A secure and improved multi server authentication protocol using fuzzy commitment


The advancement in communication and computation technologies has paved the way for connecting a large number of heterogeneous devices to offer specified services. Still, the advantages of this advancement are not realized completely due to inherent security issues. Most of the existing authentication mechanisms ensure the legitimacy of a requesting user through a single server, leading to multiple registrations and corresponding credential storage on the user side. Intelligent multimedia networks (IMN) may encompass a wide range of networks and applications. However, the privacy and security of IMN cannot be ensured through traditional multi sign-on/single-server authentication systems. Multi-server authentication systems can enable a user to acquire services from multiple servers using a single registration and a single set of credentials (i.e., password, smart card, etc.) and can accomplish IMN security and privacy needs. In 2018, Barman et al. proposed a multi-server authentication protocol using fuzzy commitment. The authors claimed that their protocol provides anonymity while resisting all known attacks. In this paper, our analysis shows that Barman et al.’s protocol is still vulnerable to an anonymity violation attack and to impersonation based on a stolen smart card attack; moreover, it has an incomplete login request and is prone to scalability issues. We then propose an enhanced protocol to overcome the security weaknesses of Barman et al.’s scheme. The security of the proposed protocol is verified using BAN logic and the widely accepted automated AVISPA tool. The BAN logic and automated AVISPA analyses, along with the informal analysis, ensure the robustness of the scheme against all known attacks.



References

  1. Ali R, Pal AK (2017) Three-factor-based confidentiality-preserving remote user authentication scheme in multi-server environment. Arab J Sci Eng 42(8):3655–3672

  2. Amin R, Biswas G (2015) A novel user authentication and key agreement protocol for accessing multi-medical server usable in tmis. Journal of medical systems 39(3):33

  3. Armando A, Basin D, Cuellar J, Rusinowitch M, Viganò L (2006) Avispa: automated validation of internet security protocols and applications. ERCIM News 64(January)

  4. Arshad H, Nikooghadam M (2016) An efficient and secure authentication and key agreement scheme for session initiation protocol using ecc. Multimedia Tools and Applications 75(1):181–197

  5. Barker E, Barker W, Burr W, Polk W, Smid M (2012) Recommendation for key management part 1: General (revision 3). NIST special publication 800(57):1–147

  6. Barman S, Das AK, Samanta D, Chattopadhyay S, Rodrigues JJ, Park Y (2018) Provably secure multi-server authentication protocol using fuzzy commitment. IEEE Access 6:38,578–38,594

  7. Burrows J (2015) Secure hash standard. fips pub 180-1, national institute of standards and technology (nist), us department of commerce april 1995

  8. Burrows M, Abadi M, Needham RM (1989) A logic of authentication. Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences 426(1871):233–271

  9. Canetti R, Krawczyk H (2001) Analysis of key-exchange protocols and their use for building secure channels. In: International conference on the theory and applications of cryptographic techniques, pp 453–474. Springer

  10. Chaudhry SA, Naqvi H, Khan MK (2018) An enhanced lightweight anonymous biometric based authentication scheme for tmis. Multimedia Tools and Applications 77(5):5503–5524

  11. Chen CM, Wang KH, Yeh KH, Xiang B, Wu TY (2019) Attacks and solutions on a three-party password-based authenticated key exchange protocol for wireless communications. Journal of Ambient Intelligence and Humanized Computing 10(8):3133–3142

  12. Chen CM, Xiang B, Liu Y, Wang KH (2019) A secure authentication protocol for internet of vehicles. IEEE Access 7:12,047–12,057

  13. Chuang MC, Chen MC (2014) An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Systems with Applications 41(4):1411–1418

  14. Debiao H, Jianhua C, Rui Z (2012) A more secure authentication scheme for telecare medicine information systems. Journal of medical systems 36(3):1989–1995

  15. Dolev D, Yao A (1983) On the security of public key protocols. IEEE Transactions on information theory 29(2):198–208

  16. Ghani A, Mansoor K, Mehmood S, Chaudhry SA, Rahman AU, Najmus Saqib M (2019) Security and key management in iot-based wireless sensor networks: an authentication protocol using symmetric key. Int J Commun Syst 32(16):e4139

  17. Hao F, Anderson R, Daugman J (2006) Combining crypto with biometrics effectively. IEEE transactions on computers 55(9):1081–1088

  18. He D, Wang D (2014) Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst J 9(3):816–823

  19. Hussain S, Chaudhry SA (2019) Comments on “biometrics-based privacy-preserving user authentication scheme for cloud-based industrial internet of things deployment”. IEEE Internet of Things Journal 6(6):10,936–10,940

  20. Irshad A, Sher M, Chaudhry SA, Xie Q, Kumari S, Wu F (2018) An improved and secure chaotic map based authenticated key agreement in multi-server architecture. Multimedia Tools and Applications 77(1):1167–1204

  21. Irshad A, Sher M, Nawaz O, Chaudhry SA, Khan I, Kumari S, et al. (2017) A secure and provable multi-server authenticated key agreement for tmis based on amin. scheme. Multimedia Tools and Applications 76(15):16,463–16,489

  22. Juang WS, Chen ST, Liaw HT (2008) Robust and efficient password-authenticated key agreement using smart cards. IEEE Trans Ind Electron 55(6):2551–2556

  23. Juels A, Wattenberg M (1999) A fuzzy commitment scheme. In: Proceedings of the 6th ACM conference on Computer and communications security, pp 28–36. ACM

  24. Kilinc HH, Yanik T (2014) A survey of sip authentication and key agreement schemes. Communications Surveys & Tutorials, IEEE 16(2):1005–1023

  25. Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Annual international cryptology conference, pp 388–397. Springer

  26. Kumar V, Ahmad M, Kumari A, Kumari S, Khan M (2019) Sebap: a secure and efficient biometric-assisted authentication protocol using ecc for vehicular cloud computing. Int J Commun Syst, pp e4103. https://doi.org/10.1002/dac.4103

  27. Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772

  28. Lee J, Ryu S, Yoo K (2002) Fingerprint-based remote user authentication scheme using smart cards. Electron Lett 38(12):554–555

  29. Lin CH, Lai YY (2004) A flexible biometrics remote user authentication scheme. Computer Standards & Interfaces 27(1):19–23

  30. Lin H, Wen F, Du C (2017) An anonymous and secure authentication and key agreement scheme for session initiation protocol. Multimedia Tools and Applications 76(2):2315–2329

  31. Lu Y, Li L, Yang X, Yang Y (2015) Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS One 10(5):e0126323

  32. Lwamo NM, Zhu L, Xu C, Sharif K, Liu X, Zhang C (2019) Suaa: a secure user authentication scheme with anonymity for the single & multi-server environments. Information Sciences 477:369–385

  33. Mansoor K, Ghani A, Chaudhry SA, Shamshirband S, Ghayyur SAK (2019) Securing iot based RFID systems: a robust authentication protocol using symmetric cryptography. Sensors 19:21. https://doi.org/10.3390/s19214752

  34. Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE transactions on computers 51(5):541–552

  35. Mir O, Nikooghadam M (2015) A secure biometrics based authentication with key agreement scheme in telemedicine networks for e-health services. Wirel Pers Commun 83(4):2439–2461

  36. Mishra D, Das AK, Mukhopadhyay S (2014) A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl 41(18):8129–8143

  37. Mitchell CJ, Tang Q (2005) Security of the lin-lai smart card based user authentication scheme. Technical Report

  38. Nguyen NT, Chang CC (2018) A biometric-based authenticated key agreement scheme for session initiation protocol in ip-based multimedia networks. Multimedia Tools and Applications 77(18):23,909–23,947

  39. Qi M, Chen J (2017) An efficient two-party authentication key exchange protocol for mobile environment. Int J Commun Syst 30(16):e3341

  40. Qi M, Chen J (2018) New robust biometrics-based mutual authentication scheme with key agreement using elliptic curve cryptography. Multimedia Tools and Applications 77(18):23,335–23,351

  41. Ratha NK, Chikkerur S, Connell JH, Bolle RM (2007) Generating cancelable fingerprint templates. IEEE Transactions on pattern analysis and machine intelligence 29(4):561–572

  42. Ravanbakhsh N, Nazari M (2018) An efficient improvement remote user mutual authentication and session key agreement scheme for e-health care systems. Multimedia Tools and Applications 77(1):55–88

  43. Reddy AG, Das AK, Odelu V, Ahmad A, Shin JS (2018) A privacy preserving three-factor authenticated key agreement protocol for client–server environment. Journal of Ambient Intelligence and Humanized Computing 10(2):661–680

  44. Reddy AG, Yoon EJ, Das AK, Odelu V, Yoo KY (2017) Design of mutually authenticated key agreement protocol resistant to impersonation attacks for multi-server environment. IEEE access 5:3622–3639

  45. Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126

  46. Sood SK, Sarje AK, Singh K (2011) A secure dynamic identity based authentication protocol for multi-server architecture. J Netw Comput Appl 34(2):609–618

  47. Wang C, Zhang X, Zheng Z (2016) Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme. PLoS One 11(2):e0149173

  48. Wu ZY, Lee YC, Lai F, Lee HC, Chung Y (2012) A secure authentication scheme for telecare medicine information systems. Journal of medical systems 36(3):1529–1535

  49. Zhu Z (2012) An efficient authentication scheme for telecare medicine information systems. Journal of medical systems 36(6):3833–3838


Author information



Corresponding author

Correspondence to Anwar Ghani.


Cite this article

Rehman, H.U., Ghani, A., Chaudhry, S.A. et al. A secure and improved multi server authentication protocol using fuzzy commitment. Multimed Tools Appl (2020). https://doi.org/10.1007/s11042-020-09078-z



  • Multi-server
  • Authentication
  • Fuzzy commitment
  • Security
  • BAN logic