Abstract
In multi-server environments, user authentication is a very important issue because it provides the authorization that enables users to access their data and services; furthermore, remote user authentication schemes for multi-server environments have solved the problem that has arisen from user’s management of different identities and passwords. For this reason, numerous user authentication schemes that are designed for multi-server environments have been proposed over recent years. In 2015, Lu et al. improved upon Mishra et al.’s scheme, claiming that their remote user authentication scheme is more secure and practical; however, we found that Lu et al.’s scheme is still insecure and incorrect. In this paper, we demonstrate that Lu et al.’s scheme is vulnerable to outsider attack and user impersonation attack, and we propose a new biometrics-based scheme for authentication and key agreement that can be used in multi-server environments; then, we show that our proposed scheme is more secure and supports the required security properties.
Highlights
Since Lamport [1] proposed the first password-based authentication scheme for insecure communications in 1981, password-based authentication schemes [2,3,4,5,6] have been extensively investigated
Lu et al proposed a biometrics-based smart card scheme for authentication and key agreement that can be used in multi-server environments, claiming that their scheme is secure against a variety of known attacks; we found that Lu et al.’s scheme is still insecure and is incorrect regarding the login and authentication phase
We concentrate on the security weaknesses of Lu et al.’s biometrics-based authentication scheme. We found that their scheme does not effectively resist outsider and impersonation attacks; to resolve these security vulnerabilities, we propose a new biometrics-based scheme for authentication and key agreement that can be used in a multi-server environment
Summary
Since Lamport [1] proposed the first password-based authentication scheme for insecure communications in 1981, password-based authentication schemes [2,3,4,5,6] have been extensively investigated. 1. A generates a random number n01 and computes M1 = K È IDi, M2 1⁄4 n01 È K, M3 = K È h (PWi k H(BIOi)) and Zi 1⁄4 hðXi k n01 k hðPWi k HðBIOiÞÞ k T10 Þ; A sends the login request message fZi; M1; M2; M3; T10 g to server Sj, where T10 is the current timestamp. 2. After receiving the registration request message from Ui, the RC generates a random number yi that is unique to Ui. the RC computes Vi = h(IDi k PWDi), Wi = h(yi k PSK) È IDi, Xi = h(IDi k x), and Yi = yi È h(PSK), followed by the storage of {Vi,Wi,Xi,Yi,h(Á),H(Á)} by the RC onto a smart card and the submission of them to Ui. Ui Sj SCi RC IDi SIDj PWi BIOi x yi PSK T h(Á) H(Á) È,k doi:10.1371/journal.pone.0145263.t002. Q has jurisdiction over and P believes that Q believes X , P believes X
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
