Abstract
Recently, many authentication schemes have been proposed that combine biometrics with a password and a smart card. Such three-factor schemes can provide strong security for remote authentication between a user and a server. In 2015, Lu et al. proposed a three-factor authentication scheme based on elliptic curve cryptography. However, we show that Lu et al.’s scheme leaks the user’s identity and is vulnerable to impersonation attacks. To enhance its security, we propose a new efficient three-factor authentication scheme. Furthermore, we give a formal security proof under BAN logic and the random oracle model. Comparison with some recent schemes shows that our scheme is efficient and secure for practical applications.
1 Introduction
With the rapid development of the internet, authentication schemes are used to establish secure communication over an insecure channel. After executing the authentication protocol, a remote legal user can log in to a server, be authenticated by it, and access its services. The server must reject any unauthorized or malicious entity that wants to use the resources and services it offers. Researchers have studied two-factor authentication schemes based on a password and a memory device: a user who holds the smart card and knows the correct password can log in and be authenticated by the system. The user and the server then agree on a session key, known only to the two parties, which is used to encrypt the messages transmitted over the insecure network.
Furthermore, many researchers consider biometrics (face, fingerprint, iris and so on) as a further factor to improve the security of authentication schemes. Schemes based on a password, a biometric and a memory device are generally called three-factor schemes. Up to now, many authentication schemes have been proposed for different applications. However, many attacks against password-based authentication schemes have also been presented, such as the password guessing attack, replay attack, impersonation attack and denial of service attack. A legal user does not want to leak his/her identity to any party other than the server. Usually, the user’s password is short so that it is easy to remember; hence a secure scheme must resist password guessing attacks. Moreover, a legal party must not be able to impersonate another entity to deceive the server, or to pose as the server to cheat a legal user. In short, a secure and efficient authentication scheme must protect the user’s privacy and deny a malicious adversary access to the services.
In 1981, Lamport [17] proposed the first password authentication scheme, using a one-way hash function. Password-based protocols may suffer from password leakage attacks, insider attacks and server-spoofing attacks, and require a verification table to improve security. Chang et al. [3, 4] presented user authentication based on two factors, a password and a smart card. Since then, many authors have proposed different two-factor authentication schemes for various applications [9, 11, 13, 16, 26–28]. In 2004, Das et al. [9] proposed a dynamic ID-based authentication scheme with user anonymity, but Ku and Chen [16] showed it to be susceptible to an impersonation attack, and [27] showed it to be vulnerable to insider and server spoofing attacks. Wang et al. [26] proposed an improved authentication scheme; Khan et al. [13] showed that it cannot protect user anonymity. Wu et al. [28] proposed an efficient smart card authentication scheme with pre-computation. However, He et al. [11] found that Wu et al.’s scheme is not secure against impersonation attacks and insider attacks.
All the schemes mentioned above are based on two factors, a password and a smart card. Lately, researchers have focused on three-factor authentication and key agreement schemes that employ biometrics [1, 6, 14, 18, 25, 29, 30]. In 2013, Yeh et al. [30] showed that Fan et al.’s scheme is insecure against an insider attack and presented an improved biometric-based authentication scheme using an elliptic curve cryptosystem (ECC). Wu et al. [29] gave a new smart card authentication protocol for telecare medicine information systems (TMIS) and claimed it is secure against the offline password guessing attack, the impersonation attack and the replay attack; Siddiqui et al. [25] pointed out that Wu et al.’s scheme is vulnerable to exactly those attacks. Chen et al. [6] presented a new three-factor authentication protocol based on mobile devices. However, Chen et al.’s scheme is insecure against replay and forgery attacks and cannot provide user anonymity, so Khan et al. [14] proposed an improved scheme based on it. In 2014, Arshad et al. [1] gave a new three-factor authentication scheme. Recently, Lu et al. [18] pointed out security flaws in Arshad et al.’s scheme and proposed a biometric-based authentication scheme using elliptic curve cryptosystems.
Recently, other three-factor authentication schemes [7, 19, 23, 24] have been proposed for other application scenarios such as the session initiation protocol and cloud computing.
In this paper, we demonstrate that Lu et al.’s scheme fails to protect the user’s anonymity. Additionally, we show that a legal user can impersonate any other user of the system to the server, and can pose as a legitimate server to deceive a user. Furthermore, we put forward an improved biometric-based authentication scheme that removes the weakness of Lu et al.’s scheme. The proposed scheme is proven secure with Burrows-Abadi-Needham (BAN) logic and in the random oracle model. Compared with some previous authentication schemes, the new scheme has a low computational cost in the login and authentication phases.
The remainder of this paper is organized as follows. The rest of this section introduces the notations and definitions used in the paper. Section 2 reviews the biometric-based authentication scheme of Lu et al. Section 3 analyzes the security problems of Lu et al.’s protocol. We present a new biometric-based authentication scheme based on ECC in Section 4. Section 5 proves the correctness and security of our scheme by BAN logic and in the random oracle model, respectively. Section 6 compares our scheme with some previous authentication schemes in terms of security and efficiency. Finally, we give a conclusion in the last section.
1.1 Notations
In this section we give the notations and definitions used throughout this paper, and introduce the cryptographic tool of bio-hashing.
Table 1 lists the notations that appear in this paper.
In Table 1, the one-way hash function \(h(\cdot)\) maps a string of arbitrary length to a string of fixed length, called the hashed value; it can be written as \(h:\{0,1\}^{*}\rightarrow\{0,1\}^{n}\). Such a hash function is easy to compute for any input, but it is hard to find a preimage given the hashed value.
When a hash function or the \(\oplus\) operation is applied to an elliptic curve point \(P=(x,y)\), we represent the point \(P\) as the value \(x||y\).
1.2 Bio-hashing
Recently, biometrics have been added to authentication schemes to prove that the user is genuine. However, an imprinted biometric characteristic such as a fingerprint or face may not be exactly the same each time, so high false rejection rates of valid users often occur in the verification step of biometric schemes. To resolve this problem, Jin et al. [12] proposed a two-factor authenticator based on iterated inner products between a tokenised pseudo-random number and the user-specific fingerprint features, which produces a set of user-specific compact codes coined Bio-Hashing. Bio-Hashing maps the user’s biometric onto specific random vectors to generate a code (called the biocode), and then discretizes the projection coefficients into zeros and ones. For more details refer to [5, 20].
2 Review of Lu et al.’s scheme
In this section we review Lu et al.’s three-factor authentication scheme based on elliptic curve cryptography [18], which builds on Arshad et al.’s scheme [1]. It consists of four phases: registration, login, authentication and password change. We introduce these phases briefly below.
2.1 Registration phase
When a user \(U_i\) wants to register with the server \(S\), \(S\) issues a personalized smart card via the following steps:
- The user \(U_i\) inputs his biometric \(B_i\), and selects an identity \(ID_i\) and a password \(PW_i\). Then he computes \(MP_i = PW_i \oplus H(B_i)\) and submits \(\{ID_i, MP_i\}\) to the server \(S\) through a secure channel.
- \(S\) computes \(AID_i = ID_i \oplus h(x)\) and \(V_i = h(ID_i||MP_i)\), where \(x\) is \(S\)’s secret key. \(S\) issues a smart card \(SC_i\) containing \(\{AID_i, V_i, h(\cdot), H(\cdot)\}\) to the user \(U_i\).
2.2 Login and authentication phase
- \(U_i\) first inserts the smart card \(SC_i\) into a card reader, enters his identity \(ID_i\) and password \(PW_i\), and imprints the biometric \(B_i\) at the sensor. Then \(SC_i\) verifies whether \(h(ID_i||PW_i \oplus H(B_i)) = V_i\). If correct, go to the next step; otherwise, reject the request.
- \(SC_i\) selects a random number \(d_u\), and computes \(K = h(ID_i||ID_i \oplus AID_i)\), \(M_1 = K \oplus d_uP\) and \(M_2 = h(ID_i||d_uP||T_1)\). The smart card \(SC_i\) sends the message \(\{M_1, M_2, AID_i, T_1\}\) to \(S\).
- After receiving the request, \(S\) first checks whether \(|T_c - T_1| < \Delta T\), where \(T_c\) is the current time stamp. If true, \(S\) uses its private key \(x\) to extract \(ID_i\) by computing \(AID_i \oplus h(x)\). Then it computes \(d_uP = h(ID_i||h(x)) \oplus M_1\) and verifies whether \(M_2 = h(ID_i||d_uP||T_1)\). If it holds, \(S\) generates a random \(d_s\), and computes \(M_3 = K \oplus d_sP\), \(SK = d_s(d_uP)\) and \(M_4 = h(K||d_uP||SK||T_2)\), where \(T_2\) is the current time. Then, \(S\) sends \(\{M_3, M_4, T_2\}\) to \(U_i\).
- Upon receiving the message from \(S\), \(SC_i\) checks the validity of \(T_2\). Then it extracts \(d_sP\) by computing \(M_3 \oplus K\), calculates \(SK = d_u(d_sP)\) and \(M^{\prime}_{4} = h(K||d_uP||SK||T_2)\), and checks whether \(M^{\prime}_{4} = M_4\) holds. If correct, \(SC_i\) computes \(M_5 = h(K||d_sP||SK||T_3)\) and sends the response \(\{M_5, T_3\}\).
- \(S\) checks \(T_3\), and verifies \(h(K||d_sP||SK||T_3) \stackrel{?}{=} M_5\). If both are correct, \(S\) authenticates \(U_i\) and accepts \(SK\) as the session key.
2.3 Password change phase
If a user \(U_i\) wants to change his password, \(U_i\) inserts the smart card into the card reader and keys in \(ID_i\), \(PW_i\) and \(B_i\). Then, \(SC_i\) checks \(h(ID_i||PW_i \oplus H(B_i)) \stackrel{?}{=} V_i\). If it holds, \(U_i\) inputs a new password \(PW^{new}_{i}\); \(SC_i\) computes \(V_{i}^{new} = h(ID_i||PW^{new}_{i} \oplus H(B_i))\) and then replaces \(V_i\) by \(V_{i}^{new}\).
3 Security weakness of Lu et al.’s scheme
This section shows that Lu et al.’s scheme fails to achieve the security goals they claimed. In the attack model, we assume that an adversary can obtain the information stored in a user’s smart card by monitoring its power consumption, as in [15, 21]. An adversary also has control over the communication channel, so he can intercept and modify the messages transmitted between \(U_i\) and \(S\). In the following, we discuss the security of Lu et al.’s scheme in detail.
3.1 User’s identity leakage
In Lu et al.’s scheme, the user’s identity is obscured by computing \(AID_i = ID_i \oplus h(x)\), which is transmitted over the public channel in the login phase. For an external adversary, it is very difficult to recover the user’s identity without knowledge of the secret value \(x\). However, a legal but malicious user \(U_j\) can retrieve \(h(x)\) from his own identity \(ID_j\) and the value \(AID_j\) stored in his smart card, since \(h(x)\) is the same for every user. Then \(U_j\) can compute any other user’s identity as \(ID = AID \oplus h(x)\), where \(AID\) is intercepted by \(U_j\) from that user’s login request. Therefore, Lu et al.’s scheme does not protect user anonymity, since a user’s identity is leaked to a malicious user.
3.2 Server impersonation attack
Lu et al. claimed their scheme could withstand various attacks. Now we demonstrate that a legitimate user \(U_j\) can impersonate the legal server by performing the following steps.
(1) \(U_j\) extracts the information \(\{V_j, AID_j, h(\cdot), H(\cdot)\}\) stored in his own smart card by a power analysis attack, and retrieves \(h(x)\) by computing \(AID_j \oplus ID_j\) with his own identity.
(2) When a user \(U_i\) performs the login and authentication process and sends \(\{M_1, M_2, AID_i, T_1\}\) to \(S\), \(U_j\) intercepts the login message.
(3) \(U_j\) computes \(AID_i \oplus h(x)\) using \(h(x)\) to extract the identity of \(U_i\), obtains \(K = h(ID_i||h(x))\) and recovers \(d_uP = M_1 \oplus K\). Then \(U_j\) chooses a random \(d^{\prime}_{s} \in Z^{*}_{p}\), and computes \(M^{\prime}_{3} = h(ID_i||h(x)) \oplus d^{\prime}_{s}P\), \(SK^{\prime} = d^{\prime}_{s}(d_uP)\) and \(M^{\prime}_{4} = h(K||d_uP||SK^{\prime}||T_2)\), where \(T_2\) is the current time stamp. \(U_j\) returns the response \(\{M^{\prime}_{3}, M^{\prime}_{4}, T_2\}\) to \(U_i\).
(4) \(U_i\) verifies the freshness of \(T_2\). Then he computes \(K \oplus M^{\prime}_{3} = d^{\prime}_{s}P\), \(SK = d_u(d^{\prime}_{s}P)\), and checks \(M^{*}_{4} = h(K||d_uP||SK||T_2) \stackrel{?}{=} M^{\prime}_{4}\). The check passes, so \(U_i\) accepts the session key \(SK\) and believes \(U_j\) to be the legitimate server.
Therefore, a legal user can pose as the legitimate server to all other users.
3.3 User impersonation attack
This subsection shows that a malicious user can impersonate any other user to the server; the server cannot identify the true identity of the communicating party.
(1) \(U_j\) obtains \(h(x)\) by computing \(AID_j \oplus ID_j\), as in step 1 of the server impersonation attack, where \(AID_j\) is retrieved from his own smart card.
(2) When another user \(U_i\) initiates the login process and transmits the request \(\{M_1, M_2, AID_i, T_1\}\) to \(S\), \(U_j\) extracts \(AID_i\) from the request message and computes \(ID_i = AID_i \oplus h(x)\). The adversary \(U_j\) then terminates this session.
(3) \(U_j\) selects a random nonce \(d^{\prime}_{u} \in Z^{*}_{p}\) and the current time stamp \(T_1\), calculates \(K = h(ID_i||h(x))\), \(M^{\prime}_{1} = K \oplus d^{\prime}_{u}P\) and \(M^{\prime}_{2} = h(ID_i||d^{\prime}_{u}P||T_1)\). Then \(U_j\) sends \(\{M^{\prime}_{1}, M^{\prime}_{2}, AID_i, T_1\}\) to \(S\) as the login message of \(U_i\).
(4) After receiving the login message, \(S\) verifies whether \(|T_c - T_1| < \Delta T\). If not, \(S\) aborts the session. Otherwise, \(S\) computes \(ID_i = AID_i \oplus h(x)\) and \(K = h(ID_i||h(x))\), recovers \(d^{\prime}_{u}P = M^{\prime}_{1} \oplus K\) and verifies \(M^{\prime}_{2}\), which passes. Then \(S\) chooses a random number \(d_s \in Z^{*}_{p}\), and computes \(M_3 = h(ID_i||h(x)) \oplus d_sP\), \(SK = d_s(d^{\prime}_{u}P)\) and \(M_4 = h(K||d^{\prime}_{u}P||SK||T_2)\), where \(T_2\) is the current time stamp. \(S\) sends \(\{M_3, M_4, T_2\}\) to \(U_j\), believing it to be \(U_i\).
(5) \(U_j\) computes \(K \oplus M_3 = d_sP\) and \(SK = d^{\prime}_{u}(d_sP)\), then checks whether \(M^{*}_{4} = h(K||d^{\prime}_{u}P||SK||T_2) \stackrel{?}{=} M_4\). \(U_j\) computes \(M_5 = h(K||d_sP||SK||T_3)\) and sends the message \(\{M_5, T_3\}\) to \(S\).
(6) \(S\) checks the freshness of \(T_3\) in the received message, and verifies \(h(K||d_sP||SK||T_3) \stackrel{?}{=} M_5\). \(S\) authenticates \(U_j\) as \(U_i\) and accepts \(SK\) as the session key.
Hence Lu et al.’s scheme is vulnerable to the user impersonation attack.
4 Proposed scheme
In this section, we propose an improved three-factor authentication scheme. The key change is that the common hashed value \(h(x)\) is replaced by the per-user value \(h(ID_i||x)\), so that no value shared by all users can be recovered from one user’s card. Each user thus holds a different hashed value. In the following, we describe the proposed scheme in detail; it has four phases (Figs. 1, 2 and 3).
4.1 Registration phase
A user \(U_i\) selects his identity and password and then registers his identity with the server \(S\). The server registers the user and provides a valid smart card in return.
- The user \(U_i\) generates a random number \(r\), and chooses his identity \(ID_i\), password \(PW_i\) and biometric \(B_i\). He computes \(MP_i = PW_i \oplus H(B_i) \oplus r\), and sends \(\{ID_i, MP_i\}\) to the server \(S\) through a secure channel.
- The server \(S\) computes \(AID_i = h(ID_i||x)\), \(K_i = h(AID_i)\) and \(V_i = AID_i \oplus MP_i\). Then, \(S\) generates a random number \(a\) and computes \(CID_i = E_x(ID_i||a)\). The server issues to the user \(U_i\) a smart card \(SC_i\) that stores \(\{K_i, V_i, CID_i, h(\cdot), H(\cdot)\}\).
- Upon receiving the smart card, \(U_i\) computes \(R_i = r \oplus h(ID_i||PW_i||H(B_i))\), and stores \(R_i\) in \(SC_i\).
4.2 Login and authentication phase
A legal user with a valid smart card can establish a secure and authorized session with the server. In this phase, the user and the server first authenticate each other and then agree on a session key for the secure transmission of data.
- \(U_i\) first inserts \(SC_i\) into the card reader, and enters his identity \(ID_i\), password \(PW_i\) and biometric \(B_i\). Then the smart card \(SC_i\) computes \(r = R_i \oplus h(ID_i||PW_i||H(B_i))\), \(MP_i = PW_i \oplus H(B_i) \oplus r\) and \(AID_i = V_i \oplus MP_i\). The card checks whether \(h(AID_i) \stackrel{?}{=} K_i\). If it holds, go to the next step.
- \(SC_i\) generates a random nonce \(d_u \in Z_p\), and computes \(D = d_uP\), \(M_1 = AID_i \oplus D\) and \(M_2 = h(AID_i||D||T_1)\). \(SC_i\) transmits \(\{M_1, M_2, CID_i, T_1\}\) to the server.
- After receiving the login request \(\{M_1, M_2, CID_i, T_1\}\), \(S\) first checks the freshness of \(T_1\) by verifying whether \(|T_c - T_1| < \Delta T\), where \(T_c\) is the current time. If true, \(S\) retrieves \(ID_i\) by decrypting \(CID_i\), and computes \(AID_i = h(ID_i||x)\). Then it calculates \(D = AID_i \oplus M_1\) and verifies whether \(M_2 = h(AID_i||D||T_1)\) holds. If correct, the server generates \(a^{\prime}\) and \(d_s \in Z_p\) at random, and computes \(E = d_sP\), \(CID^{\prime}_{i} = E_x(ID_i||a^{\prime})\), \(M_3 = AID_i \oplus E\), \(SK = h(AID_i||d_s(D)||CID_i)\) and \(M_4 = h(CID^{\prime}_{i}||SK||E||T_2)\), where \(T_2\) is the current time. Then, \(S\) sends \(\{M_3, M_4, CID^{\prime}_{i}, T_2\}\) to \(U_i\).
- Upon receiving \(\{M_3, M_4, CID^{\prime}_{i}, T_2\}\), \(SC_i\) checks the freshness of \(T_2\). Then it extracts \(E\) by computing \(M_3 \oplus AID_i\), computes \(SK = h(AID_i||d_u(E)||CID_i)\) and \(M^{\prime}_{4} = h(CID^{\prime}_{i}||SK||E||T_2)\), and checks whether \(M^{\prime}_{4} = M_4\) holds. If correct, \(SC_i\) replaces \(CID_i\) with \(CID^{\prime}_{i}\), computes \(M_5 = h(E||SK||T_3)\) and sends the message \(\{M_5, T_3\}\) to \(S\).
- \(S\) checks the validity of \(T_3\), and verifies \(h(E||SK||T_3) \stackrel{?}{=} M_5\). If both are correct, \(S\) authenticates \(U_i\) and accepts \(SK\) as the session key.
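A runnable model of the registration and login/authentication phases just described, added here as an illustration; it is not the paper’s code. It assumes secp256k1 for the curve, SHA-256 for \(h(\cdot)\), a plain hash of the biometric template as a stand-in for the bio-hash \(H(\cdot)\), a keystream XOR under a fresh IV as a stand-in for \(E_x\), and \(AID_i\) repeated twice to match the length of a point \(x||y\) in the XOR masks, none of which the paper fixes.

```python
import hashlib, os, secrets, time
P_MOD = 2**256 - 2**32 - 977  # secp256k1 (assumption: the paper fixes no curve)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 60  # accepted clock skew in seconds (assumed value for the paper's ΔT)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_MOD) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P_MOD)) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication k*pt
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):  # h(.) modelled as SHA-256 over the '||'-concatenation of its parts
    return hashlib.sha256(b"".join(parts)).digest()
def H(bio):  # bio-hash H(.) modelled as a plain hash of the biometric template
    return hashlib.sha256(b"biohash|" + bio).digest()
def xor(a, b): return bytes(u ^ v for u, v in zip(a, b))
def pt_bytes(pt):  # a point as x||y (Section 1.1); AID_i is doubled (aid * 2) to mask it
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def bytes_pt(b): return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big"))
def now(): return int(time.time()).to_bytes(8, "big")  # timestamps as 8-byte seconds
def fresh(t):  # |T_c - T| < ΔT
    return abs(int(time.time()) - int.from_bytes(t, "big")) < DELTA_T
def enc_x(x, msg):  # stand-in for E_x: keystream XOR under a fresh IV (assumption)
    iv = os.urandom(16)
    return iv + xor(msg, h(x, iv))
def dec_x(x, ct): return xor(ct[16:], h(x, ct[:16]))

class Server:
    def __init__(self):
        self.x = secrets.token_bytes(32)  # master secret x
    def register(self, id_i, mp_i):  # Section 4.1, server step
        aid = h(id_i, self.x)  # per-user AID_i = h(ID_i||x) instead of a shared h(x)
        cid = enc_x(self.x, id_i + os.urandom(16))  # CID_i = E_x(ID_i||a)
        return {"K": h(aid), "V": xor(aid, mp_i), "CID": cid}
    def respond(self, m1, m2, cid, t1):  # Section 4.2, server step
        if not fresh(t1):
            return None
        id_i = dec_x(self.x, cid)[:16]
        aid = h(id_i, self.x)
        D = bytes_pt(xor(aid * 2, m1))
        if m2 != h(aid, pt_bytes(D), t1):
            return None  # M_2 check failed: wrong AID_i or tampered D
        d_s, t2 = secrets.randbelow(N - 1) + 1, now()
        E = ec_mul(d_s, G)
        cid2 = enc_x(self.x, id_i + os.urandom(16))  # CID'_i = E_x(ID_i||a')
        sk = h(aid, pt_bytes(ec_mul(d_s, D)), cid)  # SK = h(AID_i||d_s(D)||CID_i)
        self.pending = (E, sk)  # held until M_5 confirms the key
        return xor(aid * 2, pt_bytes(E)), h(cid2, sk, pt_bytes(E), t2), cid2, t2
    def finish(self, m5, t3):  # verifies M_5 = h(E||SK||T_3)
        E, sk = self.pending
        return sk if fresh(t3) and m5 == h(pt_bytes(E), sk, t3) else None

def user_register(server, id_i, pw, bio):  # Section 4.1, user steps
    r = os.urandom(32)
    card = server.register(id_i, xor(xor(pw, H(bio)), r))  # MP_i = PW_i⊕H(B_i)⊕r
    card["R"] = xor(r, h(id_i, pw, H(bio)))  # R_i kept on the card
    return card

def card_open(card, id_i, pw, bio):  # recover AID_i and check h(AID_i) = K_i
    r = xor(card["R"], h(id_i, pw, H(bio)))
    aid = xor(card["V"], xor(xor(pw, H(bio)), r))
    return aid if h(aid) == card["K"] else None

def run_session(server, card, id_i, pw, bio):  # complete login/authentication run
    aid = card_open(card, id_i, pw, bio)
    if aid is None:
        return None  # local three-factor check failed; nothing is sent
    d_u, t1 = secrets.randbelow(N - 1) + 1, now()
    D = ec_mul(d_u, G)
    reply = server.respond(xor(aid * 2, pt_bytes(D)), h(aid, pt_bytes(D), t1),
                           card["CID"], t1)
    if reply is None:
        return None
    m3, m4, cid2, t2 = reply
    E = bytes_pt(xor(aid * 2, m3))
    sk = h(aid, pt_bytes(ec_mul(d_u, E)), card["CID"])  # SK uses the old CID_i
    if not fresh(t2) or m4 != h(cid2, sk, pt_bytes(E), t2):
        return None  # server failed to prove knowledge of AID_i and SK
    card["CID"] = cid2  # pseudonym refreshed, so successive logins are unlinkable
    t3 = now()
    return sk if server.finish(h(pt_bytes(E), sk, t3), t3) == sk else None

ID_I = b"patient-0001".ljust(16, b"\0")  # constructed sample credentials
PW_I = b"correct horse".ljust(32, b"\0")
BIO_I = b"constructed fingerprint template"
```

Calling `run_session(Server(), card, ID_I, PW_I, BIO_I)` after `user_register` returns the 32-byte session key, refreshes the card’s pseudonym, and returns None whenever the local three-factor check, \(M_2\), \(M_4\) or \(M_5\) fails.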
4.3 Password change phase
A valid user with a smart card can change the password of the smart card as follows:
- \(U_i\) inserts the smart card into the device and inputs \(ID_i\), \(PW_i\) and \(B_i\).
- \(SC_i\) computes \(r = R_i \oplus h(ID_i||PW_i||H(B_i))\), \(MP_i = PW_i \oplus H(B_i) \oplus r\), \(AID_i = V_i \oplus MP_i\) and checks \(h(AID_i) \stackrel{?}{=} K_i\). If it holds, \(U_i\) inputs a new password \(PW^{new}_{i}\), biometric \(B^{new}_{i}\) and a new random number \(r^{new}\).
- \(SC_i\) computes \(MP_{i}^{new} = PW^{new}_{i} \oplus H(B^{new}_{i}) \oplus r^{new}\), \(V_{i}^{new} = AID_i \oplus MP_{i}^{new}\) and \(R^{new}_{i} = r^{new} \oplus h(ID_i||PW^{new}_{i}||H(B^{new}_{i}))\). Finally, it replaces \(R_i\), \(V_i\) by \(R_{i}^{new}\), \(V_{i}^{new}\) respectively.
5 Security
This section gives a formal proof of the security of the proposed scheme.
5.1 Proof by BAN-logic
BAN logic [2] is a set of rules for analyzing the beliefs of the legitimate principals involved in a protocol. Many researchers have analyzed the security of authentication schemes using BAN logic. In this section, we demonstrate that the proposed scheme works correctly by showing that it achieves the authentication goals in BAN logic. The notations used in the BAN logic analysis are defined as follows:
- \(P|\equiv X\): The principal \(P\) believes the statement \(X\), or \(P\) would be entitled to believe \(X\).
- \(\sharp(X)\): The formula \(X\) is fresh.
- \(P \Rightarrow X\): The principal \(P\) has jurisdiction over the statement \(X\).
- \(P \triangleleft X\): The principal \(P\) sees the statement \(X\).
- \(P|\sim X\): The principal \(P\) once said the statement \(X\).
- \((X,Y)\): The formula \(X\) or \(Y\) is one part of the formula \((X,Y)\).
- \(\langle X\rangle_{Y}\): The formula \(X\) is xored with the formula \(Y\).
- \((X)_{Y}\): The formula \(X\) is hashed under the key \(Y\).
- \(P \stackrel{K}{\longleftrightarrow} Q\): The principals \(P\) and \(Q\) share the key \(K\).
Some main logical postulates of BAN logic are defined as follows:
- the message-meaning rule: \( \frac{P|\equiv Q \stackrel{K}{\longleftrightarrow} P,\ P\triangleleft \langle X\rangle_{K}}{P|\equiv Q|\sim X} \)
- the freshness-concatenation rule: \( \frac{P|\equiv \sharp(X)}{P|\equiv \sharp(X,Y)} \)
- the nonce-verification rule: \( \frac{P|\equiv \sharp(X),\ P|\equiv Q|\sim X}{P|\equiv Q|\equiv X} \)
- the jurisdiction rule: \( \frac{P|\equiv Q \Rightarrow X,\ P|\equiv Q|\equiv X}{P|\equiv X} \)
- the belief rules: \( \frac{P|\equiv (X,Y)}{P|\equiv X} \), \( \frac{P\triangleleft (X,Y)}{P\triangleleft X} \)
(2) Idealized scheme:
\(U: \langle D\rangle _{U\overset {AID}{\longleftrightarrow }S}, (U\overset {SK}{\longleftrightarrow }S, D, T_{1})_{U\overset {AID}{\longleftrightarrow }S}, T_{1}, (U\overset {SK}{\longleftrightarrow }S, T_{3})_{U\overset {AID}{\longleftrightarrow }S} \)
\(S: \langle E\rangle _{U\overset {AID}{\longleftrightarrow }S}, (U\overset {SK}{\longleftrightarrow }S, CID^{\prime }_{i}, E, T_{2})_{U\overset {AID}{\longleftrightarrow }S}, T_{2}\)
(3) Security goals
G1: \(U|\equiv S|\equiv (U\overset{SK}{\longleftrightarrow} S)\)
G2: \(U|\equiv (U\overset{SK}{\longleftrightarrow} S)\)
G3: \(S|\equiv U|\equiv (U\overset{SK}{\longleftrightarrow} S)\)
G4: \(S|\equiv (U\overset{SK}{\longleftrightarrow} S)\)
(4) Initial premises
A.1 \(U|\equiv \sharp(T_{2})\)
A.2 \(S|\equiv \sharp(T_{1})\)
A.3 \(S|\equiv \sharp(T_{3})\)
A.4 \(U|\equiv U\overset{AID}{\longleftrightarrow} S\)
A.5 \(S|\equiv U\overset{AID}{\longleftrightarrow} S\)
A.6 \(U|\equiv S\Rightarrow (U\overset{SK}{\longleftrightarrow}S, CID^{\prime}_{i}, E, T_{2})\)
A.7 \(S|\equiv U\Rightarrow (U\overset{SK}{\longleftrightarrow}S, T_{3})\)
(5) Scheme analysis
Based on the above assumptions and rules of BAN logic, we analyze the idealized form of the proposed scheme; the main steps of the proof are as follows:
s1. From the message \(S\triangleleft (U\overset{SK}{\longleftrightarrow}S, T_{3})_{U \overset{AID}{\longleftrightarrow} S}\) and A.5, we apply the message-meaning rule to obtain:
s2. From A.3 and s1, by the freshness-concatenation rule and the nonce-verification rule we get:
G3. From s2, we achieve the third goal by applying the belief rule:
G4. Using A.7 and G3, we obtain:
s3. From the message \((U\overset{SK}{\longleftrightarrow}S, CID^{\prime}_{i}, E, T_{2})_{U \overset{AID}{\longleftrightarrow}S}\) and A.4, applying the message-meaning rule we obtain:
s4. From A.1 and s3, we use the freshness-concatenation rule and the nonce-verification rule to prove:
G1. From s4, according to the belief rule, we obtain:
G2. From A.6 and G1, we obtain:
Hence, we apply the BAN logic to analyze the security of our proposed scheme. The results demonstrate that our authentication scheme can achieve mutual authentication between the user U and the server S.
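The steps of the analysis above carried through with the paper’s own symbols; the conclusions written out here are the ones the listed rules yield from the stated premises and are added for illustration, not quoted from the paper:

```latex
\text{s1. (message-meaning, A.5)}\quad S|\equiv U|\sim (U\overset{SK}{\longleftrightarrow}S,\ T_{3})
\text{s2. (freshness-concatenation on A.3, then nonce-verification with s1)}\quad S|\equiv \sharp(U\overset{SK}{\longleftrightarrow}S,\ T_{3}),\ \ S|\equiv U|\equiv (U\overset{SK}{\longleftrightarrow}S,\ T_{3})
\text{G3. (belief rule on s2)}\quad S|\equiv U|\equiv U\overset{SK}{\longleftrightarrow}S
\text{G4. (jurisdiction rule on A.7 and s2, then belief rule)}\quad S|\equiv (U\overset{SK}{\longleftrightarrow}S,\ T_{3}),\ \ S|\equiv U\overset{SK}{\longleftrightarrow}S
\text{s3. (message-meaning, A.4)}\quad U|\equiv S|\sim (U\overset{SK}{\longleftrightarrow}S,\ CID^{\prime}_{i},\ E,\ T_{2})
\text{s4. (freshness-concatenation on A.1, then nonce-verification with s3)}\quad U|\equiv S|\equiv (U\overset{SK}{\longleftrightarrow}S,\ CID^{\prime}_{i},\ E,\ T_{2})
\text{G1. (belief rule on s4)}\quad U|\equiv S|\equiv U\overset{SK}{\longleftrightarrow}S
\text{G2. (jurisdiction rule on A.6 and s4, then belief rule)}\quad U|\equiv (U\overset{SK}{\longleftrightarrow}S,\ CID^{\prime}_{i},\ E,\ T_{2}),\ \ U|\equiv U\overset{SK}{\longleftrightarrow}S
```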
5.2 Formal security analysis
In this section, we demonstrate that the proposed scheme is provably secure against a probabilistic polynomial-time adversary \(\mathcal{A}\) under the random oracle model, i.e. that \(\mathcal{A}\) cannot derive the session key between a user and the server. We use the method of contradiction of [8] to give the formal security proof; similar proofs are given in [10, 22]. Note that one can also give a formal security proof in the standard model; here, however, we perform the formal security analysis under the generic group model of cryptography.
In order to apply the contradiction-proof technique, we assume that the following oracle exists for an adversary \(\mathcal{A}\).
- Reveal: This oracle unconditionally outputs the input string \(x\) for the corresponding hash value \(y = h(x)\).
Theorem 1
Under the assumption that the one-way hash function closely behaves like a random oracle, our proposed authentication scheme is secure against an adversary \(\mathcal{A}\) attempting to derive the user \(U_i\)’s identity \(ID_i\) and the session key \(SK\) between \(U_i\) and \(S\).
Proof
In our proof, we first construct an adversary \(\mathcal{A}\) who can derive a legal user \(U_i\)’s identity \(ID_i\) and the session key \(SK\) between \(U_i\) and the server \(S\). The adversary \(\mathcal{A}\) uses the Reveal oracle to run the experiment \(EXP1^{HASH}_{\mathcal{A},SEUATPAS}\) given in Algorithm 1 for our new secure and efficient user anonymity-preserving three-factor authentication scheme, denoted SEUATPAS. The success probability of \(EXP1^{HASH}_{\mathcal{A},SEUATPAS}\) is defined as \(Succ1 = |Pr[EXP1^{HASH}_{\mathcal{A},SEUATPAS} = 1] - 1|\). We define the advantage function for this experiment as \(Adv1(et_{1}, q_{R}) = \max_{\mathcal{A}} Succ1\), where the maximum is taken over all \(\mathcal{A}\) with execution time \(et_1\) and \(q_R\) queries to Reveal. Our protocol is secure against \(\mathcal{A}\) deriving \(U_i\)’s identity \(ID_i\) and the session key \(SK\) if \(Adv1 \leq \epsilon\) for any sufficiently small \(\epsilon > 0\).
Algorithm 1: \(EXP1^{HASH}_{\mathcal{A},SEUATPAS}\)
Consider the experiment \(EXP1^{HASH}_{\mathcal{A},SEUATPAS}\) in Algorithm 1. In this experiment, \(\mathcal{A}\) can derive the identity \(ID_i\) and the session key \(SK\) between \(U_i\) and \(S\) if \(\mathcal{A}\) has access to the oracle Reveal. But inverting the hash function is computationally infeasible because of its one-way and collision-resistant properties, that is \(Adv_{\mathcal{A}}^{HASH}(t) \leq \epsilon_1\) for any small \(\epsilon_1 > 0\). Therefore, our scheme is provably secure against \(\mathcal{A}\) deriving a user’s identity \(ID_i\) and the session key \(SK\) between a user and the server. □
6 Comparison
In this section we discuss the security attributes and performance of our proposed scheme and compare it with the previous schemes of [1, 18, 29, 30]. Table 2 lists the security flaws and efficiency of these biometric-based authentication schemes.
In the table, √ means that the scheme prevents the attack or satisfies the attribute, and × means that it fails to prevent the attack or does not satisfy the attribute. From Table 2, the schemes [1, 29, 30] are vulnerable to the off-line password guessing attack, which means that an adversary can derive the correct password by an off-line exhaustive search, since passwords are short so that they are easy to remember. Arshad et al.’s scheme [1] cannot protect user anonymity, and the identity of an entity is leaked to the attacker; an ID-based authentication scheme should ensure user anonymity and provide unlinkability. Wu et al.’s scheme [29] and Lu et al.’s scheme [18] cannot resist the impersonation attack, which means that an adversary could impersonate a legal user to access any service.
From Table 2 it is also clear that in Yeh et al.’s scheme [30] and Arshad et al.’s scheme [1], if the server’s master key is leaked, a malicious party can compute all previous session keys between a user and the server; they do not provide strong forward secrecy. In Yeh et al.’s scheme [30], the server and the user do not verify the correctness of the session key. In general, a scheme with session key verification needs three message transmissions.
Table 3 gives the computation overhead of these schemes in the login and authentication phase, where \(T_{sym}\), \(T_h\), \(T_{mm}\), \(T_M\) and \(T_A\) denote the time complexity of symmetric encryption/decryption, hash function, the biometric function, modular multiplication, elliptic curve point multiplication and point addition, respectively. Note that \(T_M > T_A > T_{mm} > T_{sym} > T_h\). Since the login and authentication phases are executed in every session while the registration and password change phases occur once, we only discuss the computational cost of the login and authentication phases. Table 3 shows that our scheme costs less computation to achieve mutual authentication and key agreement than the schemes [1, 18, 29], and almost the same as the protocol [30].
7 Conclusions
In this paper, we analyzed the security of Lu et al.’s biometric-based authentication scheme. We showed that their scheme is unable to protect user anonymity and is insecure against impersonation attacks, which let an adversary impersonate a legal user to access any service provided by the server, or pose as the legal server to cheat an honest user. Moreover, we employed bio-hash functions and the elliptic curve Diffie-Hellman problem to propose a secure and efficient three-factor authentication protocol. The new scheme is proven correct with BAN logic and secure under the random oracle model. Finally, we compared our new authentication protocol with others in efficiency and security attributes.
References
Arshad H, Nikooghadam M (2014) Three-Factor Anonymous authentication and key agreement scheme for telecare medicine information systems. J Med Syst 38(12):136–147
Burrows M, Abadi M, Needham R (1990) A logic of authentication. ACM Trans Comput Syst 8:18–36
Chang C-C, Wu T-C (1991) Remote password authentication with smart cards. Comput Digit Tech IEE Proc E 138(3):165–168
Chang C-C, Hwang S-J (1993) Using smart cards to authenticate remote passwords. Comput Math Appl 26(7):19–27
Chang YF, Yu SH, Shiao DR (2013) An uniqueness and anonymity-preserving remote user authentication scheme for connected health care. J Med Syst 37(12):9902–9910
Chen C, Lee C, Hsu C (2012) Mobile device integration of a fingerprint biometric remote authentication scheme. Int J Commun Syst 25(2):585–597
Chiou S-Y, Ying Z, Liu J (2016) Improvement of a privacy authentication scheme based on cloud for medical environment. J Med Syst 40:101
Chuang YH, Tseng YM (2010) An efficient dynamic group key agreement protocol for imbalanced wireless networks. Int J Netw Manag 20(4):167–180
Das ML, Saxena A, Gulati VP (2004) A dynamic ID-based remote user authentication scheme. IEEE Trans Consum Electron 50(2):629–631
Das AK (2015) A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-peer Netw Appl 9(1):223–244
He DB, Chen JH, Zhang R (2012) A more secure authentication scheme for telecare medicine information systems. J Med Syst 36(2):1989–1995
Jin AT, Ling D, Goh A (2004) Biohashing: Two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn 37(11):2245–2255
Khan MK, Kim KS, Alghathbar K (2010) Cryptanalysis and security enhancement of a more efficient secure dynamic ID-based remote user authentication scheme. Comput Commun 34(3):305–309
Khan M, Kuman C, Gupta M (2014) More efficient key-hash based fingerprint remote authentication scheme using device. Computing 96(9):793–816
Kocher P, Jaffe J, Jun B (1999) Differential power analysis, Proceedings of 19th Annual International Cryptology conference(CRYPTO’99). LNCS 1666:388–397
Ku W, Chen S (2004) Impersonation attack on a dynamic ID based remote user authentication using smartcards. IEICE Trans Commun E88-B:2165–2167
Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772
Lu Y, Li L, Peng H, Yang Y (2015) An enhanced Biometric-Based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem. J Med Syst 39(2):1–9
Lu Y, Li L, Peng H, Yang Y (2016) A secure and efficient mutual authentication scheme for session initiation protocol. Peer-to-Peer Netw Appl 9(1):449–459
Lumini A, Nanni L (2007) Biohashing: Two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn 40(3):1057–1065
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smartcard security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
Mir O, Munilla J, Kumari S (2015) Efficient anonymous authentication with key agreement protocol for wireless medical sensor networks. Peer-to-Peer Netw Appl:1–13
Mishra D, Das AK, Mukhopadhyay S (2016) A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card. Peer-to-Peer Netw Appl 9(1):171–192
Moon J, Choi Y, Kim J, Won D (2016) An improvement of robust and efficient biometrics based password authentication scheme for telecare medicine information systems using extended chaotic maps. J Med Syst 40:70
Siddiqui Z, Abdullah A-H, Khan M-K, Lee H-C, Alghamdi A-S (2015) Cryptanalysis and improvement of ’a secure authentication scheme for telecare medical information system’ with nonce verification, Peer-to-Peer Netw Appl, pp 1–13. doi:10.1007/s12083-015-0364-9
Wang YY, Liu JY, Xiao FX, Dan J (2009) A more efficient secure dynamic ID-based remote user authentication. Comput Commun 32:583–585
Wang XM, Zhang WF, Zhang JS, Khan MK (2007) Cryptanalysis and improvement on two efficient remote user authentication schemes using smart cards. Comput Stand Interfaces 29:507–512
Wu Z-Y, Lee Y-C, Lai F, Lee H-C, Chung Y (2012) A secure authentication scheme for telecare medicine information systems. J Med Syst 36(3):1529–1535
Wu F, Xu L, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client server networks. Comput Electr Eng 45(C):274–285
Yeh H-L, Chen T-H, Hu K-J, Shih W-K (2013) Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric data. IET Inf Secur 7(3):247–252
Acknowledgments
This research is supported by National Basic Research Program of China (Grant No. 2013CB834205), Natural Science Foundation of Zhejiang Province (Grant No. LZ12F02005) and Opening project of Key Laboratory of Public Security Information Application Based on Big-data Architecture, Ministry of Public Security (Grant No. 2014DSJSY004).
Cite this article
Han, L., Tan, X., Wang, S. et al. An efficient and secure three-factor based authenticated key exchange scheme using elliptic curve cryptosystems. Peer-to-Peer Netw. Appl. 11, 63–73 (2018). https://doi.org/10.1007/s12083-016-0499-3