A novel user authentication scheme with anonymity for wireless ...

SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2014; 7:1467–1476 Published online 13 August 2012 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.601

SPECIAL ISSUE PAPER

A novel user authentication scheme with anonymity for wireless communications

Jianwei Niu1* and Xiong Li2,3

1 State Key Laboratory of Software Development Environment, Beihang University, Beijing 100191, China
2 School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China
3 State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China

ABSTRACT

User authentication and privacy protection are important issues for wireless and mobile communication systems such as GSM, 3G, and 4G wireless networks. Recently, Yoon et al. proposed a user-friendly authentication scheme with anonymity for wireless communications. However, in this paper, we show that user anonymity of their scheme is not achieved under the eavesdropping attack and their scheme is not fair in the key agreement. In order to ensure security authentication and protect user anonymity for wireless communications, we propose a novel user authentication scheme with anonymity based on elliptic curve cryptosystem, which can resist various known types of attacks and is more practical for wireless and mobile communications. Copyright © 2012 John Wiley & Sons, Ltd.

KEYWORDS

authentication; user anonymity; smart card; password; wireless communications; elliptic curve cryptosystem

*Correspondence

Jianwei Niu, State Key Laboratory of Software Development Environment, Beihang University, Beijing 100191, China. E-mail: [email protected]

1. INTRODUCTION

With the rapid development of information and communication technology, wireless and mobile communication systems such as GSM, 3G, and 4G wireless networks are rapidly extending their capabilities. Because of the increasing bandwidth, flexibility, and freedom of wireless and mobile communications, they are becoming important choices of communication infrastructure besides the traditional Internet networks. By using a wireless and mobile communication channel, which can also serve as an access method to the Internet, the mobile user (MU) can access the services provided by their home agent (HA) when they visit a foreign agent (FA) anytime and anywhere. However, in almost all communication and information systems, such as the traditional Internet networks, group-oriented communication systems [1], wireless sensor networks [2–4], radio-frequency ID systems [5,6], ad-hoc networks [7], and so on, security protection such as user authentication [8–11] is an important issue, and wireless and mobile communication networks [12] are no exception. When an MU roams to an FA and would like to access it, the FA must authenticate the validity of the MU through its HA. Generally, a strong user authentication scheme in wireless networks should satisfy some security and practical requirements such as user anonymity, low communication cost and computational complexity, single registration, and periodic updating of the session key.

This paper first reviews the user authentication scheme with anonymity for wireless communications proposed by Yoon et al., then analyzes its weaknesses with respect to security and practical requirements, and lastly proposes a novel user authentication scheme with anonymity for wireless communications based on elliptic curve cryptosystem (ECC). The rest of the paper is organized as follows. Section 2 briefly describes related works. In Section 3, we provide a brief review of the scheme of Yoon et al. Section 4 analyzes the scheme of Yoon et al. from security and practical considerations. The proposed user authentication scheme with anonymity for wireless communications and the corresponding analysis are presented in Sections 5 and 6, respectively. Finally, we draw our conclusions and outline future works in Section 7.

2. RELATED WORKS

In order to verify the identity of a legal MU and ensure anonymity of the MU to protect his or her privacy simultaneously, researchers have proposed many authentication schemes for seamless roaming over wireless communications [13–23]. In 2004, Zhu and Ma [23] proposed an efficient authentication scheme with anonymity for wireless communications. Their scheme is based on hash function and smart cards, and it provides not only high security but also low computation on the MU side. Moreover, their scheme requires only four message exchanges between MU, FA, and HA. Therefore, their solution has low computation complexity and low communication cost. However, Lee et al. [15] showed that the Zhu–Ma scheme cannot achieve perfect backward secrecy or mutual authentication and cannot resist the forgery attack, and then they proposed an improved scheme. However, Wu et al. [17] pointed out that both the Zhu–Ma scheme and the scheme of Lee et al. failed to provide user anonymity. From their analysis, an attacker who has registered as a user of an HA can get the identity of other users who registered at the same HA. To remedy this weakness, they proposed their improvement of the scheme of Lee et al. However, their improvement also proved unable to protect the user anonymity [19,22]. Later, Xu et al. [20] pointed out that both schemes in [23] and [15] are vulnerable to the insider attack and that the scheme in [15] suffers from key agreement unfairness and lack of user friendliness. At almost the same time, He et al. [14] showed that the scheme in [19] was also vulnerable to replay attacks and two impersonation attacks. Two enhanced schemes were proposed by Xu et al. [20] and He et al. [14]. But Li and Lee [16] showed that the scheme of He et al. has the following drawbacks: lack of user friendliness, unfairness in key agreement, and loss of user anonymity. Most recently, in order to remedy the weaknesses of the previous related schemes, Yoon et al. [21] proposed a user-friendly authentication scheme with anonymity for wireless communications. They claimed that their scheme had several properties such as choosing passwords freely, providing user anonymity, no need for a verification table, providing mutual authentication and secure session key establishment, and so on. However, in this paper, we will show that the scheme of Yoon et al. is unfair in key agreement and cannot really protect user anonymity. In this paper, we propose a novel user authentication scheme with anonymity for wireless communications based on ECC [24], which has proved suitable for computation-constrained devices such as smart cards. Also, we will analyze and compare the proposed scheme with other related schemes in functionality and efficiency.

3. OVERVIEW OF THE SCHEME OF YOON ET AL.

The notations used throughout this paper are summarized in Table I. For a detailed analysis, we first review the anonymity authentication scheme for wireless communications of Yoon et al. [21]. There are three parties in the protocol of Yoon et al., that is, the MU; the HA of the MU; and the FA of the network. When the MU visits a new foreign network, the FA needs to authenticate the MU through the user’s HA. During the initialization process, each FA and HA first choose a random number SFA and SHA as his or her private key, and then compute the corresponding public key PFA and PHA, respectively. Afterwards, each FA’s certificate CertFA and the HA’s certificate CertHA should be published. For security consideration, they should be certified by a trusted authority. The certificate CertA of entity A contains the identity IDA of entity A, the public key PA of entity A, and so on. Their scheme contains three phases, that is, the registration phase, the authentication phase, and the ith roaming phase (which means that the MU stays within the FA’s coverage, and MU visits FA at the ith session). We show each phase in Figures 1–3, respectively, and more details are provided in the following parts.

Table I. Notations used in this paper.

| Notation | Description |
| --- | --- |
| HA | Home agent of a mobile user |
| FA | Foreign agent of the network |
| MU | Mobile user |
| PWMU | A password of MU |
| N | A strong secret key of HA |
| IDA | Identity of an entity A |
| TA | Timestamp generated by an entity A |
| CertA | Certificate of an entity A |
| (X)_K | Encryption of a message X using a symmetric key K based on AES |
| p, n | Two large prime numbers |
| Fp | A finite field |
| Ep(a, b) | An elliptic curve defined on finite field Fp with prime order n |
| P | A point on elliptic curve Ep(a, b) with order n |
| (PA, SA) | (Public key, private key) pair of an entity A based on ECC |
| E_PA(X) | Encryption of a message X using a public key of A |
| S_SA(X) | Signature on a message X using a private key of A |
| h() | A one-way hash function such as SHA-1 |
| ⊕ | Bitwise exclusive-or operation |
| ‖ | Concatenation |

3.1. Registration phase

The following steps are performed during the registration phase.

(1) MU → HA: IDMU, PWMU ⊕ rn
When an MU wants to register and become a new legal user, MU chooses his or her identity IDMU and password PWMU, and generates a random number rn. Then, MU submits IDMU and PWMU ⊕ rn to the HA for registration via a secure channel.

(2) HA → MU: Smart card
The HA generates a random number e and computes z = h(IDHA ‖ N ‖ e) and r = z ⊕ PWMU ⊕ rn, where N is a strong secret key held by HA. Then, HA issues a smart card to the user MU through a secure channel, which contains (IDHA, e, r, h()).

(3) The MU enters rn into his or her smart card. So, MU’s smart card contains (IDHA, e, r, rn, h()).

Figure 1. Registration phase of the scheme of Yoon et al.

3.2. Authentication phase

When an MU visits a new foreign network, the following steps are performed during the authentication phase.

Figure 2. Authentication phase of the scheme of Yoon et al.

(1) MU → FA: (c1, e, IDHA, TMU)
The MU enters his or her identity IDMU and password PWMU into the card reader, and then the reader extracts z by computing r ⊕ PWMU ⊕ rn. MU gets the current timestamp TMU and generates two random numbers x0 and x. Then, MU computes the temporary key L = h(z ‖ TMU) and the message authentication code MAC = h(IDMU ‖ x0 ‖ x ‖ TMU ‖ L). Finally, MU encrypts IDMU ‖ x0 ‖ x ‖ MAC with the key L using a symmetric cryptosystem, written c1 = (IDMU ‖ x0 ‖ x ‖ MAC)_L, and then sends a login request message (c1, e, IDHA, TMU) to FA.

(2) FA → HA: (c1, e, TMU, CertFA, SigFA, TFA)
After receiving the authentication request from the user MU, FA first checks the timestamp TMU against the current date and time. If the timestamp is valid, FA generates the current timestamp TFA and computes his or her signature SigFA = S_SFA(h(c1 ‖ e ‖ TMU ‖ TFA)), where SFA is FA’s private key. Finally, FA sends the message (c1, e, TMU, CertFA, SigFA, TFA) to HA, where CertFA is FA’s certificate defined in X.509.

(3) HA → FA: (c2, CertHA, SigHA, THA)
After receiving the message from FA, HA checks if the certificate CertFA and timestamp TFA are valid. If they are valid, HA can authenticate FA by verifying FA’s signature using FA’s public key PFA. After FA is authenticated, HA computes z = h(IDHA ‖ N ‖ e) using its identity IDHA, secret key N, and the received random number e. Then, HA computes L = h(z ‖ TMU) and decrypts c1 = (IDMU ‖ x0 ‖ x ‖ MAC)_L using L to obtain IDMU, x0, x, MAC. HA then verifies MU’s identity by checking whether the decrypted MAC is equal to the computed MAC = h(IDMU ‖ x0 ‖ x ‖ TMU ‖ L). If it is, HA computes c2 = E_PFA(h(L) ‖ x0 ‖ x) and generates its timestamp THA and its signature using his or her private key SHA, that is, SigHA = S_SHA(h(c2 ‖ THA)). HA then transmits the message (c2, CertHA, SigHA, THA) to FA.

(4) FA → MU: c3
After receiving the message from HA, FA checks whether the certificate CertHA and timestamp THA are valid. If so, FA can authenticate HA by verifying HA’s signature using HA’s public key PHA. After HA is authenticated, FA issues MU the temporary certificate TCertMU, which includes timestamp and other information. FA decrypts c2 and obtains h(L) ‖ x0 ‖ x. Then, FA computes a session key sk = h(h(L) ‖ x ‖ x0) and encrypts TCertMU ‖ h(x0 ‖ x) using sk, that is, c3 = (TCertMU ‖ h(x0 ‖ x))_sk. Finally, FA transmits c3 to MU.

(5) After receiving the message from FA, MU computes a session key sk = h(h(L) ‖ x ‖ x0) and decrypts c3 using sk to obtain TCertMU and h(x0 ‖ x). MU then computes h(x0 ‖ x) and verifies whether the two values of h(x0 ‖ x) are equal. If they are, MU authenticates FA and can be sure that it is communicating with a legal FA.

3.3. ith roaming phase

When MU visits FA at the ith session, MU sends the following message to FA.

(1) MU → FA: (c, mac)
The MU computes c = (xi ‖ TCertMU ‖ Other Information)_ski to encrypt xi and other information with the ith session key ski = h(h(L) ‖ x ‖ x_{i−1}), where xi is a random number for the next communication. Here, other information contains the new call arrival rate, user mobility pattern, the cell/WLAN capacity, and so on. MU then computes a message authentication value mac = h(xi ‖ TCertMU ‖ Other Information ‖ ski). Finally, MU sends (c, mac) to FA and updates x_{i−1} with xi for the next communication with FA.

(2) MU, FA decrypts c with its computed ith session key ski and checks if the certificate TCertMU and the message authentication value mac are valid. If so, FA updates x_{i−1} with xi for the next communication with MU.

Figure 3. ith roaming phase of the scheme of Yoon et al.

4. WEAKNESSES IN THE SCHEME OF YOON ET AL.

In this section, we show that the scheme of Yoon et al. still has two serious deficiencies. The detailed descriptions of these weaknesses are as follows.

4.1. Unfair key agreement

Mitchell et al. [25] suggested that it was often recommended to use key agreement to prevent one party having any kind of advantage over the other. In other words, a fair key agreement protocol requires that the agreed key contains some contribution from each participant, so that nobody has an unfair advantage in controlling the session key, and this is a practical requirement when designing a key agreement protocol. We find that the scheme of Yoon et al. is not really a fair key agreement scheme. In the authentication phase, MU can always choose the two random numbers x0 and x, such that the common session key computed by FA according to sk = h(h(L) ‖ x ‖ x0) = h(h(z ‖ TMU) ‖ x ‖ x0) is always determined by MU’s pre-determined x0 and x. Therefore, sk does not contain any contribution from FA, and it can unilaterally be determined by MU. The session key update in the ith roaming phase of the scheme of Yoon et al. is also not a fair protocol. In the ith roaming phase, MU and FA agree on updating x_{i−1} with xi to compute the new shared session key sk_{i+1}, where xi is chosen by MU as he or she likes, which implies that the next sk_{i+1} is still exactly as MU prefers.

4.2. Attacks against the user anonymity

Yoon et al. claimed that the encrypted value c1 = (IDMU ‖ x0 ‖ x ‖ MAC)_L is used instead of IDMU to guarantee the user anonymity. Because IDMU is never transmitted as plaintext over wireless communication links, FA or any adversary cannot find the real identification IDMU of MU without knowing the encryption key L = h(z ‖ TMU). In addition, because c1 is randomly generated by using two random numbers x0 and x, there is no relationship between the previous c1 and the current c1 of an MU. Therefore, nobody, including FA, can trace an MU. However, we find that the user anonymity of the scheme of Yoon et al. cannot be protected from the eavesdropping attack in the authentication phase. Using the eavesdropping attack, an attacker can monitor the communication among MU, FA, and HA in the wireless network and discover some usable information about the messages being transmitted over the wireless communication channel. In Step 1 of the authentication phase, when an MU roams to the foreign network and sends the login message (c1, e, IDHA, TMU) to FA in the open air to access service, the content of e and IDHA uniquely corresponds to this user MU, and these two values never change when MU logs in to the FA after he or she has registered with HA. Thus, user anonymity will not be achieved even though the real identity of MU, IDMU, is not revealed, and the FA or an attacker can easily trace the relation between the MU and the HA by comparing (e, IDHA) with all the eavesdropped messages in the wireless network. Actually, in this case, e has become some form of identity related to this user. Similarly, the user anonymity in Step 2 of the authentication phase is not achieved, as in Step 1. The content of e in the authentication message (c1, e, TMU, CertFA, SigFA, TFA) is unchanged when it is transmitted from FA to HA. Thus, the attacker can confirm that there is a connection between the MU and the HA. So, the FA or an attacker can easily trace an MU, and the user anonymity of the scheme of Yoon et al. would be compromised.
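The linkability described in Section 4.2 can be checked with a short simulation of the login request of Yoon et al. and a grouping of observed requests by the cleartext pair (e, IDHA). This Python is an added example, not code from the paper or from Yoon et al.; SHA-256 for h(), the XOR-keystream stand-in for the symmetric cipher, the 32-byte padding, and all names and sample identities are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

def h(*parts):
    """One-way hash over the concatenation of byte strings (SHA-256 here)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(u, v):
    return bytes(i ^ j for i, j in zip(u, v))

def sym(key, data):
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 counter
    keystream, so encryption and decryption are the same operation."""
    stream = b"".join(h(key, bytes([i])) for i in range(len(data) // 32 + 1))
    return xor(data, stream)

ID_HA = b"HA-01"                     # constructed home agent identity
N = secrets.token_bytes(32)          # HA's strong secret key N

def fixed(s):
    """Pad an identity or password to 32 bytes so it can be XORed and parsed."""
    return s.ljust(32, b"\0")

def register(pw):
    """Registration: the card holds (e, r, rn) with r = z XOR PWMU XOR rn."""
    e, rn = secrets.token_bytes(16), secrets.token_bytes(32)
    z = h(ID_HA, N, e)
    return {"e": e, "r": xor(xor(z, fixed(pw)), rn), "rn": rn}

def login_request(card, id_mu, pw, t_mu):
    """Authentication step 1: build (c1, e, IDHA, TMU)."""
    z = xor(xor(card["r"], fixed(pw)), card["rn"])
    L = h(z, t_mu)
    x0, x = secrets.token_bytes(32), secrets.token_bytes(32)
    mac = h(fixed(id_mu), x0, x, t_mu, L)
    c1 = sym(L, fixed(id_mu) + x0 + x + mac)
    return (c1, card["e"], ID_HA, t_mu)

def ha_open(c1, e, t_mu):
    """HA side of step 3: recompute z from e, decrypt c1, check the MAC."""
    L = h(h(ID_HA, N, e), t_mu)
    plain = sym(L, c1)
    id_mu, x0, x, mac = (plain[i:i + 32] for i in range(0, 128, 32))
    ok = hmac.compare_digest(mac, h(id_mu, x0, x, t_mu, L))
    return id_mu.rstrip(b"\0") if ok else None

def link_sessions(captured):
    """Passive observer's view: group login requests by (e, IDHA).
    No key is needed because both fields are sent in the clear."""
    groups = defaultdict(list)
    for _c1, e, id_ha, t_mu in captured:
        groups[(e, id_ha)].append(t_mu)
    return dict(groups)
```

Every c1 differs between logins, yet each group returned by `link_sessions` is the full login history of one card, which is the tracing the section describes.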


5. OUR PROPOSED PROTOCOL

In this section, we propose a novel user authentication scheme with anonymity for wireless communications. The security of our proposed scheme is based on the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve computational Diffie–Hellman problem (ECDHP), so we first give an introduction to ECC [24]. Compared with other public key cryptosystems (PKCs), ECC offers a better performance because it can achieve the same security level with a smaller key size. For example, 160-bit ECC and 1024-bit RSA have the same security level in practice [24]. Thus, ECC-based authentication schemes are more suitable for smart cards and mobile devices than PKC-based ones. In ECC, the elliptic curve equation is defined in the form Ep(a, b): y² = x³ + ax + b (mod p) over a prime finite field Fp, where a, b ∈ Fp, p > 3, and 4a³ + 27b² ≠ 0 (mod p). Given an integer s ∈ Fp and a point P ∈ Ep(a, b), the point multiplication sP over Ep(a, b) can be defined as sP = P + P + ⋯ + P (s times). More detailed information about ECC can be found in [24]. Generally, the security of ECC relies on the difficulty of the following problems.

Definition 1. (ECDLP): Given two points P and Q over Ep(a, b), the ECDLP is to find an integer s ∈ Fp such that Q = sP.

Definition 2. (ECDHP): Given three points P, sP, and tP over Ep(a, b) for s, t ∈ Fp, the elliptic curve Diffie–Hellman problem (ECDHP) is to find the point stP over Ep(a, b).

The notations and assumptions of the proposed scheme are the same as those in the scheme of Yoon et al. During the initialization process, HA chooses an elliptic curve equation Ep(a, b) and a base point P with the order n over Ep(a, b), and publishes the parameters (Ep(a, b), n, P). Then, the FA and the HA choose a random number SFA ∈ Zn and SHA ∈ Zn as his or her private key, and compute the corresponding public key PFA = SFA·P and PHA = SHA·P, respectively. Afterwards, each FA’s certificate CertFA and the HA’s certificate CertHA should be published. For security consideration, they should be certified by a trusted authority. The proposed scheme also contains three phases, that is, the registration phase, the authentication phase, and the ith roaming phase. We show each phase of the proposed scheme in the following subsections.

5.1. Registration phase

Figure 4 shows the registration phase of the proposed scheme, and the details of this phase are as follows:

(1) MU → HA: IDMU, h(rn ‖ PWMU)
When an MU wants to register and become a new legal user, MU chooses his or her identity IDMU and password PWMU, and generates a random number rn. Then, MU computes the masked password h(rn ‖ PWMU), and submits IDMU, h(rn ‖ PWMU) to the HA for registration via a secure channel.

(2) HA → MU: Smart card
HA chooses his or her strong secret key x ∈ Zn, and computes X = xP, u = h(IDMU ‖ x) ⊕ h(rn ‖ PWMU). Then, HA stores (IDHA, X, u, h()) into the smart card and submits it to the user through a secure channel.

(3) MU enters rn into his or her smart card. At last, MU’s smart card contains the parameters (IDHA, X, u, rn, h()).

Figure 4. Registration phase of the proposed scheme.

5.2. Authentication phase

When a user MU visits a new foreign network FA, the following steps are performed during the authentication phase. The details of the steps are also shown in Figure 5.

Figure 5. Authentication phase of the proposed scheme.

(1) MU → FA: (A, SID, C1, TMU, IDHA)
The MU enters his or her identity IDMU and password PWMU into the mobile device. The smart card generates a random number a ∈ Zn and gets the current timestamp TMU; then, the smart card computes A = aP, D = aX = axP, SID = IDMU ⊕ h(D ‖ TMU), E = u ⊕ h(rn ‖ PWMU), and C1 = h(E ‖ D). Finally, MU sends a login request message (A, SID, C1, TMU, IDHA) to FA.

(2) FA → HA: (A, SID, C1, TMU, B, CertFA, SigFA, TFA)
After receiving the login request from the user MU, FA first checks the timestamp TMU against the current date and time. If the timestamp is valid, FA generates a random number b ∈ Zn and gets the current timestamp TFA; then, FA computes B = bP and its signature SigFA = S_SFA(h(A ‖ SID ‖ C1 ‖ TMU ‖ B ‖ TFA)), where SFA is FA’s private key. Finally, FA sends the message (A, SID, C1, TMU, B, CertFA, SigFA, TFA) to HA, where CertFA is FA’s certificate.

(3) HA → FA: (C2, CertHA, SigHA, THA)
After receiving the message from FA, HA checks whether the certificate CertFA and timestamp TFA are valid. If so, HA can authenticate FA by verifying FA’s signature using FA’s public key PFA. If the FA’s signature is valid, HA computes D′ = xA = xaP, IDMU = SID ⊕ h(D′ ‖ TMU) and checks whether IDMU is a legal identity. If so, HA computes E′ = h(IDMU ‖ x) and C1 = h(E′ ‖ D′), and compares the computed C1 with the received C1. If they are equal, the identity of MU is authenticated by HA. After the identity of FA and HA are verified, HA gets the current timestamp THA, and computes C2 = h(E′ ‖ B), SigHA = S_SHA(h(C2 ‖ THA)), and then HA submits the message (C2, CertHA, SigHA, THA) to FA.

(4) FA → MU: (C3, B)
After receiving the message from HA, FA checks whether the certificate CertHA and timestamp THA are valid. If so, FA can authenticate HA by verifying HA’s signature using HA’s public key PHA. Then, FA generates a temporary certificate TCertMU for MU, which includes timestamp and other information. FA computes the shared session key sk = h(bA) = h(abP) and C3 = (TCertMU ‖ B ‖ C2)_sk. Finally, FA transmits the message (C3, B) to MU.

(5) After receiving the message (C3, B) from FA, MU computes a session key sk = h(aB) = h(abP) and gets TCertMU, B, and C2 by using sk to decrypt C3. MU then computes C2 = h(E ‖ B) and checks whether the computed C2 is equal to the received C2. If it is, HA authenticates FA and HA.
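The value computations of the registration and authentication phases above can be run end to end as follows. This is an added example, not the authors' code: it assumes secp256k1 as the curve and SHA-256 as h(), and it leaves out the certificates, the FA and HA signatures, the timestamp checks and the symmetric encryption of C3, so C2 reaches MU unencrypted here. All function and variable names are hypothetical, and identities are byte strings of at most 32 bytes.

```python
import hashlib
import hmac
import secrets

# Assumption: secp256k1 (a = 0, b = 7) stands in for the paper's generic
# curve Ep(a, b) with base point P of prime order n.
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(Q, R):
    """Affine point addition; None is the point at infinity."""
    if Q is None or R is None:
        return R if Q is None else Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if Q == R:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p       # tangent, a = 0
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p  # chord
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(s, Q):
    """Double-and-add scalar multiplication sQ (not constant time)."""
    R = None
    while s:
        if s & 1:
            R = add(R, Q)
        Q, s = add(Q, Q), s >> 1
    return R

def enc(v):
    """Fixed-width encoding of points and integers; bytes pass through."""
    if isinstance(v, tuple):
        return v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
    return v.to_bytes(32, "big") if isinstance(v, int) else v

def h(*parts):
    """h(x1 || x2 || ...), instantiated with SHA-256 (an assumption)."""
    return hashlib.sha256(b"".join(enc(v) for v in parts)).digest()

def xor(u, v):
    return bytes(i ^ j for i, j in zip(u, v))

def rand_scalar():
    return secrets.randbelow(n - 1) + 1

class HomeAgent:
    def __init__(self):
        self.x = rand_scalar()          # master secret x
        self.X = mul(self.x, P)         # X = xP, stored on every smart card
        self.users = set()

    def register(self, id_mu, masked_pw):
        """Registration step 2: u = h(IDMU || x) XOR h(rn || PWMU)."""
        self.users.add(id_mu)
        return xor(h(id_mu, self.x), masked_pw)

    def verify(self, A, SID, C1, T_mu, B):
        """Authentication step 3 without the signature check: C2 or None."""
        D = mul(self.x, A)                       # D' = xA = xaP
        id_mu = xor(SID, h(D, T_mu))             # IDMU = SID XOR h(D' || TMU)
        if id_mu not in self.users:
            return None
        E = h(id_mu, self.x)                     # E' = h(IDMU || x)
        if not hmac.compare_digest(h(E, D), C1):
            return None
        return h(E, B)                           # C2 = h(E' || B)

def new_card(ha, id_mu, pw):
    """Registration steps 1 and 3: the card ends up holding (X, u, rn)."""
    rn = secrets.randbits(128)
    return {"X": ha.X, "u": ha.register(id_mu, h(rn, pw)), "rn": rn}

def authenticate(ha, card, id_mu, pw, T_mu):
    """One run of the authentication phase; None if any check fails."""
    a = rand_scalar()                            # step 1, MU
    A, D = mul(a, P), mul(a, card["X"])
    SID = xor(id_mu, h(D, T_mu))
    E = xor(card["u"], h(card["rn"], pw))
    C1 = h(E, D)
    b = rand_scalar()                            # step 2, FA
    B = mul(b, P)
    C2 = ha.verify(A, SID, C1, T_mu, B)          # step 3, HA
    if C2 is None:
        return None
    sk_fa = h(mul(b, A))                         # step 4, FA: sk = h(bA)
    sk_mu = h(mul(a, B))                         # step 5, MU: sk = h(aB)
    if not hmac.compare_digest(h(E, B), C2):
        return None
    return {"login": (A, SID, C1), "sk_mu": sk_mu, "sk_fa": sk_fa}
```

Two runs for the same card give different A, SID and C1 and different session keys, while a wrong password fails at HA's C1 comparison.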

5.3. ith roaming phase

When MU visits the same FA at the ith session, MU and FA can update their session key ski (i = 2, . . ., n) as follows. The procedures of this phase are depicted in Figure 6.

(1) MU → FA: Ai
The MU selects a new random number ai ∈ Zn and computes Ai = aiP (i = 2, . . ., n). Then, MU sends Ai to FA.

(2) FA → MU: (Bi, Vi)
The FA selects a new random number bi ∈ Zn and computes Bi = biP (i = 2, . . ., n). FA generates a new session key ski = h(biAi) = h(aibiP), and then computes Vi = h(biAi ‖ b_{i−1}A_{i−1}) = h(aibiP ‖ a_{i−1}b_{i−1}P). At last, FA submits (Bi, Vi) to MU.

(3) Upon receiving (Bi, Vi), MU computes Vi = h(aiBi ‖ a_{i−1}B_{i−1}) = h(aibiP ‖ a_{i−1}b_{i−1}P), and checks whether the computed Vi is equal to the received Vi. If they are equal, MU computes the session key ski = h(aiBi) = h(aibiP) and updates sk_{i−1} with the new session key ski for future use.

Figure 6. ith roaming phase of the proposed scheme.

6. SCHEME ANALYSIS

In this section, we discuss the security features of the proposed user authentication scheme with anonymity for wireless communications. Then, we evaluate the functionalities and performance of our proposed scheme and make comparisons with some related user authentication schemes with anonymity.

6.1. Mutual authentication and fair key agreement

Proposition. Our proposed scheme not only can provide mutual authentication, but also can provide a fair key agreement.

Proof. Let MU ←sk→ FA denote the established session key sk shared between MU and FA. Hence, the mutual authentication is achieved between MU and FA if there exists a session key sk; then, MU would believe MU ←sk→ FA, and FA would believe MU ←sk→ FA. At last, the goal of a strong mutual authentication should satisfy the following statements:

(a) MU believes that FA believes MU ←sk→ FA.
(b) FA believes that MU believes MU ←sk→ FA.

In Step 4 of the authentication phase, FA computes the shared session key sk = h(bA) = h(abP) and sends a response (C3 = (TCertMU ‖ B ‖ C2)_sk, B) to MU. Because b is chosen by FA, FA believes that MU believes MU ←sk→ FA. After MU has received the response message from FA, MU uses B to compute sk = h(aB) to decrypt C3 = (TCertMU ‖ B ‖ C2)_sk; MU then computes C2 = h(E ‖ B) and checks whether the computed C2 is equal to the received C2. If the aforementioned holds, MU believes MU ←sk→ FA. Because a is chosen by MU, MU believes that FA believes MU ←sk→ FA. Finally, when statements (a) and (b) are satisfied, we can say that our proposed scheme can provide mutual authentication. Besides, at the end of the authentication phase, MU and FA can agree on a shared session key sk = h(abP), which contains MU’s contribution aP and FA’s contribution bP, and no one can determine the shared session key alone. So, besides the mutual authentication, our proposed scheme can provide a fair key agreement.

Besides the formal analysis, we discuss how our scheme can achieve the mutual authentication among MU, HA, and FA as follows:

(1) Mutual authentication between MU and HA: In Step 3 of the authentication phase, HA can authenticate MU by checking the identity IDMU and comparing the computed C1 with the received C1. On the other hand, MU can authenticate HA in Step 5 of the authentication phase by checking whether h(E ‖ B) is equal to the received C2. So the mutual authentication between MU and HA can be achieved.

(2) Mutual authentication between FA and HA: The mutual authentication between FA and HA can be achieved in Steps 3 and 4 of the authentication phase. HA can authenticate FA by verifying whether SigFA = S_SFA(h(A ‖ SID ‖ C1 ‖ TMU ‖ B ‖ TFA)) is FA’s valid signature using FA’s public key PFA. FA also can authenticate HA by verifying whether SigHA = S_SHA(h(C2 ‖ THA)) is HA’s valid signature using HA’s public key PHA.

(3) Mutual authentication between MU and FA: If FA communicated with an illegal user, Step 3 of the authentication phase will fail, and MU can authenticate FA by decrypting C3 and checking whether h(E ‖ B) is equal to the received C2.

6.2. User anonymity

As shown in Section 3, during the authentication phase of the scheme of Yoon et al., the FA or an attacker can trace an MU by comparing (e, IDHA) with all the collected messages in the wireless network, and the user anonymity property of the scheme of Yoon et al. may be compromised. But in our proposed scheme, the FA or an attacker cannot trace an MU by the same method. The MU first submits (A, SID, C1, TMU, IDHA) to FA to access the service, where A is computed from a random number a, which is different for each login. Besides, because the random number a and the timestamp TMU differ for each session, the messages SID and C1 are also different for each login. So even if the FA or an attacker can get IDHA, he or she does not know who logs in to the FA and cannot trace the communications among MU, FA, and HA. Similarly, because the messages A, SID, C1, TMU, B, SigFA, and TFA are different for each session when FA submits the message (A, SID, C1, TMU, B, CertFA, SigFA, TFA) to HA, the attacker has no way to discover the complete connection from the FA to the HA. From the aforementioned analysis, we can see that our proposed scheme can protect user anonymity perfectly.

6.3. Security of session key

(1) Perfect forward secrecy
Perfect forward secrecy means that if long-term private keys of one or more entities are compromised, the secrecy of previous session keys established by honest entities is not affected. In our proposed scheme, the session key sk = h(abP) depends on the random numbers a and b, and is not associated with the system master key x at all. So, even if the master secret key x is leaked, the established session key will not be affected, and our scheme can ensure perfect forward secrecy.

(2) Known-key security
Known-key security means that the compromise of one session key does not reveal other session keys. In our proposed scheme, knowing a session key sk = h(abP) and the random point elements a and b is useless for computing the other session keys sk′ = h(a′b′P), since without knowing a′ and b′, it is impossible to compute the session key sk′. Therefore, the proposed scheme provides known-key security.

Table II. Functionality comparisons.

| | Our scheme | Yoon et al. [21] | Wu et al. [17] |
| --- | --- | --- | --- |
| User anonymity | Yes | No | No |
| Fairness in key agreement | Yes | No | No |
| No verification table | Yes | Yes | Yes |
| Free password choose | Yes | Yes | No |
| Mutual authentication | Yes | Yes | Yes |
| Session key establishment | Yes | Yes | Yes |
| Perfect forward secrecy | Yes | No | No |

Table III. Efficiency comparisons in authentication phase.

| | Our scheme | Yoon et al. [21] | Wu et al. [17] |
| --- | --- | --- | --- |
| MU | 4Hash+1Sym+3Ecc | 4Hash+2Sym | 2Hash+2Sym |
| FA | 2Hash+1Sym+2Asym+2Ecc | 2Hash+1Sym+3Asym | 3Hash+1Sym+3Asym |
| HA | 4Hash+2Asym+1Ecc | 5Hash+1Sym+3Asym | 6Hash+1Sym+3Asym |
| Total | 10Hash+2Sym+4Asym+6Ecc | 11Hash+4Sym+6Asym | 11Hash+4Sym+6Asym |
| Round | 4 | 4 | 4 |

6.4. Resist impersonation attack and offline password guessing attack

The proposed scheme resists impersonation by replay of the login and authentication messages because the timestamps $T_{MU}$, $T_{FA}$, and $T_{HA}$ are employed. Besides, in order to impersonate a legal MU, the attacker must know the identity $ID_{MU}$ and the password $PW_{MU}$ at the same time. Even if the attacker gets MU’s smart card and further extracts the value $u = h(ID_{MU} \| x) \oplus h(rn \| PW_{MU})$, which is stored in the smart card, he or she still cannot get $ID_{MU}$ and $PW_{MU}$, because both are protected by the one-way hash function and the master secret key $x$. The proposed scheme therefore also resists the offline password guessing attack. Without knowing the private key $S_{FA}$ of FA, the attacker cannot impersonate a valid FA. Similarly, without knowing the private key $S_{HA}$ and the master secret key $x$ of HA, the attacker cannot impersonate a legal HA.

6.5. Functionality and performance analysis

We compare the functionality of the proposed scheme with other related schemes in the authentication phase because it is the most important phase, and the results are shown in Table II. In the scheme of Wu et al., the user’s password is generated by the HA, and the user must interact with the HA when he or she wants to change the password. In addition, in the schemes of Yoon et al. and Wu et al., the properties of user anonymity and fairness in key agreement are also not achieved. From Table II, we can see that the proposed scheme is more secure than the other related schemes.

We now compare the efficiency of the proposed scheme with that of the other related schemes in the authentication phase. We define the following notations for convenience of analysis:

Hash: the operation of the one-way hash functions such as SHA-1 [26].
Sym: the operation of symmetric encryption/decryption such as AES [27].
Asym: the encryption/decryption operation or the signature generation/signature verification operation using an asymmetric cryptosystem such as ECC [24] or RSA [28].
Ecc: the ECC multiplication operation.

Table III shows the results of the efficiency comparison of the proposed scheme and the previous schemes in the authentication phase. In order to provide user anonymity, fairness in key agreement, and perfect forward secrecy, the proposed scheme needs six ECC multiplication operations, but compared with the other two schemes, our scheme needs fewer asymmetric cryptosystem operations. Our proposed scheme remains efficient and is more secure than the other related schemes.
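The offline-guessing argument of Section 6.4, looked at from the card contents alone, as an added example that is not code from the paper. It assumes SHA-256 for h, assumes rn can be read from the card together with u, and uses constructed identities, keys and passwords; the card that stores a plain verifier h(rn || PW) is a hypothetical contrast, not one of the schemes compared here.

```python
import hashlib
import hmac

def h(*parts: bytes) -> bytes:
    """The paper's h(a || b); SHA-256 is an assumption of this example."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def card_value(identity, x, rn, password):
    """u = h(ID_MU || x) XOR h(rn || PW_MU), the value stored in the smart card."""
    return xor(h(identity, x), h(rn, password))

def implied_masks(u, rn, candidates):
    """Card-only view: each guess pw implies a mask u XOR h(rn || pw).
    Nothing on the card says which mask is the real h(ID_MU || x)."""
    return {pw: xor(u, h(rn, pw)) for pw in candidates}

def confirm_with_master_key(masks, identity, x):
    """Only a party holding x (the HA) can test a mask against h(ID_MU || x)."""
    expected = h(identity, x)
    return [pw for pw, m in masks.items() if hmac.compare_digest(m, expected)]

def confirm_with_plain_verifier(v, rn, candidates):
    """Hypothetical weak card storing v = h(rn || PW): guesses verify offline."""
    return [pw for pw in candidates if hmac.compare_digest(h(rn, pw), v)]

# Constructed sample values (not from the paper).
ID_MU = b"alice@home-agent.example"
X = bytes.fromhex("5f" * 32)      # HA master secret key x
RN = bytes.fromhex("a1" * 16)     # random number, assumed stored on the card
PW_MU = b"tulip-42"
CANDIDATES = [b"123456", b"password", b"tulip-42", b"qwerty"]

U = card_value(ID_MU, X, RN, PW_MU)   # what the proposed scheme stores
V = h(RN, PW_MU)                      # what the weak contrast card stores

if __name__ == "__main__":
    masks = implied_masks(U, RN, CANDIDATES)
    print("card only:", len(set(masks.values())), "distinct masks, none testable")
    print("with x   :", confirm_with_master_key(masks, ID_MU, X))
    print("weak card:", confirm_with_plain_verifier(V, RN, CANDIDATES))
```

Every guess reproduces u with its own mask, so the card gives no stopping condition for a dictionary run; the same dictionary against the plain-verifier card singles out the password immediately.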

7. CONCLUSIONS AND FUTURE WORKS

Recently, Yoon et al. proposed a user-friendly authentication scheme with anonymity for wireless communications. However, in this paper, we have shown certain flaws in the scheme of Yoon et al. In order to ensure security in wireless network communication environments, we proposed a novel user authentication scheme with user anonymity using ECDLP and ECDHP. Analysis shows that our proposed scheme is effective in protecting user anonymity and achieves fairness of the session key agreement. At the same time, our proposed scheme is still efficient in computation for seamless accessing and roaming over wireless networks.

In the future, we would like to establish a security model for user authentication protocols in wireless communications, and design more secure and effective user authentication protocols with anonymity under this security model. At the same time, we will investigate how to protect user’s privacy under the wireless environment. Further, we will consider how to design the authentication and key management protocol for heterogeneous networks, such as the 3G-WLAN integrated networks.

ACKNOWLEDGEMENTS

This work was supported by the research fund of the State Key Laboratory of Software Development Environment under grant no. BUAA SKLSDE-2010ZX-13, the National Natural Science Foundation of China under grant nos. 60873241 and 61170296, the Fund of Aeronautics Science under grant no. 20091951020, and the Program for New Century Excellent Talents in University under grant no. 291184.


REFERENCES

1. Wang SJ, Tsai YR, Shen CC, Chen PY. Hierarchical key derivation scheme for group-oriented communication systems. International Journal of Information Technology, Communications and Convergence 2010; 1(1): 66–76.
2. Doh IS, Lim JY, Chae KJ. Distributed authentication mechanism for secure channel establishment in ubiquitous medical sensor networks. Mobile Information Systems 2011; 7(3): 189–200.
3. Ponomarchuk Y, Seo DW. Intrusion detection based on traffic analysis and fuzzy inference system in wireless sensor networks. Journal of Convergence 2010; 1(1): 35–42.
4. Sarkar P, Saha A. Security enhanced communication in wireless sensor networks using Reed–Muller codes and partially balanced incomplete block designs. Journal of Convergence Seoul 2011; 2(1): 23–30.
5. Chen CL. Design of a secure RFID authentication scheme preceding market transactions. Mobile Information Systems 2011; 7(3): 201–216.
6. Konidala DM, Kim KJ, Kim DY, Yeun CY, Lee BC, Kim S. Security framework for RFID-based applications in smart home environment. Journal of Information Processing Systems 2011; 7(1): 111–120.
7. Kim HJ, Chitti RB, Song JS. Handling malicious flooding attacks through enhancement of packet processing technique in mobile ad hoc networks. Journal of Information Processing Systems 2011; 7(1): 137–150.
8. Li CT, Hwang MS. An efficient biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications 2010; 33(1): 1–5.
9. Li X, Niu JW, Ma J, Wang WD, Liu CL. Cryptanalysis and improvement of a biometric-based remote authentication scheme using smart cards. Journal of Network and Computer Applications 2011; 34(1): 73–79.
10. Li X, Xiong YP, Ma J, Wang WD. An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. Journal of Network and Computer Applications 2012; 35(2): 763–769.
11. Sood SK, Sarje AK, Singh K. A secure dynamic identity based authentication protocol for multi-server architecture. Journal of Network and Computer Applications 2011; 34(2): 609–618.
12. Xie B, Kumar A, Zhao D, Reddy R, He B. On secure communication in integrated heterogeneous wireless networks. International Journal of Information Technology, Communications and Convergence 2010; 1(1): 4–23.
13. Chang CC, Lee CY, Chiu YC. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Computer Communications 2009; 32(4): 611–618.
14. He DJ, Ma MD, Zhang Y, Chen C, Bu JJ. A strong user authentication scheme with smart cards for wireless communications. Computer Communications 2011; 34(3): 367–374.
15. Lee CC, Hwang MS, Liao IE. Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Transactions on Industrial Electronics 2006; 53(5): 1683–1687.
16. Li CT, Lee CC. A novel user authentication and privacy preserving scheme with smart cards for wireless communications. Mathematical and Computer Modelling 2012; 55(1–2): 35–44.
17. Wu CC, Lee WB, Tsaur WJ. A secure authentication scheme with anonymity for wireless communications. IEEE Communications Letters 2008; 12(10): 722–723.
18. Wu SH, Zhu YF, Pu Q. A novel lightweight authentication scheme with anonymity for roaming service in global mobility networks. International Journal of Network Management 2011; 21(5): 384–401.
19. Xu J, Feng DG. Security flaws in authentication protocols with anonymity for wireless communications. ETRI Journal 2009; 31(4): 460–462.
20. Xu J, Zhu WT, Feng DG. An efficient mutual authentication and key agreement protocol preserving user’s anonymity in mobile networks. Computer Communications 2011; 34(3): 319–325.
21. Yoon EJ, Yoo KY, Ha KS. A user friendly authentication scheme with anonymity for wireless communications. Computers and Electrical Engineering 2011; 37(3): 356–364.
22. Zeng P, Cao ZF, Choo KR, Wang SB. On the anonymity of some authentication schemes for wireless communications. IEEE Communications Letters 2009; 13(3): 170–171.
23. Zhu JM, Ma JF. A new authentication scheme with anonymity for wireless environments. IEEE Transactions on Consumer Electronics 2004; 50(1): 230–234.
24. Hankerson D, Menezes A, Vanstone S. Guide to Elliptic Curve Cryptography. LNCS, Springer: New York, 2004.
25. Mitchell CJ, Ward M, Wilson M. Key control in key agreement protocols. Electronics Letters 1998; 34(10): 980–981.
26. Eastlake D, Jones P. US Secure Hash Algorithm 1 (SHA1). Internet RFC 3174, September 2001.
27. Daemen J, Rijmen V. The Design of Rijndael: AES—the Advanced Encryption Standard. Springer Verlag: Berlin, 2002.
28. Buchmann J. Introduction to Cryptography (2nd edn). Springer: New York, 2004.
