M₂, M₃, T₂ >, he tries to replay them to U_i or S_j to masquerade as a legal user. However, once the message is replayed, the server can immediately detect the attack and reject the request due to the apply of timestamp. Hence, our scheme is secure against replay attack.

6.4 No verification table

In the proposed scheme, the registration server and application servers do not store the password and the biometrics database of the user. Therefore, even if an adversary steals the information stored in RS, he still cannot get ID_i, PW_i, BIO_i or other valid information of users. S_j does not store the password or the biometrics table of users as well. Therefore, even if an adversary steals the database from RS, he still cannot obtain user’s sensitive information of users.

6.4.1 User masquerade attack.

Assume an adversary steals a smart card from a legal user and wants to get service by perpetrating user impersonation attack. If an adversary forges messages so as to impersonate as U_i, he needs to build a login request message < M₁, Z_i, T₁ > firstly, where , Z_i = h(n₁||ID_i||K||T₁). Conversely, the adversary cannot compute the messages M₁ and Z_i without user’s private information ID_i and H(BIO_i). At the same time, the adversary has to go through login phase before sending login request information. During login phase, SC computes PWD_i = h(PW_i||H(BIO_i)) and then verifies if V_i? = h(ID_i||PWD_i) is correct. Unless the adversary enters the correct credentials, the process will be terminated. Therefore, the adversary certainly requires ID_i, PW_i and BIO_i for any furthermore computations. However, the probability of obtaining correct ID_i, PW_i and BIO_i is negligible.

6.4.2 Server impersonation attack.

Unlike Moon et al.’s protocol, the server S_j not only keeps unique long-term key PSK, but also contains the key pair < Pub_j, Pri_j >. Note that the key pair of each server is distinctive, and Pri_j is known to only server S_j. Consider a scenario where an adversary captures < M₁, Z_i, T₁ > and tries to impersonate valid server by responding with message < M₂, M₃, T₂ >. The values of ID_i, K and n₁ are prerequisite. However, adversary cannot yield either of the values without having the knowledge of Pri_j. Though, the adversary cannot get the right values of ID_i, K and n₁, if the adversary forges the massage < M₂, M₃, T₂ >. Upon receiving the response message < M₂, M₃, T₂ >, U_i can identify it as a malicious attempt due to the non-equivalence of message . Thus, our proposed protocol is secure against server impersonation attack.

6.4.3 Forward secrecy.

In our improved protocol, the session key is SK_ij = h(n₁||n₂||K||ID_i), and the values of the long term private key of the servers vary from server to server and are not shared with any registered U_i. Assume that the adversary has obtained the long term key PSK, he still cannot compute a valid session key without the secret parameters ID_i and n₁, which are protected by Pub_j and are decryptable only with Pri_j. Moreover, the parameters n₁ and n₂ are random for each session. Therefore, the session key is considered to be safe even though the long term private key of the server is compromised.

7 Functional and performance analysis

In this section, we compare our proposed scheme with the other related schemes in term of the functionality, including Chuang et al.’s scheme, Mishra et al.’s scheme and Lu et al.’s scheme.

7.1 Functional analysis

We perform a comparative analysis of previous schemes, which is illustrated in Table 3. From the table, we can find that the proposed scheme is more secure and provides more functionality requirements than the other related schemes. Moreover, the proposed scheme achieves all resistance requirements.

Download:

Table 3. Functionality comparison.

https://doi.org/10.1371/journal.pone.0187403.t003

7.2 Performance analysis

Now we compare the computational costs and execution time between the proposed scheme and the other related schemes. For the evaluation of the computational costs, let T_h, T_Re, T_Rd, T_sym and T_epm refer to the execution time of one-way hash, RSA encryption, RSA decryption, symmetric key encryption/decryption operation and complexity of executing an elliptic curve point multiplication operation. According to Kilinc et al.’s [40] estimation, the average running time of T_h is about 0.0023ms, T_Re is 3.8500ms, T_Rd is 0.1925ms, T_sym is 0.1303 ms and T_epm is 2.229ms. Table 4 illustrates the comparative performance of our improved scheme and previously proposed schemes.

Download:

Table 4. Computation costs comparison.

https://doi.org/10.1371/journal.pone.0187403.t004

The time consumption of our proposed scheme and of the other related schemes is listed in Table 4. The results shows that the proposed scheme is the most computationally inexpensive one among those schemes based on public key cryptography [31–34]. Note that although our proposed scheme costs more time than rest of the schemes [27–30], it is more secure than these schemes. To sum up, only the proposed scheme provides both the computation efficiency to accomplish mutual authentication and key agreement, and the basic security properties against the known threats. The rest of schemes either are vulnerable to various attacks [27–31], or need more time than our scheme [31–34].

8 Conclusion

In this paper, we firstly analyzed the security of Moon et al’s scheme, and demonstrated that their scheme is vulnerable to the known internal attack, guess attack and impersonation attack. Moreover, their scheme is found not anonymous for the user. To withstand these drawbacks, we proposed an improved biometric-based authentication scheme for multi-server environment and proved that the improved scheme provides secure authentication through the formal security analysis using Burrows-Abadi-Needham logic (BAN-logic) and random oracle model. Moreover, we have shown that our scheme is robust against all known attacks through the informal security analysis. The functional and performance analysis shows that the improved scheme has the best secure functionality and is computational efficient.

References

1. Lamport L. Password authentication with insecure communication[J]. Communications of the Acm, 1981, 24(24):770–772.
- View Article
- Google Scholar
2. Harn L, Huang D, Laih C S. Password authentication using public-key cryptography[J]. Computers & Mathematics with Applications, 1989, 18(12):1001–1017.
- View Article
- Google Scholar
3. Shieh S P, Yang W H, Sun H M. An authentication protocol without trusted third party[J]. IEEE Communications Letters, 1997, 1(3):87–89.
- View Article
- Google Scholar
4. Sun H M. An efficient remote use authentication scheme using smart cards[J]. IEEE Transactions on Consumer Electronics, 2000, 46(4):958–961.
- View Article
- Google Scholar
5. Chien H Y, Jan J K, Tseng Y M. An Efficient and Practical Solution to Remote Authentication: Smart Card[J]. Computers & Security, 2002, 21(4):372–375.
- View Article
- Google Scholar
6. Das M L, Saxena A, Gulati V P. A dynamic ID-based remote user authentication scheme[J]. IEEE Transactions on Consumer Electronics, 2004, 50(2):629–631.
- View Article
- Google Scholar
7. Islam S H. Design and analysis of an improved smartcard-based remote user password authentication scheme[J]. International Journal of Communication Systems, 2014, 29(11):n/a–n/a.
- View Article
- Google Scholar
8. Song R. Advanced smart card based password authentication protocol[J]. 2010, 32(5-6):321–325.
- View Article
- Google Scholar
9. Mishra D, Chaturvedi A, Mukhopadhyay S. Design of a lightweight two-factor authentication scheme with smart card revocation[J]. Journal of Information Security & Applications, 2015, 23(C):44–53.
- View Article
- Google Scholar
10. Srinivas J, Mukhopadhyay S, Mishra D. A Self-Verifiable Password Based Authentication Scheme for Multi-Server Architecture Using Smart Card[J]. Wireless Personal Communications, 2017:1–25.
- View Article
- Google Scholar
11. Maitra T, Islam S H, Amin R, Giri D, Khan M K, Kumar N. An enhanced multiserver authentication protocol using password and smart card: cryptanalysis and design[J]. Security & Communication Networks, 2016, 9(17):4615–4638.
- View Article
- Google Scholar
12. Amin R, Islam SH, Khan MK, Karati A, Giri D, Kumari S. A Two-factor RSA-based Robust Authentication System for Multi-Server Environments[J]. Security and Communication Networks. 2017, 13(1):74–84.
- View Article
- Google Scholar
13. Messerges T S, Dabbish E, Sloan R H. Examining smart-card security under the threat of power analysis attacks[J]. IEEE Transactions on Computers, 2002, 51(5):541–552.
- View Article
- Google Scholar
14. Kocher P C, Jaffe J, Jun B. Differential Power Analysis[C]// International Cryptology Conference on Advances in Cryptology. Springer-Verlag, 1999:388-397.
15. Wang D, Wang P. Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards[M]// Information Security. Springer International Publishing, 2015:1212-1217.
16. Lee J K, Ryu S R, Yoo K Y. Fingerprint-based remote user authentication scheme using smart cards[J]. Electronics Letters, 2002, 38(12):554–555.
- View Article
- Google Scholar
17. Lin C H, Lai Y Y. A flexible biometrics remote user authentication scheme[J]. Computer Standards & Interfaces, 2004, 27(1):19–23.
- View Article
- Google Scholar
18. Khan M K, Zhang J. Improving the Security of ‘A Flexible Biometrics Remote User Authentication Scheme’[J]. Computer Standards & Interfaces, 2007, 29(1):82–85.
- View Article
- Google Scholar
19. Rhee H S, Kwon J O, Lee D H. A remote user authentication scheme without using smart cards[J]. Computer Standards & Interfaces, 2009, 31(1):6–13.
- View Article
- Google Scholar
20. Li C T, Hwang M S. An efficient biometrics-based remote user authentication scheme using smart cards[J]. Journal of Network & Computer Applications, 2010, 33(1):1–5.
- View Article
- Google Scholar
21. Das A K. Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards[J]. Iet Information Security, 2011, 5(3):145–151.
- View Article
- Google Scholar
22. Li X, Niu J W, Ma J, Wang WD, Liu CL. Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications, 34(1), 73-79[J]. Journal of Network & Computer Applications, 2011, 34(1):73–79.
- View Article
- Google Scholar
23. Li X, Niu J, Kumari S, Wu F, Wu F, Khan M K, et al. A Novel Chaotic Maps-Based User Authentication and Key Agreement Protocol for Multi-server Environments with Provable Security[J]. Wireless Personal Communications, 2016, 89(2):569–597.
- View Article
- Google Scholar
24. Kumari S, Das A K, Li X, Wu F, Khan M K, Jiang Q, et al. A provably secure biometrics-based authenticated key agreement scheme for multi-server environments[J]. Multimedia Tools & Applications, 2017:1–31.
- View Article
- Google Scholar
25. Li X, Niu J, Wang Z, Chen C. Applying biometrics to design three-factor remote user authentication scheme with key agreement[J]. Security & Communication Networks, 2014, 7(10):1488–1497.
- View Article
- Google Scholar
26. Chaturvedi A, Mishra D, Jangirala S, Mukhopadhyayet S. A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme[J]. Journal of Information Security & Applications, 2016.
- View Article
- Google Scholar
27. Chuang M C, Chen M C. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics[J]. Expert Systems with Applications, 2014, 41(4):1411–1418.
- View Article
- Google Scholar
28. Mishra D, Das A K, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards[J]. Expert Systems with Applications, 2014, 41(18):8129–8143.
- View Article
- Google Scholar
29. Lu Y, Li L, Yang X, Yang Y. Robust Biometrics Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards[J]. Plos One, 2015, 10(5):e0126323 pmid:25978373
- View Article
- PubMed/NCBI
- Google Scholar
30. Moon J, Choi Y, Jung J, Won D. An Improvement of Robust Biometrics-Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards.[J]. Plos One, 2015, 10(12):e0145263. pmid:26709702
- View Article
- PubMed/NCBI
- Google Scholar
31. Lu Y, Li L, Peng H, Yang W. A biometrics and smart cards-based authentication scheme for multi-server environments[J]. Security & Communication Networks, 2015, 8(17):3219–3228.
- View Article
- Google Scholar
32. Mishra D. Design and Analysis of a Provably Secure Multi-server Authentication Scheme[J]. Wireless Personal Communications, 2016, 86(3):1–25.
- View Article
- Google Scholar
33. Chaudhry S A. A secure biometric based multi-server authentication scheme for social multimedia networks[M]. Kluwer Academic Publishers, 2016.
34. Jiang Q, Khan M K, Lu X, Ma J, He D. A privacy preserving three-factor authentication protocol for e-Health clouds[J]. Journal of Supercomputing, 2016, 72(10):3826–3849.
- View Article
- Google Scholar
35. Li X, Niu J, Kumari S, Wu F, Choo KK R. A robust biometrics based three-factor authentication scheme for Global Mobility Networks in smart city[J]. Future Generation Computer Systems, 2017.
- View Article
- Google Scholar
36. Li X, Ibrahim M H, Kumari S, Sangaiah A K, Gupta V, Choo KK R. Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks[J]. Computer Networks, 2017.
- View Article
- Google Scholar
37. Jin A T B, Ling D N C, Goh A. Biohashing: two factor authentication featuring fingerprint data and tokenised random number[J]. Pattern Recognition, 2004, 37(11):2245–2255.
- View Article
- Google Scholar
38. Abdalla M, Fouque P A, Pointcheval D. Password-Based authenticated key exchange in the three-party setting[C]// International Workshop on Public Key Cryptography. Springer Berlin Heidelberg, 2005:65-84.
39. Burrows M, Abadi M, Needham R. A logic of authentication[J]. Proceedings of the Royal Society A Mathematical Physical & Engineering Sciences, 1990, 8(5):18–36.
- View Article
- Google Scholar
40. Kilinc H H, Yanik T. A Survey of SIP Authentication and Key Agreement Schemes[J]. IEEE Communications Surveys & Tutorials, 2014, 16(2):1005–1023.
- View Article
- Google Scholar

[ref1] 1. Lamport L. Password authentication with insecure communication[J]. Communications of the Acm, 1981, 24(24):770–772.
View Article
Google Scholar

[2] View Article

[3] Google Scholar

[ref2] 2. Harn L, Huang D, Laih C S. Password authentication using public-key cryptography[J]. Computers & Mathematics with Applications, 1989, 18(12):1001–1017.
View Article
Google Scholar

[5] View Article

[6] Google Scholar

[ref3] 3. Shieh S P, Yang W H, Sun H M. An authentication protocol without trusted third party[J]. IEEE Communications Letters, 1997, 1(3):87–89.
View Article
Google Scholar

[8] View Article

[9] Google Scholar

[ref4] 4. Sun H M. An efficient remote use authentication scheme using smart cards[J]. IEEE Transactions on Consumer Electronics, 2000, 46(4):958–961.
View Article
Google Scholar

[11] View Article

[12] Google Scholar

[ref5] 5. Chien H Y, Jan J K, Tseng Y M. An Efficient and Practical Solution to Remote Authentication: Smart Card[J]. Computers & Security, 2002, 21(4):372–375.
View Article
Google Scholar

[14] View Article

[15] Google Scholar

[ref6] 6. Das M L, Saxena A, Gulati V P. A dynamic ID-based remote user authentication scheme[J]. IEEE Transactions on Consumer Electronics, 2004, 50(2):629–631.
View Article
Google Scholar

[17] View Article

[18] Google Scholar

[ref7] 7. Islam S H. Design and analysis of an improved smartcard-based remote user password authentication scheme[J]. International Journal of Communication Systems, 2014, 29(11):n/a–n/a.
View Article
Google Scholar

[20] View Article

[21] Google Scholar

[ref8] 8. Song R. Advanced smart card based password authentication protocol[J]. 2010, 32(5-6):321–325.
View Article
Google Scholar

[23] View Article

[24] Google Scholar

[ref9] 9. Mishra D, Chaturvedi A, Mukhopadhyay S. Design of a lightweight two-factor authentication scheme with smart card revocation[J]. Journal of Information Security & Applications, 2015, 23(C):44–53.
View Article
Google Scholar

[26] View Article

[27] Google Scholar

[ref10] 10. Srinivas J, Mukhopadhyay S, Mishra D. A Self-Verifiable Password Based Authentication Scheme for Multi-Server Architecture Using Smart Card[J]. Wireless Personal Communications, 2017:1–25.
View Article
Google Scholar

[29] View Article

[30] Google Scholar

[ref11] 11. Maitra T, Islam S H, Amin R, Giri D, Khan M K, Kumar N. An enhanced multiserver authentication protocol using password and smart card: cryptanalysis and design[J]. Security & Communication Networks, 2016, 9(17):4615–4638.
View Article
Google Scholar

[32] View Article

[33] Google Scholar

[ref12] 12. Amin R, Islam SH, Khan MK, Karati A, Giri D, Kumari S. A Two-factor RSA-based Robust Authentication System for Multi-Server Environments[J]. Security and Communication Networks. 2017, 13(1):74–84.
View Article
Google Scholar

[35] View Article

[36] Google Scholar

[ref13] 13. Messerges T S, Dabbish E, Sloan R H. Examining smart-card security under the threat of power analysis attacks[J]. IEEE Transactions on Computers, 2002, 51(5):541–552.
View Article
Google Scholar

[38] View Article

[39] Google Scholar

[ref14] 14. Kocher P C, Jaffe J, Jun B. Differential Power Analysis[C]// International Cryptology Conference on Advances in Cryptology. Springer-Verlag, 1999:388-397.

[ref15] 15. Wang D, Wang P. Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards[M]// Information Security. Springer International Publishing, 2015:1212-1217.

[ref16] 16. Lee J K, Ryu S R, Yoo K Y. Fingerprint-based remote user authentication scheme using smart cards[J]. Electronics Letters, 2002, 38(12):554–555.
View Article
Google Scholar

[43] View Article

[44] Google Scholar

[ref17] 17. Lin C H, Lai Y Y. A flexible biometrics remote user authentication scheme[J]. Computer Standards & Interfaces, 2004, 27(1):19–23.
View Article
Google Scholar

[46] View Article

[47] Google Scholar

[ref18] 18. Khan M K, Zhang J. Improving the Security of ‘A Flexible Biometrics Remote User Authentication Scheme’[J]. Computer Standards & Interfaces, 2007, 29(1):82–85.
View Article
Google Scholar

[49] View Article

[50] Google Scholar

[ref19] 19. Rhee H S, Kwon J O, Lee D H. A remote user authentication scheme without using smart cards[J]. Computer Standards & Interfaces, 2009, 31(1):6–13.
View Article
Google Scholar

[52] View Article

[53] Google Scholar

[ref20] 20. Li C T, Hwang M S. An efficient biometrics-based remote user authentication scheme using smart cards[J]. Journal of Network & Computer Applications, 2010, 33(1):1–5.
View Article
Google Scholar

[55] View Article

[56] Google Scholar

[ref21] 21. Das A K. Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards[J]. Iet Information Security, 2011, 5(3):145–151.
View Article
Google Scholar

[58] View Article

[59] Google Scholar

[ref22] 22. Li X, Niu J W, Ma J, Wang WD, Liu CL. Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications, 34(1), 73-79[J]. Journal of Network & Computer Applications, 2011, 34(1):73–79.
View Article
Google Scholar

[61] View Article

[62] Google Scholar

[ref23] 23. Li X, Niu J, Kumari S, Wu F, Wu F, Khan M K, et al. A Novel Chaotic Maps-Based User Authentication and Key Agreement Protocol for Multi-server Environments with Provable Security[J]. Wireless Personal Communications, 2016, 89(2):569–597.
View Article
Google Scholar

[64] View Article

[65] Google Scholar

[ref24] 24. Kumari S, Das A K, Li X, Wu F, Khan M K, Jiang Q, et al. A provably secure biometrics-based authenticated key agreement scheme for multi-server environments[J]. Multimedia Tools & Applications, 2017:1–31.
View Article
Google Scholar

[67] View Article

[68] Google Scholar

[ref25] 25. Li X, Niu J, Wang Z, Chen C. Applying biometrics to design three-factor remote user authentication scheme with key agreement[J]. Security & Communication Networks, 2014, 7(10):1488–1497.
View Article
Google Scholar

[70] View Article

[71] Google Scholar

[ref26] 26. Chaturvedi A, Mishra D, Jangirala S, Mukhopadhyayet S. A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme[J]. Journal of Information Security & Applications, 2016.
View Article
Google Scholar

[73] View Article

[74] Google Scholar

[ref27] 27. Chuang M C, Chen M C. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics[J]. Expert Systems with Applications, 2014, 41(4):1411–1418.
View Article
Google Scholar

[76] View Article

[77] Google Scholar

[ref28] 28. Mishra D, Das A K, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards[J]. Expert Systems with Applications, 2014, 41(18):8129–8143.
View Article
Google Scholar

[79] View Article

[80] Google Scholar

[ref29] 29. Lu Y, Li L, Yang X, Yang Y. Robust Biometrics Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards[J]. Plos One, 2015, 10(5):e0126323 pmid:25978373
View Article
PubMed/NCBI
Google Scholar

[82] View Article

[83] PubMed/NCBI

[84] Google Scholar

[ref30] 30. Moon J, Choi Y, Jung J, Won D. An Improvement of Robust Biometrics-Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards.[J]. Plos One, 2015, 10(12):e0145263. pmid:26709702
View Article
PubMed/NCBI
Google Scholar

[86] View Article

[87] PubMed/NCBI

[88] Google Scholar

[ref31] 31. Lu Y, Li L, Peng H, Yang W. A biometrics and smart cards-based authentication scheme for multi-server environments[J]. Security & Communication Networks, 2015, 8(17):3219–3228.
View Article
Google Scholar

[90] View Article

[91] Google Scholar

[ref32] 32. Mishra D. Design and Analysis of a Provably Secure Multi-server Authentication Scheme[J]. Wireless Personal Communications, 2016, 86(3):1–25.
View Article
Google Scholar

[93] View Article

[94] Google Scholar

[ref33] 33. Chaudhry S A. A secure biometric based multi-server authentication scheme for social multimedia networks[M]. Kluwer Academic Publishers, 2016.

[ref34] 34. Jiang Q, Khan M K, Lu X, Ma J, He D. A privacy preserving three-factor authentication protocol for e-Health clouds[J]. Journal of Supercomputing, 2016, 72(10):3826–3849.
View Article
Google Scholar

[97] View Article

[98] Google Scholar

[ref35] 35. Li X, Niu J, Kumari S, Wu F, Choo KK R. A robust biometrics based three-factor authentication scheme for Global Mobility Networks in smart city[J]. Future Generation Computer Systems, 2017.
View Article
Google Scholar

[100] View Article

[101] Google Scholar

[ref36] 36. Li X, Ibrahim M H, Kumari S, Sangaiah A K, Gupta V, Choo KK R. Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks[J]. Computer Networks, 2017.
View Article
Google Scholar

[103] View Article

[104] Google Scholar

[ref37] 37. Jin A T B, Ling D N C, Goh A. Biohashing: two factor authentication featuring fingerprint data and tokenised random number[J]. Pattern Recognition, 2004, 37(11):2245–2255.
View Article
Google Scholar

[106] View Article

[107] Google Scholar

[ref38] 38. Abdalla M, Fouque P A, Pointcheval D. Password-Based authenticated key exchange in the three-party setting[C]// International Workshop on Public Key Cryptography. Springer Berlin Heidelberg, 2005:65-84.

[ref39] 39. Burrows M, Abadi M, Needham R. A logic of authentication[J]. Proceedings of the Royal Society A Mathematical Physical & Engineering Sciences, 1990, 8(5):18–36.
View Article
Google Scholar

[110] View Article

[111] Google Scholar

[ref40] 40. Kilinc H H, Yanik T. A Survey of SIP Authentication and Key Agreement Schemes[J]. IEEE Communications Surveys & Tutorials, 2014, 16(2):1005–1023.
View Article
Google Scholar

[113] View Article

[114] Google Scholar

Figures

Abstract

1 Introduction

2 Preliminaries

2.1 Definition

2.2 Security model

3 Review of Moon et al.’s scheme

3.1 Registration phase

3.2 Login phase

3.3 Authentication phase

3.4 Password updating

4 Security analysis of Moon et al.’s scheme

4.1 Lack of user anonymity

4.2 Insider attack

4.3 Server spoofing attack

4.4 Guessing attack

4.5 User impersonation attack

5 Our proposed scheme

5.1 Registration phase

5.1.1 Server registration.

5.1.2 User registration.

5.2 Login phase

5.3 Authentication phase

5.4 Password changing phase

6 Security analysis of the proposed scheme

6.1 Verifying the proposed scheme with BAN logic

6.2 Formal analysis

6.3 Informal security analysis

6.3.1 Mutual authentication.

6.3.2 Anonymity.

6.3.3 Off-line password guessing attack.

6.3.4 Insider attack.

6.3.5 Stolen smart card attack.

6.3.6 Replay attack.

6.4 No verification table

6.4.1 User masquerade attack.

6.4.2 Server impersonation attack.

6.4.3 Forward secrecy.

7 Functional and performance analysis

7.1 Functional analysis

7.2 Performance analysis

8 Conclusion

References