Remote Login Authentication Scheme based on Bilinear Pairing and Fingerprint

Abstract

The bilinear pairing, also known as Weil pairing or Tate pairing, is widely used in cryptography and its properties help to construct cryptographic schemes for different applications in which the security of the transmitted data is a major concern. In remote login authentication schemes, there are two major requirements: i) proving the identity of a user and the server for legitimacy without exposing their private keys and ii) freedom for a user to choose and change his password (private key) efficiently. Most of the existing methods based on the bilinear property have some security breaches due to the lack of features and the design issues. In this paper, we develop a new scheme using the bilinear property of an elliptic point and the biometric characteristics. Our method provides many features along with three major goals. a) Checking the correctness of the password before sending the authentication message, which prevents the wastage of communication cost; b) Efficient password change phase in which the user is asked to give a new password after checking the correctness of the current password without involving the server; c) User anonymity - enforcing the suitability of our scheme for applications in which a user does not want to disclose his identity. We use BAN logic to ensure the mutual authentication and session key agreement properties. The paper provides informal security analysis to illustrate that our scheme resists all the security attacks. Furthermore, we use the AVISPA tool for formal security verification of our scheme.

1. Introduction

In the realm of computer networks, we save time and money by accessing the resources and services online. For innumerable day-to-day activities, we depend on the internet that makes our life much easier, for example, using ATM instead of waiting in long bank queues, booking e-tickets for train and flights, shopping through e-Commerce websites. Though these facilities are easily available and widely used all around the world, yet for accessing these services or resources, we depend on the transmission of data through the insecure channels. It involves a high risk of eavesdropping and intercepting of messages/resources by an adversary or enemy for his benefit. Thus, there is a need for a remote login authentication mechanism which can verify the legitimacy of a user and the service provider before exchanging the actual services.

In this paper, we propose a remote user authentication scheme that uses the bilinear property of an elliptic point and the biometric characteristics of the user. The bilinear property of an elliptic point and the user biometric can provide stronger security. The biometric enhances the security of the scheme as these characteristics of a person cannot easily be copied, guessed, stolen, forged or forgotten and are unique for every user. Thus, use of biometric with smart card and password provides three way authentication. Our proposed scheme checks the correctness of a password before sending the authentication message and as a result it avoids the communication cost in case a legal user or an adversary enters wrong password. In password change phase, it does not require the server’s involvement; thus, avoiding the communication cost. It hides the user identity, making it suitable for the applications where the user does not want to disclose his identity. Furthermore, it can resist many security attacks, such as replay attack, impersonation attack, password guessing attack, known key secrecy, denial of service attack, etc.

In order to design an efficient user authentication and key agreement protocol for accessing either a single server or multiserver system, the following security aspects should be achieved:

 

2. Related Works

Remote login authentication has wide applications, especially in today’s scenario, where most of the transactions are done using computer networks. This has led several researchers to develop secure schemes that can achieve all the security goals and requirements. Since the development of the remote scheme by Lamport [1], several schemes [2-22,28,32] have been discussed that use various approaches. These schemes have some pros and cons as far as the security features and security breaches are concerned. Now-a-days, bio-cryptography is emerging as a powerful solution for user authentication, which can combine the advantages of both conventional cryptography and biometric security [32]. Li and Hwang have discussed a biometric based remote user authentication scheme that uses the user biometric information to prove the legality of user [2]. In [3], Das points out the flaw of the scheme [2] and proposes a new security protocol. In [4], Lee et al. discuss a scheme by removing the security flaws in the Li et al.’s scheme [2]. The paper [5] shows that the Das’s scheme [3] does not resist the insider attack, password guessing, user and server impersonation attacks, and fails to achieve mutual authentication. Li et al. show that the Das’s scheme is vulnerable to the forgery and stolen smart card attacks and have enhanced the scheme in [7]. In [8], Chaturvedi et al. report that the schemes [5,7] are inefficient in the login phase as the user password has no role in these schemes; moreover, they cannot resist the replay attack and known session specific temporary information attack. The Chaturvedi et al.’s scheme [8] is based on the exponential computation, which makes it costly as it needs more bits for transmitting the authentication messages. There have been developed some schemes by using the elliptic curve property, which reduces the computational and communication costs as less number of bits is required to compute the elliptic curve points. The paper [9] discusses a scheme for smart card authentication using bilinear pairings that provides the users a facility to choose and change their passwords by their own choices. However, the papers [10-13] report its vulnerability. Juang et al. [10] report that the scheme [9] suffers from different attacks like replay attack, password guessing attack, forgery attack, etc. Furthermore, it lacks mutual authentication and verification of the old password in the password change phase. Fang et al. [11] improve the scheme [9] by removing its weaknesses. Giri and Srivastava [12] discuss an improvement over the Fang et al.’ scheme. Awashthi [13] shows that the Giri and Srivastava’s scheme is still insecure against the theft and on-line attack and discusses a better scheme. The Awasthi’s scheme [13], however, lacks the mutual authentication feature and cannot resist some important attacks. Yoon et al. [14] discuss an important authentication scheme. This scheme, as reported by Xie [15] scheme cannot resist the stolen-verifier attack, off-line password guessing attack. Xie [15] discusses an authentication scheme using the elliptic curve cryptography (ECC). Farash et al. [16] find that the Xie’s scheme [15] is also susceptible to the impersonation attack and off-line password guessing attack.

The above mentioned schemes do not provide the user anonymity. Based on the Farash et al.’s work [16], Zhang et al. [17] have recently discussed an authentication scheme with anonymity. Islam and Biswas discuss an ECC-based password authentication and key agreement scheme using a smart card [18]. Li [19] points out that the Islam and Biswas’s scheme [18] cannot resist the off-line password guessing attack, stolen-verifier attack, and insider attack and overcomes its drawbacks in his scheme. Lee et al. [20] discover that both the original and modified schemes [18,19] are vulnerable to the insider attack and they have overcome this problem in their scheme.

Tang et al. [21] discuss a scheme based on ECC; however, it does not check the password correctness before sending the authentication message, resulting in wastage of the communication cost. Karuppiah et al. [22] present a scheme, which is claimed to be more secure. It however uses exponentiation to compute the authentication messages; thus, increasing the cost of communication.

In this paper, we propose a new authentication scheme based on ECC and biometric, which fulfills all the security requirements, and also prevents the waste of communication cost. The rest of the paper is organized as follows. Section 3 gives the attacker model, which defines the capabilities of an adversary on an insecure channel. Section 4 provides preliminaries that are required for further discussion in the paper. In Section 5, we discuss our proposed scheme. Section 6 presents its security analysis and section 7 presents the security proof using BAN Logic. In section 8, we present the simulation of our scheme using the AVISPA tool and in section 9 the comparative performance of our scheme along with the related schemes is given. Finally, section 10 concludes the paper.

 

3. Attacker Model

In this section, we describe the risk of the authentication schemes. As an authentication protocol is executed over an insecure channel, the attacker has several advantages or capabilities. In the following, we present some valid assumptions:

 

4. Preliminaries

In this section, we briefly review the basic concepts of fuzzy extraction, ECC, bilinear pairings, and the related mathematical problems.

4.1 Fuzzy Extractor

A fuzzy extractor deals with non-uniformity and error tolerance [24-25,29-31]. It reliably alters biometric input information in a uniformly random string R in an error tolerant approach.

Therefore, it may be appropriate for the cryptographic schemes which use biometric. If the input changes, but remains closed, the extracted R remains the same. To assist in recovering R from the entered biometric, a fuzzy extractor outputs a public string P. P, known as Helper data, is derived only from the biometric template and the cryptographic key R is generated from the helper data and the biometric query B. If the biometric template and query are from the same user, then the generated keys will be the same with overwhelming probability [31]. A fuzzy extractor consists of a pair of efficient randomized procedures, Gen and Rep, which mean ‘generate’ and ‘reproduce’, respectively, as given below:

where B is biometric information, R and P are random strings generated by Gen.

where B* is biometric information and P is a public string used by Rep to reproduce R*.

To reproduce the same R, i.e., R=R*, the metric space distance between B and B* has to satisfy the verification threshold.

4.2 Elliptic Curve

The equation of a non-singular elliptic curve Eq(a, b) over a finite field Zq (q is a large prime number greater than 3) can be written as follows:

where a and b are constants such that 4a3+27b3 ≠ 0 mod q, which must be satisfied for its non-singularity.

Any point Q(x, y) ∈ Eq(a, b), x, y ∈ Zq together with O, called ‘point at infinity’ forms an additive cyclic group E = {(x, y) ∈ Eq(a, b)} ∪ {O},where O serves as the additive identity element of the group. The point addition and scalar multiplication with a point are defined as follows:

a. Point Addition

If Q(x1,y1) and R(x2,y2) are two points on an elliptic curve, the resultant point S(x3, y3) = Q + R is computed as follows:

b. Point Multiplication with a scalar value

The point multiplication with a scalar k is computed by repeated addition of k times as follows:

4.3 Bilinear Pairings

Let G1 denote an additive cyclic group of prime order q, and G2 a multiplicative cyclic group of the same order. A pairing is a map ê: G1 × G1 → G2, which satisfies the following properties:

4.4 Computational Problems

Definition 1: Elliptic Curve Discrete Logarithm Problem (ECDLP)

Definition 2: Computational Diffie–Hellman Problem (CDHP)

Definition 3: Decisional Diffie–Hellman Problem (DDHP)

 

5. Proposed Scheme

In this section, we propose an efficient remote login authentication scheme using fingerprint. There are two kinds of participants in our scheme: the login users and server. Each legitimate user can get services from the server only when he has registered with the server. So, a new user must register himself with the server to access the services. The scheme has five phases: initialization phase, registration phase, login phase, authentication phase, and password change phase. In the initialization phase, the server computes its public and private parameters. In the registration phase, the new user requests the server for registration and after some initial verification, the server registers the new user and provides a smart card to him. The smart card contains some user’s parameters. In login phase, a user must enter his secret values like identity, password, and biometric in the device attached to the system along with the smart card. In this phase, the correctness of the values entered by the user are first checked and then a login message is sent to the server. In authentication phase, the server first verifies the user’s legitimacy and then sends an authentication message to him. After receiving the authentication message, the user also verifies the server’s authenticity. Additionally, a session key is computed by both the participants, i.e. the user and server, for further communication in current login session. A password change phase is a feature provided in the scheme for giving a facility for a user to change his password whenever he wishes. Figs. 1 and 2 illustrate the proposed scheme and Table 1 consists of the notations used in our scheme. The detailed description of all the steps involved in the scheme is given below.

Table 1.Notations used in the Paper

Fig. 1.User Registration Phase

Fig. 2.Mutual Authentication and Key agreement

5.1 Initialization Phase

This is the setup phase of the system in which the server computes the public and secret parameters.

The server chooses G1 as an additive cyclic group of a prime order q, and G2 as a multiplicative cyclic group of the same order. It defines a bilinear mapping ê: G1 × G1 → G2. It also defines a cryptographic one-way hash function H and a Elliptic curve Eq(a,b).

The server selects a Base Point G on the elliptic curve and a secret key d and then computes the corresponding public key Qd = d⋅G. Finally, it publishes the system parameters {G1, G2, ê, q, G, Qd, H} and keeps d secret.

5.2 Registration Phase

This phase is used to register a new user with the server as only the registered users can access the server. To register himself as a new user, the user Ui first chooses his identity IDi and password PWi and then he registers his fingerprints Bi using a fuzzy extractor such that Gen(Bi) = (Ri, Pi), where Ri and Pi are random strings generated by Gen function. The PBi = H(PWi || Ri) is computed and the message {IDi, PBi, Pi} is sent to the server through a secure channel.

The server computes CIDi = (d||IDi)⋅G, HPWi = CIDi + PBi⋅Qd and A1i = (PBi ||IDi)⋅G.

The values {HPWi, A1i, G, Qd, q, Pi, H, Eq(a,b)} are stored in the smart card and it is sent to the user securely.

The user registration phase is summarized in Fig. 1.

5.3 Login Phase

When a user wants to log into the system, he inserts his smart card into the terminal attached with the system and keys in his IDi* and password PWi* into the terminal and also provides his fingerprint into the device.

The smart card computes Ri* = Rep(Bi*,Pi), PBi* = H(PWi* || Ri*) and A1i* = (PBi*||IDi*)⋅G.

If A1i* ≠ A1i, terminate request; otherwise, the smart card computes CIDi* = HPWi – (PBi*⋅Qd).

Proof: CIDi* = HPWi – PBi*⋅Qd = CIDi + PBi ⋅ Qd – PBi*⋅Qd = CIDi

The smart card generates a random number ru and computes A2i = ru⋅G, NIDi = IDi* + ru⋅Qd and A3i = ê((T1⋅ru⋅CIDi* + A2i), Qd), where T1 is the current time of login and it is assumed that the system is time synchronized.

The smart card sends the login message {NIDi, A2i, T1, H(A3i)} to server.

5.4 Authentication phase

The server receives a login message {NIDi, A2i, T1, H(A3i)} at time T2. It checks if (T2-T1) <ΔT, where ΔT is legal tolerant time. If (T2-T1) > ΔT, terminate a login session; otherwise, continue.

The server computes IDi** = NIDi – (d⋅A2i) and checks the format and existence of IDi**

It also computes CIDi** = (d||IDii**)⋅G and A3i* = ê(CIDi**,A2i)T1.d ⋅ ê(d⋅A2i,G).

Then the server compares H(A3i*) ?= H(A3i). If they are equal, the server authenticates the user; otherwise terminate login session.

Proof:

A3i* = ê(CIDi**, A2i)T1.d⋅ ê(d⋅A2i,G)

Further, the server chooses a random number rs and computes B1 = rs⋅G, B2 = rs⋅A2i, SK = H(CIDi** || SIDj⋅d⋅A2i || T3⋅B2), and B3 = H(SK||T3||CID**||S2), where SIDj is server’s identity and T3 is a time when the server sent the authentication message.

The server sends an authentication message {SIDj, B1, B3, T3} to smart card, which is received at time T4.

The smart card checks if (T4 – T3)<ΔT. If true, the smart card computes B2* = ru⋅B1, SK* =H( CIDi* || SIDj⋅ru⋅Qd || T3⋅B2*), and B3* = H(SK*||T3||CID*||B2*).

Finally, the smart card compares B3* = B3. If both are equal, the smart card authenticates the server; otherwise, login session is terminated.

Mutual authentication and key agreement feature of the scheme are summarized in Fig. 2.

Note: SK* = SK is a session key computed by both the user and server for this session.

5.5 Password Change Phase

In this section, we provide the password change procedure for a registered user of the system. If a user wants to change his password for any reason, he inserts his smart card into the terminal and keys in his IDi* and password PWi* into the terminal, and also gives his fingerprints into the device.

The smart card computes Ri* = Rep(Bi*,Pi), PBi* = H(PWi* || Ri*), and A1i* = (PBi*||IDi*)⋅G.

If A1i* ≠ A1i, then the process is terminated; otherwise, the smart card computes CIDi* = HPWi – PBi*⋅Qd, and the user is asked to enter new Password PWnew.

The smart card computes PBnew = H(PWnew || Ri*), A1new = (PBnew||IDi*)⋅G and HPWnew = CIDi* + PBnew⋅Qd.

Replace HPWi with HPWnew and A1i with A1new in the smart card. The password is successfully changed.

 

6. Informal Security Analysis of Proposed Scheme

Security analysis of a scheme determines its efficacy and robustness. In order to achieve all security requirements, this section presents the security features that our scheme provides, followed by all security attacks that our scheme can resist. Based on the capabilities of an attacker as mentioned in the attacker model in section 3, we assume that an adversary has the smart card information {HPWi, A1i, G, Qd, q, H, Eq(a,b)} and he also traps the communication messages {NIDi, A2i, T1, H(A3i)} and {SIDj, B1, B3, T3} between the user and server. Here we present the security analysis of our scheme and claim that it is highly secure against the attacks.

6.1 No Verification Table is Needed

In our scheme, the server does not store any secret value in its database. So, in case an adversary somehow accesses the database, there is no chance for him to get/alter the secret values of the user. Thus, due to absence of verification table, our scheme resists the stolen verifier attack.

6.2 Efficient Login Phase

In our scheme, before sending any authentication request to the server, the smart card checks the correctness of IDi and password PWi entered by the user. If a legal user by mistake enters the wrong password PWi*, the smart card itself terminates the login session. Thus, there is no wastage of computation as well as communication cost.

If PWi* ≠ PWi, then PBi* = H (PWi* || Ri) ≠ PBi

Therefore, A1i* = (PBi*||IDi*)⋅G ≠ A1i.

It means that when a smart card compares the computed A1i* with the stored A1i and finds the inequality, it stops further computation and terminates the login session. In this way, it reduces the extra overload on the communication channel. Thus, our scheme provides efficient login phase.

6.3 Efficient Password Change Phase

To change the password, the correctness of the password PWi, user identity IDi, and Ri are first checked by comparing A1i* with A1i by the smart card itself in a similar way as discussed above. If they match, the user is asked to give new password. The smart card then computes new values of HPWi and A1i and replaces the old values with new ones. In our scheme, the server is not involved in password change phase. Thus, there is no communication cost for changing the password and the user is free to change his password whenever he wishes.

6.4 Mutual Authentication

In mutual authentication, the user and the server both authenticate each other. They use their own secret keys to compute the authentication messages, which are used to verify their authenticity. In authentication phase, the server computes the following message to authenticate the user by using his private key d as CIDi** = NIDi – d⋅A2i, A3i* = ê(CIDi**,A2i)T1.d ⋅ ê(d⋅A2i,G). If H(A3i*) = H(A3i), the user is authenticated.

To authenticate the server, the smart card computes the following message using the user’s private value PWi*=PWi and Ri*=Ri as Ri* = Rep(Bi*,Pi), PBi* = H(PWi* || Ri*), CIDi* = HPWi – PBi*⋅Qd, B2* = ru⋅B1, SK* =H( CIDi* || SIDj⋅ru⋅Qd || T3⋅B2*) and B3* = H(SK*||T3)||CID*||B2*). If B3* = B3, the server is authenticated.

6.5 Session Key Agreement

In our scheme, we compute a session key for the current session when a user wishes to communicate with the server. It is to be noted here that the session key is a temporary value, which is accepted in a particular session and it is of no use in any other login session for the user. The session key depends on the temporary value selected by the user and the server. The SK = H(CIDi** || SIDj⋅d⋅A2i || T3⋅B2) is the session key computed by the server and the SK* =H(CIDi* || SIDj⋅ru⋅Qd || T3⋅B2*) is computed by the user. It may be noted that SK* = SK (proved). The unique key construction for each session ensures the key freshness property.

6.6 Resistance to Denial of Service Attack

In denial of service (DOS) attack, an adversary attempts to prevent a legal user from accessing the services. The adversary usually sends huge forged messages to make the network or server busy all the time. In our scheme, the correctness of the user’s secret values are checked before sending the login message for authentication. Furthermore, there is no role of the server in password change phase; thus, reducing the server load and network congestion as well. Thus, there is no chance of the denial of service attack.

6.7 User Anonymity Preservation

In our scheme, the user identity is stored in the encrypted form in the smart card as HPWi = CIDi + PBi⋅Qd, where CIDi = (IDi||d)⋅G. Finding IDi from (IDi||d)⋅G is a problem of the ECDLP, which is intractable. If somehow the data of the smart card are extracted by the adversary, even then he cannot recover the value of the IDi. The user identity is also encrypted in authentication message, which is sent on an insecure channel to the server as NIDi = IDi* + ru⋅Qd. If the adversary intercepts the message and finds NIDi, then, due to the problem of ECDLP, he cannot extract the random number ru and without knowing ru he cannot compute IDi*. Moreover, knowing A2i = ru⋅G and Qd =d⋅G, getting d⋅A2i is not feasible due to the CDHP problem. Thus, our scheme preserves user anonymity.

6.8 Resistance to Offline Password/Identity Guessing Attack

In our scheme, the IDi and PWi of a user are stored in the smart card in encrypted form and it is not easy to extract them. Therefore, to find the values of IDi and PWi, the adversary performs guessing both the values. We have already mentioned that an adversary can get lots of parameters (HPWi, A1i, NIDi, A2i, B1, B3,) from the smart card and the communicating messages during execution of the protocol. Our claim is that the attacker cannot guess and derive both IDi and PWi in polynomial time as discussed below.

6.9 Resistance to User-server Impersonation Attacks

As mentioned in the attacker model (section 3), we assume that an attacker can catch the transmitting messages as and when it is conveyed through the public channel and after making some alteration in a message, he can re-transmit the message for verification. If the re-transmitted message is somehow verified, the attacker can break the security system and access the server, which isnot possible in our scheme as discussed below.

The above discussion clearly states that our scheme is well protected against the user-server impersonation attacks and an adversary cannot build any valid messages for transmission to the desired entity.

6.10 Resistance to Privileged Insider Attack

Due to insider attack, several security systems had been broken. It is therefore essential to keep the user’s confidential information secret from the server (though the server is trusted). Some insider of the system (system manager or administrator) may use that information with other accounts on other server, as most of the users use the same password for a set of accounts. In our scheme, a user submits the hashed value PBi = H (PWi || Ri) to the server instead of the original PWi in the registration phase. Thus, an insider cannot extract the user’s password due to non-invertible one way function. Moreover, guessing the password is also infeasible due to two unknown parameters, as discussed earlier.

6.11 Resistance to Replay Attack

When an adversary uses the information that he intercepted from the previous transmission to impersonate as a legal user, it is called as a replay attack. In our scheme, we use timestamp as well as random numbers for sending the authentication messages {IDi, A2i, H(A3i),T1} and {SIDj, B1, B3, T3)}. The adversary cannot extract random numbers from the messages due to the ECDLP problem.

Case 1: If the adversary sends the same authentication message, the tolerable time delay ΔT will be exceeded and the session will be terminated.

Case 2: When the adversary intercepts the message and later sends it at current time T1' such as {NIDi, A2i, H(A3i),T1'}. The server accepts it and computes IDi** = NIDi – d⋅A2i, CIDi** = (IDi**||d)⋅G and A3i' = ê(CIDi**, A2i)T1'.d⋅ê(d⋅A2i,G). Here, H(A3i') ≠ H(A3i), due to different timestamps T1'≠T1. Thus, the login session will be terminated by the server and the replay attack is forbidden in our scheme.

6.12 Resistance to Known Session Specific Temporary Information Attack

In our scheme, the session key SK upon which the user and server agreed in a particular session does not leave any information. Thus, it is not easy for an adversary to compute another session key. The session key is not transmitted as a plaintext on an insecure channel, rather it is computed by the server and the user using their private keys. So, getting SK is very hard for the adversary without the knowledge of the private keys and random values. However, if the adversary somehow gets ru and rs, he cannot compute SK without CIDi.

If the adversary somehow gets the session specific temporary values SK, ru, and rs, it cannot affect other session keys. Extracting information from the session key is again a problem of the ECDLP. To compute the session key, the adversary needs a fresh random value of the current session and the secret value of the server. Thus, knowing the temporary value of any session, the adversary cannot find the keys of another session.

6.13 Perfect Forward/Backward Secrecy

In perfect forward/backward secrecy, a session key derived from a set of long-term keys (i.e. IDi and d) will not be compromised even if one of the long-term keys is compromised in future. Here, we assume that the long-term secret key d of the server is disclosed by some means to an attacker and he tries to compute the previous session key SK = H(CIDi** || SIDj⋅d⋅A2i || T3⋅B2) = H(CIDi* || SIDj⋅ru⋅Qd || T3⋅B2*), where CIDi** = (d||IDi)⋅G and B2 = rs A2i = ru⋅B1. However, knowing only the secret key d, the attacker cannot compute the previous session key due to other secret parameters, namely, IDi, rs and ru as it has already been proved that extracting these values is not possible due to the ECDLP computational problem. Furthermore, if we assume that the session key of the protocol is compromised to the attacker, the attacker tries to compute the previous session key. The attacker cannot extract any secret parameters such as d and B2 from the session key SK=H(CIDi* || SIDj⋅ru⋅Qd || T3⋅B2) = H(CIDi** || SIDj⋅d⋅A2i || T3⋅B2) due to non-invertible one way hash function and hence he cannot compute the previous session key. Thus, our scheme preserves the perfect forward/backward secrecy property.

6.14 Resistance to Stolen Smart Card Attack

Suppose an attacker steals the smart card and somehow extracts the smart card parameters {HPWi, A1i, G, Qd, p, H, Eq(a,b)} and wants to generate a login message {NIDi, A2i, H(A3i),T1}. To compute A3i, the attacker needs CIDi* = HPWi – PBi*⋅Qd and for computing PBi*, the user IDi, password, and biometric value are needed. In some schemes, if the adversary finds the smart card, he can change the password by password guessing attack. However, in our scheme, IDi is also kept secret and it has already been proved that guessing attack is infeasible to guess IDi, PWi, and Bi. It means that even after getting the smart card’s parameters the adversary cannot extract the correct values of IDi, PWi and Ri to generate any valid message. Thus, the stolen smart card's attack is not effective in our scheme.

 

7. Authentication Proof based on BAN logic

In this section, we apply the BAN logic, a tool for analyzing authentication schemes [26]. The BAN - logic uses three objects: principals, encryption keys, and formulas (also called statements for identifying messages with a statement). We use symbols M and N as principals, X and Y range over statements, and K represents the cryptographic key.

We use same notations as in the BAN-logic for our demonstration.

M|≡X : The principal M believes a statement X.

M◁X: The principal M sees the statement X.

M|~X: M once said X.

M⇒X: M has jurisdiction over X. (Used when the principal has delegated authority over some statement).

#(X): X is fresh, that is, no principal sent X in a message before the current run of the protocol.

: M and N communicate using shared K. Moreover, K will never be discovered by any principal except M and N, or a principal trusted by either M or N.

{X}K : This stands for X encrypted under the K.

Y : This stands for X combined with Y.

(X)K : This stands for X hashed with key K.

K|→M : K is the public key of M and M has a corresponding secret key K-1.

Besides, we present some main logical BAN-logic postulates for proving our scheme.

Message meaning rule:Message meaning rule:

Nonce verification rule:

Jurisdiction rule:

Freshness rule:

Believe rule:

All authentication schemes need to achieve four main goals between user Ui and server Sj. Following are the required goals:

Following are the assumptions made about the initial state of the scheme to analyze the proposed scheme:

We now analyze our scheme’s idealized form based on the BAN logic rules and the assumptions:

Message 1: Ui →Sj :

According to seeing rule

R1: Sj ◁ <{IDi}Qd, A2, ({T1, A2i}CIDi), T1>

According to A5 and R1 and message meaning rule, we get

R2: Sj |≡ Ui |~(IDi,T1 ,A2i)

According to A1, A4 and R2 and freshness-conjuncatenation rule and nonce verification rule is applied, we get

R3: Sj |≡ Ui |≡( IDi,T1 ,A2i)

According to A5, A6, A9 and R3 and Believe rule

According to A10 and R4 and Jurisdiction rule

Message 2: Sj →Ui: < SIDj, B1, B3, T3>

According to seeing rule

According to A6, A7 and R6 and message meaning rule, we get

According to A2, A3 and R7 and freshness-conjuncatenation rule and nonce verification rule is applied, we get

Therefore, according to Believe rule:

According to A11 and R9 and Jurisdiction rule

According to A12, A9 and R8 and Jurisdiction rule

R12: Ui |≡ (SIDi, B2)

Since, CIDi, SIDj, B2i are the main factors to compute, SK for smart card, According to R12, A6, A7 and message meaning rule

According to A10 and R13 and Jurisdiction rule

The above discussion clearly proves the stated objectives using the BAN logic and it is also proved that the proposed protocol achieves mutual authentication and session key agreement between the Ui and Sj.

 

8. Simulation of Proposed Scheme using AVISPA Tool

We first briefly discuss about the AVISPA tool and then followed by the basic specification and simulation result of the proposed scheme.

8.1 Brief Description of AVISPA Tool

The Automated Validation of Internet Security Protocols and Applications (AVISPA) [33] is a freeware tool for formal security verification of the security protocols to check if a given security protocol is SAFE or UNSAFE. The basic architecture of the AVISPA tool is shown in Fig. 3.

Fig. 3.Basic Architecture of AVISPA Tool

The AVISPA, a role-oriented language, is based on the Dolev-Yao [34] intruder model in which each participant plays a role during the protocol execution. It implements four different back-ends and abstraction based methods, called as On-the fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC), and Tree Automata based on Automatic Approximations, for the Analysis of Security Protocol (TA4SP). Based on these four back-ends, the output format (OF) is generated and the successful execution OF reports if the protocol is safe or unsafe and under what condition the output is obtained. The specifications for the protocol to be evaluated are written in High Level Protocol Specification Language (HLPSL) and they are translated into a low-level specification by a translator, called hlpsl2if, that generates the specifications into an intermediate format, called intermediate format (IF), a lower level language, that can directly be read by the back-ends of the AVISPA tool. To analyze a given cryptographic protocol with the AVISPA, the following steps are executed:

8.2 Brief Specification of Proposed Scheme

To validate and examine the security properties of our proposed scheme, we implement it using the HLPSL language in the AVISPA tool. The role specifications of the user Ui and server Sj are given in Figs. 4 & 5, respectively. The proposed scheme is analyzed in the OFMC and CL-AtSe back-ends, and the corresponding results are given in Figs. 7 & 8. From these simulation results, the proposed scheme indeed shows its strong security assurance against both the passive and active attacks. The type declaration channel(dy) means that the channel is for the Dolev-Yao threat model [34]. The Bilinear, Product, Subtract, Add, Mul, and H represents bilinear operation, scalar point multiplication, Point subtraction, point addition, scalar multiplication, and hash functions, respectively.

Fig. 4.Role specification in HLPSL for user Ui of our scheme

Fig. 5.Role specification in HLPSL for the server Sj of our scheme

In Fig. 4, we have presented the role for the user Ui. Here, Transition 1 starts with the registration of the user. For this, the Ui initially sends the registration message Snd(IDi'.PBi'.Pi') to server Sj through a secure channel using Snd() operation and symmetric key SK1. The declaration secret({IDi}, subs1, {Ui,Sj}) specifies that the {IDi} is known to user and server only, whereas the secret({PWi, Bi, Ri}, subs2, Ui) specifies that the (PWi, Bi, Ri) is known only to user Ui. In transition 2, the user Ui receives the smart card information Rcv({HPWi.A1i.G.Qd.Pi}_SK1) using Rcv() operation securely and generates a random nonce Ru' and timestamp T1' using new() operation. The user Ui sends Snd(NIDi,A2i,T1,H(A3i) to server Sj through a public channel.

The declaration witness(Ui,Sj,user_server,Ru') indicates that the user Ui freshly generated the value Ru' for Sj and the declaration request(Ui,Sj,user_server,Ru') means that the Sj authenticates user Ui. Furthermore, the declaration secret({Ru'},subs3,{Ui}) says that the random number Ru' is only known to Ui and the declaration secret({A3i},subs4,{Ui,Sj}) says that {A3i} is known to {Ui, Sj} only. In transition 3, it says about the authentication phase, the user Ui receives Rcv(SIDj,B1,B3,T3) through a public channel and after receiving it, the user Ui computes the session key SK':= H(CIDi.Product(SIDj,Product(Ru,Qd)).Product(T3,B2)) of the protocol.

In Fig. 5, we have presented the role of the Server Sj. In transition 1, the Sj chooses a generator G and generates own secret D' using new() operation and computes the public key Qd = Product(D.G). In transition 2, Sj receives Rcv({IDi'.PBi'.Pi'}_SK1) securely from the user Ui as the registration request. After computing the smart card parameters, Sj sends Snd({HPWi.A1i.G.Qd.Pi}_SK1) securely to user Ui. The declaration secret({D},subs5,{Sj}) shows that D is secretly known only to Sj.

In transaction 3, the Sj receives (NIDi,A2i,T1,H(A3i)) from the user Ui through a public channel. After computing the secret values, it generates a random number Rs' and timestamp T3' with the help of new() operation. The Sj computes authentication message and sends Snd(SIDj,B1',B3',T3') to the user Ui through a public channel. Here, the declaration secret({Rs'},subs6,{Sj}) says that the parameter Rs' is known only to Sj. Moreover, witness(Sj,Ui,server_user,Rs') shows that Sj freshly generates Rs' for the user Ui and request(Ui.Sj,server_user,Rs) shows that the Sj authenticates Ui.

In Fig. 6, we have presented the role for the session, and the roles for the goal and environment. In session segment, all the basic roles including the roles for Ui and Sj are given along with actual arguments. The environment section contains the global constant and composition of one or more sessions. The intruder knowledge is also given in this section. It is clearly shown that all the transmitted messages between the entities and smart card parameters are provided. To make this protocol SAFE, 7 secrecy goals and two authentications are provided between the goal and the end goal that are to be verified in the environment section, which is given as follows:

Fig. 6.Role specification in HLPSL for the session and environment of our scheme

Security Goals

Authentication goal

8.3 Simulation Results

The simulation results for formal security verification of our scheme using OFMC and CL-AtSe back-end are shown in Figs. 7 and 8, respectively. It is clear from the SUMMARY (Figs. 7&8) of results under OFMC and CL-AtSe back-ends that our method is SAFE. As a result, our scheme is secure against the passive and active attacks such as the replay and man-in-the-middle attacks.

Fig. 7.Simulation result for OFMC back-end

Fig. 8.Simulation result for CL-AtSe back-end

 

9. Performance Analysis

In this section, we present a comparative study of our scheme along with other related schemes. The measure of our comparisons is the communication cost (refer Fig.9), computation cost (refer Table 2), and security features (refer Table 3).

Fig. 9.Graphical representation of communication cost of various schemes

Table 2.Computational cost in Login and Authentication phases of various schemes

Table 3.Here, Y = Yes, N =No, - =Not Applicable

For 163-bits elliptic curve cryptosystems and 1024-bits RSA security level, one scalar multiplication of elliptic curve point is roughly 5–15 times as fast as the RSA signing operation depending on the optimization and platform [23]. Also, one MD5/SHA operation is roughly 10 times as fast as one DES encryption/decryption operation and one DES encryption/decryption operation is roughly 1000 times as fast as the 1024-bit RSA signing operation. For fair comparisons, we assume that the identifications can be represented with 32 bits, the size of a timestamp is 32 bits, a point on an elliptic curve can be represented with 163 × 2 = 326 bits, the output size of the secure one-way hash functions is 160 bits, the size of a random number is 64 bits, and the size of an exponent result is 1024 bits. Thus, the communication cost of our scheme is 326+326+32+160 +32+326+160+32 =1394 (refer Fig.9). We find that our scheme needs very less communication cost as compared to the schemes [8,22] since we have used the ECC to compute the authentication message. The ECC takes fewer bits as compared to the RSA because it uses exponential function. However, our scheme requires higher cost as compared to the schemes [9,10,13,17,21] since these schemes have not considered the following attacks such as replay attack, insider attack, forward secrecy attack, and denial of service attack. Moreover, the schemes [9,13] do not provide mutual authentication between a user and the server (refer Table 3). In authentication schemes, the security is of prime concerned; therefore, paying a little more cost for gaining more security is justifiable.

In Table 2, we have presented the computational cost of our scheme along with other related schemes [8-10,13,17,18,20-22]. Here, PM, PA, H, C, BP, EN, X, E represent the time Complexity of point multiplication on the Elliptic Curve, point addition on Elliptic Curve, Hash function, Concatenation, Pairing operation, Enc/Dec, XOR operation and Exponentiation, respectively.

In Table 3, we have presented a comparative study of the security features for our scheme and other related schemes. As evident from Table 3, our scheme provides maximum security features as compared to the schemes under consideration. We can also see that the schemes having same security features in Table 3 [8,22] take much more communication cost (refer Fig. 9) to achieve these security goals, which makes our scheme better than other schemes.

 

10. Conclusion

In this paper, we have discussed a new remote login authentication scheme using the bilinear property of a elliptic point and fingerprint that achieves various secure goals and requirements. In this scheme, a user and the sever both authenticate each other to enhance its security. A user can choose and change his password at any time, whenever he wishes. No wastage of communication cost takes place in our scheme if wrong password is entered and the communication cost is also saved during the password change phase. Using elliptic point computation makes the scheme fast as it needs fewer bits as compared to the exponentiation. The bilinear property, use of biometric, and the design of algorithm make it very secure. It is suitable for the applications where high security is required.