Design of a provably secure biometrics-based multi-cloud-server authentication scheme


Accepted Manuscript

Design of a provably secure biometrics-based multi-cloud-server authentication scheme
Saru Kumari, Xiong Li, Fan Wu, Ashok Kumar Das, Kim-Kwang Raymond Choo, Jian Shen

PII: S0167-739X(16)30377-6
DOI: http://dx.doi.org/10.1016/j.future.2016.10.004
Reference: FUTURE 3176
To appear in: Future Generation Computer Systems
Received date: 28 July 2016
Revised date: 21 September 2016
Accepted date: 4 October 2016

Please cite this article as: S. Kumari, X. Li, F. Wu, A.K. Das, K.-K.R. Choo, J. Shen, Design of a provably secure biometrics-based multi-cloud-server authentication scheme, Future Generation Computer Systems (2016), http://dx.doi.org/10.1016/j.future.2016.10.004

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Highlights (for review)

- We devise a biometrics-based authentication scheme for the multi-cloud-server environment.
- It uses bio-hashing and ECC.
- We analyze it through informal discussions as well as a formal security proof.
- We evaluate it through comparison with related contemporary schemes.


Design of a Provably Secure Biometrics-based Multi-cloud-server Authentication Scheme

Saru Kumari 1, Xiong Li 2,7, Fan Wu 3, Ashok Kumar Das 4, Kim-Kwang Raymond Choo 5,6, Jian Shen 7

1 Department of Mathematics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India; [email protected]; [email protected]
2 School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China; [email protected]
3 Department of Computer Science and Engineering, Xiamen Institute of Technology, Huaqiao University, Xiamen 361021, China; [email protected]
4 Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500032, India; [email protected]; [email protected]
5 Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX 78249, USA; [email protected]
6 School of Information Technology & Mathematical Sciences, University of South Australia, Adelaide, SA 5001, Australia
7 School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210044, China; [email protected]; [email protected]; [email protected]

Abstract: Big Data and Cloud of Things (CoT) are two inter-related research trends in our data-driven society, and one research challenge is to design efficient security solutions that enable access to resources, services and data outsourced to the cloud without compromising the user's privacy. A viable solution is a user authentication set-up for multi-cloud-server environments, designed to function as an expert system permitting its users to obtain the desired services and resources (e.g. accessing data stored in a cloud storage account) from a cloud-server upon registration with a registration authority. Biometrics is a widely used authentication mechanism (e.g. in biometric passports); thus, in this paper, we devise a biometrics-based authentication scheme for multi-cloud-server environment deployment. To improve the accuracy of biometric pattern matching, we make use of bio-hashing. We then analyse the performance and efficiency of our scheme to demonstrate its utility.

Keywords: Authentication, Cloud of Things, Multi-cloud-server, Biometrics, ECC.

1. Introduction

In the Internet of Things (IoT) paradigm, we have a wide range of digital devices connected over the Internet, which allows us to connect, coordinate, compute and communicate between devices in real time with no geographical constraints [1]. IoT devices can also be used to collect and compile information from the surroundings (e.g. sensors deployed on a site to collect readings of nitrogen dioxide and carbon monoxide concentrations, which are then relayed back to a central server).

Figure 1: An example of CoT implementation

Deployments of IoT technologies can be found in healthcare, home monitoring, smart homes/cities (e.g. for security and surveillance purposes), offshore rigs (also known as oil platforms), etc. With the trend of deploying IoT over the cloud (also referred to as Cloud of Things, CoT) and the digitalization of our society, we are witnessing a significant increase in the volume, variety, velocity and veracity of data (i.e. "Big Data" [2]). Figure 1 depicts an example CoT implementation.

As with any popular consumer technology, security is a key concern and has attracted the attention of the security research community. A number of user authentication schemes have been proposed, generally for a single-server environment [3-11]. However, single-server authentication schemes are not suitable for real-world deployments. For example, such schemes are generally not scalable, as they require a user to memorize as many identity-password pairs as there are servers from which the user accesses services. In fact, a user has to register with every single server whose services the user wishes to use. This is analogous to the old Elsevier journal submission system, where an author had to register separately with every journal in which the author had an author, reviewer or editor role. Elsevier has since migrated to a consolidated server where a user needs only one account for all Elsevier journals and roles.

There are three authentication factors, namely (i) what you know (e.g. some secret information such as a password), (ii) what you have (e.g. something in our possession such as a smart card), and (iii) what you are (e.g. a unique biometric characteristic such as a fingerprint, hand geometry or iris), which form the basis for the design of any user authentication scheme. The first and the second factors complement each other in the sense that if the item in possession is protected by some secret known only to the user then, in general, leakage of the secret is useless to an adversary unless the adversary has both access to the item and knowledge of the associated secret. Since biometrics is something we are, a three-factor authentication (3FA) scheme is generally regarded as very secure if implemented correctly. Unsurprisingly, a number of biometrics-based authentication schemes have been proposed in recent years. In 2010, for example, Yoon and Yoo [12] proposed a biometrics-based authentication scheme for the multi-server scenario based on the elliptic curve cryptosystem (ECC). However, He and Wang [13] revealed that in Yoon and Yoo's scheme an adversary is able to impersonate the user if the adversary acquires both the smart card and the password, thus violating 3FA. Therefore, He and Wang [13] proposed another biometrics-based authentication scheme for the multi-server scenario, also based on ECC. Odelu et al. [14] studied He and Wang's scheme and found that it is vulnerable to impersonation, known session-specific temporary information leakage, weak user anonymity, and wrong password login/update attacks; they then presented a new multi-server authentication protocol using biometrics and ECC. In 2014, Chuang and Chen [15] proposed a biometrics-based authentication scheme for the multi-server scenario, which is claimed to provide user anonymity and satisfy a number of security features. However, in 2014 and 2015, Mishra et al. [16] and Lin et al. [17] respectively revealed that the scheme of Chuang and Chen suffers from user impersonation, server spoofing and denial-of-service attacks [16] and does not offer any protection for a user's identity and session key [17]. Two improved schemes were then presented. In 2015, however, Lu et al. [18] pointed out that Mishra et al.'s scheme is vulnerable to server spoofing and impersonation attacks, and that the scheme does not provide forward secrecy. A revised scheme was then presented. We observe that the schemes in [15, 16, 18] do not provide forward secrecy, unlike [19]. It is clear from the literature that designing efficient and secure user authentication schemes for multi-cloud-server environments (see Figure 2) remains a research challenge (similar to the troubled history of key establishment protocols [37-40]). This is the gap we seek to address in this paper.

Figure 2: An example multi-cloud-server architecture

Specifically, in this paper we propose a user-friendly and efficient multi-cloud-server authentication scheme. The scheme is designed to facilitate users accessing data from any server of their choice upon a once-off registration with a registration authority RA. Our scheme ensures user anonymity without involving the use of symmetric encryption/decryption techniques. In our scheme,

- RA maintains a record of the identities of registered users and servers securely. The RA also restricts multiple registrations by a single identity.
- The authenticity of a smart card's user is verified during the login/password update process to prevent impersonation.
- During authentication, RA verifies the legitimacy of both the user and the cloud server CS. This disjoint verification process reduces the chance of a registered but malicious server impersonating a legitimate user.
- Our scheme permits the session key sk to be established between CS and the user such that sk is unknown even to RA. Moreover, sk satisfies both backward and forward secrecy properties.

In addition, we remark that our scheme does not use any computationally expensive operations such as modular exponentiation, without compromising on security; this makes it suitable for real-world applications.

Organization of the Paper: The remainder of this paper is organized as follows. Section 2 presents background materials. In Section 3, we describe our biometrics-based authenticated key agreement scheme for the multi-cloud-server environment. We present an informal security analysis and a formal security proof in Sections 4 and 5, respectively. In Section 6, we evaluate the performance of the proposed scheme. Finally, we conclude the paper in Section 7.

2. Background

In this section, we describe the background materials necessary to understand the rest of this paper.

2.1 User Specific Considerations

To enhance the user's quality of experience, our scheme has the following features:

- Once a user is registered with a registration authority, the user is able to access all participating cloud-servers (similar to our earlier discussion about the consolidated Elsevier journal accounts).
- A user can choose and change a password at the user's convenience.
- During the entire authentication process, the user remains anonymous even if an adversary observes or intercepts the messages exchanged during the process.

2.2 Security Requirements and Considerations for a Multi-Cloud-Server Authentication Scheme

In our increasingly digitized and data-driven society, cloud architectures are becoming the norm for both organizational and individual users. There are known security and privacy concerns associated with cloud adoption [20, 21, 41, 42], such as the following:

- Only authorized parties should have the ability to access data, services or resources from cloud service providers. The attack vector is amplified due to the large number of users (e.g. during data creation, modification and dissemination), end-points (e.g. client and intermediary devices and nodes), configuration and implementation settings, etc. While our scheme is not designed to address all security and privacy concerns, it allows the mutual verification of the involved participants. Mutual authentication is accomplished between a user (seeking services or requesting access to data) and the cloud server (providing services or access to data) with the help of the registration authority.
- Cloud resources should be accessible to an authorized user. Our scheme is designed to provide both forward and backward secrecy. Therefore, even if an adversary learns the long-term secrets of the cloud-server and the service-seeking user, the adversary is unable to obtain previously established or future session keys using the intercepted messages between participating entities.

2.3 Cryptographic Considerations

The following cryptographic operations/functions are adopted for the high efficiency of the proposed scheme:

- A collision-free one-way hash function takes a variable-length input and returns a fixed-size output [23-24]. It is also computationally infeasible to deduce the input from a known output.
- When a user presents his biometric information on a scanner, the pattern may vary due to a number of reasons (e.g. fingerprint verification fails due to the user's dry or cracked skin), thus causing false rejections for a genuine user. This is a reason why a simple hash operation is not practical for biometrics-based applications [25]. In 2004, for example, Jin et al. [26] proposed the use of Bio-hashing to resolve the issue of false rejection. Bio-hashing is a mapping which randomly assigns a binary string to a biometric feature with user-specific tokenized pseudo-random numbers [27, 28]. It has been demonstrated that Bio-hashing is an effective tool for biometrics-based authentication schemes (e.g. [16]). Thus, in this paper, we use Bio-hashing in our scheme wherever biometrics are used.
- Elliptic Curve Cryptography (ECC) [29, 30] is used to establish a session key with the forward secrecy property, due to its capacity to provide a high level of security with a smaller key size. We refer the interested reader to [43] for deriving ECC-based protocols from Diffie-Hellman-based protocols.
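To make the bio-hashing point above concrete, the following Python example (added here; it is not code from the paper or from Jin et al. [26]) implements the textbook construction: the user-specific token seeds a set of orthonormal random projection vectors, the biometric feature vector is projected onto them, and each projection is thresholded at zero to give one bit. The 64-dimensional feature vector, the token values and the threshold-at-zero rule are constructed assumptions. It shows why a plain hash of the raw template fails on a noisy re-scan while the BioHash code survives any perturbation smaller than the margin the rows leave, and why a different token yields an unrelated code.

```python
"""Added illustration of bio-hashing (Section 2.3): a token-seeded random projection
of a biometric feature vector, thresholded to bits. Not the paper's code; the feature
vector, tokens and the threshold-at-zero rule are constructed assumptions."""
import hashlib
import math
import random


def orthonormal_rows(token, m, d):
    """Derive m orthonormal d-dimensional rows from the user-specific token (Gram-Schmidt)."""
    rng = random.Random(token)
    rows = []
    while len(rows) < m:
        v = [rng.gauss(0.0, 1.0) for _ in range(d)]
        for r in rows:                         # strip the components along earlier rows
            dot = sum(x * y for x, y in zip(v, r))
            v = [x - dot * y for x, y in zip(v, r)]
        norm = math.sqrt(sum(x * x for x in v))
        if norm > 1e-9:                        # skip a (practically impossible) dependent draw
            rows.append([x / norm for x in v])
    return rows


def projections(feature, token, m):
    """Inner products of the feature vector with the token-derived rows."""
    return [sum(x * y for x, y in zip(feature, r))
            for r in orthonormal_rows(token, m, len(feature))]


def biohash(feature, token, m=32):
    """BioHash code: the sign of each token-derived projection (threshold 0)."""
    return "".join("1" if z >= 0.0 else "0" for z in projections(feature, token, m))


def noise_margin(feature, token, m=32):
    """Euclidean perturbation below which no bit can flip: the rows have unit norm,
    so |<r, noise>| <= ||noise|| by Cauchy-Schwarz."""
    return min(abs(z) for z in projections(feature, token, m))


def perturb(feature, radius, seed):
    """Add a random perturbation of Euclidean norm `radius` (models a noisy re-scan)."""
    rng = random.Random(seed)
    d = [rng.gauss(0.0, 1.0) for _ in feature]
    norm = math.sqrt(sum(x * x for x in d))
    return [f + radius * x / norm for f, x in zip(feature, d)]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def plain_hash(feature):
    """What Section 2.3 calls impractical: hashing the raw template directly."""
    return hashlib.sha256(repr(feature).encode()).hexdigest()


# Constructed sample template: a 64-dimensional feature vector (e.g. minutiae-derived)
_rng = random.Random(2016)
FEATURE = [_rng.gauss(0.0, 1.0) for _ in range(64)]


def demo(token=1234, other_token=9999):
    """Compare a noisy re-scan and a foreign token against the enrolled BioHash code."""
    enrolled = biohash(FEATURE, token)
    rescan = perturb(FEATURE, 0.5 * noise_margin(FEATURE, token), seed=7)
    return {
        "bits": len(enrolled),
        "rescan_distance": hamming(enrolled, biohash(rescan, token)),
        "foreign_token_distance": hamming(enrolled, biohash(FEATURE, other_token)),
        "plain_hash_survives_rescan": plain_hash(FEATURE) == plain_hash(rescan),
    }


if __name__ == "__main__":
    print(demo())
```

The re-scan is deliberately kept inside the computed margin so the zero-distance result is guaranteed by the geometry rather than by luck; a real deployment sees re-scans that occasionally cross a threshold, which is why matching is done on Hamming distance with a tolerance rather than on exact equality of H(.) outputs, and why the token (the "something you have") must itself be protected, since anyone holding it together with the template can reproduce the code.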

We now briefly review ECC. The elliptic curve (EC) is given by Ep(a, b): y^2 = x^3 + ax + b (mod p) over a finite field Fp of prime order p > 3, where a, b ∈ Fp and 4a^3 + 27b^2 ≠ 0 (mod p). Given a random integer a ∈ Fp* and a point P ∈ Ep(a, b), the EC point multiplication a∙P over Ep(a, b) is defined as a∙P = P + P + ... + P (a times). The security of ECC relies on the following two intractable problems:

Elliptic Curve Discrete Logarithm Problem (ECDLP): For given P, Q ∈ Ep(a, b), finding an integer k ∈ Fp* such that Q = k∙P is a hard problem.

Elliptic Curve Diffie-Hellman Problem (ECDHP): For given P, k∙P, l∙P ∈ Ep(a, b) with k, l ∈ Fp*, finding k∙l∙P ∈ Ep(a, b) is a hard problem.

2.4 Network Model

The network model for the proposed protocol for the multi-cloud-server environment is shown in Figure 3. It involves three entities, i.e. the user Ui, the cloud-server CSj, and the registration authority RA.

Figure 3: Network model for the proposed multi-cloud-server scheme

RA is a trusted authority, which is responsible for producing all system parameters and for registering users and cloud-servers. Upon registration, a user receives a smart card SCi loaded with some confidential values, and a cloud-server receives a secret value specific to the unique identity of CSj. Ui and CSj authenticate each other and establish a session key with the assistance of RA so that Ui can access services from CSj. A summary of notations is presented in Table 1.

Table 1: Summary of notations

Ui: Registered user
RA: Registration authority
CS/CSj/Sj: Cloud-servers / jth cloud-server / jth server
Reci/Reccs: Record maintained by RA for users/cloud-servers
E: An adversary/attacker
IDi/IDcsj: Identity of Ui / jth cloud-server
PWi: Password of Ui
BiOi: Biometric characteristic of Ui
SCi: Smart card of Ui
s, PuB = sP: Secret key of RA, public key of RA
(Q)x/(Q)y: x-/y-coordinate of an elliptic curve point Q
a, ri: Random strings generated at the user side during the registration process
b, sj: Random string generated by SNj/GWN for the registration of SNj
Ri (Ki)/Kg/Ks: Random strings generated at Ui/GWN/SNj during the login-authentication process
SKw-z: Session key established between the entities w and z
Enk(.)/Dnk(.): Encryption/Decryption using key k
G: The additive group (of order n) on a finite field Fp
p: A large prime number
Zp: Ring of integers modulo p
Zp*: Multiplicative group of Zp
G: Generator of Zp*
lb: Length of the biometric sample collected by the sensor
⊕: Exclusive-OR operator, which operates bitwise
h(.): A one-way hash function
H(.): A one-way Bio-hash function
||: Concatenation operator

3. Proposed Scheme

Now, we present our scheme, which has four phases, namely: initialization phase, user registration phase, login phase, authentication & key agreement phase, and password change phase. Figure 4 depicts the initialization and user registration phases. The login-authentication phase and the password change phase are presented in Figures 5 and 6, respectively.

3.1 Initialization and Specification Phase

At the start of the scheme, RA chooses a large prime p and a finite field GF(p). Then, RA selects an elliptic curve Ep over GF(p) with base point P ∈ G, where G is an additive cyclic group having n elements on Ep. RA selects s to compute PuB = sP, uses s as its private key and makes P and Ep public along with the public key PuB = sP. The biometric sample collected by the sensor is to be of a specific length lb [31].

3.2 Registration Phase

3.2.1 User Registration Phase

This phase is for user registration at RA, which is carried out over a secure channel with the following steps:
1) Ui chooses its identity IDi and password PWi, and provides its biometric BiOi at the sensor.
2) Ui computes its bio-password BPWi = H(BiOi||PWi) and securely submits {IDi, BPWi} to RA.
3) RA checks if h(s||IDi) is present in Reci. If not present, then RA rejects the request and directs Ui to apply with some other identity. Otherwise, RA computes Ni = h(IDi||s) ⊕ BPWi and stores it in a smart card SCi. RA then delivers SCi loaded with {Ni, P, h(.), H(.)} securely to Ui. RA stores h(s||IDi) in Reci.
4) Ui computes Zi = H(IDi||PWi||BiOi) and loads it in SCi; thus, SCi is loaded with {Zi, Ni, P, PuB, h(.), H(.)}.

Figure 4: Initialization, user registration and cloud-server registration phase of the proposed scheme

3.2.2 Cloud-server Registration Phase

Cloud-server registration at RA takes place with the following steps:
1) CSj securely submits its selected identity {IDcsj} to RA.
2) RA checks if h(s||IDcsj) is present in Reccs. If not present, then RA rejects the request and directs CSj to apply with some other identity. Otherwise, RA computes Lj = h(IDcsj||s) and sends {Lj} to CSj using, say, the Internet Key Exchange Protocol (IKEv2) [32]. RA stores h(s||IDcsj) in Reccs. CSj keeps Lj secret.

Figure 5: Login-authentication and session key-agreement phase of the proposed scheme

3.3 Login Phase

To obtain services from the jth cloud-server, Ui performs the following steps:
1) Ui inserts its SCi into the card reader, inputs IDi and PWi, and provides its biometric BiOi.
2) SCi computes Zi* = H(IDi||PWi||BiOi). For Zi* = Zi, SCi computes BPWi = H(BiOi||PWi) to retrieve Ri [= h(IDi||s)] = Ni ⊕ BPWi. Then, SCi generates a random nonce v and computes Vi = vP, Vi* = vPuB = ((Vi*)x, (Vi*)y) ∈ Ep. Next, SCi computes Ui's masked identity GIDi = IDi ⊕ (Vi*)x and li = h(IDi||(Vi*)y||Vi||IDcsj||Ri).
3) SCi sends the login request M1 = {Vi, GIDi, li} to CSj.

3.4 Authentication & Session Key Agreement Phase

In this phase, Ui and CSj verify each other and establish a session key with the help of RA, as below:
1) On receiving M1 = {Vi, GIDi, li} from Ui, the cloud-server CSj connects with RA after completing the required calculations. CSj generates a random nonce w and computes Wj = wP, Wj* = wPuB = ((Wj*)x, (Wj*)y) ∈ Ep. Next, CSj computes GIDcsj = IDcsj ⊕ (Wj*)x and mj = h(Vi||GIDi||li||Wj||(Wj*)y||IDcsj||Lj).
2) CSj transmits M2 = {Vi, GIDi, li, Wj, GIDcsj, mj} to RA.
3) RA computes Wr* = sWj = swP = wPuB = ((Wr*)x, (Wr*)y) ∈ Ep to retrieve IDcsj = GIDcsj ⊕ (Wr*)x. Next, RA computes Lj = h(IDcsj||s) and mj* = h(Vi||GIDi||li||Wj||(Wr*)y||IDcsj||Lj). For mj* = mj, RA is assured of the legitimacy of CSj.
4) RA computes Vr* = sVi = svP = vPuB = ((Vr*)x, (Vr*)y) ∈ Ep to retrieve IDi = GIDi ⊕ (Vr*)x. Then, RA computes Ri = h(IDi||s) and li* = h(IDi||(Vr*)y||Vi||IDcsj||Ri). For li* = li, RA is assured of the legitimacy of Ui.
5) RA computes JIDi = IDi ⊕ (Wr*)x, mr = h(JIDi||IDi||IDcsj||Lj||(Wr*)y), JIDcsj = IDcsj ⊕ (Vr*)x, and lr = h(JIDcsj||IDi||IDcsj||Ri||(Vr*)y). Finally, RA transmits M3 = {JIDi, JIDcsj, mr, lr} to CSj.
6) On receiving M3 = {JIDi, JIDcsj, mr, lr}, CSj retrieves IDi = JIDi ⊕ (Wj*)x to compute mr* = h(JIDi||IDi||IDcsj||Lj||(Wj*)y). For mr* = mr, CSj computes the session key skcsj-u = h(Vi||Wj||wVi||IDi||IDcsj) = h(vP||wP||wvP||IDi||IDcsj) and nj = h(skcsj-u||Vi||Wj||lr||IDi||IDcsj). Then, CSj sends M4 = {JIDcsj, lr, Wj, nj} to Ui.
7) On receiving M4 = {JIDcsj, lr, Wj, nj}, Ui retrieves IDcsj = JIDcsj ⊕ (Vi*)x to compute the session key sku-csj = h(Vi||Wj||vWj||IDi||IDcsj) = h(vP||wP||vwP||IDi||IDcsj) and nj* = h(sku-csj||Vi||Wj||lr||IDi||IDcsj). For nj* = nj, Ui is assured of the authenticity of the cloud-server CSj and computes lr* = h(JIDcsj||IDi||IDcsj||Ri||(Vi*)y). For lr* = lr, Ui is assured of the authenticity of RA and computes pi = h(sku-csj||IDi||IDcsj||Vi||lr||Wj). Then, Ui sends M5 = {pi} to CSj.
8) On receiving M5 = {pi}, CSj computes pi* = h(skcsj-u||IDi||IDcsj||Vi||lr||Wj). For pi* = pi, the cloud-server is assured of the authenticity of Ui.

3.5 Password and Biometrics Change Phase

In this phase, Ui changes its password and biometrics as described below:
1) Ui inserts SCi into the card reader, inputs IDi and PWi, and provides BiOi.
2) SCi computes Zi* = H(IDi||PWi||BiOi). For Zi* = Zi, Ui enters a new password PWinew.
3) SCi computes Ninew = Ni ⊕ H(BiOi||PWi) ⊕ H(BiOi||PWinew) and Zinew = H(IDi||PWinew||BiOi).
4) SCi replaces Zi and Ni with Zinew and Ninew, respectively.

Figure 6: Password change phase of the proposed scheme
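As an added illustration of Sections 3.3 and 3.4 (this is not the paper's own code), the following Python replays steps 1 to 8 of the login and authentication phase over a constructed toy curve, y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of order 19, with SHA-256 standing in for h(.) and integer XOR for ⊕. It shows the mechanism behind the anonymity claim: because s·(vP) = v·(sP), only RA can unmask GIDi and GIDcsj, and both ends derive the same session key from vwP without RA ever learning it. The identities, the scalars s, v, w and the toy curve are constructed sample values, not the paper's parameters.

```python
"""Added walk-through of the login/authentication phase (Sections 3.3-3.4).

Toy parameters only: curve y^2 = x^3 + 2x + 2 over F_17 with base point P = (5, 1)
of order 19, SHA-256 standing in for h(.), integer XOR for the scheme's XOR mask.
All identities and scalars below are constructed sample values."""
import hashlib

p, a = 17, 2          # constructed toy field and curve coefficient a (b = 2 is implicit)
P = (5, 1)            # base point; 19 * P is the point at infinity
ORDER = 19


def ec_add(P1, P2):
    """Affine point addition; None represents the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                       # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, Q):
    """Double-and-add scalar multiplication k*Q (the paper's k.P)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R


def h(*parts):
    """Stand-in for the one-way hash h(.): SHA-256 over the '||'-joined fields."""
    return hashlib.sha256("||".join(str(x) for x in parts).encode()).hexdigest()


def run_login_authentication(id_u, id_cs, s, v, w):
    """Replay steps 1-8 of Section 3.4; raise at the first failed equivalence check."""
    PuB = ec_mul(s, P)                     # RA's public key PuB = sP
    R_i, L_j = h(id_u, s), h(id_cs, s)     # registration secrets of Ui and CSj
    # Login (Ui): mask IDi with the x-coordinate of v*PuB and bind it with li
    V_i, V_i_star = ec_mul(v, P), ec_mul(v, PuB)
    GID_i = id_u ^ V_i_star[0]
    l_i = h(id_u, V_i_star[1], V_i, id_cs, R_i)          # M1 = {Vi, GIDi, li}
    # Steps 1-2 (CSj): same masking with its own nonce w, then M2 to RA
    W_j, W_j_star = ec_mul(w, P), ec_mul(w, PuB)
    GID_cs = id_cs ^ W_j_star[0]
    m_j = h(V_i, GID_i, l_i, W_j, W_j_star[1], id_cs, L_j)
    # Steps 3-5 (RA): s*Wj == w*PuB and s*Vi == v*PuB, so only RA can unmask both identities
    Wr_star, Vr_star = ec_mul(s, W_j), ec_mul(s, V_i)
    id_cs_ra = GID_cs ^ Wr_star[0]
    if h(V_i, GID_i, l_i, W_j, Wr_star[1], id_cs_ra, h(id_cs_ra, s)) != m_j:
        raise ValueError("mj* != mj: CSj rejected by RA")
    id_u_ra = GID_i ^ Vr_star[0]
    if h(id_u_ra, Vr_star[1], V_i, id_cs_ra, h(id_u_ra, s)) != l_i:
        raise ValueError("li* != li: Ui rejected by RA")
    JID_i, JID_cs = id_u_ra ^ Wr_star[0], id_cs_ra ^ Vr_star[0]
    m_r = h(JID_i, id_u_ra, id_cs_ra, L_j, Wr_star[1])
    l_r = h(JID_cs, id_u_ra, id_cs_ra, R_i, Vr_star[1])  # M3 = {JIDi, JIDcsj, mr, lr}
    # Step 6 (CSj): unmask IDi, check RA, derive the session key from w*Vi
    id_u_cs = JID_i ^ W_j_star[0]
    if h(JID_i, id_u_cs, id_cs, L_j, W_j_star[1]) != m_r:
        raise ValueError("mr* != mr: RA rejected by CSj")
    sk_cs = h(V_i, W_j, ec_mul(w, V_i), id_u_cs, id_cs)
    n_j = h(sk_cs, V_i, W_j, l_r, id_u_cs, id_cs)        # M4 = {JIDcsj, lr, Wj, nj}
    # Step 7 (Ui): unmask IDcsj, derive the session key from v*Wj, check CSj and RA
    id_cs_u = JID_cs ^ V_i_star[0]
    sk_u = h(V_i, W_j, ec_mul(v, W_j), id_u, id_cs_u)
    if h(sk_u, V_i, W_j, l_r, id_u, id_cs_u) != n_j:
        raise ValueError("nj* != nj: CSj rejected by Ui")
    if h(JID_cs, id_u, id_cs_u, R_i, V_i_star[1]) != l_r:
        raise ValueError("lr* != lr: RA rejected by Ui")
    p_i = h(sk_u, id_u, id_cs_u, V_i, l_r, W_j)          # M5 = {pi}
    # Step 8 (CSj): key confirmation from Ui
    if h(sk_cs, id_u_cs, id_cs, V_i, l_r, W_j) != p_i:
        raise ValueError("pi* != pi: Ui rejected by CSj")
    return {"id_u_at_ra": id_u_ra, "id_cs_at_ra": id_cs_ra,
            "sk_user": sk_u, "sk_server": sk_cs, "GID_i": GID_i}


if __name__ == "__main__":
    out = run_login_authentication(id_u=0x2A, id_cs=0x07, s=11, v=5, w=13)
    print("session keys match:", out["sk_user"] == out["sk_server"])
```

Each failed equivalence check raises at the point where the paper's description rejects, so tampering with any single field of M1 to M5 surfaces at the expected party. On a 19-point curve the x-coordinate mask takes only 17 values, so the toy obviously gives no anonymity; the user-anonymity and ECDLP/ECDHP arguments of Section 4 apply only with a curve of cryptographic size, and the toy is there so the arithmetic can be checked by hand.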

4. Informal Security Analysis

4.1 Privileged-insider Attack Resilience

For registration, Ui submits {IDi, BPWi} to RA. Note that the submitted values do not contain PWi in plaintext. Since BPWi = H(BiOi||PWi) protects PWi under the uniqueness of Ui's BiOi, and no one except Ui can provide the correct BiOi, a privileged insider at RA is not capable of revealing Ui's password through a guessing attack.

4.2 User Anonymity

During the login and authentication phase, Ui never transmits its identity in plaintext. In the login request M1 = {Vi, GIDi, li}, the middle value contains IDi protected with (Vi*)x, the x-coordinate of the elliptic curve point Vi* = vPuB. An adversary E needs to know the random nonce v in order to compute IDi from GIDi. However, E is unable to deduce v from Vi due to the underlying ECDLP. Similarly, E is not able to deduce IDi from the transmitted message M3 = {JIDi, JIDcsj, mr, lr}.

4.3 Off-line Password Guessing Attack Resilience

Assume that E manages to extract all information from Ui's SCi = {Zi, Ni, P, PuB, h(.), H(.)} [33, 34]. To correctly guess PWi from Ni = h(IDi||s) ⊕ H(BiOi||PWi), E needs to know Ui's IDi and BiOi as well as RA's secret key s. In addition, knowledge of Ui's IDi and BiOi is also necessary to correctly guess PWi from Zi = H(IDi||PWi||BiOi). However, only Ui can provide its BiOi; only Ui, CSj and RA, the parties involved in the authentication process, know or can recover IDi; and only RA knows its secret key s.

4.4 User Impersonation Attack Resilience

To log in as Ui, an adversary E needs IDi and RA's secret key s; otherwise, it is not computationally feasible to compute a valid login request. Our scheme is user anonymous (see Section 4.2), so E does not obtain IDi, and no one except RA has s. Therefore, E cannot impersonate Ui.

4.5 Replay Attack Resilience

Whatever message (say M1 = {Vi, GIDi, li}) E replays, the success of the replay relies on the ability to establish a common session key with CSj. E can do so only if E somehow learns the random nonce v involved in Vi = vP. This is, however, not feasible due to the underlying ECDLP.

4.6 Cloud-server Impersonation Attack Resilience

To impersonate a cloud-server in verifying Ui's login message M1 = {Vi, GIDi, li}, E must know the IDcsj used in the computation of li = h(IDi||(Vi*)y||Vi||IDcsj||Ri). Otherwise, E is not able to compute a valid GIDcsj and would fail the verification test at RA (i.e. the equivalence check mj* = mj). Note that the IDcsj used in computing li is protected under the one-way property of the hash function.

4.7 Mutual Authentication

During the authentication process, RA verifies the legitimacy of CSj via the equivalence check mj* = mj in step 3, and then verifies the legitimacy of Ui via the equivalence check li* = li in step 4. In doing so, RA uses its secret key s to recover the identities of Ui and CSj, which are required to compute JIDi and JIDcsj. Then, CSj verifies the legitimacy of RA via the equivalence check mr* = mr in step 6, for which it recovers IDi from JIDi. Next, Ui verifies the legitimacy of CSj via the equivalence check nj* = nj and the legitimacy of RA via the equivalence check lr* = lr in step 7. For the former, Ui recovers IDcsj and computes sku-csj. For the latter, Ui uses IDi, IDcsj and Ri = h(IDi||s). Finally, CSj verifies the legitimacy of Ui via the equivalence check pi* = pi in step 8. Therefore, Ui, CSj and RA mutually verify the legitimacy of each other.

4.8 Backward and Forward Secrecy

We consider the simultaneous leakage of secrets such as PWi and s, and examine its impact on the secrecy of previously established or future session keys. We observe that the computation of the session key in any session requires knowledge of the random nonces v and w chosen by Ui and CSj respectively. Although Vi = vP and Wj = wP can be intercepted from the public channel, no one can recover v or w from Vi or Wj due to the intractability of ECDLP. Further, it is not possible to compute wvP or vwP from Vi = vP and Wj = wP due to the intractability of ECDHP. We remark that the computation of wvP or vwP has nothing to do with secrets such as PWi and s. Thus, the scheme offers both backward and forward secrecy.

4.9 Known Session-specific Temporary Information Attack Resilience

If the random nonce v or w is known to an adversary E, he can compute vWj (= vwP) or wVi (= wvP) respectively. However, having wvP or vwP is not sufficient for the computation of the session key skcsj-u = h(Vi||Wj||wVi||IDi||IDcsj) = h(vP||wP||wvP||IDi||IDcsj). It also requires knowledge of IDi and IDcsj. Our scheme provides user anonymity (as described in Section 4.2); therefore, E does not have IDi. E is also unable to obtain IDcsj from li = h(IDi||(Vi*)y||Vi||IDcsj||Ri) due to the one-way property of the hash operation. Further, the GIDcsj available in the message M2 = {Vi, GIDi, li, Wj, GIDcsj, mj} over the public channel contains IDcsj protected with (Wj*)x, the x-coordinate of the elliptic curve point Wj* = wPuB. E must know the random nonce w to compute IDcsj from GIDcsj. However, E is unable to deduce w from Wj due to the intractability of ECDLP. Similarly, E cannot deduce IDcsj from JIDcsj in the transmitted message M3 = {JIDi, JIDcsj, mr, lr}.

4.10 Session Key Agreement and Verification

The service-seeker Ui and the service-provider CSj independently compute the session key skcsj-u = h(Vi||Wj||wVi||IDi||IDcsj) = h(vP||wP||wvP||IDi||IDcsj) = h(vP||wP||vwP||IDi||IDcsj) = h(Vi||Wj||vWj||IDi||IDcsj) = sku-csj. Ui verifies that the session key sku-csj matches the session key computed by CSj via the equivalence nj* = nj, where nj* = h(sku-csj||Vi||Wj||lr||IDi||IDcsj), in step 7 of Section 3.4. CSj verifies that skcsj-u matches the session key computed by Ui via the equivalence pi* = pi, where pi* = h(skcsj-u||IDi||IDcsj||Vi||lr||Wj).

5. Formal Security Analysis

5.1 Security Model

Adopting the proof approach in [22, 35-36], we assume that there are three participants in the protocol P: a user Ui, a cloud-server CSj and a registration authority RA. We consider the data {IDi, IDcsj, P, PuB and n} to be public and the following to be secret: Ui's PWi, BiOi and smart card, CSj's Lj, and RA's s. When we do not need to distinguish between the entities, we use I to denote them collectively. Every participant has many instances and each of these instances has a number. We use the symbol to denote the ath instance. Similarly, , and uses the same labelling convention. Each instance can also be treated as an oracle. There are three results for the oracles: accept, reject and . If an oracle obtains the right message, then accept appears. If an oracle obtains a wrong message, then reject is the result. If no answer is output, then . Once either or reaches accept and a session key is established, it has the following information: its identity or , its partner's identity or and its session key

or

. If

and

, it implies both entities have established the same session key, they

are partners of each other, and either one reaches the state Partnering. Also, we know =

and

=

=

,

=

,

.

We suppose that the attacker E can use the simulator to ask the following queries in order to learn the session key.

– Send(I, […], m): The participant I transmits the message m to the oracle […]. If m is correct and the oracle is ready to receive it, the simulator generates the required response according to P. Otherwise, the query is ignored.
– Execute([…], […], […]): It simulates the authentication phase. E can eavesdrop on all transcripts between the three instances.
– Reveal([…]): E can ask for a session key via this query.
– Corrupt([…], z): It denotes the loss of Ui's information. Three cases can be distinguished: 1. z = 0: E obtains PWi via the query. 2. z = 1: E obtains all data from Ui's smart card via the query. 3. z = 2: E obtains Ui's biometrics via the query.
– Corrupt([…]): This notion is used to model forward security [36], where E can obtain all secret data of the corrupted participant.
– Test([…]): E performs a challenge in a session for entity I (i.e. an instance of Ui or CSj). If the instance has not reached accept or is not sfs-fresh (defined below), the simulator outputs nothing. Otherwise, a bit c is used: if c = 1, the real session key sk is output; if c = 0, E gets a random binary string as long as sk.

According to [36], some definitions are listed here.

– sfs-fresh (strong forward security-fresh): This notion applies to the instances of Ui and CSj. An instance is sfs-fresh unless any of the following cases occurs: 1. A Reveal query on the instance or on its partner appears. 2. A Corrupt query on either party happens before the Test query. 3. For Ui, Corrupt with z = 0, 1, 2 are all queried.
– sfs-secure (strong forward security-secure): We define E's ability to break P as the probability of guessing the coin c correctly after the Test query. The symbol Adv(E) = 2Pr[c = c′] − 1 is E's advantage, where c′ is the bit output by E. The number of passwords is |D| and qs is the number of Send queries. If Adv(E) is only negligibly larger than max([…]), with ls as the security length, P is considered to be sfs-secure.

5.2 Formal Proof
Theorem 1. Let G be an additive cyclic group on the elliptic curve E(Fp) with large prime order n. The number of Ui's candidate passwords is finite, at most |D|. l is the length of the extracted biometric secret bit string, lb is the length of the collected biometrics and ls is the length of random numbers and hash values. […] is the probability of the "false positive" case. A malicious attacker E has the chances of qs Send queries, qe Execute queries, qh hash queries and qH biohash queries to break P within the upper-bound time t. Then E's advantage of breaking the sfs-secure protocol is Adv(E) ≤ […], where tm denotes the time cost of an elliptic curve point multiplication in G and the time parameter of the bound is t + O(qe + qs)tm.

Proof: We employ six successive games, G0 to G5, to describe the proof. The symbol Si denotes the event that E guesses the coin c correctly in game Gi. According to the initial premise, E need not guess IDi because there is only one user.

– Game G0: This game describes the real protocol with random oracles. It is easy to see that Adv(E) = 2Pr[S0] − 1. A supplementary bit c′ is taken as E's answer if E uses more time or queries than the upper bound, or if the game aborts without an answer from E.

– Game G1: All queries mentioned in Section 5.1 are simulated. Here the Send queries include six cases: Send(init, […], […]), Send([…], […], M1), Send([…], […], M2), Send([…], […], M3), Send([…], […], M4) and Send([…], […], M5). They correspond to the operations of Sections 3.3 and 3.4. Furthermore, there are three lists in the proof:
– Transcript list: all transcripts produced in the simulations are stored in it.
– Lh: It is for the hash function, storing pairs of original string and hash value.
– LE: If a hash query is asked by E, the pair is also stored in LE.
We describe how the hash oracle works: if str is a string and h(str) is queried, the simulator first searches for the record (str, r) in Lh (for the biohash function the record is (H, str, r)). If the record is found, r is returned. Otherwise, the simulator generates a random bit string r of the oracle's output length, returns r and writes (str, r) or (H, str, r) in Lh. Thus, E cannot tell G1 and G0 apart and Pr[S1] = Pr[S0].



– Game G2: Collisions are considered in this game. Two sorts of collisions exist and, based on the birthday paradox, we bound them below:
1. Collisions among hash results, and likewise among biohash results, whose maximum probability is given by the birthday bound on the number of queries.
2. Collisions among the random numbers v and w, whose maximum probability is likewise given by the birthday bound.
So G2 and G1 cannot be distinguished unless one of the above cases appears, and |Pr[S2] − Pr[S1]| is at most the sum of these probabilities.

– Game G3: We consider the probability of E forging the messages without the random oracles. Note that in Game G3, * specifies that the receiver does not know the correct string in that position.
– For the Send query carrying M1, the simulator should check whether M1 is in the transcript list and (IDi||*||Vi||IDcsj||*, li) ∈ LE. Also, since the receiver does not know BiOi and PWi, (H, BiOi||PWi, BPWi) ∈ LE cannot be verified. The probability of forging (IDi||*||Vi||IDcsj||*, li) is […] and that of forging (H, BiOi||PWi, BPWi) is […].
– For the Send query carrying M2, the simulator should verify whether M1, M2 are in the transcript list and check (IDi||*||Vi||IDcsj||*, li), (Vi||GIDi||li||Wj||*||GIDcsj, mj) ∈ LE. Also, it cannot check (H, BiOi||PWi, BPWi) ∈ LE. The probabilities of forging the first two hash queries are both […] and the last is still […].
– For the Send query carrying M3, the simulator should verify whether M1, M2, M3 are in the transcript list and (JIDi||IDi||IDcsj||Lj||*, mr), (JIDcsj||IDi||IDcsj||*||*, lr), (IDcsj||*, Lj), (IDi||*, *) ∈ LE. The probabilities of forging the first two are both […] and the last two are […].
– For the Send query carrying M4, the simulator should check whether M1, M2, M3, M4 are in the transcript list and (JIDcsj||IDi||IDcsj||*||*, lr), (*||Vi||Wj||lr||IDi||IDcsj, nj), (IDi||*, Ri) ∈ LE. The probabilities of forging the first two are both […], and the last is […].
– For the Send query carrying M5, the simulator should check whether M1, M2, M3, M4, M5 are in the transcript list and (skcsj-u||IDi||IDcsj||Vi||lr||Wj, pi), (JIDcsj||IDi||*||*, lr), (IDi||*, *) ∈ LE. The probability for the first is […] and the last two are both […].
So Pr[S3] = Pr[S2] unless the above forgeries appear. The probability is […], that is, […] for E's guessing.

– Game G4: In this game, E can use the random oracles, and we add the ECDH problem. Once E obtains the right session key, we consider the ECDH problem solved. In other words, h(vP||wP||vwP||IDi||IDcsj) should have been queried; here we write h(vP||wP||vwP) for short. According to the premise, E can get at most two factors. However, if E only obtains BiOi and PWi, he can do nothing to break the session key. So the Corrupt query with z = 1 is necessary for E, and we consider that E has queried it. The following analysis is divided into three cases.
1. Suppose E queries Corrupt with z = 2 and his aim is to guess the real password. Since there are qs chances through Send queries and |D| passwords, the probability is qs/|D|.
2. Suppose E queries Corrupt with z = 0 and his aim is to crack BiOi. Two sub-cases can be considered: (a) E guesses BiOi within qs Send queries, and the probability is […]. (b) E uses his own biometrics to try the "false positive" case with Send queries, and the probability is […]. Obviously the two sub-cases cannot occur simultaneously, so the probability for this case is the maximum of the two.
3. Either Corrupt with z = 0 or Corrupt with z = 2 can be asked by E, and in this case Execute processes are used. If E breaks the session key, (vP||wP||vwP, […]) ∈ LE should hold, and the probability is at most […]. There are two ways to finish Execute: (a) E uses Execute queries directly, and the probability for this sub-case is O(qh) times the ECDH advantage within time t + O(qe)tm. (b) E uses Send queries successively, and the probability for this sub-case is O(qh) times the ECDH advantage within time t + O(qs)tm.
Taking the time parameter as t + O(qe + qs)tm, we can see that |Pr[S4] − Pr[S3]| ≤ max(case 1, case 2) + O(qh) times the ECDH advantage within that time.

– Game G5: The property of strong forward security is added in this game. Based on the notion of sfs-fresh, Corrupt(Ik) can only be asked after Test(Ik), so this game only affects old simulations; that is, the answers to E's queries are obtained from the old transcripts. Similar to the third case of G4, if (vP||wP||vwP, […]) can be found in LE, the probability that vP and wP belong to the same session is […], and we see that |Pr[S5] − Pr[S4]| ≤ O(qh · […]) times the ECDH advantage. At last E has no advantage to win, so Pr[S5] = 1/2, and the theorem is proved.
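
The session key agreement and verification of Section 4.10, on whose ECDH step Game G4 rests, as an added example (not code from the paper): both sides derive sk from Vi, Wj and the shared vwP, and the confirmation tags nj and pi are checked, with a modified Wj on the wire shown to fail both checks. NIST P-256 is assumed as the group G, SHA-256 stands in for h, and the identities, lr and the scalars v, w are constructed sample values.

```python
# Added example (not the paper's code): the session-key agreement and
# verification of Section 4.10, over NIST P-256 standing in for the group G.
# SHA-256 stands in for h; identities, l_r and the scalars v, w are constructed.
import hashlib

# NIST P-256 domain parameters (public constants); base point G plays the paper's P.
FP = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = FP - 3
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G = (GX, GY)

def ec_add(p1, p2):
    """Affine point addition on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    """Fixed-width point encoding, so '||' is unambiguous concatenation."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(*parts):
    """One-way hash h(a||b||...) realised with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()

def server_side(w, Vi, IDi, IDcsj, lr):
    """CS_j: sk = h(V_i||W_j||wV_i||ID_i||ID_csj), n_j = h(sk||V_i||W_j||l_r||ID_i||ID_csj)."""
    Wj = ec_mul(w, G)
    sk = h(enc(Vi), enc(Wj), enc(ec_mul(w, Vi)), IDi, IDcsj)
    nj = h(sk, enc(Vi), enc(Wj), lr, IDi, IDcsj)
    return sk, Wj, nj

def user_side(v, Wj, IDi, IDcsj, lr):
    """U_i: sk = h(V_i||W_j||vW_j||ID_i||ID_csj), p_i = h(sk||ID_i||ID_csj||V_i||l_r||W_j)."""
    Vi = ec_mul(v, G)
    sk = h(enc(Vi), enc(Wj), enc(ec_mul(v, Wj)), IDi, IDcsj)
    pi = h(sk, IDi, IDcsj, enc(Vi), lr, enc(Wj))
    return sk, pi

def run_session(IDi, IDcsj, lr, v, w, tamper=False):
    """Run the exchange; with tamper=True, W_j is replaced in transit by W_j + G."""
    Vi = ec_mul(v, G)                                    # U_i sends V_i = vP
    sk_csj, Wj, nj = server_side(w, Vi, IDi, IDcsj, lr)  # CS_j answers with W_j, n_j
    Wj_recv = ec_add(Wj, G) if tamper else Wj            # what U_i actually receives
    sk_u, pi = user_side(v, Wj_recv, IDi, IDcsj, lr)     # U_i answers with p_i
    # U_i's step-7 check n_j* = n_j and CS_j's check p_i* = p_i (Section 4.10).
    nj_star = h(sk_u, enc(Vi), enc(Wj_recv), lr, IDi, IDcsj)
    pi_star = h(sk_csj, IDi, IDcsj, enc(Vi), lr, enc(Wj))
    return {"keys_match": sk_u == sk_csj, "user_accepts": nj_star == nj,
            "server_accepts": pi_star == pi}
```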

6. Performance Evaluation
We evaluate the performance of the proposed scheme against related biometrics-based schemes in the literature, namely those of Yoon and Yoo [12], Mishra et al. [16], Wu et al. [11], Shen et al. [19] and Odelu et al. [14]. The notation used in the evaluation is described in Table 2.

Table 2: Summary of notation used in evaluation
th   Computational complexity to execute a one-way hash function
tH   Computational complexity to execute a bio-hashing operation
tm   Computational complexity to execute an elliptic curve scalar point multiplication
tf   Computational complexity to execute a fuzzy extraction operation
ts   Computational complexity to execute a symmetric key en(de)cryption
UAP  User registration phase
LAP  Login-authentication phase
PCP  Password change phase

A comparative summary of the schemes in terms of computational complexity is presented in Table 3. We observe that Wu et al.'s scheme is designed for a single-server environment while the remaining schemes are designed for a multi-server environment. Thus, RA in Wu et al.'s scheme is the server itself, and in the login-authentication phase the computational load at RA is therefore shown as not applicable (N/A). Yoon and Yoo's scheme has the lowest computational complexity in most of the phases, with the exception of login-authentication. In Mishra et al.'s scheme, there is no notion of RA. Shen et al.'s scheme has one elliptic curve scalar point multiplication less at the server. During the user registration phase, Mishra et al.'s scheme has the highest computational complexity at Ui (i.e. 1tH + 3th), while the computational complexity 2th of our scheme at RA is lower than those in the schemes of [14, 16, 19]. During the login-authentication phase, the computational complexity at each participant is lower than that in Odelu et al.'s scheme, as our scheme does not use symmetric key encryption/decryption. During the password change phase, the computational complexity at Ui is lower than those in the schemes of [11, 14, 16].

Table 3: A Comparative Summary: Computational Complexity
(UAP: Ui, RA/S; LAP: Ui, CSj/Sj/S, RA; PCP: Ui, S/RA)

Scheme             | UAP Ui   | UAP RA/S | LAP Ui            | LAP CSj/Sj/S | LAP RA        | PCP Ui            | PCP S/RA
Yoon and Yoo [12]  | 1th      | 1th      | 5th + 2tm         | 4th + 2tm    | 7th           | 2th               | No role
Mishra et al. [16] | 1tH + 3th| 3th      | 1tH + 9th         | 7th          | No role       | 1tH + 4th         | No role
Wu et al. [11]     | 1th + 1tf| 1th      | 7th + 1tf + 2ts + 1tm | 6th + 2ts + 1tm | N/A     | 6th + 1tf + 1ts + 1tm | 4th
Shen et al. [19]   | 1th      | 2th + 1tm| 5th + 3tm         | 4th + 1tm    | 8th + 2tm     | 2th               | No role
Odelu et al. [14]  | 1th + 1tf| 3th      | 8th + 1tf + 1ts + 3tm | 6th + 2ts + 2tm | 11th + 3ts + 1tm | 4th + 1tf   | No role
Ours               | 2tH      | 2th      | 2tH + 5th + 3tm   | 5th + 3tm    | 6th + 2tm     | 4tH               | No role

A comparative summary of the schemes in terms of security features is presented in Table 4. It is clear that the schemes of Yoon and Yoo, Mishra et al. and Odelu et al. do not fulfil a number of essential security features. Our scheme, on the other hand, satisfies all ten security features. In addition, in Wu et al.'s scheme a user has to interact with the server whenever the user wishes to change his password, whereas in the other schemes a user can freely change his password without the need to interact with the server or RA (hence the need for RA during the password change phase in Wu et al.'s scheme).

Table 4: A Comparative Summary: Security Features

Security feature                                              | Yoon and Yoo [12] | Mishra et al. [16] | Wu et al. [11] | Shen et al. [19] | Odelu et al. [14] | Ours
Resists privileged-insider attack                             | No  | Yes | Yes | Yes | Yes | Yes
Provides user anonymity                                       | No  | Yes | Yes | No  | Yes | Yes
Resists off-line password guessing attack                     | Yes | Yes | No  | Yes | Yes | Yes
Resists user impersonation attack                             | No  | No  | No  | Yes | No  | Yes
Resists replay attack                                         | Yes | Yes | Yes | Yes | Yes | Yes
Resists cloud-server impersonation attack                     | Yes | No  | Yes | Yes | Yes | Yes
Provides mutual authentication                                | Yes | Yes | Yes | No  | Yes | Yes
Provides backward and forward secrecy                         | Yes | No  | Yes | Yes | Yes | Yes
Resists known session-specific temporary information attack   | No  | Yes | Yes | Yes | Yes | Yes
Provides session key agreement and verification               | Yes | Yes | Yes | Yes | Yes | Yes
Provides freely password changing facility                    | Yes | Yes | No  | Yes | Yes | Yes

7. Conclusion
CoT is a trend that is unlikely to fade in the foreseeable future, and ensuring the security of the users and their data is of paramount importance. In this paper, we proposed a multi-cloud-server authentication scheme using biometrics and ECC as the building blocks. We then proved the security of the scheme, and demonstrated the utility of the scheme in terms of its performance and security attributes. Future work includes evaluating the proposed scheme in a simulated or real-world environment, which will allow us to identify areas that may need refinement.

References
[1] K. Ashton, That 'internet of things' thing, RFID Journal 22(7) (2009) 97–114.
[2] R. F. Chong, Changing the world: Big data and the cloud, http://www.theatlantic.com/sponsored/ibm-cloudrescue/archive/2012/09/changing-the-world-big-data-and-the-cloud/262065/ (2012).
[3] D. He, N. Kumar, J. H. Lee, Enhanced three-factor security protocol for USB consumer storage devices, IEEE Transactions on Consumer Electronics 60(1) (2014) 30–37.
[4] S. Kumari, M. K. Khan, X. Li, An improved remote user authentication scheme with key agreement, Computers and Electrical Engineering 40(6) (2014) 1997–2012.
[5] N. Y. Lee, Y. C. Chiu, Improved remote authentication scheme with smart card, Computer Standards & Interfaces 27(2) (2005) 177–180.
[6] S. Kumari, M. K. Khan, Cryptanalysis and improvement of 'A robust smart-card-based remote user password authentication scheme', International Journal of Communication Systems 27(12) (2014) 3939–3955.
[7] C. C. Chang, H. D. Le, C. H. Chang, Novel untraceable authenticated key agreement protocol suitable for mobile communication, Wireless Personal Communications 71(1) (2013) 425–437.
[8] S. Kumari, M. K. Khan, More secure smart card based remote user password authentication scheme with user anonymity, Security and Communication Networks 7(11) (2014) 2039–2053.
[9] X. Li, J. Niu, J. Ma, W. Wang, C. Liu, Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards, Journal of Network and Computer Applications 34(1) (2011) 73–79.
[10] S. Kumari, S. A. Chaudhry, F. Wu, X. Li, M. S. Farash, M. K. Khan, An improved smart card based authentication scheme for session initiation protocol, Peer-to-Peer Networking and Applications (2015), DOI 10.1007/s12083-015-0409-0.
[11] F. Wu, L. Xu, S. Kumari, X. Li, A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks, Computers & Electrical Engineering 45 (2015) 274–285.
[12] E. Yoon, K. Yoo, Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem, Journal of Supercomputing 63(1) (2013) 235–255.
[13] D. He, D. Wang, Robust biometrics-based authentication scheme for multiserver environment, IEEE Systems Journal 9(3) (2015) 816–823.
[14] V. Odelu, A. K. Das, A. Goswami, A secure biometrics-based multi-server authentication protocol using smart cards, IEEE Transactions on Information Forensics and Security 10(9) (2015) 1953–1966.
[15] M. C. Chuang, M. C. Chen, An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics, Expert Systems with Applications 41(4) (2014) 1411–1418.
[16] D. Mishra, A. K. Das, S. Mukhopadhyay, A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards, Expert Systems with Applications 41(18) (2014) 8129–8143.
[17] H. Lin, F. Wen, C. Du, An improved anonymous multi-server authenticated key agreement scheme using smart cards and biometrics, Wireless Personal Communications 84(4) (2015) 2351–2362.
[18] Y. Lu, L. Li, H. Peng, Y. Yang, A biometrics and smart cards-based authentication scheme for multi-server environments, Security and Communication Networks 8(17) (2015) 3219–3228.
[19] H. Shen, C. Z. Gao, D. D. He, L. B. Wu, New biometrics-based authentication scheme for multi-server environment in critical systems, Journal of Ambient Intelligence and Humanized Computing (2015), DOI 10.1007/s12652-015-0305-8.
[20] D. Zissis, D. Lekkas, Addressing cloud computing security issues, Future Generation Computer Systems 28 (2012) 583–592.
[21] Cloud Security Alliance, Top threats to cloud computing, Cloud Security Alliance, 2010.
[22] C.-I. Fan, Y.-H. Lin, Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics, IEEE Transactions on Information Forensics and Security 4 (2009) 933–945.
[23] W. Stallings, Cryptography and Network Security: Principles and Practices, 3rd Edition, Prentice Hall, India, 2003.
[24] D. R. Stinson, Some observations on the theory of cryptographic hash functions, Designs, Codes and Cryptography 38(2) (2006) 259–277.
[25] T. Nanavati, Biometrics, John Wiley & Sons (2002).
[26] A. T. B. Jin, D. N. C. Ling, A. Goh, Biohashing: two factor authentication featuring fingerprint data and tokenised random number, Pattern Recognition 37(11) (2004) 2245–2255.
[27] R. Belguechi, C. Rosenberger, S. Ait-Aoudia, Biohashing for securing minutiae template, In: 20th IEEE International Conference on Pattern Recognition (ICPR), 23–26 Aug. 2010, Istanbul (2010) 1168–1171.
[28] A. Lumini, L. Nanni, An improved biohashing for human authentication, Pattern Recognition 40(3) (2007) 1057–1065.
[29] N. Koblitz, Elliptic curve cryptosystem, Mathematics of Computation, American Mathematical Society 48 (1987) 203–209.
[30] V. S. Miller, Use of elliptic curves in cryptography, In: Advances in Cryptology, Proceedings of CRYPTO'85, LNCS 218, Springer-Verlag (1986) 417–426.
[31] A. Nagar, K. Nandakumar, A. K. Jain, A hybrid biometric cryptosystem for securing fingerprint minutiae templates, Pattern Recognition Letters 31 (2010) 733–741.
[32] C. Kaufman, Internet key exchange (IKEv2) protocol (2005).
[33] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, In: Proceedings of Advances in Cryptology, CRYPTO'99, LNCS 1666, Springer-Verlag (1999) 388–397.
[34] T. S. Messerges, E. A. Dabbish, R. H. Sloan, Examining smart-card security under the threat of power analysis attacks, IEEE Transactions on Computers 51(5) (2002) 541–552.
[35] E. Bresson, O. Chevassut, D. Pointcheval, Security proofs for an efficient password-based key exchange, In: Proceedings of the 10th ACM Conference on Computer and Communications Security, ACM (2003) 241–250.
[36] L. Xu, F. Wu, An improved and provable remote user authentication scheme based on elliptic curve cryptosystem with user anonymity, Security and Communication Networks 8(2) (2015) 245–260.
[37] K.-K. R. Choo, Secure Key Establishment, Advances in Information Security Book Series Volume 41, Springer Science+Business Media, 2008.
[38] K.-K. R. Choo, C. Boyd, Y. Hitchcock, The importance of proofs of security for key establishment protocols: Formal analysis of Jan–Chen, Yang–Shen–Shieh, Kim–Huh–Hwang–Lee, Lin–Sun–Hwang, and Yeh–Sun protocols, Computer Communications 29(15) (2006) 2788–2797.
[39] K.-K. R. Choo, C. Boyd, Y. Hitchcock, Errors in computational complexity proofs for protocols, In: Proceedings of Advances in Cryptology – Asiacrypt 2005, Volume 3788 of Lecture Notes in Computer Science (2005) 624–643.
[40] K.-K. R. Choo, C. Boyd, Y. Hitchcock, Examining indistinguishability-based proof models for key establishment protocols, In: Proceedings of Advances in Cryptology – Asiacrypt 2005, Volume 3788 of Lecture Notes in Computer Science (2005) 585–604.
[41] K.-K. R. Choo, Cloud computing: Challenges and future directions, Trends & Issues in Crime and Criminal Justice 400 (2010) 1–6. http://www.aic.gov.au/media_library/publications/tandi_pdf/tandi400.pdf
[42] N. H. Ab Rahman, K.-K. R. Choo, A survey of information security incident handling in the cloud, Computers & Security 49 (2015) 45–69.
[43] K.-K. R. Choo, J. Nam, D. Won, A mechanical approach to derive identity-based protocols from Diffie-Hellman-based protocols, Information Sciences 281 (2014) 182–200.

Biographies

Dr. Saru Kumari is currently an Assistant Professor with the Department of Mathematics, C.C.S. University, Meerut, U.P, India. She received Ph.D. degree in Mathematics in 2012 from C.C.S. University, Meerut, Uttar Pradesh, India. She has published 68 papers in international journals and conferences including 52 research publications in SCI indexed journals. Her research field is cryptology.

Dr. Xiong Li is currently an associate professor at the School of Computer Science and Engineering of the Hunan University of Science and Technology (HNUST), China. He received his master's degree in mathematics and cryptography from Shaanxi Normal University (SNNU), China, in 2009 and his Ph.D. degree in computer science and technology from Beijing University of Posts and Telecommunications (BUPT), China, in 2012. He has published more than 40 refereed journal papers in his research interests, which include cryptography and information security. He has served as a TPC member of several international conferences on information security and as a reviewer for more than 20 ISI indexed journals. He is a winner of the 2015 Journal of Network and Computer Applications Best Research Paper Award.

Mr. Fan Wu received his Bachelor's degree in Computer Science from Shandong University, Jinan, China, in 2003, and his Master's degree in Computer Software and Theory from Xiamen University, Xiamen, China, in 2008. He is now a lecturer at Xiamen Institute of Technology, Huaqiao University. His current research interests include information security, internet protocols, and network management.

Dr. Ashok Kumar Das received the Ph.D. degree in Computer Science and Engineering, the M.Tech. degree in Computer Science and Data Processing, and the M.Sc. degree in Mathematics, all from IIT Kharagpur, India. He is currently an Assistant Professor with the Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad, India. He has authored over 80 papers in international journals and conferences in his research areas. His current research interests include cryptography, wireless sensor network security, proxy signature, hierarchical access control, data mining and remote user authentication.

Kim-Kwang Raymond Choo received the Ph.D. in Information Security from Queensland University of Technology, Australia. He currently holds the Cloud Technology Endowed Professorship at The University of Texas at San Antonio, and is an associate professor at University of South Australia and a guest professor at China University of Geosciences. He was named one of 10 Emerging Leaders in the Innovation category of The Weekend Australian Magazine / Microsoft's Next 100 series in 2009, and is the recipient of various awards including ESORICS 2015 Best Research Paper Award, Highly Commended Award from Australia New Zealand Policing Advisory Agency, British Computer Society's Wilkes Award, Fulbright Scholarship, and 2008 Australia Day Achievement Medallion. He is a Fellow of the Australian Computer Society, and a Senior Member of IEEE.

Dr. Jian Shen received the M.E. and Ph.D. degrees in Computer Science from Chosun University, Korea, in 2009 and 2012, respectively. Since late 2012, he has been a professor at Nanjing University of Information Science and Technology, Nanjing, China. His research interests include computer networking and information security systems.