A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme

Abstract Advancement in Internet of Things (IOT) and remote user communication is facilitated, where a user need not be physically present. However, security and privacy challenges arrive as client–server communication is done via public network. To lower down the security and privacy threats, authentication and key agreement (AKA) protocols are being designed and analyzed. AKA protocols' goal is to ensure authorized and secure access of recourses. Recently, Li et al. proposed a biometric based three-factor remote user authentication scheme for client–server environment. Their scheme uses biometric identifier to resist guessing attacks. In this article, we discussed the security of Li et al.'s scheme, and show its vulnerability to known session specific temporary information attack. Additionally, it does not provide three-factor authentication and user's privacy. It also has some flows in authentication phase. We proposed a novel AKA protocol, which can overcome the weaknesses of Li et al.'s scheme without losing its original merits. Through the analysis, we show that our scheme is secure against various known attacks including the attacks found in Li et al.'s scheme. Furthermore, we demonstrate the validity of the proposed scheme using the BAN (Burrows, Abadi, and Needham) logic. Our scheme is also comparable in terms of computation overheads with Li et al.'s scheme and other related schemes.

[1]  Rafail Ostrovsky,et al.  Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data , 2004, SIAM J. Comput..

[2]  Jin Kwak,et al.  Construction of a secure two-factor user authentication system using fingerprint information and password , 2014, J. Intell. Manuf..

[3]  Cheng-Chi Lee,et al.  Towards secure and efficient user authentication scheme using smart card for multi-server environments , 2013, The Journal of Supercomputing.

[4]  Younghwa An Improved Biometrics-Based Remote User Authentication Scheme with Session Key Agreement , 2012, FGIT-GDC/IESH/CGAG.

[5]  Muhammad Khurram Khan,et al.  Cryptanalysis and Improvement of "An Efficient and Secure Dynamic ID-based Authentication Scheme for Telecare Medical Information Systems" , 2014, Secur. Commun. Networks.

[6]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[7]  Alfred Menezes,et al.  Authenticated Diffie-Hellman Key Agreement Protocols , 1998, Selected Areas in Cryptography.

[8]  Dengguo Feng,et al.  An improved smart card based password authentication scheme with provable security , 2009, Comput. Stand. Interfaces.

[9]  Ya-Fen Chang,et al.  Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update , 2014, Int. J. Commun. Syst..

[10]  Gongping Yang,et al.  Finger Vein Recognition Based on (2D)2 PCA and Metric Learning , 2012, Journal of biomedicine & biotechnology.

[11]  Ding Wang,et al.  Cryptanalysis and security enhancement of a remote user authentication scheme using smart cards , 2012 .

[12]  Younghwa An,et al.  Security Analysis and Enhancements of an Effective Biometric-Based Remote User Authentication Scheme Using Smart Cards , 2012, Journal of biomedicine & biotechnology.

[13]  Mohammad Sabzinejad Farash Cryptanalysis and improvement of an efficient mutual authentication RFID scheme based on elliptic curve cryptography , 2014, The Journal of Supercomputing.

[14]  Yu-Chung Chiu,et al.  Improved remote authentication scheme with smart card , 2005, Comput. Stand. Interfaces.

[15]  Muhammad Khurram Khan,et al.  Fingerprint Biometric-based Self-Authentication and Deniable Authentication Schemes for the Electronic World , 2009 .

[16]  Byunggi Kim,et al.  Secure Mutual Authentication for Ad hoc Wireless Networks , 2005, J. Supercomput..

[17]  Ronggong Song Advanced smart card based password authentication protocol , 2010, Comput. Stand. Interfaces.

[18]  Muhammad Khurram Khan,et al.  A key agreement algorithm with rekeying for wireless sensor networks using public key cryptography , 2010, 2010 International Conference on Anti-Counterfeiting, Security and Identification.

[19]  Kee-Young Yoo,et al.  Improvement of Chien et al.'s remote user authentication scheme using smart cards , 2005, Comput. Stand. Interfaces.

[20]  Wei Liang,et al.  Cryptanalysis of a dynamic identity‐based remote user authentication scheme with verifiable password update , 2015, Int. J. Commun. Syst..

[21]  R. Saravanan,et al.  Cryptanalysis and an Improvement of New Remote Mutual Authentication Scheme using Smart Cards , 2015 .

[22]  Chun-Ta Li,et al.  An efficient biometrics-based remote user authentication scheme using smart cards , 2010, J. Netw. Comput. Appl..

[23]  Debiao He,et al.  Anonymous two-factor authentication for consumer roaming service in global mobility networks , 2013, IEEE Transactions on Consumer Electronics.

[24]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[25]  Kuldip Singh,et al.  An improvement of Xu et al.'s authentication scheme using smart cards , 2010, Bangalore Compute Conf..

[26]  Ruhul Amin,et al.  A Secure Three-Factor User Authentication and Key Agreement Protocol for TMIS With User Anonymity , 2015, Journal of Medical Systems.

[27]  E. Kirubakaran,et al.  Smart card based remote user authentication schemes — Survey , 2012 .

[28]  John A. Clark,et al.  A survey of authentication protocol literature: Version 1.0 , 1997 .

[29]  Lih-Chyau Wuu,et al.  Robust smart‐card‐based remote user password authentication scheme , 2014, Int. J. Commun. Syst..

[30]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[31]  Ashok Kumar Das,et al.  Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards , 2011, IET Inf. Secur..

[32]  Jenq-Shiou Leu,et al.  An anonymous mobile user authentication protocol using self-certified public keys based on multi-server architectures , 2014, The Journal of Supercomputing.

[33]  Xiong Li,et al.  Applying biometrics to design three-factor remote user authentication scheme with key agreement , 2014, Secur. Commun. Networks.

[34]  Minh-Triet Tran,et al.  Robust Biometrics-Based Remote User Authentication Scheme Using Smart Cards , 2012, 2012 15th International Conference on Network-Based Information Systems.

[35]  Xiong Li,et al.  An enhanced smart card based remote user password authentication scheme , 2013, J. Netw. Comput. Appl..

[36]  Roger M. Needham,et al.  Using encryption for authentication in large networks of computers , 1978, CACM.

[37]  Rajaram Ramasamy,et al.  New Remote Mutual Authentication Scheme using Smart Cards , 2009, Trans. Data Priv..

[38]  Eun-Jun Yoon,et al.  Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem , 2010, The Journal of Supercomputing.

[39]  Christof Paar,et al.  On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping Scheme , 2008, CRYPTO.

[40]  Xiong Li,et al.  Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards , 2011, J. Netw. Comput. Appl..

[41]  Jong Hyuk Park An authentication protocol offering service anonymity of mobile device in ubiquitous environment , 2010, The Journal of Supercomputing.

[42]  Colin Boyd,et al.  Protocols for Authentication and Key Establishment , 2003, Information Security and Cryptography.

[43]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[44]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[45]  Cheng-Chi Lee,et al.  Improvement of Li-Hwang's biometrics-based remote user authentication scheme using smart cards , 2011 .

[46]  R. Saravanan,et al.  A secure remote user mutual authentication scheme using smart cards , 2014, J. Inf. Secur. Appl..

[47]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[48]  Muhammad Khurram Khan,et al.  More secure smart card-based remote user password authentication scheme with user anonymity , 2014, Secur. Commun. Networks.

[49]  Sourav Mukhopadhyay,et al.  Improved Biometric-Based Three-factor Remote User Authentication Scheme with Key Agreement Using Smart Card , 2013, ICISS.

[50]  Muhammad Khurram Khan,et al.  Anonymous and provably secure certificateless multireceiver encryption without bilinear pairing , 2015, Secur. Commun. Networks.

[51]  Debiao He,et al.  An efficient remote user authentication and key agreement protocol for mobile client-server environment from pairings , 2012, Ad Hoc Networks.