1 Introduction

With the rapid development of the internet, authentication schemes are used to establish secure communication over insecure channels. After executing an authentication protocol, a remote legal user can log in, be authenticated by the server and access its services, while the server must reject any unauthorized or malicious entity that tries to use the resources and services it offers. Researchers have studied two-factor authentication schemes based on a password and a memory device: a user who holds a smart card and knows the correct password can log in and be authenticated by the system. The user and the server then agree on a session key that is known only to the two parties and is used to encrypt the messages transmitted over the insecure internet.

Furthermore, many researchers consider biometrics (face, fingerprint, iris and so on) as an additional factor to improve the security of authentication schemes. Schemes based on a password, a biometric and a memory device are generally called three-factor schemes. Up to now, many authentication schemes have been proposed for different applications. However, many attacks against password-based authentication schemes have also been presented, such as password guessing, replay, impersonation and denial-of-service attacks. A legal user does not want to leak his/her identity to any party other than the server. Usually a password is short so that it can be remembered easily; hence a secure scheme must resist password guessing attacks. Moreover, no legal party should be able to impersonate another entity in order to deceive the server, or to pose as the server in order to cheat a legal user. In a word, a secure and efficient authentication scheme must protect the user's privacy and deny a malicious adversary access to the services.

In 1981, Lamport [17] proposed the first password authentication scheme based on a one-way hash function. Password-based protocols may suffer from password leakage, insider and server-spoofing attacks, and require a verification table to improve their security. Chang et al. [3, 4] presented a two-factor user authentication scheme based on a password and a smart card. Since then, many authors have proposed different two-factor authentication schemes for various applications [9, 11, 13, 16, 26–28]. In 2004, Das et al. [9] proposed a dynamic ID-based authentication scheme with user anonymity. However, Ku and Chen [16] showed that Das et al.'s scheme is susceptible to impersonation attack, and [27] showed that it is vulnerable to insider and server spoofing attacks. Wang et al. [26] proposed an improved authentication scheme, but Khan et al. [13] showed that it cannot protect user anonymity. Wu et al. [28] proposed an efficient authentication scheme using a smart card with pre-computation. However, He et al. [11] found that Wu et al.'s scheme is not secure against impersonation attacks and insider attacks.

All of the above authentication schemes are based on two factors, a password and a smart card. Lately, researchers have focused on three-factor authentication and key agreement schemes that employ biometrics [1, 6, 14, 18, 25, 29, 30]. In 2013, Yeh et al. [30] showed that Fan et al.'s scheme is insecure against insider attack and presented an improved biometric-based authentication scheme using an elliptic curve cryptosystem (ECC). Wu et al. [29] gave a new smart card authentication protocol for telecare medicine information systems (TMIS) and claimed that it is secure against off-line password guessing, impersonation and replay attacks; Siddiqui et al. [25] pointed out that Wu et al.'s scheme is in fact vulnerable to these attacks. Chen et al. [6] presented a new three-factor authentication protocol based on mobile devices. However, Chen et al.'s scheme is insecure against replay and forgery attacks and cannot provide user anonymity, and Khan et al. [14] proposed an improved scheme based on it. In 2014, Arshad et al. [1] gave a new three-factor authentication scheme. Recently, Lu et al. [18] pointed out the security flaws of Arshad et al.'s scheme and proposed a biometric-based authentication scheme using elliptic curve cryptosystems.

Recently, some researchers have proposed other three-factor authentication schemes [7, 19, 23, 24] for other application scenarios, such as the Session Initiation Protocol (SIP) and cloud computing.

In this paper, we demonstrate that Lu et al.'s scheme fails to protect the patient's anonymity. Additionally, we show that a legal user can impersonate any user of the system to the server, and can pose as the legitimate server to deceive a user. We then put forward an improved biometric-based authentication scheme that removes these weaknesses. We prove the correctness of the proposed scheme with Burrows-Abadi-Needham (BAN) logic and its security in the random oracle model. Compared with previous authentication schemes, the new scheme has a low computational cost in the login and authentication phases.

The remainder of this paper is organized as follows. Section 1.1 introduces the notations and definitions used in this paper. Section 2 reviews the biometric-based authentication scheme of Lu et al. Section 3 analyzes the security problems of Lu et al.'s protocol. We present a new biometric-based authentication scheme based on ECC in Section 4. Section 5 proves the correctness and the security of our scheme by BAN logic and in the random oracle model, respectively. Section 6 compares our scheme with some previous authentication schemes in terms of security and efficiency. Finally, we conclude in Section 7.

1.1 Notations

In this section we give the notations and definitions used throughout this paper, and introduce the cryptographic tools we rely on, such as bio-hashing.

Table 1 lists the notations that appear in this paper.

Table 1 Notations

In Table 1, the one-way hash function h(⋅) maps a string of arbitrary length to a string of fixed length, called the hash value; it can be written as \(h:\{0,1\}^{*}\rightarrow \{0,1\}^{n}\). Such a hash function is easy to compute for every input, but given a hash value it is hard to find a preimage.

When the hash function or the ⊕ operation is applied to an elliptic curve point P = (x, y), we represent the point P as the string x||y.

1.2 Bio-hashing

Recently, biometrics have been added to authentication schemes to prove that the user is genuine. However, imprinted biometric characteristics such as a fingerprint or a face are not exactly the same at each reading, so verification based directly on the biometric often rejects valid users. To resolve this problem, Jin et al. [12] proposed a two-factor authenticator based on iterated inner products between tokenised pseudo-random numbers and the user-specific fingerprint features, which produces a set of user-specific compact codes coined Bio-Hashing. Bio-Hashing projects the user's biometric onto token-specific random vectors and then discretizes the projection coefficients into zeros and ones to obtain a code (called the biocode). For more details refer to [5, 20].
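The following Python program is an added illustration of the Bio-Hashing construction described above; it is not code from this paper or from Jin et al. It assumes a fixed-length real-valued fingerprint feature vector (a constructed 20-dimensional sample, not real minutiae data), a user token that seeds m orthonormal pseudo-random projection vectors (Gram-Schmidt on Gaussian draws), and discretization of each inner product at the threshold τ = 0. A second constructed reading adds small noise to the first, to show that a slightly different imprint still yields (almost) the same biocode, while a different token yields an unrelated code.

```python
import hashlib, math, random

def token_projections(token: bytes, n: int, m: int):
    """m orthonormal pseudo-random vectors in R^n derived from the user's token."""
    rng = random.Random(int.from_bytes(hashlib.sha256(token).digest(), "big"))
    basis = []
    while len(basis) < m:
        v = [rng.gauss(0.0, 1.0) for _ in range(n)]
        for b in basis:                            # Gram-Schmidt against earlier vectors
            d = sum(vi * bi for vi, bi in zip(v, b))
            v = [vi - d * bi for vi, bi in zip(v, b)]
        norm = math.sqrt(sum(vi * vi for vi in v))
        if norm > 1e-9:
            basis.append([vi / norm for vi in v])
    return basis

def biohash(features, token: bytes, m: int = 16, tau: float = 0.0) -> str:
    """Biocode: each inner product <features, r_k> is discretized at the threshold tau."""
    rows = token_projections(token, len(features), m)
    return "".join("1" if sum(f * r for f, r in zip(features, row)) > tau else "0"
                   for row in rows)

def hamming(a: str, b: str) -> int:
    return sum(ca != cb for ca, cb in zip(a, b))

def verify(stored_code: str, features, token: bytes, max_dist: int = 2) -> bool:
    """Accept a fresh reading if its biocode is within max_dist bits of the enrolled one."""
    return hamming(stored_code, biohash(features, token, len(stored_code))) <= max_dist

# Constructed sample input (assumption, not real data): a 20-dimensional feature vector for
# the enrolled finger and a second, slightly noisy reading of the same finger.
_gen = random.Random(2024)
ENROLLED = [_gen.gauss(0.0, 1.0) for _ in range(20)]
FRESH = [f + _gen.gauss(0.0, 0.002) for f in ENROLLED]
TOKEN_A, TOKEN_B = b"smart-card-token-A", b"smart-card-token-B"

if __name__ == "__main__":
    code = biohash(ENROLLED, TOKEN_A)
    print("biocode:", code)
    print("fresh reading accepted:", verify(code, FRESH, TOKEN_A, max_dist=4))
    print("new token changes the code:", biohash(ENROLLED, TOKEN_B) != code)
```

Only the biocode needs to be stored or hashed into V_i, so a compromised card reveals the projection of the template, not the template itself, and re-issuing a token gives the same finger a fresh, unrelated code. The tolerance max_dist is the practitioner's knob between false rejection and false acceptance; the matching is done on bits, so the noisy reading is absorbed before it reaches the cryptographic layer.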

2 Review of Lu et al.’s scheme

In this section we review Lu et al.'s three-factor authentication scheme based on elliptic curve cryptography [18], which builds on Arshad et al.'s scheme [1]. It consists of four phases: registration, login, authentication and password change. We introduce these phases briefly in the following.

2.1 Registration phase

When a user U_i wants to register with the server S, S issues a personalized smart card via the following steps:

  • The user U_i imprints his biometric B_i and selects an identity ID_i and a password PW_i. Then he computes \(MP_{i}=PW_{i}\oplus H(B_{i})\) and submits {ID_i, MP_i} to the server S through a secure channel.

  • S computes \(AID_{i}=ID_{i}\oplus h(x)\) and \(V_{i}=h(ID_{i}||MP_{i})\), where x is S's secret key. S issues a smart card SC_i containing {AID_i, V_i, h(⋅), H(⋅)} to the user U_i.

2.2 Login and authentication phase

  • U_i first inserts the smart card SC_i into a card reader, enters his identity ID_i and password PW_i, and imprints his biometric B_i at the sensor. Then SC_i verifies whether \(h(ID_{i}||PW_{i}\oplus H(B_{i}))=V_{i}\). If it holds, go to the next step; otherwise, reject the request.

  • SC_i selects a random number d_u and computes \(K=h(ID_{i}||ID_{i}\oplus AID_{i})=h(ID_{i}||h(x))\), \(M_{1}=K\oplus d_{u}P\) and \(M_{2}=h(ID_{i}||d_{u}P||T_{1})\), where T_1 is the current time stamp. SC_i sends the message {M_1, M_2, AID_i, T_1} to S.

  • After receiving the request, S first checks whether \(|T_{c}-T_{1}|<\Delta T\), where T_c is the current time stamp. If so, S uses its secret key x to extract \(ID_{i}=AID_{i}\oplus h(x)\). Then S computes \(K=h(ID_{i}||h(x))\) and \(d_{u}P=K\oplus M_{1}\), and verifies whether \(M_{2}=h(ID_{i}||d_{u}P||T_{1})\). If it holds, S generates a random d_s and computes \(M_{3}=K\oplus d_{s}P\), \(SK=d_{s}(d_{u}P)\) and \(M_{4}=h(K||d_{u}P||SK||T_{2})\), where T_2 is the current time. Then S sends {M_3, M_4, T_2} to U_i.

  • Upon receiving the message from S, SC_i checks the validity of T_2. Then it extracts \(d_{s}P=M_{3}\oplus K\) and calculates \(SK=d_{u}(d_{s}P)\) and \(M^{\prime }_{4}=h(K||d_{u}P||SK||T_{2})\). It checks whether \(M^{\prime }_{4}=M_{4}\) holds. If so, SC_i computes \(M_{5}=h(K||d_{s}P||SK||T_{3})\) and sends the response {M_5, T_3} to S.

  • S checks T_3 and verifies \(h(K||d_{s}P||SK||T_{3})\stackrel {?}{=}M_{5}\). If both hold, S authenticates U_i and accepts SK as the session key.

2.3 Password change phase

If a user U_i wants to change his password, he inserts the smart card into the card reader and keys in ID_i, PW_i and B_i. Then SC_i checks \(h(ID_{i}||PW_{i}\oplus H(B_{i}))\stackrel {?}{=}V_{i}\). If it holds, U_i inputs a new password \(PW^{new}_{i}\), and SC_i computes \(V_{i}^{new}=h(ID_{i}||PW^{new}_{i}\oplus H(B_{i}))\) and replaces V_i by \(V_{i}^{new}\).

3 Security weakness of Lu et al.’s scheme

This section shows that Lu et al.'s scheme fails to achieve the security goals they claimed. In the attack model, we assume that an adversary can obtain the information stored in a user's smart card by monitoring its power consumption, as in [15, 21]. The adversary also has full control over the communication channel: he can intercept and modify the messages transmitted between U_i and S. In the following, we discuss the security of Lu et al.'s scheme in detail.

3.1 User’s identity leakage

In Lu et al.'s scheme, the user's identity is obscured by computing \(AID_{i}=ID_{i}\oplus h(x)\), which is transmitted over the public channel in the login phase. For an external adversary it is very difficult to recover the patient's identity without knowledge of the secret value x. However, a legal but malicious user U_j can retrieve \(h(x)=AID_{j}\oplus ID_{j}\) from his own identity ID_j and the value AID_j stored in his smart card, because h(x) is the same for every registered user. Then U_j can compute any other patient's identity as \(ID=AID\oplus h(x)\), where AID is intercepted by U_j from that patient's login message. Therefore, Lu et al.'s scheme does not protect user anonymity, since a user's identity is leaked to any malicious user.

3.2 Server impersonation attack

Lu et al. claimed that their scheme withstands various attacks. We now demonstrate that a legitimate user U_j can impersonate the legal server to any other user U_i by performing the following steps.

  • (1). U_j extracts the information {V_j, AID_j, h(⋅), H(⋅)} stored in his own smart card by a power analysis attack. Since \(AID_{j}=ID_{j}\oplus h(x)\), U_j retrieves \(h(x)=AID_{j}\oplus ID_{j}\) using his own identity.

  • (2). When a user U_i performs the login and authentication process and sends {M_1, M_2, AID_i, T_1} to S, U_j intercepts the login message.

  • (3). U_j computes \(ID_{i}=AID_{i}\oplus h(x)\) to extract the identity of U_i, then \(K=h(ID_{i}||h(x))\) and \(d_{u}P=K\oplus M_{1}\). U_j chooses a random \(d^{\prime }_{s}\in Z^{*}_{p}\) and computes \(M^{\prime }_{3}=K\oplus d^{\prime }_{s}P\), \(SK^{\prime }=d^{\prime }_{s}(d_{u}P)\) and \(M^{\prime }_{4}=h(K||d_{u}P||SK^{\prime }||T_{2})\), where T_2 is the current time stamp. U_j returns the response \(\{M^{\prime }_{3}, M^{\prime }_{4}, T_{2}\}\) to U_i.

  • (4). U_i verifies the freshness of T_2. Then he computes \(d^{\prime }_{s}P=K\oplus M^{\prime }_{3}\), \(SK=d_{u}(d^{\prime }_{s}P)\) and \(M^{*}_{4}=h(K||d_{u}P||SK||T_{2})\), and finds \(M^{*}_{4}=M^{\prime }_{4}\). U_i accepts the session key SK and believes U_j to be the legitimate server.

Therefore, a legal patient can pose as the legitimate server to all other users.

3.3 User impersonation attack

This subsection shows that a malicious user can impersonate any other user to the server: the server cannot identify the true identity of the communicating party.

  • (1). U_j obtains \(h(x)=AID_{j}\oplus ID_{j}\) from the value AID_j stored in his own smart card, as in step (1) of the server impersonation attack.

  • (2). When another patient U_i initiates the login process and transmits the request {M_1, M_2, AID_i, T_1} to S, U_j extracts AID_i from the request and computes \(ID_{i}=AID_{i}\oplus h(x)\). U_j then blocks this session.

  • (3). U_j selects a random nonce \(d^{\prime }_{u}\in Z^{*}_{p}\) and the current time stamp T_1, and calculates \(K=h(ID_{i}||h(x))\), \(M^{\prime }_{1}=K\oplus d^{\prime }_{u}P\) and \(M^{\prime }_{2}=h(ID_{i}||d^{\prime }_{u}P||T_{1})\). Then U_j sends \(\{M^{\prime }_{1}, M^{\prime }_{2}, AID_{i}, T_{1}\}\) to S as the login message of U_i.

  • (4). After receiving the login message, S verifies whether \(|T_{s}-T_{1}|\le \Delta T\); if not, S aborts the session. Otherwise, S computes \(ID_{i}=AID_{i}\oplus h(x)\), \(K=h(ID_{i}||h(x))\) and \(d^{\prime }_{u}P=K\oplus M^{\prime }_{1}\), and finds that \(M^{\prime }_{2}\) verifies. S then chooses a random \(d_{s}\in Z^{*}_{p}\) and computes \(M_{3}=K\oplus d_{s}P\), \(SK=d_{s}(d^{\prime }_{u}P)\) and \(M_{4}=h(K||d^{\prime }_{u}P||SK||T_{2})\), where T_2 is the current time stamp, and sends {M_3, M_4, T_2} to U_i; the message is received by U_j.

  • (5). U_j computes \(d_{s}P=K\oplus M_{3}\) and \(SK=d^{\prime }_{u}(d_{s}P)\), and checks \(h(K||d^{\prime }_{u}P||SK||T_{2})\stackrel {?}{=}M_{4}\). Then U_j computes \(M_{5}=h(K||d_{s}P||SK||T_{3})\) and sends {M_5, T_3} to S.

  • (6). S checks the freshness of T_3 and verifies \(h(K||d_{s}P||SK||T_{3})\stackrel {?}{=}M_{5}\). S authenticates U_j as U_i and accepts SK as the session key.

From the above discussion, Lu et al.'s scheme is vulnerable to user impersonation attack.

4 Proposed scheme

In this section, we propose an improved three-factor authentication scheme. The main change is that the value h(x), which is common to all users, is replaced by the user-specific value h(ID_i||x): each user's card holds a different value, so a malicious user who extracts the value from his own card learns nothing about other users. In addition, the identity is transmitted as a pseudonym CID_i = E_x(ID_i||a) that is refreshed in every session. In the following, we describe the proposed scheme in detail; it has four phases (Figs. 1, 2 and 3).

Fig. 1 Registration Phase of Proposed Scheme

Fig. 2 Login and Authentication Phase of Proposed Scheme

Fig. 3 Password Change Phase of Proposed Scheme

4.1 Registration phase

A user U_i selects his identity and password and registers with the server S, which registers the user and issues a valid smart card in return.

  • The patient U_i generates a random number r, chooses his identity ID_i and password PW_i, and imprints his biometric B_i. He computes \(MP_{i}=PW_{i}\oplus H(B_{i})\oplus r\) and sends {ID_i, MP_i} to the server S through a secure channel.

  • The server S computes \(AID_{i}=h(ID_{i}||x)\), \(K_{i}=h(AID_{i})\) and \(V_{i}=AID_{i}\oplus MP_{i}\). Then S generates a random number a and computes \(CID_{i}=E_{x}(ID_{i}||a)\), where E_x denotes symmetric encryption under the key x. The server issues a smart card SC_i storing {K_i, V_i, CID_i, h(⋅), H(⋅)} to the patient U_i.

  • Upon receiving the smart card, U_i computes \(R_{i}=r\oplus h(ID_{i}||PW_{i}||H(B_{i}))\) and stores R_i in SC_i.

4.2 Login and authentication phase

A legal user with a valid smart card can establish a secure and authenticated session with the server. In this phase, the user and the server first authenticate each other and then agree on a session key that can be used for the secure transmission of data.

  • U_i first inserts SC_i into the card reader and enters his identity ID_i, password PW_i and biometric B_i. Then SC_i computes \(r=R_{i}\oplus h(ID_{i}||PW_{i}||H(B_{i}))\), \(MP_{i}=PW_{i}\oplus H(B_{i})\oplus r\) and \(AID_{i}=V_{i}\oplus MP_{i}\), and checks whether \(h(AID_{i})\stackrel {?}{=}K_{i}\). If it holds, go to the next step.

  • SC_i generates a random nonce \(d_{u}\in Z_{p}\) and computes \(D=d_{u}P\), \(M_{1}=AID_{i}\oplus D\) and \(M_{2}=h(AID_{i}||D||T_{1})\), where T_1 is the current time stamp. SC_i transmits {M_1, M_2, CID_i, T_1} to the server.

  • After receiving the login request {M_1, M_2, CID_i, T_1}, S first checks the freshness of T_1 by verifying \(|T_{c}-T_{1}|<\Delta T\), where T_c is the current time. If so, S retrieves ID_i by decrypting CID_i with x and computes \(AID_{i}=h(ID_{i}||x)\). Then S calculates \(D=AID_{i}\oplus M_{1}\) and verifies whether \(M_{2}=h(AID_{i}||D||T_{1})\) holds. If so, the server generates a new random number \(a^{\prime }\) and a random \(d_{s}\in Z_{p}\), and computes \(E=d_{s}P\), \(CID^{\prime }_{i}=E_{x}(ID_{i}||a^{\prime })\), \(M_{3}=AID_{i}\oplus E\), \(SK=h(AID_{i}||d_{s}D||CID_{i})\) and \(M_{4}=h(CID^{\prime }_{i}||SK||E||T_{2})\), where T_2 is the current time. Then S sends \(\{M_{3}, M_{4}, CID^{\prime }_{i}, T_{2}\}\) to U_i.

  • Upon receiving \(\{M_{3}, M_{4}, CID^{\prime }_{i}, T_{2}\}\), SC_i checks the freshness of T_2. Then it extracts \(E=M_{3}\oplus AID_{i}\) and computes \(SK=h(AID_{i}||d_{u}E||CID_{i})\) and \(M^{\prime }_{4}=h(CID^{\prime }_{i}||SK||E||T_{2})\), and checks whether \(M^{\prime }_{4}=M_{4}\) holds. If so, SC_i replaces CID_i with \(CID^{\prime }_{i}\), computes \(M_{5}=h(E||SK||T_{3})\) and sends {M_5, T_3} to S.

  • S checks the validity of T_3 and verifies \(h(E||SK||T_{3})\stackrel {?}{=}M_{5}\). If both hold, S authenticates U_i and accepts SK as the session key.

4.3 Password change phase

A valid user with a smart card can change his password as follows:

  • U_i inserts the smart card into the device and inputs ID_i, PW_i and B_i.

  • SC_i computes \(r=R_{i}\oplus h(ID_{i}||PW_{i}||H(B_{i}))\), \(MP_{i}=PW_{i}\oplus H(B_{i})\oplus r\) and \(AID_{i}=V_{i}\oplus MP_{i}\), and checks \(h(AID_{i})\stackrel {?}{=}K_{i}\). If it holds, U_i inputs a new password \(PW^{new}_{i}\), a new biometric \(B^{new}_{i}\) and a new random number \(r^{new}\).

  • SC_i computes \(MP_{i}^{new}=PW^{new}_{i}\oplus H(B^{new}_{i})\oplus r^{new}\), \(V_{i}^{new}=AID_{i}\oplus MP_{i}^{new}\) and \(R^{new}_{i}=r^{new}\oplus h(ID_{i}||PW^{new}_{i}||H(B^{new}_{i}))\). Finally, it replaces R_i and V_i by \(R_{i}^{new}\) and \(V_{i}^{new}\), respectively.
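The following Python program is an added example, not code from Lu et al. or from this paper; it puts the insider attack of Section 3 next to the proposed login and authentication of Section 4 in running form. It assumes NIST P-256 as the curve with pure-Python affine arithmetic, h(⋅) = SHA-512 so that a hash value and an x||y point encoding are both 64 bytes and can be XORed, identities and passwords zero-padded to 64 bytes, H(B_i) modelled as the hash of a constructed biometric template, and E_x instantiated by a toy SHA-512 keystream with an HMAC tag standing in for the unspecified symmetric cipher; timestamps are omitted. The function names (lu_register, lu_insider, register, user_login, server_respond, user_finish, run_session) are this example's own.

```python
import hashlib, hmac, secrets

# NIST P-256 domain parameters (public constants); affine arithmetic in pure Python.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def ec_add(p1, p2):
    """Point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3*x1*x1 + A) * pow(2*y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")  # point as x||y
def dec(b): return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big"))
def h(*parts): return hashlib.sha512(b"||".join(parts)).digest()           # h(.), 64 bytes
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def ident(s): return s.encode().ljust(64, b"\0")                           # 64-byte identity
def scalar(): return secrets.randbelow(N - 1) + 1

# ---- Lu et al. (Sections 2-3): every card stores AID = ID xor h(x) ------------------
def lu_register(x, ID): return xor(ID, h(x))
def lu_insider(ID_j, AID_j, AID_i, M1):
    """A legal user U_j, using only his own card, breaks U_i's anonymity and session."""
    hx = xor(AID_j, ID_j)             # h(x) is identical on every card
    ID_i = xor(AID_i, hx)             # 3.1: U_i deanonymized from the public login message
    duP = xor(h(ID_i, hx), M1)        # 3.2/3.3: K = h(ID_i||h(x)) known, so d_u P and any
    return ID_i, duP                  #          forged M_3/M_4 or M_1/M_2 follow directly

# ---- Proposed scheme (Section 4): AID_i = h(ID_i||x), CID_i = E_x(ID_i||a) -------------
def keystream(key, nonce, n):         # toy SHA-512 counter keystream (assumption, stands in for E_x)
    return b"".join(hashlib.sha512(key + nonce + bytes([c])).digest() for c in range(n // 64 + 1))[:n]
def E(key, pt):
    nonce = secrets.token_bytes(16); ct = xor(pt, keystream(key, nonce, len(pt)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def D(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("CID_i forged or corrupted")
    return xor(ct, keystream(key, nonce, len(ct)))

def register(x, ID, PW, HB):
    """Registration phase; returns the card contents {K_i, V_i, CID_i, R_i}."""
    r = secrets.token_bytes(64); MP = xor(xor(PW, HB), r); AID = h(ID, x)
    return {"K": h(AID), "V": xor(AID, MP), "CID": E(x, ID + secrets.token_bytes(16)),
            "R": xor(r, h(ID, PW, HB))}

def user_login(card, ID, PW, HB):
    r = xor(card["R"], h(ID, PW, HB)); AID = xor(card["V"], xor(xor(PW, HB), r))
    if h(AID) != card["K"]: raise ValueError("wrong identity, password or biometric")
    du = scalar(); Dp = enc(ec_mul(du, G))
    return AID, du, {"M1": xor(AID, Dp), "M2": h(AID, Dp), "CID": card["CID"]}

def server_respond(x, msg):
    ID = D(x, msg["CID"])[:64]; AID = h(ID, x); Dp = xor(AID, msg["M1"])
    if h(AID, Dp) != msg["M2"]: raise ValueError("M2 check failed")
    ds = scalar(); Ep = enc(ec_mul(ds, G)); CIDn = E(x, ID + secrets.token_bytes(16))
    SK = h(AID, enc(ec_mul(ds, dec(Dp))), msg["CID"])
    return SK, {"M3": xor(AID, Ep), "M4": h(CIDn, SK, Ep), "CID": CIDn}

def user_finish(card, AID, du, sent, resp):
    Ep = xor(resp["M3"], AID); SK = h(AID, enc(ec_mul(du, dec(Ep))), sent["CID"])
    if h(resp["CID"], SK, Ep) != resp["M4"]: raise ValueError("server not authenticated")
    card["CID"] = resp["CID"]          # pseudonym rotates: successive logins are unlinkable
    return SK, h(Ep, SK)               # M_5

def run_session(x, card, ID, PW, HB):
    """One full login/authentication; True if S accepts M_5 and both sides hold the same SK."""
    AID, du, msg = user_login(card, ID, PW, HB)
    SK_s, resp = server_respond(x, msg)
    SK_u, M5 = user_finish(card, AID, du, msg, resp)
    return h(xor(resp["M3"], AID), SK_s) == M5 and SK_u == SK_s

if __name__ == "__main__":
    x = secrets.token_bytes(32); ID, PW, HB = ident("alice"), ident("pw-1234"), h(b"minutiae")
    card = register(x, ID, PW, HB)
    print("mutual authentication with shared SK:", run_session(x, card, ID, PW, HB))
```

In lu_insider the attacker never touches x: the card-resident AID_j = ID_j ⊕ h(x) hands over h(x), which is the same for every user, and from there K and d_uP are one XOR away. In the proposed scheme the card yields only AID_j = h(ID_j||x), and the login message carries the ciphertext CID_i rather than an XOR-masked identity, so the same attacker learns neither ID_i nor AID_i; run_session also shows CID_i being replaced after each successful run.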

5 Security

This section gives the proof of correctness and security of our new authentication scheme.

5.1 Proof by BAN-logic

BAN logic [2] is a set of rules for reasoning about the beliefs of the legitimate principals involved in a protocol, and many researchers have used it to analyze the security of authentication schemes. In this section, we demonstrate that the proposed scheme works correctly, i.e. achieves its authentication goals, using BAN logic. The notations used in the analysis are defined as follows:

  • \(P|\equiv X\): The principal P believes the statement X, or P would be entitled to believe X.

  • \(\sharp (X)\): The formula X is fresh.

  • \(P\Rightarrow X\): The principal P has jurisdiction over the statement X.

  • \(P\triangleleft X\): The principal P sees the statement X.

  • \(P|\sim X\): The principal P once said the statement X.

  • (X, Y): The formula X or Y is one part of the formula (X, Y).

  • \(\langle X\rangle _{Y}\): The formula X is combined (xored) with the formula Y.

  • \((X)_{Y}\): The formula X is hashed under the key Y.

  • \(P \stackrel {K}{\longleftrightarrow } Q\): The principals P and Q share the key K.

The main logical postulates of BAN logic used below are:

  • the message-meaning rule: \( \frac {P|\equiv Q \stackrel {K}{\longleftrightarrow } P, P\triangleleft \langle X\rangle _{K}} {P|\equiv Q |\sim X} \)

  • the freshness-conjuncatenation rule: \( \frac {P|\equiv \sharp (X)} {P|\equiv \sharp (X,Y)}\)

  • the nonce-verification rule: \( \frac {P|\equiv \sharp (X), P|\equiv Q |\sim X} {P|\equiv Q |\equiv X} \)

  • the jurisdiction rule: \( \frac {P|\equiv Q\Rightarrow X, P|\equiv Q |\equiv X} {P|\equiv X}\)

  • the belief rule: \(\frac {P|\equiv (X,Y)} {P|\equiv X}\)

  • the seeing rule: \(\frac {P\triangleleft (X,Y)} {P\triangleleft X}\)

(2) Idealized scheme:

\(U: \langle D\rangle _{U\overset {AID}{\longleftrightarrow }S}, (U\overset {SK}{\longleftrightarrow }S, D, T_{1})_{U\overset {AID}{\longleftrightarrow }S}, T_{1}, (U\overset {SK}{\longleftrightarrow }S, T_{3})_{U\overset {AID}{\longleftrightarrow }S} \)

\(S: \langle E\rangle _{U\overset {AID}{\longleftrightarrow }S}, (U\overset {SK}{\longleftrightarrow }S, CID^{\prime }_{i}, E, T_{2})_{U\overset {AID}{\longleftrightarrow }S}, T_{2}\)

(3) Security goals

\(\text { G1: } U |\equiv S |\equiv (U\overset {SK}{\longleftrightarrow } S)\) \( \text { G2: } U |\equiv (U\overset {SK}{\longleftrightarrow } S)\) \( \text { G3: } S |\equiv U |\equiv (U\overset {SK}{\longleftrightarrow } S)\) \( \text { G4: } S |\equiv (U\overset {SK}{\longleftrightarrow } S)\)

(4) Initial premises

A.1 \(U |\equiv \sharp (T_{2})\)

A.2 \(S |\equiv \sharp (T_{1})\)

A.3 \(S |\equiv \sharp (T_{3})\)

A.4 \(U\ |\equiv U\overset {AID}{\longleftrightarrow } S\)

A.5 \(S\ |\equiv U\overset {AID}{\longleftrightarrow } S\)

A.6 \(U\ |\equiv S\Rightarrow (U\overset {SK}{\longleftrightarrow }S, CID^{\prime }_{i}, E, T_{2})\)

A.7 \(S\ |\equiv U\Rightarrow (U\overset {SK}{\longleftrightarrow }S, T_{3})\)

(5) Scheme analysis

Based on the above assumptions and the rules of BAN logic, we analyze the idealized form of the proposed scheme; the main steps of the proof are as follows:

s1. According to the message \(S\triangleleft (U\overset {SK}{\longleftrightarrow }S, T_{3})_{U \overset {AID}{\longleftrightarrow } S}\) and A.5, we apply the message-meaning rule to obtain:

$$S|\equiv U|\sim (U\overset{SK}{\longleftrightarrow}S, T_{3})$$

s2. From A.3 and s1, by the freshness-conjuncatenation rule and the nonce-verification rule we get:

$$S|\equiv U|\equiv (U\overset{SK}{\longleftrightarrow}S, T_{3})$$

G3. From s2, by the belief rule, we achieve the third goal:

$$S|\equiv U|\equiv U\overset{SK}{\longleftrightarrow}S$$

G4. From A.7 and s2, by the jurisdiction rule and then the belief rule, we obtain:

$$S|\equiv U\overset{SK}{\longleftrightarrow}S$$

s3. According to the message \(U\triangleleft (U\overset {SK}{\longleftrightarrow }S, CID^{\prime }_{i}, E, T_{2})_{U \overset {AID}{\longleftrightarrow }S}\) and A.4, we apply the message-meaning rule to obtain:

$$U |\equiv S|\sim (U\overset{SK}{\longleftrightarrow}S, CID^{\prime}_{i}, E, T_{2})$$

s4. From A.1 and s3, by the freshness-conjuncatenation rule and the nonce-verification rule we get:

$$U |\equiv S |\equiv (U\overset{SK}{\longleftrightarrow}S, CID^{\prime}_{i}, E, T_{2})$$

G1. From s4, by the belief rule, we obtain the first goal:

$$U |\equiv S |\equiv U\overset{SK}{\longleftrightarrow}S$$

G2. From A.6 and s4, by the jurisdiction rule and then the belief rule, we obtain:

$$U |\equiv U\overset{SK}{\longleftrightarrow}S$$

Hence, the BAN logic analysis shows that all four goals hold: the proposed scheme achieves mutual authentication between the user U and the server S, and both parties believe in the shared session key SK.

5.2 Formal security analysis

In this section, we demonstrate that our proposed scheme is provably secure against a probabilistic polynomial-time adversary \(\mathcal {A}\) in the random oracle model, in the sense that \(\mathcal {A}\) cannot derive the session key between a user and the server. We use the method of contradiction of [8]; similar proofs appear in [10, 22]. A formal security proof in the standard model is also possible, but in this paper we carry out the analysis in the random oracle model.

In order to apply the proof by contradiction, we assume that the following oracle is available to the adversary \(\mathcal {A}\):

  • Reveal: given a hash value y = h(x), this oracle unconditionally outputs the input string x.

Theorem 1

Under the assumption that the one-way hash function h(⋅) behaves like a random oracle, the proposed authentication scheme is secure against an adversary \(\mathcal {A}\) who tries to derive the user U_i's identity ID_i and the session key SK between U_i and S.

Proof

In the proof we first construct an adversary \(\mathcal {A}\) who tries to derive a legal user U_i's identity ID_i and the session key SK between U_i and the server S. The adversary \(\mathcal {A}\) uses the Reveal oracle to run the experiment \(EXP1^{HASH}_{\mathcal {A},SEUATPAS}\) given in Algorithm 1 for our new secure and efficient user anonymity-preserving three-factor authentication scheme, denoted SEUATPAS. The success probability of \(EXP1^{HASH}_{\mathcal {A},SEUATPAS}\) is defined as \(Succ1=|Pr[EXP1^{HASH}_{\mathcal {A},SEUATPAS}=1]-1|\). We define the advantage function of this experiment as \(Adv1(et_{1},q_{R})=\max _{\mathcal {A}}{Succ1}\), where the maximum is taken over all adversaries \(\mathcal {A}\) with execution time \(et_{1}\) and \(q_{R}\) queries to Reveal. Our protocol is secure against \(\mathcal {A}\) deriving U_i's identity ID_i and the session key SK if \(Adv1\le \epsilon \) for any sufficiently small \(\epsilon >0\).

Algorithm 1 \(EXP1^{HASH}_{\mathcal {A},SEUATPAS}\)

Consider the experiment \(EXP1^{HASH}_{\mathcal {A},SEUATPAS}\) in Algorithm 1. In this experiment, \(\mathcal {A}\) can derive the identity ID_i and the session key SK between U_i and S only if it has access to the Reveal oracle, i.e. only if it can invert the hash function h(⋅). This is computationally infeasible by the one-way property of h(⋅), that is \(Adv_{\mathcal {A}}^{HASH}(t)\leq \epsilon _{1}\) for any small \(\epsilon _{1}>0\). Therefore, our scheme is provably secure against \(\mathcal {A}\) deriving a user's identity ID_i and the session key SK between the user and the server. □

6 Comparison

In this section we discuss the security attributes and the performance of our proposed scheme and compare it with the previous schemes in [1, 18, 29, 30]. Table 2 lists the security attributes of these biometric-based authentication schemes and the flaws of each.

Table 2 Security attributes comparison of biometric based authentication schemes

In the tables, √ denotes that a scheme prevents the attack or satisfies the attribute, and × denotes that it fails to do so. From Table 2, the schemes [1, 29, 30] are vulnerable to off-line password guessing attacks: since passwords are kept short so that they can be remembered, an adversary can recover the correct password by an off-line exhaustive search. Arshad et al.'s scheme [1] cannot protect user anonymity, and the identity of an entity is leaked to the attacker, whereas an ID-based authentication scheme should ensure user anonymity and provide unlinkability. Wu et al.'s scheme [29] and Lu et al.'s scheme [18] cannot resist impersonation attacks, which means that an adversary can impersonate a legal user to access any service.

Table 2 also shows that in Yeh et al.'s scheme [30] and Arshad et al.'s scheme [1], once the server's master key is leaked, a malicious party can compute all previous session keys between a user and the server; these schemes do not provide strong forward secrecy. In Yeh et al.'s scheme [30], the server and the user do not verify the correctness of the session key. In general, a scheme with session key verification needs three message flows.

Table 3 compares the computation overhead of these schemes in the login and authentication phase, where \(T_{sym}\), \(T_{h}\), \(T_{mm}\), \(T_{M}\) and \(T_{A}\) denote the time complexity of a symmetric encryption/decryption, a hash or bio-hash function, a modular multiplication, an elliptic curve point multiplication and a point addition, respectively. Note that \(T_{M}>T_{A}>T_{mm}>T_{sym}>T_{h}\). Since the login and authentication phases are executed in every session while the registration and password change phases occur only once, we only discuss the computational cost of the login and authentication phases. Table 3 shows that our scheme needs less computation to achieve mutual authentication and key agreement than the schemes [1, 18, 29], and has almost the same cost as the protocol [30].

Table 3 Performance evaluation of biometric based authentication schemes

7 Conclusions

In this paper, we analyzed the security of Lu et al.'s biometric-based authentication scheme. We showed that their scheme is unable to protect user anonymity and is insecure against impersonation attacks: a legal but malicious user can impersonate any other user to access the services provided by the server, and can pose as the legitimate server to cheat an honest user. Moreover, we employed bio-hash functions and the elliptic curve Diffie-Hellman problem to propose a secure and efficient three-factor authentication protocol. The correctness of the new scheme is shown by BAN logic and its security is proven in the random oracle model. Finally, we compared our new authentication protocol with others in terms of efficiency and security attributes.