Registration

Suppose RC is the trusted third party responsible for registration of U_i and S_j.

Login and authentication

1. U_i inserts SC_i into the terminal and inputs his identity ID_i, password PW_i and imprints his biometrics BIO_i at the sensor.
2. SC_i computes N_i = N⊕h(BIO_i) and checks $h(I{D}_i\mid \mid N_i\mid \mid P{W}_i)\stackrel{?}{=}V$. If it holds, SC_i continues to compute W₁ = h(PW_i∣∣N_i), W₂ = h(ID_i⊕N_i), B_i = X_i⊕W_i and h(PSK) = Y_i⊕W₂. Then, SC_i generates a random number n₁ and computes M₁ = h(PSK)⊕n₁, M₂ = ID_i⊕h(n₁∣∣B_i) and M₃ = h(ID_i∣∣n₁∣∣B_i). Finally, U_i sends {Z_i, M₁, M₂, M₃} to S_j.
3. When receiving the message from SC_i, S_j immediately computes A_i = Z_i⊕PSK, n₁ = M₁⊕h(PSK), ID_i = M₂⊕h(n₁∣∣h(A_i)) and checks whether $h(n_1\mid \mid B_i\mid \mid I{D}_i)\stackrel{?}{=}{M}_3$. If it is equal, S_j generates a random number n₂ and computes SK_ji = h(ID_i∣∣SID_j∣∣B_i∣∣n₁∣∣n₂), M₄ = n₂⊕h(ID_i∣∣n₁), M₅ = h(SK_ji∣∣n₁∣∣n₂). Then, S_j sends {SID_j, M₄, M₅} to SC_i.
4. SC_i first computes n₂ = M₄⊕h(ID_i∣∣n₁), SK_ij = h(ID_i∣∣SID_j∣∣B_i∣∣n₁∣∣n₂) and then checks whether h(SK_ij∣∣n₁∣∣n₂) is consistent with M₅. If it is true, SC_i computes M₆ = h(SK_ij∣∣n₁∣∣n₂) and delivers it to S_j.
5. S_j verifies the verification condition $M_6\stackrel{?}{=}h(S{K}_{ji}\mid \mid n_1\mid \mid n_2)$. If this verification holds, S_j can now use the keys SK_ji to communicate with U_i securely.

Password updating

U_i inputs his ID_i, PW_i and imprints his biometrics BIO_i at the sensor. SC_i computes N_i = N⊕h(BIO_i) and checks $h(I{D}_i\mid \mid N_i\mid \mid P{W}_i)\stackrel{?}{=}V$. If SC_i determines that they are equal, then U_i can key the new password $P{W}_i^{new}$. Subsequently, SC_i computes $W_1^{new}=h(P{W}_i^{new}\mid \mid N_i),X_i^{new}=X_i\oplus W_1\oplus W_1^{new},V_i^{new}=h(I{D}_i\mid \mid N_i\mid \mid P{W}_i^{new})$ and replaces X_i and V_i with $X_i^{new}$ and $V_i^{new}$, respectively.

Not withstanding the replay attack

Suppose an adversary 𝓐 has intercepted a past login message {Z_i, M₁, M₂, M₃}. He is able to launch a replay attack and login to the server by resending the eavesdropped message {Z_i, M₁, M₂, M₃} to S_j. In other words, the adversary without running the “Login phase”, sends the eavesdropped message {Z_i, M₁, M₂, M₃} to S_j. In the “Login and authentication”, upon receiving the message {Z_i, M₁, M₂, M₃}, S_j computes A_i = Z_i⊕PSK, n₁ = M₁⊕h(PSK), ID_i = M₂⊕h(n₁∣∣h(A_i)), $M_3^{\prime }=h(n_1\mid \mid B_i\mid \mid I{D}_i)$ and checks whether $M_3^{\prime }$ is equal to the received M₃ or not. Since M₃ and $M_3^{\prime }$ are equal, S_j will authenticate 𝓐 and 𝓐 will be able to login to S_j. Thus, 𝓐 can easily login to S_j by re-sending an old login message. Since S_j does not check the freshness of the received login message {Z_i, M₁, M₂, M₃} and authenticate U_i in (3) of the “Login and authentication”, S_j will not be able to discover replay attack.

Incorrect password change phase

The user U_i inserts his smart card into a card reader and enters his identity ID_i, password PW_i and imprints his personal biometric BIO_i at the sensor corresponding to his smart card. Then smart card computes N_i = N⊕h(BIO_i), $V_i^{\prime }=h(I{D}_i\mid \mid N_i\mid \mid P{W}_i)$ and compares $V_i^{\prime }$ with the stored value of V in its memory to verify the legitimacy of U_i. Once the authenticity of cardholder is verified then U_i can instruct smart card to change his password. Afterwards, smart card asks the cardholder to resubmit a new password $P{W}_i^{new}$, then X_i = B_i⊕h(PW_i∣∣N_i) and V = h(ID_i∣∣N_i∣∣PW_i) stored in the smart card can be updated with $X_i^{new}=X_i\oplus W_1\oplus W_1^{new}$ and $V_i^{new}=h(I{D}_i\mid \mid N_i\mid \mid P{W}_i^{new})$, where $W_1^{new}=h(P{W}_i^{new}\mid \mid N_i)$. The $X_i^{new}$ value contains older password PW_i in h(PW_i∣∣N_i). Therefore, the modified $X_i^{new}$ is not correct.

Registration

1. U_i keys his biometrics BIO_i, identity ID_i and password PW_i. Then, U_i sends {ID_i, h(PW_i∣∣H(BIO_i))} to RC.
2. Upon receiving the message from U_i, RC computes X_i = h(ID_i∣∣x), V = h(ID_i∣∣h(PW_i∣∣H(BIO_i))). Then, RC stores {X_i, V_i, h(PSK)} into a smart card and submits them to U_i.
3. U_i computes Y_i = h(PSK)⊕y, and replaces h(PSK) with Y_i. Finally, the smart card stores the values of {X_i, Y_i, V_i, h(⋅)}.

Login and authentication

1. U_i inserts his smart card into device and enters his identity ID_i, password PW_i and biometrics BIO_i. Then, the smart card validates whether V_i = h(ID_i∣∣h(PW_i∣∣H(BIO_i))) is equal to the stored V. If it holds, the smart card generates a random number n₁ and computes K = h((y⊕Y_i)∣∣SID_j), M₁ = K⊕ID_i, M₂ = n₁⊕K, M₃ = h(PW_i∣∣H(BIO_i))⊕K, Z_i = h(B_i∣∣n₁∣∣h(PW_i∣∣H(BIO_i))∣∣T₁). Finally, U_i submits {Z_i, M₁, M₂, M₃, T₁} to S_j, where T₁ is the current timestamp.
2. Upon receiving the message from U_i, S_j first checks whether T_c−T₁ ≤ ΔT and then computes K = h(SID_j∣∣h(PSK)) by using a secure pre-shared key PSK. Then, S_j retrieves ID_i = M₁⊕K, n₁ = M₂⊕K, h(PW_i∣∣BIO_i) = M₃⊕K. Now, S_j computes X_i = h(ID_i∣∣x) and verifies whether $h(X_i\mid \mid n_1\mid \mid h(P{W}_i\mid \mid H(BI{O}_i)))\stackrel{?}{=}{Z}_i$. If it holds, S_j generates a random number n₂ and computes SK_ji = h(n₁∣∣n₂∣∣K∣∣X_i), M₄ = n₂⊕h(n₁∣∣h(PW_i∣∣H(BIO_i))∣∣X_i), M₅ = h(ID_i∣∣n₁∣∣n₂∣∣K∣∣T₂). Then, S_j sends back authentication message {M₄, M₅, T₂} to U_i, where T₂ is the current timestamp.
3. After checking the freshness of T₂, U_i first computes n₂ = M₄⊕h(n₁∣∣h(PW_i∣∣H(BIO_i))∣∣X_i) and then verifies whether h(ID_i∣∣n₁∣∣n₂∣∣K) is equal to the received M₅. If they are equal, U_i computes the common session key SK_ij = h(n₁∣∣n₂∣∣K∣∣X_i) and sends {M₆ = h(SK_ij∣∣ID_i∣∣n₂∣∣T₃), T₃} to S_j, where T₃ is the current timestamp.
4. S_j verifies the freshness T₃ and the correctness of M₆ by using SK_ji. If they do not hold, S_j stops the execution; Otherwise, S_j confirms the common session key SK_ji with U_i.

Password updating

U_i first inputs his smart card into the device and provides his identity ID_i, password PW_i and biometrics BIO_i. Then, the smart card validates whether V_i = h(ID_i∣∣h(PW_i∣∣H(BIO_i))) is equal to the stored V_i. If they are not equal, the smart card refuses the request; Otherwise, U_i keys in the new password $P{W}_i^{new}$. Finally, the smart card computes $V_i^{new}=h(I{D}_i\mid \mid h(P{W}_i^{new}\mid \mid H(BI{O}_i)))$ and replaces V_i by $V_i^{new}$.

Verifying the proposed scheme with BAN logic

BAN logic [24] is a set of rules for defining and analyzing information exchange schemes. It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. It has been highly successful in analyzing the security of authentication schemes. First, we introduce some notations and logical postulates of BAN logic in Table 2.

1. BAN logical postulates
   1. Message-meaning rule: $\frac{A\mid \equiv A\stackrel{K}{\leftrightarrow }B,A⊲<X{>}_K}{A\mid \equiv \mid B\sim X}$: if A believes that the key K is shared by A and B, and sees X encrypted with K, then A believes that B once said X.
   2. Fresh conjuncatenation rule: $\frac{A\mid \equiv \#(X)}{A\mid \equiv \#(X,Y)}$: if A believes freshness of X, then A believes freshness of the (X, Y).
   3. Belief rule: $\frac{A\mid \equiv X,A\mid \equiv Y}{A\mid \equiv (X,Y)}$: if A believes X and Y, then A believes (X, Y).
   4. Nonce-verification rule: $\frac{A\mid \equiv \#(X),A\mid \equiv B\mid \sim X}{A\mid \equiv B\mid \equiv X}$: if A believes that X could have been uttered only recently and that B once said X, then A believes that B believes X.
   5. Jurisdiction rule: $\frac{A\mid \equiv B\Rightarrow X,A\mid \equiv B\mid \sim X}{A\mid \equiv X}$: if A believes that B has jurisdiction over X and A trusts B on the truth of X, then A believes X.
2. Establishment of security goals
   $g_1.S_j\mid \equiv U_i\mid \equiv U_i\stackrel{S{K}_{ij}}{\leftrightarrow }{S}_j$
   $g_2.S_j\mid \equiv U_i\stackrel{S{K}_{ij}}{\leftrightarrow }{S}_j$
   $g_3.U_i\mid \equiv S_j\mid \equiv U_i\stackrel{S{K}_{ji}}{\leftrightarrow }{S}_j$
   $g_4.U_i\mid \equiv U_i\stackrel{S{K}_{ji}}{\leftrightarrow }{S}_j$
3. Idealized scheme
   $U_i:<n_1,I{D}_i,h(P{W}_i\Vert H(BI{O}_i)){>}_K,{(n_1,X_i,T_1)}_{h(P{W}_i\Vert H(BI{O}_i))},{(n_2,U_i\stackrel{S{K}_{ij}}{\leftrightarrow }{S}_j,T_3)}_{I{D}_i}$
   S_j: < n₁, X_i, h(PW_i∣∣H(BIO_i)) > n₂, (ID_i, n₁, n₂, T₂)_K
4. Initiative premises
   p₁. U_i∣ ≡ #n₁ p₂. U_i∣ ≡ S_j ⇒ #n₂ p₃. S_j∣ ≡ #n₁ p₄. S_j∣ ≡ #n₂
   $p_5.S_j\mid \equiv U_i\stackrel{K}{\leftrightarrow }{S}_j{p}_6.U_i\mid \equiv U_i\stackrel{K}{\leftrightarrow }{S}_j$
   p₇. U_i∣ ≡ ID_i p₈. S_j∣ ≡ U_i ⇒ h(PW_i∣∣BIO_i)
   p₉. S_j∣ ≡ U_i ⇒ ID_i p₁₀. U_i∣ ≡ S_j ⇒ X_i
   p₁₁. $S_j\mid \equiv U_i\Rightarrow U_i\stackrel{S{K}_{ij}}{\leftrightarrow }{S}_j{p}_{12}$. $U_i\mid \equiv S_j\Rightarrow U_i\stackrel{S{K}_{ij}}{\leftrightarrow }{S}_j$
5. Scheme analysis
   a₁. By p₅ and S_j⊲ < n₁, ID_i, h(PW_i∣∣BIO_i) > K, we apply the message-meaning rule to derive: S_j∣ ≡ U_i∣ ∼ (n₁, ID_i, h(PW_i∣∣H(BIO_i)))
   a₂. By a₁ and p₃, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: S_j∣ ≡ U_i∣ ≡ (n₁, ID_i, h(PW_i∣∣H(BIO_i)))
   a₃. By a₂, p₃ and p₈, we apply the belief rule and the jurisdiction rule to derive: S_j∣ ≡ ID_i
   a₄. By a₃ and $S_j⊲{(n_2,U_i\stackrel{S{K}_{ij},}{\leftrightarrow }{S}_j,T_3)}_{I{D}_i}$, we apply the message-meaning rule to derive: $S_j\mid \equiv U_i\mid \sim (n_2,U_i\stackrel{S{K}_{ij}}{\leftrightarrow }{S}_j,T_3)$
   a₅. By p₄ and a₄, we apply the fresh conjuncatennation rule and the nonce-verification rule to derive: $S_j\mid \equiv U_i\mid \equiv (n_2,U_i\stackrel{S{K}_{ij}}{\leftrightarrow }{S}_j,T_3)$
   g₁. By a₅, we apply the belief rule to derive: $S_j\mid \equiv U_i\mid \equiv U_i\stackrel{S{K}_{ij}}{\leftrightarrow }{S}_j$
   g₂. By g₁ and p₁₁, we apply the jurisdiction rule to derive: $S_j\mid \equiv U_i\stackrel{S{K}_{ij}}{\leftrightarrow }{S}_j$
   a₆. By p₆ and U_i⊲(ID_i, n₁, n₂, T₂)_K, we apply the message-meaning rule to derive: U_i∣ ≡ S_j∣ ∼ (ID_i, n₁, n₂, T₂)
   a₇. By p₂ and a₉, we apply the fresh conjuncatenation rule and the nonce-verification rule to derive: U_i∣ ≡ S_j∣ ≡ (ID_i, n₁, n₂, T₂)
   a₈. By a₇, we apply the belief rule to derive: U_i∣ ≡ S_j∣ ≡ n₂
   a₉. By p₂ and a₈, we apply the jurisdiction rule to derive: U_i∣ ≡ n₂
   a₁₀. By a₉ and U_i⊲ < n₁, X_i, h(PW_i∣∣BIO_i) > n₂, we apply the message-meaning rule to derive: U_i∣ ≡ S_j∣ ∼ (n₁, X_i, h(PW_i∣∣BIO_i))
   a₁₁. By a₁₀ and p₁, we apply the fresh conjuncatennation rule and the nonce-verification rule to derive: U_i∣ ≡ S_j∣ ≡ (n₁, X_i, h(PW_i∣∣BIO_i))
   g₃. By p₁, p₃, p₄, p₆, a₁₁ and SK_ji = h(n₁∣∣n₂∣∣K∣∣X_i), we apply the fresh conjuncatennation rule and the nonce-verification rule to derive: $U_i\mid \equiv S_j\mid \equiv U_i\stackrel{S{K}_{ji}}{\leftrightarrow }{S}_j$
   g₄. By g₃ and p₁₂, we apply the jurisdiction rule to derive: $U_i\mid \equiv U_i\stackrel{S{K}_{ji}}{\leftrightarrow }{S}_j$

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. BAN logic notations.

https://doi.org/10.1371/journal.pone.0126323.t002

Informal security analysis

This subsection verifies whether the proposed scheme is secure against various kinds of known attacks. We assume that a malicious adversary 𝓐 has totally supervised the communication channel in login and session key establishment phases. In other words, 𝓐 has the capacity to intercept, insert, delete, refresh or update any information delivered between U_i and S_j [6].

Formal security analysis of the proposed scheme

This subsection presents the formal security analysis of our scheme and shows that it is secure. For this, we first define the following hash function [26].

Definition 1. A secure one-way hash function h:{0, 1}* → {0, 1}ⁿ, which takes an input as an arbitrary length binary string x ∈ {0,1}* and outputs a binary string h(x) ∈ {0,1}ⁿ and satisfies the following requirements: a. Given y ∈ Y, it is computationally infeasible to find an x ∈ X such that y = h(x); b. Given x ∈ X, it is computationally infeasible to find another x′ ≠ x ∈ X, such that h(x′) = h(x); c. It is computationally infeasible to find a pair (x′, x) ∈ X′ × X, with x′ ≠ x, such that h(x′) = h(x).

Theorem 1. Under the assumption that the one-way hash function h(⋅) closely behaves like an oracle, then our scheme is provably secure against an attacker 𝓐 for protecting user’s personal information including identity ID_i, password PW_i and biometrics BIO_i, sever’s private key x and PSK.

Proof. The formal security proof of our scheme is similar to that as in [27–28]. Using the following oracle to construct 𝓐 who will have the ability to derive the user’s ID_i, password PW_i, biometrics BIO_i, sever’s private key x and PSK.

Reveal: This random oracle will unconditionally output the input x from the given hash value y = h(x).

𝓐 runs the experimental algorithm showed in Table 3, $EX{P}_{HASH,𝓐}^{BAKASSCMSE}$ for our biometrics based authentication and key agreement scheme using smart cards for multi-server environments, say BAKASSCMSE.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Algorithm .

https://doi.org/10.1371/journal.pone.0126323.t003

Define the success probability for $EX{P}_{HASH,𝓐}^{BAKASSCMSE}$ is $Suc{c}_{HASH,𝓐}^{BAKASSCMSE}=\mid Pr[EX{P}_{HASH,𝓐}^{BAKASSCMSE}=1]-1\mid$ and the advantage function for this experiment then becomes $Ad{v}_{HASH,𝓐}^{BAKASSCMSE}(t,q_R)=ma{x}_{𝓐}\backslash Suc{c}_{HASH,𝓐}^{BAKASSCMSE}$, where the maximum is taken over all 𝓐 with execution time t and the number of queries q_R made to the Reveal oracle. Consider the experiment showed in Table 3 for 𝓐. If 𝓐 has the ability to solve the hash function problem provided in Definition 1, then he can directly derive U_i’s identity ID_i, password PW_i, biometrics BIO_i, and S_j’s private key x and PSK. In this case, 𝓐 will discover the complete connections between U_i and S_j. However, it is a computationally infeasible problem to invert the input from a given hash value, i.e., $Ad{v}_{HASH,𝓐}^{BAKASSCMSE}(t)\le ϵ$, ∀ϵ > 0. Hence, we have $Ad{v}_{HASH,𝓐}^{BAKASSCMSE}(t,q_R)\le ϵ$, since $Ad{v}_{HASH,𝓐}^{BAKASSCMSE}(t,q_R)$ depends on $Ad{v}_{HASH,𝓐}^{BAKASSCMSE}(t)$. As a result, there is no way for 𝓐 to discover the complete connections between U_i and S_j and our scheme is provably secure against an adversary for deriving (ID_i, PW_i, BIO_i, x, PSK).