1 Introduction

The multi-server environment provides convenient and suitable online services. Unlike conventional single-server authentication, the multi-server environment provides single sign-on without registering with multiple servers and keeping multiple secret passwords and identities. The multi-server architecture works through a centralized trusted registration authority, responsible for registering the servers and users; in return it enables both the servers and the users to communicate with each other without hassle. The user keeps only one secret password and one identity. The common use of a multi-server environment requires an efficient and robust user authentication protocol to establish a secure connection between the requesting user and the service providers. In 1981, Lamport [27] presented the first authentication protocol based on a server database containing the passwords of each registered user. Because the verifier is stored in the server database, Lamport’s protocol is subject to the stolen verifier attack. Over time, many researchers proposed protocols to resolve the stolen verifier attack [4, 22]. Wu et al. [48] presented a smart card-based authentication protocol; later He et al. [14] noticed that the protocol of Wu is vulnerable to insider attack and impersonation attack. Wu et al. [48] then presented an improved and enhanced protocol based on He et al.’s protocol. Later Zhu et al. [49] found that the protocol of He et al. still has some weaknesses, such as the offline password guessing attack. Anticipating the failure and/or unsuitability of two-factor authentication protocols, many researchers proposed fingerprint-based three-factor authentication protocols to enhance security [20, 21, 28, 29, 37]. Lee et al. [28] presented fingerprint-based authentication. Lee et al. enhanced the security using three factors: 1) smart card, 2) fingerprint minutiae, and 3) user password.
Later Lin et al. [29] claimed that Lee et al.’s protocol has weaknesses against spoofing and masquerade attacks, so they proposed an enhanced protocol based on Lee et al.’s protocol. Regretfully, Mitchell et al. [37] noticed that Lin et al.’s protocol still has some weaknesses. Mir and Nikooghadam [35] presented an enhanced biometrics-based authentication protocol and claimed that their protocol provides security against well-known attacks (on user anonymity and untraceability, impersonation attacks, online password guessing attacks, etc.). Later Chaudhry et al. [10] noticed that the protocol of Mir and Nikooghadam [35] suffers from a user anonymity attack as well as a stolen smart-card attack. Unfortunately, Qi et al. [40] claimed that Chaudhry et al.’s [10] protocol still has some weaknesses, including non-resilience against denial of service attack; moreover, the protocol in [10] lacks perfect forward secrecy. In 2016, Wang et al. [47] proposed another biometric-based multi-server authentication and key agreement protocol based on Mishra et al.’s protocol. Wang et al. claimed that their protocol provides various security features along with user revocation/re-registration and biometric information protection. Soon, Reddy et al. [44] showed that Wang et al.’s [47] protocol is vulnerable to server impersonation, user impersonation and insider attacks, as their protocol shares the user credential with the server. Qi et al. [39] proposed yet another key-exchange authentication protocol and claimed it to provide security against well-known attacks. Later Reddy et al. [43] noticed some vulnerabilities in the protocol of Qi et al., such as session key leakage attack, user impersonation attack, insider attack, and loss of user anonymity. Some other developments were also proved either incorrect or insecure in [16, 19, 30, 33, 38, 42].

In 2018, Barman et al. [6] proposed a multi-server authentication protocol using fuzzy commitment. The authors in [6] claimed that their protocol provides various security features, such as confidentiality of user identity/biometric data and mutual authentication and session key establishment between user and servers; besides this, the authors also claimed that their protocol provides security against the known attacks. However, the in-depth analysis in this article shows that the protocol of Barman et al. faces some serious security threats. We show that the protocol proposed by Barman et al. is vulnerable to an anonymity violation attack and to an impersonation attack based on a stolen smart card. Moreover, their protocol is not practicable owing to scalability issues. We then propose an enhanced protocol to overcome the security weaknesses of Barman et al.’s protocol. We analyze the security of our proposed protocol through formal and informal analysis. In the formal analysis, we use BAN logic and the AVISPA tool (a well known and widely accepted automated tool for security analysis). The informal analysis of security features also shows the robustness of the proposed protocol.

2 Preliminaries

A brief review of the basics relating to the fuzzy commitment technique, one-way hash functions, error correction coding, and revocable template generation is given in the following subsections:

2.1 Fuzzy commitment

The fuzzy commitment proposed by Juels and Wattenberg [23] is a method to hide a secret under a witness and to release the concealed secret later in the presence of the witness. In the registration/enrollment phase a randomly generated key Kc is encoded into a codeword Cw = enc(Kc), where enc is an error correction technique that makes it possible to recover an equivalent match over a noisy channel. When a user imprints his biometric, a binary string \(C_{T_{u}}\) is generated from the biometric and used to conceal the codeword through an XOR operation [\(C_{T_{u}} \oplus C_{w} = H_{public}\)]. The system stores only Hpublic and the hash of the key, h(Kc). In the authentication phase Hpublic is available, so every legitimate user imprints his/her biometric to unlock Cw.

2.2 Hash function

A hash function \(h: X \rightarrow Y\) is a deterministic mapping from the set \(X = \{0,1\}^{*}\) of strings of variable length to the set \(Y = \{0,1\}^{t}\) of strings of fixed length; its properties include:

  • For any input a ∈ X it is easy to compute h(a) in polynomial time; moreover, h(⋅) is deterministic in nature.

  • A small change in the input a ∈ X results in an output completely uncorrelated with h(a).

  • One-way property: given the message digest h(a) of some a ∈ X, it is difficult to find the actual message a.

  • Weak collision resistance property: given any input a ∈ X, it is difficult to find another a′ ∈ X with a′ ≠ a such that h(a′) = h(a).

  • Strong collision resistance property: it is difficult to find any two inputs a, a′ ∈ X with a ≠ a′ such that h(a) = h(a′).

2.3 Revocable template generation

A revocable template [41] provides the privacy and revocability of the user biometric. By using a transformation parameter TPu and a transformation function f(⋅), the user biometric data is converted into a cancel-able template CTu = f(BIOu,TPu) with the following properties:

  1. Collision-free property: If CTu = f(BIOu,TPu) and CTk = f(BIOk,TPk), then CTu ≠ CTk for BIOu ≠ BIOk. Moreover, if CTn = f(BIO,TPn) and CTm = f(BIO,TPm), then CTn ≠ CTm for TPn ≠ TPm.

  2. Intra-user variability property: two different templates CTu = f(BIOu,TPu) and \(CT^{\prime }_{u} = f(BIO^{\prime }_{u}, TP_{u})\) can be generated from the same fingerprint.

  3. Revocation of biometric: If the user biometric is compromised, a new template can be generated by using a new transformation parameter \(TP^{new}_{u}\) with the same transformation function f(⋅).

  4. User privacy: The cancel-able template should protect the confidentiality of the user; moreover, the template should not reveal information about the original biometric of the user.

2.4 Error correction technique

In a biometric template, the intra-user variation is considered an error. To remove the errors in the user biometric template, an error correction technique [17] is applied to the noisy biometric image. At the time of enrollment/registration \(CT_{enrol_{u}} = f(BIO_{enrol_{u}},TP_{u})\) is generated, which is matched at authentication time against the query template \(CT_{query_{u}} = f(BIO_{query_{u}},TP_{u})\). The difference can be calculated through the Hamming distance \( e = HamDis(CT_{enrol_{u}}, CT_{query_{u}})\).
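The following Python example, added here and not part of the paper, instantiates the three building blocks of Sections 2.1, 2.3 and 2.4 on constructed data: a toy cancel-able transform f(BIOu, TPu) (an XOR with a mask derived from TPu), a 3-fold repetition code as the error correction technique enc/dec, and the fuzzy commitment Hu = CTu ⊕ enc(Rcu) verified through R = h(Rcu). The template length, key length and code are assumptions, not the paper's parameters, and h(⋅) is SHA-256. It shows a query template within the code's correction capacity unlocking the same Rcu, a far-off template being rejected, and a new TPu yielding a different template for the same biometric.

```python
import hashlib

# Constructed parameters: the paper fixes no lengths and no concrete code.
TEMPLATE_BITS = 96   # length of the binary template CT_u
KEY_BITS = 32        # length of the committed secret Rc_u
REPEAT = 3           # each key bit is written 3 times: corrects 1 flip per triple


def h(data: bytes) -> bytes:
    """One-way hash h(.) instantiated with SHA-256."""
    return hashlib.sha256(data).digest()


def bits_to_bytes(bits: list) -> bytes:
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def f(bio: list, tp: bytes) -> list:
    """Toy cancel-able transform: XOR the biometric bits with a mask derived from
    the transformation parameter TP_u.  A new TP_u gives a new template for the
    same BIO_u, which is what revocation (Section 2.3) requires."""
    mask = hashlib.shake_256(b"cancelable-template|" + tp).digest(len(bio))
    return [b ^ (m & 1) for b, m in zip(bio, mask)]


def enc(key_bits: list) -> list:
    """Repetition encoding: codeword R_cod = enc(Rc_u)."""
    return [b for b in key_bits for _ in range(REPEAT)]


def dec(codeword: list) -> list:
    """Majority decoding: recovers Rc_u if at most one bit per triple was flipped."""
    return [int(sum(codeword[i:i + REPEAT]) * 2 > REPEAT)
            for i in range(0, len(codeword), REPEAT)]


def xor_bits(a: list, b: list) -> list:
    return [x ^ y for x, y in zip(a, b)]


def ham_dis(a: list, b: list) -> int:
    """Hamming distance e = HamDis(CT_enrol, CT_query) of Section 2.4."""
    return sum(x != y for x, y in zip(a, b))


def enroll(bio: list, tp: bytes, rc: list) -> dict:
    """Enrollment: commit Rc_u under the template.  Only H_u, R and TP_u are kept;
    rc is passed in so the example is reproducible (the protocol draws it at random)."""
    ct = f(bio, tp)
    h_u = xor_bits(ct, enc(rc))            # H_u = CT_u xor R_cod
    return {"H_u": h_u, "R": h(bits_to_bytes(rc)), "TP_u": tp}


def authenticate(helper: dict, bio_query: list):
    """Authentication: unlock the codeword with a fresh (noisy) template and check
    h(Rc'_u) = R.  Returns the recovered Rc_u, or None when the check fails."""
    ct_query = f(bio_query, helper["TP_u"])
    rc_query = dec(xor_bits(helper["H_u"], ct_query))   # R'_cod = H_u xor CT'_u
    if h(bits_to_bytes(rc_query)) != helper["R"]:
        return None
    return rc_query
```

The repetition code tolerates one flipped bit per triple, so the Hamming distance between enrolled and query templates, together with where the flips fall, decides whether authentication succeeds; a deployed scheme would use a stronger code (BCH or similar) with a tolerance chosen from the false reject/false accept trade-off.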

2.5 Threat model

According to the well known and widely accepted Dolev-Yao (DY) threat model [15], an attacker not only listens to the communication between two participants but can also change the entire message or delete it on the open channel. An attacker can also extract the secret credentials of a legitimate user from a stolen smart card through a power analysis attack [25, 34]. The second adversarial model is the Canetti and Krawczyk model (CK-model), which is considered the de facto standard for authentication and key exchange protocols. According to [9], the CK adversary model not only follows the Dolev-Yao (DY) threat model but also allows the adversary to obtain the session key and session states. Precisely, an adversary with the following capabilities [11, 12] is considered:

  1. The channel is under the full control of the adversary, who can intercept the communicated messages and replay the original message or modify it. The adversary can also generate and transmit a fake message.

  2. User and server identities are public.

  3. The adversary can launch a power analysis attack and is able to steal the verifier stored on the server/gateway, etc.

  4. The private keys of all participants are considered non-compromised.

2.6 The contributions

  1. We have cryptanalyzed the recent multi-server authentication protocol proposed by Barman et al. [6] to show its security issues and vulnerabilities.

  2. We propose an enhanced authentication protocol using only symmetric cryptography operations and fuzzy commitment.

  3. The security of the proposed protocol is checked through BAN logic and the widely accepted AVISPA tool.

  4. The security discussion and the comparison of security features of the proposed protocol with related protocols, including Barman et al.’s protocol, is explained.

  5. We have also provided a comparative analysis of the computation and communication costs of the proposed protocol and competing related protocols.

3 Review of the protocol of Barman et al.

This section briefly reviews Barman et al.’s protocol [6]. The phases of the protocol are detailed in the subsections below, and the notations used in this paper are provided in Fig. 1.

Fig. 1 Notations

3.1 Server registration phase

In Barman et al.’s protocol, initially all the servers Sk : {1 ≤ k ≤ n} register with the RC. Sk selects its identity SIDk and dispatches a registration request to the RC. RC computes and sends a secret key PSKk = \(h(SID_{k}||X_{c})\) to each Sk. RC may also consider another \(n^{\prime}\) servers, which may register with the RC in the future. Therefore, the RC chooses identities SIDS for each of the future servers and generates the shared keys PSKS = \(h(SID_{S} || X_{c})\) for \(n+1 \leq S \leq n + n^{\prime}\). The server identities (for \(n + n^{\prime}\) servers) along with their corresponding key pairs \(\{(SID_{k}, PSK_{k}) | 1 \leq k \leq n + n^{\prime}\}\) are stored in the RC database.

3.2 User registration phase

The detailed steps of the user registration phase are defined below:

  1. Initially, Uu registers with the RC via a protected channel to get the services. Uu selects IDu, PWu, and a transformation parameter \(TP_{u}\) along with a random number Rcu. Uu also imprints his BIOu.

  2. Uu produces the cancel-able biometric template using the transformation function CTu = f(BIOu,TPu) and computes RPWu = h(PWu||CTu), ru = h(Rcu||IDu||PWu). Uu then generates a random secret ku and sends the registration request 〈IDu, RPWu ⊕ ku〉 to the RC via a protected channel.

  3. After checking the validity of IDu, RC computes USk = h(IDu||PSKk), AMk = USk ⊕ (RPWu ⊕ ku), SVk = h(SIDk||PSKk) and BMk = SVk ⊕ RPWu ⊕ ku (for all servers). RC issues a smart card SCu holding \(\{(SID_{k}, AM_{k}, BM_{k})| 1 \leq k \leq (n + n^{\prime })\}\) and sends it to Uu via a protected channel.

  4. Using the error correction technique ε, Uu encodes Rcu into the codeword Rcod = εenc(Rcu) and computes Hu = CTu ⊕ Rcod, R = h(Rcu) and P = h(ru). Uu then computes AMuk = (AMk ⊕ ku) ⊕ ru and BMuk = (BMk ⊕ ku) ⊕ ru (for all servers). Uu then stores \(\{(AM_{uk}, BM_{uk}) | 1 \leq k \leq (n + n^{\prime }), TP_{u}, H_{u}, R, P, h(\cdot), enc(\cdot), dec(\cdot)\}\) in the smart card SCu. Uu removes Rcu, BIOu, CTu, ru, AMk and BMk for security reasons.

3.3 Login phase

The detailed steps of the login request are as follows:

  1. Uu inserts the smart card into the terminal and provides the credentials IDu, PWu and \(BIO^{\prime }_{u}\) for authentication.

  2. The smart card SCu generates the cancel-able fingerprint template \(CT^{\prime }_{u} = f(BIO^{\prime }_{u}, TP_{u})\), extracts \(R^{\prime }_{cod} = H_{u} \oplus CT^{\prime }_{u} \) and then decodes \(R^{\prime }_{cod}\) using the error correction technique, \(Rc^{\prime }_{u} = \aleph _{dec}(R^{\prime }_{cod})\). SCu compares \(h(Rc^{\prime }_{u})\) with R, which is stored in SCu. If they are equal, it proceeds further; otherwise it terminates the session.

  3. SCu computes \(r^{\prime }_{u} = h(Rc^{\prime }_{u} || ID_{u} || PW_{u})\) and checks if \(h(r^{\prime }_{u}) = P\) (the stored \(h(r_{u})\)); if so, it proceeds further; otherwise, SCu terminates the session.

  4. SCu computes \(US_{k} = AM_{uk} \oplus h(PW_{u} || CT_{u}) \oplus r^{\prime }_{u} = h(ID_{u} || PSK_{k}) \) and \(SV_{k} = BM_{uk} \oplus h(PW_{u} || CT_{u}) \oplus r^{\prime }_{u} = h(SID_{k} || PSK_{k})\). SCu selects Ru, generates T1, and computes \(M^{\prime }_{1} = h(ID_{u}||US_{k}), M^{\prime }_{2} = ID_{u} \oplus h(SV_{k}||T_{1}), M^{\prime }_{3} = M^{\prime }_{1} \oplus R_{u}, M^{\prime }_{4} = h(ID_{u}||M^{\prime }_{1}||M^{\prime }_{2} || T_{1}||R_{u})\).

  5. Finally, SCu sends the request \( \langle M^{\prime }_{2}, M^{\prime }_{3}, M^{\prime }_{4}, T_{1} \rangle \) to the server Sk.

3.4 Mutual authentication and key agreement phase

The mutual authentication and key agreement phase consists of the following steps:

  1. Sk receives the login request \( \langle M^{\prime }_{2}, M^{\prime }_{3}, M^{\prime }_{4}, T_{1} \rangle \) at time \(T^{\prime }_{1}\) and, after verifying the allowable time delay \(|T^{\prime }_{1} - T_{1}|\), Sk computes \(M^{\prime }_{5} = M^{\prime }_{2} \oplus h(h(SID_{k}||PSK_{k})||T_{1})\), \(M^{\prime }_{6} = h(M^{\prime }_{5}||h(M^{\prime }_{5}||PSK_{k}))\), \(M^{\prime }_{7} = M^{\prime }_{3} \oplus M^{\prime }_{6} = R_{u}\) and \(M^{\prime }_{8} = h(M^{\prime }_{5}||M^{\prime }_{6}||M^{\prime }_{2}||T_{1}||M^{\prime }_{7})\). If \(M^{\prime }_{8} \neq M^{\prime }_{4}\), Sk cancels the login request; otherwise it proceeds further.

  2. Sk selects a random number Rs, generates T3 and then computes \(M^{\prime }_{9} = h(h(M^{\prime }_{5}||PSK_{k})||R_{u}) \oplus R_{s}\), the session key \(SK_{uk} = h(M^{\prime }_{5}||h(SID_{k}||PSK_{k})||R_{u}||R_{s}||T_{1}||T_{3})\) and \(M^{\prime }_{10} = h(h(M^{\prime }_{5}||PSK_{k})||SK_{uk}||T_{3}||R_{s})\), and sends \( \langle M^{\prime }_{9},M^{\prime }_{10},T_{3} \rangle \) to Uu.

  3. Uu receives \( \langle M^{\prime }_{9}, M^{\prime }_{10},T_{3} \rangle \). After checking the delay of T3 against the current time Tc, SCu computes \(R^{\prime }_{s} = M^{\prime }_{9} \oplus h(US_{k}||R_{u})\), the session key \(SK^{\prime }_{uk} = h(ID_{u}||SV_{k}||R_{u}||R_{s}||T_{1}||T_{3})\) shared with Sk, and \(M^{\prime }_{11} = h(US_{k}||SK^{\prime }_{uk}||T_{3}||R^{\prime }_{s})\). If \(M^{\prime }_{11} \neq M^{\prime }_{10}\), SCu terminates the session. Otherwise, the session key SKuk is established between Uu and Sk.

3.5 Password and biometric template update phase

Uu provides the current credentials IDu, PWu, BIOu, and the feature \(BIO^{\prime }_{u}\) is extracted from BIOu. SCu then computes \(CT^{\prime }_{u} = f(BIO^{\prime }_{u},TP_{u})\) and \(Rc^{\prime }_{u} = \aleph _{dec}(H_{u} \oplus CT^{\prime }_{u})\) and checks if \(h(Rc^{\prime }_{u}) = R\); SCu further computes \(r^{\prime }_{u} = h(Rc^{\prime }_{u}||ID_{u}||PW_{u})\) and checks if \(h(r^{\prime }_{u}) = P\); if so, it proceeds further; otherwise, it terminates the request. SCu then asks Uu to modify the password and biometric template:

  1. To update the password, Uu inputs \(PW^{new}_{u}\). SCu computes \(r^{new}_{u} = h(Rc^{\prime }_{u}||ID_{u}||PW^{new}_{u})\), \(AM^{new}_{uk} = AM_{uk} \oplus r^{\prime }_{u} \oplus r^{new}_{u} = h(ID_{u}||PSK_{k}) \oplus h(PW_{u}||CT_{u}) \oplus h(Rc^{\prime }_{u}||ID_{u}||PW^{new}_{u})\) and \(BM^{new}_{uk} = BM_{uk} \oplus r^{\prime }_{u} \oplus r^{new}_{u} = h(SID_{k}||PSK_{k}) \oplus h(PW_{u}||CT_{u}) \oplus h(Rc^{\prime }_{u}||ID_{u}||PW^{new}_{u})\) for \(1 \leq k \leq (n + n^{\prime })\), and \(P^{new} = h(r^{new}_{u})\). SCu replaces its stored parameters {AMuk, BMuk, P} with the newly computed values \(\{AM^{new}_{uk}, BM^{new}_{uk}, P^{new}\}\).

  2. To update the biometric template, SCu requests Uu for a new transformation parameter \(TP^{new}_{u}\), replaces the old TPu with it, and produces the new cancel-able template \(CT^{new}_{u} = f(BIO^{\prime }_{u},TP^{new}_{u})\). SCu also computes \(RPW^{new}_{u} = h(PW_{u}||CT^{new}_{u})\), \(AM^{new}_{uk} = AM_{uk} \oplus RPW_{u} \oplus RPW^{new}_{u} = h(ID_{u}||PSK_{k}) \oplus h(PW_{u}||CT^{new}_{u}) \oplus r^{\prime }_{u}\), \(BM^{new}_{uk} = BM_{uk} \oplus RPW_{u} \oplus RPW^{new}_{u} = h(SID_{k}||PSK_{k}) \oplus h(PW_{u}||CT^{new}_{u}) \oplus r^{\prime }_{u}\), and the new helper data \(H^{new}_{u} = CT^{new}_{u} \oplus \aleph _{enc}(Rc^{\prime }_{u})\). Accordingly, the information {AMuk, BMuk, Hu} stored in SCu is replaced by \(\{AM^{new}_{uk}, BM^{new}_{uk}, H^{new}_{u}\}\).

3.6 Smart card revocation phase

If the SCu of an authorized Uu is damaged, lost or stolen, then Uu can get a new SCu from the RC. Uu provides IDu and PWu and imprints BIOu. The steps are:

  1. Uu computes \(CT^{\prime }_{u} = f(BIO_{u},TP_{u})\) and \(RPW_{u} =h(PW_{u}||CT^{\prime }_{u})\), generates a random number \(k^{\prime }_{u}\), computes the parameter \(RPW^{\prime }_{u} = RPW_{u} \oplus k^{\prime }_{u}\) and then sends the request \( \langle ID_{u}, RPW^{\prime }_{u} \rangle \) to the RC via a protected channel for a new \(SC^{new}_{u}\).

  2. RC computes \(AM_{k} = h(ID_{u}||PSK_{k}) \oplus RPW^{\prime }_{u}, BM_{k} = h(SID_{k}||PSK_{k}) \oplus RPW^{\prime }_{u}\) for \(k = 1, 2, \ldots, (n+n^{\prime })\) and issues a new \(SC^{new}_{u}\) containing \(\{(SID_{k}, AM_{k}, BM_{k})| 1 \leq k \leq n + n^{\prime} \}\). RC sends \(SC^{new}_{u}\) with these parameters to Uu via a protected channel.

  3. Uu generates a new random number \(Rc^{new}_{u}\) and computes \(r_{u} = h(Rc^{new}_{u} || ID_{u} || PW_{u}), H^{new}_{u} = CT^{\prime }_{u} \oplus \aleph _{enc} (Rc^{new}_{u}), AM_{uk} = (AM_{k} \oplus k^{\prime }_{u}) \oplus r_{u}, BM_{uk} = (BM_{k} \oplus k^{\prime }_{u}) \oplus r_{u}, R = h(Rc^{new}_{u}), P = h(r_{u})\) and stores these values in the memory of \(SC^{new}_{u}\). Uu also stores {TPu, enc(⋅), dec(⋅), h(⋅)} in the memory of \(SC^{new}_{u}\).

4 Cryptanalysis of the Protocol of Barman et al.

The in-depth analysis in the following subsections proves that Barman et al.’s protocol [6] entails serious security flaws:

4.1 Incomplete login request

The login message \(\{M^{\prime }_{2} , M^{\prime }_{3}, M^{\prime }_{4}, T_{1}\}\) sent by user Uu to the server Sk is incomplete, because the identity of the server SIDk is not included in the login request; this is the most important parameter for communication [32], and without the server identity the RC cannot direct the request of Uu to his intended server. This crucial mistake can be treated as a typing mistake. The protocol can only work if the login message contains the identity of the server.

4.2 User anonymity violations attack

Here, we show that the protocol of Barman et al. is vulnerable to a user anonymity violation attack. Let Ua be a legal but dishonest user of the system who wants to violate user anonymity. In the mutual authentication phase of Barman et al.’s protocol user Uu sends the message \(\{M^{\prime }_{2}, M^{\prime }_{3}, M^{\prime }_{4}, T_{1}, SID_{k}\}\) to the server SIDk over the public channel. During the communication, let Ua intercept the message; using \(M^{\prime }_{2} = ID_{u} \oplus h(SV_{k}\| T_{1})\), Ua can easily extract the IDu of every user, because all the users connected to SIDk have SVk (the secret identifier generated by RC for SIDk) stored in their smart cards. Ua can extract the identity of a user as follows:

  1. Step AV 1:

    Uu sends the login message to SIDk. During the communication, let user Ua intercept the message \(\{M^{\prime }_{2} , M^{\prime }_{3}, M^{\prime }_{4}, T_{1}, SID_{k}\}\).

  2. Step AV 2:

    Ua, using his own smart card, enters his credentials IDa, PWa and BIOa. Ua extracts the {BMak, AMak} pair from his own smart card and then computes CTa = f(BIOa,TPa), \(R^{\prime }_{cod}=H_{a}\oplus CT_{a}\), \(Rc^{\prime }_{a} = \aleph _{dec}(R^{\prime }_{cod})\), ra = h(Rca||IDa||PWa), similar to the login steps. Ua then computes:

    $$ \begin{array}{@{}rcl@{}} &US_{k_{a}}=AM_{ak}\oplus h(PW_{a}||CT_{a})\oplus r_{a} \end{array} $$
    (1)
    $$ \begin{array}{@{}rcl@{}} &SV_{k} = BM_{ak} \oplus h(PW_{a} || CT_{a}) \oplus r^{\prime}_{a} = h(SID_{k} || PSK_{k}) \end{array} $$
    (2)
    $$ \begin{array}{@{}rcl@{}} &Z=h(SV_{k}||T_{1}) \end{array} $$
    (3)
  3. Step AV 3:

    Based on SVk, Z and the \(M^{\prime }_{2}\) from login request, Ua computes:

    $$ \begin{array}{@{}rcl@{}} ID_{u}&=M^{\prime}_{2}\oplus Z \end{array} $$
    (4)

In Eq. 4, IDu is the real identity of Uu. Therefore, Ua has successfully broken user anonymity.

4.3 User impersonation attack based on stolen smart-card

Using the stolen smart card of some user, say Uu, another legal but dishonest user of the system can launch a user impersonation attack on Barman et al.’s protocol. Let Ua be a legal user who gets his card SCa containing \(\{SID_{k}, AM_{a_{k}},BM_{a_{k}} | 1 \leq k \leq (n + n^{\prime })\}\) along with {TPa, Ha, P, h(⋅), enc, dec}, and who steals the smart card SCu. Ua performs the following steps to impersonate Uu:

  1. Step ISC 1:

    Ua enters his credentials IDa, PWa and biometric BIOa. Ua now computes \(US_{k}, CT^{\prime }_{a}, r^{\prime }_{a} \) and \(SV_{k} = BM_{ak} \oplus h(PW_{a} || CT_{a}) \oplus r^{\prime }_{a} = h(SID_{k} || PSK_{k})\), as SVk is common to all smart cards.

  2. Step ISC 2:

    Ua extracts AMuk = USuk ⊕ (RPWu ⊕ uk) and BMuk = SVk ⊕ (RPWu ⊕ uk) from Uu’s stolen smart card SCu.

  3. Step ISC 3:

    Ua using SVk computes:

    $$ \begin{array}{@{}rcl@{}} X&= AM_{uk} \oplus BM_{uk} = \{US_{uk} \oplus (RPW_{u} \oplus uk)\} \oplus \{SV_{k} \oplus (RPW_{u} \oplus uk)\} \end{array} $$
    (5)
    $$ \begin{array}{@{}rcl@{}} &= US_{uk} \oplus SV_{k} \end{array} $$
    (6)
    $$ \begin{array}{@{}rcl@{}} US_{uk} &= X \oplus SV_{k} \end{array} $$
    (7)
  4. Step ISC 4:

    Ua now has SVk and USuk of Uu together with IDu. Ua generates a random number Ru and a timestamp T1 and computes:

    $$ \begin{array}{@{}rcl@{}} M^{\prime}_{1} &= h(ID_{u} || US_{k}) \end{array} $$
    (8)
    $$ \begin{array}{@{}rcl@{}} M^{\prime}_{2} &= ID_{u} \oplus h(SV_{k} || T_{1}) \end{array} $$
    (9)
    $$ \begin{array}{@{}rcl@{}} M^{\prime}_{3} &= M^{\prime}_{1} \oplus R_{u} \end{array} $$
    (10)
    $$ \begin{array}{@{}rcl@{}} M^{\prime}_{4} &= h(ID_{u} || M^{\prime}_{1} || M^{\prime}_{2} || T_{1} || R_{u}) \end{array} $$
    (11)
  5. Step ISC 5:

    Ua sends the login request message \( \langle M^{\prime }_{2}, M^{\prime }_{3}, M^{\prime }_{4}, T_{1}, SID_{k} \rangle \) to Sk. Sk receives the login request and, after checking the time delay \(|T^{\prime }_{1} - T_{1}|\), computes the following:

    $$ \begin{array}{@{}rcl@{}} &M^{\prime}_{5} = M^{\prime}_{2} \oplus h(h(SID_{k}||PSK_{k})||T_{1}) = (ID_{u}) \end{array} $$
    (12)
    $$ \begin{array}{@{}rcl@{}} &M^{\prime}_{6} = h(M^{\prime}_{5}||h(M^{\prime}_{5}||PSK_{k})) \end{array} $$
    (13)
    $$ \begin{array}{@{}rcl@{}} &M^{\prime}_{7} = M^{\prime}_{3} \oplus M^{\prime}_{6} = R_{u} \end{array} $$
    (14)
    $$ \begin{array}{@{}rcl@{}} &M^{\prime}_{8} = h(M^{\prime}_{5}||M^{\prime}_{6}||M^{\prime}_{2}||T_{1}||M^{\prime}_{7}) \end{array} $$
    (15)
  6. Step ISC 6:

    Sk checks if \(M^{\prime }_{8} = M^{\prime }_{4}\); Ua passes this test because \(M^{\prime }_{8}\) and \(M^{\prime }_{4}\) have the same value. Sk selects a nonce Rs, generates the current timestamp T3, and computes:

    $$ \begin{array}{@{}rcl@{}} &M^{\prime}_{9} = h(h(M^{\prime}_{5}||PSK_{k})||R_{u}) \oplus R_{s} \end{array} $$
    (16)
    $$ \begin{array}{@{}rcl@{}} &SK_{uk} =h(M^{\prime}_{5}||h(SID_{k}||PSK_{k})||R_{u}||R_{s}||T_{1}||T_{3}) \end{array} $$
    (17)
    $$ \begin{array}{@{}rcl@{}} & M^{\prime}_{10} = h(h(M^{\prime}_{5}||PSK_{k})||SK_{uk}||T_{3}||R_{s}) \end{array} $$
    (18)
  7. Step ISC 7:

    Then, Sk sends \( \langle M^{\prime }_{9}, M^{\prime }_{10}, T_{3} \rangle \) to Ua. Ua receives the authentication reply message \( \langle M^{\prime }_{9}, M^{\prime }_{10}, T_{3} \rangle \) at time \(T^{\prime }_{3}\) and computes:

    $$ \begin{array}{@{}rcl@{}} &R_{s} = M^{\prime}_{9} \oplus h(US_{k}||R_{u}) \end{array} $$
    (19)
    $$ \begin{array}{@{}rcl@{}} &SK^{\prime}_{uk} = h(ID_{u}||SV_{k}||R_{u}||R_{s}||T_{1}||T_{3}) \end{array} $$
    (20)
    $$ \begin{array}{@{}rcl@{}} &M^{\prime}_{11} = h(US_{k}||SK^{\prime}_{uk}||T_{3}||R_{s}) \end{array} $$
    (21)

The session key computed by Ua in Eq. 20 is the same as that computed by Sk in Eq. 17. Therefore, Ua has successfully established a secure connection with Sk by impersonating Uu.
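The following Python model, added here and not taken from the paper, reproduces the card contents and the login/authentication messages of Sections 3.2 to 3.4 on constructed values (SHA-256 as h(⋅), made-up identities, passwords and secrets) and then checks the two structural observations of Sections 4.2 and 4.3: \(M^{\prime}_{2}\) is masked only with h(SVk||T1), and SVk is identical on every card; AMuk and BMuk are masked with the same pad, so their XOR cancels it. The lesson for a protocol reviewer is that a value shared by every registered card cannot act as a secret toward other users, and that two values must never be hidden under the same one-time pad.

```python
import hashlib

# Toy model of Barman et al.'s card contents and login messages.  Every identity,
# password and secret below is constructed for this example; h(.) is SHA-256 and
# "||" is byte concatenation with a separator.


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) instantiated with SHA-256."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


SID_k = b"SID_k".ljust(32, b"\0")        # server identity (public)
PSK_k = h(SID_k, b"X_c-constructed")     # PSK_k = h(SID_k || X_c), known to S_k and RC
SV_k = h(SID_k, PSK_k)                   # SV_k = h(SID_k || PSK_k): the same on every card


def issue_card(id_u: bytes, rpw_u: bytes, r_u: bytes) -> dict:
    """Card contents after registration steps 3-4: k_u cancels out, leaving
    AM_uk = US_k xor RPW_u xor r_u and BM_uk = SV_k xor RPW_u xor r_u."""
    us_k = h(id_u, PSK_k)                # US_k = h(ID_u || PSK_k)
    pad = xor(rpw_u, r_u)                # the same pad protects both values
    return {"AM_uk": xor(us_k, pad), "BM_uk": xor(SV_k, pad)}


def card_unmask(card: dict, rpw_u: bytes, r_u: bytes) -> tuple:
    """Login step 4: the legitimate holder recovers (US_k, SV_k)."""
    pad = xor(rpw_u, r_u)
    return xor(card["AM_uk"], pad), xor(card["BM_uk"], pad)


def build_login(id_u: bytes, us_k: bytes, sv_k: bytes, nonce_ru: bytes, t1: bytes) -> dict:
    """Login step 4: M1..M4 exactly as the card computes them."""
    m1 = h(id_u, us_k)
    m2 = xor(id_u, h(sv_k, t1))
    m3 = xor(m1, nonce_ru)
    m4 = h(id_u, m1, m2, t1, nonce_ru)
    return {"M2": m2, "M3": m3, "M4": m4, "T1": t1}


def server_verify(msg: dict) -> bool:
    """Authentication step 1 at S_k: recompute M5..M8 and compare M8 with M4."""
    m5 = xor(msg["M2"], h(h(SID_k, PSK_k), msg["T1"]))   # = ID_u
    m6 = h(m5, h(m5, PSK_k))                               # = h(ID_u || US_k) = M1
    m7 = xor(msg["M3"], m6)                                # = R_u
    m8 = h(m5, m6, msg["M2"], msg["T1"], m7)
    return m8 == msg["M4"]


def id_from_login(msg: dict, sv_k: bytes) -> bytes:
    """Section 4.2: M2 is masked only with h(SV_k || T1), and SV_k sits on every card."""
    return xor(msg["M2"], h(sv_k, msg["T1"]))


def us_k_from_card(card: dict, sv_k: bytes) -> bytes:
    """Section 4.3, Eqs. 5-7: AM_uk xor BM_uk cancels the shared pad and leaves
    US_k xor SV_k, so SV_k alone unmasks US_k without the owner's password."""
    return xor(xor(card["AM_uk"], card["BM_uk"]), sv_k)
```

Running the checks end to end shows that a login built from the values recovered by `id_from_login` and `us_k_from_card` passes `server_verify`, which is exactly the Section 4.3 result: the server's check depends only on quantities that any registered card holder can derive.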

4.4 Scalability problems

In the registration phase of Barman et al.’s protocol the smart card stores AMk for every server. In a multi-server environment there may be many servers and users, so it is inefficient to store (AMk) for every server within the smart card, whose small chip has limited storage. This protocol is not practical: suppose we have n servers; then USk and SVk of all n servers, each of size 160 bits, must be stored within the smart card. For a large number of servers, such as 100, the bits stored for USk and SVk in the smart card amount to 32000 bits, which can be problematic due to the card’s storage restrictions. Moreover, the authors did not mention the procedure to update the smart card if new servers are added, since AMuk = (AMk ⊕ ku) ⊕ ru and BMuk = (BMk ⊕ ku) ⊕ ru are fixed for \( 1 \leq k \leq (n + n^{\prime } )\).

5 Proposed protocol

This section details the proposed scheme, which consists of three entities: users, servers and the registration center (RC). The details are in the following subsections:

5.1 Server registration phase

Every Sk, with its particular identity SIDk, must send a registration request to the RC if it is willing to provide services to the legitimate users Uu. RC computes \(X_{RS_{k}} = h(SID_{k}||X_{c})\) and \(M_{k} = E_{X_{c}}(X_{RS_{k}}) \), stores \((SID_{k},E_{X_{c}}(X_{RS_{k}}))\) in the database of RC and sends the shared key \(X_{RS_{k}}\) to the server.

5.2 User registration phase

Uu chooses IDu, PWu, TPu, then imprints BIOu and selects a random number N1. Uu computes CTu = f(BIOu,TPu), Au = h(N1||PWu||IDu||CTu) and sends Au, IDu to the RC. On receiving them, RC computes Xu = h(IDu||Xc) and Yu = Xu ⊕ Au, generates a random number ro and computes the pseudo identity \(PID_{u} = E_{X_{c}}(ID_{u}||r_{o})\oplus A_{u}\). RC then stores Yu, PIDu, h(⋅) in the smart card and sends the smart card to the user over a secure channel. On receiving the smart card, Uu computes Rcod = enc(Rcu), Hu = CTu ⊕ Rcod, R = h(Rcu), ru = h(Rcu||IDu||PWu), P = h(ru) and Eu = N1 ⊕ ru. Uu stores {TPu, Hu, R, P, h(⋅), enc(⋅), dec(⋅), Yu, PIDu, Eu} in the smart card. The server and user registration phases are also illustrated in Fig. 2.

Fig. 2 Registration phase of server and user

5.3 Login and authentication phase

The following steps, as shown in Fig. 3, explain the login and authentication phase briefly:

  1. Step AP 1:

    The user inserts the smart card, provides the credentials \(ID_{u}, PW_{u}, BIO^{\prime }_{u}\) and calculates \(CT^{\prime }_{u} = f(BIO^{\prime }_{u}, TP_{u})\), \(R^{\prime }_{cod} = H_{u} \oplus CT^{\prime }_{u}\) and \(Rc^{\prime }_{u} = \aleph _{dec}(R^{\prime }_{cod})\). If \(h(Rc^{\prime }_{u}) \neq R\), the session is terminated; otherwise the card calculates \(r^{\prime }_{u} = h(Rc^{\prime }_{u}||ID_{u}||PW_{u})\) and checks again: if \(h(r^{\prime }_{u}) \neq P\), the session is terminated, else it computes N1 = Eu ⊕ ru, \(A^{\prime }_{u} = h(N_{1}||PW_{u}||ID_{u}||CT_{u})\), \(X_{u} = Y_{u} \oplus A^{\prime }_{u}\) and \(DID_{u} = PID_{u}\oplus A^{\prime }_{u}\), generates a random number Ru and a timestamp T1, takes the identity SIDk of the server whose services are requested, computes Gu = Ru ⊕ h(Xu||IDu||SIDk||T1) and Hu = h(IDu||Gu||Xu||Ru||T1||SIDk), and sends {DIDu, Hu, Gu, T1, SIDk} to the RC over the public channel.

  2. Step AP 2:

    RC receives the login request and checks the time delay (Tc − T1 ≤ ΔT). RC decrypts \((ID_{u}||r_{o}) = D_{X_{c}}(DID_{u})\) using Xc and computes Xu = h(IDu||Xc), Ru = Gu ⊕ h(Xu||IDu||SIDk||T1) and \(H^{\prime }_{u} = h(ID_{u}||G_{u}||X_{u}||R_{u}||T_{1}||SID_{k})\). RC then checks \( H^{\prime }_{u} \stackrel {?}{=} H_{u} \); if not true, it terminates the session. Otherwise, RC has verified the user successfully. RC then extracts \(X_{RS_{k}} \) from the verifier table, generates a timestamp T2 and computes \(X^{\prime }_{u} = h(X_{u}||ID_{u}||SID_{k}||T_{1})\) and \(H_{R_{c}} = h(X_{RS_{k}}||X^{\prime }_{u}||ID_{u}||SID_{k}||T_{2})\). RC now encrypts the parameters \( (X^{\prime }_{u}, R_{u}, ID_{u}, H_{R_{c}}, SID_{k}, T_{1})\) using the shared secret key \(X_{RS_{k}}\) and sends \(E_{X_{RS_{k}}} (X^{\prime }_{u}, R_{u}, ID_{u}, H_{R_{c}}, SID_{k}, T_{1}), T_{2}, SID_{k}\) to the server over the public channel.

  3. Step AP 3:

    On receiving the message, Sk checks the time delay (Tc − T2 ≤ ΔT) and decrypts \( D_{X_{RS_{k}}}(X^{\prime }_{u}, R_{u}, ID_{u}, H_{R_{c}}, SID_{k}, T_{1})\) using the shared key \({X_{RS_{k}}}\). Sk then computes \(H^{\prime }_{R_{c}} = h (X_{RS_{k}}|| X^{\prime }_{u}||ID_{u}||SID_{k}||T_{2})\) and checks the equality \(H^{\prime }_{R_{c}} \stackrel {?}{=} H_{R_{c}} \); if the condition is true, Sk has verified RC successfully. Further, Sk generates Rs, T3 and computes \(M_{x} = R_{s}\oplus h (ID_{u}||X^{\prime }_{u}||R_{u}||T_{3})\) and \(H^{\prime \prime }_{R_{c}} = h(R_{s}||M_{x}|| T_{u}||ID_{u}||T_{3})\). Sk then sends \(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u}\}\) to the RC, which in turn checks (Tc − T3 ≤ ΔT) and on successful verification computes \(R_{s} = M_{x}\oplus h(ID_{u}||X^{\prime }_{u}||R_{u}||T_{3})\) and \(H^{\prime \prime \prime }_{R_{c}} = h(R_{s}||M_{x}||T_{u}||ID_{u}||T_{3})\). RC then checks \(H^{\prime \prime \prime }_{R_{c}} \stackrel {?}{=} H^{\prime \prime }_{R_{c}} \) and on successful verification computes the new dynamic identity \(RID_{u}=E_{X_{c}}(ID_{u}||r_{n})\oplus R_{s}\) for Uu and forwards \(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u}, RID_{u}\}\) to the legitimate user Uu.

  4. Step AP 4:

    On receiving the message, Uu checks the time delay (Tc − T3 ≤ ΔT) and on success computes \(R_{s} = M_{x}\oplus h(ID_{u}||X^{\prime }_{u}||R_{u}||T_{3}) \) and \( H^{\prime \prime \prime \prime }_{R_{c}} = h(R_{s}|| M_{x}||T_{u}||ID_{u}||T_{3})\), then checks whether \(H^{\prime \prime \prime \prime }_{R_{c}} \stackrel {?}{=} H^{\prime \prime }_{R_{c}}\); if true, the session key SKuk = \(h(X^{\prime }_{u}||ID_{u}||SID_{k}||R_{s}||R_{u})\) is established between user and server.

Fig. 3
figure 3

Login and Authentication Phase

5.4 Password and biometric update phase

In this phase, the password change and biometric template update process of the protocol is described. \(U_{u}\) must first log in successfully before changing the current password or updating the biometric template. The detailed steps are described below:

  1. Step CPB 1:

    \(U_{u}\) inserts the smart card into a card reader and provides the credentials \(ID_{u}\), \(PW_{u}\) and \(BIO_{u}\). The feature vector \(BIO^{\prime }_{u}\) is extracted from the captured \(BIO_{u}\). \(SC_{u}\) then computes \(CT^{\prime }_{u} = f(BIO^{\prime }_{u}, TP_{u})\) and \(R^{\prime }_{cu} = \varepsilon _{dec}(H_{u}\oplus CT^{\prime }_{u})\) and checks whether \(h(R^{\prime }_{cu}) = R\). If so, \(SC_{u}\) computes \(r^{\prime }_{u} = h(R^{\prime }_{cu}||ID_{u}||PW_{u})\) and checks whether \(h(r^{\prime }_{u}) = P\). Only when both checks succeed does the smart card allow \(U_{u}\) to change the password and update the biometric template.

  2. Step CPB 2:

    For the password change, \(SC_{u}\) asks \(U_{u}\) for a new password \(PW^{new}_{u}\). \(SC_{u}\) recovers \(N_{1} = E_{u} \oplus r^{\prime }_{u}\) from the stored \(E_{u}\), computes \(r^{new}_{u} = h(R^{\prime }_{cu}||ID_{u}||PW^{new}_{u})\), \(E^{new}_{u} = N_{1}\oplus r^{new}_{u}\) and \(P^{new} = h(r^{new}_{u})\), and replaces its stored parameters with \(\{TP_{u}, H_{u}, R, P^{new}, h(\cdot ), \varepsilon _{enc}(\cdot ), \varepsilon _{dec}(\cdot ), Y_{u}, PID_{u}, E^{new}_{u}\}\).

  3. Step CPB 3:

    To update the biometric template, \(SC_{u}\) asks \(U_{u}\) for a new transformation parameter \(TP^{new}_{u}\). The new cancelable template is generated as \(CT^{new}_{u} = f(BIO_{u}, TP^{new}_{u})\), together with the new helper data \(H^{new}_{u} = CT^{new}_{u}\oplus \varepsilon _{enc}(R^{\prime }_{cu})\). \(SC_{u}\) then replaces \(TP_{u}\) and \(H_{u}\) in its memory with \(TP^{new}_{u}\) and \(H^{new}_{u}\); the committed secret \(R^{\prime }_{cu}\), and hence \(R\) and \(P\), are unchanged.
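The smart-card side of Steps CPB 1 to CPB 3, as a worked example added here (not code from the paper), built on a concrete fuzzy commitment so that the checks \(h(R^{\prime }_{cu}) = R\) and \(h(r^{\prime }_{u}) = P\) can actually be exercised. It goes slightly beyond the text by showing what the first check does with a template whose noise exceeds the code's correction capacity. All of the following are assumptions of the example, since the paper fixes none of them: the cancelable transform \(f(BIO_{u}, TP_{u})\) is a bit permutation seeded by \(TP_{u}\), \((\varepsilon _{enc}, \varepsilon _{dec})\) is a 5-fold repetition code (correcting up to 2 flips per secret bit), \(h(\cdot)\) is SHA-256, \(BIO_{u}\) is an 800-bit feature vector, \(R_{cu}\) is a 160-bit secret, and the card holds only the subset \(\{TP_{u}, H_{u}, R, P, E_{u}\}\) of its stored parameters that these steps touch. The biometric, the secret and the identity `alice` are constructed sample data.

```python
# Editor's worked example of Steps CPB 1-3 (not the paper's code). Assumptions: a TP-seeded
# permutation as f(), a 5x repetition code as eps_enc/eps_dec, SHA-256 as h(), an 800-bit
# biometric vector committing to a 160-bit secret R_cu.
import hashlib, random

REP = 5  # repetition factor of the toy error-correcting code (assumption)

def h(*parts): return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b): return type(a)(x ^ y for x, y in zip(a, b))  # works for bit lists and for bytes

def eps_enc(secret):  # bytes -> bit list, LSB first, each bit repeated REP times
    return [(b >> i) & 1 for b in secret for i in range(8) for _ in range(REP)]

def eps_dec(code):  # majority vote per block; a block with more than REP//2 flips decodes wrongly
    bits = [int(sum(code[i:i + REP]) > REP // 2) for i in range(0, len(code), REP)]
    return bytes(sum(bits[j + i] << i for i in range(8)) for j in range(0, len(bits), 8))

def perm(n, tp):  # the permutation behind the cancelable transform, derived from TP
    order = list(range(n)); random.Random(tp).shuffle(order); return order

def f(bio, tp):  # cancelable template CT = f(BIO, TP)
    return [bio[i] for i in perm(len(bio), tp)]

def enroll(rc, n1, bio, tp, id_u, pw):  # the card contents these steps touch: TP_u, H_u, R, P, E_u
    r = h(rc, id_u, pw)
    return {"TP": tp, "H": xor(f(bio, tp), eps_enc(rc)), "R": h(rc), "P": h(r), "E": xor(n1, r)}

def cpb1_login(card, id_u, pw, bio):  # Step CPB 1: decommit R'_cu, check R, then check P
    rc = eps_dec(xor(card["H"], f(bio, card["TP"])))
    if h(rc) != card["R"]:
        return None                                  # biometric too noisy, or wrong finger
    r = h(rc, id_u, pw)
    return (rc, r) if h(r) == card["P"] else None    # wrong password

def cpb2_change_password(card, rc, r_old, id_u, pw_new):  # Step CPB 2
    n1 = xor(card["E"], r_old)                       # N_1 = E_u xor r_u
    r_new = h(rc, id_u, pw_new)
    return {**card, "P": h(r_new), "E": xor(n1, r_new)}

def cpb3_update_template(card, rc, bio, tp_new):  # Step CPB 3: new TP and helper data, same R_cu
    return {**card, "TP": tp_new, "H": xor(f(bio, tp_new), eps_enc(rc))}

def with_errors(bio, tp, ct_positions):  # flip BIO bits so that exactly these CT positions are disturbed
    order, noisy = perm(len(bio), tp), list(bio)
    for p in ct_positions:
        noisy[order[p]] ^= 1
    return noisy

def demo():  # constructed sample data; returns the outcome of each check
    rng = random.Random(1)
    bio = [rng.randint(0, 1) for _ in range(160 * REP)]
    rc = bytes(rng.randrange(256) for _ in range(20))
    n1 = bytes(rng.randrange(256) for _ in range(32))
    card = enroll(rc, n1, bio, "TP-1", b"alice", b"pw-old")
    mild = with_errors(bio, "TP-1", range(0, 800, 10))   # 80 errors, at most 1 per block: correctable
    heavy = with_errors(bio, "TP-1", [0, 1, 2])          # 3 errors in one block: beyond the code
    ok = cpb1_login(card, b"alice", b"pw-old", mild)
    card2 = cpb2_change_password(card, *ok, b"alice", b"pw-new")
    card3 = cpb3_update_template(card2, ok[0], bio, "TP-2")
    return {
        "mild_noise_accepted": ok is not None and ok[0] == rc,
        "heavy_noise_rejected": cpb1_login(card, b"alice", b"pw-old", heavy) is None,
        "old_password_rejected": cpb1_login(card2, b"alice", b"pw-old", mild) is None,
        "new_card_accepted": cpb1_login(card3, b"alice", b"pw-new",
                                        with_errors(bio, "TP-2", range(0, 800, 10))) is not None,
        "template_renewed_secret_kept": card3["H"] != card["H"] and card3["R"] == card["R"],
    }
```

`demo()` walks the three steps in order: a mildly noisy capture decommits the right \(R_{cu}\) and passes both checks, a capture with three flips inside one code block fails at \(h(R^{\prime }_{cu}) = R\) without the password ever being consulted, the old password stops working after Step CPB 2, and after Step CPB 3 the helper data \(H_{u}\) has changed while \(R\) has not, which is what lets a leaked template be revoked without re-enrolling the secret.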

5.5 Smart card revocation procedure

If the \(SC_{u}\) of a legitimate user \(U_{u}\) is damaged, lost or stolen, RC issues a new smart card. For this process, the user provides the credentials \(ID_{u}\), \(PW_{u}\) and \(BIO_{u}\). The following steps complete the procedure:

  1. Step SCR 1:

    \(U_{u}\) computes \(CT^{\prime }_{u} = f(BIO_{u}, TP_{u})\) and generates a 160-bit secret \(N^{\prime }_{1}\). \(U_{u}\) then computes \(A^{\prime }_{u} = h(N^{\prime }_{1}||PW_{u}||ID_{u}||CT^{\prime }_{u})\) and transmits the request message \(\{A^{\prime }_{u},ID_{u}\}\) to RC over a protected channel to obtain \(SC^{new}_{u}\).

  2. Step SCR 2:

    RC computes \(X_{u} = h(ID_{u}||X_{c})\) and \(Y^{\prime }_{u} = X_{u}\oplus A^{\prime }_{u}\), generates a random \(r^{\prime }_{o}\) and computes \(PID^{\prime }_{u} = E_{X_{c}}(ID_{u}||r^{\prime }_{o})\oplus A^{\prime }_{u}\). RC then issues \(SC^{new}_{u}\) containing \(\{Y^{\prime }_{u}, PID^{\prime }_{u}, h(\cdot)\}\) and sends it to \(U_{u}\) over a protected channel.

  3. Step SCR 3:

    On receiving \(SC^{new}_{u}\), \(U_{u}\) computes, with the new committed secret \(Rc^{new}_{u}\), \(r^{\prime }_{u} = h(Rc^{new}_{u}||ID_{u}||PW_{u})\), \(H^{new}_{u} = CT^{\prime }_{u} \oplus \varepsilon _{enc}(Rc^{new}_{u})\), \(R = h(Rc^{new}_{u})\) and \(P = h(r^{\prime }_{u})\), and stores these values in the memory of \(SC^{new}_{u}\).

6 Security analysis

This section provides the formal and informal security analysis of the proposed scheme, together with an automated formal verification using the AVISPA tool.

6.1 Formal analysis using BAN logic

For formal analysis, Burrows-Abadi-Needham (BAN) logic [8] is applied in this subsection to verify the mutual authentication between user Uu and server Sk with the help of RC. Fig. 4 presents the notation guide for BAN logic.

Fig. 4
figure 4

Notations and Concepts in BAN-Logic

6.2 Rules of BAN-Logic

  • Rule 1: Message Meaning \(\frac {P|\equiv P\overset {K}\longleftrightarrow Q,\; P\lhd <X>_{K}} {P|\equiv Q|\sim X}\) If P receives X encoded under key K and P believes K is a good key for communicating with Q, then P believes Q once said X.

  • Rule 2: Nonce Verification \(\frac {P |\equiv \#(X),P |\equiv Q|\sim X}{P |\equiv Q|\equiv X}\) If P believes X is fresh and P believes Q once said X, then P believes Q believes X.

  • Rule 3: Jurisdiction \(\frac {P |\equiv Q\Rightarrow X, P|\equiv Q|\equiv X}{P|\equiv X}\) If P believes Q has jurisdiction over X and P believes Q believes X, then P believes X.

  • Rule 4: Belief Conjuncatenation \(\frac {P |\equiv \ X,P |\equiv Y}{P |\equiv (X,Y)}\) If P believes X and P believes Y, then P believes (X, Y).

  • Rule 5: Freshness Conjuncatenation \(\frac {P |\equiv \#(X)} {P |\equiv \#(X,Y)} \) If P believes X is fresh, then P believes (X, Y) is fresh.

  • Rule 6: Session Key \(\frac {P |\equiv \#(X),P|\equiv Q|\equiv X} {P|\equiv \ P\overset {K}\longleftrightarrow Q}\) If P believes the session key is fresh and P believes Q also believes X, the ingredients needed for the session key, then P believes it shares the session key K with Q.

6.3 Assumptions

We assume that the following holds at the beginning of every run of our protocol.

  • A1: Uu|≡ #(Ru,T1)

  • A2: RC|≡ #(T2,rn)

  • A3: \(S_{k}|\equiv \#(R_{s},T_{3})\)

  • A4: \(U_{u}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k})\)

  • A5: \(RC|\equiv U_{u}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k}) \)

  • A6: \(S_{k}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k}) \)

  • A7: \(RC|\equiv S_{k}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k})\)

  • A8: Uu|⇒ Ru

  • A9: RC|⇒ rn

  • A10: Sk|⇒ Rs

6.4 Goals

  • G1: \(S_{k}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k}) \)

  • G2: \(S_{k}|\equiv U_{u}|\equiv (U_{u} \overset {SK_{uk}}\longleftrightarrow S_{k} )\)

  • G3: \(U_{u}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k})\)

  • G4: \(U_{u}|\equiv S_{k}|\equiv (U_{u} \overset {SK_{uk}}\longleftrightarrow S_{k} )\)

The protocol’s generic form is illustrated as under:

  • Messages(1)\(U_{u} \xrightarrow {} RC\):{DIDu,Hu,Gu,T1,SIDk}

  • Messages(2)\(RC \xrightarrow {} S_{k}\):\(\{E_{X_{RS_{k}}}(X^{\prime }_{u}, R_{u}, ID_{u}, H_{R_{c}}, SID_{k},\) T1),T2,SIDk}

  • Messages(3)\(S_{k} \xrightarrow {} RC\):\(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u}\}\)

  • Messages(4)\(RC \xrightarrow {} U_{u}\):\(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u}, RID_{u}\}\)

The idealized forms of the protocol are designed as follows:

  • Considering the message 1 and applying seeing rule,

    $$ \begin{array}{@{}rcl@{}} S_{1}: RC \lhd \{(PID_{u})_{A_{u}}, (ID_{u}, G_{u}, R_{u}, T_{1}, SID_{k}, X_{u}), (X_{u}, ID_{u}, SID_{k}, T_{1})_{R_{u}}, T_{1}, SID_{k} \} \end{array} $$
    (22)
  • Considering the message 2 and applying the seeing rule,

    $$ \begin{array}{@{}rcl@{}} S_{2}: S_{k} \lhd \{(X^{\prime}_{u}, R_{u}, ID_{u}, H_{Rc}, SID_{k}, T_{1})_{X_{RS_{k}}}, T_{2}, SID_{k} \} \end{array} $$
    (23)
  • Considering the message 3 and applying the seeing rule,

    $$ \begin{array}{@{}rcl@{}} S_{3}: RC \lhd \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u} \} \end{array} $$
    (24)
  • Considering the message 4 and applying seeing rule,

    $$ \begin{array}{@{}rcl@{}} S_{4}: U_{u} \lhd \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u}, (ID_{u}, r_{n})_{X_{c}}\} \end{array} $$
    (25)

6.5 Protocol analysis

The main security proof consists of the following steps:

  • According to (S1,A5) and message meaning rule,

    $$ \begin{array}{@{}rcl@{}} BN1: RC|\equiv \{(PID_{u})_{A_{u}}, (ID_{u}, G_{u}, R_{u}, T_{1}, SID_{k}, X_{u}), (X_{u}, ID_{u}, SID_{k}, T_{1})_{R_{u}}, T_{1}, SID_{k} \} \end{array} $$
    (26)
  • According to (BN1,A1), freshness conjuncatenation and nonce verification rule,

    $$ \begin{array}{@{}rcl@{}} BN2: RC|\equiv U_{u}|\equiv \{(PID_{u})_{A_{u}}, (ID_{u}, G_{u}, R_{u}, T_{1}, SID_{k}, X_{u}), (X_{u}, ID_{u}, SID_{k}, T_{1})_{R_{u}}, T_{1}, SID_{k} \} \end{array} $$
    (27)
  • According to (A8,BN1,BN2) and jurisdiction rule,

    $$ \begin{array}{@{}rcl@{}} BN3: RC|\equiv \{(PID_{u})_{A_{u}}, (ID_{u}, G_{u}, R_{u}, T_{1}, SID_{k}, X_{u}), (X_{u}, ID_{u}, SID_{k}, T_{1})_{R_{u}}, T_{1}, SID_{k} \} \end{array} $$
    (28)
  • According to (S2,A5) and message meaning rule,

    $$ \begin{array}{@{}rcl@{}} BN4: S_{k}|\equiv \{(X^{\prime}_{u}, R_{u}, ID_{u}, H_{Rc}, SID_{k}, T_{1})_{X_{RS_{k}}}, T_{2}, SID_{k} \} \end{array} $$
    (29)
  • According to (A2,BN4), freshness conjuncatenation and nonce Verification rule,

    $$ \begin{array}{@{}rcl@{}} BN5: S_{k}|\equiv RC|\equiv \{(X^{\prime}_{u}, R_{u}, ID_{u}, H_{Rc}, SID_{k}, T_{1})_{X_{RS_{k}}}, T_{2}, SID_{k} \} \end{array} $$
    (30)
  • According to (BN4,BN5) and jurisdiction rule,

    $$ \begin{array}{@{}rcl@{}} BN6: S_{k}|\equiv \{(X^{\prime}_{u}, R_{u}, ID_{u}, H_{Rc}, SID_{k}, T_{1})_{X_{RS_{k}}}, T_{2}, SID_{k} \} \end{array} $$
    (31)
  • According to (A4,BN5,BN6) and session key rule,

    $$ \begin{array}{@{}rcl@{}} BN7: S_{k}|\equiv U_{u}|\equiv (U_{u} \overset{SK_{uk}}\longleftrightarrow S_{k}) \thinspace \thickspace {\textbf{Goal 2}} \end{array} $$
    (32)
  • According to (A8,BN7) and jurisdiction rule,

    $$ \begin{array}{@{}rcl@{}} BN8: S_{k}|\equiv (U_{u}\overset{SK_{uk}}\longleftrightarrow S_{k}) \thinspace \thickspace {\textbf{Goal 1}} \end{array} $$
    (33)
  • According to (S3,A7) and message meaning rule,

    $$ \begin{array}{@{}rcl@{}} BN9: RC|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u} \} \end{array} $$
    (34)
  • According to (A3,BN9) freshness conjuncatenation and nonce verification rule,

    $$ \begin{array}{@{}rcl@{}} BN10: RC|\equiv S_{k}|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u} \} \end{array} $$
    (35)
  • According to (A10,BN9,BN10) and jurisdiction rule,

    $$ \begin{array}{@{}rcl@{}} BN11: RC|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u} \} \end{array} $$
    (36)
  • According to (S4,A7) and message meaning rule,

    $$ \begin{array}{@{}rcl@{}} BN12: U_{u}|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u}, (ID_{u}, r_{n})_{X_{c}}\} \end{array} $$
    (37)
  • According to (A2,BN12), freshness conjuncatenation and nonce verification rule,

    $$ \begin{array}{@{}rcl@{}} BN13: U_{u}|\equiv RC|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u}, (ID_{u}, r_{n})_{X_{c}}\} \end{array} $$
    (38)
  • According to (A9,BN12,BN13) and jurisdiction rule,

    $$ \begin{array}{@{}rcl@{}} BN14: U_{u}|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u}, (ID_{u}, r_{n})_{X_{c}}\} \end{array} $$
    (39)
  • According to (A6,BN13,BN14) and session key rule,

    $$ \begin{array}{@{}rcl@{}} BN15: U_{u}|\equiv S_{k}|\equiv (U_{u} \overset{SK_{uk}}\longleftrightarrow S_{k}) \thinspace \thickspace {\textbf{Goal 4}} \end{array} $$
    (40)
  • According to (A9,BN15) and jurisdiction rule,

    $$ \begin{array}{@{}rcl@{}} BN16: U_{u}|\equiv (U_{u}\overset{SK_{uk}}\longleftrightarrow S_{k}) \thinspace \thickspace {\textbf{Goal 3}} \end{array} $$
    (41)

6.6 Discussion on functional security

The following subsections briefly discuss the security features provided by the proposed scheme and its resistance to known attacks.

6.6.1 Anonymity and untraceability

User anonymity and untraceability are essential properties of an authentication protocol: if anonymity is broken, an adversary \(A_{adv}\) can recover sensitive information about the legitimate user such as current location, movement patterns, personal records and social circle. In the registration phase RC encrypts the identity together with a random number, \(E_{X_{c}}(ID_{u}||r_{o})\), under its own secret key \(X_{c}\). \(SC_{u}\) does not store this pseudo identity directly but masked as \(PID_{u}\), so even an \(A_{adv}\) who steals the smart card cannot obtain the identity of the user. Moreover, after each successful authentication the pseudo identity is renewed through \(RID_{u}\). Therefore, the proposed protocol provides anonymity and untraceability.

6.6.2 Impersonation attacks

To act as RC, an \(A_{adv}\) requires the secret key \(X_{c}\) of RC, which is hashed together with the user identity as \(X_{u} = h(ID_{u}||X_{c})\). To compute the session key \(SK = h(X^{\prime }_{u}||ID_{u}||SID_{k}||R_{s}||R_{u})\), an \(A_{adv}\) must first compute \(X_{u} = h(ID_{u}||X_{c})\); \(X_{u}\) is also used in the construction of the RC signature \(X^{\prime }_{u} = h(X_{u}||ID_{u}||SID_{k}||T_{1})\). Hence, without the secret key \(X_{c}\) an \(A_{adv}\) cannot impersonate RC. Similarly, to act as a legitimate user an \(A_{adv}\) needs a valid login request \(\{DID_{u}, H_{u}, G_{u}, T_{1}, SID_{k}\}\); forming these values requires the user's password \(PW_{u}\) as well as the biometric \(BIO_{u}\).

6.6.3 Replay attack

Our protocol resists replay of all login and authentication messages. Suppose an \(A_{adv}\) replays a past message \(\{DID_{u}, H_{u}, G_{u}, T_{1}, SID_{k}\}\). On receipt, RC always checks the timestamp \(T_{1}\); since \(T_{1}\) is outdated, RC treats the message as a replay and discards the request.

6.6.4 Stolen verifier attack

Our protocol is secure against the stolen verifier attack. RC keeps the shared key in its verifier table encrypted as \(E_{X_{c}}(X_{RS_{k}})\) under its own secret key \(X_{c}\), so an adversary who obtains the table cannot extract anything from it without knowing \(X_{c}\).

6.6.5 Privileged insider attack

The proposed protocol prevents the privileged insider attack. In the registration phase only \(ID_{u}\) and \(A_{u} = h(N_{1}||PW_{u}||ID_{u}||CT_{u})\) are sent to RC, where the password \(PW_{u}\), the random number \(N_{1}\) and the cancelable template \(CT_{u}\) are protected by the one-way hash function. Hence an insider cannot recover these values.

6.6.6 Password guessing attacks

The proposed protocol resists password guessing attacks. Suppose an \(A_{adv}\) obtains the sensitive parameters stored on the user's smart card, \(\{TP_{u}, H_{u}, R, P, h(\cdot), \varepsilon _{enc}(\cdot ), \varepsilon _{dec}(\cdot ), Y_{u}, PID_{u}, E_{u}\}\). To verify a guess, the adversary still requires the cancelable template \(CT_{u}\) together with \(N_{1}\); and even if \(N_{1}\) and \(CT_{u}\) were obtained, the \(A_{adv}\) would still have to guess both the identity \(ID_{u}\) and the password \(PW_{u}\) of the user.

6.6.7 Denial of services attack

Our protocol resists denial of service attacks. \(SC_{u}\) locally checks the validity of the identity \(ID_{u}\), the password \(PW_{u}\) and the template \(CT_{u}\); if an \(A_{adv}\) or a legitimate user enters incorrect values, \(SC_{u}\) simply rejects the request.

6.6.8 Perfect forward secrecy

The proposed protocol provides perfect forward secrecy. The shared session key \(SK_{uk} = h(X^{\prime }_{u}||ID_{u}||SID_{k}||R_{s}||R_{u})\) incorporates the random number \(R_{u}\) chosen by the user and \(R_{s}\) chosen by the server. Even if the RC signature \(X^{\prime }_{u}\) is exposed to an \(A_{adv}\), he will not be able to compute previously shared session keys.

6.6.9 Resolve the scalability issues

In the previous protocol the smart card stores \(AM_{uk} = (AM_{k} \oplus k^{\prime }_{u}) \oplus r_{u}\) and \(BM_{uk} = (BM_{k} \oplus k^{\prime }_{u}) \oplus r_{u}\) for every server \( 1 \leq k \leq (n + n^{\prime } )\), which does not scale: storing these per-server values exceeds the limited memory of a smart card chip. In the proposed protocol the smart card stores no server-specific parameter.

6.7 AVISPA based security simulation

In this section, we analyze the security of the proposed protocol with the formal simulation tool AVISPA [3].

AVISPA takes a protocol specified in the HLPSL language and translates it into the intermediate format (IF) with the translator hlpsl2if. The IF is then analyzed by one of four back ends, which check whether the stated security goals are satisfied or violated; the output reports the protocol as safe, unsafe or inconclusive. Details are given in [3]. We specify three basic roles in HLPSL, the user \(U_{u}\), the registration center RC and the server \(S_{k}\), together with the session role composing these participants, the environment role and the goals; see Figs. 5, 6, 7 and 8. The results in Fig. 9 show that the proposed protocol is secure against man-in-the-middle and replay attacks. The OFMC back end reports a parse time of 0.00 s, a search time of 42.16 s, 3344 visited nodes and a depth of 12 plies, whereas CL-AtSe analyzes 8 states with a translation time of 0.98 s. From these results, our protocol provides better security than Barman et al.'s protocol [6]. The search and translation times are slightly higher than for Barman et al.'s protocol because the number of visited nodes and the search depth of the proposed protocol are greater.

Fig. 5
figure 5

Role specification of user

Fig. 6
figure 6

Role specification of server

Fig. 7
figure 7

Role specification of Rc

Fig. 8
figure 8

Role specification of session/Goal

Fig. 9
figure 9

Results of OFMC and CL-AtSe backends

7 Comparisons

In this section, we compare the performance and security of the proposed protocol with related multi-server authentication protocols [1, 2, 6, 13, 18, 31, 36, 46].

7.1 Security and functionality comparisons

Table 1 compares the security and functionality of the proposed scheme with related schemes under the DY and CK adversarial models described in Subsection 2.5. Only the proposed scheme resists all the known attacks considered and provides all the listed security features, whereas each competing scheme either lacks one or more security features or is vulnerable to some attack.

Table 1 Security and functionality features comparison

7.2 Computation cost

In this subsection, we compare the computation cost of the login and authentication phases of our protocol with that of existing multi-server authentication protocols. The notation used for the computation cost is as follows:

  • RTh: one-way cryptographic hash cost

  • RTbh: bio-hashing cost

  • RTfe: fuzzy extractor cost

  • RTfcs: fuzzy commitment cost

  • RTecm: ecc point multiplication cost

  • RTasm: asymmetric key encryption/decryption cost

  • RTsed: cost of block cipher encryption

As per the experimental results reported in [24], \(RT_{h}\) = 0.0023 ms, \(RT_{sed}\) = 0.0046 ms, \(RT_{ecm}\) = 2.226 ms and \(RT_{asm}\) = 0.0046 ms. Furthermore, \(RT_{fe} = RT_{ecm}\), and we likewise assume \(RT_{bh} = RT_{ecm}\) and \(RT_{fcs} = RT_{ecm}\). Although our protocol has a slightly higher computation cost than Barman et al. [6], it offers a higher security level. The comparison is summarized in Table 2.

Table 2 Computation costs comparison

7.3 Communication cost

In this subsection, we evaluate and compare the communication cost of the proposed protocol with existing protocols. The communication cost is the total number of bits transmitted between the parties over the public channel during the login and authentication phases. We assume the SHA-1 hash function, whose output is 160 bits [7]; a symmetric encryption/decryption output of 256 bits [26]; a 32-bit timestamp; and an elliptic curve point P = (Pa, Pb) of 160 bits, where Pa and Pb are the x and y coordinates of P. Furthermore, the security of a 1024-bit RSA [45] public key cryptosystem is comparable to that of 160-bit ECC (elliptic curve cryptography) [5]. In the proposed protocol, the login request message \(\{DID_{u}, H_{u}, G_{u}, T_{1}, SID_{k}\}\) transmitted from the user \(U_{u}\) to RC costs (160 + 160 + 160 + 32 + 32) = 544 bits; the message \(\{E_{X_{RS_{k}}}(X^{\prime }_{u}, R_{u}, ID_{u}, H_{R_{c}}, SID_{k}, T_{1}), SID_{k}, T_{2}\}\) transmitted from RC to the server \(S_{k}\) costs (256 + 32 + 32) = 320 bits; the message \(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u}\}\) transmitted from the server \(S_{k}\) to RC costs (160 + 160 + 32 + 32) = 384 bits; and the message \(\{M_{x}, H^{\prime \prime }_{R_{c}},T_{3},T_{u}, RID_{u }\}\) transmitted from RC to \(U_{u}\) costs (160 + 160 + 32 + 32 + 160) = 544 bits. Hence the total communication cost is (544 + 320 + 384 + 544) = 1792 bits. The comparison results are shown in Table 2. The higher communication cost compared with Barman et al. is due to the transmission of the dynamic identity from RC to the user in each authentication request, which is what provides user anonymity.

8 Conclusion

Single sign-on multi-server environments can meet the security and privacy needs of intelligent multimedia networks, letting a user reach a large number of applications and networks with a single set of credentials. In 2018, Barman et al. proposed such a multi-server authentication system. In this article, we demonstrated some security weaknesses of Barman et al.'s protocol and then proposed a new enhanced authentication scheme for multi-server scenarios. The proposed three-factor scheme, which includes biometrics, makes use of a fuzzy commitment to correct errors in biometrics captured in noisy environments. It provides anonymity and privacy along with the other security properties discussed and resists the known attacks. The BAN-logic-based formal analysis and the informal security discussion support the robustness of the proposed scheme, and the automated AVISPA simulation validates the security claims. The proposed scheme completes an authentication cycle in 2.2789 milliseconds.