275341.pdf

Research ArticleAn Improved Biometric-Based User Authentication Scheme forC/S System

Li Jiping,1 Ding Yaoming,1 Xiong Zenggang,1 and Liu Shouyin2

1 School of Computer and Information Science, Hubei Engineering University, Xiaogan 432000, China2 College of Physical and Technology, Central China Normal University, Wuhan 430079, China

Correspondence should be addressed to Ding Yaoming; [email protected]

Received 24 August 2013; Revised 18 February 2014; Accepted 27 February 2014; Published 27 April 2014

Academic Editor: Chuan-Ming Liu

Copyright 2014 Li Jiping et al.This is an open access article distributed under the Creative Commons Attribution License, whichpermits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

The authors first review the recently proposed Dass biometric-based remote user authentication scheme, and then show that Dassscheme is still insecure against some attacks and has some problems in password change phase. In order to overcome the designflaws in Dass scheme, an improvement of the scheme is further proposed. Cryptanalysis shows that our scheme is more efficientand secure against most of attacks; moreover, our scheme can provide strong mutual authentication by using verifying biometric,password as well as random nonces generated by the user and server.

1. Introduction

In a client/server system, the validity of remote user is neces-sary to assure the security of the system. Traditional remoteidentity-based authentication schemes [19] are based onpasswords only.However, simple passwords are always easy tobreak by using simple dictionary attacks since they have lowentropy. To overcome this problem, cryptographic secret keysand passwords are used in the remote user authenticationschemes. But the long and random cryptographic keys aredifficult to memorize and hence they must be stored some-where [10]; it is expensive to maintain the long cryptographickeys. Furthermore, both passwords and cryptographic keysare unable to provide nonrepudiation because they can beforgotten or lost or when they are shared with other people,there is no-way to know who the actual user is [11]. Abiometric system operates by acquiring biometric data froman individual, extracting a feature set from the acquired dataand comparing this feature set against the template set inthe database [1214]. In [3], the authors propose an online(, ) threshold secret sharing scheme based on biometricverification and threshold password authentication. In [15],a continuous user authentication scheme based on biometricverification by fusing hard and soft traits is proposed irrespec-tive of user posture in front of the system. In [16], a BIO3G

protocol based on biometric authentication for 3G mobileenvironments is proposed to provide real end to end stronguser authentication. In [17], the author analyzes the securityof Dass biometric-based authentication scheme and showsthat the scheme is still insecure against some attacks anddoes not provide mutual authentication between the userand server. In [18], the author proposes an enhanced schemebased on biometric verification and smart card to removethe security weakness of Dass scheme analyzed in [17].However, the proposed scheme in [18] cannot withstand thereplay attack between the user and the remote server. Inthe abovementioned schemes, biometric verification allowsone to confirm or establish an individual identity. Therefore,biometric keys are proposedwhich are based on physiologicaland behavioral characteristics of persons such as fingerprints,faces, irises, hand geometry, and palm prints. Some advan-tages of biometric keys are described as follows [19, 20].

(i) Biometric keys cannot be lost or forgotten.(ii) Biometric keys are very difficult to copy or share.(iii) Biometric keys are extremely hard to forge or dis-

tribute.(iv) Biometric keys cannot be guessed easily.(v) Someones biometrics is not easier to break than

others.

Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2014, Article ID 275341, 9 pageshttp://dx.doi.org/10.1155/2014/275341

2 International Journal of Distributed Sensor Networks

Table 1: Notations used in the proposed scheme.

Notation Description

Client

Trusted registration center

ServerPW

Password shared between and

ID

Identity of the user

Biometric template of the user

() Symmetric parametric function Predetermined threshold for biometric verification() A secure one-way hash function

A secret information maintained by the server

A random number chosen by

A random number chosen by

Data concatenates with data XOR operation of and

As a result, biometric-based remote user authenticationsare inherently more reliable and secure than usual traditionalpassword-based remote user authentication schemes.

In this paper, we propose an improvement of Dassbiometric-based remote user authentication scheme usingsmart cards in order to withstand his design flaws. Theremainder of this paper is organized as follows. In Section 2,we briefly review the Dass biometric-based remote userauthentication scheme using smart cards [21]. In Section 3,we analyze the design flaws in Dass scheme. In Section 4, wepropose an improvement of the scheme in order to eliminatethe design flaws discussed in Section 3. Security analysis ofour scheme and performance comparison with other relatedschemes are implemented in Section 5. Finally, we concludethe paper in Section 6.

2. Review of DASs Biometric-Based RemoteUser Authentication Scheme

In this section, we review in brief Dass biometric-basedremote user authentication scheme [21]. For describing theDass scheme [21], we use the notations shown in Table 1.Dass scheme consists of the following four phases, namely,registration phase, login phase, authentication phase, andchange password phase. Details of each phase are given in thefollowing subsections.

2.1. Registration Phase. In order to login to the system, theremote user

needs to perform the following stages, as

shown in Algorithm 1.

Step 1.The user inputs his/her personal biometricon a spe-

cific device and offers his/her password PWand the identity

IDof the user to the registration center

in person.

(1)ID PW

(2) Computes and

= (

)

= (PW

)

= (ID

)

(3)Smart card(ID , (), , , )

Algorithm 1: Registration phase of Dass scheme.

Step 2. The registration center then computes

= (

),

= (PW

) , and

= (ID

) . Here

is secret

information generated by the server.

Step 3. Finally, the registration center

loads(ID, (),

, , ) on the users smart card and sends

the information to the user via a secure channel.

2.2. Login Phase. In this phase, if a user wants to login to

the server , he/she needs to perform the following steps, as

shown in Algorithm 2.

Step 1. first inserts his/her smart card into the smart card

reader of a terminal and offers his/her personal biometrictemplate,

, on the specific device to verify his/her biometric.

Step 2. Next, the users personal biometric template is

matched against the template stored in the system.

Step 3. If the above verification does not hold, then does

not pass the biometric verification and, as a result, the remoteuser authentication is terminated. Otherwise, on the otherhand, if the abovementioned verification holds,

passes the

biometric verification and then inputs his/her password

PWto perform Step 4.

Step 4. The smart card computes = (PW

) . If = ,

then password verification fails, and the client terminates thesession.

Step 5. If = , the smart card computes

1= ,

which is equal to (ID ),2= 1 , which is equal

to (ID )

, and

3= (

), where

is a random

number generated by the user.

Step 6. Finally, sends the message ID

,2,3 to the

remote server .

2.3. Authentication Phase. After receiving the login requestmessage ID

,2,3, performs the following steps, as

shown in Algorithm 3, in order to authenticate whether theuser

is legal or not.

International Journal of Distributed Sensor Networks 3

(1) Inserts the smart card and

(2) Verifies whether matches with template stored in system?

(3) If it holds, then inputs his/her password PW

(4) Computes = (PW

)

(5) Checks if = ?

(6) If it holds, the smart card computes the following:1=

2= 1

3= (

)

(7)ID ,2 ,3

Algorithm 2: Login phase of Dass scheme.

(1) Checks whether the format of s IDis valid or not.

If above holds, computes the following:

4= (ID

)

5= 24

(2) Verifies whether (5) =

3?

If it holds, then computes6= 4

7= (

2 5)

8= (

)

(3)7 ,6 ,8

(4) Verifies whether7= (

2 )?

(5) If above holds, computes

9= 61

Verifies whether (9) =

8?

If it does not hold, is rejected by

Otherwise, if it holds, then computes10= (

6 9)

(6)10

(7) Verifies whether10= (

6 )?

(8) If it holds, accepts

s login request

(9) Otherwise, rejects

s login request

Algorithm 3: Authentication phase of Dass scheme.

Step 1. first checks the format of

s ID.

Step 2. If the above format is valid, then computes

4=

(ID ), 5=

2 4and then verifies whether

(5) =

3. If it does not hold, then

rejects

s login

request. In case the verification is successful, then computes

6= 4 ,7= (

2 5), and

8= (

).

Step 3. then sends the message

7,6,8 to

.

Step 4. After receiving the message in Step 3, verifies

whether 7= (

2 ). Thus, if the verification does

not pass, terminates the session. Otherwise,

proceeds

as follows by computing9= 61(= ) and verifying

further whether (9) =

8. If (

9) =

8, terminates

the session. On the other hand, computes

10= (

6

9) and sends the message

10 to the server

.

Step 5. After receivings message,

verifies whether

10=

(6 ).

Step 6. If the abovementioned does not hold, rejects

s

login request.

Step 7. In case the verification is successful, then only

accepts s login request.

2.4. Password Change. The password change phase of Dassscheme [21] has the following steps.


Step 1. It inserts the smart card into the card reader and offers.

Step 2. It verifies whether the users personal biometrictemplate

matches against the template stored in the system.

Step 3. If passes the biometric verification, then only

enters his/her old password PWold

and new changed

password PWnew

.

Step 4. The smart card then computes = (PWold

)

;

if = , the password change phase is terminated. If

= ,

then only smart card computes = (PWnew

)

, =

(= (ID

)), and

= .

Step 5. Finally, replace with

and

with

on the smart

card.

3. Cryptanalysis of Dass Scheme

This section demonstrates that Dass scheme [21] has somedrawbacks: denial-of-service attack, user impersonationattack, replay attack, and password change problem.

3.1. Denial-of-Service Attack. One of fundamental propertiesof a secure one-way hash function is that its outputs are verysensitive to small perturbations in their inputs. The crypto-graphic hash function cannot be applied straightforwardlywhen the input data are with noise such as biometrics [22].Then the predetermined threshold for biometric verificationcannot be used to measure outputs of hash functions. Inthe registration phase of Dass scheme, the register center

computes = (

) and

= (PW

) and then stores

and

in the smart card. In the login phase,

inserts

his/her smart card into the card reader and provides his/herpersonal biometrics

on a specific device to verify the users

biometrics by verifying whether () = or not. In Step 4 of

login phase, password verification is performed by verifyingwhether

= .However, both the biometric verification and

password verification procedures may result in serious flawsbecause (

) =

may never succeed, since the inputted

biometrics belonging to the same person may differ slightlyfrom time to time [22], so the next login and authenticationprocedure will be terminated. As a result, this may causethe legal user to be unable to pass biometric verification atthe login phase of Dass scheme. Therefore, Dass scheme isvulnerable to the denial-of-service attack.

3.2. User Impersonation Attack. We see from the login andauthentication phase of Dass scheme that an attacker canimpersonate a legal user to access to the server. In the loginphase of Dass scheme, since the user

sends the message

ID,2,3 to the remote server

where

identity is

not masked, this will result in user impersonation attack asfollows.

When an attack denoted aswants to access the remote

server, he/she can eavesdrop the message ID,2,3 by

tapping communication lines or wireless link between the

legal user and the remote server

. Once

derives

the message ID,2,3 he can send the eavesdropped

message to the remote server . Since the legal users ID is

not masked, so the check of users validity can easily pass. Wecan clearly see that when

computes

4= (ID

) and

5= 24, the verification of (

5) =

3is successful.

Then computes

6= 4 ,7= (

2 5), and

8= (

) and then sends message

7,6,8 to

.

The attackmay eavesdrops themessage

7,6,8 and

modifies the7, replaces it with

7, and then sends a forged

message 7,6,8 to

. Obviously

7= (2 ),

so terminates the session. However, the attacker

will

pass the verification 7,6,8, and

computes

9=

6 1= 6 4. Since the attack

can verify

9=

8, he proceeds as follows by computing

10= (

6

9) and sends message

10 to the remote server

. On

receiving themessage, the remote server will verifywhether

10= (

6 ) or not. We can see obviously that the

above equation holds, so the remote accepts the attackers

login request and the user impersonation attack will occursequentially.

3.3. Replay Attack. In Dass scheme, the replay and man-in-the-middle attack is withstood by checking whether

5(=

24) =

5, where

5is equal to

and is stored in the

database of remote server . It is noted that

5= 24=

1 4= (1= 4) is disclosed to any user when

one breaks the remote server . When the remote server

is compromised by an attacker, he/she can change ID,5

in the database of the remote server . Obviously, once

5

is changed, the replayed message ID,2,3 will not be

discarded and5will be replaced by

5.

3.4. Password Change. In password change procedure ofDass scheme, if remote user

wants to change his/her pass-

word, he/she must pass biometric verification by verifying() = . However, the inputted biometrics belonging to the

same personmay differ slightly from time to time [22], so thepassword change procedure will be terminated. In addition,for more time, since (

) = , then

= (PWold

)

computed by smart card is not equal to stored in the

smart card, so the password change procedure will also beterminated. According to the above analysis, Dass schemecannot realize the password change freely.

4. Proposed Scheme

In this section, we propose an improvement of the Dassbiometric-based remote user authentication scheme [21]using smart cards in order to withstand the flaws discussed inSection 3. For convenience, we use the same notations used asin Dass scheme shown in Table 1.

4.1. Registration Phase. In order to login to the system, theremote user

needs to perform the following steps, as shown

in Algorithm 4.


(1)ID PW

(2) computes , , and

= (

)

= (ID

)

= (PW

)

= (

)

(3)Smart card((), , , , , , ())

Algorithm 4: Registration phase of our scheme.

Step 1. The user inputs his/her personal biometric

on

a specific device and offers his/her password PWand the

identity IDto the registration center

in person.

Step 2. The registration center then computes

= (

),

= (ID

), = (PW

), and

= (

). Here

is secret information generated by the server.We note that

and passwords of the corresponding users are not disclosed toany others for all secure future communications.

Step 3. Finally, the registration center

loads((),

, , , , , ()) on the users smart card and

sends this information to the user via a secure channel.

4.2. Login Phase. In order to login to the system, the remoteuser

needs to perform the following stages, as shown in

Algorithm 5.

Step 1. first inserts his/her smart card into the card reader

of a terminal and offers his/her personal biometric template,

, on the specific device. If (

,

) > , the remote

user authentication is terminated. Otherwise, passes the

biometric verification and then inputs his/her password PW

to perform Step 2.

Step 2.The smart card computes = (PW

). If(

, ) >

, then password verification fails, and the system terminatesthe session; otherwise, the smart card computes

1= ,

which is equal to ( ),2= (

), where

is a

random number generated by the userand is the current

timestamp of s system, and

3= 12.

Step 3. Finally, the user sends the message

,2,3,

to the remote server .

4.3. Authentication Phase. When the remote server

receives the login request ,2,3, at time , it will

perform the following steps as shown in Algorithm 6 toauthenticate whether the user

is legal or not.

Step 1. Verify T. If ( ) > , the authenticationphase aborts, where is the expected time interval for the

transmission delay of the system. On the contrary, if ( ) , the next step will be performed.

Step 2. checks the format of

s ID. It computes

4=

( ) using the secret value

maintained by the server

and then computes

5= 4 3and verifies whether

5= 2. If it does not hold, then

rejects

s login request.

In case the verification is successful, the next step will beperformed.

Step 3. computes

6= (

) and

7= 4 6,

where is the current timestamp of the server

, and then

sends message

4,6,7, to the user

.

Step 4. After receiving the message 4,6,7, at

time , first checks the freshness of

by verifying

( ) > . If it holds, the following session is

terminated; otherwise computes

8=

4

7

and then verifies whether 8=

6. If it does not

hold, terminates the session. Otherwise, it goes to the

next step.

Step 5.computes

9= 46and then verifies whether

9= 7. If it does not hold,

is rejected by

; otherwise,

if it holds, computes

10= (

), where is the

current timestamp of the user , and then computes

11=

710and sends the message

11, , to the remote

server .

Step 6. When receives the message

11, , at

time , it verifies ( ) > . If it holds, theauthentication phase is terminated. Otherwise, if it does nothold,

computes

12= (

) and then computes

13= 4612. After computing

13, then

verifies

whether13= 11. If it holds,

accepts

s login request;

otherwise, rejects the login request.

4.4. Password Change. In our scheme, user can freely

change the password PWold

to a new one PWnew

. Thepassword change procedure is performed as follows.

Step 1.inserts the smart card into the card reader and offers

his/her personal biometrics ; then the smart card computes

= (

) and verifies it by checking (

, ) . where

= (

) is the information stored in the smart card.

Step 2. If it holds, inserts old password PWold

and new

password PWnew

; otherwise the password change procedureis terminated.

Step 3. Smart card performs = (PWold

) and checks

(, ) . where

is the information stored in the smart

card.Step 4. If it holds, the smart card computes

= (PWnew

)

, = (= (ID

)), and

= .

Step 5. Finally, replace with

and

with

on the smart

card.


(1) Inserts the smart card and inputs

(2) Verifies whether (,

) < ?

(3) If it holds, then inputs his/her password PW

(4) Computes = (PW

) and verifies whether (

, ) < ?

(5) If it holds, the smart card computes1=

2= (

)

3= 12

(6) ,2 ,3 ,

Algorithm 5: Login phase of our scheme.

(1) When receiving ,2,3, ,

checks ( ) > ?

(2) computes

4= (

),

5= 43, and verifies whether

5= 2?

(3) computes

6= (

),

7= 46,

4 ,6 ,7 , .

(4) When receiving 4, 6, 7,

at , checks ( ) > ?

computes8= 47, then verifies

8= 6?

(5) computes

9= 46, then verifies

9= 7? computes

10= (

), and

then11= 710,

11 , , .

(6) When receiving 11, , at ,

verifies ( ) > ?

then computes12= (

),

13= 4612, then verifies

13= 11?

If it holds, accepts

login request.

Algorithm 6: Authentication phase of our scheme.

5. Security Analysis and Performance ofthe Proposed Scheme

5.1. Security Analysis. If a legal user lost his/her smart card,it is extremely hard for an adversary to derive the userssensitive information such as users identity, password, andbiometrics because the extraction of parameters from thesmart card is quite difficult. Furthermore, the adversarycannot change the password because he/she cannot pass thebiometric verification.

5.1.1. Denial-of-Service Attack. In our proposed protocol,we take into account hash functions sensitivity to smallperturbations in its inputs. In the login phase, users biometricverification is performed by checking (

, ) > instead

of checking () =

. Moreover, the password verification

is performed by checking (, ) > instead of

= . So

denial-of-service attack caused by hash functions fundamen-tal properties can be withstood.

5.1.2. Stolen-Verifier Attack. Our scheme can resist stolen-verifier attack because the scheme is free from the veri-fier/password table. In our protocol, the remote server

does

not keep password tables. Therefore, an attacker cannot stealusers password from

. Moreover, the password ismasked by

hash function in the procedure of message transfer betweenthe user

and remote server

.

5.1.3. Many Logged-In Users Attack. Most systems, whichmaintain the password table to verify user login, are vulner-able to this kind of threat. Our scheme can resist the threatsince our scheme requires on-card computation for login tothe remote server

, and once the smart card is removed, the

login process will be aborted.


5.1.4. Guessing Attack. Our protocol can resist guessingattack, which is a critical concern in password-based systems,since the password in our protocol is transmitted as a digestof some other secret information. The attacker cannot guessthe users password from the digest because of the one-waycharacteristic of the hash function, even if the attacker mayget the digest which contains the password.

5.1.5. ReplayAttack. Replaying an interceptedmessage can beprevented in our proposed protocol. If an attacker interceptsID,2,3, and tries to login to the remote server

via replaying the same message, he/she cannot pass the

verification of the login request due to ( ) > , where is the system time when the remote server

receives

the replayed message. Moreover, if an attacker intercepts4,6,7, and tries to replay the message to the user

, this kind of attack also can be prevented due to (

) >

.

5.1.6. User Impersonation Attack. In the login phase ofour scheme, the message sent to remote server

is

,2,3, instead of ID

,2,3, , where the users

identity IDis masked by hash function. Even though an

attacker eavesdrops the message ,2,3, , he cannot

derive the users identity, ID, due to the one-way charac-

teristic of hash function. In the authentication phase, whenthe remote server

receives the login request message

,2,3, , it will check the validity of users identity.

Since the attacker cannot derive legal users identity, thecheck of users identity cannot pass which will result inthe termination of authentication phase. Through the aboveanalysis, we can see that user impersonation attack can beavoided in our scheme.

5.1.7. Server Masquerading Attack. If an attack attempts

to masquerade as the legitimate server , he/she must make

the forged replay message to the user when receiving theusers login request message

,2,3, . However, the

forged replay message is more difficult to fake since thetime-stamped message

4,6,7, is sent to the user

when the remote server

is receiving

s login request

message ,2,3, . Moreover, the attacker

cannot

masquerade as the server by forging the replay message4,6,7, , because

cannot compute (

4,7)

sending to the user without knowing the secret value

kept by the server

. Hence, the attacker

cannot

masquerade as the legal server to the user by launching theserver masquerading attack.

5.1.8. Insider Attack. In the registration phase, if the userspassword PW

and the biometrics information

are revealed

to the server , the insider of the server may directly obtain

PWand

, and the insider impersonates as the user

to

access the users other accounts in the server. But in the loginphase of our scheme, if the insider wants to access

s other

accounts, he/she must input his/her smart card to the cardreader and provide his biometric information

in order to

pass the verification (, ) < . Since the insider cannot

provide the user s smart card, the biometric verification

will be aborted. So the insider attack can be prevented.

5.1.9. Mutual Authentication. As described above, ourscheme can withstand the user impersonation attack andserver masquerading attack; consequently our scheme canprovide mutual authentication between the user

and

remote server .

5.1.10. Man-in-the-Middle Attack. Man-in-the-middle attackmeans that an active attacker intercepts the communicationline between a legal user and the server and uses somemeansto successfully masquerade as both the server to the user andthe user to the server. Then, the user will believe that he istalking to the intended server and vice versa. In our scheme,when a user

wants to login to the remote server

, mutual

authentication between the user and remote server

is

performed, so man-in-the-middle attack can be prevented.

5.2. Performance of the Proposed Scheme. In this subsection,we compare the performances of our improved schemewith those for Li-Hwangs scheme [11] and Dass scheme[21]. It is worth recalling that the protocol of Li-Hwangsscheme [11] has security weaknesses against denial-of-serviceattack, replay attack, user impersonation attack, and man-in-the-middle attack. It is noted that Dass scheme [21] hassecurity weaknesses against denial-of-service attack, userimpersonation attack, replay attack, server masqueradingattack, and insider attack. The security comparisons betweenour scheme and the schemes proposed by Li and Hwang [11]and Das [21] are summarized in Table 2. For the convenienceof evaluating the efficiency of related scheme, we define thenotation

, the time of executing a one-way hash function.

The efficiency comparison with related schemes is shown inTable 3. From the table, we can see that our scheme is moreefficient than Dass scheme [21]. Though our scheme is lessefficient than Li-Hwangs scheme [11], it can provide bettersecurity against most attacks.

6. Conclusion

This paper presents a biometric-based user authenticationscheme for client/server system. The method employs bio-metric keys and resists the threats of stolen-verifier, of whichmany are logged-in users with the same login identity, denial-of-service attack, guessing attack, insider attack, replay attack,user impersonation attack, server masquerading attack, andman-in-the-middle attack. Moreover, the improved schemecan realize mutual authentication between the user andremote server. The proposed scheme uses only hash functionand XOR operation, which is efficient compared with thatof related protocols. In addition, the users password can bechanged freely using the proposed scheme. Our proposedscheme provides strong authentication with the help of ver-ifying biometrics, passwords, and random nonces generatedby the user and server as compared to that of related schemes.


Table 2: Security comparisons among related protocols.

Item Our scheme Li-Hwangs scheme [11] Dass scheme [21]Avoiding denial-of-service attack Yes No NoAvoiding stolen-verifier attack Yes Yes YesAvoiding many logged-in users attack Yes Yes YesAvoiding guessing attack Yes Yes NoAvoiding replay attack Yes No NoAvoiding user impersonation attack Yes No NoAvoiding server masquerading attack Yes No NoAvoiding man-in-the-middle attack Yes No YesAvoiding insider attack Yes No NoMutual authentication Yes No NoHaving flaws in password change No Yes Yes

Table 3: Efficiency comparison with related schemes.

Different phase Li-HwangsScheme [11]Dass

scheme [21] Our scheme

RegistrationUser computation cost 2

4

Server computation cost 3

Login

User computation cost 3

3

3

Server computation cost Authentication

User computation cost 2

3

Server computation cost 3

5

3

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper.

Acknowledgments

The authors would like to thank the valuable comments andsuggestions of the reviewers.Thiswork is supported in part byNational Natural Science Foundation of China (no. 61370223)and by Science Research Project of Hubei Provincial Depart-ment of Education (XD2012374 and B2013024).

References

[1] M. S. Hwang and C. Y. Liu, Authenticated encryption schemes:current status and key issues, International Journal of NetworkSecurity, vol. 1, no. 2, pp. 6173, 2005.

[2] N.-Y. Lee and Y.-C. Chiu, Improved remote authenticationscheme with smart card, Computer Standards and Interfaces,vol. 27, no. 2, pp. 177180, 2005.

[3] C. T. Li, An enhanced remote user authentication schemeproviding mutual authentication and key agreement withSmart Cards, in Proceedings of the 5th International IEEEComputer Society Conference on Information Assurance andSecurity, pp. 517520, Xian, China, 2009.

[4] M.Kim andC. K. Koc, A simple attack on a recently introducedhash-based strong-password authentication scheme, Interna-tional Journal of Network Security, vol. 1, no. 2, pp. 7780, 2005.

[5] K. H. M. Wong, Z. Yuan, C. Jiannong, and W. Shengwei,A dynamic user authentication scheme for wireless sensornetworks, in Proceedings of the IEEE International Conferenceon Sensor Networks, Ubiquitous, and Trustworthy Computing(SUTC 06), pp. 244251, Taichung, Taiwan, June 2006.

[6] H.-R. Tseng, R.-H. Jan, and W. Yang, An improved dynamicuser authentication scheme for wireless sensor networks, inProceedings of the 50th Annual IEEEGlobal TelecommunicationsConference (GLOBECOM 07), pp. 986990, Washington, DC,USA, November 2007.

[7] T. H. Lee, Simple dynamic user authentication protocolsfor wireless sensor networks, in Proceedings of the 2nd Inter-national Conference on Sensor Technologies and Application(SENSORCOMM08), pp. 657660,CapEsterel, France,August2008.

[8] L.-C. Ko, A novel dynamic user authentication scheme forwireless sensor networks, in Proceedings of the IEEE Interna-tional Symposium on Wireless Communication Systems (ISWCS08), pp. 608612, Reykjavik, Iceland, October 2008.

[9] B. Vaidya, J. J. Rodrigues, and J. H. Park, User authenticationschemes with pseudonymity for ubiquitous sensor network inNGN, International Journal of Communication Systems, vol. 23,no. 9-10, pp. 12011222, 2010.

[10] J. Daemen and R. V. Rijndael, The advanced encryptionstandard, Dr. Dobbs Journal, vol. 26, no. 3, pp. 137139, 2001.

[11] C.-T. Li and M.-S. Hwang, An efficient biometrics-basedremote user authentication scheme using smart cards, Journalof Network and Computer Applications, vol. 33, no. 1, pp. 15,2010.

[12] A. K. Jain, A. Ross, and S. Prabhakar, An introduction to bio-metric recognition, IEEE Transactions on Circuits and Systemsfor Video Technology, vol. 14, no. 1, pp. 420, 2004.

[13] D. Maltoni, D. Maio, A. K. Jain, and S. Prabhakar, Handbook ofFingerprint Recognition, Springer, New York, NY, USA, 2009.

[14] S. Prabhakar, S. Pankanti, and A. K. Jain, Biometric recogni-tion: security and privacy concerns, IEEE Security and Privacy,vol. 1, no. 2, pp. 3342, 2003.

[15] A. Prakash, A biometric approach for continuous user authen-tication by fusing hard and soft traits, International Journal ofNetwork Security, vol. 16, no. 1, pp. 6570, 2014.


[16] C. K. Dimitriadis and S. A. Shaikh, A biometric authenticationprotocol for 3G mobile systems: modelled and validated usingCSP and rank functions, International Journal of NetworkSecurity, vol. 5, no. 1, pp. 99111, 2007.

[17] A. Yang, Security weaknesses and improvements of afingerprint-based remote user authentication scheme usingsmart cards, International Journal of Advancements inComputing Technology, vol. 4, no. 3, pp. 2128, 2012.

[18] A. N. Younghwa, Security analysis and enhancements of aneffective biometric-based remote user authentication schemeusing smart cards, Journal of Biomedicine and Biotechnology,vol. 2012, Article ID 519723, 6 pages, 2012.

[19] C.-H. Lin and Y.-Y. Lai, A flexible biometrics remote userauthentication scheme,Computer Standards and Interfaces, vol.27, no. 1, pp. 1923, 2004.

[20] C.-T. Li and M.-S. Hwang, An efficient biometrics-basedremote user authentication scheme using smart cards, Journalof Network and Computer Applications, vol. 33, no. 1, pp. 15,2010.

[21] A. K.Das, Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards,IET Information Security, vol. 5, no. 3, pp. 145151, 2011.

[22] J. P. Linnartz and P. Tuyls, New shielding functions toenhance privacy and prevent misuse of biometric templates,in Proceedings of the Audio and Video-Based Biometric PersonAuthentication, vol. 2688 of Lecture Notes in Computer Science,pp. 393402, 2003.

Submit your manuscripts athttp://www.hindawi.com

VLSI Design

Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014

International Journal of

RotatingMachinery


Hindawi Publishing Corporation http://www.hindawi.com

Journal of

EngineeringVolume 2014


Shock and Vibration


Mechanical Engineering

Advances in


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of


Distributed Sensor Networks


The Scientific World JournalHindawi Publishing Corporation http://www.hindawi.com Volume 2014

SensorsJournal of


Modelling & Simulation in EngineeringHindawi Publishing Corporation http://www.hindawi.com Volume 2014


Active and Passive Electronic Components


Chemical EngineeringInternational Journal of

Control Scienceand Engineering

Journal of


Antennas andPropagation




Navigation and Observation


Advances inOptoElectronics

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

RoboticsJournal of


275341.pdf

Documents

biometric authentication

stronguser authentication

proposed dass biometric

user posture

actual user

strong mutual authentication

biometric verification

validity of remote user