Keywords

1 Introduction

In 1981, Lamport [1] proposed the first remote password authentication scheme under insecure network. However, his scheme is proved to be insecure against guessing attacks. Therefore, smart card based scheme were considered as a solution and came into sight. By utilizing smart cards, instead of keeping a verification table, participants are allowed to store secret information into a smart card which improves security to a new level. After that, other novel schemes [2, 3] which adopt biometrics were introduced for further enhancement. However, all aforementioned schemes [1,2,3] are designed for single-server environment which makes users extremely inconvenient to access resource from servers because they must register to each server separately. To solve this problem, a new authentication structure for multi-server environment was introduced and several related schemes have been proposed [4,5,6,7,8].

In 2010, Yang and Yang [4] proposed a biometric password-based multi-server authentication scheme using smart card which enables users to register for only once and then be qualified to access all servers. Unfortunately, their scheme costs vast computational resource due to the heavy use of modular exponentiation operations. In the same year, Yoon and Yoo [5] proposed an improved scheme based on elliptic curve cryptosystem. He [6] demonstrated that their scheme cannot resist privileged-insider attack, masquerade attack and stolen smart card attack. In 2014, Chuang and Chen [7] presented a scheme under the assumption that all servers are trusted and achieves both high efficiency and security. However, Chang et al. [8] proved that Chuang and Chen’s scheme is insecure against stolen smart card attack, forgery attack and has privacy preservation issue. Furthermore, Chang et al. indicated that in traditional biometric-based scheme the authentication may fails due to the slight difference between imprinted biometrics and original ones. Therefore, they adopted functions defined in Dodis et al.’s work [9] and proposed an enhanced scheme, claiming that their scheme satisfies all desirable security requirements. In this paper, after careful analysis, we find that Chang et al.’s scheme is vulnerable to outsider attack and session key derived attack. In addition, both malicious user and server can carry out user impersonation attack in their scheme. To resolve these vulnerabilities, we propose a new biometric-based authentication scheme that is suitable for multi-server environment. In particular, the comparison on security level between our scheme and other related schemes [2,3,4,5, 8] implies that our scheme can defend against a number of attacks including the ones of Chang et al.’s scheme.

The rest of the paper is organized as follows: In Sect. 2, we introduce basic concepts of secure sketch presented by Dodis et al. In Sects. 3 and 4, we review and cryptanalyze Chang et al.’s scheme. Section 5 describes the proposed scheme. Sections 6 and 7 gives a detailed security and performance analysis where our scheme is compared with related schemes, respectively. Finally, in Sect. 7, we conclude this paper.

2 Secure Sketch

The major problem of biometrics-based authentication scheme is that the imprinted biometric can slightly differentiate with the original template since some noise are unavoidably introduced into the reproducing process. To rectify this weakness, Chang et al. [8] adopted Dodis et al.’s function [9] which is defined that a \( \left( {{\mathcal{M}},\text{ }m,m^{{\prime }} ,t} \right) \) secure sketch is a randomized map \( SS:{ \mathcal{M}} \to \{ 0,1\}^{*} \) in which \( m \) is min-entropy, \( m^{{\prime }} \) is the lower bound of average \( m \) and \( t \) refers to the number of tolerated errors.

For distance function \( dis \) and vectors \( w,w^{{\prime }} \in {\mathcal{M}} \), a deterministic recovery function \( Rec\left( {w^{{\prime }} ,SS\left( w \right)} \right) = w \) exists which allows to recover \( w \) from its sketch \( SS\left( w \right) \) and \( w^{{\prime }} \) that is close to \( w \) as long as \( dis\left( {w,w^{{\prime }} } \right) < t \) is satisfied. According to this definition, for any given binary \( \left[ {n,k,2t + 1} \right] \) error correcting code \( E \), we set randomized map \( SS \) as a \( ({\mathcal{M}},\text{ }m, m + k - n,t) \)-secure sketch and \( SS\left( {W;X} \right) = W \oplus E\left( X \right) \), where \( n \) is string length, \( k \) indicates the dimension of codeword, \( W \) is uniform and \( X \) is a random parameter. There is a decoding function \( D \) can correct \( t \) errors maximum that \( dis\left( {W,W^{{\prime }} } \right) < t \). \( D \) works as \( D\left( {W^{{\prime }} ,S\left( {W;X} \right)} \right) = X \). Lastly, we can set the recovery function \( Rec\left( {W^{{\prime }} ,S\left( {W;X} \right)} \right) = SS\left( {W;X} \right) \oplus E\left( {D\left( {W^{{\prime }} \oplus SS\left( {W;X} \right)} \right)} \right) = W \).

3 Review of Chang et al.’s Scheme

In this section, we briefly review the advanced anonymous and biometrics-based multi-server authentication scheme of Chang et al. [8]. Their scheme consists of following phases: server registration, user registration, login, authentication and password change. The notations used in this paper are described in Table 1.

Table 1. Notations
Full size table

3.1 Server Registration Phase

\( S_{j} \) sends a registration request to \( RC \) via a secure channel. \( RC \) accepts \( S_{j} \) and computes \( k_{1} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \) and \( k_{2} = h\left( {x\parallel y} \right) \). Finally, \( RC \) sends \( k_{1} \) and \( k_{2} \) back to \( S_{j} \).

3.2 User Registration Phase

  1. 1.

    \( U_{i} \) freely chooses his/her identity \( ID_{i} \), password \( PW_{i} \), and imprints his/her personal biometric information \( BIO_{i} \) into a special device. \( U_{i} \) randomly generates a number \( r_{i} \) that is only retained by himself/herself and computes \( \upalpha_{i} = BIO_{i} \oplus E(r_{i} ) \), \( V_{i} = h\left( {PW_{i} } \right) \oplus\upalpha_{i} \) and \( R_{i} = h\left( {PW_{i} \oplus r_{i} } \right) \). Afterwards, \( U_{i} \) transmits \( \left\{ {ID_{i} , V_{i} , R_{i} } \right\} \) to \( RC \) via a secure channel.

  2. 2.

    After receiving the registration request message from \( U_{i} \), \( RC \) calculates \( A_{i} = h\left( {ID_{i} \parallel x} \right) \), \( B_{i} = h\left( {ID_{i} \parallel R_{i} } \right) \), \( C_{i} = h^{2} \left( {R_{i} } \right) \oplus h\left( y \right) \), \( D_{i} = h\left( {R_{i} } \right) \oplus A_{i} \oplus h\left( {x\parallel y} \right) \) and \( E_{i} = h\left( {A_{i} \parallel h\left( {x\parallel y} \right)} \right) \oplus h\left( {R_{i} } \right) \).

  3. 3.

    Lastly, \( RC \) stores \( \left\{ {V_{i} ,B_{i} ,C_{i} ,D_{i} ,E_{i} ,h\left( . \right)} \right\} \) into \( SC_{i} \) and sends it to \( U_{i} \).

3.3 Login Phase

  1. 1.

    \( U_{i} \) inserts his/her \( SC_{i} \) into a card reader, inputs his/her \( ID_{i}^{*} \) and \( PW_{i}^{*} \), imprints personal biometric information \( BIO_{i}^{*} \) via a special device.

  2. 2.

    \( SC_{i} \) employs inputted information to compute \( R_{i}^{*} = h\left( {PW_{i}^{*} \oplus D\left( {V_{i} \oplus h\left( {PW_{i}^{*} } \right) \oplus BIO_{i}^{*} } \right)} \right) \) and verifies whether \( h\left( {ID_{i}^{*} \parallel R_{i}^{*} } \right) \) equals to \( B_{i} \). \( SC_{i} \) only proceeds to the next step when they are equal.

  3. 3.

    \( SC_{i} \) generates a random nonce \( n_{i} \) and computes \( h\left( y \right) = C_{i} \oplus h^{2} \left( {R_{i}^{*} } \right) \), \( M_{1} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus n_{i} \), \( CID_{i} = D_{i} \oplus h\left( {R_{i}^{*} } \right) \oplus h\left( {n_{i} } \right) \), \( G_{i} = E_{i} \oplus h\left( {R_{i}^{*} } \right) \) and \( CHECK_{1} = h\left( {h\left( {SID_{j} \parallel h\left( y \right)} \right)\parallel n_{i} \parallel G_{i} } \right) \).

  4. 4.

    \( SC_{i} \) sends login request message \( \left\{ {M_{1} , CID_{i} , CHECK_{1} } \right\} \) to \( S_{j} \).

3.4 Authentication Phase

  1. 1.

    Upon receiving the login request message from \( U_{i} \), \( S_{j} \) first employs its secret \( k_{1} \) to compute random nonce \( n_{i} = M_{1} \oplus k_{1} \) to check its freshness. If \( n_{i} \) is fresh, \( S_{j} \) subsequently computes \( A_{i} = CID_{i} \oplus h\left( {n_{i} } \right) \oplus k_{2} \) and verifies whether \( h\left( {k_{1} \parallel n_{i} \parallel h\left( {A_{i} \parallel k_{2} } \right)} \right) \) equals to \( CHECK_{1} \). If it holds, \( S_{j} \) considers \( U_{i} \) as valid user.

  2. 2.

    \( S_{j} \) generates a random number \( n_{j} \) and computes \( M_{2} = n_{j} \oplus n_{i} \oplus k_{1} \), \( SK = h\left( {h\left( {A_{i} \parallel k_{2} } \right)\parallel n_{i} \parallel n_{j} } \right) \) and \( CHECK_{2} = h\left( {SK} \right) \), followed by sending a response message \( \left\{ {M_{2} ,CHECK_{2} } \right\} \) to \( U_{i} \) via a public channel.

  3. 3.

    \( SC_{i} \) retrieves random nonce \( n_{j} \) by computing \( n_{j} = M_{2} \oplus h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus n_{i} \) and checks its freshness. If \( n_{j} \) is fresh, \( SC_{i} \) then computes \( SK = h\left( {G_{i} \parallel n_{i} \parallel n_{j} } \right) \) and checks if \( h\left( {SK} \right) \) equals to \( CHECK_{2} \). If the verification succeeds, \( SC_{i} \) computes \( CHECK_{3} = h\left( {SK\parallel n_{j} } \right) \) and sends it to \( S_{j} \) via a public channel.

  4. 4.

    After receiving \( CHECK_{3} \) from \( U_{i} \), \( S_{j} \) verifies whether \( h\left( {SK\parallel n_{j} } \right) \) equals to \( CHECK_{3} \) to reconfirm the authenticity of \( U_{i} \). Then, \( U_{i} \) and \( S_{j} \) can start to communicate with the other party using the shared session key.

3.5 Password Change Phase

  1. 1.

    \( U_{i} \) inserts his/her \( SC_{i} \) into a card reader and inputs \( ID_{i} \), \( PW_{i} \) and \( BIO_{i} \).

  2. 2.

    \( SC_{i} \) computes \( \upalpha_{i} = V_{i} \oplus h\left( {PW_{i} } \right) \), \( r_{i} = D\left( {BIO_{i} \oplus\upalpha_{i} } \right) \) and \( R_{i} = h\left( {PW_{i} \oplus r_{i} } \right) \), and verifies the condition \( h\left( {id_{i} \parallel R_{i} } \right) = ?B_{i} \). If the it holds, \( SC_{i} \) asks \( U_{i} \) to submit a new password, otherwise password change request can be dropped.

  3. 3.

    \( U_{i} \) submits a new password \( PW_{i}^{new} \) and then \( SC_{i} \) employs it to compute \( V_{i}^{new} = V_{i} \oplus h\left( {PW_{i} } \right) \oplus h\left( {PW_{i}^{new} } \right) \), \( R_{i}^{new} = h\left( {PW_{i}^{new} \oplus r_{i} } \right) \), \( B_{i}^{new} = h\left( {ID_{i} \parallel R_{i}^{new} } \right) \), \( C_{i}^{new} = C_{i} \oplus h^{2} \left( {R_{i} } \right) \oplus h^{2} \left( {R_{i}^{new} } \right) \), \( D_{i}^{new} = D_{i} \oplus h\left( {R_{i} } \right) \oplus h\left( {R_{i}^{new} } \right) \) and \( E_{i}^{new} = E_{i} \oplus h\left( {R_{i} } \right) \oplus h\left( {R_{i}^{new} } \right) \). Finally, \( SC_{i} \) replaces \( V_{i} \), \( B_{i} \), \( C_{i} \), \( D_{i} \) and \( E_{i} \) with \( V_{i}^{new} \), \( B_{i}^{new} \), \( C_{i}^{new} \), \( D_{i}^{new} \) and \( E_{i}^{new} \).

4 Cryptanalysis of Chang et al.’s Scheme

In this section, we cryptanalyze Chang et al.’s scheme [8] and demonstrate that their scheme possesses some security vulnerabilities. According to the threat model described in [10,11,12], an adversary can eavesdrop, modify and intercept any message in the public channel, and that an adversary can extract all information stored in the smart card by carrying out power analysis [11]. Under these two assumptions, the scheme has the following security problems and the descriptions are given below.

4.1 Outsider Attack

A malicious server \( {\mathcal{A}} \) is aware of secrets \( k_{1} \) and \( k_{2} \) that are authenticated from \( RC \) and can retrieve \( A_{i} \) and \( n_{i} \) after receiving login request message \( \left\{ {M_{1} , CID_{i} , CHECK_{1} } \right\} \) from \( U_{i} \) during the authentication phase. If \( {\mathcal{A}} \) steals \( SC_{i} \) which belong to the user he/she is communicating with and extracts parameters \( \left\{ {C_{i} ,D_{i} } \right\} \) from it, he/she can compute \( h\left( {R_{i} } \right) = D_{i} \oplus A_{i} \oplus k_{2} \) and then obtains the encrypted secret number of \( RC \) by calculating \( h\left( y \right) = C_{i} \oplus h^{2} \left( {R_{i} } \right) \), which is the same for each user. Therefore, \( {\mathcal{A}} \) may be able to launch other attacks with the knowledge of RC’s secret \( h\left( y \right) \).

4.2 Session Key Derived Attack

Suppose a malicious server \( {\mathcal{A}} \) obtains RC’s secret \( h\left( y \right) \) in the previous attack. He/she can easily compute the session key that is transmitted between any user and server. The attack proceeds as follows:

  1. 1.

    \( {\mathcal{A}} \) eavesdrops login request message \( \left\{ {M_{1} , CID_{i} , CHECK_{1} } \right\} \) between \( U_{i} \) and \( S_{j} \), and computes \( n_{i} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus \) \( M_{1} \) and \( A_{i} = CID_{i} \oplus h\left( {n_{i} } \right) \) \( \oplus \;k_{2} \).

  2. 2.

    Then, \( {\mathcal{A}} \) eavesdrops \( S_{j} \)’s response message \( \left\{ {M_{2} ,CHECK_{2} } \right\} \), retrieves the nonce \( n_{j} \) by computing \( n_{j} = M_{2} \oplus h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus n_{i} \). Afterwards, \( {\mathcal{A}} \) can obtain the session key by computing \( SK = h\left( {h\left( {A_{i} \parallel k_{2} } \right)\parallel n_{i} \parallel n_{j} } \right) \).

4.3 User Impersonation Attack

Although Chang et al. [8] claim that their scheme can endure user impersonation attack, however after careful analysis we find that an adversary \( {\mathcal{A}} \) can still impersonate as a legitimate user to cheat with \( S_{j} \). Especially in Chang et al.’s scheme, \( {\mathcal{A}} \) can either be a malicious server or user. Suppose \( {\mathcal{A}} \) is a malicious server who obtains RC’s secret \( h\left( y \right) \) by means of the attack we described in Sect. 4.1. In addition, each server is allocated with same secret value \( k_{2} \) from RC. He/she can perform this attack by follows:

  1. 1.

    \( {\mathcal{A}} \) intercepts the login request message \( \left\{ {M_{1} , CID_{i} , CHECK_{1} } \right\} \) sent from legal \( U_{i} \) to \( S_{j} \) and computes \( n_{i} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus \) \( M_{1} \) and \( A_{i} = CID_{i} \oplus h\left( {n_{i} } \right) \oplus k_{2} \).

  2. 2.

    \( {\mathcal{A}} \) generates a random number \( n_{i}^{*} \), then computes \( M_{1}^{*} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus n_{i}^{*} \), \( CID_{i}^{*} = A_{i} \oplus k_{2} \oplus h\left( {n_{i}^{*} } \right) \) and \( CHECK_{1}^{*} = h\left( {h\left( {SID_{j} \parallel h\left( y \right)} \right)\parallel n_{i}^{*} \parallel h\left( {A_{i} \parallel K_{2} } \right)} \right) \) and sends the forged login request message \( \left\{ {M_{1}^{*} , CID_{i}^{*} , CHECK_{1}^{*} } \right\} \) to \( S_{j} \).

  3. 3.

    \( S_{j} \) retrieves \( n_{i}^{*} = M_{1}^{*} \oplus k_{1} \) using the request message. Since \( n_{i}^{*} \) is chosen within valid time interval, \( S_{j} \) proceeds to compute \( A_{i} = CID_{i} \oplus h\left( {n_{i}^{*} } \right) \oplus k_{2} \) and verify the condition \( h\left( {k_{1} \parallel n_{i} \parallel h\left( {A_{i} \parallel k_{2} } \right)} \right) = ?CHECK_{1} \). Obviously, the condition holds, therefore \( S_{j} \) authenticates \( {\mathcal{A}} \) as legal user and computes \( M_{2} = n_{j} \oplus n_{i}^{*} \oplus k_{1} \), \( SK = h\left( {h\left( {A_{i} \parallel k_{2} } \right)\parallel n_{i}^{*} \parallel n_{j} } \right) \) and \( CHECK_{2} = h\left( {SK} \right) \), where \( n_{j} \) is the random number generated by \( S_{j} \). Finally, \( S_{j} \) reply \( {\mathcal{A}} \) with \( \left\{ {M_{2} ,CHECK_{2} } \right\} \).

  4. 4.

    After receiving the response message, \( {\mathcal{A}} \) retrieves \( n_{j} = m_{2} \oplus h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus n_{i}^{*} \), \( SK = h\left( {A_{i} \oplus k_{2} \parallel n_{i}^{*} \parallel n_{j} } \right) \) and computes \( CHECK_{3} = h\left( {SK\parallel n_{j} } \right) \). Afterwards, \( {\mathcal{A}} \) sends mutual authentication message \( CHECK_{3} \) to \( S_{j} \).

  5. 5.

    Upon receiving the authentication message from \( {\mathcal{A}} \), \( S_{j} \) continues to proceed the scheme. Lastly, \( S_{j} \) is mistakenly convinced that \( {\mathcal{A}} \) is a legitimate user and agrees on the session key \( SK \) with him/her.

If \( {\mathcal{A}} \) is a malicious user, he/she still can launch this attack by follows:

  1. 1.

    \( {\mathcal{A}} \) obtains RC’s secret \( h\left( y \right) \) by calculating \( h\left( y \right) = C_{a} \oplus h^{2} (R_{a} ) \), where \( C_{a} \) is stored in \( {\mathcal{A}} \)’s smart card and \( R_{a} \) can be recovered from \( R_{a} = h(PW_{a} \oplus D(V_{a} \oplus h(PW_{a} ) \oplus BIO_{a} )) \). by using his/her \( PW_{a} \) and \( BIO_{a} \).

  2. 2.

    \( {\mathcal{A}} \) intercepts the login request message \( \left\{ {M_{1} , CID_{i} , CHECK_{1} } \right\} \) sent from \( U_{i} \) to \( S_{j} \) and computes \( n_{i} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus M_{1} \) and \( A_{i} \oplus k_{2} = CID_{i} \oplus h\left( {n_{i} } \right) \).

  3. 3.

    \( {\mathcal{A}} \) steals \( SC_{i} \) and extracts \( \left\{ {V_{i} ,B_{i} ,C_{i} ,D_{i} ,E_{i} ,h\left( . \right)} \right\} \) from it by using power analysis. Then, \( {\mathcal{A}} \) calculates \( h\left( {R_{i} } \right) = D_{i} \oplus A_{i} \oplus k_{2} \) and \( G_{i} = E_{i} \oplus h\left( {R_{i} } \right) \).

  4. 4.

    \( {\mathcal{A}} \) computes \( M_{1}^{*} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus n_{i}^{*} \), \( CID_{i}^{*} = A_{i} \oplus k_{2} \oplus h\left( {n_{i}^{*} } \right) \) and \( CHECK_{1}^{*} = h\left( {h\left( {SID_{j} \parallel h\left( y \right)} \right)\parallel n_{i}^{*} \parallel h\left( {A_{i} \parallel k_{2} } \right)} \right) \), where random number \( n_{i}^{*} \) is chosen by \( {\mathcal{A}} \) freely. Then \( {\mathcal{A}} \) forges login request message \( \left\{ {M_{1}^{*} , CID_{i}^{*} , CHECK_{1}^{*} } \right\} \) and sends it to \( S_{j} \).

  5. 5.

    Upon receiving the message from \( {\mathcal{A}} \) who manages to impersonate as legal user \( U_{i} \), the message can successfully pass \( S_{j} \)’s verification.

  6. 6.

    Perform steps 3 to 5 in aforementioned attack that \( {\mathcal{A}} \) is a malicious server. Finally, \( S_{j} \) authenticates \( {\mathcal{A}} \) and shares the same session key with him/her.

5 The Proposed Scheme

This section proposes an improved biometrics-based authentication scheme that is suitable for use in multi-server environment. The proposed scheme comprises three participants: user (\( U_{i} \)), server (\( S_{j} \)), registration center (\( RC \)), and five phases: server registration, user registration, login, authentication, and password change.

5.1 Server Registration Phase

The server registration phase of proposed scheme is same as Chang et al.’s scheme [8].

5.2 User Registration Phase

  1. 1.

    \( U_{i} \) conducts in the same method as described in step 1 in Sect. 3.2.

  2. 2.

    Upon receiving the registration request message from \( U_{i} \), \( RC \) computes \( A_{i} = h\left( {ID_{i} \parallel x} \right) \), \( B_{i} = h\left( {ID_{i} \parallel R_{i} } \right) \), \( C_{i} = h\left( {R_{i} } \right) \oplus h\left( y \right) \), \( D_{i} = A_{i} \oplus h\left( {x\parallel y} \right) \) and \( E_{i} = h\left( {A_{i} \parallel h\left( {x\parallel y} \right)} \right) \oplus h\left( {R_{i} \parallel h\left( y \right)} \right) \).

  3. 3.

    \( RC \) issues \( SC_{i} \) which contains \( \left\{ {V_{i} ,B_{i} ,C_{i} ,D_{i} ,E_{i} ,h\left( . \right)} \right\} \) and sends it to \( U_{i} \).

5.3 Login Phase

  1. 1.

    \( U_{i} \) inserts \( SC_{i} \) into a card reader, inputs \( ID_{i}^{*} \), \( PW_{i}^{*} \) and \( BIO_{i}^{*} \). \( SC_{i} \) first computes \( R_{i}^{*} = h\left( {PW_{i}^{*} \oplus D\left( {V_{i} \oplus h\left( {PW_{i}^{*} } \right) \oplus BIO_{i}^{*} } \right)} \right) \) and verifies whether \( h\left( {ID_{i}^{*} \parallel R_{i}^{*} } \right) \) equals to \( B_{i} \). If it generates negative result, this phase can be terminated.

  2. 2.

    \( SC_{i} \) generates a random nonce \( n_{i} \) and computes \( h\left( y \right) = C_{i} \oplus h\left( {R_{i}^{*} } \right) \), \( M_{1} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus n_{i} \), \( CID_{i} = D_{i} \oplus h\left( {n_{i} } \right) \), \( G_{i} = E_{i} \oplus h\left( {R_{i}^{*} \parallel h\left( y \right)} \right) \) and \( CHECK_{1} = h\left( {h\left( {SID_{j} \parallel h\left( y \right)} \right)\parallel n_{i} \parallel G_{i} } \right) \).

  3. 3.

    \( SC_{i} \) sends the request message \( \left\{ {M_{1} , CID_{i} , CHECK_{1} } \right\} \) to \( S_{j} \).

5.4 Authentication Phase

  1. 1.

    \( S_{j} \) first checks the validity of the request message by verifying the freshness of random nonce \( n_{i} = M_{1} \oplus k_{1} \). If it holds, \( S_{j} \) computes \( A_{i} = CID_{i} \oplus h\left( {n_{i} } \right) \) and verifies whether \( h\left( {k_{1} \parallel n_{i} \parallel h\left( {A_{i} \parallel k_{2} } \right)} \right) \) equals to \( CHECK_{1} \). If the condition holds, \( S_{j} \) authenticates \( U_{i} \). Otherwise, the session is aborted.

  2. 2.

    \( S_{j} \) further generates a random number \( n_{j} \) and computes \( M_{2} = n_{j} \oplus n_{i} \oplus k_{1} \), \( SK = h\left( {h\left( {A_{i} \parallel k_{2} } \right)\parallel n_{i} \parallel n_{j} } \right) \) and \( CHECK_{2} = h\left( {SK} \right) \). Then, \( S_{j} \) sends the response message \( \left\{ {M_{2} ,CHECK_{2} } \right\} \) to \( U_{i} \).

  3. 3.

    The rest of the authentication phase is same as Chang et al.’s scheme.

5.5 Password Change Phase

  1. 1.

    \( U_{i} \) inserts his/her \( SC_{i} \) into a card reader, then keys his/her \( ID_{i} \) and \( PW_{i} \), and imprints personal biometric information \( BIO_{i} \) via a special device.

  2. 2.

    \( SC_{i} \) retrieves \( \upalpha_{i} = V_{i} \oplus h\left( {PW_{i} } \right) \), \( r_{i} = D\left( {BIO_{i} \oplus\upalpha_{i} } \right) \) and \( R_{i} = h\left( {PW_{i} \oplus r_{i} } \right) \), and verifies the whether \( h\left( {id_{i} \parallel R_{i} } \right) \) is equal to \( B_{i} \). If it holds, \( U_{i} \) is allowed to type a new password, otherwise this phase can be aborted.

  3. 3.

    \( U_{i} \) types a new password \( PW_{i}^{new} \). \( SC_{i} \) calculates \( h\left( y \right) = C_{i} \oplus h\left( {R_{i} } \right) \), \( V_{i}^{new} = V_{i} \oplus h\left( {PW_{i} } \right) \oplus h\left( {PW_{i}^{new} } \right) \), \( R_{i}^{new} = h\left( {PW_{i}^{new} \oplus r_{i} } \right) \), \( B_{i}^{new} = h\left( {ID_{i} \parallel R_{i}^{new} } \right) \), \( C_{i}^{new} = C_{i} \oplus h\left( {R_{i} } \right) \oplus h\left( {R_{i}^{new} } \right) \) and \( E_{i}^{new} = E_{i} \oplus h\left( {R_{i} \parallel h\left( y \right)} \right) \oplus h\left( {R_{i}^{new} \parallel h\left( y \right)} \right) \). Lastly, \( SC_{i} \) replaces \( V_{i} \), \( B_{i} \), \( C_{i} \) and \( E_{i} \) with \( V_{i}^{new} \), \( B_{i}^{new} \), \( C_{i}^{new} \) and \( E_{i}^{new} \).

6 Cryptanalysis of Proposed Scheme

In this section, we cryptanalyze the proposed scheme and examines its security against various attacks. As described in Sect. 5, to achieve least increase on computational cost, our scheme modifies little in user registration phase and login phase based on Chang et al.’s scheme [8] and provides higher security. Therefore, all security features mentioned in [8] are also met in our scheme. In addition, we comparatively give an analysis between our scheme and previous schemes [2,3,4,5, 8], which is illustrated in Table 2.

Table 2. Comparison on security level between proposed scheme and related schemes
Full size table

6.1 Resistance to Outsider Attack

Assume an adversary \( {\mathcal{A}} \) is a malicious server who is aware of \( k_{1} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \) and \( k_{2} = h\left( {x\parallel y} \right) \), however he/she cannot obtain \( h\left( y \right) \) by computing \( h\left( y \right) = h\left( {R_{i} } \right) \oplus C_{i} \), where \( C_{i} \) is stored in \( SC_{i} \). Only possessing correct \( ID_{i} \), \( PW_{i} \) and \( BIO_{i} \) can retrieve random number \( r_{i} \) and further compute \( R_{i} \). The possibility that \( {\mathcal{A}} \) obtains \( ID_{i} \) and \( PW_{i} \) simultaneously is extremely small, and \( BIO_{i} \) cannot be forged or obtained since it is imprinted by \( U_{i} \) via a special device. Furthermore, \( h\left( {R_{i} } \right) \) is only applied to constitute \( C_{i} \), which means \( {\mathcal{A}} \) is not capable of obtaining it from operating with any other parameters. Therefore, our scheme prevents \( {\mathcal{A}} \) from launching outsider attack.

6.2 Resistance to Session Key Derived Attack

The session key is computed as \( SK = h\left( {h\left( {A_{i} \parallel k_{2} } \right)\parallel n_{i} \parallel n_{j} } \right) \), where \( A_{i} = h(ID_{i} \parallel x) \), \( k_{2} = h\left( {x\parallel y} \right) \), random numbers \( n_{i} \) and \( n_{j} \) are generated by \( U_{i} \) and \( S_{j} \), respectively. Assume an adversary \( {\mathcal{A}} \) somehow obtains \( ID_{i} \), he/she cannot compute \( SK \) without the knowledge of secrets \( x \) and \( y \) that are only known by \( RC \). \( {\mathcal{A}} \) cannot retrieve random numbers \( n_{i} \) and \( n_{j} \) neither, since they must be computed by using \( h\left( y \right) \) and \( k_{1} \), which indicates that only legal user and server can compute these two random nonces. Therefore, \( {\mathcal{A}} \) cannot reveal session key \( SK \) by any means in the proposed scheme.

6.3 Resistance to User Impersonation Attack

Assume that an adversary \( {\mathcal{A}} \) intercepts all messages \( \left\{ {M_{1} ,M_{2} , M_{3} , CID_{i} , CHECK_{1} , CHECK_{2} , CHECK_{3} } \right\} \) between \( U_{i} \) and \( S_{j} \) through a public network, steals \( SC_{i} \) and extracts all information \( \left\{ {V_{i} ,B_{i} ,C_{i} ,D_{i} ,E_{i} ,h\left( . \right)} \right\} \). However, \( {\mathcal{A}} \) cannot forge login request message \( \left\{ {M_{1} , CID_{i} , CHECK_{1} } \right\} \), where \( M_{1} = h\left( {SID_{j} \parallel h\left( y \right)} \right) \oplus n_{i} \), \( CID_{i} = D_{i} \oplus h\left( {n_{i} } \right) = A_{i} \oplus h\left( {x\parallel y} \right) \oplus h\left( {n_{i} } \right) \) and \( CHECK_{1} = h\left( {h\left( {SID_{j} \parallel h\left( y \right)} \right)\parallel n_{i} \parallel G_{i} } \right) = h\left( {h\left( {SID_{j} \parallel h\left( y \right)} \right)\parallel n_{i} \parallel h\left( {A_{i} \parallel h\left( {x\parallel y} \right)} \right)} \right) \), because secrets \( x \) and \( y \) are only known to \( RC \), \( n_{i} \) is a random nonce that is generated by \( U_{i} \). Furthermore, \( {\mathcal{A}} \) cannot generate \( \left\{ {M_{1} , CID_{i} , CHECK_{1} } \right\} \) without \( A_{i} \), which can be exclusively obtained by \( S_{j} \). If the adversary \( {\mathcal{A}} \) is a malicious user or server, he/she is capable of retrieving some parameters within \( \{ n_{i} , h\left( {SID_{j} \parallel h\left( y \right)} \right) \), \( h\left( {x\parallel y} \right) \), \( h\left( y \right)\} \). However, as described in Subsects. 6.1 and 6.2, it is impossible for \( {\mathcal{A}} \) to obtain all parameters that form a valid login request message \( \left\{ {M_{1} , CID_{i} , CHECK_{1} } \right\} \) to impersonate as a legitimate user. Hence, our scheme can resist user impersonation attack.

7 Performance Analysis

In this section, we compare our scheme with other related schemes [2,3,4,5, 8] on computational cost during login and authentication phase, which is illustrated in detail in Table 3. Notations used in this section are described as follows. \( T_{h} \) refers to the time to execute a one-way hash function for a single time. \( T_{E} \) and \( T_{D} \) are defined as the time taken to perform one encoding or decoding operation based on Dodis et al.’s definition [9]. \( T_{ecc} \) is the computation time that one elliptic curve operation requires. \( T_{e} \) indicates the computation time for one modular exponentiation operation. The computational parameter \( T_{f} \) indicates the computation time to execute fuzzy extractor for once. Although our scheme requires one more hash operation during login phase compared with Chang et al.’s scheme, however it consumes an extremely small amount of time. Considering the security enhancement of proposed scheme, the increased computation cost is worthy.

Table 3. Comparison of computational cost in login and authentication phase between proposed scheme and related schemes
Full size table

8 Conclusions

In this paper, we analyze Chang et al.’s scheme and demonstrate that it possesses a number of security vulnerabilities including outsider attack, session key derived attack and user impersonation attack. To overcome these flaws, we propose an improved biometrics-based authentication scheme which retains the merits of Chang et al.’s scheme and also achieves a variety of security features. In addition, the cryptanalysis of this paper shows that our scheme rectifies weaknesses of Chang et al.’s scheme.