Robust Multiple Servers Architecture Based Authentication Scheme Preserving Anonymity

Recently, many dynamic ID based remote user authentication schemes using smart card have been proposed to improve the security in multiple servers architecture authentication systems. In 2017, Kumari and Om proposed an anonymous multi-server authenticated key agreement scheme, which is believed to be secure against a range of network attacks. Nevertheless, in this paper we reanalyze the security of their scheme, and show that the scheme is vulnerable to impersonation attack and server spoofing attack launched by any adversary without knowing any secret information of the victim users. In addition, their protocol fails to achieve the claimed user privacy protection. For handling these aforementioned shortcomings, we introduce a new biometric-based authentication scheme for multi-server architecture preserving user anonymity. Besides, Burrows-Abadi-Needham (BAN)-logic validated proof and discussion on possible attacks demonstrate the completeness and security of our scheme, respectively. Further, the comparisons in terms of security analysis and performance evaluation of several related protocols show that our proposal can provide stronger security without sacrificing efficiency.


Introduction
In a multiple servers architecture based authentication system, the registration center, the service providing servers and the users are the major participants. The registration center is the trusted party that administers all the users and servers involved in the system. Servers provide network services, and legitimate users can access these services. Compared with the conventional two-party authentication system, a multi-server architecture based authentication system requires only a one-time registration and lets users access services from multiple servers; this removes the burden of users having to register separately, and repeatedly, with each server.
In 2004, Das et al. [1] proposed a dynamic ID based remote user authentication scheme using smart card. Since then, many dynamic ID authentication schemes have been published to enhance the security properties and reduce the communication and computation costs [2][3][4][5][6][7][8][9][10][11][12]. However, these schemes are designed for a single-server architecture and are not suitable for a multi-server environment.
To address the particularities of the multi-server architecture, many authentication schemes designed for the multi-server environment have been investigated by researchers. In 2009, Liao and Wang [13] proposed a remote user authentication scheme for multi-server architecture preserving user anonymity to eliminate the risk of ID-theft. Nevertheless, their scheme was shown to be susceptible to insider attack and masquerade attack, and to fail to provide mutual authentication. Later on, Hsiang and Shih [14] introduced a remedied protocol to solve the above security flaws. Unfortunately, Sood et al. [15] reanalyzed their scheme and pointed out that it is vulnerable to replay attack, impersonation attack and stolen smart card attack. Meanwhile, they presented a novel multiple servers based authentication scheme. After that, many multi-server authentication schemes have been proposed to strengthen the security and improve the efficiency [16][17][18][19][20][21][22][23][24][25][26].
In 2014, Chuang and Chen [16] proposed an anonymous multi-server authentication key agreement scheme using smart cards, password and biometrics. However, Kumari and Om [23] identified vulnerabilities in their scheme, such as being insecure against DoS attack, user/server impersonation attack and stolen smart card attack, and failing to achieve perfect forward secrecy. To eliminate these shortcomings of Chuang et al.'s scheme, they proposed an enhanced protocol for a multiple servers authentication system, which offers non-repudiation by means of RSA digital signatures. Moreover, the authors stated that their proposal possessed all required security properties and resisted all the network attacks. Unfortunately, in this paper we reexamine the security of Kumari et al.'s RSA cryptosystem based authentication scheme and show that it fails to withstand impersonation attack and server spoofing attack. Specifically, any adversary can break their scheme easily, even without knowing the victim user's information. Moreover, adversaries can construct test scenarios to execute a brute force attack and reveal users' low entropy identities. To overcome the identified vulnerabilities, we further devise an improved biometric-based multi-server authentication scheme whose design differs from the original. BAN-logic, a formal method for reasoning about the beliefs of the participants in an authentication protocol, is used to verify the validity of our proposal. Finally, the security and performance analysis show that the proposed protocol is superior to other related schemes.
This paper is organized as follows. We introduce the basic concept of fuzzy extraction in Section 2. Then, in Sections 3 and 4 we briefly review Kumari et al.'s scheme and identify its security flaws, respectively. Next, we propose a new robust authentication scheme in Section 5 and analyze its security in Section 6. Subsequently, in Section 7 we compare the performance of our new protocol with the previous schemes. Finally, the paper is concluded in Section 8.

Preliminaries
In this section, we briefly introduce the basic concept of the fuzzy extractor; for more details please refer to [27]. In 1999, Juels and Wattenberg introduced the definition of the fuzzy extractor, which verifies the legitimacy of users from a biometric template. Notably, it handles both non-uniformity and error tolerance. Concretely, it outputs a uniform key R together with an auxiliary string P from a non-uniform, noisy biometric input B* by means of a reproducible, error-tolerant extraction. The auxiliary string P used to recover the authentication key R is a public parameter and does not compromise the secrecy of R. The probabilistic generation algorithm Gen and the deterministic reproduction algorithm Rep are the efficient procedures of a fuzzy extractor with parameters (m, l, t, ), which are detailed as follows.

• Gen: Takes a biometric template $B$ as input and outputs an authenticated value $R \in \{0, 1\}^l$ and an auxiliary value $P \in \{0, 1\}^*$.

We list the notations used throughout this paper in Table 1.

Table 1. Notations used in this paper.
• $X_c$: Secret key of registration center
• $p, q$: Two distinct large primes
• $n, \varphi(n)$: $n = p \times q$ and $\varphi(n) = (p - 1) \times (q - 1)$
• $SK_{ij}$: Session key shared between user and server
• $H(\cdot)$: Hash function
• $\oplus$: Exclusive-OR operation
• String concatenation operation

Review of Kumari and Om's Scheme
In this section, we briefly describe Kumari and Om's [23] multi-server architecture based authentication scheme. It consists of initialization, registration, login, authentication and password changing phases. In Figure 1, we describe in detail the login and authentication phases in the form of infographics.

Initialization Phase
Registration center $RC$ chooses a secret value $X_c$ and two distinct large prime numbers $p, q$. It then computes $n = p \times q$ and $\varphi(n) = (p - 1) \times (q - 1)$. $X_c$ is the master secret key and is kept only by $RC$; $p$ and $q$ can be destroyed to avoid leakage.

Server Registration
Application server $S_j$ transmits its identity $SID_j$ to $RC$ and applies for the authorization to offer network services. $RC$ selects a random number $e_j \in (1, \varphi(n))$ with $\gcd(e_j, \varphi(n)) = 1$ and computes $d_j$ such that $e_j \times d_j \equiv 1 \pmod{\varphi(n)}$. Finally, $RC$ sends the credentials $\{M1_j, e_j, d_j, n\}$ to $S_j$ over a secure channel, where $M1_j = H(SID_j \, X_c)$; $M1_j$ and $d_j$ are kept secret, while $e_j$ and $n$ are published as public values.

User Registration
Step 1: $U_i$ first imprints his/her biometrics and uses the fuzzy extractor to obtain the authenticated value $R_i$ and the auxiliary value $P_i$ such that $Gen(B_i) = (R_i, P_i)$. Then he/she selects an identity $ID_i$ and a password $PW_i$, computes $PB_i = H(PW_i \oplus R_i)$ and sends $\{ID_i, PB_i, P_i\}$ to the registration center for registration.
Step 2: Upon receiving the registration request from $U_i$, $RC$ computes $HPW_i = H(ID_i \, PB_i)$,

Login Phase
$U_i$ inserts his/her smart card into the terminal and inputs the identity $ID_i$, the password and the biometric template $B_i$ imprinted at the sensor. The smart card then executes the following procedure.
Step 1: Runs the reproduction algorithm $R_i^* = Rep(B_i, P_i)$ and computes $PB^*$
Step 2: Verifies that $HPW_i^*$ equals the stored value $HPW_i$. If they are equal, proceeds to the next step; otherwise, terminates the session immediately.
Step 3: Generates a random number $r_u$ and acquires the current timestamp $T1$ to calculate
Step 4: Submits the login request message $\{CID_{ij}, N1_{ij}, N3_{ij}, T1\}$ to $S_j$.

Authentication Phase
On receiving the login request $\{CID_{ij}, N1_{ij}, N3_{ij}, T1\}$ from $U_i$ at time $T2$, $S_j$ checks the freshness of $T1$ by verifying that $T2 - T1$ is less than or equal to the permissible transmission delay $T$. If so, it continues with the following steps; otherwise, $S_j$ aborts the login session.
Step 1:
Step 2: $S_j$ then compares the computed $N3_{ij}$ with the received one. If they differ, the session is terminated; otherwise, it continues with the further steps.
Step 3: $S_j$ acquires the current timestamp $T3$ and generates a random number $r_s$ to compute
Step 4: $S_j$ then replies to $U_i$ with the mutual authentication message $\{CSID_{ij}, M2_{ij}, M4_{ij}, T3\}$.
Step 5: Upon receiving the response from $S_j$ at $T4$, $U_i$ checks whether $T4 - T3 \le T$. If not, $U_i$ abandons the login; otherwise, the smart card computes $M3_{ij} = (M2_{ij})$
Step 6: The smart card then compares the computed $M4_{ij}$ with the received one. If they are not equal, authentication fails; otherwise, $U_i$ confirms that $S_j$ is authentic and mutual authentication is complete. Finally, $U_i$ and $S_j$ share the current session key $SK_{ij}$.

Password Changing Phase
In the password changing phase, $U_i$ can update his/her password offline. First, he/she inserts the smart card into the device and inputs $ID_i$, $PW_i$ and the biometric template $B_i$. The smart card then verifies the legitimacy of $U_i$ before launching the following steps.
Step 1: and checks whether the stored value $HPW_i$ equals the computed $H(ID_i \, PB_i)$. If they are not equal, the smart card terminates the session; otherwise, it continues to compute
Step 2: $U_i$ is then allowed to input a new password $PW_i^{new}$. The smart card
Step 3: Finally, the smart card replaces $\{B_i, C_{ij}, HPW_i\}$ with the new parameters to complete the password change.

Cryptanalysis of Kumari and Om's Scheme
In this section, we show that Kumari and Om's protocol is vulnerable to impersonation attack and server spoofing attack, and fails to protect user anonymity. Their scheme can be broken completely by any malicious user in the multi-server authentication system, even one who knows nothing about the victim user. The details are as follows.

Impersonation Attacks
Consider a legitimate but malicious user $U_A$ in the multiple servers authentication system; he/she can obtain $M1$ from the secret parameters stored in his/her own smart card. The adversary can then impersonate any legal user (even a non-existent one) to gain unauthorized access to $S_j$.
In the login phase, $U_A$ randomly selects a string $ID_k$ in the identity format and computes
where $r_A$ and $T1_k$ are a freshly generated random number and the current timestamp, respectively. He/she then transmits the forged login request $\{CID_{kj}, N1_{kj}, N3_{kj}, T1_k\}$ to $S_j$.
After receiving the forged login request, $S_j$ checks the validity of $T1_k$ and calculates
Obviously, the computed $N3_{kj}$ matches the forged one in the login request, so the verification of $U_A$ succeeds and $S_j$ accepts the adversary's login request. $S_j$ then computes $M2_{kj} = (M1_j)^{r_s \cdot d_j}$, $M3_{kj} = (N1_{kj})^{r_s}$, $SK_{kj} = H(ID_k \, SID_j \, M3_{kj} \, N2_{kj})$, $M4_{kj} = H(SK_{kj} \, T3)$ and $CSID_{kj} = SID_j \oplus M3_{kj}$ with the random number $r_s$ and the timestamp $T3$, and replies $\{CSID_{kj}, M2_{kj}, M4_{kj}, T3\}$ to the adversary.
The adversary then computes $M3_{kj} = (M2_{kj})^{e_j^2 \cdot r_A}$, $SID_j = CSID_{kj} \oplus M3_{kj}$ and $SK_{kj} = H(ID_k \, SID_j \, M3_{kj} \, N2_{kj})$. Finally, $U_A$ obtains the session key $SK_{kj}$ and uses it to communicate with $S_j$. Hence, the adversary gains unauthorized access to the service providing server.

Failure of Preserving Anonymity
As described above, a legitimate but malicious user $U_A$ can obtain $M1_j^{e_j}$ from his/her own secret values. Suppose that $U_A$ intercepts $U_i$'s login request $\{CID_{ij}, N1_{ij}, N3_{ij}, T1\}$ from a prior transaction; he/she can then recover $U_i$'s identity by a brute force search. The concrete procedure is as follows.
Step 1. Let $ID_i^*$ be an identity candidate from the identity space. The adversary computes $N2_{ij}^* = CID_{ij} \oplus ID_i^*$.
Step 2. The adversary checks whether $N3_{ij} \stackrel{?}{=} H(ID_i^* \, M1_j^{e_j} \, N2_{ij}^* \, T1)$ to verify the chosen candidate $ID_i^*$.
Step 3. The adversary repeats Steps 1 and 2 with further candidates from the identity space until the correct $ID_i$ satisfying $N3_{ij} = H(ID_i \, M1_j^{e_j} \, (CID_{ij} \oplus ID_i) \, T1)$ is found.
The above attack is practical because the identity space is small. The primary causes are the limits of human memory, which keep identities short, and the restrictions of the identity format.
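To make the work factor of the search above concrete, the following Python is an added editorial model of the candidate check in Steps 1 to 3; it is not code from Kumari and Om or from this paper. It assumes that hashed fields are concatenated as fixed-width 32-byte values, that $M1_j^{e_j}$, $N2_{ij}$ and $T1$ are constructed integers (the page's formulas for $N1_{ij}$ and $N2_{ij}$ are not needed to run the check), and that the identity space is a constructed list of short, format-constrained names. The function names are the example's own.

```python
import hashlib

# Editor-added model of the identity search (Steps 1-3 above); not the
# authors' code. Assumptions: hashed fields are concatenated as fixed-width
# 32-byte values; M1_j^e_j, N2_ij and T1 are constructed integers; the
# identity space is a constructed list of short, format-constrained names.


def H(*parts):
    """SHA-256 over the concatenated fields; ints are encoded as 32-byte big-endian."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(32, "big"))
    return h.digest()


def build_login_request(id_i, m1e, n2, t1):
    """The two fields of the captured login request that the search uses:
    CID_ij = ID_i xor N2_ij and N3_ij = H(ID_i, M1_j^e_j, N2_ij, T1)."""
    cid = int.from_bytes(id_i, "big") ^ n2
    return cid, H(id_i, m1e, n2, t1)


def search_identity(cid, n3, t1, m1e, id_space):
    """Steps 1-3: for each candidate ID*, derive N2* = CID xor ID* and compare
    the recomputed N3 with the captured one. Returns (ID or None, hashes used)."""
    hashes = 0
    for cand in id_space:
        n2_star = cid ^ int.from_bytes(cand, "big")      # Step 1
        hashes += 1
        if H(cand, m1e, n2_star, t1) == n3:              # Step 2
            return cand, hashes
    return None, hashes                                   # Step 3: space exhausted


def demo(victim=b"user07342", space_size=10_000):
    """Constructed scenario with identities of the form userNNNNN; returns
    (recovered identity or None, number of hash evaluations spent)."""
    m1e = int.from_bytes(hashlib.sha256(b"M1_j^e_j (constructed)").digest(), "big")
    n2 = int.from_bytes(hashlib.sha256(b"N2_ij (constructed)").digest(), "big")
    t1 = 1_700_000_000                                    # constructed timestamp
    cid, n3 = build_login_request(victim, m1e, n2, t1)
    id_space = [b"user%05d" % k for k in range(space_size)]
    return search_identity(cid, n3, t1, m1e, id_space)
```

Each candidate costs exactly one hash evaluation, so the number returned by demo() is the position of the victim's identity in the enumeration order, and the total cost is bounded by the size of the identity space rather than by any secret of the protocol.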

Server Spoofing Attack
In Kumari and Om's protocol, a legitimate but malicious user $U_A$ can also masquerade as an authorized server. Based on the above analysis, $U_A$ can obtain $U_i$'s identity $ID_i$ by the feasible brute force attack and record the identity $SID_j$ of $S_j$ from a prior session. Furthermore, he/she also needs to intercept the mutual authentication message $\{CSID_{ij}, M2_{ij}, M4_{ij}, T3\}$ sent by $S_j$ to $U_i$ in a previous session, and to record the pair of values $(M2_{ij}, M3_{ij}) = (M2_{ij}, CSID_{ij} \oplus SID_j)$. Note that this preparatory work is done only once; the adversary need not record these values again before each server spoofing attack. The concrete server spoofing attack proceeds as follows.
Step 1: Suppose that $U_i$ requests access to $S_j$ with $\{CID_{ij}, N1_{ij}, N3_{ij}, T1\}$. The adversary selects a random number $r_A$ and, using the previously recorded values, computes
Afterwards, he/she sends the forged response
Step 2: After receiving the forged reply, $U_i$ computes
Obviously, the computed $H(SK_{ij}^* \, T3_A)$ equals the received $M4_{ij}^*$. Hence, $U_i$ authenticates the adversary and communicates with him/her. The root cause of this flaw is the homomorphic relation between the pair $(M2_{ij}, M3_{ij})$: any attacker can re-randomize both values consistently by raising each of them to the same exponent $r_A$.

Our Scheme
Herein, we propose a novel multiple servers architecture based authentication scheme with biometrics, which contains five phases, namely initialization phase, registration phase, login phase, authentication phase and password changing phase. Furthermore, we depict the login and authentication phases in Figure 2.

Initialization Phase
Registration center $RC$ initializes the authentication system with a secret value $X_c$ and two distinct large primes $p, q$. It keeps $\{X_c\}$ secret and publishes the public parameters $\{n, \varphi(n)\}$, where $n = p \times q$ and $\varphi(n) = (p - 1) \times (q - 1)$. Finally, $RC$ erases the two values $p, q$.

Registration Phase
This segment contains two sub-phases: server registration and user registration. Service providing servers and users apply for authorization of registration center through the following procedures, respectively.

Server Registration
As in the original protocol, the service providing server $S_j$ sends its identity $SID_j$ to $RC$ for registration. After receiving the registration request, $RC$ selects two large numbers $e_j \in (1, \varphi(n))$ and $d_j$ such that $\gcd(e_j, \varphi(n)) = 1$ and $e_j \times d_j \equiv 1 \pmod{\varphi(n)}$, and computes $s_j = H(SID_j \, X_c)$. $RC$ then transmits the credentials $\{s_j, e_j, d_j, n\}$ to $S_j$. $S_j$ publishes $\{e_j, n\}$ and keeps $\{s_j, d_j\}$ as its secret keys.

User Registration
Step 1: $U_i$ imprints the biometrics $B_i$ and invokes the fuzzy extractor to generate $(R_i, P_i) \leftarrow Gen(B_i)$. He/she then computes $IB_i = H(ID_i \, R_i)$ and $PB_i = H(PW_i \, R_i)$ from the chosen identity and password, and registers with $RC$ by submitting $\{IB_i, PB_i\}$.
Step 2: $RC$ computes $K_{ij} = H(IB_i \, s_j)$ for each service providing server, using the server secret keys $\{s_1, s_2, \cdots, s_k\}$.
$RC$ then calculates $A_{ij} = (K_{ij})^{e_j} \oplus H(IB_i \oplus PB_i)$, $C_{ij} = K_{ij} \oplus PB_i$ and $D_i = H(IB_i \, PB_i)$. Afterwards, $RC$ personalizes the smart card with $\{(A_{i1}, A_{i2}, \cdots, A_{ik}), (C_{i1}, C_{i2}, \cdots, C_{ik}), D_i\}$ and sends it to $U_i$ over a secure channel.

Login Phase
Step 1: $U_i$ inserts his/her smart card into the card reader and inputs $ID_i$, $PW_i$ and the imprinted biometric template $B_i$. The smart card recovers $R_i$ via $R_i \leftarrow Rep(B_i, P_i)$, computes $IB_i = H(ID_i \, R_i)$ and $PB_i = H(PW_i \, R_i)$, and checks whether the computed $H(IB_i \, PB_i)$ equals the stored $D_i$. If so, it continues with Step 2; otherwise, the login phase is aborted.
Step 2: The smart card generates a random number $r_i$ and calculates
Step 3: $U_i$ accesses $S_j$ with the login request $\{CID_{ij}, M1_{ij}, M3_{ij}, T_i\}$.

Authentication Phase
Step 1: Upon receiving $U_i$'s login request at $T1_i$, $S_j$ checks the validity of
It then verifies that the computed value $H(IB_i \, H(IB_i \, s_j) \, M2_{ij} \, T_i)$ equals the received $M3_{ij}$. If they are equal, $U_i$ is authenticated; otherwise, $S_j$ discards the session immediately.
Step 2: $S_j$ then acquires the current timestamp $T_j$ and generates a random integer $r_j$ to compute $SK_{ij} = (M1_{ij})^{r_j \cdot d_j} = (K_{ij})^{r_j \cdot r_i}$, $V1_{ij} = (K_{ij})^{r_j \cdot d_j}$ and $V2_{ij} = H(SID_j \, SK_{ij} \, K_{ij} \, T_j)$. It then sends the authentication response $\{V1_{ij}, V2_{ij}, T_j\}$ to $U_i$.
Step 3: Upon receiving the reply at $T1_j$, the smart card checks the validity of $T_j$: if $T1_j - T_j$ exceeds the permissible transmission delay $T$, the authentication fails. Otherwise, the smart card calculates $SK_{ij} = (V1_{ij})^{e_j \cdot r_i}$ and $V2_{ij}^* = H(SID_j \, SK_{ij} \, K_{ij} \, T_j)$. If $V2_{ij}^* = V2_{ij}$, $U_i$ confirms that $S_j$ is authentic and mutual authentication completes successfully; otherwise, the session is terminated.
After the above mutual authentication, $S_j$ and $U_i$ share the session key $SK_{ij}$ for subsequent secure communication.
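As an added editorial example (not the authors' code), the following Python runs the server registration, user registration, login and authentication phases end to end with demo-sized primes. Because the page's equation for Login Step 2 is lost, the example assumes $M1_{ij} = (K_{ij})^{e_j \cdot r_i}$, $M2_{ij} = (K_{ij})^{r_i}$, $CID_{ij} = IB_i \oplus M2_{ij}$ and $M3_{ij} = H(IB_i \, K_{ij} \, M2_{ij} \, T_i)$ (all modulo $n$), which is what the checks in Authentication Step 1 require and what $SK_{ij} = (M1_{ij})^{r_j \cdot d_j} = (K_{ij})^{r_j \cdot r_i}$ implies. It further assumes that the card recovers $K_{ij}$ as $C_{ij} \oplus PB_i$, that every hashed field is encoded on 32 bytes, that $R_i$ is a fixed value standing in for $Rep(B_i, P_i)$, and that $\varphi(n)$ stays on the RC side; names such as run_session are the example's own.

```python
import hashlib
import math
import os

# Editor-added model of the proposed scheme's registration, login and
# authentication phases; it is not the authors' code. Assumptions not on the
# page: the lost Login Step 2 is taken as M1 = K^(e_j*r_i), M2 = K^r_i (mod n),
# CID = IB xor M2 and M3 = H(IB, K, M2, T_i), which is what the checks in
# Authentication Step 1 require; the card recovers K_ij as C_ij xor PB_i; every
# hashed field is encoded on 32 bytes; R_i is a fixed value standing in for
# Rep(B_i, P_i); phi(n) stays on the RC side; the primes are demo-sized.
P, Q = 2**127 - 1, 2**89 - 1            # two distinct primes (Mersenne, demo only)
N, PHI = P * Q, (P - 1) * (Q - 1)
DELTA_T = 5                              # permissible transmission delay (seconds)


def H(*parts):
    """SHA-256 over the concatenated fields; ints are encoded as 32-byte big-endian."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(32, "big"))
    return h.digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def server_registration(sid, x_c, e_j=65537):
    """RC issues {s_j, e_j, d_j, n} to server SID_j; {e_j, n} are public."""
    if math.gcd(e_j, PHI) != 1:
        raise ValueError("e_j must be coprime to phi(n)")
    return {"sid": sid, "e": e_j, "d": pow(e_j, -1, PHI), "s": H(sid, x_c)}


def user_registration(id_i, pw_i, r_i, servers):
    """RC only sees IB_i and PB_i; the card receives {A_ij, C_ij, D_i} per server."""
    ib, pb = H(id_i, r_i), H(pw_i, r_i)
    card = {"D": H(ib, pb), "A": {}, "C": {}}
    for srv in servers:
        k = int.from_bytes(H(ib, srv["s"]), "big") % N        # K_ij = H(IB_i, s_j)
        mask = int.from_bytes(H(xor_bytes(ib, pb)), "big")    # H(IB_i xor PB_i)
        card["A"][srv["sid"]] = pow(k, srv["e"], N) ^ mask    # A_ij
        card["C"][srv["sid"]] = k ^ int.from_bytes(pb, "big") # C_ij
    return card


def login(card, id_i, pw_i, r_i, sid, e_j, t_i):
    """Login phase on the card; returns the request and the card's session state."""
    ib, pb = H(id_i, r_i), H(pw_i, r_i)
    if H(ib, pb) != card["D"]:                                 # Step 1: local check
        raise ValueError("identity/password/biometric check failed")
    k = card["C"][sid] ^ int.from_bytes(pb, "big")
    r_i_nonce = int.from_bytes(os.urandom(32), "big")         # Step 2: fresh r_i
    m1, m2 = pow(k, e_j * r_i_nonce, N), pow(k, r_i_nonce, N)
    request = {"CID": int.from_bytes(ib, "big") ^ m2, "M1": m1,
               "M3": H(ib, k, m2, t_i), "T": t_i}             # Step 3
    return request, {"r": r_i_nonce, "k": k}


def server_authenticate(srv, req, t1_i):
    """Authentication Steps 1-2 on S_j; returns the reply and S_j's session key."""
    if t1_i - req["T"] > DELTA_T:
        raise ValueError("stale login request")
    m2 = pow(req["M1"], srv["d"], N)                           # M1^d_j = K^r_i
    ib = (req["CID"] ^ m2).to_bytes(32, "big")
    k = int.from_bytes(H(ib, srv["s"]), "big") % N
    if H(ib, k, m2, req["T"]) != req["M3"]:
        raise ValueError("login request rejected")
    r_j, t_j = int.from_bytes(os.urandom(32), "big"), t1_i
    sk = pow(req["M1"], r_j * srv["d"], N)                     # = K^(r_i * r_j)
    v1 = pow(k, r_j * srv["d"], N)
    return {"V1": v1, "V2": H(srv["sid"], sk, k, t_j), "T": t_j}, sk


def client_finish(state, reply, sid, e_j, t1_j):
    """Authentication Step 3 on the card; returns the agreed session key."""
    if t1_j - reply["T"] > DELTA_T:
        raise ValueError("stale reply")
    sk = pow(reply["V1"], e_j * state["r"], N)                 # = K^(r_i * r_j)
    if H(sid, sk, state["k"], reply["T"]) != reply["V2"]:
        raise ValueError("server not authentic")
    return sk


def run_session(t0=1_700_000_000):
    """One complete run with constructed participants; returns (user SK, server SK)."""
    srv = server_registration(b"SID_1", b"RC master secret X_c (constructed)")
    r_i = hashlib.sha256(b"R_i from Rep(B_i, P_i) (constructed)").digest()
    card = user_registration(b"alice", b"correct horse", r_i, [srv])
    req, state = login(card, b"alice", b"correct horse", r_i, b"SID_1", srv["e"], t0)
    reply, sk_server = server_authenticate(srv, req, t0 + 1)
    return client_finish(state, reply, b"SID_1", srv["e"], t0 + 2), sk_server
```

run_session() returns the two session keys; they agree because $e_j d_j \equiv 1 \pmod{\varphi(n)}$ cancels inside the exponent on both sides, and a second run yields a different key because $r_i$ and $r_j$ are fresh. A tampered $M3_{ij}$, a wrong password and a request older than the permissible delay are all rejected before any exponentiation with the server's private value is reused.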

Password Changing Phase
These procedures are invoked whenever $U_i$ replaces an expired password with a new one.
Step 1: Similar to Step 1 of login phase, the smart card verifies the legitimacy of the card holder. If it confirms the validity of U i , the smart card proceeds to Step 2; otherwise, it rejects the request of changing password.
Step 2: The smart card lets $U_i$ enter a new password $PW_i^{new}$ to replace the original one. $U_i$ enters the new password twice so that typing errors are caught; if the two entries differ, the smart card asks $U_i$ to enter the new password twice again.
Step 3: After that, the smart card computes $PB^{new}$

Authentication Proof Based on BAN-Logic
Herein, we present the demonstration for the completeness of the proposed scheme through BAN-logic [28]. BAN-logic is one of the widely employed formal proofs for analyzing the trustworthiness of involved participants in authentication protocol.
In the following, we define some notations for the further BAN-logic analysis.
• P |≡ X: The principal P believes the statement X, or P would be entitled to believe X.
• (X): The formula X is fresh.
• P ⇒ X: The principal P has jurisdiction over the statement X.
• P X: The principal P sees the statement X.
• P |∼ X: The principal P once said the statement X.
• The formula X is combined with the formula Y.
• P K ←→ Q: The principals P and Q use the shared key K to communicate; K will never be discovered by any principal other than P and Q.
• P K Q: K is a shared secret known to P and Q, and possibly to a party trusted by them.
• SK ij : The session key used in the current session.
We present several logical postulates of BAN-logic as follows.
• The message-meaning rule:
• The freshness-concatenation rule:
• The nonce-verification rule:
In the following, we present the verification goals based on the analytic procedures of BAN-logic.
Next, we present the idealized form of the proposed scheme, derived from its generic form.
In the following, we present some assumptions about the initial state of our proposed scheme to further analyze it.
Next, we analyze the idealized form of the proposed protocol based on the aforementioned

Discussion on Possible Attacks
In this section, we present the security analysis of the proposed scheme with respect to a series of malicious network attacks and the required security properties.

Preserve User Privacy
In the proposed scheme, $S_j$ retrieves the identity information $IB_i = H(ID_i \, R_i)$ from the value $CID_{ij} = IB_i \oplus M2_{ij}$ in the login request, where $M2_{ij}$ is $K_{ij}$ raised to the exponent $r_i$. $S_j$ holds the secret key $d_j$ and recovers $M2_{ij}$ from the other value $M1_{ij}$ in the login request by computing $M2_{ij} = (M1_{ij})^{d_j}$. An adversary who wants to do the same must therefore either compromise $S_j$'s secret key $d_j$ or solve the large integer factorization problem, so obtaining $IB_i$ in this way is infeasible for him/her. Additionally, in our scheme the dynamic identity $CID_{ij}$ is built from the hash value $IB_i$ of $U_i$'s identity and biometric template rather than from the low entropy identity $ID_i$ itself, so the adversary cannot reveal $ID_i$ with the attack we used against Kumari and Om's protocol. Accordingly, our proposal is secure against ID-theft attack and achieves user privacy protection.

Off-Line Password Guessing Attack
An adversary may mount a brute force attack on a low entropy password using eavesdropped session messages and the parameters extracted from a victim user's smart card [29,30]. To counter this, our proposal adds biometrics as a further security factor. Concretely, $IB_i$ and $PB_i$ are both bound to the secret value $R_i$, which is derived from the legitimate biometric template $B_i$. Even if the attacker has extracted the credential $D_i = H(IB_i \, PB_i)$ from the smart card, he/she would have to guess the identity $ID_i$, the password $PW_i$ and the secret value $R_i$ simultaneously. Since the length of $R_i$ meets standard security requirements, an off-line password guessing attack is fruitless against our scheme.

Impersonation Attack
An impersonation attack means that an adversary forges a login request to masquerade as a legitimate user and gain unauthorized access to network services.
To succeed, the adversary must generate a valid login request message. From the computation of these parameters it is clear that $K_{ij}$ and $IB_i$ are the key values needed to form them. In our proposal, $K_{ij} = H(IB_i \, s_j)$ is a unique secret value derived from secrets of both server and user, instead of the single static value $M1_j$ of $S_j$ shared by all users in Kumari and Om's protocol. This ensures that users cannot abuse a common element to access servers illegally, and an adversary cannot compute a valid login request without knowing $K_{ij}$. Consequently, impersonation attacks are infeasible in our scheme.

Server Spoofing Attack
A server spoofing attack means that someone (possibly even a legal but malicious server) pretends to be another server in order to deceive users. To mount it, the adversary must reply to $U_i$ with a valid authentication message $\{V1_{ij}, V2_{ij}, T_j\}$ just as the genuine server would, where $V1_{ij} = (K_{ij})^{r_j \cdot d_j}$, $V2_{ij} = H(SID_j \, SK_{ij} \, K_{ij} \, T_j)$ and $SK_{ij} = (K_{ij})^{r_j \cdot r_i}$. The value $K_{ij}$ is again the core of the response parameters. As described in Section 6.2.3, $K_{ij}$ is accessible only to $U_i$ and $S_j$; nobody else can obtain it without compromising the secret key $X_c$ of $RC$. Therefore, a server spoofing attack is infeasible in our scheme.

Replay Attacks
A replay attack means that someone maliciously resubmits repeated or delayed messages to deceive honest participants. Timestamps are one of the most widely used techniques to prevent replay attacks. In our proposal, both the login request and the authentication reply carry the current timestamp, and each participant checks its validity against the permissible transmission delay. Consequently, replay attacks are resisted effectively.

Forward Secrecy
Forward secrecy of a key exchange protocol protects past sessions from being revealed when the long term key of $RC$ is compromised in the future, even if the adversary interfered actively. Our proposed scheme achieves forward secrecy because the session key $SK_{ij} = (K_{ij})^{r_j \cdot r_i}$ is randomized by $r_i$ and $r_j$. Even if the adversary computes $K_{ij}$ from the leaked key $X_c$, he/she still cannot recover $SK_{ij}$, which depends on the one-time random numbers $\{r_i, r_j\}$.

Performance and Functionality Analysis
Herein, we compare the performance and functionality of our proposed scheme with those of recent related protocols, namely Chuang et al.'s scheme [16], Kumari and Om's scheme [23] and Jangirala et al.'s scheme [26]. Tables 2 and 3 show the comparison in terms of security features and computational cost, respectively. According to Table 2, our scheme satisfies all the requirements and criteria for a multiple servers based authentication system, whereas the other three schemes suffer from one or more weaknesses despite the security claimed by their authors. In the modified scheme, we eliminate these flaws and enhance security through targeted renovation.
In Table 3, $T_h$ and $T_e$ denote the time consumed by a one-way hash function and by a modular exponentiation, respectively. The evaluation in Table 3 covers the login and authentication phases and neglects the other three phases, which are performed infrequently. Chuang et al.'s and Jangirala et al.'s schemes use symmetric encryption and perform only hash functions, whereas our scheme and Kumari and Om's scheme are based on the RSA cryptosystem and require modular exponentiations; the latter two therefore incur a higher computational cost. From Table 3, the total computation costs of Chuang et al.'s scheme, Kumari and Om's scheme, Jangirala et al.'s scheme and our scheme are $17T_h$, $9T_h + 7T_e$, $25T_h$ and $8T_h + 6T_e$, respectively. Nevertheless, our scheme thwarts many security threats identified in these schemes, and it is proved formally with BAN-logic.

Conclusions
This paper first showed that Kumari and Om's anonymous multi-server authenticated key agreement scheme is vulnerable to impersonation attack, server spoofing attack and privacy disclosure. Worse, any attacker can break it without knowing the victim's secret information. Second, we introduced a modified multiple servers architecture based authentication scheme with biometrics to rectify these security flaws. We then evaluated the devised scheme with a formal proof in BAN-logic and a logical analysis against a range of network attacks. The performance and functionality comparisons in terms of computational cost and security features show that the designed protocol is superior for multiple servers authentication systems.