Abstract

The authors review the biometrics-based user authentication scheme proposed by An in 2012. The authors show that there exist loopholes in the scheme which are detrimental to its security. Therefore the authors propose an improved scheme eradicating the flaws of An’s scheme. Then a detailed security analysis of the proposed scheme is presented, followed by an efficiency comparison. The proposed scheme not only withstands the security problems found in An’s scheme but also provides some extra features at the cost of only two additional hash operations. The proposed scheme allows the user to freely change his password and also provides user anonymity with untraceability.

1. Introduction

In the last two decades, digital authentication has emerged as a preferred method to authenticate remote users over insecure networks. After the first proposal of a user authentication scheme by Lamport [1], a considerable amount of research has been conducted in this field, of which the schemes [1–25] are a few examples. In due course of time user authentication schemes underwent many changes. Initial schemes were based only on a password [1–4], then schemes were based on a smart card and a password [5–13], and the reliability of biometrics authentication over traditional password-based authentication gave rise to biometrics-based user authentication schemes [14–20].

In 2010, Li and Hwang [19] proposed a biometrics-based user authentication scheme. In 2011, Das [26] examined Li-Hwang’s scheme and observed problems in the login and authentication phase, in the password change phase, and in the biometrics verification mechanism of the scheme. Das showed that the user’s smart card does not validate the inputted password during the login phase, which leads to useless computations in the login and authentication phase. Owing to the same reason, Das further showed that the scheme suffers from an incorrect password updating problem. Thus, Das proposed an improvement [26] of Li-Hwang’s scheme and claimed their scheme to be free from the problems observed in Li-Hwang’s scheme. According to Das, their scheme [26] also provides mutual authentication. In 2012, An [27] pointed out that Das’s scheme [26] deviates from the author’s claim, since an adversary can mount impersonation attacks and a password guessing attack once he gets a chance to extract values from the smart card of the legal user. Thereby An [27] proposed an enhanced scheme to eradicate the flaws of Das’s scheme.

In this paper, we review An’s biometrics-based user authentication scheme. We show that An’s scheme is vulnerable to the same security problems to which Das’s scheme is susceptible, such as online and offline password guessing attacks, user and server impersonation attacks, lack of mutual authentication, and lack of user anonymity. Besides, An’s scheme lacks a password change facility, which is an important part of password-based user authentication schemes. We remove the drawbacks of An’s scheme by proposing an improved user authentication scheme. In addition to resisting various security threats, the proposed scheme incorporates the features of password changing and user anonymity. The rest of this paper is arranged as follows. In Section 2, we review An’s user authentication scheme. Section 3 is about cryptanalysis of An’s scheme. In Section 4, we present our improved scheme. Section 5 is about security analysis of the improved scheme. In Section 6, we compare the improved scheme with related schemes. Finally, the conclusion is presented in Section 7.

2. Review of An’s Scheme

The notations used in this paper are summarized along with their description in Table 1. In this section, we review An’s scheme [27], which is an enhanced version of Das’s scheme [26]. It has three phases: registration phase, login phase and authentication phase. The registration phase is carried out over a secure channel, whereas the login phase and authentication phase are carried out over an insecure channel. There are three participants in the scheme, the user (), the server (), and the registration centre (), where is assumed to be a trusted party. Details of each phase are given in the following subsections.

2.1. Registration Phase

At the beginning of the scheme, the registration centre and the user carry out this phase, which involves the following steps.
(1) submits his identity and information containing password to via a secure channel. also submits information containing his biometrics via the specific device to ; here is a random number chosen by .
(2) computes , , and , where is a secret key generated and maintained by . Then stores in a smart card for the user and provides it to via a secure channel.
(3) On receiving , the user stores the random number into issued by so that now .

2.2. Login Phase

When the user wishes to log in to the server , the user and his smart card perform the following steps.
(1) inserts his smart card into a card reader and inputs his biometrics information on the specific device. computes and verifies whether or not. If the biometrics information matches, passes the biometrics verification.
(2) inputs his and ; then generates a random number and computes the following equations:
(3) sends the login request = to .

2.3. Authentication Phase

On receiving the login request = from , the server and the user perform the following steps to authenticate each other.
(1) first checks the format of . If is valid, computes and .
(2) checks whether or not. If both are equal, it generates a random number and computes the following equations: Then, sends the reply message for its authentication to .
(3) On receiving from , the user computes and checks whether or not. If both are equal, computes and sends the reply message for its authentication to .
(4) On receiving from , the server checks whether or not. If both are equal, accepts the login request = of .

3. Cryptanalysis of An’s Scheme

This section is about the security problems in An’s scheme. Here we show that an attacker can mount different types of attacks on the scheme. Independent research by Kocher and Messerges [28, 29] shows that it is possible to extract the values stored inside a smart card. So we assume that can extract the parameters stored inside a user’s smart card.

3.1. Online Password Guessing Attack

If obtains the smart card of user and extracts [28, 29] the values stored inside it, then he can mount an online password guessing attack as explained below.
(1) computes
(2) guesses as the user’s possible password and computes . Then computes and , where is the random number generated by the system of . sends as a login request to .
(3) If does not receive any response from , then he repeats step (2) with some other guess for the user’s password. But if receives a response message from , then it implies that his guessed password is correct.

3.2. Offline Password Guessing Attack

In the scheme, can easily identify the login request corresponding to a smart card, since both contain the identity of the user. If extracts [28, 29] the values from the smart card of user and intercepts the login request from the open network, then he can mount an offline password guessing attack as explained below.
(1) computes
(2) guesses as the user’s possible password and computes .
(3) computes and , and finally compares with . For , he repeats from step (2) with some other guess for the user’s password. But if , then it provides with the exact password of .

3.3. User Impersonation Attack

As discussed in the previous subsections, can guess a user’s password if he obtains the smart card of the user. Note that a successful password guessing process (in online or offline manner) also yields . In fact, is the key value required to compute a valid login request or valid reply messages. Further, has easy access to the user’s identity from or from the login request = of . Having and in hand, can impersonate the user as explained below.
(1) generates a random number in his system and computes Then sends the login request = to .
(2) On receiving , the server first checks the format of . Clearly, would proceed further because is the identity of a legitimate registered user and hence it is in a valid format.
(3) computes and and checks whether ; clearly it would hold. Therefore believes that the login request = is from the legitimate user.
(4) generates a random number and computes and . Then transmits the reply message .
(5) On receiving from , the attacker first obtains the random number by computing . Next, it computes and sends to .
(6) On receiving , the server checks whether or not. Clearly, this would hold, so will accept the login request = .

3.4. Server Impersonation Attack

can easily impersonate the legal server to cheat the user whose information he possesses, as described in Section 3.3. To masquerade as , the attacker proceeds in the following manner.
(1) can easily recognize the login request = of transmitted over the open channel, as he possesses the identity of . So when sends his login request = to , the attacker intercepts it and blocks it from reaching .
(2) first obtains the random number by computing . Next, he generates a random number in his system and computes and . Then transmits the reply message to .
(3) On receiving , the user first obtains the random number by computing , where . Next, he checks whether or not. Clearly, this equivalence will hold and hence will believe that he is communicating with the intended server. However, it is the clever attacker who is deceiving .

3.5. Lack of Mutual Authentication

Like Das’s scheme [26], the enhanced scheme by An also fails to resist the user impersonation attack and the server impersonation attack described in Sections 3.3 and 3.4. In fact, if extracts the values from the smart card of user and successfully obtains the secret value , then he can easily craft valid login requests and reply messages so as to deceive the legal user or the legal server. Therefore, the scheme loses the mutual authentication feature.

3.6. Lack of User Anonymity

In An’s scheme, sends as his login request to through an insecure channel. The user’s identity is openly available if an attacker intercepts the login request of from the open channel. Moreover, the identity is also stored inside the user’s smart card . Having in hand, it is easy for to craft threats against . Worse still, may be able to compromise the user’s biometrics information, which would result in serious consequences. Thus, the scheme does not provide user anonymity.

4. The Proposed Scheme

In this section, we propose a new user authentication scheme which is an improvement of An’s scheme. In addition to resisting the security problems found in An’s scheme, it also provides a password change phase with which the user can change his password at will. It has four phases: registration phase, login phase, authentication phase and password change phase. The registration phase and password change phase are carried out over a secure channel, whereas the login phase and authentication phase are carried out over an insecure channel. It also consists of three participants, the user (), the server (), and the registration centre (). In the proposed scheme, the server maintains two secret keys and . Details of each phase, along with Figure 1, are given in the following.

4.1. Registration Phase

Before starting the scheme, the registration centre and the user carry out this phase, which involves the following steps.
(1) submits his identity and information containing password to via a secure channel. also submits information containing his biometrics via a specific device to ; here is a random number chosen by .
(2) computes the following values: where stores in a smart card for the user. Then provides and to the user via a secure channel.
(3) On receiving , the user computes the following values: where inserts and into issued by so that now .

4.2. Login Phase

When the user wishes to log in to the server , the user and his smart card perform the following steps.
(1) inserts his smart card into a card reader, keys in his identity and password , and inputs his biometrics information on the specific device.
(2) retrieves and . It then checks whether or not. If the biometrics information matches, passes the biometrics verification; otherwise terminates the session. This process also verifies the correctness of the entered and .
(3) generates a random number and computes the following equations:
(4) sends the login request = to .

4.3. Authentication Phase

On receiving the login request from , the server and the user perform the following steps to authenticate each other.
(1) computes the following values:
(2) checks the format of . If is valid, computes . It then checks whether . If both are equal, generates a random number and computes: Then, sends the reply message for its authentication to .
(3) On receiving from , the user computes (which is indeed ). It then checks whether or not. If both are equal, computes (which is indeed ). Then sends the reply message for its authentication to .
(4) On receiving from , the server checks whether or not. If both are equal, accepts the login request of .

4.4. Password Change Phase

When the user wishes to change his old password , he invokes this phase. The steps required to update the smart card with the new password are as follows.
(1) inserts his smart card into a card reader, keys in his identity and password , and inputs his biometrics information on the specific device.
(2) retrieves and . It then checks whether or not. If the biometrics information matches, passes the biometrics verification; otherwise terminates the session. This process also verifies the correctness of the entered and . Then allows the user to enter the new password .
(3) computes the following equations:
(4) replaces , , and with , and , respectively.

5. Security Analysis of the Proposed Scheme

In this section, we analyze security of the proposed scheme. We show that the scheme remains unaffected even if an attacker extracts [28, 29] all the values stored inside a user’s smart card.

5.1. Online Password Guessing Attack

On having access to a user’s smart card , an attacker can extract [28, 29] all values from it. In order to compute and obtain , he requires . But cannot obtain from , as he does not know the user’s identity and password . The attacker can obtain by performing . Next, he can compute . But cannot compute a forged using a guessed password, because it requires knowledge of . It is hard for to obtain , because is not stored in plaintext inside the user’s smart card but is stored securely in . Further, cannot obtain from without knowing and the password . Besides, cannot compute , as he does not have access to . Moreover, does not have the of , as is not stored in plaintext inside the user’s smart card. Thus, cannot compute a login request in a way that lets him guess the user’s password in an online manner. Hence, the proposed scheme withstands the online password guessing attack.

5.2. Offline Password Guessing Attack

Suppose obtains the smart card of some user. Though can intercept the login message of any user from the open channel, he cannot relate a user’s smart card to its corresponding login request. This is due to the fact that, unlike An’s scheme, in the proposed scheme the user’s identity in plaintext is neither stored inside the user’s smart card nor transmitted in the login request. As a result, cannot combine the values extracted from a user’s smart card with the values of the corresponding login request to guess the user’s password in an offline manner. Even if we consider the situation that somehow happens to get the correct combination of a user’s smart card and login request, we show that still cannot mount an offline password guessing attack. To guess the password of and then verify the guess, can use , provided that he possesses the values in hand. As explained in Section 5.1, can obtain using extracted [28, 29] from , but he cannot obtain the random number . Besides, cannot obtain the random number using without having , and fails to obtain as discussed in Section 5.1. Thus an attacker cannot guess the user’s password in an offline manner.

5.3. User Impersonation and Server Impersonation Attack

To impersonate a legal user, should possess and ; otherwise he cannot compute a valid login request or a valid reply message . The value is equally important if wishes to masquerade as the legal server. Unlike An’s scheme, in the proposed scheme is not able to obtain while attempting to guess the user’s password, because password guessing is not feasible, as explained in Sections 5.1 and 5.2. Moreover, cannot obtain (i) from , obtained by intercepting the login request of , because he does not have the random number , and (ii) from , extracted from the user’s smart card, without knowing . Thus, the proposed scheme resists impersonation attacks.

5.4. Supporting Mutual Authentication

The success of mutual authentication in the proposed scheme follows directly from the resistance against the user impersonation attack and the server impersonation attack described in Section 5.3. In fact, faces several hurdles in acting as a legal user or a legal server: (i) the secret keys and maintained by the server are unknown to , and (ii) has no access to the identity of user . As a result, cannot compute the and required to mount impersonation attacks. Besides, has no method to retrieve these values either from the parameters extracted out of the user’s smart card, or from the login request, or using both. Therefore, the proposed scheme provides proper mutual authentication.

5.5. Providing User Anonymity and User Untraceability

In the proposed scheme, the user’s plaintext identity never appears: it is neither stored in the user’s smart card nor sent in any of the login-authentication messages transmitted over the insecure network. If extracts [28, 29] the values from , we explain in the following that he cannot obtain the of . To guess from and from , the attacker must have knowledge of and , respectively. cannot guess from without knowing and . If intercepts a login request or the reply message , he cannot guess using without knowledge of . Besides, it is not feasible for to retrieve out of , due to the one-way property of the hash function. Moreover, each value transmitted over the insecure network is dynamic in nature, by virtue of the random numbers and , which are different for each session. Thus, can neither obtain the user’s identity nor trace the legal user by observing and analyzing some fixed parameter in the login request or the reply messages. Hence, the scheme provides user anonymity as well as user untraceability.
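The following toy model is an added example written for this page; it is not code from the paper, and since the equations of An’s scheme and of the proposed scheme are not reproduced here it does not implement either of them. It only mirrors the structural properties argued in Sections 3.2–3.3 and 5.1–5.2 and 5.5: in design A the identity sits on the card and travels in the clear, so a guessed password alone can be checked against one intercepted request and a hit also yields the per-user key needed for impersonation; in design B the card holds no identity, the request carries a one-time pseudonym, and unmasking the card values needs both identity and password. All names (X_SECRET, Y_SECRET, WORDLIST, the field names, the hash-based masking) are constructed assumptions, and the biometrics check is omitted.

```python
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """One-way hash of the toy model (SHA-256 over the concatenated parts)."""
    return hashlib.sha256(b"|".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def pad_id(identity: str) -> bytes:
    """Fixed-width identity block so it can be XOR-masked with a 32-byte digest."""
    return identity.encode("ascii").ljust(32, b"\0")


# Constructed sample values for this example only (hypothetical server keys and wordlist).
X_SECRET = b"server-secret-x"
Y_SECRET = b"server-secret-y"
WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine"]


# ---- Design A: identity stored on the card and sent in the clear (pattern of Section 3) ----
def weak_register(identity: str, password: str) -> dict:
    n = os.urandom(16)
    k = h(pad_id(identity), X_SECRET)                 # per-user key derived from server secret x
    return {"id": identity, "n": n, "e": xor(k, h(password.encode(), n))}  # k masked by PW only


def weak_login(card: dict, password: str) -> dict:
    k = xor(card["e"], h(password.encode(), card["n"]))
    r = os.urandom(16)
    return {"id": card["id"], "r": r, "m": h(k, r)}


def weak_server_verify(req: dict) -> bool:
    return req["m"] == h(h(pad_id(req["id"]), X_SECRET), req["r"])


# ---- Design B: identity neither on the card nor in the clear (properties of Section 5) ----
def strong_register(identity: str, password: str) -> dict:
    n = os.urandom(16)
    t = h(pad_id(identity), password.encode(), n)      # unmasking needs BOTH identity and password
    k = h(pad_id(identity), X_SECRET)
    return {"n": n, "e": xor(k, t), "g": xor(h(Y_SECRET), t)}   # no plaintext identity on the card


def strong_login(card: dict, identity: str, password: str) -> dict:
    t = h(pad_id(identity), password.encode(), card["n"])
    k, hy = xor(card["e"], t), xor(card["g"], t)
    r = os.urandom(16)
    did = xor(pad_id(identity), h(hy, r))             # fresh pseudonym for every session
    return {"did": did, "r": r, "m": h(k, r, did)}


def strong_server_verify(req: dict) -> bool:
    block = xor(req["did"], h(h(Y_SECRET), req["r"]))
    try:
        identity = block.rstrip(b"\0").decode("ascii")  # "checks the format of ID" (Section 4.3)
    except UnicodeDecodeError:
        return False
    return req["m"] == h(h(pad_id(identity), X_SECRET), req["r"], req["did"])


def offline_guess(card: dict, req: dict, id_candidates, wordlist, design: str):
    """Attacker model of Section 3.2: card contents plus one intercepted request, checked
    offline against every (identity, password) pair the attacker can name.  Returns
    (identity, password, k) on success; k is what Section 3.3 needs to forge further messages."""
    for ident in id_candidates:
        for pw in wordlist:
            if design == "A":
                k = xor(card["e"], h(pw.encode(), card["n"]))
                ok = h(k, req["r"]) == req["m"]
            else:
                k = xor(card["e"], h(pad_id(ident), pw.encode(), card["n"]))
                ok = h(k, req["r"], req["did"]) == req["m"]
            if ok:
                return ident, pw, k
    return None
```

In design A the attacker passes `[card["id"]]` as the identity list, because the card hands him the identity, and a five-word list recovers both the password and the key `k`. In design B the card and the request give him no identity to pair with his guesses, so the list of candidates he can check is empty; this is precisely the condition the argument of Section 5.1 rests on (the attacker “does not know about user’s identity and password”). Two logins from the same design-B card also share no field, since `did`, `r` and `m` all change with the session random number, which is the untraceability property of Section 5.5.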

5.6. Providing Password Change Facility

In An’s scheme, once the user chooses his password during the registration phase, it is fixed forever, as the user cannot change his password at will. Probably the author opined that in the presence of a biometrics verification procedure there is no need for a password change facility. Undoubtedly, it is very difficult to forge, copy or compromise biometrics, but once compromised, biometrics cannot be changed like passwords. So we opine that if a password is employed in a user authentication scheme, then there should be a provision that allows the user to freely change his password. The proposed scheme provides a password changing facility with which a user can freely (without interacting with the server) change his old password to a new one whenever he wishes. Before updating the stored values with the new password , the smart card verifies the correctness of the identity and old password along with verifying the biometrics information . Thus the proposed scheme provides a secure and easy password changing facility.
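The following added example is written for this page and is not the paper’s code; it illustrates the local check described in Sections 4.4 and 5.6 and the “incorrect password updating problem” the introduction attributes to Li-Hwang’s scheme. The card layout (a random `n`, the per-user key `k` masked by a hash of identity, password and `n`, a biometric verifier `b` and a combined verifier `v`), the names `SERVER_KEY` and `BIO_ALICE`, and the exact-match biometric comparison are all constructed assumptions, not the schemes’ own equations. The checked variant re-masks the stored key with the old and new password hashes without ever contacting the server; the unchecked variant verifies only the biometrics, so a mistyped old password silently corrupts the card.

```python
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """One-way hash of the toy model (SHA-256 over the concatenated parts)."""
    return hashlib.sha256(b"|".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed sample data for this example only.
SERVER_KEY = b"server-secret-x"
BIO_ALICE = h(b"constructed fingerprint template of alice")


def register(identity: str, password: str, bio: bytes) -> dict:
    """Card contents after registration: no identity, password or key in the clear."""
    n = os.urandom(16)
    k = h(identity.encode(), SERVER_KEY)              # per-user key derived from the server key
    t = h(identity.encode(), password.encode(), n)    # needs identity AND password to recompute
    b = h(bio, n)                                     # biometric verifier
    return {"n": n, "e": xor(k, t), "b": b, "v": h(t, b)}


def server_key_for(identity: str) -> bytes:
    """What the server will expect the card to prove possession of."""
    return h(identity.encode(), SERVER_KEY)


def unlock(card: dict, identity: str, password: str, bio: bytes):
    """Local check at the start of login and of password change (Sections 4.2/4.4).
    Returns the unmasked key on success, None otherwise."""
    if h(bio, card["n"]) != card["b"]:
        return None
    t = h(identity.encode(), password.encode(), card["n"])
    if h(t, card["b"]) != card["v"]:
        return None
    return xor(card["e"], t)


def change_password_checked(card: dict, identity: str, old_pw: str, bio: bytes, new_pw: str) -> bool:
    """Verify (identity, old password, biometrics) first; only then re-mask e and v.
    e XOR t_old XOR t_new == k XOR t_new, so no server interaction is needed."""
    if unlock(card, identity, old_pw, bio) is None:
        return False                                  # card left untouched
    t_old = h(identity.encode(), old_pw.encode(), card["n"])
    t_new = h(identity.encode(), new_pw.encode(), card["n"])
    card["e"] = xor(xor(card["e"], t_old), t_new)
    card["v"] = h(t_new, card["b"])
    return True


def change_password_unchecked(card: dict, identity: str, old_pw: str, bio: bytes, new_pw: str) -> bool:
    """The defect the introduction describes: biometrics are verified but the typed old
    password is not, so the key is re-masked with a possibly wrong t_old."""
    if h(bio, card["n"]) != card["b"]:
        return False
    t_old = h(identity.encode(), old_pw.encode(), card["n"])
    t_new = h(identity.encode(), new_pw.encode(), card["n"])
    card["e"] = xor(xor(card["e"], t_old), t_new)
    card["v"] = h(t_new, card["b"])
    return True
```

After an unchecked change with a wrong old password the card still passes its own local verification with the new password, but the key it unmasks no longer matches what the server derives, so every later login is rejected with no way for the user to tell why. The checked variant rejects the wrong old password outright and leaves the card usable.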

6. Comparison

In this section, we examine the proposed scheme by comparing its efficiency with Li-Hwang’s scheme [19], Das’s scheme [26], and An’s scheme [27]. Table 2 displays the comparison of security attributes and Table 3 displays the comparison of computational load in terms of hash operations. The comparison in Table 2 shows that the proposed scheme resists the various attacks possible on the schemes [19, 26, 27] and provides the additional feature of user anonymity with untraceability. Besides, it also restores the password change facility, which is provided by the original versions [19, 26] but is missing in An’s scheme [27]. As Table 3 shows, the proposed scheme carries only two additional hash operations over its immediate predecessor [27]. The important aspect of the proposed scheme is that a minor increase of two hash operations in computational load achieves higher efficiency as compared to the other schemes [19, 26, 27].

7. Conclusion

This paper shows that the recently proposed biometrics-based user authentication scheme by An is susceptible to many threats. Once an attacker obtains the smart card of a legal user, he can guess the user’s password and impersonate the user. Further, the attacker can also cheat the user by masquerading as the legal server. Consequently, the scheme fails to provide mutual authentication. Besides, the scheme also suffers from the restriction of a static password. We have proposed a new scheme based on the design of An’s scheme so as to fix the problems identified in An’s scheme. In the proposed scheme an attacker cannot figure out the identity of the user either from the smart card or by intercepting all login-authentication messages transmitted over the insecure network. Analysis and comparison show the improved performance of the proposed scheme.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

The authors would like to extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for its funding of this research through the Research Group Project no. RGP-VPP-288.