Abstract
A smartcard based password-authenticated key agreement scheme enables a legal user to log in to a remote authentication server and access remote services through public networks using a weak password and a smart card. Lin recently presented an improved chaotic maps-based password-authenticated key agreement scheme that used smartcards to eliminate the weaknesses of the scheme of Guo and Chang, which does not provide strong user anonymity and violates session key security. However, the improved scheme of Lin does not exhibit the freshness property and the validity of messages so it still fails to withstand denial-of-service and privileged-insider attacks. Additionally, a single malicious participant can predetermine the session key such that the improved scheme does not exhibit the contributory property of key agreements. This investigation discusses these weaknesses and proposes an enhanced smartcard-based password-authenticated key agreement scheme that utilizes extended chaotic maps. The session security of this enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem, and is proven in the real-or-random and the sequence of games models. Moreover, the enhanced scheme ensures the freshness of communicating messages by appending timestamps, and thereby avoids the weaknesses in previous schemes.
Citation: Lee T-F, Hsiao C-H, Hwang S-H, Lin T-H (2017) Enhanced smartcard-based password-authenticated key agreement using extended chaotic maps. PLoS ONE 12(7): e0181744. https://doi.org/10.1371/journal.pone.0181744
Editor: Muhammad Khurram Khan, King Saud University, SAUDI ARABIA
Received: December 1, 2016; Accepted: July 6, 2017; Published: July 31, 2017
Copyright: © 2017 Lee et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the paper.
Funding: This research was supported by Ministry of Science and Technology under the grants MOST 105-2221-E-320-003 and Tzu Chi University under the grants TCRPP105004.
Competing interests: The authors have declared that no competing interests exist.
Introduction
Smartcard-based password-authenticated key agreement supports a communicating platform that enables legitimate users to log in to, and access, systems conveniently and securely over an open network. In a smartcard-based password-authenticated key agreement system, users register their identities and passwords with a trusted server. The trusted server is then responsible for generating authentication information and secrets of users and providing smartcards to legitimate users over a secure and authenticated channel. Finally, legitimate users conveniently and securely log in and enjoy remote services using their weak passwords and smartcards [1–8].
Recently, Chen et al. [9] developed a smartcard-based password authentication scheme based on the discrete logarithm problem and claimed that their scheme can withstand potential attacks. However, Jiang et al. [10] showed that the scheme is insecure against offline password guessing attacks, and presented an improved authentication scheme based on the Diffie-Hellman problem that fixes the security flaw of the scheme of Chen et al. while retaining its efficiency. In 2013, Wen [11] designed an enhanced user authentication scheme based on the quadratic residue problem [12, 13] to overcome the weaknesses of previous schemes [14, 7]. However, Islam et al. [15] pointed out the security weaknesses of Wen’s scheme, showing that it cannot resist some possible attacks, including impersonation and privileged-insider attacks. Islam et al. also presented a new user authentication scheme based on the quadratic residue problem for integrated EPR information systems. Additionally, Li [16] developed a two-factor authentication scheme with user anonymity based on elliptic curve cryptography, but Wang et al. [17] showed that his scheme may suffer from smart-card loss and de-synchronization attacks, and provided a better understanding of the underlying evaluation metric for anonymous two-factor schemes. These schemes [9–16] use public-key cryptosystems to achieve higher security. Nevertheless, they require time-consuming modular exponentiations and are therefore computationally inefficient.
Since cryptography that uses chaotic maps was demonstrated to exhibit the semi-group property, and cryptosystems that use chaotic map operations were shown to be more efficient than those that use modular exponentiations and scalar multiplications on elliptic curves [18–20], many chaotic map-based authentication approaches [21–29] have been developed. However, in 2005, Bergamo et al. [20] showed a security weakness of public-key cryptosystems that are based on Chebyshev polynomials, as a consequence of which some authentication schemes have security limitations and lack the contributory property of key agreements. In 2008, Zhang [30] enhanced the Chebyshev polynomials to eliminate this security weakness. Zhang also demonstrated that the enhanced Chebyshev polynomials support the semi-group property and commutativity under composition on the interval (−∞,+∞). Additionally, extended Chebyshev chaotic maps are utilized in formulating the extended chaotic map-based discrete logarithm and Diffie-Hellman problems [30–32]. In 2013, Guo and Chang [33] were the first to present a chaotic map-based password-authenticated key agreement scheme using smartcards to increase efficiency. In 2014, Lin [34] developed a mobile user authentication scheme using dynamic identity and chaotic maps, and declared that the scheme offers mutual authentication, session key security, user anonymity, and resilience against possible attacks. Later, Islam et al. [35] stated that Lin’s scheme had some design flaws and limitations and cannot resist user impersonation attacks. Islam et al. also presented a provably secure scheme using extended chaotic maps to solve the weaknesses of Lin’s scheme. Additionally, Islam [36] in 2014 proposed a dynamic identity-based three-factor authentication scheme using extended chaotic maps to offer more security properties. However, Jiang et al. [37] pointed out the processing flaws of Islam’s scheme, and showed that his scheme is also vulnerable to some potential attacks. To solve these limitations, Jiang et al. also presented a more secure and robust three-factor authentication scheme. Subsequently, Hao et al. [38], Lee [39] and Lin [40] noted that the scheme developed by Guo and Chang had weaknesses that included an inability to ensure strong user anonymity, inefficiency in hiding double secrets, and violation of both the session key security and the contributory property of key agreements. Lin [41] also proposed an improved scheme to eliminate the weaknesses in the scheme of Guo and Chang. However, Lin’s scheme also fails to withstand some attacks and to meet all security requirements. In the password change phase of that scheme, the server does not confirm the freshness of the messages from the users, and the smartcard does not verify the updated data from the server, so the scheme fails to protect efficiently against replay and denial-of-service attacks. Additionally, in the authenticated key exchange phase, a malicious server can control the value of the session key by the method that was introduced by Bergamo et al. [20], so Lin’s scheme also fails to provide the contributory property of key agreements. Moreover, in that scheme, every legitimate user can derive the session key that is shared between another user and the server by the method of Bergamo et al. [20]. A malicious user can even forge valid request messages and impersonate other users, so Lin’s scheme fails to withstand privileged-insider attacks.
To address the weaknesses of Lin’s scheme, this work develops a more secure and efficient smartcard-based password-authenticated key agreement scheme that is based on the schemes of both Guo and Chang [33] and Lin [40]. The enhanced scheme constructs the session key using extended chaotic maps, so the security of the session key is based on the extended chaotic map-based Diffie-Hellman problem. The enhanced scheme eliminates the security weakness that was identified by Bergamo et al., ensures the contributory property of key agreements, and withstands attacks by privileged insiders. Moreover, in the password change phase of the enhanced scheme, the messages are guaranteed to exhibit the freshness property owing to the appending of timestamps, so the enhanced scheme withstands replay and denial-of-service attacks. Therefore, the proposed scheme does not have any of the weaknesses of previous schemes.
The remainder of this article is organized as follows. Section 2 describes the notation and the definitions used in this paper. Section 3 reviews the authenticated key agreement scheme of Lin and elucidates its weaknesses. Section 4 presents the enhanced smartcard-based password-authenticated key agreement that uses extended chaotic maps. Section 5 analyzes the security and performance of the enhanced scheme. Finally, Section 6 draws conclusions.
Preliminaries
This section presents the notation and the definitions that are used in this work.
Notation
The following details the notation that is utilized herein.
- U: The user
- ID: The identity of U
- PW: The password of U
- S: The remote server with which U is registered
- T1: The user’s timestamp
- T2: The server’s timestamp
- ΔT: The time threshold
- Ek(·)/Dk(·): A secure symmetric encryption/decryption algorithm with secret key k
- λ: The session key generated between U and S
- l: The security parameter size
- h(·): A one-way hash function, h:{0,1}*→{0,1}l
- H(·): A one-way hash function, H:[−1,1]→{0,1}l
- A→B : M: A sends message M to B through a common channel
- M1||M2: Message M1 concatenated with message M2
Definition
Session key security (AKE security).
An adversary should fail to effectively distinguish between two messages from a challenger: one message is encrypted with the real session key λ and the other with a random string λ′, the choice being made via an unbiased coin c. The adversary selects one message and sends it to the challenger. The challenger then flips an unbiased coin c ∈ {0,1} and returns the message encrypted with λ if c = 1 or encrypted with λ′ if c = 0. The adversary intends to correctly guess the value of the hidden bit. The advantage with which an adversary violates the indistinguishability of a scheme P is the adversary’s AKE advantage against P. The scheme P is AKE-secure if this advantage is negligible [41–44].
Chebyshev chaotic maps.
The Chebyshev polynomial Tn(x) is a polynomial in x of degree n and is defined by the following relation:
The recurrence relation of Tn(x) is defined as:
for any n ≥ 2, with T0(x) = 1 and T1(x) = x.
The Chebyshev polynomial satisfies the semi-group property and satisfies:
for s,r ∈ Z+.
The Chebyshev polynomial satisfies the chaotic property: when n > 1, the Chebyshev polynomial map Tn: [−1,1]→[−1,1] of degree n is a chaotic map with invariant density
and Lyapunov exponent ln n > 0 [29–32].
Zhang [30] in 2008 enhanced the Chebyshev polynomials to avoid the security weakness shown by Bergamo et al. [20] in 2005, and also proved that the enhanced Chebyshev polynomials still satisfy the semi-group property and commutativity under composition on the interval (−∞,+∞). That is,
where n ≥ 2, x ∈ (−∞,+∞) and p is a large prime number. Then,
holds.
The enhanced Chebyshev chaotic maps also give rise to the extended chaotic map-based discrete logarithm and Diffie-Hellman problems [30–32], which are described as follows.
Extended chaotic map-based discrete logarithm problem (DLP).
Given x, y and p, finding the integer r satisfying y = Tr(x) mod p is computationally infeasible. The advantage with which an adversary solves the extended chaotic map-based DLP is denoted as Advdlp and is assumed to be negligible.
Extended chaotic map-based computational Diffie-Hellman problem (CDHP).
Given Tr(x), Ts(x), T(·), x and p, where r, s ≥ 2, x ∈ (−∞,+∞) and p is a large prime number, calculating
is computationally infeasible. The advantage with which an adversary solves the extended chaotic map-based CDHP is denoted as Advcdh and is assumed to be negligible.
The authenticated key agreement scheme of Lin and its limitations
The authenticated key agreement scheme of Lin
Lin [40] recently presented an improved chaotic maps-based password authenticated key agreement scheme using smartcards. The four phases of the improved scheme are system initialization, user registration, authenticated key exchange and password change phases, which are discussed further below.
System initialization phase.
The remote server S sets up the system’s parameters by performing the following steps:
- S generates a random number r as the private key and a random number x ∈ [−1,+1].
- S chooses a master key s, a secure symmetric en/decryption algorithm Ek(·)/Dk(·) and a one-way hash function h(·).
Registration phase.
A user U registers his/her identity and password by performing the following steps.
- U chooses his identity ID, password PW and a random number t and sends ID and H = h(PW ∥ t) to S via a secure channel.
- S verifies ID and computes R = Es(ID ∥ H) and D = H ⊕ (x ∥ Tr(x)) by using its master key s.
- S stores (R,h(·),Ek(·),D) into a smartcard SC, and issues SC to U through a secure channel.
- U inserts t into it and finishes the registration.
Authenticated key exchange phase.
In this phase, as shown in Fig 1, U and S authenticate each other by performing the following steps.
- U inserts his SC into a card reader and inputs PW. Then SC generates a random number j, computes Tj(x), (x ∥ Tr(x)) = h(PW ∥ t) ⊕ D, v = Tj(Tr(x)), Q = h(ID ∥ H), Ev(Q ∥ R ∥ T1), where T1 is the current timestamp, and sends M1 = {Tj(x),Ev(Q ∥ R ∥ T1)} to S.
- On receiving M1, S computes v = Tr(Tj(x)), obtains (Q ∥ R ∥ T1) by decrypting Ev(Q ∥ R ∥ T1) with v, and checks T1. If unsuccessful, S rejects this service request. Otherwise, S obtains (ID′ ∥ H′) by decrypting R with its master key s and checks whether Q′ = ?h(ID′ ∥ H′). If unsuccessful, S rejects this service request. Otherwise, S generates a random number j′, and computes Tj′(x) and Ev(Tj′(x) ∥ h(ID ∥ T2) ∥ T2), where T2 is the current timestamp, and sends Ev(Tj′(x) ∥ h(ID ∥ T2) ∥ T2) to SC.
- On receiving Ev(Tj′(x) ∥ h(ID ∥ T2) ∥ T2), SC obtains (Tj′(x) ∥ h′(ID ∥ T2) ∥ T2) by decrypting Ev(Tj′(x) ∥ h(ID ∥ T2) ∥ T2) with v and checks T2. If unsuccessful, the SC aborts this service request. Otherwise, SC checks whether h′(ID ∥ T2) = ?h(ID ∥ T2). If unsuccessful, SC aborts this service request. Finally, both U and S share a common session key λ = Tj′(Tj(x)) = Tj(Tj′(x)).
Password change phase.
A legal user U inserts his SC into a card reader and inputs the old password PW and a new password PW* and changes his/her password by performing the following steps.
- The SC generates a random number i, computes H′ = h(PW ∥ t), (x ∥ Tr(x)) = h(PW ∥ t) ⊕ D, η = Ti(Tr(x)), H* = h(PW* ∥ t), and sends (Ti(x),Eη(H′ ∥ H* ∥ R)) to S.
- On receiving (Ti(x),Eη(H′ ∥ H* ∥ R)), S computes η = Tr(Ti(x)), obtains (H′ ∥ H* ∥ R) by decrypting Eη(H′ ∥ H* ∥ R) with η, and obtains (ID ∥ H) by decrypting R with s. Then S checks whether H′ = ?H holds or not. If successful, S computes R* = Es(ID ∥ H*) and sends R* to SC.
- After receiving R*, SC updates R as R*.
Weaknesses in the authenticated key agreement scheme of Lin
This subsection elucidates the weaknesses of the improved scheme of Lin, which suffers from denial-of-service attacks and privileged-insider attacks, and violation of the contributory property of key agreements.
Suffering from denial-of-service attacks.
In the password change phase, the smartcard does not validate the updated data R, so an attacker can easily mount a denial-of-service attack by the following steps.
- On receiving the message (Ti(x),Eη(H′,H*,R)) from a user, the server computes η = Tr(Ti(x)), decrypts Eη(H′,H*,R) and R = Es(ID ∥ H) using η and the server’s master key s, respectively, and then checks whether H′ = ?H.
- If H′ = H, then S returns R* = Es(ID ∥ H*) to the smart card. At this time, an attacker intercepts R* and replaces it with a nonce of the attacker’s choosing.
- On receiving that nonce, the smartcard does not verify it but stores it in place of R. Thereafter, whenever the user attempts the steps of the authenticated key exchange phase or the password change phase, the server detects the failed request message because the user no longer has the correct R, and so the server always rejects the service requests made by the user. Therefore, the scheme of Lin is insecure against denial-of-service attacks.
Moreover, in the password change phase, the server does not verify the freshness of messages from the users so an attacker can exhaust computational resources in the server by replaying previous request messages. Possible scenarios are as follows.
- After the user sends the message (Ti(x), Eη(H′,H*,R)) to the server, an attacker can copy it and successively re-send it to the server.
- Upon receiving each message (Ti(x), Eη(H′,H*,R)) from the attacker, the server computes η = Tr(Ti(x)), decrypts Eη(H′,H*,R) and R = Es(ID ∥ H), and successfully checks whether H′ = H. Then, the server computes and returns R* = Es(ID ∥ H*). The server may exhaust computational resources and cannot efficiently prevent denial-of-service attacks since the server does not verify the freshness of these request messages.
Suffering from privileged insider attacks.
In Lin’s authentication scheme, every legitimate user can derive (x ∥ Tr(x)) from his/her smartcard. A malicious user U* still can derive the session key that is shared between another user U and the server using the method that was introduced by Bergamo et al. [20]. The details are as follows.
- After the user U sends out the message (Tj(x),Ev(Q,R,T1)), U* receives Tj(x). By the method of Bergamo et al., U* possesses x, T(·), Tr(x) and Tj(x), and so can compute an integer solution j* that satisfies the equation
:
- U* can compute the secret key
since
. Then, U* receives R by decrypting Ev(Q,R,T1) using v, and can determine whether two request messages came from the same user.
- After the server returns the message Ev(Tj′(x), h(ID ∥ T2), T2), U* receives Tj′(x) and so can compute the session key
since
. Furthermore, U* can impersonate another user U by forging a request message
, where
is an acceptable timestamp and
, since U* has x, Tr(x), Q and R.
Therefore, Lin’s authentication scheme fails to withstand privileged insider attacks since every legitimate user has x and Tr(x), and can derive users’ hidden information concerning Q and R.
Lack of the contributory property of key agreements.
In the authenticated key exchange phase of the authenticated key agreement scheme of Lin, the malicious server alone can control the value of the session key using the method proposed by Bergamo et al. [20]. The details are as follows.
- Upon receiving the message from a user, the malicious server S receives Tj(x) and computes an integer solution j* to the equation
:
- S uses a predetermined value λ0 to find an integer j′, using
calculates Ev(Tj′(x) ∥ h(ID ∥ T2) ∥ T2), and sends it to the smart card.
- Upon receiving the message from S, the smartcard obtains (Tj′(x) ∥ h(ID ∥ T2) ∥ T2) by decrypting Ev(Tj′(x) ∥ h(ID ∥ T2) ∥ T2); it then computes Tj(Tj′(x)) as the session key. Therefore, U obtains the session key λ0 because
.
Therefore, Lin’s scheme does not support the contributory property of key agreements because the malicious server can control the value of the session key.
Enhanced smartcard-based password-authenticated key agreement scheme
This section elucidates the enhanced smartcard-based password-authenticated key agreement scheme that uses extended chaotic maps. The session key security of the enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem, so one malicious participant cannot alone predetermine the value of the session key. Additionally, malicious users cannot derive the mutual session key that is shared between another user and the server, and they cannot forge valid request messages or impersonate other users. Thus, the enhanced scheme withstands privileged insider attacks. Moreover, in the password change phase of the enhanced scheme, the appending of timestamps guarantees the freshness of messages that are sent from users, and the smartcard can validate the updated data from the server, so the enhanced scheme withstands replay and denial-of-service attacks.
The enhanced scheme consists of five phases: system initialization, user registration, authenticated key exchange, password change, and smartcard revocation. The system initialization phase is similar to that of Lin’s scheme, except that it uses enhanced Chebyshev chaotic maps with the parameter x on the interval (−∞,+∞), requires a large prime number p for the modular arithmetic, and maintains a smartcard revocation table. The registration, authenticated key exchange, password change and smartcard revocation phases are described further below.
Registration phase
A user U registers his/her identity and password to be a legal user by performing the following steps.
- U chooses his identity ID, password PW and a random number t and sends ID and H = h(PW ∥ t) to S via a secure channel.
- S verifies ID and computes R = Es(ID ∥ H ∥ CNT) by using its master key s, where CNT = 0 and indicates the revocation times.
- S stores (R ⊕ H,h(·),Ek(·),x,Tr(x)) into a smartcard SC, and issues the SC to U through a secure channel.
- After receiving SC, U inserts t into it and finishes the registration.
Authenticated key exchange phase
In this phase, as shown in Fig 1, the user U and the server S authenticate each other and negotiate a common session key by performing the following steps.
- U inserts his SC, inputs PW, computes H = h(PW ∥ t) and R = (R ⊕ H) ⊕ H, generates a random number a, calculates X1 = Ta(x)mod p, K = Ta(Tr(x))mod p, Q = h(ID ∥ H ∥ T1), X2 = EK(Q ∥ R), where T1 is the current timestamp, and sends M1 = {X1,X2,T1} to S.
- On receiving M1, S checks whether T′−T1 ≤ ΔT holds or not, where T′ is the current timestamp. If unsuccessful, S aborts this service request; otherwise S computes K = Tr(X1) mod p, obtains (Q ∥ R) by decrypting X2 with K, and obtains (ID ∥ H ∥ CNT) by decrypting R with s. Then S checks whether (ID, CNT) is recorded in its revocation table or not and verifies Q = ?h(ID ∥ H ∥ T1). If unsuccessful, S rejects this service request; otherwise S generates a random number b, computes Y1 = Tb(x) mod p, the session key λ = Tb(Ta(x)) mod p and Y2 = h(λ ∥ ID ∥ Q ∥ T2), where T2 is the current timestamp, and sends M2 = {Y1,Y2,T2} to U.
- On receiving M2, U checks whether T″−T2 ≤ ΔT holds or not, where T″ is the current timestamp. If unsuccessful, U aborts this service request; otherwise U computes the session key λ = Ta(Y1) mod p and checks whether Y2 = ?h(λ ∥ ID ∥ Q ∥ T2) holds or not. If unsuccessful, U aborts this service request.
Password change phase
In this password change phase, as shown in Fig 2, a legal user inserts his/her smartcard SC and inputs the old password PW and a new password PW*, and then changes the password by performing the following steps.
- SC computes H = h(PW ∥ t), H* = h(PW* ∥ t), generates a random number a, calculates X1 = Ta(x) mod p, K = Ta(Tr(x)) mod p, Q = h(ID ∥ H ∥ H* ∥ T1), R = (R ⊕ H) ⊕ H and X2 = EK(H* ∥ Q ∥ R), where T1 is the current timestamp, and sends M1 = {X1,X2,T1} to the server.
- On receiving M1, S checks whether T′−T1 ≤ ΔT holds or not, where T′ is the current timestamp. If unsuccessful, S aborts this service request; otherwise S computes K = Tr(X1) mod p, obtains (H* ∥ Q ∥ R) by decrypting X2 with K, and obtains (ID ∥ H ∥ CNT) by decrypting R with s. Then S checks whether (ID, CNT) is recorded in its revocation table or not and verifies Q = ?h(ID ∥ H ∥ H* ∥ T1). If successful, S computes R* = Es(ID ∥ H* ∥ CNT), Y1 = Q ⊕ R* and Y2 = h(K ∥ H* ∥ R* ∥ T1), and sends M2 = {Y1,Y2} to the smartcard.
- On receiving M2, SC computes R* = Q ⊕ Y1 and checks whether Y2 = ?h(K ∥ H* ∥ R* ∥ T1) holds or not. If successful, the smartcard replaces R ⊕ H with R* ⊕ H*.
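The Chebyshev definitions from the Preliminaries (the recurrence, the semi-group property and T_n(x) mod p) and the authenticated key exchange and password change phases just described, as an added worked example that is not part of the paper or of the authors’ code: the Python below models the server, a smartcard and both phases end to end. Everything not fixed by the paper is my assumption: p = 2^255 − 19 and a fixed public x; SHA-256 as h(·) over length-prefixed fields; E_k(·)/D_k(·) stood in by an HMAC-SHA256 keystream with an encrypt-then-MAC tag, so that decryption under a wrong K or s fails rather than returning garbage; R ⊕ H realised as XOR with a keystream derived from H because R is longer than H; timestamps as integer seconds; and all function and field names. T_n(x) mod p is evaluated with the doubling identities T_2k = 2T_k² − 1 and T_2k+1 = 2T_kT_k+1 − x, which follow from the product formula 2T_mT_n = T_m+n + T_|m−n|.

```python
import hashlib, hmac, secrets

P, X, DELTA_T = 2**255 - 19, 0x123456789ABCDEF, 5   # constructed demo values (assumptions): prime p, public x, ΔT in seconds

def cheb_mod(n, x, p=P):
    """T_n(x) mod p by the doubling rules T_2k = 2T_k^2 - 1 and T_2k+1 = 2T_k T_k+1 - x."""
    t0, t1 = 1, x % p                                   # (T_k, T_k+1) with k = 0
    for bit in bin(n)[2:]:
        a, b = (2*t0*t0 - 1) % p, (2*t0*t1 - x) % p     # (T_2k, T_2k+1)
        t0, t1 = (b, (2*t1*t1 - 1) % p) if bit == "1" else (a, b)
    return t0

def h(*parts):
    """h(.) = SHA-256 over M1 || M2 || ..., each part length-prefixed (SHA-256 is an assumption)."""
    m = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return m.hexdigest()

def _stream(key, nonce, n):
    """Key bytes and n bytes of HMAC-SHA256 keystream; shared by enc, dec and mask."""
    kb = hashlib.sha256(str(key).encode()).digest()
    blocks = (hmac.new(kb, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return kb, b"".join(blocks)[:n]

def enc(key, pt):
    """E_k(.): stand-in for the paper's generic symmetric cipher (keystream XOR, encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    kb, ks = _stream(key, nonce, len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(kb, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    """D_k(.): None when the tag fails, i.e. wrong key or tampered ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    kb, ks = _stream(key, nonce, len(ct))
    if not hmac.compare_digest(tag, hmac.new(kb, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, ks))

def mask(H, data):
    """R xor H for a variable-length R: XOR with a keystream derived from H (self-inverse)."""
    return bytes(a ^ b for a, b in zip(data, _stream(H, b"mask", len(data))[1]))

def new_server():
    """System initialization: private key r, master key s, public T_r(x), revocation table."""
    r = secrets.randbelow(P - 2) + 2
    return {"r": r, "s": secrets.randbits(256), "Trx": cheb_mod(r, X), "revoked": set()}

def register(server, ID, PW):
    """Registration: the smartcard holds (R xor H, x, T_r(x)) and the user's random t."""
    t = secrets.token_hex(16)
    H = h(PW, t)
    R = enc(server["s"], f"{ID}|{H}|0".encode())       # R = E_s(ID || H || CNT), CNT = 0
    return {"R_xor_H": mask(H, R), "x": X, "Trx": server["Trx"], "t": t}

def _server_open(server, M1, now, nfields):
    """Server checks shared by both phases: T' - T1 <= ΔT (a future T1 is refused too), K = T_r(X1), D_K(X2), D_s(R), revocation table."""
    if not 0 <= now - M1["T1"] <= DELTA_T:
        return None
    K = cheb_mod(server["r"], M1["X1"])
    pt = dec(K, M1["X2"])
    rec = dec(server["s"], pt[64*nfields:]) if pt else None
    if rec is None:
        return None
    fields = [pt[64*i:64*(i + 1)].decode() for i in range(nfields)]
    ID, H, CNT = rec.decode().split("|")
    return None if (ID, int(CNT)) in server["revoked"] else (K, fields, ID, H, CNT)

def user_ake_request(card, ID, PW, T1):
    """AKE step 1 (user): M1 = {X1 = T_a(x), X2 = E_K(Q || R), T1} with K = T_a(T_r(x))."""
    H, a = h(PW, card["t"]), secrets.randbelow(P - 2) + 2
    R, K, Q = mask(H, card["R_xor_H"]), cheb_mod(a, card["Trx"]), h(ID, H, T1)
    return {"X1": cheb_mod(a, card["x"]), "X2": enc(K, Q.encode() + R), "T1": T1}, {"a": a, "ID": ID, "Q": Q}

def server_ake_respond(server, M1, T2):
    """AKE step 2 (server): verify Q, pick b, return M2 = {Y1, Y2, T2} and λ = T_b(T_a(x))."""
    opened = _server_open(server, M1, T2, 1)
    if opened is None or opened[1][0] != h(opened[2], opened[3], M1["T1"]):   # Q =? h(ID || H || T1)
        return None
    Q, ID, b = opened[1][0], opened[2], secrets.randbelow(P - 2) + 2
    lam = cheb_mod(b, M1["X1"])                                               # λ = T_b(T_a(x)) mod p
    return {"Y1": cheb_mod(b, X), "Y2": h(lam, ID, Q, T2), "T2": T2}, lam

def user_ake_finish(state, M2, now):
    """AKE step 3 (user): check T2 freshness and Y2; returns λ = T_a(T_b(x)) mod p or None."""
    lam = cheb_mod(state["a"], M2["Y1"])
    fresh = 0 <= now - M2["T2"] <= DELTA_T
    return lam if fresh and M2["Y2"] == h(lam, state["ID"], state["Q"], M2["T2"]) else None

def card_pw_change_request(card, ID, PW, PW_new, T1):
    """Password change step 1 (card): X2 = E_K(H* || Q || R) with Q = h(ID || H || H* || T1)."""
    H, Hn, a = h(PW, card["t"]), h(PW_new, card["t"]), secrets.randbelow(P - 2) + 2
    R, K, Q = mask(H, card["R_xor_H"]), cheb_mod(a, card["Trx"]), h(ID, H, Hn, T1)
    return {"X1": cheb_mod(a, card["x"]), "X2": enc(K, (Hn + Q).encode() + R), "T1": T1}, {"K": K, "Q": Q, "Hn": Hn, "T1": T1}

def server_pw_change_respond(server, M1, now):
    """Step 2 (server): R* = E_s(ID || H* || CNT), Y1 = Q xor R*, Y2 = h(K || H* || R* || T1)."""
    opened = _server_open(server, M1, now, 2)
    if opened is None or opened[1][1] != h(opened[2], opened[3], opened[1][0], M1["T1"]):   # Q =? h(ID || H || H* || T1)
        return None
    K, (Hn, Q), ID, H, CNT = opened
    R_new = enc(server["s"], f"{ID}|{Hn}|{CNT}".encode())
    return {"Y1": mask(Q, R_new), "Y2": h(K, Hn, R_new, M1["T1"])}

def card_pw_change_finish(card, state, M2):
    """Step 3 (card): verify Y2 before storing R*, so a tampered R* is rejected (Lin's card skips this)."""
    R_new = mask(state["Q"], M2["Y1"])
    if M2["Y2"] != h(state["K"], state["Hn"], R_new, state["T1"]):
        return False
    card["R_xor_H"] = mask(state["Hn"], R_new)           # R xor H replaced by R* xor H*
    return True
```

Both sides agree on K and λ only because of the semi-group property, cheb_mod(a, cheb_mod(r, x)) == cheb_mod(r, cheb_mod(a, x)) == cheb_mod(a*r, x); the same identity is what the test checks directly. The card’s Y2 check is the step whose absence in Lin’s password change phase lets an intercepted R* be swapped for a nonce, and the server’s ΔT window is what ages out a replayed M1; a copy replayed inside the window is still processed, exactly as in the paper, so ΔT should be kept small.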
Smartcard revocation phase
This phase enables a legal user to revoke his/her old smartcard and to issue a new smartcard by performing the following steps.
- U inputs his/her identity ID, password PW, selects a random number tnew, computes Hnew = h(PW ∥ tnew), and sends {ID, Hnew, Smartcard Revocation Request} to S via a secure channel.
- S searches (ID,CNT) in its revocation table, computes CNTnew = CNT+1 and Rnew = Es(ID ∥ Hnew ∥ CNTnew) by using its master key s, and stores (ID,CNTnew) in its revocation table.
- S stores (Rnew,h(·),Ek(·),x,Tr(x)) into a smartcard, and issues the smartcard to U through a secure channel.
- After receiving the smartcard, U inserts tnew into it and finishes the smartcard revocation processes.
Security and performance analyses
Security analysis
This subsection analyzes the security of the enhanced scheme, with reference to session key security, the contributory property of key agreements, and the withstanding of replay, denial-of-service and privileged-insider attacks.
Since the enhanced scheme is based on the schemes of Guo and Chang and Lin, the analyses of security requirements and the withstanding of possible attacks closely resemble those for the schemes of Guo and Chang and Lin, and so are not presented here.
Providing session key security (AKE security).
The following descriptions reveal that the enhanced scheme provides session key security by adopting the real-or-random (ROR) and the sequence of games (SOG) models [41–45].
The Difference Lemma [45] is used for the sequence of games and is described as follows:
Lemma 1 (Difference Lemma). Let A, B and F be events defined in some probability distribution, and suppose that . Then
The following theorem shows that the proposed scheme has AKE security if the extended chaotic map-based DDHP holds.
Theorem 1. The probability that an adversary breaks the AKE security of the enhanced authenticated key agreement scheme P satisfies,
where Advddh is the advantage that an extended chaotic map-based DDH attacker can gain by solving the extended chaotic map-based DDHP, N is the size of password lists, and l is a secure parameter size.
Proof: For each game, Ei denotes the event that the adversary wins that game. The start game is a real attack against the proposed scheme, and the final game ends with a negligible advantage gained by an attacker in breaking the AKE security of the enhanced scheme.
Game : This game corresponds to the real attack. By definition,
(1)
Game : This game considers password-guessing attacks. Each X2 = EK(Q ∥ R) is different, where Q = h(ID ∥ H ∥ T1), H = h(PW ∥ t) and K = Ta(Tr(x)) mod p, since t and a are random numbers selected by user U and T1 is the timestamp. Thus, the adversary has no information with which to verify his/her password guesses. This implies that the security against password attacks is measured by the probability that there exist messages of the form X2 = EK(Q ∥ R) for which the guessed password is correct. Then, we have
(2)
Game : This game transforms game
into game
, getting Q by choosing a random number, instead of computing a hash. Then, games
and
are indistinguishable except for collisions of the hash function in
. Thus, according to the birthday paradox [42] and Lemma 1, we have
(3)
Game : This game is transformed from game
by using a triple (X,Y,Z) sampled from a random distribution (Ta(x) mod p,Tb(x) mod p,Tz(x) mod p), rather than an extended chaotic map-based DDH triple.
is therefore equivalent to
, and
(4)
Let a challenger Addh attempt to violate the indistinguishability of the extended chaotic map-based DDHP, and let an adversary Aake be created to violate the session key security. Addh returns the real key λ to Aake if the flipping unbiased coin bit c = 1; otherwise, c = 0 and it returns a random string to Aake. Then Aake outputs its guess bit c' and wins if c' = c. Addh returns the output exactly as in the preceding experiment, except with (X, Y, Z) that was input to it. If Aake outputs c, then Addh outputs 1; otherwise, it outputs 0. If (X, Y, Z) is a real extended chaotic map-based Diffie-Hellman triple, then Addh executes Aake in and so Prob. [event that Addh outputs 1] equals the Prob.[E3]. If (X, Y, Z) is a random triple, then Addh runs Aake in
and so Prob. [event that Addh outputs 1] equals Prob.[E4]. Therefore,
(5)
No information about flipping unbiased coin bit c is revealed, and all session keys are random and independent among all executions of the enhanced scheme. Thus,
(6)
Combining Eqs (1)–(6) and using Lemma 1, yields
The proof is thus concluded.
Providing the contributory property of key agreements.
Theorem 2. The enhanced scheme provides the contributory property of key agreements.
Proof: By Theorem 1, the session key security of the enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem. Therefore, the enhanced scheme avoids the security weakness that was identified by Bergamo et al. [20], and neither a user nor the server alone can determine a session key. Thus, the enhanced scheme satisfies the contributory property of key agreements.
Withstanding replay attacks.
Theorem 3. The password change phase of the enhanced scheme withstands replay attacks.
Proof: In the password change phase of the enhanced scheme, the smartcard sends the request message M1 = {X1,X2,T1} to the server, where T1 is the current timestamp, X1 = Ta(x) mod p, X2 = EK(H* ∥ Q ∥ R), K = Ta(Tr(x)) mod p, H* = h(PW* ∥ t) and Q = h(ID ∥ H ∥ H* ∥ T1). By validating the timestamp T1 and checking Q = ?h(ID ∥ H ∥ H* ∥ T1), the server can easily verify the freshness of the request messages that are received from the users, so the enhanced scheme withstands replay attacks.
Withstanding denial of service attacks.
Theorem 4. The password change phase of the enhanced scheme withstands denial-of-service attacks.
Proof: Since the smartcard validates the updated data R* by checking Y2 = ?h(K ∥ H* ∥ R* ∥ T1) before replacing R with R*, where the timestamp T1 is generated by the smartcard and H* = h(PW* ∥ t), an attacker has difficulty in modifying the response message M2 = {Y1,Y2}. Therefore, the enhanced scheme withstands denial-of-service attacks.
Withstanding privileged insider attacks.
Theorem 5. The password change phase of the enhanced scheme withstands privileged-insider attacks.
Proof: In the enhanced scheme, every legitimate user has (x,Tr(x)) in his/her smartcard. By Theorem 1, the session key security of the enhanced scheme is based on the extended chaotic map-based Diffie-Hellman problem. Thus, a malicious user cannot derive the secret key K or the session key λ that is shared between another user and the server in the authenticated key exchange and password change phases. Consequently, a malicious user cannot obtain (Q ∥ R) and (ID ∥ H ∥ CNT) in the authenticated key exchange phase, or (H* ∥ Q ∥ R) and (ID ∥ H ∥ CNT) in the password change phase. Such a user has difficulty in forging valid request messages and impersonating other users. Thus, the enhanced scheme withstands privileged insider attacks.
Logical analyses
This subsection presents a logical analysis of the proposed scheme using the logic that was defined and presented by Burrows et al. [46] in 1990 and by Buttyan et al. [47] in 1998.
Assume that P and Q range over principals. C denotes a communicating channel and X and Y are messages. Table 1 defines the notation used for logical analyses [46–48].
Table 2 lists the used assumptions and Table 3 lists the used logical description [46–48], where A and B are S and U, but A ≠ B.
Then, according to [46–48], the proposed scheme is described in logic as follows.
On the basis of the assumptions and logical analyses, the proposed scheme must realize the following four goals of authentication and key agreement.
Goal 1: User U believes that λ = Tab(x) mod p is a symmetric key shared between participants U and S.
Goal 2: Server S believes that λ = Tab(x) mod p is a symmetric key shared between U and S.
Goal 3: User U believes that S is convinced that λ = Tab(x) mod p is a symmetric key shared between U and S.
Goal 4: Server S believes that U is convinced that λ = Tab(x) mod p is a symmetric key shared between U and S.
To accomplish Goal 1, we have that
(7)
and
(8)
must hold because of the interpretation rule (I3) and assumption (A5).
Next, to accomplish Eq (8), we have that
(9)
and
(10)
must hold because of assumption (A3) and the rationality rule (R1). To accomplish Eq (10), we have that
(11)
must hold because of the freshness rules (F1), (F2) and assumption (A4).
To accomplish Eq (11), we have that
(12)
(13)
and
(14)
must hold because of the interpretation rule (I1), the seeing rules (S1), (S2), and assumptions (A1) and (A2). By using the interpretation rules (I3) and, we have that the proposed scheme realizes
Similarly, by using the same arguments as for Goal 1, the proposed scheme realizes Goal 2:
To accomplish Goal 3, we have that
(15)
and
(16)
must hold because of the rationality rule (R1) and assumption (A3). To accomplish Eq (16), we have that
(17)
and
(18)
must hold because of the freshness rules (F1), (F2) and assumption (A4). To accomplish Eq (18), we have that
(19)
(20)
and
(21)
must hold because of the interpretation rule (I1), the assumptions (A1), (A2) and the seeing rules (S1) and (S2).
Thus, the proposed protocol realizes
Similarly, by using the same arguments as for Goal 3, the proposed scheme realizes Goal 4:
Therefore, the proposed scheme realizes Goals 1, 2, 3 and 4.
Performance analysis and comparisons
Table 4 compares the performance and security properties of the enhanced scheme with those of related approaches [7, 9, 10, 15, 36, 37, 40, 49–53], where TH denotes the time to execute a hash function operation; TC the time to execute a chaotic map operation; TS the time to execute a symmetric encryption/decryption operation; TSQ the time to execute a squaring operation; TSR the time to execute a square root solving operation; TM the time to execute a multiplication/division operation; and TE the time to execute a modular exponentiation.
The schemes proposed by Islam et al. [15], Chen et al. [9] and Jiang et al. [10] use public key cryptosystems and require time-consuming modular exponentiations, so they are inefficient. Although the schemes proposed by Wang et al. [49], Lee et al. [7] and Yan et al. [50] employ only hash function operations and are therefore more efficient than the other schemes, they fail to resist possible attacks and cannot provide perfect forward secrecy. The schemes proposed by Das and Goswami [51], Lee et al. [52], He et al. [53], Islam et al. [36], Jiang et al. [37] and Lin [40], together with the enhanced scheme, are based on chaotic maps and keep computation and communication costs low. Additionally, only the schemes proposed by Das and Goswami [51] and Jiang et al. [37] and the enhanced scheme resist the potential attacks and provide more functionality.
Conclusions
This study addresses the weaknesses of Lin's improved scheme, including its vulnerability to denial-of-service and privileged-insider attacks and its failure to support the contributory property of key agreements. An enhanced smartcard-based password-authenticated key agreement scheme based on extended chaotic maps is presented. The session key security of the enhanced scheme rests on the extended chaotic map-based DDHP and is proven in the real-or-random and sequence-of-games models. Thus, malicious users cannot derive the session key between another user and the server, and they cannot forge valid request messages or impersonate other users. Accordingly, the enhanced scheme withstands privileged-insider attacks. Additionally, in the enhanced scheme, the messages sent by users are guaranteed to be fresh by the appended timestamps, and the smartcard validates the updated data from the server, so the enhanced scheme withstands replay and denial-of-service attacks. Therefore, the enhanced scheme eliminates the weaknesses of previous schemes.
Acknowledgments
This research was supported by the Ministry of Science and Technology under grant MOST 105-2221-E-320-003 and by Tzu Chi University under grant TCRPP105004. Ted Knoy is appreciated for his editorial assistance.
References
- 1. Juang W. Efficient password authenticated key agreement using smart cards, Computers & Security 2004; 23: 167–173.
- 2. Fan CI, Chan YC, Zhang ZK. Robust remote authentication scheme with smart cards, Computers & Security 2005; 24: 619–628.
- 3. Juang WS, Chen ST, Liaw HT. Robust and efficient password-authenticated key agreement using smart card, IEEE Transactions on Industrial Electronics 2008; 55: 2551–2556.
- 4. Sun DZ, Huai JP, Sun JZ, Li JX, Zhang JW, Feng ZY. Improvements of Juang et al.'s password-authenticated key agreement scheme using smart cards, IEEE Transactions on Industrial Electronics 2009; 56: 2284–2291.
- 5. Yeh KH, Su C, Lo NW, Li YJ, Hung YX. Two robust remote user authentication protocols using smart cards, Journal of Systems and Software 2010; 83: 2556–2565.
- 6. Li XX, Qiu WD, Zheng D, Chen KF, Li JH. Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards, IEEE Transactions on Industrial Electronics 2010; 57: 780–793.
- 7. Lee TF, Chang IP, Lin TH, Wang CC. A secure and efficient password-based user authentication scheme using smart cards for the integrated EPR information system, Journal of Medical Systems 2013; 37(3): 9941. pmid:23553734
- 8. Lee TF, Liu CM. A secure smart-card based authentication and key agreement scheme for telecare medicine information systems, Journal of Medical Systems 2013; 37 (9933): 1–8.
- 9. Chen BL, Kuo WC, Wuu LC. Robust smart-card-based remote user password authentication scheme, International Journal of Communication Systems 2012;
- 10. Jiang Q, Ma J, Li G, Li X. Improvement of robust smart-card-based password authentication scheme, International Journal of Communication Systems 2015; 28(2): 383–393.
- 11. Wen FT. A robust uniqueness and anonymity preserving remote user authentication scheme for connected health care, Journal of Medical System 2013; 37(6): 9980. pmid:24146334
- 12. Chen Y, Chou J, Sun H. A novel mutual-authentication scheme based on quadratic residues for RFID systems, Computer Networks 2008; 52(12): 2373–2380.
- 13. Rosen K. Elementary number theory and its applications. Reading, MA: Addison-Wesley, 2008.
- 14. Wu ZY, Lee YC, Lai F, Lee HC, Chung Y. A secure authentication scheme for telecare medicine information systems, Journal of Medical System 2012; 36(3): 1529–1535. pmid:20978928
- 15. Islam SH, Khan MK, Li X. Security Analysis and Improvement of ‘a More Secure Anonymous User Authentication Scheme for the Integrated EPR Information System’, PLOS ONE 2015, http://dx.doi.org/10.1371/journal.pone.0131368
- 16. Li CT. A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card, IET Inform. Security 2013; 7(1): 3–10.
- 17. Wang D, He D, Wang P, Chu CH. Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment, IEEE Transactions on Dependable and Secure Computing 2015; 12(4): 428–442.
- 18. Kocarev L, Tasev Z. Public-key encryption based on Chebyshev maps, Proc. of the International Symposium on Circuits and Systems 2003; 3: III-28–III-31.
- 19. Mason JC, Handscomb DC. Chebyshev polynomials. Chapman & Hall/CRC, Boca Raton, Florida, 2003.
- 20. Bergamo P, D'Arco P, Santis A, Kocarev L. Security of public-key cryptosystems based on Chebyshev polynomials, IEEE Transactions on Circuits and Systems I 2005; 52: 1382–1393.
- 21. Xiao D, Liao X, Deng S. A novel key agreement protocol based on chaotic maps, Information Sciences 2007; 177: 1136–1142.
- 22. Han S. Security of a key agreement protocol based on chaotic maps, Chaos, Solitons & Fractals 2008; 38: 764–768.
- 23. Xiao D, Liao XF, Deng SJ. Using time-stamp to improve the security of a chaotic maps-based key agreement protocol, Info. Sci. 2008; 178: 1598–1602.
- 24. Tseng H, Jan R, Yang W. A chaotic maps-based key agreement protocol that preserves user anonymity, IEEE International Conference on Communications (ICC09) 2009, pp. 1–6.
- 25. Wang X, Zhao J. An improved key agreement protocol based on chaos, Communications in Nonlinear Science and Numerical Simulation 2010; 15: 4052–4057.
- 26. Guo XF, Zhang JS. Secure group key agreement protocol based on chaotic hash, Information Sciences 2010; 180: 4069–4074.
- 27. Niu Y, Wang X. An anonymous key agreement protocol based on chaotic maps, Communications in Nonlinear Science and Numerical Simulation 2011; 16: 1986–1992.
- 28. Xue K, Hong P. Security improvement on an anonymous key agreement protocol based on chaotic maps, Communications in Nonlinear Science and Numerical Simulation 2012; 17: 2969–2977.
- 29. Farash MS, Attari MA. An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps, Nonlinear Dynamics 2014; 77(1–2): 399–411.
- 30. Zhang L. Cryptanalysis of the public key encryption based on multiple chaotic systems, Chaos Solitons Fractals 2008; 37(3): 669–674.
- 31. Lee CC, Chen CL, Wu CY, Huang SY. An extended chaotic maps-based key agreement protocol with user anonymity, Nonlinear Dynamics 2012; 69: 79–87.
- 32. Lee CC, Hsu CW. A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps, Nonlinear Dynamics 2013; 71: 201–211.
- 33. Guo C, Chang CC. Chaotic maps-based password-authenticated key agreement using smart cards, Communications in Nonlinear Science and Numerical Simulation 2013; 18: 1433–1440.
- 34. Lin HY. Chaotic map based mobile dynamic ID authenticated key agreement scheme, Wireless Personal Communications 2014; 78(2):1487–1494.
- 35. Islam SH, Obaidat MS, Amin R. An anonymous and provably secure authentication scheme for mobile user, International Journal of Communication Systems 2016.
- 36. Islam SKH. Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps, Nonlinear Dyn. 2014; 78(3), 2261–2276.
- 37. Jiang Q, Wei F, Fu S, Ma J, Li G, Alelaiwi A. Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy, Nonlinear Dyn. 2016; 83(4), 2085–2101.
- 38. Hao X, Wang J, Yang Q, Yan X, Li P. A chaotic map-based authentication scheme for telecare medicine information systems, Journal of Medical Systems 2013; 37 (9919): 1–7.
- 39. Lee TF. An efficient chaotic maps-based authentication and key agreement scheme using smartcards for telecare medicine information systems, Journal of Medical Systems 2013; 37 (9958): 1–9.
- 40. Lin HY. Improved chaotic maps-based password-authenticated key agreement using smart cards, Communications in Nonlinear Science and Numerical Simulation 2015; 20: 482–488.
- 41. Bellare M, Pointcheval D, Rogaway P. Authenticated key exchange secure against dictionary attacks, Proc. of Advances in Cryptology—Eurocrypt 2000, Lecture Notes in Computer Science 1807, pp. 139–155.
- 42. Boyko V, MacKenzie P, Patel S. Provably secure password-based authenticated key exchange protocols using Diffie-Hellman, Proc. of Advances in Cryptology—Eurocrypt 2000, Lecture Notes in Computer Science 1807, pp. 156–171.
- 43. Abdalla M, Fouque PA, Pointcheval D. Password-based authenticated key exchange in the three-party setting, Proc. of Public Key Cryptography—PKC 2005, Lecture Notes in Computer Science 3386, pp. 65–84.
- 44. Abdalla M, Pointcheval D. Simple password-based authenticated key protocols, Topics in Cryptology—CT-RSA 2005, Lecture Notes in Computer Science 3376, pp. 191–208.
- 45. Shoup V. Sequences of games: A tool for taming complexity in security proofs, manuscript, www.shoup.net, 2005.
- 46. Burrows M, Abadi M, Needham R. A logic of authentication, ACM Trans. Comput. Syst. 1990; 8(1): 18–36.
- 47. Buttyan L, Staamann S, Wilhelm U. A simple logic for authentication protocol design, Proc. of the 11th IEEE Computer Security Foundation Workshop, June 1998, Rockport, MA.
- 48. Aslan HK. Logical analysis of AUTHMAC_DH: a new protocol for authentication and key distribution, Comput. Secur. 2004; 23: 290–299.
- 49. Wang YY, Liu JY, Xiao FX, Dan J. A more efficient and secure dynamic ID-based remote user authentication scheme, Comput. Commun. 2009; 32: 583–585.
- 50. Yan X, Li W, Li P, Wang J, Hao X, Gong P. A secure biometrics-based authentication scheme for telecare medicine information systems, Journal of Medical Systems 2013; 37: 9972. pmid:23996083
- 51. Das AK, Goswami A. An enhanced biometric authentication scheme for telecare medicine information systems with nonce using chaotic hash function, Journal of Medical Systems 2014; 38: 27. pmid:24888983
- 52. Lee CC, Chen CL, Wu CY, Huang SY. An extended chaotic maps-based key agreement protocol with user anonymity, Nonlinear Dynamics 2012; 69(1–2): 79–87.
- 53. He D, Chen Y, Chen J. Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol, Nonlinear Dynamics 2012; 69(3): 1149–1157.