Cryptanalysis of an anonymous multi-server authenticated key agreement scheme using smart cards and biometrics

With the growing popularity of network applications, multi-server architectures are becoming an essential part of heterogeneous networks and numerous security mechanisms have been widely studied in recent years. To protect sensitive information and restrict the access of precious services for legal privileged users only, smart card and biometrics based password authentication schemes have been widely utilized for various transaction-oriented environments. In 2014, Chuang and Chen proposed an anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards, password, and biometrics. They claimed that their three-factor scheme achieves better efficiency and security as compared to those for other existing biometrics-based and multi-server schemes. Unfortunately, in this paper, we found that the user anonymity of Chuang-Chen´s authentication scheme cannot be protected from an eavesdropping attack during authentication phase. Moreover, their scheme is vulnerable to smart card lost problems, many logged-in users´ attacks and denial-of-service attacks and is not easily reparable.