
An enhanced password authentication scheme for session initiation protocol with perfect forward secrecy.

Shuming Qiu1,2, Guoai Xu1, Haseeb Ahmad3, Yanhui Guo1.   

Abstract

The Session Initiation Protocol (SIP) is a widely used communication protocol employed to regulate signaling and to control multimedia communication sessions. Recently, Kumari et al. proposed an improved smart card based authentication scheme for SIP based on Farash's scheme. Farash claimed that his protocol is resistant against various known attacks, but we observe some notable flaws in Farash's protocol. We point out that Farash's protocol is prone to key-compromise impersonation attack and is unable to provide pre-verification in the smart card, efficient password change and perfect forward secrecy. To overcome these limitations, in this paper we present an enhanced authentication mechanism based on Kumari et al.'s scheme. We prove that the proposed protocol not only overcomes the issues in Farash's scheme, but also resists all known attacks. We also provide a security analysis of the proposed scheme with the help of the widely used AVISPA (Automated Validation of Internet Security Protocols and Applications) tool. Finally, comparing with earlier proposals in terms of security and efficiency, we conclude that the proposed protocol is efficient and more secure.


Year:  2018        PMID: 29547619      PMCID: PMC5856360          DOI: 10.1371/journal.pone.0194072

Source DB:  PubMed          Journal:  PLoS One        ISSN: 1932-6203            Impact factor:   3.240


1 Introduction

The Session Initiation Protocol (SIP) is an important and popular communications protocol for signaling and controlling multimedia communication sessions in applications including Internet telephony for voice and video calls, private IP telephone systems, and instant messaging over Internet Protocol (IP) networks [1, 2]. SIP has attracted extensive attention from the academic community. The first authentication scheme for SIP, based on Hypertext Transfer Protocol (HTTP) digest authentication, can be traced back to 1999 and was proposed by Franks et al. [3]. In 2005, Yang et al. [4] pointed out that the scheme of Franks et al. [3] cannot resist the off-line password guessing attack and the server impersonation attack, and presented a new scheme to cope with these issues. However, Huang et al. [5] proved that Yang et al.'s [4] scheme cannot resist the stolen-verifier, off-line password guessing and Denning-Sacco attacks [6], and is not suitable for power-constrained devices because of its high computational cost. In 2005, in order to improve Yang et al.'s [4] scheme, Durlanik and Sogukpinar [7] proposed an efficient and secure authentication scheme for SIP using Elliptic Curve Cryptography (ECC). It is well known that ECC provides the same security level with a smaller key size than traditional public key cryptosystems. Subsequently, numerous one-factor, two-factor and three-factor authentication schemes have been proposed for SIP using ECC, RSA, hash functions, chaotic maps, etc. [7-25].

1.1 Related works

Recently, Zhang et al. [26] pointed out that existing protocols for SIP require the SIP server to maintain a password or verification table, which makes them vulnerable to stolen-verifier, server spoofing, insider and password-guessing attacks. To address these issues, Zhang et al. proposed a new two-factor authentication protocol for SIP that uses smart cards to avoid keeping password tables at the SIP server. Later, Zhang et al. [27] showed that the scheme in [26] is prone to impersonation attack and proposed an improved smart card based protocol. However, Farash [28] pointed out that the protocol of Zhang et al. [27] is still insecure against impersonation attack and proposed an improvement by making a slight change to it. Lu et al. [29] then analyzed Farash's scheme [28] and showed that it still has several security weaknesses, including susceptibility to key-compromise impersonation and off-line guessing attacks, and the lack of anonymity and pre-verification. Lu et al. therefore designed an anonymity-preserving authentication protocol to remedy the limitations of Farash's scheme and claimed that it resists all known attacks in addition to those present in Farash's scheme. Subsequently, however, Kumari [30] showed that an adversary who obtains the data stored in the user's smart card is able to compute the user's identity and password in Lu et al.'s [29] scheme, so that the scheme does not meet the two-factor security criterion; Kumari [30] also pointed out that the key agreement procedure of Lu et al.'s [29] scheme fails to achieve the intended goal of authenticated key agreement. On the other hand, in order to eliminate the drawbacks of Zhang et al.'s [26] scheme, Irshad et al. [31] developed an enhanced SIP authentication scheme using only a single round trip in 2005. Arshad et al. [32] found that the improvement of Irshad et al. [31] was also susceptible to the user impersonation attack and proposed their own improved scheme together with performance and security analyses. However, Lu et al. [33] demonstrated that the modified scheme of Arshad et al. [32] lacks user anonymity and mutual authentication and is susceptible to the key-compromise impersonation attack. In 2014, Jiang et al. [34] also observed that Zhang et al.'s scheme [26] was prone to the user impersonation attack and made a few modifications to make it more secure than the original design; Azrour et al. [35] later showed that Jiang et al.'s protocol suffers from server impersonation attack. In 2014, Tu et al. [36] also proved that Zhang et al.'s [26] scheme is vulnerable to user impersonation attack and proposed an enhanced protocol. However, Farash [37] pointed out that Tu et al.'s scheme is still vulnerable to server impersonation attack and proposed an improvement of it. In 2015, Chaudhry et al. [38] also showed that Tu et al.'s scheme [36] is vulnerable to server impersonation, replay and denial of service attacks and lacks user anonymity, and that Farash's improvement [37] of Tu et al.'s scheme [36] lacks user anonymity and is vulnerable to replay attack. Chaudhry et al. [38] therefore proposed an anonymous authenticated key agreement scheme, claiming that it is more secure and suitable for lightweight environments. Recently, Kumari et al. [39] also analyzed Farash's protocol [37] and showed that it is vulnerable to user impersonation, password guessing and session-specific temporary information leakage attacks and fails to provide user anonymity. Kumari et al. [39] then proposed an improved protocol and showed that it is not only robust against all known attacks but also lighter than Farash's protocol [37]. From the above analysis, one can observe that most of these protocols still have security loopholes and do not really achieve the security expected of an authentication protocol. Accordingly, designing a more secure and efficient authentication and key agreement protocol for SIP remains a challenging research topic.

1.2 Contribution of this paper

The positional relation between the proposed scheme and related research is depicted in Fig 1. The contributions of this paper are as follows:
Fig 1

Positional relation of the proposed scheme.

We analyze the security of Kumari et al.'s [39] authentication scheme for SIP and point out that it fails to provide pre-verification, local password change in the smart card and perfect forward secrecy, and is also susceptible to key-compromise impersonation attack. To overcome these limitations, we propose an improved scheme that keeps the benefits of the original scheme at the cost of a slight increase in computational cost, by employing a "fuzzy verifier" [40]. We prove that our scheme provides various security features, including perfect forward secrecy and resistance to key-compromise impersonation attack. We use the AVISPA tool to show that the proposed scheme satisfies mutual authentication and session key secrecy. Finally, we provide security and performance comparisons with relevant schemes, which illustrate that the proposed scheme is efficient and more secure than the prevalent schemes.

1.3 Organization of this paper

The remainder of this paper is organized as follows: Section “Preliminaries” introduces some notations, associated difficult problems based on ECC and adversary model used in this paper. The review and cryptanalysis of Kumari et al. [39]’s scheme is detailed in Section “Review of Kumari et al.’s scheme” and Section “Cryptanalysis of Kumari et al.’s scheme”, respectively. Section “The enhanced scheme for SIP” provides our proposed scheme. Section “Security analysis of the enhanced scheme” and Section “Formal security validation using AVISPA tool” highlight an informal and formal security analysis of our scheme, respectively. The performance and functionality comparison is presented in Section “Comparative analysis of performance”. At last, we provide concluding remarks in Section “Conclusion”.

2 Preliminaries

In this section, we describe the notations used in this paper, the definitions of a one-way hash function and of the hard problems related to Elliptic Curve Cryptography (ECC), and the capabilities of the adversary. The notations are listed in Table 1.
Table 1

Notations and abbreviations.

Symbol      Description
S           Server
U           User
ID          Identity of U
PW          Password of U
c_u, a_u    Random numbers of U
k_s         Secret key of S (written k in the text)
b, c_s      Random numbers of S
||          The string concatenation operation
⊕           The bitwise XOR operation
𝒜           Malicious adversary
h(⋅)        Collision-free one-way hash function
→           An insecure channel
⇒           A secure channel
sk          Session key between U and S

2.1 Intractable problems

Definition 1 (Collision-resistant one-way hash function). A secure one-way hash function h(⋅): {0, 1}* → {0, 1}^l takes an arbitrary-length binary string x ∈ {0, 1}* as input and outputs a fixed-length binary string y = h(x) ∈ {0, 1}^l. A cryptographic hash function h(⋅) satisfies the following properties:
(i) Pre-image resistance: for a given y ∈ {0, 1}^l it is hard to find in polynomial time an input x ∈ {0, 1}* with h(x) = y;
(ii) Second pre-image resistance: for a given x it is hard to find x′ ∈ {0, 1}* such that x′ ≠ x and h(x) = h(x′);
(iii) Collision resistance: it is hard to find any pair (x, x′) ∈ {0, 1}* with x′ ≠ x such that h(x) = h(x′).

In ECC, the elliptic curve is defined by the equation E(a, b): y^2 = x^3 + ax + b (mod p) over a finite field F_p, where a, b ∈ F_p and 4a^3 + 27b^2 ≠ 0 (mod p).

Definition 2 (ECDLP). For a given generator P and Q = mP in E(a, b), where m is randomly selected from F_p and p is a sufficiently large prime, it is computationally hard for a probabilistic polynomial time (PPT) adversary to calculate the secret value m ∈ F_p such that Q = mP.

Definition 3 (ECCDHP). For given points mP, nP ∈ E(a, b), computing mnP is computationally infeasible for a probabilistic polynomial time (PPT) adversary.

2.2 Adversary model

Throughout this paper, following [40-43], the capabilities of the adversary 𝒜 are summarized as follows:
(1) 𝒜 can extract all parameters stored in the smart card using power analysis [41, 42].
(2) 𝒜 completely controls the open communication channel, i.e. it can intercept, modify, delete, block and resend messages over the open channel.
(3) 𝒜 can enumerate all pairs (ID, PW) from the Cartesian product of the identity space and the password space in polynomial time.
(4) 𝒜 can either obtain the user's password via a malicious device or extract the parameters from the smart card, but not both.
(5) When evaluating forward secrecy, 𝒜 may obtain the server's private key or compromise the user's password.
(6) When evaluating the key-compromise impersonation attack, 𝒜 is assumed to know the long-term private key of the server.

3 Review of Kumari et al.’s scheme

3.1 System setup phase

The server S chooses an elliptic curve E over the finite field F, an additive group G of order p with generator P, a one-way hash function h(⋅) and a secret key k, and computes its public key Q = kP. Finally, S publishes the public parameters {E(F), P, p, Q, h(⋅)} and keeps k as its long-term private key.

3.2 Registration phase

In this phase, the user U is registered as a legal user by executing the following steps over the secure channel:
Step 1: U selects an identity ID, a password PW and a random number a, computes VPW = h(ID||PW||a) and sends the registration request {ID, VPW} to the server S.
Step 2: On receiving {ID, VPW}, S calculates r = (VPW + h(ID||k))P and stores r in a new smart card SC. S issues SC = {r, Q = kP, h(⋅)} to U.
Step 3: On receiving the smart card, U stores a in SC. Finally, SC = {r, Q = kP, a, h(⋅)} and U is registered as a legal user.

3.3 Login and mutual authentication phase

In this phase, the user U establishes a session key with the server S as follows:
Step 1: U inserts the smart card SC into a card reader and inputs the identity ID and password PW.
Step 2: U selects a random number b and computes VPW = h(ID||PW||a), bP, V = bQ, W = b(r − VPW⋅P), f = ID ⊕ V_x and z = h(ID||bP||V||W), where V_x and V_y are the x and y coordinates of V. U sends the login request {f, bP, z} to S.
Step 3: On receiving {f, bP, z}, S computes V = k(bP) (= bQ) and recovers ID = f ⊕ V_x. Since W = b(r − VPW⋅P) = h(ID||k)⋅(bP), S can recompute W and hence the expected value of z, which it compares with the received z. If they are equal, S chooses a random number c, derives the session key sk, computes Auth = h(c||sk) and sends the challenge {c, Auth} to U.
Step 4: On receiving {c, Auth}, U derives sk on its side, recomputes h(c||sk) and compares it with Auth. If they are equal, U computes Auth′ = h(ID||c + 1||sk) and sends the response {Auth′} to S.
Step 5: On receiving {Auth′}, S recomputes h(ID||c + 1||sk) and compares it with Auth′. If they are equal, S believes that it has successfully established the session key sk with U.

3.4 Password changing phase

In this phase, U changes the password by interacting with the server S. After U has established the session key sk with S, U performs the following steps:
Step 1: U selects a new password PW′ and two random numbers a′ and e, computes VPW′ = h(ID||PW′||a′) and m = Enc(ID||e||VPW′||h(ID||e||VPW′)), encrypted under the session key sk, and sends the request {m, e} to S.
Step 2: On receiving {m, e}, S computes Dec(m) = ID||e||VPW′||h(ID||e||VPW′) and verifies the hash value h(ID||e||VPW′). If the check passes, S computes the new value r′ = (VPW′ + h(ID||k))P together with an authenticating hash, encrypts them into a response m′ and sends {m′} to U.
Step 3: On receiving {m′}, U decrypts it, obtains r′ and verifies the accompanying hash. If the check passes, U replaces r and a in the smart card with r′ and a′, respectively.

4 Cryptanalysis of Kumari et al.’s scheme

Kumari et al. [39] claimed that their scheme resists many known attacks. However, we show in detail in the following subsections that their scheme not only fails to provide pre-verification in the smart card, perfect forward secrecy and efficient password change, but also fails to resist the key-compromise impersonation attack. These properties are fundamental to an authentication scheme for the Session Initiation Protocol, so their absence makes the scheme unsuitable for practical SIP deployments.

4.1 Pre-verification in smart card

A scheme provides pre-verification in the smart card if, when a user inputs the identity and password, the smart card itself checks their correctness. Kumari et al.'s scheme does not provide such a mechanism: in its login phase the smart card stores no verification value, so it cannot check the user's identity and password. If a user enters a wrong password or identity, or an adversary performs this step, the smart card cannot detect it, and the session is only terminated once the server finds the login incorrect. This wastes computation and communication at the server. Consequently, Kumari et al.'s scheme does not provide pre-verification in the smart card.

4.2 Key-compromise impersonation attack

Consider the scenario in which the long-term private key of the server S is compromised. An adversary 𝒜 can then certainly impersonate the legal server to a legitimate user; if, despite this, 𝒜 cannot be accepted as a legitimate user by the server, we say that the protocol resists the key-compromise impersonation attack. Unfortunately, Kumari et al.'s scheme cannot withstand this attack, as the following steps show.
Step 1: 𝒜 first extracts the information {r, kP, a} stored in the smart card using a side-channel attack [41] and captures a login request {f, bP, z} of the user. Once the long-term private key k of S is revealed to 𝒜, 𝒜 computes V = k(bP) and recovers the real identity ID = f ⊕ V_x. 𝒜 then selects a random number b′ and computes V′ = b′(kP), W′ = h(ID||k)⋅(b′P) (since W = b(r − VPW⋅P) = b⋅h(ID||k)⋅P, knowledge of k and ID suffices to compute W′ for any b′), f′ = ID ⊕ V′_x and z′ = h(ID||b′P||V′||W′), and sends the forged request {f′, b′P, z′} to S.
Step 2: On receiving the request, S computes V′ = k(b′P), recovers ID and checks z′, which obviously holds. Thus the illegal user is successfully authenticated by S. S then chooses a random number c, derives sk, computes Auth = h(c||sk) and returns {c, Auth} to 𝒜.
Step 3: On receiving the challenge, 𝒜 derives sk in the same way as a legitimate user and verifies Auth. 𝒜 then computes Auth′ = h(ID||c + 1||sk) and sends the response {Auth′} to S.
Step 4: On receiving the response, S recomputes h(ID||c + 1||sk) and compares it with Auth′; the check obviously holds. Therefore S believes that it has established the session key sk with the legal user, while in fact it has been talking to 𝒜. Accordingly, Kumari et al.'s scheme fails to resist the key-compromise impersonation attack.

4.3 Perfect forward secrecy

If the long-term private key k is compromised, the adversary 𝒜 can attack Kumari et al.'s scheme as follows.
Step 1: 𝒜 intercepts the login request {f, bP, z} of the user U, computes V = k(bP) and obtains {V_x, V_y}.
Step 2: 𝒜 recovers ID = f ⊕ V_x and computes W = h(ID||k)⋅(bP).
Step 3: 𝒜 captures the challenge {c, Auth} of the server S and derives sk exactly as S does.
Thus 𝒜 obtains the current session key sk as soon as the long-term private key k is revealed, and the same computation applies to every past session whose transcript 𝒜 recorded. Therefore, Kumari et al.'s scheme fails to provide perfect forward secrecy.

4.4 Efficient password changing

In the password changing phase of Kumari et al.'s scheme, a user U who wants to change the password must first establish a session key with the server. This increases the communication and computational overhead of a password change considerably.

5 The enhanced scheme for SIP

In this section, we present an improved scheme based on Kumari et al.'s scheme. The proposed scheme not only overcomes the limitations of Kumari et al.'s scheme but also achieves mutual authentication and resists various known attacks. Specifically, we employ a public-key primitive to protect the identity of the user and to provide perfect forward secrecy. In the registration phase, the server S generates a random nonce b for each user, so that knowledge of the long-term private key of S alone does not allow an adversary to compute the user's secret value N. In the password changing phase, the smart card SC supports local password change. The proposed scheme comprises four phases: system initialization, registration, login and authentication, and password change. The registration and login-authentication phases are depicted in Fig 2.
Fig 2

Registration and authentication phase of our scheme.

5.1 System initialization phase

In this phase, the server S selects an elliptic curve E over the finite field F, a random number k and a one-way hash function h(⋅). S then computes G = kP as its public key. Finally, S publishes the parameters {E, P, G, h(⋅)} and keeps k as its long-term private key.

5.2 Registration phase

Step 1. The user U chooses an identity ID.
Step 2. U ⇒ S: {ID}.
Step 3. On receiving the registration message from U, S chooses two random numbers a, b and calculates N = h(k||ID||b) and VPW = h(PW0||a||ID), where PW0 is an initial password. S further computes r = N ⊕ VPW and A = h((h(ID) ⊕ VPW) mod n0), where n0 is an integer with 2^4 ≤ n0 ≤ 2^8. S stores {ID, b} in its database.
Step 4. S ⇒ U: {SC, PW0}, where the smart card SC contains {r, P, a, A, p, G = kP, n0, h(⋅)}.
Step 5. On receiving the smart card SC from S, U should immediately change the initial password using the password update phase.

5.3 Login and mutual authentication phase

Once the user U has registered with the server, U can log in to S whenever a service is required, as follows:
Step 1. U inserts the smart card SC into a card reader and inputs ID and PW.
Step 2. SC calculates VPW = h(PW||a||ID) and A′ = h((h(ID) ⊕ VPW) mod n0), and compares A′ with the value A stored in SC. If A′ = A, ID and PW are accepted as valid; otherwise the session is terminated.
Step 3. SC computes N = r ⊕ VPW, chooses a random number c_u and computes V = c_u P, W = c_u G, f = ID ⊕ W_x and z = h(ID||W||f||N), where W_x and W_y are the x and y coordinates of W.
Step 4. U → S: {V, f, z}.
Step 5. On receiving {V, f, z}, S computes W* = kV (= c_u kP = W) and ID* = f ⊕ W*_x, and looks ID* up in its database. If ID* is not found, S treats the attempt as a wrong login; once the number of wrong attempts exceeds a threshold (such as 8), S judges that the smart card has been usurped by an attacker and locks the card until U re-registers. Otherwise S computes N* = h(k||ID*||b) and z* = h(ID*||W*||f||N*) and checks whether z* = z. If the check fails, S aborts the session and counts the failure (T = 1 for the first failure); when T exceeds a threshold, S suspends the card until U re-registers. Otherwise S generates a random number c_s and a nonce t, and computes V′ = c_s W* (= c_u c_s G), sk = h(N*||W*||G||V′||ID*||t) and Auth = h(t||sk||N*).
Step 6. S → U: {c_s G, Auth, t}.
Step 7. On receiving {c_s G, Auth, t}, U computes V″ = c_u (c_s G) (= c_u c_s G = V′), sk* = h(N||W||G||V″||ID||t) and Auth* = h(t||sk*||N), and checks whether Auth* = Auth. If they are not equal, the session is terminated. Otherwise S is authenticated by U and U accepts the session key sk*. U then computes a response authenticator Auth′ from sk*.
Step 8. U → S: {Auth′}.
Step 9. On receiving the response {Auth′}, S recomputes the authenticator from sk and compares it with Auth′. If they are equal, U is authenticated.
Step 10. Finally, both U and S agree on the common session key sk = sk*.

5.4 Password update phase

This phase lets the user change the password at will; only U and SC are involved:
Step 1. U inserts the smart card into the card reader and inputs ID′, PW′ and the new password.
Step 2. SC calculates VPW′ = h(PW′||a||ID′) and A′ = h((h(ID′) ⊕ VPW′) mod n0), and checks whether A′ = A. If they are not equal, SC refuses the password change.
Step 3. Otherwise SC recovers N = r ⊕ VPW′, generates a fresh random number in place of a, recomputes VPW, r = N ⊕ VPW and A = h((h(ID) ⊕ VPW) mod n0) from the new password and the fresh random number, and stores the three new values in place of a, r and A in the smart card.
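The following Python model of the registration, login and authentication, and local password update phases described above is an added example, not code from the paper. It instantiates the scheme on secp256k1 with SHA-256 as h(⋅) and n0 = 2^8, encodes points as x||y and identities as zero-padded 32-byte strings, and uses Auth′ = h(ID||sk) as the response authenticator of Step 8; all of these are assumptions, since the paper fixes neither the curve, the hash, the encodings nor the exact form of Auth′. The lock-out counters of Step 5 are left out. The last function shows what an eavesdropper who has obtained k learns from {V, f}: the identity, but not the session key, which is the setting of the forward-secrecy and key-compromise discussions that follow.

```python
import hashlib, secrets

# secp256k1 parameters (an assumption: the paper fixes no particular curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N0 = 2 ** 8  # fuzzy-verifier modulus n0 (2^4 <= n0 <= 2^8)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication k*pt
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")  # point -> x||y
def h(*parts): return hashlib.sha256(b"".join(parts)).digest()              # h(.) of Table 1
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rand(): return secrets.randbelow(ORDER - 1) + 1
def fuzzy(ID, VPW):  # A = h((h(ID) xor VPW) mod n0): many (ID, PW) pairs share one A
    return h((int.from_bytes(xor(h(ID), VPW), "big") % N0).to_bytes(2, "big"))

class Server:
    def __init__(self):
        self.k = rand()                      # long-term private key k
        self.G = ec_mul(self.k, BASE)        # public key G = kP
        self.db = {}                         # ID -> b, the per-user server nonce

    def register(self, ID):
        """Registration Steps 3-4: N = h(k||ID||b), r = N xor VPW, card {r, a, A, G} and PW0."""
        a, b, PW0 = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(8)
        Nv = h(self.k.to_bytes(32, "big"), ID, b)
        VPW = h(PW0, a, ID)
        self.db[ID] = b
        return {"r": xor(Nv, VPW), "a": a, "A": fuzzy(ID, VPW), "G": self.G}, PW0

    def login(self, V, f, z):
        """Login Step 5: W* = kV, ID = f xor W*_x, recompute N and z; returns ({c_s G, Auth, t}, sk)."""
        Wstar = ec_mul(self.k, V)                        # equals W = c_u G
        ID = xor(f, enc(Wstar)[:32]).rstrip(b"\0")       # IDs up to 32 bytes, zero padded
        if ID not in self.db: return None                # unknown ID: a failed attempt
        Nv = h(self.k.to_bytes(32, "big"), ID, self.db[ID])
        if h(ID, enc(Wstar), f, Nv) != z: return None    # z* = h(ID||W*||f||N*)
        cs, t = rand(), secrets.token_bytes(16)
        Vp = ec_mul(cs, Wstar)                           # V' = c_s W* = c_u c_s G
        sk = h(Nv, enc(Wstar), enc(self.G), enc(Vp), ID, t)
        return (ec_mul(cs, self.G), h(t, sk, Nv), t), sk

class Card:
    """Smart card SC holding {r, a, A, G}: login Steps 2-3 and 7, and the password update."""
    def __init__(self, card): self.c = card

    def preverify(self, ID, PW):
        """Step 2: local fuzzy check; a wrong PW slips through with probability 1/n0 only."""
        VPW = h(PW, self.c["a"], ID)
        return VPW if fuzzy(ID, VPW) == self.c["A"] else None

    def login(self, ID, PW):
        """Steps 2-3: returns the request {V, f, z} and the state kept for Step 7."""
        VPW = self.preverify(ID, PW)
        if VPW is None: return None                      # nothing is sent to S
        Nv, cu = xor(self.c["r"], VPW), rand()           # N = r xor VPW
        V, W = ec_mul(cu, BASE), ec_mul(cu, self.c["G"]) # V = c_u P, W = c_u G
        f = xor(ID.ljust(32, b"\0"), enc(W)[:32])        # f = ID xor W_x
        return (V, f, h(ID, enc(W), f, Nv)), (ID, Nv, cu, W)

    def finish(self, state, reply):
        """Step 7: V'' = c_u (c_s G), sk* = h(N||W||G||V''||ID||t); returns (sk*, Auth') or None."""
        ID, Nv, cu, W = state
        csG, Auth, t = reply
        sk = h(Nv, enc(W), enc(self.c["G"]), enc(ec_mul(cu, csG)), ID, t)
        return (sk, h(ID, sk)) if h(t, sk, Nv) == Auth else None   # Auth' = h(ID||sk), assumed

    def change_password(self, ID, PW, PW_new):
        """Password update phase: entirely local, S is never contacted."""
        VPW = self.preverify(ID, PW)
        if VPW is None: return False
        Nv, a2 = xor(self.c["r"], VPW), secrets.token_bytes(16)
        VPW2 = h(PW_new, a2, ID)
        self.c.update(r=xor(Nv, VPW2), a=a2, A=fuzzy(ID, VPW2))
        return True

def run_session(server, card, ID, PW):
    """Whole login; returns (sk_user, sk_server), or None if any check fails."""
    req = card.login(ID, PW)
    if req is None: return None
    (V, f, z), state = req
    ans = server.login(V, f, z)
    if ans is None: return None
    reply, sk_s = ans
    done = card.finish(state, reply)
    if done is None or done[1] != h(ID, sk_s): return None   # Step 9: S checks Auth'
    return done[0], sk_s

def eavesdropper_with_k(k, V, f):
    """With k leaked, {V, f} yields ID (anonymity is lost); sk still needs c_u or c_s,
    which only appear as V = c_u P and c_s G (ECDLP/ECCDHP)."""
    return xor(f, enc(ec_mul(k, V))[:32]).rstrip(b"\0")
```

Run with `S = Server(); card, PW0 = S.register(b"alice"); C = Card(card); run_session(S, C, b"alice", PW0)`. The local checks decide most failures before any message leaves the card; the server only ever sees requests that passed the fuzzy check, and a request built from a wrong password that slipped through the 1/n0 window still fails at z because N = r ⊕ VPW is then wrong.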

6 Security analysis of the enhanced scheme

In this section, we show that the proposed scheme is secure against the attacks overlooked by Kumari et al. and that it also provides the common security features. We adopt the attack model of Kumari et al. together with the adversary model of Section 2.2: the adversary 𝒜 completely monitors the open communication channel and can therefore insert, delete or modify any message between the correspondents, and 𝒜 can obtain all information stored in the smart card by a side-channel attack [41]. For the key-compromise impersonation attack and perfect forward secrecy, the long-term private key k is additionally revealed to 𝒜.

6.1 User anonymity and user un-traceability

In the enhanced scheme, no identity is transmitted in clear over the open channel or stored in the smart card. Suppose the adversary 𝒜 captures the messages {V, f, z}, {c_s G, Auth, t} and {Auth′} from the public channel. To obtain the user's identity ID from f = ID ⊕ W_x, 𝒜 needs W, which is not available since W = c_u G is computed from the random number c_u (recovering it from V = c_u P or from c_s G would require solving the ECDLP or ECCDHP). 𝒜 cannot verify a guessed identity either, since N and VPW are not available. Even if 𝒜 obtains the smart card of U and extracts its contents, it cannot recover the identity, since ID is protected by the one-way hash function and the modulo operation in A. Moreover, 𝒜 cannot trace the user across sessions, since every transmitted message differs from session to session and reveals no information about the user. Therefore, the proposed scheme ensures user anonymity and user un-traceability.

6.2 Privileged insider attack

In the registration phase, the user U submits only ID to the server S, and S sets an initial password PW0 for U. After receiving the smart card and PW0, U immediately changes the password to one known only to U. Therefore, no privileged insider can obtain or compute the user's password, i.e. the proposed scheme resists the privileged insider attack.

6.3 Pre-verification in the smart card

In the login phase of Kumari et al.'s scheme, the smart card cannot verify the identity and password of the user, which shifts the burden of detecting wrong inputs to the server. In our login phase, the smart card checks whether h((h(ID) ⊕ VPW) mod n0) = A right after ID and PW are entered. Only if the check passes does SC send the login request to S; otherwise the session is stopped until a correct identity and password are entered. This saves computation and communication at the server whenever the input is wrong or the user is illegal. Consequently, the proposed scheme provides pre-verification.

6.4 Key-compromise impersonation attack

In our scheme, even if the secret key k of the server S is compromised, the adversary 𝒜 cannot impersonate the legal user U to S. The adversary knows neither the random number b of S nor the correct pair {ID, PW}, so it cannot compute the correct value N = h(k||ID||b) even after extracting the information in the smart card. Hence 𝒜 cannot produce a valid login request {V, f, z} and cannot be authenticated by S. Consequently, our scheme resists the key-compromise impersonation attack.

6.5 Server impersonation attack

Since k is the long-term private key and b is a secret random value of the server S, the adversary 𝒜 cannot compute W* = kV, ID = f ⊕ W*_x or N = h(k||ID||b), and is therefore unable to forge sk or Auth = h(t||sk||N). Thus 𝒜 cannot impersonate the server S to the user U.

6.6 Off/On-line password guessing attack

In the proposed scheme, the adversary 𝒜 cannot determine the correct identity and password of U even if it extracts the information {r, a, A, G, n0} from SC. If 𝒜 guesses a pair (ID′, PW′), it can only test whether h((h(ID′) ⊕ h(PW′||a||ID′)) mod n0) = A. According to the "fuzzy-verifier" technique [40], this equation holds for roughly one in every n0 candidate pairs of the dictionary, so 𝒜 still cannot be sure whether ID′ and PW′ are the correct ID and PW. 𝒜 can only confirm a guess by launching an on-line guessing attack against the server S; the number of candidate pairs surviving the fuzzy check remains large enough to resist on-line guessing, and the smart card SC is suspended until U re-registers once the number of wrong logins exceeds the fixed threshold. Therefore, the proposed scheme withstands off-line and on-line password guessing attacks.
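The following added example (not the paper's code) quantifies the fuzzy-verifier argument above: it runs the off-line guessing attack with a stolen card against a small constructed dictionary, once with a conventional exact verifier A = h(h(ID) ⊕ VPW) and once with the fuzzy verifier A = h((h(ID) ⊕ VPW) mod n0), and counts how many candidate pairs each verifier accepts. SHA-256 stands in for h(⋅), and the dictionary sizes, n0 = 16 and the fixed card value a are illustrative assumptions.

```python
import hashlib, itertools

def h(*parts): return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def exact_verifier(ID, VPW, n0=None):
    """Conventional local verifier A = h(h(ID) xor VPW): exactly one pair matches."""
    return h(xor(h(ID), VPW))

def fuzzy_verifier(ID, VPW, n0):
    """Fuzzy verifier of the scheme: A = h((h(ID) xor VPW) mod n0), 2^4 <= n0 <= 2^8."""
    return h((int.from_bytes(xor(h(ID), VPW), "big") % n0).to_bytes(2, "big"))

def make_card(ID, PW, a, verifier, n0):
    """The card contents an adversary can extract with a side-channel attack: {A, a}."""
    return {"A": verifier(ID, h(PW, a, ID), n0), "a": a}

def offline_candidates(card, ids, pws, verifier, n0):
    """Off-line guessing with a stolen card: every (ID', PW') in D_id x D_pw whose verifier
    value equals the card's A. The true pair is always among the survivors."""
    return [(i, p) for i, p in itertools.product(ids, pws)
            if verifier(i, h(p, card["a"], i), n0) == card["A"]]

def demo(n0=16, n_ids=64, n_pws=64):
    """Constructed dictionaries of n_ids identities and n_pws passwords.
    Returns (survivors with the exact verifier, survivors with the fuzzy verifier)."""
    ids = [b"user%02d" % i for i in range(n_ids)]
    pws = [b"pw%02d" % j for j in range(n_pws)]
    ID, PW, a = ids[7], pws[42], b"\x01" * 16          # the real user and card salt
    exact = offline_candidates(make_card(ID, PW, a, exact_verifier, n0), ids, pws, exact_verifier, n0)
    fuzzy = offline_candidates(make_card(ID, PW, a, fuzzy_verifier, n0), ids, pws, fuzzy_verifier, n0)
    assert (ID, PW) in exact and (ID, PW) in fuzzy
    return len(exact), len(fuzzy)
```

With 64 × 64 = 4096 candidate pairs and n0 = 16, the exact verifier leaves the attacker with a single pair, while the fuzzy verifier leaves about 4096/16 = 256 pairs that can only be told apart on-line, where the server's lock-out threshold applies. The same 1/n0 ratio is the price paid at login time: a mistyped password passes the card's local check with probability 1/n0 and is then rejected by the server.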

6.7 Replay attack

Suppose that 𝒜 has captured all the communication messages {V, f, z}, {c_s G, Auth, t} and {Auth′} over the open channel and tries to replay them to U or S. The proposed scheme uses the random numbers {c_u, c_s, t}, which are fresh in every session, so the user and the server can immediately detect a replayed request or challenge when they verify the values bound to these random numbers. Therefore, the replay attack is prevented by the proposed scheme.

6.8 Session-specific temporary information attack

In the proposed scheme, suppose the random numbers c_u, c_s and t are compromised. The adversary 𝒜 can then compute W = c_u G and its x coordinate W_x, capture the transmitted messages {V, f, z, c_s G, t} and compute ID = f ⊕ W_x and V′ = c_s W. But to obtain the session key sk = h(N||W||G||V′||ID||t), 𝒜 must also know N, which is not available since N is protected by the private key k and the random number b of the server S. Hence 𝒜 still cannot compute the session key even though {c_u, c_s, t} are compromised. Therefore, the proposed protocol is secure against the session-specific temporary information attack.

6.9 Man-in-the-middle attack

Suppose that an adversary 𝒜 intercepts the login request {V, f, z} and also knows the information stored in the smart card. To mount a man-in-the-middle attack, 𝒜 would need to produce a valid request {V′, f′, z′} for the server S. Although 𝒜 can choose a random number of its own, it does not know N or the real identity ID, so it cannot compute a valid f′ and z′. Likewise, even if 𝒜 intercepts the challenge {c_s G, Auth, t}, it cannot forge a challenge that U will accept, since Auth depends on N and ID. Without the server's private key k and the random number b, computing N is infeasible for 𝒜. Thus the attacker cannot modify the login request or the challenge message, and our scheme resists the man-in-the-middle attack.

6.10 Mutual authentication

In the proposed scheme, S first checks the validity of the recovered ID, then authenticates U by verifying z and, at the end, the response Auth′. On the other hand, U authenticates S by checking Auth = h(t||sk||N). Consequently, the proposed scheme provides mutual authentication.

6.11 Perfect forward secrecy

For forward secrecy, we assume that the private key k of S is compromised and that the adversary 𝒜 also obtains the data {r, a, A, G} stored in the smart card and the transmitted message {V, f, z}. 𝒜 can compute W = kV and recover ID = f ⊕ W_x. But to compute a previous session key sk = h(N||W||G||V′||ID||t), 𝒜 must know c_u or c_s; obtaining c_u from V = c_u P or c_s from c_s G, or computing c_u c_s G from V and c_s G, is infeasible by the intractability of the ECDLP and ECCDHP. Thus, even with the private key k of the server and the contents of the smart card, 𝒜 cannot compute past session keys. As a result, the proposed scheme provides perfect forward secrecy.

6.12 Efficient password changing

In the proposed protocol, a user U who wants to change the password only needs to interact with the smart card SC, which performs a few local operations; the server S is not involved. Therefore, the password changing phase of the proposed protocol is efficient.

7 Formal security validation using AVISPA tool

AVISPA (Automated Validation of Internet Security Protocols and Applications) is a push-button software tool for the automated validation of Internet security-sensitive protocols and applications [44]. AVISPA supports the High Level Protocol Specification Language (HLPSL), in which the protocol to be verified is specified. The simulation results in AVISPA indicate whether the specified protocol is secure against active and passive attacks. The architecture of the AVISPA tool is depicted in Fig 3; a detailed introduction can be found in [44].
Fig 3. Architecture of the AVISPA tool.

Accordingly, in order to test the security of the proposed protocol, we also simulate it with the AVISPA tool. First, we specify the proposed protocol in HLPSL. The HLPSL specifications of the roles of the user U and the server S, and of the session, goal and environment, are depicted in Figs 4, 5 and 6, respectively. Since only the OFMC and CL-AtSe backends support Diffie-Hellman and the bitwise exclusive-OR (XOR) operation, we execute the specification through these two backends; the results report that our proposed protocol is SAFE against active and passive attacks under the Dolev-Yao model [45]. The simulation results of the proposed scheme are provided in Figs 7 and 8.
Fig 4. Role specification of U in HLPSL.

Fig 5. Role specification of S in HLPSL.

Fig 6. Role specification of the session, goal and environment in HLPSL.

Fig 7. The simulation result using the OFMC backend.

Fig 8. The simulation result using the CL-AtSe backend.

8 Comparative analysis of performance

This section analyzes the performance of our proposed scheme by comparing it with the schemes of Zhang et al. [27], Jiang et al. [34], Irshad et al. [31], Chaudhry et al. [38], Tu et al. [36], Zhang et al. [26], Farash [37] and Kumari et al. [39]. To compare computational complexity, we neglect lightweight operations such as the exclusive-OR operation and string concatenation. The notation used for the operation costs in this paper is as follows:

Tpa: the time for performing an elliptic curve point addition operation.
Tpm: the time for performing a point multiplication operation.
Tme: the time for performing a modular exponentiation operation.
Tsed: the time for performing a symmetric cryptography operation.
Th: the time for performing a hash operation.

According to the experimental results in [46], Th, Tpm, Tpa and Tsed take approximately 0.0023 ms, 2.226 ms, 0.0288 ms and 0.0046 ms, respectively. These timings were obtained on a personal computer with an Intel Pentium Dual CPU E2200 2.20 GHz processor, 2048 MB of RAM and the Ubuntu 12.04.1 LTS 32-bit operating system [46]. The comparative analysis is twofold: computational complexity (Table 2) and security features (Table 3).

Table 2. Comparison of computational complexity in the login-authentication phase.

Scheme | User computations | Server computations | Total computation overhead
Zhang et al. [27] | 4Th + 3Tpm | 4Th + 4Tpm | 8Th + 7Tpm ≈ 15.6004 ms
Jiang et al. [34] | 5Th + 4Tpm + 1Tpa | 4Th + 4Tpm + 1Tpa | 9Th + 8Tpm + 2Tpa ≈ 17.8863 ms
Irshad et al. [31] | 6Th + 4Tpm | 6Th + 3Tpm | 12Th + 7Tpm ≈ 15.6096 ms
Chaudhry et al. [38] | 5Th + 3Tpm + 1Tpa | 5Th + 3Tpm + 2Tsed | 10Th + 6Tpm + 1Tpa + 2Tsed ≈ 13.417 ms
Tu et al. [36] | 4Th + 3Tpm + 1Tpa | 4Th + 3Tpm | 8Th + 6Tpm + 1Tpa ≈ 13.4032 ms
Zhang et al. [26] | 6Th + 1Tpa + 5Tpm | 4Th + 2Tpa + 4Tpm | 10Th + 3Tpa + 9Tpm ≈ 20.1434 ms
Farash [37] | 5Th + 3Tpm + 1Tpa | 4Th + 3Tpm | 9Th + 6Tpm + 1Tpa ≈ 13.4055 ms
Kumari et al. [39] | 5Th + 1Tpa + 3Tpm | 5Th + 2Tme | 10Th + 1Tpa + 5Tpm ≈ 11.1818 ms
Ours | 7Th + 3Tpm | 5Th + 3Tpm | 13Th + 6Tpm ≈ 13.3859 ms
Table 3. Comparison of security features.

Security feature | Zhang et al. [27] | Jiang et al. [34] | Irshad et al. [31] | Chaudhry et al. [38] | Tu et al. [36] | Zhang et al. [26] | Farash [37] | Kumari et al. [39] | Ours
F1 | No | No | Yes | No | No | No | No | Yes | Yes
F2 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
F3 | No | No | No | No | No | No | No | No | Yes
F4 | ▫ | ▫ | ▫ | ▫ | ▫ | ▫ | ▫ | No | Yes
F5 | Yes | Yes | No | Yes | No | Yes | Yes | Yes
F6 | No | No | Yes | Yes | No | Yes | No | Yes | Yes
F7 | Yes | No | No | Yes | No | Yes | No | Yes | Yes
F8 | Yes | Yes | No | No | Yes | No | Yes | Yes
F9 | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes
F10 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
F11 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes
F12 | No | No | No | No | No | No | No | No | Yes

F1: Provides user anonymity and user un-traceability; F2: Resists privileged insider attack; F3: Provides pre-verification in the smart card; F4: Resists key-compromise impersonation attack; F5: Resists server impersonation attack; F6: Resists off/on-line password guessing attack; F7: Resists replay attack; F8: Resists session-specific temporary information attack; F9: Resists man-in-the-middle attack; F10: Provides mutual authentication; F11: Provides perfect forward secrecy; F12: Provides efficient password changing. “Yes” means the property is satisfied; “No” means the property is not satisfied and “▫” means the property is not discussed.

According to Table 2, the total computational cost of our proposed scheme in the login and authentication phase is 13Th + 6Tpm ≈ 13.3859 ms. The results show that the proposed scheme outperforms [26, 27, 31, 34, 36–38]. In comparison with Kumari et al. [39], our scheme has a slightly higher computational cost; however, this is an acceptable range under the trade-off between security and usability. From Table 3, we observe that the proposals [26, 27, 31, 34, 36–39] lack some security ingredients and have more security problems than the proposed scheme. In Kumari et al.’s scheme [39], the authors declared that their protocol is secure against the user impersonation attack, the password guessing attack and the session-specific temporary information attack applicable to Farash’s scheme [37]. On one hand, it is well known that perfect forward secrecy is a key security feature of a key agreement scheme, since it ensures the security of the session key. On the other hand, the key-compromise impersonation attack is also a fatal attack on SIP; if measures exist to resist this attack, why not design such a scheme? However, according to our observation, Kumari et al.’s scheme [39] cannot provide perfect forward secrecy and is vulnerable to the key-compromise impersonation attack.
Meanwhile, the key-compromise impersonation attack is not considered by any of the schemes in Table 3 except ours. We have taken effective measures to tackle the key-compromise impersonation attack in our scheme, namely, the server stores the random secret value b in its database. Besides, the proposed protocol utilizes the technique of “fuzzy-verifiers” [40] to resist the off-line identity guessing attack and provides more security features, including pre-verification in the smart card and efficient password changing. Therefore, the proposed scheme not only addresses the security problems of Kumari et al.’s scheme [39] but also retains all of its merits, as depicted in Table 3. Although our scheme employs a slightly more expensive elliptic curve point multiplication operation, as a trade-off it resists all known attacks, which are very important ingredients of the security of mutual authentication.
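As an added example serving both the password changing phase of Section 6.12 and the fuzzy-verifier remark above (the code is not the paper's or [40]'s own), the following Python models a smart card that stores a fuzzy verifier A beside the salt r: it pre-verifies the entered ID/password pair locally and changes the password without any round trip to S, while the small modulus n0 means a stolen card also accepts many wrong passwords, which is what blunts an off-line guessing attempt. The construction A = h(h(ID||PW||r) mod n0), the choice n0 = 2^8 and the salt r are assumptions made for this example.

```python
import hashlib

N0 = 2 ** 8   # fuzzy-verifier modulus; assumed value in the spirit of [40]

def h(data: str) -> int:
    """Stand-in for the paper's hash h(.), returned as an integer."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")

def fuzzy_verifier(ident: str, pw: str, r: str) -> int:
    """A = h((h(ID||PW||r)) mod n0): only n0 classes of (ID, PW) pairs are
    distinguishable, so the card alone cannot single out the real pair."""
    return h(str(h(ident + pw + r) % N0))

class SmartCard:
    """Holds {r, A}; checks the password locally and changes it without the server."""
    def __init__(self, ident: str, pw: str, r: str):
        self.r, self.A = r, fuzzy_verifier(ident, pw, r)

    def pre_verify(self, ident: str, pw: str) -> bool:
        """Pre-verification: reject a wrong ID/password before any message reaches S."""
        return fuzzy_verifier(ident, pw, self.r) == self.A

    def change_password(self, ident: str, old_pw: str, new_pw: str) -> bool:
        """Efficient password change: the old password is checked and A is refreshed on the card."""
        if not self.pre_verify(ident, old_pw):
            return False                 # wrong old password: rejected locally
        self.A = fuzzy_verifier(ident, new_pw, self.r)
        return True

def accepted_count(card: SmartCard, ident: str, candidates) -> int:
    """Number of candidate passwords the card accepts: the real one plus, on average,
    len(candidates)/n0 decoys, which is the protection the fuzzy verifier provides."""
    return sum(card.pre_verify(ident, pw) for pw in candidates)
```

The card check only screens local input; the server still performs the full authentication, so a decoy password that passes pre-verification is rejected by S.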

9 Conclusion

In this paper, we have provided a security analysis of Kumari et al.’s scheme [39], showing that their scheme [39] is vulnerable to the key-compromise impersonation attack and does not provide perfect forward secrecy, pre-verification in the smart card or efficient password changing. In order to remedy these limitations of Kumari et al.’s [39] scheme, we propose an enhanced authentication scheme with refined security. The proposed scheme inherits the merits of Kumari et al.’s [39] scheme, resists the aforementioned attacks and provides more comprehensive security features, at a slightly higher computational cost than [39]. Additionally, the simulation results obtained with the AVISPA software indicate that the proposed protocol is secure against active and passive attacks. Finally, in comparison with the previously proposed schemes, we conclude that the proposed protocol is more secure and effective to be implemented in real-life scenarios. In fact, many of the existing protocols cannot provide unconditional security. In order to enhance the security of authentication protocols, a number of three-factor authentication protocols have been designed. Therefore, in our future work, we will design a more secure three-factor mutual authentication protocol based on smart cards to be implemented in many practical scenarios, such as the Internet of Things, wireless sensor networks, medical care systems, vehicular ad hoc networks, etc.

Figure files available as additional data (EPS): Registration and authentication phase of our scheme; Architecture of the AVISPA tool; Role specification of U in HLPSL; Role specification of S in HLPSL; Role specification of the session, goal and environment in HLPSL; The simulation result using the OFMC backend; The simulation result using the CL-AtSe backend.