The SIJ Transactions on Computer Science Engineering & its Applications (CSEA), Vol. 2, No. 5, July 2014
ISSN: 2321-2381 2014 | Published by The Standard International Journals (The SIJ)
Presentation of a Two-Party Key Agreement Protocol based on Chaos
Nahid Yahyapoor*, Saeed Shaerbaf** & Morteza Nikooghadam***
*Master's Student, Department of Electrical Engineering, Khavaran Institute of Higher Education, Mashhad, IRAN.
E-Mail: nahid.yahyapoor{at}gmail{dot}com
**Department of Electrical Engineering, International University of Imam Reza, Mashhad, IRAN.
E-Mail: shaerbaf{at}imamreza{dot}ac{dot}ir
***Department of Computer Engineering, International University of Imam Reza, Mashhad, IRAN.
E-Mail: m_nikooghadam{at}sbu{dot}ac{dot}ir
Abstract: Key agreement protocol is one of the most important cryptography protocols which is used to build
a shared secret key between two or more participants through an insecure channel. To increase the security and
efficiency of these protocols, many studies have been carried out. Recently, in 2012, Lee et al. proposed a key
agreement protocol using smart cards and claimed that their protocol is secure and practical. However, He et
al. proved that Lee et al.'s protocol is vulnerable to the privileged insider attack and the denial of service
attack, and also that the protocol cannot protect the user's true identity. We will also point out that the protocol
requires timestamp information and that the cost of the card and reader makes this protocol costly. In order to
overcome these weaknesses, we present a two-party key agreement protocol based on the Chebyshev chaotic map
without using a smart card. Our protocol allows users to interact with the server anonymously. Moreover,
analysis shows that the proposed protocol can successfully resist the current attacks.
Keywords: Chebyshev Chaotic Map; Cryptography; Key Agreement Protocol; Logistic Chaotic Map;
Security; Session Key.
Abbreviations: Diffie-Hellman Problem (DHP); Discrete Logarithm Problem (DLP).
I. INTRODUCTION
A key agreement protocol is a protocol that is used to
build secret session keys by two or more
communication parties, but no party can
predetermine the resulting session key. Users can transmit
information securely over an open channel by using these
keys to encrypt/decrypt information. In 1976, Whitfield
Diffie & Martin Hellman (1976) developed and registered the
first key agreement protocol. However, their protocol did not
provide mutual authentication between the communication
parties, and so was vulnerable to the man-in-the-middle
attack.
Over the last few decades, cryptography based on chaos
has been studied extensively. Because of the impressive properties of
the Chebyshev map, such as sensitivity to initial
conditions/parameters and random-like behavior, this
chaotic map has been used for symmetric
encryption schemes, hash functions, public key encryption
schemes and key agreement protocols. In 2003, Kocarev and
Tasev (2003) proposed a public-key encryption algorithm
using chaotic maps. In 2005, Bergamo et al. pointed out that
the Kocarev-Tasev protocol is insecure because an
adversary is able to recover the plaintext from a given
ciphertext without any required private key. In 2007, Xiao et
al. designed a novel key agreement protocol, which utilizes
the semi-group property of the Chebyshev chaotic map.
However, in 2008, Han pointed out that Xiao et al.'s protocol
is insecure and presented two attacks on this protocol, in
which an adversary can prevent communication parties from
establishing a shared secret session key. Furthermore, in
2009, Xiang et al. pointed out that Xiao et al.'s protocol
is vulnerable to the stolen-verifier attack and the off-line
password guessing attack. Later, Han & Chang (2009)
proposed a key agreement protocol based on chaotic maps
which works with or without clock synchronization. In 2010, Wang
& Zhao proposed an improved key agreement protocol based
on chaos. However, in 2011, Yoon & Jeon proved that Wang-
Zhao's protocol still requires timestamp information and is
vulnerable to illegal message modification attacks and then
proposed an efficient and secure key agreement protocol. In
various scenarios such as e-commerce, e-banking and telecare
information systems, users want to obtain services
anonymously. In 2009, Tseng et al. presented the first key
agreement protocol based on chaotic maps with user
anonymity. In 2011, Niu & Wang pointed out that Tseng et
al.'s protocol cannot provide user anonymity and perfect
forward secrecy and is also insecure against insider
attacks. Thus they proposed a new anonymous key agreement
protocol. Soon, Yoon (2012) proved that Niu-Wang's
protocol is vulnerable to denial of service attack and has a
computational problem. In 2012, Lee et al. presented a key
agreement protocol with smart cards. In this paper, we will
point out that Lee et al.'s protocol fails to resist
the privileged insider attack and the denial of service
attack, fails to provide anonymity, is costly
because it uses smart cards, and requires synchronization. In
order to overcome these problems, we introduce an improved
key agreement protocol based on chaotic maps.
This paper is organized as follows: Section 2 gives
descriptions of the Chebyshev chaotic map and Logistic
chaotic map. In section 3, we review Lee et al.'s key
agreement protocol. In section 4, we introduce a secure key
agreement protocol and then analyze the security of our
proposed protocol in section 5. Finally, our conclusion is
given in section 6.
II. PRELIMINARIES
In this section, we introduce concepts used in our protocol,
such as Chebyshev chaotic map and Logistic chaotic map.
2.1. Chebyshev Chaotic Map
Definition 1. Let n be an integer and let x be a variable over
the interval [-1,1]. Chebyshev polynomial maps $T_n: R \to R$
of degree n are defined using the recurrence relation (1):
$$T_n(x) = 2x\,T_{n-1}(x) - T_{n-2}(x) \tag{1}$$
where $n \ge 2$, $T_0(x) = 1$ and $T_1(x) = x$. Some examples of
Chebyshev polynomials are:
$$T_2(x) = 2x^2 - 1, \quad T_3(x) = 4x^3 - 3x, \quad T_4(x) = 8x^4 - 8x^2 + 1 \tag{2}$$
Definition 2. Let n be an integer and let x be a variable
over the interval [-1,1]. The polynomial is defined as:
$$T_n(x) = \cos(n \arccos(x)) \tag{3}$$
Definition 1 and Definition 2 are equivalent.
Chebyshev polynomials have two important properties:
the semi-group property and the chaotic property.
Definition 3. The semi-group property: One of the most
important properties of Chebyshev polynomials is the
semi-group property, which is defined using relation (4):
$$T_{rs}(x) = T_r(T_s(x)) = T_s(T_r(x)) \tag{4}$$
Definition 4. The chaotic property: If the degree n>1,
$T_n: [-1,1] \to [-1,1]$ is a type of chaotic map with invariant
density $f^*(x) = \frac{1}{\pi\sqrt{1 - x^2}}$ for positive Lyapunov exponent
$\lambda = \ln n$.
Definition 5. Enhanced Chebyshev polynomials: In
2008, Zhang proved that the semi-group property holds true
for Chebyshev polynomials in the interval $(-\infty, +\infty)$.
Enhanced Chebyshev polynomials are defined as:
$$T_n(x) = \left(2x\,T_{n-1}(x) - T_{n-2}(x)\right) \bmod N \tag{5}$$
where $n \ge 2$, $x \in (-\infty, +\infty)$ and N is a large prime number.
Definition 6. The Diffie-Hellman problem (DHP): The DHP
is stated as: given two polynomials of different degrees, $T_r(x)$
and $T_s(x)$, finding $T_{rs}(x)$ is impossible without
knowing r and s.
Definition 7. The discrete logarithm problem (DLP):
The DLP is stated as: given an element a, finding the
integer r so that $T_r(x) = a$ is impossible.
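The recurrence (5) and the semi-group property (4) can be checked numerically. The following Python sketch is an added example, not code from the paper: it evaluates $T_n(x) \bmod N$ in $O(\log n)$ steps and shows two parties deriving the same value from exchanged $T_r(x)$ and $T_s(x)$. The prime N, the seed X and the degrees R and S are constructed toy values.

```python
# Added example: enhanced Chebyshev polynomials T_n(x) mod N, recurrence (5).
# N, X, R and S are constructed toy values, not parameters from the paper.
N = 2**61 - 1                   # a Mersenne prime standing in for the large prime N
X = 123456789                   # public seed x
R, S = 1_000_003, 998_244_353   # secret degrees r and s of the two parties


def cheb_recurrence(n, x, mod):
    """T_n(x) mod `mod` straight from the recurrence; O(n), for checking only."""
    t_prev, t_cur = 1 % mod, x % mod
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % mod
    return t_cur


def cheb_mod(n, x, mod):
    """T_n(x) mod `mod` in O(log n) by powering M = [[2x, -1], [1, 0]],
    since [T_{k+1}, T_k] = M * [T_k, T_{k-1}]."""
    if n == 0:
        return 1 % mod

    def mul(a, b):  # 2x2 matrices stored row-major as 4-tuples
        return ((a[0] * b[0] + a[1] * b[2]) % mod, (a[0] * b[1] + a[1] * b[3]) % mod,
                (a[2] * b[0] + a[3] * b[2]) % mod, (a[2] * b[1] + a[3] * b[3]) % mod)

    result, base, e = (1, 0, 0, 1), (2 * x % mod, mod - 1, 1, 0), n - 1
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    # [T_n, T_{n-1}] = M^(n-1) * [T_1, T_0] = M^(n-1) * [x, 1]
    return (result[0] * x + result[1]) % mod


def key_agreement(x, r, s, mod):
    """Each side publishes T_secret(x), then applies its own secret degree to
    the value it received; the semi-group property (4) makes both keys equal."""
    pub_a, pub_b = cheb_mod(r, x, mod), cheb_mod(s, x, mod)
    key_a = cheb_mod(r, pub_b, mod)   # T_r(T_s(x))
    key_b = cheb_mod(s, pub_a, mod)   # T_s(T_r(x))
    return pub_a, pub_b, key_a, key_b


if __name__ == "__main__":
    pub_a, pub_b, key_a, key_b = key_agreement(X, R, S, N)
    print("keys match:", key_a == key_b == cheb_mod(R * S, X, N))
```

This is only the unauthenticated key-derivation core; the protocols discussed in this paper wrap identity and message checks around it.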
2.2. Logistic Chaotic Map
One of the simplest chaotic maps is called Simple Logistic
Function or SLF for short. It can be expressed as:
$$x_{n+1} = \mu\, x_n (1 - x_n) \tag{6}$$
where $n = 0, 1, \ldots$, $x_0 \in [0,1]$ is an initial value, $x_n$ is the n-th
value in the sequence, $x_{n+1}$ is the (n+1)-th value in the same
sequence and $0 \le \mu \le 4$ is the logistic map parameter. For the
behavior to be chaotic, $\mu$ should satisfy $3.57 \le \mu \le 4$.
III. ANALYSIS OF LEE ET AL.'S PROTOCOL
In this section, we describe Lee et al.'s protocol and show its
problems.
3.1. Lee et al.'s Key Agreement Protocol
In this subsection, we describe Lee et al.'s (2012) protocol.
There are three phases in their protocol: the registration
phase, the login phase, and the authentication phase. $U_i$ and the
server are the two participants of the key agreement process,
where $U_i$ is user i.
3.1.1. Registration Phase
1. $U_i$ chooses his/her random password $pw_i$ and inputs
his/her personal biometrics $BT_i$ by a special device and
computes $H(BT_i)$, then sends $ID_i$, $pw_i$, and $H(BT_i)$ to the
server over a secure channel, where $ID_i$ is his/her identity
and H(.) is the one-way hash function.
2. The server selects a random number N and computes
$P_i = H(ID_i, X_s)$ and $Q_i = P_i \oplus H(pw_i \oplus H(BT_i))$, where $X_s$
is a private key of the server and $\oplus$ is the XOR operation.
Then, the server stores $(ID_i, H(BT_i), Q_i, N)$ into the user's
smart card and sends it to the user over a secure channel.
3.1.2. Login Phase
1. $U_i$ inserts his/her smart card into the card reader and
inputs his/her personal biometrics $BT'_i$ by a special
device.
2. The smart card checks whether $H(BT'_i) \stackrel{?}{=} H(BT_i)$. If it
does not hold, the card stops here; otherwise, the smart
card performs step 3.
3. $U_i$ inputs his/her password $pw'_i$ and the card supplies two
random numbers r and x. The smart card calculates
$P'_i = Q_i \oplus H(pw'_i \oplus H(BT'_i))$, $M_1 = P'_i \oplus r$, $M_2 = H(ID_i, r)$,
$M_3 = r \oplus T_x(r)$, and $AID_i = ID_i \oplus H(N, t_u)$, where $T_x(r)$ is the
Chebyshev polynomial in r of degree x and $t_u$ is a
timestamp of the user. $U_i$ sends $C_1 = (AID_i, M_1, M_2, M_3, t_u)$
to the server.
3.1.3. Authentication Phase
1. Upon receiving $C_1$, the server checks whether the
equation $t' - t_u > \Delta t$ holds, where $t'$ is the time when the
server receives $C_1$ and $\Delta t$ is the predetermined time
interval of transmission delay. If the equation holds, the
server stops the session; otherwise, the server computes
$ID'_i = AID_i \oplus H(N, t_u)$ and checks the validity of $ID'_i$.
Then, the server computes $P'_i = H(ID'_i, X_s)$, $r' = M_1 \oplus P'_i$,
$M'_2 = H(ID'_i, r')$, and checks whether $M'_2 \stackrel{?}{=} M_2$. If so, the
server computes $T_x(r') = r' \oplus M_3$. The server chooses a
random integer y, and computes the session key
$sk_i = T_y(T_x(r'))$, $M_4 = r' \oplus T_y(r')$, and $M_5 = H(ID'_i, r', sk_i)$.
Next, it sends $C_2 = (M_4, M_5)$ to $U_i$.
2. $U_i$ computes $T_y(r') = r \oplus M_4$, $sk_i = T_x(T_y(r'))$,
$M'_5 = H(ID_i, r, sk_i)$ and checks whether $M'_5 \stackrel{?}{=} M_5$. If so,
the server is authenticated and $sk_i$ is used as a secret
session key.
3.2. Problems of Lee et al.'s Key Agreement Protocol
Lee et al. claimed that their protocol is secure and efficient.
Unfortunately, Lee et al.'s protocol has some problems.
3.2.1. Privileged Insider Attack [He et al., 2012]
In the first step of the registration phase of Lee et al.'s
protocol, $U_i$ sends $ID_i$ and $pw_i$ to the server. If the user uses the
same password to access other servers, to avoid having to
remember different passwords, then the server knows the
user's password and may try to impersonate $U_i$. Choosing
one password for all accounts is one of the most common and yet
biggest mistakes, and therefore this protocol is vulnerable
to the privileged insider attack.
3.2.2. Denial-of-Service Attack [He et al., 2012]
$U_i$ inputs his/her personal biometrics $BT'_i$ by a special device
in step 1 of the login phase to confirm the claim of a
registered user. The smart card checks the relation $H(BT'_i) \stackrel{?}{=} H(BT_i)$.
One of the properties of hash functions is that the output
changes even if only one bit of the input changes; so if $H(BT'_i)$
is not equal to (