Cryptanalysis and improved mutual authentication key agreement protocol using pseudo-identity

Hyang-Rim Jo; Kyong-Sok Pak; Chung-Hyok Kim; Il-Jin Zhang

doi:10.1371/journal.pone.0271817

Abstract

The authentication key agreement is a scheme that generates a session key for encrypted communication between two participants. In the authentication key agreement, to provide the mutual authentication and the robust session key agreement is one of the important security requirements to enhance the security performance of key agreement. Recently Zhou et al. had proposed the key agreement protocol using pseudo-identifiers, but we found that there were weaknesses in their protocol. We have demonstrated that Zhou et al.’s protocol is vulnerable to replay attack, fails to provide mutual authentication, no key control, re-registration with the original identifier and efficiency in the verification of wrong password. We improved their scheme and proposed an improved authentication key agreement protocol that provides robust mutual authentication and the secure session key agreement. We analyzed its security performance using BAN logic and AVISPA tools and compared computational cost, communication overhead and security properties with other related schemes.

Citation: Jo H-R, Pak K-S, Kim C-H, Zhang I-J (2022) Cryptanalysis and improved mutual authentication key agreement protocol using pseudo-identity. PLoS ONE 17(7): e0271817. https://doi.org/10.1371/journal.pone.0271817

Editor: Pandi Vijayakumar, University College of Engineering Tindivanam, INDIA

Received: April 18, 2022; Accepted: July 8, 2022; Published: July 28, 2022

Copyright: © 2022 Jo et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: The authors received no specific funding for this work.

Competing interests: The authors have declared that no competing interests exist.

1. Introduction

Authentication key agreement(AKA) is one of the important issues to ensure the confidentiality of network security (to protect user privacy and network resources) as a scheme where the session key is exchanged to encrypt a message exchanged between communication participants on a public network. The authentication key agreement protocol can be divided into key agreement for end-to-end communication, and key agreement for end-to-server communication, depending on the entities involved in the communication. In the key agreement protocol for end-to-end communication, two parties participating in key exchange are both users and it applies for the encrypted communication between users. The key agreement protocol for end-to-server communication is used for encrypted communication between the user and several servers or service providers. Key agreement for end-to-server communication can be classified as a key agreement scheme (SS-AKA) between single server and end users, a key agreement scheme between multiple servers and end users (MS-AKA) [1–38]. Recently, with the introduction of technologies such as P2p, cloud computing, WSN, and IoT, researchers are further investigating authentication key agreement between end-to-end servers. Particularly, research on key agreement for communication between multiple servers and end users(MS-AKA) is focused on.

For the MS-AKA implementation, researchers introduced multi-factor authentication such as password, smart card and biometrics and they used public key cryptographics and non-cryptographics for key agreement. Research has mainly focused on lightweight and security enhancement. The research for lightweight is based on non-cryptographics [1–13, 24–32] that only uses hash function and XOR operation, and the research for security performance improvement is mainly based on public key encryption [14–21, 32–37].

However, most of the lightweight approaches suffer from low security performance, and security performance improvements suffer from high computational costs and communication overhead. Research on authenticated key agreement scheme with higher security and lower computational cost and lower communication overhead is still a challenge for researchers. In particular, user anonymity and mutual authentication are very important properties for authenticated key agreement. In this paper, we propose an improved authenticated key agreement scheme based on pseudo-identiy and chaotic maps to provide user anonymity and mutual authentication.

1.1 Related work

In order to implement authentication key agreement between multiple servers and end users, researchers have studied both the key agreement scheme [1–21] where the registration center does not participate in key exchange and the key agreement scheme [24–38] where the registration center participates in key exchange.

In such a way that the registration center does not participate in key exchange, users, servers, or service providers register on the registration center in the system registration phase, and in the key exchange phase, exchange the key without the involvement of the registration center.

Research has mainly been done in terms of security performance enhancement rather than lightening of computational cost.

As authentication factors for the user, they used passwords, smart cards, and biometric information, and used a pre-shared key, a group key and secret-sharing technique for authentication to the service system.

The researchers used computationally efficient hash functions, elliptic curve cryptosystem (ECC), and Chebyshev chaotic maps (CCM) for key agreement to enhance the security performance of key exchange schemes between multiple servers and end users. For key agreement, they used hash functions and performed user authentication using a dynamic identifier and a pre-shared key. In 2007, Liao et al. [1] proposed a secure dynamic identifier-based remote user authentication scheme in a multi-server environment. But it was revealed that his protocol is vulnerable to insider attacks, impersonation attacks, server spoofing attacks, registration center spoofing attacks, and fails to provide mutual authentication by Hsiang et al. [22] in 2009. In 2012, Li et al. [2] proposed a new remote user authentication scheme based on smart card and dynamic identifier for multi-server environments. In order to protect the user identifier from tracking, their scheme allows the user’s identifier to change dynamically whenever the user logs on to the server. In 2012, Tsaur et al. [3] proposed an efficient and secure multi-server authentication scheme with key exchange. However, his protocol was found to be vulnerable to offline password guessing attacks, privileged insider attacks, and malicious user attacks by Xu et al. [4] in 2013. Xu et al. proposed a new dynamic identification-based authentication scheme for a multi-server environment using smart cards. He proposed an improved dynamic identity based scheme to eliminate all the security and efficiency weaknesses without decreasing other security performances in his work. In 2014, Chuang et al. [5] proposed an anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. However, it was revealed that his protocol is vulnerable to denial of service attacks, stolen smartcard attacks, user impersonation attacks, and server spoofing attacks by Maitra et al. [6] and Mishra et al. [7] in 2014. Maitra et al. proposed efficient remote user authentication using biometric and password-based smart cards for telemedicine information systems in a multi-server environment. He found that an unregistered attacker can successfully log into the system as a valid user in Chuang et al.’s scheme, and in order to overcome vulnerabilities, he proposed a scheme that allows users to register simultaneously on a root remote server called registration center to be served from all branch remote servers using a registered smart card. In 2014 Mishra et al. proposed a multi-server authentication key agreement scheme using smart cards based on biometrics to preserve secure user anonymity. He improved Chuang et al.’s protocol, but it was found that his protocol is vulnerable to impersonation attacks, replay attacks, denial of service attacks, fails to achieve perfect forward security and no user re-registration phase by Wang et al. [10] in 2016. Wang et al. proposed cryptanalysis and improvement on multi-server authentication and key agreement schemes based on biometrics. But it was revealed that his protocol is vulnerable to user impersonation attacks, privileged insider attacks, and server impersonation attacks and does not provide perfect forward security by Yang et al. [20] in 2018. Yang et al. designed a protocol that performs mutual authentication between the user and the service provider and exchanges key without involvement of the registration center in a multi-service system environment. In his protocol, the registration center shares the pre-shared key (PSK) and long term key with service providers. In 2015, Amin et al. [8] proposed a new user authentication and key agreement protocol for multiple healthcare provider access available in TMIS. They developed a new structure for access to multiple healthcare providers in order to decrease the vulnerability of a single healthcare provider, where the user can communicate directly and safely with the doctor of the healthcare provider. They also developed smart card-based authentication and key agreement security protocols that can be used in TMIS systems using one-way hash functions as cryptography. In 2017, Guo et al. [11] proposed a key exchange protocol that provides user anonymity in a multi-service system environment. In key exchange, the registration server does not participate, shares a pre-shared key with the service providers and uses the public key of the service providers.

In 2019 Lwamo et al. [12] proposed a key exchange scheme without a third-party server using hash functions and symmetric key encryption. He demonstrated lightweight and anonymity, and the user identifier is encrypted with the service provider’s public key, and it is updated every round. In key exchange using only hash functions, the registration center shares pre-shared key with the service providers to authenticate them. In 2020, Mishra et al. [13] proposed a dynamic ID-based authenticated key agreement scheme for mobile edge computing without a trusted third party. The proposed scheme guarantees mutual authentication between user and edge servers and achieves important security properties such as secure communication, mutual authentication, user anonymity, and session key agreement.

To overcome the disadvantage of using a pre-shared key, researchers used public-key encryption for key exchange.

In 2014, Han et al. [14] proposed an identifier-based mutual authentication with a key agreement protocol for a multi-server environment based on elliptic curve cryptography. In order to improve the performance of precedent bilinear pairing-based several authentication schemes in a multi-server environment, they proposed a new identifier-based mutual authentication protocol using signature based elliptic curve cryptography. In 2016, Chaudhry et al. [9] proposed a secure biometrics-based multi-server authentication scheme for social multimedia networks. They show that first one of the two schemes of Lu et al. [37] designed for multi-server architectures is vulnerable to impersonation attacks and doesn’t provide user anonymity, and the second one is vulnerable to user impersonation attacks. They proposed an enhanced scheme, and used elliptic curve cryptography and hash functions for key exchange. In 2019, Ying et al. [15] proposed a lightweight remote user authentication protocol for multi-server 5G networks using self-verified public-key encryption. To reduce the computational complexity, they used self-verified public-key cryptography based on elliptic curve cryptography to verify the valid of users and servers. Without pairing operations, their scheme could improve computational efficiency and provide mutual authentication. In 2016, Irshad et al. [16] proposed an anonymous multi-user authentication key exchange protocol based on chaotic mapping using smart cards. They reviewed recent multi-server authentication schemes and proposed a single-round trip multi-server authentication protocol based on chaotic mapping to overcome their schemes’ limitations. In 2017 Kumari et al. [17] proposed a user key exchange scheme in a multi-server environment using chaotic mapping. His scheme is based on a single-sign-on, where the registration center pre-shares the secret key with the service providers. In 2019 Qiao et al. [18] proposed an authentication key exchange scheme that provides strong anonymity for multi-server environments in TMIS. His scheme exchanges key with chaotic mapping and encrypts the identifier with symmetric encryption without involving the key exchange server. In 2012 Chuang et al. [19] proposed a generalized identifier-based user authentication scheme for a mobile multi-server environment. In his work, he first proposed a security model for a multi-server environment and then a bilinear pairing-based mutual authentication and key exchange scheme. Their scheme can be used for both common users with long valid periods and anonymous users with short valid periods. In 2020 Yu et al. [21] proposed a key agreement scheme (AKA-NS) that shares keys without authentication servers in an IoT-based cloud environment based on bilinear pairing. His scheme authenticates users based on the Elgamal cryptography signature, and uses secret values based on bilinear pairingand hash functions for key agreement.

To overcome the disadvantage of using a pre-shared key, researchers also proposed a combination of group key agreement and secret-sharing techniques [22, 23]. In 2021, Vinoth et al. [22] proposed a secure multifactor authenticated key agreement scheme for industrial IoT environment to support authorized user remotely accessing the sensors. In their proposed scheme, only hash functions, XOR operation and symmetric encryption are used for session key agreement, and sensor devices share secret information by combining group key agreement and secret-sharing techniques.

The key agreement scheme involving the registration center in key exchange has been studied towards lightweight rather than maintaining security performance. Researchers used passwords, smart cards, and biometric information as the authentication factors for the user, and used a pre-shared key for authentication of the service provider system. In order to lighten the computational cost of the scheme, researchers focused on computationally efficient hash functions, ECC and ECM for key agreement. Some researchers designed the protocol where the registration center participates in key exchange, using only a hash function without using public-key encryption in key exchange to reduce computational cost.

In 2009, Hsiang et al. [24] proposed a secure dynamic ID-based remote user authentication scheme for a multi-server environment. But it was revealed that his protocol is vulnerable to impersonation attacks, server spoofing attacks, cannot be easily repaired, and cannot provide mutual authentication by Lee et al. [25] In 2011, Lee et al. proposed a secure dynamic identifier-based remote user authentication scheme for a multi-server environment using smart cards. But it was revealed that his protocol is vulnerable to impersonation attacks and server spoofing attacks, and if the mutual authentication message is partly modified by the attacker, it cannot provide a corresponding authentication by Li et al. [2] in 2012. In 2014, Xue et al. [26] proposed a lightweight dynamic anonymous identity-based authentication and key exchange protocol that does not use verification tables in a multi-server environment. However, in 2015, Gupta et al. [27] has shown that Xue et al.’s protocol is vulnerable to known password guessing attacks, stolen smartcard attacks, and impersonation attacks, and in 2018, Amin et al. [29] found that Xue et al.’s protocol has flaws in user anonymity, offline password guessing attacks, privileged insider attacks, no key control, user impersonation attacks. Gupta et al. proposed a hash function-based multi-server key exchange protocol with smart cards. But in 2019, it was found that his protocol is vulnerable to denial of service attack, stolen smart card attack, and user impersonation attacks and that it does not achieve perfect forward security by Tomar et al. [35]. Tomar et al. proposed an authentication key exchange protocol with a password, biometrics (Fuzzy extractor) and smart cards. His protocol uses timestamps, uses elliptic curve cryptography to establish the session key, and performs mutual authentication using two control servers. Amin et al. proposed the anonymous authentication and key exchange protocol between a user and multi-server in cloud environment. In his work, the server and user use a shared secret that combines the server’s secret with the user’s identifier, and the user accesses to the smart card using the password. In 2016, Maitra et al. [28] proposed an enhanced multi-server authentication protocol using passwords and smart cards. He found that some flaws in the precedent works, and he proposed a new protocol, focusing on the improvement of their security performances, and used symmetric key encryption. In 2018, Wei et al. [30] proposed a two-factor authentication key exchange protocol using the password and secret keys stored in smart cards in cloud environments. They used the shared-secret key combined with timestamps as a message-encryption key. In 2019, Zhou et al. [31] proposed a lightweight authentication key exchange protocol based on a hash function in cloud computing environment. In his work, they updated pseudo-identities of two participants every round. The user registers with identifiers, pseudo-identifiers, passwords, and random numbers, and the IoT controller registers with identifiers, pseudo-identifiers, and random numbers.

To enhance the security performance of key exchange, some researchers have used public key encryption such as ECC and ECM.

In 2010, Yoon et al. [32] proposed a robust multi-server authentication scheme based on biometrics using smart cards in elliptic curve cryptography. They proposed an authentication scheme without a verification table, and the proposed scheme can provide stronger user authentication by using biometrics, and provide more secure key exchange scheme based on ECC. In 2017, Chandrakar et al. [33] proposed a key exchange protocol for remote user authentication that provides three factors authentication and anonymity using elliptic curve cryptography in a multi-server environment. For the exchanged key, they use Elliptic Curve Diffie–Hellman (ECDH), but for the encryption, they use the addition of a point on elliptic curve, and XOR without the use of special encryption. In 2018, Qi et al. [34] proposed a key exchange scheme using elliptic curve cryptography in a multi-server environment. They used the server’s public-key-based symmetric key encryption for the communication between the user and the server. They also used the registration center’s public-key-based symmetric key encryption for communication between the server and the registration center. Thus, his protocol provides a relatively strong key exchange scheme. In 2017, Irshad et al. [36] proposed a new user authentication key exchange protocol based on chaotic mapping for a multi-server environment. They used password, biometrics, smart card and the secret key shared with the registration center to authenticate the user and used chaotic mappings and bio-hash functions to exchange the session key. In 2021, Xia [38] proposed a modular exponention based anonymous authentication and key agreement scheme with privacy-preserving in IoT environment for smart city, and the work for authenticated key agreement scheme was studied not only in P2P, IoT environment, but also in VANET environment [39].

1.2 Motivation and our contribution

According to the research of the precedent schemes, we found that key agreement protocols without the registration server have several disadvantages such as the mutual authentication, anonymity and untraceability in their implementation for communication between multiple servers and end users [1, 3, 7, 10]. Also we found that the research in protocols with the registration server has been intensified towards lightweight, but on the other hand, their security performance has become weakened [24, 26, 29]. In our work, we analysed the pre-shared key-based Lwamo et al.’s scheme [12] where the registration center doesn’t participate in the key agreement, and found that his scheme is vulnerable to the stolen smart card attack. We also analysed the pseudo-identities-based Zhou et al.’s scheme [31] where the registration center participates in the key agreement, and found that their scheme is vulnerable to replay attack and does not provide mutual authentication, no key control, re-registration with an original identity, and efficiency in the verification of wrong password. From this research, we propose an improved authentication key agreement protocol for communication between multi-servers and end users to overcome the flaws of Zhou et al.’s scheme. Finally, we analysed the security properties of our protocol and performed comparative analysis with precedent protocols to show that our protocol is superior in terms of security properties and computational complexity.

2. Preliminaries

This section describes Fuzzy extractor, Chebyshev chaotic maps, their computational problems and threat model.

2.1 Fuzzy extractor

The fuzzy extractor includes two functions Gen and Rep. The function Gen extracts biometric input BI, and outputs a nearly random binary string R and an auxiliary binary string P. And the function Rep recovers R with the assistance of corresponding auxiliary string P and biometric BI*. If dis(BI, BI*) ≤ t and Gen(BI) → <R, P>, then we have Rep(BI*, P) = R. Otherwise, there is no guarantee provided by function Rep. The literature [40, 41] describes more details about the fuzzy extractor.

2.2 Chebyshev polynomials

Chebyshev polynomial T_m(a) is defined as follows [42].

Chebyshev polynomials satisfy the following recursive relationship [42].

2.3 The property of Chebyshev polynomials

Chebyshev polynomials have the following two properties [42, 43].

Chaotic property: When m>1, Chebyshev polynomial map T_m(a): [–1,1]→[–1,1] of degree m is a chaotic map with its invariant density , for positive Lyapunov exponent ln(m) > 0.

Semi-group property: For x, y∈N and any a∈[–1,1], T_x(T_y(a)) = T_xy(a) = T_y(T_x(a)).

2.4 Enhanced Chebyshev polynomials

The semi-group property holds for Chebyshev polynomials on the interval (-∞, +∞), which can enhance the property as follows [43]:

2.5 Computational problems based on Chebyshev polynomials

CDLP (Chaotic map-based Discrete Logarithm problem): For given two real numbers a and b, it is infeasible to find the integer m by any polynomial time bounded algorithm, where b = T_m(a) mod p [43].

CDHP (Chaotic map-based Diffie-Hellman problem): For given three elements a, T_x(a) mod p and T_y(a) mod p, it is infeasible to compute the value T_xy(a) mod p by any polynomial time bounded algorithm [43].

2.6 Threat model

In this subsection, we introduce several threat models including the Dolev-Yao threat model [44], side channel attack [45], and password guessing attack [46], for the security analysis of the proposed scheme and previous schemes.

An attacker can eavesdrop, modify, remove, block and retransmit all messages transmitted on the public channel [44].
An attacker can extract all stored data from a lost or stolen smart card as a power analysis attack [40].
An attacker can perform offline and online password guessing attacks after obtaining information from user’s smart card [46].
An attacker can be a malicious user or an outside hacker [20].

3. Analysis of precedent schemes

In this section, we review the schemes proposed by Lwamo et al. [12] and Zhou et al. [31], and show that their schemes have some flaws.

3.1 Analysis of Lwamo et al.’s scheme

3.1.1 Lwamo et al.’s scheme.

Lwamo et al. proposed the authentication key agreement protocol without the registration center using hash function and symmetric key encryption. The user identity is encrypted with the public key of the service server and it is updated every round.

Table 1 shows the notations used in his scheme.

Download:

Table 1. Notations in Lwamo et al.’s scheme.

https://doi.org/10.1371/journal.pone.0271817.t001

Registration phase

Registration for server
To be a valid server, the server sends a registration request to RC via a secure channel. The server’s identity S_j and its public key pu_j are contained in the registration request. Then RC sends VPSK and s to the server by a response via a secure channel like Internet Key Exchange version 2 (IKEv2) and publishes pu_j.
Registration for user
1. Step 1: First the user A_i selects his/her identity U_i, password P_i, a nonce a_i and biometric information BO_i.
2. Step 2: A_i computes MP_i = h(U_i || a_i || P_i) and VREG = h(MP_i⊕BO_i).
3. Step 3: The registration request {U_i, VREG = h(MP_i⊕BO_i)} is sent to RC by A_i.
4. Step 4: SA_i = h (U_i || s), SB_i = h(SA_i) and SC_i = h(VREG = h(MP_i ⊕BO_i))⊕SB_i are generated by RC.
5. Step 5: The RC chooses a nonce a_ci for A_i, computes MU_i = E_s(U_i||a_ci), SD_i = VPSK⊕MU_i and makes the smart card storing {MU_i, SB_i, SC_i, SD_i, h(.)} its own possession.
6. Step 6: The A_i inserts the nonce a_i into the smart card, which now includes SC = {MU_i, a_i, SB_i, SC_i, SD_i, h(.)} and owns the smart card.

Login and authentication phase

Step 1: A_i inserts the smart card into the reader and enters U_i, P_i and BO_i.
Step 2: Then the smart card computes SB_i* = SC_i⊕h(h(U_i||a_i||P_i) ⊕ BO_i) and sees if SB_i* = SB_i. If SB_i*≠SB_i, the smart card stops the login phase. The smart card is blocked if the two values do not match for three continued trials within limited threshold time.
Step 3: Then the smart card chooses a nonce Ra_i and computes M₁ = h(SB_i) ⊕ Ra_i, M₂ = h(Ra_i || MU_i || SD_i ||T₁), where T₁ is the current time on the smart card, and M₃ = Epu_j(MU_i, M₁).
Step 4: The smart card sends the login request LOGIN {M₂, M₃, S_j, T₁} to the server B_j.
Step 5: When B_j receives the request, the difference between the received login request time T₁ and the server time T₂ is computed as ΔT = T₂ –T₁ by B_j, the phase is terminated by the server if the difference is bigger than the required transfer time.
Step 6: To get MU_i and M₁, M₃ is decrypted as Dpr_j(M₃) by the server. And to get the real identity of the user MU_i is decrypted as Ds(MU_i) = U_i || a_ci by the server.
Step 7: The server calculates SA_i* = h (U_i||s) and R_ai = M₁ ⊕h²(SA_i*).
Step 8: M₂* = h (R_ai|| MU_i || (VPSK⊕MU_i) ||T₁) is computed and it is checked if M₂ = M₂* by the server. The session is stopped if M₂ ≠ M₂*.
Step 9: The server selects two nonces Ra_j and Ra_j^new, calculates s* = h(Ra_i|| T₃) where T₃ is the current server time, and computes a new identity for A_i as MU_i^new = h(U_i|| Ra_j^new).
Step 10: Then a challenge message M₄ = E_s (MU_i^new||Ra_j||Ra_i||U_i||R_j^new||S_j) and the masked identity MS_j = h(S_j⊕Ra_j) are computed by the server. And the message CHALLENGE {M₄, MS_j, T₃} is sent to A_i.
Step 11: After receiving the message from the server, the smart card computes the difference ΔT = T₄ − T₃, where T₄ is the current time on the smart card. The smart card stops the session if the difference is bigger than the defined interval.
Step 12: The smart card calculates s* = h(Ra_i|| T₃) and M₄ is decrypted as Ds*(M₄) to get MU_i^new, Ra_j, Ra_i, Ra_j^new, U_i and S_j.
Step 13: The smart card calculates MU_i^new * = h(U_i|| Ra_j^new *) and MS_j* = h(S_j||Ra_j). And then it sees if MS_j = MS_j* and if MU_i^new* = MU_i^new. Also the smart card sees if R_i and U_i are equal to those sent to the server on the login request, if they do not match, the smart card terminates the session.
Step 14: The response message M₅ = h(Ra_j||MU_i^new||Ra_i) and the session key Sk_ij = h(Ra_i||SB_i||S_j||Ra_j) is calculated by the smart card. And the smart card sends the response RESP {M₅} to B_j.
Step 15: After the server receives the response, it calculates M₅* = h (Ra_j||MU_i^new||Ra_i) and sees if M₅* = M₅. The session is stopped if M₅*≠M₅.
Step 16: The session key Sk_ij = h(Ra_i||h²(U_i||s) ||S_j||Ra_j) is computed by the server. In this step, the mutual authentication between the user and the server is achieved and the session key between them is created.

Password update phase

Step 1: The user inserts the smart card into the card reader and inputs U_i, P_i and BO_i.
Step 2: The smart card computes SB_i* = SC_i⊕h ((h(U_i||a_i||P_i) ⊕ BO_i).
Step 3: The smart card sees if SB_i* = SB_i and stops the session if SB_i*≠SB_i.
Step 4: The smart card gets a new password P_i^new from the user and calculates SC_i^new = SC_i⊕h(h(U_i|| a_i || P_i) ⊕BO_i) ⊕h(h(U_i|| a_i || P_i^new) ⊕BO_i).
Step 5: The value of SC_i is replaced with SC_i^new by the smart card.

3.1.2 Flaws of Lwamo et al.’s scheme.

Stolen smart card attack. In his scheme, SC = {MU_i, SB_i, SC_i, SD_i, h(.), a_i} is stored in his/her smart card. Thus, an attacker can get SB_i directly without inputting the identity U_i, the password P_i or the biometric BO_i if he gets the user’s smart card. Then the attacker generates a random number Ra_i, computes M₁ = h (SB_i) ⊕ Ra_i, M₂ = h (Ra_i||MU_i||SD_i||T₁) and M₃ = E_puj(MU_i, M₁) and sends LOGIN{M₂, M₃, S_j, T₁} with a time stamp T₁ to the server B_j. In this case, B_j recognizes the attacker as a valid user A_i. After receiving the message CHALLENGE {M₄, MS_j, T₃} from the server via step 10 from the step 4 of the login and authentication phase, the attacker finally gets the session key Sk_ij = h(Ra_i||h²(U_i||s) ||S_j||Ra_j) between himself and the server B_j.

As a result, Lwamo et al.’s scheme is vulnerable to the stolen smart card attack.

3.2 Analysis of Zhou et al.’s scheme

3.2.1 Zhou et al.’s scheme.

In 2019, Zhou et al. proposed a hash function-based lightweight authentication key agreement scheme for user-multi IoT access in IoT environment. In their scheme, the pseudo-identities are used. Table 2 shows the notations used in Zhou et al.’s scheme.

Download:

Table 2. Notations in Zhou et al.’s scheme.

https://doi.org/10.1371/journal.pone.0271817.t002

Registration phase

Registration for user
1. Step 1: UV_i chooses his/her identity and pseudo-identity pair (I_i, PI_i), password PA_i and a random number r_i. HP_i = h (PA_i || r_i) is computed and (I_i, PI_i) is sent to CS through the secure channel by the user.
2. Step 2: CS sees if I_i is valid and will terminate the registration process if the identity is invalid. If it is valid, then CS computes C₁* = h (PI_i||I_cs||k) and C₂* = h (I_i||k). And the identity I_i is stored in database and (C₁*, C₂*, I_cs) is sent to UV_i through the secure channel by CS.
3. Step 3: The user calculates C₁ = C₁* ⊕ HP_i, C₂ = C₂* ⊕ h (I_i ||HP_i) and C₃ = r_i ⊕ h(I_i || PA_i) and stores (C₁, C₂, C₃, PI_i, I_cs) in his smart card.
Registration for cloud server
1. Step 1: The server SV_j’s identity and pseudo-identity pair (SI_j, PSI_j) is sent to CS through a secure channel by the server.
2. Step 2: CS calculates B₁ = h(PSI_j||I_cs||k) and B₂ = h(SI_j ||k), stores S_ij and (B₁, B₂, I_cs) is sent to the server through the secure way.
3. Step 3: (B₁, B₂, SI_j, PSI_j, I_cs) is stored in SV_j’s database.

Authentication phase

Step 1: The user UV_i inserts his/her smart card into the reader and inputs (I_i, PA_i). And the smart card chooses a nonce b_u and a new pseudo-identity PI_i^new and calculates r_i = C₃ ⊕h(I_i || PA_i), HP_i = h(PA_i|| r_i), C₁* = C₁ ⊕ HP_i, C₂* = C₂ ⊕ h(I_i || HP_i), D₁ = C₁* ⊕ b_u, D₂ = h(b_u||PI_i||I_cs) ⊕I_i, D₃ = C₂* ⊕ h(I_i ||HP_i) ⊕ PI_i^new ⊕ h(b_u || I_i), D₄ = h(I_i||PI_i||PI_i^new||b_u||D₃). Then the user sends the message M₁ = {PI_i, D₁, D₂, D₃, D₄} to the nearest cloud server SV_j.
Step 2: The server chooses PSI_j^new and a nonce b_s, calculates D₅ = B₁ ⊕ b_s, D₆ = h (b_s||PSI_j||I_cs) ⊕ SI_j, D₇ = B₂ ⊕ PSI_j^new ⊕ h(b_s || SI_j), D₈ = h(SI_j||PSI_j||PSI_j^new||b_s||D₇). And SV_j sends the message M₂ = {PI_i, D₁, D₂, D₃, D₄, PSI_j, D₅, D₆, D₇, D₈} to CS through the secure channel.
Step 3: b_u = D₁ ⊕ h(PI_i||I_cs||k), I_i = D₂ ⊕ h(b_u||PI_i||I_cs), PI_i^new = D₃ ⊕ h(I_i || k) ⊕ h(b_u || I_i) is computed by CS and CS sees if I_i is valid and sees if D₄ = h(I_i||PI_i||PI_i^new||b_u||D₃). If so, CS computes b_s = D₅ ⊕ h(PSI_j||I_cs||k), SI_j = D₆ ⊕ h(b_s||PSI_j||I_cs), PSI_j^new = D₇ ⊕ h(SI_j ||k) ⊕ h(b_s || SI_j) and sees if S_ij is valid and sees if D₈ = h(SI_j||PSI_j||PSI_j^new||b_s||D₇). CS will stop the session if any verification is not right. Or else, CS chooses a nonce b_cs and computes SK_cs = h(b_u ⊕ b_s ⊕ b_cs), D₉ = h(PSI_j^{ne w}||I_cs||k) ⊕ h(b_s || PSI_j^new), D₁₀ = h(PSI_j^new||b_s||PSI_j) ⊕ (b_u ⊕ b_cs), D₁₁ = h(SK_cs||D₉||D₁₀ || h(SI_j || k)), D₁₂ = h(PI_i^new||I_cs||k) ⊕ h(b_u|| PI_i^new), D₁₃ = h(PI_i^new||b_u||PI_i) ⊕(b_s ⊕ b_cs), D₁₄ = h(SK_cs||D₁₂||D₁₃|| h(I_i || k)). And CS sends the message M₃ = {D₉, D₁₀, D₁₁, D₁₂, D₁₃, D₁₄} to SV_j.
Step 4: (b_u ⊕ b_cs) = D₁₀ ⊕ h (PSI_j^new||b_s||PSI_j) and SK_s = h (b_s ⊕b_u ⊕ b_cs) are computed by SV_j. And the server sees if D₁₁ = h (SK_s||D₉||D₁₀ || B₂) is true. If it’s true, SV_j computes B₁^new = D₉ ⊕ h(b_s ||PSI_j^new) and replaces (B₁, PSI_j) with (B₁^new, PSI_j^new). In the end, the server sends the message M₄ = {D₁₂, D₁₃, D₁₄} to UV_i.
Step 5: After receiving M₄, the smart card calculates (b_s ⊕ b_cs) = D₁₃ ⊕ h(PI_i^new||b_u||PI_i), SK_u = h(b_u ⊕ b_s ⊕ b_cs) and sees if D₁₄? = h (SK_u||D₁₂||D₁₃ || C₂*) is true. If passed, the smart card calculates C₁^new = D₁₂ ⊕ h (b_u || PI_i^new) ⊕ HP_i and replaces (C₁, PI_i) with (C₁^new, PI_i^new).

Password update phase

Step 1: When the user UV_i wants to change his/her password, he/she inserts his/her smart card into the reader and inputs (I_i, PA_i). And the smart card chooses a nonce b_u and a new pseudo-identity PI_i^new and calculates r_i = C₃ ⊕h(I_i || PA_i), HP_i = h(PA_i || r_i), C₁ * = C₁ ⊕ HP_i, C₂ * = C₂ ⊕ h(I_i || HP_i), D₁ = C₁* ⊕ b_u, D₂ = h(b_u||PI_i||I_cs) ⊕I_i, D₃ = C₂* ⊕ h(I_i || HP_i) ⊕ PI_i^new ⊕ h(b_u || I_i) and D₄ = h(I_i||PI_i||PI_i^new||b_u||D₃). Then the user sends the message M₅ = {PI_i, D₁, D₂, D₃, D₄} with a password change request to CS.
Step 2: CS calculates b_u, I_i, P_i and sees if I_i and D₄ are correct. If so, D₁₂ and D₁₅ = h(I_i||PI_i||PI_i^new||b_u||D₁₂) is computed by CS. In the end, M₆ = {D₁₂, D₁₅} with a permission is sent to UV_i.
Step 3: The smart card sees if D₁₅ = h(I_i||PI_i||PI_i^new||b_u||D₁₂) is true. If so, it prompts UV_i to enter a new password PA_i^new and calculates HP_i^new = h(PA_i^new || r_i), C₁^new2 = D₁₂ ⊕ h(b_u ||PI_i^new) ⊕ HP_i^new, C₂^new = C₂* ⊕ h(I_i || HP_i^new) and C₃^new = r_i ⊕ h(I_i || PA_i^new) and replaces (C₁, C₂, C₃, PI_i) with (C₁^new2, C₂^new, C₃^new, PI_i^new).

3.2.2 Cryptanalysis of Zhou et al.’s scheme.

No providing mutual authentication. Zhou et al.’s scheme doesn’t provide the mutual authentication between the user and the server. At first, in the step 1 of authentication phase, the message M₁ = {PI_i, D₁, D₂, D₃, D₄} which is sent to the server by the user doesn’t include the information concerned with the server SV_j. And in the step 2 of authentication phase, after receiving the message M₁, SV_j directly computes D₅, D₆, D₇ and D₈ without verifying the user which sends M₁, and then sends the message M₂ = {PI_i, D₁, D₂, D₃, D₄, PSI_j, D₅, D₆, D₇, D₈} to the registration center CS. Also in the step 3, CS authenticates SV_j by checking if D₈ = h(SI_j||PSI_j||PSI_j^new||b_s||D₇) and authenticates UV_i by checking if D₄ = h(I_i||PI_i||PI_i^new||b_u||D₃). In the step 4, when the server receives the message M₃ = {D₉, D₁₀, D₁₁, D₁₂, D₁₃, D₁₄}, the server authenticates CS by checking if D₁₁ = h (SK_s||D₉||D₁₀ || B₂). But the message M₃ doesn’t contain the information that the server can authenticate the user UV_i. In this step, the information concerned with UV_i is only (b_u ⊕ b_cs) but using it, the server cannot authenticate the user UV_i. So in this step, the server can authenticate CS, but it cannot authenticate the user UV_i. Continuously in the step5, UV_i receives the message M₄ = {D₁₂, D₁₃, D₁₄} from the server and authenticates CS by checking if D₁₄ = h(SK_u||D₁₂||D₁₃ || C₂*). But the information that the user can authenticate the server SV_j isn’t included in the message M₄. In this step, the information concerned with SV_j is only (b_s ⊕ b_cs) but using it, the user cannot authenticate SV_j. So in this step, the user can authenticate CS, but cannot authenticate the server SV_j.

In conclusion, Zhou et al.’s scheme doesn’t provide the mutual authentication between the user and the server.

According to the random oracle model [46], the attacker can intercept and steal the message M₁ which is sent to the server SV_j by UV_i and he can send it to another server SV_m which is not the server SV_j. Then SV_m cannot know that UV_i sent M₁ to itself because the mutual authentication isn’t provided between them. And the server SV_m sends the message M₄ to the attacker after passing from the step2 to the step 4. In that case, the attacker sends back this message to the user UV_i and the user UV_i regards the session key which he computes in the end as the session key between himself and the server SV_j because he doesn’t know that he has communicated with the server SV_m until then.

Like this, in this scheme, the user doesn’t know which server he is communicating with, so even if the attacker sends his message to the other server, he will never recognize it.

Replay attack. In the step2 of the authentication phase, after receiving the message M₁ from the user, the server doesn’t check if the message M₁ was replayed. And the server computes D₅, D₆, D₇, D₈ and sends the message M₂ to CS. And in the step3, the message M₂ which the server sent to CS doesn’t contain any information which CS can check if M₁ was replayed in the step1 such as a time stamp or the random number which CS generated and sent to the user. In this step, CS only knows the random number b_u generated by the user. So CS also doesn’t recognise the replay attack. Thus, if the attacker steals the message M₁ and retransmits it to the server SV_j, the server will not recognize this attack and will keep computing. After receiving M₁, the server will send M₂ to CS and CS also will not recognize the replay attack and will transmit M₃ to the server. Finally, the server will send M₄ to the attacker. Like this way, the attacker can pass the step2, 3 and 4 very easily. As a result, this scheme is vulnerable to the replay attack.

No key control. In Zhou et al.’s scheme, the session key is computed as follow: SK_s = h(b_s ⊕b_u ⊕ b_cs). Here, b_s is the random number generated by the server, b_u is the random number generated by the user and b_cs is the random number generated by CS. In the step3 of the authentication phase, CS gets b_u and b_s by computing b_u = D₁ ⊕ h (PI_i||I_cs||k) and b_s = D₅ ⊕ h(PSI_j||I_cs||k). And CS generates the random number b_CS and computes the session key SK_cs = h (b_u ⊕ b_s ⊕ b_cs). Like this, CS knows all of the three random numbers so the session key between the user and the server publishes to CS. As we know, the session key is the secret value which only two session entities must have because this is the key for the session between the user and the server. But in this scheme, CS also gets the session key between the user and the server. Thus, this scheme doesn’t provide no key control property.

Re-registration with the original identity. In the user registration process of this scheme, the secret value concerned with the user identity is C₂* = h(I_i || k). In the case that CS’s secret key k is known to the attacker, the user has to update the value of C₂* concerned with his identity by reregistration in CS. So the attacker cannot guess the next round’s secret value. But in this scheme, the user cannot register again with his original identity I_i and he can no longer use this identity because the secret C₂* doesn’t include any nonce.

If a random number is included in the computing of C₂*, the user can use the original identity because he can update C₂* by generating the new random number.

Inefficiency in the verification of wrong password. In 2006, Tsai et al. [47] pointed out that the ideal password-based scheme should detect typo error quickly without the communication with the home server. But in Zhou et al.’s scheme, if the attack inputs wrong password, it can not be quickly detected by the smart card. In the step 1 of the authentication phase, the smart card gets r_i = C₃ ⊕ h(I_i || PA_i) when the user enters his identity and password. But in this step, the smart card doesn’t check if this r_i is the same with the random number generated by the user in the registration phase, keeps computing and sends the message M₁ to the server. In the step2, there is also no verification process of the password and in this step the server sends the message M₂ to CS. Only then in the step3, CS can recognise the wrong password by checking the value of D₄.

Therefore, if the attacker inputs the wrong password in the step1, all the values computed in this step will be wrong. But the authentication process keeps going passing the step2 and step3, only then in the step3 these errors are detected.

4. Proposed scheme

In this section we describe an improved authentication key agreement protocol using pseudo-identity that overcomes the limitations of the Zhou et al.’s scheme. The proposed scheme consists of four steps: registration phase, authentication, session key exchange phase, password change phase and user revocation, reregistration phase. The notations in Table 3 are used to describe the proposed scheme in our work.

Download:

Table 3. Notation used in proposed scheme.

https://doi.org/10.1371/journal.pone.0271817.t003

4.1 Registration phase

4.1.1 User registration phase.

All users who want to exchange session keys using the proposed scheme must register on CS.

Fig 1 shows the user registration process.

Download:

Fig 1. User registration phase in the proposed scheme.

https://doi.org/10.1371/journal.pone.0271817.g001

Step 1: The user UR_i selects UID_i, PUID_i, PW_i and inputs BIO_i in the smart card. Then the smart card extracts (R_i, P_i) from Gen(BIO_i) → (R_i, P_i), computes VD_i = h(PW_i||R_i||UID_i) and sends (UID_i,PUID_i) to R via a secure channel.
Step 2: The registration center R generates a random number RU_c, computes UD₁* = h(PUID_i||RID||x_U), UD₂* = h(UID_i||x_U||RU_cs) and stores UID_i, RU_cs in its database. And then R sends (UD₁*, UD₂*, RID) to UR_i via a secure channel.
Step 3: The user computes UD₁ = UD₁*⊕VD_i, UD₂ = UD₂*⊕VD_i, UD₃ = h(VD_i||UD₁*||UD₂*) and stores (UD₁,UD₂,UD₃,PUID_i,RID,P_i) in his smart card.

4.1.2 Server registration phase.

Fig 2 shows the server registration process.

Download:

Fig 2. Server registration phase in the proposed scheme.

https://doi.org/10.1371/journal.pone.0271817.g002

Step 1: The server SR_j first selects SID_j, PSID_j and sends (SID_j, PSID_j) to R via a secure channel.
Step 2: R computes SD₁ = h (PSID_j||RID||x_S), SD₂ = h(SID_j||x_S||RS_cs) and stores SID_j, RS_cs in the database. And then R sends (SD₁, SD₂, RID) to the server.
Step 3: The server SR_j stores (SD₁, SD₂, SID_j, PSID_j, RID) in his smart card.

4.2 Authentication and session key exchange phase

Fig 3 shows the authentication and session key exchange steps of the proposed scheme.

Download:

Fig 3. Authentication and session key exchange phase of the proposed scheme.

https://doi.org/10.1371/journal.pone.0271817.g003

Step 1: The user UR_i inserts his smart card into a card reader and enters UID_i, PW_i and BIO_i*. The smart card recovers R_i from Rep(BIO_i*,P_i) → R_i, selects the random numbers r_U, PUID_i^new, rk_U and computes P_U = T_rkU(α) mod p, UD₁* = UD₁⊕h(PW_i||R_i||UID_i), UD₂* = UD₂⊕h(PW_i||R_i||UID_i). And then UR_i computes UD₃’ = h(h(PW_i ||R_i ||UID_i) ||UD₁*||UD₂*) and checks if UD₃’ = UD₃. If it’s false, this phase will be stopped. If so, the smart card calculates E₁ = UD₁*⊕r_U, E₂ = h(r_U||PUID_i||RID) ⊕UID_i, E₃ = PUID_i^new⊕h(r_U||UID_i), V_UR = h(UID_i||PUID_i||PUID_i^new||r_U||P_U||SID_j||T₁||UD₂*)(T₁ is a time stamp.) and sends the message M₁ = {PUID_i,E₁,E₂,E₃,V_UR, P_U,T₁} to the server SR_j.
Step 2: After receiving the message M₁, the server SR_j computes ΔT = T₁-T₂ that is the difference between T₁ and T₂ (T₂ is the current time on SR_j). If the difference ΔT is greater than ΔT_define that is the defined time interval, the server will stop the authentication phase. Else the server selects PSID_j^new, r_S, rk_S and calculates P_S = T_rkS(α) mod p, SK = T_rkS(P_U) = T_rkS,rkU(α) mod p, E₄ = SD₁⊕r_S, E₅ = h(r_S||PSID_j||RID)⊕SID_j, E₆ = PSID_j^new⊕h(r_S||SID_j), V_SU = h(SK||SID_j||RID), V_SR = h(SID_j||PSID_j|| PSID_j^new||r_S||P_U||P_S||T₃||V_SU|| SD₂) (T₃ is a time stamp.). And SR_j transmits the message M₂ = {PUID_i,E₁,E₂,E₃, V_UR,E₄,E₅,E₆,V_SR,T₁,T₃,P_S, P_U,V_SU} to the registration center R.
Step 3: And R computes ΔT* = T₃-T₄ that is the difference between T₃ and T₄ (T₄ is the current time on R). If ΔT* is greater than ΔT*_define that is the defined time interval, R will stop this phase. Else R computes the following data: r_U = E₁⊕h(PUID_i||RID||x_U), UID_i = E₂⊕h(r_U||PUID_i||RID), UD₂*’ = h(UID_i||x_U||RU_cs), PUID_i^new = E₃⊕h(r_U||UID_i), r_S = E₄⊕h(PSID_j||RID||x_S), SID_j = E₅⊕ h(r_S ||PSID_j||RID), SD₂* = h(SID_j||x_S||RS_cs), PSID_j^new = E₆⊕h(r_S||SID_j). And then R checks if the identity UID_i is valid. If so, R computes V_UR’ = h(UID_i||PUID_i||PUID_i^new||r_U||P_U||SID_j||T₁||UD₂*) and checks if V_UR’ = V_UR. If not so, the session will be terminated. Else it is checked if SID_j is valid, computes V_SR’ = h(SID_j||PSID_j|| PSID_j^new||r_S||P_U||P_S||T₃||V_SU|| SD₂) and checks if V_SR’ = V_SR. If so, E₇ = h(PSID_j^new||RID||x_S)⊕h(r_S||PSID_j), V_RS = h(SD₂*||r_S||P_U), E₈ = h(PUID_i^new||RID||x_U)⊕h(r_U||PUID_i), V_RU = h(UD₂*’||r_U||P_S) are computed and R sends the message M₃ = {E₇,E₈,V_RU,V_RS,P_S,V_SU} to UR_i.
Step 4: Then the user calculates V_RU’ = h(UD₂*||r_U||P_S) and checks if V_RU’ = V_RU. If so, he calculates SK’ = T_rkU(P_S) = T_rkSrkU(α) mod p, V_SU’ = h(SK’||SID_j||RID) and checks if V_SU’ = V_SU. If not so, the session will be stopped. Else he keeps SK’ as the session key SK. And the user computes UD₁*^new = E₈⊕h(r_U||PUID_i), UD₁^new = UD₁*^new⊕ h(PW_i||BIO_i||UID_i) and replaces (UD₁,PUID_i) with (UD₁^new,PUID_i^new). Also he calculates V_US = h(SK||RID) and transmits the message M₄ = {E₇, V_RS, V_US} to the server SR_j.
Step 5: The server SR_j computes V_RS’ = h(SD₂||r_S||P_U) and checks if V_RS’ = V_RS. If so, SR_j computes V_US’ = h(SK||RID) and checks if V_US = V_US’. If not so, the session will be terminated. Else the server regards SK as the session key for itself and UR_i, computes SD₁^new = E₇⊕h(r_S||PSID_j) and replaces (SD₁, PSID_j) with (SD₁^new, PSID_j^new).

4.3 Password change phase

Step 1: When the user UR_i wants to change his password, he first inserts his smart card into a reader and inputs UID_i, PW_i and BIO_i. Then the smart card extracts (R_i, P_i) from Gen(BIO_i) → (R_i, P_i), selects r_U, PUID_i^new, rk_U, computes P_U = T_rkU(α) mod p, UD₁* = UD₁⊕h(PW_i||R_i||UID_i), UD₂* = UD₂ ⊕h(PW_i||R_i||UID_i),UD₃’ = (h(PW_i||R_i||UID_i)||UD₁*||UD₂*) and checks if UD₃’ = UD₃. If so, the smart card calculates E₁ = UD₁⊕r_U, E₂ = h(r_U||PUID_i||RID) ⊕UID_i and E₃ = UD₂*⊕PUID_i^new⊕h(r_U||UID_i), V_UR = h(UID_i||PUID_i||PUID_i^new||r_U||P_U||SID_j||T₅)(T₅ is a time stamp.), and sends the message M₅ = {PUID_i,E₁,E₂,E₃,V_UR, P_U,T₅} with a password change request to R.
Step 2: After receiving the message with a request, R calculates ΔT** = T₅-T₆ that is a difference between T₅ and T₆ (T₆ is the current time on R). If ΔT** is greater than a defined time interval, R will terminate this phase. Else R computes r_U = E₁⊕h(PUID_i||RID||x_U), UID_i = E₂⊕h(r_U||PUID_i||RID), UD₂*’ = h(UID_i||x_U||RU_cs), PUID_i^new = E₃⊕UD₂*’⊕h(r_U||UID_i). And R checks if UID_i is valid, computes V_UR’ = h(UID_i||PUID_i||PUID_i^new||r_U||P_U||SID_j||T₁) and checks if V_UR’ = V_UR. If so, E₈ = h(PUID_i^new||RID||x_U)⊕h(r_U||PUID_i), E₉ = h(UID_i||PUID_i||PUID_i^new||r_U||D₈) are computed and the message M₆ = {E₈,E₉} is sent to the user UR_i.
Step 3: And the smart card of UR_i calculates E₉’ = h(UID_i||PUID_i||PUID_i^new||r_U||E₈) and checks if E₉’ = E₉. If so, UR_i enters the new password PW_i^new. Then the smart card calculates VD_i^new = h(PW_i^new||R_i||UID_i), UD₁^new2 = UD₁^new⊕VD_i^new, UD₂^new = UD₂*⊕VD_i^new, UD₃^new = h(VD_i^new||UD₁^new||UD₂*) and replaces (UD₁,UD₂,UD₃) with (UD₁^new2,UD₂^new,UD₃^new).

4.4 User revocation and re-registration phase

4.4.1 User revocation phase.

If the user UR_i wants to revocate his data on the registration center, he needs to send his identity UID_i with a revocation request to R via a secure channel. Then R checks if UID_i was included in its database and if so, R will remove all data concerned with the identity UID_i in the database. And a revocation response is sent to the user UR_i via a secure channel.

4.4.2 Reregistration phase.

If the user UR_i wants to register again, he has to choose his new identity, new pseudo-identity, new password, new biometric and to pass the steps in the user registration phase as they are. In the precedent schemes, the user’s secret key UD₁* = h (UID_i||x_U) consists of only the user’s identity and the server’s secret value. Thus, if the user’s secret key is published, the user must choose a new identity to register again. But in our scheme, the user’s secret key UD₁* = h (UID_i||x_U||RU_cs) consists of the user’s identity, the server’s secret value and a nonce. The user’s secret key is updated without the identity change because the registration center R generates a new nonce RU_cs every registration phase. Therefore, the user can register again on R without change of his identity. To register again on R with an original identity, the user has to transmit his original identity, pseudo-identity, password and biometric to R. And then he has to pass the steps in the user registration phase as they are.

5. Security analysis of the proposed scheme

In this section, we analyse the security properties of the proposed scheme. First, we prove the validation of the session key between the user and server by using BAN logic [48]. Next, we simulate the proposed scheme for the formal security analysis by using AVISPA (Automated validation of internet security protocol and application) tool [49]. Last, we demonstrate the proposed scheme can resist various kinds of attacks.

5.1 Authentication proof based on BAN logic

Notations and rules.

We define P and Q as the specific participators, S is the trusted server, and X is the formula (statement). Some notations and rules of BAN logic are as follows [48].

P |≡ X: P believes X.
P ⊲ X: P sees X.
P |∼ X: P once said X.
P |⇒ X: P has jurisdiction over X.
#(X): X is fresh.
: K is a shared secret key between P and Q.
{X}_K: Formula X is encrypted under the key K.
<X>_Y: X combined with the formula Y.
(Message-meaning rule): if P believes that the key K is shared with Q and receives a message containing X encrypted under K, then P believes that Q once said X.
(Nonce-verification rule): if P believes X is fresh and Q once said X, P believes Q believes X.
(Jurisdiction rule): if P believes that Q had jurisdiction right to X and believes Q believes X, P believes X.
(Freshness rule): If X is a part of message (X, Y) and X is fresh, message (X, Y) is also fresh.
(Belief rule 1): If P believes Q believes the message set (X, Y), P also believes Q believes the message X.
(Belief rule 2): If P believes the message X and Y, P also believes the message set (X, Y).
(Hash function rule): if P believes that Q once said H(X) and receives X, P believes Q once said X.

Goals.

The session key exchange protocol should achieve the following goals:

Idealize.

We idealize the communication messages of the proposed scheme as follows:

Assumptions.

The initial assumptions of the proposed scheme are as follows:

A_UR1: UR|≡rk_U
A_UR2: UR|≡#(rk_U)
A_UR3: UR|≡R|⇒P_S
A_UR5: UR|≡r_U
A_UR6: UR|≡#(r_U)
A_SR1: SR|≡rk_S
A_SR2: SR|≡#(rk_S)
A_SR3: SR|≡R|⇒P_U
A_SR5: SR|≡r_S
A_SR6: SR|≡#(r_S)

Analysis.

According to M₃ and A_UR4, we apply the hash function rule (R₇), we can obtain:

According to M₃ and A_UR6, we apply the Freshness rule (R₄), we can obtain:

According to S₁ and S₂, we apply the Nonce-verification rule (R₂) and Belief rule 1(R₅), we can obtain:

According to S₃ and A_UR3, we apply the Jurisdiction rule (R₃), we can obtain:

According to S₄, A_UR1 and SK = T_rkU (P_S) mod p, we apply the Belief rule 2(R₆), we can obtain:

According to M₄ and A_SR4, we apply the message meaning rule (R₁) and the hash function rule (R₇), we can obtain:

According to M₄ and A_SR6, we apply the Freshness rule (R₄), we can obtain:

According to S₆ and S₇, we apply the Nonce-verification rule (R₂) and Belief rule 1(R₅), we can obtain:

According to A_SR3 and S₈, we apply the jurisdiction rule (R₃), we can obtain:

According to A_SR1, S₉ and SK = T_rkS(P_U) mod p, we apply the Belief rule 2(R₆), we can obtain:

According to M₃ and S₅, we apply the message meaning rule (R₁) and the hash function rule (R₇), we can obtain:

According to A_UR2, M₃ and SK = T_rkU(P_S) mod p, we apply the Freshness rule (R₄), we can obtain:

According to S₁₁ and S₁₂, we apply the Nonce-verification rule (R₂) and Belief rule 1(R₅), we can obtain:

According to M₄ and S₁₀, we apply the message meaning rule (R₁) and the hash function rule (R₇), we can obtain:

According to A_SR2, M₄ and SK = T_rkS(P_U) mod p, we apply the Freshness rule (R₄), we can obtain:

According to S₁₄ and S₁₅, we apply the Nonce-verification rule (R₂) and Belief rule 1(R₅), we can obtain:

5.2 Validation test based on AVISPA

In this section, we simulate the proposed scheme for the formal security analysis using AVISPA, which is widely used to verify the security properties of designed protocol such as resistance against replay attack and man-in-the-middle attack. This tool implements four back-ends: On-the-Fly-Model-Check (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC) and Three Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). In order to verify the security properties of the protocol using AVISPA, it needs to be specified in HLPSL (High Level Protocol Specification Language), which is a role-based language: basic roles for representing each participant role, and composition roles for representing scenarios of basic roles. Each role is independent from the other, communicating with the other roles by channels [44]. The output format is generated by using one of the four back-ends.

Specifying the proposed protocol.

In our HLPSL implementation, we define three basic roles for the user U, server S and registration center R. Figs 4–6 shows the specifications in HLPSL for the role of U, S and R.

Download:

Fig 4. Role specification in HLPSL for the user U.

https://doi.org/10.1371/journal.pone.0271817.g004

Download:

Fig 5. Role specification in HLPSL for the server S.

https://doi.org/10.1371/journal.pone.0271817.g005

Download:

Fig 6. Role specification in HLPSL for the registration center R.

https://doi.org/10.1371/journal.pone.0271817.g006

In Figs 7–9, we show the HLPSL implementation for the role of the session, environment and goal.

Download:

Fig 7. Role specification in HLPSL for the session.

https://doi.org/10.1371/journal.pone.0271817.g007

Download:

Fig 8. Role specification in HLPSL for the environment.

https://doi.org/10.1371/journal.pone.0271817.g008

Download:

Fig 9. Role specification in HLPSL for the goal.

https://doi.org/10.1371/journal.pone.0271817.g009

In our implementation, we verified the following fifteen secrecy goals and six authentication properties.

secrecy_of sec_rscs: It represents that the nonce Rscs generated by R is kept secret to the registration center R only.
secrecy_of sec_vd: It represents that user U’s private data VD is kept secret to the user U only.
secrecy_of sec_rucs: It represents that the nonce Rucs generated by R is kept secret to the registration center R only.
secrecy_of sec_xs: It represents that registration center R’s secret key X_S is kept secret to R only.
secrecy_of sec_b1: It represents that the server S’s shared secret key B₁ is kept secret to the user U and the registration center R only.
secrecy_of sec_b2: It represents that the server S’s shared secret key B₂ is kept secret to the user U and the registration center R only.
secrecy_of sec_rks: It represents that the nonce Rks generated by the server S is kept secret to the server S only.
secrecy_of sec_rs: It represents that the nonce Rs generated by the server S is kept secret to the server S only.
secrecy_of sec_sid: It represents that the server S’s identity SID is kept secret to the user U, the server S and the registration center R only.
secrecy_of sec_c1: It represents that the user U’s shared secret key C₁ is kept secret to the user U and the registration center R only.
secrecy_of sec_c2: It represents that the user U’s shared secret key C₂ is kept secret to the user U and the registration center R only.
secrecy_of sec_xu: It represents that registration center R’s secret key X_U is kept secret to R only.
secrecy_of sec_rku: It represents that the nonce Rku generated by the user U is kept secret to the user U only.
secrecy_of sec_ru: It represents that the nonce Ru generated by the user U is kept secret to the user U only.
secrecy_of sec_uid: It represents that the user U’s identity UID is kept secret to the user U and the registration center R only.
authentication_on auth_vsr: It represents that the registration R authenticates the server S.
authentication_on auth_vsu: It represents that the user U authenticates the server S.
authentication_on auth_vrs: It represents that the server S authenticates the registration center R.
authentication_on auth_vus: It represents that the server S authenticates the user U.
authentication_on auth_vru: It represents that the user U authenticates the registration center R.
authentication_on auth_vur: It represents that the registration center R authenticates the user U.

Analysis of the results.

We have simulated the proposed scheme using FMC and CL-AtSe back-ends of AVISPA. The simulation results for the security verification are shown in Figs 10 and 11.

Download:

Fig 10. The result of the analysis using OFMC back-end.

https://doi.org/10.1371/journal.pone.0271817.g010

Download:

Fig 11. The result of the analysis using CL-AtSe back-end.

https://doi.org/10.1371/journal.pone.0271817.g011

The results ensure that the proposed scheme is secure under the test of AVISPA using OFMC and CL-AtSe back-ends, and guarantees user anonymity, and it is also secure against the passive attacks and the active attacks, such as the replay attack and man-in-the-middle attack.

5.3 Informal security analysis

In this part, we demonstrate the proposed scheme can resist various kinds of attacks.

Mutual authentication.

The proposed scheme provides the mutual authentication.

In the step 3 of the authentication phase, the registration center R computes r_U = E₁⊕ h(PUID_i||RID||x_U), UID_i = E₂⊕h(r_U||PUID_i||RID), UD₂*’ = h(UID_i||x_U||RU_cs), PUID_i^new = E₃⊕ h(r_U||UID_i), r_S = E₄⊕h(PSID_j||RID||x_S), SID_j = E₅⊕h(r_S||PSID_j||RID), SD₂* = h(SID_j||x_S||RS_cs), PSID_j^new = E₆⊕h(r_S||SID_j) and checks if the user’s identity UID_i is included in the verification table. If so, R computes V_UR’ = h(UID_i||PUID_i||PUID_i^new||r_U||P_U||SID_j||T₁|| UD₂*) and checks if V_UR’ = V_UR. If so, R authenticates the user UR_i. The proof of this authentication is as follows. At first, UD₂* included in V_UR is a secret key known to only the user UR_i and the registration center R. And V_UR contains the nonce r_U generated by the user. Thus the registration center can verify that V_UR was sent by the user and that it wasn’t replayed if V_UR’ = V_UR is true.

And the registration center R checks if the server’s identity SID_j is included in the verification table. If so, R computes V_SR’ = h (SID_j||PSID_j|| PSID_j^new||r_S||P_U||P_S||T₃||V_SU||SD₂) and checks if V_SR’ = V_SR. If so, R authenticates the server SR_j. The proof of this authentication is as follows. At first, SD₂ included in V_SR is a secret key known to only the server SR_j and the registration center R. And V_SR contains the nonce r_S generated by the server. Thus the registration center can verify that V_SR was sent by the server and that it wasn’t replayed if V_SR’ = V_SR is true.

In the step4, the user UR_i computes V_RU’ = h (UD₂*||r_U||P_S) and checks if V_RU’ = V_RU. If so, UR_i authenticates the registration center R. The proof of this authentication is as follows. At first, UD₂* included in V_RU is a secret key known to only the user UR_i and the registration center R. And V_RU contains the nonce r_U generated by the user. Thus the user can verify that V_RU was sent by R and that it wasn’t replayed if V_RU’ = V_RU is true.

And UR_i computes SK = T_rkU (P_S) = T_rkSrkU(α) mod p, V_SU’ = h(SK||SID_j||RID) and authenticates the server SR_j by checking if V_SU’ = V_SU. The proof of this authentication is as follows. Because SK included in V_SU is computed as SK = T_rkS (P_U) = T_rkU (P_S) = T_rkSrkU(α) mod p, it is a secret generated by only the server SR_j except for the user UR_i. Also it contains the nonce r_kU generated by the user in step 1. Thus the user can verify that V_SU was sent by the server and that it wasn’t replayed if V_SU’ = V_SU is true.

In the step5, the server computes V_RS’ = h (SD₂||r_S||P_U) and checks if V_RS’ = V_RS. If so, the server authenticates the registration center R. The proof of this authentication is as follows. At first, SD₂ included in V_RS is a secret key known to only the server SR_j and the registration center R. And V_RS contains the nonce r_S generated by the server. Thus the user can verify that V_RS was sent by R and that it wasn’t replayed if V_RS’ = V_RS is true.

And the server computes V_US’ = h(SK||RID) and authenticates the user UR_i by checking if V_US’ = V_US. The proof of this authentication is as follows. Because SK included in V_US is computed as SK = T_rkS(P_U) = T_rkU(P_S) = T_rkSrkU(α) mod p, it is a secret generated by only the user UR_i except for the server SR_j. Also it contains the nonce r_kS generated by the server in step2. Thus the server can verify that V_US was sent by the user and that it wasn’t replayed if V_US’ = V_US is true.

Therefore, the registration center authenticates the user and server in the step3, the user authenticates the registration center and server in step4, and the server authenticates the registration center and user in step5. Thus the proposed scheme achieves the mutual authentication between the registration center, user and server.

User anonymity.

The proposed scheme provides user anonymity for key exchange.

The data that an attacker can use to get the user’s identity UID_i is E₂ = h(r_U||PUID_i||RID) ⊕ UID_i among the messages M₁ = {PUID_i, E₁, E₂, E₃, V_UR, P_U, T₁}, M₂ = {PUID_i, E₁, E₂, E₃, V_UR, E₄, E₅, E₆, V_SR, T₁, T₃, P_S, V_SU}, M₃ = {E₇, E₈, V_RU, V_RS, P_S, V_SU} and M₄ = {E₇, V_RS, V_US} in authentication key exchange process. If the attacker wants to get UID_i, he may compute as follows: UID_i = E₂⊕h (r_U||PUID_i||RID). For this, the attacker needs to know the nonce r_U generated by the user and has to compute r_U = E₁⊕h (PUID_i||RID||x_U). So the attacker also needs to know x_U, but the attacker cannot get x_U because it is a secret known to only the registration center R. Thus, the attacker cannot get the user’s identity UID_i.

If the attacker wants to get the server’s identity SID_j, he may compute as follows: SID_j = E₅⊕h(r_S||PSID_j||RID). For this, the attacker needs to know the nonce r_S generated by the server and has to compute r_S = E₄⊕h(PSID_j||RID||x_S). So the attacker also needs to know x_S but the attacker cannot get x_S because it is a secret known to only the registration center R. Thus, the attacker cannot get the server’s identity SID_j.

As a result, the attacker cannot get both the user’s identity and server’s identity.

Perfect forward security of session key.

In the proposed scheme, the session key SK is computedd as SK = T_rkS(P_U) = T_rkU(P_S) = T_rkSrkU(α) mod p. It contains the random numbers rk_S and rk_U generated by the different session entities for each session. Thus, even if the attacker gets rk_S and rk_U for the current session, he cannot compute the session key for the previous session. Therefore, the proposed scheme provides the perfect forward secrecy of session key.

Untraceability.

The proposed scheme provides the untraceability.

Let’s imagine that the attacker can get the secret data of the user and server for the previous session by stealing previous messages. But in the step 4 of authentication key exchange phase, the user replaces (UD₁, PUID_i) with (UD₁^new, PUID_i^new) and in the step 5, the server replaces (SD₁, PSID_j) with (SD₁^new, PSID_j^new). And for the next session, both the user and server combine their identities with the updated secret data and generated new random numbers. Therefore, the attacker cannot get the identities of the user and server, for the next session using the previous messages, so he cannot know the current communicating entities.

No key control.

The proposed scheme provides no key control property.

In the proposed scheme, the session key SK is computed as SK = T_rkS(P_U) = T_rkU(P_S) = T_rkSrkU(α) mod p. In this equation, P_S is computed as T_rkS(α) mod p and P_U is computed as T_rkU(α) mod p. And rk_S is only known to the server and the user knows only P_S. But according to the rules CDLP [36] and CDHP [36], the user never computes rk_S from P_S. Also rk_U is only known to the user and the server never gets rk_U from P_U. Thus, the session key cannot be generated by each of the user and server, and it can be only generated by the agreement of both of them.

Off-line password guessing attack.

The proposed scheme resists the password guessing attack.

This scheme does not use passwords during the authentication process but only uses passwords for access to the smart card. The information stored in the user’s smart card is (UD₁, UD₂, UD₃, PUID_i, RID, P_i) and the information that can be used for guessing password is UD₁ = UD₁* ⊕ h(PW_i||R_i||UID_i) and UD₂ = UD₂* ⊕ h(PW_i||R_i||UID_i). Let’s imagine that an attacker steals the user’s smart card SC_i and gets his identity UID_i. Then to guess the password PW_i, the attacker must compute VD_i* = h(PW_i*||R_i||UID_i), UD₁*’ = UD₁⊕VD_i*, UD₂*’ = UD₂⊕VD_i*, UD₃’ = h(VD_i* ||UD₁*’ ||UD₂*’) by using UID_i and any password PW_i* to compare UD₃’ and UD₃ stored in SC_i. But the attacker cannot get R_i because he cannot know the user’s biometric BIO_i so he cannot calculate above equations. Thus, the attacker cannot guess the user’s password.

Privileged insider attack.

The proposed scheme is secure against the privileged-insider attack. In the registration phase of the proposed scheme, only the user’s identifier is transmitted to the registration center through a secure channel and the user’s password and biometric are not transmitted to the registration center. Therefore, the privilege insider of the registration center cannot know the user’s password and biometric. Therefore, the proposed scheme is secure against this attack.

Stolen verifier attack.

The proposed scheme is secure against stolen verifier attack.

In the registration phase, the registration center R stores {UID_i, RU_cs} in the user registration table. Here UID_i is the identity of the user UR_i and RU_cs is the random number chosen by R. The essential factors that R can use to authenticate the user are the shared secrets between the registration center and user, UD₁* = h(PUID_i||RID||x_U), UD₂* = h(UID_i||x_U||RU_cs) and the random numbers r_U, rk_U generated by the user. So even if the attacker knows UID_i and RU_cs, he cannot pass the authentication steps safely. Therefore, the attacker cannot be successful in this attack.

User impersonate attack.

The proposed scheme is secure against the user impersonate attack. In order to impersonate as the user UR_i, the attacker has to compute E₁ = UD₁*⊕r_U, E₂ = h(r_U||PUID_i||RID) ⊕ UID_i and E₃ = PUID_i^new⊕h(r_U||UID_i). Let’s imagine that the attacker knows PUID_i, RID, UID_i and he generates PUID_i^new and a nonce r_U. Then he can calculate E₃ = PUID_i^new⊕h(r_U||UID_i) and E₂ = h(r_U||PUID_i||RID) ⊕UID_i. But he cannot compute E₁ = UD₁*⊕r_U without knowing of UD₁*. But he cannot compute UD₁* = h(PUID_i||RID||x_U) because x_U is a secret known to only the registration center and cannot also calculate E₁ = UD₁*⊕r_U.

Therefore, the attacker cannot impersonate as UR_i and achieve this attack.

Server impersonate attack.

The proposed scheme is secure against the server impersonate attack.

In order to impersonate as the server SR_j, the attacker has to compute E₄ = SD₁⊕r_S, E₅ = h(r_S||PSID_j^new||RID) ⊕ SID_j and E₆ = PSID_j^new⊕h(r_S||SID_j). Let’s imagine that the attacker knows RID, SID_j and he generates PSID_j^new and a nonce r_S. Then he can calculate E₆ = PSID_j^new ⊕ h(r_S||SID_j) and E₅ = h(r_S||PSID_j^new||RID) ⊕SID_j. But he cannot compute E₄ = SD₁⊕r_S without knowing of SD₁. But he cannot compute SD₁ = h(PSID_j||RID||x_S) because x_S is a secret known to only the registration center and cannot also calculate E₄ = SD₁⊕r_S.

Therefore, the attacker cannot impersonate as SR_j and achieve this attack.

Man-in-the-middle attack.

As it is shown above, the proposed scheme achieves certain mutual authentication and the attacker can neither impersonate as the initiator UR_i and the responder SR_j, so an attacker cannot achieve the man-in-the-middle attack. The reasons for this are as follows.

First, the attacker cannot exchange any messages with the user by impersonating as the responder, valid server. As we show above, the attacker cannot compute SD₁ = h(PSID_j||RID||x_S) because x_S is a secret known to only the registration center and cannot also calculate E₄ = SD₁⊕r_S. Hence, the attacker cannot impersonate as the responder. Also the attacker cannot exchange any messages with the server by impersonating as the initiator, valid user. As we show above, the attacker cannot compute UD₁* = h(PUID_i||RID||x_U) because x_U is a secret known to only the registration center and cannot also calculate E₁ = UD₁*⊕r_U. Hence, the attacker cannot impersonate as the initiator.

In conclusion, the attacker cannot achieve the man-in-the-middle attack.

Replay attack.

In the step 2 of the authentication key exchange phase, after receiving the message M₁, the server checks if ΔT = T₁-T₂<ΔT_define and if it is false, the server stops the session. Here T₁ is the time when the message is sent and T₂ is the time when the message is received. So the replay attack can’t be achieved in this step. Also in the step 3, the attacker cannot achieve the replay attacker because the message M₃ contains a time stamp. In the step 4, the user checks if V_RU = h(UD₂*||r_U||P_S) is true. Here r_U is a nonce generated by the user in the step 1, so in the case that the attacker replays the message M₃ to the user, the user can recognize this attack using r_U. Like this, in the step 5, the server can recognize that the message M₄ was replayed by the attacker by checking r_S generated by the server in the step 2.

Therefore, the attacker cannot achieve replay attack.

Forgery attack.

Forgery attack means that an attacker attempts to forge captured messages to masquerade as the legitimate user for wireless system access to the resources.

These followings are the analysis of messages in the proposed scheme.

In the message M₁, E₁ and V_UR both contain x_U.
In M₂, x_S is required in both E₄ and V_SR, besides the original elements in M₁.
In M₃, E₇, V_RS, E₈ and V_RU all needs x_U and x_S.
In M₄, x_U and x_S are required in both E₇ and V_RS.

As it is shown above, the attacker has to know both x_U and x_S to forge any messages in the session. But x_U and x_S cannot be captured by the attacker because both of them are the secret keys known to only the registration center R. Therefore, the attacker cannot forge any messages and we can claim that the proposed scheme resists forgery attack.

Known key security.

In the proposed scheme, the session key SK is calculated as SK = T_rkS (P_U) = T_rkU(P_S) = T_rkSrkU(α) mod p. It contains the random numbers rk_S and rk_U that are generated by session entities for each session. Even if an attacker gets the previous session key, he cannot calculate the current session key.

Therefore, the proposed scheme provides known key security property.

6. Performance comparisons

In this section, we compare the computational cost, communication overhead and security performance of the proposed scheme with the recent similar authentication key exchange protocols [12, 31, 35].

The notations used for comparison of computational cost are as follows.

t_c: time needed for Chebyshev polynomial operation
t_e: time needed for a scalar multiplication on elliptic curve
t_s: time needed for symmetric encryption/decryption operation
t_p: time needed for public key encryption/decryption operation
t_h: time needed for one-way hash function operation

Table 4 shows the comparison of the computational cost of the four schemes, including the proposed scheme in the authentication and session key exchange phase. According to the execution overhead given in [50–52], in the environment where CPU is 2.20GHz and RAM is 2048MB, it takes about 0.0023ms, 0.0046ms, 2.226ms, 3.85ms, 2.226ms to execute the one-way hash function, symmetric encryption/decryption, the scalar multiplication on elliptic curve, public key encryption/decryption and Chebyshev polynomial operation respectively. Compared with other schemes, the result shows that our scheme requires nearly low computational cost.

Download:

Table 4. Comparison of the computational cost between the proposed scheme and other schemes in the authentication and session key exchange phase.

https://doi.org/10.1371/journal.pone.0271817.t004

In order to measure the communication overhead of our proposed scheme, let us assume the bit size of identity, random number, timestamp, hash output, Chebyshev chaotic maps and elliptic curve cryptography as |ID| = 160, |N| = 160, |Ts| = 32, |H| = 160, |T| = 160 and |E| = 320 bits respectively.

Table 5 shows the communication overhead of our proposed scheme according to above assumption.

Download:

Table 5. Communication overhead of our proposed scheme.

https://doi.org/10.1371/journal.pone.0271817.t005

Table 6 shows the comparison of the communication overhead of our proposed scheme and three other schemes. As shown in Table 6, the communication overhead of our proposed scheme is higher than other schemes.

Download:

Table 6. Comparison of the computational cost between the proposed scheme and other schemes.

https://doi.org/10.1371/journal.pone.0271817.t006

Table 7 shows the comparative evaluation of the security function between the proposed scheme and other schemes.

Download:

Table 7. Comparative evaluation of the security function between the proposed scheme and other schemes.

https://doi.org/10.1371/journal.pone.0271817.t007

As shown in Tables 4, 6 and 7, the proposed scheme outperforms the other schemes in terms of the security properties presented.

Lwamo et al.’s scheme has high computational cost because it uses the public key encryption. Also his scheme has lower communication overhead than ours’ scheme and doesn’t provide re-registration with the original identity and it is vulnerable to the stolen smart card attack.

Zhou et al.’s scheme uses only hash functions so it has very low computational cost, but it has lower communication overhead than ours. And it is vulnerable to the replay attack and doesn’t provide various properties such as mutual authentication, no key control, re-registration with the original identity, and efficiency in the verification of wrong password.

Tomar et al.’s scheme provides the security properties mentioned in the Table 7 but his scheme has higher computational cost and higher communication overhead than our proposed scheme. And it doesn’t provide the re-registration with the original identity.

As shown in Tables 4, 6 and 7, the schemes with strong security performances have high computational cost, while the schemes with low computational cost don’t provide the strong security performances.

7. Conclusion

In this work, we analysed Lwmao et al.’s scheme and Zhou et al.’s scheme, pointed out its weakness and proposed an improved chaotic mapping-based authentication key agreement protocol with low computational cost, high communication overhead, robust security performance and strong mutual authenticaton. The proposed scheme was designed to provide strong mutual authentication between communication participants, so the length of messages is long and communication overhead is relatively high. In the proposed scheme, we allowed the users to re-register without modifying their identities by including the random numbers in their secret keys shared with the registration center in the registration phase. Also, we used the users’ biometrics and the fuzzy extractor to keep their privacies more secure. We also prevented the replay attack using timestamps and chaotic maps, and provided the robust mutual authentication and safer session key agreement. The proposed scheme also achieved various security properties and attack resistances such as the anonymity, untraceability and resistance of stolen smart card attack. Also, we formally analysed our protocol based on BAN logic and AVISPA tool, and demonstrated that it is secure against various attacks through informal security analysis.

References

1. Liao YP, Wang SS. A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces. 2009;31(1):24–29.
- View Article
- Google Scholar
2. Li X, Ma J, Wang W, Xiong Y, Zhang J. A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling. 2012.
- View Article
- Google Scholar
3. Tsaur WJ, Li JH, Lee WB. An efficient and secure multi-server authentication scheme with key agreement. The Journal of System and Software. 2012;85:876–882.
- View Article
- Google Scholar
4. Xu C, Jia Z, Wen F, Ma Y. A Novel Dynamic Identity based Authentication Scheme for MultiServer Environment using Smart Cards. International Journal of Security and Its Applications. 2013;7(4):105–118.
- View Article
- Google Scholar
5. Chuang MC, Chen MC. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Syst. Appl. 2014;41(4):1411–1418.
- View Article
- Google Scholar
6. Maitra T, Giri D. An efficient biometric and passwordbased remote user authentication using smart card for telecare medical information systems in multi-server environment. J. Med. Syst. 2014;38(12):142. pmid:25371272
- View Article
- PubMed/NCBI
- Google Scholar
7. Mishra D, Das AK, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multiserver authenticated key agreement scheme using smart cards. Expert Syst. Appl. 2014;41(18):8129–8143.
- View Article
- Google Scholar
8. Amin R, Biswas GP. A Novel User Authentication and Key Agreement Protocol for Accessing Multi-Medical Server Usable in TMIS. J. Med. Syst. 2015;39:33. pmid:25681100
- View Article
- PubMed/NCBI
- Google Scholar
9. Chaudhry SA. A secure biometric based multi-server authentication scheme for social multimedia networks [M]. Multimedia Tools and Applications. 2015;75;12705–12725.
- View Article
- Google Scholar
10. Wang C, Zhang X, Zheng Z. Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme. PLoS ONE. 2016;11(2):1–25. pmid:26866606
- View Article
- PubMed/NCBI
- Google Scholar
11. Guo H, Wang P, Zhang X, Huang Y, Ma F. A robust anonymous biometric-based authenticated key agreement scheme for multiserver environments. PLoS ONE. 2017;12(11):e0187403. pmid:29121050
- View Article
- PubMed/NCBI
- Google Scholar
12. Lwamo NMR, Zhu L, Xu C, Sharif K, Liu X, Zhang C. A Secure User Authentication Scheme with Anonymity for the Single & Multi-server Environments. Inf. Sci. 2019;477:369–385.
- View Article
- Google Scholar
13. Mishra D, Dharminder D, Yadav P, Rao YS, Vijayakumar P, Kumar N. A provably secure dynamic ID-based authenticated key agreement framework for mobile edge computing without a trusted party. Journal of Information Security and Applications. 2020;55:102648.
- View Article
- Google Scholar
14. Han W, Zhu Z. An ID-based mutual authentication with key agreement protocol for multiserver environment on elliptic curve cryptosystem. Int. J. Commun. Syst. 2014;27:1173–1185.
- View Article
- Google Scholar
15. Ying B, Nayak A. Lightweight remote user authentication protocol for multi-server 5G networks using self-certified public key cryptography. Journal of Network and Computer Applications. 2019;131:66–74.
- View Article
- Google Scholar
16. Irshad A, Sher M, Chaudhary SA, Naqvi H, Farash MS. An efficient and anonymous multi-server authenticated key agreement based on chaotic map without engaging Registration Centre. J. Supercomput. 2016;72(4):1623–1644.
- View Article
- Google Scholar
17. Kumari S, Das AK, Li X, Wu F, Khan MK, Jiang Q, et al. A provably secure biometrics-based authenticated key agreement scheme for multi-server environments. Multimed Tools Appl. 2017;1–31.
- View Article
- Google Scholar
18. Qiao H, Dong X, Shen Y. Authenticated Key Agreement Scheme with Strong Anonymity for Multi-Server Environment in TMIS. J. Med. Syst. 2019;43:321. pmid:31591653
- View Article
- PubMed/NCBI
- Google Scholar
19. Chuang YH, Tseng YM. Towards generalized ID-based user authentication for mobile multi-server environment. Int. J. Commun. Syst. 2012; 25:447–460.
- View Article
- Google Scholar
20. Yang L, Zheng Z. Cryptanalysis and improvement of a biometrics-based authentication and key agreement scheme for multi-server environments. PLoS ONE. 2018;13(3):e0194093. pmid:29534085
- View Article
- PubMed/NCBI
- Google Scholar
21. Yu Y, Hu L, Chu J. A Secure Authentication and Key Agreement Scheme for IoT-Based Cloud Computing Environment. Symmetry. 2020;12:150.
- View Article
- Google Scholar
22. Vinoth R, Deborah LJ, Vijayakumar P, Kumar N. Secure multifactor authenticated key agreement scheme for industrial IoT. IEEE Internet of Things Journal. 2021;8(5):3801–3811.
- View Article
- Google Scholar
23. Vijayakumar P, Naraeh R, Deborah LJ, Islam SH. An efficient group key agreement protocol for secure P2P communication. Secur. Commun. Netw. 2016;9(17):3952–3965.
- View Article
- Google Scholar
24. Hsiang HC, Shih WK. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standard & Interfaces. 2009;31(6):1118–1123.
- View Article
- Google Scholar
25. Lee CC, Lin TH, Chang RX. A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Syst. Appl. 2011;38:13863–13870.
- View Article
- Google Scholar
26. Xue K, Hong P, Ma C. A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. Journal of Computer and System Sciences. 2014;80(1):195–206.
- View Article
- Google Scholar
27. Gupta PC, Dhar J. Hash Based Multi-server Key Exchange Protocol Using Smart Card. Wireless Pers Commun. 2015;87(1);1–20.
- View Article
- Google Scholar
28. Maitra T, Islam S, Amin R, Giri D, Khan MK, Kumar N. An enhanced multiserver authentication protocol using password and smart-card: cryptanalysis and design. Secur. commun. Networks. 2016;9(17):4615–4638.
- View Article
- Google Scholar
29. Amin R, Kumar N, Biswas G, Iqbal R, Chang V. A light weight authentication protocol for iot-enabled devices in distributed cloud computing environment, Future Gener. Comput. Syst. 2018;78:1005–1019.
- View Article
- Google Scholar
30. Wei F, Zhang R. A Provably Secure Anonymous Two-Factor Authenticated Key Exchange Protocol for Cloud Computing. Fundamenta Informaticae. 2018;157:201–220.
- View Article
- Google Scholar
31. Zhou L, Li X, Yeh KH, Su C, Chiu W. Lightweight IoT-based authentication scheme in cloud computing circumstance. Future Gener. Comput. Syst. 2019;91:244–251.
- View Article
- Google Scholar
32. Yoon EJ, Yoo KY. Robust biometrics-based multiserver authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J. Supercomput. 2013;63(1):235–255.
- View Article
- Google Scholar
33. Chandrakar P, Om H. Cryptanalysis and extended three-factor remote user authentication scheme in multi-server environment. Arabian Journal for Science and Engineering. 2017;42(2):765–786.
- View Article
- Google Scholar
34. Qi M, Chen J, Chen Y. A Secure Biometrics-Based Authentication Key Exchange Protocol for Multi-Server TMIS using ECC. Computer Methods and Programs in Biomedicine. 2018;164;101–109. pmid:30195418
- View Article
- PubMed/NCBI
- Google Scholar
35. Tomar A, Dhar J. An ECC Based Secure Authentication and Key Exchange Scheme in Multi-server Environment. Wireless Pers Commun. 2019;107:351–372.
- View Article
- Google Scholar
36. Irshad A, Sher M, Chaudhry SA, Xie Q, Kumari S, Wu F. An improved and secure chaotic map based authenticated key agreement in multi-server architecture. Multimed Tools Appl. 2017;76(1):1–38.
- View Article
- Google Scholar
37. Lu Y, Li L, Yang X, Yang Y. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE. 2015;10(5):e0126323. pmid:25978373
- View Article
- PubMed/NCBI
- Google Scholar
38. Xia XY, Ji S, Vijayakumar P, Shen J, Rodrigues J. An efficient anonymous authentication and key agreement scheme with privacy-preserving for smart cities. International Journal of Distributed Sensor Networks. 2021;17(6).
- View Article
- Google Scholar
39. Li XH, Liu J, Obaidat MS, Vijayakumar P, Jiang Q, Amin R. An unlinkable authenticated key agreement with collusion resistant for VANET’s. 2021;70(8):7992–8006.
- View Article
- Google Scholar
40. Dodis Y, Reyzin L, Smith A. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. Advances in Cryptology—EUROCRYPT 2004. 2004;3027:523–540.
- View Article
- Google Scholar
41. Dodis Y, Kanukurthi B, Katz J, Reyzin L, Smith A. Robust Fuzzy Extractors and Authenticated Key Agreement From Close Secrets. IEEE Trans. Inf. Theory. 2012;58(9):6207–6222.
- View Article
- Google Scholar
42. Mason JC, Handscomb DC. Chebyshev polynomials. London: Chapman & Hall/CRC Press; 2003.
43. Zhang L. Cryptanalysis of the public key encryption based on multiple chaotic systems. Chaos Soliton Fract. 2012;37(3):669–674.
- View Article
- Google Scholar
44. Dolev D, Yao A. On the security of public key protocols. IEEE Trans. Inf. Theory. 2012;29:198–208.
- View Article
- Google Scholar
45. Kocher P, Jaffe J, Jun B, Rohatgi P. Introduction to differential power analysis. Journal of Cryptographic Engineering. 2011;1(1):5–27.
- View Article
- Google Scholar
46. Bellare M, Rogaway P. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st Annual ACM Conference on Computer and Communications Security—CCS’93. ACM: New York, USA.1993;62–73.
47. Tsai C, Lee C, Hwang M. Password authentication schemes: current status and key issues. Int. J. Netw. Secur. 2006;3(2):101–115.
- View Article
- Google Scholar
48. Burrows M, Abadi M, Needham R. A logic of authentication. Acm Sigops Operating Systems Review. 1990;8(1):18–36.
- View Article
- Google Scholar
49. AVISPA: Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/ (accessed on January 2019)
50. Odelu V, Das AK, Goswami A. A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security. 2015; 10(9): 1953–1966.
- View Article
- Google Scholar
51. Kilinc HH, Yanik T. A survey of SIP authentication and key agreement schemes. IEEE Communications Surveys & Tutorials. 2014; 16(2): 1005–1023.
- View Article
- Google Scholar
52. Jangirala S, Das K, Wazid M, Kumar N. Anonymous Lightweight Chaotic Map-Based Authenticated Key Agreement Protocol for Industrial Internet of Things. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING. 2020;17(6):1133–1146.
- View Article
- Google Scholar

[ref1] 1. Liao YP, Wang SS. A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces. 2009;31(1):24–29.
View Article
Google Scholar

[2] View Article

[3] Google Scholar

[ref2] 2. Li X, Ma J, Wang W, Xiong Y, Zhang J. A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Mathematical and Computer Modelling. 2012.
View Article
Google Scholar

[5] View Article

[6] Google Scholar

[ref3] 3. Tsaur WJ, Li JH, Lee WB. An efficient and secure multi-server authentication scheme with key agreement. The Journal of System and Software. 2012;85:876–882.
View Article
Google Scholar

[8] View Article

[9] Google Scholar

[ref4] 4. Xu C, Jia Z, Wen F, Ma Y. A Novel Dynamic Identity based Authentication Scheme for MultiServer Environment using Smart Cards. International Journal of Security and Its Applications. 2013;7(4):105–118.
View Article
Google Scholar

[11] View Article

[12] Google Scholar

[ref5] 5. Chuang MC, Chen MC. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Syst. Appl. 2014;41(4):1411–1418.
View Article
Google Scholar

[14] View Article

[15] Google Scholar

[ref6] 6. Maitra T, Giri D. An efficient biometric and passwordbased remote user authentication using smart card for telecare medical information systems in multi-server environment. J. Med. Syst. 2014;38(12):142. pmid:25371272
View Article
PubMed/NCBI
Google Scholar

[17] View Article

[18] PubMed/NCBI

[19] Google Scholar

[ref7] 7. Mishra D, Das AK, Mukhopadhyay S. A secure user anonymity-preserving biometric-based multiserver authenticated key agreement scheme using smart cards. Expert Syst. Appl. 2014;41(18):8129–8143.
View Article
Google Scholar

[21] View Article

[22] Google Scholar

[ref8] 8. Amin R, Biswas GP. A Novel User Authentication and Key Agreement Protocol for Accessing Multi-Medical Server Usable in TMIS. J. Med. Syst. 2015;39:33. pmid:25681100
View Article
PubMed/NCBI
Google Scholar

[24] View Article

[25] PubMed/NCBI

[26] Google Scholar

[ref9] 9. Chaudhry SA. A secure biometric based multi-server authentication scheme for social multimedia networks [M]. Multimedia Tools and Applications. 2015;75;12705–12725.
View Article
Google Scholar

[28] View Article

[29] Google Scholar

[ref10] 10. Wang C, Zhang X, Zheng Z. Cryptanalysis and improvement of a biometric-based multi-server authentication and key agreement scheme. PLoS ONE. 2016;11(2):1–25. pmid:26866606
View Article
PubMed/NCBI
Google Scholar

[31] View Article

[32] PubMed/NCBI

[33] Google Scholar

[ref11] 11. Guo H, Wang P, Zhang X, Huang Y, Ma F. A robust anonymous biometric-based authenticated key agreement scheme for multiserver environments. PLoS ONE. 2017;12(11):e0187403. pmid:29121050
View Article
PubMed/NCBI
Google Scholar

[35] View Article

[36] PubMed/NCBI

[37] Google Scholar

[ref12] 12. Lwamo NMR, Zhu L, Xu C, Sharif K, Liu X, Zhang C. A Secure User Authentication Scheme with Anonymity for the Single & Multi-server Environments. Inf. Sci. 2019;477:369–385.
View Article
Google Scholar

[39] View Article

[40] Google Scholar

[ref13] 13. Mishra D, Dharminder D, Yadav P, Rao YS, Vijayakumar P, Kumar N. A provably secure dynamic ID-based authenticated key agreement framework for mobile edge computing without a trusted party. Journal of Information Security and Applications. 2020;55:102648.
View Article
Google Scholar

[42] View Article

[43] Google Scholar

[ref14] 14. Han W, Zhu Z. An ID-based mutual authentication with key agreement protocol for multiserver environment on elliptic curve cryptosystem. Int. J. Commun. Syst. 2014;27:1173–1185.
View Article
Google Scholar

[45] View Article

[46] Google Scholar

[ref15] 15. Ying B, Nayak A. Lightweight remote user authentication protocol for multi-server 5G networks using self-certified public key cryptography. Journal of Network and Computer Applications. 2019;131:66–74.
View Article
Google Scholar

[48] View Article

[49] Google Scholar

[ref16] 16. Irshad A, Sher M, Chaudhary SA, Naqvi H, Farash MS. An efficient and anonymous multi-server authenticated key agreement based on chaotic map without engaging Registration Centre. J. Supercomput. 2016;72(4):1623–1644.
View Article
Google Scholar

[51] View Article

[52] Google Scholar

[ref17] 17. Kumari S, Das AK, Li X, Wu F, Khan MK, Jiang Q, et al. A provably secure biometrics-based authenticated key agreement scheme for multi-server environments. Multimed Tools Appl. 2017;1–31.
View Article
Google Scholar

[54] View Article

[55] Google Scholar

[ref18] 18. Qiao H, Dong X, Shen Y. Authenticated Key Agreement Scheme with Strong Anonymity for Multi-Server Environment in TMIS. J. Med. Syst. 2019;43:321. pmid:31591653
View Article
PubMed/NCBI
Google Scholar

[57] View Article

[58] PubMed/NCBI

[59] Google Scholar

[ref19] 19. Chuang YH, Tseng YM. Towards generalized ID-based user authentication for mobile multi-server environment. Int. J. Commun. Syst. 2012; 25:447–460.
View Article
Google Scholar

[61] View Article

[62] Google Scholar

[ref20] 20. Yang L, Zheng Z. Cryptanalysis and improvement of a biometrics-based authentication and key agreement scheme for multi-server environments. PLoS ONE. 2018;13(3):e0194093. pmid:29534085
View Article
PubMed/NCBI
Google Scholar

[64] View Article

[65] PubMed/NCBI

[66] Google Scholar

[ref21] 21. Yu Y, Hu L, Chu J. A Secure Authentication and Key Agreement Scheme for IoT-Based Cloud Computing Environment. Symmetry. 2020;12:150.
View Article
Google Scholar

[68] View Article

[69] Google Scholar

[ref22] 22. Vinoth R, Deborah LJ, Vijayakumar P, Kumar N. Secure multifactor authenticated key agreement scheme for industrial IoT. IEEE Internet of Things Journal. 2021;8(5):3801–3811.
View Article
Google Scholar

[71] View Article

[72] Google Scholar

[ref23] 23. Vijayakumar P, Naraeh R, Deborah LJ, Islam SH. An efficient group key agreement protocol for secure P2P communication. Secur. Commun. Netw. 2016;9(17):3952–3965.
View Article
Google Scholar

[74] View Article

[75] Google Scholar

[ref24] 24. Hsiang HC, Shih WK. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standard & Interfaces. 2009;31(6):1118–1123.
View Article
Google Scholar

[77] View Article

[78] Google Scholar

[ref25] 25. Lee CC, Lin TH, Chang RX. A secure dynamic ID based remote user authentication scheme for multi-server environment using smart cards. Expert Syst. Appl. 2011;38:13863–13870.
View Article
Google Scholar

[80] View Article

[81] Google Scholar

[ref26] 26. Xue K, Hong P, Ma C. A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. Journal of Computer and System Sciences. 2014;80(1):195–206.
View Article
Google Scholar

[83] View Article

[84] Google Scholar

[ref27] 27. Gupta PC, Dhar J. Hash Based Multi-server Key Exchange Protocol Using Smart Card. Wireless Pers Commun. 2015;87(1);1–20.
View Article
Google Scholar

[86] View Article

[87] Google Scholar

[ref28] 28. Maitra T, Islam S, Amin R, Giri D, Khan MK, Kumar N. An enhanced multiserver authentication protocol using password and smart-card: cryptanalysis and design. Secur. commun. Networks. 2016;9(17):4615–4638.
View Article
Google Scholar

[89] View Article

[90] Google Scholar

[ref29] 29. Amin R, Kumar N, Biswas G, Iqbal R, Chang V. A light weight authentication protocol for iot-enabled devices in distributed cloud computing environment, Future Gener. Comput. Syst. 2018;78:1005–1019.
View Article
Google Scholar

[92] View Article

[93] Google Scholar

[ref30] 30. Wei F, Zhang R. A Provably Secure Anonymous Two-Factor Authenticated Key Exchange Protocol for Cloud Computing. Fundamenta Informaticae. 2018;157:201–220.
View Article
Google Scholar

[95] View Article

[96] Google Scholar

[ref31] 31. Zhou L, Li X, Yeh KH, Su C, Chiu W. Lightweight IoT-based authentication scheme in cloud computing circumstance. Future Gener. Comput. Syst. 2019;91:244–251.
View Article
Google Scholar

[98] View Article

[99] Google Scholar

[ref32] 32. Yoon EJ, Yoo KY. Robust biometrics-based multiserver authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J. Supercomput. 2013;63(1):235–255.
View Article
Google Scholar

[101] View Article

[102] Google Scholar

[ref33] 33. Chandrakar P, Om H. Cryptanalysis and extended three-factor remote user authentication scheme in multi-server environment. Arabian Journal for Science and Engineering. 2017;42(2):765–786.
View Article
Google Scholar

[104] View Article

[105] Google Scholar

[ref34] 34. Qi M, Chen J, Chen Y. A Secure Biometrics-Based Authentication Key Exchange Protocol for Multi-Server TMIS using ECC. Computer Methods and Programs in Biomedicine. 2018;164;101–109. pmid:30195418
View Article
PubMed/NCBI
Google Scholar

[107] View Article

[108] PubMed/NCBI

[109] Google Scholar

[ref35] 35. Tomar A, Dhar J. An ECC Based Secure Authentication and Key Exchange Scheme in Multi-server Environment. Wireless Pers Commun. 2019;107:351–372.
View Article
Google Scholar

[111] View Article

[112] Google Scholar

[ref36] 36. Irshad A, Sher M, Chaudhry SA, Xie Q, Kumari S, Wu F. An improved and secure chaotic map based authenticated key agreement in multi-server architecture. Multimed Tools Appl. 2017;76(1):1–38.
View Article
Google Scholar

[114] View Article

[115] Google Scholar

[ref37] 37. Lu Y, Li L, Yang X, Yang Y. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE. 2015;10(5):e0126323. pmid:25978373
View Article
PubMed/NCBI
Google Scholar

[117] View Article

[118] PubMed/NCBI

[119] Google Scholar

[ref38] 38. Xia XY, Ji S, Vijayakumar P, Shen J, Rodrigues J. An efficient anonymous authentication and key agreement scheme with privacy-preserving for smart cities. International Journal of Distributed Sensor Networks. 2021;17(6).
View Article
Google Scholar

[121] View Article

[122] Google Scholar

[ref39] 39. Li XH, Liu J, Obaidat MS, Vijayakumar P, Jiang Q, Amin R. An unlinkable authenticated key agreement with collusion resistant for VANET’s. 2021;70(8):7992–8006.
View Article
Google Scholar

[124] View Article

[125] Google Scholar

[ref40] 40. Dodis Y, Reyzin L, Smith A. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. Advances in Cryptology—EUROCRYPT 2004. 2004;3027:523–540.
View Article
Google Scholar

[127] View Article

[128] Google Scholar

[ref41] 41. Dodis Y, Kanukurthi B, Katz J, Reyzin L, Smith A. Robust Fuzzy Extractors and Authenticated Key Agreement From Close Secrets. IEEE Trans. Inf. Theory. 2012;58(9):6207–6222.
View Article
Google Scholar

[130] View Article

[131] Google Scholar

[ref42] 42. Mason JC, Handscomb DC. Chebyshev polynomials. London: Chapman & Hall/CRC Press; 2003.

[ref43] 43. Zhang L. Cryptanalysis of the public key encryption based on multiple chaotic systems. Chaos Soliton Fract. 2012;37(3):669–674.
View Article
Google Scholar

[134] View Article

[135] Google Scholar

[ref44] 44. Dolev D, Yao A. On the security of public key protocols. IEEE Trans. Inf. Theory. 2012;29:198–208.
View Article
Google Scholar

[137] View Article

[138] Google Scholar

[ref45] 45. Kocher P, Jaffe J, Jun B, Rohatgi P. Introduction to differential power analysis. Journal of Cryptographic Engineering. 2011;1(1):5–27.
View Article
Google Scholar

[140] View Article

[141] Google Scholar

[ref46] 46. Bellare M, Rogaway P. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st Annual ACM Conference on Computer and Communications Security—CCS’93. ACM: New York, USA.1993;62–73.

[ref47] 47. Tsai C, Lee C, Hwang M. Password authentication schemes: current status and key issues. Int. J. Netw. Secur. 2006;3(2):101–115.
View Article
Google Scholar

[144] View Article

[145] Google Scholar

[ref48] 48. Burrows M, Abadi M, Needham R. A logic of authentication. Acm Sigops Operating Systems Review. 1990;8(1):18–36.
View Article
Google Scholar

[147] View Article

[148] Google Scholar

[ref49] 49. AVISPA: Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/ (accessed on January 2019)

[ref50] 50. Odelu V, Das AK, Goswami A. A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security. 2015; 10(9): 1953–1966.
View Article
Google Scholar

[151] View Article

[152] Google Scholar

[ref51] 51. Kilinc HH, Yanik T. A survey of SIP authentication and key agreement schemes. IEEE Communications Surveys & Tutorials. 2014; 16(2): 1005–1023.
View Article
Google Scholar

[154] View Article

[155] Google Scholar

[ref52] 52. Jangirala S, Das K, Wazid M, Kumar N. Anonymous Lightweight Chaotic Map-Based Authenticated Key Agreement Protocol for Industrial Internet of Things. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING. 2020;17(6):1133–1146.
View Article
Google Scholar

[157] View Article

[158] Google Scholar

Figures

Abstract

1. Introduction

1.1 Related work

1.2 Motivation and our contribution

2. Preliminaries

2.1 Fuzzy extractor

2.2 Chebyshev polynomials

2.3 The property of Chebyshev polynomials

2.4 Enhanced Chebyshev polynomials

2.5 Computational problems based on Chebyshev polynomials

2.6 Threat model

3. Analysis of precedent schemes

3.1 Analysis of Lwamo et al.’s scheme

3.1.1 Lwamo et al.’s scheme.

Registration phase

Login and authentication phase

Password update phase

3.1.2 Flaws of Lwamo et al.’s scheme.

3.2 Analysis of Zhou et al.’s scheme

3.2.1 Zhou et al.’s scheme.

Registration phase

Authentication phase

Password update phase

3.2.2 Cryptanalysis of Zhou et al.’s scheme.

4. Proposed scheme

4.1 Registration phase

4.1.1 User registration phase.

4.1.2 Server registration phase.

4.2 Authentication and session key exchange phase

4.3 Password change phase

4.4 User revocation and re-registration phase

4.4.1 User revocation phase.

4.4.2 Reregistration phase.

5. Security analysis of the proposed scheme

5.1 Authentication proof based on BAN logic

Notations and rules.

Goals.

Idealize.

Assumptions.

Analysis.

5.2 Validation test based on AVISPA

Specifying the proposed protocol.

Analysis of the results.

5.3 Informal security analysis

Mutual authentication.

User anonymity.

Perfect forward security of session key.

Untraceability.

No key control.

Off-line password guessing attack.

Privileged insider attack.

Stolen verifier attack.

User impersonate attack.

Server impersonate attack.

Man-in-the-middle attack.

Replay attack.

Forgery attack.

Known key security.

6. Performance comparisons

7. Conclusion

References