Cryptanalysis and Improvement of a Remote Anonymous Authentication Protocol for Mobile Multi-server Environments

2019 
Recently, Feng et al. proposed an anonymous remote biometric authentication protocol for mobile multi-server environments. The protocol is vulnerable to session key, anonymity, replay, offline password guessing, and impersonation attacks. To address these flaws, we propose a new secure and efficient anonymous remote biometric authentication protocol for mobile multi-server environments based on a cryptographic hash function and elliptic curve cryptography (ECC). Security analysis shows that our protocol achieves authenticated key exchange in the random oracle model, with strong anonymity and perfect forward security guarantees, and can resist all known Internet attacks. Performance evaluation shows that our protocol is more secure than the previous protocols, and that its computational and communication efficiency are better suited to the application requirements of mobile multi-server environments.