A secure and improved multi server authentication protocol using fuzzy commitment

Creative Commons License

Rehman H. U., Ghani A., Chaudhry S. A., Alsharif M. H., Nabipour N.

Multimedia Tools and Applications, vol.80, no.11, pp.16907-16931, 2021 (SCI-Expanded) identifier

  • Publication Type: Article / Article
  • Volume: 80 Issue: 11
  • Publication Date: 2021
  • Doi Number: 10.1007/s11042-020-09078-z
  • Journal Name: Multimedia Tools and Applications
  • Journal Indexes: Science Citation Index Expanded (SCI-EXPANDED), Scopus, FRANCIS, ABI/INFORM, Applied Science & Technology Source, Compendex, Computer & Applied Sciences, INSPEC, zbMATH
  • Page Numbers: pp.16907-16931
  • Keywords: Authentication, AVISPA, BAN logic, Fuzzy commitment, Multi-server, Security
  • Istanbul Gelisim University Affiliated: Yes


© 2020, Springer Science+Business Media, LLC, part of Springer Nature.The advancement in communication and computation technologies has paved a way for connecting large number of heterogeneous devices to offer specified services. Still, the advantages of this advancement are not realized completely due to inherent security issues. Most of the existing authentication mechanisms ensure the legitimacy of requesting user thorough single server leading towards multiple registrations and corresponding credentials storage on user side. Intelligent multimedia networks (IMN) may encompass wide range of networks and applications. However, the privacy and security of IMN cannot be apprehended through traditional multi sign on/single server authentication systems. The multi-server authentication systems can enable a user to acquire services from multiple servers using single registration and with single set of credentials (i.e.Password/smart card etc.) and can be accomplish IMN security and privacy needs. In 2018, Barman et al. proposed a multi-server authentication protocol using fuzzy commitment. The authors claimed that their protocol provides anonymity while resisting all known attacks. In this paper, we analyze that Barman et al.’s protocol is still vulnerable to anonymity violation attack and impersonation based on stolen smart card attack; moreover, it has incomplete login request and is prone to scalability issues. We then propose an enhanced protocol to overcome the security weaknesses of Barman et al.’s scheme. The security of the proposed protocol is verified using BAN logic and widely accepted automated AVISPA tool. The BAN logic and automated AVISPA along with the informal analysis ensure the robustness of the scheme against all known attacks.