Abstract
A three-party authenticated key exchange (3PAKE) protocol allows two communicating users to authenticate each other and to establish a secure common session key with the help of a trusted remote server. Recently, Farash and Attari proposed an efficient and secure 3PAKE protocol based on Chebyshev chaotic maps, and their protocol is supported by a formal proof in the random oracle model. However, in this paper, we analyze the security of Farash–Attari’s protocol and show that it fails to resist a password disclosure attack if the secret information stored on the server side is compromised. In addition, their protocol is insecure against a user impersonation attack, and the server is not aware of having caused a problem. Moreover, the password change phase cannot securely identify the validity of a request; this insecurity in the password change phase can cause offline password guessing attacks and is not easily reparable. To remove these security weaknesses, we further design an improved 3PAKE protocol with user anonymity, based on Chebyshev chaotic maps and quadratic residues. In comparison with the existing chaotic map-based 3PAKE protocols, our proposed 3PAKE protocol is more secure, with acceptable computation complexity and communication overhead.
References
Aboshosha A, ElDahshan KA, Elsayed EK, Elngar AA (2016) Secure authentication protocol based on machine-metrics and RC4-EA hashing. Int J Netw Secur 18(6):1080–1088
Bergamo P, Arco P, Santis A, Kocarev L (2005) Security of public-key cryptosystems based on Chebyshev polynomials. IEEE Trans Circuits Syst I 52(7):1382–1393
Brindha T, Shaji RS (2016) A secure transaction of cloud data using conditional source trust attributes encryption mechanism. Soft Comput. doi:10.1007/s00500-016-2405-6
Chen Y, Chou JS, Sun HM (2008) A novel mutual authentication scheme based on quadratic residues for RFID systems. Comput Netw 52(12):2373–2380
Chen Y, Chou JS, Sun HM (2013) A novel biometric-based remote user authentication scheme using quadratic residues. Int J Inf Electron Eng 3(4):419–422
Drissi A, Asimi A (2017) Behavioral and security study of the OHFGC hash function. Int J Netw Secur 19(3):335–339
Farash MS, Attari MA (2014) An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps. Nonlinear Dyn 77(1–2):399–411
Guo C, Chang CC (2013) Chaotic maps-based password-authenticated key agreement using smart cards. Commun Nonlinear Sci Numer Simul 18(6):1433–1440
He D, Chen Y, Chen J (2012) Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol. Nonlinear Dyn 69(3):1149–1157
He D, Zhao W, Wu S (2013) Security analysis of a dynamic ID-based authentication scheme for multi-server environment using smart cards. Int J Netw Secur 15(5):350–356
He D, Zeadally S, Wu L (2015) Certificateless public auditing scheme for cloud-assisted wireless body area networks. IEEE Syst J. doi:10.1109/JSYST.2015.2428620
He D, Zeadally S (2015) Authentication protocol for ambient assisted living system. IEEE Commun Mag 35(1):71–77
He D, Zeadally S, Kumar N, Lee JH (2016) Anonymous authentication for wireless body area networks with provable security. IEEE Syst J. doi:10.1109/JSYST.2016.2544805
He D, Wang H, Wang L, Shen J, Yang X (2016) Efficient certificateless anonymous multi-receiver encryption scheme for mobile devices. Soft Comput. doi:10.1007/s00500-016-2231-x
Islam Sk H, Khan MK, Li X (2015) Security analysis and improvement of ‘a more secure anonymous user authentication scheme for the integrated EPR information system’. PLoS ONE 10(8):e0131368
Khan MK (2009) Fingerprint biometric-based self-authentication and deniable authentication schemes for the electronic world. IETE Tech Rev 26(3):191–195
Khan MK, Kumari S (2013) An authentication scheme for secure access to healthcare services. J Med Syst 37:9954. doi:10.1007/s10916-013-9954-3
Lai H, Xiao J, Li L, Yang Y (2012) Applying semigroup property of enhanced Chebyshev polynomials to anonymous authentication protocol. Math Probl Eng, Article ID 454823. doi:10.1155/2012/454823
Lee CC, Li CT, Hsu CW (2013) A three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps. Nonlinear Dyn 73(1–2):125–132
Li CT, Hwang MS (2010) An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 33(1):1–5
Li CT, Lee CC (2012) A novel user authentication and privacy preserving scheme with smart cards for wireless communications. Math Comput Model 55(1–2):35–44
Li CT (2013) A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card. IET Inf Secur 7(1):3–10
Li CT, Lee CC, Weng CY, Fan CI (2013) An extended multi-server-based user authentication and key agreement scheme with user anonymity. KSII Trans Internet Inf Syst 7(1):119–131
Li CT, Weng CY, Lee CC (2013) An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks. Sensors 13(8):9589–9603
Li CT, Lee CC, Weng CY (2013) An extended chaotic maps based user authentication and privacy preserving scheme against DoS attacks in pervasive and ubiquitous computing environments. Nonlinear Dyn 74(4):1133–1143
Li X, Niu J, Kumari S, Khan MK, Liao J, Liang W (2015) Design and analysis of a chaotic maps-based three-party authenticated key agreement protocol. Nonlinear Dyn 80(3):1209–1220
Li CT (2016) A secure chaotic maps-based privacy-protection scheme for multi-server environments. Secur Commun Netw. doi:10.1002/sec.1487
Li CT, Lee CC, Weng CY (2016a) A secure cloud-assisted wireless body area network in mobile emergency medical care system. J Med Syst 40(5):1–15. Article no. 117
Li CT, Lee CC, Weng CY (2016b) A secure dynamic identity and chaotic maps based user authentication and key agreement scheme for e-healthcare systems. J Med Syst 40(11):1–10. Article no. 233
Lin TH, Lee TF (2014) Secure verifier-based three-party authentication schemes without server public keys for data exchange in telecare medicine information systems. J Med Syst 38:30
Lv C, Ma M, Li H, Ma J, Zhang Y (2013) An novel three-party authenticated key exchange protocol using one-time key. J Netw Comput Appl 36(1):498–503
Mishra D, Kumari S, Khan MK, Mukhopadhyay S (2015) An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems. Int J Commun Syst. doi:10.1002/dac.2946
National Institute of Standards and Technology (2002) US department of commerce, secure hash standard. US Federal Information Processing Standard Publication, Gaithersburg, pp 180–182
Peris-Lopez P, Hernandez-Castro JC, Estevez-Tapiador JM, Ribagorda A (2006) M2AP: a minimalist mutual-authentication protocol for low-cost RFID tags. In: Proceedings of international conference on ubiquitous intelligence and computing, vol 4195. LNCS, pp 912–923
Ramasamy R, Muniyandi AP (2012) An efficient password authentication scheme for smart card. Int J Netw Secur 14(3):180–186
Wen F (2014) A more secure anonymous user authentication scheme for the integrated EPR information system. J Med Syst 38:42
Wang X, Zhao J (2010) An improved key agreement protocol based on chaos. Commun Nonlinear Sci Numer Simul 15(12):4052–4057
Wu W, Hu S, Yang X, Liu JK, Au MH (2015) Towards secure and cost-effective fuzzy access control in mobile cloud computing. Soft Comput. doi:10.1007/s00500-015-1964-2
Xie Q, Zhao J, Yu X (2013) Chaotic maps-based three-party password-authenticated key agreement scheme. Nonlinear Dyn 74(4):1021–1027
Yang L, Ma JF, Jiang Q (2012) Mutual authentication scheme with smart cards and password under trusted computing. Int J Netw Secur 14(3):156–163
Yoon EJ, Jeon IS (2011) An efficient and secure Diffie–Hellman key agreement protocol based on Chebyshev chaotic map. Commun Nonlinear Sci Numer Simul 16(6):2383–2389
Zhao F, Gong P, Li S, Li M, Li P (2013) Cryptanalysis and improvement of a three-party key agreement protocol using enhanced Chebyshev polynomials. Nonlinear Dyn 74(1–2):419–427
Acknowledgements
The authors would like to thank the anonymous reviewers and the Editor for their constructive and generous feedback on this paper. In addition, this research was partially supported and funded by the Ministry of Science and Technology, Taiwan, R.O.C., under contract no.: MOST 105-2221-E-165-005 and MOST 105-2221-E-030-012.
Ethics declarations
Conflict of interest
Chun-Ta Li, Chin-Ling Chen, Cheng-Chi Lee, Chi-Yao Weng declare that they have no conflict of interest.
Ethical approval
This article does not contain any studies with human participants performed by any of the authors.
Additional information
Communicated by V. Loia.
Cite this article
Li, CT., Chen, CL., Lee, CC. et al. A novel three-party password-based authenticated key exchange protocol with user anonymity based on chaotic maps. Soft Comput 22, 2495–2506 (2018). https://doi.org/10.1007/s00500-017-2504-z
DOI: https://doi.org/10.1007/s00500-017-2504-z