Security and Communication Networks


Research Article | Open Access

Volume 2019 |Article ID 2838615 | 15 pages | https://doi.org/10.1155/2019/2838615

A Provably Secure Biometrics-Based Authentication Scheme for Multiserver Environment

Academic Editor: Carmen Fernandez-Gago
Received: 09 Mar 2019
Accepted: 09 Jun 2019
Published: 25 Jun 2019

Abstract

With the rapid development of mobile services, multiserver authentication protocols, with their high efficiency, have become an indispensable security mechanism for mobile services. Recently, Ali et al. introduced a biometric-based multiserver authentication scheme and claimed that it resists various attacks. However, after a careful examination, we find that Ali et al.’s scheme is vulnerable to user impersonation, server impersonation, privileged insider and denial of service attacks, and that it fails to provide forward secrecy and three-factor secrecy. To overcome these weaknesses, we propose an improved biometric-based multiserver authentication scheme using an elliptic curve cryptosystem. Formal security analysis under the random oracle model proves that our scheme is provably secure. Furthermore, BAN (Burrows-Abadi-Needham) logic analysis demonstrates that our scheme achieves mutual authentication and session key agreement. In addition, informal analysis shows that our scheme is secure against all currently known attacks and achieves the desirable features. Finally, the performance and security comparison shows that our scheme is superior to related schemes.

1. Introduction

Nowadays, millions of people enjoy various mobile services, such as mobile shopping, mobile entertainment, and mobile learning, on a variety of mobile devices. Because mobile networks are open, users who enjoy the convenience of mobile services simultaneously face a great many security threats, such as diverse network attacks and privacy leaks. As an indispensable security mechanism for mobile services, the authentication protocol plays a central role in protecting the security and privacy of users: it provides mutual authentication and user anonymity, and establishes a secure session key between server and user [1].

With the continuous expansion of mobile services, the multiserver mode has been widely adopted by mobile service application systems [2]. When traditional single-server authentication schemes are applied to a multiserver environment, it is extremely inconvenient for a user to register with every server and keep many pairs of identity and password. To overcome this problem, multiserver authentication schemes have been introduced [3–10]. These schemes let the user register once with the registration center and keep a single pair of identity and password to obtain all the services. Multiserver authentication schemes are attractive because of their efficiency and convenience, but they also have stricter security requirements. The user employs the same authentication information to access diverse servers; if that information is compromised, the damage to the user’s assets is correspondingly greater. Besides, a malicious server may masquerade as another server to defraud the user, or impersonate the user to access another server, using the secrets it holds. This privileged insider attack must be prevented.

In the past 20 years, many multiserver authentication schemes using a password and a smart card have been put forward [11–16]. However, a smart card may be lost or stolen, and a malicious attacker can retrieve the data in the smart card by side-channel attacks, which increases the risk of a security breach [17]. To overcome this weakness, a biometric authentication factor has been added to authentication schemes in recent years because of its good characteristics. Three-factor authentication schemes that combine password, smart card, and biometric offer better security.

Recently, some three-factor multiserver authentication schemes have been introduced. In 2010, Yoon et al. [18] introduced an efficient biometric-based multiserver authentication scheme using an elliptic curve cryptosystem (ECC). Later on, Kim et al. [19] pointed out that Yoon et al.’s scheme cannot resist smart card loss and forgery attacks and fails to provide forward secrecy. In 2015, Amin et al. [20] proposed a three-factor multiserver authentication scheme using bilinear pairing. Afterwards, Chandrakar et al. [21] showed that Amin et al.’s scheme is susceptible to offline password guessing and impersonation attacks and fails to achieve user anonymity. He et al. [22] introduced a biometric-based multiserver authentication scheme using a fuzzy extractor and ECC and claimed that their scheme intrinsically achieves three-factor secrecy. However, we observed that He et al.’s scheme is susceptible to the known session-specific temporary information attack and cannot detect a wrong password or biometric immediately. In 2016, Wang et al. [23] presented a three-factor multiserver authentication scheme using a hash function and a fuzzy extractor, but Yang et al. [24] pointed out that Wang et al.’s scheme cannot resist user impersonation attack and fails to achieve forward secrecy. In 2017, Kumari et al. [25] proposed a biometric-based multi-cloud-server authentication scheme using ECC and a bio-hash function. However, Feng et al. [26] demonstrated that Kumari et al.’s scheme suffers from server impersonation attack and introduced an enhanced scheme. Unfortunately, we found that Feng et al.’s scheme fails to achieve three-factor secrecy and suffers from the known session-specific temporary information attack. Ali et al. [27] introduced a three-factor multiserver authentication scheme using symmetric encryption and ECC and claimed that their scheme resists a variety of security attacks. However, we found that Ali et al.’s scheme is not as secure as claimed, by demonstrating that it is vulnerable to a variety of serious security attacks.

The existing three-factor multiserver authentication schemes [18–30] either have vulnerabilities of one kind or another, or have communication and computation costs that need to be improved. This motivates us to design a secure three-factor multiserver authentication scheme with higher efficiency. Our contributions are summed up as follows.
(1) We prove that Ali et al.’s scheme suffers from user impersonation attack, privileged insider attack, server impersonation attack, denial of service attack, and known session-specific temporary information attack. Besides, the scheme fails to achieve forward secrecy and three-factor secrecy.
(2) We propose a novel biometric-based multiserver authentication scheme using ECC. Formal security analysis under the random oracle model proves that our scheme is provably secure. A BAN logic proof establishes the completeness of our scheme. Moreover, informal analysis demonstrates that our scheme achieves various desirable features and resists all known attacks.
(3) In addition, the performance and security comparison shows that our scheme achieves superior security properties. Moreover, our scheme has the least communication overhead and computation cost.

1.1. Adversary Model

When evaluating a three-factor multiserver authentication scheme, the capabilities of the adversary are described as follows.
(1) The adversary may be an external attacker or a privileged insider.
(2) The adversary fully controls the public channel; namely, it is able to interrupt, eavesdrop on, forge, and modify the messages transmitted via the public channel.
(3) The adversary is able to enumerate every (identity, password) pair in the product of the identity space and the password space in polynomial time [31].
(4) The adversary is able to get the user’s password by shoulder surfing, to retrieve the data in the smart card by power consumption analysis, and to get the user’s biometric by means of a malicious terminal [32].
(5) When evaluating three-factor secrecy, the adversary is able to get any two kinds of authentication factors at the same time but cannot get all three [26].
(6) When evaluating forward secrecy, the adversary can get the master key of RC or the secret key of a server.

Users tend to choose easy-to-remember passwords with low strength, and user identities usually follow a predefined format. The identity and password may therefore be of low entropy and can be easily guessed. Following the adversary model presented by Wang et al. [31], we assume the adversary is able to enumerate every (identity, password) pair in the product of the identity space and the password space in polynomial time.

Three-factor secrecy denotes that if any two kinds of authentication elements are compromised, the attacker still cannot breach the other one and damage the security of the system [26]. Such a consideration is of practical significance. The adversary may get user’s password by shoulder surfing or the data in smart card via side channel attack. Moreover, the adversary is able to obtain the biometric of user by a malicious biometric-based terminal.

1.2. The Organization of Paper

The structure of this paper is arranged as follows. We briefly review and cryptanalyze Ali et al.’s scheme in Sections 2 and 3. Section 4 introduces a novel biometric-based authentication scheme for the multiserver environment. We give the formal security proof and the informal security analysis of the proposed scheme in Sections 5 and 6. Section 7 compares the security and performance of the relevant schemes. Section 8 concludes the paper. In addition, we sum up the notations of this paper in Table 1.


Table 1: Notations

Symbol    Description
          User
          Server
RC        Registration center
          Malicious adversary
x         Master key of RC
          Identity, password and biometric of the user
          Identity of the server
          A generator of the elliptic curve group
          Symmetric encryption/decryption algorithm with a given key
          Session key between the user and the server
          The string concatenation operation
          The bitwise XOR operation
          Hash function
          Bio-hash function; it maps the biometric and a tokenised random number to a random binary string

2. Review of Ali et al.’s Scheme

Ali et al.’s scheme consists of four phases: the initial phase, the server registration phase, the user registration phase, and the login and authentication phase.

2.1. Initial Phase

RC chooses its master key x. Then RC selects an elliptic curve group and a generator of .

2.2. Server Registration Phase

enrolls with RC in the following steps.

Step 1. The server picks its identity and sends as a registration request to RC through the reliable channel.

Step 2. Upon receiving from , RC computes and returns to through the reliable channel.

Step 3. keeps as secret.

2.3. User Registration Phase

enrolls with RC in the following steps.

Step 1. picks his identity and password freely and imprints his biometric . sends the registration request to RC through the reliable channel.

Step 2. Upon receiving from , RC computes , , , , where is a random number. RC stores in a smart card and transmits it to through the reliable channel.

Step 3. calculates and stores in his smart card.

2.4. Login and Authentication Phase

The user and the server authenticate each other and establish a session key with the help of RC, as shown in Figure 1.

Step 1. attaches the smart card to a terminal, inputs and , and imprints . The smart card calculates and checks if . If the equation holds, proceed to the next step.

Step 2. computes , , , , where is a random number. sends to RC through the public communication channel.

Step 3. After receiving , RC computes , , , , and compares with . If they are equal, proceed to the next step.

Step 4. RC computes , , , , , where is a random number. RC sends to .

Step 5. Upon receiving , computes , , and checks if . If it holds, computes , , , where is a random number. sends to .

Step 6. Upon receiving , computes , , and checks if . If the equation holds, computes , . replaces with in his smart card and sends to .

Step 7. Upon receiving , computes , and checks if . If the equation holds, and authenticate each other and establish a session key successfully.

3. Cryptanalysis of Ali et al.’s Scheme

In this section, we demonstrate that Ali et al.’s scheme is susceptible to several security attacks. Note that we cryptanalyze Ali et al.’s scheme on the basis of the adversary capabilities described in Section 1.1.

3.1. Forward Secrecy

Suppose the adversary compromises the master key x and intercepts the messages and from the public channel. Then the adversary is able to retrieve the session key in the following steps.

Step 1. Compute , .

Step 2. Compute .

Step 3. Compute .

Step 4. Compute .

3.2. User Impersonation Attack

The adversary gets the user’s identity by shoulder surfing and the user’s biometric by a malicious terminal, and intercepts from the public channel. Then the adversary performs a user impersonation attack in the following steps.

Step 1. computes, , , , where is a random number. sends to RC.

Step 2. Upon receiving , RC computes ), , , , obviously =. Then RC computes , , , , , where is a random number. RC sends to .

Step 3. Upon receiving , computes , , , obviously . Then computes , , , where is a random number. sends to .

Step 4. Upon receiving , computes , , , and sends to .

Step 5. Upon receiving , computes , , obviously . regards as legitimate user .

3.3. Server Impersonation Attack

The adversary obtains the user’s biometric and intercepts from the public channel. Afterwards, the adversary performs a server impersonation attack in the following steps.

Step 1. The adversary chooses two random numbers and computes , , , , , , , where is a random binary string whose length equals that of . The adversary sends to the user.

Step 2. Upon receiving , computes , , , obviously ; regards as the server . computes , . replaces with in his smart card, sends to .

Step 3. Upon receiving , computes . establishes a session key with successfully.

3.4. Denial of Service Attack

In the process of the server impersonation attack, the adversary delivers a forged dynamic identity to the user. The user believes it is valid and stores it in the smart card. When the user subsequently intends to access a server, he sends a login request carrying the forged dynamic identity to RC. As it is a random binary string rather than the encryption of the user’s identity and a random number, RC rejects the login request. Consequently, the user cannot log in to any server unless he reregisters with RC.

3.5. Privileged Insider Attack

In the authentication phase of Ali et al.’s scheme, the value and the new dynamic identity of the user are exposed to the server. With these values, a server that acts as a privileged insider can masquerade as the user to access another server, or impersonate another server to defraud the user. As the attack procedures are the same as the user impersonation attack and server impersonation attack described above, we omit them.

3.6. Known Session-Specific Temporary Information Attack

The known session-specific temporary information attack is a cryptanalysis in which a temporary secret value, such as a random number, is leaked and the adversary tries to recover the current session key. Suppose that the adversary obtains the user’s biometric and intercepts from the public channel, and that the random number of the current session is compromised. Then the adversary can get the session key in the following steps.

Step 1. Compute .

Step 2. Compute .

Step 3. Compute .

Step 4. Compute .

Step 5. Compute .

3.7. Three-Factor Secrecy

In case the user’s smart card and biometric are compromised, the adversary is able to acquire the user’s password via the following steps.

Step 1. Guess the value of the identity to be a candidate from the identity dictionary space, and guess the value of the password to be a candidate from the password dictionary space.

Step 2. Compute ; check if . If the equation holds, it shows that is ’s real identity and is ’s correct password.

Step 3. Repeat Steps 1 and 2, until finds the correct and .

When the smart card and biometric of the user are compromised, the attacker is able to recover the password. On the other hand, the adversary is able to impersonate the user successfully as long as he obtains the biometric of the user. Hence Ali et al.’s scheme fails to achieve three-factor secrecy.

4. The Proposed Scheme

In this section, we present a biometric-based remote user authentication scheme for multiserver environment. The proposed scheme includes the following five phases.

4.1. Initial Phase

RC chooses an elliptic curve group of order p and a generator of . RC generates a random number and computes . RC publishes and keeps as secret.

4.2. Server Registration Phase

The server registers with RC in the following steps.

Step 1. picks its identity freely and delivers to RC through the reliable channel.

Step 2. Upon receiving , RC calculates and returns to via the reliable channel.

Step 3. keeps as secret.

4.3. User Registration Phase

The user registers with RC in the following steps, as described in Figure 2.

Step 1. chooses his identity and password freely and imprints his biometric . calculates , where is a random number. Afterwards, is transmitted to RC through the reliable channel.

Step 2. Upon receiving , RC computes , , , where . RC stores in a smart card and transmits it to via the reliable communication channel.

Step 3. stores in the smart card.

4.4. Login and Authentication Phase

The user and the server authenticate each other and establish a session key with the aid of RC in the following steps, as shown in Figure 3.

Step 1. attaches the smart card to a terminal, enters and , and imprints . Then the smart card calculates , and checks if . If this equation holds, the smart card computes , , , , where is a random number. is transmitted to RC via the public channel.

Step 2. After receiving , RC computes , , and checks if . If the equation holds, RC computes , , . is transmitted to .

Step 3. After receiving , computes , and checks if is equal to . If it holds, computes , , ), , where is a random number. is transmitted to .

Step 4. After receiving , computes , , and checks if . If the equation holds, computes and sends to .

Step 5. After receiving , computes and checks if . If the equation holds, establishes a session key with successfully.

4.5. Password Update Phase

The user changes his original password to a new one in the following steps, as described in Figure 4.

Step 1. attaches his smart card to a terminal, enters and , and imprints . The smart card calculates , and checks . If it holds, the smart card asks the user to input a new password.

Step 2. enters his new password . Then the smart card calculates , , . The smart card stores in the smart card and removes .

5. Security Proof

5.1. Formal Security Analysis

We describe the formal security model for three-factor multiserver authentication schemes proposed by Feng et al. [26] and prove that the proposed scheme is provably secure in this model.

5.1.1. Security Model

Participants. There are three types of principals in multiserver authentication scheme, that is, the user , the server , and the registration center RC. Every kind of participant has many instances. We use , , and denote them.

Queries. The abilities of adversary are modeled by asking the following queries.

Execute . This query simulates an eavesdropping attack. It returns the transcript of the messages transmitted over the public channel to the adversary.

Send . This query allows the adversary to masquerade as a principal and send a message to an instance. The oracle processes the message and returns a response to the adversary.

Reveal . This query discloses the session key of instance or to the adversary. However, if instance or does not establish a session key, it returns an invalid symbol .

Corrupt (). This query reveals one or two authentication factors of the user to the adversary. Note that the adversary cannot get all three authentication factors at the same time, since it would then be indistinguishable from a legitimate user.

When , it returns the password of to the adversary.

When , it returns the data in ’s smart card.

When , it returns the biometric of .

Corrupt . This query simulates the forward secrecy attack; it returns the master key x or the secret key of a server to the adversary.

Test . The query is used to evaluate the semantic security of session key. The adversary is allowed to make the query no more than once. If the instance or is fresh (see below), the oracle flips a coin . If , it returns the session key to the adversary. If , it returns a random string of the same size to the adversary.

Freshness. The instance or is fresh if the following conditions are satisfied.
(1) The instance has accepted and established a session key.
(2) Neither the instance nor its partner in the same session has been asked a Reveal query.
(3) The adversary never asks the Corrupt () query.
(4) The adversary never makes a Corrupt () query.

Semantic Security. The adversary makes a series of the aforementioned queries in polynomial time. Eventually, the adversary outputs a guess for the bit involved in the Test query. We denote the advantage with which the adversary breaks the semantic security of our scheme as follows.

Our protocol is secure if, for any adversary, this advantage is negligible.

5.1.2. Formal Security Proof

The formal security proof of the proposed scheme relies on the presumed hardness of the elliptic curve Diffie–Hellman problem defined below.

The Elliptic Curve Diffie–Hellman Problem (ECDHP). Let be an elliptic curve group of order p, and let P be a generator of . Given , where , , it is infeasible to compute in polynomial time.

Theorem 1. We use P to denote the proposed scheme. There is an adversary who tries to break the semantic security of our scheme. We assume that is able to make at most Send queries, Execute queries, Hash queries, Bio-hash queries, and Encryption/Decryption queries in polynomial time t. Then we have

where is the bit length of the hash output, is the bit length of the bio-hash output, and is the bit length of the symmetric encryption output. The password dictionary space is . is the probability that the adversary solves the ECDHP in polynomial time t.

The Proof. The advantage of breaking our scheme is deduced via a series of games from to . denotes the event that the adversary correctly guesses the value of involved in test query in game . And is the probability of the event .

: it represents the real attack; obviously, we have

By a further transformation, we have

: in this game, the hash oracle, bio-hash oracle, and encryption/decryption oracle are simulated by maintaining a hash list , a bio-hash list , and an encryption/decryption list . For a hash query , if there is an item () in , the oracle returns to the adversary. Otherwise, the oracle chooses a random number , returns to the adversary, and adds the item () to . The bio-hash oracle is simulated in the same way. For an encryption query , if there is an item () in , the oracle returns to the adversary. Otherwise, the oracle chooses a value from the ciphertext space, returns to the adversary, and adds the item () to . For a decryption query , if there is an item () in , the oracle returns to the adversary. Otherwise, the oracle chooses a value from the plaintext space, returns to the adversary, and adds the item () to . Besides, all the other oracles involved in the security model are simulated in this game. This game is perfectly indistinguishable from the real attack, so we have

: we avoid the occurrence of some collisions in this game. This game is indistinguishable from the previous one unless one of the following collisions occurs.
(1) A collision in the output of the hash function; the probability is less than .
(2) A collision in the output of the bio-hash; the probability is no more than .
(3) A collision in the output of the symmetric encryption; the probability is less than .
(4) A collision on or ; the probability is no more than .

So we have

: in this game, we avoid the situation that the adversary correctly guesses or without making the corresponding hash query. The probability is at most . Thus,

: this game aborts the execution if the adversary correctly guesses the authentication value directly. The probability is at most . We get

: in this game, we avoid the occurrence that the adversary has computed the authentication value with the help of Corrupt (). The following three cases are included.

Case 1. The adversary queries Corrupt () and Corrupt (). To derive , the adversary still needs to get the biometric. The probability that he correctly guesses the biometric is at most

Case 2. The adversary queries Corrupt () and Corrupt (). The probability that he correctly guesses the password is less than .

Case 3. The adversary queries Corrupt () and Corrupt (). The probability that he correctly guesses the parameter is no more than .

The probability that the adversary gets is less than . We have

: in this game, we compute the session key using a private oracle instead of the hash oracle . As the private oracle is unknown to the adversary, we have

has no difference with , unless the adversary makes a hash query ; we denote the event as . We have

: we use the random self-reducibility of ECDHP in this game. For , by selecting randomly in , we can obtain the item containing with probability . Since the event denotes that the adversary makes a hash query , we have

Through the series of games above, we have

5.2. Security Proof Using BAN Logic

In this section, we use BAN logic [33] to prove that our scheme achieves mutual authentication and establishes a secure session key. Table 2 describes the symbols and rules of BAN logic.


Table 2: Notations and rules of BAN logic

Notation    Meaning
            A principal
            A statement
K           A key
            P sees X: P receives a message containing X
            P said X: P sent a message including X
            P believes X is true
            P and Q share a secret
            X is fresh
            P and Q share a key K
            X is encrypted under the key K
            X is combined with a secret Y
            P has jurisdiction over X
            Message meaning rule (two forms)
            Belief rule
            Nonce-verification rule
            Jurisdiction rule

The goals that our scheme should achieve are as follows.
Goal 1:
Goal 2:
Goal 3:
Goal 4:

We idealize the proposed scheme as follows.
M1:
M2:
M3:
M4:

The initial assumptions of our scheme are given as follows.
S1:
S2:
S3:
S4:
S5:
S6:
S7:
S8:
S9:
S10:
S11:

The proof of our scheme is performed as follows.

From M1, we have(1)

According to S1, (1) and message meaning rule, we obtain(2)

According to S2, (2) and nonce-verification rule, we obtain(3)

According to S3, (3) and jurisdiction rule, we obtain(4)

From M2, we have(5)

According to S4, (5) and message meaning rule, we obtain(6)

According to S5, (6) and nonce-verification rule, we obtain(7)

According to S6, (7) and jurisdiction rule, we obtain(8)

From M3, we have(9)

According to S7, (9) and message meaning rule, we obtain(10)

According to S8, (10) and nonce-verification rule, we obtain(11)(Goal 1)

According to S9, (11) and jurisdiction rule, we obtain(12)(Goal 2)

From M4, we have(13)

According to (8), (13) and message meaning rule, we obtain(14)

According to S10, (14) and nonce-verification rule, we obtain(15)(Goal 3)

According to S11, (15) and jurisdiction rule, we obtain(16)(Goal 4)

6. Informal Security Analysis

In this section, we demonstrate that our scheme achieves user anonymity, forward secrecy, and three-factor secrecy and is resistant to several known attacks.

6.1. User Anonymity

In our scheme, the user’s identity is protected with symmetric encryption. As the keys and are unavailable to the adversary, the adversary cannot obtain any information about the identity from the messages transmitted over the public channel. In addition, the adversary cannot link two distinct messages to one user because of the random numbers involved. Our scheme therefore achieves user anonymity.

6.2. Forward Secrecy

Suppose that the adversary compromises the master key of RC and intercepts the messages , from the public channel. Then the adversary tries to compute the session key . The adversary can get and by computing , . To get , the adversary still needs to derive from , ; this means solving the elliptic curve Diffie–Hellman problem, which is assumed to be computationally infeasible (Section 5.1.2). Our scheme therefore achieves forward secrecy.
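The following Python model is an added example and is not the paper’s protocol or code. It contrasts the two ways of deriving a session key that Sections 3.1 and 6.2 compare: one that hashes long-term secrets together with transported nonces, which a later compromise of the master key x recovers from the transcript, and one that hashes an ephemeral ECDH point, where x only lets the attacker decrypt the two transported public points. The curve (secp256k1), the use of SHA-256 as h(.), the keystream cipher standing in for the symmetric encryption E_k, and all function names are assumptions made for the illustration.

```python
"""Forward secrecy: long-term-secret KDF versus ephemeral ECDH (added example)."""
import hashlib
import secrets

# secp256k1 domain parameters: an assumption, the paper does not name its curve.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    """Affine addition on y^2 = x^3 + 7 over GF(P_MOD); None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, p):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r

def enc_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(*parts):
    """h(.) as SHA-256 over the concatenation of the inputs (assumed hash)."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hashlib.sha256(data).digest()

def _keystream_xor(key, iv, data):
    stream = b"".join(hashlib.sha256(key + iv + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def toy_enc(key, data):
    """Stand-in for E_k: random IV plus a SHA-256 keystream. Not a real cipher."""
    iv = secrets.token_bytes(16)
    return iv + _keystream_xor(key, iv, data)

def toy_dec(key, blob):
    return _keystream_xor(key, blob[:16], blob[16:])

def server_key(x, sid):
    """RC derives the server's long-term key from master key x (cf. Section 4.2)."""
    return h(x, sid)

def weak_session(x, sid=b"S1"):
    """SK = h(k_j, r_u, r_s): everything SK depends on is recoverable from x."""
    k_j = server_key(x, sid)
    r_u, r_s = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = (sid, toy_enc(k_j, r_u), toy_enc(k_j, r_s))
    return h(k_j, r_u, r_s), transcript

def weak_attack(x, transcript):
    """Master key learnt afterwards: decrypt the nonces, recompute the old SK."""
    sid, c_u, c_s = transcript
    k_j = server_key(x, sid)
    return h(k_j, toy_dec(k_j, c_u), toy_dec(k_j, c_s))

def ecdh_session(x, sid=b"S1"):
    """SK = h(abP): a and b are ephemeral and never leave their owners."""
    k_j = server_key(x, sid)
    a, b = 1 + secrets.randbelow(N_ORD - 1), 1 + secrets.randbelow(N_ORD - 1)
    A, B = ec_mul(a, G), ec_mul(b, G)
    transcript = (sid, toy_enc(k_j, enc_point(A)), toy_enc(k_j, enc_point(B)))
    sk_user, sk_server = h(enc_point(ec_mul(a, B))), h(enc_point(ec_mul(b, A)))
    assert sk_user == sk_server  # both sides hold the same point abP
    return sk_user, transcript

def ecdh_attack(x, transcript):
    """With x the attacker decrypts aP and bP, but deriving abP is ECDHP: the only
    generic move is to guess b, which succeeds with probability about 1/N_ORD."""
    sid, c_a, _c_b = transcript
    raw = toy_dec(server_key(x, sid), c_a)
    A = (int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big"))
    return h(enc_point(ec_mul(1 + secrets.randbelow(N_ORD - 1), A)))

if __name__ == "__main__":
    x = secrets.randbelow(N_ORD)
    sk, tr = weak_session(x)
    print("weak variant: attacker recovers SK ->", weak_attack(x, tr) == sk)
    sk, tr = ecdh_session(x)
    print("ECDH variant: attacker recovers SK ->", ecdh_attack(x, tr) == sk)
```

Run it directly to see the two outcomes. The attacker function for the ECDH variant can only guess an exponent, which is exactly the ECDHP instance the section refers to. Two practical caveats: the scalar multiplication above is not constant-time, and forward secrecy holds only if a and b are erased once the session key is derived; a leaked temporary value is the setting of the known session-specific temporary information attack in Section 3.6.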

6.3. Offline Password Guessing Attack

In case the adversary extracts from the user’s smart card and obtains the user’s biometric , the adversary tries to acquire the password of the user in the following steps.

Step 1. Choose an identity from identity dictionary space and a password from password dictionary space.

Step 2. Compute . Check .

Step 3. Repeat Steps 1 and 2, until finds a pair of satisfying .

However, even if the adversary finds a pair satisfying , he cannot determine whether it is the real identity and password of the user. The proposed scheme employs fuzzy validation of the inputted authentication information. When and the identity and password are both 64 bits, there will be pairs of identity and password satisfying . The probability that a given candidate equals the real identity and password of the user is , which is negligible. In our scheme, the adversary is therefore unable to recover the identity and password of the user even if both the smart card and the biometric are compromised.
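As an added illustration (not the paper’s code) of the argument in Sections 3.7 and 6.3, the Python below runs the offline enumeration against two kinds of stored verifier: an exact hash of the (identity, password, biometric) triple, which singles out the real pair, and a fuzzy verifier in the sense described above, where the hash is reduced modulo a small n_0 before being hashed again, so that many pairs pass the check. The concrete construction, the toy sizes (8-bit identities, 10-bit passwords, n_0 = 2^8), the constructed biometric key and SHA-256 as h(.) are assumptions chosen so the full enumeration runs in about a second; the paper’s own parameters are larger.

```python
"""Offline guessing against an exact verifier versus a fuzzy verifier (added example)."""
import hashlib

# Toy parameters (assumptions): 8-bit identities, 10-bit passwords, n_0 = 2^8.
ID_BITS, PW_BITS, N0 = 8, 10, 2 ** 8

def h(data: bytes) -> bytes:
    """h(.) modelled as SHA-256 (assumed; the paper fixes no concrete hash)."""
    return hashlib.sha256(data).digest()

def pair_hash(ident: int, pw: int, bio_key: bytes) -> bytes:
    """h(ID || PW || B) over the user's identity, password and biometric key."""
    return h(ident.to_bytes(2, "big") + pw.to_bytes(2, "big") + bio_key)

def exact_verifier(ident: int, pw: int, bio_key: bytes) -> bytes:
    """Stored value that is one-to-one with the (ID, PW) pair for a given B."""
    return pair_hash(ident, pw, bio_key)

def fuzzy_verifier(ident: int, pw: int, bio_key: bytes, n0: int = N0) -> bytes:
    """h( h(ID || PW || B) mod n0 ): about |ID|*|PW|/n0 pairs map to the same value."""
    reduced = int.from_bytes(pair_hash(ident, pw, bio_key), "big") % n0
    return h(reduced.to_bytes(4, "big"))

def smart_card_check(verifier_fn, stored: bytes, ident: int, pw: int, bio_key: bytes) -> bool:
    """Local login check: recompute the verifier from the inputs and compare."""
    return verifier_fn(ident, pw, bio_key) == stored

def offline_guess(verifier_fn, stored: bytes, bio_key: bytes):
    """Adversary holding the card data and the biometric (two factors) tries
    every (ID, PW) pair of the dictionary spaces and keeps those that match."""
    return [(i, p)
            for i in range(2 ** ID_BITS)
            for p in range(2 ** PW_BITS)
            if smart_card_check(verifier_fn, stored, i, p, bio_key)]

def expected_candidates(id_bits: int = ID_BITS, pw_bits: int = PW_BITS, n0: int = N0) -> float:
    """Expected number of surviving pairs for the fuzzy verifier."""
    return 2 ** (id_bits + pw_bits) / n0

def demo(ident: int = 0x5A, pw: int = 0x2F3, bio_key: bytes = b"constructed-bio-key!"):
    """Return the candidate lists an attacker ends up with for each verifier type."""
    exact_hits = offline_guess(exact_verifier, exact_verifier(ident, pw, bio_key), bio_key)
    fuzzy_hits = offline_guess(fuzzy_verifier, fuzzy_verifier(ident, pw, bio_key), bio_key)
    return exact_hits, fuzzy_hits

if __name__ == "__main__":
    exact_hits, fuzzy_hits = demo()
    print("exact verifier: candidates =", len(exact_hits), exact_hits)
    print("fuzzy verifier: candidates =", len(fuzzy_hits),
          "(expected about", expected_candidates(), ")")
```

The fuzzy verifier trades an exact local check for one the attacker cannot use to confirm a guess offline; the remaining attack surface is online guessing against RC with each surviving candidate, so the registration center must still rate-limit or lock out repeated failed logins, a control the verifier itself does not provide.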

6.4. User Impersonation Attack

Assume that tries to impersonate user and forge a login requested message