
Cryptanalysis and improvement of a biometrics-based authentication and key agreement scheme for multi-server environments.

Li Yang, Zhiming Zheng.

Abstract

With the advancement of wireless technologies, the study of biometrics-based multi-server authenticated key agreement schemes has gained a lot of momentum. Recently, Wang et al. presented a three-factor authentication protocol with key agreement and claimed that their scheme was resistant to several prominent attacks. Unfortunately, this paper shows that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol cannot provide perfect forward secrecy. As a remedy for these problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Compared with various related schemes, our protocol achieves stronger security and provides more functionality properties. Besides, the proposed protocol shows satisfactory performance in respect of storage requirement, communication overhead and computational cost. Thus our protocol is suitable for expert systems and other multi-server architectures. Consequently, the proposed protocol is more appropriate in distributed networks.


Year: 2018    PMID: 29534085    PMCID: PMC5849336    DOI: 10.1371/journal.pone.0194093

Source DB: PubMed    Journal: PLoS One    ISSN: 1932-6203    Impact factor: 3.240


Introduction

Tremendous advancements in wireless technologies have enhanced the quality of on-line services in distributed networks, enabling a large number of web users to enjoy a variety of helpful on-line services in many areas, for example on-line work, on-line medicine and on-line shopping [1, 2]. However, a significant problem remains: how to let web users enjoy so many on-line services while ensuring the confidentiality of their sensitive data over an insecure channel. Data protection has therefore become more and more important for every communication participant in distributed networks. As a remedy, authenticated key establishment protocols are applied to safeguard information and defy threats; they help web users submit their credentials and subsequently acquire various on-line services from a number of remote network servers [3, 4]. Specifically, mutual authentication, which lets network servers check the legality of web users and vice versa, minimizes the risk of internet fraud. As a next step, key agreement helps the communication participants establish a common session key to protect their subsequent communication over open networks [5]. Over the past four decades, three kinds of typical factors have been used to design authenticated key establishment protocols, namely the knowledge factor (password), the possession factor (smart card) and the inherence factor (biometric information) [6-9]. In the last few years, Khan [10] presented two biometric-based authentication schemes, which possess self-authentication and deniability, respectively. In 2013, Kumari and Khan [11] put forward an improved smart card-based authentication protocol with user anonymity for remote users. In recent years, Farash et al. [12] proposed a lightweight authentication scheme for consumer roaming. Over the last two years, Kumari et al. [13] presented a smart card-based authentication protocol for the session initiation service.

More specifically, in 1981 Lamport [7] put forward the first authentication scheme, which was based on a password and did not provide key agreement. However, his protocol maintained password-verification tables, which made the stolen verification table attack feasible. Afterwards, a sequence of improved password-based authentication and key establishment schemes were presented [14-16]. Authenticated key exchange protocols that adopt only a password share some common shortcomings, such as weak passwords, dictionary attacks and stolen verification table attacks. Thus it is necessary to add the possession factor to design a novel kind of authenticated key agreement scheme, which makes it more robust [17-19]. Later on, two-factor authentication and key establishment protocols, which apply both a password and a smart card, were deployed widely in distributed networks. To log in to the expected remote network server, web users insert their smart card into a smart card reader and enter their password. In 1991, Chang et al. [20] presented a password-based authentication scheme with a smart card. Since then, a series of cryptanalyses and improvements have been put forward [21-25]. However, it is practicable to acquire some of the data stored in a smart card through side-channel attacks [26], so a lost or stolen smart card makes such authenticated key agreement protocols vulnerable [27-30]. To solve these problems, biometric information (e.g. facial expressions, retina and fingerprints) has been added as an inherence factor to propose a variety of three-factor authenticated key establishment protocols. Unlike the knowledge factor and the possession factor, biometric information is unique, which further enhances the security of sensitive data [31, 32]. Besides, it is exceedingly difficult for an adversary to forge the biometrics of web users, and web users are not required to remember their biometric information, which is hard to forget or lose. Thus biometric information is combined with both the password and the smart card mentioned above, giving rise to a battery of three-factor authenticated key agreement schemes [33-38].

In practice, the biometric data imprinted by a web user are not identical each time, so adopting them directly usually results in a low success rate for valid web users [39]. To address this problem, the biometrics-based fuzzy extractor, which is convenient to implement on a smart card, is introduced to reduce the failure rate [40]. Besides, the Bio-Hash code, namely a user-specific code, is another way to accommodate this problem [41]. Furthermore, earlier authentication and key establishment protocols were only applied to single-server environments and did not consider applicability to multi-server environments; in particular, it is inefficient to adopt single-server authentication schemes directly in multi-server environments. With the rapid growth in the number of different network servers, web users would not only have to register with and log in to each individual server repeatedly, but also maintain a massive number of identity and password credentials. In 2001, Li et al. [42] put forward the first multi-server authentication protocol, which coped with the problem mentioned above; in particular, Li et al. [42] efficiently applied a registration center to achieve single registration in multi-server architectures. During the past two decades, a large number of multi-server authentication schemes have been presented, of which some adopt two factors [43-46] and others are based on three factors [47-56]. The multi-server authentication mechanism requires higher security.

Since legal users adopt the same credentials to log in to a variety of individual network servers, it is practical for adversaries to trace web users and thereby make many protocols vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack [47, 57, 58]. As typical multi-server architectures, expert systems, which benefit from the decision-making capability of human experts, have a great many applications, for example security auditing and network management. In particular, Tsudik and Summers [59] introduced a security auditing expert system called AudES, which automated a great deal of manual security auditing procedures in order to alleviate the burden on human auditors. For network management expert systems, Hariri and Jabbour [60] designed a generalized architecture to manage the many resources in a distributed computer network. Recently, Mishra et al. [50] put forward an anonymous three-factor multi-server authentication scheme with key agreement for expert systems, which was adopted to secure the communication between web user and network server. They declared that their protocol provided high security. However, Wang et al. [61] indicated that Mishra et al.'s scheme was vulnerable to several common attacks and presented an improved protocol to enhance its security. Unfortunately, as the cryptanalysis below shows, Wang et al.'s scheme is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Besides, their scheme fails to provide perfect forward secrecy. As a remedy for these problems, we propose a biometric-based authentication and key agreement protocol for multi-server architectures in order to ensure the confidentiality of sensitive data while a web user enjoys decision-making services, such as security auditing and network management, in expert systems.

When a web user wants to log in to a network server to acquire these services, our protocol is performed between the web user and the network server. Concretely, the web user submits his login request message to the network server. Next, the network server tries to authenticate the web user using the received message and the information saved beforehand during the registration phase, and issues its authentication request message to the web user. Then the web user tries to authenticate the network server in a similar way and delivers his authentication reply to the network server. Finally, web user and network server achieve mutual authentication and key agreement. Compared with other related schemes, our protocol achieves stronger security and provides more functionality properties. Besides, the presented protocol requires a lower computational cost and shows satisfactory performance on communication overhead with the same level of storage requirement. Thus the proposed protocol is suitable for expert systems and other multi-server architectures, such as on-line medicine systems and on-line shopping systems. Above all, our protocol is more appropriate in distributed networks.

The remainder of this paper is organized in seven sections as follows. The next section introduces the collision-resistant hash function, threat assumptions and biometrics-based fuzzy extractor, respectively. Section 3 reviews Wang et al.'s scheme. Section 4 discusses some weaknesses of Wang et al.'s scheme. Section 5 describes the proposed biometrics-based authenticated key agreement protocol in detail. Section 6 then provides the security analysis, functionality analysis and efficiency analysis of our protocol, and compares our protocol with others in these respects. The last section gives the conclusion.

Preliminaries

In this section, we briefly describe some concepts relating to the collision-resistant hash function, the threat assumptions and the biometrics-based fuzzy extractor.

Collision-resistant hash function

A collision-resistant hash function takes a binary string of arbitrary length and outputs a binary string of fixed length, that is, h : {0, 1}* → {0, 1}^n, where n is the fixed output length [62]. Furthermore, retrieving the arbitrary-length input from a given output is computationally infeasible. The collision-resistance property is explained as follows: for a given input x, it is computationally infeasible to find any input y ≠ x such that h(x) = h(y).

Threat assumptions

In this subsection, we introduce some common threat assumptions, which include the Dolev-Yao threat model [63] and the risk of side-channel attacks [27]. More details about these threat assumptions are as follows.
1. Adversary E might be a malicious user or an outside hacker.
2. Adversary E is able to eavesdrop on all communication messages between participants over an open channel.
3. Adversary E can modify, delete, resend and reroute all eavesdropped messages.
4. Adversary E is able to extract all stored data from a lost or stolen smart card by examining its power consumption.

Biometrics-based fuzzy extractor

We briefly introduce the mechanism of the biometrics-based fuzzy extractor in this subsection. A biometrics-based fuzzy extractor, which converts biometric information into two available and unpredictable values, consists of two procedures, namely Gen and Rep [40]. The mechanism is illustrated in Fig 1. From the biometric information BIO, the procedure Gen, a probabilistic generation function, outputs an unpredictable binary string R ∈ {0, 1} and an auxiliary binary string P ∈ {0, 1}*. With the help of this auxiliary string P and another biometric reading BIO*, the procedure Rep, a deterministic reproduction function, recovers the corresponding unpredictable binary string R. When Gen(BIO) → 〈R, P〉 and dis(BIO, BIO*) ≤ t hold, then Rep(BIO*, P) → R. Otherwise, Rep provides no output. This error tolerance makes the recovery of the unpredictable binary string R more robust, as long as the biometric reading BIO* stays reasonably close to the initial biometrics BIO.
Fig 1

The mechanism of fuzzy extractor.
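As an added worked example (my own code, not from the paper), the following Python implements the Gen/Rep interface above as a toy code-offset fuzzy extractor: a random codeword of a repetition code is hidden under the biometric bits to form the auxiliary string P, and Rep reproduces R only while dis(BIO, BIO*) stays within the tolerance t. The repetition factor REP, the use of SHA-256 as the extractor, and the check value that lets Rep signal failure are assumptions of this example.

```python
import hashlib
import os

REP = 5               # repetition factor r of the error-correcting code (assumed parameter)
T = (REP - 1) // 2    # t: Hamming distance that Rep is guaranteed to tolerate


def dis(a, b):
    """Hamming distance dis(BIO, BIO*) between two equal-length bit lists."""
    return sum(x != y for x, y in zip(a, b))


def _encode(w):
    """Repetition code: each message bit is repeated REP times."""
    return [bit for bit in w for _ in range(REP)]


def _decode(c):
    """Majority vote inside every block of REP bits."""
    return [int(2 * sum(c[i:i + REP]) > REP) for i in range(0, len(c), REP)]


def _extract(seed, w):
    """Strong extractor stand-in: derive the unpredictable string R from the codeword message."""
    return hashlib.sha256(seed + bytes(w)).digest()


def gen(bio):
    """Gen(BIO) -> <R, P>: probabilistic; bio is a list of k*REP bits read from the sensor."""
    k = len(bio) // REP
    w = [byte & 1 for byte in os.urandom(k)]            # random codeword message
    sketch = [a ^ b for a, b in zip(bio, _encode(w))]   # code-offset secure sketch
    seed = os.urandom(16)
    R = _extract(seed, w)
    # Check value so that Rep can refuse to output when decoding failed; w must be
    # long enough that this commitment cannot be brute-forced (simplification).
    chk = hashlib.sha256(b"chk" + seed + bytes(w)).digest()[:8]
    return R, (sketch, seed, chk)


def rep(bio_star, P):
    """Rep(BIO*, P) -> R: deterministic; returns None when BIO* is too far from BIO."""
    sketch, seed, chk = P
    # bio_star ^ sketch equals the codeword of w plus the error pattern BIO ^ BIO*
    w = _decode([a ^ b for a, b in zip(bio_star, sketch)])
    if hashlib.sha256(b"chk" + seed + bytes(w)).digest()[:8] != chk:
        return None
    return _extract(seed, w)
```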

Since biometric features vary slightly at every imprint, another way to extract biometric features is to apply Bio-Hash codes. In recent times, many Bio-Hashing authentication schemes with key agreement have been presented [41, 64, 65]. Bio-Hashing is likewise a convenient technique, usable in many small devices.

Review of Wang et al.’s scheme

In this section, we review Wang et al.'s biometrics-based authentication and key agreement scheme for multi-server environments, described in Ref. [61]. Their scheme includes six phases, namely the server registration phase, user registration phase, login phase, authentication phase, password change phase and user revocation/re-registration phase. There are three participants in their scheme, that is, registration center RC, server S and user U. Registration center RC is assumed to be a trusted third party; in Wang et al.'s scheme it is responsible for user registration and server registration. For convenience, the symbols and corresponding notions applied in their scheme are shown in Table 1.
Table 1

Symbols and corresponding notions in Wang et al.'s scheme.

Symbol      Notion
RC          Registration center
S_j         jth server
U_i         ith user
SC_i        User U_i's smart card
ID_i        User U_i's identity
AID_i       User U_i's dynamic identity
PW_i        User U_i's password
BIO_i       User U_i's biometric information
R_i         User U_i's unpredictable binary string
P_i         User U_i's auxiliary binary string
SID_j       Server S_j's identity
PSK         Pre-shared key
x           Master secret key
h(⋅)        Collision-resistant hash function
⊕           XOR operation
||          Concatenation operation

Server registration phase

1. Server S submits a join request message to registration center RC, which helps server S become an authorized server in the expert system.
2. Upon receiving this join request message, registration center RC sends a pre-shared key PSK to server S over a secure channel.

User registration phase

1. Firstly, user U imprints his personal biometric information BIO at a sensor. The sensor then sketches BIO to extract an unpredictable binary string R and an auxiliary binary string P from Gen(BIO) → (R, P), and stores the auxiliary string P in memory. Next, user U enters his identity ID and password PW, and calculates RPW = h(PW||R). Finally, user U issues his registration request message {ID, RPW} to registration center RC through a secure channel.
2. Upon obtaining this registration request message, registration center RC adds a new entry 〈ID, N = 1〉 for user U to an internal database, in which N stands for the number of times user U has registered. Registration center RC then successively calculates A = h(ID||x||T), B = RPW ⊕ h(A), C = B ⊕ h(PSK), D = PSK ⊕ A ⊕ h(PSK) and V = h(ID||RPW), where T is the registration time.
3. Registration center RC sends user U a smart card SC containing {B, C, D, V} via a secure channel.
4. After receiving his smart card SC, user U stores the auxiliary string P mentioned above in his smart card SC.

Login phase

1. User U inserts his smart card SC into the smart card reader, then inputs his identity ID and password PW. Next, user U imprints his biometric information at a sensor. The sensor sketches user U's biometric information and recovers the unpredictable binary string R from Rep(BIO*, P) → R.
2. Smart card SC computes RPW = h(PW||R) and checks whether h(ID||RPW) = V holds. If it holds, smart card SC further computes h(PSK) = B ⊕ C.
3. Smart card SC generates a random number N1 and calculates AID = ID ⊕ h(N1), M1 = RPW ⊕ N1 ⊕ h(PSK) and M2 = h(AID||N1||RPW||SID||T), in which T is the current timestamp.
4. Smart card SC delivers user U's login request message {AID, M1, M2, B, D, T} to server S over an open channel.

Authentication phase

1. Upon receiving user U's login request message, server S verifies whether T′ − T ≤ ΔT holds, in which ΔT is a suitable time interval and T′ is the time when server S obtains user U's login request message. If this verification holds, server S continues with the next step. Otherwise, user U's login request is rejected by server S.
2. Server S retrieves A = D ⊕ PSK ⊕ h(PSK), RPW = B ⊕ h(A) and N1 = RPW ⊕ M1 ⊕ h(PSK) in order to check whether h(AID||N1||RPW||SID||T) is consistent with M2.
3. If it holds, server S generates a random number N2 to calculate their session key SK = h(AID||SID||N1||N2).
4. Server S computes M3 = N2 ⊕ h(AID||N1) ⊕ h(PSK) and M4 = h(SID||N2||AID), and sends its authentication request message {SID, M3, M4} to user U through an open channel.
5. After receiving server S's authentication request message, smart card SC retrieves N2 = M3 ⊕ h(AID||N1) ⊕ h(PSK) and SK = h(AID||SID||N1||N2), and verifies whether h(SID||N2||AID) = M4 holds. If it holds, smart card SC calculates M5 = h(SK||N1||N2) and submits user U's authentication reply {M5} to server S over an open channel.
6. Server S checks whether h(SK||N1||N2) = M5 holds. If so, server S applies the session key SK to the subsequent communication with user U. Otherwise, the authentication phase is rejected by server S.

Password change phase

1. User U enters his identity ID and password PW, and imprints his biometric information at a sensor. The sensor sketches user U's biometric information and recovers the unpredictable binary string R from Rep(BIO*, P) → R.
2. Smart card SC computes RPW = h(PW||R) and verifies whether h(ID||RPW) = V holds. If it holds, smart card SC asks user U for a new password. Otherwise, the password change phase is terminated immediately by smart card SC.
3. User U enters his new password and smart card SC further calculates , , and .
4. In memory, smart card SC respectively replaces B with , C with and V with .

User revocation/re-registration phase

1. When user U wants to revoke his privilege, he submits a revocation request message, his smart card SC and the verification message {RPW} to registration center RC via a secure channel. Registration center RC checks whether user U is valid. If user U is valid, registration center RC modifies the corresponding entry by setting 〈ID, N = 0〉.
2. Similarly, after receiving a re-registration request message through a secure channel, registration center RC performs the steps described in subsection 3.2 and replaces the entry 〈ID, N〉 with 〈ID, N = N + 1〉 to help user U re-register.

Cryptanalysis of Wang et al.’s scheme

In this section, we present a cryptanalysis of Wang et al.'s scheme. In particular, the results demonstrate that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their scheme fails to achieve perfect forward secrecy. More details of these problems are given in the following subsections.

User impersonation attack

Suppose that adversary E is an outside hacker who steals user U's smart card SC and eavesdrops on all communications between user U and server S. Specifically, adversary E is able to extract the stored data {B, C, D, V, P} from user U's smart card SC by side-channel attacks, and to collect user U's login request message {AID, M1, M2, B, D, T}. Thus Wang et al.'s scheme is vulnerable to the user impersonation attack: adversary E can impersonate a legal user so that he is authenticated by server S. More details are explained below.
1. Firstly, adversary E computes h(PSK) = B ⊕ C. Then he generates a random number and further calculates , , and , in which is a current timestamp. Finally, adversary E delivers his login request message to server S over an open channel.
2. When obtaining this login request message from adversary E, server S verifies whether holds, where is the time when server S receives adversary E's login request message. Thus adversary E passes server S's verification successfully and server S continues to execute the subsequent steps normally.
3. Server S retrieves , and to check whether holds. Next, server S generates a random number and further calculates , and . Lastly, server S sends its authentication request message to adversary E through an open channel as usual.
4. Upon receiving server S's authentication request message, adversary E retrieves and in order to calculate and submit his authentication reply to server S.
5. Server S checks whether is valid. Thus server S authenticates adversary E and they both apply the session key in the following communication. Unfortunately, server S mistakenly believes that it is communicating with user U.
Therefore Wang et al.'s scheme is vulnerable to the user impersonation attack.

Privileged insider attack

As shown in this subsection, adversary E, who is a privileged insider, can impersonate user U if he steals user U's smart card SC and eavesdrops on all communications between user U and registration center RC. Similarly, adversary E is able to acquire the data {B, C, D, V, P} from smart card SC, and to collect user U's registration request message {ID, RPW}. So Wang et al.'s scheme is also vulnerable to the privileged insider attack. More details are described as follows.
1. Firstly, adversary E computes h(PSK) = B ⊕ C and generates a random number N1. Then he calculates AID = ID ⊕ h(N1), M1 = RPW ⊕ N1 ⊕ h(PSK) and M2 = h(AID||N1||RPW||SID||T), where T is the current timestamp. Lastly, adversary E issues his login request message {AID, M1, M2, B, D, T} to server S over an open channel.
2. After acquiring this login request message, server S verifies whether T′ − T ≤ ΔT holds, where T′ is the time when server S acquires adversary E's login request message. Unfortunately, adversary E's message passes this verification.
3. Server S retrieves A = D ⊕ PSK ⊕ h(PSK), RPW = B ⊕ h(A) and N1 = RPW ⊕ M1 ⊕ h(PSK) in order to verify whether h(AID||N1||RPW||SID||T) is consistent with M2. Then server S generates a random number N2 and further calculates SK = h(AID||SID||N1||N2), M3 = N2 ⊕ h(AID||N1) ⊕ h(PSK) and M4 = h(SID||N2||AID). Finally, server S submits its authentication request message {SID, M3, M4} to adversary E via an open channel without any suspicion.
4. When receiving server S's authentication request message, adversary E retrieves N2 = M3 ⊕ h(AID||N1) ⊕ h(PSK) and SK = h(AID||SID||N1||N2). Then he calculates M5 = h(SK||N1||N2) and sends his authentication reply {M5} to server S.
5. Server S checks whether h(SK||N1||N2) = M5 holds as usual. So server S applies the session key SK to communicate with adversary E, having authenticated adversary E, a privileged insider impersonating user U.
Unfortunately, Wang et al.'s scheme is unable to resist the privileged insider attack.

Server spoofing attack

In this subsection, we suppose that adversary E, who is an insider but not another server S, is able to eavesdrop on user U's registration request message {ID, RPW} and steal user U's smart card SC. Furthermore, adversary E is able to collect the data {B, C, D, V, P}. Thus adversary E can masquerade as server S to cheat user U, and Wang et al.'s scheme is vulnerable to the server spoofing attack. More details are shown below.
1. Firstly, adversary E calculates h(PSK) = B ⊕ C and eavesdrops on user U's login request message {AID, M1, M2, B, D, T}.
2. Secondly, adversary E computes N1 = RPW ⊕ M1 ⊕ h(PSK) and generates a fresh random number .
3. Next, adversary E further computes and .
4. Finally, adversary E issues his authentication request message to user U over a public channel. This fake authentication request message passes user U's check, so adversary E is treated as server S by user U without any doubt.
In conclusion, Wang et al.'s scheme cannot resist the server spoofing attack.

No perfect forward secrecy

In this subsection, we point out that Wang et al.'s scheme does not possess perfect forward secrecy. Suppose that adversary E is a privileged insider who eavesdrops on user U's registration request message {ID, RPW} and steals user U's smart card SC. In particular, adversary E can extract the data B, C, D, V and P from smart card SC. More details are described as follows.
1. Firstly, adversary E computes h(PSK) = B ⊕ C and collects user U's login request message {AID, M1, M2, B, D, T}.
2. Secondly, adversary E calculates N1 = RPW ⊕ M1 ⊕ h(PSK) and further collects server S's authentication request message {SID, M3, M4}.
3. Finally, adversary E computes N2 = M3 ⊕ h(AID||N1) ⊕ h(PSK) in order to retrieve SK = h(AID||SID||N1||N2).
Therefore Wang et al.'s scheme is unable to achieve perfect forward secrecy.

The proposed scheme

In this section, we propose a novel biometrics-based authentication and key agreement scheme for multi-server environments, informed by the cryptanalysis of Wang et al.'s scheme. Our protocol is built from the collision-resistant hash function, the XOR operation and the concatenation operation. The presented scheme consists of six phases, namely the server registration phase, user registration phase, login phase, authentication phase, password change phase and user revocation/re-registration phase, and there are three participants, that is, registration center RC, server S and user U. In our protocol, server S and user U join the network by registering with registration center RC. Besides, mutual authentication is carried out only between server S and user U, without the intervention of registration center RC. For convenience, the symbols and corresponding notions applied in our scheme are shown in Table 2.
Table 2

Symbols and corresponding notions in our scheme.

Symbol      Notion
RC          Registration center
S_j         jth server
U_i         ith user
SC_i        User U_i's smart card
ID_i        User U_i's identity
PW_i        User U_i's password
BIO_i       User U_i's biometric information
R_i         User U_i's unpredictable binary string
P_i         User U_i's auxiliary binary string
SID_j       Server S_j's identity
PSK         Pre-shared key
s           Master secret key
h(⋅)        Collision-resistant hash function
⊕           XOR operation
||          Concatenation operation

In particular, our proposed scheme enhances Wang et al.'s scheme in the following aspects: 1) it resists the user impersonation attack, 2) it prevents the privileged insider attack, 3) it is secure against the server spoofing attack and 4) it provides perfect forward secrecy. More details are described in the following subsections.

Server registration phase

A new server S needs to execute the server registration phase with registration center RC through a secure channel. More specifically, the server registration phase of the proposed scheme is shown in Fig 2 and the details are described below.
Fig 2

The server registration phase.

1. If it wants to be an authorized server in the multi-server environment, server S issues a join request message to registration center RC.
2. When obtaining this join request message, registration center RC authorizes server S and replies with a pre-shared key PSK and a master secret key s to server S by applying the Internet Key Exchange protocol (IKEv2) via a secure channel.
3. After receiving the pre-shared key PSK and the master secret key s, authorized server S adopts these shared data, such as PSK and h(PSK), to verify user U's legitimacy in the authentication phase.

User registration phase

A new user U should perform the user registration phase with registration center RC over a secure channel. In detail, our user registration phase is illustrated in Fig 3 and explained as follows.
Fig 3

The user registration phase.

1. Firstly, user U imprints his personal biometric information BIO at a sensor. The sensor then sketches user U's biometrics BIO, extracts (R, P) from Gen(BIO) → (R, P), and stores user U's auxiliary binary string P in memory. Next, user U chooses his identity ID and password PW, and calculates RPW = h(R||PW). Finally, user U submits his registration request message {ID, RPW} to registration center RC through a secure channel.
2. Upon obtaining this registration request message, registration center RC adds a new entry 〈ID, N = 1〉 to its internal database, in which N denotes the number of times user U has registered. Registration center RC then selects a random number u and calculates A = h(ID||s), B = h(PSK) ⊕ u, C = h(PSK||u) ⊕ ID and V = h(ID||RPW).
3. Registration center RC sends user U a smart card SC which includes {A, B, C, V, h(⋅)} via a secure channel.
4. After receiving this smart card SC, user U computes E = B ⊕ h(R) and replaces B with E. Finally, U stores his auxiliary binary string P in his smart card SC and initializes the login and authentication environments.

Login phase

In the login phase, smart card SC is able to detect errors immediately by checking user U's identity, password and biometric information. Specifically, the login phase is shown in Fig 4 and the details are described as follows.
Fig 4

The login phase.

1. User U inserts his smart card SC into a smart card reader, enters his identity ID and password PW, and imprints his biometrics at a sensor. The sensor then sketches user U's personal biometric information and recovers R from Rep(BIO*, P) → R with the assistance of the auxiliary binary string P.
2. Smart card SC computes RPW = h(R||PW) and verifies whether h(ID||RPW) = V holds. If it holds, smart card SC further computes K = h(SID||(ID ⊕ C)).
3. Smart card SC generates a random number N1 and calculates M1 = N1 ⊕ K, M2 = ID ⊕ K, M3 = RPW ⊕ K, B = E ⊕ h(R) and D = h(N1||RPW||A||T), in which T is the current timestamp.
4. Smart card SC submits user U's login request message {M1, M2, M3, B, D, T} to server S over an open channel.

Authentication phase

During the authentication phase, server S is able to confirm the destination and freshness of the login request message. In more detail, the authentication phase is illustrated in Fig 5 and explained below.
Fig 5

The authentication phase.

1. After receiving user U’s login request message, server S checks whether T − T ≤ ΔT holds, in which ΔT is a suitable time interval and T is the time when server S receives user U’s login request message. If it holds, server S continues to perform the following steps. Otherwise, this login request is rejected by server S. 2. Server S retrieves u = B ⊕ h(PSK), K = h(SID||h(PSK||u)), N1 = K ⊕ M1, ID = K ⊕ M2, RPW = K ⊕ M3 and A = h(ID||s) to verify whether h(N1||RPW||A||T) = D is valid. 3. If this verification is valid, server S generates another random number N2, and calculates their session secret key SK = h(ID||SID||N1||N2) between user U and server S. 4. Server S computes M4 = N2 ⊕ h(A||RPW||N1) and M5 = h(SID||N1||N2||ID), and issues his authentication request message {M4, M5} to user U through an open channel. 5. When obtaining server S’s authentication request message, smart card SC retrieves N2 = h(A||RPW||N1) ⊕ M4 and checks whether h(SID||N1||N2||ID) is consistent with M5. If they are consistent, smart card SC calculates SK = h(ID||SID||N1||N2) and M6 = h(SK||N1||N2). And then smart card SC delivers his authentication reply {M6} to server S over a public channel. 6. Server S further verifies whether h(SK||N1||N2) = M6 is valid. If it is valid, server S adopts this session key SK to communicate with user U in the following communication. Otherwise, authentication will be rejected by S. In the password change phase, user U is able to update his password without any help from server S or registration center RC. More specifically, password change phase includes these following steps. 1. User U inputs his identity ID and password PW, and imprints his biometrics at a sensor. And then, sensor sketches user U’s personal biometric information and recovers R from with the assistance of auxiliary binary string P. 2. Smart card SC computes RPW = h(R||PW) and verifies whether h(ID||RPW) = V is valid. 
If this verification holds, smart card SC asks user U for a new password; otherwise smart card SC terminates the password change phase immediately.
3. User U enters his new password , and smart card SC further calculates and .
4. Smart card SC replaces V with in its memory, without any help from server S or registration center RC.

If smart card SC is stolen or lost, user revocation/re-registration allows user U to revoke his privilege or to re-register, which makes the scheme more robust in functionality.
1. When user U wants to revoke his privilege, he sends a revocation request message, his smart card SC and the verification message {RPW} to registration center RC through a secure channel. Registration center RC checks whether user U is valid and, if so, sets the corresponding entry to 〈ID, N = 0〉.
2. Similarly, after obtaining a re-registration request message over a secure channel, registration center RC performs the steps of subsection 5.2 and helps user U re-register by updating the entry 〈ID, N〉 to 〈ID, N = N + 1〉.
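The login and authentication phases above, run end to end with both sides’ messages, as an added Python example that is not part of the paper. It follows the message equations exactly; what it assumes is its own: SHA-256 in place of SHA-1 (the paper sizes its fields with SHA-1), ΔT fixed at 5 seconds, identities padded to the hash length so the XOR masks line up, and a registration step rebuilt from the login equations because the registration phase is not in this excerpt. The fuzzy extractor is not simulated: R is taken as a given secret, the output of Rep(BIO*, P). The server holds both PSK and s, as step 2 of the authentication phase requires. The demo also exercises the two rejections the security analysis relies on, a login message replayed after ΔT and a login message whose M1 was modified in transit.

```python
import hashlib
import hmac
import os
import struct
import time

DELTA_T = 5                          # assumed ΔT in seconds; the paper leaves the interval open
L = hashlib.sha256().digest_size     # 32 bytes here; the paper's size estimates use SHA-1 (20 bytes)


def h(*parts: bytes) -> bytes:
    """Collision-resistant hash h(.) of the scheme; SHA-256 is this example's choice."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return struct.pack(">Q", t)      # timestamp T encoded as an 8-byte big-endian integer


def register(ID, PW, R, s, PSK):
    """Assumed registration, rebuilt from the login/authentication equations: RC picks a
    random u and writes A, C, E, V to the card so that the card's K = h(SID||(ID ⊕ C))
    equals the server's K = h(SID||h(PSK||u)) and B = E ⊕ h(R) = u ⊕ h(PSK)."""
    u = os.urandom(L)
    RPW = h(R, PW)
    return {"A": h(ID, s), "C": xor(ID, h(PSK, u)),
            "E": xor(xor(u, h(PSK)), h(R)), "V": h(ID, RPW)}


def card_login(card, ID, PW, R, SID, T):
    """Login phase, steps 1-4 on the card (five hash evaluations)."""
    RPW = h(R, PW)
    if not hmac.compare_digest(h(ID, RPW), card["V"]):
        raise ValueError("local verification h(ID||RPW) = V failed")
    K = h(SID, xor(ID, card["C"]))
    N1 = os.urandom(L)
    msg = {"M1": xor(N1, K), "M2": xor(ID, K), "M3": xor(RPW, K),
           "B": xor(card["E"], h(R)), "D": h(N1, RPW, card["A"], ts(T)), "T": T}
    state = {"ID": ID, "SID": SID, "N1": N1, "RPW": RPW, "A": card["A"]}
    return msg, state


def server_auth(msg, SID, s, PSK, now):
    """Authentication phase, steps 1-4 on the server. Returns None when the request is rejected."""
    if not 0 <= now - msg["T"] <= DELTA_T:   # T' - T <= ΔT; stamps from the future are refused too (added check)
        return None
    u = xor(msg["B"], h(PSK))
    K = h(SID, h(PSK, u))
    N1, ID, RPW = xor(K, msg["M1"]), xor(K, msg["M2"]), xor(K, msg["M3"])
    A = h(ID, s)
    if not hmac.compare_digest(h(N1, RPW, A, ts(msg["T"])), msg["D"]):
        return None
    N2 = os.urandom(L)
    SK = h(ID, SID, N1, N2)
    reply = {"M4": xor(N2, h(A, RPW, N1)), "M5": h(SID, N1, N2, ID)}
    return reply, {"SK": SK, "N1": N1, "N2": N2}


def card_finish(state, reply):
    """Authentication phase, step 5 on the card. Returns None when the server reply is rejected."""
    N2 = xor(h(state["A"], state["RPW"], state["N1"]), reply["M4"])
    if not hmac.compare_digest(h(state["SID"], state["N1"], N2, state["ID"]), reply["M5"]):
        return None
    SK = h(state["ID"], state["SID"], state["N1"], N2)
    return {"M6": h(SK, state["N1"], N2)}, SK


def server_finish(sstate, m6):
    """Authentication phase, step 6: the server confirms that the user holds SK."""
    return hmac.compare_digest(h(sstate["SK"], sstate["N1"], sstate["N2"]), m6["M6"])


def run_demo():
    """One full exchange on constructed inputs, plus a stale replay, a tampered M1 and a wrong password."""
    s, PSK = os.urandom(L), os.urandom(L)            # RC master key and RC-server pre-shared key
    ID = b"alice".ljust(L, b"\x00")                   # identity padded to the hash length for the XOR masks
    SID, PW = b"server-1", b"correct horse"
    R = os.urandom(L)                                 # fuzzy-extractor output Rep(BIO*, P), taken as given
    card = register(ID, PW, R, s, PSK)
    T = int(time.time())
    login, cstate = card_login(card, ID, PW, R, SID, T)
    reply, sstate = server_auth(login, SID, s, PSK, now=T + 1)
    m6, SK_user = card_finish(cstate, reply)
    tampered = dict(login, M1=xor(login["M1"], b"\x01" + b"\x00" * (L - 1)))
    results = {
        "mutual_auth": server_finish(sstate, m6),
        "keys_match": SK_user == sstate["SK"],
        "stale_replay_rejected": server_auth(login, SID, s, PSK, now=T + DELTA_T + 1) is None,
        "tampered_M1_rejected": server_auth(tampered, SID, s, PSK, now=T + 1) is None,
    }
    try:
        card_login(card, ID, b"wrong password", R, SID, T)
        results["wrong_pw_rejected"] = False
    except ValueError:
        results["wrong_pw_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Every equality check on a received value goes through hmac.compare_digest rather than ==, so the verification time does not depend on how many leading bytes of a forged D, M5 or M6 happen to match; the paper's equations say nothing about this, but it is the check a practitioner adds when implementing them.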

Analysis of the proposed scheme

In a multi-server architecture, an authentication and key agreement protocol has to meet three important requirements, namely security, functionality and efficiency. In this section we show that our scheme satisfies these requirements, and we compare the proposed protocol with related schemes in respect of security, functionality and efficiency.

Informal security analysis

Before the formal security analysis, we informally analyze the resistance of our scheme against the following attacks. Recall that adversary E has the abilities granted in the threat assumptions to carry out the attacks described below.

Resistance to replay attack

The proposed scheme applies a timestamp and random nonces to withstand the replay attack. Even if adversary E eavesdrops user U’s previous login request message {M1, M2, M3, B, D, T} and resubmits it to server S, server S checks the legality of this message by verifying the timeliness of timestamp T and the correctness of random nonce N1 through D = h(N1||RPW||A||T), in which both timestamp T and random nonce N1 differ for each session. A message replayed after ΔT fails the timestamp check; one replayed inside the window passes it, but adversary E cannot complete the session because M6 = h(SK||N1||N2) requires N1 and N2, which he does not hold. Thus adversary E is rejected by server S, and our protocol prevents the replay attack.

Resistance to Denial-of-Service attack

Adversary E tries to diminish or exhaust server S’s capacity by eavesdropping user U’s previous login request message and sending it repeatedly. However, server S verifies the freshness of timestamp T and checks whether D = h(N1||RPW||A||T) holds, so it treats adversary E as a malicious party and terminates the session. Furthermore, the presented scheme uses a biometrics-based fuzzy extractor, so that the noisy readings of a legitimate user’s biometrics are tolerated and do not cause spurious rejections. Consequently, our protocol resists the Denial-of-Service attack.

Resistance to password guessing attack

By monitoring power consumption, adversary E may apply side-channel attacks such as SPA or DPA to extract the sensitive data A, C, E, V and P from user U’s smart card SC. Even so, he is unable to verify a guess of user U’s password PW, on-line or off-line, without the biometric information BIO, the pre-shared key PSK, the master secret key s and the random nonce N1: every stored or transmitted value that involves PW also involves the unpredictable, high-entropy binary string R, which protects PW in the proposed scheme. In conclusion, our protocol is secure against the password guessing attack.

Resistance to smart card attack

Without the password PW or the biometric information BIO, adversary E launches the smart card attack in order to collect the sensitive data stored in smart card SC and pass server S’s authentication. In the presented scheme, adversary E is able to acquire user U’s sensitive data A, C, E, V and P saved in smart card SC by SPA or DPA. The session key SK between user U and server S is calculated as SK = h(ID||SID||N1||N2). It is feasible for adversary E to obtain M1 and M4 over the public channel; however, recovering the random nonces N1 or N2 from them requires K = h(SID||(ID ⊕ C)) or h(A||RPW||N1), and neither can be computed from the card contents alone, since ID, R and PW are not stored on the card. As a result, our protocol withstands the smart card attack.

Resistance to user impersonation attack

Under the user impersonation attack, adversary E, an outside attacker, tries to impersonate user U without the password PW or the biometric information BIO. In the proposed scheme, adversary E cannot acquire h(PSK) even if he eavesdrops user U’s previous login request message {M1, M2, M3, B, D, T} and extracts user U’s sensitive data from smart card SC by SPA or DPA. Thus adversary E cannot retrieve the random numbers N1 and N2 or the session key SK, and cannot produce a fresh login request or a reply M6 that server S would accept. Therefore, our protocol is secure against the user impersonation attack.

Resistance to privileged insider attack

Adversary E, a malicious insider with privileged access to the system, attempts to impersonate user U. To this end, adversary E collects user U’s registration request message {ID, RPW} and steals his smart card SC. However, he cannot obtain h(PSK) or B, since B = E ⊕ h(R) requires h(R). Even if the sensitive data A, C, E, V and P are extracted from user U’s smart card SC, adversary E is unable to compose a correct login request message {M1, M2, M3, B, D, T}. Furthermore, he cannot retrieve the password PW or the biometric information BIO from RPW = h(R||PW). In conclusion, our protocol resists the privileged insider attack.

Resistance to server spoofing attack

Assume that adversary E is a malicious insider, but not another server, who is able to steal user U’s smart card SC and eavesdrop his registration request message {ID, RPW}. Adversary E tries to masquerade as server S and spoof user U by collecting the sensitive data A, C, E, V and P. Since h(PSK) cannot be retrieved, adversary E is unable to be authenticated by user U: he cannot acquire the random number N1 and hence cannot form a valid authentication request message {M4, M5}. Thus adversary E’s attempt fails. Consequently, our protocol prevents the server spoofing attack.

Resistance to modification attack

Even if adversary E modifies intercepted messages in the hope of passing authentication, the proposed protocol checks every received message with the collision-resistant hash function (D, M5 and M6 each bind the values they are computed over). Since adversary E cannot retrieve N1, N2 or h(PSK) from any intercepted message, he cannot generate a legitimate authentication message. As a result, our protocol is secure against the modification attack.

Resistance to stolen-verifier attack

In the proposed protocol, neither server S nor registration center RC holds any information about user U’s password or biometrics. Concretely, there is no password verifier or biometrics verifier in the databases of server S and registration center RC. Thus, adversary E cannot launch the stolen-verifier attack even if he has the authority to access those databases. Consequently, our protocol withstands the stolen-verifier attack.

Possession of anonymity

During the login phase of the proposed scheme, user U calculates his dynamic identity M2 = ID ⊕ K, in which K cannot be retrieved by adversary E from any request or reply message. Thus, adversary E has no way to acquire user U’s identity ID. Upon receiving user U’s login request message, the authorized server S calculates u = B ⊕ h(PSK) and further K = h(SID||h(PSK||u)), so that user U is authenticated by server S anonymously. In other words, user U’s real identity ID is not disclosed to any unauthorized participant. Therefore, our protocol provides anonymity.

Possession of perfect forward secrecy

Perfect forward secrecy protects past session keys even if a long-term key is disclosed. In the proposed scheme the session key is SK = h(ID||SID||N1||N2). Even if adversary E obtains the long-term key h(PSK), he cannot compute the sensitive values RPW, K or PSK from it, so he cannot obtain the random numbers N1 or N2, and therefore cannot retrieve the session key SK between user U and server S. Therefore, our protocol provides the perfect forward secrecy.

Formal security analysis

In this subsection, we provide a formal security analysis and show that the proposed scheme is secure. To this end we define the oracle Reveal: it unconditionally returns the input x of the collision-resistant hash function from an output y = h(x). The analysis is summarized in the following theorem. Theorem. Suppose that the collision-resistant hash function h(⋅) closely behaves like an oracle. Then our protocol is provably secure in protecting the sensitive data, namely registration center RC’s master secret key s, the pre-shared key PSK between registration center RC and server S, and user U’s identity ID and password PW. Proof. Assume that, with the assistance of the oracle Reveal, adversary E is able to retrieve registration center RC’s master secret key s, the pre-shared key PSK between registration center RC and server S, and user U’s identity ID and password PW. Adversary E executes the following experimental algorithm, in which AKAS denotes the presented scheme. The algorithm is listed in Table 3.
Table 3

Algorithm .

01. Eavesdrop user Ui’s login request message {M1, M2, M3, Bi, Di, Ti} in the login phase,
    in which Bi = Ei ⊕ h(Ri), Di = h(N1||RPWi||Ai||Ti), M1 = N1 ⊕ Ki, M2 = IDi ⊕ Ki and M3 = RPWi ⊕ Ki.
02. Apply the oracle Reveal to extract the values N1^I, RPWi^I, Ai^I and Ti^I from Reveal(Di) → (N1^I||RPWi^I||Ai^I||Ti^I).
03. Eavesdrop server Sj’s authentication request message {M4, M5} during the authentication phase,
    in which M4 = N2 ⊕ h(Ai||RPWi||N1) and M5 = h(SIDj||N1||N2||IDi).
04. Apply the oracle Reveal to extract the values SIDj^II, N1^II, N2^II and IDi^II from Reveal(M5) → (SIDj^II||N1^II||N2^II||IDi^II).
05. if (N1^I = N1^II) then
06.   Apply the oracle Reveal to extract the values Ri^I and PWi^I from Reveal(RPWi^I) → (Ri^I||PWi^I).
07.   Further apply the oracle Reveal to extract the values IDi^I and s^I from Reveal(Ai^I) → (IDi^I||s^I).
08.   Calculate Ki^I = M1 ⊕ N1^I.
09.   Further calculate Ki^II = M1 ⊕ N1^II.
10.   if (Ki^I = Ki^II) then
11.     Apply the oracle Reveal to extract the values SIDj^I and h(PSK||ui)^I from Reveal(Ki^I) → (SIDj^I||h(PSK||ui)^I).
12.     Further apply the oracle Reveal to extract the values PSK^I and ui^I from Reveal(h(PSK||ui)^I) → (PSK^I||ui^I).
13.     Calculate N2^I = h(Ai^I||RPWi^I||N1^I) ⊕ M4.
14.     if (N2^I = N2^II) then
15.       Accept s^I, PSK^I, IDi^I and PWi^I as registration center RC’s master secret key s,
          the pre-shared key PSK between registration center RC and server Sj, and user Ui’s identity IDi and password PWi, respectively.
16.       return 1 (Success)
17.     else
18.       return 0 (Failure)
19.     end if
20.   else
21.     return 0 (Failure)
22.   end if
23. else
24.   return 0 (Failure)
25. end if
Furthermore, we define the success probability of this algorithm as . The advantage function of the algorithm is then Adv(et, q) = max{Success}, where the maximum is taken over all adversaries E with execution time et and q queries to the oracle Reveal. If Adv(et, q) ≤ ε for any sufficiently small ε > 0, our protocol is secure against adversary E. Adversary E wins this game only if it is possible to retrieve the original input x from the collision-resistant hash function y = h(x), that is, only by inverting h. Since retrieving the original input x is computationally infeasible, max{Success} = Adv(et, q) ≤ ε for any sufficiently small ε > 0. As a result, our protocol is provably secure in protecting registration center RC’s master secret key s, the pre-shared key PSK between registration center RC and server S, and user U’s identity ID and password PW.

Security analysis with BAN logic

As an important verification tool, Burrows-Abadi-Needham (BAN) logic has a set of inference rules [66]. In security analysis, BAN logic is used to define and analyze information exchange schemes, especially authentication and key agreement protocols; in particular, it is able to establish whether the exchanged information is trustworthy [67]. In this subsection, we apply BAN logic to prove that the session key SK between server S and user U is correctly generated during the authentication phase of our protocol. For convenience, the symbols of BAN logic and their notions are shown in Table 4.
Table 4

Symbols and corresponding notions in the BAN logic.

Symbol     | Notion
A| ≡ X     | Principal A believes the truth of statement X.
A ←K→ B    | Principal A and principal B share session key K.
A ⇒ X      | Principal A has jurisdiction over the truth of statement X.
#X         | Statement X is fresh.
A ⊲ X      | Principal A sees the statement X.
A|∼X       | Principal A once said the statement X.
{X, Y}K    | Statements X and Y are encrypted by session key K.
(X, Y)K    | Statements X and Y are hashed by session key K.
<X>K       | Statement X is XORed by session key K.

The BAN logical postulates

1. The message-meaning rule: if principal A believes that principals A and B share session key K, and principal A sees statement X encrypted by session key K, then principal A believes that principal B once said the statement X.
2. The nonce-verification rule: if principal A believes that statement X is fresh and that principal B once said the statement X, then principal A believes that principal B believes the truth of statement X.
3. The belief rule: if principal A believes the truth of statement X and of statement Y, then principal A believes the truth of (X, Y).
4. The freshness-conjuncatenation rule: if principal A believes that statement X is fresh, then principal A believes that (X, Y) is fresh.
5. The jurisdiction rule: if principal A believes that principal B has jurisdiction over the truth of statement X, and that principal B believes the truth of statement X, then principal A believes the truth of statement X.

The idealized scheme

U: , (N1, A, T) and . S: and (ID, N1, N2).

The establishment of security goals

g1. g2. g3. g4.

The initiative premises

p1. U| ≡ #N1 p2. U| ≡ S ⇒ #N2 p3. S| ≡ #N1 p4. S| ≡ #N2 p5. p6. p7. U| ≡ ID p8. S| ≡ U ⇒ RPW p9. S| ≡ U ⇒ ID p10. p11. p12.

The security analysis

a1. Because of p5 and S ⊲ , we execute the message-meaning rule to obtain S| ≡ U| ∼ (N1, ID, RPW).
a2. Since p3 and a1, we adopt both the freshness-conjuncatenation rule and the nonce-verification rule to acquire S| ≡ U| ≡ (N1, ID, RPW).
a3. Because of p10 and , we use the message-meaning rule to derive .
a4. Since p4 and a3, we apply both the freshness-conjuncatenation rule and the nonce-verification rule to get .
g3. Because of a4, we execute the belief rule to obtain .
g4. Since p11 and g3, we adopt the jurisdiction rule to acquire .
a5. Because of p6 and U ⊲ (ID, N1, N2), we use the message-meaning rule to derive U| ≡ S|∼(ID, N1, N2).
a6. Since p2 and a5, we apply both the freshness-conjuncatenation rule and the nonce-verification rule to get U| ≡ S| ≡ (ID, N1, N2).
a7. Because of a6, we execute the belief rule to obtain U| ≡ S| ≡ N2.
a8. Since p2 and a7, we adopt the jurisdiction rule to acquire U| ≡ N2.
a9. Because of p8, p9 and a2, we execute both the belief rule and the jurisdiction rule to obtain S| ≡ ID.
g1. Since p1, p3, p4, p6, p7, a8, a9 and SK = h(ID||SID||N1||N2), we adopt both the freshness-conjuncatenation rule and the nonce-verification rule to acquire .
g2. Because of g1 and p12, we use the jurisdiction rule to derive .
Above all, these results demonstrate that our protocol generates the shared session key SK correctly between server S and user U.

Functionality analysis

A scheme for this setting has to meet the functionality requirements of mutual authentication, session key agreement, user revocation/re-registration and biometric information protection. In this section, we show that our protocol provides all of these functionalities.

Mutual authentication

In the presented scheme, user U and server S authenticate each other by means of the sensitive values N1, N2, K, T and SK. In particular, server S checks whether h(N1||RPW||A||T) = D and h(SK||N1||N2) = M6 hold, and user U verifies whether h(SID||N1||N2||ID) is consistent with M5. As a result, our protocol achieves mutual authentication.

Session key agreement

During the authentication phase, session key SK = h(ID||SID||N1||N2) between server S and user U is established to protect the subsequent communications. Especially, both N1 and N2 change in every authentication phase so that session key SK is different during each session. Furthermore it is hard to retrieve their session key SK for adversary E. In conclusion, our protocol possesses the session key agreement.

User revocation/re-registration

User U may need to revoke his privilege or to re-register. In the presented scheme, registration center RC achieves user revocation/re-registration by modifying the entry 〈ID, N〉 when it obtains user U’s revocation or re-registration request message via a secure channel. Thus, our protocol achieves user revocation/re-registration.

Biometric information protection

In some conventional schemes, user U’s biometric information BIO is stored directly in his smart card SC without appropriate protection, so adversary E is able to extract BIO from a lost or stolen smart card SC through side-channel attacks. To solve this problem, we apply a highly error-tolerant mechanism (the fuzzy extractor) instead of storing BIO itself, and the collision-resistant hash function protects the unpredictable binary string R wherever it is used. Hence adversary E cannot extract user U’s biometric information BIO. In conclusion, our protocol provides biometric information protection.

Efficiency analysis

In this subsection, we estimate the storage requirement, communication overhead and computational cost of the presented scheme. More details about efficiency analysis are shown as below.

Storage requirement

For the storage requirement, we count the values stored in user U’s smart card SC. In particular, the nonces N1 and N2 are 20 bytes each, user U’s identity ID is 20 bytes, the timestamp T is 2 bytes, and the output of the collision-resistant hash function is 20 bytes when SHA-1 is applied. Thus we can calculate the byte length of the data stored in the proposed scheme: the stored values {A, C, E, V, P} require 20 + 20 + 20 + 20 + 20 = 100 bytes.

Communication overhead

To estimate the communication overhead, we first consider user U’s login request message {M1, M2, M3, B, D, T}, which is submitted to server S in the login phase. With the byte lengths assumed above, the length of this message is 20 + 20 + 20 + 20 + 20 + 2 = 102 bytes. Similarly, the communication overhead of the authentication phase, which comprises server S’s authentication request message {M4, M5} and user U’s authentication reply {M6}, is 20 + 20 + 20 = 60 bytes. Therefore, the total communication overhead of our protocol is 102 + 60 = 162 bytes.

Computational cost

For the computational complexity, we take the number of evaluations of the collision-resistant hash function as the computational cost; the XOR operations take negligible time and are ignored. In an environment with a 2.20 GHz CPU and 2048 MB of RAM, one evaluation of the collision-resistant hash function takes 0.0023 ms on average [55, 68]. In the presented scheme, the hash function is evaluated five times in the login phase (RPW, V, K, h(R) and D) and thirteen times in the authentication phase. Therefore, our protocol requires 5 × 0.0023 + 13 × 0.0023 = 0.0115 + 0.0299 = 0.0414 ms of computation.

Comparisons with related schemes

In this section, we compare the proposed protocol with related schemes in terms of security, functionality and efficiency. In particular, our protocol is compared with the multi-server authentication schemes of Mishra et al. [50], Lin et al. [53], Wang et al. [61], Chaudhry et al. [64], Chaudhry et al. [41] and Khan et al. [65]. The results show that the presented protocol performs well in all three aspects. Table 5 lists the security comparison between these authentication schemes and ours. For convenience, the following notations are used in Table 5: R1 denotes resistance to the replay attack, R2 resistance to the Denial-of-Service attack, R3 resistance to the password guessing attack, R4 resistance to the smart card attack, R5 resistance to the user impersonation attack, R6 resistance to the privileged insider attack, R7 resistance to the server spoofing attack, R8 resistance to the modification attack, R9 resistance to the stolen-verifier attack, R10 possession of anonymity and R11 possession of perfect forward secrecy. Concretely, Mishra et al.’s scheme [50] cannot resist the replay attack, Denial-of-Service attack, smart card attack, user impersonation attack, privileged insider attack and server spoofing attack, and it provides neither anonymity nor perfect forward secrecy. According to the cryptanalysis in Ref. [69], Lin et al.’s scheme [53] is insecure against the user impersonation attack and the server spoofing attack, and it fails to provide anonymity. Wang et al.’s scheme [61] cannot prevent the user impersonation attack, privileged insider attack and server spoofing attack, and it fails to achieve perfect forward secrecy. According to the cryptanalysis in Ref. [70], Chaudhry et al.’s scheme [64] is insecure against the Denial-of-Service attack and cannot provide perfect forward secrecy. Consequently, the result shows that our protocol achieves all of the listed security properties.
Table 5

The security comparison.

      | Ref. [50] | Ref. [53] | Ref. [61] | Ref. [64] | Ref. [41] | Ref. [65] | Ours
R1    | No        | Yes       | Yes       | Yes       | Yes       | Yes       | Yes
R2    | No        | Yes       | Yes       | No        | Yes       | Yes       | Yes
R3    | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes
R4    | No        | Yes       | Yes       | Yes       | Yes       | Yes       | Yes
R5    | No        | No        | No        | Yes       | Yes       | Yes       | Yes
R6    | No        | Yes       | No        | Yes       | Yes       | Yes       | Yes
R7    | No        | No        | No        | Yes       | Yes       | Yes       | Yes
R8    | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes
R9    | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes
R10   | No        | No        | Yes       | Yes       | Yes       | Yes       | Yes
R11   | No        | Yes       | No        | No        | Yes       | Yes       | Yes
Besides, Table 6 shows the functionality comparison between the related schemes and ours; here we also include Reddy et al.’s scheme [69] and Irshad et al.’s scheme [71], two other improvements of Wang et al.’s scheme. In Table 6, F1 denotes mutual authentication, F2 session key agreement, F3 user revocation/re-registration and F4 biometric information protection. Concretely, Mishra et al.’s scheme [50] and Lin et al.’s scheme [53] do not provide user revocation/re-registration. As a result, our protocol provides more functionality properties.
Table 6

The functionality comparison.

      | Ref. [50] | Ref. [53] | Ref. [61] | Ref. [64] | Ref. [41] | Ref. [65] | Ref. [69] | Ref. [71] | Ours
F1    | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes
F2    | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes
F3    | No        | No        | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes
F4    | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes       | Yes
Table 7 and Fig 6 give the computational cost comparison between the related schemes and ours for the login phase and the authentication phase. In Table 7, C1 denotes the computational cost of the login phase, C2 the execution time of the login phase, C3 the computational cost of the authentication phase, C4 the execution time of the authentication phase and C5 the total execution time. Th denotes the computation time of the collision-resistant hash function, Tp that of a point multiplication on an elliptic curve, Ts that of a symmetric encryption/decryption and Tc that of a Chebyshev chaotic map. According to the execution times given in [55] and [68], in the environment with a 2.20 GHz CPU and 2048 MB of RAM, a point multiplication on an elliptic curve, a symmetric encryption/decryption and a Chebyshev chaotic map take about 2.2260 ms, 0.0046 ms and 0.0045 ms, respectively (and a hash evaluation 0.0023 ms, as above). Compared with the other schemes, the result shows that our protocol requires a low computational cost.
Table 7

The computational cost comparison.

      | Ref. [50] | Ref. [53]       | Ref. [61] | Ref. [64] | Ref. [41] | Ref. [65] | Ref. [69] | Ref. [71]  | Ours
C1    | 7Th       | 3Th + 1Tp + 2Ts | 4Th       | 5Th       | 4Th + 1Ts | 4Th + 2Tc | 6Th + 1Tp | 9Th        | 5Th
C2    | 0.0161 ms | 2.2421 ms       | 0.0092 ms | 0.0115 ms | 0.0138 ms | 0.0182 ms | 2.2398 ms | 0.0207 ms  | 0.0115 ms
C3    | 11Th      | 5Th + 3Tp + 3Ts | 11Th      | 7Th + 2Ts | 8Th + 1Ts | 6Th + 4Tc | 9Th + 3Tp | 12Th + 2Ts | 13Th
C4    | 0.0253 ms | 6.7033 ms       | 0.0253 ms | 0.0253 ms | 0.0230 ms | 0.0318 ms | 6.6987 ms | 0.0368 ms  | 0.0299 ms
C5    | 0.0414 ms | 8.9454 ms       | 0.0345 ms | 0.0368 ms | 0.0368 ms | 0.0500 ms | 8.9385 ms | 0.0575 ms  | 0.0414 ms
Fig 6

The computation cost comparison.

Furthermore, Table 8 and Fig 7 compare the communication overhead and the storage requirement. In Table 8, S1 denotes the communication overhead of the login phase, S2 the communication overhead of the authentication phase, S3 the total communication overhead and S4 the storage requirement. With the same level of storage requirement, our protocol shows a satisfactory communication overhead.
Table 8

The communication overhead and storage requirement comparison.

      | Ref. [50] | Ref. [53] | Ref. [61] | Ref. [64] | Ref. [41] | Ref. [65] | Ref. [69] | Ref. [71] | Ours
S1    | 80 bytes  | 80 bytes  | 102 bytes | 62 bytes  | 40 bytes  | 62 bytes  | 80 bytes  | 60 bytes  | 102 bytes
S2    | 80 bytes  | 80 bytes  | 80 bytes  | 62 bytes  | 60 bytes  | 40 bytes  | 80 bytes  | 80 bytes  | 60 bytes
S3    | 160 bytes | 160 bytes | 182 bytes | 124 bytes | 100 bytes | 102 bytes | 160 bytes | 140 bytes | 162 bytes
S4    | 100 bytes | 80 bytes  | 100 bytes | 100 bytes | 60 bytes  | 100 bytes | 100 bytes | 100 bytes | 100 bytes
Fig 7

The communication overhead and storage requirement comparison.

Reddy et al. [69] and Irshad et al. [71], who proposed other improvements of Wang et al.’s scheme, have also done good work, and in this sense our work belongs to the same line of research. There are, however, notable differences. After the cryptanalysis of Wang et al.’s scheme, we applied new methods to remedy its weaknesses that are not found in the other improved schemes: in particular, new ways to resist the user impersonation attack, privileged insider attack and server spoofing attack, and to provide perfect forward secrecy. Furthermore, our work focuses on reducing the computational complexity and providing more functionalities. Compared with the other improved schemes, our scheme has a clear advantage in computational complexity at the same level of communication overhead and storage requirement.

Conclusion

This paper cryptanalyzes Wang et al.’s scheme. In particular, we indicate that their protocol is still vulnerable to the user impersonation attack, privileged insider attack and server spoofing attack. Furthermore, their protocol fails to provide the perfect forward secrecy. As a remedy of these aforementioned problems, we propose a biometrics-based authentication and key agreement scheme for multi-server environments. Our protocol improves Wang et al.’s scheme. Discussions relating to security, functionality and efficiency are performed. Furthermore, results show that the proposed scheme satisfies these requirements mentioned above. Compared with other related schemes, our protocol achieves the stronger security and provides more functionality properties. Besides, the presented scheme requires the lower computational cost and shows a satisfactory performance on the communication overhead with the same level of storage requirement. Thus, the proposed protocol is suitable for expert systems and other multi-server architectures, such as, on-line medicine systems, on-line shopping systems and so on. Consequently, we conclude that our protocol is more appropriate in the multi-server environments.

1.  A remote password authentication scheme for multiserver architecture using neural networks.

Authors:  L H Li; L C Lin; M S Hwang
Journal:  IEEE Trans Neural Netw       Date:  2001

2.  Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards.

Authors:  Yanrong Lu; Lixiang Li; Xing Yang; Yixian Yang
Journal:  PLoS One       Date:  2015-05-15       Impact factor: 3.240

3.  Anonymous three-party password-authenticated key exchange scheme for Telecare Medical Information Systems.

Authors:  Qi Xie; Bin Hu; Na Dong; Duncan S Wong
Journal:  PLoS One       Date:  2014-07-21       Impact factor: 3.240

4.  An Enhanced Biometric Based Authentication with Key-Agreement Protocol for Multi-Server Architecture Based on Elliptic Curve Cryptography.

Authors:  Alavalapati Goutham Reddy; Ashok Kumar Das; Vanga Odelu; Kee-Young Yoo
Journal:  PLoS One       Date:  2016-05-10       Impact factor: 3.240

5.  Cryptanalysis and Improvement of a Biometric-Based Multi-Server Authentication and Key Agreement Scheme.

Authors:  Chengqi Wang; Xiao Zhang; Zhiming Zheng
Journal:  PLoS One       Date:  2016-02-11       Impact factor: 3.240

6.  An Improvement of Robust Biometrics-Based Authentication and Key Agreement Scheme for Multi-Server Environments Using Smart Cards.

Authors:  Jongho Moon; Younsung Choi; Jaewook Jung; Dongho Won
Journal:  PLoS One       Date:  2015-12-28       Impact factor: 3.240
