S1007-5704(14)00245-7
http://dx.doi.org/10.1016/j.cnsns.2014.05.027
CNSNS 3210
To appear in: Communications in Nonlinear Science and Numerical Simulation
Received Date: 7 June 2013
Revised Date: 20 May 2014
Accepted Date: 26 May 2014
Please cite this article as: Lin, H-Y., Improved Chaotic Maps-Based Password-Authenticated Key Agreement Using Smart Cards, Communications in Nonlinear Science and Numerical Simulation (2014), doi: http://dx.doi.org/10.1016/j.cnsns.2014.05.027
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
Correspondence to:
Assistant Professor Han-Yu Lin, Ph.D.
Department of Computer Science and Engineering
National Taiwan Ocean University
2, Beining Road, Keelung, 202
Taiwan, Republic of China
E-mail: lin.hanyu@msa.hinet.net
Tel: +886-2-2462-2192 ext 6656
Fax: +886-2-2462-3249
Abstract
Elaborating on the security of password-based authenticated key agreement, in this paper the author cryptanalyzes a chaotic maps-based password-authenticated key agreement recently proposed by Guo and Chang. Specifically, their protocol cannot achieve strong user anonymity because of a fixed parameter, and a malicious adversary is able to derive the shared session key by exploiting a property of Chebyshev chaotic maps. Additionally, the author presents an improved scheme that eliminates the above weaknesses while maintaining the efficiency.
Keywords: authentication, key agreement, chaotic map, smart card, cryptanalysis.
Introduction
Key agreement protocols, also known as key exchange protocols, aim at establishing a common session key between two communicating parties. The key challenge in designing such a protocol is how to securely and efficiently derive a session key that is known only to the communicating parties. In 1976, Diffie and Hellman [6] introduced the first key agreement protocol, based on the well-known discrete logarithm problem (DLP). In their scheme, each party contributes a partial value to the final session key. However, later analyses showed that a malicious adversary could easily mount the so-called man-in-the-middle attack to fool both sides of their scheme. Since then, many related protocols have been proposed. According to their essential structures, we classify these schemes into the following types:
(1) Pure password-based protocols:
In 1981, Lamport [14] proposed a password-based authentication scheme in which a user is authenticated by his predefined password stored at the server. That is, the server has to maintain a password table for verification. Although a secure hash function was employed to protect users' passwords from being learned directly by any outsider, some security vulnerabilities were still found in the scheme. Since then, many password-based studies [9, 17, 19, 20] have been proposed to either strengthen the security level or improve the efficiency of existing schemes.
Preliminaries
We first state the properties of the Chebyshev chaotic map and the related computational problems that will be employed in the proposed scheme.
Let $a$ be a random number and $x \in_R [-1, 1]$. The Chebyshev polynomial of degree $a$ is denoted as $T_a(x) = \cos(a \arccos(x))$. The recurrence for the Chebyshev polynomial is shown below:
$$T_0(x) = 1, \quad T_1(x) = x, \quad T_2(x) = 2x^2 - 1, \quad T_{a+1}(x) = 2x\,T_a(x) - T_{a-1}(x) \text{ for } a \in \mathbb{N}.$$
Chebyshev polynomials exhibit two important properties, described as follows:
Semi-group property:
$$T_a(T_b(x)) = \cos(a \arccos(\cos(b \arccos(x)))) = \cos(ab \arccos(x)) = T_{ba}(x) = T_b(T_a(x)).$$
Chaotic property:
When $a > 1$, the Chebyshev polynomial map $T_a : [-1, 1] \to [-1, 1]$ of degree $a$ is a chaotic map with invariant density $f(x) = 1/(\pi \sqrt{1 - x^2})$ and Lyapunov exponent $\lambda = \ln a > 0$.
Chaotic Maps Discrete Logarithm Problem (CMDLP):
Given two random variables $x, y \in_R [-1, 1]$, it is computationally infeasible to find an integer solution $a$ such that $y = T_a(x)$.
Computational Chaotic Maps Diffie-Hellman Problem (CCMDHP):
Given three parameters $x$, $T_a(x)$ and $T_b(x)$, it is computationally infeasible to compute $T_{ab}(x)$, where $T_{ab}(x) = T_a(T_b(x)) = T_b(T_a(x))$.
3.1 Involved Parties
An AKA protocol has two involved parties: a user (client) and a remote server. Each party is a probabilistic polynomial-time Turing machine (PPTM). The user generates a login request and sends it to the server. After mutual authentication has been achieved, a shared session key is created for subsequent secure communication.
3.2 Algorithms
7. The mutually shared session key $T_j(T_{j'}(x))$ can therefore be derived by each party.
Password change: $U$ first inserts his old and new passwords $(PW, PW^*)$, and then $SC$ runs the following steps with $Sv$:
1. Choose $i$, compute the temporary key $T_i(T_r(x))$, $H' = h(PW, t)$ and $H^* = h(PW^*, t)$, and send $T_i(x)$ together with $(H', H^*, R)$ encrypted under that key to $Sv$.
2. $Sv$ computes the same key as $T_r(T_i(x))$, decrypts the received ciphertext and $E_s(ID, H)$, and then checks whether $H' = H$.
3. If it holds, $Sv$ returns $R^* = E_s(ID, H^*)$ to $SC$, which then replaces $R$ with $R^*$.
5.1 Security Weakness
The first security weakness of the Guo-Chang scheme is that the user identity cannot be fully protected. More precisely, their scheme only achieves partial anonymity. In the authenticated key agreement phase, the smart card sends a login request $(R, T_j(x), E_v(Q, R, T_1))$ to the server. Although the parameter $R = E_s(ID, H)$ is protected with the server master key $s$, the smart card always sends the same $R$ to the server in every session until the user password is updated. From this parameter, any malicious adversary can easily distinguish whether two intercepted login requests belong to the same user or not.
The second security weakness is that a malicious adversary can derive the mutually shared session key between the user and the server after intercepting the messages transmitted by both sides. On intercepting the login request $(R, T_j(x), E_v(Q, R, T_1))$, the adversary obtains $T_j(x)$. Although it is computationally infeasible to derive $j$ from the known $x$ and $T_j(x)$, the adversary can compute
$$j^* = \frac{\arccos(T_j(x)) + 2k\pi}{\arccos(x)}, \quad k \in \mathbb{Z},$$
such that $T_{j^*}(x) = T_j(x)$. With the value $j^*$, the adversary can compute
$$T_{j^*}(T_r(x)) = T_{j^* r}(x) = T_r(T_{j^*}(x)) = T_r(T_j(x)) = v$$
and decrypt the message $E_v(T_{j'}(x), h(ID, T_2), T_2)$ transmitted from the server to obtain $T_{j'}(x)$. Now the adversary can derive the mutually shared session key as
$$T_{j^*}(T_{j'}(x)) = T_{j^* j'}(x) = T_{j'}(T_{j^*}(x)) = T_{j'}(T_j(x)) = T_j(T_{j'}(x)),$$
which is exactly the session key agreed between the user and the server.
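To make the Preliminaries and the derivation in Section 5.1 checkable, the following Python example (added here; not code from the paper) implements $T_a(x) = \cos(a \arccos x)$ and its recurrence, verifies the semi-group property for integer degrees, and reproduces the non-uniqueness of the degree over the reals: every $j^* = (\arccos(T_j(x)) + 2k\pi)/\arccos(x)$ satisfies $T_{j^*}(x) = T_j(x)$, which is why the improved scheme's choice to keep $x$ inside the smart card removes the input this formula needs. The sample values $x = 0.3$, $j = 11$, $r = 2$ are constructed for the example, and the last function checks the $T_{j^*}(T_r(x))$ step numerically rather than assuming the semi-group identity for a non-integer degree.

```python
import math

def cheb(a, x):
    """T_a(x) = cos(a * arccos(x)) for real degree a and x in [-1, 1] (Preliminaries)."""
    x = max(-1.0, min(1.0, x))  # guard against rounding just outside [-1, 1]
    return math.cos(a * math.acos(x))

def cheb_rec(a, x):
    """Same value for integer a >= 0 via the recurrence T_{a+1}(x) = 2x T_a(x) - T_{a-1}(x)."""
    t_prev, t_cur = 1.0, x  # T_0(x), T_1(x)
    if a == 0:
        return t_prev
    for _ in range(a - 1):
        t_prev, t_cur = t_cur, 2 * x * t_cur - t_prev
    return t_cur

def semigroup_holds(a, b, x, tol=1e-9):
    """Semi-group property T_a(T_b(x)) = T_ab(x) = T_b(T_a(x)); exact for integer degrees."""
    lhs, rhs, direct = cheb(a, cheb(b, x)), cheb(b, cheb(a, x)), cheb(a * b, x)
    return abs(lhs - rhs) < tol and abs(lhs - direct) < tol

def equivalent_degree(tj_x, x, k=0):
    """Section 5.1: j* = (arccos(T_j(x)) + 2k*pi) / arccos(x) satisfies T_{j*}(x) = T_j(x)
    for every integer k. Evaluating it requires x itself, which the Guo-Chang scheme
    publishes and the improved scheme keeps inside the smart card (D = H xor (x || T_r(x)))."""
    tj_x = max(-1.0, min(1.0, tj_x))
    return (math.acos(tj_x) + 2 * k * math.pi) / math.acos(x)

def forged_degree_reproduces(j, r, x, k=0, tol=1e-9):
    """Numerically checks the Section 5.1 step T_{j*}(T_r(x)) = T_j(T_r(x)), i.e. whether the
    recovered j* yields v (r = server secret) or the session key (r = server's j').
    For a non-integer j* the semi-group step is not automatic: it holds when
    r * arccos(x) <= pi (so arccos(T_r(x)) = r * arccos(x)) or when the chosen k
    returns j itself (up to sign)."""
    j_star = equivalent_degree(cheb(j, x), x, k)
    return abs(cheb(j_star, cheb(r, x)) - cheb(j, cheb(r, x))) < tol

# Constructed sample values (not from the paper): x = 0.3, user degree j = 11, server r = 2.
if __name__ == "__main__":
    X, J, R = 0.3, 11, 2
    print("semi-group (5, 9):", semigroup_holds(5, 9, X))
    print("recurrence == closed form:", abs(cheb_rec(9, X) - cheb(9, X)) < 1e-9)
    print("j* for k=0:", equivalent_degree(cheb(J, X), X))
    print("j* reproduces v:", forged_degree_reproduces(J, R, X))
```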
5.2 Improvement
In this subsection we introduce an improved scheme that amends the aforementioned security weaknesses. Figures 1 to 3 separately illustrate the user registration, authenticated key exchange and password change phases of the improved scheme. Details of the modification are stated below:
System initialization: the server selects all necessary parameters $(r, x, T_r(x), h(\cdot), E_k(\cdot))$ as defined in Section 4. Note that the values $(x, T_r(x))$ will be encapsulated in the user's smart card rather than made public.
User registration: a user first chooses his password $PW$ and a random integer $t$ and performs the following steps with the server:
1. Compute $H = h(PW, t)$ and send the message $\{ID, H\}$ to the server via a secure channel.
2. On receiving it, the server verifies $ID$ and uses his master key $s$ to compute
$$R = E_s(ID, H), \qquad D = H \oplus (x \| T_r(x)).$$
5.3 Security Analyses
Since the improved scheme is extended from the Guo-Chang scheme, the essential security requirements of their scheme also apply to ours. We further analyze the security of the improved scheme against the aforementioned attacks.
Theorem 1. The improved scheme provides full protection for the user's identity.
Proof: In the authenticated key exchange phase, the smart card sends two parameters $(T_j(x), E_v(Q, R, T_1))$ to the server. Since the variable $j$ is randomly selected, both transmitted parameters vary between login sessions. More specifically, given only two intercepted authentication messages of the form $(T_j(x), E_v(Q, R, T_1))$ from different sessions, it is computationally infeasible for any adversary to distinguish whether they correspond to the same user or not.
Theorem 2. No malicious adversary can derive the mutually shared session key by intercepting the messages transmitted by both sides.
Proof: By eavesdropping on the communication between a user and the server, a malicious adversary can obtain $(T_j(x), E_v(Q, R, T_1))$ and $E_v(T_{j'}(x), h(ID, T_2), T_2)$, respectively. According to Eq. (3), however, the adversary has no way to derive $(x \| T_r(x))$ without knowing the user's password and the random number $t$. Consequently, he cannot find an integer solution $j^*$ such that $T_{j^*}(x) = T_j(x)$, since he lacks the value $x$. Therefore, we claim that it is impossible for any adversary to compute the common session key $T_j(T_{j'}(x))$.
Conclusions
Acknowledgment
The author would like to thank anonymous referees for their valuable suggestions. This work was supported in part by the National Science Council
of Republic of China under the contract number NSC 102-2221-E-019-041.
References
[1] A. K. Awasthi, Comment on a dynamic ID-based remote user authentication scheme, Transaction on Cryptology, Vol. 1, No. 2, 2004, pp. 15-16.
[2] M. S. Baptista, Cryptography with chaos, Physics Letters A, Vol. 240, No. 1-2, 1998, pp. 50-54.
[3] P. Bergamo, P. D'Arco, A. De Santis and L. Kocarev, Security of public-key cryptosystems based on Chebyshev polynomials, IEEE Transactions on Circuits and Systems, Vol. 52, No. 7, 2005, pp. 1382-1393.
[4] C. Chen, D. He, S. Chan, J. Bu, Y. Gao and R. Fan, Lightweight and provably secure user authentication with anonymity for the global mobility network, International Journal of Communication Systems, Vol. 24, No. 3, 2011, pp. 347-362.
[5] M. L. Das, A. Saxena and V. P. Gulati, A dynamic ID-based remote user authentication scheme, IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, 2004, pp. 629-631.
[6] W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, Vol. IT-22, No. 6, 1976, pp. 644-654.
[7] C. Guo and C. C. Chang, Chaotic maps-based password-authenticated key agreement using smart cards, Communications in Nonlinear Science and Numerical Simulation, Vol. 18, No. 6, 2013, pp. 1433-1440.
[8] D. He, J. Chen and R. Zhang, A more secure authentication scheme for telecare medicine information systems, Journal of Medical Systems, Vol. 36, No. 3, 2011, pp. 1989-1995.
Specifically, some information about user identities and the shared session key in their scheme could be compromised.