A novel three-party password-based authenticated key exchange protocol with user anonymity based on chaotic maps
A three-party authenticated key exchange (3PAKE) protocol allows two communicating users to authenticate each other and to establish a secure common session key with the help of a trusted remote server. Recently, Farash and Attari proposed an efficient and secure 3PAKE protocol based on Chebyshev chaotic maps, and their protocol is supported by a formal proof in the random oracle model. However, in this paper, we analyze the security of Farash–Attari’s protocol and show that it fails to resist a password disclosure attack if the secret information stored on the server side is compromised. In addition, their protocol is insecure against a user impersonation attack, and the server is not aware of having caused a problem. Moreover, the password change phase cannot reliably identify the validity of a request; this insecurity in the password change phase can cause offline password guessing attacks and is not easily reparable. To remove these security weaknesses, we further design an improved 3PAKE protocol with user anonymity, based on Chebyshev chaotic maps and quadratic residues. In comparison with the existing chaotic map-based 3PAKE protocols, our proposed 3PAKE protocol is more secure, with acceptable computation complexity and communication overhead.
Keywords: Chebyshev chaotic maps; Quadratic residues; Password security; Three-party authenticated key exchange; User anonymity
The authors would like to thank the anonymous reviewers and the Editor for their constructive and generous feedback on this paper. In addition, this research was partially supported and funded by the Ministry of Science and Technology, Taiwan, R.O.C., under contract no.: MOST 105-2221-E-165-005 and MOST 105-2221-E-030-012.
Compliance with ethical standards
Conflict of interest
Chun-Ta Li, Chin-Ling Chen, Cheng-Chi Lee, and Chi-Yao Weng declare that they have no conflict of interest.
This article does not contain any studies with human participants performed by any of the authors.