Research Article  Open Access
A Provably Secure Biometrics-Based Authentication Scheme for Multiserver Environment
Abstract
With the rapid development of mobile services, the multiserver authentication protocol, with its high efficiency, has emerged as an indispensable security mechanism for mobile services. Recently, Ali et al. introduced a biometric-based multiserver authentication scheme and claimed the scheme is resistant to various attacks. However, after a careful examination, we find that Ali et al.’s scheme is vulnerable to various security attacks, such as user impersonation attack, server impersonation attack, privileged insider attack, and denial of service attack, and fails to provide forward secrecy and three-factor secrecy. To overcome these weaknesses, we propose an improved biometric-based multiserver authentication scheme using elliptic curve cryptosystem. Formal security analysis under the random oracle model proves that our scheme is provably secure. Furthermore, BAN (Burrows-Abadi-Needham) logic analysis demonstrates our scheme achieves mutual authentication and session key agreement. In addition, the informal analysis proves that our scheme is secure against all current known attacks and achieves desirable features. Besides, the performance and security comparison shows that our scheme is superior to related schemes.
1. Introduction
Nowadays, millions of people enjoy various mobile services such as mobile shopping, mobile entertainment, and mobile learning, by using various mobile devices. Due to the openness of the mobile network, while users enjoy the great conveniences brought by mobile services, they simultaneously face a great deal of security threats, such as diverse network attacks and privacy leaks. The authentication protocol plays a great role in protecting the security and privacy of users as an indispensable security mechanism for various mobile services. It provides mutual authentication and user anonymity and establishes a secure session key for server and users [1].
With the continuous expansion of the scale of mobile services, multiserver mode has been widely adopted by numerous mobile service application systems [2]. When the traditional single-server authentication schemes are applied to a multiserver environment, it is extremely inconvenient for the user to register himself with every server and keep many pairs of identity and password. To overcome this problem, multiserver authentication schemes have been introduced [3–10]. These schemes let the user register once with the registration center and keep one pair of identity and password to obtain all the services. Multiserver authentication schemes are more attractive because of their high efficiency and convenience. On the other hand, multiserver authentication schemes have more requirements for security. The user employs the same authentication information to access diverse servers. If the authentication information is compromised, it will bring tremendous damage to the user’s assets. Besides, a malicious server may masquerade as another server to defraud the user or impersonate the user to access a server based on the secret it has. This privileged insider attack should be overcome.
In the past 20 years, many multiserver authentication schemes using password and smart card have been put forward [11–16]. However, the smart card may be lost or stolen, and a malicious attacker can retrieve the data in the smart card by side channel attack. This increases the risk of security breach [17]. To overcome this weakness, a biometric authentication element has been added to authentication schemes in recent years because of its good characteristics. Three-factor authentication schemes that adopt password, smart card, and biometric facilitate better security.
Recently, some three-factor multiserver authentication schemes have been introduced. In 2010, Yoon et al. [18] introduced an efficient biometric-based multiserver authentication scheme using elliptic curve cryptosystem (ECC). Later on, Kim et al. [19] pointed out that Yoon et al.’s scheme cannot resist smart card loss attack and forgery attack and fails to provide forward secrecy. In 2015, Amin et al. [20] proposed a three-factor multiserver authentication scheme using bilinear pairing. Afterwards, Chandrakar et al. [21] proved that Amin et al.’s scheme is susceptible to offline password guessing attack and impersonation attack and fails to achieve user anonymity. He et al. [22] introduced a biometric-based multiserver authentication scheme using fuzzy extractor and ECC and claimed their scheme achieves intrinsically three-factor secrecy. But we observed that He et al.’s scheme is susceptible to known session-specific temporary information attack and cannot detect a wrong password and biometric immediately. In 2016, Wang et al. [23] presented a three-factor multiserver authentication scheme using hash function and fuzzy extractor. But Yang et al. [24] pointed out that Wang et al.’s scheme cannot resist user impersonation attack and fails to achieve forward secrecy. In 2017, Kumari et al. [25] proposed a biometric-based multi-cloud-server authentication scheme using ECC and biohash function. However, Feng et al. [26] demonstrated that Kumari et al.’s scheme suffers from server impersonation attack and introduced an enhanced scheme. Unfortunately, we found that Feng et al.’s scheme fails to achieve three-factor secrecy and suffers from known session-specific temporary information attack. Ali et al. [27] introduced a three-factor multiserver authentication scheme using symmetric encryption and ECC and claimed their scheme is resistant to a variety of security attacks. However, we found that Ali et al.’s scheme is not as secure as claimed, and we demonstrate that it is vulnerable to a variety of serious security attacks.
Either the existing three-factor multiserver authentication schemes [18–30] have more or less vulnerabilities, or their communication and computation costs need to be improved. This motivates us to design a secure three-factor multiserver authentication scheme with higher efficiency. Our contributions are summed up as follows.
(1) We prove that Ali et al.’s scheme suffers from user impersonation attack, privileged insider attack, server impersonation attack, denial of service attack, and known session-specific temporary information attack. Besides, the scheme fails to achieve forward secrecy and three-factor secrecy.
(2) We propose a novel biometric-based multiserver authentication scheme using ECC. Formal security analysis under the random oracle model proves our scheme is provably secure. BAN logic proof proves the completeness of our scheme. Moreover, informal analysis demonstrates our scheme achieves various desirable features and is resistant to all known attacks.
(3) In addition, the performance and security comparison shows that our scheme achieves superior security properties. Moreover, our scheme has the least communication overhead and computation cost.
1.1. Adversary Model
When evaluating a three-factor multiserver authentication scheme, the capacities of adversary are described as follows.
(1) may be an external attacker or a privileged insider.
(2) can fully control the public channel; namely, is able to interrupt, eavesdrop, forge, and modify the messages transmitted via public channel.
(3) is able to enumerate all the values in in polynomial time, where denotes the password space and denotes the identity space [31].
(4) is able to get user’s password by shoulder surfing. can retrieve the data in smart card by power consumption analysis. is able to get the biometric of user by a malicious terminal [32].
(5) When evaluating three-factor secrecy, is able to get any two kinds of authentication elements at the same time but cannot get all [26].
(6) When evaluating forward secrecy, can get the master key of RC or the secret key of server.
The user tends to choose an easy-to-remember password with low strength. The user identity usually is based on the predefined format. The identity and password may be of low entropy and can be easily guessed. According to the adversary model presented by Wang et al. [31], we assume the adversary is able to enumerate all the values in in polynomial time.
Three-factor secrecy denotes that if any two kinds of authentication elements are compromised, the attacker still cannot breach the other one and damage the security of the system [26]. Such a consideration is of practical significance. The adversary may get user’s password by shoulder surfing or the data in smart card via side channel attack. Moreover, the adversary is able to obtain the biometric of user by a malicious biometric-based terminal.
1.2. The Organization of Paper
The structure of this paper is arranged as follows. We briefly review and cryptanalyze Ali et al.’s scheme in Sections 2 and 3. Section 4 introduces a novel biometric-based authentication scheme for multiserver environment. We give the security proof and informal security analysis of the proposed scheme in Sections 5 and 6. Section 7 gives the security and performance comparison of the relevant schemes. Section 8 concludes the paper. In addition, we sum up the notations of this paper in Table 1.

2. Review of Ali et al.’s Scheme
Ali et al.’s scheme consists of four phases: initial phase, server registration phase, user registration phase, and login and authentication phase.
2.1. Initial Phase
RC chooses its master key x. Then RC selects an elliptic curve group and a generator of .
2.2. Server Registration Phase
enrolls with RC in the following steps.
Step 1. The server picks its identity and sends as a registration request to RC through the reliable channel.
Step 2. Upon receiving from , RC computes and returns to through the reliable channel.
Step 3. keeps as secret.
2.3. User Registration Phase
enrolls with RC in the following steps.
Step 1. picks his identity and password freely and imprints his biometric . sends the registration request to RC through the reliable channel.
Step 2. Upon receiving from , RC computes , , , , where is a random number. RC stores in a smart card and transmits it to through the reliable channel.
Step 3. calculates and stores in his smart card.
2.4. Login and Authentication Phase
and authenticate each other and establish a session key drawing support from RC as shown in Figure 1.
Step 1. attaches the smart card to a terminal, inputs and , and imprints . The smart card calculates and checks if . If the equation holds, proceed to the next step.
Step 2. computes , , , , where is a random number. sends to RC through the public communication channel.
Step 3. After receiving , RC computes , , , , and compares with . If they are equal, proceed to the next step.
Step 4. RC computes , , , , , where is a random number. RC sends to .
Step 5. Upon receiving , computes , , and checks if . If it holds, computes , , , where is a random number. sends to .
Step 6. Upon receiving , computes , , and checks if . If the equation holds, computes , . replaces with in his smart card and sends to .
Step 7. Upon receiving , computes , and checks if . If the equation holds, and authenticate each other and establish a session key successfully.
3. Cryptanalysis of Ali et al.’s Scheme
In this section, we demonstrate that Ali et al.’s scheme is susceptible to several security attacks. Note that we cryptanalyze Ali et al.’s scheme on the basis of the adversary capacities mentioned in Section 1.
3.1. Forward Secrecy
The adversary compromises the master key x, and intercepts and from public channel. Then is able to retrieve the session key in the following steps.
Step 1. Compute , .
Step 2. Compute .
Step 3. Compute .
Step 4. Compute .
3.2. User Impersonation Attack
The adversary gets ’s identity by shoulder surfing and ’s biometric by a malicious terminal and intercepts from public channel. Then performs user impersonation attack in the following steps.
Step 1. computes, , , , where is a random number. sends to RC.
Step 2. Upon receiving , RC computes ), , , , obviously =. Then RC computes , , , , , where is a random number. RC sends to .
Step 3. Upon receiving , computes , , , obviously . Then computes , , , where is a random number. sends to .
Step 4. Upon receiving , computes , , , and sends to .
Step 5. Upon receiving , computes , , obviously . regards as legitimate user .
3.3. Server Impersonation Attack
The adversary obtains ’s biometric and intercepts from public channel. Afterwards, performs server impersonation attack in the following steps.
Step 1. chooses two random numbers and computes , , , , , , , where is a random binary string whose length is equal with . sends to .
Step 2. Upon receiving , computes , , , obviously ; regards as the server . computes , . replaces with in his smart card, sends to .
Step 3. Upon receiving , computes . establishes a session key with successfully.
3.4. Denial of Service Attack
In the process of server impersonation attack, the adversary delivers a forged dynamic identity to . believes its validity and stores it in the smart card. When intends to access the server, sends a login request with to RC. As is a random binary string rather than the encryption results of and a random number, RC rejects the login request. In addition, cannot log in to any server unless re-registering with RC.
3.5. Privileged Insider Attack
In the authentication phase of Ali et al.’s scheme, and new dynamic identity is exposed to . With and , who acts as a privileged insider can masquerade as user to access server or impersonate the other server to defraud . As the attack procedures are the same as the aforementioned user impersonation attack and server impersonation attack, we omit them.
3.6. Known Session-Specific Temporary Information Attack
Known session-specific temporary information attack is a cryptanalysis under the circumstance that a temporary secret value such as a random number is leaked and the adversary tries to breach the current session key. Suppose that obtains ’s biometric and intercepts from public channel. In the case that random number is compromised, can get the session key in the following steps.
Step 1. Compute .
Step 2. Compute .
Step 3. Compute .
Step 4. Compute .
Step 5. Compute .
3.7. Three-Factor Secrecy
In case that ’s smart card and biometric are breached, the adversary is able to acquire ’s password via the following steps.
Step 1. Guess the value of to be from identity dictionary space; guess the value of to be from identity dictionary space.
Step 2. Compute ; check if . If the equation holds, it shows that is ’s real identity and is ’s correct password.
Step 3. Repeat Steps 1 and 2, until finds the correct and .
When the smart card and biometric of user are compromised, the attacker is able to breach the password. On the other hand, is able to impersonate user successfully as long as he gets the biometric of user. Ali et al.’s scheme fails to achieve three-factor secrecy.
4. The Proposed Scheme
In this section, we present a biometric-based remote user authentication scheme for multiserver environment. The proposed scheme includes the following five phases.
4.1. Initial Phase
RC chooses an elliptic curve group of order p and a generator of . RC generates a random number and computes . RC publishes and keeps as secret.
4.2. Server Registration Phase
The server registers with RC in the following steps.
Step 1. picks its identity freely and delivers to RC through the reliable channel.
Step 2. Upon receiving , RC calculates and returns to via the reliable channel.
Step 3. keeps as secret.
4.3. User Registration Phase
The user registers with RC in the following steps, as described in Figure 2.
Step 1. chooses his identity and password freely and imprints his biometric . calculates , where is a random number. Afterwards, is transmitted to RC through the reliable channel.
Step 2. Upon receiving , RC computes , , , where . RC stores in a smart card and transmits it to via the reliable communication channel.
Step 3. stores in the smart card.
4.4. Login and Authentication Phase
The user and the server authenticate each other and establish a session key with the aid of RC in the following steps, as shown in Figure 3.
Step 1. attaches the smart card to a terminal, enters and , and imprints . Then the smart card calculates , and checks if . If this equation holds, the smart card computes , , , , where is a random number. is transmitted to RC via the public channel.
Step 2. After receiving , RC computes , , and checks if . If the equation holds, RC computes , , . is transmitted to .
Step 3. After receiving , computes , and checks if is equal to . If it holds, computes , , ), , where is a random number. is transmitted to .
Step 4. After receiving , computes , , and checks if . If the equation holds, computes and sends to .
Step 5. After receiving , computes and checks if . If the equation holds, establishes a session key with successfully.
4.5. Password Update Phase
changes his original password to a new one in the following steps, as described in Figure 4.
Step 1. attaches his smart card to a terminal, enters and , and imprints . The smart card calculates , and checks . If it holds, the smart card asks the user to input a new password.
Step 2. enters his new password . Then the smart card calculates , , . The smart card stores in the smart card and removes .
5. Security Proof
5.1. Formal Security Analysis
We describe the formal security model for three-factor multiserver authentication schemes proposed by Feng et al. [26] and prove the proposed scheme is provably secure in this model.
5.1.1. Security Model
Participants. There are three types of principals in a multiserver authentication scheme, that is, the user , the server , and the registration center RC. Every kind of participant has many instances. We use , , and to denote them.
Queries. The abilities of adversary are modeled by asking the following queries.
Execute . The query simulates the eavesdropping attack. It returns the transcripts of the transmitted messages in public channel to the adversary.
Send . It allows the adversary to masquerade as a principal and send a message . The oracle handles the message and gives a response to the adversary.
Reveal . This query discloses the session key of instance or to the adversary. However, if instance or does not establish a session key, it returns an invalid symbol .
Corrupt (). This query reveals one or two authentication factors of user to the adversary. Note that the adversary cannot get all the three authentication factors at the same time, as he would then be no different from a legitimate user.
When , it returns the password of to the adversary.
When , it returns the data in ’s smart card.
When , it returns the biometric of .
Corrupt . This query simulates the forward secrecy attack; it answers the master key x or the secret key to the adversary.
Test . The query is used to evaluate the semantic security of session key. The adversary is allowed to make the query no more than once. If the instance or is fresh (see below), the oracle flips a coin . If , it returns the session key to the adversary. If , it returns a random string of the same size to the adversary.
Freshness. The instance or is fresh, if the following conditions are satisfied.
(1) The instance is accepted and establishes a session key.
(2) The instance and its partner that belongs to the same session are never made a reveal query.
(3) The adversary never asks the Corrupt () query.
(4) The adversary never makes a Corrupt () query.
Semantic Security. The adversary makes a series of aforementioned queries in polynomial time. Eventually, the adversary deduces the value of involved in test query to be . We denote the advantage that the adversary breaches the semantic security of our scheme as Our protocol is secure, if for any adversary the advantage is negligible.
5.1.2. Formal Security Proof
The formal security proof of the proposed scheme relies on the presumed hardness of the elliptic curve Diffie–Hellman problem defined below.
The Elliptic Curve Diffie–Hellman Problem (ECDHP). Let be an elliptic curve group of order p, and let P be a generator of . For given , where , , it is infeasible to compute in polynomial time.
Theorem 1. We use P to denote the proposed scheme. There is an adversary who tries to break the semantic security of our scheme. We assume that is able to make at most Send queries, Execute queries, Hash queries, Biohash queries, and Encryption/Decryption queries in polynomial time t. Then we have
where is the bit length of hash output. is the bit length of Biohash output. is the bit length of symmetric encryption output. The password dictionary space is . is the probability that the adversary solves the in polynomial time t.
The Proof. The advantage of breaking our scheme is deduced via a series of games from to . denotes the event that the adversary correctly guesses the value of involved in test query in game . And is the probability of the event .
: it represents the real attack; obviously, we have
By a further transformation, we have
: in this game, the hash oracle, biohash oracle, and encryption/decryption oracle are simulated by maintaining a hash list , a biohash list , and an encryption/decryption list . For a hash query , if there is an item () in , the oracle returns to the adversary. Otherwise, the oracle chooses a random number , returns to the adversary, and adds the item () to . The biohash oracle is simulated in the same way. For an encryption query , if there is an item () in , the oracle returns to the adversary. Otherwise, the oracle chooses a value from cipher text space, returns to the adversary, and adds the item () to . For a decryption query , if there is an item () in , the oracle returns to the adversary. Otherwise, the oracle chooses a value from plaintext space, returns to the adversary, and adds the item () to . Besides, all oracles involved in security model are simulated in this game. Obviously, this game has no difference with . We have
: we avoid the occurrence of some collisions in this game. is indistinguishable from , unless the following conditions occur.
(1) A collision happens in the output of hash function; the probability is less than .
(2) A collision happens in the output of biohash; the probability is no more than .
(3) A collision happens in the output of symmetric encryption; the probability is less than .
(4) A collision happens on or ; the probability is no more than .
So we have
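The list-based oracle simulation of the first simulated game, and the output collisions that the following game excludes, can be seen in a small added example (not code from the paper). The class and function names, the dictionary layout of the lists and the output lengths are assumptions chosen for illustration.

```python
import secrets


class SimulatedOracles:
    """Lazily sampled hash and encryption/decryption oracles backed by lists."""

    def __init__(self, out_bits: int):
        self.out_bits = out_bits   # assumed output length of every oracle
        self.hash_list = {}        # query -> answer
        self.enc_list = {}         # (key, plaintext) -> ciphertext
        self.dec_list = {}         # (key, ciphertext) -> plaintext

    def _sample(self) -> int:
        return secrets.randbits(self.out_bits)

    def hash(self, query: bytes) -> int:
        # Repeated query: answer from the list. New query: sample and record.
        if query not in self.hash_list:
            self.hash_list[query] = self._sample()
        return self.hash_list[query]

    def _record(self, key: bytes, plaintext: int, ciphertext: int) -> None:
        # One logical list item, indexed in both directions.
        self.enc_list[(key, plaintext)] = ciphertext
        self.dec_list[(key, ciphertext)] = plaintext

    def encrypt(self, key: bytes, plaintext: int) -> int:
        if (key, plaintext) not in self.enc_list:
            self._record(key, plaintext, self._sample())
        return self.enc_list[(key, plaintext)]

    def decrypt(self, key: bytes, ciphertext: int) -> int:
        # A ciphertext never produced by encrypt() still gets a consistent answer.
        if (key, ciphertext) not in self.dec_list:
            self._record(key, self._sample(), ciphertext)
        return self.dec_list[(key, ciphertext)]

    def hash_collisions(self) -> int:
        # Distinct queries that were given an already-used answer.
        return len(self.hash_list) - len(set(self.hash_list.values()))


def count_collisions(out_bits: int, queries: int) -> int:
    """Ask `queries` distinct hash queries and count colliding answers."""
    oracles = SimulatedOracles(out_bits)
    for n in range(queries):
        oracles.hash(n.to_bytes(4, "big"))
    return oracles.hash_collisions()


if __name__ == "__main__":
    o = SimulatedOracles(128)
    c = o.encrypt(b"k", 42)
    print("decrypt(encrypt(42)) =", o.decrypt(b"k", c))
    print("collisions,   8-bit output, 300 queries:", count_collisions(8, 300))
    print("collisions, 128-bit output, 300 queries:", count_collisions(128, 300))
```

With an 8-bit output, 300 distinct queries must collide; at 128 bits the same number of queries practically never does, which is why the collision terms in the bound shrink with the output length.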
: in this game, we avoid the situation that the adversary correctly guesses or without making the corresponding hash query. The probability is at most . Thus,
: this game averts the execution when the adversary correctly guesses the authentication value directly. The probability is at most . We get
: in this game, we avoid the occurrence that the adversary has computed the authentication value with the help of Corrupt (). The following three cases are included.
Case 1. The adversary queries Corrupt () and Corrupt (). To derive , the adversary still needs to get the biometric. The probability that he correctly guesses the biometric is at most
Case 2. The adversary queries Corrupt () and Corrupt (). The probability that he correctly guesses the password is less than .
Case 3. The adversary queries Corrupt () and Corrupt (). The probability that he correctly guesses the parameter is no more than .
The probability that the adversary gets is less than . We have
: in this game, we compute the session key using the private oracles instead of the hash oracle . As the private oracles are unknown to the adversary, we have
has no difference with , unless the adversary makes a hash query ; we denote the event as . We have
: we simulate the random self-reducibility of ECDHP in this game. For , through selecting randomly in , we can obtain the item containing with the probability . Since the event denotes that the adversary makes a hash query , we have
Through the series of games above, we have
5.2. Security Proof Using BAN Logic
In this section, we use BAN logic [33] to prove that our scheme achieves mutual authentication and establishes a secure session key. Table 2 describes the symbols and rules of BAN logic.

The goals that our scheme should achieve are as follows. Goal 1: Goal 2: Goal 3: Goal 4:
We idealized the proposed scheme as follows. M1: M2: M3: M4:
The initial assumptions of our scheme are given as follows. S1: S2: S3: S4: S5: S6: S7: S8: S9: S10: S11:
The proof of our scheme is performed as follows.
From M1, we have (1)
According to S1, (1) and message meaning rule, we obtain (2)
According to S2, (2) and nonce-verification rule, we obtain (3)
According to S3, (3) and jurisdiction rule, we obtain (4)
From M2, we have (5)
According to S4, (5) and message meaning rule, we obtain (6)
According to S5, (6) and nonce-verification rule, we obtain (7)
According to S6, (7) and jurisdiction rule, we obtain (8)
From M3, we have (9)
According to S7, (9) and message meaning rule, we obtain (10)
According to S8, (10) and nonce-verification rule, we obtain (11) (Goal 1)
According to S9, (11) and jurisdiction rule, we obtain (12) (Goal 2)
From M4, we have (13)
According to (8), (13) and message meaning rule, we obtain (14)
According to S10, (14) and nonce-verification rule, we obtain (15) (Goal 3)
According to S11, (15) and jurisdiction rule, we obtain (16) (Goal 4)
6. Informal Security Analysis
In this section, we demonstrate that our scheme achieves user anonymity, forward secrecy, and three-factor secrecy and is resistant to several known attacks.
6.1. User Anonymity
In our scheme, user’s identity is protected with symmetric encryption. As the key and is unavailable. cannot get any information about from the transmitted messages in public channel. In addition, cannot link two distinct messages to one user due to the existence of random number. Our scheme achieves user anonymity.
6.2. Forward Secrecy
Suppose that compromises the master key of RC and intercepts , from public channel. Then tries to compute the session key . can get and by computing , . To get , needs to derive from ,. It means that has to solve the elliptic curve Diffie–Hellman problem, which is computationally infeasible. Our scheme achieves forward secrecy.
6.3. Offline Password Guessing Attack
In the case that extracts from ’s smart card and obtains ’s biometric , tries to acquire the password of in the following steps.
Step 1. Choose an identity from identity dictionary space and a password from password dictionary space.
Step 2. Compute . Check .
Step 3. Repeat Steps 1 and 2, until finds a pair of satisfying .
However, even if finds a pair of satisfying , he cannot determine whether they are the real identity and password of . The proposed scheme employs the fuzzy validation of inputted authentication information. When and the identity and password both are 64 bits, there will be pairs of identity and password satisfying . The probability that each candidate is equal to the pair of identity and password of is , which is negligible. In our scheme, the identity and password of the user cannot be revealed even if both the smart card and biometric are compromised.
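The difference between the guessing procedure of Section 3.7 and the fuzzy validation described above is shown in the following added example, which is not code from the paper. The verifier formulas did not survive on this page, so `exact_verifier`, the fuzzy form h(h(ID, PW, bio) mod n0), the modulus name `N0` and all dictionary and biometric values are assumptions constructed for illustration.

```python
import hashlib
from itertools import product


def h(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return int.from_bytes(m.digest(), "big")


def exact_verifier(identity: bytes, password: bytes, bio: bytes) -> int:
    # Assumed exact check: the card stores a full-width hash, so only the
    # real (ID, PW) pair reproduces the stored value.
    return h(identity, password, bio)


def make_fuzzy_verifier(n0: int):
    # Assumed fuzzy check: the inner hash is reduced mod n0 before the outer
    # hash, so roughly 1/n0 of all (ID, PW) pairs reproduce the stored value.
    def verifier(identity: bytes, password: bytes, bio: bytes) -> int:
        inner = h(identity, password, bio) % n0
        return h(inner.to_bytes(8, "big"))
    return verifier


def candidates(stored, verifier, ids, pws, bio):
    """Every dictionary pair that passes the smart card's local check."""
    return [(i, p) for i, p in product(ids, pws)
            if verifier(i, p, bio) == stored]


# Constructed sample data: tiny dictionaries standing in for the identity and
# password spaces, and a placeholder biometric template.
ID_DICT = [f"user{n:03d}".encode() for n in range(64)]
PW_DICT = [f"pass{n:03d}".encode() for n in range(64)]
REAL_ID, REAL_PW = ID_DICT[17], PW_DICT[42]
BIO = b"constructed-biometric-template"
N0 = 16  # assumed modulus; larger dictionaries would use a larger value


def run_demo():
    """Return the pairs accepted by the exact and by the fuzzy check."""
    fuzzy = make_fuzzy_verifier(N0)
    exact_hits = candidates(exact_verifier(REAL_ID, REAL_PW, BIO),
                            exact_verifier, ID_DICT, PW_DICT, BIO)
    fuzzy_hits = candidates(fuzzy(REAL_ID, REAL_PW, BIO),
                            fuzzy, ID_DICT, PW_DICT, BIO)
    return exact_hits, fuzzy_hits


if __name__ == "__main__":
    exact_hits, fuzzy_hits = run_demo()
    print("pairs passing the exact check:", len(exact_hits))
    print("pairs passing the fuzzy check:", len(fuzzy_hits))
```

With the exact check, the stored value confirms a single pair offline. With the fuzzy check, the real pair is one of several hundred survivors, and each wrong survivor can only be ruled out by an online login attempt that RC can observe and limit.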
6.4. User Impersonation Attack
Assume that tries to impersonate user and forge a login requested message