Advisor: Chin-Chen Chang
June 2018
First of all, I would like to express my sincere thanks to my supervisor, Professor Chin-Chen Chang at Fengchia University, for his invaluable advice, and heartfelt and timely encouragement during my time at MSN Lab. Without his guiding inputs both in academic knowledge and in research procedures, I would not be able to complete
And last but not least, I am grateful to my family – to my wife, Doan Thi Diem, and my son, Nguyen The Duc Anh, for their love, understanding and sacrifice during my seven years away from home; and to my parents for being my anchor as always.
Nguyen Ngoc Tu
Abstract
Private connections over public channels have become an essential component of distributed networks. Owing to great advantages such as low price, acceptable communication quality, and widespread availability, such communication has become more and more prevalent. However, the vulnerability of public channels brings various potential risks to participants' privacy and to the exchanged information. This study
properties, namely confidentiality, integrity, authenticity, and privacy. Multiple factors (including a password, a smart card, and biometric information) have been used to provide high-level security protocols for various network models, for example multi-server environments, three-party
For multi-server environments, we adopt the Biohashing technique to generate encrypted Biohash codes, and use the Hamming distance to verify the user's input. Lagrange polynomial interpolation and public-key techniques are also
use the Biohashing template and a one-time password to design a robust protocol for systems with highly dynamic users
hash codes to encrypt all sensitive information. An end user can use a single short-term token to establish secure sessions directly with other users and with multimedia servers. In the mobile satellite scheme, we use multiple factors, such as the user's password, smart card, secret identity, and public identity, to strengthen system security. We also adopt the Biohashing technique
to verify and negotiate session keys directly with other users and with application servers.
model are all proven secure. The proposed protocols can not only resist most known attacks but also provide participants with many desirable features, including anonymity, privacy, access control, revocation, biometric error resistance, and long-term secret update.
untraceability, multi-server networks, three-party protocols, session initiation protocols, mobile satellite
Private connections over a public channel have become an essential building block in modern distributed networks. With tremendous advantages such as economical price, acceptable quality, and widespread availability, such communication has become more and more prevalent. The vulnerability of public channels, however, poses various potential risks to participants' privacy as well as to their exchanged information. This study focuses on designing robust authenticated key agreement protocols that equip a system with the essential security features, namely confidentiality, integrity, authenticity, and privacy. Multiple factors, including a password, a smart card, and biometric information, are employed to propose high-level security protocols for diverse network models, such as multi-server environments, three-party communications, session initiation protocols (SIP), and mobile satellite networks.
For multi-server scenarios, we adopt Biohashing techniques to generate encrypted Biohash codes, and the Hamming distance to verify user inputs. Lagrange polynomial interpolation and public-key techniques are also employed to control users' access and to provide participants with revocation mechanisms. In the three-party AKE scheme, a random one-time password is used along with the Biohashing template to design a robust protocol for systems with highly dynamic users. In the SIP authenticated key agreement protocol, one-time random seeds are used to generate refreshed PalmHash codes from the user's palmprint, which encrypt all sensitive information. An end user can use a single short-term token to establish secured sessions directly with other end users and with multimedia servers. In the mobile satellite scheme, multiple factors, namely the user's password, smart card, secret identity, and public identity, are used to strengthen system security. It also employs the Biohashing template to encode sensitive data and to verify user inputs. Short-term tokens allow users to authenticate and negotiate session keys directly with other end users and with application servers.
Informal analyses are carried out for all the protocols mentioned above. Additionally, the last three schemes are provably secure in the random oracle model. They can thus not only resist most known attacks but also provide participants with many desirable features, including anonymity, template privacy, access control, revocation, biometric error resistance, and long-term secret update.
Keywords: Authentication, key agreement, biometric, Biohashing, smart card, anonymity, untraceability, multi-server networks, three-party protocols, session initiation protocols, mobile satellite networks
Table of Contents
1.1 Research Motivation 1
1.2 Thesis Objectives 2
1.3 Organization 3
2 An Untraceable Biometric-based Multi-server Authenticated Key Agreement Protocol with Revocation 4
2.1 Introduction 4
2.2 Review of Mishra et al.’s Scheme 6
2.2.1 Server registration 7
2.2.2 User registration 7
2.2.3 User login 7
2.2.4 Authentication 7
2.2.5 Password change 8
2.3 Cryptanalysis of Mishra et al.’s Scheme 8
2.3.1 Biohashing limitation 8
2.3.2 Traceable user attack 9
2.3.3 Denial-of-service and impersonation attacks 9
2.3.4 User access control and pre-shared key attack 9
2.4 The Proposed Scheme 10
2.4.1 Initial phase 10
2.4.2 Server registration 10
2.4.3 User registration 11
2.4.4 User login 12
2.4.5 Authentication 12
2.4.6 Password and biohashing update 13
2.4.7 User access control and revocation 14
2.5 Security Analysis 14
2.5.1 User untraceability 15
2.5.2 Mutual authentication 15
2.5.3 Session key agreement and verification 15
2.5.4 Biohash code error resistance 16
2.5.5 Relay and man-in-the-middle attacks 16
2.5.6 Denial-of-service attack 17
2.5.7 Off–line password guessing attack 17
2.5.8 Stolen smart card and user impersonation attack 18
2.5.9 Known session key attack 18
2.5.10 Online password guessing attack 18
2.5.11 Known session-specific temporary information attack 19
2.5.12 Privileged insider attack 19
2.5.13 Server spoofing attack 19
2.5.14 Known pre-key shared attack 20
2.5.15 Forward secrecy 20
2.6 Performance Comparisons 20
2.6.1 Security performance 20
2.6.2 Computation performance 20
2.7 Chapter Summary 22
3 Untraceable Biometric-based Three-party Authenticated Key Exchange For Dynamic Systems 23
3.1 Introduction 23
3.2 Review of Yoon and Yoo’s Scheme 26
3.2.1 Registration 26
3.2.2 Authenticated key agreement 27
3.2.3 Password update 27
3.3 Cryptanalysis of Yoon and Yoo’s Scheme 28
3.3.1 Key compromised impersonation attack 28
3.3.2 Biometric weaknesses 28
3.3.3 Traceable attack 28
3.3.4 Known session-specific temporary information attack 29
3.4 Review of Islam’s Scheme 29
3.4.1 System initialization phase 29
3.4.2 User registration phase 29
3.4.3 Authenticated key exchange phase 30
3.4.4 Password update phase 31
3.4.5 Lost smart card revocation 31
3.5 Cryptanalysis of Islam’s Scheme 32
3.5.1 Off-line password guessing attack from the lost smart card 32
3.5.2 Key compromised impersonation attack 32
3.5.3 Traceable attack 33
3.6 The Proposed Scheme 33
3.6.1 Biohashing function 33
3.6.2 Setup phase 34
3.6.3 Registration phase 34
3.6.4 Authenticated key exchange 35
3.6.5 Password and biohashing update 37
3.6.6 User revocation 37
3.6.7 Lost smart card revocation 39
3.7 Security Analysis 39
3.7.1 Informal security analysis 39
3.7.2 Formal security analysis 45
3.8 Performance Comparisons 51
3.8.1 Security performance 51
3.8.2 Computation comparisons 51
3.9 Chapter Summary 53
4 A Biometric-based Authenticated Key Agreement Scheme for Session Initiation Protocol in IP-based Multimedia Networks 54
4.1 Introduction 54
4.2 Biometric Code 57
4.2.1 PalmHash function 58
4.2.2 PalmHash code verification 59
4.2.3 Exclusive-OR operations on matrices and PalmHash codes 59
4.3 The Proposed Scheme 60
4.3.1 Setup phase 60
4.3.2 Registration phase 61
4.3.3 Authenticated key agreement process between a user and the authorization server and short-term token updates 61
4.3.4 Authenticated key agreement process between end-users 64
4.3.5 Authenticated key agreement process between users and multimedia servers 65
4.3.6 Group authenticated key agreement process 66
4.3.7 Password and biometric code updates 68
4.3.8 Revocation and access control 68
4.3.9 Long-term secret update 68
4.4 Security Analysis 69
4.4.1 Formal security analysis 69
4.4.2 Informal security analysis 79
4.5 Security and Performance Comparisons 88
4.5.1 Cryptanalysis some recently proposed schemes and security comparisons 88
4.5.2 Implementation and computation comparisons 91
4.5.3 Application discussions 91
4.6 Chapter Summary 92
5 A Biometric-based Authenticated Key Agreement Protocol for User-to-User Communications in Satellite Mobile Networks 94
5.1 Introduction 94
5.1.1 Related works 94
5.1.2 Our contribution 96
5.2 The Proposed Scheme 98
5.2.1 Biohashing function 98
5.2.2 Setup phase 99
5.2.3 Registration 100
5.2.4 Authenticated key agreement phase 101
5.2.5 Handover 103
5.2.6 Token update 104
5.2.7 Password and biohash code update 106
5.2.8 Access control and revocations 107
5.2.9 Long-term secret update 107
5.3 Security Analysis 107
5.3.1 Formal analyses 107
5.3.2 Informal security analyses 115
5.4 Security and Performance Comparisons 122
5.4.1 Security comparisons 122
5.4.2 Implementation and computation cost comparisons 123
5.5 Chapter Summary 124
6 Conclusions and Future Works 125
6.1 Conclusions 125
6.2 Future Works 125
List of Figures
Figure 3.1 Authenticated key exchange phase of the proposed protocol 38
Figure 4.1 Typical communications in SIP-based multimedia networks 58
Figure 4.2 The registration process 62
Figure 4.3 AKA process between a user and the authorization server 63
Figure 4.4 User-user authenticated key agreement process 64
Figure 5.1 The simple mobile satellite communication system 97
Figure 5.2 Registration process 100
Figure 5.3 Authenticated key agreement process 102
Figure 5.4 Handover process 104
Figure 5.5 Token update process 105
List of Tables
Table 2.1 Security feature comparisons 21
Table 2.2 Computation overhead comparisons 21
Table 3.1 Security feature performance 52
Table 3.2 Execution time of related operations 52
Table 3.3 Computation cost performance 53
Table 4.1 Comparisons of security features 89
Table 4.2 Cryptographic operation implementation 91
Table 4.3 The execution time of the authenticated key agreement phases 92
Table 5.1 Comparisons of security and other features 123
Table 5.2 Execution time of some cryptographic operations 123
Table 5.3 Computation cost comparisons 124
Chapter 1 Introduction
1.1 Research Motivation
In recent decades, we have been experiencing the evolutionary development of both wired and wireless network systems. These infrastructures have brought users tremendous advances in communications and information exchange. An end user may access numerous online services and connect to other end users anytime, anywhere. With the advantages of low price and availability, communication over public channels has attracted more and more interest. Such insecure networks, however, pose various potential risks for user and server privacy as well as for their sensitive exchanged data [1–6]. This study considers the security issues of such communications, including confidentiality, integrity, authenticity, and privacy.
In the network security context, confidentiality is the property that information is not exposed to any entity unless it has been allowed to access it. Integrity is the property that data has not been changed in an unauthorized manner. Authenticity is the process of verifying the identity or other attributes claimed by or assumed of an entity. These three properties are usually combined to ensure that only legitimate parties can accurately and entirely obtain the information they are authorized for. To fulfil these requirements, not only must exchanged data be encrypted, but participants must also be authenticated. These processes ensure that no entity can retrieve meaningful information except the legal partners holding the private session keys. Furthermore, in applications with high privacy demands, for instance online banking, e-health services, and military systems, sensitive data related to users, such as identity, participation in the system, and communication history, must also be kept secret from outside parties. Focusing on such security requirements, in recent years various authenticated key agreement (AKA) protocols have been proposed for different scenarios such as multi-server environments [7–15], three-party AKAs [16–30], session initiation protocols (SIP) [31–42], and end-to-end satellite communications [43–52]. They may be divided into three groups according to their security factors, namely password-based, smart card-based, and biometric-based AKA schemes.
The first group, password-based protocols, use pre-shared secrets generated from a user password to provide systems with AKA processes [7, 8, 16–23, 31–35, 43–48, 51, 52]. In this simple approach, a server or a trusted party has to store sensitive parameters related to passwords in its back-end database to verify users' authority later. Although these protocols achieve certain advantages such as lightweight computation cost, scalability, and simple implementation, they are potentially vulnerable to various attacks. End users tend to use a single easy-to-remember password for multiple applications. If the server's database is compromised, adversaries may launch dictionary attacks to reveal both the users' and the server's secret parameters. To overcome these drawbacks, the smart card-based protocols migrate the storage of sensitive data from the server side to personal devices [9–11, 24–26, 36, 37, 39, 49, 50]. The sensitive data in smart cards, however, are still susceptible to multiple attacks. Even if the schemes are carefully designed, the low-entropy password is not robust enough to generate strong parameters to protect the other secret information [27–29, 38–40, 51, 52]. More recently, some three-factor AKA protocols have been proposed [12–15, 30, 41, 42]. Along with the user's password, biometric data is employed to create a robust parameter that encrypts the long-term sensitive information. Biometric templates have high entropy and a large key space, so an adversary cannot guess the values using dictionary attacks. However, biometric information has some specific weaknesses, including inconsistency between measurements and the fact that a compromised template cannot be changed. Meanwhile, several protocols [12, 13, 15, 30] did not take into account the inevitable noise introduced by sensor devices and extraction algorithms. Consequently, these schemes are susceptible to high rates of false acceptance and false rejection. Some other schemes [14, 41] adopted a fuzzy extractor to generate a consistent string from the noisy data in order to cope with the input variations. The computation cost and error resistance of fuzzy extractors, however, heavily depend on the metric space of the underlying error-correcting code. Unfortunately, the authors did not consider any implementation that is acceptable for authentication protocols.
In summary, the security issues of private communications through public networks remain challenging. The existing schemes more or less have their weaknesses, such as being vulnerable to known attacks, lacking privacy protection, lacking user access control, and lacking revocation mechanisms. Motivated by these points, we adopt multiple security factors, namely a password, a secret identity, a smart card, and biometric information, to design high-level security protocols that also provide the systems with many desired features.
1.2 Thesis Objectives
In this dissertation, we propose four three-factor AKA protocols for different scenarios, namely multi-server environments, three-party communications, session initiation protocols, and end-to-end satellite communications. The schemes achieve the following goals:
- Their security features can be formally proven in the random oracle model (ROR).
• Privacy
- The protocols provide users with an anonymous or untraceable property. Identities and communication histories can be kept secret from outside entities.
- The processes provide users with biometric privacy.
• User and network functions
- The protocols provide users and servers with desired features such as access control, revocation, and long-term secret update.
1.3 Organization
The rest of this thesis is organized as follows. Chapter 2 presents a secure AKA protocol for the multi-server scenario, namely “An untraceable biometric-based multi-server authenticated key agreement protocol with revocation”. Chapter 3 focuses on user-to-user communications with the help of a trusted party, entitled “Untraceable biometric-based three-party authenticated key exchange for dynamic systems”. In Chapter 4, “A biometric-based authenticated key agreement scheme for session initiation protocol in IP-based multimedia networks”, IP-based multimedia communications, including user-to-user, user-to-authorization server, user-to-multimedia server, and group communications, are fully considered. Chapter 5 studies end-to-end protocols with the help of space devices, named “A biometric-based authenticated key agreement protocol for user-to-user communications in mobile satellite networks”. The last chapter presents our conclusions and future research.
Chapter 2 An Untraceable Biometric-based Multi-server Authenticated Key Agreement Protocol with Revocation
2.1 Introduction
Wireless systems have a variety of applications in almost all aspects of social life. They range from complex systems for monitoring and controlling processes, for e-business, and for health care management to simple systems for personal use. With a focus on architecture, many of these applications are deployed as online protocols that provide diversified services to end users anytime and anywhere via public channels. Although this architecture brings great benefits to customers, its public communication always risks leaking information to adversaries on both the remote server and the user side. Aiming to provide data integrity and user privacy, numerous mechanisms have been introduced to authenticate the relevant parties as well as to establish a cryptographic protocol that protects the exchanged messages.
The first password-based authentication scheme was introduced by Lamport [53]. Since then, various improvements have been proposed to enhance security and reduce payload and computation costs. Among them, some schemes use only a user password to encrypt secret parameters; they are called password-based authentication schemes. Unfortunately, all of the password-based schemes are insecure due to the weakness of having a verification table that is stored somewhere. Adversaries may delete, modify, or steal the values from the table to pass the authentication step as legitimate users, as well as launch a dictionary attack to guess low-entropy, human-memorable passwords. To overcome these drawbacks, many authors have introduced multi-factor schemes that use a smart card to store verification parameters and a user's biometric to protect the weak password. However, almost all of these authentication schemes are designed for single-server environments, where users are required to register their personal information with each server to subscribe to its services. This makes it difficult for users to remember many passwords, store many smart cards, and prevent leakage of their biometric data. In this era of increasingly on-demand online services, a single registration for multiple applications is indispensable.
Focusing on the multi-server environment, in the last decade some authors have introduced smart card-based authentication schemes that migrate the verification parameters to a personal device [54–63]. Lin et al. [54] proposed an offline password-changing scheme using time stamps and the discrete logarithm problem. However, this scheme suffers from various attacks, as pointed out by Ku et al. [55]; also, it provides neither a key agreement mechanism nor mutual authentication. Juang [56] introduced a mutual authentication and key agreement protocol using a nonce and symmetric encryption. A year later, Ku et al. [57] showed that Juang's scheme was irreparable and unable to resist some known attacks, such as the offline password guessing attack, the server impersonation attack, the parallel session attack, the forward secrecy attack, and the privileged insider attack. Since then, many improved schemes have been proposed to overcome the security weaknesses as well as reduce computation and payload. Tsaur et al. [58] introduced a self-verified timestamp scheme to eliminate clock synchronization. Their scheme can resist some attacks, such as the man-in-the-middle attack. Unfortunately, Tsaur et al.'s scheme is susceptible to the privileged insider attack, the known-plaintext attack, and the forward secrecy attack, as pointed out by Li et al. and Wang et al. [59]. In a series of publications aimed at overcoming security drawbacks, Wang and Ma [60] endeavoured to remove the inessential keys of the previously proposed schemes to achieve a secure authentication mechanism. However, He and Wu [61] later showed that Wang and Ma's scheme was also insecure. Recently, Islam [62] proposed a scheme using pairings on an elliptic curve to prevent the leakage of ephemeral secret parameters. However, none of those schemes [54–58, 60–62] provides user anonymity, which is desirable in several applications including military, health care, and business systems.
Recently, some two-factor authentication mechanisms have been introduced to provide users with anonymity. Liao and Wang [64] proposed a lightweight dynamic ID scheme using hash functions and random numbers to hide the user credentials. The user ID is encrypted and refreshed each time communication occurs, to prevent the leakage of information to adversaries. However, Liao and Wang's scheme does not support mutual authentication and is susceptible to various attacks, such as the privileged insider attack, the masquerade attack, the server spoofing attack, and the registration center spoofing attack, as demonstrated in [65]. From 2009 to 2013, many studies focused on addressing the security weaknesses and reducing computation costs [66–74], but none of these can resist all known attacks. Recently, Wang and Wang [75] showed that none of the two-factor authentication schemes in the literature that use lightweight symmetric cryptographic techniques has achieved both the anonymity and the security requirements. The security weakness often comes from parameters related to low-entropy, human-memorable passwords stored in smart cards or on servers.
Since 2010, several three-factor authentication protocols have been proposed to overcome the limitations of smart card-based and password-based schemes. In a series of works [13, 15, 76–80], the authors used one-way hash values of biometric data to protect sensitive parameters. However, this technique is impractical due to the extreme sensitivity of the hash function to input variations: all of the verification equations involving the biometric hash values fail, since the input value cannot be reproduced precisely each time it is measured. Recently, Mishra et al. [12] proposed an improved protocol using the Biohashing technique, which reduces the error in the output hash values. Unfortunately, we found that their scheme still suffers from many attacks, including the denial-of-service attack, the traceable user attack, the impersonation attack, and the pre-shared key attack. In other works [14, 81–83], the authors adopted the fuzzy extractor technique to generate a random key from biometric data to mask the secret parameters. Yang and Yang [81] proposed the first scheme for multi-server environments using a random key extracted from biometric information. However, this protocol is vulnerable to several attacks, as it does not provide identity privacy and lets the registration center extract all of the user's password and biometric data. Jiang et al. [14] proposed another anonymous biometric-based scheme. However, this protocol is also vulnerable to several attacks, including the privileged insider attack, the impersonation attack, the traceable attack, and the known session-specific temporary information attack. He and Wang [82] proposed an improved scheme to overcome the weakness of Yang and Yang's protocol. Unfortunately, He and Wang's scheme is still susceptible to the known session-specific temporary information attack and the impersonation attack, as was pointed out in [83]. Additionally, an error-tolerant fuzzy extractor can generate a unique random key from noisy data, but it does not address the issue of misrecognized measurements in biometric-based systems.
In this chapter, we identify the drawbacks of [12] and propose an untraceable three-factor mutual authentication and key agreement protocol with a user revocation mechanism. The Biohashing technique of [84] and [85] is adopted to generate an at least 80-bit Biohash code from the biometric data and a predefined random vector called the “Biohash key”. This code is protected by a hashed password to achieve a zero equal error rate even if the Biohash key is compromised. Besides, the biometric data can be reused by changing the Biohash key to generate a new output value. Our scheme can not only revoke users immediately but also resist most known attacks. The rest of this chapter is organized as follows: Section 2.2 presents a review of [12]; the weaknesses of this scheme are clarified in Section 2.3; Sections 2.4 and 2.5 provide our proposed scheme and its security analysis; the performance comparison is given in Section 2.6; and the last section concludes the chapter.
2.2 Review of Mishra et al.’s Scheme
In this section, we review Mishra et al.'s scheme [12], which contains five phases: server registration, user registration, login, authentication, and password change.
2.2.1 Server registration
When an application server wants to join the system, it sends a registration message to the registration center. The center authorizes the server and then assigns it a unique identity $SID_j$ and a pre-shared key $PSK$, using the key exchange protocol IKEv2. All application servers in the system use the same secret key $PSK$ to authenticate legitimate users.
2.2.2 User registration
If a new user would like to subscribe to the system service, the following steps are performed:
Step 1. The user $U_i$ generates a random number $N_i$, computes $W_1 = h(PW_i \| N_i)$ and $W_2 = h(ID_i \oplus N_i)$, and sends the registration message $\langle ID_i, W_1, W_2 \rangle$ to the registration center via a secure channel.
Step 2. After receiving the request, the registration center checks the validity of $ID_i$ and computes $A_i = h(ID_i \| x \| T_r)$, $B_i = h(A_i) = h^2(ID_i \| x \| T_r)$, $X_i = B_i \oplus W_1$, $Y_i = h(PSK) \oplus W_2$, and $Z_i = PSK \oplus A_i$, where $T_r$ is the registration time. Then the center writes $\{X_i, Y_i, Z_i, h(\cdot)\}$ to the smart card $SC_i$ and sends it to the user $U_i$ via a secure channel.
Step 3. Upon receiving the smart card $SC_i$, the user $U_i$ imprints their biometric $BIO_i$ at the sensor, computes $N = N_i \oplus H(BIO_i)$ and $V = h(ID_i \| N_i \| PW_i)$, and stores $N$ and $V$ in $SC_i$.
2.2.3 User login
To log onto the application server $S_j$, the user $U_i$ inserts the smart card $SC_i$ into a card reader, inputs $\{ID_i, PW_i\}$, and imprints their biometric $BIO_i$ at the sensor. The smart card then does the following:
Step 1. $SC_i$ computes $N_i = N \oplus H(BIO_i)$ and verifies $V \stackrel{?}{=} h(ID_i \| N_i \| PW_i)$. If it does not hold, the session is terminated.
Step 2. Next, $SC_i$ computes $W_1 = h(PW_i \| N_i)$, $W_2 = h(ID_i \oplus N_i)$, $B_i = X_i \oplus W_1$, and $h(PSK) = Y_i \oplus W_2$. Finally, it generates a random number $n_1$, computes $M_1 = h(PSK) \oplus n_1$, $M_2 = ID_i \oplus h(n_1 \| B_i)$, and $M_3 = h(ID_i \| n_1 \| B_i)$, and sends the login message $\langle Z_i, M_1, M_2, M_3 \rangle$ to the server $S_j$ via a public channel.
2.2.4 Authentication
In this phase, the server $S_j$ and the user $U_i$ mutually authenticate each other and establish a session key. The detailed steps are as follows:
Step 1. Upon receiving $\langle Z_i, M_1, M_2, M_3 \rangle$, $S_j$ uses the pre-shared key $PSK$ to compute $A_i = Z_i \oplus PSK$, $n_1 = M_1 \oplus h(PSK)$, and $ID_i = M_2 \oplus h(n_1 \| h(A_i))$.
Step 2. $S_j$ verifies $M_3 \stackrel{?}{=} h(ID_i \| n_1 \| h(A_i))$. If the verification does not hold, the session is terminated. Otherwise, $S_j$ generates a random nonce $n_2$, computes the session key $SK_{ji} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$ with $B_i = h(A_i)$, and sends the message $\langle SID_j, M_4, M_5 \rangle$ to the smart card $SC_i$, where $M_4 = n_2 \oplus h(ID_i \| n_1)$ and $M_5 = h(SK_{ji} \| n_1 \| n_2)$.
Step 3. Upon receiving the message from the server, $SC_i$ computes $n_2 = M_4 \oplus h(ID_i \| n_1)$ and $SK_{ij} = h(ID_i \| SID_j \| B_i \| n_1 \| n_2)$, then verifies the session key with $M_5 \stackrel{?}{=} h(SK_{ij} \| n_1 \| n_2)$. If this equation does not hold, the session is terminated. Otherwise, the user $U_i$ accepts $SK_{ij}$ as the session key and $S_j$ as an authorized server. Finally, $SC_i$ computes $M_6 = h(SK_{ij} \| n_1 \| n_2)$ and sends it to $S_j$ via a public channel.
Step 4. To verify the session key, the server $S_j$ takes $SK_{ji}$, $n_1$, and $n_2$ as inputs and checks $M_6 \stackrel{?}{=} h(SK_{ji} \| n_1 \| n_2)$. If the equation does not hold, the session is terminated. Otherwise, the server $S_j$ considers the user $U_i$ legitimate and $SK_{ji}$ credible.
2.2.5 Password change
To change the password, the user runs the following protocol offline:
Step 1. The user $U_i$ inserts the smart card into a card reader, inputs $\{ID_i, PW_i\}$, and imprints their biometric at the sensor.
Step 2. The smart card computes $N_i = N \oplus H(BIO_i)$ and verifies $V \stackrel{?}{=} h(ID_i \| N_i \| PW_i)$. If the verification does not hold, this phase is terminated immediately. Otherwise, $SC_i$ asks the user $U_i$ for a new password.
Step 3. The user $U_i$ keys in her new password $PW_i^{new}$. Then the smart card $SC_i$ computes $W_1 = h(PW_i \| N_i)$, $W^{new}$
2.3 Cryptanalysis of Mishra et al.’s Scheme
In this section, we point out some weaknesses of Mishra et al.'s scheme, namely the Biohashing limitation, the traceable user attack, the denial-of-service attack, the impersonation attack, and the pre-shared key attack.
2.3.1 Biohashing limitation
As in some existing works, Mishra et al.'s scheme uses $H(BIO_i)$ to protect the random number $N_i$ through $N = N_i \oplus H(BIO_i)$. The Biohashing technique may reduce the output error, but it hardly generates an identical value $H(BIO_i^t)$ from the biometric data $BIO_i^t$ of the user $U_i$ captured at different input times $t$. Thus, the extracted value $N_i' = N \oplus H(BIO_i^t)$ differs from the original $N_i$, and the verification $V = h(ID_i \| N_i \| PW_i) \stackrel{?}{=} h(ID_i \| N_i' \| PW_i)$ in the login phase does not hold. Hence, the scheme suffers from a high false rejection rate.
2.3.2 Traceable user attack
In various applications, users wish to keep their identity and login history secret from malicious users. However, in Mishra et al.'s scheme, the value $Z_i = PSK \oplus A_i$ is unchanged in every login message. Thus, an attacker can track the value $Z_i$ in the login phase to find all communication sessions between the user $U_i$ and the server $S_j$. This may help the attacker learn the user's identity, behaviour, and other secret information.
2.3.3 Denial-of-service and impersonation attacks
An attacker intercepts the login message $\langle Z_i, M_1, M_2, M_3 \rangle$ of a communication session between a user $U_i$ and a server $S_j$. To launch an impersonation attack, the attacker sends $\langle Z_i, M_1, M_2, M_3 \rangle$ to an arbitrary server of the system. Upon receiving the login message, the server executes Steps 1 and 2 of the authentication phase and replies with $\langle SID_j, M_4, M_5 \rangle$. In Step 3, the attacker randomly selects a session key $SK_{ij}'$ and replies to the server with the message $M_6 = M_5 = h(SK_{ji} \| n_1 \| n_2)$. Since the verification $M_6 \stackrel{?}{=} h(SK_{ji} \| n_1 \| n_2)$ in Step 4 holds, the attacker successfully impersonates the user $U_i$ to the server $S_j$ even though it does not know the real session key $SK_{ji}$. On the other hand, attackers can send the login message $\langle Z_i, M_1, M_2, M_3 \rangle$ to a server $S_j$ many times simultaneously in order to run a denial-of-service attack. Since the protocol fails to verify that the client actually holds the session key, the server cannot distinguish login messages replayed by attackers from those sent by legitimate users. Consequently, attackers can open sessions with the server $S_j$ under different fake keys. This greatly affects distributed systems that use data sent from users to execute their services, such as decision-making systems and health care systems, among others.
2.3.4 User access control and pre-shared key attack
In an online architecture, a system may have multiple servers providing various services.Users were granted access to only a subset of the servers based on their roles or theservices to which they have subscribed However, Mishra et al.’s protocol allows users toaccess to all servers of the system, as these servers utilize the same key to decrypt andverify secret parameters The scheme does not support user access control
On the other hand, an insider attacker E at a server $S'_j$ may extract the pre-shared key $PSK$ between $S'_j$ and the registration center. Then, E could launch user impersonation attacks or retrieve all session keys established between $U_i$ and $S_j$. The details are as follows:
• E may intercept the messages sent via the public channel, $Z_i = A_i \oplus PSK$, $M_1 = n_1 \oplus h(PSK)$, $M_2 = ID_i \oplus h(n_1 \| h(A_i))$, and $M_4 = n_2 \oplus h(ID_i \| n_1)$, and then retrieve $A_i$, $n_1$, $ID_i$, and $n_2$ using the pre-shared key $PSK$. Next, E could compute the session key $SK_{ij} = h(ID_i \| SID_j \| h(A_i) \| n_1 \| n_2)$ established by user $U_i$ and server $S_j$. The scheme fails to establish a secret session key.
• The protocol also suffers from a user impersonation attack. As in the preceding attack, E may retrieve $A_i$ and $ID_i$ from the messages sent via the public channel, $Z_i = A_i \oplus PSK$, $M_1 = n_1 \oplus h(PSK)$, and $M_2 = ID_i \oplus h(n_1 \| h(A_i))$. Then, the attacker computes a login message $\langle Z_i, M_1, M_2, M_3 \rangle$, where $Z_i = A_i \oplus PSK$, $M_1 = h(PSK) \oplus n_1$, $M_2 = ID_i \oplus h(n_1 \| B_i)$, and $M_3 = h(ID_i \| n_1 \| B_i)$, and impersonates the user $U_i$ to log onto any server of the system at any time.
Finally, many other protocols [76–78, 81] are also vulnerable to the pre-shared key attack, as in Mishra et al.'s scheme. An insider attacker at an application server may compromise the server's pre-shared key to launch user impersonation attacks or retrieve all other established session keys. We name this kind of attack a pre-shared key attack.

2.4 The Proposed Scheme
In this section, we propose a novel scheme that can resist all known attacks and achieves great efficiency in providing user access control. The scheme is comprised of seven phases: (i) initial phase, (ii) server registration, (iii) user registration, (iv) user login, (v) authentication, (vi) password and Biohashing update, and (vii) user access control and revocation.
2.4.1 Initial phase
To initialize the system, the registration center (RC) selects a strong prime number $p$ and three hash functions $h: \{0,1\}^* \to \{0,1\}^l$, $h_1: \{0,1\}^* \to \{0,1\}^{2(s+1) \cdot L}$, and $h_2: \{0,1\}^* \to \mathbb{Z}_p$, where the security parameter $l$ is greater than or equal to 512 as recommended in [86], and $s$ is greater than the number of authorized servers of the system.
2.4.2 Server registration
In this phase, an application server executes a registration process to become an authorized server of the system. To overcome the weaknesses of the common pre-shared key $PSK$ between servers and the registration center, we employ a mechanism similar to the RSA protocol to assign a secret key to a server. However, all parameters are kept secret from other servers. The registration phase includes the following steps:
Step 1 The server $S_j$ selects an identity $SID_j$, two strong prime numbers $p_j, q_j$, and a pair $(e_j, d_j)$ such that $0 < e_j < \varphi(N_j) = \varphi(p_j \cdot q_j) = (p_j - 1)(q_j - 1)$, $\gcd(e_j, \varphi(N_j)) = 1$, and $e_j \cdot d_j \equiv 1 \pmod{\varphi(N_j)}$.
Step 2 $S_j$ establishes a secure communication channel with the registration center, such as IKEv2, and then sends a request message $\langle N_j, e_j, SID_j \rangle$ to the registration center.
Step 3 Upon receiving $\langle N_j, e_j, SID_j \rangle$, the RC authorizes the server $S_j$ and then replies with the $2l$-bit pre-shared key $PSK$ and a secret number $\nu_j$ to $S_j$. Next, RC computes $E_y(N_j, \nu_j, e_j)$ using symmetric encryption $E$ and the long-term secret key $y$, and then stores $SID_j$ and $E_y(N_j, \nu_j, e_j)$ in the back-end database.
2.4.3 User registration
In this phase, assume that a new user $U_i$ would like to subscribe to services offered by a subset of authorized servers $\{S_{i,1}, S_{i,2}, \ldots, S_{i,k}\}$ in time intervals $\{t_1, t_2, \ldots, t_k\}$, respectively. The user $U_i$ first selects their identity $ID_i$, a password $pw^{re}_i$, and a random Biohash key $Biokey$, and then completes the following steps:
Step 1 $U_i$ generates a random number $n_0$ and imprints their biometric $BIO^{re}_i$ at a sensor, and then computes $M^{re}_i$
i,∗kai,∗ and 02
i,∗kf (ai,∗)have the same L-bit length
Step 3 The registration center computes $A_i = h(ID_i \| x \| r_i \| T_r)$, $B_i = h(A_i)$, $Z_0 = PSK \oplus r_i \oplus (A_i \| M^{re}_i)$, $Z_1 = h_1(0 \| PSK) \oplus (P_{i,1} \| P_{i,2} \| \ldots \| P_{i,k} \| P_{i,k+1})$, $X_i = h(PSK) \oplus PW^{re}_i$, and $Y_i = B_i \oplus PW^{re}_i$, where $T_r = t_1 \oplus t_2 \oplus \ldots \oplus t_k$. Next, RC records $\{Z_0, Z_1, X_i, Y_i, h(\cdot), h_1(\cdot), (N_{i,j}, e_{i,j})\}$ to the smart card $SC_i$ and provides it to the user $U_i$. Finally, RC establishes a secure channel and sends $\langle ID_i, t_{i,j} \rangle$ to server $S_{i,j}$, and then stores $\{ID_i, RE_i = h_1(RID \| \nu_r) \oplus (S_{i,1} \| t_1 \| S_{i,2} \| t_2 \| \ldots \| S_{i,k} \| t_k)\}$ in its back-end database.
Step 4 To complete the registration phase, the user $U_i$ inserts $SC_i$ into a card reader and inputs the number $n_0$. The $SC_i$ computes $X_1 = X_i \oplus n_0 = h(PSK) \oplus PW_i$ and $Y_1 = Y_i \oplus n_0 = B_i \oplus PW_i$. Then, $SC_i$ replaces $X_i$ and $Y_i$ with $X_1$ and $Y_1$, respectively, and stores $K_i = Biokey \oplus h_1(1 \| pw^{re}_i)$ in the smart card.
Explanation: In this scheme, we only keep the values $(N_j, e_j)$ of the server $S_j$ secret from the other authorized servers of the system. Thus, $SC_i$ may store these values in plain-text form to reduce the computation cost of the smart card. To enhance security, $SC_i$ may store these parameters in the encrypted form $h_1(1 \| ID_i \| pw_i) \oplus (N_{i,1} \| e_{i,1} \| N_{i,2} \| e_{i,2} \| \ldots \| N_{i,k} \| e_{i,k})$. In addition, the server $S_{i,j}$ should store $t_{i,j}$ in encrypted form to prevent modification attacks.
Step 2 $SC_i$ computes the messages $\{M_0, N_0, M_1, M_2, M_3\}$, where $M_0 = Z_0 \oplus h_1(n_1)$, $N_0 = Z_1 \oplus h_1(SID_{i,j} \| n_1)$, $M_1 = h(PSK) \oplus n_{1,j}$, $M_2 = ID_i \oplus h(n_1 \| B_i)$, and $M_3 = h(ID_i \| n_1 \| B_i) \oplus M^t_i$.
Step 3 The smart card sends the login message $\langle M_0, N_0, M_1, M_2, M_3 \rangle$ to the server $S_{i,j}$ via a public channel.
$h_1(SID_{i,j} \| n_1)$ and extracts the $k+1$ points $(a_{i,1}, f(a_{i,1})), \ldots, (a_{i,k+1}, f(a_{i,k+1}))$. Then, $S_{i,j}$ computes the Lagrange interpolation polynomial $f(x)$ using the $k+2$ points $\{(a_{i,1}, f(a_{i,1})), \ldots, (a_{i,k+1}, f(a_{i,k+1})), (h_2(SID_{i,j}), \nu_{i,j})\}$ and retrieves the secret $r_i = f(0)$. Thereupon, the server decrypts $A_i$ and $M^{re}_i$ from $(A_i \| M^{re}_i) = M_0 \oplus h_1(n_1) \oplus PSK \oplus r_i$, and then computes $B_i = h(A_i)$, $ID_i = M_2 \oplus h(n_1 \| B_i)$, and $M^t_i = M_3 \oplus h(ID_i \| n_1 \| B_i)$. Finally, the server $S_{i,j}$ decrypts the back-end database to retrieve $t_{i,j}$ and checks the legitimacy of the user $ID_i$. If the time has expired, the session is immediately terminated.
Step 2 $S_{i,j}$ verifies the condition $\frac{1}{|H|} d(M^{re}_i, M^t_i) \le \varepsilon(H)$. If it does not hold, the session is terminated immediately. Otherwise, the server generates the random number $n_2$ and computes a session key $SK_{j,i} = h(ID_i \| SID_{i,j} \| n_1 \| n_2 \| B_i)$.
Step 3 The server $S_{i,j}$ computes $M_4 = n_2 \oplus h(ID_i \| SID_{i,j} \| n_1)$ and $M_5 = h(0 \| SK_{j,i} \| ID_i \| SID_{i,j} \| n_2)$, and sends $\langle SID_{i,j}, M_4, M_5 \rangle$ to the smart card $SC_i$ of the user $U_i$.
Step 4 Upon receiving $\langle SID_{i,j}, M_4, M_5 \rangle$, the smart card $SC_i$ computes $n_2 = M_4 \oplus h(ID_i \| SID_{i,j} \| n_1)$ and $SK_{i,j} = h(ID_i \| SID_{i,j} \| n_1 \| n_2 \| B_i)$, and then verifies $M_5 \stackrel{?}{=} h(0 \| SK_{i,j} \| ID_i \| SID_{i,j} \| n_2)$. If this verification does not hold, the session is immediately terminated. Otherwise, the user $U_i$ accepts the session key $SK_{i,j}$ and considers $S_{i,j}$ as the authenticated server.
Step 5 The user $U_i$ computes and sends the message $M_6 = h(1 \| SK_{i,j} \| ID_i \| SID_{i,j} \| n_1 \| n_2)$ to the server $S_{i,j}$.
Step 6 Upon receiving the message $M_6$, the server verifies $M_6 \stackrel{?}{=} h(1 \| SK_{j,i} \| ID_i \| SID_{i,j} \| n_1 \| n_2)$. If the verification does not hold, the session is immediately terminated. Otherwise, the server $S_{i,j}$ accepts the session key $SK_{i,j}$ and considers $U_i$ as the legitimate user.
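As an added example (not the thesis's own code), the following Python models the point-based access control used in Step 3 of the user registration and Step 1 of the authentication phase: the RC fixes a polynomial $f$ of degree $k+1$ over $\mathbb{Z}_p$ through $(0, r_i)$, one point $(h_2(SID_j), \nu_j)$ per subscribed server and one random point, stores $k+1$ evaluations on the card, and only a server holding a genuine point recovers $r_i = f(0)$. The prime $p$, SHA-256 as $h_2$, and reusing each server's registration secret $\nu_j$ as $\nu_{i,j}$ are assumptions.

```python
import hashlib
import secrets

# Added example, not the thesis's code. p is a Mersenne prime chosen here for
# convenience; the scheme only requires a strong prime p.
P = (1 << 127) - 1


def h2(data: bytes) -> int:
    """h2 : {0,1}^* -> Z_p, modelled as SHA-256 reduced modulo p (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def lagrange_eval(points, x):
    """Evaluate the unique polynomial of degree < len(points) through `points`
    at `x` over Z_p:  f(x) = sum_j y_j * prod_{m != j} (x - x_m) / (x_j - x_m)."""
    result = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        result = (result + yj * num * pow(den, P - 2, P)) % P
    return result


def rc_register_user(r_i, authorized):
    """RC side of user registration. `authorized` maps SID_j -> nu_j for the k
    servers the user subscribes to. Returns the k+1 card points
    (a_{i,1}, f(a_{i,1})), ..., (a_{i,k+1}, f(a_{i,k+1})).

    f has degree k+1 and is fixed by k+2 points: (0, r_i), one point
    (h2(SID_j), nu_j) per authorized server, and one random point, so the
    k+1 card points alone are one short of recovering f(0)."""
    defining = [(0, r_i)]
    defining += [(h2(sid), nu) for sid, nu in authorized.items()]
    defining.append((secrets.randbelow(P - 1) + 1, secrets.randbelow(P)))
    k = len(authorized)
    card_points = []
    for _ in range(k + 1):
        a = secrets.randbelow(P - 1) + 1
        card_points.append((a, lagrange_eval(defining, a)))
    return card_points


def server_recover_r(card_points, sid, nu):
    """Server side of authentication Step 1: add its own point (h2(SID_j), nu_j)
    to the k+1 card points and read r_i = f(0)."""
    return lagrange_eval(card_points + [(h2(sid), nu)], 0)


def demo():
    """Subscribed servers recover r_i; a server outside the user's list does not.
    Returns (all subscribed servers succeed, outsider obtains the true r_i)."""
    servers = {b"SID_mail": secrets.randbelow(P), b"SID_files": secrets.randbelow(P)}
    r_i = secrets.randbelow(P)
    card = rc_register_user(r_i, servers)
    subscribed_ok = all(server_recover_r(card, sid, nu) == r_i for sid, nu in servers.items())
    outsider = server_recover_r(card, b"SID_other", secrets.randbelow(P))
    return subscribed_ok, outsider == r_i
```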
2.4.6 Password and biohashing update
When the user $U_i$ wishes to change their password and Biohash code $H(BIO^{re}_i)$, they insert $SC_i$ into a card reader, input $\{ID_i, pw_i, pw_{i,new}\}$ to the smart card, and imprint their biometric $BIO^t_i$ at the sensor. The smart card generates a new Biohash key $Biokey_{new}$, computes $M^t_i = H(BIO^t_i) \oplus h(ID_i \| pw_i)$ and $M^{re}_{i,new} = H_{new}(BIO^{re}_i) \oplus h(ID_i \| pw_{i,new})$, and completes the following steps:
Step 1 (Online) $SC_i$ executes the user login phase and the authentication phase to establish a session key $SK_{i,rc}$ with the registration center (RC). All of the steps are as in sub-sections 2.4.4 and 2.4.5, but the RC utilizes $\{(a_{i,1}, f(a_{i,1})), \ldots, (a_{i,k+1}, f(a_{i,k+1})), (h_2(CID), \nu_r)\}$ to retrieve the Lagrange interpolation polynomial $f(x)$.
Step 2 (Online) The smart card computes and sends the message $M_7 = M^{re}_{i,new} \oplus h_1(SK_{i,rc})$ to the registration center, which then computes $M^{re}_{i,new} = M_7 \oplus h_1(SK_{i,rc})$ and $Z_{0,new} = PSK \oplus r_i \oplus (A_i \| M^{re}_{i,new})$, and sends $M_8$ to the smart card $SC_i$.
Step 3 (Offline) Upon receiving $M_8$, $SC_i$ computes $Z_{0,new} = M_8 \oplus h(0 \| SK_{i,rc})$, $PW_{i,new} = h(0 \| ID_i \| pw_{i,new})$, $X_{1,new} = X_1 \oplus PW_i \oplus PW_{i,new}$, $Y_{1,new} = Y_1 \oplus PW_i \oplus PW_{i,new}$, and $K_{i,new} = Bio_{i,new} \oplus h(1 \| pw_{i,new})$. Then, it replaces $\{Z_0, X_1, Y_1, K_i\}$ with $\{Z_{0,new}, X_{1,new}, Y_{1,new}, K_{i,new}\}$, respectively.
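As an added example (not the thesis's code), the following Python computes the masked codes $M_i = H(BIO_i) \oplus h(ID_i \| pw_i)$ used in this phase and applies the server's check $\frac{1}{|H|} d(M^{re}_i, M^t_i) \le \varepsilon(H)$ with the values $|H| = 80$ and $\varepsilon(H) = 0.05$ given in Section 2.5.4. The simplified Biohash (a keyed random projection), SHA-256 truncated to 80 bits as $h$, and the constructed feature vector are assumptions.

```python
import hashlib
import random
from typing import List

# Added example, not the thesis's code. Parameters follow Section 2.5.4:
# |H| = 80 bits and epsilon(H) = 0.05, i.e. at most 4 differing bits.
CODE_BITS = 80
EPSILON = 0.05


def biohash(features: List[float], biokey: bytes, bits: int = CODE_BITS) -> int:
    """Simplified Biohashing (assumption): project the feature vector onto `bits`
    pseudo-random directions seeded by Biokey and keep the sign of each projection.
    A new Biokey yields an unrelated code for the same biometric (reusability)."""
    rng = random.Random(biokey)
    code = 0
    for _ in range(bits):
        proj = sum(f * rng.gauss(0.0, 1.0) for f in features)
        code = (code << 1) | (1 if proj > 0 else 0)
    return code


def h(data: bytes, bits: int = CODE_BITS) -> int:
    """h(.) truncated to |H| bits so that it can mask a Biohash code (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def mask_code(code: int, id_i: bytes, pw: bytes) -> int:
    """M_i = H(BIO_i) XOR h(ID_i || pw_i): the form stored at registration (M_i^re)
    and sent at login (M_i^t)."""
    return code ^ h(id_i + b"|" + pw)


def normalized_hamming(a: int, b: int, bits: int = CODE_BITS) -> float:
    """(1/|H|) * d(a, b) for two |H|-bit codes."""
    return bin((a ^ b) & ((1 << bits) - 1)).count("1") / bits


def verify(m_re: int, m_t: int) -> bool:
    """Server check (1/|H|) d(M_i^re, M_i^t) <= epsilon(H). Both codes carry the same
    mask h(ID_i || pw_i), so the XOR cancels and the distance equals that of the raw
    Biohash codes; a different ID or password leaves a random-looking difference."""
    return normalized_hamming(m_re, m_t) <= EPSILON


def flip_bits(code: int, positions) -> int:
    """Simulate sensor noise: flip the given bit positions of a Biohash code."""
    for p in positions:
        code ^= 1 << p
    return code


def demo():
    """Returns (fresh sample within tolerance, too noisy sample, wrong password)."""
    features = [0.8, -1.2, 0.3, 2.1, -0.4, 0.9]      # constructed feature vector
    biokey = b"constructed-biokey-16B"               # constructed Biohash key
    id_i, pw = b"ID_alice", b"correct horse"          # constructed credentials
    enrolled = biohash(features, biokey)
    m_re = mask_code(enrolled, id_i, pw)
    # 3 flipped bits: 3/80 = 0.0375 <= 0.05, accepted.
    m_t_ok = mask_code(flip_bits(enrolled, [3, 17, 42]), id_i, pw)
    # 6 flipped bits: 6/80 = 0.075 > 0.05, rejected.
    m_t_noisy = mask_code(flip_bits(enrolled, [3, 17, 42, 55, 61, 70]), id_i, pw)
    # Same biometric, wrong password: the masks no longer cancel.
    m_t_badpw = mask_code(enrolled, id_i, b"wrong password")
    return verify(m_re, m_t_ok), verify(m_re, m_t_noisy), verify(m_re, m_t_badpw)
```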
2.4.7 User access control and revocation
This phase aims to help the user $U_i$ change their access list $L_i = \{(S_{i,1}, t_1), (S_{i,2}, t_2), \ldots, (S_{i,k}, t_k)\}$, which may include withdrawing access, extending the subscribed time interval, or subscribing to a new service. To perform this phase, $U_i$ inserts $SC_i$ into a card reader, inputs $\{ID_i, pw_i\}$ to the smart card, and imprints their biometric $BIO^t_i$ at a sensor. The smart card performs the following steps:
Step 1 $SC_i$ establishes a session key $SK_{i,rc}$ with the registration center, as in the password and Biohashing update phase.
Step 2 Thereafter, $SC_i$ extracts the changed list $L_{i,up} = \{(S'_{i,1}, t'_1), (S'_{i,2}, t'_2), \ldots, (S'_{i,k'}, t'_{k'})\}$ and sends $M_9$, carrying $(S'_{i,1} \| t'_1 \| S'_{i,2} \| t'_2 \| \ldots \| S'_{i,k'} \| t'_{k'})$, to the registration center.
Step 3 Upon receiving $M_9$, the registration center first extracts the lists $L_{i,up}$ and $L_i$ from $M_9$ and $RE_i$, respectively, and forms the new list $L_{i,new} = L_{i,up} \cup L_i$. Then, it generates a new random number $r_{i,new}$ and computes $\{Z_{0,new}, Z_{1,new}, RE_{i,new}\}$, as in Steps 2 and 3 of the user registration phase.
Step 4 The registration center computes and sends $M_{10} = Z_{0,new} \oplus h_1(0 \| SK_{i,rc})$ and $M_{11} = Z_{1,new} \oplus h_1(1 \| SK_{i,rc})$ to the smart card. Then, it establishes a secure channel and sends the update values $\langle ID_i, t'_{i,j} \rangle$ to server $S'_{i,j}$, and stores $\{ID_i, RE_{i,new}\}$ in its back-end database.
Step 5 Upon receiving the response message from the registration center, the smart card $SC_i$ computes $Z_{0,new} = M_{10} \oplus h_1(0 \| SK_{i,rc})$ and $Z_{1,new} = M_{11} \oplus h_1(1 \| SK_{i,rc})$, and then replaces the old values $Z_0$ and $Z_1$ with $Z_{0,new}$ and $Z_{1,new}$, respectively.
2.5 Security Analysis
In this section, we show that our scheme can not only resist most known attacks but also avoid errors in verifying biometric data.
2.5.1 User untraceability
In the login phase, all values of the login message $\langle M_0, N_0, M_1, M_2, M_3 \rangle$ are refreshed using the random seed $n_1$. The identity of the user $U_i$ is concealed in $M_2 = ID_i \oplus h(n_1 \| B_i)$. During the execution of the protocol, the number $n_1$ is a hash input except in $n_{i,j} = n_1^{e_{i,j}} \bmod N_{i,j}$. It is not feasible to retrieve $n_1$ from its hash outputs or from $n_{i,j} = n_1^{e_{i,j}}$, due to the one-way property of the hash function and the difficulty of factorization. Thus, the value $ID_i$ is protected. Moreover, in all other phases, the random numbers $n_1$ and $n_2$ are employed to freshen the values $\{M_4, M_5, M_6, M_7, M_8, M_9, M_{10}, M_{11}\}$. Therefore, adversaries cannot trace the user identity or login history.
$M_1 = h(PSK) \oplus (n_1^{e_{i,j}} \bmod N_{i,j})$, and only the server $S_{i,j}$ knows the key $PSK$ and $d_{i,j}$ needed to decrypt the value. Hence, the user correctly communicates with the intended server.
2.5.3 Session key agreement and verification
In our protocol, the user $U_i$ and the server $S_{i,j}$ negotiate the session key $K_{i,j} = K_{j,i} = h(ID_i \| SID_{i,j} \| n_1 \| n_2 \| B_i)$. This key takes input values from both sides to prevent malicious clients from learning other secret values kept by the servers and the registration center. Only the user $U_i$ can retrieve the input value $B_i = Y_1 \oplus h(0 \| ID_i \| pw^{re}_i)$ using their $ID_i$ and $pw^{re}_i$. In addition, only the server $S_{i,j}$ can compute the input $n_1$ from $M_1 = h(PSK) \oplus (n_1^{e_{i,j}} \bmod N_{i,j})$ using the secret keys $PSK$ and $\nu_{i,j}$. Thus, no other party can compute the session key $K_{i,j}$ except $U_i$ and $S_{i,j}$. On the other hand, the session key is verified on both the user side and the server side via the equations $M_5 \stackrel{?}{=} h(0 \| SK_{i,j} \| ID_i \| SID_{i,j} \| n_2)$ and $M_6 \stackrel{?}{=} h(1 \| SK_{i,j} \| ID_i \| SID_{i,j} \| n_1 \| n_2)$, respectively. It is impossible for attackers to compute $K_{i,j}$ from $M_5$ and $M_6$ due to the one-way property of the hash function.
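As an added example (not the thesis's code), the following Python contrasts the undirected confirmation analysed in Section 2.3.3, where $M_5$ and $M_6$ are the same value $h(SK \| n_1 \| n_2)$, with the tagged confirmations $M_5 = h(0 \| \ldots)$ and $M_6 = h(1 \| \ldots)$ verified above: a party that merely echoes $M_5$ back satisfies the first server's check but not the second's. SHA-256 as $h$, the length-prefixed concatenation, and the sample identities are assumptions.

```python
import hashlib
import secrets

# Added example, not the thesis's code. h(.) is modelled as SHA-256 and the
# identities below are constructed values (assumptions).


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) with a length prefix per part so the concatenation is unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


class UndirectedConfirmation:
    """Server side of the confirmation described in Section 2.3.3 for [12]:
    M5 = M6 = h(SK || n1 || n2). The value the server sends in Step 3 is the
    very value it expects back in Step 4."""

    def __init__(self, sk: bytes, n1: bytes, n2: bytes):
        self.sk, self.n1, self.n2 = sk, n1, n2

    def m5(self) -> bytes:
        return h(self.sk, self.n1, self.n2)

    def verify_m6(self, m6: bytes) -> bool:
        return m6 == h(self.sk, self.n1, self.n2)


class TaggedConfirmation:
    """Server side of Steps 3 and 6 of the proposed authentication phase:
    M5 = h(0 || SK || ID_i || SID_ij || n2),
    M6 = h(1 || SK || ID_i || SID_ij || n1 || n2).
    The direction tag and the extra nonce in M6 mean the server's own M5 can
    never satisfy the M6 check; only a holder of SK can produce M6."""

    def __init__(self, sk: bytes, id_i: bytes, sid: bytes, n1: bytes, n2: bytes):
        self.sk, self.id_i, self.sid, self.n1, self.n2 = sk, id_i, sid, n1, n2

    def m5(self) -> bytes:
        return h(b"\x00", self.sk, self.id_i, self.sid, self.n2)

    def verify_m6(self, m6: bytes) -> bool:
        return m6 == h(b"\x01", self.sk, self.id_i, self.sid, self.n1, self.n2)


def card_m6(sk: bytes, id_i: bytes, sid: bytes, n1: bytes, n2: bytes) -> bytes:
    """Smart card side, Step 5: the confirmation a legitimate holder of SK computes."""
    return h(b"\x01", sk, id_i, sid, n1, n2)


def echo_check():
    """Feed each server its own M5 back as M6, which needs no knowledge of SK.
    Returns (undirected accepts echo, tagged accepts echo, tagged accepts real M6)."""
    sk, n1, n2 = secrets.token_bytes(32), secrets.token_bytes(16), secrets.token_bytes(16)
    id_i, sid = b"ID_alice", b"SID_files"          # constructed identities
    undirected = UndirectedConfirmation(sk, n1, n2)
    tagged = TaggedConfirmation(sk, id_i, sid, n1, n2)
    return (
        undirected.verify_m6(undirected.m5()),
        tagged.verify_m6(tagged.m5()),
        tagged.verify_m6(card_m6(sk, id_i, sid, n1, n2)),
    )
```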
2.5.4 Biohash code error resistance
In our scheme, the Biohash code is verified using the Hamming distance to avoid false acceptance and false rejection errors. As in [84], we can assign $\varepsilon(H) = 0.05$ when $|H| \ge 80$ to achieve zero FAR and FRR. Even in the worst case, where the Biohash key and/or the user biometric are stolen, attackers cannot correctly guess $H(BIO^t_i) \oplus h(ID_i \| pw_i)$ without $ID_i$ and $pw_i$, due to the extreme sensitivity of the one-way hash function to its inputs. Thus, our scheme is secure unless the smart card, password, and biometric are all stolen.

2.5.5 Relay and man-in-the-middle attacks
An adversary E may intercept the messages $\langle M_0, N_0, M_1, M_2, M_3 \rangle$, $\langle SID_{i,j}, M_4, M_5 \rangle$, $M_5$, and $M_6$ exchanged between a user $U_i$ and a server $S_{i,j}$ during the execution of the protocol in order to launch a relay attack, a parallel session attack, or another man-in-the-middle attack. However, our scheme can resist all of these attacks since all of the exchanged messages are refreshed using the random numbers and the Biohash code. The details are as follows:
• The adversary E intercepts the login message $\langle M_0, N_0, M_1, M_2, M_3 \rangle$, where $M_0 = Z_0 \oplus h_1(n_1)$, $N_0 = Z_1 \oplus h_1(SID_{i,j} \| n_1)$, $M_1 = h(PSK) \oplus n_{1,j}$, $M_2 = ID_i \oplus h(n_1 \| B_i)$, and $M_3 = h(ID_i \| n_1 \| B_i) \oplus M^t_i$.
• To launch the attacks, E may modify the login message and then send the new one $\langle M'_0, N'_0, M'_1, M'_2, M'_3 \rangle$ to a server $S'_{i,j}$.
• Upon receiving the login request, the server $S'_{i,j}$ executes the authentication phase as follows:
Case 1: $S'_{i,j} \ne S_{i,j}$. In this case, the server $S'_{i,j}$ cannot decrypt the original value $n_1$ from $M_1 = h(PSK) \oplus n_{1,j}$ using its secret key $d'_{i,j}$. The verification condition $\frac{1}{|H|} d(M^{re}_i, M^t_i) \le \varepsilon(H)$ does not hold because $M^t_i = M_3 \oplus h(ID_i \| n_1 \| B_i)$ is totally different from the original one, $M^{re}_i$. The session is immediately terminated.
the server. Thus, the verification condition $\frac{1}{|H|} d(M^{re}_i, M^t_i) \le \varepsilon(H)$ holds, so the server $S'_{i,j}$ sends the message $\langle SID_{i,j}, M'_4, M'_5 \rangle$ sent from the server $S_{i,j}$, but it cannot pass the verification on the user side $U_i$. The details are as follows:
(i) If one of the messages $SID_{i,j}$, $M'_4$, and $M'_5$ has been modified or replaced, at least one of the values $SID_{i,j}$, $n_3$, and $M'_5$ will be changed. Hence, the verification $M'_5 \stackrel{?}{=} h(0 \| SK_{i,j} \| ID_i \| SID_{i,j} \| n_3)$ does not hold. The session is immediately terminated.
(ii) If the adversary E just relays and then sends $\langle SID_{i,j}, M'_4, M'_5 \rangle$ to the user $U_i$, the verification condition $M'_5 \stackrel{?}{=} h(0 \| SK_{j,i} \| ID_i \| SID_{i,j} \| n_3)$ holds. Thus, the smart card replies $M'_6 = h(1 \| SK_{i,j} \| ID_i \| SID_{i,j} \| n_1 \| n_3)$ to the server $S_{i,j}$. In this scenario, the adversary E may intercept the message $M'_6$. However, the message $M'_6$ is different from all previously exchanged messages; the adversary cannot reuse the old one or alter $M'_6$ to pass the verification $M_6 \stackrel{?}{=} h(1 \| SK_{j,i} \| ID_i \| SID_{i,j} \| n_1 \| n_3)$ in order to open a new session to the server $S_{i,j}$.
2.5.6 Denial-of-service attack
In [12], the weaknesses result from the verification messages $M_5$ and $M_6$. In our scheme, the random numbers $n_1$ and $n_2$ are employed to generate distinct exchanged messages. As analyzed in sub-section 2.5.5, an attacker cannot relay or modify these messages to successfully establish a new session with a server $S_{i,j}$. Therefore, our protocol completely detects denial-of-service attacks.
2.5.7 Off-line password guessing attack
In the worst case, an attacker may steal the smart card $SC_i$ and the biometric $BIO_i$, and then try to guess the user password $pw^{re}_i$ using the password-related parameters $Z_0 =$
• The value $Z_0 = PSK \oplus r_i \oplus (A_i \| M^{re}_i)$ is computed from at least two secrets, $PSK$ and $r_i$, so it is also strongly secure.
• The three parameters $Y_1 = B_i \oplus PW_i$, $Biokey \oplus h_1(1 \| pw^{re}_i)$, and $X_1 = h(PSK) \oplus PW_i$ are all secure since they are protected by the long-term secret $B_i = h(h(ID_i \| x \| r_i \| T_r))$, the random vector $Biokey$, and the strong pre-shared key $PSK$, respectively.
From the preceding discussion, our proposed scheme can resist the off-line password guessing attack.
2.5.8 Stolen smart card and user impersonation attack
An adversary E may steal the smart card $SC_i$ and then extract the data $\{Z_0, Z_1, X_1, Y_1, (N_{i,j}, e_{i,j}), Biokey \oplus h_1(1 \| pw^{re}_i)\}$ in order to impersonate the user $U_i$ to log onto a server $S_{i,j}$ or to compute other long-term secret keys. However, the attacker cannot generate the login message $\langle M_0, N_0, M_1, M_2, M_3 \rangle$ or decrypt the secret values. The details are as follows:
• To log onto a server $S_{i,j}$, the attacker needs to know the secret input parameters $\{ID_i, pw^{re}_i, BIO_i, Biokey\}$ to compute $M_2 = ID_i \oplus h(n_1 \| B_i)$ and $M_3 = h(ID_i \| n_1 \| B_i) \oplus M^t_i$.
2.5.9 Known session key attack
In this attack, the adversary may compromise a session key $K_{i,j} = h(ID_i \| SID_{i,j} \| n_1 \| n_2 \| B_i)$ and try to launch an impersonation attack or compromise other session keys.
• The attacker learns nothing about other session keys since $K_{i,j}$ is refreshed using the random numbers $n_1$ and $n_2$.
• $K_{i,j}$ is an output of the one-way hash function $h: \{0,1\}^* \to \{0,1\}^l$, so the attacker cannot learn any useful information to launch an impersonation attack.
2.5.10 Online password guessing attack
In the worst case, assume that an adversary E has data extracted from a stolen smart card $SC_i$ and a biometric $BIO_i$. Then, E may try to get $ID^*_i$ and the key $Biokey = K_i \oplus h(1 \| pw_i)$, respectively.
2.5.11 Known session-specific temporary information attack
In this attack, an adversary may know the temporary random numbers $n_1$ and $n_2$ and try to guess the session key $K_{i,j} = h(ID_i \| SID_{i,j} \| n_1 \| n_2 \| B_i)$. However, it is impossible for the attacker to extract $B_i$ to compute $K_{i,j}$, for the following reasons:
• Except from $Y_1 = B_i \oplus h(0 \| ID_i \| pw_i)$, it is not feasible to retrieve the input $B_i$ from the related values.
• The attacker also cannot extract $h(0 \| ID_i \| pw_i)$ from $X_1 = h(PSK) \oplus h(0 \| ID_i \| pw_i)$ and other related parameters to compute $B_i$ from $Y_1$.
2.5.12 Privileged insider attack
In our scheme, the user $U_i$ sends $PW^{re}_i$ to the server $S_{i,j}$. Since $PW^{re}_i = h(0 \| ID_i \| pw_i) \oplus n_0$ is protected by the random number $n_0$, the insider cannot extract $h(0 \| ID_i \| pw_i)$ to learn the password $pw^{re}_i$ and then compute $H(BIO^{re}_i)$ from $M^{re}_i$. Hence, both $BIO^{re}_i$ and $pw^{re}_i$ are secure against the insider attack. Furthermore, as $H(BIO^{re}_i)$ is generated using the random key $Biokey$, $M^{re}_i$ is totally different for each registration. Thus, an inside attacker cannot use it to log in to other systems.
2.5.13 Server spoofing attack
In this scenario, the adversary E may pretend to be a server $S_{i,j}$ in order to communicate with a user $U_i$. Our scheme is also secure against this attack, as follows:
• The adversary intercepts a login message $\langle M_0, N_0, M_1, M_2, M_3 \rangle$ sent from a user $U_i$ and tries to send an old message $\langle SID_j, M^{old}_4, M^{old}_5 \rangle$ back to the user $U_i$, where
1, the verification $M_5 \stackrel{?}{=} h(0 \| SK^{old}_{i,j} \| ID_i \| SID_{i,j} \| n^{old}_2)$ does not hold. The session is immediately terminated.
• E may try to generate the reply message $M^{new}_4 = n^{new}_2 \oplus h(ID_i \| SID_{i,j} \| n^{new}_1)$ and $M^{new}_5 = h(0 \| SK^{new}_{i,j} \| ID_i \| SID_{i,j} \| n^{new}_2)$; however, the value $n^{new}_1$ is hidden in $n_{1,j} = n_1^{e_{i,j}}$, so the attacker cannot extract $n^{new}_1$ to compute $\langle SID_j, M^{new}_4, M^{new}_5 \rangle$ correctly. The session is immediately terminated.
2.5.14 Known pre-shared key attack
In the proposed protocol, the server $S_{i,j}$ retrieves the nonce $n_1$ from $M_1 = h(PSK) \oplus n_1^{e_{i,j}}$ using its own secret key $d_{i,j}$. None of the other parties can correctly compute $n_1$ and then retrieve the session key $SK_{i,j}$. Our protocol thus overcomes the weaknesses of the pre-shared key $PSK$ in Mishra et al.'s protocol.
2.5.15 Forward secrecy
In this section, an attacker E may try to compute $SK_{i,j} = h(ID_i \| SID_{i,j} \| n_1 \| n_2 \| B_i)$ using the long-term secret value $B_i = h(A_i) = h^2(ID_i \| x \| r_i \| T_r)$. In the worst case, we assume that E may have the data $\{Z_0, Z_1, X_1, Y_1, (N_{i,j}, e_{i,j}), Biokey \oplus h_1(1 \| pw^{re}_i)\}$ extracted from the stolen smart card $SC_i$, and may intercept all messages exchanged between the user $U_i$ and the server $S_{i,j}$. The following discussion shows that our scheme is secure against the forward secrecy attack:
• It is impossible for the attacker to compute $n_1$ from $M_1 = h(PSK) \oplus n_1^{e_{i,j}}$ and other related hashed values.
• The value $ID_i$ also cannot be computed from $M_2 = ID_i \oplus h(n_1 \| B_i)$ without the value $n_1$, or from other related hashed values.
• The attacker cannot correctly compute $SK_{i,j} = h(ID_i \| SID_{i,j} \| n_1 \| n_2 \| B_i)$ without the two inputs $ID_i$ and $n_1$.
2.6 Performance Comparisons
2.6.1 Security performance
Table 2.1 summarizes the security comparison of our proposed protocol with other existing three-factor authentication schemes [12, 14, 15, 76–78, 81, 83]. Clearly, our scheme not only resists most known attacks but also provides many desirable features, including user access control, user revocation, biometric reusability, and zero-error biometric verification.

2.6.2 Computation performance
Table 2.2 compares the computation performance of our proposed protocol with the most recently proposed biometric-based authentication schemes. As the number of subscribed services $k$ is small, the execution time of the polynomial interpolation operation $T_{LP}$ in our scheme is small. The computation costs of the fuzzy extractors $T_F$ in [14, 81, 83] depend heavily on the error-correcting code metric space $\Upsilon = \Gamma^n$. However, the authors did not consider how to reduce the execution time of this function. Intuitively, the execution time of our scheme is faster than that of [14, 81, 83]. Moreover, as our protocol does not need to communicate with the registration center to authenticate and negotiate a session key, it avoids the single point of failure as well as the computational burden on the RC. Finally, since our protocol utilizes some more parameters to construct the revocation and access control mechanism, its computation cost is a bit higher than that of [12, 15, 77, 78]. This is a trade-off between security and computation performance.

Table 2.1: Security feature comparisons

Feature                                        [76]  [77]  [78]  [15]  [12]  [81]  [14]  [83]  Our
Privileged insider attack resistance           No    No    No    Yes   No    No    No    Yes   Yes
On-line password guessing attack resistance    Yes   Yes   Yes   Yes   Yes   No    Yes   Yes   Yes
Off-line password guessing attack resistance   Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes
Stolen smart card attack resistance            Yes   No    No    Yes   Yes   Yes   No    Yes   Yes
Denial-of-service attack resistance            Yes   Yes   No    Yes   No    Yes   Yes   Yes   Yes
Known session keys attack resistance           Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes
User impersonation attack resistance           No    No    No    No    No    No    Yes   Yes   Yes
Server spoofing attack resistance              Yes   Yes   No    Yes   Yes   Yes   Yes   Yes   Yes
Man-in-the-middle attack resistance            Yes   Yes   No    Yes   Yes   Yes   Yes   Yes   Yes
Replay attack resistance                       Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes
Known session-specific temporary attack resistance  No  No  No  Yes  No  Yes  No  Yes  Yes
Known pre-shared key attack resistance         No    No    No    Yes   No    No    Yes   Yes   Yes
Mutual authentication                          Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes
Efficient authenticated key agreement phase    No    No    No    Yes   Yes   Yes   No    No    Yes
Efficient password change phase                No    Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes
User-friendly password change phase            Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes
Secret session key agreement                   Yes   Yes   Yes   Yes   No    Yes   Yes   Yes   Yes
Session key verification                       Yes   Yes   Yes   Yes   Yes   No    No    Yes   Yes
Table 2.2: Computation overhead comparisons
2.7 Chapter Summary
In this chapter, we point out the drawbacks of [12] and propose a novel three-factor authenticated key agreement protocol with revocation for multi-server architectures. To enhance security, Mishra et al. adopted a Biohash code and a smart card to protect parameters related to the human-memorable password. However, as in existing biometric-based schemes, their proposed scheme suffers from weaknesses due to the unavoidable biometric variation at each time of input. The common pre-shared key for all authorized servers is also vulnerable to multiple attacks. To overcome these security problems, we employ the Hamming distance to verify the Biohashing output and Lagrange polynomial interpolation to control access to the system. The proposed scheme is not only secure against all known attacks but also provides many desirable security features. The computation cost of our scheme is slightly higher than that of other schemes, as a legitimate user has to execute the login and authentication phases to change the password and Biohash code. This problem will be addressed in our future studies to enhance computation performance.

Chapter 3 Untraceable Biometric-based Three-party Authenticated Key Exchange For Dynamic Systems

3.1 Introduction
Communication over public channels has become primary and extensive in a diversity of applications. Notable progress in infrastructure and technology has brought participants the capability to reach online services and directly exchange information anywhere at any time. Nevertheless, the insecure channels also pose several risks for the related entities. To fulfill security requirements, the systems must provide participants with mutual authentication and negotiation of a secret session key to encrypt exchanged data. Since Lamport's pioneering work in 1981, numerous schemes for different network environments have been proposed to enhance security as well as reduce computation overhead. Conventionally, pre-shared values between two users, or between a user and a trusted server, are employed to design end-to-end AKA protocols. In dynamic and large-scale network environments, the user-server-user model is more efficient regarding the management of the pre-shared keys: an end-user may negotiate session keys with all other authorized users using only secrets shared with the server. Focusing on how the sensitive parameter is protected, the existing schemes may be divided into three groups: password-based, smart card-based, and biometric-based protocols. In the following, we briefly review the security analyses of the three-party authenticated key agreement (3AKA) protocols for all three categories.
The simplest approach utilizes the user's pre-shared password to authenticate and negotiate fresh session keys. In 1995, Steiner et al. [87] laid the foundation stone for designing three-party password-based authenticated key agreement (3PAKA) protocols. In their work, the shared passwords are adopted to hide a group element which is used to generate ElGamal-like session keys. Nonetheless, Steiner et al.'s scheme is vulnerable to several attacks, including off-line password guessing attacks [88], undetectable online password guessing attacks [89], and privileged insider attacks, among others. After that, numerous 3PAKA schemes have been introduced to enhance security and reduce communication and computation overhead. Though these protocols have obtained notable enhancements, the most recent 3PAKA schemes [16–20, 23, 90, 91] still inherit several flaws. Xiong et al. [17] demonstrated that 3PAKA schemes without public keys are susceptible to several attacks, including key compromise impersonation attacks and dictionary attacks. Farash and Attari [18] pointed out the weaknesses of Tso's scheme [16] and then introduced an enhanced version to defeat the shortcomings. Unfortunately, Wei et al. [23] showed that the scheme is still vulnerable to many attacks. Lin and Lee [19] introduced
a 3PAKA protocol for telecare medicine networks. The lack of the public key technique in the authentication process of these schemes, however, leads to several potential security risks, as explained in [17]. Tu et al. [20] suggested an enhanced scheme to avoid the weaknesses of Li et al. [90]. Nam et al. [91] introduced a general 3PAKA scheme formed from any two PAKA protocols. However, the above password-only schemes are not secure due to the drawbacks of keeping verification tables on servers that are not fully secure. Adversaries may compromise the verification table and then extract the secret data to launch several attacks, such as stolen verification table attacks, privileged insider attacks, and off-line password guessing attacks, among others. Additionally, none of the protocols [16–21, 23, 90, 91] provides end-users with identity privacy, which is a desired feature in various network systems, including healthcare, e-commerce, and peer-to-peer systems. To address the latency issue, some protocols [22, 27–29, 92–95] have recently proposed utilizing the semigroup of extended Chebyshev polynomials over a finite field. However, none of these schemes could resist all currently known attacks. Although Lee et al.'s scheme [92] achieves low computation and communication costs, it is still vulnerable to several weaknesses, including the modification attack [27], the man-in-the-middle attack, and the user anonymity attack [28]. Very recently, Xie and Wu [29] pointed out that Farash and Attari's schemes [93] could not resist the impersonation attack and the off-line password guessing attack. Nevertheless, their improved scheme does not provide users with the anonymity property. Islam [22] proposed an improved scheme to overcome the weaknesses of Zhao et al.'s protocols [94] and many other existing schemes. Unfortunately, we found that Islam's protocol is still vulnerable to the off-line password guessing attack, the key compromise impersonation attack, and the traceable attack. In terms of computational complexity, on the other hand, no efficient implementation of extended Chebyshev polynomials has been introduced in the literature. The time needed to compute the recursive formula over a prime finite field with the best algorithm [96] is no better than that of evaluating a modular exponentiation over the same field. Eventually, all protocols based on the extended chaotic maps have not achieved the goal of reducing computation costs.
In efforts to find solutions to improve the security of the existing 3PAKA schemes, various researchers have introduced smart card-based protocols to eliminate the storage of verification tables in the mediating server and to employ more security parameters to protect low-entropy human-memorable passwords. In 2004, Jaung [97] first proposed a three-party smart card-based authenticated key exchange (3SAKA) protocol using only hash functions and symmetric encryption. The protocol achieves several remarkable properties, including freely choosing and changing user passwords, no verification tables in the trusted server, low communication costs, and mutual user authentication. However, it does not provide users with password verification, and also cannot prevent the server from stealing users' passwords and session keys. Thus, the scheme is susceptible to several attacks, such as the denial-of-service attack, the user impersonation attack, the privileged insider attack, and the key compromise impersonation attack. Kwon et al. [24] and Yoon [98] proposed improved versions of Jaung's protocol to enhance security. Even so, these schemes still inherit vulnerabilities, as in the previous protocol, which allow not only the server to learn passwords and session keys, but also an adversary to extract the explicit form of the pre-shared secret from a stolen smart card. Wu [99] adopted the Diffie-Hellman technique on an elliptic curve to design an enhanced scheme that prevents the leakage of the session key to unrelated parties. However, the scheme does not provide any mechanism to verify the password and the session key. Zhao et al. [100] employed server public key techniques to construct an improved scheme to overcome the limitations of [101]. Nevertheless, it is still vulnerable to the off-line password guessing attack, the privileged insider attack, and the stolen smart card attack, as was pointed out in [102]. Some other protocols [26, 103] have recently been proposed to overcome the existing security weaknesses. Unfortunately, Park and Park [103] specified that Yang
et al.'s work [26] could not resist the off-line password guessing attack from the lost smart card and the privileged insider attack. Furthermore, none of the schemes [24, 26, 97–103] takes identity privacy into account to prevent adversaries from tracing the user's behavior and historical communications to gain advantages and launch other attacks. Focusing on providing user anonymity, Park and Park [103] and Li et al. [25] have recently proposed two smart card-based anonymous protocols employing the computational Diffie-Hellman assumption on an elliptic curve group and a generic group, respectively. In Li et al.'s scheme, the authors adopted a server's public key to conceal user identities and an elliptic curve cryptosystem to exchange session keys. Nevertheless, the protocol is vulnerable to several unpublished attacks, including the user impersonation attack and the denial-of-service attack, due to the identicalness of the challenge messages and the lack of password verification. On the other hand, the scheme does not truly provide users with anonymity, since it omits sending a session request message containing the identity of the initiator. Park and Park [103] introduced an improved protocol to eliminate the limitations of Yang et al.'s work [26]. However, the scheme does not properly provide mutual authentication since the successor user B cannot retrieve the identity of the initiator user A. More severely, Park and Park's protocol suffers from the impersonation attack to a considerable degree: any maliciously registered user in the system may masquerade as the successor B to the initiator A by generating similar messages using their own secret keys. Furthermore, the scheme is vulnerable to a password guessing attack from lost smart cards, since hackers may guess the relatively easy-to-remember password and the systematic identity.
Although 3AKA protocols can migrate the storage of sensitive information from a remote server to smart cards, most existing schemes can hardly resist off-line attacks once the smart card is compromised. Conventionally, two-factor protocols recover the shared long-term secret and other related parameters from low-entropy, human-memorable inputs. Moreover, the identity is a systematic value, so it can be guessed from a tiny key space. Therefore, if the data in a smart card are stolen, an attacker can run an off-line algorithm to guess both inputs and then launch further attacks to gain advantages. More security factors should thus be employed to construct more robust 3AKA protocols. To the best of our knowledge, Yoon and Yoo's 3AKA scheme has been the only one to date that utilizes a password, a smart card, and the user's biometric information to protect the other sensitive parameters. Unfortunately, we show that Yoon and Yoo's scheme is not only vulnerable to the traceability attack and the key compromise impersonation attack, but also suffers from a high false rejection rate (FRR).
As the above review shows, none of the existing 3AKA protocols can resist all known attacks while also providing users with identity privacy and revocation mechanisms.
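The off-line search described above, worked through in Python as an added illustration. This is not code from the thesis or from any scheme cited in this chapter: the card layout (B = h(ID, pw) ⊕ s, V = h(ID, pw, s)), the instantiation of h(.) as SHA-256, the biometric-derived key, and the sample identities and passwords are all assumptions of the example. It shows that, with only the stolen card contents, an attacker enumerating a systematic identity space and a small password dictionary recovers the identity, the password and the long-term secret without contacting the server, and that binding a high-entropy biometric-derived key into the same values defeats that search.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed example: a hypothetical two-factor card layout, NOT Yoon and
# Yoo's scheme or any scheme cited in this chapter.  The card stores
#   B = h(ID, pw) XOR s     (long-term secret s masked by the two inputs)
#   V = h(ID, pw, s)        (verifier used for local password checking)
# h(.) is instantiated as SHA-256 over the "|"-joined arguments (assumption).

DIGEST_LEN = 32


def h(*parts: bytes) -> bytes:
    """Hash function h(.) of the text, instantiated as SHA-256 (assumption)."""
    return hashlib.sha256(b"|".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def issue_two_factor_card(identity: str, password: str, secret: bytes) -> dict:
    """Card personalisation for the hypothetical two-factor layout."""
    idb, pwb = identity.encode(), password.encode()
    return {"B": xor(h(idb, pwb), secret), "V": h(idb, pwb, secret)}


def issue_three_factor_card(identity: str, password: str,
                            bio_key: bytes, secret: bytes) -> dict:
    """Same layout, but the mask and verifier also bind a high-entropy key
    derived from the user's biometric (assumed stable, e.g. a BioHash output)."""
    idb, pwb = identity.encode(), password.encode()
    return {"B": xor(h(idb, pwb, bio_key), secret),
            "V": h(idb, pwb, bio_key, secret)}


def offline_guess(card: dict, identity_space, dictionary):
    """Attacker's off-line search over both human-memorable inputs.

    Given only the stolen card contents, every (ID, pw) candidate is tested
    with two hash evaluations and no interaction with the server.  Returns
    (ID, pw, s) on success, None if the pair lies outside the search space
    or, for the three-factor card, because the biometric key is unknown and
    even the correct (ID, pw) pair no longer verifies.
    """
    for identity, password in itertools.product(identity_space, dictionary):
        idb, pwb = identity.encode(), password.encode()
        s_guess = xor(card["B"], h(idb, pwb))
        if hmac.compare_digest(h(idb, pwb, s_guess), card["V"]):
            return identity, password, s_guess
    return None


def demo():
    """Systematic identities (emp0000..emp9999) and a tiny password list:
    the whole two-factor key space is only 10,000 x 6 candidates."""
    secret = secrets.token_bytes(DIGEST_LEN)          # server-chosen long-term secret
    identities = [f"emp{n:04d}" for n in range(10_000)]
    dictionary = ["password", "123456", "qwerty", "letmein", "summer2018", "welcome"]

    card2 = issue_two_factor_card("emp0427", "summer2018", secret)
    recovered = offline_guess(card2, identities, dictionary)

    bio_key = secrets.token_bytes(16)                 # 128-bit biometric-derived key (assumed)
    card3 = issue_three_factor_card("emp0427", "summer2018", bio_key, secret)
    blocked = offline_guess(card3, identities, dictionary)
    return recovered, blocked


if __name__ == "__main__":
    rec, blk = demo()
    print("two-factor card  :", rec[:2] if rec else None)
    print("three-factor card:", blk)
```

The search cost is the product of the identity space and the password dictionary, which is why a systematic identity format hurts as much as a weak password: neither factor adds entropy the attacker cannot enumerate. The three-factor card is not magically safe, it only moves the attacker to the key space of the biometric-derived value, so that value must be both high-entropy and reproducible, which is exactly the FRR tension discussed for Yoon and Yoo's scheme.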
In this study, we analyze the weaknesses of a very recently introduced smart card-based scheme [22] and a three-factor protocol [30]. We then employ the user's biometric data and one-time random passwords to construct an untraceable authenticated key agreement protocol with user revocation and smart card revocation. Our scheme not only resists all currently known attacks but also overcomes the limitations of biometric information. The rest of this chapter is organized as follows: Sections 3.2 and 3.3 present the reviews and analyses of the schemes [22, 30]; the proposed scheme is given in Section 3.4; Sections 3.5 and 3.6 provide the security analysis and performance comparison; and the last section concludes the chapter.
3.2 Review of Yoon and Yoo’s Scheme
In this section, we briefly review the biometric-based three-party authenticated key exchange protocol of Yoon and Yoo [30]. In this work, the authors adopt a password, a token and the user's biometric data to model an authenticated key agreement protocol between two users A and B with the aid of a server S. The protocol includes three phases: (i) registration, (ii) authenticated key agreement, and (iii) password update.
3.2.1 Registration
Step 1. When a user U wants to join the system, U freely chooses an identity ID_U and a password pw_U^re, and imprints the biometric b_U^re at a sensor. Next, U submits ⟨ID_U, pw_U^re ⊕ b_U^re, h(pw_U, b_U^re)⟩ to the server S via a secure channel.
Step 2. Upon receiving the registration message, the server S computes v_U = h(ID_U, x) and