Abstract

An anonymous user authentication scheme allows a user, who wants to access a remote application server, to achieve mutual authentication and session key establishment with the server in an anonymous manner. To enhance the security of such authentication schemes, recent researches combined user’s biometrics with a password. However, these authentication schemes are designed for single server environment. So when a user wants to access different application servers, the user has to register many times. To solve this problem, Chuang and Chen proposed an anonymous multiserver authenticated key agreement scheme using smart cards together with passwords and biometrics. Chuang and Chen claimed that their scheme not only supports multiple servers but also achieves various security requirements. However, we show that this scheme is vulnerable to a masquerade attack, a smart card attack, a user impersonation attack, and a DoS attack and does not achieve perfect forward secrecy. We also propose a security enhanced anonymous multiserver authenticated key agreement scheme which addresses all the weaknesses identified in Chuang and Chen’s scheme.

1. Introduction

With the rapid growth of internet technology, a system providing various services using the network often consists of many different servers around the world. The distribution of the remote system hardware allows its users to access resources efficiently and conveniently. In multiple server environments, an authentication mechanism is required to achieve a high level of security [1]. Lamport [2] first proposed a password authentication scheme for communication through an insecure channel. However, Lamport’s scheme requires the server to manage a password table and is, thus, vulnerable to stolen-verifier attacks. To resist this attack, several researchers proposed improved password-based authentication schemes using smart cards. But, these schemes are still easily broken by simple dictionary attacks due to the low entropy of passwords and because the information stored in smart cards could be extracted by physically monitoring power consumption [3, 4]. Therefore, many other researchers have combined users’ biometrics and passwords to enhance the security of their user authentication schemes for multiserver environments; see, for example, references [5–7] for earlier work in this domain. Every human being has a different biometrics, and thus, it is difficult for the adversary to compute the biometric information [8, 9].

Relatively recently, D. Yang and B. Yang [10] and Yoon and Yoo [11] independently introduced a biometric-based multiserver authentication scheme. But, these schemes still do not consider user anonymity which has been identified as a major security property for privacy protection in many applications, including location-based services, anonymous web browsing, e-voting, and mobile roaming services. Moreover, D. Yang and B. Yang’s scheme requires users to perform expensive exponentiation operations, while Yoon and Yoo’s scheme, as demonstrated by He [12], is vulnerable to a privileged insider attack, a masquerade attack, and a stolen smart card attack.

Recently, Chuang and Chen [13] proposed an anonymous multiserver authenticated key agreement scheme to address the weaknesses in the D. Yang and B. Yang’s scheme [10] and the Yoon-Yoo scheme [11]. This scheme is based on nonces and is very efficient in that it only requires users to perform hash function evaluations. Chuang and Chen claimed that their scheme satisfies all the desired security-related properties: anonymity, absence of verification tables, mutual authentication, resistance to forgery attack, resistance to modification attacks, resistance to replay attacks, fast error detection, resistance to off-line guessing attacks, resistance to insider attacks, simple and secure password choice and modification, biometric template protection, and session key agreement. However, we found that Chuang and Chen’s scheme has various security problems. According to our analysis given in this paper, Chuang and Chen’s scheme is vulnerable to a masquerade attack, a smart card attack, a user impersonation attack, and a denial-of-service (DoS) attack and does not achieve perfect forward secrecy. To solve these security problems with Chuang and Chen’s scheme, we propose an improved anonymous multiserver authenticated key agreement scheme using a smart card together with biometrics and passwords.

The remainder of this paper is organized as follows. Section 2 describes security and efficiency requirements for anonymous user authentication schemes in multiserver environments. Section 3 briefly reviews Chuang and Chen’s authentication scheme, while Section 4 provides a detailed security analysis on the scheme. Section 5 presents our security-enhanced authentication scheme and shows how the security weaknesses of Chuang and Chen’s scheme are addressed in our scheme. Section 6 analyzes our scheme in terms of both security and efficiency. Section 7 concludes the paper.

2. Requirements for Multiserver Authentication Schemes

Most conventional password authentication methods, when they are deployed in a multiple server environment, require each network user not only to log into various remote servers repetitively but also to remember many sets of identities and passwords. Such inefficiency and complexity easily lead to the exposure of users’ identities and passwords and necessarily make it difficult to manage the shared secret keys among the involved participants. Moreover, those conventional authentication methods usually do not provide user anonymity. In contrast, an anonymous multiserver authentication scheme is designed to allow users to be authenticated by multiple servers via only one registration with the registration center [1]. Figure 1 shows a framework of an anonymous user authentication system in a multiserver environment.

Figure 1 

Framework of a multiserver authentication system.

2.1. Security Properties

Various security requirements for a multiserver authentication scheme have been suggested in the previous studies [1, 7, 10, 13–24]. The most essential security properties include the following.(S1)Anonymity: anonymity is of increasing importance and is achieved when the user’s identity is not disclosed to an unauthorized party.(S2)Mutual authentication: mutual authentication means that the two parties, user and server, authenticate each other. That is, both user and server are assured of each other’s identity.(S3)Session key agreement: the user and server securely agree on a session key to be used for protecting their subsequent communications.(S4)Perfect forward secrecy: perfect forward secrecy means that a session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised in the future.

2.2. Attack Resistance

To achieve these security properties, a multiserver authentication scheme has to resist various kinds of attacks. The most typical attacks include the following(A1)Replay attack: an adversary intercepts data transmissions for the purpose of making use of that data in some manner. Typically, this type of attack involves copying and possibly altering the data in various ways before releasing it for delivery to the intended recipient.(A2)Modification attack: an adversary intercepts the authentication message and attempts to modify it for illegal authentication.(A3)Stolen-verifier attack: an adversary steals the password-verifier from the server and directly uses it to masquerade as a legitimate user.(A4)Off-line guessing attack: an adversary guesses a password and verifies it in an off-line environment. The information stored in the smart card is often used in such an attack.(A5)Forgery attack: a malicious yet legitimate user attempts to forge an authentication message of another legitimate user.(A6)Insider attack: an insider attack literally means an attack mounted by a malicious insider. Malicious insiders have a distinct advantage over external adversaries because they have an authorized system access and also may be familiar with the network architecture and system policies/procedures. Typically, malicious insiders want to acquire users’ private information such as their password and biometrics.(A7)Masquerade attack: an adversary is authenticated by the server using a fake user ID.(A8)Smart card attack: an adversary is authenticated by the server by using only the information obtained from a user’s smart card but without the password or biometrics of the user.(A9)User impersonation attack: an adversary impersonates a legitimate user using only the user’s smart card but without the password or biometric of the user.(A10)DoS attack: a DoS attack is any event that diminishes or eliminates a network’s capability of performing its expected function. In other words, an adversary mounts a DoS attack to make the server unavailable.

2.3. Efficiency Measures

Efficiency is an important consideration in evaluating any schemes or protocols. The efficiency of a multiserver authentication scheme can be measured by the following metrics.(E1) Single registration: a single point of registration ought to allow users to gain access to all the servers in the system.(E2) Simple and secure password modification: the system should allow users to choose and change their passwords easily and securely. In other words, each user should be able to change their passwords without the help of any third trusted party once the authenticity of the user is verified by its smart card.(E3) Fast error detection: the smart card needs to check the user’s incorrect password or any other discrepancy quickly.(E4) Low computational cost: the computational cost incurred by the scheme should be minimized for the participants.

3. A Review of Chuang and Chen’s Scheme

This section describes Chuang and Chen’s anonymous multiserver authenticated key agreement scheme which involves four phases: server registration, user registration, login and authentication, and password change. For convenience, the notations used throughout this paper are summarized in Notation Section.

3.1. The Server Registration Phase

The application server sends the RC a join message if it would like to become an authorized server. Then, the RC replies with the key (PSK) to the server through a secure channel. And then, the authorized server uses the PSK to check the user’s authentication message. If the server needs to obtain the PSK from the RC to perform the authentication phase every session, authentication delay and the communication cost between the RC and the servers will increase substantially, but this scheme and proposed scheme register only once so they are efficient.

3.2. The User Registration Phase

For a user , this phase is performed only once when registers itself with the registration center RC.(1) chooses his identity and password freely and inputs his biometrics and sends the identity and to RC via a secure channel.(2)RC computes and and and and issues a smart card loaded with .

3.3. The Login and Authentication Phase

In this phase, logs in to the smart card and is authenticated by  . In login phase, is executed to check the user’s legality. The smart card can detects an error event immediately using the user’s identification, password, and biometrics information. And then, the smart card computes for the authentication. In authentication phase, the smart card sends authentication messages to the after the finishes the login phase successfully. The smart card never send user’s real identity to execute the authentication phase for providing the user’s anonymity. During the phase, the session-key establishment is conducted between and . Algorithm 1 depicts how the login and authentication phase works.

3.4. The Password Change Phase

One of the general guidelines to get better password security is to ensure that passwords are changed at regular intervals. Chuang and Chen’s scheme allows legitimate users to freely change their passwords:(1) inserts his smart card into a card reader and enters both the current password and the new password .(2)The smart card checks and .(3)The smart card computes and replaces with .

4. Security Vulnerabilities in Chuang and Chen’s Scheme

We analyze Chuang and Chen’s scheme and figure out some security vulnerabilities. Their scheme is vulnerable to the masquerade attack, smart card attack, user impersonation attack, and DoS attack and does not achieve perfect forward secrecy.

4.1. A Masquerade Attack

Chuang and Chen’s scheme is vulnerable to user masquerade attack. An adversary can be authenticated to another using the messages that sends to for authentication. Figure 2 describes the masquerade attack on Chuang and Chen’s scheme. When the wants to be authenticate with , the logs on the smart card and then sends a message (1) to the . After an adversary intercepts the message (1), the adversary will send it to another server . This is because that message (1) does not include about the as follows:

Figure 2 

Masquerade attack on Chuang and Chen’s scheme.

So the executes operation (2) and sends the message (3) to the adversary without any suspicion of the attack. The adversary forwards the message (3) to the . The does not check the of the . It only checks the sameness with the of and the of the message (3) as follows:

So the executes operation (4) and sends message (5) to without any suspicion of the attack. Then, an adversary intercepts the message (5) and sends it to another . Finally, the adversary can be authenticated with . Therefore, the adversary can masquerade as a legitimate user to . In this way, the scheme becomes vulnerable to the masquerade attack.

The cannot check whether wants to be authenticated by or not. Thus authenticates all legitimate messages though these message are not sent to . And does not check whether wants to be authenticated with . Thus authenticates all legitimate messages though these message are sent by . The only checks whether in message (3) and in are the same or not. To solve this problem, the destination of message is added to authentication messages. So the information about of has to be added to the message (1), and this means that want to be authenticated with , not . And the information about of has to be added to message (3); it means that the wants to be authenticated with anonymous .

4.2. A Smart Card Attack

When an adversary gets or steals the user’s smart card, the adversary can compute the session key between the and without the user’s password or biometric information. So the adversary can decrypt the all encrypted communications between the and because the adversary can compute all previous session keys. Algorithm 3 describes the smart card attack on Chuang and Chen’s scheme.

(i) gets(steals) user’s smart card.  ⇒ Extracting the information of smart card.    (Using SPA and DPA…etc) ⇒ Obtains (ii) gets and in public channel.  ⇒  ⇒  ⇒ (iii) can compute the session key between and .

Algorithm 3 

Smart card attack on Chuang and Chen’s scheme.

When the adversary obtains the user’s smart card, the adversary can extract information about the smart card using a side-channel attack such as SPA (simple power analysis) or DPA (differential power analysis). The adversary can obtain in the user’s smart card and , in the public communication channel. Then, the adversary can compute using and and using and . Finally, the adversary can determine the session key user and server using and . This scheme uses the combination values with a password and biometrics, so the adversary cannot compute the user’s password. However, using the smart card attack, the adversary can compute the session key between the and the without the information about user’s password or biometrics.

Kocher et al. and Messerges et al. pointed out that confidential information stored in all existent smart cards could be extracted by physically monitoring power consumption [3, 4]. If a user loses his smart card, all secrets in the smart card may be revealed to the adversary. Using this information, the adversary can determine the session key between the and . To solve this problem, it is necessary to add authentication value that adversary cannot reveal using the side-channel attack. In other words, it is necessary to add the value that only legitimate user and server can compute using the secret information, which the adversary cannot know or compute.

4.3. A User Impersonation Attack

In Chuang and Chen’s scheme, an adversary can be authenticated with the server using user’s smart card without user’s password or biometrics, so the adversary can impersonate the legitimate user. It is critical problem that the adversary can be authenticated with the server using user’s smart card only. Figure 3 describes the user impersonation attack on Chuang and Chen’s scheme. As described above, the adversary can illegally extract the secret values including from the user’s smart card by some means. And he can intercept the message (1) = and acquire the , , and .

Figure 3 

User impersonation attack on Chuang and Chen's scheme.

Next procedure for user impersonation attack occurs in the following steps. The adversary computes the using and . And then, he can figure out the using and . Next, the adversary generates another random nonce and computes , , and . Next, the adversary sends , , , and to . The adversary can be authenticate to because he knows , , and and the cannot figure out the difference between the adversary and legitimate user. The user’s password and biometric information are not used in authentication phase, so authenticates the adversary without doubt. does not store user’s password or biometric information because Chuang and Chen’s scheme is designed for anonymous user. Therefore, server cannot check the password or biometric information for authentication. To solve this problem, it is necessary to add the shared value between the user and servers. The share value can be computed by only the legitimate user using user’s password and biometircs in login and authentication phase, and never be stored in the smart card.

4.4. A DoS Attack

The DoS attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out motives for and targets of the DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the networks. In Chuang and Chen’s scheme, an adversary can implement the DoS attack without difficulty. Figure 4 describes DoS attack on Chuang and Chen’s scheme. The adversary gets the previous message (1) from a legitimate user and sends it to the . Then, the executes operation (2) and sends message (3) to the . The processes of operation (2) include executing the hash function 7 times, calculating the exclusive-or operation 3 times, and generating a random nonce once. The adversary can attempt to make the server or network resource unavailable if he uses a lot of intercepted authentication messages.

Figure 4 

DoS attack on Chuang and Chen’s scheme.

In Chuang and Chen’s scheme, does not check the freshness of authentication message from . Thus, when an adversary sends the intercepted authentication messages to , the cannot know whether the message is current or outdated. So, executes a lot of operations. To resist the DoS attack, the has to check the freshness of messages using the timestamp or other means.

4.5. No Perfect Forward Secrecy

Perfect forward secrecy means that a session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised in the future. Chuang and Chen’s scheme does not achieve perfect forward secrecy. So the adversary can compute the all session key between the and if the adversary knows the one of long-term keys in future. Algorithm 2 describes why Chuang and Chen’s scheme does not achieve perfect forward secrecy. First, the adversary got and in previous communication between and . Next, the adversary knows one of user’s long-term secrets . So the adversary can calculate from and from . Finally, the adversary can compute the previous session key using and Therefore, this scheme does not achieve perfect forward secrecy.

In Chuang and Chen’s scheme, is a secure shared key among and authenticated . The computes using and secret value . And then, The sends the to within user’s smart card. The is unchanged even if changes his password. So is one of the long-term keys. If an adversary got the and in previous public channel and knows at present, the adversary can compute the previous session key between the and . To solve this problem, it is needed that the adversary cannot compute the and using only . By adding another secret information, it is necessary that the adversary cannot compromise the session key between and .

5. Our Proposed Scheme

Our proposed scheme improves Chuang and Chen’s scheme in various aspects: (1) it checks the destination of messages and so it prevents the masquerade attack, (2) it withstands the smart card attack and the user impersonation attack even when the information in the smart card is disclosed, (3) it resists DoS attacks by checking the freshness of messages, and (4) it protects the security of previously-established session keys even when the adversary knows the long-term key , thereby achieving perfect forward secrecy.

5.1. Countermeasures

The vulnerability of Chuang and Chen’s scheme to the masquerade attack is due to the fact that(i)there is no way for to check whether the user wants to be authenticated with it or with another server, ;(ii) cannot check whether the server wants to be authenticated with him or with another user, .This design flaw allows the adversary to be authenticated with using ’s message directed to . Therefore, to prevent the masquerade attack, we suggest to modify the computations of and from and to The server ID, , and the anonymous user ID, , are now included as part of the inputs of the hash function. The inclusion of and allows and to confirm the destination of the messages and , respectively, and therefore effectively prevents the masquerade attack.

The Dos attack is possible because performs all its operations without checking the freshness of incoming messages, and thus it can be prevented by modifying the computation of to where is the timestamp retrieved by and sent to . The inclusion of the timestamp to the computation of enables to check and confirm the freshness of the user’s authentication message and prevents the DoS attack. Due to this modification, the authentication message of should be also modified as follows:

We next present a possible way of eliminating the vulnerability of Chuang and Chen’s scheme to the smart card attack. Recall that this vulnerability is due to that the value stored in the smart card together with and exchanged between and enables the adversary to compute and and thereby to derive the session key . Therefore, to prevent the smart card attack, we suggest to modify the computations of and from and to With this modification, the adversary now cannot compute and without the hash value . To make this countermeasure work, we add a new value to ’s smart card so that only can extract from its password and biometrics.

However, with the modifications described above, Chuang and Chen’s scheme is still vulnerable to the user impersonation attack as the adversary can obtain from and which are stored in the smart card. To prevent the user impersonation attack, we modify the computation of to The adversary now cannot calculate as it does not know .

Finally, to provide the perfect forward secrecy in our proposed scheme, we modify the computation of from to With this modification, the adversary cannot derive from the long-term key and, thus, cannot compute , , and the previous session key .

The password update phase should be also modified for consistency purpose (see Section 5.5 for details). Combining all the modifications above together yields an improved authentication scheme described in the following subsections.

5.2. The Server Registration Phase

The application server sends a message for join to the when they want to become an authorized server. Then, the sends the key to the server using secure communication. And then, the server is ready to compute for user authentication. Next, the authorized server uses the shared information like and to check the user’s legitimacy in authentication phase.

5.3. The User Registration Phase

The registration phase of proposed scheme is described in Algorithm 4. needs to perform the user registration phase with the registration center using a secure channel. In this phase, sends to the information about and . is included in . can be authenticated with using but cannot compute the PSK and even if he knows the and . And can calculate the using user’s password and biometrics from . In other words, the receives the hidden and in and , respectively, included in smart card for user’s login and authentication. Detailed steps are explained as follows.(1)The sends and to the through a secure channel.(2)After receiving the ’s information, the computes the authentication parameters for the as follows: (3)The stores these authentication parameters , , , , , in a smart card and sends the smart card to via a secure channel.

The does not store the user’s password or biometrics information. Therefore, our proposed scheme is secure against a stolen-verifier attack. The registered user cannot fake another legitimate user successfully though the user obtains these parameters . This is because that the user does not know the secret value and . The authenticated user can only compute using his password and biometrics.

5.4. The Login and Authentication Phases

The login and authentication phases for the proposed scheme are described in Algorithm 5. In the login phase, the smart card checks the legitimacy of the user. The smart card checks an error event immediately using identification, password, and biometric information. Detailed steps of the login phase are explained as follows.(1)The inserts his smart card into a card reader and enters his and . Then, the inputs his biometric information using the sensor.(2)The smart card checks the and confirms that in smart card is same to . If all information is accurate, then the smart card generates a random nonce and a timestamp and computes the using and . Next the smart card computes the following: