Abstract
The advancement in communication and computation technologies has paved a way for connecting large number of heterogeneous devices to offer specified services. Still, the advantages of this advancement are not realized completely due to inherent security issues. Most of the existing authentication mechanisms ensure the legitimacy of requesting user thorough single server leading towards multiple registrations and corresponding credentials storage on user side. Intelligent multimedia networks (IMN) may encompass wide range of networks and applications. However, the privacy and security of IMN cannot be apprehended through traditional multi sign on/single server authentication systems. The multi-server authentication systems can enable a user to acquire services from multiple servers using single registration and with single set of credentials (i.e.Password/smart card etc.) and can be accomplish IMN security and privacy needs. In 2018, Barman et al. proposed a multi-server authentication protocol using fuzzy commitment. The authors claimed that their protocol provides anonymity while resisting all known attacks. In this paper, we analyze that Barman et al.’s protocol is still vulnerable to anonymity violation attack and impersonation based on stolen smart card attack; moreover, it has incomplete login request and is prone to scalability issues. We then propose an enhanced protocol to overcome the security weaknesses of Barman et al.’s scheme. The security of the proposed protocol is verified using BAN logic and widely accepted automated AVISPA tool. The BAN logic and automated AVISPA along with the informal analysis ensure the robustness of the scheme against all known attacks.
Similar content being viewed by others
References
Ali R, Pal AK (2017) Three-factor-based confidentiality-preserving remote user authentication scheme in multi-server environment. Arab J Sci Eng 42 (8):3655–3672
Amin R, Biswas G (2015) A novel user authentication and key agreement protocol for accessing multi-medical server usable in tmis. Journal of medical systems 39(3):33
Armando A, Basin D, Cuellar J, Rusinowitch M, Viganò L (2006) Avispa: automated validation of internet security protocols and applications ERCIM News 64(January)
Arshad H, Nikooghadam M (2016) An efficient and secure authentication and key agreement scheme for session initiation protocol using ecc. Multimedia Tools and Applications 75(1):181–197
Barker E, Barker W, Burr W, Polk W, Smid M (2012) Recommendation for key management part 1: General (revision 3). NIST special publication 800(57):1–147
Barman S, Das AK, Samanta D, Chattopadhyay S, Rodrigues JJ, Park Y (2018) Provably secure multi-server authentication protocol using fuzzy commitment. IEEE Access 6(38):578–38,594
Burrows J (2015) Secure hash standard. fips pub 180-1, national institute of standards and technology (nist), us department of commerce april 1995
Burrows M, Abadi M, Needham RM (1989) A logic of authentication. Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences 426(1871):233–271
Canetti R, Krawczyk H (2001) Analysis of key-exchange protocols and their use for building secure channels. In: International conference on the theory and applications of cryptographic techniques, pp 453–474. Springer
Chaudhry SA, Naqvi H, Khan MK (2018) An enhanced lightweight anonymous biometric based authentication scheme for tmis. Multimedia Tools and Applications 77(5):5503–5524
Chen CM, Wang KH, Yeh KH, Xiang B, Wu TY (2019) Attacks and solutions on a three-party password-based authenticated key exchange protocol for wireless communications. Journal of Ambient Intelligence and Humanized Computing 10(8):3133–3142
Chen CM, Xiang B, Liu Y, Wang KH (2019) A secure authentication protocol for internet of vehicles. IEEE Access 7(12):047–12,057
Chuang MC, Chen MC (2014) An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications 41(4):1411–1418
Debiao H, Jianhua C, Rui Z (2012) A more secure authentication scheme for telecare medicine information systems. Journal of medical systems 36 (3):1989–1995
Dolev D, Yao A (1983) On the security of public key protocols. IEEE Transactions on information theory 29(2):198–208
Ghani A, Mansoor K, Mehmood S, Chaudhry SA, Rahman AU, Najmus Saqib M (2019) Security and key management in iot-based wireless sensor networks: an authentication protocol using symmetric key. Int J Commun Syst 32 (16):e4139
Hao F, Anderson R, Daugman J (2006) Combining crypto with biometrics effectively. IEEE transactions on computers 55(9):1081–1088
He D, Wang D (2014) Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst J 9(3):816–823
Hussain S, Chaudhry SA (2019) Comments on “biometrics-based privacy-preserving user authentication scheme for cloud-based industrial internet of things deployment”. IEEE Internet of Things Journal 6(6):10,936–10, 940
Irshad A, Sher M, Chaudhry SA, Xie Q, Kumari S, Wu F (2018) An improved and secure chaotic map based authenticated key agreement in multi-server architecture. Multimedia Tools and Applications 77(1):1167–1204
Irshad A, Sher M, Nawaz O, Chaudhry SA, Khan I, Kumari S, et al. (2017) A secure and provable multi-server authenticated key agreement for tmis based on amin. scheme. Multimedia Tools and Applications 76(15):16,463–16,489
Juang WS, Chen ST, Liaw HT (2008) Robust and efficient password-authenticated key agreement using smart cards. IEEE Trans Ind Electron 55(6):2551–2556
Juels A, Wattenberg M (1999) A fuzzy commitment scheme. In: Proceedings of the 6th ACM conference on Computer and communications security, pp 28–36. ACM
Kilinc HH, Yanik T (2014) A survey of sip authentication and key agreement schemes. Communications Surveys & Tutorials, IEEE 16(2):1005–1023
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Annual international cryptology conference, pp 388–397. Springer
Kumar V, Ahmad M, Kumari A, Kumari S, Khan M (2019) Sebap: a secure and efficient biometric-assisted authentication protocol using ecc for vehicular cloud computing. Int J Commun Syst, pp e4103. https://doi.org/10.1002/dac.4103
Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772
Lee J, Ryu S, Yoo K (2002) Fingerprint-based remote user authentication scheme using smart cards. Electron Lett 38(12):554–555
Lin CH, Lai YY (2004) A flexible biometrics remote user authentication scheme. Computer Standards & Interfaces 27(1):19–23
Lin H, Wen F, Du C (2017) An anonymous and secure authentication and key agreement scheme for session initiation protocol. Multimedia Tools and Applications 76(2):2315–2329
Lu Y, Li L, Yang X, Yang Y (2015) Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS One 10(5):e0126,323
Lwamo NM, Zhu L, Xu C, Sharif K, Liu X, Zhang C (2019) Suaa: a secure user authentication scheme with anonymity for the single & multi-server environments. Information Sciences 477:369–385
Mansoor K, Ghani A, Chaudhry SA, Shamshirband S, Ghayyur SAK (2019) Securing iot based RFID systems: a robust authentication protocol using symmetric cryptography. Sensors 19:21. https://doi.org/10.3390/s19214752
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE transactions on computers 51(5):541–552
Mir O, Nikooghadam M (2015) A secure biometrics based authentication with key agreement scheme in telemedicine networks for e-health services. Wirel Pers Commun 83(4):2439–2461
Mishra D, Das AK, Mukhopadhyay S (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 41(18):8129– 8143
Mitchell CJ, Tang Q (2005) Security of the lin-lai smart card based user authentication scheme Technical Report
Nguyen NT, Chang CC (2018) A biometric-based authenticated key agreement scheme for session initiation protocol in ip-based multimedia networks. Multimedia Tools and Applications 77(18):23,909–23,947
Qi M, Chen J (2017) An efficient two-party authentication key exchange protocol for mobile environment. Int J Commun Syst 30(16):e3341
Qi M, Chen J (2018) New robust biometrics-based mutual authentication scheme with key agreement using elliptic curve cryptography. Multimedia Tools and Applications 77(18):23,335–23,351
Ratha NK, Chikkerur S, Connell JH, Bolle RM (2007) Generating cancelable fingerprint templates. IEEE Transactions on pattern analysis and machine intelligence 29(4):561–572
Ravanbakhsh N, Nazari M (2018) An efficient improvement remote user mutual authentication and session key agreement scheme for e-health care systems. Multimedia Tools and Applications 77(1):55–88
Reddy AG, Das AK, Odelu V, Ahmad A, Shin JS (2018) A privacy preserving three-factor authenticated key agreement protocol for client–server environment. Journal of Ambient Intelligence and Humanized Computing 10(2):661–680
Reddy AG, Yoon EJ, Das AK, Odelu V, Yoo KY (2017) Design of mutually authenticated key agreement protocol resistant to impersonation attacks for multi-server environment. IEEE access 5:3622–3639
Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126
Sood SK, Sarje AK, Singh K (2011) A secure dynamic identity based authentication protocol for multi-server architecture. J Netw Comput Appl 34(2):609–618
Wang C, Zhang X, Zheng Z (2016) Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme. Plos one 11(2) e0149:173
Wu ZY, Lee YC, Lai F, Lee HC, Chung Y (2012) A secure authentication scheme for telecare medicine information systems. Journal of medical systems 36(3):1529–1535
Zhu Z (2012) An efficient authentication scheme for telecare medicine information systems. Journal of medical systems 36(6):3833–3838
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Rehman, H.U., Ghani, A., Chaudhry, S.A. et al. A secure and improved multi server authentication protocol using fuzzy commitment. Multimed Tools Appl 80, 16907–16931 (2021). https://doi.org/10.1007/s11042-020-09078-z
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11042-020-09078-z