Abstract
With the rapid development of mobile services, the multiserver authentication protocol, with its high efficiency, has emerged as an indispensable security mechanism for mobile services. Recently, Ali et al. introduced a biometric-based multiserver authentication scheme and claimed that the scheme is resistant to various attacks. However, after a careful examination, we find that Ali et al.’s scheme is vulnerable to various security attacks, such as user impersonation attack, server impersonation attack, privileged insider attack, and denial of service attack, and that it fails to provide forward secrecy and three-factor secrecy. To overcome these weaknesses, we propose an improved biometric-based multiserver authentication scheme using an elliptic curve cryptosystem. Formal security analysis under the random oracle model proves that our scheme is provably secure. Furthermore, BAN (Burrows-Abadi-Needham) logic analysis demonstrates that our scheme achieves mutual authentication and session key agreement. In addition, the informal analysis shows that our scheme is secure against all currently known attacks and achieves the desirable features. Besides, the performance and security comparison shows that our scheme is superior to related schemes.
Highlights
Nowadays, millions of people enjoy various mobile services such as mobile shopping, mobile entertainment, and mobile learning, by using various mobile devices
(1) We prove that Ali et al.’s scheme suffers from user impersonation attack, privileged insider attack, server impersonation attack, denial of service attack, and known session-specific temporary information attack
(2) We propose a novel biometric-based multiserver authentication scheme using elliptic curve cryptosystem (ECC)
Summary
Millions of people enjoy various mobile services such as mobile shopping, mobile entertainment, and mobile learning, by using various mobile devices.

Afterwards, Chandrakar et al. [21] proved that Amin et al.’s scheme is susceptible to offline password guessing attack and impersonation attack, and fails to achieve user anonymity. He et al. [22] introduced a biometric-based multiserver authentication scheme using a fuzzy extractor and ECC and claimed that their scheme intrinsically achieves three-factor secrecy.

The adversary A gets Ui’s identity IDi by shoulder surfing and Ui’s biometric bi by

[Figure 1: Login and authentication phase of Ali et al.’s scheme.]

In case Ui’s smart card {DIDi, Ei, P, EKey(), Vi} and biometric bi are breached, the adversary is able to acquire Ui’s password via the following steps. Repeat Steps 1 and 2 until A finds the correct IDi and PWi. When the smart card and biometric of the user are compromised, the attacker is able to breach the password. Ali et al.’s scheme therefore fails to achieve three-factor secrecy.