
Anonymity preserving and round effective three-party authentication key exchange protocol based on chaotic maps

Kyongsok Pak, Songho Pak, Cholman Ho, Myongsuk Pak, Choljin Hwang

Affiliation (all authors): College of Information Science, Kim Il Sung University, Pyongyang, DPR of Korea

Kyongsok Pak, Songho Pak and Cholman Ho contributed equally to this work.

Corresponding authors: pks228@126.com (KP); info4@ryongnamsan.edu.kp (MP)

Roles: Kyongsok Pak (Conceptualization); Songho Pak (Conceptualization, Project administration); Cholman Ho (Methodology); Myongsuk Pak (Conceptualization, Formal analysis); Choljin Hwang (Methodology).

Abstract

Three-party authentication key exchange (3PAKE) is a protocol that allows two users to set up a common session key with the help of a trusted remote server, which makes it well suited to secret communication between clients in a large-scale network environment. Because chaotic maps have attractive characteristics, researchers have recently applied them to authentication key exchange and cryptography. Providing user anonymity in authentication key exchange is one of the important security requirements for protecting users' personal secrets. We analyse Lu et al.'s scheme, which attempts to provide user anonymity, and show that it has errors in the key exchange phase and the password change phase. We then propose a round-effective 3PAKE protocol that provides user anonymity and analyse its security properties with BAN logic and the AVISPA tool.

1. Introduction

Along with the rapid development of information technology and computer networks, user authentication plays an important role in protecting resources, services and users' personal information on the network. The authentication key exchange protocol is one of the important mechanisms of network security; its aim is to set up a session key for secret communication between users over an open network. In essence, an authentication key exchange protocol is a key exchange for secret communication that is built on authentication between the communicating parties. Authentication key exchange protocols can be classified into Two-Party Authentication Key Exchange (2PAKE), Three-Party Authentication Key Exchange (3PAKE) and Multi-Party Authentication Key Exchange (MPAKE) according to the number of parties participating in the key exchange. The key point of the 3PAKE protocol is that a user does not need to remember a separate password for every other user: two users can establish secret communication with the help of a trusted remote server.

1.1 Cryptography for key exchange

Since the authentication key exchange protocol was proposed by Bellovin and Merritt [1] in 1992, there have been many studies of 2PAKE [2, 3], 3PAKE and MPAKE [4–6] protocols based on various cryptographic algorithms. For key exchange in 3PAKE protocols, researchers have used the Diffie-Hellman (DH) key exchange scheme [7–18], the Elliptic Curve Cryptosystem (ECC) based key exchange scheme [19–26], and the Chebyshev chaotic map based key exchange scheme [27–38]. DH key exchange based on modular exponentiation [39] requires a large computational cost. ECC based schemes [40], in which the key length is small and the computational cost is low, have also been used for key exchange; they are more efficient in terms of key length and computational cost than DH key exchange using modular exponentiation [41].

In 2008, Zhang [42] proved that the semi-group property of Chebyshev polynomials [43] also holds on the interval (−∞, +∞), which enhanced their usefulness, and Chebyshev chaotic map based key exchange has since been widely used in 3PAKE protocols. Chebyshev chaotic map based schemes offer high security, low computational cost, simple encryption, small storage requirements and low bandwidth [37, 44, 45]. Compared with DH and ECC based schemes, they are therefore better suited to wireless sensor networks and to smart card based authentication systems. In 2016, Kumari et al. [46] proposed a mutual authentication and key agreement scheme for wireless sensor networks using Chebyshev chaotic maps: they described different chaotic maps that can be used in digital authentication, discussed a design methodology for robust authentication and key agreement in wireless sensor networks, and proposed a new authentication scheme for wireless sensor networks that provides user anonymity. However, their scheme is vulnerable to the session-specific temporary information attack, the sensor node impersonation attack and the man-in-the-middle attack [47].

1.2 User authentication schemes in 3PAKE

In 3PAKE, the authentication server authenticates the users and mediates the session key exchange between them. To let the server authenticate users in a 3PAKE protocol, researchers have applied user password schemes [7–15, 19, 20, 27, 48], a combination of server public key and user password [17, 18, 23–26, 30–36], shared secret key schemes [21, 22, 28, 29, 49–51], and a combination of shared secret key and server public key [16, 38, 52–54].

A user password scheme without a public key or shared secret key is easily broken by password guessing, because the entropy of a password is low [8]. For example, in 2009 Huang [7] designed a 3PAKE protocol based only on user passwords. However, Yoon et al. [10] proved that Huang's scheme is vulnerable to the off-line password guessing attack and the undetectable on-line password guessing attack. Wu et al. [17] proved that Huang's scheme is vulnerable to the key-compromise impersonation attack, and proposed an updated 3PAKE protocol using user passwords and the server public key. Chang et al. [8] proposed an efficient password-based 3PAKE protocol using modular exponentiation; Wu et al. [19] pointed out that Chang et al.'s scheme is vulnerable to password guessing and designed a password-based 3PAKE protocol of their own, which in turn is vulnerable to the key-compromise impersonation attack [18]. Tso [12] also pointed out that Chang et al.'s scheme is vulnerable to password guessing, but Tso's scheme is itself vulnerable to the off-line password guessing attack and the impersonation attack [14]. Youn et al. [13] also designed an efficient password-based 3PAKE protocol, but their scheme is vulnerable to the impersonation attack [15]. Farash et al. [27] proposed a 3PAKE protocol based on user passwords and chaotic maps, but Li et al. [38] pointed out that it is vulnerable to the password disclosure attack, the user impersonation attack and the off-line password guessing attack, and proposed a chaotic map based 3PAKE protocol with a shared secret key.

A server public key scheme needs a key management mechanism, so the protocol design is relatively complex and the computational cost increases. On the other hand, using this scheme in 3PAKE can provide user anonymity, because the messages exchanged between user and server can be encrypted under the server's public key. In 2014, Xie et al. [23] proposed a 3PAKE protocol based on ECC and the server public key that provides user anonymity. However, their scheme is vulnerable to the privileged insider attack, because the server stores a table of users' passwords. Lou and Huang [24] also proposed a 3PAKE protocol based on ECC and the server public key in which no message is encrypted with the server public key, but their scheme is vulnerable to the off-line password guessing attack and the key-compromise impersonation attack [26]. In 2013, Xie et al. [30] and Lee et al. [32] proposed 3PAKE protocols based on chaotic maps and the server public key. However, Lee et al. [28] pointed out that Xie et al.'s scheme fails to provide user anonymity, is vulnerable to the off-line password guessing attack, and has problems with password table management. Hu et al. [34] pointed out that Lee et al.'s scheme does not provide user anonymity and is vulnerable to the man-in-the-middle attack, and Farash et al. [33] pointed out that Lee et al.'s scheme is vulnerable to the modification attack and the impersonation attack.

In a shared secret key scheme, the server authenticates users by means of a secret it shares with each of them. This is safer than a password based scheme because no private user information is held on the server side, so it resists, for example, the privileged insider attack and the stolen verifier attack. Tan [21] proposed a 3PAKE protocol based on ECC and a shared secret key in which each user keeps a private key combining the server's secret key with the user's identifier; however, the scheme is vulnerable to the key-compromise impersonation attack [22]. Li [29] and Islam [50] each proposed a 3PAKE protocol based on chaotic maps and a shared secret key in which the user encrypts the authentication data with a private key derived from the server's private key, but the user's identifier is exposed in the message, so neither protocol provides user anonymity.

Meanwhile, to improve the effectiveness and safety of authentication, there have been studies that implement 3PAKE protocols with devices such as smart cards [48–54]. In a password-only authentication key exchange, the user simply needs to remember the password. In an authentication key exchange that uses a public key or a shared secret key, however, the user must have somewhere to store the shared secret key or the server's public key. A smart card not only lets users carry their own authentication information, but also lets them access the service from any terminal with a card reader; the drawback is the risk of losing the card. In 2012, Lai et al. [53] proposed a smart card based 3PAKE protocol using chaotic maps. However, Zhao et al. [52] pointed out that Lai et al.'s scheme is vulnerable to the privileged insider attack and the off-line password guessing attack, and proposed an updated smart card scheme using the server public key and a shared secret key. Yang et al. [51] proposed a smart card based 3PAKE protocol with a shared secret key, but Amin et al. [49] proved that Yang et al.'s scheme is vulnerable to the off-line password guessing attack, the many logged-in users attack and the privileged insider attack, has a security weakness in the password change phase, and proposed an updated scheme. In 2015, Xie et al. [48] proposed a smart card based 3PAKE protocol using chaotic maps and user passwords, but it has several weaknesses. In 2016, Lu et al. [31] pointed out that Xie et al.'s scheme is vulnerable to the off-line password guessing attack and the user impersonation attack, does not provide user anonymity, and lacks session key security, and proposed an updated 3PAKE protocol that provides user anonymity using the server public key and user passwords. However, Lu et al.'s scheme still has a series of weaknesses.

1.3 Our contribution

A user's identifier is an important personal secret. If user anonymity is not provided, an attacker learns who is currently taking part in a network conversation and can track the user's subscription history and current location. Chebyshev chaotic map based authentication and key exchange suits smart card authentication systems and wireless sensor networks, which require low computational cost, simple encryption, small memory and low bandwidth. Building on these studies, we analyse Lu et al.'s scheme [31] and point out its weaknesses, and propose a round-effective 3PAKE protocol based on chaotic maps that uses smart cards, provides user anonymity and resists various attacks. In the proposed scheme, to provide user anonymity the messages exchanged between sender and receiver are encrypted with a shared secret key derived from the server's public key, and to authenticate the messages we use the user's private key, which is derived from the user's identifier and the server's secret key.

In Section 2 we describe the theory of chaotic maps, one-way functions and the Bio-hashing function, and in Section 3 we review Lu et al.'s scheme. Section 4 presents the proposed scheme, Section 5 gives its security analysis, and Section 6 compares the proposed scheme with previous schemes in terms of performance.

2. Preliminaries

This section describes Chebyshev chaotic maps and their computational problems, and Bio-hashing functions.

2.1 Chebyshev polynomials

The Chebyshev polynomial Tn(x) is defined as follows [43].

Tn(x) = cos(n·arccos(x)), x ∈ [–1, 1], n ∈ N

Chebyshev polynomials satisfy the following recurrence relation [43].

Tn(x) = 2x·Tn-1(x) – Tn-2(x) (n ≥ 2),

T0(x) = 1, T1(x) = x

2.2 The property of Chebyshev polynomials

Chebyshev polynomials have the following two properties [43, 46].

Chaotic property: When n > 1, the Chebyshev polynomial map Tn(x): [–1, 1] → [–1, 1] of degree n is a chaotic map with an invariant density and a positive Lyapunov exponent ln(n) > 0.

Semi-group property: For r, s ∈ N and any x ∈ [–1, 1], Tr(Ts(x)) = Trs(x) = Ts(Tr(x)).

2.3 Enhanced Chebyshev polynomials

The semi-group property also holds for Chebyshev polynomials on the interval (–∞, +∞) and, with a large prime modulus p, gives the enhanced Chebyshev polynomials used in the rest of this paper [42, 43]:

Tn(x) = 2x·Tn-1(x) – Tn-2(x) mod p (n ≥ 2, x ∈ (–∞, +∞), p a large prime),

Tr(Ts(x)) ≡ Trs(x) ≡ Ts(Tr(x)) mod p (r, s ∈ N).

2.4 Computational problems based on Chebyshev polynomials

CDLP (Chaotic map based Discrete Logarithm Problem): Given x and y = Tr(x) mod p, it is infeasible for any polynomial-time algorithm to find the integer r [28, 42, 43].

CDHP (Chaotic map based Diffie-Hellman Problem): Given the three values x, Tr(x) mod p and Ts(x) mod p, it is infeasible for any polynomial-time algorithm to compute Trs(x) mod p [28, 42, 43].

2.5 Bio-hashing function

Biometrics are an important factor for user authentication. In general, the captured biometric characteristics (face, fingerprint, palm-print, etc.) are not exactly the same each time they are read [49]. To solve this problem, Jina et al. [55] and Lumini et al. [56] proposed and later refined Bio-hashing, which has been used in many authentication schemes [45, 49, 57, 58]. Bio-hashing maps a user's biometric features to user-specific random vectors [45, 57] and is useful for authentication mechanisms that use small devices such as mobile devices and smart cards [57].

3. Review of Lu et al.’s scheme

This section shows that the scheme proposed by Lu et al. has a series of design deficiencies. Lu et al. designed a chaotic map based 3PAKE protocol intended to provide user anonymity; however, the scheme has errors in the session key exchange phase and the password change phase. Below is a brief description of Lu et al.'s scheme and its deficiencies.

3.1 Lu et al.’s scheme

Notation used in their paper.

  1. S: a remote server.
  2. A and B: two users.
  3. IDA and IDB: users’ identities of A and B.
  4. pwdA and pwdB: users’ passwords of A and B.
  5. k and Tk(x) mod p: private and public keys of S.
  6. s: a secret key of S.
  7. q: shared secret key between A and S.
  8. h1(): a one-way hash function.
  9. h(): a chaotic maps-based one-way hash function.
  10. p: a large prime number.

System initialization.

The server selects a random number x ∈ Zp and a private key k ∈ [1, p+1], computes the public key Tk(x) mod p and publishes {p, x, Tk(x) mod p, h(∙)}.

Registration.

  1. User A submits {IDA, gA = h1(pwdA, rA)} to S, where rA is a random number.
  2. Upon receiving the registration request, S computes VPWA = h1(IDA, k) ⊕ gA. Next, S randomly chooses a secret key q for A and sends it to A via a secure channel. Note that q is kept securely by A and is different for each user A. Finally, S stores k ⊕ q and VPWA in its memory.

Session key exchange.

  1. Step 1: Using the stored shared secret key q, user A computes CA = EKAS(IDA, IDB, Ta(x), FA) and sends it to S, where KAS = Tq(Tk(x)), FA = h(IDA, IDB, Ta(x), gA), and a ∈ [1, p+1] is a random number.
  2. Step 2: On receiving the message, S first derives q by computing (k ⊕ q) ⊕ k and then obtains {IDA, IDB, Ta(x), FA} by decrypting CA with the computed symmetric key KAS = Tk(Tq(x)). The remaining steps are omitted here.

Password update.

  1. Step 1: A selects a new password pwdA* and computes RA = ETq(x)(IDA, h(pwdA*, rA), h(pwdA, rA), ZAS), where ZAS = h(IDA, TS1(x), KAS), and sends RA to S.
  2. Step 2: S decrypts RA with the shared secret key q to retrieve {IDA, h(pwdA*, rA), h(pwdA, rA), ZAS}. The remaining steps are omitted here.

3.2 Defects in the design of Lu et al.’s scheme

Session key exchange.

In the registration phase, Lu et al. state that q is kept securely by A and is different for each user A, and that S stores k ⊕ q in its memory. S must therefore keep a separate k ⊕ q for each user and look it up by user identifier. In step 2 of the session key exchange phase, Lu et al. state that S derives q by computing (k ⊕ q) ⊕ k and obtains {IDA, IDB, Ta(x), FA} by decrypting CA with the computed symmetric key KAS = Tk(Tq(x)). To retrieve A's k ⊕ q, S needs A's identifier, but A's message CA is encrypted precisely in order to provide user anonymity and has not yet been decrypted. So S cannot learn user A's identifier and cannot compute q = (k ⊕ q) ⊕ k. If instead S stores a single k ⊕ q for all users, S can decrypt A's message CA as the protocol describes, but then every other user also holds q and can decrypt A's message too, so the scheme cannot provide user anonymity.

Password update.

The password change phase has the same defect as the session key exchange phase: S cannot obtain the key KSA = Tk(Tq(x)) needed to decrypt the message RA, and therefore cannot update the password.

4. Proposed scheme

This section describes an improved smart card based 3PAKE protocol that overcomes the limitations of Lu et al.'s scheme. The proposed scheme consists of four phases: the system initialization phase, the registration phase, the authentication and session key exchange phase, and the password change phase. The notation in Table 1 is used to describe the proposed scheme in this paper.

4.1 System initialization phase

  1. S selects a large prime number p and x ∈ Zp for the Chebyshev polynomials Tn(x).
  2. S selects secure one-way hash function H(∙) and a symmetric encryption/decryption algorithm EK(∙)/DK(∙).
  3. S selects s ∈ [1, p+1] and keeps it as his secret key, and then computes public-key KS = Ts(x) mod p.
  4. S publishes {p, x, KS, H(∙), EK(∙), DK(∙)} as system’s parameters.

4.2 User registration phase

All users who want to exchange session keys using the proposed scheme must register on S.

Fig 1 shows an example of user A's registration process.

User A sends his/her identifier IDA to S via a secure channel. S checks whether IDA is already registered; if not, it computes XA = H(IDA||s), stores {p, x, XA, KS, H(∙), EK(∙), DK(∙)} in the smart card SCA, and delivers SCA to user A via a secure channel.

On receiving SCA from S, user A inputs the password pwA and biometric bmA to the card. SCA computes GA = H(IDA||pwA||h(bmA)) ⊕ XA and FA = H(IDA||pwA||h(bmA)||XA), and stores {p, x, GA, FA, KS, H(∙), EK(∙), DK(∙)} in its memory, so that XA is never held in the clear on the card.

4.3 Authentication and session key exchange phase

Fig 2 shows the authentication and session key exchange steps of the proposed scheme.

Fig 2. Authentication and session key exchange phase of the proposed scheme.

https://doi.org/10.1371/journal.pone.0213976.g002

  1. User A connects his smart card SCA to the terminal and inputs his identifier IDA, password pwA and biometric bmA. SCA computes
    XA* = GA ⊕ H(IDA||pwA||h(bmA)), FA* = H(IDA||pwA||h(bmA)||XA*).
    If FA ≠ FA*, SCA aborts the process. Otherwise SCA selects a random a ∈ [1, p+1] and computes
    KA = Ta(x) mod p, KAS = Ta(KS) = Tas(x) mod p, ZAS = H(IDA||IDB||KA||XA), MAS = EKAS(IDA, IDB, ZAS).
    A sends M1 = {MAS, KA} to B.
  2. After receiving {MAS, KA} from A, B connects his smart card SCB to the terminal and inputs his identifier IDB, password pwB and biometric bmB. SCB computes
    XB* = GB ⊕ H(IDB||pwB||h(bmB)), FB* = H(IDB||pwB||h(bmB)||XB*).
    If FB ≠ FB*, SCB aborts the process. Otherwise SCB selects a random b ∈ [1, p+1] and computes
    KB = Tb(x) mod p, KBS = Tb(KS) = Tbs(x) mod p, KAB = Tb(KA) = Tba(x) mod p,
    ZBA = H(IDB||KAB), ZBS = H(IDB||KB||KA||XB), MBS = EKBS(IDB, ZBS, ZBA).
    B sends M2 = {MAS, KA, MBS, KB} to S.
  3. After receiving {MAS, KA, MBS, KB} from B, S computes
    KAS = Ts(KA) = Tsa(x) mod p, {IDA, IDB*, ZAS*} = DKAS(MAS), XA = H(IDA||s), ZAS = H(IDA||IDB*||KA||XA).
    S checks whether ZAS and ZAS* are the same. If ZAS ≠ ZAS*, S aborts the process. S also computes
    KBS = Ts(KB) = Tsb(x) mod p, {IDB, ZBS*, ZBA} = DKBS(MBS), XB = H(IDB||s), ZBS = H(IDB||KB||KA||XB).
    S checks whether ZBS and ZBS* are the same. If ZBS ≠ ZBS*, S aborts the process. S also checks whether IDB* from A's message and IDB from B's message are the same; if not, S aborts the process.
    After that, S computes
    ZSA = H(IDA||IDB||KA||KB||XA), ZSB = H(IDB||IDA||KB||KA||XB), MSA = EKAS(IDB, KB, ZSA, ZBA), MSB = EKBS(IDA, KA, ZSB).
    S sends M3 = {MSA, MSB} to A.
  4. After receiving {MSA, MSB} from S, A computes
    {IDB, KB, ZSA*, ZBA*} = DKAS(MSA), ZSA = H(IDA||IDB||KA||KB||XA).
    If ZSA ≠ ZSA*, A aborts the process. A also computes
    KAB = Ta(KB) = Tab(x) mod p, ZBA = H(IDB||KAB).
    If ZBA ≠ ZBA*, A aborts the process; otherwise A sets KAB as the session key. A also computes
    ZAB = H(IDA||IDB||KAB).
    A sends M5 = {MSB, ZAB} to B.
  5. After receiving {MSB, ZAB*} from A, B computes
    {IDA, KA, ZSB*} = DKBS(MSB), ZSB = H(IDB||IDA||KB||KA||XB).
    If ZSB ≠ ZSB*, B aborts the process. B also computes
    ZAB = H(IDA||IDB||KAB).
    If ZAB ≠ ZAB*, B aborts the process. Otherwise B sets KAB as the session key.

4.4 Password change phase

User A connects his smart card SCA to the terminal and inputs his identifier IDA, password pwA and biometric bmA. SCA computes XA = GA ⊕ H(IDA||pwA||h(bmA)) and FA* = H(IDA||pwA||h(bmA)||XA), and checks whether FA and FA* are the same. If FA ≠ FA*, SCA aborts the process. Otherwise SCA asks the user for a new password newpwA, computes GAnew = H(IDA||newpwA||h(bmA)) ⊕ XA and FAnew = H(IDA||newpwA||h(bmA)||XA), and replaces <GA, FA> in its memory with <GAnew, FAnew>. The server is not involved, since XA is unchanged.
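As an added illustration of Sections 2.3 and 4.2 to 4.4 (example code written for this review, not the authors' implementation), the following Python script computes enhanced Chebyshev polynomials mod p by fast doubling and runs one complete session of the proposed scheme: registration, card personalisation, the five authentication and key exchange steps with every Z check, and the card-local password change. The prime p, the seed x, the user names, passwords and biometric strings are toy values constructed here; EK/DK is an encrypt-then-MAC construction built from SHA-256 that stands in for the symmetric cipher the paper leaves unspecified, and h(bm) is a plain hash of the biometric string rather than a Bio-hash. The tamper option runs the impersonation attempt of Section 5.3, in which an attacker who knows IDA and IDB but not XA substitutes KA, and shows the server rejecting it.

```python
# Added example, not the authors' code: Chebyshev arithmetic mod p (Sec. 2.3) and one run of the
# proposed scheme (Secs. 4.2-4.4). Toy parameters; E_K/D_K and h(bm) are SHA-256 stand-ins.
import hashlib
import hmac
import secrets

P, X = 2**127 - 1, 123456789   # toy prime p and public seed x in Z_p (Sec. 4.1 wants a large prime)

def cheb(n, x, p=P):
    """T_n(x) mod p by fast doubling: T_2k = 2T_k^2 - 1, T_2k+1 = 2T_k T_k+1 - x."""
    def pair(m):                         # returns (T_m, T_m+1) mod p
        if m == 0:
            return 1 % p, x % p
        a, b = pair(m // 2)
        t0, t1 = (2 * a * a - 1) % p, (2 * a * b - x) % p
        return (t0, t1) if m % 2 == 0 else (t1, (2 * b * b - 1) % p)
    return pair(n)[0]

def ib(n): return n.to_bytes(16, "big")          # field element -> 16 bytes
def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))
def H(*parts):                                   # H(a||b||...) with length framing
    h = hashlib.sha256()
    for q in parts:
        h.update(len(q).to_bytes(4, "big") + q)
    return h.digest()

def enc(k, fields):   # E_K(f1, f2, ...): SHA-256 keystream XOR + HMAC tag (use an AEAD in practice)
    pt = b",".join(f.hex().encode() for f in fields)
    ks = b"".join(H(b"enc", ib(k), bytes([i])) for i in range(len(pt) // 32 + 1))
    ct = xor(pt, ks)
    return hmac.new(H(b"mac", ib(k)), ct, "sha256").digest() + ct

def dec(k, blob):     # D_K: verify the tag, strip the keystream, split the fields
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(H(b"mac", ib(k)), ct, "sha256").digest()):
        raise ValueError("D_K: bad tag")
    ks = b"".join(H(b"enc", ib(k), bytes([i])) for i in range(len(ct) // 32 + 1))
    return [bytes.fromhex(f.decode()) for f in xor(ct, ks).split(b",")]

def register(idu, s): return H(idu, ib(s))    # Sec. 4.2, server side: X_U = H(ID_U||s)
def card_personalize(idu, pw, bm, xu):        # Sec. 4.2, card stores (G_U, F_U)
    return xor(H(idu, pw, H(bm)), xu), H(idu, pw, H(bm), xu)
def card_open(card, idu, pw, bm):             # login check of 4.3 steps 1-2 and 4.4
    gu, fu = card
    xu = xor(gu, H(idu, pw, H(bm)))           # X_U* = G_U xor H(ID||pw||h(bm))
    if not hmac.compare_digest(H(idu, pw, H(bm), xu), fu):
        raise ValueError("smart card: login rejected")
    return xu
def change_password(card, idu, pw, bm, newpw):   # Sec. 4.4: card-local, S is not involved
    return card_personalize(idu, newpw, bm, card_open(card, idu, pw, bm))

def run_3pake(s, cards, creds, tamper=False):
    """Steps 1-5 of Sec. 4.3 -> (K_AB at A, K_AB at B). tamper=True lets an attacker C who
    knows ID_A and ID_B but not X_A replace K_A, the impersonation attempt of Sec. 5.3."""
    KS = cheb(s, X)
    (ida, pwa, bma), (idb, pwb, bmb) = creds
    # Step 1 (A): K_A = T_a(x), K_AS = T_a(K_S), M1 = {M_AS, K_A}
    xa = card_open(cards[ida], ida, pwa, bma)
    ka, kas = cheb((a := secrets.randbelow(P) + 1), X), cheb(a, KS)
    mas = enc(kas, [ida, idb, H(ida, idb, ib(ka), xa)])
    if tamper:       # C can encrypt under T_c(K_S) like anyone, but has to guess X_A
        ka = cheb((c := secrets.randbelow(P) + 1), X)
        mas = enc(cheb(c, KS), [ida, idb, H(ida, idb, ib(ka), H(b"guessed X_A"))])
    # Step 2 (B): K_B = T_b(x), K_BS = T_b(K_S), K_AB = T_b(K_A), M2 = {M_AS, K_A, M_BS, K_B}
    xb = card_open(cards[idb], idb, pwb, bmb)
    kb, kbs, kab_b = cheb((b := secrets.randbelow(P) + 1), X), cheb(b, KS), cheb(b, ka)
    mbs = enc(kbs, [idb, H(idb, ib(kb), ib(ka), xb), H(idb, ib(kab_b))])   # Z_BS, Z_BA
    # Step 3 (S): K_AS = T_s(K_A), K_BS = T_s(K_B); verify Z_AS, Z_BS and that both name the same ID_B
    kas_s, kbs_s = cheb(s, ka), cheb(s, kb)
    ida_s, idb_a, zas = dec(kas_s, mas)
    idb_s, zbs, zba_s = dec(kbs_s, mbs)
    xa_s, xb_s = H(ida_s, ib(s)), H(idb_s, ib(s))      # S recomputes X_A, X_B from s: no table
    if (zas != H(ida_s, idb_a, ib(ka), xa_s) or zbs != H(idb_s, ib(kb), ib(ka), xb_s)
            or idb_s != idb_a):
        raise ValueError("S: Z_AS/Z_BS mismatch or ID_B disagreement")
    msa = enc(kas_s, [idb_s, ib(kb), H(ida_s, idb_s, ib(ka), ib(kb), xa_s), zba_s])
    msb = enc(kbs_s, [ida_s, ib(ka), H(idb_s, ida_s, ib(kb), ib(ka), xb_s)])
    # Step 4 (A): verify Z_SA, K_AB = T_a(K_B), verify Z_BA, send {M_SB, Z_AB}
    idb_r, kb_r, zsa, zba_r = dec(kas, msa)
    kab_a = cheb(a, int.from_bytes(kb_r, "big"))
    if zsa != H(ida, idb_r, ib(ka), kb_r, xa) or zba_r != H(idb_r, ib(kab_a)):
        raise ValueError("A: Z_SA or Z_BA mismatch")
    zab = H(ida, idb_r, ib(kab_a))
    # Step 5 (B): verify Z_SB, then Z_AB against the K_AB it derived in step 2
    ida_r, ka_r, zsb = dec(kbs, msb)
    if zsb != H(idb, ida_r, ib(kb), ka_r, xb) or zab != H(ida_r, idb, ib(kab_b)):
        raise ValueError("B: Z_SB or Z_AB mismatch")
    return kab_a, kab_b

def demo(tamper=False):   # 'agreed' when A and B end with the same K_AB, 'rejected' on abort
    s = secrets.randbelow(P) + 1                  # server secret key s (Sec. 4.1)
    creds = [(b"alice", b"pw-a", b"bio-a"), (b"bob", b"pw-b", b"bio-b")]   # constructed users
    cards = {i: card_personalize(i, pw, bm, register(i, s)) for i, pw, bm in creds}
    try:
        ka, kb = run_3pake(s, cards, creds, tamper)
    except ValueError:
        return "rejected"
    return "agreed" if ka == kb else "mismatch"
```

demo() returns "agreed" when A and B hold the same KAB and "rejected" when any party aborts; demo(tamper=True) exercises the server's ZAS check against a forged KA. The server side keeps no per-user table: XA and XB are recomputed from s on every run, which is what the stolen verifier argument of Section 5.3 relies on, and the same fact makes s the single secret whose compromise affects every registered user.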

5. Security analysis of the proposed scheme

In this section we analyse the security properties of the proposed scheme. First, we prove the correctness of the session key agreement between users using BAN logic [59]. Next, we simulate the proposed scheme for formal security analysis with the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool [60]. Last, we show that the proposed scheme resists various kinds of attacks.

5.1 Authentication proof based on BAN logic

Notations and Rules.

We define P and Q as the specific participators, S is the trusted server, and X is the formula (statement). Some notations and rules of BAN logic are as follows [59].

  1. P |≡ X: P believes X.
  2. P ⊲ X: P sees X.
  3. P |∼ X: P once said X.
  4. P |⇒ X: P has jurisdiction over X.
  5. #(X): X is fresh.
  6. : K is a shared secret key between P and Q.
  7. {X}K: Formula X are encrypted under the key K.
  8. <X>Y: X combined with the formula Y.
  9. (Message-meaning rule): if P believes that the key K is shared with Q and receives a message containing X encrypted under K, then P believes that Q once said X.
  10. (Nonce-verification rule): if P believes X is fresh and Q once said X, P believes Q believes X.
  11. (Jurisdiction rule): if P believes that Q had jurisdiction right to X and believes Q believes X, P believes X.
  12. (Freshness rule): If X is a part of message(X, Y) and X is fresh, message (X, Y) is also fresh.
  13. (Belief rule 1): If P believes Q believes the message set (X, Y), P also believes Q believes the message X.
  14. (Belief rule 2): If P believes the message X and Y, P also believes the message set (X, Y).
  15. (See rule): if P believes that the key K is shared with Q and receives a message containing X encrypted under K, then P sees X.

Goals.

The session key exchange protocol should achieve the following goals:

Idealize.

We idealize the communication messages of the proposed scheme as follows:

Assumptions.

The initial assumptions of the proposed scheme are as follows:

Analysis.

From M3 and A5, applying the message-meaning rule (R1) and the See rule (R7), we obtain:

From ZSA = H(IDA||IDB||Ta(x)||Tb(x)||XA), A2 and M3, applying the Freshness rule (R4), we obtain:

From S1 and S2, applying the Nonce-verification rule (R2) and Belief rule 1 (R5), we obtain:

From S3 and A7, applying the Jurisdiction rule (R3), we obtain:

From S4, A1 and KAB = Ta(Tb(x)) = (a, Tb(x)), applying Belief rule 2 (R6), we obtain:

From M5 and A6, applying the message-meaning rule (R1), we obtain:

From ZSB = H(IDB||IDA||Tb(x)||Ta(x)||XB), A4 and M5, applying the Freshness rule (R4), we obtain:

From S6 and S7, applying the Nonce-verification rule (R2) and Belief rule 1 (R5), we obtain:

From S8 and A8, applying the Jurisdiction rule (R3), we obtain:

From S9, A3 and KAB = Tb(Ta(x)) = (b, Ta(x)), applying Belief rule 2 (R6), we obtain:

From M4, S1 and S5, applying the message-meaning rule (R1), we obtain:

From A2 and KAB = Ta(Tb(x)) = (a, Tb(x)), applying the Freshness rule (R4), we obtain:

From S11 and S12, applying the Nonce-verification rule (R2), we obtain:

From M6 and S10, applying the message-meaning rule (R1), we obtain:

From A4 and KAB = Tb(Ta(x)) = (b, Ta(x)), applying the Freshness rule (R4), we obtain:

From S14 and S15, applying the Nonce-verification rule (R2), we obtain:

5.2 Validation test based on AVISPA

In this section we simulate the proposed scheme for formal security analysis using AVISPA, which is widely used to verify security properties of protocol designs such as resistance to the replay attack and the man-in-the-middle attack. The tool provides four back-ends: the On-the-Fly Model-Checker (OFMC), the Constraint-Logic-based Attack Searcher (CL-AtSe), the SAT-based Model-Checker (SATMC) and the Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP), described in detail in [60]. To verify a protocol with AVISPA, it is specified in HLPSL (High Level Protocol Specification Language), a role-based language: basic roles represent each participant, and composition roles represent scenarios built from the basic roles. Each role is independent of the others and communicates with them over channels [60]. The output is produced by the chosen back-end.

Specifying the proposed protocol.

In our HLPSL implementation we define three basic roles, for user A, user B and server S. Figs 3, 4 and 5 show the HLPSL specifications of the roles of user A, user B and server S.

Fig 6 shows the HLPSL implementation of the session, environment and goal roles.

Fig 6. Role specification in HLPSL for the session, environment and goal.

https://doi.org/10.1371/journal.pone.0213976.g006

In our implementation, we verified the following five secrecy goals and six authentication properties.

  • secrecy_of sec_ida: It represents that user A's identifier IDA is kept secret to the user A, B and server S only.
  • secrecy_of sec_idb: It represents that user B's identifier IDB is kept secret to the user A, B and server S only.
  • secrecy_of sec_xa: It represents that user A's secret key XA is kept secret to the user A and server S only.
  • secrecy_of sec_xb: It represents that user B's secret key XB is kept secret to the user B and server S only.
  • secrecy_of sec_kab: It represents that session key KAB is kept secret to the user A and B only.
  • authentication_on auth_a_s_kas: When user A receives the messages from server S and decrypts the message with KAS, A authenticates S based on KAS.
  • authentication_on auth_a_b_zba: When user A receives ZBA from the messages from B, A authenticates B based on ZBA.
  • authentication_on auth_b_s_kbs: When user B receives the messages from server S and decrypts the message with KBS, B authenticates S based on KBS.
  • authentication_on auth_b_a_zab: When user B receives ZAB from the messages from A, B authenticates A based on ZAB.
  • authentication_on auth_s_a_xa: When server S receives XA from the messages from A, S authenticates A based on XA.
  • authentication_on auth_s_b_xb: When server S receives XB from the messages from B, S authenticates B based on XB.

Analysis of the results.

We simulated the proposed scheme using the OFMC and CL-AtSe back-ends of AVISPA. The results of the security verification are shown in Figs 7 and 8.

Fig 8. The result of the analysis using CL-AtSe back-end.

https://doi.org/10.1371/journal.pone.0213976.g008

The results show that the proposed scheme is safe under the OFMC and CL-AtSe back-ends of AVISPA for the stated goals: it keeps the user identifiers and the session key secret, and it resists the passive and active attacks modelled by the tool, such as the replay attack and the man-in-the-middle attack.

5.3 Informal security analysis

In this part, we demonstrate the proposed scheme can resist various kinds of attacks.

User anonymity.

The proposed scheme provides user anonymity during key exchange. Every message that carries a user's identifier (MAS, MBS, MSA and MSB) is encrypted with the secret key KXS shared between the server S and the user X. The shared key KAS is computed from user A's random number a and the server's secret key s as KAS = Ta(Ts(x)) = Ts(Ta(x)).

Even if Ta(x) and Ts(x) are exposed, computing KAS, a or s from them is infeasible under the CDLP and CDHP assumptions. Therefore no third party other than the user and the server learns the user's identifier. Anonymity here is with respect to outsiders: as the AVISPA secrecy goals state, B learns IDA and S learns both identifiers.

Off-line password guessing attack.

The proposed scheme resists the off-line password guessing attack. Passwords are not used during the authentication exchange at all; they are used only to unlock the smart card. The information held on user A's smart card is {GA, FA, p, x, KS, H(∙), EK(∙), DK(∙)}, and the only items usable for guessing the password are GA = H(IDA||pwA||h(bmA)) ⊕ XA and FA = H(IDA||pwA||h(bmA)||XA). Suppose an attacker steals user A's smart card SCA and knows his identifier IDA. For each candidate password pwA* the attacker would have to compute PWA* = H(IDA||pwA*||h(bmA)), XA* = GA ⊕ PWA* and FA* = H(IDA||pwA*||h(bmA)||XA*) and compare FA* with the FA stored in SCA. However, PWA* cannot be computed without h(bmA), which depends on A's biometric. Therefore the attacker cannot guess the user's password. Note that this resistance rests entirely on the secrecy of h(bmA): an attacker who obtains both the card and the user's biometric template can run exactly this off-line search.

Privileged insider attack.

The proposed scheme is secure against the privileged insider attack. In the registration phase of the proposed scheme, only the user’s identifier is transmitted to the server through a secure channel; the user’s password is never sent to the server. Therefore, a privileged insider at the server cannot learn the user’s password, and the proposed scheme is secure against this attack.

Stolen verifier attack.

The proposed scheme is secure against the stolen verifier attack. In the proposed scheme, the server keeps no user registration table for authenticating users. Therefore, there is no verifier to steal, and the proposed scheme is secure against this attack.

User impersonation attack.

The proposed scheme is secure against the user impersonation attack and the forgery attack.

In order to impersonate user A, the attacker C replaces KA with KC and sends the message {MAS* (= EKCS(IDA, IDB, ZAS*)), KC} to the server. On receiving the message from attacker C, the server computes KSC from KC and decrypts MAS* using KSC to obtain IDA, IDB and ZAS*. Next, the server computes XA = H(IDA||s) and ZAS = H(IDA||IDB||KA||XA), and compares ZAS with ZAS*. To pass this check, the attacker has to know XA = H(IDA||s) or s.

However, since s is the secret key of the server and XA is secret data held only by user A, attacker C cannot know either of them, and thus the impersonation attack is impossible. Likewise, an attacker attempting to impersonate user B does not know XB or s, so that attack fails in the same way.
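The server-side check that the impersonation argument rests on, as an added Python example (not code from the paper). It shows the server computing XA = H(IDA||s) on demand from its own secret s, so no verifier table exists (the stolen verifier point above), and verifying ZAS = H(IDA||IDB||KA||XA) against the tag received. The encryption of MAS under KAS is left out here; only the decrypted tag is checked. H(∙) is SHA-256, and KA, KC, the identifiers and s are constructed stand-ins.

```python
import hashlib
import hmac


def H(*parts: bytes) -> bytes:
    """Stand-in for the paper's H(.): SHA-256 over '||'-joined fields."""
    return hashlib.sha256(b"||".join(parts)).digest()


def int_bytes(n: int) -> bytes:
    """Fixed big-endian encoding of a Chebyshev value before hashing."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class Server:
    """Holds only the long-term secret s. Each user's XA is recomputed from s and IDA
    when needed, so the server stores no per-user verifier."""

    def __init__(self, s: bytes):
        self._s = s

    def user_secret(self, id_x: bytes) -> bytes:
        return H(id_x, self._s)                                  # XA = H(IDA||s)

    def verify_zas(self, id_a: bytes, id_b: bytes, k_a: int, z_as: bytes) -> bool:
        """ZAS check on the decrypted contents of MAS plus the KA that arrived with it."""
        expected = H(id_a, id_b, int_bytes(k_a), self.user_secret(id_a))
        return hmac.compare_digest(expected, z_as)


def make_zas(id_a: bytes, id_b: bytes, k_a: int, x_a: bytes) -> bytes:
    """Computed by user A with the XA recovered from its smart card: ZAS = H(IDA||IDB||KA||XA)."""
    return H(id_a, id_b, int_bytes(k_a), x_a)


# Constructed sample values (assumptions, not from the paper)
SERVER = Server(b"constructed long-term secret s")
ID_A, ID_B = b"alice", b"bob"
K_A = 0x3C1FA5B7        # constructed stand-in for KA = Ta(x)
K_C = 0x7E2D9901        # constructed stand-in for an attacker's KC = Tc(x)
X_A = SERVER.user_secret(ID_A)   # handed to A over the secure channel at registration


def genuine_login() -> bool:
    """A sends (ZAS, KA) computed with its real XA: accepted."""
    return SERVER.verify_zas(ID_A, ID_B, K_A, make_zas(ID_A, ID_B, K_A, X_A))


def tag_without_xa() -> bool:
    """A party that does not hold XA (or s) can only guess it: rejected."""
    guessed_x_a = H(b"constructed wrong guess for XA")
    return SERVER.verify_zas(ID_A, ID_B, K_A, make_zas(ID_A, ID_B, K_A, guessed_x_a))


def tag_with_substituted_ka() -> bool:
    """A genuine ZAS forwarded with KA swapped for KC: the tag binds KA, so rejected."""
    return SERVER.verify_zas(ID_A, ID_B, K_C, make_zas(ID_A, ID_B, K_A, X_A))


if __name__ == "__main__":
    print(genuine_login(), tag_without_xa(), tag_with_substituted_ka())
```

The second and third cases correspond to the impersonation and man-in-the-middle arguments respectively: the tag can neither be produced without XA nor be reused with a different KA.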

Man-in-the-middle attack.

As above, since an attacker C cannot know XA = H(IDA||s), XB = H(IDB||s) or s, he can neither modify the sender’s messages nor change KA and KB, and thus cannot mount the man-in-the-middle attack.

Replay attack.

If an attacker C replays a previous message {MAS*, Ta*(x)} of user A, he cannot know a* under the CDLP and CDHP assumptions, so he cannot compute ZAB in the fourth message of the proposed scheme.

If an attacker C replays a previous message {MBS*, Tb*(x)} of user B, ZBS* is calculated as ZBS* = H(IDB||RA*||RB*||XB). Since ZBS depends on the current RA and the server verifies the correctness of ZBS, the replayed message is rejected, and attacker C cannot achieve the replay attack.

Perfect forward secrecy of the session key.

In the proposed scheme, the session key KAB is calculated as KAB = Ta(KB) = Tab(x) mod p. It is determined by the random numbers a and b that are freshly generated for each session, and the long-term secret s and the password do not enter into it, so compromising them later does not reveal past session keys.

Therefore, the proposed scheme provides perfect forward secrecy of the session key.

Known key security.

In the proposed scheme, the session key KAB is calculated as KAB = Ta(KB) = Tab(x) mod p. It contains the random numbers a and b that are generated for each session. Even if an attacker knows a previous session key, he cannot derive a new session key from it, since each session uses fresh a and b.
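The Chebyshev semigroup property behind both the anonymity key KAS = Ta(Ts(x)) = Ts(Ta(x)) and the session key KAB = Ta(KB) = Tb(KA) = Tab(x) mod p, as an added Python example (not code from the paper). Tn(x) mod p is evaluated by 2×2 matrix exponentiation of the recurrence; the modulus p, the seed x and the exponents are constructed sample values, not the paper's parameters. The session() function returns the keys each party computes so that the equalities, and the fact that different (a, b) give different KAB, can be checked directly.

```python
import secrets

P = (1 << 127) - 1           # constructed modulus p (a Mersenne prime); not the paper's parameter
X = 0x1234567890ABCDEF % P   # constructed public seed x


def chebyshev(n: int, x: int, p: int = P) -> int:
    """T_n(x) mod p in O(log n) multiplications.
    T_0 = 1, T_1 = x, T_{k+1} = 2x*T_k - T_{k-1}, so with M = [[2x, -1], [1, 0]]
    [T_{k+1}, T_k]^T = M [T_k, T_{k-1}]^T and [T_n, T_{n-1}]^T = M^(n-1) [x, 1]^T for n >= 1."""
    if n == 0:
        return 1 % p
    r = (1, 0, 0, 1)                      # accumulator (row-major 2x2), starts as the identity
    m = (2 * x % p, (-1) % p, 1, 0)       # M mod p

    def mul(u, v):
        a, b, c, d = u
        e_, f, g, h = v
        return ((a * e_ + b * g) % p, (a * f + b * h) % p,
                (c * e_ + d * g) % p, (c * f + d * h) % p)

    e = n - 1
    while e:                              # square-and-multiply on the matrix
        if e & 1:
            r = mul(r, m)
        m = mul(m, m)
        e >>= 1
    return (r[0] * x + r[1]) % p          # first row of M^(n-1) applied to (x, 1)


def random_exponent() -> int:
    """Fresh per-session random number in [2, p-2]."""
    return secrets.randbelow(P - 3) + 2


def session(a: int, b: int, s: int) -> dict:
    """One run with A's ephemeral a, B's ephemeral b and the server's long-term s.
    Returns the keys each party computes so the semigroup identities can be checked."""
    ts_x = chebyshev(s, X)                  # server's public value T_s(x)
    k_a = chebyshev(a, X)                   # KA = T_a(x), sent by A
    k_b = chebyshev(b, X)                   # KB = T_b(x), sent by B
    return {
        "KAS_user":   chebyshev(a, ts_x),   # A computes T_a(T_s(x))
        "KAS_server": chebyshev(s, k_a),    # S computes T_s(T_a(x)); equal by the semigroup property
        "KAB_A":      chebyshev(a, k_b),    # A computes T_a(KB)
        "KAB_B":      chebyshev(b, k_a),    # B computes T_b(KA)
        "KAB_direct": chebyshev(a * b, X),  # T_ab(x) mod p, for comparison
    }


def fresh_session_keys_differ(s: int) -> bool:
    """Two sessions under the same long-term s yield different KAB because a and b are fresh."""
    first = session(random_exponent(), random_exponent(), s)
    second = session(random_exponent(), random_exponent(), s)
    return first["KAB_A"] != second["KAB_A"]


if __name__ == "__main__":
    d = session(12345, 67890, 424242)
    print(d["KAS_user"] == d["KAS_server"], d["KAB_A"] == d["KAB_B"] == d["KAB_direct"])
```

KAS_server shows why no per-user key table is needed for the anonymity layer: the server recomputes T_s(KA) from the KA in the message, and KAB_direct shows that neither s nor any stored secret enters the session key.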

6. Performance comparisons

This section compares the computational cost and security properties of the proposed scheme with recent similar 3PAKE schemes [23, 31, 38, 49, 50], of which three [23, 31, 38] attempted to provide user anonymity and the other two [49, 50] use smart cards. The notations used for the comparison of computational cost are as follows.

  1. tc: time needed for Chebyshev polynomial operation
  2. te: time needed for a scalar multiplication on elliptic curve
  3. ts: time needed for symmetric encryption/decryption operation
  4. tm: time needed for a modular squaring operation
  5. tq: time needed for a square root modulo N operation
  6. th: time needed for one-way hash function operation

Table 2 shows the comparison of the computational cost of the six schemes, including the proposed scheme.

Table 2. Comparison of the computational cost between the proposed scheme and other 3PAKE schemes.

https://doi.org/10.1371/journal.pone.0213976.t002

Table 3 shows the comparative evaluation of the security function between the proposed scheme and other 3PAKE schemes.

Table 3. Comparative evaluation of the security function between the proposed scheme and other 3PAKE schemes.

https://doi.org/10.1371/journal.pone.0213976.t003

As shown in Table 2 and Table 3, the proposed scheme outperforms the other schemes in terms of the security properties considered. Xie’s scheme provides user anonymity, but it is vulnerable to the privileged insider attack. Lu et al.’s scheme attempted to provide user anonymity but did not achieve it; there are weaknesses in the session key establishment phase and the password change phase of their scheme. Li’s scheme provides user anonymity, but requires more rounds, more messages and more computation than our proposed scheme. Amin’s and Islam’s schemes have lower computational cost than our proposed scheme, but do not provide user anonymity for key exchange.

7. Conclusion

In this paper, we analyse Lu et al.’s scheme and point out its weaknesses, and propose a round-effective 3PAKE protocol based on chaotic maps and smart cards that provides user anonymity. In the proposed scheme, no information related to the user’s password is held at the server side, and each user shares with the server a secret key derived from the server’s secret key and the user’s identifier. The proposed scheme is more efficient than other schemes in terms of the number of rounds and computational cost; it is formally analysed with BAN logic and the AVISPA tool, and the informal security analysis shows that it protects against various attacks. The proposed scheme is suitable for authentication and key agreement in a wireless network environment.

References

  1. Bellovin SM, Merritt M. Encrypted key exchange: password-based protocols Secure Against dictionary attacks. IEEE Security and Privacy Magazine. 1992;72–13
  2. Zhu H, Hao X. A provable authenticated key agreement protocol with privacy protection using smart card based on chaotic maps. Nonlinear Dyn. 2015;81(1–2):311–11
  3. Maitra T, Obaidat MS, Islam SH, Giri D, Amin R. Security analysis and design of an efficient ECC-based two-factor password authentication scheme. Secur Commun Netw. 2016;9(17):4166–16
  4. Wang C, Zhang X, Zheng Z. Cryptanalysis and Improvement of a Biometric-Based Multi-Server Authentication and Key Agreement Scheme. Plos One. 2016;11(2):e0149173 pmid:26866606
  5. Guo H, Wang P, Zhang X, Huang Y, Ma F. A robust anonymous biometric-based authenticated key agreement scheme for multi-server environments. Plos One. 2017;12(11):e0187403 pmid:29121050
  6. Yang L, Zheng Z. Cryptanalysis and improvement of a biometrics-based authentication and key agreement scheme for multi-server environments. Plos One. 2018;13(3):e0194093 pmid:29534085
  7. Huang HF. A simple three-party password-based key exchange protocol. Int J Commun Syst. 2009;22(7):857–6
  8. Chang TY, Hwang MS, Yang WP. A communication-efficient three-party password authenticated key exchange protocol. Inform Sciences. 2011;181(1):217–10
  9. Lee TF, Hwang T. Simple password-based three-party authenticated key exchange without server public keys. Inform Sciences. 2010;180(9):1702–13
  10. Yoon EJ, Yoo KY. Cryptanalysis of a simple three-party password-based key exchange protocol. Int J Commun Syst. 2011;24(4):532–11
  11. Pu Q, Wang J, Wu S, Fu J. Secure verifier-based three-party password authenticated key exchange. Peer Peer Netw Appl. 2013;6(1):15–11
  12. Tso R. Security analysis and improvements of a communication-efficient three-party password authenticated key exchange protocol. J Supercomput. 2013;66(2):863–12
  13. Youn TY, Kang E, Lee C. Efficient three-party key exchange protocols with round efficiency. Telecommun Syst. 2013;52(2):1367–10
  14. Farash MS, Attari MA. An efficient client-client password-based authentication scheme with provable security. J Supercomput. 2014;70(2):1002–21
  15. Heydari M, Sadough SMS, Farash MS, Chaudhry SA, Mahmood K. An efficient password-based authenticated key exchange protocol with provable security for mobile client-client networks. Wireless Pers Commun. 2016;88(2):337–20
  16. Zhao J, Gu D. Provably secure three-party password-based authenticated key exchange protocol. Inform Sciences. 2012;184(1):310–14
  17. Wu S, Chen K, Zhu Y. Enhancements of a three-party password-based authenticated key exchange protocol. Int Arab J Inf Techn. 2013;10(3):215–7
  18. Xiong H, Chen Y, Guan Z, Chen Z. Finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys. Inform Sciences. 2013;235:329–12
  19. Wu S, Pu Q, Wang S, He D. Cryptanalysis of a communication-efficient three-party password authenticated key exchange protocol. Inform Sciences. 2012;215:83–14
  20. Wu S, Chen K, Pu Q, Zhu Y. Cryptanalysis and enhancements of efficient three-party password-based key exchange scheme. Int J Commun Syst. 2013;26(5):674–13
  21. Tan Z. A communication and computation-efficient three-party authenticated key agreement protocol. Secur Commun Netw. 2013;6(7):854–10
  22. Wang ZH, Huo ZQ, Shi W. Security analysis and enhancements of a three-party authenticated key agreement protocol. Acta Scientiarum Technology. 2015;37(3):329–8
  23. Xie Q, Hu B, Dong N, Wong DS. Anonymous three-party password authenticated key exchange scheme for telecare medical information systems. Plos One. 2014;9(7):e102747 pmid:25047235
  24. Lou DC, Huang HF. Efficient three-party password-based key exchange scheme. Int J Commun Syst. 2011;24(4):504–9
  25. Liu T, Pu Q, Zhao Y, Wu S. Ecc-based password-authenticated key exchange in the three-party setting. Arab J Sci Eng. 2013;38(8):2069–9
  26. Marcos A, Simplicio JR, Sakuragui RM. Cryptanalysis of an efficient three-party password-based key exchange scheme. Int J Commun Syst. 2012;25(11):1443–7
  27. Farash MS, Attari MA. An efficient and provably secure three-party password-based authenticated key exchange protocol based on chebyshev chaotic maps. Nonlinear Dyn. 2014;77(1–2):399–13
  28. Lee CC, Li CT, Chiu ST, Lai YM. A new three-party-authenticated key agreement scheme based on chaotic maps without password table. Nonlinear Dyn. 2015;79(4):2485–11
  29. Li X, Niu J, Kumari S, Khan MK, Liao J, Liang W. Design and analysis of a chaotic maps-based three-party authenticated key agreement protocol. Nonlinear Dyn. 2015;80(3):1209–12
  30. Xie Q, Zhao J, Yu X. Chaotic maps-based three-party password-authenticated key agreement scheme. Nonlinear Dyn. 2013;74(4):1021–7
  31. Lu Y, Li L, Zhang H, Yang Y. An extended chaotic maps-based three-party password-authenticated key agreement with user anonymity. Plos One. 2016;11(4):e0153870 pmid:27101305
  32. Lee CC, Li CT, Hsu CW. A three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps. Nonlinear Dyn. 2013;73(1–2):125–8
  33. Farash MS, Attari MA, Kumari S. Cryptanalysis and improvement of a three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps. Int J Commun Syst. 2017;30(1)
  34. Hu X, Zhang Z. Cryptanalysis and enhancement of a chaotic maps-based three-party password authenticated key exchange protocol. Nonlinear Dyn. 2014;78(2):1293–8
  35. Lai H, Orgun MA, Xiao J, Pieprzyk J, Xue L, Yang Y. Provably secure three-party key agreement protocol using chebyshev chaotic maps in the standard model. Nonlinear Dyn. 2014;77(4):1427–13
  36. Lee TF, Lin CY, Lin CL, Hwang T. Provably secure extended chaotic map-based three-party key agreement protocols using password authentication. Nonlinear Dyn. 2015;82(1–2):29–10
  37. Lee TF. Efficient three-party authenticated key agreements based on chebyshev chaotic map-based diffie-hellman assumption. Nonlinear Dyn. 2015;81(4):2071–8
  38. Li CT, Chen CL, Lee CC, Weng CY, Chen CM. A novel three-party password-based authenticated key exchange protocol with user anonymity based on chaotic maps. Soft Comput. 2017:1–12
  39. Diffie W, Hellman M. New directions in cryptography. IEEE T Inform Theory. 1976;22(6):644–11
  40. Koblitz N. Elliptic curve cryptosystems. Math Comput. 1987;48(177):203–7
  41. Gura N, Patel A, Wander A, Eberle H, Shantz SC. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. Lecture Notes in Computer Science. 2004;4:119–14
  42. Zhang L. Cryptanalysis of the public key encryption based on multiple chaotic systems. Chaos Soliton Fract. 2008;37(3):669–6
  43. Mason JC, Handscomb DC. Chebyshev polynomials. London: Chapman & Hall/CRC Press; 2003.
  44. Liu L. The Arithmetic Performance Test and Analysis on Finite Fields Chebyshev Polynomials. Journal of Communication University of China. 2012;19(4):54–5
  45. Chatterjee S, Roy S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV. Secure Biometric-Based Authentication Scheme using Chebyshev Chaotic Map for Multi-Server Environment. IEEE Transactions on Dependable & Secure Computing. 2016;PP(99):1–15
  46. Kumari S, Wu F, Das AK, Arshad H, Khan MK. A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps. Future Generation Computer Systems. 2016;63(C):56–20
  47. Li JL, Zhang WG, Kumari S, Choo KKR, Hogrefe D. Security analysis and improvement of a mutual authentication and key agreement solution for wireless sensor networks using chaotic maps. T Emerg Telecommun T. 2018;(15):e3295
  48. Xie Q, Hu B, Wu T. Improvement of a chaotic maps-based three-party password-authenticated key exchange protocol without using server's public key and smart card. Nonlinear Dyn. 2015;79(4):2345–14
  49. Amin R, Biswas GP. Cryptanalysis and design of a three-party authenticated key exchange protocol using smart card. Arab J Sci Eng. 2015;40(11):3135–15
  50. Islam SH. Design and analysis of a three party password-based authenticated key exchange protocol using extended chaotic maps. Inform Sciences. 2015;312:104–27
  51. Yang H, Zhang Y, Zhou Y, Fu X, Liu H, Vasilakos AV. Provably secure three-party authenticated key agreement protocol using smart cards. Comput Netw. 2014;58:29–10
  52. Zhao F, Gong P, Li S, Li M, Li P. Cryptanalysis and improvement of a three-party key agreement protocol using enhanced chebyshev polynomials. Nonlinear Dyn. 2013;74(1–2):419–9
  53. Lai H, Xiao J, Li L, Yang Y. Applying semi-group property of enhanced chebyshev polynomials to anonymous authentication protocol. Math Probl Eng. 2012;2012
  54. Odelu V, Das AK, Goswami A. An efficient biometric-based privacy-preserving three-party authentication with key agreement protocol using smart cards. Secur Commun Netw. 2015;8(18):4136–21
  55. Jin ATB, Ling DNC, Goh A. Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn. 2004;37(11):2245–11
  56. Lumini A, Nanni L. An improved BioHashing for human authentication. Pattern Recogn. 2007;40(3):1057–9
  57. Mishra D, Das AK, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst Appl. 2014;41(18):8129–15
  58. Amin R, Biswas GP. A Novel User Authentication and Key Agreement Protocol for Accessing Multi-Medical Server Usable in TMIS. J Med Syst. 2015;39(3):1–17
  59. Burrows M, Abadi M, Needham R. A logic of authentication. ACM T Comput Syst. 1989;23(5):1–13.
  60. AVISPA: Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/ (accessed on January 2019)