SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2016; 9:4192–4209 Published online 14 August 2016 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1598

RESEARCH ARTICLE

A secure lightweight authentication scheme with user anonymity for roaming service in ubiquitous networks

Marimuthu Karuppiah1*, Saru Kumari2, Ashok Kumar Das3, Xiong Li4, Fan Wu5 and Sayantani Basu1

1 School of Computing Science and Engineering, VIT University, Vellore 632 014, Tamilnadu, India
2 Department of Mathematics, Chaudhary Charan Singh University, Meerut 250 005, Uttar Pradesh, India
3 Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India
4 School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411 201, China
5 Department of Computer Science and Engineering, Xiamen Institute of Technology, Xiamen 361021, China

ABSTRACT

Ubiquitous networks provide effective roaming services for mobile users (MUs). Through the worldwide roaming technology, authorized MUs can avail ubiquitous network services. Important security issues to be considered in ubiquitous networks are authentication of roaming MUs and protection of privacy of MUs. However, because of the broadcast nature of the wireless channel and resource limitations of terminals, providing efficient user authentication with privacy preservation is a challenging task. Very recently, Farash et al. proposed an authentication scheme with anonymity for consumer roaming in ubiquitous networks and claimed their scheme achieves all security requirements. In this paper, we show that the scheme of Farash et al. fails to achieve user anonymity and mutual authentication. Their scheme also fails to provide local password verification, and it has a faulty password change phase. Moreover, their scheme is vulnerable to replay, offline password guessing, and forgery attacks. To fix the security flaws of the scheme of Farash et al., we present an improved authentication scheme for accessing roaming service provided by ubiquitous networks. We then formally verify the security properties of our scheme by the widely-accepted push-button tool called Automated Validation of Internet Security Protocols and Applications. Security and performance analyses show that our scheme is more powerful, efficient, and secure when it is compared with existing schemes. Copyright © 2016 John Wiley & Sons, Ltd.

KEYWORDS

authentication; ubiquitous networks; user anonymity; AVISPA; security

*Correspondence

Marimuthu Karuppiah, School of Computing Science and Engineering, VIT University, Vellore 632 014, Tamilnadu, India. E-mail: [email protected]

1. INTRODUCTION

Ubiquitous networks (as shown in Figure 1) allow a mobile user (MU) to use the services provided by his/her home agent (HA) in a foreign network. A mobile user roaming into a foreign network must first be mutually authenticated to thwart illegal users and to ensure the connection of MU to trusted networks [1]. In general, the following security requirements are needed for a strong user authentication scheme in a ubiquitous network [2,3]:

(a) achievement of user anonymity and untraceability, mutual authentication, session key agreement, and forward secrecy;
(b) resistance to replay attack, offline password guessing attack, forgery attack, stolen verifier attack, modification attack, insider attack, man-in-the-middle attack, known-key attack, and session key disclosure attack;
(c) user friendliness: MUs should be able to use the authentication scheme easily. Moreover, a legitimate MU has the freedom of updating his/her password;
(d) local password verification: during the execution of the login and authentication phases, if an incorrect password is entered by the MU, unwanted excessive communication and computational overheads occur. This should be avoided by verifying the password locally at the MU end.

Several authentication schemes that are proposed to provide roaming services in ubiquitous networks and that have attempted to achieve these security requirements are discussed in the succeeding text.

M. Karuppiah et al.

Authentication for roaming service in ubiquitous networks

Figure 1. Authentication process for preserving privacy of MU in ubiquitous networks for accessing roaming service.

In 2004, Zhu et al. [4] proposed the first anonymous authentication scheme for roaming service in ubiquitous networks. However, Lee et al. [5] exposed some security weaknesses and proposed an enhanced scheme. Later, Chang et al. [6] and Wu et al. [7] individually found that the schemes of both Zhu et al. and Lee et al. fail to offer user anonymity under the forgery attack and presented schemes with better security. However, Youn et al. [8] revealed that the schemes of both Wu et al. and Chang et al. cannot achieve user anonymity. Furthermore, Mun et al. [9] showed that the scheme of Wu et al. fails to provide perfect forward secrecy and proposed an alternative scheme. Nonetheless, Kim et al. [10] proved that the scheme of Mun et al. is susceptible to replay and man-in-the-middle attacks and put forth an enhanced scheme. He et al. [11] presented a novel authentication scheme, but Jiang et al. [12] pointed out that their scheme is exposed to the offline password guessing attack and provided a solution to overcome its flaws. However, Wen et al. [13] demonstrated that the scheme of Jiang et al. is prone to replay, stolen verifier, and denial of service attacks and suggested an enhanced scheme. Later, Shin et al. [14] came up with a novel authentication scheme and claimed that their scheme attained all the security requirements. Later, some other anonymous authentication schemes [2,3,15–28] in ubiquitous networks for accessing roaming services were proposed. However, all these schemes are insecure against known attacks [29].

1.1. Motivation and contributions

In 2015, Farash et al. [29] showed that there are several security flaws in the scheme of Shin et al. [14], which are listed as follows: (i) absence of user anonymity, and (ii) vulnerability to forgery and session key disclosure attacks. Moreover, they have also shown that the scheme of Wen et al. [13] is vulnerable to session key disclosure attack and known session key attack. To overcome the security weaknesses, Farash et al. proposed an improved scheme with anonymity for consumer roaming in ubiquitous networks. In this paper, we first show that the scheme of Farash et al. [29] has several security flaws. We show that it cannot attain user anonymity and mutual authentication. It also does not provide local password verification and has a faulty password change phase. Moreover, it is vulnerable to replay attack, offline password guessing attack, and forgery attack. Secondly, in order to fix the security flaws of the scheme of Farash et al., we present an improved authentication scheme for roaming service in ubiquitous networks, which is able to prevent various attacks.

1.2. Organization of the paper

The rest of the paper is organized as follows. Section 2 gives a review of the scheme of Farash et al. Section 3 describes the weaknesses of the scheme of Farash et al. The improved scheme and its corresponding scheme analysis are presented in Sections 4–6, respectively. The performance analysis and security requirement comparisons are discussed in Section 7. Lastly, we present our conclusions in Section 8.

2. REVIEW OF THE SCHEME OF FARASH ET AL.

In this section, we review the scheme of Farash et al. [29], which comprises three phases: registration phase, login and

authentication phases, and password change phase. These phases are explained in the succeeding text.

2.1. Notations

The notations listed in Table I are used for describing and analyzing the scheme of Farash et al. [29] as well as our proposed scheme.

Table I. Notations.

Notation                      Description
$MU$                          Mobile user
$FA$                          Foreign agent
$HA$                          Home agent
$PW_{mu}$                     Password of MU
$ID_{mu}, ID_{fa}, ID_{ha}$   Identities of MU, FA and HA, respectively
$p, q, e$                     Large prime numbers
$K_h$                         HA's secret key
$E_k(X)/D_k(X)$               Encryption/decryption of $X$ using a key $k$
$SK_X$                        Session key between FA and MU
$K_{fh}$                      Pre-shared secret key between FA and HA
$N_{mu}, N_{fa}$              Random numbers generated by MU and FA, respectively
$h(\cdot)$                    One-way hash function
$T_A$                         Timestamp of an entity $A$
$\Delta T_i$                  Predefined valid time interval for the transmission delay
$\|$                          Concatenation
$\odot$                       Bitwise NOR operation
$\oplus$                      Bitwise XOR operation

2.2. Registration phase

An MU needs to register in the HA before accessing services offered by HA through the ubiquitous network system. The detailed steps of this phase are enumerated as follows.

(1) An MU freely chooses his or her password $PW_{mu}$, identity $ID_{mu}$, and a random number $r$ and then sends $\{h(PW_{mu} \| r), ID_{mu}\}$ to HA via a secure communication channel.

(2) When $\{h(PW_{mu} \| r), ID_{mu}\}$ is received, HA calculates

$A_{mu} = h(K_h) \oplus h(ID_{mu}),$ (1)

$B_{mu} = h(K_h \| ID_{mu}) \oplus h(PW_{mu} \| r),$ (2)

where $K_h$ is the HA's secret key. Lastly, HA sends $\{A_{mu}, B_{mu}, h(\cdot)\}$ to MU via a secure communication channel.

(3) MU stores the received security parameters $\{A_{mu}, B_{mu}, h(\cdot)\}$ and $r$ into the smart card of his or her mobile device.

2.3. Login and authentication phase

Suppose MU wants to access services provided by FA through the ubiquitous network system. For this purpose, MU must be authenticated by FA with the help of the corresponding HA, where MU is registered. The detailed steps of login and authentication are as follows.

(1) $MU \rightarrow FA: M_1 = \{V_2, V_3, V_5\}$. MU enters his or her password $PW_{mu}$ and identity $ID_{mu}$. Then, the mobile device chooses a random nonce $N_{mu}$ and calculates

$V_1 = A_{mu} \oplus h(ID_{mu}),$ (3)

$V_2 = V_1 \oplus N_{mu},$ (4)

$V_3 = h(V_1 \| N_{mu}) \oplus ID_{mu},$ (5)

$V_4 = B_{mu} \oplus h(PW_{mu} \| r),$ (6)

$V_5 = h(V_2 \| V_3 \| V_4).$ (7)

MU sends $M_1 = \{V_2, V_3, V_5\}$ to FA.

(2) $FA \rightarrow HA: M_2 = \{ID_{fa}, E_{K_{fh}}(M_1, N_{fa})\}$. When $M_1$ is received, FA selects a random nonce $N_{fa}$, calculates $E_{K_{fh}}(M_1, N_{fa})$, and sends $M_2 = \{ID_{fa}, E_{K_{fh}}(M_1, N_{fa})\}$ to HA.

(3) $HA \rightarrow FA: M_3 = \{E_{K_{fh}}(SK_{fa})\}$. When $M_2$ is received, HA checks $ID_{fa}$ and obtains $K_{fh}$ corresponding to $ID_{fa}$. Then, HA calculates $D_{K_{fh}}(E_{K_{fh}}(M_1, N_{fa}))$ to find $M_1 = \{V_2, V_3, V_5\}$ and $N_{fa}$. Next, HA calculates

$N^*_{mu} = V_2 \oplus h(K_h),$ (8)

$ID^*_{mu} = V_3 \oplus h(h(K_h) \| N^*_{mu}),$ (9)

$V^*_4 = h(K_h \| ID^*_{mu}),$ (10)

$V^*_5 = h(V_2 \| V_3 \| V^*_4).$ (11)

HA then verifies $V^*_5 \stackrel{?}{=} V_5$. If the verification is false, HA rejects $M_2$. Otherwise, HA authenticates MU. Then, HA finds the session key as

$SK_{fa} = h(V^*_4 \| N^*_{mu} \| N_{fa} \| ID_{mu} \| ID_{fa}).$ (12)

At last, HA computes $E_{K_{fh}}(SK_{fa})$ and sends $M_3 = \{E_{K_{fh}}(SK_{fa})\}$ to FA.

(4) $FA \rightarrow MU: M_4 = \{ID_{fa}, FV_1, N_{fa}\}$. When $M_3$ is received, FA computes $D_{K_{fh}}(E_{K_{fh}}(SK_{fa}))$ to find the session key $SK_{fa}$. Next, FA computes $FV_1 = h(SK_{fa} \| N_{fa})$ and sends $M_4 = \{ID_{fa}, FV_1, N_{fa}\}$ to MU.

(5) When $M_4$ is received, MU finds the session key as follows:

$SK_{mu} = h(V_4 \| N_{mu} \| N_{fa} \| ID_{mu} \| ID_{fa}),$ (13)

$FV^*_1 = h(SK_{mu} \| N_{fa}).$ (14)

MU then verifies $FV^*_1 \stackrel{?}{=} FV_1$. If the verification is false, MU rejects $M_4$. Otherwise, MU authenticates FA.

2.4. Password change phase

This phase is invoked whenever an MU wants to update his/her password $PW_{mu}$. The following steps are involved in this phase:

(1) $MU \rightarrow HA: M_1 = \{V_2, V_3, V_5\}$. MU enters his or her identity $ID_{mu}$, present password $PW_{mu}$, and new password $PW^{new}_{mu}$. The mobile device computes

$V_1 = A_{mu} \oplus h(ID_{mu}),$ (15)

$V_2 = V_1 \oplus N_{mu},$ (16)

$V_3 = h(V_1 \| N_{mu}) \oplus ID_{mu},$ (17)

$V_4 = B_{mu} \oplus h(PW_{mu}),$ (18)

$V_5 = h(V_2 \| V_3 \| V_4 \| ID_{mu}).$ (19)

MU sends $M_1 = \{V_2, V_3, V_5\}$ to HA.

(2) When $M_1$ is received, HA calculates

$N^*_{mu} = V_2 \oplus h(K_h),$ (20)

$ID^*_{mu} = V_3 \oplus h(h(K_h) \| N^*_{mu}),$ (21)

$V^*_4 = h(K_h \| ID^*_{mu}),$ (22)

$V^*_5 = h(V_2 \| V_3 \| V^*_4 \| ID^*_{mu}).$ (23)

HA then verifies $V^*_5 \stackrel{?}{=} V_5$. If the verification is false, HA rejects $M_1$. Otherwise, HA authenticates MU. Then, HA computes $HV_1 = h(V^*_4 \| N^*_{mu} \| ID^*_{mu})$ and sends $M_2 = \{HV_1\}$ to MU.

(3) When $M_2$ is received, MU verifies $h(V_4 \| N_{mu} \| ID_{mu}) \stackrel{?}{=} HV_1$. If the verification holds, then MU computes

$B'_{mu} = B_{mu} \oplus h(PW_{mu}) \oplus h(PW^{new}_{mu})$ (24)

and replaces $B_{mu}$ with $B'_{mu}$.

3. CRYPTANALYSIS OF THE SCHEME OF FARASH ET AL.

This section proves that the scheme of Farash et al. is open to various kinds of attacks. The following two assumptions about the proficiency of an adversary $\mathcal{A}$ are made before the scheme of Farash et al. is analysed. Note that the following assumptions are quite reasonable and have also been made in recent works [30–35]:

(1) The adversary $\mathcal{A}$ may eavesdrop, insert, block, intercept, modify, or delete any messages transmitted over the public channel [36].
(2) $\mathcal{A}$ can steal or accidentally pick up a legitimate MU's smart card and then extract the secret parameters stored in the smart card by employing side-channel attacks [37,38].

3.1. Fail to achieve user anonymity

The secret key of HA, $K_h$, is involved in both registration and login phases of the scheme of Farash et al. However, we show that a hashed form of the secret key, $h(K_h)$, can be obtained by any valid MU. Let adversary $\mathcal{A}$ be a legal MU of HA with identity $ID^{ad}_{mu}$ and password $PW^{ad}_{mu}$ as well as the registration parameters $A^{ad}_{mu}$, $B^{ad}_{mu}$, $r$, and $h(\cdot)$, which are stored in the smart card of his or her mobile device. Note that $\mathcal{A}$ can extract all the registration parameters from his or her own smart card according to Assumption 2, where

$A^{ad}_{mu} = h(K_h) \oplus h(ID^{ad}_{mu}),$

$B^{ad}_{mu} = h(K_h \| ID^{ad}_{mu}) \oplus h(PW^{ad}_{mu} \| r).$

$\mathcal{A}$ is now empowered to find the hashed form of the HA's long term secret key $h(K_h)$ as follows:

$A^{ad}_{mu} \oplus h(ID^{ad}_{mu}) = h(K_h) \oplus h(ID^{ad}_{mu}) \oplus h(ID^{ad}_{mu}) = h(K_h).$

Now, $\mathcal{A}$ can obtain the identity of other MUs registered under the same HA. Let MU be a registered mobile user at the same HA that executes the login phase. Clearly, $\mathcal{A}$ can intercept $M_1 = \{V_2, V_3, V_5\}$ from Step 1 of the authentication phase under Assumption 1. Using $V_2$ and $h(K_h)$, $\mathcal{A}$ can find the random number $N_{mu}$ of MU as follows:

$V_2 \oplus h(K_h) = V_1 \oplus N_{mu} \oplus h(K_h) = A_{mu} \oplus h(ID_{mu}) \oplus N_{mu} \oplus h(K_h) = h(K_h) \oplus h(ID_{mu}) \oplus h(ID_{mu}) \oplus N_{mu} \oplus h(K_h) = N_{mu}.$

Now that $N_{mu}$ is known, $\mathcal{A}$ can find $V_1$ as follows:

$V_2 \oplus N_{mu} = V_1 \oplus N_{mu} \oplus N_{mu} = V_1.$

Then, $\mathcal{A}$ computes $h(V_1 \| N_{mu})$ and traces the identity $ID_{mu}$ of MU using $V_3$ as follows:

$V_3 \oplus h(V_1 \| N_{mu}) = h(V_1 \| N_{mu}) \oplus ID_{mu} \oplus h(V_1 \| N_{mu}) = ID_{mu}.$

Because the adversary $\mathcal{A}$ can obtain the identity $ID_{mu}$ of any MU, the scheme of Farash et al. cannot attain user anonymity.

3.2. Faulty password change phase

For changing the password, MU must be authenticated by HA. To verify the authenticity of an MU, the verification $h(V_2 \| V_3 \| V^*_4 \| ID_{mu}) \stackrel{?}{=} V_5$ must be true, where $V_5 = h(V_2 \| V_3 \| V_4 \| ID_{mu})$. However, the verification never evaluates to true because $V^*_4 \neq V_4$: $V^*_4 = h(K_h \| ID_{mu})$, whereas $V_4 = B_{mu} \oplus h(PW_{mu}) = h(K_h \| ID_{mu}) \oplus h(PW_{mu} \| r) \oplus h(PW_{mu})$, where $B_{mu} = h(K_h \| ID_{mu}) \oplus h(PW_{mu} \| r)$. As a result, even a legal MU cannot change the password at his or her will because the aforementioned verification always fails. The password change phase of the scheme of Farash et al. is thus inefficient. Hence, the problem with the password change phase is that the protocol is not correctly designed and has a fault.

3.3. Vulnerable to offline password guessing attack

The most appalling threat that any sound password-based protocol should be capable of thwarting is the offline password guessing attack [39]. The adversary deploys this attack by first recording previous communication messages, followed by performing an offline search for a password in the password dictionary until a match with the recorded communication is found. The probability of the adversary's success is high because the password dictionary often has limited content. Incidentally, this attack can successfully be deployed against the scheme of Farash et al. If adversary $\mathcal{A}$ steals or accidentally picks up a legitimate MU's smart card, the stored secret information $\{A_{mu}, B_{mu}, r, h(\cdot)\}$ can easily be exposed under Assumption 2. With the previously intercepted message $M_1 = \{V_2, V_3, V_5\}$, $\mathcal{A}$ can obtain MU's password $PW_{mu}$ as follows:

(1) Guesses $PW'_{mu}$ to be the MU's password.
(2) Computes $V^*_4 = B_{mu} \oplus h(PW'_{mu} \| r)$.
(3) Computes $V^*_5 = h(V_2 \| V_3 \| V^*_4)$.
(4) Verifies the correctness of $PW'_{mu}$ by checking $V^*_5 \stackrel{?}{=} V_5$.
(5) If the verification holds, then $\mathcal{A}$ considers $PW'_{mu}$ as the MU's password. Otherwise, Steps 1–4 are repeated by $\mathcal{A}$ until a matching password $PW_{mu}$ is obtained.

Let the password dictionary $D_{PW}$ contain $|D_{PW}|$ passwords. The aforementioned attack is carried out with an execution time of $O(|D_{PW}| \cdot (2T_h + 1T_{xor}))$, where $T_h$ and $T_{xor}$ are the execution times for a hash operation and an XOR operation, respectively. According to Wang [30], the time for $\mathcal{A}$ to recover MU's password is a linear function of the number of passwords in the password dictionary $D_{PW}$. The password dictionary $D_{PW}$ has limited content, for example, $|D_{PW}| \leq 10^6$ [40,41]. Hence, the aforementioned attack can be deployed in polynomial time.

3.4. No local password verification

The MU's identity $ID_{mu}$ and password $PW_{mu}$ are accepted as inputs in the login phase of the scheme of Farash et al.; however, the mobile device does not check the correctness of MU's password $PW_{mu}$ and identity $ID_{mu}$. Therefore, even if the MU incorrectly enters the password $PW_{mu}$ or identity $ID_{mu}$ or both, Steps 1–3 of Section 2.3 are still performed (i.e., Equations (3) to (11) are computed). This proves the inefficiency of the scheme of Farash et al. with respect to detection of incorrect input. As a result, unnecessary extra communication and computational overheads occur during the execution of the login and authentication phases. Experimental results in [30,34] show that the execution times of $T_{hash}$ (using the SHA-1 hash algorithm), $T_{xor}$, and $T_{ed}$ (using AES-128 symmetric encryption/decryption) are 2.437 s, 0.011 s and 2.012 s, respectively, where $T_{ed}$ is the execution time of an encryption/decryption operation. Then, the computational overhead is calculated as $8T_h + 2T_{ed} + 6T_{xor} \approx 23.586$ s. Hence, the login and authentication phase of the scheme of Farash et al. is inefficient.

3.5. Session key disclosure

In the scheme of Farash et al., adversary $\mathcal{A}$, a malicious MU who has obtained the hashed form of the HA's secret key $h(K_h)$, can reveal the session key established between MU and the FA by recording the messages transmitted during the session. In order to do this, the adversary carries out the following:

(1) The adversary $\mathcal{A}$ intercepts the session and records the transmitted messages $M_1 = \{V_2, V_3, V_5\}$ and $M_4 = \{ID_{fa}, FV_1, N_{fa}\}$ between FA and MU.
(2) $\mathcal{A}$ then obtains the random number $N_{mu}$ and identity $ID_{mu}$ as discussed in Section 3.1 and is able to compute $V_4$ as discussed in Section 3.3.
(3) $\mathcal{A}$ then computes the session key $SK_{mu} = h(V_4 \| N_{mu} \| N_{fa} \| ID_{mu} \| ID_{fa})$, which is equivalent to Equations (12) and (13).

Therefore, the adversary $\mathcal{A}$ can compute a session key with MU. This weakness leads to the FA masquerade attack. Mutual authentication is accomplished in the scheme of Farash et al. However, the condition of masquerading the FA is overlooked. As a result, mutual authentication is not achieved in the scheme of Farash et al.

3.6. Possibility of replay attack

During the login and authentication phase of the scheme of Farash et al., MU sends the login message $M_1 = \{V_2, V_3, V_5\}$ to FA via a secure channel, where $V_2 = V_1 \oplus N_{mu}$, $V_3 = h(V_1 \| N_{mu}) \oplus ID_{mu}$ and $V_5 = h(V_2 \| V_3 \| V_4)$, respectively. Suppose an attacker successfully intercepts the message and sends $M'_1 = M_1$ to FA in the following attempt. On receiving this message during the login and authentication phase, FA generates the random number $N'_{fa}$, calculates $E_{K_{fh}}(M'_1, N'_{fa})$, and subsequently sends the message $M'_2 = \{ID_{fa}, E_{K_{fh}}(M'_1, N'_{fa})\}$ to HA. HA then processes $M'_2$ and verifies whether the attacker is a legal user or not. Although the attacker fails to obtain the session key, it is possible for the attacker to impersonate the MU while logging in to the FA. Therefore, the scheme of Farash et al. is incapable of preventing replay attack using random numbers.
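The fault described in Section 3.2 can be checked mechanically. The following is an added example written for this edit (it is not code from the paper or from Farash et al.): it models Equations (1)–(2) and (15)–(23) with SHA-256 standing in for $h(\cdot)$, all values as 256-bit integers, and a constructed HA key, identity, password and card nonce $r$. It returns whether HA's check $V^*_5 = V_5$ accepts a genuine user's password change request as the phase is specified, and, for comparison, whether it would accept the request if $V_4$ were formed as $B_{mu} \oplus h(PW_{mu} \| r)$, the way the login phase forms it in Equation (6).

```python
import hashlib, secrets

def h(*parts):
    """h(): SHA-256 over the concatenation (‖) of 32-byte big-endian encodings, as a 256-bit int."""
    return int.from_bytes(hashlib.sha256(b"".join(int(p).to_bytes(32, "big") for p in parts)).digest(), "big")

enc = lambda s: int.from_bytes(s.encode(), "big")  # identities/passwords as ints so they hash/XOR like other values

def farash_register(Kh, IDmu, PWmu, r):
    """Registration phase of Farash et al., Equations (1)-(2); returns the smart-card contents."""
    Amu = h(Kh) ^ h(IDmu)            # (1)
    Bmu = h(Kh, IDmu) ^ h(PWmu, r)   # (2)
    return {"Amu": Amu, "Bmu": Bmu, "r": r}

def farash_pw_change_request(card, IDmu, PWmu, include_r=False):
    """Step (1) of the password change phase, Equations (15)-(19).
    As specified, V4 = Bmu ⊕ h(PWmu) (18) omits the r that registration folded into Bmu;
    include_r=True computes Bmu ⊕ h(PWmu‖r) instead, the value the login phase uses in (6)."""
    Nmu = secrets.randbits(256)
    V1 = card["Amu"] ^ h(IDmu)                                          # (15)
    V2 = V1 ^ Nmu                                                       # (16)
    V3 = h(V1, Nmu) ^ IDmu                                              # (17)
    V4 = card["Bmu"] ^ (h(PWmu, card["r"]) if include_r else h(PWmu))   # (18)
    V5 = h(V2, V3, V4, IDmu)                                            # (19)
    return {"V2": V2, "V3": V3, "V5": V5}

def farash_ha_check(Kh, M1):
    """Step (2): HA recomputes Equations (20)-(23) and checks V5* = V5."""
    Nmu_s = M1["V2"] ^ h(Kh)                      # (20)
    ID_s = M1["V3"] ^ h(h(Kh), Nmu_s)             # (21)
    V4_s = h(Kh, ID_s)                            # (22): always h(Kh‖IDmu) for a genuine card
    V5_s = h(M1["V2"], M1["V3"], V4_s, ID_s)      # (23)
    return V5_s == M1["V5"]

def demo():
    """Returns (as_specified, with_r): whether HA accepts a legitimate MU's password change request."""
    Kh, r = secrets.randbits(256), secrets.randbits(256)      # constructed HA key and card nonce
    IDmu, PWmu = enc("mu-001"), enc("correct horse")          # constructed identity and password
    card = farash_register(Kh, IDmu, PWmu, r)
    as_specified = farash_ha_check(Kh, farash_pw_change_request(card, IDmu, PWmu))
    with_r = farash_ha_check(Kh, farash_pw_change_request(card, IDmu, PWmu, include_r=True))
    return as_specified, with_r
```

`demo()` returns `(False, True)`: with the correct password and an untampered card, HA still rejects the request because $V_4$ on the card side is $h(K_h \| ID_{mu}) \oplus h(PW_{mu} \| r) \oplus h(PW_{mu})$ while HA computes $V^*_4 = h(K_h \| ID_{mu})$; the two agree only when the card side folds in $r$ as the login phase does.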

4. THE PROPOSED SCHEME

This section describes our improved lightweight authentication scheme with user anonymity property for the roaming service in ubiquitous networks. Our scheme has the following phases.

4.1. Initialization

Home agent chooses two large prime integers $p, q$ and computes $n = p \cdot q$ and $\phi(n) = (p - 1) \cdot (q - 1)$. Then, HA randomly selects an integer $e$ such that $\gcd(e, \phi(n)) = 1$ and $1 < e < \phi(n)$. HA computes an integer $K_h$ such that $K_h \equiv e^{-1} \pmod{\phi(n)}$. Lastly, $e$ and $n$ are made public, while $(p, q)$ and $K_h$ are kept secret by the HA. Note that $K_h \equiv e^{-1} \pmod{\phi(n)}$ can be computed efficiently using the extended Euclid's greatest common divisor algorithm [42].

4.2. Registration phase

(1) Mobile user freely chooses his or her password $PW_{mu}$, identity $ID_{mu}$, and a random number $r$ and sends the registration request $\{h(PW_{mu} \| r), ID_{mu}\}$ to HA via a secure communication channel.

(2) Upon receiving $\{h(PW_{mu} \| r), ID_{mu}\}$, HA generates a random number $b$ and computes

$x = b^e \pmod n,$ (25)

$A_{mu} = h(K_h \| b) \oplus h(ID_{mu}),$ (26)

$B_{mu} = h(K_h \| ID_{mu}) \oplus h(PW_{mu} \| r),$ (27)

where $K_h$ is the HA's secret key. Lastly, HA stores $\{A_{mu}, B_{mu}, x, ID_{ha}, e, n, h(\cdot)\}$ in a smart card and sends it to MU via a secure communication channel.

(3) Upon receiving the smart card, MU computes $C_{mu} = h(ID_{mu} \| PW_{mu}) \oplus r$ and $C_t = ID_{mu} \odot PW_{mu} \odot r$ and injects $\{C_{mu}, C_t\}$ into the smart card. Finally, the smart card contains $\{A_{mu}, B_{mu}, C_{mu}, C_t, x, ID_{ha}, e, n, h(\cdot)\}$.

4.3. Login and authentication phase

The detailed steps of the login and authentication phases are as follows and also in Figure 2:

(1) $MU \rightarrow FA: M_1 = \{ID_{ha}, x \oplus T_m, V_2, V_3, V_5, T_m\}$. MU inserts his or her smart card into the mobile device and enters password $PW_{mu}$ and identity $ID_{mu}$. Then, the mobile device computes $r = C_{mu} \oplus h(ID_{mu} \| PW_{mu})$ and verifies $ID_{mu} \odot PW_{mu} \odot r \stackrel{?}{=} C_t$. If the verification holds, it chooses a random number $N_{mu}$ and computes the following values; otherwise, it terminates the login process. The mobile device calculates

$V_1 = A_{mu} \oplus h(ID_{mu}),$ (28)

$V_2 = V_1 \oplus N_{mu},$ (29)

$V_3 = h(V_1 \| N_{mu}) \oplus ID_{mu},$ (30)

$V_4 = B_{mu} \oplus h(PW_{mu} \| r),$ (31)

$V_5 = h(V_2 \| V_3 \| V_4 \| T_m),$ (32)

where $T_m$ is the present time stamp of MU. Then, MU sends $M_1 = \{ID_{ha}, x \oplus T_m, V_2, V_3, V_5, T_m\}$ to FA.

(2) $FA \rightarrow HA: M_2 = \{ID_{fa}, M_1, E_{K_{fh}}(N_{fa}), T_f\}$. Upon receiving $M_1$, FA checks the recentness of $T_m$ using $T_f - T_m \leq \Delta T_1$, where $T_f$ is the present time stamp of FA, and $\Delta T_1$ is the allowed time interval for the communication delay between FA and MU. If it does not hold, FA rejects $M_1$. Otherwise, FA generates the random number $N_{fa}$ and computes $E_{K_{fh}}(N_{fa})$, where $K_{fh}$ is a pre-shared secret key between FA and HA, and sends $M_2 = \{ID_{fa}, M_1, E_{K_{fh}}(N_{fa}), T_f\}$ to HA.

Figure 2. Login and authentication phases of our scheme.

(3) $HA \rightarrow FA: M_3 = \{E_{K_{fh}}(SK_{fa}, HT), Z, T_h\}$. When $M_2$ is received, HA checks the recentness of $T_f$ using $T_h - T_f \leq \Delta T_2$, where $T_h$ is the present time stamp of HA, and $\Delta T_2$ is the allowed time interval for the communication delay between FA and HA. If it does not hold, HA rejects $M_2$. Otherwise, HA checks $ID_{fa}$ and obtains $K_{fh}$ corresponding to $ID_{fa}$. Then, HA finds $x = x \oplus T_m \oplus T_m$. Next, HA decrypts $D_{K_{fh}}(E_{K_{fh}}(N_{fa}))$ and computes $b = x^{K_h} \pmod n$ to find $N_{fa}$ and $b$. Euler's theorem states that for every $b$ and $n$ that are relatively prime, $b^{\phi(n)} \equiv 1 \pmod n$ [42]. An immediate corollary of Euler's theorem is as follows. Given two prime numbers $p$ and $q$, two integers $n$ and $b$ such that $n = pq$, $0 < b < n$, and an arbitrary integer $k$, the relationship $b^{k\phi(n)+1} = b^{k(p-1)(q-1)+1} \equiv b \pmod n$ holds [42]. In our case, we have $K_h \equiv e^{-1} \pmod{\phi(n)}$, that is, $eK_h \equiv 1 \pmod{\phi(n)}$. Thus, we have $eK_h = k\phi(n) + 1$ for some integer $k$. Therefore, by applying the corollary of Euler's theorem, we have $x^{K_h} \pmod n = (b^e)^{K_h} \pmod n = b^{eK_h} \pmod n = b^{k\phi(n)+1} \pmod n \equiv b \pmod n$. Further, HA finds

$N^*_{mu} = V_2 \oplus h(K_h \| b),$ (33)

$ID^*_{mu} = V_3 \oplus h(h(K_h \| b) \| N^*_{mu}),$ (34)

$V^*_4 = h(K_h \| ID^*_{mu}),$ (35)

$V^*_5 = h(V_2 \| V_3 \| V^*_4 \| T_m).$ (36)

Home agent then verifies $V^*_5 \stackrel{?}{=} V_5$. If the verification holds, MU is authenticated by HA. Otherwise, HA rejects $M_2$. Once MU is authenticated, HA finds the session key as follows:

$SK_{fa} = h(V^*_4 \| N^*_{mu} \| N_{fa} \| ID_{mu} \| ID_{fa}),$ (37)

$HT = SK_{fa} \odot N_{fa} \odot K_{fh} \odot T_h,$ (38)

$Z = N_{fa} \oplus (x \odot N^*_{mu}).$ (39)

At last, HA computes $E_{K_{fh}}(SK_{fa}, HT)$ and sends $M_3 = \{E_{K_{fh}}(SK_{fa}, HT), Z, T_h\}$ to FA.

(4) $FA \rightarrow MU: M_4 = \{ID_{fa}, FV_1, Z, T'_f\}$. When $M_3$ is received, FA checks the recentness of $T_h$ using $T'_f - T_h \leq \Delta T_2$, where $T'_f$ is the present time stamp of FA. If it does not hold, FA rejects $M_3$. Otherwise, FA decrypts $D_{K_{fh}}(E_{K_{fh}}(SK_{fa}, HT))$ and finds the session key $SK_{fa}$ and $HT$. Then, FA computes $HT^* = SK_{fa} \odot N_{fa} \odot K_{fh} \odot T_h$ and verifies $HT^* \stackrel{?}{=} HT$. If the verification fails, FA rejects $M_3$. Otherwise, FA authenticates HA. Next, FA computes $FV_1 = h(SK_{fa} \| N_{fa} \| T'_f)$ and sends $M_4 = \{ID_{fa}, FV_1, Z, T'_f\}$ to MU.

(5) When $M_4$ is received, MU checks the recentness of $T'_f$ using $T'_m - T'_f \leq \Delta T_1$, where $T'_m$ is the present time stamp of MU. If it does not hold, MU rejects $M_4$. Otherwise, MU computes the session key as follows:

$N_{fa} = Z \oplus (x \odot N_{mu}),$ (40)

$SK_{mu} = h(V_4 \| N_{mu} \| N_{fa} \| ID_{mu} \| ID_{fa}),$ (41)

$FV^*_1 = h(SK_{mu} \| N_{fa} \| T'_f).$ (42)

MU then verifies $FV^*_1 \stackrel{?}{=} FV_1$. If verification fails, MU rejects $M_4$. Otherwise, MU authenticates FA. The aforementioned verification ensures the successful mutual authentication among MU, FA, and HA. At the end of this phase, MU keeps $SK_{mu}$ ($= SK_{fa}$) as the session key shared with FA, and FA also keeps the same key $SK_{fa}$ ($= SK_{mu}$) shared with MU.

4.4. Password change phase

Mobile user inserts his/her smart card into the mobile device and enters password $PW_{mu}$, identity $ID_{mu}$, and new password $PW^{new}_{mu}$. Then, the mobile device computes $r = C_{mu} \oplus h(ID_{mu} \| PW_{mu})$ and verifies $ID_{mu} \odot PW_{mu} \odot r \stackrel{?}{=} C_t$. If verification fails, it rejects the request. Otherwise, the following values are computed:

$B'_{mu} = B_{mu} \oplus h(PW_{mu} \| r) \oplus h(PW^{new}_{mu} \| r) = h(K_h \| ID_{mu}) \oplus h(PW^{new}_{mu} \| r),$

$C'_{mu} = h(ID_{mu} \| PW^{new}_{mu}) \oplus r,$

$C'_t = ID_{mu} \odot PW^{new}_{mu} \odot r.$

Finally, the values $C_{mu}$, $B_{mu}$, and $C_t$ are substituted with $C'_{mu}$, $B'_{mu}$, and $C'_t$, respectively.
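To make the message flow of Sections 4.1–4.3 concrete, the following added example (written for this edit; it is not the authors' implementation, and no code accompanies the paper) runs the initialization, registration and login/authentication phases end to end between MU, FA and HA, including the timestamp checks and the local password verification of step (1). Assumptions not taken from the paper: SHA-256 stands in for $h(\cdot)$ and every value is a 256-bit integer; a chain of $\odot$ operations is folded left to right (the paper does not say how it is parenthesized); $E_{K_{fh}}/D_{K_{fh}}$ are modelled by a hash-derived XOR keystream rather than a real cipher; the toy primes $2^{31}-1$ and $2^{32}-5$, the identities, the password and $\Delta T_1 = \Delta T_2 = 5$ s are constructed values.

```python
import hashlib, secrets, time
from functools import reduce
from math import gcd

MASK = (1 << 256) - 1
DT = 5  # ΔT1 = ΔT2: allowed transmission delay in seconds (constructed value, not from the paper)

def h(*parts):
    """h(): SHA-256 over the concatenation (‖) of 32-byte big-endian encodings, as a 256-bit int."""
    return int.from_bytes(hashlib.sha256(b"".join(int(p).to_bytes(32, "big") for p in parts)).digest(), "big")
def nor(*vals):
    """⊙: bitwise NOR on 256-bit values, folded left to right (NOR is not associative; assumed order)."""
    return reduce(lambda a, b: ~(a | b) & MASK, vals)
enc = lambda s: int.from_bytes(s.encode(), "big")  # identities/passwords as ints so they hash/XOR like other values
def E(key, iv, *vals):
    """Stand-in for E_Kfh()/D_Kfh(): hash-derived keystream XORed into each value (not AES; illustrative only)."""
    return [v ^ h(key, iv, i) for i, v in enumerate(vals)]

def ha_init():
    """4.1 Initialization with toy primes 2^31-1 and 2^32-5 (constructed; real deployments use large primes)."""
    p, q, e = 2147483647, 4294967291, 65537
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1 and 1 < e < phi
    return {"n": n, "e": e, "Kh": pow(e, -1, phi)}  # K_h ≡ e^{-1} (mod φ(n)), via the extended Euclid algorithm

def register(ha, IDha, IDmu, PWmu, r):
    """4.2 Registration, Equations (25)-(27); the MU then adds Cmu and Ct to the card."""
    b = secrets.randbelow(ha["n"] - 2) + 2            # 0 < b < n
    x = pow(b, ha["e"], ha["n"])                       # (25)
    Amu = h(ha["Kh"], b) ^ h(IDmu)                     # (26)
    Bmu = h(ha["Kh"], IDmu) ^ h(PWmu, r)               # (27)
    return {"Amu": Amu, "Bmu": Bmu, "x": x, "IDha": IDha, "e": ha["e"], "n": ha["n"],
            "Cmu": h(IDmu, PWmu) ^ r, "Ct": nor(IDmu, PWmu, r)}

def mu_step1(card, IDmu, PWmu, Tm):
    r = card["Cmu"] ^ h(IDmu, PWmu)
    if nor(IDmu, PWmu, r) != card["Ct"]:
        return None                                    # local password verification failed: nothing is sent
    Nmu = secrets.randbits(256)
    V1 = card["Amu"] ^ h(IDmu)                         # (28), equals h(Kh‖b)
    V2 = V1 ^ Nmu                                      # (29)
    V3 = h(V1, Nmu) ^ IDmu                             # (30)
    V4 = card["Bmu"] ^ h(PWmu, r)                      # (31), equals h(Kh‖IDmu)
    V5 = h(V2, V3, V4, Tm)                             # (32)
    M1 = {"IDha": card["IDha"], "xT": card["x"] ^ Tm, "V2": V2, "V3": V3, "V5": V5, "Tm": Tm}
    return M1, {"Nmu": Nmu, "V4": V4}

def fa_step2(M1, IDfa, Kfh, Tf):
    if Tf - M1["Tm"] > DT:
        return None                                    # Tf - Tm ≤ ΔT1 failed
    Nfa, iv = secrets.randbits(256), secrets.randbits(256)
    return {"IDfa": IDfa, "M1": M1, "ENfa": (iv, E(Kfh, iv, Nfa)), "Tf": Tf}, Nfa
def ha_step3(ha, M2, Kfh, Th):
    M1 = M2["M1"]
    if Th - M2["Tf"] > DT:
        return None                                    # Th - Tf ≤ ΔT2 failed
    x = M1["xT"] ^ M1["Tm"]
    iv, ct = M2["ENfa"]; (Nfa,) = E(Kfh, iv, *ct)
    b = pow(x, ha["Kh"], ha["n"])                      # x^Kh = b^(e·Kh) ≡ b (mod n) by the Euler corollary
    Nmu_s = M1["V2"] ^ h(ha["Kh"], b)                  # (33)
    ID_s = M1["V3"] ^ h(h(ha["Kh"], b), Nmu_s)         # (34)
    V4_s = h(ha["Kh"], ID_s)                           # (35)
    if h(M1["V2"], M1["V3"], V4_s, M1["Tm"]) != M1["V5"]:  # (36): V5* = V5 authenticates MU
        return None
    SKfa = h(V4_s, Nmu_s, Nfa, ID_s, M2["IDfa"])       # (37)
    HT = nor(SKfa, Nfa, Kfh, Th)                       # (38)
    Z = Nfa ^ nor(x, Nmu_s)                            # (39)
    iv2 = secrets.randbits(256)
    return {"E": (iv2, E(Kfh, iv2, SKfa, HT)), "Z": Z, "Th": Th}

def fa_step4(M3, IDfa, Kfh, Nfa, Tf2):
    if Tf2 - M3["Th"] > DT:
        return None
    iv, ct = M3["E"]; SKfa, HT = E(Kfh, iv, *ct)
    if nor(SKfa, Nfa, Kfh, M3["Th"]) != HT:            # HT* = HT authenticates HA to FA
        return None
    return {"IDfa": IDfa, "FV1": h(SKfa, Nfa, Tf2), "Z": M3["Z"], "Tf2": Tf2}, SKfa
def mu_step5(card, st, IDmu, M4, Tm2):
    if Tm2 - M4["Tf2"] > DT:
        return None
    Nfa = M4["Z"] ^ nor(card["x"], st["Nmu"])          # (40)
    SKmu = h(st["V4"], st["Nmu"], Nfa, IDmu, M4["IDfa"])  # (41)
    if h(SKmu, Nfa, M4["Tf2"]) != M4["FV1"]:           # (42): FV1* = FV1 authenticates FA to MU
        return None
    return SKmu

def run(entered_pw="correct horse"):
    """One full login with constructed identities; returns (SKmu, SKfa), or None if a party aborted."""
    ha, Kfh = ha_init(), secrets.randbits(256)
    IDha, IDfa, IDmu, PWmu = enc("HA"), enc("FA"), enc("mu-001"), enc("correct horse")
    card = register(ha, IDha, IDmu, PWmu, secrets.randbits(256))
    t = int(time.time())
    s1 = mu_step1(card, IDmu, enc(entered_pw), t)
    if s1 is None: return None
    M1, st = s1
    M2, Nfa = fa_step2(M1, IDfa, Kfh, t + 1)
    M3 = ha_step3(ha, M2, Kfh, t + 2)
    M4, SKfa = fa_step4(M3, IDfa, Kfh, Nfa, t + 3)
    return mu_step5(card, st, IDmu, M4, t + 4), SKfa
```

`run()` returns the pair $(SK_{mu}, SK_{fa})$, which agree when every check passes; `run("wrong")` returns `None` because the check $ID_{mu} \odot PW_{mu} \odot r = C_t$ in step (1) aborts before any message is sent, which is the local password verification that Section 3.4 finds missing from the scheme of Farash et al.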

5. FORMAL SECURITY VERIFICATION USING AVISPA TOOL

In this section, we perform the simulation of our scheme using the widely-accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool [43] and show that our scheme is secure against the replay and man-in-the-middle attacks.

5.1. Overview of AVISPA

Automated Validation of Internet Security Protocols and Applications is a push-button tool for building and analyzing security protocols. AVISPA provides a role-based expressive formal language for protocol specification known as High Level Protocol Specification Language (HLPSL) [44]. The HLPSL representation of the protocol is first translated into intermediate form (IF) using the HLPSL2IF translator, and then the IF is used as input to one of four different back ends: On-the-fly Model-Checker (OFMC), CL-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC), and Tree-Automata-based Protocol-Analyser (TA4SP). The back end analyzes the protocol and outputs the results, which tell whether the protocol is safe or unsafe. All back ends assume perfect cryptography, which means that an attacker cannot solve encryption without the knowledge of the whole key. Also, the transmission channel is assumed to be controlled by the Dolev–Yao attacker [45]. For more detailed descriptions of these back ends, one can refer to [46–50], [43–45], [51,52]. High Level Protocol Specification Language is a role-based expressive language containing basic roles for participants and composite roles. In HLPSL, an intruder (always represented by i) plays as a legitimate role, which is modeled using the Dolev–Yao threat model [45]. The specification also mentions a few predefined special roles, session and environment. In the session role, all the basic roles are instantiated with concrete arguments. The environment role is the starting point for execution and instantiates the session role using different basic roles.


5.2. Specifying the protocol

In our implementation, we have three basic roles: mobileuser, homeagent, and foreignagent for the MU, HA, and FA, respectively. The initiator MU in Figure 3 first receives the start signal and after that updates its state (maintained by the variable State) from 0 to 1. MU then sends the registration request $\{h(PW_{mu} \| r), ID_{mu}\}$ to HA with the help of the SND( ) channel. MU then receives the smart card SCi having $\{A_{mu}, B_{mu}, x, ID_{ha}, e, n, h(\cdot)\}$ from HA securely using the RCV( ) channel and updates its state from 1 to 2. During the login and authentication phase, MU generates a fresh timestamp $T_m$ and random nonce $N_{mu}$ and then sends the message $M_1 = \{ID_{ha}, x \oplus T_m, V_2, V_3, V_5, T_m\}$ to FA via a public channel. Finally, MU waits to receive

Figure 3. Role specification in HLPSL for the mobile user MU.


the message $M_4 = \{ID_{fa}, FV_1, Z, T'_f\}$ from FA via a public channel. Note that secret(A, sec, X) represents that the information A is kept permanently secret to the agent X. The declaration witness(X, Y, id, B') means that the agent X has freshly generated the value b for the agent Y, characterized by the protocol identifier id. On the other hand, request(Y, X, id, B') denotes X's acceptance of the value b generated for X by Y. Channel(dy) denotes that the channel is public and controlled by the Dolev–Yao attacker [45]. In a similar way, we have implemented the roles in HLPSL for the HA and FA in Figures 4 and 5, respectively.

Figure 4. Role specification in HLPSL for the home agent HA.


Figure 5. Role specification in HLPSL for the foreign agent FA.

Figure 6. Specification of the session role in HLPSL.

Figure 7. Specification of the goal and environment role in HLPSL.

We have then given the HLPSL specification for the roles session, goal, and environment. In Figure 6, in the session role, all the basic roles are instantiated with concrete arguments. The top level role environment provided in Figure 7 is the starting point for execution. Finally, in the goal section, six authentication goals and four secrecy goals are specified. For example, the secrecy goal sec3 mentions that $\{p, q, b, K_h = e^{-1} \pmod n\}$ are kept secret only to the HA. Similarly, other secrecy goals are mentioned.

The authentication goal mu_fa_nmu says that FA must authenticate the random nonce Nmu generated for FA by MU. In a similar way, other authentication goals are also mentioned.

5.3. Simulation results

In this section, we present the simulation results of our scheme using the AVISPA tool based on the widely used OFMC and CL-AtSe backends [43,53]. Because the AVISPA implementation of our scheme in HLPSL uses the XOR operation, currently the SATMC and TA4SP backends


do not support this feature. For this reason, the simulation results under the SATMC and TA4SP backends indicate Inconclusive, and we have ignored these simulation results in this paper. Our scheme executes the following verifications:

• Executability check on non-trivial HLPSL specifications: It is highly desirable to meet the executability conditions [44] of a test; otherwise, the AVISPA backends may not find an attack when the state which leads to a potential attack is unreachable. Also, in case of erroneous modeling, the protocol model may not execute to completion. The HLPSL implementation shown in Figures 3–7 is well matched with the design goals for the executability test.

• Replay attack check: The OFMC and CL-AtSe backends verify whether the legitimate agents can execute the specified protocol by performing a search for a passive intruder and decide whether a replay attack exists or not. These backends give the intruder the knowledge of some normal sessions between the legitimate agents. The simulation results are reported in Figures 8 and 9. From Figure 8, we see that the search time, the number of visited nodes, and the depth are 17.82 seconds, 2144 nodes, and 9 plies, respectively, under the OFMC backend. From Figure 9, it is observed that 15 states are analyzed and all of these states are reachable, and translation and computation take 0.08 seconds and 0.01 seconds, respectively, under the CL-AtSe backend. Thus, the simulation results clearly indicate that our scheme is secure against the replay attack.

• Dolev–Yao model check: For the Dolev–Yao model checking, the OFMC and CL-AtSe backends verify whether any man-in-the-middle attack is possible by an intruder (i). Note that the intruder (i) also takes part in the protocol execution, which is shown in Figure 7. The simulation results are reported in Figures 8 and 9. The formal security verification of our scheme also clearly demonstrates that our scheme is secure against the man-in-the-middle attack.

Figure 9. The result of analysis using CL-AtSe backend.

Figure 8. The result of analysis using OFMC backend.

6. ANALYSIS OF THE PROTOCOL PROPERTIES

This section describes the security analyses of the improved scheme and shows that all security requirements stated in Table IV are achieved in the improved scheme.

6.1. User anonymity


Besides the MU and its HA, nobody, including the FA, can tell the identity of the MU. In the improved scheme, an attacker may try to find MU's identity in two ways. First, according to Assumption 1, an attacker may intercept M1 = {IDha, x ⊕ Tm, V2, V3, V5, Tm}. Here, V3 = h(V1 || Nmu) ⊕ IDmu is related to the MU's identity IDmu. However, V3 is well protected by V1 = h(Kh || b) and the random number Nmu. Kh and b are neither sent through the messages {M1, M2, M3, M4} nor stored in the smart card. The freshness of Nmu in every login attempt ensures that V3 is fresh in each attempt as well. This shows that the attacker cannot obtain the identity IDmu of MU without knowing V1 and Nmu. Second, according to Assumption 2, an attacker may steal MU's smart card and extract the information {Amu, Bmu, Cmu, Ct, x, IDha, e, n, h()} from the smart card. Here, IDmu is related to the parameters Amu = h(Kh || b) ⊕ h(IDmu), Bmu = h(Kh || IDmu) ⊕ h(PWmu || r), Cmu = h(IDmu || PWmu) ⊕ r, and Ct = IDmu ⊗ PWmu ⊗ r. However, from these parameters, it is impossible to derive MU's identity IDmu because IDmu is protected by the secret random values b and r, HA's master secret key Kh, and MU's password PWmu. This shows that the attacker cannot obtain the identity IDmu of MU without knowing Kh, r, b, and PWmu. Therefore, the improved scheme preserves user anonymity.
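To make the masking argument of Section 6.1 (and the per-login freshness behind Section 6.2) concrete, the following Python sketch is added here; it is not code from the paper. It builds V1 = h(Kh || b) from HA's master key and the secret random value b, pads IDmu with h(V1 || Nmu), and shows that only a party holding Kh and b strips the pad, while two logins of the same MU yield unrelated V3 values. SHA-256 as h, 32-byte fixed-width identities, and the transport of b and Nmu to HA (carried by the other fields of M1 in the scheme, not modelled here) are assumptions of this sketch.

```python
import hashlib
import os

DIGEST_LEN = 32  # SHA-256 output length; h() of the paper is modelled as SHA-256 (assumption)


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over the concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the paper's ⊕)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encode_id(id_mu: bytes) -> bytes:
    """Pad the identity to the digest length so it can be XORed with a hash output.
    Fixed-width identities are an assumption of this sketch, not of the paper."""
    if len(id_mu) > DIGEST_LEN:
        raise ValueError("identity too long for this encoding")
    return id_mu.ljust(DIGEST_LEN, b"\x00")


def mask_identity(kh: bytes, b: bytes, id_mu: bytes, n_mu: bytes) -> bytes:
    """MU side: V1 = h(Kh || b), V3 = h(V1 || Nmu) ⊕ IDmu (Section 6.1)."""
    v1 = h(kh, b)
    return xor(h(v1, n_mu), encode_id(id_mu))


def unmask_identity(kh: bytes, b: bytes, n_mu: bytes, v3: bytes) -> bytes:
    """HA side: recompute the pad from Kh, b and Nmu and strip it from V3."""
    v1 = h(kh, b)
    return xor(h(v1, n_mu), v3).rstrip(b"\x00")


def demo() -> dict:
    """Constructed run: two logins of one MU. V3 differs per login, HA recovers
    IDmu from either, and a party without Kh recovers only garbage."""
    kh = os.urandom(32)        # HA master secret key Kh (constructed)
    b = os.urandom(16)         # secret random value b fixed at registration (constructed)
    id_mu = b"alice@home-net"  # constructed sample identity
    n1, n2 = os.urandom(16), os.urandom(16)  # fresh nonces Nmu for two logins
    v3_first = mask_identity(kh, b, id_mu, n1)
    v3_second = mask_identity(kh, b, id_mu, n2)
    wrong_key = os.urandom(32)  # an outsider guessing Kh
    return {
        "fresh_per_login": v3_first != v3_second,
        "ha_recovers_first": unmask_identity(kh, b, n1, v3_first),
        "ha_recovers_second": unmask_identity(kh, b, n2, v3_second),
        "outsider_recovers": unmask_identity(wrong_key, b, n1, v3_first),
    }
```

The point the sketch makes is the one the section argues: the pad h(V1 || Nmu) is a fresh pseudorandom string per login, so V3 carries no static, linkable value to anyone who lacks V1.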

6.2. User untraceability

Besides the MU and its HA, nobody, including the foreign agent, is able to link any past or future protocol runs of the same mobile user. In the improved scheme, suppose that an attacker has intercepted all the protocol communication messages (runs) {M1, M2, M3, M4}. Then, the attacker may attempt to recover any user-specific static information from these communication messages to identify the MU, but the messages M1, M2, M3, and M4 are all session-variant and indeed random strings because of the random numbers Nmu and Nfa. As a result, without knowing the random number Nmu, the attacker will have to solve the large integer factorization problem to recover the exact value of the MU's identity IDmu from V3, while IDmu is the only user-specific static information in the protocol messages. Therefore, the improved scheme achieves user untraceability.

6.3. Mutual authentication

The improved scheme ensures successful mutual authentication among MU, FA, and HA.

6.3.1. Mutual authentication between HA and MU. Mobile user is authenticated by HA in Step 3 of Section 4.3 by verifying V5* =? V5. A valid V5 can be computed by a legitimate MU because of V4* = h(Kh || ID*mu) in V5* = h(V2 || V3 || V4* || Tm). As discussed in Section 6.1, because an attacker does not know Kh and IDmu, valid V4 and V5 values cannot be computed by any malicious MU. Thus, HA authenticates MU. Also, HA can be authenticated by MU by verifying FV1* =? FV1 in Step 5.

6.3.2. Mutual authentication between HA and FA. Foreign agent is authenticated by HA in Step 3 of Section 4.3 by decrypting EKfh(Nfa) using the pre-shared secret key Kfh between FA and HA. A valid EKfh(Nfa) and DKfh(EKfh(Nfa)) can be computed by the legitimate FA and the legitimate HA, respectively, because of the pre-shared secret key Kfh. Thus, HA authenticates FA. HA is authenticated by FA in Step 4 of Section 4.3 by verifying HT* =? HT. A valid HT = SKfa ⊗ Nfa ⊗ Kfh ⊗ Th can be computed by the legitimate FA and the legitimate HA, respectively, because of SKfa and the pre-shared secret key Kfh. Thus, FA authenticates HA.

6.3.3. Mutual authentication between MU and FA. Foreign agent is authenticated by MU through HA by verifying FV1* =? FV1 in Step 5 of Section 4.3. A valid FV1* can be computed by the legitimate HA and MU because SKmu = h(V4 || Nmu || Nfa || IDmu || IDfa) in FV1* = h(SKmu || Nfa || Tf'). So, the adversary cannot compute FV1* without the knowledge of SKmu or SKfa. Thus, FA is authenticated by MU and vice versa. Therefore, the improved scheme achieves proper mutual authentication.

6.4. Replay attack

A replay attack involves retransmitting earlier intercepted messages. Under Assumption 1, an attacker might intercept {M1, M2, M3, M4}, which are transmitted among HA, FA, and MU. However, the time stamp values Tm, Tf, Th, Tf', and Th' are used in the improved scheme to withstand the replay attack. An attacker may retransmit the intercepted messages without any alteration, such as M1 = {IDha, x ⊕ Tm, V2, V3, V5, Tm} in Step 1, M2 = {IDfa, M1, EKfh(Nfa), Tf} in Step 2, M3 = {EKfh(SKfa, HT), Z, Th} in Step 3, and M4 = {IDfa, FV1, Z, Tf'} in Step 4. MU, FA, and HA can simply identify the attack by verifying the recentness of those time stamps. By retransmitting the intercepted message M1 with an alteration such as M1 = {IDha, x ⊕ Tm, V2, V3, V5, Tm*} to FA, where Tm* is the modified time stamp, an attacker may try to act as a legal MU. Now the verification Tf − Tm* ≤ ΔT1 will be true. FA then sends M2 = {IDfa, EKfh(M1, Nfa), Tf} to HA. The HA verifies Th − Tf ≤ ΔT2 to be true, decrypts EKfh(Nfa), and finds M1 and Nfa. It computes

the Equations (33) to (36) as well and verifies (V5* = h(V2 || V3 || V4* || Tm*)) =? (V5 = h(V2 || V3 || V4 || Tm)). As this verification fails, the attacker will not be verified as a valid MU because Tm* ≠ Tm. An attacker may retransmit the intercepted message M2 with an alteration such as M2 = {IDfa, M1, EKfh(Nfa), Tf*} to HA, where Tf* is the modified time stamp. Now the verification Th − Tf* ≤ ΔT2 will be true. HA then sends M3 = {EKfh(SKfa, HT), Z, Th} to FA. Now an attacker may intercept M3 but cannot compute the session key SKfa because the attacker has no knowledge of the pre-shared secret key Kfh needed to decrypt the value EKfh(SKfa, HT). Thus, an attacker cannot act as a legal FA by retransmitting M2. By retransmitting M3, the attacker can try to act as a legal HA. However, M3 is computed freshly in every session because of the session key SKfa and Th. Because the random numbers Nmu and Nfa are generated freshly in every session, the session key SKfa has a new value in every session. Thus, an attacker cannot act as a legal HA by retransmitting M3. Thus, the attacker will not be considered a valid MU, a valid FA, or a valid HA. Therefore, the improved scheme successfully withstands the replay attack.

6.5. Offline password guessing attack

In the improved scheme, an adversary A may steal or accidentally pick up a legitimate MU's smart card. In such a situation, the stored secret information {Amu, Bmu, Cmu, Ct, x, IDha, e, n, h()} can easily be exposed by A under Assumption 2. With the previously intercepted message M1 = {IDha, x ⊕ Tm, V2, V3, V5, Tm}, A may try to obtain MU's password PWmu. As we previously illustrated, throughout the improved scheme, MU's password PWmu appears in only three places: Bmu = h(Kh || IDmu) ⊕ h(PWmu || r), Cmu = h(IDmu || PWmu) ⊕ r, and Ct = IDmu ⊗ PWmu ⊗ r. Manifestly, the adversary cannot launch an offline password guessing attack without knowing the random number r and MU's identity IDmu. The MU's identity IDmu and the random number r are neither transmitted in plaintext through any of the messages {M1, M2, M3, M4} over the communication network nor stored in the MU's smart card. Moreover, we have proved that our improved scheme achieves user anonymity in Section 6.1. Therefore, the improved scheme is resilient to the offline password guessing attack.

6.6. Forgery attack

In the improved scheme, a valid message M1 can only be generated by a legitimate MU. In order to achieve this, the adversary must know the random number r, HA's secret key Kh, and MU's identity IDmu. However, we proved in Section 6.1 that the improved scheme achieves user anonymity, so the attacker cannot retrieve IDmu. Also, IDmu and the random number r are neither transmitted through {M1, M2, M3, M4} over the communication network nor stored in the smart card. The messages M3 and M4 can be used to verify the legality of both HA and FA. Besides, in an attempt to cheat the MU, if someone tries altering M4, it can be detected easily by verifying FV1 =? FV1*. Alternatively, if the adversary tries modifying M3 or any of its parts, the FA can easily detect it by verifying HT* =? HT. Needless to mention, it is indeed an uphill task for the attacker to have prior knowledge of the pre-shared secret key Kfh and the random numbers Nmu and Nfa. Moreover, we have already proved that the improved scheme achieves mutual authentication and withstands the replay attack in Sections 6.3 and 6.4, respectively. Hence, the improved scheme is resilient to the forgery attack as well.

6.7. Session key agreement

Subsequent to the authentication process, the MU and FA will establish a session key SKmu = h(V4 || Nmu || Nfa || IDmu || IDfa) = SKfa with the assistance of HA. Because the adversary has no knowledge of V4 = h(Kh || ID*mu), Nmu, Nfa, and IDmu, the session key cannot be directly computed, as it is protected by a one-way hash function. Hence, the improved scheme ensures the secrecy of future session keys.

6.8. Forward secrecy

Forward secrecy means that even if all participants' long-term secret keys are compromised, this does not help to discover any past session key. Now, in the improved scheme, if any long-term secret of either the MU (PWmu) or HA (Kh) or the pre-shared secret key (Kfh) between FA and HA, or all of them, are compromised, it never helps in recovering any earlier session key (e.g., SKi−1) because there is no significant correlation among SKi−1, SKi, and SKi+1. In particular, there are two random numbers, i.e., Nmu and Nfa, involved in the computation of the session key, i.e., SKmu = h(V4 || Nmu || Nfa || IDmu || IDfa) = SKfa, which are expected to be different each time. Consequently, in the improved scheme, all previous session keys remain secure. Therefore, the improved scheme achieves forward secrecy.

6.9. Stolen verifier and modification attacks

In the improved scheme, the HA does not store MU's passwords. HA only keeps the secret key Kh. Therefore, the improved scheme can withstand the stolen verifier and modification attacks.

6.10. Insider attack

If an insider of the HA obtains a MU's password PWmu, he/she may attempt to impersonate MU to access any FA. MU sends {IDmu, h(PWmu || r)} to HA in the registration phase of the improved scheme. As a result, it is impossible for the insider to derive PWmu without knowing r. Moreover, in the password change phase, MU can modify his/her password PWmu without any assistance


from HA. Because the insider has no chance of obtaining MU's password, our improved scheme can resist the insider attack.

6.11. Man-in-the-middle attack

In the improved scheme, the man-in-the-middle attack is prevented by mutual authentication between MU and HA as well as by establishing a session key between MU and FA. As a result, man-in-the-middle attacks are thwarted because we show that our improved scheme achieves mutual authentication in Section 6.3.
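The two replay cases argued in Section 6.4, a verbatim replay of M1 and a replay with a modified time stamp Tm*, can be checked mechanically at the HA. The Python below is an added illustration written for this page, not code from the paper: it binds Tm into V5 = h(V2 || V3 || V4 || Tm) as in Step 3 of Section 4.3 and applies the freshness window before recomputing V5*. SHA-256 as h, integer second-granularity time stamps, the window ΔT (set to 5 s here), the rejection of time stamps from the future, and V4 being handed in already derived from Kh and IDmu are assumptions of this sketch.

```python
import hashlib

DELTA_T = 5  # assumed freshness window in seconds; the paper's ΔT1/ΔT2 values are not stated here


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over the concatenation (assumption for the paper's h)."""
    return hashlib.sha256(b"".join(parts)).digest()


def ts(t: int) -> bytes:
    """Fixed-width big-endian encoding of a time stamp so the concatenation is unambiguous."""
    return t.to_bytes(8, "big")


def build_m1(v2: bytes, v3: bytes, v4: bytes, t_m: int) -> dict:
    """MU side: V5 = h(V2 || V3 || V4 || Tm) commits to the time stamp.
    IDha and x ⊕ Tm are omitted because they play no part in this check."""
    v5 = h(v2, v3, v4, ts(t_m))
    return {"V2": v2, "V3": v3, "V5": v5, "Tm": t_m}


def ha_verify(m1: dict, v4_star: bytes, now: int) -> str:
    """HA side: reject stale (or future) time stamps, then recompute V5* with the
    HA-derived V4* and compare it with the received V5. Returns a verdict string."""
    if not (0 <= now - m1["Tm"] <= DELTA_T):
        return "rejected: stale time stamp"
    v5_star = h(m1["V2"], m1["V3"], v4_star, ts(m1["Tm"]))
    if v5_star != m1["V5"]:
        return "rejected: V5 mismatch"
    return "accepted"


def replay_scenarios() -> dict:
    """Constructed run: a genuine login at t=1000, then the two replays of Section 6.4."""
    v2, v3 = b"V2-constructed-field", b"V3-constructed-field"
    v4 = h(b"Kh-constructed", b"IDmu-constructed")  # V4 = h(Kh || IDmu), derived on both sides
    genuine = build_m1(v2, v3, v4, 1000)
    verbatim_replay = dict(genuine)                  # same bytes, re-sent 100 s later
    modified = dict(genuine)
    modified["Tm"] = 1100                            # Tm* refreshed, V5 left as captured
    return {
        "genuine": ha_verify(genuine, v4, 1002),
        "verbatim_replay": ha_verify(verbatim_replay, v4, 1100),
        "modified_timestamp": ha_verify(modified, v4, 1102),
    }
```

The verbatim replay fails the freshness window, and the refreshed-time-stamp replay passes the window but fails the V5 recomputation because Tm* ≠ Tm, which is exactly the order of checks the section describes.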

6.12. Known-key attack

The known-key attack involves a key agreement protocol accomplishing its goal despite an attacker finding out some session keys. The improved scheme uses independent time stamps {Tm, Tm', Th, Th', Tf, Tf'} and random numbers Nfa, Nmu for each session. Additionally, in every session, the valid MU and FA newly create SKmu = h(V4 || Nmu || Nfa || IDmu || IDfa) = SKfa. So, knowing previous session keys will not provide an edge in deriving subsequent session keys, and vice versa. Therefore, the improved scheme is able to resist the known-key attack.

6.13. Local password verification

In the improved scheme, before logging into the FA, the mobile device checks the legality of MU's identity IDmu and password PWmu. Without the knowledge of IDmu, PWmu, and r, the attacker cannot correctly compute Ct', and subsequently, the verification Ct' =? Ct fails. Thus, the improved scheme thwarts illegal access using password verification locally.

6.14. User-friendliness

In the improved scheme, MU can freely choose his/her identity IDmu and password PWmu. Also, the MU can update the password PWmu easily without the HA's help within minimal time because he/she does not have to go through the entire Section 4.3. This shows that the improved scheme is hassle free and user friendly.

6.15. Session key disclosure

In our scheme, after the successful authentication, both MU and FA establish the common session key SKfa = h(V4 || Nmu || Nfa || IDmu || IDfa) = SKmu, where V4 = h(Kh || IDmu). Suppose an adversary MUa tries to derive the session key SKfa (= SKmu) to damage the later communications between them [54]. Note that the calculation of SKfa (= SKmu) requires V4, and it depends on the private key Kh = e^(−1) (mod φ(n)) of the HA. It is computationally infeasible to derive the secret key Kh from the public e and n because of the integer factorization problem. Therefore, the adversary MUa has no way to compute the session key SKfa (= SKmu). This clearly shows that our scheme is secure against the session key disclosure attack.

7. PERFORMANCE COMPARISON

In this section, we compare the security requirements and performance of the improved scheme with the other related schemes (Jiang et al. [12], Wen et al. [13], Shin et al. [14], and Farash et al. [29]) to demonstrate the advantages of the improved scheme. In order to carry out the performance analysis, the following notations have been defined:

• Th: the computational cost of a hash operation.
• Tmx: the computational cost of a modular exponentiation operation.
• Ted: the computational cost of a symmetric key encryption/decryption.

The computational costs of only the login and authentication phases have been considered because these two phases are executed more frequently compared with the other phases in authentication schemes. Note that because limited computation is associated with lightweight operations (i.e., NOR, XOR, comparison, and concatenation), their computational costs have been ignored. In order to analyze the performance of our scheme more expansively, we simulated some cryptographic operations using the Crypto++ library [55] on an ARM Cortex-A8 processor with a frequency of 0.72 GHz. As per the experimental results, the execution times needed for the cryptographic operations are summarized in Table II. Based on Table II, the computational costs of the schemes of Jiang et al., Wen et al., Shin et al., Farash et al., and the proposed scheme are 12Th + 3Tmx ≈ 39.67 × 10^3 μs, 13Th + 4Tmx ≈ 52.89 × 10^3 μs, 12Th + 4Ted + 1Tmx ≈ 13.23 × 10^3 μs, 12Th + 4Ted ≈ 13.58 μs, and 12Th + 4Ted + 1Tmx ≈ 13.23 × 10^3 μs, respectively, which are provided in Table III. Compared with the schemes of Jiang et al. and Wen et al., the improved scheme has greater efficiency and achieves all the security requirements while their schemes do not. Compared with the scheme of Shin et al., the improved scheme has equal efficiency and achieves all the security requirements whereas their scheme does not. Compared with the scheme of Farash et al., the improved scheme requires one extra modular exponentiation operation. This is not a matter of concern because the HA is more powerful and has no resource constraints. In addition, the improved scheme provides greater security strength than the scheme of Farash et al. The comprehensive performance analysis is illustrated in Figure 10. Conclusively, when compared with the other related schemes [12–14,29], the improved scheme is more enhanced and handy for roaming services in ubiquitous networks.

Table II. Execution time of various cryptographic operations.

Cryptographic operation                          Execution time (μs)
Hash operation (SHA-256 [56])                    0.781
Symmetric encryption/decryption (AES [57])       1.051
Modular exponentiation operation                 13.220 × 10^3

Table III. Comparison of computational cost.

Scheme              MU            FA            HA                   Total
Jiang et al. [12]   3Th + 1Tmx    3Th           5Th + 2Tmx           12Th + 3Tmx ≈ 39.67 × 10^3 μs
Wen et al. [13]     4Th + 1Tmx    4Th + 1Tmx    5Th + 2Tmx           13Th + 4Tmx ≈ 52.89 × 10^3 μs
Shin et al. [14]    8Th           1Th + 2Ted    3Th + 2Ted + 1Tmx    12Th + 4Ted + 1Tmx ≈ 13.23 × 10^3 μs
Farash et al. [29]  6Th           1Th + 2Ted    5Th + 2Ted           12Th + 4Ted ≈ 13.58 μs
Ours                6Th           1Th + 2Ted    5Th + 2Ted + 1Tmx    12Th + 4Ted + 1Tmx ≈ 13.23 × 10^3 μs

Figure 10. Computational cost comparison.

Table IV. Comparison of security requirements.

Scheme              SR1  SR2  SR3  SR4  SR5  SR6  SR7  SR8  SR9  SR10 SR11 SR12 SR13 SR14
Jiang et al. [12]   ✓    ✓    ?    ✓    ✓    ✓    ✗    ✓    ✗    ✓    ✓    ✓    ✓    ✓
Wen et al. [13]     ✓    ✓    ✓    ✗    ✗    ✓    ✓    ✓    ✓    ✓    ✓    ✗    ✓    ✗
Shin et al. [14]    ✗    ✓    ✓    ✗    ✗    ✗    ✓    ✗    ✓    ✓    ✓    ✓    ✓    ✗
Farash et al. [29]  ✗    ✗    ✗    ✗    ✗    ✗    ✗    ✗    ✓    ✓    ✓    ✓    ✗    ✗
Ours                ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓    ✓

Note: ✓: achieved; ✗: not achieved; ?: entry illegible in the source; SR1: achievement of user anonymity; SR2: achievement of mutual authentication; SR3: local password verification; SR4: achievement of forward secrecy; SR5: resistance to session key disclosure attack; SR6: resistance to forgery attack; SR7: resistance to replay attack; SR8: resistance to offline password guessing attack; SR9: resistance to stolen-verifier attack; SR10: resistance to insider attack; SR11: resistance to man-in-the-middle attack; SR12: resistance to known-key attack; SR13: user-friendliness; SR14: resistance to session key disclosure attack.

Table IV lists the security requirement comparisons between the improved scheme and the other related schemes. From Table IV, it is evident that our scheme can withstand various known attacks in ubiquitous networks. In contrast, the schemes of Jiang et al., Wen et al., Shin et al., and Farash et al. are vulnerable to various attacks. Additionally, the schemes of Shin et al. and Farash et al. do not achieve user anonymity and forward secrecy. In the scheme of Farash et al., once the session key is compromised, the adversary can launch an FA forgery attack. This breaks the mutual authentication setup of the scheme of Farash et al. Furthermore, the scheme of Jiang et al. and our scheme protect against the session key disclosure attack, whereas the other schemes do not. Thus, our scheme provides better security over the schemes of Jiang et al., Wen et al., Shin et al., and Farash et al.

8. CONCLUSION

We have analyzed the scheme of Farash et al. and shown that their scheme does not offer user anonymity and mutual authentication. Their scheme fails to provide local password verification and has a faulty password change phase. In addition, their scheme is susceptible to replay, offline password guessing, and forgery attacks. In order to fix the flaws of the scheme of Farash et al., we have presented a secure and enhanced authentication scheme for accessing roaming services in ubiquitous networks. Performance and security analyses show that the proposed scheme is invincible to various attacks and is well crafted for ubiquitous networks.

ACKNOWLEDGEMENTS

The authors would like to acknowledge the helpful suggestions of the anonymous reviewers and the editor, which have improved the content and the presentation of this paper. This work was supported by the National Natural Science Foundation of China under Grant No. 61300220.

REFERENCES

1. Suzuki S, Nakada K. An authentication technique based on distributed security management for the global mobility network. IEEE Journal on Selected Areas in Communications 1997; 15(8): 1608–1617.
2. He D, Ma M, Zhang Y, Chen C, Bu J. A strong user authentication scheme with smart cards for wireless communications. Computer Communications 2011; 34(3): 367–374.
3. Zhao D, Peng H, Li L, Yang Y. A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wireless Personal Communications 2014; 78(1): 247–269.
4. Zhu J, Ma J. A new authentication scheme with anonymity for wireless environments. IEEE Transactions on Consumer Electronics 2004; 50(1): 231–235.
5. Lee C C, Hwang M S, Liao I E. Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Transactions on Industrial Electronics 2006; 53(5): 1683–1687.
6. Chang C C, Lee C Y, Chiu Y C. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Computer Communications 2009; 32(4): 611–618.
7. Wu C C, Lee W B, Tsaur W J. A secure authentication scheme with anonymity for wireless communications. IEEE Communications Letters 2008; 12(10): 722–723.
8. Youn T Y, Park Y H, Lim J. Weaknesses in an anonymous authentication scheme for roaming service in global mobility networks. IEEE Communications Letters 2009; 13(7): 471–473.
9. Mun H, Han K, Lee Y S, Yeun C Y, Choi H H. Enhanced secure anonymous authentication scheme for roaming service in global mobility networks. Mathematical and Computer Modelling 2012; 55(1): 214–222.
10. Kim J S, Kwak J. Improved secure anonymous authentication scheme for roaming service in global mobility networks. International Journal of Security and Its Applications 2012; 6(3): 45–54.
11. He D, Chan S, Chen C, Bu J, Fan R. Design and validation of an efficient authentication scheme with anonymity for roaming service in global mobility networks. Wireless Personal Communications 2011; 61(2): 465–476.
12. Jiang Q, Ma J, Li G, Yang L. An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks. Wireless Personal Communications 2013; 68(4): 1477–1491.
13. Wen F, Susilo W, Yang G. A secure and effective anonymous user authentication scheme for roaming service in global mobility networks. Wireless Personal Communications 2013; 73(3): 993–1004.
14. Shin S, Yeh H, Kim K. An efficient secure authentication scheme with user anonymity for roaming user in ubiquitous networks. Peer-to-Peer Networking and Applications 2015; 8(4): 674–683.
15. Xu J, Zhu W T, Feng D G. An efficient mutual authentication and key agreement protocol preserving user anonymity in mobile networks. Computer Communications 2011; 34(3): 319–325.
16. Li C T, Lee C C. A novel user authentication and privacy preserving scheme with smart cards for wireless communications. Mathematical and Computer Modelling 2012; 55(1): 35–44.
17. Chen Y C, Chuang S C, Yeh L Y, Huang J L. A practical authentication protocol with anonymity for wireless access networks. Wireless Communications and Mobile Computing 2011; 11(10): 1366–1375.
18. Das A K. A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Networking Science 2013; 2(1-2): 12–27.
19. Chen C, He D, Chan S, Bu J, Gao Y, Fan R. Lightweight and provably secure user authentication with anonymity for the global mobility network. International Journal of Communication Systems 2011; 24(3): 347–362.
20. Jeon W, Lee Y, Won D. An efficient user authentication scheme with smart cards for wireless communications. International Journal of Security and Its Applications 2013; 7(4): 1–16.
21. Kuo W C, Wei H J, Cheng J C. An efficient and secure anonymous mobility network authentication scheme. Journal of Information Security and Applications 2014; 19(1): 18–24.
22. Xie Q, Hong D, Bao M, Dong N, Wong D S. Privacy-preserving mobile roaming authentication with security proof in global mobility networks. International Journal of Distributed Sensor Networks 2014: 2014.
23. He D, Khan M K, Kumar N. A new handover authentication protocol based on bilinear pairing functions for wireless networks. International Journal of Ad Hoc and Ubiquitous Computing 2015; 18(1-2): 67–74.
24. He D, Kumar N, Khan M, Lee J H. Anonymous two-factor authentication for consumer roaming service in global mobility networks. IEEE Transactions on Consumer Electronics 2013; 59(4): 811–817.
25. He D, Zhang Y, Chen J. Cryptanalysis and improvement of an anonymous authentication protocol for wireless access networks. Wireless Personal Communications 2014; 74(2): 229–243.
26. He D, Chen J, Hu J. An ID-based client authentication with key agreement protocol for mobile client–server environment on ECC with provable security. Information Fusion 2012; 13(3): 223–230.
27. Niu J, Li X. A novel user authentication scheme with anonymity for wireless communications. Security and Communication Networks 2014; 7(10): 1467–1476.
28. Karuppiah M, Saravanan R. A secure authentication scheme with user anonymity for roaming service in global mobility networks. Wireless Personal Communications 2015; 84(3): 2055–2078.
29. Farash MS, Chaudhry SA, Heydari M, Sadough S, Mohammad S, Kumari S, Khan MK. A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security. International Journal of Communication Systems 2015, DOI: 10.1002/dac.3019.
30. Wang D, Wang P. Offline dictionary attack on password authentication schemes using smart cards. In 16th Information Security Conference (ISC 2013), vol. 7807, LNCS. Springer-Verlag: Dallas, Texas, USA; 1–16.
31. Wang D, Wang P. On the anonymity of two-factor authentication schemes for wireless sensor networks: attacks, principle and solutions. Computer Networks 2014; 73: 41–57.
32. Wang D, Ma C. On the (in)security of some smart-card-based password authentication schemes for WSN. IACR Cryptology ePrint Archive 2012; 2012: 581.
33. Karuppiah M, Saravanan R. A secure remote user mutual authentication scheme using smart cards. Journal of Information Security and Applications 2014; 19(4–5): 257–320.
34. Wang D, Wang P, Liu J. Improved privacy-preserving authentication scheme for roaming service in mobile networks. IEEE Wireless Communications and Networking Conference (WCNC), IEEE, Istanbul, Turkey, 2014; 3136–3141.
35. Karuppiah M, Saravanan R. Cryptanalysis and an improvement of new remote mutual authentication scheme using smart cards. Journal of Discrete Mathematical Sciences and Cryptography 2015; 18(5): 623–649.
36. Xu J, Zhu W T, Feng D G. An improved smart card based password authentication scheme with provable security. Computer Standards and Interfaces 2009; 31(4): 723–728.
37. Kocher P, Jaffe J, Jun B. Differential power analysis. In Advances in Cryptology – CRYPTO'99. Springer: Santa Barbara, California, USA, 1999; 388–397.
38. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers 2002; 51(5): 541–552.
39. Bellare M, Pointcheval D, Rogaway P. Authenticated key exchange secure against dictionary attacks. In Advances in Cryptology – Eurocrypt 2000, vol. 1807, LNCS. Springer-Verlag: Bruges (Brugge), Belgium, 2000; 139–155.
40. Dell'Amico M, Michiardi P, Roudier Y. Password strength: an empirical analysis. 29th Conference on Computer Communications (INFOCOM 2010), IEEE, San Diego, CA, USA, 2010; 1–9.
41. Bonneau J, Just M, Matthews G. What's in a name? In Financial Cryptography and Data Security. Springer: Canary Islands, Spain, 2010; 98–113.
42. Stallings W. Cryptography and Network Security: Principles and Practices, 3rd edn. Pearson Education: India, 2004.
43. AVISPA. Automated validation of internet security protocols and applications. http://www.avispa-project.org/ [Accessed on September 2015].
44. von Oheimb D. The high-level protocol specification language HLPSL developed in the EU project AVISPA. Proceedings of APPSEM 2005 Workshop, Frauenchiemsee, Germany, 2005; 1–17.
45. Dolev D, Yao A. On the security of public key protocols. IEEE Transactions on Information Theory 1983; 29(2): 198–208.
46. Chatterjee S, Das A K. An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks. Security and Communication Networks 2015; 8(9): 1752–1771.
47. Das AK. A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Networking and Applications 2015; 9(1): 223–244.
48. Das AK. A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks. Wireless Personal Communications 2015; 82(3): 1377–1404.
49. Das AK. A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor. International Journal of Communication Systems 2015: 1–25, DOI: 10.1002/dac.2933.
50. Odelu V, Das A K, Goswami A. A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security 2015; 10(9): 1953–1966.
51. AVISPA. AVISPA web tool. http://www.avispa-project.org/web-interface/expert.php/ [Accessed on September 2015].
52. Odelu V, Das AK, Goswami A. SEAP: secure and efficient authentication protocol for NFC applications using pseudonyms. IEEE Transactions on Consumer Electronics 2016; 62(1): 30–38.
53. Basin D, Modersheim S, Vigano L. OFMC: a symbolic model checker for security protocols. International Journal of Information Security 2005; 4(3): 181–208.
54. Li CT, Weng CY, Fan CI. Two-factor user authentication in multi-server networks. International Journal of Security and Its Applications 2012; 6(2): 261–267.
55. Crypto++ library. http://www.cryptopp.com [Accessed on September 2015].
56. Stinson DR. Universal hashing and authentication codes. Designs, Codes and Cryptography 1994; 4(3): 369–380.
57. Schneier B. Applied Cryptography: Protocols, Algorithms, and Source Code in C. John Wiley & Sons, 2007.