An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics
Introduction
In recent years, wireless communications and network technologies have undergone rapid development (Dondi et al., 2008, Gil-Castineira et al., 2008, Hwang et al., 2007, Lazar and Carari, 2008, Liu et al., 2007, Marino et al., 2009), and many people now use mobile devices (e.g., PDAs, mobile phones, and notebooks) at any time and from anywhere to access all kinds of application services from the Internet, such as network attached storage (NAS), Web browsing, VoIP, video conferencing, and multimedia applications.
However, this mobile computing situation calls for an authentication mechanism that protects legitimate users from attacks. The smart card based remote user authentication scheme is one of the simplest and most convenient authentication mechanisms for insecure networks. Lamport (1981) first introduced a password authentication scheme for communication over insecure channels, in which the server has to maintain a password table. However, this scheme cannot prevent a stolen-verifier attack. Although many later papers (Fan et al., 2005, Juang et al., 2008, Sun et al., 2009) proposed improved password-based authentication schemes for resisting such attacks, password-based remote user authentication schemes are unfortunately still easily broken by simple dictionary attacks because of the low entropy of passwords. Therefore, more and more research (Chang and Lin, 2004, Fan and Lin, 2009, Khan and Zhang, 2006, Khan et al., 2008, Ku et al., 2005, Lee et al., 2002, Li and Hwang, 2010, Lin and Lai, 2004, Mitchell and Tang, 2005, Xu et al., 2008) has combined a user’s biometrics (e.g., fingerprints, irises, and hand geometry) with a password and a smart card to design remote user authentication schemes that enhance the level of security (i.e., a secret key with a high-entropy value; Fan, 2009). Lee et al. (2002) put forward a fingerprint-based remote user authentication scheme using smart cards, but a number of later studies (Chang and Lin, 2004, Ku et al., 2005, Lin and Lai, 2004) pointed out that this scheme cannot resist masquerade attacks and server spoofing attacks. Lin and Lai (2004) thus combined the password and fingerprint minutiae templates into super passwords and provided an off-line password change scheme, but Mitchell and Tang (2005) observed that the password change process is vulnerable because the smart card does not have enough information to check the correctness of the old password.
Fan and Lin (2009) then suggested a three-factor authentication scheme that combines biometrics with a password and a smart card to provide high-security remote authentication, and they proved the security of their scheme. Khan and Zhang (2006) proposed an improved scheme to enhance the security, but this scheme turned out to be susceptible to a parallel session attack (Khan et al., 2008, Xu et al., 2008), in which an adversary who does not know a legal user’s password can impersonate the user by crafting a valid login message from eavesdropped communications between the user and the server. Although Li and Hwang’s (2010) biometrics-based remote user authentication scheme using smart cards was efficient, it and the other biometrics-based schemes (Chang and Lin, 2004, Fan and Lin, 2009, Khan and Zhang, 2006, Khan et al., 2008, Ku et al., 2005, Lee et al., 2002, Li and Hwang, 2010, Lin and Lai, 2004, Mitchell and Tang, 2005, Xu et al., 2008) support only a single-server environment, which is a limitation insofar as there are many kinds of application servers on the Internet. Fig. 1 shows a user accessing multiple application servers at the same time. If the authentication scheme does not consider the multi-server environment, the user must perform the registration procedure many times, which results in high overhead at the registration center (RC) and on the network. Some research (Chang and Lee, 2004, Juang, 2004, Liao and Wang, 2009, Tsai, 2008) has supported multi-server environments, but since these schemes were based only on smart cards and passwords, the authentication system was insecure when both the user’s smart card and password were stolen; moreover, the schemes of Chang and Lee (2004), Juang (2004), and Tsai (2008) did not provide anonymous authentication. More recently, Yang and Yang (2010) and Yoon and Yoo (2010) introduced biometrics-based multi-server authentication schemes, but they still did not consider user anonymity.
Further, Yang and Yang’s scheme (Yang & Yang, 2010) needs to perform exponential operations that entail a high computational cost, while Yoon and Yoo’s scheme (Yoon & Yoo, 2010) was shown by He (2011) to be vulnerable to privileged insider attacks, masquerade attacks, and loss of smart card attacks.
In this paper, we propose an anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards, passwords, and biometrics. Our scheme is not only a lightweight authentication scheme that uses only nonces and a hash function but also satisfies all of the following security properties: anonymity, absence of verification tables, mutual authentication, resistance to forgery attacks, no clock synchronization problem, resistance to modification attacks, resistance to replay attacks, fast error detection, resistance to off-line guessing attacks, resistance to insider attacks, simple and secure password choice and modification, biometric template protection, and session key agreement.
The remainder of this paper is organized as follows. Section 2 introduces some preliminaries. In Section 3, we describe the proposed scheme in detail, and the analyses of security, computation costs, and comparisons are presented in Section 4. Finally, we summarize our conclusions in Section 5.
Preliminaries
This section describes the common user requirements, the security requirements of the system, the advantages of using biometrics, and the properties of the hash function.
Proposed scheme
This section describes the proposed anonymous multi-server authenticated key agreement scheme, which involves five procedures: server registration, user registration, login, authentication, and password change. All notations are summarized in Table 1.
Security analysis
We follow the same approach as (Lin and Lai, 2004, Chang and Lee, 2004, Juang, 2004, Khan et al., 2008, Li and Hwang, 2010, Liao and Wang, 2009, Crypto++ Library, xxxx, Tsai, 2008, Xu et al., 2008, Yang and Yang, 2010, Yoon and Yoo, 2010) in presenting the security analysis.
(1) Anonymity: Under the proposed scheme, the original identity of a user is always converted into an alias that is based on a random number (i.e., AIDi = h(N1) ⊕ IDi). Therefore, an adversary cannot determine the original identity of the
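The alias construction AIDi = h(N1) ⊕ IDi from the anonymity property above, worked through as an added example (not the paper's own code). It assumes h is SHA-256 and that IDi is UTF-8 encoded and zero-padded to the 32-byte digest length so that the XOR is well defined; it also shows why the nonce N1 must be fresh per login and kept from eavesdroppers.

```python
"""Alias (pseudonym) derivation AID_i = h(N1) XOR ID_i, as in the scheme's
anonymity argument. Assumptions: h = SHA-256; ID_i is UTF-8 and zero-padded
to the digest length. Illustrative code, not the paper's implementation."""
import hashlib
import secrets

DIGEST_LEN = 32  # SHA-256 output length; assumption: IDs fit in 32 bytes


def h(data: bytes) -> bytes:
    """One-way hash h(.) of the scheme; SHA-256 is an assumption here."""
    return hashlib.sha256(data).digest()


def encode_id(user_id: str) -> bytes:
    """Fixed-width encoding of ID_i so that XOR with h(N1) is well defined."""
    raw = user_id.encode("utf-8")
    if len(raw) > DIGEST_LEN:
        raise ValueError("ID_i longer than the hash output")
    return raw.ljust(DIGEST_LEN, b"\x00")


def decode_id(padded: bytes) -> str:
    return padded.rstrip(b"\x00").decode("utf-8")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_nonce() -> bytes:
    """Fresh random N1 per login; reuse would let two aliases be linked."""
    return secrets.token_bytes(16)


def make_alias(user_id: str, nonce: bytes) -> bytes:
    """User side: AID_i = h(N1) XOR ID_i. The mask h(N1) hides ID_i."""
    return xor_bytes(h(nonce), encode_id(user_id))


def recover_id(alias: bytes, nonce: bytes) -> str:
    """Only a party that knows N1 can strip the mask and obtain ID_i."""
    return decode_id(xor_bytes(alias, h(nonce)))


def aliases_unlinkable(user_id: str) -> bool:
    """Two logins by the same user give unrelated aliases when N1 is fresh."""
    return make_alias(user_id, new_nonce()) != make_alias(user_id, new_nonce())
```

An eavesdropper who sees only AIDi learns nothing about IDi unless N1 (or h(N1)) leaks, so the protection of N1 in transit is what the anonymity claim rests on.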
Conclusions and future work
In this paper, we propose a secure remote user authentication scheme that not only supports the multi-server environment, reducing the overhead of the RC, but also possesses strong security properties that protect legitimate users against attacks at minimal computational cost. Our scheme is suitable for real-life applications because it is a truly lightweight authentication scheme that uses only a hash function. Moreover, our scheme satisfies the following security properties: anonymity, no
References (50)
- et al. A lightweight mutual authentication mechanism for network mobility in IEEE 802.16e wireless networks. Computer Networks (2011).
- et al. Robust remote authentication scheme with smart cards. Computer Security (2005).
- et al. A minutia-based partial fingerprint recognition system. Pattern Recognition (2005).
- et al. Chaotic hash-based fingerprint biometric remote user authentication scheme on mobile devices. Chaos, Solitons and Fractals (2008).
- et al. An efficient biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications (2010).
- et al. A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces (2009).
- et al. A flexible biometrics remote user authentication scheme. Computer Standards & Interfaces (2004).
- et al. A novel hierarchical fingerprint matching approach. Pattern Recognition (2011).
- et al. The utilization of a Taylor series-based transformation in fingerprint verification. Pattern Recognition Letters (2006).
- et al. Local relative location error descriptor-based fingerprint minutiae matching. Pattern Recognition Letters (2008).
- Efficient multi-server authentication scheme based on one-way hash function without verification table. Computers & Security.
- Fingerprint alignment using a two stage optimization. Pattern Recognition Letters.
- Dynamic registration selection for fingerprint verification. Pattern Recognition.
- Fingerprint matching based on global alignment of multiple reference minutiae. Pattern Recognition.
- Remarks on fingerprint-based remote user authentication scheme using smart cards. ACM SIGOPS Operating Systems Review.
- SF-PMIPv6: A secure fast handover mechanism for proxy mobile IPv6 networks. Journal of Systems and Software.
- SPAM: A secure password authentication mechanism for seamless handover in proxy mobile IPv6 networks. IEEE Systems Journal.
- Modeling and optimization of a solar energy harvester system for self-powered wireless sensor networks. IEEE Transactions on Industrial Electronics.
- Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics. IEEE Transactions on Information Forensics and Security.
- Extending vehicular CAN fieldbuses with delay-tolerant networks. IEEE Transactions on Industrial Electronics.
- Network-based fuzzy decentralized sliding-mode control for car-like mobile robots. IEEE Transactions on Industrial Electronics.
Cited by (211)
- An efficient key agreement and anonymous privacy preserving scheme for vehicular ad-hoc networks with handover authentication. Concurrency and Computation: Practice and Experience (2024).
- Rotating behind security: an enhanced authentication protocol for IoT-enabled devices in distributed cloud computing architecture. Eurasip Journal on Wireless Communications and Networking (2023).
- Cloud-Assisted Secure and Cost-Effective Authenticated Solution for Remote Wearable Health Monitoring System. IEEE Transactions on Network Science and Engineering (2023).
- A Dynamic C-V2X anonymous authentication and group key agreement protocol. Research Square (2023).
- A Blockchain-Assisted Lightweight Anonymous Authentication Scheme for Medical Services in Internet of Medical Things. Wireless Personal Communications (2023).