Security improvement on a biometrics-based authentication protocol for multi-server environment

Recently, a biometrics-based multi-server authentication protocol was proposed by Odelu et al. It was proved that the scheme is secure against different possible known attacks and satisfies attractive security properties. In this paper, however, we prove that Odelu et al.'s scheme suffers from an offline password guessing attack and fails to provide three-factor security. Further, we propose an improved scheme by applying a fuzzy verifier to local password verification and employing Chebyshev chaotic map-based cryptography. Security analysis shows that our scheme not only maintains the advantages of Odelu et al.'s scheme but also withstands the offline password guessing attack. As a result, our improved scheme can provide three-factor security and has better performance compared with Odelu et al.'s scheme.
