
Cryptanalysis and Improvement of a Biometric-Based Multi-Server Authentication and Key Agreement Scheme.

Chengqi Wang1, Xiao Zhang1, Zhiming Zheng1.   

Abstract

As network security requirements grow, biometric-based authentication schemes for the multi-server environment are becoming more important and more widely deployed. In this paper we propose a novel biometric-based multi-server authentication and key agreement scheme built on a cryptanalysis of Mishra et al.'s scheme. Informal and formal security analyses show that the scheme satisfies the desirable security requirements. The scheme also provides several significant functionalities that most existing authentication schemes do not consider, such as user revocation or re-registration and protection of biometric information. Compared with several related schemes, ours offers more security properties at lower computation cost, which makes it more appropriate for practical applications in remote distributed networks.


Year:  2016        PMID: 26866606      PMCID: PMC4750975          DOI: 10.1371/journal.pone.0149173

Source DB:  PubMed          Journal:  PLoS One        ISSN: 1932-6203            Impact factor:   3.240


Introduction

With the rapid development of the Internet, advances in information and communication technology have improved the quality of online services in distributed networks, which offer users highly useful services in many areas such as online medicine, online education, online shopping and Internet banking [1, 2]. Because users and servers always interact over a public channel, the design and analysis of secure and efficient authentication schemes have received considerable attention [3]. Since Lamport proposed the first one, a great number of authentication schemes providing authorized communication between remote entities have been presented [4-9]. According to the evidence used for authentication, existing schemes fall into two categories: certificate-based and identity-based [10-16]. The former requires high computation cost and large storage space to manage the certificate store. Even when an elliptic curve cryptosystem is introduced, certificate management is not simplified, so certificate-based schemes are unacceptable in real-time applications such as multimedia and video conferencing. To solve these problems, Shamir proposed an identity-based public key cryptosystem [17], but the integer factorization problem on which Shamir's scheme relies is difficult to implement efficiently [18]. Other identity-based schemes were then presented, based on pairing operations or elliptic curves [19-24], but most of them are inefficient because of their complicated structure [25-28]. Therefore, secure identity-based authentication schemes that use only random numbers and hash functions are considered the optimal design for mobile users and real-time applications. Furthermore, identity-based authentication schemes have security vulnerabilities when passwords and tokens are compromised [29-35].
In particular, users find it difficult to remember long random passwords, while short passwords have low entropy and are easily broken by simple dictionary attacks. It is also feasible to extract the information stored in a smart card by side-channel attacks such as SPA or DPA [36]. To address these problems, many researchers have combined biometrics, passwords and tokens to strengthen authentication schemes [37-39]. The uniqueness of biometrics makes it difficult for an adversary to forge biometric information [40, 41], and users do not have to remember their biometrics. In practice, however, the biometric characteristics a user imprints are not exactly the same every time, so using them directly leads to a low acceptance rate for valid users in biometric-based authentication schemes [42]. Since rejecting authorized users significantly affects the availability of a scheme, we introduce a fuzzy extractor, which is easy to implement in a smart card, to reduce the rejection probability effectively [43, 44]. Meanwhile, conventional authentication schemes are not suitable for the multi-server environment [45, 46]. When a single-server authentication scheme is used in a multi-server environment, users must not only register repeatedly to log in to different remote servers but also remember a different identity and password for each server, which discourages the adoption of large network-based applications. With the assistance of a registration center, a single registration lets a remote distributed system grant users access to its resources efficiently and conveniently, which is an important consideration in the multi-server architecture. Besides, the authentication mechanism must achieve a higher level of security in the multi-server environment [47].
Many multi-server authentication schemes have defects because users apply the same identity and password to log in to different servers [48-50]. This gives adversaries the opportunity to trace legitimate users, and usually makes the schemes vulnerable to insider, masquerade and server spoofing attacks. For example, Chuang and Chen [51] proposed an anonymous multi-server authenticated key agreement scheme in 2014 and claimed that it not only supported multiple servers but also met various security requirements. However, Choi et al. [52] pointed out that Chuang and Chen's scheme was vulnerable to the smart card attack, user impersonation attack, masquerade attack and DoS attack, and did not achieve perfect forward secrecy. To be both secure and efficient, an authentication scheme for the multi-server environment should meet the following requirements: 1) the registration center should not take part in the authentication phase, to avoid a bottleneck; 2) the smart card should not have to hold multiple secret keys, to reduce storage; 3) servers should be easy to add at a later stage; and 4) the involved servers need not all be trusted [3]. Thus, more work on multi-server authenticated key agreement schemes is needed. Recently, Mishra et al. [53] proposed a user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards, intended for expert systems that need anonymous authentication in a multi-server environment. Expert systems, which emulate the decision-making capabilities of human experts, have several applications such as security auditing and network management. Mishra et al. claimed that their scheme satisfied all the security attributes.
Unfortunately, the cryptanalysis given in this paper shows that their scheme does not resist the masquerade attack, replay attack and Denial-of-Service (DoS) attack, and that it fails to achieve perfect forward secrecy. In addition, most existing authentication schemes give no consideration to a revocation or re-registration phase. To solve these problems, we propose a robust biometric-based multi-server authentication and key agreement scheme that improves Mishra et al.'s scheme and satisfies the desirable security requirements. The presented scheme provides a variety of significant functionalities, such as anonymity, mutual authentication, session key agreement, perfect forward secrecy, user revocation or re-registration, and biometric information protection. Comparison results show that our scheme has more security properties, more functionalities and lower computation cost, which makes it more appropriate for practical applications in remote distributed networks. The remainder of the paper is organized as follows. The next section briefly introduces the threat assumptions, the fuzzy extractor and the one-way collision-resistant hash function adopted in our scheme. Section 3 reviews Mishra et al.'s scheme and Section 4 discusses its weaknesses. Section 5 describes the proposed scheme in detail, Section 6 provides the security, functionality and performance analysis, and the last section concludes.

Preliminaries

In this section, we describe the threat assumptions, the fuzzy extractor and the one-way collision-resistant hash function used in our scheme.

Threat assumptions

In this paper, we adopt the Dolev-Yao threat model [54] and consider the risk of side-channel attacks [55], which gives the following threat assumptions:
1) Adversary E eavesdrops on all communications between user and server over the public channel.
2) Adversary E can modify, delete, resend and reroute the eavesdropped messages.
3) Adversary E may be a malicious user of the system or an outsider.
4) Adversary E can extract the sensitive information stored in a lost or stolen smart card by examining its power consumption.

Fuzzy extractor

The mechanism of fuzzy extractor consists of two procedures (Gen, Rep), which is illustrated in Fig 1.
Fig 1

The mechanism of fuzzy extractor.

The function Gen is a probabilistic generation procedure: it takes the biometric input BIO and outputs a nearly random fixed-length binary string R together with an auxiliary (public) binary string P ∈ {0, 1}*. The function Rep is a deterministic reproduction procedure that recovers R from the auxiliary string P and a fresh biometric reading BIO*. If Gen(BIO) → 〈R, P〉 and dis(BIO, BIO*) ≤ t, then Rep(BIO*, P) = R; otherwise Rep gives no guarantee. This error tolerance makes it dependable to recover the nearly uniform randomness R from a biometric input BIO* with the help of P, as long as BIO* remains reasonably close to the original input BIO. More details about fuzzy extractors are given in [43, 44].
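The following Python block is an added example, not code from the paper or from Mishra et al.: it implements (Gen, Rep) with the classic code-offset construction, using a bit-repetition code as the error-correcting code and SHA-256 as the extractor of R. The template length, the per-block tolerance T and the sample templates are constructed for the example; a real deployment would use a stronger code and a proper randomness extractor. The demo re-reads an enrolled template twice at the same Hamming distance and shows that recovery depends on how the errors are spread, which is the "no guarantee beyond t" caveat above.

```python
import hashlib
import secrets

# Parameters constructed for this example (not taken from the paper): every bit of
# the underlying secret is spread over a repetition-code block of 2*T + 1 template
# bits, so Rep corrects up to T flipped bits inside each block. Any reading with
# dis(BIO, BIO*) <= T is therefore always recovered; more distant readings are
# recovered only if the errors stay spread across blocks.
T = 2
BLOCK = 2 * T + 1
SECRET_BITS = 16
BIO_BITS = SECRET_BITS * BLOCK        # length of a biometric template in bits


def _hash_bits(bits):
    """R = h(s): turn the decoded secret bits into a nearly uniform 256-bit string."""
    return hashlib.sha256("".join(map(str, bits)).encode()).digest()


def gen(bio):
    """Gen(BIO) -> (R, P): code-offset construction with a repetition code."""
    if len(bio) != BIO_BITS:
        raise ValueError("template must have %d bits" % BIO_BITS)
    s = [secrets.randbelow(2) for _ in range(SECRET_BITS)]
    codeword = [bit for bit in s for _ in range(BLOCK)]       # encode s
    helper = [b ^ c for b, c in zip(bio, codeword)]           # P = BIO xor c
    return _hash_bits(s), helper


def rep(bio_star, helper):
    """Rep(BIO*, P) -> R: remove the offset, then majority-decode each block."""
    noisy = [b ^ q for b, q in zip(bio_star, helper)]         # = c xor (BIO xor BIO*)
    s = [1 if sum(noisy[i:i + BLOCK]) > T else 0 for i in range(0, BIO_BITS, BLOCK)]
    return _hash_bits(s)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def flip(bits, positions):
    """A noisy re-reading of a template: the given bit positions are flipped."""
    out = list(bits)
    for pos in positions:
        out[pos] ^= 1
    return out


def demo():
    """Enrol a constructed random template and re-read it twice at distance 3."""
    rng = secrets.SystemRandom()
    bio = [rng.randrange(2) for _ in range(BIO_BITS)]
    r, p = gen(bio)
    spread = flip(bio, [0, 7, 33])       # one flip in each of three different blocks
    clustered = flip(bio, [0, 1, 2])     # three flips inside one block: exceeds T
    return {
        "spread_distance": hamming(bio, spread),
        "spread_recovers": rep(spread, p) == r,
        "clustered_distance": hamming(bio, clustered),
        "clustered_recovers": rep(clustered, p) == r,
    }
```

The helper string P may be stored on the smart card in the clear: it is the template masked by a uniformly random codeword, so it reveals nothing about R to someone who does not hold a reading close to BIO.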

One-way collision-resistant hash function

A one-way collision-resistant hash function h(x) is a deterministic algorithm that maps a binary string of arbitrary length to a binary string of fixed length [56]. Given a hash value and the function, it is computationally infeasible to recover the input x; this is the one-way property. A hash function also has weak and strong collision resistance: for a given input x, finding any y ≠ x with h(x) = h(y) is computationally infeasible (weak collision resistance, or second-preimage resistance), and finding any pair (x, y) with x ≠ y and h(x) = h(y) is computationally infeasible (strong collision resistance). The best-known example is SHA-1; however, Manuel [57] showed in 2011 that SHA-1 is insecure against collision attacks (a practical SHA-1 collision was published in 2017), so we use SHA-2 as the secure hash function in our scheme.

Review of Mishra et al.’s scheme

Recently, Mishra et al. proposed a biometric-based multi-server key agreement scheme using smart cards to achieve light-weight authentication and user anonymity. Their scheme has five phases: the server registration phase, user registration phase, login phase, authentication phase and password change phase. RC is the trusted third party responsible for registering users and servers. Table 1 lists the notation used in their scheme.
Table 1

Symbols and notions in Mishra et al.’s scheme.

Symbol            Notion
Ui, Sj            ith user and jth server
RC, E             The registration center and the adversary
IDi, SIDj         Ui's identity and Sj's identity
SCi, PWi, BIOi    Ui's smart card, password and biometrics
PSK, x            Pre-shared key and master secret key
h(⋅), H(⋅)        Hash function and biohash function
⊕, ||             XOR operation and concatenation operation

Server registration phase

Server Sj sends a join message to RC. After receiving the join message, RC replies with the pre-shared key (PSK) to Sj through a secure channel. Holding PSK, the authorized server Sj uses this key to authenticate legitimate users.

User registration phase

The new user Ui selects the identity ID and password PW, generates a random number N, computes W1 = h(PW||N) and W2 = h(ID ⊕ N), and sends the registration request message {ID, W1, W2} to RC via a secure channel. After receiving the request, RC computes A = h(ID||x||T), B = h(A), X = B ⊕ W1, Y = h(PSK) ⊕ W2 and Z = PSK ⊕ A, where T is the registration time, and issues the smart card SC containing {X, Y, Z, h(⋅)} to Ui via a secure channel. Upon receiving SC, Ui imprints the personal biometrics BIO at the sensor and computes N' = N ⊕ H(BIO) and V = h(ID||N||PW). Finally, Ui stores {X, Y, Z, N', V, h(⋅)} in SC.

Login phase

Ui inserts SC into the smart card reader, inputs the identity ID and password PW, and imprints the biometrics BIO at the sensor. SC computes N = N' ⊕ H(BIO) and checks whether h(ID||N||PW) = V holds. If it holds, SC further computes W1 = h(PW||N), W2 = h(ID ⊕ N), B = X ⊕ W1 and h(PSK) = Y ⊕ W2. SC then generates a random number n1 and computes M1 = h(PSK) ⊕ n1, M2 = ID ⊕ h(n1||B) and M3 = h(ID||n1||B). Ui sends the login request message {Z, M1, M2, M3} to Sj over a public channel.

Authentication phase

On receiving the login request message, Sj computes A = Z ⊕ PSK, B = h(A), n1 = M1 ⊕ h(PSK) and ID = M2 ⊕ h(n1||B), and verifies whether h(ID||n1||B) equals M3. If so, Sj generates a random number n2 and computes the session key SK = h(ID||SID||B||n1||n2), M4 = n2 ⊕ h(ID||n1) and M5 = h(SK||n1||n2), and sends the authentication request message {SID, M4, M5} to SC via a public channel. Upon receiving it, SC retrieves n2 = M4 ⊕ h(ID||n1), computes SK = h(ID||SID||B||n1||n2) and checks whether h(SK||n1||n2) = M5 holds. If it holds, SC computes M6 = h(SK||n2||n1) and delivers the authentication reply {M6} to Sj via a public channel. Sj verifies whether h(SK||n2||n1) = M6 holds; if it does, Sj can use the session key SK to communicate with Ui.

Password change phase

Ui inputs ID and PW and imprints his biometrics BIO at the sensor. SC computes N = N' ⊕ H(BIO) and checks whether h(ID||N||PW) = V holds. If the verification holds, Ui chooses a new password, and SC computes W1 = h(PW||N) together with the new W1, X and V derived from the new password, then replaces X and V in its memory with the new values.

Cryptanalysis of Mishra et al.’s scheme

This section presents a cryptanalysis of Mishra et al.'s scheme and shows that it is vulnerable to the masquerade attack, the replay attack and the Denial-of-Service attack, and that it fails to achieve perfect forward secrecy. Furthermore, Mishra et al.'s scheme provides no revocation/re-registration functionality for the user.

Masquerade attack

Mishra et al.'s scheme is vulnerable to the masquerade attack. More precisely, adversary E can be authenticated by another server Sk using the messages that user Ui sends to server Sj for authentication. Fig 2 shows the masquerade attack on Mishra et al.'s scheme.
Fig 2

The masquerade attack on Mishra et al.’s scheme.

First, Ui inserts the smart card and sends the login request message (1) to Sj when he wants to be authenticated by Sj. E intercepts message (1) and forwards it to another server Sk. Message (1) carries no information about the intended server Sj:

(1) {Z, M1, M2, M3}, where Z = PSK ⊕ h(ID||x||T), M1 = h(PSK) ⊕ n1, M2 = ID ⊕ h(n1||B) and M3 = h(ID||n1||B).

Therefore Sk executes operation (2) and sends the authentication request message (3) to E without any suspicion of the attack. E then forwards message (3) to Ui. Ui does not check the identity of the server; he only checks that the SID used in M5 matches the SID carried in message (3):

(3) {SIDk, M4, M5}, where M4 = n2 ⊕ h(ID||n1), M5 = h(SK||n1||n2) and SK = h(ID||SIDk||B||n1||n2).

So Ui executes operation (4) and sends the authentication reply message (5) to Sk without any suspicion of the attack. Finally, E intercepts message (5) and forwards it to Sk, and is thus authenticated by Sk. In conclusion, E can masquerade as a legitimate user to log in to Sk, so Mishra et al.'s scheme is vulnerable to the masquerade attack. In their scheme Sk cannot check whether Ui wants to be authenticated by Sk, so Sk accepts every well-formed login request even when it was not addressed to Sk. Similarly, Ui does not check whether Sj is the server that is authenticating him; he only checks that the SID in message (3) and the SID used in M5 agree. To meet these challenges, the destination of each message must be bound into the login request message (1) and the authentication request message (3). We therefore add the identity SIDj of server Sj to message (1), which states that Ui wants to be authenticated by Sj and not by Sk, and add the anonymous identity AIDi of user Ui to message (3), which states that Sj wants to be authenticated with that anonymous user.

Replay attack

In the same way, Mishra et al.'s scheme is vulnerable to the replay attack. Adversary E logs in to server Sj with a previously captured login request message (1). On receiving it, Sj computes A = Z ⊕ PSK, n1 = M1 ⊕ h(PSK) and ID = M2 ⊕ h(n1||h(A)), and verifies whether h(ID||n1||B) = M3 holds, without any suspicion of the attack. Since the verification holds, Sj authenticates E, and E logs in to Sj. Thus Mishra et al.'s scheme is vulnerable to the replay attack. The root cause is that Sj does not check the freshness of the login request message, so it accepts every well-formed login request even if it is not fresh. A practical countermeasure is to add a timestamp to message (1) so that Sj can verify its freshness.

Denial-of-Service attack

Although the means and targets vary, a DoS attack is generally an attempt to make a machine or network resource unavailable to its intended users by temporarily or indefinitely interrupting or suspending the services of a host connected to the network. In Mishra et al.'s scheme, an adversary E can carry out a DoS attack without difficulty. Fig 3 describes the procedure and effect of the DoS attack on Mishra et al.'s scheme.
Fig 3

The DoS attack on Mishra et al.’s scheme.

In particular, E collects a previous login request message {Z, M1, M2, M3} from user Ui and forwards it to server Sj. Upon receiving it, Sj executes operation (2) as always, which involves generating one random number, sending one message, 4 XOR operations and 7 hash computations. By submitting intercepted login request messages repeatedly, E can exhaust the server's resources and make its services unavailable, so Mishra et al.'s scheme is vulnerable to the DoS attack. The reason is again that Sj cannot check the freshness of a login request from Ui; it does not know whether a received message is outdated, so it executes operation (2) for every login request it receives. To resist the DoS attack, a timestamp must be added to the login request message (1), which lets the servers check the freshness of messages.

No perfect forward secrecy

Perfect forward secrecy means that the compromise of a long-term key does not compromise the session keys established in earlier sessions [58]. Unfortunately, Mishra et al.'s scheme does not achieve it: adversary E can compute all session keys between Ui and Sj if he learns one long-term key such as A. First, E intercepts Z, M1 and M2 from message (1) and SID and M4 from message (3) of a previous communication between Ui and Sj. Knowing A, E computes PSK = A ⊕ Z and B = h(A). Then E computes n1 = M1 ⊕ h(PSK), ID = M2 ⊕ h(n1||B) and n2 = M4 ⊕ h(ID||n1). Finally, E obtains every previous session key from SK = h(ID||SID||B||n1||n2). Therefore Mishra et al.'s scheme does not achieve perfect forward secrecy. In their scheme A is a key shared between RC and Ui, computed as A = h(ID||x||T), and RC stores A and h(A) (masked) in the smart card SC. The value of A is unchanged even when Ui updates the password, so A is a long-term key. This shows that the generation of session keys is defective. To solve the problem, another secret such as PSK needs to enter the generation of session keys, and E must be prevented from computing all session keys from the long-term key A together with the information on the public channel.
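The following Python block is an added example, not code from the paper or from Mishra et al.: it models the registration, login and authentication exchange reviewed in Section 3 and then exercises the three failures described in this section and the two before it. The same message (1) is accepted a second time (replay), the same message forwarded to a second server completes a session there (masquerade), and an adversary holding the long-term value A recomputes an old session key from the transcript (no forward secrecy). Assumptions: h is SHA-256 over 32-byte fields, the biohash H is modelled by SHA-256 of a constructed template, identities are zero-padded to 32 bytes, and the compromised A is derived from PSK in the demo only to stand in for that compromise.

```python
import hashlib
import secrets


def h(*parts):
    """h(a||b||...) modelled as SHA-256 over the concatenation of 32-byte fields."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(s):
    """Zero-pad a short identity string to 32 bytes so it can be XORed with digests."""
    return s.encode().ljust(32, b"\x00")


class RegistrationCenter:
    def __init__(self):
        self.x = secrets.token_bytes(32)     # master secret key x
        self.psk = secrets.token_bytes(32)   # pre-shared key PSK handed to every server

    def register_user(self, ID, W1, W2, T=b"2016-01-01"):   # T: registration time (constructed)
        A = h(pad(ID), self.x, T)            # A = h(ID||x||T)
        B = h(A)
        return xor(B, W1), xor(h(self.psk), W2), xor(self.psk, A)   # X, Y, Z


class Server:
    def __init__(self, SID, psk):
        self.SID, self.psk = pad(SID), psk

    def authenticate(self, login):
        """Operation (2): stateless, so any well-formed message (1) is accepted."""
        Z, M1, M2, M3 = login
        A = xor(Z, self.psk)
        B = h(A)
        n1 = xor(M1, h(self.psk))
        ID = xor(M2, h(n1, B))
        if h(ID, n1, B) != M3:
            return None
        n2 = secrets.token_bytes(32)
        SK = h(ID, self.SID, B, n1, n2)      # SK = h(ID||SID||B||n1||n2)
        return (self.SID, xor(n2, h(ID, n1)), h(SK, n1, n2)), SK   # message (3), SK


class SmartCard:
    def __init__(self, rc, ID, PW, BIO):
        self.ID, self.PW = pad(ID), PW.encode()
        N = secrets.token_bytes(32)
        self.X, self.Y, self.Z = rc.register_user(ID, h(self.PW, N), h(xor(self.ID, N)))
        self.N_masked = xor(N, h(BIO))       # N' = N xor H(BIO); biohash modelled as SHA-256
        self.V = h(self.ID, N, self.PW)

    def login(self, BIO):
        """Build message (1) = {Z, M1, M2, M3}; keep n1 and B for the reply check."""
        N = xor(self.N_masked, h(BIO))
        if h(self.ID, N, self.PW) != self.V:
            raise ValueError("local check of ID/PW/BIO failed")
        self.B = xor(self.X, h(self.PW, N))
        hPSK = xor(self.Y, h(xor(self.ID, N)))
        self.n1 = secrets.token_bytes(32)
        return (self.Z, xor(hPSK, self.n1), xor(self.ID, h(self.n1, self.B)),
                h(self.ID, self.n1, self.B))

    def finish(self, reply):
        """Operation (4): the only check on the server is that M5 matches the SID it sent."""
        SID, M4, M5 = reply
        n2 = xor(M4, h(self.ID, self.n1))
        SK = h(self.ID, SID, self.B, self.n1, n2)
        if h(SK, self.n1, n2) != M5:
            raise ValueError("server reply rejected")
        return SK


def run_attacks():
    """Honest run, then the replay, redirection and forward-secrecy failures."""
    rc = RegistrationCenter()
    S1, S2 = Server("S1", rc.psk), Server("S2", rc.psk)
    card = SmartCard(rc, "alice", "pw", b"alice-template")   # constructed biometric
    msg1 = card.login(b"alice-template")                      # intended for S1
    reply, sk_server = S1.authenticate(msg1)
    sk_user = card.finish(reply)

    replay = S1.authenticate(msg1)                            # same message (1) again
    redirect = S2.authenticate(msg1)                          # forwarded to S2 instead

    # Forward secrecy: the adversary is assumed to hold the long-term value A
    # (taken from Z and PSK here only to simulate that compromise).
    A = xor(msg1[0], rc.psk)
    psk, B = xor(A, msg1[0]), h(A)
    n1 = xor(msg1[1], h(psk))
    ID = xor(msg1[2], h(n1, B))
    n2 = xor(reply[1], h(ID, n1))
    return {
        "honest_agree": sk_user == sk_server,
        "replay_accepted": replay is not None,
        "redirect_completed": redirect is not None and card.finish(redirect[0]) == redirect[1],
        "pfs_recovered": h(ID, reply[0], B, n1, n2) == sk_server,
    }
```

Note that the forward-secrecy recovery also yields PSK (from A ⊕ Z), so a single compromised A exposes the server-side long-term secret as well as the user's past sessions.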

No user revocation/re-registration phase

Mishra et al.'s scheme has no user revocation/re-registration phase, so user Ui cannot revoke his privilege or re-register when his smart card SC is stolen or lost. To extend the functionality of the scheme, we design a corresponding revocation/re-registration phase; the details are given in Section 5.6.

The proposed scheme

Based on the cryptanalysis of Mishra et al.'s scheme, we present a novel robust biometric-based multi-server authentication and key agreement scheme consisting of six phases: server registration, user registration, login, authentication, password change and revocation/re-registration. There are three participants: user Ui, server Sj and registration center RC. Table 2 lists the notation used in our scheme.
Table 2

Symbols and notions in our scheme.

Symbol            Notion
Ui, Sj            ith user and jth server
RC, E             The registration center and the adversary
IDi, AIDi, SIDj   Ui's identity, dynamic (anonymous) identity and Sj's identity
SCi, PWi, BIOi    Ui's smart card, password and biometrics
Ri, Pi            Ui's nearly random binary string and auxiliary binary string
PSK, x            Pre-shared key and master secret key
h(⋅), ⊕, ||       Hash function, XOR operation and concatenation operation
The proposed scheme improves Mishra et al.'s scheme in several respects: 1) it resists the masquerade attack by binding the destination into each message, 2) it appends a timestamp to prevent the Denial-of-Service (DoS) attack, 3) it introduces the pre-shared key (PSK) into the generation of session keys to achieve perfect forward secrecy, 4) it provides a revocation/re-registration phase for the user's requirements, and 5) it improves performance, especially in the login phase. The details are described in the following subsections. The server registration phase is illustrated in Fig 4 and explained as follows.
Fig 4

The server registration phase.

A server Sj that wants to become an authorized server in the system sends a join request message to the registration center RC. After receiving the join request, RC authorizes the server and delivers the pre-shared key (PSK) to Sj over a secure channel established with the Internet Key Exchange protocol (IKEv2). Holding PSK, the authorized server Sj uses the shared information PSK and h(PSK) to check a user's legitimacy in the authentication phase. A new user Ui must execute the user registration phase with RC via a secure channel. The user registration phase is shown in Fig 5 and described as follows.
Fig 5

The user registration phase.

First, Ui imprints the personal biometric information BIO at the sensor. The sensor sketches BIO, extracts (R, P) with Gen(BIO) → (R, P), and keeps P. Next, Ui selects the identity ID and password PW and computes RPW = h(PW||R). Finally, Ui sends the registration request message {ID, RPW} to RC via a secure channel. After receiving it, RC adds a new entry 〈ID, N = 1〉 to its database, where N counts the user's registrations. RC then computes A = h(ID||x||T), B = RPW ⊕ h(A), C = B ⊕ h(PSK), D = PSK ⊕ A ⊕ h(PSK) and V = h(ID||RPW), where T is the registration time, and issues the smart card SC containing {B, C, D, V} to Ui over a secure channel. Upon receiving SC, Ui stores P in SC and initializes the authentication environment. During the login phase, SC can detect an erroneous input immediately using the identity, password and biometric information. The login phase is illustrated in Fig 6 and explained as follows.
Fig 6

The login phase.

Ui inserts SC into the smart card reader, inputs the identity ID and password PW, and imprints the biometrics BIO* at the sensor. The sensor sketches BIO* and recovers R = Rep(BIO*, P). SC computes RPW = h(PW||R) and checks whether h(ID||RPW) = V holds. If it holds, SC computes h(PSK) = B ⊕ C, generates a random number N1, and computes AID = ID ⊕ h(N1), M1 = RPW ⊕ N1 ⊕ h(PSK) and M2 = h(AID||N1||RPW||SID||T1), where T1 is the current timestamp. SC sends the login request message {AID, M1, M2, B, D, T1} to Sj via a public channel. In the authentication phase, server Sj confirms the destination and freshness of the login request message. The authentication phase is shown in Fig 7 and described as follows.
Fig 7

The authentication phase.

On receiving the login request message from Ui, server Sj verifies whether T2 − T1 ≤ ΔT holds, where ΔT is the allowed time interval and T2 is the time at which Sj receives the login request. If it holds, Sj continues; otherwise the login request is rejected. Sj retrieves A = D ⊕ PSK ⊕ h(PSK), RPW = B ⊕ h(A) and N1 = RPW ⊕ M1 ⊕ h(PSK), and verifies whether h(AID||N1||RPW||SID||T1) equals M2 using its own identity SID, which also confirms that the request was addressed to Sj. If this verification holds, Sj generates a random number N2 and computes the session key SK = h(AID||SID||N1||N2), M3 = N2 ⊕ h(AID||N1) ⊕ h(PSK) and M4 = h(SID||N2||AID), and sends the authentication request message {SID, M3, M4} to Ui via a public channel. Upon receiving it, SC retrieves N2 = M3 ⊕ h(AID||N1) ⊕ h(PSK), computes SK = h(AID||SID||N1||N2) and checks whether h(SID||N2||AID) = M4 holds. If it holds, SC computes M5 = h(SK||N1||N2) and delivers the authentication reply {M5} to Sj via a public channel. Sj verifies whether h(SK||N1||N2) = M5 holds; if so, Sj uses the session key SK to communicate with Ui, otherwise the authentication is rejected.

Password change phase

During the password change phase, Ui updates the password without any assistance from server Sj or registration center RC. This phase consists of the following steps. Ui inputs ID and PW and imprints his biometrics BIO* at the sensor. The sensor sketches BIO* and recovers R = Rep(BIO*, P). SC computes RPW = h(PW||R) and checks whether h(ID||RPW) = V holds. If the verification holds, SC asks Ui for a new password; otherwise the password change phase is terminated immediately. Ui inputs the new password, and SC computes the new values of RPW, B, C and V from it and replaces B, C and V in its memory with the new values.
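The following Python block is an added example, not the authors' code: it implements the user registration, login and authentication phases described above with the two new checks, the freshness window T2 − T1 ≤ ΔT and the server identity SID bound into M2, and shows that a login request forwarded to a different server and a late replay are both rejected. Assumptions: h is SHA-256 over 32-byte fields, identities are zero-padded to 32 bytes, timestamps are integer seconds, ΔT is set to 5 s (the paper does not fix a value), and R is the fuzzy-extractor output taken as a fixed 32-byte string. One addition beyond the text is labelled in the code: the server remembers the (AID, T1) pairs it has already accepted inside ΔT, because the timestamp check alone would still accept a replay that arrives within the window.

```python
import hashlib
import secrets

DELTA_T = 5          # assumed freshness window ΔT in seconds (not fixed by the paper)


def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(s):
    return s.encode().ljust(32, b"\x00")


def ts(t):
    """Encode an integer timestamp for hashing."""
    return str(t).encode()


class RegistrationCenter:
    def __init__(self):
        self.x, self.psk, self.users = secrets.token_bytes(32), secrets.token_bytes(32), {}

    def register_user(self, ID, RPW, T=b"2016-01-01"):
        self.users[ID] = self.users.get(ID, 0) + 1          # <ID, N> registration counter
        A = h(pad(ID), self.x, T)                            # A = h(ID||x||T)
        B = xor(RPW, h(A))
        C = xor(B, h(self.psk))
        D = xor(xor(self.psk, A), h(self.psk))
        return B, C, D, h(pad(ID), RPW)                      # {B, C, D, V}


class Server:
    def __init__(self, SID, psk):
        self.SID, self.psk, self.seen = pad(SID), psk, set()

    def authenticate(self, login, now):
        """Return (message (3), SK, status); a status other than 'ok' is a rejection."""
        AID, M1, M2, B, D, T1 = login
        if not 0 <= now - T1 <= DELTA_T:                     # T2 - T1 <= ΔT
            return None, None, "stale timestamp"
        if (AID, T1) in self.seen:                           # cache added here, see lead-in
            return None, None, "replay inside window"
        A = xor(xor(D, self.psk), h(self.psk))
        RPW = xor(B, h(A))
        N1 = xor(xor(RPW, M1), h(self.psk))
        if h(AID, N1, RPW, self.SID, ts(T1)) != M2:          # binds the SID of this server
            return None, None, "bad M2"
        self.seen.add((AID, T1))
        N2 = secrets.token_bytes(32)
        SK = h(AID, self.SID, N1, N2)
        M3 = xor(xor(N2, h(AID, N1)), h(self.psk))
        return (self.SID, M3, h(self.SID, N2, AID)), SK, "ok"


class SmartCard:
    def __init__(self, rc, ID, PW, R):
        self.ID, self.PW = pad(ID), PW.encode()
        self.B, self.C, self.D, self.V = rc.register_user(ID, h(self.PW, R))

    def login(self, R, SID, now):
        RPW = h(self.PW, R)
        if h(self.ID, RPW) != self.V:
            raise ValueError("local check failed")
        hPSK = xor(self.B, self.C)
        N1 = secrets.token_bytes(32)
        AID = xor(self.ID, h(N1))
        self.state = (AID, N1, hPSK)
        M2 = h(AID, N1, RPW, pad(SID), ts(now))              # destination SID and T1 inside M2
        return AID, xor(xor(RPW, N1), hPSK), M2, self.B, self.D, now

    def finish(self, reply):
        AID, N1, hPSK = self.state
        SID, M3, M4 = reply
        N2 = xor(xor(M3, h(AID, N1)), hPSK)
        if h(SID, N2, AID) != M4:
            raise ValueError("authentication request rejected")
        return h(AID, SID, N1, N2)


def run_checks():
    rc = RegistrationCenter()
    S1, S2 = Server("S1", rc.psk), Server("S2", rc.psk)
    R = secrets.token_bytes(32)           # fuzzy-extractor output, fixed for the example
    card = SmartCard(rc, "alice", "pw", R)
    t0 = 1_700_000_000
    msg = card.login(R, "S1", t0)
    reply, sk_s, status = S1.authenticate(msg, t0 + 1)
    return {
        "honest": status == "ok" and card.finish(reply) == sk_s,
        "redirect": S2.authenticate(msg, t0 + 1)[2],
        "replay_in_window": S1.authenticate(msg, t0 + 2)[2],
        "replay_late": S1.authenticate(msg, t0 + 60)[2],
    }
```

The order of the checks matters for the DoS argument of Section 4.3: the timestamp comparison and the cache lookup are the cheapest operations and run before any hash is computed, so a flood of replayed messages costs the server almost nothing.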

User revocation/re-registration phase

The user revocation/re-registration functionality lets user Ui revoke his privilege or re-register when his smart card SC is stolen or lost. To revoke his privilege, Ui sends a revocation request message, his smart card and the verification message {RPW} to RC over a secure channel. RC verifies that Ui is valid and, if so, modifies the corresponding entry to 〈ID, N = 0〉. Similarly, on receiving a re-registration request message via a secure channel, RC executes the steps described in Section 5.2 and replaces the entry 〈ID, N〉 with 〈ID, N + 1〉 to re-register Ui. The revocation and re-registration phase makes our scheme more robust in functionality than other related schemes.

Analysis of our scheme

An authentication and key agreement scheme has three important requirements: security, functionality and performance, and the proposed scheme must be analyzed from all three aspects. In this section we explain how the proposed scheme satisfies these requirements and compare it with other related multi-server authentication and key agreement schemes.

Informal security analysis

In this section we assume that adversary E has the capabilities stated in Section 2.1, and we analyze the strength of the proposed scheme against the following common attacks through an informal security analysis.

Resistance to replay attack

In a replay attack, adversary E intercepts transmitted messages in order to use them later, possibly after copying and altering them. Even if E intercepts a previous login request message {AID, M1, M2, B, D, T1} and sends it to server Sj repeatedly, Sj verifies the message by checking T1 and N1 through M2 = h(AID||N1||RPW||SID||T1), where T1 and N1 differ in every session, so E is not authenticated by Sj. Hence our scheme is secure against the replay attack thanks to the timestamp T1 and the random nonce N1. In an implementation, Sj must also record the N1 or (AID, T1) values it has accepted within ΔT, since a replay that arrives inside the window passes the timestamp check on its own.

Resistance to modification attack

Even if adversary E intercepts the transmitted messages and attempts to modify them to pass authentication, the proposed scheme detects modified messages with the help of the one-way hash function. Since E cannot retrieve N1, N2 or PSK from the intercepted messages, he cannot generate a legitimate authentication message. Therefore our scheme prevents the modification attack.

Resistance to stolen-verifier attack

In the proposed scheme, the registration center RC and the servers do not hold the user's password or biometrics, so adversary E cannot steal a password verifier or biometric verifier of a legitimate user even if he gains access to the databases of RC and the servers. Thus our scheme resists the stolen-verifier attack.

Resistance to off-line guessing attack

With side-channel attacks such as SPA or DPA, adversary E obtains B, C, D and V, but he cannot verify a password guess off-line without BIO, PSK, x and N1. Moreover, the password is protected by the one-way hash h(PW||R), where R has high entropy, and no two people share the same biometric template. Hence our scheme is secure against the off-line guessing attack.

Resistance to forgery attack

In a forgery attack, a legitimate but malicious user E attempts to impersonate another legitimate user during login and authentication. In the communication between server Sj and user Ui, the real identity ID is protected by the anonymous identity AID = ID ⊕ h(N1), and the random nonce N1 changes in every session, so the malicious user E cannot learn another legitimate user's real identity ID. As a result, our scheme prevents the forgery attack.

Resistance to insider attack

A malicious insider E is familiar with the system's policies and procedures and has authorized system access, and tries to obtain a user's private information such as the password and biometrics. RC cannot recover the password PW or the biometrics BIO from RPW = h(PW||R), and RC does not store RPW in its database. Thus our scheme resists the insider attack.

Resistance to masquerade attack

Under this attack, adversary E gets authenticated by server Sj under a fake or real identity. In Mishra et al.'s scheme, E uses the messages exchanged between Sj and Ui to gain access to another server. To address this, the destination of each message is bound into the login request message and the authentication request message through M2 = h(AID||N1||RPW||SID||T1) and M4 = h(SID||N2||AID), so that Ui and Sj each verify that the other party intends to authenticate with them. At the same time, E cannot compute M2 or M4 without N1 or N2. Therefore our scheme is secure against the masquerade attack.

Resistance to smart card attack

In the smart card attack, adversary E tries to apply the information obtained from smart card SC to be authenticated by server S without the password or biometrics. With SPA or DPA, E obtains B, C, D and V, which are stored in SC. In the proposed scheme, a session key between user U and server S is generated as follows. Although E obtains M1 and M3 via public channels, it is difficult for him to retrieve N1, N2 and AID without PSK. Above all, our scheme prevents the smart card attack.

Resistance to user impersonation attack

The user impersonation attack means that adversary E impersonates user U using only smart card SC, without the password or biometrics. The proposed scheme applies h(PSK) to protect N1, N2 and AID even if E acquires B, C, D and V by side-channel attacks. Thus, E cannot calculate the session key to impersonate user U. In conclusion, our scheme resists the user impersonation attack.

Resistance to DoS attack

The DoS attack diminishes or eliminates the server’s expected capability in order to make the server unavailable. With the help of timestamp T, server S checks the freshness and legality of M2 = h(AID||N1||RPW||SID||T) in the login request message. A previous M2 replayed by adversary E does not match the current timestamp. Moreover, our scheme applies the fuzzy extractor to satisfy the usage requirements of biometrics. As a result, our scheme is secure against the DoS attack.

Resistance to server spoofing attack

Upon receiving the login request message from U, adversary E tries to pose as server S by replaying the old authentication request message , where and . This attempt fails, since U uses different random numbers in different sessions, that is, . Furthermore, E cannot acquire RPW to retrieve N1 from N1 = RPW ⊕ M1 ⊕ h(PSK). Therefore, our scheme prevents the server spoofing attack.

Formal security analysis

With the help of the formal security analysis, we demonstrate that our scheme is secure against adversary E. For this purpose, we define oracle Reveal as follows: it unconditionally outputs x from the one-way hash function y = h(x). The following two theorems provide the formal security analysis for our scheme.

Theorem 1. Under the assumption that the one-way hash function h(⋅) closely behaves like oracle Reveal, our scheme is provably secure against adversary E for retrieving the identity ID of user U, the pre-shared key PSK of server S, and the session key SK between U and S.

Proof. We need to construct adversary E who has the capacity to retrieve the identity ID of user U, the pre-shared key PSK of server S, and the session key SK between U and S. Adversary E applies the oracle Reveal to execute the experimental algorithm , where BMAKAS denotes the proposed biometric-based multi-server authentication and key agreement scheme. The details of Algorithm 1 are described in Table 3.
Table 3

Algorithm .

1. Eavesdrop the login request message {AIDi, M1, M2, Bi, Di, Ti} during the login phase, where AIDi = IDi ⊕ h(N1), M1 = RPWi ⊕ N1 ⊕ h(PSK) and M2 = h(AIDi||N1||RPWi||SIDj||Ti).
2. Apply the oracle Reveal to retrieve AIDi^I, N1^I, RPWi^I, SIDj^I and Ti^I from Reveal(M2) → (AIDi^I||N1^I||RPWi^I||SIDj^I||Ti^I).
3. if (AIDi^I = AIDi) then
4.  Calculate IDi^I = AIDi^I ⊕ h(N1^I) and H1 = RPWi^I ⊕ N1^I ⊕ M1.
5.  Apply the oracle Reveal to retrieve PSK^I from Reveal(H1) → (PSK^I).
6.  Eavesdrop the authentication request message {SIDj, M3, M4} during the authentication phase, where M3 = N2 ⊕ h(AIDi||N1) ⊕ h(PSK) and M4 = h(SIDj||N2||AIDi).
7.  Further apply the oracle Reveal to retrieve AIDi^II, N2^II and SIDj^II from Reveal(M4) → (AIDi^II||N2^II||SIDj^II).
8.  if (SIDj = SIDj^II) and (AIDi = AIDi^II) then
9.   Calculate H2 = N2^II ⊕ h(AIDi^I||N1^I) ⊕ M3.
10.   Apply the oracle Reveal to retrieve PSK^II from Reveal(H2) → (PSK^II).
11.   if (PSK^I = PSK^II) then
12.    Calculate SKij* = h(AIDi||SIDj||N1^I||N2^II).
13.    Accept IDi^I, PSK^I and SKij* as the identity IDi of user Ui, the pre-shared key PSK of server Sj, and the session key SKij between Ui and Sj, respectively.
14.    return 1 (Success)
15.   else
16.    return 0 (Failure)
17.   end if
18.  else
19.   return 0 (Failure)
20.  end if
21. else
22.  return 0 (Failure)
23. end if
We define the success probability of as , where P(⋅) means the probability of . The advantage function for algorithm becomes Adv1(et1, q) = max{Success1}, where the maximum for adversary E depends on the execution time et1 and the number of queries q made to the oracle Reveal. Our scheme is provably secure against adversary E if Adv1(et1, q) ≤ ε1 for any sufficiently small ε1 > 0. If adversary E has the ability to retrieve x from the one-way hash function y = h(x), then he can easily derive the identity ID, pre-shared key PSK and session key SK to win the game. However, retrieving the input of a one-way hash function is a computationally infeasible problem. So max{Success1} = Adv1(et1, q) ≤ ε1 for any sufficiently small ε1 > 0. In conclusion, our scheme is provably secure against adversary E for retrieving the identity ID of user U, the pre-shared key PSK of server S, and the session key SK between U and S.

Theorem 2. Under the assumption that the one-way hash function h(⋅) closely behaves like oracle Reveal, our scheme is provably secure against adversary E for retrieving the password PW of user U, even if smart card SC is stolen.

Proof. We need to construct adversary E who has the capacity to retrieve the password PW. Adversary E extracts all the information {B, C, D, V} from the stolen smart card SC and applies the oracle Reveal to execute the experimental algorithm . The details of Algorithm 2 are described in Table 4.
Table 4

Algorithm .

1. Extract all the information {Bi, Ci, Di, Vi} from the stolen smart card SCi with the help of side-channel attacks, where Vi = h(IDi||RPWi) and RPWi = h(PWi||Ri).
2. Apply the oracle Reveal to retrieve IDi^I and RPWi^I from Reveal(Vi) → (IDi^I||RPWi^I).
3. Eavesdrop the login request message {AIDi, M1, M2, Bi, Di, Ti} during the login phase, where AIDi = IDi ⊕ h(N1) and M2 = h(AIDi||N1||RPWi||SIDj||Ti).
4. Apply the oracle Reveal to retrieve AIDi^II, N1^II, RPWi^II, SIDj^II and Ti^II from Reveal(M2) → (AIDi^II||N1^II||RPWi^II||SIDj^II||Ti^II).
5. Calculate IDi^II = AIDi^II ⊕ h(N1^II).
6. if (IDi^I = IDi^II) then
7.  Apply the oracle Reveal to retrieve PWi^I and Ri^I from Reveal(RPWi^I) → (PWi^I||Ri^I).
8.  Accept PWi^I as the password PWi of user Ui.
9.  return 1 (Success)
10. else
11.  return 0 (Failure)
12. end if
Also, we define the success probability of as , where P(⋅) means the probability of . The advantage function for algorithm becomes Adv2(et2, q) = max{Success2}, where the maximum for adversary E depends on the execution time et2 and the number of queries q made to the oracle Reveal. Our scheme is provably secure against adversary E if Adv2(et2, q) ≤ ε2 for any sufficiently small ε2 > 0. If adversary E has the ability to retrieve x from the one-way hash function y = h(x), then he can easily derive the password PW to win the game. However, retrieving the input of a one-way hash function is a computationally infeasible problem. So max{Success2} = Adv2(et2, q) ≤ ε2 for any sufficiently small ε2 > 0. In conclusion, our scheme is provably secure against adversary E for retrieving the password PW of user U.

Functionality analysis

Various functionality requirements for a multi-server authentication and key agreement scheme have been suggested in previous studies. In this section, we show that our scheme provides these functionalities.

Anonymity

Anonymity means that the user’s real identity is not disclosed to an unauthorized party. In the presented scheme, U calculates the dynamic identity AID from AID = ID ⊕ h(N1), and N1 does not leak from the messages sent over public channels. Thus, adversary E cannot compute the user’s identity ID without N1. The authorized server S retrieves A = D ⊕ PSK ⊕ h(PSK) and RPW = B ⊕ h(A), and further calculates N1 from N1 = RPW ⊕ M1 ⊕ h(PSK). So only authorized servers can confirm the real identity of U. As a result, adversary E cannot acquire the user’s real identity, while user U is still authenticated anonymously by server S.

Mutual authentication

Mutual authentication is achieved when two parties authenticate each other. In our scheme, users and servers authenticate each other by using N1, N2, h(PSK), D and T. During the authentication phase, server S verifies whether M2 is consistent with h(AID||N1||RPW||SID||T) to authenticate user U, and U authenticates S by checking whether h(SID||N2||AID) = M4 holds. In conclusion, our scheme provides mutual authentication.

Session key agreement

Session key agreement means that users and servers securely establish a session key which is applied to protect the subsequent communication. In the proposed scheme, the session key SK = h(AID||SID||N1||N2) is generated by user U and server S, where N1 and N2 are different in every session. Therefore, session keys differ from session to session, so that it is difficult for adversary E to retrieve previous session keys from the intercepted messages.
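The login and authentication exchange described in the mutual authentication and session key agreement passages above, as an added Python simulation that is not part of the paper: both parties’ messages are built from the relations this section states (AID, M1, M2, M3, M4, SK, and the server-side recovery of A, RPW and N1), h is modelled with SHA-1, and every sample value is constructed. The registration-centre derivation of A and of the card value C is not given in this section and is an assumption here, as is the freshness window used for the timestamp check from the DoS passage.

```python
import hashlib
import os

HASH_LEN = 20  # SHA-1 output, matching the paper's 160-bit parameter sizes


def h(*parts: bytes) -> bytes:
    """One-way hash h(a||b||...), modelled with SHA-1 as in the paper's size estimates."""
    return hashlib.sha1(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def register(ID: bytes, PW: bytes, R: bytes, x: bytes, N: bytes, PSK: bytes) -> dict:
    """Registration centre RC (A and C derivations are ASSUMPTIONS); returns card {B, C, D, V}."""
    RPW = h(PW, R)                       # page: RPW = h(PW||R), R from the fuzzy extractor
    A = h(ID, x, N)                      # ASSUMPTION: RC's per-user secret value
    B = xor(RPW, h(A))                   # page: RPW = B xor h(A)
    C = xor(h(PSK), h(ID, RPW))          # ASSUMPTION: lets the card recover h(PSK)
    D = xor(xor(A, PSK), h(PSK))         # page: A = D xor PSK xor h(PSK)
    V = h(ID, RPW)                       # page: V = h(ID||RPW)
    return {"B": B, "C": C, "D": D, "V": V}


def user_login(card: dict, ID: bytes, PW: bytes, R: bytes, SID: bytes, T: int):
    """User U with smart card: local check (fast error detection), then build the login request."""
    RPW = h(PW, R)
    if h(ID, RPW) != card["V"]:          # wrong ID/PW/BIO is rejected on the card
        return None, None
    hPSK = xor(card["C"], h(ID, RPW))    # ASSUMPTION (see register)
    N1 = os.urandom(HASH_LEN)
    AID = xor(ID, h(N1))                 # page: AID = ID xor h(N1)
    M1 = xor(xor(RPW, N1), hPSK)         # page: M1 = RPW xor N1 xor h(PSK)
    Tb = (T & 0xFFFF).to_bytes(2, "big") # 16-bit timestamp as in the paper's size estimates
    M2 = h(AID, N1, RPW, SID, Tb)        # page: M2 = h(AID||N1||RPW||SID||T)
    state = {"AID": AID, "N1": N1, "hPSK": hPSK}
    return {"AID": AID, "M1": M1, "M2": M2, "B": card["B"], "D": card["D"], "T": T}, state


def server_authenticate(msg: dict, SID: bytes, PSK: bytes, now: int, window: int = 2):
    """Server S: freshness check, recover N1, verify M2, answer {SID, M3, M4} and derive SK."""
    if not 0 <= now - msg["T"] <= window:   # stale or replayed login request (DoS passage)
        return None, None
    hPSK = h(PSK)
    A = xor(xor(msg["D"], PSK), hPSK)       # page: A = D xor PSK xor h(PSK)
    RPW = xor(msg["B"], h(A))               # page: RPW = B xor h(A)
    N1 = xor(xor(RPW, msg["M1"]), hPSK)     # page: N1 = RPW xor M1 xor h(PSK)
    Tb = (msg["T"] & 0xFFFF).to_bytes(2, "big")
    if h(msg["AID"], N1, RPW, SID, Tb) != msg["M2"]:
        return None, None
    N2 = os.urandom(HASH_LEN)
    M3 = xor(xor(N2, h(msg["AID"], N1)), hPSK)  # page: M3 = N2 xor h(AID||N1) xor h(PSK)
    M4 = h(SID, N2, msg["AID"])                 # page: M4 = h(SID||N2||AID)
    SK = h(msg["AID"], SID, N1, N2)             # page: SK = h(AID||SID||N1||N2)
    return {"SID": SID, "M3": M3, "M4": M4}, SK


def user_finish(reply: dict, state: dict):
    """User U: recover N2, verify M4 (authenticates S), derive the same SK."""
    N2 = xor(xor(reply["M3"], h(state["AID"], state["N1"])), state["hPSK"])
    if h(reply["SID"], N2, state["AID"]) != reply["M4"]:
        return None
    return h(state["AID"], reply["SID"], state["N1"], N2)


def run_session(now: int = 1000):
    """Constructed end-to-end run; returns (SK at user, SK at server, replay rejected?)."""
    ID, PW, R = b"user-id".ljust(HASH_LEN, b"\0"), b"pw-constructed", b"fuzzy-extractor-R"
    x, N, PSK = b"rc-master-key-x", b"\x01", b"pre-shared-key-S".ljust(HASH_LEN, b"\0")
    SID = b"server-j".ljust(HASH_LEN, b"\0")
    card = register(ID, PW, R, x, N, PSK)
    login, st = user_login(card, ID, PW, R, SID, T=now)
    reply, sk_server = server_authenticate(login, SID, PSK, now=now)
    sk_user = user_finish(reply, st)
    replay, _ = server_authenticate(login, SID, PSK, now=now + 60)  # same M2, later clock
    return sk_user, sk_server, replay is None
```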

Perfect forward secrecy

Perfect forward secrecy means that a session key will not be compromised if the user’s long-term key is compromised in the future [11, 15]. In our scheme, the session key between user U and server S is calculated as follows. Even if the user’s long-term key h(PSK) is compromised, adversary E cannot calculate RPW and PSK, so he cannot retrieve N1 and N2 to generate the session keys between U and S. Above all, our scheme achieves perfect forward secrecy.

User revocation/re-registration

User U needs to send a revocation or re-registration request message to the registration center RC over a secure channel if he wants to revoke his privilege or re-register. RC helps U revoke his privilege or re-register by modifying 〈ID, N〉 in the database. The functionality of user revocation/re-registration meets the requirements of practical applications. It also makes our scheme more robust than other related schemes.

Biometric information protection

In conventional schemes, the user’s biometric information is stored directly in the smart card SC, so that adversary E obtains the biometrics from a lost smart card with the assistance of side-channel attacks. We adopt a higher-security mechanism to solve this problem. The nearly random string R, which is extracted from the biometric information BIO by the fuzzy extractor, is protected by the one-way hash function; more details are described in Section 2.2. This makes it impossible for E to obtain the biometric information. In conclusion, our scheme provides biometric information protection.

Efficiency analysis

Efficiency is an important consideration when evaluating the schemes. The efficiency of a multi-server authentication and key agreement scheme can be measured by the following metrics: single registration, secure and simple password modification, fast error detection, and low computational cost.

Single registration

Single registration means that a single point of registration allows users to acquire access to all servers in the system. In the proposed scheme, user U registers with the registration center RC only once in order to be authenticated by every server and to use the servers’ services anonymously. So our scheme achieves single registration.

Secure and simple password modification

Secure and simple password modification demands that users change their passwords without the assistance of any trusted third party, and that the authenticity of the users is verified by their smart card. In our scheme, user U changes the password conveniently and does not require any communication with the registration center RC. Furthermore, smart card SC checks whether h(ID||RPW) = V holds for every password modification, so that adversary E cannot change the password even if he acquires the smart card and password. In conclusion, the proposed scheme provides secure and simple password modification.

Fast error detection

It is necessary to provide fast error detection, which means that smart card SC detects incorrect passwords or any other discrepancies quickly. In the login and password change phases, SC detects errors such as inaccurate identities, incorrect passwords and false biometrics immediately, without the help of the registration center RC and server S. Therefore, our scheme achieves fast error detection.

Low computational cost

The computational cost of the scheme should be minimized in practice. As the major parties of the communication, U and S generate a random number twice, perform the XOR operation 12 times, and perform the hash function 15 times to complete the login and authentication phases. As a result, the computational cost of our scheme is a little lower than that of other related schemes.

Comparisons with related schemes

In this section, we compare the resistance, functionality and performance of our scheme with other related existing biometric-based multi-server authentication and key agreement schemes, namely Chuang et al.’s scheme [51], Mishra et al.’s scheme [53], Xue et al.’s scheme [59] and Li et al.’s scheme [60]. Table 5 lists the resistance comparison of the various biometric-based multi-server authenticated key agreement schemes. In Table 5 we use the following notations: R1: resistance to replay attack, R2: resistance to modification attack, R3: resistance to stolen-verifier attack, R4: resistance to off-line guessing attack, R5: resistance to forgery attack, R6: resistance to insider attack, R7: resistance to masquerade attack, R8: resistance to smart card attack, R9: resistance to user impersonation attack, R10: resistance to DoS attack and R11: resistance to server spoofing attack. The result indicates that our scheme is more secure and achieves all the resistance requirements.
Table 5

The resistance comparison.

      Chuang et al.’s [51]   Mishra et al.’s [53]   Xue et al.’s [59]   Li et al.’s [60]   Ours
R1    No                     No                     No                  No                 Yes
R2    Yes                    Yes                    Yes                 Yes                Yes
R3    Yes                    Yes                    No                  No                 Yes
R4    Yes                    Yes                    No                  No                 Yes
R5    Yes                    Yes                    Yes                 Yes                Yes
R6    Yes                    Yes                    No                  Yes                Yes
R7    No                     No                     No                  No                 Yes
R8    No                     Yes                    Yes                 No                 Yes
R9    No                     Yes                    Yes                 Yes                Yes
R10   No                     No                     Yes                 Yes                Yes
R11   Yes                    Yes                    No                  Yes                Yes
Table 6 shows the functionality comparison of the proposed scheme with other related schemes. In Table 6, we use the following notations: F1: anonymity, F2: mutual authentication, F3: session key agreement, F4: perfect forward secrecy, F5: user revocation/re-registration and F6: biometric information protection. We further compare our scheme with Lu et al.’s scheme [24], which is another improved scheme. It can be seen that our scheme provides more functionality requirements than the other related schemes.
Table 6

The functionality comparison.

      Chuang et al.’s [51]   Mishra et al.’s [53]   Xue et al.’s [59]   Li et al.’s [60]   Lu et al.’s [48]   Ours
F1    Yes                    Yes                    Yes                 Yes                Yes                Yes
F2    No                     Yes                    Yes                 Yes                Yes                Yes
F3    Yes                    Yes                    Yes                 Yes                Yes                Yes
F4    No                     No                     Yes                 Yes                Yes                Yes
F5    No                     No                     No                  No                 No                 Yes
F6    No                     Yes                    No                  No                 Yes                Yes
We compare our scheme with other biometric-based multi-server authentication and key agreement schemes in terms of the computational overhead, communication overhead and storage requirement involved in the login and authentication phases. In order to measure the computational complexity, we use the number of hash function operations as the time complexity, since the XOR operation requires very little computational cost; Th stands for the computation time of one hash function operation. According to Xue et al.’s work [61], the average running time of a one-way secure hash function operation is about 0.2 ms. Table 7 and Fig 8 present the comparison between our scheme and the other related schemes in terms of computation overhead. In Table 7, we use the following notations: S1: computation overhead in the login phase, S2: execution overhead in the login phase, S3: computation overhead in the authentication phase, S4: execution overhead in the authentication phase and S5: total execution overhead. The proposed scheme requires lower computation overhead than the other schemes.
Table 7

The computation cost comparison.

      Chuang et al.’s [51]   Mishra et al.’s [53]   Xue et al.’s [59]   Li et al.’s [60]   Lu et al.’s [48]   Ours
S1    4Th                    7Th                    5Th                 7Th                4Th                4Th
S2    0.8ms                  1.4ms                  1.0ms               1.4ms              1.0ms              0.8ms
S3    13Th                   11Th                   14Th                16Th               13Th               11Th
S4    2.6ms                  2.2ms                  2.8ms               3.2ms              2.6ms              2.2ms
S5    3.4ms                  3.6ms                  3.8ms               4.6ms              3.6ms              3.0ms
Fig 8

The computation cost comparison.

To estimate the communication efficiency, we assume the following lengths for the security parameters: the bit length of a random number N is 160, the bit length of a user identity is 160, the bit length of the timestamp T is 16, and the output length of the hash function is 160 if we follow SHA-1, which is applied in most of the previous schemes. In our scheme, U transmits the request message {AID, M1, M2, B, D, T} to S during the login phase, and its length is (160 + 160 + 160 + 160 + 160 + 16)/8 = 102 bytes. In the authentication stage, the communication overhead is (160 + 160 + 160 + 160)/8 = 80 bytes, which covers the authentication request message {SID, M3, M4} and the authentication reply {M5}. So the total communication overhead of the proposed scheme is 102 + 80 = 182 bytes. Analogously, we measure the communication overhead of the related schemes. In order to estimate the storage requirement, we consider the messages stored in the smart card as the storage overhead and calculate the byte length of the stored information. In our scheme, the stored message {B, C, D, V, P} requires (160 + 160 + 160 + 160 + 160)/8 = 100 bytes. Similarly, we estimate the storage requirement of the other schemes. Table 8 and Fig 9 show the comparisons of the communication and storage costs of the various multi-server authentication and key agreement schemes. In Table 8 we use the following notations: C1: communication cost in the login phase, C2: communication cost in the authentication phase, C3: total communication cost and C4: storage cost. With the same level of communication overhead and storage requirement, our scheme has a clear advantage in computational complexity when the computation costs of these related schemes are considered. From the results of the comparisons given above, we conclude that our scheme offers a better trade-off among resistance, functionality and performance than the other related schemes.
Table 8

The communication and storage costs comparison.

      Chuang et al.’s [51]   Mishra et al.’s [53]   Xue et al.’s [59]   Li et al.’s [60]   Lu et al.’s [48]   Ours
C1    80bytes                80bytes                83bytes             80bytes            82bytes            102bytes
C2    80bytes                80bytes                259bytes            60bytes            64bytes            80bytes
C3    160bytes               160bytes               342bytes            140bytes           146bytes           182bytes
C4    80bytes                100bytes               60bytes             100bytes           60bytes            100bytes
Fig 9

The communication and storage costs comparison.

Conclusion

With the security requirements of networks, biometrics-based authentication schemes applied in the multi-server environment have become more crucial and widely deployed. In this paper, we analyze the security of Mishra et al.’s scheme. Based on the cryptanalysis of their scheme, we propose a novel biometric-based multi-server authentication and key agreement scheme. The presented scheme improves Mishra et al.’s scheme and satisfies the desirable security requirements, as demonstrated through informal and formal security analysis respectively. Our scheme also provides some significant functionalities which are not considered in most existing authentication schemes, such as user revocation or re-registration and biometric information protection. In addition, comparisons of the security, functionality and performance of the proposed scheme with several related ones are given. The results show that our scheme has more secure properties, more functionalities and lower computation cost with the same level of communication overhead and storage requirement. We conclude that our scheme is more appropriate for practical applications in remote distributed networks.