Abstract
Three-party authentication key exchange is a protocol that allows two users to set up a session key for encrypted communication with the help of a trusted remote server. Providing user anonymity and mutual authentication in authentication key exchange are important security requirements that protect users' privacy and strengthen the security of the protocol. Recently Li proposed a chaotic maps-based authentication key exchange protocol that attempts to provide mutual authentication and user anonymity, but we found faults in the key exchange phase and the password change phase of his scheme. We show that Li's scheme does not provide user anonymity and that the user's private information is disclosed, propose an enhanced three-party authentication key exchange protocol that provides user anonymity, analyse its security properties, and verify its validity with BAN logic and the AVISPA tool.
Citation: Pak K-S, Kim M-H, Pak S-H, Ho C-M (2022) Improved anonymity preserving three-party mutual authentication key exchange protocol based on chaotic maps. PLoS ONE 17(9): e0273664. https://doi.org/10.1371/journal.pone.0273664
Editor: Yanrong Lu, Civil Aviation University of China, CHINA
Received: September 24, 2021; Accepted: August 11, 2022; Published: September 16, 2022
Copyright: © 2022 Pak et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the manuscript and its Supporting information files.
Funding: The authors received no specific funding for this work.
Competing interests: The authors have declared that no competing interests exist.
1. Introduction
Authentication key exchange, by which communicating parties in a public network share a session key for encrypted communication, is one of the important issues in ensuring confidentiality in network security.
Researchers have done a lot of work on two-party authentication key exchange (2PAKE) schemes, in which only the two parties participate in the key exchange [1–5], and three-party authentication key exchange (3PAKE) schemes, in which a trusted third-party server participates in addition to the two communicating parties [6–43]. The main focus in authentication key exchange is to provide clear authentication and a secure key exchange between the participants. Key exchange is the process of setting up a session key to encrypt the messages exchanged between the participants; only the two parties may share the key, and its secrecy must be guaranteed. Typical cryptographic methods used for key exchange include secret-key encryption [26–43] and public-key encryption. Public-key methods include modular exponentiation-based schemes [6–13], elliptic curve cryptography-based schemes [14, 15, 30–33, 34], chaotic maps-based schemes [16–25] and bilinear pairing-based schemes [34, 36]. User authentication, the process of verifying whether a user is legitimate, is a key issue in authentication key exchange, and the choice of authentication factor is important. Authentication factors include knowledge-based factors (e.g., registered passwords), possession-based factors (e.g., smart cards) and inherence-based factors (biometrics such as fingerprints and irises) [33]. According to the number of factors, schemes are classified as single-factor authentication [6–13, 16, 20, 34], two-factor authentication [14, 15, 26, 29, 38–42, 44] or three-factor authentication [1, 3, 4, 24, 25, 28, 30, 32, 33, 37].
Recently, with the introduction of technologies such as peer-to-peer, cloud computing, wireless sensor network, and Internet of Things (IoT), researchers are further investigating 3PAKE.
1.1 Related work
Password-based authentication key exchange is the traditional approach, and many researchers have proposed password-based authentication key exchange schemes [6–13, 16, 20, 34]. However, several security weaknesses have been revealed in authentication key exchange schemes that rely only on passwords.
Tallapally [6] proposed a simple password-based 3PAKE protocol for wireless communication networks; however, Farash [7] revealed that Tallapally's scheme cannot detect online and offline password guessing attacks and improved it, but Farash's scheme was in turn found vulnerable to offline password guessing attacks by Lu [8]. Lu proposed an improved scheme, but it was still vulnerable to offline password guessing attacks [9].
Youn [10] proposed a 3PAKE protocol based on passwords and modular exponentiation. However, Heydari [11] pointed out that Youn's scheme is vulnerable to user impersonation attacks and proposed a modified 3PAKE protocol that overcomes the limitations of Youn's scheme. Heydari's scheme, however, does not provide user anonymity either, because the user's identity is disclosed in the key exchange phase. Lin et al. [12] proposed a verifier-based 3PAKE with low computation and communication cost based on passwords and modular exponentiation. However, Chiou [13] pointed out that Lin's scheme does not provide anonymity and untraceability and is not computationally efficient, and proposed a 3PAKE that provides anonymity and untraceability by encrypting messages with a long-term key. Since Chiou's scheme also performs the key exchange [45] with modular exponentiation, its computation is still not efficient.
Researchers have turned to Elliptic Curve Cryptography (ECC) [46] and Chebyshev Chaotic Maps (CCM) [47, 48], which are much more efficient than modular exponentiation. ECC is fast because it needs a much smaller key length than modular exponentiation for the same security level. Chebyshev chaotic maps need fewer public parameters than ECC, are simple to implement, and are convenient to apply in portable terminal environments.
Wu [14] proposed a key agreement scheme for mobile user roaming service in global mobility networks based on ECC. In his scheme user’s dynamic identity is updated in each session. However, Gupta [15] pointed out that Wu’s scheme fails to support untraceability and it has inefficient typo-detection.
Xie [16] proposed a 3PAKE protocol based on chaotic maps with user passwords. However, Lee [17] found that Xie's scheme is vulnerable to offline password guessing attacks and does not provide user anonymity, and proposed a password-free 3PAKE protocol that overcomes these shortcomings. In Lee's scheme, the user's private credential is generated by combining the server's secret key with the user's identifier and is used to authenticate that user. However, Xie [18] found that Lee's scheme is vulnerable to user impersonation attacks, and Jabbari [19] showed that Lee's scheme is vulnerable to impersonation attacks by internal users and does not provide anonymity.
Farash [20] proposed a 3PAKE based on Chebyshev chaotic maps with user passwords. In his scheme the user authentication verifier is generated by combining the server's secret with the user's identifier and password. However, Xie [21] and Li [22] found that Farash's scheme is vulnerable to user impersonation attacks and offline password guessing attacks. Xie proposed an updated chaotic maps-based scheme that overcomes the weaknesses of Farash's scheme. However, Lu [23] found that Xie's scheme still permits offline password guessing attacks and user impersonation attacks and does not provide user anonymity. Lu's scheme encrypts messages with a secret key derived from the server's chaotic maps-based public key to provide anonymity, but it has defects in its protocol design [24].
To overcome the weaknesses of password-only user authentication, researchers proposed 3PAKE protocols that combine smart cards and biometrics with the user's password.
In 2014, Xue [26] analysed the scheme of Li [27], which proposed a dynamic identifier-based 3PAKE for a multi-server environment, and demonstrated that it is vulnerable to denial-of-service, internal, smart card, eavesdropping and masquerade attacks. Xue also proposed an authentication key exchange scheme between a client and a service provider based on pseudo-dynamic user identities using smart cards and user passwords in a multi-server environment. However, Gupta [28] found that Xue's scheme is vulnerable to known password attacks, stolen smart card attacks and user impersonation attacks. In addition, Amin [29] pointed out that Xue's scheme does not provide anonymity, is vulnerable to offline password guessing attacks, privileged insider attacks, session key disclosure attacks and user impersonation attacks, and has defects in the authentication phase. Gupta proposed a hash function-based 3PAKE for a multi-service environment with user passwords and smart cards, but Tomar [30] demonstrated that it is vulnerable to DoS attacks, stolen smart card attacks and user impersonation attacks and does not provide perfect forward secrecy.
Challa [32] proposed a signature-based 3PAKE for the IoT with passwords, smart cards and biometrics. However, Jia [33] pointed out that Challa's scheme does not provide anonymity and untraceability and is vulnerable to user impersonation attacks, stolen smart card attacks, offline password guessing attacks and attacks on the password change phase. Jia updated Challa's scheme into a signature-based 3PAKE protocol that provides anonymity, using XOR operations and an elliptic curve-based signature. Jia [34] also proposed a bilinear pairing-based 3PAKE scheme for fog-driven IoT; Ma [35] pointed out that it is computationally expensive because of the bilinear pairing and proposed a scheme without it. Reddicherla [36] likewise proposed a bilinear pairing-based authentication key exchange scheme for heterogeneous networks, which is also inefficient because of its high computational cost.
Researchers have also proposed key exchange schemes that use only secret-key encryption, without public-key encryption, to realise 3PAKE in portable terminal environments with narrow bandwidth and limited storage, such as wireless networks or the IoT. Key exchange based on secret-key encryption is much more advantageous in terms of computational cost because it avoids expensive public-key operations.
Chuang [37] proposed a 3PAKE scheme that provides anonymity with passwords, smart cards and biometrics in a multi-service environment, without using public-key encryption in the protocol design. However, Amin [29] found Chuang's scheme to be vulnerable to user impersonation attacks and session key disclosure attacks. Amin analysed the weaknesses of the schemes proposed by Xue [26] and Chuang [37] and proposed an improved lightweight authentication scheme that provides anonymity using smart cards and passwords without public-key encryption.
In 2018, Wei [38] also proposed a 3PAKE protocol that provides anonymity without public-key cryptography to reduce computational cost. In 2019, Yang [39] proposed a lightweight 3PAKE protocol that provides perfect forward security using only XOR and hash functions in a WSN environment.
1.2 Motivation and our contribution
Authentication schemes with a password, a smart card and a biometric are effective in systems that require a high level of security. However, most schemes using smart cards are vulnerable to stolen smart card attacks [26, 28, 32], and most schemes are vulnerable to some known attack.
It remains a challenge to design protocols that are secure against various attacks in various environments while providing anonymity and untraceability. Many schemes attempted to provide anonymity and untraceability but failed [12, 14, 17, 20, 23, 32, 43].
Recently, in 2018, Li [22] proposed a chaotic maps-based 3PAKE that provides anonymity with passwords and smart cards. In his scheme, each user shares with the server a credential derived from the user's identity, the user's password and the server's secret, and chaotic maps are used to exchange the session key. He also used modular squaring and square root operations based on the Chinese Remainder Theorem to encrypt messages for anonymity and untraceability. However, his protocol has drawbacks.
We analyse the weaknesses of Li's scheme and demonstrate that the user's authentication verifier is disclosed to an insider attacker, that anonymity therefore fails, and that a blocking attack in the password change phase leaves the password change incomplete. We design an enhanced 3PAKE protocol that overcomes these security weaknesses of Li's scheme and resists various attacks. In this paper we propose strong mutual authentication between the server and the users to defeat insider attacks, and a re-registration phase that allows users to re-register without changing their identifier. We then analyse the security properties of our scheme, verify its validity using BAN logic [49] and the AVISPA tool [50], and present a comparative analysis with previous work.
2. Preliminaries
This section describes Chebyshev chaotic maps and Bio-hashing functions.
2.1 Chebyshev polynomials
Chebyshev polynomial Tn(α) is defined as follows [47].
Chebyshev polynomials satisfy the following recursive relationship [47].
2.2 The property of Chebyshev polynomials
Chebyshev polynomials have the following two properties [47, 48].
Chaotic property: When n>1, Chebyshev polynomial map Tn(α):[-1,1]→[-1,1] of degree n is a chaotic map with its invariant density , for positive Lyapunov exponent ln(n) > 0.
Semi-group property: For u, v ∈N and any α∈ [-1,1], Tu (Tv(α)) = Tuv(α) = Tv(Tu(α)).
2.3 Enhanced Chebyshev polynomials
The semi-group property holds for Chebyshev polynomials on the interval (-∞, +∞), which can enhance the property as follows [48]:
2.4 Computational problems based on Chebyshev polynomials
CDLP (Chaotic maps-based Discrete Logarithm problem): For given two real numbers α and β, it is infeasible to find the integer n by any polynomial time bounded algorithm, where β = Tn(α) mod p [48].
CDHP (Chaotic maps-based Diffie-Hellman problem): For given three elements α, Tm(α) mod p and Tn(α) mod p, it is infeasible to compute the value Tmn(α) mod p by any polynomial time bounded algorithm [48].
2.5 Bio-hashing and Fuzzy Extractor function
Biometrics have an advantage over traditional user identification methods because they are inherent attributes that cannot easily be shared and every person's biometric attributes are unique [51]. In general, captured biometric characteristics (face, fingerprint, palm print, etc.) are not exactly the same at each capture, since they vary with the environment. To solve this problem, Lumini et al. [52] proposed and refined Bio-hashing, which maps a user's biometric features to a user-specific random vector. Recently many researchers [3, 24] have proposed authentication key exchange schemes based on Bio-hashing.
Dodis et al. [53] proposed the Fuzzy Extractor, which consists of two functions (Gen, Rep). Gen takes a biometric input B and outputs a nearly random binary string R and an auxiliary (helper) binary string P. Rep recovers R from the helper string P and a fresh biometric reading B*: if dist(B, B*) ≤ t and Gen(B) → ⟨R, P⟩, then Rep(B*, P) = R. Fuzzy Extractors are also used in many authentication schemes [1, 3, 4, 30, 32, 33].
2.6 Adversary model
For the security analysis of authentication protocols, several adversary models have been proposed, such as Dolev-Yao adversary model [54], side-channel technology [55], password guessing attack [56], and insider attacker model [4, 33].
The Dolev-Yao model defines the capabilities of an attacker on the public channel; side-channel techniques enable an attacker to extract the data stored in a smart card by reverse engineering and power analysis [57, 58]; a password guessing attack enables an attacker to guess a password from password-related information on the premise that the password has low entropy; and an insider attacker is a legitimate user of the system who performs malicious actions.
In this subsection, the adversary model for security analysis of the previous work and the proposed scheme is described as follows.
1. An adversary can eavesdrop, modify, remove, block, and retransmit all messages sent on the public channel [54] and cannot access messages sent on the secure channel.
2. An adversary can extract all stored data from a lost or stolen smart card based on side channel technology [55, 57, 58].
3. An attacker can guess the user's identity or password from information obtained from a smart card or the public channel, since both are drawn from low-entropy spaces [56].
4. An adversary can be a legitimate but malicious user or server in the system [4, 33].
3. Review of Li et al.’s scheme
This section shows that the scheme proposed by Li et al. [22] has some deficiencies. Li designed a three-party password-based authentication key exchange protocol based on chaotic maps that aims to provide user anonymity. In his scheme, information related to the user's password is registered at the server, and modular squaring and square-root extraction based on the Chinese Remainder Theorem are used for user anonymity. However, the scheme has faults in the session key exchange phase and the password change phase. Below is a brief description of Li et al.'s scheme and its deficiencies.
3.1 Li et al.’s scheme
Notations used in his paper.
Table 1 shows some notations used to describe Li et al.’s schemes.
[Figure omitted. See PDF.]
System initialization.
The server selects one private key k and two secret large primes (u, v), and publishes {p, α, h(·), N}, where N = uv.
Registration.
1. Step 1: The user submits {Ui, h(rmi, PWi)} to S, where rmi ∈ [1, p+1] is a random number and PWi = Tpwi(α) mod p.
2. Step 2: Upon receiving the message from the user, S computes VPi = h (Ui, k) + h(rmi, PWi) mod p and stores (Ui, VPi) in its database.
3. Step 3: The user stores rmi into his end-user device.
Authentication and key exchange.
Step 1. User A chooses a random number rA ∈ [1, p + 1] and computes RA = TrA(α) mod p, PWA = TpwA(α) mod p and h(rmA, PWA), where rmA is retrieved from his end-user device. Then A sends M1 = SQR(UA, UB, h(rmA, PWA), RA) mod N to S.
Step 2. Upon receiving M1 from A, S obtains (UA, UB, h(rmA, PWA)*, RA) = SQRT(M1) by using the Chinese Remainder Theorem with u and v. Next, S retrieves the stored VPA = h(UA, k) + h(rmA, PWA) corresponding to UA. If VPA − h(UA, k) = h(rmA, PWA)*, S continues with the next step: it chooses two random numbers rS1, rS2 ∈ [1, p + 1] and computes RS1 = TrS1(α) − h(rmA, PWA) mod p, RS2 = TrS2(α) − h(rmB, PWB) mod p and μA = UA ⊕ TrS2(α) mod p, where h(rmB, PWB) = VPB − h(UB, k) is B's verifier recovered from the stored VPB. Then S sends M2 = {μA, RA, RS2} to B.
Step 3. Upon receiving M2 from S, B computes PWB = TpwB(α) mod p, h(rmB, PWB), TrS2(α) = RS2 + h(rmB, PWB) mod p and UA = μA ⊕ TrS2(α). Then B chooses a random number rB ∈ [1, p + 1] and computes RB = TrB(α) mod p, KBS = TrB(TrS2(α)) mod p = TrBrS2(α) mod p, KBA = TrB(RA) mod p = TrBrA(α) mod p, VBA = h(0, UB, UA, RB, RA, KBA) and VBS = h(0, UB, UA, RB, RS2, VBA, KBS). Then B sends M3 = SQR(UB, UA, RB, VBS, VBA) mod N to S.
Step 4. Upon receiving M3 from B, S obtains (UB, UA, RB, VBS*, VBA) = SQRT(M3). S computes KSB = TrS2(RB) = TrBrS2(α) mod p and VBS = h(0, UB, UA, RB, RS2, VBA, KSB). If VBS* = VBS, B is authenticated by S; S then computes KSA = TrS1(RA) = TrS1rA(α) mod p and VSA = h(0, UA, UB, RS1, RA, RB, VBA, KSA) and sends M4 = {RS1, RB, VBA, VSA} to A.
Step 5. Upon receiving M4 from S, A computes KAS = TrA(RS1 + h(rmA, PWA)) = TrArS1(α) mod p and VSA = h(0, UA, UB, RS1, RA, RB, VBA, KAS). If VSA equals the received VSA*, S is authenticated by A. Next, A computes KAB = TrA(RB) mod p = TrArB(α) mod p and VBA = h(0, UB, UA, RB, RA, KAB). If VBA equals the received VBA*, B is authenticated by A. A then computes VAB = h(1, UA, UB, RA, RB, KAB) and VAS = h(1, UA, UB, RA, RS1, VAB, KAS) and sends M5 = {VAS, VAB} to S.
Step 6. After receiving M5 from A, S verifies that the computed h(1, UA, UB, RA, RS1, VAB, KSA) equals the received VAS. If it holds, A is authenticated by S. S then computes VSB = h(1, UA, UB, RA, RB, VAB, KSB) and sends M6 = {VAB, VSB} to B.
Step 7. After receiving M6 from S, B verifies that the computed h(1, UA, UB, RA, RB, VAB, KBS) and h(1, UA, UB, RA, RB, KBA) equal the received VSB and VAB. If both hold, A and S are authenticated by B. Finally, A computes the session key SKAB = h(2, UA, UB, RA, RB, KAB) and B computes the session key SKBA = h(2, UA, UB, RA, RB, KBA); the two are equal because KAB = KBA = TrArB(α) mod p.
Password change phase.
Step 1. User A chooses a random number rA ∈ [1, p + 1] and computes RA = TrA(α) mod p, PWA = TpwA(α) mod p and h(rmA, PWA). Then A sends C1 = SQR(UA, h(rmA, PWA), RA) mod N to S.
Step 2. Upon receiving C1 from A, S obtains (UA, h(rmA, PWA)*, RA) = SQRT(C1) by using the Chinese Remainder Theorem with u and v. Next, S checks the received h(rmA, PWA)* against the stored VPA = h(UA, k) + h(rmA, PWA) mod p corresponding to UA. If VPA − h(UA, k) = h(rmA, PWA)*, S accepts A's request C1, chooses a random number rS ∈ [1, p + 1] and computes RS = TrS(α) − h(rmA, PWA) mod p, KSA = TrS(RA) = TrSrA(α) mod p and VSA = h(0, UA, RS, RA, KSA). Then S sends C2 = {RS, VSA} to A.
Step 3. Upon receiving C2 from S, A computes KAS = TrA(RS + h(rmA, PWA)) = TrSrA(α) mod p and verifies that the computed VSA = h(0, UA, RS, RA, KAS) equals the received VSA*. If it holds, S is authenticated by A. Next, A selects a new password pwA* and a new random number rmA* and computes VAS = h(1, UA, RA, RS, KAS), PWA* = TpwA*(α) mod p and h(rmA*, PWA*). Then A sends C3 = SQR(VAS, UA, h(rmA*, PWA*)) mod N to S.
Step 4. Upon receiving C3 from A, S verifies that the computed VAS = h(1, UA, RA, RS, KSA) equals the received VAS*. If it holds, S accepts A's password change request, computes R1 = h(1, UA, h(rmA*, PWA*), KSA) and VPA* = h(UA, k) + h(rmA*, PWA*) mod p, replaces VPA with VPA* and sends C4 = {Accept, R1} to A. Otherwise, S rejects the request, computes R2 = h(0, UA, h(rmA*, PWA*), KSA) and sends C5 = {Reject, R2} to A. If the message is C4, A verifies that the computed R1 = h(1, UA, h(rmA*, PWA*), KAS) equals the received R1*; if it holds, A confirms pwA* as the new password and replaces rmA with rmA* in his end-user device, otherwise A returns to Step 1 and repeats the process. If the message is C5, A returns to Step 1 with another new password.
3.2 Faults of Li et al.’s scheme
Many attack models [54–58] have been proposed, and cryptographic protocols [25, 33, 34, 38, 59, 60] have been analysed against them. We analyse Li et al.'s scheme under the adversary model of Section 2.6. Under that model, the adversary can eavesdrop on and block all messages sent on the public channel and can be a legitimate user of the system; in this paper we call such an adversary an insider adversary.
Verifier disclosure attacks.
Li et al.'s scheme has the fault that a user's authentication verifier is disclosed to an insider adversary in the authentication and key exchange phase. In the scheme, h(rmi, PWi) is the user's authentication verifier, where rmi is stored in the user's end device, PWi = Tpwi(α) mod p and pwi is the user's password. As shown below, h(rmi, PWi) is disclosed to the insider adversary.
The details of verifier disclosure attack in his scheme are described as follows.
Step 1. In order to exchange a session key with a legal user A, an inside adversary C chooses a random number rC ∈ [1, p + 1] and computes RC = TrC(α) mod p, PWC = TpwC(α) mod p and h(rmC, PWC), where rmC is retrieved from his end-user device. Then C sends M1 = SQR (UC, UA, h(rmC, PWC), RC) mod N to S.
Step 2. Upon receiving M1 from C, S obtains (UC, UA, h(rmC, PWC)*, RC) = SQRT(M1). Next, S retrieves the stored VPC = h(UC, k) + h(rmC, PWC) corresponding to UC. If VPC − h(UC, k) = h(rmC, PWC)*, S continues: it chooses two random numbers rS1, rS2 ∈ [1, p + 1] and computes RS1 = TrS1(α) − h(rmC, PWC) mod p, RS2 = TrS2(α) − h(rmA, PWA) mod p and μC = UC ⊕ TrS2(α) mod p. Then S sends M2 = {μC, RC, RS2} to A.
Step 3. C intercepts M2 = {μC*, RC*, RS2*} and computes as follows:
UC ⊕ μC* = UC ⊕ UC ⊕ TrS2(α) = TrS2(α). (UC is C's own identifier, so C knows it; by checking that RC* in M2 equals the RC it sent, C can verify that M2 is the server's response to its M1.)
Since RS2* = TrS2(α) − h(rmA, PWA) mod p, C then computes h(rmA, PWA) = TrS2(α) − RS2* mod p.
As a result, C obtains A's authentication verifier h(rmA, PWA).
In this way, C can obtain the authentication verifiers of all legal users.
To obtain the authentication verifier of a user A, an insider adversary only needs to generate, according to the protocol, a message M1 requesting a session key exchange with A, send it to the server, intercept the server's message M2, and compute as shown above.
User impersonate attacks.
As shown above, an insider adversary C can obtain the authentication verifier of any legal user through the verifier disclosure attack, so he can impersonate any legal user.
If an insider adversary C wants to impersonate a legal user A and communicate with B, he first obtains A's authentication verifier VA = h(rmA, PWA) through the verifier disclosure attack, before the authentication and key exchange phase.
In the authentication and key exchange phase, C proceeds as follows.
Step 1. C chooses a random number rC ∈ [1, p + 1] and computes RC = TrC(α) mod p. Using A's authentication verifier VA = h(rmA, PWA), he constructs the message M1 = SQR(UA, UB, h(rmA, PWA), RC) mod N and sends it to S in A's name.
Steps 2, 3 and 4 proceed according to the protocol: B computes KBA* = TrB(RC) mod p = TrBrC(α) mod p and VBA* = h(0, UB, UA, RB, RC, KBA*), and S computes KSA* = TrS1(RC) = TrS1rC(α) mod p and VSA* = h(0, UA, UB, RS1, RC, RB, VBA*, KSA*).
Step 5. C intercepts M4 sent from S to A and computes KAS* = TrC(RS1 + h(rmA, PWA)) = TrCrS1(α) mod p, KAB* = TrC(RB) mod p = TrCrB(α) mod p, VAB* = h(1, UA, UB, RC, RB, KAB*) and VAS* = h(1, UA, UB, RC, RS1, VAB*, KAS*). Then C sends M5 = {VAS*, VAB*} to S.
Steps 6 and 7 proceed according to the protocol: B computes SKBA* = h(2, UA, UB, RC, RB, KBA*) and C computes the session key SKAB* = h(2, UA, UB, RC, RB, KAB*), which are equal.
As a result, C successfully impersonates user A.
Failure of user anonymity.
An insider adversary C can obtain the authentication verifiers of all legal users through the verifier disclosure attack shown above; that is, C knows the authentication verifier Vi of every user Ui. When a legal user A exchanges a session key with a legal user B, C intercepts the message M2 = {μA, RA, RS2} that S sends to B, where μA = UA ⊕ TrS2(α) and RS2 = TrS2(α) − h(rmB, PWB) mod p. For each authentication verifier Vi of a user Ui, C computes TrS2(α)* = RS2 + Vi mod p and UA* = μA ⊕ TrS2(α)*, and repeats this until UA* equals the identifier of a registered user.
If UA* equals a registered identifier, C knows that the identifier of the user who initiated the current session is UA*, and that the responder is the user Ui whose verifier Vi produced the match.
As a result, C learns user A's identifier UA.
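The Chebyshev map arithmetic of Section 2 and the two insider attacks just described (verifier disclosure and the failure of anonymity), as an added example that is not the paper's or Li et al.'s own code. The prime P, the seed α, the server key k, the integer identifiers and the instantiation of h() as SHA-256 reduced mod P are all assumed toy choices made for the demonstration; a real deployment needs a cryptographic-size prime and the Rabin-style SQR/SQRT wrapping of M1, which is omitted here because the attack only needs M2.

```python
# Added example (not from the paper): Chebyshev chaotic maps over Z_p
# (Sections 2.1 to 2.4) and the insider verifier-disclosure and
# de-anonymisation attacks on Li et al.'s scheme (Section 3.2).
# Assumptions: toy prime P, seed ALPHA, server key K, integer identifiers,
# and h() instantiated as SHA-256 reduced mod P. None of this is secure as is.
import hashlib
import random

P = 1_000_003        # assumed small prime, chosen for speed only
ALPHA = 7            # assumed public seed alpha
K = 424242           # assumed server private key k


def _mul(a, b, p):
    """Product of two 2x2 matrices mod p."""
    return [[(a[i][0] * b[0][j] + a[i][1] * b[1][j]) % p for j in range(2)]
            for i in range(2)]


def chebyshev(n, x, p=P):
    """T_n(x) mod p from the recurrence T_n = 2x*T_{n-1} - T_{n-2}, T_0 = 1,
    T_1 = x, by squaring the companion matrix [[2x, -1], [1, 0]] so that a
    cryptographic-size degree n costs O(log n) matrix multiplications."""
    x %= p
    if n == 0:
        return 1
    mat, acc, e = [[2 * x % p, p - 1], [1, 0]], [[1, 0], [0, 1]], n - 1
    while e:
        if e & 1:
            acc = _mul(acc, mat, p)
        mat = _mul(mat, mat, p)
        e >>= 1
    return (acc[0][0] * x + acc[0][1]) % p       # [T_n, T_{n-1}] = M^(n-1) [T_1, T_0]


def semigroup_holds(u, v, x, p=P):
    """Sections 2.2/2.3: T_u(T_v(x)) = T_uv(x) = T_v(T_u(x)), also mod p."""
    both = chebyshev(u * v, x, p)
    return chebyshev(u, chebyshev(v, x, p), p) == both == chebyshev(v, chebyshev(u, x, p), p)


def h(*parts):
    """Assumed instantiation of h(): SHA-256 over the joined inputs, mod P."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % P


def register(db, uid, pw, rm):
    """Li et al. registration: server stores VP_i = h(U_i, k) + h(rm_i, PW_i) mod p."""
    verifier = h(rm, chebyshev(pw, ALPHA))       # h(rm_i, PW_i) with PW_i = T_pw_i(alpha)
    db[uid] = (h(uid, K) + verifier) % P
    return verifier


def server_step2(db, m1, rng):
    """Li et al. Step 2: verify the initiator, build M2 = {mu, R_init, R_S2} for the responder."""
    u_init, u_resp, v_star, r_init = m1
    if (db[u_init] - h(u_init, K)) % P != v_star:
        return None                                # verifier mismatch: abort
    v_resp = (db[u_resp] - h(u_resp, K)) % P       # responder's verifier from VP_resp
    t_s2 = chebyshev(rng.randrange(1, P + 1), ALPHA)
    return (u_init ^ t_s2, r_init, (t_s2 - v_resp) % P)


def insider_recover_verifier(m2, u_insider):
    """Verifier disclosure: mu XOR U_C = T_rS2(alpha); V_target = T_rS2(alpha) - R_S2 mod p."""
    mu, _r_init, r_s2 = m2
    return ((mu ^ u_insider) - r_s2) % P


def deanonymise(m2, verifiers):
    """Anonymity failure: try every stolen V_i as the responder's verifier;
    mu XOR (R_S2 + V_i) landing on a registered identifier reveals both parties."""
    mu, _r_init, r_s2 = m2
    for u_resp, v_i in verifiers.items():
        u_init = mu ^ ((r_s2 + v_i) % P)
        if u_init in verifiers:
            return u_init, u_resp
    return None


def demo(seed=2022):
    """Insider 1003 steals every verifier, then names both parties of a 1001->1002 run."""
    rng = random.Random(seed)                      # seeded only for reproducibility
    db = {}
    users = {1001: (31337, 555), 1002: (24680, 777), 1003: (13579, 999)}  # U_i: (pw_i, rm_i)
    true_v = {u: register(db, u, pw, rm) for u, (pw, rm) in users.items()}

    def steal(target):                             # one abandoned run per victim
        m1 = (1003, target, true_v[1003], chebyshev(rng.randrange(1, P + 1), ALPHA))
        return insider_recover_verifier(server_step2(db, m1, rng), 1003)

    stolen = {u: steal(u) for u in users}
    m1_ab = (1001, 1002, true_v[1001], chebyshev(rng.randrange(1, P + 1), ALPHA))
    parties = deanonymise(server_step2(db, m1_ab, rng), stolen)
    return stolen == true_v, parties
```

The insider never needs to finish a run: one M1 per victim, and the server's own M2 hands over TrS2(α) masked only by the insider's identifier. With every verifier in hand, the loop in deanonymise is a dictionary lookup per candidate, so de-anonymising a session costs as many XORs as there are registered users.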
Weaknesses of password change phase.
In Li et al.'s scheme, information related to the user's password is registered with the remote server, and users can change their password in the password change phase. In the registration phase the server stores VPi = h(Ui, k) + h(rmi, PWi) for user Ui (where h(rmi, PWi) is the user's authentication verifier), and this is replaced with VP*i = h(Ui, k) + h(rm*i, PW*i) in the password change phase. However, an attacker can block the message C3 (the user's request) or C4 or C5 (the server's response) in Step 4 of the password change phase, so that the user cannot know whether the password was successfully changed. Whichever way the client is designed, the attacker can desynchronise it from the server: if the client commits the new password only after the server's response, the attacker blocks C4, so the server has replaced VPA while the client still holds the old verifier; if the client commits the new password before the server's response, the attacker blocks C3, so the client has changed while the server has not. In either case the user's authentication verifier differs from the one stored at the server, and the user can no longer log in.
4. Proposed scheme
This section describes an enhanced 3PAKE protocol using smart card that overcomes the limitations of the Li et al.’s scheme. The proposed scheme has five phases: system initialization phase, registration phase, authentication and session key exchange phase, password change phase, and renew registration phase. Table 2 shows some notations used to describe the proposed schemes.
[Figure omitted. See PDF.]
4.1 System initialization phase
1. S selects a large prime number p, α ∈ Zp, a one-way hash function H(·) and a symmetric encryption/decryption pair EK(·)/DK(·).
2. S selects his secret key ks ∈ [1, p+1] and computes the public key Ps = Tks(α) mod p.
S publishes {p, α, Ps, Tn(·), H(·), EK(·), DK(·)} as the system parameters; ks is kept secret.
4.2 User registration phase
Fig 1 shows user registration process.
[Figure omitted. See PDF.]
User A sends his identifier UA to S via a secure channel. S looks up UA in the user registration table to check whether A has already been registered. If UA is not present, S chooses a random number Na, computes XA = H(UA||Na||ks), stores {p, α, Ps, XA, Tn(·), H(·), EK(·), DK(·)} in the smart card SCA and delivers it to A via a secure channel. S stores the tuple {UA, Na} in its user registration table.
On receiving SCA from S, user A inputs his password pwA and biometric bmA. SCA computes GA = H(UA||pwA||h(bmA)) ⊕ XA and FA = H(UA||pwA||h(bmA)||XA), and stores {p, α, Ps, GA, FA, Tn(·), H(·), EK(·), DK(·)} in its memory, so that XA itself is no longer stored on the card.
4.3 Authentication and session key exchange phase
Fig 2 shows the authentication and session key exchange steps of the proposed scheme.
[Figure omitted. See PDF.]
Step 1. User A connects his smart card SCA to the user end-device and inputs his identifier UA, password pwA and biometrics bmA. SCA computes
If FA ≠ FA*, SCA aborts the process. Otherwise SCA selects any a∈ [1, p+1] and computes
A sends M1 = {MAS, TA} to S.
Step 2. After receiving M1 = {MAS, TA} from A, S computes
S checks whether VA and VA* are equal. If VA ≠ VA*, S aborts the process. Otherwise S chooses a random number NS ∈ [1, p+1] and computes VSA = H(NS||UA||UB||TA||XA).
S sends M2 = {VSA, NS} to A.
Step 3. After receiving M2 = {VSA*, NS*} from S, A computes VSA = H(NS*||UA||UB|| TA||XA).
A checks whether VSA and VSA* are equal. If VSA ≠ VSA*, A aborts the process. Otherwise A computes VAS = H(UA||UB||TA||NS||XA) and sends M3 = {VAS, NS} to B.
Step 4. After receiving M3 = {VAS*, NS*} from A, B connects his smart card SCB to the user end-device and inputs his identifier UB, password pwB and biometrics bmB. SCB computes
If FB ≠ FB*, SCB aborts the process. Otherwise SCB computes
B sends M4 = {MBS, TB, VAS} to S.
Step 5. After receiving M4 = {MBS, TB*, VAS*} from B, S computes
If VB ≠ VB* or VAS ≠ VAS *, S aborts the process. Otherwise S authenticates A and B, and chooses a random number RS, then computes
S sends M5 = {MSB, MSA} to B.
Step 6. After receiving M5 = {MSB, MSA} from S, B computes
If VSB ≠ VSB*, B aborts the process. Otherwise B authenticates S and A, and then computes
B sends M6 = {VBA, MSA} to A.
Step 7. After receiving M6 = {VBA*, MSA} from B, A computes
If VSAB ≠ VSAB* or VBA ≠ VBA*, A aborts the process. Otherwise A authenticates B and S. A sets KAB as a session key. Then A computes VAB = H(UB*|| UA|| TB*|| TA||RS*||KAB)
A sends M7 = {VAB} to B.
Step 8. After receiving M7 = {VAB*} from A, B computes
If VAB≠ VAB*, B aborts the process. Otherwise B authenticates A and sets KBA as a session key.
4.4 Password change phase
User A connects his smart card SCA to the user end-device and inputs his identifier UA, password pwA and biometrics bmA. SCA computes XA* = GA ⊕ H(UA||pwA||h(bmA)) and FA* = H(UA||pwA||h(bmA)||XA*), and checks whether FA and FA* are the same. If FA ≠ FA*, SCA aborts the process. Otherwise SCA asks the user to input a new password npwA. SCA computes GAnew = H(UA||npwA||h(bmA)) ⊕ XA and FAnew = H(UA||npwA||h(bmA)||XA) and replaces <GA, FA> in its memory with <GAnew, FAnew>.
4.5 Re-registration phase
When a user registered with the server has lost his smart card or had it stolen, he needs to re-register with the server. However, some schemes [19, 22, 23] have no re-registration phase, or cannot re-register a user without changing his identifier, because the user's secret is derived only from the user's identifier and the server's secret.
In the proposed scheme, because the user's secret XA is derived from the user's identifier, a random number and the server's secret, a user can re-register with the remote server without changing his identifier. To re-register, he only sends his identifier to the server and then registers by following the registration phase of the proposed scheme.
User A sends his identifier UA to S via a secure channel. S looks up UA in the user registration table to check whether user A has already been registered. If UA exists in the table, S chooses a random number Nanew, computes XAnew = H(UA||Nanew||ks), stores {p, α, Ps, XAnew, Tn(∙), H(∙), EK(∙), DK(∙)} in SCA and delivers it to user A via a secure channel. S stores the tuple {UA, Nanew} in its user registration table.
On receiving SCA from S, user A inputs his password pwA and biometrics bmA. SCA computes GA = H(UA||pwA||h(bmA)) ⊕ XAnew and FA = H(UA||pwA||h(bmA)||XAnew) and stores {p, α, Ps, GXA, GKA, FA, Tn(∙), H(∙), EK(∙), DK(∙)} in its memory.
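The smart-card side of the password change and re-registration phases, as an added example that is not the paper's own code: it follows the card through personalisation, the FA check that gates every use of the card, a password change that leaves XA untouched, and a re-registration that rotates XA under the same identifier. Constructed assumptions not in the paper: SHA-256 for both H(·) and h(·), a 16-byte random Na, and a Python dict standing in for the card's memory; a real card would first pass the biometric through BioHashing or a fuzzy extractor so that h(bmA) is stable.

```python
# Added example (not from the paper): smart-card state across password change
# and re-registration. Constructed stand-ins: SHA-256 for H and h, 16-byte N_A.
import hashlib, secrets

def H(*parts):   # H(x1||x2||...) with length-prefixed concatenation
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

def h(bm):       # biometric hash h(bm); assumes bm is already a stable template
    return hashlib.sha256(b"bio|" + bm).digest()

def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

class Server:
    """Server side: secret k_s and the user registration table {U: N}."""
    def __init__(self):
        self.ks = secrets.token_bytes(32)
        self.table = {}
    def issue_card(self, U):
        """Registration and re-registration alike: fresh N, X = H(U||N||ks), table keeps only {U, N}."""
        N = secrets.token_bytes(16)
        self.table[U] = N
        return {"U": U, "X": H(U, N, self.ks)}      # card before the user personalises it

def personalise(card, pw, bm):
    """User side of (re-)registration: mask X with the three factors; the card keeps only G and F."""
    PR = H(card["U"], pw, h(bm))
    return {"U": card["U"], "G": xor(PR, card["X"]), "F": H(card["U"], pw, h(bm), card["X"])}

def login(card, pw, bm):
    """Check done at Step 1 and at password change: X* = G xor H(U||pw||h(bm)), compare F*."""
    PR = H(card["U"], pw, h(bm))
    X = xor(card["G"], PR)
    if H(card["U"], pw, h(bm), X) != card["F"]:
        return None                                  # F_A != F_A*: the card aborts
    return X

def change_password(card, pw, bm, npw):
    """Password change phase: re-mask the same X under the new password."""
    X = login(card, pw, bm)
    if X is None:
        raise ValueError("smart-card check failed, aborting")
    card["G"] = xor(H(card["U"], npw, h(bm)), X)
    card["F"] = H(card["U"], npw, h(bm), X)
    return card

def demo():
    """Walk through both phases and report which properties held (all should be True)."""
    s = Server()
    U, pw, bm = b"alice", b"correct horse", b"fingerprint-template-bytes"   # constructed values
    card = personalise(s.issue_card(U), pw, bm)
    X1 = login(card, pw, bm)
    change_password(card, pw, bm, b"new passphrase")
    result = {
        "old_pw_rejected": login(card, pw, bm) is None,
        "same_X_after_change": login(card, b"new passphrase", bm) == X1,
        "wrong_bm_rejected": login(card, b"new passphrase", b"other template") is None,
    }
    card2 = personalise(s.issue_card(U), pw, bm)    # lost card: re-register, same identifier
    X2 = login(card2, pw, bm)
    result["same_U_after_reregistration"] = card2["U"] == U and U in s.table
    result["X_rotated"] = X1 is not None and X2 is not None and X1 != X2
    return result
```

The `wrong_bm_rejected` entry is the point of the off-line guessing argument later in the paper: with the card and UA alone, a candidate password cannot be checked without h(bmA), because the FA comparison consumes all three factors. Note also what the server keeps: only {U, N}, never X or the password, which is what makes the table a poor target.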
5. Security analysis of the proposed scheme
In this section, we present an informal analysis and formal verification of the proposed scheme.
For the formal analysis, we first use BAN logic [49] to verify the mutual authentication property and the validity of the established session key, and then use the AVISPA (Automated Validation of Internet Security Protocols and Applications) toolkit [50] to verify that the proposed scheme resists passive and active attacks, including man-in-the-middle and replay attacks.
Last, through an informal security analysis, we show that the proposed scheme resists various kinds of attacks and provides various security properties.
5.1 Authentication proof based on BAN logic
Notations and rules.
Table 3 shows some notations and rules defined in BAN logic [49].
[Figure omitted. See PDF.]
Goals.
We establish the following goals to prove that our scheme provides strong mutual authentication and that the established session key is secure.
1. Goal1:S|≡A|≡UA
2. Goal2:S|≡B|≡UB
3. Goal3:A|≡S|≡RS
4. Goal4:B|≡S|≡RS
5. Goal5:A|≡B|≡UB
6. Goal6:B|≡UA
7.
8.
9.
10.
Idealize.
We idealize the messages of the proposed scheme as follows:
1.
2.
3.
4.
5.
6.
7. M6:B → A:VBA = H(UA‖UB‖TA‖TB‖RS‖KAB)
8. M7:A → B:VAB = H(UB‖UA‖TB‖TA‖RS‖KAB)
Assumptions.
The initial assumptions of the proposed scheme are as follows:
1. AA1: A|≡a
2. AA2: A|≡#(a)
3. AA3: A|≡KAS
4.
5. AA5: A|≡UA
6. AA6: A|≡UB
7. AA7: A|≡S|⇒TB
8. AA8: A|≡S|⇒RS
9. AB1: B|≡b
10. AB2: B|≡#(b)
11. AB3: B|≡KBS
12.
13. AB5: B|≡UB
14. AB6: B|≡S|⇒TA
15. AB7: B|≡S|⇒RS
16. AS1: S|≡NS
17. AS2: S|≡#(NS)
18.
19.
Analysis.
From MAS and AS3, applying the message-meaning rule (R1) and the hash-function rule (R8), we obtain:
From M2 and AA4, applying the message-meaning rule (R1) and the hash-function rule (R8), we obtain:
From M2, the freshness rule (R4) and AA2, we obtain:
From S2 and S3, applying the nonce-verification rule (R2) and the belief rule (R5), we obtain:
From M3, AS3 and S1, applying the message-meaning rule (R1) and the hash-function rule (R8), we obtain:
From M3, the freshness rule (R4) and AS2, we obtain:
From S5 and S6, applying the nonce-verification rule (R2) and the belief rule (R5), we obtain:
From MBS and AS4, applying the message-meaning rule (R1) and the hash-function rule (R8), we obtain:
From MBS, the freshness rule (R4) and AS2, we obtain:
From S8 and S9, applying the nonce-verification rule (R2) and the belief rule (R5), we obtain:
From MSB and AB4, applying the message-meaning rule (R1) and the hash-function rule (R8), we obtain:
From MSB, the freshness rule (R4) and AB2, we obtain:
From S11 and S12, applying the nonce-verification rule (R2) and the belief rule (R5), we obtain:
From S13 and AB6, applying the jurisdiction rule (R3), we obtain:
From S13, AB7 and AB8, applying the jurisdiction rule (R3), we obtain:
From S15, AB1 and KAB = H(TAB||RS), applying the belief rule (R5), we obtain:
From MSA and AA4, applying the message-meaning rule (R1) and the hash-function rule (R8), we obtain:
From MSA, the freshness rule (R4) and AA2, we obtain:
From S17 and S18, applying the nonce-verification rule (R2) and the belief rule (R5), we obtain:
From S19, AA7 and AA8, applying the jurisdiction rule (R3), we obtain:
From S20, AA1 and KAB = H(TAB||RS), applying the belief rule (R5), we obtain:
From M6 and S21, applying the message-meaning rule (R1) and the hash-function rule (R8), we obtain:
From M6, the freshness rule (R4) and AA2, we obtain:
From S22 and S23, applying the nonce-verification rule (R2), we obtain:
From M7 and S16, applying the message-meaning rule (R1) and the hash-function rule (R8), we obtain:
From M7, the freshness rule (R4) and AB2, we obtain:
From S25 and S26, applying the nonce-verification rule (R2), we obtain:
5.2 Validation test based on AVISPA
In this section, we simulate the proposed scheme for formal security analysis using AVISPA. The AVISPA tool provides the role-based HLPSL (High-Level Protocol Specification Language) for specifying protocols and their security properties, together with four back-ends: OFMC (On-the-fly Model-Checker), CL-AtSe (Constraint-Logic-based Attack Searcher), SATMC (SAT-based Model-Checker) and TA4SP (Tree Automata-based Protocol Analyser). These are used to find active and passive attacks on a protocol, such as man-in-the-middle and replay attacks, and to analyse security properties such as key secrecy and authentication [25, 50].
To verify the security properties of the protocol with AVISPA, the protocol must first be specified in HLPSL.
Specifying the proposed protocol.
There are three participants in the proposed protocol: the server S and two users A and B. Figs 3–5 show the HLPSL specifications of the roles of users A and B and of server S.
[Figure omitted. See PDF.]
[Figure omitted. See PDF.]
[Figure omitted. See PDF.]
In Fig 6, we show the HLPSL implementation for the role of the session, environment and goal.
[Figure omitted. See PDF.]
In our implementation, we verified six secrecy goals, covering user anonymity and the preservation of the users' secrets, and seven authentication properties for mutual authentication.
Analysis of the results.
We have simulated the proposed scheme using the OFMC and CL-AtSe back-ends of AVISPA. The results of the security verification are shown in Figs 7 and 8.
[Figure omitted. See PDF.]
[Figure omitted. See PDF.]
The results show that the proposed scheme is safe under the OFMC and CL-AtSe back-ends of AVISPA: it guarantees user anonymity, provides mutual authentication, and is secure against passive attacks and active attacks such as the replay attack and the man-in-the-middle attack.
5.3 Informal security analysis
In this section, we demonstrate that the proposed scheme resists various kinds of attacks and provides security properties such as mutual authentication, user anonymity and untraceability.
Mutual authentication.
Mutual authentication is a key feature of an authenticated key agreement protocol, and the proposed scheme achieves strong mutual authentication. In the proposed scheme, Xi is a secret shared between the server S and the user Ui in the registration phase. NS is a nonce of the server S, and a and b are the secrets generated by users A and B for deriving the session key; they also serve as nonces.
In Step 5 of the authentication and key exchange phase, the server S receives the message M4 from user B, which includes VB* = H(UB||TB||NS||XB) generated by user B and VAS* = H(UA||UB||TA||NS||XA) generated by user A. S computes VB = H(UB*||TB*||NS*||XB) and VAS = H(UA||UB||TA||NS*||XA) and authenticates users A and B by verifying that VB = VB* and VAS = VAS*. Since XA and XB are secrets shared between S and users A and B respectively, and NS is a nonce of S, VB* can be generated only by user B and VAS* only by user A. Thus S authenticates users A and B by checking these values. In Step 6, user B receives the message M5 from S, which includes VSB* = H(UA||UB||TA||TB||RS||XB) generated by the server S. Since TB (= Tb(α) mod p) includes B's nonce b and XB is a secret shared with S, VSB* can be generated only by S. Therefore B authenticates S by checking VSB*. In Step 7, user A likewise authenticates S by verifying VSAB* = H(UA||UB*||TA (= Ta(α) mod p)||TB*||RS*||XA). Similarly, user A authenticates user B by checking VBA = H(UA||UB*||TA||TB*||RS*||KAB) in Step 7, and user B authenticates user A by checking VAB = H(UB||UA||TB||TA||RS||KAB) in Step 8.
User anonymity.
The proposed scheme guarantees user anonymity. The messages associated with the user's identifier (MAS, MBS, MSA and MSB) are encrypted with secret keys known only to the participants concerned. For example, MAS is encrypted with the secret key KAS, which is calculated as KAS = Ta(Ts(x)) = Ts(Ta(x)), where the random number a is known only to user A and the secret key s is known only to the server S.
Even if Ta(x) and Ts(x) are exposed, under the CDLP and CDHP assumptions a third party cannot compute KAS, a or s. Therefore nobody other than the user and the server can learn the user's identifier.
Untraceability.
The proposed protocol provides untraceability.
As in the user anonymity proof, all messages (MAS, MBS, MSA and MSB) containing the user’s identity are encrypted as follows.
1. MAS = EKAS(UA, UB, VA), MSA = EKAS(UB, TB, RS, VSAB), KAS = Tks(TA) = Tksa(α) mod p
2. MBS = EKBS(UB, NS, VB), MSB = EKBS(UA, TA, RS, VSB), KBS = Tks(TB) = Tbks(α) mod p
The encryption keys KAS and KBS are both derived from the random numbers a and b generated by users A and B, so different ciphertexts are exchanged in different sessions. The other messages also contain a session-specific random number, so in each session they appear as random bit strings.
Therefore, the proposed protocol provides untraceability.
Off-line password guessing attack.
The proposed scheme is secure against the password guessing attack.
In the proposed scheme, the user's password is used only to access the smart card, and no information related to it is disclosed over the public channel.
The information stored in user A's smart card is {p, α, Ps, GA, FA, Tn(∙), H(∙), EK(∙), DK(∙)}, and the values related to the user's password are GA = H(UA||pwA||h(bmA)) ⊕ XA and FA = H(UA||pwA||h(bmA)||XA). Suppose an attacker steals user A's smart card SCA and knows his identifier UA. To guess user A's password, the attacker would have to compute PRA* = H(UA||pwA*||h(bmA)), XA* = GA ⊕ PRA* and FA* = H(UA||pwA*||h(bmA)||XA*) for a candidate password pwA* and compare FA* with the FA stored in SCA. However, since the attacker does not know h(bmA), he cannot compute PRA*. Therefore the attacker cannot guess the user's password.
Privileged insider attack.
The proposed scheme is secure against the privileged-insider attack. In the proposed scheme, the user's password is never transmitted to the server S, so a privileged insider at the server cannot learn the user's password. Therefore the proposed scheme is secure against this attack.
Stolen verifier attack.
The proposed scheme is secure against the stolen verifier attack. In the registration phase of the proposed scheme, the server stores the tuple {UA, Na} in its user registration table, where UA is user A's identifier and Na is a random number selected by the server. Neither value is sensitive for authenticating the user. Therefore the proposed scheme is secure against the stolen verifier attack.
User impersonation attack.
The proposed scheme is secure against the user impersonation attack.
A user impersonation attack is possible only against a scheme that fails to provide proper authentication: if a participant X cannot authenticate a participant Y, an attacker can impersonate Y. As shown above, the proposed scheme achieves strong mutual authentication. In Step 5, the server S authenticates A and B with its nonce NS and the users' secrets XA and XB. To impersonate user A, an attacker would have to compute VA = H(UA||UB||TA||XA) or VAS = H(UA||UB||TA||NS||XA); but he does not know user A's secret XA = H(UA||Na||ks) and cannot compute it, because ks is the server's secret key, so he can compute neither VA nor VAS and cannot impersonate user A. In the same way, an attacker cannot impersonate user B.
Man-in-the-middle attack.
As shown above, the proposed scheme achieves strong mutual authentication, so an attacker can impersonate neither the initiator A nor the responder B and cannot mount a man-in-the-middle attack.
To mount a man-in-the-middle attack, an attacker would have to establish a session key KAB* = H(TAB||RS*) with users A and B.
Suppose the attacker generates a random number b* and RS* to exchange a session key with user A, computes TAB* = Tb*(TA) = Tab*(α) mod p, and then computes KAB* = H(TAB*||RS*). However, the attacker cannot generate VSAB = H(UA||UB*||TA||TB*||RS*||XA), because he does not know user A's secret XA. Therefore, in Step 7, user A detects the attack when checking VSAB.
To exchange a session key with user B, the attacker would have to compute KAB* from random numbers a* and RS* and calculate VSB = H(UA*||UB||TA*||TB||RS*||XB). Since the attacker does not know user B's secret XB, he cannot compute VSB, so in Step 6 user B detects the attack when checking VSB.
Thus the proposed scheme is resistant to the man-in-the-middle attack.
Replay attack.
In Step 5 of the proposed scheme, the server S authenticates A and B.
If an attacker C intercepts a previous message M1 = {MAS*, TA*} of user A and retransmits it to the server, the server responds with M2 = {VSA, NS}, where NS is freshly generated by the server. In Step 3 the attacker must then produce M3 = {VAS, NS}, but he does not know user A's secret XA and cannot compute VAS = H(UA||UB||TA||NS||XA). Therefore, in Step 5, the server S detects the replay by checking VAS. Likewise, if an attacker retransmits user B's message M4 to the server S, in Step 5 the server detects the replay by checking VB = H(UB*||TB*||NS*||XB), which depends on user B's secret XB.
Known key security.
In the proposed scheme, the session key KAB is calculated as KAB = H(Tab(α) mod p || RS). It depends on the random numbers a, b and RS, which are freshly generated by the participants for each session. Even if an attacker learns a previous session key, he cannot derive a new one from it.
6. Performance comparisons
In this section, we evaluate the computational cost, communication overhead and security properties of our proposed scheme and of other recent 3PAKE schemes [19, 22, 23, 61]. For the comparison of computational cost, we define the following notation.
1. tc: time needed for Chebyshev polynomial operation
2. th: time needed for one-way hash function operation
3. tm: time needed for a modular exponential operation
4. tr: time needed for a modular squaring operation
5. tq: time needed for a square root modulo N operation
6. ts: time needed for symmetric encryption/decryption operation
Table 4 compares the computational cost of our proposed scheme with that of the other 3PAKE schemes. As shown in Table 4, the computational cost of our proposed scheme is lower than that of Jabbari et al.'s, Li et al.'s and Lu et al.'s schemes.
[Figure omitted. See PDF.]
To estimate the communication overhead of our proposed scheme, we take the bit sizes of an identity, a random number, a timestamp, a hash (SHA-1) output and a Chebyshev chaotic-map value to be |ID| = 160, |N| = 160, |Ts| = 32, |H| = 160 and |CM| = 160 bits, respectively. The bit size used for modular exponentiation and modular squaring operations is taken as |ME| = 1024 bits [25]. Table 5 shows the communication overhead of our proposed scheme under these assumptions.
[Figure omitted. See PDF.]
Table 6 compares the communication overhead of our proposed scheme with that of the other 3PAKE schemes. As shown in Table 6, our proposed scheme has more message rounds, and its communication overhead is higher than that of the other schemes.
[Figure omitted. See PDF.]
Table 7 shows the comparative evaluation of the security function between the proposed scheme and other 3PAKE schemes.
[Figure omitted. See PDF.]
As shown in Table 7, the proposed scheme outperforms the other schemes in terms of the security functions considered.
Irshad's scheme has lower communication overhead and computational cost than the proposed scheme, but it provides neither untraceability nor a re-registration phase.
Jabbari's scheme has higher communication overhead and computational cost than ours, and it provides no re-registration phase.
Li's scheme has lower communication overhead than ours but higher computational cost; it attempted to provide user anonymity but did not achieve it. It is also vulnerable to the verifier disclosure attack, the user impersonation attack and the stolen verifier attack, and its password change phase has faults.
Lu's scheme has lower communication overhead than ours but higher computational cost, and it provides neither user anonymity, untraceability nor a re-registration phase.
7. Conclusion and future work
In this paper, we have analysed Li et al.'s scheme, shown that it has several faults, and proposed an enhanced three-party mutual authentication key exchange (3PMAKE) protocol based on chaotic maps and smart cards that provides user anonymity and untraceability for user-to-user communication. The proposed scheme provides strong mutual authentication between the server and the users without using timestamps, and allows a user to re-register with the system without changing his identifier. It also provides anonymity and untraceability and is secure against attacks such as user impersonation, privileged insider and stolen verifier attacks. In addition, we have formally analysed the security properties of the proposed scheme and verified its validity using BAN logic and the AVISPA tool, and shown through an informal security analysis that it resists various attacks.
Because the proposed scheme is designed to provide strong mutual authentication between the communicating participants without a timestamp, its number of message exchanges and its communication overhead are relatively high. In addition, since the key exchange is based on chaotic maps, the security of the proposed scheme is enhanced, but at the cost of higher computation than lightweight schemes that do not use public key encryption. The proposed scheme is therefore suited to systems that must provide stronger security properties in environments where timestamps are not available and communication overhead is not constrained.
In future work, we will investigate improved authentication key exchange for IoT or WSN environments, which require lightweight schemes in terms of communication overhead or computational cost; that is, using only hash functions instead of public key encryption to reduce both the computational cost of the key exchange and the communication overhead.
Supporting information
S1 Protocol.
https://doi.org/10.1371/journal.pone.0273664.s001
(DOCX)
About the Authors:
Kyong-Sok Pak
Contributed equally to this work with: Kyong-Sok Pak, Mi-Hyang Kim, Song-Ho Pak, Chol-Man Ho
Roles: Conceptualization, Methodology
E-mail: [email protected]
Affiliation: Faculty of Information Science, Kim Il Sung University, Pyongyang, Democratic People’s Republic of Korea
https://orcid.org/0000-0002-1622-3538
Mi-Hyang Kim
Contributed equally to this work with: Kyong-Sok Pak, Mi-Hyang Kim, Song-Ho Pak, Chol-Man Ho
Roles: Resources, Software
Affiliation: Faculty of Information Science, Kim Il Sung University, Pyongyang, Democratic People’s Republic of Korea
Song-Ho Pak
Contributed equally to this work with: Kyong-Sok Pak, Mi-Hyang Kim, Song-Ho Pak, Chol-Man Ho
Roles: Data curation, Formal analysis
Affiliation: Faculty of Information Science, Kim Il Sung University, Pyongyang, Democratic People’s Republic of Korea
Chol-Man Ho
Contributed equally to this work with: Kyong-Sok Pak, Mi-Hyang Kim, Song-Ho Pak, Chol-Man Ho
Roles: Investigation, Validation
Affiliation: Faculty of Information Science, Kim Il Sung University, Pyongyang, Democratic People’s Republic of Korea
1. Wang C, Zhang X, Zheng Z. Cryptanalysis and Improvement of a Biometric-Based Multi-Server Authentication and Key Agreement Scheme. Plos One. 2016;11(2):e0149173. pmid:26866606
2. Maitra T, Obaidat MS, Islam SH, Giri D, Amin R. Security analysis and design of an efficient ECC-based two-factor password authentication scheme. Secur Commun Netw. 2016;9(17):4166–4181.
3. Guo H, Wang P, Zhang X, Huang Y, Ma F. A robust anonymous biometric-based authenticated key agreement scheme for multi-server environments. Plos One. 2017;12(11):e0187403. pmid:29121050
4. Yang L, Zheng Z. Cryptanalysis and improvement of a biometrics-based authentication and key agreement scheme for multi-server environments. Plos One. 2018;13(3):e0194093. pmid:29534085
5. Odelu V, Saha S, Prasath R, Sadineni L, Conti M, Jo M. Efficient privacy preserving device authentication in WBANs for industrial e-health applications. COMPUTERS & SECURITY. 2019;83:300–312.
6. Tallapally S. Security enhancement on simple three party PAKE protocol. Inform Technol Control. 2012;41(1):15–22.
7. Farash MS, Attari MA. An enhanced and secure three-party password-based authenticated key exchange protocol without using server’s public-keys and symmetric cryptosystems. Inform Technol Control. 2014;43(2):143–150.
8. Lu Y, Peng H, Yang Y et al. A three-party password-based authenticated key exchange protocol for wireless communications. Inform Technol Control. 2015;44(4):404–409.
9. Chen CM, Wang KH, Yeh KH, Xiang B, Wu TY. Attacks and solutions on a three-party password-based authenticated key exchange protocol for wireless communications. Journal of Ambient Intelligence and Humanized Computing. 2018;10(8):3133–3142.
10. Youn TY, Kang ES, Lee C. Efficient three-party key exchange protocols with round efficiency. Telecommunication Systems. 2013;52(2):1367–1376.
11. Heydari M, Sadough SMS, Farash MS, Chaudhry SA, Mahmood K. An Efficient Password-Based Authenticated Key Exchange Protocol with Provable Security for Mobile Client-Client Networks. Wireless Pers Commun. 2016;88(2):337–356.
12. Lin TH, Lee TF. Secure verifier-based three-party authentication schemes without server public keys for data exchange in telecare medicine information systems. Journal of Medical Systems. 2014;38(5):30–38.
13. Chiou SY, Lin CH. An Efficient Three-Party Authentication Scheme for Data Exchange in Medical Environment. Secur Commun Netw. 2018;2018:1–15.
14. Wu F, Xu L, Kumari S, Li X, Khan MK, Das AK. An enhanced mutual authentication and key agreement scheme for mobile user roaming service in global mobility networks. Ann. Telecommun. 2017;72(3):131–144.
15. Gupta M, Chaudhari NS. Anonymous two factor authentication protocol for roaming service in global mobility network with security beyond traditional limit. Ad Hoc Networks. 2019;84:56–67.
16. Xie Q, Zhao J, Yu X. Chaotic maps-based three-party password-authenticated key agreement scheme. Nonlinear Dyn. 2013;74(4):1021–1027.
17. Lee CC, Li CT, Chiu ST, Lai YM. A new three-party-authenticated key agreement scheme based on chaotic maps without password table. Nonlinear Dyn. 2014;79(4):2485–2495.
18. Xie Q, Hu B, Chen KF, Liu W H, Tan X. Chaotic maps and biometrics-based anonymous three-party authenticated key exchange protocol without using passwords. Chin. Phys. B. 2015;24(11):1–8. Article No. 110505.
19. Jabbari A, Mohasefi J B. Improvement in new three-party-authenticated key agreement scheme based on chaotic maps without password table. Nonlinear Dyn. 2019;95:3177–3191.
20. Farash MS, Attari MA. An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps. Nonlinear Dyn. 2014;77(7):399–411.
21. Xie Q, Hu B, Wu T. Improvement of a chaotic maps-based three-party password-authenticated key exchange protocol without using server’s public key and smart card. Nonlinear Dyn. 2014;79(4):2345–2358.
22. Li CT, Chen CL, Lee CC, Weng CY, Chen CM. A novel three-party password-based authenticated key exchange protocol with user anonymity based on chaotic maps. Soft Comput. 2018;22:2495–2506.
23. Lu Y, Li L, Zhang H, Yang Y. An extended chaotic maps-based three-party password-authenticated key agreement with user anonymity. Plos One. 2016;11(4):e0153870. pmid:27101305
24. Pak KS, Pak SH, Ho CM, Pak MS, Hwang CJ. Anonymity preserving and round effective three-party authentication key exchange protocol based on chaotic maps. Plos One. 2019;14(3):e0213976. pmid:30893354
25. Jangirala S, Das K, Wazid M, Kumar N. Anonymous Lightweight Chaotic Map-Based Authenticated Key Agreement Protocol for Industrial Internet of Things. IEEE Transactions on Dependable and Secure Computing. 2020;17(6):1133–1146.
26. Xue K, Hong P, Ma C. A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J. Comput. System Sci. 2014;80(1):195–206.
27. Li X, Xiong Y, Ma J, Wang W. An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications. 2012;35(2):763–769.
28. Gupta PC, Dhar J. Hash based multi-server key exchange protocol using smart card. Wireless Pers Commun. 2016;87(1):225–244.
29. Amin R, Kumar N, Biswas GP, Iqbal R, Chang V. A light weight authentication protocol for IoT-enabled devices in distributed Cloud Computing environment. Future Generation Computer Systems. 2018;78:1005–1019.
30. Tomar A, Dhar J. An ECC Based Secure Authentication and Key Exchange Scheme in Multi-server Environment. Wireless Pers Commun. 2019;107(1):351–372.
31. Zhou J, Ma M, Sun S. A Hybrid Authentication Protocol for LTE/LTE-A Network. IEEE Access. 2019;7:28319–28333.
32. Challa S, Wazid M, Das AK, Kumar N, Reddy AG, Yoon EJ, et al. Secure signature-based authenticated key establishment scheme for future iot applications. IEEE Access. 2017;5:3028–3043.
33. Jia X, He D, Li L, Choo KKR. Signature-based three-factor authenticated key exchange for internet of things applications. Multimed Tools Appl. 2018;2017(2):1–28.
34. Jia X, He D, Kumar N, Choo KKR. Authenticated key agreement scheme for fog-driven IoT healthcare system. Wireless Networks. 2018;25(8):4737–4750.
35. Ma M, He D, Wang H, Kumar N, Choo KKR. An Efficient and Provably-Secure Authenticated Key Agreement Protocol for Fog-Based Vehicular Ad-Hoc Networks. IEEE Internet of Things Journal. 2019;6(5):8056–8075.
36. Reddicherla VR, Rawat U, Garg K. Securing NEMO Using a Bilinear Pairing-Based 3-Party Key Exchange (3PKE-NEMO) in Heterogeneous Networks. Foundations of Science. 2019;25(4):1125–1146.
37. Chuang MC, Chen MC. An anonymous multi-server authenticated key agreement scheme based on trust computing using smartcards and biometrics. Expert Syst. Appl. 2014;41(4):1411–1418.
38. Wei F, Zhang R. A Provably Secure Anonymous Two-Factor Authenticated Key Exchange Protocol for Cloud Computing. Fundamenta Informaticae. 2018;157:201–220.
39. Yang Z, Lai J, Sun Y, Zhou J. A Novel Authenticated Key Agreement Protocol With Dynamic Credential for WSNs. ACM Transactions on Sensor Networks. 2019;15(2):1–27. Article No. 22.
40. Marko K, Islam SH, and Marko H. A Robust and Efficient Mutual Authentication and Key Agreement Scheme with Untraceability for WBANs. Comput. Networks. 2019;148:196–213.
41. Zhou L, Li X, Yeh KH, Su C, Chiu W. Lightweight IoT-based authentication scheme in cloud computing circumstance. Future Generation Computer Systems. 2019;91:244–251.
42. Mehra PS, Doja MN, Alam B. Codeword Authenticated Key Exchange (CAKE) light weight secure routing protocol for WSN. Int J Commun Syst. 2019;32:1–27. Article No. e3879.
43. Li X, Ibrahim MH, Kumari S, Sangaiah AK, Gupta V, Choo KKR. Anonymous mutual authentication and key agreement scheme for wearable sensors in wireless body area networks. Comput. Networks. 2017;129:429–443.
44. Khan MK, Alghathar K. Cryptanalysis and Security Improvements of ‘Two-Factor User Authentication in Wireless Sensor Networks’. Sensors. 2010;10:2450–2459. pmid:22294935
45. Diffie W, Hellman M. New directions in cryptography. IEEE Trans. Inf. Theory. 1976;22(6):644–654.
46. Koblitz N. Elliptic curve cryptosystems. Math Comput. 1987;48(177):203–209.
47. Mason JC, Handscomb DC. Chebyshev polynomials. London: Chapman & Hall/CRC Press; 2003.
48. Zhang L. Cryptanalysis of the public key encryption based on multiple chaotic systems. Chaos Soliton Fract. 2012;37(3):669–674.
49. Burrows M, Abadi M, Needham R. A logic of authentication. ACM SIGOPS Operating Systems Review. 1990;8(1):18–36.
50. AVISPA: Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/ (accessed on January 2019).
51. Jin ATB, Ling DNC, Goh A. Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn. 2004;37(11):2245–2255.
52. Lumini A, Nanni L. An improved BioHashing for human authentication. Pattern Recogn. 2007;40(3):1057–1065.
53. Dodis Y, Kanukurthi B, Katz J, Reyzin L, Smith A. Robust Fuzzy Extractors and Authenticated Key Agreement From Close Secrets. IEEE Trans. Inf. Theory. 2008;58(9):6207–6222.
54. Dolev D, Yao A. On the security of public key protocols. IEEE Trans. Inf. Theory. 1983;29(2):198–208.
55. Veyrat-Charvillon N, Standaert FX. Generic side-channel distinguishers: Improvements and limitations. In: Proceedings of the Annual Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2011. Berlin/Heidelberg: Springer; 2011. p. 354–372.
56. Bellare M, Pointcheval D, Rogaway P. Authenticated key exchange secure against dictionary attacks. Tecnologia Electronica E Informatica 1. 2000;807:139–155.
57. Kocher P, Jaffe J, Jun B, Rohatgi P. Introduction to differential power analysis. Journal of Cryptographic Engineering. 2011; 1(1): 5–27.
58. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput. 2002;51(5):541–552.
59. Horng SJ, Tzeng SF, Pan Y, Fan P, Wang X, Li T, et al. b-SPECS+: Batch Verification for Secure Pseudonymous Authentication in VANET. IEEE Transactions on Information Forensics and Security. 2013;8(11):1860–1875.
60. Tzeng SF, Horng SJ, Li T, Wang X, Huang PH, Khan MK. Enhancing Security and Privacy for Identity-based Batch Verification Scheme in VANET. IEEE Transactions on Vehicular Technology. 2017;66(4):3235–3248.
61. Irshad A, Sher M, Chaudhry S, Xie Q, Kumari S, Wu F. An improved and secure chaotic map based authenticated key agreement in multi-server architecture. Multimed. Tools Appl. 2017;77(01): 1–38.