An efficient biometrics-based remote user authentication scheme using smart cards

Abstract

In this paper, we propose an efficient biometric-based remote user authentication scheme using smart cards, in which the computation cost is relatively low compared with other related schemes. The security of the proposed scheme is based on the one-way hash function, biometrics verification and smart card. Moreover, the proposed scheme enables the user to change their passwords freely and provides mutual authentication between the users and the remote server. In addition, many remote authentication schemes use timestamps to resist replay attacks. Therefore, synchronized clock is required between the user and the remote server. In our scheme, it does not require synchronized clocks between two entities because we use random numbers in place of timestamps.

Introduction

Lamport (1981) first proposed a remote authentication scheme in which the remote server could authenticate the remote user based on identity and password over an insecure network. However, Lamport's scheme has to store verification tables. Jan and Chen (1998) proposed a password authentication scheme without storing verification tables in the system. It is ineffective for the server to maintain the verification tables due to the size of the verification tables are proportional to the number of users. Later, Hwang and Li (2000) proposed a new remote user authentication scheme using smart cards based on ElGamal's (1985) public-key cryptosystem in 2000. The Hwang–Li scheme has to maintain only one secret key and no password table is required to keep in the system. Note that the smart card is a temper-resistant device and the primary properties are: (1) it is unable to get the information in it unless the user passes the verification; (2) it will have great trouble in performing complex computations for the smart card in each ongoing session due to its constrained computational capability.

In traditional remote identity-based remote authentication schemes (Li and Chu, 2009; Hwang and Liu, 2005; Kim and Koç, 2005; Lee and Chiu, 2005; Shen et al., 2005), the security of the remote user authentication is based on the passwords, but simple passwords are easy to break by simple dictionary attacks. So, the cryptographic secret keys are used as they are long and random (e.g. 128 bits for the advanced encryption standard, AES; Daemen and Rijmen, 2001). However, the cryptographic keys are difficult to memorize and they must be stored somewhere. Thus, they are expensive to maintain. Furthermore, both passwords and cryptographic keys are unable to provide non-repudiation because they can be forgotten, lost or when they are shared with other people, there is no way to know who the actual user is. Therefore, biometric keys (Li and Hwang, 2009a; Khan and Zhang, 2007; Khan et al., 2008; Lin and Lai, 2004) are proposed which are based on physiological and behavioral characteristics of persons such as fingerprints, faces, irises, hand geometry, and palmprints, etc. In the following, we shall present some advantages of biometric keys as follows:

• Biometric keys cannot be lost or forgotten.

• Biometric keys are very difficult to copy or share.

• Biometric keys are extremely hard to forge or distribute.

• Biometric keys cannot be guessed easily.

• Someone's biometrics is not easy to break than others.

Accordingly, biometrics-based authentication is inherently more reliable than traditional password-based authentication. Recently, Lee et al. (2002) proposed a fingerprint-based remote user authentication scheme using smart cards, but this scheme could not withstand impersonation attack (Hsieh et al., 2003; Lin and Lai, 2004). Lin and Lai (2004) further proposed a flexible biometrics remote user authentication scheme. However, this scheme is susceptible to the server spoofing attack (Khan and Zhang, 2007). In this article, we shall present a secure and efficient biometric-based remote authentication scheme and compare it with other related schemes in terms of functionality requirements and computation costs. To do so, we shall list some essential requirements and the goal of the proposed scheme must satisfy these requirements of a secure user authentication scheme which will be mentioned in Section 2.

The remainder of this paper is organized as follows: Section 2 shows some related requirements for our scheme. In Section 3, our biometric-based authentication scheme is proposed. The security and the efficiency of our scheme will be analyzed in Section 4. Finally, we conclude this article in Section 5.