With the agile development of the Internet era, starting from the message transmission to money transactions, everything is online now. Remote user authentication (RUA) is a mechanism in which a remote server verifies the user’s correctness over the shared or public channel. In this paper, we analyze an RUA scheme proposed by Chen for the multi-server environment and prove that their scheme is not secured. We also find numerous vulnerabilities such as password guessing attack, replay attack, Registration Center (RC) spoofing attack, session key verification attack, and perfect forward secrecy attack for Chen’s scheme. After performing the cryptanalysis of Chen’s scheme, we propose a biometric-based RUA scheme for the same multi-server environment. We prove that the proposed authentication scheme achieves higher security than Chen’s scheme with the use of informal security analysis as well as formal security analysis. The formal security analysis of the proposed scheme is done using a widely adopted random oracle method.
AoshimaT., TasakaM. and TakedaK., One-time logon method for distributed computing systems, US Patent7 (2006), 136–996. URL: http://www.google.tl/patents/US7136996.
4.
Yih -LeeN. and ChiuY.-C., Improved remote authentication scheme with smart card. In: Computer Standards and Interfaces27(2) (2005), pp. 177–180. ISSN:0920-5489.
5.
ChengR.C.H., Van OorschotP.C. and HillierS.W., Sys-tems and methods providing interactions between multiple servers and an end use device, US Patent7 (2006), 010–582. URL:https://www.google.com/patents/US7010582
6.
KhanM.K. and ZhangJ., An Efficient and Practical Fingerprint-Based Remote User Authentication Scheme with Smart Cards. In:Information Security Practice and Experience: Second International Conference, ISPEC 2006, Hangzhou, China, April 11-14, 2006. Proceedings. Ed. by Kefei Chen et al. Berlin, Hei-delberg: Springer Berlin Heidelberg, 2006, pp. 260–268.ISBN: 978-3-540-33058-5.DOI:10.1007/1168952224. URL: https://doi.org/10.1007/1168952224.
7.
XuJ., ZhuW.-T. and FengD.-G., An improved smart card based password authentication scheme with provable security. In: Computer Standards and Interfaces31(4) (2009), pp. 723–728. ISSN:0920-5489. DOI: https://doi.org/10.1016/j.csi.2008.09.006. URL: http://www.sciencedirect.com/science/article/pii/S0920548908001165
8.
ChenC.T., Anonymity authentication method for global mobility networks, US Patent9 (2015), 021–265.
9.
LiC.-T. and HwangM.-S., An efficient biometricsbased remote user authentication scheme us-ing smart cards. In: Journal of Network and Computer Applications33(1) (2010), pp. 1–5. ISSN: 1084-8045. DOI: https://doi.org/10.1016/j.jnca.2009.08.001. URL: http://www.sciencedirect.com/science/article/pii/S1084804509001192.
10.
LiX., et al., Cryptanalysis and improvement of a biometrics-based remote user authentication scheme us-ing smart cards. In: Journal of Network and Computer Applications34(1) (2011), pp. 73–79. ISSN: 1084-8045. DOI: https://doi.org/10.1016/j.jnca.2010.09.003. URL: http://www.sciencedirect.com/science/article/pii/S1084804510001657.
11.
ChaturvediA., MishraD. and MukhopadhyayS., Improved Biometric-Based Three-factor Remote User Authentication Scheme with Key Agreement Using Smart Card. In: Information Systems Security: 9th International Conference, ICISS 2013, Kolkata, India, December 16-20, 2013. Proceedings. Ed. by Aditya Bagchi and Indrakshi Ray. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 63–77. ISBN: 978-3-642-45204-8. DOI: 10.1007/978-3-642-45204-85. URL: https://doi. org/10.1007/978-3-642-45204-85.
12.
HeD. and WangD., Robust Biometrics-Based Authentication Scheme for Multiserver Environment. In: IEEE Systems Journal9(3) (2015), pp. 816–823. ISSN: 1932-8184. DOI:10.1109/JSYST.2014.2301517
13.
LiX., et al., An enhanced biometrics-based user authentication scheme for multi-server environments in critical systems. In: Journal of Ambient Intelligence and Humanized Computing7(3) (2016), pp. 427–443. ISSN: 1868-5145. DOI: 10.1007/s12652-015-0338-z. URL: https://doi.org/10.1007/s12652-015-0338-z.
14.
SarvabhatlaM., GiriM. and VoruguntiC.S., Crypt-analysis of a robust and effective smart card-based remote user authentication mechanism using hash function. In: 2014 International Conference on Computer and Communication Technology (ICCCT). 2014, pp. 123–128. DOI: 10.1109/ICCCT.2014.7001479
15.
MishraD., Design and Analysis of a Provably Secure Multi-server Authentication Scheme. In: Wireless Personal Communications86(3) (2016), pp. 1095–1119. ISSN: 1572-834X. DOI: 10.1007/s11277-015-2975-0. URL: https://doi.org/10.1007/s11277-015-2975-0.
16.
NikooghadamM., JahantighR. and ArshadH., A lightweight authentication and key agreement protocol preserving user anonymity. In: Multimedia Tools and Applications76(11) (2017), pp. 13401–13423In. ISSN: 1573-7721. DOI: 10.1007/s11042-016-3704-8. URL: https://doi.org/10.1007/s11042-016-3704-8.
17.
OdeluV., DasA.K. and GoswamiA., A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards. In: IEEE Transactions on Informa-tion Forensics and Security10(9) (2015), pp. 1953–1966. ISSN: 1556-6013.
18.
YoonE.-J. and YooK.-Y., Robust biometricsbased multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. In: The Journal of Supercomputing63(1) (2013), pp. 235–255. ISSN: 1573-0484. DOI: 10.1007/s11227-010-0512-1. URL: https://doi.org/10.1007/s11227-010-0512-1.
19.
ChuangM.-C. and ChenM.C., An anony-mous multi-server authenticated key agreement scheme based on trust computing using smart cards and biomet-rics. In: Expert Systems with Applications41(4) (2014), pp. 1411–1418. ISSN: 0957-4174. DOI: https:7//doi.org/10.1016/j.eswa.2013.08.040. URL: http://www.sciencedirect.com/science/article/pii/S0957417413006611.
20.
IrshadA., et al., An efficient and anonymous multi-server authenticated key agreement based on chaotic map without engaging Registration Centre. In: The Journal of Supercomputing72(4) (2016), pp. 1623–1644. ISSN: 1573-0484. DOI: 10.1007/s11227-016-1688-9. URL: https://doi.org/10.1007/s11227-016-1688-9.
21.
ReddyA.G., et al., A Secure Anonymous Authentication Protocol for Mobile Services on Elliptic Curve Cryptog-raphy, IEEE Access4 (2016), pp. 2169–3536. ISSN: 2169-3536.
22.
ShaikC., Password self encryption method and system and encryption by keys generated from personal secret information, US Patent App 12/402,786. 2009. URL: https://www.google.tl/patents/US20090296927.
23.
ChenL. and MajumdarS., Password-based cryptographic method and apparatus, US Patent8 (2013), 464–058.
24.
ShenH., et al., New biometrics-based authentication scheme for multi-server environment in critical systems. In: Journal of Ambient Intelligence and Humanized Com-puting6(6) (2015), pp. 825–834. ISSN: 1868-5145. DOI: 10.1007/s12652-015-0305-8. URL: https://doi.org/10.1007/s12652-015-0305-8.
25.
ChenZ., et al., Flexible neural trees based early stage identification for IP traffic. In: Soft Computing21(8) (2017), pp. 2035–2046. ISSN: 1433-7479. DOI: 10.1007/s00500-015-1902-3. URL: https ://doi.org/10.1007/s00500-015-1902-3.
26.
LiuQ., et al., Preserving Privacy with Probabilistic Indistinguishability in Weighted Social Networks. In: IEEE Transactions on Parallel and Distributed Systems28(5) (2017), pp. 1417–1429. ISSN: 1045-9219. DOI: 10.1109/TPDS.2016.2615020.
27.
LiuY., et al., Finger vein secure biometric template generation based on deep learning. In: Soft Computing22(7) (2018), pp. 2257–2265. ISSN: 1433-7479. DOI: 10.1007/s00500-017-2487-9. URL: https://doi.org/10.1007/s00500-017-2487-9.
28.
PengT., et al., Collaborative trajectory privacy preserving scheme in location-based services. In: Information Sciences387 (2017), pp. 165–179. ISSN: 0020-0255. DOI: https://doi.org/10.1016/j.ins.2016.08.010. URL: http://www.sciencedirect.com/science/article/pii/S0020025516305801.
29.
ChenW., LeiH. and QiK., Lattice-based linearly homomorphic signatures in the standard model, The-oretical Computer Science634 (2016), pp. 47–54. ISSN: 0304-3975.
30.
TianH. and LiJ., A short non-delegatable strong designated verifier signature. In: Frontiers of Computer Science8(3) (2014), pp. 490–502. ISSN: 2095-2236. DOI: 10.1007/s11704-013-3120-4. URL: https://doi.org/10.1007/s11704-013-3120-4.
31.
LiJ., et al., Securely Outsourcing Attribute-Based Encryp-tion with Checkability, IEEE Transactions on Parallel and Distributed Systems25(8) (2014), pp. 2201–2210. ISSN: 1045-9219. DOI: 10.1109/TPDS.2013.271
32.
LinQ., et al., An ID-Based Linearly Homomorphic Signature Scheme and Its Application in Blockchain. In: IEEE Access6 (2018), pp. 20632–20640. DOI: 10.1109/ACCESS.2018.2809426
33.
JhaveriR.H., et al., Sensitivity Analysis of an Attack-Pattern Discovery Based Trusted Routing Scheme for Mo-bile Ad-Hoc Networks in Industrial IoT, In: IEEE Access6 (2018), pp. 20085–20103. DOI: 10.1109/ACCESS.2018.2822945
34.
WangC., et al., A Novel Security Scheme Based on Instant Encrypted Transmission for Internet of Things, in: Security and Communication Networks2018 (2018), pp. 10179–10188. DOI: https://doi.org/10.1155/2018/3680851.
35.
MengW., et al., When Intrusion Detection Meets Blockchain Technology: A Review. In: IEEE Access6 (2018), pp. 10179–10188. DOI: 10.1109/ACCESS.2018.2799854
36.
XuJ., et al., Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures. In: Journal of Network and Computer Applications107 (2018), pp. 1084–8045. ISSN: 1084-8045. DOI: https://doi.org/10.1016/j.jnca.2018.01.014. URL: http://www.sciencedirect.com/science/article/pii/S1084804518300286.
37.
YangL., et al., A remotely keyed file encryption scheme under mobile cloud computing. In: Journal of Network and Computer Applications106 (2018), pp. 90–99. ISSN: 1084-8045.
38.
YanH., et al., Centralized Duplicate Removal Video Storage System with Privacy Preservation in IoT. In: Sensors18(6) (2018).
39.
LiuZ., et al., Cloud-based electronic health record system supporting fuzzy keyword search. In: Soft Computing20(8) (2016), pp. 3243–3255. ISSN: 1433-7479. DOI: 10.1007/s00500-015-1699-0. URL: https://doi.org/10.1007/s00500-015-1699-0.
40.
CaiZ., et al., Towards Secure and Flexible HER Sharing in Mobile Health Cloud Under Static Assumptions. In: Cluster Computing20(3) (Sept. 2017), pp. 2415–2422. ISSN: 1386-7857. DOI: 10.1007/s10586-017-0796-5. URL: https://doi.org/10.1007/s10586-017-0796-5.
41.
AbdallaM., FouqueP.A. and PointchevalD., Password-based authenticated key ex-change in the three-party setting. In:Vaudenay, S. (ed.) PublicKey Cryptography- PKC 2005. pp. 65–84. Springer Berlin Heidelberg, Berlin, Heidelberg (2005).
42.
RoyS., ChatterjeeS., DasA.K., ChattopadhyayS., KumariS. and JoM., Chaoticmap-based anonymous user authentication scheme with user biometrics and fuzzyextractor for crowdsourcing internet of things, IEEE Internet of Things Journal5(4) (2018), 2884–2895.
43.
RajanR.A. and KumaranP., Multi-biometric cryptosystem using graph for secure cloud authentication. Journal of Intelligent and Fuzzy Systems, (Preprint), 1–8.
44.
KumarD., ChandS. and KumarB., A PKC-based user authentication scheme without smart card, Journal of Intelligent and Fuzzy Systems35(5) (2018), 5379–5390.
45.
RoyS., ChatterjeeS. and MahapatraG., An efficient biometric based remote user authentication scheme for secure internet of things environment, Journal of Intelligent Fuzzy Systems34(3) (2018), 1403–1410.
46.
HwangM.-S. and LiL.-H., A new remote user authentication scheme using smart cards, IEEE Transactions on consumer Electronics46(1) (2000), 28–30.
