Robust Multiple Servers Architecture Based Authentication Scheme Preserving Anonymity

Abstract

Recently, many dynamic ID based remote user authentication schemes using smart card have been proposed to improve the security in multiple servers architecture authentication systems. In 2017, Kumari and Om proposed an anonymous multi-server authenticated key agreement scheme, which is believed to be secure against a range of network attacks. Nevertheless, in this paper we reanalyze the security of their scheme, and show that the scheme is vulnerable to impersonation attack and server spoofing attack launched by any adversary without knowing any secret information of the victim users. In addition, their protocol fails to achieve the claimed user privacy protection. For handling these aforementioned shortcomings, we introduce a new biometric-based authentication scheme for multi-server architecture preserving user anonymity. Besides, Burrows—Abadi—Needham (BAN)-logic validated proof and discussion on possible attacks demonstrate the completeness and security of our scheme, respectively. Further, the comparisons in terms of security analysis and performance evaluation of several related protocols show that our proposal can provide stronger security without sacrificing efficiency.

1. Introduction

In the multiple servers architecture based authentication system, registration center, service providing servers and users are major participants. Registration center is the trusted party to administrate all the involved users and servers in the system. Servers provide network services and legitimate users can access these services. Compared with the conventional two-party authentication system, a multi-server architecture based authentication system offers registration procedure one time and allows users to access services from multiple servers. The latter obliterates the inappropriateness that users should perform stuffy reduplicative registration in each server.

In 2004, Das et al. [1] proposed a dynamic ID based remote user authentication scheme using smart card. Since then, many dynamic ID authentication schemes are published to enhance the security properties and reduce the communication and computation costs [2,3,4,5,6,7,8,9,10,11,12]. However, these schemes are designed for single-server architecture which are not suitable for a multi-server environment.

For fulfilling the particularity of the multi-server architecture, ample authentication schemes designed for the multi-server environment have been investigated by researchers. In 2009, Liao and Wang [13] proposed a remote user authentication scheme for multi-server architecture preserving user anonymity to eliminate the risk of ID-theft. Nevertheless, their scheme is proved to be susceptible to insider attack, masquerade attack and fail to provide a mutual authentication. Later on, Hsiang and Shih [14] introduced a remedied protocol to solve the above security flaws. Unfortunately, Sood et al. [15] reanalyzed their scheme and pointed out that it is vulnerable to replay attack, impersonation attack and stolen smart card attack. Meanwhile, they presented a novel multiple servers based authentication scheme. After that, many multi-server authentication schemes have been proposed to strengthen the security and improve the efficiency [16,17,18,19,20,21,22,23,24,25,26].

In 2014, Chuang and Chen [16] proposed an anonymous multi-server authentication key agreement scheme using smart cards, password and biometrics. However, Kumari and Om [23] identified the vulnerabilities of their scheme, such as being insecure against DoS attack, user/server impersonation attack, stolen smart card attack, and failing to achieve perfect forward secrecy. For obliterating the aforementioned shortcomings of Chuang et al.’s scheme, they proposed an enhanced protocol for a multiple servers authentication system, which offered non-repudiation utilizing RSA digital signature. Moreover, the authors stated that their proposal possessed all required security properties and resisted all the network attacks. Unluckily, in this paper, we reexamine the security of Kumari et al.’s RSA cryptosystem based authentication scheme and indicate that their scheme falls short to withstand impersonation attack and server spoofing attack. Specifically, any adversary could break through their scheme easily, even without the knowledge of the victim’s user information. Moreover, adversaries could create test scenarios to execute the brute force attack and reveal users’ low entropy identities. For the purpose of surmounting the identified vulnerabilities, we further devise an improved biometric-based multi-server authentication scheme with a distinctive policy compared with the original. Note that, Burrows—Abadi—Needham (BAN)-logic, one of the important formal methods focusing on evaluating the beliefs of participants in authentication system, is put forward to certify the validity of our proposal. Finally, the security and performance analysis are discussed to observe that the proposed protocol is superior to other related schemes.

This paper is organized as follows. We introduce the basic concept of fuzzy extraction in Section 2. Then, in Section 3 and Section 4 we briefly review Kumari et al.’s scheme and identify its security flaws, respectively. Next, we propose a new robust authentication scheme in Section 5 and analyze its security in Section 6. Subsequently, in Section 7 we compare the performance of our new protocol with the previous schemes. Finally, the paper is concluded in Section 8.

2. Preliminaries

In this section, we briefly introduce the basic concept of fuzzy extractor, for more details please refer to [27]. In 1999, Juels and Wattenberg fetched out the definition of fuzzy extractor which focused on verifying the legality of users by biometric template. Noticeably, it could deal with non-uniformity and error tolerance. Concretely, it could output a uniform key R with an auxiliary P and non-uniform noisy biometric input $B^{*}$ by employing reproducible extraction, which was an error tolerant approach. The auxiliary string P to recover authentication key R is a public parameter and does certainly not compromise secrecy of R. Probabilistic generation algorithm $Gen$ and deterministic reproduction algorithm $Rep$ are efficient procedures of fuzzy extractor with parameters $(m,l,t,ϵ)$, which are detailed as follows.

• $Gen$: Inputs biometric template B, outputs an authenticated value $R\in {\{0,1\}}^l$ and an auxiliary value $P\in {\{0,1\}}^{*}$.
• $Rep$: For all $B,B^{\prime }$, if $dis(B,B^{\prime })\le t$ and $\langle R,P\rangle \leftarrow Gen\left(B\right)$, then $Rep(B^{\prime },P)=R$.

We list the notations used throughout this paper in

Table 1. Notations.

$U_i$	User
$S_j$	Service providing server
$RC$	Registration center
$I{D}_i$	Identification of user
$P{W}_i$	Password of user
$SI{D}_j$	Public identification of server
$B_i$	Biometrics information of user
$X_c$	Secret key of registration center
$p,q$	Two distinct large primes
$n,\varphi \left(n\right)$	$n=p\times q$, $\varphi \left(n\right)=(p-1)\times (q-1)$
$S{K}_{ij}$	Session key shared between user and server
$H(·)$	Hash function
⊕	Exclusive-OR operation
∥	String concatenation operation

.

3. Review of Kumari and Om’s Scheme

In this section, we briefly describe Kumari and Om’s [23] multi-server architecture based authentication scheme. It consists of initialization, registration, login, authentication and password changing phases. In Figure 1, we describe in detail the login and authentication phases in the form of infographics.

3.1. Initialization Phase

Registration center $RC$ chooses a secret value $X_c$ and two distinct large prime numbers p, q. Subsequently, it calculates $n=p\times q$ and $\varphi \left(n\right)=(p-1)\times (q-1)$. $X_c$ is the master secret key and only kept by $RC$. $p,q$ could be destroyed to avoid leaking.

3.2. Registration Phase

3.2.1. Server Registration

Application server $S_j$ transmits its identification $SI{D}_j$ to $RC$ and applies for the jurisdiction to offer network services. $RC$ selects a random number $e_j\in (1,\varphi \left(n\right))$ with $gcd(e_j,\varphi \left(n\right))=1$. Then it computes and seeks out $d_i$ such that $e_j\times d_j\equiv 1mod\left(\varphi \left(n\right)\right)$. Finally, $RC$ sends the credentials $\{M{1}_j,e_j,d_j,n\}$ to $S_j$ via a secured communication channel, where $M{1}_j=H(SI{D}_j\parallel X_c)$, $d_j$ are kept secret and $e_j$, n are announced as public values.

3.2.2. User Registration

Step 1: $U_i$ firstly imprints his/her biometrics and uses fuzzy extractor to obtain authenticated value $R_i$ and auxiliary value $P_i$ such that $Gen\left(B_i\right)=(R_i,P_i)$. Then, he/she selects identity $I{D}_i$ and password $P{W}_i$ to calculate $P{B}_i=H(P{W}_i\oplus R_i)$ and sends $\{I{D}_i,P{B}_i,P_i\}$ to registration center for registration.

Step 2: Upon receiving registration request from $U_i$, $RC$ computes $HP{W}_i=H(I{D}_i\parallel P{B}_i)$, $A_i=H(I{D}_i\parallel X_c)\oplus P{B}_i$, $B_i=H(I{D}_i\oplus P{B}_i)\oplus A_i$, $C_{ij}=B_i\oplus M{1}_j^{e_j}$ and $D_{ij}=M{1}_j\oplus H(I{D}_i\parallel X_c)$. Then, $RC$ transmits the smart card contained $\{B_i,C_{ij},D_{ij},HP{W}_i,P_i,H(·)\}$ to $U_i$ securely.

3.3. Login Phase

$U_i$ inserts his/her smart card into the terminal and inputs identity $I{D}_i$, password and the biometric template $B_i$ imprinted at the sensor. The smart card will execute the following procedure.

Step 1: Performs reproduction algorithm $R_i^{*}=Rep(B_i,P_i)$ and computes $P{B}_i^{*}=H(P{W}_i\oplus R_i^{*})$, $HP{W}_i^{*}=H(I{D}_i\parallel P{B}_i^{*})$.

Step 2: Verifies the equivalence of $HP{W}_i^{*}$ and the stored value $HP{W}_i$. If they are equal, proceeds to next steps; otherwise, terminates this session immediately.

Step 3: Generates a random number $r_u$ and acquires the current timestamp $T1$ to calculate $N{1}_{ij}={(C_{ij}\oplus B_i)}^{r_u}$, $N{2}_{ij}={(D_{ij}\oplus B_i\oplus H(I{D}_i\oplus P{B}_i)\oplus P{B}_i)}^{r_u}$, $CI{D}_{ij}=I{D}_i\oplus N{2}_{ij}$, $N{3}_{ij}=H(I{D}_i\parallel (C_{ij}\oplus B_i)\parallel N{2}_{ij}\parallel T1)$.

Step 4: Submits the login request message $\{CI{D}_{ij},N{1}_{ij},N{3}_{ij},T1\}$ to $S_j$.

3.4. Authentication Phase

On receiving the login request $\{CI{D}_{ij},N{1}_{ij},N{3}_{ij},T1\}$ from $U_i$ at $T2$, $S_j$ verifies the validity of $T1$ by checking $T2-T1$ whether less or equal than the permissible time interval $△T$ for a transmission delay. If so, continues to perform the following steps; else, $S_j$ aborts the login session.

Step 1: $S_j$ computes $N{2}_{ij}={\left(N{1}_{ij}\right)}^{d_j}$, $I{D}_i=CI{D}_{ij}\oplus N{2}_{ij}$, $N{3}_{ij}=H(I{D}_i\parallel M{1}_j^{e_j}\parallel N{2}_{ij}\parallel T1)$ with the known credential $d_j$.

Step 2: Then $S_j$ verifies the computed $N{3}_{ij}$ with the received one. If the equation does not hold, terminates the session; on the contrary, continues to execute the further steps.

Step 3: $S_j$ acquires the current timestamp $T3$ and generates a random number $r_s$ to compute $M{2}_{ij}={\left(M{1}_j\right)}^{r_s·d_j}$, $M{3}_{ij}={\left(N{1}_{ij}\right)}^{r_s}$, $S{K}_{ij}=H(I{D}_i\parallel SI{D}_j\parallel M{3}_{ij}\parallel N{2}_{ij})$, $M{4}_{ij}=H(S{K}_{ij}\parallel T3)$, $CSI{D}_{ij}=SI{D}_j\oplus M{3}_{ij}$.

Step 4: Subsequently, $S_j$ responses to $U_i$ the replied mutual authentication message $\{CSI{D}_{ij},M{2}_{ij},M{4}_{ij},T3\}$.

Step 5: Upon receiving the response message from $S_j$ at $T4$, $U_i$ checks whether $T4-T3\le △T$. If it does not hold, $U_i$ gives up this login procedure; otherwise, the smart card computes $M{3}_{ij}={\left(M{2}_{ij}\right)}^{e_j^2·r_u}$, $SI{D}_j=CSI{D}_{ij}\oplus M{3}_{ij}$, $S{K}_{ij}=H(I{D}_i\parallel SI{D}_j\parallel M{3}_{ij}\parallel N{2}_{ij})$, $M{4}_{ij}=H(S{K}_{ij}\parallel T3)$.

Step 6: Afterwards, the smart card checks the equivalence of the computed $M{4}_{ij}$ and the received one. If they are not equal, the authentication fails; else, $U_i$ confirms $S_j$ is authentic and the mutual authentication is completed. Finally, $U_i$ and $S_j$ share a current session key $S{K}_{ij}$.

3.5. Password Changing Phase

In the procedure of password changing phase, $U_i$ could update her/his password offline. Firstly, he/she should insert smart card into the device and input $I{D}_i$, $P{W}_i$, the biometric template $B_i$. Then, the smart card verifies the legitimation of $U_i$ to launch the following steps.

Step 1: Computes $R_i=Rep(B_i,P_i)$, $P{B}_i=H(P{W}_i\oplus R_i)$ and compares the stored value $HP{W}_i$ equals to the computed $H(I{D}_i\parallel P{B}_i)$. If they are not equal, the smart card terminates this session; otherwise, the smart card continues to compute $A_i=B_i\oplus H(I{D}_i\oplus P{B}_i)$, $H(I{D}_i\parallel X_c)=A_i\oplus P{B}_i$, $M{1}_j^{e_j}=C_{ij}\oplus B_i$.

Step 2: Subsequently, $U_i$ is allowed to input a new password $P{W}_i^{new}$. The smart card calculates $P{B}_i^{new}=H(P{W}_i^{new}\oplus R_i)$, $HP{W}_i^{new}=H(I{D}_i\parallel P{B}_i^{new})$, $A_i^{new}=H(I{D}_i\parallel X_c)\oplus P{B}_i^{new}$, $B_i^{new}=H(I{D}_i\oplus P{B}_i^{new})\oplus A_i^{new}$, $C_{ij}^{new}=B_i^{new}\oplus M{1}_j^{e_j}$.

Step 3: Finally, the smart card replaces $\{B_i,C_{ij},HP{W}_i\}$ with the new parameters to finish the password change phase.

4. Cryptanalysis of Kumari and Om’s Scheme

In this phase, we show that Kumari and Om’s protocol is vulnerable to impersonation attack, server spoofing attack and fails to protect user anonymity. Their scheme is thoroughly broken down by any malicious user in the multi-server authentication system, even when one knows nothing about the victim user. The detailed demonstration is described as follows.

4.1. Impersonation Attacks

Consider a legitimate but malicious user $U_{\mathcal{A}}$ in the multiple servers authentication system, he/she can obtain $M{1}_j^{e_j}=C_{\mathcal{A}j}\oplus B_{\mathcal{A}}$ and $M{1}_j=D_{\mathcal{A}j}\oplus B_{\mathcal{A}}\oplus H(I{D}_{\mathcal{A}}\oplus P{B}_{\mathcal{A}})\oplus P{B}_{\mathcal{A}}$ with secret parameters stored in his/her own smart card. Then, the adversary can further impersonate any legal user (even a non-existent user) to unauthorized access $S_j$.

In the login phase, $U_{\mathcal{A}}$ randomly selects a string $I{D}_k$ with the format of identity and computes $N{1}_{kj}={(M{1}_j^{e_j})}^{r_{\mathcal{A}}}=M{1}_j^{e_j·r_{\mathcal{A}}}$, $N{2}_{kj}={\left(M{1}_j\right)}^{r_{\mathcal{A}}}$, $CI{D}_{kj}=I{D}_k\oplus N{2}_{kj}$, $N{3}_{kj}=H(I{D}_k\parallel M{1}_j^{e_j}\parallel N{2}_{kj}\parallel T{1}_k)$, where $r_{\mathcal{A}}$ and $T{1}_k$ are generated random number and acquired current timestamp respectively. Subsequently, he/she transmits the forged login request $\{CI{D}_{kj},N{1}_{kj},N{3}_{kj},T{1}_k\}$ to $S_j$.

After receiving the forged login request, $S_j$ checks the validity of $T{1}_k$ and calculates $N{2}_{kj}={\left(N{1}_{kj}\right)}^{d_j}$, $I{D}_k=CI{D}_{kj}\oplus N{2}_{kj}$, $N{3}_{kj}=H(I{D}_k\parallel M{1}_j^{e_j}\parallel N{2}_{kj}\parallel T{1}_k)$ with the known credential $d_j$. Obviously, the computed $N{3}_{kj}$ is consistent to the forged one in the login request, that is, the verification of $U_{\mathcal{A}}$ is successful and $S_j$ accepts the login request of the adversary. Subsequently, $S_j$ computes $M{2}_{kj}={\left(M{1}_j\right)}^{r_s·d_j}$, $M{3}_{kj}={\left(N{1}_{kj}\right)}^{r_s}$, $S{K}_{kj}=H(I{D}_k\parallel SI{D}_j\parallel M{3}_{kj}\parallel N{2}_{kj})$, $M{4}_{kj}=H(S{K}_{kj}\parallel T3)$, $CSI{D}_{kj}=SI{D}_j\oplus M{3}_{kj}$ with the random number $r_s$ and timestamp $T3$, and replies $\{CSI{D}_{kj},M{2}_{kj},M{4}_{kj},T3\}$ to the adversary.

After that, the adversary computes $M{3}_{kj}={\left(M{2}_{kj}\right)}^{e_j^2·r_{\mathcal{A}}}$, $SI{D}_j=CSI{D}_{kj}\oplus M{3}_{kj}$, $S{K}_{kj}=H(I{D}_k\parallel SI{D}_j\parallel M{3}_{kj}\parallel N{2}_{kj})$. Finally, $U_{\mathcal{A}}$ obtains the session key $S{K}_{kj}$ and uses it to communicate with $S_j$. Hence, the adversary successfully accesses the service providing server unauthorized.

4.2. Failure of Preserving Anonymity

As described above, a legitimate but malicious user $U_{\mathcal{A}}$ could obtain $M{1}_j^{e_j}$ with his/her own secret values. Suppose that $U_{\mathcal{A}}$ intercepts $U_i$’s login request $\{CI{D}_{ij},N{1}_{ij},N{3}_{ij},T1\}$ in a prior transaction, he/she could easily get $U_i$’s identity by the brute force attack. In the following we present the concrete procedures.

Step 1. Firstly, let $I{D}_i^{*}$ be an identity candidate in the identity space. Subsequently, the adversary computes $N{2}_{ij}^{*}=CI{D}_{ij}\oplus I{D}_i^{*}$.

Step 2. Secondly, the adversary checks $N{3}_{ij}?=H(I{D}_i^{*}\parallel M{1}_j^{e_j}\parallel N{2}_{ij}^{*}\parallel T1)$ to verify the correctness of chosen candidate $I{D}_i^{*}$.

Step 3. The adversary performs Steps 1 and 2 repeated with another candidate in the identity space until the correct $I{D}_i$ such that $N{3}_{ij}=H(I{D}_i\parallel M{1}_j^{e_j}\parallel (CI{D}_{ij}\oplus I{D}_i)\parallel T1)$ is found.

Actually, the above attack could be executed effectively since the amount of identity space is limited. The primary causes of this problem are the inherently restricted human cognition and the limitation of identity format.

4.3. Server Spoofing Attack

In Kumari and Om’s protocol, a legitimate but malicious user $U_{\mathcal{A}}$ also can masquerade as an authorized server. Based on the description in the above analysis, $U_{\mathcal{A}}$ can obtain $U_i$’s identity $I{D}_i$ by employing feasible brute force attack and record the identity $SI{D}_j$ of $S_j$ in a prior session. Furthermore, he/she also needs to intercept the mutual authentication message $\{CSI{D}_{ij},M{2}_{ij},M{4}_{ij},T3\}$ replied to $U_i$ from $S_j$ in a previous session, and records a pair values $(M{2}_{ij},M{3}_{ij})=(M{2}_{ij},CSI{D}_{ij}\oplus SI{D}_j)$. Noticeably, the adversary merely does preparatory work one time, rather than repetitively recording these values before performing each server spoofing attack. The concrete description of server spoofing attack is shown as follows.

Step 1: Suppose that $U_i$ requests to access $S_j$ with $\{CI{D}_{ij},N{1}_{ij},N{3}_{ij},T1\}$. The adversary selects a random number $r_{\mathcal{A}}$ and computes

$$M{2}_{ij}^{*}={\left(M{2}_{ij}\right)}^{r_{\mathcal{A}}}={\left(M{1}_j\right)}^{r_s·r_{\mathcal{A}}·d_j},$$

$$M{3}_{ij}^{*}={\left(M{3}_{ij}\right)}^{r_{\mathcal{A}}}={\left(N{1}_{ij}\right)}^{r_s·r_{\mathcal{A}}},$$

$$S{K}_{ij}^{*}=H(I{D}_i\parallel SI{D}_j\parallel M{3}_{ij}^{*}\parallel (CI{D}_{ij}\oplus I{D}_i)),$$

$$M{4}_{ij}^{*}=H(S{K}_{ij}^{*}\parallel T{3}_{\mathcal{A}}),$$

$$CSI{D}_{ij}^{*}=SI{D}_j\oplus M{3}_{ij}^{*}$$

with the values previously recorded. Afterwards, sends the forged response $\{CSI{D}_{ij}^{*},M{2}_{ij}^{*},M{4}_{ij}^{*},T{3}_{\mathcal{A}}\}$ to $U_i$.

Step 2: After receiving the forged reply, $U_i$ computes

$$M{3}_{ij}^{*}={\left(M{2}_{ij}^{*}\right)}^{e_j^2·r_u}={\left(M{1}_j\right)}^{e_j·r_u·r_s·r_{\mathcal{A}}}={\left(N{1}_{ij}\right)}^{r_s·r_{\mathcal{A}}},$$

$$SI{D}_j=CSI{D}_{ij}^{*}\oplus M{3}_{ij}^{*},$$

$$S{K}_{ij}^{*}=H(I{D}_i\parallel SI{D}_j\parallel M{3}_{ij}^{*}\parallel N{2}_{ij}).$$

Obviously, the computed $H(S{K}_{ij}^{*}\parallel T{3}_{\mathcal{A}})$ is equal to the received $M{4}_{ij}^{*}$. Hence, $U_i$ authenticates the adversary successfully and communicates with him/her. The major contributor of the network flaw is the allelomorphism of array $(M{2}_{ij},M{3}_{ij})$—any attacker could reconstitute these two values by performing an exponentiation with exponent $r_{\mathcal{A}}$ respectively.

5. Our Scheme

Herein, we propose a novel multiple servers architecture based authentication scheme with biometrics, which contains five phases, namely initialization phase, registration phase, login phase, authentication phase and password changing phase. Furthermore, we depict the login and authentication phases in Figure 2.

5.1. Initialization Phase

Registration center $RC$ initializes the authentication system with secret value $X_c$ and two distinct large primes p, q. Then, it keeps $\left\{X_c\right\}$ secret and publishes the public parameters $\{n,\varphi (n\left)\right\}$, where $n=p\times q$, $\varphi \left(n\right)=(p-1)\times (q-1)$. Finally, $RC$ obliterates the two values $p,q$.

5.2. Registration Phase

This segment contains two sub-phases: server registration and user registration. Service providing servers and users apply for authorization of registration center through the following procedures, respectively.

5.2.1. Server Registration

Similar to the original protocol, service providing server $S_j$ sends its identity $SI{D}_j$ to $RC$ for registration. After receiving the registration request, it seeks out two large numbers $e_j\in (1,\varphi \left(n\right))$ and $d_j$ such that $gcd(e_j,\varphi \left(n\right))=1$ and $e_j\times d_j\equiv 1mod\left(\varphi \left(n\right)\right)$, computes $s_j=H(SI{D}_j\parallel X_c)$. Afterwards, $RC$ transmits the calculated credentials $\{s_j,e_j,d_j,n\}$ to $S_j$. $S_j$ publishes $\{e_j,n\}$ and keeps $\{s_j,d_j\}$ as secret keys.

5.2.2. User Registration

Step 1: $U_i$ imprints the biometrics $B_i$ and invokes the fuzzy extractor to generate $(R_i,P_i)\leftarrow Gen\left(B_i\right)$. Subsequently, he/she calculates $I{B}_i=H(I{D}_i\parallel R_i)$ and $P{B}_i=H(P{W}_i\parallel R_i)$ with the selected identity and password. After that, $U_i$ registers in $RC$ with $\{I{B}_i,P{B}_i\}$.

Step 2: Then, $RC$ computes $K_{ij}=H(I{B}_i\parallel s_j)$ with each service providing server secret key $\{s_1,s_2,···,s_k\}$. $RC$ continues to calculate $A_{ij}={\left(K_{ij}\right)}^{e_j}\oplus H(I{B}_i\oplus P{B}_i)$, $C_{ij}=K_{ij}\oplus P{B}_i$ and $D_i=H(I{B}_i\parallel P{B}_i)$. Afterwards, $RC$ personalizes the smart card with the $\{(A_{i1},A_{i2},···,A_{ik}),(C_{i1},C_{i2},···,C_{ik}),D_i\}$ and sends it to $U_i$ via a secure channel.

5.3. Login Phase

Step 1: $U_i$ inserts his/her smart card into the card reader and inputs $I{D}_i$, $P{W}_i$, the imprinted biometric template $B_i^{\prime }$. Then the smart card recovers the value $R_i$ through $R_i\leftarrow Rep(B_i^{\prime },P_i)$, computes $I{B}_i=H(I{D}_i\parallel R_i)$, $P{B}_i=H(P{W}_i\parallel R_i)$, and verifies whether the computed $H(I{B}_i\parallel P{B}_i)$ equals to the stored $D_i$ or not. If they are consistent, continues to execute Step 2; otherwise, the login phase is aborted directly.

Step 2: The smart card generates a random number $r_i$ and calculates $M{1}_{ij}={(A_{ij}\oplus H(I{B}_i\oplus P{B}_i))}^{r_i}={\left(K_{ij}\right)}^{e_j·r_i}$, $M{2}_{ij}={(C_{ij}\oplus P{B}_i)}^{r_i}={\left(K_{ij}\right)}^{r_i}$, $CI{D}_{ij}=I{B}_i\oplus M{2}_{ij}$, $K_{ij}=C_{ij}\oplus P{B}_i$, $M{3}_{ij}=H(I{B}_i\parallel K_{ij}\parallel M{2}_{ij}\parallel T_i)$, where $T_i$ is the acquired current timestamp.

Step 3: $U_i$ accesses $S_j$ with the login request $\{CI{D}_{ij},M{1}_{ij},M{3}_{ij},T_i\}$.

5.4. Authentication Phase

Step 1: Upon receiving $U_i$’s login request at $T{1}_i$, $S_j$ checks the validity of $T_i$. If $T{1}_i-T_i\ge T$, $S_j$ rejects $U_i$’s login request; otherwise, it computes $M{2}_{ij}={\left(M{1}_{ij}\right)}^{d_j}={\left(K_{ij}\right)}^{r_i}$. Further, $S_j$ uses $M{2}_{ij}$ to recover $I{B}_i$ with $CI{D}_{ij}\oplus M{2}_{ij}$. Subsequently, it verifies the uniformity of the computed value $H(I{B}_i\parallel H(I{B}_i\parallel s_j)\parallel M{2}_{ij}\parallel T_i)$ and the received $M{3}_{ij}$. If they are equal, the legitimacy of $U_i$ is ensured; on the contrary, $S_j$ discards the session immediately.

Step 2: After that, $S_j$ acquires the current timestamp $T_j$ and generates a random integer number $r_j$ to compute $S{K}_{ij}={\left(M{1}_{ij}\right)}^{r_j·d_j}={\left(K_{ij}\right)}^{r_j·r_i}$, $V{1}_{ij}={\left(K_{ij}\right)}^{r_j·d_j}$, $V{2}_{ij}=H(SI{D}_j\parallel S{K}_{ij}\parallel K_{ij}\parallel T_j)$. Subsequently, it sends the response authentication message $\{V{1}_{ij},V{2}_{ij},T_j\}$ to $U_i$.

Step 3: Upon receiving the replied message at $T{1}_j$, the smart card verifies the validity of $T_j$. If $T{1}_j-T_j$ is less than or equal to the permissible time interval $△T$ for a transmission delay, the authentication fails. Otherwise, the smart card calculates $S{K}_{ij}={\left(V{1}_{ij}\right)}^{e_j·r_i}$ and $V{2}_{ij}^{*}=H(SI{D}_j\parallel S{K}_{ij}\parallel K_{ij}\parallel T_j)$. If $V{2}_{ij}^{*}=V{2}_{ij}$, $U_i$ confirms that $S_j$ is authentic and mutual authentication is completed successfully; on the contrary, the session will be terminated.

After finishing the above mutual authentication procedures, $S_j$ and $U_i$ agree on the session key $S{K}_{ij}$ for the future secure communication.

5.5. Password Changing Phase

These procedures are invoked whenever $U_i$ changes the overdue password with a new one.

Step 1: Similar to Step 1 of login phase, the smart card verifies the legitimacy of the card holder. If it confirms the validity of $U_i$, the smart card proceeds to Step 2; otherwise, it rejects the request of changing password.

Step 2: The smart card permits $U_i$ to enter a new password $P{W}_i^{new}$ to replace the original. Specifically, $U_i$ should enter the new one twice to prevent him/her from typing errors. Suppose that the entered passwords are unequal—the smart card requests $U_i$ to enter a new one two more times.

Step 3: After that, the smart card computes $P{B}_i^{new}=H(P{W}_i^{new}\parallel R_i)$, $A_{ij}^{new}=A_{ij}\oplus H(I{B}_i\oplus P{B}_i^{new})$, $C_{ij}^{new}=C_{ij}\oplus P{B}_i^{new}$, $D_i^{new}=H(I{B}_i\parallel P{B}_i^{new})$. Then it replaces the original values with $\{(A_{i1}^{new},A_{i2}^{new}···,A_{ik}^{new}),(C_{i1}^{new},C_{i2}^{new},···,C_{ik}^{new}),D_i^{new}\}$.

6. Security Analysis and Discussion

6.1. Authentication Proof Based on BAN-Logic

Herein, we present the demonstration for the completeness of the proposed scheme through BAN-logic [28]. BAN-logic is one of the widely employed formal proofs for analyzing the trustworthiness of involved participants in authentication protocol.

In the following, we define some notations for the further BAN-logic analysis.

• $\mathcal{P}\mid \equiv X$: The principal $\mathcal{P}$ believes a statement X or $\mathcal{P}$ would be entitled to believe X.
• $♯\left(X\right)$: The formula X is fresh.
• $\mathcal{P}\Rightarrow X$: The principal $\mathcal{P}$ has jurisdiction over the statement X.
• $\mathcal{P}◃X$: The principal $\mathcal{P}$ sees the statement X.
• $\mathcal{P}\mid \sim X$: The principal $\mathcal{P}$ once said the statement X.
• $(X,Y)$: The formula X or Y is one part of the formula $(X,Y)$.
• ${\langle X\rangle }_Y$: The formula X is combined with the formula Y.
• $\mathcal{P}\stackrel{K}{⟷}\mathcal{Q}$: The principals $\mathcal{P}$ and $\mathcal{Q}$ use the shared key K to communicate. Here, K will never be discovered by any principal except for $\mathcal{P}$ and $\mathcal{Q}$.
• $\mathcal{P}\stackrel{K}{\rightleftharpoons }\mathcal{Q}$: K is shared secret known to $\mathcal{P}$, $\mathcal{Q}$, and possibly to one trusted by them.
• $S{K}_{ij}$: The session key used in the current session.

We present several logical postulates of BAN-logic as follows.

• The message-meaning rule: $\frac{\mathcal{P}\mid \equiv \mathcal{Q}\stackrel{K}{\rightleftharpoons }\mathcal{P},\mathcal{P}◃{\langle X\rangle }_K}{\mathcal{P}\mid \equiv \mathcal{Q}\mid \sim X}$.
• The freshness-conjuncatenation rule: $\frac{\mathcal{P}\mid \equiv ♯\left(X\right)}{\mathcal{P}\mid \equiv ♯(X,Y)}$.
• The nonce-verification rule: $\frac{\mathcal{P}\mid \equiv ♯\left(X\right),\mathcal{P}\mid \equiv \mathcal{Q}\mid \sim X}{\mathcal{P}\mid \equiv \mathcal{Q}\mid \equiv X}$.
• The jurisdiction rule: $\frac{\mathcal{P}\mid \equiv \mathcal{Q}\Rightarrow X,\mathcal{P}\mid \equiv \mathcal{Q}\mid \equiv X}{\mathcal{P}\mid \equiv X}$, $\frac{\mathcal{P}\mid \equiv (X,Y)}{\mathcal{P}\mid \equiv X}$, $\frac{\mathcal{P}◃(X,Y)}{\mathcal{P}◃X}$, $\frac{\mathcal{P}\mid \equiv \mathcal{Q}\mid \sim (X,Y)}{\mathcal{P}\mid \equiv \mathcal{Q}\mid \sim X}$.

In the following, we present the verification goals based on the analytic procedures of BAN-logic.

• Goal 1: $U_i\mid \equiv (U_i\stackrel{S{K}_{ij}}{⟷}{S}_j)$
• Goal 2: $S_j\mid \equiv (U_i\stackrel{S{K}_{ij}}{⟷}{S}_j)$

Next, we present the idealized form of the proposed scheme which was arranged from generic type.

• Message 1: $U_i\to S_j$: $(CI{D}_{ij},M{1}_{ij},{\langle I{B}_i,M{2}_{ij},T_i\rangle }_{K_{ij}},T_i)$
• Message 2: $S_j\to U_i$: $(V{1}_{ij},{\langle SI{D}_j,S{K}_{ij},T_j\rangle }_{K_{ij}},T_j)$

In the following, we present some assumptions about the initial state of our proposed scheme to further analyze it.

• A.1: $U_i\mid \equiv (U_i\stackrel{K_{ij}}{\rightleftharpoons }{S}_j)$
• A.2: $S_j\mid \equiv (U_i\stackrel{K_{ij}}{\rightleftharpoons }{U}_i)$
• A.3: $U_i\mid \equiv ♯\left(T_j\right)$
• A.4: $S_j\mid \equiv ♯\left(T_i\right)$
• A.5: $S_j\mid \equiv U_i\Rightarrow (I{B}_i,M{2}_{ij},T_i)$
• A.6: $U_i\mid \equiv S_j\Rightarrow (SI{D}_j,S{K}_{ij},T_j)$
• A.7: $S_j\mid \equiv r_j$

Next, we analyze the idealized form of the proposed protocol based on the aforementioned assumptions and logical postulates—the primary proof steps of BAN-logic are described in the following:

According to Message 1, we could prove:

$S_j◃(CI{D}_{ij},M{1}_{ij},{\langle I{B}_i,M{2}_{ij},T_i\rangle }_{K_{ij}},T_i)$.

According to the jurisdiction rule, we could prove:

$S_j◃{\langle I{B}_i,M{2}_{ij},T_i\rangle }_{K_{ij}}$.

According to assumption A.2 and the message-meaning rule, we could prove:

$S_j\mid \equiv U_i\mid \sim (I{B}_i,M{2}_{ij},T_i)$.

According to the assumption A.4 and the freshness-conjuncatenation rule, we could prove:

$S_j\mid \equiv ♯(I{B}_i,M{2}_{ij},T_i)$.

According to $S_j\mid \equiv U_i\mid \sim (I{B}_i,M{2}_{ij},T_i)$ and the nonce-verification rule, we could prove:

$S_j\mid \equiv U_i\mid \equiv (I{B}_i,M{2}_{ij},T_i)$.

According to the assumption A.5 and the jurisdiction rule, we could prove:

$S_j\mid \equiv (I{B}_i,M{2}_{ij},T_i)$.

According to the jurisdiction rule, we could prove:

$S_j\mid \equiv M{2}_{ij}$.

According to $S{K}_{ij}={\left(M{2}_{ij}\right)}^{r_j}$ and the assumption A.7, we could prove:

$S_j\mid \equiv (U_i\stackrel{S{K}_{ij}}{⟷}{S}_j)$ (Goal 2).

According to Message 2, we could prove:

$U_i◃(V{1}_{ij},{\langle SI{D}_j,S{K}_{ij},T_j\rangle }_{K_{ij}},T_j)$.

According to the jurisdiction rule, we could prove:

$U_i◃{\langle SI{D}_j,S{K}_{ij},T_j\rangle }_{K_{ij}}$.

According to assumption A.1 and the message-meaning rule, we could prove:

$U_i\mid \equiv S_j\mid \sim (SI{D}_j,S{K}_{ij},T_j)$.

According to the assumption A.3 and the freshness-conjuncatenation rule, we could prove:

$U_i\mid \equiv ♯(SI{D}_j,S{K}_{ij},T_j)$.

According to $U_i\mid \equiv S_j\mid \sim (SI{D}_j,S{K}_{ij},T_j)$ and the nonce-verification rule, we could prove:

$U_i\mid \equiv S_j\mid \equiv (SI{D}_j,S{K}_{ij},T_j)$.

According to the assumption A.6 and the jurisdiction rule, we could prove:

$U_i\mid \equiv (SI{D}_j,S{K}_{ij},T_j)$.

According to the jurisdiction rule, we could prove:

$U_i\mid \equiv S{K}_{ij}$,

$U_i\mid \equiv SI{D}_j$.

According to $U_i\mid \equiv S{K}_{ij}$ and $U_i\mid \equiv SI{D}_j$, we could prove:

$U_i\mid \equiv (U_i\stackrel{S{K}_{ij}}{⟷}{S}_j)$ (Goal 1).

6.2. Discussion on Possible Attacks

In this section, we present the security analysis in regard to a series of venomous network attacks and security properties to evaluate the proposed scheme.

6.2.1. Preserve User Privacy

In the proposed scheme, $S_j$ can retrieve the identity information $I{B}_i=H(I{D}_i\parallel R_i)$ from the value $CI{D}_{ij}=I{B}_i\oplus M{2}_{ij}$ in the login request, which integrates with exponent $r_i$ of $K_{ij}$. $S_j$ keeps the secret key $d_j$ and can recover $M{2}_{ij}$ with another value $M{1}_{ij}$ in login request by computing $M{2}_{ij}=M{1}_{ij}^{d_j}$. In this way, the adversary either compromises $S_j$’s master secret key $d_j$ or solves the big integer factorization problem. Whereas, it is infeasible for him/her to obtain $I{B}_i$ in the above introduced method. Additionally, in our scheme, the dynamic identity $CI{D}_{ij}$ is invoked by a hash value $I{B}_i$ of $U_i$’s identity and biometric template, rather than a low entropy identity $I{D}_i$. Hence, the adversary could not reveal user’s $I{D}_i$ by the attack introduced for breaching Kumari and Om’ protocol. Accordingly, our proposal is secure to against ID-theft attack and achieves user privacy protection.

6.2.2. Off-Line Password Guessing Attack

The adversary could perform brute force attack to compromise the low entropy password with the eavesdropped session messages and revealed parameters stored in the smart card of victim users [29,30]. Because of this vulnerability, we introduce another security factor biometrics in our proposal. Concretely, $I{B}_i$, $P{B}_i$ are both attached with the secret value $R_i$ retrieved by legitimate biometric template $B_i$. Assume that the attacker has revealed the credential $D_i=H(I{B}_i\parallel P{B}_i)$ stored in the smart card, he/she has to guess identity $I{D}_i$, password $P{W}_i$ and secret value $R_i$ simultaneously. Notably, the length of secret value $R_i$ meets the requirements of information security. Thus, off-line password guessing attack is fruitless for our proposed scheme.

6.2.3. Impersonation Attack

Impersonation attack means that an adversary forges a login request to masquerade legitimate users for unauthorized access to network services. It is indispensable for the adversary to generate an authenticated login request message $\{CI{D}_{ij},M{1}_{ij},M{3}_{ij},T_i\}$, where $M{1}_{ij}={(A_{ij}\oplus H(I{B}_i\oplus P{B}_i))}^{r_i}={\left(K_{ij}\right)}^{e_j·r_i}$, $M{2}_{ij}={(C_{ij}\oplus P{B}_i)}^{r_i}={\left(K_{ij}\right)}^{r_i}$, $CI{D}_{ij}=I{B}_i\oplus M{2}_{ij}$, $K_{ij}=C_{ij}\oplus P{B}_i$, $M{3}_{ij}=H(I{B}_i\parallel K_{ij}\parallel M{2}_{ij}\parallel T_i)$. From computational procedure of these parameters, we can obviously see that $K_{ij}$ and $I{B}_i$ are the key values to form them. In our proposal, $K_{ij}=H(I{B}_i\parallel s_j)$ is a unique secret value contributed by secrets of server and user, instead of a static value $M{1}_j$ of $S_j$ for each user in Kumari and Om’ protocol. The measure guarantees that users cannot abuse a unitary element to access servers illegally. On the other hand, the adversary also has no ability to calculate the verified login request without knowing $K_{ij}$. Consequently, the impersonation attack is trivial in our scheme.

6.2.4. Server Spoofing Attack

Server spoofing attack indicates that someone (it could even be a legal but malicious server) pretends to be another server to deceive users. In order to perform the attack, the adversary should reply to $U_i$ a rightful authentication message $\{V{1}_{ij},V2ij,T_j\}$ likewise with the victim server, where $V{1}_{ij}={\left(K_{ij}\right)}^{r_j·d_j}$, $V{2}_{ij}=H(SI{D}_j\parallel S{K}_{ij}\parallel K_{ij}\parallel T_j)$, $S{K}_{ij}={\left(K_{ij}\right)}^{r_j·r_i}$. The value $K_{ij}$ is also the core to generate the response parameters. As described in Section 6.2.3, $K_{ij}$ is only accessible to $U_i$ and $S_j$—others could obtain it unless it compromises the secret key $X_c$ of $RC$. Therefore, server spoofing attack is meaningless in our scheme.

6.2.5. Replay Attacks

The replay attack signifies that someone spitefully resubmits repeated or delayed messages to deceive honest participants for nefarious purposes. Timestamping is one of the most widely employed techniques to prevent replay attack. In our proposal, both login request and replied authentication messages are involved in current timestamp. Both participants can verify its validity by detecting message transmitting delay. As a consequence, the replay attack is resisted effectively.

6.2.6. Forward Secrecy

Forward secrecy of information exchange protocol safeguards the past sessions to be revealed in which the long term key of $RC$ is compromised in the future, even if the adversary actively interfered. Our proposed scheme achieves forward secrecy because the session key $S{K}_{ij}={\left(K_{ij}\right)}^{r_j·r_i}$ is surrounded by $r_i$ and $r_j$. Even though the adversary calculates $K_{ij}$ with the leaked key $X_c$, he/she also is unable to further compromise $S{K}_{ij}$ computed with the contribution of one-time random numbers $\{r_i,r_j\}$.

7. Performance and Functionality Analysis

Herein, we present performance and functionality evaluation analysis of our proposed scheme and other recently related protocols, that is, Chuang et al.’s scheme [16], Kumari and Om’s scheme [23] and Jangirala et al.’s scheme [26].

Table 2. Comparisons of functionality.

	[16]	[23]	[26]	Ours
Prevention of impersonation attack	No	No	No	Yes
Prevention of off-line password guessing attack	Yes	No	Yes	Yes
Prevention of server spoofing attack	No	No	No	Yes
Preserving user privacy	Yes	No	No	Yes
Prevention of replay attack	No	Yes	Yes	Yes
Formal security proof	No	Yes	Yes	Yes
Mutual authentication	No	No	No	Yes
Smart card breach attack	Yes	No	No	Yes
Perfect forward secrecy	No	Yes	Yes	Yes

and

Table 3. Performance comparisons.

	[16]	[23]	[26]	Ours
Login phase	4$T_h$	$4T_h+2T_e$	8$T_h$	4$T_h$ + 2$T_e$
Authentication phase	13$T_h$	$5T_h+5T_e$	17$T_h$	4$T_h$ + 4$T_e$
Computation cost	17$T_h$	$9T_h+7T_e$	25$T_h$	8$T_h$ + 6$T_e$

show the comparative study in terms of security features and computational cost of the proposed scheme along with the aforementioned schemes, separately.

According to the comparisons of Table 2, we can see that our scheme satisfies all the requirements and criterion for multiple servers based authentication system. In contrast, the other three schemes suffer from more or less susceptibilities, even the superiorities claimed by the authors. In the modified scheme, we eliminate these flaws and enhance the security by targeted renovation.

In Table 3, the notations $T_h$ and $T_e$ denote the consuming time for a one-way hash function and a modular exponential operation, respectively. The evaluation shown in Table 3 focuses on the login phase, authentication phase and neglects the other three phases which do not frequently need to be performed. Chuang et al.’s and Jangirala et al.’s schemes use symmetric encryption and only perform hash function. Our proposed scheme and Kumari & Om’s scheme are employed by RSA cryptosystem and require to execute modular exponentiation. Thus, the latter two schemes need to expend more computational cost. From Table 3, the total computation cost of Chuang et al.’s scheme, Kumari & Om’s scheme, Jangirala et al.’s scheme and our scheme are 17$T_h$, $9T_h+7T_e$, 25$T_h$ and 8$T_h$ + 6$T_e$. Noticeably, our scheme can thwart many security threats identified on these schemes. Additionally, our scheme is proved formally with the BAN-logic.

8. Conclusions

This paper firstly identified that Kumari and Om’s anonymous multi-server authenticated key agreement scheme was plagued by impersonation attack, server spoofing attack and privacy disclosure. Even worse, any attacker could decipher it by launching a malicious attack without the knowledge of the victim’s secret information. Secondly, we introduce a modified multiple servers architecture based authentication scheme with biometric to rectify these security flaws. Subsequently, to evaluate the devised scheme, we present the formal proof validated by BAN-logic and logical analysis for a range of network attacks. The performance and functionality comparisons in terms of computational cost and security features show that the designed protocol is superior for multiple servers authentication system.