Security and efficiency enhancement of an anonymous three-party password-authenticated key agreement using extended chaotic maps

Recently, Lu et al. claimed that Xie et al.'s three-party password-authenticated key agreement (3PAKA) protocol using chaotic maps has three security vulnerabilities; in particular, it cannot resist offline password guessing attack, Bergamo et al.'s attack and impersonation attack, and they then proposed an improved protocol. However, we demonstrate that Lu et al.'s attacks on Xie et al.'s scheme are unworkable, and that their improved protocol is insecure against stolen-verifier attack and offline password guessing attack. Furthermore, we propose a novel scheme with enhanced security and efficiency. We use the formal verification tool ProVerif, which is based on the pi calculus, to prove the session key security and authentication of our scheme. The efficiency of the proposed scheme is higher than that of other related schemes.


Introduction
Nowadays it is very common to use mobile devices to conduct transactions over insecure wireless networks [1][2]; therefore, how to design a secure, efficient and convenient 3PAKA scheme has become an urgent issue for researchers. Utilizing the semi-group property of Chebyshev polynomials, many extended chaotic maps based 3PAKA protocols have been proposed in recent years. However, most of them suffer from security vulnerabilities and low computational efficiency.
In 1995, Steiner et al. [3] extended two-party password-authenticated key agreement to a 3PAKA protocol. However, Ding and Horster [4] and Lin et al. [5] demonstrated that their scheme is vulnerable to undetectable online password guessing attack, and Lin et al. [5] further showed that their protocol suffers from offline password guessing attack. To remedy those weaknesses, they proposed an improved 3PAKA protocol, but the server needs to keep a long-term secret key and the parties have to verify the server's public key beforehand. To improve the efficiency, Lin et al. [6] introduced another 3PAKA protocol without using the server's public key. Unfortunately, Chang and Chang [7] pointed out that their improved scheme needs more
3. Resistant to impersonation attack: A legal user must not be impersonated by unauthorized entities.
4. Resistant to password guessing attacks: Each user's password remains secure even if the contents of the user's device memory are leaked.
5. Resistant to replay attack: The improvement should be secure against the reuse of transmitted messages.
6. Resistant to privileged-insider attack: A privileged insider must not be able to obtain any user's plaintext password.
7. Resistant to man-in-the-middle attack: The improvement withstands this attack if it is not compromised by impersonation attack and replay attack.
The rest of the paper is organized as follows. After that, an improved protocol is introduced in Section 6. Security analysis and computation comparisons are presented in Sections 7 and 8. Section 9 concludes the paper.

Review of Xie et al.'s scheme
Xie et al.'s protocol [23] has four phases: the system initialization phase, the user registration phase, the authenticated key agreement phase, and the password change phase. The first three phases are as follows.

System initialization
Let s be the secret key of the server S, p be a large prime number, h() be a secure one-way hash function, H() be a chaotic maps based one-way hash function, and x ∈ Z_p. The parameters {p, h(), x, H()} are published and s is kept secret.

User registration
Let UID_i and upw_i be user i's identity and password. User i computes UPW_i = T_{upw_i}(x) mod p, and sends {UID_i, UPW_i} to S through a secure channel.
When the server S receives {UID_i, UPW_i}, it computes VUPW_i = h(UID_i, s) + UPW_i, and stores {UID_i, VUPW_i} in its database.

Authenticated key agreement
In this phase, both user A and user B are authenticated and the session key is established.
Step 1: User A selects a random number ua ∈ [1, p+1], computes UR_A = T_{ua}(x) mod p, and sends {UID_A, UID_B, UR_A} to S.
Step such as T_{ua'}(x) = T_{ua}(x) and T_{ub'}(x) = T_{ub}(x). Therefore, the adversary can compute K_BA =

Review of Lu et al.'s scheme

System initialization
Let p be a large prime number, and let Sk ∈ [1, p+1] and T_{Sk}(x) mod p be the private and public keys of the server S, where x ∈ Z_p. Let h_1() be a secure one-way hash function and h() be a chaotic maps based one-way hash function. S keeps Sk secret and publishes the parameters {p, x, h_1(), h(), T_{Sk}(x) mod p}.

User registration
User i chooses his identity UID_i, a random number r_i and a password upw_i, computes VG_i = h_1(upw_i, r_i), and sends {UID_i, VG_i} to S through a private channel.
When the server S receives {UID_i, VG_i} from user i, it computes VUPW_i = h_1(UID_i, Sk) + VG_i, randomly chooses d_i, stores {d_i ⊕ Sk, VUPW_i} in its database, and sends {d_i, VUPW_i} to user i through a private channel. User i stores {r_i, d_i} in his memory.

Authenticated key agreement
In this phase, both A and B are authenticated and the session key is established.
Step 1: , and then he sends CV_A to S.
Step 2:
Step 3: User B uses VG_B to decrypt CV_B and gets (T_{ua}(x), FV_B, UID_A, UID_B), then checks the validity of FV_B. After that, B chooses ub ∈ [1, p+1]
Step 4: S decrypts PV_B, gets (T_{ub}(x), HV_B), and checks if
Step 5: When A obtains RV_AS, he decrypts RV_AS and gets (T_{C1}(x), T_{ub}(x), UID_A, ZV_AS), then verifies whether ZV_AS = h(UID_A, UID_B, T_{ub}(x), T_{C1}(x)) holds. If yes, A computes SK_AB = T_{ua}(T_{ub}(x)) mod p and VAB = h(UID_A, SK_AB), and sends VAB to B.
B verifies the validity of ZV_BS = h(UID_A, UID_B, T_{ua}(x), T_{C2}(x)), computes SK_AB = T_{ub}(T_{ua}(x)) mod p and VBA = h(UID_B, SK_AB), and sends VBA to A.
Step 6: A and B check the validity of VBA and VAB, respectively. If the check holds, SK_AB = T_{ua}(T_{ub}(x)) mod p is the shared session key between A and B.

Analysis on Lu et al.'s protocol
In this section, we show that Lu et al.'s claims are not correct.

Off line password guessing attack
In Lu et al.'s protocol, an adversary can obtain the verification parameters {r_i, d_i} stored in a user's mobile terminal by side-channel attack [32][33][34], and then mount an offline password guessing attack. When and checks whether it is equal to FV_B'. If yes, the guessed password is correct. Otherwise, the adversary repeats the process until the correct password is found.
The adversary can obtain user A's password by the above method. Therefore, Lu et al.'s protocol is vulnerable to offline password guessing attack.

Stolen-verifier attack
In Lu et al.'s protocol, the server needs to store the verifier messages {d_i ⊕ Sk, VUPW_i} for each user i. Obviously, a registered adversary C has his/her own {d_C, VUPW_C}. If he/she obtains the verifier messages {d_i ⊕ Sk, VUPW_i} from the database of the server, then he/she can launch a stolen-verifier attack. That is to say, the adversary can locate d_C ⊕ Sk using VUPW_C, and then compute the server's private key Sk = d_C ⊕ Sk ⊕ d_C. After this, the adversary can compute each user's messages and launch a server impersonation attack.

Improved scheme
Our improved protocol also has four phases: system initialization, user registration, authenticated key agreement, and password change.

System initialization
The parameters {Sk, p, x, h_1(), h(), T_{Sk}(x) mod p} are the same as those of Lu et al.'s scheme, and H() is a biometric (biological information) hash function.

User registration
User i chooses his identity UID_i, a random number r_i and a password upw_i, computes VG_i = h_1(upw_i, r_i), and sends {UID_i, VG_i} to S through a private channel.
When the server S receives User i inputs his biometrics UBIO_i, and computes

Authenticated key agreement
In this phase, both A and B are authenticated and the session key is established (see Algorithm 1).
Step 1: User A enters his or her biometrics UBIO_A and upw_A, computes H(UBIO_A, upw_A) and checks whether it equals d_A. If not, this process is repeated. A selects Ua ∈ [1, p+1], computes T_{Ua}(x), The session key is SK_AB = T_{Ua}(T_{Ub}(x)) mod p
Algorithm 1: The proposed 3PAKA protocol (columns: User A, The server S, User B)
Step 2:
Step 6: A and B check the validity of N_B and N_A, respectively. If the check holds, SK_AB = T_{Ua}(T_{Ub}(x)) mod p is the shared session key between A and B.
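The following is an added example, not code from the paper or from any of the schemes it reviews. It demonstrates the two facts the authenticated key agreement steps above rely on: the semi-group property T_r(T_s(x)) = T_s(T_r(x)) = T_{rs}(x) mod p of Chebyshev polynomials (mentioned in the introduction), and the resulting agreement SK_AB = T_{Ua}(T_{Ub}(x)) = T_{Ub}(T_{Ua}(x)) mod p followed by the key-confirmation values each side checks in step 6. The server-side encryption of the exchanged values is omitted, SHA-256 stands in for the hash h(), the identities "UID_A"/"UID_B" and the toy parameters p = 97, x = 3 are constructed for the demonstration, and all function names are assumptions.

```python
# Added example: Chebyshev-polynomial key agreement mod p (not from the paper).
# Toy parameters only; a real deployment uses a large prime p.
import hashlib
import secrets


def chebyshev_mod(n, x, p):
    """Return T_n(x) mod p for the Chebyshev polynomial T_n.

    Uses the recurrence T_0 = 1, T_1 = x, T_{k+1} = 2x*T_k - T_{k-1},
    expressed as the matrix M = [[2x, -1], [1, 0]] acting on [T_k, T_{k-1}].
    M^n applied to [T_1, T_0] = [x, 1] gives [T_{n+1}, T_n], so the result
    needs only O(log n) multiplications mod p.
    """
    if n < 0:
        raise ValueError("degree must be non-negative")
    x %= p
    r00, r01, r10, r11 = 1, 0, 0, 1                  # R = identity
    m00, m01, m10, m11 = (2 * x) % p, (-1) % p, 1, 0  # M
    e = n
    while e:
        if e & 1:                                     # R = R * M
            r00, r01, r10, r11 = (
                (r00 * m00 + r01 * m10) % p, (r00 * m01 + r01 * m11) % p,
                (r10 * m00 + r11 * m10) % p, (r10 * m01 + r11 * m11) % p,
            )
        m00, m01, m10, m11 = (                        # M = M * M
            (m00 * m00 + m01 * m10) % p, (m00 * m01 + m01 * m11) % p,
            (m10 * m00 + m11 * m10) % p, (m10 * m01 + m11 * m11) % p,
        )
        e >>= 1
    # Second row of M^n times the column [x, 1] is T_n(x)
    return (r10 * x + r11) % p


def semigroup_holds(r, s, x, p):
    """Check T_r(T_s(x)) = T_s(T_r(x)) = T_{rs}(x) mod p for the given values."""
    lhs = chebyshev_mod(r, chebyshev_mod(s, x, p), p)
    rhs = chebyshev_mod(s, chebyshev_mod(r, x, p), p)
    return lhs == rhs == chebyshev_mod(r * s, x, p)


def confirm_tag(uid, sk):
    """Key-confirmation value h(UID, SK); SHA-256 stands in for h()."""
    sk_bytes = sk.to_bytes((sk.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(uid.encode() + sk_bytes).hexdigest()


def key_agreement(x, p, ua=None, ub=None):
    """Run the A<->B part of the key agreement plus key confirmation.

    ua and ub are the parties' random exponents in [1, p+1]; if omitted
    they are drawn freshly. Returns the public values, both computed
    session keys and whether each side accepts the other's tag.
    """
    ua = ua if ua is not None else secrets.randbelow(p + 1) + 1
    ub = ub if ub is not None else secrets.randbelow(p + 1) + 1
    ur_a = chebyshev_mod(ua, x, p)        # T_ua(x) mod p, contributed by A
    ur_b = chebyshev_mod(ub, x, p)        # T_ub(x) mod p, contributed by B
    sk_ab = chebyshev_mod(ua, ur_b, p)    # A computes T_ua(T_ub(x)) mod p
    sk_ba = chebyshev_mod(ub, ur_a, p)    # B computes T_ub(T_ua(x)) mod p
    vab = confirm_tag("UID_A", sk_ab)     # A -> B (VAB / N_A)
    vba = confirm_tag("UID_B", sk_ba)     # B -> A (VBA / N_B)
    # Step 6: each side recomputes the other's tag under its own key
    b_accepts = vab == confirm_tag("UID_A", sk_ba)
    a_accepts = vba == confirm_tag("UID_B", sk_ab)
    return {"ur_a": ur_a, "ur_b": ur_b, "sk_ab": sk_ab, "sk_ba": sk_ba,
            "a_accepts": a_accepts, "b_accepts": b_accepts}


if __name__ == "__main__":
    p, x = 97, 3                          # constructed toy parameters
    print("T_6(3) mod 97 =", chebyshev_mod(6, x, p))
    print("semigroup property:", semigroup_holds(2, 3, x, p))
    print(key_agreement(x, p, ua=2, ub=3))
```

With p = 97 and x = 3, T_2(3) = 17 and T_3(3) = 2, and both parties arrive at T_6(3) = 7; the same code runs unchanged with a 61-bit prime, which is what the assertions below also exercise.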

Password change phase
Each user can update his password as follows.
Step 1: User i enters his/her biometrics UBIO_i and upw_i, computes H(UBIO_i, upw_i) and checks whether it equals d_A. If not, this process is repeated. Otherwise, user i enters a new password upw*_i, chooses c ∈ [1, p+1], and computes T_c(x),

Security analysis
We first use the formal tool ProVerif [35], based on the applied pi calculus [36], to prove that our protocol satisfies mutual authentication and session key security. Then, we use informal security analysis to demonstrate that the proposed scheme not only provides the common security features, but is also secure against various attacks.

Formal verification
The formal proof has three parts: the declaration part, the process part and the security property part. The declaration part defines the components used in the protocol, such as communication channels, variables and constants, functions, etc. Two kinds of channels are used in the scheme: the private channel used in the user registration phase, and the public channel used in the authenticated key exchange phase. We define them as below:
free
In the registration phase, user A sends {UID_A, VG_A} to the server, then receives {VUPW_A} from it. All communications in this phase are carried out over the secure channel sch. In the authenticated key agreement phase, user A sends message 3 to the remote server and waits for message 6 from the remote server; after that she computes the session key SKAB and the authentication message N_A, and sends it to user B. This phase can run more than once. User A is defined as:
let ).
The secrecy of the session key is checked with the attacker queries:
query attacker(SKAB).
query attacker(SKBA).
ProVerif verifies the authentication property by checking the corresponding assertions on events. An event is an indicator used specifically for authentication validation in ProVerif. In the formal model, the authentication is modeled as two correspondence relations: one for user A to authenticate user B and another for user B to authenticate user A. The formal relations are defined as:
query id: bitstring; inj-event(UserAAuthed(id)) ==> inj-event(UserARequest(id)).
query id: bitstring; inj-event(UserBAuthed(id)) ==> inj-event(UserBResponse(id)).
We ran the above process in ProVerif version 1.95. Fig 1 shows that the correspondence queries are true and the attacker queries are false. The first result implies that the authentication property is satisfied by the presented protocol. The second result means that the attacker cannot obtain the session key; therefore the session key is secure.

Informal analysis
In this section, we discuss how the proposed protocol resists various known attacks.

User anonymity.
In the proposed scheme, the users' identities are protected by symmetric cryptographic algorithms and hash functions. Therefore, the adversary cannot obtain users' identities without knowing the secret keys, so the proposed protocol provides user anonymity.

Password guessing attacks.
In the proposed protocol, the users' passwords are contained in VG_i = h_1(upw_i, r_i), and

Man-in-the-middle attack.
According to the above analysis, it is impossible for the adversary to launch impersonation attack or replay attack on our protocol. As a result, our protocol resists the man-in-the-middle attack.

Tables 1 and 2 show the security and computational cost comparison between our scheme and some related protocols. For convenience, the following notation is used: let T be the unit time for one Chebyshev polynomial computation, E be the unit time for one symmetric encryption/decryption, and H be the unit time for one hash operation. Table 1 shows that our protocol provides more security properties than the other related protocols. According to the measurements reported by Xue and Hong [37], the actual execution times are as follows: T is about 32.2 ms, E is about 0.45 ms and H is about 0.2 ms. From Table 2, we see that our protocol is more efficient than the other related schemes.

Conclusion
In this paper, we showed that Lu et al.'s attacks on Xie et al.'s scheme are untenable, and further pointed out that their improved protocol is insecure, suffering from offline password guessing attack and stolen-verifier attack. Therefore, we proposed an improved protocol to eliminate these security vulnerabilities. We showed that our improved protocol provides user anonymity and known session key security, and withstands impersonation attack, replay attack, man-in-the-middle attack, etc. We also verified that our protocol achieves mutual authentication and session key security. Finally, the performance comparison showed that the efficiency of our scheme is higher than that of other related schemes. In the future, we will deploy our protocol to verify its performance in real scenarios.
Table 2 note: if the scheme can prevent the attack or satisfy the property, the symbol 'Y' is used; otherwise, 'N' is used. https://doi.org/10.1371/journal.pone.0203984.t002