Improving an Anonymous and Provably Secure Authentication Protocol for a Mobile User

1 Department of Electrical and Computer Engineering, Sungkyunkwan University, 2066 Seobu-ro, Jangan-gu, Suwon-si, Gyeonggi-do 16419, Republic of Korea
2 Department of Cyber Security, Howon University, 64 Howondae 3-gil, Impi-myeon, Gunsan-si, Jeonrabuk-do 54058, Republic of Korea
3 Department of Mobile Internet, Daelim University College, 29 Imgok-ro, Dongan-gu, Anyang-si, Gyeonggi-do 13916, Republic of Korea
4 Department of Computer Engineering, Sungkyunkwan University, 2066 Seobu-ro, Jangan-gu, Suwon-si, Gyeonggi-do 16419, Republic of Korea


Introduction
Given recent developments in mobile telecommunications and the rapid spread of mobile devices, wireless and wired networking services that use past and current location information from users carrying mobile devices with location tracking capabilities are growing in importance [1]. Remote user authentication schemes typically verify registered credentials against stored databases. Since Lamport [2] presented the first password-based authentication scheme in 1981, various password-based remote user authentication schemes [3,4] have been proposed. However, since a server in a password-based remote user authentication protocol must store a verification table holding the passwords used to check a remote user's credentials, the server needs extra storage for this table.
Furthermore, several studies have shown that password-based remote user authentication protocols are insecure against certain attacks, including off-line password guessing and stolen smart card attacks [5][6][7]. The problem with password-based authentication is that a password can easily be stolen or lost and is difficult to remember on a regular basis. For these reasons, many researchers have presented new remote user authentication protocols that use biometrics. A major characteristic of biometrics is uniqueness; another advantage is that biometrics cannot be guessed or stolen. Biological characteristics have been used in numerous remote user authentication schemes [8][9][10][11][12][13].
1.1. Our Contribution.
To address the security vulnerabilities in Islam et al.'s authentication protocol and obtain the required performance, we propose a security-improved scheme. The primary contributions of this paper are described below.
(i) First, we prove that Islam et al.'s protocol is still vulnerable to some attacks, and we show how an adversary can impersonate a legitimate user or server.
(ii) Second, we propose an improved biometrics-based authentication and key agreement protocol built on Islam et al.'s protocol. The improved protocol is designed to be secure against well-known attacks.
(iii) Third, through a performance analysis we show that the proposed protocol is more robust and has a lower computational cost.

Chebyshev Chaotic Maps.
The Chebyshev polynomial   (V) is a polynomial in V of degree .
Definition 1. Let  be a whole number and  be a real number from the interval [−1, 1]; the Chebyshev polynomial of degree  is then defined as   (V) = cos( ⋅ arccos(V)).
Definition 2 (CMDLP). Given the two parameters V,  ∈  * , the Chaotic Maps Discrete Logarithm Problem is to find an integer  such that  =   (V). The probability of E being able to solve the CMDLP is defined as
Definition 3 (CMDHP). Given the three elements V,   (V), and   (V), the Chaotic Maps Diffie-Hellman Problem is to compute   (V) such that
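As an added worked example (not code from the paper), the Chebyshev map of Definition 1 evaluated modulo a prime p, the extended form used by the protocol, together with the semigroup property T_r(T_s(x)) = T_rs(x) = T_s(T_r(x)) mod p on which chaotic-map key agreement rests; the prime, the base x and the secret degrees are constructed toy values. Over the reals the map is cos(n·arccos(x)) and n is recoverable from arccos, which is why Definition 2 places V and the result in Z_p*.

```python
# Added example (not from the paper): extended Chebyshev chaotic map
# T_n(x) mod p and the semigroup property used for key agreement.
# The prime, base and degrees below are constructed toy values.

def chebyshev_mod(n, x, p):
    """T_n(x) mod p by fast doubling on the pair (T_k, T_{k+1}):
       T_{2k} = 2*T_k^2 - 1,  T_{2k+1} = 2*T_k*T_{k+1} - x,
    which follows from 2*T_a*T_b = T_{a+b} + T_{|a-b|}; O(log n) steps."""
    if n < 0:
        raise ValueError("degree must be non-negative")
    t_k, t_k1 = 1 % p, x % p                       # (T_0, T_1)
    for bit in bin(n)[2:]:                          # MSB first: k -> 2k+bit
        if bit == "1":                              # -> (T_{2k+1}, T_{2k+2})
            t_k, t_k1 = (2 * t_k * t_k1 - x) % p, (2 * t_k1 * t_k1 - 1) % p
        else:                                       # -> (T_{2k}, T_{2k+1})
            t_k, t_k1 = (2 * t_k * t_k - 1) % p, (2 * t_k * t_k1 - x) % p
    return t_k


def chebyshev_naive(n, x, p):
    """Reference: the three-term recurrence T_k = 2x*T_{k-1} - T_{k-2} mod p."""
    t_prev, t_cur = 1 % p, x % p
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur


def chaotic_map_key_agreement(x, p, r, s):
    """User picks secret degree r, server picks s; each sends T_degree(x).
    Applying its own degree to the peer's value gives both sides
    T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x)) mod p (semigroup property).
    Recovering r from T_r(x) mod p is the CMDLP of Definition 2."""
    public_user = chebyshev_mod(r, x, p)
    public_server = chebyshev_mod(s, x, p)
    key_user = chebyshev_mod(r, public_server, p)
    key_server = chebyshev_mod(s, public_user, p)
    return key_user, key_server


if __name__ == "__main__":
    p, x = 2**61 - 1, 123456789              # constructed toy parameters
    r, s = 987654321, 192837465
    ku, ks = chaotic_map_key_agreement(x, p, r, s)
    assert ku == ks == chebyshev_mod(r * s, x, p)
    print("shared chaotic-map key:", ku)
```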

Threat Assumptions.
We adopt the threat model of [37,38] and make the following threat assumptions:
(i) Adversary E can be either a user or a server. Any registered mobile user can act as an adversary.
(ii) E can intercept all messages in a public channel, thereby capturing any message exchanged between a user and a server.
(iii) E has the ability to modify, reroute, or delete captured messages.
(iv) Stored parameters can be extracted from the mobile device.

Fuzzy Extractor.
In this subsection, we describe the basis for a biometric-based fuzzy extractor, which converts biometric data into a random value. Based on [39][40][41], the fuzzy extractor operates through two procedures (Gen, Rep): Gen is a probabilistic generation function that, on input biometrics BIO, returns an "extracted" string  ∈ {0,1}  and an auxiliary string  ∈ {0, 1} * , and Rep is a deterministic reproduction function that recovers  from  and any vector BIO * close to BIO. Detailed information on the fuzzy extractor can be found in [42].
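As an added illustration of the (Gen, Rep) interface, not the paper's code: a code-offset fuzzy extractor in the style of Dodis et al., with a length-3 repetition code as the error-correcting code and SHA-256 standing in for the extractor, so it tolerates one flipped bit per 3-bit block of BIO. The bit strings and parameters are constructed toy values.

```python
# Added example (not from the paper): a code-offset fuzzy extractor
# (Gen, Rep) built from a repetition code and a hash. Toy parameters.
import hashlib
import secrets

BLOCK = 3  # repetition-code length: corrects 1 flipped bit per block


def _encode(secret_bits):
    """Repetition code C: each secret bit is written BLOCK times."""
    return [b for b in secret_bits for _ in range(BLOCK)]


def _decode(noisy_bits):
    """Nearest-codeword decoding: majority vote inside each block."""
    return [1 if 2 * sum(noisy_bits[i:i + BLOCK]) > BLOCK else 0
            for i in range(0, len(noisy_bits), BLOCK)]


def _extract(secret_bits):
    """Extractor: hash the recovered secret into the key R."""
    return hashlib.sha256(bytes(secret_bits)).hexdigest()


def gen(bio, rng=secrets.randbits):
    """Gen(BIO) -> (R, P). P = BIO xor C(w) for a random w; P reveals
    nothing useful about w when BIO has enough entropy. R = H(w)."""
    if len(bio) % BLOCK:
        raise ValueError("BIO length must be a multiple of BLOCK")
    w = [rng(1) for _ in range(len(bio) // BLOCK)]
    helper = [b ^ c for b, c in zip(bio, _encode(w))]
    return _extract(w), helper


def rep(bio_star, helper):
    """Rep(BIO*, P) -> R. BIO* xor P = C(w) xor (BIO xor BIO*), so as long
    as BIO* differs from BIO in at most one bit per block, decoding
    returns w and the same R is reproduced."""
    noisy_codeword = [b ^ h for b, h in zip(bio_star, helper)]
    return _extract(_decode(noisy_codeword))
```

A second scan that differs in two bits of the same block decodes to a different w and therefore to a different R, which is the failure mode the error-tolerance bound describes.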

Review of Islam et al.'s Protocol
We review Islam et al.'s protocol. Their protocol consists of registration, login, verification, and password change phases and uses extended chaotic maps. The term   () is the chaotic map computation, calculated with respect to "mod " for  ∈ (−∞, +∞). The notations used in this paper are listed in the Notations section.

Cryptanalysis of Islam et al.'s Protocol
We cryptanalyze the security problems in  [43], the adversary computes

On-Line Identity Guessing and User Impersonation Attack.
Let E be an active adversary who is a legitimate user and owns a mobile device from which the information ⟨ E ,  E ⟩ can be extracted. E can then easily guess the identity of any user   and impersonate   as follows.
(i) ( , guesses any identity ID  , and then com- and  1 is the current time stamp. MD  sends ⟨CID  ,  E ,   ,  E ,  1 ⟩ to server  over an insecure network.
(ii) Using [43], the adversary computes   = (arccos(  ( E )) + 2  )/ arccos( E ), ∀ ∈ .
(iii) Upon receiving the login request message ⟨CID  ,  E ,   ,  E ,  1 ⟩ from the adversary E, server  verifies the freshness of the timestamp  1 and terminates the session if

The Proposed Protocol
We propose an improved biometric-based authentication protocol using the fuzzy extractor. The proposed protocol also involves two parties, user   and server , and consists of four phases: registration, login, verification, and password change. Figures 1 and 2 show the registration phase and the login and verification phases of the proposed scheme, respectively.

Security Analysis of the Improved Protocol
We show that the proposed protocol, which retains the advantages of Islam et al.'s protocol, resists the possible attacks and supports all security properties. The analysis of the improved protocol is organized according to the threat assumptions made in the Preliminaries.

Formal Security Analysis.
A random oracle-based formal analysis is presented here, and the security of the protocol is shown. First, the hash function is defined as follows [44]:
Definition 4. A collision-resistant one-way hash function ℎ : {0, 1} * → {0, 1}  takes as input a binary string of arbitrary length V ∈ {0, 1} * , returns a binary string of fixed length ℎ(V) ∈ {0, 1}  , and satisfies the following conditions:
(i) Given  ∈ , it is computationally infeasible to find a V ∈  such that  = ℎ(V).
(ii) Given V ∈ , it is computationally infeasible to find another
(iii) It is computationally infeasible to find a pair
Theorem 5. Under these assumptions, if the hash function ℎ(⋅) behaves like a random oracle, then the improved protocol is provably secure against an adversary E attempting to derive sensitive information, including the identity   , the semigroup value   (  ), the common session key , and the master secret key .
Proof. The formal proof of the proposed protocol is similar to those in [40,45]: it uses the oracle to construct E, which has the ability to extract ID  ,   (  ), , and . Adv BBSMK HASH,A (,   ) = max Success, where  and   are the execution time and the number of queries. We then discuss the algorithm for E in Algorithm 1. If E has the capability to solve the hash function problem given in Definition 4, then he/she can immediately retrieve ID  ,   (  ), , and . In that case, E will detect the complete connections between   and ; however, inverting a hash result to recover its input is computationally infeasible, that is, Adv BBSMK HASH,A () ≤ , for all  > 0. Thus, Adv BBSMK HASH,A (,   ) ≤ , since Adv BBSMK HASH,A (,   ) depends on Adv BBSMK HASH,A (). In conclusion, there is no method for E to detect the complete connections between   and , and the proposed protocol is provably secure against an adversary E retrieving (ID  ,   (  ), , ).

Algorithm 1 (continued):
(11) Call the Reveal oracle. Let ⟨  ⟩ ← Reveal( 2 = ℎ(   ‖ ))
(12) if (  ==   ) then
(13) Accept ID   ,   (  )  ,   ,   as the correct ID  ,   (  ), , , respectively.
(14) return 1 (Success)
(15) else
(16) return 0 (Failure)
(17) else
(18) return 0 (Failure)
(19) else
(20) return 0 (Failure)
(21)

Simulation Result
Using AVISPA. We simulate the improved protocol for formal analysis using the widely accepted AVISPA tool. The main purpose of the simulation is to show that the improved protocol is secure against man-in-the-middle and replay attacks. The AVISPA tool consists of four back-ends: (1) On-the-Fly Model Checker (OFMC); (2) Constraint-Logic-Based Attack Searcher; (3) SAT-Based Model Checker; and (4) Tree Automata Based on Automatic Approximations for the Analysis of Security Protocols. In AVISPA, the protocol is implemented in the High-Level Protocol Specification Language (HLPSL) [44], which is based on roles: basic roles representing each entity and composition roles representing the scenarios of the basic roles. The fundamental types available in HLPSL are as follows [46]:
(i) agent: a principal name. The intruder always has the special identifier .
(ii) symmetric_key: a key of a symmetric-key cryptosystem.
(iii) text: text values are used in messages; they are often used as nonces.
(iv) nat: represents natural numbers in non-message contexts.
(v) const: the type for representing constants.
(vi) hash_func: the basic type for collision-resistant one-way hash functions.
The role of the initiator, user   , is shown in Algorithm 2.   first receives the start signal and changes its state variable from 0 to 1. This state variable is held in the variable state. Similarly, the role of server  is implemented and shown in Algorithm 3. The HLPSL specifications for the roles of environment, session, and goal are given in Algorithm 4. The result of the formal security verification of the improved protocol using OFMC is provided in Algorithm 5. It shows that the improved protocol is secure against passive and active attacks, including the man-in-the-middle and replay attacks mentioned above.

log in to , the biometrics BIO  is also needed. The proposed protocol can therefore resist a lost mobile device attack.
6.3.6. Replay Attack.
One of the best solutions to prevent replay attacks is to use timestamps, and the proposed protocol does so. Even if an adversary E eavesdrops on a user's login request message and sends it to server , the server  checks the freshness of the timestamp and rejects the request. Furthermore, an adversary  cannot compute   without ID  and   . The proposed protocol can therefore resist a replay attack.

Off-Line Password Guessing Attack.
To obtain the password of user   , the biometrics BIO  is needed. Biometrics are unique and cannot be guessed or stolen. The proposed protocol can therefore resist an off-line password guessing attack.

Stolen Verifier Attack.
In the proposed protocol, server  does not store any information related to the user's identity or password. The proposed protocol can therefore resist a stolen verifier attack.
6.3.9. Session Key Forward Security.
One important objective of any user authentication protocol is to establish a session key between user   and server . Forward secrecy protects previous and future session keys from adversary E even if the master secret key of  is exposed. Suppose that the master secret key  of  is known to E. However, E does not know   (  ). Thus, the session key  = ℎ(  ‖   (  ) ‖ ℎ(   ‖ ) ‖  1 ‖  3 ) of the improved protocol remains unknown to E. Therefore, forward secrecy is retained in the proposed protocol.
7.1. Functionality Analysis.
Table 1 compares the security features provided by the proposed protocol with those of previous protocols. The results indicate that the proposed protocol resists all of the listed attacks and satisfies all of the security requirements.

Performance Analysis.
We compare the computational cost of the improved protocol with that of previous protocols. According to the simulations reported in [34],   ≈ 32.40 ms and  ℎ ≈ 0.20 ms, respectively, on a system with a Pentium IV 3.2 GHz CPU and 3.0 GB of RAM. According to [47], the computational cost of the fuzzy extractor operation   is nearly identical to that of an ECC point multiplication. Kilinc and Yanik [48] measured the execution time of several cryptographic algorithms using the Pairing-Based Cryptography Library (version 0.5.12) [49] on 32-bit Ubuntu 12.04.1 with a 2.2 GHz CPU and 2.0 GB of RAM. They found that an elliptic curve point multiplication   costs nearly 2.226 ms. In addition, they showed that the cost of a bitwise XOR operation is negligible. In Table 2, we presented the

Figure 1: Registration phase of the proposed scheme.

Figure 2: Login and verification phases of the proposed protocol.
[43]   = ℎ(CID  ,  E ,  E ,  E ,  1 ). then rejects the session if  
Let E be an active adversary who is a legitimate user and owns a mobile device from which the information ⟨ E ,  E ⟩ can be extracted. E can then easily impersonate  as follows.
(i) Adversary E computes ( E ‖   ( E )) =  E ⊕ ℎ(ID E , PW E ).
(ii) Using [43], the adversary computes   = (arccos(  ( E )) + 2  )/ arccos( E ), ∀ ∈ .
The mobile device next checks whether    =   . If this holds, the mobile device accepts  as the session key. However, server  mistakenly concludes that it is communicating with   .
4.4. Violation of the Session Key.
Assume that an adversary E eavesdrops on the communication messages ⟨CID  ,   ,   ,   ,  1 ,   ,  2 ,   (  )⟩ between user   and server . E can then easily calculate the session key between   and .

Algorithm 1:
(1) Eavesdrop the login request message {CID  ,   ,   ,  1 }
(2) Call the Reveal oracle. Let ⟨ID  1 ,   (  )  ⟩ ← Reveal(  )
(3) Eavesdrop the authentication response message {  ,   ,  3 }
(4) Use the Reveal oracle. Let ⟨  ,

Security Analysis
6.3.1. Mutual Authentication.
Not only does the proposed scheme guarantee security as the other biometric-based schemes do, but   and  also authenticate each other.  authenticates  by checking whether   is valid or not, because only a legitimate user can compute a valid ℎ(ID  ‖   ( i ) ‖   ‖  1 ) using a chaotic map.  then authenticates  by checking   , which only  can compute using the long-term key  and timestamp  3 .
6.3.2. User Anonymity.
To compromise the anonymity of user   , adversary E must be able to compute ℎ(  ‖ ). The value  is the master secret key of server , and the random value   changes every session. Thus, the login request message changes every session. Even if adversary E eavesdrops on the login request message of user   , E does not learn ID  . The proposed protocol therefore provides user anonymity.
6.3.3. User Impersonation Attack.
Suppose that an adversary E steals the mobile device MD  of user   and extracts the parameters {  ,   ,   ,   ,   } from MD  . To construct the login request message ⟨CID  ,   ,   ,  1 ⟩, where CID  = ID  ⊕ ℎ(  ‖ ) and   = ℎ(ID  ‖   (  ) ‖   ‖  1 ), the server's master key  is needed. Without the master secret key  of server , E cannot compute   . The proposed protocol can therefore resist a user impersonation attack.
6.3.4. Privileged Insider Attack.
In the proposed protocol, user   sends the login request message ⟨ID  , DPW  = RPW  ⊕ ⟩. Even if the privileged insider adversary E obtains these values ⟨ID  , DPW  = RPW  ⊕ ⟩, E does not know RPW  and cannot impersonate user   . The proposed protocol can therefore resist a privileged insider attack.
6.3.5. Lost Mobile Device Attack.
Suppose that user   's mobile device MD  has been stolen or lost and an adversary E obtains it. E then tries to log in to server  using MD  ; however, E
does not know the correct password PW  . To