
A robust anonymous biometric-based authenticated key agreement scheme for multi-server environments.

Hua Guo1, Pei Wang1,2, Xiyong Zhang3, Yuanfei Huang2, Fangchao Ma4.   

Abstract

In order to improve the security of remote authentication systems, numerous biometric-based authentication schemes using smart cards have been proposed. Recently, Moon et al. presented an authentication scheme to remedy the flaws of Lu et al.'s scheme and claimed that their improved protocol supports the required security properties. Unfortunately, we found that Moon et al.'s scheme still has weaknesses. In this paper, we show that Moon et al.'s scheme is vulnerable to insider attack, server spoofing attack, user impersonation attack and guessing attack. Furthermore, we propose a robust anonymous multi-server authentication scheme using public key encryption to remove these problems. Through formal and informal security analysis, we demonstrate that the proposed scheme provides strong mutual authentication and satisfies the desirable security requirements. The functionality and performance analysis shows that the improved scheme offers the best security functionality and is computationally efficient.

Year:  2017        PMID: 29121050      PMCID: PMC5679566          DOI: 10.1371/journal.pone.0187403

Source DB:  PubMed          Journal:  PLoS One        ISSN: 1932-6203            Impact factor:   3.240


1 Introduction

Nowadays security has become an urgent issue for distributed networks. A remote user authentication scheme allows secret data to be transmitted over public channels and is therefore an important cryptographic tool for distributed networks. In 1981, Lamport [1] proposed the first password-based authentication scheme. Since then, a considerable amount of work on password-based authentication schemes has been put forward for different applications [2, 3]. However, passwords can be broken in a short time by dictionary guessing attacks. To address this problem, password-based authentication schemes using smart cards [4-12] were introduced to enhance the security of user authentication. Unfortunately, problems remain when the smart card is stolen and the stored data is leaked [13-15]. Biometric keys, such as fingerprints and irises, are considered unique identifiers of a user and therefore have many advantages: they cannot be forgotten or lost, are difficult to copy or share, and are not easy to forge or guess. Additionally, a user carries his biometric keys at all times and everywhere. Given the security requirements of distributed networks and the good security properties of biological characteristics, biometric authentication protocols have become more crucial and widely deployed [16-36]. In 2002, Lee et al. [16] designed the first biometrics-based remote user authentication scheme. In 2004, Lin-Lai [17] demonstrated that Lee et al.'s scheme cannot resist impersonation attack and designed a protocol without a verification table to fix its flaws. In 2007, Khang-Zhang [18] pointed out that Lin-Lai's scheme is insecure against server spoofing attack and presented an improved scheme. Rhee [19] demonstrated that Khang-Zhang's scheme is vulnerable to impersonation attack and offline password guessing attack.
Later, Li-Wang [20] designed an efficient three-factor remote user authentication scheme which uses only symmetric cryptographic primitives and hash operations. However, in 2011, Das [21] showed that Li-Wang's scheme is insecure against man-in-the-middle attack and does not provide proper authentication, and designed a new authentication scheme based on biometric characteristics. In 2014, Li et al. [25] pointed out that Das's scheme is vulnerable to forgery attack and stolen smart card attack, and put forward a three-factor remote user authentication scheme. After that, Chaturvedi et al. [26] demonstrated that Li et al.'s scheme does not resist known session-specific temporary information attack and does not protect user privacy, and proposed a novel authentication and key agreement protocol to overcome these weaknesses. In 2014, Chuang-Chen [27] proposed an efficient lightweight three-factor authentication protocol for multi-server environments which requires only hash operations. Mishra et al. [28] then showed that Chuang-Chen's scheme is insecure against denial-of-service attack, stolen smart card attack, server spoofing attack and impersonation attack, and proposed a new biometric-based multi-server authentication protocol to overcome these weaknesses. In 2015, Lu et al. [29] showed that Mishra et al.'s scheme is insecure against server spoofing attack and impersonation attack and does not provide forward secrecy. They introduced two independent three-factor authentication schemes [29, 31] for multi-server architectures and claimed that the improved schemes have strong security. Unfortunately, Moon et al. [30] showed that Lu et al.'s scheme [29] is vulnerable to outsider attack and user impersonation attack, and put forward an enhanced protocol which fixes the flaws of Lu et al.'s scheme.
Unfortunately, we found that Moon et al.'s biometric-based remote user authentication scheme still has flaws. In this paper, we first show that Moon et al.'s scheme is vulnerable to insider attack, server spoofing attack, user impersonation attack and guessing attack, and that it does not provide user anonymity. We then propose an improved authentication scheme for multi-server environments that fixes these design flaws, and show through formal and informal security analysis that the scheme is robust against all known attacks. Finally, we demonstrate that the improved scheme offers the best security functionality and is computationally efficient. The rest of the paper is organized as follows. Section 2 introduces some preliminary knowledge. Section 3 briefly reviews Moon et al.'s biometric-based remote user authentication scheme, and Section 4 shows its design flaws. To eliminate the shortcomings discussed in Section 4, we propose an enhanced authentication protocol in Section 5. Section 6 analyzes the security of the proposed scheme, and Section 7 compares the performance of the enhanced scheme with other related schemes. Finally, we conclude in Section 8.

2 Preliminaries

This section presents the definitions of the one-way hash function and BioHashing, and the security model.

2.1 Definition

One-way hash function. A one-way hash function h: {0, 1}* → {0, 1}^n takes an arbitrary-length input x ∈ {0, 1}* and produces a fixed-length output h(x), called the message digest. The hash function has the following properties: given x and h(⋅), it is easy to compute y = h(x); and it is computationally infeasible, within polynomial time t, to find two inputs x1 ≠ x2 such that h(x1) = h(x2).

BioHashing. The BioHashing technique [37] is designed to reduce the probability of denial of access while keeping the false acceptance rate. Taking as input a biometric feature set and a seed that plays the role of a "hash key", BioHashing generates a vector of bits. More precisely, using uniformly distributed pseudo-random numbers generated from the secret seed, the biometric feature vector x ∈ R^n is reduced to a bit vector b ∈ {0, 1}^l of length l (l ≤ n).
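As an added illustration (not code from the paper or from reference [37]), the following Python sketch implements the construction just described: a seeded pseudo-random orthonormal projection of a feature vector x ∈ R^n, thresholded into l bits. The feature vector, the seeds and the threshold are constructed for the example; a real system takes x from a feature extractor and the seed from a user-specific token.

```python
# Added illustration of the BioHashing construction described above: a seeded
# random projection of the feature vector x in R^n followed by thresholding,
# giving b in {0,1}^l with l <= n. Not code from the paper; pure Python only.
import hashlib
import math
import random


def seeded_orthonormal_basis(seed: bytes, n: int, l: int) -> list:
    """Derive l orthonormal vectors in R^n from the secret seed (the "Hash key").
    The seed drives a PRNG that yields Gaussian vectors; Gram-Schmidt
    orthonormalises them so the projection is well conditioned."""
    if not 0 < l <= n:
        raise ValueError("need 0 < l <= n")
    rng = random.Random(int.from_bytes(hashlib.sha256(seed).digest(), "big"))
    basis = []
    while len(basis) < l:
        v = [rng.gauss(0.0, 1.0) for _ in range(n)]
        for u in basis:  # strip the components along earlier basis vectors
            dot = sum(a * b for a, b in zip(v, u))
            v = [a - dot * b for a, b in zip(v, u)]
        norm = math.sqrt(sum(a * a for a in v))
        if norm < 1e-9:  # numerically degenerate draw; take another
            continue
        basis.append([a / norm for a in v])
    return basis


def biohash(x: list, seed: bytes, l: int, tau: float = 0.0) -> list:
    """Project x onto the seeded basis and threshold every coordinate at tau.
    Same biometric + same seed -> same bits; a different seed (a revoked or
    replaced token) gives an unrelated bit string for the same biometric."""
    basis = seeded_orthonormal_basis(seed, len(x), l)
    return [1 if sum(a * b for a, b in zip(x, u)) > tau else 0 for u in basis]


def bits_to_bytes(bits: list) -> bytes:
    """Pack the bit vector so it can serve as H(BIO) inside h(PW || H(BIO))."""
    return int("".join(str(b) for b in bits), 2).to_bytes((len(bits) + 7) // 8, "big")


# Constructed sample input: an 8-dimensional feature vector and two user tokens.
FEATURES = [0.91, -0.33, 0.12, 0.58, -0.77, 0.05, 0.44, -0.21]
SEED_A, SEED_B = b"token-of-user-A", b"token-of-user-B"

if __name__ == "__main__":
    bits = biohash(FEATURES, SEED_A, 8)
    print(bits, bits_to_bytes(bits).hex())
```

Because only the sign of each projection is kept, the output is invariant under positive scaling of x and flips under negation; with the threshold at zero each bit is close to uniform, which is why the formal analysis later treats H(BIO) as contributing about l bits of entropy.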

2.2 Security model

In this paper, we adopt the security model proposed by Abdalla et al. [38] to prove the security of our protocol.

Participants. An oracle denotes instance t of a server S, instance u of a user U, or instance v of RS.

Partnering. The partner of an instance of U is the corresponding instance of S, and conversely. The partial transcript of all messages exchanged between U and S is unique and serves as the session ID of the session in which the instance participates.

Freshness. An instance of U or S is fresh only if its session key SK has not been revealed to the adversary.

Adversary. In the ROR model, the adversary models a real attack through the following oracle queries:

Execute(π, π): returns the messages transmitted between two honest participants; this query models an eavesdropping attack.

Send(π, x): models an active attack. Instance π executes the protocol on the message x received from the adversary and responds with the outgoing message.

Reveal(π): models the leakage of session keys. If the session has been accepted, π returns the session key SK computed between π and its partner; otherwise it returns a null value.

CorruptSC(π): models smart card loss and outputs the information stored in SC.

Test(π): the adversary may make a Test query to an oracle Π at any point. If a session key SK has been established and is fresh, Π flips an unbiased coin b: if b = 1 it returns the real session key SK, otherwise it returns a random sample drawn from the distribution of the session key. If no fresh key exists, it returns ⊥.

Semantic security of the session key. In the experiment, the adversary must distinguish an instance's real session key SK from a random key. The adversary may keep issuing Test queries to either the server instance or the user instance; the outcome of each Test query must be consistent with the random bit b. Eventually, the adversary terminates the game and outputs a guess b′ for b. We say the adversary wins if b′ = b. Let E denote the event that the adversary wins the game. Then the advantage of the adversary in breaching the semantic security of our proposed authenticated key-agreement (AKE) protocol, say , is computed as . We say that the protocol is a secure multi-server authentication and key agreement protocol in the ROR sense if this advantage is negligible.

Random oracle. To prove the security of the proposed protocol, the one-way hash function h(⋅) is treated as a random oracle (the Hash oracle), available to the adversary and to every participant. The Hash oracle is simulated with a table of pairs (u, v) of binary strings. When a hash query h(u) is made, the Hash oracle returns v if u is found in the table; otherwise it returns a uniformly random string v and stores the pair (u, v) in the table.

3 Review of Moon et al.’s scheme

In this section, we briefly review Moon et al.’s scheme, which consists of four phases: registration phase, login phase, authentication phase and password change phase. Table 1 summarizes the notations used in this paper.
Table 1. Notations.

Notation       Description
U_i            The i-th user
AS             Application server
RS             Registration server
ID_i           Identity of U_i
PW_i           Password of U_i
SC             Smart card
SID_j          Identity of AS
PSK            Secret key chosen by RS for AS
E{}, D{}       Encryption and decryption operations
Pub_s, Pri_s   Public and private keys of AS
n1, n2         Random numbers chosen by U_i and AS
h(⋅)           A secure one-way hash function
H(⋅)           A bio-hash function
⊕              The exclusive-OR operation
||             The concatenation operation

3.1 Registration phase

The registration and authentication phases are shown in Fig 1. In order to access the different services provided by the servers, a user must first register with the registration server. U selects an identity ID and a password PW and inputs his biometrics BIO.

Fig 1. Registration and authentication phases of Moon et al.'s scheme.

Using the password and the biometrics, the smart card computes PWD = h(PW||H(BIO)) and sends < ID, PWD > to the registration server through a secure channel. Upon receiving < ID, PWD >, the registration server computes V = h(ID||PWD), W = h(y||PSK) ⊕ ID, X = h(ID||x) and Y = y ⊕ h(PSK), where x and y are secret values held by RS. Then RS stores < V, W, X, Y, h(⋅), H(⋅) > on a smart card and issues the smart card to U.

3.2 Login phase

During the login phase, the user U inserts his smart card into the smart card reader, inputs his identity ID and password PW, and imprints his biometric information BIO. The smart card then performs the following steps:

Step 1. The smart card computes PWD = h(PW||H(BIO)) and verifies V ?= h(ID||PWD). If the check succeeds, it continues; otherwise the session is aborted.

Step 2. The smart card generates a random number n1 and computes K = h((W ⊕ ID)||SID), M1 = ID ⊕ K, M2 = n1 ⊕ K, M3 = PWD ⊕ K and Z = h(X||n1||PWD||T1), where T1 is the current timestamp.

Step 3. The smart card transmits the login request message < Y, Z, M1, M2, M3, T1 > to the server S through a public channel.

3.3 Authentication phase

After receiving the login request < Y, Z, M1, M2, M3, T1 > from the user U, the server S and the smart card execute the following steps to authenticate each other.

Step 1. S first checks whether |T − T1| < ΔT for the current time T, then uses its pre-shared key PSK to recover y = Y ⊕ h(PSK). S computes K = h(h(y||PSK)||SID), n1 = M2 ⊕ K, ID = M1 ⊕ K, PWD = M3 ⊕ K and X = h(ID||x), and verifies Z ?= h(X||n1||PWD||T1). If the values are not equal, S rejects the login request and terminates the session.

Step 2. Otherwise, S generates a random number n2, computes M4 = n2 ⊕ h(n1||PWD||X), M5 = h(ID||n1||n2||K||T2) and SK = h(n1||n2||K||T2), and responds with < M4, M5, T2 > to the smart card over a public channel.

Step 3. Upon receiving < M4, M5, T2 > and checking the freshness of T2, the smart card recovers n2 = M4 ⊕ h(n1||PWD||X) and verifies M5 ?= h(ID||n1||n2||K||T2). If the verification holds, it computes the session key SK = h(n1||n2||K||X), which is shared between U and S. Finally, the smart card computes M6 = h(SK||ID||n2||T3) and sends < M6, T3 > to S via a public channel.

Step 4. Upon receiving < M6, T3 >, S checks the freshness of T3 and verifies h(SK||ID||n2||T3) ?= M6. If the equation holds, the server is assured of the identity of U; otherwise it aborts the session.

3.4 Password updating

In this phase, U can change his password at any time. To do so, the user performs the following steps: U inserts his smart card into the smart card reader and inputs ID, PW and biometrics BIO. The smart card SC computes PWD = h(PW||H(BIO)) and checks whether V′ = h(ID||PWD) equals the stored V. If they are equal, SC allows U to enter a new password . SC then computes and , and replaces V with .

4 Security analysis of Moon et al.’s scheme

Although Moon et al. claimed that their scheme satisfies the required security requirements, we found that it still has several weaknesses: it fails to resist insider attack, server spoofing attack, guessing attack and impersonation attack. Moreover, their scheme does not provide user anonymity.

4.1 Lack of user anonymity

User anonymity means that an adversary cannot obtain or track the identity of a user from the messages transmitted over the public channel; it is an important property for protecting the privacy of users. In Moon et al.'s scheme, during the authentication phase, U sends < Y, Z, M1, M2, M3, T1 > to S as the authentication request. All information transmitted over the public channel can be intercepted by the adversary. The parameter M1 = K ⊕ ID, where K = h((W ⊕ ID)||SID), is unique to the user and static across all logins to the same server (the stored value Y is static as well). Thus anyone who captures the value of M1 can track the activities of a legal user.

4.2 Insider attack

Insider attack means that an insider obtains sensitive credentials from the information stored at RS. In Moon et al.'s scheme, during the user registration phase U submits his identity ID and PWD to RS. In order to prevent duplicate user registration, RS has to store the user's ID. If an adversary obtains the list of IDs, the damage is severe: the adversary can impersonate U as described in the user impersonation attack below.

4.3 Server spoofing attack

In Moon et al.'s protocol, RS shares the same secret information (x, PSK) with all the application servers. A compromised server can therefore impersonate another legitimate server to deceive any legal user. We now show why Moon et al.'s scheme cannot withstand this kind of server spoofing attack. When U submits his login request < Y, Z, M1, M2, M3, T1 > to S, a legal but malicious server can intercept this message and compute y = Y ⊕ h(PSK), K = h(h(y||PSK)||SID), n1 = M2 ⊕ K, ID = M1 ⊕ K, PWD = M3 ⊕ K and X = h(ID||x), and check Z ?= h(X||n1||PWD||T1). The malicious server then generates a random number n2, computes M4 = n2 ⊕ h(n1||PWD||X), M5 = h(ID||n1||n2||K||T2) and SK = h(n1||n2||K||T2), and sends < M4, M5, T2 > to U. U computes n2 = M4 ⊕ h(n1||PWD||X) and h(ID||n1||n2||K||T2) and compares the latter with M5. The values are obviously equal, so U responds with M6 = h(SK||ID||n2||T3), computes the session key SK = h(n1||n2||K||T2) and believes that he is communicating with S. Therefore, a legal but malicious server can masquerade as another server to fool any legal user, and Moon et al.'s scheme is vulnerable to server spoofing attack.

4.4 Guessing attack

Moon et al.'s scheme is vulnerable to identity guessing attack, which is a critical concern. If the adversary extracts the secret value W from a legal user's smart card by some means and obtains M1 from the public channel, he can recover ID by a guessing attack in which each guess is verified as follows. The adversary chooses a candidate identity ID′ and computes K′ = h((W ⊕ ID′)||SID). The adversary verifies the correctness of ID′ by checking M1 ?= ID′ ⊕ K′. The adversary repeats the above steps until the correct ID is found.

4.5 User impersonation attack

In a remote user authentication scheme, anyone who holds valid authentication credentials, or who can construct a valid authentication request message, is treated as a legal user. In Moon et al.'s protocol, an adversary can impersonate a valid user as follows. As shown in the insider attack and guessing attack above, an adversary can obtain U's identity ID. He also extracts the secret values W and X from the legal user's smart card by some means. The adversary intercepts a valid login request < Y, Z, M1, M2, M3, T1 > sent by U over the public channel, computes K = ID ⊕ M1 and PWD = K ⊕ M3, chooses a fresh random number n1′, and calculates M1′ = ID ⊕ K, M2′ = n1′ ⊕ K, M3′ = PWD ⊕ K and Z′ = h(X||n1′||PWD||T1′), where T1′ is the current timestamp. Now the adversary sends the forged login request < Y, Z′, M1′, M2′, M3′, T1′ > to S while masquerading as the legal user U. After validating the login request, the server S generates a random number n2, computes M4 = n2 ⊕ h(n1′||PWD||X) and M5 = h(ID||n1′||n2||K||T2), and responds with < M4, M5, T2 > to the adversary. The adversary recovers n2 = M4 ⊕ h(n1′||PWD||X), verifies M5 with n1′, n2 and K, computes SK = h(n1′||n2||K||T2) and M6 = h(SK||ID||n2||T3), and sends < M6, T3 > back to S. S computes h(SK||ID||n2||T3) and compares it with the received M6. The values are equal, so the server accepts the login request and authenticates the adversary as U. After this mutual authentication, S and the adversary masquerading as U share the session key SK = h(n1′||n2||K||X).
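To make the attacks above concrete, here is an added Python simulation (not the authors' code, nor Moon et al.'s) of the login and authentication phases reviewed in Section 3, followed by the tracking attack of 4.1, the identity guessing attack of 4.4 and the user impersonation attack of 4.5. It assumes h is SHA-256, that identities are zero-padded to 32 bytes so they can be XORed with digests, that timestamps are 8-byte counters whose freshness is not checked, and that the session key is h(n1||n2||K||X); the user, the server and the candidate identity list are constructed sample data.

```python
# Added simulation of Moon et al.'s login/authentication phase as reviewed in
# Section 3, with the tracking (4.1), identity guessing (4.4) and user
# impersonation (4.5) attacks. Illustration only, not the authors' code.
# Assumptions: h is SHA-256, every XOR operand is 32 bytes (identities are
# zero-padded), timestamps are 8-byte counters, SK = h(n1||n2||K||X).
import hashlib, os, time

def h(*parts: bytes) -> bytes:
    """h(a||b||...) instantiated with SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == 32
    return bytes(p ^ q for p, q in zip(a, b))

def pad(s: str) -> bytes:
    """Fixed-width encoding of identities so they can be XORed with digests."""
    return s.encode().ljust(32, b"\0")

def ts() -> bytes:
    return time.time_ns().to_bytes(8, "big")

class RegistrationServer:
    """RS holds secrets x, y and the key PSK it shares with every application server."""
    def __init__(self) -> None:
        self.x, self.y, self.psk = os.urandom(32), os.urandom(32), os.urandom(32)
        self.id_list = set()  # kept to reject duplicate registrations (Section 4.2)

    def register(self, ID: bytes, PWD: bytes) -> dict:
        self.id_list.add(ID)
        return {"V": h(ID, PWD), "W": xor(h(self.y, self.psk), ID),
                "X": h(ID, self.x), "Y": xor(self.y, h(self.psk))}

def user_login(card: dict, ID: bytes, PWD: bytes, SID: bytes):
    """Smart-card side of the login phase: returns the request and private state."""
    if card["V"] != h(ID, PWD):
        raise ValueError("password/biometric check failed")
    n1, T1 = os.urandom(32), ts()
    K = h(xor(card["W"], ID), SID)
    req = (card["Y"], h(card["X"], n1, PWD, T1), xor(ID, K), xor(n1, K), xor(PWD, K), T1)
    return req, (ID, PWD, card["X"], n1, K)

def server_respond(rs: RegistrationServer, SID: bytes, req: tuple):
    """Application server: recover ID, n1, PWD from the request, check Z, answer."""
    Y, Z, M1, M2, M3, T1 = req
    K = h(h(xor(Y, h(rs.psk)), rs.psk), SID)  # y = Y xor h(PSK); K = h(h(y||PSK)||SID)
    n1, ID, PWD = xor(M2, K), xor(M1, K), xor(M3, K)
    X = h(ID, rs.x)
    if Z != h(X, n1, PWD, T1):
        return None
    n2, T2 = os.urandom(32), ts()
    return (xor(n2, h(n1, PWD, X)), h(ID, n1, n2, K, T2), T2), h(n1, n2, K, X)

def user_finish(state: tuple, resp: tuple) -> bytes:
    """Smart-card side: recover n2, authenticate the server, derive SK."""
    ID, PWD, X, n1, K = state
    M4, M5, T2 = resp
    n2 = xor(M4, h(n1, PWD, X))
    if M5 != h(ID, n1, n2, K, T2):
        raise ValueError("server authentication failed")
    return h(n1, n2, K, X)

def guess_identity(W: bytes, M1: bytes, SID: bytes, candidates):
    """4.4: with W from the stolen card and M1 from the wire, a guess ID' is
    confirmed when M1 == ID' xor h((W xor ID') || SID)."""
    for cand in candidates:
        if xor(cand, h(xor(W, cand), SID)) == M1:
            return cand
    return None

def forge_login(ID: bytes, card: dict, captured: tuple, SID: bytes):
    """4.5: knowing ID, W and X plus one captured request, rebuild K and PWD and
    emit a fresh request that S accepts, without ever knowing PW or BIO."""
    K = h(xor(card["W"], ID), SID)
    PWD = xor(captured[4], K)  # M3 xor K
    n1, T1 = os.urandom(32), ts()
    req = (card["Y"], h(card["X"], n1, PWD, T1), xor(ID, K), xor(n1, K), xor(PWD, K), T1)
    return req, (ID, PWD, card["X"], n1, K)

def demo() -> tuple:
    """One honest session, then the three attacks; returns four booleans."""
    rs, SID = RegistrationServer(), pad("server-1")
    ID, PWD = pad("alice"), h(b"hunter2", h(b"constructed-biohash"))  # PWD = h(PW||H(BIO))
    card = rs.register(ID, PWD)
    req1, st1 = user_login(card, ID, PWD, SID)
    resp1, sk_s = server_respond(rs, SID, req1)
    honest_ok = user_finish(st1, resp1) == sk_s
    req2, _ = user_login(card, ID, PWD, SID)
    tracked = req1[2] == req2[2]  # 4.1: M1 is identical on every login
    found = guess_identity(card["W"], req1[2], SID, [pad(u) for u in ("bob", "alice", "carol")])
    forged, st_f = forge_login(ID, card, req1, SID)
    resp_f, sk_f = server_respond(rs, SID, forged)
    return honest_ok, tracked, found == ID, user_finish(st_f, resp_f) == sk_f

if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

demo() returns four booleans: the honest run agrees on SK; M1 is identical across two logins of the same user (tracking); the guessing attack recovers the identity from the stolen W and the observed M1; and the forged request built from ID, W and X is accepted and yields a shared session key, exactly the sequence of Sections 4.1, 4.4 and 4.5.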

5 Our proposed scheme

In this section, we propose an improved remote user authentication scheme to fix the drawbacks in Moon et al.’s scheme. Our proposed protocol consists of four phases: registration, login, mutual authentication with key-agreement and password change. Fig 2 describes our proposed scheme.
Fig 2. Registration and authentication phases of our scheme.

5.1 Registration phase

When the remote user authentication scheme starts, the user U and the server S need to perform the following steps to register with the registration server(RS).

5.1.1 Server registration

To register with the system, a server S submits its identity SID and its public key Pub to RS. Upon reception, RS shares the secret key PSK with S and publishes S's public key Pub, so that every user can obtain it.

5.1.2 User registration

U freely selects an identity ID that uniquely identifies him and a password PW, and scans his biometrics BIO. Then U computes IDB = h(ID||H(BIO)) and PWD = h(PW||H(BIO)) and sends < h(ID), IDB, PWD > to RS over a secure channel. Upon reception, RS computes V = h(h(ID)||PWD) and W = h(h(ID)||PSK) ⊕ IDB, stores < V, W, h(⋅), H(⋅) > in the smart card SC, and sends SC to U over a secure channel.

5.2 Login phase

U initiates a login by inserting the smart card SC and inputting ID, PW and BIO. SC computes PWD = h(PW||H(BIO)) and checks whether V ?= h(h(ID)||PWD). If the check fails, the login session is aborted. Otherwise, SC recomputes IDB = h(ID||H(BIO)), generates a random number n1 and computes K = h((W ⊕ IDB) ⊕ h(ID||n1)), M1 = E_Pub{ID||n1} and Z = h(n1||ID||K||T1), where T1 is the current timestamp, and sends < M1, Z, T1 > to the server S as the login request.

5.3 Authentication phase

On receiving the login message, S checks the freshness of T1, recovers (ID||n1) = D_Pri{M1} with its private key Pri, computes K = h(h(h(ID)||PSK) ⊕ h(ID||n1)) and verifies Z ?= h(n1||ID||K||T1). If they are equal, S authenticates U; otherwise the session is terminated. S then generates a random number n2, computes M2 = n2 ⊕ K, M3 = h(ID||n1||n2||K||T2) and SK = h(n1||n2||K||ID), and sends < M2, M3, T2 > to SC. After checking the freshness of T2, SC computes n2 = M2 ⊕ K and verifies M3 ?= h(ID||n1||n2||K||T2). If the condition holds, U authenticates S; otherwise the process is terminated. SC then computes SK = h(n1||n2||K||ID) and M4 = h(SK||ID||n2||T3) and sends < M4, T3 > to S. S checks the freshness of T3, verifies M4 ?= h(SK||ID||n2||T3) and thereby reconfirms the authenticity of U. Now U and S share the session key SK = h(n1||n2||K||ID) for further communication.
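The following added Python simulation (not the authors' code) runs the registration, login and authentication phases described above between one user and two application servers. It instantiates h with SHA-256 and the public key operations E{}/D{} of Table 1 with textbook RSA on the 32-byte string ID||n1 (a deployment would use a padded encryption such as RSA-OAEP); identities are zero-padded to 16 bytes, n1 is 16 bytes, timestamps are 8-byte counters, and the sample identities, password and H(BIO) value are constructed for the example. The second server shows that an application server holding PSK but not the first server's Pri cannot process the user's login message.

```python
# Added simulation of the proposed scheme (Sections 5.1 to 5.3). Not the authors'
# code. Assumptions: h is SHA-256; E_Pub{.}/D_Pri{.} are textbook RSA on the
# 32-byte string ID||n1 (a deployment would use a padded scheme such as
# RSA-OAEP); ID and n1 are 16 bytes each, every XOR operand is 32 bytes,
# timestamps are 8-byte counters.
import hashlib, os, secrets, time

def h(*parts): return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def ts(): return time.time_ns().to_bytes(8, "big")

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0: return n == p
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if is_probable_prime(c): return c

def rsa_keygen(bits=1024):
    """(Pub, Pri) = ((e, N), (d, N)) for one application server."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e: return (e, p * q), (pow(e, -1, phi), p * q)

def enc(pub, m): return pow(int.from_bytes(m, "big"), pub[0], pub[1])  # E_Pub{m}
def dec(pri, c):                                                        # D_Pri{c}
    m = pow(c, pri[0], pri[1])
    return m.to_bytes(32, "big") if m < 1 << 256 else None  # wrong key gives garbage

class RegistrationServer:
    """RS shares PSK with every server; it sees only h(ID), IDB, PWD from the user."""
    def __init__(self): self.psk, self.pubs = os.urandom(32), {}
    def register_server(self, SID, pub):
        self.pubs[SID] = pub  # published so every user can fetch Pub
        return self.psk
    def register_user(self, hID, IDB, PWD):
        return {"V": h(hID, PWD), "W": xor(h(hID, self.psk), IDB)}

class ApplicationServer:
    def __init__(self, rs, SID):
        self.pub, self.pri = rsa_keygen()
        self.psk = rs.register_server(SID, self.pub)
    def respond(self, req):
        """5.3: (ID||n1) = D_Pri{M1}, rebuild K, check Z, answer < M2, M3, T2 >."""
        M1, Z, T1 = req
        plain = dec(self.pri, M1)
        if plain is None: return None
        ID, n1 = plain[:16], plain[16:]
        K = h(xor(h(h(ID), self.psk), h(ID, n1)))
        if Z != h(n1, ID, K, T1): return None
        n2, T2 = os.urandom(32), ts()
        return (xor(n2, K), h(ID, n1, n2, K, T2), T2), (h(n1, n2, K, ID), ID, n2)
    def confirm(self, state, msg):
        SK, ID, n2 = state
        return msg[0] == h(SK, ID, n2, msg[1])  # M4 ?= h(SK||ID||n2||T3)

def user_login(card, ID, PW, HBIO, pub):
    """5.2: three-factor check on the card, then < M1, Z, T1 > with a fresh n1."""
    PWD = h(PW, HBIO)
    if card["V"] != h(h(ID), PWD): raise ValueError("login rejected")
    IDB, n1, T1 = h(ID, HBIO), os.urandom(16), ts()
    K = h(xor(xor(card["W"], IDB), h(ID, n1)))  # W xor IDB = h(h(ID)||PSK)
    return (enc(pub, ID + n1), h(n1, ID, K, T1), T1), (ID, n1, K)

def user_finish(state, resp):
    """Check M3, derive SK and build the confirmation < M4, T3 >."""
    ID, n1, K = state
    M2, M3, T2 = resp
    n2 = xor(M2, K)
    if M3 != h(ID, n1, n2, K, T2): raise ValueError("server not authenticated")
    SK, T3 = h(n1, n2, K, ID), ts()
    return SK, (h(SK, ID, n2, T3), T3)

def run():
    """One user, two servers: (keys agree, M1 differs per login, other server rejects)."""
    rs = RegistrationServer()
    S1, S2 = ApplicationServer(rs, b"server-1"), ApplicationServer(rs, b"server-2")
    ID, PW, HBIO = b"alice".ljust(16, b"\0"), b"hunter2", h(b"constructed-biohash")
    card = rs.register_user(h(ID), h(ID, HBIO), h(PW, HBIO))
    req1, st1 = user_login(card, ID, PW, HBIO, S1.pub)
    resp1, sst = S1.respond(req1)
    SK_u, conf = user_finish(st1, resp1)
    req2, _ = user_login(card, ID, PW, HBIO, S1.pub)
    return SK_u == sst[0] and S1.confirm(sst, conf), req1[0] != req2[0], S2.respond(req1) is None

if __name__ == "__main__":
    print(run())  # (True, True, True)
```

run() returns three booleans: both sides derive the same SK and the confirmation M4 verifies; M1 differs between two logins of the same user, because it encrypts a fresh n1; and the second server, which shares PSK with RS but does not hold the first server's Pri, cannot recover ID||n1 and rejects the request, which is the property that closes the server spoofing attack of Section 4.3.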

5.4 Password changing phase

This procedure is invoked whenever a user U wants to replace his password with a new password , without a private channel and without communicating with RS. U inserts the smart card SC and inputs ID, PW and BIO. SC computes PWD = h(PW||H(BIO)) and verifies V ?= h(h(ID)||PWD). If the condition does not hold, the request is dropped. Otherwise U chooses a new password , and SC computes and . Finally the smart card contains the parameters .

6 Security analysis of the proposed scheme

In this section, we use Burrows-Abadi-Needham logic (BAN logic) [39] to verify the completeness of our scheme, and then prove its security through formal and informal analysis.

6.1 Verifying the proposed scheme with BAN logic

The BAN logic introduced by Burrows et al. is a formal method for analyzing the security features of an information exchange protocol. It helps determine whether the exchanged information is credible and whether it is protected against eavesdropping. In this paper, we use BAN logic to prove that a user and a server share a session key after successfully running the protocol. We first introduce the BAN logic notations used in this paper in Table 2.
Table 2. BAN logic notations.

Notation     Description
P |≡ X       P believes the statement X is true
P ⊲ X        P sees X
P |∼ X       P once said X, or has sent a message containing X
P ⇒ X        P has jurisdiction (control) over X
#X           X is fresh
P ←K→ Q      P and Q can communicate using the shared key K; only P, Q or a trusted third party know K
(X)_K        The formula X is hashed with K
{X}_K        The formula X is encrypted with K
→K P         K is the public key of P; only P knows the corresponding secret key K^(-1)
BAN logical postulates

Message-meaning rule: if P believes that K is the key shared by P and Q and P sees X encrypted with K, then P believes that Q once said X.
Jurisdiction rule: if P believes that Q has jurisdiction over X and P believes that Q believes X, then P believes X.
Nonce-verification rule: if P believes that X is fresh and P believes that Q once said X, then P believes that Q believes X.
Freshness-conjuncatenation rule: if P believes that X is fresh, then P believes that (X, Y) is fresh.
Belief rule: if P believes X and P believes Y, then P believes (X, Y).

Security goals

g1: 
g2: 
g3: 
g4: 

Initial premises

p1. U |≡ #n1.
p2. U |≡ S ⇒ #n2.
p3. S |≡ #n1.
p4. S |≡ #n2.
p5. 
p6. 
p7. U |≡ ID.
p8. S |≡ U ⇒ ID.
p9. 
p10. 

Scheme analysis

a0. Since M1 = E_Pub{ID||n1}, only S can obtain the values of ID and n1, and nobody can obtain K unless he holds both the true Pri and PSK at the same time.
a1. S ⊲ (n1, ID, T1)
From p5 and a1, by the message-meaning rule:
a2. S |≡ U |∼ (n1, ID, T1)
From a2 and p3, by the freshness-conjuncatenation rule and the nonce-verification rule:
a3. S |≡ U |≡ (n1, ID, T1)
From a3 and p8, by the jurisdiction rule and the belief rule:
a4. S |≡ ID
From a4 and , by the message-meaning rule:
a5. 
From a5 and p4, by the nonce-verification rule and the freshness-conjuncatenation rule:
a6. 
Finally, by the belief rule:
g1. 
From g1 and p9, by the jurisdiction rule:
g2. 
From p6 and U ⊲ (ID, n1, n2, T2), by the message-meaning rule:
a7. U |≡ S |∼ (ID, n1, n2, T2)
From a7 and p1, by the nonce-verification rule and the freshness-conjuncatenation rule:
a8. U |≡ S |≡ (ID, n1, n2, T2)
From a8 and p1, p3, p4, p6 and SK = h(n1||n2||K||ID), by the freshness-conjuncatenation rule and the nonce-verification rule:
g3. 
From g3 and p10, by the jurisdiction rule:
g4. 

6.2 Formal analysis

We use provable security to prove the security of our scheme. The security proof follows the model of RSA-based password authentication.

Theorem 1. Let be an adversary running in polynomial time t against our protocol in the random oracle model, let D be a uniformly distributed password dictionary, let l denote the number of bits in the biometric key BIO, and let |Hash| and |D| denote the range of the hash function and the size of D, respectively. If the adversary makes q_h Hash queries and q_s Send queries, then the advantage of the adversary in breaking the SK-security of the protocol is , where Adv(t) is the advantage of an adversary in factoring a large integer within time t.

Proof. The proof proceeds through a sequence of hybrid games G_i. For each game G_i, let E_i denote the event that the adversary succeeds in guessing the bit b in game G_i.

Game G0: This game corresponds to the real attack in the random oracle model. Thus we can write 

Game G1: This game simulates the adversary's eavesdropping attack by querying the Execute oracle. The adversary then queries the Test oracle and must decide whether its output is the real session key SK = h(n1||n2||K||ID) or a random number. Note that PSK and IDB are secret to S and U. Since the adversary has no knowledge of PSK, IDB or ID, eavesdropping does not increase its chance of winning in G1. So we have 

Game G2: The difference between G2 and G1 is that we add the simulation of the Send and Hash oracles. G2 models an active attack in which the adversary tries to deceive a participant into accepting a forged message. The adversary may make several Hash queries to find collisions. Note that the messages {M1, Z, T1} and {M2, M3, T2} are bound to the timestamps T1, T2, the random numbers n1, n2 and the identity ID of U, hence there is no collision when querying the Send oracle. By the birthday paradox we have 

Game G3: G3 simulates the CorruptSC oracle, which models the smart card loss attack. Since the chosen password has low entropy, the adversary may attempt an online dictionary attack with the information obtained from the smart card. In addition, the adversary may try to obtain the biometric key B from the information collected from the smart card SC. Our protocol uses BioHashing, which extracts at most l nearly random bits, so the probability that the adversary guesses the biometric key B ∈ {0, 1}^l is approximately . If the number of wrong password inputs is limited by the system, the probabilities can be estimated as follows: 

Game G4: This game models an attack in which the adversary must compute the real session key SK = h(n1||n2||K||ID) from K and ID using the eavesdropped messages {M1, Z, T1} and {M2, M3, T2}. The adversary cannot compute K = h((W ⊕ IDB) ⊕ h(ID||n1)) and since ID, Pri and IDB are unknown. The adversary also needs to derive n1 and n2 from M1 and M2, respectively. We then have 

Additionally, since all session keys are random and independent and no information about the value of c is revealed to the adversary, 

Then, 

From Eqs (1)–(6), the following result is obtained: 

6.3 Informal security analysis

This subsection describes the security analysis of our scheme. To evaluate the security of the improved scheme, we assume that the adversary may obtain the smart card of a legal user and extract the information stored in it, and may intercept all information transmitted over the public channel.

6.3.1 Mutual authentication

After receiving the login request from U, S checks whether Z ?= h(n1||ID||K||T1) holds. An adversary masquerading as the legal user cannot forge Z without knowing ID and the biometrics BIO of U. Likewise, upon receiving M3, U checks M3 ?= h(ID||n1||n2||K||T2), where K = h(h(h(ID)||PSK) ⊕ h(ID||n1)) requires the user's identity ID, the random number n1 and PSK. Only the server holding the private key Pri can recover ID and n1 and hence compute K. Hence only a legal user can share a session key with the corresponding server, and our proposed scheme provides proper mutual authentication.

6.3.2 Anonymity

In the proposed scheme, the login request < M1, Z, T1 > is different for every login and discloses no information about U, since it depends on the random number n1. The identity is protected by encryption under Pub, so the adversary cannot obtain ID without knowledge of Pri. Likewise, an unauthorized server cannot decrypt the user's login message since it does not own Pri. Consequently the user's real identity cannot be retrieved, and our protocol achieves user anonymity and protects the privacy of users.

6.3.3 Off-line password guessing attack

An adversary may try to guess the password PW from the parameters < V, W, h(⋅), H(⋅) > extracted from the smart card. The stored parameter V = h(h(ID)||PWD), with PWD = h(PW||H(BIO)), involves the password, so the adversary would check V ?= h(h(ID)||h(PW||H(BIO))) for each guessed PW. To do so he needs both ID and BIO of U. However, BIO is stored nowhere, and the adversary cannot obtain ID without knowing the private key Pri. As a result, the adversary cannot verify a guessed password, and our improved protocol withstands this kind of attack.

6.3.4 Insider attack

In our proposed protocol, U does not send his ID, password PW or biometrics BIO in plaintext during the registration phase; U submits only h(ID), IDB and PWD to RS, where PWD = h(PW||H(BIO)) and IDB = h(ID||H(BIO)). Hence an insider cannot obtain the original sensitive information of any user. Moreover, entity authentication is performed by verifying messages such as Z ?= h(n1||ID||K||T1), for which ID is necessary, and RS does not participate in the authentication process at all. Therefore the proposed protocol resists insider attack.

6.3.5 Stolen smart card attack

An adversary can extract the information < V, W, h(⋅), H(⋅) > stored in the smart card by means of power analysis. Assume a legal user's smart card is stolen by an adversary and the stored information < V, W, h(⋅), H(⋅) > is extracted. The adversary may then try to recover ID, PW and BIO from these values. However, the adversary cannot obtain any valuable information from V = h(h(ID)||PWD) and W = h(h(ID)||PSK) ⊕ IDB, since all the important parameters such as ID and PW are protected by a one-way hash function. The adversary cannot derive any login information from the stored parameters V and W, and guessing the real identity ID and the password PW is impractical. Therefore, the proposed protocol is secure against stolen smart card attack.

6.3.6 Replay attack

If an adversary has intercepted all the communication messages < M1, Z, T1 > and < M2, M3, T2 >, he may try to replay them to U or S in order to masquerade as a legal user. However, once a message is replayed, the server can immediately detect the attack and reject the request because of the timestamp it carries. Hence, our scheme is secure against replay attack.

6.4 No verification table

In the proposed scheme, neither the registration server nor the application servers store a password or biometrics database of the users. Therefore, even if an adversary steals the information stored in RS, he still cannot obtain ID, PW, BIO or any other valid information of users. S likewise stores no password or biometrics table of users, so the same holds for the database of S.

6.4.1 User masquerade attack

Assume an adversary steals the smart card of a legal user and wants to obtain service by mounting a user impersonation attack. To impersonate U, he first has to build a login request message < M1, Z, T1 >, where Z = h(n1||ID||K||T1). However, the adversary cannot compute the messages M1 and Z without the user's private information ID and H(BIO). At the same time, the adversary has to pass the login phase before sending the login request. During the login phase, SC computes PWD = h(PW||H(BIO)) and verifies whether V ?= h(h(ID)||PWD) holds; unless the adversary enters the correct credentials, the process is terminated. Therefore, the adversary needs ID, PW and BIO for any further computation, and the probability of obtaining all three correctly is negligible.

6.4.2 Server impersonation attack

Unlike Moon et al.'s protocol, the server S not only keeps the unique long-term key PSK but also holds the key pair < Pub, Pri >. Note that the key pair of each server is distinct, and Pri is known only to S. Consider a scenario where an adversary captures < M1, Z, T1 > and tries to impersonate the valid server by responding with a message < M2, M3, T2 >. The values of ID, K and n1 are prerequisites, but the adversary cannot obtain any of them without knowing Pri. If the adversary nevertheless forges the message < M2, M3, T2 > without the right values of ID, K and n1, U identifies it as a malicious attempt upon receipt, because the received message fails U's verification. Thus, our proposed protocol is secure against server impersonation attack.

6.4.3 Forward secrecy

In our improved protocol, the session key is SK = h(n1||n2||K||ID). The long-term private keys of the servers vary from server to server and are not shared with any registered user U. Even if the adversary has obtained the long-term key PSK, he still cannot compute a valid session key without the secret parameters ID and n1, which are protected by Pub and can be decrypted only with Pri. Moreover, the parameters n1 and n2 are fresh random values for each session. Therefore, the session key remains secure even though the long-term private key of the server is compromised.
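The checks argued for in Sections 6.3.1 to 6.4.3 (local check of V, server check of Z and T1, user check of M3, derivation of SK), as an added Python walk-through that is not the paper's code. It assumes that h(⋅) and H(⋅) are both modelled as SHA-256, that the Pub/Pri encryption of < ID, n1 > inside M1 is left out (S is simply handed the values it would recover with Pri), and that the card recovers h(h(ID)||PSK) as W ⊕ IDB during login, a step the text above does not spell out.

```python
import hashlib

# Added example, not the paper's code. Assumptions: h(.) and H(.) are both SHA-256,
# "||" is byte concatenation, timestamps are integer seconds, and the Pub/Pri
# encryption of <ID, n1> in M1 is left out: S is handed what it would decrypt with Pri.
def h(*parts):
    enc = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"||".join(enc)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def register(ID, PW, BIO, PSK):
    """RS sees only h(ID), IDB and PWD (6.3.4); the card receives <V, W>."""
    PWD, IDB = h(PW, h(BIO)), h(ID, h(BIO))
    return h(h(ID), PWD), xor(h(h(ID), PSK), IDB)      # V, W

def user_login(ID, PW, BIO, card, n1, T1):
    """Card checks V locally, then derives K and Z for the request <M1, Z, T1>."""
    V, W = card
    if V != h(h(ID), h(PW, h(BIO))):
        return None                                     # wrong PW or BIO: abort
    K = h(xor(xor(W, h(ID, h(BIO))), h(ID, n1)))        # W ⊕ IDB = h(h(ID)||PSK)
    return K, h(n1, ID, K, T1)                          # K, Z

def server_auth(ID, n1, PSK, Z, T1, now, n2, T2, window=5):
    """S checks T1 freshness (6.3.6) and Z (6.3.1); replies with M3 and derives SK."""
    if abs(now - T1) > window:
        return None                                     # stale timestamp: replay
    K = h(xor(h(h(ID), PSK), h(ID, n1)))
    if Z != h(n1, ID, K, T1):
        return None                                     # Z not built with ID, K
    return h(ID, n1, n2, K, T2), h(n1, n2, K, ID)       # M3, SK

def user_finish(ID, n1, n2, K, M3, T2):
    """U accepts S only if M3 verifies, then derives the same SK."""
    return h(n1, n2, K, ID) if M3 == h(ID, n1, n2, K, T2) else None

def run_exchange():
    """Constructed sample run: honest session, replayed request, forged Z, wrong PW."""
    ID, PW, BIO, PSK = b"alice", b"pw123", b"iris-template", b"server-psk"
    card = register(ID, PW, BIO, PSK)
    n1, n2, T1, T2 = b"nonce-n1", b"nonce-n2", 1000, 1001
    K, Z = user_login(ID, PW, BIO, card, n1, T1)
    M3, sk_s = server_auth(ID, n1, PSK, Z, T1, T1 + 1, n2, T2)
    sk_u = user_finish(ID, n1, n2, K, M3, T2)
    replay = server_auth(ID, n1, PSK, Z, T1, T1 + 60, n2, T2)
    forged = server_auth(ID, n1, PSK, h(n1, b"guessed-id", T1), T1, T1 + 1, n2, T2)
    return {"keys_match": sk_u == sk_s, "replay": replay,
            "forged": forged, "bad_pw": user_login(ID, b"wrong", BIO, card, n1, T1)}
```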

7 Functional and performance analysis

In this section, we compare our proposed scheme with the other related schemes in terms of functionality and performance, including Chuang et al.'s scheme, Mishra et al.'s scheme and Lu et al.'s scheme.

7.1 Functional analysis

We perform a comparative analysis with the previous schemes, summarized in Table 3. From the table, we can see that the proposed scheme is more secure and satisfies more functionality requirements than the other related schemes. Moreover, the proposed scheme meets all of the resistance requirements.
Table 3. Functionality comparison.

Functionality                     Chuang [27]  Mishra [28]  Lu [29]  Lu [31]  Moon [30]  Ours
Provide mutual authentication     No           Yes          Yes      Yes      Yes        Yes
User anonymity                    Yes          Yes          No       No       No         Yes
Resist insider attack             Yes          Yes          Yes      Yes      No         Yes
Resist off-line guessing attack   Yes          Yes          Yes      Yes      No         Yes
Resist smart card theft attack    No           Yes          Yes      Yes      Yes        Yes
Resist replay attack              No           No           No       Yes      Yes        Yes
Resist impersonation attack       No           No           No       No       No         Yes
Session key agreement             Yes          Yes          Yes      Yes      Yes        Yes
Provides forward secrecy          Yes          No           Yes      Yes      Yes        Yes
Efficient password change phase   No           No           Yes      Yes      Yes        Yes
Resist verifier attack            Yes          Yes          Yes      Yes      Yes        Yes

7.2 Performance analysis

Now we compare the computational costs and execution time of the proposed scheme and the other related schemes. For the evaluation of the computational costs, let Th, TRe, TRd, Tsym and Tepm denote the execution time of a one-way hash, an RSA encryption, an RSA decryption, a symmetric key encryption/decryption operation and an elliptic curve point multiplication, respectively. According to Kilinc et al.'s [40] estimation, the average running time of Th is about 0.0023 ms, TRe is 3.8500 ms, TRd is 0.1925 ms, Tsym is 0.1303 ms and Tepm is 2.229 ms. Table 4 compares the performance of our improved scheme with the previously proposed schemes.
Table 4. Computation costs comparison.

Scheme                 Login                 Authentication          Total                   Time (ms)
Chuang et al.'s [27]   4Th                   13Th                    17Th                    0.0391
Mishra et al.'s [28]   4Th                   11Th                    15Th                    0.0345
Lu et al.'s [29]       6Th                   12Th                    18Th                    0.0414
Moon et al.'s [30]     5Th                   13Th                    18Th                    0.0414
Lu et al.'s [31]       4Th + 3TRe            14Th + 3TRd             18Th + 3TRe + 3TRd      12.1689
Mishra's [32]          6Th + 2Tepm           10Th + 1Tepm            16Th + 3Tepm            6.7148
Chaudhry's [33]        2Th + 3Tepm           6Th + 5Tepm             8Th + 8Tepm             17.8504
Jiang's [34]           3Th + 1Tepm + Tsym    6Th + 3Tepm + 3Tsym     9Th + 6Tepm + 4Tsym     13.9159
Our scheme             7Th + 1TRe            11Th + 1TRd             18Th + TRe + TRd        4.0866
The time consumption of our proposed scheme and of the other related schemes is listed in Table 4. The results show that the proposed scheme is the least computationally expensive among the schemes based on public key cryptography [31-34]. Note that although our proposed scheme costs more time than the rest of the schemes [27-30], it is more secure than those schemes. To sum up, only the proposed scheme provides both the computational efficiency to accomplish mutual authentication and key agreement and the basic security properties against the known threats. The other schemes are either vulnerable to various attacks [27-31] or need more time than our scheme [31-34].

8 Conclusion

In this paper, we first analyzed the security of Moon et al.'s scheme and demonstrated that their scheme is vulnerable to insider attack, guessing attack and impersonation attack. Moreover, their scheme was found not to provide user anonymity. To overcome these drawbacks, we proposed an improved biometric-based authentication scheme for multi-server environments and proved that the improved scheme provides secure authentication through a formal security analysis using Burrows-Abadi-Needham logic (BAN logic) and the random oracle model. Moreover, we have shown through an informal security analysis that our scheme is robust against all known attacks. The functional and performance analysis shows that the improved scheme has the best security functionality and is computationally efficient.