Lightweight and privacy-preserving multi-server authentication scheme based on PUF and biometrics

Abstract

With the development of wireless communication technology and the rapid increase of user data, multi-server key agreement authentication scheme has been widely used. In order to protect users’ privacy and legitimate rights, a two-factor multi-server authentication scheme based on device PUF and users’ biometrics is proposed. The users’ biometrics are combined with the physical characteristics of the Physically Unclonable Functions (PUF) as authentication factors, which not only ensures the security of the scheme, but it also is user-friendly without a password. The proposed scheme can be applied to telemedicine, smart home, Internet of Vehicles and other fields to achieve mutual authentication and key agreement between users and servers. In order to prove the security of the proposed scheme, the widely accepted ROR model and BAN logic are used for formal security analysis. The scheme can effectively resist various security attacks, and the comparison with existing schemes shows that it has better performance in terms of communication cost and computational complexity.

Keywords

Multi-server physical unclonable function password-free mutual authentication biometric security and privacy

1 Introduction

1.1 Related work

With the in-depth development of mobile network technology, all kinds of online services bring great convenience to people’s life. Online office, online teaching and remote medical treatment can be realized without leaving home. In the case of the COVID-19 outbreak in 2020, these services not only minimized the impact of the epidemic on people’s normal life, but also reduced face-to-face contact between people, which brought the epidemic under control quickly. In order to meet the needs of work and life, users and servers transmit information through a common channel to obtain various application services. Because public channels are open to all, these communications are vulnerable to be intercepted, wiretapped or modified by adversaries. In order to ensure the security of communication content between legitimate users and servers, the key agreement authentication scheme is proposed. The authentication scheme can ensure that only the communication parties can crack the messages encrypted by the session key. Even if the adversary obtains these messages, he can not know the real content of the communication between the two parties.

Since Lamport [1] proposed the first password-based key agreement authentication scheme in 1981, various single-server authentication schemes have been proposed successively. Most password-based authentication schemes require a password table to verify the validity of the user identity. However, protecting the security and integrity of password tables is a particularly difficult task. In addition, the password-based single factor authentication scheme can only realize one-way authentication between the server and the user, and the user cannot verify whether the server is legitimate, which leads to many network fraud events. ElGamal et al. [2] found that the existing password-based authentication schemes are difficult to resist the attack of replaying previously intercepted login requests and proposed an improved scheme, which is based on digital signature and does not need the system to maintain password files. Later, smart cards and biometrics were added to the authentication scheme [3–7] to further protect the security of users’ private data and the ability of the scheme to resist various security attacks.

With the rapidly increasing of Internet users and the diversification of network service resources, in order to achieve resource sharing and data communication in a secure way, the single-server user identity authentication schemes are unable to meet people’s needs, and the multi-server authentication scheme have been widely used [8–11]. The authentication schemes consist of three entities: user, server, and registration center (RC). After registering in the RC, users can access all registered servers.

Based on employed cryptographic mechanisms, the existing multi-server authentication schemes can be divided into the following six categories [12]: Finite Field Cryptography(FFC), Integer Factorization Cryptography(IFC), Chaotic-map-based cryptography, Elliptic Curve Cryptography(ECC), pairing-based cryptography and One-way hash and symmetric encryption. Except for the schemes based on one-way hash and symmetric encryption, other authentication schemes are based on the mathematical problems of asymmetric cryptography.

The authentication schemes based on FFC assume that the discrete logarithm problem(DLP) is difficult to solve. In 2013, Pippal et al. [13] proposed a multi-server authentication scheme based on smart card, which omitted the use of password table and allowed registered users to access the services provided by all authorized servers. Burrows-Abadi-Needham (BAN) logic was used for formal security analysis of the proposed scheme, so as to prove the security of their proposed scheme. Several researchers [14–17] have found that the scheme is difficult to resist offline password guessing attack, masquerading attack, privileged internal attack and other security defects, and put forward improved schemes for this scheme. However, [18] found that the improved scheme [16] still has security vulnerabilities such as denial of service attack, privileged insider attack and password guessing attack.

The security of authentication schemes based on integer factorization cryptography depends on the intractability of factoring a large integer. TsaurW et al. [19] proposed the first multi-server authentication scheme based on IFC. However, their scheme can only complete the mutual authentication between the user and the server, and cannot realize the key agreement. Since then, a large number of IFC-based authentication schemes [20–22] have been proposed.

Chaotic map-based conditional privacy- preserving authentication scheme is widely used in smart grid [23], healthcare telemedicine services [24], wireless sensor network [25], vehicle network and other fields [26]. The security of such schemes depends on the DLP and Diffie-hellman conundrum. Meshram et al. [27] proposed and promoted a multi-server authentication and key agreement protocol based on Mittag-Leffler-Chebyshev Summation Chaotic Map (MLCSCM). MLCSCM is used to replace the random number or time stamp in the traditional multi-server authentication scheme to realize the function of resisting replay attacks. Vivekanandan et al. [28] combined fuzzy extraction, elliptic curve encryption and chebyshev chaotic map techniques to propose a multi-server authentication scheme, which is applied to mobile cloud environment and includes three stages: registration stage, mutual authentication and key agreement stage and update stage.

The security of elliptic curve-based authentication schemes depends on the difficulty of solving elliptic curve DLP (ECDLP) and elliptic curve Diffie-hellman problem (ECDHP). Compared with FFC-based cryptosystem and IFC-based cryptosystem, elliptic curve cryptography(ECC) has more compact key length and more efficient operation [29–32], so it can save more storage space and have higher operation efficiency. The difficulty of solving Diffie-hellman problem on elliptic curve determines the security of pair-based cryptography schemes. Sengupta et al. [33] proposed a multi-server authentication scheme based on elliptic curve and bilinear pairing. In their scheme, user password and smart card update function are provided to solve the security problems caused by password leakage or smartcard loss of user privacy data.

In terms of computing speed and complexity, hash function is more advantageous than ECC, dot product operation, bilinear pairing operation, RSA encryption and decryption operation, chaotic mapping and other methods [34, 35]. Kumar-Om [36] proposed a hash-based multi-server key agreement authentication scheme and claimed that this scheme can resist all well-known security attacks. Haq et al. [37] found that Kumar-Om’s scheme had incorrect login stage, and can’t resist tracking attack, the session-specific temporary information attack and key compromise impersonation attack, and put forward an improved scheme. However, we find that the scheme of Haq et al. is still not resistant to server simulation attack, session key attack and offline identity guessing attack when a server is leaked. To solve this problem, we propose a further improvement scheme. In the improved scheme, the key compromise impersonation attack is solved. Meanwhile, the uniqueness of user’s biological characteristics is combined with the physical uniqueness of device PUF, which enhances the security of the scheme and facilitates user’s use without password. Both formal and non-formal methods are used to prove that the proposed scheme has good performance in security and computational complexity.

The rest of the paper are organized as follows. In the second section, we briefly introduce fuzzy extractor, one-way hash function and physical unclonable function. The third and fourth sections briefly review and analyze the safety of Haq scheme. The fifth section describes our scheme in detail. In sixth section, the formal and informal security analysis of our scheme is carried out. The seventh section compares the security and cost of the proposed scheme with some existing schemes. The eighth section summarizes the whole paper. The Figs. 1 and 2 shows the proposed system model and system flow chart in multi-server environment.

Fig. 1

System model.

Fig. 2

System flow chart.

1.2 Adversarial model

All users and servers are untrusted. The RC is completely trusted, and the keys stored in the RC are secure over the long term.

All cryptographic primitives used are secure. The channels used to transmit user and server information is open to adversaries, who can modify, store, delete, and retransmit all information on the channel.

Adversaries can steal the smart cards of legitimate users and obtain useful information stored on the smart cards by launching side-channel attack.

Users and servers that have registered with RC can impersonate adversaries.

An adversary can launch an attack by combining the information intercepted from the channel with the information stolen from the smart card.

1.3 Contributions

We briefly summarize the scheme proposed by Haq et al. [37], and find that their scheme is still unable to resist key compromise impersonation attack, and analyze the reasons for the defects of Haq’s scheme.

An improvement of Haq’s scheme is proposed, which can effectively solve the security defects of their scheme.

A password-free scheme is proposed. In this scheme the user’s biometric key K_u is used as the challenge of the device PUF, and the uniqueness of the user is combined with the uniqueness of the physical device to make the scheme have higher security. The proposed scheme is convenient for users and saves the storage space of the server.

The widely accepted BAN logic and ROR are used to formally prove the security of the proposed protocol. At the same time, the informal analysis proves that the proposed protocol is secure.

The proposed protocol is compared with some multi-service authentication schemes in terms of computational complexity, communication overhead and security, which proves that the proposed scheme is lightweight and secure.

2 Preliminaries

2.1 Fuzzy extractor

Due to the influence of angle, age, stains and other factors, there are differences between the feature templates obtained by a certain feature of the same user. If the difference is within the given hamming distance threshold, the two biometric templates are taken as input and the same biometric key can be obtained by using a fuzzy extractor [38]. The fuzzy extractor consists of two parts: Gen and Rep, in which Gen is a probabilistic function and Rep is a deterministic function.

Gen: Defined as (K, hd) ← Gen(B). The meaning of these symbols are as follows: B represents the binary string generated by the user’s biometrics. K is the generated biometric key, which is classified and does not need to be saved. hd stands for auxiliary data, which is public and used to assist in generating biometric key K during user authentication.

Rep: Defined as (K) ← Rep(B’, hd). When the difference between the biometric string B’ given when user authentication and the biometric string B at the time of registration is within a given Hamming distance threshold, the biometric key K can be restored with the help of auxiliary data hd.

2.2 One-way hash function

The binary string of arbitrary length generated by the user’s biometric template is input into the one-way hash function H(·), and the length of the output binary string is fixed. If one bit of the input string changes, the output string will change completely. In addition, the one-way hash function also has the following features:

Preimage resistance: Input the arbitrary length string m into the one-way hash function H(·) to obtain a uniform random string n of fixed length, that is, H(m)=n. Even if H(·) and n are known, it is not feasible to calculate m.

Weakly collision resistance: Given the string m, it is computationally infeasible to find another unequal string M’ satisfying H(m)=H(M’).

Strong collision resistance: It is computationally infeasible to find two unequal strings M₁ and M₂, which satisfy the condition H(M₁)=H(M₂).

2.3 Physical Unclonable Function (PUF)

PUF can be defined as the unique and non-reproducible physical characteristics generated by the influence of temperature, voltage, electromagnetic interference and other factors in the manufacturing process of integrated circuits [39]. In the Challenge/ Response Mechanism, the same challenge input into different PUF will produce different responses. Different challenge inputs into the same PUF will produce different responses. The same response will be generated if the challenges and PUF used are the same twice. This physical property is irreversible, so the challenge cannot be obtained inversely from the response, which is difficult to be simulated by mathematical function. Therefore, PUF is often regarded as a one-way physical function [40], which is widely used in key generation, identification and authentication.

Besides, the symbols commonly used in the rest of the paper are given in Table 1.

Table 1
Notations

Symbol Description

U_i i^th user

S_j j^th server

RC Registration Center

SID_j Identity of server S_j

ID_i Identity of user U_i

Bio_i Biometric data of user U_i

G_i Response of the PUF_i for R_i

b_i Random nonce genereated by RC for SID_j

P ₁ RC’s private key

P ₂ RC’s private key

h(·) One-way hash function

|| Concatenation operation

⊕ Exclusive-OR operation

FE Fuzzy extractor

PUF_i Physically uncloneable functions of U_i

SD_i The intelligent terminal of U_i

RD Remote Database

Symbol	Description
U_i	i^th user
S_j	j^th server
RC	Registration Center
SID_j	Identity of server S_j
ID_i	Identity of user U_i
Bio_i	Biometric data of user U_i
G_i	Response of the PUF_i for R_i
b_i	Random nonce genereated by RC for SID_j
P ₁	RC’s private key
P ₂	RC’s private key
h(·)	One-way hash function
\|\|	Concatenation operation
⊕	Exclusive-OR operation
FE	Fuzzy extractor
PUF_i	Physically uncloneable functions of U_i
SD_i	The intelligent terminal of U_i
RD	Remote Database

3 Review the Haq scheme

The application server registration phase, user registration phase, login and mutual authentication phase, Password & biometric change phase in Haq [37] scheme are described as follows:

3.1 Application server registration phase

The application server S_j sends a registration request to the RC through a secure channel. RC randomly selects a unique identity SID_j for S_j, and computes secret key h(SID_j||Q) by using RC’s private key, and sends {h(SID_j||Q),h(Q)} to S_j. Finally, S_j safely stores the received values.

3.2 User registration stage

U_i selects ID_i, a_i and PW_i as his unique identity, random number and password, inputs his biometric template bio_i into the generation function of the fuzzy extractor and calculates Gen(Bio_i)=(pr_i, pu_i) to obtain the key pu_i, then computes MPW_i = h(PW_i ||pr_i) and MID_i = h(ID_i||a_i). Subsequently, U_i sends the registration request containing {MPW_i,MID_i} to RC through secure channel. RC first calculates X_i = h(MID_i||Q), Y_i = X_i⊕MPW_i⊕MID_i, V_i = h(Q)⊕ h(X_i) and Z_i = h(X_i||h(Q)), then gets the values of A_ij = h(h(SID_j|| Q)||MID_i) and E_ij = A_ij⊕X_i for each registered server. Next, RC stores {Y_i, Z_i,V_i,(SID_j, E_ij)|1≤j≤n} in the smart card SC_i and sends it to U_i. Finally, U_i calculates R_i = MPW_i⊕a_i, and stores {R_i, pu_i} in SC_i.

3.3 Login phase

U_i inserts SC_i into the terminal and provides his credentials {ID_i^*, PW_i^*,Bio_i^*}. Firstly, SC_i calculates pr_i^*=Rep(Bio_i^*,pu_i), MPW_i^*=h(PW_i^*|| pr_i^*), a_i^*=R_i⊕MPW_i, MID_i^*=h(ID_i||a_i), X_i =MPW_i^*⊕Y_i ⊕ MID_i^*, h(Q)=h(X_i^*)⊕V_i and Z_i^*=h(X_i^*||h(Q)). Then SC_i compares whether the calculated Z_i^* and the stored Z_i are equal. If not, SC_i will reject the user U_i. Otherwise, SC_i calculates A_ij^*=E_ij⊕X_i^*, W_i = h(A_ij^*||β _i ), N_i = W_i⊕α _i , CID_i = MID_i^*⊕β _i ⊕h(Q) and M₁ = h(MID_i^*||β_i||α _i ), where α _i , β _i is two random numbers. Finally, U_i sends the login request {CID_i, N_i,M₁,β _i } to S_j over a common channel.

3.4 Mutual authentication & key agreement phase

S_j computes MID_i^*=CID_i⊕h(Q)⊕β _i , W_i = h(h(h(SID_j||Q)||MID_i^*)||β _i ), α _i ^* =W_i^*⊕N_i and M₁^*=h (MID_i^* ||β_i||α _i ^* ), eventually gets the M₁^*. Then it compares M₁^* and M₁. If they are not equal, S_j terminates the session. Otherwise, S_j generates a random number α _j and calculates Ns_j=α _j ⊕W_i^*, session key SK_ij = h(MID_i^*||SID_j|| α_i^*||α_j||h(h(SID_j||Q)||MID_i^*)) and M₂ = h(α_i^*||α_j|| SK_ij). Next, {Ns_j,M₂} is sent by S_j to U_i through a common channel. U_i calculates α_j^*=Ns_j⊕W_i and SK_ij = h(MID_i||SID_j||α_i||α_j^*||A_ij^*), and then he checks whether h(α_i||α_j^*||SK_ij) and received M₂ are equal. If they are equal, U_i will believe that S_j is credible. Finally, U_i takes the calculated M₃ = h(SK_ij||α_j^*||α _i ) sent to S_j via common channel. After receiving the information sent by U_i, S_j calculates M₃^*=h(SK_ij||α_j||α _i ^* ). S_j compares M₃^* with M₃, if they satisfy the requirements of equality, S_j believes that U_i is legal. U_i and S_j successfully established session key SK_ij.

4 Cryptographic analysis of Haq scheme

When the keys h(Q) and h(SID_j^c||Q) stored in server S_j^c are unfortunately leaked, the Haq scheme may suffer the following attacks:

4.1 Server impersonation attack

In order to disguise as server S_k, the adversary needs to know the long-term secret value A_ik between U_i and S_k. A_ik is related to the user’s MID_i, the server’s SID_k and RC’s private key Q. It is difficult for an adversary to obtain the private key Q of the RC, therefore the adversary cannot obtain A_ik through calculate directly. But the adversary can obtain h(Q) and h(SID_j^c||Q) from the compromised server S_j^c. The adversary steals U_i’s smart card and uses side-channel attack technology to extract all information {Y_i,Z_i,V_i,R_i, pu_i,(SID_i,E_ij)|1≤j≤n} stored in it. In addition, the adversary can eavesdrop a login message {CID_i,N_i,M₁,β _i } of U_i to any application server. Then,the adversary can obtain the X_i value of the U_i by the following calculation: $\begin{matrix} {MID}_{i} = {CID}_{i} \oplus h (Q) \oplus β_{i} \\ A_{ij} = h (h ({SID}_{j}^{c} ∥ Q) ∥ {MID}_{i}) \\ Xi = Eij \oplus Aij \end{matrix}$

The private key Q of RC is the same for all servers and users. Therefore, for different servers, the private key X_i = h(MID_i||Q) of the same user U_i is same.After calculating the private key X_i of user U_i, the adversary can use the information {(SID_i,E_ij)|1≤j≤n} stolen from the smart card to calculate the shared secret value A_ik = X_i⊕E_ik between U_i and any other servers S_k(k≠j|1≤j≤n). Therefore, an adversary can impersonate S_k to communicate with U_i.

4.2 Session key attack

From the analysis of 4.1, we can know that when the keys h(Q) and h(SID_j^c||Q) stored in the S_j^c are leaked, the adversary can calculate U_i’s pseudo identity MID_i and the shared secret value A_ik between U_i and another servers S_k. The adversary intercepts the interaction information {CID_i, Nu_i, M₁, β _i } and {Ns_j, M₂} between U_i and S_k, and computes α _i =h(A_ij||β _i )⊕Nu_i and α_k=Ns_j⊕h(A_ik||β _i ). Finally, the adversary can obtain the session key SK_ik = h(MID_i||SID_k||α_i||α_k^*||A_ik^*) between U_i and S_k.

4.3 Offline identity guess attack

Although Haq et al. [37] claimed that their scheme has strong user anonymity, we found that their scheme is difficult to resist offline identity guessing attack after the key of a certain server is leaked.

According to the scheme of Haq et al. [26], the adversary can’t know the identity ID_i of U_i. Because only MID_i = h(ID_i ||a_i) is related to ID_i and the one-way hash function is irreversible, it is impossible for an adversary to obtain ID_i from MID_i through inverse hash operation.

On the basis of the analysis of 4.1 and 4.2, the adversary can use the stolen values to obtain {MID_i,A_ij,E_ij,Y_i,R_i} through calculation. Using these values can calculate MPW_i = MID_i⊕A_ij⊕E_ij⊕Y_i, the adversary can obtain the pseudo-password MPW_i of U_i. In addition, the value of a_i can be obtained by calculating a_i = MPW_i⊕R_i.

The adversary selects an ID_i^* from the identity dictionary, calculates MID_i^*=h(ID_i^*||a_i), and then compares whether MID_i^* and MID_i are equal. If they are equal, the user identity ID_i can be known. Otherwise, repeat this step.

Based on the above analysis, we can know the reason why Haq [37] scheme cannot resist the key compromise impersonation attack is that the hash value h(Q) of RC’s private key saved by all servers is same. Moreover, the private keys of the U_i to different servers is the same X_i. The adversary uses the information {h(SID_j||Q),h(Q)} leaked by a server can infer the private key X_i of user U_i. Because { (SID_i,E_ij)|1≤j≤n}is stored in the smart card. Once an adversary gets the smart card, he can use the X_i and (SID_i, E_ij|1≤j≤n) to get shared key A_ij between U_i and other servers. Adversary can use the A_ij to launch server impersonation attack, session key attack and offline identity guessing attack.

5 The proposed scheme

5.1 Server registration phase

At this stage, in order to become an authorized service provider, S_j sends a registration request containing a unique identity SID_j to RC(registration center). RC calculates Ks_j = h(SID_j||P₂), K =h(P₁||P₂) and h(P₂), where P₁ and P₂ are the private keys of RC. Then, RC sends Ks_j, K and h(P₂) to S_j. Upon receiving the message, S_j securely stores {Ks_j, K, h(P₂)}. At this stage all information is transmitted over a secure channel. Figure 3 shows the detailed process of server registration.

Fig. 3

Server registration process.

5.2 User registration phase

When U_i registers with RC, who needs to provide his unique identity ID_i and biometric template Bio_i. U_i encrypts the above information by using PUF embedded in the intelligent terminal SD_i, fuzzy extractor and one-way hash function, and then sends the encrypted identity MID_i and pseudo-password MPW_i to RC through a secure channel. RC sends the information needed by U_i, which lays the foundation for subsequent mutual authentication between U_i and S_j. Afterwards, U_i stores the received information in SD_i and remote database RD. Figure 4 shows the process of user registration. The specific process is as follows:

U_i selects the unique identity ID_i and gets the biometric template Bio_i by using the Biometric extractor. Then U_i uses the generating function of the fuzzy extractor to calculate (K_u,hd)=FE.Gen(Bio_i),and obtains the user’s biometric key K_u and auxiliary information hd. Among them, K_u is unique and can only be generated by Bio_i. After that, Ku_i is used as the challenge of the device PUF_i to obtain the response value a_i, that is, a_i = PUF_i(Ku_i). By doing so, the uniqueness of the user’s biometrics is perfectly combined with the physical uniqueness of the device PUF_i. Lastly, U_i calculates the pseudo-password MPW_i = h(Ku_i||a_i) and anonymous identity MID_i = h(ID_i|| a_i), and sends them to RC through a secure channel.

After receiving MPW_i and MID_i, RC generates a random number b_i. Then RC calculates U_i’s private key X_i = h(MID_i||P₁), KX_i = h(X_i||b_i), Y_i = KX_i⊕MPW_i, V_i = h(KX_i)⊕h(P₂), A_i = h(K||b_i|| MID_i), E_i = A_i⊕KX_i, Z_i = h(KX_i||h(P₂)|| MID_i) and F_ij = b_i⊕h(SID_j||P₂)(1≤j≤n). Finally, RC sends {Y_i,V_i,Z_i, E_i,(SID_j, F_ij|1≤j≤n)} to U_i through a secure channel.

U_i stores{Y_i,V_i,Z_i,E_i,hd_i} in SD_i. By computing Vb_ij = h(Ku_i)⊕F_ij for every server, U_i encrypts the sensitive data F_ij with h(Ku_i) and stores {SID_j,Vb_ij| 1≤j≤n} in RD. Even if the data {SID_j,Vb_ij| 1≤j≤n} in RD is compromised, without user’s biometric key h(Ku_i), F_ij is not advisable to adversary.

Fig. 4

User registration proces.

5.3 Login phase

Figure 5 shows the login and mutual authentication process, which proceeds according to the following steps:

When the U_i wants to obtain services from the authorized server S_j, he needs to input the certificate {ID_i, Bio_i^*} used during registration.

U_i takes the auxiliary information hd_i stored in SD_i as the input of the Rep function to calculate the biometric key K_u^*, namely, K_u^*=FE.Rep(Bio_i^*,hd_i). Then U_i takes the obtained K_u^* as the challenge of PUF _i in the intelligent terminal SD_i to obtain the response a_i^*, that is, a_i^*=PUF_i(Ku_i^*). Subsequently, U_i gets Vb_ij from RD and computes MPW_i^* =h(Ku_i^*||a_i^*), MID_i^* =h(ID_i||a_i^*), F_ij^*=Vb_ij⊕h(Ku_i^*), KX_i^* =Y_i⊕ MPW_i^*, h(P₂)^*=V_i⊕h(KX_i^*) and Z_i^*=h(KX_i^*|| h(P₂)^*||MID_i^*), and contrasts Z_i^* with Z_i generated in the registration phase. If they are not equal, SD_i terminates the conversation. In the opposite situation, U_i continues with the following operations.

In our scheme, Ku_i^* can only be obtained from the biological characteristics of U_i. In addition, the uniqueness of user’s biometrics is combined with the physical uniqueness of PUF_i, the response obtained by inputting Ku_i^* into different PUF is different. Only by inputting Ku_i^* into PUF_i (embedded in SD_i), U_i can get a_i^*. When the user’s biometrics are leaked, without PUF_i, even if the adversary obtains Ku_i^* he cannot obtain a_i^*. Similarly, if an adversary steals PUF_i, it is not feasible to calculate a_i^* without Ku_i^*. Although no password is used, the combination of biometrics and device PUF can ensure the sufficient security of the scheme.

U_i selects two random numbers σ_i and β_i, then calculates A_i = E_i⊕KX_i^*, W_i=β _i ⊕h(P₂)^*, Nu_i = h(A_i)⊕σ _i , CID_i = F_ij^*⊕β _i , P_i = MID_i⊕β _i and M₁ = h(MID_i^*||σ _i ||β_i|| h(P₂)^*). Finally, {CID_i, Nu_i, M₁, P_i, W_i} are sent to S_j through the common channel.

Fig. 5

5.4 Mutual authentication and key agreement phase

After receiving the login message sent by U_i, S_j first calculates β _i ^*=W_i⊕h(P₂) and the encrypted identity MID_i^* =P_i⊕β _i ^* of U_i, and gets M₁^* through a series of calculations b_i^*=CID_i ⊕Ks_j⊕β _i ^*, A_i^*=h(K||b_i||MID_i^*), σ _i ^*=Nu_i⊕h(A_i^*) and M₁^*=h(MID_i^*||σ _i ^*||β _i ^*||h(P₂)), and compares whether the calculated M₁^* and the received M₁ are equal. If they meet equal requirements, S_j believes that U_i is a legitimate user and generates numbers δ _j randomly. Finally, S_j computes Ns_j=δ _j ⊕h(A_i^*) and M₂ =h (σ _i ^*||δ _j ||A_i^*), and sends them to U_i

U_i computes δ _j ^*=Ns_j⊕h(A_i) and M₂^*=h(σ _i ||δ _j ^*||A_i)) by using the received {Ns_j,M₂}. Then U_i compares whether the calculated M₂^* and the received M₂ are equal. If not, he terminates the session.

If M₂^* equals M₂, S_j succeeds in authentication at U_i, U_i calculates the session key SK_ij = h(MID_i^*||SID_j||σ _i || δ _j ^*||A_i) and M₃ = h(SK_ij|| δ _j ^*||σ _i ). Finally, M₃ is sent to S_j.

Firstly, S_j calculates session key SK_ij = h(MID_i^*||SID_j||σ _i ^*||δ _j ||A_i^*) and M₃^*=h(SK_ij|| δ _j ^*||σ _i ). Subsequently he compares whether M₃^* and M₃ are equal. If they are equal, U_i and S_j successfully establish the session key SK_ij. Subsequent sessions of U_i and S_j will be encrypted with the negotiated session key SK_ij.

6 Security analysis

6.1 Informal security analysis

6.1.1 Key compromise impersonation attack resistance

We assume that A has compromised server S_j^c. As a result, A can steal {Ks_j^c, K^c, h(P₂) ^c } from S_j^c. Based on 4.1, we can know that Haq et al.’s [33] can not resist key compromise impersonation attack. However, our scheme can ensure that A can not launch an impersonation attack or get the session key of other participants even if the keys of S_j^c are compromised:

(1) Server impersonation attack resistance

The values of {K, h(P₂)} is common in all application servers, but every server has different Ks. According to the proposed scheme we can know that Ks_k =h(SID_k||P₂). Because P₂ is RC’s private key, which is not available to him, $A$ cannot compute Ks_k. In addition, although Ks_j^c is known, the adversary cannot infer anything from it about Ks_k. Hence, the adversary $A$ can not impersonate any legal server S_k after compromising the S_j^c.

(2) User impersonation attack resistance

In order to fabricate the legitimate user U_k, the adversary needs to know A_k. On the one hand, an adversary needs to calculate h(K||b_k||MID_k) to get the value of A_k. As can be seen from the proposed scheme, b is different for different users. The adversary cannot obtain b_k, so this method is not effective. On the other hand, according to Nu_k = h(A _k)⊕σ _k , thus the adversary needs to know Nu_k. We know that the channel is open to adversaries, who can steal any message transmitted on the channel. We suppose the adversary intercepts the login message {CID_k,Nu_k,M₁,P_k,W_k} of user U_k, because certification σ _k is different in each session, it is impossible for the adversary to get the h(A_k). Even if the adversary obtains the h(A_k) in some way, it cannot obtain A_k because of the unidirectionality of the hash function. Therefore, in the case of key disclosure, the adversary cannot forge any legitimate user.

(3) Session key security

According to the proposed scheme, session key SK_ij = h(MID_i||SID_j||σ _i ||δ _j ||A_i). To calculate the session key SK_ij, an adversary needs to know MID_i, SID_j, σ _i , δ _j and A_i. And σ_i =Nu_i⊕h(A_i), δ_j =Ns_j⊕h(A_i), A_i = h(K||b_i||MID_i). Assume that the adversary intercepts all the messages {CID_i, Nu_i, M₁, W_i, P_i}, {Ns_j, M₂}, {M₃} on the channel during user login and authentication. According to 6.1.1 (2), even if server S_j^c is leaked, the adversary cannot steal the A_i value of legitimate user U_i, so the session key SK_ij established by legitimate user U_i and server S_j is secure.

6.1.2 User anonymity and untraceability

In our scheme, the user’s identity ID_i is encrypted by the secret value a_i to generate the user’s anonymous identity MID_i. According to the irreversibility of one-way hash function and MID_i = h(ID_i||a_i), ID_i cannot be obtained even if MID_i is known. In the login phase, U_i generates different σ _i and β _i during each session, and CID_i, Nu_i, M₁ are related to them, so the same user sends different {CID_i, Nu_i, M₁, W_i,P_i} to the same server each time. The adversary cannot track the user’s behavior with the help of multiple intercepted messages {CID_i, Nu_i, M₁, W_i,P_i}. In conclusion the proposed protocol can ensure user anonymity and resist user tracing attack.

6.1.3 Replay attack resistance

In the proposed scheme, a new random number is used for each session message to prevent replay attack. The adversary resends the message {CID_i, Nu_i, M₁, W_i,P_i} intercepted from the public channel to pretend to be a legitimate user U_i and establishs a connection with S_j. First, S_j will continue to execute according to the normal process and send {Ns_j,M₂} to the adversary, but without the correct A_i, the adversary cannot calculate the correct M₃. The server S_j will directly terminate this session when discovery that M₃ is not equal to h(SK_ij||δ _j *||σ _i ). Similarly, the adversary resends {Ns_j, M₂} or {M₃} will cause the mutual authentication be suspended. In addition, because the valid message contains the biometric key K_u, it is difficult for the adversary to get K_u and construct a new message. So, the replay attack will not work.

6.1.4 Mutual authentication

For both sides of communication, mutual authentication is required. Only by ensuring that the entity communicating with them is legal can the session key be established. In our schemes, the legitimacy of server and user identity are verified by comparing the equality relation between M₂ and h(σ _i ||δ _j ^*||A_i^*) and between M₃ and h(SK_ij||δ _j *||σ _i ). Therefore, our scheme provides the function of mutual authentication between communication parties.

6.1.5 Stolen smart card attack resistance

Assume that the adversary stoles the information {Y_i,V_i,Z_i,E_i,hd_i} stored by the legitimate user in the smart terminal SD_i. Among them,V_i=h(KX_i)⊕h(P₂), A_i = h(K||b_i||MID_i), E_i = A_i ⊕KX_i and Z_i = h(KX_i||h(P₂)||MID_i). The adversary cannot use the obtained parameters to calculate the user’s identity ID_i and biometric key K_u. Therefore, our scheme can resist smart card attacks.

6.1.6 Offline password guessing attack resistance

If the user’s password is too short, the security is poor and it is easy to be guessed by the adversary. On the contrary, if it is too long, it is not convenient for users to remember. In addition, in a multi-server authentication scheme that contains passwords, storing passwords takes up storage space of the server. Our scheme does not need a password, which is not only convenient for users, but also saves the storage space of the server. Because no password is required in this scheme, it can resist password guessing attack.

6.1.7 Privileged-insider attack resistance

At the user registration stage MPW_i = h(Ku_i ||a_i) and MID_i = h(ID_i|| a_i), the user biometric key K_u and identity identifier ID_i are encrypted with hash and hidden in MPW_i and MID_i, and they are sent to the registration center RC. a_i is the response obtained by inputting the user’s biometric key K_u into the device PUF. The adversary cannot obtain K_u and PUF at the same time, so a_i cannot be obtained. Even a_i is known, because the one-way hash function is irreversible, insiders cannot calculate K_u and ID_i values in polynomial time to forge the legitimate user U_i.

6.1.8 Perfect forward secrecy

At each session, user and server randomly select σ _i and δ _j to establish session secret key SK_ij = h(MID_i^*||SID_j||σ _i ||δ _j ^*||A_i^*), therefore, σ _i and δ _j values in all session keys are different. When a session key SK_ij^c is leaked, the adversary cannot obtain the values of σ _k and δ _k about other session keys and cannot obtain the session key SK_km. It can be seen that our proposed scheme has perfect forward secrecy.

6.1.9 Denial-of-service attack resistance

In the user login phase, the smart terminal SD_i calculates Z_i^* according to the biometric template Bio_i and identifier ID_i provided by the user, and then verifies whether Z_i^* is equal to the stored Z_i. When Z_i^* differs from Z_i, the SD_i discards the user’s login request. So, there is no risk of denial of service attack in our scheme.

6.2 Formal analysis

6.2.1 Formal Security Analysis Using Burrows-Abadi-Needham (BAN) Logic

BAN logic [41] has the virtue of simplicity and effectiveness, so it is widely used in the formal analysis of security protocols. In the formal analysis of BAN logic, firstly, the known assumptions and security objectives of the protocol should be determined according to the actual situation. Secondly, the information exchanged between the subjects in the protocol are transformed into formulas in accordance with the logical form of BAN logic, that is, message idealization. Finally, with the help of inference rule of BAN logic, based on the known assumptions and idealized messages logical reasoning is carried out. If the inference result is consistent with the security objective, the analyzed protocol is secure. Otherwise, there are defects and loopholes in the protocol. (1) Basic symbols of BAN logic

P| ≡ X: P believes statement X

P) X: P sees statement X

P| ∼ . X: P once said statement X

#(X): X is fresh, X has not been sent before the agreement

P⇒X: P has jurisdiction over X

{ X } _K: The result of X being encrypted by key K

$P^{Sa} Q$ :Sa is the shared secret between P and Q

$P \overset{K}{\leftrightarrow}$ Q: K is t shared key between P and Q

(2) The main rules of BAN logic are given below:

R1. Message meaning rule: $\frac{P | \equiv P \overset{K}{\leftrightarrow} Q, P) {X}_{K}}{P | \equiv Q | \sim X}$

R2. Nonce verification rule: $\frac{P | \equiv # (X), P | \equiv Q | \sim (X)}{P | \equiv Q | \equiv X}$

R3. Seeing rules: $\frac{P) (X, Y)}{P) X}$

R4. Arbitration rule: $\frac{P | \equiv Q \Rightarrow X, P | \equiv Q | \equiv X}{P | \equiv X}$

R5. Freshness rule: $\frac{P | \equiv # (X)}{P | \equiv # (X, Y)}$

R6. Belief rule: $\frac{P | \equiv Q | \equiv (X, Y)}{P | \equiv Q | \equiv (X)}$ , $\frac{P | \equiv X, P | \equiv Y}{P | \equiv (X, Y)}$

(3) Initial assumption:

A1:U_i| ≡ # σ_i A2:S_j| ≡ # δ_j

A3: $U_{i} | \equiv S_{j} \Rightarrow U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$

A4: $S_{j} | \equiv U_{i} \Rightarrow U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$

A5: $U_{i} | \equiv U_{i} \overset{h (P_{2})}{\leftrightarrow} S_{j}$ A6: $S_{j} | \equiv U_{i} \overset{h (P_{2})}{\leftrightarrow} S_{j}$

A7: $U_{i} | \equiv U_{i} \begin{matrix} A_{i} \\ ⇌ \end{matrix} S_{j}$ A8: $S_{j} | \equiv U_{i} \begin{matrix} A_{i} \\ ⇌ \end{matrix} S_{j}$

(4) Security goals:

G1: $U_{i} | \equiv S_{j} | \equiv U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$

G2: $S_{j} | \equiv U_{i} | \equiv U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$

G3: $S_{j} | \equiv U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$

G4: $U_{i} | \equiv U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$

Based on the above rules and assumptions, using BAN logic reasoning to analyze our proposed scheme, we can find that our scheme can achieve the expected four objectives. The specific analysis process is as follows:

S1. $S_{j}) {U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}, σ_{i}}_{A_{i}}$

Based on S1,A8 and message rule R1, we can get:

S2. $S_{j} | \equiv U_{i} | \sim {U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}, σ_{i}}$

From hypothesis A2 and freshness rule R5, it can be inferred that::

S3. $S_{j} | \equiv # {U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}, σ_{i}}$

On the basis of S2 and S3, the fresh number verification rule R2 can be obtained as follows:

S4. $S_{j} | \equiv U_{i} | \equiv {U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}, σ_{i}}$

Through conclusion S4 and belief rule R6, we get:

S5. $S_{j} | \equiv U_{i} | \equiv U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$ (G2)

Under conclusion S5, based on hypothesis A4 and arbitration rule R4, we can get:

S6. $S_{j} | \equiv U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$ (G3)

S7. U_i ) { σ_i, δ_j } _{A
_i}

Based on S7,A7 and message rule R1, we can get:

S8. U_i|≡ S_j| ∼ { σ_i, δ_j }

According to A1, using freshness rule R5:

S9. U_i|≡ # { σ_i, δ_j }

From S8, S9 and nonce verification rule R2, we can get:

S10. U_i|≡ S_j| ≡ { σ_i, δ_j }

According to A7, the belief rule R6 is obtained as follows:

S11. U_i|≡ S_j| ≡ { σ_i, δ_j, A_i }

According to the session key SK_ij = h(MID_i^*||SID_j|| σ _i || δ _j ^*||A_i^*) and S11, we can get:

S12. $U_{i} | \equiv S_{j} | \equiv U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$ (G1)

Based on S12 and assumption A3, using arbitration rule R4, we can get:

S13. $U_{i} | \equiv U_{i} \overset{S K_{ij}}{\leftrightarrow} S_{j}$ (G4)

From the above analysis, we can know that the scheme we proposed is secure and there are no loopholes and defects. At the same time, mutual authentication between users and servers is secure.

6.2.2 Formal Security Analysis Using Real-or-Random(ROR) Model

The ROR model [42] is used to perform formal security analysis on the proposed protocol, which can prove that the session key established between the user and the server is secure. The specific process is briefly described as follows:

In our proposed scheme, there are three entities: user U_i, server S_j and registration center RC.

Participants: Using ∏^t_Ui, ∏ ^u _Sj and ∏ ^v _RC to represent instances t, u and v of U_i, S_j and RC respectively. These are also used as prototypes.

Acceptance status: If the status of ∏^t changes to acceptance status after accepting the last agreement information, ∏ ^t is considered to be in acceptance status.

Partnering: Two instances ∏^t1 and ∏ ^t2 are considered as partners if they meet the following requirements at the same time: 1) both instances ∏^t1 and ∏ ^t2 are in the accepted state, 2) ∏^t1 and ∏ ^t2 authenticate with each other and share the same session key sid, 3) ∏^t1 and ∏ ^t2 are partners with each other.

Freshness: If the session key SK_ij between instances ∏^t1 and ∏ ^t2 is not disclosed to the adversary through the Reveal query, ∏^t1 and ∏ ^t2 are considered fresh.

Adversary: We believe that adversary A completely controls all communication in the network. He can query, eavesdrop, modify information in the network and forge new messages to the network.

Execute (∏ ^t , ∏ ^u ): By executing this query, adversary $A$ can eavesdrop on the messages exchanged between two legitimate subjects (between any two of ∏ ^t _Ui , ∏ ^u _Sj and ∏ ^v _RC). This query is also known as a passive eavesdropping attack.

Reveal (∏ ^t ): Adversary $A$ uses Reveal query to get the current session key SK_ij created by ∏^t (and his partner).

Send (∏ ^t ,msg): Adversary $A$ forges a message msg to participant instance ∏ ^t and gets a response from ∏ ^t ^. This query is executed by adversary $A$ , so an active attack is simulated.

CorruptSD: ( $\prod_{{SD}_{i}}^{t}$ ): Adversary A uses side-channel attack to analyze the energy consumption in the SD_i and steal the secret values {F_ij,Y_i,V_i,Z_i,E_i} stored in the SD_i. This operation simulates an active attack. In the 1.1 adversary model, we assume that RC is completely trusted, so an adversary cannot steal any information stored in RC.

Test (∏ ^t ): Follows the indistinguishable feature of ROR model, this query corresponds to the semantic security of session key SK_ij established by U_i and S_j. Before the game starts, flip an unbiased coin(0 and 1 are equally probability to be chosen) and hide the result c.

On the premise that the session key SK_ij is fresh, the adversary executes the Test query. ∏ ^t returns SK_ij when c = 0, ∏ ^t returns a random number M of the same length as SK_ij when c = 1. In other cases, it returns a null value (⊥).

We assume that an adversary can access the Test operation multiple times, but the number of access to the CorruptSD operation is limited.

Semantic security of session keys: In ROR model, the adversary needs to distinguish the real session key SK_ij of instance ∏ ^t from the random number M. In the game, an adversary can access the Test operation many times. After the game, the adversary gives the guess value c of c. If the adversary’s guess value c is equal to the hidden result c, the adversary is considered to have won the game (represented by W). Adv_p^AKE^, p and Pr[X] respectively represent the advantage of the adversary to break the semantic security of our proposed key agreement authentication protocol, our protocol and the probability of X events. We can get Adv_p^AKE=|2.Pr[W]-1|. If Adv_p^AKE≤ɛ, when ɛ>0 and ɛ is small enough, p is considered safe.

Random model: As described in [43], all communicating participants and adversary A have access to the conflict-resistant one-way cryptographic hash function h(·). h(·) is simulated as Hs by a random oracle.

Theorem 1: Under the widely accepted ROR model, we describe the semantic security of the proposed scheme. The adversary A’s successful advantage in attacking our protocol p with polynomial time T can be expressed as Adv_p^AKE≤ $\frac{q_{h}^{2}}{| Hs |}$ + $\frac{q_{send}}{2^{l - 1}}$ , where q_h, |Hs|, q_send and l respectively represent the number of hash queries, the spatial range of hash function, the number of Send queries and the length of key K_u generated by biometrics.

Proof: As shown in [50], four game G_i(i = 0,1,2,3) are defined in order. An adversary winning the game can be represented as Suce_i (i = 0,1,2,3).

G₀: Under the random model, A launches a real attack on our protocol p. A needs to guess the size of c, which is randomly chosen before the game starts. According to the semantic security of session key, it can be obtained as follows: ${Adv}_{p}^{AKE} = | 2 . \Pr [W] - 1 |$ (1)

G₁: After adding Execute simulation to game G₀, game G₀ becomes game G₁. In this game, we simulate eavesdropping attack. After game G₁ ends, the adversary performs Test query. With the help of Reveal query, the adversary determines whether the result of the Test query is the actual session key SK_ij or the random number M. In the proposed protocol, both user U_i and server S_j calculate the same session key SK_ij = h(MID_i||SID_j||σ _i ||δ _j ||A_i). If an adversary wants to calculate the session key SK_ij, he needs to know two short-term random secrets σ _i and δ _j ,and the long-term secret A_i. In addition, it is difficult for an adversary to know the user U_i’s pseudo-identity MID_i. Obviously, the adversary cannot compute the session key SK_ij. Thus the adversary’s advantage in winning the game does not increase, so: $\Pr [{Suce}_{1}] = \Pr [{Suce}_{0}]$ (2)

G₂: Compared with G₁, G₂ increases the simulation of Send operation and Hs query. In G₂, the adversary deceives the instance to accept a message modified or forged by him. Therefore, G₂ simulates an active attack. $A$ can perform multiple Hs queries to check whether conflicts exist.The messages {CID_i, Nu_i, M₁, β _i , P_i}, {Ns_j, M₂} and {M₃} intercepted by the adversary are related to the entity’s pseudo-identity, long-term secrets, and short-term random secrets. Because these parameters are unique that there is no collision when simulating the Hs operation. According to the results of birthday paradox, the following conclusions are obtained: $| \Pr [{Suce}_{1}] - \Pr [{Suce}_{2}] | \leq q^{2} h / (2 | Hs |)$ (3)

G₃: The G₃ simulates an active attack. In addition to being able to emulate queries in G₂, adversary can also emulate CorruptSD query. After being processed by the fuzzy extractor, the user’s biometrics become a secret value K_u composed of l random bits. The adversary uses the values {F_ij,Y_i,V_i,Z_i,E_i} stored in the SD_i to guess K_u∈{0,1}^l, and the probability of correct guess is close to 1/2^l. If the system has a limit on the number of input errors, we can know: $| \Pr [{Suce}_{2}] - \Pr [{Suce}_{3}] | \leq q_{send} / (2^{l})$ (4)

All random oracles are simulated in G₃. In order to win the game, after the Test query, the adversary immediately guesses the real value of the result c. Obviously, the following can be obtained: $\Pr [{Suce}_{3}] = 1 / 2$ (5) From (1) and (2), we can obtain $\frac{1}{2} {Adv}_{p}^{AKE} = | \Pr [Suc e_{0}] - \frac{1}{2} | = | \Pr [Suc e_{1}] - \frac{1}{2} |$ (6) According to the triangle inequality |a - b| + |b - c| ⩾ |a - c|, and (3), (4), (5) get the following corollary: $\begin{matrix} | \Pr [Suc e_{1}] - \frac{1}{2} | = | \Pr [Suc e_{1}] - \Pr [Suc e_{3}] | \\ ⩽ | \Pr [Suc e_{1}] - \Pr [Suc e_{2}] | + | \Pr [Suc e_{2}] - \Pr [Suc e_{3}] | \\ ⩽ \frac{q_{h}^{2}}{2 | Hs |} + \frac{q_{send}}{2^{l}} \end{matrix}$

Where ${Adv}_{p}^{AKE} ⩽ \frac{q_{h}^{2}}{| Hs |} + \frac{q_{send}}{2^{l - 1}}$ , $\frac{q_{h}^{2}}{| Hs |} + \frac{q_{send}}{2^{l - 1}}$ is small enough,so our proposed scheme has the semantic security of the session key.

7 Performance comparison

In this section, in order to reflect the advantages of our proposed scheme, we compare the performance of the proposed scheme with the relevant schemes proposed by Lu et al. [44], Nassoro et al. [45], Gupta et al. [46], Haq et al. [37], Barman et al. [47], Roy et al. [48] and Zhang et al. [49]. Because each user and server only need to register once, we compare the login and authentication phases in terms of security, communication overhead and time complexity.

7.1 Security Comparison

In Table 2, we compare the performance of the proposed scheme with the seven multi-server authentication schemes mentioned above in resisting various attacks. The comparison results show that our scheme is secure against well-known attacks. On the contrary, the schemes [37] is difficult to resist user impersonation attacks, and cannot ensure the anonymity of users and the security of session keys. The schemes of [45] and [46] cannot achieve forward secrecy and resist stolen smart card attack. And [44] is vulnerable to user anonymity and untraceability, forgery attack and privileged-insider attack. The scheme [47–49] also contain security flaws, and are not resistant to all security attacks

Table 2
Comparison of security and functional features

Feature/Property SF ₁ SF ₂ SF ₃ SF ₄ SF ₅ SF ₆ SF ₇ SF ₈ SF ₉ SF ₁₀ SF ₁₁ SF ₁₂

Lu et al. [44] × √ √ √ × × √ √ √ √ √ √

Nassoro et al. [45] × √ × √ √ √ × √ √ √ × ×

Gupta et al. [46] √ √ × √ √ √ × × × √ √ √

Haq et al. [37] × √ √ √ √ √ √ √ × × √ √

Barman et al. [47] √ × √ √ √ √ √ × √ × √ ×

Roy et al. [48] √ √ × √ √ × √ √ × × × ×

Zhang et al.[49] √ √ × √ × × √ × √ × √ √

Ours √ √ √ √ √ √ √ √ √ √ √ √

Feature/Property	SF ₁	SF ₂	SF ₃	SF ₄	SF ₅	SF ₆	SF ₇	SF ₈	SF ₉	SF ₁₀	SF ₁₁	SF ₁₂
Lu et al. [44]	×	√	√	√	×	×	√	√	√	√	√	√
Nassoro et al. [45]	×	√	×	√	√	√	×	√	√	√	×	×
Gupta et al. [46]	√	√	×	√	√	√	×	×	×	√	√	√
Haq et al. [37]	×	√	√	√	√	√	√	√	×	×	√	√
Barman et al. [47]	√	×	√	√	√	√	√	×	√	×	√	×
Roy et al. [48]	√	√	×	√	√	×	√	√	×	×	×	×
Zhang et al.[49]	√	√	×	√	×	×	√	×	√	×	√	√
Ours	√	√	√	√	√	√	√	√	√	√	√	√

Note: SF₁:user anonymity and untraceability; SF₂: mutual authentication; SF₃: Resist stolen smart card attack; SF₄: Resist replay attack; SF₅: Resist forgery attack; SF₆: Resist privileged-insider attack; SF₇: Perfect forward secrecy; SF₈: Resist Denial-of-Service attack; SF₉: Resist user impersonation attack; SF₁₀: Session key security; SF₁₁: Resist server impersonation attack; SF₁₂: Resist offline password guessing attack.

7.2 Comparison of calculation cost

The time required for XOR and join operations is much less than that required for other operations, which is ignored here. We use the following notations to represent the time cost of each operation: T_h: Time cost of executing one-way hash function

T_f: Time cost of executing fuzzy extraction function

T_e: Time cost of performing elliptic curve point multiplication function

T_H: Time cost of executing biological hash function

T_fz: Time cost of executing fuzzy commitment function

T_p: The time cost of executing PUF functions

T_sam: Time cost of symmetric/asymmetric encryption/decryption

According to the experimental results on the Intel Pentium IV 2600 MHz processor with 1024MB RAM [50], T_h = 0.0023 ms, T_f = 2.226 ms, T_e = 2.226 ms and T_p = 0.12 ms. According to [51, 52], T_H = T_e, T_sam = T_e and T_H = T_fz can be obtained. The calculation time cost of each authentication scheme is given in Table 3. The proposed scheme consumes 9T_h, 1T_f and T_p to complete login and mutual authentication, which takes 2.3782 ms in total. Obviously, our scheme saves more time than that proposed by Nassoro et al. [45], Gupta et al. [46], Barman et al. [47], Roy et al. [48] and Zhang et al. [49]. Although the scheme proposed by Lu et al. [44] and Haq et al. [37] has a slightly lower computational cost than our scheme, our scheme has higher security.

Table 3
Computation complexity comparison

Protocol Operations Total Cost (ms)

Client Side Server Side Total

Lu et al. [44] T_H+8T_h 7T_h T_H+15T_h 2.2605

Nassoro et al. [45] 2T_sam 3T_sam 5T_sam 11.1300

Gupta et al. [46] 6T_h 19T_h+4T_sam 25T_h+4T_sam 8.9615

Haq et al. [33] 9T_h+T_f 6T_h 15T_h+T_f 2.2605

Barman et al. [47] 10T_h+3T_e+T_H 5T_h 15T_h+3T_e+T_H 8.9385

Roy et al. [48] 7T_h 6T_h+2T_sam 13T_h+2T_sam 4.4819

Zhang et al. [49] 2T_h+7T_e+T_p T_h+4T_e 3T_h+11T_e+T_p 24.6129

Ours 9T_h+T_f++T_p 5T_h 14T_h+T_f+T_p 2.3782

Protocol	Operations	Total Cost (ms)
Lu et al. [44]	T_H+8T_h	7T_h	T_H+15T_h	2.2605
Nassoro et al. [45]	2T_sam	3T_sam	5T_sam	11.1300
Gupta et al. [46]	6T_h	19T_h+4T_sam	25T_h+4T_sam	8.9615
Haq et al. [33]	9T_h+T_f	6T_h	15T_h+T_f	2.2605
Barman et al. [47]	10T_h+3T_e+T_H	5T_h	15T_h+3T_e+T_H	8.9385
Roy et al. [48]	7T_h	6T_h+2T_sam	13T_h+2T_sam	4.4819
Zhang et al. [49]	2T_h+7T_e+T_p	T_h+4T_e	3T_h+11T_e+T_p	24.6129
Ours	9T_h+T_f++T_p	5T_h	14T_h+T_f+T_p	2.3782

7.3 Comparison of communication cost

In order to compare the communication cost of the protocol, it is assumed that the bit length of user identification, server identification and hash output (message digest) (we use SHA-1 as one-way hash function), timestamp and elliptic curve point P=(P_x, P_y) are 160, 160, 160, 32 and (160 + 160)=320 bits respectively, where P_x and P_y represent the X and Y coordinates of point P respectively. The communication cost of each authentication scheme can be obtained as shown in Fig. 7. It can be seen that the scheme of Gupta et al. [46] requires the largest cost. Although the cost consumption of Lu [44], Haq et al. [33] and Roy et al. [48] are very close to that of our scheme, their scheme cannot resist some common security attacks. Therefore, the proposed scheme has a better balance between performance and security.

Fig. 6

Comparison of Computation complexity.

Fig. 7

Comparison of communication cost.

7.4 Comparison of memory cost

We still use the assumed length of all identifiers in 7.3 to calculate the storage space required for storing various valid information in the registration phase of users and servers. According to Table 4, [33] and [48] need to occupy the storage space of users and servers in a positive correlation with the number of servers. When the number of servers is enough, the storage space consumed by these two schemes will far exceed that of other schemes. The proposed scheme can reduce the consumption of user storage resources by adding remote databases. At the same time, data is stored separately, which is conducive to enhancing data security [47]. It consumes more storage than the proposed scheme. Schemes [44, 46, 49] consume slightly less storage space than the proposed scheme, but the proposed scheme has higher security.

Table 4
Comparison of memory cost

Protocol Client Side (bits) Server Side (bits) Total Cost (bits)

Lu et al. [44] 640 160 800

Nassoro et al. [45] 960 320 1280

Gupta et al. [46] 640 320 960

Haq et al. [33] (5 + 2n)160 320 (7 + 2n)160

Barman et al. [47] 480 960 1440

Roy et al. [48] (5 + 3n)160 (2 + n)160 (7 + 4n)*160

Zhang et al. [49] 960 — 960

Ours 800 480 1280

Protocol	Client Side (bits)	Server Side (bits)	Total Cost (bits)
Lu et al. [44]	640	160	800
Nassoro et al. [45]	960	320	1280
Gupta et al. [46]	640	320	960
Haq et al. [33]	(5 + 2n)*160	320	(7 + 2n)*160
Barman et al. [47]	480	960	1440
Roy et al. [48]	(5 + 3n)*160	(2 + n)*160	(7 + 4n)*160
Zhang et al. [49]	960	—	960
Ours	800	480	1280

8 Conclusion and future work

The scheme proposed in this paper is an improved scheme based on the scheme of Haq et al. [33]. Firstly, we briefly review the scheme of Haq et al, analyze the security of their scheme, and find that their scheme is still unable to key compromise impersonation attack. Then we analyze the reasons for the security defects in the scheme of Haq et al. [33], and propose a key-free two factor multi-server key agreement authentication scheme based on PUF. Finally, we use formal and informal methods to prove that our proposed authentication scheme has high security, and compared with other similar authentication schemes are effective in communication overhead and computational complexity.

In the scheme, combining the uniqueness of user biometric characteristics with the uniqueness of physical device PUF to replace the password in the traditional authentication scheme can effectively improve the effectiveness of the scheme and the security of user privacy data. However, this scheme uses the original biometrics of users. In the following work, we will try to apply the cancelable biometrics technology to the scheme, so as to further meet the needs of users for the security. In addition, we will apply the proposed scheme to more real scenarios and strengthen the combination of theory and practical scenarios.

Footnotes

Acknowledgment

This work was supported in part by the NSFC (Nos. 61801004), NSF_AH (Nos. 2108085MF206).

Declarations

Conflicts of interests

We declare that we have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

References

Lamport

, Password authentication with insecure communication, Communications of the ACM 24(11) (1981), 770–772.

ElGamal

, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31(4) (1985), 469–472.

Chien

H.Y.

, Jan

J.K.

and Tseng

Y.M.

, An efficient and practical solution to remote authentication: smart card, Computers & Security 21(4) (2002), 372–375.

Bian

, Gope

, Cheng

, et al. Bio-AKA: An efficient fingerprint based two factor user authentication and key agreement scheme, Future Generation Computer Systems 109 (2020), 45–55.

Chaturvedi

, Mishra

, Jangirala

, et al. A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme, Journal of Information Security and Applications 32 (2017), 15–26.

Khan

M.K.

, Kumari

and Gupta

M.K.

, More efficient key-hash based fingerprint remote authentication scheme using mobile device, Computing 96(9) (2014), 793–816.

Chen

C.L.

, Lee

C.C.

and Hsu

C.Y.

, Mobile device integration of a fingerprint biometric remote authentication scheme, International Journal of Communication Systems 25(5) (2012), 585–597.

Sabri

, Moin

M.S.

and Razzazi

, A new framework for match on card and match on host quality based multimodal biometric authentication, Journal of Signal Processing Systems 91(2) (2019), 163–177.

Iqbal

, Khan

, Rauf

, et al. Decentralized authentication for secure cloud data sharing. IEEE 27th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). IEEE, (2018), 95–99.

10.

Kaur

and Khanna

, Privacy preserving remote multi-server biometric authentication using cancelable biometrics and secret sharing, Future Generation Computer Systems 102 (2020), 30–41.

11.

Chakraborty

N.R.

, Rahman

M.T.

, Rahman

M.E.

, et al. Generation and verification of digital signature with two factor authentication. International Workshop on Computational Intelligence (IWCI). IEEE, (2016), 131–135.

12.

ul Haq

, Wang

, Zhu

, et al. A survey of authenticated key agreement protocols for multi-server architecture, Journal of Information Security and Applications 55 (2020), 102639.

13.

Pippal

R.S.

, Jaidhar

C.D.

and Tapaswi

, Robust smart card authentication scheme for multi-server architecture, Wireless Personal Communications 72 (2013), 729–745.

14.

, Chen

, Shi

and Khan

M.K.

, On the security of an authentication scheme for multi-server architecture, International Journal of Electronic Security and Digital Forensics 5 (2013), 288–96.

15.

Guo

and Wen

, Analysis and improvement of a robust smart card based-authentication scheme for multi-server architecture, Wirel Pers Commun 78 (2014), 475–90.

16.

Wei

, Liu

and Hu

, Cryptanalysis and improvement of a robust smart card authentication scheme for multi-server architecture, Wirel Pers Commun 77 (2014), 2255–69.

17.

Yeh

K.-H.

, A provably secure multi-server based authentication scheme, Wirel Pers Commun 79 (2014), 1621–34.

18.

Chaturvedi

, Das

A.K.

, Mishra

, et al. Design of a secure smart card-based multi-server authentication scheme, Journal of Information Security and Applications 30 (2016), 64–80.

19.

Tsaur

W.-J.

, Wu

C.-C.

and Lee

W.-B.

, A smart card-based remote scheme for password authentication in multi-server internet services, Comput Stand Interf 27(1) (2004), 39–51.

20.

Amin

, Islam

S.H.

, Khan

M.K.

, Karati

, Giri

and Kumari

, A two-factor RSA-based robust authentication system for multiserver environments, Secur Commun Netw 2017 (2017), 1–15.

21.

Xue

, Hong

and Ma

, A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture, J Comput Syst Sci 80(1) (2014), 195–206.

22.

Lee

J.-S.

, Chang

Y.-F.

and Chang

C.-C.

, A novel authentication protocol for multi-server architecture without smart cards, Int J Innov Comput Inform Control 4(6) (2008), 1357–64.

23.

Zhang

, Zhu

, Ren

, et al. An energy-efficient authentication scheme based on Chebyshev chaotic map for smart grid environments, IEEE Internet of Things Journal 8(23) (2021), 17120–17130.

24.

Dharminder

, Kumar

and Gupta

, A construction of a conformal Chebyshev chaotic map based authentication protocol for healthcare telemedicine services, Complex & Intelligent Systems 7(5) (2531), 2542.

25.

, Hu

and Shen

, A provably secure three-factor authentication protocol based on chebyshev chaotic mapping for wireless sensor network, IEEE Access 10 (2022), 12137–12152.

26.

Al-Shareeda

M.A.

, Manickam

, Mohammed

B.A.

, et al. Cm-cppa: Chaotic map-based conditional privacy-preserving authentication scheme in 5g-enabled vehicular networks, Sensors 22(13) (2022), 5026.

27.

Meshram

, Ibrahim

R.W.

, Meshram

S.G.

, et al. An efficient authentication with key agreement procedure using Mittag– Leffler– Chebyshev summation chaotic map under the multi-server architecture, The Journal of Supercomputing 78 (2022), 4938–4959.

28.

Vivekanandan

, Sastry

V.N.

and Srinivasulu

, Reddy, MAPMCECCM: a mutual authentication protocol for mobile cloud environment using Chebyshev Chaotic Map, Telecommunication Systems 78(3) (2021), 477–496.

29.

Alshudukhi

J.S.

, Al-Mekhlafi

Z.G.

and Mohammed

B.A.

, A lightweight authentication with privacy-preserving scheme for vehicular ad hoc networks based on elliptic curve cryptography, IEEE Access 9 (2021), 15633–15642.

30.

Dai

and Xu

, A secure three-factor authentication scheme for multi-gateway wireless sensor networks based on elliptic curve cryptography, Ad Hoc Networks 127 (2022), 102768.

31.

Nyangaresi

V.O.

, Lightweight anonymous authentication protocol for resource-constrained smart home devices based on elliptic curve cryptography, Journal of Systems Architecture 133 (2022), 102763.

32.

Jain

, Nandhini

and Doriya

, ECC-based authentication scheme for cloud-based robots, Wireless Personal Communications 117 (2021), 1557–1576.

33.

Sengupta

, Singh

, Kumar

, et al. A secure and improved two factor authentication scheme using elliptic curve and bilinear pairing for cyber physical systems, Multimedia Tools and Applications 81(16) (2022), 22425–22448.

34.

Chandrakar

and Om

, A secure and robust anonymous three-factor remote user authentication scheme for multi-server environment using ECC, Computer Communications 110 (2017), 26–34.

35.

Amin

, Islam

S.K.H.

, Vijayakumar

, et al. A robust and efficient bilinear pairing based mutual authentication and session key verification over insecure communication, Multimedia Tools and Applications 77(9) (2018), 11041–11066.

36.

Kumar

and Om

, An improved and secure multiserver authentication scheme based on biometrics and smartcard, Digital Communications and Networks 4(1) (2018), 27–38.

37.

Haq

, Wang

, Zhu

and Maqbool

, An efficient hash-based authenticated key agreement scheme for multi-server architecture resilient to key compromise impersonation, Digital Communications and Networks 7(1) (2021), 140–150.

38.

Juels

and Wattenberg

, A fuzzy commitment scheme. Proceedings of the 6th ACM conference on Computer and communications security, (1999), 28–36.

39.

Kaveh

, Martín

and Mosavi

M.R.

, A lightweight authentication scheme for V2G communications: A PUF-based approach ensuring cyber/physical security and identity/location privacy, Electronics 9(9) (2020), 1479.

40.

Maurya

P.K.

and Bagchi

, A secure PUF-based unilateral authentication scheme for RFID system, Wireless Personal Communications 103(2) (2018), 1699–1712.

41.

Burrows

, Abadi

and Needham

R.M.

, A logic of authentication. Proceedings of the Royal Society of London A, Mathematical and Physical Sciences 426 (1989), 233–271.

42.

Abdalla

, Fouque

P.A.

and Pointcheval

, Password-based authenticated key exchange in the three-party setting. International Workshop on Public Key Cryptography. Springer, Berlin, Heidelberg 3386 (2005), 65–84.

43.

Chattaraj

, Sarma

and Das

A.K.

, A new two-server authentication and key agreement protocol for accessing secure cloud services, Computer Networks 131 (2018), 144–164.

44.

, Li

, Yang

, et al. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards, PLoS One 10(5) (2015), e0126323.

45.

Lwamo

N.M.R.

, Zhu

, Xu

, et al. SUAA: A secure user authentication scheme with anonymity for the single & multi-server environments, Information Sciences 477 (2019), 369–385.

46.

Gupta

P.C.

and Dhar

, Hash based multi-server key exchange protocol using smart card, Wireless Personal Communications 87(1) (2016), 225–244.

47.

Barman

, Chaudhuri

, Chatterjee

, et al. An elliptic curve cryptography-based multi-server authentication scheme using cancelable biometrics, Intelligent Computing and Communication: Proceedings of 3rd ICICC 2019 1034 (2020), 153–163.

48.

Roy

P.K.

and Bhattacharya

, A group key-based lightweight Mutual Authentication and Key Agreement (MAKA) protocol for multi-server environment, The Journal of Supercomputing 78 (2022), 5903–5930.

49.

Zhang

, Bian

, Jie

, et al. BioF-TAP: An efficient method of template protection and two-factor authentication protocol combining biometric and PUF, Journal of Intelligent & Fuzzy Systems 43(4) (2022), 1–17.

50.

Zhao

, Bian

, Xu

, et al. A secure biometrics and PUFs-based authentication scheme with key agreement for multi-server environments, IEEE Access 8 (2020), 45292–45303.

51.

Rehman

H.U.

, Ghani

, Chaudhry

S.A.

, et al. A secure and improved multi server authentication protocol using fuzzy commitment, Multimedia Tools and Applications 80(11) (2021), 16907–16931.

52.

Barman

, Shum

H.P.H.

, Chattopadhyay

, et al. A secure authentication protocol for multi-server-based e-healthcare using a fuzzy commitment scheme, IEEE Access 7 (2019), 12557–12574.