A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards

Abstract

Advances in communication technology provide a scalable platform for various services, where a remote user can access a server from anywhere. This gives online services a unique opportunity, since a user does not need to be physically present at the service center. These services adopt authentication and key agreement protocols in order to ensure authorized and secure access to resources. Most of the authentication schemes proposed in the literature support a single-server environment, where the user has to register with each server: a user who wishes to access multiple application servers is required to register with each of them. Multi-server authentication introduces a scalable platform in which a user can interact with any server using a single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on a user’s password and biometrics (Chuang and Chen, 2014). Their scheme is lightweight, requiring the computation of only hash functions. In this paper, we first analyze Chuang and Chen’s scheme and show that it does not resist the stolen smart card attack, which leads to user impersonation and server spoofing attacks. We also show that their scheme fails to protect against denial-of-service attacks. We aim to propose an efficient improvement on Chuang and Chen’s scheme that overcomes these weaknesses while retaining the original merits of their scheme. Through rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks, including the attacks found in Chuang and Chen’s scheme. Furthermore, we simulate our scheme for formal security verification using the widely accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against replay and man-in-the-middle attacks. In addition, our scheme is comparable to Chuang and Chen’s scheme and other related existing schemes in terms of communication and computational overheads.

[1] Cheng-Chi Lee, et al. A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps, 2012, Nonlinear Dynamics.

[2] Wei-Bin Lee, et al. An efficient and secure multi-server authentication scheme with key agreement, 2012, J. Syst. Softw.

[3] Chin-Chen Chang, et al. An efficient and secure multi-server password authentication scheme using smart cards, 2004, 2004 International Conference on Cyberworlds.

[4] Xiang Cao, et al. Breaking a remote user authentication scheme for multi-server architecture, 2006, IEEE Communications Letters.

[5] Sebastian Mödersheim, et al. The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications, 2005, CAV.

[6] Ashok Kumar Das, et al. A Secure and Efficient Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care, 2013, Journal of Medical Systems.

[7] Min-Shiang Hwang, et al. A new remote user authentication scheme for multi-server architecture, 2003, Future Gener. Comput. Syst.

[8] Minh-Triet Tran, et al. Robust Secure Dynamic ID Based Remote User Authentication Scheme for Multi-server Environment, 2013, ICCSA.

[9] Shuenn-Shyang Wang, et al. A secure dynamic ID based remote user authentication scheme for multi-server environment, 2009, Comput. Stand. Interfaces.

[10] Christophe Rosenberger, et al. Biohashing for Securing Minutiae Template, 2010, 2010 20th International Conference on Pattern Recognition.

[11] Sebastian Mödersheim, et al. OFMC: A symbolic model checker for security protocols, 2005, International Journal of Information Security.

[12] Chun-Ta Li, et al. An efficient biometrics-based remote user authentication scheme using smart cards, 2010, J. Netw. Comput. Appl.

[13] Loris Nanni, et al. An improved BioHashing for human authentication, 2007, Pattern Recognit.

[14] Charlie Kaufman, et al. Internet Key Exchange (IKEv2) Protocol, 2005, RFC.

[15] R. Pearl. Biometrics, 1914, The American Naturalist.

[16] J. Pasquale. Using expert systems to manage distributed computer systems, 1988, IEEE Network.

[17] Chunlei Yang, et al. Integration of Biometrics and PIN Pad on Smart Card, 2011.

[18] Jian Ma, et al. An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards, 2012, J. Netw. Comput. Appl.

[19] S. Hariri, et al. An expert system for network management, 1991, [1991 Proceedings] Tenth Annual International Phoenix Conference on Computers and Communications.

[20] Robert H. Sloan, et al. Examining Smart-Card Security under the Threat of Power Analysis Attacks, 2002, IEEE Trans. Computers.

[21] Shashikala Tapaswi, et al. Robust Smart Card Authentication Scheme for Multi-server Architecture, 2013, Wireless Personal Communications.

[22] Debiao He. Security flaws in a biometrics-based multi-server authentication with key agreement scheme, 2011, IACR Cryptol. ePrint Arch.

[23] Meng Chang Chen, et al. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics, 2014, Expert Syst. Appl.

[24] Shiuh-Pyng Shieh, et al. Password authentication schemes with smart cards, 1999, Comput. Secur.

[25] Palash Sarkar, et al. A Simple and Generic Construction of Authenticated Encryption with Associated Data, 2010, TSEC.

[26] Kuldip Singh, et al. A secure dynamic identity based authentication protocol for multi-server architecture, 2011, J. Netw. Comput. Appl.

[27] Stéphane Manuel, et al. Classification and generation of disturbance vectors for collision attacks against SHA-1, 2011, Des. Codes Cryptogr.

[28] Wei-Kuan Shih, et al. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment, 2009, Comput. Stand. Interfaces.

[29] Andrew Beng Jin Teoh, et al. Biohashing: two factor authentication featuring fingerprint data and tokenised random number, 2004, Pattern Recognit.

[30] Eun-Jun Yoon, et al. Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem, 2010, The Journal of Supercomputing.

[31] Christof Paar, et al. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme, 2008, CRYPTO.

[32] Cheng-Chi Lee, et al. Cryptanalysis of a Secure Dynamic ID Based Remote User Authentication Scheme for Multi-Server Environment, 2009, 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC).

[33] Wen-Shenq Juang, et al. Efficient multi-server password authenticated key agreement using smart cards, 2004, IEEE Transactions on Consumer Electronics.

[34] William Stallings, et al. Cryptography and Network Security: Principles and Practice, 1998.

[35] David von Oheimb. The High-Level Protocol Specification Language HLPSL developed in the EU project AVISPA, 2005.

[36] Willi Meier, et al. Quark: A Lightweight Hash, 2010, Journal of Cryptology.

[37] Colin Boyd, et al. Protocols for Authentication and Key Establishment, 2003, Information Security and Cryptography.

[38] Cheng-Chi Lee, et al. A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards, 2011, Expert Syst. Appl.

[39] Ashok Kumar Das, et al. Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem, 2012, Inf. Sci.

[40] Jia-Lun Tsai, et al. Efficient multi-server authentication scheme based on one-way hash function without verification table, 2008, Comput. Secur.

[41] Douglas R. Stinson, et al. Some Observations on the Theory of Cryptographic Hash Functions, 2006, Des. Codes Cryptogr.

[42] Bo Yang, et al. A biometric password-based multi-server authentication scheme with smart card, 2010, 2010 International Conference On Computer Design and Applications.

[43] Min-Shiang Hwang, et al. A remote password authentication scheme for multiserver architecture using neural networks, 2001, IEEE Trans. Neural Networks.

[44] B. B. Zaidan, et al. An Enhanced Security Solution for Electronic Medical Records Based on AES Hybrid Technique with SOAP/XML and SHA-1, 2013, Journal of Medical Systems.

[45] Debiao He, et al. Security Flaws in a Smart Card Based Authentication Scheme for Multi-server Environment, 2012, Wireless Personal Communications.

[46] Danny Dolev, et al. On the security of public key protocols, 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[47] Vanga Odelu, et al. A secure effective key management scheme for dynamic access control in a large leaf class hierarchy, 2014, Inf. Sci.

[48] Sagar Patil, et al. A novel proxy signature scheme based on user hierarchical access control policy, 2013, J. King Saud Univ. Comput. Inf. Sci.

[49] Dongho Won, et al. Cryptanalysis and Improvement of a Biometrics-Based Multi-server Authentication with Key Agreement Scheme, 2012, ICCSA.

[50] Muhammad Khurram Khan, et al. On the security of an authentication scheme for multi-server architecture, 2013, Int. J. Electron. Secur. Digit. Forensics.

[51] Ashok Kumar Das, et al. Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards, 2011, IET Inf. Secur.

[52] Ashok Kumar Das, et al. An Enhanced Access Control Scheme in Wireless Sensor Networks, 2014, Ad Hoc Sens. Wirel. Networks.

[53] Gene Tsudik, et al. AudES - An Expert System for Security Auditing, 1990, IAAI.

[54] Air Force Air Force Materiel Command Hq. FIPS-PUB-180-1, 1995.

[55] Bin Wang, et al. A Smart Card Based Efficient and Secured Multi-Server Authentication Scheme, 2012, Wireless Personal Communications.

[56] Siva Sai Yerubandi, et al. Differential Power Analysis, 2002.