Accepted Manuscript

Improved Chaotic Maps-Based Password-Authenticated Key Agreement Using Smart Cards

Han-Yu Lin

PII: S1007-5704(14)00245-7
DOI: http://dx.doi.org/10.1016/j.cnsns.2014.05.027
Reference: CNSNS 3210
To appear in: Communications in Nonlinear Science and Numerical Simulation
Received Date: 7 June 2013
Revised Date: 20 May 2014
Accepted Date: 26 May 2014

Please cite this article as: Lin, H-Y., Improved Chaotic Maps-Based Password-Authenticated Key Agreement Using Smart Cards, Communications in Nonlinear Science and Numerical Simulation (2014), doi: http://dx.doi.org/10.1016/j.cnsns.2014.05.027

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.


Improved Chaotic Maps-Based Password-Authenticated Key Agreement Using Smart Cards

Han-Yu Lin

Department of Computer Science and Engineering, National Taiwan Ocean University, Keelung, 202, Taiwan

Correspondence to: Assistant Professor Han-Yu Lin, Ph.D., Department of Computer Science and Engineering, National Taiwan Ocean University, 2, Beining Road, Keelung, 202, Taiwan, Republic of China. E-mail: [email protected]; Tel: +886-2-2462-2192 ext 6656; Fax: +886-2-2462-3249

Abstract

Elaborating on the security of password-based authenticated key agreement, in this paper the author cryptanalyzes a chaotic maps-based password-authenticated key agreement recently proposed by Guo and Chang. Specifically, their protocol cannot achieve strong user anonymity because of a fixed parameter, and a malicious adversary is able to derive the shared session key by exploiting a property of Chebyshev chaotic maps. Additionally, the author presents an improved scheme that eliminates the above weaknesses while still maintaining the efficiency.

Keywords: authentication, key agreement, chaotic map, smart card, cryptanalysis.

    1 Introduction

Key agreement protocols, also known as key exchange protocols, aim at establishing a common session key between two communicating parties. The key challenge in designing such a protocol is how to securely and efficiently derive a session key that is known only to the communicating parties. Based on the well-known discrete logarithm problem (DLP), Diffie and Hellman [6] introduced the first key agreement protocol in 1976. In their scheme, each party contributes a partial value to the final session key. However, later analyses showed that a malicious adversary could easily mount the so-called man-in-the-middle attack to fool both sides of their scheme. Many related protocols have since been proposed. According to their essential structures, we classify these schemes into the following types:

(1). Pure password-based protocols: In 1981, Lamport [14] proposed a password-based authentication scheme in which a user is authenticated by his predefined password stored at the server. That is, the server has to maintain a password table for verification. Although a secure hash function was employed to protect users' passwords from being learned directly by any outsider, some security vulnerabilities were still found in the scheme. Since then, many password-based studies [9, 17, 19, 20] have been proposed to either strengthen the security level or improve the efficiency of existing schemes.


(2). Dynamic protocols: In 2004, Das et al. [5] raised the importance of keeping the user's identity secret during communication, since an adversary might easily reveal the identity of a communicating user by eavesdropping on the transmitted messages. Owing to this concern, they introduced the notion of dynamic authentication (also called anonymous authentication), in which a user first transforms his static ID into a dynamic one and then uses the dynamic ID to request access to the server. Since the dynamic ID changes with each session and it is difficult to derive the static ID from the dynamic one, which is built on a trapdoor one-way function, no adversary can obtain the real user identity. However, later research [15, 24, 28] pointed out potential security flaws in Das et al.'s scheme and gave corresponding amendments. Inspired by Wang et al.'s scheme [24], in 2010 Khan et al. [11] came up with a new dynamic ID authentication protocol with better efficiency.

(3). Dynamic protocols with smart cards: In 2010, Tsai et al. [22] utilized a smart card to assist with the user login process and demonstrated that the user identity in previous works [24, 28] could be exposed. In 2011, Wen and Li [25] introduced a dynamic key agreement scheme that further supports revocation and secret renewal for both users and servers. Yet, in 2012, Tang and Liu [21] claimed that the Wen-Li scheme cannot be deployed in practical applications due to several security drawbacks. In addition to the above schemes, more related studies based on dynamic IDs can be found in [1, 4, 8, 10, 13, 16-18, 23, 26, 29].

(4). Chaotic map-based protocols with smart cards: Using the semi-group property of the Chebyshev chaotic map [2, 12], Xiao et al. [27] presented the first chaos-based authenticated key agreement protocol. Such a scheme has no need to choose large primes or perform complicated modular exponentiation, and hence has received much attention in recent years. In 2013, Guo and Chang [7] proposed a chaotic maps-based password-authenticated key agreement using smart cards. They claimed that their scheme possesses the necessary characteristics and achieves the essential security requirements.

In this paper, the author focuses on the security of one recently proposed chaotic map-based protocol with smart cards, i.e., the Guo-Chang scheme. The first contribution of this paper is to cryptanalyze the Guo-Chang scheme. More precisely, the author points out two drawbacks of their scheme. One is that their protocol cannot provide full protection for the user's identity. The other is that a malicious adversary is capable of deriving the mutually shared session key by intercepting the messages transmitted between the user and the server. The second contribution of this paper is to present an improved variant that amends the above security weaknesses without increasing the computational complexity.

The rest of this paper is organized as follows. Section 2 states some preliminaries. The formal model of an authenticated key agreement protocol is described in Section 3. Section 4 briefly reviews the Guo-Chang scheme. The cryptanalysis and the improvement are detailed in Section 5. Finally, a conclusion with the significance of this paper is presented in Section 6.

    2 Preliminaries

We first state the properties of the Chebyshev chaotic map and the related computational problems that will be employed in the proposed scheme.

Let $a$ be a random number and $x \in_R [-1, 1]$. The Chebyshev polynomial of degree $a$ is defined as $T_a(x) = \cos(a \arccos(x))$. The recurrence formulas of the Chebyshev polynomial are shown below:

$$T_0(x) = 1,\qquad T_1(x) = x,\qquad T_2(x) = 2x^2 - 1,$$

$$T_{a+1}(x) = 2x\,T_a(x) - T_{a-1}(x), \quad \text{for } a \in \mathbb{N}.$$

The Chebyshev polynomial exhibits two important properties, described as follows:

Semi-group property:

$$T_a(T_b(x)) = \cos(a \arccos(\cos(b \arccos(x)))) = \cos(ab \arccos(x)) = T_{ba}(x) = T_b(T_a(x)).$$

Chaotic property: When $a > 1$, the Chebyshev polynomial map $T_a : [-1, 1] \to [-1, 1]$ of degree $a$ is a chaotic map with invariant density $f^*(x) = 1/(\pi\sqrt{1 - x^2})$ and positive Lyapunov exponent $\ln a > 0$.

Chaotic Maps Discrete Logarithm Problem (CMDLP): Given two random variables $x, y \in_R [-1, 1]$, it is computationally infeasible to find an integer solution $a$ such that $y = T_a(x)$.

Computational Chaotic Maps Diffie-Hellman Problem (CCMDHP): Given three parameters $x$, $T_a(x)$ and $T_b(x)$, it is computationally infeasible to compute $T_{ab}(x)$ such that $T_{ab}(x) = T_a(T_b(x)) = T_b(T_a(x))$.
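As an added numerical illustration of the preliminaries above (example code, not from the paper), the following Python evaluates $T_a(x)$ by the recurrence, checks the semi-group identity $T_a(T_b(x)) = T_b(T_a(x)) = T_{ab}(x)$ in floating point, and estimates the Lyapunov exponent of $T_a$ by averaging $\ln|T_a'(x)|$ under the invariant density, which should come out as $\ln a$ (and as 0 for the non-chaotic case $a = 1$). All function names are the example's own.

```python
import math

# Added example (not code from the paper): Chebyshev polynomials T_a(x),
# the semi-group property, and a numerical Lyapunov-exponent check.


def chebyshev(a: int, x: float) -> float:
    """T_a(x) by the recurrence T_{a+1}(x) = 2x T_a(x) - T_{a-1}(x)."""
    if a < 0:
        raise ValueError("degree must be a non-negative integer")
    t_prev, t_cur = 1.0, x              # T_0, T_1
    if a == 0:
        return t_prev
    for _ in range(a - 1):
        t_prev, t_cur = t_cur, 2.0 * x * t_cur - t_prev
    return t_cur


def chebyshev_closed(a: int, x: float) -> float:
    """T_a(x) = cos(a arccos(x)); valid only for x in [-1, 1]."""
    return math.cos(a * math.acos(x))


def chebyshev_derivative(a: int, x: float) -> float:
    """T_a'(x) = a U_{a-1}(x) with the second-kind polynomials
    U_0 = 1, U_1 = 2x, U_{n+1} = 2x U_n - U_{n-1}."""
    if a == 0:
        return 0.0
    u_prev, u_cur = 1.0, 2.0 * x        # U_0, U_1
    for _ in range(a - 2):
        u_prev, u_cur = u_cur, 2.0 * x * u_cur - u_prev
    return a * (u_prev if a == 1 else u_cur)


def semigroup_holds(a: int, b: int, x: float, tol: float = 1e-9) -> bool:
    """T_a(T_b(x)) == T_b(T_a(x)) == T_ab(x), up to floating-point error."""
    lhs = chebyshev(a, chebyshev(b, x))
    rhs = chebyshev(b, chebyshev(a, x))
    direct = chebyshev(a * b, x)
    return abs(lhs - rhs) < tol and abs(lhs - direct) < tol


def lyapunov_estimate(a: int, samples: int = 10000) -> float:
    """Average of ln|T_a'(x)| over the invariant density 1/(pi sqrt(1-x^2)).
    With x = cos(theta) that density is uniform in theta on (0, pi), so a
    midpoint grid in theta samples it; the expected value is ln a."""
    total = 0.0
    for k in range(samples):
        theta = math.pi * (k + 0.5) / samples
        total += math.log(abs(chebyshev_derivative(a, math.cos(theta))))
    return total / samples
```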

3 Formal Model of Authenticated Key Agreement (AKA) Protocol

In this section, we describe the involved parties and the component algorithms of an AKA protocol.

    3.1 Involved Parties

An AKA protocol has two involved parties: a user (client) and a remote server. Each party is a probabilistic polynomial-time Turing machine (PPTM). The user generates a login request and sends it to the server. After mutual authentication has been achieved, a shared session key is created for subsequent secure communication.

    3.2 Algorithms

An AKA protocol is composed of the following algorithms:

System initialization: This algorithm is used to generate the system's parameters.

User registration: A user has to run this algorithm to become a legitimate member of the system.

Authenticated key exchange: This algorithm is performed by both the user and the server to authenticate each other and create a shared secret key.

Password change: A user can run this algorithm to change his password.


4 Brief Review of the Guo-Chang Scheme

We describe the detailed steps of the Guo-Chang scheme [7] as follows:

System initialization: the server $S_v$ first computes a Chebyshev polynomial of degree $r$, i.e., $T_r(x)$ where $x \in [-1, 1]$, and then selects a one-way hash function $h(\cdot)$ and a symmetric encryption function $E_k(\cdot)$ under the key $k$. Note that $S_v$ has to keep $r$ secret.

User registration: a user $U$ with identity $ID$ and password $PW$ first selects an integer $t$ and runs the following steps with $S_v$:

1. Send $\{ID, H = h(PW, t)\}$ to $S_v$ via a secure channel.

2. $S_v$ verifies $ID$ and computes $R = E_s(ID, H)$, where $s$ is the master key.

3. A smart card $SC$ containing $(R, h(\cdot), E_k(\cdot), x, T_r(x))$ is finally returned to $U$.

4. $U$ stores $t$ in $SC$.

Authenticated key exchange: $U$ first enters his $(ID, PW)$, and then $SC$ runs the following steps with $S_v$:

1. Choose $j$, compute $v = T_j(T_r(x))$ and $Q = h(ID, H)$, and send $(R, T_j(x), E_v(Q, R, T_1))$ to $S_v$, where $T_1$ is the current timestamp.

2. $S_v$ computes $v = T_r(T_j(x))$, decrypts $E_v(Q, R, T_1)$ and verifies whether $T_1$ is within a valid interval $\Delta T$.

3. $S_v$ proceeds to decrypt $R$ to obtain $(ID, H')$ and computes $Q' = h(ID, H')$. If $Q' = Q$, $U$ is authenticated; otherwise, the session is terminated.

4. $S_v$ selects $j'$ and sends $E_v(T_{j'}(x), h(ID, T_2), T_2)$ to $SC$, where $T_2$ is the timestamp.

5. $SC$ decrypts the ciphertext, verifies whether $T_2$ is acceptable and recomputes $h(ID, T_2)$.

6. If the recomputed $h(ID, T_2)$ equals the received one, $SC$ also authenticates $S_v$.

7. The mutually shared session key $T_{j'}(T_j(x))$ can therefore be derived by both parties.

Password change: $U$ first inputs his old and new passwords $(PW, PW')$, and then $SC$ runs the following steps with $S_v$:

1. Choose $i$, compute the temporary key $T_i(T_r(x))$, $H = h(PW, t)$ and $H' = h(PW', t)$, and send $(T_i(x), E_{T_i(T_r(x))}(H, H', R))$ to $S_v$.

2. $S_v$ computes $T_r(T_i(x))$, decrypts $E_{T_i(T_r(x))}(H, H', R)$ and $R = E_s(ID, H)$, and then checks whether the $H$ in the ciphertext equals the $H$ stored in $R$.

3. If it holds, $S_v$ returns $R' = E_s(ID, H')$ to $SC$, which then updates $R$ to $R'$.

    5 Security Weakness and Improvement

In this section, we point out two security weaknesses of the Guo-Chang scheme [7] and then give amendments to eliminate these drawbacks.

    5.1 Security Weakness

The first security weakness of the Guo-Chang scheme is that the user identity cannot be fully protected. More precisely, their scheme only achieves partial anonymity. In the authenticated key agreement phase, the smart card sends a login request $(R, T_j(x), E_v(Q, R, T_1))$ to the server. Although the parameter $R = E_s(ID, H)$ is protected with the server master key $s$, the smart card always sends the same $R$ to the server in different sessions until the user's password is updated. From this parameter, any malicious adversary can easily distinguish whether two intercepted login requests belong to the same user or not.

The second security weakness is that a malicious adversary can derive the mutually shared session key between the user and the server after intercepting both transmitted messages. On intercepting a login request $(R, T_j(x), E_v(Q, R, T_1))$, the adversary obtains $T_j(x)$. Although it is computationally infeasible to derive $j$ from the known $x$ and $T_j(x)$, the adversary can use the approach of [3] to derive

$$j^* = \frac{\arccos(T_j(x)) + 2k\pi}{\arccos(x)}, \quad k \in \mathbb{Z},$$

such that $T_{j^*}(x) = T_j(x)$. With the value $j^*$, the adversary can compute

$$T_{j^*}(T_r(x)) = T_{j^* r}(x) = T_r(T_{j^*}(x)) = T_r(T_j(x)) = v$$

and decrypt the message $E_v(T_{j'}(x), h(ID, T_2), T_2)$ transmitted from the server to obtain $T_{j'}(x)$. Now the adversary can derive the mutually shared session key as

$$T_{j^*}(T_{j'}(x)) = T_{j^* j'}(x) = T_{j'}(T_{j^*}(x)) = T_{j'}(T_j(x)) = T_j(T_{j'}(x)),$$

which is exactly the session key shared by the user and the server.

    5.2 Improvement

We introduce an improved scheme to amend the aforementioned security weaknesses in this subsection. Figures 1 to 3 illustrate, respectively, the phases of user registration, authenticated key exchange and password change in the improved scheme. Details of the modification are stated below:

System initialization: the server selects all necessary parameters $(r, x, T_r(x), h(\cdot), E_k(\cdot))$ as defined in Section 4. Note that the values $(x, T_r(x))$ are encapsulated in the user's smart card rather than made public.

User registration: a user first chooses his password $PW$ and a random integer $t$ to perform the following steps with the server:

1. Compute $H = h(PW, t)$ and then send the message $\{ID, H\}$ to the server via a secure channel.

2. On receiving it, the server verifies $ID$ and uses his master key $s$ to compute

$$R = E_s(ID, H), \tag{1}$$

$$D = H \oplus (x \,\|\, T_r(x)). \tag{2}$$


Fig. 1: The user registration phase of our improved scheme

3. A smart card containing $(R, h(\cdot), E_k(\cdot), D)$ is finally returned to the user via the same secure channel.

4. The user further stores the random number $t$ in his smart card.

Authenticated key exchange: to obtain mutual authentication and create a common session key, a user first enters his $(ID, PW)$, and then the smart card performs the following steps with the server:

1. Choose a random integer $j$ to compute

$$(x \,\|\, T_r(x)) = h(PW, t) \oplus D, \tag{3}$$

$$v = T_j(T_r(x)), \tag{4}$$

$$Q = h(ID, H), \tag{5}$$

and deliver $(T_j(x), E_v(Q, R, T_1))$ to the server, where $T_1$ is the current timestamp.

2. Upon receiving it, the server computes

$$v = T_r(T_j(x)) \tag{6}$$

to decrypt $E_v(Q, R, T_1)$ and verifies whether the transmission time from $T_1$ is within a valid interval $\Delta T$.

3. Then the server proceeds to decrypt $R$ with his master key $s$ to obtain $(ID, H')$ and computes

$$Q' = h(ID, H'). \tag{7}$$

Fig. 2: Schematic of the improved scheme

If $Q' = Q$, the server authenticates the user; otherwise, the session is terminated.

4. Then the server selects $j'$ and sends the challenge $E_v(T_{j'}(x), h(ID, T_2), T_2)$ to the smart card, where $T_2$ is the timestamp.

5. Upon receiving it, the smart card decrypts the ciphertext, verifies whether the transmission delay for $T_2$ is acceptable and recomputes $h(ID, T_2)$.

6. If the recomputed $h(ID, T_2)$ equals the received one, the smart card also authenticates the server. Otherwise, it terminates the connection.

7. When both sides are authenticated, the mutually shared session key $T_{j'}(T_j(x))$ can therefore be derived by both parties.

Password change: a user first inputs his old and new passwords $(PW, PW')$, and then the smart card performs the following steps with the server:


Fig. 3: The password change phase of our improved scheme

1. Choose a random integer $i$ to compute

$$H = h(PW, t), \tag{8}$$

$$(x \,\|\, T_r(x)) = H \oplus D, \tag{9}$$

$$\text{the temporary key } T_i(T_r(x)), \tag{10}$$

$$H' = h(PW', t), \tag{11}$$

and send $(T_i(x), E_{T_i(T_r(x))}(H, H', R))$ to the server.

2. After receiving it, the server computes the same temporary key as

$$T_r(T_i(x)), \tag{12}$$

decrypts $E_{T_i(T_r(x))}(H, H', R)$ and $R = E_s(ID, H)$ with this key and his master key $s$, respectively, and then checks whether the $H$ in the ciphertext equals the $H$ stored in $R$.

3. If it holds, the server returns $R' = E_s(ID, H')$ to the smart card, which then updates $R$ to $R'$.
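The registration and login steps of the improved scheme above, Eqs. (1) to (7) and step 7, as an added single-process simulation that is not the paper's code: `register`, `login_request`, `server_verify` and `session_key_agrees` are names chosen here, SHA-256 stands in for $h(\cdot)$, an HMAC-based encrypt-then-MAC construction stands in for $E_k(\cdot)$, and the server values $r$, $s$, $x$ and the timestamps are constructed. It shows the card recovering $(x \,\|\, T_r(x))$ from the password via Eq. (3), the server authenticating via Eqs. (6) and (7), and the rejection of a wrong password and of a stale $T_1$.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the paper's code. Stand-ins the paper does not
# prescribe: h(.) is SHA-256, E_k(.) is an HMAC-SHA256 keystream with an
# encrypt-then-MAC tag, and real-valued Chebyshev values are rounded to 8
# decimals before keying so T_j(T_r(x)) on the card and T_r(T_j(x)) on the
# server give the same key. Rounding costs key entropy and can still differ
# at a rounding boundary; a deployment needs an exact Chebyshev map instead.
DELTA_T = 30                                          # allowed clock skew, seconds
SERVER = {"r": 23, "s": os.urandom(32), "x": 0.3}     # constructed server secrets

def cheb(a: int, x: float) -> float:
    """T_a(x) by the recurrence T_{a+1}(x) = 2x T_a(x) - T_{a-1}(x)."""
    t_prev, t_cur = 1.0, x
    for _ in range(a - 1):
        t_prev, t_cur = t_cur, 2.0 * x * t_cur - t_prev
    return t_prev if a == 0 else t_cur

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def key_from(value: float) -> bytes:
    return h(f"{value:.8f}".encode())

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))

def encrypt(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = xor(msg, keystream(key, nonce, len(msg)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None                                   # wrong key or tampered: reject
    return xor(ct, keystream(key, nonce, len(ct)))

def register(ident: bytes, pw: bytes, t: bytes) -> dict:
    """Server side of registration; returns the smart-card contents (R, D, t)."""
    H = h(pw, t)
    R = encrypt(SERVER["s"], ident + b"|" + H)                              # Eq. (1)
    pair = struct.pack(">dd", SERVER["x"], cheb(SERVER["r"], SERVER["x"]))  # x || T_r(x)
    return {"R": R, "D": xor(H[:16], pair), "t": t}                         # Eq. (2)

def login_request(card: dict, ident: bytes, pw: bytes, j: int, now: int):
    """Smart-card side of step 1: (T_j(x), E_v(Q, R, T_1)); x never leaves the card."""
    H = h(pw, card["t"])
    x, trx = struct.unpack(">dd", xor(H[:16], card["D"]))                   # Eq. (3)
    v = cheb(j, trx)                                                         # Eq. (4)
    Q = h(ident, H)                                                          # Eq. (5)
    return cheb(j, x), encrypt(key_from(v), Q + card["R"] + struct.pack(">q", now))

def server_verify(tjx: float, blob: bytes, now: int):
    """Server side of steps 2-3; returns the authenticated ID, or None."""
    pt = decrypt(key_from(cheb(SERVER["r"], tjx)), blob)                     # Eq. (6)
    if pt is None:
        return None
    Q, R, (t1,) = pt[:32], pt[32:-8], struct.unpack(">q", pt[-8:])
    if abs(now - t1) > DELTA_T:
        return None                                                          # stale T_1
    inner = decrypt(SERVER["s"], R)
    if inner is None:
        return None
    ident, H_reg = inner.split(b"|", 1)
    return ident if hmac.compare_digest(h(ident, H_reg), Q) else None        # Eq. (7)

def session_key_agrees(x: float, j: int, j_srv: int) -> bool:
    """Step 7: the card's T_{j'}(T_j(x)) and the server's T_j(T_{j'}(x)) key equally."""
    return key_from(cheb(j_srv, cheb(j, x))) == key_from(cheb(j, cheb(j_srv, x)))
```

With a wrong password the card recovers a wrong $(x, T_r(x))$, so either the ciphertext fails to authenticate or $Q' \ne Q$, and the login request carries no fixed value such as $R$ in the clear, which is the anonymity repair of Section 5.1.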

    5.3 Security Analyses

Since the improved scheme is extended from the Guo-Chang scheme, the essential security requirements of their scheme also apply to ours. We further analyze the security of the improved scheme against the aforementioned attacks.

Theorem 1. The improved scheme provides full protection for the user's identity.

Proof: In the authenticated key exchange phase, the smart card sends the two parameters $(T_j(x), E_v(Q, R, T_1))$ to the server. Since the variable $j$ is randomly selected, the two transmitted parameters vary with each login session. More specifically, given only two intercepted authentication messages $(T_j(x), E_v(Q, R, T_1))$ and $(T_{j'}(x), E_{v'}(Q', R', T_1'))$, it is computationally infeasible for any adversary to distinguish whether they correspond to the same user or not.

Theorem 2. No malicious adversary can derive the mutually shared session key by intercepting the messages transmitted by both sides.

Proof: By eavesdropping on the communication between a user and the server, a malicious adversary obtains $(T_j(x), E_v(Q, R, T_1))$ and $E_v(T_{j'}(x), h(ID, T_2), T_2)$, respectively. According to Eq. (3), however, the adversary has no way to derive $(x \,\|\, T_r(x))$ without knowing the user's password and the random number $t$. Consequently, he cannot find an integer solution $j^*$ such that $T_{j^*}(x) = T_j(x)$, since he lacks the value $x$. Therefore, we claim that no adversary can compute the common session key $T_{j'}(T_j(x))$.

    6 Conclusions

Two-factor authentication combining a password and a smart card is an important technique for extending the security strength of two-party communication. In this paper, the author first showed that Guo and Chang's chaotic maps-based password-authenticated key agreement using smart cards fails to provide strong user anonymity, and that a malicious adversary is able to compute the common session key between both sides by exploiting a property of Chebyshev chaotic maps. Without redesigning the original structure of the Guo-Chang scheme or incurring much computational complexity, the author showed how to eliminate these security vulnerabilities while still preserving the efficiency and merits of the original protocol.


Acknowledgment

The author would like to thank the anonymous referees for their valuable suggestions. This work was supported in part by the National Science Council of the Republic of China under contract number NSC 102-2221-E-019-041.

    References

[1] A. K. Awasthi, Comment on a dynamic ID-based remote user authentication scheme, Transaction on Cryptology, Vol. 1, No. 2, 2004, pp. 15-16.

[2] M. S. Baptista, Cryptography with chaos, Physics Letters A, Vol. 240, No. 1-2, 1998, pp. 50-54.

[3] P. Bergamo, P. D'Arco, A. De Santis and L. Kocarev, Security of public-key cryptosystems based on Chebyshev polynomials, IEEE Transactions on Circuits and Systems, Vol. 52, No. 7, 2005, pp. 1382-1393.

[4] C. Chen, D. He, S. Chan, J. Bu, Y. Gao and R. Fan, Lightweight and provably secure user authentication with anonymity for the global mobility network, International Journal of Communication Systems, Vol. 24, No. 3, 2011, pp. 347-362.

[5] M. L. Das, A. Saxena and V. P. Gulati, A dynamic ID-based remote user authentication scheme, IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, 2004, pp. 629-631.

[6] W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, Vol. IT-22, No. 6, 1976, pp. 644-654.

[7] C. Guo and C. C. Chang, Chaotic maps-based password-authenticated key agreement using smart cards, Communications in Nonlinear Science and Numerical Simulation, Vol. 18, No. 6, 2013, pp. 1433-1440.

[8] D. He, J. Chen and R. Zhang, A more secure authentication scheme for telecare medicine information systems, Journal of Medical Systems, Vol. 36, No. 3, 2011, pp. 1989-1995.


[9] M. S. Hwang and L. H. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, 2000, pp. 28-30.

[10] W. S. Juang and J. L. Wu, Two efficient two-factor authenticated key exchange protocols in public wireless LANs, Computers and Electrical Engineering, Vol. 1, No. 35, 2009, pp. 33-40.

[11] M. K. Khan, S. K. Kim and K. Alghathbar, Cryptanalysis and security enhancement of a more efficient and secure dynamic ID-based remote user authentication scheme, Computer Communications, Vol. 34, No. 3, 2011, pp. 305-309.

[12] L. Kocarev, Chaos-based cryptography: a brief overview, IEEE Circuits and Systems Magazine, Vol. 1, No. 3, 2001, pp. 6-21.

[13] W. C. Ku and S. T. Chang, Impersonation attacks on a dynamic ID-based remote user authentication scheme using smart cards, IEICE Transactions on Communications, Vol. E88-B, No. 5, 2005, pp. 2165-2167.

[14] L. Lamport, Password authentication with insecure communication, Communications of the ACM, Vol. 24, No. 11, 1981, pp. 770-772.

[15] I. Liao, C. C. Lee and M. S. Hwang, Security enhancement for a dynamic ID-based remote user authentication scheme, Proceedings of 2005 International Conference on Next Generation Web Services Practices, Seoul, Korea, 2005, pp. 437-440.

[16] H. Y. Lin, On the security of a dynamic ID-based authentication scheme for telecare medical information systems, Journal of Medical Systems, Vol. 37, No. 2, 2013, pp. 1-5.

[17] C. L. Lin, H. M. Sun and T. Hwang, Attacks and solutions on strong-password authentication, IEICE Transactions on Communications, Vol. E84-B, No. 9, 2001, pp. 2622-2627.

[18] M. Misbahuddin and C. S. Bindu, Cryptanalysis of Liao-Lee-Hwang's dynamic ID scheme, International Journal of Network Security, Vol. 2, No. 6, 2008, pp. 211-213.


[19] A. Shimizu, A dynamic password authentication method by one way function, Systems and Computers in Japan, Vol. 22, No. 7, 1991, pp. 32-40.

[20] A. Shimizu, T. Horioka and H. Inagaki, A password authentication method for contents communication on the Internet, IEICE Transactions on Communications, Vol. E81-B, No. 8, 1998, pp. 1666-1673.

[21] H. B. Tang and X. S. Liu, Cryptanalysis of a dynamic ID-based remote user authentication with key agreement scheme, International Journal of Communication Systems, to appear, 2012.

[22] J. L. Tsai, T. C. Wu and K. Y. Tsai, New dynamic ID authentication scheme using smart cards, International Journal of Communication Systems, Vol. 23, No. 12, 2010, pp. 1449-1462.

[23] R. C. Wang, W. S. Juang and C. L. Lei, Robust authentication and key agreement scheme preserving the privacy of secret key, Computer Communications, Vol. 34, No. 3, 2011, pp. 274-280.

[24] Y. Y. Wang, J. Y. Liu, F. X. and J. Dan, A more efficient and secure dynamic ID-based remote user authentication scheme, Computer Communications, Vol. 32, No. 4, 2009, pp. 583-585.

[25] F. Wen and X. Li, An improved dynamic ID-based remote user authentication with key agreement scheme, Computers and Electrical Engineering, Vol. 38, No. 2, 2011, pp. 381-387.

[26] S. Wu, T. Zhu and Q. Pu, Robust smart-cards-based user authentication scheme with user anonymity, Security and Communication Networks, Vol. 5, No. 2, 2011, pp. 236-248.

[27] D. Xiao, X. Liao and S. Deng, A novel key agreement protocol based on chaotic maps, Information Sciences, Vol. 177, No. 4, 2007, pp. 1136-1142.

[28] E. J. Yoon and K. Y. Yoo, Improving the dynamic ID-based remote mutual authentication scheme, Proceedings of 2006 OTM Workshops, Lecture Notes in Computer Science, Vol. 4277, Springer, Berlin, 2006, pp. 499-507.


[29] E. J. Yoon, K. Y. Yoo and K. S. Ha, A user friendly authentication scheme with anonymity for wireless communications, Computers and Electrical Engineering, Vol. 3, No. 37, 2011, pp. 356-364.


This paper demonstrates some security flaws of the Guo-Chang chaotic maps-based password-authenticated key agreement.

Specifically, the relation between user identities and the shared session key in their scheme could be compromised.

An improved scheme eliminating these weaknesses is also presented.