Provably Secure Multi-Server Authentication Protocol Using Fuzzy Commitment
Related papers
A Secure Authentication Protocol for Multi-server-based e-Healthcare using a Fuzzy Commitment Scheme
Smart card-based remote authentication schemes are widely used in multi-medical-server-based telecare medicine information systems (TMISs). Biometrics is one of the most trustworthy authenticators and is presently being advocated for use in the remote authentication of TMIS. However, most of the existing TMISs consider a single-server-environment-based authentication system. Therefore, patients need to register and log into every server separately for different services. Furthermore, these schemes do not employ error-correction techniques to remove the errors from biometric data. Also, biometrics are inherent and demand diversification to generate a revocable template from inherent biometric data. In this paper, we propose a mutual authentication and key agreement scheme for a multi-medical server environment to overcome the limitations of the existing schemes. In the proposed scheme, a cancelable transformation of the raw biometric data is used to provide the privacy and the diversification of biometric data. The errors of the biometric data are corrected with error-correction techniques under the fuzzy commitment mechanism. A formal security analysis using the widely accepted real-or-random model, the Burrows-Abadi-Needham logic, and the automated validation of Internet security protocols and applications tool concludes that the proposed scheme is safe against known attacks. We also compare the computation and communication costs of our scheme to evaluate the performance with the others. Index terms: Telecare medicine information system (TMIS), fuzzy commitment scheme, BAN logic, real-or-random (ROR), AVISPA tool.
Authentication protocols for multi-server architectures have gained momentum in recent times due to advancements in computing technologies and associated constraints. Lu et al. recently proposed a biometrics and smartcards-based authentication scheme for multi-server environment. The careful analysis of this paper demonstrates that Lu et al.'s protocol is susceptible to user impersonation attacks and comprises insufficient data. In addition, this paper proposes an improved authentication with key-agreement protocol for multi-server architecture based on biometrics and smartcards. The formal security of the proposed protocol is verified using the widely accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool to ensure that our protocol can withstand active and passive attacks. The formal and informal security analysis and performance analysis sections determine that our protocol is robust and efficient compared to Lu et al.'s protocol and existing similar protocols.
A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards
IEEE Transactions on Information Forensics and Security, 2015
Recently, in 2014, He and Wang proposed a robust and efficient multi-server authentication scheme using biometrics-based smart card and elliptic curve cryptography (ECC). In this paper, we first analyze He-Wang's scheme and show that their scheme is vulnerable to a known session-specific temporary information attack and impersonation attack. In addition, we show that their scheme does not provide strong user's anonymity. Furthermore, He-Wang's scheme cannot provide the user revocation facility when the smart card is lost/stolen or user's authentication parameter is revealed. Apart from these, He-Wang's scheme has some design flaws, such as wrong password login and its consequences, and wrong password update during password change phase. We then propose a new secure multi-server authentication protocol using biometric-based smart card and ECC with more security functionalities. Using the Burrows-Abadi-Needham logic, we show that our scheme provides secure authentication. In addition, we simulate our scheme for the formal security verification using the widely accepted and used automated validation of Internet security protocols and applications tool, and show that our scheme is secure against passive and active attacks. Our scheme provides high security along with low communication cost, computational cost, and variety of security features. As a result, our scheme is very suitable for battery-limited mobile devices as compared with He-Wang's scheme.
Three-factor mutually authenticated key agreement protocols for multi-server environments have gained momentum in recent times due to advancements in wireless technologies and associated constraints. Several authors have put forward various authentication protocols for multi-server environment during the past decade. Wang et al. recently proposed a biometric-based authentication with key agreement protocol for multi-server environment and claimed that their protocol is efficient and resistant to prominent security attacks. The careful investigation of this paper shows that users of Wang et al.'s protocol share personally identifiable information with the application servers during the registration and authentication process. This nature of disclosing credentials leads to severe threats, particularly insider attacks, user impersonation attacks, and server impersonation attacks. As a remedy of the aforementioned problems, this paper proposes a novel biometric-based mutually authenticated key agreement protocol for multi-server architecture based on elliptic curve cryptography. We prove that the proposed protocol achieves secure mutual authentication property using the broadly used Burrows–Abadi–Needham logic. The formal security of the proposed protocol is verified using the widely accepted automated validation of Internet security protocols and applications tool to show that our protocol can withstand active and passive attacks including the replay and man-in-the-middle attacks. The proposed protocol is robust and efficient compared with the existing related protocols.
An Improved Biometric-based Multi-server Authentication Scheme Using Smart Card
International Journal of Security and Its Applications, 2015
To protect resources from unauthorized users, remote user authentication has become an essential part of the communication network. Currently, smart card-based remote user authentication for multi-server environment is a widely used and researched method. Remote user authentication for multi-server environment has resolved the problem of users having to manage different identities and passwords. Recently, Mishra et al. proposed a multi-server authenticated key agreement scheme using smart cards, where they claim that their scheme is secure enough and could resist the various well-known attacks. However, in this paper, we have shown that their scheme is not secure as they have claimed and can suffer from impersonation attacks and stolen smart card attack. Later in the paper, we propose an improved multi-server authentication scheme using smart cards, which not only overcomes the mentioned weaknesses but also can provide more functionality features.
Biometric based authentication protocols for multi-server architectures have gained momentum in recent times due to advancements in wireless technologies and associated constraints. Lu et al. recently proposed a robust biometric based authentication with key agreement protocol for a multi-server environment using smart cards. They claimed that their protocol is efficient and resistant to prominent security attacks. The careful investigation of this paper proves that Lu et al.'s protocol does not provide user anonymity, perfect forward secrecy and is susceptible to server and user impersonation attacks, man-in-the-middle attacks and clock synchronization problems. In addition, this paper proposes an enhanced biometric based authentication with key-agreement protocol for multi-server architecture based on elliptic curve cryptography using smartcards. We proved that the proposed protocol achieves mutual authentication using Burrows-Abadi-Needham (BAN) logic. The formal security of the proposed protocol is verified using the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool to show that our protocol can withstand active and passive attacks. The formal and informal security analyses and performance analysis demonstrate that the proposed protocol is robust and efficient compared to Lu et al.'s protocol and existing similar protocols.
A Novel Secure Remote User Authentication Protocol using Three Factors
2014
According to the recent work done in the area of remote user authentication, biometrics based password authentication using smart card is the most interesting and upcoming technology. Many protocols have been designed aiming to combine three authentication factors efficiently in order to secure the process of remote user authentication, but failed to do so. One of the many possible reasons is biometrics comparison. Basically, biometric is used to uniquely identify the user. It has been observed that the biometrics comparison during the verification is done using its hash value, which is infeasible due to its avalanche effect property. Moreover, impersonation, server spoofing, man-in-the-middle, denial-of-service etc. attacks need to be handled properly to guarantee the security of the protocol. The main objective of this paper is to focus on biometrics comparison and making the protocol immune to the above-mentioned attacks.
Design of a Secure Mutually Authenticated Key-Agreement Protocol for Multi-server Architecture
Journal of Computers
Authentication with key-agreement protocols for multi-server architecture are emerging as a solution to overcome the traditional client-server architecture's limitations such as repeated registrations with distinct tokens and credentials. Since Li et al. first proposed an authentication protocol for multi-server architecture, several similar protocols have followed. The majority of these protocols have been designed with the users sharing their plain or digested credentials with the servers during either registration or authentication phases. This weakens the security by making it vulnerable to severe security threats called privileged insider attacks, user impersonation attacks and server impersonation attacks. To overcome the aforementioned problems, this paper puts forward an authentication with key-agreement protocol for multi-server architecture based on biometrics. The proposed protocol is absolutely lightweight due to its design mainly based on one-way hash function. The analysis section of this paper shows that the proposed protocol performs better than related protocols and makes it suitable for practical applications.
Cryptanalysis on ‘Robust Biometrics-Based Authentication Scheme for Multi-server Environment’
Authentication plays an important role in an open network environment in order to authenticate two communication parties among each other. Authentication protocols should protect the sensitive information against a malicious adversary by providing a variety of services, such as authentication, user credentials' privacy, user revocation and re-registration, when the smart card is lost/stolen or the private key of a user or a server is revealed. Unfortunately, most of the existing multi-server authentication schemes proposed in the literature do not support fundamental security properties such as revocation and re-registration with the same identity. Recently, in 2014, He and Wang proposed a robust and efficient multi-server authentication scheme using biometrics-based smart card and elliptic curve cryptography (ECC). In this paper, we analyze He-Wang's scheme and show that it is vulnerable to a known session-specific temporary information attack and impersonation attack. In addition, we show that their scheme does not provide strong user's anonymity. Furthermore, He-Wang's scheme cannot support the revocation and re-registration property. Apart from these, He-Wang's scheme has some design flaws, such as wrong password login and its consequences, and wrong password update during password change phase.