
Security enhanced multi-factor biometric authentication scheme using bio-hash function.

Younsung Choi, Youngsook Lee, Jongho Moon, Dongho Won

Abstract

With the rapid development of personal information and wireless communication technology, user authentication schemes have been crucial to ensure that wireless communications are secure. As such, various authentication schemes with multi-factor authentication have been proposed to improve the security of electronic communications. Multi-factor authentication involves the use of passwords, smart cards, and various biometrics to provide users with the utmost privacy and data protection. Cao and Ge analyzed various authentication schemes and found that Younghwa An's scheme was susceptible to a replay attack where an adversary masquerades as a legal server and a user masquerading attack where user anonymity is not provided, allowing an adversary to execute a password change process by intercepting the user's ID during login. Cao and Ge improved upon Younghwa An's scheme, but various security problems remained. This study demonstrates that Cao and Ge's scheme is susceptible to a biometric recognition error, slow wrong password detection, off-line password attack, user impersonation attack, ID guessing attack, a DoS attack, and that their scheme cannot provide session key agreement. Then, to address all weaknesses identified in Cao and Ge's scheme, this study proposes a security enhanced multi-factor biometric authentication scheme and provides a security analysis and formal analysis using Burrows-Abadi-Needham logic. Finally, the efficiency analysis reveals that the proposed scheme can protect against several possible types of attacks with only a slightly high computational cost.


Year: 2017    PMID: 28459867    PMCID: PMC5411053    DOI: 10.1371/journal.pone.0176250
Source DB: PubMed    Journal: PLoS One    ISSN: 1932-6203    Impact factor: 3.240


Introduction

Distributed, networked systems allow users to efficiently access resources at their convenience. Web services such as on-line shopping and Internet banking have become common in today’s technological world, and this has given rise to serious demand for remote authentication processes that ensure transactions between users and servers are secure. In various server environments, user authentication schemes are required to implement elevated levels of ownership. The first password-based scheme was introduced by Lamport in 1981, and since then, various studies have been carried out on the security, efficiency, and costs of authentication schemes. Existing remote authentication schemes are mainly implemented using a public key system, and in most cases, these can be divided into traditional certificate-based authentication schemes and identity-based authentication schemes according to the type of evidence they adopt for authentication [1-9]. Various identity-based schemes have been proposed to provide secure, efficient, and practical authentication. One class is based on a pairing operation, which is practical but inefficient since a high computational cost is needed to carry out the pairing operation. The second is based on a particular hash function through which identity information is mapped to a point on an elliptic curve, resulting in a complicated structure. The third is a direct ID-based scheme that uses a general cryptographic hash function with a structure that is simpler than that of the second class. Due to this structure’s simplicity, authentication can be accomplished through only a three-way handshake. However, it is still easy for a malicious person to carry out an attack. When all of the problems of the three categories mentioned above are taken into account, secure direct identity-based authentication schemes provide the optimum design for mobile device users and real-time applications [10-20].
Recently, identity-based authentication schemes with a hash function were further divided into three categories according to the methods used in the authentication procedure: (1) knowledge-based schemes, (2) object-based schemes, and (3) biometrics-based schemes. However, each type has its own performance strengths and limitations [21-37]. Knowledge-based authentication is simple, convenient, and efficient, but it is vulnerable to information leaks to malicious persons because it relies on a password. Object-based authentication, based on the physical possession of a device such as a smart card, allows an adversary to impersonate legitimate users when the smart card is lost. Biometrics-based authentication shows better results than the two types described above: biometric keys, such as fingerprints or facial features, cannot be lost or forgotten. However, biometric samples, such as facial images, can be captured in various system databases, so biometric keys can remain insecure. Multi-factor biometric authentication combines the use of a password, biometrics, and smart card protection to improve security and prevent various types of attacks, and it is not affected by the aforementioned defects. Such schemes have recently become a focal point of research, mainly reflected in the work put forward by various researchers. In 2010, Li and Hwang proposed a novel scheme using identity and a public key system, and in 2011 Das extended the work of Li et al. and made improvements to their weak scheme. In 2012, Younghwa An showed that Das’s proposed protocol failed to achieve mutual authentication for the server and user. However, Younghwa An’s scheme allows an adversary to masquerade as a legal server or as a user since mutual authentication is not provided. Cao and Ge attempted to improve on Younghwa An’s scheme, but their scheme also has various security problems.
We show that Cao and Ge’s scheme is vulnerable to a biometric recognition error, slow wrong password detection, off-line password attack, user impersonation attack, ID guessing attack, a DoS attack, and also lacks session key agreement. This study then proposes a scheme that provides improved security by resolving the issues inherent to Cao and Ge’s scheme [38-44]. The remainder of this paper is organized as follows. Section 2 briefly introduces related work on the bio-hash function and smart card information to help better understand the details of this paper. Section 3 briefly introduces Cao and Ge’s scheme. Section 4 mainly discusses its weaknesses. Section 5 describes countermeasures to solve its problems. Section 6 details the countermeasures to protect against all attacks. Section 7 is devoted to a formal security analysis of the modified scheme using Burrows-Abadi-Needham logic (BAN-logic), and it compares the results of a security analysis and efficiency analysis of the modified scheme with those of some existing authentication schemes. The results indicate that the modified scheme has a slightly high computational cost and can protect against several possible attacks. Section 8 then concludes this paper.

Related works

In this section, the adversary’s capability, the bio-hash function, and the information stored on a smart card are explained to provide a better understanding of the content of this paper.

Adversary’s capability

In this paper, we assume the following about a probabilistic, polynomial-time adversary to properly capture the security requirements of a multi-factor biometric authentication scheme that uses smart cards during the registration phase, password change phase, and login and authentication phase [45]. The adversary has complete control over all message exchanges between the protocol participants, including a user and a server. That is, the adversary can intercept, insert, modify, delete, and eavesdrop on messages exchanged between the two parties at will. The adversary can (1) extract sensitive information from the smart card of a user through a power analysis attack or (2) determine the user’s password, possibly via shoulder-surfing or by employing a malicious card reader. However, the adversary cannot compromise both the information of the smart card and the password of the user. Otherwise, it is clear that there is no way to prevent the adversary from impersonating the user if both factors have been compromised.

Bio-hash function

A hash function is a one-way transformation function. The hash function takes an arbitrary input and returns a string of fixed size, which is referred to as a hash value or message digest. Due to the peculiarity of biometrics and their ability to differentiate a particular person from others, various systems have adopted biometric methods to solve authentication and verification problems. However, a small change in biometric data (a little information missing from the biometric, noise, or a change in the order of the data input) may result in a substantial change in the hash value due to the uncertainty inherent in the retrieval of biometric features. In other words, general hash functions produce large differences in output from slight differences in input, so recognition errors easily result from slight biometric changes. To resolve this problem, bio-hash function systems have been proposed and studied. In various studies on bio-hashing systems, the bio-hash function must adhere to the following properties: similar biometric information should have similar hash values, different biometric information should not have similar hashes, rotation and translation of the original template should not have a substantial impact on hash values, and partial biometric information (with missing core and delta) should still be matched if sufficient detail is present. A certain class of hash functions can be formulated to be invariant to the order in which the input pattern is presented to the hash function, and such hash functions are known as bio-hash functions or symmetric hashes. Thus, the bio-hash function can resolve the recognition error of a general hash function and can authenticate a legal user even if the user’s biometric information changes a little [46, 47].
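To make the contrast concrete, the following Python example (added here; it is not code from the paper or its cited bio-hashing references) builds a toy order-invariant, noise-tolerant H(⋅) by coarsely quantising each feature, sorting the bins, and hashing the result, and compares it with a plain SHA-256 h(⋅) over the raw template. The feature vectors are constructed, hypothetical values, and the quantisation step of 10 units is an arbitrary assumption.

```python
import hashlib
from typing import Sequence

def general_hash(data: bytes) -> str:
    """h(.): an ordinary cryptographic hash; any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()

def bio_hash(features: Sequence[float], step: float = 10.0) -> str:
    """Toy H(.) (constructed for this example, not the paper's bio-hash):
    coarsely quantise each feature so sensor noise lands in the same bin, sort the
    bins so the presentation order does not matter, then hash the result."""
    bins = sorted(int(round(x / step)) for x in features)
    return hashlib.sha256(",".join(map(str, bins)).encode()).hexdigest()

def raw_template(features: Sequence[float]) -> bytes:
    """Serialise the unquantised features the way a naive h(B) would see them."""
    return ",".join(f"{x:.2f}" for x in features).encode()

# Constructed fingerprint-like feature vectors (hypothetical, not real biometric data).
ENROLLED  = [101.0, 203.5, 151.2, 88.7, 250.0]   # B captured at registration
NOISY     = [101.8, 202.9, 150.6, 89.1, 250.4]   # same finger, small sensor noise
REORDERED = [203.5, 101.0, 250.0, 88.7, 151.2]   # same minutiae, different order
OTHER     = [134.0, 66.2, 189.9, 243.1, 12.0]    # a different person

def recognition_report() -> dict:
    """Does each hash recognise the enrolled user again? True = match."""
    return {
        "general_noisy": general_hash(raw_template(ENROLLED)) == general_hash(raw_template(NOISY)),
        "bio_noisy":     bio_hash(ENROLLED) == bio_hash(NOISY),
        "bio_reordered": bio_hash(ENROLLED) == bio_hash(REORDERED),
        "bio_other":     bio_hash(ENROLLED) == bio_hash(OTHER),
    }

if __name__ == "__main__":
    for name, matched in recognition_report().items():
        print(f"{name:14s} -> {'match' if matched else 'NO match'}")
```

The general hash rejects the noisy re-capture of the same finger, while the toy bio-hash accepts both the noisy and the reordered capture and still rejects the other person. The caveat a practitioner should keep in mind: a feature that sits close to a bin boundary can still flip bins under noise, so this quantise-and-sort construction only illustrates the properties listed above and is not a deployable bio-hash.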

Smart card information

Various researchers have shown that physically monitoring the power consumption, such as with simple power analysis and differential power analysis, can extract confidential information stored in all smart cards. When a user loses his/her smart card, an adversary can analyze it and extract all information stored within. Variants of such schemes are vulnerable to off-line password guessing attacks, in which an adversary can be authenticated to the server without separately obtaining the user’s login and authentication information, such as the ID, password, and biometrics. Therefore, a security-enhanced authentication scheme needs to remain secure even if all the information on a user’s smart card is revealed [48, 49].

Review of Cao and Ge’s authentication scheme

The process for Cao and Ge’s authentication scheme is reviewed before conducting the security analysis. Their scheme includes three phases: registration phase, password change phase, and login and authentication phase. The server S stores a secret value X and a user account database, which includes the legal user’s authentication information [50]. For convenience, the notation used throughout this paper is summarized in Table 1.
Table 1

Notation.

Notation   Description                          Notation   Description
Ui         User                                 Bi         Ui’s biometric template
Si         Server                               h(⋅)       General hash function
IDi        User’s identity                      H(⋅)       Bio-hash function
PWi        User’s password                      ni         Counter number
Rc         A random number generated by Ui      ⊕          Bitwise XOR operation
Rs         A random number generated by Si      ‖          Concatenation operation
Xs         Secret key generated by Si           Ti         ith timestamp

Registration phase

This phase is the first to be performed once the U registers itself with the server S. Fig 1 describes the registration phase for Cao and Ge’s scheme.
Fig 1

Registration phase for Cao and Ge’s authentication scheme.

U selects ID and PW, imprints its own biometric B, and generates a random number K. Then, U sends the identity ID, password information (PW ⊕ K), and biometric information (B ⊕ K) to the server S using a secure channel. S computes f = h(B ⊕ K), r = h(PW ⊕ K) ⊕ f, and e = h(ID‖X) ⊕ r. S creates an entry for the user ID and stores n in this entry in the database. Then, S computes EID = h(ID)‖n and stores EID in the entry. S computes v = h(PW ⊕ B‖X). S sends U a smart card containing 〈EID, h(⋅), f, e, n〉 over a secure channel. Then U stores K in the smart card.

Password change phase

The password change phase is carried out when U wants to change the password or the smart card is lost. Fig 2 describes the password change phase on Cao and Ge’s scheme.
Fig 2

Password change phase on Cao and Ge’s authentication scheme.

U submits the ID, password information (PW ⊕ K′), and biometric information (B ⊕ K′) to S via a secure channel, where K′ is a new random number. S computes and compares with v in the account database. If they are not the same, this phase is terminated. Otherwise, S sets n = n + 1. Then, S performs the following computations: f = h(B ⊕ K′), r = h(PW ⊕ K′) ⊕ f, e = h(ID ⊕ X) ⊕ r. S sends U a new smart card that contains 〈EID, h(⋅), f, e, n〉 by using a secure channel. Then U stores the random number K′ in the smart card.

Login and authentication phase

U executes the following steps when U wants to authenticate remote S. Fig 3 describes the login and authentication phase on Cao and Ge’s scheme.
Fig 3

Login and authentication phase for Cao and Ge’s authentication scheme.

U imprints B using a biological feature extraction device, and it computes the information h(B ⊕ K) using K stored in the smart card. U can proceed only if h(B ⊕ K) matches f. U inputs the ID and PW and then, the smart card computes The login request message 〈EID, M2, M3〉 is then sent from U to S. The server S executes the authentication phase when the message is received. S makes sure that EID satisfies the original format using the database entry and checks the ID for the authentication phase. If the ID is valid when compared with database of S, S computes If M3 is the same as h(M4‖M5), S computes Then, S sends the message 〈M6, M7〉 to U. U computes M8 and verifies whether M7 = h(M1‖M8) or not. If they are equal, U calculates M9. U sends the message 〈M9〉 to S. After receiving 〈M9〉, S makes sure that M9 is equal to M10 = h(M4‖M5‖R) and then accepts the user’s login request. S sends M10 to U. Upon receiving 〈M10〉, U makes sure that M10 is equal to h(M1‖R‖M8) and then regards S as a legal server.

Cryptanalysis of Cao and Ge’s authentication scheme

We analyze Cao and Ge’s authentication scheme and identify various security vulnerabilities, including a biometric recognition error, slow wrong password detection, off-line password attack, user impersonation attack, ID guessing attack, DoS attack, and a lack of session key agreement.

Biometric recognition error

Cao and Ge’s authentication scheme uses only a general hash function to check biometrics. However, a general hash function has the property that a slight difference in the input data results in a very large difference in the output data. Fig 4 describes the biometric recognition error in Cao and Ge’s scheme. The output of the imprinted biometrics is not always constant, so biometric systems generally have instances of false acceptance and false rejection. Therefore, even when U imprints his/her own biometrics in the device, the device may output a different . Thus, the same user can generate different outputs, such as B during the registration phase and during the login phase. The difference between B and can result in a large difference between f and , and this difference between f and results in a biometric recognition error in the login phase: a legitimate user fails the biometric verification stage because the smart card compares the computed to the f stored within the smart card. Therefore, even though U imprints his/her own biometrics, a biometric recognition error can occur. Thus, the smart card needs to be implemented using more advanced techniques, such as a bio-hash function, to improve the biometrics verification process [51].
Fig 4

Biometric recognition error on Cao and Ge’s authentication scheme.

Slow wrong password detection

Slow wrong password detection refers to instances in which the user is not told of a mistake immediately upon inputting a wrong password, and only learns of it when the server S notifies the user that the password is wrong. In Cao and Ge’s authentication scheme, the user’s smart card cannot verify the correctness of the user password during the login phase. Only S verifies a legal user, by comparing M3 with h(M4‖M5) during the authentication phase. Fig 5 specifically describes how slowly the wrong password is detected in Cao and Ge’s scheme. Concretely, U inputs ID and PW after the biometric verification; if U enters a wrong password , the smart card is unaware that the password is incorrect. The smart card does not check the , and it only computes the various values using for login and authentication. The smart card then sends .
Fig 5

Slow wrong password detection on Cao and Ge’s authentication scheme.

S is unable to immediately confirm the wrong password after receiving the messages . First, S verifies the received EID against the EID in the database, and then computes M4 = h(ID‖X) and . Then, because is the same as , S eventually confirms that the received messages are not normal and that U may have input the wrong password. Only then does S send the wrong password notification to U. In short, Cao and Ge’s scheme requires a lengthy phase that includes value computation and message transmission before confirming that the user input the wrong password. Therefore, the smart card needs to provide a fast wrong password detection technique during login: when U inputs the wrong password during the login phase, the smart card should quickly identify the incorrect password and immediately notify U of the mistake.

Off-line password attack

In Cao and Ge’s scheme, an adversary can compute the user’s password by using public messages and the user’s smart card, obtaining M2 and M3 from the public messages exchanged between the user and the server. Fig 6 provides a detailed description of the off-line password attack on Cao and Ge’s scheme. Kocher et al. and Messerges et al. claim that all confidential information generally stored in smart cards can be extracted in various ways, such as by monitoring the power consumption. Therefore, if a user loses a smart card, all of the information in the smart card can be revealed by an adversary. The smart card stores various types of information used for user login and authentication, so the adversary can acquire e, f, K, and the hash function h(⋅) from the user’s smart card. The adversary knows the formulas for all values used in Cao and Ge’s scheme, as follows: The adversary uses the extracted values, the public messages, and these formulas to compute the M3 formula, as follows: The adversary then knows all values in this formula except for PW. Therefore, the adversary can easily determine the user’s password PW by mounting an off-line password guessing attack, because the password PW is not long enough and has a low level of entropy. If the adversary knows PW, various attacks can be facilitated by using the user’s password. Therefore, the password needs to be protected by using other values with high entropy that are not stored in the smart card, such as biometric information [52].
Fig 6

Off-line password attack on Cao and Ge’s authentication scheme.

User impersonation attack

In Cao and Ge’s scheme, an adversary can be authenticated by the server by using the user’s smart card and the password, without access to the user’s biometric information. Fig 7 describes in detail a user impersonation attack on Cao and Ge’s authentication scheme. In further detail, when an adversary obtains or steals a user’s smart card and figures out the user’s password, the legitimate user can be easily impersonated. In section 1, an adversary is shown to compute the user’s password by using a smart card and public messages. Therefore, this scheme is critically deficient in that the adversary can be authenticated by the server without the user’s biometrics.
Fig 7

User impersonation attack on Cao and Ge’s authentication scheme.

As described in Fig 6, the adversary can illegally extract all values, including K, f, e, and EID, from the user’s smart card by monitoring the power consumption. It then computes PW using an off-line password attack and computes r using PW, K, and f as follows: Even if U successfully executes the password change process, the adversary can still use these values to impersonate a legal user, authenticate to S without knowing B, and compute normal authentication messages using r, e, and EID as follows: After S receives the messages , and , S checks the legitimacy of the messages. However, S cannot distinguish a normal M9 from an abnormal M9 because the adversary used accurate values like h(ID‖X), which the adversary computes from r and e. Then, S sends the authentication messages 〈EID, M6, M7〉 to U. These are then used by the adversary to compute the next authentication message for S, as follows: Next, S checks that the received is the same as . However, S cannot distinguish it from a normal M9 because the adversary uses accurate values like M1h(ID‖X) and , which is used for . Then, S accepts the adversary’s login request. The adversary can be authenticated at S because he determined EID, e, and r through an off-line password attack, so S cannot distinguish between the adversary and a legitimate user. Since the user’s biometric information is not used during the login and authentication phase, S authenticates the adversary as a normal user. S cannot store and check the password and biometric information during the login and authentication phase due to the user’s privacy. Thus, to solve this problem, it is necessary to modify the way in which the authentication value h(ID‖X) is computed for the user. This value must not be stored on the smart card, and it should be computable only by a legitimate user who simultaneously inputs the password and biometrics during the login and authentication phase.

ID guessing attack

Cao and Ge’s authentication scheme uses EID to protect the user’s ID in order to ensure user anonymity during public communication. However, the adversary can determine the user’s ID by using the user’s smart card and the public communication message EID. Fig 8 describes in detail how to compute the user’s ID for Cao and Ge’s authentication scheme.
Fig 8

ID guessing attack on Cao and Ge’s authentication scheme.

When an adversary obtains or steals a user’s smart card, he can extract EID, n, and h(⋅). Then, the adversary can compute the user ID from the formula EID = h(ID)‖n because he knows all values except for the ID. In general, a user ID has low entropy, so the adversary is able to easily compute the user ID. Even if an adversary fails to extract EID from the smart card, he can acquire EID from public communication. Therefore, as long as the adversary extracts n and h(⋅) from the user’s smart card, he can determine the ID from EID = h(ID)‖n. The user’s ID can be used for other attacks, and therefore, the user’s ID needs to be protected using another value that the adversary cannot determine from the user’s smart card or from public communication.
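The off-line password attack and the ID guessing attack share one root cause: a low-entropy value is exposed through a hash whose every other input is public or sits on the card. The Python example below (added here; not code from the paper) models both EID constructions, Cao and Ge’s EID = h(ID)‖n and the proposed EID = h(ID‖h(ID‖X)‖n) from the countermeasures, and checks whether a party holding only the card contents and EID can recover the ID from a small candidate list. The server secret X, the sample ID, counter n, and the candidate list are constructed values; SHA-256 stands in for h(⋅).

```python
import hashlib
import os
from typing import Iterable, Optional

def h(*parts: bytes) -> bytes:
    """h(.): a general hash over the concatenation of its arguments (SHA-256 here)."""
    return hashlib.sha256(b"".join(parts)).digest()

def eid_cao_ge(id_: bytes, n: bytes) -> bytes:
    """EID = h(ID)||n (Cao and Ge): n comes from the card and h(.) is public."""
    return h(id_) + n

def eid_proposed(id_: bytes, n: bytes, x: bytes) -> bytes:
    """EID = h(ID||h(ID||X)||n) (proposed scheme): the inner term needs the server secret X."""
    return h(id_, h(id_, x), n)

def offline_guess(eid: bytes, n: bytes, candidates: Iterable[bytes],
                  x: Optional[bytes]) -> Optional[bytes]:
    """Model of a party holding the card contents (n, h(.)) and the public EID.
    It tries each candidate ID under both constructions; without X it can only
    substitute a random value for X in the proposed construction."""
    for cand in candidates:
        if eid_cao_ge(cand, n) == eid:
            return cand
        x_try = x if x is not None else os.urandom(32)
        if eid_proposed(cand, n, x_try) == eid:
            return cand
    return None

# Constructed sample values, not taken from the paper.
X = os.urandom(32)                                   # server secret, never leaves S
ID, N = b"alice", b"\x00\x03"
CANDIDATES = [b"admin", b"bob", b"alice", b"carol"]  # small, low-entropy ID dictionary

def demo() -> dict:
    """Which construction lets the card holder recover the ID, and can S still match it?"""
    return {
        # Cao and Ge: the ID falls out with no server secret involved.
        "cao_ge_leaks_id": offline_guess(eid_cao_ge(ID, N), N, CANDIDATES, x=None) == ID,
        # Proposed: the same guesser, lacking X, gets nothing.
        "proposed_leaks_id": offline_guess(eid_proposed(ID, N, X), N, CANDIDATES, x=None) == ID,
        # S, which holds X, can still recompute EID for its stored entry and match it.
        "server_can_match": offline_guess(eid_proposed(ID, N, X), N, CANDIDATES, x=X) == ID,
    }

if __name__ == "__main__":
    print(demo())
```

The design point is that the keyed inner term h(ID‖X) turns EID from a public function of a guessable value into one that only S can evaluate, which is exactly what the paper asks for when it requires a value "that the adversary cannot determine from the user’s smart card or from public communication". The same reasoning applies to the password: once PW is only checked together with H(B), the off-line guess loop has an input it cannot supply.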

Vulnerability to a DoS attack

A DoS attack is one in which an adversary attempts to make a server or network resource unavailable to prevent legitimate users from accessing the normal service. Although there are various ways to carry out a DoS attack, the server’s system or configuration has to be prepared to defend against it. However, in Cao and Ge’s scheme, an adversary can execute a DoS attack without difficulty. Fig 9 describes the DoS attack on Cao and Ge’s authentication scheme.
Fig 9

Vulnerability to a DoS attack on Cao and Ge’s authentication scheme.

An adversary can collect the previous messages 〈EID, M2, M3〉 exchanged between a legitimate user U and a server S. Then, the adversary sends the messages to S without modification. S unavoidably executes all operations of (2) and sends the (3) messages 〈EID, M6, M7〉 to U. This is because S cannot verify the freshness of the (1) messages 〈EID, M2, M3〉. This operation involves generating a random nonce once, executing the hash function twice, computing the exclusive-or operation twice, performing the comparison check twice, and then sending the (3) messages 〈EID, M6, M7〉. Therefore, the adversary can easily attempt a DoS attack targeting the server using any number of intercepted previous messages. Cao and Ge’s scheme does not check the freshness of an authentication message. Therefore, when an adversary sends previous authentication messages to S, S cannot verify whether the received messages are current or not, and S is obligated to execute various operations. In order to defend against a DoS attack, this scheme needs to check the freshness of the messages by using timestamps.

Lack of session key agreement

In general, the session key refers to a symmetric key that is used to encrypt all messages in the communication session. It can be computed and used for secure communications among the communicating members after the authentication phase finishes successfully. Fig 10 describes in detail the lack of session key agreement in Cao and Ge’s authentication scheme. As described in Fig 10, U and S finally authenticate each other using M9 and M10, and are then accepted and regarded as legal members. However, secure communication after the exchange of M9 and M10 is not provided, because U and S do not hold a session key once all phases have finished. Therefore, it is necessary to modify the login and authentication phase to provide session key agreement. Moreover, to ensure the security of the scheme, the session key has to change for each session and must be secure against various forms of attack.
Fig 10

Lack of session key agreement on Cao and Ge’s authentication scheme.

Countermeasures

The reason why Cao and Ge’s scheme is vulnerable to biometric recognition errors is that, even if the same user inputs his/her own biometrics to a scanner device, the device can generate slightly different outputs due to the general characteristics of biometric information, and the general hash function produces very large differences in the output data from slight differences in the input data. Thus, a general hash function results in a legal user failing during the login phase when using his/her own biometrics. To prevent a biometric recognition error, we suggest modifying the registration phase from 〈ID, PW ⊕ K, B ⊕ K〉 to H(⋅) is a bio-hash function that produces consistent output for the same biometric information, even if the user’s biometric input is slightly different. So, during the login phase, the values need to be modified from f = h(B ⊕ K) to However, by only modifying the scheme to use a bio-hash function, Cao and Ge’s authentication scheme is still vulnerable to the slow detection of a wrong password. This problem results from the smart card not checking the user’s password during the login phase; the server can confirm whether a user input the wrong password and computed the wrong M3 during the authentication phase only after extensive computations. Adding a password verification step during the login phase is suggested to solve the slow wrong password detection problem. Thus, the computation of f is modified from f = h(H(B) ⊕ K) to However, even with f modified as above, an off-line password attack can still be carried out.
This vulnerability is due to the fact that an adversary can know and compute all formulas and values except for PW; it is therefore necessary to check PW together with values that the adversary cannot know or compute, such as H(B). Since we check the user’s password in f, we suggest modifying r from r = h(PW ⊕ K) ⊕ f to With such a modification, we can also defend against a user impersonation attack because the adversary cannot impersonate the user without the user’s password. In other words, the adversary cannot compute r without PW and therefore cannot obtain h(ID‖X) to conduct a user impersonation attack, due to the lack of a legal M1. Next, a possible mechanism to eliminate the vulnerability of Cao and Ge’s scheme to an ID guessing attack is presented. This vulnerability is due to the fact that the adversary can obtain the user’s ID from EID using the value n stored in the user’s smart card. Even though EID is a public communication message, Cao and Ge’s scheme does not provide sufficient protection for EID. To address the ID guessing attack, we suggest modifying EID from EID = h(ID)‖n to h(ID‖X) is not stored in the smart card, and it can be easily computed by S. Even if the adversary knows EID and n, he cannot compute ID from EID because he does not know h(ID‖X). However, with the modifications explained above, Cao and Ge’s scheme is still vulnerable to a DoS attack. The cause of this vulnerability is that U and S perform all operations without checking the freshness of the received authentication messages. Moreover, S unwillingly executes extensive computations per message before S discovers the fault in the received authentication message. To address the DoS vulnerability, we suggest using timestamps (T1, T2, T3, T4) and adding them to the authentication messages.
So we propose to modify the computations for M3, M7, M9, and M10 from M3 = h(M1‖R), M7 = h(M4‖R), M9 = h(M1‖R‖M8), M10 = h(M4‖M5‖R) to In addition, all transmitted messages need to include timestamps so that freshness can be checked, such as changing 〈EID, M2, M3〉 to T1 and M3 are thus computed by a legal user, and the adversary cannot compute M3 without T1, which is current and matched with M3. So S can check the message freshness using T1, and S can verify the message integrity and freshness simply by checking M3 = h(M1‖R‖T1). In this manner, it is possible to effectively prevent the DoS attack. Finally, the problem regarding the lack of a session key is resolved by adding session key agreement to the login and authentication phase. The session key needs to change for every session in order to enhance the security of the authentication scheme, so the session key agreement computation is proposed as follows: For the session key agreement, h(ID‖X), Rc and Rs are computed only by the legal user and the server. T3 and T4 can be used to confirm the freshness of the session key. Therefore, this session key changes every session and can prevent various attacks.
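The following Python example (added here; not code from the paper) shows the server-side handling of the timestamped login request, with M3 = h(M1‖R‖T1) as given above. It assumes S has already derived M1 = h(ID‖X) and R from the rest of the request (M4 and M5 in the paper’s notation) and only demonstrates the freshness and integrity checks. Two details go beyond what the paper specifies and are assumptions of this example: a 60-second acceptance window for T1, and a small cache of already-accepted (T1, M3) pairs so that an identical resend inside the window is also rejected. SHA-256 stands in for h(⋅), T1 is encoded as a decimal string, and all sample values are constructed.

```python
import hashlib

# Assumed acceptable clock skew in seconds; the paper does not fix a value.
FRESHNESS_WINDOW = 60

def h(*parts: bytes) -> bytes:
    """h(.): a general hash over the concatenation of its arguments (SHA-256 here)."""
    return hashlib.sha256(b"".join(parts)).digest()

def make_login(m1: bytes, r: bytes, t1: int) -> dict:
    """User side of the modified request: M3 = h(M1||R||T1), sent with T1 in the clear."""
    return {"M3": h(m1, r, str(t1).encode()), "T1": t1}

def verify_login(msg: dict, m1: bytes, r: bytes, now: int, seen: set) -> str:
    """Server side. The cheap timestamp test runs first so a stale or replayed message
    is dropped before S spends work on hashing; then M3 is recomputed to make sure T1
    was not simply rewritten by whoever resent the message."""
    t1 = msg["T1"]
    if abs(now - t1) > FRESHNESS_WINDOW:
        return "stale"
    if (t1, msg["M3"]) in seen:             # same T1 and M3 already accepted (assumed cache)
        return "replay"
    if h(m1, r, str(t1).encode()) != msg["M3"]:
        return "bad_mac"
    seen.add((t1, msg["M3"]))
    return "ok"

def scenario() -> list:
    """Constructed walk-through: one genuine login, then three resends of it."""
    m1 = h(b"ID", b"X")          # stands in for h(ID||X); placeholder inputs
    r = b"\x01" * 16             # stands in for the user's random number R
    seen = set()
    t = 1_700_000_000            # fixed "now" so the run is deterministic
    msg = make_login(m1, r, t)
    results = [verify_login(msg, m1, r, t + 5, seen)]            # genuine, within window
    results.append(verify_login(msg, m1, r, t + 6, seen))        # identical resend inside window
    results.append(verify_login(msg, m1, r, t + 3600, seen))     # old capture, an hour later
    forged = {"M3": msg["M3"], "T1": t + 3600}                   # T1 rewritten, M3 unchanged
    results.append(verify_login(forged, m1, r, t + 3605, set()))
    return results

if __name__ == "__main__":
    print(scenario())   # ['ok', 'replay', 'stale', 'bad_mac']
```

The ordering of the checks is the point: an old capture costs S one integer comparison rather than the nonce generation, two hashes and two XORs counted in the DoS analysis above, and rewriting T1 to look current fails because T1 is bound into M3. The replay cache is the one thing timestamps alone do not give you inside the window; whether S needs it depends on how tight the window can be made relative to clock skew.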

Security enhanced multi-factor biometric authentication scheme

To solve the problems inherent to Cao and Ge’s scheme, a security enhanced multi-factor biometric authentication scheme is proposed and divided into three phases: registration phase, password change phase, and login and authentication phase. Before our scheme is executed, S generates the server’s secret value X. The registration phase of the proposed scheme is described in Fig 11. U needs to perform the registration phase with S by using a secure channel.
Fig 11

Registration phase for the proposed scheme.

U selects ID and PW, imprints the biometric impression B, and generates K. U sends the identity ID, h(PW) ⊕ K (using the general hash function), and H(B) ⊕ K (using the bio-hash function) to S through a secure channel. After receiving these, S computes f, r, and e as follows: Then, S creates a database entry for the user ID and generates n. S computes EID and v as below, and then S stores EID, ID, n, and v for ID as an entry in the database. S sends a smart card containing 〈h(⋅), H(⋅), f, e, n〉 to U through a secure channel. Then U stores K in the smart card. In the proposed scheme, the password change phase is executed when U loses the smart card or wants to update the password. In order to change the password, U sends both the old password PW and the new password PW. Fig 12 describes the password change phase for the proposed scheme.
Fig 12

Password change phase for the proposed scheme.

U inputs ID, the old PW, and the new PW, imprints the biometric impression B, and generates a new random value K′. Then U submits 〈ID, h(PW) ⊕ K′, h(PW) ⊕ K′, H(B) ⊕ K′〉 (the old and the new password digests, each masked with K′) to S through a secure channel. After receiving these, S looks up ID in the database and acquires the user's entry 〈EID, ID, n, v〉, computes the corresponding verifier from the submitted values, and compares it with the stored v. S then sets n = n + 1 and carries out the computations of Fig 12: S computes EID = h(ID‖h(ID‖X)‖n) and stores EID, ID, n in the entry for ID. S sends U a new smart card containing 〈h(⋅), H(⋅), f, e, n〉 through a secure channel, and U stores the new K′ in the smart card. Fig 13 describes the login and authentication phase of the proposed scheme. U executes the following steps to authenticate to a remote S; in this phase, the smart card first checks the legitimacy of the user using ID, PW, and B.
Fig 13

Login and authentication phase for the proposed scheme.

U inputs ID and PW and imprints B using a biometric feature extraction device. The smart card computes h(PW) with the general hash function and H(B) with the bio-hash function, recomputes f, and compares it with the stored f. If they are equal, U generates the current timestamp T1 and a random number R, computes r, M1, M2, M3, and EID from the input values and the values stored in the smart card, and sends the login request 〈EID, M2, M3, T1〉 to S. On receiving the message, S executes the authentication phase: S checks that EID has the expected format and that it matches a user entry in its database, computes M4 and M5, and verifies M3. If M3 is correct, S generates the current timestamp T2, computes M6 and M7, and sends 〈EID, M6, M7, T2〉 to U. U computes M8 = M6 ⊕ M1 and verifies that M7 = h(M1‖M8‖T2). If they are equal, U generates a timestamp T3, computes M9 and the session key sk = h(h(ID‖X)‖R‖R‖T2‖T3), and sends 〈M9, T3〉 to S. After receiving 〈M9, T3〉, S verifies that M9 equals h(M4‖M5‖R‖T3) and accepts the user's login request. S then generates the current timestamp T4, computes M10 = h(M4‖M5‖R‖T4) and sk, and sends 〈M10, T4〉 to U. After receiving 〈M10, T4〉, U verifies that M10 equals h(M1‖R‖M8‖T4) and regards S as a legal server. U and S therefore share the same session key once all steps have completed.
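The four-message exchange above, as an added example written for this page (it is not the authors' code): a Python model of the smart-card side and the server side, using SHA-256 for h(⋅), a quantisation stand-in for the bio-hash H(⋅), and the timestamp-bound values M3, M7, M9, M10 and sk = h(h(ID‖X)‖R‖R‖T2‖T3) exactly as the text gives them. Four details are assumptions of this example rather than statements of the paper: r = h(H(B) ⊕ K) (the security analysis only says r is "protected by" that value, and it is the one choice S can compute from the masked registration message), M1 = e ⊕ r = h(ID‖X) (consistent with the generic form in the BAN analysis), a 32-byte zero-padded encoding of ID so that it can be XORed, and a two-second freshness window. The constructed feature vectors are stand-ins for a biometric template and a noisy later sample. The helper rejects() is there so the replay and wrong-password arguments of the security analysis can be checked against the model rather than only read.

```python
import hashlib
import secrets

WINDOW_MS = 2_000   # assumed freshness window: |now - T| must not exceed this
STEP = 1.0          # assumed quantisation step of the simplified bio-hash stand-in


def h(*parts: bytes) -> bytes:
    """General hash h(.): SHA-256 over the parts joined with a separator (stands in for ||)."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == 32
    return bytes(x ^ y for x, y in zip(a, b))


def bio_hash(features) -> bytes:
    """Stand-in for H(.): quantise every feature to STEP and hash the grid point, so noise
    below STEP/2 (away from a rounding boundary) gives the same output. A real bio-hash
    adds a token-seeded random projection before quantising; that is omitted here."""
    return h(b"biohash", ",".join(str(round(v / STEP)) for v in features).encode())


def ts(t: int) -> bytes: return t.to_bytes(8, "big")         # timestamp or counter as 8 bytes
def pad_id(ID: bytes) -> bytes: return ID.rjust(32, b"\0")    # assumed 32-byte encoding of ID


class Server:
    def __init__(self):
        self.X = secrets.token_bytes(32)      # server secret value X
        self.db, self.pending = {}, {}        # EID -> (ID, n); EID -> state between messages 2 and 4

    def register(self, ID, hpw_xor_k, hb_xor_k):
        r = h(hb_xor_k)                       # assumed r = h(H(B) xor K): computable from the masked value
        hidx = h(ID, self.X)                  # h(ID||X)
        f = h(xor(xor(pad_id(ID), hpw_xor_k), hb_xor_k))   # = h(ID xor h(PW) xor H(B)); K cancels out
        self.db[h(ID, hidx, ts(0))] = (ID, 0) # EID = h(ID||h(ID||X)||n) with n = 0
        return f, xor(hidx, r), 0             # f, e, n for the smart card

    def on_login(self, msg, now):
        EID, M2, M3, T1 = msg
        if abs(now - T1) > WINDOW_MS or EID not in self.db:
            raise ValueError("stale T1 or unknown EID")
        M4 = h(self.db[EID][0], self.X)       # h(ID||X)
        M5 = xor(M2, M4)                      # recovers the user's random number
        if M3 != h(M4, M5, ts(T1)):
            raise ValueError("M3 does not match T1")
        R_s, T2 = secrets.token_bytes(32), now
        self.pending[EID] = (M4, M5, R_s, T2)
        return EID, xor(M4, R_s), h(M4, R_s, ts(T2)), T2

    def on_confirm(self, EID, msg, now):
        (M9, T3), (M4, M5, R_s, T2) = msg, self.pending.pop(EID)
        if abs(now - T3) > WINDOW_MS or M9 != h(M4, M5, R_s, ts(T3)):
            raise ValueError("M9 rejected")
        return (h(M4, M5, R_s, ts(now)), now), h(M4, M5, R_s, ts(T2), ts(T3))  # (M10, T4), sk


class SmartCard:
    def __init__(self, ID, f, e, n, K):
        self.ID, self.f, self.e, self.n, self.K, self.state = ID, f, e, n, K, None

    def login(self, PW, features, now):
        hpw, HB = h(PW), bio_hash(features)
        if h(xor(xor(pad_id(self.ID), hpw), HB)) != self.f:   # local check, nothing sent to S
            raise ValueError("wrong password or biometric, detected on the card")
        M1 = xor(self.e, h(xor(HB, self.K)))  # e xor r = h(ID||X)
        R_u = secrets.token_bytes(32)
        self.state = (M1, R_u)
        return h(self.ID, M1, ts(self.n)), xor(M1, R_u), h(M1, R_u, ts(now)), now  # EID, M2, M3, T1

    def on_challenge(self, msg, now):
        (M1, R_u), (_, M6, M7, T2) = self.state, msg
        M8 = xor(M6, M1)                      # recovers the server's random number
        if abs(now - T2) > WINDOW_MS or M7 != h(M1, M8, ts(T2)):
            raise ValueError("M7 rejected")
        self.state = (M1, R_u, M8)
        return (h(M1, R_u, M8, ts(now)), now), h(M1, R_u, M8, ts(T2), ts(now))  # (M9, T3), sk

    def on_confirm(self, msg, now):
        (M1, R_u, M8), (M10, T4) = self.state, msg
        if abs(now - T4) > WINDOW_MS or M10 != h(M1, R_u, M8, ts(T4)):
            raise ValueError("M10 rejected")


def enrol(server, ID, PW, features):
    K = secrets.token_bytes(32)               # K stays on the card; S sees only the masked values
    f, e, n = server.register(ID, xor(h(PW), K), xor(bio_hash(features), K))
    return SmartCard(ID, f, e, n, K)


def run_session(card, server, PW, features, now):
    """Drive all four messages; returns (user sk, server sk, transcript) or raises ValueError."""
    m1 = card.login(PW, features, now)
    m2 = server.on_login(m1, now)
    m3, sk_u = card.on_challenge(m2, now)
    m4, sk_s = server.on_confirm(m2[0], m3, now)
    card.on_confirm(m4, now)
    return sk_u, sk_s, (m1, m2, m3, m4)


def rejects(fn, *args) -> bool:               # True if the receiving side drops the message
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Running enrol() followed by run_session() yields equal session keys on both sides; feeding a captured message 1 back to on_login() outside the window, or with a refreshed T1, is dropped because M3 is bound to the original T1, and a message 1 replayed inside the window is answered but the old 〈M9, T3〉 no longer matches the server's fresh random number. The quantisation stand-in also shows the limit a practitioner should keep in mind: a feature that lands near a rounding boundary can still flip, which is why real bio-hash constructions add error tolerance rather than rely on rounding alone.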

Analysis

Several analyses were carried out to confirm that the proposed scheme with a bio-hash function improves the security of the authentication process. Ding Wang et al. analyzed various smart-card-based password authentication schemes and, applying the principle of the security-usability trade-off, showed that a fuzzy verifier resolves the conflict between the security requirement of resistance to smart-card-loss attacks and the usability goal of local password change [35-37]. In this paper, the proposed scheme uses a bio-hash function, which plays a role similar to a fuzzy verifier, to resist various off-line guessing attacks. The proposed scheme is examined through a security analysis, a formal analysis, and an efficiency analysis, and is then compared with other authentication schemes, including Cao and Ge's scheme. We follow the usual security definition: the strong secret values (B and the server secret X) have high entropy and cannot be guessed in polynomial time, and h(⋅) is a secure one-way hash function, so that given x computing y = h(x) is easy, but given y finding x is infeasible.

Security analysis

This section describes a security analysis to confirm the security of the proposed scheme.

[Replay attack] In the proposed scheme, even if an adversary intercepts messages such as 〈EID, M2, M3, T1〉 and 〈M9, T3〉 on the public channel and replays 〈EID, M2, M3, T1〉 to S, he cannot authenticate to S. First, the replayed T1 must still fall within the allowable time window for S to accept it; and even if it does, the adversary cannot produce the correct response to 〈EID, M6, M7, T2〉. He holds only the previous 〈M9, T3〉, which is useless because it does not bind the new R chosen by S, and only a legal user can recover that R, since doing so requires h(ID‖X). Therefore the replay attack fails because of the timestamps and the adversary's ignorance of h(ID‖X) [53]. In practice the window must cover the clock skew between U and S; a request replayed inside it still costs S the computation of M4 and M5 and the check of M3 before the replay is caught at the next message.

[Server masquerading attack] If an adversary wants to masquerade as a legal server, he has to send the appropriate response to the user's request. When the user sends 〈M9, T3〉 to the adversary, he has to compute the appropriate 〈M10, T4〉 to look like a legal server. To compute 〈M10, T4〉 from M9, T3 and T4, he has to know h(ID‖X) and both random numbers R. Only the legal server can do this: it holds X, from which it derives h(ID‖X) and recovers the user's R from M2, and it chose its own R. Therefore the adversary cannot succeed in masquerading as a legal server.

[Mutual authentication] Mutual authentication means that a user and a server authenticate each other. In the proposed scheme, U and S authenticate each other by checking the other party's random number, which only a legal user and server can do because only they know h(ID‖X). Specifically, S authenticates U on receiving 〈M9, T3〉, because only a legal U can compute M9 from S's M6. U authenticates S on receiving 〈M10, T4〉, because only the legal server can compute M10 from 〈M9, T3〉: only it can recover the user's random number R = M2 ⊕ h(ID‖X) [54].

[Biometric recognition error] The proposed scheme uses a bio-hash function to prevent a biometric recognition error. Cao and Ge's scheme verifies the user's biometrics with a general hash function, so a slightly different biometric reading produces a completely different digest and the legitimate user is rejected. The proposed scheme instead applies a bio-hash function to the biometric information, which produces a consistent output for the same biometric even when the user's biometrics are captured a little differently.

[Slow wrong password detection] Unlike Cao and Ge's scheme, the proposed scheme checks the user's password during the login phase, so it can verify whether the user entered the correct password before any message is sent. When a user wants to log in and authenticate to a server, he inputs his own ID, PW, and B. Using these, the smart card computes f = h(ID ⊕ h(PW) ⊕ H(B)) and compares it with the f stored in the smart card. If the user inputs a wrong password, the computed f differs from the stored one, so the user learns immediately that the password must be entered again.

[Off-line password attack] An adversary can extract all information stored in the user's smart card by using a side-channel attack, for example by physically monitoring the power consumption. However, in the proposed scheme the user's password is always combined with the user's ID and the biometric information H(B), as in f = h(ID ⊕ h(PW) ⊕ H(B)). The user's ID is protected by EID = h(ID‖h(ID‖X)‖n), and B has high entropy, so the adversary cannot carry out the computation. Therefore, even if the adversary extracts f by a side-channel attack, he cannot recover the user's password, because he knows neither ID nor H(B).

[User impersonation attack] To carry out a user impersonation attack, an adversary needs the user's h(ID‖X). To compute h(ID‖X) from the smart card values f = h(ID ⊕ h(PW) ⊕ H(B)) and e = h(ID‖X) ⊕ r, the adversary must know r. However, r is protected by h(H(B) ⊕ K), and the adversary cannot know H(B). Therefore the proposed scheme prevents a user impersonation attack.

[ID guessing attack] Unlike EID = h(ID‖n) in Cao and Ge's scheme, the proposed scheme uses EID = h(ID‖h(ID‖X)‖n) to protect the user's ID. An adversary can extract n from the smart card and obtain EID from public communications. However, h(ID‖X) is not stored in the smart card and can be computed only by a legal U and S, so the adversary cannot obtain it. Therefore, even knowing EID and n, he cannot recover ID from EID without h(ID‖X).

[Vulnerability to a DoS attack] The proposed scheme checks the freshness of every message using the timestamps T1, T2, T3, T4, so it is useless for an adversary to send previous messages to the server. Moreover, U and S authenticate each other with values that include the current timestamps: M3 = h(M1‖R‖T1), M7 = h(M4‖R‖T2), M9 = h(M1‖R‖M8‖T3), M10 = h(M4‖M5‖R‖T4). For example, S can check the freshness and legality of M3 because a previous M3 does not match a current T1, even if the adversary sends the old M3 together with a fresh timestamp. Therefore the proposed scheme is more robust than Cao and Ge's scheme against a DoS attack.

[Lack of session key agreement] Cao and Ge's scheme does not provide session key agreement, so it cannot establish encrypted communication after all phases have finished. To resolve this, session key agreement is provided during the login and authentication phase: the shared key is sk = h(h(ID‖X)‖R‖R‖T2‖T3), where h(ID‖X) and the two random numbers R can be computed only by a legal U and S. T2 and T3 confirm the freshness of the session key, and the key changes at every session to prevent various forms of attack [55]. Table 2 shows a comparison of the security analysis for various multi-factor authentication schemes, including the proposed scheme [14, 38, 39, 50, 56–58].
Table 2

Security analysis for various authentication schemes.

Attack resistance                [14]  [38]  [39]  [50]  [56]  [57]  [58]  Ours
Replay attack                     O     O     O     O     O     O     O     O
Server masquerading attack        X     X     X     O     X     O     X     O
Mutual authentication             O     O     O     O     X     X     X     O
Biometric recognition error       X     X     X     X     X     X     X     O
Slow wrong password detection     X     X     X     X     O     O     O     O
Off-line password attack          X     O     O     X     X     X     X     O
User impersonation attack         X     O     O     X     X     X     X     O
ID guessing attack                X     X     X     X     X     X     X     O
Vulnerability to a DoS attack     X     X     X     X     X     O     X     O
Lack of session key agreement     X     X     X     X     O     O     O     O

(O: the property is provided or the attack is resisted; X: it is not.)

Formal analysis

BAN logic (Burrows-Abadi-Needham logic) was introduced by Burrows, Abadi, and Needham and has consistently drawn attention because of the simplicity and directness with which it analyzes authentication schemes. In this section we analyze the proposed scheme using BAN logic, with P and Q denoting principals and X and Y denoting statements. The notation and the main inference rules are those of the BAN paper. A BAN analysis of an authentication scheme consists of four steps, and the formal analysis of the proposed scheme proceeds accordingly; it shows that the session key is correctly established between the communicating parties during authentication. The notation used here is as follows [59-62]. P ∣≡ X: The principal P believes statement X, i.e. P believes that X is true in the current run of the scheme. P ⊲ X: The principal P sees the statement X, i.e. P has received a message containing X. P ∣∼ X: The principal P once said the statement X, i.e. P believed X when P sent it. P ⇒ X: The principal P has jurisdiction over statement X, i.e. P has complete control over the formula X. : The formula X is fresh, i.e. X has not been used before. : P believes that the principals P and Q communicate with each other using K. : K is a secret shared between P and Q; K is known only to P and Q. {X}: The formula X is encrypted under the secret key K. 〈X〉: The formula X is combined with the secret K. (X): The formula X is hashed together with the secret key K. sk: The session key used in the current session. The logical postulates of BAN logic used here are the following. Message-meaning rule: : if the principal P believes that it shares the secret key K with Q, and P sees the statement X hashed with K,
then P believes that Q once said X. Nonce-verification rule: : if P believes that X is fresh and that Q once said X, then P believes that Q believes X. Belief rule: : if P believes both X and Y, then P believes (X, Y). Freshness-conjuncatenation rule: : if P believes that X is fresh, then P believes that (X, Y) is fresh. Jurisdiction rule: : if P believes that Q has jurisdiction over X and P believes that Q believes X, then P believes X. According to the analytic procedure of BAN logic and the postulates above, the proposed scheme needs to satisfy the following goals: Goal 1: . Goal 2: . Goal 3: . Goal 4: . The generic form of the proposed scheme is as follows: Message 1. U → S: h(ID‖h(ID‖X)‖n), h(ID‖X) ⊕ R, h(h(ID‖X)‖R‖T1), T1 Message 2. S → U: h(ID‖h(ID‖X)‖n), h(ID‖X) ⊕ R, h(h(ID‖X)‖R‖T2), T2 Message 3. U → S: h(h(ID‖X)‖R‖R‖T3), T3 Message 4. S → U: h(h(ID‖X)‖R‖R‖T4), T4 The idealized form of the proposed scheme is as follows: Message 1. U → S: (ID, n), 〈R〉, (R, T1), T1 Message 2. S → U: (ID, n), 〈R〉, (R, T2), T2 Message 3. U → S: Message 4. S → U: We make the following assumptions about the initial state of the protocol: A1: U ∣≡ ♯(T1) A2: S ∣≡ ♯(T2) A3: U ∣≡ ♯(T3) A4: S ∣≡ ♯(T4) A5: A6: A7: A8: The idealized form of the protocol is now analyzed using the BAN rules and the assumptions above; the main proofs are as follows. From Message 3 we obtain: S1: By assumption A6 and the message-meaning rule we obtain: S2: By assumption A3 and the freshness-conjuncatenation rule we obtain: S3: By S2, S3 and the nonce-verification rule we obtain: S4: Applying the belief rule to S4 we obtain: S5: , which satisfies Goal 3. By assumption A8, S5 and the jurisdiction rule we conclude: S6: , which satisfies Goal 1.
From Message 4 we obtain: S7: By assumption A5 and the message-meaning rule we obtain: S8: By assumption A4 and the freshness-conjuncatenation rule we obtain: S9: By S8, S9 and the nonce-verification rule we obtain: S10: Applying the belief rule to S10 we obtain: S11: , which satisfies Goal 4. By assumption A7, S11 and the jurisdiction rule we conclude: S12: , which satisfies Goal 2.

Efficiency analysis

The computational costs of the modified scheme and of the other schemes are listed in Table 3. Th stands for the computation time of one hash function evaluation; the time of an exclusive-OR operation is omitted from the table because it is negligible compared with Th.
Table 3

Computational costs.

Phases                  [14]    [38]    [39]    [50]    [56]    [57]    [58]    Ours
Registration phase      3 Th    3 Th    3 Th    7 Th    5 Th    7 Th    4 Th    7 Th
Login phase             2 Th    3 Th    2 Th    4 Th    11 Th   4 Th    4 Th    4 Th
Authentication phase    5 Th    6 Th    8 Th    7 Th    4 Th    11 Th   13 Th   9 Th
Total                   10 Th   12 Th   13 Th   18 Th   20 Th   22 Th   21 Th   20 Th
According to the results obtained in [63], one hash evaluation takes about 0.20 ms (Th ≈ 0.20 ms) on a system with 3.0 GB RAM and a Pentium IV 3.2 GHz processor. Table 4 shows the execution time of each authentication scheme obtained through simulation; each entry is the total hash count of Table 3 multiplied by 0.20 ms, so the ranking holds for any hash implementation whose cost dominates the XOR operations.
Table 4

Efficiency simulation.

Authentication scheme      [14]   [38]   [39]   [50]   [56]   [57]   [58]   Ours
Execution time (ms)        2.0    2.4    2.6    3.6    4.0    4.4    4.2    4.0
As shown in Tables 3 and 4, the modified scheme requires a slightly higher computational cost than some of the others, mainly in the registration phase, which is executed only once per user [38–40, 50]. In return, the modified scheme provides all the security properties listed in Table 2.

Conclusions

This paper discusses possible attacks for Cao and Ge’s authentication scheme, and a modified scheme is proposed to improve security and protect against various attacks. A security analysis and efficiency analysis are carried out to compare the results of the modified scheme to those of other schemes. In addition, the modified scheme is verified by conducting a formal security analysis using BAN-logic. The results indicate that the modified scheme has a slightly higher computational cost but that it is more secure than some of the other related schemes. The proposed scheme uses a bio-hash function for multi-factor biometric authentication to improve security. We also intend to conduct further studies on verification techniques, such as a fuzzy verifier and bio-hash function, to resolve the security-usability trade-off.