Abstract
Advances in communication and computation technologies have made it possible to connect large numbers of heterogeneous devices that offer specified services. Still, the advantages of this advancement are not realized completely because of inherent security issues. Most existing authentication mechanisms verify the legitimacy of a requesting user through a single server, which leads to multiple registrations and the storage of the corresponding credentials on the user side. Intelligent multimedia networks (IMN) may encompass a wide range of networks and applications. However, the privacy and security of IMN cannot be achieved through traditional single-server authentication systems with multiple sign-ons. Multi-server authentication systems enable a user to acquire services from multiple servers with a single registration and a single set of credentials (i.e. password, smart card, etc.), and can satisfy the security and privacy needs of IMN. In 2018, Barman et al. proposed a multi-server authentication protocol using fuzzy commitment. The authors claimed that their protocol provides anonymity while resisting all known attacks. In this paper, we show that Barman et al.'s protocol is still vulnerable to an anonymity violation attack and to an impersonation attack based on a stolen smart card; moreover, its login request is incomplete and the protocol is prone to scalability issues. We then propose an enhanced protocol to overcome the security weaknesses of Barman et al.'s scheme. The security of the proposed protocol is verified using BAN logic and the widely accepted automated AVISPA tool. The BAN logic and AVISPA analyses, along with informal analysis, confirm the robustness of the scheme against all known attacks.
1 Introduction
The multi-server environment provides convenient and suitable online services. Unlike conventional single-server authentication, the multi-server environment provides single sign-on without registering with multiple servers and without keeping multiple secret passwords and identities. The multi-server architecture relies on a centralized trusted registration authority, responsible for registering the servers and users, which in return enables servers and users to communicate with each other without hassle. Each user keeps only one secret password and one identity. Common use of a multi-server environment requires an efficient and robust user authentication protocol to establish a secure connection between the requesting user and the service providers. In 1981, Lamport [27] presented the first authentication protocol based on a server database containing the password of each registered user. Because the verifier is stored in the server database, Lamport's protocol is subject to the stolen verifier attack. Over time, many researchers proposed protocols to resolve the stolen verifier attack [4, 22]. Wu et al. [48] presented a smart card-based authentication protocol; later He et al. [14] noticed that Wu's protocol is vulnerable to insider and impersonation attacks. Wu et al. [48] then presented an improved and enhanced protocol based on He et al.'s protocol. Later Zhu et al. [49] found that the protocol of He et al. still has some weaknesses, such as an offline password guessing attack. Anticipating the failure and/or unsuitability of two-factor authentication protocols, many researchers proposed fingerprint-based three-factor authentication protocols to enhance security [20, 21, 28, 29, 37]. Lee et al. [28] presented fingerprint-based authentication, enhancing security using three factors: 1) smart card, 2) fingerprint minutiae, and 3) user password.
Later, Lin et al. [29] claimed that Lee et al.'s protocol has weaknesses against spoofing and masquerade attacks, so they proposed an enhanced protocol based on Lee et al.'s protocol. Regretfully, Mitchell et al. [37] noticed that Lin et al.'s protocol still has some weaknesses. Mir and Nikooghadam [35] presented an enhanced biometrics-based authentication protocol and claimed that it provides security against well-known attacks (violation of user anonymity and untraceability, impersonation attacks, online password guessing attacks, etc.). Later, Chaudhry et al. [10] noticed that the protocol of Mir and Nikooghadam [35] suffers from a user anonymity attack as well as a stolen smart card attack. Unfortunately, Qi et al. [40] claimed that Chaudhry et al.'s [10] protocol still has some weaknesses, including non-resilience against denial of service attack; moreover, the protocol in [10] lacks perfect forward secrecy. In 2016, Wang et al. [47] proposed another biometric-based multi-server authentication and key agreement protocol based on Mishra et al.'s protocol. Wang et al. claimed that their protocol provides various security features along with user revocation/re-registration and biometric information protection. Soon, Reddy et al. [44] showed that Wang et al.'s [47] protocol is vulnerable to server impersonation, user impersonation and insider attacks, as the protocol shares the user credential with the server. Qi et al. [39] proposed yet another authenticated key-exchange protocol and claimed that it provides security against well-known attacks. Later, Reddy et al. [43] noticed some vulnerabilities in the protocol of Qi et al., such as a session key leakage attack, a user impersonation attack, an insider attack, and loss of user anonymity. Some other developments were also proved either incorrect or insecure in [16, 19, 30, 33, 38, 42].
In 2018, Barman et al. [6] proposed a multi-server authentication protocol using fuzzy commitment. The authors of [6] claimed that their protocol provides various security features, such as confidentiality of the user identity and biometric data, mutual authentication and session key establishment between user and servers; besides this, the authors also claimed that their protocol is secure against the known attacks. However, the in-depth analysis in this article shows that the protocol of Barman et al. faces some serious security threats. We show that the protocol proposed by Barman et al. is vulnerable to an anonymity violation attack and to an impersonation attack based on a stolen smart card. Moreover, their protocol is not practicable owing to scalability issues. We then propose an enhanced protocol to overcome the security weaknesses of Barman et al.'s protocol. We analyze the security of the proposed protocol through formal and informal analysis. In the formal analysis, we use BAN logic and the AVISPA tool (a well-known and widely accepted automated tool for security analysis). The informal analysis of security features also shows the robustness of the proposed protocol.
2 Preliminaries
A brief review of the basics of the fuzzy commitment technique, one-way hash functions, error correction coding, and revocable template generation is given in the following subsections:
2.1 Fuzzy commitment
Fuzzy commitment, as proposed by Juels and Wattenberg [23], is a method to hide a secret under a witness and to release the concealed secret later in the presence of the witness. In the registration/enrollment phase, a randomly generated key \(K_c\) is encoded into the codeword \(C_w = \aleph_{enc}(K_c)\), where \(\aleph_{enc}\) is an error correction technique that allows an equivalent match to be recovered over a noisy channel. When a user imprints his biometric, a binary string \(C_{T_{u}}\) is generated from it and is used to conceal the codeword through an XOR operation: \(C_{T_{u}} \oplus C_{w} = H_{public}\). The system stores only \(H_{public}\) and the hash of the key, \(h(K_c)\). In the authentication phase \(H_{public}\) is available, so a legitimate user imprints his/her biometric to unlock \(C_w\).
2.2 Hash function
A hash function \(h:\ X\ \xrightarrow {}\ Y\) is a deterministic mapping from the set \(X = \{0,1\}^{*}\) of strings of variable length to the set \(Y = \{0,1\}^{t}\) of strings of fixed length, with the following properties:
- For any input \(a \in X\), \(h(a)\) is easy to compute, in polynomial time; moreover, \(h(\cdot)\) is deterministic.
- A small change in the input \(a \in X\) results in an output completely uncorrelated with \(h(a)\).
- One-way property: given the message digest \(h(a)\) of some \(a \in X\), it is difficult to find the message \(a\).
- Weak collision resistance: for any given input \(a \in X\), it is difficult to find another \(a^{*} \in X\) such that \(h(a) = h(a^{*})\).
- Strong collision resistance: it is difficult to find any two inputs \(a, a^{*} \in X\) with \(a \neq a^{*}\) such that \(h(a) = h(a^{*})\).
2.3 Revocable template generation
A revocable template [41] provides privacy and revocability of the user biometric. Using a transformation parameter \(TP_u\) and a transformation function \(f(\cdot)\), the user biometric data is converted into a cancelable template \(CT_u = f(BIO_u, TP_u)\) with the following properties:
1. Collision-free property: if \(CT_u = f(BIO_u, TP_u)\) and \(CT_k = f(BIO_k, TP_k)\), then \(CT_u \neq CT_k\) for \(BIO_u \neq BIO_k\). Moreover, if \(CT_n = f(BIO, TP_n)\) and \(CT_m = f(BIO, TP_m)\), then \(CT_n \neq CT_m\) for \(TP_n \neq TP_m\).
2. Intra-user variability property: two different templates \(CT_u = f(BIO_u, TP_u)\) and \(CT^{\prime }_{u} = f(BIO^{\prime }_{u}, TP_{u})\) can be generated from the same fingerprint.
3. Revocation of biometric: if the user biometric is compromised, a new template can be generated using a new transformation parameter \(TP^{new}_{u}\) with the same transformation function \(f(\cdot)\).
4. User privacy: a cancelable template should protect the confidentiality of the user; moreover, the template should not reveal information about the original biometric of the user.
2.4 Error correction technique
In a biometric template, intra-user variation is treated as error. To remove the errors in a noisy biometric image, an error correction technique [17] is applied to the user biometric template. At enrollment/registration time the template \(CT_{enrol_{u}} = f(BIO_{enrol_{u}},TP_{u})\) is generated, and at authentication time it is matched against the query template \(CT_{query_{u}} = f(BIO_{query_{u}},TP_{u})\). The difference between the two is measured by the Hamming distance \( e = HamDis(CT_{enrol_{u}}, CT_{query_{u}})\).
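The enrolment/unlock cycle of Sections 2.1 and 2.4 as an added example (not code from the page or from Barman et al.): a repetition code stands in for the unspecified \(\aleph_{enc}/\aleph_{dec}\), SHA-256 for \(h(\cdot)\), and the 80-bit templates and the 16-bit key are constructed values.

```python
import hashlib
import secrets

REPEAT = 5  # repetition-code length: majority decoding corrects up to 2 flipped bits per key bit

def enc(key_bits):
    """Stand-in for the encoder N_enc (assumption): repeat every key bit REPEAT times."""
    return [b for b in key_bits for _ in range(REPEAT)]

def dec(codeword):
    """Stand-in for the decoder N_dec: majority vote over each group of REPEAT bits."""
    groups = [codeword[i:i + REPEAT] for i in range(0, len(codeword), REPEAT)]
    return [1 if 2 * sum(g) > REPEAT else 0 for g in groups]

def xor_bits(a, b):
    assert len(a) == len(b), "template and codeword must have the same length"
    return [x ^ y for x, y in zip(a, b)]

def hamming_distance(a, b):
    """e = HamDis(CT_enrol, CT_query) of Section 2.4."""
    return sum(x != y for x, y in zip(a, b))

def h(bits):
    """The one-way hash h(.) applied to a bit string."""
    return hashlib.sha256(bytes(bits)).hexdigest()

def random_key(n_bits):
    return [secrets.randbits(1) for _ in range(n_bits)]

def enrol(ct_enrol, key_bits):
    """Commit K_c under the enrolment template; only (H_public, h(K_c)) is stored."""
    codeword = enc(key_bits)                  # C_w = N_enc(K_c)
    h_public = xor_bits(ct_enrol, codeword)   # H_public = C_T ^ C_w
    return h_public, h(key_bits)

def unlock(h_public, key_hash, ct_query):
    """Release K_c from a query template, or None if it is too far from the enrolment one."""
    noisy_codeword = xor_bits(h_public, ct_query)  # = C_w ^ (CT_enrol ^ CT_query)
    key_candidate = dec(noisy_codeword)            # the decoder absorbs the template noise
    return key_candidate if h(key_candidate) == key_hash else None

def flip(bits, positions):
    """Constructed noisy query template: flip the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

# Constructed sample: a 16-bit key committed under an 80-bit cancelable template.
KEY = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
CT_ENROL = [int((i * 7 + 3) % 3 == 0) for i in range(16 * REPEAT)]
H_PUBLIC, KEY_HASH = enrol(CT_ENROL, KEY)

if __name__ == "__main__":
    near = flip(CT_ENROL, [0, 1, 9, 42])      # 2 errors in group 0, 1 each in groups 1 and 8
    far = flip(CT_ENROL, [0, 1, 2, 9, 42])    # 3 errors in group 0: beyond the code's capacity
    print(hamming_distance(CT_ENROL, near), unlock(H_PUBLIC, KEY_HASH, near) == KEY)
    print(hamming_distance(CT_ENROL, far), unlock(H_PUBLIC, KEY_HASH, far))
```

Only \(H_{public}\) and \(h(K_c)\) are kept, so a query template whose Hamming distance exceeds the code's correction capacity in any group yields a wrong key and is rejected by the hash check.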
2.5 Threat model
According to the well-known and widely accepted Dolev-Yao (DY) threat model [15], an attacker not only listens to the communication between two participants but can also modify or delete any message on the open channel. An attacker can also extract the secret credentials of a legitimate user from a stolen smart card through a power analysis attack [25, 34]. The second adversarial model is the Canetti and Krawczyk (CK) model, which is considered the de facto standard for authentication and key exchange protocols. According to [9], the CK adversary not only follows the DY model but is also able to obtain session keys and session states. Precisely, an adversary with the following capabilities [11, 12] is considered:
1. The channel is under the full control of the adversary, who can intercept the communicated messages and can replay the original message or modify it. The adversary can also generate and transmit a fake message.
2. User and server identities are public.
3. The adversary can launch a power analysis attack and is able to steal the verifier stored on the server/gateway, etc.
4. The private keys of all participants are considered non-compromised.
2.6 The contributions
1. We cryptanalyze the recent multi-server authentication protocol proposed by Barman et al. [6] and show its security issues and vulnerabilities.
2. We propose an enhanced authentication protocol using only symmetric cryptographic operations and fuzzy commitment.
3. The security of the proposed protocol is checked through BAN logic and the widely accepted AVISPA tool.
4. A security discussion and a comparison of the security features of the proposed protocol with related protocols, including Barman et al.'s protocol, is provided.
5. We also provide a comparative analysis of the computation and communication costs of the proposed protocol and competing related protocols.
3 Review of the protocol of Barman et al.
This section briefly reviews Barman et al.'s protocol [6]. The phases of the protocol are detailed in the subsections below, and the notations used in this paper are listed in Fig. 1.
3.1 Server registration phase
In Barman et al.'s protocol, initially all servers \(S_k\), \(1 \leq k \leq n\), register with the RC. \(S_k\) selects its identity \(SID_k\) and dispatches a registration request to the RC. The RC computes and sends a secret key \(PSK_k = h(SID_{k}||X_{c})\) to each \(S_k\). The RC may also provide for another \(n^{\prime}\) servers that may register with the RC in future. Therefore, the RC chooses an identity \(SID_S\) for each future server and generates the shared key \(PSK_S = h(SID_{S} || X_{c})\) for \(n+1 \leq S \leq n + n^{\prime }\). The server identities (for all \(n + n^{\prime }\) servers) along with their corresponding keys, \(\{(SID_{k},PSK_{k}) | 1 \leq k \leq n + n^{\prime}\}\), are stored in the RC database.
3.2 User registration phase
The detailed steps of the user registration phase are as follows:
1. Initially, \(U_u\) registers with the RC, via a protected channel, to obtain services. \(U_u\) selects \(ID_u\), \(PW_u\) and a transformation parameter \(TP_u\) along with a random number \(Rc_u\). \(U_u\) also imprints his biometric \(BIO_u\).
2. \(U_u\) produces the cancelable biometric template using the transformation function, \(CT_u = f(BIO_u, TP_u)\), and computes \(RPW_u = h(PW_u||CT_u)\) and \(r_u = h(Rc_u||ID_u||PW_u)\). \(U_u\) then generates a random secret \(k_u\) and sends the registration request \(\langle ID_u, RPW_u \oplus k_u \rangle\) to the RC via a protected channel.
3. After checking the validity of \(ID_u\), the RC computes \(US_k = h(ID_u||PSK_k)\), \(AM_k = US_k \oplus (RPW_u \oplus k_u)\), \(SV_k = h(SID_k||PSK_k)\) and \(BM_k = SV_k \oplus RPW_u \oplus k_u\) for all servers. The RC issues a smart card \(SC_u\) holding \(\{(SID_{k}, AM_{k}, BM_{k})| 1 \leq k \leq (n + n^{\prime })\}\) and sends it to \(U_u\) via a protected channel.
4. Using the error correction technique \(\aleph\), \(U_u\) encodes \(Rc_u\) into the codeword \(R_{cod} = \aleph_{enc}(Rc_u)\) and computes \(H_u = CT_u \oplus R_{cod}\), \(R = h(Rc_u)\) and \(P = h(r_u)\). \(U_u\) then computes \(AM_{uk} = (AM_k \oplus k_u) \oplus r_u\) and \(BM_{uk} = (BM_k \oplus k_u) \oplus r_u\) for all servers, and stores \(\{(AM_{uk}, BM_{uk}) | 1 \leq k \leq (n + n^{\prime })\}\), \(TP_u\), \(H_u\), \(R\), \(P\), \(h(\cdot)\), \(\aleph_{enc}(\cdot)\), \(\aleph_{dec}(\cdot)\) in the smart card \(SC_u\). \(U_u\) removes \(Rc_u\), \(BIO_u\), \(CT_u\), \(r_u\), \(AM_k\) and \(BM_k\) for security reasons.
3.3 Login phase
The detailed steps of the login request are as follows:
1. \(U_u\) inserts the smart card into the terminal and provides the credentials \(ID_u\), \(PW_u\) and \(BIO^{\prime }_{u}\) for authentication.
2. The smart card \(SC_u\) generates the cancelable fingerprint \(CT^{\prime }_{u} = f(BIO^{\prime }_{u}, TP_{u})\), extracts \(R^{\prime }_{cod} = H_{u} \oplus CT^{\prime }_{u} \) and then decodes \(R^{\prime }_{cod}\) using the error correction technique, \(Rc^{\prime }_{u} = \aleph _{dec}(R^{\prime }_{cod})\). \(SC_u\) compares \(h(Rc^{\prime }_{u})\) with the value \(R\) stored in \(SC_u\). If they are equal it proceeds further; otherwise it terminates the session.
3. \(SC_u\) computes \(r^{\prime }_{u} = h(Rc^{\prime}_{u} || ID_{u} || PW_{u})\) and checks whether \(h(r^{\prime }_{u}) = h(r_{u})\); if so it proceeds further, otherwise \(SC_u\) terminates the session.
4. \(SC_u\) computes \(US_{k} = AM_{uk} \oplus h(PW_{u} || CT_{u}) \oplus r^{\prime }_{u} = h(ID_{u} || PSK_{k}) \) and \(SV_{k} = BM_{uk} \oplus h(PW_{u} || CT_{u}) \oplus r^{\prime }_{u} = h(SID_{k} || PSK_{k})\). \(SC_u\) selects \(R_u\), generates \(T_1\), and computes \(M^{\prime }_{1} = h(ID_{u}||US_{k})\), \(M^{\prime }_{2} = ID_{u} \oplus h(SV_{k}||T_{1})\), \(M^{\prime}_{3} = M^{\prime}_{1} \oplus R_{u}\) and \(M^{\prime}_{4} = h(ID_{u}||M^{\prime }_{1}||M^{\prime }_{2} || T_{1}||R_{u})\).
5. Finally, \(SC_u\) sends the request \( \langle M^{\prime }_{2}, M^{\prime }_{3}, M^{\prime }_{4}, T_{1} \rangle \) to the server \(S_k\).
3.4 Mutual authentication and key agreement phase
The mutual authentication and key agreement phase consists of the following steps:
1. \(S_k\) receives the login request \( \langle M^{\prime }_{2}, M^{\prime }_{3}, M^{\prime }_{4}, T_{1} \rangle \) at time \(T^{\prime }_{1}\) and, after verifying the allowable time delay \(|T^{\prime }_{1} - T_{1}|\), computes \(M^{\prime }_{5} = M^{\prime }_{2} \oplus h(h(SID_{k}||PSK_{k})||T_{1})\), \(M^{\prime }_{6} = h(M^{\prime }_{5}||h(M^{\prime }_{5}||PSK_{k})) \), \(M^{\prime }_{7} = M^{\prime }_{3} \oplus M^{\prime }_{6} = R_{u}\) and \(M^{\prime }_{8} = h(M^{\prime }_{5}||M^{\prime }_{6}||M^{\prime }_{2}||T_{1}||M^{\prime }_{7})\). If \(M^{\prime }_{8} \neq M^{\prime }_{4}\), \(S_k\) cancels the login request; otherwise it proceeds further.
2. \(S_k\) selects a random number \(R_s\), generates \(T_3\) and computes \(M^{\prime }_{9} = h(h(M^{\prime }_{5}||PSK_{k})||R_{u}) \oplus R_{s}\), the session key \(SK_{uk} = h(M^{\prime }_{5}||h(SID_{k}||PSK_{k})||R_{u}||R_{s}||T_{1}||T_{3})\) and \(M^{\prime }_{10} = h(h(M^{\prime }_{5}||PSK_{k})||SK_{uk}||T_{3}||R_{s})\), and sends \( \langle M^{\prime }_{9},M^{\prime }_{10},T_{3} \rangle \) to \(U_u\).
3. \(U_u\) receives \( \langle M^{\prime }_{9}, M^{\prime }_{10},T_{3} \rangle \). After checking the delay of \(T_3\) against the current time \(T_c\), \(SC_u\) computes \(R^{\prime }_{s} = M^{\prime }_{9} \oplus h(US_{k}||R_{u})\), the session key \(SK^{\prime }_{uk} = h(ID_{u}||SV_{k}||R_{u}||R_{s}||T_{1}||T_{3})\) shared with \(S_k\), and \(M^{\prime }_{11} = h(US_{k}||SK^{\prime }_{uk}||T_{3}||R^{\prime }_{s})\). If \(M^{\prime }_{11} \neq M^{\prime }_{10}\), \(SC_u\) terminates the session. Otherwise, the session key \(SK_{uk}\) is established between \(U_u\) and \(S_k\).
3.5 Password and biometric template update phase
\(U_u\) provides the current credentials \(ID_u\), \(PW_u\) and \(BIO_u\), and the feature \(BIO^{\prime }_{u}\) is extracted from \(BIO_u\). \(SC_u\) then computes \(CT^{\prime }_{u} = f(BIO^{\prime }_{u},TP_{u})\) and \(Rc^{\prime }_{u} = \aleph _{dec}(H_{u} \oplus CT^{\prime }_{u})\) and checks whether \(h(Rc^{\prime }_{u}) = R\); if so, \(SC_u\) further computes \(r^{\prime }_{u} = h(Rc^{\prime }_{u}||ID_{u}||PW_{u})\) and checks whether \(h(r^{\prime }_{u}) = P\). If so it proceeds further; otherwise it terminates the request. \(SC_u\) then asks \(U_u\) to modify the password and biometric template:
1. To update the password, \(U_u\) inputs \(PW^{new}_{u}\). \(SC_u\) computes \(r^{new}_{u} = h(Rc^{\prime }_{u}||ID_{u}||PW^{new}_{u})\), \(AM^{new}_{uk} = AM_{uk} \oplus r^{\prime }_{u} \oplus r^{new}_{u} = h(ID_{u}||PSK_{k}) \oplus h(PW^{new}_{u}||CT_{u}) \oplus h(Rc^{\prime }_{u}||ID_{u}||PW^{new}_{u})\) and \( BM^{new}_{uk} = BM_{uk} \oplus r^{\prime }_{u} \oplus r^{new}_{u} = h(SID_{k}||PSK_{k}) \oplus h(PW^{new}_{u}||CT_{u}) \oplus h(Rc^{\prime }_{u}||ID_{u}||PW^{new}_{u})\) for \(1 \leq k \leq (n + n^{\prime })\), and \(P^{new} = h(r^{new}_{u})\). \(SC_u\) replaces its stored parameters \(\{AM_{uk}, BM_{uk}, P\}\) with the newly computed values \(\{AM^{new}_{uk} , BM^{new}_{uk}, P^{new}\}\).
2. To update the biometric template, \(SC_u\) requests a new transformation parameter from \(U_u\). \(SC_u\) replaces the old \(TP_u\) with the new \(TP^{new}_{u}\) and produces the new cancelable template \(CT^{new}_{u} = f(BIO^{\prime }_{u},TP^{new}_{u})\). \(SC_u\) also computes \(RPW^{new}_{u} = h(PW_{u}||CT^{new}_{u})\), \(AM^{new}_{uk} = AM_{uk} \oplus RPW_{u} \oplus RPW^{new}_{u} = h(ID_{u}||PSK_{k}) \oplus h(PW_{u}||CT^{new}_{u}) \oplus r^{\prime }_{u}\), \(BM^{new}_{uk} = BM_{uk} \oplus RPW_{u} \oplus RPW^{new}_{u} = h(SID_{k}||PSK_{k}) \oplus h(PW_{u}||CT^{new}_{u})\oplus r^{\prime }_{u}\), and the new helper data \(H^{new}_{u} = CT^{new}_{u} \oplus \aleph _{enc}(Rc^{\prime }_{u})\). Accordingly, the information \(\{AM_{uk}, BM_{uk}, H_{u}\}\) stored in \(SC_u\) is replaced by \(\{AM^{new}_{uk}, BM^{new}_{uk}, H^{new}_{u}\}\).
3.6 Smart card revocation phase
If the \(SC_u\) of an authorized user \(U_u\) is damaged, lost or stolen, \(U_u\) can obtain a new \(SC_u\) from the RC. \(U_u\) provides \(ID_u\) and \(PW_u\) and imprints \(BIO_u\). The steps are:
1. \(U_u\) computes \(CT^{\prime }_{u} = f(BIO_{u},TP_{u})\) and \(RPW_{u} =h(PW_{u}||CT^{\prime }_{u})\), generates a random number \(k^{\prime }_{u}\), computes the parameter \(RPW^{\prime }_{u} = RPW_{u} \oplus k^{\prime }_{u}\) and then sends the request \( \langle ID_{u}, RPW^{\prime }_{u} \rangle \) for a new \(SC^{new}_{u}\) to the RC via a protected channel.
2. The RC computes \(AM_{k} = h(ID_{u}||PSK_{k}) \oplus RPW^{\prime }_{u}\) and \(BM_{k} = h(SID_{k}||PSK_{k}) \oplus RPW^{\prime }_{u}\) for \(k = 1, 2, \ldots, (n+n^{\prime })\) and issues a new \(SC^{new}_{u}\) containing \(\{(SID_{k}, AM_{k}, BM_{k})| 1 \leq k \leq n +n^{\prime} \}\). The RC sends \(SC^{new}_{u}\) with these parameters to \(U_u\) via a protected channel.
3. \(U_u\) generates a new random number \(Rc^{new}_{u}\) and computes \(r_{u} = h(Rc^{new}_{u} || ID_{u} || PW_{u})\), \(H^{new}_{u} = CT^{\prime }_{u} \oplus \aleph _{enc} (Rc^{new}_{u})\), \(AM_{uk} = (AM_{k} \oplus k^{\prime }_{u}) \oplus r_{u}\), \(BM_{uk} = (BM_{k} \oplus k^{\prime }_{u}) \oplus r_{u}\), \(R = h(Rc^{new}_{u})\) and \(P = h(r_{u})\), and stores these values in the memory of \(SC^{new}_{u}\). \(U_u\) also stores \(\{TP_{u}, \aleph_{enc}(\cdot), \aleph_{dec}(\cdot), h(\cdot)\}\) in the memory of \(SC^{new}_{u}\).
4 Cryptanalysis of the Protocol of Barman et al.
The in-depth analysis in the following subsections shows that Barman et al.'s protocol [6] has serious security flaws:
4.1 Incomplete login request
The login message \(\{M^{\prime }_{2} , M^{\prime }_{3}, M^{\prime }_{4}, T_{1}\}\) sent by user \(U_u\) to the server \(S_k\) is incomplete, because the identity of the server, \(SID_k\), is not included in the login request. This is the most important parameter for the communication [32]: without the server identity, the RC cannot direct the request of \(U_u\) to the intended server. This crucial omission may be treated as a typing mistake; the protocol can only work if the login message contains the identity of the server.
4.2 User anonymity violations attack
Here, we show that the protocol of Barman et al. is vulnerable to a user anonymity violation attack. Let \(U_a\) be a legal but dishonest user of the system who wants to violate user anonymity. In the mutual authentication phase of Barman et al.'s protocol, user \(U_u\) sends the message \(\{M^{\prime }_{2}, M^{\prime }_{3}, M^{\prime }_{4}, T_{1}, SID_{k}\}\) to the server \(SID_k\) over a public channel. Suppose \(U_a\) intercepts the message during the communication. Using \(M^{\prime }_{2} = ID_{u} \oplus h(SV_{k}\| T_{1})\), \(U_a\) can easily extract the \(ID_u\) of every user, because every user registered with \(SID_k\) has \(SV_k\) (the secret identifier generated by the RC for \(SID_k\)) stored in the smart card. \(U_a\) can extract the identity of a user as follows:
- Step AV 1: \(U_u\) sends the login message to \(SID_k\). During the communication, user \(U_a\) intercepts the message \(\{M^{\prime }_{2} , M^{\prime }_{3}, M^{\prime }_{4}, T_{1}, SID_{k}\}\).
- Step AV 2: Using his own smart card, \(U_a\) enters his credentials \(ID_a\), \(PW_a\) and \(BIO_a\). \(U_a\) extracts the pair \(\{BM_{ak}, AM_{ak}\}\) from his own smart card and then computes \(CT_a = f(BIO_a, TP_a)\), \(R^{\prime }_{cod}=H_{a}\oplus CT_{a}\), \(Rc^{\prime }_{a} = \aleph _{dec}(R^{\prime }_{cod})\) and \(r^{\prime}_{a} = h(Rc^{\prime}_{a}||ID_{a}||PW_{a})\), as in the login steps. \(U_a\) then computes:
$$ US_{k_{a}} = AM_{ak} \oplus h(PW_{a}||CT_{a}) \oplus r^{\prime}_{a} \qquad (1) $$
$$ SV_{k} = BM_{ak} \oplus h(PW_{a} || CT_{a}) \oplus r^{\prime}_{a} = h(SID_{k} || PSK_{k}) \qquad (2) $$
$$ Z = h(SV_{k}||T_{1}) \qquad (3) $$
- Step AV 3: Based on \(SV_k\), \(Z\) and the \(M^{\prime }_{2}\) from the login request, \(U_a\) computes:
$$ ID_{u} = M^{\prime}_{2}\oplus Z \qquad (4) $$
In Eq. (4), \(ID_u\) is the real identity of \(U_u\). Therefore, \(U_a\) has successfully broken user anonymity.
4.3 User impersonation attack based on stolen smart-card
Using the stolen smart card of some user, say \(U_u\), another legal but dishonest user of the system can launch a user impersonation attack on Barman et al.'s protocol. Let \(U_a\) be a legal user who holds his own card \(SC_a\), containing \(\{(SID_{k}, AM_{ak}, BM_{ak}) | 1 \leq k \leq (n + n^{\prime })\}\) along with \(\{TP_{a}, H_{a}, P, h(\cdot), \aleph_{enc}, \aleph_{dec}\}\), and who steals the smart card \(SC_u\). \(U_a\) performs the following steps to impersonate \(U_u\):
- Step ISC 1: \(U_a\) enters his credentials \(ID_a\), \(PW_a\) and biometric \(BIO_a\). \(U_a\) now computes \(US_{k}\), \(CT^{\prime }_{a}\), \(r^{\prime }_{a} \) and \(SV_{k} = BM_{ak} \oplus h(PW_{a} || CT_{a}) \oplus r^{\prime }_{a} = h(SID_{k} || PSK_{k})\), as \(SV_k\) is common to all smart cards.
- Step ISC 2: \(U_a\) extracts \(AM_{uk} = US_{uk} \oplus (RPW_{u} \oplus k_{u})\) and \(BM_{uk} = SV_{k} \oplus (RPW_{u} \oplus k_{u})\) from \(U_u\)'s stolen smart card \(SC_u\).
- Step ISC 3: Using \(SV_k\), \(U_a\) computes:
$$ X = AM_{uk} \oplus BM_{uk} = \{US_{uk} \oplus (RPW_{u} \oplus k_{u})\} \oplus \{SV_{k} \oplus (RPW_{u} \oplus k_{u})\} \qquad (5) $$
$$ = US_{uk} \oplus SV_{k} \qquad (6) $$
$$ US_{uk} = X \oplus SV_{k} \qquad (7) $$
- Step ISC 4: \(U_a\) now has \(SV_k\) and \(US_{uk}\) of \(U_u\), along with \(ID_u\). \(U_a\) generates a random number \(R_u\) and a timestamp \(T_1\) and computes:
$$ M^{\prime}_{1} = h(ID_{u} || US_{k}) \qquad (8) $$
$$ M^{\prime}_{2} = ID_{u} \oplus h(SV_{k} || T_{1}) \qquad (9) $$
$$ M^{\prime}_{3} = M^{\prime}_{1} \oplus R_{u} \qquad (10) $$
$$ M^{\prime}_{4} = h(ID_{u} || M^{\prime}_{1} || M^{\prime}_{2} || T_{1} || R_{u}) \qquad (11) $$
- Step ISC 5: \(U_a\) sends the login request \( \langle M^{\prime }_{2}, M^{\prime }_{3}, M^{\prime }_{4}, T_{1}, SID_{k} \rangle \) to \(S_k\). \(S_k\) receives the login request \( \langle M^{\prime }_{2}, M^{\prime }_{3}, M^{\prime }_{4}, T_{1}, SID_{k} \rangle \) and, after checking the time delay \(|T^{\prime }_{1} - T_{1}|\), computes the following:
$$ M^{\prime}_{5} = M^{\prime}_{2} \oplus h(h(SID_{k}||PSK_{k})||T_{1}) = ID_{u} \qquad (12) $$
$$ M^{\prime}_{6} = h(M^{\prime}_{5}||h(M^{\prime}_{5}||PSK_{k})) \qquad (13) $$
$$ M^{\prime}_{7} = M^{\prime}_{3} \oplus M^{\prime}_{6} = R_{u} \qquad (14) $$
$$ M^{\prime}_{8} = h(M^{\prime}_{5}||M^{\prime}_{6}||M^{\prime}_{2}||T_{1}||M^{\prime}_{7}) \qquad (15) $$
- Step ISC 6: \(S_k\) checks whether \(M^{\prime }_{8} = M^{\prime }_{4}\). \(U_a\) passes this test because \(M^{\prime }_{8}\) and \(M^{\prime }_{4}\) have the same value. \(S_k\) selects a nonce \(R_s\), generates the current timestamp \(T_3\), and computes:
$$ M^{\prime}_{9} = h(h(M^{\prime}_{5}||PSK_{k})||R_{u}) \oplus R_{s} \qquad (16) $$
$$ SK_{uk} = h(M^{\prime}_{5}||h(SID_{k}||PSK_{k})||R_{u}||R_{s}||T_{1}||T_{3}) \qquad (17) $$
$$ M^{\prime}_{10} = h(h(M^{\prime}_{5}||PSK_{k})||SK_{uk}||T_{3}||R_{s}) \qquad (18) $$
- Step ISC 7: \(S_k\) then sends \( \langle M^{\prime }_{9}, M^{\prime }_{10}, T_{3} \rangle \) to \(U_a\). \(U_a\) receives the authentication reply \( \langle M^{\prime }_{9}, M^{\prime }_{10}, T_{3} \rangle \) at time \(T^{\prime }_{3}\) and computes:
$$ R_{s} = M^{\prime}_{9} \oplus h(US_{k}||R_{u}) \qquad (19) $$
$$ SK^{\prime}_{uk} = h(ID_{u}||SV_{k}||R_{u}||R_{s}||T_{1}||T_{3}) \qquad (20) $$
$$ M^{\prime}_{11} = h(US_{k}||SK^{\prime}_{uk}||T_{3}||R_{s}) \qquad (21) $$
The session key computed by \(U_a\) in Eq. (20) is the same as the one computed by \(S_k\) in Eq. (17). Therefore, \(U_a\) has successfully established a secure connection with \(S_k\) by impersonating \(U_u\).
4.4 Scalability problems
In the registration phase of Barman et al.'s protocol, the smart card stores \(AM_k\) for every server. In a multi-server environment there may be many servers and users, so it is inefficient to store \(AM_k\) for every server in the smart card, whose small magnetic chip has limited storage. Suppose we have \(n\) servers; then \(US_k\) and \(SV_k\) of all \(n\) servers, each of size 160 bits, must be stored in the smart card. For a large number of servers, say 100, the bits stored for \(US_k\) and \(SV_k\) in the smart card amount to 32000 bits, which can be problematic given its storage restrictions. Moreover, the authors did not describe a procedure to update the smart card when new servers are added, since \(AM_{uk} = (AM_{k} \oplus k_{u}) \oplus r_{u}\) and \(BM_{uk} = (BM_{k} \oplus k_{u}) \oplus r_{u}\) are computed only for \( 1 \leq k \leq (n + n^{\prime } )\).
5 Proposed protocol
This section details the proposed scheme, which involves three entities: users, servers and the registration center (RC). The details are given in the following subsections:
5.1 Server registration phase
Every \(S_k\) that wishes to provide services to legitimate users \(U_u\) must send a registration request, with its identity \(SID_k\), to the RC. The RC computes \(X_{RS_{k}} = h(SID_{k}||X_{c})\) and \(M_{k} = E_{X_{c}}(X_{RS_{k}}) \), stores \((SID_{k},E_{X_{c}}(X_{RS_{k}}))\) in its database and sends the shared key \(X_{RS_{k}}\) to the server.
5.2 User registration phase
\(U_u\) chooses \(ID_u\), \(PW_u\) and \(TP_u\), imprints \(BIO_u\) and selects a random number \(N_1\). \(U_u\) computes \(CT_u = f(BIO_u, TP_u)\) and \(A_u = h(N_1||PW_u||ID_u||CT_u)\), and sends \(A_u\) and \(ID_u\) to the RC. On receiving them, the RC computes \(X_u = h(ID_u||X_c)\) and \(Y_u = X_u \oplus A_u\), generates a random number \(r_o\) and computes the pseudo-identity \(PID_{u} = E_{X_{c}}(ID_{u}||r_{o})\oplus A_{u}\). The RC then stores \(Y_u\), \(PID_u\) and \(h(\cdot)\) in a smart card and sends the smart card to the user over a secure channel. On receiving the smart card, \(U_u\) computes \(R_{cod} = \aleph_{enc}(Rc_u)\), \(H_u = CT_u \oplus R_{cod}\), \(R = h(Rc_u)\), \(r_u = h(Rc_u||ID_u||PW_u)\), \(P = h(r_u)\) and \(E_u = N_1 \oplus r_u\). \(U_u\) stores \(\{TP_u, H_u, R, P, h(\cdot), \aleph_{enc}(\cdot), \aleph_{dec}(\cdot), Y_u, PID_u, E_u\}\) in the smart card. The server and user registration phases are also illustrated in Fig. 2.
5.3 Login and authentication phase
The following steps as shown in Fig. 3, explain the login and authentication phase briefly:
-
Step AP 1:
User need to insert the smart card provides the credentials \(ID_{u}, PW_{u}, BIO^{\prime }_{u}\) and calculates \(CT^{\prime }_{u} = f(BIO^{\prime }_{u}, TP_{u})\), \(R^{\prime }_{cod} = H_{u} \oplus CT^{\prime }_{u}\), \(Rc^{\prime }_{u} = \aleph _{dec}(R^{\prime }_{cod})\), and check if \(h(Rc^{\prime }_{u}) \neq R\), terminates the session, otherwise calculates \(r^{\prime }_{u} = h(Rc^{\prime }_{u}||ID_{u}||PW_{u})\), and check again if \(h(r^{\prime }_{u}) \neq h(r_{u})\) terminates the session, else computes N1 = (Eu ⊕ ru), \(A^{\prime }_{u} = h(ID_{u}||PW_{u}||N_{1}||CT_{u})\), \(X_{u} = (Y_{u} \oplus A^{\prime }_{u})\), \(DID_{u} = (PID_{u}\oplus A^{\prime }_{u})\), generates a random no Ru and time stamp T1, and to get the services of server needs the address SIDk, and computes Gu = Ru ⊕ h(Xu||IDu||SIDk||T1), Hu = h(IDu||Gu||Xu||Ru||T1||SIDk), sends {DIDu,Hu, Gu,T1,SIDk} to the RC on public channel.
-
Step AP 2:
RC receives the login request and checks the time delay (Tc − T1 ≤ δT). RC decrypts \((ID_{u}||r_{o}) = D_{X_{c}}(PID_{u})\) using Xc and computes Xu = h(IDu||Xc) Ru = Gu ⊕ h(Xu||IDu||SIDk||T1) \(H^{\prime }_{u} = h(ID_{u}||G_{u}||X_{u}||R_{u}||T_{1}||SID_{k})\). RC then check \( H^{\prime }_{u} \stackrel {?}{=} H_{u} \) if not true, terminates the session. Otherwise, RC verifies user successfully. RC then extracts \(X_{RS_{k}} \) from verifier table, generates time stamp T2, computes \(X^{\prime }_{u} = h(X_{u}||ID_{u}||SID_{k}||T_{1})\), \(H_{R_{c}} = \) and \( h(X_{RS_{k}}||X^{\prime }_{u}||ID_{u}||SID_{k}||T_{2})\). RC now encrypts the parameters \( (X^{\prime }_{u}, R_{u}, ID_{u}, H_{R_{c}}, SID_{k}, T_{1})\) using share secret key \(X_{RS_{k}}\) and sends \(E_{X_{RS_{k}}} (X^{\prime }_{u}\) \(R_{u}, ID_{u}, H_{R_{c}}, SID_{k}, T_{1}), T_{2}, SID_{k}\) to the server over public channel.
-
Step AP 3:
On receiving the message, Sk after checking the time delay (Tc − T2 ≤ δT), decrypts \( D_{X_{RS_{k}}}(X^{\prime }_{u}, R_{u}, ID_{u}, H_{R_{c}},\) SIDk,T1) using the shared key \({X_{RS_{k}}}\). Sk then computes \(H^{\prime }_{R_{c}} = h (X_{RS_{k}}||\) \( X^{\prime }_{u}||ID_{u}||SID_{k}||T_{2})\) and checks the equality \(H^{\prime }_{R_{c}} \stackrel {?}{=} H_{R_{c}} \) if condition is true, Sk verifies RC successfully. Further Sk generates Rs, T3 and computes \(M_{x} = R_{s}\oplus h (ID_{u}||X^{\prime }_{u}||R_{u}||T_{3})\) \(H^{\prime \prime }_{R_{c}} = h(R_{s}||M_{x}|| T_{u}||ID_{u}|| \) T3). Sk further sends \(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u},\}\) to the RC, which in turn checks (Tc − T3 ≤ δT) and on successful verification computes \(R_{s} = M_{x}\oplus (ID_{u}||X^{\prime }_{u}||R_{u}||T_{3})\) \(H^{\prime \prime \prime }_{R_{c}} = h(R_{s}||M_{x}||T_{u}||ID_{u}||T_{3})\). RC then checks \(H^{\prime \prime \prime }_{R_{c}} \stackrel {?}{=} H^{\prime \prime }_{R_{c}} \) and on successful verification computes new dynamic identity \(RID_{u}=E_{X_{c}}(ID_{u}||r_{n})\oplus R_{s}\) for Uu and forwards \(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u}, RID_{u}\}\) to the legitimate user Uu.
-
Step AP 4:
Uu, on receiving the message, checks the time delay (Tc − T3 ≤ δT) and on success computes \(R_{s} = M_{x}\oplus h(ID_{u}||X^{\prime }_{u}||R_{u}||T_{3}) \) and \( H^{\prime \prime \prime \prime }_{R_{c}} = h(R_{s}|| M_{x}||T_{u}||ID_{u}||T_{3})\), then checks whether \(H^{\prime \prime \prime \prime }_{R_{c}} \stackrel {?}{=} H^{\prime \prime }_{R_{c}}\). If the check holds, the session key SKuk = \(h(X^{\prime }_{u}||ID_{u}||SID_{k}||R_{s}||R_{u})\) is established between the user and the server.
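The following is an added, runnable model of Steps AP 1 to AP 4 (it is not code from the paper). Everything the page leaves open is an assumption here: h(·) is SHA-256 over length-prefixed fields; the symmetric cipher E/D is a constructed HMAC-SHA256 keystream stand-in with no integrity tag; the DIDu field of the login request carries \(E_{X_{c}}(ID_{u}||r_{o})\) so that RC can decrypt it as the step describes; Tu, which the step uses but does not define here, is an opaque server-chosen field; Rs is stretched with the same keystream function before being XORed with the ciphertext in RIDu, since the two have different lengths; timestamps are integer seconds with δT = 5 s. The run checks each of the four hash comparisons, derives the session key on both sides, and shows the pseudo-identity refresh and the timestamp check that Section 6.6 relies on for anonymity and replay resistance.

```python
import hashlib, hmac, os

DELTA_T = 5  # accepted transmission delay in seconds (assumed value)

def h(*parts):  # h(a||b||...) modelled as SHA-256 over length-prefixed fields (assumption)
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, nonce, n):  # HMAC-SHA256 counter keystream; constructed stand-in, not a vetted cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(key, pt):  # E_K(.) stand-in: random nonce || pt XOR keystream (no integrity protection)
    nonce = os.urandom(16)
    return nonce + xor(pt, keystream(key, nonce, len(pt)))

def D(key, ct):  # D_K(.) for the stand-in above
    return xor(ct[16:], keystream(key, ct[:16], len(ct) - 16))

def mask(data, secret):  # "data XOR Rs", with Rs stretched to the data length (assumption)
    return xor(data, keystream(secret, b"mask", len(data)))

def pack(*parts):  # a||b||... as length-prefixed fields so the receiver can split them again
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def unpack(buf):
    out = []
    while buf:
        n, buf = int.from_bytes(buf[:2], "big"), buf[2:]
        out.append(buf[:n])
        buf = buf[n:]
    return out

ts = lambda t: t.to_bytes(8, "big")  # timestamp as 8 big-endian bytes

def check_delay(t_bytes, now):  # (Tc - T <= delta_T); a stale T is treated as a replay
    if not 0 <= now - int.from_bytes(t_bytes, "big") <= DELTA_T:
        raise ValueError("stale timestamp: possible replay")

def run_session(now, t1=None):
    """Run AP1-AP4 end to end with constructed keys and identities; t1 lets a caller replay an old T1."""
    IDu, SIDk = b"alice", b"server-k"                   # constructed identities
    Xc, X_RSk = os.urandom(32), os.urandom(32)          # RC master key, RC-Sk shared key
    Xu = h(IDu, Xc)                                     # user's secret obtained at registration
    PIDu = E(Xc, pack(IDu, os.urandom(16)))             # E_Xc(IDu||ro) held by the smart card
    verifier_table = {SIDk: X_RSk}                      # RC's verifier table (plain here)
    # AP1 (Uu): build the login request {DIDu, Hu, Gu, T1, SIDk}
    T1, Ru = ts(now if t1 is None else t1), os.urandom(32)
    Gu = xor(Ru, h(Xu, IDu, SIDk, T1))
    Hu = h(IDu, Gu, Xu, Ru, T1, SIDk)
    msg1 = (PIDu, Hu, Gu, T1, SIDk)
    # AP2 (RC): recover IDu and Ru, verify Hu, then pass X'u and Ru to Sk under X_RSk
    DIDu, Hu_r, Gu_r, T1_r, SIDk_r = msg1
    check_delay(T1_r, now)
    IDu_r = unpack(D(Xc, DIDu))[0]
    Xu_r = h(IDu_r, Xc)
    Ru_r = xor(Gu_r, h(Xu_r, IDu_r, SIDk_r, T1_r))
    if h(IDu_r, Gu_r, Xu_r, Ru_r, T1_r, SIDk_r) != Hu_r: raise ValueError("H'u mismatch: user rejected")
    T2 = ts(now)
    Xu_p = h(Xu_r, IDu_r, SIDk_r, T1_r)                 # X'u
    H_Rc = h(verifier_table[SIDk_r], Xu_p, IDu_r, SIDk_r, T2)
    msg2 = (E(verifier_table[SIDk_r], pack(Xu_p, Ru_r, IDu_r, H_Rc, SIDk_r, T1_r)), T2, SIDk_r)
    # AP3 (Sk): verify RC, choose Rs, hide it in Mx and derive the session key
    ct, T2_s, _ = msg2
    check_delay(T2_s, now)
    Xu_p_s, Ru_s, IDu_s, H_Rc_s, SIDk_s, _T1_s = unpack(D(X_RSk, ct))
    if h(X_RSk, Xu_p_s, IDu_s, SIDk_s, T2_s) != H_Rc_s: raise ValueError("H'Rc mismatch: RC rejected")
    Rs, T3, Tu = os.urandom(32), ts(now), os.urandom(8)  # Tu modelled as an opaque field (assumption)
    Mx = xor(Rs, h(IDu_s, Xu_p_s, Ru_s, T3))
    H_Rc2 = h(Rs, Mx, Tu, IDu_s, T3)
    SK_server = h(Xu_p_s, IDu_s, SIDk_s, Rs, Ru_s)
    msg3 = (Mx, H_Rc2, T3, Tu)
    # AP3 (RC): verify Sk and refresh the pseudo-identity, RIDu = E_Xc(IDu||rn) XOR Rs
    Mx_r, H2_r, T3_r, Tu_r = msg3
    check_delay(T3_r, now)
    Rs_r = xor(Mx_r, h(IDu_r, Xu_p, Ru_r, T3_r))
    if h(Rs_r, Mx_r, Tu_r, IDu_r, T3_r) != H2_r: raise ValueError("H''Rc mismatch: server rejected")
    RIDu = mask(E(Xc, pack(IDu_r, os.urandom(16))), Rs_r)
    msg4 = (Mx_r, H2_r, T3_r, Tu_r, RIDu)
    # AP4 (Uu): recover Rs, verify, derive SK and unmask the next pseudo-identity
    Mx_u, H2_u, T3_u, Tu_u, RIDu_u = msg4
    check_delay(T3_u, now)
    Xu_p_u = h(Xu, IDu, SIDk, T1)
    Rs_u = xor(Mx_u, h(IDu, Xu_p_u, Ru, T3_u))
    if h(Rs_u, Mx_u, Tu_u, IDu, T3_u) != H2_u: raise ValueError("H''Rc mismatch at user")
    SK_user = h(Xu_p_u, IDu, SIDk, Rs_u, Ru)
    new_PIDu = mask(RIDu_u, Rs_u)                       # stored for the next login
    return {"sk_user": SK_user, "sk_server": SK_server, "old_pid": PIDu,
            "new_pid": new_PIDu, "new_pid_id": unpack(D(Xc, new_PIDu))[0]}
```

Calling `run_session(now=1000)` yields matching session keys on both sides and a fresh pseudo-identity that still decrypts (under Xc) to the same IDu; calling it with `t1=900` makes RC reject the request at the very first timestamp check, which is the replay behaviour Section 6.6.3 describes. Note that because the stand-in cipher has no integrity tag, the hash comparisons are the only thing binding the ciphertexts to their senders.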
5.4 Password and biometric update phase
In this section, we also describe the password change and biometric template update process of our protocol. Uu needs to log in successfully before changing the current password and updating the biometric template. The detailed steps are described below:
-
Step CPB 1:
Uu inserts the smart card into a card reader and provides the credentials IDu, PWu and BIOu to log in. \(BIO^{\prime }_{u}\) is extracted from the captured BIOu. SCu then computes \(CT^{\prime }_{u} = f(BIO^{\prime }_{u}, TP_{u})\) and \(R^{\prime }_{cu} = \varepsilon _{dec}(H_{u}\oplus CT^{\prime }_{u})\). SCu checks whether \(h(R^{\prime }_{cu}) = R\); if so, SCu computes \(r^{\prime }_{u} = h(R^{\prime }_{cu}||ID_{u}||PW_{u})\) and checks whether \(h(r^{\prime }_{u}) = P\). The smart card then asks Uu to change the password and update the biometric template.
-
Step CPB 2:
For the password change, SCu asks Uu for a new password. Uu inputs the new password \(PW^{new}_{u}\). SCu computes \(r^{new}_{u} = h(R^{\prime }_{cu}||ID_{u}||PW^{new}_{u})\), \(E^{new}_{u} = N_{1}\oplus r^{new}_{u}\) and \(P^{new} = h(r^{new}_{u})\). SCu then updates the parameters stored in the smart card to \(\{TP_{u}, H_{u}, R, P^{new}, h(\cdot ), \varepsilon _{enc}(\cdot ), \varepsilon _{dec}(\cdot ), Y_{u}, PID_{u}, E^{new}_{u}\}\).
-
Step CPB 3:
To update the biometric template, SCu asks Uu for a new transformation parameter \(TP^{new}_{u}\). The new cancelable template is generated as \(CT^{new}_{u} = f(BIO_{u}, TP^{new}_{u})\), along with the helper data \(H^{new}_{u} = CT^{new}_{u}\oplus \varepsilon _{enc}(R^{\prime }_{cu})\). \(CT^{new}_{u}\) and \(H^{new}_{u}\) are then stored in the memory of SCu.
5.5 Smart card revocation procedure
If the SCu of a legitimate user Uu is damaged, lost or stolen, RC issues a new smart card. For this process, the user provides the credentials IDu, PWu and BIOu. The following steps are essential to complete this procedure:
-
Step SCR 1:
Uu computes \(CT^{\prime }_{u} = f(BIO_{u}, TP_{u})\) and generates a 160-bit secret \(N^{\prime }_{1}\). Then Uu computes \(A^{\prime }_{u} = h(N^{\prime }_{1}||PW_{u}||ID_{u}|| CT^{\prime }_{u})\) and transmits the request message \(\{A^{\prime }_{u},ID_{u}\}\) to RC via a protected channel to obtain \(SC^{new}_{u}\).
-
Step SCR 2:
RC computes \(X_{u} = h(ID_{u}||X_{c})\) and \(Y^{\prime }_{u} = X_{u}\oplus A^{\prime }_{u}\), generates a random \(r^{\prime }_{o}\) and computes \(PID^{\prime }_{u} = E_{X_{c}}(ID_{u}||r^{\prime }_{o})\oplus A^{\prime }_{u}\). RC stores \(Y^{\prime }_{u}, PID^{\prime }_{u}, h(\cdot )\) in the new smart card \(SC^{new}_{u}\), which is then sent to Uu via a protected channel.
-
Step SCR 3:
Uu computes \(r^{\prime }_{u} = h(Rc^{new}_{u}||ID_{u}||PW_{u})\), \(H^{new}_{u} = CT^{\prime }_{u} \oplus \varepsilon _{enc}(Rc^{new}_{u})\), \(R = h(Rc^{new}_{u})\) and \(P = h(r^{\prime }_{u})\), and stores these values in the memory of \(SC^{new}_{u}\).
6 Security analysis
This section provides the formal and informal security analysis of the proposed scheme. Moreover, an automated formal security proof using the popular AVISPA tool is also provided in this section:
6.1 Formal analysis using BAN logic
For the formal analysis, Burrows-Abadi-Needham (BAN) logic [8] is applied in this subsection to verify the mutual authentication between the user Uu and the server Sk with the help of RC. Fig. 4 presents the notation used in BAN logic.
6.2 Rules of BAN-Logic
-
Rule 1: Message Meaning \(\frac {P|\equiv P\overset {K}\longleftrightarrow Q,\ P\lhd \{X\}_{K}} {P|\equiv Q|\sim X}\) If P receives X encrypted under the key K and P believes K is a good key for communicating with Q, then P believes that Q once said X.
-
Rule 2: Nonce Verification \(\frac {P |\equiv \#(X),P |\equiv Q|\sim X}{P |\equiv Q|\equiv X}\) If P believes that X is fresh and that Q once said X, then P believes that Q believes X.
-
Rule 3: Jurisdiction \(\frac {P |\equiv Q\Rightarrow X, P|\equiv Q|\equiv X}{P|\equiv X}\) If P believes that Q has jurisdiction over X and that Q believes X, then P believes X.
-
Rule 4: Belief Conjuncatenation \(\frac {P |\equiv \ X,P |\equiv Y}{P |\equiv (X,Y)}\) If a principal P believes X and also believes Y, then P believes (X, Y).
-
Rule 5: Freshness Conjuncatenation \(\frac {P |\equiv \#(X)} {P |\equiv \#(X,Y)} \) If a principal P believes that X is fresh, then P also believes that (X, Y) is fresh.
-
Rule 6: Session Key \(\frac {P |\equiv \#(X),P|\equiv Q|\equiv X} {P|\equiv \ P\overset {K}\longleftrightarrow Q}\) If a principal P believes that X is fresh and that Q believes X, where X is a necessary component of the session key K, then P believes that it shares the session key K with Q.
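To make the six rules concrete, here is a small added rule engine (example code, not part of the paper) in which beliefs are nested tuples and each rule is a function; `closure` applies the non-generative rules until no new belief appears, while the two conjuncatenation rules are applied explicitly because they could generate pairs without end. The demonstration runs the Message (2) leg with premises listed in the code; those premises are the example's own and simplify the paper's assumption set A1 to A10, so the chain illustrates how the rules compose rather than reproducing the BN steps of Section 6.5 one for one.

```python
# Statement constructors: nested tuples keep every belief hashable.
def believes(P, X): return ("believes", P, X)          # P |= X
def sees(P, X): return ("sees", P, X)                  # P <| X
def said(Q, X): return ("said", Q, X)                  # Q |~ X
def fresh(X): return ("fresh", X)                      # #(X)
def enc(X, K): return ("enc", X, K)                    # {X}_K
def key(P, Q, K): return ("key", frozenset((P, Q)), K) # P <-K-> Q (unordered pair)
def controls(Q, X): return ("controls", Q, X)          # Q |=> X
def pair(X, Y): return ("pair", X, Y)                  # (X, Y)

def _other(parties, P):
    return next(iter(parties - {P}))

def message_meaning(facts):  # Rule 1
    out = set()
    for f in facts:
        if f[0] == "believes" and f[2][0] == "key" and f[1] in f[2][1]:
            P, K, Q = f[1], f[2][2], _other(f[2][1], f[1])
            for g in facts:
                if g[0] == "sees" and g[1] == P and g[2][0] == "enc" and g[2][2] == K:
                    out.add(believes(P, said(Q, g[2][1])))
    return out

def nonce_verification(facts):  # Rule 2
    out = set()
    for f in facts:
        if f[0] == "believes" and f[2][0] == "fresh":
            P, X = f[1], f[2][1]
            for g in facts:
                if g[0] == "believes" and g[1] == P and g[2][0] == "said" and g[2][2] == X:
                    out.add(believes(P, believes(g[2][1], X)))
    return out

def jurisdiction(facts):  # Rule 3
    out = set()
    for f in facts:
        if f[0] == "believes" and f[2][0] == "controls":
            P, Q, X = f[1], f[2][1], f[2][2]
            if believes(P, believes(Q, X)) in facts:
                out.add(believes(P, X))
    return out

def belief_conjuncatenation(facts, P, X, Y):  # Rule 4, applied on demand
    return {believes(P, pair(X, Y))} if believes(P, X) in facts and believes(P, Y) in facts else set()

def freshness_conjuncatenation(facts, P, X, Y):  # Rule 5, applied on demand
    return {believes(P, fresh(pair(X, Y)))} if believes(P, fresh(X)) in facts else set()

def session_key(facts):  # Rule 6, with X taken to be the key statement itself
    out = set()
    for f in facts:
        if f[0] == "believes" and f[2][0] == "fresh":
            P, X = f[1], f[2][1]
            if isinstance(X, tuple) and X[0] == "key" and P in X[1]:
                if believes(P, believes(_other(X[1], P), X)) in facts:
                    out.add(believes(P, X))
    return out

def closure(facts):
    """Apply Rules 1, 2, 3 and 6 to a fixpoint (each conclusion reuses existing terms, so it halts)."""
    facts = set(facts)
    while True:
        new = message_meaning(facts) | nonce_verification(facts) | jurisdiction(facts) | session_key(facts)
        if new <= facts:
            return facts
        facts |= new

def message2_leg():
    """Sk processing Message (2): {X'u, Ru, IDu, HRc, SIDk, T1}_{X_RSk}, T2, SIDk."""
    body = ("X'u", "Ru", "IDu", "HRc", "SIDk")
    M2 = pair("T1", body)                                    # T1 travels inside the ciphertext
    premises = {
        believes("Sk", key("Sk", "RC", "X_RSk")),            # Sk trusts its key shared with RC
        sees("Sk", enc(M2, "X_RSk")),                         # seeing rule on Message (2)
        believes("Sk", fresh("T1")),                          # the time-delay check passed
        believes("Sk", controls("RC", M2)),                   # RC has jurisdiction over what it relays
    }
    premises |= freshness_conjuncatenation(premises, "Sk", "T1", body)   # Rule 5: #(T1) gives #(M2)
    return closure(premises), M2

def session_key_leg():
    """Rule 6 on the goal statement: #(Uu <-SK-> Sk) and Sk |= Uu |= (Uu <-SK-> Sk) give Goal 1."""
    ks = key("Uu", "Sk", "SKuk")
    premises = {believes("Sk", fresh(ks)), believes("Sk", believes("Uu", ks))}
    return closure(premises), ks
```

In `message2_leg` the derivation runs Rule 5, then Rule 1 (Sk |≡ RC |∼ M2), Rule 2 (Sk |≡ RC |≡ M2) and Rule 3 (Sk |≡ M2), which is the same three-step pattern the paper repeats for every message; `session_key_leg` shows Rule 6 producing the key belief that Goal 1 asks for.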
6.3 Assumptions
We assume that the following holds at the beginning of every run of our protocol.
-
A1: Uu|≡ #(Ru,T1)
-
A2: RC|≡ #(T2,rn)
-
A3: Sk|≡ #(Rs,T3)
-
A4: \(U_{u}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k})\)
-
A5: \(RC|\equiv U_{u}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k}) \)
-
A6: \(S_{k}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k}) \)
-
A7: \(RC|\equiv S_{k}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k})\)
-
A8: Uu|⇒ Ru
-
A9: RC|⇒ rn
-
A10: Sk|⇒ Rs
6.4 Goals
-
G1: \(S_{k}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k}) \)
-
G2: \(S_{k}|\equiv U_{u}|\equiv (U_{u} \overset {SK_{uk}}\longleftrightarrow S_{k} )\)
-
G3: \(U_{u}|\equiv (U_{u}\overset {SK_{uk}}\longleftrightarrow S_{k})\)
-
G4: \(U_{u}|\equiv S_{k}|\equiv (U_{u} \overset {SK_{uk}}\longleftrightarrow S_{k} )\)
The generic form of the protocol is as follows:
-
Message (1) \(U_{u} \xrightarrow {} RC\): {DIDu,Hu,Gu,T1,SIDk}
-
Message (2) \(RC \xrightarrow {} S_{k}\): \(\{E_{X_{RS_{k}}}(X^{\prime }_{u}, R_{u}, ID_{u}, H_{R_{c}}, SID_{k}, T_{1}), T_{2}, SID_{k}\}\)
-
Message (3) \(S_{k} \xrightarrow {} RC\): \(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u}\}\)
-
Message (4) \(RC \xrightarrow {} U_{u}\): \(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u}, RID_{u}\}\)
The idealized forms of the protocol are designed as follows:
-
Considering message 1 and applying the seeing rule,
$$ \begin{array}{@{}rcl@{}} S_{1}: RC \lhd \{(PID_{u})_{A_{u}}, (ID_{u}, G_{u}, R_{u}, T_{1}, SID_{k}, X_{u}), (X_{u}, ID_{u}, SID_{k}, T_{1})_{R_{u}}, T_{1}, SID_{k} \} \end{array} $$(22)
-
Considering message 2 and applying the seeing rule,
$$ \begin{array}{@{}rcl@{}} S_{2}: S_{k} \lhd \{(X^{\prime}_{u}, R_{u}, ID_{u}, H_{Rc}, SID_{k}, T_{1})_{X_{RS_{k}}}, T_{2}, SID_{k} \} \end{array} $$(23)
-
Considering message 3 and applying the seeing rule,
$$ \begin{array}{@{}rcl@{}} S_{3}: RC \lhd \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u} \} \end{array} $$(24)
-
Considering message 4 and applying the seeing rule,
$$ \begin{array}{@{}rcl@{}} S_{4}: U_{u} \lhd \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u}, (ID_{u}, r_{n})_{X_{c}}\} \end{array} $$(25)
6.5 Protocol analysis
The main security proof consists of the following steps:
-
According to (S1, A5) and the message meaning rule,
$$ \begin{array}{@{}rcl@{}} BN1: RC|\equiv \{(PID_{u})_{A_{u}}, (ID_{u}, G_{u}, R_{u}, T_{1}, SID_{k}, X_{u}), (X_{u}, ID_{u}, SID_{k}, T_{1})_{R_{u}}, T_{1}, SID_{k} \} \end{array} $$(26)
-
According to (BN1, A1), the freshness conjuncatenation and nonce verification rules,
$$ \begin{array}{@{}rcl@{}} BN2: RC|\equiv U_{u}|\equiv \{(PID_{u})_{A_{u}}, (ID_{u}, G_{u}, R_{u}, T_{1}, SID_{k}, X_{u}), (X_{u}, ID_{u}, SID_{k}, T_{1})_{R_{u}}, T_{1}, SID_{k} \} \end{array} $$(27)
-
According to (A8, BN1, BN2) and the jurisdiction rule,
$$ \begin{array}{@{}rcl@{}} BN3: RC|\equiv \{(PID_{u})_{A_{u}}, (ID_{u}, G_{u}, R_{u}, T_{1}, SID_{k}, X_{u}), (X_{u}, ID_{u}, SID_{k}, T_{1})_{R_{u}}, T_{1}, SID_{k} \} \end{array} $$(28)
-
According to (S2, A5) and the message meaning rule,
$$ \begin{array}{@{}rcl@{}} BN4: S_{k}|\equiv \{(X^{\prime}_{u}, R_{u}, ID_{u}, H_{Rc}, SID_{k}, T_{1})_{X_{RS_{k}}}, T_{2}, SID_{k} \} \end{array} $$(29)
-
According to (A2, BN4), the freshness conjuncatenation and nonce verification rules,
$$ \begin{array}{@{}rcl@{}} BN5: S_{k}|\equiv RC|\equiv \{(X^{\prime}_{u}, R_{u}, ID_{u}, H_{Rc}, SID_{k}, T_{1})_{X_{RS_{k}}}, T_{2}, SID_{k} \} \end{array} $$(30)
-
According to (BN4, BN5) and the jurisdiction rule,
$$ \begin{array}{@{}rcl@{}} BN6: S_{k}|\equiv \{(X^{\prime}_{u}, R_{u}, ID_{u}, H_{Rc}, SID_{k}, T_{1})_{X_{RS_{k}}}, T_{2}, SID_{k} \} \end{array} $$(31)
-
According to (A4, BN5, BN6) and the session key rule,
$$ \begin{array}{@{}rcl@{}} BN7: S_{k}|\equiv U_{u}|\equiv (U_{u} \overset{SK_{uk}}\longleftrightarrow S_{k}) \thinspace \thickspace {\textbf{Goal 2}} \end{array} $$(32)
-
According to (A8, BN7) and the jurisdiction rule,
$$ \begin{array}{@{}rcl@{}} BN8: S_{k}|\equiv (U_{u}\overset{SK_{uk}}\longleftrightarrow S_{k}) \thinspace \thickspace {\textbf{Goal 1}} \end{array} $$(33)
-
According to (S3, A7) and the message meaning rule,
$$ \begin{array}{@{}rcl@{}} BN9: RC|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u} \} \end{array} $$(34)
-
According to (A3, BN9), the freshness conjuncatenation and nonce verification rules,
$$ \begin{array}{@{}rcl@{}} BN10: RC|\equiv S_{k}|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u} \} \end{array} $$(35)
-
According to (A10, BN9, BN10) and the jurisdiction rule,
$$ \begin{array}{@{}rcl@{}} BN11: RC|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u} \} \end{array} $$(36)
-
According to (S4, A7) and the message meaning rule,
$$ \begin{array}{@{}rcl@{}} BN12: U_{u}|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u}, (ID_{u}, r_{n})_{X_{c}}\} \end{array} $$(37)
-
According to (A2, BN12), the freshness conjuncatenation and nonce verification rules,
$$ \begin{array}{@{}rcl@{}} BN13: U_{u}|\equiv RC|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u}, (ID_{u}, r_{n})_{X_{c}}\} \end{array} $$(38)
-
According to (A9, BN12, BN13) and the jurisdiction rule,
$$ \begin{array}{@{}rcl@{}} BN14: U_{u}|\equiv \{(ID_{u}, X_{u}, R_{u}, T_{3})_{R_{s}}, (R_{s}, M_{x}, T_{u}, ID_{u}, T_{3}), T_{3}, T_{u}, (ID_{u}, r_{n})_{X_{c}}\} \end{array} $$(39)
-
According to (A6, BN13, BN14) and the session key rule,
$$ \begin{array}{@{}rcl@{}} BN15: U_{u}|\equiv S_{k}|\equiv (U_{u} \overset{SK_{uk}}\longleftrightarrow S_{k}) \thinspace \thickspace {\textbf{Goal 4}} \end{array} $$(40)
-
According to (A9, BN15) and the jurisdiction rule,
$$ \begin{array}{@{}rcl@{}} BN16: U_{u}|\equiv (U_{u}\overset{SK_{uk}}\longleftrightarrow S_{k}) \thinspace \thickspace {\textbf{Goal 3}} \end{array} $$(41)
6.6 Discussion on functional security
The following subsections provide brief discussions of several security features and of the resistance to known attacks provided by the proposed scheme.
6.6.1 Anonymity and untraceability
In an authentication protocol, user anonymity and untraceability are substantial aspects: if anonymity is broken, an adversary Aadv can easily recover sensitive information about the legitimate user such as his current location, movement tracks, personal records and social circle. In the registration phase, RC encrypts the identity together with a random number as \(E_{X_{c}}(ID_{u}||r_{o})\) using its own secret key Xc. SCu does not store this pseudo-identity directly, as it is hidden inside PIDu, so even if the smart card is stolen by Aadv, he is still incapable of obtaining the identity of the user. Moreover, after each successful authentication request, this pseudo-identity is changed dynamically. Therefore, the proposed protocol provides anonymity and untraceability.
6.6.2 Impersonation attacks
To act as RC, an Aadv requires the secret key Xc of RC, which is hashed with the user identity as h(IDu||Xc); to compute the session key \(SK = h(X^{\prime }_{u}||ID_{u}||SID_{k}||R_{s}||R_{u})\), an Aadv also has to first compute Xu = h(IDu||Xc). In addition, Xu is used in the construction of the RC signature, that is, \(X^{\prime }_{u} = h(X_{u}||ID_{u}||SID_{k}||T_{1})\). So without the secret key Xc, an Aadv cannot impersonate RC. Similarly, to act as a legitimate user, an Aadv requires a valid login request, that is, {DIDu,Hu,Gu,T1,SIDk}. To compute all these values, an Aadv needs the user credentials, i.e. the password PWu as well as the biometric BIOu.
6.6.3 Replay attack
Our protocol resists replay attacks on all login and authentication messages. Suppose an Aadv replays a past message, that is, {DIDu,Hu,Gu,T1,SIDk}. On the receiving side, RC always checks the time stamp T1; as T1 is outdated, RC treats the message as a replay and discards the request.
6.6.4 Stolen verifier attack
Our protocol is fully secured against the stolen verifier attack. RC encrypts the shared key as \(E_{X_{c}}(X_{RS_{k}})\) using its own secret key Xc before storing it in the verifier table, so an adversary cannot extract anything from the table without knowing Xc.
6.6.5 Privileged insider attack
The proposed protocol successfully prevents the privileged insider attack. In the registration phase, IDu and Au = h(N1||PWu||IDu||CTu) are sent to RC, where the password PWu, the identity IDu, the random number N1 and the cancelable template CTu are protected by the one-way hash function. So it is impossible for an insider to guess these values.
6.6.6 Password guessing attacks
The proposed protocol is fully secured against the password guessing attack. Suppose RC takes a snapshot of the user's sensitive parameters \(\{TP_{u}, H_{u}, R, P, h(\cdot ), \varepsilon _{enc}(\cdot ), \varepsilon _{dec}(\cdot ), Y_{u}, PID_{u}, E_{u}\}\) stored on the user's smart card. It then still requires the cancelable template CTu along with N1. Moreover, even if an Aadv somehow obtains N1 and CTu, he still needs to guess both the identity IDu and the password PWu of the user.
6.6.7 Denial of services attack
Our protocol is fully protected against denial of service. SCu checks the validity of the identity IDu, the password PWu and the template CTu. If an Aadv or a legitimate user enters incorrect values, SCu simply cancels the request.
6.6.8 Perfect forward secrecy
The proposed protocol provides perfect forward secrecy. The shared session key \(SK_{uk} = h(X^{\prime }_{u}||ID_{u}||SID_{k}||R_{s}||R_{u})\) incorporates the random number Ru chosen by the user. Even if the RC signature \(X^{\prime }_{u}\) is exposed to some Aadv, he will not be able to compute previously shared session keys.
6.6.9 Resolve the scalability issues
In the previous protocol, the smart card stores \(AM_{uk} = (AM_{k} \oplus k^{\prime }_{u}) \oplus r_{u}, BM_{uk} = (BM_{k} \oplus k^{\prime }_{u}) \oplus r_{u}\) for every server \( 1 \leq k \leq (n + n^{\prime } )\), which does not fit within the smart card's small chip and its limited storage. In the proposed protocol, no parameter storing per-server information is kept on the smart card.
6.7 AVISPA based security simulation
In this section, we analyze the security of the proposed protocol using the formal simulation tool AVISPA [3], which is widely used for security verification.
AVISPA implements the HLPSL language, which is translated into the intermediate format (IF) by the translator known as “hlpsl2if”. Four back ends operate on the IF to check whether the security goals are satisfied or violated; the output reports the protocol as safe, unsafe or unsatisfactory. Details are given in [3]. We define three basic roles, i.e. the role of the user Uu, the role of the registration center RC and the role of the server Sk, along with the session (between these participants), the environment role and the goals; they are stated in HLPSL in Figs. 5, 6, 7 and 8. The AVISPA results, shown in Fig. 9, indicate that the proposed protocol is secure against man-in-the-middle as well as replay attacks. The OFMC back end reports a parse time of 0.00 seconds, a search time of 42.16 seconds, 3344 visited nodes and a depth of 12 plies, whereas ATSE analyzes 8 states with a translation time of 0.98 seconds. Hence, these results show that our protocol provides better security than Barman et al.’s protocol [6]. The search and translation times are slightly higher than for Barman et al.’s protocol because the number of visited nodes and the depth of the proposed protocol are greater than those of the previous protocol.
7 Comparisons
In this section, we show the performance and security comparisons of the proposed protocol with some related multi-server authentication protocols [1, 2, 6, 13, 18, 31, 36, 46].
7.1 Security and functionality comparisons
The security and functionality comparison of the proposed scheme with related schemes is given in Table 1 under the DY and CK adversarial models described in subsection 2.5. The security comparison shows that only the proposed scheme resists all known attacks and fulfills the related security features, whereas each of the competing schemes either lacks one or more security features or is vulnerable to some security attacks.
7.2 Computation cost
In this subsection, we compare our protocol with the existing multi-server authentication protocols considering the computation cost of the login and authentication phases. The notation used for the computation cost is as follows:
-
RTh: one-way cryptographic hash cost
-
RTbh: bio-hashing cost
-
RTfe: fuzzy extractor cost
-
RTfcs: fuzzy commitment cost
-
RTecm: ecc point multiplication cost
-
RTasm: asymmetric key encryption/decryption cost
-
RTsed: cost of block cipher encryption
As per the experimental results disclosed in [24], RTh = 0.0023 ms, RTsed = 0.0046 ms, RTecm = 2.226 ms and RTasm = 0.0046 ms. Furthermore, RTfe = RTecm, and we also assume RTbh = RTecm and RTfcs = RTecm. Although our protocol has a slightly higher computation cost compared to Barman et al. [6], the security level of our protocol is higher. The comparisons are summarized in Table 2.
7.3 Communication cost
In this subsection, we evaluate and compare the communication cost of the proposed protocol with the existing protocols. During the login and authentication phases, the communication cost is computed as the total number of bits transmitted to the other parties in the network over a protected channel. We assume that the “SHA-1” hash function is used, whose output is 160 bits [7]; symmetric key encryption/decryption produces 256-bit blocks [26]; a time stamp is 32 bits long; and an elliptic curve point P = (Pa,Pb) is 160 bits long, where Pa and Pb are the x and y coordinates of the point P. Furthermore, the security of the 1024-bit RSA [45] public key cryptosystem is comparable to that of 160-bit ECC (elliptic curve cryptography) [5]. In the proposed protocol, the login request message {DIDu,Hu,Gu,T1,SIDk}, transmitted from the user Uu to RC, costs (160 + 160 + 160 + 32 + 32) = 544 bits; the message \(\{E_{X_{RS_{k}}}(X^{\prime }_{u}, R_{u}, ID_{u}, H_{R_{c}}, SID_{k}, T_{1}), SID_{k}, T_{2}\}\) transmitted from RC to the server Sk costs (256 + 32 + 32) = 332 bits; the message \(\{M_{x}, H^{\prime \prime }_{R_{c}}, T_{3}, T_{u}\}\) transmitted from the server Sk to RC costs (160 + 160 + 32 + 32) = 384 bits; and the message \(\{M_{x}, H^{\prime \prime }_{R_{c}},T_{3},T_{u}, RID_{u }\}\) transmitted from RC to Uu costs (160 + 160 + 32 + 32 + 160) = 544 bits. Hence, the total number of bits communicated is (544 + 332 + 384 + 544) = 1804 bits. The comparison results are shown in Table 2. The higher communication cost compared with Barman et al. is due to the transmission of the dynamic identity from server to user in each authentication request in order to provide user anonymity.
8 Conclusion
Single sign-on/multi-server environments can meet the security and privacy needs of intelligent multimedia networks, encompassing a large number of applications/networks with a single set of credentials. In 2018, Barman et al. proposed such a multi-server authentication system. In this article, we showed some security weaknesses of Barman et al.’s protocol. We then proposed a new enhanced authentication scheme for multi-server scenarios. Based on three factors including biometrics, the proposed scheme makes use of fuzzy commitment to correct errors in biometrics captured in noisy environments. The proposed scheme provides anonymity and privacy along with other security properties and resists the known attacks. The BAN logic based formal analysis as well as the informal security discussion prove the robustness of the proposed scheme. Moreover, the automated AVISPA tool also validates the security claims. The proposed scheme completes an authentication cycle in just 2.2789 milliseconds.
References
Ali R, Pal AK (2017) Three-factor-based confidentiality-preserving remote user authentication scheme in multi-server environment. Arab J Sci Eng 42 (8):3655–3672
Amin R, Biswas G (2015) A novel user authentication and key agreement protocol for accessing multi-medical server usable in tmis. Journal of medical systems 39(3):33
Armando A, Basin D, Cuellar J, Rusinowitch M, Viganò L (2006) AVISPA: automated validation of internet security protocols and applications. ERCIM News 64(January)
Arshad H, Nikooghadam M (2016) An efficient and secure authentication and key agreement scheme for session initiation protocol using ecc. Multimedia Tools and Applications 75(1):181–197
Barker E, Barker W, Burr W, Polk W, Smid M (2012) Recommendation for key management part 1: General (revision 3). NIST special publication 800(57):1–147
Barman S, Das AK, Samanta D, Chattopadhyay S, Rodrigues JJ, Park Y (2018) Provably secure multi-server authentication protocol using fuzzy commitment. IEEE Access 6:38578–38594
Burrows J (2015) Secure hash standard. FIPS PUB 180-1, National Institute of Standards and Technology (NIST), US Department of Commerce, April 1995
Burrows M, Abadi M, Needham RM (1989) A logic of authentication. Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences 426(1871):233–271
Canetti R, Krawczyk H (2001) Analysis of key-exchange protocols and their use for building secure channels. In: International conference on the theory and applications of cryptographic techniques, pp 453–474. Springer
Chaudhry SA, Naqvi H, Khan MK (2018) An enhanced lightweight anonymous biometric based authentication scheme for tmis. Multimedia Tools and Applications 77(5):5503–5524
Chen CM, Wang KH, Yeh KH, Xiang B, Wu TY (2019) Attacks and solutions on a three-party password-based authenticated key exchange protocol for wireless communications. Journal of Ambient Intelligence and Humanized Computing 10(8):3133–3142
Chen CM, Xiang B, Liu Y, Wang KH (2019) A secure authentication protocol for internet of vehicles. IEEE Access 7:12047–12057
Chuang MC, Chen MC (2014) An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications 41(4):1411–1418
Debiao H, Jianhua C, Rui Z (2012) A more secure authentication scheme for telecare medicine information systems. Journal of medical systems 36 (3):1989–1995
Dolev D, Yao A (1983) On the security of public key protocols. IEEE Transactions on information theory 29(2):198–208
Ghani A, Mansoor K, Mehmood S, Chaudhry SA, Rahman AU, Najmus Saqib M (2019) Security and key management in iot-based wireless sensor networks: an authentication protocol using symmetric key. Int J Commun Syst 32 (16):e4139
Hao F, Anderson R, Daugman J (2006) Combining crypto with biometrics effectively. IEEE transactions on computers 55(9):1081–1088
He D, Wang D (2014) Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst J 9(3):816–823
Hussain S, Chaudhry SA (2019) Comments on “biometrics-based privacy-preserving user authentication scheme for cloud-based industrial internet of things deployment”. IEEE Internet of Things Journal 6(6):10936–10940
Irshad A, Sher M, Chaudhry SA, Xie Q, Kumari S, Wu F (2018) An improved and secure chaotic map based authenticated key agreement in multi-server architecture. Multimedia Tools and Applications 77(1):1167–1204
Irshad A, Sher M, Nawaz O, Chaudhry SA, Khan I, Kumari S, et al. (2017) A secure and provable multi-server authenticated key agreement for tmis based on amin. scheme. Multimedia Tools and Applications 76(15):16463–16489
Juang WS, Chen ST, Liaw HT (2008) Robust and efficient password-authenticated key agreement using smart cards. IEEE Trans Ind Electron 55(6):2551–2556
Juels A, Wattenberg M (1999) A fuzzy commitment scheme. In: Proceedings of the 6th ACM conference on Computer and communications security, pp 28–36. ACM
Kilinc HH, Yanik T (2014) A survey of sip authentication and key agreement schemes. Communications Surveys & Tutorials, IEEE 16(2):1005–1023
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Annual international cryptology conference, pp 388–397. Springer
Kumar V, Ahmad M, Kumari A, Kumari S, Khan M (2019) Sebap: a secure and efficient biometric-assisted authentication protocol using ecc for vehicular cloud computing. Int J Commun Syst, pp e4103. https://doi.org/10.1002/dac.4103
Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772
Lee J, Ryu S, Yoo K (2002) Fingerprint-based remote user authentication scheme using smart cards. Electron Lett 38(12):554–555
Lin CH, Lai YY (2004) A flexible biometrics remote user authentication scheme. Computer Standards & Interfaces 27(1):19–23
Lin H, Wen F, Du C (2017) An anonymous and secure authentication and key agreement scheme for session initiation protocol. Multimedia Tools and Applications 76(2):2315–2329
Lu Y, Li L, Yang X, Yang Y (2015) Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS One 10(5):e0126323
Lwamo NM, Zhu L, Xu C, Sharif K, Liu X, Zhang C (2019) Suaa: a secure user authentication scheme with anonymity for the single & multi-server environments. Information Sciences 477:369–385
Mansoor K, Ghani A, Chaudhry SA, Shamshirband S, Ghayyur SAK (2019) Securing iot based RFID systems: a robust authentication protocol using symmetric cryptography. Sensors 19:21. https://doi.org/10.3390/s19214752
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE transactions on computers 51(5):541–552
Mir O, Nikooghadam M (2015) A secure biometrics based authentication with key agreement scheme in telemedicine networks for e-health services. Wirel Pers Commun 83(4):2439–2461
Mishra D, Das AK, Mukhopadhyay S (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 41(18):8129–8143
Mitchell CJ, Tang Q (2005) Security of the lin-lai smart card based user authentication scheme Technical Report
Nguyen NT, Chang CC (2018) A biometric-based authenticated key agreement scheme for session initiation protocol in ip-based multimedia networks. Multimedia Tools and Applications 77(18):23909–23947
Qi M, Chen J (2017) An efficient two-party authentication key exchange protocol for mobile environment. Int J Commun Syst 30(16):e3341
Qi M, Chen J (2018) New robust biometrics-based mutual authentication scheme with key agreement using elliptic curve cryptography. Multimedia Tools and Applications 77(18):23335–23351
Ratha NK, Chikkerur S, Connell JH, Bolle RM (2007) Generating cancelable fingerprint templates. IEEE Transactions on pattern analysis and machine intelligence 29(4):561–572
Ravanbakhsh N, Nazari M (2018) An efficient improvement remote user mutual authentication and session key agreement scheme for e-health care systems. Multimedia Tools and Applications 77(1):55–88
Reddy AG, Das AK, Odelu V, Ahmad A, Shin JS (2018) A privacy preserving three-factor authenticated key agreement protocol for client–server environment. Journal of Ambient Intelligence and Humanized Computing 10(2):661–680
Reddy AG, Yoon EJ, Das AK, Odelu V, Yoo KY (2017) Design of mutually authenticated key agreement protocol resistant to impersonation attacks for multi-server environment. IEEE access 5:3622–3639
Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126
Sood SK, Sarje AK, Singh K (2011) A secure dynamic identity based authentication protocol for multi-server architecture. J Netw Comput Appl 34(2):609–618
Wang C, Zhang X, Zheng Z (2016) Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme. PLoS One 11(2):e0149173
Wu ZY, Lee YC, Lai F, Lee HC, Chung Y (2012) A secure authentication scheme for telecare medicine information systems. Journal of medical systems 36(3):1529–1535
Zhu Z (2012) An efficient authentication scheme for telecare medicine information systems. Journal of medical systems 36(6):3833–3838
Cite this article
Rehman, H.U., Ghani, A., Chaudhry, S.A. et al. A secure and improved multi server authentication protocol using fuzzy commitment. Multimed Tools Appl 80, 16907–16931 (2021). https://doi.org/10.1007/s11042-020-09078-z