Open Access

A security-enhanced key agreement protocol based on chaotic maps

Authors

Tzung-Her Chen, Department of Computer Science and Information Engineering, National Chiayi University, Chiayi City, Taiwan 60004.

E-mail: thchen@mail.ncyu.edu.tw

ABSTRACT

Recently, Tseng et al. proposed a novel key agreement protocol based on chaotic maps. They claimed that their protocol achieves session key agreement between the server and users with user anonymity and security. Although Niu and Wang proposed a new improvement, their scheme involves an additional participant, a trusted party, so that the system cost rises considerably. To inherit the superiority of the scheme of Tseng et al. but remove its security weaknesses, it is worthwhile to point out the kernel of the drawback in the scheme of Tseng et al. and, further, to propose a security-enhanced scheme that overcomes the drawback with slight modifications. Copyright © 2012 John Wiley & Sons, Ltd.

1 INTRODUCTION

With the rapid advancement of network communication, more and more people are accustomed to transmitting information via the Internet. Because a great amount of private information is transported over public channels, information security issues are attracting much attention. Key agreement protocols are designed to provide two or more specified parties communicating over public channels with a common shared secret key, which may subsequently be used to protect the information exchanged among the communicating parties. Therefore, building secure key agreement protocols over open networks is essential in information security.

Many practical key agreement systems have been proposed in the literature. The first and most famous key agreement protocol is the Diffie–Hellman key agreement protocol [1]. It is well known that the Diffie–Hellman protocol does not provide authentication of the communicating parties and is vulnerable to man-in-the-middle attacks. Because of this, a variety of secure key agreement protocols have continuously been proposed to prevent man-in-the-middle and related attacks.

Chaos is a well-defined, universal, random-like and robust phenomenon in nonlinear systems. Chaotic systems are characterized by unpredictability and by sensitivity to parameters and initial conditions. For example, the Chebyshev chaotic map [2], with its semi-group property and chaotic property, has been adopted in References [3-5]. As these properties meet some essential requirements of cryptography, chaos has recently become a promising candidate in the field of cryptography. In the past decade, chaos-based security protocols [3-6, 8, 9] have thus become a candidate class of cryptosystems alongside discrete-logarithm-based and factoring-based ones.

Since the 1990s, some chaotic systems have been adopted to design and analyze secure communication protocols. The main approaches introducing chaotic systems to design communication protocols can be categorized into two main categories: analog ones and discrete digital ones. The former is based on the chaos synchronization using chaotic circuits, whereas the latter is designed for the digital computer with finite computing precision to generate chaotic ciphers.

Kocarev and Tasev [3] proposed a public key encryption protocol, which utilizes the semi-group property of Chebyshev chaotic map. Because of the periodicity of cosine function, an adversary can efficiently recover the plaintext from a given ciphertext without any private key; hence, Bergamo et al. [6] pointed out that the protocol of Kocarev et al. is not secure. Later, Xiao et al. [4] utilized chaotic maps to design a new key agreement protocol. Soon Han [7] proved that the protocol of Xiao et al. is still not secure.

Even though the aforementioned works improve the security of key agreement protocols based on chaotic maps, these protocols still do not protect the users' identities while establishing a shared secret session key. To protect user anonymity, Tseng et al. [8] proposed a novel key agreement protocol based on the Chebyshev chaotic map and claimed that their protocol possesses the following three merits: (i) mutual authentication between the server and the user; (ii) user identity anonymity while agreeing on session keys with the server; and (iii) session keys generated for protecting the subsequent communications.

In 2011, Niu and Wang [9] presented a cryptanalysis of the scheme of Tseng et al. and proposed a new improvement. Unfortunately, Niu and Wang's scheme introduces a new participant, a trusted party, so that the system cost rises considerably.

To inherit the superiority of the scheme of Tseng et al. but remove the security weaknesses, it is worthwhile to point out the kernel of drawbacks in the scheme of Tseng et al. and, further, propose a security-enhanced scheme overcoming the security weaknesses by slight modifications without involving the heavy cost of introducing the trusted third party.

The remainder of this paper is organized as follows. Section 2 gives a brief review of the scheme of Tseng et al. and describes the security problem of the scheme of Tseng et al. The proposed protocol is presented in Section 3, and its security analysis is demonstrated in Section 4. Finally, the conclusions are drawn in Section 5.

2 BRIEF REVIEW OF THE SCHEME OF TSENG ET AL. AND SECURITY ANALYSIS

This section first briefly illustrates the scheme of Tseng et al. and then demonstrates the security concern. All the notations used in this paper are described in Table 1.

Table 1. The notations used in this paper.

Notation      Definition
Ui            Some user i
IDs, IDi      The identities of the server and user i
PWi           A password decided by user i
Ks            The private key of the server
Tn(x)         The Chebyshev polynomial in x of degree n
sn            A session number
N, v          Nonces
H(⋅)          A one-way hash function based on chaotic maps
E(⋅)          A symmetric key encryption function
D(⋅)          A symmetric key decryption function
SKi           The finally established session key between the server and user i
⊕             The exclusive-or operation
B             An inside attacker
pi, pi'       A one-time pad and a new one-time pad for updating

2.1 Review of the key agreement protocol of Tseng et al. with user anonymity

Initially, the server publishes the system parameters, including the Chebyshev polynomials, E(⋅), D(⋅) and H(⋅) [8]. Suppose a new user Ui with identity IDi intends to communicate with the server to establish session keys SKi. Ui randomly chooses his password PWi and sends the pair (IDi, H(PWi)) to the server via an existing secure channel. Upon receiving the message, the server concatenates IDi and H(PWi) from left to right as the pending message and applies the one-way hash function H(⋅) to compute H(IDi, H(PWi)). Then the server computes Regi = H(IDi, H(PWi)) ⊕ H(Ks), where Ks denotes the server's long-term private key. Subsequently, the server returns Regi to Ui through a secure channel. Ui keeps Regi secret.

The key agreement protocol of Tseng et al. goes on as follows.

  1. Ui → Server : {sn, Ri, C1}

    Ui performs the following operations.

    • 1.1 Choose three random numbers ri, r and v, where ri ∈ [−1, 1] is the seed x of the Chebyshev polynomial of degree r and v is a nonce.
    • 1.2 Compute the pair (Ri, Ki), where Ri = Regi ⊕ H(v) and Ki = H(IDi, H(PWi)) ⊕ H(v).
    • 1.3 Encrypt IDi, ri and Tr(x) with Ki, that is, math formula.
    • 1.4 Transmit sn, Ri and C1 to the server, where sn is the session number.
  2. Server → Ui : {sn, IDs, C2, AUs}

    Upon receiving the message, the server performs the following operations.

    • 2.1 Compute Ki = Ri ⊕ H(Ks), and extract IDi, ri and Tr(x) from C1 with Ki.
    • 2.2 Check the validity of IDi, and then choose two random numbers s and rt, where s is the degree of the Chebyshev polynomial and rt is a nonce.
    • 2.3 Compute the pair (C2, SKi) by math formula and SKi = Ts(Tr(x)) = Trs(x).
    • 2.4 Generate the authentication value AUs = H(IDi, ri, rt, SKi) and send sn, IDs, C2 and AUs back to Ui.
  3. Ui → Server : {sn, AUi}

    After receiving the message, Ui performs the following operations.

    • 3.1 Extract IDs, rt and Ts(x) from C2 with Ki.
    • 3.2 Compute the pair (SKi, AUs') by SKi = Tr(Ts(x)) = Trs(x) and AUs' = H(IDi, ri, rt, SKi).
    • 3.3 Check whether AUs and AUs' are equal. If so, the identity of the server is authenticated.
    • 3.4 Compute AUi = H(IDs, ri, rt, SKi).
    • 3.5 Send sn and AUi back to the server.
  4. After receiving sn and AUi, the server computes AUi' = H(IDs, ri, rt, SKi). Then the server checks whether AUi and AUi' are equal. If so, the identity of Ui is authenticated.

After both mutual authentication and key agreement between Ui and the server are achieved, SKi is used as a shared session key for the subsequent communication.

The flow of the key agreement protocol of Tseng et al. is shown in Figure 1.

Figure 1. Key agreement protocol of Tseng et al.

2.2 Security concern of the scheme of Tseng et al.

If the attacker is an inside user, the scheme of Tseng et al. guarantees neither user anonymity nor security. Five security problems are found; the last two of them have already been pointed out by Niu and Wang [9].

  1. Password guessing attack

    Because the server is assumed not to be trusted, the server or the server administrator can potentially deduce the user's password. In the registration phase, Ui is asked to send (IDi, H(PWi)) to the server. It is feasible for the server to guess PWi by the well-known dictionary attack. Then, user impersonation by the server is possible.

  2. User impersonation by insider users

    Tseng et al. claimed that the parameter H(Ks), used to authenticate users, is the security kernel, which must be known only to the server. Unfortunately, this is not true. An inside attacker B is able to use his RegB to compute H(Ks) = RegB ⊕ H(IDB, H(PWB)). If B intends to impersonate Ui, he first computes y = Regi ⊕ H(Ks) = H(IDi, H(PWi)). Then, he computes math formula, math formula and math formula. Upon receiving math formula, the server is fooled into deducing math formula and extracting math formula from math formula with math formula.

  3. Server impersonation by inside users

    It is intuitive that server impersonation attacks are possible. Because each user knows H(Ks), he can impersonate the server to cheat the other users.

  4. Failure of user anonymity

    An inside attacker B can obtain H(Ks) by computing H(Ks) = RegB ⊕ H(IDB, H(PWB)). If B intercepts another user's message, namely {sn, Ri, C1} from Ui, he can compute Ki = Ri ⊕ H(Ks) and decrypt math formula to obtain IDi. Then B knows who is performing the key agreement protocol with the server.

  5. Failure of secret communication

    Because the attacker B can obtain the shared session key between the server and Ui, the security of secret communication is problematic.

Although Niu and Wang proposed another key agreement scheme with anonymity, their scheme belongs to the class of three-party key agreement schemes such as Reference [10]. This implies the heavy cost of establishing an environment in which the trusted third party is online. Furthermore, Niu and Wang's scheme also bears the burden of secret key management, because the trusted third party must maintain a security-sensitive database of all secret keys in the system. The scheme of Tseng et al. avoided this management burden by adopting user-friendly passwords. Therefore, it is worthwhile to inherit the superiority of the scheme of Tseng et al. while enhancing its security.

3 PROPOSED PROTOCOL

With the consideration of the security weaknesses found in the scheme of Tseng et al., a security-enhanced protocol is proposed in this section.

3.1 Registration phase

First, Ui randomly chooses his easy-to-remember password PWi and sends the pair (IDi, H(PWi||N)) to the server, where N is a nonce kept secret by Ui. After receiving the pair, the server computes H(IDi, H(PWi||N)) and H(Ks||pi), where Ks is the server's long-term private key and pi is a one-time pad. Then the server computes Regi = H(IDi, H(PWi||N)) ⊕ H(Ks||pi). Note that N, Regi and pi are stored on Ui's smart card.

3.2 Key agreement phase

  1. Ui → Server : {sn, Ri, C1, pi}

    Ui performs the following operations.

    • 1.1 Choose random numbers ri, r, v and pi', where ri ∈ [−1, 1] is the seed x of the Chebyshev polynomial of degree r, v is a nonce and pi' is a one-time pad for updating Regi later.
    • 1.2 Compute the pair (Ri, Ki), where Ri = Regi ⊕ H(v) and Ki = H(IDi, H(PWi||N)) ⊕ H(v).
    • 1.3 Encrypt IDi, ri and Tr(x) with Ki, that is, math formula.
    • 1.4 Transmit sn, Ri, C1 and pi to the server, where sn is the session identity.
  2. Server → Ui : {sn, IDs, C2, AUs}

    Upon receiving the message, the server performs the following operations.

    • 2.1 Compute Ki = Ri ⊕ H(Ks||pi), and extract IDi, ri, Tr(x) and pi' from C1 with Ki.
    • 2.2 Check the validity of IDi, and then choose two random numbers s and rt, where s is the degree of the Chebyshev polynomial and rt is a nonce.
    • 2.3 Compute the pair (C2, SKi) by math formula and SKi = Ts(Tr(x)) = Trs(x).
    • 2.4 Generate the authentication value AUs = H(sn, IDi, IDs, C2, ri, rt, SKi) and send sn, IDs, C2 and AUs back to Ui.
    • 2.5 Update pi with pi' for IDi.
  3. Ui → Server : {sn, AUi}

    After receiving the message, Ui performs the following operations.

    • 3.1 Extract IDs, rt, Ts(x) and H(Ks||pi') from C2 with Ki.
    • 3.2 Compute the pair (SKi, AUs') by SKi = Tr(Ts(x)) = Trs(x) and math formula.
    • 3.3 Check whether AUs and AUs' are equal. If so, the received message and the identity of the server are authenticated.
    • 3.4 Compute AUi = H(sn, IDs, IDi, rt, ri, SKi).
    • 3.5 Update Regi by Regi' = H(IDi, H(PWi||N)) ⊕ H(Ks||pi').
    • 3.6 Send sn and AUi back to the server.
  4. After receiving sn and AUi, the server computes math formula. Then the server checks whether AUi and AUi' are equal. If so, the received message and the identity of Ui are authenticated.

After mutual authentication and key agreement, SKi is used as the shared session key between Ui and the server. Note that the updated Regi' will be used in the next run of the key agreement protocol for a new communication between Ui and the server. In this way, Regi' is used only once.
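The registration and key agreement phases above, and the insider scenario of Section 2.2 (item 4), as an added, constructed Python simulation that is not the paper's own code. It assumes a modular Chebyshev map over a constructed prime P in place of the paper's real-valued seed in [−1, 1], SHA-256 for H(⋅), and an IV plus SHAKE-256 keystream as a stand-in for E(⋅)/D(⋅); the Server and User classes, their step methods and insider_learns_identity are names chosen here.

```python
"""Constructed simulation of Sections 3.1-3.2 (not the paper's code). Assumptions: T_n(x) is taken modulo a
prime P so T_r(T_s(x)) = T_rs(x) holds exactly; E()/D() are an IV + SHAKE-256 keystream stand-in over JSON."""
import hashlib, json, secrets
P = 2**127 - 1   # constructed modulus

def cheb(n, x):  # T_n(x) mod P: square-and-multiply on M = [[2x,-1],[1,0]] applied to (T_0, T_-1) = (1, x)
    mul = lambda A, B: tuple(tuple(sum(A[i][k] * B[k][j] for k in range(2)) % P
                                   for j in range(2)) for i in range(2))
    R, M = ((1, 0), (0, 1)), ((2 * x % P, P - 1), (1, 0))
    while n:
        if n & 1: R = mul(R, M)
        M, n = mul(M, M), n >> 1
    return (R[0][0] + R[0][1] * x) % P

def H(*parts):  # H(.): SHA-256 over the concatenated arguments
    return hashlib.sha256(b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def E(key, *fields):  # E(.) stand-in: random IV + SHAKE-256 keystream over the JSON-encoded fields
    pt, iv = json.dumps(list(fields)).encode(), secrets.token_bytes(16)
    return (iv + xor(pt, hashlib.shake_256(key + iv).digest(len(pt)))).hex()
def D(key, ct):  # D(.) stand-in; json.loads fails under a wrong key
    iv, ct = bytes.fromhex(ct[:32]), bytes.fromhex(ct[32:])
    return json.loads(xor(ct, hashlib.shake_256(key + iv).digest(len(ct))))

class Server:
    def __init__(self, IDs):
        self.IDs, self.Ks, self.pads = IDs, secrets.token_hex(32), {}       # pads: IDi -> current pi
    def register(self, IDi, hpw):  # receives (IDi, H(PWi||N)) over the secure channel
        pi = self.pads[IDi] = secrets.token_hex(16)
        return xor(H(IDi, hpw), H(self.Ks + pi)), pi                         # Regi and pi for the smart card
    def step2(self, sn, Ri, C1, pi):
        Ki = xor(Ri, H(self.Ks + pi))                                        # 2.1
        IDi, ri, Trx, pi_new = D(Ki, C1)
        if self.pads.get(IDi) != pi: raise ValueError("unknown user or stale one-time pad")   # 2.2
        s, rt = secrets.randbelow(P - 2) + 2, secrets.token_hex(16)
        Tsx, SK = cheb(s, ri), cheb(s, Trx)                                  # 2.3: SKi = Ts(Tr(x))
        C2 = E(Ki, self.IDs, rt, Tsx, H(self.Ks + pi_new).hex())
        AUs = H(sn, IDi, self.IDs, C2, ri, rt, SK)                           # 2.4
        self.pads[IDi], self.pending = pi_new, (sn, IDi, ri, rt, SK)         # 2.5
        return sn, self.IDs, C2, AUs
    def step4(self, sn, AUi):
        sn0, IDi, ri, rt, SK = self.pending
        return SK if sn == sn0 and AUi == H(sn, self.IDs, IDi, rt, ri, SK) else None

class User:
    def __init__(self, IDi, PWi, server):
        self.IDi, self.N = IDi, secrets.token_hex(16)                        # N never leaves the user
        self.hpw = H(PWi + self.N)                                           # H(PWi||N)
        self.Reg, self.pi = server.register(IDi, self.hpw)                   # smart-card contents
    def step1(self, sn):
        ri, r, v, pi_new = secrets.randbelow(P), secrets.randbelow(P - 2) + 2, secrets.token_hex(16), secrets.token_hex(16)  # 1.1
        Ri, Ki = xor(self.Reg, H(v)), xor(H(self.IDi, self.hpw), H(v))       # 1.2
        C1 = E(Ki, self.IDi, ri, cheb(r, ri), pi_new)                        # 1.3
        self.state = (sn, r, ri, Ki, pi_new)
        return sn, Ri, C1, self.pi                                           # 1.4
    def step3(self, sn, IDs, C2, AUs):
        sn0, r, ri, Ki, pi_new = self.state
        _, rt, Tsx, HKs_new = D(Ki, C2)                                      # 3.1
        SK = cheb(r, Tsx)                                                    # 3.2: SKi = Tr(Ts(x))
        if sn != sn0 or AUs != H(sn, self.IDi, IDs, C2, ri, rt, SK):         # 3.3
            raise ValueError("server authentication failed")
        self.Reg, self.pi, self.SK = xor(H(self.IDi, self.hpw), bytes.fromhex(HKs_new)), pi_new, SK  # 3.5
        return sn, H(sn, IDs, self.IDi, rt, ri, SK)                          # 3.4 and 3.6

def insider_learns_identity(insider, victim):  # Proposition 4 probe: B's own H(Ks||pB) against another user's C1
    HKsB = xor(insider.Reg, H(insider.IDi, insider.hpw))
    sn, Ri, C1, _ = victim.step1("sn-probe")
    try: return D(xor(Ri, HKsB), C1)[0] == victim.IDi
    except Exception: return False
```

A full run is `srv.step4(*u.step3(*srv.step2(*u.step1("sn-1"))))`, after which `u.pi` and `srv.pads[u.IDi]` both hold the fresh pad pi' and the next run uses Regi'.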

A brief flowchart of the proposed key agreement protocol is shown in Figure 2.

Figure 2. The proposed key agreement protocol.

4 SECURITY ANALYSIS

In this section, security analyses of the proposed scheme are illustrated by taking the following into account.

For the security between the users and the server, what a man-in-the-middle attacker can do is to intercept or modify the information exchanged between users and the server. At the user end, he may impersonate a legal user to communicate with the server, intercept the communicated messages to perform a password guessing attack, or merely replay an intercepted request. At the server's end, an attacker may impersonate the server to cheat legal users, or modify the key agreement messages to cheat the server.

Prior to demonstrating the security of the proposed scheme, some definitions are given below.

Definition 1. The discrete logarithm problem based on chaos is that, given the result a of a chaotic map of some degree k, that is, Tk(x) ≡ a, finding k is infeasible.

Definition 2. The Diffie–Hellman problem based on chaos is that, given two chaotic map polynomials Tr(x) and Ts(x) of different degrees, finding the combination Trs(x) without knowing r and s is infeasible.
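The semi-group property on which Definition 2 and the two computations of SKi (steps 2.3 and 3.2) rest, written out here as an added illustration that is not part of the paper: with the trigonometric form Tn(x) = cos(n arccos x) for x ∈ [−1, 1] and θ = arccos x,

$$T_r(T_s(x)) = \cos\bigl(r \arccos(\cos(s\theta))\bigr) = \cos(rs\theta) = T_{rs}(x) = T_s(T_r(x)),$$

where the middle step holds for integer r because cos is even and 2π-periodic, so arccos(cos(sθ)) differs from sθ only by a sign and a multiple of 2π. Both parties therefore reach the same SKi from (r, Ts(x)) and (s, Tr(x)) respectively, while a party holding only Tr(x) and Ts(x) faces the problem of Definition 2.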

Proposition 1. Password guessing attack

Proof. In the registration phase of the proposed scheme, Ui uses a nonce N when computing H(PWi||N) and keeps N secret from the server. Hence, it is infeasible for the server to guess PWi. In the key agreement phase, only the message {sn, Ri, C1, pi} sent from Ui to the server involves the user's password, as shown in Ri = Regi ⊕ H(v) = H(IDi, H(PWi||N)) ⊕ H(Ks||pi) ⊕ H(v). Hence, without knowing N, neither an attacker nor the server has a feasible way to guess the user's password. □

Proposition. User impersonation

Proof. In the proposed scheme, a one-time pad is used in each user's Reg, and thus an attacker B can compute H(Ks||pB) = RegB ⊕ H(IDB, H(PWB||NB)). But pB is unique to B, so it is impossible for B to impersonate another user, say A, in communicating with the server, because that would require H(Ks||pA). □

Proposition 2. Server impersonation

Proof. Although each user Ui can learn H(Ks||pi), the one-time pad pi is chosen afresh by the user for each communication, and thus H(Ks||pi) is used only once. Furthermore, it is infeasible to deduce the server's private key Ks, by the one-way property of H(·). Hence, an attacker cannot impersonate the server to cheat users. □

Proposition 3. Secret communication

Proof. Secret communication is based on the secrecy of the generated session key SKi = Tr(Ts(x)) = Trs(x). By Definition 1, it is infeasible for an attacker to deduce SKi = Tr(Ts(x)) = Trs(x) even after intercepting Ts(x) and Tr(x). Hence, secret communication is guaranteed. □

Proposition 4. User anonymity

Proof. In the key agreement phase, the user identity is protected either inside the ciphertext C1 encrypted under the secret key Ki or inside a hash value. If an attacker has no feasible way to obtain Ki to decrypt C1, he cannot learn the user identity. If an inside attacker B holding H(Ks||pB) intercepts the message {sn, Ri, C1, pi} sent from Ui, he cannot compute Ki = Ri ⊕ H(Ks||pi) without knowing H(Ks||pi). Although B can intercept the value pi, the relationship between IDi and pi is kept secret between the server and Ui; furthermore, without knowing SKi, an attacker has no feasible way to guess IDi from either AUi or AUs. Hence, the proposed protocol protects the user's anonymity. □

Proposition 5. Unlinkability

Proof. Because all the messages (except for IDs) communicated between users and the server change in each run of the key agreement phase, unlinkability is guaranteed. Thanks to the design of the one-time pad pi, Regi is updated in each run of the key agreement protocol. Although pi is transmitted in public, it is transmitted in the clear once only, so pi is always distinct in each run of the protocol. Similarly, using H(v) makes Ri different in each key agreement. Moreover, the new one-time pad pi' for updating Regi is transmitted in the form H(Ks||pi'), which guarantees that pi' itself is first transmitted publicly only in the next run of the protocol. Hence, an attacker has no way of telling whether the current user is the same as someone who previously performed a key agreement with the server. □

Proposition 6. Replay attacks

Proof. The user updates Regi in each run, because the next verifier is prepared in the current run. Moreover, Ri is computed with H(v), where v is a randomly chosen nonce, so that Ri is different in each run of the key agreement phase. Furthermore, the hash values for mutual authentication, AUs and AUi, also include the randomly chosen nonce rt, which is different in each run of the protocol. Hence, replaying previous messages is infeasible. □

Proposition 7. Bergamo et al. attack

Proof. In the proposed scheme, the related parameters ri, Tr(x) and Ts(x) are transmitted only inside the ciphertexts C1 and C2, so the attack of Bergamo et al. does not work. □

Proposition 8. Stolen-verifier attack

Proof. In the key agreement protocol, the server needs only its private key and no user passwords, that is, there is no password verifier. Hence, the proposed scheme avoids the threat of stolen-verifier attacks. □

Proposition 9. Mutual authentication

Proof. In the proposed protocol, Ui authenticates the server by checking whether AUs = AUs', because only the server can compute AUs from their common session key SKi. Moreover, the server authenticates Ui by checking whether AUi = AUi'. Thus, the protocol achieves mutual authentication. □

Proposition 10. Perfect forward secrecy

Proof. Assume that an attacker can access the server's long-term private key. However, the shared session key between Ui and the server is computed as SKi = Trs(x), which is independent of the server's private key. If the attacker intends to compute SKi = Trs(x), then by Definitions 1 and 2 it is infeasible to do so without knowing r and s. Therefore, the protocol achieves perfect forward secrecy. □

The comparison in terms of security and computational cost among the scheme of Tseng et al., the scheme of Niu and Wang and the proposed scheme is given in Tables 2 and 3.

Table 2. Security comparison between the related work and the proposed scheme.

Security property | Tseng et al. [8] | Niu and Wang [9] | Proposed scheme
Password guessing attack | Insecure | N/A | Secure
User impersonation | Insecure | Secure | Secure
Server impersonation | Insecure | Secure | Secure
User's anonymity | Not provided | Provided | Provided
Secret communication | Not provided | Provided | Provided
Unlinkability | Not provided | Provided | Provided
Replay attack | Secure | Secure | Secure
Bergamo et al. attack | Insecure | Secure | Secure
Stolen-verifier attack | Insecure | Secure | Secure
Mutual authentication | Not provided | Provided | Provided
Perfect forward secrecy | Not provided | Provided | Provided

Table 3. Cost comparison between the related work and the proposed scheme.

Computational cost | Tseng et al. [8] | Niu and Wang [9] | The proposed
Cost of user | 2TX + 5TH + 1TE + 1TD + 2TCM | 0TX + 2TH + 1TE + 1TD + 2TCM | 3TX + 7TH + 1TE + 1TD + 2TCM
Cost of the server | 1TX + 3TH + 1TE + 1TD + 2TCM | 0TX + 2TH + 1TE + 1TD + 2TCM | 1TX + 4TH + 1TE + 1TD + 2TCM
Cost of trusted third party | N/A | 0TX + 0TH + 2TE + 2TD + 0TCM | N/A
Infrastructure cost of trusted third party | Unneeded | Needed | Unneeded
Maintenance of system secret keys | Unneeded | Needed (trusted third party) | Unneeded

The following notations are used in Table 3.

  • TX : time cost of an XOR operation
  • TH : time cost of a one-way hash function operation
  • TE : time cost of a symmetric encryption operation
  • TD : time cost of a symmetric decryption operation
  • TCM : time cost of a Chebyshev chaotic map operation

Compared with the scheme of Tseng et al., the proposed protocol is more secure and provides user anonymity, although it costs more XOR and hash function operations. Compared with Niu and Wang's scheme, the proposed scheme needs more hash function operations, but Niu and Wang need to involve a trusted third party to maintain a large number of shared secret keys. The trusted third party may cost more for maintaining those security-sensitive secret keys.

5 CONCLUSIONS

In this paper, we analyze the reasons why the scheme of Tseng et al. is not secure against some attacks and provides no anonymity for users. Although Niu and Wang presented a new key agreement scheme to avoid the known attacks, their scheme unfortunately introduces the cost-heavy assumption of a trusted third party between the server and the users. Furthermore, their scheme has the drawback of highly complex secret key management. A security-enhanced scheme that overcomes the security weaknesses without involving a trusted third party has been proposed, and the security and computational cost analyses demonstrate that the proposed scheme is highly practical.

ACKNOWLEDGEMENT

The authors would like to thank the anonymous referees for their valuable discussions and comments. This research was partially supported by National Science Council, Taiwan, under contract no. NSC 99-2221-E-415-008.
