Sage Journals: Discover world-class research

Abstract

As a technology of monitoring and recording human body health signals, wireless body area networks (WBANs) play an increasingly important role in the field of healthcare. Inspired by the semigroup property of Chebyshev maps, we designed a novel chaotic maps-based authentication scheme for wireless body area networks. The study aims to avoid modular exponential computation or scalar multiplication on an elliptic curve and reduce the need for time-consuming. Compared with the previous schemes, our scheme not only enjoys more security features but also has reduced computational cost of client and application provider. Moreover, we present the security model for our scheme, demonstrate the validity of the protocol by the BAN (Burrows, Abadi, and Needham) logic in detail, and analyze the software implementation method of Chebyshev polynomial.

1. Introduction

In wireless body area networks (WBANs) [1, 2], with the human body as the communication center, some intelligent low-power sensor nodes are integrated in/on or around a human body. Low-power sensor nodes can collect important physiological parameters of human body and surrounding environment data, then send the collected data to the intelligent mobile terminal or the base station near the body in the wireless way, and finally transfer the data to the server for analysis and processing through Internet. Through the network, medical personnel can monitor the physiological information and surrounding environmental information of users by computer and users may ask for emergency first aid. Moreover, the server can also realize real-time recording of the user data. WBANs are not only applied in medical and health care but also applied to privacy protection. Security and privacy are key aspects of the applications in WBANs [3], so access control and authentication are the major security services needed. A typical wireless body area network is shown in Figure 1.

Figure 1

A typical scenario of WBANs.

Authentication is to confirm the legitimacy of the two communication entities in an open network environment; it allows two entities to establish the trust relationship and is an important component of network security technologies. Authentication can be realized via 3W (What You Know, What You Have, or What You Are). Physiological information and health privacy data have strict security requirements. As the first barrier, the authentication information protection system also becomes one of the key problems of WBANs. The authentication enables a node to verify the legitimacy of the other sensor nodes involved in the communication, and only messages sent by authorized nodes can be detected and accepted. However, the authentication schemes costing more time of computation and communication are not suitable for WBANs because of the limitations of computation capability, energy, storage space, and the battery's lifetime. Therefore, WBANs system requires more secure and practical authentication mechanism.

In 1981, Lamport [4] presented a solution to solve the problem of password-based remote authentication using cryptographic hash functions. However, high hash overhead and the necessary consumption of password resetting lowered its practical applicability. Since then, several improved password-based authentication schemes had been proposed [5–7]. However, most of these password-based remote user authentication schemes can only prevent certain kinds of attacks [8, 9]. The authentication scheme based on symmetric key encryption was vulnerable to smart card attack [10]. The scheme based on public key password encryption involving modular exponentiation computation or elliptic curve algorithm [11–13] produced large computational overhead for terminal equipment. In 2009, Tseng et al. [14] proposed the first authentication scheme based on chaotic maps. However, Niu and Wang [15] pointed out that the scheme of [14] could not ensure user anonymity and scheme security when there was a malicious user. In order to overcome these disadvantages, Niu and Wang also presented an improved scheme. Unfortunately, Xue and Hong [16] found that the scheme of [15] was vulnerable to the man-in-the-middle attack. In 2013, Guo and Chang [17] pointed out that these schemes [14–16] did not meet the requirements of key agreement, put forward a new authentication scheme based on chaotic maps, and asserted that the scheme could realize user anonymity and resist a variety of attacks. In the same year, Hao et al. [18] pointed out that Guo and Chang's scheme cannot ensure user untraceability and requires the use of double secret keys. To enhance the efficiency and privacy, they presented their modified version. Unfortunately, Lee [19] found that Hao et al.'s scheme violates the contributory property of key agreements and it can predetermine the session key alone by a malicious participant. To handle this, Lee presents effective improvements with higher security. In addition, Jiang et al. [20] identified that the security flaw of Hao et al.'s scheme is not to resist the stolen smart card attack, and they also proposed a new chaotic map-based authentication scheme. Regrettably, Li et al. [21] found that both Lee's and Jiang et al.'s authentication have a serious security problem which can cause the service misuse attack, so they modified it slightly to prevent the shortcomings. In [22] the authors proposed a key exchange scheme which worked like Diffie-Hellman algorithm by utilizing the semigroup property of Chebyshev polynomials. The improved protocol overcomes many drawbacks of the previous chaotic key agreement protocols. Both analysis and experimental results demonstrate that it was secure and practical.

Theoretically, the authentication schemes in WBANs could be realized by traditional public key cryptosystem such an RSA algorithm [23] and ElGamal algorithm [24]. But in these algorithms, a complicated operation called modular exponentiation is needed. Rather, the computation capability of medical sensors and control nodes in WBANs is very limited. Hence those algorithms are not suitable for WBANs. In recent years, Liu et al. [25, 26] proposed a certificateless signature (CLS) scheme and designed two certificateless remote anonymous authentication schemes for WBANs. The two schemes involved the bilinear paring operation, and the computation complexity of a pairing operation is several times of that of elliptic curve point multiplication. Moreover, the first scheme did not realize user anonymity because a constant value related to client's identity should be transferred via the network, and the second security enhanced authentication scheme was vulnerable to the stolen-verifier attack. Therefore, the scheme of Liu et al. was not suitable for WBANs. In 2014, Zhao [27] presented an identity- (ID-) based efficient anonymous authentication scheme for WBANs with elliptic curve cryptosystem (ECC); the proposed scheme avoided the complicated bilinear pairing operation and saved the additional computation to verify the legality of certificate. However, the proposed scheme requires the elliptic curve point multiplication, thus increasing the computation cost.

In the paper, we studied the intrinsic characteristics of WBANs, compared existing remote authentication schemes, and proposed a chaotic maps-based authentication scheme for WBANs. Our scheme took full advantage of the semigroup property of Chebyshev chaotic map. In the new scheme, two entities in communication did not need to establish a public key encryption system in advance and the modular exponential calculation and elliptic curve scalar multiplication were avoided in the authentication phase. Besides we analyze validity, security, and computational cost of the scheme and also demonstrate the security model for the scheme and software implementation of Chebyshev polynomial. We think that the proposed scheme was more suitable for WBANs.

The rest of the paper is arranged as follows. Section 2 briefly introduces the preliminaries of Chebyshev chaotic maps. Section 3 elaborates scheme's design, including design architecture, three phases of the authentication scheme, and password change phase. Section 4 is performance analysis, it gives the scheme's security model, the validity proof of our scheme by BAN logic in detail, security analysis of defense variety attacks, software implementation of Chebyshev polynomial, and computational cost comparison with recently published schemes. Section 5 presents the conclusion.

2. Chebyshev Chaotic Maps

In this section, we firstly described Chebyshev polynomials. The definitions of Chebyshev polynomials [28] are provided as follows.

Definition 1.

Let n be an integer and $n \in Z$ , $x \in [- 1,1]$ . The Chebyshev polynomial $T_{n} (x) : [- 1,1] \to [- 1,1]$ is defined as

\begin{matrix} T_{n} (x) = \cos (n \cdot \arccos (x)), \end{matrix}

(1)

where the trigonometric function [13]

\cos (x)

is defined as

\cos (x) : R \to [0, π]

and

\arccos (x)

is defined as

\arccos (x) : [- 1,1] \to [0, π]

Then, the recurrence relationship of Chebyshev polynomial is defined as

\begin{matrix} T_{n} (x) = 2 x T_{n - 1} (x) - T_{n - 2} (x), n \geq 2, \end{matrix}

(2)

where

T_{0} (x) = 1, T_{1} (x) = x

Here are some examples of Chebyshev polynomials:

\begin{matrix} T_{2} (x) = 2 x^{2} - 1; \\ T_{3} (x) = 4 x^{3} - 3 x; \\ T_{4} (x) = 8 x^{4} - 8 x^{2} + 1; \\ T_{5} (x) = 16 x^{5} - 20 x^{3} + 5 x . \end{matrix}

(3)

Chebyshev polynomials satisfy the following important characteristics [29–31], the semigroup property, and the chaotic property.

(1) Semigroup Property. One of the most important properties of Chebyshev polynomials is called the semigroup property:

\begin{matrix} T_{r} (T_{s} (x)) = T_{r s} (x), r, s \in Z, s \in [- 1,1] . \end{matrix}

(4)

According to the semigroup property, Chebyshev polynomial meets the following conditions:

\begin{matrix} T_{r} (T_{s} (x)) = T_{s r} (x) = T_{s} (T_{r} (x)), r, s \in Z, s \in [- 1,1] . \end{matrix}

(5)

In 2008, Zhang [32] proved that the semigroup property could be defined within the interval $(- \infty, + \infty)$ as

\begin{matrix} T_{n} (x) \equiv (2 x T_{n - 1} (x) - T_{n - 2} (x)) \mod p . \end{matrix}

(6)

Here $n \geq 2$ , $x \in (- \infty, + \infty)$ , and p is a large prime number.

Therefore, $T_{r} (T_{s} (x)) \equiv T_{s r} (x) \equiv T_{s} (T_{r} (x)) \mod p$ .

(2) Chaotic Property. When $n > 1$ , the Chebyshev polynomial map $T_{n} (x) : [- 1,1] \to [- 1,1]$ of the degree n is a chaotic map with the invariant density $f * (x) = 1 / (π \sqrt{1 - x^{2}})$ and its positive Lyapunov exponent $λ = \ln n > 0$ .

Chebyshev polynomials are often to be used to solve the following two kinds of problems [20, 33–35], which are intractable to be solved within polynomial time.

Definition 2 (chaotic maps-based discrete logarithm problem (CMDLP)).

Given two elements x and y, it is computationally infeasible to find the integer n such that $T_{n} (x) \mod p = y$ .

Definition 3 (chaotic maps-based Diffe-Hellman Problem (CMDHP)).

Given three elements x, $T_{r} (x) \mod p$ , and $T_{s} (x) \mod p$ , it is computationally infeasible to compute $T_{r s} (x) \mod p$ .

3. Design Scheme

3.1. Design Architecture

As show in Figure 2, three kinds of participation objects are involved in the authentication protocol for WBANs: the WBANs client, the network manager (NM), and the application provider (AP). WBANs client refers to the users who can obtain certain service from AP through WBANs terminals or applications such as PDA, smartphone, biosensor, or medical equipment. AP may be a hospital, a clinic, or a physician, which can provide medical service through WBANs. NM is responsible for creating the private key between the client and the application service provider. It is not necessarily the strong trusted third party (TTP) because it only issues one part of the private key of a legitimate user. However, this part of the private key is not adequate to pretend to be a legitimate client. TTP is a trusted third party in the network, and it may be a trusted server or a key distribution center. TTP shares different secret key with each participant and all of these keys will be in place before protocol begins. In our scheme, we have not employed TTP, because (1) TTP needs to know user's identity to search the session key which is contrary to the anonymity of the user; (2) more steps will lead communication burden and computational load, which neglects the resource constraints of WBANs; (3) even though the server is pretended by malicious user, it could not obtain user's random number b because user sends $h (P W) \oplus b$ but not b to server by secure channel in the registration phase. When malicious users guess a random number for authentication, it will raise $X_{u} \neq X_{u}^{'}$ , so the authentication will be aborted. In a practical application, NM may be a commercial organization which has been delegated as the private key generator for managing the registration system.

Figure 2

Working flow in the authentication scheme for WBANs.

3.2. Authentication Scheme

In this section, we will elaborate our remote authentication scheme for WBANs. The proposed scheme has three phases: the initialization phase, the registration phase, and the authentication phase. The notations used in this scheme are provided in Notations.

3.2.1. Initialization Phase

This phase is also called parameter generation phase. In this phase, S firstly creates the system parameters, including the secret key $m k$ with the length of at least 256 bits, a random number $x \in (- \infty, + \infty)$ , and a one-way hash function $h (\cdot)$ . The generation process of a random number is similar to that in the C++ program language. First create a seed, and then provide a random number.

3.2.2. Registration Phase

If the user U wants to be a legal user, the following steps must be executed between U and S through a secure channel, as shown in Box 1.

Box 1: Registration phase.

$U s e r$ Secure Channel $S e r v e r$

Select $I D$ and $P W$

Generate a random number b Generate a random number p

Compute $X_{u} = h (I D ‖ m k)$

$Y = X_{u} \oplus h (P W) \oplus b$

Compute $Y_{u} = Y \oplus b$

Replace Y with $Y_{u}$

Store b into $S C$

Step 1.

U chooses $I D$ , $P W$ , and a random number b and then sends $I D$ and $h (P W) \oplus b$ to server through a secure channel.

Step 2.

Upon receiving $I D$ and $h (P W) \oplus b$ , S selects a random number p and computes $X_{u} = h (I D ∥ m k)$ and $Y = X_{u} \oplus h (P W) \oplus b$ , then stores ${X_{u}, Y, h (\cdot), x, T_{m k} (x), p}$ into the smart card, and publishes it to U.

Step 3.

U computes $Y_{u} = Y \oplus b$ , replaces Y with $Y_{u}$ , then stores the random number b into the smart card, and completes the registration phase.

3.2.3. Authentication Phase

A legal user U with valid smart card can establish the secure and authorized session with the server. When the users want to request some services, they firstly carry out the mutual authentication and then consult the session key that will be used in the future for the secure transmission of data. As shown in Box 2, the authentication between the user and the server consists of the following steps.

Box 2: Authentication phase.

$U s e r$ Public Channel $S e r v e r$

Input $I D$ and $P W$

Generate a random number u

Compute $C_{1} \equiv T_{u} (x) \mod p$

$K A \equiv T_{u} (T_{m k} (x)) \mod p$

$X_{u} = Y \oplus h (P W)$

$D I D = I D \oplus h (K A)$ Check $T_{2} - T_{1} \leq Δ T$

$M_{u s} = h (I D ‖D I D‖ X_{u} ‖ C_{1} ‖ K A) \overset{M_{1} = \{C_{1}, D I D, M_{u s} ‖ T_{1}\}}{\to}$ if true

Compute ${K A}^{'} \equiv T_{m k} (T_{u} (X)) \mod p$

${I D}^{'} = D I D \oplus h ({K A}^{'})$

$X_{u}^{'} = h (I D ‖ m k)$

Check $h ({I D}^{'} ‖D I D‖ X_{u}^{'} ‖C_{1}‖ {K A}^{'}) = M_{u s}$

if true

Generate a random number r

Compute $C_{2} \equiv T_{r} (x) \mod p$

Check $T_{4} - T_{3} \leq Δ T$ $s k \equiv T_{r} (T_{u} (x)) \mod p$

if true $\overset{M_{2} = \{C_{2}, M_{s u} ‖ T_{3}\}}{\leftarrow}$ $M_{s u} = h ({I D}^{'} ‖ C_{2} ‖ {K A}^{'} ‖ s k)$

Compute ${s k}^{'} \equiv T_{u} (T_{r} (x)) \mod p$

Check $h (I D ‖C_{2}‖ K A ‖{s k}^{'}) = M_{s u}$

if true Check $h ({K A}^{'} ‖ s k) = M_{s k}$

Compute $M_{s k} = h (K A ‖ {s k}^{'}) \overset{M_{3} = \{M_{s k}\}}{\to}$ if true

$s k \equiv T_{r} (T_{u} (x)) \mod p \equiv T_{u} (T_{r} (x)) \mod p$

Step 1.

User U inserts the smart card $S C$ into a card reader and then enters his/her $P W$ . The smart card generates a random number u, computes $C_{1} \equiv T_{u} (x) \mod p$ , $K A \equiv T_{u} (T_{m k} (x)) \mod p$ , $X_{u} = Y \oplus h (P W)$ , and $D I D = I D \oplus h (K A)$ , then creates the message $M_{u s} = h (I D ∥ D I D ∥ X_{u} ∥ C_{1} ∥ K A)$ , and sends the login message $M_{1} = {C_{1}, D I D, M_{u s} ∥ T_{1}}$ to S through a public channel, where $T_{1}$ is the current timestamp.

Step 2.

Upon receiving the request message, S checks whether $T_{2} - T_{1} \leq Δ T$ holds, where $T_{2}$ is the current timestamp. If it does not hold, S terminates the session; otherwise S computes ${K A}^{'} \equiv T_{m k} (T_{u} (X)) \mod p$ , ${I D}^{'} = D I D \oplus h ({K A}^{'})$ , and $X_{u}^{'} = h (I D ∥ m k)$ . Then S checks whether $h ({I D}^{'} ∥ D I D ∥ X_{u}^{'} ∥ C_{1} ∥ {K A}^{'}) = M_{u s}$ ; if not, S also terminates the session; otherwise S generates a random number r and computes $C_{2} \equiv T_{r} (x) \mod p$ and the session key $s k \equiv T_{r} (T_{u} (x)) \mod p$ . Finally S computes $M_{s u} = h ({I D}^{'} ∥ C_{2} ∥ {K A}^{'} ∥ s k)$ and sends the response message $M_{2} = {C_{2}, M_{s u} ∥ T_{3}}$ to the user U, where $T_{3}$ is the current timestamp.

Step 3.

After receiving the response message $M_{2}$ , the smart card $S C$ verifies whether $T_{4} - T_{3} \leq Δ T$ holds, where $T_{4}$ is the timestamp. If not, $S C$ terminates the session; otherwise $S C$ computes ${s k}^{'} \equiv T_{u} (T_{r} (x)) \mod p$ ; then $S C$ checks whether $h (I D ∥ C_{2} ∥ K A ∥ {s k}^{'}) = M_{s u}$ . If not, $S C$ terminates the session; otherwise U computes $M_{s k} = h (K A ∥ {s k}^{'})$ and sends $M_{3} = {M_{s k}}$ to server S.

Step 4.

Upon receiving the message $M_{3}$ , S checks whether $h ({K A}^{'} ∥ s k) = M_{s k}$ holds; if it is true, the verification between U and S succeeds and mutual authentication is accomplished. The session key is correct and both U and S can use $s k$ to communicate with each other in safety. Otherwise, this connection will be stopped.

3.3. Password Change Phase

In addition to the above three phases, the system also provides the function of changing the password. A legal user U with smart card can change the password of the smart card in the following steps.

Step 1.

User U inserts his/her smart card $S C$ into a card reader and enters the old $P W$ .

Step 2.

In order to verify the correctness of the input, the smart card $S C$ establishes a certification session with the server S as described in the above authentication phase. If the user inputs the correct identity and password, the mutual authentication succeeds and then the user U inputs a new password ( ${P W}_{n e w}$ ).

Step 3.

Smart card $S C$ computes $Y_{n e w} = X_{u} \oplus h ({P W}_{n e w})$ and replaces Y with $Y_{n e w}$ .

4. Performance Analysis

In this section, we will analyze the validity, security, and efficiency of our protocol. First, we demonstrate the security model and then use Burrows-Abadi-Needham (BAN) logic to confirm the correctness of the proposed protocol. Second, we will explain that our protocol can withstand various attacks. The third is the discussion of the efficiency about our proposed protocol.

4.1. Security Model

In order to make our scheme resist the known attacks in the authentication protocol, so the method of provable security is used. The proof of security is in the random oracle model and is based on the model proposed by Abdalla and Pointcheval [36]. The model [34, 35] which we use is as follows.

4.1.1. Participants

Each participant of an authentication protocol is either a client $U = {U_{1}, U_{2}, \dots, U_{i}, \dots, U_{n}}$ or a server S. We refer to the ith instance of $U_{i}$ in a session as $Π_{U}^{i}$ , and the instance of the server is denoted by $Π_{S}$

4.1.2. Adversary Model

The communication network is assumed to be potentially controlled by an adversary $A$ , who has the ability to intercept, block, inject, remove, or modify any messages transmitted over the public network. The adversary $A$ is allowed to have access to the following queries in any order. (i)

$E x e c u t e (Π_{U}^{i}, Π_{S})$ . This query models passive attacks. It outputs the messages that were exchanged during the honest execution of the client instance $Π_{U}^{i}$ and server instance $Π_{S}$ .

(ii)

$S e n d (Π_{c}^{k}, M)$ . This query models active attacks. Adversary $A$ can send a message through this oracle to $Π_{c}^{k}$ , where $c \in (U, S)$ . Then $Π_{c}^{k}$ returns some messages, which are computed by $Π_{c}^{k}$ based on the proposed scheme, to $A$ .

(iii)

$R e v e a l (Π_{c}^{k})$ . This query models the misuse of session key. $A$ can obtain a session key from the oracle $Π_{c}^{k}$ . If the oracle $Π_{c}^{k}$ has accepted, then it returns the session key to $A$ . Otherwise, $Π_{c}^{k}$ returns a null value to $A$ .

(iv)

$C o r r u p t (U)$ . This query models the adversary $A$ to corrupt a protocol participant U; that is, $A$ can get the secret information about U.

(v)

$T e s t (Π_{c}^{k})$ . This query measures the semantic security of the session key $s k$ . To respond to this query, the oracle $Π_{c}^{k}$ chooses a random bit $b \in {0,1}$ . If $b = 1$ , then $Π_{c}^{k}$ returns the session key $s k$ . Otherwise, it returns a random value. Adversary $A$ can send only a single query of this form to $Π_{c}^{k}$ .

(vi)

$h (m_{i})$ . In this query, when an adversary $A$ does this hash query with message $m_{i}$ , $Π_{c}^{k}$ returns a random number $r_{i}$ and adds $(m_{i}, r_{i})$ to a list $L_{h}$ . From every beginning, the list is empty.

4.1.3. Security Proof

Here we show that the proposed scheme can provide the secure authentication and key agreement under the assumption of CMDHP.

Theorem 4.

Suppose that $A$ can violate the proposed protocol with a nonnegligible probability. $A$ makes $q_{U}$ query to the oracle of the user $Π_{U}^{i}$ , $q_{S}$ query to the oracle of the server $Π_{S}$ , and $q_{h}$ query to $h (\cdot)$ . Then we can design an algorithm $C$ to solve the chaotic maps-based Diffie-Hellman Problem (CMDHP) with a nonnegligible probability.

Proof.

Firstly, we assume the type of attack which forges the user to communicate with server. Then we can construct algorithm $C$ to solve the CMDHP; that is, $C$ returns $T_{u r} (x) \mod p$ from an instance of ${x, T_{u} (x) \mod p, T_{r} (x) \mod p}$ by CMDHP, where $u, r \in Z_{p}^{*}$ .

For instance, CMDLP is ${x, T_{m k} (x), m k}$ . B simulates the system initializing algorithm and registration phase to generate the parameters ${x, T_{m k} (x), h (\cdot)}$ to $A$ . B interacts with $A$ as follows.

$h (\cdot)$ Query. B holds a list $L_{h}$ of tuples $(s t r_{i}, h_{i})$ . When $A$ queries the oracle $h (\cdot)$ on $(s t r_{i}, h_{i})$ , B responds as follows.

If $s t r_{i}$ is on $L_{h}$ , B returns $h_{i}$ to $A$ . Otherwise, B randomly chooses an integer $h_{i}$ which is the only one in $L_{h}$ and adds $(s t r_{i}, h_{i})$ to $L_{h}$ and then responds with $h_{i}$ .

Reveal $(\cdot)$ Query. When the adversary $A$ makes a $R e v e a l (Π_{c}^{u})$ query, B responds as follows.

If $Π_{c}^{u}$ is not accepted, B returns a null value to $A$ . Otherwise, B examines the list $L_{h}$ and responds with the corresponding $h_{i}$ .

Send $(\cdot)$ Query. When the adversary $A$ makes a query $S e n d (Π_{c}^{u}, “ s t a r t ”)$ , B responds as follows. If $Π_{c}^{u} = Π_{U}^{u}$ , B follows the proposed steps. Otherwise, B generates a random number $m k^{*}$ , computes $T_{m k^{*}} (x)$ , and replaces $T_{m k} (x)$ with $T_{m k^{*}} (x)$ . $A$ completes the subsequent certification by using $T_{m k^{*}} (x)$ . B responds with ${C_{1}, {D I D}^{*}, M_{u s^{*}}}$ . The simulation works successfully since $A$ cannot distinguish whether ${C_{1}, {D I D}^{*}, M_{u s^{*}}}$ is correct or not only when $A$ knows $I D$ and $P W$ .

When the adversary $A$ makes a $S e n d (Π_{c}^{u}, (C_{1}, {D I D}^{*}, M_{u s^{*}}))$ query, B responds as follows. If $Π_{c}^{u} = Π_{U}^{u}$ , B cancels the game. Otherwise, B computes ${K A}^{'}$ , ${I D}^{'}$ , and $X_{u}^{'}$ with $m k^{*}$ . B checks whether $h ({I D}^{'} ∥ {D I D}^{*} ∥ X_{u}^{'} ∥ C_{1} ∥ {K A}^{'}) = M_{u s^{*}}$ holds or not. If it holds, B computes $C_{2} \equiv T_{r} (x) \mod p$ and $s k \equiv T_{r} (T_{u} (x)) \mod p$ and responds message ${C_{2}, M_{s u^{*}}}$ according to the proposed protocol.

When the adversary $A$ makes a query $S e n d (Π_{c}^{u}, (C_{2}, M_{s u^{*}}))$ , B responds as follows. If $Π_{c}^{u} = Π_{U}^{u}$ , B cancels the game. Otherwise, B computes ${s k}^{*} \equiv T_{r} (T_{u} (x)) \mod p$ .

If $A$ can violate a user to the authentication, it means that $A$ can get $m k$ from $(x, T_{m k} (x))$ , get $s k \equiv T_{r} (T_{u} (x)) \mod p$ from $(x, T_{u} (x) \mod p, T_{r} (x) \mod p)$ , and get $h (I D ∥ P W)$ from the list $L_{h}$ . Therefore, if $A$ can violate a user to the server authentication, B must solve the CMDHP problem with a nonnegligible probability. This is contradiction to the computation infeasible to the CMDHP problem.

Through analyzing, we can conclude that it is almost impossible for $A$ to violate the user to the server authentication.

4.2. Authentication Proof Based on BAN Logic

BAN logic [37–39] is a formal logic analysis method based on the belief; it achieves from the initial belief to the final purpose of the operation through sending and receiving of the message during the running of authentication protocol. It is a well-known formal model used to analyze the security of authentication and key agreement schemes. In this section, we first present the notations, rules, goals, and assumptions. Then we verify the validity of our protocol. The details are shown as follows.

4.2.1. Notations and Rules

First of all, let us define P, Q as participators and X as a formula. In order to use the BAN logic, some notations and rules used in BAN logic analysis are given below. (i)

$P ∣ \equiv X$ : P believes that in the current run of the protocol the formula X is true.

(ii)

$P ⊲ X$ : P sees or holds formula X.

(iii)

$P \Rightarrow X$ : P has complete control over the formula X. This can be used to express a certificate authority.

(iv)

$P ∣ ~ X$ : P has once said to be formula X.

(v)

$# (X)$ : the formula X is fresh, which means that X is recent or X is nonce.

(vi)

$P \overset{k}{\leftrightarrow} Q$ : P and Q share a secret key k. The secret key is only usable in the communication between P and Q and is only known to P and Q.

(vii)

${X}_{k}$ : the formula X is encrypted by key k.

(viii)

$(X, Y)$ : X or Y is one part of formula $(X, Y)$ .

Rule 1.

The message meaning rule (for shared secret keys) is as follows:

\begin{matrix} \frac{P ∣ \equiv Q \overset{k}{⟷} P, P ⊲ {\{X\}}_{k}}{P ∣ \equiv Q ∣ ~ X} . \end{matrix}

(7)

When P sees a message which is encrypted with the shared key k of P and Q, then P believes that Q has said to be X.

Rule 2.

The nonce verification rule is as follows:

\begin{matrix} \frac{P ∣ \equiv # (X), P ∣ \equiv Q ∣ ~ X}{P ∣ \equiv Q ∣ \equiv X} . \end{matrix}

(8)

If P believes that X is a recent message and Q has once said to be X, then P believes that Q believes X.

Rule 3.

The jurisdiction rule is as follows:

\begin{matrix} \frac{P ∣ \equiv Q ⟹ X, P ∣ \equiv Q ∣ \equiv X}{P ∣ \equiv X} . \end{matrix}

(9)

If P believes that Q has jurisdiction over X and P believes that Q believes X, then P believes X.

Rule 4.

The freshness rule is as follows:

\begin{matrix} \frac{P ∣ \equiv # (X)}{P ∣ \equiv # (X, Y)} . \end{matrix}

(10)

If one part of a formula X is known to be fresh, then the entire formula must also be fresh.

Rule 5.

The message of elimination of multipart rules is as follows:

\begin{matrix} \frac{P ⊲ (X, Y)}{P ⊲ X}, \\ \frac{P ⊲ {〈X〉}_{Y}}{P ⊲ X}, \\ \frac{P ∣ \equiv Q \overset{k}{⟷} P, P ⊲ {\{X\}}_{k}}{P ⊲ X}, \\ \frac{P ∣ \equiv (X, Y)}{P ∣ \equiv X}, \\ \frac{P ∣ \equiv Q ∣ ~ (X, Y)}{P ∣ \equiv Q ∣ ~ X}, \\ \frac{P ∣ \equiv Q ∣ \equiv (X, Y)}{P ∣ \equiv Q ∣ \equiv X} . \end{matrix}

(11)

These rules show how principal handles multipart message.

The idealized forms for our protocol, as illustrated in Box 2, expressed by the BAN logic are as follows:

Message 1: $U \to S : D I D, {X}_{u}, h (D I D, {X}_{u}, {X}_{u \cdot m k})$ .

Message 2: $S \to U : {X}_{r}, h ({X}_{r}, {X}_{m k \cdot u}, U \overset{s k}{\leftrightarrow} S)$ .

Message 3: $U \to S : h ({X}_{u}, U \overset{s k}{\leftrightarrow} S)$ .

4.2.2. Goals

According to the analytic procedures of BAN logic, the proposed protocol has the following four goals; the goals of our protocol are shown as formulas $(G 1) – (G 4)$ in the language of the BAN logic: ( $G 1$ )

$U ∣ \equiv U \overset{s k}{\leftrightarrow} S$ ;

( $G 2$ )

$S ∣ \equiv U \overset{s k}{\leftrightarrow} S$ ;

( $G 3$ )

$U ∣ \equiv S ∣ \equiv U \overset{s k}{\leftrightarrow} S$ ;

( $G 4$ )

$S ∣ \equiv U ∣ \equiv U \overset{s k}{\leftrightarrow} S$ .

4.2.3. Assumptions

The following assumptions about the initial state are made to analyze our protocol by using the BAN logic: ( $A 1$ )

$U ∣ \equiv # (u)$ ;

( $A 2$ )

$S ∣ \equiv # (r)$ ;

( $A 3$ )

$U ∣ \equiv U \overset{m k}{\leftrightarrow} S$ ;

( $A 4$ )

$S ∣ \equiv U \overset{m k}{\leftrightarrow} S$ ;

( $A 5$ )

$U ∣ \equiv S ∣ \equiv U \overset{m k}{\leftrightarrow} S$ ;

( $A 6$ )

$S ∣ \equiv U ∣ \equiv U \overset{m k}{\leftrightarrow} S$ ;

( $A 7$ )

$U ∣ \equiv S ∣ \Rightarrow U \overset{s k}{\leftrightarrow} S$ ;

( $A 8$ )

$S ∣ \equiv U \overset{s k}{\leftrightarrow} S$ .

4.2.4. Verification

We use the rules and assumptions based on the BAN logic to analyze the idealized form of the proposed protocol; the main steps of the proof are described as follows.

Message 1 ( $U \to S : D I D, {X}_{u}, h (D I D, {X}_{u}, {X}_{u \cdot m k})$ ). According to Message 1, we obtain (S1)

$S ⊲ D I D, {X}_{u}, h (D I D, {X}_{u}, {X}_{u \cdot m k})$ .

According to assumption ( $A 4$ ) and Rules 1 and 5, we obtain (S2)

$S ∣ \equiv U ∣ ~ {X}_{u}$ .

S computes the session key $U \overset{s k}{\leftrightarrow} S : {X}_{r \cdot u}$ .

Message 2 ( $S \to U : {X}_{r}, h ({X}_{r}, {X}_{m k \cdot u}, U \overset{s k}{\leftrightarrow} S)$ ). According to Message 2, we obtain (S3)

$U ⊲ h ({X}_{r}, {X}_{m k \cdot u}, U \overset{s k}{\leftrightarrow} S), {X}_{r}$ .

According to assumption ( $A 3$ ) and Rules 1 and 5, we obtain (S4)

$U ∣ \equiv S ∣ ~ ({X}_{r}, {X}_{m k \cdot u}, U \overset{s k}{\leftrightarrow} S)$ .

According to assumption ( $A 1$ ), (S4), and Rule 2, we obtain (S5)

$U ∣ \equiv S ∣ \equiv ({X}_{r}, {X}_{m k \cdot u}, U \overset{s k}{\leftrightarrow} S)$ .

According to (S5) and Rule 5, we obtain (S6)

$U ∣ \equiv S ∣ \equiv (U \overset{s k}{\leftrightarrow} S)$ (this is ( $G 3$ )).

According to assumption ( $A 7$ ), (S5), and Rule 3, we obtain (S7)

$U ∣ \equiv (U \overset{s k}{\leftrightarrow} S)$ (this is ( $G 1$ )).

Message 3 ( $U \to S : h ({X}_{u}, U \overset{s k}{\leftrightarrow} S)$ ). According to Message 3, we obtain (S8)

$S ⊲ h ({X}_{u}, U \overset{s k}{\leftrightarrow} S)$ .

According to assumption ( $A 2$ ) and Rule 4, we obtain (S9)

$S ∣ \equiv # (U \overset{s k}{\leftrightarrow} S)$ .

According to assumption ( $A 8$ ) and Rule 1, we obtain (S10)

$S ∣ \equiv U ∣ ~ (U \overset{s k}{\leftrightarrow} S)$ .

According to (S9), (S10), and Rule 2, we obtain (S11)

$S ∣ \equiv U ∣ \equiv (U \overset{s k}{\leftrightarrow} S)$ (this is ( $G 4$ )).

Therefore, we are sure that our proposed protocol is capable of achieving the goals from ( $A 8$ ), (S6), (S7), and (S11).

4.3. Security Analysis

4.3.1. Anonymity

User anonymity refers to the condition that an attacker $U_{A}$ cannot discover anything about the registered user U from the transmitted information. In our proposed authentication phase, the login information $M_{1} = {C_{1}, D I D, M_{u s} ∥ T_{1}}$ includes the dynamic $D I D = (I D \oplus h (K A))$ other than $I D$ , user's real $I D$ implicitly involved in $D I D$ , where $K A \equiv T_{u} (T_{m k} (x)) \mod p$ . Thus, if the attacker $U_{A}$ wants to forge U, he/she must compute $K A$ and derive $I D$ from $D I D$ . However, it is computationally infeasible to find out $T_{u} (T_{m k} (x)) \mod p$ directly from $T_{u} (x) \mod p$ and $T_{m k} (x) \mod p$ based on the CMDHP. Therefore, the adversary cannot retrieve $I D$ from $D I D$ . Moreover, the login request $M_{1} = {C_{1}, D I D, M_{u s} ∥ T_{1}}$ is independent and different in every session because $K A$ and random number u are randomly selected and updated in every session. In brief, our scheme can achieve user anonymity.

4.3.2. Mutual Authentication

Mutual authentication means that the server and the user can verify each other and establish mutual trust before visiting the patient privacy information. In our scenario, only the legitimate user who possesses the right password and authenticated information can send the request to the server, and only the authorized server who owns the correct secret key can verify the user's request. Therefore, this scheme can provide mutual authentication between the user and the server. That is to say, our proposed scheme achieves mutual authentication between the legal user and the server.

4.3.3. Replay Attack

Replay attack means that the attacker captures the message before running the protocol or being run to attack the current agreement. In the process of authentication, both the user's request $M_{1} = {C_{1}, D I D, M_{u s} ∥ T_{1}}$ and the server's response $M_{2} = {C_{2}, M_{s u} ∥ T_{3}}$ contain a timestamp. The valid period of each message is limited by the timestamp. Even if the attacker had intercepted the transmitted information and pretended to be a legitimate user, it will be easily detected by checking the freshness of the timestamp. In addition, the adversary cannot bypass the timestamp verification, because the transmitted message has been protected by the hash function. Therefore, this scheme can resist replay attack.

4.3.4. Perfect Forward Secrecy

Perfect forward secrecy means that the previously claimed session key remains safe even if the long-term private keys of the server and the user are disclosed. In our scenario, it is assumed that even the current session key is compromised and then the previously established session key $s k \equiv T_{u} (T_{r} (x)) \mod p$ remains secure because different sessions have different random numbers, and it is computationally infeasible to calculate the session key with $T_{u} (x) \mod p$ and $T_{r} (x) \mod p$ directly.

4.3.5. Man-in-the-Middle Attack

Man-in-the-middle attack refers to the condition that the attacker disguises herself as a legitimate participant, thus making the other communication terminal think that they are performing a direct dialogue through the secret connection. In our scheme, the attacker $U_{A}$ cannot compute the value $X_{u} = Y \oplus h (P W)$ which is related to the random number u and the private key $m k$ . In addition, the attacker $U_{A}$ also cannot calculate the value $K A = T_{u} (T_{m k} (x)) \mod p$ because u is the temporarily generated random number in every session. Therefore, the attacker cannot disguise himself/herself as a legitimate user. That is to say, our scheme can resist man-in-the-middle attack.

4.3.6. Smart Card Stolen Attack

An attacker $U_{A}$ who steals a smart card can retrieve the stored data ${X_{u}, Y, h (\cdot), x, T_{m k} (x), p, b}$ from the smart card and guess ${P W}^{*}$ . However, the attacker cannot get the real information $M_{1} = {C_{1}, D I D, M_{u s} ∥ T_{1}}$ to validate the correctness of ${P W}^{*}$ , because $D I D = (I D \oplus h (K A))$ and $K A \equiv T_{u} (T_{m k} (x)) \mod p$ , where the random number u is temporarily generated for each session and different sessions have different u. Therefore, our scheme can resist the smart card stolen attack.

4.3.7. Efficient Password Change Phase

A user can make denial of service attack if he/she did a little mistake which may be due to incorrect password input in the password change phase. The invalid detection of incorrect input can lead to denial of service scenario, so we should give efficient password change phases. In our scheme, the smart card first verifies the correctness of identity and password with the server by establishing an authorized session. Then owing to entering correct identity and password, the authorized session can be successfully established. As long as the session has been established, the smart card requests a new password and initiates the password change phase. This process shows that our proposed scheme has efficiency to detect incorrect input.

4.3.8. Privileged Insider Attack

A malicious privileged insider in server's system may try to obtain a legitimate user's password. In the registration phase of our proposed protocol, the user U sends ${I D, h (P W) \oplus b}$ to the server instead of $P W$ in its original form. Therefore, malicious insider cannot derive the user's $P W$ because hash function $h (\cdot)$ cannot be reverted. Furthermore, an insider attacker cannot do password guessing attack as user submit $h (P W) \oplus b$ instead of the random number b itself. So our scheme can avoid the privileged insider attack.

4.3.9. Session Key Verification

In Steps 3 and 4 of the authentication phase, the user sends message $M_{3} = {M_{s k}}$ to the medical server and upon receiving it, the server checks the verification whether $h ({K A}^{'} ∥ s k) = M_{s k}$ or not. If the verification equation is true, it ensures that the session key $s k$ is verified. Therefore, the proposed scheme provides session key verification property.

4.4. Software Implementation Analysis and Comparison

4.4.1. Software Implementation

The main problem of our scheme in software implementation is computation time of the Chebyshev polynomials $T_{n} (x)$ . During the computation, a high-order polynomial is involved in the Chebyshev chaotic map. If we directly compute the high-order polynomial according to the definition or recursive sequence, then we can find that the computation error will be very large for the high-order polynomial. Moreover, the computation load will increase with the increase in the order of the polynomial. In reality, the security of our proposed scheme does not largely depend upon the high-order polynomials. Therefore, we can select a certain large number as s in order to reduce the time for factorizing s to get $k_{i} (i = 1,2, 3, \dots)$ . The method adopted in this paper is described below.

Let the Chebyshev polynomial order be

\begin{matrix} s = s_{1}^{k_{1}} s_{2}^{k_{2}}, \dots, s_{i}^{k_{i}} . \end{matrix}

(12)

Then

\begin{matrix} T_{s} (m) = \underset{k_{1}}{\underset{︸}{T_{s_{1}} (\dots T_{s_{1}}}} \dots \underset{k_{i}}{\underset{︸}{T_{s_{i}} (\dots T_{s_{i}}}} (m))) . \end{matrix}

(13)

Therefore, the computation of $T_{s} (m)$ only requires $k_{1} + k_{2} + \dots k_{i}$ iterations of the Chebyshev map other than s iterations [40].

With the existing high-precision libraries, the correctness of numerical algorithms in finite precision arithmetic may be solved. In the practical application, the security of this agreement does not completely rely on the difficulty of high-order polynomial number problem anymore. Therefore, we may not take the most maximum values of u and r, thus further enhancing the security of the protocol.

4.4.2. Comparison

In this section, we will compare the security and the computational cost of the proposed scheme with the recently published scheme.

In the WBANs applications, resource constraint in low cost devices must be given priority to consider in addition to security and privacy. The used sensors for medical service are limited with storage space, computation power, and the lifetime of a battery. Firstly, we defined some computational parameters as follows. H denotes the time for the hash operation; S denotes the time for the encryption/decryption operation; T denotes the time for the Chebyshev polynomial computing.

As show in Table 1, comparing with the chaotic maps-based authentication, the proposed scheme can satisfy the desirable security attributes of authentication and overcome the weaknesses of the existing schemes. The number of Chebyshev chaotic maps operations used in our scheme equals that in [20], but our scheme does not need symmetric en/decryption operations. Moreover, the proposed scheme needs one more Chebyshev polynomial operation than that in [21], but it can better guarantee the authentication on both communication sides. In addition, the proposed scheme supports the function of session key verification and efficient password changing; however, the schemes [18–21] do not provide efficient password changing phase and the schemes [18–21, 39] lack the verification of session key.

Table 1

Comparisons among our scheme and other related chaotic maps-based schemes.

	Hao et al.'s scheme [18]	Lee's scheme [19]	Jiang et al.'s scheme [20]	Li et al.'s scheme [21]	Mishra et al.'s scheme [39]	Our scheme
Registration phase
User side	$1 H$	$2 H$	H	$2 H$	H	H
Server side	$1 H + 1 S + 1 T$	$2 H$	$1 S + 1 T$	$3 H$	$2 H + 1 T$	$1 H + 1 T$
Authentication phase
User side	$3 H + 2 S + 2 T$	$7 H + 2 T$	$2 H + 1 S + 3 T$	$8 H + 2 T$	$5 H + 1 T$	$4 H + 3 T$
Server side	$2 H + 3 S + 2 T$	$8 H + 2 T$	$1 H + 2 S + 3 T$	$9 H + 2 T$	$5 H + 1 T$	$4 H + 3 T$
User anonymity	✓	✓	✓	✓	✓	✓
Privileged insider attack	✓	✓	✓	✓	✓	✓
Mutual authentication	✓	✓	✓	✓	✓	✓
Replay attack	✓	—	✓	—	✓	✓
Perfect forward secrecy	—	—	✓	✓	✓	✓
Man-in-the-middle attack	✓	—	✓	✓	✓	✓
Smart card stolen attack	✓	✓	✓	✓	✓	✓
Efficient password change phase	✘	✘	✘	✘	✓	✓
Session key verification	✘	✘	✘	✘	✘	✓

✓: scheme prevents this attack or satisfies the attribute.

✘: scheme fails to prevent the attack or does not satisfy the attribute.

—: not mentioned.

Table 2 shows the comparison of computational cost among our proposed scheme and the other two schemes in WBANs. Here, we established the simulation hardware environment and evaluated the computation overhead of this scheme. The simulation environment of AP is Windows 7 OS (a Pentium(R) E5300 2.6 GHz processor and 2 GB RAM). The simulated WBANs client is run in Android OS 5.0 (64-bit processor and 32 GB memory). Otherwise, Table 2 shows the computational cost comparison at the client and application provider in the authentication phase among three related schemes in WBANs. In our proposed scheme, it is obvious that the computational overhead is superior to the other two schemes both at the WBANs client and the application provider. In our authentication protocol based on Chebyshev polynomials, the semigroup property of Chebyshev polynomials is utilized to achieve the mutual authentication and acquire the common session key. At the beginning of the authentication, we do not need to establish the public key cryptographic system. In the authentication phase, we save the time for modular exponential computing and scalar multiplication on elliptic curves which are involved in previous agreements. Therefore, in our scheme, the calculation load is decreased.

Table 2

A comparison of computational cost of different schemes in WBANs.

	Liu et al.'s scheme [26]	Zhao's scheme [27]	Our scheme
Client(s)	≈0.18619	≈0.09201	≈0.06853
Application provider(s)	≈0.03983	≈0.03829	≈0.03623

It is obviously seen from Table 3 that the proposed scheme does not only satisfy the existing security attribute of [26, 27] but also satisfy the efficient password change. So it can achieve the desirable safety demands of WBANs. Moreover, the proposed scheme has less computational cost than previous results [26, 27]. In conclusion, our proposed scheme takes into account not only the security properties but also the computation overhead of APs and WBANs client.

Table 3

Security attributes comparison with some recently proposed schemes in WBANs.

Security attribute	Liu et al.'s scheme [26]	Zhao's scheme [27]	Our scheme
User anonymity	✓	✓	✓
Privileged insider attack	—	✓	✓
Mutual authentication	✓	✓	✓
Replay attack	—	✓	✓
Perfect forward secrecy	—	✓	✓
Man-in-the-middle attack	—	✓	✓
Smart card stolen attack	—	✓	✓
Efficient password change phase	—	—	✓
Session key verification	✘	✘	✓

✓: scheme prevents this attack or satisfies the attribute.

✘: scheme fails to prevent the attack or does not satisfy the attribute.

—: not mentioned.

5. Conclusion

In this paper, we proposed a chaotic maps-based authentication scheme for WBANs. This scheme can not only realize user anonymity but also resist a variety of attacks. Moreover, the scheme makes full use of Chebyshev polynomial's semigroup feature to create the session key. In the authentication phase, it reduces the computation time by eliminating the modular exponential and the scalar multiplication on elliptic curve. In addition, it is not required to create a public cryptographic system in advance.

We presented the security model for our scheme, verified the validity of the protocol, demonstrated its security property, analyzed the key implementation point of Chebyshev polynomial, and compared computation overhead of the related schemes. Through the above analysis, we think that the proposed scheme is more suitable for WBANs.

Footnotes

Notations

Competing Interests

The authors declare that there are no competing interests regarding the publication of this paper.

References

Zimmerman

T. G.

Personal area networks: near-field intrabody communication

IBM Systems Journal 1996 35 3-4 609 617

10.1147/sj.353.0609

2-s2.0-0030380805

Tian

Peng

An attribute-based encryption scheme with revocation for fine-grained access control in wireless body area networks

International Journal of Distributed Sensor Networks 2014 2014 9

259798

10.1155/2014/259798

2-s2.0-84912076625

Al Ameen

Liu

Kwak

Security and privacy issues in wireless sensor networks for healthcare applications

Journal of Medical Systems 2012 36 1 93 101

10.1007/s10916-010-9449-4

2-s2.0-84860253312

Lamport

Password authentication with insecure communication

Communications of the ACM 1981 24 11 770 772

10.1145/358790.358797

2-s2.0-0019634370

Sandirigama

Shimizu

Noda

M. T.

Simple and secure password authentication protocol (SAS)

IEICE Transactions on Communications 2000 83 6 1363 1365

Haller

The s/key one-time password system

Proceedings of the Internet Society Symposium on Network and Distributed System Security

February 1994

San Diego, Calif, USA

151 158

Chen

T.-H.

Lee

W.-B.

A new method for using hash functions to solve remote user authentication

Computers and Electrical Engineering 2008 34 1 53 62

10.1016/j.compeleceng.2007.01.001

ZBL1131.68046

2-s2.0-36349014859

Jaspher

Kathrine

Kirubakaran

Prakash

Smart card based remote user authentication schemes—survey

Proceedings of the 3rd International Conference on Computing Communication Networking Technologies (ICCCNT' 11)

July 2012

Coimbatore, India

IEEE

1 5

10.1109/ICCCNT.2012.6395882

Madhusudhan

Mittal

R. C.

Dynamic ID-based remote user password authentication schemes using smart cards: a review

Journal of Network and Computer Applications 2012 35 4 1235 1248

10.1016/j.jnca.2012.01.007

2-s2.0-84860376061

10.

C.-G.

Wang

Zhao

S.-D.

Security flaws in two improved remote user authentication schemes using smart cards

International Journal of Communication Systems 2014 27 10 2215 2227

10.1002/dac.2468

2-s2.0-84911988880

11.

Xiao

Liao

Deng

A novel key agreement protocol based on chaotic maps

Information Sciences 2007 177 4 1136 1142

10.1016/j.ins.2006.07.026

MR2288747

2-s2.0-33751227507

12.

Mason

J. C.

Handscomb

D. C.

Chebyshev Polynomials 2003

Boca Raton, Fla, USA

Chapman & Hall/CRC

13.

Bergamo

D'Arco

De Santis

Kocarev

Security of public-key cryptosystems based on Chebyshev polynomials

IEEE Transactions on Circuits and Systems I: Regular Papers 2005 52 7 1382 1393

10.1109/tcsi.2005.851701

MR2167459

2-s2.0-23144460039

14.

Tseng

H.-R.

Jan

R.-H.

Yang

A chaotic maps-based key agreement protocol that preserves user anonymity

Proceedings of the IEEE International Conference on Communications (ICC '09)

June 2009

Dresden, Germany

1 6

10.1109/icc.2009.5198581

2-s2.0-70449471727

15.

Niu

Y. J.

Wang

X. Y.

An anonymous key agreement protocol based on chaotic maps

Communications in Nonlinear Science and Numerical Simulation 2011 16 4 1986 1992

10.1016/j.cnsns.2010.08.015

MR2736063

2-s2.0-78049382801

16.

Xue

K. P.

Hong

P. L.

Security improvement on an anonymous key agreement protocol based on chaotic maps

Communications in Nonlinear Science and Numerical Simulation 2012 17 7 2969 2977

10.1016/j.cnsns.2011.11.025

MR2880466

2-s2.0-84856430473

17.

Guo

Chang

C.-C.

Chaotic maps-based password-authenticated key agreement using smart cards

Communications in Nonlinear Science and Numerical Simulation 2013 18 6 1433 1440

10.1016/j.cnsns.2012.09.032

MR3016895

ZBL1301.94135

2-s2.0-84872373047

18.

Hao

Wang

Yang

Yan

A chaotic map-based authentication scheme for telecare medicine information systems

Journal of Medical Systems 2013 37, article 9919

10.1007/s10916-012-9919-y

2-s2.0-84872265840

19.

Lee

T.-F.

An efficient chaotic maps-based authentication and key agreement scheme using smartcards for telecare medicine information systems

Journal of Medical Systems 2013 37 6, article 9985 9

10.1007/s10916-013-9985-9

2-s2.0-84891599579

20.

Jiang

Tian

Robust chaotic map-based authentication and key agreement scheme with strong anonymity for telecare medicine information systems

Journal of Medical Systems 2014 38, article 12

10.1007/s10916-014-0012-6

2-s2.0-84893187211

21.

C.-T.

Lee

C.-C.

Weng

C.-Y.

A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information systems

Journal of Medical Systems 2014 38, article 77

10.1007/s10916-014-0077-2

2-s2.0-84905560609

22.

Wang

Zhao

An improved key agreement protocol based on chaos

Communications in Nonlinear Science and Numerical Simulation 2010 15 12 4052 4057

10.1016/j.cnsns.2010.02.014

MR2652676

ZBL1222.94039

2-s2.0-77952742569

23.

Rivest

R. L.

Shamir

Adleman

A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM 1978 21 2 120 126

10.1145/359340.359342

MR700103

2-s2.0-0017930809

24.

ElGamal

A public key cryptosystem and a signature scheme based on discrete logarithms

IEEE Transactions on Information Theory 1985 31 4 469 472

10.1109/tit.1985.1057074

MR798552

25.

Liu

Zhang

Sun

Kwak

K. S.

An efficient certificateless remote anonymous authentication scheme for wireless body area networks

Proceedings of the IEEE International Conference on Communications (ICC '12)

June 2012

Ottawa, Canada

3404 3408

10.1109/icc.2012.6363786

2-s2.0-84871980715

26.

Liu

Zhang

Chen

Kwak

K. S.

Certificateless remote anonymous authentication schemes for wirelessbody area networks

IEEE Transactions on Parallel and Distributed Systems 2014 25 2 332 342

10.1109/tpds.2013.145

2-s2.0-84891804845

27.

Zhao

An efficient anonymous authentication scheme for wireless body area networks using elliptic curve cryptosystem

Journal of Medical Systems 2014 38, article 13 7

10.1007/s10916-014-0013-5

2-s2.0-84893021026

28.

Lee

C.-C.

Hsu

C.-W.

Lai

Y.-M.

Vasilakos

An enhanced mobile-healthcare emergency system based on extended chaotic maps

Journal of Medical Systems 2013 37 5, article 9973 12

10.1007/s10916-013-9973-0

2-s2.0-84883484959

29.

Han

Chang

Chaotic map based key agreement with/out clock synchronization

Chaos, Solitons & Fractals 2009 39 3 1283 1289

10.1016/j.chaos.2007.06.030

2-s2.0-62949175202

30.

Lee

C.-C.

Chen

C.-L.

C.-Y.

Huang

S.-Y.

An extended chaotic maps-based key agreement protocol with user anonymity

Nonlinear Dynamics 2012 69 1-2 79 87

10.1007/s11071-011-0247-4

MR2929856

2-s2.0-84861748201

31.

Chen

Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol

Nonlinear Dynamics 2012 69 3 1149 1157

10.1007/s11071-012-0335-0

MR2943375

2-s2.0-84863989374

32.

Zhang

Cryptanalysis of the public key encryption based on multiple chaotic systems

Chaos, Solitons & Fractals 2008 37 3 669 674

10.1016/j.chaos.2006.09.047

2-s2.0-40249103088

33.

Lee

C.-C.

Hsu

C.-W.

A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps

Nonlinear Dynamics 2013 71 1-2 200 211

10.1007/s11071-012-0652-3

MR3010573

2-s2.0-84871955339

34.

Zhu

Hao

A provable authenticated key agreement protocol with privacy protection using smart card based on chaotic maps

Nonlinear Dynamics 2015 81 1-2 311 321

10.1007/s11071-015-1993-5

MR3355033

2-s2.0-84930765236

35.

Islam

S. H.

Provably secure dynamic identity-based three-factor password authentication scheme using extended chaotic maps

Nonlinear Dynamics 2014 78 3 2261 2276

10.1007/s11071-014-1584-x

2-s2.0-84910132760

36.

Abdalla

Pointcheval

Patrick

A. S.

Yung

Interactive Diffie-Hellman assumptions with applications to password-based authentication

Financial Cryptography and Data Security 2005 3570 341 356 Lecture Notes in Computer Science

10.1007/11507840_31

37.

Burrows

Abadi

Needham

R. M.

A logic of authentication

Proceedings of the Royal society of London A—Mathematical and Physical Sciences 1989 426 233 271

38.

Wessels

Application of BAN-logic

CMG Public Sector B.V., 2001, http://www.win.tue.nl/ipa/archive/springdays2001/banwessels.pdf

39.

Mishra

Srinivas

Mukhopadhyay

A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems

Journal of Medical Systems 2014 38 10 1 12

10.1007/s10916-014-0120-3

2-s2.0-84935925341

40.

Kocarev

Makraduli

Amato

Public-key encryption based on Chebyshev polynomials

Circuits, Systems and Signal Processing 2005 24 5 497 517

10.1007/s00034-005-2403-x

MR2187035

2-s2.0-29244435793

A Chaotic Maps-Based Authentication Scheme for Wireless Body Area Networks

Abstract

1. Introduction

2. Chebyshev Chaotic Maps

Definition 1.

Definition 2 (chaotic maps-based discrete logarithm problem (CMDLP)).

Definition 3 (chaotic maps-based Diffe-Hellman Problem (CMDHP)).

3. Design Scheme

3.1. Design Architecture

3.2. Authentication Scheme

3.2.1. Initialization Phase

3.2.2. Registration Phase

Box 1: Registration phase.

Step 1.

Step 2.

Step 3.

3.2.3. Authentication Phase

Box 2: Authentication phase.

Step 1.

Step 2.

Step 3.

Step 4.

3.3. Password Change Phase

Step 1.

Step 2.

Step 3.

4. Performance Analysis

4.1. Security Model

4.1.1. Participants

4.1.2. Adversary Model

4.1.3. Security Proof

Theorem 4.

Proof.

4.2. Authentication Proof Based on BAN Logic

4.2.1. Notations and Rules

Rule 1.

Rule 2.

Rule 3.

Rule 4.

Rule 5.

4.2.2. Goals

4.2.3. Assumptions

4.2.4. Verification

4.3. Security Analysis

4.3.1. Anonymity

4.3.2. Mutual Authentication

4.3.3. Replay Attack

4.3.4. Perfect Forward Secrecy

4.3.5. Man-in-the-Middle Attack

4.3.6. Smart Card Stolen Attack

4.3.7. Efficient Password Change Phase

4.3.8. Privileged Insider Attack

4.3.9. Session Key Verification

4.4. Software Implementation Analysis and Comparison

4.4.1. Software Implementation

4.4.2. Comparison

5. Conclusion

Footnotes

Notations

Competing Interests

References