Sage Journals: Discover world-class research

Abstract

The authors first review the recently proposed Das's biometric-based remote user authentication scheme, and then show that Das's scheme is still insecure against some attacks and has some problems in password change phase. In order to overcome the design flaws in Das's scheme, an improvement of the scheme is further proposed. Cryptanalysis shows that our scheme is more efficient and secure against most of attacks; moreover, our scheme can provide strong mutual authentication by using verifying biometric, password as well as random nonces generated by the user and server.

1. Introduction

In a client/server system, the validity of remote user is necessary to assure the security of the system. Traditional remote identity-based authentication schemes [1–9] are based on passwords only. However, simple passwords are always easy to break by using simple dictionary attacks since they have low entropy. To overcome this problem, cryptographic secret keys and passwords are used in the remote user authentication schemes. But the long and random cryptographic keys are difficult to memorize and hence they must be stored somewhere [10]; it is expensive to maintain the long cryptographic keys. Furthermore, both passwords and cryptographic keys are unable to provide nonrepudiation because they can be forgotten or lost or when they are shared with other people, there is no-way to know who the actual user is [11]. A biometric system operates by acquiring biometric data from an individual, extracting a feature set from the acquired data and comparing this feature set against the template set in the database [12–14]. In [3], the authors propose an online $(t, n)$ threshold secret sharing scheme based on biometric verification and threshold password authentication. In [15], a continuous user authentication scheme based on biometric verification by fusing hard and soft traits is proposed irrespective of user posture in front of the system. In [16], a BIO3G protocol based on biometric authentication for 3G mobile environments is proposed to provide real end to end strong user authentication. In [17], the author analyzes the security of Das's biometric-based authentication scheme and shows that the scheme is still insecure against some attacks and does not provide mutual authentication between the user and server. In [18], the author proposes an enhanced scheme based on biometric verification and smart card to remove the security weakness of Das's scheme analyzed in [17]. However, the proposed scheme in [18] cannot withstand the replay attack between the user and the remote server. In the abovementioned schemes, biometric verification allows one to confirm or establish an individual identity. Therefore, biometric keys are proposed which are based on physiological and behavioral characteristics of persons such as fingerprints, faces, irises, hand geometry, and palm prints. Some advantages of biometric keys are described as follows [19, 20]. (i)

Biometric keys cannot be lost or forgotten.

(ii)

Biometric keys are very difficult to copy or share.

(iii)

Biometric keys are extremely hard to forge or distribute.

(iv)

Biometric keys cannot be guessed easily.

(v)

Someone's biometrics is not easier to break than others.

As a result, biometric-based remote user authentications are inherently more reliable and secure than usual traditional password-based remote user authentication schemes.

In this paper, we propose an improvement of Das's biometric-based remote user authentication scheme using smart cards in order to withstand his design flaws. The remainder of this paper is organized as follows. In Section 2, we briefly review the Das's biometric-based remote user authentication scheme using smart cards [21]. In Section 3, we analyze the design flaws in Das's scheme. In Section 4, we propose an improvement of the scheme in order to eliminate the design flaws discussed in Section 3. Security analysis of our scheme and performance comparison with other related schemes are implemented in Section 5. Finally, we conclude the paper in Section 6.

2. Review of DAS's Biometric-Based Remote User Authentication Scheme

In this section, we review in brief Das's biometric-based remote user authentication scheme [21]. For describing the Das's scheme [21], we use the notations shown in Table 1. Das's scheme consists of the following four phases, namely, registration phase, login phase, authentication phase, and change password phase. Details of each phase are given in the following subsections.

Table 1

Notations used in the proposed scheme.

Notation	Description
$C_{i}$	Client
$R_{i}$	Trusted registration center
$S_{i}$	Server
${PW}_{i}$	Password shared between $C_{i}$ and $S_{i}$
${ID}_{i}$	Identity of the user $C_{i}$
$B_{i}$	Biometric template of the user $C_{i}$
$d (\cdot)$	Symmetric parametric function
τ	Predetermined threshold for biometric verification
$h (\cdot)$	A secure one-way hash function
$X_{s}$	A secret information maintained by the server
$R_{c}$	A random number chosen by $C_{i}$
$R_{s}$	A random number chosen by $S_{i}$
$A ∥ B$	Data A concatenates with data B
$A \oplus B$	XOR operation of A and B

2.1. Registration Phase

In order to login to the system, the remote user $C_{i}$ needs to perform the following stages, as shown in Algorithm 1.

Algorithm 1: Registration phase of Das's scheme.

$C_{i}$ $S_{i}$

(1) $\overset{{ID}_{i} B_{i} {PW}_{i}}{\to}$

(2) Computes $r_{i}$ and $e_{i}$

$f_{i} = h (B_{i})$

$r_{i} = h ({PW}_{i}) \oplus f_{i}$

$e_{i} = h ({ID}_{i} ∥ X_{s}) \oplus r_{i}$

(3) $\overset{Smart card ({ID}_{i}, h (\cdot), f_{i}, r_{i}, e_{i})}{\leftarrow}$

Step 1. The user inputs his/her personal biometric $B_{i}$ on a specific device and offers his/her password ${PW}_{i}$ and the identity ${ID}_{i}$ of the user to the registration center $R_{i}$ in person.

Step 2. The registration center $R_{i}$ then computes $f_{i} = h (B_{i})$ , $r_{i} = h ({PW}_{i}) \oplus f_{i}$ , and $e_{i} = h ({ID}_{i} ∥ X_{s}) \oplus r_{i}$ . Here $X_{s}$ is secret information generated by the server.

Step 3. Finally, the registration center $R_{i}$ loads $({ID}_{i}, h (\cdot), f_{i}, e_{i}, r_{i})$ on the user's smart card and sends the information to the user $C_{i}$ via a secure channel.

2.2. Login Phase

In this phase, if a user $C_{i}$ wants to login to the server $S_{i}$ , he/she needs to perform the following steps, as shown in Algorithm 2.

Algorithm 2: Login phase of Das's scheme.

$C_{i}$ $S_{i}$

(1) Inserts the smart card and $B_{i}$

(2) Verifies whether $B_{i}$ matches with template stored in system?

(3) If it holds, then $C_{i}$ inputs his/her password ${PW}_{i}$

(4) Computes $r_{i}^{'} = h ({PW}_{i}) \oplus f_{i}$

(5) Checks if $r_{i}^{'} = r_{i}$ ?

(6) If it holds, the smart card computes the following:

$M_{1} = e_{i} \oplus r_{i}^{'}$

$M_{2} = M_{1} \oplus R_{c}$

$M_{3} = h$ ( $R_{c}$ )

(7) $\overset{〈 {ID}_{i}, M_{2}, M_{3} 〉}{\to}$

Step 1. $C_{i}$ first inserts his/her smart card into the smart card reader of a terminal and offers his/her personal biometric template, $B_{i}$ , on the specific device to verify his/her biometric.

Step 2. Next, the user's personal biometric template $B_{i}$ is matched against the template stored in the system.

Step 3. If the above verification does not hold, then $C_{i}$ does not pass the biometric verification and, as a result, the remote user authentication is terminated. Otherwise, on the other hand, if the abovementioned verification holds, $C_{i}$ passes the biometric verification and $C_{i}$ then inputs his/her password ${PW}_{i}$ to perform Step 4.

Step 4. The smart card computes $r_{i}^{'} = h ({PW}_{i}) \oplus f_{i}$ . If $r_{i}^{'} \neq r_{i}$ , then password verification fails, and the client terminates the session.

Step 5. If $r_{i}^{'} = r_{i}$ , the smart card computes $M_{1} = e_{i} \oplus r_{i}^{'}$ , which is equal to $h ({ID}_{i} ∥ X_{s})$ , $M_{2} = M_{1} \oplus R_{c}$ , which is equal to $h (I D_{i} ∥ X_{s}) \oplus R_{c}$ , and $M_{3} = h (R_{c})$ , where $R_{c}$ is a random number generated by the user.

Step 6. Finally, $C_{i}$ sends the message $〈 {ID}_{i}, M_{2}, M_{3} 〉$ to the remote server $S_{i}$ .

2.3. Authentication Phase

After receiving the login request message $〈 {ID}_{i}, M_{2}, M_{3} 〉$ , $S_{i}$ performs the following steps, as shown in Algorithm 3, in order to authenticate whether the user $C_{i}$ is legal or not.

Algorithm 3: Authentication phase of Das's scheme.

$C_{i}$ $S_{i}$

(1) Checks whether the format of $C_{i}^{'} s$ ${ID}_{i}$ is valid or not.

If above holds, $S_{i}$ computes the following:

$M_{4} = h ({ID}_{i} ∥ X_{S})$

$M_{5} = M_{2} \oplus M_{4}$

(2) Verifies whether $h (M_{5}) = M_{3}$ ?

If it holds, then computes

$M_{6} = M_{4} \oplus R_{s}$

$M_{7} = h (M_{2} ∥ M_{5})$

$M_{8} = h (R_{s})$

(3) $\overset{〈 M_{7}, M_{6}, M_{8} 〉}{\leftarrow}$

(4)Verifies whether $M_{7} = h (M_{2} ∥ R_{c})$ ?

(5) If above holds, $C_{i}$ computes

$M_{9} = M_{6} \oplus M_{1}$

Verifies whether $h (M_{9}) = M_{8} ?$

If it does not hold, $S_{i}$ is rejected by $C_{i}$

Otherwise, if it holds, then computes

$M_{10} = h (M_{6} ∥ M_{9})$

(6) $\overset{〈 M_{10} 〉}{\to}$

(7) Verifies whether $M_{10} = h (M_{6} ∥ R_{s})$ ?

(8) If it holds, $S_{i}$ accepts $C_{i}^{'} s$ login request

(9) Otherwise, $S_{i}$ rejects $C_{i}^{'} s$ login request

Step 1. $S_{i}$ first checks the format of $C_{i}$ 's ${ID}_{i}$ .

Step 2. If the above format is valid, $S_{i}$ then computes $M_{4} = h ({ID}_{i} ∥ X_{s})$ , $M_{5} = M_{2} \oplus M_{4}$ and then verifies whether $h (M_{5}) = M_{3} .$ If it does not hold, then $S_{i}$ rejects $C_{i}$ 's login request. In case the verification is successful, then $S_{i}$ computes $M_{6} = M_{4} \oplus R_{s}$ , $M_{7} = h (M_{2} ∥ M_{5})$ , and $M_{8} = h (R_{s})$ .

Step 3. $S_{i}$ then sends the message $〈 M_{7}, M_{6}, M_{8} 〉$ to $C_{i}$ .

Step 4. After receiving the message in Step 3, $C_{i}$ verifies whether $M_{7} = h (M_{2} ∥ R_{c}) .$ Thus, if the verification does not pass, $C_{i}$ terminates the session. Otherwise, $C_{i}$ proceeds as follows by computing $M_{9} = M_{6} \oplus M_{1} (= R_{s})$ and verifying further whether $h (M_{9}) = M_{8} .$ If $h (M_{9}) \neq M_{8}$ , $C_{i}$ terminates the session. On the other hand, $C_{i}$ computes $M_{10} = h (M_{6} ∥ M_{9})$ and sends the message $〈 M_{10} 〉$ to the server $S_{i}$ .

Step 5. After receiving $C_{i}$ 's message, $S_{i}$ verifies whether $M_{10} = h (M_{6} ∥ R_{s}) .$

Step 6. If the abovementioned does not hold, $S_{i}$ rejects $C_{i}$ 's login request.

Step 7. In case the verification is successful, then only $S_{i}$ accepts $C_{i}$ 's login request.

2.4. Password Change

The password change phase of Das's scheme [21] has the following steps.

Step 1. It inserts the smart card into the card reader and offers $B_{i}$ .

Step 2. It verifies whether the user's personal biometric template $B_{i}$ matches against the template stored in the system.

Step 3. If $C_{i}$ passes the biometric verification, then only $C_{i}$ enters his/her old password ${PW}_{i}^{old}$ and new changed password ${PW}_{i}^{new}$ .

Step 4. The smart card then computes $r_{i}^{'} = h ({PW}_{i}^{old}) \oplus f_{i}$ ; if $r_{i}^{'} \neq r_{i}$ , the password change phase is terminated. If $r_{i}^{'} = r_{i}$ , then only smart card computes $r_{i}^{''} = h ({PW}_{i}^{new}) \oplus f_{i}$ , $e_{i}^{'} = e_{i} \oplus r_{i} (= h (I D_{i} ∥ X_{s}))$ , and $e_{i}^{''} = e_{i}^{'} \oplus r_{i}$ .

Step 5. Finally, replace $e_{i}$ with $e_{i}^{''}$ and $r_{i}$ with $r_{i}^{''}$ on the smart card.

3. Cryptanalysis of Das's Scheme

This section demonstrates that Das's scheme [21] has some drawbacks: denial-of-service attack, user impersonation attack, replay attack, and password change problem.

3.1. Denial-of-Service Attack

One of fundamental properties of a secure one-way hash function is that its outputs are very sensitive to small perturbations in their inputs. The cryptographic hash function cannot be applied straightforwardly when the input data are with noise such as biometrics [22]. Then the predetermined threshold for biometric verification cannot be used to measure outputs of hash functions. In the registration phase of Das's scheme, the register center $R_{i}$ computes $f_{i} = h (B_{i})$ and $r_{i} = h ({PW}_{i}) \oplus f_{i}$ and then stores $f_{i}$ and $r_{i}$ in the smart card. In the login phase, $C_{i}$ inserts his/her smart card into the card reader and provides his/her personal biometrics $B_{i}$ on a specific device to verify the users biometrics by verifying whether $h (B_{i}) = f_{i}$ or not. In Step 4 of login phase, password verification is performed by verifying whether $r_{i}^{'} = r_{i}$ . However, both the biometric verification and password verification procedures may result in serious flaws because $h (B_{i}) = f_{i}$ may never succeed, since the inputted biometrics belonging to the same person may differ slightly from time to time [22], so the next login and authentication procedure will be terminated. As a result, this may cause the legal user to be unable to pass biometric verification at the login phase of Das's scheme. Therefore, Das's scheme is vulnerable to the denial-of-service attack.

3.2. User Impersonation Attack

We see from the login and authentication phase of Das's scheme that an attacker can impersonate a legal user to access to the server. In the login phase of Das's scheme, since the user $C_{i}$ sends the message $〈 {ID}_{i}, M_{2}, M_{3} 〉$ to the remote server $S_{i}$ where $C_{i}$ identity is not masked, this will result in user impersonation attack as follows.

When an attack denoted as $A_{i}$ wants to access the remote server, he/she can eavesdrop the message $〈 {ID}_{i}, M_{2}, M_{3} 〉$ by tapping communication lines or wireless link between the legal user $C_{i}$ and the remote server $S_{i}$ . Once $A_{i}$ derives the message $〈 {ID}_{i}, M_{2}, M_{3} 〉$ he can send the eavesdropped message to the remote server $S_{i}$ . Since the legal user's ID is not masked, so the check of user's validity can easily pass. We can clearly see that when $S_{i}$ computes $M_{4}^{'} = h ({ID}_{i} ∥ X_{s})$ and $M_{5}^{'} = M_{2} \oplus M_{4}^{'}$ , the verification of $h (M_{5}^{'}) = M_{3}$ is successful. Then $S_{i}$ computes $M_{6}^{'} = M_{4} \oplus R_{s}$ , $M_{7}^{'} = h (M_{2} ∥ M_{5}^{'})$ , and $M_{8}^{'} = h (R_{s})$ and then sends message $〈 M_{7}^{'}, M_{6}^{'}, M_{8}^{'} 〉$ to $C_{i}$ . The attack $A_{i}$ may eavesdrops the message $〈 M_{7}^{'}, M_{6}^{'}, M_{8}^{'} 〉$ and modifies the $M_{7}^{'}$ , replaces it with $M_{7}^{′′}$ , and then sends a forged message $〈 M_{7}^{′′}, M_{6}^{'}, M_{8}^{'} 〉$ to $C_{i}$ . Obviously $M_{7}^{′′} \neq h (M_{2} ∥ R_{c})$ , so $C_{i}$ terminates the session. However, the attacker $A_{i}$ will pass the verification $〈 M_{7}^{'}, M_{6}^{'}, M_{8}^{'} 〉$ , and $A_{i}$ computes $M_{9}^{'} = M_{6}^{'} \oplus M_{1} = M_{6}^{'} \oplus M_{4}$ . Since the attack $A_{i}$ can verify $M_{9}^{'} = M_{8}^{'}$ , he proceeds as follows by computing $M_{10}^{'} = h (M_{6}^{'} ∥ M_{9}^{'})$ and sends message $〈 M_{10}^{'} 〉$ to the remote server $S_{i}$ . On receiving the message, the remote server $S_{i}$ will verify whether $M_{10}^{'} = h (M_{6} ∥ R_{s})$ or not. We can see obviously that the above equation holds, so the remote $S_{i}$ accepts the attacker's login request and the user impersonation attack will occur sequentially.

3.3. Replay Attack

In Das's scheme, the replay and man-in-the-middle attack is withstood by checking whether $M_{5}^{'} (= M_{2} \oplus M_{4}) = M_{5}$ , where $M_{5}$ is equal to $R_{c}$ and is stored in the database of remote server $S_{i}$ . It is noted that $M_{5} = M_{2} \oplus M_{4} = M_{1} \oplus R_{c} \oplus M_{4} = R_{c} (M_{1} = M_{4})$ is disclosed to any user when one breaks the remote server $S_{i}$ . When the remote server $S_{i}$ is compromised by an attacker, he/she can change $〈 {ID}_{i}, M_{5} 〉$ in the database of the remote server $S_{i}$ . Obviously, once $M_{5}$ is changed, the replayed message $〈 {ID}_{i}, M_{2}^{'}, M_{3}^{'} 〉$ will not be discarded and $M_{5}$ will be replaced by $M_{5}^{'}$ .

3.4. Password Change

In password change procedure of Das's scheme, if remote user $C_{i}$ wants to change his/her password, he/she must pass biometric verification by verifying $h (B_{i}) = f_{i}$ . However, the inputted biometrics belonging to the same person may differ slightly from time to time [22], so the password change procedure will be terminated. In addition, for more time, since $h (B_{i}) \neq f_{i}$ , then $r_{i}^{'} = h ({PW}_{i}^{old}) \oplus f_{i}$ computed by smart card is not equal to $r_{i}$ stored in the smart card, so the password change procedure will also be terminated. According to the above analysis, Das's scheme cannot realize the password change freely.

4. Proposed Scheme

In this section, we propose an improvement of the Das's biometric-based remote user authentication scheme [21] using smart cards in order to withstand the flaws discussed in Section 3. For convenience, we use the same notations used as in Das's scheme shown in Table 1.

4.1. Registration Phase

In order to login to the system, the remote user $C_{i}$ needs to perform the following steps, as shown in Algorithm 4.

Algorithm 4: Registration phase of our scheme.

$C_{i}$ $S_{i}$

(1) $\overset{{ID}_{i} B_{i} {PW}_{i}}{\to}$

(2) computes $f_{i}, g_{i}, r_{i}$ and $e_{i}$

$f_{i} = h (B_{i})$

$g_{i} = h ({ID}_{i})$

$r_{i} = h ({PW}_{i}) \oplus f_{i}$

$e_{i} = h (g_{i} ∥ X_{s}) \oplus r_{i}$

(3) $\overset{Smart card (h (\cdot), f_{i}, g_{i}, e_{i}, r_{i}, τ, d (\cdot))}{\leftarrow}$

Step 1. The user $C_{i}$ inputs his/her personal biometric $B_{i}$ on a specific device and offers his/her password ${PW}_{i}$ and the identity ${ID}_{i}$ to the registration center $R_{i}$ in person.

Step 2. The registration center $R_{i}$ then computes $f_{i} = h (B_{i})$ , $g_{i} = h ({ID}_{i})$ , $r_{i} = h ({PW}_{i}) \oplus f_{i}$ , and $e_{i} = h (g_{i} ∥ X_{s}) \oplus r_{i}$ . Here $X_{s}$ is secret information generated by the server. We note that $X_{s}$ and passwords of the corresponding users are not disclosed to any others for all secure future communications.

Step 3. Finally, the registration center $R_{i}$ loads $(h (\cdot), f_{i}, g_{i}, e_{i}, r_{i}, τ, d (\cdot))$ on the user's smart card and sends this information to the user $C_{i}$ via a secure channel.

4.2. Login Phase

In order to login to the system, the remote user $C_{i}$ needs to perform the following stages, as shown in Algorithm 5.

Algorithm 5: Login phase of our scheme.

$C_{i}$ $S_{i}$

(1) Inserts the smart card and inputs $B_{i}^{'}$

(2) Verifies whether $d (B_{i}, B_{i}^{'}) < τ$ ?

(3) If it holds, then $C_{i}$ inputs his/her password ${PW}_{i}$

(4) Computes $r_{i}^{'} = h ({PW}_{i}) \oplus f_{i}$ and verifies whether $d (r_{i}, r_{i}^{'}) < τ$ ?

(5) If it holds, the smart card computes

$M_{1} = e_{i} \oplus r_{i}^{'}$

$M_{2} = h (R_{c} ∥ T)$

$M_{3} = M_{1} \oplus M_{2}$

(6) $\overset{〈 g_{i}, M_{2}, M_{3}, T 〉}{\to}$

Step 1. $C_{i}$ first inserts his/her smart card into the card reader of a terminal and offers his/her personal biometric template, $B_{i}^{'}$ , on the specific device. If $d (B_{i}, B_{i}^{'}) > τ$ , the remote user authentication is terminated. Otherwise, $C_{i}$ passes the biometric verification and then inputs his/her password ${PW}_{i}$ to perform Step 2.

Step 2. The smart card computes $r_{i}^{'} = h ({PW}_{i}) \oplus f_{i}$ . If $d (r_{i}^{'}, r_{i}) > τ$ , then password verification fails, and the system terminates the session; otherwise, the smart card computes $M_{1} = e_{i} \oplus r_{i}^{'}$ , which is equal to $h (g_{i} ∥ X_{s})$ , $M_{2} = h (R_{c} ∥ T)$ , where $R_{c}$ is a random number generated by the user $C_{i}$ and T is the current timestamp of $C_{i}$ 's system, and $M_{3} = M_{1} \oplus M_{2}$ .

Step 3. Finally, the user $C_{i}$ sends the message $〈 g_{i}, M_{2}, M_{3}, T 〉$ to the remote server $S_{i}$ .

4.3. Authentication Phase

When the remote server $S_{i}$ receives the login request $〈 g_{i}, M_{2}, M_{3}, T 〉$ at time $T^{*}$ , it will perform the following steps as shown in Algorithm 6 to authenticate whether the user $C_{i}$ is legal or not.

Algorithm 6: Authentication phase of our scheme.

$C_{i}$ $S_{i}$

(1) When receiving $〈 g_{i}, M_{2}, M_{3}, T 〉$ ,

$S_{i}$ checks $(T^{*} - T) > Δ T$ ?

(2) $S_{i}$ computes $M_{4} = h (g_{i} ∥ X_{s})$ ,

$M_{5} = M_{4} \oplus M_{3}$ , and verifies whether $M_{5} = M_{2}$ ?

(3) $S_{i}$ computes $M_{6} = h (R_{s} ∥ T_{s})$ ,

$M_{7} = M_{4} \oplus M_{6}$ ,

$\overset{〈 M_{4}, M_{6}, M_{7}, T_{s} 〉 .}{\leftarrow}$

(4) When receiving $〈 M_{4}, M_{6}, M_{7}, T_{s} 〉$

at $T^{* *}$ , $C_{i}$ checks $(T^{* *} - T) > Δ T$ ?

computes $M_{8} = M_{4} \oplus M_{7}$ , then verifies $M_{8} = M_{6}$ ?

(5) $C_{i}$ computes $M_{9} = M_{4} \oplus M_{6}$ , then verifies $M_{9} = M_{7}$ ? computes $M_{10} = h (R_{c} ∥ T^{'})$ , and

then $M_{11} = M_{7} \oplus M_{10}$ ,

$\overset{〈 M_{11}, R_{c}, T^{'} 〉 .}{\to}$

(6) When receiving $〈 M_{11}, R_{c}, T^{'} 〉$ at $T^{* * *}$ , $S_{i}$ verifies $(T^{* * *} - T) > Δ T$ ?

then computes $M_{12} = h (R_{c} ∥ T^{'})$ ,

$M_{13} = M_{4} \oplus M_{6} \oplus M_{12}$ , then verifies $M_{13} = M_{11}$ ?

If it holds, $S_{i}$ accepts $C_{i}^{'} s$ login request.

Step 1. Verify T. If $(T^{*} - T) > Δ T$ , the authentication phase aborts, where $Δ T$ is the expected time interval for the transmission delay of the system. On the contrary, if $(T^{*} - T) \leq Δ T$ , the next step will be performed.

Step 2. $S_{i}$ checks the format of $C_{i}$ 's ${ID}_{i}$ . It computes $M_{4} = h (g_{i} ∥ X_{s})$ using the secret value $X_{s}$ maintained by the server $S_{i}$ and then computes $M_{5} = M_{4} \oplus M_{3}$ and verifies whether $M_{5} = M_{2}$ . If it does not hold, then $S_{i}$ rejects $C_{i}$ 's login request. In case the verification is successful, the next step will be performed.

Step 3. $S_{i}$ computes $M_{6} = h (R_{s} ∥ T_{s})$ and $M_{7} = M_{4} \oplus M_{6}$ , where $T_{s}$ is the current timestamp of the server $S_{i}$ , and then $S_{i}$ sends message $〈 M_{4}, M_{6}, M_{7}, T_{s} 〉$ to the user $C_{i}$ .

Step 4. After receiving the message $〈 M_{4}, M_{6}, M_{7}, T_{s} 〉$ at time $T^{* *}$ , $C_{i}$ first checks the freshness of $T_{s}$ by verifying $(T^{* *} - T_{s}) > Δ T .$ If it holds, the following session is terminated; otherwise $C_{i}$ computes $M_{8} = M_{4} \oplus M_{7}$ and then verifies whether $M_{8} = M_{6} .$ If it does not hold, $C_{i}$ terminates the session. Otherwise, it goes to the next step.

Step 5. $C_{i}$ computes $M_{9} = M_{4} \oplus M_{6}$ and then verifies whether $M_{9} = M_{7} .$ If it does not hold, $S_{i}$ is rejected by $C_{i}$ ; otherwise, if it holds, $C_{i}$ computes $M_{10} = h (R_{c} ∥ T^{'})$ , where $T^{'}$ is the current timestamp of the user $C_{i}$ , and then computes $M_{11} = M_{7} \oplus M_{10}$ and sends the message $〈 M_{11}, R_{c}, T^{'} 〉$ to the remote server $S_{i}$ .

Step 6. When $S_{i}$ receives the message $〈 M_{11}, R_{c}, T^{'} 〉$ at time $T^{* * *}$ , it verifies $(T^{* * *} - T^{'}) > Δ T$ . If it holds, the authentication phase is terminated. Otherwise, if it does not hold, $S_{i}$ computes $M_{12} = h (R_{c} ∥ T^{'})$ and then computes $M_{13} = M_{4} \oplus M_{6} \oplus M_{12}$ . After computing $M_{13}$ , then $S_{i}$ verifies whether $M_{13} = M_{11} .$ If it holds, $S_{i}$ accepts $C_{i}$ 's login request; otherwise, $S_{i}$ rejects the login request.

4.4. Password Change

In our scheme, user $C_{i}$ can freely change the password ${PW}_{i}^{old}$ to a new one ${PW}_{i}^{new}$ . The password change procedure is performed as follows.

Step 1. $C_{i}$ inserts the smart card into the card reader and offers his/her personal biometrics $B_{i}^{'}$ ; then the smart card computes $f_{i}^{'} = h (B_{i}^{'})$ and verifies it by checking $d (f_{i}^{'}, f_{i}) \leq τ .$ where $f_{i} = h (B_{i})$ is the information stored in the smart card.

Step 2. If it holds, $C_{i}$ inserts old password ${PW}_{i}^{old}$ and new password ${PW}_{i}^{new}$ ; otherwise the password change procedure is terminated.

Step 3. Smart card performs $r_{i}^{'} = h ({PW}_{i}^{old}) \oplus f_{i}^{'}$ and checks $d (r_{i}^{'}, r_{i}) \leq τ .$ where $r_{i}$ is the information stored in the smart card.

Step 4. If it holds, the smart card computes $r_{i}^{′′} = h ({PW}_{i}^{new}) \oplus f_{i}$ , $e_{i}^{'} = e_{i} \oplus r_{i} (= h ({ID}_{i} ∥ X_{s}))$ , and $e_{i}^{''} = e_{i}^{'} \oplus r_{i}$ .

Step 5. Finally, replace $e_{i}$ with $e_{i}^{''}$ and $r_{i}$ with $r_{i}^{′′}$ on the smart card.

5. Security Analysis and Performance of the Proposed Scheme

5.1. Security Analysis

If a legal user lost his/her smart card, it is extremely hard for an adversary to derive the user's sensitive information such as user's identity, password, and biometrics because the extraction of parameters from the smart card is quite difficult. Furthermore, the adversary cannot change the password because he/she cannot pass the biometric verification.

5.1.1. Denial-of-Service Attack

In our proposed protocol, we take into account hash function's sensitivity to small perturbations in its inputs. In the login phase, user's biometric verification is performed by checking $d (B_{i}, B_{i}^{'}) > τ$ instead of checking $h (B_{i}^{'}) = f_{i}$ . Moreover, the password verification is performed by checking $d (r_{i}^{'}, r_{i}) > τ$ instead of $r_{i}^{'} = r_{i}$ . So denial-of-service attack caused by hash function's fundamental properties can be withstood.

5.1.2. Stolen-Verifier Attack

Our scheme can resist stolen-verifier attack because the scheme is free from the verifier/password table. In our protocol, the remote server $S_{i}$ does not keep password tables. Therefore, an attacker cannot steal user's password from $S_{i}$ . Moreover, the password is masked by hash function in the procedure of message transfer between the user $C_{i}$ and remote server $S_{i}$ .

5.1.3. Many Logged-In Users Attack

Most systems, which maintain the password table to verify user login, are vulnerable to this kind of threat. Our scheme can resist the threat since our scheme requires on-card computation for login to the remote server $S_{i}$ , and once the smart card is removed, the login process will be aborted.

5.1.4. Guessing Attack

Our protocol can resist guessing attack, which is a critical concern in password-based systems, since the password in our protocol is transmitted as a digest of some other secret information. The attacker cannot guess the user's password from the digest because of the one-way characteristic of the hash function, even if the attacker may get the digest which contains the password.

5.1.5. Replay Attack

Replaying an intercepted message can be prevented in our proposed protocol. If an attacker intercepts $〈 {ID}_{i}, M_{2}, M_{3}, T 〉$ and tries to login to the remote server $S_{i}$ via replaying the same message, he/she cannot pass the verification of the login request due to $(T^{*} - T) > Δ T$ , where $T^{*}$ is the system time when the remote server $S_{i}$ receives the replayed message. Moreover, if an attacker intercepts $〈 M_{4}, M_{6}, M_{7}, T_{s} 〉$ and tries to replay the message to the user $C_{i}$ , this kind of attack also can be prevented due to $(T^{* *} - T_{s}) > Δ T$ .

5.1.6. User Impersonation Attack

In the login phase of our scheme, the message sent to remote server $S_{i}$ is $〈 g_{i}, M_{2}, M_{3}, T 〉$ instead of $〈 {ID}_{i}, M_{2}, M_{3}, T 〉$ , where the user's identity ${ID}_{i}$ is masked by hash function. Even though an attacker eavesdrops the message $〈 g_{i}, M_{2}, M_{3}, T 〉$ , he cannot derive the user's identity, ${ID}_{i}$ , due to the one-way characteristic of hash function. In the authentication phase, when the remote server $S_{i}$ receives the login request message $〈 g_{i}, M_{2}, M_{3}, T 〉$ , it will check the validity of user's identity. Since the attacker cannot derive legal user's identity, the check of user's identity cannot pass which will result in the termination of authentication phase. Through the above analysis, we can see that user impersonation attack can be avoided in our scheme.

5.1.7. Server Masquerading Attack

If an attack $A_{i}$ attempts to masquerade as the legitimate server $S_{i}$ , he/she must make the forged replay message to the user when receiving the user's login request message $〈 g_{i}, M_{2}, M_{3}, T 〉$ . However, the forged replay message is more difficult to fake since the time-stamped message $〈 M_{4}, M_{6}, M_{7}, T_{s} 〉$ is sent to the user $C_{i}$ when the remote server $S_{i}$ is receiving $C_{i}$ 's login request message $〈 g_{i}, M_{2}, M_{3}, T 〉$ . Moreover, the attacker $A_{i}$ cannot masquerade as the server by forging the replay message $〈 M_{4}, M_{6}, M_{7}, T_{s} 〉$ , because $A_{i}$ cannot compute $(M_{4}, M_{7})$ sending to the user $C_{i}$ without knowing the secret value $X_{s}$ kept by the server $S_{i}$ . Hence, the attacker $A_{i}$ cannot masquerade as the legal server to the user by launching the server masquerading attack.

5.1.8. Insider Attack

In the registration phase, if the user's password ${PW}_{i}$ and the biometrics information $B_{i}$ are revealed to the server $S_{i}$ , the insider of the server may directly obtain ${PW}_{i}$ and $B_{i}$ , and the insider impersonates as the user $C_{i}$ to access the user's other accounts in the server. But in the login phase of our scheme, if the insider wants to access $C_{i}$ 's other accounts, he/she must input his/her smart card to the card reader and provide his biometric information $B_{i}^{'}$ in order to pass the verification $d (B_{i}, B_{i}^{'}) < τ$ . Since the insider cannot provide the user $C_{i}$ 's smart card, the biometric verification will be aborted. So the insider attack can be prevented.

5.1.9. Mutual Authentication

As described above, our scheme can withstand the user impersonation attack and server masquerading attack; consequently our scheme can provide mutual authentication between the user $C_{i}$ and remote server $S_{i}$ .

5.1.10. Man-in-the-Middle Attack

Man-in-the-middle attack means that an active attacker intercepts the communication line between a legal user and the server and uses some means to successfully masquerade as both the server to the user and the user to the server. Then, the user will believe that he is talking to the intended server and vice versa. In our scheme, when a user $C_{i}$ wants to login to the remote server $S_{i}$ , mutual authentication between the user $C_{i}$ and remote server $S_{i}$ is performed, so man-in-the-middle attack can be prevented.

5.2. Performance of the Proposed Scheme

In this subsection, we compare the performances of our improved scheme with those for Li-Hwang's scheme [11] and Das's scheme [21]. It is worth recalling that the protocol of Li-Hwang's scheme [11] has security weaknesses against denial-of-service attack, replay attack, user impersonation attack, and man-in-the-middle attack. It is noted that Das's scheme [21] has security weaknesses against denial-of-service attack, user impersonation attack, replay attack, server masquerading attack, and insider attack. The security comparisons between our scheme and the schemes proposed by Li and Hwang [11] and Das [21] are summarized in Table 2. For the convenience of evaluating the efficiency of related scheme, we define the notation $T_{h}$ , the time of executing a one-way hash function. The efficiency comparison with related schemes is shown in Table 3. From the table, we can see that our scheme is more efficient than Das's scheme [21]. Though our scheme is less efficient than Li-Hwang's scheme [11], it can provide better security against most attacks.

Table 2

Security comparisons among related protocols.

Item	Our scheme	Li-Hwang's scheme [11]	Das's scheme [21]
Avoiding denial-of-service attack	Yes	No	No
Avoiding stolen-verifier attack	Yes	Yes	Yes
Avoiding many logged-in users attack	Yes	Yes	Yes
Avoiding guessing attack	Yes	Yes	No
Avoiding replay attack	Yes	No	No
Avoiding user impersonation attack	Yes	No	No
Avoiding server masquerading attack	Yes	No	No
Avoiding man-in-the-middle attack	Yes	No	Yes
Avoiding insider attack	Yes	No	No
Mutual authentication	Yes	No	No
Having flaws in password change	No	Yes	Yes

Table 3

Efficiency comparison with related schemes.

Different phase	Li-Hwang's Scheme [11]	Das's scheme [21]	Our scheme
Registration
User computation cost	2 $T_{h}$	—	4 $T_{h}$
Server computation cost	—	3 $T_{h}$	—
Login
User computation cost	3 $T_{h}$	3 $T_{h}$	3 $T_{h}$
Server computation cost	—	—	—
Authentication
User computation cost	2 $T_{h}$	3 $T_{h}$	$T_{h}$
Server computation cost	3 $T_{h}$	5 $T_{h}$	3 $T_{h}$

6. Conclusion

This paper presents a biometric-based user authentication scheme for client/server system. The method employs biometric keys and resists the threats of stolen-verifier, of which many are logged-in users with the same login identity, denial-of-service attack, guessing attack, insider attack, replay attack, user impersonation attack, server masquerading attack, and man-in-the-middle attack. Moreover, the improved scheme can realize mutual authentication between the user and remote server. The proposed scheme uses only hash function and XOR operation, which is efficient compared with that of related protocols. In addition, the user's password can be changed freely using the proposed scheme. Our proposed scheme provides strong authentication with the help of verifying biometrics, passwords, and random nonces generated by the user and server as compared to that of related schemes.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to thank the valuable comments and suggestions of the reviewers. This work is supported in part by National Natural Science Foundation of China (no. 61370223) and by Science Research Project of Hubei Provincial Department of Education (XD2012374 and B2013024).

References

Hwang

M. S.

Liu

C. Y.

Authenticated encryption schemes: current status and key issues

International Journal of Network Security 2005 1 2 61 73

Lee

N.-Y.

Chiu

Y.-C.

Improved remote authentication scheme with smart card

Computer Standards and Interfaces 2005 27 2 177 180

2-s2.0-9544232528

10.1016/j.csi.2004.06.001

C. T.

An enhanced remote user authentication scheme providing mutual authen- tication and key agreement with Smart Cards

Proceedings of the 5th International IEEE Computer Society Conference on Information Assurance and Security

2009

Xi'an, China

517 520

Kim

Koc

C. K.

A simple attack on a recently introduced hash-based strong-password authentication scheme

International Journal of Network Security 2005 1 2 77 80

Wong

K. H. M.

Yuan

Jiannong

Shengwei

A dynamic user authentication scheme for wireless sensor networks

Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC ′06)

June 2006

Taichung, Taiwan

244 251

2-s2.0-33845458336

10.1109/SUTC.2006.1636182

Tseng

H.-R.

Jan

R.-H.

Yang

An improved dynamic user authentication scheme for wireless sensor networks

Proceedings of the 50th Annual IEEE Global Telecommunications Conference (GLOBECOM ′07)

November 2007

Washington, DC, USA

986 990

2-s2.0-39349093196

10.1109/GLOCOM.2007.190

Lee

T. H.

Simple dynamic user authen- tication protocols for wireless sensor networks

Proceedings of the 2nd International Conference on Sensor Technologies and Application (SENSOR COMM ′08)

August 2008

Cap Esterel, France

657 660

L.-C.

A novel dynamic user authentication scheme for wireless sensor networks

Proceedings of the IEEE International Symposium on Wireless Communication Systems (ISWCS ′08)

October 2008

Reykjavik, Iceland

608 612

2-s2.0-62449290253

10.1109/ISWCS.2008.4726128

Vaidya

Rodrigues

J. J.

Park

J. H.

User authentication schemes with pseudonymity for ubiquitous sensor network in NGN

International Journal of Communication Systems 2010 23 9-10 1201 1222

2-s2.0-77956388579

10.1002/dac.1097

10.

Daemen

Rijndael

R. V.

The advanced encryption standard

Dr. Dobb's Journal 2001 26 3 137 139

11.

C.-T.

Hwang

M.-S.

An efficient biometrics-based remote user authentication scheme using smart cards

Journal of Network and Computer Applications 2010 33 1 1 5

2-s2.0-70349792182

10.1016/j.jnca.2009.08.001

12.

Jain

A. K.

Ross

Prabhakar

An introduction to biometric recognition

IEEE Transactions on Circuits and Systems for Video Technology 2004 14 1 4 20

2-s2.0-0742290133

10.1109/TCSVT.2003.818349

13.

Maltoni

Maio

Jain

A. K.

Prabhakar

Handbook of Fingerprint Recognition 2009

New York, NY, USA

Springer

14.

Prabhakar

Pankanti

Jain

A. K.

Biometric recognition: security and privacy concerns

IEEE Security and Privacy 2003 1 2 33 42

2-s2.0-0742302036

10.1109/MSECP.2003.1193209

15.

Prakash

A biometric approach for continuous user authentication by fusing hard and soft traits

International Journal of Network Security 2014 16 1 65 70

16.

Dimitriadis

C. K.

Shaikh

S. A.

A biometric authentication protocol for 3G mobile systems: modelled and validated using CSP and rank functions

International Journal of Network Security 2007 5 1 99 111

17.

Yang

Security weaknesses and improvements of a fingerprint-based remote user authentication scheme using smart cards

International Journal of Advancements in Computing Technology 2012 4 3 21 28

2-s2.0-84856658957

10.4156/ijact.vol4.issue1.2

18.

Younghwa

A. N.

Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards

Journal of Biomedicine and Biotechnology 2012 2012 6

519723

10.1155/2012/519723

19.

Lin

C.-H.

Lai

Y.-Y.

A flexible biometrics remote user authentication scheme

Computer Standards and Interfaces 2004 27 1 19 23

2-s2.0-4043139259

10.1016/j.csi.2004.03.003

20.

C.-T.

Hwang

M.-S.

An efficient biometrics-based remote user authentication scheme using smart cards

Journal of Network and Computer Applications 2010 33 1 1 5

2-s2.0-70349792182

10.1016/j.jnca.2009.08.001

21.

Das

A. K.

Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards

IET Information Security 2011 5 3 145 151

2-s2.0-81855227196

10.1049/iet-ifs.2010.0125

22.

Linnartz

J. P.

Tuyls

New shielding functions to enhance privacy and prevent misuse of biometric templates

2688

Proceedings of the Audio and Video-Based Biometric Person Authentication

2003

393 402 Lecture Notes in Computer Science

An Improved Biometric-Based User Authentication Scheme for C/S System

Abstract

1. Introduction

2. Review of DAS's Biometric-Based Remote User Authentication Scheme

2.1. Registration Phase

Algorithm 1: Registration phase of Das's scheme.

2.2. Login Phase

Algorithm 2: Login phase of Das's scheme.

2.3. Authentication Phase

Algorithm 3: Authentication phase of Das's scheme.

2.4. Password Change

3. Cryptanalysis of Das's Scheme

3.1. Denial-of-Service Attack

3.2. User Impersonation Attack

3.3. Replay Attack

3.4. Password Change

4. Proposed Scheme

4.1. Registration Phase

Algorithm 4: Registration phase of our scheme.

4.2. Login Phase

Algorithm 5: Login phase of our scheme.

4.3. Authentication Phase

Algorithm 6: Authentication phase of our scheme.

4.4. Password Change

5. Security Analysis and Performance of the Proposed Scheme

5.1. Security Analysis

5.1.1. Denial-of-Service Attack

5.1.2. Stolen-Verifier Attack

5.1.3. Many Logged-In Users Attack

5.1.4. Guessing Attack

5.1.5. Replay Attack

5.1.6. User Impersonation Attack

5.1.7. Server Masquerading Attack

5.1.8. Insider Attack

5.1.9. Mutual Authentication

5.1.10. Man-in-the-Middle Attack

5.2. Performance of the Proposed Scheme

6. Conclusion

Footnotes

Conflict of Interests

Acknowledgments

References