An Improved Biometrics-Based Remote User Authentication Scheme with User Anonymity

The authors review the biometrics-based user authentication scheme proposed by An in 2012. The authors show that there exist loopholes in the scheme which are detrimental to its security. Therefore the authors propose an improved scheme eradicating the flaws of An's scheme. Then a detailed security analysis of the proposed scheme is presented, followed by its efficiency comparison. The proposed scheme not only withstands the security problems found in An's scheme but also provides some extra features with the addition of only two hash operations. The proposed scheme allows the user to freely change his password and also provides user anonymity with untraceability.


Introduction
In the last two decades, digital authentication has emerged as a preferred method to authenticate remote users over insecure networks. After the first proposal of a user authentication scheme by Lamport [1], a considerable amount of research has been conducted in this field, of which the schemes  are a few examples. In due course of time user authentication schemes underwent many changes. Initial schemes were based only on passwords [1][2][3][4]; then schemes were based on a smart card and password [5][6][7][8][9][10][11][12][13]; and the reliability of biometrics authentication over traditional password-based authentication gave rise to biometrics-based user authentication schemes [14][15][16][17][18][19][20].
In 2010, Li and Hwang [19] proposed a biometrics-based user authentication scheme. In 2011, Das [26] examined Li-Hwang's scheme and observed problems in the login and authentication phase, in the password change phase, and in the biometrics verification mechanism of the scheme. Das showed that the user's smart card does not validate the inputted password during the login phase, which leads to useless computations in the login and authentication phase. Owing to the same reason, Das further showed that the scheme suffers from an incorrect password updating problem. Thus, Das proposed an improvement [26] of Li-Hwang's scheme and claimed their scheme to be free from the problems observed in Li-Hwang's scheme. According to Das, their scheme [26] also provides mutual authentication. In 2012, An [27] pointed out that Das's scheme [26] deviates from the author's claim, since an adversary can mount impersonation attacks and a password guessing attack once he gets a chance to extract values from the smart card of the legal user. Therefore An [27] proposed an enhanced scheme to eradicate the flaws of Das's scheme.
In this paper, we review An's biometrics-based user authentication scheme. We show that An's scheme is vulnerable to the same security problems to which Das's scheme is susceptible, namely online and offline password guessing attacks, user and server impersonation attacks, lack of mutual authentication, and lack of user anonymity. Besides, An's scheme lacks a password change facility, which is an important part of password-based user authentication schemes. We remove the drawbacks of An's scheme by proposing an improved user authentication scheme. In addition to resisting various security threats, the proposed scheme incorporates the features of password changing and user anonymity. The rest of this paper is arranged as follows. In Section 2, we review An's user authentication scheme. Section 3 is about cryptanalysis of An's scheme. In Section 4, we present our improved scheme. Section 5 is about security analysis of the improved scheme. In Section 6, we compare the improved scheme with related schemes. Finally, the conclusion is presented in Section 7.

Review of An's Scheme
The notations used in this paper are summarized along with their description in Table 1. In this section, we review An's scheme [27], which is an enhanced version of Das's scheme [26]. It has three phases: registration phase, login phase and authentication phase. The registration phase is carried out over a secure channel, whereas the login phase and authentication phase are carried out over an insecure channel. There are three participants in the scheme, the user ( ), the server ( ), and the registration centre ( ), where is assumed to be a trusted party. Details of each phase are given in the following subsections.

Registration Phase.
At the beginning of the scheme, the registration centre and the user carry out this phase involving the following steps. (1) submits his identity ID and information (PW ⊕ ) containing the password to via a secure channel. also submits information ( ⊕ ) containing his biometrics via the specific device to ; here is a random number chosen by .

Login Phase.
When the user wishes to log in to the server , the user and his smart card SC perform the following steps.
(1) inserts his smart card into a card reader and inputs his biometrics information on the specific device. SC computes ℎ( ⊕ ) and verifies if = ℎ( ⊕ ) or not. If this biometrics information matches, passes the biometrics verification. (2) inputs his ID and PW ; then SC generates a random number and computes the following equations: (3) sends the login request = {ID , 2 , 3 } to .

Authentication Phase.
On receiving the login request = {ID , 2 , 3 } from , the server and the user perform the following steps to authenticate each other.
(2) checks if 3 = ℎ( 4 ‖ 5 ) or not. If both are equal, it generates a random number and computes the following equations: Then, sends the reply message = { 6 , 7 } for its authentication to .

Cryptanalysis of An's Scheme
This section is about security problems in An's scheme. Here we show that an attacker can mount different types of attacks on the scheme. Independent research by Kocher and Messerges [28,29] shows that it is possible to extract the values stored inside a smart card. So we assume that can extract the parameters stored inside a user's smart card.

Online Password Guessing Attack.
If obtains the smart card SC of user and extracts [28,29] the values {ID , , , , ℎ(⋅)} stored inside it, then he can mount an online password guessing attack as explained below.
(3) If does not receive any response from , then he repeats step (2) with some other guess for the user's password. But if receives a response message from , then it implies that his guessed password PW is correct.

Offline Password Guessing Attack.
In the scheme, can easily identify the login request corresponding to a smart card, since both contain the identity of user . If extracts [28,29] (1) computes (2) guesses PW as the user's possible password and computes 1 = [ ⊕ ] ⊕ ℎ(PW ⊕ ).

User Impersonation Attack.
As just discussed in the previous subsections, can guess a user's password if he obtains the smart card of user . It is noticeable that the successful process of password guessing (in an online or offline manner) also yields 1 = ℎ(ID ‖ ). In fact, ℎ(ID ‖ ) is the key value required to compute a valid login request or valid reply messages. Further, has easy access to the user's identity ID from SC = {ID , , , , ℎ(⋅)} or from the login request = {ID , 2 , 3 } of . Having ℎ(ID ‖ ) and ID in hand, can impersonate the user as explained below.
(1) generates a random number in his system and computes Then sends the login request = {ID , 2 , 3 } to .
(2) On receiving {ID , 2 , 3 }, the server first checks the format of ID . Clearly, would proceed further because ID is the identity of a legitimate registered user and hence it is in a valid format. (3) computes 4 = ℎ(ID ‖ ) and 5 = 2 ⊕ 4 and checks if 3 = ℎ( 4 ‖ 5 ); clearly it would hold. Therefore believes that the login request = {ID , 2 , 3 } is from the legitimate user.

Server Impersonation Attack.
can easily impersonate the legal server to cheat the user whose information {ID and 1 = ℎ(ID ‖ )} he possesses, as described in Section 3.3. To masquerade as , the attacker proceeds in the following manner. (1) can easily recognize the login request = {ID , 2 , 3 } of transmitted over the open channel, as he possesses the identity ID of . So when sends his login request = {ID , 2 , 3 } to , the attacker intercepts it and blocks it from reaching . (2) first obtains the random number by computing 5 = 2 ⊕ 1 . Next, he generates a random number in his system and computes 6 = 1 ⊕ and 7 = ℎ( 1 ‖ ). Then transmits the reply message { 6 , 7 } to .
(3) On receiving { 6 , 7 }, the user first obtains the random number by computing 8 = 6 ⊕ 1 , where 1 = ℎ(ID ‖ ). Next, he checks if 7 = ℎ( 1 ‖ 8 ) or not. Clearly, this equivalence will hold and hence will believe that he is communicating with the intended server. However, it is the clever attacker who is deceiving .

Lack of Mutual Authentication.
Like Das's scheme [26], the enhanced scheme by An also fails to resist user impersonation attack and server impersonation attack as described in Sections 3.3 and 3.4. In fact, if extracts values {ID , , , , ℎ(⋅)} from the smart card SC of user and successfully obtains the secret value ℎ(ID ‖ ), then he can easily craft valid login request and reply messages so as to deceive the legal user or the legal server. Therefore, the scheme loses the mutual authentication feature.
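To make the observation of Sections 3.3 to 3.5 concrete, the following added example (not code from the paper) models the login and authentication checks of An's scheme exactly as the review states them: the server computes M4 = h(ID ‖ x) and M5 = M2 ⊕ M4 and accepts iff M3 = h(M4 ‖ M5); the user computes M8 = M6 ⊕ M1 and accepts iff M7 = h(M1 ‖ M8). SHA-256 stands in for the unspecified h(⋅), and `x`, `r_u`, `r_s` and the identity `alice` are assumed names and constructed values. Running it shows that both verifications reduce to possession of the single static value M1 = h(ID ‖ x), which is why mutual authentication collapses once that value is recovered from a card.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) of the scheme; concatenation models '||'.
    SHA-256 is an assumption; the paper leaves the hash unspecified."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def m1_for(identity: bytes, x: bytes) -> bytes:
    # M1 = h(ID || x): the long-term value every check below depends on.
    return h(identity, x)


def build_login(identity: bytes, m1: bytes) -> dict:
    # Login request {ID, M2, M3} with M2 = M1 xor R_u and M3 = h(M1 || R_u).
    # Note that only M1 is needed; no password or biometric enters here.
    r_u = secrets.token_bytes(32)
    return {"ID": identity, "M2": xor(m1, r_u), "M3": h(m1, r_u)}


def server_check(req: dict, x: bytes) -> bool:
    # Server step (2): M4 = h(ID || x), M5 = M2 xor M4, accept iff M3 == h(M4 || M5).
    m4 = h(req["ID"], x)
    m5 = xor(req["M2"], m4)
    return req["M3"] == h(m4, m5)


def build_reply(m1: bytes) -> dict:
    # Reply {M6, M7} with M6 = M1 xor R_s and M7 = h(M1 || R_s); again only M1 is used.
    r_s = secrets.token_bytes(32)
    return {"M6": xor(m1, r_s), "M7": h(m1, r_s)}


def user_check(reply: dict, m1: bytes) -> bool:
    # User step (3): M8 = M6 xor M1, accept iff M7 == h(M1 || M8).
    m8 = xor(reply["M6"], m1)
    return reply["M7"] == h(m1, m8)


def checks_reduce_to_m1(identity: bytes, x: bytes) -> dict:
    """Both directions accept any holder of M1 and reject anyone without it,
    so the protocol messages authenticate possession of M1, not the user."""
    m1 = m1_for(identity, x)
    wrong = h(b"some-other-value")  # a party that does not hold M1
    return {
        "server_accepts_with_m1": server_check(build_login(identity, m1), x),
        "server_rejects_without_m1": not server_check(build_login(identity, wrong), x),
        "user_accepts_with_m1": user_check(build_reply(m1), m1),
        "user_rejects_without_m1": not user_check(build_reply(wrong), m1),
    }


if __name__ == "__main__":
    # Constructed server secret and identity (assumed names).
    print(checks_reduce_to_m1(b"alice", secrets.token_bytes(32)))
```

The defender's reading: a "mutual" check in which every message on both sides is a function of one static value that a card-extraction attack can recover is a shared-secret check, not a binding of the session to the user's password or biometrics.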
Lack of User Anonymity.
In An's scheme, sends {ID , 2 , 3 } as his login request to through an insecure channel. The user's identity ID is openly available if an attacker intercepts the login request of from the open channel. Moreover, the identity ID is also stored inside the user's smart card SC . Having ID in hand, it is easy for to craft threats against . Worse still, may be able to compromise the user's biometrics information, which would result in serious consequences. Thus, the scheme does not provide user anonymity.

The Proposed Scheme
In this section, we propose a new user authentication scheme which is an improvement of An's scheme. In addition to resisting the security problems found in An's scheme, it also provides a password change phase with which the user can change his password at will. It has four phases: registration phase, login phase, authentication phase and password change phase. The registration phase and password change phase are carried out over a secure channel, whereas the login phase and authentication phase are carried out over an insecure channel. It also consists of three participants, the user ( ), the server ( ), and the registration centre ( ). In the proposed scheme, the server maintains two secret keys and . Details of each phase, along with Figure 1, are given in the following.

Registration Phase.
Before starting the scheme, the registration centre and the user carry out this phase involving the following steps. (1) submits his identity ID and information (PW ⊕ ) containing the password to via a secure channel. also submits information ( ⊕ ) containing his biometrics via a specific device to ; here is a random number chosen by .

Login Phase.
When the user wishes to log in to the server , the user and his smart card SC perform the following steps.
(1) inserts his smart card into a card reader, keys in his identity ID , and password PW and inputs his biometrics information on the specific device.
(2) SC retrieves ← (ID ‖ PW ) ⊕ and ← (ID ‖ PW ) ⊕ . It then checks if = ℎ( ⊕ ) or not. If this biometrics information matches, passes the biometrics verification; otherwise SC terminates the session. This process also verifies the correctness of the inserted ID and PW .

Authentication Phase.
On receiving the login request = { 3 , 4 , 5 } from , the server and the user perform the following steps to authenticate each other.
(3) On receiving { 9 , 10 } from , the user computes 11 = 9 ⊕ 2 (which is indeed ). It then checks if 10 = ℎ( 2 ‖ 11 ) or not. If both are equal, . Then sends the reply message { 12 } for its authentication to .

(1) inserts his smart card into a card reader, keys in his identity ID , and password PW and inputs his biometrics information on the specific device.

Security Analysis of the Proposed Scheme
In this section, we analyze the security of the proposed scheme. We show that the scheme remains unaffected even if an attacker extracts [28,29] all the values stored inside a user's smart card.

Online Password Guessing Attack.
On having access to the user's smart card SC , an attacker can extract [28,29] all values { , , , , ℎ(⋅)} from it. In order to compute ⊕ But cannot compute a forged 2a (= ℎ(ID ‖ )) = [ ⊕ ⊕ ] ⊕ ℎ(PW ⊕ ) using a guessed password PW because it requires knowledge of . It is troublesome for to obtain because is not stored in plaintext inside the user's smart card but is stored securely in = (ID ‖ PW ) ⊕ . Further, cannot obtain from without knowing ID and the password PW . Besides, cannot compute 1 (= ℎ( ‖ )) = ( ⊕ ) as he does not have access to . Moreover, does not have the ID of , as ID is not stored in plaintext inside the user's smart card. Thus, cannot compute a login request { 3 , 4 , 5 } in a way so as to guess the user's password in an online manner. Hence, the proposed scheme withstands the online password guessing attack.

Offline Password Guessing Attack.
Suppose obtains the smart card of some user. Though can intercept the login message of any user from the open channel, he cannot relate a user's smart card with its corresponding login request. This is due to the fact that, unlike An's scheme, in the proposed scheme the user's identity in plaintext is neither stored inside the user's smart card nor transmitted in the login request. As a result, cannot combine values extracted from a user's smart card with values of the corresponding login request to guess the user's password in an offline manner. Even if we consider the situation that somehow happens to get the correct combination of a user's smart card and login request, we show that still cannot mount an offline password guessing attack. To guess the password of and then verify the guess, can use 5 = ℎ( 2 ‖ ) provided that he possesses the values {[ℎ(ID ‖ ) ⊕ ℎ(PW ⊕ ) ⊕ ], and } in hand. As explained in Section 5.1, can obtain [ℎ(ID ‖ ) ⊕ ℎ(PW ⊕ ) ⊕ ] using { , and } extracted [28,29] from SC , but he cannot obtain the random number . Besides, cannot obtain the random number using 3 = 1 ⊕ without having 1 (= ℎ( ‖ )), and he fails to obtain 1 (= ℎ( ‖ )) as discussed in Section 5.1. Thus an attacker cannot guess the user's password in an offline manner.

User Impersonation and Server Impersonation Attack.
To impersonate a legal user, should possess 1 = ℎ( ‖ ) and 2 = ℎ(ID ‖ ); otherwise he cannot compute a valid login request { 3 , 4 , 5 } or a valid reply message { 12 }. The value ℎ(ID ‖ ) is equally important if wishes to masquerade as the legal server. Unlike An's scheme, in the proposed scheme is not able to obtain 2 (= password. This is due to the fact that password guessing is not feasible, as explained in Sections 5.1 and 5.2. Moreover, cannot obtain 1 = ℎ( ‖ ) (i) from 3 = 1 ⊕ obtained by intercepting the login request of , because of not having the random number , and (ii) from = ℎ( ‖ ) ⊕ extracted from the user's smart card, without knowing . Thus, the proposed scheme resists impersonation attacks.

Supporting Mutual Authentication.
The success of mutual authentication in the proposed scheme follows directly from resistance against user impersonation attack and server impersonation attack, as described in Section 5.3. In fact, faces many hurdles in acting as a legal user or a legal server: (i) the secret keys and maintained by the server are unknown to , and (ii) has no access to the identity ID of user . As a result, cannot compute ℎ( ‖ ) and ℎ(ID ‖ ), which are required to mount impersonation attacks. Besides, has no method to retrieve these values either from the parameters extracted out of the user's smart card, or from the login request, or using both. Therefore, the proposed scheme provides proper mutual authentication.

Providing User Anonymity and User Untraceability.
In the proposed scheme, the user's plaintext identity ID never appears; it is neither stored in the user's smart card SC nor sent in any of the login-authentication messages transmitted over the insecure network. If extracts [28,29] the values { , , , , ℎ(⋅)} from SC , we explain in the following that he cannot obtain the ID of . To guess ID from = (ID ‖ PW )⊕ and from = (ID ‖ PW )⊕ , the attacker must have knowledge of {PW , } and {PW , }, respectively. cannot guess ID from = ℎ(ID ‖ ) ⊕ without knowing and . If intercepts a login request { 3 , 4 , 5 } or the reply message { 9 , 10 }/{ 12 }, he cannot guess ID using { 5 , 10 , 12 } without knowledge of { , and }. Besides, it is not feasible for to retrieve ID out of { , 5 , 10 , 12 } due to the one-way property of the hash function. Moreover, each value { 3 , 4 , 5 , 9 , 10 , 12 } transmitted over the insecure network is dynamic in nature by virtue of the random numbers and , which are different for each session. Thus, can neither obtain the user's identity ID nor trace the legal user by observing and analyzing some fixed parameter in the login request or the reply messages. Hence, the scheme provides user anonymity as well as user untraceability.

Probably the author opined that in the presence of a biometrics verification procedure there is no need for a password change facility. Undoubtedly, it is very difficult to forge, copy or compromise biometrics, but once compromised, biometrics cannot be changed like passwords. So we opine that if a password is employed in a user authentication scheme, then there should be a provision to let the user freely change his password. The proposed scheme provides a password changing facility with which a user can freely (without interacting with the server) change his old password to a new one whenever he wishes to do so.
Before updating the stored values with the new password (PW ) new , the smart card verifies the correctness of the identity ID and old password PW along with verifying the biometrics information = ℎ( ⊕ ). Thus the proposed scheme provides a secure and easy password changing facility.

Comparison
In this section, we examine the proposed scheme by comparing its efficiency with Li-Hwang's scheme [19], Das's scheme [26], and An's scheme [27]. Table 2 displays a comparison of security attributes and Table 3 displays a comparison of computational load in terms of hash functions. The comparison in Table 2 shows that the proposed scheme resists the various attacks possible on the schemes [19,26,27] and provides the additional feature of user anonymity with untraceability. Besides, it also restores the password change facility, which is provided by the original versions [19,26] but is missing in An's scheme [27]. As Table 3 shows, the proposed scheme carries only two additional hash operations over its immediate predecessor scheme [27]. The important aspect of the proposed scheme is that a minor increase of two hash functions in computational load achieves higher security as compared to the other schemes [19,26,27].

Conclusion
This paper shows that the recently proposed biometrics-based user authentication scheme by An is susceptible to many threats. Once an attacker obtains the smart card of a legal user, he can guess the user's password and impersonate the user. Further, the attacker can also cheat the user by masquerading as the legal server. Consequently, the scheme fails to provide mutual authentication. Besides, the scheme also suffers from the restriction of a static password. We have proposed a new scheme based on the design of An's scheme so as to fix the problems identified in An's scheme. In the proposed scheme an attacker cannot figure out the identity of the user either from the smart card or by intercepting all login-authentication messages transmitted over the insecure network. Analysis and comparison show the improved performance of the proposed scheme.