A secure biometric based multi-server authentication scheme for social multimedia networks

Abstract

Social networking is one of the major source of massive data. Such data is not only difficult to store, manipulate and maintain but it’s open access makes it security prone. Therefore, robust and efficient authentication should be devised to make it invincible against the known security attacks. Moreover, social networking services are intrinsically multi-server environments, therefore compatible and suitable authentication should be designed accordingly. Sundry authentication protocols are being utilized at the moment and many of them are designed for single server architecture. This type of remote architecture resists each user to get itself register with each server if multiple servers are employed to offer online social services. Recently multi-server architecture for authentication has replaced the single server architecture, and it enable users to register once and procure services from multiple servers. A short time ago, Lu et al. presented two authentication schemes based on three factors. Furthermore, both Lu et al.’s schemes are designed for multi-server architecture. Lu et al. claimed the schemes to be invincible against the known attacks. However, this paper shows that one of the Lu et al.’s scheme is susceptible to user anonymity violation and impersonation attacks, whereas Lu et al.’s second scheme is susceptible to user impersonation attack. Therefore an enhanced scheme is introduced in this paper. The proposed scheme is more robust than subsisting schemes. The proposed scheme is thoroughly verified and validated with formal and informal security discussion, and through the popular automated tool ProVerif. The in-depth analysis affirms that proposed scheme is lightweight in terms of computations while attaining mutual authentication and is invincible against the known attacks, hence is more suitable for automated big data analysis for social multimedia networking environments.

1 Introduction

Big data refers to the huge amount of data with complicated and diverse structure to be stored and analyzed for retrieving results. This kind of result retrieval is known as big data analysis, which is performed by disclosing concealed pattern and correlations present in the colossal data. Big data analysis is playing a vital role in present day businesses and contemporary science, because it helps organizations and companies to attain competitive benefits through deeper and wealthier insights into precious gigantic data. There are numerous sources for such gigantic data, social networking interaction is one of them. Huge social networking data storage, manipulation and transfer becomes difficult to manage and can be compromised by various security attacks therefore efficient authentication mechanism should be developed to make it more secure and reliable. Moreover social networking services are inherently multi-server environments, therefore authentication schemes must be specifically designed for multi-server architecture in order to maintain compatibility.

The first step was taken up by Lamport [35], by proposing password based authentication scheme. After that researchers proposed numerous authentication schemes based on password for various applications [36, 37, 49, 52]. Although password based authentication schemes are susceptible to a number of attacks but they laid the foundation for advance research in this area. Therefore, two factor authentication scheme are introduced in order to mitigate the security concerns of single factor authentication schemes [3–7, 14–22, 24–31, 44, 50, 53]. Two factor authentication utilize smart card along with password. Moreover, three factor authentication schemes are also introduced not only to improve the security of the transmission between the authentic users but also to provide the integrity and authenticity of the exchanged messages [1, 11, 23, 38–40, 45, 54]. Three factor authentication is achieved by utilizing biometrics along with smart card and password. However most of the authentication schemes are designed specifically for single server architecture, making it incompatible for multi-server architectures.

In 2014 [8] Chuang et al. introduced authentication scheme utilizing biometrics and smart card. They declared the scheme to be secure against the known attacks. Soon, Mishra et al. [46] identified that Chuang et al.’s scheme is not invincible to server spoofing, smart card stolen and impersonation attacks. Mishra et al. proposed authentication scheme using smart card and biometric and declared it to be secure against all security threats. Later on, Lu et al. [41, 42] recognized that Mishra et al.’s scheme is vulnerable to server spoofing and impersonation attacks and fails to provide forward secrecy. In response to Mishra et al.’s scheme Lu et al. introduced two independent three factors authentication schemes [41, 42] for multi-server architecture. Furthermore, Lu et al. declared that their schemes are invincible against the known attacks. However, this paper provide an evidence that Lu et al.’s both schemes can be compromised by the known attacks. We show that Lu et al.’s scheme-1 [41] is insecure against user anonymity violation and impersonation attacks, whereas Lu et al.’s scheme-2 [42] is insecure against user impersonation attack. This paper exhibits that by knowing the public identity of any other user, the unfair user of the system can impersonate him easily.

Rest of the paper is structured as follows: Section 2 presents notations used within the paper and primitive notions concerning one-way hash functions, BioHashing, basics of elliptic curve cryptography and the considered adversarial model. Section 3 presents review of two Lu et al.’s authentication schemes based on three factor for multi server environments, followed by their cryptanalysis performed in Section 4. The proposed scheme is discussed in Section 5. The formal and informal security analysis is performed in Section 6 followed by automated security validation in Section 7. The performance evaluation is shown in Section 8. The paper is concluded in Section 9.

2 Preliminaries

This section elaborates the notations user through out the paper and some basics relating to hash functions, BioHashing, elliptic curve cryptography and the common adversarial model.

2.1 Notations

We have listed all the notations used in the paper in Table 1.

Table 1 Notation guide

2.2 BioHashing

The biometrics is the unique and quantifiable characteristic commonly utilized to identify and designate or recognize a particular human. Biometric is practically utilized for authentication purpose and demands the physical presence of a particular person in order to be authenticated. At each imprint, biometric features (such as fingerprint, retina, face recognition and iris recognition etc) may faintly differ from the actual one, leading towards frequent false rejections of legitimate user. Frequent false rejections of legitimate user in turn degrade the performance of the latent system. In 2004, Jin et al. [32] proposed a scheme to tenacity the problem of false rejection. Jin et al.’s scheme implements two factor authentication based on iterated inner product amid biometric characteristics and tokenized pseudo-random numbers. Moreover, in order to implement Jin et al.’s scheme multiple and explicit user codes are engendered and these explicit user codes are designated as BioHash codes. Recently, numerous BioHashing schemes has been introduced [2, 43]. BioHashing is verified to be the most suitable and compatible technique that can be utilized in tiny smart devices such as smart card and smart phone etc.

2.3 Hash functions

A collision resistant hash function \(H : \{0, 1\}^{*}\rightarrow Z_{q}^{*}\) takes arbitrary size string S t r as input and produces a fixed length code/value V = H(S t r). A secure hash function should posses following attributes:

• A minor change in input (S t r) results a substantial change in out put V.

• It is computationally easy to find V = H(S t r), given H(.) and S t r.

• For given hash code V = H(S t r) and hash function H(.), finding the input S t r is computationally infeasible.

• It is difficult to find two inputs S t r ₁ ≠ S t r ₂ such that H(S t r ₁) = H(S t r ₂). This property is known as collision resistance property.

Definition 1

[Collision resistant property for secure hash functions] Given a collision resistant secure hash function H(.). The probability that an adversary \(\mathcal {A}\) can find a pair (S t r ₁ ≠ S t r ₂) such that H(S t r ₁) = H(S t r ₂) is defined as \(Adv^{HASH}_{\mathcal {A}}(t)=Prb[(Str_{1},Str_{2}) \Leftarrow _{r} \mathcal {A} : (Str_{1}\neq Str_{2})\ and\ H(Str_{1})=H(Str_{2}) ]\), where \(\mathcal {A}\) is allowed to select a pair (S t r ₁, S t r ₂) at random. \(\mathcal {A}\)’s advantage is computed over the random choices made during polynomial time (t). The collision resistant property implies that \(Adv^{HASH}_{\mathcal {A}}(t)\leq \epsilon \) for any sufficiently small 𝜖 > 0.

2.4 Elliptic curve cryptography

A non singular elliptic cure y ² = x ³ + a x + b mod p is the set of finite solutions E _p (a, b) such that \((x,y)\in Z_{p}^{*} \times Z_{p}\), a, b are chosen carefully to accommodate 4a ³ + 27b ² mod p ≠ 0 while p is a selected large prime number such that |p| ≥ 160 b i t s. The scalar multiplication over the curve is solicited as repeated addition i.e. k S = S + S + S + ......+S(k t i m e s), for a given point S and a scalar k. The parameters (a, b, p, S, k) must belong to finite field F _p . E is considered as abelian group and a point at infinity O is termed as the identity element.

Definition 2

[Elliptic curve discrete logarithm problem (ECDLP)] Given two random point U, V ∈ E _p (a, b), find a scalar x such that U = x V. The probability that a polynomial time (t) bound adversary \(\mathcal {A}\) can compute x is as follows: \(Adv_{\mathcal {A}}^{ECDLP}(t) = Prb[(\mathcal {A}(U=xV, V) = x: x\in Z_{p}]\). The ECDLP assumption implies that \(Adv_{\mathcal {A}}^{ECDLP}(t)\leq \epsilon \).

2.5 Adversarial model

In this paper, we consider the common adversarial model as mentioned in [4, 9, 12, 13]. Where according to capabilities of the adversary \(\mathcal {A}\), following assumptions are made:

1. 1.

   \(\mathcal {A}\) completely controls the public communication link. \(\mathcal {A}\) is able to intercept, replay, modify, remove or can send a new fabricated message.

2. 2.

   The information stored in a smart card can be extracted by \(\mathcal {A}\) using power analysis [33, 47] provided he has possession of the card.

3. 3.

   \(\mathcal {A}\) may be some outsider or some dishonest user of the system and knows all public parameters.

4. 4.

   \(\mathcal {A}\) knows the identities and public keys of the registered users and servers.

5. 5.

   It is assumed that all servers of the system are honest and \(\mathcal {A}\) is not allowed to compromise any server.

3 Review of Lu et al.’s schemes

In this section, we briefly review Lu et al.’s multi-server biometric based authentication schemes [41, 42] in Subsections 3.1 and 3.2 respectively.

3.1 Review of Lu et al.’s scheme-1 [41]

Lu et al.’s biometric based authentication scheme for multi-server environments [41] is illustrated in Fig. 1 and is elaborated in following three phases:

Fig. 1

Lu et al.’s Scheme-1[41]

3.1.1 Registration phase

\(\mathcal {U}_{x}\) selects his identity I D _{u x} , password P W _{u x} and imprints his biometrics B I O _{u x} . Further \(\mathcal {U}_{x}\) sends {I D _{u x} , h(P W _{u x} ∥H(B I O _{u x} ))} to RC on a private channel. Upon reception, RC computes X _{u x} = h(I D _{u x} ∥y _{r s} ) and V _{u x} = h(I D _{u x} ∥h(P W _{u x} ∥H(B I O _{u x} ))) and stores X _{u x} , h(P S K _{r s} ) and V _{u x} in the smart card S C _{u x} . RC sends smart card (S C _{u x} ) to \(\mathcal {U}_{x}\). Upon reception of smart card, \(\mathcal {U}_{x}\) computes Y _{u x} = h(P S K _{r s} ) ⊕ x _{u x} . Finally, smart card contains {X _{u x} , Y _{u x} , V _{u x} , h(.)}.

3.1.2 Login and authentication phase

\(\mathcal {U}_{x}\) enters his smart card in specialized reader and inputs his biometric B I O _{u x} , password P W _{u x} and identity I D _{u x} . Following steps are performed between the smart card (S C _{u x} ) and the server \(\mathcal {S}_{y}\):

1. Step L1A1:

   S C _{u x} checks \(V_{ux}\underset {=}{?}h(ID_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\), if it is not true, session is aborted by S C _{u x} . Otherwise, S C _{u x} computes K = h(Y _{u x} ⊕ x _{u x} )∥S I D _{s y} ) and M ₁ = K⊕I D _{u x} . Then S C _{u x} generates a nonce M ₂ = n _{u x} ⊕ K, M ₃ = K⊕h(P W _{u x} ∥H(B I O _{u x} )) and Z _{u x} = h(X _{u x} ∥n _{u x} ∥h(P W _{u x} ∥H(B I O _{u x} )∥T ₁)), where T ₁ is the fresh time stamp.

2. Step L1A2:

   Smart card S C _{u x} sends {M ₁, M ₂, M ₃, Z _{u x} , T ₁} to \(\mathcal {S}_{y}\).

3. Step L1A3:

   \(\mathcal {S}_{y}\) upon receiving login message, checks the freshness of T ₁, aborts the session if T ₁ is not fresh. Otherwise, computes K = h(h(P S K _{r s} )∥S I D _{s y} ), n _{u x} = M ₂ ⊕ K, I D _{u x} = K⊕M ₁, X _{u x} = h(I D _{u x} ∥y _{r s} ) and h(P W _{u x} ∥H(B I O _{u x} )) = M ₃ ⊕ K.

4. Step L1A4:

   \(\mathcal {S}_{y}\) verifies \(Z_{ux}\underset {=}{?}h(n_{ux}\|X_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\), if it is not true, \(\mathcal {S}_{y}\) aborts the session. Otherwise, \(\mathcal {S}_{y}\) selects a random number n _{s y} and computes M ₄ = n _{s y} ⊕ h(n _{u x} ∥X _{u x} ∥h(P W _{u x} ∥H(B I O _{u x} ))), M ₅ = h(I D _{u x} ∥n _{u x} ∥n _{s y} ∥K∥T ₂) and the session key S K _{y x} = h(n _{u x} ∥n _{s y} ∥h(P W _{u x} ∥N _{u x} )). Further \(\mathcal {S}_{y}\) sends {M ₄, M ₅, T ₂} to \(\mathcal {U}_{x}\), where T ₂ is current time stamp.

5. Step L1A5:

   Upon reception, \(\mathcal {U}_{x}\) checks the freshness of T ₂, if T ₂ is fresh \(\mathcal {U}_{x}\) computes n _{s y} = M ₄ ⊕ h(n _{u x} ∥X _{u x} ∥h(P W _{u x} ∥H(B I O _{u x} ))) and checks validity of \(M_{5} \underset {=}{?}h(ID_{ux}\|n_{ux}\|n_{sy}\|K\|T_{2})\). If it is not valid \(\mathcal {U}_{x}\) aborts the session. Otherwise, \(\mathcal {U}_{x}\) computes the session key S K _{x y} = h(I D _{u x} ∥n _{u x} ∥n _{s y} ∥K) and M ₆ = h(S K _{x y} ∥I D _{u x} ∥n _{s y} ∥T ₃). Finally \(\mathcal {U}_{x}\) sends M ₆, T ₃ to \(\mathcal {S}_{y}\), where T ₃ is current time stamp.

6. Step L1A6:

   \(\mathcal {S}_{y}\) upon receiving the message checks \(M_{6} \underset {=}{?} h(SK_{yx}\|ID_{ux}\|n_{sy}\|T_{3})\) if it holds, \(\mathcal {S}_{y}\) considers \(\mathcal {U}_{x}\) as authenticated. The session key shared among both is:

   $$ SK_{xy}=h(ID_{ux}\|n_{ux}\|n_{sy}\|K)=SK_{yx} $$

   (1)

3.1.3 Password change phase

To change password, \(\mathcal {U}_{x}\) enters his smart card in the reader, then inputs his password P W _{u x} , identity I D _{u x} and biometrics B I O _{u x} . The smart card verifies \(V_{ux}\underset {=}{?}h(ID_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\), if it is true \(\mathcal {U}_{x}\) is asked to enter his new password \(PW_{ux}^{new}\) the smart card computes \(V_{ux}^{new}=h(ID_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\) and replaces V _{u x} by \(V_{ux}^{new}\).

3.2 Review of Lu et al.’s scheme-2 [42]

In this section, we briefly review Lu et al.’s scheme-2 [42] . Lu et al. employed public key techniques to achieve user anonymity and forward secrecy. Their scheme involves three participants: a user \(\mathcal {U}_{x}\), a server \(\mathcal {S}_{y}\) and the registration center RC. The scheme is illustrated in Fig. 2. We further elaborate Lu et al.’s scheme by following three phases:

Fig. 2

Lu et al.’s scheme-2 [42]

3.2.1 Registration phase

Registration involves following three steps: \(\mathcal {U}_{x}\) selects his identity I D _{u x} , password P W _{u x} , a random number N _{u x} along with his master private key x _{u x} . Then \(\mathcal {U}_{x}\) scans his biometrics B I O _{u x} . Further \(\mathcal {U}_{x}\) sends {I D _{u x} , h(P W _{u x} , N _{u x} )} to RC on a private channel. RC computes R _{u x} = h(I D _{u x} ∥h(P W _{u x} ∥N _{u x} )) and personalizes the smart card S C _{u x} by {R _{u x} , h(P S K _{r s} )}, where P S K _{r s} is the shared secret key between RC and \(\mathcal {S}_{y}\). RC using private channel sends S C _{u x} to \(\mathcal {U}_{x}\). Upon receiving smart card, \(\mathcal {U}_{x}\) computes X _{u x} = h(P S K _{r s} )⊕x _{u x} , B _{u x} = N _{u x} ⊕ H(B I O _{u x} ). Then \(\mathcal {U}_{x}\) deletes h(P S K _{r s} ) from smart card (S C _{u x} ) and stores X _{u x} and B _{u x} in the smart card (S C _{u x} ). Finally the smart card (S C _{u x} ) contains {R _{u x} , X _{u x} , B _{u x} , h()}.

3.2.2 Login and authentication phase

During login phase \(\mathcal {U}_{x}\) inserts his S C _{u x} into card reader, imprints his biometrics (B I O _{u x} ) and submits I D _{u x} and P W _{u x} . The steps performed by S C _{u x} and \(\mathcal {S}_{y}\) are as follows:

1. Step L1A1:

   S C _{u x} computes N _{u x} = B _{u x} ⊕ H(B I O _{u x} ) and \(R_{ux}^{\prime }=h(ID_{ux}\|h(PW_{ux}\|N_{ux}))\).

2. Step L1A2:

   S C _{u x} verifies \(R_{ux}\underset {=}{?}h(ID_{ux}\|h(PW_{ux}\|N_{ux}))\), if not true, S C _{u x} aborts the session.

3. Step L1A3:

   S C _{u x} generates a random number n _{s y} and computes \(M_{1}=E_{Pub_{sy}}(ID_{ux},n_{ux},h(PW_{ux}\|N_{ux}))\) and M ₂ = h((X _{u x} ⊕ x _{u x} )∥n _{u x} ∥h(P W _{u x} ∥N _{u x} ))

4. Step L1A4:

   Further, S C _{u x} sends login message {M ₁, M ₂} to \(\mathcal {S}_{y}\).

5. Step L1A5:

   For the received login message, \(\mathcal {S}_{y}\) using his private key decrypts M ₁ to get (I D _{u x} , n _{u x} , h(P W _{u x} ∥N _{u x} )).

6. Step L1A6:

   \(\mathcal {S}_{y}\) checks whether \(M_{2}\underset {=}{?}h(h(PSK_{rs})\|n_{ux}\|h(PW_{ux}\|N_{ux}))\), if not true \(\mathcal {S}_{y}\) aborts the session. Otherwise, \(\mathcal {S}_{y}\) selects a random number n _{s y} and computes M ₃ = n _{s y} ⊕ h(n _{u x} ∥I D _{u x} ∥h(P W _{u x} ∥N _{u x} )), the session key S K _{y x} = h(n _{u x} ∥n _{s y} ∥h(P W _{u x} ∥N _{u x} )) and M ₄ = h(I D _{u x} ∥n _{u x} ∥S K _{y x} ∥h(P W _{u x} ∥N _{u x} )). Further \(\mathcal {S}_{y}\) sends {M ₃, M ₄} to \(\mathcal {U}_{x}\).

7. Step L1A7:

   For the received login message, \(\mathcal {U}_{x}\) computes n _{s y} = M ₃ ⊕ h(n _{u x} ∥I D _{u x} ∥ h(P W _{u x} ∥N _{u x} )) and session key S K _{x y} = h(n _{u x} ∥n _{s y} ∥h(P W _{u x} ∥N _{u x} )). \(\mathcal {U}_{x}\) then checks \(M_{4} \underset {=}{?}h(ID_{ux}\|n_{ux}\|SK_{xy}\|h(PW_{ux}\|N_{ux}))\). If it holds, \(\mathcal {U}_{x}\) ponders \(\mathcal {S}_{y}\) as authenticated.

8. Step L1A8:

   Finally, \(\mathcal {U}_{x}\) computes and sends M ₅ = h(S K _{x y} ∥I D _{u x} ∥n _{s y} ∥h(P W _{u x} ∥N _{u x} )) to \(\mathcal {S}_{y}\).

9. Step L1A9:

   \(\mathcal {S}_{y}\) checks \(M_{5} \underset {=}{?} h(h(SK_{yx}\|ID_{ux}\|n_{sy}\|h(PW_{ux}\|N_{ux}))\) if it holds, \(\mathcal {S}_{y}\) ponders \(\mathcal {U}_{x}\) as authenticated.

The computed shared key between \(\mathcal {U}_{x}\) and \(\mathcal {S}_{y}\) is:

$$ SK_{xy}=h(n_{ux}\|n_{sy}\|h(PW_{ux}\|N_{ux}))=SK_{yx} $$

(2)

3.2.3 Password change phase

\(\mathcal {U}_{x}\) inserts his smart card (S C _{u x} ) in specialized reader. \(\mathcal {U}_{x}\) then inputs I D _{u x} , P W _{u x} and B I O _{u x} . S C _{u x} computes N _{u x} = B _{u x} ⊕ H(B I O _{u x} ) and checks R _{u x} = h(I D _{u x} ∥h(P W _{u x} ∥N _{u x} )), if it holds S C _{u x} asks for new password. \(\mathcal {U}_{x}\) inputs new password \(PW_{ux}^{new}\). S C _{u x} computes \(R_{ux}^{new}=h(ID_{ux}\|h(PW_{ux}^{new}\|N_{ux}))\). Finally S C _{u x} replaces R _{u x} by \(R_{ux}^{new}\).

4 Cryptanalysis of Lu et al.’s schemes

This section performs cryptanalysis of Lu et al.’s schemes. We show that Lu et al’s scheme-1 is vulnerable to: (1) user anonymity violation attack and (2) user impersonation attack. Likewise, we show that Lu et al.’s scheme-2 is vulnerable to user impersonation attack.

4.1 Weaknesses of Lu et al.’s scheme-1

4.1.1 User anonymity violation attack

To mount a successful user impersonation attack, initially an attacker \(\mathcal {A}\) selects his identity I D _{u a} , password P W _{u a} , biometrics B I O _{u a} and his own secret key x _{u a} . Then \(\mathcal {A}\) registers to the system and obtains a smart card containing X _{u a} = h(I D _{u a} ∥y _{r s} ), V _{u a} = h(I D _{u a} ∥h(P W _{u a} ∥H(B I O _{u a} ))) and Y _{u a} = h(P S K _{r s} )⊕x _{u a} . \(\mathcal {A}\) performs following steps for the successful anonymity violation attack:

1. Step L1A1:

   \(\mathcal {A}\) extracts h(P S K _{r s} ) as follows:

   $$ h(PSK_{rs})=x_{ua}\oplus Y_{ua} $$

   (3)
2. Step L1A2:

   When \(\mathcal {U}_{x}\) initiates the authentication requests by sending Z _{u x} , M ₁, M ₂, M ₃, T ₁ to \(\mathcal {S}_{y}\). \(\mathcal {A}\) intercepts the message and computes:

   $$\begin{array}{@{}rcl@{}} &&K=h(h(PSK_{rs}\|SID_{sy})) \end{array} $$

   (4)
   $$\begin{array}{@{}rcl@{}} &&n_{ux}=M_{2}\oplus K \end{array} $$

   (5)
   $$\begin{array}{@{}rcl@{}} &&ID_{ux}=K\oplus M_{1} \end{array} $$

   (6)

In (6) I D _{u x} is the real identity of user \(\mathcal {U}_{x}\). Hence \(\mathcal {A}\) has successfully break the anonymity of \(\mathcal {U}_{x}\).

4.1.2 User impersonation attack

Here, we prove that Lu et al.’s scheme-1 is vulnerable to impersonation attack. We show that an adversary \(\mathcal {A}\) can impersonate any other registered user of the system if he becomes able to steal his smart card. Initially \(\mathcal {A}\) extracts X _{u x} = h(I D _{u x} ∥y _{r s} ) out of a stolen smart card. Then he performs following steps to impersonate himself as \(\mathcal {U}_{x}\):

1. Step L1A1:

   \(\mathcal {A}\) computes:

   $$\begin{array}{@{}rcl@{}} &&K=h(h(PSK_{rs}\|SID_{sy})) \end{array} $$

   (7)
   $$\begin{array}{@{}rcl@{}} &&M_{1}= K \oplus ID_{ux} \end{array} $$

   (8)
2. Step L1A2:

   \(\mathcal {A}\) generates two random numbers n _{u a} and P _{u a} . Then generates time stamp T ₁ and computes:

   $$\begin{array}{@{}rcl@{}} &&M_{2}=n_{ua}\oplus K \end{array} $$

   (9)
   $$\begin{array}{@{}rcl@{}} &&M_{3}= K \oplus P_{ua} \end{array} $$

   (10)
   $$\begin{array}{@{}rcl@{}} &&Z_{ua}= h(X_{ux}\|n_{ua}\|P_{ua}\|T_{1}) \end{array} $$

   (11)
3. Step L1A3:

   \(\mathcal {A}\) sends {Z _ua , M ₁, M ₂, M ₃, T ₁} to \(\mathcal {S}_{y}\).

4. Step L1A4:

   \(\mathcal {S}_{y}\) upon receiving login message, checks the freshness of T ₁, as T ₁ is freshly generated so \(\mathcal {S}_{y}\) computes:

   $$\begin{array}{@{}rcl@{}} &&K=h(h(PSK_{rs})\|SID_{sy}) \end{array} $$

   (12)
   $$\begin{array}{@{}rcl@{}} &&n_{ua}=M_{2}\oplus K \end{array} $$

   (13)
   $$\begin{array}{@{}rcl@{}} &&ID_{ux}=K\oplus M_{1} \end{array} $$

   (14)
   $$\begin{array}{@{}rcl@{}} &&X_{ux}=h(ID_{ux}\|y_{rs}) \end{array} $$

   (15)
   $$\begin{array}{@{}rcl@{}} &&P_{ua}=M_{3}\oplus K \end{array} $$

   (16)
5. Step L1A5:

   \(\mathcal {S}_{y}\) verifies \(Z_{ux}\underset {=}{?}h(n_{ua}\|X_{ux}\|P_{ua})\) and finds it true. \(\mathcal {S}_{y}\) then selects a random number n _{s y} and computes:

   $$\begin{array}{@{}rcl@{}} &&M_{4}=n_{sy} \oplus h(n_{ua}\|X_{ux}\|P_{ua})) \end{array} $$

   (17)
   $$\begin{array}{@{}rcl@{}} &&M_{5}=h(ID_{ux}\|n_{ua}\|n_{sy}\|K\|T_{2}) \end{array} $$

   (18)
   $$\begin{array}{@{}rcl@{}} &&SK_{yx}=h(n_{ua}\|n_{sy}\|P_{ua})) \end{array} $$

   (19)
6. Step L1A6:

   Further \(\mathcal {S}_{y}\) sends {M ₄, M ₅, T ₂} to \(\mathcal {U}_{x}\), where T ₂ is current time stamp.

7. Step L1A7:

   Upon reception, \(\mathcal {A}\) computes:

   $$\begin{array}{@{}rcl@{}} &&n_{sy}=M_{4}\oplus h(n_{ua}\|X_{ux}\|P{ua}) \end{array} $$

   (20)
   $$\begin{array}{@{}rcl@{}} &&SK_{xy}=h(ID_{ux}\|n_{ua}\|n_{sy}\|K) \end{array} $$

   (21)
   $$\begin{array}{@{}rcl@{}} &&M_{6}=h(SK_{xy}\|ID_{ux}\|n_{sy}\|T_{3}) \end{array} $$

   (22)
8. Step L1A8:

   Finally \(\mathcal {A}\) sends M ₆, T ₃ to \(\mathcal {S}_{y}\), where T ₃ is current time stamp. \(\mathcal {S}_{y}\) upon receiving the message checks \(M_{6} \underset {=}{?} h(SK_{yx}\|ID_{ux}\|n_{sy}\|T_{3})\) and finds it true.

Hence, \(\mathcal {A}\) has successfully deceived \(\mathcal {S}_{y}\) by impersonating himself as \(\mathcal {U}_{x}\). The session key shared among both is:

$$ SK_{xy}=h(ID_{ux}\|n_{ua}\|n_{sy}\|K) $$

(23)

4.2 Weaknesses of Lu et al.’s scheme-2

This section elaborates the weaknesses of Lu et al.’s scheme-2 against user impersonation attack. We show that a dishonest legal user \(\mathcal {A}\) can easily masquerade himself as an other honest user \(\mathcal {U}_{x}\) considering the common adversarial model as mentioned in Subsection 2.5.

4.2.1 User impersonation attack

Let \(\mathcal {A}\) be a legal user having smart card S C _{u a} and wants to impersonate himself as another user \(\mathcal {U}_{x}\). Following steps will be performed by \(\mathcal {A}\) for a successful forgery attack to \(\mathcal {S}_{y}\):

1. Step L1A1:

   \(\mathcal {A}\) extracts the information stored in S C _{u a} and computes:

   $$ h(PSK_{rs})= X_{ua}\oplus x_{ua} $$

   (24)
2. Step L1A2:

   \(\mathcal {A}\) generates two random number n _{u a} and P _{u a} and computes:

   $$\begin{array}{@{}rcl@{}} &&M_{\bar{1}}=E_{Pub_{sy}}(ID_{ux},n_{ua},P_{ua}) \end{array} $$

   (25)
   $$\begin{array}{@{}rcl@{}} &&M_{\bar{2}}=h((X_{ua}\oplus x_{ua})\|n_{ua}\|P_{ua}) \end{array} $$

   (26)
3. Step L1A3:

   \(\mathcal {A}\) sends \(M_{\bar {1}}\) and \(M_{\bar {2}}\) as login message to \(\mathcal {S}_{j}\).

4. Step L1A4:

   For the received login message, \(\mathcal {S}_{y}\) decrypts \(M_{\bar {2}}\) to obtain:

   $$\begin{array}{@{}rcl@{}} (ID_{ux},n_{ua},P_{ua})=D_{Pri_{sy}}(M_{\bar{1}}) \end{array} $$

   (27)
5. Step L1A5:

   \(\mathcal {S}_{y}\) further verifies \(M_{\bar {2}}\underset {=}{?} h(h(PSK_{rs})\|n_{ua}\|P_{ua})\) and finds it to be true.

6. Step L1A6:

   \(\mathcal {S}_{y}\) further selects n _{s y} and computes:

   $$\begin{array}{@{}rcl@{}} && M_{3}=n_{sy} \oplus h(n_{ua}\|ID_{ux}\|P_{ua}) \end{array} $$

   (28)
   $$\begin{array}{@{}rcl@{}} && SK_{yx}=h(n_{ux}\|n_{sy}\|P_{ua}) \end{array} $$

   (29)
   $$\begin{array}{@{}rcl@{}} && M_{4}=h(ID_{ux}\|n_{ua}\|SK_{yx}\|P_{ua}) \end{array} $$

   (30)
7. Step L1A7:

   \(\mathcal {S}_{y}\) sends M ₃ and M ₄ to \(\mathcal {U}_{x}\) as response message.

8. Step L1A8:

   \(\mathcal {A}\) intercepts the message and computes:

   $$\begin{array}{@{}rcl@{}} &&n_{sy}=M_{3}\oplus h(n_{ua}\|ID_{ux}\|P_{ua}) \end{array} $$

   (31)
   $$\begin{array}{@{}rcl@{}} &&SK_{xy}=h(n_{ua}\|n_{sy}\|P_{ua}) \end{array} $$

   (32)
   $$\begin{array}{@{}rcl@{}} &&M_{5}=h(SK_{xy}\|ID_{ux}\|n_{sy}\|P_{ua}) \end{array} $$

   (33)
9. Step L1A9:

   \(\mathcal {A}\) sends M ₅ to \(\mathcal {S}_{y}\).

10. Step L1A10:

    \(\mathcal {S}_{y}\) checks \(M_{5} \underset {=}{?} h(h(SK_{yx}\|ID_{ux}\|n_{sy}\|P_{ua})\) and finds it to be true.

Hence, \(\mathcal {A}\) successfully deceived \(\mathcal {S}_{y}\) by impersonating himself as \(\mathcal {U}_{x}\). The shared key between \(\mathcal {A}\) and \(\mathcal {S}_{y}\) is:

$$ SK_{xy}=h(n_{ua}\|n_{sy}\|P_{ua})=SK_{yx} $$

(34)

5 Proposed scheme

In this section, we propose an improved and secure biometric based three factor authentication scheme for social multimedia networks to overcome the weaknesses of Lu et al.’s schemes. The proposed scheme is depicted in Fig. 3 and is explained in following four subsections:

Fig. 3

Proposed scheme

5.1 Initialization

In this phase system parameters are selected by registration server. Initially registration server RC selects an elliptic curve E _p (a, b) mod p, a base point P over E _p (a, b), a one way hash function h(.), BioHashing H(.) and a shared key with all servers P S K _{r s} . Finally RC publishes system public parameters E _p (a, b),h(.),H(.).

5.2 Registration phase

In this phase both the users and servers registers with the registration server. Following two subsections describes the process of registration:

5.2.1 Server registration

To register with the system, a server \(\mathcal {S}_{y}\) selects his identity S I D _{s y} and his private key P r i _{s y} . Then \(\mathcal {S}_{y}\) computes his public key P u b _{s y} = P r i _{s y} .P and sends his identity S I D _{s y} and his public key P u b _{s y} to RC. Upon reception, RC shares the secret key P S K _{r s} with \(\mathcal {S}_{y}\) and publishes \(\mathcal {S}_{y}\)’s public key P u b _{s y} .

5.2.2 User registration

User registration involves following three steps:

1. Step L1A1:

   \(\mathcal {U}_{x}\) selects his identity I D _{u x} , password P W _{u x} and scans his biometrics B I O _{u x} . Further \(\mathcal {U}_{x}\) sends {I D _{u x} , h(P W _{u x} ∥H(B I O _{u x} ))} to RC on a private channel.

2. Step L1A2:

   Upon reception, RC computes V _{u x} = h(I D _{u x} ∥h(P W _{u x} ∥H(B I O _{u x} ))) and h(P S K _{r s} ∥I D _{u x} ) and stores h(P S K _{r s} ∥I D _{u x} ) and V _{u x} in the smart card S C _{u x} . RC sends smart card (S C _{u x} ) to \(\mathcal {U}_{x}\).

3. Step L1A3:

   Upon reception of smart card, \(\mathcal {U}_{x}\) computes Y _{u x} = h(P S K _{r s} ∥I D _{u x} )⊕h(P W _{u x} ∥I D _{u x} ∥H(B I O _{u x} )). Finally, smart card contains {Y _{u x} , V _{u x} , h(.)}.

5.3 Login and authentication Phase

Login phase starts when a user \(\mathcal {U}_{x}\) enters his S C _{u x} into card reader, embosses his biometrics (B I O _{u x} ) and enters I D _{u x} and P W _{u x} . The subsequent steps accomplished by S C _{u x} and \(\mathcal {S}_{y}\) are as under:

1. Step L1A1:

   S C _{u x} calculates h(I D _{u x} ∥h(P W _{u x} ∥H(B I O _{u x} ))) and confirms \(V_{ux}\underset {=}{?}h(ID_{ux}\|h(PW_{ux}\|H(BIO_{ux})))\) , if condition does not hold, S C _{u x} terminates the session.

2. Step L1A2:

   S C _{u x} produces a random number r _{u x} and calculates K = r _{u x} .P u b _{s y} , M ₁ = r _{u x} .P and M ₂ = I D _{u x} ⊕ K.

3. Step L1A3:

   Moreover, S C _{u x} produces a random number n _{u x} and calculates M ₃ = n _{u x} ⊕ h(Y _{u x} ⊕ h(P W _{u x} ∥I D _{u x} ∥H(B I O _{u x} ))∥S I D _{s y} ) and Z _{u x} = h(h(P S K _{r s} ∥I D _{u x} )∥n _{u x} ∥K∥T ₁).

4. Step L1A4:

   Thereafter, S C _{u x} transmits login message {Z _{u x} , M ₁, M ₂, M ₃, T ₁} to \(\mathcal {S}_{y}\).

5. Step L1A5:

   On getting login message, \(\mathcal {S}_{y}\) verifies freshness of T ₁.

6. Step L1A6:

   \(\mathcal {S}_{y}\) calculates K = M ₁.P r i _{s y} with his private key and also calculates I D _{u x} = M ₂ ⊕ K and n _{u x} = M ₃ ⊕ h(h(P S K _{r s} ∥I D _{u x} )∥S I D _{s y} ).

7. Step L1A7:

   \(\mathcal {S}_{y}\) verifies \(Z_{ux}\underset {=}{?}h(h(PSK_{rs}\|ID_{us})\|n_{ux}\|K\|T_{1})\), if not holds, \(\mathcal {S}_{y}\) terminates the session. Otherwise, \(\mathcal {S}_{y}\) generates a random number n _{s y} and calculates M ₄ = n _{s y} ⊕ K, M ₅ = h(I D _{u x} ∥n _{u x} ∥n _{s y} ∥K∥T ₂) and the session key S K _{y x} = h(I D _{u x} ∥n _{u x} ∥n _{s y} ∥K). Further \(\mathcal {S}_{y}\) sends {M ₄, M ₅, T ₂} to \(\mathcal {U}_{x}\).

8. Step L1A8:

   On receiving login message, \(\mathcal {U}_{x}\) verifies freshness of T ₂. computes n _{s y} = M ₄ ⊕ K and confirms \(M_{5} \underset {=}{?}h(ID_{ux}\|n_{ux}\|n_{sy}\|K\|T_{2})\), if holds, \(\mathcal {U}_{x}\) cogitates \(\mathcal {S}_{y}\) as authenticated. Then session key is computed as S K _{x y} = h(I D _{u x} ∥n _{u x} ∥n _{s y} ∥K).

9. Step L1A9:

   After that, \(\mathcal {U}_{x}\) calculates M ₆ = h(S K _{x y} ∥I D _{u x} ∥n _{s y} ∥T ₃) and and transmits {M ₆, T ₃} to \(\mathcal {S}_{y}\).

10. Step L1A10:

    \(\mathcal {S}_{y}\) checks the freshness of T ₃ and verifies \(M_{6} \underset {=}{?} h(SK_{yx}\|ID_{ux}\|n_{sy}\|T_{3})\) if it holds, \(\mathcal {S}_{y}\) cogitates \(\mathcal {U}_{x}\) as authenticated.

The derived shared key between \(\mathcal {U}_{x}\) and \(\mathcal {S}_{y}\) is:

$$ SK_{xy}=h(n_{ux}\|n_{sy}\|h(PW_{ux}\|N_{ux}))=SK_{yx} $$

(35)

5.4 Password change phase

\(\mathcal {U}_{x}\) inserts his smart card (S C _{u x} ) in specialized reader. \(\mathcal {U}_{x}\) then inputs I D _{u x} , P W _{u x} and B I O _{u x} . S C _{u x} computes N _{u x} = B _{u x} ⊕ H(B I O _{u x} ) and checks R _{u x} = h(I D _{u x} ∥h(P W _{u x} ∥N _{u x} )), if it hold S C _{u x} asks for new password. \(\mathcal {U}_{x}\) inputs new password \(PW_{ux}^{new}\). S C _{u x} computes \(R_{ux}^{new}=h(ID_{ux}\|h(PW_{ux}^{new}\|N_{ux}))\) and \(X_{ux}^{new}=X_{ux}\oplus h(PW_{ux}\|ID_{ux}\|N_{ux})\oplus h(PW_{ux}^{new}\|ID_{ux}\|N_{ux}^{new})\) Finally, S C _{u x} replaces R _{u x} and X _{u x} by \(R_{ux}^{new}\) and \(X_{ux}^{new}\).

6 Security analysis

The formal security analysis followed by security discussion is performed in this section. Further, protocol verification thorough automated tool ProVerif is also substantiated here.

6.1 Formal security

To demonstrate formally, that proposed scheme is secure, we adopted the same analysis as mentioned in [46, 48]. Following oracles are defined for analysis purpose:

• Reveal: This oracle unconditionally outputs a string S from the one way hash function R = h(S).

• Extract: This oracle unconditionally outputs the scalar multiplier k out of a given elliptic curve points O = k P and P.

Theorem 1

The proposed biometric based multi server authentication scheme is secure for an attacker \(\mathcal {A}\) to stanch \(\mathcal {U}_{x}\) ’s identity (ID _ux ), the parameter K, the session key SK _xy and the shared key PSK _rs between RC and \(\mathcal {S}_{y}\) considering one way hash function as random oracle and under the hardness assumption of ECDLP.

Proof

Let \(\mathcal {A}\) be an adversary having capabilities to compute \(\mathcal {U}_{x}\)’s I D _{u x} , the secret session parameter K the session key S K _{x y} and the shared key P S K _{r s} between RC and \(\mathcal {S}_{y}\). \(\mathcal {A}\) simulates both oracles Reveal and Extract to run the algorithmic experiment \(EXPE1^{HASH,ECDLP}_{\mathcal {A},TFBAMS}\) against our proposed three factor biometric based authentication scheme for multi server environments (TFBAMS). The success probability for the mentioned experiment is defined as \(Succe_{1}=|Prb[EXPE1^{HASH,ECDLP}_{\mathcal {A},TFBAMS}=1]-1|\). \(\mathcal {A}\)’s advantage is solicited as \(Advt1_{\mathcal {A},TFBAMS}^{HASH,ECDLP}(t,q_{rev},q_{ext})=max_{\mathcal {A}}(Succe_{1})\), where \(\mathcal {A}\) is allowed to make at maximum q _{r e v} Reveal and q _{e x t} Extract queries. Referring to the experiment \(\mathcal {A}\) can compute I D _{u x} , K, S K _{x y} and P S K _{r s} , if he can (i) invert the hash function and (ii) solve the ECDLP. However, referring to Definition 1 it is computationally infeasible to invert a secure one way hash function, similarly by Definition 2 it is computationally infeasible to solve ECDLP. Hence, we have \(Advt1_{\mathcal {A},TFBAMS}^{HASH,ECDLP}(t,q_{rev},q_{ext})\leq \epsilon \). Therefore, proposed three factor biometric bases authentication scheme for multi server environments is secure against an adversary \(\mathcal {A}\) to computes \(\mathcal {U}_{x}\)’s I D _{u x} , the secret session parameter K the session key S K _{x y} and the shared key P S K _{r s} between RC and \(\mathcal {S}_{y}\). □

Theorem 2

The proposed biometric based multi server authentication scheme is secure for an attacker \(\mathcal {A}\) to stanch \(\mathcal {U}_{x}\) ’s biometrics H(BIO _ux ), identity (ID _ux ), password PW _ux and the security parameter h(PSK _rs ∥ID _ux ) considering one way hash function as random oracle for the stolen smart card attack.

Proof

Let \(\mathcal {A}\) be an adversary having capabilities to stanch \(\mathcal {U}_{x}\)’s biometrics H(B I O _{u x} ), identity (I D _{u x} ), password P W _{u x} and the security parameter h(P S K _{r s} ∥I D _{u x} ) out of a stolen smart card. \(\mathcal {A}\) simulates Reveal oracle to run the algorithmic experiment \(EXPE2^{HASH}_{\mathcal {A},TFBAMS}\) against our proposed three factor biometric bases authentication scheme for multi server environments (TFBAMS). The success probability for the mentioned experiment is defined as \(Succe_{2}=|Prb[EXPE2^{HASH}_{\mathcal {A},TFBAMS}=1]-1|\). \(\mathcal {A}\)’s advantage is solicited as \(Advt2_{\mathcal {A},TFBAMS}^{HASH}(t,q_{rev}=max_{\mathcal {A}}(Succe_{2})\), where \(\mathcal {A}\) is allowed to make at maximum q _{r e v} Reveal queries. Referring to the experiment, \(\mathcal {A}\) can compute H(B I O _{u x} ), I D _{u x} , P W _{u x} and P S K _{r s} , if he can invert the hash function. However, referring to Definition 1 it is computationally infeasible to invert a secure one way hash function. Hence, we have \(Advt2_{\mathcal {A},TFBAMS}^{HASH}(t,q_{rev})\leq \epsilon \). Therefore, proposed three factor biometric bases authentication scheme for multi server environments is secure against an adversary \(\mathcal {A}\) to computes \(\mathcal {U}_{x}\)’s biometrics H(B I O _{u x} ), identity (I D _{u x} ), password P W _{u x} and the security parameter h(P S K _{r s} ∥I D _{u x} ) out of a stolen smart card. □

6.2 Further security discussion

In this subsection, we informally describes the security functionalities provided by proposed scheme. Table 2 illustrates a security comparison of proposed scheme with related existing schemes [8, 41, 42, 46].

6.2.1 Anonymity and privacy

In our proposed biometric scheme the user \(\mathcal {U}_{x}\)’s identity I D _{u x} is not sent over public network rather M ₁ and M ₂ are sent to \(\mathcal {S}_{y}\). These two parameters are freshly generated for each session. The anonymity can only be broken if an adversary can compute K, but it can be seen that K can be computed only be the use of \(\mathcal {S}_{y}\)’s private key. Hence, proposed scheme preserves anonymity and untraceability Table 2.

Table 2 Comparison of security parameters

6.2.2 Mutual authentication

\(\mathcal {S}_{y}\) authenticates \(\mathcal {U}_{x}\) by checking \(Z_{ux}\underset {=}{?}h(h(PSK_{rs}\|ID_{ux})\|n_{ux}\|K\|T_{1})\). Computation of Z _{u x} involves h(P S K _{r s} ∥I D _{u x} ) which requires the smart card as well as password P W _{u x} and the biometrics B I O _{u x} of \(\mathcal {U}_{x}\). Therefore to deceive \(\mathcal {S}_{y}\), the adversary needs \(\mathcal {U}_{x}\)’s password, biometric as well as his smart card. Likewise, \(\mathcal {U}_{x}\) authenticates \(\mathcal {S}_{y}\) by checking \(M_{5} \underset {=}{?}h(ID_{ux}\|n_{ux}\|n_{sy}\|K\|T_{2})\) which requires the computation of \(\mathcal {U}_{x}\)’s identity I D _{u x} , the session parameter n _{u x} and K. I D _{u x} and K can be computed only by using \(\mathcal {S}_{y}\)’s private key as mentioned in Subsection 6.2.1, while n _{u x} can be computed by using h(h(P S K _{r s} ∥I D _{u x} )∥S I D _{s y} ) which requires the shared secret key between \(\mathcal {S}_{y}\) and RC. So in order to deceive \(\mathcal {U}_{x}\), the adversary needs \(\mathcal {S}_{y}\)’s private key P r i _{s y} as well as the shared key h(P S K _{r s} ) between \(\mathcal {S}_{y}\) and RC. Hence only legal user can pass authentication test from server and vice versa. Therefore, proposed scheme provides proper mutual authentication.

6.2.3 User and server impersonation attacks

Only legal user can generate legal authentication request message {Z _{u x} , M ₁, M ₂, M ₃, T ₁} and response message {M ₆, T ₃}, similarly only legal server can respond with challenge message {M ₄, M ₅, T ₂} as proved in Subsection 6.2.2. Hence, user and server impersonation attacks are not feasible on proposed scheme.

6.2.4 Smart card theft/stolen attack

Let us assume, the adversary by using some means becomes able to acquire \(\mathcal {U}_{x}\)’s smart card. The adversary further extracts the parameters V _{u x} = h(I D _{u x} ∥h(P W _{u x} ∥H(B I O _{u x} ))), Y _{u x} = h(P S K _{r s} ∥I D _{u x} )⊕h(P W _{u x} ∥I D _{u x} ∥H(B I O _{u x} )) and h(.). Then to compute the secret parameter h(P S K _{r s} ∥I D _{u x} ), the adversary needs P W _{u x} and B I O _{u x} . Hence, the stolen smart card will not benefit the adversary for forgery.

6.2.5 Replay attack

If some adversary after intercepting the login request message {Z _{u x} , M ₁, M ₂, M ₃, T ₁}, replays it later on. The server \(\mathcal {S}_{y}\) after receiving the message will check the freshness of time stamp T ₁, as the time stamp is old dated, \(\mathcal {S}_{y}\) will simply discard the message. Therefore, replay attack is not viable on proposed scheme.

6.2.6 Perfect forward secrecy

The computed session key between \(\mathcal {S}_{y}\) and \(\mathcal {U}_{x}\) contains share (n _{s y} , n _{u x} ) from both the participants respectively. So even if the long term private key of \(\mathcal {S}_{y}\) or \(\mathcal {U}_{x}\)’s password is revealed to the attacker it will not benefit to compute previous session keys. Therefore, proposed scheme possesses perfect forward secrecy.

6.2.7 Insider and stolen verifier and attacks

For the proposed scheme, \(\mathcal {S}_{y}\) does not store any parameter related to \(\mathcal {U}_{x}\)’s password (P W _{u x} ) or his biometrics (B I O _{u x} ), as there is no verifier table so no stolen verifier attack is possible. Likewise, \(\mathcal {U}_{x}\) does not send his password (P W _{u x} ) or his biometrics B I O _{u x} in plain text. Hence, no insider will have any advantage to expose his password or biometrics.

6.2.8 Password guessing attack

For the proposed scheme, the information relating to \(\mathcal {U}_{x}\)’s password is protected by his identity I D _{u x} , BioHashed biometrics H(B I O _{u x} ) further it is XORed with h(P S K _{r s} ∥I D _{u x} ). Moreover, there is no parameter stored in smart card to check the validity of guessed password by adversary. Hence no offline password guessing attack is feasible on proposed scheme. Likewise, the system incorporates built in maximum number of login requests, which ensures no online password guessing attack.

7 Verification through ProVerif

The purpose of verification tools for cryptographic protocols is to confirm the robustness of the protocols against active and passive adversaries having some knowledge of the cryptographic parameters. ProVerif is an applied π calculus based automated verification tool to validate the security of cryptographic protocols against knowledgeable attackers. ProVerif can prove a number of security properties like: reachability, secrecy, authentication and so on. [4, 10, 51]. We have implemented the login and authentication steps of the proposed protocol as illustrated in Fig. 3 and explained in Subsection 5.3. The formal verification model of ProVerif consists of following three parts. (1) Declaration is used for defining names, constants, variables and cryptographic operations. We have shown declaration part in Fig. 4a. (2) Process part is reserved for defining processes involved in protocol execution. As illustrated in Fig. 4b we have defined two processes: server process (ServerSy) and user process (UserUx). (3) Main part simulates the protocol execution, as shown in Fig. 4c, we simulate parallel execution of two processes along with definition of two events to verify reach-ability property. Finally, we simulate three queries. The results are as follows:

1. 1.

   RESULT inj-event(end_Serversy(id)) ==> inj-event(begin_Serversy(id)) is true.

2. 2.

   RESULT inj-event(end_Userux(id₁114)) ==> inj-event(begin_Userux(id ₁114)) is true.

3. 3.

   RESULT not attacker(SKxy[]) is true.

Fig. 4

ProVerif code

The results (1) and (2) validates that both user and server processes started and terminated normally, which confirms the correctness and reach-ability properties. While (3) verifies that the session key (SKxy[]) is not exposed to adversary. Hence Proposed protocol possesses reach-ability as well as secrecy and authentication properties.

8 Performance comparisons

This section presents performance assessment of the proposed scheme against two Lu et al.’s pertinent schemes. Recently, Lu et al. presented two schemes based on biometrics for multi-server environments and professed that their schemes provide security against the known threats. This paper suggests that Lu et al.’s schemes do not provide invincibility against few known attacks. The first scheme of Lu et al fails retaliate against user anonymity violation and impersonation attacks, whereas their second scheme is vulnerable against impersonation attack. The the proposed scheme’s performance is equated with both the schemes of Lu et al. in Table 3. Following Notations are used for computation cost analysis:

• T _{O h} refers to accumulated execution time of one-way hash operation.

• T _{R e} refers to accumulated execution time of RSA encryption.

• T _{R d} refers to accumulated execution time of RSA decryption.

• T _{E p m} refers to elliptic curve point multiplication.

As per Kilinc and Yanik [34] experiment on a personal computer involving a processor with Dual CPU E2200 2.20 GHz along with RAM size of 2048MB, the computation cost for T _{O h} is approximately 0.0023m s, T _{R e} is 3.8500m s, T _{R d} is 0.1925m s and T _{E p m} is 2.229m s. Kilinc and Yanik [34] experiment was performed on the Ubuntu Operating system and using PBC Library.

Table 3 Computation cost comparison

The comparison presented in Table 3 reveals that the proposed scheme is computationally inexpensive than scheme in [42]. While the proposed scheme is quite expensive than rest of the schemes [8, 41, 46]. Moreover proposed scheme provide invincibility against the known threats. It is further declared that only the proposed scheme resists the known attacks, while rest of the competing schemes [8, 41, 42, 46] are vulnerable to impersonation and/or other related attacks.

9 Conclusion

In this paper, we have cryptanalyzed two most recent biometric based multi factor authentication schemes proposed by Lu et al. We have proved both of their schemes to be vulnerable to impersonation attacks, additionally we have also showed that one of their scheme is also vulnerable to anonymity violation attack. Then we proposed an improved biometric based multi factor authentication scheme. The proposed scheme is proved to be robust against all known attacks. We have substantiated the security of proposed scheme using famous automated security validation tool ProVerif.