Efficiency analysis

Now we first examine the performance of the protocol-I. The evaluation parame-ters are defined in Table 3.6. The time requirement of the protocol-I is summarized

Table 3.7: Performance of the protocol-I

in Table 3.7. We use the computational overhead as the metrics to evaluate the performance of the protocol-I. In the protocol-I, only one hashing operation is re-quired for a user to register and get his smart card. In the login-and-authentication phase, three hashing operations, eleven exclusive-or operations, two exponentia-tion operaexponentia-tion, one symmetric encrypexponentia-tion operaexponentia-tion, and one symmetric decrypexponentia-tion operation are needed for a user.

We can see from Table 3.7 that the exponentiation operations are required by the server and the user due to the requirements of key agreement and perfect forward secrecy. These operations might be expensive for smart cards nowadays.

However, with an increasing demand for information security as today’s security systems still have plenty of room for improvement, it is expected that the compli-cated computations will be widely adopted as a necessary security measure and hardware security enhancement for smart cards will become prevalent in the near future.

Now we examine the performance of the protocol-II. We can see from Ta-ble 3.8 that the computations between Wong et al.’s protocol [63] and our pro-posed protocol-II in the three phases (registration, login-and-authentication, and

Table 3.8: Performance comparison between Wong et al.’s protocol and the protocol-II

Phase Wong et al.’s protocol Protocol-II

Registration 3T_H 1T_H

Login-and-authentication

4T_H + 4T_XOR 4T_H + 4T_XOR

Password-change Not supported 2T_H

Total 7T_H + 4T_XOR 7T_H + 4T_XOR

password-change) are very similar. Clearly, in these phases, our proposed protocol-II does not add additional computational cost. Compared with their protocol, the proposed protocol is also efficient.

Chapter 4

Biometrics-based user authentication protocol

In this chapter, we propose a biometrics-based remote user authentication pro-tocol using smart cards. The propro-tocol fully preserves the privacy of the biometric data of each user while allowing the server to verify the correctness of the users’

biometric characteristics without knowing the exact values. The crucial merits include (1) it allows users to choose and change their passwords freely and hence gives users more convenience and security; (2) it achieves mutual authentication between a server and a user; (3) a server and a user can generate authenticated sessions keys so that later communication between them can proceed efficiently in protected mode to fulfill desired confidentiality.

In addition, the proposed protocol is later extended to a multi-party biometrics-based remote user authentication protocol by incorporating a secret sharing com-ponent [56]. Moreover, security of the proposed protocol is modelled and analyzed with Petri nets. Our analysis shows that the proposed protocol can successfully defend notorious attacks, including replay attacks, forgery attacks, stolen-smart-card attacks, reflection attacks, parallel-session attacks, and insider attacks, and

suitable for smart cards with limited computing capability.

4.1 Proposed protocol

The proposed protocol is divided into three phases: registration, login-and-authentication, and password-change. Firstly, the server randomly chooses a string Ks as its secret key for symmetric encryption. Then, the server keeps the secret key K_s secret.

4.1.1 Registration phase

Suppose a new user U_i (with identity ID_i) wants to register with a server for remote-access services. He/she will take the following steps:

Step R1: User U_i randomly chooses his/her password P W_i, two random strings b_i and r_i, performs an iris scan, and computes S_i with his/her iris template T M_i:

S_i = r_i⊕ T M_i (4.1)

Next, Ui sends the triple (IDi, h(bi ⊕ P Wi), Si) to the server via a secure channel.

Step R2: Upon receiving the registration message, the server computes the triple (yi, zi, wi):

y_i = E_Ks(ID_ikS_i) (4.2)

z_i = h(ID_ikK_s) ⊕ h(b_i⊕ P W_i) (4.3) w_i = h(h(ID_ikK_s)kh(b_i ⊕ P W_i)) (4.4) Then, the server stores the tuple (ID_i, y_i, z_i, w_i, h(·)) in a smart card and issues it to U via a secure channel.

Step R3: Finally, U_i encrypts b_i and r_i with the biometrics template T M_i and stores the sketch E_{T Mi}(b_ikr_i) in the smart card. At this time, the smart contains the following information: IDi, yi, zi, wi, h(·), and ET Mi(bikri).

4.1.2 Login-and-authentication phase

When user U_i wants to login to the system, U_i first inputs his/her password P W_i^∗ and performs an iris scan to obtain T M_i^∗. The details are presented as follows.

Step L1: The smart card retrieves (b_ikr_i) by decryption the sketch E_{T Mi}(b_ikr_i) with T M_i^∗, and then computes C0 and checks whether the equation holds as fol-lows:

C₀ = z_i⊕ h(b_i⊕ P W_i^∗) (4.5) w_i = h(C^? ₀kh(b_i⊕ P W_i^∗)) (4.6) If equation (4.6) holds, Ui is a legitimate user and the smart card proceeds to the next step, otherwise, it rejects the login request. Next, the smart card computes the pair (S_i^∗, C₁):

S_i^∗ = ri⊕ T M_i^∗ (4.7)

C₁ = C₀⊕ u_i (4.8)

where ui is a string randomly chosen by the smart card. Then the smart card sends (y_i, C₁) to the server as a login request.

Step L2: After receiving the login request (y_i, C₁), the server first decrypts y_ito obtain (ID_ikS_i). The server checks the validity of ID_i. If so, the server keeps S_i for

later use and computes C₂ to obtain u⁰_i as follows:

C₂ = h(ID_ikK_s) (4.9)

u⁰_i = C1 ⊕ C2 (4.10)

Next, the server computes the pair (C3, C4):

C₃ = h(C₁ku⁰_i) (4.11)

C₄ = C₂⊕ v_i (4.12)

where v_i is a string randomly chosen by the server. Then the server sends (C3, C4) back to the smart card.

Step L3: The smart card checks whether the equation holds as follows:

C₃ = h(C^? ₁ku_i) (4.13)

If equation (4.13) holds, the smart card can ensure that C3 indeed comes from the original server. Then, the smart card computes the tuple (v⁰_i, SK_i, C₅, C₆):

v_i⁰ = C₄⊕ C₀ (4.14)

SKi = h(uikv⁰_i) (4.15)

C5 = h(C4kv_i⁰) (4.16)

C₆ = v_i⁰⊕ S_i^∗ (4.17)

Finally, the smart card sends (C₅, C₆) to the server.

Step L4: Upon receiving (C5, C6), the server checks whether the equation holds as follows:

C = h(C^? kv ) (4.18)

If so, the server computes S_i^∗:

S_i^∗ = C₆ ⊕ v_i (4.19)

Finally, the server checks whether the matching score ∆(S_i^∗, S_i) is beyond a pre-defined threshold value If so, the server accepts the login request of the smart card and computes SK_i:

SK_i = h(u⁰_ikv_i) (4.20)

A high-level depiction of the login-and-authentication phase in the proposed protocol is illustrated in Figure 4.1.

4.1.3 Password-change phase

When U_i wants to change his password P W_i to P W_i⁰, he/she has to input the old password P W_i^∗ and perform an iris scan to obtain T M_i^∗. The following steps will be performed.

Step P1: The smart card retrieves (bikri) by decryption the sketch ET Mi(bikri) with T M_i^∗, and then computes C₀ and checks whether the equation holds as fol-lows:

C0 = zi⊕ h(bi⊕ P W_i^∗) (4.21) w_i = h(C^? ₀kh(b_i⊕ P W_i^∗)) (4.22) If equation (4.22) holds, U_i is a legitimate user and the smart card proceeds to the next step, otherwise, it rejects the request.

Step P2: U_i inputs the new password P W_i⁰. The smart card computes the pair (z_i⁰, w⁰_i):

z_i⁰ = z_i⊕ h(b_i⊕ P W_i^∗) ⊕ h(b_i⊕ P W_i⁰) (4.23)

User i Server Figure 4.1: The login-and-authentication phase of the proposed protocol.

w_i⁰ = h(C₀kh(b_i⊕ P W_i⁰)) (4.24) Then the smart card replaces the old z_i and w_i with the new z_i⁰ and w⁰_i in the smart card.

4.2 Multi-party biometrics-based authentication