Xiong Li,Jianwei Niu,Saru Kumari,Muhammad Khurram Khan,Junguo Liao,Wei Liang

DOI: https://doi.org/10.1007/s11071-015-1937-0

IF: 5.741

2015-01-01

Nonlinear Dynamics

Abstract:An authenticated key agreement protocol is a protocol for information security over insecure networks. Due to the excellent properties of chaotic system, chaos-related cryptography has received a certain development, and recently, researchers have presented some three-party authenticated key agreement protocols based on the chaotic maps. Unfortunately, most of the chaotic maps-based key agreement protocols use a password to achieve the key agreement, and this leads to some security loopholes. First, the server has to store a sensitive password table, and it would be dangerous if the server was compromised or the password table was leaked. Besides, the low-entropy passwords are vulnerable to some password-related attacks, such as insider attack and password guessing attacks. In this paper, we design a communication- and computation-efficient chaotic maps-based three-party authenticated key agreement protocol without password and clock synchronization, and formally analyze the security using Burrows–Abadi–Needham logic. In addition to the formal analysis, we also prove that the presented protocol is free from most of the common attacks, and compare the performance and functionality with other related protocols. The result of the analysis and comparisons demonstrate that our protocol is more efficient and practical for real applications.

LI Xiong,WU Fan,LIAO Jun-guo,LIU Yu-zhen

DOI: https://doi.org/10.11959/j.issn.2096-109x.2016.00060

2016-01-01

Abstract:Chaotic map has been used in the design of key agreement protocol due to its excellent properties. In most of password three-party authenticated key agreement protocol based on chaotic map, the server needs to store a sensitive password table. It makes these protocols vulnerable to some password related attacks. Besides, it would be dangerous if the password table was leaked. To resolve the aforementioned problems, a new password three-party authenticated key agreement protocol based on chaotic maps was proposed. The server didn’t need to maintain a password table, so the proposed scheme was free from password related attack. Compared with other related proto-cols, the proposed protocol not only enhances the security, but also improves the efficiency greatly.

Nan Liu,Cheng Guo,Huan Zhang,Lifeng Yuan

DOI: https://doi.org/10.1049/ic.2014.0156

2014-01-01

Abstract:With the gradual research on authentication issues, many researchers began to apply chaotic maps. Chaos theory has many good properties. It can achieve fast computing, and the time of encryption and decryption can be shortened to ensure smooth communication. Meanwhile, smart card technology is becoming a more practical technology. It has capabilities of security, confidentiality and identification, and can complete simple encryption and decryption operations. Based on the property of chaotic maps and smart cards, we proposed an authenticated key agreement protocol. In our protocol, we reach the goal of creatively combining chaotic maps and smart cards. Using chaotic maps and smart cards simplify our protocol and decrease the communication overhead, also improve the security of the authentication process.

Debiao He,Yitao Chen,Jianhua Chen

DOI: https://doi.org/10.1007/s11071-012-0335-0

IF: 5.741

2012-01-01

Nonlinear Dynamics

Abstract:Very recently, Lee et al. (C. Lee, C. Chen, C. Wu, S. Huang, An extended chaotic maps-based key agreement protocol with user anonymity, Nonlinear Dynamics, doi: 10.1007/s11071-011-0247-4) proposed a chaotic maps-based key agreement protocol with user anonymity and claimed their protocol could resist various attacks. In this paper, we will point out that Lee et al.'s protocol suffers from three weaknesses: (1) inability of resisting the privileged insider attack; (2) inability of resisting the denial-of-service attack; and (3) inability of providing anonymity. To overcome the weaknesses, we also proposed an improved protocol. The analysis shows our protocol is more suitable for practical applications.

Xiong Li,Junguo Liao,Wei Liang,Jingqiang Zhao

DOI: https://doi.org/10.1007/978-3-319-48671-0_37

2016-01-01

Abstract:Chaotic maps have been used in the design of cryptosystem due to its excellent properties. Recently, researchers have proposed many authenticated key agreement protocols based on the chaotic maps. However, most of those protocols use the password to achieve the key agreement, and it will lead some security problems. First, the server has to store a sensitive verification table, and it is dangerous if the server has been compromised or the verification table was stolen. Besides, the low entropy passwords are vulnerable to some password related attacks, such as insider attack and password guessing attack. To resolve the aforementioned problems, this paper propose an extended chaotic maps based authenticated key agreement protocol without using password, where the server just needs to maintain a master secret key and the user just needs to hold a secret key, then they can achieve the key agreement. Compared with other related protocols, the proposed protocol not only keeps the efficiency, but also enhances the security. So, it is more suitable for client/server environment.

Kyong-Sok Pak,Mi-Hyang Kim,Song-Ho Pak,Chol-Man Ho

DOI: https://doi.org/10.1371/journal.pone.0273664

IF: 3.7

2022-09-16

PLoS ONE

Abstract:Three-party authentication key exchange is a protocol that allows two users to set up a session key for encrypted communication by the help of a trusted remote server. Providing user anonymity and mutual authentication in the authentication key exchange is important security requirements to protect users’ privacy and enhance its security performance. Recently Li proposed a chaotic maps-based authentication key exchange protocol which attempts to provide mutual authentication and user anonymity, but we found that there were some faults in the key exchange phase and password change phase of his scheme. We prove that Li’s scheme does not provide user anonymity and that the user’s privacy information is disclosed, and propose enhanced three-party authentication key exchange protocol that provides user anonymity and we analyse its security properties and verify its validity based on BAN logic and AVISPA tool.

multidisciplinary sciences

Shuming Qiu,Ding Wang,Guoai Xu,Saru Kumari

DOI: https://doi.org/10.1109/tdsc.2020.3022797

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Due to the limitations of symmetric-key techniques, authentication and key agreement (AKA) protocols based on public-key techniques have attracted much attention, providing secure access and communication mechanism for various application environments. Among these public-key techniques used for AKA protocols, chaotic-map is more effective than scalar multiplication and modular exponentiation, and it offers a list of desirable cryptographic properties such as un-predictability, un-repeatability, un-certainty, and higher efficiency than scalar multiplication and modular exponentiation. Furthermore, it is usually believed that three-factor AKA protocols can achieve a higher security level than single- and two-factor protocols. However, none of existing three-factor AKA protocols can meet all security requirements. One of the most prevalent problems is how to balance security and usability, and particularly how to achieve truly three-factor security while providing password change friendliness. To deal with this problem, in this article we put forward a provably secure three-factor AKA protocol based on extended chaotic-maps for mobile lightweight devices, by adopting the techniques of "Fuzzy-Verifiers" and "Honeywords". We prove the security of the proposed protocol in the random oracle model, assuming the intractability of extended chaotic-maps Computational Diffie-Hellman problem. We also simulate the protocol by using the AVISPA tool. The security analysis and simulation results show that our protocol can meet all 13 evaluation criteria regarding security. We also assess the performance of our protocol by comparing with seven other related protocols. The evaluation results demonstrate that our protocol offers better balance between security and usability over state-of-the-art ones.

computer science, information systems, software engineering, hardware & architecture

Yu Liu,Kaiping Xue

DOI: https://doi.org/10.1007/s11071-015-2506-2

IF: 5.741

2015-01-01

Nonlinear Dynamics

Abstract:Recently, chaos has been treated as a good way to reduce computational complexity while satisfying security requirements of a key agreement protocol. Guo and Zhang (Inf Sci 180(20):4069–4074, 2010 ) proposed an chaotic public-key cryptosystem-based key agreement protocol. Lee (Inf Sci 290:63–71, 2015 ) has proved that Guo et al.’s scheme cannot resist off-line password guess attack. In this paper, we furtherly demonstrate Guo et al.’s scheme has redundancy in protocol design and still has some security flaws. Furthermore, we present an improved secure password and chaos-based two-party key agreement protocol, which can solve the security threats of replay and denial-of-service attacks. Meanwhile, we simplify the protocol steps to reduce redundancy in protocol design. From security and performance analysis, our proposed protocol can resist the security flaws in related works, and it has less communication overhead and computational complexity.

Kaiping Xue,Peilin Hong

DOI: https://doi.org/10.1016/j.cnsns.2011.11.025

IF: 4.186

2012-01-01

Communications in Nonlinear Science and Numerical Simulation

Abstract:In 2009, Tseng et al. proposed a password sharing and chaotic map based key agreement protocol (Tseng et al.’s protocol). They claimed that the protocol provided mutual authentication between a server and a user, and allowed the user to anonymously interact with the server to establish a shared session key. However, in 2011, Niu et al. have proved that Tseng et al.’s protocol cannot guarantee user anonymity and protocol security when there is an internal adversary who is a legitimate user. Also it cannot provide perfect forward secrecy. Then Niu et al. introduced a trust third party (TTP) into their protocol designing (Niu et al.’s protocol). But according to our research, Niu et al.’s protocol is found to have several unsatisfactory drawbacks. Based on reconsidering Tseng et al.’s protocol without introducing TTP, we give some improvements to meet the original security and performance requirements. Meanwhile our proposed protocol overcomes the security flaws of Tseng et al.’s protocol.

Kyongsok Pak,Songho Pak,Cholman Ho,Myongsuk Pak,Choljin Hwang

DOI: https://doi.org/10.1371/journal.pone.0213976

IF: 3.7

2019-03-20

PLoS ONE

Abstract:Three-party authentication key exchange (3PAKE) is a protocol that allows two users to set up a common session key with the help of a trusted remote server, which is effective for secret communication between clients in a large-scale network environment. Since chaotic maps have superior characteristics, researchers have recently presented some of the studies that apply it to authentication key exchange and cryptography. Providing user anonymity in the authentication key exchange is one of the important security requirements to protect users' personal secrets. We analyse Lu et al.'s scheme which attempts to provide user anonymity and we prove that his scheme has errors in the key exchange phase and password change phase. We propose a round-effective three-party authentication key exchange (3PAKE) protocol that provides user anonymity and we analyse its security properties based on BAN logic and AVISPA tool.

Jiao Zhang,Yong He,Yu-Zhen Liu,Xiong Li

2015-01-01

Abstract:Identity authentication protocol is an important type of protocols for information security protection. Recently, Lee et al. pointed out the security flaws of a multi-server user authentication protocol with key agreement which is presented by Tsaur et al., and they further proposed an extended chaotic maps-based user authentication protocol for multi-server. However, we observed that Lee et al.'s protocol has some functionality and security flaws. In this paper, the cryptanalysis of Lee et al.'s authentication protocol was pointed out, and it was found inefficient in the detection of unauthorized login and did not support password change. Besides, their protocol is pointed out vulnerable to registration center spoofing attack and server spoofing attack.

Saru Kumari,Xiong Li,Fan Wu,Ashok Kumar Das,Hamed Arshad,Muhammad Khurram Khan

DOI: https://doi.org/10.1016/j.future.2016.04.016

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:Spread of wireless network technology has opened new doors to utilize sensor technology in various areas via Wireless Sensor Networks (WSNs). Many authentication protocols for among the service seeker users, sensing component sensor nodes (SNs) and the service provider base-station or gateway node (GWN) are available to realize services from WSNs efficiently and without any fear of deceit. Recently, Li et al. and He et al. independently proposed mutual authentication and key agreement schemes for WSNs. We find that both the schemes achieve mutual authentication, establish session key and resist many known attacks but still have security weaknesses. We show the applicability of stolen verifier, user impersonation, password guessing and smart card loss attacks on Li et al.’s scheme. Although their scheme employs the feature of dynamic identity, an attacker can reveal and guess the identity of a registered user. We demonstrate the susceptibility of He et al.’s scheme to password guessing attack. In both the schemes, the security of the session key established between user and SNs is imperfect due to lack of forward secrecy and session-specific temporary information leakage attack. In addition both the schemes impose extra computational load on resource scanty sensor-nodes and are not user friendly due to absence of user anonymity and lack of password change facility. To handle these drawbacks, we design a mutual authentication and key agreement scheme for WSN using chaotic maps. To the best of our knowledge, we are the first to propose an authentication scheme for WSN based on chaotic maps. We show the superiority of the proposed scheme over its predecessor schemes by means of detailed security analysis and comparative evaluation. We also formally analyze our scheme using BAN logic.

Xiong Li,Jianwei Niu,Saru Kumari,SK Hafizul Islam,Fan Wu,Muhammad Khurram Khan,Ashok Kumar Das

DOI: https://doi.org/10.1007/s11042-017-4390-x

IF: 2.017

2014-01-01

Wireless Personal Communications

Abstract:The widespread popularity of the computer networks has triggered concerns about information security. Password-based user authentication with key agreement protocols have drawn attentions since it provides proper authentication of a user before granting access right to services, and then ensure secure communication over insecure channels. Recently, Lee et al. pointed out different security flaws on Tsaur et al.'s multi-server user authentication protocol, and they further proposed an extended chaotic maps-based user authentication with key agreement protocol for multi-server environments. However, we observed that Lee et al.'s protocol has some functionality and security flaws, i.e., it is inefficient in detection of unauthorized login and it does not support password change mechanism. Besides, their protocol is vulnerable to registration center spoofing attack and server spoofing attack. In order to remedy the aforementioned flaws, we proposed a novel chaotic maps-based user authentication with key agreement protocol for multi-server environments. The proposed protocol is provably secure in the random oracle model under the chaotic-maps based computational Diffie-Hellman assumption. In addition, we analyzed our protocol using BAN logic model. We also compared our protocol with Lee et al.'s protocol in aspects of computation cost, functionalities and securities.

Tong Tong,Jianhua Chen

DOI: https://doi.org/10.3969/j.issn.1001-3695.2017.08.046

2017-01-01

Abstract:When people transfer accounts or shop online using their mobile device, it needs authenticated scheme to protect the security.Recently, Zhu Hongfeng proposed a chaotic maps based authenticated scheme.This paper pointed out that Zhu''s scheme was suffered from user impersonation attack, off-line dictionary attack and ID-theft attack.Moreover, this scheme had design flaws in login phase and password change phase.In order to overcome these flaws, this paper proposed an improved chaotic maps based mobile authenticated scheme.Furthermore, it certufued the proposed scheme by BAN logic.According to the comparison with other schemes and simulation results, the proposed scheme is more secure and efficient than other schemes.

Dharminder Dharminder,Uddeshaya Kumar,Pratik Gupta

DOI: https://doi.org/10.1007/s40747-021-00441-7

Abstract:The outbreak of coronavirus has caused widespread global havoc, and the implementation of lockdown to contain the spread of the virus has caused increased levels of online healthcare services. Upgraded network technology gives birth to a new interface "telecare medicine information systems" in short TMIS. In this system, a user from a remote area and a server located at the hospital can establish a connection to share the necessary information between them. But, it is very clear that all the information is always being transmitted over a public channel. Chaotic map possesses a dynamic structure and it plays a very important role in the construction of a secure and efficient authentication protocols, but they are generally found vulnerable to identity-guess, password-guess, impersonation, and stolen smart-card. We have analyzed (Li et al. in Fut Gen Comput Syst 840:149-159, 2018; Madhusudhan and Nayak Chaitanya in A robust authentication scheme for telecare medical information systems, 2008; Zhang et al in Privacy protection for telecare medicine information systems using a chaotic map-based three-factor authenticated key agreement scheme, 2017; Dharminder and Gupta in Pratik security analysis and application of Chebyshev Chaotic map in the authentication protocols, 2019) and found that Bergamo's attack (IEEE Trans Circ Syst 52(7):1382-1393, 2005) cannot be resisted by the protocol. Although few of the protocols ensures efficient computations but they cannot ensure an anonymous and secure communication. Therefore, we have proposed a secure and efficient chaotic map based authentication protocol that can be used in telecare medicine information system. This protocol supports verified session keys with only two messages of exchange. Moreover, we have analysed the performance of proposed protocol with relevant protocols and it is being implemented in "Automated Validation of Internet Security Protocols and Applications" respectively.

Azeem Irshad,Shehzad Ashraf Chaudhry,Qi Xie,Xiong Li,Mohammad Sabzinejad Farash,Saru Kumari,Fan Wu

DOI: https://doi.org/10.1007/s11042-016-4236-y

IF: 2.807

2017-01-01

Arabian Journal for Science and Engineering

Abstract:Multi-Server Authentication (MSA) provides the user an efficient way to avail multiple services of various multimedia service providers, once after getting registered from a registration centre. Previously, a user had to register all servers individually to use their respective service; which proves to be a redundant and inefficient procedure in comparison with MSA. Many MSA-based techniques have been put forward by researchers, so far, however with proven pitfalls. In the last few years, the focus has been shifted towards a more flexible and efficient Chebyshev cryptographic technique. In this regard, recently Tan’s scheme presented a chaotic map based multi-server authentication scheme with a focus on login scalability. Nonetheless, Tan’s scheme has been found vulnerable to insider (impersonation attack) and stolen smart card attacks. Besides, the Tan’s scheme fails to differentiate the login requests between the two presented cases. The current study work is based on improving the Tan’s technique in terms of security in almost an equivalent cost. The security for proposed work is evaluated in the performance evaluation section, while it shows that the security is provable under formal security model, as well as using BAN Logic.

Fan Wu,Lili Xu,Saru Kumari,Xiong Li,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1002/sec.1305

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Nowadays, smart-card-based user authentication becomes one of the most important security issues. But many schemes of that kind are under different attacks. Recently, Kumari et al. pointed that Chen et al.'s scheme and Li et al.'s scheme with the smart card were not secure. They proposed two improved schemes. Unfortunately, we find that the two schemes are not secure. The first scheme of Kumari et al. is under the de-synchronization attack and lacks strong forward security. The second has the weaknesses including no user anonymity and password leaking. Also, it cannot withstand the user-impersonation attack. We present a new scheme also based on the smart card overcoming common disadvantages and give a formal proof. We also use the tool ProVerif to verify the security of our scheme. Compared with some recent schemes, our scheme performs well, and it is fit for network applications. Copyright (C) 2015 John Wiley & Sons, Ltd.

Dheerendra Mishra

DOI: https://doi.org/10.48550/arXiv.1401.4790

2014-01-20

Abstract:Advancement in communication technology provides a scalable platform for various services where a remote user can access the server from anywhere without moving from its place. It has provided a unique opportunity for online services, such that the user need not physically present at the service center. These services adopt authentication and key agreement protocols to ensure authorized and secure access to resources. Most of the authentication schemes support single server environment where the user has to register with each server. If a user wishes to access multiple application servers, he requires to register with each of the servers. Although multi-server authentication schemes introduced a scalable platform such that a user can interact with any server using single registration. Recently, Chuang and Chen proposed an efficient multi-server authenticated key agreement scheme based on smart cards along with password and biometrics. This is a lightweight authentication scheme which requires the computation of only hash function. In this article, we present a brief review of Chuang and Chen's scheme. We analyze Chuang and Chen's scheme and identify that their scheme does not resist stolen smart card attack which causes the user's impersonation attack, server spoofing attack and man-in-the middle attack. Additionally, we show that their scheme has a weak key agreement protocol, which does not ensure forward secrecy.

Cryptography and Security

Wenting Li,Ping Wang

DOI: https://doi.org/10.1109/CSCloud/EdgeCom.2019.000-2

2019-01-01

Abstract:Nowadays, Edge Computing plays an important role in today's constantly increasing data-demanding services such as healthcare and augmented reality. To facilitate external users to enjoy remote data directly and securely from such kinds of environments, user authentication constitutes the most prevailing access control mechanism. Over the past decades, considerable efforts have been devoted to proposing secure and usable two-factor authentication schemes by making use of chaotic maps, yet most of the existing schemes are far from practical. In this work, we make an attempt towards improving this undesirable situation by reviewing two representative schemes presented by Kumari et al. and Li et al. and providing reasonable solving methods. We find that Kumari et al.'s scheme is confronted with verifier table issue, also cannot withstand smart card loss attack, impersonation attack and Li et al.'s scheme fails to realize the imperative goal of truly two-factor security and forward secrecy. Finally, we present some reasonable fixes for these identified weaknesses.

Chun‐Ta Li,Chun-Ta Li

DOI: https://doi.org/10.1002/sec.1487

IF: 1.968

2016-03-11

Security and Communication Networks

Abstract:Abstract A multi‐server environment helps the users to register at the registration center once and can gain numerous network services and resources provided by remote application servers. In order to protect sensitive data from unauthorized disclosure, to authenticate the identities of network participants, and to preserve user anonymity, many chaotic maps‐based multi‐server authenticated key agreement schemes with user anonymity were proposed. Recently, Zhu proposed a provable privacy‐protection system towards multi‐server architecture, and the main contributions of their proposed system are achieving mutual authentication between network participants and ensuring the anonymity or hiding identities for the login users. However, we analyze the security of Zhu's scheme and show that it is vulnerable to privileged‐insider attack and does not protect user anonymity. We also demonstrate that Zhu's scheme fails to provide mutual authentication between login user and application server and has a design flaw in anonymous authentication. To withstand these security drawbacks, we further design an improved chaotic maps‐based privacy‐protection scheme for multi‐server environments. In comparison with the existing chaotic maps‐based privacy‐protection schemes, our proposed scheme is more secure with acceptable computation costs for multi‐server environments. Copyright © 2016 John Wiley & Sons, Ltd.

computer science, information systems,telecommunications