A Robust Three-Factor User Authentication Scheme based on Elliptic Curve Cryptography and Fuzzy Extractor

Trung Thanh Ngo, Tae-Young Choe

http://doi.org/10.5626/JOK.2019.46.6.587

A three-factor user authentication is appropriate to ensure a high degree of authentication. Fan and Lin proposed a typical three-factor authentication scheme, which requires token, password, and fingerprint. The scheme does not allow authentication in the absence of any of the three factors. Unfortunately, Fan and Lin"s scheme is associated with security risks such as vulnerability to insider attacks, stolen-verifier attacks, and message modification attacks. Yeh et al. proposed a three-factor user authentication, which overcomes such pitfalls and improves security and performance using elliptic curve cryptography. We found that Yeh et al."s scheme is still vulnerable to user impersonation attacks and server masquerading attacks. We propose a robust three-factor authentication scheme entailing server smart cards, elliptic curve cryptography, and a fuzzy extractor that address the foregoing flaws and result in enhanced security. The proposed scheme is resistant to various attacks and improves system performance. BAN logic is used to prove that the scheme establishes a secure channel.