Article

Efficient and Secure Temporal Credential-Based Authenticated Key Agreement Using Extended Chaotic Maps for Wireless Sensor Networks

Department of Medical Informatics, Tzu Chi University, No. 701, Zhongyang Road, Sec. 3, Hualien 97004, Taiwan
Sensors 2015, 15(7), 14960-14980; https://doi.org/10.3390/s150714960
Submission received: 8 April 2015 / Revised: 17 June 2015 / Accepted: 20 June 2015 / Published: 25 June 2015
(This article belongs to the Section Sensor Networks)

Abstract

A secure temporal credential-based authenticated key agreement scheme for Wireless Sensor Networks (WSNs) enables a user, a sensor node and a gateway node to realize mutual authentication using temporal credentials. The user and the sensor node then negotiate a common secret key with the help of the gateway node, and establish a secure and authenticated channel using this common secret key. To increase efficiency, recent temporal credential-based authenticated key agreement schemes for WSNs have been designed to involve few computational operations, such as hash and exclusive-or operations. However, these schemes cannot protect the privacy of users and withstand possible attacks. This work develops a novel temporal credential-based authenticated key agreement scheme for WSNs using extended chaotic maps, in which operations are more efficient than modular exponential computations and scalar multiplications on an elliptic curve. The proposed scheme not only provides higher security and efficiency than related schemes, but also resolves their weaknesses.

1. Introduction

Wireless sensor networks (WSNs) comprise a large number of sensor nodes and are utilized in many environments, such as dangerous areas in which humans must be medically monitored and military environments in which reconnaissance and communication must be carried out. Owing to hardware limitations, sensor nodes in WSNs cannot support heavy computation loads, extensive communication or extensive storage, so developing a lightweight and secure authenticated key agreement scheme is very important for WSNs. Temporal credential-based authenticated key agreements enable communicating entities to authenticate each other and to establish a secure and authenticated channel by confirming their temporal credentials. A temporal credential-based authenticated key agreement scheme for WSNs involves three classes of entity, namely users, sensor nodes and a gateway node (GWN), and has registration, login, authentication and key agreement, and password change phases. In the registration phase, users and sensor nodes register their secret keys with the GWN, which then issues one temporal credential to each user and sensor node for authentication. In the login, authentication and key agreement phases, the user, the sensor node and the GWN authenticate each other using these temporal credentials, and the user and the sensor node negotiate a common secret key with the help of the GWN to establish a secure and authenticated channel in the WSN. Finally, the password change phase enables users to update their passwords for increased security [1,2,3,4,5,6,7,8,9].
Recently, Xue et al. [8] introduced the concept of temporal credentials and developed a lightweight temporal credential-based authenticated key agreement scheme for WSNs. Their scheme has a lower computational burden, lighter communication needs and lower storage requirements than previous approaches, and aims to provide more functionality and higher security [10,11,12,13,14,15,16,17]. Later, Li et al. [9] noted that the scheme of Xue et al. fails to withstand stolen-verifier attacks, password guessing attacks, insider attacks and lost smart card attacks, and proposed an advanced temporal credential-based scheme for WSNs as an alternative. However, in the scheme of Li et al., an adversary can derive users' identities, temporal credentials, the verification values in the GWN's verifier table and the expiration times from the transmitted messages, which allows the adversary to mount impersonation and stolen verifier attacks and to discover the hidden identity of the sender of a request message. Moreover, the adversary can derive all previous session keys of users and sensor nodes, and thus access all transmitted secrets. Accordingly, these temporal credential-based schemes for WSNs fail to resist possible attacks and to protect the privacy of users.

1.1. Our Contributions

This work addresses the weaknesses of the scheme of Li et al. and proposes an efficient and secure temporal credential-based authenticated key agreement scheme for WSNs that uses extended chaotic maps, whose operations are more efficient than modular exponential computations and scalar multiplications on an elliptic curve [18,19,20]. The proposed scheme protects a user's identity with a temporary secret key shared by the user and the gateway node, whose security is based on the extended chaotic map-based Diffie-Hellman problem [21,22,23,24,25,26,27], and reduces the number of parameters concerning each user's identity and password, so that an adversary cannot impersonate any user or communicate with the gateway node or the sensor nodes even after stealing the verifier table and obtaining the user's private information. Additionally, the ephemeral parameters are randomly selected and independent across executions of the scheme, so the adversary cannot derive any previous session key of the user and the sensor node. The proposed scheme avoids the weaknesses of previous schemes and has higher security and lower computational cost.

1.2. Enhanced Chebyshev Polynomial and Extended Chaotic Maps

Recent investigations have demonstrated that cryptosystems that use chaotic map operations are more efficient than those that use modular exponential computations and scalar multiplications on elliptic curves. Additionally, enhanced Chebyshev polynomials also exhibit the semi-group property and the commutative property, and they are subject to the discrete logarithm problem and the Diffie-Hellman problem [21,22,23,24,25,26,27], which are described as follows.

1.2.1. Enhanced Chebyshev Polynomial

The enhanced Chebyshev polynomial Tn(x) is a polynomial in x of degree n, defined by the following recurrence relation:
$$T_0(x) = 1,\qquad T_1(x) = x,\qquad T_n(x) = 2x\,T_{n-1}(x) - T_{n-2}(x) \bmod p \quad \text{for } n \ge 2,$$
where x ∈ (−∞, +∞) and p is a large prime number. The enhanced Chebyshev polynomials satisfy the semi-group property and are commutative under composition, so
Tr(Ts(x)) ≡ Trs(x) ≡ Ts(Tr(x)) mod p
holds.

1.2.2. Extended Chaotic Map-Based Discrete Logarithm Problem

Given x, y and p, it is computationally infeasible to find the integer r satisfying:
y = Tr(x) mod p

1.2.3. Extended Chaotic Map-Based Diffie-Hellman Problem

Given Tu(x), Tv(x), T(.), x and p, where u, v ≥ 2, x∈(−∞, +∞) and p is a large prime number, it is computationally infeasible to calculate:
Tu⋅v(x) ≡ Tu(Tv(x)) ≡ Tv(Tu(x)) mod p

1.3. Organization of the Paper

The rest of this paper is organized as follows: Section 2 reviews the temporal credential-based scheme of Li et al. for WSNs and elucidates its weaknesses. Section 3 presents the proposed efficient and secure temporal credential-based authenticated key agreement scheme for WSNs using extended chaotic maps. Section 4 and Section 5 present the results of the security and performance evaluations of the scheme, respectively. Finally, Section 6 draws conclusions.

2. The Temporal Credential-Based Scheme of Li et al. and Its Weaknesses

This section presents the notation used in this study, briefly reviews the advanced temporal credential-based scheme for wireless sensor networks proposed by Li et al. [9], and finally states its weaknesses.
Assume that Ui denotes the i-th user of WSNs; Sj denotes the j-th sensor node; and GWN denotes the Gateway node in which Ui and Sj are registered. Table 1 lists the notations which are used throughout this paper.
Table 1. Notation.
IDi, PWi: identity and password pair of user Ui
SIDj: pre-configured identity of the sensor node Sj
KGWN_U, KGWN_S: the long-term secret keys known only to GWN
p: a large prime number
TCRi, TCRj: the temporal credential issued by GWN to Ui / Sj
Ei: the expiration time of Ui's temporal credential
t1, t2, …, t6: timestamp values
Δt: the expected time interval for the transmission delay
h(.): a collision-free one-way hash function [28]
A → B: M: A sends message M to B through a common channel
⊕: the exclusive-or (XOR) operation
M1||M2: message M1 concatenated with message M2

2.1. Review of the Temporal Credential-Based Scheme of Li et al.

In 2013, Li et al. [9] proposed an advanced temporal credential-based scheme for WSNs that consists of pre-registration, registration, login, and authentication and key agreement phases, described as follows.

2.1.1. Pre-Registration Phase

Each user Ui has a pair of identity IDprei and password PWprei. GWN stores h(IDprei||PWprei) and IDprei in its storage. Similarly, each sensor node Sj is pre-configured with its identity SIDj and a random number rj and the hash value h(SIDj||rj). Then rj and SIDj are stored on the GWN’s storage.

2.1.2. Registration Phase

(1)
Registration phase for users
Step 1:
Ui → GWN: {IDprei, t1, VIi, CIi, DIi}
Ui selects his/her IDi, password PWi and a random number ri, computes VIi = h(t1||h(IDprei||PWprei)), CIi = h(IDprei||PWprei) ⊕ h(IDi||PWi||ri) and DIi = IDi ⊕ h(IDprei||PWprei), where t1 is the current timestamp, and sends {IDprei, t1, VIi, CIi, DIi} to GWN.
Step 2:
GWN → Ui: {h(Qi), smart card}
GWN checks the validity of t1, retrieves h(IDprei||PWprei) using IDprei, computes VIi* = h(t1||h(IDprei||PWprei)) and checks VIi* =? VIi. GWN then computes Qi = CIi ⊕ h(IDprei||PWprei) = h(IDi||PWi||ri), IDi = DIi ⊕ h(IDprei||PWprei), Pi = h(IDi||Ei), TCRi = h(KGWN_U||Pi||Ei) and PTCi = TCRi ⊕ Qi, and personalizes a smart card for Ui with the parameters {h(.), h(Qi), Ei, PTCi}. GWN maintains a write-protected file in which a status-bit indicates the status of the user: the status-bit is 1 while Ui is logged in to GWN and 0 otherwise. Finally, GWN sends h(Qi) and the smart card to Ui.
Step 3:
Ui authenticates GWN by checking h(h(IDi||PWi||ri)) =? h(Qi) and enters ri into his/her smart card. The smart card then contains {h(.), h(Qi), Ei, PTCi, ri}.
(2)
Registration phase for sensor nodes
Step 1:
Sj → GWN: {SIDj, t2, VIj}
Sj computes VIj = h(t2||h(SIDj||rj)) and sends {SIDj, t2, VIj} to GWN, where t2 is the current timestamp.
Step 2:
GWN → Sj: {t3, Qj, REGj}
GWN checks the validity of t2, retrieves h(SIDj||rj) using SIDj, computes VIj* = h(t2||h(SIDj||rj)) and checks VIj* =? VIj. GWN then computes TCRj = h(KGWN_S||SIDj), Qj = h(t3||h(SIDj||rj)) and REGj = h(h(SIDj||rj)||t3) ⊕ TCRj, and sends {t3, Qj, REGj} to Sj, where t3 is the current system timestamp.
Step 3:
Sj checks the validity of t3 and h(t3||h(SIDj||rj)) =? Qj, computes its temporal credential TCRj = REGj ⊕ h(h(SIDj||rj)||t3) and stores it.

2.1.3. Login Phase

Step 1:
Ui inserts his/her smart card into a card reader and enters IDi and PWi.
Step 2:
The smart card retrieves ri, computes Qi' = h(IDi||PWi||ri) and checks h(Qi') =? h(Qi). If the check succeeds, Ui passes the verification, is allowed to read the information stored in the smart card, and computes TCRi = PTCi ⊕ Qi'.

2.1.4. Authentication and Key Agreement Phase

Step 1:
Ui → GWN: {DIDi, Ci, PKSi, t4, Ei, Pi}
Ui selects a random secret Ki, computes DIDi = IDi ⊕ h(TCRi||t4), Ci = h(h(IDi||PWi||ri)||t4) ⊕ TCRi and PKSi = Ki ⊕ h(TCRi||t4||"000"), and sends {DIDi, Ci, PKSi, t4, Ei, Pi} to GWN, where t4 is the current timestamp.
Step 2:
GWN → Sj: {t5, DIDi, DIDGWN, CGWN, PKSGWN}
GWN checks the validity of t4, computes TCRi* = h(KGWN_U||Pi||Ei) and IDi = DIDi ⊕ h(TCRi*||t4), and retrieves Ui's password verifier Qi = h(IDi||PWi||ri) using IDi. GWN then computes Ci* = h(Qi||t4) ⊕ TCRi*, verifies Ci* =? Ci, sets the status-bit to "1" and records t4 in the 4th field of the identity table. GWN computes Ki = PKSi ⊕ h(TCRi*||t4||"000") and chooses a nearby suitable sensor node Sj as the accessed sensor node. GWN further computes Sj's temporal credential TCRj = h(KGWN_S||SIDj), DIDGWN = IDi ⊕ h(DIDi||TCRj||t5), CGWN = h(IDi||TCRj||t5) and PKSGWN = Ki ⊕ h(TCRi||t5), and sends {t5, DIDi, DIDGWN, CGWN, PKSGWN} to Sj, where t5 is the current timestamp of GWN.
Step 3:
Sj → GWN, Ui: {SIDj, t6, Cj, PKSj}
Sj checks the validity of t5, computes IDi = DIDGWN ⊕ h(DIDi||TCRj||t5) and CGWN* = h(IDi||TCRj||t5), and checks CGWN* =? CGWN. If the check fails, Sj terminates the session; otherwise Sj is convinced that the received message comes from the legitimate GWN. Sj then computes Ki = PKSGWN ⊕ h(TCRi||t5), selects a random secret Kj, computes Cj = h(Kj||IDi||SIDj||t6) and PKSj = Kj ⊕ h(Ki||t6), and sends {SIDj, t6, Cj, PKSj} to GWN and Ui, where t6 is the current timestamp of Sj.
Step 4:
Ui and GWN separately compute Kj = PKSj ⊕ h(Ki||t6) and Cj* = h(Kj||IDi||SIDj||t6). GWN authenticates Sj by checking Cj* =? Cj, and Ui authenticates Sj and GWN by the same check. Finally, Ui and Sj compute the common session key Kij = h(Ki||Kj) for securing later communications.

2.2. Weaknesses of Temporal Credential-Based Scheme of Li et al.

This subsection elucidates the weaknesses of the temporal credential-based scheme of Li et al., which include vulnerability to impersonation and stolen verifier attacks, and failure to protect the privacy of users.

2.2.1. Vulnerability to Impersonation Attacks

In the registration phase of the scheme of Li et al., (IDprei, t1, VIi, CIi, DIi) and (h(.), h(Qi), Ei, PTCi) are public, where VIi = h(t1||h(IDprei||PWprei)), CIi = h(IDprei||PWprei) ⊕ h(IDi||PWi||ri), DIi = IDi ⊕ h(IDprei||PWprei) and t1 is the current timestamp. An adversary A can therefore recover PWprei offline by guessing a candidate PWpre*i and checking VIi =? h(t1||h(IDprei||PWpre*i)) repeatedly. Next, A derives IDi, Qi (= h(IDi||PWi||ri)) and TCRi by computing DIi ⊕ h(IDprei||PWprei), CIi ⊕ h(IDprei||PWprei) and PTCi ⊕ Qi, respectively. With (IDi, Qi, TCRi, Ei) in hand, A can impersonate Ui and compromise Ui's privacy. By the following steps, A is authenticated as Ui and communicates with GWN and Sj:
Step 1:
A computes Pi = h(IDi||Ei). In the authentication and key agreement phase, A selects a random Ki and computes DIDi = IDi ⊕ h(TCRi||t4), Ci = h(Qi||t4) ⊕ TCRi and PKSi = Ki ⊕ h(TCRi||t4||"000"), where t4 is the current timestamp. A then sends {DIDi, Ci, PKSi, t4, Ei, Pi} to GWN, impersonating Ui.
Step 2:
GWN checks t4, computes TCRi* = h(KGWN_U||Pi||Ei), IDi = DIDi ⊕ h(TCRi*||t4) and Ci* = h(Qi||t4) ⊕ TCRi*, and verifies Ci* =? Ci, which succeeds. GWN then computes Ki = PKSi ⊕ h(TCRi*||t4||"000"), TCRj = h(KGWN_S||SIDj), DIDGWN = IDi ⊕ h(DIDi||TCRj||t5), CGWN = h(IDi||TCRj||t5) and PKSGWN = Ki ⊕ h(TCRi||t5), and sends {t5, DIDi, DIDGWN, CGWN, PKSGWN} to Sj, where t5 is the current timestamp of GWN.
Step 3:
Sj checks t5, computes IDi = DIDGWN ⊕ h(DIDi||TCRj||t5) and CGWN* = h(IDi||TCRj||t5), verifies CGWN* =? CGWN, computes Ki = PKSGWN ⊕ h(TCRi||t5), Cj = h(Kj||IDi||SIDj||t6) and PKSj = Kj ⊕ h(Ki||t6), and responds by sending {SIDj, t6, Cj, PKSj} to GWN and A. Finally, A computes Kj = PKSj ⊕ h(Ki||t6) and shares the session key Kij = h(Ki||Kj) with Sj.
However, if the password PWprei is long and random enough to resist guessing, the credential-based key agreement scheme of Li et al. resists this impersonation attack.

2.2.2. Failure to Protect the Privacy of Users

In the scheme of Li et al., upon receiving the request message {DIDi, Ci, PKSi, t4, Ei, Pi} that is sent by Ui, whose identity is IDi, the adversary A easily determines that the request message belongs to Ui because A has the knowledge of (IDi, Qi, TCRi, Ei). Thus, the scheme of Li et al. fails to support user anonymity, data unlinkability, or untrackability [29]. Accordingly, the scheme of Li et al. cannot protect the privacy of users.

2.2.3. Vulnerability to Stolen Verifier Attacks

Assume that an adversary A steals the verifier table and obtains (IDi, Qi, Ei). Since (h(.), h(Qi), Ei, PTCi) is public in the registration phase, A derives TCRi = PTCi ⊕ Qi and proceeds as follows:
Step 1:
A → GWN: {DIDi**, Ci**, PKSi**, t4**, Ei, Pi}
A randomly selects Ki**, computes DIDi** = IDi ⊕ h(TCRi||t4**), Ci** = h(Qi||t4**) ⊕ TCRi and PKSi** = Ki** ⊕ h(TCRi||t4**||"000"), where t4** is the current timestamp, and sends {DIDi**, Ci**, PKSi**, t4**, Ei, Pi} to GWN.
Step 2:
GWN → Sj: {t5, DIDi**, DIDGWN, CGWN, PKSGWN}
GWN validates t4**, computes TCRi* = h(KGWN_U||Pi||Ei) and IDi = DIDi** ⊕ h(TCRi*||t4**), and retrieves Qi = h(IDi||PWi||ri). GWN then verifies h(Qi||t4**) ⊕ TCRi* = Ci**, computes Ki** = PKSi** ⊕ h(TCRi*||t4**||"000"), TCRj = h(KGWN_S||SIDj), DIDGWN = IDi ⊕ h(DIDi**||TCRj||t5), CGWN = h(IDi||TCRj||t5) and PKSGWN = Ki** ⊕ h(TCRi||t5), and sends {t5, DIDi**, DIDGWN, CGWN, PKSGWN} to Sj, where t5 is the current timestamp of GWN.
Step 3:
Sj → GWN, Ui: {SIDj, t6, Cj, PKSj}
Sj validates t5. If successful, Sj computes IDi = DIDGWN ⊕ h(DIDi**||TCRj||t5) and CGWN* = h(IDi||TCRj||t5), checks CGWN* =? CGWN, computes Ki** = PKSGWN ⊕ h(TCRi||t5), Cj = h(Kj||IDi||SIDj||t6) and PKSj = Kj ⊕ h(Ki**||t6), and sends out {SIDj, t6, Cj, PKSj}.
Step 4:
Upon receiving {SIDj, t6, Cj, PKSj}, A computes Kj = PKSj ⊕ h(Ki**||t6) and the common session key Kij = h(Ki**||Kj) shared with Sj.
Hence, the adversary A can impersonate Ui, be authenticated, and communicate with GWN and Sj. Additionally, A holds TCRi together with the messages (PKSi, t4) and (PKSj, t6) previously sent by Ui and Sj, so A can derive the earlier secrets Ki and Kj by computing PKSi ⊕ h(TCRi||t4||"000") and PKSj ⊕ h(Ki||t6), respectively. A can thus compute every session key that Ui and Sj have used and recover all transmitted secrets. Therefore, the authenticated key agreement scheme of Li et al. fails to resist stolen verifier attacks.
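Both attacks above come down to a handful of hash and XOR operations once PWprei is known, so they can be checked mechanically. The following Python script is an added example, not code from this paper or from Li et al.: it models the registration and authentication messages of Section 2.1 with SHA-256 as h(.), identities padded to the hash width, and constructed sample values (IDprei, PWprei, IDi, the wordlist and the timestamps are all assumptions), then runs the offline guess of Section 2.2.1, recovers a recorded session key as in Section 2.2.3, and forges a login message that GWN's own Step 2 check accepts.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """h(.) as SHA-256 over the fields joined with '||'."""
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(u ^ v for u, v in zip(a, b))

# Constructed sample values; identities are padded to the 32-byte hash width so XOR masks line up.
ID_PRE, PW_PRE = b"pre-user-0001".ljust(32, b"\0"), b"winter2015"   # a guessable pre-password
ID_I, PW_I, R_I = b"alice".ljust(32, b"\0"), b"correct horse battery", secrets.token_bytes(32)
E_I, K_GWN_U = b"20161231", secrets.token_bytes(32)

def li_registration():
    """User registration of Li et al. (Section 2.1.2); returns everything sent over the channel."""
    hpre = h(ID_PRE, PW_PRE)
    t1 = b"1430000000"
    q = h(ID_I, PW_I, R_I)                        # Qi
    p_i = h(ID_I, E_I)                            # Pi
    tcr = h(K_GWN_U, p_i, E_I)                    # TCRi
    return dict(IDpre=ID_PRE, t1=t1, VI=h(t1, hpre), CI=xor(hpre, q), DI=xor(ID_I, hpre),
                hQ=h(q), E=E_I, PTC=xor(tcr, q))

def guess_pre_password(public, wordlist):
    """Section 2.2.1: offline guessing against VIi = h(t1||h(IDprei||PWprei)); None if not in the list."""
    for cand in wordlist:
        if h(public["t1"], h(public["IDpre"], cand)) == public["VI"]:
            return cand
    return None

def recover_credentials(public, pw_pre):
    """With PWprei, peel IDi, Qi and TCRi off the XOR-masked registration fields."""
    hpre = h(public["IDpre"], pw_pre)
    id_i = xor(public["DI"], hpre)
    q = xor(public["CI"], hpre)
    return id_i, q, xor(public["PTC"], q)

def li_auth_transcript(tcr):
    """One honest auth/key-agreement run (Section 2.1.4): the masked secrets an eavesdropper records."""
    ki, kj = secrets.token_bytes(32), secrets.token_bytes(32)
    t4, t6 = b"1430000100", b"1430000102"
    return dict(t4=t4, PKSi=xor(ki, h(tcr, t4, b"000")), t6=t6, PKSj=xor(kj, h(ki, t6))), h(ki, kj)

def recover_session_key(tr, tcr):
    """Section 2.2.3: TCRi plus a recorded (PKSi, t4, PKSj, t6) yields Ki, Kj and Kij = h(Ki||Kj)."""
    ki = xor(tr["PKSi"], h(tcr, tr["t4"], b"000"))
    kj = xor(tr["PKSj"], h(ki, tr["t6"]))
    return h(ki, kj)

def forge_login(id_i, q, tcr, e_i, t4):
    """Step 1 of Section 2.2.1: a login message built without PWi, ri or the smart card."""
    ki = secrets.token_bytes(32)
    return dict(DID=xor(id_i, h(tcr, t4)), C=xor(h(q, t4), tcr),
                PKS=xor(ki, h(tcr, t4, b"000")), t4=t4, E=e_i, P=h(id_i, e_i))

def gwn_accepts(msg, verifier_table):
    """GWN's check from Step 2 of Section 2.1.4 (status-bit bookkeeping omitted)."""
    tcr = h(K_GWN_U, msg["P"], msg["E"])
    id_i = xor(msg["DID"], h(tcr, msg["t4"]))
    q = verifier_table.get(id_i)
    return q is not None and xor(h(q, msg["t4"]), tcr) == msg["C"]

def demo(wordlist=(b"password", b"summer2014", b"winter2015")):
    """Returns (guessed PWprei, IDi recovered?, old session key recovered?, forged login accepted?)."""
    public = li_registration()
    pw = guess_pre_password(public, wordlist)
    if pw is None:
        return None, False, False, False          # long, random PWprei: the attack stalls here
    id_i, q, tcr = recover_credentials(public, pw)
    transcript, real_sk = li_auth_transcript(tcr)
    forged = forge_login(id_i, q, tcr, E_I, b"1430000200")
    return (pw, id_i == ID_I, recover_session_key(transcript, tcr) == real_sk,
            gwn_accepts(forged, {ID_I: h(ID_I, PW_I, R_I)}))
```

demo() returns the guessed pre-password and three booleans. Called with a wordlist that does not contain PWprei it returns (None, False, False, False), which is the caveat closing Section 2.2.1 in executable form: the whole chain costs exactly as much as guessing PWprei, because every later value is a hash or XOR of public material.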

3. Proposed Temporal Credential-Based Scheme Using Chaotic Maps for WSNs

This section describes the use of chaotic maps in a new temporal credential-based authenticated key agreement scheme for WSNs. The novel scheme does not reveal the user's private parameters in the registration phase, and it protects the user's identity with a temporary secret key shared by the user and the gateway node, whose security is based on the extended chaotic map-based Diffie-Hellman problem. The proposed approach also removes the redundant parameters associated with the user's identity and password from the GWN's verifier table, preventing an adversary from impersonating a user and communicating with the gateway node and sensor nodes even after stealing the verifier table and obtaining the user's private information. Session key security is likewise based on the extended chaotic map-based Diffie-Hellman problem, so the adversary cannot derive any previous session key of the user and the sensor node. In the proposed scheme, the user does not know in advance which node it may access and communicate with, so GWN must choose a nearby suitable sensor node as the accessed sensor node. The proposed scheme involves parameter generation, pre-registration, registration, login and authentication, and password change phases, which are described below.

3.1. Parameter Generation Phase

Step 1:
The gateway node GWN randomly selects KGWN as its master secret key.
Step 2:
GWN computes PKG = TKGWN(x) mod p, where x is a random number, p is a large prime number and (PKG, T(.), x, p) are public parameters.

3.2. Pre-Registration Phase

Each user Ui has a pre-configured identity IDprei, which is stored in the GWN's storage. Similarly, each sensor node Sj is pre-configured with its identity SIDj, a random number rj and the hash value h(SIDj||rj); h(SIDj||rj) and SIDj are stored in the GWN's storage. The pre-configured data are transferred by physical delivery.

3.3. Registration Phase

3.3.1. Registration Phase for Users

Step 1:
Ui → GWN: {X0, X1, REGi, t1}
Ui chooses his/her identity IDi, password PWi and random numbers r and ri, and computes KUG = Tr(PKG) mod p, X0 = Tr(x) mod p, REGi = KUG ⊕ (IDprei||IDi||h(IDi||PWi||ri)) and X1 = h(KUG||h(IDi||PWi||ri)||t1), where t1 is the current timestamp. Ui then sends {X0, X1, REGi, t1} to GWN.
Step 2:
GWN → Ui: {Y0, Y1}
Upon receiving the registration message from Ui, GWN checks the validity of t1, computes KUG = TKGWN(X0) mod p and IDprei||IDi||h(IDi||PWi||ri) = REGi ⊕ KUG, and extracts (IDprei, IDi, h(IDi||PWi||ri)). If GWN successfully checks h(KUG||h(IDi||PWi||ri)||t1) =? X1 and verifies that IDprei is in GWN's storage and has not yet been registered, it generates an expiration time Ei and computes Ui's temporal credential TCRi = h(KGWN||IDi||Ei), D1 = TCRi ⊕ h(IDi||PWi||ri), Y0 = D1 ⊕ h(KUG||t1) and Y1 = h(D1||KUG||t1). GWN then sends {Y0, Y1} to Ui. GWN also stores (h(IDi), Ei) in its storage and maintains a status-bit b and a last-login field to indicate the status of the user: b = 1 while Ui is logged in to GWN, and b = 0 otherwise.
Step 3:
After receiving the response message from GWN, Ui computes D1 = Y0 ⊕ h(KUG||t1) and checks h(D1||KUG||t1) =? Y1. If successful, Ui stores (D1, PKG, T(.), x, p, h(.), ri) on a smart card and completes the registration.

3.3.2. Registration Phase for Sensor Nodes

Step 1:
Sj → GWN: {SIDj, Z0, t2}
Sj computes REGj = h(SIDj||rj) and Z0 = h(REGj||t2), and sends {SIDj, Z0, t2} to GWN, where t2 is the current timestamp.
Step 2:
GWN → Sj: {SIDj, Y2, Y3}
Upon receiving {SIDj, Z0, t2}, GWN checks the validity of t2 and h(REGj||t2) =? Z0 and verifies that SIDj has not yet been registered. If all checks succeed, GWN computes Sj's temporal credential TCRj = h(KGWN||REGj), Qj = TCRj ⊕ REGj, Y2 = TCRj ⊕ h(t2||REGj) and Y3 = h(TCRj||REGj||t2), stores (SIDj, Qj) in its storage, and sends {SIDj, Y2, Y3} to Sj.
Step 3:
Sj computes its temporal credential TCRj = Y2 ⊕ h(t2||REGj), checks h(TCRj||REGj||t2) =? Y3, and stores (SIDj, TCRj, REGj, T(.), x, p, h(.)) in its storage.

3.4. Login and Authentication Phase

In this phase, as shown in Figure 1, Ui and GWN authenticate each other by performing the following steps:
Step 1:
Ui → GWN: M1 = {DIDi, X2, X3, t3}
Ui inserts his/her smart card, inputs IDi and PWi, computes TCRi = D1 ⊕ h(IDi||PWi||ri), generates a random number u, calculates K1 = Tu(PKG) mod p, DIDi = IDi ⊕ K1, X2 = Tu(x) mod p and X3 = h(IDi||K1||TCRi||t3), where t3 is the current timestamp, and sends M1 = {DIDi, X2, X3, t3} to GWN.
Figure 1. The login and authentication phase of the proposed scheme for WSNs.
Step 2:
GWN → Sj: M2 = {DIDG, X2, Y4, t4}
Upon receiving M1, GWN checks the validity of t3. If the check fails, GWN rejects the service request; otherwise GWN computes K1' = TKGWN(X2) mod p and IDi' = DIDi ⊕ K1', retrieves Ei using h(IDi'), computes TCRi = h(KGWN||IDi'||Ei), and checks the status-bit and X3 =? h(IDi'||K1'||TCRi||t3). If the check fails, GWN rejects the service request; otherwise GWN updates the status-bit, chooses a nearby suitable sensor node Sj as the accessed sensor node, computes K2 = h(Qj||t4), DIDG = IDi' ⊕ K2 and Y4 = h(Qj||IDi'||X2||t4), where t4 is the current timestamp, and sends M2 = {DIDG, X2, Y4, t4} to Sj.
Step 3:
Sj → GWN: M3 = {Z1, Z2, Z3, t5}
Upon receiving M2, Sj checks the validity of t4. If the check fails, Sj aborts the service request; otherwise Sj computes Qj = TCRj ⊕ REGj, K2' = h(Qj||t4) and IDi" = DIDG ⊕ K2', and checks Y4 =? h(Qj||IDi"||X2||t4). If the check fails, Sj likewise aborts; otherwise Sj generates a random number v, calculates Z1 = Tv(x) mod p, sk = Tv(X2) mod p, Z2 = h(K2'||IDi"||SIDj||t5) and Z3 = h(sk||IDi"||SIDj||t5), where t5 is the current timestamp, and sends M3 = {Z1, Z2, Z3, t5} to GWN.
Step 4:
GWN → Ui: M4 = {SIDj, Z1, Z3, t5}
Upon receiving M3, GWN checks the validity of t5. If the check fails, GWN rejects the request; otherwise GWN authenticates Sj by checking Z2 =? h(K2||IDi'||SIDj||t5) and sends M4 = {SIDj, Z1, Z3, t5} to Ui.
Step 5:
Upon receiving M4, Ui checks the validity of t5. If the check fails, Ui aborts the request; otherwise Ui computes sk' = Tu(Z1) mod p and authenticates GWN and Sj by checking Z3 =? h(sk'||IDi||SIDj||t5). Finally, Ui and Sj share the common session key sk = Tuv(x) mod p for securing later communications.
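To see the arithmetic of Section 1.2 and the message flow above run end to end, here is an added Python example that is not code from the paper. It implements Tn(x) mod p by fast doubling, which is what makes the semi-group check Tr(Ts(x)) ≡ Trs(x) and the key agreement testable, and then plays the five steps of the login and authentication phase between Ui, GWN and Sj starting from the state the registration phases of Section 3.3 would have left behind. SHA-256 stands in for h(.), p is a 127-bit prime chosen only so the demo runs quickly, and x, the identities, the password and the timestamps are constructed values; the Δt freshness checks are omitted, every other check in the protocol is performed.

```python
import hashlib
import secrets

# Constructed public parameters for a runnable demo; a deployment needs a large prime p.
P = 2**127 - 1      # the prime p
X = 123456789       # the public seed x

def cheb(n: int, x: int, p: int) -> int:
    """T_n(x) mod p in O(log n) by fast doubling: T_2k = 2T_k^2 - 1, T_2k+1 = 2T_kT_k+1 - x."""
    x %= p
    t0, t1 = 1, x                                      # (T_k, T_k+1), k = 0
    for bit in bin(n)[2:]:                             # most significant bit first
        a, b = (2*t0*t0 - 1) % p, (2*t0*t1 - x) % p    # k -> 2k
        if bit == "1":
            a, b = b, (2*t1*t1 - 1) % p                # 2k -> 2k+1
        t0, t1 = a, b
    return t0

def h(*parts) -> bytes:
    """h(.) as SHA-256 over the fields joined with '||'; ints are encoded as decimal text."""
    enc = [q if isinstance(q, bytes) else str(q).encode() for q in parts]
    return hashlib.sha256(b"||".join(enc)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(u ^ v for u, v in zip(a, b))

def to32(n: int) -> bytes:                 # a map value as a 32-byte mask for IDi
    return n.to_bytes(32, "big")

def rand_exp() -> int:                     # u, v, KGWN >= 2
    return secrets.randbelow(P - 2) + 2

def setup():
    """State left by the registration phases (Section 3.3), computed directly."""
    k_gwn = rand_exp()
    pkg = cheb(k_gwn, X, P)                                    # PKG = T_KGWN(x)
    id_i, pw_i, e_i = b"alice".ljust(32, b"\0"), b"hunter2", b"20161231"
    r_i = secrets.token_bytes(16)
    tcr_i = h(k_gwn, id_i, e_i)                                # TCRi = h(KGWN||IDi||Ei)
    user = dict(ID=id_i, PW=pw_i, r=r_i, D1=xor(tcr_i, h(id_i, pw_i, r_i)), PKG=pkg)
    sid_j = b"sensor-17"
    reg_j = h(sid_j, secrets.token_bytes(16))                  # REGj = h(SIDj||rj)
    tcr_j = h(k_gwn, reg_j)                                    # TCRj = h(KGWN||REGj)
    sensor = dict(SID=sid_j, TCR=tcr_j, REG=reg_j)
    gwn = dict(k=k_gwn, users={h(id_i): e_i}, sensors={sid_j: xor(tcr_j, reg_j)})  # (h(IDi),Ei),(SIDj,Qj)
    return user, gwn, sensor

# Timestamp freshness checks against delta t are omitted; every other check is performed.
def user_step1(user, t3):
    tcr = xor(user["D1"], h(user["ID"], user["PW"], user["r"]))
    u = rand_exp()
    k1 = cheb(u, user["PKG"], P)                               # K1 = T_u(PKG)
    m1 = dict(DID=xor(user["ID"], to32(k1)), X2=cheb(u, X, P), X3=h(user["ID"], k1, tcr, t3), t3=t3)
    return m1, dict(u=u)

def gwn_step2(gwn, m1, t4):
    k1 = cheb(gwn["k"], m1["X2"], P)                           # T_KGWN(T_u(x)) = T_u(T_KGWN(x))
    id_i = xor(m1["DID"], to32(k1))
    e_i = gwn["users"].get(h(id_i))
    if e_i is None or m1["X3"] != h(id_i, k1, h(gwn["k"], id_i, e_i), m1["t3"]):
        raise ValueError("login rejected")
    sid_j, q_j = next(iter(gwn["sensors"].items()))           # the "nearby suitable" node
    k2 = h(q_j, t4)
    m2 = dict(DIDG=xor(id_i, k2), X2=m1["X2"], Y4=h(q_j, id_i, m1["X2"], t4), t4=t4)
    return m2, dict(ID=id_i, K2=k2, SID=sid_j)

def sensor_step3(sensor, m2, t5):
    q_j = xor(sensor["TCR"], sensor["REG"])
    k2 = h(q_j, m2["t4"])
    id_i = xor(m2["DIDG"], k2)
    if m2["Y4"] != h(q_j, id_i, m2["X2"], m2["t4"]):
        raise ValueError("GWN not authenticated")
    v = rand_exp()
    sk = cheb(v, m2["X2"], P)                                  # sk = T_v(T_u(x))
    m3 = dict(Z1=cheb(v, X, P), Z2=h(k2, id_i, sensor["SID"], t5),
              Z3=h(sk, id_i, sensor["SID"], t5), t5=t5)
    return m3, sk

def gwn_step4(state, m3):
    if m3["Z2"] != h(state["K2"], state["ID"], state["SID"], m3["t5"]):
        raise ValueError("sensor not authenticated")
    return dict(SID=state["SID"], Z1=m3["Z1"], Z3=m3["Z3"], t5=m3["t5"])

def user_step5(user, state, m4):
    sk = cheb(state["u"], m4["Z1"], P)                         # sk' = T_u(T_v(x))
    if m4["Z3"] != h(sk, user["ID"], m4["SID"], m4["t5"]):
        raise ValueError("GWN/sensor not authenticated")
    return sk

def run():
    """One full login and authentication run; returns (keys agree?, sk)."""
    user, gwn, sensor = setup()
    m1, ust = user_step1(user, 1)
    m2, gst = gwn_step2(gwn, m1, 2)
    m3, sk_j = sensor_step3(sensor, m2, 3)
    m4 = gwn_step4(gst, m3)
    sk_i = user_step5(user, ust, m4)
    return sk_i == sk_j, sk_i
```

Two things the run makes concrete: GWN never sees u, yet recovers K1 because TKGWN(Tu(x)) and Tu(TKGWN(x)) are the same value (the semi-group property of Section 1.2.1), and Ui and Sj end with the same sk = Tuv(x) mod p although each only ever learned the other's Tu(x) or Tv(x), which is the extended chaotic map-based Diffie-Hellman exchange of Section 1.2.3.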

3.5. Password Change Phase

A user Ui changes his/her password by performing the following steps:
Step 1:
Ui inserts his smart card and inputs his/her identity IDi, old password PWi, and a new password PWi'.
Step 2:
The smart card computes Qi = h(IDi||PWi||ri), Qi' = h(IDi||PWi'||ri) and D1' = D1 ⊕ Qi ⊕ Qi', which equals TCRi ⊕ Qi' because D1 = TCRi ⊕ Qi. The smart card then replaces D1 with D1'.

4. Security Analyses

This section analyzes the security of the proposed authenticated key agreement scheme, which provides mutual authentication, session key security and privacy protection for users, and resists potential attacks, including privileged insider attacks, password guessing attacks, impersonation attacks, stolen verifier attacks and many-logged-in-users attacks. The details are described below.

4.1. Communication Model

4.1.1. Communicating Participants:

The proposed scheme involves a user Ui, a sensor node Sj, and a gateway node GWN. Ui and Sj authenticate each other and establish a common session key sk with the help of the GWN. A participant may be involved in several instances, called oracles, of distinct concurrent executions of the proposed scheme P. The instance m of participant V is denoted as ΠVm.

4.1.2. Oracle Queries:

Oracle queries model the capabilities of adversary A, and are described below:
(1)
Send(ΠVm, M): This query models the capacity of an adversary A to control all communications in P. A sends a message M to oracle ΠVm, which replies with the response message prescribed by P. A can initiate an execution of P by sending the query Send(ΠVm, "start") to a user oracle ΠVm.
(2)
Corrupt(V): This query models the perfect forward secrecy of P, meaning that a compromised long-lived key does not endanger previously established session keys. The adversary A sends a Corrupt query for participant V and receives V's long-lived key.
(3)
Hash(M): This query models adversary A's access to hash results through a random oracle Ω. Upon receiving a query, Ω checks whether a record (M, r) has already been queried and stored in the H-table. If (M, r) is in the H-table, Ω replies r to A; otherwise it returns a fresh random value r' and records (M, r') in the H-table.
(4)
Reveal(ΠVm): This query models the known-key security of P, meaning that a compromised session key does not reveal other session keys. It returns the session key of ΠVm and is only available if oracle ΠVm has accepted.
(5)
Test(ΠVm): This query models session key security, i.e., the indistinguishability of the real session key from a random string. During the execution of scheme P, adversary A sends queries to the oracles, including a single Test query at any time. ΠVm then flips an unbiased coin c. If c equals 1, ΠVm returns the real session key sk; otherwise, it returns a random string to A.

4.2. Security Definitions

4.2.1. Partnering: Two oracles ΠUim and ΠSjn are partnered if:

(1)
ΠUim and ΠSjn directly exchange message flows and
(2)
only ΠUim and ΠSjn have the same session key sk.

4.2.2. Freshness: An Oracle ΠUim is Fresh in P if:

(1)
ΠUim or ΠSjn has accepted a session key sk and
(2)
ΠUim and ΠSjn have not been sent a Reveal query.

4.2.3. Session Key Security (AKE Security):

This definition allows an adversary to make many Test queries. If a Test query concerns a client instance that has not accepted, the invalid symbol ⊥ is returned. If a Test query concerns an instance of an honest participant whose intended partner is dishonest, or an instance of a dishonest participant, the real session key is returned. Otherwise, the reply to the Test query is either the real session key or a random string, as determined by flipping an unbiased coin c. The adversary seeks to guess the hidden bit c used by the Test oracle. The ake-advantage of the adversary in violating the indistinguishability of scheme P is denoted AdvPake(A). The scheme P is AKE-secure if AdvPake(A) is negligible [30,31,32].

4.2.4. Mutual Authentication (MA Security)

In the execution of P, the adversary A violates mutual authentication if A can fake the authenticator. The probability of this event is denoted by AdvPma(A). The scheme P is MA-secure if AdvPma(A) is negligible [33].

4.3. Providing Session Key Security (AKE Security)

The following lemma is the Difference Lemma, which is used within our sequence of games [34].
Lemma 1 (Difference Lemma). Let A, B and F be events defined in some probability distribution, and suppose that A∧¬F⟺ B∧¬F. Then
|Pr[A] − Pr[B]| ≤ Pr[F]
The following theorem shows that the proposed scheme involving Ui and Sj has AKE security if the used hash function is secure and the extended chaotic map-based Diffie-Hellman assumption holds.
Theorem 1. Let Advecmdh be the advantage with which an ECMDH attacker solves the extended chaotic map-based Diffie-Hellman problem within time t. Then the probability that an adversary breaks the AKE security of the proposed scheme satisfies:
AdvPake(t', qexe, qtest, qse, qake) ≤ 2⋅Advecmdh(t, qtest, qse, qake)
within time t', where t' ≤ t + 4(qexe + qake)τ, qexe denotes the number of queries to the Execute oracle, qtest the number of queries to the Test oracle, qse the number of Send queries, qake the number of queries to the final AKE scheme, and τ the time to perform one extended chaotic map operation.
Proof of Theorem 1. Each game Gi defines the probability of the event Ei that the adversary wins this game. The first game G0 is the real attack against the proposed scheme and the final game G2 concludes that the adversary has a negligible advantage to break the AKE security of the proposed scheme:
Game G0: This game corresponds to the real attack. By definition, we have
AdvPake(A) = |2Pr[E0] − 1|
Game G1: This game simulates all oracles as in the previous game, except that the simulation of the Send queries referring to the flows that contain Tu(x) mod p and Tv(x) mod p, and the simulation of the Test(ΠVm) oracle, are modified so that they do not rely on knowledge of u, v and w when computing their answers. Assume that (X, Y, Z) = (Tu(x) mod p, Tv(x) mod p, Tu⋅v(x) mod p) is a random extended chaotic map-based Diffie-Hellman triple. A simulator Σ simulates the oracles for all sessions using this triple (X, Y, Z) and the classical random self-reducibility of the extended chaotic map-based Diffie-Hellman problem. Σ sets up all parameters and secret keys of the scheme, picks a random number m ∈ [1, qse], and answers the oracle queries according to the proposed scheme; Σ can therefore correctly answer the Test queries. Since the random variables of G0 are merely replaced by other, identically distributed random variables in G1, the two games are equivalent, and thus:
Pr[E0] = Pr[E1]
Game G2: This game simulates all oracles as in the previous game, except that all rules are computed using a triple (X, Y, Z) drawn from the random distribution (Tu(x) mod p, Tv(x) mod p, Tw(x) mod p) instead of an extended chaotic map-based Diffie-Hellman triple. Let a challenger Aecmdh try to violate the indistinguishability of the extended chaotic map-based Diffie-Hellman problem, and let an adversary Aake be constructed to break the session key security. Aecmdh returns the real session key sk (if c = 1) or a random string (otherwise) to Aake by flipping an unbiased coin c ∈ {0,1}; Aake wins the game if its output bit c' equals c. Aecmdh answers the Send, Corrupt and Test queries of Aake as in the previous game, except that it uses the triple (X, Y, Z) received as input. If Aake outputs c, then Aecmdh outputs 1; otherwise Aecmdh outputs 0. If (X, Y, Z) is a real extended chaotic map-based Diffie-Hellman triple, Aecmdh runs Aake in G1, so the probability that Aecmdh outputs 1 equals Pr[E1]. If (X, Y, Z) is a random triple, Aecmdh runs Aake in G2, so the probability that Aecmdh outputs 1 equals Pr[E2]. Therefore, we have:
|Pr[E1] − Pr[E2]| ≤ Advecmdh(Aecmdh)
Since the coin bit c and all session keys are random and independent, we have
Pr[E2] = 1/2
By combining Equations (5)–(8) and using Lemma 1, we have:
AdvPake(Aake) ≤ 2⋅Advecmdh(Aecmdh)
Then the proof is concluded.

4.4. Providing Mutual Authentication

The following theorem shows that the proposed scheme has MA security if the used hash function is secure and the proposed scheme has AKE security:
Theorem 2. Let AdvPake denote the advantage that an adversary breaks the AKE security of the proposed scheme, and AdvPma denote the advantage that an adversary violates the mutual authentication of the proposed scheme. Then:
AdvPma(t", qse, qh) ≤ 2⋅AdvPake(t', qse, qh) + qh^2/2^(l−1)
within time t", where t" ≤ t' + (qse + qh)⋅trelay + 2⋅τ; qh denotes the number of Hash queries, trelay denotes the time to relay a query, l denotes the security parameter, and the parameters qse, t' and τ are defined as in Theorem 1.
Proof of Theorem 2. The starting game Gma0 is the real attack against the proposed scheme, and the final game Gma2 concludes that the adversary has only a negligible advantage in breaking the MA security of the proposed scheme. The challenger A1 attempts to break the AKE security of the proposed scheme, and the adversary Ama is constructed to break the MA security of the proposed scheme. The adversary Ama wins this game if it successfully forges the authenticator:
Game Gma0: This game corresponds to the real attack. By definition, we have:
AdvPma(Ama) = |2⋅Pr[E0] − 1|
Game Gma1: This game simulates all oracles as in the previous game, except that a table H is used to simulate the Hash queries involving Ui and GWN, and those involving GWN and Sj. Games Gma0 and Gma1 are then indistinguishable except when a collision occurs in the H-table in Gma1. By the birthday paradox and Lemma 1, we have:
|Pr[E0] − Pr[E1]| ≤ qh^2/2^l
where Ama makes qh Hash queries involving Ui and GWN, and involving GWN and Sj.
Game Gma2: This game simulates all oracles as in the previous game, except that the session key sk is replaced with a random number. Ama is then used to build an adversary A1 against the AKE security of the proposed scheme. A1 arranges the parameters, simulates the proposed scheme and answers the oracle queries made by Ama according to the following rules.
When receiving Send or Hash queries involving Ui and GWN, or GWN and Sj, A1 returns the results by executing the proposed scheme.
When receiving Hash queries involving Ui and Sj, A1 returns the corresponding authenticators to Ama by making the same queries to the Hash oracle involving Ui and Sj.
When receiving Test queries, A1 answers them using the coin bit c that it previously selected and the computed session keys.
Therefore, the probability that A1 outputs 1 when the authenticator is obtained from the real session key equals the probability that Ama correctly guesses the hidden bit c in game Gma1. Similarly, the probability that A1 outputs 1 when the authenticator is obtained from a random string equals the probability that Ama correctly guesses the hidden bit c in game Gma2. Thus, by Lemma 1, we have:
|Pr[E1] − Pr[E2]| ≤ AdvPake(A1)
Since no information on the authenticator is leaked to the adversary, we have
Pr[E2] = 1/2
Combining Equations (9)–(12) and using Lemma 1, we have
AdvPma(Ama) ≤ 2⋅AdvPake(A1) + qh^2/2^(l−1)
Then the proof is concluded.

4.5. Protecting Privacy of Users

Theorem 3. The proposed scheme protects the privacy of users.
Proof of Theorem 3. The proposed scheme protects user Ui's identity IDi using the temporary secret key K1 shared by the user and the gateway node, and makes any two request messages M1 = {DIDi, X2, X3, t3} and M1' = {DIDi', X2', X3', t3'} from user Ui independent and difficult to distinguish from each other, where K1 = Tu(PKG) mod p, DIDi = IDi ⊕ K1, X2 = Tu(x) mod p, X3 = h(IDi||K1||TCRi||t3), u is a random number and t3 is a timestamp; and K1' = Tu'(PKG) mod p, DIDi' = IDi ⊕ K1', X2' = Tu'(x) mod p, X3' = h(IDi||K1'||TCRi||t3'), u' is a random number and t3' is a timestamp. The proposed scheme thus provides user anonymity and data unlinkability, and hence untrackability [29]. Accordingly, the privacy of users is protected.

4.6. Resistance to Privileged Insider Attacks

Theorem 4. The proposed scheme withstands privileged insider attacks.
Proof of Theorem 4. In the registration phase, the user sends REGi rather than (IDi, PWi) to the GWN, where REGi = KUG ⊕ (IDprei||IDi||h(IDi||PWi||ri)), so Ui's identity IDi and password PWi are protected by the random number ri. Therefore, a privileged insider fails to obtain (IDi, PWi) from REGi, and fails to correctly compute TCRi = D1 ⊕ h(IDi||PWi||ri) (or h(KGMN||IDi||Ei)); hence the proposed scheme withstands privileged insider attacks.

4.7. Resistance to Impersonation Attacks

Theorem 5. The proposed scheme withstands impersonation attacks.
Proof of Theorem 5. An adversary who tries to impersonate Ui fails to compute TCRi = D1 ⊕ h(IDi||PWi||ri) and X3 = h(IDi||K1||TCRi||t3), and thus cannot send the correct request message M1 = {DIDi, X2, X3, t3} in the login and authentication phase without the correct IDi, PWi and the (D1, ri) stored in Ui's smart card, where t3 is the timestamp. The failed login is detected by the GWN in Step 2 of the login and authentication phase, so the proposed scheme withstands impersonation attacks.

4.8. Resistance to Off-Line Password Guessing Attacks

Theorem 6. The proposed scheme withstands off-line password guessing attacks.
Proof of Theorem 6. In the proposed scheme, the revealed messages M1 = {DIDi, X2, X3, t3}, M2 = {DIDG, X2, Y4, t4}, M3 = {Z1, Z2, Z3, t5} and M4 = {SIDj, Z1, Z3, t5} carry no information about the user's password PWi, so an adversary cannot confirm the correctness of a guessed password from M1, M2, M3 and M4, where DIDi = IDi ⊕ K1, K1 = Tu(PKG) mod p, X2 = Tu(x) mod p, X3 = h(IDi||K1||TCRi||t3) and TCRi = h(KGMN||IDi||Ei); DIDG = IDi' ⊕ K2, K2 = h(Qj||t4) and Y4 = h(Qj||IDi'||X2||t4); and Z1 = Tv(x) mod p, Z2 = h(K2'||IDi"||SIDj||t5), Z3 = h(sk||IDi"||SIDj||t5) and sk = Tv(X2) mod p. Thus, off-line password guessing attacks are ineffective against the proposed scheme.
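The message flow that Theorems 3, 5 and 6 reason about, as an added worked example in Python that is not the paper's own code: it computes T_n(x) mod p by matrix powering, builds M1 = {DIDi, X2, X3, t3} with a fresh u, lets the GWN recover IDi and check X3, and derives sk on both sides via the semigroup property T_u(T_v(x)) = T_v(T_u(x)) mod p. It assumes (not stated on this page) that the GWN holds a private key s with PKG = T_s(x) mod p, models h as SHA-256, and uses constructed toy identities and a 61-bit modulus.

```python
import hashlib
import secrets

P = 2**61 - 1   # constructed toy modulus; the scheme uses a large prime p
X = 2           # constructed public seed x of the Chebyshev map

def chebyshev(n, x, p=P):
    """T_n(x) mod p by 2x2 matrix powering of T_k = 2x*T_{k-1} - T_{k-2}."""
    def mul(a, b):
        return ((a[0]*b[0] + a[1]*b[2]) % p, (a[0]*b[1] + a[1]*b[3]) % p,
                (a[2]*b[0] + a[3]*b[2]) % p, (a[2]*b[1] + a[3]*b[3]) % p)
    m, acc = ((2*x) % p, p - 1, 1, 0), (1, 0, 0, 1)   # M = [[2x, -1], [1, 0]]
    while n:
        if n & 1:
            acc = mul(acc, m)
        m = mul(m, m)
        n >>= 1
    return (acc[0] + acc[1] * x) % p   # first entry of M^n * (T_0, T_{-1}) = M^n * (1, x)

def h(*parts):
    """h(a||b||...) modelled as SHA-256 over the '|'-joined decimal encodings."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class GWN:
    def __init__(self, s, kgmn):
        self.s, self.kgmn = s, kgmn         # private key s (assumption) and master secret KGMN
        self.pkg = chebyshev(s, X)          # PKG = T_s(x) mod p (assumption)
        self.table = {}                     # verifier table: h(IDi) -> Ei

    def register(self, idi):
        ei = secrets.randbelow(P)
        self.table[h(idi)] = ei
        return h(self.kgmn, idi, ei)        # TCRi = h(KGMN||IDi||Ei)

    def verify_login(self, m1):
        """Step 2 check of M1 = {DIDi, X2, X3, t3}; returns IDi or None."""
        didi, x2, x3, t3 = m1
        k1 = chebyshev(self.s, x2)          # T_s(T_u(x)) = T_u(PKG) = K1
        idi = didi ^ k1                     # IDi = DIDi xor K1
        ei = self.table.get(h(idi))
        if ei is None:
            return None
        tcri = h(self.kgmn, idi, ei)
        return idi if x3 == h(idi, k1, tcri, t3) else None

def user_login(idi, tcri, pkg, t3):
    """Build M1 with a fresh random u: DIDi = IDi xor K1, K1 = T_u(PKG), X2 = T_u(x)."""
    u = secrets.randbelow(P - 2) + 2
    k1 = chebyshev(u, pkg)
    return (idi ^ k1, chebyshev(u, X), h(idi, k1, tcri, t3), t3), u

def sensor_key(x2, idi, sidj, t5):
    """Sensor picks v: Z1 = T_v(x), sk = T_v(X2), Z3 = h(sk||IDi||SIDj||t5)."""
    v = secrets.randbelow(P - 2) + 2
    sk = chebyshev(v, x2)
    return chebyshev(v, X), h(sk, idi, sidj, t5), sk

def demo():
    gwn = GWN(s=secrets.randbelow(P - 2) + 2, kgmn=secrets.randbelow(P))
    idi, sidj = 0x1D0042, 0x5E0007          # constructed user and sensor identities
    tcri = gwn.register(idi)
    m1, u = user_login(idi, tcri, gwn.pkg, 1000)
    m1b, _ = user_login(idi, tcri, gwn.pkg, 1000)
    z1, z3, sk_sensor = sensor_key(m1[1], idi, sidj, 1005)
    sk_user = chebyshev(u, z1)              # sk = T_u(Z1) = T_{uv}(x) mod p
    forged = user_login(idi, tcri ^ 1, gwn.pkg, 1000)[0]   # wrong TCRi: table copy alone fails
    return {"unlinkable": m1[:3] != m1b[:3],   # same IDi and t3, yet different DIDi, X2, X3
            "accepted": gwn.verify_login(m1) == idi,
            "keys_match": sk_user == sk_sensor and z3 == h(sk_user, idi, sidj, 1005),
            "forged_rejected": gwn.verify_login(forged) is None}
```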

4.9. Resistance to Undetectable On-Line Password Guessing Attacks

Theorem 7. The proposed scheme withstands on-line password guessing attacks.
Proof of Theorem 7. Again, the revealed messages M1, M2, M3 and M4 do not provide information about a user’s password PWi. Accordingly, an attacker has difficulty in guessing the password in an on-line transaction, and the scheme thus resists undetectable on-line password guessing attacks.

4.10. Resistance to Stolen Verifier Attacks

Theorem 8. The proposed scheme withstands stolen verifier attacks.
Proof of Theorem 8. In the proposed scheme, the GWN keeps (h(IDi), Ei) in its verifier table for each user Ui. An adversary who steals the GWN's verifier table and copies (h(IDi), Ei) still fails to compute TCRi = D1 ⊕ h(IDi||PWi||ri), DIDi = IDi ⊕ K1 and X3 = h(IDi||K1||TCRi||t3) without knowledge of user Ui's IDi, PWi, ri and D1, where u is a random number, K1 = Tu(PKG) mod p, X2 = Tu(x) mod p and t3 is the timestamp. The adversary therefore cannot send a valid M1 = {DIDi, X2, X3, t3} in Step 1, and the failed login is detected by the GWN. Therefore, the proposed scheme resists stolen verifier attacks.

4.11. Resistance to Lost Smartcard Attacks

Theorem 9. The proposed scheme withstands lost smartcard attacks.
Proof of Theorem 9. An adversary who steals user Ui's smartcard and copies its contents (D1, PKG, T(.), x, p, h(.), ri) still fails to compute TCRi = D1 ⊕ h(IDi||PWi||ri) and X3 = h(IDi||K1||TCRi||t3), where t3 is the timestamp, and so cannot send the correct message M1 = {DIDi, X2, X3, t3} in Step 1 of the login and authentication phase without the correct IDi and PWi. The GWN detects the failed login in Step 2 of the login and authentication phase, so the proposed scheme withstands lost smartcard attacks.

4.12. Resistance to Many Logged-in Users Attacks

Theorem 10. The proposed scheme withstands many-logged-in-users attacks.
Proof of Theorem 10. Even if Ui's login information (IDi, PWi, T(.), x, p, h(.), ri) is leaked to more than one non-registered user, the GWN maintains a status-bit field and a last-login field in its verifier table to prevent simultaneous duplicate logins. Therefore, the proposed scheme withstands many-logged-in-users attacks.

5. Performance Analyses and Functionality Comparisons

5.1. Performance Analyses

Table 2 compares the performance of the proposed scheme with those of the schemes developed by Yeh et al. [16], Xue et al. [8], Li et al. [9] and Kim et al. [35], where Th is the execution time for a one-way hash operation; Tc is the execution time for a Chebyshev chaotic map operation, and Te is the execution time for a scalar multiplication operation on an elliptic curve.
The first comparison concerns the computational cost for user Ui, sensor node Sj and the gateway node GWN. The scheme of Yeh et al. [16] employs encryptions and decryptions on an elliptic curve, and has a greater computational cost than the related schemes [8,9,35], which use only hash operations. Since Tc approximates Th, where Th is obtained by using the hash functions SHA-1 and MD5 [36,37,38], the proposed scheme requires six chaotic map operations and 13 hash function operations and so has a low computational burden.
Table 2. The performance comparisons of the related schemes and the proposed scheme.
Computations | Yeh et al. [16] | Xue et al. [8] | Li et al. [9] | Kim et al. [35] | Our Scheme
Ui    | 2 Te + 1 Th | 7 Th  | 9 Th  | 8 Th  | 3 Tc + 3 Th
Sj    | 2 Te + 3 Th | 5 Th  | 6 Th  | 2 Th  | 2 Tc + 4 Th
GWN   | 4 Te + 4 Th | 10 Th | 11 Th | 8 Th  | 1 Tc + 6 Th
Total | 8 Te + 8 Th | 22 Th | 26 Th | 18 Th | 6 Tc + 13 Th

5.2. Functionality Comparisons

Table 3 compares the proposed scheme and the related schemes in terms of functionality, specifically whether they meet the security requirements and resist possible attacks. The schemes developed by Yeh et al., Xue et al., Li et al. and Kim et al. all fail to protect users' privacy. Additionally, the scheme of Yeh et al. fails to withstand password guessing, lost smart card and many-logged-in-users attacks. The scheme of Xue et al. fails to withstand privileged insider, password guessing, stolen verifier, lost smart card and many-logged-in-users attacks. The scheme of Li et al. fails to withstand impersonation and stolen verifier attacks. Only the proposed scheme withstands all of these attacks and protects privacy. Thus, the proposed scheme provides greater functionality, exhibits more favorable security-related properties, and has a lower computational cost than the other schemes.
Table 3. The functionality comparisons of the related schemes and the proposed scheme.
Property | Yeh et al. [16] | Xue et al. [8] | Li et al. [9] | Kim et al. [35] | Our Scheme
Providing mutual authentication        | Yes | Yes | Yes | Yes | Yes
Providing session key security         | Yes | Yes | Yes | Yes | Yes
Providing privacy protection           | No  | No  | No  | No  | Yes
Resisting privileged insider attacks   | Yes | No  | Yes | Yes | Yes
Resisting impersonation attacks        | Yes | Yes | No  | Yes | Yes
Resisting password guessing attacks    | No  | No  | Yes | Yes | Yes
Resisting stolen verifier attacks      | Yes | No  | No  | Yes | Yes
Resisting lost smartcard attacks       | No  | No  | Yes | Yes | Yes
Resisting many logged-in users attacks | No  | No  | Yes | Yes | Yes

6. Conclusions

This study addresses the weaknesses of the temporal credential-based authenticated key agreement scheme developed by Li et al., which enable an adversary to impersonate legitimate users, to perform a stolen verifier attack that recovers all used session keys and transmitted secrets of users and sensor nodes, and to reveal users' identities. A new temporal credential-based authenticated key agreement scheme that uses chaotic maps is developed for WSNs. The proposed scheme protects each user's identity using a temporary secret key, conceals each user's private parameters, and reduces the number of redundant parameters concerning the user's identity and password in the verifier table of the GWN. Therefore, the proposed scheme does not have any of the weaknesses of previous schemes. Additionally, session key security is based on the extended chaotic maps-based Diffie-Hellman problem, so the proposed scheme exhibits perfect forward secrecy and known-key security. The proposed scheme not only eliminates the weaknesses of previous approaches, but also increases security and efficiency.

Acknowledgments

This research was supported by Ministry of Science and Technology under the grants MOST 103-2221-E-320 -003 and TCRPP103008. Ted Knoy is appreciated for his editorial assistance.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Delgado-Mohatar, O.; Fuster-Sabater, A.; Sierra, J.M. A light-weight authentication scheme for wireless sensor networks. Ad Hoc Netw. 2011, 9, 727–735.
  2. Li, C.T.; Hwang, M.S. A lightweight anonymous routing protocol without public key en/decryptions for wireless ad hoc networks. Inf. Sci. 2011, 181, 5333–5347.
  3. Li, Z.; Gong, G. Computationally efficient mutual entity authentication in wireless sensor networks. Ad Hoc Netw. 2011, 9, 204–215.
  4. Das, A.K. Improving identity-based random key establishment scheme for large-scale hierarchical wireless sensor networks. Int. J. Netw. Secur. 2012, 14, 1–21.
  5. Mi, Q.; Stankovic, J.A.; Stoleru, R. Practical and secure localization and key distribution for wireless sensor networks. Ad Hoc Netw. 2012, 10, 946–961.
  6. Jie, H.; Guohua, O. A public key polynomial-based key pre-distribution scheme for large-scale wireless sensor networks. Ad Hoc Sens. Wirel. Netw. 2012, 16, 45–64.
  7. Han, K.; Kim, K.; Choi, W.; Choi, H.H.; Seo, J.; Shon, T. Efficient authenticated key agreement protocols for dynamic wireless sensor networks. Ad Hoc Sens. Wirel. Netw. 2012, 14, 251–269.
  8. Xue, K.; Ma, C.; Hong, P.; Ding, R. A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. J. Netw. Comput. Appl. 2013, 36, 316–323.
  9. Li, C.T.; Weng, C.Y.; Lee, C.C. An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks. Sensors 2013, 13, 9589–9603.
  10. Wong, K.H.M.; Zheng, Y.; Cao, J.; Wang, S. A dynamic user authentication scheme for wireless sensor networks. In Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan, 5–7 June 2007; pp. 32–58.
  11. Xu, J.; Zhu, W.; Feng, D. An improved smart card based password authentication scheme with provable security. Comput. Stand. Interfaces 2009, 31, 723–728.
  12. Das, M.L. Two-factor user authentication scheme in wireless sensor networks. IEEE Trans. Wirel. Commun. 2009, 8, 1086–1090.
  13. He, D.; Gao, Y.; Chan, S.; Chen, C.; Bu, J. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sens. Wirel. Netw. 2010, 10, 361–371.
  14. Khan, M.K.; Alghathbar, K. Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks. Sensors 2010, 10, 2450–2459.
  15. Song, R. Advanced smart card based password authentication protocol. Comput. Stand. Interfaces 2010, 32, 321–325.
  16. Yeh, H.L.; Chen, T.H.; Liu, P.C.; Kim, T.H.; Wei, H.W. A secure authentication protocol for wireless sensor networks using elliptic curves cryptography. Sens. J. 2011, 11, 4767–4779.
  17. Chen, T.H.; Shih, W.K. A robust mutual authentication protocol for wireless sensor networks. ETRI J. 2010, 32, 704–712.
  18. Bergamo, P.; D'Arco, P.; Santis, A.; Kocarev, L. Security of public-key cryptosystems based on Chebyshev polynomials. IEEE Trans. Circuits Syst. I 2005, 52, 1382–1393.
  19. Kocarev, L.; Tasev, Z. Public-key encryption based on Chebyshev maps. In Proceedings of the International Symposium on Circuits and Systems, Bangkok, Thailand, 25–28 May 2003; pp. III-28–III-31.
  20. Mason, J.C.; Handscomb, D.C. Chebyshev Polynomials; Chapman & Hall/CRC: Boca Raton, FL, USA, 2003.
  21. Zhang, L. Cryptanalysis of the public key encryption based on multiple chaotic systems. Chaos Solitons Fractals 2008, 37, 669–674.
  22. Lee, C.C.; Chen, C.L.; Wu, C.Y.; Huang, S.Y. An extended chaotic maps-based key agreement protocol with user anonymity. Nonlinear Dyn. 2012, 69, 79–87.
  23. Lee, C.C.; Hsu, C.W. A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. Nonlinear Dyn. 2013, 71, 201–211.
  24. Lee, T.F. An efficient chaotic maps-based authentication and key agreement scheme using smartcards for telecare medicine information systems. J. Med. Syst. 2013, 37.
  25. Lee, T.F. Verifier-based three-party authentication schemes using extended chaotic maps for data exchange in telecare medicine information systems. Comput. Meth. Programs Biomed. 2014, 117, 464–472.
  26. Farash, M.S.; Attari, M.A. An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps. Nonlinear Dyn. 2014, 77, 399–411.
  27. Lou, D.C.; Lee, T.F.; Lin, T.H. Efficient biometric authenticated key agreements based on extended chaotic maps for telecare medicine information systems. J. Med. Syst. 2015, 39.
  28. Stallings, W. Cryptography and Network Security: Principles and Practice, 5th ed.; Pearson: Upper Saddle River, NJ, USA, 2011.
  29. Lee, T.F. User authentication scheme with anonymity, unlinkability and untrackability for global mobility networks. Secur. Commun. Netw. 2013, 6, 1404–1413.
  30. Abdalla, M.; Pointcheval, D. Simple password-based authenticated key protocols. In Proceedings of Topics in Cryptology, CT-RSA 2005, San Francisco, CA, USA, 14–18 February 2005; pp. 191–208.
  31. Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated key exchange secure against dictionary attacks. In Proceedings of Advances in Cryptology, Eurocrypt 2000, Bruges, Belgium, 14–18 May 2000; pp. 122–138.
  32. Boyko, V.; MacKenzie, P.; Patel, S. Provably secure password-based authenticated key exchange protocols using Diffie-Hellman. In Proceedings of Advances in Cryptology, Eurocrypt 2000, Bruges, Belgium, 14–18 May 2000; pp. 156–171.
  33. Lee, T.F.; Hwang, T. Provably secure and efficient authentication techniques for the global mobility network. J. Syst. Softw. 2011, 84, 1717–1725.
  34. Shoup, V. Sequences of Games: A Tool for Taming Complexity in Security Proofs; Manuscript. Available online: http://www.shoup.net (accessed on 18 January 2015).
  35. Kim, J.; Lee, D.; Jeon, W.; Lee, Y.; Won, D. Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks. Sensors 2014, 14, 6443–6462.
  36. Xiao, D.; Liao, X.; Deng, S. One-way hash function construction based on the chaotic map with changeable-parameter. Chaos Solitons Fractals 2005, 24, 65–71.
  37. Wu, S.; Chen, K. An efficient key-management scheme for hierarchical access control in E-Medicine system. J. Med. Syst. 2012, 36, 2325–2337.
  38. Cheng, Z.Y.; Liu, Y.; Chang, C.C.; Chang, S.C. Authenticated RFID security mechanism based on chaotic maps. Secur. Commun. Netw. 2013, 6, 247–256.
