CCMbAS: A Provably Secure CCM-Based Authentication Scheme for Mobile Internet

To improve the security of authentication systems and strengthen privacy protection in the mobile Internet environment, this paper proposes a provably secure Chebyshev chaotic map (CCM)-based authentication scheme (CCMbAS). The proposed scheme transforms the traditional public key of the Chebyshev chaotic map into a private key and combines two private keys to compute a one-time key used to encrypt the authentication information. The scheme is verified by a security review using BAN logic and by the ProVerif simulation tool. The verification results confirm that the scheme is well secured against all existing security threats. Compared with similar schemes, the proposed scheme is more efficient and secure. The security analysis shows that the proposed scheme can fulfil security demands and ensure the security of users' information in the mobile Internet environment.


Introduction
Mobile Internet is the Internet and its services accessed through a mobile network as the access network. It is characterised by openness and complexity. With the rapid upgrade of mobile communication and the wide adoption of intelligent terminals, the application services provided by the mobile Internet are more and more widespread. However, the network environment is also more and more complex. Identity authentication is the first line of defence of an information system; it guarantees the security of system data and user information in a complex network environment and plays a key role in application systems.
Aiming at solving the security threats to identity authentication systems and protecting users' private information, Zhu et al. [1] proposed a biometrics-based multiserver key agreement scheme (BbKAS) on a chaotic map cryptosystem. The encryption key of that scheme is not secure enough, because an attacker can obtain the encryption key and crack the encrypted information with a dictionary attack on the intercepted messages. Jiang et al. [2] proposed a new three-factor scheme. Ali et al. [3] proposed a three-factor identity authentication scheme based on the RSA encryption algorithm.
To reduce the computational cost, Dong et al. [4] proposed a biometric verification-based authentication scheme (BVbAS) using Chebyshev chaotic mapping. The design of that scheme is unreasonable because the registry centre must provide all relevant information about all users and servers to each other before they request authentication. This design may result in a sharp increase in the communication cost of the system; otherwise, the authentication cannot be performed.
In general, the schemes can be classified into five groups in terms of the underlying intractability problem: based on the discrete-logarithm problem [5][6][7][8], based on pairing [9,10], based on chaotic maps [11][12][13], based on the integer-factorization problem [14], and based on hash functions [15][16][17][18]. Among them, schemes based on elliptic curve bilinear pairings, such as the robust provably secure privacy-preserving authentication protocol (PpAP) for the Industrial Internet of Things [10], usually require a large computation cost. Chaotic cryptography has become increasingly popular due to its lower computational complexity and higher asymmetric key security [19]. In view of the computing and security advantages of chaotic cryptography, CCMbAS is proposed to solve the problems of the above schemes.

Fuzzy Extractor.
In order to solve the contradiction between the variability of extracted biometric feature data and the input stability required by traditional cryptography, Dodis proposed the fuzzy extractor algorithm [20]. The algorithm keeps the output numerically consistent even when the extracted biometric features differ slightly.
A fuzzy extractor consists of a generation function Gen(·) and a reproduction function Rep(·). Gen(·) is a probabilistic generating function: when the user inputs a biometric feature BIO_i, the function generates a random string b_i of fixed length (b_i ∈ {0, 1}^m) and a public reproduction parameter P_i (an auxiliary string), namely Gen(BIO_i) = (b_i, P_i). Rep(·) is a deterministic reproduction function which reproduces the biometric key from an input biometric feature BIO_i' and the corresponding public reproduction parameter P_i. If the Hamming distance between BIO_i and BIO_i' is within the preset fault tolerance threshold, Rep(BIO_i', P_i) = b_i. Since Gen(·) and Rep(·) run in polynomial time, the fuzzy extractor is very efficient. Without the original biometric feature, the biometric key cannot be reproduced by calculation from the public reproduction parameter alone [4]. The fuzzy extractor can be effectively combined with cryptography in the field of authentication, and in recent years it has been used in many multi-factor authentication schemes [21][22][23][24][25].
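As an added worked example (not code from the paper or from Dodis et al.), the following Python implements a small fuzzy extractor of the code-offset kind the definition describes: Gen(·) sketches a fresh random secret with a repetition code masked by the biometric bit string and derives b_i from it, and Rep(·) removes the mask with BIO_i', majority-decodes, and re-derives the same b_i whenever the noise stays within the tolerance. The repetition code, the 80-bit biometric string, the block size of 5, and the use of SHA-256 as a stand-in for the strong extractor are assumptions chosen to keep the example readable, not parameters from the paper.

```python
import hashlib
import secrets

# Parameters of this toy construction (constructed values; a real deployment uses far longer strings).
REPEAT = 5                      # each secret bit is repeated 5 times: up to 2 flips per block are corrected
SECRET_BITS = 16                # number of secret bits sketched by the helper data
BIO_LEN = REPEAT * SECRET_BITS  # length of the biometric bit string BIO_i this example expects


def _encode(secret):
    """Repetition-code encoder C(s): each bit of s becomes REPEAT identical bits."""
    return [bit for bit in secret for _ in range(REPEAT)]


def _decode(noisy_codeword):
    """Majority-vote decoder: recovers s as long as no block has more than (REPEAT - 1) // 2 flips."""
    blocks = (noisy_codeword[i:i + REPEAT] for i in range(0, len(noisy_codeword), REPEAT))
    return [1 if sum(block) * 2 > REPEAT else 0 for block in blocks]


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _extract(secret, salt):
    """Strong-extractor stand-in (assumption): derive the fixed-length biometric key b_i from the secret."""
    return hashlib.sha256(salt + bytes(secret)).digest()


def hamming(a, b):
    """Hamming distance between two bit lists of equal length."""
    return sum(x != y for x, y in zip(a, b))


def gen(bio):
    """Gen(BIO_i) -> (b_i, P_i). Probabilistic: a fresh random secret is sketched every time."""
    if len(bio) != BIO_LEN:
        raise ValueError("expected a %d-bit biometric string" % BIO_LEN)
    secret = [secrets.randbits(1) for _ in range(SECRET_BITS)]
    helper = _xor(bio, _encode(secret))   # public sketch: the codeword masked by the biometric
    salt = secrets.token_bytes(16)
    return _extract(secret, salt), (helper, salt)


def rep(bio_prime, public_param):
    """Rep(BIO_i', P_i) -> b_i. Deterministic; equals the Gen output when BIO_i' is close enough to BIO_i."""
    helper, salt = public_param
    # helper XOR BIO_i' = C(secret) XOR (BIO_i XOR BIO_i'): the only errors left are the biometric noise
    noisy_codeword = _xor(bio_prime, helper)
    return _extract(_decode(noisy_codeword), salt)
```

The helper string alone does not give the key: decoding it without the enrolled biometric yields the codeword masked by BIO_i, so an unrelated input reproduces a different b_i.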

Chebyshev Map
Definition 1. The Chebyshev polynomial T_n(x) is the polynomial of order n in x, where n is a natural number, x ∈ [−1, 1], and T_n(x) = cos(n · arccos(x)).
According to the trigonometric transformation, the iterative relation of the Chebyshev polynomial can be obtained as follows:

Definition 2.
The cryptosystem based on the Chebyshev polynomial over x ∈ [−1, 1] has the risk that the session key is intercepted. In order to remedy this security defect, Zhang et al. [26] extended the domain of x from x ∈ [−1, 1] to x ∈ (−∞, +∞) in 2008, giving the extended Chebyshev polynomial, where n ≥ 2, x ∈ (−∞, +∞), and p is a large prime number. It still has the semigroup property.

Definition 3.
It is a hard discrete-logarithm problem to obtain r from the values x and y (T_r(x) = y). It is regarded as impossible in theory.

Definition 4.
It is a Diffie-Hellman problem to compute T_rs(x) from T_r(x) and T_s(x). It is also regarded as impossible in theory.

Scheme Design
The authentication system consists of three parts: the certificate authority (CA), the user terminal, and the server.
CA includes registration module, important data management module, and user authority management module.
User terminal includes registration module, biometric feature authentication module, password verification module, important data management module, and application interface module.
Server includes registration module, key agreement module, important data management module, and application platform interface module.

Symbol Definitions.
The symbol definitions of the proposed scheme are shown in Table 1.

System Settings.
CA first generates a private key k (assuming that the key is absolutely secure), then selects a random string x, and generates T_k(x) through the Chebyshev chaotic map. The public key is published. The private key is hidden.

Server Registration Phase.
The registration process of the server is shown in Figure 1.
Step 1. The server S_j selects a unique identity ID_j and sends ID_j and the current time t_j to CA via a secure channel.
Step 2. After receiving the registration request message {ID_j, t_j} from S_j, CA first checks whether the time t_j exceeds the maximum valid time interval Δt or not. If the time interval meets the requirement, CA then checks whether the identity ID_j of the server is already registered or not. If the identity ID_j is not yet registered, CA selects a random number r_j and computes the key Q_j = T_{r_j}(x) and r_j' = r_j ⊕ k. The key Q_j cannot be published. Then, CA stores the data {ID_j, S_{r_j}, r_j', Q_j} in the important data management module and sends the message {S_{r_j}, Q_j} to server S_j via the secure channel.
Step 3. After receiving {S_{r_j}, Q_j}, the server S_j stores them in the important data management module.

User Registration Phase.
The process is shown in Figure 2.
Step 1. The user U_i selects a unique identity ID_i and a password PW_i. Then, the biometric sample B_i is input through the sensor of the biometric authentication module. The biometric key b_i and its public reproduction parameter α_i are obtained by using the fuzzy extractor, that is, Gen(B_i) = (b_i, α_i).
Step 2. The user U_i computes U_r = h(ID_i ‖ PW_i), gets the current time t_i, and then sends the registration information M_reg_i = {ID_i, U_r, t_i} to CA via the secure channel.
Step 3. After receiving M_reg_i = {ID_i, U_r, t_i}, CA first checks whether the time t_i exceeds the maximum time interval Δt or not. If it exceeds the maximum time interval, CA rejects the user's request. If the result is eligible, CA checks whether the identity is already registered or not; a registered identity is forbidden from registering again. If the identity ID_i is not registered, CA calculates U_{r_i}, selects a random number r_i, and calculates the key Q_i = T_{r_i}(x) (the public key transformed into a private key) and r_i' = r_i ⊕ k. Then, CA stores {ID_i, U_{r_i}, r_i', Q_i} in the important data management module and sends {U_{r_i}, Q_i} to user U_i via the secure channel.
Step 4. After receiving

Login, Authentication, and Key Agreement Phase.
If the user requests to log in to the server, authenticate his or her identity, and access resources, he or she must perform the steps shown in Figure 3.
Step 1. The user U_i inputs the biometric feature B_i' through the sensor of the biometric feature authentication module and uses the fuzzy extractor with the public reproduction parameter α_i to obtain the biometric key b_i' by calculating Rep(B_i', α_i) = b_i'. When the Hamming distance between B_i' and B_i is less than the default tolerance threshold, the equation b_i' = b_i holds and the user U_i passes biometric feature authentication.
Step 2. The user U_i inputs the correct password PW_i and performs the password verification calculation.
Step 3. The user U_i selects a random number r_a as the temporary private key, calculates the message M_1, obtains the current time t_1, and sends the message {M_1, t_1} to server S_j via the public network. The key k_1 is the one-time key generated by calculation after combining the private key r_a and Q_i.
Step 4. After receiving {M_1, t_1}, server S_j first checks whether the time t_1 exceeds the maximum time interval Δt or not. If it exceeds the maximum time interval, the server rejects the user's request. If the result is eligible, server S_j selects a random number r_b as the temporary private key, calculates the message M_2, which includes M_1, obtains the current time t_2, and sends {M_2, t_2} to CA via the public network.
The key k_2 is the one-time key generated by calculation after combining the private key r_b and Q_j.
Step 5. After receiving {M_2, t_2}, CA first checks whether the time t_2 exceeds the maximum time interval or not. If it exceeds the maximum time interval, CA rejects the request. If it is eligible, CA calculates r_j = r_j' ⊕ k and the corresponding verification value. If the result is equal, CA authenticates the server S_j.
CA then calculates the message M_3, obtains the current time t_3, and sends {M_3, t_3} to the server S_j via the public network.
Step 8. After receiving {M_3, t_3}, server S_j first checks whether the time t_3 exceeds the maximum time interval or not. If it exceeds the maximum time interval, the server discards the received information. If the result is eligible, the server fetches R_j from M_3 and calculates R_j' = R_j ⊕ k_2 and h(ID_j ‖ S_{r_j}). Then, the server verifies h(ID_j ‖ S_{r_j}) = R_j'. If the result is not equal, the server stops the authentication. If the result is equal, the server authenticates CA. Then, the server calculates the session key SK = T_{r_b}(T_{r_a}(x)), which will be used with the user U_i, gets the current time t_4, and sends {M_4, t_4} (M_4 = {R_i, T_{r_b}(x)}) to the user U_i via the public network.
Step 9. After receiving {M_4, t_4}, user U_i first checks whether the time t_4 exceeds the maximum time interval. If it exceeds the maximum time interval, user U_i discards the received information. If the result is eligible, the user calculates R_i' = R_i ⊕ k_1 and h(ID_i ‖ U_{r_i}). Then, the user verifies h(ID_i ‖ U_{r_i}) = R_i'. If the result is not equal, the user stops the authentication. If the result is equal, the user authenticates CA and the server S_j. Then, the user calculates the session key SK = T_{r_a}(T_{r_b}(x)), which will be used with the server S_j.
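The following Python is an added example that is not part of the paper; it covers Definitions 2 to 4 and the login phase above in one place. It evaluates the extended Chebyshev polynomial T_n(x) mod p with the standard recurrence T_n(x) = 2x·T_{n-1}(x) − T_{n-2}(x) in O(log n) steps, checks the semigroup property, models the CA's masking r_j' = r_j ⊕ k from server registration, the timestamp freshness check, the CA → server confirmation R_j of Steps 5 and 8, and the session key SK = T_{r_b}(T_{r_a}(x)) = T_{r_a}(T_{r_b}(x)) of Steps 8 and 9. The prime p, the seed x, Δt, the derivation of S_{r_j} as a random secret, and the one-time key k_2 = T_{r_b}(Q_j) (the paper only says k_2 combines r_b and Q_j) are assumptions; the value CA checks in Step 5 to authenticate the server is not given in the text, so it is not modelled.

```python
import hashlib
import secrets

# Public parameters (constructed for this example): prime modulus p and the CA's public seed x.
P = (1 << 61) - 1          # the Mersenne prime 2^61 - 1 (assumption)
X = 123456789              # the CA's public random value x (assumption)
MAX_INTERVAL = 5.0         # Delta t, the maximum accepted timestamp age in seconds (assumption)


def _mul2x2(a, b, p):
    """Product of two 2x2 integer matrices modulo p."""
    return [
        [(a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p, (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p],
        [(a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p, (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p],
    ]


def chebyshev_mod(n, x, p):
    """Extended Chebyshev polynomial T_n(x) mod p (Definition 2).

    Uses the standard recurrence T_n(x) = 2x*T_{n-1}(x) - T_{n-2}(x), T_0 = 1, T_1 = x,
    evaluated by square-and-multiply on the companion matrix [[2x, -1], [1, 0]],
    so an order-n polynomial costs O(log n) modular multiplications.
    """
    x %= p
    if n == 0:
        return 1 % p
    if n == 1:
        return x
    m = [[2 * x % p, p - 1], [1, 0]]   # p - 1 represents -1 mod p
    r = [[1, 0], [0, 1]]
    e = n - 1
    while e:
        if e & 1:
            r = _mul2x2(r, m, p)
        m = _mul2x2(m, m, p)
        e >>= 1
    # [T_n, T_{n-1}]^T = M^(n-1) [T_1, T_0]^T with T_1 = x and T_0 = 1
    return (r[0][0] * x + r[0][1]) % p


def h(*parts):
    """One-way hash h(a || b || ...) returned as an integer so it can be XOR-masked."""
    data = "||".join(str(q) for q in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def is_fresh(t_sent, t_now, max_interval=MAX_INTERVAL):
    """Timestamp check applied in every step: reject messages older than Delta t (replay defence)."""
    return abs(t_now - t_sent) <= max_interval


def ca_register_server(k, server_id):
    """Server registration: CA picks r_j, derives Q_j = T_rj(x) and masks r_j as r_j' = r_j XOR k.
    S_rj is modelled as a random secret issued by CA (assumption: the paper does not give its derivation)."""
    r_j = secrets.randbelow(P - 2) + 2
    q_j = chebyshev_mod(r_j, X, P)
    s_rj = secrets.token_hex(16)
    ca_record = {"ID_j": server_id, "S_rj": s_rj, "r_j_masked": r_j ^ k, "Q_j": q_j}
    server_record = {"ID_j": server_id, "S_rj": s_rj, "Q_j": q_j}   # delivered over the secure channel
    return ca_record, server_record


def ca_confirms_server(k, ca_record, server_record, t_now, t_sent):
    """Steps 4, 5 and 8 of the login phase, restricted to the CA -> server confirmation value R_j.
    Assumption: the one-time key is k_2 = T_rb(Q_j), which CA recomputes as T_rj(T_rb(x))."""
    # Step 4 (server): temporary private key r_b, public value T_rb(x), one-time key k_2
    r_b = secrets.randbelow(P - 2) + 2
    t_rb = chebyshev_mod(r_b, X, P)
    k_2 = chebyshev_mod(r_b, server_record["Q_j"], P)
    m2 = {"ID_j": server_record["ID_j"], "T_rb": t_rb, "t_2": t_sent}
    # Step 5 (CA): freshness check, then unmask r_j and derive the same k_2 via the semigroup property
    if not is_fresh(m2["t_2"], t_now):
        return False
    r_j = ca_record["r_j_masked"] ^ k
    k_2_ca = chebyshev_mod(r_j, m2["T_rb"], P)          # T_rj(T_rb(x)) == T_rb(T_rj(x)) == k_2
    tag_r_j = h(ca_record["ID_j"], ca_record["S_rj"]) ^ k_2_ca   # R_j, carried to the server in M_3
    # Step 8 (server): unmask R_j with its own k_2 and compare with h(ID_j || S_rj)
    return (tag_r_j ^ k_2) == h(server_record["ID_j"], server_record["S_rj"])


def agree_session_key(r_a, r_b):
    """Steps 8 and 9: user and server derive SK = T_rb(T_ra(x)) = T_ra(T_rb(x)) from the exchanged values."""
    t_ra, t_rb = chebyshev_mod(r_a, X, P), chebyshev_mod(r_b, X, P)
    sk_server = chebyshev_mod(r_b, t_ra, P)
    sk_user = chebyshev_mod(r_a, t_rb, P)
    return sk_server, sk_user
```

The confirmation only checks out because both sides reach the same one-time key without either ever transmitting Q_j or r_j; an observer of M_2 and M_3 sees T_{r_b}(x) and a hash masked by that key, which is exactly the Diffie-Hellman-style problem of Definition 4.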

Password Change.
If the user wants to change the password, the user must first complete authentication on the terminal. Then, the user changes the password according to the steps of registration. The corresponding information stored in the user terminal and in the CA is updated.

Identity and Biometric Feature Change.
If the user needs to change the identity, it can be changed by steps similar to those of the password change. If the user needs to change the biometric feature, it can be changed after the terminal has authenticated the legitimate user.

Key Security.
The user's biometric key b_i is generated by the fuzzy extractor, so an attacker cannot obtain the user's biometric key through the fuzzy extractor without the user's biometric feature. In the proposed scheme, a double-key combined encryption mechanism is designed. For example, the key k_1 is the one-time key generated by calculation after combining the private key r_a and Q_i. Because the one-time key k_1 is freshly generated, the information encrypted with k_1 is difficult to crack. The user calculates F_i* = F_i ⊕ b_i, U_i* = U_{r_i} ⊕ b_i, and T*_{r_i}(x) = T_{r_i}(x) ⊕ PW_i in order to hide U_{r_i} and T_{r_i}(x), and then stores the information {ID_i, U_i*, T*_{r_i}(x)} in the important data management module. Even if an attacker can obtain the data stored in the user's terminal, the encrypted information cannot be decrypted. Therefore, the information b_i, U_{r_i}, and T_{r_i}(x) cannot be leaked or stolen.

Terminal Lost Attack.
If the terminal device is lost, authentication still requires not only the correct biometric feature but also the correct password. The user's secret information stored in the terminal device is encrypted. The attacker cannot provide the correct information and so cannot decrypt the stored secret information. Therefore, the system ensures the security of the secret information in the case of terminal device loss.

Password Guessing Attack.
In this scheme, user authentication includes two steps. If a user wants to log in successfully, both the biometric feature and the password must be correct. Without the biometric feature of the legitimate user, the attacker cannot pass the initial biometric feature authentication. Therefore, the attacker cannot proceed to the second step, password authentication. The shared session key generated temporarily is new and different each time, so the attacker cannot guess the session key. Therefore, the authentication system can effectively avoid password guessing attacks.

Impersonation Attack.
Because user authentication includes both the biometric feature and the password, an attacker who initiates an impersonation attack cannot pass password authentication even after obtaining the user's biometric feature. If an attacker impersonates a legitimate user or server to transmit information, the user, server, or CA can identify the authenticity of the sender through calculation and reject the forged information.

Eavesdropping Attack.
The scheme uses the randomness of hash function values to hide the authentication information transmitted over the public network, and uses the one-off key randomly generated by the Chebyshev chaotic map to encrypt the authentication information. Under this double protection, the attacker cannot obtain useful information by eavesdropping on the messages transmitted over the public network.

Denial-of-Service Attack.
Within a certain time period, CA does not allow users with the same ID to apply for registration. Therefore, CA can avoid excessive consumption of server resources and effectively defend against denial-of-service attacks.

Man-in-the-Middle Attack.
Even if the information of legitimate users or servers is intercepted and tampered with by an attacker, the attacker cannot pass the inspection and authentication of the users or servers. Therefore, the attacker cannot steal the content of the user's and server's information by this attack.

Replay Attack.
Time information is added to the transmitted messages in the proposed scheme, which functions as a timestamp and can effectively prevent replay attacks.

Privileged Insider Attack.
In this scheme, CA uses its own private key to XOR the key of the user or server in order to hide the important information. The user's password is protected by a one-way hash function when applying for registration and during authentication, which also hides the important information. In this way, privileged insider attacks can be effectively avoided.

Forward Security.
The encryption key of the authentication information is one-off in the process of authentication. The shared session key is also one-off after key agreement. The scheme has dual security through hiding and encryption. The attacker cannot crack former session keys.

Mutual Authentication.
In the proposed scheme, the shared session key calculated by the legitimate user and server is the same only for those two parties. Therefore, the scheme realizes mutual authentication among CA, user, and server. Meanwhile, the scheme ensures the communication security between the legitimate user and server. The comparison results in terms of security are shown in Table 2.

BAN Logic.
Among the formal verification methods for cryptographic protocols, the BAN logic proposed by Burrows et al. in 1989 is the best known [27]. BAN logic is a kind of modal logic based on belief, which mainly includes the following three processing objects: subject, key, and formula. P, Q, and R represent subject variables. K represents a key variable. X and Y represent formula variables. A and B represent two common subjects. S is the authentication server. K_ab, K_ac, and K_bc represent specific shared keys. K_a, K_b, and K_c represent specific public keys. K_a^{-1}, K_b^{-1}, and K_c^{-1} represent the corresponding secret keys. N_a, N_b, and N_c represent temporary values (nonces). h(X) represents the irreversible hash function of X.
(1) The syntax and semantics of the BAN logical components are shown in Table 3 and Table 4 and are summarized as follows.
P sees X: Subject P receives the message X.
P |∼ X: Subject P has sent out the message X.
P |⇒ X: Subject P has jurisdiction over X.
P ↔K Q: K is the shared key of subjects P and Q, which is unknown to other subjects.
→K P: K is the public key of the subject P. The other subjects do not know the corresponding private key K^{-1}.
→K^{-1} P: K^{-1} is the private key of the subject P.
P ⇌X Q: X is the shared secret between subjects P and Q, which is unknown to other subjects.
{X}_K: The ciphertext obtained by encrypting X with the key K.
〈X〉_Y: The concatenation of message X and secret Y, which can prove that the message 〈X〉_Y was sent by a certain subject.
Concrete proof process.
V1. According to rule R4 and formalization F3, S_j |≡ U_i |∼ T_{r_a}(x), S_j |≡ #(T_{r_a}(x)) ├ S_j |≡ U_i |≡ T_{r_a}(x) can be derived. Therefore, goal G1 is true.
V2. In the same way as V1, according to rule R4 and formalization F4, goal G2 is true.
V3. According to rule R5 and formalization F5, the required belief can be derived. Therefore, goal G3 is true.
V4. In the same way as V3, according to rule R5 and formalization F6, goal G4 is true.
V5. According to goal G3, formalization F2, and rule R12, S_j |≡ T_{r_a}(x), S_j |≡ T_{r_b}(x) ├ S_j |≡ (T_{r_a}(x), T_{r_b}(x)) can be derived. Therefore, goals G5 and G6 are true.
Based on the BAN logic proof, the proposed authentication scheme achieves the predetermined security goals, which shows that the scheme is secure.

Performance Result.
The performance result is shown in Figure 4. From the result, we can see that our scheme is secure.

Computation Cost.
According to the literature [1, 10, 28, 29, 30, 31] and the execution time of the relevant algorithms of the proposed scheme measured on our Intel Core i5-3470 platform, the details are shown in Table 5.
As can be seen from Table 5, the computation cost of each of the two phases is the lowest in our proposed scheme. The proposed scheme is superior to the similar schemes in [1, 4, 10].

Communication Cost.
Referring to [1, 4, 10], we set the lengths as follows. L_ID: the length of an identity is 32 bits; L_H: the length of a hash function output is 160 bits; L_M: the output size of the chaotic map is 128 bits; L_T: the length of a timestamp is 128 bits because it can be considered as a random number; L_E: the block length of symmetric encryption/decryption is 128 bits; L_P: the output size of an elliptic curve point P = (P_x, P_y) is 320 bits; and L_r: the length of a random nonce is 128 bits.
Only the frequently executed login and authentication phases are considered in the cost calculation. The comparison results of communication cost for the protocols are presented in Table 6. It can be observed that our scheme is more efficient than the schemes in [1, 10] in terms of communication cost.
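As an added check that is not part of the paper, the following Python recomputes each row of the communication cost table from the field lengths set above. With those lengths, the BVbAS, PpAP and proposed-scheme rows reproduce the stated totals, while the BbKAS expression 6L_M + 15L_ID + 8L_T evaluates to 2272 rather than the 2528 printed in the table, so that row should be read with the original source [1] at hand.

```python
# Field lengths in bits as set in the communication cost section of the paper.
LENGTHS = {"L_ID": 32, "L_H": 160, "L_M": 128, "L_T": 128, "L_E": 128, "L_P": 320, "L_r": 128}

# Field counts per scheme as written in the table, with the totals the table states.
TABLE_6 = {
    "BbKAS [1]": ({"L_M": 6, "L_ID": 15, "L_T": 8}, 2528),
    "BVbAS [4]": ({"L_H": 7, "L_T": 3}, 1504),
    "PpAP [10]": ({"L_H": 4, "L_P": 6, "L_T": 4}, 3072),
    "Proposed scheme": ({"L_H": 6, "L_ID": 5, "L_M": 4, "L_T": 4}, 2144),
}


def message_bits(field_counts, lengths=LENGTHS):
    """Total bits sent in the login/authentication phase for a given multiset of fields."""
    unknown = set(field_counts) - set(lengths)
    if unknown:
        raise KeyError("no length defined for fields: %s" % sorted(unknown))
    return sum(lengths[field] * count for field, count in field_counts.items())


def recompute_table(table=TABLE_6, lengths=LENGTHS):
    """Return {scheme: (recomputed, stated, matches)} so every row can be checked against the L values."""
    result = {}
    for scheme, (counts, stated) in table.items():
        recomputed = message_bits(counts, lengths)
        result[scheme] = (recomputed, stated, recomputed == stated)
    return result


def cheapest(table=TABLE_6, lengths=LENGTHS):
    """Name of the scheme with the lowest recomputed communication cost."""
    rows = recompute_table(table, lengths)
    return min(rows, key=lambda scheme: rows[scheme][0])
```

Passing a different `lengths` mapping (for example a 256-bit hash) re-prices every row at once, which is the usual way to see whether a ranking between schemes survives a change of primitives.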

Conclusion
In order to improve the security of authentication systems and strengthen the protection of users' sensitive information and privacy, a provably secure Chebyshev chaotic map (CCM)-based authentication scheme is proposed. The scheme uses a hash function to hide user information and a fuzzy extractor to authenticate the user's biometric feature. In particular, the proposed scheme transforms the traditional public key of the Chebyshev chaotic map into a private key and combines two private keys to compute a one-time key used to encrypt the authentication information. The results verified by BAN logic and the ProVerif simulation tool confirm that the scheme is well secured against all existing security threats. Compared with similar schemes, the proposed scheme is more efficient and secure. Therefore, the proposed scheme has great application value in scenarios with high security demands such as mobile payment and contactless access control. In the future, we will continue to study authentication schemes for more complex network environments.

Table 5: Execution time comparison.

Table 6: Communication cost comparison.
Scheme            Login, authentication, and key agreement phase (bits)
BbKAS [1]         6L_M + 15L_ID + 8L_T = 2528
BVbAS [4]         7L_H + 3L_T = 1504
PpAP [10]         4L_H + 6L_P + 4L_T = 3072
Proposed scheme   6L_H + 5L_ID + 4L_M + 4L_T = 2144

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.