Abstract
Social networking is one of the major source of massive data. Such data is not only difficult to store, manipulate and maintain but it’s open access makes it security prone. Therefore, robust and efficient authentication should be devised to make it invincible against the known security attacks. Moreover, social networking services are intrinsically multi-server environments, therefore compatible and suitable authentication should be designed accordingly. Sundry authentication protocols are being utilized at the moment and many of them are designed for single server architecture. This type of remote architecture resists each user to get itself register with each server if multiple servers are employed to offer online social services. Recently multi-server architecture for authentication has replaced the single server architecture, and it enable users to register once and procure services from multiple servers. A short time ago, Lu et al. presented two authentication schemes based on three factors. Furthermore, both Lu et al.’s schemes are designed for multi-server architecture. Lu et al. claimed the schemes to be invincible against the known attacks. However, this paper shows that one of the Lu et al.’s scheme is susceptible to user anonymity violation and impersonation attacks, whereas Lu et al.’s second scheme is susceptible to user impersonation attack. Therefore an enhanced scheme is introduced in this paper. The proposed scheme is more robust than subsisting schemes. The proposed scheme is thoroughly verified and validated with formal and informal security discussion, and through the popular automated tool ProVerif. The in-depth analysis affirms that proposed scheme is lightweight in terms of computations while attaining mutual authentication and is invincible against the known attacks, hence is more suitable for automated big data analysis for social multimedia networking environments.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
Big data refers to the huge amount of data with complicated and diverse structure to be stored and analyzed for retrieving results. This kind of result retrieval is known as big data analysis, which is performed by disclosing concealed pattern and correlations present in the colossal data. Big data analysis is playing a vital role in present day businesses and contemporary science, because it helps organizations and companies to attain competitive benefits through deeper and wealthier insights into precious gigantic data. There are numerous sources for such gigantic data, social networking interaction is one of them. Huge social networking data storage, manipulation and transfer becomes difficult to manage and can be compromised by various security attacks therefore efficient authentication mechanism should be developed to make it more secure and reliable. Moreover social networking services are inherently multi-server environments, therefore authentication schemes must be specifically designed for multi-server architecture in order to maintain compatibility.
The first step was taken up by Lamport [35], by proposing password based authentication scheme. After that researchers proposed numerous authentication schemes based on password for various applications [36, 37, 49, 52]. Although password based authentication schemes are susceptible to a number of attacks but they laid the foundation for advance research in this area. Therefore, two factor authentication scheme are introduced in order to mitigate the security concerns of single factor authentication schemes [3–7, 14–22, 24–31, 44, 50, 53]. Two factor authentication utilize smart card along with password. Moreover, three factor authentication schemes are also introduced not only to improve the security of the transmission between the authentic users but also to provide the integrity and authenticity of the exchanged messages [1, 11, 23, 38–40, 45, 54]. Three factor authentication is achieved by utilizing biometrics along with smart card and password. However most of the authentication schemes are designed specifically for single server architecture, making it incompatible for multi-server architectures.
In 2014 [8] Chuang et al. introduced authentication scheme utilizing biometrics and smart card. They declared the scheme to be secure against the known attacks. Soon, Mishra et al. [46] identified that Chuang et al.’s scheme is not invincible to server spoofing, smart card stolen and impersonation attacks. Mishra et al. proposed authentication scheme using smart card and biometric and declared it to be secure against all security threats. Later on, Lu et al. [41, 42] recognized that Mishra et al.’s scheme is vulnerable to server spoofing and impersonation attacks and fails to provide forward secrecy. In response to Mishra et al.’s scheme Lu et al. introduced two independent three factors authentication schemes [41, 42] for multi-server architecture. Furthermore, Lu et al. declared that their schemes are invincible against the known attacks. However, this paper provide an evidence that Lu et al.’s both schemes can be compromised by the known attacks. We show that Lu et al.’s scheme-1 [41] is insecure against user anonymity violation and impersonation attacks, whereas Lu et al.’s scheme-2 [42] is insecure against user impersonation attack. This paper exhibits that by knowing the public identity of any other user, the unfair user of the system can impersonate him easily.
Rest of the paper is structured as follows: Section 2 presents notations used within the paper and primitive notions concerning one-way hash functions, BioHashing, basics of elliptic curve cryptography and the considered adversarial model. Section 3 presents review of two Lu et al.’s authentication schemes based on three factor for multi server environments, followed by their cryptanalysis performed in Section 4. The proposed scheme is discussed in Section 5. The formal and informal security analysis is performed in Section 6 followed by automated security validation in Section 7. The performance evaluation is shown in Section 8. The paper is concluded in Section 9.
2 Preliminaries
This section elaborates the notations user through out the paper and some basics relating to hash functions, BioHashing, elliptic curve cryptography and the common adversarial model.
2.1 Notations
We have listed all the notations used in the paper in Table 1.
2.2 BioHashing
The biometrics is the unique and quantifiable characteristic commonly utilized to identify and designate or recognize a particular human. Biometric is practically utilized for authentication purpose and demands the physical presence of a particular person in order to be authenticated. At each imprint, biometric features (such as fingerprint, retina, face recognition and iris recognition etc) may faintly differ from the actual one, leading towards frequent false rejections of legitimate user. Frequent false rejections of legitimate user in turn degrade the performance of the latent system. In 2004, Jin et al. [32] proposed a scheme to tenacity the problem of false rejection. Jin et al.’s scheme implements two factor authentication based on iterated inner product amid biometric characteristics and tokenized pseudo-random numbers. Moreover, in order to implement Jin et al.’s scheme multiple and explicit user codes are engendered and these explicit user codes are designated as BioHash codes. Recently, numerous BioHashing schemes has been introduced [2, 43]. BioHashing is verified to be the most suitable and compatible technique that can be utilized in tiny smart devices such as smart card and smart phone etc.
2.3 Hash functions
A collision resistant hash function \(H : \{0, 1\}^{*}\rightarrow Z_{q}^{*}\) takes arbitrary size string S t r as input and produces a fixed length code/value V = H(S t r). A secure hash function should posses following attributes:
-
A minor change in input (S t r) results a substantial change in out put V.
-
It is computationally easy to find V = H(S t r), given H(.) and S t r.
-
For given hash code V = H(S t r) and hash function H(.), finding the input S t r is computationally infeasible.
-
It is difficult to find two inputs S t r 1 ≠ S t r 2 such that H(S t r 1) = H(S t r 2). This property is known as collision resistance property.
Definition 1
[Collision resistant property for secure hash functions] Given a collision resistant secure hash function H(.). The probability that an adversary \(\mathcal {A}\) can find a pair (S t r 1 ≠ S t r 2) such that H(S t r 1) = H(S t r 2) is defined as \(Adv^{HASH}_{\mathcal {A}}(t)=Prb[(Str_{1},Str_{2}) \Leftarrow _{r} \mathcal {A} : (Str_{1}\neq Str_{2})\ and\ H(Str_{1})=H(Str_{2}) ]\), where \(\mathcal {A}\) is allowed to select a pair (S t r 1, S t r 2) at random. \(\mathcal {A}\)’s advantage is computed over the random choices made during polynomial time (t). The collision resistant property implies that \(Adv^{HASH}_{\mathcal {A}}(t)\leq \epsilon \) for any sufficiently small 𝜖 > 0.
2.4 Elliptic curve cryptography
A non singular elliptic cure y 2 = x 3 + a x + b mod p is the set of finite solutions E p (a, b) such that \((x,y)\in Z_{p}^{*} \times Z_{p}\), a, b are chosen carefully to accommodate 4a 3 + 27b 2 mod p ≠ 0 while p is a selected large prime number such that |p| ≥ 160 b i t s. The scalar multiplication over the curve is solicited as repeated addition i.e. k S = S + S + S + ......+S(k t i m e s), for a given point S and a scalar k. The parameters (a, b, p, S, k) must belong to finite field F p . E is considered as abelian group and a point at infinity O is termed as the identity element.
Definition 2
[Elliptic curve discrete logarithm problem (ECDLP)] Given two random point U, V ∈ E p (a, b), find a scalar x such that U = x V. The probability that a polynomial time (t) bound adversary \(\mathcal {A}\) can compute x is as follows: \(Adv_{\mathcal {A}}^{ECDLP}(t) = Prb[(\mathcal {A}(U=xV, V) = x: x\in Z_{p}]\). The ECDLP assumption implies that \(Adv_{\mathcal {A}}^{ECDLP}(t)\leq \epsilon \).
2.5 Adversarial model
In this paper, we consider the common adversarial model as mentioned in [4, 9, 12, 13]. Where according to capabilities of the adversary \(\mathcal {A}\), following assumptions are made:
-
1.
\(\mathcal {A}\) completely controls the public communication link. \(\mathcal {A}\) is able to intercept, replay, modify, remove or can send a new fabricated message.
-
2.
The information stored in a smart card can be extracted by \(\mathcal {A}\) using power analysis [33, 47] provided he has possession of the card.
-
3.
\(\mathcal {A}\) may be some outsider or some dishonest user of the system and knows all public parameters.
-
4.
\(\mathcal {A}\) knows the identities and public keys of the registered users and servers.
-
5.
It is assumed that all servers of the system are honest and \(\mathcal {A}\) is not allowed to compromise any server.
3 Review of Lu et al.’s schemes
In this section, we briefly review Lu et al.’s multi-server biometric based authentication schemes [41, 42] in Subsections 3.1 and 3.2 respectively.
3.1 Review of Lu et al.’s scheme-1 [41]
Lu et al.’s biometric based authentication scheme for multi-server environments [41] is illustrated in Fig. 1 and is elaborated in following three phases:
3.1.1 Registration phase
\(\mathcal {U}_{x}\) selects his identity I D u x , password P W u x and imprints his biometrics B I O u x . Further \(\mathcal {U}_{x}\) sends {I D u x , h(P W u x ∥H(B I O u x ))} to RC on a private channel. Upon reception, RC computes X u x = h(I D u x ∥y r s ) and V u x = h(I D u x ∥h(P W u x ∥H(B I O u x ))) and stores X u x , h(P S K r s ) and V u x in the smart card S C u x . RC sends smart card (S C u x ) to \(\mathcal {U}_{x}\). Upon reception of smart card, \(\mathcal {U}_{x}\) computes Y u x = h(P S K r s ) ⊕ x u x . Finally, smart card contains {X u x , Y u x , V u x , h(.)}.
3.1.2 Login and authentication phase
\(\mathcal {U}_{x}\) enters his smart card in specialized reader and inputs his biometric B I O u x , password P W u x and identity I D u x . Following steps are performed between the smart card (S C u x ) and the server \(\mathcal {S}_{y}\):
-
Step L1A1:
S C u x checks \(V_{ux}\underset {=}{?}h(ID_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\), if it is not true, session is aborted by S C u x . Otherwise, S C u x computes K = h(Y u x ⊕ x u x )∥S I D s y ) and M 1 = K⊕I D u x . Then S C u x generates a nonce M 2 = n u x ⊕ K, M 3 = K⊕h(P W u x ∥H(B I O u x )) and Z u x = h(X u x ∥n u x ∥h(P W u x ∥H(B I O u x )∥T 1)), where T 1 is the fresh time stamp.
-
Step L1A2:
Smart card S C u x sends {M 1, M 2, M 3, Z u x , T 1} to \(\mathcal {S}_{y}\).
-
Step L1A3:
\(\mathcal {S}_{y}\) upon receiving login message, checks the freshness of T 1, aborts the session if T 1 is not fresh. Otherwise, computes K = h(h(P S K r s )∥S I D s y ), n u x = M 2 ⊕ K, I D u x = K⊕M 1, X u x = h(I D u x ∥y r s ) and h(P W u x ∥H(B I O u x )) = M 3 ⊕ K.
-
Step L1A4:
\(\mathcal {S}_{y}\) verifies \(Z_{ux}\underset {=}{?}h(n_{ux}\|X_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\), if it is not true, \(\mathcal {S}_{y}\) aborts the session. Otherwise, \(\mathcal {S}_{y}\) selects a random number n s y and computes M 4 = n s y ⊕ h(n u x ∥X u x ∥h(P W u x ∥H(B I O u x ))), M 5 = h(I D u x ∥n u x ∥n s y ∥K∥T 2) and the session key S K y x = h(n u x ∥n s y ∥h(P W u x ∥N u x )). Further \(\mathcal {S}_{y}\) sends {M 4, M 5, T 2} to \(\mathcal {U}_{x}\), where T 2 is current time stamp.
-
Step L1A5:
Upon reception, \(\mathcal {U}_{x}\) checks the freshness of T 2, if T 2 is fresh \(\mathcal {U}_{x}\) computes n s y = M 4 ⊕ h(n u x ∥X u x ∥h(P W u x ∥H(B I O u x ))) and checks validity of \(M_{5} \underset {=}{?}h(ID_{ux}\|n_{ux}\|n_{sy}\|K\|T_{2})\). If it is not valid \(\mathcal {U}_{x}\) aborts the session. Otherwise, \(\mathcal {U}_{x}\) computes the session key S K x y = h(I D u x ∥n u x ∥n s y ∥K) and M 6 = h(S K x y ∥I D u x ∥n s y ∥T 3). Finally \(\mathcal {U}_{x}\) sends M 6, T 3 to \(\mathcal {S}_{y}\), where T 3 is current time stamp.
-
Step L1A6:
\(\mathcal {S}_{y}\) upon receiving the message checks \(M_{6} \underset {=}{?} h(SK_{yx}\|ID_{ux}\|n_{sy}\|T_{3})\) if it holds, \(\mathcal {S}_{y}\) considers \(\mathcal {U}_{x}\) as authenticated. The session key shared among both is:
$$ SK_{xy}=h(ID_{ux}\|n_{ux}\|n_{sy}\|K)=SK_{yx} $$(1)
3.1.3 Password change phase
To change password, \(\mathcal {U}_{x}\) enters his smart card in the reader, then inputs his password P W u x , identity I D u x and biometrics B I O u x . The smart card verifies \(V_{ux}\underset {=}{?}h(ID_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\), if it is true \(\mathcal {U}_{x}\) is asked to enter his new password \(PW_{ux}^{new}\) the smart card computes \(V_{ux}^{new}=h(ID_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\) and replaces V u x by \(V_{ux}^{new}\).
3.2 Review of Lu et al.’s scheme-2 [42]
In this section, we briefly review Lu et al.’s scheme-2 [42] . Lu et al. employed public key techniques to achieve user anonymity and forward secrecy. Their scheme involves three participants: a user \(\mathcal {U}_{x}\), a server \(\mathcal {S}_{y}\) and the registration center RC. The scheme is illustrated in Fig. 2. We further elaborate Lu et al.’s scheme by following three phases:
3.2.1 Registration phase
Registration involves following three steps: \(\mathcal {U}_{x}\) selects his identity I D u x , password P W u x , a random number N u x along with his master private key x u x . Then \(\mathcal {U}_{x}\) scans his biometrics B I O u x . Further \(\mathcal {U}_{x}\) sends {I D u x , h(P W u x , N u x )} to RC on a private channel. RC computes R u x = h(I D u x ∥h(P W u x ∥N u x )) and personalizes the smart card S C u x by {R u x , h(P S K r s )}, where P S K r s is the shared secret key between RC and \(\mathcal {S}_{y}\). RC using private channel sends S C u x to \(\mathcal {U}_{x}\). Upon receiving smart card, \(\mathcal {U}_{x}\) computes X u x = h(P S K r s )⊕x u x , B u x = N u x ⊕ H(B I O u x ). Then \(\mathcal {U}_{x}\) deletes h(P S K r s ) from smart card (S C u x ) and stores X u x and B u x in the smart card (S C u x ). Finally the smart card (S C u x ) contains {R u x , X u x , B u x , h()}.
3.2.2 Login and authentication phase
During login phase \(\mathcal {U}_{x}\) inserts his S C u x into card reader, imprints his biometrics (B I O u x ) and submits I D u x and P W u x . The steps performed by S C u x and \(\mathcal {S}_{y}\) are as follows:
-
Step L1A1:
S C u x computes N u x = B u x ⊕ H(B I O u x ) and \(R_{ux}^{\prime }=h(ID_{ux}\|h(PW_{ux}\|N_{ux}))\).
-
Step L1A2:
S C u x verifies \(R_{ux}\underset {=}{?}h(ID_{ux}\|h(PW_{ux}\|N_{ux}))\), if not true, S C u x aborts the session.
-
Step L1A3:
S C u x generates a random number n s y and computes \(M_{1}=E_{Pub_{sy}}(ID_{ux},n_{ux},h(PW_{ux}\|N_{ux}))\) and M 2 = h((X u x ⊕ x u x )∥n u x ∥h(P W u x ∥N u x ))
-
Step L1A4:
Further, S C u x sends login message {M 1, M 2} to \(\mathcal {S}_{y}\).
-
Step L1A5:
For the received login message, \(\mathcal {S}_{y}\) using his private key decrypts M 1 to get (I D u x , n u x , h(P W u x ∥N u x )).
-
Step L1A6:
\(\mathcal {S}_{y}\) checks whether \(M_{2}\underset {=}{?}h(h(PSK_{rs})\|n_{ux}\|h(PW_{ux}\|N_{ux}))\), if not true \(\mathcal {S}_{y}\) aborts the session. Otherwise, \(\mathcal {S}_{y}\) selects a random number n s y and computes M 3 = n s y ⊕ h(n u x ∥I D u x ∥h(P W u x ∥N u x )), the session key S K y x = h(n u x ∥n s y ∥h(P W u x ∥N u x )) and M 4 = h(I D u x ∥n u x ∥S K y x ∥h(P W u x ∥N u x )). Further \(\mathcal {S}_{y}\) sends {M 3, M 4} to \(\mathcal {U}_{x}\).
-
Step L1A7:
For the received login message, \(\mathcal {U}_{x}\) computes n s y = M 3 ⊕ h(n u x ∥I D u x ∥ h(P W u x ∥N u x )) and session key S K x y = h(n u x ∥n s y ∥h(P W u x ∥N u x )). \(\mathcal {U}_{x}\) then checks \(M_{4} \underset {=}{?}h(ID_{ux}\|n_{ux}\|SK_{xy}\|h(PW_{ux}\|N_{ux}))\). If it holds, \(\mathcal {U}_{x}\) ponders \(\mathcal {S}_{y}\) as authenticated.
-
Step L1A8:
Finally, \(\mathcal {U}_{x}\) computes and sends M 5 = h(S K x y ∥I D u x ∥n s y ∥h(P W u x ∥N u x )) to \(\mathcal {S}_{y}\).
-
Step L1A9:
\(\mathcal {S}_{y}\) checks \(M_{5} \underset {=}{?} h(h(SK_{yx}\|ID_{ux}\|n_{sy}\|h(PW_{ux}\|N_{ux}))\) if it holds, \(\mathcal {S}_{y}\) ponders \(\mathcal {U}_{x}\) as authenticated.
The computed shared key between \(\mathcal {U}_{x}\) and \(\mathcal {S}_{y}\) is:
3.2.3 Password change phase
\(\mathcal {U}_{x}\) inserts his smart card (S C u x ) in specialized reader. \(\mathcal {U}_{x}\) then inputs I D u x , P W u x and B I O u x . S C u x computes N u x = B u x ⊕ H(B I O u x ) and checks R u x = h(I D u x ∥h(P W u x ∥N u x )), if it holds S C u x asks for new password. \(\mathcal {U}_{x}\) inputs new password \(PW_{ux}^{new}\). S C u x computes \(R_{ux}^{new}=h(ID_{ux}\|h(PW_{ux}^{new}\|N_{ux}))\). Finally S C u x replaces R u x by \(R_{ux}^{new}\).
4 Cryptanalysis of Lu et al.’s schemes
This section performs cryptanalysis of Lu et al.’s schemes. We show that Lu et al’s scheme-1 is vulnerable to: (1) user anonymity violation attack and (2) user impersonation attack. Likewise, we show that Lu et al.’s scheme-2 is vulnerable to user impersonation attack.
4.1 Weaknesses of Lu et al.’s scheme-1
4.1.1 User anonymity violation attack
To mount a successful user impersonation attack, initially an attacker \(\mathcal {A}\) selects his identity I D u a , password P W u a , biometrics B I O u a and his own secret key x u a . Then \(\mathcal {A}\) registers to the system and obtains a smart card containing X u a = h(I D u a ∥y r s ), V u a = h(I D u a ∥h(P W u a ∥H(B I O u a ))) and Y u a = h(P S K r s )⊕x u a . \(\mathcal {A}\) performs following steps for the successful anonymity violation attack:
-
Step L1A1:
\(\mathcal {A}\) extracts h(P S K r s ) as follows:
$$ h(PSK_{rs})=x_{ua}\oplus Y_{ua} $$(3) -
Step L1A2:
When \(\mathcal {U}_{x}\) initiates the authentication requests by sending Z u x , M 1, M 2, M 3, T 1 to \(\mathcal {S}_{y}\). \(\mathcal {A}\) intercepts the message and computes:
$$\begin{array}{@{}rcl@{}} &&K=h(h(PSK_{rs}\|SID_{sy})) \end{array} $$(4)$$\begin{array}{@{}rcl@{}} &&n_{ux}=M_{2}\oplus K \end{array} $$(5)$$\begin{array}{@{}rcl@{}} &&ID_{ux}=K\oplus M_{1} \end{array} $$(6)
In (6) I D u x is the real identity of user \(\mathcal {U}_{x}\). Hence \(\mathcal {A}\) has successfully break the anonymity of \(\mathcal {U}_{x}\).
4.1.2 User impersonation attack
Here, we prove that Lu et al.’s scheme-1 is vulnerable to impersonation attack. We show that an adversary \(\mathcal {A}\) can impersonate any other registered user of the system if he becomes able to steal his smart card. Initially \(\mathcal {A}\) extracts X u x = h(I D u x ∥y r s ) out of a stolen smart card. Then he performs following steps to impersonate himself as \(\mathcal {U}_{x}\):
-
Step L1A1:
\(\mathcal {A}\) computes:
$$\begin{array}{@{}rcl@{}} &&K=h(h(PSK_{rs}\|SID_{sy})) \end{array} $$(7)$$\begin{array}{@{}rcl@{}} &&M_{1}= K \oplus ID_{ux} \end{array} $$(8) -
Step L1A2:
\(\mathcal {A}\) generates two random numbers n u a and P u a . Then generates time stamp T 1 and computes:
$$\begin{array}{@{}rcl@{}} &&M_{2}=n_{ua}\oplus K \end{array} $$(9)$$\begin{array}{@{}rcl@{}} &&M_{3}= K \oplus P_{ua} \end{array} $$(10)$$\begin{array}{@{}rcl@{}} &&Z_{ua}= h(X_{ux}\|n_{ua}\|P_{ua}\|T_{1}) \end{array} $$(11) -
Step L1A3:
\(\mathcal {A}\) sends {Z ua , M 1, M 2, M 3, T 1} to \(\mathcal {S}_{y}\).
-
Step L1A4:
\(\mathcal {S}_{y}\) upon receiving login message, checks the freshness of T 1, as T 1 is freshly generated so \(\mathcal {S}_{y}\) computes:
$$\begin{array}{@{}rcl@{}} &&K=h(h(PSK_{rs})\|SID_{sy}) \end{array} $$(12)$$\begin{array}{@{}rcl@{}} &&n_{ua}=M_{2}\oplus K \end{array} $$(13)$$\begin{array}{@{}rcl@{}} &&ID_{ux}=K\oplus M_{1} \end{array} $$(14)$$\begin{array}{@{}rcl@{}} &&X_{ux}=h(ID_{ux}\|y_{rs}) \end{array} $$(15)$$\begin{array}{@{}rcl@{}} &&P_{ua}=M_{3}\oplus K \end{array} $$(16) -
Step L1A5:
\(\mathcal {S}_{y}\) verifies \(Z_{ux}\underset {=}{?}h(n_{ua}\|X_{ux}\|P_{ua})\) and finds it true. \(\mathcal {S}_{y}\) then selects a random number n s y and computes:
$$\begin{array}{@{}rcl@{}} &&M_{4}=n_{sy} \oplus h(n_{ua}\|X_{ux}\|P_{ua})) \end{array} $$(17)$$\begin{array}{@{}rcl@{}} &&M_{5}=h(ID_{ux}\|n_{ua}\|n_{sy}\|K\|T_{2}) \end{array} $$(18)$$\begin{array}{@{}rcl@{}} &&SK_{yx}=h(n_{ua}\|n_{sy}\|P_{ua})) \end{array} $$(19) -
Step L1A6:
Further \(\mathcal {S}_{y}\) sends {M 4, M 5, T 2} to \(\mathcal {U}_{x}\), where T 2 is current time stamp.
-
Step L1A7:
Upon reception, \(\mathcal {A}\) computes:
$$\begin{array}{@{}rcl@{}} &&n_{sy}=M_{4}\oplus h(n_{ua}\|X_{ux}\|P{ua}) \end{array} $$(20)$$\begin{array}{@{}rcl@{}} &&SK_{xy}=h(ID_{ux}\|n_{ua}\|n_{sy}\|K) \end{array} $$(21)$$\begin{array}{@{}rcl@{}} &&M_{6}=h(SK_{xy}\|ID_{ux}\|n_{sy}\|T_{3}) \end{array} $$(22) -
Step L1A8:
Finally \(\mathcal {A}\) sends M 6, T 3 to \(\mathcal {S}_{y}\), where T 3 is current time stamp. \(\mathcal {S}_{y}\) upon receiving the message checks \(M_{6} \underset {=}{?} h(SK_{yx}\|ID_{ux}\|n_{sy}\|T_{3})\) and finds it true.
Hence, \(\mathcal {A}\) has successfully deceived \(\mathcal {S}_{y}\) by impersonating himself as \(\mathcal {U}_{x}\). The session key shared among both is:
4.2 Weaknesses of Lu et al.’s scheme-2
This section elaborates the weaknesses of Lu et al.’s scheme-2 against user impersonation attack. We show that a dishonest legal user \(\mathcal {A}\) can easily masquerade himself as an other honest user \(\mathcal {U}_{x}\) considering the common adversarial model as mentioned in Subsection 2.5.
4.2.1 User impersonation attack
Let \(\mathcal {A}\) be a legal user having smart card S C u a and wants to impersonate himself as another user \(\mathcal {U}_{x}\). Following steps will be performed by \(\mathcal {A}\) for a successful forgery attack to \(\mathcal {S}_{y}\):
-
Step L1A1:
\(\mathcal {A}\) extracts the information stored in S C u a and computes:
$$ h(PSK_{rs})= X_{ua}\oplus x_{ua} $$(24) -
Step L1A2:
\(\mathcal {A}\) generates two random number n u a and P u a and computes:
$$\begin{array}{@{}rcl@{}} &&M_{\bar{1}}=E_{Pub_{sy}}(ID_{ux},n_{ua},P_{ua}) \end{array} $$(25)$$\begin{array}{@{}rcl@{}} &&M_{\bar{2}}=h((X_{ua}\oplus x_{ua})\|n_{ua}\|P_{ua}) \end{array} $$(26) -
Step L1A3:
\(\mathcal {A}\) sends \(M_{\bar {1}}\) and \(M_{\bar {2}}\) as login message to \(\mathcal {S}_{j}\).
-
Step L1A4:
For the received login message, \(\mathcal {S}_{y}\) decrypts \(M_{\bar {2}}\) to obtain:
$$\begin{array}{@{}rcl@{}} (ID_{ux},n_{ua},P_{ua})=D_{Pri_{sy}}(M_{\bar{1}}) \end{array} $$(27) -
Step L1A5:
\(\mathcal {S}_{y}\) further verifies \(M_{\bar {2}}\underset {=}{?} h(h(PSK_{rs})\|n_{ua}\|P_{ua})\) and finds it to be true.
-
Step L1A6:
\(\mathcal {S}_{y}\) further selects n s y and computes:
$$\begin{array}{@{}rcl@{}} && M_{3}=n_{sy} \oplus h(n_{ua}\|ID_{ux}\|P_{ua}) \end{array} $$(28)$$\begin{array}{@{}rcl@{}} && SK_{yx}=h(n_{ux}\|n_{sy}\|P_{ua}) \end{array} $$(29)$$\begin{array}{@{}rcl@{}} && M_{4}=h(ID_{ux}\|n_{ua}\|SK_{yx}\|P_{ua}) \end{array} $$(30) -
Step L1A7:
\(\mathcal {S}_{y}\) sends M 3 and M 4 to \(\mathcal {U}_{x}\) as response message.
-
Step L1A8:
\(\mathcal {A}\) intercepts the message and computes:
$$\begin{array}{@{}rcl@{}} &&n_{sy}=M_{3}\oplus h(n_{ua}\|ID_{ux}\|P_{ua}) \end{array} $$(31)$$\begin{array}{@{}rcl@{}} &&SK_{xy}=h(n_{ua}\|n_{sy}\|P_{ua}) \end{array} $$(32)$$\begin{array}{@{}rcl@{}} &&M_{5}=h(SK_{xy}\|ID_{ux}\|n_{sy}\|P_{ua}) \end{array} $$(33) -
Step L1A9:
\(\mathcal {A}\) sends M 5 to \(\mathcal {S}_{y}\).
-
Step L1A10:
\(\mathcal {S}_{y}\) checks \(M_{5} \underset {=}{?} h(h(SK_{yx}\|ID_{ux}\|n_{sy}\|P_{ua})\) and finds it to be true.
Hence, \(\mathcal {A}\) successfully deceived \(\mathcal {S}_{y}\) by impersonating himself as \(\mathcal {U}_{x}\). The shared key between \(\mathcal {A}\) and \(\mathcal {S}_{y}\) is:
5 Proposed scheme
In this section, we propose an improved and secure biometric based three factor authentication scheme for social multimedia networks to overcome the weaknesses of Lu et al.’s schemes. The proposed scheme is depicted in Fig. 3 and is explained in following four subsections:
5.1 Initialization
In this phase system parameters are selected by registration server. Initially registration server RC selects an elliptic curve E p (a, b) mod p, a base point P over E p (a, b), a one way hash function h(.), BioHashing H(.) and a shared key with all servers P S K r s . Finally RC publishes system public parameters E p (a, b),h(.),H(.).
5.2 Registration phase
In this phase both the users and servers registers with the registration server. Following two subsections describes the process of registration:
5.2.1 Server registration
To register with the system, a server \(\mathcal {S}_{y}\) selects his identity S I D s y and his private key P r i s y . Then \(\mathcal {S}_{y}\) computes his public key P u b s y = P r i s y .P and sends his identity S I D s y and his public key P u b s y to RC. Upon reception, RC shares the secret key P S K r s with \(\mathcal {S}_{y}\) and publishes \(\mathcal {S}_{y}\)’s public key P u b s y .
5.2.2 User registration
User registration involves following three steps:
-
Step L1A1:
\(\mathcal {U}_{x}\) selects his identity I D u x , password P W u x and scans his biometrics B I O u x . Further \(\mathcal {U}_{x}\) sends {I D u x , h(P W u x ∥H(B I O u x ))} to RC on a private channel.
-
Step L1A2:
Upon reception, RC computes V u x = h(I D u x ∥h(P W u x ∥H(B I O u x ))) and h(P S K r s ∥I D u x ) and stores h(P S K r s ∥I D u x ) and V u x in the smart card S C u x . RC sends smart card (S C u x ) to \(\mathcal {U}_{x}\).
-
Step L1A3:
Upon reception of smart card, \(\mathcal {U}_{x}\) computes Y u x = h(P S K r s ∥I D u x )⊕h(P W u x ∥I D u x ∥H(B I O u x )). Finally, smart card contains {Y u x , V u x , h(.)}.
5.3 Login and authentication Phase
Login phase starts when a user \(\mathcal {U}_{x}\) enters his S C u x into card reader, embosses his biometrics (B I O u x ) and enters I D u x and P W u x . The subsequent steps accomplished by S C u x and \(\mathcal {S}_{y}\) are as under:
-
Step L1A1:
S C u x calculates h(I D u x ∥h(P W u x ∥H(B I O u x ))) and confirms \(V_{ux}\underset {=}{?}h(ID_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\) , if condition does not hold, S C u x terminates the session.
-
Step L1A2:
S C u x produces a random number r u x and calculates K = r u x .P u b s y , M 1 = r u x .P and M 2 = I D u x ⊕ K.
-
Step L1A3:
Moreover, S C u x produces a random number n u x and calculates M 3 = n u x ⊕ h(Y u x ⊕ h(P W u x ∥I D u x ∥H(B I O u x ))∥S I D s y ) and Z u x = h(h(P S K r s ∥I D u x )∥n u x ∥K∥T 1).
-
Step L1A4:
Thereafter, S C u x transmits login message {Z u x , M 1, M 2, M 3, T 1} to \(\mathcal {S}_{y}\).
-
Step L1A5:
On getting login message, \(\mathcal {S}_{y}\) verifies freshness of T 1.
-
Step L1A6:
\(\mathcal {S}_{y}\) calculates K = M 1.P r i s y with his private key and also calculates I D u x = M 2 ⊕ K and n u x = M 3 ⊕ h(h(P S K r s ∥I D u x )∥S I D s y ).
-
Step L1A7:
\(\mathcal {S}_{y}\) verifies \(Z_{ux}\underset {=}{?}h(h(PSK_{rs}\|ID_{us})\|n_{ux}\|K\|T_{1})\), if not holds, \(\mathcal {S}_{y}\) terminates the session. Otherwise, \(\mathcal {S}_{y}\) generates a random number n s y and calculates M 4 = n s y ⊕ K, M 5 = h(I D u x ∥n u x ∥n s y ∥K∥T 2) and the session key S K y x = h(I D u x ∥n u x ∥n s y ∥K). Further \(\mathcal {S}_{y}\) sends {M 4, M 5, T 2} to \(\mathcal {U}_{x}\).
-
Step L1A8:
On receiving login message, \(\mathcal {U}_{x}\) verifies freshness of T 2. computes n s y = M 4 ⊕ K and confirms \(M_{5} \underset {=}{?}h(ID_{ux}\|n_{ux}\|n_{sy}\|K\|T_{2})\), if holds, \(\mathcal {U}_{x}\) cogitates \(\mathcal {S}_{y}\) as authenticated. Then session key is computed as S K x y = h(I D u x ∥n u x ∥n s y ∥K).
-
Step L1A9:
After that, \(\mathcal {U}_{x}\) calculates M 6 = h(S K x y ∥I D u x ∥n s y ∥T 3) and and transmits {M 6, T 3} to \(\mathcal {S}_{y}\).
-
Step L1A10:
\(\mathcal {S}_{y}\) checks the freshness of T 3 and verifies \(M_{6} \underset {=}{?} h(SK_{yx}\|ID_{ux}\|n_{sy}\|T_{3})\) if it holds, \(\mathcal {S}_{y}\) cogitates \(\mathcal {U}_{x}\) as authenticated.
The derived shared key between \(\mathcal {U}_{x}\) and \(\mathcal {S}_{y}\) is:
5.4 Password change phase
\(\mathcal {U}_{x}\) inserts his smart card (S C u x ) in specialized reader. \(\mathcal {U}_{x}\) then inputs I D u x , P W u x and B I O u x . S C u x computes N u x = B u x ⊕ H(B I O u x ) and checks R u x = h(I D u x ∥h(P W u x ∥N u x )), if it hold S C u x asks for new password. \(\mathcal {U}_{x}\) inputs new password \(PW_{ux}^{new}\). S C u x computes \(R_{ux}^{new}=h(ID_{ux}\|h(PW_{ux}^{new}\|N_{ux}))\) and \(X_{ux}^{new}=X_{ux}\oplus h(PW_{ux}\|ID_{ux}\|N_{ux})\oplus h(PW_{ux}^{new}\|ID_{ux}\|N_{ux}^{new})\) Finally, S C u x replaces R u x and X u x by \(R_{ux}^{new}\) and \(X_{ux}^{new}\).
6 Security analysis
The formal security analysis followed by security discussion is performed in this section. Further, protocol verification thorough automated tool ProVerif is also substantiated here.
6.1 Formal security
To demonstrate formally, that proposed scheme is secure, we adopted the same analysis as mentioned in [46, 48]. Following oracles are defined for analysis purpose:
-
Reveal: This oracle unconditionally outputs a string S from the one way hash function R = h(S).
-
Extract: This oracle unconditionally outputs the scalar multiplier k out of a given elliptic curve points O = k P and P.
Theorem 1
The proposed biometric based multi server authentication scheme is secure for an attacker \(\mathcal {A}\) to stanch \(\mathcal {U}_{x}\) ’s identity (ID ux ), the parameter K, the session key SK xy and the shared key PSK rs between RC and \(\mathcal {S}_{y}\) considering one way hash function as random oracle and under the hardness assumption of ECDLP.
Proof
Let \(\mathcal {A}\) be an adversary having capabilities to compute \(\mathcal {U}_{x}\)’s I D u x , the secret session parameter K the session key S K x y and the shared key P S K r s between RC and \(\mathcal {S}_{y}\). \(\mathcal {A}\) simulates both oracles Reveal and Extract to run the algorithmic experiment \(EXPE1^{HASH,ECDLP}_{\mathcal {A},TFBAMS}\) against our proposed three factor biometric based authentication scheme for multi server environments (TFBAMS). The success probability for the mentioned experiment is defined as \(Succe_{1}=|Prb[EXPE1^{HASH,ECDLP}_{\mathcal {A},TFBAMS}=1]-1|\). \(\mathcal {A}\)’s advantage is solicited as \(Advt1_{\mathcal {A},TFBAMS}^{HASH,ECDLP}(t,q_{rev},q_{ext})=max_{\mathcal {A}}(Succe_{1})\), where \(\mathcal {A}\) is allowed to make at maximum q r e v Reveal and q e x t Extract queries. Referring to the experiment \(\mathcal {A}\) can compute I D u x , K, S K x y and P S K r s , if he can (i) invert the hash function and (ii) solve the ECDLP. However, referring to Definition 1 it is computationally infeasible to invert a secure one way hash function, similarly by Definition 2 it is computationally infeasible to solve ECDLP. Hence, we have \(Advt1_{\mathcal {A},TFBAMS}^{HASH,ECDLP}(t,q_{rev},q_{ext})\leq \epsilon \). Therefore, proposed three factor biometric bases authentication scheme for multi server environments is secure against an adversary \(\mathcal {A}\) to computes \(\mathcal {U}_{x}\)’s I D u x , the secret session parameter K the session key S K x y and the shared key P S K r s between RC and \(\mathcal {S}_{y}\). □
Theorem 2
The proposed biometric based multi server authentication scheme is secure for an attacker \(\mathcal {A}\) to stanch \(\mathcal {U}_{x}\) ’s biometrics H(BIO ux ), identity (ID ux ), password PW ux and the security parameter h(PSK rs ∥ID ux ) considering one way hash function as random oracle for the stolen smart card attack.
Proof
Let \(\mathcal {A}\) be an adversary having capabilities to stanch \(\mathcal {U}_{x}\)’s biometrics H(B I O u x ), identity (I D u x ), password P W u x and the security parameter h(P S K r s ∥I D u x ) out of a stolen smart card. \(\mathcal {A}\) simulates Reveal oracle to run the algorithmic experiment \(EXPE2^{HASH}_{\mathcal {A},TFBAMS}\) against our proposed three factor biometric bases authentication scheme for multi server environments (TFBAMS). The success probability for the mentioned experiment is defined as \(Succe_{2}=|Prb[EXPE2^{HASH}_{\mathcal {A},TFBAMS}=1]-1|\). \(\mathcal {A}\)’s advantage is solicited as \(Advt2_{\mathcal {A},TFBAMS}^{HASH}(t,q_{rev}=max_{\mathcal {A}}(Succe_{2})\), where \(\mathcal {A}\) is allowed to make at maximum q r e v Reveal queries. Referring to the experiment, \(\mathcal {A}\) can compute H(B I O u x ), I D u x , P W u x and P S K r s , if he can invert the hash function. However, referring to Definition 1 it is computationally infeasible to invert a secure one way hash function. Hence, we have \(Advt2_{\mathcal {A},TFBAMS}^{HASH}(t,q_{rev})\leq \epsilon \). Therefore, proposed three factor biometric bases authentication scheme for multi server environments is secure against an adversary \(\mathcal {A}\) to computes \(\mathcal {U}_{x}\)’s biometrics H(B I O u x ), identity (I D u x ), password P W u x and the security parameter h(P S K r s ∥I D u x ) out of a stolen smart card. □
6.2 Further security discussion
In this subsection, we informally describes the security functionalities provided by proposed scheme. Table 2 illustrates a security comparison of proposed scheme with related existing schemes [8, 41, 42, 46].
6.2.1 Anonymity and privacy
In our proposed biometric scheme the user \(\mathcal {U}_{x}\)’s identity I D u x is not sent over public network rather M 1 and M 2 are sent to \(\mathcal {S}_{y}\). These two parameters are freshly generated for each session. The anonymity can only be broken if an adversary can compute K, but it can be seen that K can be computed only be the use of \(\mathcal {S}_{y}\)’s private key. Hence, proposed scheme preserves anonymity and untraceability Table 2.
6.2.2 Mutual authentication
\(\mathcal {S}_{y}\) authenticates \(\mathcal {U}_{x}\) by checking \(Z_{ux}\underset {=}{?}h(h(PSK_{rs}\|ID_{ux})\|n_{ux}\|K\|T_{1})\). Computation of Z u x involves h(P S K r s ∥I D u x ) which requires the smart card as well as password P W u x and the biometrics B I O u x of \(\mathcal {U}_{x}\). Therefore to deceive \(\mathcal {S}_{y}\), the adversary needs \(\mathcal {U}_{x}\)’s password, biometric as well as his smart card. Likewise, \(\mathcal {U}_{x}\) authenticates \(\mathcal {S}_{y}\) by checking \(M_{5} \underset {=}{?}h(ID_{ux}\|n_{ux}\|n_{sy}\|K\|T_{2})\) which requires the computation of \(\mathcal {U}_{x}\)’s identity I D u x , the session parameter n u x and K. I D u x and K can be computed only by using \(\mathcal {S}_{y}\)’s private key as mentioned in Subsection 6.2.1, while n u x can be computed by using h(h(P S K r s ∥I D u x )∥S I D s y ) which requires the shared secret key between \(\mathcal {S}_{y}\) and RC. So in order to deceive \(\mathcal {U}_{x}\), the adversary needs \(\mathcal {S}_{y}\)’s private key P r i s y as well as the shared key h(P S K r s ) between \(\mathcal {S}_{y}\) and RC. Hence only legal user can pass authentication test from server and vice versa. Therefore, proposed scheme provides proper mutual authentication.
6.2.3 User and server impersonation attacks
Only legal user can generate legal authentication request message {Z u x , M 1, M 2, M 3, T 1} and response message {M 6, T 3}, similarly only legal server can respond with challenge message {M 4, M 5, T 2} as proved in Subsection 6.2.2. Hence, user and server impersonation attacks are not feasible on proposed scheme.
6.2.4 Smart card theft/stolen attack
Let us assume, the adversary by using some means becomes able to acquire \(\mathcal {U}_{x}\)’s smart card. The adversary further extracts the parameters V u x = h(I D u x ∥h(P W u x ∥H(B I O u x ))), Y u x = h(P S K r s ∥I D u x )⊕h(P W u x ∥I D u x ∥H(B I O u x )) and h(.). Then to compute the secret parameter h(P S K r s ∥I D u x ), the adversary needs P W u x and B I O u x . Hence, the stolen smart card will not benefit the adversary for forgery.
6.2.5 Replay attack
If some adversary after intercepting the login request message {Z u x , M 1, M 2, M 3, T 1}, replays it later on. The server \(\mathcal {S}_{y}\) after receiving the message will check the freshness of time stamp T 1, as the time stamp is old dated, \(\mathcal {S}_{y}\) will simply discard the message. Therefore, replay attack is not viable on proposed scheme.
6.2.6 Perfect forward secrecy
The computed session key between \(\mathcal {S}_{y}\) and \(\mathcal {U}_{x}\) contains share (n s y , n u x ) from both the participants respectively. So even if the long term private key of \(\mathcal {S}_{y}\) or \(\mathcal {U}_{x}\)’s password is revealed to the attacker it will not benefit to compute previous session keys. Therefore, proposed scheme possesses perfect forward secrecy.
6.2.7 Insider and stolen verifier and attacks
For the proposed scheme, \(\mathcal {S}_{y}\) does not store any parameter related to \(\mathcal {U}_{x}\)’s password (P W u x ) or his biometrics (B I O u x ), as there is no verifier table so no stolen verifier attack is possible. Likewise, \(\mathcal {U}_{x}\) does not send his password (P W u x ) or his biometrics B I O u x in plain text. Hence, no insider will have any advantage to expose his password or biometrics.
6.2.8 Password guessing attack
For the proposed scheme, the information relating to \(\mathcal {U}_{x}\)’s password is protected by his identity I D u x , BioHashed biometrics H(B I O u x ) further it is XORed with h(P S K r s ∥I D u x ). Moreover, there is no parameter stored in smart card to check the validity of guessed password by adversary. Hence no offline password guessing attack is feasible on proposed scheme. Likewise, the system incorporates built in maximum number of login requests, which ensures no online password guessing attack.
7 Verification through ProVerif
The purpose of verification tools for cryptographic protocols is to confirm the robustness of the protocols against active and passive adversaries having some knowledge of the cryptographic parameters. ProVerif is an applied π calculus based automated verification tool to validate the security of cryptographic protocols against knowledgeable attackers. ProVerif can prove a number of security properties like: reachability, secrecy, authentication and so on. [4, 10, 51]. We have implemented the login and authentication steps of the proposed protocol as illustrated in Fig. 3 and explained in Subsection 5.3. The formal verification model of ProVerif consists of following three parts. (1) Declaration is used for defining names, constants, variables and cryptographic operations. We have shown declaration part in Fig. 4a. (2) Process part is reserved for defining processes involved in protocol execution. As illustrated in Fig. 4b we have defined two processes: server process (ServerSy) and user process (UserUx). (3) Main part simulates the protocol execution, as shown in Fig. 4c, we simulate parallel execution of two processes along with definition of two events to verify reach-ability property. Finally, we simulate three queries. The results are as follows:
-
1.
RESULT inj-event(end_Serversy(id)) ==> inj-event(begin_Serversy(id)) is true.
-
2.
RESULT inj-event(end_Userux(id1114)) ==> inj-event(begin_Userux(id 1114)) is true.
-
3.
RESULT not attacker(SKxy[]) is true.
The results (1) and (2) validates that both user and server processes started and terminated normally, which confirms the correctness and reach-ability properties. While (3) verifies that the session key (SKxy[]) is not exposed to adversary. Hence Proposed protocol possesses reach-ability as well as secrecy and authentication properties.
8 Performance comparisons
This section presents performance assessment of the proposed scheme against two Lu et al.’s pertinent schemes. Recently, Lu et al. presented two schemes based on biometrics for multi-server environments and professed that their schemes provide security against the known threats. This paper suggests that Lu et al.’s schemes do not provide invincibility against few known attacks. The first scheme of Lu et al fails retaliate against user anonymity violation and impersonation attacks, whereas their second scheme is vulnerable against impersonation attack. The the proposed scheme’s performance is equated with both the schemes of Lu et al. in Table 3. Following Notations are used for computation cost analysis:
-
T O h refers to accumulated execution time of one-way hash operation.
-
T R e refers to accumulated execution time of RSA encryption.
-
T R d refers to accumulated execution time of RSA decryption.
-
T E p m refers to elliptic curve point multiplication.
As per Kilinc and Yanik [34] experiment on a personal computer involving a processor with Dual CPU E2200 2.20 GHz along with RAM size of 2048MB, the computation cost for T O h is approximately 0.0023m s, T R e is 3.8500m s, T R d is 0.1925m s and T E p m is 2.229m s. Kilinc and Yanik [34] experiment was performed on the Ubuntu Operating system and using PBC Library.
The comparison presented in Table 3 reveals that the proposed scheme is computationally inexpensive than scheme in [42]. While the proposed scheme is quite expensive than rest of the schemes [8, 41, 46]. Moreover proposed scheme provide invincibility against the known threats. It is further declared that only the proposed scheme resists the known attacks, while rest of the competing schemes [8, 41, 42, 46] are vulnerable to impersonation and/or other related attacks.
9 Conclusion
In this paper, we have cryptanalyzed two most recent biometric based multi factor authentication schemes proposed by Lu et al. We have proved both of their schemes to be vulnerable to impersonation attacks, additionally we have also showed that one of their scheme is also vulnerable to anonymity violation attack. Then we proposed an improved biometric based multi factor authentication scheme. The proposed scheme is proved to be robust against all known attacks. We have substantiated the security of proposed scheme using famous automated security validation tool ProVerif.
References
Awasthi AK, Srivastava K (2013) A biometric authentication scheme for telecare medicine information systems with nonce. J Med Syst 37(5):1–4
Belguechi R, Rosenberger C, Ait-Aoudia S (2010) Biohashing for securing minutiae template. In: 20th International Conference on Pattern Recognition (ICPR), 2010. IEEE, pp 1168–1171
Chaudhry S, Naqvi H, Shon T, Sher M, Farash M (2015) Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems. J Med Syst 39(6):66. doi:10.1007/s10916-015-0244-0
Chaudhry SA, Farash MS, Naqvi H, Kumari S, Khan MK (2015) An enhanced privacy preserving remote user authentication scheme with provable security. Secur Commun Netw 1–13. doi:10.1002/sec.1299
Chaudhry SA, Mahmood K, Naqvi H, Sher M (2015) A secure authentication scheme for session initiation protocol based on elliptic curve cryptography. In: The 13th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC 2015). IEEE, pp 1–5
Chaudhry SA, Mahmood K, Naqvi H, Khan MK (2015) An improved and secure biometric authentication scheme for telecare medicine information systems based on elliptic curve cryptography. Journal of Medical Systems 66. doi:10.1007/s10916-015-0335-y
Chaudhry SA, Naqvi H, Sher M, Farash MS, HassanM(2015) An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Netw Appl. doi:10.1007/s12083-015-0400-9
Chuang MC, Chen MC (2014) An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Syst Appl 41(4):1411–1418
Cao X, Zhong S (2006) Breaking a remote user authentication scheme for multi-server architecture. IEEE Commun Lett 10(8):580–581. doi:10.1109/LCOMM.2006.1665116
Chaudhry S, Farash M, Naqvi H, Sher M (2015) A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography. Electron Commer Res:1–27. doi:10.1007/s10660-015-9192-5
Das AK (2015) A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor. Int J Commun Syst. doi:10.1002/dac.2933
Dolev D, Yao AC (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208. doi:10.1109/TIT.1983.1056650
Eisenbarth T, Kasper T, Moradi A, Paar C, Salmasizadeh M, Shalmani M (2008) On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme. In: Advances in Cryptology, CRYPTO 2008, Lecture Notes in Computer Science, vol 5157, pp 203–220, DOI doi:10.1007/978-3-540-85174-5
Farash MS, Attari MA (2014) A secure and efficient identity-based authenticated key exchange protocol for mobile client–server networks. J Supercomput 69(1):395–411
Farash MS, Attari MA (2014) An anonymous and untraceable password-based authentication scheme for session initiation protocol using smart cards. Int J Commun Syst. doi:10.1002/dac.2848
Farash MS, Attari MA (2014) Cryptanalysis and improvement of a chaotic map-based key agreement protocol using chebyshev sequence membership testing. Nonlinear Dyn 76(2):1203–1213
He D, Zeadally S (2015) Authentication protocol for an ambient assisted living system. IEEE Commun Mag 53(1):71–77
He D, Kumar N, Chen J, Lee CC, Chilamkurti N, Yeo SS (2013) Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimed Syst 21(1):49–60
He D (2012) An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings. Ad Hoc Netw 10(6):1009–1016
He D, Kumar N, Chilamkurti N (2015) A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf Sci 321:263–277. doi:10.1016/j.ins.2015.02.010.
He D, Wang D (2015) Robust biometrics-based authentication scheme for multi server environment. IEEE Syst J 9(3):816–823
Heydari M, Sadough SMS, Farash MS, Chaudhry SA, Mahmood K (2015) A secure and efficient authenti-cated encryption for electronic payment systems using elliptic curve cryptography. Wirel Person Comm 2015. doi:10.1007/s11277-015-3123-6
He D, Kumar N, Lee JH, Sherratt R (2014) Enhanced three-factor security protocol for consumer usb mass storage devices. IEEE Trans Consum Electron 60(1):30–37. doi:10.1109/TCE.2014.6780922
Irshad A, Sher M, Faisal MS, Ghani A, Hassan M, Ch SA (2013) A secure authentication scheme for session initiation protocol by using ecc on the basis of the Tang and Liu scheme. Secur Commun Netw 7(8):1210–1218. doi:10.1002/sec.834
Irshad A, Sher M, Rehman E, Ch SA, Hassan M, Ghani A (2014) A single round-trip sip authentication scheme for voice over internet protocol using smart card. Multimed Tools Appl 74(11):3967–3984. doi:10.1007/s11042-013-1807-z
Islam S, Khan M (2014) Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems. J Med Syst 38 (10):135. doi:10.1007/s10916-014-0135-9
Islam SH (2015) Design and analysis of a three party password-based authenticated key exchange protocol using extended chaotic maps. Inf Sci 312:104–130
Islam SH (2014) Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps. Nonlinear Dyn 78(3):2261–2276
Islam SH (2014) A provably secure id-based mutual authentication and key agreement scheme for mobile multi-server environment without esl attack. Wirel Person Commun 79(3):1975–1991
Islam S, Khan MK (2014) Provably secure and pairing-free identity-based handover authentication protocol for wireless mobile networks. Int J Commun Syst. doi:10.1002/dac.2847
Jiang Q, Ma J, Tian Y (2014) Cryptanalysis of smart-card-based password authenticated key agreement protocol for session initiation protocol of zhang et al. Int J Commun Syst. doi:10.1002/dac.2767
Jin ATB, Ling DNC, Goh Ax (2004) Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn 37(11):2245–2255
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. Advances in Cryptology CRYPTO 99, Springer, pp 388–397
Kilinc HH, Yanik T (2014) A survey of sip authentication and key agreement schemes. IEEE Commun Surv Tutorials 16(2):1005–1023
Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772
Lu R, Lin X, Liang X, Shen X. (2012) A dynamic privacy-preserving key management scheme for location-based services in vanets. IEEE Trans Intell Trans Syst 13(1):127–139
Lu Y, Li L, Yang Y (2015) Robust and efficient authentication scheme for session initiation protocol. Math Probl Eng. doi:10.1155/2015/894549
Lu Y, Li L, Peng H, Yang Y (2015) An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem. J Med Syst 39(3):1–8
Li X, Niu J, Khan MK, Liao J, Zhao X (2014) Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Secur Comm Netw. doi:10.1002/sec.961
Li X, Khan M, Kumari S, Liao J, Liang W (2014) Cryptanalysis of a robust smart card authentication scheme for multi-server architecture. In: International Symposium on Biometrics and Security Technologies (ISBAST), 2014,. doi:10.1109/ISBAST.2014.7013106, pp 120–123
Lu Y, Li L, Yang X, Yang Y (2015) Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PloS ONE 10(5). doi:10.1371/journal.pone.0126323
Lu Y, Li L, Peng H, Yang Y (2015) A biometrics and smart cards-based authentication scheme for multi-server environments. Secur Commun Netw 1–10. doi:10.1002/sec.1246
Lumini A, Nanni L (2007) An improved biohashing for human authentication. Pattern Recogn 40(3):1057–1065
Mehmood Z, uddin N, Ch SA, Nasar W, Ghani A (2012) An efficient key agreement with rekeying for secured body sensor networks. In: Second International Conference on Digital Information Processing and Communications (ICDIPC), 2012. IEEE, pp 164–167
Mishra D, Kumari S, Khan MK, Mukhopadhyay S (2015) An anonymous biometric-based remote user authenticated key agreement scheme for multimedia systems. Int J Commun Syst. doi:10.1002/dac.2946
Mishra D, Das AK, Mukhopadhyay S (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 41(18):8129– 8143
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
Mir O, Nikooghadam M (2015) A secure biometrics based authentication with key agreement scheme in telemedicine networks for e-health services. Wirel Person Comm 83(4):2439–2461
Sun DZ, Huai JP, Sun JZ, Li JX, Zhang JW, Feng ZY (2009) Improvements of juang’s password-authenticated key agreement scheme using smart cards. IEEE Trans Indust Electron 56(6):2284–2291
Ul Amin N, Asad M, Din N, Ch SA (2012) An authenticated key agreement with rekeying for secured body sensor networks based on hybrid cryptosystem. In: 9th IEEE International Conference on Networking, Sensing and Control (ICNSC), 2012. IEEE, pp 118–121
Xie Q, Dong N, Wong DS, Hu B (2014) Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol. Int J Commun Syst. doi:10.1002/dac.2858
Zhao D, Peng H, Li L, Yang Y (2014) A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wirel Person Commun 78(1):247–269
Zhang L, Tang S, Cai Z (2014) Robust and efficient password authenticated key agreement with user anonymity for session initiation protocol-based communications. IET Commun 8(1):83– 91
Zhang M, Zhang J, Zhang Y (2015) Remote three-factor authentication scheme based on fuzzy extractors. Secur Commun Netw 8 (4):682–693. doi:10.1002/sec.1016
Acknowledgments
Author would like to thank Prof. Muhammad Arshad Zia, Mr, Shahzad Saddique Chaudhry, the anonymous reviewers and the editor for their valuable suggestions to improve the quality, correctness, presentation and readability of the manuscript.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Chaudhry, S.A. A secure biometric based multi-server authentication scheme for social multimedia networks. Multimed Tools Appl 75, 12705–12725 (2016). https://doi.org/10.1007/s11042-015-3194-0
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11042-015-3194-0