A software agent enabled biometric security algorithm for secure file access in consumer storage devices

Transcription

1 A software agent enabled bometrc securty algorthm for secure fle access n consumer storage devces Artcle Accepted Verson Amn, R., Sherratt, R. S., Gr, D., Islam, S. K. H. and Khan, M. K. (2017) A software agent enabled bometrc securty algorthm for secure fle access n consumer storage devces. IEEE Transactons on Consumer Electroncs, 63 (1). pp ISSN do: Avalable at It s advsable to refer to the publsher s verson f you ntend to cte from the work. Publshed verson at: To lnk to ths artcle DOI: Publsher: IEEE All outputs n CentAUR are protected by Intellectual Property Rghts law, ncludng copyrght law. Copyrght and IPR s retaned by the creators or other copyrght holders. Terms and condtons for use of ths materal are defned n the End User Agreement.

2 CentAUR Central Archve at the Unversty of Readng Readng s research outputs onlne

3 1 Full-Text verson Ttle: A Software Agent Enabled Bometrc Securty Algorthm for Secure Fle Access n Consumer Storage Devces Authors: Ruhul Amn, Department of Computer Scence and Engneerng, Thapar Unversty, Patala, Punjab, Inda (e-mal: amn_ruhul@lve.com) R. Smon Sherratt, Fellow, IEEE Department of Bomedcal Engneerng, the Unversty of Readng, RG6 6AY, UK (e-mal: sherratt@eee.org) Debass Gr Department of Computer Scence and Engneerng, Halda Insttute of Technology, Halda , Inda (e-mal: debass_gr@hotmal.com) Hafzul Islam Department of Computer Scence and Engneerng, Indan Insttute of Informaton Technology, Kalyan, West Bengal , Inda (e-mal: haf786@gmal.com) Muhammad Khurram Khan, Senor Member, IEEE Center of Excellence n Informaton Assurance (CoEIA), Kng Saud Unversty, Ryadh 11451, Saud Araba (e-mal: mkhurram@ksu.edu.sa) Publcaton: IEEE Transactons on Consumer Electroncs Publsher: IEEE Volume: 63 Issue: 1 Date: February 2017 pp.: not yet assgned DOI: not yet assgned Abstract In order to resst unauthorzed access, consumer storage devces are typcally protected usng a low entropy password. However, storage devces are not fully protected aganst an adversary because the adversary can utlze an off-lne dctonary attack to fnd the correct password and/or run an exstng algorthm for resettng the exstng password. In addton, a password protected devce may also be stolen or msplaced allowng an adversary to easly retreve all the stored confdental nformaton from a removable storage devce. In order to protect the consumer s confdental nformaton that has been stored, ths paper proposes a mutual authentcaton and key negotaton protocol that can be used to protect the confdental nformaton n the devce. The functonalty of the protocol enables the storage devce to be secure aganst relevant securty attacks. A formal securty analyss usng Burrows-Abad-Needham (BAN) logc s presented to verfy the presented algorthm. In addton, a performance analyss of the proposed protocol reveals a sgnfcantly reduced communcaton overhead compared to the relevant lterature. Index Terms Securty Protocol, Bometrc, Computer System, BAN logc, Fle Secrecy

4 2 I. INTRODUCTION Consumer storage s commonly used to store and retreve dgtal nformaton. Consumers often store confdental nformaton, fles, or dgtal meda purchases n the devce. These devces are low cost and easly portable so the consumer often carres the devce when travellng. As a result, the devce may be lost or stolen by an adversary. If the confdental nformaton s not protected, an adversary can easly retreve the stored nformaton from the devce memory. However, the adversary faces a problem to retreve the nformaton from the store f the devce s password protected. It s worth notng that a user s password (typcally low entropy) cannot provde a strong secure system under a cryptographc dctonary attack. Indeed, many technques are currently avalable to guess the password to access the devce. Mutual authentcaton and key agreement protocols are a popular paradgm n clent-server envronments to prevent unauthorzed access. In 1981, Lamport [1] frst ntroduced the secure communcaton clent-server archtecture and then numerous protocols [2]-[4] have been proposed for several applcatons, ncludng wreless sensor networks [5], medcal systems [6] and fle securty for USB based Mass Storage Devces (USB MSD) [7]-[12]. In order to provde secure access, authentcaton protocols play an mportant role. Sgnfcant lterature s now avalable to provde solutons to protect confdental fles stored n a USB MSD. Yang et al. [7] frst proposed a secure authentcaton protocol usng the Schnorr Sgnature to protect the nformaton stored. However, Chen et al. [8] argued that the protocol from Yang et al. [7] was not secure aganst the forgery attack and the replay attack. Furthermore, Lee et al. [9] argued that the protocol by Chen et al. [8] was computatonally neffcent. In order to solve the securty weaknesses, Lee et al. [9] proposed the three-factor authentcaton protocol based on ellptc curve cryptography. The protocol from Lee et al. [9] requred the user s password, bometrc and smartcard nformaton as authentcaton tokens. More recently, He et al. [10] demonstrated that the protocol proposed by Lee et al. [9] was not secure aganst the password guessng attack, Denal-of-Servce (DoS) attack and the replay attack, so proposed an mproved three-factor authentcaton scheme. In order to resst the DoS attack, He et al. [10] employed the concept of the fuzzy extractor [13], [14]. In 2015, Amn and Bswas [15] proposed a three-factor authentcaton protocol for the same envronment usng a hash functon to acheve a lower computaton cost than exstng protocols [9], [10]. Ths paper proposes a mutual authentcaton and key agreement protocol to provde only authorzed access to confdental nformaton stored on the devce wth the ad of a Regstraton Server (RS). A new user completes a regstraton procedure wth RS allowng RS to delver a lnk va e-mal from whch the user can download and nstall regstraton software n ther devce whch also ncorporates the requred secure access nformaton relevant for only each user. In order to provde secure access to fles, the user provdes the necessary dentty, password and bometrc nformaton. The devce checks the legtmacy of the user and then negotates a sesson key wth RS. It s to be noted that ths sesson key s used to encrypt the fles n the storage devce. The rest of the paper s organzed as follows: Secton II presents an overvew of the contrbuton and the novelty clams. Secton III presents the hash functon, fuzzy extractor and ellptc curve cryptography. The proposed protocol s provded n Secton IV. The securty analyss usng BAN logc s dscussed n Secton V. Secton VI provdes the performance evaluaton and comparson of the proposed protocol wth related protocols. Secton VII concludes the paper. TABLE I shows the nomenclature that s used throughout the paper.

5 3 TABLE I NOMENCLATURE Term Usage U -th user RS Remote server PW Password of user U BT Bometrc Template of user U ID Identty of user U E k[] Symmetrc key encrypton usng key k D k[] Symmetrc key decrypton usng key k x Secret key of the remote server (P x, P y) x and y coordnate of the ellptc curve pont P T Current tmestamp of U s storage devce T j Current tmestamp of the Remote server ΔT Estmated tme delay UNSID Unque software dentty SL Software lnk h( ) Cryptographc one-way hash functon REP() REP procedure n fuzzy extractor GEN() GEN procedure n fuzzy extractor Btwse XOR operator Concatenaton operator (a.b) Pont multplcaton operaton of a and b II. SYSTEM ENVIRONMENT In ths work, a Regstraton Server (RS) delvers a lnk to all the users who have performed regstraton successfully, and then each user uses the lnk to obtan and nstall software n ther devce whle also provdng ther credentals (password, dentty and bometrc sgnature.) Note that whle the password may be guessed, t s hard to guess bometrc sgnatures. Then, the software encrypts mportant fles by usng a negotated key to provde securty on the storage fle. Whenever, the user of that devce wants to access that fle, RS frst verfes the user and then provdes a decrypton key to recover the orgnal fle. All the fles are then encrypted usng a new sesson key. However, we argue that a storage devce wll stll not be completely securty protected. Hence, we have devsed a standard securty protocol whch protects the storage devce to defend unauthorzed access. Frstly we have used the concept of bometrc data along wth a password n our protocol, hence t s dffcult to guess the password along wth bometrc nformaton. Secondly, an attacker cannot utlze a resettng technque, as we have mentoned n our protocol that f the attacker desres to use resettng technque, he/she frst has to logn nto the system. As the attacker cannot logn nto the system wthout bometrc data, the resettng technque s not usable. Ths paper acheves the followng contrbutons: A mutual authentcaton and key negotaton protocol to provde securty protecton of the stored nformaton on the storage devce, Securty analyss to show that the proposed protocol s robust aganst known securty attacks. Furthermore, n the proposed scheme, the mutual authentcaton and sesson key agreement have been verfed usng BAN logc. Sgnfcantly less communcaton overhead and computaton costs than other related systems. III. PRELIMINARIES Ths secton defnes the fuzzy extractor [10]-[14] and the hash functon [15] to analyze the securty of the proposed protocol. Furthermore, the hardness assumpton on the ellptc curve group s dscussed. Defnton 1: A cryptographc one-way hash functon maps a bnary strng of an arbtrary length to a bnary strng of fxed length, called the hashed value. It can be symbolzed as: :{0,1}* {0,1} n h, where n s a postve nteger. The propertes of the hash functon have been presented [4], [5]. Defnton 2: A fuzzy system based collson resstant extractor can be modeled as a procedure whch takes a bnary strng, say b, of some metrc space M 0,1 n as an nput for some postve number n and outputs a random strng, say 0,1 l for some

6 4 postve number l and an auxlary strng, say r procedure s denoted by GEN: space 0,1 n M, where b b 0,1 for some postve number r, where r can be l or n. Ths mappng M. Another procedure whch takes two nputs: () a bnary strng say, 0,1, and () an unform dstrbuton bnary strng say, r 0,1 l as output. Ths mappng procedure s denoted by REP : M. b of the metrc, and t produces the random strng A. Ellptc Curve Cryptography (ECC) The concept of ellptc curve cryptography was ntroduced by Kobltz [16] and Mller [17], to desgn publc key cryptosystems. Let Ep a, b be a set of ellptc curve ponts over prme feld F p, where p s a large prme number. The ellptc curve equaton s defned as: G y p F p 2 3 x axbmod p wth a b 3 2 and, Fp 4a 27b mod p 0. The addtve ECC group s defned as: {( x, y) : x, y and ( x, y) Ep( a, b)} { O}, where the pont O s known as the Pont at Infnty. The scalar pont multplcaton on the cyclc group G p s defned as: [k].p = P + P + + P), that means k tmes addton of P. Defnton 3: Ellptc curve dscrete logarthm problem: Gven Q, R Gp, computaton of the nteger k Z p * s hard, where R k. Q. Defnton 4: Ellptc curve computatonal Dffe-Helman problem: Gven a. b. P s hard. P, a. P, b. P, for some a, b Z p *, computaton of IV. PROPOSED PROTOCOL Ths secton descrbes the proposed mutual authentcaton and key negotaton protocol, whch ncludes seven phases, (A) Regstraton and software nstallaton phase, (2) Logn phase, (C) Mutual authentcaton and key negotaton phase, (D) Fle management phase, (E) Fle accessng phase, (F) Password renewal phase and (G) Bometrc renewal phase. Intally, RS chooses a secret key x and computes P x. P as the correspondng publc key. It should be noted that executon of the regstraton phase and the regstraton software nstallaton phase s performed only once. pub A. Regstraton and Software Installaton Phase Intally, each new user U must complete a regstraton procedure wth RS. In ths phase, U provdes ther nformaton securely or n person (off-lne mode) to RS. Then, RS securely sends to U, va e-mal, a lnk to downloadable regstraton software whch must be nstalled n the storage devce. The descrpton of ths phase s gven below: Step 1: U frst chooses ID, PW and scans the user s bometrc template, BT, such as a fngerprnt. Ths work uses the bometrc template to provde a hgh degree securty snce bometrc templates cannot easly be forged [10]-[15]. U s devce computes PWB hpw b, where b s a random number generated by U and then sends ID, PWB, BT and a vald e- mal address to RS securely ether usng Transport Layer Securty (TLS) or n person (off-lne mode.) Step 2: After recevng the regstraton message, RS computes, GEN BT, A hpwb, G hid x B G PWB, C hid PWB and D E A B C, where GEN() s the fuzzy extractor functon. G, Step 3: RS then embeds D, ID, B, GEN (), REP(), h() nto the requred regstraton software ncludng all necessary parameters for the ECC cryptosystem. The regstraton software s a smple software applcaton that must be nstalled n the consumer devce. RS needs to mantan a database for storng all the regstraton nformaton for all the consumers. RS stores

7 ID, UNSID, SL, nto the database, where UNSID and SL are the unque software dentty and software lnk respectvely, and ndcates empty attrbutes used to store the encrypted key. Fnally, RS delvers to U va e-mal a lnk to user specfc regstraton software (that ncludes SL.) Ths regstraton software s provded by the regstraton server to all the consumers wth the software content varyng wth the user. Step 4: After recevng the lnk for U to download the regstraton software, U nstalls t on ther personal storage devce. U then nputs b nto the regstraton software. Fnally, the regstraton software nstalled n U s storage devce contans D, ID, B, b, GEN (), REP (), h(). 5 B. Logn Phase Ths phase ensures that a non-regstered user could not nstall the regstraton software wthout provdng the correct nformaton. The devce runs the regstraton software now nstalled n the storage devce and the software requests U to nput ther dentty, password and bometrc nformaton (ID, PW and BT ). Then the regstraton software checks the legtmacy of U by verfyng PWB h PW b, G B PWB A B C D D, the user s nformaton by calculatng hid PWB C, REP B, and A hpwb, G. The regstraton software checks whether the condtons A? A and B? B holds. If both the condtons are true, then the regstraton software of U accepts that the nformaton provded by U s correct; otherwse, t aborts the sesson. C. Mutual Authentcaton and Key Negotaton Phase Ths phase frst acheves mutual authentcaton and then negotates a sesson key between the regstraton software of U and RS over an nsecure channel. In ths process, U and RS perform the followng steps: Step 1: U runs the regstraton software nstalled n hs/her devce and then provdes ther ID, PW and BT to the regstraton PWB h PW b, G B PWB A B C D D, software. Then the regstraton software of U computes hid PWB C, REP B, and A hpwb, G. The regstraton software n U s devce checks condtons A? A and B? B. If both the condtons are not correct, regstraton software of U aborts the connecton; otherwse, accepts U. Step 2: The regstraton software n U generates random number r and sends where M ID, M5, T to RS through an nsecure channel, M1 [ r ]. P, M 2 [ ]. M1, M 3 ( K x, K y ) [ G ]. Ppub, M h ID M M T K ) and 5 K ( x 1 4 E M M PWB C ). Step 3: After recevng 4 ( 1 2 y ID, M5, T, RS frst checks the exstence of ID n the user database held by RS. If the entry does not exst then RS rejects the connecton, otherwse RS checks the tmestamp valdty condton T j T T holds, where T j s the current tmestamp of RS. If t does not hold, RS rejects the connecton; otherwse RS computes the legtmacy of U by G h ID x, computng M K K G P 3 x, y. pub, M1 M 4 PWB C D M 5, K x h ID PWB C, M. M and 2 1 M 3 h( ID M1 M 2 T K y ). RS checks whether M3?M3 s true. If t s correct, then RS accepts U ; otherwse, rejects U. Step 4: RS generates random number 7 K 6 j y r j and computes j j. 2, M 6 hid PWB Kx rj Tj r M M E M r. RS sends M 7 to the regstraton software n U through a publc channel. and

8 6 Step 5: After recevng M 7, the regstraton software n U frst checks whether the tmestamp valdty condton T jc T T holds, where T jc s the current tmestamp at the user end. If t fals, the regstraton software of U termnates the sesson; otherwse, t decrypts M 7 to obtan M, 6 r j as M6 r D M7. The regstraton software n U further computes 6 x j j j K y M h ID PWB K r T and checks M M 6 6. If true, RS s verfed. Then regstraton software n U computes sesson key as [ rj]. M 2, whch must be equal to j and used to encrypt desred fles stored n the memory of the consumer storage devce. j D. Fle Management Phase After performng mutual authentcaton and key negotaton, the regstraton software can encrypt any chosen fles (F 1, F 2,, F n), usng the encrypton key for securty protecton. Note that, the regstraton software n U can forget the encrypton key after encryptng any fles and send a confrmaton message to RS. In ths proposed protocol, RS mantans a table aganst each user U wth the dentty ID. Now, RS stores hid x n the table aganst the dentty ID. E. Fle Accessng Phase In ths phase, U makes a request to RS to access the encrypted fles stored n the consumer s storage devce. In order to do t, U executes Steps 1-3 of the mutual authentcaton and key negotaton phase to verfy the legtmacy of U and generate a new sesson key. After the verfcaton, RS frst generates a random number j j. 2, where j j r M x j j, M7 E M 6 rj M 6 h ID PWB K r T computes the old sesson key r j rj rj and then computes the new sesson key and the random numbers are dfferent n each sesson. Furthermore, RS then computes and retreves hid x Ky. Fnally, RS computes M E channel. Then, the regstraton software n U decrypts M 7 and M 8 usng from the local table n RS and then 8 K and sends 7,M 8 x legtmacy of RS, the regstraton software n U computes M 6 hid PWB Kx rj Tj y x M to U through an nsecure K and K respectvely. In order to verfy the. If M M, the regstraton 6 6 software of U rejects the connecton; otherwse, decrypts the encrypted fles usng the old key obtaned from M 8 and can then access the fles. After that, the regstraton software n U encrypts all the requred fles usng the new key r. M. Fnally, the regstraton software n U sends a confrmaton message to RS that the obtaned encrypted j j 2 fle s correct. Next, RS stores hid x n the table aganst ID. F. Password Renewal Phase Ths phase s nfrequently used and the choce s dependent on the needs of the user. The descrpton of the password update procedure s gven as follows: Step 1: U runs the regstraton software nstalled n ther devce, then provdes ther ID, the current PW and BT. Then the U PWB h PW b, G B PWB A B C D D h ID PWB C, regstraton software computes REP B, and A hpwb If fasle U aborts the sesson., G, A. The regstraton software n U checks whether both A? and B? B hold. Step 2: U nputs a new password * PW. The regstraton software n U computes PWB * * h PW b * *, C hid PWB and D * * * * E A B C A h PWB * *. G, B * * G PWB,

9 7 * Step 3: Fnally, the regstraton software n U replaces D wth new value D and keeps the remanng nformaton unchanged. Thus, U can change ther old password wthout requestng any assstance from RS. G. Bometrc Renewal Phase The executon of ths phase s mportant whenever an exstng user s wllng to update ther bometrc nformaton. The descrpton of ths phase s gven as follows: Step 1: U runs the regstraton software nstalled the devce and then provdes prevous logn nformaton ID, PW and BT to the regstraton software. Then the regstraton software n U computes PWB hpw b A B C D D G,, hid PWB C, REP B, and A hpwb A U checks that both condtons A? and B? B. If false, the regstraton software n U aborts the sesson. Step 2: U nputs new the bometrc table A h PWB * * * *, C hid PWB G B PWB,. The regstraton software n * * * * BT. the regstraton software of U computes, GEN BT * * *, and D EG A B C., * Step 3: Fnally, the regstraton software n U replaces D wth the new value D and keeps the remanng nformaton unchanged. Thus, U can change/renew bometrc nformaton wthout requestng any assstance from RS. V. SECURITY ANALYSIS Ths secton explores the securty of the proposed mutual authentcaton and key negotaton protocol. Ths work employs BAN logc [5], [10], [18], [19] to demonstrate that the proposed protocol provdes secure authentcaton. The nformal securty analyss examnes that the proposed protocol s secure aganst relevant securty attacks. A. Authentcaton Proof based on BAN Logc In ths secton, the securty of the proposed protocol s analyzed usng BAN logc. BAN logc s a well-known securty verfcaton and analyss model. It has been wdely used for analyzng the securty of authentcaton and sesson key agreement protocols. Some prelmnares and notatons of BAN logc: a) Prncpals are those agents nvolved n the protocol (usually people or programs). b) Keys are used to encrypt messages symmetrcally. c) Publc Keys are smlar to keys except that they are used n pars. d) Nonces are message parts that are not meant to be repeated. e) Tmestamps are smlar to nonce n that they are unlkely to be repeated. Relevant BAN logc statements that are useful for analyzng securty of the proposed protocol are: R1: P X: P beleves X or P would be enttled to beleve X. In partcular, P can take X as true R2: P X: P sees X. P has receved some message X and s capable of readng and repeatng t. R3: P ~X: P once sad X. P at some tme sent a message ncludng the statement X. It s not known whether ths s a replay, though t s known that P beleved X when t was sent. R4: P X: P has jursdcton over X. The prncpal P s an authorty on X and should be trusted on ths matter. R5: (X): The message X s fresh. R6: (X, Y): The formulae X or Y s one part of the formulae (X, Y). R7: <X> Y: The formulae X combned wth the formulae Y. R8: {X} K: The formulae X s encrypted under the formulae K. R9: (X) K: The formulae X s hashed wth the key K. R10: P K Q: Prncpal P and Q communcate va shared key K. R11: P Q: The formulae X s a secret known only to P and Q only and possble to prncpal trusted by them.

10 8 R12: : The sesson key used n the current sesson. Relevant logcal postulates of BAN logc for ths work are: The message-meanng rule: P K Q, P X, P Q ~ X f the prncpal P beleves that the secret key K s shared wth the prncpal Q and P receves the message X encrypted wth K then, P beleves that the prncpal Q once sent the message X. P ( X ) The freshness-conjuncatenaton rule:, P ( X, Y ) f the prncpal beleves that X s fresh, then the prncpal P beleves freshness of (X, Y). P ( X ), P ( Y ) The belef rule:, P ( X, Y ) f the prncpal P beleves X and Y, then the prncpal P beleves (X, Y). The nonce verfcaton rule: P ( X ), P Q ~ X, P Q X f the prncpal P beleves that X s fresh and the prncpal Q once sent X then, prncpal P beleves that Q beleves X. The jursdcton rule: P Q X, P Q X, P X f the prncpal beleves that Q has jursdcton over X and Q beleves X, then P beleves that X s true. The sesson key rule: P ( X ), P Q ( X ), K P P Q f the prncpal P beleves that the sesson key s fresh and the prncpal P and Q beleves X, whch are the necessary parameters of the sesson key, then prncpal P beleves that he/she shares the sesson key K wth Q. In order to prove the proposed protocol secure, the proposed protocol must satsfy the followng goals based on BAN logc, where RS and U defne regstraton server and consumer respectvely. Goal 1: U Goal 2: U Goal 3: Goal 4: U RS RS U RS RS RS U RS U RS U The proposed protocol s transformed to the dealzed form as: MSG 1 : U RS : ID, M5, T : M 1 G MSG 2 : RS U : M 7 : r j K x The followng assumptons about the ntal state of the protocol are gven: ASM : U ( r, r ) 1 2 j ASM : RS ( r j, r ) ASM : U 3 ASM4 ASM 5 G U RS Kx : RS RS U : U RS r j

11 9 ASM6 : RS U r Applyng BAN logc rules and assumptons: MSG 1 : U RS : ID, M5, T : M 1 G Thus S1: RS ID, M5, T : M 1 G Applyng assumpton ASM 4, S1 and message meanng rule gves: S2: RS U ~ M1 Accordng to ASM 2, S2, freshness-conjuncatenaton and nonce verfcaton rule: S3: RS U M1, where nformaton of the parameter M1 s used to computed the sesson key n our protocol. Accordng to ASM 6, S3 and jursdcton rule: S4: RS M1 Accordng to ASM 2, S3 and sesson key rule: S5: RS RS U (Goal 3) Accordng to ASM 2, S5 and nonce verfcaton rule: S6: RS U RS U (Goal 4) MSG 2 : RS U : M 7 : Accordng to seeng rule: S7: U : M 7 : r j K x r j K x Applyng the assumpton ASM 3, S7 and message meanng rule: S8: U RS ~ rj Accordng to ASM 1, S8, freshness-conjuncatenaton and nonce verfcaton rule: S9: U RS rj, where nformaton of the parameter rj s used to computed sesson key n our protocol. Accordng to ASM 5, S9 and jursdcton rule: S10: U rj Accordng to ASM 1, S9 and sesson key rule: S11: U U RS (Goal 1) Accordng to ASM 1, S11 and nonce verfcaton rule: S12: U RS U RS (Goal 2) The above justfcaton clams that the declared goals have been successfully proven usng BAN logc model. Therefore, t can be clamed that the proposed protocol successfully provdes mutual authentcaton property as well as sesson key negotaton between the user and RS.

12 10 B. Further Securty Analyss It has been observed that numerous authentcaton protocols [1], [2], [13], [14], [17], [20] analyze the reslence aganst known attacks through nformal securty analyss [21], [22]. Therefore, ths secton provdes the descrpton of the reslence aganst the known securty attacks, such as off-lne password guessng attack, prvleged nsder attack, user mpersonaton attack, server mpersonaton attack, known key securty attack, stolen-verfer attack, DoS attack and mutual authentcaton. 1) Off-lne password guessng attack Durng the regstraton phase, U s password PW was never transmtted to RS n plantext form and the computaton of PWB depends on PW and random number b. Therefore, f the adversary wants to guess PW, they have to frst know PWB, whch s used to compute M 5 n Step 2 of mutual authentcaton and sesson key negotaton phase, where 5 Kx 1 4 M E M M PWB C and PWB s encrypted wth key K x. Thus, the adversary cannot retreve Accordngly, the adversary cannot compute PWB usng M 6 wthout ths proposed protocol clams that t s mmune to the password guessng attack. 2) Prvleged nsder attack PWB wthout K y, where M 6 hid PWB Kx rj Tj K x.. Hence, Durng the regstraton, as mentoned n the lterature [5], [6], a user s password should not be sent to RS n plantext form durng the regstraton phase n order to resst the nsder attack. In the regstraton phase of ths work, U sends a masked password PWB to RS nstead of PW, where PWB hpw b. Therefore, the nsder attach of RS cannot extract PW from PWB due to the strong collson resstance property of the hash functon h(). 3) User mpersonaton attack Suppose that an adversary endeavors to mpersonate U. In order to do t, the adversary frst captures U s message from the publc channel and then makes an effort to generate another vald message, whch should be authentcated by RS. The adversary traps ID, M5, T from the publc channel and tres to compute M 2, K y, C usng the known nformaton. However, the adversary cannot compute M 2 and K y wthout and x, respectvely, where x s the secret key of RS. In addton, C s also secure beng stored n the regstraton software n U n encrypted form. Therefore, t s dffcult task for the adversary to mpersonate U. 4) Server mpersonaton attack An adversary may try to mpersonate RS n the mutual authentcaton phase. In ths proposes protocol, RS sends M 7 to the regstraton software n U through an open channel, where M7 E M K 6 rj y t s depends on M 6 and r j, where M 6 hid PWB Kx rj Tj. Note that M 7 s encrypted wth key K y and. It s clear that the adversary can easly generate a random number, but to compute M 6, the adversary needs ( PWB, K x ). However, the adversary s unable to successfully compute PWB, K from the publc message. Therefore, ths proposed protocol can wthstand the server mpersonaton attack. x 5) Stolen-verfer attack Ths type of attack occurs when the stored nformaton n RS s leaked, however, the authentcaton system should not be affected by the adversary. Suppose that the nformaton stored n the table avalable to RS has been compromsed, where the table contans the entres of the form ID, UNSID, SL, hid x. Note that the adversary cannot extract hid x wthout. Furthermore, a vald user s not able to obtan long-term nformaton from RS. Therefore, the adversary s unable to get any advantage after obtanng the stored table.

13 11 6) Denal-of-servce attack In bometrc based authentcaton, the bometrc nformaton may be affected due to nose durng the bometrc acquston, resultng n dffculty n reproducng the exact bometrc data sgnature accurately each tme. The hash functon s very senstve to even slght changes n the nput. Therefore, the hash functon cannot be appled drectly to the bometrc data. A legal user may even fal to logn to the remote server due to nosy bometrc sensor data. If a bometrc based authentcaton protocol reles * on verfyng hbt? hbt, n each sesson, then U may get rejected and n bometrc authentcaton ths phenomenon s called the DoS attack. In order to resst such knd of problem, a fuzzy extractor s typcally used. Therefore, the regstraton software n U passes the bometrc verfcaton of U and thus, t can wthstand the DoS attack. 7) Mutual authentcaton Mutual authentcaton [23] s typcally one of the mportant and envable property of any clent-server authentcaton protocol. In Step 3 of the mutual authentcaton phase of ths work, RS verfes the authentcty of U by checkng the condton M3?M3 whereas U checks M6?M6 n Step 5 to verfy the legtmacy of RS. Therefore, ths proposed protocol acheves the mutual authentcaton property. 8) Man-n-the-mddle attack In ths form of attack, the adversary ensnares the publc messages and attempts to act as a mddle broker between the user and the remote server. In user mpersonaton attack, the work demonstrated that the adversary cannot generate a forged logn message wthout knowng the user s secret nformaton. For the same reason, the adversary cannot also mpersonate the RS. Therefore, ths proposed protocol can wthstand the man-n-the-mddle attack. VI. PERFORMANCE ANALYSIS Ths secton apprases the performance of the proposed protocol n terms of computaton and communcaton costs wth other compettve protocols [7], [9], [10]. Ths work uses crypto-operatons to evaluate the computaton cost. The notatons and descrpton of the crypto-operatons are: T e: Tme needed to perform exponentaton operaton. T pm: Tme needed to perform ellptc curve pont multplcaton operaton. T h: Tme needed to perform one-way hash operaton. T s: Tme needed to perform symmetrc key encrypton/decrypton operaton. TABLE II provdes computaton costs of ths proposed protocol compared to the relevant lterature [7], [9], [10]. Ths proposed protocol requres an ncreased computaton cost, however for the consdered devce, the ncrease n computaton cost s margnal compared to the sgnfcantly mproved securty benefts. The communcaton cost of ths work compared to the lterature [7], [9], [10] was analyzed. It was observed that ths proposed protocol has a lower communcaton cost than the protocols consdered n the lterature. For comparson purposes, ths work assumed that the length of ID, PW and BT are 64 bts of length each. In addton, the message dgest of the hash functon, ECCpont multplcaton and symmetrc key encrypton produced 160-bts, 160-bts and 128-bts, respectvely. TABLE III presents the communcaton overhead cost and t can be observed that the proposed protocol s very effcent n terms of the communcaton cost.

14 12 TABLE II COMPARISON OF THE COMPUTATIONAL COST OF THIS WORK COMPARED TO THE LITERATURE User cost Server cost Total cost Yang et al. [7] 4Te 3Th 1T s 6Te 2Th 1T s 10Te 5Th 2Ts Lee et al. [9] 2T pm 5Th 1T s 2T pm 4Th 1T s 4T pm 9Th 2Ts He et al. [10] 2T pm 5Th 1T s 2T pm 4Th 1T s 2T pm 4Th 1T s Proposed 3T pm 5Th 3Ts 3T pm 5Th 2Ts 6T pm 10Th 5Ts TABLE III COMPARISON OF THE COMMUNICATION COST OF THIS WORK COMPARED TO THE LITERATURE User Server Total cost Yang et al. [7] Lee et al. [9] He et al. [10] Proposed VII. CONCLUSION The man ntenton of ths paper s to provde securty protecton on the stored nformaton n the consumer devce from the unauthorzed access by mplementng an authentcaton protocol. In order to do t, ths paper proposes a mutual authentcaton and key negotaton protocol usng ellptc curve cryptography. The securty verfcaton of the protocol has been done usng BAN logc and the securty analyss ensures that the protocol can wthstand several relevant securty attacks. The protocol s not only effcent n terms of securty attacks, but t also acheves hgh performance n terms of communcaton cost n comparson wth the exstng protocols. Moreover, the proposed protocol provdes the mutual authentcaton property between the partcpants nvolved and provdes a password update faclty to regstered users. Ths work enables secure bometrc personal storage devces to be confgured from an Internet servce and mantaned throughout the lfetme of the devce. REFERENCES [1] L. Lamport, Password authentcaton wth nsecure communcaton, Communcatons of the ACM, vol. 24, no. 11, pp , Nov [2] M.-S. Hwang, and L.-H. L, A new remote user authentcaton scheme usng smart cards, IEEE Trans. Consumer Electron., vol. CE-46, no. 1, pp , Feb [3] H.-M. Sun, An effcent remote use authentcaton scheme usng smart cards, IEEE Trans. Consumer Electron., vol. CE-46, no. 4, pp , Nov [4] C.-K. Chan, and L.M. Cheng, Cryptanalyss of a remote user authentcaton scheme usng smart cards, IEEE Trans. Consumer Electron., vol. CE-46, no. 4, pp , Nov [5] R. Amn, and G. P. Bswas, A secure lght weght scheme for user authentcaton and key agreement n mult-gateway based wreless sensor networks, Ad Hoc Networks, vol. 36, no. 1, pp , Jan [6] R. Amn, and G. P. Bswas, A novel user authentcaton and key agreement protocol for accessng mult-medcal server usable n TMIS, Journal of Medcal Systems, vol. 39, no. 3, pp. 1 17, Mar [7] F.-Y. Yang, T.-D. Wu, and S.-H. Chu, A secure control protocol for USB mass storage devces, IEEE Trans. Consumer Electron., vol. CE-56, no. 4, pp , Nov [8] B. Chen, C. Qn, and L. Yu, A Secure Access Authentcaton Scheme for Removable Storage Meda, Journal of Informaton & Computatonal Scence, vol. 9, no. 15, pp , Nov [9] C. Lee, C. Chen, and P. Wu, Three-factor control protocol based on ellptc curve cryptosystem for unversal seral bus mass storage devces, IET Computers & Dgtal Technques, vol. 7, no. 1, pp , Jan [10] D. He, N. Kumar, J.-H. Lee, and R. S. Sherratt, Enhanced three-factor securty protocol for consumer USB mass storage devces, IEEE Trans. Consumer Electron., vol. CE-60, no. 1, pp , Feb

15 13 [11] D. Gr, R. S. Sherratt, T. Matra, and R. Amn, Effcent Bometrc and Password Based Mutual Authentcaton for Consumer USB Mass Storage Devces, IEEE Trans. Consumer Electron., vol. CE-61, no. 4, pp , Nov [12] D. Gr, R. S. Sherratt, and T. Matra, A novel and effcent sesson spannng bometrc and password based three-factor authentcaton protocol for consumer USB mass storage devces, IEEE Trans. Consumer Electron., vol. CE-62, no. 3, pp , Aug [13] Y. Dods, L. Reyzn, and A. Smth, Fuzzy extractors: How to generate strong keys from bometrcs and other nosy data, LNCS, vol. 3027, pp , [14] X. Boyen, Reusable cryptographc fuzzy extractors, n Proc. ACM CCS, 2004, pp [15] R. Amn, and G.P. Bswas, Anonymty preservng secure hash functon based authentcaton scheme for consumer USB mass storage devce, n Proc. IEEE CCCIT, 2015, pp [16] N. Kobltz, Ellptc curve cryptosystem, Mathematcs of Computaton., vol. 48, no. 177, pp , Jan [17] V. S. Mller, Use of ellptc curves n cryptography, LNCS, vol. 218, pp , Dec [18] M. Burrows, M. Abad, and R. Needham, A logc of authentcaton, ACM Trans. Computer Systems, vol. 8, no. 1, pp , Feb [19] D. He, N. Kumar and N. Chlamkurt, A secure temporal-credental-based mutual authentcaton and key agreement scheme wth pseudo dentty for wreless sensor networks, Informaton Scences, vol. 321, pp , Nov [20] P. Sarkar, A smple and generc constructon of authentcated encrypton wth assocated data, ACM Trans. Informaton and System Securty, vol. 13, no. 4, pp. 1 16, Dec [21] W.-C. Ku, and S.-M. Chen, Weaknesses and mprovements of an effcent password based remote user authentcaton scheme usng smart cards, IEEE Trans. Consumer Electron., vol. CE-50, no. 1, pp , Feb [22] E.-J. Yoon, E.-K. Ryu, and K.-Y. Yoo, Further mprovement of an effcent password based remote user authentcaton scheme usng smart cards, IEEE Trans. Consumer Electron., vol. CE-50, no. 2, pp , May [23] S. H. Islam, and G. P. Bswas, A more effcent and secure ID-based remote mutual authentcaton wth key agreement scheme for moble devces on ellptc curve cryptosystem, J. Systems and Software, vol. 84, no. 11, pp , Nov Ruhul Amn receved hs B.Tech and M.Tech from West Bengal Unversty of Computer Scence and Engneerng, Indan Engneerng n 2009 and 2013, respectvely. He was a Ph.D. research scholar n Computer Scence and Engneerng, Indan School of Mnes (ISM), Dhanbad, Inda. He s currently a Lecturer n the Department of Computer Scence and Engneerng, Thapar Unversty, Patala, Punjab, Inda. He has publshed many research papers n Journals and Conference proceedngs of Internatonal reputes. Hs current research nterests nclude cryptographc authentcaton protocols and securty n wreless sensor networks. R. Smon Sherratt (M 97-SM 02-F 12) receved the B.Eng. degree n Electronc Systems and Control Engneerng from Sheffeld Cty Polytechnc, UK n 1992, M.Sc. n Data Telecommuncatons n 1994 and Ph.D. n vdeo sgnal processng n 1996 from the Unversty of Salford, UK. In 1996, he has apponted as a Lecturer n Electronc Engneerng at the Unversty of Readng where he s now Professor of Bosensors. Hs research topc s sgnal processng and personal communcatons n consumer devces focusng on wearable devces and healthcare. He receved the 1 st place IEEE Chester Sall Memoral Award n 2006, the 2 nd place n 2016 and the 3 rd place n He s a revewer for the IEEE SENSORS JOURNAL and s currently a Senor Edtor and Emttus Edtor-n-Chef of the IEEE TRANSACTIONS ON CONSUMER ELECTRONICS. Debass Gr receved the Ph.D degree from the Indan Insttute of Technology, Kharagpur, Inda n He dd hs masters (M.Tech and M.Sc) both from Indan Insttute of Technology, Kharagpur, Inda n 2001 and 1998 respectvely. Presently he s a Dean under the school of Electronc, Computer Scence and Informatcs of Halda Insttute of Technology, Inda, and Professor n the Department of Computer Scence and Engneerng, Halda Insttute of Technology, Inda. He has tenth All Inda Rank wth percentle score n the Graduate Apttude Test n Engneerng (GATE) Examnaton n Hs current research nterests nclude Cryptography, Network securty, Data Hdng, Securty n Wreless Sensor Networks and Securty n VANETs. Dr. Gr s an Edtoral Board Member and a Revewer of many reputed Internatonal Journals. Presently he s an Assocate Edtor of the Journal of Securty and Communcaton Networks (Wley), the Journal of Communcaton Systems (Wley) and the Journal of Electrcal and Computer Engneerng Innovatons. He s also a Program Commttee member for many Internatonal Conferences.

16 14 Hafzul Islam receved the M.Tech from ISM Dhanbad n 2009 and the Ph.D n Computer Scence and Engneerng from Indan School of Mnes, Dhanbad (SM Dhanbad), Inda. He was an Assstant Professor n the Department of CSIS, BITS Plan, Plan Campus, Rajasthan, Inda and s currently an Assstant Professor n the Department of CSE, Indan Insttute of Informaton Technology, Kalyan (IIIT Kalyan), West Bengal, Inda. He has publshed 50 research papers n reputed nternatonal Journals and Conference proceedngs. He s an Assocate Edtor of the Internatonal journal of Communcaton Systems, Wley. Hs research nterest ncludes Cryptography and Informaton Securty. Muhammad Khurram Khan (M 07, SM 12) s currently workng as a Full Professor at the Center of Excellence n Informaton Assurance (CoEIA), Kng Saud Unversty, Kngdom of Saud Araba. He has publshed over 250 research papers n the journals and conferences of nternatonal repute. In addton, he s an nventor of 10 US/PCT patents. Prof. Khan s the Edtor-n-Chef of Telecommuncaton Systems Journal, Sprnger. He s a Fellow of the IET, Fellow of the BCS, Fellow of the FTRA, a member of the IEEE Techncal Commttee on Securty & Prvacy, a member of the IEEE Cybersecurty communty, and a member of IEEE Consumer Electroncs socety.