Abstract

Recently, Lu et al. claimed that Xie et al.’s three-party password-authenticated key agreement (3PAKA) protocol using chaotic maps has three security vulnerabilities: it cannot resist the offline password guessing attack, Bergamo et al.’s attack, or the impersonation attack. They then proposed an improved protocol. However, we demonstrate that Lu et al.’s attacks on Xie et al.’s scheme are unworkable, and that their improved protocol is insecure against the stolen-verifier attack and the offline password guessing attack. Furthermore, we propose a novel scheme with enhanced security and efficiency. We use the formal verification tool ProVerif, which is based on the pi calculus, to prove the security and authentication of our scheme. The efficiency of the proposed scheme is higher than that of other related schemes.

Highlights

  • Nowadays it is very common to use mobile devices to conduct transactions via insecure wireless networks [1,2], so how to design a secure, efficient and convenient 3PAKA scheme has become an urgent issue for researchers to solve

  • Many 3PAKA protocols based on extended chaotic maps, which utilize the semi-group property of the Chebyshev polynomial, have been proposed in recent years

  • Ding and Horster [4] and Lin et al. [5] demonstrated that their scheme is vulnerable to the undetectable online password guessing attack, and Lin et al. [5] further showed that their protocol suffers from the offline password guessing attack


Summary

Introduction

Nowadays it is very common to use mobile devices to conduct transactions via insecure wireless networks [1,2], so how to design a secure, efficient and convenient 3PAKA scheme has become an urgent issue for researchers to solve. Ding and Horster [4] and Lin et al. [5] demonstrated that their scheme is vulnerable to the undetectable online password guessing attack, and Lin et al. [5] further showed that their protocol suffers from the offline password guessing attack. To remedy those weaknesses, they proposed an improved 3PAKA protocol, but the server needs to keep a long-term secret key and the parties have to verify the server’s public key beforehand. Guo et al. [12] and Phan et al. [13] demonstrated that Lu et al.’s scheme is susceptible to the undetectable online dictionary attack, the man-in-the-middle attack, and the unknown key-share attack, respectively. They proposed a scheme with enhanced security, but it requires more computational cost. Our security goals are as follows: 1. User anonymity: The real identity of each user must be protected during the authentication and key agreement stage.

Resistant to man-in-the-middle attack
User registration
Authenticated key agreement
Off line password guessing attack and impersonation attack
System initialization
Off line password guessing attack
Stolen-verifier attack
Password change phase
Security analysis
Formal verification
Informal analysis
Security and computation comparisons
Conclusion