RESEARCH ARTICLE
ABSTRACT
Modern individuals heavily rely on the support of information systems. Various applications and information processing systems provide all kinds of assistance for people's lives such as information search, work scheduling, entertainment, and online shopping. For a user, in order to access an Internet-connected system or an internal system within an enterprise, in general, a unique password is given to the user to log into the system. Therefore, how to conveniently maintain or remember multiple passwords has become a serious headache for people. In this study, a new chaotic maps-based authenticated key agreement protocol is first proposed for multi-server environments. A trusted third party, called the registration center (RC), is introduced in our protocol. Once a legal user has registered with the RC, this user can log into any server with only one memorable password in a multi-server environment as long as the user has been granted access rights in advance. As the security robustness of our protocol is built on randomly generated nonces and chaotic maps, there is no time synchronization issue. Security analyses and comparisons on performance efficiency and security features among existing protocols show that our protocol is computationally efficient, and withstands password-guessing attacks and other well-known security threats. Copyright 2014 John Wiley & Sons, Ltd.
KEYWORDS
multi-server environment; authenticated key agreement protocol; chaotic maps; password-guessing attack
*Correspondence
Nai-Wei Lo, Department of Information Management, National Taiwan University of Science and Technology.
E-mail: nwlo@cs.ntust.edu.tw
authentication. Even though a smartcard provides storage space for a longer secret key than a human-memorable password, the inconvenience caused by the necessity of carrying smartcards is always an issue for users. Smartcard-based authenticated key agreement protocols usually do not consider the security threat from password-guessing attacks, because the secret key stored in a smartcard is usually longer than 256 bits and it is generally more difficult for an adversary to take the smartcard of a user and retrieve the corresponding secret key from the smartcard in comparison with executing a series of password-guessing attacks.

In modern countries, an individual usually needs to access multiple information systems via the Internet or local area networks. Consequently, a user has to remember multiple passwords or carry multiple smartcards to gain access to all targeted systems when traditional authenticated key agreement protocols are adopted. A multi-server authenticated key agreement protocol allows a user to access multiple servers with only one password or one smartcard once the user has registered with a trusted third party called a registration center (RC). Figure 1 shows a multi-server environment in which different information systems are gathered together with users having to authenticate themselves to the registration center before permission to access these systems is granted. The concept of a smartcard-based multi-server authenticated key agreement protocol was proposed by Li et al. in 2001 [25]. However, the protocols proposed in [25] require heavy computing operations. In order to enhance protocol performance, other protocols based on different cryptosystems have been proposed recently [26–30]. However, none of these multi-server authentication protocols were based on a password until Lee et al. [31] first proposed a password-based multi-server authentication protocol without using a smartcard in 2008. The security strength of their protocol is based on the discrete logarithm problem; a symmetric cryptosystem and a one-way hash function were adopted to realize the design of their protocol. However, the protocol of Lee et al. [31] suffers from undetectable online password-guessing attack, server-spoofing attack, and impersonation attack plotted by legitimate users. Several enhanced protocols [32,33] have been proposed since then.

This paper first proposes a new password-based multi-server authenticated key agreement protocol based on chaotic maps. By adopting the trusted third party architecture, a registration center is introduced in our protocol. With the proposed authentication protocol, a user can access multiple servers using only one memorable password. A session key is constructed to encrypt and decrypt subsequent messages between the targeted server and a user after both sides have mutually authenticated each other. Based on the results of security analyses, the proposed protocol withstands well-known security threats such as password-guessing attack, replay attack, impersonation attack, and server-spoofing attack. Our protocol also has better performance efficiency in terms of computation cost in comparison with existing protocols.

2. CHEBYSHEV CHAOTIC MAPS

Let n be an integer and x a variable ranging in the interval [−1, 1]. The Chebyshev chaotic map is defined as

$T_n(x) = \cos(n \cdot \arccos(x))$ (1)

Based on its definition, the Chebyshev polynomial has the following recurrence relations.

$T_0(x) = 1;\quad T_1(x) = x;$
$T_{n+1}(x) = 2x\,T_n(x) - T_{n-1}(x),\quad \text{for } n \in \mathbb{N}$ (2)
1972 Security Comm. Networks 2015; 8:19711978 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
T. Jia-Lun and N.-W. Lo A multi-server authenticated key agreement protocol without smartcard
The Chebyshev polynomial possesses the following properties:

(1) Semi-group property:

$T_r(T_s(x)) = \cos(r \cdot \arccos(\cos(s \cdot \arccos x))) = \cos(rs \cdot \arccos x) = \cos(sr \cdot \arccos x) = T_{sr}(x) = T_s(T_r(x))$ (3)

Detailed operation flows for each phase are described as follows.

User registration: The entire user registration phase is mainly executed in the registration center RC. Before a user Ui can access any server in the targeted multi-server environment, the user first has to register with the registration center RC and become a legal user. To register with the registration center RC, the user Ui must send the identity IDi and the corresponding password PWi to RC via a secure channel. Upon receiving (IDi, PWi) from the user Ui, the registration center RC computes h(PWi) and then stores IDi and h(PWi) in its database.
Proof. In our protocol, only the authentic messages {h(h(PWi), IDi, SIDj) ⊕ Tr(x)} and {h(h(PWi), IDi, SIDj) ⊕ Tk(x), h(IDi, SIDj, C)} can be used to guess the user password PWi. Assume that an adversary A tries to guess the user password PWi from authentic messages generated by the user Ui using the off-line attack mechanism. The adversary A first randomly selects a password PWi and then computes and retrieves the guessed values of Tr(x) and Tk(x) from the authentic messages h(h(PWi), IDi, SIDj) ⊕ Tr(x) and h(h(PWi), IDi, SIDj) ⊕ Tk(x). However, the adversary A cannot verify whether his or her guessed password PWi is correct, because the adversary A cannot know the correct values of Tk(x), Tr(x), and C because of CCMDHP. In addition, the generated credential C = Tkr(x) in our protocol is based on the key agreement protocol of Diffie and Hellman, and therefore the value of C cannot be successfully guessed. Therefore, the proposed protocol withstands off-line password-guessing attacks.

Theorem 3. Our protocol defends against undetectable password-guessing attacks from the server side [35].

Proof. In a multi-server environment, the security threat of undetectable password-guessing attacks is more likely to occur at the server side, as servers usually possess crucial authentication information such as user passwords. In our protocol, a generated credential C = Tkr(x) is used to prevent the adversary from knowing the user password PWi during an authentication session. Assume that an adversary A compromises a legal server Sj and the adversary A disguises itself as a legal user Ui at the same time. The malicious server Sj randomly selects a user password PWi and then computes the value of h(h(PWi), IDi, SIDj) ⊕ Tr(x). Next, the malicious server Sj sends the message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)} to the registration center RC. Upon receiving the message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)}, the registration center RC retrieves Tr(x) from the received message and then computes the following values: h(h(PWi), IDi, SIDj) ⊕ Tk(x), h(IDi, SIDj, C), and C ⊕ h(Rj, x, IDi, z). Then, the registration center RC sends the messages {h(h(PWi), IDi, SIDj) ⊕ Tk(x), h(IDi, SIDj, C)} and {IDi, x, z, C ⊕ h(Rj, x, IDi, z)} to the user Ui (i.e., the adversary A) and the malicious server Sj, respectively. The adversary A retrieves the credential C = Tkr(x) from the partial message C ⊕ h(Rj, x, IDi, z). However, the adversary A cannot successfully retrieve the user password PWi from the messages h(h(PWi), IDi, SIDj) ⊕ Tr(x) and h(h(PWi), IDi, SIDj) ⊕ Tk(x) by using only this credential C, because the values of Tr(x) and Tk(x) cannot be derived from the credential C = Tkr(x) because of the Chaotic Maps Discrete Logarithm Problem. Therefore, our protocol is secure against undetectable password-guessing attacks from the server side.

Theorem 4. Our protocol is secure against server-spoofing attacks.

Proof. A server-spoofing attack means that an adversary A masquerades as a legal server Sj and successfully cheats on a user Ui and the registration center RC. However, in our protocol, the adversary A cannot plot this kind of attack successfully. Without the shared secret key Rj = h(SIDj, y) between the legal server Sj and the RC, the adversary A cannot retrieve the generated credential C = Trk(x) from the partial message C ⊕ h(Rj, x, IDi, z). Hence, the user Ui will detect that the communicating server, which is the adversary A, is not a legitimate one. In consequence, the user Ui will drop the current authentication session with the adversary A. In summary, the proposed protocol withstands server-spoofing attacks.

Theorem 5. Our protocol defends against registration-center-spoofing attacks.

Proof. Assume an adversary A masquerades as the registration center RC. Because the adversary A does not have the primary secret key y and all hashed user passwords, the false registration center cannot generate the correct secret keys Rj shared among servers and the genuine RC. Therefore, the adversary A cannot perform any RC operations correctly. In consequence, a successful communication session will not be established between the RC and users or between the RC and servers. Hence, no adversary can plot a registration-center-spoofing attack successfully.

Theorem 6. Our protocol withstands impersonation attacks.

Proof. In our protocol, an adversary A must know a user Ui's correct password PWi to log into a targeted server Sj as this legal user Ui. Without knowledge of the user password PWi, it is impossible for the adversary A to generate the login request message {IDi, SIDj, x, h(h(PWi), IDi, SIDj) ⊕ Tr(x)} to RC and the final response message {C ⊕ Tv(x), h(IDi, SIDj, C, Ts(x), Tv(x), SK)} to the targeted server Sj. Therefore, the proposed protocol is secure against impersonation attacks.

Theorem 7. Our protocol supports perfect forward secrecy.

Proof. Perfect forward secrecy means that even if the user passwords PWi and the primary secret key y for all servers are compromised by the adversary, session keys SKs still cannot be compromised by the adversary. In the proposed protocol, the session key SK = Tsv(x) is dynamically generated by two one-time random numbers s and v in each authentication session. These two one-time generated random numbers, v and s, are only held by the user Ui and the server Sj, respectively. Because of CCMDHP, the adversary cannot retrieve the values of v and s from the session key SK = Tsv(x). In other words, knowledge of the user passwords PWi and the primary secret key y for all servers does not enable the session key SK to be derived. Therefore, our protocol supports the property of perfect forward secrecy.
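As an added worked example (not code from the paper), the Chebyshev algebra that Section 2 and the proofs above rely on, in Python: T_n(x) by the closed form (1) and the recurrence (2), a check of the semi-group property (3), and the Diffie-Hellman-style step in which the user and the RC each obtain the same credential C = T_kr(x) from the published values T_r(x) and T_k(x) (the session key SK = T_sv(x) between user and server follows the same algebra). It uses the real-valued definition on [−1, 1] with floating point exactly as the paper defines it, so it illustrates the algebra only; the function names, tolerance and sample values are my own.

```python
import math

# Chebyshev polynomial T_n(x) = cos(n * arccos(x)) on x in [-1, 1], two ways.


def chebyshev_closed(n: int, x: float) -> float:
    """Closed form of equation (1): T_n(x) = cos(n * arccos(x))."""
    return math.cos(n * math.acos(x))


def chebyshev_recurrence(n: int, x: float) -> float:
    """Recurrence of equation (2): T_0 = 1, T_1 = x, T_{n+1} = 2x*T_n - T_{n-1}."""
    if n == 0:
        return 1.0
    t_prev, t_cur = 1.0, x          # T_0 and T_1
    for _ in range(1, n):           # advance from T_1 up to T_n
        t_prev, t_cur = t_cur, 2 * x * t_cur - t_prev
    return t_cur


def semigroup_holds(r: int, s: int, x: float, tol: float = 1e-9) -> bool:
    """Equation (3): T_r(T_s(x)) == T_{rs}(x) == T_s(T_r(x)), up to float rounding."""
    lhs = chebyshev_recurrence(r, chebyshev_recurrence(s, x))
    mid = chebyshev_recurrence(r * s, x)
    rhs = chebyshev_recurrence(s, chebyshev_recurrence(r, x))
    return abs(lhs - mid) < tol and abs(rhs - mid) < tol


def agree_credential(x: float, r: int, k: int) -> tuple[float, float]:
    """Credential step from the proofs: the user holds secret r and sends T_r(x);
    the RC holds secret k and sends T_k(x). Each side composes its own secret with
    the other's public value; by the semi-group property both get C = T_{kr}(x).
    Returns (C as computed by the user, C as computed by the RC)."""
    user_pub = chebyshev_recurrence(r, x)   # T_r(x), sent to RC (masked in the protocol)
    rc_pub = chebyshev_recurrence(k, x)     # T_k(x), sent to the user (masked)
    c_user = chebyshev_recurrence(r, rc_pub)   # T_r(T_k(x))
    c_rc = chebyshev_recurrence(k, user_pub)   # T_k(T_r(x))
    return c_user, c_rc


if __name__ == "__main__":
    x = 0.3                      # constructed public parameter in [-1, 1]
    r, k = 7, 11                 # constructed secret exponents (small for illustration)
    print("semi-group (3) holds:", semigroup_holds(r, k, x))
    c_user, c_rc = agree_credential(x, r, k)
    print("user C:", c_user, " RC C:", c_rc, " T_77(x):", chebyshev_closed(r * k, x))
```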
Table II. Comparison on computation cost.

        Lee et al. [31]      Yeh and Lo [32]      Tsai et al. [33]     Ours
E1      2Te + 5TS + Th       2Te + 5TS + 4Th      3Te + 4TS + 2Th      4Tc + 4Th
        ≈ 1013.5Th           ≈ 1016.5Th           ≈ 1512Th             ≈ 704Th
E2      2Te + 5TS + 2Th      2Te + 5TS + 2Th      2Te + 2TS + 3Th      2Tc + 3Th
        ≈ 1014.5Th           ≈ 1014.5Th           ≈ 1008Th             ≈ 353Th
E3      2Te + 5TS + 2Th      2Te + 2TS + Th       4Te + 4TS + Th       2Tc + 3Th
        ≈ 1014.5Th           ≈ 1006Th             ≈ 2011Th             ≈ 353Th
E4      6Te + 15TS + 5Th     6Te + 12TS + 7Th     9Te + 10TS + 6Th     8Tc + 10Th
        ≈ 3042.5Th           ≈ 3037Th             ≈ 4531Th             ≈ 1410Th

E1: the user computation cost in the mutual authentication phase; E2: the server computation cost in the mutual authentication phase; E3: the registration center computation cost in the mutual authentication phase; E4: the total computation cost in the mutual authentication phase.
Table III. Comparison on security features.

        Lee et al. [29]    Yeh and Lo [30]    Tsai et al. [31]    Ours
S1      DLP                DLP                DLP                 CMDLP
S2      Yes                Yes                Yes                 Yes
S3      Yes                No                 Yes                 Yes
S4      No                 No                 Yes                 Yes
S5      No                 Yes                Yes                 Yes
S6      Yes                Yes                Yes                 Yes
S7      No                 Yes                Yes                 Yes
S8      Yes                Yes                Yes                 Yes
S9      No                 No                 No                  No

S1: security strength; S2: resistance to replay attack; S3: resistance to off-line password-guessing attack; S4: resistance to undetectable password-guessing attack; S5: resistance to server-spoofing attack; S6: resistance to the registration center spoofing attack; S7: resistance to impersonation attack; S8: support of perfect forward secrecy; S9: implementation requirement for using a verification table or verification database.
CMDLP, Chaotic Maps Discrete Logarithm Problem.

5. COMPARISONS

In this section, we evaluate the computation cost of our protocol and then compare our protocol with existing protocols in terms of performance efficiency and security features. Because our protocol is the first authenticated key agreement protocol using chaotic maps for multi-server environments, we compare our protocol with other protocols based on different cryptosystems. Let Tm be the time to perform a modular multiplication computation, Te be the time to perform a modular exponentiation computation, Tc be the time to perform a Chebyshev polynomial operation, Th be the time to perform a one-way hash function operation, and TS be the time to perform a symmetric encryption/decryption operation. The time to perform a modular addition operation and the time for an exclusive OR operation are both ignored during our time consumption evaluation for the proposed protocol because both operations are very fast and their time consumptions are negligible in comparison with the other operation computations. The computation cost of our protocol is evaluated as follows. In the mutual authentication phase, a user needs to spend 4Tc + 4Th computation time, the server needs to spend 2Tc + 3Th computation time, and the registration center needs to spend 2Tc + 3Th computation time. Next, we conduct the comparisons on performance efficiency and security features among our protocol and other existing protocols as shown in Tables II and III.

According to the authors of [19,23,36–39], we can derive that the time spent for computing a Chebyshev polynomial operation Tc is approximately equivalent to executing a symmetric encryption/decryption operation TS 70 times. The time spent for computing a symmetric encryption/decryption operation TS is approximately equivalent to executing a one-way hash function Th 2.5 times, while the time spent for computing a modular exponentiation operation Te is approximately equivalent to executing a one-way hash function Th 500 times. Therefore, by using the consumed time of a one-way hash function operation Th as a unit, we can obtain the following time consumption estimations: Tc ≈ 70TS ≈ 175Th, TS ≈ 2.5Th, and Te ≈ 500Th. From Table II, one can observe that our protocol performs better than the other existing protocols in terms of computation cost. In addition, one can observe that only our protocol and the protocol of Tsai et al. [33] support all of the security features as shown in Table III. The other two password-based multi-server authentication protocols are vulnerable to several security threats. In summary, our proposed protocol is secure and efficient.

6. CONCLUSIONS

This paper proposes a new authenticated key agreement protocol based on chaotic maps for multi-server environments. By adopting our protocol, a user can log in and access multiple servers with only one memorable password if this user has registered with the registration center in advance. After mutual authentication with each other, a user and the targeted server cooperatively determine a session key to encrypt and decrypt all the subsequent messages transmitted between the user and the server. Security analyses are conducted to show that our protocol is able to defend against well-known security threats such as password-guessing attack, replay attack, and impersonation attack. In addition, the proposed protocol has better performance than existing protocols for multi-server environments in terms of computation cost.
29. Khan MK, He D. A new dynamic identity-based authentication protocol for multi-server environment using elliptic curve cryptography. Security and Communication Networks 2012; 5(11):1260–1266.
30. Yoon EJ, Yoo KY. Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. The Journal of Supercomputing 2013; 63(1):235–255.
31. Lee JS, Chang YF, Chang CC. A novel authentication protocol for multi-server architecture without smart cards. International Journal of Innovative Computing, Information and Control 2008; 4(6):1357–1364.
32. Yeh KH, Lo NW. A novel remote user authentication scheme for multi-server environment without using smart cards. International Journal of Innovative Computing, Information and Control 2010; 6(8):3467–3478.
33. Tsai JL, Lo NW, Wu TC. A new password-based multi-server authentication scheme robust to password guessing attacks. Wireless Personal Communications, Online First 2012. doi:10.1007/s11277-012-0918-6.
34. Pisarchik AN, Zanin M. Chaotic map cryptography and security. Horizons in Computer Science Research 2012; 4:301–332.
35. Ding Y, Horster P. Undetectable on-line password guessing attacks. ACM Operating Systems Review 1995; 29(4):77–86.
36. Menezes A, Van Oorschot PC, Vanstone S. Handbook of Applied Cryptography. CRC Press: Boca Raton, 1997.
37. Cheng TF, Lee JS, Chang CC. Security enhancement of an IC-card-based remote login mechanism. Computer Networks 2007; 51:2280–2287.
38. Tsai JL. Convertible multi-authenticated encryption scheme with one-way hash function. Computer Communications 2009; 32(5):783–786.
39. Fan CI, Sun WZ, Huang VSM. Provably secure randomized blind signature scheme based on bilinear pairing. Computers & Mathematics with Applications 2010; 60:285–293.