
A Chaotic Maps-based Authentication Scheme for Wireless Body Area Networks

Gaimei GAO 1,2, Xinguang PENG 1, Ye TIAN 1,3, Zefeng QIN 4

1. College of Computer Science & Technology, Taiyuan University of Technology, Taiyuan 030024, China;

2. Department of Computer Science and Technology, Taiyuan University of Science and Technology, Tai Yuan 030024, China;

3. Center of Computer, Taiyuan Normal University, Tai Yuan 030012, China;

4. Department of Computer Science, Shanxi Youth Vocational College, Tai Yuan 030032, China.

Correspondence should be addressed to Xinguang PENG; [email protected]

Abstract: As a technology for monitoring and recording human body health signals, wireless body area networks (WBANs) play an increasingly important role in the field of healthcare. Inspired by the semigroup property of Chebyshev maps, we design a novel chaotic maps-based authentication scheme for wireless body area networks. The scheme avoids modular exponentiation and scalar multiplication on an elliptic curve, and so reduces the time-consuming computation required of the participants. Compared with previous schemes, our scheme not only offers more security features but also reduces the computational cost of both client and application provider. Moreover, we present a security model for our scheme, demonstrate the validity of the protocol in detail using BAN (Burrows, Abadi, and Needham) logic, and analyze a software implementation method for Chebyshev polynomials.

Keywords: Wireless body area networks; Identity authentication; Chaotic map; Chebyshev polynomial; Semigroup property

1. Introduction

In wireless body area networks (WBANs) [1, 2], the human body is the communication center: a number of intelligent low-power sensor nodes are integrated in, on, or around the body. The sensor nodes collect important physiological parameters of the body and data about the surrounding environment, send the collected data wirelessly to an intelligent mobile terminal or a base station near the body, and finally transfer the data through the Internet to a server for analysis and processing. Through the network, medical personnel can monitor the physiological and environmental information of users by computer, users may ask for emergency first aid, and the server can record user data in real time. WBANs are applied not only in medical and health care but also where privacy protection matters. Security and privacy are key aspects of WBANs applications [3], so access control and authentication are the major security services needed. A typical wireless body area network is shown in Figure 1.

Authentication confirms the legitimacy of two communicating entities in an open network environment; it allows the two entities to establish a trust relationship and is an important component of network security technology. Authentication can be realized via the "3W" factors (What You Know, What You Have, or What You Are). Physiological information and health privacy data have strict security requirements, so the authentication system, as the first barrier, is one of the key problems of WBANs. Authentication enables a node to verify the legitimacy of the other sensor nodes involved in the communication, so that only messages sent by authorized nodes are accepted. However, authentication schemes with high computation and communication cost are not suitable for WBANs because of the limitations on computation capability, energy, storage space and battery lifetime. Therefore, a WBANs system requires a more secure and practical authentication mechanism.

In 1981, L. Lamport [4] presented a solution to the problem of password-based remote authentication using cryptographic hash functions. However, its high hash overhead and the need to reset passwords lowered its practical applicability. Since then, several improved password-based authentication schemes have been proposed [5-7]. However, most of these password-based remote user authentication schemes can only prevent certain kinds of attacks [8-9]. Authentication schemes based on symmetric key encryption were vulnerable to smart card attacks [10]. Schemes based on public key encryption involving modular exponentiation or elliptic curve arithmetic [11-13] impose a large computational overhead on terminal equipment. In 2009, Tseng et al. [14] proposed the first authentication scheme based on chaotic maps. However, Niu and Wang [15] pointed out that the scheme of [14] could not ensure user anonymity, nor the security of the scheme in the presence of a malicious user, and presented an improved scheme to overcome these disadvantages. Unfortunately, Xue and Hong [16] found that the scheme of [15] was vulnerable to the man-in-the-middle attack. In 2013, Guo and Chang [17] pointed out that the schemes [14-16] did not meet the requirements of key agreement, put forward a new authentication scheme based on chaotic maps, and asserted that the scheme could realize user anonymity and resist a variety of attacks. In the same year, Hao et al. [18] pointed out that Guo and Chang's scheme cannot ensure user untraceability and requires the use of two secret keys; to enhance efficiency and privacy, they presented a modified version. Unfortunately, Lee [19] found that Hao et al.'s scheme violates the contributory property of key agreement, since a malicious participant can predetermine the session key alone, and presented effective improvements with higher security. In addition, Jiang et al. [20] identified that Hao et al.'s scheme cannot resist the stolen smart card attack, and proposed a new chaotic map-based authentication scheme. Regrettably, Li et al. [21] found that both Lee's and Jiang et al.'s schemes have a serious security problem that enables a service misuse attack, and modified them slightly to remove the shortcoming. In [22] the authors proposed a key exchange scheme that works like the Diffie-Hellman algorithm by utilizing the semigroup property of Chebyshev polynomials. The improved protocol overcomes many drawbacks of the previous chaotic key agreement protocols, and both analysis and experimental results demonstrate that it is secure and practical.

Theoretically, authentication schemes for WBANs could be realized by traditional public key cryptosystems such as the RSA algorithm [23] and the ElGamal algorithm [24]. But these algorithms need a complicated operation, modular exponentiation, whereas the computation capability of medical sensors and control nodes in WBANs is very limited.

Figure 1. A Typical Scenario of WBANs

Hence those algorithms are not suitable for WBANs. In recent years, Liu et al. [25-26] proposed a certificateless signature (CLS) scheme and designed two certificateless remote anonymous authentication schemes for WBANs. The two schemes involve the bilinear pairing operation, and the computational complexity of a pairing operation is several times that of an elliptic curve point multiplication. Moreover, the first scheme did not realize user anonymity, because a constant value related to the client's identity is transferred over the network, and the second, security-enhanced authentication scheme was vulnerable to the stolen-verifier attack. Therefore, the schemes of Liu et al. are not suitable for WBANs. In 2014, Zhao [27] presented an identity (ID)-based efficient anonymous authentication scheme for WBANs using elliptic curve cryptography (ECC); the proposed scheme avoids the complicated bilinear pairing operation and saves the additional computation needed to verify the legality of a certificate. However, it still requires elliptic curve point multiplication, which increases the computation cost.

In this paper, we study the intrinsic characteristics of WBANs, compare existing remote authentication schemes, and propose a chaotic maps-based authentication scheme for WBANs. Our scheme takes full advantage of the semigroup property of the Chebyshev chaotic map. In the new scheme, the two communicating entities do not need to establish a public key encryption system in advance, and modular exponentiation and elliptic curve scalar multiplication are avoided in the authentication phase. We analyze the validity, security and computational cost of the scheme, present a security model for it, and discuss the software implementation of Chebyshev polynomials. We believe the proposed scheme is more suitable for WBANs.

The rest of the paper is arranged as follows. Section 2 briefly introduces the preliminaries of Chebyshev chaotic maps. Section 3 elaborates the scheme's design, including the design architecture, the three phases of the authentication scheme, and the password change phase. Section 4 is the performance analysis: it gives the scheme's security model, the validity proof of our scheme by BAN logic in detail, the security analysis against a variety of attacks, the software implementation of Chebyshev polynomials and a computational cost comparison with recently published schemes. Section 5 presents the conclusion.

2. Chebyshev chaotic maps

In this section, we first describe Chebyshev polynomials. The definitions of Chebyshev polynomials [28] are as follows.

Definition 1. Let $n$ be an integer and $x \in [-1, 1]$. The Chebyshev polynomial $T_n(x) : [-1, 1] \to [-1, 1]$ is defined as
$$T_n(x) = \cos(n \cdot \arccos(x)),$$
where the trigonometric function [13] $\cos(\cdot)$ is defined as $\cos(\cdot) : \mathbb{R} \to [-1, 1]$ and $\arccos(\cdot)$ is defined as $\arccos(\cdot) : [-1, 1] \to [0, \pi]$.

The recurrence relation of Chebyshev polynomials is
$$T_n(x) = 2x\,T_{n-1}(x) - T_{n-2}(x), \quad n \ge 2,$$
where $T_0(x) = 1$ and $T_1(x) = x$.

Some examples of Chebyshev polynomials: $T_2(x) = 2x^2 - 1$; $T_3(x) = 4x^3 - 3x$; $T_4(x) = 8x^4 - 8x^2 + 1$; $T_5(x) = 16x^5 - 20x^3 + 5x$.

Chebyshev polynomials satisfy the following two important properties [29-31], the semigroup property and the chaotic property.

(1) Semigroup property

One of the most important properties of Chebyshev polynomials is the semigroup property:
$$T_r(T_s(x)) = T_{rs}(x), \quad r, s \in \mathbb{Z},\ x \in [-1, 1].$$
According to the semigroup property, Chebyshev polynomials commute under composition:
$$T_r(T_s(x)) = T_{sr}(x) = T_s(T_r(x)), \quad r, s \in \mathbb{Z},\ x \in [-1, 1].$$

In 2008, Zhang [32] proved that the semigroup property also holds on the interval $(-\infty, +\infty)$ when the recurrence is taken modulo a prime:
$$T_n(x) = \big(2x\,T_{n-1}(x) - T_{n-2}(x)\big) \bmod p,$$
where $n \ge 2$, $x \in (-\infty, +\infty)$, and $p$ is a large prime. Therefore
$$T_r(T_s(x)) \equiv T_{sr}(x) \equiv T_s(T_r(x)) \pmod p.$$

(2) Chaotic property

When $n > 1$, the Chebyshev polynomial map $T_n(x) : [-1, 1] \to [-1, 1]$ of degree $n$ is a chaotic map with invariant density $f^*(x) = 1 / (\pi \sqrt{1 - x^2})$ and positive Lyapunov exponent $\lambda = \ln n > 0$.

Chebyshev polynomials are often used to build the following two problems [20,33,35,36], which are assumed to be intractable in polynomial time.

Definition 2 (Chaotic maps-based discrete logarithm problem, CMDLP). Given two elements $x$ and $y$, it is computationally infeasible to find the integer $n$ such that $T_n(x) \bmod p = y$.

Definition 3 (Chaotic maps-based Diffie-Hellman problem, CMDHP). Given three elements $x$, $T_r(x) \bmod p$ and $T_s(x) \bmod p$, it is computationally infeasible to compute $T_{rs}(x) \bmod p$.

3. Design Scheme

3.1. Design architecture

As shown in Figure 2, three kinds of participants are involved in the authentication protocol for WBANs: the WBANs client, the network manager (NM) and the application provider (AP). The WBANs client refers to a user who obtains a service from the AP through WBANs terminals or applications such as a PDA, smartphone, biosensor or medical equipment. The AP may be a hospital, a clinic or a physician that provides medical service through WBANs. The NM is responsible for creating the private key shared between the client and the application provider. It need not be a strongly trusted third party (TTP), because it only issues one part of the private key of a legitimate user, and this part alone is not sufficient to impersonate a legitimate client. A TTP is a trusted third party in the network, such as a trusted server or a key distribution center; it shares a different secret key with each participant, and all of these keys are in place before the protocol begins. Our scheme does not employ a TTP, because (1) a TTP needs to know the user's identity to look up the session key, which is contrary to user anonymity; (2) the extra steps add communication and computational load, which ignores the resource constraints of WBANs; (3) even if a malicious user impersonates the server, it cannot obtain the user's random number $b$, because the user sends $h(PW \oplus b)$ rather than $b$ to the server over the secure channel in the registration phase. If a malicious user guesses a random number in order to authenticate, the server's check yields $X_u' \neq X_u$ and the authentication is aborted. In a practical deployment, the NM may be a commercial organization that has been delegated as the private key generator managing the registration system.

3.2. Authentication scheme

In this section, we elaborate our remote authentication scheme for WBANs. The proposed scheme has three phases: the initialization phase, the registration phase, and the authentication phase. The notations used in this scheme are listed in Table 1.

Notation: Description
$U$: a user, or a user's computing device holding the smart card
$ID$: $U$'s identity
$PW$: $U$'s password
$S$: the remote server for the WBANs
$mk$: the secret key shared between $U$ and $S$ at registration
$sk$: the session key established between $U$ and $S$
$SC$: smart card
$AU$: attacker
$\Delta T$: time threshold
$h(\cdot)$: a secure one-way hash function
$\oplus$: the bitwise XOR operation
$\|$: the concatenation operation

3.2.1. Initialization phase

This phase is also called the parameter generation phase. In it, $S$ first creates the system parameters: the secret key $mk$ with a length of at least 256 bits, a random number $x \in (-\infty, +\infty)$, and a one-way hash function $h(\cdot)$. The random number is generated as in the C++ programming language: first create a seed, then draw a random number. Note that $mk$, and the per-session values $u$ and $r$ used in Section 3.2.3, must come from a cryptographically secure random number generator; a general-purpose library generator seeded in this way is not sufficient for key material.

3.2.2. Registration phase

If a user $U$ wants to become a legal user, the following steps are executed between $U$ and $S$ over a secure channel, as shown in Figure 3.

Step 1. $U$ chooses an identity $ID$, a password $PW$ and a random number $b$, and then sends $ID$ and $h(PW \oplus b)$ to the server through the secure channel.

Step 2. Upon receiving $ID$ and $h(PW \oplus b)$, $S$ selects a large prime $p$ and computes $X_u = h(ID \| mk)$ and $Y = X_u \oplus h(PW \oplus b)$, then stores $\{X_u, Y, h(\cdot), x, T_{mk}(x), p\}$ in the smart card and issues it to $U$.

Step 3. $U$ computes $Y_u = Y \oplus b$, replaces $Y$ with $Y_u$, then stores the random number $b$ in the smart card and completes the registration phase.

Table 1. Notations used in this scheme

Figure 2. Working Flow in the Authentication Scheme for WBANs

3.2.3. Authentication phase

A legal user $U$ with a valid smart card can establish a secure and authorized session with the server. When the user wants to request a service, the two parties first carry out mutual authentication and then agree on the session key that will be used for the secure transmission of data. As shown in Figure 4, the authentication between the user and the server consists of the following steps.

Step 1. User $U$ inserts the smart card $SC$ into a card reader and enters his/her password $PW$. The smart card generates a random number $u$ and computes $C_1 = T_u(x) \bmod p$, $KA = T_u(T_{mk}(x)) \bmod p$, $X_u = Y \oplus h(PW)$ and $DID = ID \oplus h(KA)$, then creates the message $M_{us1} = h(ID \| DID \| X_u \| C_1 \| KA)$ and sends the login message $M_1 = \{C_1, DID, M_{us1}, T_1\}$ to $S$ through a public channel, where $T_1$ is the current timestamp.

Step 2. Upon receiving the request message, $S$ checks whether $T_2 - T_1 \le \Delta T$ holds, where $T_2$ is the current timestamp. If it does not hold, $S$ terminates the session; otherwise $S$ computes $KA' = T_{mk}(T_u(x)) \bmod p$ from $C_1$, $ID' = DID \oplus h(KA')$ and $X_u' = h(ID' \| mk)$. Then $S$ checks whether $h(ID' \| DID \| X_u' \| C_1 \| KA') = M_{us1}$. If not, $S$ terminates the session; otherwise $S$ generates a random number $r$ and computes $C_2 = T_r(x) \bmod p$ and the session key $sk = T_r(T_u(x)) \bmod p$. Finally $S$ computes $M_{su2} = h(ID' \| C_2 \| KA' \| sk)$ and sends the response message $M_2 = \{C_2, M_{su2}, T_3\}$ to the user $U$, where $T_3$ is the current timestamp.

Step 3. After receiving the response message $M_2$, the smart card $SC$ verifies whether $T_4 - T_3 \le \Delta T$ holds, where $T_4$ is the current timestamp. If not, $SC$ terminates the session; otherwise $SC$ computes $sk' = T_u(T_r(x)) \bmod p$ and checks whether $h(ID \| C_2 \| KA \| sk') = M_{su2}$. If not, $SC$ terminates the session; otherwise $U$ computes $M_{sk} = h(KA \| sk')$ and sends $M_3 = \{M_{sk}\}$ to the server $S$.

Step 4. Upon receiving the message $M_3$, $S$ checks whether $h(KA' \| sk) = M_{sk}$ holds. If it is true, the verification between $U$ and $S$ succeeds and mutual authentication is accomplished: the session key is correct, and both $U$ and $S$ can use $sk$ to communicate securely. Otherwise, the connection is dropped.

Note that $KA' = KA$ and $sk' = sk$ follow from the semigroup property of Section 2: $T_{mk}(T_u(x)) \equiv T_u(T_{mk}(x))$ and $T_r(T_u(x)) \equiv T_u(T_r(x)) \pmod p$.

Figure 3. Registration phase
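The Chebyshev evaluation of Section 2 and the registration and authentication steps of Section 3.2, as an added, runnable Python model; this is not the paper's code and the authors' implementation is not shown here. Assumptions of the example: $p$ is the 61-bit Mersenne prime and $x = 7$ (the paper requires a large prime), $\Delta T$ is 5 seconds, $h$ is SHA-256 over '|'-separated fields, and the card recovers $X_u$ by undoing both masks applied at registration ($X_u = Y_u \oplus b \oplus h(PW \oplus b)$), which is the only reading under which the card-side value equals the server's $h(ID \| mk)$; the paper writes this step as $X_u = Y \oplus h(PW)$. The example also keeps $X_u$ itself off the card. The names Server, Card, run_protocol and the identity patient-42 are made up for the example.

```python
import hashlib
import secrets
import time

P = 2**61 - 1   # the prime p (constructed; far too small for real use)
X = 7           # the public random number x
DELTA_T = 5.0   # time threshold Delta T in seconds (constructed)


def chebyshev_mod(n, x, p=P):
    """T_n(x) mod p for n >= 0 in O(log n) steps: walk the bits of n keeping
    (T_k, T_{k+1}) and apply T_{2k} = 2T_k^2 - 1, T_{2k+1} = 2T_k T_{k+1} - x,
    both consequences of T_n = 2x T_{n-1} - T_{n-2}. The plain recurrence
    needs n steps, hopeless for the 256-bit exponents mk, u and r."""
    x %= p
    t0, t1 = 1, x                                  # (T_0, T_1)
    for bit in bin(n)[2:]:
        if bit == "0":                             # k -> 2k
            t0, t1 = (2 * t0 * t0 - 1) % p, (2 * t0 * t1 - x) % p
        else:                                      # k -> 2k + 1
            t0, t1 = (2 * t0 * t1 - x) % p, (2 * t1 * t1 - 1) % p
    return t0


def semigroup_holds(r, s, x=X):
    """T_r(T_s(x)) = T_rs(x) = T_s(T_r(x)) mod p: the reason KA and sk agree."""
    lhs = chebyshev_mod(r, chebyshev_mod(s, x))
    return lhs == chebyshev_mod(r * s, x) == chebyshev_mod(s, chebyshev_mod(r, x))


def h(*parts):
    """h(a || b || ...): SHA-256 over '|'-separated decimal fields (unambiguous
    concatenation), returned as an int so it can be XORed with ID and Y."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class Server:
    def __init__(self):
        self.mk = secrets.randbits(256)            # long-term secret key mk
        self.T_mk = chebyshev_mod(self.mk, X)      # T_mk(x), written to cards
    def register(self, ID, hpw_b):                 # registration step 2
        # X_u is kept off the card (assumption; storing it would make PW useless).
        return {"Y": h(ID, self.mk) ^ hpw_b, "x": X, "T_mk": self.T_mk, "p": P}
    def verify_login(self, M1):                    # authentication step 2
        if time.time() - M1["T1"] > DELTA_T:
            return None                            # stale or replayed M1
        KA = chebyshev_mod(self.mk, M1["C1"])      # T_mk(T_u(x)) = T_u(T_mk(x))
        ID = M1["DID"] ^ h(KA)
        if h(ID, M1["DID"], h(ID, self.mk), M1["C1"], KA) != M1["M_us1"]:
            return None                            # wrong PW, ID or card
        r = secrets.randbelow(P - 1) + 1
        C2 = chebyshev_mod(r, X)
        sk = chebyshev_mod(r, M1["C1"])            # T_r(T_u(x)) mod p
        self.pending = (KA, sk)
        return {"C2": C2, "M_su2": h(ID, C2, KA, sk), "T3": time.time()}
    def confirm(self, M3):                         # authentication step 4
        KA, sk = self.pending
        return sk if h(KA, sk) == M3["M_sk"] else None


class Card:
    def __init__(self, ID, PW, server):
        self.ID, self.b = ID, secrets.randbits(256)
        card = server.register(ID, self._mask(PW))  # registration steps 1-2
        self.Y_u = card["Y"] ^ self.b               # step 3: Y_u = Y xor b
        self.T_mk = card["T_mk"]
    def _mask(self, PW):                            # h(PW xor b)
        return h(int.from_bytes(PW.encode(), "big") ^ self.b)
    def _X_u(self, PW):
        # Undo both registration masks (assumption, see lead-in): gives h(ID || mk).
        return self.Y_u ^ self.b ^ self._mask(PW)
    def login(self, PW):                            # authentication step 1
        self.u = secrets.randbelow(P - 1) + 1
        C1 = chebyshev_mod(self.u, X)
        self.KA = chebyshev_mod(self.u, self.T_mk)  # T_u(T_mk(x)) mod p
        DID = self.ID ^ h(self.KA)                  # dynamic identity
        M_us1 = h(self.ID, DID, self._X_u(PW), C1, self.KA)
        return {"C1": C1, "DID": DID, "M_us1": M_us1, "T1": time.time()}
    def respond(self, M2):                          # authentication step 3
        if time.time() - M2["T3"] > DELTA_T:
            return None
        sk = chebyshev_mod(self.u, M2["C2"])        # T_u(T_r(x)) mod p
        if h(self.ID, M2["C2"], self.KA, sk) != M2["M_su2"]:
            return None                             # responder lacks mk
        self.sk = sk
        return {"M_sk": h(self.KA, sk)}


def run_protocol(PW_entered, PW_registered="s3cret", age_of_M1=0.0):
    """Register one card (constructed ID 'patient-42'), run the three-message
    exchange, return the agreed sk or None if either side aborted.
    age_of_M1 backdates T1 to model a replayed login message."""
    server = Server()
    card = Card(int.from_bytes(b"patient-42", "big"), PW_registered, server)
    M1 = card.login(PW_entered)
    M1["T1"] -= age_of_M1
    M2 = server.verify_login(M1)
    M3 = card.respond(M2) if M2 else None
    sk = server.confirm(M3) if M3 else None
    return sk if sk is not None and sk == card.sk else None
```

chebyshev_mod uses the doubling identities, so a 256-bit exponent costs a few hundred modular multiplications rather than $2^{256}$ recurrence steps; that is the "software implementation of Chebyshev polynomial" question in practical terms. run_protocol("wrong") and a backdated $T_1$ both return None, which exercises the two abort paths of Step 2.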

3.3. Password change phase

In addition to the above three phases, the system also provides a function for changing the password. A legal user $U$ with a smart card can change the password of the smart card in the following steps:

Step 1. User $U$ inserts his/her smart card $SC$ into a card reader and enters the old password $PW$.

Step 2. In order to verify the correctness of the input, the smart card $SC$ runs an authentication session with the server $S$ as described in the authentication phase above. If the user has entered the correct identity and password, mutual authentication succeeds, and the user $U$ then inputs a new password $PW_{new}$.

Step 3. The smart card $SC$ computes $Y_{new} = X_u \oplus h(PW_{new})$ and replaces $Y$ with $Y_{new}$.

4. Performance Analysis

In this section, we analyze the validity, security and efficiency of our protocol. First, we present the security model and then use Burrows-Abadi-Needham (BAN) logic to confirm the correctness of the proposed protocol. Second, we explain how our protocol withstands various attacks. Third, we discuss the efficiency of the proposed protocol.

4.1. Security model

To show that our scheme resists the known attacks on authentication protocols, we use the method of provable security. The proof of security is in the random oracle model and is based on the model proposed by Abdalla and Pointcheval [34]. The model [35,36] we use is as follows.

Figure 4. Authentication phase

4.1.1 Participants

Each participant in the authentication protocol is either a client $U \in \{U_1, U_2, \ldots, U_i, \ldots, U_n\}$ or the server $S$. We refer to the $i$-th instance of $U$ in a session as $\Pi^i_U$, and the instance of the server is denoted by $\Pi_S$.

4.1.2 Adversary model

The communication network is assumed to be potentially controlled by an adversary $\mathcal{A}$, who has the ability to intercept, block, inject, remove or modify any message transmitted over the public network. The adversary is allowed to make the following queries in any order.

$Execute(\Pi^i_U, \Pi_S)$: This query models passive attacks. It outputs the messages exchanged during an honest execution between the client instance $\Pi^i_U$ and the server instance $\Pi_S$.

$Send(\Pi^k_c, M)$: This query models active attacks. The adversary $\mathcal{A}$ can send a message $M$ through this oracle to $\Pi^k_c$, where $c \in \{U, S\}$. Then $\Pi^k_c$ returns to $\mathcal{A}$ the messages it computes according to the proposed scheme.

$Reveal(\Pi^k_c)$: This query models the misuse of session keys. $\mathcal{A}$ can obtain a session key from the oracle $\Pi^k_c$: if $\Pi^k_c$ has accepted, it returns the session key to $\mathcal{A}$; otherwise $\Pi^k_c$ returns a null value.

$Corrupt(U)$: This query models the corruption of a protocol participant $U$, i.e., $\mathcal{A}$ obtains the secret information of $U$.

$Test(\Pi^k_c)$: This query measures the semantic security of the session key $sk$. To respond, the oracle $\Pi^k_c$ chooses a random bit $b \in \{0, 1\}$. If $b = 1$, $\Pi^k_c$ returns the session key $sk$; otherwise it returns a random value. The adversary may make only a single query of this form to $\Pi^k_c$.

$h(m_i)$: When the adversary makes a hash query on message $m_i$, the oracle returns a random number $r_i$ and adds $(m_i, r_i)$ to a list $L_h$. At the very beginning, the list is empty.

4.1.3 Security proof

Here we show that the proposed scheme provides secure authentication and key agreement under the CMDHP assumption.

Theorem 1. Suppose that $\mathcal{A}$ can violate the proposed protocol with non-negligible probability, making $q_u$ queries to the user oracle $\Pi^i_U$, $q_s$ queries to the server oracle $\Pi_S$ and $q_h$ queries to $h(\cdot)$. Then we can design an algorithm $B$ that solves the chaotic maps-based Diffie-Hellman problem (CMDHP) with non-negligible probability.

Proof. First, we consider the type of attack in which $\mathcal{A}$ impersonates the user towards the server. We construct an algorithm $B$ that solves the CMDHP, i.e., $B$ returns $T_{ur}(x) \bmod p$ from an instance $\{x, T_u(x) \bmod p, T_r(x) \bmod p\}$, where $u, r \in Z_p^*$. (The corresponding CMDLP instance is $\{x, T_{mk}(x)\}$ with $mk$ unknown.) $B$ simulates the system initialization algorithm and the registration phase to generate the parameters $\{x, T_{mk}(x), h(\cdot)\}$ for $\mathcal{A}$, and interacts with $\mathcal{A}$ as follows.

$h(\cdot)$ query: $B$ holds a list $L_h$ of tuples $(str_i, h_i)$. When $\mathcal{A}$ queries the oracle $h(\cdot)$ on $str_i$, $B$ responds as follows. If $str_i$ is in $L_h$, $B$ returns $h_i$ to $\mathcal{A}$. Otherwise, $B$ chooses a random integer $h_i$ that does not yet appear in $L_h$, adds $(str_i, h_i)$ to $L_h$, and responds with $h_i$.

$Reveal(\cdot)$ query: When $\mathcal{A}$ makes a $Reveal(\Pi^u_c)$ query, $B$ responds as follows. If $\Pi^u_c$ has not accepted, $B$ returns a null value to $\mathcal{A}$. Otherwise, $B$ examines the list $L_h$ and responds with the corresponding $h_i$.

$Send(\cdot)$ query: When $\mathcal{A}$ makes a query $Send(\Pi^u_c, \text{"start"})$, $B$ responds as follows. If $\Pi^u_c \neq \Pi^u_U$, $B$ follows the steps of the proposed scheme. Otherwise, $B$ generates a random number $mk^*$, computes $T_{mk^*}(x)$ and replaces $T_{mk}(x)$ with $T_{mk^*}(x)$; $\mathcal{A}$ completes the subsequent authentication using $T_{mk^*}(x)$. $B$ responds with $\{C_1^*, DID^*, M_{us1}^*\}$. The simulation succeeds because $\mathcal{A}$ cannot tell whether $\{C_1^*, DID^*, M_{us1}^*\}$ is correct unless it knows the identity $ID$ and the password $PW$.

When $\mathcal{A}$ makes a $Send(\Pi^u_c, (C_1^*, DID^*, M_{us1}^*))$ query, $B$ responds as follows. If $\Pi^u_c \neq \Pi^u_U$, $B$ aborts the game. Otherwise, $B$ computes $KA'$, $ID'$ and $X_u'$ with $mk^*$ and checks whether $h(ID' \| DID^* \| X_u' \| C_1^* \| KA') = M_{us1}^*$ holds. If it holds, $B$ computes $C_2 = T_r(x) \bmod p$ and $sk = T_r(T_u(x)) \bmod p$, and responds with the message $\{C_2, M_{su2}^*\}$ according to the proposed protocol.

When $\mathcal{A}$ makes a query $Send(\Pi^u_c, (C_2, M_{su2}^*))$, $B$ responds as follows. If $\Pi^u_c \neq \Pi^u_U$, $B$ aborts the game. Otherwise, $B$ computes $sk^* = T_r(T_u(x)) \bmod p$.

If $\mathcal{A}$ can impersonate a user in the authentication, then $\mathcal{A}$ can obtain $mk$ from $(x, T_{mk}(x))$, obtain $sk = T_r(T_u(x)) \bmod p$ from $(x, T_u(x) \bmod p, T_r(x) \bmod p)$, and obtain $h(ID \| PW)$ from the list $L_h$. Therefore, if $\mathcal{A}$ can impersonate a user to the server, $B$ solves the CMDHP with non-negligible probability, which contradicts the assumed intractability of the CMDHP.

To sum up, the probability that $\mathcal{A}$ successfully impersonates the user to the server is negligible.

4.2. Authentication proof based on BAN logic

BAN logic [37-39] is a formal logic analysis method based on belief: it proceeds from the initial beliefs to the final goals by following the sending and receiving of messages during a run of the authentication protocol. It is a well-known formal model for analyzing the security of authentication and key agreement schemes. In this section, we first present the notations, rules, goals and assumptions, and then verify the validity of our protocol. The details are as follows.

4.2.1 Notations and rules

First of all, let $P$ and $Q$ be principals and $X$ a formula. The notations and rules of BAN logic used in the analysis are given below.

• $P \mid\equiv X$: $P$ believes that, in the current run of the protocol, the formula $X$ is true.

• $P \triangleleft X$: $P$ sees or holds formula $X$.

• $P \Rightarrow X$: $P$ has jurisdiction over the formula $X$. This can be used to express a certificate authority.

• $P \mid\sim X$: $P$ once said the formula $X$.

• $\#(X)$: The formula $X$ is fresh, meaning that $X$ is recent or is a nonce.

• $P \stackrel{k}{\leftrightarrow} Q$: $P$ and $Q$ share a secret key $k$. The key is only usable in communication between $P$ and $Q$, and is known only to $P$ and $Q$.

• $\{X\}_k$: The formula $X$ is encrypted with key $k$.

• $(X, Y)$: $X$ or $Y$ is one part of the formula $(X, Y)$.

Rule 1 (message meaning rule, for shared secret keys):
$$\frac{P \mid\equiv P \stackrel{k}{\leftrightarrow} Q,\quad P \triangleleft \{X\}_k}{P \mid\equiv Q \mid\sim X}$$
When $P$ sees a message encrypted with the key $k$ shared by $P$ and $Q$, then $P$ believes that $Q$ said $X$.

Rule 2 (nonce verification rule):
$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$
If $P$ believes that $X$ is recent and that $Q$ once said $X$, then $P$ believes that $Q$ believes $X$.

Rule 3 (jurisdiction rule):
$$\frac{P \mid\equiv Q \Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$
If $P$ believes that $Q$ has jurisdiction over $X$, and $P$ believes that $Q$ believes $X$, then $P$ believes $X$.

Rule 4 (freshness rule):
$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$$
If one part of a formula is known to be fresh, then the entire formula is fresh.

Rule 5 (elimination rules for multipart messages):
$$\frac{P \triangleleft (X, Y)}{P \triangleleft X},\qquad \frac{P \mid\equiv P \stackrel{k}{\leftrightarrow} Q,\quad P \triangleleft \{X\}_k}{P \triangleleft X},\qquad \frac{P \mid\equiv (X, Y)}{P \mid\equiv X},\qquad \frac{P \mid\equiv Q \mid\sim (X, Y)}{P \mid\equiv Q \mid\sim X},\qquad \frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X}$$
These rules show how a principal handles multipart messages.

The idealized form of our protocol, as illustrated in Figure 4, expressed in BAN logic is as follows.

Message 1: $U \to S$: $DID, \{X\}_u, h(DID, \{X\}_u, \{X\}_{mk})$

Message 2: $S \to U$: $\{X\}_r, h(\{X\}_r, \{X\}_{mk}, U \stackrel{sk}{\leftrightarrow} S)$

Message 3: $U \to S$: $h(\{X\}_u, U \stackrel{sk}{\leftrightarrow} S)$

4.2.2 Goals

According to the analytic procedure of BAN logic, the proposed protocol has the following four goals, shown as formulas $G_1$ to $G_4$ in the language of BAN logic.

$G_1$: $U \mid\equiv U \stackrel{sk}{\leftrightarrow} S$

$G_2$: $S \mid\equiv U \stackrel{sk}{\leftrightarrow} S$

$G_3$: $U \mid\equiv S \mid\equiv U \stackrel{sk}{\leftrightarrow} S$

$G_4$: $S \mid\equiv U \mid\equiv U \stackrel{sk}{\leftrightarrow} S$

4.2.3 Assumptions

The following assumptions about the initial state are made to analyze our protocol using BAN logic.

$A_1$: $U \mid\equiv \#(u)$

$A_2$: $S \mid\equiv \#(r)$

$A_3$: $U \mid\equiv U \stackrel{mk}{\leftrightarrow} S$

$A_4$: $S \mid\equiv U \stackrel{mk}{\leftrightarrow} S$

$A_5$: $U \mid\equiv S \Rightarrow U \stackrel{mk}{\leftrightarrow} S$

$A_6$: $S \mid\equiv U \Rightarrow U \stackrel{mk}{\leftrightarrow} S$

$A_7$: $U \mid\equiv S \Rightarrow U \stackrel{sk}{\leftrightarrow} S$

$A_8$: $S \mid\equiv U \stackrel{sk}{\leftrightarrow} S$

4.2.4 Verification

We use the rules and assumptions of BAN logic to analyze the idealized form of the proposed protocol. The main steps of the proof are as follows.

Message 1: $U \to S$: $DID, \{X\}_u, h(DID, \{X\}_u, \{X\}_{mk})$

From Message 1 we obtain:

S1: $S \triangleleft DID, \{X\}_u, h(DID, \{X\}_u, \{X\}_{mk})$

By assumption $A_4$, Rule 1 and Rule 5 we obtain:

S2: $S \mid\equiv U \mid\sim \{X\}_u$

$S$ then computes the session key, $U \stackrel{sk}{\leftrightarrow} S$ with $sk = \{\{X\}_u\}_r$.

Message 2: $S \to U$: $\{X\}_r, h(\{X\}_r, \{X\}_{mk}, U \stackrel{sk}{\leftrightarrow} S)$

From Message 2 we obtain:

S3: $U \triangleleft h(\{X\}_r, \{X\}_{mk}, U \stackrel{sk}{\leftrightarrow} S), \{X\}_r$

By assumption $A_3$, Rule 1 and Rule 5 we obtain:

S4: $U \mid\equiv S \mid\sim (\{X\}_r, \{X\}_{mk}, U \stackrel{sk}{\leftrightarrow} S)$

By assumption $A_1$, S4 and Rule 2 we obtain:

S5: $U \mid\equiv S \mid\equiv (\{X\}_r, \{X\}_{mk}, U \stackrel{sk}{\leftrightarrow} S)$

By S5 and Rule 5 we obtain:

S6: $U \mid\equiv S \mid\equiv U \stackrel{sk}{\leftrightarrow} S$ (This is $G_3$.)

By assumption $A_7$, S6 and Rule 3 we obtain:

S7: $U \mid\equiv U \stackrel{sk}{\leftrightarrow} S$ (This is $G_1$.)

Message 3: $U \to S$: $h(\{X\}_u, U \stackrel{sk}{\leftrightarrow} S)$

From Message 3 we obtain:

S8: $S \triangleleft h(\{X\}_u, U \stackrel{sk}{\leftrightarrow} S)$

By assumption $A_2$ and Rule 4 we obtain:

S9: $S \mid\equiv \#(U \stackrel{sk}{\leftrightarrow} S)$

By assumption $A_8$ and Rule 1 we obtain:

S10: $S \mid\equiv U \mid\sim U \stackrel{sk}{\leftrightarrow} S$

By S9, S10 and Rule 2 we obtain:

S11: $S \mid\equiv U \mid\equiv U \stackrel{sk}{\leftrightarrow} S$ (This is $G_4$.)

Therefore, the proposed protocol achieves its goals: $G_1$ from S7, $G_3$ from S6, $G_4$ from S11, and $G_2$ from $A_8$. Note that $G_2$ is identical to assumption $A_8$, so it is assumed rather than derived from the messages.

4.3. Security analysis

4.3.1. Anonymity

User anonymity refers to the condition that an attacker $U_A$ cannot discover anything about the registered user $U$ from the transmitted information. In our authentication phase, the login message 1, $\{C_{us}, DID, M_1, T_1\}$, carries the dynamic identity $DID$ (derived from $ID$ and $h(KA)$) rather than $ID$ itself; the user's real identity $ID$ is only implicitly involved in $DID$, where $KA = T_u(T_{mk}(x)) \bmod p$. Thus, if the attacker $U_A$ wants to forge $U$, he/she must compute $KA$ and derive $ID$ from $DID$. However, it is computationally infeasible to obtain $T_u(T_{mk}(x)) \bmod p$ directly from $T_u(x) \bmod p$ and $T_{mk}(x) \bmod p$, by the CMDHP. Therefore, the adversary cannot retrieve $ID$ from $DID$. Moreover, the login message $\{C_{us}, DID, M_1, T_1\}$ is independent and different in every session, because $KA$ and the random number $u$ are freshly selected and updated in every session. In brief, our scheme achieves user anonymity.

4.3.2. Mutual authentication

Mutual authentication means that the server and the user can verify each other and establish mutual trust before accessing the patient's private information. In our scenario, only a legitimate user who possesses the right password and authentication information can send a request to the server, and only the authorized server that owns the correct secret key can verify the user's request. Therefore, this scheme provides mutual authentication between the user and the server; that is to say, our proposed scheme achieves mutual authentication between the legal user and the server.

4.3.3. Replay attack

A replay attack means that the attacker captures messages of a previous or current protocol run and replays them to attack the current session. In the authentication process, both the user's request (message 1, $\{C_{us}, DID, M_1, T_1\}$) and the server's response (message 2, $\{C_{su}, M_2, T_3\}$) contain a timestamp, and the valid period of each message is limited by that timestamp. Even if the attacker intercepted the transmitted information and pretended to be a legitimate user, this would be easily detected by checking the freshness of the timestamp. In addition, the adversary cannot bypass the timestamp verification, because the transmitted message is protected by the hash function. Therefore, this scheme can resist replay attacks.

4.3.4. Perfect forward secrecy

Perfect forward secrecy means that previously established session keys remain secure even if the long-term private keys of the server and the user are disclosed. In our scenario, even if the current session key is compromised, a previously established session key $sk = T_u(T_r(x)) \bmod p$ remains secure, because different sessions use different random numbers and it is computationally infeasible to calculate the session key directly from $T_u(x) \bmod p$ and $T_r(x) \bmod p$.


4.3.5. Man-in-the-middle attack

A man-in-the-middle attack refers to the condition in which the attacker disguises himself/herself as a legitimate participant, making the other communicating party believe that they are in a direct dialogue over a secret connection. In our scheme, the attacker $U_A$ cannot compute the value $X_u$ (derived from $Y$ and $h(PW)$), which is related to the random number $u$ and the private key $mk$. In addition, the attacker $U_A$ also cannot calculate the value $KA = T_u(T_{mk}(x)) \bmod p$, because $u$ is a random number generated temporarily in every session. Therefore, the attacker cannot disguise himself/herself as a legitimate user; that is to say, our scheme can resist the man-in-the-middle attack.

4.3.6. Smart card stolen attack

An attacker $U_A$ who steals a smart card can retrieve the stored data $\{X_u, Y, h(\cdot), x, T_{mk}(x), p, b\}$ from the smart card and guess a password $PW^*$. However, the attacker cannot obtain the real login message $\{C_{us}, DID, M_1, T_1\}$ needed to validate the correctness of $PW^*$, because $DID$ is derived from $ID$ and $h(KA)$ with $KA = T_u(T_{mk}(x)) \bmod p$, where the random number $u$ is generated temporarily for each session and different sessions have different $u$. Therefore, our scheme can resist the smart card stolen attack.

4.3.7. Efficient password change phase

A user can unintentionally cause a denial of service by making a small mistake, such as entering an incorrect password in the password change phase. Failure to detect incorrect input can lead to a denial-of-service scenario, so an efficient password change phase must be provided. In our scheme, the smart card first verifies the correctness of the identity and password with the server by establishing an authorized session; the session can be established successfully only when the correct identity and password are entered. Once the session has been established, the smart card requests a new password and initiates the password change phase. This process shows that our proposed scheme detects incorrect input efficiently.

4.3.8. Privileged insider attack

A malicious privileged insider of the server's system may try to obtain a legitimate user's password. In the registration phase of our proposed protocol, the user $U$ sends $ID$ together with a hash computed over $PW$ and the random number $b$ to the server, instead of $PW$ in its original form. Therefore, a malicious insider cannot derive the user's password $PW$, because the hash function $h(\cdot)$ cannot be inverted. Furthermore, an insider attacker cannot mount a password guessing attack, as the user submits the hash of $PW$ and $b$ instead of the random number $b$ itself. So our scheme can resist the privileged insider attack.

4.3.9. Session key verification

In steps 3 and 4 of the authentication phase, the user sends message 3, $\{M_{sk}\}$, to the medical server, and upon receiving it the server checks whether $h(KA' \| sk) = M_{sk}$ holds. If the verification equation holds, the session key $sk$ is confirmed. Therefore, the proposed scheme provides the session key verification property.


4.4. Software implementation analysis and comparison

4.4.1. Software implementation

The main problem of our scheme in software implementation is the computation time of the Chebyshev polynomials $T_n(x)$. During the computation, a high-order polynomial is involved in the Chebyshev chaotic map. If we directly compute the high-order polynomial according to the definition or the recursive sequence, we find that the computation error becomes very large for high orders, and the computation load grows with the order of the polynomial. In reality, the security of our proposed scheme does not depend largely on high-order polynomials. Therefore, we can select a certain large number as $s$ so as to reduce the time for factorizing $s$ to get $K_i$ ($i = 1, 2, 3, \ldots$). The method adopted in this paper is described below.

Let the Chebyshev polynomial order be $s = s_1^{k_1} s_2^{k_2} \cdots s_i^{k_i}$. Then

$T_s(m) = \underbrace{T_{s_i}(\cdots T_{s_i}}_{k_i \text{ times}}(\cdots \underbrace{T_{s_1}(\cdots T_{s_1}}_{k_1 \text{ times}}(m)\cdots)\cdots)$

Therefore, the computation of $T_s(m)$ only requires $k_1 + k_2 + \cdots + k_i$ iterations of the Chebyshev map rather than $s$ iterations [40].

With the existing high-precision libraries, the correctness of numerical algorithms in finite-precision arithmetic can be addressed. In practical application, the security of this protocol no longer relies completely on the difficulty of the high-order polynomial problem. Therefore, we need not take the maximum values of $u$ and $r$, which further enhances the security of the protocol.
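As an added example (not the paper's own code), the following Python computes $T_n(x) \bmod p$, checks the semigroup identity $T_u(T_{mk}(x)) = T_{mk}(T_u(x)) \bmod p$ on which $KA$ and $sk$ in Section 4.3 rest, and implements the factor-chain evaluation of $T_s(m)$ described above; the prime $p$, the values $x$, $u$, $mk$ and the factorization of $s$ are constructed sample values.

```python
# Added example (not from the paper): Chebyshev polynomials over Z_p, the
# semigroup property used for KA and sk, and the factor-chain evaluation
# of Section 4.4.1. All parameters below are constructed for illustration.

def cheb_recur(n, x, p):
    """T_n(x) mod p by the recurrence T_{k+1} = 2x*T_k - T_{k-1} (n-1 steps)."""
    t_prev, t_cur = 1 % p, x % p          # T_0, T_1
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur

def _matmul(a, b, p):
    """Product of two 2x2 matrices stored as row-major 4-tuples, mod p."""
    return ((a[0] * b[0] + a[1] * b[2]) % p, (a[0] * b[1] + a[1] * b[3]) % p,
            (a[2] * b[0] + a[3] * b[2]) % p, (a[2] * b[1] + a[3] * b[3]) % p)

def cheb_fast(n, x, p):
    """T_n(x) mod p in O(log n) steps via the recurrence matrix
    M = [[2x, -1], [1, 0]], for which M^n * (T_1, T_0)^T = (T_{n+1}, T_n)^T."""
    result = (1, 0, 0, 1)                 # identity matrix
    base = ((2 * x) % p, (-1) % p, 1, 0)
    while n:
        if n & 1:
            result = _matmul(result, base, p)
        base = _matmul(base, base, p)
        n >>= 1
    _, _, c, d = result
    return (c * x + d) % p                # second row applied to (T_1, T_0) = (x, 1)

def cheb_factor_chain(factors, m, p):
    """T_s(m) mod p for s = prod s_i**k_i, given factors = [(s_i, k_i), ...].
    By the semigroup property, k_i applications of the low-order map T_{s_i}
    give T_{s_i**k_i}; returns (value, number of map applications)."""
    y, steps = m % p, 0
    for s_i, k_i in factors:
        for _ in range(k_i):
            y = cheb_recur(s_i, y, p)
            steps += 1
    return y, steps

def key_agreement(x, p, u, mk):
    """Both sides derive KA = T_u(T_mk(x)) = T_mk(T_u(x)) mod p from the public
    values T_mk(x) and T_u(x); computing KA from those two values alone, without
    u or mk, is the CMDHP that the paper's anonymity argument relies on."""
    t_mk = cheb_fast(mk, x, p)            # server's long-term public value
    t_u = cheb_fast(u, x, p)              # user's fresh value sent in message 1
    ka_user = cheb_fast(u, t_mk, p)       # user side: needs the secret u
    ka_server = cheb_fast(mk, t_u, p)     # server side: needs the secret mk
    return t_u, ka_user, ka_server

if __name__ == "__main__":
    P, X = 104729, 12345                  # constructed sample parameters
    t_u, ka_u, ka_s = key_agreement(X, P, u=7919, mk=104723)
    assert ka_u == ka_s == cheb_fast(7919 * 104723, X, P)
    value, steps = cheb_factor_chain([(2, 3), (3, 2)], X, P)   # s = 2^3 * 3^2 = 72
    assert value == cheb_recur(72, X, P) and steps == 5
    print("KA agreed:", ka_u, "| T_72(x) via", steps, "low-order map applications")
```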

4.4.2. Comparison

In this section, we compare the security and the computational cost of the proposed scheme with recently published schemes. In WBANs applications, the resource constraints of low-cost devices must be given priority alongside security and privacy. The sensors used for medical services are limited in storage space, computation power and battery lifetime. First, we define some computational parameters as follows: $H$ denotes the time for a hash operation; $S$ denotes the time for a symmetric encryption/decryption operation; $T$ denotes the time for a Chebyshev polynomial computation. As shown in Table 2, compared with the other chaotic maps-based authentication schemes, the proposed scheme satisfies the desirable security attributes of authentication and overcomes the weaknesses of the existing schemes. The number of Chebyshev chaotic map operations used in our scheme equals that in [20], but our scheme does not need symmetric en/decryption operations. Moreover, the proposed scheme needs one more Chebyshev polynomial operation than that in [21], but it better guarantees authentication on both communication sides. In addition, the proposed scheme supports session key verification and efficient password change, whereas the schemes [18-21] do not provide an efficient password change phase and the schemes [18-21,40] lack session key verification.


Scheme                        Hao et al. [18]   Lee [19]   Jiang et al. [20]   Li et al. [21]   Mishra et al. [40]   Our scheme

Registration phase, user      1H                2H         H                   2H               H                    H

Registration phase, server    1H+1S+1T          2H         1S+1T               3H               2H+1T                1H+1T

Authentication phase, user    3H+2S+2T          7H+2T      2H+1S+3T            8H+2T            5H+1T                4H+3T

Authentication phase, server  2H+3S+2T          8H+2T      1H+2S+3T            9H+2T            5H+1T                4H+3T

Security attribute rows of Table 2 (the per-scheme tick and cross marks did not survive extraction; only the "-" entries remain):

User anonymity

Privileged insider attack

Mutual authentication

Replay attack                 - -

Perfect forward secrecy       - -

Man-in-the-middle attack      -

Smart card stolen attack

Efficient password change phase

Session key verification

Table 3 shows the comparison of computational cost between our proposed scheme and two other schemes in WBANs. We established a simulation hardware environment and evaluated the computation overhead of the scheme. The simulation environment of the AP is Windows 7 OS (a Pentium(R) E5300 2.6 GHz processor and 2 GB RAM). The simulated WBANs client runs on Android OS 5.0 (64-bit processor and 32 GB memory). Table 3 compares the computational cost at the client and at the application provider in the authentication phase among the three related schemes in WBANs. It is clear that the computational overhead of our proposed scheme is lower than that of the other two schemes, both at the WBANs client and at the application provider. In our authentication protocol based on Chebyshev polynomials, the semigroup property of Chebyshev polynomials is used to achieve mutual authentication and to derive the common session key. At the beginning of the authentication, we do not need to establish a public key cryptosystem. In the authentication phase, we save the time for modular exponentiation and scalar multiplication on elliptic curves that the previous protocols involve. Therefore, the calculation load of our scheme is decreased. It is obvious from Table 4 that the proposed scheme not only satisfies the existing security attributes of [26, 27] but also provides efficient password change, so it can meet the desirable security demands of WBANs. Moreover, the proposed scheme has lower computational cost than the previous results [26, 27]. In conclusion, our proposed scheme takes into account not only the security properties but also the computation overhead of the APs and the WBANs client.

Table 2 Comparisons among our scheme and other related chaotic maps-based schemes

: Scheme prevents this attack or satisfies the attribute

: Scheme fails to prevent the attack or does not satisfy the attribute

-: Not mentioned


Table 3 (computational cost in the authentication phase, seconds)

                            Liu et al.'s [26]   Zhao et al.'s [27]   Our scheme

Client (s)                  ≈0.18619            ≈0.09201             ≈0.06853

Application provider (s)    ≈0.03983            ≈0.03829             ≈0.03623

Table 4 (security attributes; the per-scheme tick and cross marks did not survive extraction, only the "-" entries remain)

Security attribute          Liu et al.'s [26]   Zhao et al.'s [27]   Our scheme

User anonymity

Privileged insider attack   -

Mutual authentication

Replay attack               -

Perfect forward secrecy     -

Man-in-the-middle attack    -

Smart card stolen attack    -

Efficient password change phase   - -

Session key verification

5. Conclusion

In this paper, we proposed a chaotic maps-based authentication scheme for WBANs. The scheme not only realizes user anonymity but also resists a variety of attacks. Moreover, it makes full use of the semigroup property of Chebyshev polynomials to create the session key. In the authentication phase, it reduces the computation time by eliminating modular exponentiation and scalar multiplication on elliptic curves. In addition, it does not require a public key cryptosystem to be created in advance. We presented the security model for our scheme, verified the validity of the protocol, demonstrated its security properties, analyzed the key implementation point of the Chebyshev polynomial, and compared the computation overhead of the related schemes. Through the above analysis, we think the proposed scheme is more suitable for WBANs.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this

paper.

Table 3 A comparison of computational cost of different schemes in WBANs

Table 4 Security attributes comparison with some recently proposed schemes in WBANs

: Scheme prevents this attack or satisfies the attribute

: Scheme fails to prevent the attack or does not satisfy the attribute

- : Not mentioned

References

[1] T.G. Zimmerman, “Personal area networks: near-field intrabody communication”, IBM System Journal, vol. 35, no. 3-4, pp. 609–617, 1996.

[2] Y. Tian, Y. Peng, X. Peng, and H. Li, “An Attribute-Based Encryption Scheme with Revocation for Fine-Grained Access Control in Wireless Body Area Networks”, International Journal of Distributed Sensor Networks, Volume 2014, Article ID713541.

[3] M.A. Ameen, J. Liu, and K. Kwak, “Security and privacy issues in wireless sensor networks for healthcare applications”, Journal of Medical Systems, vol.36, no. 1, pp. 93–101, 2012.

[4] L. Lamport, “Password authentication with insecure communication”, Communications of the ACM, vol. 24, pp. 770–772, November 1981.

[5] M. Sandirigama, A. Shimizu, and M.T. Noda, “Simple and secure password authentication protocol (SAS)”, IEICE Transactions on Communications, vol. 83, no. 6, pp. 1363–1365, 2000.

[6] N. Haller, “The S/KEY one-time password system”, in Proceedings of the Internet Society Symposium on Network and Distributed System Security, pp. 151–158, 1994.

[7] T.H. Chen and W.B. Lee, “A new method for using hash function to solve remote user authentication”, Computers and Electrical Engineering, vol. 34, no. 1, pp. 53–62, 2008.

[8] G. Jaspher, W. Kathrine, E. Kirubakaran, and P. Prakash, “Smart card based remote user authentication schemes: A survey”, in Proceedings of the 3rd International Conference on Computing Communication & Networking Technologies (ICCCNT’11), pp. 1–5, IEEE, 2012.

[9] R. Madhusudhan and R.C. Mittal, “Dynamic ID-based remote user password authentication schemes using smart cards: A review”, Journal of Network and Computer Applications, vol. 35, No. 4, pp. 1235–1248, 2012.

[10] C.G. Ma, D. Wang, and S. Zhao, “Security flaws in two improved remote user authentication schemes using smart cards”, International Journal of Communication Systems, vol. 27, pp.2215-2227, 2014.

[11] D. Xiao, X. Liao, and S. Deng, “A novel key agreement protocol based on chaotic maps”, Information Sciences, vol. 177, no. 1, pp. 1136-1142, 2007.

[12] J. C. Mason and D. C. Handscomb, “Chebyshev polynomials”, Chapman & Hall/CRC, Boca Raton, 2003.

[13] P. Bergamo, P. D’Arco, A. Santis, and L. Kocarev, “Security of public-key cryptosystems based on Chebyshev polynomials”, Circuits and Systems I: Regular Papers, vol. 52, no.7, pp. 1382–1393, IEEE, 2005.

[14] H. Tseng, R. Jan, and W. Yang, “A chaotic maps-based key agreement protocol that preserves user anonymity”, In Proceedings of the IEEE International Conference on Communications (ICC’09), pp.1–6, 2009.

[15] Y.J. Niu and X.Y. Wang, “An anonymous key agreement protocol based on chaotic maps”, Communications in Nonlinear Science and Numerical Simulation, vol. 16, no. 4, pp.1986–1992, 2011.

[16] K.P. Xue and P.L. Hong, “Security improvement on an anonymous key agreement protocol based on chaotic maps”, Communications in Nonlinear Science and Numerical Simulation, vol. 17, no. 7, pp. 2969-2977, 2011.

[17] C. Guo and C.C. Chang, “Chaotic Maps-Based Password-Authenticated Key Agreement Using Smart Cards”, Communications in Nonlinear Science and Numerical Simulation, vol. 18, no. 6, pp. 1433-1440, 2013.

[18] X. Hao, J. Wang, Q. Yang, X. Yan, and P. Li, “A Chaotic Map-Based Authentication Scheme for Telecare Medicine Information Systems”, Journal of Medical Systems, vol. 37, no. 2, pp. 1–7, 2013.

[19] T.F. Lee, “An Efficient Chaotic Map-Based Authentication and Key Agreement Scheme Using Smartcards for Telecare Medicine Information Systems”, Journal of Medical Systems, vol. 37, no. 6, pp. 1–9, 2013.

[20] Q. Jiang, J. Ma, X. Lu, and Y. Tian, “Robust Chaotic Map-Based Authentication and Key Agreement Scheme with Strong Anonymity for Telecare Medicine Information Systems”, Journal of Medical Systems, vol. 38, no. 12, pp. 1–12, 2014.

[21] C.T. Li, C.C. Lee, and C.Y. Weng, “A Secure Chaotic Maps and Smart Cards Based Password Authentication and Key Agreement Scheme with User Anonymity for Telecare Medicine Information Systems”, Journal of Medical Systems, vol. 38, no. 77, pp. 1–11, 2014.

[22] X. Wang and J. Zhao, “An improved key agreement protocol based on chaos”, Communications in Nonlinear Science and Numerical Simulation, Vol. 15, no. 12, pp. 4052–4057, 2010.

[23] R.L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public key cryptosystems”, Communications of the ACM, vol. 21, no.2, pp.120–126, 1978.

[24] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms”, IEEE Transactions on Information Theory, vol.31, no.4, pp.469–472, 1985.

[25] J. Liu, Z. Zhang, X. Chen, and K. Kwak, “An Efficient Certificateless Remote Anonymous Authentication Scheme for Wireless Body Area Networks”, in proceedings of IEEE international conference on Communications (ICC’12), pp.3404-3408, 2012.

[26] J. Liu, Z. Zhang, X. Chen, and K. Kwak, “Certificateless remote anonymous authentication schemes for wireless body sensor networks”, IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 332–342, 2014.

[27] Zh. Zhao, “An Efficient Anonymous Authentication Scheme for Wireless Body Area Networks Using Elliptic Curve Cryptosystem”, Journal of Medical Systems, vol. 38, no. 13, pp. 1–7, 2014.

[28] C.C. Lee, C.W. Hsu, Y.M. Lai, and A. Vasilakos, “An Enhanced Mobile-Healthcare Emergency System Based on Extended Chaotic Maps”, Journal of Medical Systems, vol. 37, no. 5, pp. 1–12, 2013.

[29] S. Han and E. Chang, “Chaotic map based key agreement with/out clock synchronization”, Chaos, Solitons & Fractals, vol. 39, no. 3, pp. 1283–1289, 2009.

[30] C.C. Lee, C.L. Chen, C.Y. Wu, and S.Y. Huang, “An extended chaotic maps-based key agreement protocol with user anonymity”, Nonlinear Dynamics, vol. 69, no. 1–2, pp. 79–87, 2012.


[31] D. He, Y. Chen, and J. Chen, “Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol”, Nonlinear Dynamics, vol. 69, no.3, pp.1149–1157, 2012.

[32] L. Zhang, “Cryptanalysis of the public key encryption based on multiple chaotic systems”, Chaos, Solitons & Fractals, vol. 37, no. 3, pp. 669–674, 2008.

[33] C.C. Lee and C.W. Hsu, “A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps”, Nonlinear Dynamics, vol. 71, no.1-2, pp. 201–211, 2013.

[34] M. Abdalla, D. Pointcheval, “Interactive Diffie-Hellman assumptions with applications to password-based authentication”, In: Proceedings of FC’05, LNCS 3570, pp 341–356, 2005.

[35] H. Zhu and X. Hao, “A provable authenticated key agreement protocol with privacy protection using smart card based on chaotic maps”, Nonlinear Dynamics, vol. 81, no.1-2, pp. 311–321, 2015.

[36] S.K. Hafizul, “Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps”, Nonlinear Dynamics, vol. 78, no.3, pp. 2261–2276, 2014.

[37] M. Burrows, M. Abadi, and R.M. Needham, “A logic of authentication”, Proceedings of the Royal society of London A-Mathematical and Physical Sciences, 1989(426), 233-271.

[38] J. Wessels, “Application of BAN-logic”, CMG Public Sector B.V., 2001. Available at http://www.win.tue.nl/ipa/archive/springdays2001/banwessels.pdf, access date: 2015/12/11.

[39] D. Mishra, J. Srinivas, and S. Mukhopadhyay, “A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems”, Journal of Medical Systems, vol. 38, no. 10, pp. 1–12, 2014.

[40] L. Kocarev, J. Makraduli, and P. Amato, “Public-key encryption based on Chebyshev polynomials”, Circuits systems signal processing, vol. 24, No.5, 2005, pp.497-517.