Robust mobile device integration of a fingerprint biometric remote authentication scheme
Toan-Thinh TRUONG∗, Minh-Triet TRAN† & Anh-Duc DUONG†
∗Smart Digital Content, SDC. Email: [email protected]
†Faculty of Information Technology, University of Science, VNU-HCM. Email: {tmtriet,daduc}@fit.hcmus.edu.vn
Abstract—Communications in wireless environments such as GSM, CDPD, 3G, and 4G are very popular. Therefore, it is necessary to have a secure authentication scheme to protect transactions between users and servers from illegal adversaries. In particular, users are vulnerable to attacks, and many authentication schemes with smart cards have been proposed to protect them. Recently, Chen et al. proposed a scheme that integrates the user's fingerprint to enhance the security of authentication. With this idea, Chen et al.’s scheme is indeed more secure than previous ones. However, their scheme is easily compromised by a replay attack. Furthermore, attackers can steal an identity and re-register with it to obtain the secret key and so fake users and servers. In this paper, we present an improvement to their scheme in order to isolate such problems.
Keywords-Authentication, Password, Dynamic ID, Smart card, Impersonation, Session key, Biometric-based
I. INTRODUCTION
In wireless environments, remote authentication
schemes play an important role in communicating
between partners. To keep faith and security, schemes not
only must protect legal users and servers from illegitimate
adversaries, but they also prevent legal partners from
masquerading to cheat each other.
There are many solutions to satisfy above requirements,
and one of the solutions that many schemes have employed
is password authentication which has many advantages
such as simplicity, efficiency, and convenience. However,
many schemes[1][2][3][4][5] based on password use static
identity, which is vulnerable to leaking information to
attackers. One solution to identity theft is making it vary
for each login. Later, a number of papers[6][7][8][9][10]
have put forward many ideas to protect user anonymity
by applying random value or time-stamp to vary user
identity for each session. However, these schemes issue
a smart card to each user and assume that the contents
of the smart card cannot be revealed. This is not practical
because a user's smart card can be lost or stolen. When
attackers hold the smart card, they are fully able
to impersonate the user.
Recently, there has been a combination between
authentication schemes and biometrics such as
fingerprint, face and voice characteristics. Obviously,
combining authentication with personal characteristics
makes schemes more secure, and some
papers[11][12][13][14][15][16] have proposed biometric-based
schemes. In 2008, Khan et al.[11] proposed a
hash-based biometric remote authentication scheme,
using a mobile device instead of a smart card. They
claimed that their scheme provides secure, robust, and
trustworthy remote authentication of mobile users over
an insecure network. However, in 2010, Chen et al.[12]
pointed out that Khan et al.’s scheme is vulnerable to
an impersonation attack that uses information leaked from
the mobile device. Contrary to Chen et al.’s claims, in this
paper we demonstrate that Chen et al.’s scheme is still
vulnerable to replay attack and to server and user spoofing
attacks, and cannot protect the user’s anonymity.
According to the descriptions mentioned, we sum up
some requirements of the authentication scheme for a
mobile device and supply some necessary conditions
which a protocol should have.
1) Efficiency: A mobile device has limited
power and resources, so an authentication protocol
should have low computational cost to save energy
and extend the running time of the mobile
device[17].
2) Anonymity: User anonymity is one of the important
properties which a protocol must have because it
protects privacy and prevents adversaries from
masquerading as legal users[18][19][20].
3) Mutual Authentication: To protect the security of
legitimate parties and prevent adversaries from
compromising and impersonating them, an authentication
protocol must provide mutual authentication
for user and server to guarantee that all checked
objects are safe in an insecure environment.
4) Session Establishment: After successful authentication,
data needs to be transmitted between
server and user. So, an authentication protocol
should include a key exchange phase to satisfy this
requirement[21].
5) Scalability: An authentication scheme that does not
store a verification table on the server is suitable for
extending the number of users. In such a scheme, the server only
confirms the validity of a user by checking identity. So,
the server can increase profits, especially in electronic
applications[22][23][24].
6) Mechanism of changing password: A user’s
password is vulnerable to password
guessing attack. Users tend to set a
password related to their personal information, for example
birthday, name or address. So, users need to be able to
change their password for security. A standard
authentication scheme must provide a mechanism for
changing the password to satisfy this requirement.
2012 26th IEEE International Conference on Advanced Information Networking and Applications
1550-445X/12 $26.00 © 2012 IEEE
DOI 10.1109/AINA.2012.47
Our main ideas are to use a random value for each user,
instead of providing the same key to the same person
when he/she re-registers, and a three-way challenge-response
handshake technique, to satisfy the above requirements
and better resist replay attack[25]. In later
sections we present an improvement to the scheme to
isolate such problems.
The remainder of this paper is organized as follows: sec-
tion 2 quickly reviews Chen et al.’s scheme and discusses
its weaknesses. Then, our proposed scheme is presented
in section 3, while section 4 discusses the security and
efficiency of the proposed scheme. Our conclusions are
presented in section 5.
II. REVIEW AND CRYPTANALYSIS OF CHEN, LEE AND
HSU’S SCHEME
In this section, we review Chen, Lee and Hsu’s Mo-
bile device integration of a fingerprint biometric remote
authentication scheme[12] and show that their scheme is
vulnerable to replay attack, and spoofing attack. Further-
more, it can not protect user’s anonymity.
A. Review of Chen, Lee and Hsu’s Scheme
In this subsection, we review Chen, Lee and Hsu’s
scheme. Their scheme includes four phases: registration
phase, login phase, authentication phase and password
change phase. Some important notations in this scheme
are listed as follow:
• Ui: ith user.
• IDi: Unique identification of Ui.
• PWi: Unique password of Ui.
• Fi: The personal fingerprint of the Ui.
• S: The remote server.
• x: The private key of the remote server.
• h(.): A cryptographic one-way hash function.
• hk(.): A cryptographic one-way hash function with a
secret key k.
• T: The timestamp.
• N: The nonce.
• ⊕: The exclusive-or operation.
• ‖: The concatenation operation.
1) Registration Phase: When the user Ui wants to
access resource of a remote server, he/she has to submit
his/her identity IDi, h(PWi ⊕ N) and fingerprint Fi to
server through a secure channel, where PWi is user’s
password and N is a nonce chosen by user. Figure 1
illustrates the steps of the registration phase.
• Step R1. Ui ⇒ S: IDi, h(PWi ⊕ N), Fi. Ui freely
chooses his/her identity IDi, PWi and imprints his/her
fingerprint biometric on the sensor. Then, Ui com-
putes h(PWi ⊕ N), where N is a random number
generated by Ui and sends IDi, h(PWi ⊕ N) and Fi
to the S for registration through a secure channel.
• Step R2. S computes hpw = h(PWi ⊕ N) ⊕ Fi,
Ri = h(IDi ⊕ x) ⊕ hpw, and Vi = h_{h(IDi ⊕ x)}(Fi).
• Step R3. S ⇒ Ui: (Ri, Vi, h(.), hk(.)). S sends the
secret information to Ui through a secure channel.
• Step R4. Ui stores information transmitted from S
and keys N into his/her mobile device.
Figure 1. Chen, Lee, and Hsu’s registration phase
In their registration phase, we see three
advantages. The user can choose the password PW and
identity ID freely. Furthermore, the user can hide his/her
password from the server by sending the hash value h(PW ⊕ N)
instead of PW itself. In addition, this phase uses the user’s
fingerprint to enhance security. Our scheme, proposed later,
inherits all of these points. However,
in preparation for our authentication scheme, we
modify the registration phase slightly by adding a
random value e for each user’s registration.
2) Login Phase: After receiving the secret information
from S, Ui can use it when he/she wants to log in to S.
Fig 2 illustrates the steps of the login phase.
• Step L1. Ui inputs IDi, PWi and imprints his/her
fingerprint Fi on the sensor. Then the mobile device
computes hpw = h(PWi ⊕ N) ⊕ Fi and Ai = Ri ⊕ hpw,
and then checks if h_{Ai}(Fi) is the same as
Vi stored in the mobile device. If they are the same, the
mobile device allows Ui to continue to the next
step and temporarily saves the fingerprint template Fi
until the end of the authentication phase; otherwise,
it terminates the session.
• Step L2. The mobile device generates a nonce N′
and computes C1 = N′ ⊕ Ai and C2 = h_{Ai}(N′) to
challenge the remote server S.
• Step L3. Ui ⇒ S: IDi, C1, C2. The user sends the
login message to the remote server through a common
channel.
In their login phase, we see that the user generates a random
value N to challenge server S. This guarantees that no one
except S can know h(IDi ⊕ x) of user U. However, the
drawback of this phase is that IDi is transmitted in plaintext,
so we will fix this weak point of their phase.
3) Authentication Phase: After receiving the login request
sent from Ui, S performs the following tasks to
authenticate the user’s login request. Fig 2 illustrates the
steps of the authentication phase.
• Step A1. On receiving the login request (IDi, C1, C2)
from Ui, S checks IDi to determine its validity.
• Step A2. S computes h(IDi ⊕ x) to obtain Bi
(Bi = C1 ⊕ h(IDi ⊕ x)), then checks if h_{h(IDi ⊕ x)}(Bi) ?= C2.
If they are not equal, S rejects the login request;
otherwise, the identity of the user is assured and the
login request is accepted. S stores IDi until the end
of the session.
• Step A3. S → Ui: (S1). The server computes
S1 = h(h(IDi ⊕ x) ‖ Bi) and sends it back to the user.
• Step A4. On receiving this message (S1) from S,
Ui verifies if h(Ai ‖ N′) ?= S1. If they are equal,
the server is authenticated and Ui replaces N with a
selected N′′, Ri with R′i (footnote 1); otherwise, this session is
terminated.
Figure 2. Chen, Lee and Hsu’s login and authentication phase
In their authentication phase, we see that server S does
not generate any random value to re-challenge user U. So,
S cannot know whether the user it is communicating with is legal
or not. At this point we use the three-way challenge-response
handshake technique to remedy this. With that technique,
S can determine the legitimacy of users. In addition, at the
end of this phase, the mobile device must choose a
new random value N′′ to update Ri = Ri ⊕ hpw ⊕ h(PW ⊕ N′′) ⊕ Fi.
This update is useless because it does not
change the way of logging in or the package
transmitted to server S. So, in our authentication phase
proposed later, we eliminate this useless procedure
to decrease computational cost.
4) Password Change Phase: In this phase, Ui can
change his/her password anytime when he/she wants.
Figure 3 illustrates the steps of the password change phase.
• Step P1. Ui enters his/her identity IDi, password PW
and imprints fingerprint Fi into the mobile device.
• Step P2. The mobile device computes hpw = h(PW ⊕ N) ⊕ Fi,
and verifies whether h_{Ri ⊕ hpw}(Fi) = Vi. If they are not equal,
then Ui’s mobile device
rejects the password change request and terminates
the operation. Otherwise, the user chooses the new
password PW∗ and submits it to the mobile device.
• Step P3. Ui’s mobile device computes hpw∗ = h(PW∗ ⊕ N) ⊕ Fi,
R∗i = Ri ⊕ hpw ⊕ hpw∗ and stores R∗i
to replace Ri.
Figure 3. Chen, Lee and Hsu’s password change phase
Footnote 1: R′i = Ri ⊕ hpw ⊕ hpw′, where hpw′ = h(PW ⊕ N′′) ⊕ Fi
In their password change phase, we see that only legal
users can change the password because this procedure needs
the identity IDi, password PW and fingerprint Fi of the user.
So, this is the only phase we inherit without modification.
Note that the arrows in figure 3 are only symbolic,
because there is no channel between users and their mobile
device.
B. Cryptanalysis of Chen, Lee and Hsu’s Scheme
In this subsection, we present our results on Chen, Lee
and Hsu’s scheme. We will show that their scheme is
vulnerable to replay attack and to user and server spoofing attacks.
Besides, their scheme does not protect user anonymity.
1) Inability To Protect User Anonymity: In Chen, Lee
and Hsu’s scheme, anyone can learn who
is authenticating with the server. In the authentication phase, the
mobile device sends IDi directly in plaintext to server S,
and an adversary can obtain this IDi. Clearly, their scheme
cannot provide user anonymity.
2) User And Server Spoofing: In Chen, Lee and Hsu’s
scheme, we see that the theft of a legal user’s identity
has bad consequences for that user. Because attacker
A has IDi of another U, attacker A can re-register to S by
sending (IDi, h(PWnew ⊕ Nnew), Finew). Then, S will
send (Ri, Vi, h(.), hk(.)) back to U. When obtaining Ri, A
can easily get h(IDi ⊕ x) by performing
Ri ⊕ h(PWnew ⊕ Nnew) ⊕ Finew. With h(IDi ⊕ x) in hand, A can
impersonate U owning IDi. A will compute C1 = N′ ⊕ h(IDi ⊕ x),
C2 = h_{h(IDi ⊕ x)}(N′), where N′ is a random
value chosen by A. So, A will send (IDi, C1, C2) to S to
masquerade as U. Furthermore, with h(IDi ⊕ x) in hand, A
can completely fake S to cheat that U. When U, owning the IDi
stolen by A, sends (IDi, C1, C2) to S, A blocks this package
and computes N′ = C1 ⊕ h(IDi ⊕ x), S1 = h(h(IDi ⊕ x) ‖ N′).
Then, S sends S1 to U. On receiving S1 from A,
U compares h(h(IDi ⊕ x) ‖ N′) with S1. Clearly, they are
equal and A cheats U successfully.
3) Replay Attack: In Chen, Lee and Hsu’s scheme, we
see that anyone can save (IDi, C1, C2). So, at any time an
adversary can resend (IDi, C1, C2) to S. On receiving this
package, S computes Bi = C1 ⊕ h(IDi ⊕ x) and checks
C2 ?= h_{h(IDi ⊕ x)}(Bi). Clearly, the check succeeds.
So, S assumes that a legal user is communicating. Finally,
S sends S1 to A. Obviously, their scheme cannot resist
replay attack.
III. PROPOSED SCHEME
In this section, we propose a revised version of
Chen, Lee and Hsu’s scheme that removes the security
problems described in the previous section. Our improved
scheme not only inherits the advantages of their scheme
but also enhances its security.
Before entering into each phase, we present the general
ideas of our scheme in more detail. In the registration
phase, our main goal is achieving h(IDi ⊕ h(x ‖ e)).
The random value e helps to resist re-registration by attackers:
the same identity receives different authentication keys
at different times. In the login and authentication phases, we
use two random values N′ and V for server and user to
challenge each other. Furthermore, we employ a three-way
challenge-response handshake technique to resist replay or
impersonation attacks. It is also very important that user
and server hold the same session key after authenticating
successfully.
Our scheme is also divided into the four phases of registration,
login, mutual authentication and password change.
However, we do not present the password change phase
because it does not change in our scheme.
A. Registration Phase
Before presenting the phase, we list three requirements
for a registration phase: secrecy of the information
transmitted between user and server; the true password
of the user should not be shown to anyone, even the server;
and the keys provided by the server should differ for each
registration. Chen et al.’s
scheme achieves the first two requirements but not the last.
So, we will remedy this point to accomplish a good
registration phase.
When a user Ui wants to register with the service provider
S, he/she has to submit his/her identity IDi, h(PW ⊕ N)
and his/her fingerprint, by imprinting it on the sensor, to S,
where PW is Ui’s password and N is a nonce chosen by
Ui. Figure 4 illustrates the steps of the registration phase.
1) Generating a random value e.
2) Computing hpw = h(PW ⊕ N) ⊕ Fi, Ei = hpw ⊕ h(x ‖ e),
Ri = h(IDi ⊕ h(x ‖ e)) ⊕ hpw and
Vi = h_{h(IDi ⊕ h(x ‖ e))}(Fi).
3) Sending (Ri, Vi, Ei, e, h(.), hk(.)) to the user’s
mobile device through a secure channel.
Figure 4. Proposed registration phase
B. Login Phase
The user Ui enters his/her identity IDi and password PWi,
and imprints the fingerprint Fi on the sensor, to log in to the
service provider S. The mobile device then performs
the following steps:
1) Computing hpw = h(PW ⊕ N) ⊕ Fi, Ai = Ri ⊕ hpw.
Then, the mobile device checks if h_{Ai}(Fi) = Vi. If they
are not equal, the mobile device terminates the session;
otherwise, it allows the user to go to the next step.
The mobile device generates a nonce N′ and computes
C1 = N′ ⊕ Ei ⊕ hpw, C2 = h_{Ai}(N′) and CID = IDi ⊕ N′.
2) Sending the login request message (CID, C1, C2) to
S.
C. Mutual Authentication And Session Key Agreement Phase
Similarly, we propose three requirements that make
authentication more secure: the user must use a random
value to challenge the server, the server must use a random value
to re-challenge the user, and user and server must share a secret
session key. In Chen et al.’s scheme, only the user uses a
random value to challenge the server, but not vice versa, and
no session key is generated after authenticating successfully.
Our phase will fix these weak points.
In this session, the service provider S will receive the
login request message (CID, C1, C2) from Ui in the login
phase. Figure 5 illustrates the steps by which S authenticates
the user Ui.
1) Computing N′ = h(x ‖ e) ⊕ C1 and IDi = CID ⊕ N′,
and checking the validity of IDi. Then, S
checks if C2 = h_{h(IDi ⊕ h(x ‖ e))}(N′). If they are
equal, S accepts Ui. Otherwise, it rejects Ui. Then,
S generates a random value V and computes
S1 = h(h(IDi ⊕ h(x ‖ e)) ‖ V ‖ Bi). S sends (V, S1) to U.
2) On receiving the message (V, S1), the user Ui checks
if S1 = h(Ai ‖ V ‖ N′). If they are not equal, the mobile
device terminates the session; otherwise, it computes
S2 = h((Ei ⊕ hpw) ‖ V) and sends (S2) to S.
3) On receiving the message (S2), the server S checks
if S2 = h(h(x ‖ e) ‖ V). If they are not equal, S
terminates the session; otherwise, it computes the session
key SK = h(h(IDi ⊕ h(x ‖ e)) ‖ h(x ‖ e) ‖ V ‖ Bi).
Similarly, U also computes SK = h(Ai ‖ (Ei ⊕ hpw) ‖ V ‖ N′).
Figure 5. Proposed login, mutual authentication and session key agreement phase
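The registration, login and three-way handshake steps above, run end to end as an added Python example (not the authors' code), next to the stateless check of the reviewed scheme that Section II-B shows accepting a recorded login. Assumptions: SHA-256 for h(.), HMAC-SHA256 for the keyed hash, 32-byte zero-padded IDi and PW, an exact-match 32-byte fingerprint template, Bi taken to be the recovered N′, and e sent with the login request as in Section IV.

```python
import hashlib, hmac, secrets

L = 32  # assumption: every protocol value is 32 bytes, so XOR is well defined

def h(*parts):                        # h(.), with "‖" as byte concatenation
    return hashlib.sha256(b"".join(parts)).digest()

def hk(key, msg):                     # keyed hash, HMAC-SHA256 here (assumption)
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def pad(text):                        # fixed-length encoding of IDi and PW (assumption)
    return text.encode().ljust(L, b"\0")

def chen_server_accepts(x, ID, C1, C2):
    """Steps A1-A2 of the reviewed scheme: stateless check, no server challenge."""
    key = h(xor(pad(ID), x))          # h(IDi ⊕ x)
    return hmac.compare_digest(hk(key, xor(C1, key)), C2)

class Server:
    def __init__(self):
        self.x = secrets.token_bytes(L)   # master key x
        self.pending = {}                 # handshakes in progress; no verifier table

    def register(self, ID, hpwn, F):      # hpwn = h(PW ⊕ N), F = fingerprint template
        e = secrets.token_bytes(L)        # fresh random e for every registration
        hxe, hpw = h(self.x, e), xor(hpwn, F)
        key = h(xor(pad(ID), hxe))        # h(IDi ⊕ h(x‖e))
        return {"R": xor(key, hpw), "V": hk(key, F), "E": xor(hpw, hxe), "e": e}

    def on_login(self, CID, e, C1, C2):
        hxe = h(self.x, e)
        N1 = xor(hxe, C1)                 # N′ = h(x‖e) ⊕ C1
        key = h(xor(xor(CID, N1), hxe))   # IDi = CID ⊕ N′
        if not hmac.compare_digest(C2, hk(key, N1)):
            return None
        V, sid = secrets.token_bytes(L), secrets.token_hex(8)
        self.pending[sid] = (h(hxe, V), h(key, hxe, V, N1))   # expected S2, SK
        return sid, V, h(key, V, N1)      # S1, with Bi taken as the recovered N′

    def on_confirm(self, sid, S2):
        expected, SK = self.pending.pop(sid, (b"", None))
        return SK if hmac.compare_digest(S2, expected) else None

class Device:
    def __init__(self, ID, PW, F, server):
        self.ID, self.N = ID, secrets.token_bytes(L)
        self.card = server.register(ID, h(xor(pad(PW), self.N)), F)

    def login(self, PW, F):
        c, hpw = self.card, xor(h(xor(pad(PW), self.N)), F)
        A = xor(c["R"], hpw)              # Ai = Ri ⊕ hpw
        if not hmac.compare_digest(hk(A, F), c["V"]):
            raise ValueError("password or fingerprint rejected by the device")
        N1, hxe = secrets.token_bytes(L), xor(c["E"], hpw)   # N′ and Ei ⊕ hpw
        self.state = (A, hxe, N1)
        return xor(pad(self.ID), N1), c["e"], xor(N1, hxe), hk(A, N1)

    def respond(self, V, S1):
        A, hxe, N1 = self.state
        if not hmac.compare_digest(S1, h(A, V, N1)):
            raise ValueError("server not authenticated")
        return h(hxe, V), h(A, hxe, V, N1)    # S2, SK

def demo():
    server, F = Server(), secrets.token_bytes(L)   # F: constructed stand-in template
    dev = Device("alice", "pw-2012", F, server)
    msg = dev.login("pw-2012", F)                  # (CID, e, C1, C2)
    sid, V, S1 = server.on_login(*msg)
    S2, sk_user = dev.respond(V, S1)
    keys_match = sk_user == server.on_confirm(sid, S2)
    # The recorded login message and S2 are presented again: the server picks a
    # new V, so the old S2 no longer verifies and no session key is released.
    sid2, _, _ = server.on_login(*msg)
    replay_completes = server.on_confirm(sid2, S2) is not None
    # Reviewed scheme, for comparison: one recorded (IDi, C1, C2) passes every time.
    key, N1 = h(xor(pad("alice"), server.x)), secrets.token_bytes(L)
    recorded = ("alice", xor(N1, key), hk(key, N1))
    chen_replay = all(chen_server_accepts(server.x, *recorded) for _ in range(2))
    # Registering the same identity and hpw again yields a different Ri, that is
    # a different key h(IDi ⊕ h(x‖e)), because e is fresh.
    again = server.register("alice", h(xor(pad("pw-2012"), dev.N)), F)
    keys_differ = again["R"] != dev.card["R"]
    return keys_match, replay_completes, chen_replay, keys_differ

if __name__ == "__main__":
    print(demo())
```

The only server-side state is the set of handshakes in progress, which is what lets the server bind S2 to the V it issued without keeping a per-user verification table.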
IV. SECURITY AND EFFICIENCY ANALYSIS
In this section, we review the weak and strong points
of our scheme and analyze it in two respects: security and
efficiency. Our scheme includes four phases: registration,
login, authentication and session-key agreement, and
password change.
• Registration phase: User U sends (IDi, h(PW ⊕ N), Fi)
to server S and U receives (Ri, Vi, Ei, e, h(.), hk(.)).
Finally, U enters N into the mobile device. The advantage
of this phase is that the user receives different
information at different times, and the drawback is that PW
is chosen by U. That PW may be a weak password[26],
which has a value of low entropy and can be guessed
in polynomial time.
• Login phase: User U enters (ID, h(PW ⊕ R), Fi)
into the mobile device. Then, the mobile device computes
h_{Ri ⊕ (h(PW ⊕ N) ⊕ Fi)}(Fi) and checks if that value is equal
to Vi stored in the mobile device. Finally, the mobile device
sends (CID, e, C1, C2) to server S.
• Authentication and session-key agreement phase: After
receiving (CID, e, C1, C2) from user U, S computes
V, S1 and sends them to U. Then, S waits to receive
S2 from U to confirm. The advantage of this
phase is that all information depends on the master key x,
a strong key[26] of S, which has a value of high
entropy and cannot be guessed in polynomial time.
The drawback of this phase is that it uses more
hash operations than previous ones.
• Password change phase: We do not
revisit this phase because it is inherited entirely from Chen et al.’s scheme.
A. Security Analysis
In this subsection, we present the security analysis
of our scheme and show that the proposed scheme can resist
many kinds of attack. Assume that wireless communications
are insecure and that there exists an attacker. He/she
is able to intercept all messages communicated
between server and user. Furthermore, we assume that
the attacker can obtain or steal the information in a legal user’s
mobile device.
1) Replay Attack: The replay attack is replaying the
same message of the receiver or the sender again. Our
scheme uses nonce and three-way challenge-response
handshake technique instead of time stamp to withstand
replay attacks. For example, another attacker A resends
(CID, e, C1, C2) to S. Then, S will send V, S1 to attacker
A. Without knowing h(x ‖ e) and nonce N′, A can not
compute S2 to send to S. So, S recognizes someone is
impersonating U and S will terminate the session.
2) User And Server Spoofing Attack: Our scheme re-
sists user and server spoofing attacks because identity of
users is protected. If an attacker A wants to fake another
user to cheat server, he/she must have h(x ‖ e) of that
user. Without knowing PW and nonce N, or master key
x, the attacker cannot compute h(x ‖ e). Furthermore, if an
attacker A wants to fake the server to cheat other users, she/he
must have h(x ‖ e) and the nonce N which is sent from users
to compute S1. So, the proposed scheme resists this attack
successfully.
3) Stolen Verifier Attack: Because S does not store
any password verification table, the proposed scheme
can withstand stolen-verifier attacks. In our scheme, S
generates a random value e for each user. Therefore, when
authenticating with S, U only needs to send e to S and S
uses the master key x to reconstruct h(x ‖ e) of that user. So,
S does not need to keep U’s password in its storage space
when a new user is added to the system.
4) Stolen Information From Mobile Device Attack:
Our scheme resists the stolen information from mobile device
attack. With (Ri, Vi, Ei, N, e), an attacker cannot compute
h(x ‖ e) from this information to fake the user. Consequently,
the proposed scheme is secure against the stolen information
from mobile device attack.
5) Known-key Attack: Known-key security means
that compromise of a past session key cannot be used to derive any
further session key. In our scheme, the session key SK
is associated with IDi and h(x ‖ e), which are unknown
to the adversary. Even if a past session key SK is
disclosed, the attacker cannot derive IDi and h(x ‖ e),
based on the security of the one-way hash function. Thus, the
attacker cannot obtain any further session key.
6) User Anonymity Protected: The user Ui sends
the login request (CIDi, C1, C2, e) to the server S in each
login. Thus, the attacker might intercept and analyze the
login message. It is infeasible to learn IDi from the login
message. Furthermore, the login message is dynamic in
each login. Among the parameters of the login message, CIDi
is associated with the nonce N′ and changes dynamically.
Consequently, an adversary cannot identify the person
who is trying to log in. In other words, our scheme can
protect the user’s anonymity.
7) Password guessing attack: In our scheme, if the
user’s mobile device is stolen, the attacker cannot compute
the user’s password. The information in the mobile
device (Ri, Vi, Ei, e, h(.), hk(.)) does not help the attacker
learn more. Vi is a hash value, so the attacker cannot exploit
this value. The attacker can compute Ei ⊕ Ri to obtain
h(x ‖ e) ⊕ h(IDi ⊕ h(x ‖ e)). So, without the master
key x of the remote server, the attacker has no way to compute
any more information. Thus, our scheme can resist
password guessing attack efficiently.
8) Denial-of-service attack: Denial-of-service attack
means that an adversary can update the verification
information of a legitimate user with wrong values. Then, that
legal user cannot log in to the remote server successfully.
There is no verification table stored in the
remote server. Furthermore, in the password change phase, the
mobile device can determine the user’s legitimacy right away
without waiting for the remote server (h_{Ri ⊕ hpw}(Fi) ?= Vi, where
hpw = h(PW ⊕ N) ⊕ Fi). Clearly, in the case of a lost
mobile device, the attacker must have the correct password PW
and fingerprint Fi to change the user’s information. Against
this kind of attack, our scheme inherits its resistance from Chen et al.’s
scheme, because we do not modify this phase.
9) Mutual Authentication: In the registration phase of our
scheme, S returns a key h(x ‖ e) for each user. With it
in hand, user U can compute C1 and C2 to send to S.
Server S, with master key x, can compute the random value N′
of U to obtain h_{h(IDi ⊕ h(x ‖ e))}(N′). With this value, S can
authenticate U. Then, S generates a random value V to challenge
U. If the user is a legal user, he/she will have h(x ‖ e) to
compute S2 and send it back to S.
10) Session-key Agreement: In our scheme, after finishing
mutual authentication successfully, both user and
server share a session key SK to encrypt later messages.
So, our scheme not only satisfies mutual authentication
but also provides a session key to the partners.
Our scheme is a revised version of Chen et al.’s scheme, so
it can also resist two-factor attack[13][27][28], reflection
and parallel session attack. In the case of two-factor attack,
if user U loses his/her mobile device or even password, an
attacker still cannot log in to impersonate U because of the
fingerprint of U. So, by employing the fingerprint in the authentication
scheme, we can easily eliminate two-factor attack.
Moreover, C2, S1, and S2 in our authentication scheme
differ in the number of elements participating in the hash
function. So, an attacker cannot reuse them by resending them to
server or user, and our scheme can resist reflection attack.
Finally, our scheme inherits the approach of storing the user’s
identity until the end of the session to check for logins with the
same identity. Thus, our scheme can also withstand a parallel
session attack like Chen et al.’s scheme.
B. Efficiency Analysis
To compare efficiency between our scheme and the
previous schemes proposed by Chen et al and Khan et
al, we reuse approach used in that previous scheme to
analyze computational complexity. That is, we calculate
the number of one-way hash function execution. Let Th
be the time to compute one-way hash function. In addition,
similarly to Chen et al.’s scheme, we also ignore exclusive-
or(⊕) operation because it requires very few computations.
In table 1, there are our scheme, Chen, Lee and Hsu’s
scheme and Khan et al.’s scheme. Chen et al.’s scheme
needs 3 x Th in registration phase, and 3 x Th in login
phase and 5 x Th in authentication phase. Khan et al.’s
scheme needs 2 x Th in registration phase, and 2 x Th
in login phase and 5 x Th in authentication phase. Our
scheme needs 4 x Th in registration phase and 3 x Th in
login phase and 7 x Th in authentication phase.
Clearly, proposed scheme needs more computational
amount than Chen et al.’s scheme and Khan et al.’s
scheme. However, those costs are necessary to protect
user’s anonymity and provide session key for partners.
In short, proposed scheme does not add many additional
computational costs and the proposed scheme also en-
hances security.
In table 2, we list the comparisons between our improved
scheme and Chen et al.’s scheme for withstanding various
attacks. We see that Chen et al.’s scheme can not resist to
server and user spoofing, stolen information from mobile,
and replay attacks. In addition, their scheme does not guar-
antee user’s anonymity. It can be seen that our proposed
scheme is more secure against various attacks.
In table 3, we list the comparisons between our improved
scheme and Chen et al.’s scheme for achieving
the requirements of a secure authentication scheme
mentioned in the introduction. Our scheme not only
satisfies everything Chen et al.’s does but also supplies two
important requirements which their scheme lacks. These
two properties are user anonymity and session key agreement.
If the user’s anonymity is compromised, an attacker may use it
to re-register to obtain other important information of the legal
user such as the password or the authentication key provided by
the server. The session key shared between user and server
plays another important role in encrypting transmitted data
later. We see that Chen et al.’s scheme fails to protect
the user’s anonymity and does not have session key agreement
between user and server.

Table I. A COMPARISON OF COMPUTATION COSTS

| Computational type | Authentication phase | Login phase | Registration phase |
|---|---|---|---|
| Khan et al.’s scheme[11] | 5 x Th | 2 x Th | 2 x Th |
| Chen et al.’s scheme[12] | 5 x Th | 3 x Th | 3 x Th |
| Our scheme | 7 x Th | 3 x Th | 4 x Th |

Table II. THE COMPARISON BETWEEN OUR SCHEME AND THE CHEN ET AL.’S FOR WITHSTANDING VARIOUS ATTACKS

| | Chen et al.’s scheme[12] | Our scheme |
|---|---|---|
| Server spoofing | No | Yes |
| User spoofing | No | Yes |
| Two-factor security | Yes | Yes |
| Password guessing attack | Yes | Yes |
| Reflection and parallel session attack | Yes | Yes |
| Replay attack | No | Yes |
| Known-key attack | No | Yes |
| Denial-of-service attack | Yes | Yes |
| Stolen information from mobile device | Yes | Yes |

Table III. THE COMPARISON BETWEEN OUR SCHEME AND THE CHEN ET AL.’S FOR ACHIEVING NECESSARY REQUIREMENTS

| | Chen et al.’s scheme[12] | Our scheme |
|---|---|---|
| Efficiency | Yes | Yes |
| Mutual authentication | Yes | Yes |
| Session key establishment | No | Yes |
| No verification table | Yes | Yes |
| User anonymity | No | Yes |
| Scalability | Yes | Yes |
| Password change phase | Yes | Yes |
V. CONCLUSIONS
In this paper, we review the mobile device integration of
a fingerprint biometric remote authentication scheme of
Chen et al. Their scheme can withstand some
attacks, such as password guessing, denial-of-service, parallel
session and reflection, and impersonation while the
content of the user’s device is revealed. However, we
see that their scheme is still vulnerable to replay attack and
server and user spoofing. Moreover, their scheme cannot
guarantee the user’s anonymity. Consequently, we propose an
improved scheme to eliminate such problems.
Compared with related schemes, the proposed scheme has
the following main advantages: (1) The user can choose the
password freely. (2) It provides secure user anonymity. (3)
It does not hold a password verification table for mobile
users. (4) It provides mutual authentication. As a result,
the proposed scheme is able to provide greater security
and be practical in wireless communication systems.
In the future, we will research a remote
biometric-based mutual authentication scheme for mobile
devices based on the elliptic curve cryptosystem (ECC), which is very
suitable for devices with limited energy[25], to enhance
security further and apply it to more applications in electronic
transactions.
REFERENCES
[1] L. Lamport, “Password authentication with insecure
communication,” Communications of the ACM,
vol. 24, pp. 770–772, 1981.
[2] L. H. Li, I. C. Lin, and M. S. Hwang, “A remote
password authentication scheme for multi-server
architecture using neural networks,” IEEE Transactions
on Neural Network, vol. 12, no. 6, pp. 1498–1504,
2001.
[3] J. J. Shen, C. W. Lin, and M. S. Hwang, “A modified
remote user authentication scheme using smart
cards,” IEEE Transactions on Consumer Electronics,
vol. 49, no. 2, pp. 414–416, 2003.
[4] M. S. Hwang, C. C. Lee, and Y. L. Tang, “A simple
remote user authentication scheme,” Mathematical
and Computer Modelling, vol. 36, pp. 103–107,
2002.
[5] C. C. Lee, M. S. Hwang, and W. P. Yang, “Flexible
remote user authentication scheme using smart
cards,” IEEE Transactions on Neural Network,
vol. 36, no. 3, pp. 46–52, 2002.
[6] I.-E. Liao, C.-C. Lee, and M.-S. Hwang, “Security
enhancement for a dynamic id-based remote user
authentication scheme,” IEEE Transactions on
Consumer Electronics, vol. 50, pp. 629–631, 2004.
[7] E. J. Yoon and K. Y. Yoo, “Improving the dynamic
id-based remote mutual authentication scheme,” First
International Workshop on Information Security, vol.
4277, pp. 499–507, 2006.
[8] Y. Y. Wang, J. Y. Kiu, F. X. Xiao, and J. Dan, “A
more efficient and secure dynamic id-based remote
user authentication scheme,” Computer
Communications, vol. 32, pp. 583–585, 2009.
[9] C.-C. Lee, T.-H. Lin, and R.-X. Chang, “A secure
dynamic id based remote user authentication scheme
for multi-server environment using smart cards,”
Expert Syst. Appl., vol. 38, no. 11, pp. 13 863–13 870,
2011.
[10] I. E. Liao, C. C. Lee, and M. S. Hwang, “Security
enhancement for a dynamic id-based remote user
authentication scheme,” International Conference on
Next Generation Web Services Practices, vol. 6,
no. 2, pp. 517–522, 2005.
[11] M. K. Khan, J. Zhang, and X. Wang, “Chaotic
hash-based fingerprint biometric remote user
authentication scheme on mobile devices,” Chaos,
Solitons & Fractals, vol. 35, no. 3, pp. 519–524, 2008.
[12] C.-L. Chen, C.-C. Lee, and C.-Y. Hsu, “Mobile
device integration of a fingerprint biometric remote
authentication scheme,” International Journal of
Communication Systems, 2011. [Online]. Available:
http://dx.doi.org/10.1002/dac.1277
[13] J. K. Lee, S. R. Ryu, and K. Y. Yoo,
“Fingerprint-based remote user authentication scheme
using smart cards,” Electronics Letters, vol. 38,
pp. 554–555.
[14] C.-H. Lin and Y.-Y. Lai, “A flexible biometrics
remote user authentication scheme,” Computer
Standards & Interfaces, vol. 27, no. 1, pp. 19–23, 2004.
[15] M. K. Khan and J. Zhang, “Improving the security
of ‘a flexible biometrics remote user authentication
scheme’,” Comput. Stand. Interfaces, vol. 29,
pp. 82–85, January 2007.
[16] J. Yuan, C. Jiang, and Z. Jiang, “A
biometric-based user authentication for wireless
sensor networks,” Wuhan University Journal of
Natural Sciences, vol. 15, pp. 272–276, 2010,
doi: 10.1007/s11859-010-0318-2. [Online]. Available:
http://dx.doi.org/10.1007/s11859-010-0318-2
[17] T. H. Chen, Y. C. Chen, W. K. Shih, and H. W. Wei,
“An efficient anonymous authentication protocol for
mobile pay-tv,” vol. 34, pp. 1131–1137, 2011.
[18] H.-C. Hsiang and W.-K. Shih, “Improvement
of the secure dynamic id based remote user
authentication scheme for multi-server environment,”
Comput. Stand. Interfaces, vol. 31,
pp. 1118–1123, November 2009. [Online]. Available:
http://dl.acm.org/citation.cfm?id=1595894.1596057
[19] Y.-P. Liao and S.-S. Wang, “A secure dynamic id
based remote user authentication scheme for
multi-server environment,” Comput. Stand. Interfaces,
vol. 31, pp. 24–29, January 2009. [Online].
Available: http://dx.doi.org/10.1016/j.csi.2007.10.007
[20] M. L. Das, A. Saxena, and V. P. Gulati, “A dynamic
id-based remote user authentication scheme,” IEEE
Transactions on Consumer Electronics, vol. 50, no. 2,
pp. 629–631, 2004.
[21] H. Debiao, C. Jianhua, and H. Jin, “An id-based
client authentication with key agreement protocol for
mobile client-server environment on ecc with provable
security,” Information Fusion, 2011.
[22] J.-H. Yang and C.-C. Chang, “An id-based remote
mutual authentication with key agreement scheme
for mobile devices on elliptic curve cryptosystem,”
Computers & Security, vol. 28, no. 3-4, pp. 138–143,
2009.
[23] E.-J. Yoon and K.-Y. Yoo, “Robust id-based remote
mutual authentication with key agreement scheme
for mobile devices on ecc,” Computational Science
and Engineering, IEEE International Conference on,
vol. 2, pp. 633–640, 2009.
[24] J. Zhang and F. Deng, “The authentication and
key agreement protocol based on ecc for wireless
communications,” 2009 International Conference on
Management and Service Science, pp. 1–4, 2009.
[25] S. H. Islam and G. P. Biswas, “A more efficient
and secure id-based remote mutual authentication
with key agreement scheme for mobile devices on
elliptic curve cryptosystem,” Journal of Systems and
Software, vol. 84, no. 11, pp. 1892–1898, 2011.
[26] A. J. Menezes, P. C. Oorschot, and S. A. Vanstone,
“Handbook of applied cryptography,” 1997.
[27] H.-S. Kim, S.-W. Lee, and K.-Y. Yoo, “Id-based
password authentication scheme using smart cards
and fingerprints,” SIGOPS Oper. Syst. Rev., vol. 37,
pp. 32–41, October 2003. [Online]. Available:
http://doi.acm.org/10.1145/958965.958969
[28] C.-H. Lin, T.-S. Lin, H.-H. Lin, and Y.-Y. Lai,
“On the security of id-based password authentication
scheme using smart cards and fingerprints,” in ITRE
2005 - 3rd International Conference on Information
Technology: Research and Education, June 27-30
2005, Hsinchu, Taiwan, Proceedings. IEEE, 2005,
pp. 230–232.