Sage Journals: Discover world-class research

Abstract

Many remote user authentication schemes have been designed and developed to establish secure and authorized communication between a user and server over an insecure channel. By employing a secure remote user authentication scheme, a user and server can authenticate each other and utilize advanced services. In 2015, Cao and Ge demonstrated that An’s scheme is also vulnerable to several attacks and does not provide user anonymity. They also proposed an improved multi-factor biometric authentication scheme. However, we review and cryptanalyze Cao and Ge’s scheme and demonstrate that their scheme fails in correctness and providing user anonymity and is vulnerable to ID guessing attack and server masquerading attack. To overcome these drawbacks, we propose a security-improved authentication scheme that provides a dynamic ID mechanism and better security functionalities. Then, we show that our proposed scheme is secure against various attacks and prove the security of the proposed scheme using BAN Logic.

Keywords

Biometrics authentication cryptanalysis mobile networks anonymity

Introduction

With the rapid development of Internet technology and the smart device industry, users can access any service from anywhere.¹ In addition, the growth in network technology has made these services user-friendly and adoptable and mobile devices have become a vital part of our lives. Nowadays, people are able to easily utilize advanced services such as e-commerce, e-healthcare, and e-learning.²

Despite advantages of ubiquitous mobile computing technologies, several new threats have emerged. The transmission of data through insecure channels leads to the security challenges such as authentication, privacy, and integrity. And adversaries are considered to be sufficiently powerful to control communication over a public channel. To ensure authorized and secure communication, a user and server should verify their mutual legitimacy and exchange a session key, which can be used to transmit data securely.^3,4 Moreover, an anonymous authentication is required to provide secure communications between numerous network users while preserving privacy.

To address security and authorized access in mobile environments, various remote user authentication schemes have been designed and developed. Remote user authentication is a common approach to verify the legitimacy of users who seek service and has become an indispensable component of service access. By employing a remote user authentication scheme, a server first authenticates remote users and grants service access only to those who are legitimate and authorized while rejecting unauthorized entities whose aim is to damage network security.

Smart card–based authentication schemes were introduced initially to resolve such security issues.^5–7 Recently, a large amount of research on password-based authentication schemes using smart cards has been presented.^3,8,9 However, password-based authentication schemes are vulnerable to identity/password guessing attacks and subject to inefficient password change policies. To resolve single-password authentication problems, several biometric-based remote user authentication schemes have been proposed.^2,10–12 In contrast to passwords, biometric information, such as irises, fingerprints, and palmprints, is considered to be a unique identifier of a user and is difficult to spoof. Therefore, biometric-based remote user authentication is inherently more secure and reliable than conventional authentication schemes.¹³

Li and Hwang¹⁴ proposed an efficient biometric-based remote user authentication scheme in 2010. In 2011, Das¹⁵ cryptanalyzed and improved Li and Hwang’s¹⁴ scheme. However, An¹⁶ found out that Das’¹⁵ scheme failed to provide mutual authentication and enhanced it to support secure authentication in 2012. In 2015, Cao and Ge¹⁷ demonstrated that An’s¹⁶ scheme is vulnerable to replay attacks, in which an adversary can masquerade as the legal server. In addition, they mentioned that An’s scheme does not provide user anonymity just as most recently presented biometric-based authentication schemes are not properly addressed, so An’s scheme is insecure against user masquerading attack. Cao and Ge also proposed an improved multi-factor biometric authentication scheme to overcome the security weaknesses of An’s scheme and support user anonymity. However, we point out their scheme fails to provide re-registration and does not withstand several attacks.

This article discusses the security vulnerability of Cao and Ge’s scheme and proposes an enhanced multi-factor biometric authentication scheme with better security functionality than Cao and Ge’s scheme. We provide an analysis of the security and efficiency of our proposed scheme. The major contributions of this study are summarized as follows:

Cryptanalysis of Cao and Ge’s scheme

We cryptanalyze Cao and Ge’s scheme and demonstrate the incorrectness of their scheme in re-registration phase and the vulnerability to the off-line ID guessing attack and server masquerading attack. We illustrate that an adversary can obtain the identity of any legal user of the system once he or she obtains the smart card of the user. Hence, the scheme does not provide user anonymity.

Enhancements of Cao and Ge’s scheme

We propose an enhanced multi-factor biometric authentication scheme to overcome the security weaknesses of Cao and Ge’s scheme. Our scheme supports the dynamic identity mechanism using timestamps and resists off-line ID guessing attack and server masquerading attack. We also provide password change phase to enhance the security of the system.

Security analysis against various attacks

We analyze the proposed scheme in security. Our scheme supports better security functionality than that of Cao and Ge’s scheme. Our scheme is secure against off-line ID guessing attack, user masquerading attack, and server masquerading attack. In addition, it provides user anonymity, mutual authentication, session key agreement, efficient password change, and forward secrecy. We also prove that our scheme provides mutual authentication using Burrows–Abadi–Needham (BAN) Logic.¹⁸

Preliminaries

In this section, we present notations and then define Bio-Hashing.

Notations

The notations used throughout this article are described in Table 1.

Table 1.

Notations.

Notation	Meaning
$C_{i}$	User $i$
$R_{i}$	Trusted registration center $i$
$S_{i}$	Remote server $i$
$I D_{i}$	Actual identity of $C_{i}$
$VI D_{i}$	Virtual identity of $C_{i}$
$DI D_{i}$	Dynamic identity of $C_{i}$
$P W_{i}$	Password of $C_{i}$
$B_{i}$	Biometric template of $C_{i}$
$S C_{i}$	Smart card of user $C_{i}$
$A_{i}$	Adversary $i$
$X_{S}$	Secret key of $S_{i}$
$x$	Master key of $R_{i}$
$K$	Random number for registration of $C_{i}$
$R_{C}$	Random number generated by $C_{i}$
$R_{S}$	Random number generated by $S_{i}$
\|\|	Concatenate operation
⊕	Bitwise XOR operation
$h ()$	Secure hash function
$H ()$	Bio-Hashing function
$y_{i}$	A unique number of $C_{i}$ generated by the $R_{i}$
$T_{i}$	Timestamp

Bio-hashing

Biometric technology often attracts attention in the area of unique user authentication in general authentication systems. Especially, the use of biometric information is extending steadily in cryptosystem for authentication purpose. However, imprint biometric characteristics (such as fingerprint, palmprint, retina, and iris) may not appear exactly the same in each scan. With high probability, imprinted biometric information rejects registered, legitimate users. To resolve the high false rejection rate, Jin et al.¹⁹ proposed a two-factor authenticator on iterated inner products comprising a tokenized pseudo-random number and user-specific fingerprint features, which produces a set of user-specific compact codes; this is called Bio-Hashing. Later, Lumini and Nanni²⁰ proposed an improvement of Bio-Hashing. As noted by Chang et al.,²¹ Bio-Hashing is used to map a user’s/patient’s biometric feature onto user-specific random vectors to generate a code called a bio-code and then discretize the projection coefficients into zeroes and ones. Bio-Hashing is verified to be the most suitable and compatible technique that can be utilized in tiny smart devices such as smart cards and smart phones.²²

Review of Cao and Ge’s authentication scheme

In this section, we review Cao and Ge’s authentication scheme. It comprises four phases: registration phase, re-registration phase, login phase, and authentication phase.

Registration phase

A user $C_{i}$ first registers oneself at a trusted registration center $R_{i}$ to obtain the service from the remote server $S_{i}$ and receives a personalized smart card. A user chooses one’s identity $I D_{i}$ and password $P W_{i}$ , imprints biometric information $B_{i}$ , and then performs the following steps:

(R1) A user $C_{i}$ chooses random number $K$ and then compute $(P W_{i} \oplus K)$ and $(B_{i} \oplus K)$ . Then, $C_{i}$ submits $(I D_{i}, P W_{i} \oplus K, B_{i} \oplus K)$ to $R_{i}$ via a secure channel.

(R2) $R_{i}$ computes $f_{i} = h (B_{i} \oplus K), r_{i} = h (P W_{i} \oplus K) \oplus f_{i}, e_{i} = h (I D_{i} | | X_{S}) \oplus r_{i}$ .

(R3) $R_{i}$ creates an entry in the account database for the user $I D_{i}$ and store $n_{i} = 0$ in this entry. Then, $R_{i}$ computes $EI D_{i} = h (I D_{i}) | | n_{i}$ .

(R4) $R_{i}$ computes $v_{i} = h (h (P W_{i}) | | h (B_{i}) | | X_{S})$ .

(R5) $R_{i}$ sends a smart card that contains ${EI D_{i}, h (), f_{i}, e_{i}, n_{i}}$ to $C_{i}$ via a secure channel. Then, $C_{i}$ stores a random $K$ in the smart card.

Re-registration phase

(RR1) $C_{i}$ chooses a new random number $K^{'}$ and then submits to $R_{i}$ the identity $I D_{i}$ , password information $(P W_{i} \oplus K^{'})$ , and biometric information $(B_{i} \oplus K^{'})$ via a secure channel.

(RR2) $R_{i}$ computes $v_{i}^{'} = h (h (P W_{i}) | | h (B_{i}) | | X_{S})$ and compares it with $v_{i}$ in the account database.

(RR3) If $v_{i}^{'}$ is equal to $v_{i}$ , $R_{i}$ sets $n_{i_{new}} = n_{i} + 1$ . Then, $R_{i}$ performs the following computations; $f_{i_{new}} = h (B_{i} \oplus K^{'}), r_{i_{new}} = h (P W_{i} \oplus K^{'}) \oplus f_{i_{new}}, e_{i_{new}} = h (I D_{i} | | X_{S}) \oplus r_{i_{new}}$ . And then $EI D_{i}$ is updated as $EI D_{i} = h (I D_{i}) | | n_{i_{new}}$ .

(RR4) $R_{i}$ sends a new smart card that contains the information ${EI D_{i}, h (), f_{i_{new}}, e_{i_{new}}, n_{i_{new}}}$ to $C_{i}$ via a secure channel. Then, $C_{i}$ stores the random number $K^{'}$ in the smart card.

Login phase

In order to login to the remote server $S_{i}$ , the user $C_{i}$ performs the following steps using the smart card:

(L1) $C_{i}$ imprints one’s biometric information $B_{i}$ , then the smart card $S C_{i}$ computes $h (B_{i} \oplus K)$ and compares it with $f_{i}$ . If it is valid, $S C_{i}$ continues the following steps.

(L2) $C_{i}$ chooses a random number $R_{C}$ and inputs $(I D_{i}, P W_{i}, R_{C})$ into the smart card. Then, $S C_{i}$ computes $r_{i} = h (P W_{i} \oplus K) \oplus f_{i} \oplus h (H (B_{i}), M_{1} = e_{i} \oplus r_{i}, M_{2} = M_{1} \oplus R_{C}, M_{3} = h (M_{1} | | R_{c})$ .

(L3) $S C_{i}$ computes $EI D_{i} = h (I D_{i}) | | n_{i}$ .

(L4) $C_{i}$ sends the login request message ${EI D_{i}, M_{2}, M_{3}}$ to $S_{i}$ .

Authentication phase

The user $C_{i}$ and the remote server $S_{i}$ verify the authenticity of each other in this phase as follows:

(A1) $S_{i}$ checks the validity of the received $EI D_{i}$ by comparing $h (I D_{i}) | | n_{i}$ in the account database.

(A2) If it is valid, $S_{i}$ computes $M_{4} = h (I D_{i} | | X_{S})$ and $M_{5} = M_{2} \oplus M_{4}$ .

(A3) If $M_{3} = h (M_{4} | | M_{5})$ , $S_{i}$ chooses a random number $R_{S}$ and computes $M_{6} = M 4 \oplus R_{S}, M_{7} = h (M_{4} | | R_{S})$ .

(A4) Then, $S_{i}$ sends the message ${EI D_{i}, M_{6}, M_{7}}$ to $C_{i}$ .

(A5) $C_{i}$ computes $M_{8} = M_{6} \oplus M_{1}$ and checks whether $M_{7} = h (M_{1} | | M_{8})$ or not. If it is valid, $C_{i}$ computes $M_{9} = h (M_{1} | | R_{C} | | M_{8})$ .

(A6) $C_{i}$ sends the message ${M_{9}}$ to $S_{i}$ .

(A7) $S_{i}$ computes $M_{10} = h (M_{4} | | M_{5} | | R_{S})$ . If $M_{10} = M_{9}$ , $S_{i}$ accepts the user’s login request and sends the message ${M_{10}}$ to $C_{i}$ .

(A8) $C_{i}$ checks whether $M_{10} = h (M_{1} | | R_{C} | | M_{8})$ or not. If it is valid, $C_{i}$ accepts $S_{i}$ as the legitimate server.

Cryptanalysis of Cao and Ge’s authentication scheme

In this section, we analyze the security problems of Cao and Ge’s scheme. Cao and Ge¹⁷ cryptanalyzed Younghwa An’s¹⁶ scheme and improved it to support better security functionality. However, we found out that Cao and Ge’s remote user authentication scheme has security vulnerabilities. We assume that the capabilities of adversaries are as follows:^2,23

An adversary $A_{i}$ has total control over the communication channel connecting the users and the remote server in login/authentication phase. Thus, the adversary can intercept, insert, delete, or modify any message transmitted via a public channel.

An adversary may either steal a user’s smart card or obtain a user’s password, but not both.

An adversary can extract the information stored in a smart card by means of analyzing the power consumption of the smart card.

Incorrectness in registration phase

Younghwa An¹⁶ claimed that if the password $P W_{i}$ and biometric information $B_{i}$ of the user are revealed to the server, the insider in the server can obtain the user’s password and biometric information directly. To protect the user’s information from the insider in the server, Younghwa An concealed password and biometric information in registration phase using a XOR (⊕) operation with user’s information. Thus, the insider of the server may not know the user’s password and biometric information. Cao and Ge referred to this method too; however, they failed to provide correctness. We show that registration phase of Cao and Ge’s¹⁷ scheme fails in correctness:

The user $C_{i}$ submits $(I D_{i}, P W_{i} \oplus K, B_{i} \oplus K)$ to the server $R_{i}$ via a secure channel.

$R_{i}$ computes $v_{i} = h (h (P W_{i}) | | h (B_{i}) | | X_{S})$ .

From the received message $(I D_{i}, P W_{i} \oplus K, B_{i} \oplus K)$ , $R_{i}$ cannot extract $P W_{i}$ and $B_{i}$ . $R_{i}$ cannot compute $v_{i}$ too because it is computationally impossible to derive $h (P W_{i})$ and $h (B_{i})$ .

We showed that Cao and Ge’s scheme has fails in correctness and ultimately cannot proceed with re-registration phase because $v_{i}$ is used to check the validity of the user in re-registration phase, but $R_{i}$ cannot compute $v_{i}$ . This means that it is vulnerable to user masquerading attack as is An’s scheme. Therefore, the method of generation of $v_{i}$ or the way to update user’s identity must be revised.

Off-line identity guessing attack

The identity of a user is registered at the registration center. Users normally choose their social security ID, e-mail, phone number, and so on as their identity and are requested to input their identity, password, and biometric information in login phase. Although users attempt to keep their identities secret, identities are selected from a limited set that can be enumerated, and adversaries have sufficient power to guess from a limited set of identities in the off-line condition.²⁴ The complexity of this attack depends on the length of the identity. We show that Cao and Ge’s scheme is vulnerable to off-line identity guessing attack.

An adversary $A_{i}$ can know the information of the user $C_{i}$ stored in a smart card. $A_{i}$ extracts $n_{i}$ from the smart card.

When $C_{i}$ sends the login message to the remote server $S_{i}$ , $A_{i}$ records $EI D_{i}$ .

$A_{i}$ selects a candidate identity ${ID}_{i}^{'}$ , then computes ${EID}_{i}^{'} = h ({ID}_{i}^{'}) | | n_{i}$ . $A_{i}$ compares the computed ${EID}_{i}^{'}$ with the recorded $EI D_{i}$ . If they are equal, the adversary guesses the identity of the user $C_{i}$ correctly. Otherwise, the adversary selects another candidate identity and repeats this step.

Once the identity of the user is revealed, an adversary can recognize and trace the user before the user performs re-registration phase. However, as we mentioned in “Incorrectness in registration phase,” Cao and Ge’s scheme fails in correctness to proceed re-registration phase. Therefore, the adversary can identify and trace the user continuously.

Server masquerading attack

Cao and Ge analyzed the security of their authentication scheme against server masquerading attack by sending $M_{10}$ , because $C_{i}$ will finally find that the equation $M_{10}$ is not equal to $M_{9}$ . However, $C_{i}$ cannot know whether the sender of the message ${EI D_{i}, M_{6}, M_{7}}$ is valid or not. Thus, the message $M_{9}$ , $C_{i}$ sends to the server, can be sent to the adversary attempting to masquerade as the legal server. Finally, the adversary who sends the ${EI D_{i}, M_{6}, M_{7}}$ can obtain the message $M_{9}$ and send a valid message $M_{10}$ by replacing it with the message $M_{9}$ received right before the communication. We show that Cao and Ge’s scheme is vulnerable to server masquerading attack:

An adversary $A_{i}$ can intercept the message ${EI D_{i}, M_{6}, M_{7}}$ over the communication channel.

When a new session is opened, $A_{i}$ sends the replaying message ${EI D_{i}, M_{6}, M_{7}}$ to $C_{i}$ during the authentication phase pretending to the legal server.

$C_{i}$ sends the message $M_{9}$ to the adversary because he or she still don’t know whether the server is valid or not using the message ${EI D_{i}, M_{6}, M_{7}}$ .

$A_{i}$ responds with the message $M_{10}$ which is the received message $M_{9}$ from $C_{i}$ .

$C_{i}$ checks whether $M_{10}$ is equal to $M_{9}$ or not. Because $M_{9} = M_{10}$ , $C_{i}$ regards the adversary as the legal server.

An adversary can masquerade as the server before the user performs re-registration phase. However, as we mentioned in “Incorrectness in registration phase,” Cao and Ge’s scheme fails in correctness to proceed with re-registration phase. Therefore, the adversary can continue pretending to be the legal server.

The proposed remote user authentication scheme

We propose a dynamic ID-based multi-factor biometric authentication scheme to overcome the security problems of Cao and Ge’s remote user authentication scheme. In the proposed scheme, we use timestamps to support the dynamic identity mechanism and resist off-line ID guessing attack. We assume that the registration center and the remote server are trustworthy and share a server’s secret key $X_{S}$ and a master key of the registration center $x$ in advance. Our scheme comprises four phases: registration phase, login phase, authentication phase, and password change phase.

Registration phase

In this phase, a user $C_{i}$ chooses one’s identity $I D_{i}$ and password $P W_{i}$ , and imprints biometric information $B_{i}$ , then performs following steps:

(R1) A user $C_{i}$ chooses a random number $K$ , and then computes $(P W_{i} \oplus K)$ and $(H (B_{i}) \oplus K)$ . Then, $C_{i}$ submits $(I D_{i}, P W_{i} \oplus K, H (B_{i}) \oplus K)$ to $R_{i}$ via a secure channel.

(R2) $R_{i}$ chooses an unique number $y_{i}$ of $C_{i}$ and computes $f_{i} = h (H (B_{i}) \oplus K), r_{i} = h (P W_{i} \oplus K) \oplus f_{i}, e_{i} = h (I D_{i} | | X_{S}) \oplus r_{i}, VI D_{i} = h (y_{i} | | X_{S}) \oplus I D_{i} \oplus h (P W_{i} \oplus K | | h (H (B_{i}) \oplus K)), Z_{i} = y_{i} \oplus h (x)$ , and $G_{i} = h (h (I D_{i} | | X_{S}))$ .

(R3) $R_{i}$ creates an entry in the $I D_{i}$ and virtual identity $VI D_{i}$ in this entry.

(R4) $R_{i}$ stores ${VI D_{i}, h (), H (), f_{i}, e_{i}, Z_{i}, G_{i}}$ into the smart card $S C_{i}$ delivers it to $C_{i}$ via a secure channel.

(R5) Upon receiving $S C_{i}$ , $C_{i}$ stores a random $K$ in the smart card.

Figure 1 illustrates the registration phase of the proposed remote user authentication scheme.

Figure 1.

Registration phase.

Login phase

In order to login to the remote server $S_{i}$ , the user $C_{i}$ performs following steps using the smart card as follows:

(L1) $C_{i}$ imprints one’s biometric information $B_{i}$ and computes $H (B_{i})$ , then $S C_{i}$ computes $h (H (B_{i}) \oplus K)$ and compares it with $f_{i}$ . If it is valid, $S C_{i}$ continues the following steps.

(L2) $C_{i}$ chooses a random number $R_{C}$ and inputs $(I D_{i}, P W_{i}, R_{C})$ into the smart card. Then, $S C_{i}$ computes $r_{i}^{'} = h (P W_{i} \oplus K) \oplus f_{i}, M_{1} = e_{i} \oplus r_{i}^{'}, M_{2} = M_{1} \oplus R_{C}, M_{3} = h (M_{1} | | R_{C} | | T_{1})$ . To generate dynamic identity $DI D_{i}$ , $C_{i}$ computes $DI D_{i} = VI D_{i} \oplus h (h (y_{i} | | X_{S}) | | T_{1})$ , where $h (y_{i} | | X_{S}) = VI D_{i} \oplus I D_{i} \oplus h (P W_{i} \oplus K | | h (H (B_{i}) \oplus K))$ .

(L3) $C_{i}$ sends the login request message ${DI D_{i}, Z_{i}, M_{2}, M_{3}, T_{1}}$ to $S_{i}$ .

Authentication phase

The user $C_{i}$ and the remote server $S_{i}$ verify the authenticity of each other and generate a session key in this phase as follows.

(A1) Upon receiving ${DI D_{i}, Z_{i}, M_{2}, M_{3}, T_{1}}$ , $S_{i}$ verifies $T_{1} - T \leq Δ T$ . If the verification is failed, $S_{i}$ stops the session. Otherwise, $S_{i}$ checks the validity of the received $DI D_{i}$ by comparing ${VID}_{i}^{'} = VI D_{i}$ in the account database, where ${VID}_{i}^{'} = DI D_{i} \oplus h (h (y_{i} | | X_{S}) | | T_{1}), y_{i} = Z_{i} \oplus h (x)$ .

(A2) If the verification is failed, $S_{i}$ stops the session. Otherwise, $S_{i}$ computes $M_{4} = h (I D_{i} | | X_{S}), M_{5} = M_{2} \oplus M_{4}$ and checks whether $M_{3} = h (M_{4} | | M_{5} | | T_{1})$ or not.

(A3) If the verification is failed, $S_{i}$ stops the session. Otherwise, $S_{i}$ chooses a random number $R_{S}$ and computes $M_{6} = M_{4} \oplus R_{S}, M_{7} = h (M_{4} | | R_{S} | | T_{2})$ . And then, $S_{i}$ sends the message ${M_{6}, M_{7}, T_{2}}$ to $C_{i}$ .

(A4) $C_{i}$ verifies $T_{2} - T \leq Δ T$ . If the verification is failed, $C_{i}$ stops the session. Otherwise, $C_{i}$ computes $M_{8} = M_{1} \oplus M_{6}$ , and then checks whether $M_{7} = h (M_{1} | | M_{8} | | T_{2})$ .

(A5) If the verification is failed, $C_{i}$ stops the session. Otherwise, $C_{i}$ computes $M_{9} = h (M_{1} | | R_{C} | | M_{8} | | T_{2})$ and sends the message ${M_{9}, T_{3}}$ to $S_{i}$ . And then $C_{i}$ computes a session key $SK = h (R_{C} | | M_{8} | | T_{2} | | T_{3} | | M_{9})$ .

(A6) $S_{i}$ verifies $T_{3} - T \leq Δ T$ . If the verification is failed, $S_{i}$ stops the session. Otherwise, $S_{i}$ checks whether $M_{9} = h (M_{4} | | M_{5} | | R_{S} | | T_{2})$ or not. If the verification is failed, $S_{i}$ stops the session. Otherwise, $S_{i}$ computes a session key $S K^{'} = h (M_{5} | | R_{S} | | T_{2} | | T_{3} | | M_{9})$ and sends $h (S K^{'})$ to $C_{i}$ .

(A7) $C_{i}$ checks the validity of $h (S K^{'})$ by comparing $h (SK)$ . If the verification succeeds, $C_{i}$ authenticates $S_{i}$ . On the success of authentication, $C_{i}$ and $S_{i}$ have a common session $SK$ .

Figure 2 illustrates our proposed remote user authentication scheme.

Figure 2.

Proposed remote user authentication scheme.

Password change phase

The smart card establishes an authorized session with the user $C_{i}$ to verify the correctness of input parameters (identity, password, and biometric information). $C_{i}$ updates the password without interaction with the remote server or the registration center:

(P1) $C_{i}$ inserts the smart card $S C_{i}$ into the card reader. Then, $C_{i}$ inputs $I D_{i}, P W_{i}$ and a new password ${PW}_{i}^{new}$ , and then imprints $B_{i}$ .

(P2) $S C_{i}$ computes $f_{i}^{'} = h (H (B_{i}) \oplus K)$ and then verifies biometric information by comparing $f_{i}^{'} = f_{i}$ . If the verification is failed, the session is terminated. Otherwise, $S C_{i}$ computes $r_{i}^{'} = h (P W_{i} \oplus K) \oplus f_{i}^{'}$ , then checks the validity of $I D_{i}$ and $P W_{i}$ by comparing $G_{i} = h (h (e_{i} \oplus r_{i}^{'}))$ .

(P3) If the verification is failed, the session is terminated. Otherwise, $S C_{i}$ computes $r_{i}^{new} = h ({PW}_{i}^{new} \oplus K) \oplus f_{i}^{'}, e_{i}^{new} = e_{i} \oplus r_{i}^{'} \oplus r_{i}^{new}$ . Then, $S C_{i}$ stores $e_{i}^{new}$ in place of $e_{i}$ .

Figure 3 illustrates password change of the proposed remote user authentication scheme.

Figure 3.

Password update phase.

Analysis

In this section, we describe an analysis of our proposed authentication scheme with respect to security and performance. We assume that the capabilities of adversaries are the same as those from our cryptanalysis of Cao and Ge’s authentication scheme. We first prove the security of our proposed scheme using BAN Logic.¹⁸ Then, we show the security analysis of proposed scheme against various attacks.

Authentication proof based on BAN logic

In this section, we analyze the security of our proposed authentication scheme with BAN Logic¹⁸ which is a formal analysis method for authentication protocols. Table 2 illustrates notations used in BAN Logic.

The BAN Logic postulates

Message meaning rule concerns the interpretation of messages. They all derive beliefs about the origin of messages.

For shared keys, we postulate

\frac{P believes Q \overset{K}{\leftrightarrow} P, P sees {X}_{K}}{P believes Q said X}

That is, if $P$ believes that the key $K$ is shared with $Q$ and sees $X$ encrypted under $K$ , then $P$ believes that $Q$ once said $X$ .

Nonce-verification rule expresses the check that a message is recent, and hence, that the sender still believes in it

\frac{P believes fresh (X), P believes Q said X}{P believes Q believes X}

That is, if $P$ believes that $X$ could have been uttered only recently and that $Q$ once said $X$ , then $P$ believes that $Q$ believes $X$ .

Jurisdiction rule states that if $P$ believes that $Q$ has jurisdiction over $X$ , then $P$ trusts $Q$ on the truth of $X$

\frac{P believes Q controls X, P believes Q believes X}{P believes X}

If a principal sees a formula, then he also sees its components, provided he knows the necessary keys

\frac{P sees (X, Y)}{P sees X}, \frac{P sees {〈 X 〉}_{Y}}{P sees X}

\frac{P believes Q \overset{K}{\leftrightarrow} P (,) P sees {[X]}_{K}}{P sees X}

\frac{P believes \overset{K}{\mapsto} P, P sees {[X]}_{K}}{P sees X}

\frac{P believes \overset{K}{\mapsto} P, P sees {[X]}_{K^{- 1}}}{P sees X}

Note that if $P$ sees $X$ and $P$ sees $Y$ , it does NOT follow that $P$ sees $(X, Y)$ since that means that $X$ and $Y$ were uttered at the same time.

Freshness-conjuncatenation rule states that if one part of the formula is fresh, then the entire formula must be fresh

\frac{P believes fresh (X)}{P believes fresh (X, Y)}

Security goals. The proposed scheme will satisfy the following goals

g_{1} . C_{i} | \equiv C_{i} \overset{SK}{\leftrightarrow} S_{i}

g_{2} . S_{i} | \equiv C_{i} \overset{SK}{\leftrightarrow} S_{i}

g_{3} . C_{i} | \equiv S_{i} | \equiv C_{i} \overset{SK}{\leftrightarrow} S_{i}

g_{4} . S_{i} | \equiv C_{i} | \equiv C_{i} \overset{SK}{\leftrightarrow} S_{i}

Idealized scheme. We transform our scheme into the idealized form as follows

Ms g_{1} . C_{i} \to S_{i} : < VI D_{i} >_{h (y_{i} | | X_{S})}, (R_{C})_{h (I D_{i} | | X_{S})}, < Y_{i} >_{h (x)}

Ms g_{2} . S_{i} \to C_{i} : (R_{S})_{h (I D_{i} | | X_{S})}

Ms g_{3} . C_{i} \to S_{i} : (R_{C}, R_{S})_{h (I D_{i} | | X_{S})}

Ms g_{4} . S_{i} \to C_{i} : (R_{C}, R_{S}, C_{i} \overset{SK}{\leftrightarrow} S_{i})_{h (I D_{i} | | X_{S})}

Initiative premises. We make the assumptions about the initial state of the scheme to analyze the proposed scheme as follows

p_{1} . C_{i} | \equiv C_{i} \overset{h ((y_{i} | | X_{S}))}{\leftrightarrow} S_{i}

p_{2} . S_{i} | \equiv C_{i} \leftrightarrow^{h ((y_{i} | | X_{S}))} S_{i}

p_{3} . C_{i} | \equiv C_{i} \leftrightarrow^{h ((I D_{i} | | X_{S}))} S_{i}

p_{4} . S_{i} | \equiv C_{i} \leftrightarrow^{h ((I D_{i} | | X_{S}))} S_{i}

p_{5} . C_{i} | \equiv S_{i} | \equiv C_{i} \leftrightarrow^{h ((I D_{i} | | X_{S}))} S_{i}

p_{6} . S_{i} | \equiv C_{i} | \equiv C_{i} \leftrightarrow^{h ((I D_{i} | | X_{S}))} S_{i}

p_{7} . C_{i} | \equiv # (R_{S})

p_{8} . S_{i} | \equiv # (R_{C})

p_{9} . C_{i} | \equiv S_{i} \Rightarrow C_{i} \overset{SK}{\leftrightarrow} S_{i}

p_{10} . S_{i} | \equiv C_{i} \Rightarrow C_{i} \overset{SK}{\leftrightarrow} S_{i}

p_{11} . C_{i} | \equiv S_{i} \leftrightarrow^{h (x)} RC

Security analysis of the idealized form of the proposed scheme

$a_{1}$ . According to $Ms g_{1}$ , We could get

S_{i} ◃ < VI D_{i} >_{h (y_{i} | | X_{S})}, (R_{C})_{h (I D_{i} | | X_{S})}, < y_{i} >_{h (x)}

$a_{2}$ . According to $p_{2}$ and $p_{4}$ , we apply the message-meaning rule to obtain

S_{i} | \equiv C_{i} | ~ < VI D_{i} >_{h (y_{i} | | X_{S})}, (R_{C})_{h (I D_{i} | | X_{S})}

$a_{3}$ . According to $p_{8}$ , we apply the freshness-conjuncatenation rule to obtain

S_{i} | \equiv # (< VI D_{i} >_{h (y_{i} | | X_{S})}, (R_{C})_{h (I D_{i} | | X_{S})})

Then, we apply the nonce-verification rule to obtain

S_{i} | \equiv C_{i} | \equiv < VI D_{i} >_{h (y_{i} | | X_{S})}, (R_{C})_{h (I D_{i} | | X_{S})}

$a_{4}$ . According to $Ms g_{3}$ , we could get

S_{i} ◃ (R_{C}, R_{S})_{h (I D_{i} | | X_{S})}

$a_{5}$ . According to $p_{4}$ , we apply the message-meaning rule to obtain

S_{i} | \equiv C_{i} | ~ (R_{C}, R_{S})_{h (I D_{i} | | X_{S})}

$a_{6}$ . According to $p_{8}$ , we apply the freshness-conjuncatenation rule to obtain

S_{i} | \equiv # (R_{C}, R_{S})_{h (I D_{i} | | X_{S})}

Then, we apply the nonce-verification rule to obtain

S_{i} | \equiv C_{i} | \equiv (R_{C}, R_{S})_{h (I D_{i} | | X_{S})}

$a_{7}$ . According to $a_{6}$ and $p_{6}$ and $SK = h (R_{C}, R_{S}, h (I D_{i} | | X_{S}))$ , we could obtain

S_{i} | \equiv C_{i} | \equiv C_{i} \overset{SK}{\leftrightarrow} S_{i} (Goals 4)

$a_{8}$ . According to $a_{7}$ and $p_{9}$ , we apply the jurisdiction rule to obtain

S_{i} | \equiv C_{i} \overset{SK}{\leftrightarrow} S_{i} (Goals 2)

$a_{9}$ . According to $Ms g_{4}$ , we could get

C_{i} ◃ (R_{C}, R_{S}, C_{i} \overset{SK}{\leftrightarrow} S_{i})_{h (I D_{i} | | X_{S})}

$a_{10}$ . According to $p_{3}$ , we apply the message-meaning rule to obtain

C_{i} | \equiv S_{i} | ~ (R_{C}, R_{S}, C_{i} \overset{SK}{\leftrightarrow} S_{i})_{h (I D_{i} | | X_{S})}

$a_{11}$ . According to $p_{7}$ , we apply the freshness-conjuncatenation rule to obtain

C_{i} | \equiv # (R_{C}, R_{S}, C_{i} \overset{SK}{\leftrightarrow} S_{i})_{h (I D_{i} | | X_{S})}

Then, we apply the nonce-verification rule to obtain

C_{i} | \equiv S_{i} | \equiv (R_{C}, R_{S}, C_{i} \overset{SK}{\leftrightarrow} S_{i})_{h (I D_{i} | | X_{S})}

$a_{12}$ . According to $a_{11}$ , we apply the BAN Logic rule to break conjunctions to produce

C_{i} | \equiv S_{i} | \equiv C_{i} \overset{SK}{\leftrightarrow} S_{i} (Goals 3)

$a_{13}$ . According to $a_{12}$ and $p_{9}$ , we apply the jurisdiction rule to produce

C_{i} | \equiv C_{i} \overset{SK}{\leftrightarrow} S_{i} (Goals 1)

Table 2.

BAN logic notations.

Notations	Meaning
$P \| \equiv X$	$P$ believes $X$
$P ◃ X$	$P$ sees $X$
$P \| ~ X$	$P$ once said $X$
$P \Rightarrow X$	$P$ has jurisdiction over $X$
$# (X)$	$X$ is fresh
$P \overset{K}{\leftrightarrow} Q$	$P$ and $Q$ may use the shared key $K$
$P \overset{X}{⇌} Q$	$X$ is a secret known only to $P$ and to $Q$
$〈 X 〉_{Y}$	$X$ combined with the formula $Y$
$(X)_{K}$	$X$ hashed under the key $K$
${X}_{K}$	$X$ encrypted under the key $K$

According to (Goal 1), (Goal 2), (Goal 3), and (Goal 4), we know that $C_{i}$ and $S_{i}$ believe $SK$ is shared.

Security analysis against various attacks

Off-line ID guessing attack

The smart card and login message contain pseudo identities, $VI D_{i}$ and $DI D_{i}$ , which are random values. Suppose an adversary $A_{i}$ obtains these values and the smart card $S C_{i}$ . To derive an actual identity $I D_{i}$ from $VI D_{i}$ , the adversary is required to guess both $h (y_{i} | | X_{S})$ and $I D_{i}$ concurrently. The probability of guessing them correctly, when $I D_{i}$ is composed of $n$ characters and the hash value is taken as 160 bits, is approximately $1 / 2^{6 n + 160}$ and it is considered to be a computationally infeasible problem.^21,25 The complexity of our proposed scheme against this attack is higher than that of Cao and Ge’s scheme. To derive $I D_{i}$ from $DI D_{i}$ , $A_{i}$ is required to compute more, which means that the complexity is higher, because $DI D_{i}$ is dynamic.

User masquerading attack

$A_{i}$ is required to compute a valid login request to impersonate a legal user. $A_{i}$ may attempt to login to $S_{i}$ using the message ${DI D_{i}, Z_{i}, M_{2}, M_{3}, T_{1}}$ . However, $DI D_{i}$ is dynamic in every session, so $A_{i}$ cannot use the message repeatedly. Moreover, $A_{i}$ cannot generate a valid dynamic identity either because he or she cannot know $h (y_{i} | | X_{S})$ .

Server masquerading attack

To masquerade as a legal server, $A_{i}$ must compute messages ${M_{6}, M_{7}}$ and $h (SK)$ . An’s¹⁶ scheme and Cao and Ge’s¹⁷ scheme were vulnerable to this attack because $A_{i}$ could replay messages captured in a previous session. However, our proposed scheme is secure against this attack because we use timestamps, and the messages are fresh in each session.

User anonymity

We use pseudo identities to hide an actual identity. To derive $I D_{i}$ from $VI D_{i}$ or $DI D_{i}$ , $A_{i}$ should know $h (y_{i} | | X_{S})$ ; however, it is computationally infeasible to correctly guess $y_{i}$ and $X_{S}$ concurrently. Therefore, it is difficult for $A_{i}$ to derive $I D_{i}$ from pseudo identities.

Mutual authentication

The server verifies the legitimate user by checking the equivalence $M_{9} = h (M_{4} | | M_{5} | | R_{S} | | T_{2})$ . Likewise, the user ensures the validity of the server by checking the equivalence $h (S K^{'}) = h (SK)$ . However, $A_{i}$ can masquerade as neither the legitimate user nor the server. Therefore, the proposed scheme provides proper mutual authentication.

Forward secrecy

Suppose that the server’s secret key $X_{S}$ is compromised, the identity $I D_{i}$ is still unknown to $A_{i}$ . Therefore, $h (I D_{i} | | X_{S})$ is kept secret and $R_{C}$ and $R_{S}$ remain secure. Thus, compromise of $X_{S}$ does not allow $A_{i}$ to compute the previous session keys.

We compare the functionality features and the computational cost of the proposed scheme with those of other existing schemes. Table 3 compares the functionality features provided by our scheme with those of other existing schemes. ○ denotes the scheme provides the property; × denotes the scheme does not provide the property; NA denotes the scheme does not consider the property.

Table 3.

Comparisons of the functionality features.

	Das’s scheme¹⁵	Younghwa An’s scheme¹⁶	Cao and Ge’s scheme¹⁷	Proposed scheme
Resists ID guessing attack	NA	NA	×	○
Resists user masquerading attack	×	×	○	○
Resists server masquerading attack	×	×	×	○
and replay attack
Provides user anonymity	×	×	×	○
Provides mutual authentication	×	×	×	○
Provides session key agreement	×	×	×	○
Provides efficient password change	×	×	×	○
Provides forward secrecy	NA	NA	NA	○

Performance

In Table 4, we compare the computational cost. $T_{h}$ denotes the computation time for hash function; $T_{H}$ denotes the computation time for Bio-Hashing function. XOR operations are not considered because it can be ignored comparing with $T_{h}$ . Our scheme is constructed on one-way hash functions and XOR operations. The computation cost of ours is similar to An¹⁶ and Cao and Ge,¹⁷ but the proposed scheme provides the enhanced security functionalities and is secure against various attacks.

Table 4.

Comparisons of the computation costs.

	Das’s scheme¹⁵			Younghwa An’s scheme¹⁶			Cao and Ge’s scheme¹⁷			Proposed scheme
	User	RC	Server	User	RC	Server	User	RC	Server	User	RC	Server
Registration	0	$3 T_{h}$	0	0	$3 T_{h}$	0	0	$7 T_{h}$	0	$T_{H}$	$6 T_{h}$	0
Login	2 $T_{h}$	$0$	0	$3 T_{h}$	0	0	$4 T_{h}$	0	0	$1 T_{H} + 5 T_{h}$	0	0
Authentication	3 $T_{h}$	$3 T_{h}$	5 $T_{h}$	$2 T_{h}$	0	$4 T_{h}$	$3 T_{h}$	0	$4 T_{h}$	$4 T_{h}$	0	$8 T_{h}$
Total	5 $T_{h}$	$3 T_{h}$	5 $T_{h}$	$5 T_{h}$	$3 T_{h}$	$4 T_{h}$	$7 T_{h}$	$7 T_{h}$	$4 T_{h}$	$2 T_{H} + 9 T_{h}$	$6 T_{h}$	$8 T_{h}$

Conclusion

Users are able to access and utilize advanced services owing to the growth of Internet technology and smart devices. However, given the unsolved security problems and adversaries that are sufficiently powerful to control communication, users are exposed to malicious attacks, and extension of Internet service is limited. To ensure authorized and secure communication, a user and server should verify each other’s legitimacy.

In this article, we demonstrated the security vulnerability of Cao and Ge’s scheme and its incorrectness in re-registration phase. We noted that their scheme is vulnerable to off-line ID guessing attack and server masquerading attack and fails in correctness. In addition, we proposed an enhanced multi-factor biometric authentication scheme with better security functionality than that of Cao and Ge. Our scheme supports a dynamic identity mechanism using timestamps and resists off-line ID guessing attack and server masquerading attack. Our scheme satisfies all desirable security attributes, as demonstrated in the security analysis.

Footnotes

Academic Editor: Feng Hong

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (2017R1A2B1002147).

References

Madhusudhan

Mittal

. Dynamic id-based remote user password authentication schemes using smart cards: a review. J Netw Comput Appl 2012; 35(4): 1235–1248.

Mishra

Kumari

Khan

et al . An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems. Int J Commun Syst 2017; 30: e2946.

Mishra

Das

Chaturvedi

et al . A secure password-based authentication and key agreement scheme using smart cards. J Inform Secur Appl 2015; 23: 28–43.

Lee

Hwang

. A remote user authentication scheme using hash functions. ACM SIGOPS Oper Syst Rev 2002; 36(4): 23–29.

Hwang

. A new remote user authentication scheme using smart cards. IEEE T Consum Electr 2000; 46(1): 28–30.

Sun

. An efficient remote use authentication scheme using smart cards. IEEE T Consum Electr 2000; 46(4): 958–961.

Chien

Jan

Tseng

. An efficient and practical solution to remote authentication: smart card. Comput Secur 2002; 21(4): 372–375.

Mishra

. On the security flaws in id-based password authentication schemes for telecare medical information systems. J Med Syst 2015; 39(1): 1–16.

Niu

Liao

et al . Cryptanalysis of a dynamic identity-based remote user authentication scheme with verifiable password update. Int J Commun Syst 2015; 28(2): 374–382.

10.

Chang

Chiang

. Further cryptanalysis of fingerprint-based remote user authentication scheme using smartcards. Electron Lett 2005; 41(5): 240–241.

11.

Chang

Lai

. An improved biometrics-based user authentication scheme without concurrency system. Int J Intell Inform Process 2010; 1(1): 41–49.

12.

Tan

. A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. J Med Syst 2014; 38(3): 1–9.

13.

Niu

Khan

et al . Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Secur Commun Netw 2016; 9: 1916–1927.

14.

Hwang

. An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 2010; 33(1): 1–5.

15.

Das

. Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inform Secur 2011; 5(3): 145–151.

16.

. Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. BioMed Res Int 2012; 2012: 519723.

17.

Cao

. Analysis and improvement of a multi-factor biometric authentication scheme. Secur Commun Netw 2015; 8(4): 617–625.

18.

Burrows

Abadi

Needham

. A logic of authentication. P Roy Soc Lond A Mat 1989; 426: 233–271.

19.

Jin

ATB

Ling

DNC

Goh

. Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn 2004; 37(11): 2245–2255.

20.

Lumini

Nanni

. An improved biohashing for human authentication. Pattern Recogn 2007; 40(3): 1057–1065.

21.

Chang

Shiao

DRS

. A uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J Med Syst 2013; 37(2): 1–10.

22.

Belguechi

Rosenberger

Ait-Aoudia

. Biohashing for securing minutiae template. In: Proceedings of the 2010 20th international conference on pattern recognition (ICPR), Istanbul, Turkey, 23–26 August 2010, pp.1168–1171. New York: IEEE.

23.

Kumari

Khan

. An improved remote user authentication scheme with key agreement. Comput Electr Eng 2014; 40(6): 1997–2012.

24.

Cao

Zhai

. Improved dynamic ID-based authentication scheme for telecare medical information systems. J Med Syst 2013; 37(2): 1–7.

25.

Das

Goswami

. A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J Med Syst 2013; 37(3): 1–16.

Security analysis and enhancements of an improved multi-factor biometric authentication scheme

Abstract

Keywords

Introduction

Cryptanalysis of Cao and Ge’s scheme

Enhancements of Cao and Ge’s scheme

Security analysis against various attacks

Preliminaries

Notations

Bio-hashing

Review of Cao and Ge’s authentication scheme

Registration phase

Re-registration phase

Login phase

Authentication phase

Cryptanalysis of Cao and Ge’s authentication scheme

Incorrectness in registration phase

Off-line identity guessing attack

Server masquerading attack

The proposed remote user authentication scheme

Registration phase

Login phase

Authentication phase

Password change phase

Analysis

Authentication proof based on BAN logic

Security analysis against various attacks

Off-line ID guessing attack

User masquerading attack

Server masquerading attack

User anonymity

Mutual authentication

Forward secrecy

Performance

Conclusion

Footnotes

Declaration of conflicting interests

Funding

References