A Privacy Preserving three-factor authenticated key agreement protocol for client–server environment

Abstract

Research has proven that accomplishing security properties while improving performance of an authentication protocol is a challenging task. Numerous authentication protocols proposed in the recent times are still behind in achieving the concrete objectives. Qi et al. and Lu et al. recently proposed two-factor authenticated key-agreement protocols for client–server architecture. This paper revisits their protocols and analyzes the shortcomings of such approaches. We also propose an improved authenticated key agreement protocol for client–server environment to defeat mentioned weaknesses of existing protocols that are discussed in related works. The rigorous security analysis using Burrows–Abadi–Needham logic, formal security verification using Real-OR-Random model, simulations using the Automated Validation of Internet Security Protocols and Applications tool, and the informal security analysis shows that the proposed protocol is secure. Additionally, we summarize the results to ensure that the proposed protocol is efficient compared to the existing related protocols.

1 Introduction

Despite the long rigorous research efforts, designing a perfect authentication protocol for two-party communication remains an interesting topic. The rapid evolution of handheld devices and communication technologies has entailed the installation of different authentication methods. Smartcard with password based authentication is one of the modest and inexpensive methods, which is believed to be safe and sound than passwords alone. On the contrary, studies have shown that two-factor authentication techniques are still vulnerable under several scenarios such as faulty protocol design, and when the passwords are guessed, and the smartcard stored data is leaked out (Kocher et al. 1999; Messerges et al. 2002; Wang and Wang 2015). The ascribed limitations of two-factor authentication methods necessitated additional security called biometrics. The properties of biometric keys (iris, face, finger print, palm print etc.) such as uniqueness, non-transferability and unforgeability makes it robust (Li and Hwang 2010; Mishra et al. 2014).

1.1 Related work

A mobile client–server communication prototype enables multiple clients to avail the services offered by a single server irrespective of geographical location. Authentication of such parties happening over public channels must be secured through a feasible means. Several researchers have followed various approaches during the past three decades, namely, knowledge-based (Lamport 1981; Wu 1995; Tzong-Chen and Hung-Sung 1996; Jan and Chey 1998; Tan and Zhu 1999; Chan and Cheng 2000; Chien et al. 2001; Liao et al. 2006), token-based (Wang et al. 2009, 2011, 2015; Xu et al. 2009; Yang and Chang 2009; Yoon and Yoo 2009; Song 2010; Pippa et al. 2010; Sood et al. 2010; Wu and Tseng 2010; Islam and Biswas 2011, 2014; Debiao et al. 2012; He 2012; Hsieh and Leu 2012; Madhusudhan and Mittal 2012; Wen and Li 2012; Chou et al. 2013; Li et al. 2013; Chang et al. 2014; Chen et al. 2014; Farash and Attari 2014; Kumari and Khan 2014; Kumari et al. 2014, 2017; Zhang et al. 2014; Goutham et al. 2015; Jiang et al. 2015; Tu et al. 2015; Farash 2016; Lu et al. 2016; Xie et al. 2016; Luo et al. 2017; Qi and Chen 2017), biometrics-based (Khan et al. 2008, 2014; Fan and Lin 2009; Das 2011; Li et al. 2011, 2014; Chen et al. 2012; An 2012; Yeh et al. 2013; Cao and Ge 2015; Das and Goswami 2015; Wu et al. 2015; Han et al. 2016; Chaturvedi et al. 2017; Xie et al. 2017). This paper’s main aim is to study and analyze the two-factor authentication methods, and then to fix the shortcomings by proposing and examining a new three-factor authentication method.

Xu et al. (2009) proposed a smartcard based authentication protocol and stated that their protocol remain safe though the smartcard stored data is extracted. Conversely, Song (2010) proved that Xu et al.’s protocol is vulnerable to user impersonation attacks when the data on the smartcard is gathered. Then they proposed an efficient smartcard with password based protocol, which was later indicated by Pippa et al. (2010) that Song et al.’s protocol cannot afford forward secrecy. In the same year, Sood et al. (2010) found that Xu et al.’s protocol is even prone to forgery attacks when the valid login request is intercepted, and they put forward an improved protocol over Xu et al.’s protocol. Yet Chen et al. (2014) reviewed Xu et al. (2009), Sood et al. (2010) and Song’s (2010) protocols, and presented various flaws such as user impersonation attacks, improper mutual authentication and stolen smartcard attacks. Chen et al. proposed an enhanced robust two-factor authentication protocol while considering the merits and demerits of all three aforementioned protocols. However, Li et al. (2013), Jiang et al. (2015), and Xie et al. (2016) have analyzed Chen et al.’s (2014) protocol, independently. They demonstrated that Chen et al.’s protocol is susceptible to password guessing attacks, smartcard stolen attacks and user impersonation attacks. Besides, Chen et al.’s protocol cannot hold perfect forward secrecy, login verification and efficient password changing phase. Nonetheless, Xie et al. (2016) also proposed an authentication protocol based on smartcard with password. However, Lu et al. (2016) asserted that Xie et al.’s protocol consists of several drawbacks such as prone to insider attacks, trace attacks, user impersonation attacks and no login verification. Several other authentication protocols (Irshad et al. 2017a, b, c, d; Gope and Das 2017; Gope 2017; Gope and Hwang 2016a, b; Reddy et al. 2016) have been proposed recently in the literature in order to improve the efficiency and security over the existing protocols.

Lu et al. (2016), and Qi et al. (2017) proposed two-factor authenticated key-agreement protocols for client–server architecture using various approaches. They claimed that their protocol is secure against attacks and provides distinguished properties. Conversely, the cryptanalysis section of this paper shows the drawbacks of Lu et al.’s protocol such as prone to server impersonation attacks, privileged insider attacks, and lack of user anonymity; Qi et al.’s protocol such as prone to user impersonation attacks, session-specific ephemeral secret leakage attacks, insider attacks, and lack of user anonymity.

1.2 Research contributions

• We revisit and provide the cryptanalysis of recently proposed Qi et al. and Lu et al.’s protocols.

• We put forward an anonymous three-factor mutually authenticated key agreement protocol for client–server architecture on elliptic curve cryptography (ECC).

• The formal security of the proposed protocol is verified using ROR model, AVISPA simulation tool, and the mutual authentication using BAN logic.

• The analysis of the paper evident that the proposed protocol performs better compared to its counterparts.

1.3 Threat model

A threat modeling is an imperative module of the designing an authenticated key agreement protocol. The threat modeling is a process for enhancing security by classifying vulnerabilities and objectives, and then defining preventive measures of threats to the system. In this framework, a threat is a potential malicious attack that would be perpetrated by an adversary, say Ӕ that can cause damage to the assets. The threat model of this paper is built on following assumptions.

• Ӕ has partial/complete control over the messages that were transmitted over the public channels. This includes to intercept, modify, and delete any communicated message. Under this case, the Dolev-Yao (DY) threat model is followed (Dolev and Yao 1983).

• Ӕ is capable to extract the parameters that are stored on a smartcard issued to a user.

• Ӕ can try to obtain sensitive information of users such as password by performing offline/online password guessing attacks.

• Ӕ may also try to gain access to the authorized system with the stolen smartcard while constantly guessing the credentials. The low-entropy passwords could make Ӕ job even easier.

• Ӕ can trace the users’ activities using the obtained information from the transmitted messages via open channels.

• Ӕ at the server end, called the privileged-insider user, can perform malicious activities using the data that was received during the registration phase.

1.4 Paper organization

Section 2 revisits Qi et al.’s protocol. Section 3 cryptanalyses Qi et al.’s protocol. Section 4 revisits Lu et al.’s protocol. Section 5 cryptanalyses Lu et al.’s protocol. Section 6 portrays the proposed protocol. Section 7 analyzes the security of the proposed protocol. Section 8 affords comparisons with the related protocols. Finally, Sect. 9 concludes the paper.

2 Revisiting Qi et al.’s protocol

This section revisits Qi et al.’s (2017) two-party authenticated key-agreement protocol for mobile architecture. Their scheme comprises of four phases, namely, system initialization phase, user registration phase (over a secure channel), login and mutually authenticated key-agreement phase (over a public channel), and password changing phase (over a secure channel). Here, we present only the first three phases as the drawbacks lies in these phases.

2.1 System initialization phase

In this phase, server S chooses an elliptic curve E/F_p defined over finite field F_p of prime order p, a base point P in E/F_p of order q, a long-term private key k_s, corresponding public key Q_s = k_sP, and cryptographic hash functions h₁(), h₂().

2.2 User registration phase

Step 1: User U sends chosen credentials {ID_u, PW_u} to the server S.

Step 2: S checks the validity of ID_u, and verifies h₂(ID_u) if it exists in the database. S computes secret key l = h₁(d_s) ⊕ h₂(ID_u || PW_u) and delivers it to U, where d_s is server’s long-term private key.

S follows two approaches: online and offline to deliver the secret key. Online uses transport layer security channel in the https mode, and offline uses a smartcard stored l in it.

2.3 Login and mutually authenticated key-agreement phase

In this phase, U and S can authenticate each other and make a session key as shown in Fig. 1.

Fig. 1

Login and authenticated key-agreement phase of Qi et al.’s protocol

Step 1: U enters his/her ID_u, PW_u then chooses a random number r_u∈Z_n^*, and computes R_u = r_uP, R = r_uQ_s, CID_u = ID_u ⊕ l ⊕ h₂ (ID_u || PW_u), and Auth_u = h₂ (ID_u || R || l ⊕ h₂ (ID_u || PW_u)). U sends {Auth_u, CID_u, R_u} to S.

Step 2: S computes ID_u = CID_u ⊕ h₁(d_s), R^* = d_sR_u, and Auth_u^* = h₂(ID_u || R^* || h₁(d_s)). S verifies if Auth_u^* = Auth_u. If not, the process aborts. S generates a random number r_s∈Z_n^* and computes R_s = r_sP, SK_s = r_sR_u, and Auth_s = h₂(ID_u || R^*|| SK_s). S sends {Auth_s, R_s} to U.

Step 3: U computes SK_u = r_uR_s, and Auth_s^* = h₂(ID_u || R || SK_u). U verifies if Auth_s^* = Auth_s. If not, the process aborts. U further computes the session key SK = kdf(ID_u || SK_u) and Auth_us = h₂(R || SK_u), and sends Auth_us to S, where kdf is key derivation function.

Step 4: S computes Auth_us^* = h₂(R^* || SK_u) and verifies if Auth_us^* = Auth_us. If yes, S computes the session key SK = kdf(ID_u || SK_s) and allows the further communication.

3 Cryptanalysis of Qi et al.’s protocol

This section demonstrates the security drawbacks of Qi et al.’s protocol (2017) such as prone to user impersonation attacks, insider attacks, session-specific ephemeral secret leakage attacks, and lack of user anonymity.

3.1 Lack of anonymity

Step 1: Assume an adversary Ӕ is a registered user with valid credentials l = h₁(d_s) ⊕ h₂(ID_Ӕ || PW_Ӕ). Ӕ can retrieve h₁(d_s) = l ⊕ h₂(ID_Ӕ || PW_Ӕ).

Step 2: Let Ӕ intercept the message {Auth_u, CID_u, R_u} of U to S. Now Ӕ can compute the identity of U using h₁(d_s) = l ⊕ h₂(ID_u || PW_u) and CID_u = ID_u ⊕ l ⊕ h₂(ID_u || PW_u) as ID_u = CID_u ⊕ h₁(d_s).

Thus, it violates user anonymity and does not prevent traceability.

3.2 Prone to user impersonation attacks

Assume Ӕ knows the identity ID_u of a legitimate U, then Ӕ can impersonate U as follows:

Step 1: Ӕ chooses a random number r_a∈Z_n^*, and computes R_a = r_aP, R = r_aQ_s, CID_a = ID_u ⊕ h₁(d_s), and Auth_a = h₂(ID_u || R || h₁(d_s)). Ӕ sends M₁ = {Auth_a, CID_a, R_a} to S.

Step 2: S computes ID_u^* = CID_a ⊕ h₁(d_s), R^* = d_sR_a, and Auth_a^* = h₂(ID_u^* || R^*|| h₁(d_s)). S verifies if Auth_a* = Auth_a. If not, the process aborts. S generates a random number r_s∈Z_n^* and computes R_s = r_sP, SK_s = r_sR_a, and Auth_s = h₂(ID_u || R^*|| SK_s). S sends M₂ = {Auth_s, R_s} to Ӕ.

Step 3: Ӕ computes SK_a = r_aR_s, and Auth_s^* = h₂(ID_u || R || SK_a). U verifies if Auth_s^* = Auth_s. If not, the process aborts. Ӕ further computes the session key SK = kdf(ID_u || SK_a) and Auth_as = h₂(R || SK_a), and sends M₃ = {Auth_as} to S.

Step 4: S computes Auth_as^* = h₂(R^* || SK_a) and verifies if Auth_as^* = Auth_as. If yes, S computes the session key SK = kdf(ID_u || SK_s) and allows the further communication.

Since no password required to compute the session key and confirmation message, Ӕ can successfully compute the subsequent valid response messages and establish a session on behalf of U as elucidated above.

3.3 Prone to session-specific ephemeral secret leakage attacks

Assume that Ӕ intercepts the massages M₁ = {Auth_u, CID_u, R_u}, M₂ = {Auth_s, R_s}, and M₃ = {Auth_us} transmitted between U and S. Let session ephemeral secret r_u^′ of U is revealed to Ӕ. Ӕ now can launch offline identity attacks using these parameters as follows:

Step 1: Ӕ computes R_a = r_aP, R = r_aQ_s.

Step 2: Ӕ guesses ID_u^* and then compare Auth_s ?= h₂(ID_u^* || R || SK_u). Repeat the step until correct match is found.

Remark 1

Once identity of U is known to Ӕ using the above steps, Ӕ can also compute the secret parameter h₁(d_s) = CID_u ⊕ ID_u^*, which is static and commonly shared to all registered users. Consequently, Ӕ can impersonate all the users. Ӕ then establish a session with S without U’s password as follows:

Step 1: Ӕ computes R_u′ = r_u′P and then compare R_u′ with R_u in intercepted message M₁. If both matches, Ӕ confirms that r_u′ is corresponding to M₁ and R_u′ = R_u.

Step 2: Ӕ computes R_a = r_aP, and replays M₁ = {Auth_u′ CID_u′ R_u} to S. Note that Ӕdoes not know the credentials of U.

Step 3: S computes ID_u^* = CID_u ⊕ h₁(d_s), R^* = d_sR_u, and Auth_u^* = h₂(ID_u^* || R^* || h₁(d_s)). S verifies if Auth_u* = Auth_u. If not, the process aborts. S generates a random number r_s∈Z_n^* and computes R_s = r_sP, SK_s = r_sR_u, and Auth_s = h₂(ID_u^* || R^* || SK_s). S sends M₂ = {Auth_s, R_s} to Ӕ.

Step 4: Ӕ computes SK_a = r_uR_s, and Auth_s^* = h₂(ID_u^* || R || SK_a). U verifies if Auth_s^* = Auth_s. If not, the process aborts. Ӕ further computes the session key SK = kdf(ID_u^* || SK_a) and Auth_as = h₂(R || SK_a), and sends M₃ = {Auth_as} to S.

Step 5: S computes Auth_as^* = h₂(R^* || SK_s) and verifies if Auth_as^* = Auth_as. If yes, S computes the session key SK = kdf(ID_u^* || SK_s) and allows the further communication.

3.4 Prone to insider attacks

Qi et al.’s protocol is susceptible to the insider attacks as the plain credentials of the users {ID_u, PW_u} are shared with the server during the registration phase. In addition, their scheme does not offer user revocation and re-registration phases.

4 Revisiting Lu et al.’s protocol

This section revisits Lu et al.’s (2016) two-factor authenticated key-agreement protocol for mobile client–server architecture. Their scheme comprises of three phases, namely, user registration phase (over a secure channel), login and mutually authenticated key-agreement phase (over a public channel), and password changing phase (over a secure channel). Here, we discuss only the first two phases as the drawbacks lies in these phases.

4.1 User registration phase

Step 1: User U_i chooses an identity ID_a, password PW_a and computes PWD = h(PW_a || r_a), where h(.) is a one-way hash function. Then U_i sends a registration request < ID_a, PWD >  to the server S.

Step 2: S computes W = h((ID_a)^rs mod q) ⊕ PWD, U = x ⊕ r_s, X = ID_a ⊕ r_s, where r_s is a random nonce. Then S stores the parameters {W, U, X, p, q, h(.)} on a smartcard SC that will be delivered to U_i.

Step 3: U_i computes L = h(h(ID_a || h(PW_a || r_a)) mod n), and adds L and r_a to the SC. Thus, the SC contains {W, L, r_a, U, X, p, q, h(.)}.

4.2 Login and mutually authenticated key-agreement phase

In this phase, U_i and S can authenticate each other and make a session key as shown in Fig. 2.

Fig. 2

Login and authenticated key-agreement phase of Lu et al.’s protocol

Step 1: U_i inserts the SC and enters his/her ID_a, PW_a and checks the login condition L = h(h(ID_a || PWD) mod n). If it generates positive result, SC computes M = (g^αmod q) ⊕ W ⊕ h(PW_a || r_a), C = h((g^αmod q) || ID_a || T_a) and transmits login request < M, C, U, X, T_a> to S, where α is a random nonce and T_a is current timestamp generated by U_i.

Step 2: S checks the received T_aif it is valid. S then computes r_s= x ⊕ U, ID_a= X ⊕ r_s and g^α = M ⊕ h((ID_a)^rs mod q) and verifies the condition C = h((g^αmod q) || ID_a || T_a). If it holds, S computes sk = (g^α)^β, N = h((ID_a)^rs mod q) ⊕ g^β, D = h(sk || ID_a || T_s || h((ID_a)^rs mod q)), where βis a random number. S sends the response < N, D, T_s> toU_i.

Step 3: U_i checks the validity of T_s and derives g^β = W ⊕ N ⊕ h(PW_a || r_a). U_i computes the session key sk = (g^β)^α and verifies the condition D = h(sk || ID_a || T_s || h((ID_a)^rs mod q)). If it holds, U_i starts communication using the computed session key sk = (g^α)^β= (g^β)^α.

5 Cryptanalysis of Lu et al.’s protocol

This section demonstrates the security drawbacks of Lu et al.’s protocol (2016) such as prone to insider attacks, server impersonation attacks and lack of user anonymity.

5.1 Prone to server impersonation attack

In Lu et al.’s protocol, another legitimate user U_i′ with x value turned as an adversary Ӕ can mimic a legitimate S as exposed here. During the login and session key establishment phase, U_i transmits the login message < M, C, U, X, T_a>. Assume Ӕ captures this message, then he/she can impersonate the S as follows.

Step 1: During the registration phase, all users (U_i′) receives the values {W, U, X, p, q, h(.)} on a SC. U_i′ can extract server’s secret key x using his/her ID_a, U = x ⊕ r_s and X = ID_a ⊕ r_s values as shown below:

U ⊕ X ⊕ ID_a = x ⊕ r_s ⊕ ID_a ⊕ r_s ⊕ ID_a = x.

Step 2: If U_i′ turns as an adversary Ӕ, Ӕ can derive r_s, ID_a, and g^α values from < M, C, U, X, T_a> by computing r_s= x ⊕ U, ID_a= X ⊕ r_s and g^α = h((ID_a)^rs mod q).

Step 3: Ӕ chooses a random number β and computes sk = (g^α)^β, N = h((ID_a)^rs mod q) ⊕ g^β, D = h(sk || ID_a || T_s || h((ID_a)^rs mod q)). Ӕ sends < N, D, T_s> toU_i.

Step 4: A checks the validity of T_s and derives g^β = W ⊕ N ⊕ h(PW_a || r_a). Then, U_i computes the session key sk = (g^β)^α and verifies the condition D ≟ h(sk || ID_a || T_s || h((ID_a)^rs mod q)). U_i treats Ӕ as legitimate S since the condition D holds.

5.2 Lack of user anonymity

During the login phase, U_i transmits < M, C, U, X, T_a> to S via a public channel. The parameters U = x ⊕ r_s and X = ID_a ⊕ r_s in the message < M, C, U, X, T_a> are unique and static during all logins for each user. This results in failure of providing perfect user anonymity that could eventually lead to trace attacks.

5.3 Prone to privileged insider attack

Consider a consequence where an insider of the server S acts as an adversary and knows the registration information ID_a and PWD of a valid U_i. Further, assume that the same adversary possesses the extracted information{W, r_a, U, X, L, p, q, h(.)} from the stolen smartcard of U_i. Now, the adversary Ӕ applies the offline-password guessing attack to guess correctly the user’s low-entropy PW_a as follows.

Step 1: Ӕ guesses a password PW_a′ and computes PWD′ = h(PW_a || r_a).

Step 2: Ӕ checks if PWD′ = PWD. If it is valid, Ӕ is successful to guess the correct password PW_a′ (= PW_a). Otherwise, Ӕ repeats from Step 1 until he/she gets success.

Thus, a privileged-insider being an adversary at the server S can guess the correct PW_a of a legal U_i.

6 The proposed protocol

This section puts forward a three-factor mutually authenticated key agreement protocol for client–server architecture based on elliptic curve cryptography (ECC). The proposed protocol comprises two participants and four phases. The notations used in the proposed protocol are listed in Table 1. To provide strong biometric verification locally, we apply the fuzzy extractor method (Dodis et al. 2004), which is composed of the following two functions:

Table 1 Notations of the protocols

Table 2 Notations of the BAN logic

• Gen: It is a probabilistic generation function in nature, which takes user biometrics BIO_U as inputs and then results a pair (σ_U, θ_U) as biometric secret key and public reproduction parameter, that is, (σ_U, θ_U) = Gen(BIO_U).

• Rep: It is deterministic function in nature, which has the ability to reproduce the original biometric key σ_U from the user biometrics BIO_U′ and θ_U, that is, σ_U = Rep(BIO_U′,θ_U) provided that the Hamming distance between BIO_U′ and BIO_U is less than or equal to a predefined error tolerance threshold value (Dodis et al. 2004).

To protect the replay attack against an adversary, we apply the current timestamp along with the random nonce. For this issue, we assume that the entities are synchronized with their clocks as it is a reasonable assumption used in designing other authentication protocols (Wazid et al. 2017; Das et al. 2017; Roy et al. 2017a, b, 2016; Chang and Le 2016).

6.1 User registration phase

A new user U_i registers at the server S and obtains a smartcard as shown in Fig. 3.

Fig. 3

Summary of user registration phase

Step 1: U_i chooses ID_U, PW_U, r, r_u and scans BIO_U, and then computes RPW = h(PW_U || r_u) ⊕ r. U_i sends a registration request message < ID_U, RPW > to S via a secure channel.

Step 2: S computes MID_U = E_k(ID_U || n), M = h(ID_U || ID_S || k), and N = M ⊕ RPW.

Step 3: U_i receives a SC with the parameters {MID_U,N, P, h(.)} from S through a secure channel.

Step 4: U_i computes (σ_U, θ_U) = Gen(BIO_U), E = r_u ⊕ h(σ_U), N′ = N ⊕ r, G = h(ID_U || h(PW_U || r_u)) and then stores {E, N′, G} on the received SC after deleting N from the SC. SC now holds the parameters {MID_U, E, N′, G, P,θ_U, h(.)}.

6.2 Login and authenticated key agreement phase

This phase allows U_i and S to mutually authenticate and make a session key for subsequent communication through public channel as illustrated in Fig. 4.

Fig. 4

Summary of mutual authentication and key-agreement phase

Step 1: SC \(\to\) S: Msg₁ = < MID_U, αP, C, T_u>. SC computes σ_U = Rep(BIO_U, θ_U), r_u = h(σ_U) ⊕ E and verifies the condition G_U ≟ h(ID_U || h(PW_U || r_u)). If it produces positive result, the SC generates α, T_u and calculates M = N′ ⊕ h(PW_U || r_u), αP, C = h(MID_U || αP || M || T_u). SC sends the login request message < MID_U, αP, C, T_u > to S via public channel.

Step 2: Upon receiving the login request, S first verifies the received T_u by the condition T_u^* − T_u < ΔT, where T_u^* is time when the message is received by S. If it is valid, S then decrypts MID_U and obtains ID_U of U_i. S computes M = h(ID_U || ID_S || k) and verifies the condition C = h(MID_U || αP || M || T_u). S authenticates U_i only if the condition holds. Else, the process can be terminated.

Step 3: S\(\to\)SC: Msg₂ = < βP, D, F, T_s>. S further generates β, T_s and computes MID_U′ = E_k(ID_U || n′), SK = h(ID_U || βαP || M), D = h(MID_U′ || SK || T_s), F = MID_U′ ⊕ h(SK). S sends < βP, D, F, T_s> to SC via public channel.

Step 4: SC first verifies the received T_s by the condition T_s^* − T_s < ΔT, where T_s^*is time when the message is received by U_i. If it holds, SC computes SK = h(ID_U || αβP || M), MID_U′ = F ⊕ h(SK)and verifies the condition D = h(MID_U′ || SK || T_s). If the condition holds, U_i authenticates S and updates MID_U with MID_U′; else, the process can be dropped.

Step 5: SC \(\to\) S: Msg₃ = < Z, T_u′>. SC generates the current timestamp T_u′, computes Z = h(βP || SK), and sends the message < Z, T_u′> to S. S first verifies the received T_u′by the condition T_u′^* − T_u′ < ΔT, where T_u′^*is time when the message is received by S. If it is valid, S then verifies Z = h(βP || SK) and reconfirms the authenticity of U_i, if the condition holds.

6.3 Password and biometrics update phase

In this phase, U_i can update his/her existing PW_U and BIO_U without involvement of S as follows.

Step 1: U_i inserts SC and passes ID_U, PW_U and BIO_U. SC computes σ_U = Rep(BIO_U, θ_U), r_u = h(σ_U) ⊕ E and verifies G ≟ h(ID_U || h(PW_U || r_u)). If the condition holds, U_i can change existing PW_U and BIO_U; otherwise, the request can be rejected.

Step 2: U_i passes new BIO_U^# and PW_U^#, and computes M = N’′⊕ h(PW_U || r_u), N′^# = M ⊕ h(PW_U^# || r_u), (σ_U^#, θ_U^#) = Gen(BIO_U^#), E^#=r_u ⊕ h(σ_U^#),and G^#=h(ID_U || h(PW_U^# || r_u)).

Step 3: U_i replaces N′, E and G_U with N′^#, E^# and G_U^# on the SC, respectively. SC now holds the updated information {MID_U, E^#, N′^#, G^#, P, θ_U^#, h(.)}.

6.4 User revocation/re-registration phase

Users can revoke or re-register when their smartcard is lost by proving their authenticity in following way.

Step 1: U_i chooses revoke/re-register option and sends existing ID_U^prev to S via a secure channel.

Step 2: S verifies ID_U^prev existence and replies U_i asking the new credentials.

Step 3: U_i chooses ID_U, PW_U, r, r_u and scans BIO_U, and then computes RPW = h(PW_U || r_u) ⊕ r. U_i sends a registration request message < ID_U, RPW > to S via a secure channel.

Step 4: S computes MID_U = E_k(ID_U || n), M = h(ID_U || ID_S || k), and N = M ⊕ RPW.

Step 5: U_i receives a SC with the parameters {MID_U,N, P, h(.)} from S through a secure channel.

Step 6: U_i computes (σ_U, θ_U) = Gen(BIO_U), E = r_u ⊕ h(σ_U), N′ = N ⊕ r, G = h(ID_U || h(PW_U || r_u)) and then stores {E, N′, G} on the received SC after deleting N from the SC. SC now holds the parameters {MID_U, E, N′, G, P, θ_U, h(.)}.

7 Security analysis

This section demonstrates the mutual authentication using BAN logic, formal and informal security analyses of the proposed authentication protocol. The proposed scheme is shown that a user U_i and the server S mutually authenticate among each with the help of the widely-used Burrows–Abadi–Needham logic (BAN logic) (Burrows et al. 1990) (see Sect. 7.2). We then prove the session key security (SK-security) of the proposed scheme under the broadly-accepted Real-Or-Random (ROR) model (Abdalla et al. 2005) (see Sect. 7.1). Moreover, the proposed scheme is shown to be secure against various other known attacks informally (see Sect. 7.3). In addition, the formal security verification using the broadly-accepted AVISPA tool (AVISPA Team 2006) assures that the scheme is secure against replay and man-in-the-middle attacks (see Sect. 7.4). Wang et al. (Wang et al. 2015a, b) observed the following interesting point: the widely used formal methods (for example, random oracle model, BAN logic) cannot always capture some structural mistakes, and therefore, assuring soundness of authentication protocols still remains an open issue. Due to this, we need the security analysis informally as well as formal security verification using AVISPA tool to ensure that the proposed scheme can be made more secure with high probability.

7.1 Formal security analysis using Real-OR-Random (ROR) model

In this section, through the widely-accepted Real-Or-Random (ROR) model (Abdalla et al. 2005), we prove the session key (SK) security of the proposed scheme. Recently, the ROR model based formal security analysis has drawn much attention in analyzing the formal security in many authentication protocols (Wazid et al. 2017; Das et al. 2017; Roy et al. 2017a, b, 2016; Chang and Le 2016).

7.1.1 ROR model

Two participants, namely user U_i and the server S are associated with the proposed scheme. We have the following components associated with the ROR model (Abdalla et al. 2005).

• Participants The instances t₁ and t₂ of U_i and S are denoted by \(\pi _{U}^{{{t_1}}}{\text{~and}}~\pi _{S}^{{{t_2}}}\), respectively, which are also termed as oracles (Chang and Le 2016).

• Accepted state If an instance \({\pi ^t}\) makes transition to an accept state after receiving the last expected protocol message, it is said to be in accepted state. The session identification (sid) of \({\pi ^t}\) for present session is constituted by the ordered concatenation of all communicated (sent and received) messages by \({\pi ^t}\).

• Partnering Let \({\pi ^{{t_1}}}\) and \({\pi ^{{t_2}}}\) are two instances. They are partners to each other when the following three criteria are simultaneously fulfilled: (1) \({\pi ^{{t_1}}}\) and \({\pi ^{{t_2}}}\) in accepted state; (2) both \({\pi ^{{t_1}}}\) and \({\pi ^{{t_2}}}\) mutually authenticate each other, and share the same sid; and (3) both \({\pi ^{{t_1}}}\) and \({\pi ^{{t_2}}}\) are mutual partners.

• Freshness If the session key SK between U_i and S is not divulged to an adversary A with the help of the following defined reveal oracle query Reveal (\({\pi ^t}\)), \(\pi _{U}^{{{t_1}}}{\text{or~}}\pi _{S}^{{{t_2}}}\) is said to be fresh.

• Adversary Under the ROR model, the adversary A cannot only read the transmitted messages, but also can modify, delete or change the message contents during the communication. In other words, A is allowed to have full control over the communication. Moreover, A will have access to the following queries (Chang and Le 2016):

• Execute (\({\pi ^{{t_1}}}\), \({\pi ^{{t_2}}}\)) With the help of this query, the transmitted messages between the valid parties U_i and S are intercepted by A. It is modeled as an eavesdropping attack.

• Reveal (\({\pi ^t}\)) This query allows A to compromise the present session key SK_ij created by \({\pi ^t}\) (and its partner).

• Send (\({\pi ^t},{\text{~}}m\)) This query helps a participant instance \({\pi ^t}\) to transmit a message m and also receives a message, which is further modeled as an active attack.

• CorruptSmartcard (\(\pi _{U}^{{{t_1}}}\)) It implements the smart card SC lost/stolen attack. With the help of this query, the secret credentials stored in SC are revealed to A.

• Test (\({\pi ^t}\)) The semantic security of session key SK between U_i and S following the indistinguishability in the ROR model (Abdalla et al. 2005) is implemented under this query. At first, an unbiased coin c is flipped prior to beginning of the game, whose output result is only secret to A. This value is later used to verify whether the output of the Test query is consistent. If A executes this query and it is found that the session key SK is fresh, \({\pi ^t}\) delivers SK when c = 1 or a random number when c = 0; otherwise, it delivers \(~ \bot ~\) (null).

A restriction for A is imposed here in order to acquire only limited number of CorruptSmartcard (\(\pi _{U}^{{{t_1}}}\)) queries. However, A is permitted to acquire Test (\({\pi ^t}\)) query as many times as he/she can have.

• Semantic security of session key The ROR model (Abdalla et al. 2005) demands that the adversary A requires to distinguish between an instance’s actual session key and a random secret key. A can make the Test queries to either \(\pi _{U}^{{{t_1}}}{\text{~or}}~\pi _{S}^{{{t_2}}}\) and its output is checked for consistency against the random bot c. After the game is completed, A judges a guessed bit c′ for winning purpose. A wins the game when c′ = c. The advantage \(Adv_{{(A)}}^{{AKAP}}\) of A in breaking the semantic security of the proposed authenticated key agreement protocol, say AKAP for deriving the session key SK between U_i and S is defined by \(Adv_{{(A)}}^{{AKAP}}=\left| {2.Pr\left[ {Succ} \right] - 1} \right|\), where Succ represents an event that A can win the game.

• Random oracle The communicating entities U_i and S along with A will have access to a collision resistant one-way cryptographic hash function h(‧), which is further modeled by a random oracle, say H.

7.1.2 Security proof

To prove the semantic security of the proposed scheme, we first define collision-resistant one-way hash function h(.) and the Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP). We then provide the proof in Theorem 1.

Definition 1

(Collision-resistant one-way hash function) A collision-resistant one-way hash function h: {0, 1}^*→ {0, 1}ⁿ is a deterministic mathematical function that takes a variable length input string and produces a fixed length output string of n bits. If \(Adv_{{(A)}}^{{HASH}}\) (rt) denote the advantage of an adversary A in finding a hash collision,

$$Adv_{{(A)}}^{{HASH}}\left( {rt} \right)\,=\,Pr[\left( {{i_{\text{1}}},{i_{\text{2}}}} \right){ \in _R}A:{i_{\text{1}}}\, \ne \,{i_{\text{2}}},h\left( {{i_{\text{1}}}} \right)\,=\,h\left( {{i_{\text{2}}}} \right)],$$

where the probability of a random event X is denoted by Pr[X], and the pair (i₁, i₂) ∈_RA means the input strings i₁ and i₂ are generated randomly by A. An (\(\psi ,\)rt)-adversary A attacking the collision resistance of h(.) means the runtime of A will be at most rt and that \(Adv_{{(A)}}^{{HASH}}\) (rt) \(\leqslant \psi\).

An elliptic curve y² = x³ + ax + b over the finite field GF(p) is the set E_p(a, b), which contains the solutions (x, y) ∈Z_p×Z_p to the congruence y² \(~ \equiv ~\) x³ + ax + b (mod p), where p being a large prime and a, b ∈ Z_p are two constants, together with a special point O, called the point at infinity or zero point, and Z_p = {0, 1,…, p\(-\)1}. E_p(a, b) is called non-singular if the condition 4a³ + 27b² \(\ne ~\) 0 (mod p) is satisfied. The elliptic curve decisional Diffie-Hellman problem (ECDDHP) is defined as follows.

Definition 2

(Elliptic curve decisional Diffie-Hellman problem (ECDDHP)) Let P∈E_p(a, b) be a point on E_p(a, b). The ECDDHP states that given a quadruple (P, k₁.P, k₂.P, k₃.P), to decide whether k₃ = k₁k₂ or a uniform value.

Theorem 1

Suppose A is an adversary running in polynomial time t against the proposed scheme AKAP in the ROR model. If PD is a uniformly distributed password dictionary, l is the number of bits in the biometrics key σ_U\(Adv_{{(A)}}^{{ECDDHP}}\) (t) is the advantage of breaking the ECDDHP in time t by A, and q_h, q_send, \(|Hash|\)and\(|PD|\)are respectively the number of H queries, send queries, range space of h(.) and the size of PD, A’s advantage in breaking semantic security of the proposed scheme AKAP for deriving the session key SK between U_iand S in time t is given by

\(Adv_{A}^{{AKAP}}\left( t \right) \leqslant \frac{{q_{h}^{2}}}{{\left| {Hash} \right|}}+\frac{{{q_{send}}}}{{{2^{l - 1}}.\left| {PD} \right|}}+2Adv_{A}^{{ECDDHP}}(t)\)

Proof

We follow the similar proof as executed in other authentication protocols (Wazid et al. 2017; Das et al. 2017; Chang and Le 2016). A sequence of five games, say Gam_i (i = 0, 1, 2, 3, 4) are essential in this proof in which Succ_i is the winning probability of A in game Gam_i where A can guess the random bit c correctly. The detailed description of all these games is given below.

• Gam₀ It is considered as an actual attack by A against the proposed scheme AKAP in the ROR model. Since the bit c needs to be chosen at the start of Gam₀, it is clear that

$$Adv_{A}^{{AKAP}}\left( t \right)=\left| {2.\Pr \left[ {Suc{c_0}} \right] - 1} \right|.$$

(1)

• Gam₁ This game is modeled as an eavesdropping attack in which A intercepts the transmitted messages Msg₁= < MID_U, αP, C, T_u>, Msg₂= < βP, D, F, T_s> and Msg₃= < Z, T_u^’> during the mutual authentication and key agreement phase of AKAP. Under this game, A makes Execute (\({\pi ^{{t_1}}}\), \({\pi ^{{t_2}}}\)) query. After that A makes the Test query and its result is checked to verify whether it is the real session key SK or a random number. In AKAP, SK is calculated as SK = h(ID_U|| αβP || M), where M = N ⊕ h(PW_U|| r_u) = E_k(ID_U|| n). Therefore, computation of SK clearly demands for the leakage of secret credentials ID_U, α,β and M, and these credentials are unknown to A. In a nutshell, A’s winning the game Gam₁ by eavesdropping of messages is not increased, and thus, we have,

$$\Pr \left[ {Suc{c_1}} \right]=~\Pr \left[ {Suc{c_0}} \right].$$

(2)

• Gam₂ The difference between this game and the previous game Gam₁ is that the simulations of the Send and H queries are included in Gam₂. It is therefore treated as an active attack where A can try to fool a legitimate entity to accept an illegal message. Since all the intercepted messages Msg₁, Msg₂ and Msg₃ are constructed using random secrets α, β and timestamps T_u, T_s and T^’_u, no hash collision occurs when A makes Send query with the help of H query. The birthday paradox results provide the following result:

$$\left| {Pr\left[ {Suc{c_2}} \right] - Pr\left[ {Suc{c_1}} \right]} \right| \leqslant ~\frac{{q_{h}^{2}}}{{2\left| {Hash} \right|}}$$

(3)

• Gam₃ The simulation CorruptSmartcard is added into the Gam₃, which differs from Gam₂.A then knows the information {MID_U, E, N′, G, P,θ_U, h(.)}. stored in the smart card SC of U_i. In AKAP, a user U_i uses both password PW_U and personal biometrics BIO_U. Due to use of fuzzy extractor, guessing the biometric key σ_U∈{0, 1}^l from public reproduction parameter θ_U with the help of Rep(‧) function has the probability approximately \(\frac{1}{{{2^l}}}\) (Odelu et al. 2015). Moreover, A can try to guess low-entropy passwords using the password dictionary attacks. If we impose a restriction on the limited number of wrong password inputs in the system by A to guess correct U_i’s password PW_U, it then follows that

$$\left| {Pr\left[ {Suc{c_3}} \right] - Pr\left[ {Suc{c_2}} \right]} \right| \leqslant \frac{{{q_{send}}}}{{{2^l}.\left| {PD} \right|}}$$

(4)

• Gam₄ This is the final game, where A attempts to derive the correct session key SK shared between U_i and S. It is worth noticing that SK is calculated by both the parties U_i and S as SK = h(ID_U|| αβP || M). Now, computation of αβP from the eavesdropped αP in Msg₁ and βP in Msg₂ is equivalent to solving the intractable ECDDHP in polynomial time t. In addition, A requires secret credentials ID_U and M. Hence, we have,

$$\left| {Pr\left[ {Suc{c_4}} \right] - Pr\left[ {Suc{c_3}} \right]} \right| \leqslant ~Adv_{A}^{{ECDDHP}}\left( t \right).$$

(5)

Since all the queries are made by A, it is left only with guessing the bit c to win the game after the Test query is made by A. It follows that.

$$\left| {Pr\left[ {Suc{c_4}} \right]} \right|=~\frac{1}{2}$$

(6)

Equations (1) and (2) give the following:

$$\frac{1}{2}Adv_{A}^{{AKAP}}\left( t \right)=\left| {Pr\left[ {Suc{c_0}} \right] - \frac{1}{2}} \right|=~\left| {Pr\left[ {Suc{c_1}} \right] - \frac{1}{2}} \right|$$

(7)

Equations (6) and (7) give the following:

$$\frac{1}{2}Adv_{A}^{{AKAP}}\left( t \right)=\left| {Pr\left[ {Suc{c_1}} \right] - \frac{1}{2}} \right|=~\left| {Pr\left[ {Suc{c_1}} \right] - Pr\left[ {Suc{c_4}} \right]} \right|$$

(8)

The triangular inequality gives the following

$$\begin{aligned} & \left| {Pr\left[ {Suc{c_1}} \right] - Pr\left[ {Suc{c_4}} \right]} \right| \leqslant ~\left| {Pr\left[ {Suc{c_1}} \right] - Pr\left[ {Suc{c_2}} \right]} \right|+~\left| {Pr\left[ {Suc{c_2}} \right] - Pr\left[ {Suc{c_4}} \right]} \right| \\ \leqslant & \left| {Pr\left[ {Suc{c_1}} \right] - Pr\left[ {Suc{c_2}} \right]} \right|+~\left| {Pr\left[ {Suc{c_2}} \right] - Pr\left[ {Suc{c_3}} \right]} \right| \\ + & ~\left| {Pr\left[ {Suc{c_3}} \right] - Pr\left[ {Suc{c_4}} \right]} \right|. \\ \end{aligned}$$

(9)

From Eqs. (3), (4), (5) and (9), we get,

$$\left| {Pr\left[ {Suc{c_1}} \right] - Pr\left[ {Suc{c_4}} \right]} \right| \leqslant \frac{{q_{h}^{2}}}{{2\left| {Hash} \right|}}+\frac{{{q_{send}}}}{{{2^l}.\left| {PD} \right|}}+Adv_{A}^{{ECDDHP}}(t)$$

(10)

Equations (8) and (10) give the following result:

$$\frac{1}{2}Adv_{A}^{{AKAP}}\left( t \right) \leqslant \frac{{q_{h}^{2}}}{{2\left| {Hash} \right|}}+\frac{{{q_{send}}}}{{{2^l}.\left| {PD} \right|}}+Adv_{A}^{{ECDDHP}}\left( t \right).$$

(11)

Finally, multiplying both sides of Eq. (11) by a factor of 2, we obtain the required result:

$$Adv_{A}^{{AKAP}} \left( t \right) \le \frac{{q_{h}^{2} }}{{\left| {Hash} \right|}} + \frac{{q_{{send}} }}{{2^{{l - 1}} \cdot \left| {PD} \right|}} + 2Adv_{A}^{{ECDDHP}} \left( t \right).$$

7.2 Mutual authentication verification using BAN logic

Mutual authentication between U_i and S of the proposed protocol is proved using widely-accepted Burrows–Abadi–Needham (BAN) logic (Burrows et al. 1990).

Various notations along with their descriptions are provided in Table 2. Following four rules are used to substantiate the mutual authentication between U_i and S in the proposed protocol:

• Rule 1 Message-meaning rule: \(\frac{{R~| \equiv R\mathop \leftrightarrow \limits^{Y} S,{\text{~~~}}R~ \triangleleft ~<X{>_Y}}}{{R| \equiv S~|\sim ~X}}\)

• Rule 2 Nonce-verification rule: \(\frac{{R| \equiv {\text{~}}\# (X),\;R~| \equiv S~|\sim ~X}}{{R| \equiv S~| \equiv ~X}}\)

• Rule 3 Jurisdiction rule: \(\frac{{R~| \equiv S~| \Rightarrow X,{\text{~~~}}R~| \equiv S~| \equiv ~X}}{{R| \equiv ~X}}\)

• Rule 4 Freshness-conjuncatenation rule: \(\frac{{R~| \equiv {\text{~}}\# (X)}}{{R| \equiv {\text{~}}\# (X,Y)}}\)

The following three goals are expected to be achieved to show the mutual authentication between a node R in the cluster C_i and TM:

• Goal1 \({U_i}| \equiv {U_i}\mathop \leftrightarrow \limits^{{SK}} S\)

• Goal2 \(S| \equiv {U_i}\mathop \leftrightarrow \limits^{{SK}} S\)

• Goal3 \({U_i}| \equiv {U_i}\mathop \leftrightarrow \limits^{{MI{D_U}{\prime}}} S\)

Generic form

The generic forms of the communicated messages between U_i and S in the proposed protocol are specified below:

• M1. \(U_{i} \to S:C = \left\langle {MID_{U} ,\alpha P,T_{u} } \right\rangle _{M}\)

• M2. \(S \to U_{i} :D = \left\langle {MID_{U}^{\prime } ,~~SK,~T_{u} } \right\rangle\), where SK = h(ID_U, αβP, M)

We rewrite D as \(D = \left\langle {MID_{U}^{\prime } ,ID_{U} ,~\alpha \beta P,~T_{u} } \right\rangle _{M}\)

• M3. \(U_{i} \to S:Z = \left\langle {\beta P,~SK} \right\rangle ~\), where SK = h(ID_U, αβP, M)

We rewrite Z as \(Z = \left\langle {\beta P,~\alpha \beta P} \right\rangle _{M}\).

Idealized form

The idealized forms of the communicated messages between U_i and S in the proposed protocol are as follows:

M1. \(U_{i} \to S:\left\langle {MID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha P~}} S,T_{u} } \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\).

M2. \(~S \to \left\langle {U_{i} :U_{i} \mathop \leftrightarrow \limits^{{MID_{U}^{\prime } }} S,~ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S,T_{s} } \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\).

M3. \(U_{i} \to S:\left\langle {\beta P,ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S} \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\).

Hypotheses

The initial assumptions of the proposed protocol are as follows:

$${\text{H1}}:{U_i}| \equiv \# ({T_u}),{\text{ }}\# ({T_s})$$

$${\text{H2}}:S| \equiv \# (\beta P),{\text{ }}\# ({T_u})$$

$${\text{H3}}:{U_i}| \equiv {U_i}\mathop \leftrightarrow \limits^{M} S$$

$${\text{H4}}:S| \equiv {U_i}\mathop \leftrightarrow \limits^{M} S$$

$${\text{H5}}:{U_i}| \equiv S| \Rightarrow {U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P}} S$$

$${\text{H6}}:S| \equiv {U_i}| \Rightarrow {U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P}} S$$

$${\text{H7}}:{U_i}| \equiv S| \Rightarrow {U_i}\mathop \leftrightarrow \limits^{{MID_{U}^{{\prime}}}} S.$$

Note that the identity of user is assumed to be shared between U_i and S.

The following steps proves that the proposed protocol achieves mutual authentication between U_i and S using above hypotheses and rules

• From M1, we have, \(~{\text{S1}}:S \triangleleft \left\langle {MID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha P~}} S,T_{u} } \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\)

• From S1, H4, and Rule 1, we get, \({\text{S2}}:S| \equiv U_{i} |\sim \left\langle {MID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha P~}} S,T_{u} } \right\rangle\)

• From S2, H2, Rule 2, and Rule 4, we get, \({\text{S3}}:S| \equiv {U_i}| \equiv {U_i}\mathop \leftrightarrow \limits^{{\alpha P~}} S\)

• From M2, we have, S4: \({U_i} \triangleleft {U_i}\mathop \leftrightarrow \limits^{{MID_{U}^{{\prime}}}} S,~I{D_U},{U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P~}} S,{T_s}_{{{U_i}\mathop \leftrightarrow \limits^{M} S}}\)

• From S4, H3, and Rule 1, we have, S5: \(U_{i} \left| { \equiv S} \right|\sim \left\langle {U_{i} \mathop \leftrightarrow \limits^{{MID_{U}^{\prime } }} S,~ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S,T_{s} } \right\rangle\)

• From S5, H1, Rule 2, and Rule 4, we get, S6: \(U_{i} | \equiv ~S| \equiv \left\langle {U_{i} \mathop \leftrightarrow \limits^{{MID_{U}^{\prime } }} S,~ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S} \right\rangle\)

• From S6, H7 and Rule 3, we obtain, S7: \({U_i}| \equiv {\text{~}}{U_i}\mathop \leftrightarrow \limits^{{MID_{U}^{{\prime}}}} S\) (Goal 3)

• From S6, H5 and Rule 3, we obtain, S8: \({U_i}| \equiv {\text{~}}{U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P}} S\)

• From S8 and H3, we obtain, S9: \({U_i}| \equiv {\text{~}}{U_i}\mathop \leftrightarrow \limits^{{SK}} S\) (Goal 1) From M3, we have, S10: \(~S \triangleleft \left\langle {\beta P,ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S} \right\rangle _{{U_{i} \mathop \leftrightarrow \limits^{M} S}}\)

• From S10, H4, and Rule 1, we have, S11: \(S| \equiv U_{i} |\sim \left\langle {\beta P,ID_{U} ,U_{i} \mathop \leftrightarrow \limits^{{\alpha \beta P~}} S} \right\rangle\)

• From S11, H2, Rule 2, and Rule 4, we get S12: \(S| \equiv {\text{~}}{U_i}| \equiv {U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P}} S\)

• From S12, H6, and Rule 3, we get S13: \(S| \equiv {\text{~}}{U_i}\mathop \leftrightarrow \limits^{{\alpha \beta P}} S\)

• Finally, from S13 and H4, we obtain, S14: \(S| \equiv {U_i}\mathop \leftrightarrow \limits^{{SK}} S\) (Goal 2)

The above goals 1–3 clearly indicate the proposed scheme achieves the mutual authentication between U_i and S.

7.3 Informal security analysis

In this section, the security properties satisfied by the proposed protocol in the following propositions.

Proposition 1

The proposed protocol provides user anonymity and untraceability properties.

Proof

In the proposed protocol, user’s real identity ID_U is enciphered with server’s secret key k. In order to retrieve ID_U from MID_U = E_k(ID_U || n), k is essential which is known only to the server. Thus, the real ID_U value is available only with U_i and S. Though the users’ identity is anonymous, the chances of tracing the user still exist when other transmitting parameters are static. During the login phase, U_i sends authentication request message < MID_U, L, C, T_u> to S, where L = αP ⊕ M, C = h(MID_U || αP || M || T_u). All the parameters in the message are dynamic due to the incorporation of random numbers αand n. Hence, the proposed protocol offers user anonymity and untraceability.

Proposition 2

The proposed protocol withstands replay attack.

Proof

Consider a scenario where Ӕ tries to gain access to the system by mitigating a registered user with the previous transmitted message < MID_U, L, C, T_u>. The proposed scheme can identify it as a malicious attempt if Ӕ performs this due to the following reasons.

• Case 1: If Ӕ replays the message < MID_U, L, C, T_u>, S can classify it as a malicious attempt when it finds the condition T_u^* − T_u < ΔT is not valid. Similarly, U_i can also recognize replay attacks on < βP, D, F, T_s> using the condition T_s^* − T_s < ΔT.

• Case 2: In the mutual authentication with key-agreement phase, the server S obtains (ID_U, αP) by computing (ID_U || n) = D_k{MID_U}, αP = M ⊕ L, and stores it in its database. Note that α is a randomly generated number and varies for each session. When Ӕ sends the captured message < MID_U, L, C, T_u>, S extracts (ID_U^#, αP^#) values and compares with the stored values in the database and subsequently drops the request when it notices (ID_U^#, αP^#) == (ID_U, αP).

Proposition 3

The proposed protocol withstands privileged insider and stolen token attacks.

Proof

Assume that an insider who knows the registration information ID_U and RPW of a valid U_i turns as Ӕ, and reads the stolen smartcard information {MID_U, E, N′, G, P, θ_U, h(.)} by using power analysis methods (Kocher et al. 1999; Messerges et al. 2002; Wang and Wang 2015). Ӕ may now try to obtain some useful information such as credentials of U_i. However, Ӕ cannot succeed due to the reason described here. All the obtained parameters such as MID_U, E, N′, G, where MID_U = E_k(ID_U || n), (σ_U, θ_U) = Gen(BIO_U), E = r_u ⊕ h(σ_U), N′ = N ⊕ r, G = h(ID_U || h(PW_U || r_u)) are safeguarded using either one-way has function or symmetric encryption. In order to extract PW_U from RPW = h(PW_U || r_u)⊕ r, Ӕ requires r_u and r values. The r_u and r values are stored on the SC in association with biometrics and N values, respectively. It is impossible to obtain r_u and r without passing valid biometrics, moreover, biometrics can neither be stolen nor forged. On the other hand, guessing both r_u and r values simultaneously is impractical. In this way, the proposed protocol can resist privileged insider attacks and stolen smartcard attacks.

Proposition 4

The proposed protocol withstands password guessing attacks.

Proof

Online password guessing attacks: Ӕ may try to login using the stolen smartcard, while guessing the user’s PW_U. In order to perform this, Ӕ requires to satisfy the login condition G = h(ID_U || h(PW_U || r_u)) which entails r_u and BIO_U. Unless Ӕ passes valid BIO_U; r_u value cannot be extracted from E and consequently leads to failure of satisfying the login condition G = h(ID_U || h(PW_U || r_u)).

Offline password guessing attacks

Ӕ can attempt to guess the password using the extracted parameters {MID_U, E, N′, G, P, θ_U, h(.)} from the stolen smartcard. Note that the password PW_U is not stored on the SC in the plaintext form, but in N′ = M ⊕ h(PW_U || r_u) shielded with one-way hash function. Moreover, Ӕ needs r_u value to verify the guessed password N′ ≟ M ⊕ h(PW_U^Ӕ || r_u). However, there are no means to obtain r_u value without valid BIO_U. Thus, the proposed protocol is resistant to offline password guessing attacks.

Proposition 5

The proposed protocol is resilient against user impersonation attack.

Proof

If Ӕ wants to masquerade U_i, he/she needs to form a login message < MID_U, L, C >, where MID_U = E_k(ID_U || n), L = αP ⊕ M, C = h(MID_U || αP || M || T_u). Conversely, Ӕ can barely compute g^αmod q, but not L and C due to the unavailability of valid PW_U and BIO_U. In case if Ӕ sends captured message < MID_U, L, C, T_u>, then S can easily identify it as a replay attack and would drop the session as elaborated in replay attacks section.

Proposition 6

The proposed protocol is secure against server impersonation attack.

Proof

If Ӕ wants to masquerade S, he/she needs to construct a valid response message < βP, D, F>, where MID_U′ = E_k(ID_U || n′), SK = h(ID_U || βαP || M), F = MID_U′ ⊕ h(SK), D = h(MID_U′ || SK || T_s). Assume that Ӕ replies the message < βP^Ӕ, D^Ӕ, F^Ӕ, T_s^Ӕ>, where MID_U′^Ӕ = E_k^Ӕ(ID_U || n′), SK^Ӕ= h(ID_U^Ӕ || α^Ӕβ^ӔP || M^Ӕ), F^Ӕ= MID_U′^Ӕ ⊕ h(SK^Ӕ), D^Ӕ = h(MID_U′^Ӕ || SK^Ӕ || T_s^Ӕ). Despite the fact that U_i cannot be able to check the correctness of received MID_U′^Ӕ due to unavailability of real server’s secret key k, U_i can definitely detect it as a fake response as described here. Upon receiving the message, U_i computes SK = h(ID_U || αβ^ӔP || M), MID_U′ = F^Ӕ ⊕ h(SK), D = h(MID_U′ || SK || T_s) and verifies whether D≟D^Ӕ. It is obvious that the condition cannot hold because Ӕ has computed SK with wrong ID_U and αP, which result in h(ID_U || αβP || M) ≠ h(ID_U^Ӕ || αβ^ӔP || M^Ӕ).

Proposition 7

The proposed protocol is secure against ephemeral secret leakage (ESL) attack.

Proof

The shared session key between U_i and S during the mutual authentication and key-agreement phase is computed as SK = h(ID_U || βαP || M), where M = h(ID_U|| ID_S|| k) and k is the secret key of the server S. In the proposed protocol, the session key security (SK-security) depends on the following two cases:

• Case 1. Let the ephemeral (short term) secrets alpha and beta are leaked to an adversary A. Even then without having the long-term secrets ID_U, ID_S and k, it is computationally infeasible for Ӕ to calculate SK.

• Case 2. Let the long-term secrets ID_U, ID_S and k are revealed to Ӕ. However, without the ephemeral secrets α and β, it is difficult for Ӕ to calculate SK.

In summary, Ӕ can only calculate SK when the ephemeral secrets as well as long-term secrets are known to him/her. It is worth noticing that even if the current SK is revealed to Ӕ in a particular session, all other session keys in previous and future sessions are distinct since both long-term secrets and fresh ephemeral random nonces are applied in the construction of the session keys. Hence, the leakage of a session key will have no effect on the security of other previous and future sessions for secure communications. As a result, the proposed scheme provides forward and backward secrecy, and it also provides the SK-security. Thus, the proposed scheme protects ESL attack.

7.4 Formal security verification using AVISPA tool: simulation study

This section provides a brief overview of the AVISPA tool, the various roles implemented, and the final simulation results of the proposed protocol.

7.4.1 AVISPA overview

AVISPA is a widely-accepted push-button tool for the automated validation of Internet security-sensitive protocols and applications (Armando et al. 2005; AVISPA Team 2006). AVISPA is used to formally verify whether a cryptographic protocol is secure or vulnerable against active and passive attacks including the man-in-the-middle and replay attacks. In AVIPSA, a security protocol is implemented using HLPSL (High Level Protocols Specification Language). HLPSL is translated using HLPSL2IF translator to convert to the intermediate format (IF). IF is fed into one of the four back-ends: Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP), On-the- fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), and SAT-based Model-Checker (SATMC). The proposed protocol is simulated under the CL-AtSe and OFMC back-ends using the SPAN (Security Protocol ANimator) for AVISPA (SPAN-Security Protocol Animator for AVISPA 2016). Both back-ends are chosen for an execution test and a bounded number of sessions model checking (Basin et al. 2005).

7.4.2 Various roles implemented in HLPSL

The implementation details of the roles of user, server, session, and goal and environment are performed as evident in the Figs. 5 and 6, and provided the final results in Fig. 7.

Fig. 5

Role specification of User and Server

Fig. 6

Role specification of session, goal, and environment

Fig. 7

The result of the analysis using OFMC backend

The HLPSL specification of the basic role of user U_i is provided in Fig. 5. In this role, after receiving the start signal, it sends the registration request to the server for registration purpose, and updates its state (maintained by the variable State) from 0 to 1. Once U_i receives the smart card SC from the server S, it also changes its state from 1 to 3. During the mutual authentication and key agreement phase, U_i sends the login request to S. U_i declares a witness of freshly generated random number and timestamp T_u by the declarations witness(Ui, S, ui_s_alpha, Alpha′) and witness(Ui, S, ui_s_tu, Tu′). After that U_i receives the authentication request from S and finally, Ui also sends authentication reply to S. At the end, U_i authenticates S based on the random number and timestamp T_s by the declarations request(S, Ui, s_ui_beta, Beta’) and request(S, Ui, s_ui_ts, Ts’). Similarly, the HLPSL role specification of the sever S is also defined in Fig. 5. The roles of session, goal and environment are mandatory roles in AVISPA. In these roles, the secrecy and authentication goals need to be specified in order to check whether the protocol is safe or unsafe.

7.4.3 Analysis of simulation results

The proposed protocol is verified in following aspects as described in (Lv et al. 2013; Reddy et al. 2016):

• Executabiltiy check Here, unexpected modeling errors may sometimes cause the incomplete execution of protocol. Accordingly, the OFMC may not find an attack when the model is not able to reach the attack happening state. Thus, the executability test is indispensable in AVISPA as described in (AVISPA Team 2006).

• Replay attack check OFMC back-end offered information regarding some normal sessions between legitimate parties to the intruder. The simulation result furnished in Fig. 7 ensures that the proposed protocol can withstand replay attacks.

• Dolev-Yao model check During this check (Dolev and Yao 1983), the possibilities of man-in-the-middle attacks are also verified by the OFMC. As illustrated in simulation results (Fig. 7), the depth of search is 4, and the total number of searched nodes is 16 which require 0.04 s. Simulation results also substantiate that the proposed protocol attains the design standards and is secure against replay and man-in-the-middle attacks.

8 Performance analysis

This section summarizes the performance of the proposed protocol in terms of security properties, computational cost, and communication cost. The comparison follows between the proposed protocol and some of the recently published two-factor and three-factor protocols as depicted in the Tables 3, 4, 5 and 6.

Table 3 Comparison of security properties with two-factor authentication protocols

Table 4 Comparison of performance with two-factor authentication protocols

Table 5 Comparison of security properties with three-factor authentication protocols

Table 6 Comparison of performance with three-factor authentication protocols

To analyze the computational cost, few symbolizations are given for the comprised actions in the existing two-factor and three-factor protocols and the proposed protocol in following way: T_m: time complexity of an elliptic curve point division or multiplication operation; T_a: time complexity of an elliptic curve point addition or subtraction operation; T_f: time complexity of a symmetric key encryption or decryption function; T_h: time complexity of a one-way hash function; T_b: time complexity of a biometrics extraction function; T_e: time complexity of a modular exponentiation operation.

To analyze the communication cost, we consider 32-bits for a timestamp, 160-bits for a random number, 80-bits for a human-memorable identity, 160-bits for each co-ordinate of an elliptic curve point, 160-bit for a modular prime number operation, 160-bits for a SHA-1 output, and 128-bits key for an AES algorithm of cipher block chaining (CBC) mode.

8.1 Comparison with the two-factor authentication protocols

The security properties between Li et al. (2013), Chen et al. (2014), Jiang et al. (2015), Lu et al. (2016), Qi et al. (2017) and the proposed protocol are summarized in Table 3. It is evident from Table 3 that the proposed protocol is secure against all the renowned threats and achieves diverse features. As presented in Table 4, the proposed protocol deploys 1T_b + 13T_h + 4T_m + 2T_f, whereas Li et al., Chen et al., Jiang et al., and Lu et al., Qi et al. uses 9T_h + 7T_e + 1T_m, 9T_h + 3T_e + 3T_m, 9T_h + 5T_e + 1T_m, 9T_h + 5T_e, and 12T_h + 4T_m, respectively. The computational cost of the proposed protocol is reasonably equal or slightly higher compared to other protocols. On other hand, the proposed protocol requires more bandwidth compared to the other protocols. But, it is well worth deploying additional computations and communication cost to afford enhanced security level.

8.2 Comparison with the three-factor authentication protocols

The security properties between Yeh et al. (2013), Li et al. (2014), Wu et al. (2015), Han et al. (2016), Xie et al. (2017) and the proposed protocol are summarized in Table 5. It is evident from Table 5 that the proposed protocol is secure against all the renowned threats and achieves diverse features. As presented in Table 6, the proposed protocol deploys 1T_b + 13T_h + 4T_m + 2T_f, whereas Yeh et al., Li et al., Wu et al., Han et al., Xie et al. uses 1T_b + 2T_h + 5T_m+ 12T_a, 1T_b + 13T_h + 4T_e, 1T_b + 11T_h + 4T_m + 4T_f, 12T_h + 4T_m + 2T_f, and 1T_b + 14T_h + 4T_m + 4T_f, respectively. The computational cost of the proposed protocol is lesser than the other protocols. On other hand, the proposed protocol requires less bandwidth compared to Yeh et al., Wu et al., Han et al., Xie et al., and more bandwidth compared to Li et al.

9 Conclusion remarks

This paper aimed to study and analyze some of recently proposed two-factor authentication protocols for client–server architecture and proposed a new solution to overcome the existing pitfalls. We believe that two-factor authentication mechanisms are still vulnerable under various phenomena. Thus, we proposed a three-factor authentication mechanism which improves the security with an additional factor known as biometrics. The proposed three-factor authenticated key agreement protocol is not only secure from numerous attacks but also achieve the eminent security properties such as user anonymity, mutual authentication, biometrics deployment, perfect forward secrecy. The comparisons between the proposed protocol and the other related protocols prove that our protocol is robust and efficient.