Keywords

1 Introduction

In the era of modern technology, biometrics are used to either generate [1,2,3] or exchange a cryptographic key [4,5,6] for better network security. Now a user can access remote servers through a smart card in a public channel. Smart cards which contain the biometric data are vulnerable towards common attacks like stolen smart card, password update in the server without a secure channel, privileged insider attack, user impersonation attack, replay attack, and also offline password guessing attack. Multi-server environment provides a better solution as the user can communicate with any server by doing one-time registration. Mishra et al. [7] provided a secure and resilient scheme for a multi-server environment which was developed to deal with the user and server impersonation attack and stolen smart card attack of the previously available schemes. Later, Lu et al. [8] addressed the drawbacks of Mishra et al.’s scheme like forgery and server masquerading and lacks password forward secrecy. So they projected a scheme to overcome the issues. Lu et al. also pointed out the vulnerability towards replay attack and also incapability of password update phase. Then, they developed an improved authentication scheme. Thereafter, Chaudhry [9] found that Lu et al.’s scheme [8] prone to impersonation attack and is not facilitated to user anonymity. Similarly, Guo–Wen [10] proposed a more reliable and robust authentication protocol in a multi-server environment. However, this scheme is prone to fall prey to password and identity guessing attack, new smart card issue threat, user impersonation threat, known session key temporary information attack, and insider attack. To overcome these problems, Ali–Pal [11] came up with an enhanced and resilient three-factor-based confidentiality-preserving remote authentication scheme in multi-server environment. They addressed the pitfalls of previous schemes like new smart card issue attack, identity guessing attack, and known session key attack. Computation cost and estimated time are minimized in [11]. However, we find that there are still some threats to this scheme. For example, one of the random nonce can be computed from intercepted message. Moreover, Ali–Pal’s scheme [11] is also vulnerable to insider attack.

We propose an improved scheme to surmount these drawbacks. Our scheme provides mutual authentication in multi-server environment. Moreover, in this paper, we use pi-calculus [12]-based formal verification tool ProVerif [13] to prove authentication and security of the proposed protocol.

2 Our Contribution

  • We cryptanalysis of the Ali–Pal’s scheme [11].

  • We improved the scheme [11] to overcome the drawback and also add some new features. We simulate our scheme for the formal security analysis using ProVerif tool and show that proposed scheme is protected from different security attacks.

  • We also compare communication cost and performance of the proposed scheme with other existing schemes.

3 Literature Review

Ali–Pal [11] addressed an improvement to Guo–Wen’s [10] scheme. In this section, we reviewed the Ali–Pal’s scheme [11]. The symbols and its meanings are given in Table 1.

Table 1 Meaning of notations
Full size table

3.1 Server Registration

\(S_{j}\) selects own identity \(SID_{j}\) and sends it to RC via a trustworthy channel. Then RC computes \(X_{j} = h(d_{j}||SID_{j})\) and transfers \(X_{j}\), \(d_{j}\) to the server \(S_{j}\) via secure channel.

3.2 User Registration

In this phase, \(U_{i}\) selects own identity \(ID_{i}\), password \(PW_{i}\) and imprints biometric \(BIO_{i}\) and then calculates \(RPW_{i}= h(PW_{i}|| H(BIO_{i}))\). Then \(U_{i}\) transfers \(ID_{i}\), \(RPW_{i}\) to RC via trustworthy channel. Then RC computes \(A_{i} = X_{j}\oplus h(RPW_{i})\), \(B_i=h(ID_{i}||RPW_{i}||X_{j})\) and issues a smart card holding parameters \(\langle A_{i},B_{i},h(.),H(.)\rangle \). RC finally sends smart card to \(U_{i}\) via secure channel.

3.3 Login and Authentication

\(U_{i}\) inserts smart card into a smart card reader and inputs own \(ID_{i}\), password \(PW_{i}\) and imprints biometric \(BIO_{i}\). Then smart card calculates \(RPW_{i} = h (PW_{i} || H(BIO_{i}))\), \(F_{i} = h(ID_{i})\), \(X'_{j} = A_{i} \oplus h(RPW_{i})\) and \(B'_{i} = h (ID_{i}||RPW_{i}||X'_{j})\). Now, if \(B'_{i} =B_{i}\), \(U_{i}\) chooses a random nonce \(R_{1}\) and computes \(RPW_{ij} = h (RPW_{i}||SID_{j})\), \(M_{1} = (F_{i}||R_{1}||SID_{j})^e_{j}\) mod \(n_{j}\), \(M_{2} = R_{1} \oplus RPW_{ij} \oplus ID_{i}\) and \(M_{3} = h (RPW_{ij}||F_{i}||X_{j}||R_{1})\) and then \(M_{1}\), \(M_{2}\), \(M_{3}\) is sent to \(S_{j}\) via a public channel. After getting the login message \(M_{1}\), \(M_{2}\), \(M_{3}\) from \(U_{i}\), \(S_{j}\) decrypts \((F_{i}||R_{1}||SID_{j}) =M_{1}^{d_{j}}\) mod \(n_{j}\) and computes \(RPW'_{ij} = M_{2} \oplus R_{1} \oplus F_{i}\) and \(M'_{3} = h (RPW_{ij}||F_{i}||X_{j}||SID_{j})\) and compares with \(M_{3}\). If \(M'_{3}\) is equals to \(M_{3}\), then \(S_{j}\) believes that \(U_{i}\) is legal; otherwise, the session is expired. Now, \(S_{j}\) Selects a random nonce \(R_{2}\) and computes \(M_{4} = h (RPW_{ij}||R_{1}) \oplus R_{2}\), \(SK = h (R_{1}||R_{2}||X_{j}||ID_{i})\) and \(M_{5} = h (RPW_{ij} || SK)\) and transmits \(M_{4}\), \(M_{5}\) via a public channel. After receiving \(M_{4}\), \(M_{5}\), \(U_{i}\) computes \(R'_{2} = M_{4} \oplus h (RPW_{ij}||R_{1})\), \(SK' = h (R_{1}||R'_{2} || X_{j}||F_{i})\) and \(M'_{5} = h (RPW_{ij} || SK)\). If \(M'_{5}\) is not equals to \(M_{5}\), then session is terminated. Otherwise, \(U_{i}\) believes on the legitimacy of \(S_{j}\) and mutual authentication holds.

4 Cryptanalysis of Ali–Pal’s Scheme

In the Ali–Pal’s scheme, \(ID_{i}\), \(H(BIO_{i}\)) are fixed for every communication initiated by \(U_i\) to any server \(S_k\). \(X_{j}\), \(R^{j}_{1}\) are varied for different servers (i.e., \(S_j\) and \(j=1,2,...\) and \(S_k \ne S_j\)). From received message, \(S_j\) can extract \(ID_i, R^{j}_1\) from message \(M^{j}_1\) and subsequently, \(S_j\) can computes \(H(BIO_i)\) from message \(M^{k}_2\), that is, \(H(BIO_{i}=M^{j}_{2}\oplus R^{j}_{1}\oplus ID_{i}\). Now, \(S_j\) can act as an insider attacker and may try to know some information for communication of \(U_i\) with other server \(S_k\). Attacker \(S_j\) intercepts login messages (say, \(M^{k}_2\)) from public channels. From the knowledge \(ID_i, H(BIO_i)\) and publicly shared message \(M^{k}_2\) (shared by \(U_i\) with \(S_k\)), attacker can reveal \(R^k_{1}\) from \(M^{k}_2\), that is, \(R^{k}_{1} = M^{k}_{2} \oplus ID_{i} \oplus H(BIO_{i})\). Moreover, Ali–Pal’s does not consider the biometrics change phase.

5 Proposed Scheme

We present a three-factor-based authentication protocol. This can be used in multi-server environment. Our scheme consists of five phases (i) system setup, (ii) registration, (iii) login and authentication, (iv) password change, and (v) biometrics change.

5.1 System Setup

In this phase, the system setup is carried out following the similar process of Ali–Pal’s scheme [11]. The detailed description is given below. Step 1: Registration center RC selects two large prime numbers, i.e., \(p_{j}\) and \(q_{j}\) for m servers where j=1 to m. After that RC computes \(n_{j} = p_{j} \times q_{j}\), where \(p{j}\ne q_{j}\).

Step 2: RC chooses \(1< e_{j} < \phi (n_{j})\) where \(\phi (n_{j}) = (p_{j} - 1) x (q_{j} - 1)\) and calculates \(d_{j}\). Where \(d_{j} = e_{j}-1 \text { mod}\phi (n_{j})\) and issues \((e_{1},n_{1}\)), (\(e_{2}\), \(n_{2}\)), ..., (\(e_{m}\), \(n_{m}\)) as public key and \(d_{1}\), \(d_{2}\), ..., \(d_{m}\) as private key.

5.2 Registration

This phase consists of two phases server and user registration.

  1. 1.

    Server Registration: Step 1. Server selects own identity \(SID_{j}\) and computes \(C_{j}=h(SID_{j}\)). \(C_{j}\) is transferred to RC via secure channel.

    Step 2. After getting \(C_{j}\), RC computes \(X_{j}=h(d_{j}||C_{j}\)). Now RC transmits \(X_{j}\), \(d_{j}\) to server via a secure channel.

  2. 2.

    User Registration: An user \(U_{i}\) can register by the following ways: Step 1. \(U_{i}\) selects an \(ID_{i}\), password \(PW_{i}\) and imprints biometric \(BIO_{i}\). Then \(U_{i}\) computes \(RPW_{i}=h(PW_{i}|| H(BIO_{i})\) and \(F_{i}=h(ID_{i})\) and transfers \(F_{i}\), \(RPW_{i}\) to RC via a secure channel.

    Step 2. Upon receiving \(F_{i}\), \(RPW_{i}\), RC computes \(A_{i}=X_{j} \oplus h(RPW_{i})\), \(B_{i}=h(F_{i}||RPW_{i}||X_{j})\) and stores the values \(A_{i},B_{i},h(.),H(.)\) into a smart card. Finally, RC transmits smart card to \(U_{i}\) via a secure channel. We elaborate the user registration phase in Table 2.

5.3 Login and Authentication

User \(U_{i}\) is authenticated by the smart card reader to access the remote server. Then the smart card reader sends a login message to the server \(S_{j}\) via a public channel. This phase is given Fig. 1. Detailed description is given below.

  1. Step 1.

    \(U_{i}\) inserts smart card into a smart card reader and inputs own \(ID_{i}\), password \(PW_{i}\) and imprints biometric \(BIO_{i}\).Then smart card calculates \(RPW_{i} = h (PW_{i} || H(BIO_{i}))\), \(F_{i} = h(ID_{i})\), \(X'_{j} = A_{i} \oplus h(RPW_{i} )\) and \(B'_{i} = h (ID_{i}||RPW_{i}||X'_{j})\). Now, smart card compares \(B'_{i}\) with \(B_{i}\). If \(B'_{i}\) is not equals to \(B_{i}\), then \(U_{i}\) is rejected.

  2. Step 2.

    Otherwise, \(U_{i}\) chooses a random nonce \(R_{1}\) and computes \(RPW_{ij} = h(RPW_{i}||SID_{j})\), \(M_{1} = (F_{i}||R_{1}||SID_{j})^e_{j} \text { mod} n_{j}\), \(M_{2} = R_{1} \oplus RPW_{ij} \oplus ID_{i}\) and \(M_{3} = h (RPW_{ij}||F_{i}||X_{j}||R_{1})\) and then \(M_{1}\), \(M_{2}\), \(M_{3}\) is sent to \(S_{j}\) via a public channel.

  3. Step 3.

    After getting the login message \(M_{1}\), \(M_{2}\), \(M_{3}\) from \(U_{i}\), \(S_{j}\) decrypts \((F_{i}||R_{1}||SID_{j}) =M_{1}^{d_{j}} \text { mod} n_{j}\) and computes \(RPW'_{ij} = M_{2} \oplus R_{1} \oplus F_{i}\) and \(M'_{3} = h (RPW_{ij}||F_{i}||X_{j}||SID_{j})\) and compares with \(M_{3}\). If \(M'_{3}\) is equals to \(M_{3}\), then \(S_{j}\) believes that \(U_{i}\) is legal otherwise the session is expired.

  4. Step 4.

    Now, \(S_{j}\) Selects a random nonce \(R_{2}\) and computes \(M_{4} = h (RPW_{ij}||R_{1}) \oplus R_{2}\), \(SK = h (R_{1}||R_{2}||X_{j}||ID_{i})\) and \(M_{5} = h (RPW_{ij} || SK)\) and transmits \(M_{4}\), \(M_{5}\) via a public channel.

  5. Step 5.

    After receiving \(M_{4}\), \(M_{5}\), \(U_{i}\) computes \(R'_{2} = M_{4} \oplus h (RPW_{ij}||R_{1})\), \(SK' = h (R_{1}||R'_{2} || X_{j}||F_{i})\) and \(M'_{5} = h (RPW_{ij} || SK)\). If \(M'_{5}\) is not equals to \(M_{5}\), then session is terminated. Otherwise, \(U_{i}\) believes on the legitimacy of \(S_{j}\) and mutual authentication holds.

Fig. 1
figure 1

Login and authentication protocol

Full size image

5.4 Password Change

Changing of password in a varied time interval is a good habit which incurs the security. If the user wants to change his/her password, he/she can easily do that through simple steps.

  1. Step 1.

    \(U_{i}\) touches own smart card into a terminal, input his/her \(ID_{i}\) and \(PW_{i}\) and also imprints \(BIO_{i}\). After that the smart card computes \(RPW'_{i} {=} h(PW_{i} || H(BIO_{i}))\), \(X'_{j} = A_{i} \oplus h(RPW'_{i})\), \(B'_{i} = h(h(ID_{i}) || RPW'_{i} || X'_{j})\). Then it checks \(B'_{i}\) is equals to \(B_{i}\) or not. If it is true, it means that the input for the user \(U_{i}\) ’s identification is authorized that means \(U_{i}\) is a authorized user for that smart card and then smart card allows the user \(U_{i}\) to change his/her password and asks to input new password \(PW^{new}_{i}\). Otherwise rejects.

  2. Step 2.

    Now smart card calculates \(RPW^{new}_i = h(PW^{new}_i || H(BIO_{i}))\), \(A^{new}_i = X'_{j} \oplus h(RPW^{new}_i)\), \(B^{new}_i = h(h(ID_{i}) || RPW^{new}_i || X'_{j})\). Finally, smart card replaces \(A_{i}\), \(B_{i}\) with the new \(A^{new}_i\), \(B^{new}_i\) and stored it into the smart card.

5.5 Biometric Change

Suppose any user wants to update the biometric data. Then, authentication of the user is done by the same way as discussed in the password change phase. If the authentication holds, smart card allows the user \(U_{i}\) to change his/her biometric with the new biometric and asks to input new biometric \(BIO^{new}_{i}\). Otherwise rejects. Now, smart card calculates \(RPW^{new}_i = h(PW_{i} || H(BIO^{new}_{i}))\), \(A^{new}_i = X'_{j} \oplus h(RPW^{new}_{i})\), \(B^{new}_i = h(h(ID_{i}) || RPW^{new}_i || X'_{j})\). Finally, smart card replaces \(A_{i}\), \(B_{i}\) with the new \(A^{new}_i\), \(B^{new}_i\) and stored it into the smart card.

6 Security Analysis

The security of the proposed scheme is analyzed with formal as well as informal security analysis. We have verified our proposed protocol using ProVerif simulator.

6.1 Formal Security Analysis

In order to prove the security of cryptographic protocols, ProVerif is a widely used formal verification tool [9, 12, 13]. In this section, we prove secrecy and authentication using ProVerif, because it is performed automatically and efficiently and can detect errors easily. ProVerif makes use of Dolev–Yao model [14] and supports many cryptographic primitives, including digital signature, symmetric and asymmetric encryption, hash function.

The user and the server communicate among themselves through a public channel, which is defined as below:

free Ch_Pub:channel.

The variables used in the protocol are defined as follows:

free IDi:bitstring.

free PWi:bitstring.

free BIOi:bitstring [private].

free RPWi:bitstring [private].

const dj:bitstring[private].

const nj:bitstring.

const ej:bitstring.

free SIDj:bitstring [private].

free Ai:bitstring [private].

free Bi:bitstring [private].

free \(X_{j}\):bitstring [private].

free SK:bitstring [private].

free SK’:bitstring [private].

The functions (xor(), exp(), mod(), mult(), and concat() represent exclusive-OR, exponent function, modulo operation, scalar multiplication, and string concatenation, respectively) used in the protocol are defined as follows:

fun h(bitstring):bitstring.

fun H(bitstring):bitstring.

fun xor(bitstring,bitstring):bitstring.

fun mod(bitstring,bitstring):bitstring.

fun exp(bitstring,bitstring):bitstring.

fun mult(bitstring,bitstring):bitstring.

fun concat(bitstring,bitstring):bitstring.

The algebraic properties of the functions are defined as below:

equation for all a:bitstring,b:bitstring; xor(xor(a,b),b)=a.

According to the protocol, the user Ui computes and sends M1, M2, M3 to the Server Sj and then waits until he receives M4, M5 from the Server Sj. So, the user Ui is defined as follows:

let UserUi=

let RPWi=h(concat(PWi,H(BIOi))) in

let Fi=h(IDi) in

let \(X_{j}\)’=xor(Ai,h(RPWi)) in

let Bi’=h(concat(Fi,concat(RPWi,Xj))) in

if (Bi’=Bi) then

new R1:bitstring;

let RPWij=h(concat(RPWi,SIDj)) in

let M1=mod(exp(concat(Fi,concat(R1,SIDj)),ej),nj) in

let M2=xor(R1,xor(RPWij,Fi)) in

let M3=h(concat(RPWij,concat(Fi,concat(Xj’,R1)))) in

out(Ch_Pub,(M1,M2,M3));

in(Ch_Pub,(xM4:bitstring,xM5:bitstring));

let R2’= xor(xM4,h(concat(RPWij,R1))) in

let SK’=h(concat(R1,concat(R2’,concat(Xj’,Fi)))) in

let M5’=h(concat(RPWij,SK’)) in

if (M5’=xM5) then 0.

According to the protocol, the server Sj receives {M1,M2,M3} from the user Ui, then computes and sends {M4,M5} to the user Ui. We can define the server Sj as follows:

let ServerSj=

let Xj=h(concat(dj,SIDj)) in

in(Ch_Pub,(xM1:bitstring,xM2:bitstring,xM3:bitstring));

new R1’:bitstring;

new Fi’:bitstring;

let RPWij’=xor(xM2,xor(R1’,Fi’)) in

let M3’=h(concat(RPWij’,concat(Fi’,concat(Xj,SIDj)))) in

if (xM3=M3’) then

new R2:bitstring;

let M4=xor(h(concat(RPWij’,R1’)),R2) in

let SK=h(concat(R1’,concat(R2,concat(Xj,Fi’)))) in

let M5=h(concat(RPWij’,SK)) in

out(Ch_Pub,(M4,M5))

else 0.

In order to ensure mutual authentication, we define events as follows:

event begin_UserUi(bitstring).

event end_UserUi(bitstring).

event begin_ServerSj(bitstring).

event end_ServerSj(bitstring).

The process can be defined by:

process ((!UserUi) \(\vert \) (ServerSj)

To verify mutual authentication and session key’s security, we define the following queries:

query attacker(SK).

query attacker(SK’).

query id:bitstring; event(end_UserUi(id)) ==> event(begin_UserUi(id)).

query id:bitstring; event(end_ServerSj(id)) ==> event(begin_ServerSj(id)).

When the above code is performed in ProVerif, we find that both the correspondence queries are true and both the (not)attacker queries are true, thus indicating that both the mutual authentication property and session key security are satisfied for our proposed scheme.

Table 2 Security features comparison
Full size table

6.2 Informal Security Analysis

In this section, we elaborate informal security analysis of our scheme and prove that our protocol is able to protect from different types of security vulnerabilities.

  1. 1.

    Password and identity guessing attack: We assume an adversary can eavesdrop all communication messages \(M_{1}\), \(M_{2}\), \(M_{3}\), \(M_{4}\), \(M_{5}\) and extract all information \(A_{i}\), \(B_{i}\) from smart card. But still \(\mathcal {A}\) is not able to calculate P\(W_{i}\) and I\(D_{i}\) from \(A_{i}\). \(A_{i} = X_{j}\oplus h(RPW_{i}\)), where \(X_{j}= h(SID_{j}||d_{j}\)) and \(RPW_{i} = h(PW_{i}|| H(BIO_{i}))\). To calculate \(PW_{i}\), \(\mathcal {A}\) needs to know \({BIO_{i}}\), \(SID_{j}\), \(d_{j}\) at one time which is infeasible in polynomial time. \(\mathcal {A}\) is not able to calculate \(PW_{i}\) from \(B_{i} = (F_{i}|| RPW_{i}||X_{j}\)), where \(F_{i} = h(ID_{i})\). For computing \(PW_{i}\), \(\mathcal {A}\) has to know the parameters \(H(BIO_{i}\)), \(ID_{i}\), \(SID_{j}\), \(d_{j}\) at one time which is impossible. \(\mathcal {A}\) also cannot evaluate \(ID_{i}\) from \(B_{i}\). \(\mathcal {A}\) cannot obtain \(ID_{i}\) from \(M_{1}\), \(M_{2}\), \(M_{3}\), and \(M_{5}\) because of hash function where \(M_{1} = (F_{i}||R_{1} || SID_{j})^{e_{j}} \text {mod} n_{j}\), \(M_{2} = R_{1} \oplus RPW_{ij} \oplus F_{i}\), \(M_{3}= h (RPW_{ij}||F_{i}||X_{j}||R_{1}\)) \(M_{5} = h (RPW_{ij}|| SK)\), \(RPW_{ij} = h (RPW_{i}|| SID_{j}\)) and \(SK = h (R_{1}||R_{2}||X_{j}||F_{i})\).

  2. 2.

    Impersonation attack: We assume an attacker \(\mathcal {A}\) intercepts all communication messages, and then he modifies all messages and tries to imitate as a legal server or user. But, in our protocol it is not possible for some reasons like \(\mathcal {A}\) cannot calculate \(M_{1} = (F_{i}||R_{1} || SID_{j})^e_{j}\) mod\(n_{j}\) where \(R_{1}\) is a random nonce because A is unable to obtain I\(D_{i}\). \(M_{2} = R_{1} \oplus RPW_{ij} \oplus F_{i}\) and \(M_{3} = h (RPW_{ij}||F_{i}||X_{j}||R_{1})\) where \(RPW_{ij} = h (RPW_{i} || SID_{j})\) and \(RPW_{i} = h(PW_{i} || H(BIO_{i}))\). To compute \(M_{2}\), \(\mathcal {A}\) has to know \(BIO_{i}\), \(ID_{i}\), \(PW_{i}\), and \(SID_{j}\) at same time, which is not possible. For calculating \(M_{3}\), \(\mathcal {A}\) has to know \(PW_{i}\), \(ID_{i}\), \(BIO_{i}\) and \(X_{j}\) which is not feasible. \(M_{4} = h (RPW_{ij}||R_{1}) \oplus R_{2}\) and \(M_{5} = h (RPW_{ij} || SK)\) where \(SK = h (R_{1} || R_{2} || X_{j}||F_{i})\). So, \(\mathcal {A}\) has to know \(PW_{i}\), \(BIO_{i}\), \(SID_{j}\), \(X_{j}\), \(ID_{i}\) at one time to calculate \(M_{4}\) and \(M_{5}\) which is not possible.

  3. 3.

    User untraceability attack: In this type of threat, an attacker intercepts two communication messages and tries to extract identity of user or server by matching values of each parameter. But, our protocol is able to protect this type of attack. In \(M_{1} = (F_{i}||R_{1} || SID_{j})^e_{j}\) mod\(n_{j}\), user \(ID_{i}\) is secured using hash function and \(R_{1}\) is a random nonce. So, value of \(M_{1}\) is different in each session due to uniqueness property of \(R_{1}\). \(M_{2} = R_{1} \oplus RPW_{ij} \oplus F_{i}\) and \(M_{3} = h (RPW_{ij}||F_{i}||X_{j}||R_{1})\) are also different in each session due to uniqueness property of \(R_{1}\). Therefore, our protocol resists user untraceability attack.

  4. 4.

    Replay attack: Our protocol resists replay attack by using random nonce \(R_{1}\) and \(R_{2}\).

  5. 5.

    Insider attack: Our scheme is not vulnerable to insider attack because user \(U_{i}\) sends \(RPW_{i} = h(PW_{i} || H(BIO_{i}))\) to RC. So, an insider of system cannot obtain password because of hash function. Though attacker guesses \(PW_{i}\) but still he/she is unable to validate password without knowledge of biometrics \(BIO_{i}\).

  6. 6.

    Known session key temporary information attack: In our scheme, attacker cannot compute session key \(SK = h (R_{1} || R_{2} || X_{j}||F_{i})\) with the knowledge of random nonce \(R_{1}\) and \(R_{2}\). Because, SK also depends on \(X_{j}\) and \(F_{i}\).

  7. 7.

    Smart card stolen attack: Suppose attacker gets the smart card of an user and extracts parameters \(A_{i} = X_{j} \oplus h(RPW{i})\) and \(B_{i} = (F_{i} || RPW_{i} || X_{j})\), where \(RPW_{i} = h(PW_{i} || H(BIO_{i}))\), \(X_{j} = h(SID_{j} || d_{j})\) and \(F_{i} = h(ID_{i})\). But, attacker is unable to calculate \(ID_{i}\) from \(F_{i}\) and \(PW_{i}\) from \(A_{i}\), \(B_{i}\).

  8. 8.

    Forward secrecy: Our scheme facilitates forward secrecy property. With the knowledge of a session key, attacker is not able to compute other session key.

We compare our scheme along with other schemes with respect to different security attacks and given in Table 2.

7 Performance

In this section, we compare our scheme with other existing schemes based on communication cost and estimated time.

7.1 Communication Cost

In Table 3, we represent comparison of communication cost of our scheme with respect to other existing schemes. Here, we assume lengths of \(ID_i\), \(PW_i\), random nonce and hash functions are 160 bits. \(e_j\), \(d_j\) are 1024 bits and symmetric encryption, decryption is of 512 bits for each.

7.2 Estimated Time

To calculate estimated time, we have used the following notations, Th: time complexity of hash function, Ts: symmetric encryption or decryption, Te: modular exponentiation, and Tm: point multiplication of elliptic curve. We calculate estimated time in seconds. The time complexity of our scheme is \((\text {28Th} + \text {2Te}) = 28 \times 0.0005 + 2 \times 0.522 = 1.058\). The comparison of computation time of our scheme with other scheme is given in Table 3.

Table 3 Estimated time comparison and communication cost
Full size table

8 Conclusion

In this paper, we found some faults of Ali–Pal’s scheme and overcome the drawbacks of the same scheme. We use ProVerif to verify the security of our scheme. Communication cost and estimated time of our scheme are comparatively better than other schemes. In our scheme, a legal user can change his/her password and biometrics without help of server’s involvement.