Published in IET Information Security
Received on 11th December 2011
Revised on 5th October 2012
Accepted on 21st November 2012
doi: 10.1049/iet-ifs.2011.0348
ISSN 1751-8709
IET Inf. Secur., 2013, Vol. 7, Iss. 3, pp. 247–252
© The Institution of Engineering and Technology 2013
www.ietdl.org

Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric data

Hsiu-Lien Yeh 1, Tien-Ho Chen 2, Kuei-Jung Hu 2, Wei-Kuan Shih 2
1 Institute of Information System and Applications, National Tsing Hua University, Hsinchu 30013, Taiwan
2 Department of Computer Science, National Tsing Hua University, Hsinchu 30013, Taiwan
E-mail: [email protected]

Abstract: Recently, to achieve privacy protection using biometrics, Fan and Lin proposed a three-factor authentication scheme based on password, smart card and biometrics. However, the authors have found that Fan and Lin's proposed scheme (i) has flaws in the design of biometrics privacy, (ii) fails to maintain a verification table, making it vulnerable to stolen-verifier attack and modification attack, and (iii) is vulnerable to insider attacks. Thus, the authors propose an elliptic curve cryptography-based authentication scheme that is improved with regard to security requirements. The authors' proposed scheme overcomes the flaws of Fan and Lin's scheme and is secured from attacks. Furthermore, the authors have presented a security analysis of their scheme to show that their scheme is suitable for the biometric systems.

1 Introduction

With the current advance of network services, proper user identification for remote user authentication over insecure communication channels is increasingly essential. Contrary to traditional password-based remote user authentication, biometrics-based authentication has greater security and is more reliable for remote user authentication [1]. In addition, some three-factor authentication schemes have been proposed in many publications [2–8]. Biometrics-based authentication systems are increasingly common for remote user identity authentication schemes. Owing to its physiological or behavioural characteristics, remote authentication schemes can provide enhanced security using such techniques as fingerprint verification, iris analysis, facial analysis, handwritten signature verification and keystroke analysis [1, 9].

Recently, Lee et al. [2] proposed a remote user authentication scheme based on smart card and fingerprint without a verification table to maintain records. In [3], the scheme of Lee et al. is vulnerable to the masquerade attacks and replay attacks, and Khan and Zhang [4] and Li and Hwang [5] showed that Lin and Lai's scheme is vulnerable to the server spoofing attack and does not provide proper mutual authentication. In 2008, Rhee et al. [6] pointed out that Khan and Zhang's scheme [4] is vulnerable to impersonation attacks and offline dictionary attacks. Later, Li and Hwang [5] proposed a lower-computation scheme based on smart card, the one-way hash function and biometrics verification. However, Li et al. [7] point out that Li and Hwang's scheme fails to provide proper mutual authentication and is vulnerable to man-in-the-middle attacks. Unfortunately, the scheme of Li et al. fails to securely update the new password and is also insecure.

The above-mentioned schemes consider privacy protection using biometrics on the user's side, without considering biometric characteristics on the server's side. For privacy protection using biometrics, the biometric data and settings have to be considered. Some methods, such as those based on error-correcting codes [10] and fuzzy encryption [11], use biometric data to key encrypt and extract a secret and then match the biometric template. In order to provide mutual authentication, biometric data have to be stored on the user's side and the server's side. Storing biometric data on the server's side leads to increasing concerns with regard to privacy protection. In Fan and Lin's scheme [9], user data is only stored on the user's side while still permitting the server to perform the authentication. Thus, a three-factor (smart card, password, biometric) authentication scheme with privacy protection on biometrics is proposed. The privacy of biometric recognition is protected because the server can perform the authentication procedure without the user's actual biometric data. As the server does not need to maintain a database of users' passwords and biometric data, privacy protection is enhanced. In addition, account setup for users is less complicated.

It is still subject to privacy and security threats despite the benefits of Fan and Lin's scheme. It is obvious that Fan and Lin's scheme needs to maintain a verification table in order to provide protection from inside attacks. In this paper, our authentication scheme employs a different approach. We improve the scheme of Fan and Lin and enhance the security and privacy protection. This leads to a robust three-factor remote authentication protocol based on the
elliptic curve cryptography (ECC). We propose a more secure and practical authentication scheme.

The remainder of this paper is organised as follows. In Section 2, we review the Fan and Lin scheme including cryptanalysis of their scheme. In Section 3, we present the ECC preliminaries for our scheme. In Section 4, we propose a robust three-factor biometric-based authentication scheme with ECC. Then, in Section 5, we provide the security analysis and comparisons. Finally, we present some concluding remarks in Section 6.

2 Review of Fan and Lin's scheme

In this section, we briefly review the scheme of Fan and Lin [9] using a three-factor authentication scheme and state the essential details. First, we summarise the notations used throughout this paper as follows.

Ui: The ith user
IDi: The identity of the user Ui
PWi: The password of Ui
h(): A public one-way hash function
||: String concatenation operation
E(): A symmetric encryption function
K: The function of XOR operation with secret key k
Si: The iris template of the user Ui
Si(): The encryption function with biometric template Si
r: A random string
u: A random string
A: An extracting algorithm
: A string XOR operation
: A common channel
: A secure channel

2.1 Initialisation phase

In order to provide privacy protection, the server sets up security parameters for users that have made a biometric match. That is, the key pair (pk, sk) for public-key cryptosystems and a secret key (x) for secret-key cryptosystems are prepared. The result (x, sk), called secret parameter, is used by the server.

2.2 Registration phase

In this phase, user Ui has an identity IDi to register the license and the detailed steps are stated as follows:

Step 1: Ui server: {IDi, h(PWi), SSi}.
After taking the Ui's iris as the biometric characteristic, it scans to a template Si through a capturer. Next, the Ui computes SSi = r(Si) = r Si, where the user chooses a random string r and encrypts it using a template Si. Then, Ui sends {IDi, h(PWi), SSi} to the remote server via a secure channel.

Step 2: Server Ui's smart card: {IDi, yi, h(.), pk}.
After receiving a message from Ui, the remote server computes yi = Ex(IDi || h(PWi) || SSi) and records IDi in a verification table, in order to check whether the login identity is registered. Finally, the result {IDi, yi, h(), pk} is stored in the smart card and delivered to Ui via a secure channel.

Step 3: The sketch Si(r) is stored in the smart card using his/her biometric template Si as an encryption key.

2.3 Login and authentication phase

During the login phase, Ui inserts a smart card into the card reader, then enters a PWi* and allows his/her iris biometric characteristic to be scanned in order to log in to the remote server. Then, the smart card performs the following operations:

Step 1: Ui inputs the personal biometrics, Si*, and the random string r is decrypted by the sketch Si(r) function using Si* to retrieve r = A(Si(r), Si*). Then, the smart card will compute the value SSi* = r(Si*) = r Si*.

Step 2: Ui Server: {C0 = epk(IDi || yi || u)}
Ui randomly chooses string u to derive the C0 = epk(IDi || yi || u), where epk() denotes the public key encryption function of the server with the pk.

During the authentication phase, the server executes the following operations to verify the legitimacy.

Step 1: The server checks whether the IDi is legitimate.
According to the records of a verification table, the server can verify whether IDi is legitimate. First, the server must decrypt the C0 message to obtain yi with the private key sk and then the (IDi || h(PWi) || SSi) is derived from secret key x.

Step 2: Then, the server checks whether the value IDi of C0 and yi is equal. If the validity of IDi is assured, the server can use the h(PWi || SSi) later and proceed to the remaining step.

Step 3: Server Ui: {C1 = Eu(SID || v)}.
The server randomly chooses the v and derives the u from the above step; it then computes C1 = Eu(SID || v), where SID denotes the server's identity. Then, the server sends the C1 message to Ui.

Step 4: After receiving the C1 message, the Ui can decrypt the C1 to obtain (SID || v). Then, Ui's smart card checks whether the C1 comes from the server or not and obtains the value of v to proceed to the next step.

Step 5: Ui Server: {C2 = Ev(IDi || h(PWi*) || SSi*)}.
Ui sends the {C2 = Ev(IDi || h(PWi*) || SSi*)} to the server.

Step 6: Checks h(PWi) ?= h(PWi*) and verifies if (SSi*, SSi) is within the threshold.
When the server checks that h(PWi) = h(PWi*) and the (SSi*, SSi) is within the defined threshold, it means that the server will accept the login request and the process is authorised. Here, denotes the biometric matching algorithm.

2.4 Cryptanalysis of Fan and Lin's scheme

In this section, we have analysed the security flaws of Fan and Lin's scheme and found the following assumptions to prove the weaknesses of their scheme.

Assumption 1: When the remote user logs in to the system, the server will attempt to validate the user's identity according to the server's verification table. That is, the server verifies that the login identity and the identity stored in the verification table are exactly the same. Otherwise, the user is unable to pass the authentication and the request is terminated.

Fan and Lin's proposed scheme requires storing the IDi in the inside verification tables of the remote server. If the adversary successfully manages the server after owning the right of authentication, the information of a verification table could be stolen. Then, the adversary can read the verification table and utilise a Trojan Horse program to steal the login information of a user. Further, the yi = Ex(IDi || h(PWi) || SSi) will be easily retrieved by the adversary. The encrypted data (yi) is easy to break by simple dictionary attacks. The adversary may try to derive the encrypted data by mapping the identity or biometric data. In addition, a scheme that needs a verification table may not be able to resist the stolen-verifier attack and modification attack [12]. Therefore, a verification table stored inside the computer suffers easily from an adversary's attacks.

Assumption 2: During the authentication phase, the server has its own identity symbol and encrypts a message with a random string. Then, the server's identity can be inspected using the user's smart card. In a word, the user successfully logs in to the server and proceeds with the remaining operation.

Assume that the adversary uses the SID* to impersonate SID and replays messages to the remote server to encrypt C1* with a random string v. Then, the adversary sends the messages to the user until the user's smart card accepts the pretended SID*. Thus, a user will encrypt the function with the adversary's random string v and send the encryption messages to the adversary. Since the adversary owns the password and biometric data, the remote server can accept the adversary's login request.

Assumption 3: In the registration phase, a user Ui has an identity IDi to register the license for the remote server. The privileged server has the ownership of the user Ui's authentication key. Additionally, Fan and Lin's scheme must record IDi in a verification table inside the remote server. Assume the remote server can check whether IDi is legitimate and perform some steps of Fan and Lin's scheme in the authentication phase.

When Ui wants to register to more than one server with the same identity IDi and authentication key h(PWi), any server can impersonate the eligible user and access other servers to obtain a login request. In the registration of Fan and Lin's scheme, a user Ui has the same authentication key for each system or server with the same password. When an adversary obtains Ui's identity IDi and authentication key, he/she can impersonate Ui to access the authentication server. Once a user's login information is stolen, the server will accept the adversary's login request. Furthermore, the adversary can request to log in and possibly pass the authentication. Obviously, the insider attack is possible in the assumption.

3 ECC preliminaries

In the section, we introduce some preliminary information about the fundamentals of ECC. In 1985, Victor Miller and Neil Koblitz proposed a secure and efficient ECC [13, 14]. An elliptic curve is a cubic equation of the form:

E: y² + axy + by = x³ + cx² + dx + e, where a, b, c, d, e are real numbers.

With regard to cryptography, we focus on the finite field of ECC and aim mainly at the prime p of elliptic curve group. The mathematical equation of ECC satisfies the form

E: y² = (x³ + ax + b) mod p

with a, b Fp satisfying (4a³ + 27b²) mod p 0.

Let Fp denote the finite field of points, where p is a large prime number and containing x, y, a, b elements. The equation points and the point at infinity O compose the elliptic curve group over real numbers. We find a large prime number n such that n P = O using the elliptic curve addition algorithm. Here, denotes an elliptic curve multiplication. The arithmetic of elliptic curve discrete logarithm problem (ECDLP) is given points Q and P, where Q, P Fp and are both publicly known, determine the random number , 0 < < n 1, and compute Q as: Q = P satisfies. It is hard to determine given Q and P, namely, ECDLP is a difficult mathematical problem such that the security is achieved. The analogue of Diffie–Hellman key exchange uses elliptic curve characteristic to complete key exchange. The key exchange between UA and UB can be done as follows (here denotes an elliptic curve multiplication):

1. The user UA chooses a random integer rA as a private key, where rA < n and computes the public key QA as: QA = rA P. Then, UA sends QA to the user UB.
2. The user UB selects a random integer rB as a private key, where rB < n and computes the public key QB as: QB = rB P. UB sends QB to UA.
3. UA can compute shared key KA = rA QB = rA rB P and UB can compute shared key KB = rB QA = rB rA P. In this manner, we find KA = KB.

4 Robust biometrics-based authentication scheme using ECC

We propose a robust three-factor authentication scheme with the ECC for the network communication. Our enhanced scheme involves the use of the ECC, a smart card and a biometric characteristic. A three-factor authentication scheme involves a user and a server, and consists of four phases: initiation phase, registration phase, login phase and authentication phase. Our scheme is described in Fig. 1 and detailed steps of phases are as follows:

4.1 Initiation phase

In the system initiation phase, the server sets up the following system parameters for session key generation:

1. The user and server choose an elliptic curve of order n over Ep(a, b) generated by P, where n is a large prime number because of security considerations.
2. The eligible server randomly selects qs Z*P as its own private key, and then computes the point multiplication as user's authentication key. That is, the server computes the corresponding public key Qs = qs P.
3. The server employs the one-way hash function h(.).
4. The server stores the private key qs and generates the message {Ep(a, b), P, Qs}.

4.2 Registration phase

In this phase, the Ui wants to register to the remote server and set up the secret codes in the smart card for the Ui.

Step 1: Ui server: {IDi, h(PWi r), r(Si)}
The Ui enters his/her username IDi and password PWi for computing h(PWi r). Here, Ui scans the biometric characteristic as a template Si and chooses a random string r to encrypt as r(Si) = r Si using an encryption key Si. That is, the user submits his/her IDi, h(PWi r), and r(Si) to the remote server if the user wants to become a new eligible user.

Step 2: Server Ui's smart card: {W, h(.), P, Qs}.
After receiving the message from Ui, the server computes QS = qs P and W = h(P h(PWi r)). Finally, the server stores the secret parameters {W, h(.), P, Qs} in a smart card and issues the smart card to the user over a secure channel.

Step 3: The Ui checks the W in the smart card.
Ui's smart card checks whether W = h(P h(PWi r)) is correct. If the condition is true, the user will accept the smart card from the server via a secure channel. Otherwise, the user will reject the smart card. That is, the smart card does not come from the server.

Step 4: The sketch Si(r) is stored in the smart card using his/her biometric template Si as an encryption key.

4.3 Login phase

Step 1: Ui submits a PWi* and his/her own biometrics, Si*, and the random string ri = A(Si(r)) is decrypted by the sketch Si(r) function, which uses Si* to retrieve it. Then, the smart card will compute the value SSi* = r(Si*) = ri Si*.

Step 2: The server validates W.
The server computes W and validates whether W = h(P h(PWi* ri)) is correct. If it holds true, the system accepts the login and proceeds to the authentication phase. Otherwise, the server rejects the login request and authentication is terminated.

Fig. 1 Proposed scheme

4.4 Authentication phase

After receiving the login request from the user, the authentication phase proceeds through the following operations.

Step 1: Ui Server: m1 = {Q1, Qu, Mu}
The Ui randomly chooses a private key qu = ri* and computes Qu = qu P, where Qu is Ui's public key (here, let the random string ri convert to ri* Zp*, ri* < n). Then Ui computes the following formulas for the authentication procedure. Recall that QS is the server's public key in the system initiation phase.

Q1 = qu QS
Mu = Nu + Qu + Q1, where Nu is chosen by SSi* which is provided by Ui.

Then, Ui sends the m1 = {Q1, Qu, Mu} to the server.

Step 2: Server verifies whether the m1 message comes from Ui.
After receiving the m1 message, the server computes QS = qS P and Q1 = qS Qu and then checks whether the Nu* = Mu Qu Q1 = Nu is correct. If it holds true, the m1 message definitely comes from the Ui; otherwise, the verification fails.

Step 3: Server Ui: m2 = {TS, MS, QS*}
The server computes QS* = qS* P and TS = Nu* + QS + Q1 and MS = NS + QS + Q1 + Nu*, where the NS is chosen by SID which is provided by the server. Then, the server sends the m2 message {TS, MS, QS*} to Ui.

Step 4: Ui Server: m3 {L = NS + Qu + Q1}
After receiving the m2 message, Ui computes Nu** and checks whether Nu** = TS QS* Q1 = Nu is correct. If it holds true, the m2 message surely comes from the server; otherwise, the verification fails. Ui computes NS* = MS QS Q1 Nu* and L = NS* + Qu + Q1, and then sends the m3 message {L = NS + Qu + Q1} to the server.

Step 5: Server checks NS.
The remote server compares NS with the computed NS** = L Qu Q1 to check whether the two are the same. If it holds true, the server accepts the Ui's login request. Otherwise, the server rejects the login request.

5 Security analysis and comparisons

5.1 Security requirements in remote user authentication scheme

Owing to resistance to various attacks, some security requirements are essential and need to be considered for evaluating identity authentication. Liao et al. [12] proposed ten independent requirements and previous research [3, 7] indicates that a secure remote user authentication scheme should fit in with the several conditions. For instance, provided with mutual authentication, there is no need of a verification table to store in the remote server, which allows the user to choose his/her identity, updates a password freely etc. Furthermore, Fan–Lin's scheme fails to provide security requirements.

5.2 Security against the diverse attacks

5.2.1 Proper mutual authentication: Our authentication scheme is based on ECC and provides the proper mutual authentication between the user and the server. In the login phase, the user's password can be verified by the server computing W = h(P h(PWi* ri)). During the authentication phase, the user Ui sends the m1 message to the remote server. The server first validates whether the Nu* = Nu is equal, then sends the m2 message {TS, MS, QS*} to user Ui. That is, the user Ui is a legal user. Then the user Ui checks the condition whether Nu** = Nu. Finally, the server validates whether NS** is equal to NS. This enables both communicating parties to be assured of the eligible identity.

5.2.2 Resist insider attacks: As for convenience, some users are registered to different systems or servers with the same password. If an adversary owns authority and steals another user's password, then the adversary masquerades as the eligible user to log in to the system. Note that in our registration phase, a user Ui has a different authentication key for each system or server with the same password PWi. The user Ui computes the authentication key h(PWi r) and accesses the remote server, where PWi is chosen by the user Ui. Therefore our scheme can resist insider attacks.

5.2.3 No need of a verification table: Our scheme is based on the ECC mechanism, and the remote server has no need to store the password or a verification table in the computer. That is, the remote server only maintains the secret parameters. Then the remote server can authenticate whether the user is allowed to log in. Thus, the proposed scheme can resist the stolen-verifier attack and modification attack.

5.2.4 Allow user securely to change or update password: Our proposed scheme can securely accept the user's demand for changing or updating password after entering the system. The Ui can compute the new value h(PWi* r) and send the message {IDi, h(PWi* r), r(Si)} to the remote server. After receiving the demand for password change, the remote server computes the new value to update W* = h(P h(PWi* r)) into the smart card. Thus, the original value of W has been replaced by the new value W*.

5.3 Comparisons

Recalling the scheme of Fan and Lin [9] and others [4–7, 15, 16], we compare our scheme with other referenced schemes in security properties and computation cost. Table 1 summarises the comparisons among our scheme and other referenced schemes.

Table 1 Comparison among the referenced schemes

| Security item | Our scheme | Lin–Lai scheme [3] | Khan–Zhang scheme [4] | Fan–Lin scheme [9] | Li–Hwang's scheme [5] |
|---|---|---|---|---|---|
| proper mutual authentication | yes | no | yes | yes | no |
| resist insider attack | yes | yes | yes | no | yes |
| resist stolen-verifier attack and modification attack | yes | no | yes | no | yes |
| without a verification table | yes | yes | yes | no | yes |
| securely change/update password | yes | yes | no | yes | yes |
| registration phase | 2H + PA | 1H + 1E | 2H | H + Tmec | 3H |
| login and authentication phase | TA + H + 7PA + 4PM | 3H + 4E | 7H | TA + 7Tmec | 7H |

H, the time spent in hashing operation; PM, the time spent in scalar multiplication operation of elliptic curve; PA, the time spent in point addition operation of elliptic curve; E, the exponent polynomial computation time; Tmec, the computation time for private key computation and public key with nameless method; TA, the time spent in extracting algorithm.

Obviously, our scheme can overcome the security flaws of Fan and Lin and other schemes. As for computation cost, the exclusive-OR operation is negligible because it usually requires little computation. We can divide the ECC computation time of our scheme into two parts: the scalar multiplication operation and point addition operation. Our scheme requests only three hash operations and 12 ECC computations. We can realise that PA, PM calculates a cubic equation at most and H calculates a linear equation or quadratic equation at most. Besides, our proposed scheme is computed through combination of point addition and point multiplication; point multiplication is defined by repeated addition. Note that the computation costs of Tmec and E are relatively higher than PA, PM because Tmec calculates a nameless function and E needs polynomial computation cost. Thus, our computation cost is relatively low compared with the referenced schemes except Khan–Zhang and Li–Hwang's scheme. In terms of the requirements for a remote user authentication scheme, our proposed scheme solves all listed table problems.
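Added example (not code from the paper or its authors): a Python walk-through of the Section 3 key exchange and of Steps 1–2 of the Section 4.4 authentication phase, built on the point addition (PA) and scalar multiplication (PM) operations counted in Section 5.3. The curve y² = (x³ + 2x + 2) mod 17 with base point (5, 1) of order 19, the private keys, all function names, the hash-based mapping of SSi* to the point Nu, the on-curve check, and the reading of the Step 2 check as Nu* = Mu − Qu − Q1 are assumptions made for this illustration.

```python
"""Toy walk-through of Sections 3 and 4.4 (added example, constructed values)."""
import hashlib

# Textbook-size curve E: y^2 = (x^3 + a*x + b) mod p. NOT secure, demo only.
P_MOD, A, B = 17, 2, 2
G = (5, 1)   # plays the role of the paper's generator P
N = 19       # prime order n of G, so that n*G = O
O = None     # point at infinity


def is_nonsingular(a, b, p):
    # Curve requirement from Section 3: (4a^3 + 27b^2) mod p is non-zero.
    return (4 * a**3 + 27 * b**2) % p != 0


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0


def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P_MOD)


def add(p1, p2):
    """Point addition (PA in Table 1)."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                    # p2 is the inverse of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Scalar multiplication (PM) as repeated addition, via double-and-add."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh(r_a, r_b):
    """Section 3 exchange: returns (QA, QB, KA, KB)."""
    q_a, q_b = mul(r_a, G), mul(r_b, G)        # public keys, sent in the clear
    return q_a, q_b, mul(r_a, q_b), mul(r_b, q_a)


def nonce_point(data):
    # ASSUMPTION: the paper only says Nu is "chosen by SSi*"; here the bytes
    # are hashed to a non-zero scalar and multiplied into the group.
    k = 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (N - 1)
    return mul(k, G)


def user_m1(q_u, Q_s, N_u):
    """Step 1 of 4.4: build m1 = {Q1, Qu, Mu}."""
    Q_u = mul(q_u, G)
    Q_1 = mul(q_u, Q_s)
    return Q_1, Q_u, add(add(N_u, Q_u), Q_1)


def server_recover_nu(m1, q_s):
    """Step 2 of 4.4: recompute Q1 = qs*Qu and unmask Nu* from Mu."""
    _, Q_u, M_u = m1
    # Added hardening, not in the paper: reject points that are off the curve.
    if Q_u is O or not (on_curve(Q_u) and on_curve(M_u)):
        raise ValueError("invalid point in m1")
    Q_1 = mul(q_s, Q_u)
    # ASSUMPTION: the check is read as Nu* = Mu - Qu - Q1 (inverse of Step 1).
    return add(add(M_u, neg(Q_u)), neg(Q_1))


if __name__ == "__main__":
    assert is_nonsingular(A, B, P_MOD) and on_curve(G) and mul(N, G) is O
    _, _, k_a, k_b = ecdh(3, 10)
    print("ECDH shared point:", k_a, "match:", k_a == k_b)
    q_s, q_u = 7, 5                      # constructed private keys
    N_u = nonce_point(b"constructed SSi* sample")
    m1 = user_m1(q_u, mul(q_s, G), N_u)
    print("server recovers Nu:", server_recover_nu(m1, q_s) == N_u)
    print("wrong server key  :", server_recover_nu(m1, 8) == N_u)
```

The server only recovers the same Nu when it holds the private key matching the QS that the user multiplied into Q1; with any other key the unmasked point differs and the Step 2 comparison fails.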

6 Conclusions

Obviously, biometric-based authentication can assure more reliable authentication than traditional password-based authentication. In addition, recent concerns in biometric-based authentication focus on the issues of security and privacy protection. In this paper, we propose a robust three-factor remote user authentication scheme based on the ECC. In our assumption analysis, we point out the drawbacks of Fan and Lin's scheme. That is, the scheme of Fan and Lin fails to resist insider attacks, stolen-verifier attacks and modification attacks, and has security pitfalls because of the storage of a verification table inside the server. In addition, we found the other referenced schemes to be less secure and less resistant to attack. Our proposed scheme can overcome security pitfalls and strengthen the security and privacy protection. Our scheme is practical and suitable for biometrics-based remote authentication.

7 References

1 Matyas, V.J., Riha, Z.: 'Toward reliable user authentication through biometrics', IEEE Secur. Priv. Mag., 2003, 1, pp. 45–49
2 Lee, J.K., Ryu, S.R., Yoo, K.Y.: 'Fingerprint-based remote user authentication scheme using smart cards', Electron. Lett., 2002, 38, pp. 554–555
3 Lin, C.H., Lai, Y.Y.: 'A flexible biometrics remote user authentication scheme', Comput. Stand. Interfaces, 2004, 27, pp. 19–23
4 Khan, M.K., Zhang, J.S.: 'Improving the security of a flexible biometrics remote user authentication scheme', Comput. Stand. Interfaces, 2007, 29, pp. 82–85
5 Li, C.T., Hwang, M.S.: 'An efficient biometrics-based remote user authentication scheme using smart cards', J. Netw. Comput. Appl., 2010, 33, pp. 1–5
6 Rhee, H.S., Kwon, J.O., Lee, D.H.: 'A remote user authentication scheme without using smart cards', Comput. Stand. Interfaces, 2008, 31, pp. 6–13
7 Li, X., Niu, J.W., Ma, J., Wang, W.D., Liu, C.L.: 'Cryptanalysis and improvement of a biometric-based remote authentication scheme using smart cards', J. Netw. Comput. Appl., 2011, 34, pp. 73–79
8 Kim, H.J.: 'Biometrics, is it a viable proposition for identity authentication and access control', Comput. Secur., 1995, 14, pp. 205–214
9 Fan, C.I., Lin, Y.H.: 'Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics', IEEE Trans. Inf. Forensics Sec., 2009, 4, pp. 933–945
10 Davida, G.I., Matt, B.J., Peralta, R., Frankel, Y.: 'On the relation of error correction and cryptography to an offline biometric based identification scheme'. Processing Workshop Coding Cryptography, 1999, pp. 129–138
11 Jain, A.K., Nandakumar, K., Nagar, A.: 'Biometric template security', EURASIP J. Adv. Signal Process., 2008, 2008, (113), pp. 1–17
12 Liao, I.E., Lee, C.C., Hwang, M.S.: 'A password authentication scheme over insecure networks', J. Comput. Syst. Sci., 2006, 72, pp. 727–740
13 Koblitz, N.: 'Elliptic curve cryptosystems', Math Comput., 1987, 48, pp. 203–209
14 Miller, V.: 'Uses of elliptic curves in cryptography'. Advances in Cryptology Crypto'85 Proc., 1985, (LNCS, 218), pp. 417–426
15 Yeh, H.L., Chen, T.H., Liu, P.C., Kim, T.H., Wei, H.W.: 'A secured authentication protocol for wireless sensor networks using elliptic curves cryptography', Sensors, 2011, 11, pp. 4767–4779
16 Hsieh, W.B., Leu, J.S.: 'Anonymous authentication protocol based on elliptic curve Diffie-Hellman for wireless access networks', Wirel. Commun. Mobile Comput., Wiley, 2012, doi: 10.1002/wcm.2252