One-way authenticated key agreement protocols, aiming at solving the problems to establish secure communications over public insecure networks, can achieve one-way authentication of communicating entities for giving a specific user strong anonymity and confidentiality of transmitted data. Public Key Infrastructure can design one-way authenticated key agreement protocols, but it will consume a large amount of computation. Because one-way authenticated key agreement protocols mainly concern on authentication and key agreement, we adopt multi-server architecture to realize these goals. About multi-server architecture, which allow the user to register at the registration center (
RC
) once and can access all the permitted services provided by the eligible servers. The combination of above-mentioned ideas can lead to a high-practical scheme in the universal client/server architecture. Based on these motivations, the paper firstly proposed a new one-way authenticated key agreement scheme based on multi-server architecture. Compared with the related literatures recently, our proposed scheme can not only own high efficiency and unique functionality, but is also robust to various attacks and achieves perfect forward secrecy. Finally, we give the security proof and the efficiency analysis of our proposed scheme.
Authenticated key exchange (AKE) is one of the most important cryptographic components which is used for establishing an authenticated and confidential communication channel. Based on the number of participants, we can divide AKE protocols into three categories: two-party AKE protocols [1-3], three-party AKE protocols [4], and N-party AKE protocols [5-7]. Furthermore, based on the respective features in detail, the previous AKE protocols [3-17] can be classified many categories, we use two-party AKE protocols to set an example: such as using smart card [1], password-based [1-2], chaotic map-based [3], ID-based [7], anonymity [4,8], secret sharing [9] and so on. Recently many researchers achieve AKE in the multi-server environment called multi-server authenticated key agreement (MSAKA) protocols. MSAKA protocols allow the user to register at the registration center (RC) once and can access all the permitted services provided by the eligible servers. In other words, users do not need to register at numerous servers repeatedly. MSAKA protocols mainly want to solve the problems in a traditional single server with authentication schemes [10] which lead to the fact that user has to register to different servers separately. On a macro level MSAKA protocols can be divided into three phases in chronological order: Creative Phase: The pioneer work in the field was proposed by Li et al. [11] in 2001. However, Lin et al. [12] pointed out that Li et al.’s scheme takes long time to train neural networks and an improved scheme based on ElGamal digital signature and geometric properties on the Euclidean plane has also been given. Development Phase: the main work in this phase is amended repeatedly. For example, Tsai [13] also proposed an efficient multi-server authentication scheme based on one-way hash function without a verification table. Because Tsai’s scheme only uses the nonce and one-way hash function, the problems associated with the cost of computation can be avoided in the distributed network environment. However, the literature [14] pointed out that Tsai’s scheme is also vulnerable to server spoofing attacks by an insider server and privileged insider attacks, and does not provide forward secrecy. Diversification Phase: the research emphasis shifts to functionality. Therefore, identity-based MSAKA protocols, based on bilinear pairings or elliptic curve cryptosystem (ECC) MSAKA protocols, dynamic identity-based MSAKA protocols and other MSAKA protocols came up recently [14]. Fig. 1 shows the history of AKE protocols development.
However, most existing AKE or MSAKA protocols have emphasized mutual authentication, in which both parties authenticate themselves to their peer. There are many scenes need not mutual authentication at all and we just need one-way authentication. We can take some facts as examples which are shown in the Fig. 2. (1) Readers-to-journalists model: Readers act upon the perceived reputation of a news source, so reputation is a valuable commodity for journalists. No further authentication is required and since the information is public, channel secrecy is not required and does not affect the actions of either party. (2) Patient-to-expert model: On Internet, patients requiring medical advice may wish to do so anonymously, while still ensuring the confidentiality of their request and assurance that the medical advice received comes from an authentic, qualified source.
No need for mutual authentication environment on Internet
The key idea of one-way AKE is that one party wishes for no one to be able to determine his/her identity, including all the authorities. However, only a few protocols have considered the problem of one-way authentication. Goldberg [15] gave a specialized one-way AKE security definition for the Tor1 authentication protocol. The literature [16] described an identity-based anonymous authenticated key exchange protocol but with a limited session key secrecy definition based on key recovery, not indistinguishability. Morrissey et al. [17] analyzed the security of the Transport Layer Security (TLS) protocol in the context of one-way authentication, but with specialized security definitions. Recently, Goldberg and Stebila [18] provided an intuitive set of goals and present a formal model that captures these goals. Usually, public key encryption can be used for one-way AKE protocols, for example by having the client encrypt a session key under the server's public key. This mechanism is widely used, for example in the RSA-based cipher suites in TLS [19] and in the KAS1 protocol in NIST SP800-56B [20].The main contributions are shown as below: The paper firstly presents a new one-way authentication key agreement scheme towards multi-server architecture. Furthermore, the proposed protocol is based on chaotic maps without using modular exponentiation and scalar multiplication on an elliptic curve. In Security aspect, the protocol can resist all common attacks, such as impersonation attacks, man-in-the-middle attacks, etc. About functionality, the protocol also has achieved some well-known properties, such as perfect forward secrecy and execution efficiency.The rest of the paper is organized as follows: Some preliminaries are given in Section 2. Next, a one-way AKE towards multi-server architecture is described in Section 3. Then, the security analysis and efficiency analysis are given in Section 4 and Section 5. This paper is finally concluded in Section 6.
The Onion Router, an anonymous Internet communicaton system.
2. Preliminaries
- 2.1 Multi-server architecture
Fig. 3 shows the multi-server environment. In the multi-server environment [11], each user must perform authentication procedure to login the server for a transaction. If the user is in a single authentication architecture, then the user must register at various servers and memorize the corresponding identifications and passwords, which could not be convenient for a user. In order to make the registration to various servers easier for users, each user must register with the registration center to obtain a secure account. Then the user uses the secure account to perform the login and authentication procedures with various servers.
Secure communication schemes for remote one-way authentication and session key agreement for the multi-server architecture should provide security requirements [24]:(1) One-way authentication and key agreement: One-way authentication and key agreement refers to only one party authenticating the other suitably and getting the session key simultaneously.(2) Impersonation attack: An impersonation attack is an attack in which an adversary successfully assumes the identity of one of the legitimate parties in a system or in a communications protocol.(3) Man-in-the-middle attack: The man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.(4) Replay attack: A replay attack is a form of network attack in which a valid data transmission is repeated or delayed maliciously or fraudulently.(5) Known-key security: Known-key security is that a protocol can protect the subsequent session keys from disclosing even if the previous session keys are revealed by the intendant user.(6) Perfect forward secrecy: An authenticated key establishment protocol provides perfect forward secrecy if the compromise of both of the node’s secret keys cannot results in the compromise of previously established session keys.(7) Session key security: A communication protocol exhibits session key security if the session key cannot be obtained without any long-term secrets.(8) Resistance to stolen-verifier attacks: An adversary gets the verifier table from servers or RC by a hacking way, and then the adversary can launch any other attack which called stolen-verifier attacks.(9) No verification table: there is no verification table at the RC or the server at all.(10) Securely chosen password and time synchronization: Guarantee securely chosen password and no need for time synchronization among parties.(11) Authentication: one way authentication or mutual authentication in different phase in our protocol.
3. The Proposed One-Way AKE towards Multi-Server Architecture
In this section, under the multi-server architecture, a chaotic maps-based one-way authentication key agreement scheme is proposed which consists of two phases: the servers registration phase, one-way authentication key agreement phase.Remark 1: Because our proposed protocol is a one-way authentication scheme, there is no password update phase for users in our protocol.
- 3.1 Notations and Chebyshev chaotic maps
In this section, any server i has its identity ID_{si} . Only RC has its identity ID_{RC} and public key (x, T_{k}(x)) and a secret key k based on Chebyshev chaotic maps, a secure one-way hash function H (·), and a pair of secure symmetric encryption/decryption functions E_{K}() / D_{K}() with key K. The concrete notations used hereafter are shown in Table 1.
Let n be an integer and let x be a variable with the interval [-1,1] . The Chebyshev polynomial [21]T_{n}(x) : [-1,1] → [-1,1] is defined as T_{n}(x) = cos(n cos^{-1}(x)). Chebyshev polynomial map T_{n} : R → R of degree n is defined using the following recurrent relation:
PPT Slide
Lager Image
The first few Chebyshev polynomials are:T_{2}(x) = 2x^{2} - 1, T_{3}(x) = 4x^{3} - 3x, T_{4}(x) = 8x^{4} - 8x^{2} + 1, ……One of the most important properties is that Chebyshev polynomials are the so-called semi-group property which establishes that
PPT Slide
Lager Image
An immediate consequence of this property is that Chebyshev polynomials commute under composition
PPT Slide
Lager Image
In order to enhance the security, Zhang [22] proved that semi-group property holds for Chebyshev polynomials defined on interval (-∞,+∞). The enhanced Chebyshev polynomials are used in the proposed protocol:
PPT Slide
Lager Image
where n = ≥ 2, x ∈ (-∞,+∞), and N is a large prime number. Obviously,
PPT Slide
Lager Image
Definition 3.1. Semi-group property of Chebyshev polynomials:T_{rs}(x) = T_{r}(T_{s}(x)) = cos(r cos^{-1}(s cos^{-1}(x))) = cos(rs cos^{-1}(x)) = T_{s}(T_{r}(x)) = T_{sr}(x)Definition 3.2. Given x and y, it is intractable to find the integer s, such that T_{s}(x) = y. It is called the Chaotic Maps-Based Discrete Logarithm problem (CMBDLP).Definition 3.3. Given x, T_{r}(x) and T_{s}(x), it is intractable to find T_{rs}(x). It is called the Chaotic Maps-Based Diffie-Hellman problem (CMBDHP).
- 3.2 Servers registration phase
Concerning the fact that the proposed scheme mainly relies on the design of Chebyshev chaotic maps-based in multi-server architecture, it is assumed that the servers can register at the registration center in some secure way or by secure channel. The same assumption can be set up for servers. Fig. 4 illustrates the server registration phase.
Server or a authenticated expert registration phase
Step 1. When a server(or an expert) wants to be a new legal service provider, she chooses her identity ID_{si} with her identification card in law. Then the server submits ID_{si} to the RC via a secure channel.Step 2. Upon receiving ID_{si} from the server, the RC computers R = H(ID_{si}||k), where k is the secret key of RC. Then the server stores R in a secure way via a secure channel.
- 3.3 One-way authenticated key agreement phase
In this phase, one-way authenticated means that the server or the RC can be authenticated by the other two peers, but the user can not be authenticated by the the server or the RC to keep the user complete anonymity in the multi-server architecture. This concrete process is presented in the following Fig. 5.
Step 1. If Alice(assume Alice as an anonymous user) wishes to consult some personal issues establish with S_{i} (or an expert) in a secure way, she will choose a random integer number a and a temporary session SID_{A}. Then the device of Alice will compute K_{A-RC} = T_{a}T_{k}(x), H_{A} = H(SID_{A}||ID_{si}||T_{a}(x))), C_{1} = E_{KA-RC}(SID_{A}||ID_{si}||H_{A}). After that, Alice sends m_{1} = {SID_{A}, T_{a}(x), C_{1}} to S_{i} where she wants to get the server’s service.Step 2. After receiving the message m_{1} = {SID_{A}, T_{a}(x), C_{1}} rom Alice, S_{i} will do the following tasks to ask RC for helping Alice to authenticate itself: S_{i} selects random r_{i} and computes T_{ri}(x) and C_{2} = H(ID_{Si})||m_{1}||R||T_{ri}(x)). And then sends the message m_{2} to RC.Step 3. Next, RC will help Alice to authenticate S_{i} and verify the temporary information by helping them to compute the session key. After receiving the message m_{2} = {ID_{Si}, T_{ri}(x), C_{2}, m_{1}}, RC will do the following tasks:1) Authenticate S_{i} : Based on ID_{Si}, RC can compute R' = H(ID_{Si}||k). Then RC computes C'_{2} = H(ID_{Si}||m_{1}||R'||T_{ri}(x)) and check if C'_{2}? = C_{2}. If above equation holds, that means S_{i} are legal participants in this instance because only S_{i} own R.(2) Confirm S_{i} is the server that Alice wants to consult with: RC computes K_{RC-A} = T_{k}T_{a}(x) and then decrypts C_{1} to get SID_{A}||ID_{Si}||H_{A}. Next RC computes H'_{A} = H(SID_{A}||ID_{Si}||T_{a}(x)). RC verifies H'_{A}? = H_{A} and checks if ID_{Si} in the C_{1} equals to ID_{Si} in plaintext or not. If holds, that means S_{i} is the server that Alice wants to consult with.(3) Help S_{i} and Alice to get the session key: RC computes C_{3} = H(ID_{RC}||ID_{Si}||m_{1}||R||T_{ri}(x)), C_{4} = E_{KRC-A}(ID_{RC}||ID_{Si}||m_{1}||R||T_{ri}(x)||H_{RC}) and H_{RC} = H(SID_{A}||ID_{Si}||ID_{RC}||T_{ri}(x)). Then RC sends the message ID_{RC}, C_{4} to Alice and sends the message ID_{RC}, C_{3} to S_{i}.If any authenticated process does not pass, the protocol will be terminated immediately.Step 4. For Alice: After receiving the message ID_{RC}, C_{4}, Alice uses K_{A-RC} to decrypt C_{4}. Next Alice computes H'_{RC} = H(SID_{A}||ID_{Si}||ID_{RC}||T_{ri}(x)). Check if H'_{RC} = H_{RC}. If holds, Alice computes SK = T_{a}T_{ri}(x). For S_{i}: After receiving the message ID_{RC}, C_{3}, S_{i}, computes C'_{3} = H(ID_{RC}||ID_{Si}||m_{1}||R||T_{ri}(x)) and checks if C'_{3} = C_{3}. If holds, then S_{i} computes SK = T_{ri}T_{a}(x).Remark 2: We can view the servers and RC as an integrated system for the user, so from the perspective of the user, we adopt one-way authentication, that means only user authenticated the integrated system (the server and RC) but there is no authentication for the user. However, from the inside integrated system, for providing the reliable service in multi-server architecture, and we must make the server and RC to authenticate each other, that is the mutual authentication.
4. Security Analysis
The section analyzes the security of our proposed protocol. Let us assume that there are three secure components, including the two problems CMBDLP and CMBDHP cannot be solved in polynomial-time, a secure one-way hash function, and a secure symmetric encryption. Assume that the adversary has full control over the insecure channel including eavesdropping, recording, intercepting, modifying the transmitted messages.
- 4.1 Security proof of the proposed scheme
- (1) One-way authentication and key agreement
Definition 4.1. One-way authentication and key agreement refers to only one party authenticating the other suitably and getting the session key simultaneously.Theorem 4.1.The proposed protocol can achieve one-way authentication and key agreement.Proof: In our proposed protocol, one-way authentication means that RC helps Alice (an anonymous user) to authenticate S_{i}. So we can divide the one-way authentication process into three steps:(a) Alice authenticates RC: Because only RC has the secret k, RC can computes K_{RC-A} = T_{k}T_{a}(x) which equals to K_{A-RC} = T_{a}T_{k}(x). So if Alice decrypts C_{4} to get the ecessary information and check if H'_{RC} = H_{RC}. If above equation is equal, then that means Alice authenticates RC.(b) RC and S_{i} authenticate each other: We can use the shared key R to achieve the task. Firstly, based on ID_{Si}, RC can compute R' = H(ID_{Si}||k) by its private key k. Then RC computes C'_{2} = H(ID_{Si}||m_{1}||R'||T_{ri}(x)) and checks if C'_{2} = C_{2}. If above equation is equal, then that means RC authenticates S_{i}. After receiving the messages {ID_{RC}, C_{3}}, S_{i}. computes C'_{3} = H(ID_{RC}||ID_{Si}||m_{1}||R||T_{ri}(x)) and chesks if C'_{3} = C_{3}. If holds, we can say S_{i} authenticates RC.(c) Alice authenticates S_{i} : If Alice already authenticates RC, then she can authenticate S_{i} based on the information ID_{RC}||ID_{Si}||m_{1}||T_{ri}(x)||H_{RC} which were decrypted by RC in C_{4}. The trust flow is Alice → RC → S_{i}.As for the key agreement, after authenticating each other, the temporary T_{a}(x), T_{ri}(x) and the SID_{A}||ID_{Si}||ID_{RC} were already authenticated by RC. So finally Alice and S_{i} can make the key agreement simultaneously.
- (2) Impersonation attack
Definition 4.2. An impersonation attack is an attack in which an adversary successfully assumes the identity of one of the legitimate parties in a system or in a communications protocol.Theorem 4.2.The proposed protocol can resist impersonation attack.Proof: An adversary cannot impersonate anyone of the S_{i} and RC. The proposed scheme has already authenticated each other between S_{i} And RC, and Alice authenticates S_{i} and RC(in section 4.1.(1)) based on the secrets k, R and the nonces a, r_{i}. So there is no way for an adversary to have a chance to carry out impersonation attack.Remark 3: Because Alice is an anonymous user, an adversary impersonates “Alice” is meaningless for the S_{i} and RC.
- (3) Man-in-the-middle attack
Definition 4.3. The man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.Theorem 4.3.The proposed protocol can resist Man-in-the-middle attack.Proof: Because C_{i}(1 ≤ i ≤ 4) contain the participants’ identities or an anonymous user’s temporary session ID, a man-in-the-middle attack cannot succeed
- (4) Replay attack
Definition 4.4. A replay attack is a form of network attack in which a valid data transmission is repeated or delayed maliciously or fraudulently.Theorem 4.4.The proposed protocol can resist replay attack.Proof: That any message of Alice was replayed by an adversary is meaningless. Because “Alice” is an anonymous user, the adversary can as an anonymous user to initiate the protocol legally as his wish.For the messages between S_{i} and RC, an adversary cannot start a replay attack against our scheme because there were the fresh nonces a, r_{i} in each session. If T_{a}(x) and T_{ri}(x) have appeared before or the status shows in process, any of the participants in instance protocol will reject the session request. If the adversary wants to launch the replay attack successfully, it must compute and modify T_{a}(x) and T_{ri}(x) and C_{i}(1 ≤ i ≤ 4) correctly which is impossible.
- (5) Known-key security
Definition 4.5. Known-key security is that a protocol can protect the subsequent session keys from disclosing even if the previous session keys are revealed by the intendant user.Theorem 4.5.The proposed protocol can achieve known-key security.Proof: Since the session key SK = T_{a}T_{ri}(x) = T_{ri}T_{a}(x) is depended on the random nonces a and r_{i}, and the generation of nonces is independent in all sessions, an adversary cannot compute the previous and the future session keys when the adversary knows one session key. And in the secrets update phase, any session key is only used once, so it has known-key security attribute.
- (6) Perfect forward secrecy
Definition 4.6. An authenticated key establishment protocol provides perfect forward secrecy if the compromise of both of the node’s secret keys cannot results in the compromise of previously established session keys.Theorem 4.6.The proposed protocol can achieve perfect forward secrecy.Proof: In the proposed scheme, the session key SK = T_{a}T_{ri}(x) = T_{ri}T_{a}(x) is related with a and r_{i}, which were randomly chosen by Alice and the server S_{i} respectively. So any session key has not related with the secret key (such as k) of each of participants. Furthermore, because of the intractability of the CMBDLP and CMBDHP problem, an adversary cannot compute the previously established session keys.
- (7) Session key security
Definition 4.7. A communication protocol exhibits session key security if the session key cannot be obtained without any long-term secrets.Theorem 4.7.The proposed protocol can achieve session key security.Proof: In the authenticated key agreement phase, a session key SK is generated from a and r_{i}. These parameter values are different in each session, and each of them is only known by Alice and S_{i}. Whenever the communication ends between S_{i} and Alice, the key will immediately self-destruct and will not be reused. Therefore, assuming the attacker has obtained a session key, and Alice will be unable to use this session key to decode the information in other communication processes. Because the random point elements a and r_{i} are all generated randomly and are protected by the CMBDLP, CMBDHP, and the secure symmetric encryption, a known session key cannot be used to calculate the value of the next session key. Additionally, since the values a and r_{i} of the random elements are very large, attackers cannot directly guess the values a and r_{i} of the random elements to generate session key. Therefore, the proposed scheme provides session key security.
- (8) Resistance to stolen-verifier attacks
Definition 4.8. An adversary gets the verifier table from servers or RC by a hacking way, and then the adversary can launch any other attack which called stolen-verifier attacks.Theorem 4.8.The proposed protocol can resistance to stolen-verifier attacks.Proof: In the proposed scheme, neither the server nor the registration center maintains any verification table. Thus, the stolen-verifier attack is impossible to initiate in the proposed scheme.Remark 4: One-way authentication AKE means that there is no verification table at the RC or the server at all. And securely chosen password is also no need for our protocol. Because our protocol is based on nonces, there is no need for time synchronization.From the Table 2, we can see that the proposed scheme can provide secure session key agreement, perfect forward secrecy and so on. As a result, the proposed scheme is more secure and has much functionality compared with the recent related scheme.
Remark 5: Some qualitatively discuss about the difference between the proposed scheme and [26-29] as followed: (1) Our protocol is one way authentication AKE for users, so only servers need to registration at the RC. (2) About authentication, one-way authentication for users and mutual authentication for server and RC (see Remark 2). (3) Our proposed protocol can hold the security S1-S12, but the [26-29] have some defects. (4) Our protocol is anonymity, and [28-29] only assure ID hiding, and [26-27] have no privacy protect at all. The main differences about anonymity and ID hiding, and please see the Appendix.
- 4.2 The provable security of the proposed scheme
We recall the definition of session-key security in the authenticated-links adversarial model of Canetti and Krawczyk [25]. The basic descriptions are shown in Table 3.
We allow the adversary access to the queries SessionStateReveal, SessionKeyReveal, and Corrupt.(1) SessionStateReveal(s): This query allows the adversary to obtain the contents of the session state, including any secret information. s means no further output.(2) SessionKeyReveal(s): This query enables the adversary to obtain the session key for the specified session s, so long as s holds a session key.(3) Corrupt(P_{i}) : This query allows the adversary to take over the party P_{i}, including long-lived keys and any session-specific information in P_{i}’s memory. A corrupted party produces no further output.(4) Test(s): This query allows the adversary to be issued at any stage to a completed, fresh, unexpired session s. A bit b is then picked randomly. If b = 0, the test oracle reveals the session key, and if b = 1, it generates a random value in the key space. The adversary Λ can then continue to issue queries as desired, with the exception that it cannot expose the test session. At any point, the adversary can try to guess b. Let GoodGuess^{Λ}(k) be the event that the adversary Λ correctly guesses b, and we define the advantage of adversary Λ as
PPT Slide
Lager Image
where k is a security parameter.A session s is locally exposed with P_{i} : if the adversary had issued SessionStateReveal(s), SessionKeyReveal(s), Corrupt(P_{i}) before s would have expired.Definition 4.9. An authenticator exchange protocol ∏_{1} in security parameter k is said to be authentication secure in the adversarial model of Canetti and Krawczyk if for any polynomial-time adversary Λ,
PPT Slide
Lager Image
(1) If two uncorrupted parties have completed matching sessions, these sessions produce the same key as output;(2) Advantage^{Λ} (k) is negligible.Theorem 4.9.Under the CMBDHP assumption, using the1to compute an authenticator is authentication secure in the adversarial model of Canetti and Krawczyk[25].Proof. The proof is based on the proof given by Refs. [25]. There are two uncorrupted parties in matching sessions output the same session key, and thus the first part of Definition 4.9. is satisfied. To show that the second part of the definition is satisfied, assume that there is a polynomial-time adversary Λ with a non-negligible advantage ε in standard model. We claim that Algorithm 1 forms a polynomial-time distinguisher for CMBDHP having non-negligible advantage.Probability analysis. It is clear that Algorithm 1 runs in polynomial time and has non-negligible advantage. There are two cases where the r-th session is chosen by Λ as the test session: (1) If the r-th session is not the test session, then Algorithm 1 outputs a random bit, and thus its advantage in solving the CMBDHP is 0. (2) If the r-th session is the test session, then Λ, will succeed with advantage ε, since the simulated protocol provided to Λ is indistinguishable from the real protocol. The latter case occurs with probability 1/k, so the overall advantage of the CMBDHP distinguisher is ε/k, which is non-negligible.Definition 4.10. A composable key exchange protocol П_{2} in security parameter k is said to be session-key secure in the adversarial model of Canetti and Krawczyk if for any polynomial-time adversary Λ,
PPT Slide
Lager Image
(3) If two uncorrupted parties have completed matching sessions with pre-distributed parameter, these sessions produce the same key as output;(4) Advantage^{Λ}(k) is negligible.Theorem 4.10.Under the CMBDHP assumption, using the2to compute session key is session-key secure in the adversarial model of Canetti and Krawczyk[25].Proof. The proof’s process is similar to Theorem 4.9. The protocol П_{2} is the composable instance of protocol multiple П_{1}. Since Theorem 4.9 is session-key secure, the protocol П_{2} is also session-key secure.Probability analysis. It is similar to Algorithm 1. If we assume that Algorithm 2 forms a polynomial-time distinguisher for CMBDHP having non-negligible advantage, the overall advantage of the proposed protocol simulator with authenticated parameter is ε/k which is also non-negligible. Because the protocol П_{2} chooses different parameters to structure session keys in different phase which are secure independence of protocol П_{1}.
5. Efficiency Analysis
Compared to RSA and ECC, Chebyshev polynomial computation problem offers smaller key sizes, faster computation, as well as memory, energy and bandwidth savings. In our proposed protocol, no time-consuming modular exponentiation and scalar multiplication on elliptic curves are needed. However, Wang [21] proposed several methods to solve the Chebyshev polynomial computation problem. For convenience, some notations are defined as follows.
Thash: The time for executing the hash function;
Tsym: The time for executing the symmetric key cryptography;
TXOR: The time for executing the XOR operation;
TExp: The time for a modular exponentiation computation;
TCH: The time for executing theTn(x) modpin Chebyshev polynomial using the algorithm in literature[30].
To be more precise, on an Intel Pentium4 2600 MHz processor with 1024 MB RAM, where n and p are 1024 bits long, the computational time of a one-way hashing operation, a symmetric encryption/decryption operation, an elliptic curve point multiplication operation and Chebyshev polynomial operation is 0.0005s, 0.0087s, 0.063075s and 0.02102s separately [30]. Moreover, the computational cost of XOR operation could be ignored when compared with other operations.Table 4 shows performance comparisons between our proposed scheme and the literature of [26-29] in multi-server architecture. Therefore, as in Table 4 the concrete comparison data as follows:
(1) The concrete computation cost. Based on the [21][30], the conclusions can be drawn with different phase as follows:Phase A: The computation cost of our proposed protocol is zero. And the computation cost of the literatures [26-29] is about 0.001s, 0.001s, 0.0025s, and 0.004s respectively.Phase B: The computation cost of our proposed protocol is the same as all the related literature [26-29] which is about 0.0005s.Phase C: The computation cost of our proposed protocol is about 1T_{sym} + 1T_{hash} + 1T_{CH}≈ 0.03022s. And the computation cost of the literatures [26-29] is about 0.064075s, 0.0005s, 0.0015s, and 0.0035s respectively.Phase D: The computation cost of our proposed protocol is about 8T_{hash}+3T_{CH}+2T_{sym}≈ 0.08443s. And the computation cost of the literatures [26-29] is about 0.193725s, 0.008s, 0.0045s, and 0.0075s respectively.Phase E: The computation cost of our proposed protocol is zero. And the computation cost of the literatures [26-29] is about 0.001s, 0.001s, 0.002s, and 0.002s respectively.Total: The computation cost of our proposed protocol is 0.11415s. And the computation cost of the literatures [26-29] is about 0.2603s, 0.011s, 0.011s, and 0.0175s respectively.(2) The concrete communication cost. The communication round of our proposed protocol is equal to the literature [28], and reduced by about 25%, 57%, and 40% with the literature [26][27][29] respectively.(3) Comparisons and Reasons(a) The total computation cost of our proposed protocol is lower than the literatures [26]. The main reason is that the literatures [26] adopted modular exponentiation computation. At the same time, the literatures [26] cannot provide privacy protection for a user.(b) The total computation cost of our proposed protocol is higher than the literatures [27-29]. Furthermore, the communication round of our proposed protocol is superior to the literature [27][29] and is equal to the literature [28]. The reasons are: one reason is our protocol mainly adopts Chebyshev chaotic maps but the literatures [27-29] mainly adopts one way hash funciton. At the same time, Chebyshev chaotic maps has more attributes which leading to reduce communication rounds. Furthermore, from the perspective of security, our protocol is more secure than the literatures [27-29]. From the Table 3, we can see that the literatures [26-29] cannot resist many attacks and the literatures [28-29] cannot afford any authentication method. Therefore, as in Table 3 and Table 4, we can draw a conclusion that the proposed scheme has achieved the balance of efficiency and security.There are few one-way AKE schemes. The literature [17] was a security analysis of the TLS handshake protocol which has some context was related with one-way AKE protocol, but there was no a concrete protocol process. So this paper choose the literature [18] as a compared paper. For simplify, we just compare with the literature [18] about authentication phase. Table 5 presents the effciency in term of modular exponentiations(T_{Exp}), chebyshev polynomial(T_{CH}) and symmetric key cryptography(T_{sym}) computation of relevant one-way authentication key agreement protocol [18]. Therefore, from Table 5 we can see that the our proposed scheme has achieved the tight security and good efficiency. The tight security will be given in Section 4.2. Our protocol is more efficient than the literature [18] because chebyshev polynomial and symmetric key cryptography computation is more efficient than modular exponentiations computation, and our protocol chooses the former algorithms. Moreover, our proposed scheme possesses expandability because it is realized in multi-server architecture.
Efficiency in terms of modular exponentiations and chebyshev polynomial
PPT Slide
Lager Image
Efficiency in terms of modular exponentiations and chebyshev polynomial
6. Conclusion
This work provides a new approach to one-way authenticated key establishment towards multi-server architecture. The core ideas of the proposed scheme are the mutual authentication between the servers and RC and the anonymity for the users. Subsequently, we explain the practical motivations for authentication and secrecy assurances of parties engaging in one-way AKE protocols and some related terms. Based on our discussion we proposed a suitable protocol that covers those goals and offered an efficient protocol that formally meets the proposed security definition. Finally, after comparing with related literatures (multi-server schemes and one-way protocols) respectively, we found our proposed scheme has satisfactory security, efficiency and functionality. Therefore, our protocol is more suitable for practical applications.
BIO
Hongfeng Zhu obtained his Ph.D. degree in Information Science and Engineering from Northeastern University. Hongfeng Zhu is a full associate professor of the Kexin software college at Shenyang Normal University. He is also a master's supervisor. He has research interests in wireless networks, mobile computing, cloud computing, social networks, network security and quantum cryptography. Other things that interest him are number theory and the investigation of mathematics for designing secure and efficient cryptographic schemes. Dr. Zhu had published more than 60 international journal and international conference papers on the above research fields.
Lee C
,
Li C
,
Hsu C
2013
“A three-party password-based authenticated key exchange protocol with user anonymity using extended chaotic maps,”
Nonlinear Dyn
73
125 -
132
DOI : 10.1007/s11071-013-0772-4
Li Hui
,
Wu Chuan-Kun
,
Sun Jun
2010
“A general compiler for password-authenticated group key exchange protocol,”
Information Processing Letters
160 -
167
DOI : 10.1016/j.ipl.2009.11.013
Tseng H
,
Jan R
,
Yang W
“A chaotic maps-based key agreement protocol that preserves user anonymity,”
in Proc. of IEEE International Conference on Communications (ICC09)
2009
1 -
6
Di Raimondo M.
,
Gennaro R.
2006
“Provably secure threshold password-authenticated key exchange,”
System Sci
72
(6)
978 -
1001
DOI : 10.1016/j.jcss.2006.02.002
Khan MK
,
Zhang J
2007
“Improving the security of a flexible biometrics remote user authentication scheme,”
Comput Stand Interfaces
29
(1)
82 -
85
DOI : 10.1016/j.csi.2006.01.002
Li LH
,
Lin IC
,
Hwang MS
2001
“A remote password authentication scheme for multi-server architecture using neural networks,”
IEEE Transactions on Neural Networks
12
(6)
1498 -
1504
DOI : 10.1109/72.963786
Lin I C
,
Hwang MS
,
Li LH
2003
“A new remote user authentication scheme for multi-server architecture,”
Future Generation Computer Systems
19
(1)
13 -
22
DOI : 10.1016/S0167-739X(02)00093-6
Tsai JL
2008
“Efficient multi-server authentication scheme based on one-way hash function without verification table,”
Comput Secur
27
(3-4)
115 -
121
DOI : 10.1016/j.cose.2008.04.001
Goldberg Ian
2006
“On the security of the Tor authentication protocol, In George Danezis and Philippe Golle,”Privacy Enhancing Technologies (PET)
LNCS
4258
316 -
331
Kate Aniket
,
Zaverucha Greg M.
,
Goldberg Ian
2010
“Pairing-based onion routing with improved forward secrecy,”
ACM Transactions on Information and System Security
13
(4)
29 -
DOI : 10.1145/1880022.1880023
Morrissey Paul
,
Smart Nigel P.
,
Warinschi B.
“A modular security analysis of the TLS handshake protocol,”
Advances in Cryptology-Proc
2008
vol. 5350
55 -
73
NIST National Institute of Standards and Technology
2009
“Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography,”
Special Publication 800-56B
Wang X
,
Zhao J
2010
“An improved key agreement protocol based on chaos,”
Commun. Nonlinear Sci. Numer. Simul
15
4052 -
4057
DOI : 10.1016/j.cnsns.2010.02.014
Zhang L
2008
“Cryptanalysis of the public key encryption based on multiple chaotic systems,”
Chaos Solitons Fractals
37
(3)
669 -
674
DOI : 10.1016/j.chaos.2006.09.047
Pfitzmann Andreas
,
Hansen Marit
2010
“A terminology for talking about privacy by dataminimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management,”
Canetti Ran
,
Krawczyk Hugo
“Analysis of key-exchange protocols and their use for building secure channels,”
EUROCRYPT
2001
Vol. 2045 of Lecture Notes in Computer Science
453 -
474
Tsai JL
2008
“Efficient multi-server authentication scheme based on one-way hash function without verification table,”
Comput Secur
27
(3-4)
115 -
121
DOI : 10.1016/j.cose.2008.04.001
Liao YP
,
Wang SS
2009
“A secure dynamic ID based remote user authentication scheme for multiserver environment,”
Comput Stand Interfaces
31
(1)
24 -
29
DOI : 10.1016/j.csi.2007.10.007
Hsiang HC
,
Shih WK
2009
“Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment,”
Comput Stand Interfaces
31
(6)
1118 -
1123
DOI : 10.1016/j.csi.2008.11.002
@article{ E1KOBZ_2015_v9n2_811}
,title={A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment}
,volume={2}
, url={http://dx.doi.org/10.3837/tiis.2015.02.19}, DOI={10.3837/tiis.2015.02.19}
, number= {2}
, journal={KSII Transactions on Internet and Information Systems (TIIS)}
, publisher={Korean Society for Internet Information}
, author={Zhu, Hongfeng}
, year={2015}
, month={Feb}
TY - JOUR
T2 - KSII Transactions on Internet and Information Systems (TIIS)
AU - Zhu, Hongfeng
SN - 1976-7277
TI - A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment
VL - 9
PB - Korean Society for Internet Information
DO - 10.3837/tiis.2015.02.19
PY - 2015
UR - http://dx.doi.org/10.3837/tiis.2015.02.19
ER -
Zhu, H.
( 2015).
A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment.
KSII Transactions on Internet and Information Systems (TIIS),
9
(2)
Korean Society for Internet Information.
doi:10.3837/tiis.2015.02.19
&
Zhu, H
2015,
A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment,
KSII Transactions on Internet and Information Systems (TIIS),
vol. 2,
no. 2,
Retrieved from http://dx.doi.org/10.3837/tiis.2015.02.19
[1]
and
H Zhu
,
“A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment”,
KSII Transactions on Internet and Information Systems (TIIS),
vol. 2,
no. 2,
Feb
2015.
Zhu, Hongfeng
and
.
“A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment”
KSII Transactions on Internet and Information Systems (TIIS),
2.
2
2015:
Zhu, H
A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment.
KSII Transactions on Internet and Information Systems (TIIS)
[Internet].
2015.
Feb ;
2
(2)
Available from http://dx.doi.org/10.3837/tiis.2015.02.19
and
Zhu, Hongfeng
.
“A Provable One-way Authentication Key Agreement Scheme with User Anonymity for Multi-server Environment.”
KSII Transactions on Internet and Information Systems (TIIS)
2
no.2
()
Feb,
2015):
http://dx.doi.org/10.3837/tiis.2015.02.19