Abstract
Online access has been widely adopted to distribute diversified services to customers. In this architecture, public channels are utilized to exchange information between end users and remote servers at anytime and anywhere. To achieve confidentiality and integrity for transferred data, the related parties have to authenticate each other and negotiate a secret session key to encrypt and decrypt exchanged messages. Since the Lamport’s pioneering authentication work in 1981, numerous mechanisms have been proposed to enhance security as well as reduce computation and payload data. Recently, Chuang and Chen proposed a multi-server authenticated agreement protocol employing a smart card and biometric data to eliminate the weaknesses caused by parameters related to low-entropy human-memorable passwords that are stored in a physical location. However, Mishra et al. showed that Chuang and Chen’s protocol is not only vulnerable to multiple attacks but also suffers from the drawback of variation of biometric data. To overcome these weaknesses, they proposed an enhanced three-factor authenticated key agreement protocol using the low-error rate Biohashing technique. Unfortunately, we found that Mishra et al.’s scheme is also vulnerable to the denial-of-service attack, the traceable user attack, the impersonation attack, and the pre-shared key attack. Furthermore, the protocol does not provide any user revocation mechanism to control user accesses. In this novel untraceable authenticated key agreement scheme, we adopt the Hamming distance to verify encrypted Biohash codes and a public-key technique to construct the revocation mechanism. Our scheme achieves not only zero errors of biometric verification but also secure against all known attacks.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770–772.
Lin, I.-C., Hwang, M.-S., & Li, L.-H. (2003). A new remote user authentication scheme for multi-server architecture. Future Generation Computer Systems, 19(1), 13–22.
Ku, W.-C., Chang, S.-T., & Chiang, M.-H. (2005). Weaknesses of a remote user authentication scheme using smart cards for multi-server architecture. IEICE Transactions on Communications, E88B(8), 3451–3454.
Juang, W.-S. (2004). Efficient multi-server password authenticated key agreement using smart cards. IEEE Transactions on Consumer Electronics, 50(1), 251–255.
Ku, W.-C., Chuang, H.-M., & Chiang, M.-H. (2005). Cryptanalysis of a multi-server password authenticated key agreement scheme using smart cards. IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences, E88A(11), 3235–3238.
Tsaur, W.-J., Li, J.-H., & Lee, W.-B. (2012). An efficient and secure multi-server authentication scheme with key agreement. Journal of Systems and Software, 85(4), 876–882.
Li, C.-T., Lee, C.-C., Weng, C.-Y., & Fan, C.-I. (2013). An extended multi-server-based user authentication and key agreement scheme with user anonymity. KSII Transactions on Internet and Information Systems, 7(1), 119–131.
Wang, B., & Ma, M. (2013). A smart card based efficient and secured multi-server authentication scheme. Wireless Personal Communications, 68(2), 361–378.
He, D., & Wu, S. (2013). Security flaws in a smart card based authentication scheme for multi-server environment. Wireless Personal Communications, 70(1), 323–329.
Islam, S. H. (2014). A provably secure ID-based mutual authentication and key agreement scheme for mobile multi-server environment without esl attack. Wireless Personal Communications, 79(3), 1975–1991.
Lee, C.-C., Lou, D.-C., Li, C.-T., & Hsu, C.-W. (2014). An extended chaotic-maps-based protocol with key agreement for multiserver environments. Nonlinear Dynamics, 76(1), 853–866.
Liao, Y.-P., & Wang, S.-S. (2009). A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, 31(1), 24–29.
Hsiang, H.-C., & Shih, W.-K. (2009). Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards and Interfaces, 31(6), 1118–1123.
Sood, S. K., Sarje, A. K., & Singh, K. (2011). A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications, 34(2), 609–618.
Lee, C.-C., Lin, T.-H., & Chang, R.-X. (2011). A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Systems with Applications, 38(11), 13863–13870.
Li, X., Xiong, Y., Ma, J., & Wang, W. (2012). An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications, 35(2), 763–769.
Shao, M.-H., & Chin, Y.-C. (2012). A privacy-preserving dynamic ID-based remote user authentication scheme with access control for multi-server environment. IEICE Transactions on Information and Systems, E95D(1), 161–168.
He, D., Chen, J., Shi, W., & Khan, M. K. (2013). On the security of an authentication scheme for multiserver architecture. International Journal of Electronic Security and Digital Forensics, 5(3–4), 288–296.
He, D. B., & Hu, H. (2013). Cryptanalysis of a dynamic ID-based remote user authentication scheme with access control for multi-server environments. IEICE Transactions on Information and Systems, 96(1), 138–140.
Li, X., Ma, J., Wang, W., Xiong, Y., & Zhang, J. (2013). A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling, 58(1), 85–95.
Pippal, R. S., Jaidhar, C., & Tapaswi, S. (2013). Robust smart card authentication scheme for multi-server architecture. Wireless Personal Communications, 72(1), 729–745.
Tao, W., Nan, J., & Jianfeng, M. (2014). Cryptanalysis of two dynamic identity based authentication schemes for multi-server architecture. China Communications, 11(11), 125–134.
Wang, D., & Wang, P. (2014). On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions. Computer Networks, 73, 41–57.
Kim, H., Jeon, W., Lee, K., Lee, Y., & Won, D. (2012). Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme. In Computational science and its applications—ICCSA 2012 (Vol. 7335, pp. 391–406). Berlin: Springer.
Yoon, E.-J., & Yoo, K.-Y. (2013). Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. Journal of Supercomputing, 63(1), 235–255.
Chuang, M.-C., & Chen, M. C. (2014). An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications, 41(4), 1411–1418.
Choi, Y., Nam, J., Lee, D., Kim, J., Jung, J., & Won, D. (2014). Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics. Scientific World Journal, 2014, 1–15.
Maitra, T., & Giri, D. (2014). An efficient biometric and password-based remote user authentication using smart card for telecare medical information systems in multi-server environment. Journal of Medical Systems, 38(12), 1–19.
Tan, Z. W. (2014). A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. Journal of Medical Systems, 38(3), 1–9.
Lin, H., Wen, F., & Du, C. (2015). An improved anonymous multi-server authenticated key agreement scheme using smart cards and biometrics. Wireless Personal Communications, 84(4), 2351–2362.
Mishra, D., Das, A. K., & Mukhopadhyay, S. (2014). A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Systems with Applications, 41(18), 8129–8143.
Yang, D., & Yang, B. (2010). A biometric password-based multi-server authentication scheme with smart card. In International conference on computer design and applications (ICCDA), 2010 (Vol. 5, pp. V5-554–V5-559). IEEE.
Jiang, P., Wen, Q., Li, W., Jin, Z., & Zhang, H. (2015). An anonymous and efficient remote biometrics user authentication scheme in a multi-server environment. Frontiers of Computer Science, 9(1), 142–156.
He, D., & Wang, D. (2014). Robust biometrics-based authentication scheme for multiserver environment. IEEE Systems Journal, 9(3), 816–823.
Odelu, V., Das, A. K., & Goswami, A. (2015). A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security, 10(9), 1953–1966.
Jin, A. T. B., Ling, D. N. C., & Goh, A. (2004). Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognition, 37(11), 2245–2255.
Lumini, A., & Nanni, L. (2007). An improved biohashing for human authentication. Pattern Recognition, 40(3), 1057–1065.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Chang, CC., Nguyen, NT. An Untraceable Biometric-Based Multi-server Authenticated Key Agreement Protocol with Revocation. Wireless Pers Commun 90, 1695–1715 (2016). https://doi.org/10.1007/s11277-016-3418-2
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11277-016-3418-2