A Round-Efficient Authenticated Key Agreement Scheme Based on Extended Chaotic Maps for Group Cloud Meeting

Abstract

The security is a critical issue for business purposes. For example, the cloud meeting must consider strong security to maintain the communication privacy. Considering the scenario with cloud meeting, we apply extended chaotic map to present passwordless group authentication key agreement, termed as Passwordless Group Authentication Key Agreement (PL-GAKA). PL-GAKA improves the computation efficiency for the simple group password-based authenticated key agreement (SGPAKE) proposed by Lee et al. in terms of computing the session key. Since the extended chaotic map has equivalent security level to the Diffie–Hellman key exchange scheme applied by SGPAKE, the security of PL-GAKA is not sacrificed when improving the computation efficiency. Moreover, PL-GAKA is a passwordless scheme, so the password maintenance is not necessary. Short-term authentication is considered, hence the communication security is stronger than other protocols by dynamically generating session key in each cloud meeting. In our analysis, we first prove that each meeting member can get the correct information during the meeting. We analyze common security issues for the proposed PL-GAKA in terms of session key security, mutual authentication, perfect forward security, and data integrity. Moreover, we also demonstrate that communicating in PL-GAKA is secure when suffering replay attacks, impersonation attacks, privileged insider attacks, and stolen-verifier attacks. Eventually, an overall comparison is given to show the performance between PL-GAKA, SGPAKE and related solutions.

1. Introduction

Communicating over the Internet is a convenient application as the development of the Internet becomes popular. People can communicate with each other via cloud meeting is a common application. A lot of companies deploy cloud meeting equipment to realize a remote discussion. Some special industries also take into account the cloud meeting, but they focus on the information security. For example, personalized information must be under controlled in medical conferences, and business confidentiality can not be tapped in cloud meeting.

The cloud meeting has following properties:

• Known members: The meeting members are known before meeting. Therefore, the organizer has a participant list in advance.
• Difficult preset: Even if the organizer has a participant list, generating the meeting setting, e.g., passwords or meeting tokens, in advance is inappropriate. Dynamically generating meeting setting is the optimal solution [1,2,3,4,5,6,7] for the security consideration.
• Over the Internet: This is the core requirement for realizing a cloud meeting.
• Multi-member communication: The communication within a pair of members is tractable. When the number of participants increases, to ensure that each member can identify each other is difficult.

For the fourth property, the cloud meeting can be classified into three categories, and they are one-to-one, one-to-many, and many-to-many models as shown in Figure 1. The most popular application is one-to-many model. For example, the user uses a password to log in to a web service. In this model, participants have a security communication based on a centralized server [8]. The many-to-many model is similar to the one-to-many model, but the many-to-many model is decentralized [9].

Both one-to-many and many-to-many models are popular in real world cloud meeting. For example, building a safety communication tunnel to avoid information loss is a possible solution [8]. As shown in case of Figure 1b, the server provides a safety communication tunnel for all connected members. The major advantage of the one-to-many model is the convenience. Although the many-to-many model does not suffer the attacks from hackers due to the decentralization, each member must have higher security equipment in the many-to-many model than in the one-to-many model. Therefore, we focus on the one-to-many model and propose a lightweight solution with security communication.

Before entities send messages with each other, they have to build up a secure communication. In the current secure communication technologies including Internet Protocol Security (IPSec) and https require a communication setup process with two steps: session key generation and message encryption/decryption. The goal of session key generation is to compute a session key for all communication members. Since the message that required by computing a session key is sent over the Internet, hiding the information applied to generate a session key is the major challenge. After all members have the same session key, they can use the session key to encrypt or decrypt messages in the second step. In this paper, we focus on the first step to design an efficient session key agreement scheme under the scenario drawn in case of Figure 1b.

Group authentication key agreement scheme is a possible solution in security cloud meeting. Each participant generates a session key to encrypt information, and it only can be used during this cloud meeting. Even if encrypted messages sent over the Internet are taken by man in the middle, they do not have enough information to get the original message. Diffie–Hellman key exchange is an appropriate technique to develop the group authentication key agreement scheme [8]. It guarantees high security for information exchange in a limited time period. A cloud meeting takes a few hours rather than several years, so Diffie–Hellman key exchange is secure for a cloud meeting.

However, Diffie–Hellman key exchange applies modular exponentiation to compute single-use session key, so it requires a lot of computation cost before the information exchange. In the cloud meeting, the schedules of many people may be rush, so they need an efficient solution for minimizing the setup time.

Another efficient key agreement protocol is extended chaotic map-based approaches [8,10]. These kind of schemes apply Chebyshev polynomials to provide the property, which is equivalent to the semigroup property of chaotic map [10,11,12,13,14]. The details are shown in Section 2 Preliminaries. Therefore, extended chaotic map-based approaches are efficient in computing session keys [15]. However, there is no group authentication key agreement scheme that applies the extended chaotic map in the one-to-many model [10].

There are some key agreement protocols that can be applied in case of Figure 1a. For example, Abdalla and Pointcheval provide a password-based approach for a pair of users [15]. Dutta and Barua extend the results of Abdalla and Pointcheval from one-to-one communication to the many-to-many model, and the shared password has been enhanced [16]. Kim et al. focus on the members join/leave a group without the assistance from a central server [3]. Boyd and Nieto address the efficiency of the key agreement protocol in terms of the number of rounds to generate a session key, and the proposed solution can be done in one round [17]. However, the solution still needs to be improved for the forward security issue.

For the group authentication, Lee et al. present a simple group password-based authenticated key agreement (SGPAKE) [8]. SGPAKE considers modular exponentiation, but the cost of generating session keys is not acceptable in cloud meeting. Therefore, we apply the extended chaotic map to propose the passwordless group authentication key agreement, termed by PL-GAKA. PL-GAKA is an extended chaotic map-based approach, so it improves the computation efficiency of SGPAKE. Since PL-GAKA is passwordless, meeting members do not need other password maintenance.

In our analysis, we first prove that each member can compute correct session key and they have security communication. Then, we refer to [8,18,19,20,21,22] to measure the security of PL-GAKA in terms of session key security, mutual authentication, perfect forward security, data integrity, and man-in-the-middle attack. Moreover, we also demonstrate that the proposed solution is safe when suffering replay attacks, impersonation attacks, privileged insider attacks, and stolen-verifier attacks.

The structure of this paper is as follows: the background knowledge is present in Section 2. The proposed PL-GAKA is illustrated in Section 3. In Section 4, we analyze the correctness, security, and the overall comparison. The conclusion and future works are illustrated in Section 5.

2. Preliminaries

In this section, we will show that the security of Diffie–Hellman key exchange, and how the chaotic map-based approaches can reduce the computation cost without sacrificing the security of key agreement. In the following context, we first give an example to show the way of computing a session key over the Internet. Then, we introduce the Diffie-Hellman problem, which is the major property to guarantee the communication security. Eventually, we show an alternative technique named by the chaotic map to reduce the computation cost.

Diffie–Hellman key exchange is a famous scheme in terms of security communications. Considering the following scenario of generating a session key before starting a safety communication: Alice and Bob would like to create a security communication within G rounds. Firstly, Alice selects a big prime p and a primitive root g. Then, Alice generates a secrete value a for this communication with Bob:

Step 1

Alice obtains the message $A=g^{a}modp$ and sends $g,p,A$ to Bob over Internet.

Step 2

Bob also computes a secret value b for the communication with Alice. Bob computes the message $B=g^{b}modp$ and sends B to Alice. Moreover, Bob uses $g,p,A$ and b to compute the session key $K=A^{b}modp=g^{ab}modp$.

Step 3

Alice can compute the session key $K=B^{a}modp=g^{ba}modp$ from B. Then, both Alice and Bob have the same session key and they can start to communicate with each other.

In Step 3, Alice and Bob get the session key K, and then they can communicate with each other via encrypting/decrypting messages by K.

During the steps above, Alice and Bob focus on computing K in an open environment. Only Alice and Bob can derive correct K even if eavesdroppers capture the messages sent from Alice or Bob. The core idea of the safety in terms of generating K is the Diffie–Hellman problem and that is shown in the following definition.

Definition 1.

Diffie–Hellman problem [23]: Given appropriate settings of G and g, eavesdroppers obtain $g^{ab}$ by solving the Diffie–Hellman problem.

Solving Difie-Hellman problem is hard [23,24], and this is the reason that Diffie–Hellman key exchange provides high security. However, Diffie–Hellman key exchange requires heavy computation cost due to the modular exponentiation consideration. Designing a key ageerment approach with lower computation cost is a research direction.

Since Alice computes $K=B^{a}modp=g^{ba}modp$ and Bob computes $K=A^{b}modp=g^{ab}modp$, they derive the same K. Therefore, Alice and Bob can generate the session key via Internet. Chebyshev polynomials have similar properties as shown in the following definition.

Definition 2.

Semigroup property [25]: We have $T_r\left(T_s\left(x\right)\right)=T_{rs}\left(x\right)$ for different r and s, where $\forall -1\le x\le 1$.

The core idea of semigroup is similar to $g^{ab}$ in the Diffie–Hellman problem. Semigroup implies that there is not a specific order for r and s. This property comes from Chebyshev polynomials, which is defined as $T_{n+1}\left(x\right)=2x{T}_n\left(x\right)-T_{n-1}\left(x\right)$, where $T_0\left(x\right)=1$, $T_1\left(x\right)=x$, $n\in {\mathbb{Z}}^{+}$, and $x\in \mathbb{R}$.

However, $-1\le x\le 1$ is not enough provide high security in terms of the diversity of x, and Zhang extends the mapping range from $[-1,1]$ to $(-\infty ,\infty )$ [10]. The Extended Chebyshev polynomials are shown in Definition 3. The security can be improved dramatically. In other words, the scheme with semigroup property has similar security to that of the Diffie–Hellman key exchange.

Definition 3.

Extended Chebyshev polynomials: Given $x\in \mathbb{R}$, we have $T_r\left(T_s\left(x\right)\right)modp=T_{sr}\left(x\right)modp=T_s\left(T_r\left(x\right)\right)modp$ for different r and s.

In other words, we can apply chaotic map functions to design a key agreement approach with lower computation costs than that required by Diffie–Hellman key exchange protocols. The chaotic map-based key agreement approaches have similar security to that of the Diffie–Hellman problem.

3. Proposed Solution

SGPAKE has three processes including registration, authentication, and password modification. PL-GAKA is a passwordless scheme, so password modification is not necessary. The processes of registration and authentication are illustrated in the following subsections. Moreover, the symbol system applied in this paper is shown in

Table 1. The symbol system applied by the proposed solution.

Symbol	Definition
$U_i$	i-th user
GWN	The trusty authentication server
$h(.)$	One-way hash function
$K_G$	The private key generated by GWN
$UI{D}_i$	The id of $U_i$
p	A large prime number
$T_r$	Chaotic map
T	The timestamp
x	A variable within $(-\infty ,\infty )$
$K_{G{S}_i}$	The identity of GWN for $U_i$
$Aut{h}_{G{S}_i}$	The authentication information applied by $U_i$ for verifying GWN
$Aut{h}_{i1}$	The authentication information applied by $U_j$, $\forall j\ne i$, for verifying $U_i$
$Aut{h}_{i2}$	The authentication information applied by GWN for verifying $U_i$
$s{k}_i$	The factor of generating session key for $U_i$
$S_n$	The list of participants
$SK$	The session key

.

3.1. Registration

The purpose of registration is to construct a list of potential meeting members for GWN. Each meeting member $U_i$ provides the identity $UI{D}_i$ to GWN. GWN uses $UI{D}_i$ to generate the encrypted shared secret information $K_{G{S}_i}$, and then $U_i$ are available to join a cloud meeting.

The major consideration is the security, and we have the following issues. The first issue is how GWN confirms $U_i$, and the second one is how to ensure the safety of the entire process. Since PL-GAKA is passwordless, $UI{D}_i$ is important information for verifying $U_i$. The whole registration can be completed in an offline and face-to-face process, and the secure solution can be applied to determine the user characteristics, e.g., smart card [18]. We focus on providing the communication security during the cloud meeting, and meeting members can be pre-defined before meeting. Therefore, the offline registration process is available for cloud meeting to ensure each member is verified. The registration processes are illustrated in Figure 2, and details are listed as follows:

Step 1

The user $U_i$ registers his/her identity $UI{D}_i$ in GWN.

Step 2

GWN uses the private key $k_G$ to compute $K_{G{S}_i}=h(UI{D}_i\parallel k_G)$ and then sends $K_{G{S}_i}$ to $U_i$ via the secure channel.

Step 3

$U_i$ saves $K_{G{S}_i}$ for further authentications.

3.2. Authentication

The communication security depends on the stable member. All members must know each other. When a member joins the meeting, the authentication process is launched to ensure that all members know each other including GWN.

The authentication process spreads four messages. In the beginning, each $U_i$ sends the encrypted identity message $M_1$ to GWN. GWN verifies $M_1$ and sends the message $M_2$ including the list of meeting members and the encrypted server information back. After receiving $M_2$, $U_i$ broadcasts $M_3$ including the information required by cross authentication. Then, $U_i$ generates and broadcasts authentication information $M_4$. Eventually, each member authenticates each other and computes the session key for the encryption in the following meeting. We consider the timestamp in each message to guarantee that the process sequence can be tracked. Thus, when receiving a message, verifying the timestamp is the first task.

Consider n registered members who would like to participate in a cloud meeting. The proposed authentication process is illustrated in Figure 3, and the details are shown as follows:

Step 1

Each user $U_i$ generates a random number $a_i$ and computes $R_i=T_{a_i}\left(X\right)modp$. After considering the timestamp $T_1$, we have $R_i\oplus h(K_{G{S}_i}\parallel T_1)$. Then, the encrypted identity message $M_1=\{UI{D}_i,R_i\oplus h(K_{G{S}_i}\parallel T_1),T_1\}$ is organized and sent to GWN.

Step 2

As receiving $M_1$, GWN verifies $T_1$ firstly. GWN calculates $h(K_{G{S}_i}\parallel T_1)$ and obtains $R_i\oplus h(K_{G{S}_i}\parallel T_1)$ by Exclusive-OR (XOR) operation. Then, $R_i$ is derived by $(R_i\oplus h(K_{G{S}_i}\parallel T_1))\oplus h(K_{G{S}_i}\parallel T_1)$. According to semigroup property from Definition 3, we have $X_i=T_{b_i}\left(R_i\right)modp=T_{a_i{b}_i}\left(X\right)modp$ and $X_i^{\prime }=T_{b_i}\left(R_{i+1}\right)modp=T_{a_{i+1}{b}_i}\left(X\right)modp$. Then, we use $Y_i=X_{i-1}\oplus h(K_{G{S}_i}\parallel R_i\parallel T_2\parallel 0)$ and $Y_i^{\prime }=X_i^{\prime }\oplus h(K_{G{S}_i}\parallel R_i\parallel T_2\parallel 1)$ to generate the authentication information $Aut{h}_{G{S}_i}=h(K_{G{S}_i}\parallel R_i\parallel Y_i\parallel Y_i^{\prime })$ for verifying GWN. Eventually, the message $M_2=\{S_n,Y_i,Y_i^{\prime },Aut{h}_{G{S}_i},T_2\}$, where $S_n=\{U_1,U_2,\dots ,U_n\}$, including meeting member list and GWN authentication information is sent to $U_i$.

Step 3

Any other member $U_i,\forall i\ne j,$ receives $M_2$ and verifies $T_2$ and GWN by $Aut{h}_{G{S}_i}$. Next, $X_{i-1}$ and $X_i^{\prime }$ are derived by $Y_i\oplus h(K_{G{S}_i}\parallel R_i\parallel T_2\parallel 0)$ and $Y_i^{\prime }\oplus h(K_{G{S}_i}\parallel R_i\parallel T_2\parallel 1),$ respectively. Thus, we can compute $V_i=T_{a_i}\left(X_{i-1}\right)modp=T_{a_{i-1}{b}_{i-1}{a}_i}\left(X\right)modp$, and $V_{i-1}=T_{a_i}\left(X_i^{\prime }\right)modp=T_{a_{i+1}{b}_i{a}_i}\left(X\right)modp$. Then, the factor of the session key can be derived $W_i=V_i/V_{i-1}=(T_{a_{i-1}{b}_{i-1}{a}_i}\left(X\right)modp)/(T_{a_{i+1}{b}_i{a}_i}\left(X\right)modp)$. Finally, the message $M_3=\{UI{D}_i,W_i,T_3\}$ is broadcasted to all users.

Step 4

$U_i$ verifies $T_3$ after receiving $M_3$, and then derives the session key $s{k}_i$ by the following process:

$$\begin{array}{ccc}\hfill s{k}_i& =& {\left(V_i\right)}^n\times {\left(W_{i+1}\right)}^{n-1}\times {\left(W_{i+2}\right)}^{n-2}\times \dots \times \left(W_{i-1}\right)\hfill \\ & =& V_1\times V_2\times \dots \times V_n.\hfill \end{array}$$

The authentication information $Aut{h}_{i1}=h(S_n\parallel s{k}_i\parallel UI{D}_i\parallel T_3)$ applied by other members, and the authentication information $Aut{h}_{i2}=h(K_{G{S}_i}\parallel S_n\parallel V_i\parallel T_3)$ applied by GWN can be derived. $U_i$ broadcasts authentication information $M_4=\{Aut{h}_{i1},Aut{h}_{i2}\}$ to other users.

Step 5

After receiving $M_4$, any other member $U_j,\forall i\ne j,$ can authenticate $U_i$ by $Aut{h}_{i1}$, and GWN can authenticate $U_i$ by $Aut{h}_{i2}$. Eventually, the session key of this meeting can be generated $SK=h(S_n,s{k}_i)$.

When each participant obtains $SK$, they can start to communicate with each other via encrypting/decrypting messages by $SK$.

In PL-GAKA, we apply a chaotic map to reduce the computation cost from SGPAKE. The process of key agreement can be finished early, and the meeting members can build a safety communication. For the security, each participant applies a semigroup property shown in Definition 3 to compute the factor of session key as shown in Step 2. The messages required by the process of key agreement can be sent via the Internet. In summary, the proposed PL-GAKA requires low computation cost but provides similar security level to the Diffie–Hellman problem in a convenient cloud meeting.

4. Performance Analysis

We analyze the proposed solution in terms of the correctness, the security and the overall comparison with related solutions. For the security verification, we refer to [8,18,19,20,21,22] to evaluate session key security, mutual authentication, perfect forward security, and data integrity. Moreover, we also demonstrate that the proposed solution is safe when suffering replay attacks, impersonation attacks, privileged insider attacks, and stolen-verifier attacks.

4.1. Correctness

If each $U_i$ computes $s{k}_i$ correctly, it implies that all members have security communications in the cloud meeting. Therefore, we trace the process of generating $s{k}_i$, and the resuls are correct:

$$\begin{array}{ccc}\hfill s{k}_i& ={(T_{a_{i-1}{b}_{i-1}{a}_i}\left(x\right)modp)}^n& \times {\left(\frac{T_{a_i{b}_i{a}_{i+1}}\left(x\right)modp}{T_{a_{i-1}{b}_{i-1}{a}_i}\left(x\right)modp}\right)}^{n-1}\times {\left(\frac{T_{a_{i+1}{b}_{i+1}{a}_{i+2}}\left(x\right)modp}{T_{a_i{b}_i{a}_{i+1}}\left(x\right)modp}\right)}^{n-2}\hfill \\ & & \times \dots \times \left(\frac{T_{a_{i+n-1}{b}_{i+n-1}{a}_{i+n}}\left(x\right)modp}{T_{a_{i+n-2}{b}_{i+n-2}{a}_{i+n-1}}\left(x\right)modp}\right)\hfill \\ & =(T_{a_{i-1}{b}_{i-1}{a}_i}\left(x\right)modp)& \times (T_{a_i{b}_i{a}_{i+1}}\left(x\right)modp)\times (T_{a_{i+1}{b}_{i+1}{a}_{i+2}}\left(x\right)modp)\hfill \\ & & \times \dots \times (T_{a_{i+n-1}{b}_{i+n-1}{a}_{i+n}}\left(x\right)modp)\hfill \\ & =(T_{a_1{b}_1{a}_2}\left(x\right)modp)& \times (T_{a_2{b}_2{a}_3}\left(x\right)modp)\times (T_{a_3{b}_3{a}_4}\left(x\right)modp)\hfill \\ & & \times \dots \times (T_{a_n{b}_n{a}_{n+1}}\left(x\right)modp).\hfill \end{array}$$

4.2. Security Analysis

4.2.1. Session Key Security

$U_i$ uses the session key to encrypt the information sending over Internet. Therefore, if the session key is secure, it means that the communication in the cloud meeting is also security. The proposed solution has the Diffie–Hellman problem. Even if attackers capture $T_{a_i}\left(x\right)$ or $T_{b_i}\left(x\right)$, they still can not generate authentication information. Moreover, we consider random value $a_i$ and $b_i$, so it is difficult for attackers to compute $s{k}_i$ and $SK=h(S_n,s{k}_i)$. Therefore, the session key is security in PL-GAKA.

4.2.2. Mutual Authentication

In the authentication process, the authentication information is used to verify members and GWN. In PL-GAKA, each member uses $Aut{h}_{G{S}_i}$ and $Aut{h}_{i1}$ to verify GWN and other members while GWN uses $Aut{h}_{i2}$ to verify participants. Even if attackers can capture the identity and $K_{G{S}_i}$, respectively, and then generate $Aut{h}_{G{S}_i}$ and $M_4$, each member must be authenticated by all other members and GWN. Therefore, the PL-GAKA is secure under the multi-authentication consideration.

4.2.3. Perfect Forward Security

Considering a situation in which attackers have the ability to capture the session key, they can use the session key to decrypt the information sending during cloud meetings. For example, a web user uses a username and a password to log in to a web service. If someone knows the username and the password, he/she can log in to the same web service and use it.

PL-GAKA does not take username and password into account for each meeting member. In each meeting, we use $s{k}_i={\left(V_i\right)}^n\times {\left(W_{i+1}\right)}^{n-1}\times {\left(W_{i+2}\right)}^{n-2}\times \dots \times \left(W_{n-1}\right)$ to compute the session key $SK=h(S_n,s{k}_i)$. In other words, even if the session key is captured by attackers, the cloud meeting is still secure during the cloud meeting.

4.2.4. Data Integrity

When the information is modified by attackers, we say that the protocol has data integrity if each member can recognize the correctness of the received data. In PL-GAKA, if $R_i\oplus h(K_{G{S}_i}\parallel T_1)$ in $M_1$ is tampered with, GWN can use $h(K_{G{S}_i}\parallel T_1)$ to capture $R_i$. If $W_i$ in $M_3$ is tampered with, other members will derive an unmatched $s{k}_i$. Therefore, the proposed protocol satisfies data integrity.

4.2.5. Replay Attack

Attackers can eavesdrop on the packets sending over Internet to capture the communication information. Then, attackers send the captured information again to be an authenticated user. This is the replay attack. If the mechanism can not detect replay attack, someone can counterfeit an authentication member.

In the proposed solution, we consider the timestamp for each message. If attackers counterfeit an authentication member and resend the message again, the timestamp can be used to capture the irrationality. Thus, the replay attack is useless in PL-GAKA.

4.2.6. Impersonation Attack

Impersonation attack means that illegal users impersonate legal ones and pass the authentication process with the stolen authenticated message to enter the system.

In the proposed group authenticated key agreement mechanism, the attacker can not obtain the authenticated message of $K_{G{S}_i}$ because $K_{G{S}_i}$ is encrypted. Without $K_{G{S}_i}$, the attacker can not impersonate $U_i$ or GWN. Therefore, PL-GAKA can defend impersonation attacks.

4.2.7. Privileged-Insider Attack

Privileged-insider attack means that an authentication member impersonates other legal users with his/her own authenticated message. $U_i$ in PL-GAKA gets $K_{G{S}_i}$ from GWN in a safety tunnel in the registration process. Since different members will have various $K_{G{S}_i}$, no member can use his/her own $K_{G{S}_i}$ to impersonate the other one. Hence, this mechanism can defend privileged-insider attack.

4.2.8. Stolen-Verifier Attack

Some protocol considers static verification data, which is saved in the server for authenticating members. Attackers steal the verification data from authentication servers, so that the attackers are authenticated by the verification data. Each member in the proposed solution is verified by other members and GWN, so verification data is not necessary. Therefore, the stolen-verifier attack is useless for the PL-GAKA.

4.2.9. Shared Device

Sharing a communication device, e.g., cell phone or tablet, is a common behavior between friends. In our scenario, if the encryption and decryption protocols are implemented in the specific communication device, the sharing device may be a security issue. PL-GAKA requires users to provide the identity as shown in several processes, such as generating $M_1$ and $M_3$. If a sharing device is used in PL-GAKA, the impersonator still can not join the cloud meeting due to the lack of identity. Therefore, sharing a device does not work in PL-GAKA.

4.2.10. Man-in-the-Middle Attack

During the key generation process, man-in-the-middle attack means that there is an attacker who builds a pair of connections with a specific sender and receiver. In other words, all messages sent from sender to receiver will be relayed by the attacker, and the attacker can access all the information of sender and receiver.

Man-in-the-middle attack is useless in the PL-GAKA, and we have the following properties to prove this claim. First, each member uses his/her unique $UI{D}_i$ in the registration and authentication processes. Thus, generating $UI{D}_i$ is an essential requirement. Second, each member must register in the GWN by the $UI{D}_i$. The attacker has to be verified by GWN. Third, $S_n$ is considered in Step 2 of authentication process. In other words, each meeting member must be verified by each other. Putting the above together, PL-GAKA avoids a man-in-the-middle attack.

4.3. Security Analysis via BAN Logic

We apply Burrows-Abadi-Needham (BAN) logic to verify the security of PL-GAKA in a formal analysis. PL-GAKA consists of registration and authentication phrases. Since registration phrase can be processed in a safety tunnel, we focus on the analysis in terms of the authentication phrase.

PL-GAKA is a group key authentication scheme, and some cloud meeting members will exchange messages between each member and GWN. To simplify the communication model, we generalize a meeting communication to the model with GWN and two members $u_i$ and $u_j$. There are some concurrent processes in the authentication of PL-GAKA. For example, each member sends the identity message to GWN that all members send $M_1$ to GWN, and we consider a simple case that $u_i$ and $u_j$ send $M_1$ to GWN simultaneously. Moreover, $M_3$ and $M_4$ will be broadcasted to all members, and we consider the case that $u_i$ sends $M_3$ to $u_j$ while $u_j$ sends $M_4$ to $u_i$. Therefore, we can generalize the communication model to a simple one, as shown in Figure 4.

After registering in GWN, each $u_i$ has the initial state including $UI{D}_i$, $K_{G{S}_i}$, and a timestamp generator. According to Figure 4, we have the following processes. Note that both $u_i$ and $u_j$ sends $M_1$ to GWN while GWN responses $M_2$ to $u_i$ and $u_j$, and we just focus on the notation on the communication between $u_i$ and GWN.

P1	$said(u_i,M_1)$: $u_i$ sends $M_1$.
P2	$sees(GWN,M_1)$: GWN receives $M_1$.
P3	$said(GWN,M_2)$: GWN sends $M_2$.
P4	$sees(u_i,M_2)$: $u_i$ receives $M_2$.
P5	$said(u_i,M_3)$: $u_i$ sends $M_3$.
P6	$sees(u_j,M_3)$: $u_j$ receives $M_3$.
P7	$said(u_j,M_4)$: $u_j$ sends $M_4$.
P8	$sees(u_i,M_4)$: $u_i$ receives $M_4$.

Here, we have the following assumptions:

A1	$bel(GWN,cont(u_i,M_1))$: GWN believes that he/she has the ability to confirm $M_1$ sent from $u_i$.
A2	$bel(GWN,goodinfo(u_i,M_1,GWN))$: GWN believes that $M_1$ sent from $u_i$ to GWN is confirmed.
A3	$bel(u_i,cont(GWN,M_2))$: $u_i$ believes that he/she has the ability to confirm $M_2$ sent from GWN.
A4	$bel(u_i,goodinfo(GWN,M_2,u_i))$: $u_i$ believes that $M_2$ sent from GWN to $u_i$ is confirmed.
A5	$bel(u_j,cont(u_i,M_3))$: $u_j$ believes that he/she has the ability to confirm $M_3$ sent from $u_i$.
A6	$bel(u_j,goodinfo(u_i,M_3,u_j))$: $u_j$ believes that $M_3$ sent from $u_i$ to $u_j$ is confirmed.
A7	$bel(u_i,cont(u_j,M_4))$: $u_i$ believes that he/she has the ability to confirm $M_4$ sent from $u_j$.
A8	$bel(u_i,goodinfo(u_j,M_4,u_i))$: $u_i$ believes that $M_4$ sent from $u_j$ to $u_i$ is confirmed.
A9	$bel(GWN,fresh\left(T_1\right))$: GWN believes that $T_1$ is fresh.
A10	$bel(u_i,fresh\left(T_2\right))$: $u_i$ believes that $T_2$ is fresh.
A11	$bel(u_j,fresh\left(T_3\right))$: $u_j$ believes that $T_3$ is fresh.

Thus, we have the following goals:

G1	$bel(UI{D}_i,R_i\oplus h(K_{G{S}_i}\parallel T_1),fresh\left(T_1\right))$. $GWN\to u_i$: $M_1$ sent from $u_i$ to GWN is correct and fresh.
G2	$bel(S_n,Y_i,Y_i^{\prime },Aut{h}_{G{S}_i},fresh\left(T_2\right))$. $u_i\to GWN$: $M_2$ sent from GWN to $u_i$ is correct and fresh.
G3	$bel(UI{D}_i,W_i,fresh\left(T_3\right))$. $u_j\to u_i$: $M_3$ sent from $u_i$ to $u_j$ is correct and fresh.
G4	$bel(Aut{h}_{i1},Aut{h}_{i2})$. $u_i\to u_j$: $M_4$ sent from $u_j$ to $u_i$ is correct and fresh.

From the believe connection, each goal can be achieved:

G1:	From $P_1$, $P_2$, $A_1$, $A_2$, and $A_9$, $M_1$ is correct and fresh.
G2:	From $P_3$, $P_4$, $A_3$, $A_4$, and $A_{10}$, $M_2$ is correct and fresh.
G3:	From $P_5$, $P_6$, $A_5$, $A_6$, and $A_{11}$, $M_3$ is correct and fresh.
G4:	From $P_7$, $P_8$, $A_7$, and $A_8$, $M_4$ is correct and fresh.

Since each goal can be achieved, PL-GAKA provides a secure session key generation.

4.4. Security Comparison

The overall comparison between PL-GAKA and related approaches are shown in

Table 2. The overall comparison between the proposed solution and related approaches.

Protocol	Protocol #1	Protocol #2	Protocol #3	Protocol #4	Protocol #5	PL-GAKA
Public Key	No	No	Yes	Yes	No	No
Private Key	shared password	shared password	PKI-based	PKI-based	Yes	No
Asymmetric Encryption	No	No	No	Yes	No	No
Symmetric Encryption	Yes	Yes	No	No	Yes	No
Signature Verification	No	No	Yes	Yes	No	No
Mutual Authentication	No	Yes	No	No	Yes	Yes
Perfect Forward Security	Yes	No	Yes	No	Yes	Yes

PKI: Public Key Infrastructure.

. We refer to [8] for considering the following protocols:

• Protocol #1 proposed by Abdalla and Pointcheval is a group password-based key agreement [15].
• Protocol #2 proposed by Dutta and Barua is a group password-based authentication key agreement [16].
• Protocol #3 proposed by Kim et al. is a group key agreement [3].
• Protocol #4 proposed by Boyd and Nieto is a group key agreement [17].
• Protocol #5 proposed by Lee et al. is a group password-based authentication key agreement [8].

For the security consideration, PL-GAKA takes into account the extended chaotic map to improve the computation efficiency from SGPAKE. Although the extended chaotic map does not provide the Diffie–Hellman problem, we still can derive an equivalent security level by extended Chebyshev polynomials. Therefore, solving the message generated by the extended chaotic map requires similar computing resource to that in the Diffie–Hellman problem. Therefore, the security level gap between PL-GAKA and SGPAKE is small.

4.5. Efficiency Comparison

The results of the efficiency comparison between SGPAKE and PL-GAKA are illustrated in

Table 3. The efficiency comparison between SGPAKE and PL-GAKA.

Protocol	SGPAKE	PL-GAKA
Password Maintenance	Yes	No
Exponentiation	Yes	No
Key Calculation	Modular Exponentiation	Extented Choatic Map

. Since this paper focuses on the cloud meeting and improves SGPAKE in the cloud meeting, we compare PL-GAKA with SGPAKE. For the Exponentiation evaluation, SGPAKE requires $4\left(2^a\right)$ because of two modular exponential computations for generating session keys. According to the properties of cloud meetings, the participant list can be determined before PL-GAKA starts, so the heavy work can be well prepared, and the computation cost can be finished from an offline computation.

For the efficiency of the session key calculation process, PL-GAKA considers the extended chaotic map, which is a lightweight calculation compared with the modular exponential computation. Thus, PL-GAKA requires less computation time to generate a session key than that of SGPAKE. On the other hand, the meeting member does not require a password to verify the identity in PL-GAKA, so the password maintenance mechanism is not necessary in Pl-GAKA, but it is required in SGPAKE. Putting the above together, PL-GAKA is more efficient than SGPAKE in terms of key generation and the user maintenance.

5. Conclusions

Group authentication key agreement is necessary for providing security communications, and a cloud meeting is a typical and popular application. Lee et al. present SGPAKE to realize the secure group communication. However, SGPAKE is a Diffie–Hellman key exchange scheme, and the heavy computation cost is an implementation issue. We consider SGPAKE and apply the extended chaotic map to propose a password-less group authentication key agreement named PL-GAKA. Since an extended chaotic map provides properties that are similar to semigroup in chaotic map, the security of PL-GAKA is equivalent to that of SGPAKE. PL-GAKA is a password-less protocol, so each user does not worry about the password maintenance. Moreover, the session key is dynamic in each cloud meeting. In other words, PL-GAKA considers short-term authentication, and it provides stronger security than other long-term authentication protocols. In the future, we will focus on the progress on improving the registration security of the meeting members coming from various companies, and consider sharing devices.

When a cloud meeting takes place, only the registered users can be invited to join the meeting. In the real world applications, the registration can be finished when a new staff member is reported to the company, and the entire process can be done in a secure procedure. It means that the meeting members must be employed in the same company in PL-GAKA. In other words, the registration process must be improved for staff members from different companies that do not have consistent registration processes.