Published in IET Information Security
Received on 11th December 2011
Revised on 5th October 2012
Accepted on 21st November 2012
doi: 10.1049/iet-ifs.2011.0348
ISSN 1751-8709
Institute of Information System and Applications, National Tsing Hua University, Hsinchu 30013, Taiwan
Department of Computer Science, National Tsing Hua University, Hsinchu 30013, Taiwan
E-mail: s9865805@m98.nthu.edu.tw
Abstract: Recently, to achieve privacy protection using biometrics, Fan and Lin proposed a three-factor authentication scheme based on password, smart card and biometrics. However, the authors have found that Fan and Lin's proposed scheme (i) has flaws in the design of biometrics privacy, (ii) relies on a server-side verification table, making it vulnerable to stolen-verifier and modification attacks, and (iii) is vulnerable to insider attacks. Thus, the authors propose an elliptic curve cryptography-based authentication scheme that is improved with regard to security requirements. The authors' proposed scheme overcomes the flaws of Fan and Lin's scheme and is secure against these attacks. Furthermore, the authors present a security analysis of their scheme to show that it is suitable for biometric systems.
1 Introduction
www.ietdl.org
elliptic curve cryptography (ECC). We propose a more secure
and practical authentication scheme.
The remainder of this paper is organised as follows. In
Section 2, we review the Fan and Lin scheme including
cryptanalysis of their scheme. In Section 3, we present the
ECC preliminaries for our scheme. In Section 4, we
propose a robust three-factor biometric-based authentication
scheme with ECC. Then, in Section 5, we provide the
security analysis and comparisons. Finally, we present some
concluding remarks in Section 6.
2.1 Initialisation phase
2.2 Registration phase
2.3 Login and authentication phases
During the login phase, Ui inserts the smart card into the card reader, enters a password PWi* and presents his/her iris for scanning in order to log in to the remote server. The smart card then performs the following operations:
Step 1: Ui inputs the personal biometric Si*, and the random string r is recovered from the sketch Si(r) using Si*, that is r = A(Si(r), Si*). The smart card then computes the value SSi* = r(Si*).
Step 2: Ui → Server: {C0 = epk(IDi || yi || u)}
Ui randomly chooses a string u and computes C0 = epk(IDi || yi || u), where epk() denotes public-key encryption under the server's public key pk.
During the authentication phase, the server executes the following operations to verify the legitimacy of the request.
Step 1: The server checks whether IDi is legitimate against the records of its verification table. First, the server decrypts C0 with its private key sk to obtain yi, and then decrypts yi with its secret key x to obtain (IDi || h(PWi) || SSi).
Step 2: The server then checks whether the IDi carried in C0 equals the IDi recovered from yi. If IDi is valid, the server keeps h(PWi) and SSi for the later steps and proceeds.
Step 3: Server → Ui: {C1 = Eu(SID || v)}
The server randomly chooses v, takes u from the step above and computes C1 = Eu(SID || v), where SID denotes the server's identity. It then sends C1 to Ui.
Step 4: After receiving C1, Ui decrypts it with u to obtain (SID || v). Ui's smart card checks whether C1 came from the server (by checking SID) and keeps v for the next step.
Step 5: Ui → Server: {C2 = Ev(IDi || h(PWi*) || SSi*)}
Ui sends C2 = Ev(IDi || h(PWi*) || SSi*) to the server.
Step 6: The server checks whether h(PWi) = h(PWi*) and verifies, with the biometric matching algorithm, whether (SSi*, SSi) is within the threshold.
If h(PWi) = h(PWi*) and the biometric matching algorithm reports that (SSi*, SSi) is within the defined threshold, the server accepts the login request and the user is authorised.
2.4 Cryptanalysis of the Fan and Lin scheme
and utilises a Trojan horse program to steal a user's login information. The value yi = Ex(IDi || h(PWi) || SSi) can then be retrieved by the adversary easily, and the encrypted data yi is easy to break by simple dictionary attacks: the adversary may try to derive the encrypted contents by mapping the identity or the biometric data. In addition, the need for a verification table means that the scheme may not resist the stolen-verifier and modification attacks [12]: the verification table is stored inside the server computer and is exposed to an adversary's attacks.
Assumption 2: During the authentication phase, the server has its own identity SID and encrypts a message containing it together with a random string. The server's identity is then inspected by the user's smart card; in other words, once that check passes the user regards the login to the server as successful and proceeds with the remaining operations.
Assume that an adversary uses SID* to impersonate SID and replays messages to the remote server, then encrypts C1* with a random string v of its own choosing and sends it to the user, until the user's smart card accepts the pretended SID*. The user then encrypts the next message with the adversary's random string v and sends the encrypted message to the adversary. Since the adversary now holds the password hash h(PWi*) and the biometric data SSi*, the remote server will accept the adversary's login request.
Assumption 3: In the registration phase, a user Ui registers with identity IDi to obtain access to the remote server. The privileged server holds user Ui's authentication key. Additionally, Fan and Lin's scheme must record IDi in a verification table inside the remote server, and the remote server checks whether IDi is legitimate when performing the steps of the authentication phase.
When Ui registers with more than one server using the same identity IDi and the same authentication key h(PWi), any of those servers can impersonate the legitimate user towards the other servers and obtain a successful login. In the registration of Fan and Lin's scheme, a user Ui who uses the same password has the same authentication key for every system or server. An insider who obtains Ui's identity IDi and authentication key can therefore impersonate Ui to the authentication server: once a user's login information is stolen, the server will accept the adversary's login request, so the adversary can request a login and possibly pass the authentication. Obviously, the insider attack is possible under this assumption.
3 ECC preliminaries
4.1 Initiation phase
4.2 Registration phase
4.3 Login phase
4.4 Authentication phase
After receiving the login request from the user, the authentication phase proceeds with the following operations.
Step 1: Ui → Server: m1 = {Q1, Qu, Mu}
Ui randomly chooses a private key qu = ri* and computes Qu = qu·P, where Qu is Ui's public key (here the random string ri is converted to ri* ∈ Zp*, ri* < n). Then Ui computes the following values for the authentication procedure. Recall that QS is the server's public key from the system initiation phase.
Q1 = qu·QS
Mu = Nu + Qu + Q1, where Nu is chosen according to SSi*, which is provided by Ui.
Then Ui sends m1 = {Q1, Qu, Mu} to the server.
Step 2: The server verifies whether the m1 message came from Ui.
After receiving the m1 message, the server computes
IET Inf. Secur., 2013, Vol. 7, Iss. 3, pp. 247252
doi: 10.1049/iet-ifs.2011.0348
equal, and then sends the m2 message {TS, MS, QS*} to user Ui. That is, the user Ui is a legal user. Then user Ui checks whether Nu** = Nu. Finally, the server validates whether NS** equals NS. This enables both communicating parties to be assured of each other's identity.
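The elliptic-curve operations behind Step 1 (Qu = qu·P, Q1 = qu·QS, Mu = Nu + Qu + Q1) and the server-side check of m1 in Step 2, as an added worked example that is not code from the paper: the point addition (PA) and scalar multiplication (PM) that Table 1 counts are written out in pure Python. Three things here are assumptions the page does not state: the curve is secp256k1 (the paper fixes none), Nu is obtained from SSi* by hashing the sketch to a scalar and multiplying P, and the server checks m1 by recomputing Q1 as qs·Qu with its private key qs (valid because qs·(qu·P) = qu·(qs·P)) and then stripping Qu and Q1 from Mu to recover Nu.

```python
"""User-side login request m1 = {Q1, Qu, Mu} and server-side check,
with the elliptic-curve arithmetic spelled out.
Added illustration, not the authors' code.  Assumptions: secp256k1 is the
curve, Nu is derived from SSi* by hash-to-scalar times P, and the server
verifies m1 by recomputing Q1 = qs*Qu from its private key qs."""
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; the paper fixes none)
P_MOD = 2**256 - 2**32 - 977                       # field prime p
A, B = 0, 7                                        # y^2 = x^3 + A*x + B
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
INF = None                                         # point at infinity


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P_MOD == 0


def point_neg(pt):
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)


def point_add(p1, p2):
    """Point addition (PA in Table 1) in affine coordinates; covers doubling and p + (-p)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                 # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Scalar multiplication (PM in Table 1) by double-and-add, i.e. repeated point addition."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_from_sketch(ssi_star: bytes):
    """Assumed choice of Nu from SSi*: hash the sketch to a scalar in [1, N-1] and multiply P."""
    k = int.from_bytes(hashlib.sha256(ssi_star).digest(), "big") % (N - 1) + 1
    return scalar_mult(k, P)


def user_login_request(qu, ssi_star, QS):
    """Step 1 on the smart card: Qu = qu*P, Q1 = qu*QS, Mu = Nu + Qu + Q1."""
    Qu = scalar_mult(qu, P)
    Q1 = scalar_mult(qu, QS)
    Nu = point_from_sketch(ssi_star)
    Mu = point_add(point_add(Nu, Qu), Q1)
    return {"Q1": Q1, "Qu": Qu, "Mu": Mu}


def server_recover_nu(qs, m1):
    """Step 2 (assumed detail): recompute Q1 as qs*Qu, reject on mismatch, then remove Qu and Q1 from Mu."""
    Q1_prime = scalar_mult(qs, m1["Qu"])          # qs*(qu*P) == qu*(qs*P) == Q1
    if Q1_prime != m1["Q1"]:
        return None                                # m1 was not built against this server's QS
    return point_add(point_add(m1["Mu"], point_neg(m1["Qu"])), point_neg(Q1_prime))


def run_login(ssi_star=b"constructed iris sketch SSi*"):
    """One honest run plus one tampered request; returns (honest_ok, tampered_rejected)."""
    qs = secrets.randbelow(N - 1) + 1              # server private key (initiation phase)
    QS = scalar_mult(qs, P)                        # server public key
    qu = secrets.randbelow(N - 1) + 1              # qu = ri*, the user's one-time private key
    m1 = user_login_request(qu, ssi_star, QS)
    honest_ok = server_recover_nu(qs, m1) == point_from_sketch(ssi_star)
    forged = dict(m1, Qu=scalar_mult(qu + 1, P))  # Qu swapped by someone who does not know qs
    tampered_rejected = server_recover_nu(qs, forged) is None
    return honest_ok, tampered_rejected


if __name__ == "__main__":
    print(run_login())
```

The honest run recovers exactly the Nu the card derived from SSi*, while a request whose Qu was swapped fails the Q1 recomputation before any biometric comparison is attempted; Step 1 as written costs the user two scalar multiplications and two point additions, which is why PM and PA are the units Table 1 counts.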
5.3 Comparisons
Recalling the scheme of Fan and Lin [9] and the others [4–7, 15, 16], we compare our scheme with the referenced schemes in terms of security properties and computation cost. Table 1 summarises the comparison between our scheme and the referenced schemes.

Table 1 Comparison of security properties and computation cost among our scheme and the referenced schemes

Scheme: Our scheme | Lin–Lai scheme [3] | Khan–Zhang scheme [4] | Fan–Lin scheme [9] | Li–Hwang's scheme [5]
Security properties: yes/no entries per scheme (the row labels are not present in this copy)
Computation cost, first row: 2H + PA | 1H + 1E | 2H | H + Tmec | 3H
Computation cost, second row: TA + H + 7PA + 4PM | 3H + 4E | 7H | TA + 7Tmec | 7H

H, the time spent in a hashing operation; PM, the time spent in an elliptic-curve scalar multiplication; PA, the time spent in an elliptic-curve point addition; E, the time spent in an exponentiation (exponent polynomial computation); Tmec, the time for the private-key and public-key computation of the unnamed method; TA, the time spent in the extracting algorithm.

Obviously, our scheme overcomes the security flaws of Fan and Lin's scheme and of the other schemes. As for computation cost, the exclusive-OR operation is negligible because it requires very little computation. The ECC computation time of our scheme can be divided into two parts: the scalar multiplication operation and the point addition operation. Our scheme requires only three hash operations and 12 ECC computations (8 PA + 4 PM in Table 1). PA and PM evaluate at most a cubic equation, whereas H evaluates at most a linear or quadratic equation. Besides, our proposed scheme is computed through a combination of point addition and point multiplication, and point multiplication is defined by repeated addition. Note that the computation costs of Tmec and E are relatively higher than those of PA and PM, because Tmec evaluates an unnamed function and E needs polynomial computation cost. Thus, our computation cost is relatively low compared with the referenced schemes, except for the Khan–Zhang and Li–Hwang schemes. In terms of the requirements for a remote user authentication scheme, our proposed scheme solves all the problems listed in the table.
6 Conclusions
© The Institution of Engineering and Technology 2013
References