Biometric-based Remote Mutual Authentication Scheme for Mobile Device

Remote user authentication schemes provide a way to verify the legitimacy of remote users' authentication requests over an insecure communication channel. In past years, many authentication schemes using passwords and smart cards have been proposed. However, a password might be guessed, leaked or forgotten, and a smart card might be shared, lost or stolen. In contrast, biometrics, which utilize biological characteristics such as the face, fingerprint or iris, have no such weakness. With the trend toward mobile payment, more and more mobile payment applications use biometrics to replace the password and smart card. In this paper, we propose a biometric-based remote authentication scheme that substitutes a biometric and a mobile device bound to the user for the password and smart card. This scheme is more convenient, more suitable and more secure than the schemes using smart cards in a mobile payment environment.


Introduction
With the rapid development of wireless communication networks and e-commerce applications, such as e-banking, mobile payment and other transaction-oriented services, there is a growing demand for protecting the privacy of users' credentials. In recent decades, more and more transactions have been carried out over the internet or wireless networks thanks to the portability of mobile devices, such as laptops, tablet computers, smartphones and smart watches.
More and more authentication systems use biological characteristics as the key. Biometrics is the measurement and statistical analysis of people's physical and behavioral characteristics. Physiological biometrics include the face, iris, fingerprint, ear, voice, palm print, retina, etc. Behavioral biometrics include gait, signature, keystrokes, mouse-use characteristics, etc. Compared with traditional secrets such as passwords, biometric-based secrets have many advantages. Several advantages are described as follows [12]:
• It is difficult to lose or forget biometric keys.
• It is difficult to copy or share biometric keys.
• It is difficult to forge or distribute biometrics.
• It is difficult to guess biometric keys.
• It is more difficult to break biometric keys.
Accordingly, biometrics-based authentication is inherently more reliable than traditional password-based authentication. In 2010, Li and Hwang [7] proposed a biometrics-based remote user authentication scheme using smart cards. In their scheme, they substituted nonces for the use of time synchronization. In 2011, Das et al. [8] analyzed Li and Hwang's scheme and pointed out its security drawbacks. Subsequently, they proposed an efficient remote user authentication scheme to overcome the weaknesses of Li and Hwang's scheme. In 2012, An et al. [9]
Nowadays people rely increasingly on mobile devices, so mobile payment will be the trend in the near future. Payment with smart cards is less convenient than mobile payment. Current mobile payment systems such as Alipay, LINE Pay and Apple Pay adopt virtual currency or credit cards. Users of mobile payment need to store their credit card numbers in their mobile devices. If a thief learns the credit card number, he can complete fraudulent transactions. Every time you use your credit card, you make your card number available to everyone involved in the transaction, from the sales clerk to the billing staff of the creditor. In this paper, we propose a new remote user authentication scheme based on biometric technology. The architecture is shown in Fig. 1. The mobile device uses the camera, microphone, fingerprint reader or other sensors to capture the user's biometric features such as face, iris, fingerprint, voice, etc. The server stores the user's information and biometric file in the server's database.
In the authentication process, the biometric information input by the user is encrypted by the mobile device and sent to a remote authentication server. The biometric authentication system verifies the user's identity by comparing the biometric traits with the data stored in the database. We substitute binding to the mobile device for the smart card: the user can only complete a transaction with the bound device.
This paper is organized as follows: Section 2 gives some background on the Advanced Encryption Standard (AES) and one-way hash functions. Section 3 describes our new biometric-based remote user authentication scheme. Sections 4 and 5 present the security analysis and implementation results. Finally, a conclusion is offered in Section 6.

Advanced Encryption Standard
The Advanced Encryption Standard is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001 [13]. AES is based on the Rijndael cipher [14] developed by Joan Daemen and Vincent Rijmen. NIST selected three different key sizes from the Rijndael cipher, each with a block size of 128 bits. The three distinct key sizes are 128, 192 and 256 bits. AES operates on a 4 × 4 column-major order matrix of bytes and has the following properties.
Fig. 1 Architecture
• AES can be applied to a file of any size and type.
• AES is a symmetric-key algorithm.
• AES is a block cipher using an iterative structure known as a substitution-permutation network.
• AES is fast in both software and hardware.
The number of transformation rounds is determined by the key length used for the AES cipher. AES executes 10, 12 and 14 rounds for key sizes of 128, 192 and 256 bits respectively. Every round consists of several processing steps. There are four main steps: SubBytes, ShiftRows, MixColumns and AddRoundKey. In the SubBytes step, each byte in the state matrix is replaced using a substitution box, the Rijndael S-box. The S-box is derived from the multiplicative inverse over GF(2^8). ShiftRows operates on the rows of the state: it cyclically shifts the bytes in each row by a particular offset. The first row is left unchanged and each byte of the second row is shifted one position to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively; the n-th row is circularly shifted left by n − 1 bytes. In the MixColumns step, the algorithm uses an invertible linear transformation to combine the four bytes of each column of the state. During this operation, each column is transformed using a fixed matrix. In the AddRoundKey step, the subkey is combined with the state. For each round, a subkey is derived from the main key using the Rijndael key expansion algorithm. To combine it with the state, each byte of the subkey is XORed with the corresponding byte of the state. The procedure of AES can be divided into four steps: KeyExpansions, InitialRound, Rounds and FinalRound. In KeyExpansions, the Rijndael key schedule is used to derive round keys from the cipher key. The InitialRound executes AddRoundKey. Each of the Rounds sequentially executes SubBytes, ShiftRows, MixColumns and AddRoundKey. The FinalRound sequentially executes SubBytes, ShiftRows and AddRoundKey.
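As an added illustration of the round structure just described (this is example code written for this page, not code from the paper or from any library it cites), the following pure-Python implementation derives the Rijndael S-box from the GF(2^8) multiplicative inverse, runs the key schedule for 128-, 192- and 256-bit keys, and applies SubBytes, ShiftRows, MixColumns and AddRoundKey in the order given above. It encrypts a single 16-byte block only; a mode of operation and message authentication must be added before it is used on a file. The FIPS-197 Appendix C known-answer vectors are used to check it.

```python
# Added example (not from the paper): textbook AES block encryption in pure Python,
# written to mirror the SubBytes / ShiftRows / MixColumns / AddRoundKey description.
# Educational only: no mode of operation, no padding, no constant-time guarantees.

def _xtime(a: int) -> int:
    """Multiply by x (i.e. 2) in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF

def _gf_mul(a: int, b: int) -> int:
    """General multiplication in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r

def _build_sbox() -> list:
    """Rijndael S-box: multiplicative inverse followed by the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s, b = inv, inv
        for _ in range(4):           # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def round_count(key: bytes) -> int:
    """10, 12 or 14 rounds for 128-, 192- or 256-bit keys."""
    return len(key) // 4 + 6

def _expand_key(key: bytes) -> list:
    """Rijndael key schedule; returns nr+1 round keys, each a list of four 4-byte words."""
    nk, nr = len(key) // 4, round_count(key)
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[v] for v in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:               # extra SubWord for AES-256
            t = [SBOX[v] for v in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [w[4 * r:4 * r + 4] for r in range(nr + 1)]

# The state is a flat list of 16 bytes in column-major order: index 4*col + row.
def _sub_bytes(s): return [SBOX[v] for v in s]
def _shift_rows(s): return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def _add_round_key(s, rk): return [s[4 * c + r] ^ rk[c][r] for c in range(4) for r in range(4)]

def _mix_columns(s):
    """Multiply each column by the fixed MDS matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
    return out

def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block: AddRoundKey, nr-1 full rounds, final round without MixColumns."""
    if len(key) not in (16, 24, 32) or len(block) != 16:
        raise ValueError("key must be 16/24/32 bytes and block exactly 16 bytes")
    rks = _expand_key(key)
    nr = len(rks) - 1
    s = _add_round_key(list(block), rks[0])
    for rnd in range(1, nr):
        s = _add_round_key(_mix_columns(_shift_rows(_sub_bytes(s))), rks[rnd])
    s = _add_round_key(_shift_rows(_sub_bytes(s)), rks[nr])
    return bytes(s)

if __name__ == "__main__":
    # FIPS-197 Appendix C vectors: plaintext 00..ff, key bytes 00..(keylen-1)
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    for klen in (16, 24, 32):
        print(klen * 8, round_count(bytes(klen)), aes_encrypt_block(bytes(range(klen)), pt).hex())
```

The S-box is computed rather than pasted so that the GF(2^8) inverse and affine step from the text are visible; in a real deployment one uses a vetted library such as the one the paper cites, not this code.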

One-Way Hash Function
A one-way collision-resistant hash function h takes as input a binary string x ∈ {0,1}^* of arbitrary length and outputs a binary string h(x) ∈ {0,1}^n of fixed length n. The hash value may serve as the fingerprint of a file, a message or another data block, and the function has the following attributes [11].
• A hash function can be applied to a data block of any size.
• For any given x, it is easy to compute the message digest h(x). Its implementation in software and hardware is simple.
• The output length of the message digest h(x) is fixed.
• Given an output hash value y = h(x) and the hash function h(·), it is computationally infeasible to derive the input x. This property is called the one-way property.
• For any given input x, finding any other input y ≠ x such that h(y) = h(x) is computationally infeasible. This property is referred to as weak collision resistance.
• Finding a pair of inputs (x, y) with x ≠ y such that h(x) = h(y) is computationally infeasible. This property is referred to as strong collision resistance.

New Biometric-Based Authentication Scheme
In this section, we give the detail of our remote authentication scheme. There are four phases in the proposed scheme, which are registration phase, authentication phase, password change phase and UUID change phase. The notations used throughout this paper are summarized in Table 1.

Registration Phase
In this phase, U_i sends the registration request to S_j. Then U_i inputs the user's information and biometric template to accomplish the registration. As shown in Fig. 2, the details of the phase are as follows:
(1) U_i gets a smart card from the service provider through a secure channel (e.g. in person).
Each smart card has a unique identification SID_j and a nonce N_s, which is encrypted and recorded in the service provider's database. When a smart card is activated, it generates a nonce N_s, computes M_1 = h(SID_j) ⊕ N_s and stores M_1 in EEPROM.

Authentication Phase
In this phase, U_i and S_j generate nonces (N_u, N_s) for mutual authentication. After mutual authentication completes, U_i encrypts the biometric template with AES. As shown in Fig. 3, the details of the phase are as follows:
(1) U_i inputs his ID_i and gets the UUID_i from the user's device. Then U_i computes M 10 20 and M 20 are equal. If they are not equal, S_j rejects the session; otherwise, the user passes the authentication and the mutual authentication completes. Then S_j obtains B_c = AES.D(f), where the AES key is M_8 ⊕ N_s. Finally, S_j recognizes the user by using a recognition system to compare B_c with B_i. If B_c and B_i match, S_j confirms that U_i is a legal user; otherwise, S_j stops the session.

Password Change Phase
In this phase, U_i can change the old password PW_i^old to the new password PW_i^new. The details of this phase are illustrated in Fig. 4 and presented as follows:
(1) U_i sends the password-change request to S_j. Then

Uuid Change Phase
In this phase, U_i can change the old device's UUID_i^old to the new device's UUID_i^new. The steps of this phase are similar to those of the password-change phase. The details of this phase are as follows:
(1) U_i sends the UUID-change request to S_j. Then S_j computes M_28 = h(SID_j || PSK) ⊕ N_s.
Finally, S_j sends the message M_28 to U_i.

Mutual Authentication
In Step 1 of the authentication phase, U_i regenerates a nonce N_u and computes

Anonymity
In the authentication process, all the identifiers (ID_i, UUID_i, SID_j) are protected by the hash function. In the message M_12 = h(h(ID_i) || h(UUID_i)) ⊕ N_u, ID_i and UUID_i are further protected by the nonce N_u. The adversary would need N_u, but N_u changes from session to session. Even if the adversary obtains N_u, it is hard to recover ID_i and UUID_i from h(h(ID_i) || h(UUID_i)). As a result, our scheme preserves the user anonymity property.
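To make the hash-and-nonce masking used in these messages concrete, here is an added Python example written for this page (not the authors' implementation; the paper's complete message flow is not reproduced, only the message forms that appear in the text: M_1 = h(SID_j) ⊕ N_s from the registration phase, M_4 = h(PW_i) ⊕ M_2 from the password guessing analysis, M_12 = h(h(ID_i) || h(UUID_i)) ⊕ N_u from the anonymity analysis, and M_28 = h(SID_j || PSK) ⊕ N_s from the UUID change phase). It instantiates h with SHA-256 as the paper's implementation does, uses 32-byte nonces so that nonce and digest can be XORed, and compares the unmasked value in constant time on the server side. ID_i, UUID_i, SID_j, PSK, M_2 and the nonces are constructed sample values; `server_checks_m12` and `anonymity_probe` are helpers invented here to show the check and the per-session variation, not steps named by the paper.

```python
# Added example (not from the paper): the hash-and-XOR message forms of the scheme.
import hashlib
import hmac
import secrets

def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(.), instantiated with SHA-256; '||' is byte concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()

def mask(value: bytes, nonce: bytes) -> bytes:
    """XOR a 32-byte value with a 32-byte nonce (the scheme's ⊕ operation)."""
    if len(value) != len(nonce):
        raise ValueError("XOR operands must have equal length")
    return bytes(a ^ b for a, b in zip(value, nonce))

unmask = mask  # XOR is its own inverse: mask(mask(v, n), n) == v

def new_nonce() -> bytes:
    """Fresh 32-byte nonce from the OS CSPRNG; must match the digest length to be XORed."""
    return secrets.token_bytes(32)

# Registration: M_1 = h(SID_j) ⊕ N_s  (smart card / device side)
def build_m1(sid: bytes, n_s: bytes) -> bytes:
    return mask(h(sid), n_s)

# Registration: M_4 = h(PW_i) ⊕ M_2   (M_2 is a 32-byte value from a step not shown on the page)
def build_m4(pw: bytes, m2: bytes) -> bytes:
    return mask(h(pw), m2)

# Authentication: M_12 = h(h(ID_i) || h(UUID_i)) ⊕ N_u
def build_m12(user_id: bytes, uuid: bytes, n_u: bytes) -> bytes:
    return mask(h(h(user_id), h(uuid)), n_u)

# UUID change: M_28 = h(SID_j || PSK) ⊕ N_s
def build_m28(sid: bytes, psk: bytes, n_s: bytes) -> bytes:
    return mask(h(sid, psk), n_s)

def server_checks_m12(m12: bytes, n_u: bytes, stored_id_hash: bytes, stored_uuid_hash: bytes) -> bool:
    """Server side (hypothetical helper): strip N_u and compare with the registered
    h(h(ID_i) || h(UUID_i)) using a constant-time comparison."""
    expected = h(stored_id_hash, stored_uuid_hash)
    return hmac.compare_digest(unmask(m12, n_u), expected)

def anonymity_probe(user_id: bytes, uuid: bytes, sessions: int = 3) -> bool:
    """True if the same identity produces a different M_12 in every session (fresh N_u each time),
    i.e. an eavesdropper cannot link sessions by the transmitted value alone."""
    seen = {build_m12(user_id, uuid, new_nonce()) for _ in range(sessions)}
    return len(seen) == sessions

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    ID_I, UUID_I, SID_J, PSK = b"alice", b"constructed-device-uuid-0001", b"sid-0001", b"constructed-psk"
    n_u = new_nonce()
    m12 = build_m12(ID_I, UUID_I, n_u)
    print("M_12:", m12.hex())
    print("server accepts with correct N_u:", server_checks_m12(m12, n_u, h(ID_I), h(UUID_I)))
    print("server accepts with wrong N_u:  ", server_checks_m12(m12, new_nonce(), h(ID_I), h(UUID_I)))
    print("M_12 differs across sessions:   ", anonymity_probe(ID_I, UUID_I))
```

Note that the nonce must be as long as the digest: a short nonce padded with zeros would leave part of h(h(ID_i) || h(UUID_i)) exposed in M_12, which is exactly the value the anonymity argument relies on hiding.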

User Impersonation Attack
To impersonate a legal user, the adversary must be able to generate the messages {M_9, M_11, M_12}. The adversary must know the user information ID_i and UUID_i. But ID_i and UUID_i are protected in the message M_11 = h(h(ID_i) || h(UUID_i)) ⊕ N_u. Therefore, our scheme can withstand the user impersonation attack.

Man-in-the-Middle Attack
MITM is an active attack in which the adversary eavesdrops on the communication and tries to extract the information needed to complete the authentication.  ). This attempt will not succeed, since different sessions use different nonces, that is, N_u ≠ N'_u, and the session will be rejected by U_i. Therefore, our scheme can resist the server spoofing attack.

Password Guessing Attack
We make use of a randomly generated nonce to protect users' passwords. Even if an attacker intercepts the message M_4 = h(PW_i) ⊕ M_2 in the registration phase, the combination of a password and a nonce means the attacker cannot guess the password and the nonce at the same time. Thus, it is computationally infeasible for an attacker to guess the user's credentials, and our scheme is free from the password guessing attack.
The security analysis of the related schemes and the proposed scheme is summarized in Table 2. The proposed scheme is relatively more secure than Das's and Li-Hwang's schemes. In addition, the proposed scheme provides mutual authentication between the user and the server, so that each can verify the other's identity before transmitting data.
In Table 3, we compare the computational overhead of the proposed scheme with Das's scheme and Li-Hwang's scheme. Although our scheme requires more computational overhead, it provides more security features. Besides, many operations in our scheme can be pre-computed to cut down the execution time, and the performance evaluation in Section 5 also shows that the execution time is acceptable. We conclude that the proposed scheme is superior to the other schemes.

Adversary Model
According to the classic Dolev-Yao model [17], Das et al.'s threat model [18] and Yu et al.'s assumptions [19], we refine and propose the assumptions about the adversary's abilities enumerated in Table 4.
Definition 1 (one-way hash function). We define a one-way collision-resistant hash function h: {0,1}^* → {0,1}^n that takes an arbitrary-length binary string x ∈ {0,1}^* as input and outputs a fixed-length binary string y = h(x) ∈ {0,1}^n. The advantage of an adversary in finding a collision is defined as follows: where Pr[E] denotes the probability of an event E, and (x, x′) ← A indicates the pair (x, x′) selected randomly by the adversary. Adv^H_A(t) stands for the advantage of the adversary A, over its random choices, within execution time t. The hash function is considered collision-resistant if Adv^H_A(t) is bounded by a negligibly small quantity. We then define the random oracle as follows:

Reveal:
The random oracle will output the input x from the corresponding hash value y = h(x) unconditionally.
The adversary must derive the biometric template B_i to masquerade as the user and pass the authentication. The experimental algorithm is given in Algorithm EXP_{A,auth}.
Adversary capabilities (from Table 4):
• For an n-factor protocol, the adversary can obtain n − 1 of the n authentication factors at the same time.
• Cap. 4: The adversary can obtain the user ID (when evaluating the anonymity of the protocol, the user ID should be assumed to be sensitive information).

Algorithm EXP A, auth
Proof. In this proof, we construct a model in which the adversary tries to derive the encrypted biometric feature to pass the server's authentication. For this purpose, the adversary executes the experimental algorithm EXP_{A,auth}. The success probability of EXP_{A,auth} is defined as Succ_{A,auth} = Pr[EXP_{A,auth} = 1] − 1. The advantage of an adversary for this experiment becomes Adv^H_A(t, q_R) = max{Succ_{A,auth}}, the maximum probability the adversary achieves with execution time t and q_R queries. Our scheme is said to be secure against an adversary masquerading as a user to pass the server's authentication if Adv^H_A(t, q_R) is bounded by a negligibly small quantity.
Consider the experiment EXP_{A,auth}: if the adversary can invert the one-way hash function, he/she can obtain key material to derive the AES key and encrypt a biometric feature that passes the server's authentication. However, by Definition 1, Adv^H_A(t) is negligibly small. Therefore, the adversary's advantage Adv^H_A(t, q_R) is also negligibly small. As a result, the proposed scheme is provably secure against an adversary in this model.

Environment
To evaluate the performance, we implemented a face-based remote authentication scheme on smartphones. We used three different smartphones, the HTC One M8, HTC One M7 and Samsung Galaxy S4, to measure the execution time of the hash function and of AES encryption. We used JPG images of around 1 MB to calculate the average time of AES encryption. We also tested the execution time of the hash function and AES decryption on our server. The server has an Intel Core i7-4790 and 16 GB RAM, and its code is written in PHP and shell script. We implemented AES encryption with the Magic Crypt library [15] shared by Magic Len, and face recognition with the openBR library [16]. In our implementation the hash function is SHA-256 and the AES key length is 256 bits.

Performance Result
In our proposed scheme, the user performs 4 hash computations and 1 AES encryption in the registration phase, and 8 hash computations and 1 AES encryption in the authentication phase. The server performs 2 hash computations in the registration phase, and 6 hash computations and 1 AES decryption in the authentication phase. The user-side result, the average execution time of one SHA-256 hash computation and of one AES encryption, is shown in Table 4. The server-side result shown in Table 5 is the average execution time of one hash computation and one AES decryption. In our implementation we directly encrypt the image, and the AES-encrypted file is slightly larger than the original file. To decrease the amount of transmitted data, the biometric feature can be extracted before carrying out the AES encryption. The computation formula is shown as follows: In Table 6, we present the execution time of encrypting and decrypting images of average size 1 MB on the client side and the server side. This size is almost equal to that of a 512 × 512 BMP image, which can contain the critical biometric features.
To broaden the comparison across testing platforms, we refer to Nur et al.'s research [20] and present the test result in Table 7. In the testing scenario, the AES algorithm with a 256-bit key is executed 20 times. The performance of the Redmi Note 5 is slightly inferior to that of the HTC and Galaxy phones.
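As an added example of how measurements of this kind can be reproduced (example code written for this page, not the authors' test program), the following Python harness times SHA-256 over a constructed 1 MB buffer for a configurable number of runs (20 by default, as in the test scenario above) and combines a measured per-operation time with the per-phase operation counts stated in this section: user side 4 hashes + 1 AES encryption at registration and 8 hashes + 1 AES encryption at authentication; server side 2 hashes at registration and 6 hashes + 1 AES decryption at authentication. The AES timing is passed in as a parameter, since a library-backed AES is needed to encrypt a 1 MB image in reasonable time; the buffer is a deterministic stand-in for an image, not a real biometric.

```python
# Added example (not from the paper): a small timing harness for the per-operation
# costs and the per-phase operation counts given in the Performance Result section.
import hashlib
import time

# Operation counts from the paper: (hash calls, AES calls) per (side, phase).
OP_COUNTS = {
    ("user", "registration"): (4, 1),
    ("user", "authentication"): (8, 1),
    ("server", "registration"): (2, 0),
    ("server", "authentication"): (6, 1),
}

def make_sample(size_bytes: int = 1 << 20) -> bytes:
    """Constructed stand-in for a ~1 MB image file (deterministic, not a real biometric)."""
    return bytes((i * 31 + 7) & 0xFF for i in range(size_bytes))

def average_time(fn, data: bytes, runs: int = 20) -> float:
    """Average wall-clock seconds per call of fn(data) over `runs` runs."""
    if runs <= 0:
        raise ValueError("runs must be positive")
    start = time.perf_counter()
    for _ in range(runs):
        fn(data)
    return (time.perf_counter() - start) / runs

def sha256_time(data: bytes, runs: int = 20) -> float:
    """Average seconds for one SHA-256 digest of `data` (the paper's hash function)."""
    return average_time(lambda d: hashlib.sha256(d).digest(), data, runs)

def phase_time(side: str, phase: str, hash_seconds: float, aes_seconds: float) -> float:
    """Estimated phase cost = hash calls * hash_seconds + AES calls * aes_seconds."""
    n_hash, n_aes = OP_COUNTS[(side, phase)]
    return n_hash * hash_seconds + n_aes * aes_seconds

def phase_table(hash_seconds: float, aes_seconds: float) -> dict:
    """All four (side, phase) estimates, in seconds."""
    return {k: phase_time(k[0], k[1], hash_seconds, aes_seconds) for k in OP_COUNTS}

if __name__ == "__main__":
    data = make_sample()
    t_hash = sha256_time(data)
    print(f"SHA-256 over {len(data)} bytes: {t_hash * 1000:.3f} ms average over 20 runs")
    # aes_seconds=0.0 shows the hashing share only; plug in a measured AES time for the full estimate.
    for (side, phase), secs in phase_table(t_hash, aes_seconds=0.0).items():
        print(f"{side:6s} {phase:14s} hashing only: {secs * 1000:.3f} ms")
```

The hash calls in the protocol operate on short values (identifiers and digests), so hashing a 1 MB buffer overstates their cost; the harness is parameterised by `data` so that both the short-input and the whole-image cases can be timed with the same code.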

Average Execution Time (formula; terms ImageSize_i, CryptAlgo_n)

Conclusion
In this paper, we propose a biometric-based remote authentication scheme between mobile devices and cloud servers using AES encryption. The security analysis shows that the proposed scheme satisfies the security requirements of a remote authentication system. In our proposed scheme, we substitute a bound mobile device for the smart card. The proposal is more convenient and suitable for the mobile payment environment. Therefore, our scheme provides both security and convenience for the authentication scheme of mobile payment.