A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards

• Published in: IEEE transactions on information forensics and security Vol. 10; no. 9; pp. 1953 - 1966
• Main Authors: Odelu, Vanga, Das, Ashok Kumar, Goswami, Adrijit
• Format: Journal Article
• Language: English
• Published: New York IEEE 01.09.2015; The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
• Subjects: Access control to computer data; Authentication; AVISPA; BAN logic; Computational efficiency; Computer information security; Elliptic curve cryptography; Elliptic curves; Mobile communication systems; Network security; Passwords; Protocols; Revocation and re-registration; Security; Servers; Smart card; Smart cards; AVISPA; smart card; Security; revocation and re-registration; BAN logic; authentication
• ISSN: 1556-6013; 1556-6021
• DOI: 10.1109/TIFS.2015.2439964

Recently, in 2014, He and Wang proposed a robust and efficient multi-server authentication scheme using biometrics-based smart card and elliptic curve cryptography (ECC). In this paper, we first analyze He-Wang's scheme and show that their scheme is vulnerable to a known session-specific temporary information attack and impersonation attack. In addition, we show that their scheme does not provide strong user's anonymity. Furthermore, He-Wang's scheme cannot provide the user revocation facility when the smart card is lost/stolen or user's authentication parameter is revealed. Apart from these, He-Wang's scheme has some design flaws, such as wrong password login and its consequences, and wrong password update during password change phase. We then propose a new secure multi-server authentication protocol using biometric-based smart card and ECC with more security functionalities. Using the Burrows-Abadi-Needham logic, we show that our scheme provides secure authentication. In addition, we simulate our scheme for the formal security verification using the widely accepted and used automated validation of Internet security protocols and applications tool, and show that our scheme is secure against passive and active attacks. Our scheme provides high security along with low communication cost, computational cost, and variety of security features. As a result, our scheme is very suitable for battery-limited mobile devices as compared with He-Wang's scheme.