Biometrics based authentication scheme for session initiation protocol

Many two-factor challenge-response based session initiation protocol (SIP) authentication schemes have been proposed, but most of them are vulnerable to smart card stolen attacks and password guessing attacks. In this paper, we propose a novel three-factor SIP authentication scheme using biometrics, a password and a smart card, and use the pi calculus-based formal verification tool ProVerif to prove that the proposed protocol achieves secrecy and authentication. Furthermore, our protocol is highly efficient compared to other related protocols.

attack, off-line password guessing attack and stolen-verifier attack, and proposed a new SIP authentication scheme. In 2012, Xie (2012) demonstrated that Yoon et al.'s scheme is still vulnerable to stolen-verifier attack and off-line password guessing attack, and proposed an improvement of Yoon et al.'s scheme, but Farash and Attari (2013) found that Xie's protocol is also insecure against impersonation attack and off-line password guessing attack, and then they proposed an improved scheme to resolve these problems.
Recently, to enhance the performance and secrecy, Arshad and Ikram (2013) proposed an ECC-based SIP authentication protocol in 2013. But Tang and Liu (2013), He et al. (2012) and Pu et al. (2013) pointed out that Arshad et al.'s protocol is vulnerable to off-line password guessing attack. They also developed new schemes to enhance the security of Arshad et al.'s scheme. Later, Irshad et al. (2014) demonstrated that Tang et al.'s scheme cannot resist the server impersonation attack if an adversary can obtain the user's password, and they proposed an improved protocol using ECC. Recently, Zhang et al. (2014) proposed a new password-based SIP authentication protocol, but Tu et al. (2015), Irshad et al. (2015) and Wu et al. (2013) showed that Zhang et al.'s protocol is vulnerable to the impersonation attack, and they proposed improved protocols respectively. After that, Arshad and Nikooghadam (2016) showed that Irshad et al.'s scheme is still vulnerable to impersonation attack. Farash (2016) and Mishra et al. (2016) found that Tu et al.'s protocol cannot resist the impersonation attack, and also presented improved schemes. It is worth mentioning that Mishra et al.'s scheme is a three-factor SIP authentication scheme, but it does not achieve perfect forward secrecy. Very recently, Chaudhry et al. (2015b) found that Tu et al.'s scheme is vulnerable to server impersonation attack. Moreover, both Tu et al.'s and Farash's improved schemes cannot protect the user's privacy and suffer from replay and denial of service attacks. To enhance the security, they proposed a privacy preserving authentication scheme for SIP. Kumari et al. (2015) argued that Farash's protocol cannot withstand impersonation attack, password guessing attack, and session-specific temporary information attack. Further, Kumari et al. proposed an improved protocol to fix the weaknesses of Farash's protocol.
Many of the above-mentioned SIP authentication protocols are based on either a password alone or a password combined with a smart card. However, a password-based protocol may suffer from password guessing attacks, and a smart card-based protocol may suffer from smart card stolen attacks in which the information stored in the smart card is extracted, even if the smart card is designed to achieve a certain level of tamper resistance (Witteman 2002). In order to solve the password guessing attack and the smart card stolen attack for SIP authentication schemes, we use the user's biometrics to protect the user's password and the sensitive information in the smart card, since biometrics have many advantages: they are difficult to fabricate, distribute, lose, forget, guess or copy (Li and Hwang 2010). On the other hand, a fuzzy extractor always outputs the same random string if the input biometrics are sufficiently similar to the stored biometrics (Dodis et al. 2004). Therefore, in this paper, we propose a biometrics-based SIP authentication scheme, and use the pi calculus (Abadi and Fournet 2001) based formal verification tool ProVerif (Abadi et al. 2009) to prove authentication and secrecy of the proposed protocol.
The rest of the paper is organized as follows. In "Biometrics-based SIP authentication scheme" section, we propose our Biometrics-based SIP authentication scheme. Security analysis and formal verification are given in "Security analysis and formal verification" section. "Security and performance comparisons" section compares the security and performance of our protocol to existing ones, and we conclude the paper in "Conclusions" section.

Biometrics-based SIP authentication scheme
A biometrics based SIP authentication scheme is proposed in this section, which consists of three phases: registration, login and authentication, and password change. In this section, we first describe the construction of the fuzzy extractor, then we give the scheme specification of the proposed biometrics based SIP.

Fuzzy extractor
A fuzzy extractor consists of a pair of randomized procedures 〈"generate" (Gen), "reproduce" (Rep)〉. The procedure Gen takes the user's biometrics BIO as input and outputs a random, uniform string η as secret information together with a random auxiliary string λ as public information, namely, Gen(BIO) = (η, λ). The procedure Rep takes the biometrics BIO* and the auxiliary string λ as inputs. Even if the input BIO* differs slightly from BIO, as long as the difference is below the threshold, the procedure Rep reproduces the same string η, namely, Rep(BIO*, λ) = η. Although we cannot always obtain identical biometrics because of noise introduced during sampling, the fuzzy extractor overcomes this problem. Readers may refer to Dodis et al. (2004) and Yang and Yang (2009) for a detailed introduction to fuzzy extractors. The notations used in this paper are given in Table 1.

Registration
A legal user U_i must register with the remote server S beforehand by performing the following steps, as shown in Algorithm 1.
Step 1. The user U_i chooses a password pw_i and a random number a_i ∈ Z*_n, computes M = h(a_i ‖ pw_i) and sends the registration message {ID_i, M} to S via a secure channel.
Step 2. After S receives the registration request message {ID_i, M}, S computes R = M ⊕ h(ID_i ‖ x), stores R into a smart card and sends it to U_i through a secure channel.
Step 3. After U_i obtains the smart card, he or she enters his or her biometrics BIO_i on a specific device and computes Gen(BIO_i) = (η, λ), B = a_i ⊕ h(η), C = h(ID_i ‖ pw_i ‖ a_i), and stores B, C and λ into the smart card. Thus, the smart card contains {B, C, λ, R}.

Login and authentication
In this phase, U_i and S authenticate each other and establish the session key. The process is shown in Algorithm 2.
Step 1. The user U_i inserts his or her smart card into a card reader, inputs his or her identity ID_i and password pw_i, and enters biometrics BIO*_i. The smart card selects a random number b ∈ Z*_n, computes Rep(BIO*_i, λ) = η, a_i = B ⊕ h(η), and C′ = h(ID_i ‖ pw_i ‖ a_i). Then, the smart card checks whether C′ is equal to C. If they are not equal, the protocol is terminated; otherwise, compute
Step 2. When the server S receives REQUEST {ID_i, D, F}, S computes D″ = h(ID_i ‖ x) and checks if F and h(ID_i ‖ D ‖ D″) are equal. If they are not equal, S rejects the request; otherwise, S randomly chooses two num-
Step 3. When the user U_i receives CHALLENGE {realm, Auth_s, H, t}, he or she computes K = b·D′·H and SK = h(ID_i ‖ t ‖ K). Then U_i checks if Auth_s and h(D ‖ K ‖ D′ ‖ t ‖ SK ‖ H) are equal. U_i terminates the protocol if they are not equal; otherwise, U_i computes Auth_u = h(ID_i ‖ realm ‖ K ‖ D′ ‖ t ‖ SK ‖ H ‖ D) and sends the message RESPONSE {ID_i, realm, Auth_u} to S.
Step 4. When the server S receives RESPONSE {ID_i, realm, Auth_u}, it checks whether Auth_u is equal to h(ID_i ‖ realm ‖ K ‖ D″ ‖ t ‖ SK ‖ H ‖ D). If so, S and U_i have established the session key SK.
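The login and authentication exchange above, as an added Python illustration that is not code from the paper: both sides' messages and checks from Steps 1 to 4, with a multiplicative group modulo a prime standing in for the paper's elliptic curve, SHA-256 as h, and the user side handed D′ = h(ID_i ‖ x) directly instead of recovering it from the smart card. The toy group, the hash input encoding, the realm and the sample identity are all assumptions.

```python
import hashlib
import secrets

# Toy group (constructed): a multiplicative group mod a prime stands in for the ECC group, so b*P is pow(G, b, P_MOD).
P_MOD = (1 << 127) - 1
G = 5

def h(*parts):                       # h(a||b||...); joining str forms with '||' is our assumption
    return hashlib.sha256("||".join(str(p) for p in parts).encode()).hexdigest()
def smul(k, point):                  # k * point in the toy group
    return pow(point, k, P_MOD)

def user_request(id_i, d_prime):
    """Step 1: card picks fresh b, sends REQUEST {ID_i, D = bP, F = h(ID_i||D||D')}."""
    b = secrets.randbelow(P_MOD - 2) + 1
    D = smul(b, G)
    return {"b": b, "D": D}, {"ID": id_i, "D": D, "F": h(id_i, D, d_prime)}

def server_challenge(req, x, realm="sip.example.test"):
    """Step 2: S recomputes D'' = h(ID_i||x), checks F, picks u and t, sends CHALLENGE."""
    d2 = h(req["ID"], x)
    if req["F"] != h(req["ID"], req["D"], d2):
        return None, None                       # F wrong: request rejected
    u, t = secrets.randbelow(P_MOD - 2) + 1, secrets.token_hex(16)
    H = smul(u, G)                              # H = uP
    K = smul(u * int(d2, 16), req["D"])         # K = u * h(ID_i||x) * D
    SK = h(req["ID"], t, K)
    st = {"D": req["D"], "d2": d2, "t": t, "H": H, "K": K, "SK": SK, "realm": realm}
    return st, {"realm": realm, "Auth_s": h(req["D"], K, d2, t, SK, H), "H": H, "t": t}

def user_response(id_i, d_prime, us, ch):
    """Step 3: card computes K = bD'H and SK, checks Auth_s, replies with Auth_u."""
    K = smul(us["b"] * int(d_prime, 16), ch["H"])
    SK = h(id_i, ch["t"], K)
    if ch["Auth_s"] != h(us["D"], K, d_prime, ch["t"], SK, ch["H"]):
        return None, None                       # server not authenticated
    auth_u = h(id_i, ch["realm"], K, d_prime, ch["t"], SK, ch["H"], us["D"])
    return SK, {"ID": id_i, "realm": ch["realm"], "Auth_u": auth_u}

def server_verify(resp, st):
    """Step 4: S accepts only if Auth_u matches its own K, D'', t, SK, H and D."""
    want = h(resp["ID"], resp["realm"], st["K"], st["d2"], st["t"], st["SK"], st["H"], st["D"])
    return st["SK"] if resp["Auth_u"] == want else None

def run_session(id_i, x):
    """Whole login; returns (user SK, server SK), with None wherever a check failed."""
    d_prime = h(id_i, x)   # in the paper the card recovers D' = h(ID_i||x) from R
    us, req = user_request(id_i, d_prime)
    st, ch = server_challenge(req, x)
    sk_u, resp = user_response(id_i, d_prime, us, ch) if ch else (None, None)
    return sk_u, server_verify(resp, st) if resp else None
```

Re-sending a captured REQUEST only earns a fresh challenge with new u and t, so a previously captured RESPONSE fails server_verify, which is the replay check the security analysis relies on.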

Password change
The user U_i inserts his or her smart card into a terminal, inputs his or her ID_i, old password pw_i and new password pw_i^new, chooses a random number a_i^new ∈ Z*_n and enters biometrics BIO*_i on a specific device. Then the smart card computes Rep(BIO*_i, λ) = η and a_i = B ⊕ h(η). After this, the smart card verifies h(ID_i ‖ pw_i ‖ a_i) = C. If it does not hold, the smart card rejects the request; otherwise, the smart card computes

Security analysis and formal verification
In this section, we will analyze the security of the proposed scheme.

Formal verification
In order to prove the security of cryptographic protocols, several formal verification tools are available, such as BAN logic (Burrows et al. 1989), AVISPA (Armando et al. 2005) and ProVerif. In this section, we prove secrecy and authentication using ProVerif, because it runs automatically and efficiently, and can detect errors easily. ProVerif makes use of the Dolev-Yao model (Dolev and Yao 1983) and supports many cryptographic primitives, including digital signatures, symmetric and asymmetric encryption, hash functions, and so on.
There are two types of channels in the formal model: a public channel for transmitting general protocol messages and a private channel for transmitting smart card data between the user and his or her smart card. These channels are declared as follows:
free cch: channel.
free sch: channel [private].
The above code was run in the latest version 1.90 of ProVerif to show that the correspondence query is true and the two attacker queries are not true. That is, the authentication property and secrecy are satisfied, as shown in Fig. 1.

Session key security
Due to the intractability of the computational Diffie-Hellman (CDH) problem, an adversary can neither learn h(ID_i ‖ x) nor compute ubP from bP and uP. That is, the adversary cannot compute the session key SK = h(ID_i ‖ t ‖ u·h(ID_i ‖ x)·bP).

Mutual authentication
The user U_i and the server S authenticate each other by checking the correctness of F, Auth_u and Auth_s, respectively. Without the knowledge of h(ID_i ‖ x), no one except the user and the server can compute Auth_u and Auth_s.

Replay attack
An adversary may intercept the request message REQUEST {ID_i, D, F} and replay it to the server, where D = bP, D′ = h(ID_i ‖ x) and F = h(ID_i ‖ D ‖ D′). Without the knowledge of b, he or she cannot generate the correct response message RESPONSE {ID_i, realm, Auth_u} after receiving the server's message CHALLENGE {realm, Auth_s, H, t}. The server then detects the attack by checking the correctness of Auth_u. On the other hand, the adversary may intercept the challenge message CHALLENGE {realm, Auth_s, H, t} and replay it to the user, where K = u·h(ID_i ‖ x)·D and Auth_s = h(D ‖ K ‖ D″ ‖ t ‖ SK ‖ H). As the user generates a new D = bP for each session, the attack is detected by checking the correctness of Auth_s. Therefore, the proposed SIP authentication scheme can resist the replay attack.

Off-line password guessing attack
Suppose that the adversary obtains the smart card data {B, C, λ, R}, where B = a_i ⊕ h(η). He or she could also eavesdrop on the messages REQUEST {ID_i, D, F}, CHALLENGE {realm, Auth_s, H, t} and RESPONSE {ID_i, realm, Auth_u} transmitted between U_i and S. The adversary may guess a password pw*_i, but without the knowledge of S's secret key x, he or she can neither compute the random number a_i nor verify whether the guessed password is correct. Hence, our scheme can resist the off-line password guessing attack.
For similar reasons, our protocol can resist smart card stolen attacks.

Privileged insider attack
In the registration phase of our scheme, U_i chooses the random number a_i and the password pw_i, and computes the hash value h(a_i ‖ pw_i). Then U_i sends the hash value to S. The privileged insider cannot obtain pw_i, as it is protected by the random number a_i and the secure hash function.

Impersonation attack
Without the knowledge of S's secret key x, the attacker can neither generate the valid challenge message CHALLENGE {realm, Auth_s, H, t}, where Auth_s = h(D ‖ K ‖ D″ ‖ t ‖ SK ‖ H) and K = u·h(ID_i ‖ x)·D, nor compute the legal message RESPONSE {ID_i, realm, Auth_u}. Note that all messages in the registration phase are transmitted via a secure channel, which is assumed to be free of corruption. So our scheme can withstand the impersonation attack.

Stolen-verifier attack
In the proposed scheme, S only needs to keep its key x secret. No password-verifier table is required to be stored in the server's database. Therefore, our scheme can resist the stolen-verifier attack.

Man-in-the-middle attack
From the above security analysis, we know that our scheme provides mutual authentication between U_i and S, and resists the off-line password guessing attack and the impersonation attack. Hence, our scheme is secure against the man-in-the-middle attack.

Perfect forward secrecy
In our protocol, the session key is SK = h(ID_i ‖ t ‖ u·h(ID_i ‖ x)·bP). Even if an adversary obtains all long-term secret parameters, such as S's secret key x and U_i's password pw_i, he or she still cannot compute u·h(ID_i ‖ x)·bP from bP and uP due to the intractability of the CDH problem. Therefore, the introduced scheme provides perfect forward secrecy.

Security and computation cost comparison
The security and computation cost comparisons between the proposed scheme and some related schemes (Zhang et al. 2014; Tu et al. 2015; Irshad et al. 2015; Arshad and Nikooghadam 2016; Farash 2016; Mishra et al. 2016; Chaudhry et al. 2015a; Wu et al. 2015) are given in Tables 2 and 3. For convenience, some notations are defined as follows: SY, H, MI, SM and PA denote the execution times of a symmetric key encryption or decryption, a hash function, a modular inversion, a scalar multiplication and a point addition over an elliptic curve, respectively. Very recently, Kilinc and Yanik (2014) estimated the complexity of various cryptographic operations using the PBC library. The actual execution times for the above operations are as follows: SY is about 0.0046 ms, H is about 0.0023 ms, MI is about 0.0056 ms (Koblitz et al. 2000), SM is about 2.226 ms, and PA is about 0.0288 ms.
From Tables 2 and 3, we can conclude that our scheme enjoys better security than the others, and higher efficiency than the other related schemes except Mishra et al.'s protocol (Chaudhry et al. 2015a). Unfortunately, Mishra et al.'s protocol cannot provide perfect forward secrecy since the session key is where mk is the secret key of the server S, T_2 and T_3 are timestamps, u is a nonce chosen by the user and N is a registration sign. According to the definition of perfect forward secrecy, if an attacker learns the secret key mk of S, then he or she can compute the session key SK. In general, the Diffie-Hellman key exchange can be used to achieve perfect forward secrecy, but it requires more scalar multiplication operations over the elliptic curve.

Storage capacity comparison
Since the proposed protocol is developed for applications using smart cards, the memory requirement is a key parameter of concern. Therefore, we have also compared the storage capacity of our scheme with other related schemes (Zhang et al. 2014; Tu et al. 2015; Irshad et al. 2015; Arshad and Nikooghadam 2016; Farash 2016; Mishra et al. 2016; Chaudhry et al. 2015a; Wu et al. 2015). We assume that the hash function outputs 256 bits, the size of a point on the elliptic curve is 164 bits, the length of a random nonce is 128 bits, and the length of an identity is 128 bits. In the proposed scheme, the smart card needs to store {B, C, λ, R}, which is 256 + 256 + 128 + 256 = 896 bits. The storage capacities of the other relevant schemes are shown in Table 4, which shows that the smart card memory needed in all schemes is less than 1 kbit.