Abstract

With the nonstop development of communication technologies, all aspects of social life change continuously, and so do network systems. When establishing a connection is easy, the convenience of online services attracts many users; for example, patients directly access a medical system to be advised by doctors at any time. Therefore, a user authentication scheme is necessary when we want to provide privacy and security for working sessions. Storing a password list for verification is an old method and is not secure: the list can easily be leaked, and an adversary can then launch an offline password-guessing attack. In addition, the information exchanged between user and server must be protected from decryption by an attacker. It can be said that current authentication schemes are unsuitable for the new security standard. We need a strong user authentication scheme that uses a new approach to overcome existing limitations and guarantee time efficiency. In this paper, we make a design with Chebyshev polynomials to achieve our goals and resist several kinds of attacks.

1. Introduction

User authentication is one of the first important parts of all remote services. Furthermore, after successful authentication, the partners secretly exchange messages with each other, and we need a session key to encrypt these messages. Therefore, an authentication scheme also needs a session key agreement phase. Especially as wearable devices such as smart-glasses or smart-watches become popular, a user wants to connect to a remote service through these low-power computing devices. Therefore, in addition to security, we also consider time efficiency as one of the important factors. There are many proposed results using cryptographic primitives to make a reasonable user authentication scheme. Lamport [1] was the pioneer in using a hash function with a password. His method uses a password table for user verification in the login phase. This is a simple and easily implemented way, but his scheme is vulnerable to a stolen-verifier attack, and inappropriate use of the password can result in an offline password-guessing attack. Since then, many schemes have been proposed to enhance security. Typically, in 2004 Das et al. [2] proposed dynamic identity to provide user anonymity in their scheme. This is a positive idea, but in their scheme they use the password instead of the user’s real identity to create the dynamic login message. As a result, their scheme cannot resist password-related attacks, and even the server may launch a password-guessing attack to find the user’s real password.

In 2006, Yoon et al. [3] proposed a dynamic identity scheme using time-stamps. This scheme overcomes the reflection attack in Liao et al.’s scheme [4]. Clearly, Yoon’s scheme has important improvements to isolate such problems. However, they also use the password to authenticate with the online server, so their scheme is still vulnerable to password-related attacks. Until now, the password is still one of the most convenient factors in many authentication schemes, but using only this factor can be insecure. Using a reasonable encryption scheme with a block cipher, such as the Advanced Encryption Standard (AES) or Triple Data Encryption Standard (T-DES), can enhance the security of an authentication scheme. On the other hand, if we only use a hash function in the scheme, authentication speed increases because the time cost of a hash function is lower than that of an encryption scheme.

In addition to applying cryptographic primitives, there is an approach using hard problems as the security foundation, such as RSA or elliptic curve cryptosystems (ECC). In 2009, Yang et al. [5] proposed a scheme based on ECC. This is an efficient scheme because it uses the discrete logarithm and Diffie-Hellman problems on elliptic curves. However, instead of using random values, they use a point’s coordinates to create the session key, which does not satisfy perfect forward secrecy of the session key (PFS), one of the main standards for evaluating a strong authentication scheme. Therefore, some improved schemes were proposed, for instance by Islam et al. [6]. Their scheme uses random values in the creation of the session key. However, it is still vulnerable to known session-specific temporary information and denial of service attacks. In 2015 and 2016, Huang et al. [7] and Chaudhry et al. [8] proposed ECC-based authentication schemes, but these schemes cannot resist the malicious user attack and do not provide PFS. Also, in 2015 Chaudhry et al. [9] proposed an authentication scheme for a multiserver environment with general public key cryptography (RSA or ECC). However, their scheme needs a certificate authority (CA) to check the validity of the server’s key pairs. Furthermore, all previous session keys can be recomputed in the PFS scenario. Compared with RSA, ECC can achieve the same security with a smaller key size. It can be said that ECC is one of the popular approaches many authors apply in authentication schemes because it offers better performance [10].

Recently, Chebyshev polynomials are an approach that many authors pay attention to. Although this method’s computational cost is higher than ECC’s, it is being researched to become a standard such as RSA or ECC. Because it is a new method, there are many papers applying it in their schemes. At first, authentication schemes used the polynomial over the real field as a security foundation, but Bergamo [11] proposed a solution to break its security. In 2013, Hao et al. [12] proposed a scheme for a telecare medicine information system using the polynomial over the real field, but Lee et al. [13] discovered that this scheme violates the contributory property of key agreement, and Lee proposed a different improved scheme. However, we see that his scheme is still vulnerable in the same way as Hao’s scheme. Also, some papers [14, 15] face the same problem as Lee and Hao. To enhance the security of Chebyshev polynomials, Zhang [16] extended the polynomial’s semigroup property to the interval (-∞, +∞). Since then, Chebyshev polynomials can be placed in a modular prime number field and have received more security analysis [17]. In 2016, Irshad et al. [18] proposed a multiserver authentication scheme with Chebyshev polynomials. This scheme is designed with three actors and is suitable for the global mobility network (Glomonet). However, part of the information about the registration centre’s master key (K) can be leaked. In their scheme, they have PID  ⊕  K = (q ID PW). Clearly, the value and length of ID and PW are known, and any user can easily guess by inspecting PID = (xeasily_guess) ⊕ (IDPW). Although not all information about K is leaked, this is dangerous because a user can collect many PID values to find the “x” value. In 2017, Wang and Xu [19] proposed a reference model to solve offline dictionary attacks. Their model is truly useful for designing schemes with different approaches, such as RSA, ECC, or Chebyshev polynomials.
It can be said that Chebyshev polynomials are a new approach being developed by many researchers and may replace ECC or RSA in the future.

The rest of our paper is organized as follows. In Section 2, we present some background on Chebyshev polynomials. In Section 3, we review some previous typical schemes and analyse their security. Then in Section 4 we propose an improved scheme for the client-server environment using Chebyshev polynomials in a modular prime number field. In Section 5, we analyse our proposed scheme on two aspects, namely, security and efficiency. Finally, the conclusion is presented in Section 6.

2. Preliminaries

This section describes some features of Chebyshev polynomials in the real and modular prime number fields [20]. Also, we give some proofs that differ from those in [21, 22]. Following are the chaotic maps and the two hard problems.

2.1. Chebyshev Chaotic Maps

Let n and x ; we define Chebyshev polynomial : as T(x) = . Its semigroup property is as follows:

In 2008, Zhang [16] extended (1) to the interval (-∞, +∞). Therefore, we have a different formula of Chebyshev polynomial as follows:

where p , x and n ∈ℕ. We see that (2) can be changed to

2.2. The Hard Problems

In addition to the four important properties, there are two computational problems on chaotic maps that we apply in the proposed user authentication scheme.
(i) The first problem is the chaotic-maps-based discrete logarithm problem (CMDLP): given , p , and x, it is hard to find the value r such that T(x) = y . We call this the discrete logarithm problem on chaotic maps.
(ii) The second problem is the chaotic-maps-based Diffie-Hellman problem (CMDHP): given x , p ℙ, T, and T, it is hard to find T. We call this the Diffie-Hellman problem on chaotic maps.
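As an added example (not code from the paper), the following Python computes T_n(x) mod p in the modular form used above by raising the 2×2 matrix of the recurrence T_n = 2x·T_{n-1} − T_{n-2} (T_0 = 1, T_1 = x) to a power, checks the semigroup property T_r(T_s(x)) = T_{rs}(x), and runs the Diffie-Hellman-style exchange that CMDHP protects: each party publishes T_a(x) or T_b(x) and both derive T_ab(x). The prime, the seed x and the exponents are constructed toy values, and the function names are our own.

```python
# Added example (not the paper's code): Chebyshev polynomials T_n(x) mod p
# via fast 2x2 matrix exponentiation of the recurrence, the semigroup property
# T_r(T_s(x)) = T_rs(x), and a chaotic-maps Diffie-Hellman exchange.

def _mat_mul(a, b, p):
    """Multiply two 2x2 matrices (as nested tuples) modulo p."""
    return (
        ((a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p,
         (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p),
        ((a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p,
         (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p),
    )


def chebyshev_mod(n, x, p):
    """Return T_n(x) mod p.

    Uses T_n = 2x*T_{n-1} - T_{n-2} with T_0 = 1, T_1 = x, written as
    (T_n, T_{n-1}) = M^(n-1) * (T_1, T_0) for M = [[2x, -1], [1, 0]],
    so the cost is O(log n) matrix products instead of n steps.
    """
    x %= p
    if n == 0:
        return 1 % p
    if n == 1:
        return x
    result = ((1, 0), (0, 1))                  # identity matrix
    base = ((2 * x % p, (-1) % p), (1, 0))     # M reduced mod p
    e = n - 1
    while e:                                   # square-and-multiply
        if e & 1:
            result = _mat_mul(result, base, p)
        base = _mat_mul(base, base, p)
        e >>= 1
    # first row of M^(n-1) applied to the column (T_1, T_0) = (x, 1)
    return (result[0][0] * x + result[0][1]) % p


def semigroup_holds(r, s, x, p):
    """Check T_r(T_s(x)) == T_{rs}(x) mod p, the property both hard problems rely on."""
    return chebyshev_mod(r, chebyshev_mod(s, x, p), p) == chebyshev_mod(r * s, x, p)


def chaotic_dh(x, p, a, b):
    """Diffie-Hellman-style exchange over chaotic maps.

    Party A picks secret a and publishes T_a(x); party B picks secret b and
    publishes T_b(x). Each applies its own secret to the other's public value
    and, by the semigroup property, both obtain T_ab(x). Recovering T_ab(x)
    from x, T_a(x) and T_b(x) alone is the CMDHP instance.
    """
    pub_a = chebyshev_mod(a, x, p)
    pub_b = chebyshev_mod(b, x, p)
    shared_a = chebyshev_mod(a, pub_b, p)     # T_a(T_b(x))
    shared_b = chebyshev_mod(b, pub_a, p)     # T_b(T_a(x))
    return pub_a, pub_b, shared_a, shared_b


if __name__ == "__main__":
    # Constructed toy parameters: a small prime and small secrets, for illustration only.
    P, X = 1000003, 123456
    print("semigroup holds:", semigroup_holds(7, 11, X, P))
    pa, pb, sa, sb = chaotic_dh(X, P, 9001, 4242)
    print("public values:", pa, pb, "shared keys agree:", sa == sb)
```

Because T_r(T_s(x)) = T_{rs}(x) is a polynomial identity over the integers, it holds modulo any p for any integer x; the exchange is only as secure as CMDLP and CMDHP are hard for the chosen p, so toy sizes like these demonstrate correctness, not security.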

In this section, we review some typical related works applying Chebyshev chaotic map in user authentication schemes. Also, we analyse on their security.

3.1. Han-Yu Lin’s Scheme

Lin’s scheme [23] includes four phases: system initialization, user registration, authentication, and password change.
(1) Initialization phase. The server S chooses all necessary parameters (r, x, T, h(.), E(.)). In particular, (x, ) is written into the user’s smartcard.
(2) Registration phase. The user U chooses an identity ID, a password PW, and a random value t, computes H = h(PW, t), and sends ID, H to S through a secure channel. On receiving U’s message, S checks the validity of ID and uses its master key s to compute R = E(ID, H) and D = H ⊕ (x T(x)). Finally, S sends R, h(.), E(.), D to U through a secure channel. U receives the smartcard from S and inserts t into it.
(3) Authentication phase. When U authenticates with S, U provides (ID, PW) and the smartcard at the terminal. The authentication steps are as follows (see Figure 1):
(a) The smartcard chooses j and computes (x T(x)) = h(PW, t) ⊕ D, v = T(T(x)), and Q = h(ID, H).
(b) Next, U sends (T(x), (Q, R, T1)) to S, where T1 is the current time-stamp.
(c) On receiving U’s message, S computes v = T(T(x)), decrypts (Q, R, T1), and then checks T1.
(d) Next, S decrypts R with s to recover (ID′, H′) and computes Q′ = h(ID′, H′). If Q = Q′, then S successfully authenticates U. Otherwise, S terminates the session.
(e) Then, S chooses j′ and sends ((x), h(ID, T2), T2) to U, where T2 is the time-stamp at which S sends the message to U.
(f) On receiving S’s message, U decrypts it and checks the validity of T2. At the same time, U computes h′(ID, T2) and checks whether h′(ID, T2) ?= h(ID, T2). If this condition holds, U successfully authenticates S; otherwise U terminates the session.
(g) After a successful authentication phase, both U and S compute the session key λ = () for later use.
(4) Password change phase. U provides the smartcard, the old PW, and the new PW. Then, the smartcard randomly chooses i and computes H′ = h′(PW, t), (x T(x)) = H′ ⊕ D, η = (T(x)), and H = h(PW, t), and then sends (x), Eη(H′, H, R) to S.
On receiving U’s message, S computes η = T((x)) and decrypts Eη(H′, H, R) with η and s. Finally, S compares H′ ?= H. If this holds, S returns R = E(ID, H) to the smartcard, which then updates R = R.

3.2. Security Analysis on Han-Yu Lin’s Scheme

In this subsection, we review some limitations of this scheme.
(i) In Lin’s scheme, (x(x)) is the same in all users’ smartcards. Therefore, a malicious user can exploit this to launch an offline password-guessing attack if another user’s smartcard is lost. Suppose the malicious user extracts R, h(.), (.), D, t from another user’s smartcard. Then, the malicious user computes H = D ⊕ (x T(x)), where (x T(x)) belongs to the malicious user’s own smartcard. With H, the malicious user can check candidate passwords against H ?= h(PW, t), so Han-Yu Lin’s scheme is vulnerable to this kind of attack.
(ii) Han-Yu Lin’s scheme also violates the contributory property of key agreement. In this scheme, S can determine the common session key without U’s random value. S can perform the following steps:
(1) Find j′ such that = T(x), where j′ = .
(2) Then, S chooses the session key λ′ and computes v = .
(3) S has λ′ = () and transmits (x) to U. When U receives (x), U computes ((x)) = () = () = λ′. So, Lin’s scheme does not satisfy this property.

3.3. Hongfeng Zhu’s Scheme

Zhu’s scheme [24] includes four phases: registration, login, authentication, and password change.
(1) Registration phase. In this phase, the user U chooses a password PW, randomly chooses a value t, and computes W = h(PW t). Next, U sends (ID, W) to the server S through a secure channel. After receiving U’s (ID, W), S computes H = h(s ID), n = h(W ID) H, and sends n, x, Ts(x) to U through a secure channel. On receiving S’s message, U computes N = h(ID PW) n ⊕ h(W ID) = h(ID PW) H. Finally, U saves N, x, T(x) into U’s device.
(2) Login-authentication phases (see Figure 2). In this phase, U inputs (ID, PW), and U’s device randomly chooses two values k, R and computes H = N ⊕ h(ID PW) = h(s ID), (x), K = TT(x), H = h(H T(x) ∥ ID ID R), C = (H ID ID R). Then, U sends C, T(x) to S. After receiving U’s message, S computes K = TT(x) using T(x) and the master key s. Then, S decrypts C to recover H ID ID R. S computes H = h(s ID) and = h(H T(x) ∥ ID ID R). Finally, S checks ?= H. If this holds, S randomly chooses r, computes V1 = h(h(R r)), V2 = H ⊕ h(R r), SK = h(ID ID R h(R r)), and sends V1, V2 to U. Otherwise, S terminates the session. On receiving V1, V2 from S, U’s device checks V1 ?= h(V2 ⊕ H). If this does not hold, U’s device terminates the session; otherwise it computes SK = h(ID ID R h(R r)).
(3) Password change phase. In this phase, U provides the old PW, the new , and ID. Then, the device chooses a random value k′ and computes H = N h(ID PW) = h(s ID), = N h (ID PW) h(ID), T(x)′, = , = h(H ID ID h()), and C′ = ( ID ID h()). The device sends C′, T(x)′ to S. S computes = (x) to decrypt (C) = ID ID h(). Next, S computes H = h(s ID) and = h(H T(x)′ ∥ ID ID h()). S checks ?= . If this does not hold, S rejects. Otherwise, the password update is accepted and V3 = h( response) is computed, where response = “update” or “refuse”. Finally, S returns V3 to U. Once U’s device receives V3, response, it checks V3 ?= h( response).
If this holds, it updates (N with ); otherwise it rejects if response is “refuse”.

3.4. Security Analysis on Hongfeng Zhu’s Scheme

Next, we also review some limitations of this scheme.
(i) Hongfeng Zhu’s scheme does not provide PFS. If important information such as the master key s is leaked, U’s session keys can easily be computed from previously exchanged messages. Suppose an adversary captures C and V1, V2 from another session between U and S. With s, the adversary computes K = TT(x) and decrypts (C) = H ID ID R. Next, he/she computes H = h(s ID) and extracts h(R r) = V2 ⊕ H. Finally, he/she computes SK = h(ID ID R h(R r)). Clearly, this scheme does not satisfy PFS.
(ii) This scheme does not store a password-confirmation value on U’s device, so the password-update phase must connect to S. However, adding such a value to U’s device makes the login phase more secure if the device is stolen. For example, we add L = h(ID PW H) into the device. When logging in, U inputs ID and PW; U’s device computes H = N ⊕ h(ID PW) and then checks L ?= h(ID PW H). If this holds, U is the real owner of the device. With L, this scheme can resist an offline password-guessing attack if the device’s information is leaked, because L contains the authentication key H = h(s ID). In the password change phase, U needs to enter the correct old PW to pass L = h(ID PW H). If this holds, U’s device accepts the new PW′ provided by U. Next, U’s device recomputes = N ⊕ h(ID PW) h(ID) and L′ = h(ID H). Clearly, this password change phase is more efficient than the old one.
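The device-side check proposed in item (ii), as an added example that is not Zhu’s or this paper’s own code: the device keeps H = h(s ∥ ID) only in masked form N = h(ID ∥ PW) ⊕ H together with the confirmation value L = h(ID ∥ PW ∥ H), so login and password change can verify PW locally without a round trip to S. SHA-256 stands in for h(.), the byte strings are constructed sample values, and registration is simplified to derive H directly rather than through the masked n value of the real scheme. Note that the check gates only whoever is holding the device and knows PW; whether L also helps once both N and L have been extracted depends on the entropy of PW, since verifying a guess needs nothing beyond those two stored values.

```python
# Added example (not Zhu's scheme's or the paper's code): local password
# confirmation with N = h(ID||PW) XOR H and L = h(ID||PW||H) on the device.
import hashlib
import hmac


def h(*parts: bytes) -> bytes:
    """The scheme's hash h(.), instantiated here with SHA-256 (our assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings (the scheme's ⊕)."""
    return bytes(x ^ y for x, y in zip(a, b))


def register(server_master_key: bytes, uid: bytes, pw: bytes) -> dict:
    """Registration (simplified): the server derives H = h(s || ID); the device
    stores the masked key N and the confirmation value L, never H itself."""
    H = h(server_master_key, uid)
    return {"N": xor(h(uid, pw), H), "L": h(uid, pw, H)}


def local_login(device: dict, uid: bytes, pw: bytes):
    """Unmask H from N with the entered ID/PW and check it against L.
    Returns H on success (to be used in the online phase) and None otherwise."""
    H = xor(device["N"], h(uid, pw))
    if not hmac.compare_digest(h(uid, pw, H), device["L"]):
        return None
    return H


def change_password(device: dict, uid: bytes, old_pw: bytes, new_pw: bytes) -> bool:
    """Re-mask H under the new password only if the old password passes L;
    the server is not contacted because H itself does not change."""
    H = local_login(device, uid, old_pw)
    if H is None:
        return False
    device["N"] = xor(h(uid, new_pw), H)
    device["L"] = h(uid, new_pw, H)
    return True


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    dev = register(b"server-master-key", b"alice", b"correct horse")
    print("login ok:", local_login(dev, b"alice", b"correct horse") is not None)
    print("wrong pw rejected:", local_login(dev, b"alice", b"guess") is None)
    print("change ok:", change_password(dev, b"alice", b"correct horse", b"battery staple"))
```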

4. Proposed Scheme

Our proposed scheme using Chebyshev polynomials includes five phases: initialization, registration, authentication, and biometrics update phases. Below are the notations used in our scheme:
(i) U: the th user
(ii) ID: the th user’s identification
(iii) B: the th user’s biometrics
(iv) S: the server
(v) q: the server’s master key
(vi) h(.): hash function
(vii) sk: common session key
(viii) SC: the smartcard
(ix) ⊕, ∥: the XOR and concatenation operations
(x) T(.): Chebyshev polynomial operation

4.1. Initialization Phase

In this phase, S chooses a huge k-bit prime number p. Then S chooses q and h: 0, 10, 1. Finally, S publishes p, T(.), h(.).

4.2. Registration Phase

U provides B and ID and randomly chooses N. Then, U computes hB = h(N B) and V = h(B N). Finally, U sends hB, ID to S through a secure channel. On receiving the ’s information, S checks ’s validity. Then, S randomly chooses X and computes hAID = (h(ID X)) + (h(ID hB)) ; S then sends hAID, to U through a secure channel. U stores the information sent from S into a SC (see Figure 3).

4.3. Authentication Phase

U provides B and ID at the terminal. Then SC checks if V ?= h(B N). If this holds, SC computes hB = h(N B), AID = hAID - (h(ID hB)) . SC chooses r and computes R′ = (h(ID X)) , R = (AID) , M = h(R, AID), and CID = ID  ⊕ h(R). SC sends X, CID, M, R to S through a common channel (see Figure 4).

When receiving ’s login message, S computes and , where = (R′) mod p, ID = CID h() and = (h(ID)) mod p. Then S checks if ?= h(, ). If this does not hold, S terminates the session. Otherwise, S chooses and computes = () , S′ = + , sk = h(()) and = h(, ). S sends S′, to through a common channel.

When receiving S′, M, ’s SC computes = S′ – R and checks if M ?= h(, AID). If this holds, SC computes sk = h(()), M = h(, ()). Then, SC sends M to S through a common channel.

S checks if M ?= h(, ()). If this holds, S accepts U. U and S use sk to encrypt the information after authentication phase.

4.4. Biometrics Update Phase

When changes his/her biometrics, ’s SC checks if ?= h( N). If this holds, SC computes = h( N) and = (h()) mod p + - (h()) mod p. Finally, SC replaces and with and .

5. Security and Efficiency Analyses

In this section, we analyse our scheme from the security and efficiency aspects. Also, our scheme’s correctness is proved with BAN logic [25], while its security is examined for each concrete attack case.

5.1. Correctness Analysis

Before getting into the details of security, we prove our scheme’s correctness with BAN logic. We inherit some objectives from [26] because we see that they are reasonable ones, which an authentication scheme must achieve to successfully share the partners’ identities and session keys. For simplicity, we let K denote the user’s long-term key shared with the server at the registration phase, sk denote the session key, and ⊗ denote the Chebyshev operation. Firstly, our scheme must satisfy some assumptions, as shown in Table 1 (this is a must in this model).

These assumptions represent the initial necessary beliefs of user and server. For example, when the users register with the server, this means that they believe they can share their identity with the server (A1). Next, we normalize all messages exchanged between user and server.
(i) From the message CID we have <US, US,   ⊗ K>
(ii) From the message Mi we have <  ⊗ K, US>
(iii) From the third message we have <  ⊗ K, US>
(iv) From the fourth message we have <US, US>

The normalization is an arrangement of the information exchanged between user and server. For example, CID contains the identity, the challenge information r  ⊗ K, and the long-term key K. Normalization helps to highlight the important data in the messages. Next, we demonstrate how our scheme satisfies the seven lemmas that we reorganized from .

Lemma 1. If the server believes authentication key (long-term key) is successfully shared with user and the user’s messages encrypted with this key are fresh, the server will believe that the user believes his/her identity is successfully shared with server.

Proof. With A6 and CID, we apply the message-meaning rule to have
With A8, we apply the freshness rule to have
With (5) and (6), we apply the nonce-verification rule to have
With (7), we apply the belief rule:
So, with A6 and A8, we have demonstrated that our scheme satisfies Lemma 1.

Lemma 2. If the server believes the user also believes his/her identity is successfully shared with each other and user totally controls this identity’s sharing, the server also believes user’s identity is successfully shared with each other.

Proof. With Lemma 1 and A4, we apply the jurisdiction rule to have
So, with Lemma 1 and A4, we have demonstrated that our scheme satisfies Lemma 2.

Lemma 3. If the user believes authentication key is successfully shared with server and the server’s messages encrypted with this key are fresh, the user will believe the server also believes user’s identity is successfully shared with each other.

Proof. With A2 and M, we apply the jurisdiction rule to have
With (12) and A7, we apply the freshness rule to have
With (12) and (13), we apply the nonce-verification rule to have
With (14), we apply the belief rule to have

So, with A2 and A7, we have demonstrated that our scheme satisfies Lemma 3. In short, with these three lemmas we can say that both server and user believe that they have successfully shared their identities with each other. Next, we need to prove a similar thing for the session key.

Lemma 4. If the user believes that authentication key is successfully shared with server and server’s messages encrypted with this key are fresh, the user will believe the server also believes session key is successfully shared with each other.

Proof. With A2 and , we apply the message-meaning rule to have
With A7 and , we apply the freshness rule to have
With (17) and (18), we apply the belief rule to have
With (19), we apply the belief rule to have
So, with A2 and A7, we have demonstrated that our scheme satisfies Lemma 4.

Lemma 5. If the user believes the server totally controls session key’s sharing and the server also believes session key is successfully shared with user, the user will believe this session key’s sharing.

Proof. With A3 and Lemma 4, we apply the jurisdiction rule to have
So, with A3 and Lemma 4, we have demonstrated that our scheme satisfies Lemma 5.

Lemma 6. If the server believes authentication key is successfully shared with user and the user’s messages encrypted with this key are fresh, the server will believe the user also believes this session key’s sharing.

Proof. With A6 and M, we apply the message-meaning rule to have
With A8 and M, we apply the freshness rule to have
With (24) and (25), we apply the nonce-verification rule to have
With A6 and (26), we apply the belief rule to have
So, with A6 and A8, we have demonstrated that our scheme satisfies Lemma 6.

Lemma 7. If the server believes the user totally controls the session key’s sharing, the server will believe the session key is successfully shared with user.

Proof. With (26) and A5, we apply the message-meaning rule to have
With (29), we apply the belief rule to have

So, with A5 we completely demonstrate how our scheme satisfies Lemma 7. Finally, we can say that both server and user believe the common session key in our scheme.

5.2. Security Analysis

Before getting into the details of specific attacks, we use the random oracle model to prove the security of the session key in the Chebyshev polynomial case (see [27, 28] for more details). First, we recall the model’s setting. Assume that another actor B has Ω = (T(x), T(x)) and needs to compute T(x). B has oracles Client and Server with all their instances at different times. B also has an algorithm A that is able to break our scheme and compute the session key with a given probability ε. B uses A to find the session key and then computes T(x) to solve CMDHP. To achieve this, B must “inject” Ω’s parameters into the messages when A interacts with the oracles’ instances, and B also simulates an appropriate environment in which A can operate. Note that our scheme uses a hash function, which is modelled as an oracle. Next, we state our theorem about the session key’s security.

Theorem 8. Let A be an adversary breaking our scheme in the sense of AKE security in time t, using q Send queries and q Hash queries. We have
where B is an adversary breaking CMDHP in . The meaning of the theorem is that A’s probability of breaking our scheme in the sense of AKE security is bounded by B’s probability of breaking CMDHP. According to CMDHP, B’s success probability is extremely low, and so is A’s probability of breaking our scheme. Therefore, we can claim that our scheme has a secure session key in the sense of AKE security.

Proof. Assume that we have an actor B. This time, B needs to create some instances of the oracles Client and Server with Ω’s parameters. B also simulates an appropriate environment in which A can operate.
When A sends Send(“Start”) to Client, replies m1 to A (note that m1 = encrypted identity, challenge information, confirmation, depending on the concrete scheme). A may also send Send(“Start”) to a simulated oracle, for example . This time, B needs to inject Ω’s parameters into m1 according to the concrete scheme’s rules. Finally, B sends m1 to A. When A sends Send(m1) to Server, replies m2 to A (note that m2 = confirmation, challenge information, depending on the concrete scheme). A may also send Send(m1) to the simulated oracle . This time, B also needs to inject Ω’s parameters into m2 and send m2 to A. When A sends Send(m2) to Server, replies m3 = final confirmation to A. A may also send Send(m2) to the simulated oracle . B randomly chooses sk , computes the final confirmation message with this random sk, and sends m3 to A.
Sometimes, A sends wrong Send queries to the instances, so some oracles end in the “Accept” state and some in the “Reject” state. However, when A finishes sending Send queries, all instances A interacts with must be in the “Terminated” state.
When A sends Corrupt and Reveal queries to these instances, their state determines what A obtains, such as a long-term key or a session key. When A sends Corrupt and Reveal queries to the oracles B simulates, B generates a random string representing the session key for them. When A sends hash queries, B lets the hash oracle interact with A.
Finally, B activates A to send a unique Test query to a simulated or indicated oracle, and B expects A to correctly guess the bit b of this instance. In other words, B wants A to correctly guess this instance’s session key with A’s success probability. We see that for B to succeed, the following three consecutive factors are needed:
(i) B needs A to correctly find the sk of the simulated oracle, and A’s success probability is ε = (A, t).
(ii) Furthermore, when A correctly finds sk = h((x)…), A must have found “(x)” consistent with this sk. Clearly, if A sends queries to the hash oracle, A succeeds at least once. So, γ. (Note that the session key sk is always computed with the hash function.)
(iii) Next, when A correctly finds (x), A must correctly guess q or s. Clearly, if A sends queries to the oracle, A succeeds at least once. So, μ.
Finally, we have (, , , ) = ε × γ × με × × × (, , , )ε = (, , , ).

In this subsection, we analyse our scheme from the security aspect (see Table 2).
(1) Password-guessing attack. If the smartcard’s information is leaked, the adversary can try to exploit it to perform a password-guessing attack. The adversary then has = h(B N) from the smartcard. Differently from a password, B is the user’s biometrics and cannot be predicted. In short, our scheme easily resists this kind of attack.
(2) Replay attack. In this kind of attack, the adversary replays the login message to impersonate the user. In our scheme, the adversary can replay , CID, M, R to the server. Then, the server replies S′, M to the adversary. At this time, the adversary cannot compute M because R = (AID) mod p is impossible to know. Therefore, our scheme resists this kind of attack.
(3) User anonymity. In this kind of attack, the adversary eavesdrops X, CID, M, R, S′, M and M of another user. The user’s identity is encrypted with R, which includes the secret AID. Therefore, the adversary cannot trace who is authenticating, and our scheme provides user anonymity.
(4) Impersonation attack. In this kind of attack, the adversary can impersonate either the user or the server. In our scheme, the adversary eavesdrops X, CID, M, R and S′, . However, he must send M to cheat the server, and this is impossible because r and AID are secret. Moreover, if he wants to impersonate the server, he needs to compute M, and this is impossible because AID is secret. Therefore, our scheme resists this kind of attack.
(5) Man-in-the-middle attack. In this kind of attack, the adversary cheats both user and server simultaneously. However, he must compute the random value r and AID. From this information, he could derive R to cheat the server and derive M to cheat the user. Clearly, this information is secret, and the adversary cannot steal it.
(6) Parallel attack. In this kind of attack, the adversary uses another session’s messages to exploit the others. In our scheme, this is impossible because each session has different random values. For example, another session has the unique values r and r, so sessions have no relationship with each other.
(7) Two-factor attack. In this kind of attack, the adversary steals the user’s biometrics and then uses this information to compute the authentication key. We see that the smartcard includes N, V, hAID, , so without , the adversary cannot compute AID. Of course, if the smartcard is well protected, the adversary has no way to compute AID. Our scheme resists this kind of attack.
(8) Perfect forward secrecy. In this kind of attack, the adversary has all secret keys of the users and the server. Of course, the service must be stopped at this time. However, we need to prevent the adversary from learning past transactions, which means that all previous session keys must remain secret. In our scheme, the session key is constructed from r, r, and AID. Clearly, even if the adversary knows (AID) and (AID), he cannot compute ((AID)) because he faces CMDHP.

5.3. Efficiency Analysis

To compare the efficiency of our scheme with previous ones, we let “h” denote the hash operation, “e/d” the encryption/decryption operation, and “T” the computation of a Chebyshev polynomial. In the registration phase, our scheme uses 4 × h and 2 × T. Lin’s scheme uses 1 × h, 1 × T, and 1 × e/d. Zhu’s scheme uses 5 × h. In the authentication phase, our scheme uses 14 × h and 8 × T. Lin’s scheme uses 4 × h, 5 × T, and 5 × e/d. Zhu’s scheme uses 9 × h, 3 × T, and 2 × e/d. Our scheme’s computational cost is higher than the previous ones due to the security enhancements (see Table 3).

Also, we let t, t, and t denote the running time of each operation, that is, h, T, and e/d respectively (t t < t). To measure the relative running time of the three operations, we conducted an experiment using the Java Cryptography Architecture with the Bouncy Castle library on an Android mobile device with a quad-core 1.2 GHz CPU, and we obtained t ≈ 0.00004 ms, t ≈ 0.09385 ms, and t ≈ 80 ms (see Figure 5).

6. Conclusion

This paper proposes a Chebyshev-polynomial-based scheme for the client-server environment. Although our scheme takes more time than previous ones, it is more advanced and resists several popular kinds of attack. In future work, we will improve our techniques to reduce the time cost of computing Chebyshev polynomials.

Conflicts of Interest

We declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research is funded by Vietnam National University HoChiMinh City (VNU-HCM) under Grant no. B2015-18-01.