Wireless Pers Commun DOI 10.1007/s11277-014-2118-z

Evaluating Three Party Authentication and Key Agreement Protocols Using IP Multimedia Server–Client Systems B. D. Deebak · R. Muthaiah · K. Thenmozhi · P. Swaminathan

© Springer Science+Business Media New York 2014

Abstract
Since the technologies of the Internet and wireless communication have grown tremendously, people now routinely use security-sensitive wireless devices for Internet services such as voice calls, instant messaging, online games, electronic banking and electronic trading. Over the past few decades, session-key sharing has been the established strategy for two-party and three-party authentication, and several authentication and key agreement (AKA) protocols have been developed; very few of them, however, are dedicated to the IP multimedia domain. In the literature, the 3-PAKE schemes of Xie et al., Xiong et al., Tallapally, Hsieh et al. and Tseng et al. have been studied thoroughly to identify their security weaknesses. The security properties these schemes fail to provide include user anonymity, known-key security, mutual authentication and (perfect) forward secrecy, and they cannot withstand attacks such as modification, key-compromise impersonation, parallel-session and privileged-insider attacks. This paper therefore presents a novel three-party authentication and key agreement protocol based on the computational Diffie–Hellman problem which not only fulfils the security properties of AKA but also resists most of the potential attacks. Since the proposed 3-PAKE scheme has low computational overhead, it is able to curtail the hop-by-hop security associations defined by the Third Generation Partnership Project standard. Above all, a real-time multimedia server and client system has been designed and implemented to analyse the average end-to-end delay. The results show that the proposed 3-PAKE scheme offers better service extensibility than the other 3-PAKE schemes, since it requires the minimum number of message rounds to establish a service connection.

B. D. Deebak (corresponding author) · R. Muthaiah · P. Swaminathan, School of Computing, SASTRA University, Thanjavur 613401, TN, India. e-mail: [email protected] (B. D. Deebak); [email protected] (R. Muthaiah); [email protected] (P. Swaminathan)
K. Thenmozhi, School of Electrical and Electronics, SASTRA University, Thanjavur 613401, TN, India. e-mail: [email protected]

Keywords Internet · Wireless communication · Authentication and key agreement protocol · Key compromise-impersonation · User anonymity · Third generation partnership project

1 Introduction
Lately, three-party authenticated key agreement (3-PAKA) protocols have attracted Internet research aimed at acquiring online services over a public network. Several Internet-based applications have been developed to access such services, including online banking, pay-per-view IP TV, electronic voting, online shopping and payment orders [1–5], as information and communication technologies have been revolutionized by the IT industry. Computers and mobile communication systems are now in everyday use, although the Internet infrastructure offers no inherent security. Security is therefore a major challenge whenever a remote user wishes to access an authentic server over an insecure public network. Several 3-PAKA protocols have been proposed for secure communication between users and a server, and they are widely used on the Internet. In general, the system collects data from every individual user, extracts the user's feature set from the acquired data and later compares that feature set with the template stored in the system database. A 3-PAKA scheme therefore provides the following important guarantees:

1. The system data are not supposed to be lost or left behind.
2. The system data are not easy to copy and share.
3. The system data are not easy to forge, tamper with or distribute.
4. The system data are not easy to guess.
5. The system data are not easy to break.

Thus, an authentication system based on 3-PAKA is believed to be more robust, efficient and secure than a traditional authentication system. In a 3-PAKA scheme, two or more communicating parties are allowed to share a common session key, which is widely used to encrypt data transmitted over an insecure network. To derive the shared session key, each communicating party contributes some information, such as a private/public key pair. Diffie and Hellman [6] proposed the first key agreement protocol; however, the protocol provides no authentication of the communicating parties, so it is vulnerable to many attacks, such as man-in-the-middle, replay, key impersonation, modification and identity (ID) theft. Authentication and key agreement (AKA) protocols were therefore proposed to authenticate the communicating parties, and they are now an attractive research topic for practical implementation. Remote user authentication is usually ensured by certificates issued under a public key infrastructure (PKI). In 1984, the concept of identity-based cryptosystems [7] was introduced as an alternative to certificate-based PKI. In this concept a user's identity, such as a Social Security Number (SSN), serves to compute the public key, whereas the user's private key is computed by a trusted authority. An identity-based authenticated key agreement protocol is an application of identity-based cryptosystems. Generally, key agreement (KA) protocols involve a number of communicating parties (usually two or more) and a trusted authority referred to as the Key Generation Center (KGC).

Bellovin and Merritt [8] introduced the first two-party password authenticated key exchange (2-PAKE) scheme, in which two communicating parties, such as Alice and Bob, who share a password in advance establish a common session key over an insecure public channel; this scheme, however, is impractical for large-scale communication systems. Suppose a system has $n$ users and every pair of users exchanges a session key using the scheme of Bellovin and Merritt: then $n(n-1)/2$ passwords must be shared and stored securely in the database on the server. Several three-party password authenticated key exchange (3-PAKE) schemes [9–12] have improved on the Bellovin and Merritt scheme; in them a trusted server $TS$ cooperates with the communicating parties to share a session key, which makes them well suited to large-scale environments. Ding and Horster [13] and Sun et al. [14] proved that the scheme of Steiner et al. [12] is susceptible to an undetectable online password guessing attack, in which the adversary stays undetected on the network and tests password guesses by logging in to the authentic server while online data transmission is in progress. Lin et al. [15] showed that the scheme of Steiner et al. [12] suffers not only from undetectable online password guessing but also from offline password guessing, in which the adversary tests candidate passwords offline against recorded traffic until the right one is found. Moreover, the schemes of Sun et al. [14] and Lin et al. [15] use a public key cryptosystem on the server side, and hence are able to prevent both undetectable online and offline password guessing attacks. Yeh and Sun [16] considered the Kerberos communication system for distributed computing environments, whereas Lin et al. [17] extended 3-PAKE with a new version, since heuristic analysis does not guarantee complete security against all potential attacks; the new version of Lin et al.'s scheme is proven secure under an intractability assumption. Wen et al. [18] proposed a 3-PAKE scheme based on the Diffie–Hellman assumption [19]; although it was analysed thoroughly in a formal security model, it was shown to be insecure by Nam et al. [20]. Chien and Wu [21] proposed a 3-PAKE scheme based on a public key cryptosystem, but it requires four rounds to establish a common session key. Lee et al. [22] proposed a round-efficient version of 3-PAKE that minimises the number of message exchanges and thus has less computational overhead than the other related 3-PAKE schemes.

This paper therefore focuses on a three-party authentication and key agreement (3-PAKA) protocol for server–client systems of the IP Multimedia Subsystem (IMS). It has three communicating parties, namely Alice, Bob and the Server, together with a KGC, and the proposed 3-PAKE scheme is based on the computational Diffie–Hellman problem, which is also used to encrypt and decrypt the data that users and server transmit over the network. The main purpose of this paper is to offer mutual authentication between users and server, and to provide user anonymity so that the identities of the users remain protected.
Eventually, the performance analysis shows that the proposed 3-PAKE scheme reasonably mitigates computation and communication overheads while resisting most of the potential attacks. The remaining sections of this paper are organized as follows. Section 2 discusses the related work and the security properties of AKA protocols. Section 3 reviews the protocol versions of Xie et al. [33], Xiong et al. [36], Tallapally [40], Hsieh et al. [41] and Tseng [42]. Section 4 presents a novel 3-PAKE scheme based on the computational Diffie–Hellman problem that fulfils the security properties of AKA protocols and resists most of the possible attacks. Section 5 demonstrates the real-time multimedia system analysis of average end-to-end delay. Section 6 draws the conclusion of the paper.

2 Related Works
Lu and Cao [23] proposed an efficient 3-PAKE scheme, but it was found to be vulnerable to attacks such as offline password guessing and man-in-the-middle [24–29]. Huang [30] presented another version of 3-PAKE in which the server holds no public key; Yoon and Yoo [31], however, proved that Huang's scheme is susceptible to undetectable online and offline password guessing attacks. Lou and Huang [32] devised a new version of 3-PAKE that works in an elliptic-curve group; it is applicable to resource-constrained devices such as cellular phones and smart card systems and is resilient to most password guessing attacks. Xie et al. [33] showed that several existing 3-PAKE schemes [23–32] are vulnerable to offline password guessing and partition attacks, and presented a new 3-PAKE scheme to overcome these issues; the scheme of Xie et al. is itself susceptible to the key-compromise impersonation attack. Chang et al. [34] proposed an efficient 3-PAKE scheme that uses neither a server public key nor a symmetric cryptosystem, but Wu et al. [35] found that it is insecure against password guessing. Recently, Xiong et al. [36] proved that the scheme of Wu et al. is susceptible to the key-compromise impersonation (KCI) attack.
Xiong et al. therefore proposed an extended 3-PAKE scheme that uses the server's public key, and demonstrated the necessity of KCI resilience in 3-PAKE. To address the security issues of Chang et al.'s scheme, Tso [37] proposed an enhanced 3-PAKE scheme that uses neither a server public key nor a symmetric cryptosystem. Chien [38] introduced another efficient verifier-based 3-PAKE scheme that likewise needs neither a server public key nor a symmetric cryptosystem; although it claimed resilience to various attacks such as replay, redirection, masquerade and key impersonation, Pu et al. [39] showed that Chien's scheme is susceptible to the (open-door) partition attack and proposed a verifier-based 3-PAKE scheme that again needs neither a server public key nor a symmetric cryptosystem. Tallapally [40] proved that the scheme of Huang [30] is susceptible to the unknown key-share attack and presented an improved 3-PAKE scheme without a server public key. Nevertheless, the schemes of Xie et al. [33], Xiong et al. [36] and Tallapally [40] are susceptible to various attacks such as modification, Denning–Sacco, identity theft, key impersonation [41,42], parallel-session and privileged-insider attacks. Therefore, this paper proposes a more secure and efficient 3-PAKE scheme to overcome the security barriers of the existing authentication schemes.

2.1 Related Security Properties of 3-PAKE
To achieve secure communication between the communicating parties, a 3-PAKE protocol should fulfil the following security requirements:
Mutual Authentication: Each party must be able to verify the identity of the other parties, so that the secret session key is shared only among the authenticated users/clients and the server.
Session-Key Security: An adversary or anonymous user cannot deduce the session key without knowledge of the users'/clients' secret keys.
No Online (Guessing) Attack: An adversary cannot confirm a guess at a user's/client's secret key by interacting with the server, so guesses cannot be verified online.
Known-Key Security: The compromise of a previous session key does not allow the adversary to infer any other session key.
No Intruder-in-the-Middle Attack: Since the 3-PAKE scheme tightly binds the secret session key to the authenticated communicating parties, an intruder cannot intercept the secure communication to modify or replace messages without detection.
No Replay Attack: An adversary who records previous protocol messages cannot reuse them to betray the secure communication of the authentic clients, without the server having to store previous messages in its database.
Forward (Perfect) Secrecy: Even if the adversary obtains the long-term secret keys, the secrecy of previously established session keys is not affected.
Key-Compromise Impersonation (Resilience): Even if the long-term secret key of one communicating party is disclosed, the adversary cannot use it to impersonate another party to that communicating party as a legal user.
Unknown-Key Share (Security): Each legal entity is assured, to the best of its knowledge, that the session key is not shared with any third party.
(No) Key Control: No client or entity can predict or preselect the session key before the secure communication is established.

3 Reviews of 3-PAKE Protocols
This section briefly reviews the 3-PAKE schemes of Xie et al. [33], Xiong et al. [36], Tallapally [40], Hsieh et al. [41] and Tseng [42].

3.1 Review of Xie et al. [33]
The trustworthy server $TS$ selects a large prime $q$, an elliptic curve $E(F_q)$ defined over the finite field $F_q$, a cyclic group $G$ of points on $E(F_q)$, a generator $P$ of $G$ and a secure hash function $H(\cdot): \{0,1\}^* \to G$. $TS$ chooses a random number $rd$ as its long-term secret key and computes the corresponding public key $E = rd \cdot P$. Let $sk_A$ and $sk_B$ be the secret keys (passwords) shared between user $A$, respectively user $B$, and $TS$. The scheme of Xie et al. executes the following steps:
Step 1 User $A$ selects a random integer $T_A$ and computes $q_A = T_A P$, $f_A = T_A E$ and $z_A = q_A \oplus H(sk_A, A, B)$. Then $A$ sends the request message $\{A, z_A, f_A\}$ to user $B$.
Step 2 After receiving $\{A, z_A, f_A\}$ from $A$, user $B$ selects a random integer $T_B$ and computes $q_B = T_B P$, $f_B = T_B E$ and $z_B = q_B \oplus H(sk_B, A, B)$. Then $B$ sends $\{A, z_A, f_A, B, z_B, f_B\}$ to $TS$.
Step 3 After receiving $\{A, z_A, f_A, B, z_B, f_B\}$ from $B$, $TS$ recovers $q_A = z_A \oplus H(sk_A, A, B)$ and $q_B = z_B \oplus H(sk_B, A, B)$ and computes $f'_A = rd \cdot q_A$ and $f'_B = rd \cdot q_B$. $TS$ then verifies whether $f'_A = f_A$ and $f'_B = f_B$ hold. If either check fails, $TS$ terminates the session; otherwise, $TS$ selects a random integer $r_{TS}$ and computes $r_A = r_{TS} q_B \oplus H(sk_A, B, A)$ (intended for $A$) and $r_B = r_{TS} q_A \oplus H(sk_B, B, A)$ (intended for $B$). Finally, $TS$ sends $\{r_A, r_B\}$ to user $B$.
Step 4 After receiving $\{r_A, r_B\}$ from $TS$, user $B$ computes $sk_1 = r_B \oplus H(sk_B, B, A) = r_{TS} q_A$, $sk = T_B \cdot sk_1$ and $s_B = H(sk, B)$, and sends $\{r_A, s_B\}$ to user $A$.
Step 5 After receiving $\{r_A, s_B\}$ from $B$, user $A$ computes $sk_2 = r_A \oplus H(sk_A, B, A) = r_{TS} q_B$ and $sk = T_A \cdot sk_2$, verifies that $s_B = H(sk, B)$ holds, computes $s_A = H(sk, A)$ and sends $\{s_A\}$ to user $B$.
Step 6 After receiving $\{s_A\}$, user $B$ verifies whether $s_A = H(sk, A)$ holds. If it fails, $B$ terminates the session; otherwise users $A$ and $B$ share the common session key $sk = T_A T_B r_{TS} P$.

3.1.1 Cryptanalysis of Xie et al.
Although the scheme of Xie et al. resists various attacks, it is still susceptible to offline password guessing and key-compromise impersonation. The detailed analysis of both attacks follows.
Offline (Password) Guessing Attack Since users prefer easy-to-remember passwords, password-based schemes are prone to offline guessing. As classified by Ding and Horster [43], detectable online password guessing, undetectable online password guessing and offline password guessing are all used to infer the secret key/password of a user/client; offline guessing is the most dangerous of the three because the adversary needs no further interaction with the server once a message has been recorded. Although Xie et al. claimed that their scheme withstands offline password guessing, the following cryptanalysis shows that it does not. Let the curve $E(F_q)$ be $y^2 = x^3 + ax + b$ with $a, b \in F_q$ and $4a^3 + 27b^2 \neq 0 \pmod q$. The attack proceeds as follows:
Step 1 The adversary intercepts the request message $\{A, z_A, f_A\}$ sent by $A$, where $q_A = T_A P$, $f_A = T_A E$ and $z_A = q_A \oplus H(sk_A, A, B)$.
Step 2 The adversary selects a candidate secret key $sk'_A$ from a dictionary $DC$ and computes $q'_A = z_A \oplus H(sk'_A, A, B)$.
Step 3 The adversary checks whether $q'_A = (x', y')$ is a point on $E(F_q)$, i.e. whether $y'^2 = x'^3 + ax' + b \pmod q$ holds. If it holds, $sk'_A$ is the correct secret key, since a wrong guess unmasks to a point on the curve only with negligible probability; otherwise the adversary repeats Steps 2 and 3 until the secret key is found.
Key-Compromise Impersonation Attack Since 3-PAKE is a key exchange protocol, it ought to fulfil all the key security properties of AKA protocols, such as (perfect) forward secrecy, resilience to key-compromise impersonation, resilience to unknown key-share and no key control. The scheme of Xie et al. satisfies all of these except resilience to key-compromise impersonation. In 3-PAKE, resilience to key-compromise impersonation means that an adversary who has obtained one party's secret key cannot impersonate another legal party to it. Assume that the adversary has obtained the secret key $sk_A$ of the legal user $A$; then the adversary can impersonate $B$ (and $TS$) to $A$ without any involvement of $B$ or $TS$. The attack is executed in the four steps listed next.
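As an added, runnable illustration of the offline guessing attack of Section 3.1.1 (this is example code written for this page, not code from Xie et al. or from the present paper): the script builds a toy 31-bit curve, masks Alice's point $q_A$ exactly as in Step 1, and then lets an adversary who holds only $z_A$ test a dictionary by checking which candidate unmasks to a point on the curve. Everything the text leaves open is an assumption of the demo: $H$ is modelled as SHA-256 truncated to the width of a point encoding, $\oplus$ acts on the byte encoding $x \| y$ of the point, and the curve parameters, identities, ephemeral scalar and dictionary are constructed.

```python
import hashlib

# Toy curve y^2 = x^3 + A*x + B over F_Q (constructed for this demo, not from the paper).
# Q = 2^31 - 1 is prime and Q ≡ 3 (mod 4), so a square root is pow(v, (Q+1)//4, Q).
Q = 2**31 - 1
A_COEF, B_COEF = 2, 3
COORD_BYTES = 4  # a coordinate in [0, Q) fits in 4 bytes


def on_curve(pt):
    """True iff pt = (x, y) is a finite point of E(F_Q)."""
    if pt is None:
        return False
    x, y = pt
    if not (0 <= x < Q and 0 <= y < Q):
        return False
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % Q == 0


def ec_add(p1, p2):
    """Affine point addition; None plays the role of the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def base_point():
    """Generator P: the first x for which x^3 + A*x + B is a quadratic residue."""
    for x in range(1, Q):
        v = (x * x * x + A_COEF * x + B_COEF) % Q
        if pow(v, (Q - 1) // 2, Q) == 1:
            return (x, pow(v, (Q + 1) // 4, Q))
    raise ValueError("no point found")


def encode(pt):
    """Fixed-width byte encoding x || y; this is what the XOR mask acts on (assumption)."""
    return pt[0].to_bytes(COORD_BYTES, "big") + pt[1].to_bytes(COORD_BYTES, "big")


def decode(buf):
    return (int.from_bytes(buf[:COORD_BYTES], "big"),
            int.from_bytes(buf[COORD_BYTES:], "big"))


def mask(sk, ida, idb):
    """H(sk_A, A, B), modelled as SHA-256 truncated to the width of a point encoding."""
    return hashlib.sha256(b"|".join([sk, ida, idb])).digest()[: 2 * COORD_BYTES]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def alice_step1(sk_a, ida, idb, t_a, P):
    """Step 1 of Xie et al.: z_A = q_A XOR H(sk_A, A, B) with q_A = T_A * P."""
    return xor(encode(ec_mul(t_a, P)), mask(sk_a, ida, idb))


def offline_guess(z_a, ida, idb, dictionary):
    """Steps 2-3 of the attack: keep every candidate whose unmasked q'_A lies on the curve."""
    return [cand for cand in dictionary
            if on_curve(decode(xor(z_a, mask(cand, ida, idb))))]


def demo():
    """Run the attack on one constructed request and return the surviving candidates."""
    P = base_point()
    ida, idb, real_sk = b"Alice", b"Bob", b"wireless2014"
    t_a = 0x1234567  # Alice's ephemeral scalar, fixed so the run is reproducible
    while ec_mul(t_a, P) is None:  # guard against the (practically impossible) T_A * P = O
        t_a += 1
    z_a = alice_step1(real_sk, ida, idb, t_a, P)
    # Constructed dictionary: 300 decoys, the real password, and one more decoy.
    dictionary = [b"password%d" % i for i in range(300)] + [real_sk, b"letmein"]
    return offline_guess(z_a, ida, idb, dictionary)


if __name__ == "__main__":
    print(demo())
```

With a 31-bit field a wrong candidate passes the on-curve test with probability of roughly $2^{-33}$ (both coordinates must fall below $q$ and then satisfy the curve equation), so a single intercepted request suffices to isolate the password; the same counting argument applies to any realistic curve size, which is why the adversary never needs to contact $TS$.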
Step 1 $A$ selects a random integer $T_A$, computes $q_A = T_A P$, $f_A = T_A E$ and $z_A = q_A \oplus H(sk_A, A, B)$, and sends the request message $\{A, z_A, f_A\}$ to $B$.
Step 2 The adversary intercepts $\{A, z_A, f_A\}$ and, knowing $sk_A$, computes $q_A = z_A \oplus H(sk_A, A, B)$.
Step 3 The adversary selects two random integers $T'_B$ and $T'_{TS}$, computes $q'_B = T'_B P$, $sk_1 = T'_{TS} q_A$, $sk = T'_B \cdot sk_1$, $r'_A = T'_{TS} q'_B \oplus H(sk_A, B, A)$ and $s'_B = H(sk, B)$, and sends the response message $\{r'_A, s'_B\}$ to $A$ in $B$'s name.
Step 4 After receiving $\{r'_A, s'_B\}$, $A$ computes $sk_2 = r'_A \oplus H(sk_A, B, A) = T'_{TS} q'_B$ and $sk = T_A \cdot sk_2 = T_A T'_B T'_{TS} P$, and verifies whether $s'_B = H(sk, B)$ holds. The check succeeds, since the adversary computed the same $sk$, so $A$ accepts the adversary as the legal user $B$ although neither $B$ nor $TS$ took part. Thus, the scheme of Xie et al. is vulnerable to the key-compromise impersonation attack.

3.2 Review of Xiong et al. [36]
The scheme of Xiong et al. was proposed to overcome the KCI weakness. Let $PK$ be the Server's public key, let $\{M\}_{PK}$ denote the message $M$ encrypted with $PK$ under a public-key encryption scheme, and let $[M]_k$ denote $M$ encrypted with a shared key $k$ under a symmetric encryption scheme. Alice and Bob share the passwords $sk_{Alice}$ and $sk_{Bob}$ with the Server, $g$ generates a subgroup of order $q$ in $\mathbb{Z}_p^*$, and all exponentiations are reduced modulo $p$. The scheme of Xiong et al. executes the following steps.
Step 1 Alice → Server: $ID_A, ID_B$. Alice sends the identities $ID_A$ and $ID_B$ to the Server as the initial login request.
Step 2 Server → Alice: $[R_{s1}]_{sk_{Alice}}, [R_{s2}]_{sk_{Bob}}$. Upon receiving $ID_A, ID_B$ from Alice, the Server selects two random exponents $e_{s1}, e_{s2} \in \mathbb{Z}_q$ and computes $R_{s1} = g^{e_{s1}} \bmod p$ and $R_{s2} = g^{e_{s2}} \bmod p$. According to $ID_A$ and $ID_B$ it looks up $sk_{Alice}$ and $sk_{Bob}$, computes $[R_{s1}]_{sk_{Alice}}$ and $[R_{s2}]_{sk_{Bob}}$, and sends both to Alice.
Step 3 Alice → Bob: $ID_A, \{r_A, H(R_{AS1}, R_{s1}, sk_{Alice}, ID_A, ID_B)\}_{PK}, [R_{s2}]_{sk_{Bob}}$. Upon receiving the Server's response, Alice recovers $R_{s1}$ by decrypting $[R_{s1}]_{sk_{Alice}}$, selects a random exponent $e_A \in \mathbb{Z}_q$ and computes $r_A = g^{e_A} \bmod p$, $R_{AS1} = R_{s1}^{e_A} \bmod p$ and the hash value $H(R_{AS1}, R_{s1}, sk_{Alice}, ID_A, ID_B)$. She encrypts $\{r_A, H(R_{AS1}, R_{s1}, sk_{Alice}, ID_A, ID_B)\}$ under the Server's public key $PK$ and sends the ciphertext, together with $ID_A$ and the forwarded $[R_{s2}]_{sk_{Bob}}$, to Bob.
Step 4 Bob → Server: $\{r_A, H(R_{AS1}, R_{s1}, sk_{Alice}, ID_A, ID_B)\}_{PK}, \{r_B, H(R_{BS2}, R_{s2}, sk_{Bob}, ID_A, ID_B)\}_{PK}$. Upon receiving Alice's message, Bob recovers $R_{s2}$ by decrypting $[R_{s2}]_{sk_{Bob}}$, selects a random exponent $e_B \in \mathbb{Z}_q$ and computes $r_B = g^{e_B} \bmod p$, $R_{BS2} = R_{s2}^{e_B} \bmod p$ and the hash value $H(R_{BS2}, R_{s2}, sk_{Bob}, ID_A, ID_B)$. He encrypts $\{r_B, H(R_{BS2}, R_{s2}, sk_{Bob}, ID_A, ID_B)\}$ under $PK$ and sends both ciphertexts to the Server.
Step 5 Server → Alice: $[r_A]_{R_{BS2}}, [r_B]_{R_{AS1}}, H(sk_{Alice}, R_{AS1}, r_B), H(sk_{Bob}, R_{BS2}, r_A)$. Upon receiving Bob's message, the Server decrypts both ciphertexts with its private key. To authenticate Alice, it computes $R_{AS1} = r_A^{e_{s1}} \bmod p$ (which equals Alice's $R_{s1}^{e_A}$) and checks that the recomputed $H(R_{AS1}, R_{s1}, sk_{Alice}, ID_A, ID_B)$ matches the received value; to authenticate Bob, it computes $R_{BS2} = r_B^{e_{s2}} \bmod p$ and checks $H(R_{BS2}, R_{s2}, sk_{Bob}, ID_A, ID_B)$ likewise. If both match, the Server computes the hash values $H(sk_{Alice}, R_{AS1}, r_B)$ and $H(sk_{Bob}, R_{BS2}, r_A)$ and the symmetric encryptions $[r_A]_{R_{BS2}}$ and $[r_B]_{R_{AS1}}$, and sends all four values to Alice.
Step 6 Alice → Bob: $H(sk_{Bob}, R_{BS2}, r_A), H(K_{Alice}, r_B), [r_A]_{R_{BS2}}$. Upon receiving the Server's response, Alice decrypts $[r_B]_{R_{AS1}}$ with the $R_{AS1}$ she computed in Step 3, recomputes $H(sk_{Alice}, R_{AS1}, r_B)$ from it and the received $r_B$, and authenticates the Server by comparing this value with the received $H(sk_{Alice}, R_{AS1}, r_B)$. If they are equal, Alice computes $K_{Alice} = r_B^{e_A} \bmod p$ and the confirmation value $H(K_{Alice}, r_B)$, and sends $H(sk_{Bob}, R_{BS2}, r_A)$, $H(K_{Alice}, r_B)$ and $[r_A]_{R_{BS2}}$ to Bob.
Step 7 Bob → Alice: $H(K_{Bob}, r_A)$. Upon receiving Alice's message, Bob decrypts $[r_A]_{R_{BS2}}$ with the $R_{BS2}$ he computed in Step 4, recomputes $H(sk_{Bob}, R_{BS2}, r_A)$ and authenticates the Server by comparing it with the received $H(sk_{Bob}, R_{BS2}, r_A)$. If they are equal, Bob computes $K_{Bob} = r_A^{e_B} \bmod p$ (which equals $K_{Alice}$) and checks the received $H(K_{Alice}, r_B)$ against $H(K_{Bob}, r_B)$; if they match, Bob is assured that Alice is able to compute the session key $SK = H(g^{e_A e_B} \bmod p, r_A, r_B, ID_A, ID_B)$. Eventually, Bob sends $H(K_{Bob}, r_A)$ to Alice, who checks it against $H(K_{Alice}, r_A)$ and derives the same $SK$.

3.2.1 Cryptanalysis of Xiong et al.
The scheme of Xiong et al. is vulnerable to replay and man-in-the-middle attacks, and it cannot guarantee secure session-key sharing. A concise security analysis of the scheme follows.
Replay Attack (Authentication and Key Agreement Phases) In the AKA phase, the adversary can intercept the login request $ID_A, ID_B$ sent from Alice to the Server, and later send the same (or a modified) login request to the Server again in order to impersonate a legal user. Since the scheme keeps no record of the current session in the Server's database, the adversary exploits this weakness to mount the replay attack successfully between Alice and the Server. Thus, the scheme is susceptible to the replay attack.
Man-in-the-Middle Attack: (Authentication and Key Agreement Phases) In the phase of authenticate and key agreement, the Adversary (A) may launch the attack of man-in-themiddle to modify the content of data transmission of the legal users. Since it cannot modify the identity of the client/user, the Adversary (A) exploits such weakness to the launch of man-in-the-middle attack successfully. Session-Key  Impairments Since Alice and Bob H(S K Bob , R S2Bob , r A ), H(S K Alice , r B ), [r A ] R S2Bob cannot be determined the secure session-key S K = H (g E B E A mod p, r B , r A , ID A , ID B ), it is so difficult to Ser ver to establish a secure communication channel. Thus, the users/client cannot compute a valid session-key to establish a secure communication channel on the networks. 3.3 Review of Tallapally’s [40] In addition, this section reviews the details analysis of Tallapally’s 3-PAKE scheme. The execution steps are devised as follows: Step 1 Alice randomly selects a random integer number a, r A ∈ Z q∗ , and then determine the values f S (r A ) and R A = (g a ) ⊕ H (r A , Sk A , Alice, Bob). Then, Alice sends requestmessage (Alice, R A , f S (r A )) to Ser ver . Similarly, Bob randomly selects a random integer number b, rb ∈ Z q∗ , and then determine the values f S (r B ) and R B = (g b ) ⊕ H (r B , Sk B , Alice, Bob). Then, Alice sends requestmessage (Bob, R B , f S (r B )) to Ser ver . Step 2 After receiving the request messages, such as (Alice, R A , f S (r A )) and (Bob, R B , f S (r B )), Ser ver initially extracts the parameter details r A and r B from f S (r A ) and f S (r B ), then obtains g a = R A ⊕ H (r A , S K A , Alice, Bob) and g b = R B ⊕ H (r B , SKB , Alice, Bob). Ser ver randomly selects an integer z ∈ R Z q∗ to compute x = g az and y = g bz . Eventually, Ser ver computes Z A = y ⊕ H (r A , S K A , g a ) and Z B = x ⊕ H (r B , SKB , g b ); and then it sends the parameter Z A and Z B to Alice and Bob respectively. 
Step 3 After receiving the response message of Z A from the Ser ver, Alice computes y = Z A ⊕ H (r A , S K A , g a ) and the shared-session key k = y a = g abz . Then, she determines S A = H (k, Alice) and sends it to Bob. Meanwhile, After receiving the response message of Z B from the Ser ver, Bob computes y = Z B ⊕ H (r B , SKB , g b ) and the shared-session key k = y b = g abz . Then, she determines S B = H (k, Bob) and sends it to Alice. Step 4 Eventually, Alice and Bob check S A = H (k, Alice) = S B = H (k, Bob) to authenticate each other. 3.3.1 Cryptanalysis of Tallapally The scheme of Tallapally is susceptible to the potential attacks, such as undetectable online (password) guessing and offline (password) guessing. Following is a concise security analysis of the Tallapally scheme. Attack of Undetectable Online (Password) Guessing The execution scenario of the attack is as follows,

123

B. D. Deebak et al.

Step 1 Bob → Ser ver :(Alice, r A , f S (R A )), Bob, r B , f S (R B )) Assume that, Eve is a malicious client intercepting between Ser ver and Alice. Without Alice’s knowledge, Eve randomly selects R A , R B ∈ Z q∗ and x ∈ Z ∗p to guess a secret-key S K A . It is used to determine f S (R A ), f(R B ), r A = x ⊕ H (R A , S K A , Alice, Bob) and r B =  , Alice, Bob). Eventually, Eve sends (Alice, r  , f (R  )), Bob, r , f (R )) x⊕H (R B , SKB B S B A S A to Ser ver . Step 2 Ser ver → Alice:Z A and Ser ver → Bob:Z B After receiving the login-request messages, such as (Alice, r A , f S (R A )) and (Bob, r B , f S (R B )), Ser ver initially extracts the information,namely R A and R B to obtain x  = r A ⊕ H (R A , S K A , Alice, Bob) and x = r B ⊕ H (R B , SKB , Alice, Bob). Then, Ser ver selects a random-integer z ∈ Z q∗ to determine A = x z and B = x z . Finally, Ser ver determines Z A = B ⊕ H (R A , S K A , x  ) and Z B = A ⊕ H (R B , S K A , x); later on, it sends Z A and Z B to the clients, namely, Alice and Bob. Step 3 After receiving Z B and Z A interception, Eve acquires A = r B ⊕ H (R B , SKB , x) and B = r ⊕ H (R A , S K A , x). Later on, verify whether A == B or not; if it holds, then Eve asserts that the secret-key S K A which is guessed; is valid to become A = B = x z . Step 4 Otherwise, Eve repeatedly executes the above Step (1)–Step (3) to deduce a valid secret session-key. Attack of Offline (Password) Guessing The execution scenario of the attack is as follows, Step 1 Assume that, Eve is a malicious client intercepting between Ser ver and Alice. Without Alice’s knowledge, Eve randomly selects R A , R B ∈ Z q∗ and x ∈ Z ∗p to determine f S (R A ), f(R B ), r A = x and r B = 1 ⊕ H (R B , SKB , Alice, Bob). Finally, Eve sends (Alice, r A , f S (R A )) and (Bob, r B , f S (R B )) to Ser ver . 
Step 2 Server → Alice: $Z_A$ and Server → Bob: $Z_B$

After receiving the login-request messages $(\text{Alice}, r_A, f_S(R_A))$ and $(\text{Bob}, r_B, f_S(R_B))$, the Server first recovers $R_A$ and $R_B$ and obtains $x' = r_A \oplus H(R_A, SK_A, \text{Alice}, \text{Bob})$ and $y = r_B \oplus H(R_B, SK_B, \text{Alice}, \text{Bob})$. Since $r_B \oplus H(R_B, SK_B, \text{Alice}, \text{Bob}) = (1 \oplus H(R_B, SK_B, \text{Alice}, \text{Bob})) \oplus H(R_B, SK_B, \text{Alice}, \text{Bob}) = 1$, $y$ equals one. The Server then chooses a random integer $z \in Z_q^*$ and computes $A = x'^{\,z}$ and $B = y^z = 1$. Eventually, the Server computes $Z_A = B \oplus H(R_A, SK_A, x') = 1 \oplus H(R_A, SK_A, x')$ and $Z_B = A \oplus H(R_B, SK_B, y)$, and sends $Z_A$, $Z_B$ to Alice and Bob.

Step 3 Having intercepted $Z_A$, Eve guesses a secret key $SK_A^*$ and verifies whether $Z_A = 1 \oplus H(R_A, SK_A^*, x \oplus H(R_A, SK_A^*, \text{Alice}, \text{Bob}))$. If the equation holds, Eve concludes that the guessed $SK_A^*$ is the valid one.

Step 4 If not, Eve chooses another candidate $SK_A^*$ and repeats Step 3. No further interaction with the Server is needed: a single intercepted $Z_A$, with $R_A$ and $x$ chosen by Eve, suffices to test every candidate key offline.

3.4 Review of Hsieh et al. [41]

The authentication protocol of Hsieh et al. is fundamentally grounded on Saeednia's authentication protocol [6]. In addition, the computational cost of Hsieh et al. is reduced by one modular multiplication and one exponentiation to improve its efficiency.

Startup System In this phase, the Key Generation Center (KGC) chooses a prime integer $p$, a primitive root $G \in Z_p^*$, a one-way function $h$ and a random integer $X_s \in Z_{p-1}^*$, and computes $Y_s = G^{X_s} \bmod p$. Thereafter, the parameters $\{G, h, p, Y_s\}$ are made public, whereas $X_s$ is kept secret.

Extraction of Private Key In this phase, the KGC computes, for each user $i$ with identity $ID_i$ and a chosen random number $k_i \in Z_p^*$, the public key $U_i = G^{k_i} \bmod p$ and the private key $V_i = I_i k_i + X_s U_i \bmod (p-1)$, where $I_i = h(ID_i)$.

Agreement of Key All operations are computed modulo $p$.

Step 1 Alice selects a random number $R_a \in Z_p$, computes $T_a = G^{R_a}$ and sends the parameters $\{U_a, T_a, ID_a\}$ to Bob. Likewise, Bob selects a random number $R_b \in Z_p$, computes $T_b = G^{R_b}$ and sends $\{U_b, T_b, ID_b\}$ to Alice.

Step 2 Alice computes $I_b = h(ID_b)$ and $X_a = (U_b^{I_b} \cdot Y_s^{U_b})^{V_a} = (G^{k_b I_b} \cdot G^{X_s U_b})^{V_a} = G^{V_a V_b}$, and then the key $K_{ab} = X_a \cdot T_b^{R_a}$. Likewise, Bob computes $I_a = h(ID_a)$ and $X_b = (U_a^{I_a} \cdot Y_s^{U_a})^{V_b} = (G^{k_a I_a} \cdot G^{X_s U_a})^{V_b} = G^{V_a V_b}$, and the key $K_{ba} = X_b \cdot T_a^{R_b}$. After the computation, the shared secret key is $K = G^{V_a V_b + R_a R_b}$.

3.5 Review of Tseng et al. [42]

In 2007, Tseng et al. proposed an identity-based authenticated key agreement protocol whose startup system is the same as that of Hsieh et al., while the extraction of private keys and the key agreement are modified.

Extraction of Private Keys For a legal user $i$ with identity $ID_i$, the KGC chooses a random number $K_i \in Z_p^*$ and computes the public key $U_i = G^{K_i}$ and the private key $V_i = K_i + X_s H(ID_i, U_i)$.

Agreement of Key All operations are computed modulo $p$.

Step 1 Alice selects a random number $R_a \in Z_p$ and computes $T_a = G^{R_a}$; with her private key $V_a$ she computes $W_a = R_a + V_a T_a$ and sends $\{ID_a, T_a, U_a\}$ to Bob. Likewise, Bob selects a random number $R_b \in Z_p$, computes $T_b = G^{R_b}$ and $W_b = R_b + V_b T_b$, and sends $\{ID_b, T_b, U_b\}$ to Alice.

Step 2 Alice computes $X_a = U_b \cdot Y_s^{H(ID_b, U_b)} = G^{V_b}$ and the session key $K_{ab} = (T_b \cdot X_a^{T_b})^{W_a} = (G^{R_b + V_b T_b})^{W_a} = G^{W_a W_b}$. Likewise, Bob computes $X_b = U_a \cdot Y_s^{H(ID_a, U_a)} = G^{V_a}$ and the session key $K_{ba} = (T_a \cdot X_b^{T_a})^{W_b} = (G^{R_a + V_a T_a})^{W_b} = G^{W_a W_b}$. After the computation, Alice and Bob share the common secret key $K = G^{W_a W_b}$ to secure their communication over public networks.
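The offline password-guessing attack of Sect. 3.3.1 against Tallapally's scheme, worked through in Python as an added example (this is not code from the paper or from Tallapally). It assumes a toy safe-prime group ($p = 1019$, $q = 509$, generator 4), models $H$ as SHA-256 over the concatenated fields so that it can be XORed onto integers, models $f_S$ as an opaque wrapper that only the server opens, and, as the construction of $r_B$ requires, gives Eve Bob's secret key $SK_B$. Function and variable names are ours; the dictionary and keys are constructed test data.

```python
"""Toy model of Tallapally's 3-party exchange (Sect. 3.3) and the offline
password-guessing attack of Sect. 3.3.1, added here as an illustration.
Assumptions: safe prime P = 1019 (Q = 509, generator G = 4 of the order-Q
subgroup), H() = SHA-256 over '|'-joined fields, f_S() = an opaque wrapper
that only the server opens (stands in for public-key encryption).
"""
import hashlib
import secrets

P, Q, G = 1019, 509, 4          # toy safe-prime group, far too small for real use
ALICE, BOB = "Alice", "Bob"


def H(*parts) -> int:
    """One-way hash H(...) as a 256-bit integer, so it can be XORed onto values."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def f_S(R: int):
    """Stand-in for encryption of R under the server's public key."""
    return ("f_S", R)


def server_round(SK: dict, msg_a, msg_b):
    """Server step: unmask the clients' values with their secret keys, raise
    both to a fresh z, and mask each result for the other party."""
    (ida, r_a, c_a), (idb, r_b, c_b) = msg_a, msg_b
    R_a, R_b = c_a[1], c_b[1]                        # server decrypts f_S(R)
    x = r_a ^ H(R_a, SK[ida], ida, idb)              # honest Alice: x = g^a
    y = r_b ^ H(R_b, SK[idb], ida, idb)              # honest Bob:   y = g^b
    z = secrets.randbelow(Q - 1) + 1
    A, B = pow(x, z, P), pow(y, z, P)
    Z_a = B ^ H(R_a, SK[ida], x)
    Z_b = A ^ H(R_b, SK[idb], y)
    return Z_a, Z_b


def honest_run(SK: dict) -> bool:
    """Steps 1-3 with honest Alice and Bob; True if both derive g^{abz}."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    x, y = pow(G, a, P), pow(G, b, P)
    R_a, R_b = secrets.randbits(64), secrets.randbits(64)
    msg_a = (ALICE, x ^ H(R_a, SK[ALICE], ALICE, BOB), f_S(R_a))
    msg_b = (BOB, y ^ H(R_b, SK[BOB], ALICE, BOB), f_S(R_b))
    Z_a, Z_b = server_round(SK, msg_a, msg_b)
    k_alice = pow(Z_a ^ H(R_a, SK[ALICE], x), a, P)   # (g^{bz})^a
    k_bob = pow(Z_b ^ H(R_b, SK[BOB], y), b, P)       # (g^{az})^b
    return k_alice == k_bob


def offline_guess(SK: dict, dictionary, eve_key_for_bob: str):
    """Offline attack: Eve (holding Bob's key) sends r_A = x unmasked and
    r_B = 1 xor H(R_B, SK_B, ...), forcing y = 1 and hence B = 1.  One captured
    Z_A then lets her test every candidate SK_A without touching the server."""
    R_a, R_b, x = 12345, 67890, pow(G, 7, P)         # all chosen by Eve
    msg_a = (ALICE, x, f_S(R_a))
    msg_b = (BOB, 1 ^ H(R_b, eve_key_for_bob, ALICE, BOB), f_S(R_b))
    Z_a, _ = server_round(SK, msg_a, msg_b)          # the only online step
    for guess in dictionary:                         # everything below is offline
        x_prime = x ^ H(R_a, guess, ALICE, BOB)      # what the server computed as x'
        if Z_a == 1 ^ H(R_a, guess, x_prime):
            return guess
    return None


if __name__ == "__main__":
    keys = {ALICE: "winter2014", BOB: "bob-secret"}  # constructed test data
    print("honest run agrees:", honest_run(keys))
    print("recovered SK_A:", offline_guess(keys, ["123456", "password", "winter2014"], keys[BOB]))
```

The test `Z_A == 1 ⊕ H(R_A, SK_A^*, x ⊕ H(R_A, SK_A^*, Alice, Bob))` involves only values Eve chose herself plus the one captured $Z_A$, which is why the guessing loop needs no further Server interaction and cannot be rate-limited or detected by it.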

3.5.1 Cryptanalysis of Hsieh et al. and Tseng et al.

In 2007, Tseng et al. showed that the scheme of Hsieh et al. is vulnerable to a key-compromise impersonation attack. Assume that an adversary $\mathcal{A}$ has learnt Alice's long-term private key $V_a$ and has also obtained the parameters $T_b$, $U_b$ and $I_b$ by eavesdropping on the communication between Alice and Bob. The adversary can then impersonate a legal user and derive the shared session key, because the value that binds the peer's identity into the key is computable from the compromised key alone: $X_b = (U_a^{I_a} Y_s^{U_a})^{V_b} \bmod p = G^{V_a V_b} = G^{V_b V_a} = (U_b^{I_b} Y_s^{U_b})^{V_a}$. Thus the adversary determines $X_a = (U_b^{I_b} Y_s^{U_b})^{V_a}$ without any knowledge of $V_b$ and can complete a run with Alice in Bob's name; the scheme is therefore susceptible to key-compromise impersonation. Although the Tseng et al. scheme fulfils the general security properties of known-key security, (perfect) forward secrecy, key-compromise impersonation resilience and unknown key-share, it offers no resilience against denial of service (DoS), modification, password (guessing) and similar attacks.

4 Proposed Three-Party Authentication Key Agreement Protocol

In this section, we define the cryptosystem primitives and some notation. The primitives are the computational Diffie–Hellman assumption and a one-way hash function, as follows.

Assumption 1 (Computational Diffie–Hellman (CD–H)) Let $p$ be a large prime such that the discrete-logarithm problem in $Z_p^*$ is hard. Let $G \subseteq Z_p^*$ be a large cyclic group of prime order $q$ with generator $g$, where $p = 2q + 1$. Let $\wp$ be a $(t, \varepsilon)$-CD–H adversary that is given the challenge $\psi = \{G^{R_a}, G^{R_b}, G^{V_a}, G^{V_b}\}$ and runs in polynomial time $t$, and let $\varepsilon$ be the probability that $\wp$ outputs an element $Z \in G$ such that $Z = G^{(R_a + V_a)(R_b + V_b)}$. The CD–H assumption is $(t, \varepsilon)$-intractable if $\varepsilon$ is negligible.

Assumption 2 (One-way hash function) $H: \{0, 1\}^* \to \{0, 1\}^l$ is a one-way cryptographic hash function that maps a string of arbitrary length to a string of length $l$. $H$ is assumed to be a secure hash function for all users.

The important notations used in this paper are listed in Table 1.
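The Hsieh et al. key agreement of Sect. 3.4 and the key-compromise impersonation just described, worked through in Python as an added example (this is not code from the paper or from Hsieh et al.). It assumes a toy modulus $p = 1019$ with primitive root $G = 2$ (far too small for real use) and models $h$ as SHA-256 reduced modulo $p-1$; function names and the identity strings are ours.

```python
"""Hsieh et al. ID-based key agreement (Sect. 3.4) and the key-compromise
impersonation attack of Sect. 3.5.1, as an added illustration.
Assumptions: toy modulus P = 1019 (primitive root G = 2), h() = SHA-256 mod (P-1).
"""
import hashlib
import secrets

P = 1019   # toy prime; a real deployment needs a 2048-bit-class modulus
G = 2      # primitive root of Z_P^* (2^509 = -1 mod 1019, so its order is P-1)


def h(data: str) -> int:
    """One-way function h: identity string -> integer in Z_{P-1}."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % (P - 1)


def kgc_setup():
    """KGC chooses secret X_s and publishes Y_s = G^X_s mod p."""
    X_s = secrets.randbelow(P - 2) + 1
    return X_s, pow(G, X_s, P)


def extract(X_s: int, ID: str):
    """KGC: U_i = G^k_i mod p (public), V_i = I_i*k_i + X_s*U_i mod (p-1) (private)."""
    k_i = secrets.randbelow(P - 1) + 1
    U_i = pow(G, k_i, P)
    V_i = (h(ID) * k_i + X_s * U_i) % (P - 1)
    return {"ID": ID, "U": U_i}, V_i


def peer_value(Y_s: int, peer_pub: dict) -> int:
    """U_j^{I_j} * Y_s^{U_j} = G^{I_j k_j + X_s U_j} = G^{V_j}: G^{V_j} from public data only."""
    I_j = h(peer_pub["ID"])
    return pow(peer_pub["U"], I_j, P) * pow(Y_s, peer_pub["U"], P) % P


def agree(Y_s: int, my_priv: int, my_R: int, peer_pub: dict, peer_T: int) -> int:
    """Step 2: K = (G^{V_j})^{V_i} * T_j^{R_i} = G^{V_i V_j + R_i R_j} mod p."""
    X = pow(peer_value(Y_s, peer_pub), my_priv, P)
    return X * pow(peer_T, my_R, P) % P


def honest_session(Y_s, alice_pub, alice_priv, bob_pub, bob_priv) -> bool:
    """Both parties follow Steps 1-2 and must arrive at the same key."""
    R_a, R_b = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    T_a, T_b = pow(G, R_a, P), pow(G, R_b, P)
    K_ab = agree(Y_s, alice_priv, R_a, bob_pub, T_b)
    K_ba = agree(Y_s, bob_priv, R_b, alice_pub, T_a)
    return K_ab == K_ba


def kci_attack(Y_s, alice_pub, alice_priv_leaked, bob_pub) -> bool:
    """Adversary knows Alice's V_a (leaked) and only Bob's public {U_b, ID_b}.
    She replays Bob's public data with her own T_e and still matches Alice's key."""
    R_a = secrets.randbelow(P - 1) + 1
    T_a = pow(G, R_a, P)                       # Alice's Step 1 value, seen on the wire
    R_e = secrets.randbelow(P - 1) + 1
    T_e = pow(G, R_e, P)                       # adversary's own ephemeral value
    K_alice = agree(Y_s, alice_priv_leaked, R_a, bob_pub, T_e)   # Alice thinks peer is Bob
    G_VaVb = pow(peer_value(Y_s, bob_pub), alice_priv_leaked, P)  # no V_b needed
    K_adv = G_VaVb * pow(T_a, R_e, P) % P
    return K_alice == K_adv


def demo():
    X_s, Y_s = kgc_setup()
    alice_pub, alice_priv = extract(X_s, "alice@ims.example")   # constructed identities
    bob_pub, bob_priv = extract(X_s, "bob@ims.example")
    return (honest_session(Y_s, alice_pub, alice_priv, bob_pub, bob_priv),
            kci_attack(Y_s, alice_pub, alice_priv, bob_pub))


if __name__ == "__main__":
    print("honest parties agree, KCI succeeds:", demo())
```

`peer_value` is the crux: because $U_b^{I_b} Y_s^{U_b}$ equals $G^{V_b}$ and is built entirely from published values, anyone holding $V_a$ can produce $G^{V_a V_b}$, and the only other factor of the key, $G^{R_a R_e}$, is under the adversary's control once she chooses $R_e$.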

Table 1 Important notations

Notation                                                              Description
KA                                                                    Key agreement protocol
μ                                                                     Adversary
Alice, Bob and Server                                                 Communication parties
p                                                                     Prime integer
G ⊆ Z_p^*                                                             Primitive root
H()                                                                   One-way hash function
X_s, Y_s, a, b, R_a, R_b, V_a, V_b, I_a, I_b, t_a, t_b, I_i           Random integers
G                                                                     Base generator
U_i                                                                   User public key
V_i                                                                   User private key
K_i                                                                   Random number
SK                                                                    Session key between Alice and Bob
ID_a, ID_b                                                            Identities of clients A and B
Pub_key                                                               Public key of server
lg_user                                                               Legal user
ID_leguser                                                            Identity of legal user i
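A worked derivation, added here and not part of the original paper, of how the CD–H challenge of Assumption 1 relates to the session key $S_k = G^{(R_a + V_a)(R_b + V_b)} \bmod p$ that Sect. 4.1 arrives at. It assumes that each party holds only its own exponents ($R_a, V_a$ for Alice, $R_b, V_b$ for Bob) and sees the other party's $G^{R}$ and $G^{V}$ values; all arithmetic is modulo $p$.

\[
S_k^{(A)} = \left(G^{R_b}\cdot G^{V_b}\right)^{R_a + V_a} = G^{(R_b + V_b)(R_a + V_a)}, \qquad
S_k^{(B)} = \left(G^{R_a}\cdot G^{V_a}\right)^{R_b + V_b} = G^{(R_a + V_a)(R_b + V_b)},
\]

so $S_k^{(A)} = S_k^{(B)}$ because the exponent product commutes. An outsider who holds only $\psi = \{G^{R_a}, G^{R_b}, G^{V_a}, G^{V_b}\}$ can form $Y = G^{R_a} G^{V_a} = G^{R_a + V_a}$ and $W = G^{R_b} G^{V_b} = G^{R_b + V_b}$, but then needs

\[
Z = G^{(R_a + V_a)(R_b + V_b)} = \mathrm{CDH}(Y, W),
\]

which is exactly the $(t, \varepsilon)$ instance of Assumption 1; a negligible $\varepsilon$ is what denies the outsider $S_k$. Note that with the private-key extraction of Sect. 3.4 (and of Sect. 4.1, which uses the same formula) the factor $G^{V_b}$ is itself publicly computable, since $U_b^{I_b} Y_s^{U_b} = G^{I_b k_b + X_s U_b} = G^{V_b}$, so the hardness of recovering $S_k$ from $\psi$ rests on the ephemeral $R_a, R_b$ together with the long-term $V_a, V_b$, not on $G^{V_b}$ being hidden.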


The structure of the proposed three-party authentication key agreement protocol (3-PAKA) is explained and illustrated below.

4.1 Proposed Protocol of 3-PAKA

System Set-up In this phase, the key generation center (KGC) chooses a large prime integer $p$, a primitive root $G \in Z_p^*$, a one-way hash function $H()$ and random integers $R_a, R_b \in Z_p^*$, and computes $t_a = G^{R_a} \bmod p$ and $t_b = G^{R_b} \bmod p$. The objective is to reduce the exponentiation cost of the protocol. Figure 1 depicts the proposed 3-PAKE scheme.

Extraction of Private Key For each user, with $I_i = H(ID_i)$, random integers $R_a, R_b \in Z_p^*$ and $V_a, V_b \in Z_q$ are chosen to determine the user's public key $Pub_{key} = G^{K_i} \bmod p$ and private key $V_i = I_i K_i + X_s Pub_{key} \bmod (p-1)$.

(Authenticated) Key Agreement

Step 1 Alice → Server: $\{ID_a, ID_b\}$

Alice sends her identity $ID_a$ together with $ID_b$ to the Server as the initial login request.

Step 2 Server → Alice: $\{t_a \oplus Pub_{key}, t_b \oplus Pub_{key}\}$

Upon receiving the initial login request from Alice, the Server chooses two random integers in $Z_q$ and computes $t_a = G^{R_a} \bmod p$ and $t_b = G^{R_b} \bmod p$. This computation is tied to the identities $ID_a$ and $ID_b$, which determine the corresponding session key $S_k$. The Server then computes $t_a \oplus Pub_{key}$ and $t_b \oplus Pub_{key}$ and sends $\{t_a \oplus Pub_{key}, t_b \oplus Pub_{key}\}$ to Alice.

Step 3 Alice → Bob: $\{ID_a, R_a, H(ID_a, ID_b, G^{R_a})^{t_a}\}_{S_k}$

Upon receiving $\{t_a \oplus Pub_{key}, t_b \oplus Pub_{key}\}$ from the Server, Alice chooses a random integer $R_a \in Z_p^*$, computes $t_a = G^{R_a} \bmod p$ and the hash value $H(t_a, R_a, ID_a, ID_b)$, encrypts the parameters $\{ID_a, R_a, H(ID_a, ID_b, G^{R_a})^{t_a}\}_{S_k}$ using the Server's public key $Pub_{key}$, and sends them to Bob.
Step 4 Bob → Server: $\{R_a, H(t_a, ID_a, ID_b), R_b, H(t_b, ID_b, ID_a), H(S_k, R_a)\}$

Upon receiving the message $\{ID_a, R_a, H(ID_a, ID_b, G^{R_a})^{t_a}\}_{S_k}$ from Alice, Bob chooses the private-key integers $V_a, V_b \in Z_q$ to determine $R_a = G^{V_a} \bmod p$ and $R_b = G^{V_b} \bmod p$. The corresponding hash value is $H(t_b, ID_b, ID_a)$, where $t_b = G^{R_b} \bmod p$. $R_a$ and $R_b$ are computed in order to determine the shared session key $S_k$. Lastly, Bob sends $\{R_a, H(t_a, ID_a, ID_b), R_b, H(t_b, ID_b, ID_a), H(S_k, R_a)\}$ to the Server.

Step 5 Server → Alice: $\{R_b, H(t_b, ID_b, ID_a), R_a, H(t_a, ID_a, ID_b), H(S_k, R_b)\}$

Upon receiving the message $\{R_a, H(t_a, ID_a, ID_b), R_b, H(t_b, ID_b, ID_a), H(S_k, R_a)\}$ from Bob, the Server determines $t_a = G^{R_a} \bmod p$ and the hash value $H(t_b, ID_b, ID_a)$, where $t_b = G^{R_b} \bmod p$. To authenticate Alice, the Server checks the consistency between the freshly computed hash $H(t_b, ID_b, ID_a)$ and the previously received hash $H(t_a, ID_a, ID_b)$. To authenticate Bob, the Server determines $t_b = G^{R_b} \bmod p$ and the hash value $H(t_a, ID_a, ID_b)$, where $t_a = G^{R_a} \bmod p$, and checks the consistency between the freshly computed $H(t_a, ID_a, ID_b)$ and the previously received $H(t_b, ID_b, ID_a)$. If both checks succeed, the Server determines the hash values $H(S_k, R_a)$ and $H(S_k, R_b)$. Lastly, the Server sends $\{R_b, H(t_b, ID_b, ID_a), R_a, H(t_a, ID_a, ID_b), H(S_k, R_b)\}$ to Alice.

Note The two authenticating values $H(t_a, ID_a, ID_b)$ and $H(t_b, ID_b, ID_a)$ confirm that Alice and Bob have agreed on the establishment of the shared session key $S_k$.

Fig. 1 Proposed 3-PAKE scheme

Step 6 Alice → Bob: $\{H(S_k, R_a), H(S_k, R_b)\}$


Upon receiving the message $\{R_b, H(t_b, ID_b, ID_a), R_a, H(t_a, ID_a, ID_b), H(S_k, R_b)\}$ from the Server, Alice determines the hash value $H(S_k, R_a)$, where $R_a = G^{V_a} \bmod p$ with $V_a, V_b \in Z_q$ and $R_a, R_b \in Z_p^*$, and then the hash value $H(S_k, R_b)$, where $R_b = G^{V_b} \bmod p$. Alice then checks the consistency between the freshly computed $H(S_k, R_b)$ and the received $H(S_k, R_a)$. If both values check out, Alice determines the shared session key $S_k = G^{(R_b + V_b)(R_a + V_a)} \bmod p$. Finally, Alice sends $\{H(S_k, R_a), H(S_k, R_b)\}$ to Bob so that he can compute $S_k = G^{(R_a + V_a)(R_b + V_b)} \bmod p$.

On the other side, upon receiving Alice's message, Bob computes the hash value $H(S_k, R_a)$ from $R_a = G^{V_a} \bmod p$ and $S_k = G^{(R_a + V_a)(R_b + V_b)} \bmod p$, where $V_a, V_b \in Z_q$ and $R_a, R_b \in Z_p^*$. Bob then authenticates the Server by checking the consistency between the freshly computed $H(S_k, R_a)$ and the received $H(S_k, R_b)$. If both values check out, Bob computes $S_k = G^{(R_b + V_b)(R_a + V_a)} \bmod p$ and $S_k = G^{(R_a + V_a)(R_b + V_b)} \bmod p$ and verifies that they agree. If $S_k$ is valid, Bob can be sure that Alice has obtained the same valid session key $S_k$.

Through the message transfers of Steps 1–6, Alice and Bob agree, via the Server, on the common session key $S_k = G^{(R_a + V_a)(R_b + V_b)} \bmod p = G^{(R_b + V_b)(R_a + V_a)} \bmod p$. The purpose of $S_k$ is to achieve the security goals discussed next.

4.2 Security Analysis

This section discusses the security properties of the proposed three-party authentication protocol. The analysis is argument-based: each property is supported by reasoning about what an adversary would need to compute rather than by a reduction proof. The properties are as follows.

Resilient to Replay Attack The adversary may launch a replay attack to deceive or impersonate a legitimate user.
Suppose an adversary tries to replay the legitimate client's request $\{ID_a, ID_b\}$ or $\{ID_a, t_a\}$; to succeed, the adversary would have to determine the parameter $t_a$. Since $t_a$ is concealed on the network, the adversary cannot pass a valid request to Bob via the Server. Moreover, to determine $t_a$ the adversary would need the random integer $R_a \in Z_p^*$; since $R_a$ changes from session to session, the adversary cannot predetermine or deduce a valid $R_a$ to form a legal login request. The adversary may also seize the login response in transit to impersonate the legal server. Since the login response $t_a \oplus Pub_{key}$ is generated together with the users' public key, and the adversary has already failed to compute a valid login request, the adversary cannot compute a valid login response and behave as the legal server. Thus, we assert that the proposed scheme is resilient to the replay attack.

Resilient to Man-in-the-Middle Attack The adversary may launch a man-in-the-middle attack to act as a silent interceptor between the intended clients. The protocol's objective is that the clients are legitimately bound to each other so that no adversary can interfere with or prevent their communication; a successful man-in-the-middle attack would defeat this. To be a silent interceptor, the adversary would have to determine or compute $R_a$, $G^{R_a}$, $t_a$ and $S_k$ in order to behave as a legal client. Since these parameters are not closely coupled, the adversary can compute neither $R_a$ nor $S_k$ to recover the legal parameters of the clients $\{ID_a, ID_b\}$. Thus, we assert that the proposed scheme is resilient to the man-in-the-middle attack.

Resilient to Modification Attack Suppose an adversary is able to modify or alter the legal users' message contents and replay them without authorization; the adversary might then succeed in delivering the altered content to any legal client on the network. To be an effective modifier, the adversary must generate a valid login request $\{ID_a, t_a\}$. Since the Server conceals one of the main parameters of $t_a$ (namely $R_a$) on the network, the adversary cannot form a valid login request with which to modify or replay the legal users' message contents. Suppose instead that the adversary tries to modify, alter and replay the login response $\{ID_a, R_a, H(ID_a, ID_b, G^{R_a})^{t_a}\}_{S_k}$ of the opposite client. Since the parameters $R_a$, $G^{R_a}$, $t_a$ and $S_k$ are not closely coupled, and the adversary has already failed to form a valid login request, the adversary cannot frame a valid login response without first computing $t_a$ and $S_k$. Thus, we assert that the proposed scheme is resilient to the modification attack.

Resilient to Denning-Sacco Attack A Denning-Sacco attack uses a compromised old session key to deduce either the users' session key or their public key. Since the random integer $R_a$ varies for every login request/response, the adversary can infer neither the session key nor the public key of the users. Thus, we assert that the proposed scheme is resilient to the Denning-Sacco attack.

Resilient to Identity (ID) Theft Attack An ID theft attack targets the private details of legitimate users. If such details were maintained in the Server's database, the adversary might tamper with them to behave as a legitimate user. Since the information in the login request/response is not stored or maintained in the Server's database, the adversary cannot infer any user credentials with which to behave as a legitimate user. Hence, we assert that the proposed scheme is resilient to the ID theft attack.
Resilient to Offline Dictionary Attack In an offline dictionary attack, the adversary tries to frame a valid login request/response from the combination of all available inputs, possibly by brute force. In the proposed scheme, the legitimate user parameters $R_a$, $G^{R_a}$, $t_a$ and $S_k$ are not closely coupled, so the adversary cannot infer any of them to derive a previous or current session of a legitimate user. Moreover, the parameters are related to each other in such a way that an illegitimate inference would require the adversary to solve a computational Diffie–Hellman problem. Thus, we assert that the proposed scheme is resilient to the offline dictionary attack.

Mutual Authentication Each entity authenticates the other with the same authentication protocol. Since the communicating parties Alice and Bob exchange the same sets of parameters, $\{ID_a, ID_b\}$/$\{ID_b, ID_a\}$ via the Server and $\{ID_a, t_a\}$/$\{ID_b, t_b\}$, each party follows the other to ensure that the shared session key $S_k = G^{(R_a + V_a)(R_b + V_b)} \bmod p = G^{(R_b + V_b)(R_a + V_a)} \bmod p$ is kept out of the sight of anonymous users. Hence, we assert that the proposed scheme offers mutual authentication to legitimate users.

Known-Key Security In this attack, the adversary may reuse some previous session key to determine the users' current session. Even if some previous session keys are made known to the adversary, no useful information can be inferred from them for computing the current and future session keys, since the random integers $R_a$, $R_b$, $V_a$, $V_b$ change for each client session. Hence, we assert that the proposed scheme satisfies known-key security.


Resilient to Key-Impersonation Attack No adversary can impersonate an illegal/malicious server, since the adversary cannot compute and satisfy the session key $S_k = G^{(R_a + V_a)(R_b + V_b)} \bmod p = G^{(R_b + V_b)(R_a + V_a)} \bmod p$ without prior knowledge of $R_a$, $R_b$, $G^{R_a}$, $G^{R_b}$, $t_a$, $t_b$ and $S_k$. Thus, we assert that the proposed scheme is resilient to the key-impersonation attack.

(Perfect) Forward Secrecy Even if the long-term private key is compromised, the secrecy of previous session keys is not affected. In the proposed scheme, none of the key parameters $R_a$, $R_b$, $G^{R_a}$, $G^{R_b}$, $t_a$, $t_b$, $S_k$ can be tampered with to deduce the users' previous session keys $S_k = G^{(R_a + V_a)(R_b + V_b)} \bmod p = G^{(R_b + V_b)(R_a + V_a)} \bmod p$. Thus, we assert that the proposed scheme satisfies (perfect) forward secrecy.

Users' Anonymity Suppose an adversary intercepts the users' login request $\{ID_a, ID_b\}$ to deduce the parameter values $t_a$, $t_b$. Since these are bound to the key parameters $R_a$, $R_b$, the real identity $I_i$ cannot be determined unless the adversary satisfies the key conditions on $Pub_{key}$ and $V_i$. Thus, we assert that the proposed scheme satisfies the key feature of user anonymity.

Resilient to Parallel Session Attack The adversary may try to impersonate a legal user $I_i = H(ID_i)$ without $\{ID_a, ID_b\}$. To do so, the adversary would have to compute the user's public key $Pub_{key} = G^{K_i} \bmod p$ and private key $V_i = I_i K_i + X_s Pub_{key} \bmod (p-1)$. Since the users' public and private keys are concealed on the network, the adversary cannot fabricate a valid login request/response to authenticate $\{ID_a, R_a, H(ID_a, ID_b, G^{R_a})^{t_a}\}_{S_k}$ without prior knowledge of $Pub_{key}$ and $V_i$. Thus, we assert that the proposed scheme is resilient to the parallel-session attack.

Resilient to Privileged-Insider Attack In the proposed scheme, the legal user $I_i$ sends the identity $ID_a$/$ID_b$ securely to the Server.
Upon receiving the real users' request, the Server stores it and computes $t_a = G^{R_a} \bmod p$. The Server then sends the login response $\{ID_a, R_a, H(ID_a, ID_b, G^{R_a})^{t_a}\}_{S_k}$ to the legal users along with the key parameter $S_k$. Thus, we assert that an insider cannot tamper with any credentials of the real users unless the users' keys are disclosed or stolen, and so the scheme is resilient to the privileged-insider attack.

Resilient to Denial of Service (DoS) Attack Bob and Alice each authenticate the Server by checking the consistency between the freshly computed hash value $H(S_k, R_a)$ and the received hash value $H(S_k, R_b)$; only if both values check out is the session key $S_k = G^{(R_b + V_b)(R_a + V_a)} \bmod p = G^{(R_a + V_a)(R_b + V_b)} \bmod p$ computed and verified, so no session key is computed for a request that fails the check. Therefore, we assert that the proposed scheme is resilient to the DoS attack.

4.3 Comparison of Security Properties

Table 2 shows that the proposed protocol, based on computational Diffie–Hellman, not only provides mutual authentication, (perfect) forward secrecy and user anonymity, but also resists the various potential attacks such as modification, DoS, password guessing, replay, man-in-the-middle, dictionary and privileged-insider attacks. Moreover, the proposed 3-PAKE scheme has more robust security features than the other related 3-PAKE schemes [33,36,40–42]. Since the proposed protocol, based on the computational Diffie–Hellman assumption, has fewer transmission rounds, it can mitigate the computational cost considerably in comparison with the other related authentication schemes [33,36,40–42].

Table 2 Comparison of security properties

Security property                              Proposed 3-PAKE   Xie et al. [33]   Xiong et al. [36]   Tallapally [40]   Hsieh et al. [41]   Tseng [42]
Resilient to replay attack                     Yes               Yes               No                  Yes               No                  No
Resilient to man-in-the-middle attack          Yes               No                No                  No                No                  No
Resilient to modification attack               Yes               No                No                  No                No                  No
Resilient to Denning-Sacco attack              Yes               Yes               No                  No                No                  No
Resilient to identity (ID) theft attack        Yes               No                No                  No                No                  No
Resilient to offline dictionary attack         Yes               No                No                  No                No                  No
Mutual authentication                          Yes               No                No                  No                No                  No
Known-key security                             Yes               Yes               No                  Yes               Yes                 Yes
Resilient to key-impersonation attack          Yes               No                No                  No                Yes                 Yes
(Perfect) forward secrecy                      Yes               Yes               No                  Yes               Yes                 Yes
Users' anonymity                               Yes               No                No                  No                No                  No
Resilient to parallel session attack           Yes               No                No                  No                No                  No
Resilient to privileged-insider attack         Yes               No                No                  No                No                  No
Resilient to denial of service (DoS) attack    Yes               No                No                  No                No                  No

The real-time multimedia server and client systems have been deployed on the Linux platform for the analysis of end-to-end delay; the analysis probes the significance of the proposed 3-PAKE scheme against the other related 3-PAKE schemes [33,36,40–42]. The details of the analysis are discussed in Sect. 5.

4.4 Performance Comparison

This section presents the performance comparison of the 3-PAKE schemes: the proposed scheme, Xie et al. [33], Xiong et al. [36], Tallapally [40], Hsieh et al. [41] and Tseng [42]. Table 3 reveals that the proposed 3-PAKE scheme is functionally efficient relative to the other 3-PAKE schemes. Since the proposed 3-PAKE scheme has few message transmission rounds (3 message rounds), it reduces the computational cost of the real-time multimedia systems. Thus, the proposed 3-PAKE scheme not only fulfils the security requirements of an AKA protocol but also improves the computational efficiency of the multimedia systems, and it is comparatively better than the other related 3-PAKE schemes [33,36,40–42].

5 Results and Discussion

A real-time multimedia server [OpenIMSCore: http://www.openimscore.org/] and client [UCTIMS: http://uctimsclient.berlios.de/] have been designed and deployed on the Linux platform [installation procedure: http://www.openimscore.org/?q=installation_guide] for the end-to-end delay analysis. The real-time multimedia server consists of three call session control functions (CSCFs: proxy, serving and interrogating) and one home subscriber server (HSS). Among the CSCFs, the proxy CSCF is the first point of contact for the multimedia terminal; the serving CSCF is the central signalling-plane element that interfaces with the HSS; and the interrogating CSCF routes the Session Initiation Protocol (SIP) messages within the administrative domain. The HSS acts as the master database that handles the service calls of the network entities. In the multimedia server and client systems, the 3-PAKE schemes, namely the proposed protocol, Xie et al. [33], Xiong et al. [36], Tallapally [40], Hsieh et al. [41] and Tseng [42], have been implemented in C++ for client authorization and configured realistically in the systems for the end-to-end delay analysis. To cross-examine the 3-PAKE schemes, a network analyzer [Ntop: http://www.ntop.org/get-started/download/] has been installed on the Linux platform and enabled in the background of the WiFi network for the analysis. In the Multimedia laboratory, a high-end server machine with a 1 TB 5400 RPM SATA HDD, an i5-4440s processor, 8 GB dual-channel DDR3L 1,600 MHz memory and a Wireless 1707 adapter hosts the multimedia servers (proxy, interrogating, serving and HSS). The Multimedia laboratory has been used for the setup of the real-time multimedia systems. In addition, to probe the metrics, the real-time multimedia client UCTIMS has been installed on the 200 available PCs. For the examination, voice call connections have been established between the multimedia client systems via the 3-PAKE schemes.

Table 3 Performance comparison of 3-PAKE schemes

3-PAKE scheme        Modular exponentiation   Modular multiplication   Modular addition   Hash operation   Exclusive OR operation   Message rounds
Proposed protocol    7                        0                        2                  38               2                        3
Xie et al. [33]      0                        8                        0                  0                0                        6
Xiong et al. [36]    8                        0                        0                  33               1                        4
Tallapally [40]      4                        0                        0                  8                6                        4
Hsieh et al. [41]    5                        2                        0                  1                0                        3
Tseng [42]           5                        3                        0                  1                0                        3

Table 4 Important parameters and their values

Parameter                          Value
Server execution                   1 day
Voice codec                        G.729
Data packet discard ratio          0.05 %
Data packet transmission delay     Exponential of 0.05 s
Startup time of client profile     1.5 min
Access type                        IEEE 802.11g
In parallel, the network analyzer is used throughout to inspect the end-to-end delay of the various 3-PAKE schemes [33,36,40–42]. Table 4 lists the important parameters and their values: the execution duration of the server is set to one day; voice call connections are established at random to analyse the average end-to-end delay of the established connections; the voice codec G.729 is configured manually to improve the data transmission rate; the data packet discard ratio is set to 0.05 %; the data packet transmission latency is set to an exponential of 0.05 s; the startup time of the client profile is set to 1.5 min; and the wireless access type of the multimedia client is IEEE 802.11g.

Fig. 2 Average end-to-end delays of voice call sessions (y-axis: average end-to-end delay in seconds, 0.05 to 0.5; x-axis: execution time in minutes, 120 to 1440; series: Xie et al. [33], Xiong et al. [36], Tallapally [40], Hsieh et al. [41], Tseng et al. [42] and the proposed protocol)

Figure 2 shows that the proposed 3-PAKE scheme stabilises the average end-to-end delay at 0.220 s, whereas the average end-to-end delay is 0.260 s for Xie et al., 0.273 s for Xiong et al., 0.289 s for Tallapally, 0.318 s for Hsieh et al. and 0.3 s for Tseng et al. Since the proposed 3-PAKE scheme reduces the number of message rounds, it curtails the end-to-end delay considerably and is comparatively better than the other related authentication schemes [33,36,40–42]. Moreover, the results indicate that the proposed 3-PAKE scheme achieves a more secure key exchange channel, and hence the end-to-end delay of a voice call session via the proposed 3-PAKE scheme covers the complete hop-by-hop security association defined by the Third Generation Partnership Project (3GPP) standard. Thus, the proposed 3-PAKE scheme is well suited to protecting the voice call sessions of real-time multimedia systems.

6 Conclusion

We have proposed a novel 3-PAKE scheme that fulfils the AKA security properties. In addition, the proposed 3-PAKE scheme is resilient to most of the potential attacks, such as modification, key-impersonation, parallel-session, privileged-insider, replay, man-in-the-middle and DoS attacks. For the analysis of average end-to-end delay, real-time multimedia server and client systems, namely OpenIMSCore and UCTIMS, have been deployed on the Linux platform. For the experimental analysis, a best-effort Internet voice call service has been established between the multimedia clients via each 3-PAKE scheme. The network analyzer shows that the proposed 3-PAKE scheme has a lower average end-to-end delay than the other related 3-PAKE schemes, since it minimises the number of message transmission rounds. Moreover, the proposed 3-PAKE scheme can avert the hop-by-hop security association defined by the 3GPP standard, and thus it achieves better service scalability than the other related 3-PAKE schemes.

Acknowledgments The corresponding author would like to thank Tata Consultancy Services (TCS) and SASTRA University for financial support under the Research Scholar Program (RSP) scheme.

References

1. He, D., Chen, Y., & Chen, J. (2012). Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol. Nonlinear Dynamics, 69, 1149–1157.
2. He, D., Chen, J., & Zhang, R. (2012). A more secure authentication scheme for telecare medicine information systems. Journal of Medical Systems, 36(3), 1989–1995.
3. Islam, S. H., & Biswas, G. P. (2011). Improved remote login scheme based on ECC. In Proceedings of the international conference on recent trends in information technology (pp. 1221–1226).
4. Islam, S. H., & Biswas, G. P. (2011). Comments on ID-based client authentication with key agreement protocol on ECC for mobile client–server environment. In Proceedings of the international conference on advances in computing and communications, CCIS, Springer-Verlag, Part II (Vol. 191, pp. 628–635).
5. Islam, S. H., & Biswas, G. P. (2012). An improved ID-based client authentication with key agreement scheme on ECC for mobile client–server environments. Theoretical and Applied Informatics, 24(4), 293–312.
6. Diffie, W., & Hellman, M. E. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), 644–654.
7. Shamir, A. (1985). Identity-based cryptosystems and signature schemes. In Proceedings of the 4th annual international cryptology conference (CRYPTO '84, Springer, USA) (pp. 47–53).
8. Bellovin, S. M., & Merritt, M. (1992). Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of the 1992 IEEE computer society conference on research in security and privacy (pp. 72–84).
9. Gong, L. (1995). Optimal authentication protocols resistant to password guessing attacks. In Proceedings of the 8th IEEE computer security foundations workshop (pp. 24–29).
10. Gong, L., Lomas, M., Needham, R., & Saltzer, J. (1993). Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications, 11(5), 648–656.
11. Kwon, T., Kang, M., Jung, S., & Song, J. (1999). An improvement of the password-based authentication protocol K1P on security against replay attacks. IEICE Transactions on Communications, E82-B(7), 991–997.
12. Steiner, M., Tsudik, G., & Waidner, M. (1995). Refinement and extension of encrypted key exchange. ACM Operating Systems Review, 29(3), 22–30.
13. Ding, Y., & Horster, P. (1995). Undetectable on-line password guessing attacks. ACM Operating Systems Review, 29(3), 22–30.
14. Sun, H. M., Chen, B. C., & Hwang, T. (2005). Secure key agreement protocols for three-party against guessing attacks. The Journal of Systems and Software, 75(1–2), 63–68.
15. Lin, C. L., Sun, H. M., & Hwang, T. (2000). Three-party encrypted key exchange: Attacks and a solution. ACM Operating Systems Review, 34(4), 12–20.
16. Yeh, H. T., & Sun, H. M. (2004). Password-based user authentication and key distribution protocols for client–server applications. The Journal of Systems and Software, 72(1), 97–103.
17. Lin, C. L., Wen, H. A., Hwang, T., & Sun, H. M. (2004). Provably secure three-party password-authenticated key exchange. IEICE Transactions on Fundamentals, E87-A(11), 2990–3000.
18. Wen, H. A., Lee, T. F., & Hwang, T. (2005). Provably secure three-party password-based authenticated key exchange protocol using Weil pairing. IEE Proceedings-Communications, 152(2), 138–143.
19. Joux, A. (2004). One round protocol for tripartite Diffie–Hellman. Journal of Cryptology, 17, 263–276.
20. Nam, J., Lee, Y., Kim, S., & Won, D. (2007). Security weakness in a three-party pairing-based protocol for password authenticated key exchange. Information Sciences, 177(6), 1364–1375.
21. Chien, H. Y., & Wu, T. C. (2009). Provably secure password-based three-party key exchange with optimal message steps. Computer Journal, 52(6), 646–655.
22. Lee, T. F., Liu, J. L., Sung, M. J., Yang, S. B., & Chen, C. M. (2009). Communication-efficient three-party protocols for authentication and key agreement. Computers & Mathematics with Applications, 58(4), 641–648.


B. D. Deebak obtained the degree of B.Tech. (Information Technology) at Anna University, Chennai, India in 2007. He obtained the degree of M.E (Embedded System and Computing) at RTM Nagpur University, Nagpur, India in 2009. Since July 2011, he has been pursuing the degree of Ph.D. (Wireless Multimedia Communication Networking) at SASTRA University, Thanjavur, India. He has had 6 months of experience in the industry sector and 2.5 years of experience in the academic sector.
He worked as a Lecturer for 1.8 years at KITSRANTEK, India and then as an Assistant Professor for 1 year at Sundharsan Engineering College, Pudukottai, India. He has so far published 3 international journal papers and 6 international conference papers. He is an active member of IE. His research interests include Computer Networks, Wireless Networks and Network Security, Multimedia Communication and Protocols.


R. Muthaiah obtained the degree of B.E (Electronic and Instrumentation) at Annamalai University, Chidambaram, India in 1989. He obtained the degree of M.E (Power Electronics and Industrial Drives) at Bharathidasan University, Thiruchirapalli, India in 1996. He then obtained the degree of Ph.D. (Digital Image Compression) at SASTRA University, Thanjavur, India in 2009. He has had 3 years of experience in the industry sector and 21 years of experience in the academic sector. He worked as a Lecturer for 12 years and as an Associate Professor for 2 years at SASTRA University, Thanjavur, India. Since April 2013, he has been working as a Professor at the same University. He has so far published 28 international journal papers and 5 international conference papers. He is a member of IE and AECE. His research interests include Image Processing, VLSI and Speech Recognition.

K. Thenmozhi obtained her Ph.D. degree from SASTRA University in 2008. Currently, she is working as Associate Dean in the School of Electrical and Electronics Engineering at SASTRA University. Her research interests include Networking and Wireless Communication.

P. Swaminathan obtained a Doctorate Degree in Electronics and Communication Engineering. Currently, he is working as Dean of the School of Computing at SASTRA University. His research interests include Embedded Systems, Software Engineering and Expert Systems.
