Remote Login Authentication Scheme based on Bilinear Pairing and Fingerprint
KSII Transactions on Internet and Information Systems (TIIS). 2015. Dec, 9(12): 4987-5014
Copyright © 2015, Korean Society For Internet Information
  • Received : June 26, 2015
  • Accepted : October 07, 2015
  • Published : December 31, 2015
About the Authors
Shipra Kumari
Hari Om

Abstract
The bilinear pairing, also known as Weil pairing or Tate pairing, is widely used in cryptography and its properties help to construct cryptographic schemes for different applications in which the security of the transmitted data is a major concern. In remote login authentication schemes, there are two major requirements: i) proving the identity of a user and the server for legitimacy without exposing their private keys and ii) freedom for a user to choose and change his password (private key) efficiently. Most of the existing methods based on the bilinear property have some security breaches due to the lack of features and the design issues. In this paper, we develop a new scheme using the bilinear property of an elliptic point and the biometric characteristics. Our method provides many features along with three major goals. a) Checking the correctness of the password before sending the authentication message, which prevents the wastage of communication cost; b) Efficient password change phase in which the user is asked to give a new password after checking the correctness of the current password without involving the server; c) User anonymity - enforcing the suitability of our scheme for applications in which a user does not want to disclose his identity. We use BAN logic to ensure the mutual authentication and session key agreement properties. The paper provides informal security analysis to illustrate that our scheme resists all the security attacks. Furthermore, we use the AVISPA tool for formal security verification of our scheme.
1. Introduction
In the realm of computer networks, we save time and money by accessing resources and services online. For innumerable day-to-day activities, we depend on the internet, which makes our lives much easier: for example, using an ATM instead of waiting in long bank queues, booking e-tickets for trains and flights, or shopping through e-commerce websites. Though these facilities are easily available and widely used all around the world, accessing these services or resources depends on the transmission of data through insecure channels. This involves a high risk of eavesdropping and interception of messages/resources by an adversary for his own benefit. Thus, there is a need for a remote login authentication mechanism that can verify the legitimacy of a user and the service provider before the actual services are exchanged.
In this paper, we propose a remote user authentication scheme that uses the bilinear property of an elliptic point and the biometric characteristics of the user. Together, the bilinear property of an elliptic point and the user biometric can provide stronger security. The biometric enhances the security of the scheme as these characteristics of a person cannot easily be copied, guessed, stolen, forged or forgotten and are unique for every user. Thus, the use of a biometric together with a smart card and a password provides three-way authentication. Our proposed scheme checks the correctness of a password before sending the authentication message and, as a result, avoids the communication cost in case a legal user or an adversary enters a wrong password. The password change phase does not require the server’s involvement, which again avoids communication cost. The scheme hides the user identity, making it suitable for applications where the user does not want to disclose his identity. Furthermore, it can resist many security attacks, such as the replay attack, impersonation attack, password guessing attack, known key secrecy, denial of service attack, etc.
In order to design an efficient user authentication and key agreement protocol for accessing either a single server or multiserver system, the following security aspects should be achieved:
  • a. No verification table should be involved at the server end.
  • b. An efficient login phase and password change phase is necessary so that the protocol can detect wrong input information(s) in the early stage.
  • c. Mutual authentication property should be provided.
  • d. Session key agreement and verification are essential.
  • e. Resistance to the denial-of-service (DOS) attack.
  • f. User anonymity should be preserved.
  • g. Resistance to the off-line password/identity guessing attack.
  • h. Resistance to the user-server impersonation attack.
  • i. Resistance to the insider attack.
  • j. Resistance to the replay attack.
  • k. The protocol should resist the session key disclosure attack.
  • l. The protocol should provide perfect forward/backward secrecy.
  • m. The protocol should resist the stolen smart card attack.
2. Related Works
Remote login authentication has wide applications, especially in today’s scenario, where most transactions are done over computer networks. This has led several researchers to develop secure schemes that can achieve all the security goals and requirements. Since the development of the remote scheme by Lamport [1], several schemes [2-22, 28, 32] have been discussed that use various approaches. These schemes have pros and cons as far as the security features and security breaches are concerned. Nowadays, bio-cryptography is emerging as a powerful solution for user authentication, as it can combine the advantages of both conventional cryptography and biometric security [32]. Li and Hwang have discussed a biometric-based remote user authentication scheme that uses the user’s biometric information to prove the legality of the user [2]. In [3], Das points out a flaw in the scheme [2] and proposes a new security protocol. In [4], Lee et al. discuss a scheme that removes the security flaws in Li et al.’s scheme [2]. The paper [5] shows that Das’s scheme [3] does not resist the insider attack, password guessing, and user and server impersonation attacks, and fails to achieve mutual authentication. Li et al. show that Das’s scheme is vulnerable to the forgery and stolen smart card attacks and enhance the scheme in [7]. In [8], Chaturvedi et al. report that the schemes [5, 7] are inefficient in the login phase as the user password has no role in these schemes; moreover, they cannot resist the replay attack and the known session-specific temporary information attack. Chaturvedi et al.’s scheme [8] is based on exponential computation, which makes it costly as it needs more bits for transmitting the authentication messages. Some schemes have been developed using elliptic curve properties, which reduce the computational and communication costs since fewer bits are needed to represent elliptic curve points.
The paper [9] discusses a scheme for smart card authentication using bilinear pairings that lets users choose and change their passwords by themselves. However, the papers [10-13] report its vulnerabilities. Juang et al. [10] report that the scheme [9] suffers from different attacks like the replay attack, password guessing attack, forgery attack, etc. Furthermore, it lacks mutual authentication and verification of the old password in the password change phase. Fang et al. [11] improve the scheme [9] by removing its weaknesses. Giri and Srivastava [12] discuss an improvement over Fang et al.’s scheme. Awasthi [13] shows that Giri and Srivastava’s scheme is still insecure against the theft and on-line attacks and discusses a better scheme. Awasthi’s scheme [13], however, lacks the mutual authentication feature and cannot resist some important attacks. Yoon et al. [14] discuss an important authentication scheme. As reported by Xie [15], this scheme cannot resist the stolen-verifier attack and the off-line password guessing attack. Xie [15] discusses an authentication scheme using elliptic curve cryptography (ECC). Farash et al. [16] find that Xie’s scheme [15] is also susceptible to the impersonation attack and the off-line password guessing attack.
The above mentioned schemes do not provide the user anonymity. Based on the Farash et al.’s work [16] , Zhang et al. [17] have recently discussed an authentication scheme with anonymity. Islam and Biswas discuss an ECC-based password authentication and key agreement scheme using a smart card [18] . Li [19] points out that the Islam and Biswas’s scheme [18] cannot resist the off-line password guessing attack, stolen-verifier attack, and insider attack and overcomes its drawbacks in his scheme. Lee et al. [20] discover that both the original and modified schemes [18 , 19] are vulnerable to the insider attack and they have overcome this problem in their scheme.
Tang et al. [21] discuss a scheme based on ECC; however, it does not check the password correctness before sending the authentication message, resulting in wastage of the communication cost. Karuppiah et al. [22] present a scheme, which is claimed to be more secure. It however uses exponentiation to compute the authentication messages; thus, increasing the cost of communication.
In this paper, we propose a new authentication scheme based on ECC and biometric, which fulfills all the security requirements, and also prevents the waste of communication cost. The rest of the paper is organized as follows. Section 3 gives the attacker model, which defines the capabilities of an adversary on an insecure channel. Section 4 provides preliminaries that are required for further discussion in the paper. In Section 5, we discuss our proposed scheme. Section 6 presents its security analysis and section 7 presents the security proof using BAN Logic. In section 8, we present the simulation of our scheme using the AVISPA tool and in section 9 the comparative performance of our scheme along with the related schemes is given. Finally, section 10 concludes the paper.
3. Attacker Model
In this section, we describe the risks faced by an authentication scheme. As an authentication protocol is executed over an insecure channel, the attacker has several advantages or capabilities. In the following, we present some valid assumptions:
  • An attacker first taps the communication channel to obtain the messages and then tries to get the secret values.
  • An attacker may be a legitimate user.
  • An attacker may eavesdrop all the communications between the entities involved in the protocol over a public channel. It is also assumed that an attacker cannot intercept the message over a secure channel.
  • An attacker can modify, delete, resend, and reroute the eavesdropped messages.
  • An attacker can extract the smart card information by monitoring its power consumption. For example, if an attacker gets the smart card of a valid user, he may get all the stored information in the smart card.
  • The attacker knows the protocol description, i.e., the protocol is public.
  • An attacker can easily guess a single low-entropy parameter (a password or an identity) on its own, but guessing two secret parameters (e.g., password and identity) together is computationally infeasible in polynomial time. If we assume that the user’s identity and password are each of n characters, then the probability of guessing a string of approximately n characters is 1/26^n [27].
4. Preliminaries
In this section, we briefly review the basic concepts of fuzzy extraction, ECC, bilinear pairings, and the related mathematical problems.
- 4.1 Fuzzy Extractor
A fuzzy extractor deals with non-uniformity and error tolerance [24-25, 29-31]. It reliably converts biometric input information into a uniformly random string R in an error-tolerant way.
Therefore, it is appropriate for cryptographic schemes that use biometrics. If the input changes but remains close, the extracted R remains the same. To assist in recovering R from the entered biometric, a fuzzy extractor outputs a public string P. P, known as helper data, is derived only from the biometric template, and the cryptographic key R is generated from the helper data and the biometric query B. If the biometric template and query are from the same user, then the generated keys will be the same with overwhelming probability [31]. A fuzzy extractor consists of a pair of efficient randomized procedures, Gen and Rep, which mean ‘generate’ and ‘reproduce’, respectively, as given below:
  • Gen(B) = (R, P),
where B is the biometric information and R and P are the random strings generated by Gen.
  • R* = Rep(B*, P),
where B* is the biometric information and P is the public string used by Rep to reproduce R*.
To reproduce the same R, i.e., R = R*, the metric-space distance between B and B* has to satisfy the verification threshold.
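As an added example (not from the paper, whose fuzzy extractor is specified only through the Gen/Rep interface), the following Python sketch realizes Gen and Rep with the code-offset construction of Dodis et al.: the helper data is P = B ⊕ c for a random codeword c of a 3-fold repetition code, and R is derived by hashing the message recovered from the decoded codeword. The 30-bit template, the repetition code, the tolerance of one flipped bit per 3-bit block, and SHA-256 standing in for a strong randomness extractor are all assumptions of this example.

```python
import hashlib
import secrets

# Toy fuzzy extractor: code-offset secure sketch with a 3-fold repetition code.
# The construction, the 30-bit biometric and hash-as-extractor are assumptions
# made for this example; they are not the paper's construction or library code.

BLOCK = 3                  # repetition factor: each message bit is stored 3 times
N_BITS = 30                # length of the biometric bit-string B (constructed)
N_MSG = N_BITS // BLOCK    # 10 message bits per codeword


def encode(msg_bits):
    """Repetition-code encoder: each message bit is repeated BLOCK times."""
    return [bit for bit in msg_bits for _ in range(BLOCK)]


def decode(code_bits):
    """Majority-vote decoder: corrects up to one flipped bit per block."""
    return [int(sum(code_bits[i:i + BLOCK]) * 2 > BLOCK)
            for i in range(0, len(code_bits), BLOCK)]


def extract(msg_bits):
    """Stand-in for a strong extractor: hash the recovered message bits."""
    return hashlib.sha256(bytes(msg_bits)).hexdigest()


def gen(B):
    """Gen(B) = (R, P): P = B XOR c for a random codeword c, R = Ext(msg of c)."""
    msg = [secrets.randbelow(2) for _ in range(N_MSG)]
    c = encode(msg)
    P = [b ^ cb for b, cb in zip(B, c)]      # helper data, safe to store publicly
    return extract(msg), P


def rep(B_star, P):
    """Rep(B*, P): c* = B* XOR P = c XOR (B XOR B*); decode, then re-extract."""
    c_star = [b ^ pb for b, pb in zip(B_star, P)]
    return extract(decode(c_star))


def flip(bits, positions):
    """Simulate sensor noise by flipping the bits at the given positions."""
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


# Constructed 30-bit "fingerprint template" used as sample input.
B_TEMPLATE = [1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0,
              1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1]

if __name__ == "__main__":
    R, P = gen(B_TEMPLATE)
    # One flipped bit per block stays within the verification threshold: R* = R.
    close = flip(B_TEMPLATE, [0, 4, 8, 12])
    print("noisy query reproduces R:", rep(close, P) == R)
    # Two flips inside one block exceed the threshold: R* != R.
    far = flip(B_TEMPLATE, [0, 1])
    print("distorted query reproduces R:", rep(far, P) == R)
```

The "verification threshold" of the text is the error-correcting capacity of the code: a query that differs from the template by at most one bit per block reproduces R, while two flips in the same block change a message bit and therefore R. The helper data P hides B only as well as the codeword c is unpredictable, which is why c must come from a cryptographic random number generator.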
- 4.2 Elliptic Curve
The equation of a non-singular elliptic curve E_q(a, b) over a finite field Z_q (q is a large prime number greater than 3) can be written as follows:
  • y² ≡ x³ + ax + b (mod q)
where a and b are constants such that 4a³ + 27b² ≠ 0 mod q, which must be satisfied for non-singularity.
Any point Q(x, y) ∈ E_q(a, b), x, y ∈ Z_q, together with O, called the ‘point at infinity’, forms an additive cyclic group E = {(x, y) ∈ E_q(a, b)} ∪ {O}, where O serves as the additive identity element of the group. Point addition and scalar multiplication of a point are defined as follows:
- a. Point Addition
If Q(x_1, y_1) and R(x_2, y_2) are two points on the elliptic curve, the resultant point S(x_3, y_3) = Q + R is computed as follows (all arithmetic is mod q):
  • x_3 = m² − x_1 − x_2;
  • y_3 = −(y_1 + m(x_3 − x_1))
  • where
  • m = (y_2 − y_1) / (x_2 − x_1), if R ≠ Q
  • m = (3x_1² + a) / 2y_1, if R = Q.
- b. Point Multiplication with a scalar value
The multiplication of a point Q by a scalar k is defined as adding Q to itself k times:
  • k⋅Q = Q + Q + ... + Q (k times).
- 4.3 Bilinear Pairings
Let G_1 denote an additive cyclic group of prime order q, and G_2 a multiplicative cyclic group of the same order. A pairing is a map ê: G_1 × G_1 → G_2 that satisfies the following properties:
  • Bilinearity: For all Q, R, S ∈ G_1, ê(Q + R, S) = ê(Q, S) ⋅ ê(R, S) and ê(Q, R + S) = ê(Q, R) ⋅ ê(Q, S). As a result, ê(a⋅Q, b⋅R) = ê(Q, R)^{ab} for all Q, R ∈ G_1 and all a, b ∈ Z_q*, where Z_q* = Z_q − {0}.
  • Non-degeneracy: There exist S, Q ∈ G_1 such that ê(S, Q) ≠ 1_{G_2}, where 1_{G_2} is the identity element of the group G_2.
  • Computability: There is an efficient algorithm to compute ê(Q, R) for any Q, R ∈ G_1.
- 4.4 Computational Problems
Definition 1: Elliptic Curve Discrete Logarithm Problem (ECDLP)
  • Given Q, R ∈ G_1,
  • find an integer k ∈ Z_q* such that R = k⋅Q.
Definition 2: Computational Diffie–Hellman Problem (CDHP)
  • Given (Q, a⋅Q, b⋅Q) for any a, b ∈ Z_q*,
  • computing ab⋅Q in the group G_1 is hard.
Definition 3: Decisional Diffie–Hellman Problem (DDHP)
  • Given (Q, a⋅Q, b⋅Q, c⋅Q) for any a, b, c ∈ Z_q*,
  • decide whether c⋅Q = ab⋅Q, i.e., whether c = ab mod q or not.
5. Proposed Scheme
In this section, we propose an efficient remote login authentication scheme using fingerprints. There are two kinds of participants in our scheme: the login users and the server. A legitimate user can get services from the server only after he has registered with it, so a new user must register himself with the server to access the services. The scheme has five phases: initialization phase, registration phase, login phase, authentication phase, and password change phase. In the initialization phase, the server computes its public and private parameters. In the registration phase, the new user requests registration from the server and, after some initial verification, the server registers the new user and provides him with a smart card. The smart card contains some of the user’s parameters. In the login phase, a user must enter his secret values, i.e., identity, password, and biometric, into the device attached to the system along with the smart card. In this phase, the correctness of the values entered by the user is first checked and then a login message is sent to the server. In the authentication phase, the server first verifies the user’s legitimacy and then sends an authentication message to him. After receiving the authentication message, the user also verifies the server’s authenticity. Additionally, a session key is computed by both participants, i.e., the user and the server, for further communication in the current login session. The password change phase is a feature of the scheme that allows a user to change his password whenever he wishes. Figs. 1 and 2 illustrate the proposed scheme and Table 1 lists the notations used in our scheme. A detailed description of all the steps involved in the scheme is given below.
Table 1. Notations used in the Paper
Fig. 1. User Registration Phase
Fig. 2. Mutual Authentication and Key Agreement
- 5.1 Initialization Phase
This is the setup phase of the system in which the server computes the public and secret parameters.
The server chooses G_1 as an additive cyclic group of prime order q, and G_2 as a multiplicative cyclic group of the same order. It defines a bilinear map ê: G_1 × G_1 → G_2. It also defines a cryptographic one-way hash function H and an elliptic curve E_q(a, b).
The server selects a base point G on the elliptic curve and a secret key d, and then computes the corresponding public key Q_d = d⋅G. Finally, it publishes the system parameters {G_1, G_2, ê, q, G, Q_d, H} and keeps d secret.
- 5.2 Registration Phase
This phase is used to register a new user with the server, as only registered users can access the server. To register himself as a new user, the user U_i first chooses his identity ID_i and password PW_i, and then he registers his fingerprint B_i using a fuzzy extractor such that Gen(B_i) = (R_i, P_i), where R_i and P_i are the random strings generated by the Gen function. The value PB_i = H(PW_i || R_i) is computed and the message {ID_i, PB_i, P_i} is sent to the server through a secure channel.
The server computes CID_i = (d||ID_i)⋅G, HPW_i = CID_i + PB_i⋅Q_d and A_1i = (PB_i||ID_i)⋅G.
The values {HPW_i, A_1i, G, Q_d, q, P_i, H, E_q(a, b)} are stored in the smart card, which is sent to the user securely.
The user registration phase is summarized in Fig. 1 .
- 5.3 Login Phase
When a user wants to log into the system, he inserts his smart card into the terminal attached to the system, keys in his ID_i* and password PW_i* into the terminal, and also provides his fingerprint B_i* to the device.
The smart card computes R_i* = Rep(B_i*, P_i), PB_i* = H(PW_i* || R_i*) and A_1i* = (PB_i*||ID_i*)⋅G.
If A_1i* ≠ A_1i, the request is terminated; otherwise, the smart card computes CID_i* = HPW_i − PB_i*⋅Q_d.
Proof: CID_i* = HPW_i − PB_i*⋅Q_d = CID_i + PB_i⋅Q_d − PB_i*⋅Q_d = CID_i (since PB_i* = PB_i).
The smart card generates a random number r_u and computes A_2i = r_u⋅G, NID_i = ID_i* + r_u⋅Q_d and A_3i = ê(T_1⋅r_u⋅CID_i* + A_2i, Q_d), where T_1 is the current login time; the system is assumed to be time-synchronized.
The smart card sends the login message {NID_i, A_2i, T_1, H(A_3i)} to the server.
- 5.4 Authentication phase
The server receives the login message {NID_i, A_2i, T_1, H(A_3i)} at time T_2. It checks whether (T_2 − T_1) < ΔT, where ΔT is the legal tolerance time. If (T_2 − T_1) > ΔT, the login session is terminated; otherwise, it continues.
The server computes ID_i** = NID_i − d⋅A_2i and checks the format and existence of ID_i**.
It also computes CID_i** = (d||ID_i**)⋅G and A_3i* = ê(CID_i**, A_2i)^{T_1⋅d} ⋅ ê(d⋅A_2i, G).
Then the server compares H(A_3i*) ?= H(A_3i). If they are equal, the server authenticates the user; otherwise, the login session is terminated.
Proof:
A_3i* = ê(CID_i**, A_2i)^{T_1⋅d} ⋅ ê(d⋅A_2i, G)
  • = ê(T_1⋅CID_i**, d⋅A_2i) ⋅ ê(A_2i, G)^d
  • = ê(T_1⋅CID_i**, d⋅r_u⋅G) ⋅ ê(A_2i, d⋅G)
  • = ê(T_1⋅CID_i**, r_u⋅d⋅G) ⋅ ê(A_2i, Q_d)
  • = ê(T_1⋅CID_i**, r_u⋅Q_d) ⋅ ê(A_2i, Q_d)
  • = ê(T_1⋅CID_i**, Q_d)^{r_u} ⋅ ê(A_2i, Q_d)
  • = ê(T_1⋅r_u⋅CID_i**, Q_d) ⋅ ê(A_2i, Q_d)
  • = ê(T_1⋅r_u⋅CID_i** + A_2i, Q_d)
  • = A_3i
Further, the server chooses a random number r_s and computes B_1 = r_s⋅G, B_2 = r_s⋅A_2i, SK = H(CID_i** || SID_j⋅d⋅A_2i || T_3⋅B_2), and B_3 = H(SK || T_3 || CID_i** || B_2), where SID_j is the server’s identity and T_3 is the time at which the server sends the authentication message.
The server sends the authentication message {SID_j, B_1, B_3, T_3} to the smart card, which receives it at time T_4.
The smart card checks whether (T_4 − T_3) < ΔT. If true, the smart card computes B_2* = r_u⋅B_1, SK* = H(CID_i* || SID_j⋅r_u⋅Q_d || T_3⋅B_2*), and B_3* = H(SK* || T_3 || CID_i* || B_2*).
Finally, the smart card compares B_3* with B_3. If they are equal, the smart card authenticates the server; otherwise, the login session is terminated.
The mutual authentication and key agreement features of the scheme are summarized in Fig. 2.
Note: SK* = SK is the session key computed by both the user and the server for this session.
- 5.5 Password Change Phase
In this section, we provide the password change procedure for a registered user of the system. If a user wants to change his password for any reason, he inserts his smart card into the terminal, keys in his ID_i* and password PW_i* into the terminal, and also provides his fingerprint to the device.
The smart card computes R_i* = Rep(B_i*, P_i), PB_i* = H(PW_i* || R_i*), and A_1i* = (PB_i*||ID_i*)⋅G.
If A_1i* ≠ A_1i, the process is terminated; otherwise, the smart card computes CID_i* = HPW_i − PB_i*⋅Q_d, and the user is asked to enter a new password PW_new.
The smart card computes PB_new = H(PW_new || R_i*), A_1new = (PB_new||ID_i*)⋅G and HPW_new = CID_i* + PB_new⋅Q_d.
It replaces HPW_i with HPW_new and A_1i with A_1new in the smart card. The password is successfully changed.
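The following Python program is an added example, not the paper’s or any library’s code. It ties together the point arithmetic of Section 4.2, the ECDLP of Section 4.4 (solved by brute force only on a 19-point toy group), and the smart-card side of the registration, login-check and password-change phases above. Assumptions of the example: SHA-256 plays the role of H, byte concatenation plays the role of ||, secp256k1 with its standard base point stands in for E_q(a, b) and G, and R_i is passed in as bytes standing for the fuzzy-extractor output. The pairing-based value A_3i and the server’s verification are not implemented, since they need a pairing-friendly curve and a pairing library.

```python
import hashlib

O = None  # point at infinity, the additive identity of the curve group


class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over Z_p (Section 4.2)."""

    def __init__(self, p, a, b):
        if (4 * a**3 + 27 * b**2) % p == 0:           # non-singularity condition
            raise ValueError("singular curve")
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return O if P is O else (P[0], (-P[1]) % self.p)

    def add(self, Q, R):
        """Q + R with the chord slope (R != Q) or tangent slope (R == Q) m."""
        if Q is O:
            return R
        if R is O:
            return Q
        (x1, y1), (x2, y2) = Q, R
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return O                                  # Q + (-Q) = O
        if Q == R:
            m = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            m = (y2 - y1) * pow(x2 - x1, -1, self.p)
        x3 = (m * m - x1 - x2) % self.p
        y3 = (-(y1 + m * (x3 - x1))) % self.p
        return (x3, y3)

    def mul(self, k, P):
        """k*P (k >= 0) by double-and-add instead of k-fold repeated addition."""
        acc = O
        while k > 0:
            if k & 1:
                acc = self.add(acc, P)
            P, k = self.add(P, P), k >> 1
        return acc


def ecdlp_brute(curve, G, R, order):
    """Find k with R = k*G by exhaustive search; feasible only on toy groups."""
    acc = O
    for k in range(order):
        if acc == R:
            return k
        acc = curve.add(acc, G)
    return None


# Textbook toy curve y^2 = x^3 + 2x + 2 over Z_17; G = (5, 1) has order 19.
TOY, TOY_G, TOY_ORDER = Curve(17, 2, 2), (5, 1), 19

# secp256k1 (standard public parameters) stands in for a realistic E_q(a, b).
N256 = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
SECP = Curve(2**256 - 2**32 - 977, 0, 7)
G256 = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def H(*parts):
    """H(a || b || ...): SHA-256 of the concatenated bytes, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def concat_scalar(left, right):
    """(left || right) as a scalar: 32-byte big-endian int followed by bytes."""
    return int.from_bytes(left.to_bytes(32, "big") + right, "big") % N256


def register(d, ID, PW, R):
    """Registration (5.2): the card data {HPW_i, A_1i, Q_d} issued to the user."""
    Qd = SECP.mul(d, G256)                           # Q_d = d*G, published in 5.1
    PB = H(PW, R)                                    # PB_i = H(PW_i || R_i)
    CID = SECP.mul(concat_scalar(d, ID), G256)       # CID_i = (d || ID_i) * G
    HPW = SECP.add(CID, SECP.mul(PB, Qd))            # HPW_i = CID_i + PB_i * Q_d
    A1 = SECP.mul(concat_scalar(PB, ID), G256)       # A_1i = (PB_i || ID_i) * G
    return {"HPW": HPW, "A1": A1, "Qd": Qd}


def card_check(card, ID, PW, R):
    """Local check of 5.3/5.5: CID_i* on success, None when A_1i* != A_1i."""
    PB = H(PW, R)
    if SECP.mul(concat_scalar(PB, ID), G256) != card["A1"]:
        return None                                  # stop: no login message is sent
    return SECP.add(card["HPW"], SECP.neg(SECP.mul(PB, card["Qd"])))  # HPW_i - PB_i*Q_d


def change_password(card, ID, PW, R, PW_new):
    """Password change (5.5) on the card alone; the server is not involved."""
    CID = card_check(card, ID, PW, R)
    if CID is None:
        return False
    PB_new = H(PW_new, R)
    card["A1"] = SECP.mul(concat_scalar(PB_new, ID), G256)
    card["HPW"] = SECP.add(CID, SECP.mul(PB_new, card["Qd"]))
    return True
```

card_check returns None exactly when A_1i* ≠ A_1i, which is the point at which Section 5.3 stops before any login message leaves the card; change_password reuses that check and rewrites only HPW_i and A_1i, so the server never participates. The toy curve makes the hardness argument concrete: ecdlp_brute recovers k on the 19-point group in at most 19 additions, whereas the same search on secp256k1 would need on the order of 2^256 steps. The scalar multiplication here is not constant-time, which a real smart-card implementation would have to address.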
6. Informal Security Analysis of Proposed Scheme
Security analysis of a scheme determines its efficacy and robustness. In order to cover all security requirements, this section presents the security features that our scheme provides, followed by the security attacks that our scheme can resist. Based on the capabilities of an attacker described in the attacker model in Section 3, we assume that an adversary has the smart card information {HPW_i, A_1i, G, Q_d, q, H, E_q(a, b)} and also captures the communication messages {NID_i, A_2i, T_1, H(A_3i)} and {SID_j, B_1, B_3, T_3} between the user and the server. Here we present the security analysis of our scheme and claim that it is highly secure against these attacks.
- 6.1 No Verification Table is Needed
In our scheme, the server does not store any secret value in its database. So, in case an adversary somehow accesses the database, there is no chance for him to get/alter the secret values of the user. Thus, due to absence of verification table, our scheme resists the stolen verifier attack.
- 6.2 Efficient Login Phase
In our scheme, before sending any authentication request to the server, the smart card checks the correctness of the ID_i and password PW_i entered by the user. If a legal user enters a wrong password PW_i* by mistake, the smart card itself terminates the login session. Thus, there is no wastage of computation or communication cost.
If PW_i* ≠ PW_i, then PB_i* = H(PW_i* || R_i) ≠ PB_i.
Therefore, A_1i* = (PB_i*||ID_i*)⋅G ≠ A_1i.
It means that when the smart card compares the computed A_1i* with the stored A_1i and finds them unequal, it stops further computation and terminates the login session. In this way, it avoids extra load on the communication channel. Thus, our scheme provides an efficient login phase.
- 6.3 Efficient Password Change Phase
To change the password, the correctness of the password PW_i, user identity ID_i, and R_i is first checked by comparing A_1i* with A_1i on the smart card itself, in the same way as discussed above. If they match, the user is asked to give a new password. The smart card then computes new values of HPW_i and A_1i and replaces the old values with the new ones. In our scheme, the server is not involved in the password change phase. Thus, there is no communication cost for changing the password and the user is free to change his password whenever he wishes.
- 6.4 Mutual Authentication
In mutual authentication, the user and the server authenticate each other. They use their own secret keys to compute the authentication messages, which are used to verify their authenticity. In the authentication phase, the server authenticates the user by computing, with its private key d, ID_i** = NID_i − d⋅A_2i, CID_i** = (d||ID_i**)⋅G and A_3i* = ê(CID_i**, A_2i)^{T_1⋅d} ⋅ ê(d⋅A_2i, G). If H(A_3i*) = H(A_3i), the user is authenticated.
To authenticate the server, the smart card computes the following using the user’s private values PW_i* = PW_i and R_i* = R_i: R_i* = Rep(B_i*, P_i), PB_i* = H(PW_i* || R_i*), CID_i* = HPW_i − PB_i*⋅Q_d, B_2* = r_u⋅B_1, SK* = H(CID_i* || SID_j⋅r_u⋅Q_d || T_3⋅B_2*) and B_3* = H(SK* || T_3 || CID_i* || B_2*). If B_3* = B_3, the server is authenticated.
- 6.5 Session Key Agreement
In our scheme, a session key is computed for the current session when a user wishes to communicate with the server. Note that the session key is a temporary value, which is accepted in a particular session and is of no use in any other login session of the user. The session key depends on the temporary values selected by the user and the server. SK = H(CID_i** || SID_j⋅d⋅A_2i || T_3⋅B_2) is the session key computed by the server and SK* = H(CID_i* || SID_j⋅r_u⋅Q_d || T_3⋅B_2*) is computed by the user. Note that SK* = SK (proved). The unique key construction for each session ensures the key freshness property.
- 6.6 Resistance to Denial of Service Attack
In a denial of service (DOS) attack, an adversary attempts to prevent a legal user from accessing the services. The adversary usually sends a huge number of forged messages to keep the network or server busy all the time. In our scheme, the correctness of the user’s secret values is checked before the login message is sent for authentication. Furthermore, the server plays no role in the password change phase, which reduces the server load and network congestion as well. Thus, there is no chance of the denial of service attack.
- 6.7 User Anonymity Preservation
In our scheme, the user identity is stored in encrypted form in the smart card as HPW_i = CID_i + PB_i⋅Q_d, where CID_i = (ID_i||d)⋅G. Finding ID_i from (ID_i||d)⋅G is an instance of the ECDLP, which is intractable. Even if the adversary somehow extracts the data of the smart card, he cannot recover the value of ID_i. The user identity is also encrypted in the authentication message sent over the insecure channel to the server as NID_i = ID_i* + r_u⋅Q_d. If the adversary intercepts the message and obtains NID_i, then, due to the ECDLP, he cannot extract the random number r_u, and without knowing r_u he cannot compute ID_i*. Moreover, knowing A_2i = r_u⋅G and Q_d = d⋅G, computing d⋅A_2i is not feasible due to the CDHP. Thus, our scheme preserves user anonymity.
- 6.8 Resistance to Offline Password/Identity Guessing Attack
In our scheme, the ID_i and PW_i of a user are stored in the smart card in encrypted form and it is not easy to extract them. Therefore, to find the values of ID_i and PW_i, the adversary has to guess both values. We have already mentioned that an adversary can obtain many parameters (HPW_i, A_1i, NID_i, A_2i, B_1, B_3) from the smart card and the communicated messages during execution of the protocol. Our claim is that the attacker cannot guess and derive both ID_i and PW_i in polynomial time, as discussed below.
  • From A_1i: The parameter A_1i is defined as A_1i = (PB_i||ID_i)⋅G, where PB_i = H(PW_i||R_i). In this case, the adversary has no knowledge of PW_i, ID_i and R_i. Due to the ECDLP, he cannot get PB_i or ID_i from (PB_i||ID_i)⋅G. Moreover, due to the non-invertible one-way hash function, the adversary cannot find PW_i and R_i. If the adversary wants to guess the password, he also needs to guess the other secret values ID_i and R_i. We have already discussed in the attacker model (Section 3) that the probability of guessing all three parameters ID_i, PW_i and R_i at the same time is 1/2^{18n}, which is infeasible.
  • From HPW_i: The parameter HPW_i is defined as HPW_i = CID_i + PB_i⋅Q_d, where CID_i = (d||ID_i)⋅G. Here, we can see that an extra unknown parameter d is involved in the computation of HPW_i, which cannot be extracted due to the ECDLP. If the adversary wants to guess all four values ID_i, PW_i, R_i and d, then the probability of guessing them is 1/2^{18n+m}, which is very small. Here, we have assumed that d has m characters. The probability of guessing the password is negligible.
  • From NID_i: The attacker can use NID_i to guess ID_i, where NID_i = ID_i + r_u⋅Q_d. However, there are two unknown parameters ID_i and r_u. To verify the guessed ID_i, the adversary also needs to guess r_u. The probability of guessing the identity ID_i is 1/2^{6n+64}, where the length of the random number is 64 bits, which is infeasible in polynomial time.
- 6.9 Resistance to User-server Impersonation Attacks
As mentioned in the attacker model (Section 3), we assume that an attacker can capture the transmitted messages as they pass through the public channel and, after making some alteration to a message, can re-transmit it for verification. If the re-transmitted message is somehow verified, the attacker can break the security system and access the server, which is not possible in our scheme, as discussed below.
  • If the adversary wants to impersonate a legal user, he eavesdrops on the transmitted message {NID_i, A_2i, H(A_3i), T_1} from the insecure channel and tries to construct a new message by changing the random nonce. Suppose, at the current time T_1', he selects a random number r_u'. However, to compute NID_i = ID_i + r_u'⋅Q_d and A_3i = ê(T_1'⋅r_u'⋅CID_i* + A_2i, Q_d), he needs CID_i*, which cannot be computed without ID_i and d, and extracting or guessing ID_i and d at the same time is not possible in polynomial time, as proved above. Thus, the adversary cannot impersonate a legal user in our scheme.
  • If the adversary wants to impersonate the server, he eavesdrops on the transmitted message {SID_j, B_1, B_3, T_3} from the insecure channel and tries to construct a new message. Suppose, at the current time T_3', he selects a random number r_s'. However, to compute B_3 = H(SK || T_3' || CID_i** || B_2), he needs CID_i** and B_2. He cannot compute B_2 = r_s⋅r_u⋅G even after knowing A_2i = r_u⋅G and B_1 = r_s⋅G, due to the CDHP and DDHP. Thus, the adversary cannot impersonate the server in our scheme.
The above discussion clearly shows that our scheme is well protected against user-server impersonation attacks and that an adversary cannot build any valid message for transmission to the desired entity.
- 6.10 Resistance to Privileged Insider Attack
Several security systems have been broken by insider attacks. It is therefore essential to keep the user’s confidential information secret from the server (though the server is trusted). An insider of the system (a system manager or administrator) may use that information against other accounts on other servers, as most users reuse the same password for a set of accounts. In our scheme, a user submits the hashed value PB_i = H(PW_i || R_i) to the server instead of the original PW_i in the registration phase. Thus, an insider cannot extract the user’s password, due to the non-invertible one-way function. Moreover, guessing the password is also infeasible due to the two unknown parameters, as discussed earlier.
- 6.11 Resistance to Replay Attack
When an adversary uses the information that he intercepted from a previous transmission to impersonate a legal user, it is called a replay attack. In our scheme, we use a timestamp as well as random numbers for sending the authentication messages {NIDi, A2i, H(A3i), T1} and {SIDj, B1, B3, T3}. The adversary cannot extract the random numbers from the messages due to the ECDLP.
Case 1: If the adversary sends the same authentication message, the tolerable time delay ΔT will be exceeded and the session will be terminated.
Case 2: Suppose the adversary intercepts the message and later sends it at the current time T1' as {NIDi, A2i, H(A3i), T1'}. The server accepts it and computes IDi** = NIDi − d⋅A2i, CIDi** = (IDi**||d)⋅G and A3i' = ê(CIDi**, A2i)^(T1'⋅d) ⋅ ê(d⋅A2i, G). Here, H(A3i') ≠ H(A3i) due to the different timestamps T1' ≠ T1. Thus, the login session will be terminated by the server and the replay attack is prevented in our scheme.
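The two replay cases above can be checked mechanically. The following Python is an added example, not the paper's code: it replaces the pairing ê with a toy symmetric bilinear map in which points are written as scalar multiples of G over a small prime-order group (discrete logarithms are trivial there, so it has no security value and only verifies the protocol algebra); the parameter values, the hash H and the (IDi||d)⋅G mapping are constructed assumptions.

```python
import hashlib

# Constructed toy parameters: Q is the prime group order, P = 2Q + 1 is prime and
# GT_GEN = 2^2 generates the order-Q subgroup of Z_P* used as the target group.
Q = 1019
P = 2 * Q + 1
GT_GEN = 4
G = 1  # the base point, written as the scalar 1 (every point a means a*G)


def pair(a, b):
    """Toy symmetric bilinear map: e(a*G, b*G) = GT_GEN^(a*b) in the target group."""
    return pow(GT_GEN, (a * b) % Q, P)


def H(*parts):
    """Stand-in for the one-way hash H over the concatenation of its inputs."""
    return hashlib.sha256("||".join(str(x) for x in parts).encode()).hexdigest()


def cid_of(id_point, d):
    """CIDi = (IDi || d) * G: hash the concatenation into a non-zero scalar of G (assumed mapping)."""
    return 1 + int(H(id_point, d), 16) % (Q - 1)


def user_login(id_point, cid_star, Qd, ru, T1):
    """User side: NIDi = IDi + ru*Qd, A2i = ru*G, A3i = e(T1*ru*CIDi* + A2i, Qd)."""
    NIDi = (id_point + ru * Qd) % Q
    A2i = (ru * G) % Q
    A3i = pair((T1 * ru * cid_star + A2i) % Q, Qd)
    return {"NIDi": NIDi, "A2i": A2i, "HA3i": H(A3i), "T1": T1}


def server_verify(msg, now, d, delta_t):
    """Server side of the login check, with the two replay cases of Section 6.11."""
    T1 = msg["T1"]
    if abs(now - T1) > delta_t:                  # Case 1: replayed unchanged, outside ΔT
        return False, "stale timestamp"
    IDi_ss = (msg["NIDi"] - d * msg["A2i"]) % Q  # IDi** = NIDi - d*A2i
    CIDi_ss = cid_of(IDi_ss, d)                  # CIDi** = (IDi** || d) * G
    # A3i' = e(CIDi**, A2i)^(T1*d) * e(d*A2i, G), using the T1 carried in the message
    A3i_check = (pow(pair(CIDi_ss, msg["A2i"]), (T1 * d) % Q, P)
                 * pair((d * msg["A2i"]) % Q, G)) % P
    if H(A3i_check) != msg["HA3i"]:              # Case 2: T1 re-stamped but H(A3i) not
        return False, "authenticator mismatch"
    return True, "accepted"


if __name__ == "__main__":
    d = 77                    # server secret (constructed)
    Qd = (d * G) % Q          # server public key Qd = d*G
    IDi = 123                 # user identity written as a point (constructed)
    cid = cid_of(IDi, d)      # the CIDi* a correct smart card would hold
    msg = user_login(IDi, cid, Qd, ru=55, T1=1000)
    print("fresh login      :", server_verify(msg, 1002, d, 5))
    print("replayed late    :", server_verify(msg, 1100, d, 5))
    print("re-stamped replay:", server_verify(dict(msg, T1=1100), 1100, d, 5))
    print("wrong CIDi*      :", server_verify(user_login(IDi, cid + 1, Qd, 55, 1000), 1000, d, 5))
```

The wrong-CIDi* case models a card holder whose PBi* (and hence CIDi* = HPWi − PBi*⋅Qd) is wrong: the message is well-formed but the server's recomputed authenticator never matches.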
- 6.12 Resistance to Known Session Specific Temporary Information Attack
In our scheme, the session key SK on which the user and the server agree in a particular session does not leak any information. Thus, it is not easy for an adversary to compute another session key. The session key is not transmitted as plaintext on the insecure channel; rather, it is computed by the server and the user using their private keys. So, obtaining SK is very hard for the adversary without knowledge of the private keys and random values. Even if the adversary somehow gets ru and rs, he cannot compute SK without CIDi.
If the adversary somehow gets the session-specific temporary values SK, ru, and rs, this does not affect other session keys. Extracting information from the session key is again an ECDLP instance. To compute a session key, the adversary needs the fresh random value of the current session and the secret value of the server. Thus, knowing the temporary values of one session, the adversary cannot find the keys of another session.
- 6.13 Perfect Forward/Backward Secrecy
Perfect forward/backward secrecy means that a session key derived from a set of long-term keys (i.e., IDi and d) is not compromised even if one of the long-term keys is compromised in the future. Here, we assume that the long-term secret key d of the server is disclosed by some means to an attacker, who tries to compute a previous session key SK = H(CIDi** || SIDj⋅d⋅A2i || T3⋅B2) = H(CIDi* || SIDj⋅ru⋅Qd || T3⋅B2*), where CIDi** = (d||IDi)⋅G and B2 = rs⋅A2i = ru⋅B1. However, knowing only the secret key d, the attacker cannot compute the previous session key because of the other secret parameters, namely IDi, rs and ru, as it has already been proved that extracting these values is not possible due to the ECDLP. Furthermore, if we assume that a session key of the protocol is disclosed to the attacker and he tries to compute a previous session key, he cannot extract any secret parameters such as d and B2 from the session key SK = H(CIDi* || SIDj⋅ru⋅Qd || T3⋅B2) = H(CIDi** || SIDj⋅d⋅A2i || T3⋅B2), due to the non-invertible one-way hash function, and hence he cannot compute the previous session key. Thus, our scheme preserves the perfect forward/backward secrecy property.
- 6.14 Resistance to Stolen Smart Card Attack
Suppose an attacker steals the smart card, somehow extracts the smart card parameters {HPWi, A1i, G, Qd, p, H, Eq(a,b)}, and wants to generate a login message {NIDi, A2i, H(A3i), T1}. To compute A3i, the attacker needs CIDi* = HPWi − PBi*⋅Qd, and computing PBi* requires the user's IDi, password, and biometric value. In some schemes, if the adversary finds the smart card, he can change the password through a password guessing attack. However, in our scheme IDi is also kept secret, and it has already been proved that guessing IDi, PWi, and Bi is infeasible. This means that even after getting the smart card's parameters, the adversary cannot extract the correct values of IDi, PWi and Ri to generate any valid message. Thus, the stolen smart card attack is not effective in our scheme.
7. Authentication Proof based on BAN logic
In this section, we apply the BAN logic, a tool for analyzing authentication schemes [26]. The BAN logic uses three objects: principals, encryption keys, and formulas (also called statements; messages are identified with statements). We use the symbols M and N for principals, X and Y range over statements, and K represents a cryptographic key.
We use the same notation as the BAN logic in our demonstration.
M |≡ X : The principal M believes the statement X.
M ◁ X : The principal M sees the statement X.
M |~ X : M once said X.
M X : M has jurisdiction over X (used when the principal has delegated authority over some statement).
#(X) : X is fresh, that is, no principal sent X in a message before the current run of the protocol.
[shared-key symbol given in figure] : M and N communicate using the shared key K. Moreover, K will never be discovered by any principal except M and N, or a principal trusted by either M or N.
{X}K : X encrypted under the key K.
<X>Y : X combined with Y.
(X)K : X hashed with the key K.
K |→ M : K is the public key of M, and M has the corresponding secret key K⁻¹.
Besides, we present the main BAN-logic postulates used for proving our scheme:
Message meaning rule: [given in figure]
Nonce verification rule: [given in figure]
Jurisdiction rule: [given in figure]
Freshness rule: [given in figure]
Belief rule: [given in figure]
All authentication schemes need to achieve four main goals between the user Ui and the server Sj. The required goals are the following:
[Goals given in figure]
The following assumptions are made about the initial state of the scheme in order to analyze it:
[Assumptions A1–A12 given in figure]
We now analyze the idealized form of our scheme based on the BAN logic rules and the assumptions:
Message 1: Ui→Sj: <NIDi, A2i, H(A3i), T1>
According to the seeing rule,
R1: Sj ◁ <{IDi}Qd, A2i, ({T1, A2i})CIDi, T1>
According to A5, R1 and the message meaning rule, we get
R2: Sj |≡ Ui |~ (IDi, T1, A2i)
Applying the freshness-concatenation rule and the nonce verification rule to A1, A4 and R2, we get
R3: Sj |≡ Ui |≡ (IDi, T1, A2i)
According to A5, A6, A9, R3 and the belief rule,
R4: [given in figure]
According to A10, R4 and the jurisdiction rule,
R5: [given in figure]
Message 2: Sj→Ui: <SIDj, B1, B3, T3>
According to the seeing rule,
R6: [given in figure]
According to A6, A7, R6 and the message meaning rule, we get
R7: [given in figure]
Applying the freshness-concatenation rule and the nonce verification rule to A2, A3 and R7, we get
R8: [given in figure]
Therefore, according to the belief rule,
R9: [given in figure]
According to A11, R9 and the jurisdiction rule,
[result given in figure]
According to A12, A9, R8 and the jurisdiction rule,
R12: Ui |≡ (SIDj, B2)
Since CIDi, SIDj and B2 are the main factors for computing SK on the smart card, according to R12, A6, A7 and the message meaning rule, we get
R13: [given in figure]
According to A10, R13 and the jurisdiction rule,
[result given in figure]
The above discussion proves the stated goals using the BAN logic, and it also shows that the proposed protocol achieves mutual authentication and session key agreement between Ui and Sj.
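As an added example (not from the paper), the following Python encodes the postulates used above as rewrite rules and closes the server's initial beliefs under them for Message 1, reproducing the keyed-hash part of R1 through to R3 and a jurisdiction step; the three assumptions it starts from are my reading of the paper's assumption list (whose numbering is in a figure) and are labelled as constructed.

```python
"""Tiny BAN-logic derivation engine (added example; not the paper's code).

Formulas are nested tuples and atoms are strings:
  ("believes", P, X)   P |≡ X           ("sees", P, X)       P ◁ X
  ("said", P, X)       P |~ X           ("controls", P, X)   P has jurisdiction over X
  ("fresh", X)         #(X)             ("shares", P, Q, K)  P and Q share the key K
  ("enc", X, K)        {X}_K            ("hashed", X, K)     (X)_K, X hashed with key K
  ("conj", X, Y, ...)  the statement (X, Y, ...)
"""


def conj_parts(x):
    """Components of a conjunction; anything else is its own single part."""
    return x[1:] if isinstance(x, tuple) and x[0] == "conj" else (x,)


def step(facts):
    """Apply each postulate once; return the formulas not already in `facts`."""
    new = set()
    bel = [f for f in facts if f[0] == "believes"]
    sees = [f for f in facts if f[0] == "sees"]
    # Seeing rule: P ◁ (X, Y)  ⊢  P ◁ X and P ◁ Y
    for _, p, x in sees:
        for part in conj_parts(x):
            new.add(("sees", p, part))
    # Message-meaning rule (shared key): P |≡ P shares K with Q, P ◁ {X}_K  ⊢  P |≡ Q |~ X.
    # The keyed hash (X)_K is treated like {X}_K, as the paper does when deriving R2.
    for _, p, s in bel:
        if s[0] != "shares":
            continue
        _, a, b, k = s
        q = b if a == p else a
        for _, p2, x in sees:
            if p2 == p and x[0] in ("enc", "hashed") and x[2] == k:
                new.add(("believes", p, ("said", q, x[1])))
    # Freshness rule: P |≡ #(X)  ⊢  P |≡ #((X, Y)), for conjunctions P believes were said
    for _, p, s in bel:
        if s[0] == "said" and s[2][0] == "conj":
            if any(("believes", p, ("fresh", t)) in facts for t in conj_parts(s[2])):
                new.add(("believes", p, ("fresh", s[2])))
    # Nonce-verification rule: P |≡ #(X), P |≡ Q |~ X  ⊢  P |≡ Q |≡ X
    for _, p, s in bel:
        if s[0] == "said" and ("believes", p, ("fresh", s[2])) in facts:
            new.add(("believes", p, ("believes", s[1], s[2])))
    # Belief rule: P |≡ (X, Y) ⊢ P |≡ X,  and  P |≡ Q |≡ (X, Y) ⊢ P |≡ Q |≡ X
    for _, p, s in bel:
        if s[0] == "conj":
            for part in s[1:]:
                new.add(("believes", p, part))
        if s[0] == "believes" and s[2][0] == "conj":
            for part in s[2][1:]:
                new.add(("believes", p, ("believes", s[1], part)))
    # Jurisdiction rule: P |≡ Q controls X, P |≡ Q |≡ X  ⊢  P |≡ X
    for _, p, s in bel:
        if s[0] == "controls" and ("believes", p, ("believes", s[1], s[2])) in facts:
            new.add(("believes", p, s[2]))
    return new - facts


def derive(assumptions, messages):
    """Close the assumptions and the seen messages under the postulates (fixed point)."""
    facts = set(assumptions) | set(messages)
    while True:
        new = step(facts)
        if not new:
            return facts
        facts |= new


# Idealized Message 1 as in R1:  Sj ◁ <{IDi}_Qd, A2i, ({T1, A2i})_CIDi, T1>
MESSAGE_1 = ("sees", "Sj", ("conj", ("enc", "IDi", "Qd"), "A2i",
                            ("hashed", ("conj", "T1", "A2i"), "CIDi"), "T1"))

# Constructed initial beliefs of the server (my reading of the paper's assumption figure):
ASSUMPTIONS = {
    ("believes", "Sj", ("shares", "Ui", "Sj", "CIDi")),  # CIDi is the key shared with Ui
    ("believes", "Sj", ("fresh", "T1")),                 # the timestamp T1 is fresh
    ("believes", "Sj", ("controls", "Ui", "A2i")),       # Ui has jurisdiction over its A2i
}


def analyze_message_1():
    """Return every formula Sj can derive after receiving Message 1."""
    return derive(ASSUMPTIONS, [MESSAGE_1])


if __name__ == "__main__":
    for f in sorted(analyze_message_1(), key=repr):
        if f[0] == "believes" and f not in ASSUMPTIONS:
            print(f)
```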
8. Simulation of Proposed Scheme using AVISPA Tool
We first briefly describe the AVISPA tool and then give the basic specification and the simulation results of the proposed scheme.
- 8.1 Brief Description of AVISPA Tool
The Automated Validation of Internet Security Protocols and Applications (AVISPA) [33] is a freeware tool for the formal security verification of security protocols, which checks whether a given protocol is SAFE or UNSAFE. The basic architecture of the AVISPA tool is shown in Fig. 3.
Fig. 3. Basic Architecture of AVISPA Tool
AVISPA uses a role-oriented specification language and is based on the Dolev-Yao [34] intruder model, in which each participant plays a role during the protocol execution. It implements four different back-ends and abstraction-based methods, called the On-the-fly Model-Checker (OFMC), the Constraint-Logic-based Attack Searcher (CL-AtSe), the SAT-based Model-Checker (SATMC), and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). Based on these four back-ends, the output format (OF) is generated; on successful execution the OF reports whether the protocol is safe or unsafe and under what conditions the result was obtained. The specification of the protocol to be evaluated is written in the High Level Protocol Specification Language (HLPSL) and translated by the hlpsl2if translator into the Intermediate Format (IF), a lower-level language that can be read directly by the back-ends of the AVISPA tool. To analyze a given cryptographic protocol with AVISPA, the following steps are executed:
  • Step 1. The protocol is coded in the role-based HLPSL specification, which describes each participant's basic role and the composition roles that represent scenarios of basic roles.
  • Step 2. Using the translator hlpsl2if, the code is translated into the Intermediate Format (IF), which contains information on the IF syntax for the back-ends, the description of the mathematical properties of operators (e.g., exponentiation, bit-wise XOR, etc.), and the intruder's behavior.
  • Step 3. The IF specification is given to the back-ends of the AVISPA tool to analyze whether there are any active or passive attacks.
- 8.2 Brief Specification of Proposed Scheme
To validate and examine the security properties of our proposed scheme, we implement it in the HLPSL language of the AVISPA tool. The role specifications of the user Ui and the server Sj are given in Figs. 4 and 5, respectively. The proposed scheme is analyzed in the OFMC and CL-AtSe back-ends, and the corresponding results are given in Figs. 7 and 8. These simulation results show that the proposed scheme indeed gives strong security assurance against both passive and active attacks. The type declaration channel(dy) means that the channel follows the Dolev-Yao threat model [34]. Bilinear, Product, Subtract, Add, Mul, and H represent the bilinear operation, scalar point multiplication, point subtraction, point addition, scalar multiplication, and the hash function, respectively.
Fig. 4. Role specification in HLPSL for user Ui of our scheme
Fig. 5. Role specification in HLPSL for the server Sj of our scheme
In Fig. 4, we present the role of the user Ui. Here, transition 1 starts with the registration of the user. For this, Ui initially sends the registration message Snd(IDi'.PBi'.Pi') to the server Sj through a secure channel using the Snd() operation and the symmetric key SK1. The declaration secret({IDi}, subs1, {Ui,Sj}) specifies that IDi is known to the user and the server only, whereas secret({PWi, Bi, Ri}, subs2, Ui) specifies that PWi, Bi and Ri are known only to the user Ui. In transition 2, the user Ui securely receives the smart card information Rcv({HPWi.A1i.G.Qd.Pi}_SK1) using the Rcv() operation, and generates a random nonce Ru' and a timestamp T1' using the new() operation. The user Ui then sends Snd(NIDi,A2i,T1,H(A3i)) to the server Sj through a public channel.
The declaration witness(Ui,Sj,user_server,Ru') indicates that the user Ui freshly generated the value Ru' for Sj, and the declaration request(Ui,Sj,user_server,Ru') means that Sj authenticates the user Ui. Furthermore, the declaration secret({Ru'},subs3,{Ui}) says that the random number Ru' is known only to Ui, and the declaration secret({A3i},subs4,{Ui,Sj}) says that A3i is known to Ui and Sj only. Transition 3 describes the authentication phase: the user Ui receives Rcv(SIDj,B1,B3,T3) through a public channel and then computes the session key SK' := H(CIDi.Product(SIDj,Product(Ru,Qd)).Product(T3,B2)) of the protocol.
In Fig. 5, we present the role of the server Sj. In transition 1, Sj chooses a generator G, generates its own secret D' using the new() operation, and computes the public key Qd = Product(D.G). In transition 2, Sj securely receives Rcv({IDi'.PBi'.Pi'}_SK1) from the user Ui as the registration request. After computing the smart card parameters, Sj securely sends Snd({HPWi.A1i.G.Qd.Pi}_SK1) to the user Ui. The declaration secret({D},subs5,{Sj}) shows that D is known only to Sj.
In transition 3, Sj receives (NIDi,A2i,T1,H(A3i)) from the user Ui through a public channel. After computing the secret values, it generates a random number Rs' and a timestamp T3' with the help of the new() operation. Sj then computes the authentication message and sends Snd(SIDj,B1',B3',T3') to the user Ui through a public channel. Here, the declaration secret({Rs'},subs6,{Sj}) says that the parameter Rs' is known only to Sj. Moreover, witness(Sj,Ui,server_user,Rs') shows that Sj freshly generates Rs' for the user Ui, and request(Ui,Sj,server_user,Rs) shows that Sj authenticates Ui.
In Fig. 6, we present the role for the session, together with the roles for the goal and the environment. In the session role, all the basic roles, including those of Ui and Sj, are instantiated with actual arguments. The environment role contains the global constants and the composition of one or more sessions. The intruder knowledge is also given in this role; all the messages transmitted between the entities and the smart card parameters are provided in it. To verify that the protocol is SAFE, seven secrecy goals and two authentication goals are specified between goal and end goal, to be verified in the environment role, as follows:
Fig. 6. Role specification in HLPSL for the session and environment of our scheme
Security Goals
  • 1. The secrecy_of subs1 represents that IDi is kept secret to {Ui, Sj} only.
  • 2. The secrecy_of subs2 represents that {PWi, Bi, Ri} is known only to Ui.
  • 3. The secrecy_of subs3 represents that the random Ru of the Ui is kept secret to {Ui} only.
  • 4. The secrecy_of subs4 represents that the parameter A3i is known only to {Ui, Sj}.
  • 5. The secrecy_of subs5 represents that the secret parameter D is known only to Sj.
  • 6. The secrecy_of subs6 represents that the random number (Rs) generated by Sj is known only to Sj.
  • 7. The secrecy_of subs7 represents that the parameter B3 is known to {Ui, Sj} only.
Authentication goal
  • 1. The authentication_on user_server_ru represents that Ui generates a random number ru and, if Sj receives it securely through the message, Sj then authenticates Ui.
  • 2. The authentication_on server_user_rs represents that Sj generates a random number rs and, if Ui receives it securely through the message, Ui then authenticates Sj.
- 8.3 Simulation Results
The simulation results of the formal security verification of our scheme using the OFMC and CL-AtSe back-ends are shown in Figs. 7 and 8, respectively. It is clear from the SUMMARY of the results under the OFMC and CL-AtSe back-ends (Figs. 7 and 8) that our method is SAFE. As a result, our scheme is secure against passive and active attacks such as the replay and man-in-the-middle attacks.
Fig. 7. Simulation result for OFMC back-end
Fig. 8. Simulation result for CL-AtSe back-end
9. Performance Analysis
In this section, we present a comparative study of our scheme along with other related schemes. The measures of our comparison are the communication cost (refer Fig. 9), the computation cost (refer Table 2), and the security features (refer Table 3).
Fig. 9. Graphical representation of communication cost of various schemes
Table 2. Computational cost in Login and Authentication phases of various schemes
Table 3. Security Features of Various Schemes
Here, Y = Yes, N = No, - = Not Applicable
For 163-bit elliptic curve cryptosystems and the 1024-bit RSA security level, one scalar multiplication of an elliptic curve point is roughly 5–15 times as fast as an RSA signing operation, depending on the optimization and platform [23]. Also, one MD5/SHA operation is roughly 10 times as fast as one DES encryption/decryption operation, and one DES encryption/decryption operation is roughly 1000 times as fast as a 1024-bit RSA signing operation. For a fair comparison, we assume that identities can be represented with 32 bits, the size of a timestamp is 32 bits, a point on an elliptic curve can be represented with 163 × 2 = 326 bits, the output size of the secure one-way hash function is 160 bits, the size of a random number is 64 bits, and the size of an exponentiation result is 1024 bits. Thus, the communication cost of our scheme is 326 + 326 + 32 + 160 + 32 + 326 + 160 + 32 = 1394 bits (refer Fig. 9). Our scheme needs much lower communication cost than the schemes [8, 22], since we use ECC to compute the authentication messages; ECC messages take fewer bits than RSA-based ones, which carry 1024-bit exponentiation results. However, our scheme has a higher cost than the schemes [9, 10, 13, 17, 21], since those schemes do not consider attacks such as the replay attack, insider attack, forward secrecy attack, and denial of service attack. Moreover, the schemes [9, 13] do not provide mutual authentication between a user and the server (refer Table 3). In authentication schemes, security is of prime concern; therefore, paying a little more cost for gaining more security is justifiable.
In Table 2, we present the computational cost of our scheme along with other related schemes [8-10, 13, 17, 18, 20-22]. Here, PM, PA, H, C, BP, EN, X and E represent the time complexity of point multiplication on the elliptic curve, point addition on the elliptic curve, the hash function, concatenation, the pairing operation, encryption/decryption, the XOR operation and exponentiation, respectively.
In Table 3, we present a comparative study of the security features of our scheme and other related schemes. As is evident from Table 3, our scheme provides the most security features among the schemes under consideration. We can also see that the schemes with the same security features in Table 3 [8, 22] incur much higher communication cost (refer Fig. 9) to achieve these security goals, which makes our scheme better than the other schemes.
10. Conclusion
In this paper, we have presented a new remote login authentication scheme using the bilinear property of an elliptic point and fingerprints, which achieves various security goals and requirements. In this scheme, the user and the server authenticate each other to enhance security. A user can choose and change his password at any time, whenever he wishes. No communication cost is wasted in our scheme if a wrong password is entered, and communication cost is also saved during the password change phase. Using elliptic point computation makes the scheme fast, as it needs fewer bits than exponentiation. The bilinear property, the use of biometrics, and the design of the algorithm make it very secure. It is suitable for applications where high security is required.
BIO
Shipra Kumari is currently working as a Research Scholar in the Department of Computer Science & Engineering at Indian School of Mines, Dhanbad, India. She received her Bachelor in Computer Applications and Master in Computer Applications from Indira Gandhi National Open University, New Delhi. Her research interests include Cryptography and Network Security.
Hari Om is presently working as an Assistant Professor in the Department of Computer Science & Engineering at Indian School of Mines, Dhanbad, India. He did his Ph.D. in Computer Science from Jawaharlal Nehru University, New Delhi, M.Tech. in Computer Science & Engineering from Kurukshetra University, Kurukshetra (Haryana), and M.Sc. in Mathematics from Institute of Basic Sciences, Khandari, Dr. B. R. Ambedkar University, Agra. He has contributed more than a hundred research papers to several International and National journals, including IEEE Transactions, and to conference proceedings of high repute. He is a life member of the Indian Society for Technical Education, Indian Mathematical Society, Indian Society of Mathematics and Mathematical Sciences, and Cryptology Research Society of India, and a member of the Institute of Electronics and Telecommunication Engineers, IEEE, ACM, and IEICE. His main research interests include Cryptography, Data Mining, Network Security, and Image Processing.
References
[1] L. Lamport, "Password authentication with insecure communication," Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981. DOI: 10.1145/358790.358797
[2] C. T. Li and M. S. Hwang, "An efficient biometrics-based remote user authentication scheme using smart cards," Journal of Network and Computer Applications, vol. 33, no. 1, pp. 1–5, 2010. DOI: 10.1016/j.jnca.2009.08.001
[3] A. Das, "Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards," IET Information Security, vol. 5, no. 3, pp. 145–151, 2011. DOI: 10.1049/iet-ifs.2010.0125
[4] C. C. Lee, R. X. Chang, and L. A. Chen, "Improvement of Li-Hwang's biometrics-based remote user authentication scheme using smart cards," WSEAS Transactions on Communications, vol. 10, no. 7, pp. 193–200, 2011.
[5] Y. An, "Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards," BioMed Research International, 2012.
[6] S. Kumari, M. K. Khan, and X. Li, "An improved remote user authentication scheme with key agreement," Computers and Electrical Engineering, vol. 40, no. 6, pp. 1997–2012, 2014. DOI: 10.1016/j.compeleceng.2014.05.007
[7] X. Li, J. Niu, Z. Wang, and C. Chen, "Applying biometrics to design three-factor remote user authentication scheme with key agreement," Security and Communication Networks, 2013.
[8] A. Chaturvedi, D. Mishra, and S. Mukhopadhyay, "Improved biometric-based three-factor remote user authentication scheme with key agreement using smart card," Lecture Notes in Computer Science, vol. 8303, pp. 63–77, 2013.
[9] M. L. Das, A. Saxena, V. P. Gulati, and D. B. Phatak, "A novel remote client authentication protocol using bilinear pairings," Computers & Security, vol. 25, no. 3, pp. 184–189, 2006. DOI: 10.1016/j.cose.2005.09.002
[10] W. S. Juang and W. K. Nien, "Efficient password authenticated key agreement using bilinear pairings," Mathematical and Computer Modelling, Elsevier, vol. 47, no. 11-12, pp. 1238–1245, 2006. DOI: 10.1016/j.mcm.2007.08.001
[11] G. Fang and G. Huang, "Improvement of recently proposed remote user authentication schemes," http://eprint.iacr.org/2006/200.pdf
[12] D. Giri and P. D. Srivastava, "An improved remote user authentication scheme with smart card using bilinear pairings," http://eprint.iacr.org/2006/274.pdf
[13] A. K. Awasthi, "An improved remote user authentication scheme with smart cards using bilinear pairings," International Journal of Applied Mathematics and Computation, vol. 4, no. 4, pp. 382–389, 2012.
[14] E. J. Yoon, Y. N. Shin, I. S. Jeon, and K. Y. Yoo, "Robust mutual authentication with a key agreement scheme for the session initiation protocol," IETE Technical Review, vol. 27, no. 3, pp. 203–213, 2010. DOI: 10.4103/0256-4602.62780
[15] Q. Xie, "A new authenticated key agreement for session initiation protocol," International Journal of Communication Systems, vol. 25, no. 1, pp. 47–54, 2012. DOI: 10.1002/dac.1286
[16] M. S. Farash and M. A. Attari, "An enhanced authenticated key agreement for session initiation protocol," Information Technology and Control, vol. 42, no. 4, pp. 333–342, 2013. DOI: 10.5755/j01.itc.42.4.2496
[17] Z. Zhang, Q. Qi, N. Kumar, N. Chilamkurti, and H. Y. Jeong, "A secure authentication scheme with anonymity for session initiation protocol using elliptic curve cryptography," Multimedia Tools and Applications, Springer, 2014.
[18] S. H. Islam and G. P. Biswas, "Design of improved password authentication and update scheme based on elliptic curve cryptography," Mathematical and Computer Modelling, Elsevier, vol. 57, no. 11-12, pp. 2703–2717, 2013. DOI: 10.1016/j.mcm.2011.07.001
[19] T. Li, "A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card," IET Information Security, vol. 7, no. 1, pp. 3–10, 2013. DOI: 10.1049/iet-ifs.2012.0058
[20] C. Lee, C. T. Li, C. Y. Weng, J. J. Jheng, X. Q. Zhu, and Y. R. Zhang, "Cryptanalysis and improvement of an ECC-based password authentication scheme using smart cards," Lecture Notes in Computer Science, Springer, vol. 8300, pp. 338–348, 2013.
[21] H. B. Tang, X. S. Liu, and L. Jiang, "A robust and efficient timestamp-based remote user authentication scheme with smart card lost attack resistance," International Journal of Network Security, vol. 15, no. 6, pp. 426–434, 2013.
[22] M. Karuppiah and R. Saravanan, "A secure remote user mutual authentication scheme using smart cards," Journal of Information Security and Applications, Elsevier, vol. 19, no. 11, pp. 282–294, 2014. DOI: 10.1016/j.jisa.2014.09.006
[23] K. Lauter, "The advantages of elliptic curve cryptography for wireless security," IEEE Wireless Communications, vol. 11, no. 1, pp. 62–67, 2004. DOI: 10.1109/MWC.2004.1269719
[24] Y. Dodis, L. Reyzin, and A. Smith, "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," Advances in Cryptology - EUROCRYPT 2004, Springer, Berlin Heidelberg, 2004.
[25] X. Boyen, "Reusable cryptographic fuzzy extractors," Proceedings of the 11th ACM Conference on Computer and Communications Security, ACM, 2004.
[26] M. Burrows, M. Abadi, and R. Needham, "A logic of authentication," ACM Transactions on Computer Systems, vol. 8, pp. 18–36, 1990. DOI: 10.1145/77648.77649
[27] Y. F. Chang, S. H. Yu, and D. R. Shiao, "A uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care," Journal of Medical Systems, vol. 37, no. 2, p. 9902, 2013. DOI: 10.1007/s10916-012-9902-7
[28] F. Wen and X. Li, "An improved dynamic ID-based remote user authentication with key agreement scheme," Computers & Electrical Engineering, vol. 38, no. 2, pp. 381–387, 2012. DOI: 10.1016/j.compeleceng.2011.11.010
[29] A. Juels and M. Sudan, "A fuzzy vault scheme," Designs, Codes and Cryptography, vol. 38, no. 2, pp. 237–257, 2006. DOI: 10.1007/s10623-005-6343-z
[30] A. Juels and M. Wattenberg, "A fuzzy commitment scheme," Proceedings of the 6th ACM Conference on Computer and Communications Security, pp. 28–36, 1999.
[31] Li, J. Hu, J. Pieprzyk, and W. Susilo, "A new biocryptosystem-oriented security analysis framework and implementation of multibiometric cryptosystems based on decision level fusion," IEEE Transactions on Information Forensics and Security, vol. 10, no. 6, pp. 1193–1206, 2015. DOI: 10.1109/TIFS.2015.2402593
[32] K. Xi, T. Ahmad, F. Han, and J. Hu, "A fingerprint based bio-cryptographic security protocol designed for client/server authentication in mobile computing environment," Security and Communication Networks, vol. 4, no. 5, pp. 487–499, 2011. DOI: 10.1002/sec.225
[33] AVISPA: Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/
[34] D. Dolev and A. C. Yao, "On the security of public key protocols," IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983. DOI: 10.1109/TIT.1983.1056650