1 Introduction

With the rapid growth of the Internet and information technology, human society has entered the era of information networks. People can obtain information or carry out online financial transactions, such as bank transfers, payments, and shopping, through the Internet using mobile devices at any time. Given the openness of networks, transactions over the network are exposed to many kinds of attacks, which can lead to the leakage of sensitive user information or to economic losses. Identity authentication technology prevents illegitimate attackers from reaching system services by identifying users before they obtain those services. Meanwhile, the user can also verify the legitimacy of the server to prevent server fraud attacks. Therefore, user authentication has become one of the most important and effective means of ensuring the security of such systems, especially over an open network environment.

Since Lamport et al. [1] first put forward an authentication scheme based on a username and password in 1981, many researchers have worked in this field and proposed numerous password-based authentication schemes [2, 3]. However, these schemes require the server to keep the identity information and passwords of users. Meanwhile, because they lack a password-updating procedure, many schemes require users to contact the registration server to update their passwords periodically, which adds to the burden of the registration server. Ordinary users are likely to choose weak passwords that are easy to remember, such as birthdays, ID numbers, phone numbers, or similar strings, and these are vulnerable to offline dictionary or exhaustive-search attacks. Hence, the security of this type of authentication scheme is weak.

To improve the security of user authentication schemes, the smart card was introduced into the authentication process. In 1991, Chang CC et al. [4] first presented a user authentication scheme that uses a smart card. Subsequently, several scholars proposed various smart-card-based authentication protocols [5,6,7,8,9,10,11,12,13,14]. As technology developed, these authentication protocols became vulnerable to attacks on the smart card itself, such as information extraction attacks [15] and smart card theft. To compensate for these shortcomings of smart cards, solutions based on personal biometrics have emerged.

Combined with the user’s personal biometric traits, such as voice, fingerprint, face, and retina, as the third authentication factor, this type of scheme is generally called a three-factor user authentication scheme. Given the uniqueness and unforgeability of personal biometrics, even if the password of a user is compromised or the information stored in a smart card is extracted, the security of the entire system is still guaranteed. Therefore, researchers have proposed many biometrics-based authenticated key agreement schemes [16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32].

In 2010, Li et al. [17] proposed a biometrics-based user authentication scheme. Unfortunately, their scheme has two limitations in practical application and cannot achieve forward security. Later, Huang et al. [19] presented an improved three-factor authentication scheme for distributed systems. Afterwards, Khan et al. [29] designed an anonymous three-factor user authentication scheme and claimed that it provides robust mutual authentication between the communicating parties even when the secret information is extracted from the smart card. However, Wen et al. [30] indicated that Khan et al.’s scheme cannot achieve anonymity or mutual authentication and is vulnerable to several attacks, and they presented an improved scheme.

In 2014, Li et al. [31] put forward a three-factor authentication scheme that employs the Elliptic Curve Cryptosystem (ECC) to enhance security. Nevertheless, Mishra et al. [26] demonstrated that the scheme in [31] cannot prevent off-line password guessing and replay attacks, and they presented an anonymous ID-based authentication scheme using lightweight cryptographic techniques. In the same year, Mishra et al. [33] designed an efficient biometrics-based authentication scheme for multi-server environments and claimed that it satisfies all security requirements. However, Lu et al. [34, 35] found that this scheme has several weaknesses and cannot resist replay, forgery, and server masquerading attacks; hence, they proposed two different three-factor schemes to address these flaws. Chaudhry et al. [36] then indicated that the schemes in [34, 35] cannot resist impersonation attacks or preserve user anonymity. Chaudhry et al. [54] subsequently presented an enhanced and lightweight authentication scheme and proved its security with ProVerif. Later, Moon et al. [37] also found that the scheme in [35] cannot prevent outsider and impersonation attacks and does not achieve efficient authentication during the login and authentication phase, and they provided a robust solution using biometrics and smart cards to address these weaknesses. Guo et al. [38] then demonstrated that Moon et al.’s scheme is still insecure and vulnerable to various attacks from the server or user side; to overcome these shortcomings, Guo et al. put forward a novel biometrics-based authentication scheme for multi-server architectures. After that, Fan et al. [20] presented an ECC-based three-factor user authentication scheme and gave a formal security proof. However, Jiang et al. [9] observed that Fan et al.’s scheme still has some flaws.

In 2017, Shingala et al. [28] recognized that the scheme in [30] cannot protect user privacy and is vulnerable to some known network attacks, and they developed an improved scheme to address these drawbacks. In the same year, He et al. [32] summarized the advantages of biometric keys and proposed a three-party authentication scheme based on ECC. However, the authentication process of their scheme requires the assistance of a registration center, which leads to high complexity and low efficiency.

In 2019, Tomar et al. [39] designed an ECC-based authentication scheme suitable for the scenario in which users and servers belong to different registration centers (multi-registration-center). The mutual authentication of the user and the visited server requires the participation of both parties’ registration centers, which is highly inefficient and costly. Later in the same year, another three-factor key agreement scheme using ECC was put forward by Qi et al. [40], but their scheme has the same problem as the previous one: the participation of the registration center results in low computational efficiency. Later on, Sudhakar et al. [41] put forward a three-factor authentication scheme for multi-server environments that employs a fuzzy embedder and a hash function. However, their scheme is still vulnerable to server fraud attacks and denial of service (DoS) attacks, and it lacks a new-user registration process. A malicious server can easily fake a legal user’s identity to access other servers.

A great deal of research on the design of authentication protocols for multi-server architectures has appeared since 2020. Chuang et al. [42] surveyed many three-factor authentication protocols and presented a secure user-anonymity scheme with strong privacy preservation. However, their scheme is not suitable for wireless network environments because it uses the time-consuming ECC algorithm and bilinear maps. During the same period, Mo et al. [43] pointed out that the scheme in [44] is insecure against offline password guessing attacks and replay attacks, and they presented an improved scheme for multi-server environments. After that, Wong et al. [45] proposed a lightweight time-bound authentication scheme with user anonymity for electronic healthcare (e-health) systems in 5G wireless sensor networks. In Wong et al.’s scheme, the absence of a registration center and of a universal registry service means that a user has to register with every server before obtaining its service. Later, Kandar et al. [46] considered how to provide personalized services to users and presented a remote authentication scheme for multi-server environments that resists conspiracy attacks. However, the authentication process of their scheme is complex and inefficient owing to the participation of the registration center.

More recently, Le and Hsu [47] introduced a key distribution scheme for group healthcare services that employs the Rabin cryptosystem. Inam et al. [48] also presented a hash-based lightweight authentication scheme by improving the scheme in [49], and claimed that their scheme can resist key compromise impersonation attacks. Using the cryptographic properties of the Chebyshev chaotic map, Kumar and Om [50] designed an authentication protocol for multi-server environments that supports server scalability. Later, Wang et al. [51] proposed a blockchain-assisted remote authentication protocol for intelligent telehealth systems (ITS) based on an edge computing architecture, which offers users strong anonymity and continuous authentication across multiple servers.

In this study, we identify a common security problem in several schemes [33,34,35,36,37,38]: the server in these schemes authenticates users only through the user identity and the shared secret key, so a hostile server can easily launch a user impersonation attack. We then focus on one of these schemes, Guo et al.’s scheme [38], which was published recently. After a careful analysis of Guo et al.’s scheme, we find that it does not prevent impersonation attacks and is also vulnerable to replay attacks. To remedy these drawbacks and enhance the security of the original scheme, we introduce digital signatures, which effectively solve this common problem, and propose a new, improved authentication scheme for multi-server environments. Based on previous research [52], schemes that use symmetric encryption cannot achieve user anonymity; thus, the proposed scheme adopts asymmetric encryption to enhance system security. Meanwhile, the new scheme also simplifies the authentication procedure and reduces energy consumption, computation cost, and communication cost. Security analysis indicates that the proposed scheme not only resists several known attacks but is also efficient and low-cost. Furthermore, we use Burrows-Abadi-Needham (BAN) logic [53] to prove the security of the proposed scheme.

The rest of this paper is organized as follows. Section 2 introduces the network and adversary models. Section 3 reviews Guo et al.’s scheme, and Sect. 4 analyzes its security weaknesses. In Sect. 5, we present a detailed description of the proposed authentication scheme; its security features are analyzed and a formal security proof is given in Sect. 6. In Sect. 7, we compare the performance of the new scheme with that of three related works, and we draw conclusions in Sect. 8.

2 Network Model and Adversary Model

2.1 Network Model

We assume that the network model consists of three parties: a registration center (RC), a user with a smart card (\( U_{i} \)), and a visited server (\( S_{j} \)), as shown in Fig. 1. RC is responsible for generating a secret key (PSK), which is shared by all registered servers, and for providing each registered user with a smart card that contains the user’s authentication information and the hash functions. Each user must register and obtain a smart card before accessing any server. Meanwhile, each server must register with the RC and obtain the shared secret key. Each server and user generates a public/private key pair for use in asymmetric encryption (e.g., RSA [56]) and in the digital signature algorithm (e.g., SHA-2 [55]). Finally, the RC publishes the public keys of users and servers and other related information (e.g., the hash functions) as public parameters.

Fig. 1 Network model

2.2 Adversary Model

We assume the following adversary model:

  • The adversary controls the public channel and can obtain all the messages transmitted in it.

  • The adversary can extract the information stored in the smart card using power analysis [15].

  • RC is a trusted third party.

  • All servers in the system are untrusted entities.

  • The hash function and asymmetric cryptosystem have sufficient security and cannot be compromised by the adversary.

  • The adversary cannot simultaneously obtain the password, the biometrics, and the private key of a user.

3 Review of Guo et al.’s Scheme

The notations used in this paper are listed in Table 1. The scheme presented by Guo et al. involves three phases, namely, the registration phase, the login and authentication phase, and the password change phase.

Table 1 Notations

3.1 Registration

3.1.1 Server Registration

  1. \( S_{j} \) first generates a public/private key pair \(\{ pk_{j}, sk_{j} \} \) and then sends its identity and public key \(\{ SID_{j}, pk_{j} \} \) to RC.

  2. Upon receiving this information, RC shares the secret key PSK with \( S_{j} \).

  3. RC publishes \(\{ SID_{j}, pk_{j} \} \) as public parameters.

3.1.2 User Registration

  1. \( U_{i} \) randomly selects his/her identity (\( ID_{i} \)) and password (\( PW_{i} \)) and extracts biometric features (\( BIO_{i} \)) through a special device. Then, \( U_{i} \) sends \(\{ h(ID_{i}), IDB_{i}, PW_{i} \} \) to RC, where \( IDB_{i} = h(ID_{i} \parallel H(BIO_{i})) \) and \( PW_{i} = h(PW_{i} \parallel H(BIO_{i})) \).

  2. After receiving the data from \( U_{i} \), RC calculates \( V_{i} = h(h(ID_{i}) \parallel PW_{i}) \) and \( W_{i} = h(h(ID_{i}) \parallel PSK) \oplus IDB_{i} \), then saves \(\{ V_{i}, W_{i}, h(), H() \} \) into the smart card (SC) and sends it to \( U_{i} \).

3.2 Login and Authentication

  1. \( U_{i} \) inputs \( ID_{i}, PW_{i} \), and \( BIO_{i} \) into the terminal that contains the SC. Then, SC computes \( PW_{i} = h(PW_{i} \parallel H(BIO_{i})) \) and compares \( V_{i} \) with \( h(h(ID_{i}) \parallel PW_{i}) \). If they are the same, SC generates a random number (\( n_{1} \)) and calculates \( K = h((W_{i} \oplus IDB_{i}) \oplus h(ID_{i} \parallel n_{1})), M_{1}=E_{pk_{j}}(ID_{i} \parallel n_{1}) \) and \( Z_{i}= h(n_{1} \parallel ID_{i} \parallel K \parallel T_{1}) \). Lastly, \( U_{i} \) generates the current timestamp \( T_{1} \) and sends \(\{ M_{1}, Z_{i}, T_{1} \} \) to \( S_{j} \).

  2. When receiving \(\{ M_{1}, Z_{i}, T_{1} \} \), \( S_{j} \) first verifies \( T_{1} \) and drops the message if it is not fresh. Otherwise, \( S_{j} \) decrypts \( M_{1} \) to obtain \(\{ ID_{i}, n_{1} \}\) and computes \( K=h(h(h(ID_{i}) \parallel PSK) \oplus h(ID_{i} \parallel n_{1})) \). Then, \( S_{j} \) verifies whether \( Z_{i} ?= h(n_{1} \parallel ID_{i} \parallel K \parallel T_{1}) \). If they are equal, \( U_{i} \) is authenticated by \( S_{j} \). Then, \( S_{j} \) chooses a random number \( n_{2} \) and calculates \( M_{2} = n_{2} \oplus K, M_{3} = h(ID_{i} \parallel n_{1} \parallel n_{2} \parallel K \parallel T_{2}) \) and \( SK_{ij} = h(n_{1} \parallel n_{2} \parallel K \parallel ID_{i}) \). Finally, \( S_{j} \) obtains the current timestamp \( T_{2} \) and sends \(\{ M_{2}, M_{3}, T_{2} \} \) to \( U_{i} \).

  3. Upon receipt of the reply, \( U_{i} \) verifies the freshness of \( T_{2} \) and aborts if it is not fresh. Next, \( U_{i} \) computes \( n_{2} = M_{2} \oplus K \) and checks whether \( M_{3}? = h(ID_{i} \parallel n_{1} \parallel n_{2} \parallel K \parallel T_{2}) \) holds. If it holds, \( S_{j} \) is authenticated by \( U_{i} \). Then, \( U_{i} \) computes \( SK_{ij} = h(n_{1} \parallel n_{2} \parallel K \parallel ID_{i}) \) and \( M_{4} = h(SK_{ij} \parallel ID_{i} \parallel n_{2} \parallel T_{3}) \). Lastly, \( U_{i} \) chooses a timestamp \( T_{3} \) and submits \(\{ M_{4}, T_{3} \} \) to \( S_{j} \).

  4. After verifying the validity of \(T_{3}\), \( S_{j} \) checks whether \( M_{4} ?= h(SK_{ij} \parallel ID_{i} \parallel n_{2} \parallel T_{3}) \). If they are equal, the authenticity of \( U_{i} \) and of \( SK_{ij} \) is reconfirmed by \( S_{j} \).

3.3 Password Changing Phase

  1. \( U_{i} \) first enters his/her identity \( ID_{i} \) and password \( PW_{i} \) and imprints his/her \( BIO_{i} \) at the sensor.

  2. The SC calculates \( PW_{i} = h(PW_{i} \parallel H(BIO_{i})) \) and checks \( V_{i} ?= h(ID_{i} \parallel PW_{i}) \). If the two values differ, the password updating procedure is terminated.

  3. \( U_{i} \) randomly selects a new password \( PW_{i}^{*} \) and enters it into the SC. The SC generates \( PW_{i}^{*}=h(PW_{i}^{*} \parallel H(BIO_{i})),V_{i}^{*}= h(h(ID_{i}) \parallel PW_{i}^{*}) \) and replaces \( V_{i} \) with \( V_{i}^{*} \).

4 Cryptanalysis of Guo et al.’s Scheme

This section analyzes the security of Guo et al.’s scheme in detail and presents two attacks on it. Although Guo et al. claimed that their scheme is secure and resists many known attacks, we found that it still suffers from user impersonation and message replay attacks. The following two subsections describe the attack procedures in detail.

4.1 User Impersonation Attack

4.1.1 A Server Can Impersonate Any User to Access Another Server

In Guo et al.’s scheme and some other schemes, a hostile server (\( S_{j} \)) can masquerade as any user to access another server (e.g., \( S_{m} \)). The following steps describe this procedure in detail.

  1. \( S_{j} \) first randomly chooses an identity (e.g., \( ID_{A} \)) and a number (\( n_{1} \)), and then computes \( K=h(h(h(ID_{A}) \parallel PSK) \oplus h(ID_{A} \parallel n_{1})) \). Next, \( S_{j} \) chooses a timestamp \( T_{1} \), computes \( M_{1}=E_{pk_{m}}(ID_{A} \parallel n_{1}) \) and \( Z_{i}= h(n_{1} \parallel ID_{A} \parallel K \parallel T_{1}) \), and then sends \(\{ M_{1}, Z_{i}, T_{1} \} \) to \( S_{m} \).

  2. Upon receipt of the login message, \( S_{m} \) checks whether \( T_{1} \) is valid. If it is valid, \( S_{m} \) computes \((ID_{A} \parallel n_{1}) = D(M_{1}), K=h(h(h(ID_{A}) \parallel PSK) \oplus h(ID_{A} \parallel n_{1})) \) and verifies \( Z_{i}?=h(n_{1} \parallel ID_{A} \parallel K \parallel T_{1}) \). Obviously, \( Z_{i} \) is equal to \( h(n_{1} \parallel ID_{A} \parallel K \parallel T_{1}) \) because all servers hold the PSK, which is generated and distributed by RC. Then, \( S_{m} \) generates \( n_{2} \), computes \( M_{2}=n_{2} \oplus K, M_{3} = h(ID_{A} \parallel n_{1} \parallel n_{2} \parallel K \parallel T_{2}) \) and \( SK_{ij} = h(n_{1} \parallel n_{2} \parallel K \parallel ID_{A}) \), and sends \(\{ M_{2}, M_{3}, T_{2} \} \) to \( S_{j} \) as the response message.

  3. \( S_{j} \) verifies the response message, calculates \( SK_{ij} = h(n_{1} \parallel n_{2} \parallel K \parallel ID_{A}) \) and \( M_{4} = h(SK_{ij} \parallel ID_{A} \parallel n_{2} \parallel T_{3}) \), and then submits \(\{ M_{4}, T_{3} \} \) to \( S_{m} \).

  4. Finally, \( S_{m} \) checks whether \( M_{4} ?= h(SK_{ij} \parallel ID_{A} \parallel n_{2} \parallel T_{3}) \). If the two are equal, \( S_{m} \) considers \( S_{j} \) a legitimate user and provides services to \( S_{j} \).

4.1.2 A Legitimate User Can Impersonate Any User to Access Another Server

We found that if a legitimate user (e.g., \( U_{i} \)) can fetch the data from his/her smart card, he/she can impersonate other users by performing the following steps:

  1. \( U_{i} \) obtains \( W_{i} \) from his/her smart card by some means.

  2. \( U_{i} \) inputs \( ID_{i} \) and \( BIO_{i} \) and calculates \( IDB_{i}=h(ID_{i} \parallel H(BIO_{i})), W_{i}^{*}=W_{i} \oplus IDB_{i}=h(h(ID_{i}) \parallel PSK) \).

  3. With \( ID_{i} \) and \( W_{i}^{*} \), \( U_{i} \) can easily obtain the PSK through an offline key guessing attack.

  4. After obtaining the PSK, \( U_{i} \) can impersonate any user as in the previous subsection.

4.2 Replay Attack

When a user \( U_{i} \) submits a login request message to a hostile server \( S_{j} \), \( S_{j} \) can launch a replay attack by forwarding this message to another server (e.g., \( S_{m} \)). The main steps are as follows.

\( U_{i} \) first sends the login data to \( S_{j} \). When the login message \(\{ M_{1}, Z_{i}, T_{1} \} \) is received, \( S_{j} \) calculates \( (ID_{i} \parallel n_{1}) = D(M_{1}) \) and \( M_{1}^{*}=E_{pk_{m}}(ID_{i} \parallel n_{1}) \), and then forwards \(\{ M_{1}^{*}, Z_{i}, T_{1} \} \) to \( S_{m} \) while pretending to be the user \( U_{i} \). Because the transported message contains no server information, \( S_{m} \) takes it for granted that the message was sent by \( U_{i} \) rather than by another party. Then, from the response message of \( S_{m} \), \( S_{j} \) can generate the same session key for \( U_{i} \) and \( S_{m} \), which equals \( h(n_{1} \parallel n_{2} \parallel K \parallel ID_{i}) \). Therefore, within the lifetime of \( T_{1} \), Guo et al.’s scheme cannot prevent replay attacks.

It must be noted that choosing a suitable timestamp lifetime is difficult, and this security issue must be considered seriously.

5 The Proposed Scheme

In this section, we propose a new biometrics-based authenticated key agreement scheme for multi-server environments. The new scheme involves three parties: the RC, \( U_{i} \), and \( S_{j} \). The new scheme also has three phases: the registration phase, the login and authentication phase, and the password change phase. Fig. 2 shows the details of the first two phases.

5.1 Registration

When \( U_{i} \) or \( S_{j} \) joins the authentication system, they must first register with the RC and obtain the related registration information. The main registration steps are as follows.

5.1.1 Server Registration

  1. \( S_{j} \) generates a public/private key pair \(\{ pk_{j}, sk_{j} \} \) and submits its identity and public key \(\{ SID_{j}, pk_{j} \} \) to RC.

  2. When receiving the registration information, RC returns the shared secret key PSK to \( S_{j} \).

  3. RC publishes the identity and public key of \( S_{j} \).

5.1.2 User Registration

  1. \( U_{i} \) chooses an \( ID_{i} \) and a \( PW_{i} \) randomly, and then generates his/her \( BIO_{i} \) and public/private key pair. Lastly, \( U_{i} \) sends \(\{ ID_{i}, PW_{i}^{*},pk_{i} \} \) to RC as a registration message, where \( PW_{i}^{*} = h(PW_{i} \parallel H(BIO_{i})) \).

  2. Upon receipt of the message, RC calculates \( V_{i} = h(ID_{i} \parallel PW_{i}^{*}), W_{i} = h( PSK \parallel ID_{i}) \oplus PW_{i}^{*} \), stores \(\{ V_{i}, W_{i}, h(), H() \} \) into a SC, and sends it to \( U_{i} \).

  3. RC publishes the public key of \( U_{i} \).

Fig. 2 Registration and authentication phases of the proposed scheme

5.2 Login and Authentication

  1. \( U_{i} \) enters \( ID_{i}, PW_{i} \), and \( BIO_{i} \) into the terminal device holding the SC. Then, SC computes \( PW_{i}^{*} = h(PW_{i} \parallel H(BIO_{i})) \) and checks \( V_{i}?=h(ID_{i} \parallel PW_{i}^{*}) \). If the two values are equal, SC randomly chooses a number \( n_{1} \in Z^{*} \) and calculates \( E_{1}=E_{pk_{j}}(ID_{i} \parallel SID_{j} \parallel n_{1}), Sig_{U_{i}}=Sig_{sk_{i}}(h(ID_{i} \parallel SID_{j} \parallel n_{1})), K_{ij} = h((W_{i} \oplus PW_{i}^{*}) \parallel SID_{j} \parallel n_{1})\) and \(M_{1}=h(ID_{i} \parallel n_{1} \parallel K_{ij} \parallel T_{1})\). Finally, \( U_{i} \) sends \(\{ E_{1},Sig_{U_{i}},M_{1}, T_{1} \} \) to \( S_{j} \), where \( T_{1} \) is the current timestamp.

  2. Upon receipt of \(\{ E_{1},Sig_{U_{i}},M_{1}, T_{1} \} \), \( S_{j} \) verifies the validity of \( T_{1} \) and terminates the procedure if it is invalid. Otherwise, \( S_{j} \) decrypts \( E_{1} \) with its private key to obtain \( ID_{i}^{*}, SID_{j}^{*}\) and \( n_{1}^{*} \), and then verifies the signature \( Sig_{U_{i}} \) and the identity \( SID_{j}^{*} \). If both are valid, \( S_{j} \) computes \( K_{ij} = h(h(PSK \parallel ID_{i}^{*}) \parallel SID_{j} \parallel n_{1}^{*}) \) and verifies whether \( M_{1}?=h(ID_{i}^{*} \parallel n_{1}^{*} \parallel K_{ij} \parallel T_{1}) \). If they are equal, \( U_{i} \) is authenticated by \( S_{j} \). Then, \( S_{j} \) randomly chooses a number \( n_{2} \in Z^{*} \) and calculates \( M_{2} = n_{2} \oplus h(K_{ij}) \) and the shared session key \( SK_{ij} = h(ID_{i}^{*} \parallel SID_{j} \parallel K_{ij} \parallel n_{1}^{*} \parallel n_{2}) \). Lastly, \( S_{j} \) chooses a timestamp \( T_{2} \), computes \( M_{3}=h(ID_{i}^{*} \parallel SID_{j} \parallel SK_{ij} \parallel K_{ij} \parallel n_{1}^{*} \parallel n_{2} \parallel T_{2}) \), and then submits \(\{ M_{2}, M_{3}, T_{2} \} \) back to \( U_{i} \).

  3. After receiving \(\{ M_{2}, M_{3}, T_{2} \} \), \( U_{i} \) first verifies the freshness of \( T_{2} \) and aborts if \( T_{2} \) is not fresh. Then, \( U_{i} \) computes \( n_{2}^{*} = M_{2} \oplus h(K_{ij}) \) and \( SK_{ij}=h(ID_{i} \parallel SID_{j} \parallel K_{ij} \parallel n_{1} \parallel n_{2}^{*}) \). Next, \( U_{i} \) checks whether \( M_{3}? =h(ID_{i} \parallel SID_{j} \parallel SK_{ij} \parallel K_{ij} \parallel n_{1} \parallel n_{2}^{*} \parallel T_{2}) \). If it holds, \( S_{j} \) is authenticated by \( U_{i} \). The mutual authentication procedure is then complete, and the shared session key \( SK_{ij} \) between \( U_{i} \) and \( S_{j} \) is established.
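The login and authentication phase above, together with the registration data it depends on, as an added Go example written for this edit rather than code from the paper; its two server-side checks are where the forwarded login of Sect. 4.2 (the \( SID_{j} \) inside \( E_{1} \) is not the receiving server’s) and a login signed without \( sk_{i} \) (the PSK-only forgery of Sect. 4.1.1) are rejected. It assumes RSA-OAEP for \( E_{pk} \), RSA PKCS#1 v1.5 signatures for \( Sig_{sk} \), SHA-256 for \( h() \) and \( H() \), 8-byte identities, 32-byte nonces, length-prefixed concatenation for \( \parallel \), a 60 s freshness window, and its own type and function names (RC, Server, User, Login, HandleLogin, HandleReply); the password change phase is not included.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Assumed (the paper leaves them open): 8-byte identities, 32-byte nonces, a 60 s timestamp window,
// and h() = H() = SHA-256 over length-prefixed fields so that "||" is unambiguous.
const idLen, nonceLen, window = 8, 32, int64(60)

func h(fields ...[]byte) []byte {
	d := sha256.New()
	for _, f := range fields { binary.Write(d, binary.BigEndian, uint32(len(f))); d.Write(f) }
	return d.Sum(nil)
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a { out[i] = a[i] ^ b[i] }
	return out
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func nonce() []byte { n := make([]byte, nonceLen); must(rand.Read(n)); return n }
func ts(t int64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, uint64(t)); return b }

type RC struct{ PSK []byte; UserPK map[string]*rsa.PublicKey } // PSK shared by all servers; pk_i published by RC
type Server struct{ SID, SK []byte; Key *rsa.PrivateKey; rc *RC } // SK: session key of the last accepted login
type User struct{ ID, Vi, Wi, sid, n1, kij []byte; Key *rsa.PrivateKey } // Vi, Wi: smart card; sid, n1, kij: session state
type LoginMsg struct{ E1, Sig, M1 []byte; T1 int64 }
type ReplyMsg struct{ M2, M3 []byte; T2 int64 }

// Server registration (5.1.1): S_j submits {SID_j, pk_j} and receives PSK.
func (rc *RC) RegisterServer(sid string) *Server {
	return &Server{SID: []byte(sid), Key: must(rsa.GenerateKey(rand.Reader, 2048)), rc: rc}
}

// User registration (5.1.2): RC receives {ID_i, PW_i*, pk_i}, writes V_i and W_i to the card and publishes pk_i.
func (rc *RC) RegisterUser(id, pw, bio string) *User {
	k, pwStar := must(rsa.GenerateKey(rand.Reader, 2048)), h([]byte(pw), h([]byte(bio))) // PW_i* = h(PW_i || H(BIO_i))
	rc.UserPK[id] = &k.PublicKey
	return &User{ID: []byte(id), Key: k, Vi: h([]byte(id), pwStar), Wi: xor(h(rc.PSK, []byte(id)), pwStar)}
}

// Login step 1: the card checks V_i, then builds {E_1, Sig_Ui, M_1, T_1}; SID_j is bound into both E_1 and Sig_Ui.
func (u *User) Login(pw, bio, sid string, pkj *rsa.PublicKey, now int64) (*LoginMsg, error) {
	pwStar := h([]byte(pw), h([]byte(bio)))
	if !bytes.Equal(u.Vi, h(u.ID, pwStar)) {
		return nil, errors.New("card: V_i mismatch, wrong password or biometric")
	}
	u.sid, u.n1 = []byte(sid), nonce()
	u.kij = h(xor(u.Wi, pwStar), u.sid, u.n1) // K_ij = h((W_i xor PW_i*) || SID_j || n_1)
	e1 := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pkj, bytes.Join([][]byte{u.ID, u.sid, u.n1}, nil), nil))
	sig := must(rsa.SignPKCS1v15(rand.Reader, u.Key, crypto.SHA256, h(u.ID, u.sid, u.n1)))
	return &LoginMsg{E1: e1, Sig: sig, M1: h(u.ID, u.n1, u.kij, ts(now)), T1: now}, nil
}

// Login step 2: S_j checks T_1, decrypts E_1, rejects a foreign SID_j (the forwarded login of Sect. 4.2), verifies
// Sig_Ui under the published pk_i (a PSK holder without sk_i fails here, Sect. 4.1.1) and M_1, then answers.
func (s *Server) HandleLogin(m *LoginMsg, now int64) (*ReplyMsg, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, s.Key, m.E1, nil)
	if m.T1 > now || now-m.T1 > window || err != nil || len(plain) != 2*idLen+nonceLen {
		return nil, errors.New("server: stale T_1 or undecryptable E_1")
	}
	id, sid, n1 := plain[:idLen], plain[idLen:2*idLen], plain[2*idLen:]
	pk, known := s.rc.UserPK[string(id)]
	if !bytes.Equal(sid, s.SID) || !known || rsa.VerifyPKCS1v15(pk, crypto.SHA256, h(id, sid, n1), m.Sig) != nil {
		return nil, errors.New("server: E_1 not addressed to me, or Sig_Ui not made with sk_i")
	}
	kij := h(h(s.rc.PSK, id), s.SID, n1) // K_ij = h(h(PSK || ID_i) || SID_j || n_1)
	if !bytes.Equal(m.M1, h(id, n1, kij, ts(m.T1))) {
		return nil, errors.New("server: M_1 mismatch")
	}
	n2 := nonce()
	s.SK = h(id, s.SID, kij, n1, n2) // SK_ij = h(ID_i || SID_j || K_ij || n_1 || n_2)
	return &ReplyMsg{M2: xor(n2, h(kij)), M3: h(id, s.SID, s.SK, kij, n1, n2, ts(now)), T2: now}, nil
}

// Login step 3: U_i checks T_2, recovers n_2 = M_2 xor h(K_ij), derives SK_ij and verifies M_3.
func (u *User) HandleReply(r *ReplyMsg, now int64) ([]byte, error) {
	n2 := xor(r.M2, h(u.kij))
	sk := h(u.ID, u.sid, u.kij, u.n1, n2)
	if r.T2 > now || now-r.T2 > window || !bytes.Equal(r.M3, h(u.ID, u.sid, sk, u.kij, u.n1, n2, ts(r.T2))) {
		return nil, errors.New("user: stale T_2 or M_3 mismatch")
	}
	return sk, nil
}

func main() {
	rc, now := &RC{PSK: nonce(), UserPK: map[string]*rsa.PublicKey{}}, time.Now().Unix()
	sj, u := rc.RegisterServer("server01"), rc.RegisterUser("user0001", "pw-sample", "bio-sample") // constructed values
	rep := must(sj.HandleLogin(must(u.Login("pw-sample", "bio-sample", "server01", &sj.Key.PublicKey, now)), now))
	fmt.Println("session keys agree:", bytes.Equal(must(u.HandleReply(rep, now)), sj.SK))
}
```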

5.3 Password Changing Phase

  1. \( U_{i} \) first inserts the smart card into the terminal device, and then enters \( ID_{i}, PW_{i} \), and \( BIO_{i} \).

  2. SC computes \( PW_{i}^{*} = h(PW_{i} \parallel H(BIO_{i})) \) and compares \( V_{i} \) with \( h(ID_{i} \parallel PW_{i}^{*}) \). If they are unequal, the phase is cancelled.

  3. SC asks \( U_{i} \) for the new password \( PW_{i}^{*} \).

  4. Upon receiving \( PW_{i}^{*} \), SC calculates \( PW_{i}^{*}=h(PW_{i}^{*} \parallel H(BIO_{i})),V_{i}^{*}= h(ID_{i} \parallel PW_{i}^{*}) \) and replaces \( V_{i} \) with \( V_{i}^{*} \).

6 Security Analysis

In this section, we first give an informal security analysis of the proposed scheme, and then provide a formal proof using the BAN logic [53].

6.1 Informal Security Analysis

We discuss several common security properties of our scheme in this subsection. The informal security analysis shows that our scheme is secure against many known attacks and thereby protects the user’s privacy.

Mutual Authentication

In the proposed protocol, the identity of \( U_{i} \) can be verified by \( S_{j} \) through \( E_{1} \) and \( Sig_{U_{i}} \), because only a legal \( U_{i} \) can generate the correct signature \( Sig_{U_{i}}=Sig_{sk_{i}}(h(ID_{i} \parallel SID_{j} \parallel n_{1})) \) using his/her private key \( sk_{i} \). By checking whether \( M_{1} \) equals \( h(ID_{i} \parallel n_{1} \parallel K_{ij} \parallel T_{1}) \), \( S_{j} \) can quickly verify the legitimacy of \( U_{i} \), because an adversary cannot obtain both \( ID_{i} \) and \( n_{1} \) from \( h(ID_{i} \parallel SID_{j}\parallel n_{1}) \). Meanwhile, \( U_{i} \) can extract \( n_{2} \) from \( M_{2} \) and generate the session key \( SK_{ij} = h(ID_{i} \parallel SID_{j} \parallel K_{ij} \parallel n_{1} \parallel n_{2}^{*}) \). The legitimacy of \( S_{j} \) can then be verified by \( U_{i} \) through the equation \( M_{3}=h(ID_{i} \parallel SID_{j} \parallel SK_{ij} \parallel K_{ij} \parallel n_{1} \parallel n_{2}^{*} \parallel T_{2}) \), because only a legal \( S_{j} \) can generate a valid \( K_{ij} = h(h(PSK \parallel ID_{i}^{*}) \parallel SID_{j} \parallel n_{1}^{*}) \), in which PSK is a secret value and \( ID_{i} \) and \( n_{1} \) are extracted from \( E_{1} \) with \( S_{j} \)’s private key \( sk_{j} \). \( S_{j} \) can then compute the same shared session key \( SK_{ij} = h(ID_{i}^{*} \parallel SID_{j} \parallel K_{ij} \parallel n_{1}^{*} \parallel n_{2}) \) and the authentication message \( M_{3}=h(ID_{i}^{*} \parallel SID_{j} \parallel SK_{ij} \parallel K_{ij} \parallel n_{1}^{*} \parallel n_{2} \parallel T_{2}) \) using \( K_{ij} \) and \( SK_{ij} \). Given that only a valid \( U_{i} \) can obtain \( n_{2} \) and generate the correct session key \( SK_{ij} \), mutual authentication between user and server is achieved in the proposed scheme.

User Anonymity and Untraceability

In the proposed scheme, user anonymity and untraceability are achieved because the true identity of \( U_{i} \) appears only inside \( E_{1}, Sig_{U_{i}}, M_{1} \), and \( M_{3} \). Obviously, \( ID_{i} \) cannot be extracted from the hash values \( M_{1} = h(ID_{i} \parallel n_{1} \parallel K_{ij} \parallel T_{1}) \) and \( M_{3} = h(ID_{i}^{*} \parallel SID_{j} \parallel SK_{ij} \parallel K_{ij} \parallel n_{1}^{*} \parallel n_{2} \parallel T_{2}) \), nor from \( Sig_{U_{i}} \). Meanwhile, the adversary cannot obtain \( ID_{i} \) by decrypting \( E_{1} \) without the private key of \( S_{j} \). Every login request message and response message contains a randomly selected number (\( n_{1} \) and \( n_{2} \), respectively). Given that the two random numbers in the communication messages \(\{ E_{1},Sig_{U_{i}},M_{1},T_{1} \} \) and \(\{ M_{2},M_{3},T_{2} \} \) are different every time and unlinkable, even if the adversary intercepts all the transmitted information, no message can be associated with a particular user, and the user’s action trajectory and location information are not compromised. Therefore, user anonymity and untraceability are achieved in the proposed scheme.

Resistance to Impersonation Attack

User impersonation attack. If an attacker, such as a hostile person, an illegal user, or an illegal server, wants to impersonate a legal user (e.g., \( U_{i} \)) to communicate with \( S_{j} \), he/she must generate a legal request message \(\{ E_{1},Sig_{U_{i}},M_{1},T_{1} \} \). The public/private key pair of each user is generated independently by the user; thus, \( sk_{i} \) is known only to user \( U_{i} \). Obviously, without \( sk_{i} \), such attackers cannot generate a legal \( Sig_{U_{i} } \), and hence no legal login request message, and the server detects this by verifying \( Sig_{U_{i}} \).

Server impersonation attack. Suppose an adversary A attempts to masquerade as a server (\( S_{j} \)) and intercepts the login request message \(\{ E_{1},Sig_{U_{i}},M_{1},T_{1} \} \) of \( U_{i} \). A cannot extract \(\{ ID_{i},SID_{j},n_{1} \} \) from \( E_{1} \) without the private key of \( S_{j} \). Hence, A also cannot generate the correct \( K_{ij} \) and \( SK_{ij} \) without \( ID_{i} \) and \( n_{1} \), and consequently cannot compute a legal \( M_{2} \) or \( M_{3} \). \( U_{i} \) detects this kind of attack by verifying \( M_{3}? =h(ID_{i} \parallel SID_{j} \parallel SK_{ij} \parallel K_{ij} \parallel n_{1} \parallel n_{2}^{*} \parallel T_{2}) \).

In summary, no forged message can pass validation during the authentication phase. Thus, the new scheme effectively prevents the above two types of impersonation attack.

Resistance to Replay Attack

Given that \( T_{1} \) is contained both in the login request message \(\{ E_{1},Sig_{U_{i}},M_{1},T_{1} \} \) and in \( M_{1} \), tampering with \( T_{1} \) or replaying the message can be easily detected by the server. In addition, if a login request message is replayed by an adversary to a different server while the timestamp is still valid, the server that receives the message can also detect this by verifying the signature \( Sig_{U_{i}} \), because the signed data contain the identity of the original server, which differs from that of the server receiving the replay. On the user side, the reply message includes the random number \( n_{1} \) generated by the user. Thus, the user can immediately detect a replay attack by verifying these data.

Resistance to Off-line Guessing Attack

If an adversary obtains all the information transmitted between \( U_{i} \) and \( S_{j} \), the adversary still cannot recover the data in \( E_{1} \) without the private key of \( S_{j} \), nor obtain other useful information from the hash values \( M_{1}, M_{2}\), and \( M_{3} \), because they are protected by the one-way hash function. Since no verifiable material is exposed, the adversary cannot launch an off-line guessing attack, and the proposed scheme therefore resists this attack.

Resistance to Stolen Smart Card Attack

When the SC of \( U_{i} \) is stolen and the information (i.e., \( V_{i}, W_{i} \)) in the SC is extracted by an adversary, he/she cannot obtain \( h(PSK \parallel ID_{i}) \) without the \( PW_{i} \) and the \( BIO_{i} \) of \( U_{i} \). Furthermore, he/she cannot generate a legal \( Sig_{U_{i}} \) without the private key of \( U_{i} \). Hence, our proposed scheme can prevent this kind of attack.

Perfect Forward Secrecy

The random numbers \( n_{1} \) and \( n_{2} \) in the communication messages are chosen by \( U_{i} \) and \( S_{j} \), respectively, during the login and authentication phase and differ every time, thereby effectively protecting the shared session key. Even if the current session key is compromised, the adversary still cannot link it with previous session keys or with the secret key of the system. Hence, our scheme provides perfect forward secrecy.

6.2 Formal Security Analysis

In this section, we provide a formal security proof of the proposed scheme with the BAN logic [53], which can be used to prove whether a protocol achieves its goals and to guide further improvement of the protocol.

Some notations of BAN logic are given below:

\( P |\!\!\equiv X \): P believes X;

\(\#(X)\): X is fresh;

\(P \Rightarrow X \): P controls X;

\(P \triangleleft X \): P receives X;

\(P |\!\!\sim X\): P sends X;

\((X, Y)\): X or Y is one part of the formula \((X, Y)\);

\((X)_{K}\): X is hashed with the key K;

\(\{X\}_{K}\): X is encrypted with the key K;

\(\langle X \rangle _{K}\): X combined with the secret K;

\(P {\mathop {\longleftrightarrow }\limits ^{K}} Q\): K is the shared key between P and Q;

\( {\mathop {\longrightarrow }\limits ^{K}} P\): K is the public key of P.

Applying the BAN logic usually involves four steps: idealizing the proposed scheme, stating the assumptions, setting the goals, and analyzing the protocol.

  • (1) The idealized form of the transmitted messages:

  • \(M_{1}: U_{i} \rightarrow S_{j}: \{ID_{i}, SID_{j}, n_{1}\}_{pk_{j}} , Sig_{sk_{i}}(h(ID_{i},SID_{j}, n_{1})), \{ID_{i},SID_{j},n_{1},T_{1}\}_{K}, T_{1} \)

  • \(M_{2}: S_{j} \rightarrow U_{i}: \{ID_{i}, SID_{j}, U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j}, n_{1},n_{2},T_{2}\}_{K}\)

  • (2) Initiative premises:

  • \(p_{1}: U_{i}\ |\!\!\equiv \#(n_{2})\).

  • \(p_{2}: S_{j}\ |\!\!\equiv \#(n_{1}) \).

  • \(p_{3}: U_{i} \ |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{K}} S_{j} \).

  • \(p_{4}: S_{j} \ |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{K}} S_{j} \).

  • \(p_{5}: U_{i} \ |\!\!\equiv S_{j} \Rightarrow U_{i} {\mathop {\longleftrightarrow }\limits ^{K}} S_{j} \).

  • \(p_{6}: S_{j} \ |\!\!\equiv U_{i} \Rightarrow U_{i} {\mathop {\longleftrightarrow }\limits ^{K}} S_{j} \).

  • \(p_{7}: U_{i} \ |\!\!\equiv S_{j} \Rightarrow U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j} \).

  • \(p_{8}: S_{j} \ |\!\!\equiv U_{i} \Rightarrow U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j} \).

  • \(p_{9}: S_{j} \ |\!\!\equiv U_{i} \Rightarrow ID_{i} \).

  • (3) Establishment of security goals:

  • \(G_{1}: U_{i} \ |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j} \)

  • \(G_{2}: U_{i} \ |\!\!\equiv S_{j} \ |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j} \)

  • \(G_{3}: S_{j} \ |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j} \)

  • \(G_{4}: S_{j} \ |\!\!\equiv U_{i} \ |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j} \)

  • (4) Scheme analysis:

  • From \( M_{1} \), we have

  • \(S_{0}: S_{j} \triangleleft Sig_{sk_{i}}(h(ID_{i}, SID_{j},n_{1}))\)

  • Since \( {\mathop {\longrightarrow }\limits ^{pk_{i}}} U_{i}\), only \( U_{i} \) holds the correct \( ID_{i} \) and \( n_{1} \) and can generate the signature \( Sig_{sk_{i}}(h(ID_{i}, SID_{j},n_{1})) \); hence we have

  • \(S_{1}: S_{j}\ |\!\!\equiv U_{i} |\!\!\sim Sig_{sk_{i}}(h(ID_{i}, SID_{j}, n_{1})) \)

  • From \( S_{1} \) and \( p_{2} \) and the freshness conjuncatenation rule, we have

  • \(S_{2}: S_{j}\ |\!\!\equiv U_{i} |\!\!\equiv Sig_{sk_{i}}(h(ID_{i}, SID_{j}, n_{1})) \)

  • From \( S_{2} \) and \( p_{9} \) and jurisdiction rule, we have

  • \(S_{3}: S_{j}\ |\!\!\equiv Sig_{sk_{i}}(h(ID_{i}, SID_{j}, n_{1})) \)

  • From \( M_{1} \), we have

  • \(S_{4}: S_{j} \triangleleft \{ID_{i}, SID_{j}, n_{1}\}_{pk_{j}} \)

  • Since \( {\mathop {\longrightarrow }\limits ^{pk_{j}}} S_{j}\), only \( S_{j} \) can obtain the values of \( ID_{i}, SID_{j} \) and \( n_{1} \). Only when these are combined with \( sk_{j} \) and PSK can the correct \( K_{ij} \) be computed.

  • \(S_{5}: S_{j} \triangleleft \{ID_{i},n_{1},T_{1}\}_{K_{ij}}, T_{1} \)

  • From \( S_{5} \) and \( p_{6} \) and the message-meaning rule, we have

  • \(S_{6}: S_{j} |\!\!\equiv U_{i} |\!\!\sim \{ID_{i},n_{1},T_{1}\} \)

  • From \( S_{6} \) and \( p_{2} \) and the freshness conjuncatenation rule, we have

  • \(S_{7}: S_{j} |\!\!\equiv U_{i} |\!\!\equiv \{ID_{i},n_{1},T_{1}\} \)

  • From \( S_{7} \) and \( S_{3} \), we have

  • \(S_{8}: S_{j}\ |\!\!\equiv ID_{i} \)

  • According to \( S_{7},S_{8} \) and \( p_{2},p_{4} \) and \( SK_{ij}=h(ID_{i},SID_{j},K_{ij},n_{1},n_{2}) \), we apply freshness conjuncatenation rule and nonce verification rule to derive

  • \(S_{9}: S_{j} \ |\!\!\equiv U_{i} |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j}\) \((G_{4})\)

  • From \( S_{9} \) and \( p_{8} \), we have

  • \(S_{10}: S_{j} \ |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j}\) \((G_{3})\)

  • From \( M_{2} \), we have

  • \(S_{11}: U_{i} \triangleleft \{ID_{i}, SID_{j},U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j}, n_{1},n_{2},T_{2}\}_{K}\)

  • According to \( S_{11} \) and \( p_{3} \) and message-meaning rule, we have

  • \(S_{12}: U_{i} |\!\!\equiv S_{j} |\!\!\sim \{ID_{i}, SID_{j}, U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j}, n_{1},n_{2},T_{2}\}\)

  • According to \( S_{12} \) and \( p_{1} \) and freshness conjuncatenation rule, we have

  • \(S_{13}: U_{i} |\!\!\equiv S_{j} |\!\!\equiv \{ID_{i}, SID_{j}, U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j}, n_{1},n_{2},T_{2}\}\)

  • Finally, according to \( S_{13} \) and belief rule, we have

  • \(S_{14}: U_{i} \ |\!\!\equiv S_{j} \ |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j}\) \((G_{2})\)

  • According to \( S_{14} \) and \( p_{7} \) we have

  • \(S_{15}: U_{i}\ |\!\!\equiv U_{i} {\mathop {\longleftrightarrow }\limits ^{SK_{ij}}} S_{j}\) \((G_{1})\)
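To make the rule applications in this derivation mechanically checkable, the following added example (not code from the paper) encodes the idealized messages and premises above as nested tuples and saturates them under the shared-key message-meaning, nonce-verification, jurisdiction, belief and freshness-conjuncatenation rules. It reaches \( G_{1} \), \( G_{2} \) and the server-side belief \( S_{8} \); the server-side goals \( G_{3} \) and \( G_{4} \) additionally rely on the definition of \( SK_{ij} \) used in \( S_{9} \), which this engine does not model, and it omits the RSA-encrypted and signed components of \( M_{1} \).

```python
# Minimal BAN-logic rule engine (added illustration, not the paper's own code).
# Formulas are nested tuples; atoms such as "ID_i" or "n_1" are plain strings:
#   ("believes",P,X) P|≡X   ("said",P,X) P|~X   ("sees",P,X) P◁X   ("controls",P,X) P⇒X
#   ("fresh",X) #(X)   ("key",K,P,Q) P<-K->Q   ("enc",X,K) {X}_K   ("tuple",X1,...,Xn)
tag = lambda t: t[0] if isinstance(t, tuple) else None

def step(facts):  # apply each rule once; return only the facts not yet known
    new = set()
    for f in facts:
        if f[0] == "believes":
            P, X = f[1], f[2]
            # Nonce verification: P|≡#(X), P|≡Q|~X  =>  P|≡Q|≡X
            if tag(X) == "said" and ("believes", P, ("fresh", X[2])) in facts:
                new.add(("believes", P, ("believes", X[1], X[2])))
            # Jurisdiction: P|≡Q⇒X, P|≡Q|≡X  =>  P|≡X
            if tag(X) == "believes" and ("believes", P, ("controls", X[1], X[2])) in facts:
                new.add(("believes", P, X[2]))
            # Belief rule: P|≡Q|≡(X1,...,Xn)  =>  P|≡Q|≡Xi for every component
            if tag(X) == "believes" and tag(X[2]) == "tuple":
                new.update(("believes", P, ("believes", X[1], c)) for c in X[2][1:])
            # Freshness conjuncatenation: P|≡#(Xi)  =>  P|≡#((X1,...,Xn)) for a seen tuple
            if tag(X) == "fresh":
                for g in facts:
                    if (g[0] == "sees" and g[1] == P and tag(g[2]) == "enc"
                            and tag(g[2][1]) == "tuple" and X[1] in g[2][1][1:]):
                        new.add(("believes", P, ("fresh", g[2][1])))
        elif f[0] == "sees" and tag(f[2]) == "enc":
            # Message meaning (shared key): P|≡P<-K->Q, P◁{X}_K  =>  P|≡Q|~X
            P, X, K = f[1], f[2][1], f[2][2]
            for g in facts:
                if (g[0] == "believes" and g[1] == P and tag(g[2]) == "key"
                        and g[2][1] == K and P in g[2][2:]):
                    Q = g[2][3] if g[2][2] == P else g[2][2]
                    new.add(("believes", P, ("said", Q, X)))
    return new - facts
def check(facts, goal):  # saturate the facts under the rules, then test for the goal
    facts = set(facts)
    while new := step(facts):
        facts |= new
    return goal in facts
# Idealized messages and premises from Section 6.2; M1 keeps only its {ID_i,SID_j,n_1,T_1}_K part.
U, S = "U_i", "S_j"
SK = ("key", "SK_ij", U, S)                        # U_i <-SK_ij-> S_j
M1 = ("sees", S, ("enc", ("tuple", "ID_i", "SID_j", "n_1", "T_1"), "K"))
M2 = ("sees", U, ("enc", ("tuple", "ID_i", "SID_j", SK, "n_1", "n_2", "T_2"), "K"))
p1, p2 = ("believes", U, ("fresh", "n_2")), ("believes", S, ("fresh", "n_1"))
p3, p4 = ("believes", U, ("key", "K", U, S)), ("believes", S, ("key", "K", U, S))
p7, p9 = ("believes", U, ("controls", S, SK)), ("believes", S, ("controls", U, "ID_i"))
G1, G2 = ("believes", U, SK), ("believes", U, ("believes", S, SK))
S8 = ("believes", S, "ID_i")                       # the server's intermediate belief S_8
```

Dropping a premise shows what each one buys: without \( p_{7} \) the engine still reaches \( G_{2} \) but not \( G_{1} \), and without \( p_{1} \) it cannot apply nonce verification and reaches neither.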

7 Functional and Performance Comparison

This section compares the functionality and performance of the proposed scheme with those of three recent works.

7.1 Functional Analysis

Table 2 presents a functional comparison between our scheme and other related works [35, 37, 38]. As can be seen from this table, our protocol satisfies all the functionality requirements and thus offers better security and robustness.

Table 2 Functionality comparison

7.2 Performance Analysis

By computer simulation, we provide a simple performance comparison between our protocol and the related works. The following notations are used in the comparison:

  • \( T_{AE} \): The time for an asymmetric encryption operation.

  • \( T_{AD} \): The time for an asymmetric decryption operation.

  • \( T_{Sign} \): The time for a digital signature operation.

  • \( T_{Ver} \): The time for a signature verification operation.

  • \( T_{H} \): The time for a one-way hash operation.

Table 3 shows the execution time of the related operations measured with the OpenSSL library (v1.1.1a) [57]. We use the 1024-bit RSA algorithm to implement the asymmetric encryption/decryption and digital signature/verification operations, as is common in real communication scenarios. The test platform runs Ubuntu 18.04 on an Intel Core i5 2.4 GHz processor with 4 GB of RAM.

Table 4 presents the performance comparison between our improved scheme and three other relevant studies. The table indicates that the new scheme has a higher computation cost than the schemes proposed by Lu et al. and Moon et al. Because they employ only a one-way hash function, the schemes of Lu et al. and Moon et al. require only 0.036 ms, but their security is poor and they are vulnerable to malicious attacks such as replay and impersonation attacks. The time consumption of the new protocol is slightly higher than that of Guo et al.’s scheme because digital signature and verification operations are added during the authentication process. This cost is worthwhile, because it addresses the common security problem and improves the security of the authentication system.

Table 3 Time cost of related operations (ms)
Table 4 Comparison of computation cost (ms)

8 Conclusion

In this paper, we first provide a brief introduction to the development of authentication schemes for multi-server environments and the unique advantages of biometric recognition. Then, we review recent biometrics-based authentication schemes and highlight a similar security drawback shared by some of them that leads to impersonation attacks. Subsequently, we analyze the latest of these schemes and show that it not only suffers from user impersonation attacks but is also prone to replay attacks, although the authors claimed that their scheme resists known attacks. A hostile server or an illegitimate user can impersonate a legal user to access another server and obtain network services illegally. We then propose an improved scheme to address the common security problem and other security weaknesses. The new scheme has a simplified authentication procedure and improved efficiency. The results of the security analysis and performance comparison show that the proposed scheme has good security and robustness, prevents various network threats, and is thus well suited for multi-server environments.