
An Improvement of Robust Biometrics-Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards.

Jongho Moon, Younsung Choi, Jaewook Jung, Dongho Won

Abstract

In multi-server environments, user authentication is a very important issue because it provides the authorization that enables users to access their data and services; furthermore, remote user authentication schemes for multi-server environments have solved the problem that arises from users' management of different identities and passwords. For this reason, numerous user authentication schemes that are designed for multi-server environments have been proposed over recent years. In 2015, Lu et al. improved upon Mishra et al.'s scheme, claiming that their remote user authentication scheme is more secure and practical; however, we found that Lu et al.'s scheme is still insecure and incorrect. In this paper, we demonstrate that Lu et al.'s scheme is vulnerable to outsider attack and user impersonation attack, and we propose a new biometrics-based scheme for authentication and key agreement that can be used in multi-server environments; then, we show that our proposed scheme is more secure and supports the required security properties.


Year: 2015    PMID: 26709702    PMCID: PMC4699843    DOI: 10.1371/journal.pone.0145263

Source DB: PubMed    Journal: PLoS One    ISSN: 1932-6203    Impact factor: 3.240


Introduction

Since Lamport [1] proposed the first password-based authentication scheme for insecure communications in 1981, password-based authentication schemes [2-6] have been extensively investigated. The remote user authentication scheme is one of the most convenient authentication schemes for dealing with the transmission of secret data over insecure communication channels, and during the last two decades, many researchers have proposed different remote user authentication schemes. A problem that occurs with respect to password-based authentication schemes, however, is that a server must maintain a password table for the verification of the legitimacy of a login user; therefore, the server requires additional memory space to store the password table. For this reason, many researchers have proposed a new type of remote user authentication scheme whereby the biological characteristics of persons such as a fingerprint or an iris are used. The main advantageous property of biometrics is uniqueness, leading to the proposal of numerous remote user authentication schemes [7-13] that use biological characteristics. In 2008, Tsai [14] proposed an efficient multi-server authentication scheme using a random number and the one-way hash function; after that, a considerable succession of authenticated key agreement schemes was presented for multi-server environments [15-17]. In 2012, Li et al. [18] proposed a novel authenticated key exchange scheme for multi-server environments; unfortunately, however, Xue et al. [19] found that Li et al.’s scheme did not resist some types of known attacks such as replay, denial of service, forgery, and off-line password guessing. Xue et al. therefore proposed an improved scheme to remedy the weaknesses of Li et al.’s scheme; nevertheless, Lu et al. [20] showed that Xue et al.’s scheme is not only very insecure against impersonation and insider attacks, but that it is also vulnerable to off-line password guessing attack. 
To overcome the vulnerability of Xue et al.’s scheme, Lu et al. then proposed a slightly modified authentication scheme for multi-server environments. Recently, Chuang et al. [21] presented an efficient, biometrics-based, smart card authentication scheme for a multi-server environment that was previously considered to provide more security properties; however, Mishra et al. [22] found that Chuang et al.’s scheme is vulnerable to stolen smart card, server spoofing, and impersonation attacks. Mishra et al. also proposed an improved biometrics-based, multi-server authenticated key agreement scheme using smart cards, and they claimed that their scheme satisfied all of the desirable security requirements; unfortunately, Lu et al. [23] showed that Mishra et al.’s scheme did not satisfy key security attributes, since it is vulnerable to replay attack and has an incorrect password change phase. Lu et al. then proposed a biometrics-based smart card scheme for authentication and key agreement that can be used in multi-server environments, claiming that their scheme is secure against a variety of known attacks; however, we found that Lu et al.’s scheme is still insecure and is incorrect regarding the login and authentication phase. In this paper, we concentrate on the security weaknesses of Lu et al.’s biometrics-based authentication scheme. After a careful analysis, we found that their scheme does not effectively resist outsider and impersonation attacks; to resolve these security vulnerabilities, we propose a new biometrics-based scheme for authentication and key agreement that can be used in a multi-server environment. In addition, we demonstrate that the proposed scheme provides a strong authentication defense against a number of attacks, including the attacks on the original scheme. Lastly, we compare the performance and functionality of the proposed scheme with other related schemes.
The rest of the paper is organized as follows: In section 2 and section 3, we review and analyze, respectively, Lu et al.’s scheme; in Section 4, we propose an improved authentication scheme for multi-server environments; in section 5, we present a security analysis of our scheme; section 6 shows security and performance analyses whereby our scheme is compared with previous schemes; and, our conclusion is presented in section 7.

Review of Lu et al.’s scheme

In this section, we review Lu et al.’s biometrics-based scheme for authentication and key agreement that can be used in a multi-server environment. The following three participants are involved: the user U_i, the server S_j, and the registration center RC. The RC chooses a secret key PSK and a secret number x and shares them with S_j over a secure channel. The scheme consists of the registration, login and authentication, and password updating phases. For convenience, some of the notations that are used in Lu et al.’s scheme are described in Table 1.

Table 1

Notations used in Lu et al.’s scheme.

U_i, S_j  User and a server
RC  The registration center
ID_i, SID_j  Identity of U_i and S_j
PW_i, BIO_i  Password and biometrics of U_i
x, y  Secret numbers selected by the RC and U_i, respectively
PSK  Secure key shared by the RC and S_j
T  Timestamp
h(⋅)  One-way hash function
H(⋅)  Biohash function
⊕, ∥  Exclusive-or operation and concatenation operation

Registration phase

U_i enters his/her biometrics BIO_i, identity ID_i and password PW_i; then, U_i sends {ID_i, h(PW_i ∥ H(BIO_i))} to the RC. After receiving the message from U_i, the RC computes X_i = h(ID_i ∥ x) and V_i = h(ID_i ∥ h(PW_i ∥ H(BIO_i))); then, the RC stores {X_i, V_i, h(PSK)} onto a smart card and submits it to U_i. U_i computes Y_i = h(PSK) ⊕ y and replaces h(PSK) with Y_i; lastly, the smart card stores the values {X_i, Y_i, V_i, h(⋅)}.

Login and authentication phase

U_i inserts his/her smart card into the device and enters his/her identity ID_i, password PW_i and biometrics BIO_i; then, the smart card validates whether the recomputed h(ID_i ∥ h(PW_i ∥ H(BIO_i))) is equal to the stored V_i. If it holds, the smart card generates a random number n_1 and computes K = h((Y_i ⊕ y) ∥ SID_j), M_1 = K ⊕ ID_i, M_2 = n_1 ⊕ K, M_3 = h(PW_i ∥ H(BIO_i)) ⊕ K, and Z_i = h(X_i ∥ n_1 ∥ h(PW_i ∥ H(BIO_i)) ∥ T_1). Lastly, U_i sends {Z_i, M_1, M_2, M_3, T_1} to S_j over a public channel, where T_1 is the current timestamp. After receiving the message from U_i, S_j first checks whether T − T_1 ≤ ΔT and then computes K = h(SID_j ∥ h(PSK)) by using the secure pre-shared key PSK; then S_j retrieves ID_i = M_1 ⊕ K, n_1 = M_2 ⊕ K, and h(PW_i ∥ H(BIO_i)) = M_3 ⊕ K. S_j subsequently computes X_i = h(ID_i ∥ x) and verifies whether the recomputed h(X_i ∥ n_1 ∥ h(PW_i ∥ H(BIO_i)) ∥ T_1) is equal to the received Z_i; if it holds, S_j generates a random number n_2 and computes SK = h(n_1 ∥ n_2 ∥ K ∥ X_i), M_4 = n_2 ⊕ h(n_1 ∥ h(PW_i ∥ H(BIO_i)) ∥ X_i), and M_5 = h(ID_i ∥ n_1 ∥ n_2 ∥ K ∥ T_2). Then, S_j sends back the authentication message {M_4, M_5, T_2} to U_i, where T_2 is the current timestamp. Upon checking the freshness of T_2, U_i first computes n_2 = M_4 ⊕ h(n_1 ∥ h(PW_i ∥ H(BIO_i)) ∥ X_i) and then verifies whether h(ID_i ∥ n_1 ∥ n_2 ∥ K ∥ T_2) is equal to the received M_5; if they are equal, U_i computes the common session key SK = h(n_1 ∥ n_2 ∥ K ∥ X_i) and sends {M_6 = h(SK ∥ ID_i ∥ n_2 ∥ T_3), T_3} to S_j, where T_3 is the current timestamp. S_j verifies the freshness of T_3 and the correctness of M_6 by using SK; if they do not hold, S_j stops the execution; otherwise, S_j confirms the common session key SK with U_i.

Password updating

U_i first inserts his/her smart card into the device and provides his/her identity ID_i, password PW_i and biometrics BIO_i. The smart card then validates whether the recomputed h(ID_i ∥ h(PW_i ∥ H(BIO_i))) is equal to the stored V_i; if they are equal, U_i keys in the new password PW_i^new, but otherwise the smart card refuses the request. Lastly, the smart card computes V_i^new = h(ID_i ∥ h(PW_i^new ∥ H(BIO_i))) and replaces V_i by V_i^new.

Security analysis of Lu et al.’s scheme

According to [24, 25], in the basic adversary model, a probabilistic polynomial-time (PPT) adversary has full control over all communication messages. The adversary can therefore read, modify or delete all communication messages transmitted between a user and the server. Furthermore, power analysis attacks [26] can extract all of the information from the smart card by using a side channel attack. Lu et al. claimed that their scheme could resist a session-key attack; however, we demonstrate that their scheme is still insecure against a session key attack. We also found that their scheme is unable to provide protection against outsider and user impersonation attacks, and it cannot support user anonymity; furthermore, a number of the phases of Lu et al.’s scheme are not correct, and we point out the details of these problems in the following subsections.

Incorrect login phase

During the login phase, the user U_i inserts his/her smart card into the card reader, inputs his/her identity ID_i and password PW_i, and then imprints his/her biometrics BIO_i at the sensor. The smart card then validates whether the recomputed h(ID_i ∥ h(PW_i ∥ H(BIO_i))) is equal to the stored V_i; if it holds, the smart card should compute K = h((Y_i ⊕ y) ∥ SID_j), but this is actually impossible because the secret key y does not exist in the smart card. Lu et al. claimed that even if an adversary has gathered the information {X_i, Y_i, V_i, h(⋅)} that is stored in U_i’s smart card, he/she cannot figure out the login request message {Z_i, M_1, M_2, M_3, T_1} without the secret key y; therefore, we assumed that the secret key y is entered by the user U_i during the login process.

Incorrect authentication phase

During the authentication phase, the server S_j computes K = h(SID_j ∥ h(PSK)) by using the secure pre-shared key PSK; however, the value K = h(SID_j ∥ h(PSK)) cannot be equal to the value K = h((Y_i ⊕ y) ∥ SID_j) = h(h(PSK) ∥ SID_j) computed by U_i. We therefore assumed that the server S_j computes K = h(h(PSK) ∥ SID_j).

Outsider Attack

During the registration phase, the RC stores {X_i, V_i, h(PSK)} onto a smart card and submits it to U_i. After receiving the smart card, U_i computes Y_i = h(PSK) ⊕ y and replaces h(PSK) with Y_i. Let the active adversary be a legal user who is in possession of his/her own smart card and has extracted the information stored in it; since he/she chose y, he/she knows h(PSK) = Y_i ⊕ y and can easily compute K = h(h(PSK) ∥ SID_j), which is the same for every legal user that belongs to the server S_j. Furthermore, if the adversary intercepts his/her own login request message, then he/she can also compute the values that are masked by K.

Violation of the Session Key Security

Suppose an outsider adversary intercepts the communication between U_i and S_j and steals the smart card of U_i; then, he/she can obtain all of the messages {Z_i, M_1, M_2, M_3, M_4, M_5, M_6, T_1, T_2, T_3} and extract the information {X_i, Y_i, V_i, h(⋅)}, thereby easily obtaining the session key that is shared between U_i and S_j. The details are described as follows. The adversary computes n_1 = M_2 ⊕ K, ID_i = K ⊕ M_1, and h(PW_i ∥ H(BIO_i)) = M_3 ⊕ K. Then, the adversary can compute n_2 = M_4 ⊕ h(n_1 ∥ h(PW_i ∥ H(BIO_i)) ∥ X_i); therefore, he/she can obtain the session key SK = h(n_1 ∥ n_2 ∥ K ∥ X_i).

User Impersonation Attack

As described above, the adversary can also impersonate a legal user to cheat S_j when he/she knows the value of K. The details are described as follows. The adversary generates a random number and computes M_1 = K ⊕ ID_i, M_3 = K ⊕ h(PW_i ∥ H(BIO_i)) and the remaining values of the login request message from that random number; then, the adversary sends the login request message to the server S_j together with the current timestamp. After receiving the login request message from the adversary, who pretends to be U_i, S_j successfully verifies the message and performs the subsequent steps of the scheme normally. Lastly, S_j sends the authentication message to the adversary, containing the random number and the current timestamp generated on the server side. Upon receiving the login response message from S_j, the adversary computes the corresponding values as a legitimate user would and sends the resulting message to S_j together with the current timestamp. Upon receiving the message from the adversary, S_j continues to proceed with the scheme without detection. Lastly, the adversary and S_j “successfully” agree on the session key SK, but unfortunately S_j mistakenly believes that it is communicating with the legitimate, genuine U_i.

User is not anonymous

Lu et al. claimed that U_i’s identity ID_i is well protected by the shared parameter K, which is used as a substitute for the actual parameters. Additionally, an unauthorized server cannot obtain ID_i without knowing K, since K is protected by the secret key PSK that is only known by the authorized server and is not exposed on the open channel. We found, however, that if the outsider adversary can obtain h(PSK), then he/she can compute K = h(h(PSK) ∥ SID_j); furthermore, the adversary can also compute it without h(PSK), meaning that he/she can compute ID_i = M_1 ⊕ K. We therefore concluded that Lu et al.’s scheme cannot provide user anonymity.

Our proposed scheme

In this section, we propose a new biometrics-based password authentication scheme for multi-server environments. In our scheme, there are also three participants: the user U_i, the server S_j, and the registration center RC. The RC chooses a secret key PSK and a secret number x, and then shares them with S_j over a secure channel. Our proposed scheme consists of the following four phases, as shown in Fig 1: registration, login, authentication, and password changing. For convenience, some of the notations that are used in our proposed scheme are described in Table 2.
Fig 1

Our proposed authentication and key agreement protocol for multi-server environments.

Table 2

Notations used in our proposed scheme.

U_i  The i-th user
S_j  The j-th server
SC_i  The smart card of the i-th user
RC  The registration center
ID_i  Identity of the i-th user
SID_j  Identity of the j-th server
PW_i  Password of the i-th user
BIO_i  Biometrics of the i-th user
x  A secret number selected by the RC
y_i  A random number unique to the user, selected by the RC
PSK  Secure key pre-shared by the RC and S_j
T  A timestamp
h(⋅)  A one-way hash function
H(⋅)  Biohash function
⊕, ∥  Exclusive-or operation and concatenation operation

Registration phase

U_i inputs his/her biometrics BIO_i and selects an identity ID_i and a password PW_i. Then, U_i computes PWD_i = h(PW_i ∥ H(BIO_i)) and sends {ID_i, PWD_i} to the RC. After receiving the registration request message from U_i, the RC generates a random number y_i that is unique to U_i. Then, the RC computes V_i = h(ID_i ∥ PWD_i), W_i = h(y_i ∥ PSK) ⊕ ID_i, X_i = h(ID_i ∥ x), and Y_i = y_i ⊕ h(PSK), and stores {V_i, W_i, X_i, Y_i, h(⋅), H(⋅)} onto a smart card. The RC sends the smart card SC_i to U_i over a secure channel, and the registration phase is therefore complete.

Login phase

U_i inserts his/her smart card into the card reader, enters the identity ID_i and password PW_i, and imprints the biometrics BIO_i; then, the smart card SC_i computes PWD_i = h(PW_i ∥ H(BIO_i)) and validates whether h(ID_i ∥ PWD_i) is equal to the stored V_i. If it holds, the smart card generates a random number n_1 and computes K = h((W_i ⊕ ID_i) ∥ SID_j), M_1 = K ⊕ ID_i, M_2 = n_1 ⊕ K, M_3 = PWD_i ⊕ K, and Z_i = h(X_i ∥ n_1 ∥ PWD_i ∥ T_1). U_i then sends {Y_i, Z_i, M_1, M_2, M_3, T_1} to S_j over a public channel, where T_1 is the current timestamp.

Authentication phase

After receiving the login request message from U_i, S_j first checks whether T − T_1 ≤ ΔT and then computes y_i = Y_i ⊕ h(PSK) by using the secure pre-shared key PSK; then, S_j computes K = h(h(y_i ∥ PSK) ∥ SID_j), ID_i = M_1 ⊕ K, n_1 = M_2 ⊕ K, and PWD_i = M_3 ⊕ K. Next, S_j computes X_i = h(ID_i ∥ x) and verifies whether the recomputed h(X_i ∥ n_1 ∥ PWD_i ∥ T_1) is equal to the received Z_i. If it holds, S_j generates a random number n_2 and computes SK = h(n_1 ∥ n_2 ∥ K ∥ X_i), M_4 = n_2 ⊕ h(n_1 ∥ PWD_i ∥ X_i), and M_5 = h(ID_i ∥ n_1 ∥ n_2 ∥ K ∥ T_2). Then, S_j sends the login response message {M_4, M_5, T_2} to U_i, where T_2 is the current timestamp. Upon checking the freshness of T_2, U_i first computes n_2 = M_4 ⊕ h(n_1 ∥ PWD_i ∥ X_i) and then verifies whether h(ID_i ∥ n_1 ∥ n_2 ∥ K ∥ T_2) is equal to the received M_5. If they are equal, U_i computes the common session key SK = h(n_1 ∥ n_2 ∥ K ∥ X_i) and sends {M_6 = h(SK ∥ ID_i ∥ n_2 ∥ T_3), T_3} to S_j, where T_3 is the current timestamp. S_j verifies the freshness of T_3 and the correctness of M_6 by using SK; if they hold, S_j confirms the common session key SK with U_i, but otherwise S_j terminates this session.

Password change phase

The password change is done locally without the involvement of the RC. If U_i wants to change his/her password, he/she first inserts his/her smart card into a card reader and provides his/her identity ID_i, password PW_i and biometrics BIO_i. The smart card SC_i then computes PWD_i = h(PW_i ∥ H(BIO_i)) and validates whether h(ID_i ∥ PWD_i) is equal to the stored V_i. If they are equal, SC_i lets U_i enter a new password PW_i^new; otherwise, the smart card rejects the password change request. Lastly, SC_i computes PWD_i^new = h(PW_i^new ∥ H(BIO_i)) and V_i^new = h(ID_i ∥ PWD_i^new), and replaces V_i with V_i^new.
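As an added illustration (not code from the paper), the Python script below runs the registration, login and authentication phases described above end to end, with SHA-256 standing in for h(⋅), a labelled SHA-256 standing in for the biohash H(⋅), identities padded to 32 bytes so they can be XOR-masked, and a 5-second freshness window ΔT; these choices and the sample users are our own assumptions. It checks that U_i and S_j agree on SK, that a login request altered in transit fails the Z_i check, and that the per-user y_i makes K differ between two users of the same server, which is what removes the shared K = h(h(PSK) ∥ SID_j) exploited in the outsider attack on Lu et al.’s scheme.

```python
import hashlib
import secrets
import struct

DELTA_T = 5  # accepted clock skew in seconds (assumption; the paper only writes T - T1 <= dT)

def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of its arguments (SHA-256 chosen here)."""
    return hashlib.sha256(b"".join(parts)).digest()

def H(bio: bytes) -> bytes:
    """Stand-in for the biohash H(.): a real one maps a noisy template to a stable digest."""
    return hashlib.sha256(b"biohash|" + bio).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))

def ts(t: int) -> bytes:
    return struct.pack(">Q", t)

def pad_id(name: str) -> bytes:
    """Identities are fixed to 32 bytes so they can be XOR-masked with a 32-byte digest."""
    return name.encode().ljust(32, b"\0")

class RC:
    """Registration center: holds x and PSK and issues a random y_i per user."""
    def __init__(self):
        self.x, self.psk = secrets.token_bytes(32), secrets.token_bytes(32)

    def register(self, ID: bytes, PWD: bytes) -> dict:
        y = secrets.token_bytes(32)  # unique to this user; the user never learns it in clear
        return {"V": h(ID, PWD), "W": xor(h(y, self.psk), ID),
                "X": h(ID, self.x), "Y": xor(y, h(self.psk))}

def user_login(card: dict, ID: bytes, PW: bytes, BIO: bytes, SID: bytes, t1: int):
    """Login phase on the smart card: local check against V_i, then build the request."""
    PWD = h(PW, H(BIO))
    if h(ID, PWD) != card["V"]:
        raise ValueError("wrong password or biometrics")
    n1 = secrets.token_bytes(32)
    K = h(xor(card["W"], ID), SID)  # h(h(y_i || PSK) || SID_j); needs ID_i to unmask W_i
    msg = {"Y": card["Y"], "Z": h(card["X"], n1, PWD, ts(t1)), "M1": xor(K, ID),
           "M2": xor(n1, K), "M3": xor(PWD, K), "T1": t1}
    return msg, {"n1": n1, "K": K, "PWD": PWD, "X": card["X"], "ID": ID}

def server_auth(msg: dict, SID: bytes, psk: bytes, x: bytes, now: int):
    """Authentication phase on S_j: recover y_i and K, unmask, recompute Z_i, reply."""
    if now - msg["T1"] > DELTA_T:
        raise ValueError("stale T1")
    K = h(h(xor(msg["Y"], h(psk)), psk), SID)  # y_i = Y_i xor h(PSK)
    ID, n1, PWD = xor(msg["M1"], K), xor(msg["M2"], K), xor(msg["M3"], K)
    X = h(ID, x)
    if h(X, n1, PWD, ts(msg["T1"])) != msg["Z"]:
        raise ValueError("Z_i mismatch: login request rejected")
    n2 = secrets.token_bytes(32)
    resp = {"M4": xor(n2, h(n1, PWD, X)), "M5": h(ID, n1, n2, K, ts(now)), "T2": now}
    return resp, {"SK": h(n1, n2, K, X), "ID": ID, "n2": n2}

def user_finish(st: dict, resp: dict, now: int):
    """User side: recover n2, authenticate S_j through M5, derive SK and send M6."""
    if now - resp["T2"] > DELTA_T:
        raise ValueError("stale T2")
    n2 = xor(resp["M4"], h(st["n1"], st["PWD"], st["X"]))
    if h(st["ID"], st["n1"], n2, st["K"], ts(resp["T2"])) != resp["M5"]:
        raise ValueError("M5 mismatch: server not authenticated")
    SK = h(st["n1"], n2, st["K"], st["X"])
    return SK, {"M6": h(SK, st["ID"], n2, ts(now)), "T3": now}

def server_confirm(sst: dict, fin: dict, now: int) -> bool:
    return (now - fin["T3"] <= DELTA_T
            and fin["M6"] == h(sst["SK"], sst["ID"], sst["n2"], ts(fin["T3"])))

def run_protocol(rc: RC, SID: bytes, ID: bytes, PW: bytes, BIO: bytes, t0: int = 1_000_000):
    """Full run with constructed inputs; returns (both sides agree on SK, the user's K)."""
    card = rc.register(ID, h(PW, H(BIO)))
    msg, ust = user_login(card, ID, PW, BIO, SID, t0)
    resp, sst = server_auth(msg, SID, rc.psk, rc.x, t0 + 1)
    sk_user, fin = user_finish(ust, resp, t0 + 2)
    return server_confirm(sst, fin, t0 + 3) and sk_user == sst["SK"], ust["K"]

def tamper_detected(rc: RC, SID: bytes, ID: bytes, PW: bytes, BIO: bytes, t0: int = 1_000_000) -> bool:
    """A login request altered in transit must fail the server's Z_i check."""
    card = rc.register(ID, h(PW, H(BIO)))
    msg, _ = user_login(card, ID, PW, BIO, SID, t0)
    msg["M2"] = xor(msg["M2"], b"\x01" + b"\x00" * 31)  # flip one bit of the masked n1
    try:
        server_auth(msg, SID, rc.psk, rc.x, t0 + 1)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    rc, sid = RC(), pad_id("server-1")
    ok_a, k_a = run_protocol(rc, sid, pad_id("alice"), b"pw-a", b"bio-a")
    ok_b, k_b = run_protocol(rc, sid, pad_id("bob"), b"pw-b", b"bio-b")
    # y_i is per user, so K differs per user; in Lu et al. K = h(h(PSK) || SID_j) is shared.
    print("agreed:", ok_a and ok_b, "distinct K:", k_a != k_b)
```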

Security analysis of our proposed scheme

In this section, we demonstrate that our scheme, which retains the merits of Lu et al.’s scheme, can withstand several types of possible attacks, and we also show that our scheme supports several security properties. The security analysis of our proposed scheme was conducted under the following four assumptions:

1. An adversary can be either a user or a server. A registered user as well as a registered server can act as an adversary.
2. An adversary can eavesdrop on every communication across public channels. He/she can capture any message that is exchanged between a user and a server.
3. An adversary has the ability to alter, delete, or reroute a captured message.
4. Information can be extracted from a smart card by examining the power consumption of the card.

Verifying the authentication scheme with BAN logic

Burrows-Abadi-Needham (BAN) logic [27] is a set of rules for the definition and analysis of information exchange protocols. Concretely, BAN logic helps its users to decide whether exchanged information is trustworthy, whether it is secured against eavesdropping, or both. In this subsection, we use BAN logic to prove that a shared session key between a user and a server can be correctly generated during the authentication process. Some of the notations and logical postulates [28] that are used in BAN logic are described in Table 3.

Table 3

Notations used in BAN Logic.

P |≡ X  The principal P believes the statement X.
#(X)  The formula X is fresh.
P |⇒ X  The principal P has jurisdiction over the statement X.
P ↔K Q  The principals P and Q may use the shared key K.
P ⊲ X  The principal P sees the statement X.
P |∼ X  The principal P once said the statement X.
{X}_K  The formula X encrypted under the key K.
(X)_K  The formula X hashed under the key K.
〈X〉_Y  The formula X combined with the key Y.
P ⇌X Q  The formula X is a secret known only to P and Q.

BAN logical postulates

Message-meaning rule: If the principal P believes that he/she shares the secret key K with Q, and P sees the statement X encrypted under K, then P believes that Q once said X.

Nonce-verification rule: If the principal P believes that X is fresh and P believes that Q once said X, then P believes that Q believes X.

The belief rule: If the principal P believes X and Y, then P believes X.

Freshness-conjuncatenation rule: If the principal P believes that X is fresh, then P believes that (X, Y) is fresh.

Jurisdiction rule: If the principal P believes that Q has jurisdiction over X and P believes that Q believes X, then P believes X.

Idealized scheme

U_i: 〈y_i〉, 〈n_1, ID_i, PWD_i〉, (n_1, X_i, T_1)
S_j: 〈n_1, X_i, PWD_i〉, (ID_i, n_1, n_2, T_2)

Establishment of security goals

Initiative premises

p1. U_i |≡ #n_1
p2. U_i |≡ S_j ⇒ #n_2
p3. S_j |≡ #n_1
p4. S_j |≡ #n_2
p5.
p6.
p7. U_i |≡ ID_i
p8. S_j |≡ U_i ⇒ PWD_i
p9. S_j |≡ U_i ⇒ ID_i
p10. U_i |≡ S_j ⇒ X_i
p11.
p12.

Our proposed scheme analysis

a1. By p5, S_j ⊲ 〈y_i〉 and S_j ⊲ 〈n_1, ID_i, PWD_i〉, we apply the message-meaning rule to derive: S_j |≡ U_i |∼ (n_1, ID_i, PWD_i)
a2. By a1 and p3, we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive: S_j |≡ U_i |≡ (n_1, ID_i, PWD_i)
a3. By a2, p3 and p8, we apply the belief rule and the jurisdiction rule to derive: S_j |≡ ID_i
a4. By a3, we apply the message-meaning rule to derive:
a5. By p4 and a4, we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive:
By a5, we apply the belief rule to derive:
By g1 and p1, we apply the jurisdiction rule to derive:
a6. By p6 and U_i ⊲ (ID_i, n_1, n_2, T_2), we apply the message-meaning rule to derive: U_i |≡ S_j |∼ (ID_i, n_1, n_2, T_2)
a7. By p2 and a6, we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive: U_i |≡ S_j |≡ (ID_i, n_1, n_2, T_2)
a8. By a7, we apply the belief rule to derive: U_i |≡ S_j |≡ n_2
a9. By p2 and a8, we apply the jurisdiction rule to derive: U_i |≡ n_2
a10. By a9 and U_i ⊲ 〈n_1, X_i, PWD_i〉, we apply the message-meaning rule to derive: U_i |≡ S_j |∼ (n_1, X_i, PWD_i)
a11. By a10 and p1, we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive: U_i |≡ S_j |≡ (n_1, X_i, PWD_i)
By p1, p3, p4, p6, a11 and SK = h(n_1 ∥ n_2 ∥ K ∥ X_i), we apply the freshness-conjuncatenation rule and the nonce-verification rule to derive:
By g3 and p12, we apply the jurisdiction rule to derive:

Informal security analysis

In this subsection, we verify whether our proposed scheme is secure against a variety of known attacks.

Anonymity

Our proposed scheme can preserve identity anonymity since ID_i cannot be derived from M_1 without the knowledge of K; furthermore, K cannot be derived from Y_i without the random number y_i and the pre-shared secret key PSK. Also, owing to the one-way hash function, ID_i cannot be derived from M_5. Our proposed scheme therefore provides user anonymity.

Resisting outsider attack

Suppose that an adversary extracts all of the information from a smart card by using a side channel attack; however, he/she cannot obtain any of the secret information of S_j. The adversary can compute values from the extracted card contents, but y_i is a random number that is unique to the user and selected by the RC, and PSK is the pre-shared secret key between the RC and S_j; therefore, the adversary knows neither y_i nor PSK, and our proposed scheme can resist an outsider attack.

Resisting impersonation attack

Suppose that an adversary intercepts all of the messages {Y_i, Z_i, M_1, M_2, M_3, M_4, M_5, M_6, T_1, T_2, T_3} that are transmitted over a public channel between U_i and S_j; however, he/she cannot generate a legal login request message {Y_i, Z_i, M_1, M_2, M_3, T_1}, where Y_i = y_i ⊕ h(PSK), Z_i = h(X_i ∥ n_1 ∥ PWD_i ∥ T_1), M_1 = K ⊕ ID_i, M_2 = n_1 ⊕ K and M_3 = PWD_i ⊕ K, because the value y_i is a random number that is unique to the user and selected by the RC, and n_1 is a random number that is generated by U_i; furthermore, he/she cannot generate the login response message {M_4, M_5, T_2} without the random number n_2. Our proposed scheme can therefore resist an impersonation attack.

Session key agreement

Suppose that an adversary intercepts all of the messages {Y_i, Z_i, M_1, M_2, M_3, M_4, M_5, M_6, T_1, T_2, T_3} that are transmitted over a public channel between U_i and S_j, steals the smart card of U_i, and then extracts all of the information {V_i, W_i, X_i, Y_i, h(⋅), H(⋅)}; however, he/she cannot compute the session key SK = h(n_1 ∥ n_2 ∥ K ∥ X_i). To compute K from W_i, U_i’s identity ID_i is needed. To retrieve ID_i from V_i, the adversary needs to know PW_i and H(BIO_i). Since only U_i can imprint the biometrics BIO_i at the sensor, an adversary cannot obtain U_i’s identity ID_i and password PW_i. Our proposed scheme can therefore provide session key security.

Formal security analysis

In this subsection, we demonstrate the formal security analysis of our proposed scheme and show that it is secure. First, we define the one-way hash function as follows [29].

Definition 1. A secure one-way hash function h: {0, 1}* → {0, 1}^n, which takes as input an arbitrary-length binary string x ∈ {0, 1}* and outputs a fixed-length binary string h(x) ∈ {0, 1}^n, satisfies the following requirements:
a. Given y ∈ Y, it is computationally infeasible to find an x ∈ X such that y = h(x);
b. Given x ∈ X, it is computationally infeasible to find another x′ ≠ x ∈ X such that h(x′) = h(x);
c. It is computationally infeasible to find a pair (x′, x) ∈ X′ × X, with x′ ≠ x, such that h(x′) = h(x).

Theorem 1. Under the assumption that the one-way hash function h(⋅) closely behaves like an oracle, our proposed scheme is provably secure against an adversary for the protection of a user’s personal information, including the identity ID_i, password PW_i and biometrics BIO_i, the server’s secret number x that is selected by the RC, and the pre-shared secret key PSK between the RC and S_j.

Proof. The formal security proof of our proposed scheme is similar to those in [23, 29, 30]. Using the following oracle, we construct an adversary who will have the ability to derive the user U_i’s identity ID_i, password PW_i, biometrics BIO_i, the server’s secret number x that is selected by the RC, and the pre-shared secret key PSK between the RC and S_j.

Reveal: This random oracle will unconditionally output the input x from the given hash result y = h(x).

Now, the adversary runs the experimental algorithm that is shown in Table 4 for our proposed scheme JKMSE.

Table 4

Algorithm.

Eavesdrop login request message {Y_i, Z_i, M_1, M_2, M_3, T_1}
Call the Reveal oracle. Let (n_1′, X_i′, PWD_i′) ← Reveal(Z_i)
Eavesdrop login response message {M_4, M_5, T_2}
Call the Reveal oracle. Let (ID_i′, n_1″, n_2′, K′, T_2′) ← Reveal(M_5)
if (n_1′ = n_1″) then
  Call the Reveal oracle. Let (PW_i′, BIO_i′) ← Reveal(PWD_i′)
  Call the Reveal oracle. Let (ID_i″, x′) ← Reveal(X_i′)
  Compute K″ = M_2 ⊕ n_1′
  if (K′ = K″) then
    Call the Reveal oracle. Let (h(y_i′ ∥ PSK′), SID_j′) ← Reveal(K′)
    Compute n_2″ = M_4 ⊕ h(n_1′ ∥ X_i′ ∥ PWD_i′)
    if (n_2′ = n_2″) then
      Call the Reveal oracle. Let (y_i′ ∥ PSK′) ← Reveal(h(y_i′ ∥ PSK′))
      Accept ID_i′, PW_i′, BIO_i′, y_i′ as the correct ID_i, PW_i, BIO_i and y_i of U_i, and x′ and PSK′ as the correct secret number of S_j and pre-shared secret key between the RC and S_j
      return 1
    else
      return 0
    end if
  else
    return 0
  end if
else
  return 0
end if

Let the success probability of the adversary in this experiment be defined accordingly; the advantage function for this experiment is then its maximum, where the maximum is taken over all adversaries with execution time t and number of queries q made to the Reveal oracle. Consider the experiment that is shown in Table 4 for the adversary. If the adversary has the ability to solve the hash function problem that is given in Definition 1, then he/she can directly derive U_i’s identity ID_i, password PW_i, biometrics BIO_i, the server’s secret number x that is selected by the RC, and the pre-shared secret key PSK between the RC and S_j. In this case, the adversary will discover the complete connections between U_i and S_j; however, it is a computationally infeasible problem to invert the input from a given hash value, i.e., the corresponding advantage is negligible for every ϵ > 0. Then, the same bound holds for the adversary’s advantage in this experiment, since it depends on the advantage of inverting the hash function. As a result, there is no way for the adversary to discover the complete connections between U_i and S_j by deriving (ID_i, PW_i, BIO_i, y_i, x, PSK), and our proposed scheme is provably secure against such an adversary.

Functional and performance analysis

In this section, we evaluate the functionality and compare the computational costs of our proposed scheme and the other related schemes [18-23].

Functional analysis

Table 5 lists the functionality comparisons of our proposed scheme with the other related schemes. The table shows that the proposed scheme achieves all of the security and functionality requirements and is more secure than the other related schemes.
Table 5

Functionality comparison.

Property                          Ours  [23]  [22]  [21]  [20]  [19]  [18]
Provide mutual authentication     Yes   Yes   Yes   No    Yes   Yes   Yes
User anonymity                    Yes   No    Yes   Yes   Yes   Yes   Yes
Resist insider attack             Yes   Yes   Yes   Yes   Yes   No    Yes
Resist off-line guessing attack   Yes   Yes   Yes   Yes   Yes   No    Yes
Resist stolen smart card attack   Yes   No    Yes   No    -     Yes   Yes
Resist replay attack              Yes   Yes   No    No    No    No    No
Resist verifier attack            Yes   Yes   Yes   Yes   -     No    Yes
Session key agreement             Yes   No    Yes   Yes   Yes   No    Yes
Efficient password change phase   Yes   Yes   No    No    Yes   No    No

Performance analysis

For the performance comparison, the two cost units are the execution times of a symmetric encryption/decryption operation and of a hash function evaluation (T_H), respectively. Recently, Xue and Hong [31] estimated the running times of different cryptographic operations: a symmetric encryption/decryption takes nearly 0.45 ms on average, and T_H is below 0.2 ms on average in their environment (CPU: 3.2 GHz, RAM: 3.0 GB). Table 6 shows a comparison of the computational costs of the proposed scheme with the other related schemes. In the performance comparison, the proposed scheme requires a greater amount of computation to accomplish mutual authentication and key agreement than Chuang et al.’s scheme, as the proposed scheme performs four further hash operations; however, these operations consume a very small amount of time.
Table 6

Computational costs comparison.

Schemes             Registration  Login  Authentication  Total  Time (ms)
Li et al. [18]      6T_H          6T_H   12T_H           24T_H  4.8
Xue et al. [19]     7T_H          6T_H   17T_H           30T_H  6.0
Lu et al. [20]      6T_H          5T_H   13T_H           24T_H  4.8
Chuang et al. [21]  3T_H          4T_H   13T_H           20T_H  4.0
Mishra et al. [22]  7T_H          4T_H   11T_H           22T_H  4.4
Lu et al. [23]      5T_H          6T_H   12T_H           23T_H  4.6
Our proposed        5T_H          5T_H   13T_H           23T_H  4.6

T_H: hash function evaluation

Conclusion

In this paper, we analyzed the security weaknesses of a biometrics-based authentication scheme for multi-server environments by Lu et al. Lu et al. claimed that their authentication scheme is secure and provides user anonymity; however, we found that Lu et al.’s scheme is still insecure against outsider attacks and impersonation attacks. To resolve these security vulnerabilities, we proposed an improved authentication protocol that retains the merits of Lu et al.’s scheme and also achieves comprehensive security. The security analysis in this paper shows that the proposed scheme rectifies the weaknesses of Lu et al.’s scheme.

References

1.  Robust and efficient biometrics based password authentication scheme for telecare medicine information systems using extended chaotic maps.

Authors:  Yanrong Lu; Lixiang Li; Haipeng Peng; Dong Xie; Yixian Yang
Journal:  J Med Syst       Date:  2015-04-22       Impact factor: 4.460

2.  Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards.

Authors:  Yanrong Lu; Lixiang Li; Xing Yang; Yixian Yang
Journal:  PLoS One       Date:  2015-05-15       Impact factor: 3.240

3.  Efficient and anonymous two-factor user authentication in wireless sensor networks: achieving user anonymity with lightweight sensor computation.

Authors:  Junghyun Nam; Kim-Kwang Raymond Choo; Sangchul Han; Moonseong Kim; Juryon Paik; Dongho Won
Journal:  PLoS One       Date:  2015-04-07       Impact factor: 3.240

4.  An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem.

Authors:  Yanrong Lu; Lixiang Li; Haipeng Peng; Yixian Yang
Journal:  J Med Syst       Date:  2015-02-14       Impact factor: 4.460

5.  Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics.

Authors:  Younsung Choi; Junghyun Nam; Donghoon Lee; Jiye Kim; Jaewook Jung; Dongho Won
Journal:  ScientificWorldJournal       Date:  2014-09-08

6.  Password-only authenticated three-party key exchange with provable security in the standard model.

Authors:  Junghyun Nam; Kim-Kwang Raymond Choo; Junghwan Kim; Hyun-Kyu Kang; Jinsoo Kim; Juryon Paik; Dongho Won
Journal:  ScientificWorldJournal       Date:  2014-04-14

7.  Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks.

Authors:  Jiye Kim; Donghoon Lee; Woongryul Jeon; Youngsook Lee; Dongho Won
Journal:  Sensors (Basel)       Date:  2014-04-09       Impact factor: 3.576
