Abstract
A three-party authenticated key exchange (3PAKE) protocol protects data transmitted over an insecure channel by performing session key agreement between the entities involved. Compared with a 2PAKE protocol, a 3PAKE protocol is better suited to managing an unrestricted number of users. Several researchers have recently proposed 3PAKE protocols that use smart cards. However, we have carefully scrutinized the recently published protocol of Yang et al. and observed that it suffers from several security weaknesses, namely insider attack, off-line password guessing attack, many logged-in users’ attack and replay attack. Moreover, we have demonstrated a serious security issue in the password change phase of the same scheme. To fix these shortcomings, this paper proposes an efficient 3PAKE protocol using smart cards, based on a cryptographic one-way hash function. The formal security analysis proves that the proposed protocol provides strong protection against the relevant security attacks, including the weaknesses mentioned above. Moreover, simulation of the proposed scheme with the AVISPA tool shows that the protocol is SAFE under the OFMC and CL-AtSe models. Performance comparisons are also made, which show that the protocol is relatively better than the existing related schemes. To the best of our knowledge, the proposed scheme should be implemented in practical applications, as it provides good protection against the relevant security attacks, has relatively better complexities than the existing schemes, and achieves proper mutual authentication along with a user-friendly password change phase.
References
Diffie W., Hellman M.: New directions in cryptography. IEEE Trans. Inf. Theory. 22, 644–654 (1976)
Bellovin, S.M.; Merritt, M.: Encrypted key exchange: password based protocols secure against dictionary attacks. In: Proceedings of IEEE Symposium on Research in Security and Privacy, pp. 72–84 (1992)
Farash M.S., Bayat M., Attari M.A.: Vulnerability of two multiple-key agreement protocols. Comput. Electr. Eng. 37(2), 199–204 (2011)
Farash, M.S.; Attari, M.A.: Cryptanalysis and improvement of a chaotic maps-based key agreement protocol using Chebyshev sequence membership testing. Nonlinear Dyn. (2013) doi:10.1007/s11071-013-1204-1
Diffie W., Wiener M., Oorschot P.V.: Authentication and authenticated key exchanges. Des. Codes Cryptogr. 2, 107–125 (1992)
Abdalla, M.; Fouque, P.A.; Pointcheval, D.: Password based authenticated key exchange in the three-party setting. In: Proceedings of the PKC’05, pp. 65–84 (2005)
Law L., Menezes A., Qu M., Solinas J., Vanstone S.: An efficient protocol for authenticated key agreement. Des. Codes Cryptogr. 28, 119–134 (2003)
Yang Y., Deng R.H., Bao F.: A practical password-based two-server authentication and key exchange system. IEEE Trans. Dependable Secure Comput. 3, 105–114 (2006)
Li X., Qiu W., Zheng D., Chen K., Li J.: Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron. 57, 793–800 (2010)
Chang, C.; Lee, J.; Cheng, T.: Security design for three-party encrypted key exchange protocol using smart cards. In: Proceedings of the 2nd International Conference on Ubiquitous Information Management and Communication, pp. 329–333 (2008)
Juang W.S.: Efficient three-party key exchange using smart cards. IEEE Trans. Consum. Electron. 50, 619–624 (2004)
Yoon, E.J.; Yoo, K.Y.: Token-based authenticated key establishment protocols for three-party communication. In: Proceedings of the Conference on Emerging Direction in Embedded and Ubiquitous Computing, LNCS 4809, pp. 758–769 (2007)
Yoon, E.J.; Yoo, K.Y.: 3PSA: 3-Party Smart Card-Based Authentication Scheme. In: Proceedings of the Fourth International Conference on Innovative Computing Information and Control (ICICIC), pp. 1447–1451 (2009)
Kwon J.O., Jeong I.R., Lee D.H.: Three-round smart card-based key exchange scheme. IEICE Trans. Commun. E90-B, 3255–3258 (2007)
Yang H., Zhang Y., Zhou Y., Fu X., Liu H., Vasilakos A.V.: Provably secure three-party authenticated key agreement protocol using smart cards. Comput. Netw. 58, 29–38 (2014)
Chang T.Y., Hwang M.S., Yang W.P.: A communication-efficient three-party password authenticated key exchange protocol. Inf. Sci. 181(1), 217–226 (2011)
Wu S., Pu Q., Wang S., He D.: Cryptanalysis of a communication-efficient three-party password authenticated key exchange protocol. Inf. Sci. 215(1), 83–96 (2012)
Farash, M.S.; Attari, M.A.: An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps. Nonlinear Dyn. (2014) doi:10.1007/s11071-014-1304-6
Wu S., Chen K., Zhu Y.: Enhancements of A Three-Party Password-Based Authenticated Key Exchange Protocol. Int. Arab J. Inf. Technol. 10(3), 215–221 (2013)
Lou D.C., Huang H.F.: Efficient three-party password-based key exchange scheme. Int. J. Commun. Syst. 24, 504–512 (2011)
Xie Q., Zhao J., Yu X.: Chaotic maps-based three-party password-authenticated key agreement scheme. Nonlinear Dyn. 74(4), 1021–1027 (2013)
Zhao F., Gong P., Li S., Li M., Li P.: Cryptanalysis and improvement of a three-party key agreement protocol using enhanced Chebyshev polynomials. Nonlinear Dyn. 74(1–2), 419–427 (2013)
Tan Z.: A chaotic maps-based authenticated key agreement protocol with strong anonymity. Nonlinear Dyn. 72(1–2), 311–320 (2013)
Lee C.C., Hsu C.W.: A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. Nonlinear Dyn. 71(1–2), 201–211 (2013)
Guo C., Chang C.C.: Chaotic maps-based password-authenticated key agreement using smart cards. Commun. Nonlinear Sci. Numer. Simul. 18(6), 1433–1440 (2013)
Lee C., Li C., Hsu C.: A three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps. Nonlinear Dyn. 73(1–2), 125–132 (2013)
Yoon, E.J.; Yoo, K.Y.: Enhanced three-round smart card-based key exchange protocol. In: Proceedings of the 5th International Conference on Autonomic and Trusted Computing (ATC 2008), LNCS 5060, pp. 507–515 (2008)
Chang Y.-F., Yu S.-H., Shiao D.-R.: An uniqueness-and anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37, 9902 (2013)
Messerges T.S., Dabbish E.A., Sloan R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)
Kocher, P.; Jaffe, J.; Jun, B.: Differential power analysis. In: Proceedings of advances in Cryptology, pp. 388–397 (1999)
Jin A.T.B., Ling D.N.C., Goh A.: Biohashing: Two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn. 37(11), 2245–2255 (2004)
Lumini A., Nanni L.: An improved BioHashing for human authentication. Pattern Recogn. 40(3), 1057–1065 (2007)
Amin R., Biswas G.P.: A Novel User Authentication and Key Agreement Protocol for Accessing Multi-Medical Server Usable in TMIS. J. Med. Syst. 39(3), 1–17 (2015)
Mishra D., Das A.K., Mukhopadhyay S.: A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst. Appl. 41(18), 8129–8143 (2014)
Das A.K., Goswami A.: A Secure and Efficient Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care. J. Med. Syst. 37, 9948 (2013). doi:10.1007/s10916-013-9948-1
Pu Q., Wang J., Wu S., Fu J.: Secure verifier-based three-party password-authenticated key exchange. Peer-to-Peer Netw. Appl. 6(1), 15–25 (2013)
Youn T.Y., Kang E.S., Lee C.: Efficient three-party key exchange protocols with round efficiency. Telecommun Syst. 52(2), 1367–1376 (2013)
Tso R.: Security analysis and improvements of a communication-efficient three-party password authenticated key exchange protocol. J Supercomput. (2013). doi:10.1007/s11227-013-0917-8
Farash, M.S.; Attari, M.A.: An efficient client-client password-based authentication scheme with provable security. J Supercomput. (2014). doi:10.1007/s11227-014-1273-z
Lee J.-S., Chang C.-C.: Secure communications for cluster-based ad hoc networks using node identities. J. Netw. Comput. Appl. 30(4), 1377–1396 (2007)
Schneier B.: Applied Cryptography Protocols Algorithms and Source Code in C, second ed. Wiley, London (1996)
Amin, R.; Biswas, G.P.: Design and analysis of bilinear pairing based mutual authentication and key agreement protocol usable in multi-server environment. Wireless Personal Commun. (2015). doi:10.1007/s11277-015-2616-7
Amin, R.; Biswas, G.P.: Remote access control mechanism using rabin public key cryptosystem. In: Information Systems Design and Intelligent Applications, pp. 525–533. Springer (2015). doi:10.1007/978-81-322-2250-7_52
Amin, R.; Biswas, G.P.: Anonymity preserving secure hash function based authentication scheme for consumer USB mass storage device. In: 2015 Third International Conference on Computer, Communication, Control and Information Technology (C3IT), pp. 1–6 (2015). doi:10.1109/C3IT.2015.7060190
Amin, R.; Biswas, G.P.: A secure three-factor user authentication and key agreement protocol for TMIS with user anonymity. J. Med. Syst. (2015). doi:10.1007/s10916-015-0258-7
Amin, R.; Biswas, G.P.: An improved RSA based user authentication and session key agreement protocol usable in TMIS. J. Med. Syst. (2015). doi:10.1007/s10916-015-0262-y
Amin R.: Cryptanalysis and an efficient secure ID-based remote user authentication scheme using smart card. Int. J. Comput. Appl. 75(13), 43–48 (2013)
AVISPA. AVISPA Web Tool. http://www.avispa-project.org/web-interface/expert.php/. Accessed December 2014 (2014)
AVISPA. (2014). Automated validation of internet security protocols and applications. http://www.avispa-project.org/
Dolev D., Yao A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)
Cite this article
Amin, R., Biswas, G.P. Cryptanalysis and Design of a Three-Party Authenticated Key Exchange Protocol Using Smart Card. Arab J Sci Eng 40, 3135–3149 (2015). https://doi.org/10.1007/s13369-015-1743-5
DOI: https://doi.org/10.1007/s13369-015-1743-5