A robust anonymous biometric-based remote user authentication scheme using smart cards Academic research paper on "Computer and information sciences"

Journal of King Saud University - Computer and Information Sciences (2015) xxx, xxx-xxx

King Saud University

Journal of King Saud University -Computer and Information Sciences

www.ksu.edu.sa www.sciencedirect.com

Journal of

King Saud University -

Computer and

Information Sciences

A robust anonymous biometric-based remote user authentication scheme using smart cards

Ashok Kumar Das a'*, Adrijit Goswami b

a Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India

b Department of Mathematics, Indian Institute of Technology, Kharagpur 721 302, India Received 10 October 2013; revised 10 March 2014; accepted 19 March 2014

KEYWORDS

Remote user authentication;

Biometrics;

Smart cards;

Hash function;

Cryptanalysis;

Security

Abstract Several biometric-based remote user authentication schemes using smart cards have been proposed in the literature in order to improve the security weaknesses in user authentication system. In 2012, An proposed an enhanced biometric-based remote user authentication scheme using smart cards. It was claimed that the proposed scheme is secure against the user impersonation attack, the server masquerading attack, the password guessing attack, and the insider attack and provides mutual authentication between the user and the server. In this paper, we first analyze the security of An's scheme and we show that this scheme has three serious security flaws in the design of the scheme: (i) flaw in user's biometric verification during the login phase, (ii) flaw in user's password verification during the login and authentication phases, and (iii) flaw in user's password change locally at any time by the user. Due to these security flaws, An's scheme cannot support mutual authentication between the user and the server. Further, we show that An's scheme cannot prevent insider attack. In order to remedy the security weaknesses found in An's scheme, we propose a new robust and secure anonymous biometric-based remote user authentication scheme using smart cards. Through the informal and formal security analysis, we show that our scheme is secure against all possible known attacks including the attacks found in An's scheme. The simulation results of our scheme using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool ensure that our scheme is secure against passive and active attacks. In addition, our scheme is also comparable in terms of the communication and computational overheads

* Corresponding author. Tel.: +91 40 6653 1506; fax: +91 40 6653 1413.

E-mail addresses: iitkgp.akdas@gmail.com, ashok.das@iiit.ac.in (A.K. Das), goswami@maths.iitkgp.ernet.in (A. Goswami).

URLs: http://www.iiit.ac.in/people/faculty/ashokkdas/, https:// sites.google.com/site/iitkgpakdas/ (A.K. Das). Peer review under responsibility of King Saud University.

Production and hosting by Elsevier

http://dx.doi.org/10.1016/jjksuci.2014.03.020

1319-1578 © 2015 The Authors. Production and hosting by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

with An's scheme and other related existing schemes. As a result, our scheme is more appropriate for practical applications compared to other approaches.

© 2015 The Authors. Production and hosting by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

1. Introduction

Remote user authentication plays an important role in many applications including e-commerce and m-commerce. Several remote user authentication schemes and their enhancements are proposed in the literature to improve the various security flaws in other schemes. The security of the traditional identity-based remote user authentication schemes is based on the passwords. However, simple passwords are easy to break by simple dictionary attacks. In order to resolve such problem, biometric-based remote user authentications are considered for better alternatives since such authentications are more secure and reliable than the traditional password-based authentication schemes (Li and Hwang, 2010). The advantages of using biometric keys (for example, fingerprints, faces, irises, hand geometry, palm-prints, etc.) are (Das, 2011a; Das and Goswami, 2013; Li and Hwang, 2010)

• Biometric keys cannot be lost or forgotten.

• Biometric keys are extremely hard to forge or distribute.

• Biometric keys are extremely difficult to copy or share.

• Biometric keys cannot be guessed easily as compared to low-entropy passwords.

• Someone's biometrics is not easy to break than others.

According to the existing researches, we list some important essential requirements for evaluating a novel biometric-based remote user authentication scheme using smart cards. Security requirements

The following attacks should be prevented (Li and Hwang, 2010):

• SR1. Withstand masquerade attacksIn this attack, an adversary may try to masquerade as a legitimate user to communicate with a valid system or masquerade as a valid system in order to communicate with legal users.

• SR2. Withstand replay attacksAn attacker tries to hold up the messages between two communicating parties and then impersonate other legal party to replay the fake messages for further deceptions.

• SR3. Withstand man-in-the-middle attacksIn such attacks, an attacker may intercept the messages during transmissions and then can change or delete or modify the contents of the messages delivered to the recipients.

• SR4. Withstand denial-of-service attacksIf an attacker blocks the messages from reaching the server and the users, the server as well as the users should know about malicious dropping of such control messages.

• SR5. Withstand parallel session attacksIn a parallel session attack, an attacker may start new runs of the protocol using knowledge gathered from the initial runs of the protocol. Messages from these new runs of the protocol are replayed in the initial run (Pasca et al., 2008).

• SR6. Withstand stolen-verifier attacksAn attacker must not get/steal user's password and other secret information from the system.

• SR7. Withstand stolen smart card attacksThe smart card is usually equipped with tamper-resistant device. If the smart card of a user is lost or stolen, an attacker can still retrieve all the sensitive information stored in the stolen smart card's memory using the power analysis attack (Kocher et al., 1999; Messerges et al., 2002). Then using these retrieved information, an attacker can derive other secret information of the communicating parties (the user as well as the server).

Functionality requirements

A biometric-based remote user authentication scheme should satisfy the following functionality requirements (Li and Hwang, 2010):

• FR1. Provide mutual authentication between two communicating parties and after successful authentication, a secret session key should be established between them for future secure communication between the parties.

• FR2. Should be efficient in terms of communication and computational overheads.

• FR3. Allow users to freely choose and change the passwords locally without further contacting the server. Thus, it can reduce the communication and computational overheads, and some possible attacks between two communicating parties over an insecure network.

• FR4. Work without storing the password and verification tables in the system to withstand stolen-verifier attacks.

• FR5. Support without synchronized clocks when the communicating parties are not synchronized with their clocks.

• FR6. Provide non-repudiation because of employing personal biometrics.

Several remote user authentication schemes using smart cards have been proposed in the literature (An, 2012; Chou et al., 2013; Das, 2011a,b; He et al., 2008; Khan and Kumari, 2013; Li and Hwang, 2010, Li et al., 2011). He et al. (2008) proposed a self-certified user authentication scheme for next generation wireless network, which relies on the public-key cryptosystem. In 2010, Li and Hwang proposed an efficient biometric-based remote user authentication scheme using smart card (Li and Hwang, 2010). Though their scheme is efficient, it suffers from several security weaknesses as pointed out in Das (2011a). Li et al. (2011) also proposed an improvement on Li-Hwang's scheme (Li and Hwang, 2010). Later, Das (2011b) showed that Li et al.'s scheme (Li et al., 2011) again fails to provide proper authentication in login and authentication phases because there is no verification on user's entered password after successful verification of

his/her biometric template. Further, Das showed that due to the same password verification problem as in Li-Hwang's scheme (Li and Hwang, 2010), Li et al.'s scheme (Li et al., 2011) fails to update the new password correctly in a user's smart card locally during the password change phase. Based on assumption as used in Li-Hwang's scheme (Li and Hwang, 2010) that extracting secret information from tamper-resistant smart card is as secure as passwords, in

2011 Das (2011a) proposed an effective scheme to withstand security flaws found in Li-Hwang's scheme. However, in

2012 An (2012) showed that Das's scheme (Das, 2011a) is insecure when the secret information stored in the smart card is revealed to an attacker. To withstand those security flaws, An further proposed an enhanced efficient scheme. In 2013, Chou et al. (2013) proposed an efficient two-pass anonymous identity authentication using smart card. Khan and Kumari (2013) also proposed an improved biometrics-based remote user authentication scheme with the user anonymity property, which eliminates some weaknesses found in An's scheme. However, Khan-Kumari's scheme uses the one-way hash function for verification of user's biometrics. As pointed out in Section 4.1, we note that Khan-Kumari's scheme has design flaw in user's biometric verification during their login phase as well as password change phase due to direct application of the sensitive one-way hash function on the biometrics (Das, 2011a; Li et al., 2011). As a result, Khan-Kumari's scheme fails to provide proper authentication. In this paper, we show that An's scheme (An, 2012) is still insecure, because it has several security weaknesses and it does not protect insider attack.

1.1. Our contributions

The contributions are listed below:

• We show that recently proposed An's scheme (An, 2012) has three serious security flaws in the design of the scheme: (i) flaw in user's biometric verification during the login phase, (ii) flaw in user's password verification during the login and authentication phases, and (iii) flaw in user's password change locally at any time by the user.

• We further show that An's scheme cannot prevent insider attack.

• In order to remedy the security weaknesses found in An's scheme, we propose a new robust and secure scheme.

• Our scheme supports uniqueness and anonymity preserving properties and strong replay attack protection as compared to An's scheme.

• Through the informal and formal security analysis, we show that our scheme is secure against various known attacks including the attacks found in An's scheme.

• We simulate our scheme using the widely-accepted AVISPA tool for the formal security verification to ensure that our scheme is secure against passive and active attacks.

• Our scheme is also comparable to An's scheme and other related existing schemes when the communication and computational costs are considered during the various phases.

• Higher security along with efficiency of our scheme make our scheme more appropriate for practical applications when compared to An's scheme and other related existing schemes.

1.2. Organization of the paper

The rest of this paper is organized as follows. In Section 2, we briefly review the properties of one-way hash function and BioHashing for describing An's scheme and our scheme, and cryptanalysis of An's scheme in Sections 3 and 4, respectively. In Section 5, we propose a new robust and secure biometric-based remote user authentication scheme, which preserves user anonymity and uniqueness properties. In Section 6, through the informal and formal security analysis, we show that our scheme is secure against possible known attacks including the attacks found in An's scheme. The simulation results for the formal security verification of our scheme using the widely-accepted AVISPA tool are provided in Section 7. In Section 8, we compare the performance and security of our scheme with An's scheme and other related existing schemes. Finally, we conclude the paper in Section 9.

2. Mathematical preliminaries

In this section, we discuss the properties of one-way hash function and BioHashing, which are useful for describing and analyzing our scheme as well as An's scheme.

2.1. One-way hash function

A one-way hash function h : X ={0,1}* ! Y ={0,1}" takes an arbitrary-length input x 2 X, and produces a fixed-length n-bits output h(x) 2 Y, called the message digest or hash value such that from a given hash value y = h(x)2 Y and the given hash function h(-), it is computationally infeasible to derive the input x 2 X (Stallings, 2003). A hash function can be applied to the fingerprint of a file, a message, or other data blocks. One of the fundamental properties of a secure one-way hash function is that its outputs are very sensitive to a small perturbation in inputs (Das, 2011a). The cryptographic hash function cannot be applied straightforwardly when the input data are with noise such as biometrics (Jain et al., 2003; Linnartz and Tuyls, 2003; Maltoni et al., 2009; Prabhakar et al., 2003). An example of a one-way hash function is SHA-1 (Secure Hash Standard, 1995), which has the above desired properties. However, National Institute of Standards and Technology (NIST) does not recommend SHA-1 for top secret documents. Further, in 2011, Manuel (2011) showed collision attacks on SHA-1. In this paper, we use SHA-2 as the secure one-way hash function in order to achieve top security. We use only 160-bits from the hash digest output of SHA-2.

2.2. BioHashing

BioHashing is one-way and the BioCode generated using the BioHashing on biometrics of a user is also as secure as a hashed password. Jina et al. (2004) proposed a two factor authenticator based on iterated inner products between tok-enized pseudo-random number and the user specific fingerprint feature. Their approach produces a set of user specific compact code that coined as BioHashing. Lumini and Nanni (2007) further proposed an improvement on BioHashing.

BioHashing can be used to map a user's input biometric features onto user-specific random vectors in order to generate the BioCode and then discretizes the projection coefficients into zero or one (Chang et al., 2013). BioHashing is thus a very useful tool for biometric verification (Chang et al., 2013; Das and Goswami, 2013).

2.3. Perceptual hashing

Perceptual hash functions are designated as one-way conventional hash functions for multimedia contents (Perceptual Hashing, 2013). Similar to cryptographic hash functions, they are required to generate different hash values for different inputs. However, the definition of difference is changed from bitwise difference to perceptual difference in the sense that the cryptographic hash functions generate a totally different hash value even if the input is changed by a single bit, whereas the robust hash functions are expected to change the hash value only if the input is perceptually changed. For an example, the hash value of an image and its JPEG compressed version should be the same since they have no perceptual difference although their bit-string representation is completely different.

Perceptual hashes need to be robust enough to take into account transformations or attacks on a given input and yet be flexible enough to distinguish between dissimilar files. Such attacks can include rotation, skew, contrast adjustment and different compression/formats. All of these challenges make perceptual hashing an interesting field of study in computer science research. Due to security issues of the perceptual hashing, in this paper we make use of the fuzzy extractor in order to perform user's biometric verification, which is discussed in next subsection.

2.4. Key data extraction process from biometric template

In this section, we briefly describe the extraction process of key data from the biometric of a user using a fuzzy extractor.

Since the output of a conventional hash function h(-) is sensitive it may return completely different outputs even if there is a little variation in inputs. On the other hand, biometric information is prone to various noises during data acquisition and the reproduction of actual biometric is hard in common practice. To avoid this kind of problem, a fuzzy extractor (Burnett et al., 2007; Dodis et al., 2004) is used, which has the ability to extract a uniformly random string b and a public information par from the biometric template f with the error tolerance t. In the reproduction process, the fuzzy extractor recovers the original biometric data b for a noisy biometric f0 using par and t.

Suppose that M — {0,1}" be a finite v-dimensional metric space of biometric data points, d: MxM ! Z+ a distance function, which is used to calculate the distance between two points based on the metric chosen, l the number of bits of the output string bi and t the error tolerance, where Z+ is the set of all positive integers.

Definition 1. The fuzzy extractor (M, l, t) is defined by the following two algorithms:

• Gen: This is a probabilistic algorithm that takes a biometric information ft eM as input and outputs a key data h e {0,1}' and a public reproduction parameter pari. In other words, Gen(fi) — {hi,par}.

• Rep: This is a deterministic algorithm that takes a noisy bio-metric information f i e M and a public parameter part related to f i, and then it reproduces the biometric key data hi. In other words, Rep(fi,pari) — h provided that the condition d(/¡,fi) 6 t holds.

The detailed description of the fuzzy extractor and the extraction procedure can be found in Burnett et al. (2007) and Dodis et al. (2004).

3. Review of An's scheme

In this section, we review the recently proposed An's scheme (An, 2012). This scheme has three phases: registration phase, login phase, and authentication phase. However, this scheme does not specify the procedure to changing the user's password locally and freely as suggested in Li-Hwang's scheme (Li and Hwang, 2010) and Das's scheme (Das, 2011a). We use the notations in Table 1 for describing An's scheme and its cryptanalysis.

3.1. Registration phase

In this phase, a user U first needs to register to a trusted registration center Rj before he/she is allowed to login to the remote server Sj. This phase consists of the following steps:

• Step 1: Ui chooses his/her identity IDi, selects a password PWi and generates a random number K which is kept secret to him/her only. Ui then computes PWi Ф K. After that Ui inputs his/her biometric information Bi (for example, fingerprint) and submits ф K via a specific device to Rj. Ui sends the message (IDi,PWi ф K,Bi ф K) to Rj via a secure channel.

• Step 2: When Rj receives the information securely from Ui in Step 1, Rj generates a secret value Xs which is kept secret to Rj only, and then computes ft — h(Bi ф K), rt — h(PWi ф K)фfi, and e — h(IDi\\X ^ф rt.

Table 1 Notations used in this paper.

Symbol Description

Ui User i

Rj Registration center j

Sj Remote server j

IDi U's identity

PWi U's password

Bi U's biometric template

h(.) Secure collision-free one-way hash function

tf(.) Secure BioHashing function

Xs Secret information maintained by the server

K Secret information maintained by U's

smart card

A\\B Data A concatenates with data B

A © B XOR operation of A and B

• Step 3: Finally, R stores (ZD,-, h(-), /,, e,-) on the user's smart card and then sends the smart card to U,- via a secure channel. In addition, U,- stores the previously generated secret number K into his/her smart card.

3.2. Login phase

Suppose the user Ui wants to login to the remote server Sj. Then the user U needs to perform the following steps in order to send the login request message to Sj for authentication purpose:

• Step 1: Ui first inserts his/her smart card into a specific card reader and then inputs his/her biometric B,- on the specific device. The smart card then computes the hash value h(B,- ® K) using the stored secret number K and verifies whether it matches with / stored in the smart card. If so, Ui passes the biometric verification; otherwise, the login process is terminated immediately.

• Step 2: U,- enters his/her identity ZD,- and password PW,-. U,-generates a random number Rc. The smart card then computes r0 = h(PW,- ® K) ®/,M1 = e,- ® r0,M2 = M1 ® Rc, M 3 = h(M 1 ||RC).

• Step 3: Finally, Ui sends the login request message (ZD,-,M2,M3) to Sj for authentication.

3.3. Authentication phase

In this phase, the remote server Sj authenticates U after receiving the login request message (IDi, M2, M3) from Ui. Sj performs the following steps:

• Step 1: Sj first checks the format of ZD,-. If it is valid, Sj computes M4 = h(ZD,-||Xs), M5 = M2 ® M4. S_, then verifies whether the condition M3 = h(M4||M5) holds or not. If this condition holds, Sj generates a random number Rs and computes M6 — M4 ® Rs, M7 — h(M4||Rs), and sends the message (M6,M7) to the user U,-.

• Step 2: When the user U,- receives the message (M6,M7) from Sj, U,- computes M8 — M6 ® M1, and then checks if the condition M7 = h (M 1 ||M8 ) holds or not. If the condition holds, U,- further computes M9 = h(M 1||Rc||M8). U,- sends the message (M9) to Sj for mutual authentication.

• Step 3: Finally, after receiving the message (M9) from U,-, Sj verifies the condition M9 = h(M4||M5||Rs). If the condition is true, Sj will accept the user login request and Ui will be treated as a legitimate user.

4. Cryptanalysis of An's scheme

In this section, we analyze the security of An's scheme in the following subsections.

4.1. Flaw in user's biometric verification during the login phase

In the registration phase of An's scheme, the user Ui sends the message (IDi, PWi ® K, Bi ® K) securely to the registration server Rj via a secure channel. After receiving the message, Recomputes fi — h(Bi ® K) and issues a smart card with

information (IDi, h(-),fi, e,). The user Ui also stores the secret number K into the memory of the smart card. Note that the secret value K is fixed and not changed in the smart card.

When the user U, wants to login to the remote server Sj, Ui first inserts his/her smart card into a card reader and inputs his/her personal biometric pattern B*. The smart card then computes the hash value f* = h(B* ® K) using the fixed stored secret number K into the smart card. As stated in An's scheme, for biometric verification the smart card checks the condition f* = f\ using the stored value of fi. As pointed out in Das (2011a), the input biometric patterns belonging to the same person may slightly differ from time to time, for example fingerprint and voiceprint. Due to the sensitive property of the one-way hash function h(-), even if there is a small perturbation in the user's biometric input Bi* (described in Section 2) the verification condition f* = fi may never succeed. Thus, this may cause a serious issue for the legal user to pass the biometric verification during the login phase. As a result, An's scheme fails to provide the strong biometric verification procedure.

4.2. Flaw in user's password verification during the login and authentication phases

In practice, a user Ui keeps different passwords for different purposes and applications. We assume that the user Ui enters his/her password wrongly during the login phase. Let this entered password be PW*, where PW*—PWi.

During the login phase of An's scheme, the user Ui first enters his/her biometric information Bi on a specific device in order to verify whether his/her biometric verification passes or not. Suppose that the biometric verification passes. After that assume that the user Ui enters his/her password PW* by mistake (PW*—PW,). In An's scheme, the smart card never verifies the user's entered password during this login phase. Instead, even if the user Ui enters his/her password incorrectly by mistake, the smart card computes and sends the login request message to the remote server Sj. During the authentication phase, the login request is rejected by Sj. However, there is no way to know for the user Ui whether he/she entered his/her password incorrectly. This serious problem results to cause unnecessarily extra communication and computational overheads performed by the user, the smart card and the remote server during the login as well as authentication phases. The detailed mathematical cryptanaly-sis of this problem is outlined below.

Based on the identity IDi and password PW* entered by the user U,, the smart card will generate a random nonce Rc and compute the following:

r* =h(PW* ф K)®f

-h{PWi ф К)ф^ since PW*-PWi My ф r*

—h(IDi ф Х5)ф rt ф r* -h{IDi ф Xs); since PW*-PW M2 —My ф Rc

—hilDi ф ^)ф Rc, since PW*-PW,-M3 —hiMi||Rc)

—hihilDi ф Xs)||Rc), since PW*—PWt.

Now, the user Ui sends the login request message (IDi, M2, M3) to Sj for authentication of login request by the server Sj.

After receiving the login request message from Ui, Sj checks the format of IDi. If it is valid, then Sj is allowed to proceed for computing the following:

M4 —h(IDi\\Xs), (5)

M5 —M2 ® M4

—Rc, using Eqs. (3) and (5). (6)

Sj will further compute the hash value h(M4\\M5) —h(h(IDi\\Xs)\\Rc). When Sj will verify the condition M3 — h(M4\\M5), this condition will certainly fail. Thus, Sj will reject the login request message and terminate the authentication process. This leads to the server Sj to think the user Ui as a cheater, but Ui is actually an honest user. Hence, An's scheme fails to provide strong authentication during the login and authentication phases.

4.3. Flaw in user's password change

The password change by the user Ui at any time locally and freely without contacting the registration center Rj is not provided in An's scheme. However, this is extremely important that the user Ui must be allowed to change his/her password later at any time due to security reasons.

In order to support password change by the user in An's scheme, the following steps need to be executed:

X —h(PW°,d ® K)®f

—h(PW°,d ® K)®h(B, ® K) (7)

y =e, ® X, using Eq. (7)

—h(IDi\\Xs)® h(PW, ® K)® h(Bt ® K)

® h(PW°,d ® K)®h(Bi ® K) -h(ID,\\Xs), since PW—PW°,d (8)

ri —h(PWnew ® K)®f„ (9)

e" — y ® ri', using Eqs. (8) and (9) —h(ID,\\Xs)® r".

As a result, updation of et by e" will not occur correctly in the smart card's memory. As a consequence of this serious problem, when the same user will login later in the system providing his/her own biometrics and new changed correct password PWnew, the login request message of the user will always be rejected by the remote server Sj even if the user passes the bio-metric verification successfully in that time. Thus, this problem will continue in subsequent password change phases by that user also. In order to withstand such serious problem, the user will not have any other option except to issue another new smart card providing the necessary information such as his/ her identity, biometrics and new password securely to the registration center Rj as done in the registration phase. Hence, An's scheme fails completely to provide the correct password change phase.

4.4. Insider attack

• Step 1: The user Ui first inserts his/her smart card into a card reader and then enters his/her personal biometric information Bi on the specific device in order to verify user's biometric. The smart card then computes the hash value h(Bi ® K) using the stored secret number K in its memory and matches it with the stored hash value ft. If they are equal, the user passes the biometric verification.

• Step 2: The user Ui is now allowed to input his/her identity IDi, and old password PW°Id and new password PW'^ew. The smart card then computes the following:

x — h(PW°,d ® K)®f, y — et ® x,

ri — h(PWnew ® K)®fi, ei — y ® ri.

• Step 3: Finally, the smart card updates et by the new ei into its memory.

We now show that An's scheme has a very serious irrecoverable problem during the password change phase. As in Section 4.2 we also assume that the user Ui enters his/her password incorrectly by mistake. After biometric verification, let the user Ui input his/her identity IDi and old password PWfd incorrectly by mistake followed by the new changed password PWnew. Since the old password verification does not occur in this phase, the smart card proceeds with the incorrect old password as follows:

As in An's scheme, we also assume that an attacker can access a smart card and extract the secret values stored in the smart card by power analysis attack (Kocher et al., 1999; Messerges et al., 2002). Suppose the smart card has been lost and the attacker is the registration center Rj itself. During the registration phase, Rj knows the values IDt, PWi ® K and Bi ® K, but not K. Note that after issuing the smart card by Rj, the user stores the secret value K into the smart card. If the attacker (Rj) can extract information from the smart card, Rj will know K. Now, using K the registration server Rj easily retrieves not only the user's password, but also the biometric information as follows:

PWi — (PWi ® K)®K, Bi — (Bi ® K)® K.

Hence, it is clear that An's scheme also fails to protect insider attack. As a consequence, if the user Ui uses the same password for some other applications, then the attacker being the insider of the server can have access to those applications too. The main problem was that the information PWt ® K and Bi ® K were not sent as their hash values h(PWt ® K) and h(Bi ® K) to the registration server Rj via a secure channel.

5. The proposed scheme

In this section, we first describe the main motivation behind our proposed scheme. We then discuss the threat model under which we analyze the proposed scheme. We finally describe the various phases of our scheme.

5.1. Motivation

Though An's scheme (An, 2012) is efficient, it suffers from several security weaknesses such as (i) it has flaw in user's biometric verification during the login phase, (ii) it has flaw in user's password verification during the login and authentication phases, and (iii) flaw in user's password change locally at any time by the user. In addition, An's scheme fails to prevent insider attack. This motivates us that there is a great need to propose an improvement of An's scheme for making it useful for practical applications. Thus, in order to withstand the security flaws found in An's scheme, we propose a new efficient biometric-based remote user authentication scheme using smart cards. Compared to An's scheme, our scheme supports efficiently the changing of user's password locally and correctly at any time by the user without contacting the remote server, uniqueness and anonymity preserving properties, and strong replay attack protection. Through the informal and formal security analysis, we show that our scheme is secure against all possible known attacks including the attacks found in An's scheme. The simulation results of our scheme using the widely-accepted AVISPA tool ensure that our scheme is secure against passive and active attacks.

5.2. Threat model

We use the similar threat model as used in Das and Goswami (2013). We use the Dolev-Yao threat model (Dolev and Yao, 1983) in which any two communicating parties can communicate over a public insecure channel. This means that an attacker (adversary) can eavesdrop all transmitted messages, and the attacker will have the ability to modify, delete or change the contents of the transmitted messages over the public channel. The smart card of a user is generally equipped with tamper-resistant device. If the user's smart card is lost or stolen, an attacker can still know all the sensitive stored information from the memory of the smart card using the power analysis attack (Kocher et al., 1999; Messerges et al., 2002). Though some smart card manufacturers consider the risk of side-channel attacks and provide the countermeasures to deter the reverse engineering attempts, we still assume that an attacker will know all the sensitive information from the memory of the user's smart card once it is stolen or lost.

5.3. Description of the proposed scheme

In this section, four phases of our scheme, namely registration phase, login phase, authentication phase, and password change phase, are described in the following subsections. The conventional hashing is not practical for biometric verification, because biometric data (for example, fingerprint, voice, palm, etc.) change with time and environment. To address this issue researchers have suggested to use the perceptual hashing, where two biometric data of the same person should have nearly similar hash values (Perceptual Hashing, 2013). However, due to security reasons, in this paper, we have used the fuzzy extractor (Burnett et al., 2007; Dodis et al., 2004) in order to perform biometric verification of a user for our proposed scheme.

5.3.1. Registration phase

A user Ui first needs to register to a trusted registration center

Rj before he/she is allowed to login to the remote server Sj to

access services from the server Sj. The following steps are

required in order to complete the registration process:

• Step R1: At first, the user Ui inputs his/her high-entropy or strong identity ZD,-, personal biometrics B,- (for example, fingerprint) on a specific device of the terminal. U- then chooses his/her high-entropy or strong password PW,- and generates a random 1024-bit number K, which is kept secret to him/her only. Since the chosen identity ZD,- and PW,- are assumed to be high-entropy, the guessing attack on these by any attacker will be a computationally infeasible problem in our scheme.

• Step R2: U,- computes the masked password RPW,- = h(ZD,-||K||PW,-) using the one-way hash function h(-), ZD,-, K and PW,, and the masked biometrics / = H(ZD,||K ||B,) using the BioHashing H(■), ZD,-, K, and B,-. Ui then applies the Gen(-) algorithm that takes the user U,-'s personal biometric B,- as input and outputs a key data b,- and a public reproduction parameter par,,, where Gen(B,-) = (b,-,par,). U,- also computes r,- = h(RZ>W,-||/,!|b,-) and then sends the registration request message (ZD,-, r,-) to the registration center Rj via a secure channel.

• Step R3: After receiving the registration request message in Step R2, Rj computes

e, = h(IDiaXs)®rl,

where Xs is a 1024-bit secret number kept secret to the server Sj only.Rj then selects a random identity NID, for the user Ui and then computes

TDi = NIDi ® h(IDi), and

D, = TD„

as in Das and Goswami (2013) in order to provide the user anonymity property.

• Step R4: Rj issues a smart card C,- to the user U,-, which contains the information (ZD,-,D,-,h(-),Rep(-),r,-,e,-) and sends the smart card C,- to U,- via a secure channel. Note that in our scheme the smart card C,- does not contain the user identity ZD,- directly as compared to An's scheme (An, 2012). As pointed out in Das and Goswami (2013), the probability to guess a correct identity composed of exact m characters is approximately 2m. Further, to guess the password PW,- of exact n characters from r,- knowing the information /,,, the attacker has to guess the identity ZD,-of exact m characters and the biometric key b,- composed of l bits, and the probability to guess PW,- then becomes approximately 26m+16n+„ which is also negligible.

• Step R5: After receiving the smart card C,-, the user U,-stores the secret number K, the computed information /,,par,,, and a serial number SN,- = 0 into his/her smart card C,- as in Lee and Liu (2013). Note that SN,- is used to protect the parallel session attacks. Finally, the user U,-'s smart card C,- contains the information (ZD,-,D,-,h(-),Rep(-),/;,r,-, eu Par,-).

The registration phase of our scheme is summarized in Table 2.

Table 2 Registration phase of our scheme.

User Ui Registration center Rj

Chooses IDi, selects PWi and generates a random number K. Inputs Bi. Computes RPWi,f Gen(Bi) — (bi,parj), ri. {IDi, r)

(via a secure channel) Selects a random identity NIDi. Computes e,-, TDi, Di. Smart card(TDi, Di, h(-), Rep{■), ri, ei)

Stores K, fi,parj in Ci. Stores SNi — 0 in Ci. (via a secure channel)

Table 3 Login phase of our scheme.

User (Ui)/Smart card (Ci) Remote server Sj

Inputs IDi and Bi.

Computes bi — Rep(Bi,pari).

Inputs PWi, and computes

RPWi — h(ID,\\K\\PW,),

ri — h(RPWi\fi\\b')).

Checks if ri — r, ? If it holds,

selects a random nonce Rc,

increments SNi — SNi + 1,

and then computes

NIDi — h(IDi)® Di,

M1 — ei ® ri,

M2 — M1 ® SNi,

M3 — M1 ® Rc,

M4 — h(IDi\\SNi\\Rc\\M1).

{NIDi, M2, M3, M4)

5.3.2. Login phase

If a user Ui wants to login to the remote server Sj, he/she needs

to perform the following steps:

• Step L1: Ui first inserts his/her smart card Ci into a specific card reader of the terminal, and inputs his/her identity IDi and personal biometric on the specific device. Ct computes bi — Rep(Bi,pari) using the function Rep(-),Bi, and stored part in its memory.

• Step L2: Ui then enters his/her password PWi. Ci computes the masked password RPWi — h(IDi\\K\\PW,-) using entered IDt, PWi, and stored K with the help of the one-way hash function h(-). After that Ci computes iJi — h(RP>W'i\\fi\\b'i), where bi is already computed in Step L1, and checks if the condition ri — ri holds. If it holds, the user Ui passes the biometric as well as password verification simultaneously. Otherwise, this phase terminates immediately.

• Step L3: Ci selects a random nonce Rc, increments SNi by 1, that is, SNi —SNi + 1, and then computes

NIDi —h(ID,)®D„ Mi —ei ® ri

—h(ID,\\Xs), M2 — My ® SN„

—h(ID,\\Xs) ® SN„

M3 —M1 ® Rc,

—h(ID,\\Xs) ® Rc, and M4 —h(ID,\\SN,\\Rc\\M1),

—h(ID,\\SN,\\Rc\\h(ID,\\Xs)).

Ci finally sends the login request message {NIDi, M2, M3, M4) to the server Sj for authentication via a public channel.

This phase is summarized in Table 3.

5.3.3. Authentication phase

As suggested in Das and Goswami (2013), we have two cases

(Case I and Case II) for our authentication phase in order to

protect denial-of-service (DoS) attack. In Case I, the latest identities kept by Ci and Sj are matched against each other. On the other hand, in Case II, the latest random identities kept by Ci and Sj are different.

After receiving the login request message {NIDi, M2, M3, M4) from the user Ui, the following steps are executed in order to perform mutual authentication between Ui and Sj, and then establish a secret session key between Ui and Sj so that they can communicate securely after successful authentication for their future communications:

• Step A1: Sj first checks the format of the received NIDi in the login request message and then finds the entry (IDi,NIDt) in the ID table. If it is found in the ID table, Case I is executed. Otherwise, Sj proceeds for Case II to authenticate the user Ui.

Case I:

• Step A2: Sj computes

M5 —h(ID,\\Xs), and

M6 —M2 ® M5 —SNi.

Sj checks the validity of M6 by checking the condition M6 > SN, where SN is initialized to 0 and it is kept to the server Sj. Note that M6 — SNi. If this condition does not hold, Sj rejects the login request message of Ui and the phase terminates immediately. Otherwise, Sj computes

M7 —M3 ® M5

—Rc, and M8 —h(ID,\\M6\\M7\\M5 ).

Sj then checks the condition M8 — M4. If it does not hold, Sj rejects the login request of Ui and the phase terminates immediately.As in Das (2011a), we adopt the following similar strategy for resisting the replay and man-in-the-mid-dle attacks. Sj can store the pair (IDi, M7) in its database. Note that M7 — Rc. Later when Sj receives another login

request message, say (NIDi, M2, M3, M4) from the user Ui, the server Sj finds the entry (IDi, NIDi) in its ID table, computes M5 — h(ID, ||Xs) and M6 — M2 ® M5, and then checks if M6 > SN. If it does not hold, the phase terminates immediately. Otherwise, Sj further computes M7 —M3 ® M5, and M8 — h (ID,-||M6||M7||M5), and checks the condition M8 — M4. If it holds, this ensures that the login request message (NIDi, M2, M3, M4) is certainly a replay message and Sj simply discards this message. Otherwise, it is considered as a fresh message and in this case, Sj updates (IDt, M7) with (IDt, M7) in its database.

■ Step A3: Sj generates a random nonce Rs, and then computes

M9 — M5 ® Rs

—h(IDt ||X,)®Rs,

M10 —h^^M)® NIDnew

—h(Rs||Rc HSNi)®NI^Tw,

where NID\new is a random and temporary identity generated by Sj. Sj then computes

M11 —h(IDi ||M6||M7 + 1||Rs||M5||NIDnew) —h(ID, | |SN,| |R + 1||Rs||h(IDi||Xs) ||NIDnew),

and sends the authentication request message (M9, M10, M11 ) to the user Ui via a public channel.

Step A4: After receiving the authentication request message in Step A3 from the server Sj, C,- computes

M12 —M9 ® M1

—h(IDi||Xs)®Rs ® h(IDi||Xs)

—Rs;

M13 —h(Mi2||Rc ||SNi) —h(Rs||Rc ||SNi),

M14 —M13 ® M10

—NIDnw.

Ci further computes M15 —h(IDi||SNi||Rc + 1||Mi2||Mi||Mi4) and then checks if the condition M11 — M15 holds. If it does not hold, this phase terminates immediately. Otherwise, Ci updates TDt and Dt in its memory with the values Di and Di ® NIDi ® M14, respectively.

■ Step A5: C computes M16 —h(ZDI-||SNI||Rc + 1||M 12 + 1 ||Mi||Mi4) and sends the authentication acknowledgment message (M16) to the server Sj for mutual authentication. Ci also computes a secret session key shared between the user Ui and the server S, as SKU,-,Sj —h(ZD, | | SN, | |Rc | | Mi2||Mi ||M3). "

Step A6: Finally, after receiving the authentication acknowledgment message (M16) from the user U,, the server Sj computes M17 — h (ZD,- ||M6||M7 +1 ||R + 1||M5||NZDnew) and verifies whether the condition M16 — M17 holds. If it does not hold, this phase terminates immediately. Otherwise, Sj considers U as a legitimate user and computes the same secret session key shared with the user U,- as SKu,-,s, —h(ZD,-||M6||M7||Rs||M5||M3).

Case II:

• Step A7: Processes in this case are almost same as those in Case I except the following. NZD0 is obtained by computing h(ZD,)® ZD, instead of h(ZD,)® D, in Step L3 of the login phase. Further, C needs to only update D with D ® NZD 0 ® M14 without changing ZD in Step A4.

The authentication phase of our scheme is summarized in Table 4.

5.3.4. Password change phase

It is desirable for security reasons that a user Ui should change his/her password periodically. This phase describes the procedure for changing the old password of the user Ui by his/her new chosen password in the smart card locally and efficiently without contacting the remote registration server Rj. The following steps are involved in this phase:

Table 4 Authentication phase of our scheme. User (U,)/Smart card (C,) Remote server Sj (NID,, M2, M3, M4)

Verifies format of NID,. If it holds,

computes M5 = h(ID,||Xs),

M6 = M2 ® M5, and

checks if M6 > SN?

If it holds, Sj computes

M7 = M3 ® M5,

M8 = h(ID,| |M6 ||M7||M5),

and checks if M8 = M4?.

If it holds, Sj generates Rs and

computes M9 = M5 ® Rs,

M10 = h(Rs||M7||M6)® NIDnew,

M11 = h(ID,HM^M-, + 1||Rs||M5

||NIDnew).

(M9, M10, M11)

Computes M12 = M9 ® M1, M13 = h(Ml2||Rc||SN,), M14 = M13 ® M10, M15 = hiIDiHSNiHRc + 1|| M12||M1||M14), and checks if M11 = M15? If it holds, C updates TD and D , and computes M16 = hiIDiHSNiH Rc + 1||M12 + 1||M1||M14) (M16)

Computes

SKu, s, —h(IDi\\SNi

\\Rc\\M 12 \ \ My\\ M3).

Computes

M17 = h(IDi | | M6 11 M7 + 1 | | Rs + 1 11 M5 11 NIDfw) and verifies if M16 = M17? If it holds, accepts Ui as legitimate user. Computes

SKu,,Sj =h(ID, | | M6 11 M7 | | Rs | | M5 | | M3).

Step P1: The user Ui first enters his/her identity IDi and personal biometrics Bi on a specific smart card device of the terminal. Ci then computes b* —Rep(Bt, pari) using the function Rep(), entered biometrics Bi, and stored part in its memory.

Step P2: Ui then enters his/her old password PW°Id and chosen new password PW1ew. Ci computes the old masked password RPW* — h(IDi\\K\\PWiId) using the entered IDi,PWiId, and stored K with the help of the one-way hash function h(-), and r* —h(RPW*\fi\\b*) and then checks if r* — rt holds. If it does not hold, Ui enters his/her biometrics Bi and password PWfd incorrectly and the phase terminates immediately. Otherwise, Step P3 is executed. Step P3: Ci further computes

ei* —ei ® ri*

—h(IDi\\Xs)®ri ® r* —h(IDi\\Xs), since r* — ri, RPW** —h(IDi\\K\\PWnew),

r** —h(RPW*\f№)

—h(h(IDi\\K\\PWnew )\f\\bi),

e** —e* ® r**.

• Step P4: Finally, Ci updates ri with r* its memory.

and ej with e** in

Note that in our password change phase, the new password of a user is always changed correctly and locally without further contacting the remote server.

6. Security analysis of the proposed scheme

In this section, we first show the correctness of our scheme for establishing the common secret session key between the user and the server. We then show that our scheme is secure against various known attacks.

6.1. Correctness

In the following theorem, we give the correctness of our scheme.

Theorem 1. Our scheme always establishes the correct secret session key between the user U, and the server Sj during the authentication phase after a successful mutual authentication between them.

Proof. During the authentication phase of our scheme, in Steps A4 and A5, after the successful verification of the condition M11 — M15 the smart card Ci of the user Ui computes M16 and sends the authentication acknowledgment message {M16) to the server Sj. C, computes the secret session key shared between U, and S} as SK^Sj — h(/D,|\SNi\\Rc|\M12|\M1 \\M3>. Note that M1 — e, ® r, — h(IDi\\Xs),M3 — M1 ® Rc — h(ID,\\Xs)® Rc, and Mn — M9 ® M1 — Rs. Thus, SKuuSj — h(IDi\\SNi\\Rc\\Rs\\h(ID,\\Xs)\\h(IDi\\Xs)® Rc).

In Step A6, after receiving the authentication acknowledgment message {M16), the server Sj verifies the condition M16 — M17. If it holds, Sj accepts Ui as a legitimate user and computes the secret session key shared with Ui as SKju — h(IDi\\M6\\M7\\Rs\\M5\\M3). Note that M6 — M2 ® M5 — SNi, M7 — M3 ® M5 — Rc, M5 — h(IDi\\Xs), M3 — M1 ® Rc — h(ID,\\Xs)® Rc, and thus, SKSju — h(IDi\\SNi\\Rc\\Rs\\h(IDi\\Xs)\\h(IDi\\Xs)®Rc). As a result, SKuuSj — SKsju and hence the theorem. □

6.2. Informal security analysis

In this section, we show that our scheme has the ability to tolerate various known attacks, which are given in the following theorems.

Theorem 2. Our scheme is secure against stolen smart card attacks.

Proof. The smart card is usually equipped with tamper-resistant device. Assume that the smart card Ci of a user Ui is lost or stolen. Having the smart card, the attacker can still retrieve all the sensitive information stored in the stolen smart card's memory using the power analysis attack (Kocher et al., 1999; Messerges et al., 2002) as described in our threat model in Section 5.2. Thus, we assume that the attacker knows the information (TDi, Dt, h(), Rep(),ft, r,, et,par), and K and SN,. Note that TDi — NID, ® h(ID,),D, — TD,,f — H(ID,\\K\\Bi), Gen(B,) — (bi, par,), r, — h(h(ID,\\K\\PWi)\f\\bi), e, — h(ID, \\Xs) ® r,. It is also noted that the user U's identity IDi is not stored in the smart card. Using et and r,, the attacker can obtain h(IDi\\Xs) — ei ® rAs pointed out in Das and Goswami, 2013, the probability to guess a correct identity composed of exact n characters is approximately ^fe. If Xs is m bits (in our scheme, m — 1024), the probability to guess both IDt and Xs at the same time is approximately ^¿m — 2^024, which is very negligible. Further, to guess the password PW, of exact n characters from ri, the attacker has to guess the identity ID, of exact m characters and the biometric key bi composed of l bits, and the probability to guess PW, then becomes approximately 26m|6n+l, which is also negligible. In addition, the attacker has no way to obtain Bi from fi due to secure BioHashing functionH(-), since IDt is unknown to that attacker. Hence, our scheme is secure against smart card stolen attacks. □

Theorem 3. Our scheme is secure against replay attacks.

Proof. Assume that the attacker intercepts the transmitted messages {NIDi, M2, M3, M4) during the login phase, and {M9,M10,M11) and {M16) during the authentication phase in a previous session. Suppose the attacker wants to start a new session with the login request message {NIDi, M'2, M3, M4) — {NID,, M2, M3, M4). Note that M4 — h(IDi\iSN,\\Rc3\M1). In Step A2 of our authentication phase, the server Sj stores the pair (ID,, M7) in its database, where M7 — Rc. When Sj receives this login request message {NID0, M'2, M3, M4), the server Sj first finds the entry (ID,, NID0) in its ID table, and then computes M5 — h(ID,\\Xs) and M6 — M2 ® M'5. After

that Sj checks if the condition M6 > SN holds or not. If it holds, Sj further computes M- =M3 ® M'5 = Rc, and M8 = h(IDi||M6||M'7||M5), and checks the condition M8 = M\. If it holds, this ensures that the login request message (NIDi, M2, M3, M4) is certainly a replay message and Sj simply discards this message. Thus, our scheme has the ability to protect the replay attacks. □

Theorem 4. Our scheme protects impersonation attacks.

Proof. In the following, we show that an attacker does not have any ability to impersonate the remote server Sj or a legal user Ui. Assume that the attacker intercepts the transmitted messages (NIDi, M2, M3, M4) during the login phase, and (M9, M10, M11) and (M16) during the authentication phase. Suppose the attacker wants to start a new session. To start the session, the attacker needs to modify the login request message (NIDi, M2, M3, M4) in order to impersonate the server Sj, where M2 = Mx ® SNt = h(ID,||Xs)® SN,, M3 = Mx ® Rc = h(ID,||Xs)® Rc, and M4 = h(ID,|SNi|Rc||M1). Let the attacker guess the high-entropy identity IDi and serial number SN. Then the attacker can compute h(IDt||Xs)' = M2 ® SN and R'c = M3 ® h(ID,||Xs)'. After that the attacker needs to compute M'4 = h(ID\|| SN^-1| Rc ||h(ID,||Xs)') and checks if M4 = M'4 holds, if it holds, the attacker can change M2, M3 and M4. However, the probability of guessing the identity ID, composed of exact n characters and the serial number SN, composed of exact m bits is approximately 26s+m, which is negligible. Note that the attacker does not know ID,, SN, and Rc. Suppose the attacker changes M2 and M3 to M"2 = M2 ® FSN, and M'3 = M3 ® Rac, where FSN, and Rac are the fake serial number and random nonce of the user Ui generated by the attacker, respectively. Then the attacker does not have any ability to compute M4 = h(IDia(SNi ® FSNt)|| (Rc ® Rac)||M1) and as a result, the attacker cannot modify M4. The attacker does not have any ability to modify other messages (M9, M10, M11) and (M16) during the authentication phase in order to cheat the user Ui also. Hence, our scheme protects impersonation attacks. □

Theorem 5. Our scheme protects man-in-the-middle attacks.

Proof. Suppose an attacker intercepts the login request message (NIDi, M2, M3, M4) during the login phase and tries to modify the message to (NIDi, M2, M3, M4). Note that M2 = M1 ® SN, = h(ID,aXs)® SN,, M3 = Mt® Rc = h(ID, ||Xs )®Rc, and M4 = h(ID,||SN,||Rc||M1) = ^IDHSNH Rc||h(ID,||Xs)). If the attacker can guess V = h(ID,||Xs) correctly, he/she can recompute M*2 = V ® SN, M3 = V ® Rac and M4 = h(mi||SNl|Rac||V) and sends the message (NIDi, M3, M4) to the server Sj such that the authentication passes at the server side. Observe that both IDt and Xs are unknown to the attacker. Thus, the probability to guess both IDi composed of exact n characters and Xs of length exact m bits (in our scheme, m = 1024) at the same time is approximately "51+m = ^^m, which is very negligible. As a result, the attacker does not have any ability to modify properly all the transmitted messages during the login and authentication phases, and hence, our scheme is secure against man-in-the-middle attacks. □

Theorem 6. Our scheme is secure against offline guessing attacks.

Proof. Suppose an attacker tries to retrieve secret data by intercepting all transmitted messages (NIDi, M2, M3, M4) during the login phase, and (M9, M10, M11) and (M16) during the authentication phase in a previous session. If the attacker can guess V = h(ID,||Xs) correctly, he/she can compute SNt = M2 ® V and R'c = M3 ® V. However, the probability to guess both IDi composed of exact n characters and Xs of length exact m bits (in our scheme, m = 1024) at the same time is approximately "S+m = ^dm, which is very negligible. On the other hand, if we assume that the smart card of a user is lost or stolen, then from Theorem 2 it is also clear that this is a computationally infeasible problem for the attacker to derive the password PWt and personal biometrics B, of the user U,. Thus, our scheme is also secure against offline guessing attacks. □

Theorem 7. Our scheme is secure against denial-of-service attacks.

Proof. Note that in our scheme, the smart card Ci of a user Ui stores TDi and D, for the previous as well as latest random identities so that the corruption of the message (M16) is not possible. As a result, our scheme is secure against denial-of-service attacks. □

Theorem 8. Our scheme prevents parallel session attacks.

Proof. Suppose an attacker intercepts the login request message (NIDi, M2, M3, M4) during the login phase and wants to start a parallel session. Note that the server Sj computes M5 = h(IDi||Xs) and M, = M2 ® M5 = SNt. Sj then verifies the condition whether M6 > SN, where SN is kept to the server Sj. Thus, the attacker does not have ability to start a parallel session due to usage of SNi by the user U,. Hence, our scheme has the ability to prevent parallel session attacks. □

6.3. Formal security analysis

In this section, through the formal security analysis we show that our scheme is provably secure against an adversary for deriving the secret session key shared between a user and the server. For the formal security analysis, we follow the random oracle model as used in Chatterjee et al. (2014), Das et al. (2013) and Islam and Biswas (2013, 2014).

For the formal security analysis, we first define the formal definition of a one-way hash function h() as follows.

Definition 2 (One-way hash function). As in Sarkar (2010) and Stinson (2006), we define a one-way collision-resistant hash function h : {0,1}* ! {0,1}n as a deterministic algorithm that takes as input an arbitrary length binary string x 2 {0,1}* and outputs a binary string y = h(x)2{0,1 }n of fixed-length n. We formalize an adversary A's advantage in finding collision in the following manner.

AdvHASH(t) = Pr[(x, x') ( A : x-x' and h(x) = h(x')],

where Pr[X] denotes the probability of an event X, and (x, x') ( A denotes the pair (x, x') is selected randomly by A. In this case, the adversary A is allowed to be probabilistic and the probability in the advantage is computed over the random choices made by the adversary A with the execution time t. The hash function h(-) is said to be collision-resistant if AdvHASH(t) 6 e, for any sufficiently small e > 0.

We then define the following random oracle for our analysis:

• Reveal: This random oracle will unconditionally output the input x from the corresponding hash value y — h(x).

Theorem 9. Under the assumption that the one-way collision-resistant hash function h() closely behaves like a random oracle, our scheme is provably secure against an adversary for deriving the secret session key SKUi,Sj shared between the user Ui and the server Sj.

Algorithm 1. EXPHAfHVAS

1: Eavesdrop the login request message {NIDi, M2, M3, M4) during the login phase, where

M1 = h(ID,-\\Xs), M2 = M1 © SN, = h(ID,\\Xs)© SN,, M3 = M1 © Rc = h(ID,\\Xs)© Rc, and M4 = h(ID,\\SN,\\Rc\\M1 ) = h(IDi\\SNi\\Rc\\h(IDi\\Xs )). 2: Call Reveal oracle on input M4 to retrieve the information IDi, SN,, Rc, and M1.

Let (ID,\\SN'l\\R'c\\M'1)^ Reveal(M4). 3: Compute SN! = M2 © M\ and R' = M3 © M\. If SN!

matches with SNi0 and R'0 matches with R' , accept SN0i and R' as the correct SN, and Rc, respectively. 4: Eavesdrop the authentication request message {M9, M10, M") during the authentication phase, where M9 = M5 © Rs = h(ID,\\Xs) ©Rs,M10 = h(Rs\\My\\M6)© NIDfw = h(Rs\\R'\\SN,)© NIDnew, Mn = h(ID,\\M6\\ M7 + 1\\Rs\\M5\\NIDnew) = h(ID,\\SN,\\Rc + 1\\Rs\\h(ID,-\\Xs)\\NIDnew). 5: Call reveal oracle on input Mn in order to retrieve information

ID,, M6 = SN, M7 + 1 = Rc + 1, Rs, M5 = h(ID,\ \ Xs) and NIDnew as

(id;/ \ \ M'\ \ \ M7 + 1 \ \ R's \ \ M'5 \ \ NIDnm" ) ^ Reveal(M11 ). 6: if ((M'6 = SN70) and (M7 + 1 = R'c + 1)) then 7: Compute the secret session key

SKUltSj = h(ID',\\SN,\\Rc\\Rs\\M1\\M3). 8: Accept the derived key SKUus, as the correct secret

session key between the user U, and the server Sj. 9: return 1 (Success)

10: 11 12

return 0 (Failure) end if

Proof. In this proof, we need to construct an adversary A who can derive the secret session key SKU ;Sj shared between the user U, and the server Sj. For this purpose, the adversary A runs the experimental algorithm EXPHBrUAs given in Algorithm 1 for our biometric-based remote user authentication scheme, say BRUAS.

We define the success probability for EXPHAbm^ provided in Algorithm 1 as Succ^^s — PAExpHfHuAS — 1]- 1. The advantage function for this experiment, ExpHABRRUf^ becomes Adv^RuAS^,qR1)— maxAfSuccHHBRUAS}, where the maximum is taken over all A with the execution time t1 and the number of queries qRi made to the Reveal oracle. Our scheme is then provably secure against an adversary A for deriving the secret session key SKUi;Sj shared between the user Ui and the server Sj, if AdvHASRHUAS(t1, qRl) 6 e, for any sufficiently small e > 0. '

Consider the experiment EXPHAbrUaS provided in Algorithm 1. According to this experiment, if the adversary A has the ability to solve (inverting) the one-way collision-resistant hash function h(-), he/she can derive correctly the secret session key SKUi;Sj shared between the user Ui and the server Sj and win the game. However, by Definition 1, AdvHASH(t) 6 e, for any sufficiently small e > 0. Thus, we have, AdvHABRUIAS( t1, qRi) 6 e, since it is dependent on AdvHASH(t). As a result, our scheme is provably secure against an adversary for deriving the secret session key SKUi;Sj shared between the user U, and the server S,. □

7. Simulation results for formal security verification of our scheme using AVISPA tool

In this section, we simulate our scheme for the formal security verification using the widely-accepted AVISPA tool (AVISPA, 2013a).

7.1. Overview of AVISPA

AVISPA (Automated Validation of Internet Security Protocols and Applications) is a push-button tool for the automated validation of Internet security-sensitive protocols and applications. It integrates four back-ends which implement a variety of state-of-the-art automatic analysis techniques. The first back-end, called the On-the-fly Model-Checker (OFMC), performs several symbolic techniques to explore the state space in a demand-driven way. The second backend, called the Constraint Logic based Attack Searcher (CL-AtSe), provides a translation from any security protocol specification written as transition relation in an intermediate format into a set of constraints which are effectively used to find whether there are attacks on protocols. The third backend, called the SAT-based Model-Checker (SATMC), builds a propositional formula and then the formula is fed to a state-of-the-art SAT solver to verify whether there is an attack or not. Finally, the fourth back-end, called the Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP), approximates the intruder knowledge by using regular tree languages. More details on AVISPA could be found in AVISPA (2013a).

To analyze the protocols under the AVISPA tool, they are specified in a language, called the HLPSL (High Level Protocols Specification Language), which is based on roles: basic roles for representing each participant role, and composition of roles for representing scenarios of basic roles,

where each role is independent from the other role, getting some initial information by parameters, communicating with the other roles by channels.

A HLPSL specification written from a protocol is first translated into a lower level specification by a translator, called the hlpsl2if, which in turn generates a specification in an intermediate format, called the Intermediate Format (IF). The output format (OF) of AVISPA is generated using one of the four back-ends specified above. The analysis of the OF is made as follows.

• The first printed section, called SUMMARY, indicates whether the protocol is safe, unsafe, or whether the analysis is inconclusive.

• The second section, called DETAILS, explains under what condition the protocol is declared safe, or what conditions have been used for finding an attack, or finally why the analysis was inconclusive.

• The remaining sections, called PROTOCOL, GOAL and BACKEND, are the name of the protocol, the goal of the analysis and the name of the back-end used, respectively.

• After some possible comments and the statistics, the trace of the attack (if any) is finally printed in a standard Alice-Bob format.

The basic types available in HLPSL are (AVISPA, 2013a):

• agent: Values of type agent represent principal names. The intruder is always assumed to have the special identifier i.

• public_key: These values represent agents' public keys in a public-key cryptosystem. For example, given a public (respectively private) key pk, its inverse private (respectively public) key is obtained by ¿nu_p£.

• symmetric_key: Variables of this type represent keys for a symmetric-key cryptosystem.

• text: In HLPSL, text values are often used as nonces. These values can be used for messages. If Na is of type text (fresh), then Na' will be a fresh value which the intruder cannot guess.

• nat: The nat type represents the natural numbers in nonmessage contexts.

• const: This type represents constants.

• hash_func: The base type hash_func represents cryptographic hash functions. The base type function also represents functions on the space of messages. It is assumed that the intruder cannot invert hash functions (in essence, that they are one-way).

The space of legal messages is defined as the closure of the basic types. For a given message Msg and encryption key Key, {Msg}_Key refers to as the symmetric/ public-key encryption and the associative "■'' operator is used for concatenations.

7.2. Specifying our scheme

We have implemented the registration phase, the login phase and the authentication phase of our scheme using the HLPSL language. In our implementation, we have two basic roles, namely alice and bob, which represent the participants as the user U, and the remote server Sj, respectively. The

specification in HLPSL language for the role of the initiator, the user Ui is shown in Fig. 1. The user Ui first receives the start signal and changes its state from 0 to 1, and sends the registration request message (ID,,f, RPW,) securely to the

role alice ( Ui, Sj : agent,

SKuisj: symmetric_key, % H is hash function H: hash_func,

% BH is BioHashing function BH: hash_func, Snd, Rev: channel(dy)) played_by Ui defi=

local State : nat,

RPWi, PWi, Bi, Xs, K, IDi, NIDi, SNi, TDi, Di, Fi, Ri, Ei, Rc, Rs : text, Bui, Pari: text,

Ml, M2, M3, M4, M5, M6, M7, M8, M9, M10, Mil, M12, M13, M14, M15, M16: message, Gen, Rep: hash_func, Inc: hash_func const alice_bob_rc, bob_alice_rs,

subsl, subs2, subs3 : protocoled init State := 0 transition

1. State = 0 A Rcv(start) =l> % Registration phase

State' := 1 A Fi' := BH(IDi.K.Bi) A RPWi' := H(IDi.K.PWi) A Snd( {IDi.H(RPWi' .Fi' .Bui) }_SKuisj) A secret({Xs}, subsl, Sj)

A secret({PWi, Bi, Bui, K, SNi}, subs2, Ui) A secret({IDi}, subs3, {Ui,Sj})

2. State = 1 A Rcv({xor(NIDi',H(IDi)).xor(NIDi',H(IDi)).

H.Rep.H(H(IDi.K.PWi).BH(IDi.K.Bi).Bui). xor(H(IDi.Xs), H(H(IDi.K.PWi) .BH(IDi.K.Bi).Bui)) }_SKuisj) =l> % Login phase State' := 2 A Rc' :=new() A SNi' := Inc(SNi.l) ADi' := xor(NIDi',H(IDi)) A NIDi' := xor(H(IDi),Di') AMI' := H(IDi.Xs) AM2' :=xor(Ml',SNi') AM3' :=xor(Ml',Rc') AM4' :=H(IDi.SNi'.Rc'.Ml') A Snd(NIDi'.M2'.M3'.M4') % Ui has freshly generated the value Rc' for Sj A witness(Ui, Sj, alice_bob_rc, Rc') % Authentication phase

3. State = 2 A Rev (xor(H(IDi.Xs), Rs').

xor(H(Rs'.xor(xor(H(IDi.Xs),Rc'),H(IDi.Xs)). xor(xor(H(IDi.Xs),SNi'), H(IDi.Xs))),NIDi'). H(IDi.xor(xor(H(IDi.Xs),SNi'),H(IDi.Xs)). Inc(xor(xor(H(IDi.Xs),Rc'),H(IDi.Xs)).l). Rs'.H(IDi.Xs).NIDi')) =l> State' := 3 AM12' :=xor(xor(H(IDi.Xs),Rs'),H(IDi.Xs)) AM13' := H(M12'.Rc'.SNi') AM10' := xor(H(Rs'.xor(xor(H(IDi.Xs),Rc'),H(IDi.Xs)).

xor(xor(H(IDi.Xs),SNi'), H(IDi.Xs))),NIDi') AM 14' := xor(M13',M10')

AM16' := H(IDi.SNi'.Inc(Rc'.l).Inc(M12M).Ml.M14') A Snd(M16')

% Ui's acceptance of the value Rs' generated for Ui by Sj

A request(Sj, Ui, bob_alice_rs, Rs') end role_

Figure 1 Role specification in HLPSL for the user Ui of our scheme.

server Sj using the Snd( ) operation. The user Ut then gets a smart card issued by the server Sj with the information (TDi,D,,h(-),Rep(),r,,e) securely from Sj by the Rcv() operation. During the login phase, Ui sends the login request message {NIDi, M2, M3, M4) to Sj. After receiving the authentication request message {M9, M10, M11) from Sj, Ut finally sends the authentication acknowledgment message {M16) to Sj.

The type declaration channel(dy) declares that the channel is for the Dolev-Yao threat model (as described in our threat model in Section 5.2). In such case, the intruder, which is always denoted by i, has the ability to intercept, analyze, and/or modify messages transmitted over the insecure channel. In HLPSL specification, witness(A,B,id,E) declares for a (weak) authentication property of A by B on E, declares that agent A is witness for the information E; this goal will be identified by the constant id in the goal section (AVISPA, 2013a). On the other hand, request(B,A,id,E) is for a strong authentication property of A by B on E, declares that agent B requests a check of the value E; this goal will be identified by the constant id in the goal section (AVISPA, 2013a).

In Fig. 2, we have implemented the specification in HLPSL language for the role of the responder, the remote server Sj. During the registration phase, after receiving the registration request message {ID,, r,) securely from U,, Sj issues a smart card and sends it with the information (TD,, Dt, h(-), Rep(-), rt, et) securely to U,. In the authentication phase, after receiving the login request message {NIDi, M2, M3, M4), Sj sends the authentication request message {M9, M10, M11) to Ut. Finally, Sj waits for the authentication acknowledgment message {M16) from Ui to finish the successful mutual authentication with U,.

We have specified the roles for the session, and the goal and environment of our scheme are specified in Figs. 3 and 4. In the session segment, all the basic roles: alice and bob are instanced with concrete arguments. The top-level role (environment) is always defined in the specification of HLPSL language. This role contains the global constants and a composition of one or more sessions, where the intruder may play some roles as legitimate users. The intruder also participates in the execution of protocol as a concrete session. The declaration witness(A, B, bob_alice_rs, Rs') tells that A has freshly generated the value rs for B. The declaration request(A, B, alice_bob_rc, Rc') means that B's acceptance of the value rc generated for B by A. In other words, the agent B authenticates the agent A. The declaration secret(X, t, A) indicates that X is kept secret permanently to B. The label t (of type protocol_id) is used to identify the goal.

In our implementation, the following three secrecy goals and two authentications are verified:

• secrecy_of subs1: It represents that Xs is kept secret to the server Sj only.

• secrecy_of subs2: It indicates that PWi, Bt, bi, K, and SNi are kept secret to the user Ui only.

• secrecy_of subs3: It tells that IDi is kept secret to both Ui and Sj .

• authentication_on alice_bob_rc: Ui (Ci) generates a random nonce Rc, where Rc is only known to Ui. When the server Sj receives Rc from the messages from Ui, Sj performs strong authentication for Ui.

role bob (Ui, Sj : agent,

SKuisj : symmetric_key, % H is hash function H: hash_func,

% BH is BioHashing function BH: hash_func, Snd, Rev: channel(dy)) played_by Sj def=

local State : nat,

RPWi, PWi, Bi, Xs, K, IDi, NIDi, SNi, TDi, Di, Fi, Ri, Ei, Rc, Rs: text, Bui, Pari: text,

Ml, M2, M3, M4, M5, M6, M7, M8, M9, M10, Mil, M12, M13, M14, M15, M16: message, Gen, Rep: hash_fiuie, Inc: hash_func const alice_bob_rc, bob_alice_rs,

subsl, subs2, subs3 : protocoled init State := 0 transition

% Registration phase

1. State = 0 A Rcv({IDi.H(RPWi'.Fi'.

Bui)}_SKuisj) =l> State' := 1 A secret({Xs}, subsl, Sj)

A secret({PWi, Bi, Bui, K, SNi}, subs2, Ui) A secret({IDi}, subs3, {Ui,Sj}) A NIDi' := new() A TDi' := xor(NIDi',H(IDi)) ADi' := xor(NIDi',H(IDi)) A Fi' := BH(IDi.K.Bi) A RPWi' := H(IDi.K.PWi) ARi' := H(RPWi'.Fi'.Bui) A Ei' := xor(H(IDi.Xs), Ri') A Snd({TDi'.Di'.H.Rep.Ri'.Ei' }_SKuisj) % Login phase

2. State = 1 ARcv(xor(H(IDi),xor(NIDi',H(IDi))).

xor(H(IDi.Xs),SNi').

xor(H(IDi.Xs),Rc').

H(IDi.SNi'.Rc'.H(IDi.Xs))) =l> % Authentication phase State' := 2 A M5' := H(IDi.Xs) AM2' :=xor(M5',SNi') AM3' :=xor(M5',Rc') AM6' :=xor(M2',M5') AM7' :=xor(M3',M5') AM8' := H(IDi.M6'.M7'.M5') A Rs' := new() AM9' :=xor(M5',Rs') AM10' := xor(H(Rs'.M7'.M6'),NIDi') A Mil' := H(IDi.M6'.Inc(M7'.l).Rs'.M5'.NIDi') A Snd (M9'.M10'.M11') % Sj has freshly generated the value Rs' for Ui A witness(Sj, Ui, bob_alice_rs, Rs')

3. State = 2 A Rcv(H(IDi.SNi'.Inc(Re'.l).Inc(xor(xor(H(IDi.Xs), Rs'),H(IDi.Xs)).l).

H(IDi.Xs).xor(H(Rs' .Rc' .SNi'),

xor(H(Rs'.xor(xor(H(IDi.Xs),Rc'),

H(IDi.Xs)).

xor(xor(H(IDi.Xs),SNi'), HODi.Xs))),NIDi')))) =l> State' := 3 A request(Ui, Sj, ahce_bob_rc, Rc') % Sj's acceptance of the value Rc' generated for Sj by Ui end role

Figure 2 Role specification in HLPSL for the server Sj of our scheme.

role session(Ui, Sj: agent,

SKuisj: symmetric_key, H: hash_func, BH: hash_func)

local SI, SJ, RI, RJ: channel (dy)

composition

alice(Ui, Sj, SKuisj, H, BH, SI, RI) A bob (Ui, Sj, SKuisj, H, BH, SJ, RJ) end role_

Figure 3 Role specification in HLPSL for the session of our scheme.

role environment() def= const ui, sj: agent,

skuisj : symmetric_key, h : hash_func, bh: hash_func,

pwi, bi, xs, k, idi, nidi, rc, rs: text, alice_bob_rc, bob_alice_rs, subsl, subs2, subs3: protocol_id intruder_knowledge = {ui, sj, h, bh}

composition

session(ui, sj, skuisj, h, bh) A session(ui, sj, skuisj, h, bh) end role

goal secrecy_of subsl secrecy_of subs2 secrecy_of subs3 authentication_on alice_bob_rc authentication_on bob_alice_rs end goal

environmentQ_

Figure 4 Role specification in HLPSL for the goal and environment of our scheme.

• authentication_on bob_alice_rs: Sj generates a random nonce Rs, where Rs is only known to Sj. If the user U,-receives Rs from the messages from Sj, U,- performs strong authentication for Sj.

In the goal section of the protocol, we write

authentication_on alice_bob_rc authentication_on bob_alice_rs

to indicate that the witness and request goal facts containing those two protocol ids, alice_bob_rc and bob_alice_rs, should be taken into account.

7.3. Analysis of results

The On-the-Fly Model-Checker (OFMC) builds the infinite tree defined by the protocol analysis problem in a demand-driven way, i.e. on-the-fly, hence the name of the back-end. This backend uses a number of symbolic techniques in order to represent the state-space. OFMC can be employed not only

for efficient falsification of protocols (i.e., fast detection of attacks), but also for verification (i.e., proving the protocol correct) for a bounded number of sessions - without bounding the messages an intruder can generate (AVISPA, 2013a).

We have chosen the back-end OFMC for an execution test and a bounded number of sessions model checking (Basin et al., 2005). For the replay attack checking, the back-end checks whether the legitimate agents can execute the specified protocol by performing a search of a passive intruder. After that the back-end gives the intruder the knowledge of some normal sessions between the legitimate agents. For the Dolev-Yao model check, the back-end checks whether there is any man-in-the-middle attack possible by the intruder.

Finally, in this section we have simulated our scheme for formal security verification using the AVISPA web tool (AVISPA, 2013b) for the most widely-accepted OFMC model checker. The simulation results for the formal security verification analysis of our scheme using OFMC are shown in Fig. 5. The first printed section, SUMMARY indicates whether the protocol is safe, unsafe, or whether the analysis is inconclusive. It is clear that our scheme is safe from the printed SUMMARY section. The section, DETAILS explains under what condition the protocol is declared safe, or what conditions have been used for finding an attack, or finally why the analysis was inconclusive. From Fig. 5, it is noted that our scheme is declared as safe, and no attack is found in our scheme. Thus, the results in this figure ensure that our scheme is secure against passive and active attacks including the replay and man-in-the-middle attacks.

8. Performance comparison with related schemes

In this section, we compare the performance of our scheme with Li-Hwang's scheme (Li and Hwang, 2010), Li et al.'s scheme (Li et al., 2011), Das's scheme (Das, 2011a) and An's scheme (An, 2012).

In Table 5, we have compared the communication overhead of our scheme with that for Li-Hwang's scheme, Li et al.'s scheme, Das's scheme, and An's scheme, during the login and authentication phases. In all schemes, we assume that both identity ID, of the user U and the hash digest are 160 bits. During the login and authentication phases, the

% OFMC

% Version of 2006/02/13 SUMMARY SAFE DETAILS

BOUNDEDJNrUMBER_OF_SESSIONS PROTOCOL /home/avispa/web-interface-computation/ ./tempdir/workfileyklCVQ.if GOAL as_specified BACKEND OFMC COMMENTS STATISTICS parseTime: 0.00s searchTime: 0.18s visitedNodes: 4 nodes depth: 2 plies

Figure 5 The result of the analysis using OFMC of our scheme.

Table 5 Comparison of communication overhead between

our scheme and other schemes during the login and authentica-

tion phases.

Scheme Total number of Total number of

messages required bits required

Li-Hwang (Li and 3 800

Hwang, 2010)

Li et al. (Li et al., 2 960

Das (Das, 2011a) 3 1120

An (An, 2012) 3 960

Ours 3 1280

communication overheads for Li-Hwang's scheme, Li et al.'s scheme and Das's scheme are 800 bits, 960 bits, and 1120 bits, respectively. In An's scheme, during the login phase, the message {IDi, M2, M3) requires (160 + 160 + 160) = 480 bits, and during the authentication phase, the messages (M6, M7) and (M9) require 320 and 160 bits, respectively. Thus, An's scheme requires (480 + 320 + 160)= 960 bits. On the other hand, in our scheme, during the login phase, the message {NID', M2, M3, M4) requires (160 + 160 + 160 + 160) = 640 bits, and during the authentication phase, the messages {M9,M10,Mu) and {Mi6) require 480 and 160 bits, respectively. As a result, our scheme requires (640 + 480+ 160) = 1280 bits for communication overhead.

In Table 6, we have compared the computational overhead of our scheme with Li-Hwang's scheme, Li et al.'s scheme, Das's scheme, and An's scheme during all phases. It is clear to note that due to computational efficiency of hash function h(-) and BioHashing H(-), our scheme is comparable to An's scheme. Note that the registration phase is executed only once and the password change phase is only performed periodically (not frequently) for security reasons. In our scheme, the functions Gen(-) and Rep(-) used for biometric key generation and verification are efficient. The computational overhead for our scheme is comparable to that for Li et al.'s scheme (Li et al., 2011). Though our scheme requires little more communication and computational overheads as compared to that for Li-Hwang's scheme, Das's scheme, An's scheme, but considering

the functionality and security services provided by our scheme, we conclude that our scheme is better than those for other schemes.

Finally, in Table 7 we have compared the functionality of our scheme with Li-Hwang's scheme, Li et al.'s scheme, Das's scheme, and An's scheme. It is clear to see that our scheme supports efficiently and correctly password change

Table 7 Functionality comparison between our scheme and other schemes during all phases.

Functionality Li-Hwang Li et al. Das An Our

(Li and (Li et al., (Das, (An,

Hwang, 2011) 2011a) 2012)

Fi Yes Yes No Yes No

f2 Yes Yes No Yes No

F3 No No No No Yes

f4 No Yes Yes No Yes

F5 No No Yes No Yes

F6 No Yes No Yes Yes

f7 Yes Yes No No Yes

f8 Yes Yes No No Yes

f9 Yes Yes Yes Yes Yes

F10 No Yes Yes No Yes

Fii No Yes No No Yes

F12 No No No No Yes

Fi3 No No No No Yes

Fi4 No No No No Yes

Fi5 No No No No Yes

Notes: F1: whether flaws exist in login and authentication phase; F2: whether flaws exist in password change phase; F3: whether protects privileged insider attacks or not; F4: whether protects man-in-the-middle attacks or not; F5: whether provides proper authentication or not; F6: whether protects stolen smart card attacks or not; F7: whether protects impersonation attacks or not; F8: whether resilient against offline attacks or not; F9: whether protects DoS attacks or not; F10: whether resists replay attacks or not; Fn: whether establishes a secret session key between U and Sj after successful authentication or not; F12: whether provides formal security verification or not; F13: whether supports user anonymity property or not; F14: whether supports user auditing property or not; F15: whether provides uniqueness property or not.

Table 6 Comparison of computational overhead between our scheme and other schemes during all phases.

Phase Entity Li-Hwang (Li and Hwang, Li et al. (Li et al., Das (Das, An (An, Ours

2010) 2011) 2011a) 2012)

Registration Ui/Ci - th - - 2th + tH + tgen

Sj 3th 3 th 3th 3th 2th

Login and Ui/C¡ 3th tbiover " 7th tbiover " 5th 5th trep " 7th

authentication

Sj 4th 6 th 5th 4th 6th

Password change Ui/Ci 3th tbiover " 4th tbiover " 2th N/A trep " 4th

Sj - - - N/A -

Notes: tH: time for BioHashing operation; th: time for one-way hashing operation; tbiover: time for biometric verification using template pattern matching in Das (2011a) and Li et al. (2011); tgen: time taken for executing probabilistic Gen(-) algorithm; trep: time taken for executing deterministic Rep( ) algorithm; N/A: not applicable for the scheme.

phase by any user locally without contacting the server furthermore, whereas Li-Hwang's scheme, Li et al.'s scheme and An's scheme do not support this feature. Our scheme supports uniqueness and user anonymity properties while Li-Hwang's scheme, Li et al.'s scheme, Das's scheme and An's scheme do not provide these properties. In addition, our scheme is secure against all possible known attacks including the security weaknesses found in An's scheme and other schemes. Further, our scheme is provably secure whereas other schemes are not prov-ably secure. Li-Hwang's scheme, Li et al.'s scheme, Das's scheme, and An's scheme do not prevent insider attack, whereas our scheme is secure against such attack. In our scheme and Li et al.'s scheme, after successful mutual authentication, both the user Ui and the server Sj establish a secret session key shared between them so that they can communicate securely using that established session key. In other schemes, after mutual authentication, both the user Ui and the server Sj do not establish a secret session key shared between them. In summary, our scheme provides all the functionality requirements listed in Table 7 as compared to other related schemes, such as our scheme does not contain any flaws in the login and authentication phase as well as the password change phase, and our scheme resists privileged insider attack, man-in-the-middle attack, stolen smart card attack, impersonation attack, offline attack, DoS attack, replay attack. In addition, our scheme always provides proper authentication, establishes a secret session key between Ui and Sj after successful authentication, provides formal security verification using the widely-accepted AVISPA tool, supports user anonymity property and user auditing property, and also provides uniqueness property. As a result, considering the functionality and security services provided by our scheme, our scheme is much better than other existing schemes.

9. Conclusion

In this paper, we have reviewed the recently proposed An's scheme and shown that An's scheme has several security weaknesses. We have proposed a new robust and secure efficient biometric-based remote user authentication scheme using smart cards to withstand the security flaws found in An's scheme. Compared to An's scheme, our scheme supports efficiently the changing of user's password locally and correctly at any time by the user without contacting the remote server, uniqueness and anonymity preserving properties, and strong replay attack protection. Through the informal and formal security analysis, we show that our scheme is secure against all possible known attacks including the attacks found in An's scheme. The simulation results of our scheme using the widely-accepted AVISPA tool ensure that our scheme is secure against passive and active attacks. Hence, higher security and low communication and computational costs make our scheme much appropriate for practical applications.

Acknowledgments

The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the Editor-in-Chief, which have improved the content and the presentation of this paper.

References

An, Y., 2012. Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. J. Biomed. Biotechnol. 2012, 1-6. Article ID 519723.

AVISPA. Automated Validation of Internet Security Protocols and Applications. <http://www.avispa-project.org/> (accessed January 2013).

AVISPA. AVISPA Web Tool. <http://www.avispa-project.org/web-interface/expert.php/> (accessed January 2013).

Basin, D., Modersheim, S., Vigano, L., 2005. OFMC: a symbolic model checker for security protocols. Int. J. Inf. Security 4 (3), 181208.

Burnett, A., Byrne, F., Dowling, T., Duffy, A., 2007. A biometric identity based signature scheme. Int. J. Netw. Security 5 (3), 317326.

Chang, Y.-F., Yu, S.-H., Shiao, D.-R., 2013. An uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37 (2), 1-9.

Chatterjee, S., Das, A.K., Sing, J.K., 2014. A novel and efficient user access control scheme for wireless body area sensor networks. J. King Saud Univ. Comput. Inf. Sci. http://dx.doi.org/10.1016/ j.jksuci.2013.10.007.

Chou, J.S., Huang, C.H., Huang, Y.S., Chen, Y., 2013. Efficient two-pass anonymous identity authentication using smart card. IACR Cryptol. ePrint Arch. 402, 2013.

Das, A.K., 2011a. Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Security 5 (3), 145-151.

Das, A.K., 2011b. Cryptanalysis and further improvement of a biometric-based remote user authentication scheme using smart cards. Int. J. Netw. Security Appl. 3 (2), 13-28.

Das, A.K., Goswami, A., 2013. A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37 (3), 1-16.

Das, A.K., Massand, A., Patil, S., 2013. A novel proxy signature scheme based on user hierarchical access control policy. J. King Saud Univ. Comput. Inf. Sci. 25 (2), 219-228.

Dodis, Y., Reyzin, L., Smith, A., 2004. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of the Advances in Cryptology (Eurocrypt'04), LNCS, vol. 3027, pp. 523-540.

Dolev, D., Yao, A., 1983. On the security of public key protocols. IEEE Trans. Inf. Theory 29 (2), 198-208.

Perceptual Hashing. <http://www.amsqr.com/2013/01/perceptual-hashing.html> (accessed November 2013).

He, D., Wang, J., Zheng, Y., 2008. User authentication scheme based on self-certified public-key for next generation wireless network. In: Proceedings of International Symposium on Biometrics and Security Technologies (ISBAST 2008), pp. 1-8.

Islam, S.H., Biswas, G.P., 2013. Provably secure certificateless strong designated verifier signature scheme based on elliptic curve bilinear pairings. J. King Saud Univ. Comput. Inf. Sci. 25 (1), 51-61.

Islam, S.H., Biswas, G.P., 2014. A provably secure identity-based strong designated verifier proxy signature scheme from bilinear pairings. J. King Saud Univ. Comput. Inf. Sci. 26 (1), 55-67.

Jain, A.K., Ross, A., Prabhakar, S., 2003. An introduction to biometric recognition. IEEE Trans. Circuits Syst. Video Technol. 14 (1), 4-20.

Jina, A.T.B., Linga, D.N.C., Goh, A., 2004. Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognit. 37 (11), 2245-2255.

Khan, M.K., Kumari, S., 2013. An improved biometrics-based remote user authentication scheme with user anonymity. BioMed. Res. Int. 2013, 1-9. http://dx.doi.org/10.1155/2013/491289. Article ID 491289.

Kocher, P., Jaffe, J., Jun, B., 1999. Differential power analysis. In: Proceedings of Advances in Cryptology - CRYPTO'99, LNCS, vol. 1666, pp. 388-397. Lee, T.-F., Liu, C.-M., 2013. A secure smart-card based authentication and key agreement scheme for telecare medicine information systems. J. Med. Syst. 37 (3), 1-8. Li, C.-T., Hwang, M.-S., 2010. An efficient biometric-based remote authentication scheme using smart cards. J. Netw. Comput. Appl.

33 (1), 1-5.

Li, X., Niu, J.-W., Ma, J., Wang, W.-D., Liu, C.-L., 2011. Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl.

34 (1), 73-79.

Linnartz, J.-P., Tuyls, P., 2003. New shielding functions to enhance privacy and prevent misuse of biometric templates. In: Proceedings of Audio and Video-Based Biometric Person Authentication, LNCS, vol. 2688, pp. 393-402. Lumini, A., Nanni, L., 2007. An improved BioHashing for human

authentication. Pattern Recognit. 40 (3), 1057-1065. Maltoni, D., Maio, D., Jain, A.K., Prabhakar, S., 2009. Handbook of

Fingerprint Recognition, second ed. Springer-Verlag, New York. Manuel, S., 2011. Classification and generation of disturbance vectors for collision attacks against SHA-1. Designs Codes Cryptogr. 59 (1-3), 247-263.

Messerges, T.S., Dabbish, E.A., Sloan, R.H., 2002. Examining smartcard security under the threat of power analysis attacks. IEEE Trans. Comput. 51 (5), 541-552.

Pasca, V., Jurcut, A., Dojen, R., Coffey, T., 2008. Determining a parallel session attack on a key distribution protocol using a model checker. In: Proceedings of the 6th International Conference on Advances in Mobile Computing and Multimedia (MoMM 2008), pp. 150-155.

Prabhakar, S., Pankanti, S., Jain, A.K., 2003. Biometric recognition: security and privacy concerns. IEEE Security Privacy 1 (2), 33-42.

Sarkar, P., 2010. A simple and generic construction of authenticated encryption with associated data. ACM Trans. Inf. Syst. Security 13 (4), 33.

Secure Hash Standard, 1995. FIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce (April 1995).

Stallings, W., 2003. Cryptography and Network Security: Principles and Practices, third ed. Pearson Education India.

Stinson, D.R., 2006. Some observations on the theory of cryptographic hash functions. Designs Codes Cryptogr 38 (2), 259-277.