Comments on CSAP-IoD: A Chaotic Map-Based Secure Authentication Protocol for Internet of Drones
Article Information
Abstract
Recently, Zahednejad and Gao (2025 Journal of Information Security and Applications, Elsevier, https://doi.org/10.1016/j.jisa.2025.104083,) identified key compromise impersonation (KCI) in both, a two-factor, and a three-factor authentication protocols for IoT devices. They further proposed a lightweight authentication scheme designed to mitigate the identified KCI threats. Subsequently, Zhang et al. (2025, IEEE Transactions on Information Forensics and Security, https://doi.org/10.1109/TIFS.2025.3599678) introduced a chaotic map-based authentication protocol for the Internet of Drones, claiming that their design is resilient to a wide range of security attacks. Earlier, Kumari et al. (2019) had emphasized the significance of KCI attacks, urging the research community to devise robust countermeasures to eliminate KCI and other vulnerabilities arising from the compromise of a trusted authority’s keys. We observe that the protocol proposed by Zahednejad and Gao effectively resists KCI, even in scenarios where both the cloud server’s database and the secret key are compromised. In this comment, we demonstrate that Zhang et al.’s protocol fails to withstand KCI attacks and is further susceptible to session-specific temporary random number leakage attack. These findings highlight that, despite continuous research efforts over the years, KCI remains a persistent challenge in the design of user authentication protocols, underscoring the urgent need for future schemes that are immune to KCI.
Keywords
Data Availability Statement
Funding
Conflicts of Interest
AI Use Statement
Ethical Approval and Consent to Participate
References
- Zahednejad, B., & Gao, C. Z. (2025). Mitigating server key compromise impersonation: a secure and efficient authentication and key agreement protocol for IoT devices using chaotic maps. Journal of Information Security and Applications, 92, 104083.
[CrossRef] [Google Scholar] - Qiu, S., Wang, D., Xu, G., & Kumari, S. (2020). Practical and provably secure three-factor authentication protocol based on extended chaotic-maps for mobile lightweight devices. IEEE Transactions on Dependable and Secure Computing, 19(2), 1338-1351.
[CrossRef] [Google Scholar] - He, D., Cai, Y., Zhu, S., Zhao, Z., Chan, S., & Guizani, M. (2023). A lightweight authentication and key exchange protocol with anonymity for IoT. IEEE Transactions on Wireless Communications, 22(11), 7862-7872.
[CrossRef] [Google Scholar] - Kumari, S., Chaudhary, P., Chen, C. M., & Khan, M. K. (2019). Questioning key compromise attack on Ostad-Sharif et al.’s authentication and session key generation scheme for healthcare applications. IEEE Access, 7, 39717-39720.
[CrossRef] [Google Scholar] - Zhang, J., Cheng, Q., Chen, X., & Luo, X. (2025). CSAP-IoD: A Chaotic Map-Based Secure Authentication Protocol for Internet of Drones. IEEE Transactions on Information Forensics and Security, 20, 8848-8862.
[CrossRef] [Google Scholar]
Cite This Article
TY - JOUR AU - Kumar, Akash AU - Kumari, Saru PY - 2026 DA - 2026/06/19 TI - Comments on CSAP-IoD: A Chaotic Map-Based Secure Authentication Protocol for Internet of Drones JO - Journal of Reliable and Secure Computing T2 - Journal of Reliable and Secure Computing JF - Journal of Reliable and Secure Computing VL - 2 IS - 2 SP - 156 EP - 160 DO - 10.62762/JRSC.2026.503368 UR - https://www.icck.org/article/abs/JRSC.2026.503368 KW - authentication KW - key compromise impersonation KW - KCI attacks KW - Internet of Drones AB - Recently, Zahednejad and Gao (2025 Journal of Information Security and Applications, Elsevier, https://doi.org/10.1016/j.jisa.2025.104083,) identified key compromise impersonation (KCI) in both, a two-factor, and a three-factor authentication protocols for IoT devices. They further proposed a lightweight authentication scheme designed to mitigate the identified KCI threats. Subsequently, Zhang et al. (2025, IEEE Transactions on Information Forensics and Security, https://doi.org/10.1109/TIFS.2025.3599678) introduced a chaotic map-based authentication protocol for the Internet of Drones, claiming that their design is resilient to a wide range of security attacks. Earlier, Kumari et al. (2019) had emphasized the significance of KCI attacks, urging the research community to devise robust countermeasures to eliminate KCI and other vulnerabilities arising from the compromise of a trusted authority’s keys. We observe that the protocol proposed by Zahednejad and Gao effectively resists KCI, even in scenarios where both the cloud server’s database and the secret key are compromised. In this comment, we demonstrate that Zhang et al.’s protocol fails to withstand KCI attacks and is further susceptible to session-specific temporary random number leakage attack. These findings highlight that, despite continuous research efforts over the years, KCI remains a persistent challenge in the design of user authentication protocols, underscoring the urgent need for future schemes that are immune to KCI. SN - 3070-6424 PB - Institute of Central Computation and Knowledge LA - English ER -
@article{Kumar2026Comments,
author = {Akash Kumar and Saru Kumari},
title = {Comments on CSAP-IoD: A Chaotic Map-Based Secure Authentication Protocol for Internet of Drones},
journal = {Journal of Reliable and Secure Computing},
year = {2026},
volume = {2},
number = {2},
pages = {156-160},
doi = {10.62762/JRSC.2026.503368},
url = {https://www.icck.org/article/abs/JRSC.2026.503368},
abstract = {Recently, Zahednejad and Gao (2025 Journal of Information Security and Applications, Elsevier, https://doi.org/10.1016/j.jisa.2025.104083,) identified key compromise impersonation (KCI) in both, a two-factor, and a three-factor authentication protocols for IoT devices. They further proposed a lightweight authentication scheme designed to mitigate the identified KCI threats. Subsequently, Zhang et al. (2025, IEEE Transactions on Information Forensics and Security, https://doi.org/10.1109/TIFS.2025.3599678) introduced a chaotic map-based authentication protocol for the Internet of Drones, claiming that their design is resilient to a wide range of security attacks. Earlier, Kumari et al. (2019) had emphasized the significance of KCI attacks, urging the research community to devise robust countermeasures to eliminate KCI and other vulnerabilities arising from the compromise of a trusted authority’s keys. We observe that the protocol proposed by Zahednejad and Gao effectively resists KCI, even in scenarios where both the cloud server’s database and the secret key are compromised. In this comment, we demonstrate that Zhang et al.’s protocol fails to withstand KCI attacks and is further susceptible to session-specific temporary random number leakage attack. These findings highlight that, despite continuous research efforts over the years, KCI remains a persistent challenge in the design of user authentication protocols, underscoring the urgent need for future schemes that are immune to KCI.},
keywords = {authentication, key compromise impersonation, KCI attacks, Internet of Drones},
issn = {3070-6424},
publisher = {Institute of Central Computation and Knowledge}
}
Article Metrics
Publisher's Note
ICCK stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and Permissions
Copyright © 2026 by the Author(s). Published by Institute of Central Computation and Knowledge. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.
Portico