文摘
Traditional two party client server authentication protocol may not provide a scalable solution for present network environments where personal and ubiquitous computing technologies are involved as it is now becoming multi-server based. To achieve efficient authorized communication, multi-server based authentication protocols have been designed. The key feature of multi-server based protocols is one time registration. We study the existing multi-server based authentication protocols, and identify that many of the multi-server based authentication protocols involve control server in mutual authentication or trusted server environment is required. The involvement of central authority in mutual authentication may be a bottleneck for large network, and the servers may be semi-trusted. To erase these drawbacks, Wei et al. recently proposed a multi-server based authentication protocol. Their protocol does not require all servers to be trusted and involvement of control server in mutual authentication. Unfortunately, we identify the security vulnerability of Wei et al.'s scheme to insider attack and password guessing attack. Additionally, lack of pre-smart card authentication leads to denial of service attack. To enhance the security of Wei et al.'s protocol, we propose a secure biometric-based authentication scheme for multi-server environment using smart card. We simulate the proposed protocol for the formal security verification using the widely accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool to show that our scheme is secure against active and passive attacks. In addition, we prove that our proposed scheme provides mutual authentication using the widely-accepted Burrows–Abadi–Needham (BAN) logic and is also secured against various well known attacks. In addition, our scheme is efficient in terms of computational and communication overheads as compared to Wei et al.'s scheme and other existing related schemes.