Expert Systems with Applications 41 (2014) 8129–8143
A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards

Dheerendra Mishra (a), Ashok Kumar Das (b, *), Sourav Mukhopadhyay (a)

(a) Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur 721 302, India
(b) Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India

Article info
Article history: Available online 15 July 2014
Keywords: Remote user authentication; Multi-server; Smart card; Biometrics; User anonymity; Security; AVISPA
Abstract

Advancement in communication technology provides a scalable platform for various services, where a remote user can access a server from anywhere without leaving his/her place. It provides a unique opportunity for online services, such that a user does not need to be physically present at the service center. These services adopt authentication and key agreement protocols in order to ensure authorized and secure access to resources. Most of the authentication schemes proposed in the literature support a single-server environment, where the user has to register with each server: if a user wishes to access multiple application servers, he/she must register with each of them. Multi-server authentication introduces a scalable platform in which a user can interact with any server using a single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on a user's password and biometrics (Chuang and Chen, 2014). Their scheme is lightweight, requiring only the computation of hash functions. In this paper, we first analyze Chuang and Chen's scheme and identify that it does not resist the stolen smart card attack, which leads to the user impersonation attack and the server spoofing attack. We also show that their scheme fails to resist the denial-of-service attack. We propose an efficient improvement on Chuang and Chen's scheme that overcomes these weaknesses while retaining the original merits of their scheme. Through rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks, including the attacks found in Chuang and Chen's scheme. Furthermore, we simulate our scheme for formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against the replay and man-in-the-middle attacks. In addition, our scheme is comparable in communication and computational overhead with Chuang and Chen's scheme and other related existing schemes.

© 2014 Elsevier Ltd. All rights reserved.
1. Introduction

An expert system is a computer system which emulates, or acts in all respects with, the decision-making capabilities of a human expert. Expert systems have several applications, including network management and security auditing. Tsudik and Summers (1990) proposed an application of expert systems to security auditing, called AudES. AudES explores potential expert system applications in the area of computer security auditing; it was designed to automate manual security auditing procedures and to alleviate the burden on human auditors. Hariri and Jabbour (1991) introduced a generalized architecture for an expert system to manage the resources of a computer network and/or a distributed system. Pasquale (1998) also proposed an approach to managing distributed computer systems using expert systems.

* Corresponding author. Tel.: +91 40 6653 1506; fax: +91 40 6653 1413. E-mail addresses: [email protected] (D. Mishra), [email protected], [email protected] (A.K. Das), [email protected] (S. Mukhopadhyay). DOI: http://dx.doi.org/10.1016/j.eswa.2014.07.004. 0957-4174/© 2014 Elsevier Ltd. All rights reserved.

Advances in communication technology have enhanced the quality of online services in distributed computer networks. This provides a unique opportunity to users, who can access remote servers at any time and from anywhere. These services are highly useful in various fields such as e-commerce, e-medicine, e-education, etc. A user usually interacts with a server via a public channel, which is considered insecure: an adversary can eavesdrop on, intercept, modify, delete or replay the communication between user and server, which creates privacy and security threats. Authentication protocols, on the other hand, help to protect transmissions over a public channel. Smart-card-based authentication protocols are designed and developed in order to
provide authorized and secure communication between remote entities. Conventional user authentication schemes are designed for single-server environments. These schemes are not suitable for a multi-server environment, as the user has to register with each server independently. Multi-server authentication schemes, on the other hand, offer a form of registration where a single registration is sufficient to access multiple servers in the system.

In the last decade, various multi-server authentication schemes have been proposed in the literature. Li, Lin, and Hwang (2001) introduced an authentication scheme for the multi-server architecture using neural networks and without any verification table. Lin, Hwang, and Li (2003) pointed out the drawbacks of Li et al.'s scheme, showing that it takes a long time to train the neural networks, and proposed an improved scheme based on the discrete logarithm problem. Later, Cao and Zhong (2006) pointed out that Lin et al.'s scheme fails to resist the impersonation attack. Juang (2004) presented a multi-server authentication scheme using a symmetric-key cryptosystem; unfortunately, this scheme does not resist the insider attack. Chang and Lee (2004) proposed a multi-server authentication scheme which is more efficient than Juang's. Tsai (2008) pointed out that Chang and Lee's scheme, which considers the registration center and all servers to be trustworthy, involves several security problems, and proposed a smart-card-based multi-server authentication scheme without a verification table. This scheme is based on the one-way hash function and does not require storing any verification table at the registration center or at the servers. Tsaur, Li, and Lee (2012) observed that the schemes discussed above use timestamps to resist the replay attack, which incurs the cost of implementing clock synchronization.
To overcome this problem, they presented a self-verified timestamp method that avoids the difficulty of implementing clock synchronization in multi-server environments. However, none of the schemes of Li et al. (2001), Lin et al. (2003), Juang (2004), Chang and Lee (2004), Tsai (2008) and Tsaur et al. (2012) provides the user anonymity property. Liao and Wang (2009) proposed a dynamic ID-based remote user authentication scheme designed to protect user anonymity during authentication in a multi-server environment. However, Chen, Hwang, Lee, and Jan (2009) demonstrated that Liao and Wang's scheme fails to achieve forward secrecy. Later, Hsiang and Shih (2009) pointed out the vulnerability of Liao and Wang's scheme to the insider attack, server spoofing attack and user masquerade attack, and proposed an improved scheme to overcome these weaknesses. Lee, Lin, and Chang (2011) pointed out that Hsiang and Shih's scheme is also vulnerable to the server spoofing attack and fails to provide mutual authentication. Lee et al. then presented an improved scheme and claimed that it is more secure and efficient than the existing schemes. Truong, Tran, and Duong (2013) showed that Lee et al.'s scheme does not resist the user impersonation attack and the stolen smart card attack, and proposed a revised scheme to overcome these attacks. Unfortunately, Truong et al.'s scheme is also vulnerable to the insider attack. Sood, Sarje, and Singh (2011) pointed out the weaknesses of Hsiang and Shih's scheme and proposed an improved dynamic identity-based authentication scheme for the multi-server architecture. However, Li, Xiong, Ma, and Wang (2012) showed that Sood et al.'s scheme does not resist the leak-of-verifier attack and the stolen smart card attack.
In addition, they proposed an improved smart-card-based authentication scheme for the multi-server architecture, which requires the involvement of a control server to achieve mutual authentication. The need for the control server in the mutual authentication procedure makes this scheme inefficient. Wang and Ma (2013) introduced a smart-card-based authentication scheme for the multi-server environment. However, He and Wu (2013) showed that Wang and Ma's scheme is vulnerable to the privileged insider attack, server spoofing attack, impersonation attack and off-line password guessing attack. Recently, Pippal, Jaidhar, and Tapaswi (2013) proposed a multi-server authentication scheme using smart cards and claimed that it resists the server spoofing attack, user impersonation attack, insider attack, replay attack, password guessing attack, stolen smart card attack and stolen verifier attack. However, He, Chen, Shi, and Khan (2013) demonstrated that Pippal et al.'s scheme does not resist the user impersonation attack, server spoofing attack, privileged insider attack or off-line password guessing attack.

Password-based multi-server authentication schemes use passwords and cryptographic secret keys for remote user authentication. However, password-based methods have some problems: a long and random password cannot be used in such schemes, because it is difficult for a user to remember, so it would have to be stored somewhere. In addition, passwords can be forgotten, lost or shared with other people, and there is no way to identify who the actual user is (Lee & Hsu, 2013). Biometric keys (fingerprint, face, iris, hand geometry, palmprint, etc.), on the other hand, do not need to be remembered, and the uniqueness of biometrics increases their applicability in authentication protocols. The advantages of using biometric keys are (Li & Hwang, 2010; Das, 2011):

- Biometric keys cannot be lost or forgotten.
- Biometric keys are extremely hard to forge or distribute.
- Biometric keys are extremely difficult to copy or share.
- Biometric keys cannot be guessed easily, as compared to low-entropy passwords.
- One person's biometrics are not easier to break than another's.
Yang and Yang (2010) proposed a multi-server authentication scheme using biometric keys. However, their scheme does not resist the insider attack and has a high computational cost, as it requires exponentiation operations. Yoon and Yoo (2011) proposed a biometric-based authenticated key agreement scheme for the multi-server environment. He (2011) pointed out that Yoon and Yoo's scheme is vulnerable to the insider attack, masquerade attack and stolen smart card attack. Kim, Jeon, Lee, Lee, and Won (2012) also pointed out that Yoon and Yoo's scheme cannot resist the off-line password guessing attack, and proposed an improved scheme to prevent it. However, their scheme cannot efficiently verify the correctness of the password in the login and password change phases, and it also fails to protect user anonymity, like the previous biometric-based multi-server authentication schemes (Yang & Yang, 2010; Yoon & Yoo, 2011). Recently, Chuang and Chen (2014) proposed an anonymous multi-server authenticated key agreement scheme based on smart cards along with password and biometrics. Their scheme provides an efficient solution for the multi-server environment, where a user interacts with any server using a single registration. It protects user anonymity and has lower computation overhead than the previous schemes of Yang and Yang (2010), Yoon and Yoo (2011) and Kim et al. (2012). Unfortunately, we identify that their scheme does not resist the stolen smart card attack, which leads to the user impersonation attack and the server spoofing attack. We also show that their scheme fails to resist the denial-of-service attack. The characteristics and drawbacks of several existing multi-server authentication schemes are summarized in Table 1, from which it is clear that the existing schemes have security flaws.
Thus, we feel that there is a great need to design an efficient and secure authentication scheme suited for a multi-server environment, which will satisfy all desirable security requirements.
Table 1
Summary of the characteristics and drawbacks of existing multi-server authentication schemes.

Scheme                    Characteristics   Drawbacks/Limitations
Li et al. (2001)          DLP, HF           NA, PIA, NPCP, ILP
Lin et al. (2003)         EDS, DLP, HF      NA, IA
Juang (2004)              SC, HF            NA, PIA
Chang and Lee (2004)      SC, HF            NA, PIA
Tsai (2008)               HF                NA, PIA, NPCP, ILP
Liao and Wang (2009)      HF                PIA, SSA, UMA
Hsiang and Shih (2009)    HF                SSA, NMA
Yang and Yang (2010)      DLP, HF           PIA
Lee et al. (2011)         HF                SSA, IA
Yoon and Yoo (2011)       ECC               PIA, SSA, PGA
Kim et al. (2012)         HF                ILP, IPCP, NA
Truong et al. (2013)      HF                PIA
Pippal et al. (2013)      HF, MM            IA, SSA, PIA, OPGA
Chuang and Chen (2014)    HF                SSCA, IA, SSA, MMA

Note: PIA: Privileged insider attack; IA: Impersonation attack; NFS: No forward secrecy; SSA: Server spoofing attack; UMA: User masquerade attack; MMA: Man-in-the-middle attack; SSCA: Stolen smart card attack; NPCP: No password change phase; ILP: Inefficient login phase; NA: No anonymity; CSP: Clock synchronization problem; NMA: No mutual authentication; IPCP: Inefficient password change phase; DLP: Discrete logarithm problem; EDS: ElGamal digital signature; SC: Symmetric cryptosystem; HF: Hash function; MM: Modular multiplication.
1.1. Threat model

In this paper, we make use of the following threat model. The assumptions are (Boyd & Mathuria, 2003; Eisenbarth et al., 2008; Kocher, Jaffe, & Jun, 1999b; Messerges, Dabbish, & Sloan, 2002b; Yang & Shieh, 1999):

- An adversary is able to extract the information stored in a smart card by examining its power consumption or other leaked information.
- An adversary can eavesdrop on all communications between user and server over a public channel.
- An adversary can modify, delete, resend and reroute the eavesdropped messages.
- An adversary can be a legitimate user or an outsider of the system.

We use the Dolev–Yao threat model (Dolev & Yao, 1983), in which any two communicating parties communicate over a public insecure channel. In this model, an attacker (adversary) can eavesdrop on all transmitted messages and has the ability to modify, delete or change the contents of the messages transmitted over the public channel. The smart card of a user is generally a tamper-resistant device. We nevertheless assume that if the user's smart card is lost or stolen, an attacker can learn all the sensitive information stored in its memory using power analysis attacks (Kocher et al., 1999b; Messerges et al., 2002b). Though some smart card manufacturers consider the risk of side-channel attacks and provide countermeasures to deter reverse engineering attempts, we still assume that an attacker knows all the sensitive information in the memory of the user's smart card once it is stolen or lost.

1.2. Our contributions

Most existing smart-card-based authentication schemes for the multi-server environment fail to achieve their goals of privacy and security. These shortcomings motivated us to study the existing authentication protocols for the multi-server environment in order to design a scheme that satisfies the desirable security attributes with low computation overhead.
In this paper, we analyze the recently proposed Chuang and Chen's scheme for the multi-server environment and demonstrate its weaknesses. We show that Chuang and Chen's scheme does not resist the stolen smart card attack, which leads to the user impersonation attack and the server spoofing attack. Furthermore, we present an improved scheme which keeps the original merits of Chuang and Chen's scheme, such as anonymity and low computation overhead, and withstands all the attacks to which Chuang and Chen's scheme is vulnerable. Through the security analysis, we show that our scheme is secure against various known attacks, including the attacks found in Chuang and Chen's scheme. In addition, we simulate our scheme for formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against the replay and man-in-the-middle attacks.

1.3. Organization of the paper

The rest of the paper is organized as follows. Section 2 provides some basic preliminaries and the notations used in this paper, which are useful for describing and analyzing Chuang and Chen's scheme as well as our scheme. Section 3 gives a brief review of Chuang and Chen's scheme. Section 4 points out the weaknesses of Chuang and Chen's scheme. Section 5 introduces our improved scheme, which withstands the security weaknesses found in Section 4. In Section 6, we provide a rigorous security analysis of our proposed scheme. In Section 7, we compare our scheme with Chuang and Chen's scheme and other related existing schemes. Finally, we conclude the paper in Section 8.

2. Preliminaries

In this section, we discuss the notations used in this paper. We also describe some mathematical preliminaries which are useful for describing and analyzing Chuang and Chen's scheme and our improved scheme.

2.1. Notations

The notations used throughout the rest of the paper are listed in Table 2.

Table 2
Notations and their meanings.

Notation   Description
U_i        User i
RC         Registration center
S_j        jth server
E          Adversary
SC_i       Smart card of user i
ID_i       Identity of user i
PW_i       Password of user i
BIO_i      Biometrics of user i
x          Master key of the registration center RC
h(·)       A secure collision-resistant one-way hash function
H(·)       Biohash function
⊕          XOR operation
||         String concatenation operation
ΔT         Valid time delay in message transmission

2.2. One-way hash function

A one-way collision-resistant hash function h : {0,1}* → {0,1}^n is a deterministic algorithm (Sarkar, 2010; Stinson, 2006) which takes as input a binary string x ∈ {0,1}* of arbitrary length and outputs a binary string h(x) ∈ {0,1}^n of fixed length n. The hash value may serve as the fingerprint of a file, a message, or another data block, and the function has the following attributes (Stallings, 2003):
- h can be applied to a data block of any size.
- For any given input x, the message digest h(x) is easy to compute, enabling easy implementation in software and hardware.
- The output length of the message digest h(x) is fixed.
- Deriving the input x from a given hash value y = h(x) and the given hash function h(·) is computationally infeasible. This is the one-way property.
- For any given input x, finding any other input y ≠ x such that h(y) = h(x) is computationally infeasible. This is the weak collision-resistance property.
- Finding a pair of inputs (x, y) with x ≠ y such that h(x) = h(y) is computationally infeasible. This is the strong collision-resistance property.

The advantage of an adversary A in finding a collision is formalized as

$$\mathrm{Adv}^{\mathrm{HASH}}_{\mathcal{A}}(t) = \Pr\left[(x, x') \leftarrow_R \mathcal{A} : x \neq x' \text{ and } h(x) = h(x')\right],$$

where Pr[E] denotes the probability of an event E in a random experiment, and (x, x') ←_R A denotes that the pair (x, x') is selected randomly by A. The adversary A is allowed to be probabilistic, and the probability in the advantage is computed over the random choices made by A with execution time t. The hash function h(·) is said to be collision-resistant if $\mathrm{Adv}^{\mathrm{HASH}}_{\mathcal{A}}(t) \le \epsilon$ for any sufficiently small ε > 0.

An example of a one-way hash function is SHA-1 (Secure Hash Standard, 2010). One of the fundamental properties of a secure one-way hash function is that its output is very sensitive to small perturbations of its input (Das, 2011). The recently proposed hash algorithm Quark (Aumasson, Henzen, Meier, & Plasencia, 2010) is more efficient than SHA-1. However, at present the National Institute of Standards and Technology (NIST) no longer recommends SHA-1 for top secret documents, and in 2011 Manuel showed that SHA-1 is insecure against collision attacks (Manuel, 2011). In this paper, as in Das and Goswami (2013) and Das, Massand, and Patil (2013), we can use SHA-2 as the secure one-way hash function for achieving top security. However, we use only 160 bits of the SHA-2 hash digest in Chuang and Chen's scheme and in our improved scheme.

2.3. Biohashing

Biometrics provide a unique identification method based on the physical features of a human being, and they work only when the person to be authenticated is physically present. In general, imprinted biometric characteristics (face, fingerprint, palmprint) are not exactly the same each time. Therefore, a high false rejection rate of valid users, which accompanies a low false acceptance rate, is often observed in the evaluation of biometric systems. Failing to identify authorized users significantly impacts the usability of the system. BioHashing, on the contrary, can reduce the probability of denial of access without degrading the false acceptance performance. In order to resolve the high false rejection problem, Jin, Ling, and Goh (2004) presented a two-factor authenticator based on iterated inner products between a tokenized pseudo-random number and the user-specific fingerprint features. From these, a set of user-specific compact codes, called a BioHash code, is created. BioHashing is thus a mapping of biometric features onto binary strings, randomized by user-specific tokenized pseudo-random numbers. In recent years, many improved BioHashing algorithms for human authentication have been presented for more realistic scenarios (Belguechi, Rosenberger, & Ait-Aoudia, 2010; Lumini & Nanni, 2007; Yang, 2011); they are convenient mechanisms to incorporate into small devices such as mobile devices and smart cards.
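As an added illustration (not code from the paper or from Jin et al.), the following Python sketch implements the BioHashing construction just described: pseudo-random vectors seeded by the user's token are orthonormalized, the feature vector is projected onto them, and each inner product is thresholded at zero to give one bit. The feature vector, the noise level and the tokens are constructed values, and Gram–Schmidt orthonormalization with a zero threshold is the assumed variant of the method. The point is that a tiny re-scan perturbation leaves the code unchanged while a different token gives an unrelated code, which is the tolerance that a raw hash of the biometric lacks.

```python
"""BioHashing sketch after Jin, Ling and Goh (2004).  Added example, not code
from the paper.  Assumed: features are already extracted as floats, the token
seeds a PRNG, the random basis is Gram-Schmidt orthonormalized, threshold 0."""
import math
import random


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _orthonormal_basis(token: int, m: int, n: int):
    """m pseudo-random n-dimensional vectors seeded by the user's token,
    orthonormalized one after another (modified Gram-Schmidt)."""
    rng = random.Random(token)
    basis = []
    for _ in range(m):
        v = [rng.gauss(0.0, 1.0) for _ in range(n)]
        for q in basis:
            c = _dot(v, q)
            v = [a - c * b for a, b in zip(v, q)]
        norm = math.sqrt(_dot(v, v))
        basis.append([a / norm for a in v])
    return basis


def biohash(features, token: int, m: int = 32) -> str:
    """Map a feature vector to an m-bit code under the given token: one bit
    per inner product with a basis vector, thresholded at zero."""
    n = len(features)
    if m > n:
        raise ValueError("cannot build more orthonormal vectors than dimensions")
    basis = _orthonormal_basis(token, m, n)
    return "".join("1" if _dot(features, q) > 0.0 else "0" for q in basis)


def hamming(a: str, b: str) -> int:
    """Number of differing bit positions between two equal-length codes."""
    return sum(x != y for x, y in zip(a, b))


# constructed "fingerprint" feature vector and a slightly perturbed re-scan
_rng = random.Random(2014)
ENROLLED = [_rng.uniform(-1.0, 1.0) for _ in range(64)]
RESCAN = [f + _rng.gauss(0.0, 1e-9) for f in ENROLLED]   # tiny sensor noise
TOKEN_A, TOKEN_B = 0x12345678, 0x87654321                # two users' tokens

if __name__ == "__main__":
    a1 = biohash(ENROLLED, TOKEN_A)
    print("bits differing on re-scan, same token :", hamming(a1, biohash(RESCAN, TOKEN_A)))
    print("bits differing with another token     :", hamming(a1, biohash(ENROLLED, TOKEN_B)))
    print("bits differing for negated features   :",
          hamming(a1, biohash([-f for f in ENROLLED], TOKEN_A)))
```

Negating the feature vector flips every inner product's sign and therefore every bit, which is a handy sanity check that the code really depends on the features and not only on the token.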
3. Review of Chuang and Chen's multi-server authenticated key agreement scheme

Recently, Chuang and Chen (2014) proposed a biometric-based authentication scheme using smart cards to achieve anonymity and lightweight authentication. Their scheme comprises five phases: server registration, user registration, login, authentication, and password change. In this section, we briefly discuss Chuang and Chen's scheme using the same terminology as in their paper.

3.1. Server registration phase

An application server that wishes to become an authorized server in the system sends a registration request to the registration center. The registration center then authorizes the server and provides it with the pre-shared key PSK using the Internet Key Exchange protocol (IKEv2) (Kaufman, 2005). The authorized server subsequently uses PSK to authenticate legitimate users.

3.2. User registration phase

This phase consists of the following steps:

Step 1. The user U_i computes h(PW_i ⊕ BIO_i) and sends a registration request with the chosen identity ID_i and the computed h(PW_i ⊕ BIO_i) to the registration center via a secure channel.
Step 2. After receiving the registration request from U_i, the registration center computes A_i = h(ID_i || x), B_i = h(A_i) = h²(ID_i || x), C_i = h(PW_i ⊕ BIO_i) ⊕ B_i and D_i = PSK ⊕ A_i.
Step 3. The registration center personalizes the user's smart card with the parameters {ID_i, B_i, C_i, D_i, h(·)} and delivers the personalized smart card to the user via a secure channel.

3.3. Login phase

To start a login session, the user U_i inserts his/her smart card into the card reader of a terminal, inputs his/her identity ID_i and password PW_i, and imprints his/her biometric BIO_i at the sensor. The smart card then executes the following steps:

Step 1. The smart card verifies ID_i and checks whether B_i = h(PW_i ⊕ BIO_i) ⊕ C_i holds. If these verifications succeed, it executes the next step.
Step 2. The smart card generates a random number N_1 and computes M_1 = h(B_i) ⊕ N_1, AID_i = h(N_1) ⊕ ID_i and M_2 = h(N_1 || AID_i || D_i).
Step 3. Finally, the smart card sends the authentication request ⟨AID_i, M_1, M_2, D_i⟩ to the server S_j via a public channel.

3.4. Authentication phase

After receiving the authentication request ⟨AID_i, M_1, M_2, D_i⟩ from the user U_i, the server S_j executes the following steps:

Step 1. The server S_j uses its pre-shared key PSK to obtain A_i = D_i ⊕ PSK and B_i = h(A_i). It then retrieves N_1 = h(B_i) ⊕ M_1 and ID_i = AID_i ⊕ h(N_1).
Step 2. The server verifies whether M_2 = h(N_1 || AID_i || D_i) holds. If it does, the server generates a random number N_2 and computes the session key SK_ij = h(N_1 || N_2).
Step 3. The server computes M_3 = N_2 ⊕ h²(N_1) and M_4 = h(SID_j || N_2), and responds with the message ⟨SID_j, M_3, M_4⟩ to the smart card (user U_i) via a public channel.
Step 4. Upon receiving the message hSIDj ; M 3 ; M 4 i, the smart card 2 retrieves the value N 2 ¼ M3 h ðN 1 Þ. Then it verifies M 4 9hðSIDj jjN 2 Þ. If the verification holds, it computes the session key SK ij ¼ hðN 1 jjN 2 Þ, which will be shared between the user U i and the server. Step 5. The smart card computes M 5 ¼ SK ij hðN 2 Þ and sends the message hM 5 ito the server via a public channel. Step 6. Upon receiving the message hM 5 i, the server verifies hðN 2 Þ9M 5 SK ij . If the verification holds, it ensures the mutual authentication between the user U i and the server. The summary of message exchanges during the registration phase, login phase and authentication phase of Chuang and Chen’s scheme is provided in Table 3. 3.5. Password change phase A legal user U i can change his/her password at any time without the help of server Sj for security reasons using the following steps: Step 1. The user U i first inputs his/her identity IDi and password PW i , and imprints his/her biometric BIOi at the sensor. Step 2. The smart card of the user U i verifies IDi and Bi 9hðPW i BIOi Þ C i . If these verification do not succeed, the smart card rejects the request. Otherwise, the smart card ask the user U i to enter his/her new chosen password, say PW i . Step 3. The smart card then computes C i ¼ C i hðPW i BIOi Þ hðPW i BIOi Þ and replace C i with C i in its memory. 4. Cryptanalysis of Chuang and Chen’s Scheme In this section, we analyze the recently proposed Chuang and Chen’s scheme and demonstrate that their scheme is still vulnerable to some attacks, which are described in the following subsections. These outlined attacks are based on the threat model given in Section 1.1.
The imprint biometric characteristics (for example, face, fingerprint, palmprint) may not be exactly same at each time. Therefore, high false rejection of valid users leads to low false acceptance. Moreover, the outputs of a secure one-way hash function are very sensitive to small perturbation of its input (described in Section 2.2). In Chuang and Chen’s scheme, the user U i computes hðPW i BIOi Þ and smart card stores C i ¼ hðPW i BIOi Þ Bi . However, the biometrics of a user slightly differs time to time (Nanavati, 2002). As a result, imprint biometric characteristics may not be exactly same at each time. Therefore, if the imprinted personal biometrics differs even slightly in the login phase, the equation Bi 9hðPW i BIOi Þ C i may never hold due to the Table 3 Summary of message exchanges during the registration phase, login phase and authentication phase of Chuang and Chen’s scheme.
User registration
U i /Smart card
jth server Sj
hIDi ;hðPW i BIOi Þi
!
ðvia a secure channelÞ hSmart CardðIDi ;Bi ;C i ;Di ;hðÞÞi
ðvia a secure channelÞ
Login
hAIDi ;M 1 ;M 2 ;Di i
!
ðvia a public channelÞ
Authentication
sensitive fundamental property of the one-way hash function hðÞ. Thus, a valid user can face the denial of service scenario. In this way, Chuang and Chen’s scheme is vulnerable to DoS attack. 4.2. Stolen smart card attack An efficient biometric based multi-server authentication protocol must not allow an adversary to misuse a user’s stolen smart card to login to the server or compute the established session keys without knowing the user’s biometric and password. In this attack, we show that Chuang and Chen’s scheme fails to resist the stolen smart card such that an adversary can achieve user’s long term secret key and can easily login to the server as a legitimate user using stolen smart card. Additionally, an adversary can also achieve previously established session keys. This creates the data security and integrity threat as an adversary can achieve all the data that have been transferred between a user U i and a server Sj using the compromised session key. The stolen smart card attack works on Chuang and Chen’s scheme as follows: An adversary E extracts the stored parameter Bi from the smart card using the power analysis attack (Kocher et al., 1999b; Messerges et al., 2002b). E uses the previously transmitted message M1 ¼ hðBi Þ N i and 2 M3 ¼ N 2 h ðN 1 Þ to retrieve the values N 1 ¼ M 1 hðBi Þ and 2 N 2 ¼ M 3 h ðN 1 Þ. Using the values N 1 and N 2 , the adversary computes the session key SK ij ¼ hðN 1 jjN 2 Þ. It is thus clear that an adversary can achieve all the previously established session keys using the stolen smart card. Using the compromised session key, an adversary can also achieve all the confidential data that are transferred between the user U i and the server Sj using the established session key. 4.3. User impersonation attack In this section, we show that an adversary E can successfully login to the server Sj using the stolen smart card of a user U i as follows:
4.1. Denial-of-service (DoS) attack
Phase
8133
hSIDj ;M3 ;M 4 i
E extracts the stored parameters Bi from the stolen smart card using the power analysis attack (Kocher et al., 1999b; Messerges et al., 2002b). E achieves Di from previously transmitted login message hAIDi ; M 1 ; M2 ; Di i. E then computes N 1 ¼ M 1 hðBi Þ and IDi ¼ AIDi hðN 1 Þ using retrieved value Bi from the smart card. E generates a random number N E and computes M 1E ¼ hðBi Þ N E ; AIDE ¼ hðN E Þ IDi and M 2E ¼ hðN E jjAIDE jjDi Þ. E then sends the modified message hAIDE ; M 1E ; M 2E ; Di i to the server Sj . Upon receiving the message hAIDE ; M 1E ; M2E ; Di i, the server Sj computes N E ¼ hðBi Þ M 1E and IDi ¼ AIDE hðN E Þ. The server Sj verifies the condition M 2E 9hðN E jjAIDE jjDi Þ. This condition holds, since M 2E ¼ hðN E jjAIDE jjDi Þ. The server Sj also generates a random number N 2 and computes the session key SK 0ij ¼ hðN E jjN 2 Þ. 2 The server Sj computes M 3E ¼ N 2 h ðN E Þ and M 4 ¼ hðSIDj jjN 2 Þ, and sends the message hSIDj ; M3E ; M 4 i to the user U i . E intercepts the message hSIDj ; M 3E ; M 4 i and retrieves the value 2 N 2 ¼ M 3E h ðN E Þ and computes SK ij ¼ hðN E jjN 2 Þ. E responds with the message M5 ¼ SK ij hðN 2 Þ to the server Sj . Upon receiving M5 , the server Sj verifies the condition hðN 2 Þ9M 5 SK 0ij . If the verification holds, Sj further computes the session key SK 0ij ¼ SK ij ¼ hðN E jjN 2 Þ.
This attack clearly shows that the adversary E can successfully masquerade as a legitimate user using the stolen smart card.
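The three attacks of Sections 4.2 and 4.3, together with the server spoofing path described in Section 4.4 below, as an added example (this is our own illustration, not code from Chuang and Chen's paper or from the present authors). It assumes that $h(\cdot)$ is SHA-256, that $B_i$, identities and nonces are 32-byte strings, and, as in the description above, that the server knows $B_i$ and uses $h(B_i)$ to unmask $M_1$:

```python
# Added example (not from the paper): a model of the Chuang-Chen login/authentication
# exchange of Sections 4.2-4.4 and the attacks an adversary holding the smart-card
# value B_i can mount. h() is SHA-256 here (assumption); the paper does not fix a hash.
import hashlib
import os

def h(data: bytes) -> bytes:
    """One-way hash h(.) of the paper, instantiated as SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- Chuang-Chen exchange between an honest user and server -----------------------
def cc_login(B_i, ID_i, D_i, N_1):
    """User side: build <AID_i, M_1, M_2, D_i> from the nonce N_1."""
    M_1 = xor(h(B_i), N_1)
    AID_i = xor(h(N_1), ID_i)
    M_2 = h(N_1 + AID_i + D_i)
    return AID_i, M_1, M_2, D_i

def cc_server_respond(B_i, SID_j, login_msg, N_2):
    """Server side: check M_2, derive SK = h(N_1||N_2) and build <SID_j, M_3, M_4>."""
    AID_i, M_1, M_2, D_i = login_msg
    N_1 = xor(h(B_i), M_1)
    if M_2 != h(N_1 + AID_i + D_i):
        return None
    SK = h(N_1 + N_2)
    M_3 = xor(N_2, h(h(N_1)))          # N_2 masked with h^2(N_1)
    M_4 = h(SID_j + N_2)
    return SK, (SID_j, M_3, M_4)

def cc_user_finish(N_1, SID_j, resp):
    """User side: unmask N_2, check M_4, derive SK and build M_5 = SK xor h(N_2)."""
    _, M_3, M_4 = resp
    N_2 = xor(M_3, h(h(N_1)))
    if M_4 != h(SID_j + N_2):
        return None
    SK = h(N_1 + N_2)
    return SK, xor(SK, h(N_2))

# --- Attacks with B_i extracted from a stolen card (Sections 4.2-4.4) --------------
def attack_recover_session_key(B_i, login_msg, resp):
    """4.2: recover SK_ij from an eavesdropped transcript using only B_i."""
    _, M_1, _, _ = login_msg
    _, M_3, _ = resp
    N_1 = xor(M_1, h(B_i))
    N_2 = xor(M_3, h(h(N_1)))
    return h(N_1 + N_2)

def attack_impersonate_user(B_i, old_login_msg, SID_j, N_E, server_nonce):
    """4.3: recover ID_i from an old login message, forge a fresh one and finish the
    handshake. Returns True if the server's final check h(N_2) == M_5 xor SK passes."""
    AID_i, M_1, _, D_i = old_login_msg
    N_1 = xor(M_1, h(B_i))
    ID_i = xor(AID_i, h(N_1))
    forged = cc_login(B_i, ID_i, D_i, N_E)
    out = cc_server_respond(B_i, SID_j, forged, server_nonce)
    if out is None:
        return False
    SK_server, resp = out
    _, M_5 = cc_user_finish(N_E, SID_j, resp)
    return xor(M_5, SK_server) == h(server_nonce)

def attack_spoof_server(B_i, login_msg, SID_j, N_E):
    """4.4: answer a genuine login request in the server's place."""
    _, M_1, _, _ = login_msg
    N_1 = xor(M_1, h(B_i))
    return SID_j, xor(N_E, h(h(N_1))), h(SID_j + N_E)

def demo():
    """Honest session, then the three attacks; returns their outcomes as booleans."""
    # Constructed sample values; ID_i is padded to 32 bytes so it can be XOR-masked.
    B_i, D_i, SID_j = os.urandom(32), os.urandom(32), b"server-j"
    ID_i = b"alice" + bytes(27)
    N_1, N_2 = os.urandom(32), os.urandom(32)
    login = cc_login(B_i, ID_i, D_i, N_1)
    SK_s, resp = cc_server_respond(B_i, SID_j, login, N_2)
    SK_u, _ = cc_user_finish(N_1, SID_j, resp)
    assert SK_s == SK_u
    key_recovered = attack_recover_session_key(B_i, login, resp) == SK_s
    impersonated = attack_impersonate_user(B_i, login, SID_j, os.urandom(32), os.urandom(32))
    spoofed = cc_user_finish(N_1, SID_j, attack_spoof_server(B_i, login, SID_j, os.urandom(32))) is not None
    return key_recovered, impersonated, spoofed
```

Every attack needs only $B_i$ and a captured transcript; no password or biometric is involved, which is exactly the gap the stolen smart card threat model exposes.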
D. Mishra et al. / Expert Systems with Applications 41 (2014) 8129–8143
4.4. Server spoofing attack

In this section, we show that Chuang and Chen's scheme is also vulnerable to the server spoofing attack, in which an adversary impersonates the server $S_j$ to the user $U_i$. The attack proceeds as follows. The adversary $E$ eavesdrops on the communication between $U_i$ (smart card) and $S_j$, and retrieves the server's identity $SID_j$ from a previously transmitted message $\langle SID_j, M_3, M_4 \rangle$. Let $U_i$ send the authentication request message $\langle AID_i, M_1, M_2, D_i \rangle$ to $S_j$ via a public channel, and let $E$ intercept it. Using the parameter $B_i$ extracted from the stolen smart card, $E$ responds with a forged server message as follows:

– $E$ computes $N_1 = M_1 \oplus h(B_i)$.
– $E$ generates a random number $N_E$.
– $E$ computes $M_{3E} = N_E \oplus h^2(N_1)$ and $M_{4E} = h(SID_j \| N_E)$, and responds with the message $\langle SID_j, M_{3E}, M_{4E} \rangle$ to the smart card of $U_i$.

The smart card (user $U_i$) retrieves $N_{2E} = M_{3E} \oplus h^2(N_1) = N_E$ and verifies the condition $M_{4E} \stackrel{?}{=} h(SID_j \| N_{2E})$. This condition holds, since $M_{4E} = h(SID_j \| N_E)$. This attack clearly shows that an adversary $E$ can masquerade as the server $S_j$.

5. The proposed scheme

In this section, we describe the various phases of our proposed scheme. The main purpose of our improved scheme is to withstand the security weaknesses found in Chuang and Chen (2014) and described in Section 4. Like Chuang and Chen's scheme, our scheme comprises five phases: (i) server registration phase, (ii) user registration phase, (iii) login phase, (iv) authentication phase, and (v) password change phase.

5.1. Server registration phase

This phase is the same as in Chuang and Chen (2014). An application server that wishes to become an authorized server in the system sends a registration request to the registration center. The registration center then authorizes the server and provides it with the key $PSK$ using the Internet Key Exchange Protocol (IKEv2) (Kaufman, 2005). The authorized server uses $PSK$ to authenticate legitimate users.
5.2. User registration phase

When a new user $U_i$ wishes to access services granted by a set of servers $\{S_1, S_2, \ldots, S_r\}$, $U_i$ first selects an identity $ID_i$ and a password $PW_i$ of his/her choice, completes the registration at the registration center and receives a personalized smart card. The user registration phase consists of the following steps:

Step 1. $U_i$ generates a random number $N_i$ and computes $W_1 = h(PW_i \| N_i)$ and $W_2 = h(ID_i \oplus N_i)$. $U_i$ then sends the registration request message $\langle ID_i, W_1, W_2 \rangle$ to the registration center via a secure channel.
Step 2. After receiving the registration request, the registration center computes $A_i = h(ID_i \| x \| T_r)$, $B_i = h(A_i) = h^2(ID_i \| x \| T_r)$, $X_i = B_i \oplus W_1$, $Y_i = h(PSK) \oplus W_2$ and $Z_i = PSK \oplus A_i$, where $T_r$ denotes the registration time.
Step 3. The registration center personalizes the user's smart card $SC_i$ with the parameters $\{X_i, Y_i, Z_i, h(\cdot)\}$ and delivers $SC_i$ to $U_i$ via a secure channel.
Step 4. Upon receiving $SC_i$, $U_i$ imprints his/her personal biometric $BIO_i$ at the sensor, computes $N = N_i \oplus H(BIO_i)$ and $V = h(ID_i \| N_i \| PW_i)$, and stores $N$ and $V$ in $SC_i$. Thus, the smart card $SC_i$ of the user $U_i$ finally contains $\{X_i, Y_i, Z_i, h(\cdot), N, V\}$.

5.3. Login phase

When the user $U_i$ wishes to log in to a server, say $S_j$, he/she inserts the smart card $SC_i$ into the smart card reader, inputs the identity $ID_i$ and password $PW_i$, and imprints the biometric $BIO_i$ at the sensor. The smart card $SC_i$ then executes the login session using the following steps:

Step 1. $SC_i$ computes $N_i = N \oplus H(BIO_i)$ and verifies whether the condition $V = h(ID_i \| N_i \| PW_i)$ holds. If the verification fails, the session is terminated immediately.
Step 2. $SC_i$ computes $W_1 = h(PW_i \| N_i)$, $W_2 = h(ID_i \oplus N_i)$, $B_i = X_i \oplus W_1$ and $h(PSK) = Y_i \oplus W_2$.
Step 3. $SC_i$ generates a random nonce $n_1$ and computes $M_1 = h(PSK) \oplus n_1$, $M_2 = ID_i \oplus h(n_1 \| B_i)$ and $M_3 = h(ID_i \| n_1 \| B_i)$.
Step 4. Finally, $SC_i$ sends the login request message $\langle Z_i, M_1, M_2, M_3 \rangle$ to $S_j$ via a public channel.

5.4. Authentication phase

The purpose of this phase is mutual authentication between the user $U_i$ and the server $S_j$, and the establishment of a secret session key between them for their subsequent secure communication. The following steps are executed:

Step 1. Upon receiving the login request message $\langle Z_i, M_1, M_2, M_3 \rangle$, the server $S_j$ uses the pre-shared master key $PSK$ to retrieve $A_i = Z_i \oplus PSK$, $B_i = h(A_i)$, $n_1 = M_1 \oplus h(PSK)$ and $ID_i = M_2 \oplus h(n_1 \| B_i)$.
Step 2. $S_j$ verifies the condition $M_3 \stackrel{?}{=} h(ID_i \| n_1 \| B_i)$. If the verification fails, the session is terminated immediately. Otherwise, $S_j$ generates a random nonce $n_2$ and computes the session key $SK_{ji} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$ to be shared with the user $U_i$.
Step 3. $S_j$ computes $M_4 = n_2 \oplus h(ID_i \| n_1)$ and $M_5 = h(SK_{ji} \| n_1 \| n_2)$, and responds with the authentication request message $\langle SID_j, M_4, M_5 \rangle$ to the smart card $SC_i$ of the user $U_i$.
Step 4. Upon receiving $\langle SID_j, M_4, M_5 \rangle$, $SC_i$ retrieves $n_2 = M_4 \oplus h(ID_i \| n_1)$ and computes the session key $SK_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$ to be shared with $S_j$; note that $SK_{ij} = SK_{ji}$. $SC_i$ verifies the session key and the message authenticity using the condition $M_5 \stackrel{?}{=} h(SK_{ij} \| n_1 \| n_2)$. If the verification fails, the session is terminated; otherwise $U_i$ accepts $SK_{ij}$ as the session key and $S_j$ as an authorized server.
Step 5. $SC_i$ computes $M_6 = h(SK_{ij} \| n_2 \| n_1)$ and sends the authentication reply message $\langle M_6 \rangle$ to $S_j$ via a public channel.
Step 6. Upon receiving $\langle M_6 \rangle$, $S_j$ verifies the condition $M_6 \stackrel{?}{=} h(SK_{ji} \| n_2 \| n_1)$. If the verification fails, the session is terminated immediately; otherwise $S_j$ accepts $SK_{ji}$ as the legitimate session key and $U_i$ as an authentic user.
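The registration, login and authentication phases of Sections 5.2 to 5.4, the local password change of Section 5.5 below, and the replay check of Section 6.1.7, as an added runnable example (our own illustration, not the authors' code). It assumes that both $h(\cdot)$ and the biometric hash $H(\cdot)$ are SHA-256, that identities, keys and nonces are 32-byte strings, and that $x$, $PSK$, $T_r$ and $BIO_i$ are random stand-in values:

```python
# Added example (not from the paper): a model of the proposed scheme. h() and H() are
# both SHA-256 here (assumption); all masked quantities are 32 bytes so XOR lines up.
import hashlib
import os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

H = h  # biometric hash H(.) of the paper, also SHA-256 in this model (assumption)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def register(ID_i, PW_i, BIO_i, x, PSK, T_r):
    """5.2: user computes W_1, W_2; RC computes X_i, Y_i, Z_i; user adds N and V."""
    N_i = os.urandom(32)
    W_1, W_2 = h(PW_i + N_i), h(xor(ID_i, N_i))
    A_i = h(ID_i + x + T_r)
    B_i = h(A_i)
    return {"X": xor(B_i, W_1), "Y": xor(h(PSK), W_2), "Z": xor(PSK, A_i),
            "N": xor(N_i, H(BIO_i)), "V": h(ID_i + N_i + PW_i)}

def login(card, ID_i, PW_i, BIO_i):
    """5.3: verify V locally, unmask B_i and h(PSK), emit <Z_i, M_1, M_2, M_3>."""
    N_i = xor(card["N"], H(BIO_i))
    if card["V"] != h(ID_i + N_i + PW_i):
        raise ValueError("local verification of ID/password/biometric failed")
    B_i = xor(card["X"], h(PW_i + N_i))
    hPSK = xor(card["Y"], h(xor(ID_i, N_i)))
    n_1 = os.urandom(32)
    msg = (card["Z"], xor(hPSK, n_1), xor(ID_i, h(n_1 + B_i)), h(ID_i + n_1 + B_i))
    return {"ID": ID_i, "B": B_i, "n1": n_1}, msg

def server_auth(PSK, SID_j, msg):
    """5.4 steps 1-3: unmask A_i, n_1, ID_i; check M_3; emit <SID_j, M_4, M_5>."""
    Z_i, M_1, M_2, M_3 = msg
    A_i = xor(Z_i, PSK)
    B_i = h(A_i)
    n_1 = xor(M_1, h(PSK))
    ID_i = xor(M_2, h(n_1 + B_i))
    if M_3 != h(ID_i + n_1 + B_i):
        return None
    n_2 = os.urandom(32)
    SK = h(ID_i + SID_j + B_i + n_1 + n_2)
    return {"SK": SK, "n1": n_1, "n2": n_2}, (SID_j, xor(n_2, h(ID_i + n_1)), h(SK + n_1 + n_2))

def user_auth(state, resp):
    """5.4 steps 4-5: unmask n_2, derive SK_ij, check M_5, emit M_6."""
    SID_j, M_4, M_5 = resp
    n_2 = xor(M_4, h(state["ID"] + state["n1"]))
    SK = h(state["ID"] + SID_j + state["B"] + state["n1"] + n_2)
    if M_5 != h(SK + state["n1"] + n_2):
        return None
    return SK, h(SK + n_2 + state["n1"])

def server_finish(sstate, M_6):
    """5.4 step 6: the server accepts iff M_6 is bound to its own n_2."""
    return M_6 == h(sstate["SK"] + sstate["n2"] + sstate["n1"])

def change_password(card, ID_i, PW_i, BIO_i, PW_new):
    """5.5: re-mask X_i with the new password and recompute V, all on the card."""
    N_i = xor(card["N"], H(BIO_i))
    if card["V"] != h(ID_i + N_i + PW_i):
        raise ValueError("old password verification failed")
    card["X"] = xor(xor(card["X"], h(PW_i + N_i)), h(PW_new + N_i))
    card["V"] = h(ID_i + N_i + PW_new)

def demo():
    """Honest run, a replayed login (6.1.7), and a password change (5.5)."""
    ID_i, PW_i, BIO_i = b"alice" + bytes(27), b"correct horse", os.urandom(64)
    x, PSK, T_r, SID_j = os.urandom(32), os.urandom(32), b"2014-07-15", b"server-j"
    card = register(ID_i, PW_i, BIO_i, x, PSK, T_r)
    ustate, m_login = login(card, ID_i, PW_i, BIO_i)
    sstate, resp = server_auth(PSK, SID_j, m_login)
    SK_user, M_6 = user_auth(ustate, resp)
    keys_agree = SK_user == sstate["SK"] and server_finish(sstate, M_6)
    # Replaying <Z_i, M_1, M_2, M_3> passes the M_3 check, but the server draws a fresh
    # nonce, so the old M_6 (bound to the earlier n_2) is rejected.
    sstate2, _ = server_auth(PSK, SID_j, m_login)
    replay_rejected = not server_finish(sstate2, M_6)
    # After the local password change the new password still unmasks the same B_i.
    change_password(card, ID_i, PW_i, BIO_i, b"new password")
    ustate2, _ = login(card, ID_i, b"new password", BIO_i)
    return keys_agree, replay_rejected, ustate2["B"] == ustate["B"]
```

Note that the server never stores per-user state: everything it needs ($A_i$, $n_1$, $ID_i$) is unmasked from the login message with $PSK$ alone, which is what makes the single registration usable at every authorized server.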
The summary of message exchanges during the registration phase, login phase and authentication phase of our scheme is provided in Table 4.

5.5. Password change phase

In this phase, we show how our scheme lets a legal user $U_i$ change his/her password locally, without contacting the server $S_j$ or the registration center. This phase consists of the following steps:

Step 1. The user $U_i$ inserts the smart card $SC_i$ into the smart card reader, inputs his/her identity $ID_i$ and password $PW_i$, and imprints his/her personal biometric $BIO_i$ at the sensor.
Step 2. The smart card $SC_i$ computes $N_i = N \oplus H(BIO_i)$ and verifies the condition $V = h(ID_i \| N_i \| PW_i)$. If the verification fails, this phase is terminated immediately, because the old password verification of $U_i$ fails. Otherwise, $SC_i$ asks $U_i$ for a new password.
Step 3. The user $U_i$ chooses a new password $PW_i^{new}$. $SC_i$ computes $W_1 = h(PW_i \| N_i)$, $W_1^{new} = h(PW_i^{new} \| N_i)$, $X_i^{new} = X_i \oplus W_1 \oplus W_1^{new}$ and $V_i^{new} = h(ID_i \| N_i \| PW_i^{new})$.
Step 4. Finally, $SC_i$ replaces $X_i$ with $X_i^{new}$ and $V$ with $V_i^{new}$ in its memory.

6. Security analysis of our proposed scheme

In this section, we analyze the strength of our proposed scheme against the most common attacks through informal security analysis, formal security analysis, and simulation for formal security verification using the widely-accepted AVISPA tool.

6.1. Informal security analysis

In this section, through informal security analysis, we show that our scheme has the ability to prevent the following attacks.
6.1.1. Privileged insider attack

The user $U_i$ does not submit his/her password $PW_i$ or biometric $BIO_i$ in its original form to the registration center during the user registration phase. $U_i$ only submits $W_1 = h(PW_i \| N_i)$ and $W_2 = h(ID_i \oplus N_i)$ instead of $PW_i$ and $BIO_i$, where $N_i$ is a random nonce that is later kept on the card only as $N = N_i \oplus H(BIO_i)$. Thus, an insider cannot obtain the user's password $PW_i$ or biometric $BIO_i$. Moreover, an insider cannot guess the user's password $PW_i$ off-line from $W_1$, because $U_i$ never submits $N_i$ to the registration center. This shows that our proposed scheme resists the privileged insider attack.

6.1.2. User anonymity

During the login phase, the login request message $\langle Z_i, M_1, M_2, M_3 \rangle$ protects $ID_i$ with $h(n_1 \| B_i)$ and protects $n_1$ with $h(PSK)$. Thus, in order to retrieve $ID_i$ from $M_2 = ID_i \oplus h(n_1 \| B_i)$, an attacker needs both the user's secret key $B_i$ and the server's secret key $PSK$ (to unmask $n_1$). Since $B_i$ is protected with the password and biometric, an adversary cannot retrieve $ID_i$ from $M_2$. As a result, our scheme preserves the user anonymity property.

6.1.3. Stolen smart card attack

An adversary $E$ can try to use the stolen smart card $SC_i$ of a user $U_i$. $E$ can extract the parameters $\{X_i, Y_i, Z_i, V, N\}$ from the stolen smart card using the power analysis attack (Kocher et al., 1999b; Messerges et al., 2002b), according to our threat model given in Section 1.1. To log in to a server $S_j$, $E$ has to generate a valid login message, say $\langle Z_i, M'_1, M'_2, M'_3 \rangle$ for a random nonce $n_e$, where $M'_1 = h(PSK) \oplus n_e$, $M'_2 = ID_i \oplus h(n_e \| B_i)$ and $M'_3 = h(ID_i \| n_e \| B_i)$. However, $E$ cannot compute $M'_3$, which is justified below:

– The information $ID_i$ and $B_i$ is needed to compute $M'_3 = h(ID_i \| n_e \| B_i)$. The smart card $SC_i$ does not store $ID_i$, and the transmitted message protects $ID_i$ by $h(n_1 \| B_i)$, where $n_1 = M_1 \oplus h(PSK)$.
– The secret key $B_i$ of $U_i$ is protected with the password and biometric, as $B_i = X_i \oplus W_1$, $W_1 = h(PW_i \| N_i)$ and $N_i = N \oplus H(BIO_i)$.

Since the password and biometric are only with the user $U_i$, the adversary $E$ cannot generate a valid login message using the stolen smart card. This shows that our proposed scheme withstands the stolen smart card attack.

6.1.4. Off-line password guessing attack

A passive adversary $E$ may try to guess a user's password $PW_i$ off-line. However, $E$ cannot verify a guessed password $PW$ using the parameters $\{X_i, Y_i, Z_i, N, V\}$ extracted from the stolen smart card together with the values $Z_i, M_1, M_2$ and $M_3$ obtained from the intercepted login message. This is clear from the following observations:

– To verify the guessed password $PW$ using the condition $V \stackrel{?}{=} h(ID_i \| N_i \| PW)$, the user's identity $ID_i$ and the nonce $N_i$ are required.
– To verify the guessed password using $M_3 = h(ID_i \| n_1 \| B_i)$, $E$ needs to compute $B_i$ from $X_i$ and $ID_i$ from $M_2$, which again requires $N_i$, because $X_i = B_i \oplus W_1$ and $W_1 = h(PW_i \| N_i)$. To compute $N_i$ from $N$, the user's biometric $BIO_i$ is needed, since $N_i = N \oplus H(BIO_i)$.
– The smart card $SC_i$ does not store $ID_i$, and the transmitted message protects $ID_i$ by $h(n_1 \| B_i)$, where $n_1 = M_1 \oplus h(PSK)$.

It is clear that an adversary $E$ cannot verify a password guess, since the user's identity and biometric are not known to the adversary.
Table 4. Summary of message exchanges during the registration phase, login phase and authentication phase of our scheme.

– User registration: $U_i \rightarrow$ registration center: $\langle ID_i, W_1, W_2 \rangle$ (via a secure channel); registration center $\rightarrow U_i$: smart card $SC_i$ containing $(X_i, Y_i, Z_i, h(\cdot))$ (via a secure channel).
– Login: $SC_i \rightarrow S_j$: $\langle Z_i, M_1, M_2, M_3 \rangle$ (via a public channel).
– Authentication: $S_j \rightarrow SC_i$: $\langle SID_j, M_4, M_5 \rangle$ (via a public channel); $SC_i \rightarrow S_j$: $\langle M_6 \rangle$ (via a public channel).

6.1.5. On-line password guessing attack

An active adversary may try to guess a user's password $PW_i$ on-line using the information $\{X_i, Y_i, Z_i, N, V\}$ extracted from the stolen smart card and the intercepted login message $\langle Z_i, M_1, M_2, M_3 \rangle$. However, the adversary cannot verify a guessed password $PW$ through repeated login attempts, because he/she cannot create a valid login message from $PW$ alone. This is justified from the following arguments:

– To generate a login message $\langle Z_i, M'_1, M'_2, M'_3 \rangle$ for a random value $n_e$, the information $B_i$ and $ID_i$ is needed, since $M'_1 = h(PSK) \oplus n_e$, $M'_2 = ID_i \oplus h(n_e \| B_i)$ and $M'_3 = h(ID_i \| n_e \| B_i)$.
– To compute $B_i$ from $X_i$, the nonce $N_i$ is needed along with the guessed password, since $X_i = B_i \oplus W_1$ and $W_1 = h(PW_i \| N_i)$. Since $N_i = N \oplus H(BIO_i)$, the user's biometric $BIO_i$ is needed to compute $N_i$ from $N$.

It is thus clear that an attacker cannot obtain the parameters required for an on-line password guessing attack. This shows that our proposed scheme resists the on-line password guessing attack.

6.1.6. Freshness

Using timestamps to resist the replay attack requires clock synchronization, that is, the clocks of all registered users and servers must not drift outside a small range. To avoid this cost, our proposed scheme uses random nonces instead of timestamps to verify the freshness of messages.

6.1.7. Replay and man-in-the-middle attacks

An adversary $E$ can try to reuse the previous messages $\langle Z_i, M_1, M_2, M_3 \rangle$, $\langle SID_j, M_4, M_5 \rangle$ and $\langle M_6 \rangle$ to log in to the server $S_j$. However, our proposed scheme resists the replay and man-in-the-middle attacks, as justified below:

– $E$ replays the message $\langle Z_i, M_1, M_2, M_3 \rangle$, where $M_1 = h(PSK) \oplus n_1$, $M_2 = ID_i \oplus h(n_1 \| B_i)$ and $M_3 = h(ID_i \| n_1 \| B_i)$. Upon receiving it, $S_j$ retrieves $A_i = Z_i \oplus PSK$, $n_1 = M_1 \oplus h(PSK)$ and $ID_i = M_2 \oplus h(n_1 \| h(A_i))$ using the pre-shared key $PSK$, and verifies $M_3 \stackrel{?}{=} h(ID_i \| n_1 \| B_i)$. The verification holds, since the adversary replays the user's login message unchanged. $S_j$ then generates a fresh random nonce $n_3$, computes $SK'_{ji} = h(ID_i \| SID_j \| B_i \| n_1 \| n_3)$, $M'_4 = n_3 \oplus h(ID_i \| n_1)$ and $M'_5 = h(SK'_{ji} \| n_1 \| n_3)$, and responds with $\langle SID_j, M'_4, M'_5 \rangle$.
– $E$ intercepts $\langle SID_j, M'_4, M'_5 \rangle$ and tries to respond with a valid message. If $E$ replays the old message $\langle M_6 \rangle$, $S_j$ verifies $M_6 \stackrel{?}{=} h(SK'_{ji} \| n_3 \| n_1)$, which fails since $M_6 = h(SK_{ji} \| n_2 \| n_1)$ and $n_3 \neq n_2$. If instead $E$ tries to build $M'_6 = h(SK'_{ji} \| n_3 \| n_1)$, he/she has to compute $SK'_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_3)$, which requires the user's identity $ID_i$ and secret key $B_i$. Thus, $E$ cannot respond with the message $\langle M'_6 \rangle$.

Since the adversary $E$ cannot respond with a valid message $\langle M'_6 \rangle$, the server $S_j$ terminates the session.

6.1.8. User impersonation attack

In this attack, an adversary $E$ tries to masquerade as a legitimate user $U_i$ to log in to the server $S_j$. Our scheme resists the user impersonation attack as follows:

– $E$ may try to log in to the server by replaying old messages. However, the proposed scheme resists the replay attack, as shown in Section 6.1.7.
– $E$ may try to generate a valid login message $\langle Z_i, M'_1, M'_2, M'_3 \rangle$ for a random value $n_e$, where $M'_1 = h(PSK) \oplus n_e$, $M'_2 = ID_i \oplus h(n_e \| B_i)$ and $M'_3 = h(ID_i \| n_e \| B_i)$. This attempt fails, since $E$ cannot compute $M'_3$ correctly for $n_e$: the information $B_i$ and $ID_i$ is needed, as $M'_3 = h(ID_i \| n_e \| B_i)$. The smart card $SC_i$ does not store $ID_i$, and the transmitted messages protect $ID_i$ with $h(n_1 \| B_i)$. To compute $B_i$ from $X_i$, both the password and the biometric of $U_i$ are needed, as $B_i = X_i \oplus h(PW_i \| N_i)$ and $N_i = N \oplus H(BIO_i)$.

This shows that our scheme resists the user impersonation attack.
6.1.9. Server spoofing attack

Under this attack, an adversary $E$ tries to masquerade as the server $S_j$ to the user $U_i$. Our scheme resists this attack as follows. When the user $U_i$ sends a login message $\langle Z_i, M'_1, M'_2, M'_3 \rangle$ to $S_j$, where $M'_1 = h(PSK) \oplus n'_1$, $M'_2 = ID_i \oplus h(n'_1 \| B_i)$ and $M'_3 = h(ID_i \| n'_1 \| B_i)$, $E$ intercepts it and may try either of the following:

– $E$ replays an old message $\langle SID_j, M_4, M_5 \rangle$, where $M_4 = n_2 \oplus h(ID_i \| n_1)$ and $M_5 = h(SK_{ji} \| n_1 \| n_2)$. This attempt fails, since different sessions use different random nonces, that is, $n_1 \neq n'_1$, and the smart card detects the mismatch when checking $M_5$.
– $E$ generates a fresh response $\langle SID_j, M'_4, M'_5 \rangle$ for a random nonce $n_e$, where $M'_4 = n_e \oplus h(ID_i \| n'_1)$ and $M'_5 = h(SK'_{ji} \| n'_1 \| n_e)$. To compute $M'_5$, $E$ has to retrieve $n'_1$ from $M'_1$, which requires $h(PSK)$, as $M'_1 = h(PSK) \oplus n'_1$. On the smart card, $h(PSK)$ is stored only as $Y_i = h(PSK) \oplus W_2$ with $W_2 = h(ID_i \oplus N_i)$ and $N_i = N \oplus H(BIO_i)$, so it is protected by the user's identity and biometric $BIO_i$; hence $E$ cannot respond with a valid message.

6.1.10. Mutual authentication

In our scheme, the server $S_j$ verifies the authenticity of the user $U_i$ using the condition $M_6 \stackrel{?}{=} h(SK_{ji} \| n_2 \| n_1)$, and the user $U_i$ verifies the authenticity of the server $S_j$ using the condition $M_5 \stackrel{?}{=} h(SK_{ij} \| n_1 \| n_2)$. Computing either $M_5$ or $M_6$ requires the session key $SK_{ji} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2) = SK_{ij}$, and computing $SK_{ji}$ requires the user identity $ID_i$ and the secret key $B_i$. The user $U_i$ and the server $S_j$ can thus correctly authenticate each other, because only the authorized participants can compute $M_5$ and $M_6$ in our scheme.

6.1.11. Known key secrecy

Suppose the established session key $SK_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$ between a user $U_i$ and a server $S_j$ is compromised by an attacker. The compromised session key reveals no information about other session keys, for the following reasons:

– Each session key is the output of the one-way hash function $h(\cdot)$. Hence, no information about its inputs can be retrieved from the session key, due to the one-way and collision-resistant properties defined in Section 2.2.
– Each session key also involves the random nonces $n_1$ and $n_2$, which are different for each session.

Since a compromised session key reveals no information about other established session keys, our scheme achieves the known key secrecy property.

6.1.12. Forward secrecy

An adversary $E$ can try to compute an established session key $SK_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$ using the user $U_i$'s long-term secret key $B_i$. This attempt fails in our scheme for the following reasons:

– To compute the session key $SK_{ij}$, the user identity $ID_i$ and the short-term session values $n_1$ and $n_2$ are needed along with the user's secret key $B_i$, as $SK_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$.
– The smart card $SC_i$ does not store the user's identity $ID_i$, and the transmitted message carries $M_2 = ID_i \oplus h(n_1 \| B_i)$ instead of $ID_i$. To compute $ID_i$ from $M_2$, the random nonce $n_1$ is needed along with $B_i$. To retrieve $n_1$ from $M_1 = h(PSK) \oplus n_1$, the adversary needs $h(PSK)$, which is in turn protected by $W_2 = h(ID_i \oplus N_i)$. To compute $W_2$, the user's biometric $BIO_i$ is needed, because $N_i = N \oplus H(BIO_i)$. Since only the user $U_i$ can imprint the biometric $BIO_i$ at the sensor, no adversary can obtain the user's identity $ID_i$ and $n_1$.
– Finally, to retrieve the random nonce $n_2$ from $M_4 = n_2 \oplus h(ID_i \| n_1)$, the information $ID_i$ and $n_1$ is also needed.

Note that this argument concerns the compromise of $B_i$ alone and rests on $h(PSK)$ remaining secret: with both $B_i$ and $h(PSK)$, the transcript $\langle M_1, M_2, M_4 \rangle$ would yield $n_1$, $ID_i$ and $n_2$, and hence $SK_{ij}$.
6.1.13. Known session-specific temporary information attack

If the short-term secret session values $n_1$ and $n_2$ are compromised, an attacker may try to construct the established session key $SK_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$. This attempt cannot succeed in our scheme, for the following reasons:

– To compute the session key $SK_{ij}$, the user's identity $ID_i$ and the user's secret key $B_i$ are needed along with the short-term values $n_1$ and $n_2$, since $SK_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$.
– To retrieve $ID_i$ from $M_2$, $E$ also needs $B_i$, as $ID_i = M_2 \oplus h(n_1 \| B_i)$.
– To retrieve $B_i$ from $X_i$, the user's password $PW_i$ and biometric $BIO_i$ are required, since $B_i = X_i \oplus h(PW_i \| N_i)$ and $N_i = N \oplus H(BIO_i)$.

It is thus clear that to retrieve the user's secret key $B_i$, an adversary needs the user's password as well as biometric. This shows that our scheme resists the known session-specific temporary information attack.

6.1.14. Session key agreement and verification

During the authentication phase of our scheme, the user $U_i$ and the server $S_j$ compute the session keys $SK_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$ and $SK_{ji} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$, respectively, so that $SK_{ij} = SK_{ji}$. Moreover, $U_i$ and $S_j$ verify the established session key using the conditions $M_5 \stackrel{?}{=} h(SK_{ij} \| n_1 \| n_2)$ and $M_6 \stackrel{?}{=} h(SK_{ji} \| n_2 \| n_1)$, respectively. Since both verification values are hashes of the session key together with the secret random nonces, the user $U_i$ and the server $S_j$ can correctly verify the session key.
6.2. Formal security analysis

In this section, we show through formal security analysis that our scheme is secure. We follow the analysis in Chatterjee, Das, and Sing (2014), Das, Paul, and Tripathy (2012) and Odelu, Das, and Goswami (2014). For this purpose, we define the following oracle:

Reveal: This oracle unconditionally outputs the input string $x$ from the corresponding hash value $y = h(x)$.

The following two theorems provide the formal security of our scheme against an adversary.

Theorem 1. Under the assumption that the one-way hash function $h(\cdot)$ closely behaves like an oracle, our proposed scheme is provably secure against an adversary for deriving the identity $ID_i$ of a legal user $U_i$, the private key $PSK$ of the server $S_j$, and the session key $SK_{ij}$ between $U_i$ and $S_j$.

Proof. In this proof, we construct an adversary (that is, an attacker) $A$ who has the ability to derive the identity $ID_i$ of a legal user $U_i$, the private key $PSK$ of the server $S_j$, and the session key $SK_{ij}$ between $U_i$ and $S_j$. The adversary $A$ uses the Reveal oracle to run the experiment $EXP1^{HASH}_{A,BMSAKAS}$ for our proposed biometric-based multi-server authenticated key agreement scheme (BMSAKAS), given in Algorithm 1. We define the success probability of $EXP1^{HASH}_{A,BMSAKAS}$ as $Succ1 = |\Pr[EXP1^{HASH}_{A,BMSAKAS} = 1] - 1|$, where $\Pr[E]$ denotes the probability of an event $E$. The advantage function for this experiment is then $Adv1(et_1, q_R) = \max_A \{Succ1\}$, where the maximum is taken over all $A$ with execution time $et_1$ and number of queries $q_R$ made to the Reveal oracle. Our scheme is said to be provably secure against an adversary $A$ for deriving $ID_i$, $PSK$ and $SK_{ij}$ if $Adv1(et_1, q_R) \le \epsilon_1$ for any sufficiently small $\epsilon_1 > 0$. According to this experiment, $A$ can derive $ID_i$, $PSK$ and $SK_{ij}$ and win the game only if he/she has the ability to invert the one-way hash function $h(\cdot)$. However, inverting $h(\cdot)$ is computationally infeasible, that is, $Adv^{HASH}_A(t) \le \epsilon$ for any sufficiently small $\epsilon > 0$ (Section 2.2). Hence, $Adv1(et_1, q_R) \le \epsilon_1$, since $Adv1(et_1, q_R)$ depends on the advantage $Adv^{HASH}_A(t)$. This proves that our scheme is provably secure against an adversary for deriving $ID_i$, $PSK$ and $SK_{ij}$. $\square$

Note that the Reveal oracle is a proof device only: the experiment shows that recovering these values from the transcript amounts to inverting $h(\cdot)$. The adversary's network capabilities under the Dolev–Yao model are covered separately by the AVISPA simulation in Section 6.3.

Algorithm 1. $EXP1^{HASH}_{A,BMSAKAS}$

1: Eavesdrop the login request message $\langle Z_i, M_1, M_2, M_3 \rangle$ during the login phase, where $Z_i = PSK \oplus A_i$, $A_i = h(ID_i \| x \| T_r)$, $M_1 = h(PSK) \oplus n_1$, $M_2 = ID_i \oplus h(n_1 \| B_i)$, $M_3 = h(ID_i \| n_1 \| B_i)$ and $B_i = h(A_i)$.
2: Call the Reveal oracle on input $M_3$ to retrieve $ID_i$, $n_1$ and $B_i$ as $(ID'_i \| n'_1 \| B'_i) \leftarrow Reveal(M_3)$.
3: Compute $M'_2 = ID'_i \oplus h(n'_1 \| B'_i)$.
4: if $(M'_2 = M_2)$ then
5: Compute $u = M_1 \oplus n'_1$ (that is, $u = h(PSK)$).
6: Eavesdrop the authentication request message $\langle SID_j, M_4, M_5 \rangle$ during the authentication phase, where $M_4 = n_2 \oplus h(ID_i \| n_1)$ and $M_5 = h(SK_{ij} \| n_1 \| n_2)$.
7: Call the Reveal oracle on input $M_5$ to retrieve $SK_{ij}$, $n_1$ and $n_2$ as $(SK_{ij} \| n_1 \| n_2) \leftarrow Reveal(M_5)$.
8: Compute $n'_2 = M_4 \oplus h(ID'_i \| n'_1)$.
9: if $(n_2 = n'_2)$ then
10: Call the Reveal oracle on input $u$ to retrieve the private key $PSK$ of the server $S_j$ as $PSK \leftarrow Reveal(u)$.
11: Accept $ID'_i$, $PSK$ and $SK_{ij}$ as the correct identity $ID_i$ of the user $U_i$, the private key $PSK$ of the server $S_j$, and the session key $SK_{ij}$ between $U_i$ and $S_j$, respectively.
12: return 1 (Success)
13: else
14: return 0 (Failure)
15: end if
16: else
17: return 0 (Failure)
18: end if
Theorem 2. Under the assumption that the one-way hash function $h(\cdot)$ closely behaves like an oracle, our proposed scheme is provably secure against an adversary for deriving the password $PW_i$ of a legal user $U_i$, even if his/her smart card is lost or stolen.

Proof. This proof is similar to that of Theorem 1. We construct an adversary $A$ who has the ability to derive the password $PW_i$ of a legal user $U_i$, even if his/her smart card is lost or stolen. According to our threat model in Section 1.1, the adversary $A$ can extract all the sensitive information $\{X_i, Y_i, Z_i, h(\cdot), N, V\}$ from the lost/stolen smart card of a legal user $U_i$ using the power analysis attack (Kocher et al., 1999b; Messerges et al., 2002b). The adversary $A$ uses the Reveal oracle to run the experiment $EXP2^{HASH}_{A,BMSAKAS}$ for our proposed scheme BMSAKAS, given in Algorithm 2. The success probability of $EXP2^{HASH}_{A,BMSAKAS}$ is defined by $Succ2 = |\Pr[EXP2^{HASH}_{A,BMSAKAS} = 1] - 1|$, and the advantage function for this experiment is $Adv2(et_2, q_R) = \max_A \{Succ2\}$, where the maximum is taken over all $A$ with execution time $et_2$ and number of queries $q_R$ made to the Reveal oracle. We call our scheme provably secure against an adversary $A$ for deriving $PW_i$ if $Adv2(et_2, q_R) \le \epsilon_2$ for any sufficiently small $\epsilon_2 > 0$. According to this experiment, $A$ can derive $PW_i$ and win the game only if he/she has the ability to invert the one-way hash function $h(\cdot)$. However, inverting $h(\cdot)$ is computationally infeasible, that is, $Adv^{HASH}_A(t) \le \epsilon$ for any sufficiently small $\epsilon > 0$ (Section 2.2). Hence, $Adv2(et_2, q_R) \le \epsilon_2$, since $Adv2(et_2, q_R)$ depends on the advantage $Adv^{HASH}_A(t)$. This proves that our scheme is provably secure against an adversary for deriving the password $PW_i$ of the user $U_i$. $\square$

Algorithm 2. $EXP2^{HASH}_{A,BMSAKAS}$

1: Extract all the sensitive information $\{X_i, Y_i, Z_i, h(\cdot), N, V\}$ from the lost/stolen smart card of a legal user $U_i$ using the power analysis attack (Kocher et al., 1999b; Messerges et al., 2002b), as explained in our threat model in Section 1.1, where $V = h(ID_i \| N_i \| PW_i)$.
2: Call the Reveal oracle on input $V$ to retrieve $ID_i$, $N_i$ and $PW_i$ as $(ID'_i \| N'_i \| PW'_i) \leftarrow Reveal(V)$.
3: Eavesdrop the login request message $\langle Z_i, M_1, M_2, M_3 \rangle$ during the login phase, where $M_3 = h(ID_i \| n_1 \| B_i)$.
4: Call the Reveal oracle on input $M_3$ to retrieve $ID_i$, $n_1$ and $B_i$ as $(ID_i \| n_1 \| B_i) \leftarrow Reveal(M_3)$.
5: if $(ID_i = ID'_i)$ then
6: Accept $PW'_i$ as the correct password $PW_i$ of the user $U_i$.
7: return 1 (Success)
8: else
9: return 0 (Failure)
10: end if
6.3. Simulation for formal security verification using AVISPA tool

In this section, we simulate our proposed improved scheme for formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, in order to show that our scheme is secure against passive and active attacks, including the replay and man-in-the-middle attacks.

6.3.1. Overview of AVISPA

AVISPA is a push-button tool for the automated validation of Internet security-sensitive protocols and applications. It provides a modular and expressive formal language for specifying protocols and their security properties, and integrates different back-ends that implement a variety of state-of-the-art automatic analysis techniques (AVISPA, 2014c; Armando et al., 2005). The architecture of the AVISPA tool is shown in Fig. 1. We have used the widely-accepted AVISPA back-ends for our formal security verification (Das et al., 2013; Das & Goswami, 2013; Chatterjee et al., 2014). AVISPA currently implements four back-ends and abstraction-based methods, which are integrated through the High Level Protocol Specification Language, HLPSL (von Oheimb, 2005). A static analysis is performed to check the executability of the protocol, and then the protocol and the intruder actions are compiled into an intermediate format (IF). The intermediate format is the starting point for the four automated protocol analysis techniques; IF is a lower-level language than HLPSL and is read directly by the back-ends of the AVISPA tool.

The first back-end, the On-the-fly Model-Checker (OFMC), applies several symbolic techniques to explore the state space in a demand-driven way (Basin, Modersheim, & Vigano, 2005). The second back-end, the Constraint-Logic-based Attack Searcher (CL-AtSe), translates any security protocol specification written as a transition relation in intermediate format into a set of constraints, which are used to find whether there are attacks on the protocol. The third back-end, the SAT-based Model-Checker (SATMC), builds a propositional formula which is fed to a state-of-the-art SAT solver, and any model found is translated back into an attack. The fourth back-end, TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols), approximates the intruder knowledge using regular tree languages.

Protocols to be analysed with the AVISPA tool have to be specified in HLPSL (von Oheimb, 2005) and written in a file with the extension hlpsl. The language is based on roles: basic roles represent each participant, and composition roles represent scenarios of basic roles. Each role is independent of the others, receives some initial information through parameters, and communicates with the other roles over channels. The intruder is modeled using the Dolev–Yao model (Dolev & Yao, 1983), as described in our threat model in Section 1.1, with the possibility for the intruder to assume a legitimate role in a protocol run. The role system also defines the number of sessions, the number of principals and the roles.

The output format (OF) of AVISPA is generated by one of the four back-ends explained above. When the analysis of a protocol has been completed (whether or not an attack was found), the output describes precisely what the result is and under what conditions it was obtained. The OF contains the following sections. The first section, SUMMARY, indicates whether the tested protocol is safe or unsafe, or whether the analysis is inconclusive. The second section, DETAILS, explains under what conditions the tested protocol is declared safe, what conditions were used to find an attack, or why the analysis was inconclusive. The sections PROTOCOL, GOAL and BACKEND give the name of the protocol, the goal of the analysis and the name of the back-end used, respectively. Finally, after some comments and statistics, the trace of an attack (if any) is printed in the standard Alice–Bob format.

Some of the basic types supported by HLPSL are as follows:

– agent: Values of type agent represent principal names. The intruder is always assumed to have the special identifier i.
D. Mishra et al. / Expert Systems with Applications 41 (2014) 8129–8143
Fig. 1. Architecture of the AVISPA tool (Source: AVISPA (2014a)).
public_key: Variables of this type represent agents' public keys in a public-key cryptosystem. Given a public (respectively private) key pk, its inverse private (respectively public) key is written inv(pk).

symmetric_key: Variables of this type represent keys for a symmetric-key cryptosystem.

text: Values of type text are often used as nonces and may be used in messages. If Na is of type text (fresh), then Na' is a fresh value that the intruder cannot guess.

nat: The nat type represents the natural numbers in non-message contexts.

const: Represents constants.

hash_func: The base type hash_func represents cryptographic hash functions. The base type function also represents functions on the space of messages. It is assumed that the intruder cannot invert hash functions (in essence, that they are one-way, collision-resistant functions).

The space of legal messages is defined as the closure of the basic types. For a given message M and encryption key K, {M}_K denotes the symmetric-key or public-key encryption of M under K. The associative "." operator is used for concatenation. The declaration "played_by A" indicates that the agent named in variable A plays the role. A knowledge declaration (usually in the top-level environment role) specifies the intruder's initial knowledge. Immediate reaction transitions have the form X =|> Y, relating an event X to an action Y: whenever a transition is taken that makes the event predicate X true, the action Y is executed immediately (that is, simultaneously). If a variable V needs to be permanently secret, this is expressed by the goal secrecy_of V; if V is ever obtained or derived by the intruder, a security violation results.

6.3.2. Specifying our scheme

In this section, we briefly discuss the specification of our scheme for the roles of the user U_i and the server S_j, the session, and then the goal and environment.
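The message algebra and intruder assumptions just described (pairs can be split, {M}_K can be opened only with K, h() can be applied but never inverted) are what the back-ends reason with. The following Python model is an added example, not code from the paper or from the AVISPA distribution: it implements the standard two-phase Dolev–Yao derivability check (decompose what was observed, then try to compose the goal) over that algebra. The term encoding, the sample login message ⟨Z, h(ID.n1), {n1}_K⟩ and all names in it are assumptions made for this illustration and are not the paper's actual messages.

```python
"""Dolev-Yao derivability over an HLPSL-style message algebra.

Added illustration (not from the paper or the AVISPA tool).  Models the
intruder assumptions stated in the text: the "." concatenation can be split,
{M}_K can be opened only when K is derivable, and h() is one-way.

Term encoding (an assumption of this example):
    'a'                 atom (agent name, nonce, key, identity, ...)
    ('pair', A, B)      A.B
    ('senc', M, K)      {M}_K, symmetric encryption
    ('hash', M)         h(M)
"""
from __future__ import annotations

Term = object


def pair(a: Term, b: Term) -> tuple:
    return ("pair", a, b)


def senc(m: Term, k: Term) -> tuple:
    return ("senc", m, k)


def h(m: Term) -> tuple:
    return ("hash", m)


def _synth(t: Term, known: set) -> bool:
    """Composition phase: can the intruder build t from already-known terms?"""
    if t in known:
        return True
    if isinstance(t, tuple):
        tag, *args = t
        if tag in ("pair", "senc"):
            return _synth(args[0], known) and _synth(args[1], known)
        if tag == "hash":            # h() may be applied to known input, never inverted
            return _synth(args[0], known)
    return False


def analyze(knowledge) -> set:
    """Decomposition phase: split pairs, decrypt when the key is derivable."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            parts: tuple = ()
            if t[0] == "pair":
                parts = (t[1], t[2])
            elif t[0] == "senc" and _synth(t[2], known):
                parts = (t[1],)
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known


def derivable(goal: Term, knowledge) -> bool:
    """Standard Dolev-Yao decision procedure for this algebra: analyze, then synthesize."""
    return _synth(goal, analyze(knowledge))


# Constructed sample: the intruder observes a login message of the (hypothetical)
# shape < Z, h(ID.n1), {n1}_K > on the public channel.
OBSERVED = pair("Z", pair(h(pair("ID", "n1")), senc("n1", "K")))


def demo() -> dict:
    base = {OBSERVED}
    with_key = base | {"K"}          # e.g. K recovered from a stolen smart card
    return {
        "id_from_hash": derivable("ID", base),                 # False: h() is one-way
        "n1_without_key": derivable("n1", base),               # False: {n1}_K stays sealed
        "n1_with_key": derivable("n1", with_key),              # True: decryption with K
        "can_rehash_id": derivable(h(pair("ID", "n1")), with_key),  # True: it was observed
        "forge_other_hash": derivable(h(pair("ID", "n2")), with_key | {"n2"}),  # False: ID unknown
        "forge_with_id": derivable(h(pair("ID", "n2")), with_key | {"n2", "ID"}),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

The last two entries of `demo()` are the point the stolen-smart-card analysis turns on: a leaked card secret lets the intruder open {n1}_K, but forging a fresh h(ID.n2) still requires ID itself, which the one-way hash never gives back.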
In Fig. 2, we have implemented the role for U_i in HLPSL. During the user registration phase, U_i first sends the registration request message ⟨ID_i, W_1 W_2⟩ via a secure channel to the registration center using the Snd() operation. The type declaration channel(dy) means that the channel is subject to the Dolev–Yao threat model (Dolev & Yao, 1983). The declaration secret(IDi, subs3, Ui, Sj) indicates that ID_i is kept permanently secret, known only to U_i and S_j. The user U_i then receives the smart card with the information {X_i, Y_i, Z_i, h(·)} from the registration center using the Rcv() operation. During the login phase, U_i sends the login request message ⟨Z_i, M_1, M_2, M_3⟩ to the server S_j via a public channel. During the authentication phase, U_i receives the authentication request message ⟨SID_j, M_4, M_5⟩ from S_j via a public channel. Finally, U_i sends the authentication reply message ⟨M_6⟩ via a public channel. The declaration witness(Ui, Sj, alice_bob_n1, N1') states that U_i has freshly generated the value n1 for S_j. The declaration request(Sj, Ui, bob_alice_n2, N2') states U_i's acceptance of the value n2 generated for U_i by S_j; in other words, U_i authenticates the server S_j.

In Fig. 3, we have provided the role for S_j (which also acts as the registration center) in HLPSL. During the user registration phase, the registration center first receives the registration request message ⟨ID_i, W_1 W_2⟩ from the user U_i via a secure channel. The registration center then issues the smart card with the information {X_i, Y_i, Z_i, h(·)} to the user U_i via a secure channel. During the login phase, S_j receives the login request message ⟨Z_i, M_1, M_2, M_3⟩ from the user U_i via a public channel. In the authentication phase, S_j then sends the authentication request message ⟨SID_j, M_4, M_5⟩ to U_i via a public channel. Finally, S_j receives the authentication reply message ⟨M_6⟩ from the user U_i via a public channel. In this role, the declaration witness(Sj, Ui, bob_alice_n2, N2') means that S_j has freshly generated the random value n2 for the user U_i (the smart card SC_i). The declaration request(Ui, Sj, alice_bob_n1, N1') indicates S_j's acceptance of the value n1 generated for S_j by U_i; in other words, S_j authenticates the user U_i.

In Fig. 4, we have given the HLPSL specifications for the roles of session, goal and environment. In the session segment, all the basic roles, including those for the user U_i and the server S_j, are instantiated with concrete arguments. The top-level role, environment, is defined in the HLPSL specification; it contains the global constants and a composition of one or more sessions, in which the intruder may play some roles as a legitimate user. In HLPSL, the intruder also participates in the execution of the protocol as a concrete session. The current version of HLPSL supports the standard authentication and secrecy goals. In our
Fig. 2. Role specification in HLPSL for the user U i of our scheme.
implementation, the following five secrecy goals and three authentication goals are verified:

secrecy_of subs1: x, PSK and T_r are kept secret to S_j.

secrecy_of subs2: PW_i, BIO_i and N_i are kept secret to the user U_i.

secrecy_of subs3: ID_i is kept secret to both U_i and S_j.

secrecy_of subs4: n1 is kept secret to U_i.

secrecy_of subs5: n2 is kept secret to S_j.

authentication_on alice_bob_n1: U_i generates a random nonce n1, which is known only to U_i. If S_j receives n1 in the message from U_i, S_j authenticates U_i on n1.

authentication_on bob_alice_tr: S_j (acting as registration center) generates a random registration time T_r, which is known to S_j. When U_i receives T_r in the message, U_i authenticates S_j based on T_r.
Fig. 3. Role specification in HLPSL for the server Sj of our scheme.
authentication_on bob_alice_n2: S_j generates a random nonce n2, which is known only to S_j. If U_i receives n2 in the message from S_j, U_i authenticates S_j on n2.

6.3.3. Analysis of results

We have chosen the two widely-accepted back-ends, OFMC and CL-AtSe, for the execution tests and for bounded-session model checking. For the replay attack check, the back-ends first verify that the legitimate agents can execute the specified protocol by searching with a passive intruder, and then give the intruder the knowledge of some normal sessions between the legitimate agents. For the Dolev–Yao model check, the back-ends test whether any man-in-the-middle attack is possible for the intruder. We have simulated our scheme under the OFMC and CL-AtSe back-ends using the AVISPA web tool
Fig. 4. Role specification in HLPSL for the session, goal and environment of our scheme.
Fig. 5. The result of the analysis using OFMC and CL-AtSe backends of our scheme.
(AVISPA, 2014b). The simulation results are shown in Fig. 5. The formal security verification shows that, within the bounded-session Dolev–Yao model checked by these back-ends, our scheme is secure against active attacks such as replay and man-in-the-middle attacks.

7. Performance comparison with other related schemes

In this section, we compare the performance of our scheme with other related existing biometric-based multi-server authentication
schemes such as Yang and Yang (2010), Yoon and Yoo (2011), Kim et al. (2012) and Chuang and Chen (2014). In Table 5, we compare our scheme with Yang and Yang's scheme, Yoon and Yoo's scheme, Kim et al.'s scheme and Chuang and Chen's scheme with respect to different desirable security attributes. If a scheme prevents an attack or satisfies an attribute, we use the symbol ✓; otherwise, we use the symbol ✗. It is clear from this table that our scheme is superior to the other schemes with respect to these security attributes.
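The witness/request declarations and the secrecy_of and authentication_on goals of Section 6.3.2 have a precise operational meaning that the SAFE verdict in Fig. 5 summarises. The following checker is an added example, not the paper's HLPSL roles (Figs. 2–4) and not part of AVISPA: it replays that meaning over an explicit event trace instead of a model checker's state space. The event encoding, the agent names Ui and Sj, and the honest and replayed traces are constructed for this illustration; `request` is treated as HLPSL's strong (injective) authentication and `wrequest` as weak authentication.

```python
"""Trace-level checker for HLPSL-style secrecy_of and authentication_on goals.

Added illustration, not the paper's HLPSL specification and not AVISPA code.
Event encoding (an assumption of this example):

    ('witness', A, B, goal, v)   A claims it freshly generated v for B
    ('request', B, A, goal, v)   B accepts v as coming from A (strong auth)
    ('wrequest', B, A, goal, v)  same, weak (non-injective) authentication
    ('secret', v, tag, agents)   v must stay known only to agents (a frozenset)
    ('iknows', v)                the intruder has learned v
"""
from __future__ import annotations

INTRUDER = "i"   # HLPSL's fixed identifier for the intruder


def check_authentication(trace: list, goal: str) -> list:
    """Return violations of authentication_on <goal> as (event index, reason).

    A (w)request(B, A, goal, v) needs an earlier witness(A, B, goal, v).
    For a strong 'request' each witness may satisfy at most one request, so a
    replayed value is reported even though a matching witness exists."""
    witnesses: dict = {}      # (A, B, v) -> indices of witness events
    consumed: set = set()     # witness indices already matched by a strong request
    violations = []
    for i, ev in enumerate(trace):
        kind = ev[0]
        if kind == "witness" and ev[3] == goal:
            witnesses.setdefault((ev[1], ev[2], ev[4]), []).append(i)
        elif kind in ("request", "wrequest") and ev[3] == goal:
            b, a, v = ev[1], ev[2], ev[4]
            earlier = [j for j in witnesses.get((a, b, v), []) if j < i]
            if not earlier:
                violations.append((i, "no prior witness"))
                continue
            if kind == "request":
                fresh = [j for j in earlier if j not in consumed]
                if not fresh:
                    violations.append((i, "replay"))
                else:
                    consumed.add(fresh[0])
    return violations


def check_secrecy(trace: list) -> list:
    """Return violations of secrecy_of: the intruder learned a value that was
    declared secret among a set of agents not containing the intruder."""
    learned = {ev[1] for ev in trace if ev[0] == "iknows"}
    return [(i, ev[1]) for i, ev in enumerate(trace)
            if ev[0] == "secret" and INTRUDER not in ev[3] and ev[1] in learned]


# Constructed honest run of the login/authentication exchange described in the
# text: U_i contributes n1, S_j answers with n2, each side accepts the other's value.
HONEST = [
    ("secret", "ID_i", "subs3", frozenset({"Ui", "Sj"})),
    ("witness", "Ui", "Sj", "alice_bob_n1", "n1"),
    ("request", "Sj", "Ui", "alice_bob_n1", "n1"),
    ("witness", "Sj", "Ui", "bob_alice_n2", "n2"),
    ("request", "Ui", "Sj", "bob_alice_n2", "n2"),
]

# Constructed attack trace: the intruder resends U_i's login message and S_j
# accepts n1 a second time without a fresh witness; ID_i also leaks.
REPLAYED = HONEST + [
    ("request", "Sj", "Ui", "alice_bob_n1", "n1"),
    ("iknows", "ID_i"),
]


def verdict(trace: list) -> str:
    """Mimic the SUMMARY line of AVISPA's output format for the goals above."""
    bad = (check_authentication(trace, "alice_bob_n1")
           + check_authentication(trace, "bob_alice_n2")
           + check_secrecy(trace))
    return "SAFE" if not bad else "UNSAFE: " + "; ".join(map(str, bad))


if __name__ == "__main__":
    print("honest  :", verdict(HONEST))
    print("replayed:", verdict(REPLAYED))
```

The replay case is why the strong `request` form matters: with `wrequest` the second acceptance of n1 would pass, because a witness for that value exists somewhere in the trace. The injective matching is what lets the back-ends report the replay attack the text says they search for.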
Table 5. Comparison of the proposed scheme with related schemes for different desirable security attributes (only the ✓ marks are legible in this copy of the table, so each scheme is summarised by the number of the seventeen attributes S1–S17 it satisfies).

Scheme                    Attributes satisfied (✓) out of 17
Yang and Yang (2010)      14
Yoon and Yoo (2011)       13
Kim et al. (2012)         14
Chuang and Chen (2014)    12
Ours                      17

Note: S1: User anonymity; S2: Insider attack; S3: On-line password guessing attack; S4: Off-line password guessing attack; S5: Stolen smart card attack; S6: Denial of service attack; S7: Known session keys attack; S8: User impersonation attack; S9: Server impersonation attack; S10: Man-in-the-middle attack; S11: Replay attack; S12: Mutual authentication; S13: Efficient login phase; S14: Efficient password change phase; S15: User-friendly password change phase; S16: Session key agreement; S17: Session key verification.
Table 6. Notations used for analyzing the computational complexity.

Notation   Description
–          No computational cost
T_EM       Time complexity of executing an elliptic curve scalar point multiplication
T_F        Time complexity of executing the generation/reproduction algorithm of a fuzzy extractor
T_h        Time complexity of executing a one-way hash function h(·)
T_h'       Time complexity of combining the one-way transformation and the secure one-way hash function h'(·)
T_Exp      Time complexity of executing a modular exponentiation
We have finally compared our scheme with other biometric-based multi-server authentication schemes for computational complexity, using the notations given in Table 6. The notation '–' signifies that there is no computational cost in that phase; T_EM is the time complexity of an elliptic curve scalar point multiplication; T_F is that of the generation/reproduction algorithm of a fuzzy extractor; T_h is that of a one-way hash function h(·); T_h' is that of combining the one-way transformation and the secure one-way hash function h'(·); and T_Exp is the time complexity of a modular exponentiation. From Table 7, the schemes of Yang and Yang (2010), Yoon and Yoo (2011), Kim et al. (2012) and Chuang and Chen (2014) require 13T_h + 3T_F + 6T_Exp, 21T_h + 4T_EM, 23T_h + 4T_h' + 4T_EM and 21T_h, respectively. In this table, RC denotes the registration center. Our scheme requires 29T_h. Since a one-way hash function h(·) is very efficient and lightweight compared with modular exponentiation and elliptic curve point multiplication, our scheme performs significantly better than the schemes of Yang and Yang (2010), Yoon and Yoo (2011) and Kim et al. (2012). Although our scheme requires eight more hash computations than Chuang and Chen (2014), it is the better choice once the security it provides is taken into account.

8. Conclusion

We have discussed the merits and demerits of the existing multi-server password- and biometric-based authentication schemes in the literature. The analysis indicates that the existing schemes are either vulnerable to known attacks, do not preserve user anonymity, or require high computation overhead. We have analyzed the security of the recently proposed multi-server authentication scheme of Chuang and Chen and shown that an adversary can successfully perform the stolen smart card attack on it. We have also demonstrated that Chuang and Chen's scheme does not resist the impersonation attack, the server spoofing attack and the DoS attack. The cryptanalysis of Chuang and Chen's scheme thus shows that its security is compromised. To remedy these weaknesses, we have presented a secure and efficient multi-server authentication scheme.
The proposed scheme supports mutual authentication and key agreement, where a user and a server can correctly verify the legitimacy of each other and compute a shared session key. The proposed scheme satisfies all the desirable security attributes, as demonstrated through both the informal and the formal security analysis. We have simulated the proposed scheme for formal security verification using the widely-accepted AVISPA tool and shown that it is secure against passive and active attacks, including the replay and man-in-the-middle attacks. In addition, our scheme is computationally efficient compared with the other existing approaches because it uses only a one-way hash function. Considering the security and efficiency of our scheme, we conclude that it is more appropriate for practical applications of expert systems in network security than the other schemes. In future work, we aim to evaluate the energy and communication overheads of our scheme using a network simulator as a step towards practical implementation. Further, we aim to reduce the computation
Table 7. Comparison of the proposed scheme with some biometric-based multi-server authentication schemes.

Phase  Entity   Yang and Yang (2010)    Yoon and Yoo (2011)   Kim et al. (2012)        Chuang and Chen (2014)  Ours
R      User     –                       T_h                   T_h                      T_h                     4T_h
R      RC       3T_h + T_F + T_Exp      T_h                   2T_h + T_h'              2T_h                    3T_h
L      User     4T_h + T_F + T_Exp      2T_h + T_EM           3T_h + T_h' + T_EM       4T_h                    6T_h
A      User     T_h + T_Exp             3T_h + T_EM           3T_h + T_EM              4T_h                    4T_h
A      Server   2T_h + 3T_Exp           5T_h + 2T_EM          5T_h + 2T_EM             8T_h                    7T_h
A      RC       –                       7T_h                  7T_h                     –                       –
PC     User     3T_h + T_F              2T_h                  2T_h + 2T_h'             2T_h                    5T_h
Total           13T_h + 3T_F + 6T_Exp   21T_h + 4T_EM         23T_h + 4T_h' + 4T_EM    21T_h                   29T_h

Note: R: Registration phase; L: Login phase; A: Authentication phase; PC: Password change phase.
overhead and improve the performance of our scheme without compromising security. Finally, our scheme could be applicable to network management in distributed computer networks using expert systems.

Acknowledgements

The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the Editor-in-Chief, Dr. Binshan Lin, which have significantly improved the content and the presentation of this paper.

References

Armando, A., et al. (2005). The AVISPA tool for the automated validation of internet security protocols and applications. In 17th International Conference on Computer Aided Verification (CAV'05), Lecture Notes in Computer Science (Vol. 3576, pp. 281–285). Springer-Verlag.
Aumasson, J. P., Henzen, L., Meier, W., & Plasencia, M. N. (2010). Quark: A lightweight hash. In Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES 2010), Lecture Notes in Computer Science (Vol. 6225, pp. 1–15). Springer-Verlag.
AVISPA. (2014a). Automated validation of internet security protocols and applications.
AVISPA. (2014b). AVISPA Web Tool. Accessed January 2014.
AVISPA. (2014c). Automated validation of internet security protocols and applications. Accessed March 2013.
Basin, D., Mödersheim, S., & Viganò, L. (2005). OFMC: A symbolic model checker for security protocols. International Journal of Information Security, 4(3), 181–208.
Belguechi, R., Rosenberger, C., & Ait-Aoudia, S. (2010). Biohashing for securing minutiae template. In 2010 20th International Conference on Pattern Recognition (ICPR) (pp. 1168–1171). IEEE.
Boyd, C., & Mathuria, A. (2003). Protocols for authentication and key establishment. Springer.
Cao, X., & Zhong, S. (2006). Breaking a remote user authentication scheme for multi-server architecture. IEEE Communications Letters, 10(8), 580–581.
Chang, C.-C., & Lee, J.-S. (2004). An efficient and secure multi-server password authentication scheme using smart cards. In 2004 International Conference on Cyberworlds (pp. 417–422). IEEE.
Chatterjee, S., Das, A. K., & Sing, J. K. (2014). An enhanced access control scheme in wireless sensor networks. Ad Hoc & Sensor Wireless Networks, 21(1-2), 121–149.
Chen, T.-Y., Hwang, M.-S., Lee, C.-C., & Jan, J.-K. (2009). Cryptanalysis of a secure dynamic ID based remote user authentication scheme for multi-server environment. In 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC) (pp. 725–728). IEEE.
Chuang, M.-C., & Chen, M. C. (2014). An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications, 41(4), 1411–1418.
Das, A. K. (2011). Analysis and improvement on an efficient biometric based remote user authentication scheme using smart cards. IET Information Security, 5(3), 145–151.
Das, A. K., & Goswami, A. (2013). A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. Journal of Medical Systems, 37(3), 1–16.
Das, A. K., Massand, A., & Patil, S. (2013). A novel proxy signature scheme based on user hierarchical access control policy. Journal of King Saud University – Computer and Information Sciences, 25(2), 219–228.
Das, A. K., Paul, N. R., & Tripathy, L. (2012). Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Information Sciences, 209(C), 80–92.
Dolev, D., & Yao, A. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198–208.
Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., & Shalmani, M. T. M. (2008). On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme. In Advances in Cryptology – CRYPTO 2008 (pp. 203–220). Springer.
Hariri, S., & Jabbour, K. (1991). An expert system for network management. In Proceedings of the Tenth Annual International Phoenix Conference on Computers and Communications (pp. 580–586).
He, D. (2011). Security flaws in a biometrics-based multi-server authentication with key agreement scheme. IACR Cryptology ePrint Archive, 365.
He, D., Chen, J., Shi, W., & Khan, M. K. (2013). On the security of an authentication scheme for multi-server architecture. International Journal of Electronic Security and Digital Forensics, 5(3), 288–296.
He, D., & Wu, S. (2013). Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Personal Communications, 1–7.
Hsiang, H.-C., & Shih, W.-K. (2009). Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, 31(6), 1118–1123.
Jin, A. T. B., Ling, D. N. C., & Goh, A. (2004). Biohashing: Two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognition, 37(11), 2245–2255.
Juang, W.-S. (2004). Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics, 50(1), 251–255.
Kaufman, C. (2005). Internet key exchange (IKEv2) protocol.
Kim, H., Jeon, W., Lee, K., Lee, Y., & Won, D. (2012). Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme. In Computational Science and Its Applications (ICCSA 2012) (pp. 391–406). Springer.
Kocher, P., Jaffe, J., & Jun, B. (1999b). Differential power analysis. In Proceedings of Advances in Cryptology – CRYPTO'99, Lecture Notes in Computer Science (Vol. 1666, pp. 388–397).
Lee, C.-C., & Hsu, C.-W. (2013). A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. Nonlinear Dynamics, 71(1-2), 201–211.
Lee, C.-C., Lin, T.-H., & Chang, R.-X. (2011). A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.
Liao, Y.-P., & Wang, S.-S. (2009). A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, 31(1), 24–29.
Li, C.-T., & Hwang, M.-S. (2010). An efficient biometric-based remote authentication scheme using smart cards. Journal of Network and Computer Applications, 33(1), 1–5.
Li, L.-H., Lin, L.-C., & Hwang, M.-S. (2001). A remote password authentication scheme for multiserver architecture using neural networks. IEEE Transactions on Neural Networks, 12(6), 1498–1504.
Lin, I.-C., Hwang, M.-S., & Li, L.-H. (2003). A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems, 19(1), 13–22.
Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.
Lumini, A., & Nanni, L. (2007). An improved biohashing for human authentication. Pattern Recognition, 40(3), 1057–1065.
Manuel, S. (2011). Classification and generation of disturbance vectors for collision attacks against SHA-1. Designs, Codes and Cryptography, 59(1-3), 247–263.
Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002b). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.
Nanavati, T. (2002). Biometrics. John Wiley & Sons.
Odelu, V., Das, A. K., & Goswami, A. (2014). A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Information Sciences, 269(C), 270–285.
Pasquale, J. (1998). Using expert systems to manage distributed computer systems. IEEE Network, 2(5), 22–28.
Pippal, R. S., Jaidhar, C., & Tapaswi, S. (2013). Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 1–17.
Sarkar, P. (2010). A simple and generic construction of authenticated encryption with associated data. ACM Transactions on Information and System Security, 13(4), 33.
Secure Hash Standard. (2010). FIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, April 1995.
Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.
Stallings, W. (2003). Cryptography and network security: Principles and practices (3rd ed.). India: Prentice Hall.
Stinson, D. R. (2006). Some observations on the theory of cryptographic hash functions. Designs, Codes and Cryptography, 38(2), 259–277.
Truong, T.-T., Tran, M.-T., & Duong, A.-D. (2013). Robust secure dynamic ID based remote user authentication scheme for multi-server environment. In Computational Science and Its Applications – ICCSA 2013 (pp. 502–515). Springer.
Tsai, J.-L. (2008). Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers & Security, 27(3), 115–121.
Tsaur, W.-J., Li, J.-H., & Lee, W.-B. (2012). An efficient and secure multi-server authentication scheme with key agreement. Journal of Systems and Software, 85(4), 876–882.
Tsudik, G., & Summers, R. C. (1990). AudES – an expert system for security auditing. In Proceedings of the Second Conference on Innovative Applications of Artificial Intelligence (IAAI'90) (pp. 221–232).
von Oheimb, D. (2005). The high-level protocol specification language HLPSL developed in the EU project AVISPA. In Proceedings of the APPSEM 2005 Workshop.
Wang, B., & Ma, M. (2013). A smart card based efficient and secured multi-server authentication scheme. Wireless Personal Communications, 68(2), 361–378.
Yang, C. (2011). Integration of biometrics and PIN pad on smart card (Ph.D. thesis). University of Newcastle Upon Tyne.
Yang, W.-H., & Shieh, S.-P. (1999). Password authentication schemes with smart cards. Computers & Security, 18(8), 727–733.
Yang, D., & Yang, B. (2010). A biometric password-based multi-server authentication scheme with smart card. In International Conference on Computer Design and Applications (ICCDA 2010) (Vol. 5, pp. 554–559). IEEE.
Yoon, E.-J., & Yoo, K.-Y. (2011). Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. The Journal of Supercomputing, 63(1), 235–255.