Security analysis and enhancements of an improved multi-factor biometric authentication scheme

Many remote user authentication schemes have been designed and developed to establish secure and authorized communication between a user and a server over an insecure channel. By employing a secure remote user authentication scheme, a user and a server can authenticate each other and utilize advanced services. In 2015, Cao and Ge demonstrated that An's scheme is vulnerable to several attacks and does not provide user anonymity, and they proposed an improved multi-factor biometric authentication scheme. However, we review and cryptanalyze Cao and Ge's scheme and demonstrate that it fails in correctness, does not provide user anonymity, and is vulnerable to ID guessing attack and server masquerading attack. To overcome these drawbacks, we propose a security-improved authentication scheme that provides a dynamic ID mechanism and better security functionalities. We then show that the proposed scheme is secure against various attacks and prove its security using BAN Logic.


Introduction
With the rapid development of Internet technology and the smart device industry, users can access any service from anywhere. 1 In addition, the growth in network technology has made these services user-friendly and easy to adopt, and mobile devices have become a vital part of our lives. Nowadays, people are able to easily utilize advanced services such as e-commerce, e-healthcare, and e-learning. 2 Despite the advantages of ubiquitous mobile computing technologies, several new threats have emerged. The transmission of data through insecure channels leads to security challenges such as authentication, privacy, and integrity, and adversaries are considered to be sufficiently powerful to control communication over a public channel. To ensure authorized and secure communication, a user and server should verify their mutual legitimacy and exchange a session key, which can then be used to transmit data securely. 3,4 Moreover, anonymous authentication is required to provide secure communications between numerous network users while preserving privacy.
To address security and authorized access in mobile environments, various remote user authentication schemes have been designed and developed. Remote user authentication is a common approach to verify the legitimacy of users who seek service and has become an indispensable component of service access. By employing a remote user authentication scheme, a server first authenticates remote users and grants service access only to those who are legitimate and authorized while rejecting unauthorized entities whose aim is to damage network security.
Smart card-based authentication schemes were introduced initially to resolve such security issues. 5,6,7 Recently, a large amount of research on password-based authentication schemes using smart cards has been presented. 3,8,9 However, password-based authentication schemes are vulnerable to identity/password guessing attacks and suffer from inefficient password change policies. To resolve the problems of single-password authentication, several biometric-based remote user authentication schemes have been proposed. 2,10,11,12 In contrast to passwords, biometric information, such as irises, fingerprints, and palmprints, is considered to be a unique identifier of a user and is difficult to spoof. Therefore, biometric-based remote user authentication is inherently more secure and reliable than conventional authentication schemes. 13 Li and Hwang 14 proposed an efficient biometric-based remote user authentication scheme in 2010. In 2011, Das 15 cryptanalyzed and improved Li and Hwang's 14 scheme. However, An 16 found that Das' 15 scheme failed to provide mutual authentication and enhanced it to support secure authentication in 2012. In 2015, Cao and Ge 17 demonstrated that An's 16 scheme is vulnerable to replay attacks, in which an adversary can masquerade as the legal server. In addition, they noted that An's scheme, like most recently presented biometric-based authentication schemes, does not properly address user anonymity, and that An's scheme is insecure against user masquerading attack. Cao and Ge also proposed an improved multi-factor biometric authentication scheme to overcome the security weaknesses of An's scheme and support user anonymity. However, we point out that their scheme fails to provide re-registration and does not withstand several attacks.
This article discusses the security vulnerabilities of Cao and Ge's scheme and proposes an enhanced multi-factor biometric authentication scheme with better security functionality than Cao and Ge's scheme. We provide an analysis of the security and efficiency of our proposed scheme. The major contributions of this study are summarized as follows:
1. Cryptanalysis of Cao and Ge's scheme. We cryptanalyze Cao and Ge's scheme and demonstrate the incorrectness of their scheme in the re-registration phase and its vulnerability to off-line ID guessing attack and server masquerading attack. We illustrate that an adversary can obtain the identity of any legal user of the system once he or she obtains the smart card of the user. Hence, the scheme does not provide user anonymity.
2. Enhancements of Cao and Ge's scheme. We propose an enhanced multi-factor biometric authentication scheme to overcome the security weaknesses of Cao and Ge's scheme. Our scheme supports a dynamic identity mechanism using timestamps and resists off-line ID guessing attack and server masquerading attack. We also provide a password change phase to enhance the security of the system.
3. Security analysis against various attacks. We analyze the security of the proposed scheme. Our scheme supports better security functionality than Cao and Ge's scheme: it is secure against off-line ID guessing attack, user masquerading attack, and server masquerading attack. In addition, it provides user anonymity, mutual authentication, session key agreement, efficient password change, and forward secrecy. We also prove that our scheme provides mutual authentication using Burrows-Abadi-Needham (BAN) Logic. 18

Preliminaries
In this section, we present notations and then define Bio-Hashing.

Notations
The notations used throughout this article are described in Table 1.

Bio-hashing
Biometric technology often attracts attention in the area of unique user authentication in general authentication systems. In particular, the use of biometric information for authentication in cryptosystems is extending steadily. However, imprinted biometric characteristics (such as fingerprint, palmprint, retina, and iris) may not appear exactly the same in each scan, so a system that matches raw imprints rejects registered, legitimate users with high probability. To resolve this high false rejection rate, Jin et al. 19 proposed a two-factor authenticator based on iterated inner products between a tokenized pseudo-random number and user-specific fingerprint features, which produces a set of user-specific compact codes; this is called Bio-Hashing. Later, Lumini and Nanni 20 proposed an improvement of Bio-Hashing. As noted by Chang et al., 21 Bio-Hashing maps a user's/patient's biometric features onto user-specific random vectors to generate a code called a bio-code and then discretizes the projection coefficients into zeroes and ones. Bio-Hashing has been verified to be the most suitable and compatible technique for tiny smart devices such as smart cards and smart phones. 22
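As an added illustration (not code from this paper or from Jin et al.), the following Python models the Bio-Hashing step just described: a token-seeded pseudo-random orthonormal basis, inner products with a feature vector, and thresholding of the coefficients into a bio-code. The feature vectors, the card token, the bit length and the acceptance distance are constructed for the example.

```python
import hashlib
import math
import random

# Added example, not the paper's code. Fingerprint features are projected
# onto pseudo-random orthonormal vectors derived from the user's token, and
# each projection coefficient is discretized to 0 or 1, giving the bio-code
# H(B_i). All sample data below is constructed for illustration.

def _gram_schmidt(vectors):
    """Orthonormalize vectors (classical Gram-Schmidt), dropping dependent ones."""
    basis = []
    for v in vectors:
        w = list(v)
        for b in basis:
            dot = sum(x * y for x, y in zip(w, b))
            w = [x - dot * y for x, y in zip(w, b)]
        norm = math.sqrt(sum(x * x for x in w))
        if norm > 1e-12:
            basis.append([x / norm for x in w])
    return basis

def token_random_basis(token: bytes, dim: int, n_bits: int):
    """Derive n_bits orthonormal vectors of length dim from the token.
    The same token always yields the same basis; a different token yields an
    unrelated one, which is what lets a leaked bio-code be revoked."""
    seed = int.from_bytes(hashlib.sha256(token).digest()[:8], "big")
    rng = random.Random(seed)
    raw = [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]
    return _gram_schmidt(raw)

def bio_hash(features, token: bytes, n_bits: int = 32, tau: float = 0.0) -> str:
    """Bio-code: bit j is 1 if <features, r_j> > tau, else 0."""
    basis = token_random_basis(token, len(features), n_bits)
    return "".join(
        "1" if sum(f * r for f, r in zip(features, vec)) > tau else "0"
        for vec in basis
    )

def hamming(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))

def verify(stored_code: str, features, token: bytes, max_distance: int = 2) -> bool:
    """Login-time check: recompute the code from a fresh scan and accept if it
    is within max_distance bits of the enrolled code (tolerates scan noise)."""
    fresh = bio_hash(features, token, len(stored_code))
    return hamming(stored_code, fresh) <= max_distance

# Constructed sample data: a 32-dimensional feature vector, a slightly noisy
# rescan of the same finger, a clearly different finger, and two card tokens.
ENROLLED = [math.sin(0.37 * i) + 0.1 * math.cos(1.9 * i) for i in range(32)]
RESCAN = [f + 0.005 * math.sin(7.1 * i) for i, f in enumerate(ENROLLED)]
OTHER_FINGER = [math.cos(0.91 * i) - 0.3 * math.sin(2.3 * i) for i in range(32)]
TOKEN_A = b"smart-card-token-A"
TOKEN_B = b"smart-card-token-B"

if __name__ == "__main__":
    code = bio_hash(ENROLLED, TOKEN_A)
    print("bio-code       :", code)
    print("rescan accepted:", verify(code, RESCAN, TOKEN_A))
    print("other finger   :", verify(code, OTHER_FINGER, TOKEN_A))
    print("other token    :", verify(code, ENROLLED, TOKEN_B))
```

The noisy rescan still verifies, while a different finger or a different token does not, which is the property that lets the smart card compare H(B_i) at login despite scan variation.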

Review of Cao and Ge's authentication scheme
In this section, we review Cao and Ge's authentication scheme. It comprises four phases: registration phase, re-registration phase, login phase, and authentication phase.

Registration phase
A user C_i first registers at a trusted registration center R_i to obtain the service from the remote server S_i and receives a personalized smart card. The user chooses an identity ID_i and password PW_i, imprints biometric information B_i, and then performs the following steps:
(R1) C_i chooses a random number K and then computes (PW_i ⊕ K) and (B_i ⊕ K).
(R3) R_i creates an entry in the account database for the user ID_i and stores n_i = 0 in this entry. Then, R_i sends a smart card that contains {EID_i, h(·), f_i, e_i, n_i} to C_i via a secure channel. Then, C_i stores the random number K in the smart card.

Re-registration phase
(RR1) C_i chooses a new random number K' and then submits to R_i the identity ID_i, password information (PW_i ⊕ K'), and biometric information (B_i ⊕ K') via a secure channel.
(RR2) Then, R_i performs the following computations and delivers the result to C_i via a secure channel. Then, C_i stores the random number K' in the smart card.

Login phase
In order to log in to the remote server S_i, the user C_i performs the following steps using the smart card:
(L1) C_i imprints the biometric information B_i; then the smart card SC_i computes h(B_i ⊕ K) and compares it with f_i. If it is valid, SC_i continues with the following steps.
(L2) C_i chooses a random number R_C and inputs (ID_i, PW_i, R_C) into the smart card. Then, SC_i computes

Authentication phase
The user C_i and the remote server S_i verify the authenticity of each other in this phase as follows:
(A1) S_i checks the validity of the received EID_i by comparing it with h(ID_i)||n_i stored in the account database.
If it is valid, S_i accepts the user's login request and sends the message {M_10} to C_i.
If it is valid, C_i accepts S_i as the legitimate server.

Cryptanalysis of Cao and Ge's authentication scheme
In this section, we analyze the security problems of Cao and Ge's scheme. Cao and Ge 17 cryptanalyzed Younghwa An's 16 scheme and improved it to support better security functionality. However, we found that Cao and Ge's remote user authentication scheme has security vulnerabilities. We assume that the capabilities of adversaries are as follows: 2,23
1. An adversary A_i has total control over the communication channel connecting the users and the remote server in the login/authentication phase. Thus, the adversary can intercept, insert, delete, or modify any message transmitted via a public channel.
2. An adversary may either steal a user's smart card or obtain a user's password, but not both.
3. An adversary can extract the information stored in a smart card by analyzing the power consumption of the smart card.

Incorrectness in registration phase
Younghwa An 16 observed that if the password PW_i and biometric information B_i of the user are revealed to the server, an insider at the server can obtain the user's password and biometric information directly. To protect the user's information from such an insider, Younghwa An concealed the password and biometric information in the registration phase by XORing (⊕) them with the user's random number K. Thus, an insider at the server does not learn the user's password and biometric information. Cao and Ge adopted this method too; however, they failed to preserve correctness. We show that the registration phase of Cao and Ge's 17 scheme fails in correctness: We have shown that Cao and Ge's scheme fails in correctness and ultimately cannot proceed with the re-registration phase, because v_i is used to check the validity of the user in the re-registration phase, but R_i cannot compute v_i. This means that it is vulnerable to user masquerading attack, as is An's scheme. Therefore, the method of generating v_i or the way of updating the user's identity must be revised.

Off-line identity guessing attack
The identity of a user is registered at the registration center. Users normally choose their social security ID, e-mail, phone number, and so on as their identity and are requested to input their identity, password, and biometric information in the login phase. Although users attempt to keep their identities secret, identities are selected from a limited set that can be enumerated, and adversaries have sufficient power to guess from that limited set in the off-line condition. 24 The complexity of this attack depends on the length of the identity. We show that Cao and Ge's scheme is vulnerable to off-line identity guessing attack:
1. An adversary A_i can learn the information of the user C_i stored in the smart card. A_i extracts n_i from the smart card.
2. When C_i sends the login message to the remote server S_i, A_i records EID_i.
3. A_i selects a candidate identity ID
Once the identity of the user is revealed, an adversary can recognize and trace the user until the user performs the re-registration phase. However, as we mentioned in ''Incorrectness in registration phase,'' Cao and Ge's scheme fails in correctness and cannot proceed to the re-registration phase. Therefore, the adversary can identify and trace the user continuously.

Server masquerading attack
Cao and Ge analyzed the security of their authentication scheme against server masquerading attack with respect to the sending of M_10, because C_i will finally find that M_10 is not equal to M_9. However, C_i cannot know whether the sender of the message {EID_i, M_6, M_7} is valid or not. Thus, the message M_9 that C_i sends to the server can be delivered to an adversary attempting to masquerade as the legal server. Finally, the adversary who sent {EID_i, M_6, M_7} obtains the message M_9 and can send a valid message M_10 by replacing it with the M_9 received just before. We show that Cao and Ge's scheme is vulnerable to server masquerading attack:
1. An adversary A_i intercepts the message {EID_i, M_6, M_7} over the communication channel.
2. When a new session is opened, A_i replays the message {EID_i, M_6, M_7} to C_i during the authentication phase, pretending to be the legal server.
3. C_i sends the message M_9 to the adversary because he or she still cannot tell from the message {EID_i, M_6, M_7} whether the server is valid or not.
4. A_i responds with the message M_10, which is the message M_9 received from C_i.
5. C_i checks whether M_10 is equal to M_9. Because M_9 = M_10, C_i regards the adversary as the legal server.
An adversary can masquerade as the server until the user performs the re-registration phase. However, as we mentioned in ''Incorrectness in registration phase,'' Cao and Ge's scheme fails in correctness and cannot proceed with the re-registration phase. Therefore, the adversary can continue pretending to be the legal server.

The proposed remote user authentication scheme
We propose a dynamic ID-based multi-factor biometric authentication scheme to overcome the security problems of Cao and Ge's remote user authentication scheme. In the proposed scheme, we use timestamps to support the dynamic identity mechanism and resist off-line ID guessing attack. We assume that the registration center and the remote server are trustworthy and share the server's secret key X_S and the master key x of the registration center in advance. Our scheme comprises four phases: registration phase, login phase, authentication phase, and password change phase.

Registration phase
In this phase, a user C_i chooses an identity ID_i and password PW_i, imprints biometric information B_i, and then performs the following steps:
(R1) C_i chooses a random number K and then computes (PW_i ⊕ K) and (H(B_i) ⊕ K). Then, C_i submits (ID_i, PW_i ⊕ K, H(B_i) ⊕ K) to R_i via a secure channel.
(R2) R_i chooses a unique number y_i for C_i and computes R_i creates an entry in the account database for ID_i and stores the virtual identity VID_i in this entry.
Upon receiving SC_i, C_i stores the random number K in the smart card. Figure 1 illustrates the registration phase of the proposed remote user authentication scheme.

Login phase
In order to log in to the remote server S_i, the user C_i performs the following steps using the smart card:

Authentication phase
The user C i and the remote server S i verify the authenticity of each other and generate a session key in this phase as follows.

Password change phase
The smart card establishes an authorized session with the user C_i by verifying the correctness of the input parameters (identity, password, and biometric information). C_i then updates the password without interacting with the remote server or the registration center:

Analysis
In this section, we describe an analysis of our proposed authentication scheme with respect to security and performance. We assume that the capabilities of adversaries are the same as those in our cryptanalysis of Cao and Ge's authentication scheme. We first prove the security of our proposed scheme using BAN Logic. 18 Then, we present the security analysis of the proposed scheme against various attacks.

Authentication proof based on BAN logic
In this section, we analyze the security of our proposed authentication scheme with BAN Logic, 18 which is a formal analysis method for authentication protocols. Table 2 illustrates the notations used in BAN Logic.

Table 2. Notations of BAN Logic.
Notation                                 Meaning
$P \mid\equiv X$                         P believes X
$P \triangleleft X$                      P sees X
$P \mid\sim X$                           P once said X
$P \Rightarrow X$                        P has jurisdiction over X
$\#(X)$                                  X is fresh
$P \overset{K}{\leftrightarrow} Q$       P and Q may use the shared key K
$P \overset{X}{\rightleftharpoons} Q$    X is a secret known only to P and to Q
$\langle X \rangle_Y$                    X combined with the formula Y
$(X)_K$                                  X hashed under the key K
$\{X\}_K$                                X encrypted under the key K

1. Logical postulates of BAN Logic.
a. Message-meaning rule concerns the interpretation of messages. For shared keys, we postulate
$$\frac{P \mid\equiv Q \overset{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$
That is, if P believes that the key K is shared with Q and sees X encrypted under K, then P believes that Q once said X.
b. Nonce-verification rule expresses the check that a message is recent and, hence, that the sender still believes in it
$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$
That is, if P believes that X could have been uttered only recently and that Q once said X, then P believes that Q believes X.
c. Jurisdiction rule states that if P believes that Q has jurisdiction over X, then P trusts Q on the truth of X
$$\frac{P \mid\equiv Q \Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$
d. Seeing rules: if a principal sees a formula, then he also sees its components, provided he knows the necessary keys
$$\frac{P \triangleleft (X, Y)}{P \triangleleft X} \qquad \frac{P \triangleleft \langle X \rangle_Y}{P \triangleleft X} \qquad \frac{P \mid\equiv Q \overset{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X}$$
$$\frac{P \mid\equiv \overset{K}{\mapsto} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X} \qquad \frac{P \mid\equiv \overset{K}{\mapsto} Q,\quad P \triangleleft \{X\}_{K^{-1}}}{P \triangleleft X}$$
Note that if P sees X and P sees Y, it does NOT follow that P sees (X, Y), since that would mean that X and Y were uttered at the same time.
e. Freshness-concatenation rule states that if one part of a formula is fresh, then the entire formula must be fresh
$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$$
2. Security goals. The proposed scheme will satisfy the following goals
3. Idealized scheme. We transform our scheme into the idealized form as follows
4. Initiative premises. We make the following assumptions about the initial state of the scheme in order to analyze the proposed scheme
5. Security analysis of the idealized form of the proposed scheme.
a_1. According to Msg_1, we could get
a_2. According to p_2 and p_4, we apply the message-meaning rule to obtain
a_3. According to p_8, we apply the freshness-concatenation rule to obtain Then, we apply the nonce-verification rule to obtain
a_4. According to Msg_3, we could get
a_5. According to p_4, we apply the message-meaning rule to obtain
a_6. According to p_8, we apply the freshness-concatenation rule to obtain Then, we apply the nonce-verification rule to obtain
a_7. According to a_6 and p_6 and SK = h(R_C, R_S, h(ID_i||X_S)), we could obtain
a_8. According to a_7 and p_9, we apply the jurisdiction rule to obtain
a_9. According to Msg_4, we could get
a_10. According to p_3, we apply the message-meaning rule to obtain
a_11. According to p_7, we apply the freshness-concatenation rule to obtain Then, we apply the nonce-verification rule to obtain
a_12. According to a_11, we apply the BAN Logic rule to break conjunctions to produce
a_13. According to a_12 and p_9, we apply the jurisdiction rule to produce
According to (Goal 1), (Goal 2), (Goal 3), and (Goal 4), we know that C_i and S_i believe SK is shared.

Security analysis against various attacks
Off-line ID guessing attack. The smart card and the login message contain pseudo identities, VID_i and DID_i, which are random values. Suppose an adversary A_i obtains these values and the smart card SC_i. To derive the actual identity ID_i from VID_i, the adversary is required to guess both h(y_i||X_S) and ID_i concurrently. The probability of guessing them correctly, when ID_i is composed of n characters and the hash value is 160 bits, is approximately 1/2^(6n+160), which is considered a computationally infeasible problem. 21,25 The complexity of our proposed scheme against this attack is higher than that of Cao and Ge's scheme. Deriving ID_i from DID_i requires even more computation, because DID_i changes in every session.
User masquerading attack. A_i is required to compute a valid login request to impersonate a legal user. A_i may attempt to log in to S_i using the message {DID_i, Z_i, M_2, M_3, T_1}. However, DID_i is dynamic in every session, so A_i cannot use the message repeatedly. Moreover, A_i cannot generate a valid dynamic identity either, because he or she does not know h(y_i||X_S).
Server masquerading attack. To masquerade as a legal server, A_i must compute the messages {M_6, M_7} and h(SK). An's 16 scheme and Cao and Ge's 17 scheme were vulnerable to this attack because A_i could replay messages captured in a previous session. However, our proposed scheme is secure against this attack because we use timestamps, and the messages are fresh in each session.
User anonymity. We use pseudo identities to hide the actual identity. To derive ID_i from VID_i or DID_i, A_i would need to know h(y_i||X_S); however, it is computationally infeasible to correctly guess y_i and X_S concurrently. Therefore, it is difficult for A_i to derive ID_i from the pseudo identities.
Mutual authentication. The server verifies the legitimate user by checking the equation M_9 = h(M_4||M_5||R_S||T_2). Likewise, the user ensures the validity of the server by checking the equation h(SK') = h(SK). As shown above, A_i can masquerade as neither the legitimate user nor the server. Therefore, the proposed scheme provides proper mutual authentication.
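To make concrete the difference between the reflected check M_10 = M_9 of Cao and Ge's scheme (''Server masquerading attack'' above) and the key-confirmation check h(SK') = h(SK) with SK = h(R_C, R_S, h(ID_i||X_S)) used here, the following added Python (not the paper's code) models both client-side checks. The message contents beyond those two checks, the choice of SHA-256, the sample identity and server secret, and the 60 s freshness window are assumptions made for the example.

```python
import hashlib
import os

# Added example, not the paper's code. Only the two client-side checks are
# modelled; everything else about the messages is abstracted away, and the
# hash, sample values, timestamps and freshness window are constructed.

def h(*parts: bytes) -> bytes:
    """h(a || b || ...) with a separator so adjacent fields cannot run together."""
    return hashlib.sha256(b"\x1f".join(parts)).digest()

# ---- Cao and Ge: the server's final message is compared with the value the
# ---- client itself sent, so any party that receives M_9 passes the check.
def client_check_cao_ge(m9_sent: bytes, m10_received: bytes) -> bool:
    return m10_received == m9_sent

def reflect(m9_received: bytes) -> bytes:
    """Step 4 of the attack described on the page: answer M_10 := M_9."""
    return m9_received

def reflection_accepted() -> bool:
    """True if a responder that merely echoes M_9 is accepted as the server."""
    m9 = h(b"M6-captured", b"M7-captured", os.urandom(16))  # stand-in for M_9
    return client_check_cao_ge(m9, reflect(m9))

# ---- Proposed scheme: the server must prove knowledge of SK, which depends
# ---- on the client's fresh R_C and on h(ID_i || X_S), which A_i does not hold.
def session_key(r_c: bytes, r_s: bytes, shared: bytes) -> bytes:
    """SK = h(R_C, R_S, h(ID_i || X_S)); `shared` is h(ID_i || X_S)."""
    return h(r_c, r_s, shared)

def server_confirmation(r_c: bytes, r_s: bytes, shared: bytes) -> bytes:
    return h(session_key(r_c, r_s, shared))

def client_check_proposed(r_c, r_s, shared, h_sk_received, t2, now, window=60):
    """Reject a stale T_2, then compare the received h(SK) with the client's SK'."""
    if abs(now - t2) > window:
        return False
    return h_sk_received == server_confirmation(r_c, r_s, shared)

ID_I = b"alice"                     # constructed user identity ID_i
X_S = b"server-long-term-secret"    # constructed server secret key X_S
SHARED = h(ID_I, X_S)               # h(ID_i || X_S), held by the card and the server

def honest_run(now: int) -> bool:
    r_c, r_s = os.urandom(16), os.urandom(16)
    conf = server_confirmation(r_c, r_s, SHARED)        # legitimate server
    return client_check_proposed(r_c, r_s, SHARED, conf, now, now)

def replay_run(now: int) -> bool:
    """A_i replays a previous session's R_S and h(SK) against a fresh R_C."""
    old_r_c, old_r_s = os.urandom(16), os.urandom(16)
    captured = server_confirmation(old_r_c, old_r_s, SHARED)
    new_r_c = os.urandom(16)
    return client_check_proposed(new_r_c, old_r_s, SHARED, captured, now, now)

def stale_run(now: int) -> bool:
    """A correct confirmation carrying an old T_2 is still rejected."""
    r_c, r_s = os.urandom(16), os.urandom(16)
    conf = server_confirmation(r_c, r_s, SHARED)
    return client_check_proposed(r_c, r_s, SHARED, conf, now - 600, now)

if __name__ == "__main__":
    print("Cao-Ge accepts echoed M_9 :", reflection_accepted())
    print("proposed, honest server   :", honest_run(1000))
    print("proposed, replayed h(SK)  :", replay_run(1000))
    print("proposed, stale T_2       :", stale_run(1000))
```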
Forward secrecy. Suppose that the server's secret key X_S is compromised; the identity ID_i is still unknown to A_i. Therefore, h(ID_i||X_S) is kept secret, and R_C and R_S remain secure. Thus, compromise of X_S does not allow A_i to compute previous session keys.

We compare the functionality features and the computational cost of the proposed scheme with those of other existing schemes. Table 3 compares the functionality features provided by our scheme with those of other existing schemes. ✓ denotes that the scheme provides the property; ✗ denotes that the scheme does not provide the property; NA denotes that the scheme does not consider the property.

Performance
In Table 4, we compare the computational cost. T_h denotes the computation time of a hash function, and T_H denotes the computation time of the Bio-Hashing function. XOR operations are not counted because their cost is negligible compared with T_h. Our scheme is constructed on one-way hash functions and XOR operations. The computational cost of our scheme is similar to that of An 16 and Cao and Ge, 17 but the proposed scheme provides enhanced security functionalities and is secure against various attacks.

Table 3. Comparisons of the functionality features.
Property                      Das's scheme 15   Younghwa An's scheme 16   Cao and Ge's scheme 17   Proposed scheme
Resists ID guessing attack    NA                NA                        ✗

Conclusion
Users are able to access and utilize advanced services owing to the growth of Internet technology and smart devices. However, given the unsolved security problems and adversaries that are sufficiently powerful to control communication, users are exposed to malicious attacks, and extension of Internet service is limited. To ensure authorized and secure communication, a user and server should verify each other's legitimacy.
In this article, we demonstrated the security vulnerability of Cao and Ge's scheme and its incorrectness in re-registration phase. We noted that their scheme is vulnerable to off-line ID guessing attack and server masquerading attack and fails in correctness. In addition, we proposed an enhanced multi-factor biometric authentication scheme with better security functionality than that of Cao and Ge. Our scheme supports a dynamic identity mechanism using timestamps and resists off-line ID guessing attack and server masquerading attack. Our scheme satisfies all desirable security attributes, as demonstrated in the security analysis.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.