Journal of Information Security and Applications 35 (2017) 160–167


Enhanced secure mutual authentication and key agreement scheme with user anonymity in ubiquitous global mobility networks

Prosanta Gope
Department of Computer Science, National University of Singapore, 21 Lower Kent Ridge Rd, 119077, Singapore

Keywords: Privacy; Anonymity; Authentication; Smart card; Global mobility networks

Abstract

With the widespread use of mobile gadgets, security in mobile communication has become an important issue. In 2011, Zhou et al. proposed a mutual authentication and key agreement scheme with user anonymity for roaming environments. In this article, however, we reveal that the authentication protocol presented by Zhou et al. suffers from certain weaknesses which were overlooked during its design. As a consequence of these weaknesses, Zhou et al.'s scheme cannot achieve the desired security. Therefore, we propose a novel authentication scheme to overcome these weaknesses that is efficient and secure, and causes significantly less computational overhead than Zhou et al.'s scheme. © 2017 Elsevier Ltd. All rights reserved.

E-mail addresses: [email protected], [email protected]
http://dx.doi.org/10.1016/j.jisa.2017.07.002
ISSN 2214-2126

1. Introduction

Wireless mobile networks account for a large part of contemporary communications. One can use a mobile device, e.g., a smart phone, to access wireless mobile networks distributed everywhere, at any time, to obtain the data he/she needs. The Global Mobility Network (GLOMONET) provides the roaming service, which is supported by the home agent (HA) in any foreign network. Unfortunately, it is widely accepted that message transmission in a wireless environment is very dangerous. So, before communication, authentication is very important to secure the data flow. When a mobile station (MS) moves into a foreign wireless network, it should contact the foreign agent (FA) of that network to obtain its information. However, the mutual authentication between MS and FA must be assisted by the home agent (HA) where the MS has registered. After mutual authentication, a temporary session key is constructed for the subsequent conversation between MS and FA, so that the following messages can be kept secret. The other hot issue in secure transmission is the privacy of the MS. Malicious attackers may obtain valid information, such as the identity or the password of the user, if the authentication scheme is designed with security flaws. So how to protect the user's information is also an urgent task for researchers. To accomplish these goals, many authentication and key agreement schemes with anonymity have been proposed for roaming services in global mobile networks [1–8]. Particularly, in 2004, Zhu et al. proposed a wireless security protocol based on smart card and featuring user anonymity [1]. Unfortunately, Lee and Hwang [2] pointed out in 2006 that Zhu and Ma's protocol [1] does not achieve mutual authentication and is also subject to the forgery attack. Lee et al. also proposed a slightly modified version of Zhu et al.'s protocol to remedy the identified shortcomings. However, in [3], it was shown that Zhu et al.'s scheme and Lee et al.'s scheme fail to provide user anonymity, and Wu, Lee and Tsaur proposed an enhanced scheme as an effective remedy. Independently, in [4], Chang et al. showed that Lee et al.'s scheme cannot provide user anonymity under the forgery attack and also proposed an enhanced authentication scheme. Unfortunately, Youn et al. found that the scheme of [4] fails to achieve user anonymity under four attack strategies [5]. In 2008, Tang et al. proposed an authentication protocol for mobile networks [6], and they claimed that their scheme is immune to all known types of attacks. However, [7] showed that Tang et al.'s scheme [6] suffers from a replication attack. Thereafter, in 2011, Zhou et al. proposed a mutual authentication and key agreement scheme [8] based on the Decisional Diffie-Hellman (DDH) assumption. However, in this article, we show that the scheme has some serious weaknesses which were overlooked during its design. Therefore, the contribution of this article is to disclose the weaknesses of Zhou et al.'s scheme, which have not been revealed yet. Apart from [1–8], many authentication schemes [15–21] have been proposed in recent years. For example, Gope et al. proposed two authentication protocols [10] and [15], which are improvements of He et al.'s [16] and Wen et al.'s [17] schemes, respectively. In [10], to easily identify a mobile subscriber and also to deal with replay attacks, the authors introduced the concept of a sequence number, which is randomly generated and thus may

not be unique, and hence may cause difficulty at the server side in uniquely identifying an MS. On the other hand, the scheme presented in [15] is based on the Chinese Remainder Theorem (CRT), which causes higher computational overhead and hence is not suitable for resource-constrained mobile devices. Meanwhile, Zhang et al. [18] proposed a new authentication scheme for the roaming environment. However, Wang et al. [19] showed that Zhang et al.'s scheme is vulnerable to a password-guessing attack. Besides, they also pointed out security weaknesses in some existing GLOMONET authentication protocols [20,21]. Recently, some other interesting anonymous authentication protocols have been introduced using public-key cryptography, where the researchers have shown how to enhance the security of anonymous authentication protocols in GLOMONET by considering various new aspects of privacy.

In a nutshell, this article makes three main contributions.
• First, this article shows some security weaknesses of an existing authentication protocol proposed by Zhou et al.
• Second, we propose a new mutual authentication and key agreement scheme based on a symmetric key crypto-system.
• Finally, through security and performance analyses we show that our proposed scheme can ensure several imperative security properties (like privacy against eavesdroppers and security against any forgery attacks) and hence can guarantee a secure and expeditious roaming service in GLOMONET with reasonable computational overhead.

The remainder of this article is organized as follows. Section 2 reviews the protocol of [8], whose weaknesses are pinpointed in Section 3. Thereafter, we present our proposed scheme in Section 4, whose security and performance are analyzed in Sections 5 and 6 respectively. The formal analysis of the proposed scheme is presented in Section 7. Finally, a concluding remark is given in Section 8. The abbreviations and cryptographic functions used in this article are defined in Table 1.

Table 1. Notations and cryptographic functions.

Symbol   Definition
MS       Mobile Station
FA       Foreign Agent
HA       Home Agent
IDM      Identity of the mobile user
AIDM     One-time-alias identity of the MS
SIDM     Shadow identity of the MS assigned by the HA
IDh      Identity of the HA
IDf      Identity of the FA
SK       Session key between FA and MS
Kuh      Shared key between MS and HA
Kfh      Secret key shared between the FA and HA
Tsuh     Transaction sequence number (maintained by both MS and HA)
EK       Encryption using secret key K
h(.)     One-way hash function
⊕        Exclusive-OR operation
||       Concatenation operation


2. Review of Zhou et al.'s scheme

In this section, we briefly describe Zhou et al.'s scheme, which consists of two phases. In Phase I, the home agent (HA) securely issues a smart card to a mobile user MS. In Phase II, both the MS and the foreign agent (FA) mutually authenticate each other under the supervision of the MS's home agent and eventually establish a session key between them.

2.1. Phase I: registration phase

When a mobile user desires to register at the home agent, the user sends a request to the home agent, and the home agent then issues a smart card with the related information to the user. In this regard, MS first submits his/her identity IDM and password PSWM to the HA. After receiving the request from MS, the HA selects two large prime numbers p, q, where p = 2q + 1, and a multiplicative group generator g of order q. Then the home agent also chooses its secret key b ∈ Zq* and computes B = g^b mod p, u = h(IDM || b) ⊕ PSWM. Hereafter, HA issues a smart card containing {p, g, B, h(.), u} and delivers it to MS through a secure channel.

2.2. Phase II: mutual authentication and key agreement phase

Once enrolled by HA, when MS visits a foreign network managed by the FA, he/she needs to authenticate himself/herself to FA. In this case, they take the assistance of the HA, which issued the smart card to MS. The steps of this phase are outlined in Fig. 1 and explained as follows.

Step 1. MA1: MS → FA: {AIDM, Nm, A, V1, IDh}. MS submits his/her identity and password to the smart card. Then the device generates two random numbers a and Nm, and computes A = g^a mod p, D = B^a mod p, C = u ⊕ PSWM, AIDM = IDM ⊕ h(D || Nm), and V1 = h(C || D), where AIDM denotes the one-time alias identity of the MS. Finally, MS forms the request message MA1 and sends it to FA.

Step 2. MA2: FA → HA: {AIDM, Nm, A, V1, Nf, IDf, V2}. Upon receiving the request message from MS, FA first generates a random number Nf, then computes V2 = h(Nf || Kfh || V1 || IDf || A || AIDM || Nm) and sends the message MA2 = {AIDM, Nm, A, V1, Nf, IDf, V2} to the HA.

Step 3. MA3: HA → FA: {K1, V3, V4}. After receiving MA2, HA computes and verifies whether V2 is equal to h(Nf || Kfh || V1 || IDf || A || AIDM || Nm). If so, HA computes D = A^b mod p, IDM* = AIDM ⊕ h(D || Nm), V1* = h(h(IDM* || b) || D) and checks the legitimacy of the user, for which the rel

ation V1* = V1 must hold. After successful verification, HA continues to compute SK = h(D || IDM || Nm || IDf || Nf), K1 = SK ⊕ h(Kfh || Nf), V4 = h(D || Nm || IDf), V3 = h(Kfh || Nf || K1 || V4) and sends the response message MA3 to the foreign agent (FA).

Step 4. MA4: FA → MS: {IDf, Nf, V4}. After receiving MA3, FA verifies whether V3 is equal to h(Kfh || Nf || K1 || V4). If so, the system computes the session key SK = K1 ⊕ h(Kfh || Nf), forms the message MA4 and sends it to MS. After receiving MA4, MS first verifies whether V4 is equal to h(D || Nm || IDf). If so, MS believes that the foreign agent is a legitimate one and, based on that, computes the agreed session key SK = h(D || IDM || Nm || Nf || IDf).

3. Security weaknesses in Zhou et al.'s protocol

In this section, we present several weaknesses of Zhou et al.'s protocol, which certainly cause insecure mobile communication.

3.1. Unsuccessful key-agreement (forgery attacks)

Assume a malicious adversary A who does not want FA and MS to successfully establish the session key SK between them. In this regard, A just eavesdrops on the communication between FA and MS (intercepts MA4) and replaces the nonce Nf with Nf'. Unfortunately, MS does not verify it and even cannot

comprehend that, and eventually generates a wrong session key SK' = h(D || IDM || Nm || Nf' || IDf), which clearly signifies that the scheme proposed by Zhou et al. is an unsuccessful key agreement scheme and also indicates a successful forgery attempt against the user.

Fig. 1. Mutual authentication and key agreement phase of Zhou et al.'s scheme.

3.2. Vulnerable to replay attacks

The replay attack works if the system cannot check whether the received authentication messages are fresh. The attackers can re-transmit the authentication messages that were transmitted during any previous session of communication. Once the system has no ability to deal with this problem, the attackers will obtain the authorization of the system or the user. Unfortunately, Zhou et al.'s scheme cannot resist replay attacks. If MA2 = {AIDM, Nm, A, V1, Nf, IDf, V2} is repeatedly sent several times to the system, the home agent cannot comprehend that; as a result, it may keep the system busy and eventually degrades the performance of the system.

3.3. Vulnerable to insider attack

During the execution of the registration phase of Zhou et al.'s scheme, a user discloses his/her password to the home agent; in that case a privileged insider of the home agent can obtain a registered user's password, which may eventually lead to insider attacks.

3.4. Revealing of long-term secret key between HA and FA

Consider an adversary A who has control over the messages transmitted over open networks. Precisely, the adversary A has the capability to intercept the messages flowing through the mobile network. Now, in the mutual authentication and key agreement phase of Zhou et al.'s scheme, after the successful verification of the legitimacy of the mobile user as well as the foreign network, the HA sends the response message MA3 to FA. We assume that the adversary has intercepted that message. Therefore, A receives K1, V3, V4, where V3 = h(Kfh || Nf || K1 || V4). In this relation, only Kfh is unknown to the adversary A, who can easily get the other information in unencrypted form after intercepting the messages MA2, MA3. Therefore, by executing an exhaustive search, he/she can figure out the long-term shared secret key Kfh, which is indeed a serious concern. This will not only affect a particular mobile subscriber; at the same time it also compromises the security of other mobile users who received their smart card from that particular home agent and are willing to roam through the area covered by that particular foreign agent whose secret key Kfh has been revealed. In this case, after acquiring that secret key, the adversary can perform any kind of forgery attempt and can even share this secret key with a dishonest foreign agent, which can exploit it with its superior capabilities and may even annoy the mobile subscriber with billing problems.

3.5. Vulnerable to known session key attacks

It is obvious that the known session key attack is a serious threat against any session key establishment scheme. A protocol is called secure against known session key attacks if a revealed session key does not influence the security of other session keys. In other words, if past session keys are compromised, this should not allow an adversary to compromise future session keys or any other session keys earlier than that one. Otherwise, a protocol also compromises its backward and forward secrecy. By backward secrecy, we mean that a compromise of any session key should not compromise any earlier key, while forward secrecy implies that a compromise of the current session key should not compromise any future key. Unfortunately, however, Zhou et al.'s scheme cannot ensure security against the known session key attack. If a session key established between MS and FA is revealed to an adversary, then the adversary may target the relation SK = K1 ⊕ h(Kfh || Nf), where only the secret key Kfh is unknown. However, it can be easily obtained by performing an exhaustive search. Besides, to recover the secret key Kfh, the adversary can also use the strategy of Section 3.4. Once the secret key has been acquired, the adversary can obtain any past or future session keys. Accordingly, Zhou et al.'s scheme cannot defeat known session key attacks and cannot ensure any forward and backward secrecy.

3.6. Revealing of user identity (attack against anonymity)

We assume the attacker has revealed one of the session keys using the strategy discussed in Section 3.4. Hereafter, to acquire the identity of the user, the adversary needs to perform the following steps. Let the adversary A eavesdrop on the communication between MS and FA and receive the message MA4 = {IDf, Nf, V4}, where V4 = h(D || Nm || IDf). In this relation, only D is unknown, which can be figured out by an exhaustive search. Thereafter, the adversary needs to target the relation SK = h(D || IDM || Nm || Nf || IDf), where only IDM is unknown; the other parameters can easily be obtained by intercepting the communication between MS, FA, and HA. Now, performing a similar exhaustive search, the adversary can easily get the mobile user's real identity. Note that, after intercepting the related messages, in order to figure out the long-term secret key Kfh (using the strategies of Sections 3.4 and 3.5) and the identity of the mobile user IDM (using the strategy of Section 3.6), the adversary can even perform those exhaustive search operations offline. Once these secrets are recovered, the adversary can utilize them in different ways to perform several attacks.

4. Proposed scheme

In order to resolve the aforesaid issues of Zhou et al.'s scheme, here we propose a new authentication scheme which also consists of two phases. In Phase I, HA issues a smart card to a mobile user MS; this phase is called the registration and reestablishment phase. Here, along with other parameters, the home agent also provides the user a unique sequence number called the transaction sequence number Tsuh. Unlike [10], this sequence number is sequentially generated based on the number of requests (m) handled by the HA. For each request of any subscriber, the corresponding system (HA) increments the value of m by one. This sequence number is used for easily identifying the MS and also to prevent any replay attempt by an adversary. Another consideration is the rapid change of the sequence number: the system (HA) has to deal with thousands of call requests within a short span of time, and for each request the request parameter m changes to m ← m + 1. Accordingly, it will be quite difficult for an adversary to guess. In case of loss of synchronization during the execution of the MAKA phase (Phase II), the MS needs to ask his/her HA for reestablishment with the valid shadow identity SIDM. So, the next phase of our proposed scheme (Phase II) is the mutual authentication and key agreement (MAKA) phase, through which both MS and the foreign agent (FA), from whom the MS wants to acquire roaming services, can authenticate themselves under the supervision of HA and eventually establish a session key between them. The design goals of our proposed authentication scheme are as follows:
• To achieve mutual authentication between mobile user MS, FA, and HA with user anonymity support;
• To establish a session key between MS and FA;

• User untraceability;
• To defeat known session key and forgery attacks, with the assurance of forward and backward secrecy;
• To resolve the smart card lost problem;
• To reduce computation and communication cost.

Fig. 2. Registration and reestablishment phase.

4.1. Phase I: registration and reestablishment phase

When a new mobile user wants to have a smart card to enjoy ubiquitous services in the roaming environment, the user needs to register at the HA. In that case, the user needs to submit a request to the home agent, and then the HA issues a smart card with the related messages to the user. The details of the registration and restoring phases are depicted in Fig. 2 and presented as follows.

Step 1. MB1: MS → HA: {IDM, SIDM (if any)}. A mobile user MS submits his/her claimed identity IDM to the HA via a secure channel.

Step 2. MB2: HA → MS: {SIDM, Kuh, Tsuh, h(.)}. After receiving the request from MS, the home agent generates two random numbers nh, rh and then computes Kuh = h(IDM || nh) ⊕ IDh, m = m + 1, Tsuh = m, SIDM = h(IDM || rh || Kuh || Tsuh), where m denotes the number of requests that the system (HA) has already dealt with. Hereafter, the home agent (HA) personalizes a smart card with {SIDM, Kuh, Tsuh, h(.)} and issues it to MS through the secure channel. After that, MS computes Kuh* = Kuh ⊕ h(IDM || PSWM), SIDM* = SIDM ⊕ h(IDM || PSWM), and then replaces Kuh with Kuh* and SIDM with SIDM*. Finally, the smart card contains SIDM*, Kuh*, Tsuh, h(.).

Note that here the shadow identity (SIDM) of the MS is required to be sent only when MS requests reestablishment. In this case, the MS has to compute SIDM = SIDM* ⊕ h(IDM || PSWM) first; then he/she can apply with the valid IDM and SIDM. Now, if the HA is unable to recognize the SIDM, then from a security perspective the system can even refuse to reestablish the subscriber. Otherwise, the MS will receive a new SIDM from the home agent.

4.2. Phase II: mutual authentication and key agreement phase

Fig. 3. User anonymity based mutual authentication and key agreement protocol.

We assume that MS roams into the foreign network and tries to access services. Before providing services, FA needs to authenticate MS through HA. The authentication process (shown in Fig. 3) consists of the following steps.

Step 1. MC1: MS → FA: {AIDM, EKuh(Nm || Kuh), Tsuh}. MS inserts his/her smart card into the device and enters his/her identity IDM and password PSWM. The smart card generates a random number Nm and computes Kuh = Kuh* ⊕ h(IDM || PSWM), AIDM = h(IDM || Kuh || Nm || Tsuh). Finally, MS sends the request message MC1 to FA.

Step 2. MC2: FA → HA: {MC1, IDf, EKfh(Nf || Kfh), V0}. Upon receiving MC1, FA generates a random number Nf and computes V0 = h(MC1 || Nf || Kfh). Subsequently, FA sends the message MC2 = {MC1, IDf, EKfh(Nf || Kfh), V0} to HA.

Step 3. MC3: HA → FA: {V1, Vx, V2, V3, V4}. After receiving MC2, HA first checks whether V0 is equal to h(MC1 || Nf || Kfh). If so, the HA verifies Tsuh and AIDM. After successful verification, HA acquires the latest value of the request parameter m, increments it by m ← m + 1 and stores the updated value of m in Tsuhnew. Then the home agent computes V1 = EKfh(Nf || Nm), Vx = h(Kfh || V1 || Nf), V2 = Nf ⊕ h(IDM || Kuh || Nm) ⊕ Kuh, V3 = Tsuhnew ⊕ h(IDM || Nm) ⊕ Kuh, V4 = h(V2 || V3 || Nm || Kuh). Then it forms the response message MC3 and sends it to FA. Afterwards, the system (HA) updates its database with Tsuh = Tsuhnew.

Step 4. MC4: FA → MS: {V2, V3, V4}. Upon receiving the message MC3, FA first checks whether Vx is equal to h(Kfh || V1 || Nf). If so, FA decrypts V1 and checks Nf. If the verification is successful, FA derives the session key SK = Nm ⊕ Nf. Thereafter, the system (FA) forms the response message MC4 and sends it to MS. After receiving the message from FA, MS first checks whether V4 is equal to h(V2 || V3 || Nm || Kuh). If so, MS derives Nf = V2 ⊕ h(IDM || Kuh || Nm) ⊕ Kuh, Tsuhnew = V3 ⊕ h(IDM || Nm) ⊕ Kuh, SK = Nm ⊕ Nf, and updates the old transaction sequence number by Tsuh = Tsuhnew.

If any check in the above steps is invalid, this phase of the proposed scheme is aborted. On the other hand, successful completion of this phase indicates that both the MS and FA have mutually authenticated each other and, at the same time, denotes the successful establishment of the session key.

Note that in our proposed scheme a legitimate MS can change his/her password in a similar way as mentioned in [10]. Moreover, here we consider the "Usability Problem" mentioned in [22], where if an attacker gains temporary access (e.g., a few seconds) to the mobile device, he/she can change the smart card password. Hence, a legitimate user MS cannot log in successfully even after getting her smart card back. To address this issue, we adopt the technique used in [22], where an additional parameter Ai = h(h(IDM || PSWM)) is kept in the smart card. Whenever MS wants to change her password, first she must submit her old password PSWMi; then the card checks whether h(h(IDM || PSWMi)) equals the stored Ai.

5. Security analysis

In this section, we show that our proposed scheme satisfies the following security properties and also remedies the security flaws presented in Section 3.

5.1. Mutual authentication

In our proposed scheme, HA authenticates the mobile user MS by verifying the most recent transaction sequence number Tsuh, the secret key Kuh, and the one-time alias identity AIDM. Now, by checking the parameter V0 in MC2, the HA can verify the legitimacy of the FA, whereas FA authenticates the HA using its nonce Nf, which is sent back by the HA after enciphering with the shared


secret key Kfh. MS authenticates HA as well as FA by verifying the parameter V4 in MC4, which must be equal to h(V2 || V3 || Nm || Kuh). Now, for generating the response V4, it is imperative that the sender has prior knowledge of the secret key Kuh, which is only possible if the sender is a legitimate one.

5.2. Fair key agreement

A fair key agreement protocol is one in which the agreed session key contains some contribution from each participant, so that nobody has an unfair advantage in controlling the session key. Our mutual authentication and key agreement protocol (discussed in Section 4.2) ends with MS and FA agreeing on a session key SK containing equal contributions from both parties. Precisely, the session key SK = Nm ⊕ Nf, where Nm and Nf represent the nonces produced by MS and FA respectively, which clearly signifies the equal contribution of the participants (MS, FA). Hence, our key agreement protocol retains the fairness property.

5.3. Privacy against eavesdroppers with user anonymity

An orthogonal security requirement arising as a result of mobility is the confidentiality of the mobile subscriber's identity and movements. For obvious reasons, it is desirable to keep this information secret. In other words, passive eavesdroppers and active intruders should not be able to identify or keep track of the user. In fact, it can be argued that even the visited locations should not be privy to the user's real identity. In the case of 3GPP-AKA [9–12], the subscriber identity (IMSI) is forced to be directly exposed, as it is sent unencrypted, especially when synchronization is lost. Therefore, UMTS is unable to assure location privacy or user anonymity. In contrast, to ensure good anonymity for the mobile user during his/her migration, the proposed scheme maintains the one-time-alias feature (using AIDM), where there is no direct relationship between aliases. Besides, since all the parameters in MC1 are one-time, it will be quite difficult for anyone to keep track of the mobile subscriber. Furthermore, here we also maintain domain separation, which means that even assuming a conspiracy of all visited domains (FAs), the real identity of the user cannot be figured out. This approach of the proposed scheme is quite effective for achieving privacy against eavesdroppers (PAE) [23–25] along with the features of user anonymity and untraceability.

5.4. Resistance to forgery attacks

In our proposed scheme, only the legitimate MS can form a valid AIDM, because in order to do that an adversary must have prior knowledge of the user's real identity IDM and password PSWM. Only after entering the correct pair (IDM, PSWM) can a user compute Kuh = Kuh* ⊕ h(IDM || PSWM), and subsequently AIDM = h(IDM || Kuh || Nm || Tsuh). It seems difficult for any adversary to guess this pair. Whereas, the legitimacy of the foreign agent can easily be verified using the parameter V0 in MC2. Besides, if someone tries to alter MC4 in order to cheat the user and prevent the MS from forming a valid session key, this can easily be detected by checking the parameter V4.

5.5. Security against known session key attacks

In our proposed scheme, if one of the session keys SKi has been compromised, it never helps to recover any past or future session key (say SKi−1 or SKi+1), as there is no significant relationship between any SKi, SKi−1, SKi+1. Precisely, the session key is generated from the two nonces, i.e. SK = Nm ⊕ Nf, which are expected to be different each time. Besides, these nonces are never transmitted in unencrypted form during authentication. Hence, it is indeed a difficult task to figure out or guess these nonces, which is only possible if the adversary has some prior knowledge of the secret keys Kuh and Kfh. However, this seems hard, as none of the participants of our proposed scheme is allowed to share the long-term secrets. In this way, our proposed scheme can resist any known session key attack and can even assure backward/forward secrecy.

5.6. Security assurance in case of lost smart card

Usually, if the user's smart card is lost or an attacker steals the MS's smart card, the attacker can easily get all the secret parameters stored in it and thereafter use them for illegal purposes. However, in our proposed scheme, if the smart card is lost or stolen, the attacker cannot obtain the MS's identity IDM and password PSWM. Besides, without knowing these parameters the attacker cannot compute Kuh = Kuh* ⊕ h(IDM || PSWM), AIDM = h(IDM || Kuh || Nm || Tsuh), which are essential to convince the HA. Moreover, if the attacker tries to restore the smart card, in that case also he/she needs to know IDM and SIDM, which seems difficult. Since IDM is not stored in the smart card and, to obtain SIDM, the attacker needs to compute SIDM = SIDM* ⊕ h(IDM || PSWM), without any prior knowledge of IDM and PSWM it is not possible at all. Furthermore, in the registration and reestablishment phase, users need not submit their passwords to HA, so a privileged insider of HA cannot get any information about a registered user's password. Hence, the insider attack is also prevented.

6. Performance analysis and comparisons

In this section, in order to manifest the advantages of our scheme, we compare the performance of our proposed scheme with respect to Zhou et al.'s scheme. Tables 2 and 3 present the comparison between Zhou et al.'s scheme and our scheme in terms of security properties and computational overhead.

Table 2. Performance benchmarking based on security properties.

Property   Zhou et al. [8]   Proposed scheme
P1         No                Yes
P2         No                Yes
P3         No                Yes
P4         No                Yes
P5         No                Yes
P6         No                Yes
P7         No                Yes
P8         Low               High

P1: User anonymity; P2: Untraceability; P3: Successful key agreement; P4: Robust against forgery attacks; P5: Robust against known session key attacks with backward and forward secrecy support; P6: Robust against replay attacks; P7: Security assurance in case of lost smart card; P8: Overall security impact.

Table 3. Performance benchmarking based on computational cost.

Computational cost   Zhou et al. [8]    Proposed scheme
CC1                  2tExp + 4tHash     tSym + 5tHash
CC2                  3tHash             2tSym + 2tHash
CC3                  tExp + 7tHash      3tSym + 6tHash

CC1: Computational cost of the MS; CC2: Computational cost of the FA; CC3: Computational cost of the HA; tSym: Execution time of a symmetric key operation; tASym: Execution time of an asymmetric key operation; tHash: Execution time of a one-way hash function; tExp: Execution time of an exponential operation.
Now, from the Tables 2 and 3, it is obvious that, our proposed scheme is highly secure as compared to Zhou et al.’s scheme [8]. The proposed scheme can deal with several imperative security issues which are indeed essential for roaming services in global

166

P. Gope / Journal of Information Security and Applications 35 (2017) 160–167

Table 4 Comparison based on CPU cycle and execution time. Computational Metrics

Zhou et al. [8]

Proposed scheme

Overall Computational Cost CPU Cycles Execution Time

3∗ tExp + 14∗ tHash 21093.53 × 103 11526.52 × 10 − 3 m sec

6∗ tSym + 13∗ tHash 4.82 × 103 2.63 × 10 − 3 m sec

tHash ≈ 2.528 × 102 (Cycle per operation); tSym ≈ 2.56 × 102 (Cycle per operation);tExp

that the formula X is encrypted under the key K. The inference rules of BAN logic that are required in the analysis are described below. P |≡ P ↔Q,P {X }K ; P |≡ Q |∼X P |≡ #(X ), P |≡ Q |∼X 2. Nonce-verification rules R2: ; P | ≡ Q |≡ X ≈ 7.03 ×3. 106Jurisdiction (Cycle per operation); rules R3: P |≡ Q |⇒PX,|≡P X|≡ Q |≡ X ;

mobile network. In contrast, the authentication protocol presented in [8] is vulnerable to forgery attacks, known session key attack and even cannot preserve user anonymity (shown in Section 3). Now, as far as the computational overhead is concerned, the proposed scheme causes reasonable computational overhead as compared to [8]. Precisely, since, there is no asymmetric crypto-system or any exponential operation has been introduced in the proposed scheme, which certainly demands higher computational overhead. Instead, the proposed scheme is built upon the underlying foundation of the symmetric key crypto-system, which requires reasonable computational overhead. Accordingly, the proposed scheme encompasses less CPU cycle and even less execution time as compared to [8]. In order to analyze the performance of the proposed scheme more comprehensively, here we simulate the proposed scheme and Zhou et al.’s scheme by using CryptoPP cryptographic library [13] on an Intel Core 2 Duo 1.83 GHZ machine. According to Table 4, our proposed scheme only takes 4.31 × 103 CPU cycles in order to perform 6∗ tSym + 13∗ tHash operations in 2.63 × 10 − 3 ms, where a hash operation needs 2.528 × 102 CPU cycles by using the SHA256 algorithm and a symmetric key encryption/decryption consumes 2.56 × 102 CPU cycles by using AES-CBC algorithm. In contrast, Zhou et al.’s scheme takes 21093.53 × 103 CPU cycle and 11526.52 × 10 − 3 ms execution time in order to complete the authentication process with 3∗ tExp + 14∗ tHash operations. Whereas, the public key solutions based on D-H requires 7.03 × 106 CPU cycle to perform the exponential operation. Therefore, from the Table 4, we can see that the execution time of our proposed scheme is remarkably 4905 times shorter than the Zhou et al.’s scheme. Besides, if the exponential operations used in [8] are pre-computed (in case of MS) then also it bears significantly higher CPU cycles and consumes higher battery power of the mobile equipment. 
Certainly, having limited battery power and computational capability, which is not acceptable at all. Conclusively, it can be argued that the performance of the proposed scheme is better than [8] and much suitable for roaming services in GLOMONET.

1. Message-meaning rules R1:

X,Y ) 4. Seeing rules R4: P( ; R5: P X

5. Fresh rules R6: 6. Belief rules R7:

;

Now, in order to analyze the properties of our proposed scheme, here we need to extend the BAN logic with the following: K

P, P  f (X,Y ) ER1: P |≡ Q P←→ , where the extension rule ER1 denotes that |≡ Q |∼X the key K is shared among P and Q; function f is used to verify the originality of the principles.

7.2. Formal analysis of the proposed scheme The initial security assumptions about MS, FA and HA are as

follows: Kfh

Kuh

Kuh

1.MS |≡ MS ←→ HA; 2.HA |≡ MS ←→ HA; 3.FA | ≡ Kfh

FA ←→ HA; 4. HA |≡ FA ←→ HA; Now, applying R1-R7 with ER1 on our proposed scheme, we can write the following statements: HA | ≡ MS | ∼ {AIDM }, more accurately, by using ER1 we can write, Kuh

HA |≡ MS←→HA, HA f (h (IDM  Kuh  Nm  T suh ),AIDM ) ; HA |≡ MS|∼AIDM

Hereafter, using R7 and R6 we can write the following stateHA |≡# (T suh ) HA |≡# (T s ) HA |≡ (Nm ,AIDM ) ments: ; HA ≡# (T s ,AI and HA |≡# (T s uh . SimiDM ) HA |≡ Nm uh uh ,Nm ) larly, HA | ≡ FA | ∼ {V0 }, more accurately, by using ER1 we can Kfh

write the following statement:

HA |≡ FA←→HA,HA f (h (MC  K f h  N f ),V0 ) 1 ; HA |≡ FA|∼V0 HA |≡ (MC ,V0 ) 2

and based on that we can write,

more

HA |≡ MC

.

2

F A |≡ HA| ∼ MC3 , ∃ FA |≡ #(Vx ),

Now,

accurately,

by

using

ER1

and we

FA |≡ (MC ,Vx ) 3

FA |≡ MC

can

;

3

write,

Kfh

FA |≡ HA←→FA, FA f (h (K f h  N f  V1 ),Vx ) ; and using R6 and FA |≡ HA|∼Vx FA |≡# (N f ) FA |≡ HA|⇒ Vx ,FA |≡ HA |≡ Vx FA |≡# (Vx ) ; ; ; FA |≡# (N f ,Vx ) FA |≡# (Vx ,MC ) FA |≡ Vx

R3 we have,

3

Now, for MS we can write, MS |≡ HA| ∼ MC4 , ∃ MS |≡ # (V4 );

and 7. Protocol analysis

P |≡# (X ) ; P |≡# (X,Y ) P |≡ (X,Y ) ; P |≡ X

K

P |≡ P ←→Q,P {X }K P X

MS |≡ (MC , V4 ) 4

MS |≡ MC

;

precisely,

using

ER1

we

can

write,

4

Kuh

In order to find out flaws in the proposed scheme, here we introduce formal analysis using BAN logic, which is basically model logic with primitives which describe the belief of the principle involved in a crypto system. Using the inference rules of the BAN logic, authentication issues between the principles can be dealt with. 7.1. BAN logic and its improvement Three sorts of objects below are included in BAN logic [14]: principle, encryption keys and logical formulas. The main construction of BAN logic is described as follows. P | ≡ X denotes P believes X; PX denotes that P sees X; P | − X denotes that P said X; P | ⇒X denotes that P has jurisdiction over X; #(X) denotes that the formula X is fresh, that is X has not been sent in a message at any K

time before the current execution of the protocol. P ←→ Q denotes P and Q may use the shared K to communicate; P  X denotes that P processes or is capable of processing, formula X; {X}K denotes

MS |≡ HA←→MS, MS  f (h (V2  V3  Nm  Kuh ),V4 ) . FA |≡ HA|∼V4

Now, MS can verify the nonceNf , which is imperative for session key generation. Since in case of wrongNf , MS will form the wrong session key. In this case we can write the following statements: MS |≡ (N f ,V2 ) MS |≡ (V2 ,V4 ) ; ; MS |≡ V2 MS |≡ N f

and

MS |≡ (SK,N f ) , MS |≡ SK

where SK = Nm Nf . In
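As an added example (not from the paper or its author), the FA branch of the derivation above is replayed below as a small Python proof-step checker: each rule function accepts only premises of the exact shape the rule requires, so a mis-applied step fails loudly. The tuple encoding and the helper names (er1, r2, r3, r6, r7, fa_branch) are assumptions of this example, and ER1 is read as it is instantiated in 7.2, with the second argument of f as the statement whose origin is verified.

```python
# Added example (not from the paper): a proof-step checker replaying the FA branch
# of the Section 7.2 derivation.  Each rule function refuses to fire unless its
# premises have exactly the shape the rule demands, so a mis-applied step raises
# AssertionError instead of silently "proving" the goal.  Formulas are nested
# tuples (assumed encoding) in the paper's notation:
#   ('bel', P, X)  P |≡ X      ('sees', P, X)   P ◁ X      ('said', Q, X)  Q |∼ X
#   ('fresh', X)   #(X)        ('key', P, K, Q) P <-K-> Q  ('ctl', Q, X)   Q |⇒ X
#   ('pair', X, Y) (X, Y)      ('f', T, X) f(T, X): T the verifier h(...), X the statement it proves (ER1 as used in 7.2)

def er1(shared, seen):
    """ER1: P |≡ Q <-K-> P, P ◁ f(T, X)  ⊢  P |≡ Q |∼ X."""
    tag, p, key = shared
    assert tag == 'bel' and key[0] == 'key' and key[3] == p, "need P |≡ Q <-K-> P"
    assert seen[:2] == ('sees', p) and seen[2][0] == 'f', "need P ◁ f(T, X)"
    return ('bel', p, ('said', key[1], seen[2][2]))

def r2(fresh, said):
    """R2: P |≡ #(X), P |≡ Q |∼ X  ⊢  P |≡ Q |≡ X."""
    assert fresh[0] == 'bel' and fresh[2][0] == 'fresh', "need P |≡ #(X)"
    assert said[:2] == ('bel', fresh[1]) and said[2][0] == 'said', "need P |≡ Q |∼ X"
    assert fresh[2][1] == said[2][2], "freshness must concern the same X"
    return ('bel', fresh[1], ('bel', said[2][1], said[2][2]))

def r3(ctl, bel):
    """R3: P |≡ Q |⇒ X, P |≡ Q |≡ X  ⊢  P |≡ X."""
    assert ctl[0] == 'bel' and ctl[2][0] == 'ctl', "need P |≡ Q |⇒ X"
    assert bel == ('bel', ctl[1], ('bel', ctl[2][1], ctl[2][2])), "need P |≡ Q |≡ X"
    return ('bel', ctl[1], ctl[2][2])

def r6(fresh, y):
    """R6: P |≡ #(X)  ⊢  P |≡ #(X, Y)."""
    assert fresh[0] == 'bel' and fresh[2][0] == 'fresh', "need P |≡ #(X)"
    return ('bel', fresh[1], ('fresh', ('pair', fresh[2][1], y)))

def r7(bel_pair):
    """R7: P |≡ (X, Y)  ⊢  P |≡ X."""
    assert bel_pair[0] == 'bel' and bel_pair[2][0] == 'pair', "need P |≡ (X, Y)"
    return ('bel', bel_pair[1], bel_pair[2][1])

def fa_branch():
    """Replay the FA derivation of 7.2; returns the set of formulas it establishes."""
    key = ('bel', 'FA', ('key', 'HA', 'Kfh', 'FA'))       # assumption 3 (key is symmetric)
    seen = ('sees', 'FA', ('f', ('h', 'Kfh', 'Nf', 'V1'), 'Vx'))  # FA ◁ f(h(Kfh||Nf||V1), Vx)
    fresh_vx = ('bel', 'FA', ('fresh', 'Vx'))               # ∃ FA |≡ #(Vx)
    ctl = ('bel', 'FA', ('ctl', 'HA', 'Vx'))                # FA |≡ HA |⇒ Vx
    pair = ('bel', 'FA', ('pair', 'MC3', 'Vx'))             # FA |≡ (MC3, Vx), stated in 7.2
    said = er1(key, seen)                                   # FA |≡ HA |∼ Vx
    believes = r2(fresh_vx, said)                           # FA |≡ HA |≡ Vx
    return {said, believes, r3(ctl, believes),              # FA |≡ Vx
            r6(fresh_vx, 'MC3'), r7(pair)}                  # FA |≡ #(Vx, MC3), FA |≡ MC3
```

Feeding r2 a freshness belief about a different nonce (say #(Nf) instead of #(Vx)) raises, which is exactly the check that separates a derivation from a list of plausible-looking formulas.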

In this way, MS, Foreign Agent (FA), and Home Agent (HA) can authenticate themselves through the legitimate security capabilities. Now, from the above analysis using BAN logic, we have proved that the protocol used in the proposed scheme is correct, where the legitimate participants (MS, FA, and HA) can authenticate each other by using the several security capabilities, if the executions of the protocols are successful.

8. Conclusion

In this article, we have demonstrated certain deficiencies of Zhou et al.'s scheme, proposed in the year 2011. For the enhancement of security in global mobile network environments, we have presented a novel authentication and key agreement protocol featuring user anonymity. Analysis shows that our proposed protocol is resilient to various well-known attacks. Eventually, it is highly secure as compared to Zhou et al.'s scheme. Besides, it requires relatively far fewer CPU cycles and even consumes less battery power as compared to Zhou et al.'s scheme.

References

[1] Zhu J, Ma J. A new authentication scheme with anonymity for wireless environments. IEEE Trans Consum Electron 2004;50(1):230–4.
[2] Lee CC, Hwang MS, Liao IE. Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Trans Indust Electron 2006;53(5):1683–7.
[3] Wu CC, Lee WB, Tsaur WJ. A secure authentication scheme with anonymity for wireless communications. IEEE Commun Lett 2008;12(10):722–3.
[4] Chang CC, Lee CY, Chiu YC. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Comput Commun 2009;32:611–18.
[5] Youn TY, Park TH, Lim. Weaknesses in an anonymous authentication scheme for roaming service in global mobile networks. IEEE Commun Lett 2009;13(7):471–3.
[6] Tang C, Wu DO. Mobile privacy in wireless networks revisited. IEEE Trans Wireless Commun 2008;7:1035–42.
[7] Lu J, Zhou J. On the security of an efficient mobile authentication scheme for wireless networks. In: WICOM 2010, 6th international conference on wireless communications networking and mobile computing. IEEE Press; 2010. p. 23–5.
[8] Zhou T, Xu J. Provable secure authentication protocol with anonymity for roaming service in global mobility networks. Comput Networks 2011;55:205–13.
[9] Hwang T, Gope P. Provably secure mutual authentication and key exchange scheme for expeditious mobile communication through synchronously one-time secrets. Wireless Personal Commun 2013. doi:10.1007/s11277-013-1501-5.
[10] Gope P, Hwang T. An efficient mutual authentication and key agreement scheme preserving strong anonymity of the mobile user in global mobility networks. J Netw Comput Appl 2016;62:1–8.
[11] TS 33.102, Security architecture, version 4.2.0, Release 4. Third Generation Partnership Project, Technical Specification Group; 2001.
[12] TR 33.902, Formal analysis of the 3G authentication protocol. Third Generation Partnership Project, Authentication and Key Agreement (AKA); 2000.
[13] Crypto++ Library. [Online]. Available: http://www.cryptopp.com.
[14] Burrows M, Abadi M, Needham R. A logic of authentication. ACM Trans Comput Syst (TOCS) 1990;8(1):18–36.
[15] Gope P, Hwang T. Enhanced secure mutual authentication and key agreement scheme preserving user anonymity in global mobile networks. Wireless Personal Commun 2015. doi:10.1007/s11277-015-2344-z.
[16] He D, Ma M, Zhang Y, Chen C. A strong user authentication scheme with smart cards for wireless communications. Comput Commun 2011;34:367–74.
[17] Wen F, Susilo W, Yang G. A secure and effective user authentication scheme for roaming service in global mobility networks. Wireless Personal Commun 2013. doi:10.1007/s11277-013-1243-4.
[18] Zhang G, Fan D, Zhang Y, Li X, Liu X. A privacy preserving authentication scheme for roaming services in global mobility networks. Security Commun Netw 2015;8(16):2850–9.
[19] Wang D, Cheng H, He D, Wang P. On the challenges in designing identity-based privacy-preserving authentication schemes for mobile devices. IEEE Syst J 2016;PP(99):1–10. doi:10.1109/JSYST.2016.2585681.
[20] Truong TT, Tran MT, Duong AD. Improvement of the more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on ECC. In: Proceedings of IEEE 26th international conference on advanced information networking and application workshops; 2012. p. 698–703.
[21] Li X, Zhang Y, Liu X, Cao J, Zhao Q. A lightweight roaming authentication protocol for anonymous wireless communication. In: Proceedings of IEEE global communications conference; 2012. p. 1029–34.
[22] Ma C-G, Wang D, Zhao S-D. Security flaws in two improved remote user authentication schemes using smart cards. Int J Commun Syst 2014. doi:10.1002/dac.2468.
[23] Gope P, Lee J, Quek TQS. Resilience of DoS attack in designing anonymous user authentication protocol for wireless sensor networks. IEEE Sens J 2016;17(2):498–503.
[24] Gope P, Das AK. Robust anonymous mutual authentication scheme for n-times ubiquitous mobile cloud computing services. IEEE Internet of Things J 2017. doi:10.1109/JIOT.2017.2723915.
[25] Gope P, Kumar A, Luthra G. An enhanced JPEG steganography scheme with encryption technique. Int J Comput Electr Eng 2011;2(5).