
An improved biometrics-based remote user authentication scheme with user anonymity.

Muhammad Khurram Khan1, Saru Kumari2.   

Abstract

The authors review the biometrics-based user authentication scheme proposed by An in 2012 and show that it contains loopholes that are detrimental to its security. They therefore propose an improved scheme that eradicates the flaws of An's scheme, followed by a detailed security analysis and an efficiency comparison. The proposed scheme not only withstands the attacks found against An's scheme but also provides extra features at the cost of only two additional hash operations: it allows a user to change his password freely and provides user anonymity with untraceability.


Year:  2013        PMID: 24350272      PMCID: PMC3856130          DOI: 10.1155/2013/491289

Source DB:  PubMed          Journal:  Biomed Res Int            Impact factor:   3.411


1. Introduction

In the last two decades, digital authentication has emerged as the preferred method for authenticating remote users over insecure networks. Since the first user authentication scheme proposed by Lamport [1], a considerable amount of research has been conducted in this field, of which the schemes [1-25] are a few examples. Over time, user authentication schemes underwent many changes: the initial schemes were based on a password only [1-4], later schemes were based on a smart card and a password [5-13], and the reliability of biometric authentication over traditional password-based authentication gave rise to biometrics-based user authentication schemes [14-20]. In 2010, Li and Hwang [19] proposed a biometrics-based user authentication scheme. In 2011, Das [26] examined Li-Hwang's scheme and found problems in its login and authentication phase, in its password change phase, and in its biometric verification mechanism. Das showed that the user's smart card does not validate the entered password during the login phase, which leads to useless computations in the login and authentication phase and, for the same reason, to incorrect password updates. Das therefore proposed an improvement [26] of Li-Hwang's scheme, claimed it to be free from the problems observed in Li-Hwang's scheme, and claimed that it also provides mutual authentication. In 2012, An [27] pointed out that Das's scheme [26] falls short of this claim, since an adversary who extracts the values stored in a legal user's smart card can mount impersonation attacks and a password guessing attack. An [27] thereby proposed an enhanced scheme to eradicate the flaws of Das's scheme. In this paper, we review An's biometrics-based user authentication scheme.

We show that An's scheme is vulnerable to the same security problems as Das's scheme: online and offline password guessing attacks, user and server impersonation attacks, lack of mutual authentication, and lack of user anonymity. Besides, An's scheme lacks a password change facility, which is an important part of any password-based user authentication scheme. We remove these drawbacks by proposing an improved user authentication scheme that, in addition to resisting the above threats, provides password changing and user anonymity. The rest of this paper is arranged as follows. In Section 2, we review An's user authentication scheme. Section 3 presents the cryptanalysis of An's scheme. In Section 4, we present our improved scheme. Section 5 gives the security analysis of the improved scheme. In Section 6, we compare the improved scheme with related schemes. Finally, the conclusion is presented in Section 7.

2. Review of An's Scheme

The notations used in this paper are summarized with their descriptions in Table 1. In this section, we review An's scheme [27], which is an enhanced version of Das's scheme [26]. It has three phases: registration, login, and authentication. The registration phase is carried out over a secure channel, whereas the login and authentication phases are carried out over an insecure channel. There are three participants in the scheme: the user C, the server S, and the registration centre R, where R is assumed to be a trusted party. Details of each phase are given in the following subsections.
Table 1

Notations with their description.

Notation      Description
R             Trusted registration centre
S             Server
C             User
ID            Identity of C
PW            Password of C
B             Biometric template of C
SC            Smart card of C
K             Random number chosen by C
R_c           Random number generated by SC of C
R_s           Random number generated by S
U             Attacker
x_s and y_s   Secret keys maintained by S
h(·)          One-way hash function
⊕             Bitwise XOR operator
||            Concatenation operator

2.1. Registration Phase

At the beginning of the scheme, the registration centre R and the user C carry out this phase as follows. C submits his identity ID and the masked password (PW ⊕ K) to R via a secure channel, and also submits his masked biometric (B ⊕ K) via the specific device; here K is a random number chosen by C. R computes f = h(B ⊕ K), r = h(PW ⊕ K) ⊕ f, and e = h(ID||x_s) ⊕ r, where x_s is a secret key generated and maintained by S. R then stores {ID, f, e, h(·)} in a smart card SC and delivers it to C via a secure channel. On receiving SC = {ID, f, e, h(·)}, the user stores his random number K into the card, so that finally SC = {ID, f, e, K, h(·)}.

2.2. Login Phase

When the user C wishes to log in to the server S, the user and his smart card SC perform the following steps. C inserts his smart card into a card reader and presents his biometric B on the specific device. SC computes h(B ⊕ K) and checks whether f = h(B ⊕ K); if so, C passes the biometric verification. C then enters his ID and PW, and SC generates a random number R_c and computes
M1 = e ⊕ f ⊕ h(PW ⊕ K) (= h(ID||x_s)),
M2 = M1 ⊕ R_c,
M3 = h(M1||R_c).
C sends the login request {ID, M2, M3} to S. Note that SC never checks the entered PW itself; a wrong password simply yields a wrong M1 and a login request that S will reject.

2.3. Authentication Phase

On receiving the login request {ID, M2, M3} from C, the server S and the user C perform the following steps to authenticate each other. S first checks the format of ID. If ID is valid, S computes M4 = h(ID||x_s) and M5 = M2 ⊕ M4 (= R_c) and checks whether M3 = h(M4||M5). If they are equal, S generates a random number R_s and computes
M6 = M4 ⊕ R_s,
M7 = h(M4||R_s).
Then S sends the reply message {M6, M7} to C for its own authentication. On receiving {M6, M7}, the user C computes M8 = M6 ⊕ M1 (= R_s) and checks whether M7 = h(M1||M8). If they are equal, C computes M9 = h(M1||R_c||M8) and sends the reply message {M9} to S. On receiving {M9}, the server checks whether M9 = h(M4||M5||R_s). If they are equal, S accepts the login request {ID, M2, M3} of C.

3. Cryptanalysis of An's Scheme

This section describes the security problems of An's scheme. We show that an attacker U can mount several attacks on the scheme. Independent research by Kocher and by Messerges [28, 29] shows that the values stored inside a smart card can be extracted, so we assume that U can extract the parameters stored inside a user's smart card.

3.1. Online Password Guessing Attack

If U obtains the smart card SC of user C and extracts [28, 29] the values {ID, f, e, K, h(·)} stored inside it, he can mount an online password guessing attack as follows.
(1) U computes e ⊕ f (= h(ID||x_s) ⊕ h(PW ⊕ K)).
(2) U guesses PW* as the user's possible password and computes M1* = [e ⊕ f] ⊕ h(PW* ⊕ K).
(3) U computes M2* = M1* ⊕ R_a and M3* = h(M1*||R_a), where R_a is a random number generated on U's own system, and sends {ID, M2*, M3*} to S as a login request.
(4) If U receives no response from S, he repeats from step (2) with another guess; if S answers with a reply message, the guessed password PW* is correct.
Each guess costs one login attempt that S can observe, so this variant is bounded by whatever lockout or rate-limiting policy S applies; the offline variant below has no such bound.

3.2. Offline Password Guessing Attack

In the scheme, U can easily match a login request to a smart card, since both contain the user's identity. If U extracts [28, 29] the values {ID, f, e, K, h(·)} from the smart card SC of user C and intercepts the login request {ID, M2, M3} from the open network, he can mount an offline password guessing attack as follows.
(1) U computes e ⊕ f.
(2) U guesses PW* as the user's possible password and computes M1* = [e ⊕ f] ⊕ h(PW* ⊕ K).
(3) U computes R* = M2 ⊕ M1* and M3* = h(M1*||R*), and compares M3* with the intercepted M3. If M3* ≠ M3, he repeats from step (2) with another guess; if M3* = M3, he has found the exact password PW of C.
No interaction with S is needed, so the number of guesses is limited only by U's own computing power.

3.3. User Impersonation Attack

As discussed in the previous subsections, U can guess a user's password once he obtains the user's smart card. Notice that a successful password guess (online or offline) also yields M1 = h(ID||x_s); in fact, h(ID||x_s) is the key value required to compute a valid login request or valid reply messages. Further, U has easy access to the user's identity ID, either from SC = {ID, f, e, K, h(·)} or from the login request {ID, M2, M3} of C. Having h(ID||x_s) and ID in hand, U can impersonate the user C as follows. U generates a random number R_a on his system and computes M2* = M1 ⊕ R_a and M3* = h(M1||R_a). Then U sends the login request {ID, M2*, M3*} to S. On receiving it, the server S first checks the format of ID; clearly, S proceeds, because ID is the identity of a legitimately registered user and hence has a valid format. S computes M4 = h(ID||x_s) and M5 = M2* ⊕ M4 (= R_a) and checks whether M3* = h(M4||M5); clearly this holds. Therefore S believes that the login request is from the legitimate user. S generates a random number R_s, computes M6 = M4 ⊕ R_s and M7 = h(M4||R_s), and transmits the reply message {M6, M7}. On receiving {M6, M7}, the attacker U obtains R_s by computing M8 = M6 ⊕ M1, computes M9 = h(M1||R_a||M8), and sends {M9} to S. On receiving {M9}, the server checks whether M9 = h(M4||M5||R_s). Clearly this holds, so S accepts the forged login request.

3.4. Server Impersonation Attack

U can easily impersonate the legal server S to cheat the user C whose information {ID and M1 = h(ID||x_s)} he possesses, as described in Section 3.3. To masquerade as S, the attacker proceeds as follows. U can easily recognize the login request {ID, M2, M3} of C transmitted over the open channel, since he possesses the identity ID of C. So when C sends his login request to S, U intercepts it and blocks it from reaching S. U first obtains R_c by computing M5* = M2 ⊕ M1. Next, he generates a random number R_a on his system and computes M6* = M1 ⊕ R_a and M7* = h(M1||R_a). Then U transmits the reply message {M6*, M7*} to C. On receiving it, the user C first obtains R_a (taking it for R_s) by computing M8 = M6* ⊕ M1, where M1 = h(ID||x_s). Next, he checks whether M7* = h(M1||M8). Clearly this holds, and hence C believes that he is communicating with the intended server, whereas in fact he is being deceived by the attacker U.
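The following Python program is an added worked example (it is not code from the paper or from An): it simulates An's scheme of Section 2 and then runs the offline password guessing attack of Section 3.2 and the impersonation attacks of Sections 3.3 and 3.4 against it. It assumes SHA-256 as h(·), a fixed-width 32-byte encoding of strings so that PW can be XORed with K, and randomly constructed values for x_s, K and B; the user name, password and guess list are constructed sample inputs.

```python
import hashlib
import os

HLEN = 32  # h(.) is instantiated as SHA-256, so every XOR operand is 32 bytes

def h(*parts: bytes) -> bytes:
    """One-way hash h(a||b||...) over the concatenated operands."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == HLEN
    return bytes(x ^ y for x, y in zip(a, b))

def enc(s: str) -> bytes:
    """Fixed-width encoding (an assumption) so a password can be XORed with K."""
    return s.encode().ljust(HLEN, b"\0")

# ---- An's scheme (Section 2) ----
def register(ID, PW, B, K, x_s):
    """R computes f, r, e (Section 2.1); the user then stores K on the card."""
    f = h(xor(B, K))
    r = xor(h(xor(enc(PW), K)), f)
    e = xor(h(ID.encode(), x_s), r)
    return {"ID": ID, "f": f, "e": e, "K": K}

def login(card, PW, B):
    """Card side of Section 2.2: returns (login request, M1, R_c) or None."""
    if h(xor(B, card["K"])) != card["f"]:
        return None
    M1 = xor(xor(card["e"], card["f"]), h(xor(enc(PW), card["K"])))  # = h(ID||x_s)
    Rc = os.urandom(HLEN)
    return {"ID": card["ID"], "M2": xor(M1, Rc), "M3": h(M1, Rc)}, M1, Rc

def server_reply(req, x_s):
    """Server side of Section 2.3: returns (reply, state) or None if M3 fails."""
    M4 = h(req["ID"].encode(), x_s)
    M5 = xor(req["M2"], M4)  # = R_c
    if req["M3"] != h(M4, M5):
        return None
    Rs = os.urandom(HLEN)
    return {"M6": xor(M4, Rs), "M7": h(M4, Rs)}, (M4, M5, Rs)

def user_reply(reply, M1, Rc):
    """User checks M7 and answers with M9, or None if the server check fails."""
    M8 = xor(reply["M6"], M1)  # = R_s
    if reply["M7"] != h(M1, M8):
        return None
    return h(M1, Rc, M8)

def server_accept(M9, state):
    M4, M5, Rs = state
    return M9 == h(M4, M5, Rs)

# ---- Attacks of Section 3 (the attacker holds a card dump, never x_s) ----
def offline_guess(dump, req, candidates):
    """Section 3.2: test password guesses against one captured login request."""
    for pw in candidates:
        M1g = xor(xor(dump["e"], dump["f"]), h(xor(enc(pw), dump["K"])))
        if h(M1g, xor(req["M2"], M1g)) == req["M3"]:
            return pw, M1g  # a hit also yields h(ID||x_s)
    return None

def impersonate_user(ID, M1, honest_server):
    """Section 3.3: with ID and h(ID||x_s) the attacker completes a whole login."""
    Ra = os.urandom(HLEN)
    out = honest_server({"ID": ID, "M2": xor(M1, Ra), "M3": h(M1, Ra)})
    if out is None:
        return False
    reply, state = out
    M9 = user_reply(reply, M1, Ra)
    return M9 is not None and server_accept(M9, state)

def impersonate_server(M1):
    """Section 3.4: a forged reply {M6, M7} that the genuine user's card accepts."""
    Ra = os.urandom(HLEN)
    return {"M6": xor(M1, Ra), "M7": h(M1, Ra)}

def demo(PW="hunter2", guesses=("letmein", "password", "hunter2")):
    """Honest run, then the attacks; x_s, K and B are constructed at random."""
    x_s, K, B = os.urandom(HLEN), os.urandom(HLEN), os.urandom(HLEN)
    card = register("alice", PW, B, K, x_s)
    req, M1, Rc = login(card, PW, B)  # req is what U captures on the open channel
    reply, state = server_reply(req, x_s)
    honest_ok = server_accept(user_reply(reply, M1, Rc), state)
    hit = offline_guess(dict(card), req, guesses)  # dict(card): the extracted values
    if hit is None:
        return {"honest_ok": honest_ok, "guessed_pw": None}
    pw_found, M1_found = hit
    return {
        "honest_ok": honest_ok,
        "guessed_pw": pw_found,
        "leaked_M1": M1_found == M1,
        "user_impersonated": impersonate_user("alice", M1_found, lambda r: server_reply(r, x_s)),
        "server_impersonated": user_reply(impersonate_server(M1_found), M1, Rc) is not None,
    }
```

The attacker never learns x_s: the impersonation functions use only ID and the h(ID||x_s) recovered by the offline guess, and the genuine server is passed in as a callback so that it is the real check M3 = h(M4||M5) that accepts the forged request.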

3.5. Lack of Mutual Authentication

Like Das's scheme [26], An's enhanced scheme fails to resist the user impersonation and server impersonation attacks described in Sections 3.3 and 3.4. In fact, once U extracts the values {ID, f, e, K, h(·)} from the smart card SC of user C and obtains the secret value h(ID||x_s), he can craft valid login requests and reply messages so as to deceive the legal user or the legal server. The scheme therefore loses its mutual authentication property.

3.6. Lack of User Anonymity

In An's scheme, C sends {ID, M2, M3} as his login request to S over an insecure channel, so the user's identity ID is openly available to any attacker U who intercepts the login request. Moreover, ID is also stored in plaintext inside the user's smart card SC. Having ID in hand, U can target C with further threats; in the worst case, U may be able to compromise the user's biometric information, which would have serious consequences. Thus, the scheme does not provide user anonymity, and since ID is constant across sessions, every login request of C can also be linked to him.

4. The Proposed Scheme

In this section, we propose a new user authentication scheme that improves on An's scheme. Besides resisting the security problems found in An's scheme, it provides a password change phase with which a user can change his password at will. It has four phases: registration, login, authentication, and password change. The registration phase is carried out over a secure channel, the login and authentication phases are carried out over an insecure channel, and the password change phase is performed locally between the user and his smart card without involving the server. It has the same three participants: the user C, the server S, and the registration centre R. In the proposed scheme, the server maintains two secret keys x_s and y_s. Details of each phase, which are also depicted in Figure 1, are given in the following.
Figure 1

The proposed scheme.

4.1. Registration Phase

Before starting the scheme, the registration centre R and the user C carry out this phase as follows. C submits his identity ID and the masked password (PW ⊕ K) to R via a secure channel, and also submits his masked biometric (B ⊕ K) via a specific device; here K is a random number chosen by C. R computes
f = h(B ⊕ K),
r = h(PW ⊕ K) ⊕ f,
e = h(ID||x_s) ⊕ r,
c = h(x_s||y_s) ⊕ f,
and stores {c, e, h(·)} in a smart card SC. R then delivers SC = {c, e, h(·)} together with f to the user C via a secure channel. On receiving SC and f, the user computes
g = (ID||PW) ⊕ f,
j = (ID||PW) ⊕ K,
and inserts g and j into SC, so that finally SC = {c, e, g, j, h(·)}. Note that neither ID nor K is stored in plaintext on the card.

4.2. Login Phase

When the user C wishes to log in to the server S, the user and his smart card SC perform the following steps. C inserts his smart card into a card reader, keys in his identity ID and password PW, and presents his biometric B on the specific device. SC retrieves f ← (ID||PW) ⊕ g and K ← (ID||PW) ⊕ j and checks whether f = h(B ⊕ K). If the biometric matches, C passes the biometric verification; otherwise SC terminates the session. Since a wrong ID or PW yields wrong values of f and K, this check also verifies the correctness of the entered ID and PW. SC then generates a random number R_c and computes
M1 = c ⊕ f (= h(x_s||y_s)),
M2 = e ⊕ f ⊕ h(PW ⊕ K) (= h(ID||x_s)),
M3 = M1 ⊕ R_c,
M4, which carries ID masked by a session-fresh value (see Figure 1),
M5 = h(M2||R_c).
C sends the login request {M3, M4, M5} to S.

4.3. Authentication Phase

On receiving the login request {M3, M4, M5} from C, the server S and the user C perform the following steps to authenticate each other. S first computes M6 = h(x_s||y_s) and M7 = M3 ⊕ M6 (= R_c), and recovers ID from M4 and R_c (Figure 1). S checks the format of ID. If ID is valid, S computes M8 = h(ID||x_s) and checks whether M5 = h(M8||M7). If they are equal, S generates a random number R_s and computes
M9 = M8 ⊕ R_s,
M10 = h(M8||R_s).
Then S sends the reply message {M9, M10} to C for its own authentication. On receiving {M9, M10}, the user C computes M11 = M9 ⊕ M2 (which is indeed R_s) and checks whether M10 = h(M2||M11). If they are equal, C computes M12 = h(M2||R_c||M11) (which is indeed h[h(ID||x_s)||R_c||R_s]) and sends the reply message {M12} to S. On receiving {M12}, the server checks whether M12 = h(M8||M7||R_s). If they are equal, S accepts the login request {M3, M4, M5} of C.

4.4. Password Change Phase

When the user wishes to change his old password PW, he invokes this phase; the server is not involved. C inserts his smart card into a card reader, keys in his identity ID and password PW, and presents his biometric B on the specific device. SC retrieves f ← (ID||PW) ⊕ g and K ← (ID||PW) ⊕ j and checks whether f = h(B ⊕ K). If the biometric matches, C passes the biometric verification; otherwise SC terminates the session. As in the login phase, this check also verifies the correctness of the entered ID and PW. SC then allows the user to enter the new password (PW)new and computes
(e)new = e ⊕ h(PW ⊕ K) ⊕ h((PW)new ⊕ K) (= h(ID||x_s) ⊕ h((PW)new ⊕ K) ⊕ f),
(g)new = (ID||(PW)new) ⊕ f,
(j)new = (ID||(PW)new) ⊕ K.
SC replaces e, g, and j with (e)new, (g)new, and (j)new, respectively.
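As an added example (not code from the paper), the Python program below implements all four phases of the proposed scheme described above, with both the card side and the server side of the login and authentication exchange and a password change that works entirely on the card. It assumes SHA-256 as h(·) and a fixed-width 32-byte encoding of ID, PW and ID||PW so that they can be XORed with hash-sized values. Because this page does not reproduce the expression for M4 (it is given in Figure 1), the example assumes M4 = ID ⊕ R_c, which the server unmasks as M4 ⊕ M7; this choice keeps the hash counts of Table 3 (3 in the login phase, 7 in the authentication phase). The server-side M6 = h(x_s||y_s) is likewise the reading of Section 4.3 adopted here. The identity, passwords and secret keys used in the test are constructed sample values.

```python
import hashlib
import os

HLEN = 32  # h(.) instantiated as SHA-256; every XOR operand is 32 bytes

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == HLEN
    return bytes(x ^ y for x, y in zip(a, b))

def enc(s: str) -> bytes:
    """Fixed-width encoding (assumption): ID, PW and ID||PW are padded to 32 bytes."""
    return s.encode().ljust(HLEN, b"\0")

# ---- Registration (Section 4.1) ----
def rc_register(ID, PW_xor_K, B_xor_K, x_s, y_s):
    """R computes f, r, e, c; it stores {c, e} on the card and hands f to the user."""
    f = h(B_xor_K)
    r = xor(h(PW_xor_K), f)
    e = xor(h(ID.encode(), x_s), r)
    c = xor(h(x_s, y_s), f)
    return {"c": c, "e": e}, f

def user_finalize(card, f, ID, PW, K):
    """User adds g = (ID||PW) xor f and j = (ID||PW) xor K; ID and K are not stored."""
    card["g"] = xor(enc(ID + PW), f)
    card["j"] = xor(enc(ID + PW), K)
    return card

def card_unlock(card, ID, PW, B):
    """Card-side check shared by login and password change: recover f, K and verify B."""
    f = xor(enc(ID + PW), card["g"])
    K = xor(enc(ID + PW), card["j"])
    if h(xor(B, K)) != f:  # wrong ID, PW or biometric: terminate the session
        return None
    return f, K

# ---- Login (Section 4.2) ----
def login(card, ID, PW, B):
    unlocked = card_unlock(card, ID, PW, B)
    if unlocked is None:
        return None
    f, K = unlocked
    M1 = xor(card["c"], f)                           # = h(x_s||y_s)
    M2 = xor(xor(card["e"], f), h(xor(enc(PW), K)))  # = h(ID||x_s)
    Rc = os.urandom(HLEN)
    M4 = xor(enc(ID), Rc)  # ASSUMED form of M4 (not reproduced on the page): ID masked by R_c
    return {"M3": xor(M1, Rc), "M4": M4, "M5": h(M2, Rc)}, (M2, Rc)

# ---- Authentication (Section 4.3) ----
def server_reply(req, x_s, y_s):
    M6 = h(x_s, y_s)
    M7 = xor(req["M3"], M6)                                           # = R_c
    ID = xor(req["M4"], M7).rstrip(b"\0").decode("utf-8", "replace")  # unmask the ASSUMED M4
    if not ID.isalnum():                                              # the "format of ID" check
        return None
    M8 = h(ID.encode(), x_s)
    if req["M5"] != h(M8, M7):
        return None
    Rs = os.urandom(HLEN)
    return {"M9": xor(M8, Rs), "M10": h(M8, Rs)}, (M8, M7, Rs)

def user_reply(reply, state):
    M2, Rc = state
    M11 = xor(reply["M9"], M2)  # = R_s
    if reply["M10"] != h(M2, M11):
        return None
    return h(M2, Rc, M11)       # M12

def server_accept(M12, state):
    M8, M7, Rs = state
    return M12 == h(M8, M7, Rs)

# ---- Password change (Section 4.4): done on the card, the server is not involved ----
def change_password(card, ID, PW, B, PW_new):
    unlocked = card_unlock(card, ID, PW, B)
    if unlocked is None:
        return False
    f, K = unlocked
    card["e"] = xor(xor(card["e"], h(xor(enc(PW), K))), h(xor(enc(PW_new), K)))
    card["g"] = xor(enc(ID + PW_new), f)
    card["j"] = xor(enc(ID + PW_new), K)
    return True

def run_session(card, ID, PW, B, x_s, y_s):
    """One full login/authentication round: returns (accepted, login request)."""
    out = login(card, ID, PW, B)
    if out is None:
        return False, None
    req, ustate = out
    srv = server_reply(req, x_s, y_s)
    if srv is None:
        return False, req
    reply, sstate = srv
    M12 = user_reply(reply, ustate)
    return M12 is not None and server_accept(M12, sstate), req
```

Two properties of Section 5 can be checked directly on the card dictionary: it contains neither ID nor K in plaintext, and g ⊕ j yields only f ⊕ K, exactly the quantity Section 5.1 says an attacker with the card can compute; two consecutive login requests from the same user differ in M3, M4 and M5, which is the untraceability argument of Section 5.5.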

5. Security Analysis of the Proposed Scheme

In this section, we analyze security of the proposed scheme. We show that the scheme remains unaffected even if an attacker U extracts [28, 29] all the values stored inside a user's smart card.

5.1. Online Password Guessing Attack

On having access to a user's smart card SC, an attacker U can extract [28, 29] all the values {c, e, g, j, h(·)} from it. To compute e ⊕ f and obtain [h(ID||x_s) ⊕ h(PW ⊕ K)], he requires f, but U cannot obtain f from g = (ID||PW) ⊕ f, since he knows neither the user's identity ID nor the password PW. U can obtain f ⊕ K by computing g ⊕ j = [(ID||PW) ⊕ f] ⊕ [(ID||PW) ⊕ K], and from it
e ⊕ (f ⊕ K) = h(ID||x_s) ⊕ h(PW ⊕ K) ⊕ K.
But U cannot turn this value into M2 (= h(ID||x_s)) with a guessed password PW*: evaluating h(PW* ⊕ K) requires K, and even then the result would still be masked by K. It is troublesome for U to obtain K, because K is not stored in plaintext inside the smart card but only as j = (ID||PW) ⊕ K, from which K cannot be recovered without ID and PW. Besides, U cannot compute M1 (= h(x_s||y_s)) = c ⊕ f, as he does not have access to f. Moreover, U does not have the ID of C, as ID is not stored in plaintext inside the smart card. Thus, U cannot compute a login request {M3, M4, M5} with which to verify a password guess online. Hence, the proposed scheme withstands the online password guessing attack.

5.2. Offline Password Guessing Attack

Suppose U obtains the smart card of some user. Although U can intercept the login message of any user from the open channel, he cannot relate a user's smart card to its corresponding login request, because, unlike in An's scheme, the user's identity is neither stored in plaintext inside the smart card nor transmitted in the login request. As a result, U cannot combine values extracted from a smart card with the values of the corresponding login request to guess the user's password offline. Even if U somehow gets hold of the correct combination of a user's smart card and login request, he still cannot mount an offline password guessing attack. To guess the password of C and verify the guess, U could use M5 = h(M2||R_c), provided that he possesses the values [h(ID||x_s) ⊕ h(PW ⊕ K) ⊕ K], K, and R_c. As explained in Section 5.1, U can obtain [h(ID||x_s) ⊕ h(PW ⊕ K) ⊕ K] from {g, j, e} extracted [28, 29] from SC, but he cannot obtain the random number K. Besides, U cannot obtain R_c from M3 = M1 ⊕ R_c without M1 (= h(x_s||y_s)), and U fails to obtain M1 as discussed in Section 5.1. Thus an attacker U cannot guess the user's password offline.

Note that this argument treats ID as a secret: the card holds no value that depends on PW alone, since f and K are recoverable only from the pair (ID||PW) through g and j. The offline resistance therefore rests on the attacker being unable to guess ID and PW jointly; for an identity that is public or easily guessed, the argument reduces to the guessing resistance of the password alone.

5.3. User Impersonation and Server Impersonation Attack

To impersonate a legal user, U must possess M1 = h(x_s||y_s) and M2 = h(ID||x_s); otherwise he cannot compute a valid login request {M3, M4, M5} or a valid reply message {M12}. The value h(ID||x_s) is equally essential if U wishes to masquerade as the legal server. Unlike in An's scheme, in the proposed scheme U cannot obtain M2 (= M8) = h(ID||x_s) as a by-product of password guessing, because password guessing is not feasible, as explained in Sections 5.1 and 5.2. Moreover, U cannot obtain M1 = h(x_s||y_s) (i) from M3 = M1 ⊕ R_c, obtained by intercepting the login request of C, without the random number R_c, or (ii) from c = h(x_s||y_s) ⊕ f, extracted from the user's smart card, without knowing f. Thus, the proposed scheme resists impersonation attacks.

5.4. Supporting Mutual Authentication

Mutual authentication in the proposed scheme follows directly from its resistance against the user and server impersonation attacks described in Section 5.3. U faces two hurdles in acting as a legal user or as the legal server: (i) the secret keys x_s and y_s maintained by the server are unknown to U, and (ii) U has no access to the identity ID of user C. As a result, U cannot compute the values h(x_s||y_s) and h(ID||x_s) required to mount impersonation attacks, and he has no way to retrieve them from the parameters extracted from the smart card, from the login request, or from both. Therefore, the proposed scheme provides proper mutual authentication.

5.5. Providing User Anonymity and User Untraceability

In the proposed scheme, the user's plaintext identity ID never appears: it is neither stored in the smart card SC nor sent in any of the login and authentication messages transmitted over the insecure network. Even if U extracts [28, 29] the values {c, e, g, j, h(·)} from SC, he cannot obtain the ID of C: to recover ID from g = (ID||PW) ⊕ f or from j = (ID||PW) ⊕ K, the attacker would need {PW, f} or {PW, K}, respectively, and he cannot recover ID from e = h(ID||x_s) ⊕ r without knowing r and x_s. If U intercepts a login request {M3, M4, M5} or the reply messages {M9, M10} and {M12}, he cannot derive ID from {M5, M10, M12} without knowing {x_s, R_c, R_s}, and the one-way property of the hash function prevents him from inverting {e, M5, M10, M12}. Moreover, each transmitted value {M3, M4, M5, M9, M10, M12} is dynamic, by virtue of the random numbers R_c and R_s, which differ for every session. Thus, U can neither obtain the user's identity ID nor trace the legal user by observing a fixed parameter in the login request or reply messages. Hence, the scheme provides user anonymity as well as user untraceability.

5.6. Providing Password Change Facility

In An's scheme, the password a user chooses during the registration phase is fixed forever, since the user cannot change it at will. The author may have felt that, in the presence of a biometric verification procedure, there is no need for a password change facility. Undoubtedly, it is very difficult to forge, copy, or compromise biometrics, but once compromised, biometrics cannot be changed the way passwords can. We therefore hold that whenever a password is employed in a user authentication scheme, the user should be able to change it freely. The proposed scheme provides a password change facility with which a user can change his old password to a new one, without interacting with the server, whenever he wishes. Before updating the stored values with the new password (PW)new, the smart card verifies the correctness of the identity ID and the old password PW together with the biometric check f = h(B ⊕ K), so a stolen card cannot be updated with a password of the attacker's choosing. Thus the proposed scheme provides a secure and easy password change facility.

6. Comparison

In this section, we compare the efficiency of the proposed scheme with Li-Hwang's scheme [19], Das's scheme [26], and An's scheme [27]. Table 2 compares security attributes and Table 3 compares the computational load in terms of hash operations. Table 2 shows that the proposed scheme resists the attacks possible on the schemes [19, 26, 27] and additionally provides user anonymity with untraceability. It also restores the password change facility that the original versions [19, 26] provide but An's scheme [27] lacks. As Table 3 shows, the proposed scheme requires only two hash operations more than its immediate predecessor [27]. The important point is that this minor increase of two hash operations in computational load buys stronger security and more functionality than the schemes [19, 26, 27] offer.
Table 2

Comparison of security attributes.

Security attribute                     Li-Hwang's [19]  Das's [26]  An's [27]  Ours
Resists online PW guessing attack      No               No          No         Yes
Resists offline PW guessing attack     No               No          No         Yes
Resists user impersonation attack      No               No          No         Yes
Resists server impersonation attack    No               No          No         Yes
Provides mutual authentication         No               No          No         Yes
Provides PW change facility            Yes              Yes         No         Yes
Provides user anonymity                No               No          No         Yes
Table 3

Comparison of computational load in terms of hash operations.

Phase                  Li-Hwang's [19]  Das's [26]  An's [27]  Ours
Registration phase     3 h(·)           3 h(·)      3 h(·)     4 h(·)
Login phase            2 h(·)           2 h(·)      3 h(·)     3 h(·)
Authentication phase   5 h(·)           8 h(·)      6 h(·)     7 h(·)
Total                  10 h(·)          13 h(·)     12 h(·)    14 h(·)

7. Conclusion

This paper shows that the recently proposed biometrics-based user authentication scheme by An is susceptible to several threats. Once an attacker obtains the smart card of a legal user, he can guess the user's password and impersonate the user; he can also cheat the user by masquerading as the legal server, so the scheme fails to provide mutual authentication. Besides, the scheme suffers from the restriction of a static password. We have proposed a new scheme, based on the design of An's scheme, that fixes the identified problems. In the proposed scheme an attacker cannot figure out the identity of a user either from the smart card or by intercepting all login and authentication messages transmitted over the insecure network. Analysis and comparison show the improved security and functionality of the proposed scheme.