An improved and efficient mutual authentication scheme for session initiation protocol.

Qiu et al. made a security analysis about the protocols of Chaudhry et al. and Kumari et al. in 2018, and they pointed out that there are many security weaknesses in the protocols. To improve the security, Qiu et al. proposed an advanced authentication scheme for Session Initiation Protocol on the basis of the previous protocols and claimed that their own protocol was very secure and practical. However, we demonstrate that the protocol of Qiu et al. has a serious mistake which causes their protocol cannot be executed normally. Beyond that, we also find out that their protocol cannot withstand insider attack and denial service attack. In order to remove these weaknesses, we propose an efficient provably secure mutual authentication scheme. Furthermore, our scheme provides security analysis with the help of Burrows-Abadi-Needham (BAN) logic. Compared with their protocol, ours has greater security and better performance.

1 | Introduction

With the network of universal gradually, we often send messages, make phone calls and watch videos via the network, which brings great convenience to our lives. However, the network security issues become increasingly prominent. In order to enhance the security of the Session Initiation Protocol (SIP) in communication via the network, lots of scholars have proposed numerous solutions. The first authentication scheme about SIP on the basis of Hypertext Transport Protocol (HTP) authentication was proposed in 1999 [1], but Yang et al. [2] proved that the scheme was insecure in 2005, then they proposed an improved scheme. In fact, the scheme of Yang et al. still has security loopholes. Latterly, although some scholars want to design secure and practical schemes [3-11], the most schemes have more or less flaws.

In recent years, Zhang et al. [12] proposed a remote mutual authentication protocol with protecting user anonymity for SIP, but there are also lots of loopholes in their protocol too. It was as expected that Lu et al. [13] showed that their protocol lacks mutual authentication and cannot resist insider attack in 2016. In order to remove these weaknesses, Lu et al. proposed a new scheme protocol based on the protocol of Zhang et al., but it still had fatal weaknesses in security. Chaudhry et al. [14] found that the scheme of Lu et al. is invalid to impersonation attack. Besides, Kumari et al. [15] showed that the scheme of Lu et al. cannot withstand identity guessing attack and forgery attack. According to their conclusion, Chaudhry et al. proposed a mutual authentication protocol, Kumari et al. proposed an authentication protocol too. However, on the basis of the schemes of Chaudhry et al. and Kumari et al., Qiu et al. [16] demonstrated their schemes are frail for some attacks including insider attack, off-line guessing attack and so on. To overcome these defects, Qiu et al. proposed an improved mutual authentication scheme, claiming that the scheme not only could resist above certain attacks, but also adopted a method of generating random numbers instead of time labels to solve the problem that time is difficult to synchronize. We have to admit that the improved scheme of Qiu et al. did remove certain weaknesses. But after our analysis, we find that the scheme of Qiu et al. has a serious mistake which make the scheme cannot execute properly and cannot resist some attacks. Considering the worst condition, the adversary affects user password update even accesses crucial information of a legal user. In order to overcome the weaknesses, we design a new, more secure and high-performance scheme.

We will focus on the rest seven sections to describe our paper, section 2 reviews Qiu et al.’s scheme. In section 3 we pay attention to analyze the weaknesses about Qiu et al.’s scheme. Section 4 describes our proposed scheme. Next section 5 and section 6 mainly provide analysis and proof of security. Section 7 gives the performance comparison among our scheme and the relative schemes of other scholars. Finally, section 8 shows the conclusion of our scheme.

2 | Review of the scheme of Qiu et al.

In this section, we will briefly review Qiu et al.’ s scheme [16], which contains three phases: registration phase, login and authentication phase and password update phase. The detailed information about the three phases is shown as follows.

Before we show each phase, the notations which throughout this paper are introduced in Table 1 firstly.

Table 1

The notations of the schemes.

Symbol	Description
U	A legitimate user
S	The remote server
Id	The identity of the U
Pw	The password of the U
Up	The secret key of the U
Sp	The private key of the S
Qs = Sp·P	The public key of the S
h(·)	A one-way hash function
||	String concatenation operation
⊕	The bitwise XOR operation
sk	The session key between U and S

2.1| Registration phase

During the registration phase, user U and server S do the following operations to finish registering.

U⇒S:{Id,HId}:

A user U registers to server S with his/her identity Id, password Pw and secret key Up. After that, U completes VPw = h(Pw‖Up), HId = h(Id‖VPw) and transmits {Id, HId} to sever S.

After receiving Id and HId, S will compute N =HId⊕h(S) and store N into database.

2.2| Login and authentication phase

If a user U completed the registration phase successfully and wants to access request to the server S, U and S should perform the following steps.

U→S:{B,X,T}:

The user U accesses server S with his or her identity Id, password Pw and secret key Up. After that U calculates VPw = h(Pw‖Up), generates a long random number r and computes HId = h(Id‖VPw), W = h(Id‖Up), X = r⋅P, Y = r⋅Q, B = W⊕h(HId‖Y) and T = h(B‖Y‖W). After completion of calculation, U sends {B,X,T} to server S.

S→U:{E,Auth}:

When server S receives message {B,X,T}, it will calculate HId = N⊕h(S), Y = S⋅X, W = B⊕h(HId‖Y) and check whether T* = h(B‖Y‖W) is equal to T. If not valid, the session will be terminated by S, otherwise server S generates a long random number r′ and calculates E = r′⋅Q, sk = r′⋅Y, Auth = h(sk‖W‖Y). After that, S transmits information {E,Auth} to U.

U→S:{Auth}:

Upon getting {E,Auth}, U calculates sk = r⋅E,Auth′= h(sk‖W‖Y). Then U checks whether Auth′ = Auth. If valid, then U computes Auth = h(sk‖W‖Y‖E) and sends result Auth to S, else terminates the session.

Once receiving the message {Auth}, S computes Auth′= h(sk‖W‖Y‖E). If Auth′ is not equal to Auth, S terminates the session. After that, the user U communicates with server S based on the common session key sk = sk = sk = r⋅r′⋅Q.

2.3| Password update phase

For a legitimate user U, if he or she wants to change own password Pw for some reasons, the following steps will be performed.

U→S:{V,M}:

U already picks a new password Pw and a new secret key Up, after that he or she inputs identity Id, password Pw and secret key Up. U computes V = h(sk‖h(Id‖h(Pw‖Up))) and M = h(Id‖sk)⊕h(Id‖h(Pw‖Up)), then U transmits message {V,M} to S.

After obtaining message {V,M}, S computes V* = h(sk‖N⊕h(S)) firstly, then S judges if the value of V* is equal to V. If holds, S will replace N with N by computing N = h(S)⊕h(Id‖sk)⊕M into database. If not, S fails to change password and exits the session.

3 | Weakness of scheme proposed by Qiu et al.

In this section, we analyze the weaknesses of Qiu et al.’ s scheme [16] carefully. After our study, we find that their scheme has a serious mistake which causes the scheme cannot executed normally. What is more, their scheme cannot resist insider attack, denial service attack and makes user U have poor experience [17].

3.1 | Serious mistake

In registration phase of Qiu et al.’s scheme, we notice that information N is stored into database alone. As is known to all, there should be some information like identity Id correspond to N in the database. Or else in login and authentication phase in their scheme, when S receives message from users, S cannot match corresponding N in database without the help of the corresponding information. So, the scheme of Qiu et al. is unable to carry out normally.

Perhaps Qiu et al. just forgot corresponding information, here we help them supply corresponding information on the basis of the scheme of Qiu et al. In registration, S only knows information Id, HId and N which relates to U. HId is the most important secret data during the entire protocol execution process, so the server cannot store HId in the database but stores Id. We assume a semi honest server S0 has the ability of gaining and calculating the sensitive information in the sever. If Id corresponds to N, we notice that an adversary S0 can obtain {Id*, Up*, Pw*} of a legitimate user U* in login and authentication phase by off-line guessing attack, the specific steps are as follows.

Step 1: According to the login and authentication process in the scheme of Qiu et al., S0 will get the values of HId* and W* at time of calculating HId* = N*⊕h(S) and W* = B*⊕h(HId*⊕Y*). Besides, because Id* corresponds to N*, S0 can get the corresponding value of Id*.

Step 2: After getting user U's sensitive information {Id*, HId*, W*}, S0 can guess the value of Up* from the identity space by calculating W* = h(Id*||Up*). According to the same truth, S0 can guess the value of Pw* from the identity space by calculating HId* = h(Id*||VPw*) = h(Id*||h(Pw*||Up*)). Obviously, S0 can access {Id*, Up*, Pw*}.

Through the above steps, S0 has successfully accessed information {Id*, Up*, Pw*} of a legal user U*.

3.2 | Insider attack

In this part, we assume that a malicious insider adversary A can obtain some sensitive information in the database of server S. In Qiu et al.’s scheme, the adversary A can achieve insider attack by registering as a legitimate user. Firstly, he masquerades as a legitimate user in registration to input identity Id*, password Pw* and secret key Up*, then S will store the corresponding value N* into database and he can get the value N* form the database of sever S. After that A has already mastered the information {Id*,Up*,Pw*,N*}. On the basis of formulas HId = h(Id‖h(Pw‖Up)) and HId = N⊕h(S), A can get h(S) = N*⊕h(Id*‖h(Pw*‖Up*)). In addition, A can get other user’s N0 in the database, so he will get the user’s corresponding HId0 by formula HId0 = N0⊕h(S). In login and authentication phase, A can impersonate to be the user U0 to access sever S by corresponding N0 and HId0. The specific steps are as follows.

U0→S:{B0,X0,T0}:

Adversary A chooses random numbers r, W and computes X0 = r0⋅P, Y0 = r0⋅Q B0 = W0⊕h(HId0‖Y0) and T0 = h(B0‖Y0‖W0). After completion of calculation, U0 sends information {B, X, T} to server S.

S→U0: {E,Auth}:

Once getting message {B, X, T}, S computes HId0′ = N⊕h(S), Y0′ = S⋅X0 and W0′ = B0⊕h(HId0′‖Y0′). Obviously, the verification equation T0′ = h(B0‖Y0′‖W0′) is true. Next S generates random number r′ and computes E = r′⋅Q, sk = r′⋅Y0′, Auth = h(sk‖W0′‖Y0′). After that, S transmits {E,Auth} to U0.

U0→S:{Auth}:

When getting {E,Auth}, U0 computes sk = r0⋅E, Auth = h(sk‖W0‖Y0‖E) and sends {Auth} to S.

After receiving the message {Auth}, S computes Authu′ = h(sk‖W0′‖Y0′‖E) and gets a conclusion that Auth′ is equal to Auth. Finally, the user U0 communicates with server S based on the common session key sk = sk = sk = r0⋅r′⋅Q

We draw a conclusion that A can masquerade as an arbitrary legitimate user for entering server S by insider attack.

3.3| Denial service attack

We assume that an adversary A is able to intercept message which is transmitted between U and S. At password update phase in Qiu et al.’s scheme, U sends the result values of V and M to S. The adversary A intercepts message {V, M} and forges M by generating random number, then A transmits {V, M} to S. Apparently, A will pass verification of S by checking whether V is equal to V*. After that, S computes N = h(S)⊕h(Id‖sk)⊕M0 and replaces N with N in the database. Because of the falsify of N, the user U will fail to pass verification in next login and authentication phase.

3.4 | Defects of practicality

In term of Qiu et al.’s scheme, we find that a user U needs to remember identity Id, password Pw and secret key Up. It is a burden for users to keep in mind with three different data. If a user U wants to change password, according to the password update phase of Qiu et al., he or she has to bear in mind with a new password Pw and a new secret key Up. For the most users, it is hard to remember so much information. Therefore, the scheme of Qiu et al. has poor practicability.

4 | Our proposed scheme

In this section, in order to improve the security, we design an efficient provably secure mutual authentication scheme. Compared with the scheme of Qiu et al., our proposed scheme can resist various attacks and there is less pressure for users to remember. Our scheme consists of three phases: registration phase (see Fig 1), login and authentication phase (see Fig 2) and password update phase (see Fig 3). The proposed scheme is described as follows.

Fig 1

Registration phase.

Fig 2

Login and authentication phase.

Fig 3

Password update phase.

4.1| Registration phase

For a legal user U, if he or she wants to access the system, the necessary step is to register with the server S by submitting identity ID and password PW. User U and server S will perform the following steps.

U generates a long random number r and computes VPw = h(PW‖ID‖r) and HId = h(ID⊕r). Then U transmits {VPw,HId} to S by a secure channel.

After receiving the data, S computes N = VPw⊕h(S‖HId) and R = h(S⊕VPw). Then S stores {HId,N} into database and issues a smart card which contains R to U through a secure channel.

After receiving the smart card, U computes VR = h(PW⊕ID)⊕r and stores VR into the smart card.

4.2| Login and authentication phase

When a user U wants to acquire the service from server S, he or she should insert his or her smart card into card reader and enter his or her identity ID and password PW. U and S will perform the following steps.

The user U generates a random number r, and computes r′ = VR⊕h(PW⊕ID), HId′ = h(ID⊕r′), VPw′ = h(PW‖ID‖r′), C = h(R⊕VPw′)⊕r and Auth = h(r⊕HId′⊕VPw′). Then U transmits {HId′,C,Auth} to the server S.

After receiving the message, S extracts N according to corresponding HId′ from the database and calculates VPw′′ = N⊕h(S‖HId′), R′ = h(S⊕VPw′′), r′ = h(R′⊕VPw′′)⊕C. Then checks whether the value of Auth is equal to h(r′⊕HId′⊕VPw′′). If holds, S picks a random number r, computes sk = h(r′‖r‖HId′), D = h(R′‖VPw′′)⊕r, Auth = h(sk‖D) and transmits {D, Auth} to U. Otherwise, S terminates the session.

When U receives the message, U computes r′ = h(R‖VPw′)⊕D, sk = h(r‖r′‖HId′), checks whether Auth is equal to h(sk‖D). If success, user U and server S share the same session key sk = h(r′‖r‖HId′) = sk = h(r‖r′‖HId′). If not, the smart card aborts the session.

4.3| Password update phase

If a user U needs to change password PW for a number of reasons, he or she only needs to input identity ID, password PW and new password PW. User U and server S will perform the following steps.

The user U calculates r′ = VR⊕h(PW⊕ID), HId′ = h(ID⊕r′), VPw′ = h(PW‖ID‖r′), VPw = h(PW‖ID‖r′) and C1 = h(R⊕VPw′)⊕VPw. After generating a random number r, U continue computing C2 = h(VPw′⊕VPw)⊕r, Auth = h(r⊕HId′⊕VP). After that, U transmits {C1, C2, HId′, Auth} to S.

Upon receiving the message, S computes VPw′′ = N⊕h(S‖HId′), R′ = h(S⊕VPw′′), VPw′ = C1⊕h(R′⊕VPw′′) and r′ = C2⊕h(VPw′′⊕VPw′). Then S checks whether the value of Auth is equal to h(r′⊕HId′⊕VPw′). If not, S terminates this session, else continues to calculate N′ = VPw′⊕h(S‖HId′) to replace N with N' in the database. Finally, S computes R = h(S⊕VPw′), D = h(R′‖VPw′‖r′)⊕R and Auth = h(VPw′⊕R). After that, message {D, Auth} will be transmitted to U.

After receiving the message {D, Auth}, U gets R' by computing R′ = D⊕h(R‖VPw‖r) and checks whether the value of Auth is equal to h(VPw⊕R′). If success, S computes VR′ = h(PW⊕ID)⊕r′ and replaces {VR, R} with {VR', R'}, else terminates this session.

5 | Security analysis

In this part, we demonstrate our scheme is secure, practical and can provide kinds of security requirements. We assume that an adversary A might perform various attacks [18-21]. More detailed information is as follows.

5.1 |Insider attack

Assume that an adversary A can obtain N and HId of a legitimate user that stored in database. Because computational formulas are HId = h(ID⊕r), N = VPw⊕h(S‖HId), VR = h(PW⊕ID)⊕r, R = h(S⊕VPw) and VPw = h(PW‖ID‖r). Without the random number r, A cannot get the sensitive information ID or PW and cannot compute important secret data such as R and VPw form known data. Therefore, our scheme can resist insider attack.

5. 2|User anonymity

In the public channel, we do not send Id directly but transmit HId which is computed by means of the formula HId = h(ID⊕r). Even if A can access the value of HId, A still cannot get the sensitive information Id. Because the formula contains a random number r which A does not know. Therefore, our proposed scheme provides user anonymity.

5. 3|Replay attack

In our proposed scheme, the random numbers r and r change in every login. For an adversary A, he can intercept information {HId', C, Auth} and replay this message. Obviously, A can pass the verification of the server S and will receive the corresponding message {D, Auths} form sever S. Because A does not have a knowledge of the correct values R, VPw and r, he cannot compute r′ = h(R‖VPw′)⊕D and sk = h(r‖r′‖HId′). Therefore, our scheme is security even under replay attack.

5. 4| off-line password guessing attack

In our scheme, if an adversary A accesses exchanged information {HId', C, Auth, D, Auth} which is transmitted in a public channel [22,23]. Because of the formula HId′ = h(ID⊕r′), A is unable to guess correct ID without r′. In addition, in the formulas VPw′ = h(PW‖ID‖r′), C = h(R⊕VPw′)⊕r, A cannot guess PW correctly without the value ID and r'. Therefore, our scheme has an advantage of resisting off-line password guessing attack.

5. 5| Smart card lost attack

If an adversary A steals the smart card, he is able to get the VR and R which are stored in the smart card. Because the formulas are VR = r′⊕h(PW⊕ID) and C = h(R⊕h(PW‖ID‖r′))⊕r, without the knowledge of r’ and r, A cannot guess the correct identity ID and password PW. If A wants to communicate with S, he needs to structure legitimate {HId', C, Auth}. Because of the formulas HId′ = h(ID⊕r′), C = h(R⊕h(PW‖ID‖r′))⊕r, Auth = h(r⊕HId′⊕h(PW‖ID‖r′)), without identity ID and password PW, A is unable to pass through the verification of server S. Therefore, our scheme can resist smart card lost attack.

5. 6| Impersonation attack

For an adversary A, in authentication phase, if he wants to masquerade as a legal user U and login in server S, he must forge a valid login message {HId', C, Auth}. It is impossible for A to forge valid login message without legitimate identity ID, password PW, VR and R. The same is true, if A wants to masquerade as the server S, he has to counterfeit message {D, Auth}. Without valid information N, A is unable to obtain {D, Auth} which can pass through verification of the user U. Furthermore, in password update phase, A is unable to forge valid C1, C2 and Auth to pass the authentication of server S. In the same way, A is unable to forge valid D and Auth to pass the verification of user U. Therefore, our scheme can resist impersonation attack.

5. 7| Man-At-The-End attack

Man-At-The-End attack [24] contains widespread aspects and is difficult to model. The technical adversary is human that we call A here, he could authorize and limitless access to the target. All security protections stand up to A for a specific period of time. Because Man-At-The-End attack has concrete form in certain circumstance, one of the defense details is as follows:

A could personate a legitimate user to register and access the sensitive value of N* from the database end. His own identity ID*, password PW* are known. According to formulas h(S‖HId) = VPw⊕N, VPw = h(PW‖ID‖r) and HId = h(ID⊕r). Without having knowledge about the value of random number r, he will take unpractical time cost to computer S, by formulas h(S‖h(ID*⊕r)) = h(PW*‖ID*‖r)⊕N*. Our scheme offer a defense and A is unable to obtain important information S.

Although A could execute other forms and is hard to analyze, many protective devices have ability to against the attack, include software protection, hardware protection and digital asset protection, more details are reference no.24. Hence, our scheme can make a defense against Man-At-The-End attack.

5. 8| Perfect forward secrecy

When the system crashes in one session, an adversary can acquire information ID, PW, S and intercept message {HId', C, Auth} and {D, Auth}. For an adversary A, he wants to get sk = sk = h(r‖r‖HId′). But without the knowledge of the correct values VR and R, he cannot compute r′ = h(R′⊕VPw′′)⊕C, r′ = h(R‖VPw′)⊕D correctly. Finally, A still have no ability to get the session key to eavesdrop session. Hence, our scheme provides perfect forward secrecy.

6 | Security proof

Security model: Burrows–Abadi–Needham logic (also known as the BAN logic) is a set of rules for defining and analyzing information exchange protocols [25]. Specifically, BAN logic helps its users determine whether exchanged information is trustworthy, secured against eavesdropping or both.

In this section, we will demonstrate that our scheme is secure and practical by the Burrows-Abadi-Needham (BAN) logic. We list some essential BAN-Logic symbols and formulas as follows, Table 2 introduces the notations of symbol and Table 3 introduces notations of formula. Supposing that P and Q are the symbols of participants, X and Y are statements as symbols, and K is the symbol for hash function key, next notations include more detailed explanation. We give reasoning process based on BAN-Logic in the following steps.

Table 2

Notations of symbol.

Symbol	Description
P|≡X	P believes X
P⇒X	P has jurisdiction over X
#(X)	X is fresh
P⊲X	P sees X
P|~X	P once said X
(X,Y)	X or Y belongs to (X, Y)
(X)K	X is hash with the key K
P↔KQ	P communicates with Q using key K

Table 3

Notations of formula.

Formula	Description
P|≡P↔KQ,P⊲(X)_KP|≡Q|∼X	The message meaning rule
P|≡#(X)P|≡#(X,Y)	The freshness rule
P|≡#(X),P|≡Q|∼XP|≡Q|≡X	The nonce-verification rule
P|≡Q⇒X,P|≡Q|≡XP|≡X	The jurisdiction rule
P|≡Q|≡(X,Y)P|≡Q|≡X	The believe rule

Step 1 Our goals

In order to make our scheme practicable, we list some goals which need to be achieved.

Goal 1. .

Goal 2. .

Goal 3. .

Goal 4. .

Step 2 Idealized form

We show the idealized message form between user U and server S as follows.

Msg 1. .

Msg 2. .

Step 3 Initial state

We transform some premises about authentication and login phase in our scheme.

Aspt 1. U|≡#(r).

Aspt 2. S|≡#(r).

Aspt 3. .

Aspt 4. .

Aspt 5. .

Aspt 6. .

Aspt 7. .

Aspt 8. .

Aspt 9. .

Aspt 10. .

Aspt 11. .

Aspt 12. .

Step 4 Derivation process

We prove that user U and server S can set up the session key by combining with the above information.

(1) The proof of goal 1 and goal 2:

S 1.

On the basis of Msg 2, we get that , in the light of Aspt 7, we know that . Because of the message meaning rule, we get the following results:

S 2.

According to S 1 and Aspt 1, we know that and U|≡#(r). Owing to the nonce verification and the freshness rule, which is listed as follows.

S 3.

In line with S 2, we could achieve: and

Goal 1 is realized apparently.

S 4.

According to and Aspt 3 , By the jurisdiction rule, we confirmedly know that . According to , Aspt 5 , Aspt 9 and sk = h(r‖r‖HId), we make a representation is as follows:

So, we have achieved Goal 2.

(2) The proof of goal 3 and goal 4:

S 5.

From Msg 1, we know that , because of Aspt 8 and the message meaning rule, we can deduce that:

S 6.

On the basis of S 5 and Aspt 2, we know and S|≡#(r), owing to the nonce verification and the freshness rule, we obtain result what is as follows:

S 7.

According to S 6 and Aspt 4 , because of the jurisdiction rule, we could obtain . Form Aspt 6 , Aspt 10 and the formula sk = h(r‖r‖HId), we are able to get:

Goal 4 is accomplished.

S 8.

According to S 6 and Aspt 11 , Aspt 12 . Because of the formula sk = h(r‖r‖HId), we have following.

Distinctly, Goal 3 of our claim is achieved.

According to the proof above, our goals are achieved. We hold a sufficient reason to believe that both U and S believe that the session key sk which is shared between U and S.

7 | Performance comparison

The experience of users play an important role in protocol. During this part, we will show a performance comparison between our scheme and the other schemes (see Fig 4). Before making a comparative analysis, we assume that one elliptic curve point multiplication operation is T, one hash function operation is T. Other operations like generating a random number and exclusive-OR operation spend less time, which have little effect on performance comparison. So, we neglect the lightweight operations at this time. Before performance simulation test, we analysis performance of other protocols and ours in theory. So, we list Table 4 to descript theoretical time spend comparison.

Fig 4

Time consumption comparison of other scholars' protocols and ours.

Table 4

Comparison of our scheme and others.

Phase	Our scheme	Qiu et al.’s protocol [16]	Chaudhry et al.'s protocol [14]	Kumari et al.'s protocol [15]
Registration phase	5Th	3Th	3Th	2Th
Authentication phase	15Th	12Th +6Tpm	7Th +6Tpm	10Th +6Tpm
Password update phase	19Th	10Th		8Th
Total	39Th	25Th +6Tpm	10Th +6Tpm	20Th +6Tpm

From Table 4, at registration phase, execution time of our scheme mainly lies on executing 5T. In other three protocols, execution time mainly lies on executing 3T, 3T and 2T. At authentication phase, execution time of our scheme mainly depends on executing 15T. Meanwhile, execution time of other three protocols mainly depends on executing 12T +6T, 7T +6T, 10T +6T. At password update phase, execution time of our scheme mainly lies on executing 19T. And the other two protocols’ execution time mainly depends on executing 10T and 8T. The protocol of Chaudhry et al. lacks the phase of password update. In those four protocols, total execution time are 39 T, 25 T +6 T, 10 T +6 T, 20 T +6 T respectively.

In those four protocols, we find that our scheme performance mainly bases on hash function and the protocols of Qiu et al. [16], Chaudhry et al. [14] and Kumari et al. [15] are based on hash function and elliptic curve point multiplication. At registration phase and password update phase, we use a little more hash functions than those protocols. But the registration phase needs to be carried out only one time, so it has almost no effect on overall performance. And password update phase is not commonly used for a certain user, so it has little effect in practical applications. From authentication phase and total phases, though we use too many hash functions, other protocols all use six elliptic curve point multiplications. It is obvious that T is many times as much as T. Compared with other protocols, our scheme has a great advantage on computational costs in usual authentication phase and total phases.

We perform simulant performance comparison under the same computer simulation environment and write programs according to the schemes strictly. In the experiment, we run one hundred times to get the average data. According to the Fig 4, at registration phase, the time consumption in schemes of Qiu et al. [16], Chaudhry et al. [14] and we are all 0.00075s and Kumari et al.’s [15] scheme is 0.00088s. At password update phase, the time consumptions are 0.0018s, 0.001s, 0.0011s respectively. Although those scholars' protocols have a little bit better performance at registration phase and update phase, in practical application, those scholars' frequently-used authentication phases spend more time compared with our authentication phase. The costs of time are 0.0223s, 0.0201s, 0.0216s respectively, but ours is only 0.0023s. From comparative analysis, our total time is less than others. Obviously, our scheme is more efficient and more practice in application.

8 | Conclusion

In this paper, we review Qiu et al.’s protocol and find that it is vulnerable to some known attacks such as insider attack and denial service attack, then we review the scheme and carry on a strict security analysis about their scheme. Next, in order to solve these problems, we propose our more secure and more convenient scheme. Security analysis shows that our scheme can resist insider attack, off-line password guess attack and more, we give a sufficient reason. Then in security proof section, we adopt the BAN-logic to prove our scheme is secure and realizable. In the end, we make a performance comparison, the result shows that our scheme can be more suitable for users in SIP. Because under the same conditions, we can establish connections faster. In conclusion, compared to other protocols, our scheme is more security and practical.

Transport details between user and server in registration phase.

(TIF)

Click here for additional data file.

Transport details between user and server in login phase.

(TIF)

Click here for additional data file.

Transport details between user and server in update phase.

(TIF)

Click here for additional data file.

Performance Analysis Chart of the four schemes.

(TIF)

Click here for additional data file.

Zhang’s scheme.

The VS code for analyzing the performance of the Zhang’s scheme.

(ZIP)

Click here for additional data file.

Qiu’s scheme.

The VS code for analyzing the performance of the Qiu’s scheme.

(ZIP)

Click here for additional data file.

Kumari’s scheme.

The VS code for analyzing the performance of the Kumari’s scheme.

(ZIP)

Click here for additional data file.

Chaudhry’s scheme.

The VS code for analyzing the performance of the Chaudhry’s scheme.

(ZIP)

Click here for additional data file.