Strong Authentication Scheme Based on Hand Geometry and Smart Card Factors

Abstract

In 2009, Xu et al. presented a safe, dynamic, id-based on remote user authentication method that has several advantages such as freely chosen passwords and mutual authentication. In this paper, we review the Xu–Zhu–Feng scheme and indicate many shortcomings in their scheme. Impersonation attacks and insider attacks could be effective. To overcome these drawbacks, we propose a secure biometric-based remote authentication scheme using biometric characteristics of hand-geometry, which is aimed at withstanding well-known attacks and achieving good performance. Furthermore, our work contains many crucial merits such as mutual authentication, user anonymity, freely chosen passwords, secure password changes, session key agreements, revocation by using personal biometrics, and does not need extra device or software for hand geometry in the login phase. Additionally, our scheme is highly efficient and withstands existing known attacks like password guessing, server impersonation, insider attacks, denial of service (DOS) attacks, replay attacks, and parallel-session attacks. Compared with the other related schemes, our work is powerful both in communications and computation costs.

1. Introduction

Password-based authentication schemes consider the most widespread protocol used to validate authentication between legitimate customers and the remote server. The single-factor authentication (SFA) considers the first process for securing access to a specified system, such as a web site or e-business system, that identifies the party demanding access over only one type of credential. One of the major worries with passwords is that users face many challenges to understand how to make robust and remarkable passwords, or undervalue the need for security. Furthermore, most users tend to select something such as phone numbers, birthdays, favorite games, and names of movies. These matters are easy to memorize. Accordingly, adversaries can build a table of important words in order to enter the system by applying a dictionary attack. Additionally, these passwords can be broken in a matter of a few short minutes. As a result, this type of password can be detected from a simple note, either in use or heedlessly rejected. While those ways need to be secured against, passwords are also required to be less predictable by machines. Moreover, the predications of password entropy mean how difficult an obtained password would be to crack via guessing, dictionary, brute force cracking attacks or other well-known schemes. In short, passwords are still one of the most simply stolen/broken categories of authentication. Multi-factor authentication (MFA) collects two or more separate credentials: what a user knows (PIN), what a user has (smart card) and what a user is (fingerprint). The purpose of MFA is to generate a layered protection and make it more troublesome for an illegal person to arrive at a target such as a server, computing device, web system, or network. If one factor is assumed to be disclosed or detected, the adversary still has at least one more fence to get around before successfully reaching the target. On the other side, the typical costs for prevailing multi-factor authentication techniques are a little money per month, per device. However, this can add up to thousands of dollars per year for budget companies that have a lot of customers or devices, or both. Obviously, multi-factor authentication tools are worthwhile, principally as the number of passwords continues to rise and make headlines. Businesses have been set-up to provide better methods to preserve user login information beyond an easy username/password mixture [1,2,3,4,5].

Furthermore, there are many challenging issues that raise concerns about using multi-factor authentication including the high costs, not being easy to carry, not providing the functionalities of revocation, and failing to resist well-known attacks such as off-line guessing of passwords, Man-in-the-Middle (MITM), and user/server impersonation attacks. Principally, the user’s password refers to the first factor while the second factor can be one of tokens, smart cards, fingerprints, voices, etc. Only the genuine user has registered his second factor to the server in advance. However, the token cannot resist the MITM seed-tracing, comes at a high cost, and when it is lost or stolen, the service provider security may be compromised. Furthermore, how to arrange tokens issued by several servers is a big problem for both users and servers. The shortcomings of users’ biometric factors, when a large number of users try to authenticate in the system at the same time, the mechanism of the system becomes unacceptably slow.

Moreover, biometric factors require extra hardware and software. In this paper, we propose a strong scheme based on smart card and feature extraction of hand geometry to overcome the above-mentioned issues. Therefore, this section introduces biometrics features and smart cards, and then explains the main goals of this paper that lead to the presentation of our proposed scheme [1,2,3,4,5,6].

Accountability with articular authentication is significant for security in the communication world. Several physiological features of humans such as biometrics, are characteristically time stable, easy to acquire, and unique for every individual. Biometric features such as palm prints, handwriting, signatures, fingerprints, irises, faces, and hand geometry have been proposed for security in many fields such as access control, authentication, and authorization. There is a lot of research focused on fingerprints and faces [6,7,8,9]. The trustworthiness of personal identification applied to the face is considered low, as researchers currently continue to fight with the issues of orientations, gestures, poses, and lighting [2]. Fingerprint identification is extensively used in biometric identification, as it leads to good results in most cases. Conversely, it is not easy to obtain fingerprint features such as minutiae for elderly people. Minutiae indicate specific points of user’s fingerprints, the small details of user’s fingerprints that are most significant for fingerprint recognition.

Consequently, other biometric characteristics receive more attention for personal identification. Similarly, additional biometric features like hand geometry, can be easily added into the current authentication scheme to provide an improved level of reliability in personal authentication.

There are several authentication schemes that are proposed in [8,9,10,11,12,13] to use the smart card as a second authentication factor. Das et al. [14] proposed a scheme that is secure against replay attack, password guessing attacks, forgery attacks, dictionary attacks and identity theft. The researchers [15,16] denoted drawbacks of Das et al.’s scheme, which suffers from disclosing the identity of user’s authentication messages. Shih [16] also explained that Liou et al.’s [15] scheme cannot achieve mutual authentication and fails to resist off-line password guessing attacks. Xu–Zhu–Feng [3] refers to a forgery attack on Lee–Chiu’s scheme [17], and Lee–Kim–Yoo’s scheme [18] cannot resist the password dictionary attack. Additionally, Wang et al. [19] describe weaknesses of the schemes proposed by Kumar [20] and Awasthi-Lal [12]. Currently, Chun-Ta et al. [21] presented an improved scheme of Khan et al. [22] that fails to preserve user’s anonymity. Continuously, their improved scheme can satisfy several of the main security and functionality features for remote login systems. However, it also cannot support the biometric factor for enabling the revocation feature when the valid user loses his smart card or gets its stolen.

Regarding the advantages of biometric factors, the low value of secret-key entropy is the fault of biometric factors, which can be hacked in polynomial time. For instance, there is no way to avoid an adversary from applying his impersonation attack to the victim user if both the user’s password and smart card were lost/stolen. Therefore, several schemes [16,17,18,19] ensure the security of the system when either his password or his smart card is lost/stolen, but not both of them at the same time. On the opposite side, there is a sturdy secret key that combines smart cards and biometrics with passwords (called Multi-Factor Authentication (MFA)) that enjoy high entropy. Furthermore, the essential feature of the biometric is uniqueness in that everybody has various sources of biometrics such as fingerprints and eye recognition, and it is hard for genuine user’s biometrics to be lost/stolen because only the actual user enters personal biometrics with his smart card to login to the system. There are many schemes based on biometrics with smart cards [9,13], but these schemes require extra hardware and software for each login phase.

Moreover, smart cards are considered small devices and require low computation capability, mingy energy resources and small memory size. It is more desirable to only use symmetric-key manners such as crypto-hash functions, symmetric encryptions instead of applying costly asymmetric cryptographic schemes. Moreover, smart cards are generally widespread in sensitive environments such as bank services and health-care. On the other hand, the conventional security risks are exposed to many malicious attacks and are prone to more dangerous attacks. As a result, an esteemed multi-factor authentication scheme for smart cards should be able to prevent various common malicious attacks like insider, impersonation, MITM, replay and online/offline password guessing.

Additionally, the privacy of users is considered very important in the smart card industry. There is an imperious need for preserving user’s data access privacy, when important data is submitted in the login phase, and what data types the user is interested in, since the infiltration of such information could be hard-done by an adversary to use it when the legal user logout the system. There is an increasing demand for preserving user privacy information from being leaked and abused, which borders the needs for protecting strong schemes that can acquire asymmetric-key encryption, preserving user’s privacy, and user anonymity [19].

Furthermore, imposing efforts have been focused on producing schemes with user anonymity by only applying lightweight symmetric-key primitives like crypto hash functions and modern block ciphers. In this paper, we focus on two parts. In the first part, we analyze Xue et al.’s scheme, and present the main challenges in designing an authentication scheme with user anonymity. In the second part, we refer to the practical solutions for using user anonymity in our proposed scheme.

Additionally, we embed users’ hand geometry features as a biometric factor with the smart card in an effective manner that does not require extra hardware and software in the login phase. In the registration phase, a user submits his hand geometry and hashed user name and password into the server. Then, the server extracts the features of hand geometry and sends back the features, and smart card to the user. After that, the user keeps his hand geometry features in his USB to use in the next phases. Therefore, the adversary will have difficulty obtaining the user’s smart card and USB for applying malicious attacks. Furthermore, we review a security analysis of the Xu–Zhu–Feng scheme that is not immune to password guessing attacks and impersonation attacks. We also propose a new efficient and secure smart card based on a remote password authentication scheme that overcomes not only the weaknesses of the Xu–Zhu–Feng scheme, but also enjoys several features such as efficiency, flexible password-based remote mutual authentication, user anonymity, users being able to freely select and update their passwords, and the server and user being able to construct authenticated session keys. In fact, our scheme generates a key once for each user’s login request in the authentication phase. Moreover, our scheme can resist many kinds of attacks such as replay attacks, insider attacks, off-line attacks, reflection attacks, and DOS attacks. Continuously, compared with the other related schemes, our work is powerful both in communications and computation costs.

The remainder of the paper is organized as follows. Section 2 reviews the Xu–Zhu–Feng scheme. Feature extraction of hand geometry and design issues of the proposed scheme are discussed in Section 3. Our proposed scheme is presented in Section 4. Security analysis is reviewed in Section 5, and Section 6 presents the discussion and comparison with state-of-the-art methods. Section 7 provides our conclusions.

2. The Xu–Zhu–Feng Scheme

In this section, we focus on review and cryptanalysis of the Xu–Zhu–Feng scheme as follows:

2.1. Review of the Xu–Zhu–Feng Scheme

Some notations of the Xu–Zhu–Feng scheme will be presented. Then, we will explain the main phases of the Xu–Zhu–Feng scheme, which consists of a registration phase, login phase, verification phase and password change phase. Figure 1 presents the Xu–Zhu–Feng scheme.

• Notations
  In order to make future references more easy to understand, frequently repeated notations are enumerated below with their descriptions (see

  Table 1. Notations used through the Xu–Zhu–Feng scheme.

  Symbol	Description
  $I{d}_A$	Identity of user A.
  $I{d}_B$	Identity of user B.
  $P{W}_A$	Password of user A.
  $R_A$	The one-time random number generated by the user A.
  $T_A$	The time-stamp of user A.
  $T_S$	The time-stamp of server S.
  $▵T$	Threshold’s time defined in advance by the system.
  h(.)	A cryptography one-way hash function.
  $E_K\left(M\right)$	The message M encrypted by session key K.
  x mod p	The remainder of x divided by p.
  ⊕	The bitwise XOR operation.
  $\left|\right|$	The concatenation operation.
  p,q	The two large prime numbers.
  $Z_q^{*}$	The multiplicative set of $Z_q$.
  $Z_q$	The ring of integers modulo q.

  ).
• Initial Phase
  The server picks large prime numbers, p and q, such that $p=2q+1$, and selects its secret key $x\in Z_q^{*}$.
• Registration Phase
  The user sends his identity ID and password PW to the authentication server via a secure channel. Then, the server calculates $B=h{\left(ID\right)}^x+h\left(PW\right)modp$ when he receives the registration request message {ID,PW} from the valid user. After that, the server saves the important data $\{ID,B,h(.),p,q\}$ into a new smart card and pushes it to the user.
• Login Phase
  The user attaches his smart card to a device reader and enters his ID and PW. The smart card selects a random number $w\in Z_q^{*}$, establishes the time-stamp with the current time, and computes the following:
  $B^{\prime }=B-h{\left(PW\right)}^{w}modp,w=h{\left(ID\right)}^{w}modp,C=h\left(T\right||B^{\prime }\left|\right|w\left|\right|ID)$.
  It then submits the login message $\{ID,C,w,T\}$ to the server. However, we notice that the smart card is required to run the modulus exponentiation computation twice in this phase.
• Authentication Phase
  After receiving the user’s login message at time $T^{\prime }$, the server verifies the identity of the user ID and the time-stamp T by checking $(T^{\prime }-T)\le \Delta T$, where $\Delta T$ is a threshold defined in advance. Then, the server calculates $B^{″}=w^{x}modp$ and tests whether C is equal to $h\left(T\right|\left|B^{″}\right|\left|w\right|\left|ID\right)$. If the above validations go through effectively, the user is genuine and the server continues with the following procedure. Otherwise, it terminates the login request. The server selects a random number $m\in Z_q^{*}$, sets the time-stamp $T^{″}$, $M=h{\left(ID\right)}^{m}modp,C^{\prime }=h\left(M\right||B^{″}\left|\right|T^{″}\left|\right|ID)$, and submits the message $\{ID,C^{\prime },M,T^{″}\}$ to the user. After receiving the message, the smart card verifies $ID$ and $T^{″}$ and then compares $C^{\prime }$ with $h\left(M\right|\left|B^{″}\right|\left|T^{″}\right|\left|ID\right)$. If they are equal, the server is valid. Both the user and server compute $s_k=h\left(ID\right|\left|M\right|\left|w\right||M^w)=h(ID\left|\right|M\left|\right|w\left|\right|w^m)$.

2.2. Cryptanalysis of the Xu–Zhu–Feng Scheme

We demonstrate that the Xu–Zhu–Feng scheme has many drawbacks such as user impersonation attacks in the authentication phase. Assume the user A is attempting to impersonate the user B using his $I{D}_B$. First, A tries to draw out the data $B_A$ saved on B’s smart card. With A’s password, he can easily retrieve $h{\left(I{D}_A\right)}^x$ by $h{\left(I{D}_A\right)}^x=B_A-h\left(P{W}_A\right)modp$. Then, he selects a random number $w\in Z_q^{*}$, sets the time-stamp T with the recent time, and computes the following steps:

• $B_A^{\prime }=modp$,
• $w=h{\left(I{D}_A\right)}^{w}modp$,
• $C=h\left(T\right|\left|B_A^{\prime }{\left(h{\left(I{D}_A\right)}^x\right)}^w\right|\left|I{D}_B\right)$.

Then, he sends the login message $\{I{D}_B,C,w,T\}$ to the authenticated server. Upon receiving user A’s login message, the authenticated server checks the identity of user $B\left(I{D}_B\right)$ and the time-stamp T. The verification of the user identity $B\left(I{D}_B\right)$ and the time-stamp T is effective since the user A employs a legal user identity $\left(I{D}_B\right)$ and selects the current time as the time-stamp. Furthermore, the authenticated server computes $B^{″}=w^{x}modp$ and $C^{″}=h\left(T\right||B^{″}\left|\right|w\left|\right|I{D}_B)$, and examines whether $C=C^{″}$. Since $B^{″}=w^x={\left(h{\left(I{D}_A\right)}^w\right)}^x=B_A^{\prime }modp$, the verification of C’s data is also successful. As a result, an adversary A, who poses as the user B, is successfully validated by the authenticated server. An adversary cannot access the rest of the process for authenticating the server, unlike a genuine user, as an adversary does not need to authenticate server. He is successful as long as the authenticated server accepts his login request.

3. Design Issues

In this section, we explain the feature extraction of hand geometry, our proposed scheme for design issues, our proposed scheme, and security analysis of our proposed scheme.

3.1. Feature Extraction of Hand Geometry Images

The geometry image is required to be arranged in a preferred way in order to obtain the same features for identical images. The image thresholding operation has been applied to get a binary hand-shape image. The value of the threshold is automatically calculated based on Otsu’s scheme [23]. Furthermore, the geometry’s background is stable (black) and the threshold value can be computed at once and then used consequently for remaining images. In fact, the binarized shape of hand geometry can be approximated to an ellipse. The factors of the most-appropriate ellipse for an obtained binary hand shape is computed depending on some objects such as hand-printed characters [24]. Additionally, the orientation of the binarized hand image is approached by the main axis of the ellipse, and the vital angle of rotation is the variance between regular and the orientation regions of image. As revealed in Figure 2, the binarized image is rotated and applied for gaining the hand geometry features. The appreciated orientation of the binarized image is also applied in order to rotate the gray-level hand geometry image. Consequently, the features are classified as follows:

(1) 

Lengths connection the base of the hand and tips of finger;

(2) 

Points viewing the base point of each finger;

(3) 

Area surrounded by the registered points.

3.2. Our Proposed Scheme for Design Issues

The traditional authentication scheme based on smart cards consists of four phases: registration, login, authentication, and changing the password. In the registration phase, the user registers his username and password with the server. Then, the server prepares the important information that will be saved in the user’s smart card. After that, the server provides the user with his smart card used in the login and authentication phases. There are many schemes [25,26,27] based on this traditional model that have faced several issues such as failing to preserve user’s anonymity, not being able to resist well-known attacks, and not having the ability to use revocation features when the legitimate user loses or has his smart card stolen.

Our proposed scheme overcomes the above-mentioned issues by depending on the feature extraction of a user’s hand geometry as an additional factor. In the registration phase, the valid user submits the hash of his username, password, and his hand geometry to the server in a secure channel. The server provides the credentials (smart card and features of hand geometry) to the user. This credential has an essential factor that will be applied by the valid user in the subsequent phases. Therefore, the user saves his features of hand geometry in his USB. In the login phase, the genuine user sends his hashed username and password to the server. Then, the server sends the challenge to the user requiring him to send his smart card and features of hand geometry. Then, the user will test the validity of the server by checking his challenge in the first step and submitting his information to the authenticated server in the second step. Finally, the user can access the server’s resources when the server verifies the user’s smart card and features of his hand geometry. Figure 3 shows the essential differences between our proposed scheme and the traditional authentication scheme based on smart cards.

3.3. Comparison

We compare our proposal with Xu–Zhu–Feng’s scheme and another generic design of multi-factor authentication in [28,29]. All protocols employ smart-card-based password authentication and fuzzy extractors as the building blocks to realize multi-factor authentication, but our design has made significant improvements in computation and communication. As shown in Figure 4, the authors in [28] have used three factors in the login and authentication phases. Their scheme was to run one factor in login and other factors executed in the authentication phase that may need multi-round message exchanges for Message Authentication Code (MAC) generation/verification. The proposed scheme from the authors in [29] requires three factors for authentication. The first two factors consist of login and authentication phases, and the third one is related to MAC generation/verification (only one message exchange). In terms of cost, the third factor requires extra hardware and software for extracting MAC keys from biometrics. Our proposed scheme is made up of four factors: the first two for login and the authentication phase and the other factors for MAC authentication. Our proposed scheme focuses on mutual authentication between servers and users based on feature extraction of the user’s hand geometry and smart cards. Additionally, our work does not need extra devices or software for hand geometry in the login phase because the features save the user’s USB in the registration phase. In terms of security and communication, our proposed scheme needs only one round to obtain MAC, which generates one time in the mutual authentication phase between users and servers. Additionally, the proposed scheme only needs lightweight symmetric-key operations compared with the Xu–Zhu–Feng scheme.

On the other hand, there are several schemes [30,31,32,33,34,35,36] that use synchronization mechanism(s) to preserve the tenacity of the one-time identity between legal users and authenticated servers. We notice that all of these schemes using similar steps to obtain user anonymity fail to resist de-synchronization attacks, which means that the synchronization of one-time identities between two entities is broken when an attacker prevents single message flow. Recently, this risk has also been revealed in [30,31], who refer to the de-synchronization weakness of the schemes in [37,38], yet no practical solution to manage this type of problem has been discovered. Lastly, the authors in [39] proposed a good scheme that can process this threat while staying efficient and accomplishing provable security. On an ongoing basis, our proposed scheme can support user anonymity based on generating one time keys for each user’s login. This key is used to encrypt a user’s message in the login phase, and the server also applies it in the mutual authentication phase. In addition, identification messages for each user and server are generated one time based on a random number that has worked as a salt key (see Theorem 3). Our proposed scheme does not rely directly on the principle of synchronization to obtain user anonymity compared with the other related schemes [14,15,25,26]. We proposed a new scheme that prevents an adversary from applying a de-synchronization attack or revealing the user’s identity.

4. Our Proposed Scheme

There are four phases in our scheme: the registration phase, the login phase, the mutual authentication with key agreement phase, and changing the password phase. The symbols used in our proposed scheme are discussed in

Table 2. Meaning of symbols used throughout our proposed scheme.

Symbol	Description
$U_i$	A legitimate user $U_i$.
S	A trustworthy server.
$I{D}_i$	Identity of user $U_i$.
$P{W}_i$	Password of user $U_i$.
$h\left(P{W}_i\right)$	Hashed password of user $U_i$.
$h\left(I{D}_i\right)$	Hashed identity of user $U_i$.
$H{g}_i$	Hand geometry of user $U_i$.
$P_i$	Features of $U_i^{\prime }s$ hand geometry.
$X_s$	A secret key kept by S in private.
h(.)	A cryptography one-way hash function.
$r_i$	The one-time random number generated by the user $U_i$.
$K_i$	The one-time key generated for each user’s login request.
$T,T^{\prime }$	The time-stamp of the user $U_i$.
$T^{\prime \prime }$	The time-stamp of server S.
$▵T$	Threshold’s time defined in advance by the system.
$E_{K_i}$	Symmetric encryption function based on key $K_i$.
M	Login request message from the user $U_i$ to the remote server S.
$f_i,Z^{\prime },Z^{″},a,a^{\prime }$	Other miscellaneous values that are applied in the verification.
⊕	The bitwise XOR operation.
$\left|\right|$	The concatenation operation.

. Figure 5 shows our proposed scheme.

• Registration Phase
  In this phase, everyone that will be registered on the remote server is provided with a smart card and features of hand geometry. To initialize, the user $U_i$ submits his biometric hand geometry $H{g}_i$, and his hashed password $h\left(P{W}_i\right)$ and identity $h\left(I{D}_i\right)$ to the remote server over a secure channel. Upon receiving the user’s registration request, the server performs the following operations:

  (1) 

  S extracts the features of the user’s hand geometry $H{g}_i$ and computes $P_i=h\left(H{g}_i\right),N_i=h(h\left(P{W}_i\right)\left|\right|P_i)\oplus h{\left(I{D}_i\right)}^{X_s},M_i=P_i\oplus h\left(X_s\right)$, where $X_s$ is a secret key kept by S in private;

  (2) 

  S saves the data $\{h(.),N_i,M_i\}$ on a new smart card. S sends each of the user’s smart cards and hashes of his personal biometrics (hand-geometry’s features) $P_i$ to $U_i$ over a secure channel;

  $S\Rightarrow U_i$: smart card, $P_i$;

  (3) 

  $U_i$ saves $P_i$ in his USB.

• Login Phase
  When the user $U_i$ wishes to login to S, then $U_i$ attaches his smart card in the card reader, his USB in the USB device to read $P_i$, and inputs his password $P{W}_i$. The smart card fulfills the following steps:

  (1) 

  Compute $Z^{\prime }=h(h\left(P{W}_i\right)\left|\right|P_i)$ and $h\left(X_s\right)=P_i\oplus M_i$;

  (2) 

  Generate a random number $r_i$ and perform the following steps:

  –

  Compute $K_i=h(r_i\oplus Z^{\prime }),C_i=K_i\oplus {(Z^{\prime }\oplus N_i)}^{r_i}\oplus h\left(X_s\right),f_i=h{\left(I{D}_i\right)}^{r_i}$;

  –

  Calculate $CI{D}_i=Z^{\prime }\oplus h(r_i\oplus T)$, where T is the current time-stamp of the input device;

  –

  Encrypt $E_{K_i}(r_i,T,N_i,CI{D}_i)$ by using $K_i$;

  (3) 

  The user’s smart card sends a login request message M to the remote server;

  Smart card→S: $M=(C_i,f_i,E_{K_i}(r_i,T,N_i,CI{D}_i))$.

• Authentication Phase
  Upon receiving the user’s login request message at time $T^{\prime }$, S performs the following computations:

  (1) 

  S computes $K_i=C_i\oplus f_i^{X_s}\oplus h\left(X_s\right)$, and decrypts $E_{K_i}(r_i,T,N_i,CI{D}_i)$;

  (2) 

  S checks the legitimacy of the time-stamp T. If $T^{\prime }-T\le \Delta T$, then the authenticated server S accepts user’s login request and then executes the next step. Otherwise, S terminates this phase;

  (3) 

  S computes $Z^{″}=CI{D}_i\oplus h(T\oplus r_i)=h(h\left(P{W}_i\right)\left|\right|P_i)$, and checks whether ${(N_i\oplus Z^{″})}^{r_i}$ is equal to $f_i^{X_s}$. If so, S accepts the user’s login request;

  (4) 

  S computes $a^{\prime }=h(Z^{″}\left|\right|r_i\left|\right|T^{\prime })$ and sends message $M^{\prime }=E_{K_i}(a^{\prime },T^{\prime })$ to $U_i$.

  $S\to U_i:M^{\prime }$;

  (5) 

  When $U_i$ receives the message $M^{\prime }=E_{K_i}(a^{\prime },T^{\prime })$ at time $T^{″},U_i$ executes the following steps:

  –

  Check whether $T^{″}-T^{\prime }\le \Delta T$. If this does not hold, then $U_i$ overthrows the message $M^{\prime }$ and terminates this phase. Otherwise, $U_i$ continues the next step;

  –

  $U_i$ decrypts message $M^{\prime }$ by using $K_i$, computes $a=h\left(Z^{\prime }\right|\left|r_i\right|\left|T^{\prime }\right)$, and compares a with $a^{\prime }$. If so, $U_i$ decides that the remote server S is authenticated.

• Password Change Phase
  When $U_i$ wants to change his password from $P{W}_i$ to $P{W}_i^n$, $U_i$ runs this phase. The password change phase needs to go through the following steps:

  (1) 

  $U_i$ needs to be executed in the above phases login and mutual authentication. The server S authenticates his old password $P{W}_i$;

  (2) 

  After the successful mutual authentication, $U_i$ enters a new password $P{W}_i^n$. Then, the smart card computes $N_i^n=N_i\oplus h(h\left(P{W}_i\right)\left|\right|P_i)\oplus h(h\left(P{W}_i^n\right)\left|\right|P_i)$ and replaces the old $N_i$ with a new $N_i^n$.

5. Security Analysis of Our Proposed Scheme

In this section, we analyze our proposed scheme and display that our work can withstand several famous attacks and enjoy several security properties. Moreover, we supply a comparative analysis with other authentication schemes.

Theorem 1. 

Our proposed scheme can support mutual authentication.

Proof. 

A mutual authentication feature requires both the server and the user to authenticate each other. In our work, authentication of $U_i$ to S is represented by $M=(C_i,f_i,E_{K_i}(r_i,T,N_i,CI{D}_i))$. In addition, the authentication of $U_i$ to S depends on generating a new key $K_i$ . After that, the user computes $E_{K_i}(a^{\prime },T^{\prime })$. An adversary is not able to generate $(K_i,h\left(X_s\right),h\left(P{W}_i\right),P_i,r_i)$. In addition, $U_i$ and S securely exchange $C_i=K_i\oplus {(Z^{\prime }\oplus N_i)}^{r_i}\oplus h\left(X_s\right)$ and $K_i=C_i\oplus f_i^{X_s}$ in the login and authentication phases, respectively. The authenticated session key is demonstrated as follows:

$C_i=K_i\oplus {(Z^{\prime }\oplus N_i)}^{r_i}=K_i\oplus {\left(h{\left(I{D}_i\right)}^{X_s}\right)}^{r_i},K_i=C_i\oplus f_i^{X_i}\oplus h\left(X_s\right)=C_i\oplus h{\left(I{D}_i\right)}^{r_i}{)}^{X_s}\oplus h\left(X_s\right)$. Thus, our proposed scheme provides mutual authentication (see Figure 5).

☐

Theorem 2. 

Our proposed scheme can support known-key security.

Proof. 

The definition of known-key security is that the jeopardy of a session key will not lead to further endangerment of other session keys. However, if a session key $f_i=h{\left(I{D}_i\right)}^{r_i}$ is exposed to an attacker, he incapacitates inferring other session keys that are produced from the random numbers ${(Z^{″}\oplus N_i)}^{r_i}$ and the $f_i^{X_s}$ dependent Diffie–Hellman key exchange scheme. In addition, it is impossible for an attacker to get a server’s secret key $X_s$. Furthermore, if we assume that an adversary can eavesdrop on $K_i$, he cannot gain any advantages from eavesdropping on $K_i$. Thus, it generates one time for each user login request. ☐

Theorem 3. 

Our proposed scheme can support user anonymity.

Proof. 

If an attacker eavesdrops on the user’s login request message, he fails to infer the user’s identity from encrypting message $E_{K_i}(r_i,T,N_i,CI{D}_i)$, since it is encrypted with $K_i$, which is anonymous to the attacker. In addition, the ciphertext does not possess the real user’s identity $I{D}_i$ where the server verifies the user’s identity in an anonymous manner between ${(Z^{″}\oplus N_i)}^{r_i}$ and $f_i^{X_s}$. Additionally, we used the time-stamp in the login phase; the user’s login request message is changed each login time when its parameters $\{T,r_i,K_i,f_i,T,CI{D}_i\}$ change in each login session. Therefore, it is impossible for the attacker to reveal the user’s identity. Obviously, our proposed scheme can support user anonymity. ☐

Theorem 4. 

Our proposed scheme can support revocation of smart cards and also does not require extra hardware and software, as it resists side-channel attacks.

Proof. 

If a user’s smart card is lost or stolen, an adversary cannot derive or change the password because he fails to pass the biometric verification. In addition, the secret information saved on the user’s smart card is as robust as the password. In the login phase, the user inputs his biometric key which is saved in his USB. Compared with Chuang et al.’s scheme in [9], their scheme needs extra hardware and software to complete the verification of a user’s biometric. Our scheme requires a USB device that is available in most of the terminate machines and focuses on features of hand geometry for increasing performance and decreasing costs.

Side-channel attacks commonly exploit the presence of data-dependent and physically noticeable phenomenons caused by the implementation of computing functions in microelectronics [40,41]. The main examples of such information outflows are comprised of power consumption and the electromagnetic radioactivity of integrated circuits. We focus on side-channel analysis against subscriber identity module (SIM) cards in smart cards that our proposed scheme does not cause overloading on smart cards because the important information of users was saved on USBs. Our proposed scheme retrieves $\{h(.),N_i,M_i\}$ from a smart card that connects with a USB’s information to complete the login and authentication phase. Therefore, an adversary cannot complete the login phase even if he already has the smart card because the rest of the information has been previously saved in the USB. Eventually, the performance of the smart card is very high since the power consumption of the device is very low. ☐

Theorem 5. 

Our proposed scheme can support security of the stored data and resist a password guessing attack.

Proof. 

In our proposed scheme, the remote server S stores only secret information $\{h(.),N_i,M_i\}$ in the smart card. The secret information $\{h(.),N_i,M_i\}$ derived from the user’s smart card does not assist an attacker without the user’s password $h\left(P{W}_i\right)$, the user’s personal biometric (hand geometry $\left(P_i\right)$) and server’s secret key $h\left(X_s\right)$ to retrieve the user’s secret key $K_i$, since $h\left(X_s\right)=P_i\oplus M_i,Z^{\prime }=h(h\left(P{W}_i\right)\left|\right|P_i),K_i=h(r_i\oplus Z^{\prime })$ and $C_i=K_i\oplus {(Z^{\prime }\oplus N_i)}^{r_i}\oplus h\left(X_s\right)$. If an attacker is attempting to retrieve $K_i$ by combining dictionary attacks with the recover secret information $\{h(.),N_i,M_i\}$, he requires locating both $h\left(X_s\right)$ and $h\left(h\left(P{W}_i\right)\right|\left|P_i\right)$ to compute $K_i=h(r_i\oplus Z^{\prime })$. On the other hand, the attacker can gain $(C_i,f_i)$ by eavesdropping on the insecure channel between $U_i$ and S. The attacker cannot get useful information about the user’s password/hand geometry from these values because other information is encrypted by the user’s secret key $K_i$ and only the user can access his biometric key. Thus, our proposed scheme provides security of the stored data and resists a password guessing attack. ☐

Theorem 6. 

Our proposed scheme can resist the server impersonation attack.

Proof. 

A user’s smart card contains two values: $N_i=h(h\left(P{W}_i\right)\left|\right|P_i)\oplus h{\left(I{D}_i\right)}^{X_s}$ and $M_i=P_i\oplus h\left(X_s\right)$. Since the user knows his password $P{W}_i$ and his biometric key $P_i$, he can obtain the value of $h{\left(I{D}_i\right)}^{X_s}$. However, this value is based on the user’s identity, and it is not the same for all users. The attacker cannot play the role of the server with this value and fails to get the values $\{X_s,K_i,P_i\}$. They are used to decrypt the ciphertext $E_{K_i}(r_i,T,N_i,CI{D}_i)$ sent by $U_i$, where $K_i$ is computed by $K_i=C_i\oplus f_i^{X_s}\oplus h\left(X_s\right)$. Therefore, the proposed scheme can resist the server impersonation attack. ☐

Theorem 7. 

Our proposed scheme can withstand insider attacks and user impersonation attacks.

Proof. 

In our proposed scheme, when $U_i$ wishes to register with a remote server, he sends $(I{D}_i,h\left(P{W}_i\right),P_i)$ instead of $I{D}_i,P{W}_i$. Due to the utilization of the one-way hash function h(.), it is difficult for the server to extract the password of the user from the hashed value. In addition, when the attacker wants to impersonate the valid user, he requires the forging of a legal login request message $(C_i,f_i,E_{K_i}(r_i,T,N_i,CI{D}_i))$, in which $K_i=h(r_i\oplus Z^{\prime }),C_i=K_i\oplus {(Z^{\prime }\oplus N_i)}^{r_i},f_i=h{\left(I{D}_i\right)}^{r_i},and$ $CI{D}_i=Z^{\prime }\oplus h(r_i\oplus T)$. However, the attacker cannot obtain the server’s secret key $h\left(X_s\right)$ and fails to forge such a message or obtain a user’s biometric key. Clearly, our proposed scheme resists insider attacks and user impersonation attacks. ☐

Theorem 8. 

Our proposed scheme can resist DOS attack.

Proof. 

This attack means that an attacker changes the password verification information of a user’s smart card to other information. As a result, an illegal user cannot complete his login to the server request successfully. In our proposed scheme, a user’s smart card checks the legitimacy of a user’s biometric key based on hand geometry $P_i$, user identity $I{D}_i$ and password $P{W}_i$ before the password change phase. If we assume that the attacker inserts the user’s smart card into the terminated machine, he must guess the values of the user identity and password. These values are not stored directly in the smart card, but they are combined with other values, e.g., $h{\left(I{D}_i\right)}^{X_s},h(P{W}_i\left|\right|P_i)$, where $X_s,P_i$ are not stored in the smart card. Additionally, an attacker cannot access the features of a user’s hand geometry saved on his preferred USB. Therefore, the attacker cannot obtain $X_s,P_i,P{W}_i,I{D}_i$ to apply a DOS attack. ☐

Theorem 9. 

Our proposed scheme can resist a replay attack.

Proof. 

In our proposed scheme, the user’s login request message combines a random number $r_i$ with the time-stamp T to protect a login message from replay attack. However, if an attacker eavesdrops on a user’s previous login message, he still cannot apply a replay attack to the next login request since $CI{D}_i=Z^{\prime }\oplus h(r_i\oplus T)$ combines several values with the time-stamp T. The attacker cannot get these values, and $r_i$ generates one time for each user’s login request. ☐

Theorem 10. 

Our proposed scheme can withstand a parallel-session attack.

Proof. 

In our work, an attacker cannot impersonate a valid user by constructing a legal login message in another continuous execution from the authentic execution since the server’s submitted message $M_i=E_{K_i}(a^{\prime },T^{\prime })$ is encrypted by $K_i$, which is anonymous to the attacker and $a^{\prime }$ generates one time for each mutual authentication phase. Hence, our proposed scheme can withstand the parallel-session attack. ☐

Theorem 11. 

Our proposed scheme can resist the common attacks when a USB device is lost or stolen.

Proof. 

If a user’s USB is lost or stolen, an adversary cannot complete the login or authentication phase because he fails to get the smart card, $K_i$, $P{W}_i$, and $X_s$. In addition, the secret information saved on the user’s smart card is as robust as the password. Our scheme requires a USB, and a user’s password and smart card to apply to the login phase. First, a user submits his message $M=(C_i,f_i,E_{K_i}(r_i,T,N_i,CI{D}_i))$ to the server. Continuously, the server checks the validity of users and he will send a challenge ($M^{\prime }=E_{K_i}(a^{\prime },T^{\prime })$) to the user. After that, the authenticated user should retrieve $Z^{\prime },r_i$ to decrypt M based on $K_i$. Additionally, he computes $a=h\left(Z^{\prime }\right|\left|r_i\right|\left|T^{\prime }\right)$ for comparison with $a^{\prime }$ to ensure authority of the server. Therefore, the adversary cannot apply malicious attacks when the USB is lost or stolen. ☐

As a result, we notice that the proposed scheme is more robust and flexible for practical applications such as online payment environments and e-business in protecting user privacy compared with other related schemes. Additionally, we propose a good authentication scheme based on a smart card and feature extraction of a user’s hand geometry. The proposed scheme aims to support more functionality to resist well-known attacks and provides several security features such as revocation, user anonymity, known-key security, and mutual authentication. The mechanism of the proposed scheme can be compatible with ubiquitous computing models such as cloud computing. Additionally, a USB provides a biometric factor for multi-factor authentication.

6. Discussion and Comparison with the State-of-the-Art Methods

We compare security properties and computational costs of our proposed scheme with one of six authentication schemes including Xu–Zhu–Feng [3], Das et al. [14], Liao et al. [15], Wang et al. [25], Khan et al. [26], and Yoon and Yoo [27].

Table 3. Comparison of authentication schemes.

Scheme	C1	C2	C3	C4	C5	C6	C7
Our Scheme	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Das et al. [14]	Yes	Yes	No	No	No	No	No
Liao et al. [15]	Yes	Yes	Yes	No	Yes	Yes	No
Wang et al. [25]	No	No	No	No	Yes	No	No
Yoon and Yoo [27]	Yes	Yes	Yes	No	Yes	Yes	No
Khan et al. [26]	Yes	No	Yes	No	Yes	Yes	No
Xu–Zhu–Feng [3]	Yes	No	Yes	Yes	Yes	No	No

describes comparison of security properties based on the main security features as follows:

C1 :

Freely chosen password;

C2 :

User anonymity;

C3 :

Secure password change;

C4 :

Session key agreement;

C5 :

Mutual authentication;

C6 :

No password revealed;

C7 :

Revocation by using personal biometrics.

The time requirement of our scheme is briefly listed in

Table 4. Comparison of computational cost.

Scheme	Registration Phase	Login & Authentication Phase	Total Cost
Our Scheme	$5T_h+T_{\left|\right|}+2T_{\oplus }$	$10T_h+5T_{\left|\right|}+8T_{\oplus }+4T_{Exp}+2T_{Enc}+2T_{Dec}$	$15T_h+6T_{\left|\right|}+10T_{\oplus }+4T_{Exp}+2T_{Enc}+2T_{Dec}$
Das et al. [14]	$2T_h+T_{\oplus }$	$7T_h+14T_{\oplus }$	$9T_h+15T_{\oplus }$
Liao et al. [15]	$2T_h+T_{\oplus }+T_{\left|\right|}$	$9T_h+20T_{\oplus }$	$11T_h+21T_{\oplus }+T_{\left|\right|}$
Wang et al. [25]	$2T_h+2T_{\oplus }$	$8T_h+14T_{\oplus }$	$10T_h+16T_{\oplus }$
Yoon and Yoo [27]	$3T_h+2T_{\oplus }+3T_{\left|\right|}$	$10T_h+3T_{\oplus }+21T_{\left|\right|}$	$13T_h+5T_{\oplus }+24T_{\left|\right|}$
Khan et al. [26]	$2T_h+T_{\oplus }+3T_{\left|\right|}$	$10T_h+9T_{\oplus }+8T_{\left|\right|}$	$12T_h+10T_{\oplus }+13T_{\left|\right|}$
Xu–Zhu–Feng [3]	$2T_h+T_{Exp}+2T_{Enc}$	$9T_h+6T_{Exp}+4T_{Enc}+18T_{\left|\right|}$	$11T_h+7T_{Exp}+6T_{Enc}+18T_{\left|\right|}$

. The details of communication costs are viewed in

Table 5. Comparison of communication costs.

Scheme	From User to Server		From Server to User		Total Communication Cost (Numbers of Bits)
	Login Message	Cost (Bits)	Mutual Message	Cost (Bits)
Our Scheme	$C_i,f_i,E_{K_i}$	384	$M^{\prime }$	192	576
Das et al. [14]	$CI{D}_i,N_i,C_i,T$	448	-	-	448
Liao et al. [15]	$CI{D}_i,N_i,C_i,T$	448	$D,$$T^{″}$	192	640
Wang et al. [25]	$CI{D}_i,N_i,N_i,T$	448	$a^{\prime },T^{″}$	192	640
Khan et al. [26]	$CI{D}_i,C_i,d,T$	384	$C_2,T_s$	192	576
Yoon and Yoo [27]	$I{D}_i,C_i,N_i,T$	448	$D,$$T^{″}$	192	640

. We depend on the measurements for computing communication cost in [27]. They supposed that the output size of a crypto one-way hash function equals 128 bits. For comparison, they also supposed that, without wasting generality, the lengths of a user’s identity $I{D}_i$ and password $P{W}_i$ are 128 bits. Finally, the sizes of the both random numbers and time-stamps equal 64 bits.

In Table 4, a comparison of computational cost is shown, where the following notations are used.

(1) 

$T_h$: Time for performing a one-way hash function.

(2) 

$T_{\oplus }$: Time for performing the XOR operation.

(3) 

$T_{\left|\right|}$: Time for performing a concatenation function.

(4) 

$T_{Exp}$: Time performing for exponentiation function.

(5) 

$T_{Enc}$:Time performing for a symmetric encryption function.

(6) 

$T_{Dec}$:Time performing for a symmetric decryption function.

In Table 5, we notice that our proposed scheme has a good performance compared with related works. Although our proposed scheme is based on biometric factors (features of user’s hand geometry), the efficiency and flexility remain at a good level.

7. Conclusions

In this paper, we review a cryptanalysis of the Xu–Zhu–Feng scheme and present the weaknesses of their scheme. Our proposed scheme has good properties such as freely chosen passwords, user anonymity, mutual authentication, session key agreement, no password revealed, and the features of user’s hand geometry provide our work with the ability to prevent an adversary from applying eavesdropping attacks. Furthermore, we have also demonstrated that our proposed scheme is immune against attacks such as password guessing, server impersonation, DOS attacks, replay attacks, and parallel-session attacks. Moreover, compared with related works, our scheme is more secure and practical.