
An Extended Chaotic Maps-Based Three-Party Password-Authenticated Key Agreement with User Anonymity.

Yanrong Lu, Lixiang Li, Hao Zhang, Yixian Yang

Abstract

User anonymity is one of the key security features of an authenticated key agreement, especially when messages are exchanged over an insecure network. Owing to the favourable properties and higher performance of chaotic theory, chaotic maps have been introduced into security schemes, and numerous chaotic-maps-based key agreement schemes have been put forward. Recently, Xie et al. released an enhanced scheme based on Farash et al.'s scheme and claimed that their improvements could withstand the security loopholes pointed out in the scheme of Farash et al., i.e., that they resist off-line password guessing and user impersonation attacks. Nevertheless, our careful analysis shows that the improvements released by Xie et al. still do not solve the problems that troubled Farash et al.'s scheme. Besides, Xie et al.'s improvements fail to achieve user anonymity and session key security. With the purpose of eliminating the security risks of the scheme of Xie et al., we design an anonymous password-based three-party authenticated key agreement under chaotic maps. Both a formal analysis and a formal security verification using AVISPA are presented. Also, BAN logic is used to show the correctness of the enhancements. Furthermore, we demonstrate that the design thwarts most of the common attacks. We also compare the recent chaotic-maps-based schemes with our enhancements in terms of performance.


Year: 2016. PMID: 27101305. PMCID: PMC4839728. DOI: 10.1371/journal.pone.0153870

Source DB: PubMed. Journal: PLoS One. ISSN: 1932-6203. Impact factor: 3.240


1 Introduction

Authenticated key exchange protocols are among the core cryptographic mechanisms for ensuring network security; they aim at establishing a common session key between the communicating participants. For authenticated key exchange over an open environment, both security and privacy are desired. Over the past few decades, many works on authenticated key exchange have been built on various cryptographic primitives (e.g., symmetric cryptography, public key cryptography, hash functions, etc.) for different applications [1-11]. With the infiltration and merging of many scientific branches, chaotic theory has entered the field of vision of cryptography researchers. Chaotic theory possesses the properties of unpredictability and sensitivity to parameters and initial conditions, which meet some essential requirements of cryptography. Consequently, cryptography based on chaos theory has been studied widely. Chaotic maps have been applied in the design of symmetric encryption [12-13], S-boxes [14], signatures [15] and hash functions [16]. Additionally, chaotic systems have also been applied to key agreement: various chaotic-maps-based key agreements and related approaches have been presented recently [17-20], because chaotic-map operations offer the semi-group property and are more efficient than point multiplications on an elliptic curve and modular exponentiations [21-22]. According to the number of participants in an authenticated key exchange scheme, there are two-party, three-party and multi-party authenticated key exchange schemes. Two-party authenticated key exchange schemes are used to establish a session key in a client-server environment.
In particular, three-party authenticated key exchange schemes were suggested to overcome the infeasibility of exchanging session keys with two-party schemes in large-scale communication environments. In 2011, Wang et al. [23] developed a three-party authenticated key agreement scheme using chaotic maps. However, Yoon et al. [24] showed that the scheme of Wang et al. was vulnerable to an illegal message modification attack and presented an improvement. Next, Lee et al. [25] presented a chaotic-maps-based three-party authenticated key agreement scheme without using a smart card. However, Hu et al. [26] proved that their scheme was not secure against the man-in-the-middle attack when the identity was lost. After that, Farash et al. [27] proposed a three-party authenticated key agreement without symmetric cryptography or the server's public key. Nevertheless, Xie et al. [28] pointed out that the three-party authenticated key agreement proposed by Farash et al. could not withstand the off-line password guessing attack and thus suffered from the user impersonation attack. To prevent these security threats, Xie et al. presented an enhancement, again without using the server's public key. Obviously, both Farash et al.'s and Xie et al.'s schemes are efficient, but omitting the server's public key gives no guarantee of safety. The most important point to consider is that the identity of a user is a key piece of personal privacy. Generally, there is a growing requirement to protect user privacy information from being leaked and abused, which creates the need for schemes that attain user anonymity. The adoption of public key cryptography is essential for protecting user anonymity, as verified by the excellent work in [29]. Through our careful analysis, we found that the scheme proposed by Xie et al. could not achieve user anonymity. In addition, their scheme could not resist off-line password guessing and hence could not withstand the user impersonation attack.
Furthermore, their scheme does not provide session key security. Motivated by this, we design an extended chaotic maps-based three-party password-authenticated key agreement with user anonymity. Both a formal analysis and a formal security verification using AVISPA [30-31] are presented. Also, BAN logic [32] is used to show the correctness of the enhancements. Furthermore, we demonstrate that the design thwarts most of the common attacks, and we compare the recent chaotic-maps-based schemes with our enhancements in terms of performance. The rest of the paper is arranged as follows. The Chebyshev chaotic maps and the related intractable problems are introduced in Section 2. The cryptanalysis of Xie et al.'s scheme is presented in Section 3. Section 4 proposes a chaotic maps-based three-party authenticated key agreement. The security analysis of our scheme and the comparison with other works are described in Sections 5 and 6, respectively. We summarize the whole paper in Section 7.

2 Preliminaries

We will introduce the Chebyshev chaotic maps and the related intractable problems [33-34].

Chebyshev polynomial. Let n be an integer and x ∈ [−1, 1]. The Chebyshev polynomial T_n(x): [−1, 1] → [−1, 1] is defined as T_n(x) = cos(n ⋅ arccos(x)). The recurrence for the Chebyshev polynomials is T_0(x) = 1, T_1(x) = x, T_2(x) = 2x² − 1, and in general T_n(x) = 2x ⋅ T_{n−1}(x) − T_{n−2}(x) for n ≥ 2.

Semi-group property. For .

Discrete logarithm problem. Given the parameters x and y, it is intractable to find an integer p such that T_p(x) = y.

Diffie-Hellman problem. Given the parameters x, T(x) and T(x), it is intractable to compute the value T(x).
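As an added worked derivation (not part of the paper), the semi-group property follows in one line from the cosine definition above. For x ∈ [−1, 1] and integers r, s:

$$
T_r(T_s(x)) = \cos\bigl(r \cdot \arccos(\cos(s \cdot \arccos x))\bigr) = \cos(rs \cdot \arccos x) = T_{rs}(x) = T_s(T_r(x)).
$$

Here $\arccos(\cos(s\theta))$ differs from $s\theta$ only by a sign and a multiple of $2\pi$, which the outer cosine with integer $r$ removes. Because $T_r(T_s(x)) = T_{rs}(x)$ is an identity between integer polynomials, it also holds when the polynomials are evaluated modulo a prime $p$, which is the setting used by the schemes in this paper. It is exactly this commutation that lets two parties who publish $T_a(x)$ and $T_b(x)$ both compute $T_{ab}(x)$, while an observer faces the Diffie-Hellman problem stated above.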

3 Review of Xie et al.’s scheme

In this section, we review Xie et al.'s chaotic-maps-based authenticated key agreement. Their scheme consists of four phases: system setup, registration, authentication and key exchange, and password change. The registration phase and the authentication and key exchange phase are shown in Fig 1. The notations used throughout this study are listed below.
Fig 1. Mutual authentication and key agreement of Xie et al.'s scheme.

S: a remote server.
A and B: two users.
ID, ID: the identities of A and B.
pw, pw: the passwords of A and B.
k and T(x): private and public keys of S.
s: a secret key of S.
r: shared secret key between A and S.
h1(): a one-way hash function h1: {0, 1}* → {0, 1}.
h(): a chaotic maps-based one-way hash function.
ring of integers modulo p.
p: a large prime number.

3.1 System setup

The server S performs the following steps: selects its secret key s; selects a large prime number p; selects a secure one-way hash function h1; selects a chaotic maps-based one-way hash function h(). Finally, S keeps the secret key s and releases the parameters {p, x, h1(), h()}.

3.2 Registration

The user A registers with the server S as below:
Step 1: User A computes PW = T(x) mod p and sends {ID, PW} to S through a secure channel, where ID and pw are the identity and password of A, respectively.
Step 2: The server S computes VPW = h1(ID, s) + PW and stores {ID, VPW} in its database.
The user B registers with S in the same way, which we omit.

3.3 Authentication and key exchange

The establishment of the session key among A, B and S is described in the following:
Step 1: User A computes R = T(x) mod p and sends {ID, ID, R} to S, where a ∈ [1, p + 1].
Step 2: On receiving the login message, S computes PW = VPW − h(ID, s), PW = VPW − h(ID, s), R = T(x) − PW mod p, R = T(x) − PW mod p, then sends {ID, R} to B and {ID, R} to A.
Step 3: On receiving {ID, R} from S, B computes R = T(x) mod p, K = T(R + PW) = T(x) mod p and Z = h(0, ID, ID, R, R, K). Then B sends {R, Z} to S. After A receives {ID, R} from S, he computes K = T(R + PW) = T(x) mod p and Z = h(0, ID, ID, R, R, K). Then A sends {Z} to S.
Step 4: On receiving the messages from A and B, S computes K = T(R) = T(x) mod p and checks the Z received from B. If it is valid, S then computes K = T(R) = T(x) mod p and checks the Z received from A. If that holds, S computes Z = h(1, ID, ID, R, R, K) and Z = h(1, ID, ID, R, R, K) and sends {R, Z} and {R, Z} to A and B, respectively.
Step 5: When A receives {R, Z}, he verifies the received Z. If it holds, A computes K = T(R) = T(x) mod p and the session key SK = h(2, ID, ID, R, R, K). Similarly, once B receives {R, Z}, he verifies the received Z. If it is valid, B computes K = T(R) = T(x) mod p and the session key SK = h(2, ID, ID, R, R, K).

3.4 Password change

If user A wants to update his password, he performs the following steps:
Step 1: User A computes the update values and sends {ID, R, Z, PWD, V, M} to S, where M = {Password update request}.
Step 2: S first verifies the request. If it holds, S computes PW = PWD − h(K, ID) mod p and verifies the new password value. If it holds, S computes R1 = h(1, ID, PWD, V, K) and VPW = h(ID, s) + PW mod p, replaces VPW with the new value in its database, and sends {Accept, R1} to A. Otherwise, S sends {Reject, R2} to A, where R2 = h(0, ID, PWD, V, K).
Step 3: When A receives {Accept, R1}, he verifies R1. If it is valid, A accepts the new password. Otherwise, he verifies R2 and returns to Step 1 to execute the above steps again.

4 Cryptanalysis of Xie et al.’s scheme

Xie et al. claimed that their improvements could withstand the off-line password guessing attack and the user impersonation attack that Farash et al.'s scheme failed to resist. However, we demonstrate that their improvement cannot really resist the off-line password guessing attack and thus suffers the user impersonation attack. Besides, we also demonstrate that their improvements cannot achieve session key security as stated. Furthermore, user anonymity is also not provided by their improvements. To launch the attacks, we adopt the attack model proposed by Xu et al. [35]. According to their assumption, an attacker can completely monitor the open communication channel, and can insert, delete and modify any messages among the correspondents.

4.1 Off-line password guessing attack

The adversary can easily perform the attack by intercepting the messages {ID, ID, R} and Z transmitted from A to S, as below:
Step 1: The adversary computes R = T(x) mod p and sends {ID, ID, R} to S, where a ∈ [1, p + 1] is a random number.
Step 2: S computes PW = VPW − h(ID, s), PW = VPW − h(ID, s), R = T(x) − PW mod p, R = T(x) − PW mod p, where S1, S2 ∈ [1, p + 1]. Next, S sends {ID, R} to A.
Step 3: The adversary guesses a candidate password and computes the corresponding value. After that, the adversary checks whether it matches the intercepted Z. If the equation holds, the adversary has obtained the correct password. Otherwise, the adversary repeats the above steps until he succeeds.

4.2 User impersonation attack

After obtaining the password of user A (or user B), the adversary can masquerade as the legitimate user A (or user B) to cheat the server S and the user B (or user A). Following the previous subsection, once the adversary guesses correctly, he sends {Z} to S. On receiving the messages from the adversary, S executes the original scheme without any detection. Finally, S sends {R, Z} to the adversary. After receiving the messages from S, the adversary verifies whether Z = h(1, ID, ID, R, R, K). If it is true, the adversary computes K = T(R) = T(x) mod p and the session key SK = h(2, ID, ID, R, R, K). That is, the adversary has successfully wormed himself into the confidence of S and B.

4.3 Anonymity of users

The user identity is an important piece of personal privacy. In many cases, the adversary may exploit the user identity to link different login sessions together and trace user activities [29]. Moreover, exposure of the user identity and activities may also allow an unauthorized entity to trace the user's login history and even current location [36]. In Xie et al.'s scheme, the message {ID, ID, R} transmitted from A to S, the message {ID, R} sent from S to A and the message {ID, R} transmitted from S to B all expose the identities of A and B. This gives the adversary an easy chance to obtain the identity, learn who is requesting the service and further trace that user's position. This means Xie et al.'s scheme fails to achieve user anonymity.

4.4 Violation of the session key security

After deriving the password PW by performing the off-line password guessing attack, the adversary can easily derive the session key shared between A and B after intercepting the transmitted messages R and R. The adversary can compute an integer solution a* (or b*) satisfying the corresponding equation by adopting the method of Bergamo et al. [22]. With the values a* and b*, the adversary can compute the session key. In this regard, the adversary can compute SK = h(2, ID, ID, R, R, K), since all the parameters contained in SK can be obtained merely by intercepting the communication channel.

5 Proposed scheme

This section presents our enhanced scheme, which inherits the advantages and avoids the disadvantages of the scheme proposed by Xie et al. The proposed scheme contains four phases: system initialization, registration, session key establishment and password updating. The registration and session key establishment phases are shown in Fig 2.
Fig 2. Mutual authentication and key agreement of our scheme.

5.1 System initialization

The server S performs the following steps:
Step 1: Selects a random number;
Step 2: Selects a private key k ∈ [1, p + 1] and computes T(x) mod p as its public key;
Step 3: Selects a chaotic-map hash function h(). S keeps the secret key k and releases the parameters {p, x, T(x) mod p, h()}.

5.2 Registration

The registration phase of A/B is as below:
Step 1: User A/B submits {ID, g = h1(pw, r)}/{ID, g = h1(pw, r)} to the server S, where r and r are random numbers;
Step 2: On receiving the registration request, S computes VPW = h1(ID, k) ⊕ g / VPW = h1(ID, k) ⊕ g. Next, S randomly chooses a secret key r for A and sends it to A via the private channel. Note that r is kept securely by A and is different for each user. Finally, S stores k ⊕ r and VPW/VPW in its memory.

5.3 Session key establishment

After registering with the server S, users A and B establish the session key with the help of S in the following manner:
Step 1: Using the stored shared secret key r, user A computes C = E(ID, ID, T(x), F) and sends it to S, where K = T(T(x)), F = h(ID, ID, T(x), g) and a ∈ [p + 1] is a random number.
Step 2: On receiving the message, S first derives r by computing k ⊕ r ⊕ k and obtains {ID, ID, T(x), F} by decrypting C with the computed symmetric key K = T(T(x)). Next, S checks the received F, where g = VPW ⊕ h(ID, k). If the check holds, S computes C = E(T(x), F, ID, ID) and sends it to user B, where F = h(T(x), ID).
Step 3: After receiving the authentication message from S, user B first retrieves {T(x), ID, ID, F} by decrypting C and checks the validity of F. If it is correct, B computes P = E(T(x), H) and sends the authentication message {P} back to S via an insecure channel, where H = h(ID, T(x)) and b ∈ [1, p + 1] is a random number chosen by B.
Step 4: S decrypts P with g to get T(x) and H. After that, S examines the received H. If it is correct, S computes Z = h(ID, ID, T(x), T(x)) and R = E(T(x), T(x), ID, Z) and returns R to A, where S1 is a random number and K = T(T(x)) is the shared key between A and S. At the same time, S also computes Z = h(ID, ID, T(x), T(x)) and R = E(T(x), T(x), ID, Z) and returns R to B, where S2 is a random number and K = T(T(x)).
Step 5: On receiving the message from S, A checks the Z decrypted from R. If it holds, A computes the session key SK = T(T(x)) and V = h(ID, SK), and then sends V to B. Similarly, B verifies the validity of Z = h(ID, ID, T(x), T(x)) derived from R. If it holds, B computes the session key SK = T(T(x)) and V = h(ID, SK), and then sends V to A.
Step 6: On receiving the message from B, A verifies whether h(ID, SK) equals the received V. If the verification holds, A accepts SK as the shared session key for encrypting the following messages. Otherwise, A aborts the session. At the same time, B checks the correctness of V = h(ID, SK). If the result is true, B agrees on the session key SK with A.
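To make the building blocks of Section 2 and of the registration and session key establishment phases above concrete, the following Python script is an added example written for this page; it is not the authors' code and it does not implement the full protocol. It evaluates the extended Chebyshev polynomial T_n(x) mod p with O(log n) matrix squarings, checks the semi-group property T_r(T_s(x)) = T_rs(x), models the Section 5.2 verifier VPW = h1(ID, k) ⊕ h1(pw, r), and derives the key material of the Section 5.3 exchange: the server public key T_k(x), the shared keys K_AS = T_a(T_k(x)) and K_BS = T_b(T_k(x)), and the session key SK = T_a(T_b(x)) = T_b(T_a(x)). The modulus, base point, the SHA-256 stand-in for h1() and all identities, passwords and salts are constructed for the demo; the symmetric encryption E, the chaotic hash h() and the message checks F, H, Z and V are deliberately left out.

```python
import hashlib
import secrets

# Constructed demo parameters (not taken from the paper): a 127-bit Mersenne
# prime modulus and an arbitrary public base point x in Z_p.
P = (1 << 127) - 1
X = 0x1234567890ABCDEF1234567890ABCDEF % P


def chebyshev(n, x, p):
    """Extended Chebyshev polynomial T_n(x) mod p for an integer n >= 0.

    Uses the recurrence T_0 = 1, T_1 = x, T_k = 2x*T_{k-1} - T_{k-2} in matrix
    form, so the cost is O(log n) 2x2 multiplications instead of n steps.
    """
    def mul(a, b):
        return ((a[0] * b[0] + a[1] * b[2]) % p, (a[0] * b[1] + a[1] * b[3]) % p,
                (a[2] * b[0] + a[3] * b[2]) % p, (a[2] * b[1] + a[3] * b[3]) % p)

    # M sends the column (T_k, T_{k-1}) to (T_{k+1}, T_k), so M^n sends
    # (T_1, T_0) = (x, 1) to (T_{n+1}, T_n); T_n is the second row of M^n
    # applied to (x, 1).
    result = (1, 0, 0, 1)
    base = (2 * x % p, p - 1, 1, 0)
    while n:
        if n & 1:
            result = mul(result, base)
        base = mul(base, base)
        n >>= 1
    return (result[2] * x + result[3]) % p


def semigroup_holds(r, s, x, p):
    """T_r(T_s(x)) == T_{rs}(x) mod p: the property every party below relies on."""
    return chebyshev(r, chebyshev(s, x, p), p) == chebyshev(r * s, x, p)


def h1(*parts):
    """Stand-in for the paper's one-way hash h1(): SHA-256 of the inputs, as an int."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def register(identity, password, salt, server_key):
    """Registration of Section 5.2: the client sends g = h1(pw, r), never pw itself;
    the server stores VPW = h1(ID, k) XOR g. Returns that stored verifier."""
    g = h1(password, salt)
    return h1(identity, server_key) ^ g


def server_recovers_g(identity, vpw, server_key):
    """All S can rebuild from VPW and its key k is g; pw stays behind h1 and the salt r."""
    return vpw ^ h1(identity, server_key)


def key_agreement(p, x, k, a, b):
    """Key material of the Section 5.3 exchange with the random exponents passed in,
    so a run is reproducible. S holds k and publishes T_k(x); A picks a, B picks b.
    Returns each shared value as computed by both sides; they must be equal."""
    t_k = chebyshev(k, x, p)   # server public key, published with p and x
    t_a = chebyshev(a, x, p)   # A's ephemeral value (carried inside C in the paper)
    t_b = chebyshev(b, x, p)   # B's ephemeral value (carried inside P in the paper)
    return {
        "K_AS": (chebyshev(a, t_k, p), chebyshev(k, t_a, p)),  # A's view, S's view
        "K_BS": (chebyshev(b, t_k, p), chebyshev(k, t_b, p)),  # B's view, S's view
        "SK": (chebyshev(a, t_b, p), chebyshev(b, t_a, p)),    # A's view, B's view
    }


def all_sides_agree(result):
    """True when every shared value was derived identically by both parties."""
    return all(left == right for left, right in result.values())


if __name__ == "__main__":
    k, a, b = (secrets.randbelow(P - 1) + 1 for _ in range(3))
    print("semigroup property holds:", semigroup_holds(7, 11, X, P))
    print("all sides agree on K_AS, K_BS, SK:",
          all_sides_agree(key_agreement(P, X, k, a, b)))
    vpw = register("alice", "correct horse battery", "salt-r", k)  # constructed values
    print("S recovers g but not pw:",
          server_recovers_g("alice", vpw, k) == h1("correct horse battery", "salt-r"))
```

Both checks only establish consistency: the two sides of every pair agree because of the semi-group identity, and the registration step shows why an insider at S sees only g. The confidentiality of the exponents a, b and k rests on the Chebyshev discrete logarithm and Diffie-Hellman assumptions of Section 2, so the size of p and the choice of x must follow the paper's parameters rather than the toy constants used here.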

5.4 Password update

When A intends to change his password after a successful handshake between A and S, he performs the following steps:
Step 1: A selects a new password, computes the update values and Z = h(ID, T(x), K), and sends them to S.
Step 2: S decrypts R to retrieve the new value using the shared secret key r and verifies Z. If it is correct, S computes the new verifier and updates VPW with it.
If B plans to change his password after a successful authentication between B and S, he performs the following steps:
Step 1: B selects a new password, computes the update values and Z = h(ID, T(x), K), and sends them to S.
Step 2: S decrypts R to retrieve the new value using the shared key K and verifies Z. If it is correct, S computes the new verifier and updates VPW with it.

6 Security analysis of the proposed scheme

In this part, we first present a formal security analysis and then adopt the well-known formal tool for analyzing cryptographic protocols, BAN logic, to demonstrate the validity of the session key established between A and B with the help of the server S. After that, we discuss the security of the proposed scheme against the known kinds of attacks. Finally, we use formal verification software to demonstrate that our scheme is secure.

6.1 Formal security proof of the proposed scheme

Based on the one-way property of the hash function [16] and the ciphertext indistinguishability of the symmetric cryptography algorithm [37], this part gives the formal analysis of the proposed scheme.

Symmetric cryptography algorithm Θ assumption: Denote the Θ advantage of an adversary by its probability of distinguishing ciphertexts. Θ is secure if this advantage is negligible for any probabilistic polynomial-time adversary.

Let Θ be secure. Assume that the one-way hash function h(⋅) behaves as a random oracle; then our proposed password-authenticated key agreement prevents an adversary from extracting the identity ID of the user A and the session key SK between the user A and the user B.

Reveal 1: This oracle unconditionally outputs the cleartext m of the symmetric cryptography algorithm Θ for the corresponding ciphertext C = Enc(m).
Reveal 2: This oracle unconditionally outputs the input x of the hash function for the corresponding hash value y = h(x).

The adversary executes the experiments of Algorithm 1 (Table 1) and Algorithm 2 (Table 2) against our three-party password-authenticated key agreement. Suppose the adversary could obtain the identity ID of the user A and the session key SK between the user A and the user B; this means the adversary has an extremely high probability of winning each game within running time t and with q queries (i = 1, 2). However, both are computationally infeasible problems under the symmetric cryptography algorithm Θ assumption without knowledge of the secret key k, and under the non-invertibility of the hash function, i.e., the success probability of each experiment is bounded by ε for any sufficiently small ε > 0 (i = 1, 2). That is, the adversary's advantage in each experiment is negligible, since the two depend on the advantage against Θ and against the hash function, respectively. As a result, no adversary can derive the identity ID of A or the session key SK between the user A and the user B.
Table 1. Algorithm 1 (experiment for extracting the identity ID_A).

1. Intercept the login message {C_A}, where C_A = E_{K_AS}(ID_A, ID_B, T_a(x), F_A)
2. Call Reveal oracle 1: (ID_A′, ID_B′, T_a(x)′, F_A′) ← Reveal1(C_A)
3. Intercept the authenticated message {C_B}, where C_B = E_{g_B}(ID_A, ID_B, T_a(x), F_B)
4. Call Reveal oracle 1: (ID_A″, ID_B″, T_a(x)″, F_B″) ← Reveal1(C_B)
5. If (T_a(x)″ = T_a(x)′) then
6.   Accept ID_A′ as the true identity of the user A
7.   return 1
8. else
9.   return 0
10. end if

Table 2. Algorithm 2 (experiment for extracting the session key SK).

1. Intercept the message {V_A}, where V_A = h(ID_A, SK)
2. Call Reveal oracle 2: (ID_A′, SK′) ← Reveal2(V_A)
3. Intercept the message {V_B}, where V_B = h(ID_B, SK)
4. Call Reveal oracle 2: (ID_B″, SK″) ← Reveal2(V_B)
5. If (SK′ = SK″) then
6.   Accept SK′ as the correct session key between A and B
7.   return 1
8. else
9.   return 0
10. end if

6.2 Authentication proof based on BAN logic

BAN logic is an important formal method and is widely applied to the security analysis of authentication schemes. Verifying a protocol with BAN logic consists of four parts: goals, idealisation, assumptions and analysis. The goals are, as the name suggests, the objectives of the verification; idealisation formulates each protocol step as a ciphertext communication; the assumptions state essential information, such as which principals have generated which fresh random numbers, which keys are originally shared between the principals, and which principals are trusted in special ways. On this basis, the step-by-step BAN logic analysis of the protocol is a natural procedure. BAN logic defines notations and rules to verify whether mutual authentication is achieved between the correspondents. We first introduce the notations and rules used in our analysis.

Notations:
P ⊲ X: principal P sees a message containing X.
P |≡ X: P believes X is true.
P |∼ X: P is known to have sent a message including X.
Key-sharing formula: P and Q communicate with a shared key K.
#X: formula X is fresh.
P ⇒ X: P has jurisdiction over X.
Encryption formula: X and Y are encrypted with the key K.
{X, Y}: X or Y is a part of the message {X, Y}.
Inference: a conjunction of statements 1 and 2 can infer statement 3.

Rules:
Message-meaning rule: if A believes that the key K is shared with B and A receives a message containing X encrypted under K, then A believes that B once said X.
Nonce-verification rule: if A believes that X is fresh and A believes that B once said X, then A believes that B believes X.
Fresh conjuncatenation rule: if A believes that a component of the formula (X, Y) is fresh, then A believes that the formula is fresh.
Jurisdiction rule: if A believes that B has control over X, and A believes that B believes X, then A trusts B on the truth of X.

(1) We establish the following goals which the session key agreement protocol should achieve:
goal3. A |≡ B |≡ ID
goal5. B |≡ ID
goal6. B |≡ A |≡ ID

(2) We idealise the communication messages of the proposed scheme as below:
A → S: the message C.
S → A: Z: (ID, ID, T(x), T(x)).
S → B: F: h(T(x), ID), Z: h(ID, ID, T(x), T(x)).
B → S: H: (ID, T(x)).
A → B: the message V.
B → A: the message V.

(3) We make the following initial assumptions for the proposed scheme:
A1. A |≡ #a
A2. B |≡ #b
A3. B |≡ ID
A4. A |≡ ID
A7. A |≡ ID

Now, using the rules of BAN logic, we show that the proposed scheme attains the intended goals:
According to the message C, we derive D1.
According to A6, D1 and the message-meaning rule, we get D2.
According to R, we obtain D3.
According to A5, D3 and the message-meaning rule, we get D4.
According to D4, A4 and the fresh conjuncatenation rule, we obtain D5.
According to D5, we immediately retrieve D6.
According to D6, SK = T(T(x)) and A1, we achieve goal1.
According to the message V, we gain D7.
According to D7, goal1 and the message-meaning rule, we get D8.
According to goal1, D8 and the nonce-verification rule, we attain goal2.
According to D8, A7 and the nonce-verification rule, we achieve goal3.
According to the message R, we extract D9.
According to A14, D9 and the message-meaning rule, we collect D10.
According to A3, D10 and the fresh conjuncatenation rule, we acquire D11.
According to D11, we directly obtain D12.
According to A2, D12 and SK = T(T(x)), we obtain goal4.
According to the message C, we obtain D13.
According to A15, D13 and the message-meaning rule, we attain D14.
According to A3, D14 and the fresh conjuncatenation rule, we derive goal5.
According to V, we collect D15.
According to A15, goal4 and the message-meaning rule, we attain D16.
According to goal5, D16 and the nonce-verification rule, we get goal6.
According to goal4, goal5 and the nonce-verification rule, we get goal7.

6.3 Informal security analysis

In this part, we demonstrate the strength of the proposed scheme. Specifically, we show that the proposed scheme is secure against the loopholes found in the scheme of Xie et al. Besides, the proposed scheme also provides other common security features. To facilitate the discussion, we again adopt the attack model proposed by Xu et al. [35]: an adversary can completely monitor the open communication channel, and can insert, delete and modify any messages among the correspondents.

6.3.1 User anonymity

We employ symmetric cryptography to safeguard the user identity. Specifically, the identities {ID, ID} appear only inside C, R or C, G and R in the form of ciphertext, where C = E(ID, ID, F), R = E(T, T(x), Z), Z = h(ID, ID, T(x), T(T(x))), C = E(T(x), h(T(x), T(ID)), G = E(ID, H), R = E(T, T(x), Z), Z = h(ID, ID, T(x)), K = T(T(x)) and g = h1(pw, r). From the above we can see that the identities of both A and B are protected by the server's public key, chaotic maps, the hash function and symmetric cryptographic operations. Besides, the parameters used, including secret keys and random numbers, are not exposed on the public channel. For example, suppose an adversary eavesdrops on the message C and plans to derive the identity of A. He first needs to know K = T(T(x)). To obtain T(x) from the intercepted H = T(x) ⊕ T(x), the shared secret key r is needed. In general, it is hard for the adversary to derive the identities from the transmitted messages. Our proposed scheme is therefore secure against the tracing attack.

6.3.2 Avoidance of insider attack

In the registration phase of our proposed scheme, A and B send g = h1(pw, r) or g = h1(pw, r) to the server S, respectively. When S receives the registration request, it cannot retrieve the cleartext password pw or pw, because it does not know the random numbers r and r. Therefore, the proposed scheme protects against the insider attack.

6.3.3 Avoidance of off-line password guessing attack

Even if the adversary intercepts all the communicated messages {C, H, C, P, G, R, R}, he still cannot derive the password of user B. Assume that the adversary steals the stored information {VPW} or {VPW}, where VPW = h1(pw, r) ⊕ h1(ID, k). Even if the secret key k of S is compromised, the adversary still requires the random number r. In addition, the identity of A or B is also needed, and this is protected by user anonymity. This means the off-line password guessing attack cannot succeed in our scheme.

6.3.4 Avoidance of user impersonation attack

As discussed in the previous subsection, the adversary cannot guess the correct password, let alone masquerade as a legal user to obtain the services provided by the server S. Suppose the adversary fabricates a password and sends the forged message {C} or {P} to the server S. After receiving the message, S decrypts C with its own private key k. S will then detect the attack by checking the correctness of F or H against its own computed values g = h1(pw, r) = VPW ⊕ h1(ID, k) or g = h1(pw, r) = VPW ⊕ h1(ID, k). Therefore, the adversary cannot launch a user impersonation attack either.

6.3.5 Avoidance of man-in-the-middle attack

Assume that the adversary intercepts the login message {C = E(ID, ID, T(x), F)} and attempts to modify it. However, he has no way to know the symmetric key K shared between A and S, and without this key he cannot decrypt the message. Similarly, suppose the adversary eavesdrops on the message C = E(T(x), F, ID, ID) and plans to forge it; he faces the same obstacle without knowledge of the shared symmetric key g. Therefore, the proposed scheme protects against the man-in-the-middle attack. This point is also verified by the simulation result later.

6.3.6 The session key perfect forward secrecy

The session key is SK = T(T(x)), where T(x) and T(x) are never transmitted in the clear over the public channel. On the one hand, T(x) and T(x) are protected by symmetric encryption or by the Chebyshev polynomials, where the symmetric key is g and the chaotic map is T(x). The security of the symmetric key has been shown in the previous subsection. On the other hand, assume that the adversary has the secret key of S and the stored information {VPW} or {VPW}. Even so, it is impossible for the adversary to derive g or g without knowing the identity of A or B, and learning the identity brings us back to the discussion of user anonymity. Therefore, the proposed scheme provides session key perfect forward secrecy.

6.3.7 Mutual authentication

A sends the message {C, H} to S, where C = E(ID, ID, F), F = h(ID, ID, T(x), g) and H = T(x) ⊕ T(x). On receiving the message, S derives T(x) using the shared secret key r and then decrypts C with its private key k to get {ID, ID, F}. Next, S computes h(ID, ID, T(x), VPW ⊕ h1(ID, k)) and checks whether it equals the F decrypted from C. If it is correct, A is authenticated. B verifies the legitimacy of S through the validity of the F decrypted from C, and S validates B through the correctness of the H decrypted from G. Similarly, A authenticates S by verifying the Z decrypted from R. Finally, A and B authenticate each other through the correctness of V and V.

6.4 Formal validation of the proposed scheme using AVISPA software

In this part, we simulate the proposed scheme using the widely used AVISPA (Automated Validation of Internet Security Protocols and Applications) toolkit [30-31] to validate that passive and active attacks, including man-in-the-middle and replay attacks, are withstood. AVISPA integrates four back-ends, (i) OFMC, (ii) CL-AtSe, (iii) SATMC and (iv) TA4SP, for the analysis of security schemes, and protocols are specified in the role-based HLPSL (High Level Protocol Specification Language). After execution with the OFMC and CL-AtSe back-ends, the results (Figs 3-4) verify that the proposed scheme is secure under the Dolev-Yao model. The HLPSL specifications of the roles U (S1 Fig), U (S2 Fig), S (S3 Fig), the session (S4 Fig) and the environment (S5 Fig) are provided in the Supporting Information.
Fig 3. Simulation result for the OFMC.

Fig 4. Simulation result for the CL-AtSe.

7 Performance comparisons

In this section, we evaluate the performance of our proposed scheme and compare it with the recent chaotic-maps-based schemes [28, 2, 4, 9]. The following computation costs are used to evaluate the schemes in terms of computational complexity. Tcp: time for computing a Chebyshev polynomial; Th: time for computing a hash function; TS: time for performing a symmetric encryption/decryption; Tpm: time for computing a point multiplication; Tm: time for performing a MAC generation/verification. Table 3 shows the computation overhead of our proposed scheme and some recent three-party schemes. We mainly address the cost of authentication and session key agreement, because these are the principal parts of an authentication scheme and must be performed for each session. Table 3 shows that our improvement needs a slightly higher computational cost than Xie et al.'s scheme while consuming less than the others, noting that a point multiplication is much more expensive than the lightweight cryptographic operations and that a symmetric encryption/decryption costs about as much as a hash function [34]. However, the additional chaotic-map and symmetric cryptographic operations are worth it for the strong security and better functionality attributes achieved compared with Xie et al.'s scheme.
Table 3

Performance comparison.

| Operation costs | Ours | Xie et al. [28] | Chou et al. [2] | He-Wang [4] | Nam et al. [9] |
|---|---|---|---|---|---|
| User | 3Tcp + 4Th + 4Th | 3Tcp + 3Th | 3Tpm + 2Th | 3Tpm + 7Th | 3Tpm + 1TS + 4Th + 1Tm |
| Second party | 2Tcp + 3TS + 5Th | 3Tcp + 3Th | 3Tpm + 2Th | 2Tpm + 5Th | 1Tm + 1TS + 1Th |
| Third party | 5Tcp + 5TS + 7Th | 4Tcp + 6Th | 3Tpm + 8Th | 2Tpm + 9Th | 1Tm + 1TS + 2Th |
| Communication rounds | 6 | 5 | 6 | 6 | 4 |
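As an added illustration (not code from the paper), the Table 3 entries parsed and totalled in Python under an explicit relative-cost model, so the comparison in the text can be checked per operation type; the weights in ASSUMED_WEIGHTS are constructed assumptions, since the page gives only qualitative cost relations.

```python
import re
from collections import Counter

# Per-party operation counts transcribed from Table 3 (user, second party,
# third party).  Tcp: Chebyshev polynomial, Th: hash, TS: symmetric
# encryption/decryption, Tpm: EC point multiplication, Tm: MAC.
TABLE3 = {
    "Ours":            ["3Tcp + 4Th + 4Th", "2Tcp + 3TS + 5Th", "5Tcp + 5TS + 7Th"],
    "Xie et al. [28]": ["3Tcp + 3Th", "3Tcp + 3Th", "4Tcp + 6Th"],
    "Chou et al. [2]": ["3Tpm + 2Th", "3Tpm + 2Th", "3Tpm + 8Th"],
    "He-Wang [4]":     ["3Tpm + 7Th", "2Tpm + 5Th", "2Tpm + 9Th"],
    "Nam et al. [9]":  ["3Tpm + 1TS + 4Th + 1Tm", "1Tm + 1TS + 1Th", "1Tm + 1TS + 2Th"],
}

# Assumed relative costs in hash-equivalents (constructed for illustration;
# the page only states that TS costs about as much as Th and that Tpm is
# much more expensive than the lightweight operations).
ASSUMED_WEIGHTS = {"Th": 1, "TS": 1, "Tm": 1, "Tcp": 5, "Tpm": 60}

TERM = re.compile(r"(\d+)\s*(Tcp|Th|TS|Tpm|Tm)")

def parse_cost(expr):
    """'2Tcp + 3TS + 5Th' -> Counter({'Th': 5, 'TS': 3, 'Tcp': 2})."""
    counts = Counter()
    for n, op in TERM.findall(expr):
        counts[op] += int(n)
    return counts

def scheme_total(scheme):
    """Operation counts summed over all three parties of one scheme."""
    total = Counter()
    for expr in TABLE3[scheme]:
        total += parse_cost(expr)
    return total

def weighted_cost(scheme, weights=ASSUMED_WEIGHTS):
    """Total cost of a scheme under a relative-cost model (hash-equivalents)."""
    return sum(weights[op] * n for op, n in scheme_total(scheme).items())

def rank(weights=ASSUMED_WEIGHTS):
    """Schemes ordered from cheapest to most expensive under the model."""
    return sorted(TABLE3, key=lambda s: weighted_cost(s, weights))

if __name__ == "__main__":
    for s in rank():
        print(f"{s:16s} {dict(scheme_total(s))}  ~{weighted_cost(s)} hash-equivalents")
    # The ordering is only as good as the assumed weights: a much cheaper
    # point multiplication reorders the schemes.
    print(rank({**ASSUMED_WEIGHTS, "Tpm": 5}))
```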
Table 4 lists the security comparisons among our proposed scheme and some recent three-party schemes. It demonstrates that our scheme has many excellent features and is more secure than other recent three-party schemes.
Table 4

Security properties comparison.

| Security property | Ours | Xie et al. [28] | Chou et al. [2] | He-Wang [4] | Nam et al. [9] |
|---|---|---|---|---|---|
| Session key perfect forward secrecy | Yes | No | Yes | Yes | Yes |
| Mutual authentication | Yes | Yes | Yes | Yes | Yes |
| User anonymity | Yes | No | No | Yes | Yes |
| Insider attack | Yes | Yes | - | Yes | No |
| Off-line password guessing attack | Yes | No | - | Yes | No |
| Impersonation attack | Yes | No | No | No | No |

8 Conclusion and future work

This paper discussed the security of the recent scheme proposed by Xie et al. We showed that the recent scheme had several security pitfalls. Besides, we found that it was insecure because it relied only on hash functions. To mend all the identified weaknesses, we then presented an enhancement which utilized asymmetric cryptography to conceal the user's identity. We demonstrated that the improvements not only were immune to the loopholes found in Xie et al.'s scheme but also withstood other common attacks. We also performed the BAN logic analysis and confirmed that mutual authentication is achieved in our scheme. The formal security analysis also shows that our scheme supports more security properties. The performance comparison between the recent schemes and the proposed scheme showed that our improvements were more secure than the other schemes. Nevertheless, it cannot be ignored that schemes based on chaotic maps have inevitable restrictions in some applications, where an ID-based solution is a better choice. Therefore, our near future work is to design a robust ID-based authenticated key agreement scheme.

Role specification of U.

Role specification of S.

Role specification of the Session.

Role specification of the Environment.