The Resilience of DoS Attacks in User-Authentication to Preserving The Availability

User authentication is imperative to ensure that only legitimate users gain access. Most existing user authentication schemes are based on an identity and a password; nowadays, schemes based on biometrics combined with a password are also applied widely. Unfortunately, most existing user authentication schemes are vulnerable to various attacks, including online/offline password guessing attacks, stolen device/smart card attacks, user masquerade attacks, server spoofing attacks, and DoS attacks. Additionally, most of them do not consider resolving the loss-of-synchronization problem. Availability is essential in an authentication protocol: the protocol must keep operating even if loss of synchronization occurs. This article proposes a user authentication protocol whose main security goal is availability; it resolves the loss of synchronization and withstands DoS attacks. Informal analysis is used to show that the protocol achieves its security features, and we also evaluate the proposal formally using BAN logic, the Real-or-Random model, and the Scyther tool, together with a comparison of computational complexity showing that the protocol has low computational cost.


INTRODUCTION
User authentication is essential to ensure that a user is legitimate. Three crucial phases must be completed before a user can access an information system: the user registers first, then logs in, and then mutual authentication is performed between the user's device and the server. Wireless communication between the user's device and the server enables an attacker to intercept, alter, and delete messages. Additionally, the attacker can mount more severe attacks: after stealing the device and obtaining the data from its memory, the attacker can conduct an online/offline password guessing attack, a masquerade attack, a spoofing attack, or a tracking attack. Several schemes have been proposed to resolve these issues. [1] proposed user authentication based on identity and password. [2] and [3] proposed user authentication based on a smart card, identity, and password. However, most of the existing schemes fail to withstand various attacks, such as online/offline guessing attacks, masquerade attacks, spoofing attacks, and tracking attacks [4], [5].
Other researchers, [4], [5], [14], [6]-[13], proposed user authentication using passwords, biometrics, and smart cards. Unfortunately, [4], [5], [14], [6]-[13] share the problems of [2] and [3]. Further, our investigation shows that most of them do not consider resolving the loss-of-synchronization problem. This is very dangerous if the scheme is applied in an IoT-based health care system. For instance, a doctor may need the data of a critical patient from the server immediately, but loss of synchronization occurs and the protocol cannot handle it, so the doctor cannot obtain the data. In other words, the existing schemes cannot achieve availability. We define availability of a user authentication protocol as follows: the protocol keeps operating even if loss of synchronization occurs. Moreover, because the previous user authentication protocols did not aim at an unclonable device, they cannot guarantee resistance to cloning attacks.
[10]-[12] introduce the Physical Unclonable Function (PUF), which suits resource-limited devices and withstands cloning attacks. A PUF is a unique property of a circuit, arising in the chip manufacturing process, that maps a challenge C to a response R; its internal structure provides a one-way function, so a PUF cannot be duplicated and is almost impossible to clone. Recently, Weixin Bian et al. [15] proposed a user authentication protocol based on biometrics and a PUF. However, our investigation shows that Weixin Bian et al.'s scheme [15] fails to achieve availability, does not resolve the loss-of-synchronization problem, and cannot withstand the DoS attack.
In this paper, we propose a new user authentication protocol using biometrics and a PUF. The proposed protocol achieves various security features: mutual authentication, anonymity, untraceability, resolution of the loss-of-synchronization problem, and availability. Further, the proposed protocol withstands various attacks, such as the DoS attack, the tracking attack, and the cloning attack (see Table 3).
The rest of this paper is organized as follows. Section II presents the detailed proposal, followed by informal analysis in Section III. Section IV presents the performance analysis and comparison, followed by formal analysis using BAN logic, the RoR model, and the Scyther tool in Sections V, VI, and VII, respectively, and finally the conclusion.

Related Work and Motivation
Several user authentication schemes have been proposed. A traditional one, based on identity and password, was proposed by Lamport [1]; it must store a table of user passwords to verify legitimate users. Unfortunately, [1] suffers from an offline password guessing attack. Hwang et al. [2] proposed smart-card-based user authentication in which no password table is stored. Nonetheless, [3] pointed out that [2] is vulnerable to forged identity attacks. Lee et al. [14] tried to resolve the problem of [2] by adding biometrics to the smart card. Unfortunately, [16] showed that [14] fails to withstand masquerade attacks. Additionally, [14] and [16] do not provide mutual authentication, only user authentication; hence [14] and [16] suffer from server spoofing attacks. [17] then proposed a new authentication protocol to improve the security features of [16]. Unfortunately, [17] fails to withstand password guessing and masquerade attacks.
Khan et al. [4] proposed a new user authentication scheme based on biometrics and a one-way hash function. Unfortunately, it fails to withstand password guessing and masquerade attacks once the attacker has extracted the data from the device's memory. Chen et al. [5] proposed a scheme using biometrics and a password; however, it is vulnerable to password guessing attacks. Troung et al. [6] proposed a scheme providing anonymity and resistance to spoofing and replay attacks; however, it has a loophole: a user can reveal the server's secret key. Khan et al. [7] proposed a scheme to enhance these security features, but it is as vulnerable as [5] and [6] to such attacks.
Several researchers used smart cards to resolve security problems in user authentication. Poh et al. [18] proposed user authentication for a smart home; however, their scheme fails to verify the user in the login phase. Later, Das [8] proposed a scheme that eventually proved unable to withstand external attacks. An [9] offered a scheme to improve Das's scheme [8]; however, Khan et al. [10] and Ibjaoun [11] point out that [9] fails to achieve security features in the same way as [8]. Li et al. [12] improved Das's scheme [8] by providing mutual authentication and establishing a session key between user and server; however, Chaturvedi et al. [13] point out that [12] cannot achieve user anonymity. Chaturvedi et al. [13] therefore proposed a new scheme providing mutual authentication and session key establishment, but [13] fails to withstand cloning of the device.
Recently, many researchers have proposed biometric-based user authentication, which differs from traditional password-based authentication. It has many advantages owing to the uniqueness of the individual biometric input [18], and it relieves the user of remembering, and losing, passwords. Other works [19]-[22] also use biometrics for user authentication. The biometric should not be stored directly on the user's device or on the server, to mitigate risk [14], [16], [17], [4]; [5], [6], [7], [8] instead protect the biometric with a one-way hash function before storing it. However, biometric readings are noisy and change over time, so a device that stores a hash of the enrolment reading may fail to recognize the user later. A fuzzy extractor resolves this: it generates a fixed key K and helper data hd from the biometric input, (K, hd) = FE.Gen(Biometric), and later reconstructs the same fixed key from a noisy reading, K = FE.Rec(Biometric, hd) [23], [24]. However, biometrics alone cannot guarantee resistance to cloning attacks. [10]-[12] introduce the Physical Unclonable Function (PUF), which suits resource-limited devices and withstands cloning attacks. A PUF is a unique property of a circuit, arising in the chip manufacturing process, that maps a challenge C to a response R; its internal structure provides a one-way function, so a PUF cannot be duplicated and is almost impossible to clone.
Recently, Weixin Bian et al. [15] proposed a user authentication protocol based on biometrics and a PUF. However, their scheme neither resolves the loss-of-synchronization problem nor withstands the DoS attack. This is very dangerous if the scheme is applied in an IoT-based health care system: a doctor may need a critical patient's data from the server immediately while the protocol cannot operate because of loss of synchronization, so the doctor cannot obtain the data.

2. Our scheme also withstands various attacks, such as online/offline password guessing attacks, stolen mobile device/smart card attacks, replay attacks, user masquerade attacks, server spoofing attacks, man-in-the-middle attacks, known session key attacks, cloning attacks, and DoS attacks.
3. A formal analysis using BAN logic is carried out to ensure that our user authentication protocol achieves secure mutual authentication.
4. The RoR model and the Scyther tool are also used for formal analysis, to ensure that our proposal withstands various attacks.
5. A comparison in terms of security features and computational complexity shows that our proposal is not only secure but also has low computational complexity.

Preliminaries
This subsection briefly presents the preliminary background of the fuzzy extractor and the PUF.
a. Fuzzy Extractor. The fuzzy extractor consists of two procedures, FE.Gen() and FE.Rec(). FE.Gen() generates a fixed key K and helper data hd from the biometric input Bu, where (K, hd) = FE.Gen(Bu). FE.Rec() reconstructs K from the helper data hd and a noisy input Bu', where Bu is the user's biometric and Bu' is an approximation of Bu whose Hamming distance from Bu is at most a fixed threshold; therefore K = FE.Rec(hd, Bu'). Reconstruction succeeds only if the noisy data are sufficiently similar to the original data. In this paper we use the fuzzy extractor to obtain the fixed key K from the biometric Bu, where (K, hd) = FE.Gen(Bu).

b. Physically Unclonable Function (PUF)
A PUF is a unique property of a circuit, arising in the chip manufacturing process, that maps a challenge C to a response R [25]. Formally, inputting C into the PUF produces R, where R = PUF(C). Significantly, PUFs are hard to clone [26]. We distinguish two types, the non-ideal PUF and the ideal PUF. A non-ideal PUF may produce a different response for the same challenge C, for example because of temperature variation. A fuzzy extractor can be used to obtain a stable PUF output [23], [24]; however, it increases the computational overhead.
An ideal PUF produces the same response whenever the same challenge is input, even under unstable temperature. In the last few years researchers have developed ideal PUFs with a 0% bit error rate [27]-[30]. Therefore, in this paper we use an ideal PUF.
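The two procedures FE.Gen()/FE.Rec() from the preliminaries, and the fuzzy-extractor fix for a non-ideal PUF mentioned above, can be seen concretely in a code-offset construction: the helper data is the noisy reading XORed with a codeword of a random value, and recovery decodes the noise away. The following is an added example written for this page, not code from the paper; it assumes a repetition code as the error-correcting code (a production design would use a stronger code), SHA-256 in the role of the extractor, and a constructed bit-string reading in place of a real biometric template or PUF response.

```python
"""Code-offset fuzzy extractor over a noisy bit string (biometric template or
non-ideal PUF response). Added example; the repetition code and SHA-256
extractor are simplifications chosen for illustration."""
import hashlib
import random
import secrets

REP = 5                      # repetition factor (assumed for this demo)
KEY_SYMBOLS = 32             # bits of the random value r protected by the sketch
LEN = REP * KEY_SYMBOLS      # length of the noisy reading w
T = (REP - 1) // 2           # bit errors tolerated per block of REP bits


def _encode(r):
    """Repetition code C(r): each bit of r is written REP times."""
    return [b for b in r for _ in range(REP)]


def _decode(c):
    """Majority vote per block; inverts _encode when every block has <= T errors."""
    return [1 if sum(c[i:i + REP]) > REP // 2 else 0 for i in range(0, len(c), REP)]


def fe_gen(w):
    """FE.Gen: (K, hd) from an enrolment reading w.
    hd = w xor C(r) is the secure sketch; K = Hash(r) stands in for the extractor."""
    assert len(w) == LEN
    r = [secrets.randbits(1) for _ in range(KEY_SYMBOLS)]
    hd = [a ^ b for a, b in zip(w, _encode(r))]
    return hashlib.sha256(bytes(r)).digest(), hd


def fe_rec(w_prime, hd):
    """FE.Rec: recover K from helper data and a noisy reading w'.
    w' xor hd = C(r) xor e with e = w xor w'; decoding removes e if each block has <= T errors."""
    assert len(w_prime) == LEN
    r = _decode([a ^ b for a, b in zip(w_prime, hd)])
    return hashlib.sha256(bytes(r)).digest()


def sample_reading(seed=7):
    """Constructed enrolment reading for the demo (not real biometric or PUF data)."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(LEN)]


def flip(bits, positions):
    """Model sensor or thermal noise by flipping the bits at the given positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    """Returns (recovered_within_threshold, recovered_beyond_threshold)."""
    w = sample_reading()
    k, hd = fe_gen(w)
    ok = fe_rec(flip(w, [0, 1, 7, 12]), hd) == k   # at most T errors in every block
    bad = fe_rec(flip(w, [0, 1, 2]), hd) == k      # 3 errors in block 0 exceed T
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

The helper data hd can be stored on the device or the server because it hides r behind the unknown reading w; only a reading within the threshold of the enrolment reading yields the same K, which is exactly the property that lets a non-ideal PUF response or a biometric serve as a stable key.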

PROPOSED SCHEME
This section presents our proposed scheme starting from System structure, Assumptions, Notation, user registration phase, login, mutual authentication and session key establishment between device and server. For convenience, we use the notation in Table 1 throughout our scheme.

System Structure
In Fig. 1, the system structure consists of two components, a device and a server; the device may be a mobile phone, laptop, or iPad, and the server stores user data.
Table 1 summarizes the notation: the user login; the private key of the server, i.e. its long-term secret key; a user-unique random number generated by the server; || for the concatenation operation; ⨁ for the exclusive-OR operation; the session key between user and server; the user's biometric Bu; the fuzzy extractor for the biometric; and the fixed key K and helper data hd generated from Bu, where (K, hd) = FE.Gen(Bu).
The user imprints the biometric Bu on the device and the device verifies the user from it; if the biometric input does not match the biometric enrolled on the device, the login is terminated. Otherwise, the protocol performs mutual authentication and establishes a session key between device and server; after the session key is established, device and server can communicate securely. Our scheme has two phases: the user's device registration (Figure 2), and login, mutual authentication, and session key establishment between the user's device and the server (Figure 3).

Assumptions
We make the following assumptions:
a. The devices are equipped with biometric input and a PUF.
b. The devices have constrained resources.
c. The server has no resource constraints.

Notation of Cryptographic Functions
This subsection presents the notation of the cryptographic functions used throughout this paper. Additionally, by the assumptions above, the devices are equipped with biometric input and a PUF, and our scheme uses these facilities (see Table 1).

Login, Mutual Authentication and Session Key Establishment between Device and Server
Login, mutual authentication, and session key establishment between device and server consist of 4 steps, as follows: Step 1: The user logs in to the device by imprinting the biometric Bu, and the device extracts the fixed key K from it with FE.Rec().

The Solution to Resolve the Loss of Synchronization and DoS Attack
The solution to resolve the loss of synchronization is as follows:
Step 1: When desynchronization occurs, the device uses the next pair from the set of n (pseudo-identity, shared key) synchronization pairs agreed with the server at registration.
Step 2: Run the same steps as the authentication phase with that pair.

Security Features Analysis
This subsection presents the security feature analysis. The details are as follows:
a. Mutual authentication. Both parties recognize the identity of the other party by possession of the shared secret h(·||·) and the PUF response, and each party checks the nonce of the other to ensure freshness. Therefore, the scheme achieves mutual authentication.
b. Anonymity. Our protocol uses a one-time pseudonym. Even if the attacker intercepts all messages on the public channel, including the pseudonym, the attacker cannot obtain the user's real identity. Therefore, our protocol achieves anonymity.
c. Untraceability. Since our protocol achieves anonymity, the attacker finds it hard to track a legitimate user. Additionally, the challenge is protected by the nonce pair, so the challenge is never sent in the clear and the attacker cannot link a challenge to its owner from the messages collected on the public channel. Therefore, the scheme achieves untraceability.
d. Perfect forward secrecy. In our scheme the values updated in every session include the nonces, the challenge C, the response R, and the session key SK, and there is no relation between the values of different sessions. Even if the attacker obtains the current session key, the attacker cannot obtain past session keys. Therefore, the scheme achieves perfect forward secrecy.
e. Session key security. In our protocol the session key changes every session and there is no relation between session keys. Even if the attacker obtains one session key, the attacker cannot obtain past or future session keys. Therefore, our authentication protocol achieves session key security.
f. Resolving the desynchronization problem. If loss of synchronization occurs, the device replaces its current pseudo-identity and shared key with the first pair of its synchronization set and deletes that pair from the set; the server does the same with its copy of the set, replaces its nonce with the next value from its nonce set, and both run the same steps as the authentication phase. Therefore, the scheme resolves the loss of synchronization.
g. Availability. Since our protocol resolves the loss-of-synchronization problem, the protocol keeps operating even if synchronization is lost. Therefore, our protocol achieves availability.
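The fallback described in the loss-of-synchronization solution and restated in items f and g can be exercised by simulating both sides: a successful run rotates the pseudonym on both ends, a lost final message leaves the server one rotation ahead, and the spare pool lets the device recover without re-registration. The following is an added example written for this page, not the paper's protocol: the login exchange, the pseudonym update rule h(PID, K, n1, n2) and the session key derivation h(K, n1, n2) are assumptions standing in for the paper's messages, the biometric and PUF steps are omitted, and the server's separate nonce set is not modelled.

```python
"""Pseudonym/key pool fallback for loss of synchronisation between a device and a
server. Added example with an assumed, simplified login exchange; it is not the
paper's message format."""
import hashlib
import secrets


def h(*parts):
    """Hash of the concatenation of its byte-string arguments."""
    m = hashlib.sha256()
    for p in parts:
        m.update(p)
    return m.digest()


class Party:
    """State common to device and server: current (PID, K) plus an ordered spare
    pool {(PID_1, K_1), ..., (PID_n, K_n)} agreed at registration."""

    def __init__(self, pid, key, pool):
        self.pid, self.key = pid, key
        self.pool = list(pool)

    def fallback(self):
        """Step 1 of the recovery: take the first spare pair and delete it from the pool."""
        if not self.pool:
            raise RuntimeError("pool exhausted: re-registration needed")
        self.pid, self.key = self.pool.pop(0)

    def rotate(self, n1, n2):
        """Per-session pseudonym update (assumed rule); both sides derive the same next PID."""
        self.pid = h(self.pid, self.key, n1, n2)


class Server(Party):
    def login(self, pid, n1):
        """Return the server nonce on success, or None for an unknown pseudonym."""
        if pid != self.pid:
            if self.pool and pid == self.pool[0][0]:
                self.fallback()   # device moved to its first spare pair: follow it
            else:
                return None
        n2 = secrets.token_bytes(16)
        self.sk = h(self.key, n1, n2)   # session key, kept only so the demo can compare
        self.rotate(n1, n2)
        return n2


class Device(Party):
    def run(self, server, lose_reply=False):
        """One authentication run; returns the session key or None."""
        n1 = secrets.token_bytes(16)
        n2 = server.login(self.pid, n1)
        if n2 is None or lose_reply:
            return None   # lose_reply: server already rotated, device did not (desync)
        sk = h(self.key, n1, n2)
        self.rotate(n1, n2)
        return sk

    def authenticate(self, server):
        """Normal run first; on failure fall back (Step 1) and rerun the phase (Step 2)."""
        sk = self.run(server)
        if sk is None:
            self.fallback()
            sk = self.run(server)
        return sk


def demo():
    """Healthy run, lost reply, rejected stale pseudonym, then recovery via the pool."""
    pool = [(b"PID1", b"K1"), (b"PID2", b"K2")]   # constructed registration data
    dev = Device(b"PID0", b"K0", pool)
    srv = Server(b"PID0", b"K0", pool)
    first = dev.run(srv) is not None          # both sides rotate together
    dev.run(srv, lose_reply=True)             # reply lost: pseudonyms now differ
    stale = dev.run(srv) is None              # the stale pseudonym is rejected
    sk = dev.authenticate(srv)                # recovery path through the pool
    return first, stale, sk == srv.sk, dev.pid == srv.pid, len(dev.pool), len(srv.pool)


if __name__ == "__main__":
    print(demo())
```

Each recovery consumes one pair on both sides, so the pool is finite: an attacker who can drop the final message of a session more than n times forces re-registration. The pool size therefore bounds how many interruptions the device survives before availability is lost.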

Attack Analysis
This subsection presents the attack analysis to ensure that our protocol withstands various attacks. The details are as follows:
a. Withstanding online/offline password guessing attacks. Our user authentication protocol does not need a password; the protocol only uses the biometric-derived key to protect the data stored on the device. Therefore the attacker never has the opportunity to guess a password, and our protocol carries no password guessing risk.
b. Withstanding stolen device/smart card attacks. If the attacker steals the mobile device and extracts the data stored in its memory, those data are protected by the fixed key K extracted from the biometric, so the attacker cannot recover the original data. Therefore, our protocol withstands the stolen mobile device attack.
c. Withstanding replay attacks. In our scheme the messages are updated in every session. If the attacker intercepts a message on the public channel, e.g. the first login message,
g. Withstanding known session key attacks. Since session key security is achieved, even if the attacker learns one session key, the attacker cannot obtain past or future session keys. Therefore, our scheme withstands the known session key attack.
h. Withstanding DoS attacks. Since the scheme resolves the loss-of-synchronization problem, an attacker cannot render the device unable to authenticate by breaking synchronization; hence our scheme withstands the DoS attack.
i. Withstanding cloning attacks. Our scheme uses a PUF; therefore, our scheme guarantees resistance to cloning attacks.
The execution times of the cryptographic operations are as follows. The first operation takes 0.12 ms on the device; the second takes 1.67 ms on the device and 1.17 ms on the server; the third takes 3.28 ms on the device and 2.85 ms on the server; the fourth takes 7.86 ms on the device and 2.34 ms on the server; and the hash h takes 0.026 ms on the device and 0.011 ms on the server.
Based on Table 4, Lin and Lay [16] have a registration-phase complexity of ℎ + , login and mutual authentication of 2 ℎ + 2 for the user and ℎ + 2 for the server, with a total computational time of 28.35 ms. Chen et al. [5] have a registration-phase complexity of 3 ℎ , login and mutual authentication of 5 ℎ for the user and 3 ℎ for the server, with a total computational time of 0.24 ms. Troung et al. [6] have a registration-phase complexity of 4 ℎ , login and mutual authentication of 6 ℎ for the user and 5 ℎ for the server, with a total computational time of 0.312 ms. Khan et al. [7] have a registration-phase complexity of 5 ℎ , login and mutual authentication of 7 ℎ for the user and 6 ℎ for the server, with a total computational time of 0.348 ms. Poh et al. [18] have a registration-phase complexity of 3 ℎ , login and mutual authentication of 4 ℎ for the user and 3 ℎ for the server, with a total computational time of 0.215 ms.
Das [8] has a registration-phase complexity of 3 ℎ , login and mutual authentication of 5 ℎ for the user and 5 ℎ for the server, with a total computational time of 0.263 ms. An [9] has a registration-phase complexity of 3 ℎ , login and mutual authentication of 5 ℎ for the user and 4 ℎ for the server, with a total computational time of 0.252 ms. Khan and Kumari [10] have a registration-phase complexity of 4 ℎ , login and mutual authentication of 5 ℎ for the user and 5 ℎ for the server, with a total computational time of 0.289 ms. Li et al. [12] have a registration-phase complexity of . + 3 ℎ , login and mutual authentication of . + 6 ℎ + 2 for the user and 5 ℎ + 2 for the server, with a total computational time of 25.64 ms.
Chaturvedi et al. [13] have a registration-phase complexity of . + 3 ℎ + 2 , login and mutual authentication of . + 7 ℎ + 2 for the user and 3 ℎ for the server, with a total computational time of 5.68 ms. Table 5 and the diagram in Fig. 2 show that our protocol has a lower computational time than the user authentication protocols proposed by [16], [12], [13], and [15]. Additionally, our protocol not only has low computational time but also achieves all security features SF1-SF7 and withstands all the attacks WA1-WA9 listed in Tables 2 and 3.

FORMAL ANALYSIS USING BAN LOGIC
This section presents a formal analysis using BAN logic as evidence that our scheme achieves secure mutual authentication.

Brief Explanation of BAN Logic
BAN logic has three kinds of objects [38]: participants, encryption keys, and logical formulas. In this paper the participants are the device and the server; the encryption keys are the shared key h(·||·) together with the other secrets shared during a session; and the logical formulas are based on Tables 5 and 6.

Proof of the scheme's formal analysis using BAN Logic
This subsection presents the formal analysis of mutual authentication between the user's device (U) and the server (S), covering the idealized protocol, the assumptions and goals, and the protocol analysis.

2) Assumptions and goals. This subsection presents the assumptions and goals, including the belief of shared keys, the belief of freshness, and trust.
a. Belief of shared keys
U |≡ U ↔ S: the user believes that the user and the server use the same key h(·||·).
S |≡ U ↔ S: the server believes that the server and the user use the same key h(·||·).
U |≡ U ↔ S: the user believes that the user and the server share a secret key.
S |≡ S ↔ U: the server believes that the server and the user share a secret key.
b. Belief of freshness
U |≡ #(nonce): the user believes that the server's nonce is fresh.
S |≡ #(nonce): the server believes that the user's nonce is fresh.
S |≡ #(nonce): the server believes that its own nonce is fresh.
U |≡ #(nonce): the user believes that its own nonce is fresh.

c. Trust
U |≡ S |≡ U ↔ S: the user believes that the server believes that the server and the user share a secret.

U |≡ S ⟹ U ↔ S: the user believes that the server has jurisdiction over the session key SK between the server and the user.

S |≡ (U ↔ S): because the server believes that the user has jurisdiction over the session key (S ↔ U) and the server believes that the user believes (S ↔ U), the server believes (S ↔ U).
Based on the formal analysis using BAN logic, our proposed scheme achieves mutual authentication. The evidence is as follows: upon receiving the server's message, the user recovers the server's nonce by XORing the masked value with the shared key, verifies the check value to ensure that the message came from the server, recovers the challenge C by XORing with h(·||·), and generates the response R = PUF(C). On the other hand, the server also authenticates the user: upon receiving the user's message, the server recovers the user's nonce by XORing with h(·||·), recomputes the shared value, and verifies the check value to ensure that the message came from the user. Subsequently, the server computes the session key SK = h(·||·||·). Therefore, both parties recognize the identity of the other party by possession of the secret key h(·||·) and the other shared secrets, check freshness from the nonces, and establish the session key.

FORMAL ANALYSIS USING THE ROR MODEL
In this section we also prove security formally using the Real-or-Random (RoR) model. Our RoR model has two participants, the user's device (U) and the server (S), and is defined as follows.

1) Participants: the oracles of the participants are the instances of the user's device U and of the server S.
2) Partnering: partnering is achieved if and only if two conditions are fulfilled.
Send query: the adversary can send a message to any participant, e.g. the device, and can receive and reply to messages as well. This query models an active attack.
c. Device corruption query: the adversary captures the device and extracts the credentials stored in its memory. This models a stolen or lost device attack.
d. Test query: semantic security is determined by the indistinguishability of the session key SK established between the user's device and the server in the RoR model [40]. The adversary tosses an unbiased coin c. If SK is fresh, i.e. it has not been exposed through a Reveal query, the Test query returns the actual session key when c = 1 and a random key when c = 0; if SK is not fresh, the query returns null.

5) Semantic Security Of Session Key
In the RoR model, the adversary must be able to distinguish the actual session key from a random key. The adversary may repeat the Test query and records its guess in a bit c'. If c = c', the adversary wins. The adversary's advantage in breaking the semantic security of the authenticated key agreement protocol within a given time is defined in terms of the event that adversary A wins the game.

6) Random Oracle
In our RoR model, the collision-resistant hash function h(·) and the secure PUF(·) can be accessed by the adversary and by every participant.
Relying on Definitions 1 and 2 above and on Zipf's law [41], Theorem 1 establishes the semantic security of the proposed protocol.
Theorem 1: Let the adversary A run an attack on the proposed protocol P in polynomial time under the RoR model, where user-chosen passwords follow Zipf's law [41], and $l_1$ and $l_2$ are the bit lengths of the biometric secret key and of the secret user identity. The adversary's advantage in breaking the semantic security of the protocol and revealing the session key between the user's device and the server is bounded by
$$Adv_P^{AKE}(A) \le \frac{q_h^2}{|Hash|} + \frac{q_p^2}{|PUF|} + 2\max\left\{ C' q_s^{s'},\ \frac{q_s}{2^{l_1}},\ \frac{q_s}{2^{l_2}} \right\}$$
where $q_h$, $q_p$, and $q_s$ are the numbers of Hash, PUF, and Send queries, respectively, $|Hash|$ and $|PUF|$ are the range spaces of h(·) and PUF(·), and $C'$ and $s'$ are Zipf's parameters [41].
Let $G_i$, $i \in [0,4]$, denote a sequence of five games, and let $Succ_i$ denote the event that A correctly guesses the bit c in game $G_i$. The games are as follows.
Game $G_0$: this game is the actual attack on protocol P by adversary A under the RoR model. By definition,
$$Adv_P^{AKE}(A) = |2\Pr[Succ_0] - 1| \quad (1)$$
Game $G_1$: this game is an eavesdropping attack; A intercepts all transmitted messages of the three protocol flows and then issues the Test query to decide whether the result is the actual session key or a random value. In our protocol SK is computed as h(·||·||·), so computing SK requires the secret credentials, which the adversary does not know; only a legitimate device can compute the PUF response, and hence only a legitimate device can compute SK. Therefore, A's probability of winning $G_1$ by eavesdropping is not increased over $G_0$. Consequently, we have the following result.
(2)
Game $G_2$: this game simulates the Send and Hash queries.

claims of the protocol. Figure 5 is the SPDL model of our protocol, and Figure 6 is the validation result of the Scyther tool, which finds no attack on our scheme. Hence our protocol withstands the attacks covered by the Scyther claims.

CONCLUSION
This article proposed a new user authentication protocol based on biometrics and a PUF to improve security features and resolve open problems in user authentication. Based on the informal analysis, our proposed scheme achieves mutual authentication, anonymity, untraceability, perfect forward secrecy, session key security, resolution of desynchronization, and availability (SF1-SF7), and withstands various attacks (WA1-WA10). Additionally, the formal analysis using BAN logic shows that our scheme achieves mutual authentication, and the results of the RoR model and the Scyther tool show that our scheme withstands various attacks, which confirms and strengthens the informal analysis. Based on the computational complexity comparison, our protocol has a lower computational cost than the schemes proposed by [16], [12], [13], and [15]. Therefore, our scheme is well suited for user authentication.