Provably secure anonymous three-factor authentication scheme for multi-server environments

  • Dongqing XuEmail author
  • Jianhua Chen
  • Qin Liu
Original Research


Significant developments in wireless communication technologies have resulted in the increased popularity of mobile devices and mobile services. However, excessive service requests reduce the efficiency of traditional single-server architectures, which consist of one server and many users. To overcome this limitation, a multi-server architecture was proposed. Additionally, password-based or smart-card-based authentication schemes cannot support some important security properties in multi-server environments. Consequently, biometrics are widely used as a third factor, in addition to passwords and smart cards, to make authentication schemes more secure. Reddy et al. recently designed a three-factor (i.e., password, smart card and biometrics) authentication scheme for multi-server environments. However, we found that their scheme lacks untraceability and is vulnerable to privileged insider attacks. To address these deficiencies, we propose a security-enhanced three-factor authentication scheme for multi-server environments based on elliptic curve cryptography (ECC). We prove that the proposed scheme is secure using the random oracle model. Moreover, an informal security analysis shows that the proposed scheme fulfills all the security requirements of the multi-server architecture. Finally, the results from performance analyses indicate that our proposed scheme achieves a significant improvement in security with minimal impact on performance.


Key exchange Three-factor Multi-server ECC Privileged insider attack 


  1. Amin R, Islam S, Khan MK, Karati A, Giri D, Kumari S (2017) A two-factor rsa-based robust authentication system for multiserver environments. Secur Commun Netw 2017(13):1–15CrossRefGoogle Scholar
  2. Brick (2017) Mobile marketing.
  3. Cao X, Zhong S (2006) Breaking a remote user authentication scheme for multi-server architecture. IEEE Commun Lett 10(8):580–581CrossRefGoogle Scholar
  4. Chuang MC, Chen MC (2014) An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Syst Appl 41(4):1411–1418CrossRefGoogle Scholar
  5. Dodis Y, Reyzin L, Smith A (2004) Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. International conference on the theory and applications of cryptographic techniques. Springer, New York, pp 523–540Google Scholar
  6. Dolev D, Yao AC (1981) On the security of public key protocols. In: Foundations of Computer Science, 1981. Sfcs ’81. Symposium on, pp 350–357Google Scholar
  7. Eisenbarth T, Kasper T, Moradi A, Paar C, Salmasizadeh M, Shalmani MT (2008) On the power of power analysis in the real world: a complete break of the keeloq code hopping scheme. In: Conference on cryptology: advances in cryptology. Springer, Berlin, Heidelberg, pp 203–220Google Scholar
  8. Gope P, Hwang T (2016) A realistic lightweight anonymous authentication protocol for securing real-time application data access in wireless sensor networks. IEEE Trans Industr Electron 63(11):7124–7132CrossRefGoogle Scholar
  9. Gope P, Lee J, Quek T (2017) Resilience of dos attacks in designing anonymous user authentication protocol for wireless sensor networks. IEEE Sensors J 99:1Google Scholar
  10. He D (2011) Security flaws in a biometrics-based multi-server authentication with key agreement scheme. Iacr Cryptology Eprint ArchiveGoogle Scholar
  11. He D, Wang D (2015) Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst J 9(3):816–823CrossRefGoogle Scholar
  12. Huang Z, Liu S, Mao X, Chen K, Li J (2017) Insight of the protection for data security under selective opening attacks. Inform Sci 412413:223–241CrossRefGoogle Scholar
  13. Islam SH (2014) A provably secure id-based mutual authentication and key agreement scheme for mobile multi-server environment without esl attack. Wireless Pers Commun 79(3):1975–1991CrossRefGoogle Scholar
  14. Jiang P, Wen Q, Li W, Jin Z, Zhang H (2015) An anonymous and efficient remote biometrics user authentication scheme in a multi server environment. Front Comput Sci 9(1):142–156MathSciNetCrossRefGoogle Scholar
  15. Jiang Q, Khan MK, Lu X, Ma J, He D (2016) A privacy preserving three-factor authentication protocol for e-health clouds. J Supercomput 72(10):3826–3849CrossRefGoogle Scholar
  16. Jiang Q, Chen Z, Li B, Shen J, Yang L, Ma J (2017a) Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems. J Ambient Intell Hum Comput 5:1–13Google Scholar
  17. Jiang Q, Zeadally S, Ma J, He D (2017b) Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks. IEEE Access 5:3376–3392CrossRefGoogle Scholar
  18. Kaufman C (2005) Internet key exchange (ikev2) protocol. RFC 4306Google Scholar
  19. Khan MK, Kim SK, Alghathbar K (2011) Cryptanalysis and security enhancement of a more efficient & secure dynamic id-based remote user authentication scheme. Comput Commun 34(3):305–309CrossRefGoogle Scholar
  20. Kim H, Jeon W, Lee K, Lee Y, Won D (2012) Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme. In: International conference on computational science and its applications. Springer, pp 391–406Google Scholar
  21. Koblitz N (1987) Elliptic curve cryptosystems. Math Comput 48(177):203–209MathSciNetCrossRefzbMATHGoogle Scholar
  22. Li J, Chen X, Li M, Li J, Lee PPC, Lou W (2014) Secure deduplication with efficient and reliable convergent key management. IEEE Trans Parallel Distrib Syst 25(6):1615–1625CrossRefGoogle Scholar
  23. Li J, Li J, Chen X, Jia C, Lou W (2015a) Identity-based encryption with outsourced revocation in cloud computing. IEEE Trans Comput 64(2):425–437MathSciNetCrossRefzbMATHGoogle Scholar
  24. Li J, Li YK, Chen X, Lee PPC, Lou W (2015b) A hybrid cloud approach for secure authorized deduplication. Parallel Distrib Syst IEEE Trans 26(5):1206–1216CrossRefGoogle Scholar
  25. Li X, Niu J, Kumari S, Islam SH, Wu F, Khan MK, Das AK (2016) A novel chaotic maps-based user authentication and key agreement protocol for multi-server environments with provable security. Wireless Pers Commun 89(2):569–597CrossRefGoogle Scholar
  26. Lin H, Wen F, Du C (2015) An improved anonymous multi-server authenticated key agreement scheme using smart cards and biometrics. Wireless Pers Commun 84(4):2351–2362CrossRefGoogle Scholar
  27. Lu Y, Li L, Yang X, Yang Y (2015) Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS One 10(5):e0126,323CrossRefGoogle Scholar
  28. Ma C, Wang D, Zhao S (2015) Security flaws in two improved remote user authentication schemes using smart cards. Int J Commun Syst 27(10):2215–2227CrossRefGoogle Scholar
  29. Maitra T, Islam S, Amin R, Giri D, Khan MK, Kumar N (2016) An enhanced multi-server authentication protocol using password and smart-card: cryptanalysis and design. Security Commun Netw 9(17):4615–4638CrossRefGoogle Scholar
  30. Mishra D, Das AK, Mukhopadhyay S (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 41(18):8129–8143CrossRefGoogle Scholar
  31. Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10(9):1953–1966CrossRefGoogle Scholar
  32. Reddy AG, Yoon EJ, Das AK, Odelu V, Yoo KY (2017) Design of mutually authenticated key agreement protocol resistant to impersonation attacks for multi-server environment. IEEE Access 5(99):3622–3639CrossRefGoogle Scholar
  33. Wang C, Zhang X, Zheng Z (2016) Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme. PLoS One 11(2):e0149,173CrossRefGoogle Scholar
  34. Wang D, Wang P (2014) Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks. Ad Hoc Netw 20(2):1–15CrossRefGoogle Scholar
  35. Xie Q, Wong DS, Wang G, Tan X, Chen K, Fang L (2017) Provably secure dynamic id-based anonymous two-factor authenticated key exchange protocol with extended security model. IEEE Trans Inf Forensics Secur 12(6):1382–1392CrossRefGoogle Scholar
  36. Yang D, Yang B (2010) A biometric password-based multi-server authentication scheme with smart card. In: International conference on computer design and applications. IEEE, pp V5–554–V5–559Google Scholar
  37. Yoon EJ, Yoo KY (2013) Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J Supercomput 63(1):235–255CrossRefGoogle Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. 1.School of Mathematics and StatisticsWuhan UniversityWuhanChina
  2. 2.State Key Lab of Software Engineering, Computer SchoolWuhan UniversityWuhanChina

Personalised recommendations