R. Amin et al.

: A Software Agent Enabled Biometric Security Algorithm for Secure File Access in Consumer Storage Devices 53

A Software Agent Enabled Biometric Security

Algorithm for Secure File Access in Consumer
Storage Devices
Ruhul Amin, R. Simon Sherratt, Fellow, IEEE, Debasis Giri,
SK Hafizul Islam, Muhammad Khurram Khan, Senior Member, IEEE


Abstract—In order to resist unauthorized access, consumer the device may be lost or stolen by an adversary. If the
storage devices are typically protected using a low entropy confidential information is not protected, an adversary can
password. However, storage devices are not fully protected easily retrieve the stored information from the device memory.
against an adversary because the adversary can utilize an off-line However, the adversary faces a problem to retrieve the
dictionary attack to find the correct password and/or run an
existing algorithm for resetting the existing password. In
information from the store if the device is password protected.
addition, a password protected device may also be stolen or It is worth noting that a user’s password (typically low
misplaced allowing an adversary to easily retrieve all the stored entropy) cannot provide a strong secure system under a
confidential information from a removable storage device. In cryptographic dictionary attack. Indeed, many techniques are
order to protect the consumer’s confidential information that has currently available to guess the password to access the device.
been stored, this paper proposes a mutual authentication and key Mutual authentication and key agreement protocols are a
negotiation protocol that can be used to protect the confidential
popular paradigm in client-server environments to prevent
information in the device. The functionality of the protocol
enables the storage device to be secure against relevant security unauthorized access. In 1981, Lamport [1] first introduced the
attacks. A formal security analysis using Burrows-Abadi- secure communication client-server architecture and then
Needham (BAN) logic is presented to verify the presented numerous protocols [2]-[4] have been proposed for several
algorithm. In addition, a performance analysis of the proposed applications, including wireless sensor networks [5], medical
protocol reveals a significantly reduced communication overhead systems [6] and file security for USB based Mass Storage
compared to the relevant literature. Devices (USB MSD) [7]-[12]. In order to provide secure
access, authentication protocols play an important role.
Index Terms— Security Protocol, Biometric, Computer
System, BAN logic, File Secrecy Significant literature is now available to provide solutions
to protect confidential files stored in a USB MSD. Yang et al.
[7] first proposed a secure authentication protocol using the
I. INTRODUCTION Schnorr Signature to protect the information stored. However,
Chen et al. [8] argued that the protocol from Yang et al. [7]
C ONSUMER storage is commonly used to store and retrieve
digital information. Consumers often store confidential
information, files, or digital media purchases in the device.
was not secure against the forgery attack and the replay attack.
Furthermore, Lee et al. [9] argued that the protocol by Chen et
al. [8] was computationally inefficient. In order to solve the
These devices are low cost and easily portable so the security weaknesses, Lee et al. [9] proposed the three-factor
consumer often carries the device when travelling. As a result, authentication protocol based on elliptic curve cryptography.
The protocol from Lee et al. [9] required the user’s password,
Manuscript received January 12, 2017; accepted February 28, 2017. Date biometric and smartcard information as authentication tokens.
of publication April 12, 2017. (Corresponding author: Debasis Giri.) More recently, He et al. [10] demonstrated that the protocol
R. Amin is with the Department of Computer Science and Engineering,
Thapar University, Patiala, Punjab, India (e-mail: [email protected]). proposed by Lee et al. [9] was not secure against the password
R. S. Sherratt is with the Department of Biomedical Engineering, the guessing attack, Denial-of-Service (DoS) attack and the replay
University of Reading, RG6 6AY, UK (e-mail: [email protected]). attack, so proposed an improved three-factor authentication
D. Giri is with the Department of Computer Science and Engineering,
Haldia Institute of Technology, Haldia-721657, India (e-mail:
scheme. In order to resist the DoS attack, He et al. [10]
[email protected]). employed the concept of the fuzzy extractor [13], [14]. In
S. H. Islam is with the Department of Computer Science and Engineering, 2015, Amin and Biswas [15] proposed a three-factor
Indian Institute of Information Technology, Kalyani, West Bengal 741235, authentication protocol for the same environment using a hash
India (e-mail: [email protected]).
M. K. Khan is with the Center of Excellence in Information Assurance function to achieve a lower computation cost than existing
(CoEIA), King Saud University, Riyadh 11451, Saudi Arabia (e-Mail: protocols [9], [10].
[email protected]). This paper proposes a mutual authentication and key
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org. agreement protocol to provide only authorized access to
Digital Object Identifier 10.1109/TCE.2017.014735 confidential information stored on the device with the aid of a

0098 3063/17/$20.00 © 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
54 IEEE Transactions on Consumer Electronics, Vol. 63, No. 1, February 2017
Registration Server (RS). A new user completes a registration device to defend unauthorized access. Firstly we have used the
procedure with RS allowing RS to deliver a link via e-mail concept of biometric data along with a password in our
from which the user can download and install registration protocol, hence it is difficult to guess the password along with
software in their device which also incorporates the required biometric information. Secondly, an attacker cannot utilize a
secure access information relevant for only each user. In order resetting technique, as we have mentioned in our protocol that
to provide secure access to files, the user provides the if the attacker desires to use resetting technique, he/she first
necessary identity, password and biometric information. The has to login into the system. As the attacker cannot login into
device checks the legitimacy of the user and then negotiates a the system without biometric data, the resetting technique is
session key with RS. It is to be noted that this session key is not usable.
used to encrypt the files in the storage device. This paper achieves the following contributions:
The rest of the paper is organized as follows: Section II  A mutual authentication and key negotiation protocol to
presents an overview of the contribution and the novelty provide security protection of the stored information on the
claims. Section III presents the hash function, fuzzy extractor storage device,
and elliptic curve cryptography. The proposed protocol is  Security analysis to show that the proposed protocol is
provided in Section IV. The security analysis using BAN logic robust against known security attacks. Furthermore, in the
is discussed in Section V. Section VI provides the proposed scheme, the mutual authentication and session key
performance evaluation and comparison of the proposed agreement have been verified using BAN logic.
protocol with related protocols. Section VII concludes the  Significantly less communication overhead and
paper. TABLE I shows the nomenclature that is used computation costs than other related systems.
throughout the paper.
III. PRELIMINARIES
TABLE I This section defines the fuzzy extractor [10]-[14] and the
NOMENCLATURE
hash function [15] to analyze the security of the proposed
Term Usage protocol. Furthermore, the hardness assumption on the elliptic
curve group is discussed.
Ui i-th user
RS Remote server Definition 1: A cryptographic one-way hash function maps
PWi Password of user Ui a binary string of an arbitrary length to a binary string of fixed
BTi Biometric Template of user Ui length, called the hashed value. It can be symbolized as:
IDi Identity of user Ui
Ek[] Symmetric key encryption using key k h :{0,1}*  {0,1}n , where n is a positive integer. The
Dk[] Symmetric key decryption using key k properties of the hash function have been presented [4], [5].
x Secret key of the remote server
(Px, Py) x and y coordinate of the elliptic curve point P
Definition 2: A fuzzy system based collision resistant
Ti Current timestamp of Ui’s storage device extractor can be modeled as a procedure which takes a binary
Tj Current timestamp of the Remote server
string, say b, of some metric space M  0,1 as an input for
n
ΔT Estimated time delay
UNSID Unique software identity some positive number n and outputs a random string, say
SL Software link
  0,1 for some positive number l and an auxiliary string,
l
h(·) Cryptographic one-way hash function
REP() REP procedure in fuzzy extractor
GEN() GEN procedure in fuzzy extractor say   0,1r for some positive number r, where r can be l or
⊕ Bitwise XOR operator
|| Concatenation operator
n. This mapping procedure is denoted by GEN: M     .
(a.b) Point multiplication operation of a and b Another procedure which takes two inputs: (i) a binary string

say, b' of the metric space M  0,1 , where b  b ' , and (ii)
n

II. SYSTEM ENVIRONMENT an uniform distribution binary string say,   0,1r , and it
In this work, a Registration Server (RS) delivers a link to all
produces the random string   0,1 as output. This mapping
l

the users who have performed registration successfully, and

then each user uses the link to obtain and install software in procedure is denoted by REP : M   '   .
their device while also providing their credentials (password,
identity and biometric signature.) Note that while the A. Elliptic Curve Cryptography (ECC)
password may be guessed, it is hard to guess biometric The concept of elliptic curve cryptography was introduced
signatures. Then, the software encrypts important files by by Kobiltz [16] and Miller [17], to design public key
using a negotiated key to provide security on the storage file. cryptosystems. Let E p  a, b  be a set of elliptic curve points
Whenever, the user of that device wants to access that file, RS over prime field F p , where p is a large prime number. The
first verifies the user and then provides a decryption key to
recover the original file. All the files are then encrypted using elliptic curve equation is defined as: y 2  x 3  ax  b mod p
a new session key. However, we argue that a storage device
will still not be completely security protected. Hence, we have
with  a , b   Fp and  4a 3

 27b 2 mod p  0 . The additive

devised a standard security protocol which protects the storage ECC group is defined as: G p  {( x, y ) : x, y  F p and
R. Amin et al.: A Software Agent Enabled Biometric Security Algorithm for Secure File Access in Consumer Storage Devices 55

( x, y )  E p ( a , b )}  {O} , where the point O is known as the UNSID i and SLi are the unique software identity and software
‘Point at Infinity’. The scalar point multiplication on the cyclic link respectively, and  indicates empty attributes used to
group G p is defined as: [k].P = P + P +… + P), that means k store the encrypted key. Finally, RS delivers to Ui via e-mail a
times addition of P. link to user specific registration software (that includes SLi .)
Definition 3: Elliptic curve discrete logarithm problem: This registration software is provided by the registration
 
Given Q, R  G p , computation of the integer k  Z p * is server to all the consumers with the software content varying
with the user.
hard, where R   k .Q . Step 4: After receiving the link for Ui to download the
Definition 4: Elliptic curve computational Diffie-Helman registration software, Ui installs it on their personal storage
problem: Given  P,  a .P, b.P  , for some a, b  Z p * , device. Ui then inputs bi into the registration software. Finally,
the registration software installed in Ui’s storage device
computation of  a .b .P is hard. contains Di , IDi , Bi , bi , GEN (), REP (), h () .

IV. PROPOSED PROTOCOL B. Login Phase

This section describes the proposed mutual authentication This phase ensures that a non-registered user could not
and key negotiation protocol, which includes seven phases, install the registration software without providing the correct
(A) Registration and software installation phase, (2) Login information. The device runs the registration software now
phase, (C) Mutual authentication and key negotiation phase, installed in the storage device and the software requests Ui to
(D) File management phase, (E) File accessing phase, (F) input their identity, password and biometric information (IDi,
Password renewal phase and (G) Biometric renewal phase. PWi and BTi). Then the registration software checks the
Initially, RS chooses a secret key x and computes legitimacy of Ui by verifying the user’s information by
Ppub   x .P as the corresponding public key. It should be calculating PWBi '  h  PWi || bi  , G i '  Bi  PWB i ' ,
noted that execution of the registration phase and the  Ai ' || Bi ' || Ci '  DG  Di  ,
' i '  h  IDi || PWBi '   Ci ' ,
i
registration software installation phase is performed only
once.  i '  REP  Bi ,i '  and Ai ''  h  PWBi ' ||  i '  . The registration
A. Registration and Software Installation Phase software checks whether the conditions Ai ''  ? Ai ' and
Initially, each new user Ui must complete a registration Bi ' ? Bi holds. If both the conditions are true, then the
procedure with RS. In this phase, Ui provides their registration software of Ui accepts that the information
information securely or in person (off-line mode) to RS. Then, provided by Ui is correct; otherwise, it aborts the session.
RS securely sends to Ui, via e-mail, a link to downloadable
registration software which must be installed in the storage C. Mutual Authentication and Key Negotiation Phase
device. The description of this phase is given below: This phase first achieves mutual authentication and then
Step 1: Ui first chooses IDi , PWi and scans the user’s negotiates a session key between the registration software of
Ui and RS over an insecure channel. In this process, Ui and RS
biometric template, BTi, such as a fingerprint. This work uses
perform the following steps:
the biometric template to provide a high degree security since
Step 1: Ui runs the registration software installed in his/her
biometric templates cannot easily be forged [10]-[15]. Ui’s
device and then provides their IDi, PWi and BTi to the
device computes PWBi  h  PWi || bi  , where bi is a random
registration software. Then the registration software of Ui
number generated by Ui and then sends IDi , PWB i , BTi and computes PWBi '  h  PWi || bi  , G i '  Bi  PWB i ' ,
a valid e-mail address to RS securely either using Transport
Layer Security (TLS) or in person (off-line mode.)  Ai ' || Bi ' || Ci '  DG  Di  ,
' i '  h  IDi || PWBi '   Ci ' ,
i

Step 2: After receiving the registration message, RS  i '  REP  Bi ,i '  and Ai ''  h  PWBi ' ||  i '  . The registration
computes  i , i   GEN  BTi  , Ai  h  PWBi ||  i  ,
Gi  h  IDi || x  , Bi  Gi  PWBi , Ci   i  h  IDi || PWBi  software in Ui’s device checks conditions Ai ''  ? Ai ' and
Bi ' ? Bi . If both the conditions are not correct, registration
and Di  EGi  Ai || Bi || Ci  , where GEN() is the fuzzy
software of Ui aborts the connection; otherwise, accepts Ui.
extractor function.
Step 2: The registration software in Ui generates random
Step 3: RS then embeds Di , IDi , Bi , GEN (), REP (), h ()
number ri and sends IDi , M 5 , Ti to RS through an insecure
into the required registration software including all necessary
channel, where M 1  [ri ].P , M 2  [ i ].M 1 ,
parameters for the ECC cryptosystem. The registration
software is a simple software application that must be installed M 3  ( K x , K y )  [Gi ' ].Ppub ,
in the consumer device. RS needs to maintain a database for
M 4  h( IDi || M 1 || M 2 || Ti || K y ) and
storing all the registration information for all the consumers.
RS stores  IDi , UNSIDi , SLi ,   into the database, where M 5  E K x ( M 1 || M 4 || PWB i || C i ) .
56 IEEE Transactions on Consumer Electronics, Vol. 63, No. 1, February 2017

Step 3: After receiving IDi , M 5 , Ti , RS first checks the '

verification, RS first generates a random number r j rj '  rj  
existence of IDi in the user database held by RS. If the entry
and then computes the new session key SK j   rj  .M 2 , ' '

does not exist then RS rejects the connection, otherwise RS

checks the timestamp validity condition | T j  Ti | T holds, 
where SK j '  SK j  and the random numbers are different in
where T j is the current timestamp of RS. If it does not hold, each session. Furthermore, RS then computes
RS rejects the connection; otherwise RS computes the  ' '

M 6  h IDi || PWBi || K x || rj || Tj , M 7  EK '  M 6 || rj '  and
y

legitimacy of Ui by computing Gi '  h  IDi || x  , retrieves  SK i  h  IDi  x   from the local table in RS and
M 3   K x , K y   Gi  .Ppub ,
' ' ' '
then computes the old session key SK i . Finally, RS computes
 M1 || M 4 || PWBi || Ci   DK '  M 5  ,  i '  h  IDi || PWBi   Ci
x
M 8  EK '  SKi  and sends
x
M7,M8 to Ui through an

, M 2'  i '  .M1 and insecure channel. Then, the registration software in Ui
'
decrypts M 7 and M 8 using K y and K x ' respectively. In
M 3 '  h( IDi || M 1 || M 2 ' || Ti || K y ' ) . RS checks whether
order to verify the legitimacy of RS, the registration software
M 3 '  ? M 3 is true. If it is correct, then RS accepts Ui; 
in Ui computes M 6'  h IDi || PWBi || K x ' || rj ' || T j . If 
otherwise, rejects Ui. M 6  M 6 , the registration software of Ui rejects the
'

Step 4: RS generates random number r j and computes

connection; otherwise, decrypts the encrypted files using the
SK j   rj  .M 2' , M 6  h  IDi || PWBi || K x ' || rj || T j  and old key SK i obtained from M 8 and can then access the files.
After that, the registration software in Ui encrypts all the
M 7  EK '  M 6 || rj  . RS sends M7 to the registration
y required files using the new key SKi '  SK j '   rj '  .M 2 .
software in Ui through a public channel. Finally, the registration software in Ui sends a confirmation
Step 5: After receiving M 7 , the registration software in Ui message to RS that the obtained encrypted file is correct.
first checks whether the timestamp validity condition  
Next, RS stores SKi '  h  IDi  x  in the table against IDi .
| T jc  T j | T holds, where T jc is the current timestamp at
the user end. If it fails, the registration software of Ui F. Password Renewal Phase
terminates the session; otherwise, it decrypts M 7 to obtain This phase is infrequently used and the choice is dependent
on the needs of the user. The description of the password
M , r 
6 j as  M 6 || rj   DK '  M 7  . The registration software
y update procedure is given as follows:
Step 1: Ui runs the registration software installed in their

in Ui further computes M 6  h IDi || PWBi || K x ' || rj || Tj
'
 and device, then provides their IDi, the current PWi and BTi. Then
checks M 6  M 6 ' . If true, RS is verified. Then registration the Ui registration software computes PWBi '  h  PWi || bi  ,
software in Ui computes session key as SK i  [rj ].M 2 , which G i '  Bi  PWB i ' ,  Ai ' || Bi ' || Ci '  DG  Di  ,
i
'

must be equal to SK j and used to encrypt desired files stored

i  h  IDi || PWBi   Ci ' ,
' '
 i  REP  Bi , i
' '
 and
in the memory of the consumer storage device.
Ai ''  h  PWBi ' ||  i '  . The registration software in Ui checks
D. File Management Phase
whether both Ai ''  ? Ai ' and Bi ' ? Bi hold. If fasle Ui aborts
After performing mutual authentication and key negotiation,
the registration software can encrypt any chosen files (F1, F2, the session.
…, Fn), using the encryption key SK i for security protection. Step 2: Ui inputs a new password PWi * . The registration
Note that, the registration software in Ui can forget the software in Ui computes PWBi*  h  PWi* || bi  ,
encryption key after encrypting any files and send a Bi *  Gi '  PWBi * , Ai*  h  PWBi* ||  i '  ,
confirmation message to RS. In this proposed protocol, RS
maintains a table against each user Ui with the identity IDi. Ci*  i '  h  IDi || PWBi*  and Di*  EG '  Ai* || Bi* || Ci*  .
i

Now, RS stores  SKi  h  IDi  x   in the table against the Step 3: Finally, the registration software in Ui replaces Di
identity IDi. with new value Di * and keeps the remaining information
unchanged. Thus, Ui can change their old password without
E. File Accessing Phase requesting any assistance from RS.
In this phase, Ui makes a request to RS to access the
encrypted files stored in the consumer’s storage device. In G. Biometric Renewal Phase
order to do it, Ui executes Steps 1-3 of the mutual The execution of this phase is important whenever an
authentication and key negotiation phase to verify the existing user is willing to update their biometric information.
legitimacy of Ui and generate a new session key. After the The description of this phase is given as follows:
R. Amin et al.: A Software Agent Enabled Biometric Security Algorithm for Secure File Access in Consumer Storage Devices 57
Step 1: Ui runs the registration software installed the device R4: P  X: P has jurisdiction over X. The principal P is
and then provides previous login information IDi, PWi and BTi an authority on X and should be trusted on this matter.
to the registration software. Then the registration software in R5: ♯(X): The message X is fresh.
Ui computes PWBi '  h  PWi || bi  , G i '  Bi  PWB i ' , R6: (X, Y): The formulae X or Y is one part of the
formulae (X, Y).
 Ai ' || Bi ' || Ci '  DG  Di  , i '  h  IDi || PWBi '   Ci ' ,
i
'
R7: <X>Y: The formulae X combined with the formulae
 i '  REP  Bi ,i '  and Ai ''  h  PWBi ' ||  i '  . The registration Y.
R8: {X}K: The formulae X is encrypted under the
software in Ui checks that both conditions Ai ''  ? Ai ' and formulae K.
Bi ' ? Bi . If false, the registration software in Ui aborts the R9: (X)K: The formulae X is hashed with the key K.
R10: P  Q: Principal P and Q communicate via
K
session.
Step 2: Ui inputs new the biometric table BTi * . the shared key K.
R11: P  Q: The formulae X is a secret known only to P

registration software of Ui computes  i* ,i*  GEN BTi* ,    and Q only and possible to principal trusted by them.
Ai*  h  PWBi ||  i*  , Ci *   i *  h  IDi || PWBi  , and R12: SK: The session key used in the current session.

Di*  EGi  Ai* || Bi || Ci*  . Relevant logical postulates of BAN logic for this work are:

 The message-meaning rule: P  Q, P  X ,

K
Step 3: Finally, the registration software in Ui replaces Di
with the new value Di * and keeps the remaining information P | Q |~ X
unchanged. Thus, Ui can change/renew biometric information if the principal P believes that the secret key K is shared
without requesting any assistance from RS. with the principal Q and P receives the message X encrypted
with K then, P believes that the principal Q once sent the
V. SECURITY ANALYSIS message X.
 The freshness-conjuncatenation rule:
P | ( X ) ,
This section explores the security of the proposed mutual
authentication and key negotiation protocol. This work P | ( X , Y )
employs BAN logic [5], [10], [18], [19] to demonstrate that if the principal believes that X is fresh, then the principal P
the proposed protocol provides secure authentication. The believes freshness of (X, Y).
informal security analysis examines that the proposed protocol P | ( X ), P | (Y ) ,
is secure against relevant security attacks.  The belief rule:
P | ( X , Y )
A. Authentication Proof based on BAN Logic
if the principal P believes X and Y, then the principal P
In this section, the security of the proposed protocol is believes (X, Y).
analyzed using BAN logic. BAN logic is a well-known
security verification and analysis model. It has been widely  The nonce verification rule: P | ( X ), P | Q |~ X ,
used for analyzing the security of authentication and session P | Q | X
key agreement protocols. Some preliminaries and notations of if the principal P believes that X is fresh and the principal Q
BAN logic: once sent X then, principal P believes that Q believes X.
a) Principals are those agents involved in the protocol
(usually people or programs).  The jurisdiction rule: P | Q  X , P | Q | X ,
P | X
b) Keys are used to encrypt messages symmetrically.
c) Public Keys are similar to keys except that they are used if the principal believes that Q has jurisdiction over X and Q
in pairs. believes X, then P believes that X is true.
d) Nonces are message parts that are not meant to be  The session key rule: P | ( X ), P | Q | ( X ) ,
repeated. P | P  K
Q
e) Timestamps are similar to nonce in that they are unlikely
to be repeated. if the principal P believes that the session key is fresh and
the principal P and Q believes X, which are the necessary
Relevant BAN logic statements that are useful for analyzing parameters of the session key, then principal P believes that
security of the proposed protocol are: he/she shares the session key K with Q.
R1: P |  X: P believes X or P would be entitled to believe In order to prove the proposed protocol secure, the proposed
X. In particular, P can take X as true protocol must satisfy the following goals based on BAN logic,
R2: P  X: P sees X. P has received some message X and where RS and U i define registration server and consumer
is capable of reading and repeating it. respectively.
R3: P |~X: P once said X. P at some time sent a message Goal 1: U i | U i SK
 RS
including the statement X. It is not known whether this is a
replay, though it is known that P believed X when it was sent. Goal 2: U i | RS | U i SK
 RS
58 IEEE Transactions on Consumer Electronics, Vol. 63, No. 1, February 2017

Goal 3: RS | RS SK
U i According to ASM 1 , S9 and session key rule:

Goal 4: RS | U i | RS SK
U i S11: U i | U i SK
 RS (Goal 1)
The proposed protocol is transformed to the idealized form According to ASM 1 , S11 and nonce verification rule:
as: S12: U i | RS | U i SK
 RS (Goal 2)
MSG1 : U i  RS : IDi , M 5 , Ti : M 1 G
i The above justification claims that the declared goals have
been successfully proven using BAN logic model. Therefore,
MSG2 : RS  U i : M 7 : r j
Kx it can be claimed that the proposed protocol successfully
The following assumptions about the initial state of the provides mutual authentication property as well as session key
protocol are given: negotiation between the user and RS.
ASM 1 : U i | ( ri , r j ) B. Further Security Analysis
ASM 2 : RS | ( r j , ri ) It has been observed that numerous authentication protocols
Gi [1], [2], [13], [14], [17], [20] analyze the resilience against
ASM 3 : U i | U i  RS
known attacks through informal security analysis [21], [22].
Kx
ASM 4 : RS | RS  Ui Therefore, this section provides the description of the
ASM 5 : U i | RS  r j resilience against the known security attacks, such as off-line
password guessing attack, privileged insider attack, user
ASM 6 : RS | U i  ri impersonation attack, server impersonation attack, known key
Applying BAN logic rules and assumptions: security attack, stolen-verifier attack, DoS attack and mutual
MSG1 : U i  RS : IDi , M 5 , Ti : M 1 G authentication.
i
1) Off-line password guessing attack
Thus During the registration phase, Ui’s password PWi was never
S1: RS  IDi , M 5 , Ti : M 1 Gi
transmitted to RS in plaintext form and the computation of
PWBi depends on PWi and random number bi. Therefore, if
Applying assumption ASM 4 , S1 and message meaning rule
the adversary wants to guess PWi , they have to first know
gives:
S2: RS | U i ~ M 1 PWBi , which is used to compute M 5 in Step 2 of mutual
authentication and session key negotiation phase, where
According to ASM 2 , S2, freshness-conjuncatenation and
M 5  EK x  M 1 || M 4 || PWBi || Ci  and PWBi is encrypted
nonce verification rule:
S3: RS | U i | M 1 , where information of the parameter M 1 with key K x . Thus, the adversary cannot retrieve PWBi
is used to computed the session key in our protocol. without K x . Accordingly, the adversary cannot compute
According to ASM 6 , S3 and jurisdiction rule: PWBi using M6 without Ky , where
S4: RS | M 1 M 6  h  IDi || PWBi || K x ' || rj ' || Tj  . Hence, this proposed
According to ASM 2 , S3 and session key rule: protocol claims that it is immune to the password guessing
S5: RS | RS SK
U i (Goal 3) attack.
2) Privileged insider attack
According to ASM 2 , S5 and nonce verification rule:
During the registration, as mentioned in the literature [5],
S6: RS | U i | RS SK
U i (Goal 4) [6], a user’s password should not be sent to RS in plaintext
form during the registration phase in order to resist the insider
MSG2 : RS  U i : M 7 : r j attack. In the registration phase of this work, Ui sends a
Kx
According to seeing rule: masked password PWBi to RS instead of PWi, where
PWBi  h  PWi || bi  . Therefore, the insider attach of RS
S7: U i  : M 7 : r j
Kx
cannot extract PWi from PWBi due to the strong collision
Applying the assumption ASM 3 , S7 and message meaning resistance property of the hash function h().
rule: 3) User impersonation attack
S8: U i | RS ~ r j Suppose that an adversary endeavors to impersonate Ui. In
order to do it, the adversary first captures Ui’s message from
According to ASM 1 , S8, freshness-conjuncatenation and
the public channel and then makes an effort to generate
nonce verification rule: another valid message, which should be authenticated by RS.
S9: U i  RS | r j , where information of the parameter r j is
The adversary traps IDi , M 5 , Ti from the public channel and
used to computed session key in our protocol.
According to ASM 5 , S9 and jurisdiction rule: tries to compute M 2 , K y , Ci using the known information.
S10: U i | r j However, the adversary cannot compute M 2 and K y without
R. Amin et al.: A Software Agent Enabled Biometric Security Algorithm for Secure File Access in Consumer Storage Devices 59

 i and x , respectively, where x is the secret key of RS. In 8) Man-in-the-middle attack

addition, Ci is also secure being stored in the registration In this form of attack, the adversary ensnares the public
messages and attempts to act as a middle broker between the
software in Ui in encrypted form. Therefore, it is difficult task user and the remote server. In user impersonation attack, the
for the adversary to impersonate Ui. work demonstrated that the adversary cannot generate a forged
4) Server impersonation attack login message without knowing the user’s secret information.
An adversary may try to impersonate RS in the mutual
For the same reason, the adversary cannot also impersonate
authentication phase. In this proposes protocol, RS sends the RS. Therefore, this proposed protocol can withstand the
M 7 to the registration software in Ui through an open man-in-the-middle attack.
channel, where M 7  EK '  M 6 || rj  . Note that M7 is
y
VI. PERFORMANCE ANALYSIS
encrypted with key K y and it is depends on M 6 and r j , This section appraises the performance of the proposed
 
where M 6  h IDi || PWBi || K x || rj || T j . It is clear that the
' protocol in terms of computation and communication costs
with other competitive protocols [7], [9], [10]. This work uses
adversary can easily generate a random number, but to crypto-operations to evaluate the computation cost. The
compute M 6 , the adversary needs ( PWBi , K x ) . However, the notations and description of the crypto-operations are:
adversary is unable to successfully compute  PWBi , K x  from  Te: Time needed to perform exponentiation
the public message. Therefore, this proposed protocol can operation.
withstand the server impersonation attack.  Tpm: Time needed to perform elliptic curve point
5) Stolen-verifier attack multiplication operation.
This type of attack occurs when the stored information in  Th: Time needed to perform one-way hash
RS is leaked, however, the authentication system should not operation.
be affected by the adversary. Suppose that the information  Ts: Time needed to perform symmetric key
stored in the table available to RS has been compromised, encryption/decryption operation.
where the table contains the entries of the form TABLE II provides computation costs of this proposed
 ID ,UNSID , SL ,  SK
i i i i 
 h  IDi  x   . Note that the
protocol compared to the relevant literature [7], [9], [10]. This
proposed protocol requires an increased computation cost,
adversary cannot extract h  IDi  x  without SK i . however for the considered device, the increase in
Furthermore, a valid user is not able to obtain long-term computation cost is marginal compared to the significantly
information from RS. Therefore, the adversary is unable to get improved security benefits.
any advantage after obtaining the stored table.
6) Denial-of-service attack TABLE II
In biometric based authentication, the biometric information COMPARISON OF THE COMPUTATIONAL COST OF THIS WORK
COMPARED TO THE LITERATURE
may be affected due to noise during the biometric acquisition,
resulting in difficulty in reproducing the exact biometric data User cost Server cost Total cost
signature accurately each time. The hash function is very Yang et al. [7] 4Te  3Th  1Ts 6Te  2Th  1Ts 10Te  5Th  2Ts
sensitive to even slight changes in the input. Therefore, the
hash function cannot be applied directly to the biometric data. Lee et al. [9] 2T pm  4Th  1Ts 4T pm  9Th  2T s
2T pm  5Th  1T s
A legal user may even fail to login to the remote server due to
noisy biometric sensor data. If a biometric based He et al. [10] 2T pm  5Th  1T s 2T pm  4Th  1Ts 2T pm  4T h  1T s

authentication protocol relies on verifying h BTi*  ? hBTi , in 
Proposed 3T pm  5Th  3T s 3T pm  5T h  2T s 6T pm  10Th  5Ts
each session, then Ui may get rejected and in biometric
authentication this phenomenon is called the DoS attack. In
order to resist such kind of problem, a fuzzy extractor is
typically used. Therefore, the registration software in Ui
passes the biometric verification of Ui and thus, it can The communication cost of this work compared to the
withstand the DoS attack. literature [7], [9], [10] was analyzed. It was observed that this
7) Mutual authentication proposed protocol has a lower communication cost than the
Mutual authentication [23] is typically one of the important protocols considered in the literature. For comparison
and enviable property of any client-server authentication purposes, this work assumed that the length of IDi, PWi and
protocol. In Step 3 of the mutual authentication phase of this BTi are 64 bits of length each. In addition, the message digest
work, RS verifies the authenticity of Ui by checking the of the hash function, ECC-point multiplication and symmetric
key encryption produced 160-bits, 160-bits and 128-bits,
condition M 3 '  ? M 3 whereas Ui checks M 6 '  ? M 6 in Step respectively. TABLE III presents the communication overhead
5 to verify the legitimacy of RS. Therefore, this proposed cost and it can be observed that the proposed protocol is very
protocol achieves the mutual authentication property. efficient in terms of the communication cost.
60 IEEE Transactions on Consumer Electronics, Vol. 63, No. 1, February 2017
TABLE III [12] D. Giri, R. S. Sherratt, and T. Maitra, “A novel and efficient session
COMPARISON OF THE COMMUNICATION COST OF THIS WORK spanning biometric and password based three-factor authentication
COMPARED TO THE LITERATURE protocol for consumer USB mass storage devices,” IEEE Trans.
Consumer Electron., vol. CE-62, no. 3, pp. 283–291, Aug. 2016.
User Server Total cost [13] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generate
strong keys from biometrics and other noisy data,” LNCS, vol. 3027, pp.
Yang et al. [7] 4224 1312 5536 523–540, 2004.
Lee et al. [9] 480 480 960 [14] X. Boyen, “Reusable cryptographic fuzzy extractors,” in Proc. ACM
He et al. [10] CCS, 2004, pp. 82–91.
480 480 960
[15] R. Amin, and G.P. Biswas, “Anonymity preserving secure hash function
Proposed 256 256 512 based authentication scheme for consumer USB mass storage device,” in
Proc. IEEE CCCIT, 2015, pp. 1–6.
[16] N. Koblitz, “Elliptic curve cryptosystem,” Mathematics of
VII. CONCLUSION Computation., vol. 48, no. 177, pp. 203–209, Jan. 1987.
[17] V. S. Miller, “Use of elliptic curves in cryptography,” LNCS, vol. 218,
The main intention of this paper is to provide security pp. 417–426, Dec. 2000.
protection on the stored information in the consumer device [18] M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,”
ACM Trans. Computer Systems, vol. 8, no. 1, pp. 18–36, Feb. 1990.
from the unauthorized access by implementing an [19] D. He, N. Kumar and N. Chilamkurti, “A secure temporal-credential-
authentication protocol. In order to do it, this paper proposes a based mutual authentication and key agreement scheme with pseudo
mutual authentication and key negotiation protocol using identity for wireless sensor networks,” Information Sciences, vol. 321,
pp. 263–277, Nov. 2015.
elliptic curve cryptography. The security verification of the [20] P. Sarkar, “A simple and generic construction of authenticated
protocol has been done using BAN logic and the security encryption with associated data,” ACM Trans. Information and System
analysis ensures that the protocol can withstand several Security, vol. 13, no. 4, pp. 1–16, Dec. 2010.
[21] W.-C. Ku, and S.-M. Chen, “Weaknesses and improvements of an
relevant security attacks. The protocol is not only efficient in efficient password based remote user authentication scheme using smart
terms of security attacks, but it also achieves high cards,” IEEE Trans. Consumer Electron., vol. CE-50, no. 1, pp. 204–
performance in terms of communication cost in comparison 207, Feb. 2004.
with the existing protocols. Moreover, the proposed protocol [22] E.-J. Yoon, E.-K. Ryu, and K.-Y. Yoo, “Further improvement of an
efficient password based remote user authentication scheme using smart
provides the mutual authentication property between the cards,” IEEE Trans. Consumer Electron., vol. CE-50, no. 2, pp. 612–
participants involved and provides a password update facility 614, May. 2004.
to registered users. This work enables secure biometric [23] S. H. Islam, and G. P. Biswas, “A more efficient and secure ID-based
remote mutual authentication with key agreement scheme for mobile
personal storage devices to be configured from an Internet devices on elliptic curve cryptosystem,” J. Systems and Software, vol.
service and maintained throughout the lifetime of the device. 84, no. 11, pp. 1892–1898, Nov. 2011.

REFERENCES
Ruhul Amin received his B.Tech and
[1] L. Lamport, “Password authentication with insecure communication,” M.Tech from West Bengal University of
Communications of the ACM, vol. 24, no. 11, pp. 770–772, Nov. 1981.
[2] M.-S. Hwang, and L.-H. Li, “A new remote user authentication scheme Computer Science and Engineering,
using smart cards,” IEEE Trans. Consumer Electron., vol. CE-46, no. 1, Indian Engineering in 2009 and 2013,
pp. 28–30, Feb. 2000. respectively. He was a Ph.D. research
[3] H.-M. Sun, “An efficient remote use authentication scheme using smart scholar in Computer Science and
cards,” IEEE Trans. Consumer Electron., vol. CE-46, no. 4, pp. 958–
961, Nov. 2000. Engineering, Indian School of Mines
[4] C.-K. Chan, and L.M. Cheng, “Cryptanalysis of a remote user (ISM), Dhanbad, India. He is currently a
authentication scheme using smart cards,” IEEE Trans. Consumer Lecturer in the Department of Computer
Electron., vol. CE-46, no. 4, pp. 992–993, Nov. 2000. Science and Engineering, Thapar University, Patiala, Punjab,
[5] R. Amin, and G. P. Biswas, “A secure light weight scheme for user
authentication and key agreement in multi-gateway based wireless India. He has published many research papers in Journals and
sensor networks,” Ad Hoc Networks, vol. 36, no. 1, pp. 58–80, Jan. Conference proceedings of International reputes. His current
2016. research interests include cryptographic authentication
[6] R. Amin, and G. P. Biswas, “A novel user authentication and key protocols and security in wireless sensor networks.
agreement protocol for accessing multi-medical server usable in TMIS,”
Journal of Medical Systems, vol. 39, no. 3, pp. 1–17, Mar. 2015.
[7] F.-Y. Yang, T.-D. Wu, and S.-H. Chiu, “A secure control protocol for
USB mass storage devices,” IEEE Trans. Consumer Electron., vol. CE- R. Simon Sherratt (M’97-SM’02-F’12)
56, no. 4, pp. 2339–2343, Nov. 2010. received the B.Eng. degree in Electronic
[8] B. Chen, C. Qin, and L. Yu, “A Secure Access Authentication Scheme Systems and Control Engineering from
for Removable Storage Media,” Journal of Information &
Computational Science, vol. 9, no. 15, pp. 4353–4363, Nov. 2012. Sheffield City Polytechnic, UK in 1992,
[9] C. Lee, C. Chen, and P. Wu, “Three-factor control protocol based on M.Sc. in Data Telecommunications in
elliptic curve cryptosystem for universal serial bus mass storage 1994 and Ph.D. in video signal processing
devices,” IET Computers & Digital Techniques, vol. 7, no. 1, pp. 48–55, in 1996 from the University of Salford,
Jan. 2013.
[10] D. He, N. Kumar, J.-H. Lee, and R. S. Sherratt, “Enhanced three-factor UK.
security protocol for consumer USB mass storage devices,” IEEE Trans. In 1996, he has appointed as a Lecturer
Consumer Electron., vol. CE-60, no. 1, pp. 30–37, Feb. 2014. in Electronic Engineering at the University of Reading where
[11] D. Giri, R. S. Sherratt, T. Maitra, and R. Amin, “Efficient Biometric and he is now Professor of Biosensors. His research topic is signal
Password Based Mutual Authentication for Consumer USB Mass
Storage Devices,” IEEE Trans. Consumer Electron., vol. CE-61, no. 4, processing and personal communications in consumer devices
pp. 491–499, Nov. 2015. focusing on wearable devices and healthcare.
R. Amin et al.: A Software Agent Enabled Biometric Security Algorithm for Secure File Access in Consumer Storage Devices 61
st
He received the 1 place IEEE Chester Sall Memorial SK Hafizul Islam received the M.Tech
Award in 2006, the 2nd place in 2016 and the 3rd place in 2017. from ISM Dhanbad in 2009 and the Ph.D
He is a reviewer for the IEEE SENSORS JOURNAL and is in Computer Science and Engineering
currently a Senior Editor and Emeritus Editor-in-Chief of the from Indian School of Mines, Dhanbad
IEEE TRANSACTIONS ON CONSUMER ELECTRONICS. (SM Dhanbad), India. He was an Assistant
Professor in the Department of CSIS,
BITS Pilani, Pilani Campus, Rajasthan,
Debasis Giri received the Ph.D degree India and is currently an Assistant
from the Indian Institute of Technology, Professor in the Department of CSE, Indian Institute of
Kharagpur, India in 2009. He did his Information Technology, Kalyani (IIIT Kalyani), West
masters (M.Tech and M.Sc) both from Bengal, India. He has published 50 research papers in reputed
Indian Institute of Technology, Kharagpur, international Journals and Conference proceedings. He is an
India in 2001 and 1998 respectively. Associate Editor of the International Journal of
Presently he is a Dean under the school of Communication Systems, Wiley. His research interest
Electronic, Computer Science and includes Cryptography and Information Security.
Informatics of Haldia Institute of Technology, India, and
Professor in the Department of Computer Science and
Engineering, Haldia Institute of Technology, India. He has Muhammad Khurram Khan (M’07,
tenth All India Rank with percentile score 98.42 in the SM’12) is currently working as a Full
Graduate Aptitude Test in Engineering (GATE) Examination Professor at the Center of Excellence in
in 1999. His current research interests include Cryptography, Information Assurance (CoEIA), King
Network security, Data Hiding, Security in Wireless Sensor Saud University, Kingdom of Saudi
Networks and Security in VANETs. Arabia. He has published over 250
Dr. Giri is an Editorial Board Member and a Reviewer of research papers in the journals and
many reputed International Journals. Presently he is an conferences of international repute. In
Associate Editor of the Journal of Security and addition, he is an inventor of 10 US/PCT patents.
Communication Networks (Wiley), the Journal of Prof. Khan is the Editor-in-Chief of Telecommunication
Communication Systems (Wiley) and the Journal of Electrical Systems Journal, Springer. He is a Fellow of the IET, Fellow
and Computer Engineering Innovations. He is also a Program of the BCS, Fellow of the FTRA, a member of the IEEE
Committee member for many International Conferences. Technical Committee on Security & Privacy, a member of the
IEEE Cybersecurity community, and a member of IEEE
Consumer Electronics society.