Contributions of the paper

Recently, Chaudhry et al. [32] proposed a privacy-preserving password-based authentication scheme for roaming in ubiquitous networks to solve the security issues of Farash et al.’s scheme [29]. They claimed that their scheme is secure against the various known attacks and is lightweight compared with the earlier scheme of Farash et al. [29]. However, We found that Chaudhry et al.’s scheme [32] is still vulnerable to several attacks; therefore, in this paper, we provide the proof that Chaudhry et al.’s scheme [32] is vulnerable to stolen-mobile devices and user impersonation attacks, and has drawbacks to the absence of the incorrect login-input detection, incorrect password change phase, and the absence of the revocation-process provision. To fix the security flaw of the scheme of Chaudhry et al. [32], we present an improved biometric-based authentication scheme for roaming in ubiquitous networks in this paper. In addition, to achieve the three-factor authentication that protects the user’s biometrics, a bio-hash technique is applied in the proposed scheme whenever the user imprints his/her biometrics on a mobile device. Furthermore, we perform formal and informal analyses to prove that the proposed scheme meets the various security requirements, and conduct the comparisons in terms of the computational and communication cost to show the efficiency of the proposed scheme.

Organization of the paper

The remainder of this paper is organized as follows. In Section 2, a number of preliminaries are introduced. A brief review of the scheme of Chaudhry et al. [32] is presented in Section 3, and a cryptanalysis of Chaudhry et al. [32]’s scheme is presented in Section 4. The proposed scheme is presented in Section 5. The proposed scheme is analyzed in terms of formal and informal security in Section 6. Data from the comparisons of the performance of the proposed scheme with other related works are presented in Section 7. The conclusion of this paper is provided in Section 8.

User authentication in ubiquitous networks

To enable the roaming service in ubiquitous networks, MN and FA perform a mutual authentication and share the session key with the support of the HA. The brief description of the user authentication process that is depicted in Fig 1 is as follows:

1. MN sends a login and authentication request message to FA while it visits foreign networks.
2. After it receives the request message from MN, FA transmits it to HA for the authentication of MN.
3. HA authenticates MN by checking the received message from FA, and it responds accordingly to FA.
4. FA sends a response to MN, and then both MN and FA authenticate each other.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. User authentication process in ubiquitous networks.

https://doi.org/10.1371/journal.pone.0193366.g001

Adversarial model

For the analysis of the security of Chaudhry et al. and the proposed scheme in this paper, we consider the adversarial model with following the capacity of adversary:

1. The adversary has full control over the public communication channel, which means that can eavesdrop, insert, delete, alter, or intercept any of the transmitted messages of the public channel.
2. If obtains a stolen or lost mobile device of a user in some way, he/she is able to extract the secret parameters from the device using side-channel attacks [33–36].
3. is capable of enumerating off-line all of the possible items in the Cartesian product within polynomial time, where and denote the dictionary spaces of the identity and password, respectively [37, 38].

Security requirements

Based on recent research efforts [6, 39–41], a biometrics-based authentication scheme for roaming in ubiquitous networks should meet the following security requirements against the adversarial model and the functional requirements to provide user-friendliness:

1. User anonymity: The scheme must ensure the user anonymity to preserve the privacy of MN, i.e., should not be able to discover the real identity of MN.
2. Unlinkability: To provide greater security for the user’s privacy, the scheme should ensure unlinkability, i.e., should not be able to trace the user’s actions.
3. Mutual authentication: The schemes should support mutual authentication to ensure the legitimacy of each participant, i.e., MN, FA, and HA are capable of authenticating each other in the authentication phase.
4. Session key agreement: When the scheme permits the establishment of a session key between each of the participants, the session key that is used to encrypt and decrypt messages in the future communications should be fresh and provide the forward secrecy.
5. Three-factor secrecy: To ensure the secrecy of the user’s private keys, the scheme should provide three-factor (e.g., identity, password, and biometrics) secrecy. The should not be able to extract one secret value from the remaining two factors.
6. Resilience to various attacks: The scheme should provide all major security goals and should be resistant to different types of the known attacks.

Bio-hash function

The biometrics provides a unique identification method to solve the security vulnerabilities of passwords, pins, and tokens that are easy to forget or can be stolen. The imprint biometric characteristics may be slightly different each time due to a variety of reasons such as the user’s dry or cracked skin, and the presence of dirt on the imprint sensor [42]. Therefore, high false rejection of genuine users that results in a denial of access often occur in the evaluation of biometric systems, and this consequently impacts on the usability of a system [43]. To resolve the problem of high false rejection instances, Jin et al. [44] proposed a two-factor authenticator in 2004 that is based on the iterated inner products between a tokenized pseudorandom number and the user-specific fingerprint features. To achieve this, a set of user-specific compact codes called the bio-hash code can be created. The bio-hash is a random mapping of biometric feature onto binary strings with user-specific tokenized pseudorandom numbers. In recent times, many authentication schemes using bio-hash have been proposed [45–47]. According to the recent bio-hash researches [48–51], the execution times of bio-hash are considered to be the same as the one-way hash function. In contrast, the execution time of the fuzzy extractor that is also generally used in biometric-system is considered to be the same as the elliptic-curve cryptography (ECC) [52]. Bio-hash is an effective technique for biometrics-based authentication schemes [53], and it is convenient mechanisms for small devices such as smart cards and mobile devices.

Registration phase

In the registration phase, MN_i registers with HA_k and the following operations are performed:

1. MN_i → HA_k: ID_mi, h(PW_mi||r_A||ID_mi)
   MN_i selects his/her identity ID_mi and password PW_mi, and generates r_A. MN_i then computes h(PW_mi||r_A||ID_mi) and sends a registration request message 〈ID_mi, h(PW_mi||r_A||ID_mi)〉 to HA_k via a secure channel.
2. HA_k → MN_i: PID_mi, A_mi
   HA_k verifies whether MN_i’s ID_mi is valid. If it is valid, HA_k computes the following equations: (1) (2) HA_k then sends EID_mi and A_mi to MN_i via a secure channel.
3. MN_i retains the secret parameters EID_mi, A_mi and r_A in the mobile device.

Login and authentication phase

In this phase, MN_i and FA_j perform a mutual authentication to establish a session key with the support of MN_i’s HA_k. It is assumed that each pair of FA_j and HA_k share pre-shared key K_F,H. The details of the login and authentication procedure, which are depicted in Fig 2 are as follows:

1. MN_i → FA_j: M₁ = 〈PID_mi, MV₂, MV₃, T_mi, ID_hk〉
   MN_i enters his/her ID_mi and PW_mi, generates the random number n_mi, and computes the following equations: (3) (4) (5) MN_i sends the login request message M₁ = 〈EID_mi, MV₂, MV₃, T_mi, ID_hk〉 to FA_j via a public channel.
2. FA_j → HA_k: M₂ = 〈ID_fj, EM₁)〉
   FA_j checks the freshness of T_mi. If it is fresh, FA_j generates the random number n_fj and computes as follows: (6) FA_j then sends the message M₂ = 〈ID_fj, EM₁)〉 to HA_k.
3. HA_k → FA_j: M₃ = 〈EM₂)〉
   HA_k checks ID_fj and finds its corresponding K_F,H. To obtain M₁ and n_fj, HA_k decrypts EM₁ and computes the following equations: (7) (8) (9) (10) Then, HA_k checks the validity of the following equation: (11) If Eq (11) does not hold, this phase is terminated; otherwise, HA_k computes as follows: (12) (13) Lastly, HA_k sends the message M₃ = 〈EM₂〉 to FA_j.
4. FA_j → MN_i: M₄ = 〈ID_fj, FV₁, n_fj〉
   To obtain SK_fj, FA_j decrypts the received message EM₂ and computes as follows: (14) (15) Then, FA_j sends the message M₄ = 〈ID_fj, FV₁, n_fj〉 to MN_i.
5. To check validity of the session key, MN_i computes the following equations: (16) (17) If Eq (17) does not hold, MN_i terminates connection; otherwise, MN_i accepts FA_j as legal and authenticated.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. The login and authentication phase of Chaudhry et al.’scheme.

https://doi.org/10.1371/journal.pone.0193366.g002

Password change phase

MN_i inputs ID_mi, a old password and a new password into his/her mobile device. The mobile device then computes the following equations: (18) (19) Lastly, the mobile device replaces A_mi with .

Stolen-mobile device attack

Under the previously explained adversarial model, it is assumed that somehow acquires MN_i’s mobile device, extracts the secret parameters, and captures the login request message M₁. Using the extracted parameters and the captured messages, can attempt to guess MN_i’s identity and password until the correct identity and password are found.

In [33, 34, 37, 38, 54], the identity and password can be guessed simultaneously after the user’s device is stolen by ; therefore, it is prudent to consider off-line identity and password guessing attacks.

Based on [37], . The time complexity to determine a identity and password is linear to and because the more candidate data the attacker has, the more that matching operations are required to determine the desired value.

To demonstrate the vulnerability of Chaudhry et al.’s scheme [32] to the stolen-mobile device attack, the following scenario is used:

1. eavesdrops the previous login messages M₁ = 〈EID_mi, MV₂, MV₃, T_mi〉, and compromises the secret parameters 〈A_mi, EID_mi, r_A〉 from the mobile device.
2. selects any of the identity and password candidates and .
3. computes .
4. compares .
5. If the comparison shows they are equal, successfully guesses the correct ID_mi and PW_mi. Otherwise, selects another identity and password, and repeats the steps 3 and 4 until he/she finds the correct identity and password.

In Chaudhry et al.’s scheme [32], the time complexity of the guessing attack process is , where T_h is the execution time of the hash operation and T_XOR is the execution time of the exclusive-or operation. Therefore, the time complexity of the guessing attack in Chaudhry et al.’s scheme is not negligible, and their scheme is consequently vulnerable to the stolen-mobile device attack.

User impersonation attack

This subsection presents a demonstration of the way that Chaudhry et al.’s scheme [32] allows to impersonate a legal user if obtains the MN_i’s identity and password through a guessing attack, as presented in the previous subsection, as follows:

1. obtains the secret parameters 〈A_mi, EID_mi, r_A〉, correctly guessing the identity and password of MN_i by completing the stolen-mobile device attack.
2. The mobile device of generates the random number n_ai, and computes the following equation: sends the login request message to FA_j, where T_A is the current timestamp of .
3. Because of the validation of , FA_j and HA_k successfully proceed the subsequent steps of the authentication phase. Lastly, FA_j sends the message M₄ = 〈ID_fj, FV₁, n_fj〉 to MN_i, but receives M₄ and computes the following equations: (20) (21) If Eq (21) holds, has successfully established a session key with FA_j.

Therefore, Chaudhry et al.’s scheme [32] is vulnerable to the user impersonation attack.

Absence of the incorrect login-input detection

The detection of the incorrect login inputs must be performed at the beginning of the login phase. However, Chaudhry et al.’s scheme [32] does not support the incorrect input detection during the login and authentication phase. In their scheme, the MN_i sends the message M₁ without verifying the correctness of the ID_mi and PW_mi. Even if MN_i mistakenly enters the wrong and , the mobile device can still compute , and . As a result, an invalid form of the login request message, M₁, is transmitted to HA_k through FA_j, thereby resulting in unnecessary computations and communication costs.

Incorrectness of the password change phase

Chaudhry et al.’s scheme [32] allows the user to change his/her password easily without any server assistance. However, in the password change phase, the mobile device does not check the accuracy of the old password when MN_i enters the old and new passwords to replace the old password with a new password. If MN_i enters the old password incorrectly, an incorrect MV₁ is computed with Eq (18), and an incorrect is also computed with Eq (19). As a result, h(K_H ⊕ ID_mi) will be damaged beyond the possibility of a restoration, thereby causing HA_k’s rejection of MN_i in the future authentication phase.

No provision for revocation

The revocation of a stolen or lost mobile device is essential for the practical deployment of smart card-based authentication schemes [55]. If a legal MN_i’s mobile device is lost or stolen, some kind of mechanism must be in place to prevent the misuse of the mobile device. To address this problem, the server needs to maintain the identity information that will serve as the basis for the detection of the invalid mobile device [56]. However, Chaudhry et al.’s scheme [32] scheme does not take this feature into consideration.

Registration phase

The registration phase for the mobile user MN_i that are illustrated in Fig 3 involves the following operations:

1. MN_i → HA_k: ID_mi, PWB_mi
   MN_i selects his/her ID_mi and PW_mi and inputs BIO_mi. MN_i then computes the following equation: (22) MN_i subsequently sends a registration request message 〈ID_mi, PWB_mi〉 to HA_k via a secure channel.
2. HA_k → MN_i: PID_mi, A_mi, B_mi, r_A
   HA_k then verifies the identity of MN_i and computes the following equation: (23) HA_k searches RID_mi in the database to verify the presence of an already registered user with the same ID_mi; if this is verified, HA_k requests a new identity from MN_i. Otherwise HA_k gernerates r_A and r_D, and computes the following equations: (24) (25) (26) If MN_i is a new user, HA_k sets I_mi to zero, otherwise, I_mi = I_mi + 1. HA_k then stores I_mi, PID_mi, and RID_mi as a tuple in the database, and it sends 〈PID_mi, A_mi, B_mi, r_A〉 to MN_i via a secure channel.
3. MN_i stores all of the received parameters into the mobile device.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. The registration phase of the proposed scheme.

https://doi.org/10.1371/journal.pone.0193366.g003

Login and authentication phase

In this phase, MN_i and FA_j perform a mutual authentication to establish a session key with the support of MN_i’s HA_k. It is assumed here that each pair of FA_j and HA_k share the pre-shared key K_F,H. The details of the login and authentication procedure that are illustrated in Fig 4 are as follows:

1. MN_i → FA_j: M₁ = 〈PID_mi, MV₂, MV₃, ID_hk〉
   MN_i enters his/her ID_mi, PW_mi, and BIO_mi, and it then computes as follows: (27) HA_k then checks the validity of: (28) If Eq (28) does not hold, MN_i terminates the user’s login request. Otherwise, MN_i generates n_mi and computes the following equations: (29) (30) (31) MN_i then sends the login request message M₁ = 〈PID_mi, MV₂, MV₃, ID_hk〉 to FA_j.
2. FA_j → HA_k: M₂ = 〈ID_fj, FV₂, FV₃, M₁〉
   FA_j generates the random number n_fj and computes the following equations: (32) (33) (34) FA_j sends the message M₂ = 〈ID_fj, FV₂, FV₃, M₁〉 to HA_k.
3. 
   HA_k checks ID_fj to find its corresponding K_F,H and computes the following equations: (35) (36) (37) If Eq (37) does not hold, this phase is terminated; otherwise, HA_k accepts FA_j as legitimate. HA_k then computes the following equations: (38) (39) (40) (41) If Eq (41) does not hold, this phase is terminated; otherwise, HA_k accepts MN_i as legitimate. HA_k then generates and computes the following equations: (42) (43) (44) (45) HA_k then replaces PID_mi with , and it then sends the message to FA_j.
4. 
   FA_j computes the following equations: (46) (47) If Eq (47) does not hold, FA_j terminates the connection; otherwise, FA_j computes the following equation: (48) FA_j then sends the message to MN_i.
5. MN_i computes the following equations to check the validity of the session key: (49) (50) (51) If Eq (51) does not hold, MN_i terminates the connection; otherwise, MN_i accepts FA_j as legal and authenticated. That is, MN_i, FA_j and HA_j have all successfully established the same session key, SK. Lastly, MN_i replaces PID_mi with .

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. The login and authentication phase of the proposed scheme.

https://doi.org/10.1371/journal.pone.0193366.g004

Password change phase

In this phase, MN_i changes its password on the mobile device without the help of the HA. The details of the password change phase that are illustrated in Fig 5 are as follows:

1. MN_i inputs ID_mi, BIO_mi, a old password and a new password into his/her mobile device. MN_i then computes the following equations: (52) (53) If Eq (57) does not hold, MN_i terminates this phase; otherwise, MN_i computes the following equations: (54) (55) (56) (57) Finally, MN_i replaces and with and , respectively.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. The password change phase of the proposed scheme.

https://doi.org/10.1371/journal.pone.0193366.g005

Mobile device revocation phase

To recover a stolen/lost mobile device or a long-term key of MN_i, the mobile device revocation mechanism that is illustrated in Fig 6 is activated as follows:

1. 
   If MN_i wants to revoke and reissue a secret parameter, MN_i selects an old identity and a new identity , inputs a new password and BIO_mi into his/her mobile device. MN_i then computes the following equation: (58) MN_i subsequently sends a revocation request message to HA_k via a secure channel.
2. HA_k → MN_i: A_mi, B_mi
   HA_k then verifies the identity of MN_i and computes the following equation: (59) HA_k searches in the database to verify the presence of a registered user. If this is the case, HA_k generates the new random nonces and , and computes the following equations: (60) (61) (62) HA_k updates I_mi, PID_mi, and RID_mi with , and , respectively. It then sends to MN_i via a secure channel.
3. Finally, MN_i stores all of the received parameters into the mobile device.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. The revocation phase of the proposed scheme.

https://doi.org/10.1371/journal.pone.0193366.g006

Formal verification using ProVerif

ProVerif is an automatic tool for analyzing cryptographic protocols according to the formal model (the so-called Dolev–Yao model). It supports a wide range of cryptographic primitives that are defined by rewrite rules or equations, as follows: asymmetric and symmetric en/decryption, digital signatures, and hash functions. This tool can prove the various security properties as follows: secrecy, authentication, and process equivalences of the protocol with unlimited sessions and message space [57].

The verification structure of ProVerif is illustrated in Fig 7. First, ProVerif takes as its input a protocol description to perform a verification in a dialect of the applied pi calculus, which is an extension of the pi-calculus and is a language for describing and analyzing protocols.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. Structure of ProVerif.

https://doi.org/10.1371/journal.pone.0193366.g007

It also takes an input the security properties that are being proven here. It then automatically translates this protocol description into Horn clauses and the security properties into derivability queries on these clauses, and it determines whether a fact can be proved from these clauses using an algorithm that is based on a resolution with a free selection. If the fact is not derivable, the corresponding security properties are proved. If the fact is derivable, the protocol may be vulnerable to an attack against the corresponding security properties. Actually, the derivation either corresponds to a real attack or a false attack, since the problem of the protocol verifications for an unbounded number of sessions is not decidable.

Recently, many researchers [58–61] have used ProVerif to verify the security of the schemes for the key agreement and authentication. In this section, the security of the proposed scheme is proven using ProVerif, where the ProVerif code is introduced as a description of the proposed scheme, and the analysis results are then provided.

The definitions for the process of the proposed scheme are shown in Fig 8, wherein the following identifiers are used: “cha” denotes the private channel between the MN_i and HA_k; “chb” and “chc” denote the public channels between the MN_i and FA_j and the FA_j and HA_k, respectively; “IDmi”, “PWmi”, and “BIOmi” denote the private MN identity, password, and biometrics, respectively; “IDfj” and “IDhk” denote the public identity of FA_j and HA_k, respectively. “KH” denotes the HA_k’s private key; “KFH” denotes the pre-shared key between the FA_j and HA_k; “SKfj” denotes a HA_k-generated session key that is transmitted to the FA_j; and “SKmi” denotes an MN_i-generated session key. The constructors for the operations of the concatenation, symmetric cryptography, exclusive-or, one-way hash, and bio-hash are defined from the lines 18 to 22. In addition, the destructors for the symmetric decryption and exclusive-or operations are defined in the lines 23 and 24. In the lines 26 to 31, six events that indicate the start and end of each node are defined to verify the correspondence relations for the messages of each node.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 8. ProVerif code for definitions.

https://doi.org/10.1371/journal.pone.0193366.g008

Fig 9 shows the code for the entire MN_i process. The MN_i process of the registration phase is modeled in the lines 34 to 36. The MN_i process of the login and authentication phase is modeled in the lines 37 to 50.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 9. ProVerif code for entire MN process.

https://doi.org/10.1371/journal.pone.0193366.g009

Fig 10 shows the code for the entire FA_j process. The FA_j process of the login and authentication phase is modeled in the lines 53 to 70.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 10. ProVerif code for entire FA process.

https://doi.org/10.1371/journal.pone.0193366.g010

Fig 11 shows the code for the entire HA_k process. The HA_k process of the registration phase is modeled in the lines 73 to 80. The HA_k process of the login and authentication phase is modeled in the lines 81 to 101.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 11. ProVerif code for entire HA process.

https://doi.org/10.1371/journal.pone.0193366.g011

The code for the modeling of the adversary capabilities and the verifying of the interprocess equivalences is shown in Fig 12. The lines 103 to 104 prove that the session keys SKfj and SKmi are secret and unknown to the adversary. The lines 105 to 107 verify the internodal relationships to determine the execution of the proposed scheme in the correct order.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 12. ProVerif code for adversary capabilities and verifying equivalences verification.

https://doi.org/10.1371/journal.pone.0193366.g012

When the code that defines the elements that are needed to configure the protocol is run, ProVerif prints the results in the following format:

1. RESULT inj–event[Event] ==> inj–event[Event] is true: The event is proved; for example, the authentication of A to B or the others hold.
2. RESULT inj–event[Event] ==> inj–event[Event] is false: The event is not proved; that is, the authentication of A to B or the others does not hold
3. RESULT [Query] is true: The query is proved, so there is no attack. In this case, ProVerif displays no attack derivation and no attack trace.
4. RESULT [Query] is false: The query is false, as ProVerif has discovered an attack against the desired security property. The attack traces with the attack derivations, which represent the real attack, are displayed.

The execution of the ProVerif code for the verification of the security and the authentication of the proposed scheme produces the simulation result, as shown in Fig 13, thereby verifying the accuracy of the results for all of the events and queries. That is, the successful mutual authentication of the proposed scheme has been achieved as the mutual communication with all of the authentication factors among MN_i, FA_j, and HA_k, as defined by the previously mentioned events. Furthermore, the session keys of the proposed scheme are secure against the adversary; therefore, the proposed scheme can be considered as secure against simulated attacks.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 13. ProVerif simulation result of the proposed scheme.

https://doi.org/10.1371/journal.pone.0193366.g013

Formal verification using the random oracle model

In this section, the formal security analysis of the proposed scheme is demonstrated using the random oracle model. For this, we define a hash function and symmetric cryptography as follows:

Definition 1. A hash function h: {0, 1}* → {0, 1}ⁿ is a one-way function that takes an input x ∈ {0, 1}* of an arbitrary length and outputs a bit string with a fixed-length h(x) ∈ {0, 1}ⁿ and it satisfies the following three security requirements:

• It is computationally infeasible to find an input x such that y = h(x).
• It is computationally infeasible to find another input x′ ≠ x such that the h(x′) = h(x).
• It is computationally infeasible to find the inputs (x, x′), with x′ ≠ x, such that h(x′) = h(x).

Definition 2. A symmetric cryptography ∏ = (E, K, KSPC, MSPC) is a pair of algorithms that is associated with the finite sets, KSPC(k) and MSPC(k), {0, 1}*, for k ∈ N.

• E, called the encryption algorithm, is a deterministic algorithm that takes a pair of the strings, a and x and produces y = E_a(x).
• D, called the decryption algorithm, is a deterministic algorithm that takes a pair of the strings, a and y and outputs the string x = D_a(y)

It is required here, for any k ∈ N, if a ∈ KSPC(k), x ∈ MSPC, any y = E_a(x), then D_a(y) = x.

Theorem 1. Under the assumption that the one-way hash function and the symmetric cryptography closely behave like an oracle, then the proposed scheme is provably secure against for the protection of the identity ID_mi of MN_i, and the private key K_H of HA_k.

Reveal: Given the hash result y = h(x), this random oracle will unconditionally output the input x.

Extract: Given the cipher text C = E_Kx(P), this random oracle will unconditionally output the plain text P.

Proof. A method for the formal security proof that is similar to that used in [62–64] is applied in the proposed scheme. For the proof, it is assumed that is able to derive ID_mi and K_H. For this, runs the experimental algorithm that is shown in Algorithm 1, for the proposed improved and anonymous user authentication scheme, called IAUAS. The success probability of is defined by the following equation: (63) The advantage function for this experiment becomes as following equation: (64) in which the maximum is determined by all of with the execution time t and the number of queries q_R and q_E that are made to the Reveal and Extract oracles, respectively. If is able to invert the hash function and the symmetric cryptography that are provided in Definitions 1 and 2, can directly derive ID_mi and K_H. Consider the attack experiment that is shown in Algorithm 1. In this case, will discover the complete connections between all of the participants. However, it is computationally infeasible to invert the input from the given hash and encrypted values, i.e., , ∀ϵ > 0. Then, is obtained, because it depends on . Since is negligible, is also negligible. As a result, cannot compute the ID_mi and K_H and the proposed scheme is provably secure against for the deriving of them.

Algorithm 1: Algorithm

1. Eavesdrop login request message 〈PID_mi, MV₂, MV₃, ID_hk〉 during the login and authentication phase.

2. Call the Reveal oracle. Let

3. Call the Extract oracle. Let

4. Computes

5. if then

6.  Call the Reveal oracle. Let

7.  if then

8.   Compute

9.    if then

10.    Accept as the correct secret key K_H of HA_k

11.    Accept as the correct secret key ID_mi of MN_i

12.    return 1 (Success)

13.   else

14.    return 0

15.   end if

16.  else

17.   return 0

18.  end if

19. else

20.  return 0

21. end if

Theorem 2. Under the assumption that the one-way hash function and the symmetric cryptography closely behave like an oracle, then the proposed scheme is provably secure against for the protection of ID_mi, PW_mi, and BIO_mi of MN_i, and the private key K_H of HA_k.

Proof. For this proof, it is assumed that is able to derive ID_mi, PW_mi, BIO_mi and K_H after extracting the secret parameters A_mi, B_mi, and C_mi that are stored in the mobile device using side-channel attacks [33, 34, 65]. runs the experimental algorithm that is shown in Algorithm 2. The success of the probability of is defined as the following equation: (65) The advantage function for this experiment becomes as following equation: (66) in which the maximum is determined by all of with the execution time t₂ and the number of queries q_R and q_E that are made to the Reveal and Extract oracles, respectively. If is able to invert the hash function and the symmetric cryptography, can directly derive ID_mi, PW_mi, BIO_mi, and K_H. Consider the attack experiment that is shown in Algorithm 2. It is computationally infeasible to invert the input from given hash and encrypted values, i.e., , ∀ϵ > 0). Then, is obtained, because it depends on . Since is negligible, is also negligible. As a result, cannot compute the ID_mi, PW_mi, BIO_mi, and K_H, and the proposed scheme is provably secure against for deriving them even if the mobile device is stolen by .

Algorithm 2: Algorithm

1. Extract the information {PID_mi, A_mi, B_mi, r_A, h(⋅), H(⋅)} that is stored in the mobile device through a physical monitoring of its power consumption.

2. Call the Reveal oracle. Let

3. Call the Reveal oracle. Let

4. Computes

5. if then

6.  Accepts and as the correct PW_mi and BIO_mi of MN_i

7.  Call the Extract oracle. Let

8.  if then

9.   Compute

10.   Compute

11.   Call the Reveal oracle. Let

12.   if then

13.    Accepts as the correct ID_i of user MN_i

14.    Compute

15.    if then

16.     Accept as the correct secret key K_H of HA_k

17.     return 1 (Success)

18.    else

19.     return 0

20.    end if

21.   else

22.    return 0

23.   end if

24.  else

25.   return 0

26.  end if

27. else

28.  return 0

29. end if

Informal verification

In this section, we perform an informal security analysis of the proposed scheme to prove that it is secure against the various security threats. According to the adversarial model that is described in the preliminary knowledge section, can perform the following attacks to undermine the security of the proposed scheme.

1. has full control over the public communication channel, eavesdropping on the messages M₁, M₂, M₃, and M₄, and then inserting new values or removing a value.
2. If obtains a stolen or lost mobile device of a user in some way, he/she is able to extract the PID_mi, A_mi, B_mi, and r_A from the device using side-channel attacks [33, 34].
3. has the ability to make an offline guessing attack within a polynomial time and can try to threaten the privacy of the user by enumerating the eavesdropped messages and the extracted parameters.

Table 2 shows the analysis summary of the comparison of the proposed scheme with the related schemes [26–29, 32].

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Comparative summary: Security requirements.

https://doi.org/10.1371/journal.pone.0193366.t002

User anonymity

In the proposed scheme, the pseudo-identity PID_mi = E_h(KH)(ID_mi||r_D) that varies each session by r_D is used. After MN_i is authenticated by HA_k in Eq (41), HA_k replaces the existing PID_mi with a new using a new . Then, is transmitted to MN_i that has been encrypted with HA_k’s private key K_H in Eq (42). Therefore, even if obtains PID_mi by eavesdropping the public messages or extracting the secret parameters stored in the mobile device, the proposed scheme guarantees the user anonymity because it is not possible for to know the real identity ID_mi of MN_i.

User untraceability

In the login and authentication phase, MN_i sends PID_mi, MV₂ and MV₃ via a public channel. They contain n_mi and r_D, which are changed for each session. That is, cannot trace MN_i’s actions in the proposed scheme because these parameters are computed each time with a different value. Therefore, the proposed scheme ensures the user untraceability.

Stolen-mobile device attack

With the proposed scheme, needs to know K_H to guess ID_mi and PW_mi; however, K_H is not stored in the mobile device directly, nor it is transmitted via the public channel as plaintext. Also, even if finds this value somehow, he/she still cannot guess PW_mi without H(BIO_mi) that is unique to only MN_i. Therefore, the proposed scheme withstands the stolen-mobile device attack.

Mutual authentication

In the proposed scheme, MN_i and FA_j authenticate each other with the assistance of HA_k. Only a legitimate MN_i can compute MV₁ that cannot compute because of PWB_mi. Accordingly, HA_k authenticates only the legitimate MN_i using Eq (41). Also, only the legitimate HA_k is authenticated by MN_i through the verification of , as shown in Eq (51). Only FA_j and HA_k that share K_F,H can verify each other using the same key to compute valid messages, and only they can compute and obtain a valid session key, SK. Therefore, the adversary or invalid participants cannot carry out the login and authentication phase. Furthermore, FA_j authenticates HA_k by performing Eq (47). After it receives M₄, MN_i can verify that using Eq (51) to authenticate FA_j and to establish the session key, SK. Therefore, the proposed scheme achieves the mutual authentication.

Session key agreement

After the login and authentication process, FA_j receives HV₁ and obtains the session key SK_fj from HA_k, and MN_i generates the session key SK_mi. As a result, only the legitimate MN_i and FA_j establish the same session key SK_mi = h(MV₁||ID_mi||ID_fj||n_mi) = SK_fj. Therefore, the proposed scheme provides a secure session key agreement.

User impersonation attack

With the proposed scheme, the user impersonation attack is prevented by the mutual authentication, local user-verification process, and prevention of the stolen-mobile-device attack. Furthermore, the proposed scheme provides a secure session key agreement. Therefore, the proposed scheme ensures the prevention of the user impersonation attack.

Replay attack

might replay an old login request message M₁ to FA_j and receive the message M₄ from FA_j. However, still cannot compute the correct session key SK as he/she is not capable of computing ID_mi and n_mi without K_H. Furthermore, cannot derive the session key, SK, without K_F,H. Therefore, the proposed scheme is secure against the replay attack.

Local user verification process

With the proposed scheme, mobile devices verify the legality of the user. Only a user who enters the correct ID_mi, PW_mi, and BIO_mi can pass the user-verification process, as given by Eq (28). In addition, since BIO_mi of each individual user is unique, cannot attempt an illegal access.

Stolen-verifier attack

In the login and authentication phase of the proposed scheme, HA_k does not store and receive any of the credentials of MN_i such as PW_mi and H(BIO_mi). Furthermore, HA_k retains RID_mi in the database; however, cannot know the real identity of MN_i even if steals the user registration information from HA_k’s database. Therefore, the proposed scheme withstands the stolen-verifier attack.

Privileged-insider attack

In the registration phase of the proposed scheme, MN_i sends ID_mi and PWB_mi to HA_k. Here, PWB_mi contains H(BIO_mi). The insider of HA_k cannot derive MN_i’s password PW_mi. Therefore, he/she cannot try to impersonate MN_i to access FA_j. Furthermore, MN_i can change his/her password, PWB_mi, without the assistance of HA_k in the password change phase. Since it is not possible for the insider to know the MN_i’s password, PW_mi, the proposed scheme resists the privileged-insider attack.

User-friendly password change

Generally, it is recommended that the performance of the password change process is without any server involvement, thereby providing a user-friendliness and an improvement of the computational efficiency. In the password change phase of the proposed scheme, the existing user password is self-verified in the user’s mobile device, and it is replaced by the new password only if it passes the verification process. Therefore, the proposed scheme supports an efficient password change phase.

Forward secrecy

In the proposed scheme, even though the generated session key between all of the participants can be compromised by , he/she cannot recover any earlier session keys because the session key SK_mi = h(MV₁||ID_mi||ID_fj||n_mi) = SK_fj is different each time. Consequently, a significant correlation was not found between the past, current, and future session keys. Therefore, the proposed scheme ensures the forward secrecy.

Foreign bypass attack

During the authentication phase of the proposed scheme, may try to construct the messages M₁ and M₂ using the parameters that are stored in a stolen mobile device and transmitted over a public channel to impersonate a legitimate FA_j. However, cannot compute FV₁, because K_F,H is not public information. Thus, cannot construct a sufficient message to cheat HA_k. Eventually, is unable to impersonate a valid FA_j.

Does not need time synchronization

In many authentication schemes, timestamps are used to resist the replay attack. However, by using the timestamp in the authentication scheme, the clocks of MN_i and HA_k must be synchronized beforehand. In the synchronization process, there is the possibility that time synchronization error occurs; therefore, to prevent this problem, the proposed scheme only uses random-number-based authentication mechanism instead of timestamps.

Provision of the revocation phase

In the proposed scheme, if MN_i’s mobile device is stolen/lost or a secret parameter/authentication factor is revealed, HA_k can issues new secret parameters to MN_i for the purpose of recovery. HA_k retains RID_mi that is encrypted with the real identity of MN_i, in the database. When HA_k receives a revocation request with ID_m i from MN_i, HA_k computes and compares it with the existing RID_mi that is stored in the database to verify that MN_i is registered and legitimate. Therefore, the proposed scheme can cope with unexpected problems by supporting the revocation phase.

Comparisons of the computational costs

We consider four cryptographic operations: hash function T_h, the symmetric en/decryption T_s, the ECC-based asymmetric en/decryption T_e, and the modular exponent operation T_m were considered. The authors [66] measured the approximate execution time of each cryptographic operation on the following central processing unit (CPU): Intel(R) Core(TM)2T6570 2.1GHz, 4G memory, OS:Win7 32-bit, and Visual C++ 2008 software using the MIRACL C/C++ library. The authors considered the 1024-bit Rivest–Shamir–Adleman (RSA) algorithm, the 320-bit ECC algorithm, the 128-bit Advanced Encryption Standard (AES) algorithm, and the 160-bit Secure Hash Algorithm 1 (SHA-1) hash function, and the experiment the results are T_m ≈ 1.8269ms, T_e ≈ 1.6003ms, T_s ≈ 0.1303ms, and T_h ≈ 0.0004ms, respectively. The registration and password change phases were excluded from the comparison because the registration phase of the mobile node occurs only once and the password change phase can be executed only within MN. Therefore, only the login and authentication phase was considered in the comparison, because this phase frequently occurs during the intercommunication between participants when the mobile node accesses the ubiquitous networks and the roaming occurs.

Table 3 shows the comparative summary in terms of the computational costs of MN, FA, and HA, as well as the total cost of the different participants. The result of the proposed scheme is 0.2614ms, while the results of the schemes of Jiang et al., Wen et al., Farash et al., Gope and Hwang, Wu et al., and Chaudhry et al. are 3.6543ms, 7.3081ms, 0.5217ms, 3.6543ms, 6.9232ms, and 0.6519ms, respectively. The Table 3 highlights that the computational cost of the proposed scheme is lowest in comparison with the related schemes.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Comparative summary: Computational cost.

https://doi.org/10.1371/journal.pone.0193366.t003

Comparisons of the communication costs

For the communication costs, a comparison of the login and authentication phases that referred to [67, 68] was performed, and it is assumed that the lengths of the identity, random number, and timestamp are 128 bits, 64 bits, and 32 bits, respectively. The hash function and the symmetric-key encryption produce 160 bits and 256 bits, respectively. For the asymmetric-key encryption, the modular prime operation and the scalar multiplication operation on the elliptic curve produces 1024 bits and 320bits, respectively.

Table 4 provides the data of the comparisons of the communication costs of the login and authentication phases of the proposed scheme with the other existing schemes. The total communication cost of proposed scheme is 2976 bits, while the schemes of Jiang et al., Wen et al., Farash et al., Gope and Hwang, Wu et al., and Chaudhry et al. are 3200 bits, 3072 bits, 1696 bits, 3072 bits, 3936 bits, and 1824 bits, respectively. Although the total communication costs of the scheme of Farash et al. and Chaudhry et al. are less than that of the proposed scheme, their schemes are insecure, as previously mentioned. Therefore, the proposed scheme is a more practical option for the ubiquitous network environment.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 4. Comparative summary: Communication cost.

https://doi.org/10.1371/journal.pone.0193366.t004