Sage Journals: Discover world-class research

Abstract

With the wide deployment of new computing paradigms, such as cloud computing and edge computing, the people can access services provided by remote servers more conveniently via the Internet. To preserve the security of those messages transmitted over the public channel, remote user authentication protocols are popularly implemented in various information systems. Recently, Park et al. pointed that Cao and Ge’s three-factor authentication scheme suffers from offline identity guessing attack and server impersonation attack. They also proposed a new scheme after presenting the corresponding cryptanalysis. However, we found that Park et al.’s scheme is vulnerable to offline password guessing attack, which is the most serious threat against this kind of authentication scheme. In addition, their scheme cannot provide complete correctness due to the misuse of bio-hashing and also fails to achieve user untraceability and perfect forward secrecy. To conquer these security pitfalls, we put forward a password, smart card, and biometrics-based three-factor remote user authentication scheme using the extended Chebyshev chaotic maps. The security analysis indicates that the proposed scheme can withstand various well-known attacks including offline guessing attack, impersonation attack, and so on. The performance evaluation shows that the proposed scheme provides stronger security guarantee at the cost of acceptable computation overhead. Thus, the proposed scheme is more desirable for securing communication in mobile networks.

Keywords

Multi-factor authentication cryptanalysis chaotic maps mobile networks

Introduction

The emergence of new computing paradigms (e.g. cloud computing and edge computing) brings great convenience for the daily life of human being, such as cloud-assisted e-healthcare that employs sensors to collect health information. This enables users to remotely access these services and transmit data at anytime and anywhere through wireless sensor networks connected to the Internet. To ensure services are legally accessed and users’ private information transmitted over the public channel are well protected, remote user authentication protocols^1–5 are essential for these information systems.

Informally, with the help of a remote user authentication scheme, a user (or a sensor node) and the remote server can check the validity of each other. That is, the user can be sure that the server is the intended server rather than a malicious one, and the remote server can ensure that the user is a registered legal user. In addition, after they authenticate each other, a shared session key can be established to secure subsequent communications between them. Early remote user authentication protocols^6,7 only use human-rememberable passwords and thus are inherently vulnerable to offline password guessing attack and insider attack.

To further strengthen the security of remote authentication scheme, smart card–based password authentication scheme^8,9 was introduced. In the setting of this kind of authentication scheme, a user holds a password and a smart card containing related secret values. Only those users, who provide correct password and the corresponding smart card simultaneously, can pass through the authentication of the remote server. Meanwhile, the remote server no longer needs to maintain a verification table. Since the introduction of password and smart card–based two-factor authentication scheme, toward to different application environments, many related schemes^10–16 have been presented. On the other hand, due to the uniqueness of biometrics (e.g. fingerprint and irides), biometrics are recently introduced into the design of smart card and password-based authentication scheme, as the third authentication factor. Such a scheme is named as three-factor remote user authentication scheme. Naturally, biometric-based three-factor authentication scheme is more secure than previous authentication schemes.

In 2010, Li and Hwang¹⁷ used hash function to construct a three-factor authentication scheme with low computation overhead. But Das¹⁸ found that Li-Hwang’s scheme suffers from various attacks and presented an improved scheme. However, An¹⁹ pointed out that Das’ scheme also cannot withstand impersonation attack and server spoofing attack. Although An¹⁹ put forward a new three-factor authentication scheme, Khan and Kumari²⁰ demonstrated that this scheme cannot resist offline guessing attack, Cao and Ge²¹ showed that this scheme is vulnerable to replay attack. Subsequently, Yeh et al.²² and Wu et al.²³ further analyzed the security of these schemes.

Recently, Park et al.²⁴ pointed out that Cao and Ge’s²¹ authentication scheme suffers from off-line identity guessing attack and server masquerading attack. Then, a new three-factor authentication scheme with user untraceability was put forward after criticizing. Unfortunately, we found that Park et al.’s²⁴ scheme is vulnerable to offline password/identity guessing attack and in fact fails to achieve untraceability and perfect forward secrecy. In addition, their authentication scheme has serious shortage in terms of correctness and usability owning to the misuse of bio-hashing. To overcome these security pitfalls in Park et al.’s scheme, we propose a security-enhanced three-factor remote user authentication scheme based on the extended Chebyshev chaotic maps. We show that the proposed scheme can withstand various well-known attacks including offline password guessing attack, impersonation attack, replay attack, and so on. In addition, the proposed scheme also enjoys several desirable security properties, such as mutual authentication, key agreement, and perfect forward secrecy. The performance discussion indicates that the proposed scheme provides stronger security guarantees, at the cost of accepted computation overhead. Thus, it is more desirable for securing communications in mobile networks.

Preliminaries

In this section, we briefly review the preliminaries used in the proposed scheme.

Notations

Assume that $U_{i}$ is a user, and S is the remote sever. Table 1 summarizes the notation used throughout this article.

Table 1.

The notations used throughout this article.

Notation	Description
S	The remote server
$α, β$	The master secret key of S
$U_{i}$	The ith system user
$I D_{i}$	The user U_i’s identity
$P W_{i}$	The user U_i’s password
$B_{i}$	The biometric template of the user $U_{i}$
$M_{bio} (\cdot, \cdot)$	A biometric matching algorithm
$h (\cdot)$	Secure one-way hash function
$H (\cdot)$	Bio-hashing function
⊕	The exclusive or operation
\|\|	The concatenation operation
$x, y$	Random integers picked by $U_{i}$ and S
$S K_{i, s}, S K_{s, i}$	Secret valued computed by $U_{i}$ and S
$T_{i, 1}, T_{s, 1}$	The timestamps on sides of $U_{i}$ and S
$Δ T$	The maximum delay allowed

Chebyshev chaotic maps

The chaotic map has been widely used in the literature of cryptography, for example, chaotic map–based encryption,²⁵ digital signature,²⁶ and authentication protocols.^27,28

Specifically speaking, the Chebyshev polynomial $T_{x} (u)$ is a polynomial with degree x and is defined as²⁹

T_{x} (u) = \cos (x \cdot θ), where u = \cos θ

Moreover, the recurrence relation of $T_{x} (u)$ is defined as

T_{x} (u) = 2 u T_{x - 1} (u) - T_{x - 2} (u)

for any integer $x \geq 2$ , with $T_{0} (u) = 1$ and $T_{1} (u) = u$ .

The Chebyshev polynomial also features of the semigroup property and satisfies

T_{x} (T_{y} (u)) \equiv T_{x y} (u) \equiv T_{y} (T_{x} (u)) \mod p

for any positive integers x and y and large prime p.

The security of the proposed three-factor authentication scheme is built upon the intractability of the chaotic map–based discrete logarithm problem (DLP) and the chaotic map–based computational Diffie–Hellman problem (CDHP), which are defined as follows

Property 1 (Chaotic map–based DLP)

Given u, r, and p, it is hard to find an integer x satisfying $T_{x} (u) = r mod p$ .

Property 2 (Chaotic map–based CDHLP)

Given $T_{x} (u)$ , $T_{y} (u)$ , $T (\cdot)$ , u, and p, where $x, y \geq 2$ , $u \in (- \infty, + \infty)$ , and p is a large prime, it is hard to compute $T_{xy} (u) \equiv T_{x} (T_{y} (u)) \equiv T_{y} (T_{x} (u)) mod p$ .

Bio-hashing

Jin et al.³⁰ combined fingerprint and pseudo-random number to achieve two-factor authentication. Specifically speaking, a user’s fingerprint image $B_{i}$ is first transformed to a vector, which is further used to perform inner product with a set of pseudo-random number. Then, depending on a given threshold value, each inner product is mapped to 0 or 1. This results in a binary string $b_{i}$ , that is, $H (B_{i}) = b_{i}$ , where $H (\cdot)$ is the concrete bio-hashing algorithm. Lumini and Nanni³¹ further put forward improved bio-hashing. Now, bio-hashing has been widely used in the design of human authentication schemes.^32–34

From a perspective of practicability, fingerprints imprinted from the same person are different from each other, thus the resulted bio-hashing values are also slightly different. But given a matching algorithm $M_{bio} (\cdot, \cdot)$ and two fingerprints $B_{i}$ , $B_{i}^{'}$ from the same user, the matching result $M_{bio} (H (B_{i}), H (B'_{i}))$ is smaller than a given threshold value $τ$ with overwhelming probability.

Review of Park et al.’s scheme

In this section, we briefly review Park et al.’s²⁴ authentication scheme, which comprises four phases, namely, system user registration phase, login phase, authentication phase, and password change phase, which are performed as follows.

Registration phase

Each system user $U_{i}$ needs to register with the remote server S for legally accessing the provided service. To this end, the user $U_{i}$ and the server S execute the following procedure.

1. The user $U_{i}$ freely chooses a personal password $P W_{i}$ and an identity $I D_{i}$ , and also imprints his or her biometrics $B_{i}$ via a sensor. Moreover, $U_{i}$ chooses a random number K and calculates $RP W_{i} = P W_{i} \oplus K$ , $R B_{i} = H (B_{i}) \oplus K$ . Then, the user $U_{i}$ sends the registration request message ${RM}_{i} = {I D_{i}, RP W_{i}, R B_{i}}$ to the server S through a secure channel.

2. Upon receiving the registration request message ${RM}_{i}$ , the server S picks a unique random number $λ_{i}$ for $U_{i}$ , and further successively computes

\begin{matrix} f_{i} = h (R B_{i}), r_{i} = h (RP W_{i}) \oplus f_{i}, e_{i} = h (I D_{i} | | α) \oplus r_{i} \\ Z_{i} = λ_{i} \oplus h (β), G_{i} = h (h (I D_{i} | | α)) \\ VI D_{i} = h (λ_{i} | | α) \oplus I D_{i} \oplus h (RP W_{i} | | f_{i}) \end{matrix}

Then, the server S writes ${VI D_{i}, h (\cdot), H (\cdot), f_{i}, e_{i}, Z_{i}, G_{i}}$ into a new smart card, which is later issued to the user $U_{i}$ in a secure way. In addition, the server S stores the tuple $(I D_{i}, VI D_{i})$ into the registration table.

3. After receiving the smart card issued by the server S, the user $U_{i}$ rewrites the random number K into the smart card.

Login phase

A user $U_{i}$ logins into the remote server S by conducting the following steps:

The user $U_{i}$ inserts the smart card into a card reader, and imprints his or her biometric information $B'_{i}$ . Then, the smart card computes $h (H (B'_{i}) \oplus K)$ and checks that if it is equal to $f_{i}$ . If not, the smart card terminates the login process. Otherwise, the smart card goes to the next step.

The user $U_{i}$ inputs the corresponding password $P W_{i}$ and the identity $I D_{i}$ . Then, the smart card chooses a random number $x_{i}$ and computes

\begin{matrix} r'_{i} = h (P W_{i} \oplus K) \oplus f_{i}, m_{1} = e_{i} \oplus r'_{i}, m_{2} = m_{1} \oplus x_{i} \\ h (λ_{i} | | α) = VI D_{i} \oplus I D_{i} \oplus h (P W_{i} \oplus K | | h (H (B_{i'}) \oplus K)) \\ m_{3} = h (m_{1} | | x_{i} | | T_{i, 1}), DI D_{i} = VI D_{i} \oplus h (h (λ_{i} | | α) | | T_{i, 1}) \end{matrix}

where $T_{i, 1}$ is the current timestamp.

Finally, the smart card sends the login request message ${LM}_{i} = {DI D_{i}, Z_{i}, m_{2}, m_{3}, T_{i, 1}}$ to the server S via a public channel.

Authentication phase

After finishing the login process, the user $U_{i}$ and the server S need to further run the authentication procedure for verifying the validity of each other and establishing a shared session key. As indicated in Figure 1, the details of this procedure are specified as follows:

Upon receiving the login request message ${LM}_{i}$ from the user $U_{i}$ , the server S checks that if $T_{s, 1} - T_{i, 1} \leq Δ T$ , where $T_{s, 1}$ is the current timestamp. If not, S terminates the authentication procedure. Otherwise, S further computes $λ_{i} = Z_{i} \oplus h (β)$ , $VI D_{i'} = DI D_{i} \oplus h (h (λ_{i} | | α) | | T_{i, 1})$ , and checks if $VI D_{i'}$ is equal to some $VI D_{i}$ stored in the registration table in the form of $(VI D_{i}, I D_{i})$ . If not, the server S rejects the session. Otherwise, the serve S goes to the next step.

The server S computes $m'_{1} = h (I D_{i} | | α)$ , $x'_{i} = m_{2} \oplus m'_{1}$ , and $m'_{3} = h (h (I D_{i} | | α) | | x'_{i} | | T_{i, 1})$ and checks if $m'_{3} = m_{3}$ . If not, the server S terminates this session. Otherwise, S selects a random number $y_{s}$ and calculates $m_{4} = m_{1'} \oplus y_{s}$ , $m_{5} = h (m'_{1} | | y_{s} | | T'_{s, 1})$ , where $T'_{s, 1}$ is the current timestamp. Then, the server S returns the authentication response message ${AM}_{s} = {m_{4}, m_{5}, T'_{s, 1}}$ to the user $U_{i}$ .

After receiving the response message from the server S, the smart card checks that if $T'_{i, 1} - T'_{s, 1} \leq Δ T$ , where $T'_{i, 1}$ is the current timestamp. If not, the smart card terminates this session. Otherwise, it further computes $y'_{s} = m_{4} \oplus m_{1}$ and $m_{5'} = h (m_{1} | | y'_{s} | | T'_{s, 1})$ and verifies if $m_{5'} = m_{5}$ . If not, the smart card terminates the session. Otherwise, the smart card computes $m_{6} = h (m_{1} | | x_{i} | | y_{s'} | | T_{i, 2})$ and sends the response message ${AM}_{i} = {m_{6}, T_{i, 2}}$ to the server S, where $T_{i, 2}$ is the current timestamp. Meanwhile, it computes a shared session key $S K_{i} = h (x_{i} | | y'_{s} | | T'_{s, 1} | | T_{i, 2} | | m_{6})$ .

When receiving the message ${AM}_{i}$ from the user $U_{i}$ , the server S checks if $T_{s, 2} - T_{i, 2} \leq Δ T$ , where $T_{s, 2}$ is the current timestamp. If not, the server S stops the session. Otherwise, it computes $m'_{6} = h (m'_{1} | | x'_{i} | | y_{s} | | T_{i, 2} | | m_{6})$ and checks if $m_{6'} = m_{6}$ . If not, the server S also terminates the session. Otherwise, it computes a shared session key $S K_{s} = h (x'_{i} | | y_{s} | | T'_{s, 1} | | T_{i, 2})$ and sends ${AM'}_{s} = {h (S K_{s})}$ to the user $U_{i}$ .

After getting the message ${AM}_{s}$ , the smart card verifies the validity of $h (S K_{s})$ by comparing it with $h (S K_{i})$ . If they are equal, then the server S is authenticated by the user $U_{i}$ , and a common session key $S K_{s} = S K_{i}$ has been shared between them.

Figure 1.

Password change phase

In this phase, a user $U_{i}$ is allowed to freely update the original password by conducting the following steps:

The user $U_{i}$ inserts the smart card into a card reader and then inputs the original password $P W_{i}$ , a new password ${PW}_{i}^{new}$ as well as the identity $I D_{i}$ . In addition, the user $U_{i}$ imprints his or her biometrics ${B_{i}}^{'}$ via a sensor.

The smart card recomputes $f'_{i} = h (H (B'_{i}) \oplus K)$ and checks if $f'_{i} = f_{i}$ . If not, the smart card stops the update procedure. Otherwise, it computes $r'_{i} = h (P W_{i} \oplus K) \oplus f'_{i}$ and $G'_{i} = h (h (e_{i} \oplus r'_{i}))$ and further checks if $G'_{i} = G_{i}$ . If not, the smart card also terminates the update process. Otherwise, the smart card goes to the next step.

The smart card recomputes $r_{i}^{new} = h ({PW}_{i}^{new} \oplus K) \oplus {f_{i}}^{'}$ , $e_{i}^{new} = e_{i} \oplus r_{i'} \oplus r_{i}^{new}$ , $G_{i}^{new} = h (h (e_{i}^{new} \oplus r_{i}^{new}))$ . Then, the smart card replaces $e_{i}$ and $G_{i}$ with $e_{i}^{new}$ and $G_{i}^{new}$ , respectively.

Cryptanalysis of Park et al.’s scheme

In this section, we first demonstrate that Park et al.’s²⁴ scheme cannot be implemented in practical applications due to the incorrect usage of user biometrics. Moreover, we point out that this scheme even suffers from offline password/identity guessing attack and impersonation attack and therefore fails to provide the claimed security properties. In addition, Park et al.’s scheme cannot preserve user anonymity and provide perfect forward secrecy.

Before giving the details of the above-mentioned attacks, we capture the capacity of an adversary $A$ by the following attack model, which is widely accepted and adopted in the literature of multi-factor authentication scheme. Specifically, in this attack model, the adversary $A$ is allowed to perform the following operations:

The adversary $A$ completely controls the communication channels between any user and the remote server. This implies that $A$ can eavesdrop any message transmitted over these public channels. Moreover, it can intercept, modify, replay, and insert any message in these public channels.

The adversary $A$ can get any user’s either password or smart card, but not the both. In addition, after obtaining the smart card, the adversary $A$ can extract those secret values stored in the smart card using some particular technologies.^35,36

An insider user or server might be malicious. That is, the adversary $A$ can collude with such a malicious one.

Correctness and usability of Park et al.’s scheme

We note that in the login phase of Park et al.’s scheme, the user $U_{i}$ is required to imprint his or her biometrics $B'_{i}$ via a sensor. Then, the smart computes $f_{i'} = h (H (B'_{i}) \oplus K)$ and checks if it is equal to $f_{i} = h (H (B_{i}) \oplus K)$ , where $B_{i}$ is U_i’s biometrics imprinted in the registration phase. If not, the smart card will stop the login procedure.

Now we recall that $h (\cdot)$ is assumed to be a one-way secure hash function. This implies that it is sensitive of its inputs. In other words, if $f'_{i} = f_{i}$ then it must be $H (B_{i}) = H (B'_{i})$ . However, by the property of the bio-hashing function $H (\cdot)$ , we have that the equality $H (B_{i}) = H (B'_{i})$ only holds with a low probability when $B_{i} \neq B'_{i}$ . On the other hand, from the perspective of practicability, it is intractable for the sensor to capture the same biometrics every time. Therefore, the correctness of Park et al.’s scheme requires a user to imprint the same biometrics in each login instance and makes it unusable in practical applications. So we conclude that the correctness and usability of Park et al.’s scheme collide with each other.

Offline guessing attack

To launch offline password guessing attack against an insider registered user $U_{i}$ , the adversary $A$ needs to record these messages ${LM}_{i}$ , ${AM}_{s}$ , ${AS}_{i}$ , ${AM'}_{s}$ transmitted in an instance of the login and authentication procedure executed between $U_{i}$ and the remote server S. Then, the adversary $A$ obtains the user U_i’s smart card, from which the adversary $A$ can further extract ${VI D_{i}, h (\cdot), H (\cdot), f_{i}, e_{i}, Z_{i}, G_{i}, K}$ using particular technologies.^35,36 After that, the adversary $A$ performs the attack by conducting the following steps:

Step 1. Establish the candidate password set $P_{i}$ according to the user U_i’s personal information.

Step 2. Select a candidate password ${PW}_{i}^{*}$ from the set $P_{i}$ and successively compute $r_{i}^{*} = h ({PW}_{i}^{*} \oplus K) \oplus f_{i}$ , $h (I D_{i} | | α)^{*} = e_{i} \oplus r_{i}^{*}$ , $G_{i}^{*} = h (h (I D_{i} | | α)^{*})$ .

Step 3. Check that if $G_{i}^{*}$ is equal to $G_{i}$ . If yes, the user U_i’s password is correctly recovered as ${PW}_{i}^{*}$ . Otherwise, repeat Step 1 and Step 2 until the correct one is captured.

In fact, the adversary $A$ can also utilize those publicly transmitted messages to launch the offline password guessing attack. Specifically speaking, the adversary $A$ first computes $x_{i}^{*} = m_{2} \oplus h (I D_{i} | | α)^{*}$ and $m_{3}^{*} = h (h (I D_{i} | | α)^{*} | | x_{i}^{*} | | T_{i, 1})$ . Then, $A$ can check the validity of ${PW}_{i}^{*}$ by verifying if it holds that $m_{3}^{*} = m_{3}$ .

Denote by $T_{h}$ the running time of one hash operation and $T_{x}$ the running time of one XOR operation. Then, we can see that the computation cost of one loop of the above attack is roughly $O (3 T_{x} + 3 T_{h})$ , and the complexity of completing the offline password guessing attack is $O (3 | P_{i} | (T_{x} + 3 T_{h}))$ , where $| P_{i} |$ is the size of the candidate set $P_{i}$ . This implies that the adversary $A$ can correctly recover U_i’s password in polynomial time, which may be only several minutes on a PC.

After recovering the correct password $P W_{i}$ , the adversary $A$ can further extract the user U_i’s real identity by launching offline identity guessing attack. Specifically, $A$ first selects a candidate identity ${ID}_{i}^{*}$ from the candidate identity set $I_{i}$ and computes $h (λ_{i} | | α)^{*} = VI D_{i} \oplus {ID}_{i}^{*} \oplus h (RP W_{i} | | f_{i})$ . Then, it further calculates ${DID}_{i}^{*} = VI D_{i} \oplus h (h (λ_{i} | | α)^{*} | | T_{i, 1})$ . As a result, the adversary $A$ can verify the validity of ${ID}_{i}^{*}$ by checking if ${DID}_{i}^{*} = DI D_{i}$ . Similarly, the adversary $A$ can get the user U_i’s identity $I D_{i}$ in minutes on a PC. In practice, the establishment of the candidate password set is related to personal information and depends on social engineering.

Other security pitfalls

First, with the recovered password $P W_{i}$ and the identity $I D_{i}$ as well as the knowledge of the smart card, the adversary $A$ can naturally impersonate the $U_{i}$ just by running the original scheme regularly. Second, although a user $U_{i}$ uses a different dynamic identity $DI D_{i}$ in each authentication instance, the value $Z_{i}$ is the same in all instances. Thus, the scheme in fact fails to provide untraceability. In addition, the server S is required to maintain a registration table for verifying the identity validity of system users, which would make the scheme vulnerable to insider attack. Third, we note that the generated session key is derived from the random numbers contributed by the protocol participants with the hash function $h (\cdot)$ . Thus, the scheme cannot provide perfect forward secrecy. That is, once either the user’s secret values or the master secret key of the server S get exposed, those previously shared session keys would be recovered, which will result in the disclosure of the private information transmitted over those secure channels based on these session keys.

The proposed three-factor authentication scheme

In this section, we propose a new three-factor authentication scheme to overcome the above-mentioned security pitfalls in Park et al.’s²⁴ scheme. Informally, we utilize chaotic map–based Diffie–Hellman key exchange to achieve perfect forward secrecy and mutual authentication. In addition, the smart card no longer locally checks the validity of the user password, which prevents the proposed scheme from being vulnerable to offline password guessing attack. The collision-resistant hash function and timestamp are used to guarantee the freshness of transmitted messages. Particularly, we do not consider user anonymity. In fact, this can be achieved by extending our scheme with a symmetric cryptosystem, as illustrated in existing schemes.^14,37,38

Specifically, the proposed scheme consists of four phases, that is, initialization, registration, login and authentication, and password change. The details of these phases are as follows.

Initialization phase

Initially, the remote server S picks a large prime p and defines Chebyshev polynomial $T (\cdot)$ . In addition, it chooses a random number u to compute the polynomial $T (u)$ , and let the master secret key be $α$ . Moreover, the remote server S selects a cryptographically secure hash function $h (\cdot)$ , and a bio-hashing function $H (\cdot)$ associated with a matching algorithm $M_{bio} (\cdot, \cdot)$ .

Registration phase

In this phase, as indicated in Figure 2, each system user $U_{i}$ needs to register with the remote server S by conducting the following steps:

The user $U_{i}$ selects an identity $I D_{i}$ and a password $P W_{i}$ that are both easy to remember, and imprints biometrics $B_{i}$ via a sensor. Then, $U_{i}$ picks a random number $N_{i}$ , and computes $R P_{i} = h (P W_{i} | | I D_{i} | | N_{i})$ , $R B_{i} = H (B_{i}) \oplus h (N_{i})$ . Moreover, the user $U_{i}$ sends the registration information ${RM}_{i} = {R P_{i}, R B_{i}, I D_{i}}$ to the remote server S via a secure channel.

Upon receiving the registration requirement from $U_{i}$ , the remote server S checks U_i’s validity, and then computes $W_{i} = h (I D_{i} | | α) \oplus R P_{i}$ , $Z_{i} = h (I D_{s} | | h (I D_{i} | | α)) \oplus R B_{i}$ . The server S further writes ${W_{i}, Z_{i}, h (\cdot), H (\cdot), T (u), I D_{s}}$ into a new smart card and issues it to $U_{i}$ in a secure way.

After obtaining the smart card, the user $U_{i}$ rewrites the random number $N_{i}$ into it. This completes the registration procedure.

Figure 2.

User registration phase of the proposed scheme.

Login and authentication phase

If a registered user $U_{i}$ wants to access the service provided by the server S, then they have to interactively perform the login and authentication process to check the validity of each other. Meanwhile, a shared session key would be established to secure subsequent communications between them. More precisely, as illustrated in Figure 3, this process is specified as follows:

1. The user $U_{i}$ attaches his or her smart card to a card reader and inputs the password $P W_{i}$ and identity $I D_{i}$ . At the same time, $U_{i}$ imprints his or her biometrics $B'_{i}$ via a sensor.

2. The smart card successively recomputes

R P'_{i} = h (I D_{i} | | P W_{i} | | N'_{i}), r'_{i} = W_{i} \oplus P R'_{i} = h (I D_{i} | | α)

H (B_{i}) = Z_{i} \oplus h (I D_{s} | | h (I D_{i} | | α)) \oplus h (N_{i})

Then, the smart card performs the matching algorithm $M_{bio} (H (B_{i}), H (B_{i'}))$ and checks if the result is beyond the given threshold value $τ$ . If yes, the smart card stops this session. Otherwise, it goes to the next step.

3. The smart card selects a random integer x and computes $X_{i} = T_{x} (u)$ , $X'_{i} = X_{i} \oplus r'_{i}$ and $M_{i, 1} = h (I D_{i} | | I D_{s} | | X_{i'} | | T_{i, 1})$ , where $T_{i, 1}$ is the current timestamp. Then, the smart card sends the login message ${LM}_{i} = {M_{i, 1}, X'_{i}, I D_{i}, T_{i, 1}}$ to the remote server via a public channel.

4. Upon the receipt of the login request from $U_{i}$ , the server S checks if it holds that $h (I D_{i} | | I D_{s} | | X'_{i} | | T_{i, 1}) = M_{i, 1}$ and $| T_{s, 1} - T_{i, 1} | \leq Δ T$ , where $T_{s, 1}$ is the current timestamp. If not, the server S terminates this session. Otherwise, it selects a random integer y and computes

r_{i} = h (I D_{i} | | α), {X ″}_{i} = X_{i'} \oplus r_{i}, K_{s, i} = T_{y} ({X ″}_{i})

Y_{s} = T_{y} (u), M_{s, 1} = h (I D_{i} | | I D_{s} | | {X ″}_{i} | | Y_{s} | | K_{s, i} | | T'_{s, 1})

where $T'_{s, 1}$ is the current timestamp. Then, S further sends the login response message ${RM}_{s} = {Y_{s}, M_{s, 1}, T'_{s, 1}}$ to the user $U_{i}$ .

5. After receiving the response from the server S, the smart card first checks the validity of $T'_{s, 1}$ in a similar way. If it cannot pass through the check, the smart card terminates this session. Otherwise, it recomputes $K_{i, s} = T_{x} (Y_{s})$ and $M'_{s, 1} = h (I D_{i} | | I D_{s} | | X_{i} | | Y_{s} | | K_{i, s} | | T'_{s, 1})$ . Then, if verifies that if $M'_{s, 1}$ is equal to $M_{s, 1}$ . If not, the smart card also stops the session. Otherwise, the remote sever S is authenticated by the user $U_{i}$ . The smart card further computes $M_{i, 2} = h (X_{i} | | Y_{s} | | K_{i, s} | | T_{i, 2})$ and sends the authentication message ${AM}_{i} = {M_{i, 2}, T_{i, 2}}$ to the sever S.

6. Upon receiving the authentication message from $U_{i}$ , the server directly checks if $h ({X ″}_{i} | | Y_{s} | | K_{s, i} | | T_{i, 2}) = M_{i, 2}$ and $| T_{i, 2} - T_{s, 2} | \leq Δ T$ , where $T_{s, 2}$ is the current timestamp. If yes, then the user $U_{i}$ is authenticated by the remote server. Finally, both $U_{i}$ and S computes a shared session key $SK = h (I D_{i} | | I D_{s} | | X_{i} | | Y_{s} | | K_{i, s})$ . This completes the procedure of login and authentication.

Figure 3.

Password change phase

In this phase, a system user $U_{i}$ is allowed to update his or her original password in an online way. That is, the user $U_{i}$ first passes through the authentication of the remote server S and then conducts the following steps to update the password:

The user $U_{i}$ inputs the currently used password $P W_{i}$ , the identity $I D_{i}$ , and a new password ${PW}_{i}^{new}$ .

The smart card chooses a new random number $N_{i}^{new}$ and computes

{RP}_{i}^{new} = h (I D_{i} | | {PW}_{i}^{new} | | N_{i}^{new}), R P_{i} = h (I D_{i} | | P W_{i} | | N_{i})

Z_{i}^{new} = h (I D_{s} | | W_{i} \oplus R P_{i}) \oplus h (N_{i}) \oplus h (N_{i}^{new})

W_{i}^{new} = W_{i} \oplus {RP}_{i}^{new} \oplus R P_{i}

Then, the smart card replaces $W_{i}$ , $Z_{i}$ , and $N_{i}$ with $W_{i}^{new}$ , $Z_{i}^{new}$ , and $N_{i}^{new}$ respectively.

Formal proof

In this section, we formally prove the security of the improved protocol in the random oracle model. We first specify the security model and then provide proof details.

Security analysis

In this section, we demonstrate that the proposed three-factor authentication scheme can withstand various attacks, including offline password guessing attack, impersonation attack, known-key attack, and so on. We also illustrate that the proposed authentication scheme captures several desirable security properties, such as mutual authentication and perfect forward secrecy. Although the formal security proof is more desirable, it is still difficult to formalize the scheme within well-studied security models.^39–41 This is mainly because that the computation capacity of the smart card is limited, and we employ different design principles to decrease the computation overhead. In fact, if there are no such restrictions, we can directly employ those authentications proved to be secure in CK model. On the other hand, we also note the security of some protocols^{24,28,42–48} are discussed with the BAN logic or AVISPA. However, the BAN logic and AVISPA also cannot guarantee the security of the protocol. For example, although Park et al.’s²⁴ protocol is proved to be secure with the BAN logic, we show that it still has security flaws. To this end, we utilize an informal and heuristic manner to discuss the security of the proposed authentication scheme. Such a manner is widely accepted and used in the literature of multi-factor authentication scheme.^{10–13,49–52}

Offline password guessing attack

If an adversary $A$ wants to launch the offline password guessing attack against the proposed scheme, then it has to obtain a related value to verify the validity of a candidate password. Now we show that the adversary $A$ cannot get such a value, even it holds those secret values stored in the smart card.

First, in the login message ${LM}_{i} = {M_{i, 1}, X'_{i}, I D_{i}, T_{i, 1}}$ , the value $M_{i, 1}$ is the output of the hash function $h (\cdot)$ on input of $I D_{i}$ , $I D_{s}$ , $X'_{i}$ , and $T_{i, 1}$ , which are all transmitted on the public channel. Thus, $M_{i, 1}$ cannot be used to verify the correctness of a candidate password. On the other hand, we note that the value $X'_{i}$ is derived from the user’s password $P W_{i}$ , namely, $X_{i'} = X_{i} \oplus r_{i'} = T_{x} (u) \oplus W_{i} \oplus h (I D_{i} | | P W_{i} | | N_{i})$ . When the adversary $A$ corrupts the user’s smart card, it can get the values $W_{i}, Z_{i}, N_{i}$ . However, if $A$ wants to utilize $X'_{i}$ to check the validity of a candidate password ${PW}_{i}^{*}$ , it has to know the value $X_{i} = T_{u} (x)$ , which is not directly transmitted over the channel. Moreover, to get the value $X_{i}$ , the adversary has to obtain the master secret key $α$ of the server and recover it as $X_{i} = X'_{i} \oplus h (I D_{u} | | α)$ . But when the master secret key $α$ is disclosed, the attack is trivial.

Second, in the response message ${RM}_{s} = {Y_{s}, M_{s, 1}, T'_{s, 1}}$ from the remote server S, we can see that although the value $M_{s, 1} = h (I D_{i} | | I D_{s} | | X'_{i} | | Y_{s} | | K_{s, i} | | T'_{s, 1})$ contains the value of $X_{i}$ , the adversary $A$ cannot employ it to verify the validity of a candidate password since the value $K_{s, i} = T_{y} (X_{i}) = T_{y} (T_{x} (u))$ is unknown to it. In fact, if $A$ can compute $K_{s, i}$ , then it breaks the chaotic map–based Diffie–Hellman assumption. Similarly, the adversary $A$ also cannot use the message ${AM}_{i}$ to check the validity of a candidate password. Therefore, the proposed scheme can be free from the offline password guessing attack.

Impersonation attack

If an adversary $A$ wants to impersonate a registered system user $U_{i}$ , then it needs to generate a correct login message and response message that can pass through the verification of the remote server S. However, without the knowledge of the password $P W_{i}$ , the adversary $A$ cannot compute a secret value $K_{i, s}$ equal to $K_{s, i}$ that is computed by the remote server S, since the computation of $K_{s, i}$ involves $h (I D_{i} | | α)$ and the adversary $A$ cannot compute it correctly. Thus, the adversary $A$ fails to impersonate a registered user, and the proposed scheme can withstand user impersonation attack.

On the other hand, if the adversary $A$ tries to impersonate the remote server S, then it has to generate correct response message ${AM}_{s}$ . From the protocol flow, we can see that the adversary $A$ has to correctly recover $X_{i}$ with the value $h (I D_{i} | | α)$ , otherwise it cannot pass through the verification of the user $U_{i}$ . However, without the knowledge of the master key $α$ or the user U_i’s password, it is intractable for $A$ to correctly compute $h (I D_{i} | | α)$ . Thus, the adversary cannot impersonate the remote server, and the proposed scheme can withstand server impersonation attack.

Replay attack

In the attack model, an adversary $A$ is allowed to eavesdrop any messages transmitted over the public channel. To prevent the adversary $A$ from launching a replay attack by resetting these messages ${LM}_{i}$ , ${LM}_{s}$ , and ${LM}_{i}$ , the proposed scheme uses random nonces and timestamps to ensure the freshness of these messages.

Specifically speaking, if the adversary $A$ directly replays the message ${LM}_{i}$ , then it fails to pass through the verification of the server S since the timestamp $T_{i, 1}$ would be obsolete. Alternatively, if the adversary $A$ chooses to replay a modified message ${LM}_{i'}$ by employing the current timestamp, then it has to produce a new message $M_{i, 1}$ . However, as explained above, without the knowledge of the password $P W_{i}$ , the adversary $A$ subsequently cannot produce a correct response message ${AM'}_{i}$ and thus cannot pass through the verification of the remote server S. Consequently, the proposed scheme is secure against replay attack.

Insider attack

In the context of insider attack, a malicious service provider tries to obtain registered users’ private information, such as password. In the registration phase of the proposed scheme, a user sends the message ${RM}_{i} = {R P_{i}, R B_{i}, I D_{i}}$ to the server S, where $R P_{i} = h (I D_{i} | | P W_{i} | | N_{i})$ and $R B_{i} = H (B_{i}) \oplus h (N_{i})$ . We can see that the remote server S cannot get any information about the user U_i’s password $P W_{i}$ and biometrics $B_{i}$ without the knowledge of the random number $N_{i}$ . In addition, the remote server S also does not hold and store any information about registered users’ password. Thus, the proposed scheme can resist insider attack.

Known-key attack

In the setting of known-key attack, an adversary $A$ can obtain the information of other session keys from a corrupted session key. In the proposed authentication scheme, a session key is computed as $SK = h (I D_{i} | | I D_{s} | | X_{i} | | Y_{s} | | K_{i, s})$ , which is derived from fresh values $X_{i}$ , $Y_{s}$ , and $K_{i, s} = T_{x} (T_{y} (u))$ , where x and y are random numbers. Hence, all session keys are independent of each other. This implies that the revelation of a session key does not influence the security of other session keys, and the proposed authentication scheme can be free from known-key attack.

Mutual authentication and key agreement

Mutual authentication requires that the protocol participants check the validity of each other. In the proposed scheme, when a user $U_{i}$ sends the login message ${LM}_{i}$ to the server S, he or she in fact launches a challenge. That is, only the one that holds the master secret key $α$ can correctly recover the value $X_{i}$ . As a result, if the response message ${AM}_{s}$ generated by the remote server S can pass through U_i’s verification, then $U_{i}$ ensures that the remote server is the authorized one. Similarly, if the user $U_{i}$ can produce a correct response message $A M_{i}$ , then the remote server S can be sure that $U_{i}$ is a registered legitimate user. Thus, they authenticate each other and the proposed scheme achieves mutual authentication.

From the generation way of the session key, we can see that both a user $U_{i}$ and the remote server S contribute to the derivation of the session key, where $X_{i}$ is a random value produced by the user $U_{i}$ and $Y_{s}$ is a random value independently generated by the remote server S. This implies that neither the user $U_{i}$ nor the remote server S can control the value of the session key. Therefore, the proposed authentication scheme realizes the functionality of key agreement.

Perfect forward secrecy

Perfect forward secrecy ensures that the disclosure of a user’s secret information (password and smart card) and the master secret key of the remote server S does not affect the security of those previously established session keys. In the proposed authentication scheme, the session key is calculated as $SK = h (I D_{i} | | I D_{s} | | X_{i} | | Y_{s} | | K_{i, s})$ , where $K_{i, s} = T_{x} (T_{y} (u))$ . After either the user U_i’s password and the smart card get exposed, or the master secret key $α$ is revealed, an adversary $A$ can recover the values $X_{i}$ and $Y_{s}$ . However, due to the intractability of the chaotic map–based Diffie–Hellman problem, it is impossible for $A$ to compute $K_{i, s} = T_{x} (T_{y} (u))$ . As a consequence, even if the master secret key gets exposed, the adversary cannot recover those previously used session keys, which implies that the proposed scheme features of perfect forward secrecy.

Three-factor authentication

The proposed authentication scheme provides the security guarantee of three-factor authentication. More precisely, in the login and authentication phase of the proposed scheme, a user $U_{i}$ is required to provide correct password $P W_{i}$ , actual biometrics $B'_{i}$ , and the corresponding smart card containing secret values. Now we show that if the user $U_{i}$ fails to provide one of the three authentication factors, then he or she cannot pass through the authentication of the server S.

First, if the password $P W_{i}$ is not correct, then the value $r'_{i} = W_{i} \oplus h (I D_{i} | | P W_{i} | | N_{i})$ will not be equal to $r_{i} = h (I D_{i} | | α)$ , which is directly computed by the remote server S. Second, if the smart card does not match inputted password $P W_{i}$ , then the user $U_{i}$ also cannot pass through the authentication due to the same reason. Moreover, if the imprinted biometrics $B_{i'}$ is not sampled from the same user $U_{i}$ , then it must be that $M_{bio} (H (B_{i}), H (B'_{i})) > τ$ , and the smart card will terminate the login process. Therefore, the proposed scheme achieves three-factor authentication and provides stronger security guarantee than two-factor authentication scheme.

Performance evaluation

In this section, we briefly evaluate the performance of the proposed authentication scheme by comparing it with several existing schemes in terms of computation cost and security properties.

As illustrated in Table 2, early three-factor authentication schemes^18,19 directly employ biometrics as an authentication factor and do not consider the security properties of session key agreement and perfect forward secrecy. Yeh et al.²² used elliptic curve cryptography to achieve the functionalities of mutual authentication and perfect forward secrecy. However, Wu et al.²³ pointed out that this scheme fails to achieve the claimed security goals. In Cao and Ge’s²¹ scheme and Park et al.’s²⁴ scheme, the login and authentication procedure only involves cryptographic hash operations, and thus they cannot provide perfect forward secrecy. In addition, as discussed previously, Park et al.’s scheme suffers from offline password guessing attack and fails to achieve the security requirement of three-factor authentication scheme. In short, we can see that only our scheme can withstand various well-known attacks, without missing several desirable security functionalities, such as mutual authentication, key agreement, and perfect forward secrecy.

Table 2.

Comparisons of security properties with existing schemes.

Security properties	Das¹⁸	An¹⁹	Yeh et al.²²	Cao and Ge²¹	Park et al.²⁴	Ours
Insider attack	✘	✘	✓	✘	✘	✓
Replay attack	✘	✓	✓	✓	✓	✓
Known-key attack	✓	✓	✓	✓	✓	✓
Mutual authentication	✘	✘	✘	✘	✓	✓
Session key agreement	✘	✘	✘	✘	✓	✓
Perfect forward secrecy	✘	✘	✘	✘	✘	✓
Three-factor authentication	✘	✘	✘	✘	✘	✓
User impersonation attack	✘	✘	✘	✘	✘	✓
Server impersonation attack	✘	✘	✘	✘	✓	✓
Offline password guessing attack	✘	✘	✘	✘	✘	✓

✓ denotes the scheme provides the corresponding security property, and ✘ denotes the scheme does not provide the corresponding security property.

Table 3 summarizes the computation cost of these listed schemes. As performed in Kocarev and Lian,²⁹ $T_{h} \approx 0.5 ms$ , $T_{e} \approx 63.08 ms$ , and $T_{c} \approx T_{H} \approx 21.02 ms$ (on an Intel Pentium4 2600 MHz processor with 1 GB RAM). Since the registration procedure is performed in an offline manner, we only consider the computation overhead of the login and authentication process. In addition, the running time of XOR operation is rather low, and we thus ignore the timing results. We can see that previous schemes^18,19,21 are more efficient than other schemes since they do not use Diffie–Hellman key exchange. Compared with Park et al.’s²⁴ scheme, our scheme consumes more computation resources for providing stronger security guarantee, but we think the additional computation cost is acceptable and worthwhile. In addition, our scheme is more efficient than Yeh et al.’s²² scheme. In conclusion, Tables 2 and 3 indicate that the proposed three-factor authentication scheme provides stronger and desirable security guarantees, at the cost of acceptable computation overhead.

Table 3.

Comparisons of computation cost with existing schemes.

Computation party	Das¹⁸	An¹⁹	Yeh et al.²²	Cao and Ge²¹	Park et al.²⁴	Ours
User side	$5 T_{h} + 4 T_{x}$	$5 T_{h} + 6 T_{x}$	$2 T_{e} + T_{x}$	$7 T_{h} + 6 T_{x}$	$T_{H} + 9 T_{h} + 8 T_{x}$	$7 T_{h} + T_{H} + 3 T_{x} + 2 T_{c}$
Server side	$5 T_{h} + 2 T_{x}$	$4 T_{h} + 2 T_{x}$	$2 T_{h} + 2 T_{e} + 2 T_{x}$	$4 T_{h} + 2 T_{x}$	$9 T_{h} + 4 T_{x}$	$4 T_{h} + 2 T_{c} + T_{x}$
Total	$10 T_{h} + 6 T_{xor}$	$9 T_{h} + 6 T_{x}$	$2 T_{h} + 4 T_{e} + 3 T_{x}$	$11 T_{h} + 8 T_{x}$	$18 T_{h} + T_{H} + 12 T_{x}$	$11 T_{h} + T_{H} + 4 T_{c} + 4 T_{x}$
Time (ms)	$\approx 5.0$	$\approx 4.5$	$\approx 253.32$	$\approx 5.5$	$\approx 30.02$	$\approx 110.6$

$T_{h}$ indicates the running time of one hash operation. $T_{x}$ indicates the running time of one XOR operation. $T_{e}$ indicates the running time of one modular exponentiation over elliptic curve groups. $T_{c}$ indicates the running time of one Chebyshev map operation. $T_{H}$ indicates the running time of one bio-hashing operation.

Conclusion

With the wide use of remote services (e.g. e-healthcare, e-learning) through the Internet, the remote user authentication scheme is absolutely essential for securing communications over the public channel. Three-factor remote user authentication schemes can provide stronger security guarantees than traditional authentication schemes and attract much attention in recent years. Although lots of such schemes have been proposed, most of them suffer from various attacks. In this article, we pointed out that Park et al.’s three-factor remote user authentication scheme is vulnerable to offline password guessing attack and also fails to provide several necessary security properties. Moreover, we put forward a security enhanced scheme to overcome these security flaws. By presenting security analysis and performance evaluation, we demonstrate that the proposed scheme is more suitable for practical applications.

Footnotes

Handling Editor: José Camacho

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by National Natural Science Foundation of China (No. 61372172).

ORCID iD

Yan Zhao

References

Das

Saxena

Gulati

et al . A novel remote user authentication scheme using bilinear pairings. Comput Secur 2006; 25(3): 184–189.

Chen

Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol. Nonlinear Dynam 2012; 69(3): 1149–1157.

Niu

Wang

et al . Applying biometrics to design three-factor remote user authentication scheme with key agreement. Secur Commun Netw 2014; 7(10): 1488–1497.

Liu

Ning

Multilevel μTESLA: broadcast authentication for distributed sensor networks. ACM T Embed Comput S 2004; 3(4): 800–836.

Shi

Gong

A new user authentication protocol for wireless sensor networks using elliptic curves cryptography. Int J Distrib Sens N 2013; 9(4): 730831.

Lamport

Password authentication with insecure communication. Commun ACM 1981; 24(11): 770–772.

Sandirigama

Shimizu

Noda

MT.

Simple and secure password authentication protocol (SAS). IEICE T Commun 2000; 83(6): 1363–1365.

Yang

Shieh

SP.

Password authentication schemes with smart cards. Comput Secur 1999; 18(8): 727–733.

Hwang

LH.

A new remote user authentication scheme using smart cards. IEEE T Consum Electr 2000; 46(1): 28–30.

10.

Liao

Wang

SS.

A secure dynamic ID based remote user authentication scheme for multi-server environment. Comp Stand Inter 2009; 31(1): 24–29.

11.

Wei

Liu

Cryptanalysis and improvement of a robust smart card authentication scheme for multi-server architecture. Wireless Pers Commun 2014; 77(3): 2255–2269.

12.

Xue

Hong

A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J Comput Syst Sci 2014; 80(1): 195–206.

13.

Wei

Liu

Secure control protocol for universal serial bus mass storage devices. IET Comput Digit Tec 2015; 9(6): 321–327.

14.

Wang

et al . Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE T Depend Secure 2015; 12(4): 428–442.

15.

Kumari

et al . A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps. Future Gener Comp Sy 2016; 63: 56–75.

16.

Kumari

Khan

Atiquzzaman

User authentication schemes for wireless sensor networks: a review. Ad Hoc Netw 2015; 27: 159–194.

17.

Hwang

MS.

An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 2010; 33(1): 1–5.

18.

Das

AK.

Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inform Secur 2011; 5(3): 145–151.

19.

Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. Biomed Res Int 2012; 2012: 519723.

20.

Khan

Kumari

An improved biometrics-based remote user authentication scheme with user anonymity. Biomed Res Int 2013; 2013: 491289.

21.

Cao

Analysis and improvement of a multi-factor biometric authentication scheme. Secur Commun Netw 2015; 8(4): 617–625.

22.

Yeh

Chen

et al . Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric data. IET Inform Secur 2013; 7(3): 247–252.

23.

Kumari

et al . A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks. Comput Electr Eng 2015; 45: 274–285.

24.

Park

Lee

et al . Security analysis and enhancements of an improved multi-factor biometric authentication scheme. Int J Distrib Sens N 2017; 13(8). DOI: 10.1177/1550147717724308.

25.

Jakimoski

Kocarev

Chaos and cryptography: block encryption ciphers based on chaotic maps. IEEE T Circuits: I 2001; 48(2): 163–169.

26.

Chain

Kuo

WC.

A new digital signature scheme based on chaotic maps. Nonlinear Dynam 2013; 74(4): 1003–1012.

27.

Kumar

Chen

et al . Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimedia Syst 2015; 21(1): 49–60.

28.

Jiang

Wei

et al . Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy. Nonlinear Dynam 2016; 83(4): 2085–2101.

29.

Kocarev

Lian

Chaos-based cryptography: theory, algorithms and applications, vol. 354. Berlin; Heidelberg: Springer, 2011.

30.

Jin

ATB

Ling

DNC

Goh

Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn 2004; 37(11): 2245–2255.

31.

Lumini

Nanni

An improved biohashing for human authentication. Pattern Recogn 2007; 40(3): 1057–1065.

32.

Mishra

Das

Mukhopadhyay

A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 2014; 41(18): 8129–8143.

33.

Kumari

et al . Design of a provably secure biometrics-based multi-cloud-server authentication scheme. Future Gener Comp Sy 2017; 68: 320–330.

34.

Jiang

Zeadally

et al . Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks. IEEE Access 2017; 5: 3376–3392.

35.

Kocher

Jaffe

Jun

Differential power analysis. In: Wiener

(ed.) Advances in cryptology—CRYPTO’99: 19th annual international cryptology conference, Santa Barbara, California, USA, August 15-19, 1999 proceedings. Berlin; Heidelberg: Springer, pp.388–397.

36.

Messerges

Dabbish

Sloan

RH.

Examining smart-card security under the threat of power analysis attacks. IEEE T Comput 2002; 51(5): 541–552.

37.

Jiang

Wei

et al . An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks. J Netw Comput Appl 2016; 76: 37–48.

38.

Kumari

et al . A user anonymous mutual authentication protocol. KSII T Internet Inf 2016; 10(9): 4508–4528.

39.

Canetti

Krawczyk

. Analysis of key-exchange protocols and their use for building secure channels. In: Proceedings of the international conference on the theory and applications of cryptographic techniques: advances in cryptology (EUROCRYPT’01), Innsbruck, 6–10 May 2001, pp.453–474. London: Springer.

40.

Wei

Liu

Two-factor authentication scheme using attribute and password. Int J Commun Syst 2017; 30(1): e2915.

41.

Odelu

Das

Wazid

et al . Provably secure authenticated key agreement scheme for smart grid. IEEE T Smart Grid 2018; 9(3): 1900–1910.

42.

Zhang

et al . An extended chaotic maps-based three-party password-authenticated key agreement with user anonymity. PLoS ONE 2016; 11(4): e0153870.

43.

Lee

Hsiao

Hwang

et al . Enhanced smartcard-based password-authenticated key agreement using extended chaotic maps. PLoS ONE 2017; 12(7): e0181744.

44.

Gao

Peng

Tian

et al . A chaotic maps-based authentication scheme for wireless body area networks. Int J Distrib Sens N 2016; 12(7). DOI: 10.1177/155014772174720.

45.

Zhang

Tan

Remote three-factor authentication protocol with strong robustness for multi-server environment. China Commun 2017; 14(6): 126–136.

46.

Dhillon

Kalra

Secure multi-factor remote user authentication scheme for internet of things environments. Int J Commun Syst 2017; 30(16): e3323.

47.

Sun

Zhong

Kou

et al . A lightweight multi-factor mobile user authentication scheme. In: Proceedings of the IEEE INFOCOM 2018 – IEEE conference on computer communications workshops (INFOCOM WKSHPS), Honolulu, HI, 15–19 April 2018, pp.831–836. New York: IEEE.

48.

Sharma

Kalra

A lightweight multi-factor secure smart card based remote user authentication scheme for cloud-IoT applications. J Inform Secur Appl 2018; 42: 95–106.

49.

Kumari

et al . An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment. J Netw Comput Appl 2017; 89: 72–85.

50.

Wang

Liu

Xiao

et al . A more efficient and secure dynamic ID-based remote user authentication scheme. Comput Commun 2009; 32(4): 583–585.

51.

Odelu

Das

Goswami

An effective and robust secure remote user authenticated key agreement scheme using smart cards in wireless communication systems. Wireless Pers Commun 2015; 84(4): 2571–2598.

52.

Yeh

KH.

A provably secure multi-server based authentication scheme. Wireless Pers Commun 2014; 79(3): 1621–1634.

Security-enhanced three-factor remote user authentication scheme based on Chebyshev chaotic maps

Abstract

Keywords

Introduction

Preliminaries

Notations

Chebyshev chaotic maps

Property 1 (Chaotic map–based DLP)

Property 2 (Chaotic map–based CDHLP)

Bio-hashing

Review of Park et al.’s scheme

Registration phase

Login phase

Authentication phase

Password change phase

Cryptanalysis of Park et al.’s scheme

Correctness and usability of Park et al.’s scheme

Offline guessing attack

Other security pitfalls

The proposed three-factor authentication scheme

Initialization phase

Registration phase

Login and authentication phase

Password change phase

Formal proof

Security analysis

Offline password guessing attack

Impersonation attack

Replay attack

Insider attack

Known-key attack

Mutual authentication and key agreement

Perfect forward secrecy

Three-factor authentication

Performance evaluation

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References