Multimedia tools and applications manuscript No. (will be inserted by the editor)

A Secure Biometric based Multi-Server Authentication Scheme for Social Multimedia Networks

Shehzad Ashraf Chaudhry

November 12, 2015

Abstract Social networking is one of the major sources of massive data. Such data is not only difficult to store, manipulate and maintain, but its open access also makes it prone to security attacks. Therefore, robust and efficient authentication should be devised to make it resistant to the known security attacks. Moreover, social networking services are intrinsically multi-server environments, so a compatible and suitable authentication scheme should be designed accordingly. Sundry authentication protocols are in use at the moment, and many of them are designed for a single-server architecture. This type of remote architecture requires each user to register separately with every server when multiple servers are employed to offer online social services. Recently the multi-server architecture for authentication has replaced the single-server architecture; it enables users to register once and procure services from multiple servers. A short time ago, Lu et al. presented two authentication schemes based on three factors, both designed for the multi-server architecture. Lu et al. claimed the schemes to be invincible against the known attacks. However, this paper shows that one of Lu et al.'s schemes is susceptible to user anonymity violation and impersonation attacks, whereas Lu et al.'s second scheme is susceptible to a user impersonation attack. Therefore an enhanced scheme is introduced in this paper. The proposed scheme is more robust than the subsisting schemes. It is thoroughly verified and validated with formal and informal security discussion and through the popular automated tool ProVerif. The in-depth analysis affirms that the proposed scheme is lightweight in terms of computation while attaining mutual authentication and resisting the known attacks; hence it is more suitable for automated big data analysis in social multimedia networking environments.
Keywords Social multimedia networking · Big data analysis · Biometrics · Authentication · Multi server · Impersonation attack · Anonymity · ProVerif

1 Introduction

Big data refers to the huge amount of data with complicated and diverse structure that must be stored and analyzed to retrieve results. This kind of result retrieval is known as big data analysis, which is performed by disclosing concealed patterns and correlations present in the colossal data. Big data analysis plays a vital role in present-day business and contemporary science, because it helps organizations and companies attain competitive benefits through deeper and richer insights into precious gigantic data. There are numerous sources of such gigantic data, and social networking interaction is one of them. Storage, manipulation and transfer of huge social networking data become difficult to manage and can be compromised by various security attacks; therefore an efficient authentication mechanism should be developed to make it more secure and reliable. Moreover, social networking services are inherently multi-server environments, so authentication schemes must be specifically designed for the multi-server architecture in order to maintain compatibility. The first step was taken by Lamport [1], who proposed a password based authentication scheme. After that, researchers proposed numerous password based authentication schemes for various applications [2–5]. Although password based authentication schemes are susceptible to a number of attacks, they laid the foundation for advanced research in this area. Therefore, two factor authentication schemes were introduced to mitigate the security concerns of single factor authentication schemes [6–30]. Two factor authentication utilizes a smart card along with a password. Moreover, three factor authentication schemes were also introduced, not only to improve the security of the transmission between the authentic users but also to provide the integrity and authenticity of the exchanged messages [31–38]. Three factor authentication is achieved by utilizing biometrics along with the smart card and password. However, most of the authentication schemes are designed specifically for a single-server architecture and become incompatible with the multi-server architecture. Therefore, new authentication schemes were introduced for multi-server environments. In 2014 Chuang et al. [39] introduced an authentication scheme utilizing biometrics and a smart card and declared the scheme to be secure against the known attacks. Soon afterwards, Mishra et al. [40] identified that Chuang et al.'s scheme is not invincible to server spoofing, smart card stolen and impersonation attacks. Mishra et al. proposed an authentication scheme using a smart card and biometrics and declared it to be secure against all security threats. Later on, Lu et al. [41, 42] recognized that Mishra et al.'s scheme is vulnerable to server spoofing and impersonation attacks and fails to provide forward secrecy. In response to Mishra et al.'s scheme, Lu et al. introduced two independent three factor authentication schemes [41, 42] for the multi-server architecture, and declared their schemes to be invincible against the known attacks. However, this paper provides evidence that both of Lu et al.'s schemes can be compromised by the known attacks. We show that Lu et al.'s scheme-1 [41] is insecure against user anonymity violation and impersonation attacks, whereas Lu et al.'s scheme-2 [42] is insecure against a user impersonation attack. This paper exhibits that, by knowing the public identity of any other user, a dishonest user of the system can impersonate him easily. The rest of the paper is structured as follows: Section 2 presents the notations used within the paper and primitive notions concerning one-way hash functions, BioHashing, the basics of elliptic curve cryptography and the considered adversarial model. Section 3 reviews Lu et al.'s two three factor authentication schemes for multi-server environments, followed by their cryptanalysis in Section 4. The proposed scheme is discussed in Section 5. The formal and informal security analysis is performed in Section 6, followed by automated security validation in Section 7. The performance evaluation is shown in Section 8. The paper is concluded in Section 9.

Shehzad Ashraf Chaudhry
Department of Computer Science and Software Engineering, International Islamic University Islamabad, Pakistan
Tel.: +92-333-5123308
E-mail: [email protected]

† Copyright © 2016 Springer Science+Business Media New York. This is the accepted version published in Multimedia Tools and Applications. The final publication is available at http://link.springer.com/article/10.1007/s11042-015-3194-0. This material is posted here with permission of Springer.

Table 1 Notation Guide

Notation                         Description
RC, S_y, U_x, A                  Registration center, server, user, attacker
SID_y, ID_ux, PW_ux, BIO_ux      Identities of S_y and U_x, U_x's password and biometrics
x_ux, Pub_sy, Pri_sy             U_x's secret key, public and private key pair of S_y
y_rs, PSK_rs                     RC's secret key, secret key shared between S_y and RC
SC_ux, h(.), H(.), ‖, ⊕          U_x's smart card, hash function, BioHash function, concatenation and XOR operators

2 Preliminaries

This section elaborates the notations used throughout the paper and some basics relating to hash functions, BioHashing, elliptic curve cryptography and the common adversarial model.

2.1 Notations

All the notations used in the paper are listed in Table 1.

2.2 BioHashing

Biometrics are unique and quantifiable characteristics commonly utilized to identify or recognize a particular human. Biometrics are used in practice for authentication and demand the physical presence of the particular person being authenticated. At each imprint, biometric features (such as a fingerprint, retina, face or iris) may faintly differ from the enrolled one, leading to frequent false rejections of a legitimate user. Frequent false rejections of a legitimate user in turn degrade the performance of the underlying system. In 2004, Jin et al. [43] proposed a scheme to address the problem of false rejection. Jin et al.'s scheme implements two factor authentication based on an iterated inner product between the biometric features and a tokenized pseudo-random number. To implement Jin et al.'s scheme, multiple and explicit user codes are generated, and these explicit user codes are designated as BioHash codes. Recently, numerous BioHashing schemes have been introduced [44, 45]. BioHashing has been verified to be the most suitable and compatible technique for tiny smart devices such as smart cards and smart phones.
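The following Python is an added illustration of the BioHashing idea described above, not code from the paper or from Jin et al. [43]: a token seeds a set of pseudo-random unit vectors, the biometric feature vector is projected onto each one by an inner product, and the sign of each projection gives one bit of the BioHash code. The feature vectors, the token, the 16-dimensional/32-bit sizes and the 4-bit acceptance tolerance are all constructed for the example; real templates come from a feature extractor and real parameter choices follow the cited schemes.

```python
import hashlib
import random

DIM = 16        # length of the (constructed) biometric feature vector
CODE_BITS = 32  # length of the BioHash code
TOLERANCE = 4   # max Hamming distance accepted between a fresh code and the enrolled one

def _projections(token: bytes, n: int, dim: int) -> list:
    """Tokenized pseudo-random number -> n unit vectors; the token seeds the generator."""
    seed = int.from_bytes(hashlib.sha256(token).digest(), "big")
    rng = random.Random(seed)
    vectors = []
    for _ in range(n):
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        norm = sum(c * c for c in v) ** 0.5
        vectors.append([c / norm for c in v])
    return vectors

def biohash(features: list, token: bytes) -> int:
    """Inner product of the feature vector with each projection, thresholded at 0 -> one bit each."""
    if len(features) != DIM:
        raise ValueError("feature vector must have DIM entries")
    code = 0
    for v in _projections(token, CODE_BITS, DIM):
        dot = sum(f * c for f, c in zip(features, v))
        code = (code << 1) | (1 if dot > 0 else 0)
    return code

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def verify(features: list, token: bytes, enrolled_code: int) -> bool:
    """A fresh imprint is accepted if its BioHash is within TOLERANCE bits of the enrolled code."""
    return hamming(biohash(features, token), enrolled_code) <= TOLERANCE

# Constructed feature vectors: GENUINE is the enrolled template, IMPOSTOR an unrelated one.
GENUINE = [0.9, -1.3, 0.4, 1.1, -0.7, 0.2, -1.5, 0.8, 1.2, -0.3, 0.6, -1.0, 0.5, 1.4, -0.9, 0.1]
IMPOSTOR = [-0.6, 0.5, 1.3, -0.2, 0.9, -1.4, 0.3, 1.0, -1.1, 0.7, -0.4, 0.8, -1.2, 0.2, 1.5, -0.9]
TOKEN = b"constructed user token"

def fresh_imprint(features: list, seed: int = 7, spread: float = 0.02) -> list:
    """Simulates the small imprint-to-imprint variation of the same user (constructed noise)."""
    rng = random.Random(seed)
    return [f + rng.uniform(-spread, spread) for f in features]

def demo() -> dict:
    """Enrols GENUINE under TOKEN and checks the three cases that matter for false rejection/acceptance."""
    enrolled = biohash(GENUINE, TOKEN)
    return {
        "same_user_same_token": verify(fresh_imprint(GENUINE), TOKEN, enrolled),
        "same_user_other_token": verify(GENUINE, b"another token", enrolled),
        "impostor_same_token": verify(IMPOSTOR, TOKEN, enrolled),
        "bits_changed_by_noise": hamming(biohash(fresh_imprint(GENUINE), TOKEN), enrolled),
    }

if __name__ == "__main__":
    print(demo())
```

The small perturbation of a genuine imprint flips at most a few bits because only projections that land close to the threshold can change sign, which is what turns a noisy feature vector into a stable code; a different token or a different person produces an essentially independent code, so the token and the biometric are both required, as in the two factor design of Jin et al.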

2.3 Hash functions

A collision resistant hash function H : {0, 1}* → Z_q* takes an arbitrary-size string Str as input and produces a fixed-length code/value V = H(Str). A secure hash function should possess the following attributes:
– A minor change in the input Str results in a substantial change in the output V.
– It is computationally easy to find V = H(Str), given H(.) and Str.
– For a given hash code V = H(Str) and hash function H(.), finding the input Str is computationally infeasible.
– It is difficult to find two inputs Str1 ≠ Str2 such that H(Str1) = H(Str2). This property is known as the collision resistance property.

Definition 1 [Collision resistance property for secure hash functions] Given a collision resistant secure hash function H(.), the probability that an adversary A can find a pair (Str1 ≠ Str2) such that H(Str1) = H(Str2) is defined as
Adv^HASH_A(t) = Pr[(Str1, Str2) ⇐_r A : (Str1 ≠ Str2) and H(Str1) = H(Str2)],
where A is allowed to select a pair (Str1, Str2) at random. A's advantage is computed over the random choices made during polynomial time t. The collision resistance property implies that Adv^HASH_A(t) ≤ ε for any sufficiently small ε > 0.

2.4 Elliptic Curve Cryptography

A non-singular elliptic curve y^2 = x^3 + ax + b mod p is the set of finite solutions E_p(a, b) such that (x, y) ∈ Z_p* × Z_p, where a, b are chosen carefully to satisfy 4a^3 + 27b^2 mod p ≠ 0 and p is a selected large prime number such that |p| ≥ 160 bits. Scalar multiplication over the curve is defined as repeated addition, i.e. kS = S + S + S + ... + S (k times), for a given point S and a scalar k. The parameters (a, b, p, S, k) must belong to the finite field F_p. E is considered as an abelian group and the point at infinity O is termed the identity element.

Definition 2 [Elliptic curve discrete logarithm problem (ECDLP)] Given two random points U, V ∈ E_p(a, b), find a scalar x such that U = xV. The probability that a polynomial time (t) bounded adversary A can compute x is defined as
Adv^ECDLP_A(t) = Pr[A(U = xV, V) = x : x ∈ Z_p].
The ECDLP assumption implies that Adv^ECDLP_A(t) ≤ ε.

2.5 Adversarial Model

In this paper, we consider the common adversarial model as mentioned in [18, 46–48], where the following assumptions are made about the capabilities of the adversary A:
1. A completely controls the public communication link. A is able to intercept, replay, modify, remove or send a newly fabricated message.
2. The information stored in a smart card can be extracted by A using power analysis [49, 50], provided he has possession of the card.
3. A may be an outsider or a dishonest user of the system and knows all public parameters.
4. A knows the identities and public keys of the registered users and servers.
5. It is assumed that all servers of the system are honest and A is not allowed to compromise any server.

3 Review of Lu et al.'s schemes

In this section, we briefly review Lu et al.'s multi-server biometric based authentication schemes [41, 42] in subsections 3.1 and 3.2 respectively.

3.1 Review of Lu et al.'s Scheme-1 [41]

Lu et al.'s biometric based authentication scheme for multi-server environments [41] is illustrated in Fig. 1 and is elaborated in the following three phases:

3.1.1 Registration Phase

U_x selects his identity ID_ux and password PW_ux and imprints his biometrics BIO_ux. U_x then sends {ID_ux, h(PW_ux ‖ H(BIO_ux))} to RC over a private channel. Upon reception, RC computes X_ux = h(ID_ux ‖ y_rs) and V_ux = h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux))) and stores X_ux, h(PSK_rs) and V_ux in the smart card SC_ux. RC sends the smart card SC_ux to U_x. Upon reception of the smart card, U_x computes Y_ux = h(PSK_rs) ⊕ x_ux. Finally the smart card contains {X_ux, Y_ux, V_ux, h(.)}.


User U_x                                                  Server S_y
Enter ID_ux, PW_ux and BIO_ux
V_ux ≟ h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux)))
K = h((Y_ux ⊕ x_ux) ‖ SID_sy)
M1 = K ⊕ ID_ux
Generate n_ux
M2 = n_ux ⊕ K
M3 = K ⊕ h(PW_ux ‖ H(BIO_ux))
Z_ux = h(X_ux ‖ n_ux ‖ h(PW_ux ‖ H(BIO_ux) ‖ T1))
              {Z_ux, M1, M2, M3, T1}  ----------------------->
                                                          Check freshness of T1
                                                          K = h(h(PSK_rs) ‖ SID_sy)
                                                          n_ux = M2 ⊕ K
                                                          ID_ux = K ⊕ M1
                                                          X_ux = h(ID_ux ‖ y_rs)
                                                          h(PW_ux ‖ H(BIO_ux)) = M3 ⊕ K
                                                          Z_ux ≟ h(n_ux ‖ X_ux ‖ h(PW_ux ‖ H(BIO_ux)))
                                                          Generate n_sy
                                                          M4 = n_sy ⊕ h(n_ux ‖ X_ux ‖ h(PW_ux ‖ H(BIO_ux)))
                                                          M5 = h(ID_ux ‖ n_ux ‖ n_sy ‖ K ‖ T2)
                                                          SK_yx = h(ID_ux ‖ n_ux ‖ n_sy ‖ K)
              <-----------------------  {M4, M5, T2}
Check freshness of T2
n_sy = M4 ⊕ h(n_ux ‖ X_ux ‖ h(PW_ux ‖ H(BIO_ux)))
M5 ≟ h(ID_ux ‖ n_ux ‖ n_sy ‖ K ‖ T2)
SK_xy = h(ID_ux ‖ n_ux ‖ n_sy ‖ K)
M6 = h(SK_xy ‖ ID_ux ‖ n_sy ‖ T3)
              {M6, T3}  ----------------------->
                                                          Check freshness of T3
                                                          M6 ≟ h(SK_yx ‖ ID_ux ‖ n_sy ‖ T3)
              <---------  SK_xy = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)) = SK_yx  --------->

Fig. 1 Lu et al.'s Scheme-1 [41]

3.1.2 Login and authentication Phase

U_x enters his smart card in a specialized reader and inputs his biometrics BIO_ux, password PW_ux and identity ID_ux. The following steps are performed between the smart card SC_ux and the server S_y:

Step L1A1: SC_ux checks V_ux ≟ h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux))); if it does not hold, the session is aborted by SC_ux. Otherwise SC_ux computes K = h((Y_ux ⊕ x_ux) ‖ SID_sy) and M1 = K ⊕ ID_ux. Then SC_ux generates a nonce n_ux and computes M2 = n_ux ⊕ K, M3 = K ⊕ h(PW_ux ‖ H(BIO_ux)) and Z_ux = h(X_ux ‖ n_ux ‖ h(PW_ux ‖ H(BIO_ux) ‖ T1)), where T1 is a fresh timestamp.
Step L1A2: The smart card SC_ux sends {M1, M2, M3, Z_ux, T1} to S_y.
Step L1A3: Upon receiving the login message, S_y checks the freshness of T1 and aborts the session if T1 is not fresh. Otherwise, S_y computes K = h(h(PSK_rs) ‖ SID_sy), n_ux = M2 ⊕ K, ID_ux = K ⊕ M1, X_ux = h(ID_ux ‖ y_rs) and h(PW_ux ‖ H(BIO_ux)) = M3 ⊕ K.
Step L1A4: S_y verifies Z_ux ≟ h(n_ux ‖ X_ux ‖ h(PW_ux ‖ H(BIO_ux))); if it does not hold, S_y aborts the session. Otherwise, S_y selects a random number n_sy and computes M4 = n_sy ⊕ h(n_ux ‖ X_ux ‖ h(PW_ux ‖ H(BIO_ux))), M5 = h(ID_ux ‖ n_ux ‖ n_sy ‖ K ‖ T2) and the session key SK_yx = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)). S_y then sends {M4, M5, T2} to U_x, where T2 is the current timestamp.
Step L1A5: Upon reception, U_x checks the freshness of T2; if T2 is fresh, U_x computes n_sy = M4 ⊕ h(n_ux ‖ X_ux ‖ h(PW_ux ‖ H(BIO_ux))) and checks the validity of M5 ≟ h(ID_ux ‖ n_ux ‖ n_sy ‖ K ‖ T2). If it is not valid, U_x aborts the session. Otherwise, U_x computes the session key SK_xy = h(ID_ux ‖ n_ux ‖ n_sy ‖ K) and M6 = h(SK_xy ‖ ID_ux ‖ n_sy ‖ T3). Finally U_x sends {M6, T3} to S_y, where T3 is the current timestamp.
Step L1A6: Upon receiving the message, S_y checks M6 ≟ h(SK_yx ‖ ID_ux ‖ n_sy ‖ T3); if it holds, S_y considers U_x authenticated. The session key shared between both is:

SK_xy = h(ID_ux ‖ n_ux ‖ n_sy ‖ K) = SK_yx    (1)


3.1.3 Password Change Phase

To change his password, U_x enters his smart card in the reader, then inputs his password PW_ux, identity ID_ux and biometrics BIO_ux. The smart card verifies V_ux ≟ h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux))); if it holds, U_x is asked to enter his new password PW^new_ux. The smart card computes V^new_ux = h(ID_ux ‖ h(PW^new_ux ‖ H(BIO_ux))) and replaces V_ux by V^new_ux.

3.2 Review of Lu et al.'s Scheme-2 [42]

In this section, we briefly review Lu et al.'s scheme-2 [42]. Lu et al. employed public key techniques to achieve user anonymity and forward secrecy. Their scheme involves three participants: a user U_x, a server S_y and the registration center RC. The scheme is illustrated in Fig. 2. We elaborate Lu et al.'s scheme in the following three phases:

3.2.1 Registration Phase

Registration involves the following steps: U_x selects his identity ID_ux, password PW_ux, a random number N_ux and his master private key x_ux. Then U_x scans his biometrics BIO_ux. U_x sends {ID_ux, h(PW_ux, N_ux)} to RC over a private channel. RC computes R_ux = h(ID_ux ‖ h(PW_ux ‖ N_ux)) and personalizes the smart card SC_ux with {R_ux, h(PSK_rs)}, where PSK_rs is the shared secret key between RC and S_y. RC sends SC_ux to U_x over the private channel. Upon receiving the smart card, U_x computes X_ux = h(PSK_rs) ⊕ x_ux and B_ux = N_ux ⊕ H(BIO_ux). Then U_x deletes h(PSK_rs) from the smart card SC_ux and stores X_ux and B_ux in it. Finally the smart card SC_ux contains {R_ux, X_ux, B_ux, h(.)}.

3.2.2 Login and authentication Phase

During the login phase U_x inserts his SC_ux into the card reader, imprints his biometrics BIO_ux and submits ID_ux and PW_ux. The steps performed by SC_ux and S_y are as follows:

Step L2A1: SC_ux computes N_ux = B_ux ⊕ H(BIO_ux) and R'_ux = h(ID_ux ‖ h(PW_ux ‖ N_ux)).
Step L2A2: SC_ux verifies R_ux ≟ h(ID_ux ‖ h(PW_ux ‖ N_ux)); if it does not hold, SC_ux aborts the session.
Step L2A3: SC_ux generates a random number n_ux and computes M1 = E_Pub_sy(ID_ux, n_ux, h(PW_ux ‖ N_ux)) and M2 = h((X_ux ⊕ x_ux) ‖ n_ux ‖ h(PW_ux ‖ N_ux)).
Step L2A4: SC_ux sends the login message {M1, M2} to S_y.
Step L2A5: For the received login message, S_y uses his private key to decrypt M1 and obtains (ID_ux, n_ux, h(PW_ux ‖ N_ux)).
Step L2A6: S_y checks whether M2 ≟ h(h(PSK_rs) ‖ n_ux ‖ h(PW_ux ‖ N_ux)); if it does not hold, S_y aborts the session. Otherwise, S_y selects a random number n_sy and computes M3 = n_sy ⊕ h(n_ux ‖ ID_ux ‖ h(PW_ux ‖ N_ux)), the session key SK_yx = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)) and M4 = h(ID_ux ‖ n_ux ‖ SK_yx ‖ h(PW_ux ‖ N_ux)). S_y then sends {M3, M4} to U_x.
Step L2A7: For the received message, U_x computes n_sy = M3 ⊕ h(n_ux ‖ ID_ux ‖ h(PW_ux ‖ N_ux)) and the session key SK_xy = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)). U_x then checks M4 ≟ h(ID_ux ‖ n_ux ‖ SK_xy ‖ h(PW_ux ‖ N_ux)). If it holds, U_x considers S_y authenticated.
Step L2A8: Finally, U_x computes and sends M5 = h(SK_xy ‖ ID_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)) to S_y.
Step L2A9: S_y checks M5 ≟ h(SK_yx ‖ ID_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)); if it holds, S_y considers U_x authenticated. The computed shared key between U_x and S_y is:

SK_xy = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)) = SK_yx    (2)

3.2.3 Password Change Phase

U_x inserts his smart card SC_ux in a specialized reader. U_x then inputs ID_ux, PW_ux and BIO_ux. SC_ux computes N_ux = B_ux ⊕ H(BIO_ux) and checks R_ux ≟ h(ID_ux ‖ h(PW_ux ‖ N_ux)); if it holds, SC_ux asks for a new password. U_x inputs the new password PW^new_ux. SC_ux computes R^new_ux = h(ID_ux ‖ h(PW^new_ux ‖ N_ux)). Finally SC_ux replaces R_ux by R^new_ux.

4 Cryptanalysis of Lu et al.'s Schemes

This section performs cryptanalysis of Lu et al.'s schemes. We show that Lu et al.'s scheme-1 is vulnerable to: (1) a user anonymity violation attack and (2) a user impersonation attack. Likewise, we show that Lu et al.'s scheme-2 is vulnerable to a user impersonation attack.


User U_x                                                  Server S_y
Enter ID_ux, PW_ux and BIO_ux
Compute N_ux = B_ux ⊕ H(BIO_ux)
R_ux ≟ h(ID_ux ‖ h(PW_ux ‖ N_ux))
Generate n_ux
M1 = E_Pub_sy(ID_ux, n_ux, h(PW_ux ‖ N_ux))
M2 = h((X_ux ⊕ x_ux) ‖ n_ux ‖ h(PW_ux ‖ N_ux))
              {M1, M2}  ----------------------->
                                                          (ID_ux, n_ux, h(PW_ux ‖ N_ux)) = D_Pri_sy(M1)
                                                          M2 ≟ h(h(PSK_rs) ‖ n_ux ‖ h(PW_ux ‖ N_ux))
                                                          Generate n_sy
                                                          M3 = n_sy ⊕ h(n_ux ‖ ID_ux ‖ h(PW_ux ‖ N_ux))
                                                          SK_yx = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux))
                                                          M4 = h(ID_ux ‖ n_ux ‖ SK_yx ‖ h(PW_ux ‖ N_ux))
              <-----------------------  {M3, M4}
n_sy = M3 ⊕ h(n_ux ‖ ID_ux ‖ h(PW_ux ‖ N_ux))
SK_xy = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux))
M4 ≟ h(ID_ux ‖ n_ux ‖ SK_xy ‖ h(PW_ux ‖ N_ux))
M5 = h(SK_xy ‖ ID_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux))
              {M5}  ----------------------->
                                                          M5 ≟ h(SK_yx ‖ ID_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux))
              <---------  SK_xy = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)) = SK_yx  --------->

Fig. 2 Lu et al.'s Scheme-2 [42]

4.1 Weaknesses of Lu et al.'s scheme-1

4.1.1 User anonymity violation attack

Here, we prove that Lu et al.'s scheme-1 is vulnerable to a user anonymity violation attack. To mount the attack, an attacker A initially selects his identity ID_ua, password PW_ua, biometrics BIO_ua and his own secret key x_ua. Then A registers with the system and obtains a smart card containing X_ua = h(ID_ua ‖ y_rs), V_ua = h(ID_ua ‖ h(PW_ua ‖ H(BIO_ua))) and Y_ua = h(PSK_rs) ⊕ x_ua. A performs the following steps for a successful anonymity violation attack:

Step UAV1: A extracts h(PSK_rs) as follows:

h(PSK_rs) = x_ua ⊕ Y_ua    (3)

Step UAV2: When U_x initiates an authentication request by sending {Z_ux, M1, M2, M3, T1} to S_y, A intercepts the message and computes:

K = h(h(PSK_rs) ‖ SID_sy)    (4)

n_ux = M2 ⊕ K    (5)

ID_ux = K ⊕ M1    (6)

In eq. 6, ID_ux is the real identity of user U_x. Hence A has successfully broken the anonymity of U_x.

4.1.2 User impersonation

Here, we prove that Lu et al.'s scheme-1 is vulnerable to an impersonation attack. We show that an adversary A can impersonate any other registered user of the system if he is able to steal that user's smart card. Initially A extracts X_ux = h(ID_ux ‖ y_rs) out of the stolen smart card. Then he performs the following steps to impersonate U_x:

Step IA1: A computes:

K = h(h(PSK_rs) ‖ SID_sy)    (7)

M1 = K ⊕ ID_ux    (8)


Step IA2: A generates two random numbers n_ua and P_ua, generates a timestamp T1 and computes:

M2 = n_ua ⊕ K    (9)

M3 = K ⊕ P_ua    (10)

Z_ua = h(X_ux ‖ n_ua ‖ P_ua ‖ T1)    (11)

Step IA3: A sends {Z_ua, M1, M2, M3, T1} to S_y.
Step IA4: Upon receiving the login message, S_y checks the freshness of T1; as T1 is freshly generated, S_y computes:

K = h(h(PSK_rs) ‖ SID_sy)    (12)

n_ua = M2 ⊕ K    (13)

ID_ux = K ⊕ M1    (14)

X_ux = h(ID_ux ‖ y_rs)    (15)

P_ua = M3 ⊕ K    (16)

Step IA5: S_y verifies Z_ua ≟ h(n_ua ‖ X_ux ‖ P_ua) and finds it true. S_y then selects a random number n_sy and computes:

M4 = n_sy ⊕ h(n_ua ‖ X_ux ‖ P_ua)    (17)

M5 = h(ID_ux ‖ n_ua ‖ n_sy ‖ K ‖ T2)    (18)

SK_yx = h(n_ua ‖ n_sy ‖ P_ua)    (19)

Step IA6: S_y then sends {M4, M5, T2} to U_x, where T2 is the current timestamp.
Step IA7: Upon reception, A computes:

n_sy = M4 ⊕ h(n_ua ‖ X_ux ‖ P_ua)    (20)

SK_xy = h(ID_ux ‖ n_ua ‖ n_sy ‖ K)    (21)

M6 = h(SK_xy ‖ ID_ux ‖ n_sy ‖ T3)    (22)

Step IA8: Finally A sends {M6, T3} to S_y, where T3 is the current timestamp. Upon receiving the message, S_y checks M6 ≟ h(SK_yx ‖ ID_ux ‖ n_sy ‖ T3) and finds it true. Hence A has successfully deceived S_y by impersonating U_x. The session key shared between both is:

SK_xy = h(ID_ux ‖ n_ua ‖ n_sy ‖ K)    (23)
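As an added example (not code from the paper), the following Python models scheme-1's registration and login-message construction from section 3.1 and turns the observation behind Steps UAV1 and UAV2 into a check a protocol reviewer can run: the identity mask K = h(h(PSK_rs) ‖ SID_sy) does not depend on the user, so any card issued by RC yields it and the M1 of any other user's login message can be unmasked. SHA-256 instantiates h(.); identities, nonces and keys are 32-byte constructed strings so that ⊕ is defined; the server identity, the system secrets and the timestamp are placeholders.

```python
import hashlib
import os

def h(*parts: bytes) -> bytes:
    """The paper's one-way hash h(.), instantiated as SHA-256 over the concatenation (‖)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed system secrets: y_rs is RC's secret key, PSK_rs the key RC shares with every server.
Y_RS = h(b"constructed RC secret y_rs")
PSK_RS = h(b"constructed RC/server shared key PSK_rs")
SID_SY = b"constructed SID_sy"

def lu1_register(id_u: bytes, pw_bio: bytes, x_u: bytes) -> dict:
    """Scheme-1 registration (3.1.1). pw_bio = h(PW_ux ‖ H(BIO_ux)), x_u is the user's secret key."""
    x_card = h(id_u, Y_RS)             # X_ux = h(ID_ux ‖ y_rs)
    v_card = h(id_u, pw_bio)           # V_ux = h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux)))
    y_card = xor(h(PSK_RS), x_u)       # Y_ux = h(PSK_rs) ⊕ x_ux, computed by the user on receipt
    return {"X": x_card, "Y": y_card, "V": v_card}

def lu1_login_message(card: dict, id_u: bytes, pw_bio: bytes, x_u: bytes, t1: bytes) -> dict:
    """Steps L1A1/L1A2: the message {Z_ux, M1, M2, M3, T1} a genuine card sends to S_y."""
    if card["V"] != h(id_u, pw_bio):
        raise ValueError("V_ux check failed")
    k = h(xor(card["Y"], x_u), SID_SY)  # K = h((Y_ux ⊕ x_ux) ‖ SID_sy)
    n_u = os.urandom(32)
    return {
        "M1": xor(k, id_u),             # M1 = K ⊕ ID_ux  (the identity mask)
        "M2": xor(n_u, k),
        "M3": xor(k, pw_bio),
        "Z": h(card["X"], n_u, pw_bio, t1),  # Z_ux with T1 appended; its grouping is not used below
        "T1": t1,
    }

def mask_key_from_own_card(card: dict, x_u: bytes) -> bytes:
    """What every registered user can compute from their own card: K = h(h(PSK_rs) ‖ SID_sy)."""
    return h(xor(card["Y"], x_u), SID_SY)

def anonymity_check() -> dict:
    """Registers two unrelated users and tests whether user A's card unmasks user X's M1."""
    id_x, pwb_x, x_x = h(b"ID_ux"), h(b"PW_ux", h(b"BIO_ux")), h(b"x_ux")
    id_a, pwb_a, x_a = h(b"ID_ua"), h(b"PW_ua", h(b"BIO_ua")), h(b"x_ua")
    card_x = lu1_register(id_x, pwb_x, x_x)
    card_a = lu1_register(id_a, pwb_a, x_a)
    msg = lu1_login_message(card_x, id_x, pwb_x, x_x, b"T1 placeholder")
    k_a = mask_key_from_own_card(card_a, x_a)
    return {
        "mask_key_is_user_independent": k_a == mask_key_from_own_card(card_x, x_x),
        "m1_unmasked_with_other_card": xor(k_a, msg["M1"]) == id_x,
    }

if __name__ == "__main__":
    print(anonymity_check())
```

The general form of this check, for any scheme that claims anonymity, is to derive the value masking the identity from nothing but a second registered party's own credentials and the public channel; if that succeeds, the mask is shared rather than per-user. In the proposed scheme of Section 5 the mask K = r_ux.Pub_sy is fresh for every session and is recoverable only with Pri_sy.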

4.2 Weaknesses of Lu et al.'s scheme-2

This section elaborates the weakness of Lu et al.'s scheme-2 against a user impersonation attack. We show that a dishonest legal user A can easily masquerade as another honest user U_x under the common adversarial model described in subsection 2.5.

4.2.1 User impersonation attack

Here, we show that Lu et al.'s scheme cannot resist a forgery attack by a legal user who impersonates another user of the system. Let A be a legal user holding smart card SC_ua who wants to impersonate another user U_x. A performs the following steps for a successful forgery attack against S_y.

Step IA 1: A extracts the information stored in SC_ua and computes:

h(PSK_rs) = X_ua ⊕ x_ua    (24)

Step IA 2: A generates two random numbers n_ua and P_ua and computes:

M̄1 = E_Pub_sy(ID_ux, n_ua, P_ua)    (25)

M̄2 = h((X_ua ⊕ x_ua) ‖ n_ua ‖ P_ua)    (26)

Step IA 3: A sends M̄1 and M̄2 as the login message to S_y.


Step IA 4: For the received login message, S_y decrypts M̄1 to obtain:

(ID_ux, n_ua, P_ua) = D_Pri_sy(M̄1)    (27)

Step IA 5: S_y further verifies M̄2 ≟ h(h(PSK_rs) ‖ n_ua ‖ P_ua) and finds it to be true.
Step IA 6: S_y further selects n_sy and computes:

M3 = n_sy ⊕ h(n_ua ‖ ID_ux ‖ P_ua)    (28)

SK_yx = h(n_ua ‖ n_sy ‖ P_ua)    (29)

M4 = h(ID_ux ‖ n_ua ‖ SK_yx ‖ P_ua)    (30)

Step IA 7: S_y sends M3 and M4 to U_x as the response message.
Step IA 8: A intercepts the message and computes:

n_sy = M3 ⊕ h(n_ua ‖ ID_ux ‖ P_ua)    (31)

SK_xy = h(n_ua ‖ n_sy ‖ P_ua)    (32)

M5 = h(SK_xy ‖ ID_ux ‖ n_sy ‖ P_ua)    (33)

Step IA 9: A sends M5 to S_y.
Step IA 10: S_y checks M5 ≟ h(SK_yx ‖ ID_ux ‖ n_sy ‖ P_ua) and finds it to be true. Hence A has successfully deceived S_y by impersonating U_x. The shared key between A and S_y is:

SK_xy = h(n_ua ‖ n_sy ‖ P_ua) = SK_yx    (34)

5 Proposed Scheme

In this section, we propose an improved and secure biometric based three factor authentication scheme for social multimedia networks to overcome the weaknesses of Lu et al.'s schemes. The proposed scheme is depicted in Fig. 3 and is explained in the following four subsections:

5.1 Initialization

In this phase the system parameters are selected by the registration server. Initially the registration server RC selects an elliptic curve E_p(a, b) mod p, a base point P over E_p(a, b), a one-way hash function h(.), a biometric hashing function H(.) and a key PSK_rs shared with all servers. Finally RC publishes the system public parameters E_p(a, b), h(.), H(.).

5.2 Registration Phase

In this phase both the users and the servers register with the registration server. The following two subsections describe the registration process:

5.2.1 Server Registration

To register with the system, a server S_y selects his identity SID_sy and his private key Pri_sy. Then S_y computes his public key Pub_sy = Pri_sy.P and sends his identity SID_sy and his public key Pub_sy to RC. Upon reception, RC shares the secret key PSK_rs with S_y and publishes S_y's public key Pub_sy.

5.2.2 User Registration

User registration involves the following three steps:

Step PR 1: U_x selects his identity ID_ux and password PW_ux and scans his biometrics BIO_ux. U_x then sends {ID_ux, h(PW_ux ‖ H(BIO_ux))} to RC over a private channel.
Step PR 2: Upon reception, RC computes V_ux = h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux))) and h(PSK_rs ‖ ID_ux) and stores h(PSK_rs ‖ ID_ux) and V_ux in the smart card SC_ux. RC sends the smart card SC_ux to U_x.
Step PR 3: Upon reception of the smart card, U_x computes Y_ux = h(PSK_rs ‖ ID_ux) ⊕ h(PW_ux ‖ ID_ux ‖ H(BIO_ux)). Finally the smart card contains {Y_ux, V_ux, h(.)}.


User U_x                                                  Server S_y
Enter ID_ux, PW_ux and BIO_ux
V_ux ≟ h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux)))
Generate a random number r_ux
K = r_ux.Pub_sy
M1 = r_ux.P
M2 = ID_ux ⊕ K
Generate n_ux
M3 = n_ux ⊕ h((Y_ux ⊕ h(PW_ux ‖ ID_ux ‖ H(BIO_ux))) ‖ SID_sy)
Z_ux = h(h(PSK_rs ‖ ID_ux) ‖ n_ux ‖ K ‖ T1)
              {Z_ux, M1, M2, M3, T1}  ----------------------->
                                                          Check freshness of T1
                                                          K = M1.Pri_sy
                                                          ID_ux = M2 ⊕ K
                                                          n_ux = M3 ⊕ h(h(PSK_rs ‖ ID_ux) ‖ SID_sy)
                                                          Z_ux ≟ h(h(PSK_rs ‖ ID_ux) ‖ n_ux ‖ K ‖ T1)
                                                          Generate n_sy
                                                          M4 = n_sy ⊕ K
                                                          M5 = h(ID_ux ‖ n_ux ‖ n_sy ‖ K ‖ T2)
                                                          SK_yx = h(ID_ux ‖ n_ux ‖ n_sy ‖ K)
              <-----------------------  {M4, M5, T2}
Check freshness of T2
n_sy = M4 ⊕ K
M5 ≟ h(ID_ux ‖ n_ux ‖ n_sy ‖ K ‖ T2)
SK_xy = h(ID_ux ‖ n_ux ‖ n_sy ‖ K)
M6 = h(SK_xy ‖ ID_ux ‖ n_sy ‖ T3)
              {M6, T3}  ----------------------->
                                                          Check freshness of T3
                                                          M6 ≟ h(SK_yx ‖ ID_ux ‖ n_sy ‖ T3)
              <---------  SK_xy = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)) = SK_yx  --------->

Fig. 3 Proposed Scheme

5.3 Login and authentication Phase

The login phase starts when a user U_x inserts his SC_ux into the card reader, imprints his biometrics BIO_ux and enters ID_ux and PW_ux. The subsequent steps performed by SC_ux and S_y are as follows:

Step LA1: SC_ux calculates h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux))) and confirms V_ux ≟ h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux))); if the condition does not hold, SC_ux terminates the session.
Step LA2: SC_ux produces a random number r_ux and calculates K = r_ux.Pub_sy, M1 = r_ux.P and M2 = ID_ux ⊕ K.
Step LA3: SC_ux produces a random number n_ux and calculates M3 = n_ux ⊕ h((Y_ux ⊕ h(PW_ux ‖ ID_ux ‖ H(BIO_ux))) ‖ SID_sy) and Z_ux = h(h(PSK_rs ‖ ID_ux) ‖ n_ux ‖ K ‖ T1).
Step LA4: SC_ux transmits the login message {Z_ux, M1, M2, M3, T1} to S_y.
Step LA5: On receiving the login message, S_y verifies the freshness of T1.
Step LA6: S_y calculates K = M1.Pri_sy with his private key, and also calculates ID_ux = M2 ⊕ K and n_ux = M3 ⊕ h(h(PSK_rs ‖ ID_ux) ‖ SID_sy).
Step LA7: S_y verifies Z_ux ≟ h(h(PSK_rs ‖ ID_ux) ‖ n_ux ‖ K ‖ T1); if it does not hold, S_y terminates the session. Otherwise S_y generates a random number n_sy and calculates M4 = n_sy ⊕ K, M5 = h(ID_ux ‖ n_ux ‖ n_sy ‖ K ‖ T2) and the session key SK_yx = h(ID_ux ‖ n_ux ‖ n_sy ‖ K). S_y then sends {M4, M5, T2} to U_x.
Step LA8: On receiving the response message, U_x verifies the freshness of T2, computes n_sy = M4 ⊕ K and confirms M5 ≟ h(ID_ux ‖ n_ux ‖ n_sy ‖ K ‖ T2); if it holds, U_x considers S_y authenticated. The session key is then computed as SK_xy = h(ID_ux ‖ n_ux ‖ n_sy ‖ K).
Step LA9: U_x calculates M6 = h(SK_xy ‖ ID_ux ‖ n_sy ‖ T3) and transmits {M6, T3} to S_y.
Step LA10: S_y checks the freshness of T3 and verifies M6 ≟ h(SK_yx ‖ ID_ux ‖ n_sy ‖ T3); if it holds, S_y considers U_x authenticated. The derived shared key between U_x and S_y is:

SK_xy = h(n_ux ‖ n_sy ‖ h(PW_ux ‖ N_ux)) = SK_yx    (35)
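As an added example (not code from the paper), the following Python runs the login and authentication phase of Section 5.3 end to end, with both U_x's smart card and S_y in one process, and also serves Section 2.4: the curve arithmetic is the repeated-addition scalar multiplication kS described there, implemented by double-and-add over the public secp256k1 parameters (a constructed choice; the paper fixes no curve). SHA-256 instantiates h(.); the point K is converted to bytes with h(.) before it enters ⊕ and h(.); identities and nonces are 32-byte strings; the timestamps are placeholders and their freshness checks are omitted; the session key follows Steps LA7 and LA8, SK = h(ID_ux ‖ n_ux ‖ n_sy ‖ K). All keys and identities are constructed.

```python
import hashlib
import os

def h(*parts: bytes) -> bytes:
    """The paper's one-way hash h(.), instantiated as SHA-256 over the concatenation (‖)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# E_p(a, b) with base point P: secp256k1 parameters (public constants), affine coordinates.
P_MOD = 2**256 - 2**32 - 977
A_COEF = 0
BASE_P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
          0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(p, q):
    """Group law on the curve; None stands for the point at infinity O."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                  # S + (-S) = O
    if p == q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k: int, pt):
    """kS = S + S + ... + S (k times), computed by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def point_bytes(pt) -> bytes:
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def rand_scalar() -> int:
    return 1 + int.from_bytes(os.urandom(32), "big") % (ORDER - 1)

# 5.1 / 5.2.1: RC's key shared with all servers and S_y's key pair (constructed).
PSK_RS = h(b"constructed PSK_rs")
SID_SY = b"constructed SID_sy"
PRI_SY = rand_scalar()
PUB_SY = ec_mul(PRI_SY, BASE_P)                      # Pub_sy = Pri_sy.P

def register_user(id_u: bytes, pw: bytes, h_bio: bytes) -> dict:
    """5.2.2: the card ends up holding {Y_ux, V_ux}; h_bio stands for H(BIO_ux)."""
    if len(id_u) != 32:
        raise ValueError("identities are 32-byte strings in this example")
    v = h(id_u, h(pw, h_bio))                        # V_ux = h(ID_ux ‖ h(PW_ux ‖ H(BIO_ux)))
    y = xor(h(PSK_RS, id_u), h(pw, id_u, h_bio))     # Y_ux = h(PSK_rs ‖ ID_ux) ⊕ h(PW_ux ‖ ID_ux ‖ H(BIO_ux))
    return {"Y": y, "V": v}

def run_login(card: dict, id_u: bytes, pw: bytes, h_bio: bytes) -> dict:
    """5.3, Steps LA1-LA10, card side and server side interleaved as on the wire."""
    if card["V"] != h(id_u, h(pw, h_bio)):            # LA1: local three-factor check
        return {"ok": False, "reason": "V_ux mismatch"}
    r = rand_scalar()                                # LA2-LA4: K = r_ux.Pub_sy, M1 = r_ux.P, M2, M3, Z_ux
    K_u = h(point_bytes(ec_mul(r, PUB_SY)))          # byte form of the point K
    M1 = ec_mul(r, BASE_P)
    M2 = xor(id_u, K_u)
    n_u = os.urandom(32)
    rc_secret_u = xor(card["Y"], h(pw, id_u, h_bio))  # recovers h(PSK_rs ‖ ID_ux) from Y_ux
    M3 = xor(n_u, h(rc_secret_u, SID_SY))
    T1 = b"T1 placeholder"
    Z = h(rc_secret_u, n_u, K_u, T1)
    K_s = h(point_bytes(ec_mul(PRI_SY, M1)))         # LA5-LA7 (server): K = M1.Pri_sy
    id_s = xor(M2, K_s)
    rc_secret_s = h(PSK_RS, id_s)
    n_u_s = xor(M3, h(rc_secret_s, SID_SY))
    if Z != h(rc_secret_s, n_u_s, K_s, T1):
        return {"ok": False, "reason": "Z_ux rejected"}
    n_s, T2 = os.urandom(32), b"T2 placeholder"
    M4 = xor(n_s, K_s)
    M5 = h(id_s, n_u_s, n_s, K_s, T2)
    SK_yx = h(id_s, n_u_s, n_s, K_s)
    n_s_u = xor(M4, K_u)                             # LA8-LA9 (card): unmask n_sy, verify M5, answer M6
    if M5 != h(id_u, n_u, n_s_u, K_u, T2):
        return {"ok": False, "reason": "M5 rejected"}
    SK_xy = h(id_u, n_u, n_s_u, K_u)
    T3 = b"T3 placeholder"
    M6 = h(SK_xy, id_u, n_s_u, T3)
    if M6 != h(SK_yx, id_s, n_s, T3):                # LA10 (server)
        return {"ok": False, "reason": "M6 rejected"}
    return {"ok": True, "keys_match": SK_xy == SK_yx, "session_k": K_u}
```

Two runs with the same card produce different K values, since K is r_ux.Pub_sy for a fresh r_ux each time and only the holder of Pri_sy can recover it from M1; a wrong password is stopped at Step LA1 before anything is sent. Multiplying the base point by the group order returns the point at infinity, which is the sanity check worth keeping on any hand-written curve arithmetic.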


5.4 Password Change Phase

U_x inserts his smart card SC_ux in a specialized reader. U_x then inputs ID_ux, PW_ux and BIO_ux. SC_ux computes N_ux = B_ux ⊕ H(BIO_ux) and checks R_ux ≟ h(ID_ux ‖ h(PW_ux ‖ N_ux)); if it holds, SC_ux asks for a new password. U_x inputs the new password PW^new_ux. SC_ux computes R^new_ux = h(ID_ux ‖ h(PW^new_ux ‖ N_ux)) and X^new_ux = X_ux ⊕ h(PW_ux ‖ ID_ux ‖ N_ux) ⊕ h(PW^new_ux ‖ ID_ux ‖ N_ux). Finally, SC_ux replaces R_ux and X_ux by R^new_ux and X^new_ux.

6 Security Analysis

The formal security analysis followed by a security discussion is performed in this section. Further, protocol verification through the automated tool ProVerif is also substantiated here.

6.1 Formal Security

To demonstrate formally that the proposed scheme is secure, we adopt the same analysis as in [40, 51]. The following oracles are defined for the analysis:
– Reveal: This oracle unconditionally outputs a string S from the one-way hash function R = h(S).
– Extract: This oracle unconditionally outputs the scalar multiplier k out of the given elliptic curve points O = kP and P.

Theorem 1 The proposed biometric based multi-server authentication scheme is secure against an attacker A deriving U_x's identity ID_ux, the parameter K, the session key SK_xy and the shared key PSK_rs between RC and S_y, considering the one-way hash function as a random oracle and under the hardness assumption of ECDLP.

Proof 1 Let A be an adversary having the capability to compute U_x's ID_ux, the secret session parameter K, the session key SK_xy and the shared key PSK_rs between RC and S_y. A simulates both oracles Reveal and Extract to run the algorithmic experiment EXP1^{HASH,ECDLP}_{A,TFBAMS} against our proposed three factor biometric based authentication scheme for multi-server environments (TFBAMS). The success probability for the mentioned experiment is defined as Succ^{e1} = |Pr[EXP1^{HASH,ECDLP}_{A,TFBAMS} = 1] − 1|. A's advantage is defined as Advt1^{HASH,ECDLP}_{A,TFBAMS}(t, q_rev, q_ext) = max_A(Succ^{e1}), where A is allowed to make at most q_rev Reveal and q_ext Extract queries. Referring to the experiment, A can compute ID_ux, K, SK_xy and PSK_rs if he can (i) invert the hash function and (ii) solve the ECDLP. However, by Definition 1 it is computationally infeasible to invert a secure one-way hash function, and similarly by Definition 2 it is computationally infeasible to solve the ECDLP. Hence, we have Advt1^{HASH,ECDLP}_{A,TFBAMS}(t, q_rev, q_ext) ≤ ε. Therefore, the proposed three factor biometric based authentication scheme for multi-server environments is secure against an adversary A computing U_x's ID_ux, the secret session parameter K, the session key SK_xy and the shared key PSK_rs between RC and S_y.

Theorem 2 The proposed biometric based multi-server authentication scheme is secure against an attacker A deriving U_x's biometrics H(BIO_ux), identity ID_ux, password PW_ux and the security parameter h(PSK_rs ‖ ID_ux) from a stolen smart card, considering the one-way hash function as a random oracle.

Proof 2 Let A be an adversary having the capability to derive U_x's biometrics H(BIO_ux), identity ID_ux, password PW_ux and the security parameter h(PSK_rs ‖ ID_ux) out of a stolen smart card. A simulates the Reveal oracle to run the algorithmic experiment EXP2^{HASH}_{A,TFBAMS} against our proposed three factor biometric based authentication scheme for multi-server environments (TFBAMS). The success probability for the mentioned experiment is defined as Succ^{e2} = |Pr[EXP2^{HASH}_{A,TFBAMS} = 1] − 1|. A's advantage is defined as Advt2^{HASH}_{A,TFBAMS}(t, q_rev) = max_A(Succ^{e2}), where A is allowed to make at most q_rev Reveal queries. Referring to the experiment, A can compute H(BIO_ux), ID_ux, PW_ux and PSK_rs if he can invert the hash function. However, by Definition 1 it is computationally infeasible to invert a secure one-way hash function. Hence, we have Advt2^{HASH}_{A,TFBAMS}(t, q_rev) ≤ ε. Therefore, the proposed three factor biometric based authentication scheme for multi-server environments is secure against an adversary A computing U_x's biometrics H(BIO_ux), identity ID_ux, password PW_ux and the security parameter h(PSK_rs ‖ ID_ux) out of a stolen smart card.

6.2 Further security discussion
In this subsection, we informally describe the security functionalities provided by the proposed scheme.


Algorithm 1 $EXPE1^{HASH,ECDLP}_{\mathcal{A},TFBAMS}$
1: Eavesdrop the login message $\{Z_{ux}, M_1, M_2, M_3, T_1\}$, where $M_1 = r_{ux} \cdot P$, $M_2 = ID_{ux} \oplus K$, $M_3 = n_{ux} \oplus h(h(PSK_{rs} \| ID_{ux}) \| SID_{sy})$ and $Z_{ux} = h(h(PSK_{rs} \| ID_{ux}) \| n_{ux} \| K \| T_1)$
2: Call the Extract oracle on $M_1$ and $P$ to obtain $r'_{ux} \leftarrow Extract(M_1, P)$
3: Compute $K' = r'_{ux} \cdot Pub_{sy}$ and $ID'_{ux} = K' \oplus M_2$
4: Call Reveal on $Z_{ux}$ to get $(h(PSK_{rs} \| ID_{ux})' \| n'_{ux} \| K'' \| T'_1) \leftarrow Reveal(Z_{ux})$
5: if ($K'' = K'$) then
6:   Call Reveal on $h(PSK_{rs} \| ID_{ux})'$ and get $(PSK'_{rs} \| ID''_{ux}) \leftarrow Reveal(h(PSK_{rs} \| ID_{ux})')$
7:   if ($ID'_{ux} = ID''_{ux}$) then
8:     Accept $ID'_{ux}$ and $PSK'_{rs}$ along with the session specific parameters $n'_{ux}$ and $K'$
9:     Eavesdrop the challenge message $\{M_4, M_5, T_2\}$, where $M_4 = n_{sy} \oplus K$ and $M_5 = h(ID_{ux} \| n_{ux} \| n_{sy} \| K \| T_2)$
10:    Compute $n'_{sy} = M_4 \oplus K'$ and $SK'_{xy} = h(ID'_{ux} \| n'_{ux} \| n'_{sy} \| K')$
11:    Eavesdrop the response message $\{M_6, T_3\}$
12:    Compute $M'_6 = h(SK'_{xy} \| ID'_{ux} \| n'_{sy} \| T_3)$
13:    if ($M'_6 = M_6$) then
14:      Accept $SK'_{xy}$
15:    else
16:      return Fail
17:    end if
18:  else
19:    return Fail
20:  end if
21: else
22:   return Fail
23: end if

Algorithm 2 $EXPE2^{HASH}_{\mathcal{A},TFBAMS}$
1: Extract the parameters $Y_{ux}$, $V_{ux}$ from the stolen smart card using the methods mentioned in [49, 50], where $Y_{ux} = h(PSK_{rs} \| ID_{ux}) \oplus h(PW_{ux} \| ID_{ux} \| H(BIO_{ux}))$ and $V_{ux} = h(ID_{ux} \| h(PW_{ux} \| H(BIO_{ux})))$
2: Call the Reveal oracle on $V_{ux}$ and obtain $(ID'_{ux} \| h(PW_{ux} \| H(BIO_{ux}))') \leftarrow Reveal(V_{ux})$
3: Call Reveal on $h(PW_{ux} \| H(BIO_{ux}))'$ to get $(PW'_{ux} \| H(BIO_{ux})') \leftarrow Reveal(h(PW_{ux} \| H(BIO_{ux}))')$
4: Compute $W = h(PW'_{ux} \| ID'_{ux} \| H(BIO_{ux})')$ and $T = Y_{ux} \oplus W = h(PSK_{rs} \| ID_{ux})$
5: Call Reveal on $T$ and obtain $(PSK'_{rs} \| ID''_{ux}) \leftarrow Reveal(T)$
6: if ($ID''_{ux} = ID'_{ux}$) then
7:   Accept $PSK'_{rs}$, $PW'_{ux}$ and $H(BIO_{ux})'$
8: else
9:   return Fail
10: end if

Table 2 Comparison of security parameters

Security parameter                            | Proposed | [42] | [41] | [40] | [39]
--------------------------------------------- | -------- | ---- | ---- | ---- | ----
Anonymity and privacy                         | Yes      | Yes  | No   | Yes  | Yes
Mutual authentication and key agreement       | Yes      | Yes  | Yes  | Yes  | Yes
Resists impersonation attack                  | Yes      | No   | No   | No   | No
Resists smart card theft attack               | Yes      | Yes  | Yes  | Yes  | No
Resists replay attack                         | Yes      | Yes  | Yes  | Yes  | Yes
Provides forward secrecy                      | Yes      | Yes  | Yes  | No   | Yes
Resists insider and stolen verifier attacks   | Yes      | Yes  | Yes  | Yes  | Yes
Resists password guessing attack              | Yes      | Yes  | Yes  | Yes  | Yes
No clock synchronization required             | Yes      | Yes  | Yes  | Yes  | Yes

6.2.1 Anonymity and privacy
In our proposed biometric scheme the user $U_x$'s identity $ID_{ux}$ is never sent over the public network; instead $M_1$ and $M_2$ are sent to $S_y$. These two parameters are freshly generated for each session. Anonymity can only be broken if an adversary can compute $K$, but $K$ can be computed only with $S_y$'s private key. Hence the proposed scheme preserves anonymity and untraceability.

6.2.2 Mutual authentication
$S_y$ authenticates $U_x$ by checking $Z_{ux} \stackrel{?}{=} h(h(PSK_{rs} \| ID_{ux}) \| n_{ux} \| K \| T_1)$. Computation of $Z_{ux}$ involves $h(PSK_{rs} \| ID_{ux})$, which requires the smart card as well as the password $PW_{ux}$ and the biometrics $BIO_{ux}$ of $U_x$. Therefore, to deceive $S_y$ the adversary needs $U_x$'s password and biometrics as well as his smart card. Likewise, $U_x$ authenticates $S_y$ by checking $M_5 \stackrel{?}{=} h(ID_{ux} \| n_{ux} \| n_{sy} \| K \| T_2)$, which requires the computation of $U_x$'s identity $ID_{ux}$, the session parameter $n_{ux}$ and $K$. $ID_{ux}$ and $K$ can be computed only by using $S_y$'s private key, as mentioned in subsection 6.2.1, while $n_{ux}$ can be computed only by using $h(h(PSK_{rs} \| ID_{ux}) \| SID_{sy})$, which requires the shared secret key between $S_y$ and $RC$. So in order to deceive $U_x$, the adversary needs $S_y$'s private key $Pri_{sy}$ as well as the shared key $h(PSK_{rs})$ between $S_y$ and $RC$. Hence only a legal user can pass the authentication test of the server and vice versa. Therefore, the proposed scheme provides proper mutual authentication.

6.2.3 User and server impersonation attacks
Only a legal user can generate the legal authentication request message $\{Z_{ux}, M_1, M_2, M_3, T_1\}$ and response message $\{M_6, T_3\}$; similarly, only the legal server can respond with the challenge message $\{M_4, M_5, T_2\}$, as shown in subsection 6.2.2. Hence user and server impersonation attacks are not feasible on the proposed scheme.

6.2.4 Smart card theft/stolen attack
Let us assume that the adversary, by some means, acquires $U_x$'s smart card and extracts the parameters $V_{ux} = h(ID_{ux} \| h(PW_{ux} \| H(BIO_{ux})))$, $Y_{ux} = h(PSK_{rs} \| ID_{ux}) \oplus h(PW_{ux} \| ID_{ux} \| H(BIO_{ux}))$ and $h(\cdot)$. To compute the secret parameter $h(PSK_{rs} \| ID_{ux})$, the adversary still needs $PW_{ux}$ and $BIO_{ux}$. Hence the stolen smart card does not help the adversary to forge.

6.2.5 Replay attack
Suppose an adversary intercepts the login request message $\{Z_{ux}, M_1, M_2, M_3, T_1\}$ and replays it later. On receiving the message, the server $S_y$ checks the freshness of the time stamp $T_1$; as the time stamp is outdated, $S_y$ simply discards the message. Therefore a replay attack is not viable on the proposed scheme.

6.2.6 Perfect forward secrecy
The session key computed between $S_y$ and $U_x$ contains the shares $(n_{sy}, n_{ux})$ contributed by both participants. So even if the long term private key of $S_y$ or $U_x$'s password is revealed to the attacker, it does not help in computing previous session keys. Therefore, the proposed scheme possesses perfect forward secrecy.

6.2.7 Insider and stolen verifier attacks
In the proposed scheme, $S_y$ does not store any parameter related to $U_x$'s password ($PW_{ux}$) or his biometrics ($BIO_{ux}$); as there is no verifier table, no stolen verifier attack is possible.
Likewise, $U_x$ does not send his password ($PW_{ux}$) or his biometrics $BIO_{ux}$ in plain text; hence no insider gains any advantage in exposing his password or biometrics.

6.2.8 Password guessing attack
In the proposed scheme, the information relating to $U_x$'s password is protected by his identity $ID_{ux}$ and his BioHashed biometrics $H(BIO_{ux})$, and is further enclosed by exclusive-or with $h(PSK_{rs} \| ID_{ux})$. Moreover, there is no parameter stored in the smart card that would let an adversary check the validity of a guessed password. Hence no offline password guessing attack is feasible on the proposed scheme. Likewise, the system incorporates a built-in maximum number of login requests, which rules out online password guessing.

7 Verification through ProVerif
The purpose of verification tools for cryptographic protocols is to confirm the robustness of a protocol against active and passive adversaries having some knowledge of the cryptographic parameters. ProVerif is an applied $\pi$-calculus based automated verification tool for validating the security of cryptographic protocols against knowledgeable attackers. ProVerif can prove a number of security properties such as reachability, secrecy and authentication [18, 52, 53]. We have implemented the login and authentication steps of the proposed protocol as illustrated in Fig. 3 and explained in subsection 5.3. The formal verification model in ProVerif consists of the following three parts. (1) The declaration part defines names, constants, variables and cryptographic operations; it is shown in Fig. 4(a). (2) The process part defines the processes involved in protocol execution; as illustrated in Fig. 4(b), we define two processes, the server process (ServerSy) and the user process (UserUx). (3) The main part simulates the protocol execution; as shown in Fig. 4(c), we simulate parallel execution of the two processes along with the definition of two events to verify the reachability property. Finally, we run three queries. The results are as follows:
1. RESULT inj-event(end_Serversy(id)) ==> inj-event(begin_Serversy(id)) is true.
2. RESULT inj-event(end_Userux(id_1114)) ==> inj-event(begin_Userux(id_1114)) is true.
3. RESULT not attacker(SKxy[]) is true.

Results (1) and (2) validate that both the user and the server process start and terminate normally, which confirms correctness and the reachability property, while (3) verifies that the session key (SKxy[]) is not exposed to the adversary. Hence the proposed protocol possesses reachability as well as secrecy and authentication properties.
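The login and authentication exchange that the ProVerif model encodes, together with the freshness check of subsection 6.2.5 and the two authentication checks of subsection 6.2.2, as an added Python example written for this page (it is not the paper's implementation). Assumptions: secp256k1 as the curve (the paper fixes none), SHA-256 with length-prefixed concatenation for $h(\cdot)$, a domain-separated SHA-256 as a stand-in for the BioHash $H(\cdot)$, hashing the coordinates of the shared point $r_{ux} \cdot Pub_{sy}$ to obtain the bitstring $K$, an 8-byte Unix timestamp with a 5 second freshness window, and constructed values for $PSK_{rs}$, $SID_{sy}$, $ID_{ux}$, $PW_{ux}$ and $BIO_{ux}$. The helper names (register, user_login, server_challenge, user_response, server_finish, run_session) are this example's own.

```python
import hashlib, secrets, time

P_MOD = 2**256 - 2**32 - 977  # secp256k1 field prime (assumption: the paper fixes no curve)
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
WINDOW = 5  # seconds of clock skew S_y tolerates on T1 (assumption)

def ec_add(p1, p2):
    # Affine addition on y^2 = x^3 + 7 over F_p; None is the point at infinity.
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_MOD) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P_MOD)) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    # Double-and-add scalar multiplication k.pt (the T_Epm operation of Section 8).
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):
    # One-way hash h(a || b || ...); length prefixes keep the concatenation unambiguous.
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()

H = lambda bio: hashlib.sha256(b"biohash|" + bio).digest()  # BioHash stand-in (assumption)
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def point_key(pt):  # shared point r_ux.Pub_sy -> 32-byte bitstring K (assumption)
    return hashlib.sha256(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")).digest()

def ts(offset=0):
    return (int(time.time()) - offset).to_bytes(8, "big")

def register(psk_rs, id_ux, pw_ux, bio_ux):
    # RC loads the smart card with Y_ux and V_ux (Section 6.2.4); no verifier table at S_y.
    return {"Y": xor(h(psk_rs, id_ux), h(pw_ux, id_ux, H(bio_ux))),
            "V": h(id_ux, h(pw_ux, H(bio_ux)))}

def user_login(card, id_ux, pw_ux, bio_ux, pub_sy, sid_sy, t1_offset=0):
    # Step 1: U_x builds {Z_ux, M1, M2, M3, T1} and keeps (K, n_ux) for step 3.
    if card["V"] != h(id_ux, h(pw_ux, H(bio_ux))):
        raise ValueError("local smart card check failed")
    hpsk_id = xor(card["Y"], h(pw_ux, id_ux, H(bio_ux)))  # recovers h(PSK_rs || ID_ux)
    r_ux = secrets.randbelow(N_ORD - 1) + 1
    k, n_ux, t1 = point_key(ec_mul(r_ux, pub_sy)), secrets.token_bytes(32), ts(t1_offset)
    msg = {"Z": h(hpsk_id, n_ux, k, t1), "M1": ec_mul(r_ux, G), "M2": xor(id_ux, k),
           "M3": xor(n_ux, h(hpsk_id, sid_sy)), "T1": t1}
    return msg, {"K": k, "n_ux": n_ux, "id": id_ux}

def server_challenge(msg, pri_sy, psk_rs, sid_sy):
    # Step 2: S_y rejects a stale T1 (replay, 6.2.5), verifies Z_ux, answers {M4, M5, T2}.
    if abs(int(time.time()) - int.from_bytes(msg["T1"], "big")) > WINDOW:
        return None, None
    k = point_key(ec_mul(pri_sy, msg["M1"]))  # Pri_sy.(r_ux.P) equals r_ux.Pub_sy
    id_ux = xor(msg["M2"], k)
    hpsk_id = h(psk_rs, id_ux)
    n_ux = xor(msg["M3"], h(hpsk_id, sid_sy))
    if msg["Z"] != h(hpsk_id, n_ux, k, msg["T1"]):
        return None, None
    n_sy, t2 = secrets.token_bytes(32), ts()
    chal = {"M4": xor(n_sy, k), "M5": h(id_ux, n_ux, n_sy, k, t2), "T2": t2}
    return chal, {"SK": h(id_ux, n_ux, n_sy, k), "id": id_ux, "n_sy": n_sy}

def user_response(chal, st):
    # Step 3: U_x authenticates S_y through M5, derives SK_xy and sends {M6, T3}.
    n_sy = xor(chal["M4"], st["K"])
    if chal["M5"] != h(st["id"], st["n_ux"], n_sy, st["K"], chal["T2"]):
        return None, None
    sk, t3 = h(st["id"], st["n_ux"], n_sy, st["K"]), ts()
    return {"M6": h(sk, st["id"], n_sy, t3), "T3": t3}, sk

def server_finish(resp, st):
    # Step 4: S_y confirms M6; afterwards both sides hold the same SK_xy.
    return st["SK"] if resp["M6"] == h(st["SK"], st["id"], st["n_sy"], resp["T3"]) else None

def run_session(t1_offset=0):
    # Full exchange on constructed parameters; returns (user_key, server_key).
    psk_rs, sid_sy = b"psk-rc-sy-demo", b"sy-001"  # constructed RC/S_y secrets
    pri_sy = secrets.randbelow(N_ORD - 1) + 1
    pub_sy = ec_mul(pri_sy, G)
    id_ux, pw_ux, bio_ux = b"alice".ljust(32, b"\0"), b"pw-demo", b"fp-template"
    card = register(psk_rs, id_ux, pw_ux, bio_ux)
    login, ust = user_login(card, id_ux, pw_ux, bio_ux, pub_sy, sid_sy, t1_offset)
    chal, sst = server_challenge(login, pri_sy, psk_rs, sid_sy)
    if chal is None: return None, None
    resp, sk_user = user_response(chal, ust)
    return sk_user, server_finish(resp, sst)
```

run_session() returns the same key from both sides; run_session(t1_offset=600) models a replayed or stale login request and is dropped by server_challenge on the timestamp comparison alone, before the server spends a point multiplication on it. Note that the only long-term values the user side ever needs are the card contents plus $PW_{ux}$ and $BIO_{ux}$: $h(PSK_{rs} \| ID_{ux})$ is recovered from $Y_{ux}$, which is why the three factors together are required to form a valid $Z_{ux}$.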

(a) Declarations

(*************** Channels ***************)
free Ch_Pub: channel.
(********** Names & Variables **********)
free IDux: bitstring.
free PWux: bitstring.
free Yux: bitstring.
free BIOux: bitstring [private].
free Vux: bitstring [private].
const P: bitstring.
free Pubsy: bitstring.
free PSKrs: bitstring [private].
free SIDsy: bitstring [private].
(** Constructors * destructors * Equations **)
fun h(bitstring): bitstring.
fun H(bitstring): bitstring.
fun mult(bitstring, bitstring): bitstring.
fun concat(bitstring, bitstring): bitstring.
fun xor(bitstring, bitstring): bitstring.
equation forall a: bitstring, b: bitstring; xor(xor(a, b), b) = a.

(b) Processes

(*************** processes **************)
(**************** User ux ***************)
let UserUx =
  (* Login and Authentication Phase *)
  let Vux' = h(concat(IDux, h(concat(PWux, H(BIOux))))) in
  new rux: bitstring;
  let K = mult(rux, Pubsy) in
  let M1 = mult(rux, P) in
  let M2 = xor(IDux, K) in
  new nux: bitstring;
  new T1: bitstring;
  let M3 = xor(nux, h(xor(Yux, concat(h(concat(PWux, (IDux, H(BIOux)))), SIDsy)))) in
  let Zux = h(concat(h(concat(PSKrs, IDux)), (nux, K, T1))) in
  out(Ch_Pub, (Zux, M1, M2, M3, T1));
  in(Ch_Pub, (xM4: bitstring, xM5: bitstring, xT2: bitstring));
  new T2: bitstring;
  let nsy = xor(xM4, K) in
  let M5 = h(concat(IDux, (nux, nsy, K, T2))) in
  if (M5 = xM5) then
    let SKxy = h(concat(IDux, (nux, nsy, K))) in
    new T3: bitstring;
    let M6 = h(concat(SKxy, (IDux, nsy, T3))) in
    out(Ch_Pub, (M6, T3))
  else 0.

(*************** Server Sy **************)
let ServerSy =
  new Prisy: bitstring;
  let Pubsy = mult(Prisy, P) in
  in(Ch_Pub, (xZux: bitstring, xM1: bitstring, xM2: bitstring, xM3: bitstring, xT1: bitstring));
  new T1: bitstring;
  let K = mult(xM1, Prisy) in
  let IDux' = xor(xM2, K) in
  let nux = xor(xM3, h(concat(h(concat(PSKrs, IDux')), SIDsy))) in
  let Zux = h(concat(h(concat(PSKrs, IDux')), (nux, K, T1))) in
  if (Zux = xZux) then
    new nsy: bitstring;
    new T2: bitstring;
    let M4 = xor(nsy, K) in
    let M5 = h(concat(IDux', (nux, nsy, K, T2))) in
    let SKxy = h(concat(IDux', (nux, nsy, K))) in
    out(Ch_Pub, (M4, M5, T2));
    in(Ch_Pub, (xM6: bitstring, xT3: bitstring));
    new T3: bitstring;
    let M6 = h(concat(SKxy, (IDux', nsy, T3))) in
    if (M6 = xM6) then 0.

(c) Main

(**************** Events ****************)
event begin_Userux(bitstring).
event end_Userux(bitstring).
event begin_Serversy(bitstring).
event end_Serversy(bitstring).
(*************** queries ****************)
free SKxy: bitstring [private].
query attacker(SKxy).
query id: bitstring; inj-event(end_Userux(id)) ==> inj-event(begin_Userux(id)).
query id: bitstring; inj-event(end_Serversy(id)) ==> inj-event(begin_Serversy(id)).
(********** Process Replication *********)
process ((!ServerSy) | (!UserUx))

Fig. 4 ProVerif code: (a) declarations, (b) processes, (c) main

8 Performance comparisons
This section presents the performance assessment of the proposed scheme against the two schemes of Lu et al. and other pertinent schemes. Recently, Lu et al. presented two biometric based schemes for multi-server environments and professed that their schemes provide security against the known threats. This paper shows that Lu et al.'s schemes do not provide invincibility against a few well known attacks: the first scheme of Lu et al. fails to resist user anonymity violation and impersonation attacks, whereas their second scheme is vulnerable to an impersonation attack. The proposed scheme's performance is compared with both schemes of Lu et al. in Table 3. The following notations are used for the computation cost analysis:
– TOh refers to the accumulated execution time of a one-way hash operation.
– TRe refers to the accumulated execution time of an RSA encryption.
– TRd refers to the accumulated execution time of an RSA decryption.
– TEpm refers to the accumulated execution time of an elliptic curve point multiplication.
As per the experiment of Kilinc and Yanik [54] on a personal computer with a Dual CPU E2200 2.20 GHz processor and 2048 MB of RAM, the computation cost of TOh is approximately 0.0023 ms, of TRe 3.8500 ms, of TRd 0.1925 ms and of TEpm 2.229 ms. The experiment of Kilinc and Yanik [54] was performed on the Ubuntu operating system using the PBC library.

Table 3 Computation cost comparison

Scheme             | User side     | Server side   | Total execution time
------------------ | ------------- | ------------- | ---------------------------------------
Chuang et al. [39] | 8TOh          | 8TOh          | 16TOh ≈ 0.0368 ms
Mishra et al. [40] | 10TOh         | 7TOh          | 17TOh ≈ 0.0391 ms
Lu et al. [41]     | 9TOh          | 8TOh          | 17TOh ≈ 0.0391 ms
Lu et al. [42]     | 8TOh + 3TRe   | 8TOh + 3TRd   | 16TOh + 3TRe + 3TRd ≈ 12.1643 ms
Proposed scheme    | 9TOh + 2TEpm  | 7TOh + 1TEpm  | 16TOh + 3TEpm ≈ 6.7148 ms

The comparison presented in Table 3 reveals that the proposed scheme is computationally less expensive than the scheme in [42], while it is more expensive than the rest of the schemes [39–41]. However, the proposed scheme provides invincibility against the known threats: only the proposed scheme resists the known attacks, while the rest of the competing schemes [39–42] are vulnerable to impersonation and/or other related attacks.

9 Conclusion
In this paper, we have cryptanalyzed the two most recent biometric based multi factor authentication schemes proposed by Lu et al. We have shown both of their schemes to be vulnerable to impersonation attacks, and additionally that one of their schemes is also vulnerable to an anonymity violation attack. We then proposed an improved biometric based multi factor authentication scheme. The proposed scheme is shown to be robust against all known attacks, and we have substantiated its security using the well known automated security validation tool ProVerif.

Acknowledgements The author would like to thank the anonymous reviewers and the editor for their valuable suggestions to improve the quality, correctness, presentation and readability of the manuscript.

References
1. Lamport L. Password authentication with insecure communication. Communications of the ACM 1981; 24(11):770–772.
2. Sun DZ, Huai JP, Sun JZ, Li JX, Zhang JW, Feng ZY. Improvements of Juang's password-authenticated key agreement scheme using smart cards. IEEE Transactions on Industrial Electronics 2009; 56(6):2284–2291.
3. Lu R, Lin X, Liang X, Shen X. A dynamic privacy-preserving key management scheme for location-based services in VANETs. IEEE Transactions on Intelligent Transportation Systems 2012; 13(1):127–139.
4. Zhao D, Peng H, Li L, Yang Y. A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wireless Personal Communications 2014; 78(1):247–269.
5. Lu Y, Li L, Yang Y. Robust and efficient authentication scheme for session initiation protocol. Math. Probl. Eng. 2015; 2015.
6. He D, Zeadally S. Authentication protocol for an ambient assisted living system. IEEE Communications Magazine 2015; 53(1):71–77.
7. He D, Kumar N, Chen J, Lee CC, Chilamkurti N, Yeo SS. Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimedia Systems 2013; 21(1):49–60.
8. He D. An efficient remote user authentication and key agreement protocol for mobile client–server environment from pairings. Ad Hoc Networks 2012; 10(6):1009–1016.
9. Farash MS, Attari MA. A secure and efficient identity-based authenticated key exchange protocol for mobile client–server networks. The Journal of Supercomputing 2014; 69(1):395–411.
10. Farash MS, Attari MA. An anonymous and untraceable password-based authentication scheme for session initiation protocol using smart cards. International Journal of Communication Systems 2014; doi:10.1002/dac.2848.
11. Farash MS, Attari MA. Cryptanalysis and improvement of a chaotic map-based key agreement protocol using Chebyshev sequence membership testing. Nonlinear Dynamics 2014; 76(2):1203–1213.
12. Irshad A, Sher M, Faisal MS, Ghani A, Ul Hassan M, Ch SA. A secure authentication scheme for session initiation protocol by using ECC on the basis of the Tang and Liu scheme. Security and Communication Networks 2013.
13. Irshad A, Sher M, Rehman E, Ch SA, Hassan MU, Ghani A. A single round-trip SIP authentication scheme for voice over internet protocol using smart card. Multimedia Tools and Applications 2013; 1–18.
14. Islam S, Khan M. Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems. Journal of Medical Systems 2014; 38(10):135, doi:10.1007/s10916-014-0135-9.
15. Chaudhry S, Naqvi H, Shon T, Sher M, Farash M. Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems. Journal of Medical Systems 2015; 39(6):66, doi:10.1007/s10916-015-0244-0.
16. Jiang Q, Ma J, Tian Y. Cryptanalysis of smart-card-based password authenticated key agreement protocol for session initiation protocol of Zhang et al. International Journal of Communication Systems 2014; doi:10.1002/dac.2767.
17. Zhang L, Tang S, Cai Z. Robust and efficient password authenticated key agreement with user anonymity for session initiation protocol-based communications. IET Communications 2014; 8(1):83–91.
18. Chaudhry SA, Farash MS, Naqvi H, Kumari S, Khan MK. An enhanced privacy preserving remote user authentication scheme with provable security. Security and Communication Networks 2015; 1–13, doi:10.1002/sec.1299.
19. Islam SH. Design and analysis of a three party password-based authenticated key exchange protocol using extended chaotic maps. Information Sciences 2015; 312:104–130.
20. Islam SH. Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps. Nonlinear Dynamics 2014; 78(3):2261–2276.
21. Islam SH. A provably secure ID-based mutual authentication and key agreement scheme for mobile multi-server environment without ESL attack. Wireless Personal Communications 2014; 79(3):1975–1991.
22. Islam S, Khan MK. Provably secure and pairing-free identity-based handover authentication protocol for wireless mobile networks. International Journal of Communication Systems 2014.
23. He D, Kumar N, Chilamkurti N. A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Information Sciences 2015.
24. He D, Wang D. Robust biometrics-based authentication scheme for multiserver environment. 2015; 9(3):816–823.
25. Chaudhry SA, Mahmood K, Naqvi H, Sher M. A secure authentication scheme for session initiation protocol based on elliptic curve cryptography. The 13th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC 2015), IEEE, 2015; 1–5.
26. Chaudhry SA, Mahmood K, Naqvi H, Khan MK. An improved and secure biometric authentication scheme for telecare medicine information systems based on elliptic curve cryptography. Journal of Medical Systems 2015; 66, doi:10.1007/s10916-015-0335-y.
27. Chaudhry SA, Naqvi H, Sher M, Farash MS, Hassan Mu. An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Networking and Applications 2015; 1–14, doi:10.1002/ppna.1299.
28. Ul Amin N, Asad M, Din N, Ch SA. An authenticated key agreement with rekeying for secured body sensor networks based on hybrid cryptosystem. 2012 9th IEEE International Conference on Networking, Sensing and Control (ICNSC), IEEE, 2012; 118–121.
29. Mehmood Z, uddin N, Ch SA, Nasar W, Ghani A. An efficient key agreement with rekeying for secured body sensor networks. 2012 Second International Conference on Digital Information Processing and Communications (ICDIPC), IEEE, 2012; 164–167.
30. Heydari M, Sadough SMS, Farash MS, Chaudhry SA, Mahmood K. A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography. Wireless Personal Communications 2015; doi:10.1007/s11277-015-3123-6.
31. Lu Y, Li L, Peng H, Yang Y. An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem. Journal of Medical Systems 2015; 39(3):1–8.
32. Awasthi AK, Srivastava K. A biometric authentication scheme for telecare medicine information systems with nonce. Journal of Medical Systems 2013; 37(5):1–4.
33. Li X, Niu J, Khan MK, Liao J, Zhao X. Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Security and Communication Networks 2014; doi:10.1002/sec.961. URL http://dx.doi.org/10.1002/sec.961.
34. Zhang M, Zhang J, Zhang Y. Remote three-factor authentication scheme based on fuzzy extractors. Security and Communication Networks 2015; 8(4):682–693, doi:10.1002/sec.1016. URL http://dx.doi.org/10.1002/sec.1016.
35. Mishra D, Kumari S, Khan MK, Mukhopadhyay S. An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems. International Journal of Communication Systems 2015; doi:10.1002/dac.2946. URL http://dx.doi.org/10.1002/dac.2946.
36. Das AK. A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor. International Journal of Communication Systems 2015; doi:10.1002/dac.2933. URL http://dx.doi.org/10.1002/dac.2933.
37. Li X, Khan M, Kumari S, Liao J, Liang W. Cryptanalysis of a robust smart card authentication scheme for multiserver architecture. 2014 International Symposium on Biometrics and Security Technologies (ISBAST), 2014; 120–123, doi:10.1109/ISBAST.2014.7013106.
38. He D, Kumar N, Lee JH, Sherratt R. Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Transactions on Consumer Electronics February 2014; 60(1):30–37, doi:10.1109/TCE.2014.6780922.
39. Chuang MC, Chen MC. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications 2014; 41(4):1411–1418.
40. Mishra D, Das AK, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Systems with Applications 2014; 41(18):8129–8143.
41. Lu Y, Li L, Yang X, Yang Y. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE 2015; 10(5):e0126323, doi:10.1371/journal.pone.0126323.
42. Lu Y, Li L, Peng H, Yang Y. A biometrics and smart cards-based authentication scheme for multi-server environments. Security and Communication Networks 2015; 1–10, doi:10.1002/sec.1246.
43. Jin ATB, Ling DNC, Goh A. Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognition 2004; 37(11):2245–2255.
44. Lumini A, Nanni L. An improved biohashing for human authentication. Pattern Recognition 2007; 40(3):1057–1065.
45. Belguechi R, Rosenberger C, Ait-Aoudia S. Biohashing for securing minutiae template. 2010 20th International Conference on Pattern Recognition (ICPR), IEEE, 2010; 1168–1171.
46. Eisenbarth T, Kasper T, Moradi A, Paar C, Salmasizadeh M, Shalmani M. On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme. Advances in Cryptology, CRYPTO 2008, Lecture Notes in Computer Science, vol. 5157, Wagner D (ed.). Springer Berlin Heidelberg, 2008; 203–220, doi:10.1007/978-3-540-85174-5_12. URL http://dx.doi.org/10.1007/978-3-540-85174-5_12.
47. Dolev D, Yao AC. On the security of public key protocols. IEEE Transactions on Information Theory Mar 1983; 29(2):198–208, doi:10.1109/TIT.1983.1056650.
48. Cao X, Zhong S. Breaking a remote user authentication scheme for multi-server architecture. IEEE Communications Letters Aug 2006; 10(8):580–581, doi:10.1109/LCOMM.2006.1665116.
49. Kocher P, Jaffe J, Jun B. Differential power analysis. Advances in Cryptology, CRYPTO 99, Springer, 1999; 388–397.
50. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers 2002; 51(5):541–552.
51. Mir O, Nikooghadam M. A secure biometrics based authentication with key agreement scheme in telemedicine networks for e-health services. Wireless Personal Communications; 1–23.
52. Xie Q, Dong N, Wong DS, Hu B. Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol. International Journal of Communication Systems 2014; doi:10.1002/dac.2858.
53. Chaudhry S, Farash M, Naqvi H, Sher M. A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography. Electronic Commerce Research 2015; 1–27, doi:10.1007/s10660-015-9192-5. URL http://dx.doi.org/10.1007/s10660-015-9192-5.
54. Kilinc HH, Yanik T. A survey of SIP authentication and key agreement schemes. IEEE Communications Surveys & Tutorials 2014; 16(2):1005–1023.