More efficient key-hash based fingerprint remote authentication scheme using mobile device

Abstract

Today, the world is taking large leaps of progress in technology. The technology is turning the vision of achieving transparency, speed, accuracy, authenticity, friendliness and security in various services and access control mechanisms, into reality. Consequently, new and newer ideas are coming forth by researchers throughout the world. Khan et al. (Chaos Solitons Fractals 35(3):519–524, 2008) proposed remote user authentication scheme with mobile device, using hash-function and fingerprint biometric. In 2012, Chen et al. pointed out forged login attack through loss of mobile device on Khan et al.’s scheme and subsequently proposed a scheme to improve on this drawback. Truong et al. (Proceedings of 26th IEEE International Conference on Advanced Information Networking and Applications, pp 678–685, 2012) demonstrated that in Chen et al.’s scheme, an adversary can successfully replay an intercepted login request. They also showed that how an adversary can make fool of both the participants of Chen et al.’s protocol by taking advantage of the fact that the user is not anonymous in scheme. Further, they proposed an improvement to Chen et al.’s scheme to cut off its problems. Through this paper, we show that Chen et al.’s scheme has some other drawbacks too and the improvement proposed by Truong et al. is still insecure and vulnerable. We also propose an improved scheme which overcomes the flaws and inherits the goodness of both the schemes, Chen et al.’s scheme and Truong et al.’s scheme.

1 Introduction

In this era of rapidly developing and changing variety of communication technologies, remote authentication schemes have been important tools to communicate between entities. Since 1981, when Lamport [1] proposed the first remote authentication scheme using one-time password, many new proposals and improvements have been proposed [2–6] in this field. In 2000, Hwang and Li [7] proposed the first remote authentication scheme with smart card. After this many schemes [8–15] were proposed employing smart cards. Recently, biometric characteristics (fingerprint, face, voice, etc.) have joined the family of authentication factors (password, smart card, etc.), and are playing crucial role in enhancing the security of authentication mechanisms [16–25]. With rapidly growing mobile technology, mobile devices such as mobile phones, PDAs, personal navigation device, etc, are being widely used in day-to-day life. In 2008, Khan et al. [16] proposed biometric based remote user authentication scheme making use of mobile device. In 2010, Chen et al. [17] identified that Khan et al.’s scheme is attackable by an adversary by extracting secret information from mobile device; they also proposed a scheme to mend this shortcoming. In 2012, Truong et al. [26] demonstrated that Chen et al.’s scheme fails to withstand replay attack, server and user spoofing attack and lacks user’s anonymity; they also proposed an enhancement of Chen et al.’s scheme to get rid of these attacks. We identified [27] that Chen et al.’s scheme [17] has some drawbacks other than those pointed out by Truong et al. In [27] we continued Truong et al.’s ‘user and server spoofing attack’ to apply password guessing attack and described how three-factor security falls ineffective in Chen et al.’s scheme [17].

With this paper, we display that both the schemes [17, 26] suffer from pitfalls. We reveal that Chen et al.’s scheme is susceptible to password guessing attack if an attacker obtains the mobile device of a user. Afterward, we crypt analyze the improvement of Chen et al.’s scheme proposed by Truong et al. We exhibit, how an adversary can impersonate user and server, using information extracted from mobile device of user and an intercepted login request. Moreover, we explain that these impersonation attacks are feasible with only an intercepted login request in hand. We show that the improved scheme still cannot resist password guessing attack. Besides, the anonymity provided to user is imperfect in the sense that any two (or more) login requests or a login request and the corresponding mobile device belonging to the same user can be traced in Truong et al.’s scheme. Further, we explain that the improved scheme by Truong et al. suffers from the same drawbacks which Chen et al.’s scheme has, like violation of three factor security; server’s secret key is at risk etc. Accordingly, we propose a scheme to get rid of security pitfalls of both the schemes [17, 26].

The remainder of the paper is organized as follows: in the next two sections, we review Chen et al.’s scheme and Truong et al.’s scheme, respectively. In Sect. 4, we show the security weaknesses of Chen et al.’s scheme and Truong et al.’s scheme. It is Sect. 5, where we propose our protocol. In Sect. 6, the proposed scheme is analyzed for its security and usability aspects. Section 7 is about performance analysis of the proposed scheme. We conclude the paper with Sect. 8.

2 Review of Chen et al.’s scheme

The scheme consists of four phases: the registration phase, the login phase, the authentication phase and the password change phase. Each of these phases is described as follows:

2.1 Registration phase

This phase is meant to register the user with server \(S\). It is conducted over a secure channel indicated by ‘\(\Rightarrow \)’. The description of the phase is as follows:

1. 1.

   \(U_{i}\) chooses its identity \(ID_{i,}\) password PW, and a random nonce \(N\).

2. 2.

   Then computes \(h (PW\, \oplus \, N)\) and gives the imprint of his fingerprint on the sensor.

3. 3.

   \(U_{i} \Rightarrow S\): registration request = \(\{ID_{i}, h(PW \oplus N), F_{i})\}\), here \(F_{i}\) is the fingerprint template of \(U_{i}\).

On receiving the registration request of \(U_{i}\), the server performs the following steps using his secret key \(x\), cryptographic hash function \(h\)(.) and cryptographic keyed-hash function \(h_{k}(.)\) with a secret key \(k\).

1. 4.

   Computes \(hpw=h(PW \oplus N) \oplus F_{i}, R_{i}=h(ID_{i} \oplus x) \oplus hpw\) and \(V_{i}=h_{h(IDi\oplus x)}(F_{i})\).

2. 5.

   \(S \Rightarrow U_{i}\): secret information = \(\{R_{i}, V_{i}, h(.), h_{k}(.)\}\).

On receiving this secret information from server, \(U_{i}\) performs as follows:

1. 6.

   \(U_{i}\) stores \(\{R_{i}, V_{i}, h(.), h_{k}(.)\}\) and \(N\) into his mobile device.

2.2 Login phase

This phase facilitates user to login to the server \(S\). For this, \(U_{i}\) inserts his identity \(ID_{i,}\) password PW and imprints his fingerprint \(F_{i}\) on the sensor. Then the mobile device of \(U_{i}\) performs the following steps.

1. 1.

   Computes \(hpw= h(PW \oplus N) \oplus F_{i}\) and \(A_{i}=R_{i} \oplus hpw\).

2. 2.

   Verifies if \(h_{Ai}(F_{i})=V_{i}\). If so, then the mobile device proceeds to next step and stores the fingerprint template \(F_{i}\) until the end of session; otherwise, it lapse the session.

3. 3.

   Generates a random nonce \(N_{U}\), and calculates \(C_{1}=N_{U} \oplus A_{i}\) and \(C_{2}=h_{Ai}(N_{U})\) to challenge \(S\).

4. 4.

   \(U_{i} \rightarrow S\): login request = \(\{ID_{i}, C_{1}, C_{2}\}\).

2.3 Authentication phase

In this phase, both, the server and the user, verify the authenticity of each other. Description of the steps performed is as follows:

1. 1.

   On receiving the login request of \(U_{i},S\) checks the validity of \(ID_{i}\) format.

2. 2.

   If \(ID_{i}\) format is correct, then \(S\) computes \(h(ID_{i}\oplus x)\) and retrieves \(B_{i}=C_{1} \oplus h (ID_{i} \oplus x))\), which must be \(N_{U}\) indeed.

3. 3.

   Next, \(S\) verifies if \(h_{h(IDi\oplus { x)}}(B_{i})=C_{2}\). If not so, rejects the login request; otherwise, accepts login request and temporarily stores \(ID_{i}\) till the end of the session.

4. 4.

   \(S \rightarrow U_{i}:\{S_{1}\}\). The server computes \(S_{1}=h(h(ID_{i}\oplus x) || B_{i})\) and sends \(S_{1}\) to \(U_{i}\).

On receiving \(\{S_{1}\}\) from \(S\), the user performs the following steps to authenticate the server:

1. 5.

   Verifies whether \(h(A_{i} || N_{U})=S_{1}\). If so, then the legitimacy of server gets confirmed.

2. 6.

   Chooses a new random nonce \(N^{*}\), computes \(hpw^{*}=h(PW \oplus N^{*})\oplus F_{i}\) and \(R_{i}^{*}=R_{i} \oplus hpw \oplus hpw^{*}\)

3. 7.

   Replaces \(N\) and \(R_{i}\) with \(N^{*}\) and \(R_{i}^{*}\) respectively.

2.4 Password change phase

The password change phase facilitates the user to change his password PW to a new one, say \(PW^{*}\). Following are the steps performed by the user and its mobile device:

1. 1.

   \(U_{i}\) inserts his identity \(ID_{i},\) password PW and imprints his fingerprint \(F_{i}\) into its mobile device.

2. 2.

   The mobile device computes \(hpw= h(PW \oplus N) \oplus F_{i}\), and checks if \(h_{(Ri\oplus {hpw)}}(F_{i})=V_{i}\). If not so, then the mobile device stops further action. Otherwise, allows \(U_{i}\) to insert a new password \(PW^{*}\).

3. 3.

   The mobile device computes \(hpw^{*}=h(PW^{*} \oplus N)\oplus F_{i},\; R_{i}^{*}=R_{i} \oplus {hpw} \oplus hpw^{*}\) and replace\(R_{i}\) with \(R_{i}^{*}\).

3 Review of Truong et al.’s scheme

The scheme consists of four phases: the registration phase, the login phase, the mutual authentication and session key agreement phase, and the password change phase. Each of the phases is described as follows:

3.1 Registration phase

This phase is meant to register the user with server \(S\). It is conducted over a secure channel. The description of the phase is as follows:

1. 1.

   \(U_{i}\) chooses its identity \(ID_{i,}\) password PW, and a random nonce \(N\).

2. 2.

   Then computes \(h(PW \oplus N)\) and gives the imprint of his fingerprint on the sensor.

3. 3.

   \(U_{i} \Rightarrow S\): Registration request = \(\{ID_{i}, h(PW \oplus N), F_{i})\}\), here \(F_{i}\) is the fingerprint template of \(U_{i}\).

On receiving the registration request of \(U_{i}\), the server performs the following steps:

1. 4.

   Generates a random value \(e\). Computes \(hpw = h( PW \oplus N) \oplus F_{i}, E_{i}= hpw \oplus h(x \,||\, e), R_{i}= h(ID_{i} \oplus h(x \,||\, e)) \oplus hpw\) and \(V_{i} = h_{{h(IDi } \oplus {h(x\,||\, e))}}(F_{i})\).

2. 5.

   \(S \Rightarrow U_{i}\): secret information = \(\{R_{i}, V_{i}, E_{i}, e, h(.), h_{k}(.)\}\).

On receiving this secret information from server, \(U_{i}\) performs as follows:

1. 6.

   Stores \(\{R_{i}, V_{i}, E_{i}, e, h(.), h_{k}(.)\}\) and \(N\) into his mobile device.

3.2 Login phase

This phase facilitates user to login to the server \(S\). For this, \(U_{i}\) inserts his identity \(ID_{i,}\) password PW and imprints his fingerprint \(F_{i}\) on the sensor. Then the mobile device of \(U_{i }\) performs the following steps:

1. 1.

   Computes \(hpw = h(PW \oplus N) \oplus F_{i}\) and \(A_{i}= R_{i} \oplus hpw\).

2. 2.

   Verifies if \(h_{Ai}(F_{i})= V_{i}\). If so, then the mobile device proceeds to next step; otherwise, it lapse the session.

3. 3.

   Generates a random nonce \(N_{U}\) and calculates \(C_{1} = N_{U}\oplus E_{i} \oplus hpw, C_{2} = h_{Ai}(N_{U})\) and \(CID=ID_{i}\oplus N_{U}\).

4. 4.

   \( U_{i} \rightarrow S\): login request = \(\{CID,\; e,\; C_{1},\; C_{2}\}\), where ‘\(\rightarrow \)’ denotes a public channel.

3.3 Mutual authentication and session key agreement phase

In this phase, both, the server and the user, verify the authenticity of each other. Description of the steps performed by user and server is as follows:

On receiving the login request of \(U_{i,}\) first \(S\) performs the following steps:

1. 1.

   Retrieves \(B_{i} (=N_{U})=h(x \,||\, e) \oplus C_{1}, ID_{i} = CID \oplus N_{U}\) and checks the validity of \(ID_{i }\) format.

2. 2.

   Check if \(C_{2}=h_{h(IDi \oplus {h(x \,||\, e))}}(N_{U})\). If not so, rejects the login request; otherwise, accepts login request and temporarily stores \(ID_{i}\) till the end of the session.

3. 3.

   Generates a random nonce \(N_{S}\) and computes \(S_{1}=h(h(ID_{i} \oplus h(x \,||\, e)) \,||\, N_{S} \,||\, B_{i})\).

4. 4.

   \(S \rightarrow U_{i}: \{N_{S}, S_{1}\}\).

On receiving \(\{N_{S}, S_{1}\}\), from \(S\), the user performs the following steps to authenticate the server:

1. 5.

   Verifies if \(S_{1}=h(A_{i} \,||\, N_{S} \,||\, N_{U})\). If so, then the legitimacy of server gets confirmed; otherwise lapse the session.

2. 6.

   \(U_{i} \rightarrow S: \{S_{2}\}\). Computes \(S_{2}= h((E_{i}\oplus hpw)\,||\, N_{S})\).

On receiving \(\{S_{2}\}\) from \(U_{i}\), the server \(S\) performs the following:

1. 7.

   Verifies whether \(S_{2} = h(h(x \,||\, e) \,||\, N_{S})\). If so, authenticity of \(U_{i}\) is confirmed; otherwise this session is lapsed.

At the end of the session both \(U_{i}\) and \(S\) independently compute the session key. \(S\) computes the session key as \(SK=h(h(ID_{i} \oplus h(x \,||\, e)) \,||\, h(x \,||\, e) \,||\,N_{S}\,||\,\;B_{i})\) and \(U\) as \(SK= h(A_{i}\,||\, (E_{i} \oplus hpw) \,||\, N_{S} \,||\, N_{U})\).

3.4 Password change phase

The password change phase facilitates the user to change his password PW to a new one, say \(PW^{*}\). Following are the steps performed by the user and its mobile device:

1. 1.

   \(U_{i}\) inserts his identity \(ID_{i,}\) password PW and imprints his fingerprint \(F_{i}\) into its mobile device.

2. 2.

   The mobile device computes \(hpw= h(PW \oplus N) \oplus F_{i}\), and checks if \(h_{(Ri \oplus {hpw)}}(F_{i})=V_{i}\). If not so, then the mobile device stops further action. Otherwise, allows the user to insert a new password \(PW^{*}\).

3. 3.

   The mobile device computes \(hpw^{*}=h(PW^{*} \oplus N) \oplus F_{i}, R_{i}^{*}=R_{i} \oplus hpw \oplus hpw^{*}, E_{i}^{*}=E_{i} \oplus hpw \oplus hpw^{*}\) and replace \(R_{i}\) and \(E_{i}\) with \(R_{i}^{*}\) and \(E_{i}^{*}\) respectively.

4 Cryptanalysis of Chen et al.’s scheme and Truong et al.’s scheme

According to Rhee et al. [28], the mobile devices such as PCs, mobile phones, USBs, etc, are not perfectly tamper-resistant. In addition, some literature [29–31] indicates that the stored information of a mobile device may not be secure. Thus, we can assume that an attacker \(U_{A}\) can extract the information stored inside a mobile device.

4.1 Cryptanalysis of Chen et al.’s scheme

First of all we describe an attack by Truong et al. on Chen et al.’s scheme. It is given as follows:

4.1.1 User and server spoofing attack by Truong et al.

In Chen et al.’s scheme, using \(ID_{i}\) of \(U_{i}\), an attacker \(U_{A}\) can re-register to \(S\) by sending \(\{ID_{i}, h(PW_{new} \oplus N_{new}), F_{inew})\). Then, \(S\) sends back the information \(= \{R_{i}, V_{i}, h(.), h_{k}(.)\}\). On obtaining \(R_{i}\), the attacker \(U_{A}\) can easily obtain \(h(IDi \oplus x)\) by computing \(R_{i} \oplus h (PW_{new} \oplus N_{new})\oplus F_{inew}\). With values \(=\{ID_{i}\) and \(h(ID_{i}\oplus x)\}\) corresponding to \(U_{i}\), the attacker \(U_{A}\) can successfully login \(S\) as \(U_{i}\). For this, \(U_{A}\) computes \(C_{1}= N_{A} \oplus h(ID_{i}\oplus x), C_{2} =h_{h(IDi \oplus _x)}(N_{A})\), here \(N_{A}\) is a random nonce selected by \(U_{A }\). Then, \(U_{A}\) sends \(\{ ID_{i}, C_{1}, C_{2}\}\) to \(S\), to impersonate \(U_{i}\). Moreover, having \(h (ID_{i} \oplus x)\), the attacker \(U_{A}\) can successfully imitate \(S\) to deceive \(U_{i}\). When \(U_{i}\) sends the login request \(= \{ID_{i}, C_{1}, C_{2}\}\) to \(S\), the attacker \(U_{A}\) blocks this package and computes \(N_{U}= C_{1} \oplus h (ID_{i} \oplus x), S_{1} =h (h(ID_{i} \oplus x)\,||\, N_{U})\), and sends \(\{S_{1}\}\) to \(U_{i}\). On receiving \(\{S_{1}\}\) from \(U_{A,}\) the user \(U_{i}\) compares \(h (h(ID_{i}\oplus x)\,||\, N_{U})\) with \(S_{1}\); obviously, both of these are equal. In this way, \(U_{A}\) successfully makes fool of \(U_{i}\).

Now, further cryptanalysis of Chen et al.’s scheme by us is presented below:

4.1.2 Password guessing attack

This attack is an extension of ‘user and server spoofing attack’ proposed by Truong et al. [26] on Chen et al.’s scheme. As explained by Truong et al., an attacker \(U_{A}\) can obtain the value \(h(ID_{i} \oplus x)\) by registering to \(S\) using identity \(ID_{i}\) of \(U_{i}\) transmitted in login request. We consider the situation when this attacker gets the mobile device corresponding to the identity \(ID_{i}\), and he extracts the information \(\{R_{i}, V_{i}, h(.), h_{k}(.), N\}\) stored inside the mobile device. Then, \(U_{A}\) can guess password PW and can obtain imprint of fingerprint \(F_{i}\) of \(U\) as explained below:

1. 1.

   \(U_{A}\) computes \(R_{i} \oplus h(ID_{i} \oplus x)\) which needs to be \(hpw= h(PW\oplus N) \oplus F_{i}\).

2. 2.

   Guesses a password \(PW^{*}\), computes \(h(PW^{*} \oplus N)\) using \(N\) and obtains \(F_{i}^{*} = hpw \oplus h(PW^{*} \oplus N)\).

3. 3.

   Checks if \(h_{h(IDi \oplus {x)}}(F_{i}^{*})=V_{i}\). If so, then \(U_{A }\)now possesses PW as well as the imprint of fingerprint \(F_{i}\) of \(U_{i}\).

\(U_{A}\) may use these values of \(U_{i}\) to access other servers on behalf of \(U_{i}\) as it is convenient for a user to keep same password for different servers.

4.1.3 Scheme lacks three-factor authentication

Three-factor security is about employing three independent factors (what someone knows—like password, what someone possesses—like token or card or a small device, what someone is—like fingerprint or voice pattern) to test legitimacy and provide the entitled services to a login user. In Chen et al.’s scheme if an entity obtains \(ID_{i}\) and \(A_{i}=h(ID_{i} \oplus x)\), then there is no need of password, fingerprint and mobile device. Without knowing password of \(U_{i}\), without having mobile device of \(U_{i}\), and being other than the legitimate user, that is, without the fingerprint of legitimate user, one can easily pass the mutual authentication. Therefore, the entire exercise of employing three factors to secure the scheme goes in vain.

4.1.4 Server’s secret key is at risk

After obtaining \(h(ID_{i} \oplus x)\) as described by Truong, an attacker \(U_{A}\) may try to guess the secret key \(x\) of \(S\), as he knows \(ID_{i}\) of \(U\). A malicious user \(U_{K}\) can also try to guess \(x\) as he knows his \(ID_{i}\) and can easily extract \(A_{i}=h (ID_{i} \oplus x)\) from his mobile device.

4.2 Cryptanalysis of Truong et al.’s scheme

4.2.1 User and server impersonation attack using only an intercepted login request via ID guessing

Suppose \(U_{A}\) intercepts a login request \(\{ CID, e, C_{1}, C_{2}\}\) of \(U_{i}\). Now, \(U_{A}\) performs the following steps:

1. 1.

   Computes \(CID \oplus C_{1}\), which needs to be \(ID_{i} \oplus h(x \,||\, e)\).

2. 2.

   Computes the hash of \(ID_{i} \oplus h(x \,||\,e)\) and thus obtains \(A_{i} = h(ID_{i} \oplus h(x \,||\, e))\), which is a secret shared between \(U_{i}\) and \(S\). The value \(A_{i}\) acts as key for keyed hash function \(h_{k}(.)\).

3. 3.

   Guesses \(ID_{i}^{*}\) as identity of \(U_{i,}\) computes \(h^{*}(x \,||\, e) = ID_{i}^{*} \oplus [ID_{i} \oplus h(x \,||\, e)\)] and obtains \(N^{*}=C_{1} \oplus h^{*}(x \,||\, e)\).

4. 4.

   Computes \(C_{2}^{*}=h_{Ai}(N^{*})\) and checks if \(C_{2}=C_{2}^{*}\). If so, it implies that he has correctly guessed the identity of \(U_{i}\) and has correctly obtained the value \(h(x \,||\, e)\).

Now, \(U_{A}\) possess \(A_{i}= h( ID_{i} \oplus h(x \,||\, e))\) and \(h(x \,||\, e)\). Thus, he can easily mount user and server impersonation attack on the scheme in the following manner:

1. 1.

   \(U_{A}\) generates a random nonce \(N_{A}\) and computes \(C_{A1}=N_{A} \oplus h(x \,||\, e), C_{A2}=h_{Ai}(N_{A})\) and \(CID_{A}= ID_{i} \oplus N_{A}\).

2. 2.

   \(U_{A } \rightarrow S\): login request \(\{CID_{A}, e, C_{A1}, C_{A2}\}\).

On receiving \(\{CID_{A}, e, C_{A1}, C_{A2}\}\), the server \(S\) performs the following steps:

1. 3.

   Obtains \(N_{A} = C_{A1 } \oplus h(x \,||\, e), ID_{i} = CID_{A} \oplus N_{A}\), and checks \(ID_{i}\), which is obviously valid.

2. 4.

   Checks if \(h_{h(IDi \oplus {h(x \,||\, e))}}(N_{A})=C_{A2}\), which obviously holds. \(S\) generates a random nonce \(N_{AS}\), and computes \(S_{A1}=h(h(ID_{i} \oplus h(x||e))\,||\, N_{AS} \,||\, N_{A})\) and sends \(\{N_{AS}, S_{A1}\}\).

On receiving \(\{N_{AS}, S_{A1}\}\), the attacker \(U_{A}\) performs as follows:

1. 5.

   Computes \(S_{A2} = h(h(x \,||\, e)) \,||\, N_{AS})\) and sends it to \(S\).

On receiving \(S_{A2}\), the server \(S\), performs the following

1. 6.

   Computes \(h(h(x \,||\, e)) \,||\, N_{AS})\) and checks if it is equal to the received \(S_{A2}\), which obviously holds. At last, \(U_{A}\) computes \(SK = h(A_{i}\,||\, h(x \,||\, e) \,||\, N_{AS} \,||\, N_{A})\), which is exactly the same session key that the server calculates.

In this way, \(U_{A}\) can successfully impersonate \(U_{i }\) and \(S\) without knowing password of \(U_{i}\), without having mobile device of \(U_{i}\), and without the imprint of fingerprint \(F_{i}\) of \(U_{i}\).

4.2.2 User and server impersonation attack using information extracted from mobile device of \(U_{i}\) and an intercepted login request

In Truong et al.’s scheme, it is very easy to relate a mobile device with its corresponding login request \(\{CID, e, C_{1}, C_{2}\}\) because the random value \(e\) is common in both. Consider the situation when an attacker \(U_{A}\) successfully extracts the information \(\{R_{i}, V_{i}, E_{i}, e, h(.), h_{k}(.), N\}\) from mobile device of \(U_{i}\). Now, using the values extracted from mobile device and one of its corresponding intercepted login requests, \(U_{A}\) can obtain secret values shared between \(U_{i}\) and \(S\) in the following manner:

1. 1.

   Obtains \(I=h (ID_{i} \oplus h(x \,||\, e)) \oplus h(x \,||\, e)=E_{i} \oplus R_{i}\), using values from mobile device.

2. 2.

   Obtains \(L = ID_{i} \oplus h(x \,||\, e)=C_{1} \oplus CID\), using values from login request.

3. 3.

   Computes \(A_{i} = h(L)=h (ID_{i}\oplus h(x \,||\, e))\), which is a secret shared between \(U_{i}\) and \(S\). The value \(A_{i}\) acts as key for keyed hash function \(h_{k}(.)\).

4. 4.

   Computes \(h(x \,||\, e)=I \oplus A_{i} = [h(ID_{i} \oplus h(x \,||\, e)) \oplus h(x \,||\, e)] \oplus A_{i}\), which is another secret value embedded in the mobile device of \(U_{i}\). The value \(h(x \,||\, e)\) has key role in the entire login-authentication phase and legally only \(S\) can compute it.

Now, \(U_{A}\) possess \(A_{i}= h(ID_{i} \oplus h(x \,||\, e))\) and \(h(x \,||\, e)\). Thus, he can easily mount user and server impersonation attack on the scheme in similar way as demonstrated in previous subsection.

4.2.3 Password guessing attack

We further extend the previous scenario to password guessing attack. \(U_{A}\) having the values \(\{R_{i}, V_{i}, e, h(.), h_{k}(.), N\}\) extracted from the mobile device and possessing \(A_{i} = h (ID_{i} \oplus h(x \,||\, e))\) and \(h(x \,||\, e)\) can easily guess the password of \(U_{i}\) as explained below:

1. 1.

   Computes \(h(x \,||\, e) \oplus E_{i}\) which needs to be \(hpw= h(PW \oplus N) \oplus F_{i}\).

2. 2.

   Guesses a password \(PW^{*}\), computes \(h(PW^{*}\oplus N)\) using \(N\) and obtains \(F_{i}^{*} = hpw \oplus h(PW^{*} \oplus N)\).

3. 3.

   Checks if \(h_{h(IDi \oplus h(x\,||\,e))}(F_{i}^{*})=V_{i}\). If so, then \(U_{A}\) now possesses PW as well as the imprint of fingerprint \(F_{i}\) of \(U_{i}\).

\(U_{A}\) may use these values of \(U_{i}\) to access other servers on behalf of \(U_{i}\) as it is convenient for a user to keep same password for different servers.

4.2.4 Three-factor security and three way challenge response in scheme is at risk

In Truong et al.’s scheme, we observe that once an attacker \(U_{A}\) intercepts a login request, then he does not need password of \(U_{i}\), mobile device of \(U_{i}\), and even imprint of fingerprint \(F_{i}\) of \(U_{i}\); he can successfully pass the entire login-authentication phase to enjoy the privileges meant for \(U_{i}\) and makes fool of \(S\). Besides, he can also calculate the current session key and even any previous session key (using the corresponding intercepted login-authentication messages). With the session key obtained (previous or current), he can know about the secret communication held between \(U_{i}\) and \(S\) and may take further advantage. In this way, three-factor security and three-way challenge-response handshake technique employed in the scheme proves to be useless.

4.2.5 Server’s secret key is at risk

A malicious user \(U_{K}\) can easily extract values \(\{R_{i}, V_{i}, E_{i}, e, h(.), h_{k}(.), N\}\) from his mobile device. Then, he can guess the secret key \(x\) of \(S\) in the following manner:

1. 1.

   Computes \(hpw= h(PW \oplus N) \oplus F_{i}\), and obtains \(h(x \,||\, e)=E_{i} \oplus hpw\).

2. 2.

   Guesses \(x^{*}\), computes \(h(x^{*} \,||\, e)\) and checks if \(h(x \,||\, e)=h(x^{*} \,||\, e)\). If so, it implies his success.

Apart from a malicious user \(U_{K}\), an adversary \(U_{A}\) can also guess the secret key of \(S\). As described in Sects. 4.2.1 and 4.2.2, \(U_{A}\) can obtain \(h(x \,||\, e)\) and he has \(e\) from intercepted login request; so he can guess the secret key \(x\) of \(S\) in similar way as in step-2 by \(U_{K}\).

5 The proposed scheme

In this section we propose an improvement of Chen et al.’s scheme and Truong et al.’s scheme. Our proposed scheme remedies the flaws and maintains the advantages of both the original versions. The scheme is divided into the four phases of registration, login, mutual authentication and key agreement phase, and password change phase.

General idea of the proposed scheme

• Instead of \(h(x \,||\, e)\) used in Truong et al.’s scheme, we make use of \(h(x \,||\, e \,||\, IDS)\), where IDS is the secret identity of server \(S\) known only to \(S\). Unlike \(h(x \,||\, e),\) the value \(h(x \,||\, e \,||\, IDS)\) contains two unknown values \(\{x, IDS\}\). This resists anyone from guessing the secret key and the secret identity of server \(S\) from \(h(x \,||\, e \,||\, IDS)\).

• Unlike Truong et al.’s scheme, in the proposed scheme, \(U_{i}\) does not stores random nonce \(N\) in plaintext inside its mobile device. This resists the password guessing attack in case of mobile device loss.

• While computing \(hpw= h(PW\,||\, N) \otimes F_{i,}\) we make use of bitwise NOR operator \(\otimes \) instead of exclusive OR operator \(\oplus \). This restricts any adversary from extracting the values \(\{h(PW\,||\, N), F_{i}\}\) out of hpw from a lost mobile device. With this little modification, guessing attempt is not possible in the proposed scheme by the way similar to password guessing attempt in Chen et al.’s scheme as shown in Sect. 4.1.2.

• Unlike Truong et al.’s scheme, in the proposed scheme, the random value \(e\) (generated by \(S\) for each user) is neither stored in plaintext inside \(U_{i}\)’s mobile device nor sent in plaintext through each login request. This resists anyone from tracing two (or more) login requests belonging to a particular user. Moreover, it prohibits anyone from relating a lost mobile device with its corresponding login request. This very feature safeguards our scheme from various attacks that can be mounted on a dynamic ID-based scheme. A few of such attacks are as follows:

• Attacks using two login requests belonging to the same user as shown in [32] on Gao-Tu’s scheme [33].

• Attacks using lost mobile device/smart card and its corresponding login request as we confirmed mobile device loss attack and offline password guessing attack on Truong et al.’s scheme.

Besides, it imparts strong user anonymity which some schemes [26, 33] lack even after using dynamic ID for each new login attempt.

• We modify the value \(CID= ID\oplus N_{U}\) of Truong et al.’s scheme to \(RCID = ID \oplus h(N_{U}) \oplus e\) in the proposed scheme. This modification resists guessing of user’s ID and subsequent impersonation attacks using only an intercepted login request as in [26].

Now, we describe the proposed scheme with its four phases along with Fig. 1, depicting the entire protocol in a sequence.

Fig. 1

The proposed scheme

5.1 Registration phase

When a user \(U_{i}\) wants to register to the server \(S\), he has to submit his identity \(ID_{i}, h(PW || N)\) and his fingerprint \(F_{i}\) by imprinting on the sensor to \(S\), where \(PW\) is \(U_{i}\)’s password and \(N\) is a nonce chosen by \(U_{i }\). The details are described as follows:

1. 1.

   \(S\) generates a random value \(e\). Computes \(hpw = h(PW\,||\, N) \otimes F_{i}, B_{i}= hpw \oplus e, C_{i}=hpw \oplus h(x \,||\,IDS), E_{i}=hpw \oplus h(x \,||\, e \,||\, IDS), R_{i} = h (ID_{i} \oplus h(x \,||\, e \,||\, IDS)) \oplus hpw\) and \(V_{i}= h_{h(IDi \oplus h(x \,||\, e \,||\, IDS))}(F_{i})\); here IDS is the secret identity of \(S\) and \(\otimes \) is bitwise NOR operator.

2. 2.

   \(S \Rightarrow U_{i}: \{B_{i}, C_{i}, E_{i}, R_{i}, V_{i}, h(.), h_{k}(.)\}\) to the user’s mobile device through a secure channel.

3. 3.

   Upon receiving the message from server, \(U_{i}\) stores it and enters \(ID_{i} \oplus N\) into his mobile device.

5.2 Login phase

The user \(U_{i}\) types his identity \(ID_{i}\) and password PW, and imprints his fingerprint \(F_{i}\) on sensor, to login \(S\). Then the mobile device performs the following steps:

1. 1.

   Extracts \(N= (ID_{i} \oplus N) \oplus ID_{i}\) and computes \(hpw = h(PW \,||\, N) \otimes F_{i}\). Extracts \(A_{i} = R_{i} \oplus hpw\) and checks if \(h_{Ai}(F_{i})= V_{i}\). If they are not equal, the mobile device terminates session; otherwise, it allows user to go to the next step.

2. 2.

   Retrieves \(e = hpw \oplus B_{i}\) and generates a random nonce \(N_{U}\). Computes \(C_{1} = N_{U} \oplus E_{i} \oplus hpw, RCID =ID_{i} \oplus h(N_{U}) \oplus e, C_{2} =B_{i} \oplus C_{i}\) and \(C_{3}=h_{Ai}(N_{U} \,||\, e)\).

3. 3.

   \(U_{i} \rightarrow S\): login request = \(\{RCID, C_{1}, C_{2}, C_{3}\}\), where ‘\(\rightarrow \)’ denotes a public channel.

5.3 Mutual authentication and session key agreement phase

When the server \(S\) receives the login request \(\{RCID,\;C_{1},\; C_{2},\; C_{3}\}\) from \(U_{i}\), then the following steps are performed by \(U_{i}\) and \(S\) to achieve mutual authentication.

1. 1.

   \(S\) retrieves \(e=C_{2 } \oplus h(x \,||\, IDS), N_{U}=C_{1 } \oplus h(x \,||\, e \,||\,IDS), ID_{i} = RCID \oplus h(N_{U}) \oplus e \) and checks the validity of \(ID_{i}\). Then, \(S\) computes \(h(ID_{i} \oplus h(x \,||\, e \,||\, IDS))\) and checks if \(C_{3}=h_{h(IDi \oplus h(x \,||\, e \,||\, IDS))}(N_{U}\,||\, e)\). If they are equal, \(S\) accepts \(U_{i}\)’s request, otherwise rejects. Then, \(S\) generates a random nonce \(N_{S}\), computes \(S_{1} = h(h(ID_{i} \oplus h(x \,||\, e \,||\, IDS)) \,||\, N_{S} \,||\, N_{U} \,||\, e \,||\, ID_{i})\) and \(D_{1}=N_{S} \oplus e. \;S\) sends \(\{D_{1}, S_{1}\}\) to \(U_{i}\).

2. 2.

   On receiving the message (\(D_{1}, S_{1})\), the user \(U_{i}\) retrieves \(N_{S}=D_{1} \oplus e\) checks if \(S_{1}=h(A_{i} \,||\, N_{S} \,||\, N_{U} \,||\, e \,||\, ID_{i})\). If they are not equal, mobile device terminates session; otherwise, it computes \(S_{2}= h((E_{i} \oplus hpw) \,||\, N_{S} \,||\, h(x \,||\, IDS)).\; U_{i}\) sends \(\{S_{2}\}\) to \(S\).

3. 3.

   On receiving the message \(\{S_{2}\}\), the server \(S\) checks if \(S_{2}\!=\! h(h(x \,||\, e \,||\, IDS) \,|| N_{S} || h(x \,||\,IDS))\). If they are not equal, \(S\) terminates session; otherwise, it computes session key \(SK = h(h(ID_{i} \oplus h(x \,||\, e \,||\,IDS)) \,||\, N_{S} \,||\, e \,||\,ID_{i} \,||\, h(x \,||\, e \,||\, IDS) \,||\) \( N_{U})\). Similarly, \(U_{i}\) also computes \(SK= h(A_{i} \,||\, N_{S} \,||\, e \,||\, ID_{i}\,||\, (E_{i} \oplus hpw)\,||\, N_{U})\).

5.4 Password change phase

This phase is mainly invoked whenever the user wants to change his password PW to the new password \(PW^{*}\). With this phase \(U_{i}\) can not only change his password PW to the new password \(PW^{*}\), he can also change the random nonce \(N\) to a new random nonce \(N^{*}\) and his fingerprint \(F_{i}\) to some other fingerprint \(F_{i}^{*}\) (that is, some other finger can be used to imprint a different fingerprint). Following are the detailed steps for this phase:

1. 1.

   \(U_{i}\) enters his identity \(ID_{i,}\) password PW and imprints his fingerprint \(F_{i}\) into the mobile device and request to change password (and random nonce and fingerprint).

2. 2.

   \(U_{i}\)’s mobile device extracts \(N= (ID_{i} \oplus N) \oplus ID_{i}\), computes \(hpw = h(PW\,||\, N) \otimes F_{i}\), and continues to check if \(h_{(Ri \oplus { hpw)}}(F_{i})=V_{i}\). If they are not equal, then \(U_{i}\) ’s mobile device rejects the request and terminates the operation. Otherwise, extracts \(h(ID_{i} \oplus h(x \,||\, e \,||\, IDS)) = R_{i} \oplus hpw\) and \(U_{i}\) is allowed to enter new values. \(U_{i}\) chooses new password \((PW^{*})\), new random nonce \((N^{*})\) and decides another fingerprint \((F_{i}^{*})\). Then \(U_{i}\) submits \(\{PW^{*}, N^{*}\}\) and imprints \(F_{i}^{*}\) on the sensor.

3. 3.

   \(U_{i}\)’s mobile device computes \(hpw^{*}=h (PW^{*} \,||\,N^{*}) \otimes F_{i}^{*}, B_{i}^{*}=B_{i} \oplus hpw \oplus hpw^{*}, C_{i}^{*}=C_{i} \oplus hpw \oplus hpw^{*}, E_{i}^{*}=E_{i} \oplus hpw \oplus hpw^{*}, R_{i}^{*}=R_{i} \oplus hpw \oplus hpw^{*}, V_{i}^{*}=h_{h(IDi \oplus h(x \,||\, e \,||\, IDS))}(F_{i}^{*})\); and stores \(B_{i}^{*}, C_{i}^{*}, E_{i}^{*}, R_{i}^{*}\) and \(V_{i}^{*}\) to replace \(B_{i}, C_{i}, E_{i}, R_{i}\) and \(V_{i}\) respectively.

6 Security analysis of the proposede scheme

The proposed scheme is an improvement of both schemes: Chen et al.’s scheme and Truong et al.’s scheme. Thus, we analyze the security of proposed scheme mainly under the following categories:

• Resistance to attacks pointed out by Truong et al. on Chen et al.’s scheme.

• Resistance to attacks pointed out by us on Chen et al.’s scheme.

• Resistance to attacks pointed out by us on Truong et al.’s scheme.

• Resistance to some other attacks.

At the end of this section, we would also describe a few important usable features accomplished by the proposed scheme.

• Usability

6.1 Resistance to attacks pointed out by Truong et al. on Chen et al.’s scheme

We have inherited the basic structure of the proposed scheme from Truong et al.’s scheme. Our scheme uses RCID instead of plaintext identity in login request, provides very strong user anonymity and employs three-way challenge response handshake technique. Truong et al.’s scheme is an improvement of Chen et al.’s scheme so as to resist the attacks verified by Truong et al. Therefore, attacks demonstrated by Truong et al. on Chen et al.’s scheme are not applicable on the proposed scheme.

6.2 Resistance to attacks pointed out by us on Chen et al.’s scheme

Attacks that we have pointed out on Chen et al.’s scheme are due to static identity of \(U_{i}\). Unlike Chen et al.’s scheme, in the proposed scheme, identity \(ID_{i}\) of \(U_{i}\) is not available in plaintext form through an intercepted login request; also neither an adversary \(U_{A}\) nor a malicious user \(U_{K}\) can obtain sufficient values to calculate a valid login request and other subsequent authentication messages so as to pass the login-authentication phase. For this reason, password guessing attack, server’s secret key guessing attack by an adversary \(U_{A}\), etc, cannot be mounted on the proposed scheme in way similar to that is employed for Chen et al.’s scheme.

6.3 Resistance to attacks pointed out by us on Truong et al.’s scheme

6.3.1 Resists user and server impersonation attack using an intercepted login request via IDi guessing

Unlike Truong et al.’s scheme, in the proposed scheme, \(U_{A}\) cannot obtain \(ID_{i} \oplus h(x \,||\, e \,||\, IDS)\) from an intercepted login request by performing \(C_{1} \oplus RCID (=N_{U} \oplus h(x \,||\, e \,||\,IDS) \oplus ID_{i} \oplus h(N_{U}) \oplus e)\). Thus, here guessing \(ID_{i}^{*}\), retrieving \(N_{U}^{*}\) and verifying the guess using \(C_{3}\) is not possible. Consequently, \(U_{A}\) cannot obtain the secret values \(A_{i}=h (ID_{i} \oplus h(x \,||\, e \,||\, IDS))\) and \(h(x \,||\, e \,||\, IDS)\). In addition, \(U_{A}\) cannot calculate a valid login request without knowing \(h(x \,||\, IDS)\). Therefore, impersonation attacks using an intercepted login request via \(ID_{i}\) guessing are not feasible in the proposed scheme.

6.3.2 Resistance to mobile device loss attack

Suppose an attacker steals/finds mobile device of \(U_{i}\) and somehow [29–31] extracts all information stored inside it. But \(U_{A}\) can neither make any guess nor can he obtain any secret value shared between user and server. \(U_{A}\) cannot obtain hpw from any of the values \(\{B_{i}, C_{i}, E_{i}, R_{i}\}\) without knowing the values \(\{e, h(x \,||\, IDS), h(x \,||\, e \,||\, IDS), h(ID_{i} \oplus h(x \,||\, e \,||\,IDS))\}\). Even if he somehow obtains hpw, he cannot guess the password PW from \(hpw = h(PW\,||\, N) \otimes F_{i}\) for the following reasons:

• Bitwise NOR operator \(\otimes \) is used in hpw instead of bitwise XOR operator \(\oplus \). It defends the values \(\{h(PW\,||\, N), F_{i}\}\) from extraction out of hpw.

• \(U_{A}\) cannot extract random nonce \(N\) from \(ID_{i} \oplus N\) without knowing \(ID_{i}\).

• \(U_{A}\) cannot imprint the fingerprint \(F_{i}\) of \(U_{i}\).

Furthermore, unlike Truong et al.’s scheme, here it’s not possible to relate a lost mobile device \(= \{B_{i}, C_{i}, E_{i}, R_{i}, V_{i}, ID_{i} \oplus N, h(.), h_{k}(.)\}\) with its corresponding login request = \(\{RCID, C_{1}, C_{2}, C_{3}\}\), because no value is common between them. We recall that in Truong et al.’s scheme, the random value \(e\) is common between mobile device \(= \{R_{i}, V_{i}, E_{i}, e, N, h(.), h_{k}(.)\}\) and login request \(=\{CID, e, C_{1}, C_{2}\}\).

Let us consider the situation, when somehow \(U_{A}\) manages to obtain the login request corresponding to a lost mobile device. Still he cannot be successful in obtaining any value helpful to break through the security of the proposed scheme. With values extracted from mobile device he can obtain \(h(x\,||\, e \,||\, IDS) \oplus h (ID_{i} \oplus h(x \,||\, e \,||\,IDS))\) by performing \(E_{i} \quad \oplus \quad R_{i}\) . But, unlike Truong et al.’s scheme, \(U_{A}\) cannot obtain \(ID_{i} \oplus h(x \,||\, e \,||\,IDS)\) using values from corresponding intercepted login request. So, he cannot continue to calculate \(A_{i}=h (ID_{i} \oplus h(x \,||\, e \,||\, IDS))\) and hence not \(h(x \,||\, e \,||\,IDS)\). Without these values, \(U_{A}\) cannot compute a valid login request to impersonate \(U_{i}\), as is obvious from the construction of \(C_{1} = N_{U} \oplus E_{i} \oplus hpw (= N_{U} \oplus h(x \,||\, e \,||\, IDS))\) and \(C_{3} \quad = h_{Ai}(N_{U} \,||\, e)\). Besides, it is not possible to obtain the values \(\{A_{i}=h(ID_{i} \oplus h(x \,||\, e \,||\,IDS)), h(x \,||\, e \,||\,IDS), e, ID_{i}\}\) in some other way: by combining values either from mobile device or from the intercepted login request or from both. Therefore, we can say that the proposed scheme is secure even if all the values from the mobile device are extracted.

6.3.3 Resistance to password guessing attack

We explained in previous sub-section that it is far from being possible for \(U_{A}\) to obtain the value hpw either from the mobile device alone or simultaneously employing the corresponding intercepted login request. Undoubtedly, \(U_{A}\) can perform \(E_{i} \oplus R_{i}\) to obtain \(h(x \,||\, e \,||\,IDS) \oplus h (ID_{i} \quad \oplus \quad h(x \,||\, e \,||\,IDS))\). But, without having master key \(x\) of \(S\), secret identity IDS of \(S\), random value \(e\) of \(U_{i}\), and the identity \(ID_{i}\) of \(U_{i}\), an attacker \(U_{A}\) cannot compute any such value with which PW can be guessed. Besides, password of \(U_{i}\) is very well protected by the random nonce \(N\) and imprint of fingerprint \(F_{i }\) of \(U_{i}\). Unlike Truong et al.’s scheme, in the proposed scheme the random nonce \(N\) is not stored in plaintext inside the mobile device; rather \(N\) is stored as ID \(_{i} \quad \oplus \quad N.\) Also, identity \(ID_{i}\) of \(U_{i}\) is not transmitted in plaintext in login request. In this way, unavailability of \(N\) makes it impossible for \(U_{A}\) to guess PW. Further, due to use of bitwise NOR operator \(\otimes \) instead of bitwise XOR operator \(\oplus \) in hpw, correctness of any guess for PW cannot be verified using \(V_{i}\).

6.3.4 Server’s secret key is not at risk

Even if a malicious legal user \(U_{K}\) extracts all information from his mobile device, he cannot guess the secret key of \(S\). Certainly, \(U_{K}\) can obtain \(h(x \,||\, IDS)\) and \(h(x \,||\, e \,||\, IDS)\) from \(C_{i}\) and \(E_{i}\) by performing \(C_{i} \oplus hpw\) and \(E_{i} \oplus hpw\) respectively. Although \(U_{K}\) knows its random value \(e\), yet it is not possible to guess two values \(\{x\) and \(IDS \}\) simultaneously in real polynomial time. Here, identity IDS of \(S\) is secret and known to \(S\) only.

Also, \(U_{A}\) cannot guess the secret key \(x\) of \(S\), either using a stolen mobile device alone or an intercepted login request alone or both. This is due to the fact that whatever value or combination of values \(U_{A}\) tries to guess \(x\), each of these values (like \(\{h(x\,||\, e \,||\, IDS) \oplus h(ID_{i} \oplus h(x \,||\, e \,||\,IDS))\}\) by performing \(\{E_{i} \oplus R_{i}\}\) or \(\{N_{U} \oplus h(x \,||\, e \,||\, IDS) \oplus ID_{i} \oplus h(N_{U}) \oplus e\}\) by performing \(\{C_{1 } \oplus RCID\}\) or \(\{N_{U} \oplus h(x \,||\, e \,||\,IDS) \oplus hpw \oplus h(x \,||\, IDS)\}\) by performing \(\{C_{1} \oplus C_{i}\}\), etc) require at least two unknown values to guess simultaneously; which is not possible in real polynomial time. For instance, \(U_{A}\) cannot guess the secret key \(x\) from \(h(x \,||\, e \,||\,IDS) \oplus h (ID_{i}\oplus h(x \,||\, e \,||\, IDS))\) without knowing the values \(\{e, IDS, ID_{i} \}\).

6.4 Resistance to some other attacks

This category also involves security analysis concerning the attacks which Truong et al.’s scheme withstands.

6.4.1 Resistance to malicious user attack

A legitimate but malicious user \(U_{K}\) can obtain the values \(\{e, h(x || IDS), h(x || e ||IDS),\) \( h(ID_{i} \oplus h(x \,||\,e \,||\,IDS))\}\) from his mobile device. Among these values only \(h(x \,||\, IDS\)) is common for all users; and rest of the values are user-specific due to identity \(ID_{i}\) and random value \(e\) (which are different for each user). However, to calculate a valid login request on behalf of some other legitimate user \(U_{L}\), malicious user \(U_{K}\) must know the values \(\{e_{L}, h(x \,||\, e_{L} \,||\,IDS), h(ID_{L} \oplus h(x \,||\, e_{L} \,||\, IDS))\}\). Besides, if \(U_{K}\) tries to calculate an arbitrary but valid login request on behalf of an arbitrary identity \(ID_{f}\) and an arbitrary random value \(e_{f}\), then he cannot achieve success in such effort without separately knowing the secret key \(x\) and secret identity IDS of \(S\). Subsequently, \(U_{K}\) cannot make fool of \(S\) by acting as a legitimate user \(U_{L}\), or an arbitrary user \(U_{f}\). For similar reasons, \(U_{K}\) cannot make fool of \(U_{i}\) by acting as \(S\).

6.4.2 Resistance to replay attack

In this attack, an attacker replays previously intercepted messages of the communication participants of a scheme. Like Truong et al., we also make use of random nonce (\(N_{U}\) is used by the user and \(N_{S}\) is used by the server) and three-way challenge response handshake technique to withstand replay attacks. Suppose, \(U_{A}\) replays the login request \(= \{RCID, C_{1}, C_{2}, C_{3}\}\) to \(S\), then \(S\) will send the response message \(\{D_{1}, S_{1}\}\) to \(U_{A}\). Without knowing \(\{e, h(x \,||\, IDS), h(x \,||\, e \,||\,IDS)\}\), here \(e\) is needed to retrieve the random nonce \(N_{S }\) from \(D_{1}\), the attacker \(U_{A}\) cannot compute \(S_{2} = h(h(x \,||\, e \,||\,IDS) \,||\, N_{S} \,||\, h(x \,||\,IDS))\) to respond to \(S\). Consequently, \(S\) will pick out this forged login attempt when it will not receive any response to the message \(\{D_{1}, S_{1}\}\) and will terminate the session. Hence, in the proposed scheme \(U_{A}\) cannot login successfully by replaying current or an old intercepted login request.

6.4.3 Resistance to known-key attack

Resistance to known-key attack ensures that compromise of a past session key will not result in deriving any further session key. In the proposed scheme, none of the values involved in computing the session key \(SK= h(A_{i} \,||\, N_{S} \,||\, e \,||\,ID_{i} \,||\, h(x \,||\, e \,||\,IDS) \,||)\) \(( N_{U})\) is available in plaintext. If \(U_{A}\) somehow obtains a previous/past session key, he cannot gain \(\{A_{i}, e, ID_{i}, h(x \,||\, e \,||\,IDS)\}\) due to the one-way property of hash function. Moreover, the random nonce \(\{N_{U}, N_{S}\}\) impart dynamic nature to the session key; and an attacker cannot predict what random nonce to be used in a future session key. Thus, \(U_{A}\) cannot derive any future session key.

6.4.4 Resistance to denial-of-service attack

In this attack, an attacker can update false verification information of a valid user, then this legal user cannot login \(S\) successfully anymore. Like Truong et al.’s scheme, mounting this attack through password change phase is not possible in the proposed scheme because mobile device can authenticate the legitimacy of user by verifying \(h_{(Ri} \oplus _{hpw)}(F_{i}) = V_{i}\), where \(hpw = h(PW\,||\, N) \otimes F_{i }\). Undoubtedly, \(U_{A}\) cannot change or update user’s information inside a lost mobile device, without having correct password and without being able to imprint the corresponding fingerprint \(F_{i}\). Besides, the scheme caries the legacy of no verification table or database maintained at \(S\), from its parent versions. So, the proposed scheme is free from denial-of-service attack.

6.4.5 Resistance to stolen verifier attack

Like Chen et al.’s scheme and Truong et al.’s scheme, in the proposed scheme \(S\) does not need to store anything with it. During registration phase, the server securely sends secret information \(= \{B_{i}, C_{i}, E_{i}, R_{i}, V_{i}, h(.), h_{k}(.)\}\) to \(U_{i}\), which the user saves in its mobile device. On receiving the login request \(= \{RCID, C_{1}, C_{2}, C_{3}\}, \; S\) uses its secret key \(x\) and secret identity IDS to retrieve values needed to verify the legitimacy of \(U_{i}\). As \(S\) does not maintains any verification table or database with it, so the stolen verifier attack is not applicable on the proposed scheme.

6.4.6 Resistance to man-in-the-middle attack, parallel session attack and reflection attack

Man-in-the-middle attack is a form of attack in which an attacker acts as a mid-man between user and server so that he can masquerade both of them by intercepting and modifying the communicated messages [34]. In this attack, user and server believe that they are communicating with each other; however, each of them communicates with the man-in-the-middle, that is, the attacker. In parallel session attack, an adversary can complete an authentication session with server by initiating one or more sessions simultaneously; illustrations of parallel session attack are available in [35–37]. Reflection attack is applicable on authentication schemes employing challenge-response technique for mutual authentication when same challenge-response protocol is used by each entity to authenticate the other entity. With this attack the targeted entity is tricked to provide response to its own challenge. To get rid of these attacks, our improved scheme inherits the remedy from its parent schemes, that is, \(S\) stores identity \(ID_{i}\) of \(U_{i}\), until the end of the session. When \(S\) receives the login request \(= \{RCID, C_{1}, C_{2}, C_{3}\}\) of \(U_{i},\) it authenticates the legitimacy of \(U_{i}\). As soon as \(U_{i}\) is authenticated, \(S\) stores the identity \(ID_{i}\) of \(U_{i}\), and keeps it until the end of the session to recognize the same identity login. \(U_{A}\) can immediately start a parallel session just after \(U_{i}\) sends its login request \(= \{RCID, C_{1}, C_{2}, C_{3}\}\) to \(S\) or \(U_{A}\) can send a currently intercepted login request immediately after observing the response message \(\{D_{1}, S_{1}\}\) from \(S\) as in [10, 11]. But in both the cases, the request from \(U_{A}\), will not be entertained by \(S\) because such requests will reach \(S\) before the end of the legal user \(U_{i}\)’s session. Therefore, on obtaining a value of \(ID_{i}\) similar to one which is stored, \(S\) will identify it as a false login attempt by some fraud entity and will terminate the corresponding session.

6.5 Usability

6.5.1 Strong user anonymity

We can see that in Truong et al.’s scheme, the random value \(e\) is common in all login requests of a particular user; and \(e\) is also stored in plaintext inside the mobile device of user. In the proposed scheme, \(U_{i}\) sends the login request \(\{RCID, C_{1}, C_{2}, C_{3}\}\) to \(S\). Here, \(U_{A}\) cannot know about the user of an intercepted login request as it does not contain the identity \(ID_{i}\) of \(U_{i}\) in plaintext. In addition, each value of login request is new for a new login. Unlike Truong et al.’s scheme, no one can identify that any two login requests belong to the same user. Besides, no value is common between mobile device and login request generated from it. For this reason, it is near impossible to co-relate a lost mobile device and its corresponding login request. As a result, we can say that the proposed scheme provides strong user anonymity as compared to that provided in Truong et al.’s scheme.

6.5.2 Mutual authentication

In the proposed scheme, \(U_{i}\) receives \(h(x \,||\, e \,||\, IDS)\) and random value \(e\), embedded within \(E_{i}\) and \(B_{i}\) respectively, during registration phase. With the key \(h(x \,||\, e \,||\,IDS)\), user \(U_{i}\) can compute \(C_{1}\) and \(C_{3}\); and with \(e\) he can compute RCID. Server \(S\) with secret key \(x\), secret identity IDS can retrieve random value \(e\). Then using \(\{x, IDS, e\}, S\) can retrieve random nonce \(N_{U }\) to compute \(h_{h(IDi\oplus { h(x \,||\, e \,||\,IDS))}}(N_{U} \,||\, e)\). With this value, \(S\) can authenticate the legitimacy of \(U\). Then \(S\) generates a random nonce \(N_{S}\) to send the response message \(\{D_{1}, S_{1}\}\) to \(U_{i}\). Only a legal user \(U_{i}\) can have values {\(h(x \) ||  \(IDS), h(x \,||\, e \,||\,IDS)\}\) to suitably respond to \(S\) with correct \(S_{2}\). In this way, like Truong et al.’s scheme, we also use random nonce and three-way challenge response handshake technique to achieve mutual authentication.

6.5.3 Session-key agreement

Like Truong et al.’s scheme, in the proposed scheme \(U_{i}\) and \(S\) independently calculate a common session key SK to ensure confidentiality of subsequent messages. The values \(\{h( ID_{i} \oplus h(x \,||\, e \,||\,IDS)), N_{S,} e, ID_{i}, h(x \,||\, e \,||\,IDS), N_{U}\}\) included in session key \(SK=h(h(ID_{i} \oplus h(x \,||\, e \,||\,IDS)) \,||\, N_{S} \,||\, e \,||\,ID_{i} \,||\, h(x \,||\, e \,||\,IDS) \,||\, N_{U})\) are such that only legal partners (user and server) can calculate it.

7 Performance analysis VIA comparison

Now, we judge the proposed scheme for ease and efficiency by conducting a comparative analysis with Chen et al.’s scheme and Truong et al.’s scheme. Comparisons within the respective fields are conducted below along with corresponding table depicting the results in a nutshell.

7.1 Comparison of computational complexity, memory space required and communication cost

We compile Table 1 for comparison of computational complexity, memory space required and communication cost. Each of the three schemes use hash function \(h\)(.), bitwise XOR operator \(\oplus \), and string concatenation operator \(||\). We make use of an additional operator, that is, bitwise NOR operator \(\otimes \), in our scheme. Except hash function \(h\)(.), all other operators require only few computations, so we neglect them and consider only hash function \(h\)(.) for comparison of computational complexity. Findings of Table 1 are as follows:

Table 1 Comparison of computational complexity, memory space required and communication cost

• Extra computational load on mobile device is nominal: During registration phase and authentication phase, same number of hash functions is used in all the three schemes. The proposed protocol uses an extra hash function only during the login phase. Thus, we put nominal burden of only one hash function on mobile device. Consequently, our scheme is suitable for low computation power mobile device.

• Extra computational load on remote server is quite less: On comparing our scheme with Truong et al.’s scheme, we find that the number of hash functions used during registration phase is same. We also observe that during the authentication phase, increment in the number of hash functions from Chen et al.’s scheme to Truong et al.’s scheme and from Truong et al.’s scheme to the proposed scheme are same, which is two. We use only two more hash functions than the Truong et al.’s scheme. If we look-up the extra load at server side, then it is clear that Truong et al.’s scheme needs three hash functions more than those in Chen et al.’s scheme; but our scheme needs two hash functions more than those in Truong et al.’s scheme.

• Total extra computational load is low: In totality, Chen et al.’s scheme uses 12\(h\)(.), Truong et al.’s scheme uses 15\(h\)(.) and the proposed scheme uses 18\(h\)(.). Thus, in all three extra hash functions are required to achieve the aimed security and friendly features.

To compare the proposed scheme for memory space required and communication cost, we assume all the values \(\{ID,PW, x, e\}\) and output of hash function to be 128-bit long. In the proposed scheme, the parameters \(\{B, C, E, R, V\}\) are required to be stored inside the mobile device, accordingly the required memory space is 5*128 = 640 bits. Further messages transmitted during login-authentication phase are (\(\{RCID, C_{1}, C_{2}, C_{3}\}, \{D_{1}, S_{1}\}, \{S_{1}\}\)), so that the communication cost comes out to be 7*128 = 896 bits. It is clear from Table 1 that when compared to Truong et al.’s scheme, the proposed scheme requires no extra memory space and the communication cost is also same.

7.2 Comparison regarding susceptibility to different attacks

We compile Table 2 for comparison regarding susceptibility to different attacks. Table 2 showcases two main aspects of attack analysis:

Table 2 Comparison for susceptibility to different attacks

• Undoubtedly, Truong et al.’s scheme is an improvement over Chen et al.’s scheme as it withstands two more attacks—ID-theft and replay attack; but it falls weaker than Chen et al.’s scheme for attacks via intercepted login request and via lost mobile device. Thus, Truong et al.’s scheme moves forward by two steps and at the same time retreats back again by two steps, thereby strengthening on one end but weakening on the other.

• The proposed scheme is resistant to larger number of attacks as compared to the other two schemes under consideration. It mends the security pitfalls of Chen et al.’s scheme as well as Truong et al.’s scheme.

7.3 Comparison regarding admired friendly features

We compile Table 3 to compare three schemes for the number of friendly features they achieve. Table 3 shows a remarkable increase in usable features as we move horizontally from Chen et al.’s scheme to the proposed scheme through Truong et al.’s scheme. In addition to user anonymity, our scheme also provides user un-traceability without which the anonymity of user may be at risk as in Truong et al.’s scheme. If login requests or messages pertaining to a particular user can be traced and further it is possible to relate them with the corresponding mobile device then it becomes quite easy to trace the legal user. As a result, scheme becomes vulnerable to the attacks, which were mended by avoiding the static identity. Furthermore, the proposed scheme provides three-factor security at which the other two schemes are weak.

Table 3 Comparison for providing admired friendly features

From the entire comparison, we observe that the minor addition of three hash functions is worth achieving added security features and admired usable features. Thus, the proposed scheme is more advanced in all ways- cost, complexity, resistance to attacks and usability.

8 Conclusion

Through this paper, we highlight the susceptibility of Chen et al.’s scheme and Truong et al.’s scheme to different attacks. We carried on Truong et al.’s spoofing attack to mount password guessing attack on Chen et al.’s scheme; and also elucidated some more of its flaws. Though the authors patched up the flaws of Chen et al.’s scheme in terms of an improved version, we showed that the improved protocol by Truong et al. is still feeble to defy impersonation attacks and password guessing attack. We explain that both the schemes fail to take advantage of employed three-factor security. Thus, we show that the improvement of Chen et al.’s scheme by Truong et al. does not successfully eradicate the loopholes of the original scheme; and both the schemes are insecure with the arguments what authors had considered. To dispose of the vulnerabilities of both the schemes, we further proposed an improved scheme. We profoundly analyzed the security of the proposed protocol to ensure its resistance to various attacks including those to which its original versions are open. We have also conducted a comparative study of the three schemes to analyze the strength of our proposed scheme over Chen et al.’s scheme and Truong et al.’s scheme. Through comparison, we have shown that the proposed scheme is more robust and yet maintains the simplicity of design regarding cost and complexity.