
Cryptanalysis and Improvement of a Biometric-Based Multi-Server Authentication and Key Agreement Scheme

Chengqi Wang, Xiao Zhang, Zhiming Zheng

Affiliation: Key Laboratory of Mathematics, Informatics and Behavioral Semantics, Ministry of Education, and School of Mathematics and Systems Science, Beihang University, Beijing 100191, China

Corresponding authors: 09621@buaa.edu.cn (XZ); zzheng@pku.edu.cn (ZMZ)

Abstract

As the security requirements of networks grow, biometric-based authentication schemes for the multi-server environment become more important and more widely deployed. In this paper we propose a biometric-based multi-server authentication and key agreement scheme that is built on our cryptanalysis of Mishra et al.'s scheme. Informal and formal security analyses of the scheme are given and show that it satisfies the desirable security requirements. The scheme also provides functionality that most existing authentication schemes do not consider, such as user revocation or re-registration and protection of biometric information. Compared with several related schemes, ours has more security properties and a lower computation cost, which makes it more appropriate for practical use in remote distributed networks.

Introduction

With the rapid development of the Internet, advances in information and communication technology have raised the quality of online services in distributed networks, which serve users in many areas such as online medicine, online education, online shopping and Internet banking [1, 2]. Because users and servers interact over a public channel, the design and analysis of secure and efficient authentication schemes has received considerable attention [3]. Since the first such scheme was proposed by Lamport, a great number of authentication schemes providing authorized communication between remote entities have been presented [4–9]. According to the evidence used for authentication, existing schemes fall into two categories: certificate-based and identity-based [10–16]. The former requires high computation cost and large storage space to manage the certificate store. Even when elliptic curve cryptography is introduced, certificate management is not simplified, so certificate-based schemes are unacceptable for real-time applications such as multimedia and video conferencing. To solve these problems, Shamir proposed an identity-based public key cryptosystem [17], but the integer factorization problem on which Shamir's scheme rests is difficult to implement efficiently [18]. Other identity-based schemes based on pairing operations or elliptic curves have since been presented [19–24]; most of them are inefficient because of their complicated structure [25–28]. Therefore, secure identity-based authentication schemes that use only random numbers and hash functions are regarded as the best design for mobile users and real-time applications.

Furthermore, identity-based authentication schemes have security vulnerabilities when passwords and tokens are compromised [29–35]. In particular, users find it difficult to remember long random passwords, and short passwords have low entropy and are easily broken by simple dictionary attacks. It is also feasible to extract the information stored in a smart card by side-channel attacks such as SPA or DPA [36]. To address these problems, many researchers have combined biometrics, passwords and tokens to strengthen authentication schemes [37–39]. The uniqueness of biometrics makes it difficult for an adversary to forge biometric information [40, 41], and users do not need to remember them. In practice, however, the biometric characteristics imprinted by a user are not exactly the same every time, so using them directly leads to a low acceptance rate for valid users [42]. Since rejecting authorized users significantly harms the availability of a scheme, we introduce a fuzzy extractor, a mechanism that is convenient to implement in a smart card, to reduce the probability of rejection effectively [43, 44].

Meanwhile, conventional authentication schemes are not suitable for the multi-server environment [45, 46]. When single-server authentication schemes are adopted there, users must register repeatedly to log in to different remote servers and must remember different identities and passwords for each server, which hinders the adoption of large network-based applications. With the assistance of a registration center, a single registration lets the remote distributed system grant users access to resources efficiently and conveniently, an important consideration in the multi-server architecture. The authentication mechanism must also achieve a higher level of security in the multi-server environment [47]. Many multi-server authentication schemes have defects because users apply the same identity and password to log in to different servers [48–50], which gives adversaries the opportunity to trace legal users and typically makes the schemes vulnerable to insider, masquerade and server spoofing attacks. For example, Chuang and Chen [51] proposed an anonymous multi-server authenticated key agreement scheme in 2014 and claimed that it supported multiple servers and met various security requirements. However, Choi et al. [52] showed that Chuang and Chen's scheme was vulnerable to the smart card attack, user impersonation attack, masquerade attack and DoS attack, and that it did not achieve perfect forward secrecy. To be secure and efficient, an authentication scheme for the multi-server environment should meet the following requirements: 1) the registration center should not take part in the authentication phase, to avoid a bottleneck, 2) multiple secret keys should not be required in the smart card, to limit storage, 3) servers can easily be added later, and 4) the involved servers need not all be trusted [3]. Thus, further work on authenticated key agreement schemes for the multi-server setting is needed.

Recently, Mishra et al. [53] proposed a user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards, intended for expert systems that require anonymous authentication in a multi-server environment. Expert systems, which emulate the decision-making capabilities of human experts, have applications such as security auditing and network management. Mishra et al. claimed that their scheme satisfies all security attributes. Unfortunately, according to the cryptanalysis given in this paper, their scheme does not resist the masquerade attack, the replay attack or the Denial-of-Service (DoS) attack, and it fails to achieve perfect forward secrecy. In addition, most existing authentication schemes, theirs included, have no revocation or re-registration phase. To solve these problems, we propose a robust biometric-based multi-server authentication and key agreement scheme. Our scheme improves Mishra et al.'s scheme and satisfies the desirable security requirements. It also provides anonymity, mutual authentication, session key agreement, perfect forward secrecy, user revocation or re-registration, and protection of biometric information. Comparison results show that our scheme has more security properties, more functionality and a lower computation cost, which makes it more appropriate for practical use in remote distributed networks.

The remainder of the paper is organized as follows. The next section briefly introduces the threat assumptions, the fuzzy extractor and the one-way collision-resistant hash function adopted in our scheme. Section 3 reviews Mishra et al.'s scheme. Section 4 discusses the weaknesses of Mishra et al.'s scheme. Section 5 describes the proposed scheme in detail. Section 6 provides the security, functionality and performance analysis of our scheme. The last section concludes the paper.

Preliminaries

In this section, we describe the threat assumptions, the fuzzy extractor and the one-way collision-resistant hash function used in our scheme.

Threat assumptions

In this paper, we adopt the Dolev-Yao threat model [54] and additionally consider the risk of side-channel attacks [55]. The threat assumptions are as follows:

  1. Adversary E eavesdrops on all communication between user and server over the public channel.
  2. Adversary E can modify, delete, resend and reroute the eavesdropped messages.
  3. Adversary E may be a malicious registered user or an outsider.
  4. Adversary E can extract the sensitive information stored in a lost or stolen smart card by examining its power consumption.

Fuzzy extractor

A fuzzy extractor consists of two procedures (Gen, Rep), illustrated in Fig 1.

Gen is a probabilistic generation procedure that takes a biometric input BIO and outputs a nearly random binary string R ∈ {0, 1}l together with an auxiliary (public) binary string P ∈ {0, 1}*. Rep is a deterministic reproduction procedure that recovers R from a fresh biometric reading BIO* with the assistance of the auxiliary string P. If Gen(BIO) → 〈R, P〉 and dis(BIO, BIO*) ≤ t, then Rep(BIO*, P) = R; otherwise Rep gives no guarantee. This error tolerance makes it possible to recover the nearly uniform randomness R from a biometric input BIO* as long as it remains reasonably close to the original input BIO. More details about fuzzy extractors are given in [43, 44].
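The following is an added example, not code from this paper or from [43, 44]: a toy fuzzy extractor (Gen, Rep) built from the code-offset secure sketch with a 3-fold repetition code. The auxiliary string P is the sketch plus a public extractor seed, and R is obtained by keyed hashing of the recovered template (a practical stand-in for the strong extractor). The template length of 48 bits, the repetition factor and the use of HMAC-SHA-256 are assumptions of this example; a deployment would use a real error-correcting code over a feature vector, but the structure of Gen and Rep is the same. The tolerance here is per code block (at most one flipped bit among each group of three), which is the form the guarantee dis(BIO, BIO*) ≤ t takes for this code.

```python
import hashlib
import hmac
import secrets

# Added example, not the paper's own construction. Parameters are assumptions:
REP = 3                        # repetition factor of the code
T_PER_BLOCK = (REP - 1) // 2   # errors corrected per REP-bit block (1 here)


def _encode(data_bits):
    """Repetition-code encoder: each data bit is copied REP times."""
    return [b for b in data_bits for _ in range(REP)]


def _decode(codeword):
    """Majority-vote decoder: corrects up to T_PER_BLOCK errors per block."""
    return [1 if sum(codeword[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(codeword), REP)]


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _extract(template_bits, seed):
    """R = Ext(BIO; seed): keyed hash of the template under a public seed."""
    return hmac.new(seed, bytes(template_bits), hashlib.sha256).digest()


def gen(bio_bits):
    """Gen(BIO) -> (R, P). bio_bits: enrolled template, list of 0/1, length
    a multiple of REP. P = (sketch, seed) is public; R is the secret output."""
    assert len(bio_bits) % REP == 0
    data = [secrets.randbits(1) for _ in range(len(bio_bits) // REP)]
    codeword = _encode(data)              # random codeword c
    sketch = _xor(bio_bits, codeword)     # SS(BIO) = BIO xor c
    seed = secrets.token_bytes(16)
    return _extract(bio_bits, seed), (sketch, seed)


def rep(bio_star_bits, P):
    """Rep(BIO*, P): decode BIO* xor sketch back to c, recover BIO = sketch xor c,
    then re-derive R. Equals gen's R iff the per-block error bound holds."""
    sketch, seed = P
    noisy_codeword = _xor(bio_star_bits, sketch)    # c xor (BIO xor BIO*)
    codeword = _encode(_decode(noisy_codeword))     # corrected c
    recovered = _xor(sketch, codeword)              # enrolled BIO
    return _extract(recovered, seed)


def within_tolerance(bio_bits, bio_star_bits):
    """True iff every REP-bit block differs in at most T_PER_BLOCK positions."""
    diff = _xor(bio_bits, bio_star_bits)
    return all(sum(diff[i:i + REP]) <= T_PER_BLOCK
               for i in range(0, len(diff), REP))


if __name__ == "__main__":
    # Constructed sample template (48 bits), not real biometric data.
    enrolled = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1] * 4
    R, P = gen(enrolled)
    reading = list(enrolled)
    for pos in (0, 7, 46):          # one flipped bit in three different blocks
        reading[pos] ^= 1
    print("close reading recovers R:", rep(reading, P) == R)
    bad = list(enrolled)
    bad[3] ^= 1
    bad[4] ^= 1                     # two flips in one block: beyond tolerance
    print("far reading recovers R:", rep(bad, P) == R)
```

In the scheme below, Pi plays the role of the public string stored on the smart card and Ri is the high-entropy value that replaces the raw biometric inside RPWi; only P ever needs to be stored, and R is never written to the card.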

One-way collision-resistant hash function

A one-way collision-resistant hash function h : {0, 1}* → {0, 1}n is a deterministic algorithm that maps a binary string of arbitrary length to a fixed-length binary string of n bits [56]. It is computationally infeasible to recover the input x from a given hash value and the function, which is the one-way property. A hash function also has weak and strong collision resistance: for a given input x, finding any input y ≠ x with h(x) = h(y) is computationally infeasible (weak); finding any pair (x, y) with x ≠ y such that h(x) = h(y) is computationally infeasible (strong). The best-known example is SHA-1; however, Manuel showed in 2011 that SHA-1 is insecure against collision attacks [57], so we use SHA-2 as the secure hash function in our scheme.

Review of Mishra et al.’s scheme

Recently, Mishra et al. proposed a biometric-based multi-server key agreement scheme using smart cards that aims at lightweight authentication and user anonymity. The scheme has five phases: server registration, user registration, login, authentication and password change. RC is a trusted third party responsible for registering users and servers. Table 1 lists the notation used in their scheme.

Table 1. Symbols and notions in Mishra et al.’s scheme.

https://doi.org/10.1371/journal.pone.0149173.t001

Server registration phase

  1. The server Sj sends a join message to the RC.
  2. After receiving the join message, RC replies with the pre-shared key PSK to the server Sj through a secure channel.
  3. Upon receiving PSK, the authorized server Sj uses this key to authenticate legitimate users.

User registration phase

  1. The new user Ui selects an identity IDi and a password PWi. Ui then generates a random number Ni, computes W1 = h(PWi||Ni) and W2 = h(IDi ⊕ Ni), and sends the registration request message {IDi, W1, W2} to RC via a secure channel.
  2. After receiving the registration request, RC computes Ai = h(IDi||x||Tr), Bi = h(Ai), Xi = Bi ⊕ W1, Yi = h(PSK) ⊕ W2 and Zi = PSK ⊕ Ai, where Tr is the registration time. RC then issues the smart card SCi containing {Xi, Yi, Zi, h(⋅)} to the user Ui via a secure channel.
  3. Upon receiving SCi, Ui imprints the personal biometrics BIOi at the sensor and computes N = Ni ⊕ H(BIOi) and V = h(IDi||Ni||PWi). Finally, Ui stores {Xi, Yi, Zi, N, V, h(⋅)} in SCi.

Login phase

  1. Ui inserts SCi into the smart card reader, inputs the identity IDi and password PWi, and imprints the biometrics BIOi at the sensor.
  2. SCi computes Ni = N ⊕ H(BIOi) and checks whether h(IDi||Ni||PWi) = V holds. If it does, SCi further computes W1 = h(PWi||Ni), W2 = h(IDi ⊕ Ni), Bi = Xi ⊕ W1 and h(PSK) = Yi ⊕ W2.
  3. SCi generates a random number n1 and computes M1 = h(PSK) ⊕ n1, M2 = IDi ⊕ h(n1||Bi) and M3 = h(IDi||n1||Bi).
  4. Ui sends the login request message {Zi, M1, M2, M3} to Sj over a public channel.

Authentication phase

  1. On receiving the login request message from SCi, Sj computes Ai = Zi ⊕ PSK, Bi = h(Ai), n1 = M1 ⊕ h(PSK) and IDi = M2 ⊕ h(n1||Bi), and verifies whether h(IDi||n1||Bi) equals M3. If the verification holds, Sj generates a random number n2 and computes the session key SKji = h(IDi||SIDj||Bi||n1||n2), M4 = n2 ⊕ h(IDi||n1) and M5 = h(SKji||n1||n2). Sj then sends the authentication request message {SIDj, M4, M5} to SCi over a public channel.
  2. Upon receiving the authentication request, SCi computes n2 = M4 ⊕ h(IDi||n1) and SKij = h(IDi||SIDj||Bi||n1||n2), and checks whether h(SKij||n1||n2) = M5 holds. If it does, SCi computes M6 = h(SKij||n2||n1) and delivers the authentication reply {M6} to Sj over a public channel.
  3. Sj verifies whether h(SKij||n2||n1) = M6 holds. If so, Sj uses the session key SKij to communicate with Ui.

Password change phase

  1. Ui inputs IDi and PWi and imprints the biometrics BIOi at the sensor. SCi computes Ni = N ⊕ H(BIOi) and checks whether h(IDi||Ni||PWi) = V holds.
  2. If the verification holds, Ui chooses the new password . SCi computes W1 = h(PWi||Ni), , and .
  3. SCi replaces Xi with and Vi with in its memory.

Cryptanalysis of Mishra et al.’s scheme

This section presents a cryptanalysis of Mishra et al.'s scheme and shows that it is vulnerable to the masquerade attack, the replay attack and the Denial-of-Service attack, and that it fails to achieve perfect forward secrecy. Furthermore, Mishra et al.'s scheme provides no revocation/re-registration functionality.

Masquerade attack

Mishra et al.'s scheme is vulnerable to the masquerade attack. Specifically, adversary E can be authenticated by another server Sk using the messages that user Ui sends to server Sj. Fig 2 shows the masquerade attack on Mishra et al.'s scheme.

Fig 2. The masquerade attack on Mishra et al.’s scheme.

https://doi.org/10.1371/journal.pone.0149173.g002

First, Ui inserts the smart card and sends the login request message (1) to Sj when he wants to be authenticated by Sj. After intercepting it, E forwards it to another server Sk. Message (1) = {Zi, M1, M2, M3} contains nothing that identifies Sj, where Zi = PSK ⊕ h(IDi||x||Tr), M1 = h(PSK) ⊕ n1, M2 = IDi ⊕ h(n1||Bi) and M3 = h(IDi||n1||Bi). Therefore Sk executes operation (2) and sends the authentication request message (3) to E without any suspicion of the attack.

Then E forwards message (3) = {SIDk, M4, M5} to Ui, where M4 = n2 ⊕ h(IDi||n1), M5 = h(SKki||n1||n2) and SKki = h(IDi||SIDk||Bi||n1||n2). Ui does not check the identity of the server; he only checks that the SIDk used inside M5 matches the SIDk carried in message (3). So Ui executes operation (4) and sends the authentication reply message (5), intended for Sj, without any suspicion of the attack.

Finally, E intercepts message (5) and forwards it to Sk, and E is thereby authenticated by Sk. In conclusion, adversary E can masquerade as a legitimate user to log in to server Sk, so Mishra et al.'s scheme is vulnerable to the masquerade attack.

In their scheme, Sk cannot check whether Ui wants to be authenticated by Sk, so Sk accepts every well-formed login message even if it was not sent to Sk. Similarly, Ui does not check whether the replying server is the one he intended; he only checks that the SID in message (3) and the SID inside M5 agree.

To close this gap, the destination of each message must be bound into the login request message (1) and the authentication request message (3). We therefore add SIDj of server Sj to message (1), expressing that Ui wants to be authenticated by Sj and not Sk, and add the anonymous identity AIDi of user Ui to message (3), expressing that Sj wants to be authenticated by the anonymous user Ui.

Replay attack

Mishra et al.'s scheme is likewise vulnerable to the replay attack. Adversary E logs in to server Sj by resending a previous login request message (1), {Zi, MP1, MP2, MP3}. Upon receiving it, Sj computes Ai = Zi ⊕ PSK, n1 = MP1 ⊕ h(PSK) and IDi = MP2 ⊕ h(n1||h(Ai)), and verifies whether h(IDi||n1||Bi) = MP3 holds, without any suspicion of the attack. Since the verification holds, Sj authenticates E and E is logged in to Sj. Thus Mishra et al.'s scheme is vulnerable to the replay attack.

In their scheme, Sj does not check the freshness of the login request message, so it accepts every legitimate login request message even if it is not fresh.

As a practical countermeasure, adding a timestamp to message (1) lets server Sj verify the freshness of the login request.

Denial-of-Service attack

Although the means and targets vary, a DoS attack is generally an attempt to make a machine or network resource unavailable to its intended users by temporarily or indefinitely interrupting the services of a host connected to the network. In Mishra et al.'s scheme, an adversary E can carry out a DoS attack without difficulty. Fig 3 describes the procedure and effect of the DoS attack on Mishra et al.'s scheme.

In particular, E collects a previous login request message {Zi, MP1, MP2, MP3} from user Ui and forwards it to server Sj. Upon receiving it, Sj executes operation (2) as usual, which involves generating one random number, sending one message, computing four XOR operations and evaluating the hash function seven times. By submitting intercepted login request messages repeatedly, E can exhaust the server and make its services unavailable. Therefore Mishra et al.'s scheme is vulnerable to the DoS attack.

The cause is again that Sj cannot check the freshness of the login request message from Ui: it does not know whether a received message is outdated, so it executes operation (2) for every login request it receives.

To resist the DoS attack, a timestamp must be added to the login request message. We therefore add a timestamp to message (1), which lets servers check the freshness of messages before doing the expensive work.

No perfect forward secrecy

Perfect forward secrecy means that if a long-term key is compromised, the session keys derived in earlier runs are not compromised [58]. Unfortunately, Mishra et al.'s scheme does not achieve perfect forward secrecy: adversary E can compute every past session key between user Ui and server Sj once he knows one long-term key, such as Ai.

First, E records Zi, SIDj, MP1, MP2 and MP4 from messages (1) and (3) of a previous run between Ui and Sj. Knowing the long-term key Ai, E computes PSK = Ai ⊕ Zi and Bi = h(Ai). E then computes nP1 = MP1 ⊕ h(PSK), IDi = MP2 ⊕ h(nP1||Bi) and nP2 = MP4 ⊕ h(IDi||nP1). Finally, E obtains the previous session key SKPji = h(IDi||SIDj||Bi||nP1||nP2), and in the same way every other recorded session key. Therefore Mishra et al.'s scheme does not achieve perfect forward secrecy.

In their scheme, Ai = h(IDi||x||Tr) is a key shared between RC and Ui; RC stores Ai (masked in Zi) and h(Ai) (masked in Xi) in the smart card SCi. The value of Ai never changes, even when Ui updates the password, so Ai is a long-term key. The above shows that the session key derivation is defective.

To solve this problem, another secret, such as PSK, must enter the session key derivation in a way that prevents E from computing all session keys from the long-term key Ai and the information on the public channel.
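The following is an added example, not code from Mishra et al. or from this paper: a byte-level model of the login and authentication phase reviewed in Section 3, followed by the three transcript-level attacks described above (redirecting message (1) to another server, replaying message (1), and recovering a past session key from Ai plus a recorded transcript). All values are 32 bytes so that XOR is well defined; identities are zero-padded to 32 bytes and h is SHA-256 over the concatenation, both assumptions of this model since the paper fixes no encoding. The local password/biometric check of the card is omitted because none of the attacks touch it.

```python
import hashlib
import secrets

# Added model of Mishra et al.'s login/authentication phase (assumptions:
# 32-byte values, SHA-256 as h, zero-padded identities).


def h(*parts):
    """h(a||b||...) modelled as SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rc_register(id_i, x, psk, t_r):
    """RC side of user registration. 'A' is the long-term key Ai used only by
    the forward-secrecy attack below; the card holds Bi = h(Ai), Zi and h(PSK)."""
    a_i = h(id_i, x, t_r)                         # Ai = h(IDi||x||Tr)
    return {"A": a_i, "B": h(a_i), "Z": xor(psk, a_i), "hPSK": h(psk)}


def card_login(card, id_i):
    """Login steps 3-4 (after the local check): build message (1)."""
    n1 = secrets.token_bytes(32)
    m1 = xor(card["hPSK"], n1)                    # M1 = h(PSK) xor n1
    m2 = xor(id_i, h(n1, card["B"]))              # M2 = IDi xor h(n1||Bi)
    m3 = h(id_i, n1, card["B"])                   # M3 = h(IDi||n1||Bi)
    return {"Z": card["Z"], "M1": m1, "M2": m2, "M3": m3}, n1


def server_auth(sid, psk, msg1):
    """Authentication step 1: returns (message (3), SK, state) or None."""
    a_i = xor(msg1["Z"], psk)
    b_i = h(a_i)
    n1 = xor(msg1["M1"], h(psk))
    id_i = xor(msg1["M2"], h(n1, b_i))
    if h(id_i, n1, b_i) != msg1["M3"]:
        return None
    n2 = secrets.token_bytes(32)
    sk = h(id_i, sid, b_i, n1, n2)                # SK = h(IDi||SIDj||Bi||n1||n2)
    m4 = xor(n2, h(id_i, n1))                     # M4 = n2 xor h(IDi||n1)
    return {"SID": sid, "M4": m4, "M5": h(sk, n1, n2)}, sk, (n1, n2)


def card_finish(card, id_i, n1, reply):
    """Authentication step 2. Note: the SID in the reply is taken as-is; the
    card never checks it against the server it intended to log in to."""
    n2 = xor(reply["M4"], h(id_i, n1))
    sk = h(id_i, reply["SID"], card["B"], n1, n2)
    if h(sk, n1, n2) != reply["M5"]:
        return None
    return sk, h(sk, n2, n1)                      # M6 = h(SK||n2||n1)


def server_finish(sk, state, m6):
    n1, n2 = state
    return h(sk, n2, n1) == m6


def honest_run(id_i, card, sid, psk):
    """One complete run; returns (message (1), message (3), SK)."""
    msg1, n1 = card_login(card, id_i)
    reply, sk_s, st = server_auth(sid, psk, msg1)
    sk_u, m6 = card_finish(card, id_i, n1, reply)
    assert server_finish(sk_s, st, m6) and sk_u == sk_s
    return msg1, reply, sk_s


def attack_masquerade(id_i, card, psk, sid_k):
    """Message (1) built for some Sj is forwarded unchanged to Sk; Sk accepts,
    the card completes the run with Sk, and E is authenticated by Sk."""
    msg1, n1 = card_login(card, id_i)
    out = server_auth(sid_k, psk, msg1)           # E redirects to Sk
    if out is None:
        return False
    reply, sk_s, st = out
    sk_u, m6 = card_finish(card, id_i, n1, reply)
    return server_finish(sk_s, st, m6) and sk_u == sk_s


def attack_replay(sid, psk, old_msg1):
    """A recorded message (1) is accepted again: no freshness check."""
    return server_auth(sid, psk, old_msg1) is not None


def attack_pfs(a_i, msg1, reply):
    """Long-term Ai plus a passive transcript of messages (1), (3) gives SK."""
    psk = xor(a_i, msg1["Z"])
    b_i = h(a_i)
    n1 = xor(msg1["M1"], h(psk))
    id_i = xor(msg1["M2"], h(n1, b_i))
    n2 = xor(reply["M4"], h(id_i, n1))
    return h(id_i, reply["SID"], b_i, n1, n2)
```

Running `honest_run` once and feeding its recorded messages to the three attack functions reproduces the section's claims directly: the redirected message is accepted by a second server with the same PSK, the replayed message is accepted again, and `attack_pfs` returns the same key the honest run produced.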

No user revocation/re-registration phase

Mishra et al.'s scheme has no user revocation/re-registration phase, so user Ui can neither revoke his privileges nor re-register when his smart card SCi is stolen or lost. To extend the functionality of the scheme, we design a corresponding revocation/re-registration phase; details are given in Section 5.6.

The proposed scheme

Based on the cryptanalysis of Mishra et al.'s scheme, we present a robust biometric-based multi-server authentication and key agreement scheme with six phases: server registration, user registration, login, authentication, password change and revocation/re-registration. There are three participants: user Ui, server Sj and registration center RC. Table 2 lists the notation used in our scheme.

The proposed scheme improves Mishra et al.'s scheme in several respects: 1) it resists the masquerade attack by binding the destination into each message, 2) it appends a timestamp to prevent the replay and Denial-of-Service (DoS) attacks, 3) it introduces the pre-shared key PSK into the session key derivation to achieve perfect forward secrecy, 4) it provides a revocation/re-registration phase, and 5) it improves performance, especially in the login phase. The details are described in the following subsections.

Server registration phase

The server registration phase is illustrated in Fig 4 and explained as follows.

  1. Server Sj sends a join request message to the registration center RC if it wants to become an authorized server in the system.
  2. After receiving the join request, RC authorizes the server and delivers the pre-shared key PSK to Sj over a secure channel established with the Internet Key Exchange protocol version 2 (IKEv2).
  3. Upon receiving PSK, the authorized server Sj uses the shared values PSK and h(PSK) to check the user's legitimacy in the authentication phase.

User registration phase

A new user Ui executes the user registration phase with the registration center RC over a secure channel. The phase is shown in Fig 5 and proceeds as follows.

  1. Ui imprints the personal biometric information BIOi at the sensor. The sensor sketches BIOi, computes Gen(BIOi) → (Ri, Pi) and stores Pi. Ui then selects an identity IDi and a password PWi, computes RPWi = h(PWi||Ri), and sends the registration request message {IDi, RPWi} to RC over the secure channel.
  2. After receiving the registration request, RC adds a new entry 〈IDi, Ni = 1〉 to its database, where Ni counts the user's registrations. RC then computes Ai = h(IDi||x||Tr), Bi = RPWi ⊕ h(Ai), Ci = Bi ⊕ h(PSK), Di = PSK ⊕ Ai ⊕ h(PSK) and Vi = h(IDi||RPWi), where Tr is the registration time.
  3. RC issues the smart card SCi containing {Bi, Ci, Di, Vi} to the user Ui over the secure channel.
  4. Upon receiving SCi, Ui stores Pi in SCi and initializes the authentication environment.

Login phase

In the login phase, the smart card SCi can detect an error immediately using the identity, password and biometric information. The phase is illustrated in Fig 6 and proceeds as follows.

  1. Ui inserts SCi into the smart card reader, inputs the identity IDi and password PWi, and imprints the biometrics BIO*i at the sensor. The sensor sketches BIO*i and recovers Ri = Rep(BIO*i, Pi).
  2. SCi computes RPWi = h(PWi||Ri) and checks whether h(IDi||RPWi) = Vi holds. If it does, SCi computes h(PSK) = Bi ⊕ Ci.
  3. SCi generates a random number N1 and computes AIDi = IDi ⊕ h(N1), M1 = RPWi ⊕ N1 ⊕ h(PSK) and M2 = h(AIDi||N1||RPWi||SIDj||Ti), where Ti is the current timestamp.
  4. SCi sends the login request message {AIDi, M1, M2, Bi, Di, Ti} to Sj over a public channel.

Authentication phase

In the authentication phase, server Sj confirms the destination and freshness of the login request. The phase is shown in Fig 7 and proceeds as follows.

  1. On receiving the login request from Ui, Sj checks whether Tj − Ti ≤ ΔT, where Tj is the time at which Sj receives the message and ΔT is the allowed transmission delay. If the check passes, Sj continues; otherwise it rejects the login request.
  2. Sj computes Ai = Di ⊕ PSK ⊕ h(PSK), RPWi = Bi ⊕ h(Ai) and N1 = RPWi ⊕ M1 ⊕ h(PSK), and verifies whether h(AIDi||N1||RPWi||SIDj||Ti) equals M2.
  3. If the verification holds, Sj generates a random number N2 and computes the session key SKij = h(AIDi||SIDj||N1||N2).
  4. Sj computes M3 = N2 ⊕ h(AIDi||N1) ⊕ h(PSK) and M4 = h(SIDj||N2||AIDi), and sends the authentication request message {SIDj, M3, M4} to Ui over a public channel.
  5. Upon receiving the authentication request, SCi computes N2 = M3 ⊕ h(AIDi||N1) ⊕ h(PSK) and SKij = h(AIDi||SIDj||N1||N2), and checks whether h(SIDj||N2||AIDi) = M4 holds. If it does, SCi computes M5 = h(SKij||N1||N2) and delivers the authentication reply {M5} to Sj over a public channel.
  6. Sj verifies whether h(SKij||N1||N2) = M5 holds. If so, Sj uses the session key SKij to communicate with Ui; otherwise the authentication is rejected.
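The following is an added example, not the paper's own code: a byte-level model of the proposed login and authentication phase with the two fixes this section introduces, the destination SIDj bound into M2 (and AIDi into M4) and the timestamp Ti checked against a window ΔT. All values are 32 bytes, identities are zero-padded, timestamps are integer seconds serialised as 8 bytes, and ΔT = 60 s; these are assumptions of the model. The server additionally remembers the M2 values it has accepted inside the window so that an exact repeat within ΔT is refused as well; that cache is this example's reading of the "Ti and N1 are checked" statement in the security analysis and is not spelled out in the paper. The card-side password/biometric check is included because the card's Vi test gates the rest of the login.

```python
import hashlib
import secrets

DELTA_T = 60  # ΔT in seconds (assumption of this example)


def h(*parts):
    """h(a||b||...) modelled as SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(*parts):
    out = bytes(32)
    for p in parts:
        out = bytes(x ^ y for x, y in zip(out, p))
    return out


def ts(t):
    return int(t).to_bytes(8, "big")


def rc_register(id_i, rpw_i, x, psk, t_r):
    """RC side of user registration; returns the card contents {Bi,Ci,Di,Vi}."""
    a_i = h(id_i, x, t_r)                                   # Ai = h(IDi||x||Tr)
    b_i = xor(rpw_i, h(a_i))                                # Bi = RPWi xor h(Ai)
    return {"B": b_i, "C": xor(b_i, h(psk)),                # Ci = Bi xor h(PSK)
            "D": xor(psk, a_i, h(psk)),                     # Di = PSK xor Ai xor h(PSK)
            "V": h(id_i, rpw_i)}                            # Vi = h(IDi||RPWi)


def card_login(card, id_i, rpw_i, sid_j, now):
    """Login steps 2-4. rpw_i = h(PWi||Ri) is recomputed from the typed password
    and the fuzzy-extractor output before calling this; sid_j is the intended server."""
    if h(id_i, rpw_i) != card["V"]:
        return None
    hpsk = xor(card["B"], card["C"])
    n1 = secrets.token_bytes(32)
    aid_i = xor(id_i, h(n1))                                # AIDi = IDi xor h(N1)
    m1 = xor(rpw_i, n1, hpsk)                               # M1 = RPWi xor N1 xor h(PSK)
    t_i = ts(now)
    m2 = h(aid_i, n1, rpw_i, sid_j, t_i)                    # binds SIDj and Ti
    msg = {"AID": aid_i, "M1": m1, "M2": m2, "B": card["B"], "D": card["D"], "T": t_i}
    return msg, (n1, aid_i, sid_j, hpsk)


class Server:
    def __init__(self, sid, psk):
        self.sid, self.psk, self.seen = sid, psk, {}

    def auth(self, msg, now):
        """Authentication steps 1-4; returns (message {SIDj,M3,M4}, SK, state) or None."""
        t_i = int.from_bytes(msg["T"], "big")
        if t_i > now or now - t_i > DELTA_T:
            return None                                     # stale or future Ti
        self.seen = {m2: t for m2, t in self.seen.items() if now - t <= DELTA_T}
        if msg["M2"] in self.seen:
            return None                                     # exact repeat inside ΔT
        hpsk = h(self.psk)
        a_i = xor(msg["D"], self.psk, hpsk)
        rpw_i = xor(msg["B"], h(a_i))
        n1 = xor(rpw_i, msg["M1"], hpsk)
        if h(msg["AID"], n1, rpw_i, self.sid, msg["T"]) != msg["M2"]:
            return None                                     # wrong destination or tampered
        self.seen[msg["M2"]] = t_i
        n2 = secrets.token_bytes(32)
        sk = h(msg["AID"], self.sid, n1, n2)                # SK = h(AIDi||SIDj||N1||N2)
        m3 = xor(n2, h(msg["AID"], n1), hpsk)
        m4 = h(self.sid, n2, msg["AID"])                    # binds AIDi
        return {"SID": self.sid, "M3": m3, "M4": m4}, sk, (n1, n2)

    def finish(self, sk, state, m5):
        n1, n2 = state
        return h(sk, n1, n2) == m5


def card_finish(state, reply):
    """Authentication step 5; refuses a reply from a server other than the intended one."""
    n1, aid_i, sid_j, hpsk = state
    if reply["SID"] != sid_j:
        return None
    n2 = xor(reply["M3"], h(aid_i, n1), hpsk)
    if h(reply["SID"], n2, aid_i) != reply["M4"]:
        return None
    sk = h(aid_i, sid_j, n1, n2)
    return sk, h(sk, n1, n2)                                # M5 = h(SK||N1||N2)


def honest_run(card, id_i, rpw_i, server, now):
    """One complete run; returns (success, message (1), card state, reply)."""
    msg, st = card_login(card, id_i, rpw_i, server.sid, now)
    reply, sk_s, sst = server.auth(msg, now)
    sk_u, m5 = card_finish(st, reply)
    return server.finish(sk_s, sst, m5) and sk_u == sk_s, msg, st, reply
```

With two servers sharing PSK, the login message produced for Sj is rejected by Sk because SIDk does not reproduce M2, the same message is rejected by Sj once ΔT has elapsed (and, with the cache, immediately if repeated), and the card rejects a reply whose SID is not the server it logged in to; these are exactly the three checks the text adds over Mishra et al.'s scheme.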

Password change phase

In the password change phase, Ui updates the password without any assistance from server Sj or registration center RC. The phase consists of the following steps.

  1. Ui inputs IDi and PWi and imprints the biometrics BIO*i at the sensor. The sensor sketches BIO*i and recovers Ri = Rep(BIO*i, Pi).
  2. SCi computes RPWi = h(PWi||Ri) and checks whether h(IDi||RPWi) = Vi holds. If it does, SCi asks Ui for a new password; otherwise SCi terminates the password change phase immediately.
  3. Ui inputs new password and SCi further computes , , and .
  4. SCi replaces Bi with , Ci with and Vi with in the memory.

User revocation/re-registration phase

User revocation/re-registration lets user Ui revoke his privileges or re-register when his smart card SCi is stolen or lost. To revoke his privileges, Ui sends a revocation request, his smart card and the verification value {RPWi} to the registration center RC over a secure channel. RC verifies that Ui is valid and, if so, updates the corresponding entry to 〈IDi, Ni = 0〉. Similarly, on receiving a re-registration request over a secure channel, RC executes the steps of Section 5.2 and replaces the entry 〈IDi, Ni〉 with 〈IDi, Ni + 1〉 so that Ui is re-registered. This phase makes our scheme more functional than related schemes.

Analysis of our scheme

An authentication and key agreement scheme has three important requirements: security, functionality and performance, and the proposed scheme must be analyzed from all three aspects. In this section we explain how the proposed scheme meets these requirements and compare it with related multi-server authentication and key agreement schemes.

Informal security analysis

In this section we assume that adversary E has the capabilities described in Section 2.1 and analyze, informally, the strength of the proposed scheme against the following common attacks.

Resistance to replay attack.

In a replay attack, adversary E records transmitted messages in order to reuse them, possibly after altering them. Even if E intercepts a previous login request message {AIDi, M1, M2, Bi, Di, Ti} and sends it to server Sj repeatedly, Sj checks the legitimacy of the message through Ti and N1: it verifies Tj − Ti ≤ ΔT and recomputes M2 = h(AIDi||N1||RPWi||SIDj||Ti), where Ti and N1 differ in every session. Hence E is not authenticated by Sj, and our scheme is secure against the replay attack thanks to the timestamp Ti and the random nonce N1.

Resistance to modification attack.

Even if adversary E intercepts the transmitted messages and modifies them, the proposed scheme detects the modification through the one-way hash values M2, M4 and M5. E cannot recover N1, N2 or PSK from the intercepted messages, so he cannot generate a legitimate authentication message. Therefore our scheme prevents the modification attack.

Resistance to stolen-verifier attack.

In the proposed scheme, neither the registration center RC nor the servers hold the user's password or biometrics, so adversary E cannot steal a password verifier or biometric verifier of a legitimate user even if he gains access to the databases of RC and the servers. Thus our scheme resists the stolen-verifier attack.

Resistance to off-line guessing attack.

Using side-channel attacks such as SPA or DPA, adversary E can obtain Bi, Ci, Di and Vi. However, he cannot verify password guesses offline without BIOi, PSK, x and N1. The password is also protected by the one-way hash h(PWi||Ri), where Ri has high entropy, and no two people share the same biometric template. Hence our scheme is secure against the offline guessing attack.

Resistance to forgery attack.

In a forgery attack, a legitimate but malicious user E attempts to impersonate another legitimate user during login and authentication. In the communication between server Sj and user Ui, the real identity IDi is protected by the anonymous identity AIDi = IDi ⊕ h(N1), and the random nonce N1 changes in every session. So a malicious user E cannot learn another legitimate user's real identity IDi, and our scheme prevents the forgery attack.

Resistance to insider attack.

A malicious insider E is familiar with system policies and procedures and has authorized system access; he tries to obtain private user information such as the password and biometrics. RC cannot recover the password PWi or the biometrics BIOi from RPWi = h(PWi||Ri), and RC does not store RPWi in its database. Thus our scheme resists the insider attack.

Resistance to masquerade attack.

Under this attack, adversary E is authenticated by server Sj under a fake or real identity. In Mishra et al.’s scheme, E reuses the messages transmitted between Sj and Ui to gain access to another server Sk. To address this problem, the destination of the message is included in the login request message and the authentication request message, as M2 = h(AIDi||N1||RPWi||SIDj||Ti) and M4 = h(SIDj||N2||AIDi), so that Ui and Sj each verify that the message is intended for them. At the same time, E cannot compute M2 or M4 without N1 or N2. Therefore, our scheme is secure against the masquerade attack.

Resistance to smart card attack.

In the smart card attack, adversary E tries to use the information obtained from smart card SCi to be authenticated by server Sj without the password or biometrics. With SPA or DPA, E obtains Bi, Ci, Di and Vi, which are stored in SCi. In the proposed scheme, the session key between user Ui and server Sj is generated as follows.

Although E obtains M1 and M3 from the public channel, he cannot retrieve N1, N2 or AIDi without PSK. Hence, our scheme prevents the smart card attack.

Resistance to user impersonation attack.

The user impersonation attack means that adversary E impersonates user Ui using only the smart card SCi, without the password or biometrics. The proposed scheme uses h(PSK) to protect N1, N2 and AIDi, so even if E acquires Bi, Ci, Di and Vi by side-channel attacks, he cannot compute the session key needed to impersonate Ui. In conclusion, our scheme resists the user impersonation attack.

Resistance to DoS attack.

The DoS attack diminishes or eliminates the server’s capacity so that the server becomes unavailable. With the help of the timestamp Ti, server Sj checks the freshness and validity of M2 = h(AIDi||N1||RPWi||SIDj||Ti) in the login request message: a message replayed by adversary E carries a timestamp that no longer matches the current time, so its M2 is rejected. Moreover, our scheme applies the fuzzy extractor to meet the usage requirements of biometrics. As a result, our scheme is secure against the DoS attack.

Resistance to server spoofing attack.

Upon receiving the login request message from Ui, adversary E tries to spoof server Sj by replaying an old authentication request message , where and . This attempt fails, since Ui uses different random numbers in different sessions, that is, . Furthermore, E cannot acquire RPWi to retrieve N1 from N1 = RPWi ⊕ M1 ⊕ h(PSK). Therefore, our scheme prevents the server spoofing attack.

Formal security analysis

With the help of the formal security analysis, we demonstrate that our scheme is secure against adversary E. For this purpose, we define the oracle Reveal as follows: it unconditionally outputs x from the one-way hash function y = h(x). The following two theorems provide the formal security analysis of our scheme.

Theorem 1. Under the assumption that the one-way hash function h(⋅) closely behaves like the oracle Reveal, our scheme is provably secure against adversary E for retrieving the identity IDi of user Ui, the pre-shared key PSK of server Sj, and the session key SKij between Ui and Sj.

Proof. We need to construct an adversary E who has the capacity to retrieve the identity IDi of user Ui, the pre-shared key PSK of server Sj, and the session key SKij between Ui and Sj. Adversary E uses the oracle Reveal to execute the experimental algorithm , where BMAKAS denotes the proposed biometric-based multi-server authentication and key agreement scheme. The details of Algorithm 1 are given in Table 3.

We define the success probability of as , where P(⋅) means the probability of . The advantage function of this algorithm is Adv1(et1, qReveal) = maxE{Success1}, where the maximum over adversary E depends on the execution time et1 and the number of queries qReveal made to the oracle Reveal. Our scheme is provably secure against adversary E if Adv1(et1, qReveal) ≤ ε1 for any sufficiently small ε1 > 0. If adversary E had the ability to retrieve x from the one-way hash function y = h(x), then he could easily derive the identity IDi, the pre-shared key PSK and the session key SKij and win the game. However, retrieving the input of a one-way hash function is a computationally infeasible problem. So maxE{Success1} = Adv1(et1, qReveal) ≤ ε1 for any sufficiently small ε1 > 0. In conclusion, our scheme is provably secure against adversary E for retrieving the identity IDi of user Ui, the pre-shared key PSK of server Sj, and the session key SKij between Ui and Sj.

Theorem 2. Under the assumption that the one-way hash function h(⋅) closely behaves like the oracle Reveal, our scheme is provably secure against adversary E for retrieving the password PWi of user Ui, even if the smart card SCi is stolen.

Proof. We need to construct an adversary E who has the capacity to retrieve the password PWi. Adversary E extracts all the information {Bi, Ci, Di, Vi} from the stolen smart card SCi and uses the oracle Reveal to execute the experimental algorithm . The details of Algorithm 2 are given in Table 4.

We define the success probability of as , where P(⋅) means the probability of . The advantage function of this algorithm is Adv2(et2, qReveal) = maxE{Success2}, where the maximum over adversary E depends on the execution time et2 and the number of queries qReveal made to the oracle Reveal. Our scheme is provably secure against adversary E if Adv2(et2, qReveal) ≤ ε2 for any sufficiently small ε2 > 0. If adversary E had the ability to retrieve x from the one-way hash function y = h(x), then he could easily derive the password PWi and win the game. However, retrieving the input of a one-way hash function is a computationally infeasible problem. So maxE{Success2} = Adv2(et2, qReveal) ≤ ε2 for any sufficiently small ε2 > 0. In conclusion, our scheme is provably secure against adversary E for retrieving the password PWi of user Ui.

Functionality analysis

Various functionality requirements for a multi-server authentication and key agreement scheme have been suggested in previous studies. In this section, we show that our scheme provides these functionalities.

Anonymity.

Anonymity means that the user’s real identity is not disclosed to an unauthorized party. In the presented scheme, Ui calculates the dynamic identity AIDi = IDi ⊕ h(N1), and N1 is not leaked by the messages sent over public channels. Thus, adversary E cannot compute the user’s identity IDi without N1. The authorized server Sj retrieves Ai = Di ⊕ PSK ⊕ h(PSK) and RPWi = Bi ⊕ h(Ai), and then computes N1 = RPWi ⊕ M1 ⊕ h(PSK). So only authorized servers learn the real identity of Ui. As a result, adversary E cannot acquire the user’s real identity, while user Ui is still authenticated anonymously by server Sj.

Mutual authentication.

Mutual authentication is achieved when two parties authenticate each other. In our scheme, users and servers authenticate each other using N1, N2, h(PSK), Di and Ti. During the authentication phase, server Sj verifies that M2 equals h(AIDi||N1||RPWi||SIDj||Ti) to authenticate user Ui, and Ui authenticates Sj by checking that h(SIDj||N2||AIDi) = M4 holds. In conclusion, our scheme provides mutual authentication.

Session key agreement.

Session key agreement means that users and servers securely establish a session key that protects the subsequent communication. In the proposed scheme, the session key SKij = h(AIDi||SIDj||N1||N2) is generated by user Ui and server Sj, where N1 and N2 differ in every session. Therefore, the session key differs in each session, so adversary E cannot derive previous session keys from intercepted messages.
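The derivations stated in this analysis (AIDi = IDi ⊕ h(N1), N1 = RPWi ⊕ M1 ⊕ h(PSK), Ai = Di ⊕ PSK ⊕ h(PSK), RPWi = Bi ⊕ h(Ai), M2, M4 and SKij) can be exercised end to end. The following Python model is an added example written for this page, not code from the paper. It fills the values this section leaves undefined (Ai, M3, M5 and how the card carries h(PSK)) with labelled assumptions, uses SHA-256 instead of the paper’s SHA-1, and checks the behaviours argued in the masquerade, DoS, modification, mutual authentication and session key agreement passages: a login request bound to SIDj is rejected by another server Sk, a replay with a stale timestamp is dropped, a modified field breaks M2, and both parties derive the same SKij.

```python
import hashlib
import os

# Assumption: SHA-256 as h(.); the paper's byte counts assume 160-bit SHA-1.
# A_i, M3, M5 and how the card carries h(PSK) are not defined in this section;
# the choices below are labelled assumptions that make the exchange complete.


def h(*parts: bytes) -> bytes:
    """One-way hash h(a||b||...) over the concatenated inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Fixed-width encoding of timestamp T_i for hashing."""
    return t.to_bytes(8, "big")


def register(ID_i, PW_i, R_i, x, PSK):
    """RC side. RPW_i = h(PW_i||R_i); assumption: A_i = h(ID_i||x). B_i and D_i are
    chosen so that RPW_i = B_i xor h(A_i) and A_i = D_i xor PSK xor h(PSK) hold."""
    RPW_i = h(PW_i, R_i)
    A_i = h(ID_i, x)
    return {  # C_i and P_i are not modelled; RC keeps no password/biometric verifier
        "B": xor(RPW_i, h(A_i)),
        "D": xor(xor(A_i, PSK), h(PSK)),
        "V": h(ID_i, RPW_i),
        "hPSK": h(PSK),  # assumption: the user-side long-term key h(PSK)
    }


def user_login(card, ID_i, PW_i, R_i, SID_j, T_i, N1):
    """Builds {AID_i, M1, M2, B_i, D_i, T_i}; M1 satisfies N1 = RPW_i xor M1 xor h(PSK)."""
    RPW_i = h(PW_i, R_i)
    if h(ID_i, RPW_i) != card["V"]:  # fast error detection on the card, no RC involved
        raise ValueError("identity/password/biometric mismatch")
    AID_i = xor(ID_i, h(N1))  # dynamic identity, fresh for every session
    M1 = xor(xor(N1, RPW_i), card["hPSK"])
    M2 = h(AID_i, N1, RPW_i, SID_j, ts(T_i))  # destination SID_j is bound into M2
    return {"AID": AID_i, "M1": M1, "M2": M2, "B": card["B"], "D": card["D"], "T": T_i}


def server_on_login(msg, SID_j, PSK, now, N2, window=5):
    """S_j: freshness check, recover N1, verify M2, build {SID_j, M3, M4}; None = reject."""
    if abs(now - msg["T"]) > window:
        return None  # stale T_i: a replayed login is dropped before touching any secret
    A_i = xor(xor(msg["D"], PSK), h(PSK))
    RPW_i = xor(msg["B"], h(A_i))
    N1 = xor(xor(RPW_i, msg["M1"]), h(PSK))
    if h(msg["AID"], N1, RPW_i, SID_j, ts(msg["T"])) != msg["M2"]:
        return None  # wrong destination server, modified field or wrong secrets
    M3 = xor(N2, h(N1, msg["AID"]))  # assumption: N2 masked with a value only U_i/S_j know
    M4 = h(SID_j, N2, msg["AID"])
    return {"SID": SID_j, "M3": M3, "M4": M4}, {"AID": msg["AID"], "N1": N1, "N2": N2, "SID": SID_j}


def user_on_reply(reply, AID_i, N1):
    """U_i: recover N2, check M4 = h(SID_j||N2||AID_i), derive SK_ij, send M5."""
    N2 = xor(reply["M3"], h(N1, AID_i))
    if h(reply["SID"], N2, AID_i) != reply["M4"]:
        return None  # spoofed or modified server reply
    SK = h(AID_i, reply["SID"], N1, N2)  # SK_ij = h(AID_i||SID_j||N1||N2)
    return SK, h(SK, N2)  # assumption: M5 is a key-confirmation value


def server_on_confirm(state, M5):
    """S_j: derive the same SK_ij and accept only if M5 confirms it."""
    SK = h(state["AID"], state["SID"], state["N1"], state["N2"])
    return SK if h(SK, state["N2"]) == M5 else None


def demo():
    """One honest session plus the misuse cases the text argues are rejected."""
    ID_i = b"user-alice".ljust(32, b"\x00")  # constructed 32-byte identity
    PW_i, R_i, x, PSK = b"correct horse", os.urandom(32), os.urandom(32), os.urandom(32)
    SID_j, SID_k = b"server-j".ljust(32, b"\x00"), b"server-k".ljust(32, b"\x00")
    card = register(ID_i, PW_i, R_i, x, PSK)
    T_i, N1, N2 = 1_700_000_000, os.urandom(32), os.urandom(32)
    login = user_login(card, ID_i, PW_i, R_i, SID_j, T_i, N1)
    reply, state = server_on_login(login, SID_j, PSK, now=T_i + 1, N2=N2)
    SK_user, M5 = user_on_reply(reply, login["AID"], N1)
    SK_server = server_on_confirm(state, M5)
    tampered = dict(login, M1=xor(login["M1"], b"\x01" * 32))
    return {
        "keys_agree": SK_user == SK_server,
        "anonymous": login["AID"] != ID_i,
        "masquerade_to_k_rejected": server_on_login(login, SID_k, PSK, T_i + 1, N2) is None,
        "stale_replay_rejected": server_on_login(login, SID_j, PSK, T_i + 600, N2) is None,
        "tampered_rejected": server_on_login(tampered, SID_j, PSK, T_i + 1, N2) is None,
    }
```

`demo()` returns one flag per property; every flag is True for the model above. The order of checks in `server_on_login` matters for the DoS argument: the timestamp is compared before any secret-dependent computation, so a flood of replayed requests costs the server only an integer comparison each.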

Perfect forward secrecy.

Perfect forward secrecy means that a session key is not compromised if the user’s long-term key is compromised in the future [11, 15]. In our scheme, the session key between user Ui and server Sj is calculated as follows.

Even if the user’s long-term key h(PSK) is compromised, adversary E cannot compute RPWi or PSK, so he cannot retrieve N1 and N2 to generate the session keys between Ui and Sj. Hence, our scheme achieves perfect forward secrecy.

User revocation/re-registration.

User Ui sends a revocation or re-registration request message to the registration center RC over a secure channel if he wants to revoke his privilege or re-register. RC helps Ui revoke his privilege or re-register by modifying 〈IDi, Ni〉 in its database. The user revocation/re-registration functionality meets the requirements of practical applications and makes our scheme more robust than other related schemes.

Biometric information protection.

In conventional schemes, the user’s biometric information is stored directly in the smart card SCi, so adversary E can obtain the biometrics from a lost smart card with the assistance of side-channel attacks. We adopt a stronger mechanism to solve this problem: the nearly random string Ri, which the fuzzy extractor derives from the biometric information BIOi, is protected by the one-way hash function; more details are given in Section 2.2. This makes it impossible for E to obtain the biometric information. In conclusion, our scheme provides biometric information protection.
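To make this protection mechanism concrete, here is a toy fuzzy extractor as an added example (not the paper’s construction and not a complete implementation of Dodis et al. [43]): a code-offset secure sketch over a 3-bit repetition code, with a seeded hash as the extractor. It assumes a bit-string biometric template and SHA-256 as h(⋅), and the card stores only the helper data Pi and h(IDi||h(PWi||Ri)), so a captured card reveals neither BIOi nor Ri while a slightly noisy re-reading of the biometric still reproduces Ri.

```python
import hashlib
import os
import random

REP = 3  # repetition factor: each group of three bits tolerates one flipped bit


def h(*parts: bytes) -> bytes:
    """One-way hash h(a||b||...) (assumption: SHA-256)."""
    return hashlib.sha256(b"".join(parts)).digest()


def bits_xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def gen(bio_bits, rng=random):
    """Gen(BIO_i) -> (R_i, P_i): code-offset sketch plus a seeded hash as extractor."""
    assert len(bio_bits) % REP == 0, "template length must be a multiple of REP"
    message = [rng.randrange(2) for _ in range(len(bio_bits) // REP)]
    codeword = [bit for bit in message for _ in range(REP)]
    P = bits_xor(bio_bits, codeword)  # public helper data: BIO_i masked by a random codeword
    seed = os.urandom(16)             # extractor seed, public, stored next to P
    return h(seed, bytes(bio_bits)), {"P": P, "seed": seed}


def rep(noisy_bits, helper):
    """Rep(BIO_i', P_i) -> R_i whenever every 3-bit group of BIO_i' has at most one error."""
    shifted = bits_xor(noisy_bits, helper["P"])  # = codeword xor noise
    decoded = []
    for i in range(0, len(shifted), REP):
        bit = 1 if sum(shifted[i:i + REP]) * 2 > REP else 0  # majority vote
        decoded.extend([bit] * REP)
    recovered_bio = bits_xor(decoded, helper["P"])  # exact BIO_i, if decoding succeeded
    return h(helper["seed"], bytes(recovered_bio))


def enroll(ID_i, PW_i, bio_bits):
    """Card contents after registration: helper data P_i and V_i = h(ID_i||h(PW_i||R_i)).
    Neither BIO_i nor R_i is written to the card."""
    R_i, helper = gen(bio_bits)
    return {"P": helper, "V": h(ID_i, h(PW_i, R_i))}


def verify(card, ID_i, PW_i, noisy_bits):
    """Card-side check used at login and password change: rebuild R_i, then compare V_i."""
    R_i = rep(noisy_bits, card["P"])
    return h(ID_i, h(PW_i, R_i)) == card["V"]


def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    """Constructed 30-bit 'template'; the outcomes illustrate tolerance and rejection."""
    rng = random.Random(7)
    bio = [rng.randrange(2) for _ in range(30)]
    card = enroll(b"alice", b"pw", bio)
    return {
        "exact_reading": verify(card, b"alice", b"pw", bio),
        "one_error_per_group": verify(card, b"alice", b"pw", flip(bio, [0, 4, 8, 29])),
        "two_errors_in_group": verify(card, b"alice", b"pw", flip(bio, [0, 1])),
        "wrong_password": verify(card, b"alice", b"bad", bio),
        "bio_not_on_card": all(v != bio for v in card.values()),
    }
```

A repetition code is used only because its decoder fits in three lines; it corrects a single error per group and nothing more, whereas practical extractors use codes matched to the real error rate of the sensor and keep the entropy loss from publishing Pi within the bound given in [43].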

Efficiency analysis

Efficiency is an important consideration when evaluating such schemes. The efficiency of a multi-server authentication and key agreement scheme can be measured by the following metrics: single registration, secure and simple password modification, fast error detection, and low computational cost.

Single registration.

Single registration means that a single point of registration allows users to access all servers in the system. In the proposed scheme, user Ui registers with the registration center RC only once in order to be authenticated by every server and to use the servers’ services anonymously. So our scheme achieves single registration.

Secure and simple password modification.

Secure and simple password modification requires that users can change their passwords without the assistance of any trusted third party, and that the authenticity of the user is verified by the smart card. In our scheme, user Ui changes the password conveniently without any communication with the registration center RC. Furthermore, the smart card SCi checks whether h(IDi||RPWi) = Vi holds for every password modification, so adversary E cannot change the password even if he acquires the smart card and the password. In conclusion, the proposed scheme provides secure and simple password modification.

Fast error detection.

Fast error detection means that the smart card SCi detects incorrect passwords or any other discrepancy quickly. In the login and password change phases, SCi detects errors such as inaccurate identities, incorrect passwords and false biometrics immediately, without the help of the registration center RC or server Sj. Therefore, our scheme achieves fast error detection.

Low computational cost.

The computational cost of the scheme should be minimized in practice. As the major communicating parties, Ui and Sj together generate a random number twice, perform the XOR operation 12 times and evaluate the hash function 15 times to complete the login and authentication phases. As a result, the computational cost of our scheme is a little lower than that of other related schemes.

Comparisons with related schemes

In this section, we compare the resistance, functionality and performance of our scheme with other related existing biometric-based multi-server authentication and key agreement schemes, such as Chuang et al.’s scheme [51], Mishra et al.’s scheme [53], Xue et al.’s scheme [59] and Li et al.’s scheme [60].

Table 5 lists the resistance comparison of various biometric-based multi-server authenticated key agreement schemes. In Table 5 we use the following notations: R1: resistance to replay attack, R2: resistance to modification attack, R3: resistance to stolen-verifier attack, R4: resistance to off-line guessing attack, R5: resistance to forgery attack, R6: resistance to insider attack, R7: resistance to masquerade attack, R8: resistance to smart card attack, R9: resistance to user impersonation attack, R10: resistance to DoS attack and R11: resistance to server spoofing attack. The result indicates that our scheme is more secure and achieves all the resistance requirements.

Table 6 shows the functionality comparison of the proposed scheme with other related schemes. In Table 6, we use the following notations: F1: anonymity, F2: mutual authentication, F3: session key agreement, F4: perfect forward secrecy, F5: user revocation/re-registration and F6: biometric information protection. We further compare our scheme with Lu et al.’s scheme [24], which is another improved scheme. It can be seen that our scheme provides more of the functionality requirements than the other related schemes.

We compare our scheme with other biometric-based multi-server authentication and key agreement schemes in terms of the computational overhead, communication overhead and storage requirement of the login and authentication phases. To measure the computational complexity, we count the number of hash function operations as the time complexity, since the XOR operation has negligible cost; Th denotes the computation time of one hash function evaluation. According to Xue et al.’s work [61], the average running time of a one-way secure hash function operation is about 0.2 ms. Table 7 and Fig 8 compare our scheme with the other related schemes in terms of computation overhead. In Table 7, we use the following notations: S1: computation overhead in the login phase, S2: execution overhead in the login phase, S3: computation overhead in the authentication phase, S4: execution overhead in the authentication phase and S5: total execution overhead. The proposed scheme requires lower computation overhead than the other schemes.

To estimate the communication efficiency, we assume the following lengths of the security parameters: the bit length of a random number Ni is 160, the bit length of a user identity is 160, the bit length of the timestamp Ti is 16 and the output length of the hash function is 160, following SHA-1, which is applied in most of the previous schemes. In our scheme, Ui transmits the request message {AIDi, M1, M2, Bi, Di, Ti} to Sj during the login phase, and its length is (160 + 160 + 160 + 160 + 160 + 16)/8 = 102 bytes. In the authentication stage, the communication overhead is (160 + 160 + 160 + 160)/8 = 80 bytes, covering the authentication request message {SIDj, M3, M4} and the authentication reply {M5}. So the total communication overhead of the proposed scheme is 102 + 80 = 182 bytes. We measure the communication overhead of the related schemes in the same way. To estimate the storage requirement, we treat the values stored in the smart card as the storage overhead and calculate their byte length. In our scheme, the stored values {Bi, Ci, Di, Vi, Pi} require (160 + 160 + 160 + 160 + 160)/8 = 100 bytes. Similarly, we estimate the storage requirement of the other schemes. Table 8 and Fig 9 show the comparison of the communication and storage costs of the various multi-server authentication and key agreement schemes. In Table 8 we use the following notations: C1: communication cost in the login phase, C2: communication cost in the authentication phase, C3: total communication cost and C4: storage cost. With the same level of communication overhead and storage requirement, our scheme clearly has an advantage in computational complexity when the computation cost of these related schemes is considered. From the comparisons given above, we conclude that our scheme offers a better balance of resistance, functionality and performance than the other related schemes.

Conclusion

With the growing security requirements of networks, biometric authentication schemes applied in the multi-server environment have become more crucial and more widely deployed. In this paper, we analyze the security of Mishra et al.’s scheme. Based on the cryptanalysis of their scheme, we propose a novel biometric-based multi-server authentication and key agreement scheme. The presented scheme improves Mishra et al.’s scheme and satisfies the desirable security requirements, as demonstrated through informal and formal security analysis respectively. Our scheme also provides significant functionalities that are not considered in most existing authentication schemes, such as user revocation or re-registration and biometric information protection. In addition, comparisons of security, functionality and performance between the proposed scheme and several related ones are given. The results show that our scheme has more security properties, more functionalities and lower computation cost with the same level of communication overhead and storage requirement. We conclude that our scheme is more appropriate for practical applications in remote distributed networks.

Author Contributions

Conceived and designed the experiments: CQW XZ ZMZ. Performed the experiments: CQW XZ ZMZ. Analyzed the data: CQW XZ ZMZ. Contributed reagents/materials/analysis tools: CQW XZ ZMZ. Wrote the paper: CQW XZ ZMZ.

References

1. Khan MK, Zhang J. Improving the security of ‘a flexible biometrics remote user authentication scheme’. Computer Standards & Interfaces. 2007; 29(1): 82–85.
2. He D, Kumar N, Khan MK, Lee JH. Anonymous two-factor authentication for consumer roaming service in global mobility networks. IEEE Transactions on Consumer Electronics. 2013; 59(4): 811–817.
3. Mishra D. Design and analysis of a provably secure multi-server authentication scheme. Wireless Personal Communications. 2015.
4. Lamport L. Password authentication with insecure communication. Communications of the ACM. 1981; 24(11): 770–772.
5. Farash MS, Attari M. A secure and efficient identity-based authenticated key exchange protocol for mobile client-server networks. The Journal of Supercomputing. 2014; 69(1): 395–411.
6. Xiong H, Chen Z, Li FG. New identity-based three-party authenticated key agreement protocol with provable security. Journal of Network and Computer Applications. 2013; 36(2): 927–932.
7. Xie Q, Hu B, Dong N, Wong DS. Anonymous three-party password-authenticated key exchange scheme for telecare medical information systems. PLoS ONE. 2014; 9(7): e102747. pmid:25047235
8. Du WB, Wu ZX, Cai KQ. Effective usage of shortest paths promotes transportation efficiency on scale-free networks. Physica A. 2013; 392(17): 3505–3512.
9. Li XW, Zhang YQ, Zhang GF. A new certificateless authenticated key agreement protocol for SIP with different KGCs. Security and Communication Networks. 2013; 6(5): 631–643.
10. Kounga G, Mitchell CJ, Walter T. Generating certification authority authenticated public keys in ad hoc networks. Security and Communication Networks. 2012; 5(1): 87–106.
11. Mishra D, Kumari S, Khan MK, Mukhopadhyay S. An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems. International Journal of Communication Systems. 2015.
12. Ustaoǧlu B. Integrating identity-based and certificate-based authenticated key exchange protocols. International Journal of Information Security. 2011; 10(4): 201–212.
13. Lu YR, Li LX, Peng HP, Yang YX. A biometrics and smart cards-based authentication scheme for multi-server environments. Security and Communication Networks. 2015.
14. Chang YF, Tai WL, Chang HC. Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update. International Journal of Communication Systems. 2014; 27(11): 3430–3440.
15. Mishra D, Das AK, Chaturvedic A, Mukhopadhyay S. A secure password-based authentication and key agreement scheme using smart cards. Journal of Information Security and Applications. 2015; 23: 28–43.
16. Huang H, Cao ZF. IDOAKE: Strongly secure ID-based one-pass authenticated key exchange protocol. Security and Communication Networks. 2011; 4(10): 1153–1161.
17. Shamir A. Identity-based cryptosystems and signature schemes. Advances in Cryptology. 1985; 196: 47–53.
18. He DB, Chen JH, Hu J. An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security. Information Fusion. 2012; 13(3): 223–230.
19. Yang JH, Chang CC. An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. Computers & Security. 2009; 28(3-4): 138–143.
20. Hsu CL, Chuang YH, Kuo CL. A Novel Remote User Authentication Scheme from Bilinear Pairings Via Internet. Wireless Personal Communications. 2015; 83(1): 163–174.
21. Yoon EJ, Yoo KY. Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. The Journal of Supercomputing. 2013; 63(1): 235–255.
22. Islam SKH. A provably secure ID-based mutual authentication and key agreement scheme for mobile multi-server environment without ESL attack. Wireless Personal Communications. 2014; 79(3): 1975–1991.
23. Baruah KC, Banerjee S, Dutta MP, Bhunia CT. An improved biometric-based multi-server authentication scheme using smart card. International Journal of Security and Its Applications. 2015; 9(1): 397–408.
24. Lu Y, Li L, Yang X, Yang Y. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE. 2015; 10(5): e0126323. pmid:25978373
25. Xiong H, Qin ZG. Revocable and Scalable Certificateless Remote Authentication Protocol With Anonymity for Wireless Body Area Networks. IEEE Transactions on Information Forensics and Security. 2015; 10(7): 1442–1455.
26. Nam J, Choo KKR, Han S, Kim M, Paik J, Won D. Efficient and anonymous two-factor user authentication in wireless sensor networks: achieving user anonymity with lightweight sensor computation. PLoS ONE. 2015; 10(4): e0116709. pmid:25849359
27. Cao LL, Ge WC. Analysis and improvement of a multi-factor biometric authentication scheme. Security and Communication Networks. 2015; 8(4): 617–625.
28. Mishra D, Mukhopadhyay S. Cryptanalysis of pairing-free identity-based authenticated key agreement. Information Systems Security. 2013; 8303: 247–254.
29. Sun HM, Leu MC. An efficient authentication scheme for access control in mobile pay-TV systems. IEEE Transactions on Multimedia. 2009; 11(5): 947–959.
30. Ku WC, Chen SM. Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics. 2004; 50(1): 204–207.
31. Mishra D. Understanding security failures of two authentication and key agreement schemes for telecare medicine information systems. Journal of Medical Systems. 2015; 39(3): 1–8.
32. Hsiang HC, Shih WK. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces. 2009; 31(6): 1118–1123.
33. Leung KC, Cheng LM, Fong AS, Chan CK. Cryptanalysis of a modified remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics. 2003; 49(4): 1243–1245.
34. Ma CG, Wang D, Zhao SD. Security flaws in two improved remote user authentication schemes using smart cards. International Journal of Communication Systems. 2014; 27(10): 2215–2227.
35. Mishra D. On the security flaws in id-based password authentication schemes for telecare medical information systems. Journal of Medical Systems. 2015; 39(1): 1–16.
36. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers. 2002; 51(5): 541–552.
37. Das AK. Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Information Security. 2011; 5(3): 145–151.
38. Islam SKH. Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps. Nonlinear Dynamics. 2014; 78(3): 2261–2276.
39. Zhang M, Zhang JS, Zhang Y. Remote three-factor authentication scheme based on fuzzy extractors. Security and Communication Networks. 2015; 8(4): 682–693.
40. Li CT, Hwang MS. An efficient biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications. 2010; 33(1): 1–5.
41. Li X, Niu JW, Ma J, Wang WD, Liu CL. Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications. 2011; 34(1): 73–79.
42. Farid B, Kadda BB. Password hardened fuzzy vault for fingerprint authentication system. Image and Vision Computing. 2014; 32(8): 487–496.
43. Dodis Y, Reyzin L, Smith A. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. Advances in Cryptology, EUROCRYPT 2004. 2004; 3027: 523–540.
44. Dodis Y, Kanukurthi B, Katz J, Reyzin L, Smith A. Robust Fuzzy Extractors and Authenticated Key Agreement From Close Secrets. IEEE Transactions on Information Theory. 2012; 58(9): 6207–6222.
45. He DB, Wang D. Robust Biometrics-Based Authentication Scheme for Multiserver Environment. IEEE Systems Journal. 2015; 9(3): 816–823.
46. Zhang JS, Ma J, Li X, Wang WD. A secure and efficient remote user authentication scheme for multi-server environments using ECC. KSII Transactions on Internet and Information Systems. 2014; 8(8): 2930–2947.
47. Liao YP, Wang SS. A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces. 2009; 31(1): 24–29.
48. Yoon EJ, Yoo KY. Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. The Journal of Supercomputing. 2013; 63(1): 235–255.
49. Zhu HF. A provable one-way authentication key agreement scheme with user anonymity for multi-server environment. KSII Transactions on Internet and Information Systems. 2015; 9(2): 811–829.
50. Li X, Niu JW, Kumari S, Liao JG, Liang W. An enhancement of a smart card authentication scheme for multi-server architecture. Wireless Personal Communications. 2015; 80(1): 175–192.
51. Chuang MC, Chen MC. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications. 2014; 41(4): 1411–1418.
52. Choi YS, Nam JH, Lee DH, Kim JY, Jung JW, Won DH. Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics. The Scientific World Journal. 2014; 281305. pmid:25276847
53. Mishra D, Das AK, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Systems with Applications. 2014; 41(18): 8129–8143.
54. Dolev D, Yao AC. On the security of public key protocols. IEEE Transactions on Information Theory. 1983; 29(2): 198–208.
55. Kocher P, Jaffe J, Jun B, Rohatgi P. Introduction to differential power analysis. Journal of Cryptographic Engineering. 2011; 1(1): 5–27.
56. Dang Q. Changes in Federal Information Processing Standard (FIPS) 180-4, secure hash standard. Cryptologia. 2013; 37(1): 69–73.
57. Manuel S. Classification and generation of disturbance vectors for collision attacks against SHA-1. Designs, Codes and Cryptography. 2011; 59(1-3): 247–263.
58. Zhu HF, Hao X. A provable authenticated key agreement protocol with privacy protection using smart card based on chaotic maps. Nonlinear Dynamics. 2015; 81(1-2): 311–321.
59. Xue KP, Hong PL, Ma CS. A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. Journal of Computer and System Sciences. 2014; 80(1): 195–206.
60. Li X, Ma J, Wang WD, Xiong YP, Zhang JS. A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling. 2013; 58(1-2): 85–95.
61. Xue KP, Hong PL. Security improvement on an anonymous key agreement protocol based on chaotic maps. Communications in Nonlinear Science and Numerical Simulation. 2012; 17(7): 2969–2977.