1 Introduction

With regard to the client/server system, the password-based authentication scheme is an essential technique used in order to identify the validity of a remote user [3, 11, 12, 25, 29]. Sun et al. [28] pointed out that password-based authentication schemes have a major problem in that humans are not experts in memorizing text strings. Hence, most users would probably choose easy-to-remember passwords even if they know the passwords might be unsafe. In 2005, Hwang and Liu [7] and Lee and Chiu [14] proposed respectively their traditional remote identity-based authentication schemes. The security of their schemes is only based on the passwords. Consequently, the adversary can use brute force attacks or dictionary attacks to break the passwords if users select weak passwords [13, 15, 16, 26]. In order to solve this problem, cryptographic secret keys and passwords are used in remote user authentication schemes. But the cryptographic secret keys and passwords still have some problems such as the use of long and random keys which are difficult to memorize so that the keys must be stored somewhere, and maintaining the long cryptographic keys is expensive. The cryptographic secret keys and passwords also cannot provide non-repudiation. Because the keys may be forgotten, lost or they may be shared with other people, there is no way to know who the actual user is.

Recently, some biometric-based remote user authentication schemes have been proposed by researchers [9, 18, 20]. The biometric system is basically a pattern recognition system which operates by obtaining biometric data from an individual, extracting a feature set from the obtained data and comparing this feature set with the template set in the database [8, 19, 21, 24]. Das [2] pointed out the following advantages of biometric keys:

  • Biometric keys cannot be lost or forgotten.

  • They are very difficult to copy or share.

  • They are extremely hard to forge or distribute.

  • They cannot be guessed easily.

  • They are not easy to break.

As mentioned above, biometric-based remote user authentication schemes are more reliable and secure than traditional password-based remote user authentication schemes. In 2010, Li and Hwang [18] proposed an efficient biometric-based remote authentication scheme using smart cards. Later, Das [2] pointed out that Li and Hwang’s scheme has some flaws and proposed an improvement to remedy them. Unfortunately, we found that the Das’s scheme is vulnerable to privileged insider attacks and off-line password guessing attacks, and also cannot provide user anonymity. To overcome these weaknesses, we propose a secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. In recent years, cryptography based on chaos theory has been studied widely, such as symmetric encryption schemes [27, 32, 33], S-boxes [31], and hash functions [34, 35]. The proposed scheme is based on chaos theory; it allows the user to communicate anonymously with the server and provides mutual authentication between user and server. The security and performance analyses show that the proposed scheme has low computation and communication cost and can resist the attacks that were found in the Das’s scheme.

The remainder of this paper is organized as follows. In Sect. 2 we introduce the definitions of Chebyshev chaotic maps and review the Das’s scheme, and in Sect. 3 we will show the weaknesses of the Das’s scheme. Then the proposed scheme is presented in Sect. 4. Next, we analyze the proposed scheme and show that the scheme can resist several attacks in Sect. 5. Our conclusion is given in Sect. 6.

2 Preliminaries

In this section, we briefly introduce the Chebyshev polynomial used in the proposed scheme and review the Das’s scheme.

2.1 Chebyshev chaotic maps

We briefly describe the Chebyshev polynomials [22] as follows. The Chebyshev polynomial \(T_{n}(x)\) is a polynomial in x of degree n. Let n be an integer, and let x be a variable taking value over the interval [−1, 1]. The Chebyshev polynomial \(T_{n}(x)\): [−1, 1]→[−1, 1] is defined as

The recurrence relation of the Chebyshev polynomial is defined as

The cos(x) and arccos(x) are the trigonometric functions [1]. They are defined as cos: R→[−1,1] and arccos: [−1,1]→[0,π].

The Chebyshev polynomials exhibit the following two important properties [4, 17]: the semigroup property and the chaotic property.

  1. (1)

    The semigroup property:

    where r and s are positive numbers and x∈[−1, 1].

  2. (2)

    The chaotic property:

    When the degree n>1, the Chebyshev polynomial map \(T_{n}(x)\): [−1, 1]→[−1, 1] of degree n is a chaotic map with its invariant density \(f^{*}(x)=1/(\pi\sqrt{1-x^{2}})\), for positive Lyapunov exponent \(\lambda=\ln n>0\).

In 2008, Zhang [36] proved that the semigroup property holds for the Chebyshev polynomials defined on interval (−∞,+∞), which can enhance the property, as follows:

where n≥2, x∈(−∞,+∞), and p is a large prime number. Evidently,

so the semigroup property still holds and the enhanced Chebyshev polynomials also commute under composition.

The Chebyshev polynomials have the following two problems, which are assumed to be difficult to handle within polynomial time:

  1. (1)

    Given two elements x and y, the task of the discrete logarithm problem (DLP) is to find the integer r, such that \(T_{r}(x)=y\).

  2. (2)

    Given three elements x, \(T_{r}(x)\), and \(T_{s}(x)\), the task of the Diffie–Hellman problem (DHP) is to compute the element \(T_{rs}(x)\).

2.2 Review of the Das’s scheme

In this section, we describe the Das’s scheme [2]. The notation throughout the Das’s scheme is summarized in Table 1.

Table 1 The notation used in the Das’s scheme

There are four phases in the Das’s scheme including the registration phase, login phase, authentication phase, and password change phase. The Das’s scheme uses the biometric template pattern matching to perform the user’s biometric verification [8]. The user’s biometric will be matched against the template pattern stored in the system when the user inputs his/her biometric template. The user will pass the biometric verification if there is a match. We explain the details of each phase in the following.

2.2.1 Registration phase

When the remote user C i wants to login into the system, as shown in Fig. 1, he/she needs to perform the following steps:

  1. (1)

    The user inputs his/her personal biometric B i on a specific device and offers his/her password PW i and the identity ID i of the user to the registration center R i in person.

  2. (2)

    The registration center R i computes the following:

    X s is a secret information generated by the server and is not disclosed to any other for all secure future communications.

  3. (3)

    \(R_{i}\) embeds \((\mathit{ID}_{i},h(.),f_{i},e_{i},r_{i})\) in the user’s smart card and sends the card to the user \(C_{i}\) via a secure channel.

Fig. 1 Registration phase of the Das’s scheme

2.2.2 Login phase

In this phase, when a user C i wants to login into the server S i , as shown in Fig. 2, he/she needs to perform the following steps:

  1. (1)

    C i inserts his/her smart card into the card reader of a terminal and offers his/her personal biometric template B i on a specific device to verify the biometric.

  2. (2)

    C i verifies whether B i matches with the template stored in the system or not.

  3. (3)

    If the above verification does not hold, then C i does not pass the biometric verification. As a result, the remote user authentication is terminated. Otherwise, if the above verification holds, C i passes the biometric verification and inputs his/her password PW i to perform the following step 4.

  4. (4)

    The smart card computes \(r_{i}'=h(\mathit{PW}_{i})\oplus f_{i}\). The client terminates the session if \(r_{i}'\neq r_{i}\).

  5. (5)

    If \(r_{i}'=r_{i}\), the smart card computes the following:

    \(M_{1}=e_{i}\oplus r_{i}'\), which is equal to \(h(\mathit{ID}_{i}\parallel X_{s})\),

    \(M_{2}=M_{1}\oplus R_{c}\), which is equal to \(h(\mathit{ID}_{i}\parallel X_{s})\oplus R_{c}\), and

    \(M_{3}=h(R_{c})\), where \(R_{c}\) is a random number generated by the user.

  6. (6)

    Finally, C i sends the message 〈ID i ,M 2,M 3〉 to the remote server S i .

Fig. 2 Login phase of the Das’s scheme

2.2.3 Authentication phase

After receiving the login request messages 〈ID i ,M 2,M 3〉, the server S i performs the following steps, as shown in Fig. 3.

  1. (1)

    S i first checks the format of C i ’s ID i .

  2. (2)

    If the format is valid, S i then computes the following:

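    \(M_{4}=h(\mathit{ID}_{i}\parallel X_{s})\) using the secret value maintained by the server.

    \(M_{5}=M_{2}\oplus M_{4}\), which needs to be \(R_{c}\).

    \(S_{i}\) verifies \(h(M_{5})?=M_{3}\). If it does not hold, \(S_{i}\) rejects \(C_{i}\)’s login request. Otherwise, if the verification is successful, \(S_{i}\) computes the following:

    \(M_{6}=M_{4}\oplus R_{s}\) \((=h(\mathit{ID}_{i}\parallel X_{s})\oplus R_{s})\),

    \(M_{7}=h(M_{2}\parallel M_{5})\) \((=h((h(\mathit{ID}_{i}\parallel X_{s})\oplus R_{c})\parallel R_{c}))\),

    \(M_{8}=h(R_{s})\).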

  3. (3)

    S i sends the messages 〈M 7,M 6,M 8〉 to C i .

  4. (4)

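    After receiving the messages \(\langle M_{7},M_{6},M_{8}\rangle\), \(C_{i}\) verifies \(M_{7}?=h(M_{2}\parallel R_{c})\). Thus, \(C_{i}\) terminates the session if the verification does not pass. Otherwise, \(C_{i}\) computes \(M_{9}=M_{6}\oplus M_{1}\) and verifies \(h(M_{9})?=M_{8}\). If \(h(M_{9})\neq M_{8}\), \(C_{i}\) terminates the session. Otherwise, \(C_{i}\) computes \(M_{10}=h(M_{6}\parallel M_{9})\) \((=h((h(\mathit{ID}_{i}\parallel X_{s})\oplus R_{s})\parallel R_{s}))\) and sends the message \(\langle M_{10}\rangle\) to the server \(S_{i}\).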

  5. (5)

    After receiving \(C_{i}\)’s message, \(S_{i}\) verifies \(M_{10}?=h(M_{6}\parallel R_{s})\).

  6. (6)

    S i rejects C i ’s login request if the above mentioned does not hold.

  7. (7)

    Thus, S i accepts C i ’s login request if the verification is successful.

Fig. 3 Authentication phase of the Das’s scheme

2.2.4 Password change phase

In this phase, the smart card always verifies the old password entered by the user before updating to the new password. In order to change the password, the user performs the following steps:

  1. (1)

    Inserts the smart card and offers B i .

  2. (2)

    Verifies whether B i matches with the template stored in the system or not.

  3. (3)

    If C i passes the biometric verification, C i enters his/her old password \(\mathit{PW}_{i}^{\mathrm{old}}\) and a new changed password \(\mathit{PW}_{i}^{\mathrm{new}}\).

  4. (4)

    The smart card computes the following:

    If \(r_{i}'\neq r_{i}\), it means that C i enters the wrong old password and the password change phase is terminated. If \(r_{i}'=r_{i}\), then the smart card computes

  5. (5)

    Finally, replaces the e i with \(e_{i}''\) and r i with \(r_{i}''\) on the smart card.

3 Weaknesses of the Das’s scheme

In this section, we analyze the security of the Das’s scheme. We show that the Das’s scheme is vulnerable to privileged insider attack and the off-line password guessing attack. In addition, the Das’s scheme cannot provide a user anonymity. We now describe the details in the following.

3.1 Privileged insider attack

In a real environment, it is a common practice that many users use the same password to access different applications or servers for convenience in remembering long passwords and ease-of-use whenever required [6]. However, if a privileged insider of the registration center knows the password of the user C i , he/she may try to impersonate C i for accessing other servers where C i could be a registered user. In the Das’s scheme, the user C i sends his/her real identity ID i and password PW i to the registration center R i directly in the registration phase. Hence, the privileged insider could get C i ’s password and use it to impersonate C i for accessing different applications or servers. Consequently, the Das’s scheme is vulnerable to the privileged insider attack.

3.2 Off-line password guessing attack

Kocher et al. [10] and Messerges et al. [23] have pointed out that all the information in smart cards could be extracted by the side channel attack. We assume that an adversary has stolen user C j ’s smart card and extracted the information (ID j ,h(.),f j ,e j ,r j ) of the smart card in the Das’s scheme. Using the extracted f j and r j , the adversary could find the password PW j of user C j through the following steps.

  1. (1)

    The adversary uses \(f_{j}\) and \(r_{j}\) to compute \(h(\mathit{PW}_{j})=f_{j}\oplus r_{j}\).

  2. (2)

    Then, the adversary chooses a password \(\mathit{PW}_{j}'\) and verifies \(h(\mathit{PW}_{j}')?=h(\mathit{PW}_{j})\).

  3. (3)

    If \(h(\mathit{PW}_{j}')=h(\mathit{PW}_{j})\), the guess was correct. Otherwise, the adversary can make another guess and repeat the process.

As mentioned above, we show that an adversary can get the password of user C j and use it to impersonate C i for accessing different applications or servers. Hence, the Das’s scheme is vulnerable to off-line password guessing attack.
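The check in steps (1) to (3), written out as an added example that is not code from the paper, shows why storing both f and r on the card is the flaw: their XOR is a bare password hash that can be tested with no server interaction and no biometric. SHA-256 as h(.), f = h(B), and all sample values are assumptions constructed for illustration.

```python
import hashlib


def h(data: bytes) -> bytes:
    """One-way hash h(.); SHA-256 is an assumption, the page does not fix h."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    return bytes(i ^ j for i, j in zip(a, b))


def issue_card_fields(password: str, biometric: bytes):
    """Build the two card values used by the login check r' = h(PW) XOR f.

    Assumption: f is a fixed-length hash of the biometric template.
    """
    f = h(biometric)
    r = xor(h(password.encode()), f)
    return f, r


def password_verifier_from_card(f: bytes, r: bytes) -> bytes:
    """f XOR r cancels the biometric term and leaves h(PW)."""
    return xor(f, r)


def recover_password(f: bytes, r: bytes, candidates):
    """Test each candidate against the verifier; returns the match or None."""
    target = password_verifier_from_card(f, r)
    for guess in candidates:
        if h(guess.encode()) == target:
            return guess
    return None


if __name__ == "__main__":
    # Constructed card contents and candidate list.
    f_j, r_j = issue_card_fields("sunshine1", b"constructed-biometric-template")
    print(recover_password(f_j, r_j, ["123456", "letmein", "sunshine1"]))
```

Because the biometric contributes nothing to `f XOR r`, the strength of the stored data reduces to the entropy of the password alone.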

3.3 Inability of providing user anonymity

In the Das’s scheme, the user C i sends his/her real identity ID i to the server S i directly in the login phase. All other users also send their real identity to the server S i directly in the login phase. Hence, an adversary can get the real identity of any user by intercepting the messages {ID i ,M 2,M 3} transmitted between the user and the server. Consequently, the Das’s scheme cannot provide user anonymity.

4 The proposed scheme

In this section, we present our proposed scheme using extended chaotic maps. The notation used in our scheme is summarized in Table 2.

Table 2 The notation used in our scheme

In the beginning, the registration center R i selects a random number s, a random integer X s , and computes \(\mathit{SPUB}\equiv T_{X_{s}}(s)\ \mathrm{mod}\ p\). The registration center R i keeps the master secret key X s secretly. There are four phases in our scheme: the registration phase, login phase, authentication phase, and password change phase. The detailed steps of these phases are described in the following subsections.

4.1 Registration phase

When the remote user C i wants to register and become a new legal user in the system, as shown in Fig. 4, he/she needs to perform the following steps:

  1. (1)

    The user offers his/her password PW i , the identity ID i , generates a random number N, and also inputs his/her personal biometric B i on a specific device and computes f i =h(B i ). C i then sends {ID i ,f i =h(B i ),h(PW i B i N)} to the registration center R i via secure channel.

  2. (2)

    The registration center R i computes the following:

    \(R_{i}\) embeds \((\mathit{ID}_{i},h(.),e_{i},s,\mathit{SPUB},p)\) in the user’s smart card and sends the card to the user \(C_{i}\) via a secure channel.

  3. (3)

    After receiving the smart card, \(C_{i}\) computes \(\mathit{BPW}=B_{i}\oplus h(\mathit{PW}_{i})\) and inserts the random number N and BPW into the smart card and finishes the registration.

Fig. 4 Registration phase of our scheme

4.2 Login phase

In this phase, when a legal user C i wants to access the server S i , as shown in Fig. 5, he/she needs to perform the following steps:

  1. (1)

    C i inserts his/her smart card into the card reader and offers both his/her personal biometric template B i and password PW i on a specific device.

  2. (2)

    The smart card computes \(B_{i}'=\mathit{BPW}\oplus h(\mathit{PW}_{i})\) and verifies \(B_{i}?=B_{i}'\). If \(B_{i}\neq B_{i}'\), the smart card rejects the request.

  3. (3)

    The smart card generates a random integer R c and computes

  4. (4)

    The user C i sends {NID i ,M 1,α,t 1} to S i .

Fig. 5 Login phase of our scheme

4.3 Authentication phase

After receiving the login request messages, the server S i performs the following steps to access mutual authentication, as shown in Fig. 6.

  1. (1)

    Upon receiving \(\{\mathit{NID}_{i},M_{1},\alpha,t_{1}\}\), \(S_{i}\) first checks the validity of \(t_{1}\) by checking whether the equation \(t'-t_{1}\geq\Delta t\) holds, where t′ is the time when the server receives the messages from \(C_{i}\) and Δt denotes the predetermined legal time interval of transmission delay. If the equation holds, \(S_{i}\) rejects \(C_{i}\).

  2. (2)

    S i computes \(M_{2}'\equiv T_{X_{s}}(M_{1})\ \mathrm{mod}\ p\), \(\mathit{ID}_{i}'=\mathit{NID}_{i}\oplus h(M_{1}\parallel M_{2}')\) and checks the validity of \(\mathit{ID}_{i}'\).

  3. (3)

    S i computes \(P_{i}''=h(\mathit{ID}_{i}'\parallel X_{s})\) and \(\alpha'=h(\mathit{ID}_{i}'\parallel \mathit{NID}_{i}\parallel P_{i}''\parallel M_{1}\parallel M_{2}'\parallel t_{1})\).

  4. (4)

    Then S i verifies whether α′ equals to α. If α′≠α, S i stops the session.

  5. (5)

    If α′=α, S i randomly chooses an integer R s and computes \(M_{3}\equiv T_{R_{s}}(s)\ \mathrm{mod}\ p\) and \(\beta =h(\mathit{ID}_{i}'\parallel P_{i}''\parallel M_{2}'\parallel M_{3}\parallel t_{2})\). Then, S i sends {M 3,β,t 2} to C i .

  6. (6)

    After receiving \(\{M_{3},\beta,t_{2}\}\), \(C_{i}\) first checks the validity of \(t_{2}\) by checking whether the equation \(t'-t_{2}\geq\Delta t\) holds. If the equation holds, \(C_{i}\) rejects \(S_{i}\).

  7. (7)

    C i computes \(\beta'=h(\mathit{ID}_{i}\parallel P_{i}'\parallel M_{2}\parallel M_{3}\parallel t_{2})\) and verifies whether β′?=β. If they are not equal, C i stops the session. Otherwise, C i computes \(M_{4}\equiv T_{R_{c}}(M_{3})\equiv T_{R_{c}R_{s}}(s)\ \mathrm{mod}\ p\) and \(\gamma =h(\mathit{ID}_{i}\parallel P_{i}'\parallel M_{2}\parallel M_{4}\parallel t_{3})\). C i then sends {γ,t 3} to S i .

  8. (8)

    Upon receiving \(\{\gamma,t_{3}\}\), \(S_{i}\) first checks the validity of \(t_{3}\) by checking whether the equation \(t'-t_{3}\geq\Delta t\) holds. If the equation holds, \(S_{i}\) rejects \(C_{i}\). Otherwise, \(S_{i}\) computes \(M_{4}'\equiv T_{R_{s}}(M_{1})\equiv T_{R_{c}R_{s}}(s)\ \mathrm{mod}\ p\) and \(\gamma'=h(\mathit{ID}_{i}'\parallel P_{i}''\parallel M_{2}'\parallel M_{4}'\parallel t_{3})\) and checks whether γ′?=γ.

  9. (9)

    If it holds, S i accepts C i ’s login request and the verification is successful. Then both C i and S i can use the session keys M 4 and \(M_{4}'\) to communicate with each other by using a symmetric cryptosystem.

Fig. 6 Authentication phase of our scheme

Since \(\mathit{SPUB}\equiv T_{X_{s}}(s)\ \mathrm{mod}\ p\), \(M_{1}\equiv T_{R_{c}}(s)\ \mathrm{mod}\ p\), \(M_{2}\equiv T_{R_{c}}(\mathit{SPUB})\ \mathrm{mod}\ p\), and \(M_{3}\equiv T_{R_{s}}(s)\ \mathrm{mod}\ p\), so we can derive

and

Therefore, the correctness of the scheme is proved.
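The semigroup property of Sect. 2.1 and the login/authentication exchange whose correctness is argued above can be run end to end; the following is an added example, not code from the paper. It assumes the standard recurrence T_n(x) = 2x·T_{n−1}(x) − T_{n−2}(x) reduced mod p, SHA-256 over length-prefixed parts for h(.), a constructed modulus and Δt, integer timestamps, a client α built to mirror the server's α′, and a card that already holds P_i = h(ID_i ∥ X_s); only the server's t_1 freshness check is shown.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed prime modulus; the page only requires a large prime p
DELTA_T = 5      # constructed transmission-delay bound (assumed unit: seconds)


def cheb(n, x, p=P):
    """T_n(x) mod p from T_n = 2x*T_{n-1} - T_{n-2}, using O(log n) 2x2 matrix products."""
    def mul(a, b):
        return ((a[0]*b[0] + a[1]*b[2]) % p, (a[0]*b[1] + a[1]*b[3]) % p,
                (a[2]*b[0] + a[3]*b[2]) % p, (a[2]*b[1] + a[3]*b[3]) % p)
    acc, step = (1, 0, 0, 1), (2 * x % p, p - 1, 1, 0)
    while n:
        if n & 1:
            acc = mul(acc, step)
        step = mul(step, step)
        n >>= 1
    return (acc[2] * x + acc[3]) % p   # second row of M^n applied to (T_1, T_0) = (x, 1)


def h(*parts):
    """h(a || b || ...): SHA-256 over length-prefixed parts (encoding is an assumption)."""
    digest = hashlib.sha256()
    for part in parts:
        raw = part if isinstance(part, bytes) else str(part).encode()
        digest.update(len(raw).to_bytes(4, "big") + raw)
    return digest.digest()


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def stale(t_sent, t_recv):
    """True when t' - t >= delta t, i.e. the message must be rejected."""
    return t_recv - t_sent >= DELTA_T


def run_exchange(user_id=b"alice", delay=0, tamper_alpha=False):
    """One login/authentication run; returns (M4, M4') or raises ValueError on rejection."""
    ident = user_id.ljust(32, b"\0")                 # fixed width so ID xor h(.) is reversible
    x_s, s = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    spub = cheb(x_s, s)                              # SPUB = T_Xs(s) mod p
    p_i = h(ident, x_s)                              # assumption: the card can recover P_i

    # Client login message {NID, M1, alpha, t1}
    r_c, t1 = secrets.randbelow(P - 3) + 2, 1000
    m1, m2 = cheb(r_c, s), cheb(r_c, spub)
    nid = xor(ident, h(m1, m2))
    alpha = h(b"forged") if tamper_alpha else h(ident, nid, p_i, m1, m2, t1)

    # Server: freshness, recover ID', check alpha, reply {M3, beta, t2}
    if stale(t1, t1 + delay):
        raise ValueError("t1 outside the allowed delay")
    m2_s = cheb(x_s, m1)                             # M2' = T_Xs(T_Rc(s)) = M2
    ident_s = xor(nid, h(m1, m2_s))
    p_s = h(ident_s, x_s)
    if not hmac.compare_digest(alpha, h(ident_s, nid, p_s, m1, m2_s, t1)):
        raise ValueError("alpha mismatch")
    r_s, t2 = secrets.randbelow(P - 3) + 2, t1 + delay + 1
    m3 = cheb(r_s, s)
    beta = h(ident_s, p_s, m2_s, m3, t2)

    # Client: check beta, derive M4, send {gamma, t3}
    if not hmac.compare_digest(beta, h(ident, p_i, m2, m3, t2)):
        raise ValueError("beta mismatch")
    m4, t3 = cheb(r_c, m3), t2 + 1
    gamma = h(ident, p_i, m2, m4, t3)

    # Server: derive M4' = T_Rs(M1) and check gamma
    m4_s = cheb(r_s, m1)
    if not hmac.compare_digest(gamma, h(ident_s, p_s, m2_s, m4_s, t3)):
        raise ValueError("gamma mismatch")
    return m4, m4_s
```

Both sides end with the same value because T_Rc(T_Rs(s)) and T_Rs(T_Rc(s)) are the same polynomial composition, and the server recovers ID_i only because T_Xs(M_1) equals T_Rc(SPUB).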

4.4 Password change phase

In this phase, the smart card always verifies the old password entered by the user before updating to the new password. In order to change the password, the user C i performs the following steps:

  1. (1)

    Inserts the smart card and offers both the biometric template B i and old password PW i .

  2. (2)

    The smart card computes \(B_{i}'=\mathit{BPW}\oplus h(\mathit{PW}_{i})\) and verifies \(B_{i}?=B_{i}'\). If \(B_{i}\neq B_{i}'\), it means that C i enters the wrong old password or the wrong biometric template. Then, the smart card rejects the request.

  3. (3)

    If C i passes the biometric verification, C i enters his/her new password \(\mathit{PW}_{i}^{\mathrm{new}}\).

  4. (4)

    The smart card computes the following:

  5. (5)

    Finally, replaces the e i with \(e_{i}'\) on the smart card.

5 Analysis of the proposed scheme

In this section, we analyze the security and performance of our proposed scheme and show that it overcomes the security weaknesses of the Das’s scheme. The details are described in the following.

5.1 Security analysis

Here, we describe several security analyses in our proposed scheme.

Privileged insider attack

In the registration phase of our scheme, the remote user C i sends h(PW i B i N) to the registration center R i . The privileged insider cannot derive the password PW i without B i and N. Therefore, our scheme can resist the privileged insider attack.

Replay attack

The attacker may intercept the communication messages from C i and replay them to the server S i in next run. However, the attacker cannot pass the verification with the incorrect timestamps. Hence, our scheme is secure against the replay attack by using the timestamps t 1,t 2, and t 3.

Off-line password guessing attack

The attacker may intercept the messages {NID i ,M 1,α,t 1} and {M 3,β,t 2}. The attacker may also get e i stored in the smart card. Then he/she could try to guess the password \(\mathit{PW}_{i}'\). But the attacker cannot verify the correctness of the password \(\mathit{PW}_{i}'\) since he/she does not know the elements r i , f i , B i and P i . If the attacker wants to derive the random integers R c and R s , he/she will also face the DHP. Therefore, our scheme can resist the off-line password guessing attack.

User anonymity

The attacker may eavesdrop on the communication between user C i and server S i , and try to track the user’s real identity to find some information of the user. In our scheme, the real identity ID i is protected by \(M_{2}\equiv M_{2}'\equiv T_{X_{s}}(T_{R_{c}}(s))\ \mathrm{mod}\ p\) from \(\mathit{SPUB}\equiv T_{X_{s}}(s)\ \mathrm{mod}\ p\) and \(M_{1}\equiv T_{R_{c}}(s)\ \mathrm{mod}\ p\). In order to compute M 2, the attacker will face the DHP. Therefore, our scheme can provide the user anonymity.

Mutual authentication

Our scheme can achieve mutual authentication between user C i and server S i . In the authentication phase of our scheme, server S i has to verify the validity of α and γ in order to authenticate C i . The user C i ’s smart card also has to verify the validity of β in order to authenticate S i . If there is an attacker who wants to forge the messages, he/she will face the DLP and the DHP. Hence, both the user and the server can authenticate with each other, and mutual authentication between them is achieved.

Stolen-verifier attack

The stolen-verifier attack means that an attacker steals the security-sensitive verification table from the server and uses it to masquerade as a legitimate user in the authentication phase. The server in our scheme does not need to maintain any security-sensitive verification table. Hence, our scheme can resist the stolen-verifier attack.

Lost smart card

Assume that an attacker can extract all the information from the smart card by the side channel attack [10, 23]. The attacker may try to derive the password from the information, but the password is protected by the elements r i , f i , B i and P i that the attacker does not know. Besides, the attacker also cannot pass the biometric verification without the user’s biometric template B i . Therefore, our scheme is secure against the smart card loss problem.

5.2 Performance analysis

Here, we discuss the performance of our proposed scheme. We compare the security properties of our scheme with Tseng et al.’s scheme [30], Lee et al.’s scheme [17], He et al.’s scheme [5], and the Das’s scheme [2] in Table 3. We also define some notation as follows:

  • T X : time for performing an XOR operation.

  • T H : time for performing a one-way hash function.

  • T E : time for performing a symmetric encryption operation.

  • T D : time for performing a symmetric decryption operation.

  • T C : time for performing a Chebyshev chaotic map operation.

Table 3 Comparison of security properties

In Table 3, we can see that our scheme is more secure than other schemes. We also compare the performance of our scheme with other schemes in Table 4. The costs of our scheme are slightly higher than of the Das’s scheme. However, the Das’s scheme is vulnerable to the privileged insider attack, the off-line password guessing attack, and also cannot provide user anonymity. As a result, our proposed scheme can overcome the weaknesses of the Das’s scheme. Hence, our scheme is more secure than the Das’s scheme.

Table 4 Comparison of performance

6 Conclusions

In this article, we presented a cryptanalysis of the Das’s scheme and pointed out its security weaknesses. We have shown that the Das’s scheme is vulnerable to the privileged insider attack, the off-line password guessing attack, and also cannot provide user anonymity. To solve these problems, we proposed a secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. The proposed scheme not only can resist the above-mentioned attacks, but also provide user anonymity. As a result, our scheme could solve the security problems found in the Das’s scheme at the cost of increasing the computational costs slightly.