A Secure Anonymity Preserving Authentication Scheme for Roaming Service in Global Mobility Networks
Abstract
In real-life applications, ensuring secure transmission of data over public network channels to prevent malicious eavesdropping of the data is an important issue. Several potential security risks arise while protecting data and providing access control over the data. Due to the broadcast nature of the wireless channels, wireless networks are often vulnerable to various possible known attacks. Therefore, designing a secure and efficient authentication scheme in the global mobility network (GLOMONET) environment becomes a challenging task for researchers. In recent years, several user authentication schemes for roaming services in GLOMONET have been proposed. However, most of them are either vulnerable to various known attacks or they are inefficient. Most recently, Zhao et al. proposed an anonymous authentication scheme for roaming service in GLOMONET (Zhao et al. in Wireless Personal Communications 78:247–269, 2014) and they claimed that their scheme can withstand all possible known attacks. In this paper, Zhao et al.’s scheme is revisited, and it is shown that their scheme fails to provide strong user anonymity when the session-specific temporary information is revealed to an adversary. Further, their scheme does not protect against the replay attack, offline password guessing attack and privileged-insider attack. In addition, there is no provision for a revocation and re-registration mechanism in their scheme, and there also exists a design flaw in their scheme. Moreover, another recently proposed scheme, Memon et al.’s scheme (Memon et al. in Wireless Personal Communications 84:1487–1508, 2015), fails to protect against the privileged-insider attack. Thus, there is a great need to provide security enhancement of their schemes in order to apply them in practical applications. The proposed scheme withstands the security weaknesses found in Zhao et al.’s scheme and Memon et al.’s scheme.
Through the rigorous formal and informal security analysis, it is shown that the proposed scheme has the ability to tolerate various known attacks. In addition, the proposed scheme is simulated using the most-widely accepted and used Automated Validation of Internet Security Protocols and Applications tool and the simulation results reveal that the proposed scheme is secure. The proposed scheme is also efficient in computation and communication as compared to Zhao et al.’s scheme and other related schemes.
Keywords
Authentication; Key agreement; User anonymity; Roaming service; Global mobility networks; Security; BAN logic; AVISPA
1 Introduction
The global roaming service is provided by the global mobility network (GLOMONET) that permits an authorized mobile user to use ubiquitous services provided by the home agent (HA) in a foreign agent (FA) [18]. With the rapid development of such environments, several security problems including user privacy have been brought to attention in research [28]. As a result, the authentication problem with anonymity in GLOMONET has become a very important security issue in recent years. A strong user authentication scheme in GLOMONET needs to satisfy the following requirements [19, 42]: (1) user anonymity; (2) low communication cost and computation complexity; (3) single registration; (4) periodic update of the session key; (5) user friendliness; (6) no password/verifier table; (7) secure and free password update; (8) prevention of fraud; (9) prevention of replay attack; (10) prevention of man-in-the-middle attack; (11) security; and (12) provision of the authentication scheme when a user is located in the home network. In addition, a strong user authentication scheme in GLOMONET should satisfy the security requirements listed in Sect. 1.1.
1.1 Security Requirements of Authentication Schemes
- SK-security An authentication scheme should guarantee the security of the session key, called the session key security (SK-security), in the following two cases:
  1. The leakage of a session key or session-specific temporary information will have no effect on the security of other sessions.
  2. The leakage of the crucial long-term secrets, such as the private keys of users or servers, which are used across multiple sessions, will not necessarily compromise the secret information from all past sessions; this is known as perfect forward secrecy.
- User credentials privacy It ensures that \(\mathcal {A}\) cannot derive a user's credentials, such as the authentication parameter, user password and identity.
- Secure mutual authentication It ensures that an authentication scheme must provide secure mutual authentication with the presence of the shared secret credentials.
1.2 Threat Model
In the Dolev–Yao threat model [15], any two communicating entities communicate over an insecure channel. An attacker can eavesdrop on all traffic, inject packets and replay old messages previously delivered. A similar threat model is used for the proposed scheme, where the communicating channels are insecure and the end-points cannot be trusted. Further, the following two assumptions for an adversary \(\mathcal {A}\), as in [38], are considered: (1) \(\mathcal {A}\) can obtain and breach a victim’s smart card and (2) \(\mathcal {A}\) can return the breached smart card without detection. In these two cases, \(\mathcal {A}\) can obtain (stolen or picked up) a user's smart card for a relatively long period of time (e.g., a few hours), and extract the sensitive information stored in the smart card’s memory by using a power analysis attack [22, 27] him/herself (or with recourse to professional labs). Finally, \(\mathcal {A}\) returns the breached smart card back to that user without his/her awareness.
1.3 Related Work
To achieve secure and effective mutual authentication and privacy protection in GLOMONET, several authentication protocols have been proposed in the literature [18, 19, 23, 28, 42, 44]. Particularly, in 2004, Zhu and Ma [44] proposed a smart card based wireless security protocol, which preserves the user anonymity property. Unfortunately, although their scheme is computationally very efficient, later it was found that their protocol cannot achieve mutual authentication and perfect backward secrecy, and it is also vulnerable to the forgery attack [23].
In 2006, Lee et al. [23] proposed an enhanced anonymous authentication scheme which withstands the security pitfalls found in Zhu–Ma’s scheme [44]. Later, Wu et al. [40] and Chang et al. [8] pointed out that Lee et al.’s scheme fails to achieve user anonymity. In addition, they pointed out that, in Lee et al.’s scheme, an attacker who is a registered user of an HA has the ability to obtain the identity of other users as long as they are registered at the same HA. In order to withstand the security flaws found in Wu et al.’s scheme, He et al. [19] further proposed an enhanced scheme. In 2012, Li and Lee [24] showed that He et al.’s scheme [19] fails to provide user anonymity and is also vulnerable to replay and impersonation attacks. However, in 2013, Das [10] pointed out that Li–Lee’s scheme fails to achieve strong authentication in the login and authentication phases. In addition, Li–Lee’s scheme fails to update the user’s password correctly in the password change phase and also fails to protect against replay attacks. To remedy these security weaknesses, Das proposed an effective user authentication and privacy preserving scheme with smart cards for wireless communications.
In 2013, Jiang et al. [21] proposed an anonymous user authentication scheme. However, He et al. [20] showed that Jiang et al.’s scheme is vulnerable to several attacks including the spoofing attack and replay attack. In addition, Gope and Hwang [17] analyzed the security of Wen et al.’s scheme [39] and showed that their scheme is vulnerable to forgery attack, replay attack, known session key attack, and fails to provide backward and forward secrecy. Gope and Hwang [18] further analyzed Zhou–Xu’s scheme [43] and pointed out that their scheme is also insecure. To erase the security drawbacks of Zhou–Xu’s scheme, Gope and Hwang [18] proposed an efficient mutual authentication and fair key agreement scheme preserving the anonymity for roaming services.
Most recently, Zhao et al. [42] proposed an anonymous authentication scheme for roaming service in GLOMONET and they claimed that their scheme can withstand all possible known attacks. Memon et al. [26] asserted that Zhao et al.’s scheme is vulnerable to offline guessing attack, replay attack, smart card stolen attack and stolen verifier attack, and that it lacks proper session-key agreement. They proposed an efficient anonymous communication scheme for location based service using asymmetric cryptography over the wireless system. However, it is noted that their scheme is insecure against the privileged-insider attack, as outlined in Remark 1. Nevertheless, it is also shown that Zhao et al.’s scheme is still insecure against some other known attacks, as discussed in Sect. 4.
1.4 Our Contributions
The recently proposed Zhao et al.’s scheme [42] is first analyzed and it is then shown that their scheme fails to provide strong user anonymity when the session-specific temporary information is revealed to an adversary. Further, their scheme does not protect against the offline password guessing attack and the privileged-insider attack. In addition, there is no provision for a revocation and re-registration mechanism in their scheme, and there also exists a design flaw in their scheme.
Moreover, it is also pointed out that the recently proposed Memon et al.’s scheme [26] is insecure against the privileged-insider attack.
An enhanced anonymous authentication scheme for roaming service in GLOMONET is put forward to withstand all the security pitfalls found in Zhao et al.’s scheme.
Through the rigorous formal and informal security analysis, it is shown that the proposed scheme is secure against possible known attacks including the SK-security (discussed in Sect. 1.1).
The security analysis using the widely accepted Burrows–Abadi–Needham logic (BAN logic) shows that the proposed scheme provides the mutual authentication between a mobile user and the foreign agent (FA)/home agent (HA).
The simulation of the proposed scheme using the most-widely accepted and used Automated Validation of Internet Security Protocols and Applications (AVISPA) tool is also carried out, and the simulation results clearly indicate that the proposed scheme is secure.
Finally, the proposed scheme is also efficient compared to Zhao et al.’s scheme and other related schemes.
1.5 Roadmap of the Paper
The remainder of this paper is organized as follows. Section 2 discusses some mathematical preliminaries, which are very useful in discussing and analyzing Zhao et al.’s scheme as well as the proposed scheme. In Sect. 3, the various phases of Zhao et al.’s scheme are reviewed in order to cryptanalyze their scheme in Sect. 4. In Sect. 5, a secure and effective enhanced anonymous authentication scheme for roaming service in GLOMONET is proposed. The security of the proposed scheme is analyzed using both formal and informal security analysis in Sect. 6. In Sect. 7, the proposed scheme is simulated for formal security verification using the widely-accepted AVISPA tool, and it is shown that the proposed scheme is secure against the replay and man-in-the-middle attacks of an adversary. The performance of the proposed scheme is compared with Zhao et al.’s scheme and other related schemes in Sect. 8. Finally, the paper is concluded in Sect. 9.
2 Mathematical Preliminaries
In this section, the following basic mathematical preliminaries are briefly reviewed, which are helpful for describing and analyzing the proposed scheme and other schemes.
2.1 Elliptic Curve Cryptosystem
A non-singular elliptic curve \(y^2 = x^3 + ax + b\) over the finite field GF(p) is the set \(E_p(a,b)\) of solutions (x, y) \(\in Z_p \times Z_p\) to the congruence \(y^2 = x^3 + ax + b \, (\bmod \, p)\), together with a special point \(\mathcal {O}\) called the point at infinity or zero point. Here \(a \in Z_p\) and \(b \in Z_p\) are constants such that \(4a^3 + 27b^2 \ne 0 \, (\bmod \, p)\), \(Z_p = \{ 0, 1, \ldots , p-1\}\) and \(p > 3\) is a prime. The condition \(4a^3 + 27b^2 \ne 0 \, (\bmod \, p)\) is the necessary and sufficient condition to ensure that the equation \(x^3 + ax + b = 0\) has a non-singular solution [29]. Hasse's theorem [36] asserts that the number |E| of points on the elliptic curve \(E_p(a,b)\) satisfies the inequality \(p + 1 -2\sqrt{p} \le |E| \le p + 1 +2 \sqrt{p}\). In other words, an elliptic curve \(E_p(a,b)\) over \(Z_p\) has roughly p points. In addition, \(E_p(a,b)\) forms an abelian (commutative) group under the addition modulo p operation.
Elliptic curve discrete logarithm problem (ECDLP) Computing \(Q = kP\) is relatively easy for given scalar \(k \in Z_p\) and an elliptic curve point \(P \in E_{p}(a,b)\). However, given P and Q, it is computationally hard to derive the scalar \(k \in Z_p\) such that \(Q = kP\). This problem is known as elliptic curve discrete logarithm problem [31, 36].
Definition 1
(Formal definition of elliptic curve discrete logarithm problem) The elliptic curve discrete logarithm problem (ECDLP) is formally defined as given in [13, 16, 30]. Let \(E_p(a, b)\) be an elliptic curve modulo a prime p. Let \(P \in E_p(a, b)\) and \(Q = kP \in E_p(a, b)\) be two points, where \(k \in _R Z_p\). The notation \(a \in _R B\) is to denote that a is chosen randomly from the set B.
Instance: (P, Q, r) for some \(r \in _R Z_p\).
Output: Yes, if \(Q = rP\), i.e., \(k = r\), and output: No, otherwise.
ECDLP assumption There exists no \((t, \epsilon )\)-ECDLP distinguisher for \(E_p(a, b)\). In other words, for every probabilistic, polynomial-time 0/1-valued distinguisher \(\mathcal {D}\), \(Adv_{\mathcal {D}, E_p(a,b)}^{ECDLP}(t) \le \epsilon \), for any sufficiently small \(\epsilon > 0\).
2.2 Collision-Resistant One-Way Hash Function
One of the fundamental properties of a secure one-way hash function is that its outputs are very sensitive to small perturbations in inputs.
2.3 Symmetric-Key Encryption Scheme \(\varOmega \) and IND-CPA
In the proposed scheme, a symmetric-key encryption scheme \(\varOmega \) (for example, the symmetric-key cryptosystem AES-128 [1]) is considered which provides indistinguishability of encryptions under chosen plaintext attack (IND-CPA). In the following, IND-CPA is defined in the single and multiple eavesdropper settings [4, 41].
Definition 2
Table 1 Notations used in this paper
Symbol | Description
---|---
MU, FA, HA | Mobile user, foreign agent and home agent, respectively
\(SC_U\) | Smart card of MU
\(PW_X\) | Password of an entity X
\(ID_X\) | Identity of an entity X
\(Cert_X\) | Certificate of an entity X
\(N_X\) | Random number generated by an entity X
p | A sufficiently large prime number
E | Elliptic curve \(y^2 = x^3 + ax + b \pmod {p}\) over the finite field \(F_p\)
P | A base point on E
R.x | x-coordinate of an ECC point \(R \in E\)
\(P+Q\) | ECC point addition of \(P, Q \in E\)
\(P-Q\) | \(P + (-Q)\), where \(-Q \in E\) is the inverse of \(Q \in E\)
\(h(\cdot )\) | A secure collision-resistant one-way hash function
\(E_k(\cdot )/D_k(\cdot )\) | Symmetric-key encryption/decryption using the key k
\((k_X, P_X)\) | Private and public key pair of entity X, where \(P_X = k_X P\)
\(\varOmega \) | Secure symmetric-key cryptosystem
A||B | Data A concatenated with data B
\(A \oplus B\) | Exclusive-OR of data A and data B
\(\Rightarrow {\ } \) | A secure channel
\(\rightarrow {\ } \) | A public channel
3 Review of Zhao et al.’s Scheme
In this section, the recently proposed Zhao et al.’s authentication scheme for roaming service in global mobility networks [42] is briefly reviewed for understanding the cryptanalysis on this scheme. The notations listed in Table 1 are used for describing Zhao et al.’s scheme. Their scheme consists of the following phases.
3.1 Registration Phase
- R1:
MU selects his/her own identity-password pair \((ID_U, PW_U)\) and a random number \(N_U\). Then, MU sends a registration request message \(Reg = \{ID_U, h(PW_U || N_U)\}\) to the home agent HA via a secure channel.
- R2:
Upon receiving Reg from MU, HA computes \(Q = h(ID_U || k) \oplus h(PW_U || N_U)\) and \(h_U = h(ID_U || h(PW_U || N_U))\), where k is the secret key of HA. HA stores \(\{Q, h_U, C = cP, ID_H\}\) in a smart card, say \(SC_U\), and sends it to MU via a secure channel.
- R3:
After receiving \(SC_U\) from HA, MU stores \(N_U\) into \(SC_U\). Therefore, MU’s smart card \(SC_U\) finally contains the parameters \(\{Q, h_U, C, ID_H, N_U\}\).
3.2 Authentication and Key Establishment Phase
- A1:
MU inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs identity \(ID_U\) and password \(PW_U\). Then, \(SC_U\) computes \(h_U^\prime = h(ID_U || h(PW_U || N_U))\) and checks whether the condition \(h_U^\prime = h_U\) holds or not. If it does not hold, \(SC_U\) rejects the entered credentials. Otherwise, \(SC_U\) randomly generates a number a, and computes \(A = aP\), \(R_{AC} = aC\), \(N = Q \oplus h(PW_U || N_U)\), \(DID_U = ID_U \oplus h(R_{AC})\) and \(V_1 = h(N || R_{AC} || ID_H || A || C)\). Then, \(SC_U\) sends the request message \(M_1 = \{A, DID_U, C, V_1, ID_H\}\) to the foreign agent FA over a public channel.
- A2:
Upon receiving \(M_1\) from MU, FA generates a random number b, and computes \(B = bP\), \(R_{BC} = bC\), \(W_2 = E_{R_{BC}}[A, B, Cert_F, V_1, DID_U]\) and \(V_2 = E_{S_F}\{h(A, B, Cert_F, V_1, DID_U)\}\), where \(S_F\) and \(Cert_F\) are the private key and certificate of FA, respectively. FA sends the message \(M_2 = \{B, W_2, V_2\}\) to the home agent HA of MU over a public channel.
- A3:
After receiving \(M_2\) from FA, HA computes \(R_{BC} = cB\) and retrieves \([A, B, Cert_F, V_1, DID_U] = D_{R_{BC}}[W_2]\), and then verifies FA’s signature \(V_2\) by using FA’s certificate \(Cert_F\). If it is valid, FA is authenticated by HA. After that, HA computes \(R_{AC} = cA\), \(ID_U = DID_U \oplus h(R_{AC})\) and \(V_1^\prime = h(h(ID_U || k) || R_{AC} || ID_H || A || C)\), and checks whether the condition \(V_1^\prime = V_1\) holds or not. If it holds, MU is authenticated by HA. After both MU and FA are authenticated by HA, HA randomly generates a number d and computes \(D = dP\), \(G_U = dB \oplus R_{AC}\), \(W_1 = h(h(ID_U || k) || dB || A || D || ID_F || ID_H)\), \(W_3 = E_{R_{BC}}[ID_F, Cert_H, G_U, dA, A, B, D, W_1]\) and \(V_3 = E_{S_H}\{h(ID_F, Cert_H, G_U, dA, A, B, D, W_1)\}\). Finally, HA sends \(M_3 = \{W_3, V_3\}\) to FA over a public channel.
- A4:
Upon receiving \(M_3\), FA decrypts \(D_{R_{BC}}[W_3]\) to retrieve \(ID_F\), \(Cert_H\), \(G_U\), dA, A, B, D and \(W_1\) using the computed \(R_{BC}\) in Step A2. Then, FA verifies the validity of HA’s signature \(V_3\) by using HA’s certificate \(Cert_H\). If it is valid, HA is authenticated by FA, which also means that HA claims that MU is a legitimate user. After authentication, FA computes the common session key \(SK = h(bdA)\) and \(W_4 = E_{SK}[W_1, D, ID_F]\). Finally, FA sends \(M_4 = \{G_U, W_4\}\) to MU over a public channel.
- A5:
After receiving \(M_4\), MU computes \(dB = G_U \oplus R_{AC}\) and \(SK = h(adB)\), and decrypts \(D_{SK}[W_4]\) to retrieve \(W_1\), D, \(ID_F\). Then, MU computes \(W_1^\prime = h(N || dB || A || D || ID_F || ID_H)\) and checks whether the condition \(W_1^\prime = W_1\) holds or not. If it holds, FA and HA are authenticated by MU. After authentication, MU confirms that the common session key is \(SK = h(adB)\). Then, MU computes \(Auth = h(W_1 || adB)\) and sends \(M_5 = \{Auth\}\) to FA over a public channel.
- A6:
After receiving \(M_5\), FA computes \(Auth^\prime = h(W_1 || bdA)\) and compares it with the received Auth. If they are equal, FA confirms that the common session key with MU is \(SK = h(bdA)\).
3.3 Authentication and Key Establishment When a Mobile User is Located in His/Her Home Network
- H1:
MU inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs identity \(ID_U\) and password \(PW_U\). Then, \(SC_U\) computes \(h_U^\prime = h(ID_U || h(PW_U || N_U))\) and checks whether the condition \(h_U^\prime = h_U\) holds or not. If it holds, \(SC_U\) confirms that MU is a legitimate user. Otherwise, \(SC_U\) rejects the entered user credentials. Next, \(SC_U\) randomly generates a and computes \(A = aP\), \(R_{AC} = aC\), \(N = Q \oplus h(PW_U || N_U)\), \(DID_U = ID_U \oplus h(R_{AC})\) and \(V_1 = h(N || R_{AC} || ID_H || A || C)\). Finally, \(SC_U\) sends the request message \(Req = \{A, DID_U, C, V_1, ID_H\}\) to HA over a public channel.
- H2:
After receiving Req, HA computes \(R_{AC} = cA\), \(ID_U = DID_U \oplus h(R_{AC})\) and \(V_1^\prime = h(h(ID_U || k) || R_{AC} || ID_H || A || C)\). HA checks whether the condition \(V_1^\prime = V_1\) holds or not. If it holds, MU is authenticated by HA. Next, HA randomly generates d and computes \(D = dP\), \(W_1 = h(h(ID_U || k) || A || C || D || ID_H)\), the session key \(SK = h(dA)\) shared with MU. Finally, HA sends the challenge message \(Challenge = \{D, W_1, ID_H\}\) to MU over a public channel.
- H3:
Upon receiving Challenge from HA, MU computes \(W_1^\prime = h(N || A || C || D || ID_H)\) and checks whether the condition \(W_1^\prime = W_1\) holds or not. If it holds, HA is authenticated by MU. Finally, MU also computes the common session key \(SK = h(a D)\) shared with HA.
4 Cryptanalysis on Zhao et al.’s Scheme
In this section, the cryptanalysis on Zhao et al.’s scheme is presented and it is also shown that their scheme is vulnerable to several known attacks.
4.1 Known Session-Specific Temporary Information and Its Consequences
Suppose that the session-specific temporary information a, chosen by MU in Step A1, is revealed to the attacker \(\mathcal {A}\). Since the session key SK is computed as \(SK = h(bdA) = h(adB)\), \(\mathcal {A}\) computes the session key as follows. \(\mathcal {A}\) first computes \(R_{AC} = aC\) and \(dB = G_U \oplus R_{AC}\), where \(G_U\) is taken from the message \(M_4\) sent over the public channel, and then \(SK = h(adB)\) using the session-specific temporary information a.
\(\mathcal {A}\) intercepts the login request message \(M_1\), and computes \(A^\prime = aP\). Then, \(\mathcal {A}\) checks whether the condition \(A^\prime = A\) holds or not. If it holds, \(\mathcal {A}\) further computes \(R_{AC}^\prime = a C\) and the identity \(ID_U = DID_U \oplus h(R_{AC})\). Thus, Zhao et al.’s scheme fails to provide the strong user anonymity when the session-specific temporary information are revealed to the adversary \(\mathcal {A}\).
Assume that \(\mathcal {A}\) intercepts the message \(M_1\) during the login phase, and replays it to login in the system. Since it is the valid login message, the foreign agent FA and the home agent HA cannot identify the replay message, and finally, \(\mathcal {A}\) receives the valid message \(M_4 = \{G_U, W_4\}\) from the foreign agent FA. Since \(\mathcal {A}\) has the session-specific temporary information a corresponding to \(M_1\), he/she can compute the session key SK as above without the knowledge of MU’s credentials \((ID_U, PW_U)\). Then, \(\mathcal {A}\) can decrypt \(W_4\) using SK to retrieve \(W_1, D, ID_F\) and computes the valid authentication message \(Auth = h(W_1 || adB)\). As a result, \(\mathcal {A}\) knowing session-specific temporary information can successfully establish a session with the foreign agent FA without any difficulty. Thus, Zhao et al.’s scheme fails to prevent the replay attack.
4.2 Privileged-Insider Attack
Suppose a privileged insider \(\mathcal {A}\) of HA records the registration request \(Reg = \{ID_U, h(PW_U || N_U)\}\) sent in Step R1 and later obtains \(N_U\), which is stored in MU’s smart card \(SC_U\) in Step R3, by the power analysis attack described in Sect. 1.2. \(\mathcal {A}\) then proceeds as follows.
- Step 1
\(\mathcal {A}\) guesses a password \(PW^{guess}\) and computes \(h^{guess} = h(PW^{guess} || N_U)\).
- Step 2
\(\mathcal {A}\) checks whether the condition \(h^{guess} = h(PW_U || N_U)\) holds or not. If the condition is true, the guessed password \(PW^{guess}\) is the correct password \(PW_U\).
- Step 3
Otherwise, \(\mathcal {A}\) repeats from Step 1.
4.3 No Provision for Revocation and Reregistration
In order to provide strong security to the mobile user MU, revocation of a lost/stolen smart card is one of the fundamental security requirements of smart-card based authentication schemes. If the mobile user MU’s smart card \(SC_U\) is lost or stolen, there must be some mechanism to prevent the misuse of the lost/stolen smart card \(SC_U\). Otherwise, an adversary \(\mathcal {A}\) can impersonate the legal user MU, as the registration phase has no ability to detect re-registration with an old identity. To cope with this problem, smart-card based authentication schemes need to store an identity information table in HA’s database, based on which an invalid smart card can be detected [31, 38]. However, Zhao et al.’s authentication scheme does not consider this fundamental security feature of revocation and re-registration.
4.4 Other Drawbacks of Zhao et al.’s Scheme
During the registration phase of Zhao et al.’s scheme, the home agent HA issues the parameter \(C = cP\), where c is a random number generated by HA. However, they have not defined whether the parameter C is the same for all users. If it is the same for all users, it is not necessary to send it with the message \(M_1\). So, it may be different for each user MU, in which case it may enable a user traceability attack. Moreover, they claimed that their scheme requires no verification table. Thus, if C is different for different users, then computing \(R_{BC} = cB\), \(R_{AC} = cA\) and \(ID_U = DID_U \oplus h(R_{AC})\) without storing the random value c per user is impossible. Hence, Zhao et al.’s scheme fails to avoid this specified design flaw.
Remark 1
The privileged-insider attack analysis on Memon et al.’s scheme [26] is similar to that presented in [11]. During registration, the mobile client \(ID_{Mc}\) chooses a password \(pw_{Mc}\) and a random number \(b_1 \in Z_p^*\). It computes the hash \(PW_{Mc}= h(pw_{Mc} || b_1)\). Then, it submits the registration request \(m_{reg}= \{ID_{Mc}, PW_{Mc}\}\) to the home agent LBSs via a secure channel. Suppose a privileged insider of the home agent LBSs collects the registration information \(\{ID_{Mc}, PW_{Mc}\}\). Assume that the privileged insider \(\mathcal {A}\) tries to impersonate the valid mobile client by stealing the smart card of the mobile client \(ID_{Mc}\). Note that the secret information \(b_1\) is stored in the smart card. The adversary \(\mathcal {A}\) then retrieves all the information including \(b_1\) using power analysis [22, 27]. After that, the adversary \(\mathcal {A}\) can guess a password \(pw_{Mc}^*\), compute \(PW_{Mc}^* = h(pw_{Mc}^* || b_1)\) using the retrieved \(b_1\), and then check the condition \(PW_{Mc}^* = PW_{Mc}\). If it is valid, the adversary \(\mathcal {A}\) is successful in guessing the correct password \(pw_{Mc}\). It is thus clear that Memon et al.’s scheme [26] is insecure against the privileged-insider attack.
5 The Proposed Scheme
In this section, an enhancement scheme is presented to withstand the security drawbacks found in Zhao et al.’s scheme as well as Memon et al.’s scheme. As in Zhao et al.’s scheme, our improved scheme also consists of the initialization phase, registration phase, authentication and key establishment phase, session key update phase, authentication and key establishment phase when a mobile user is located in his/her home network and password update phase, which are described in the following subsections.
5.1 Initialization Phase
In this phase, the home agent HA initializes with the following parameters: (1) elliptic curve E over finite field \(F_p\), a base point P on E, a private key k, and the corresponding public key \(P_H = kP\); (2) a collision-resistant one-way cryptographic hash function \(h(\cdot )\); and (3) an IND-CPA secure symmetric-key cryptosystem \(\varOmega \). Finally, HA publicly declares the parameters \(\{F_p, E, P_H, h(\cdot ), \varOmega \}\) and keeps the private key k as secret, which is only known to HA.
5.2 Registration Phase
- R1:
MU chooses his/her own identity \(ID_U\) and a strong password \(PW_U\). Then, MU chooses a random number \(N_U\) and computes \(NID_U = h(ID_U || N_U)\). Finally, MU sends a registration request \(Reg = \{ID_U, NID_U\}\) to the home agent HA via a secure channel.
- R2:
Upon receiving Reg from MU, HA computes \(Q = E_{k}(NID_U || ID_U)\) and stores \(\{Q, ID_H, F_p, E, P_H, h(\cdot ), \varOmega \}\) in a smart card, say \(SC_U\). Furthermore, HA stores \(\{HID_U = h(NID_U || k), EID_U = E_k(ID_U)\}\) in its database corresponding to MU. HA sends \(SC_U\) to MU via a secure channel.
- R3:
After receiving \(SC_U\) from HA, MU computes \(NPW = h(PW_U || ID_U) \oplus N_U\), \(NQ = Q \oplus h(N_U || PW_U)\) and \(SPW = h(N_U || ID_U || PW_U)\). MU then stores NQ, NPW and SPW into the smart card \(SC_U\) and deletes Q from it. Finally, MU’s smart card \(SC_U\) contains the information \(\{NQ, P_H, ID_H, NPW, SPW, F_p, E, h(\cdot ), \varOmega \}\).
Registration phase of the proposed scheme
5.3 Authentication and Key Establishment Phase
- A1:
MU first inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs his/her identity \(ID_U\) and password \(PW_U\). \(SC_U\) computes \(N_U^\prime = h(PW_U || ID_U) \oplus NPW\), \(NID_U = h(ID_U || N_U^\prime )\) and verifies whether the condition \(SPW = h(N_U^\prime || ID_U || PW_U)\) holds or not. If it does not hold, \(SC_U\) rejects the entered credentials. Otherwise, \(SC_U\) randomly generates a one-time secret x and computes \(Q = NQ \oplus h(N_U || PW_U)\), \(a = h(x || Q)\), \(A = aP\), \(R_{AC} = aP_H\), \(RID_U = E_{R_{AC}.x}(NID_U)\), where \(R_{AC}.x\) denotes the x-coordinate of the ECC point \(R_{AC}\), and \(V_1 = h(Q || R_{AC} || ID_H || A || ID_U)\). Then, \(SC_U\) sends the login request message \(M_1 = \{A, RID_U, V_1, ID_H\}\) to the foreign agent FA over a public channel.
- A2:
Upon receiving \(M_1\) from MU, FA generates a random number b and computes \(B = bP\), \(R_{BC} = bP_H\), \(W_2 = E_{R_{BC}.x}[A, B, Cert_F, RID_U, V_1]\) and \(V_2 = E_{S_F}\{h(A, B, Cert_F, RID_U, V_1)\}\), where \(R_{BC}.x\) denotes the x-coordinate of the ECC point \(R_{BC}\), and \(S_F\) and \(Cert_F\) are the private key and certificate of FA, respectively. Then FA sends the message \(M_2 = \{B, W_2, V_2\}\) to the home agent HA of MU over a public channel.
- A3:
After receiving \(M_2\) from FA, the home agent HA computes \(R_{BC} = kB\) and \([A, B, Cert_F, V_1, RID_U] = D_{R_{BC}.x}[W_2]\), and then verifies the validity of FA’s signature \(V_2\) by using FA’s certificate \(Cert_F\). If it is valid, FA is authenticated by HA. HA computes \(R_{AC} = kA\), \(NID_U^\prime = D_{R_{AC}.x}(RID_U)\) and \(HID_U^\prime = h(NID_U^\prime || k)\). Next, HA checks whether the value \(HID_U^\prime \) is present in its database. If it is present, HA retrieves the original identity \(ID_U\) of MU by decrypting the corresponding database entry \(EID_U = E_k(ID_U)\) using its master secret key k. HA then verifies whether the condition \(V_1 = h(E_{k}(NID_U || ID_U) || R_{AC} || ID_H || A || ID_U)\) holds or not. If it holds, HA authenticates MU. After both MU and FA are authenticated by HA, HA generates a random secret y and computes \(d = h(y || E_{k}(NID_U || ID_U))\), \(D_{AC} = dR_{BC}\), \(D_{BC} = dR_{AC}\), \(G_U = D_{AC} + R_{AC}\), \(W_1 = h(E_{k}(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\), \(W_3 = E_{R_{BC}.x}[ID_F, Cert_H, G_U, D_{BC}, A, B, W_1]\) and \(V_3 = E_{S_H}[h(ID_F, Cert_H, G_U, D_{BC}, A, B, W_1)]\). Finally, HA sends the message \(M_3 = \{W_3, V_3\}\) to FA over a public channel.
- A4:
Upon receiving \(M_3\) from HA, FA decrypts \(W_3\) using computed \(R_{BC}.x\) to retrieve \([ID_F\), \(Cert_H\), \(G_U\), \(D_{BC}\), A, B, \(W_1]\), and verifies the validity of HA’s signature \(V_3\) by using the HA’s certificate \(Cert_H\). If it is valid, HA is authenticated by FA, which also means that HA has claimed that MU is a legitimate user. After authentication, FA computes the common session key \(SK_F = h(b D_{BC} || W_1)\) shared with MU, and also \(W_4 = h(SK_F || G_U || A || B)\). Finally, FA sends the message \(M_4 = \{G_U, B, W_4\}\) to MU over a public channel.
- A5:
After receiving \(M_4\), MU computes \(D_{AC} = G_U - R_{AC}\) and \(SK_U = h(a D_{AC} || W_1^\prime )\), where \(W_1^\prime = h(E_{k}(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\). MU then checks whether the condition \(W_4 = h(SK_U || G_U || A || B)\) holds or not. If it holds, FA and HA are authenticated by MU. After authentication, MU confirms that the common session key shared with the FA is \(SK_U = h(aD_{AC} || W_1^\prime ) = h(adbP_H || W_1^\prime )\). Then, MU computes \(Auth = h(W_1^\prime || aD_{AC} || B || A)\) and sends the confirmation message \(M_5 = \{Auth\}\) to FA over a public channel.
- A6:
After receiving \(M_5\), FA computes \(Auth^\prime = h(W_1 || b D_{BC} || B || A)\) and compares it with the received Auth. If they are equal, FA confirms that the common session key shared with MU is \(SK_F = h(bD_{BC} || W_1) = h(bdaP_H || W_1)\).
Authentication and key establishment phase of the proposed scheme
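The elliptic-curve arithmetic behind the authentication and key establishment phase above can be checked end to end. The following is an added example written for this edit, not code from the paper or its authors. It assumes secp256k1 as the curve E with base point P (any prime-order curve would do), SHA-256 as \(h(\cdot)\), and an opaque 32-byte secret Q standing in for \(E_k(NID_U || ID_U)\); the certificates, the signatures \(V_2\)/\(V_3\) and the symmetric encryption of \(W_2\)/\(W_3\) are left out because they do not enter the key derivation.

```python
"""Added example, not the paper's code: the elliptic-curve core of the
authentication and key establishment phase (M_1 .. M_5), run end to end to
show why SK_U and SK_F coincide and what MU and FA actually verify.

Assumptions (not fixed by the paper): curve secp256k1, h(.) = SHA-256, and an
opaque 32-byte secret Q in place of E_k(NID_U || ID_U)."""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, base point G of prime order n
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition (covers doubling and the point at infinity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD  # curve coefficient a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)


def h(*parts):
    """h(.) over the '||' concatenation of strings, bytes and EC points."""
    m = hashlib.sha256()
    for part in parts:
        if isinstance(part, tuple):  # EC point: hash both coordinates
            part = part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big")
        elif isinstance(part, str):
            part = part.encode()
        m.update(part)
    return m.digest()


def scalar_from(*parts):
    """a = h(x || Q) style derivation of a nonzero scalar modulo n."""
    return int.from_bytes(h(*parts), "big") % (N_ORD - 1) + 1


def run_protocol(k=None, x=None, b=None, y=None):
    """One run of M_1..M_5. Fixed scalars may be passed to make the run reproducible."""
    def rnd(v):
        return v if v is not None else secrets.randbelow(N_ORD - 1) + 1
    k, x, b, y = rnd(k), rnd(x), rnd(b), rnd(y)
    ID_U, ID_F, ID_H = "MU-01", "FA-01", "HA-01"      # constructed sample identities
    Q = h("E_k(NID_U||ID_U) stand-in")                 # MU's long-term smart-card secret
    P_H = ec_mul(k, G)                                 # HA public key P_H = kP
    # A1 (MU): a = h(x || Q), A = aP, R_AC = a P_H
    a = scalar_from(x.to_bytes(32, "big"), Q)
    A = ec_mul(a, G)
    R_AC_mu = ec_mul(a, P_H)
    # A2 (FA): B = bP, R_BC = b P_H
    B = ec_mul(b, G)
    R_BC_fa = ec_mul(b, P_H)
    # A3 (HA): recover both shared points with k, then bind them with d
    R_BC_ha, R_AC_ha = ec_mul(k, B), ec_mul(k, A)
    d = scalar_from(y.to_bytes(32, "big"), Q)
    D_AC, D_BC = ec_mul(d, R_BC_ha), ec_mul(d, R_AC_ha)
    G_U = ec_add(D_AC, R_AC_ha)
    W_1 = h(Q, D_AC, A, ID_U, ID_F, ID_H)
    # A4 (FA): SK_F = h(b D_BC || W_1), W_4 = h(SK_F || G_U || A || B)
    SK_F = h(ec_mul(b, D_BC), W_1)
    W_4 = h(SK_F, G_U, A, B)
    # A5 (MU): D_AC = G_U - R_AC, recompute W_1, derive SK_U and check W_4
    D_AC_mu = ec_add(G_U, ec_neg(R_AC_mu))
    W_1_mu = h(Q, D_AC_mu, A, ID_U, ID_F, ID_H)
    aD_AC = ec_mul(a, D_AC_mu)
    SK_U = h(aD_AC, W_1_mu)
    w4_ok = W_4 == h(SK_U, G_U, A, B)
    Auth = h(W_1_mu, aD_AC, B, A)
    # A6 (FA): Auth' = h(W_1 || b D_BC || B || A)
    auth_ok = Auth == h(W_1, ec_mul(b, D_BC), B, A)
    return {"sk_u": SK_U, "sk_f": SK_F, "w4_ok": w4_ok, "auth_ok": auth_ok,
            "shared_points_agree": R_AC_mu == R_AC_ha and R_BC_fa == R_BC_ha}


if __name__ == "__main__":
    r = run_protocol()
    print("SK_U == SK_F:", r["sk_u"] == r["sk_f"], "W_4 ok:", r["w4_ok"], "Auth ok:", r["auth_ok"])
```

Run as a script, it reports whether \(SK_U = SK_F\) and whether the \(W_4\) and Auth checks pass. The identity \(aD_{AC} = bD_{BC} = abdkP\) is what makes steps A5 and A6 agree, and the \(W_4\) check in A5 is the point at which MU would notice a \(G_U\) or B altered in transit.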
Remark 2
In order to protect against the replay attack, a strategy similar to that suggested in [9, 25] is adopted. FA stores the pair \((RID_U, A)\) in its database and HA also stores the pair \((ID_U, B)\) in its database. When FA receives the next login request message, say \(M_1^\prime = \{A^\prime , RID_U, V_1^\prime , ID_H\}\), from MU, it compares the received \(A^\prime \) with the stored A in its database. If there is a match, the message \(M_1^\prime \) is regarded as a replay message and discarded by FA. Otherwise, FA replaces A with \(A^\prime \) in its database entry for \(RID_U\) and treats the message \(M_1^\prime \) as a fresh message. In a similar way, when HA receives the next message, say \(M_2^\prime = \{B^\prime , W_2^\prime , V_2^\prime \}\), from FA, it compares \(B^\prime \), decrypted with the computed key \(R_{BC}.x\), with the stored B in its database entry for \(ID_U\). If there is a match, the message \(M_2^\prime \) is regarded as a replay message and discarded by HA. Otherwise, HA replaces B with \(B^\prime \) in its database entry for \(ID_U\) and treats the message \(M_2^\prime \) as a fresh message. For stronger replay attack protection, both FA and HA can keep the pairs \((RID_U, A)\) and \((ID_U, B)\), respectively, for some time so that replayed messages can be detected easily by FA and HA.
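As an added illustration of the table look-up in Remark 2 (example code written for this edit, not the paper's), the class below keeps, per peer identity, every ephemeral point seen within a retention window rather than only the most recent one, which is the "keep the pairs for some time" variant the remark recommends. The same object serves FA (keyed by \(RID_U\), storing A) and HA (keyed by \(ID_U\), storing B). The window length and the injectable clock are assumptions.

```python
"""Added example (not the paper's code): the replay table of Remark 2 with a
retention window, usable by FA for (RID_U, A) and by HA for (ID_U, B)."""
import time


class ReplayGuard:
    """Remembers, per peer identity, the ephemeral points seen recently."""

    def __init__(self, retain_seconds=300.0, clock=time.monotonic):
        self.retain = retain_seconds          # assumed window; the paper says "for some time"
        self.clock = clock
        self.seen = {}                        # peer_id -> {point: time_first_seen}

    def _expire(self, now):
        """Drop points older than the retention window."""
        for peer, points in list(self.seen.items()):
            for pt, t in list(points.items()):
                if now - t > self.retain:
                    del points[pt]
            if not points:
                del self.seen[peer]

    def accept(self, peer_id, point):
        """True if `point` is fresh for `peer_id`; False if it was already seen (replay)."""
        now = self.clock()
        self._expire(now)
        points = self.seen.setdefault(peer_id, {})
        if point in points:
            return False
        points[point] = now
        return True


if __name__ == "__main__":
    fa_table = ReplayGuard(retain_seconds=60)
    # constructed sample values standing in for RID_U and the point A
    print(fa_table.accept("RID_U-sample", "A-sample"))   # fresh
    print(fa_table.accept("RID_U-sample", "A-sample"))   # replay
```

Keeping a window instead of only the last pair matters for the case the remark's first variant misses: after a fresh \(A^\prime\) overwrites A, a replay of the older A would otherwise be accepted again.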
5.4 Session Key Update Phase
- U1:
MU chooses a new random number \(x_i\) and computes \(a_i = h(x_i || W_1^\prime )\) and \(a_iP_H\). MU sends the message \(\{a_i P_H\}\) to FA over a public channel.
- U2:
After receiving the message \(\{a_i P_H\}\), FA chooses a new random number \(y_i\) and computes \(b_i = h(y_i || W_1)\) and \(b_i P_H\). FA computes a new session key \(SK_i = h(b_i a_i P_H || W_1)\) shared with MU and \(S_i = h(b_i a_i P_H || SK_{i-1} || W_1)\). FA then sends \(\{b_iP_H, S_i\}\) to MU over a public channel.
- U3:
Upon receiving \(\{b_iP_H, S_i\}\), MU computes \(S_i^\prime = h(a_i b_i P_H || SK_{i-1} || W_1^\prime )\) and checks whether the condition \(S_i^\prime = S_i\) holds or not. If it does not hold, MU terminates the session. Otherwise, MU computes the new session key \(SK_i = h(a_i b_i P_H || W_1^\prime )\) shared with FA.
Update session key phase of the proposed scheme
5.5 Authentication and Key Establishment Phase When a Mobile User is Located in His/Her Home Network
- H1:
MU first inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs his/her identity \(ID_U\) and password \(PW_U\). \(SC_U\) computes \(N_U^\prime = h(PW_U || ID_U) \oplus NPW\), \(NID_U = h(ID_U || N_U^\prime )\) and verifies whether the condition \(SPW = h(N_U^\prime || ID_U || PW_U)\) holds or not. If it does not hold, \(SC_U\) rejects the entered credentials. \(SC_U\) then randomly generates a one-time secret x, and computes \(Q = NQ \oplus h(PW_U || N_U) = E_{k}(NID_U || ID_U)\), \(a = h(x || Q)\), \(A = aP\), \(R_{AC} = a P_H (= akP)\), \(DID_U = ID_U \oplus h(R_{AC})\) and \(V_1 = h(Q || R_{AC} || ID_H || A)\). Finally, \(SC_U\) sends the login request message \(Req = \{A, DID_U, V_1, ID_H\}\) to HA via a public channel.
- H2:
After receiving the login request message Req, HA computes \(R_{AC}^\prime = kA\), \(ID_U^\prime = DID_U \oplus h(R_{AC})\), \(Q^\prime = E_{k}(NID_U || ID_U)\) and \(V_1^\prime = h(Q^\prime || R_{AC}^\prime || ID_H || A)\). HA checks whether the condition \(V_1^\prime = V_1\) holds or not. If it holds, MU is authenticated by HA. Next, HA randomly generates d and computes \(D = d P\), the session key \(SK = h(Q^\prime || d A)\) shared with MU and \(W_1 = h(ID_U^\prime || A || D || Q^\prime || ID_H || SK)\). Finally, HA sends the reply message \(Rep = \{D, W_1, ID_H\}\) to MU via a public channel.
- H3:
Upon receiving the reply message Rep from HA, MU computes the common session key \(SK = h(Q^\prime || a D)\) and then \(W_1^\prime = h(ID_U || A || D || Q || ID_H || SK)\), and checks whether the condition \(W_1^\prime = W_1\) holds or not. If it holds, HA is authenticated by MU. Note that MU also shares the common session key \(SK = h(Q^\prime || aD)\) with HA.
Authentication and key establishment phase when a mobile user is located in his/her home network of the proposed scheme
5.6 Password Update Phase
- P1:
MU inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs identity \(ID_U\) and password \(PW_U\). \(SC_U\) then computes \(h_U^\prime = h(ID_U || h(PW_U || N_U))\) and checks whether the condition \(h_U^\prime = h_U\) holds or not. If it does not hold, \(SC_U\) rejects the entered identity and password. Otherwise, \(SC_U\) asks a new password. MU inputs a new password \(PW_U^{new}\) into \(SC_U\).
- P2:
\(SC_U\) generates a new random number \(x_U^{new}\), and computes \(Q^{new} = Q \oplus h(PW_U || N_U) \oplus h(PW_U^{new} || x_U^{new})\) and \(h_U^{new} = h(ID_U || h(PW_U^{new} || x_U^{new}))\). Then, \(SC_U\) replaces Q, \(h_U\) and \(N_U\) with \(Q^{new}\), \(h_U^{new}\) and \(x_U^{new}\) in the smart card \(SC_U\)’s memory, respectively.
6 Security Analysis of the Proposed Scheme
In this section, through the rigorous informal and formal security analysis it is shown that the proposed scheme has the ability to defend various known attacks.
6.1 Authentication Proof Based on BAN Logic
In this section, through the formal security analysis using the widely-accepted Burrows–Abadi–Needham logic (BAN logic) [6], it is shown that the proposed scheme provides the mutual authentication between a mobile user MU and the foreign agent (FA)/home agent (HA).
\(P \mid \equiv X\): Principal P believes a statement X, or P is entitled to believe X.
\(\#(X)\): Formula X is fresh.
\(P \shortmid \Rightarrow X\): Principal P has jurisdiction over statement X.
\(P \vartriangleleft X\): Principal P sees the statement X.
\(P \mid \sim X\): Principal P once said the statement X.
(X, Y): Formula X or Y is one part of formula (X, Y).
\(\{X\}_K\): Formula X encrypted under the key K.
\(\langle X \rangle _Y\): Formula X combined with the formula Y.
\(P \overset{K}{\longleftrightarrow } Q\): P and Q may use the shared key K to communicate. The key K is good, in that it will never be discovered by any principal except P and Q.
\(P \overset{X}{\rightleftharpoons } Q\): Formula X is secret known only to P and Q, and possibly to principals trusted by them.
Rule (1) Message-meaning rule: \(\frac{P \mid \equiv P \overset{K}{\longleftrightarrow } Q, P \vartriangleleft \{X\}_K}{P \mid \equiv Q \mid \sim X}\) and \(\frac{P \mid \equiv P \overset{Y}{\rightleftharpoons } Q, P \vartriangleleft \langle X \rangle _Y}{P \mid \equiv Q \mid \sim X}\).
Rule (2) Nonce-verification rule: \(\frac{P \mid \equiv \# (X), P \mid \equiv Q \mid \sim X}{P \mid \equiv Q \mid \equiv X}\).
Rule (3) Jurisdiction rule: \(\frac{P \mid \equiv Q\shortmid \Rightarrow X, P \mid \equiv Q \mid \equiv X}{P \mid \equiv X}\).
Rule (4) Freshness-conjuncatenation rule: \(\frac{P \mid \equiv \# (X)}{P \mid \equiv \#(X, Y)}\).
\(G_1\): \(FA \mid \equiv MU \overset{W_1}{\rightleftharpoons } FA\).
\(G_2\): \(MU \mid \equiv FA \mid \equiv MU \overset{SK}{\longleftrightarrow } FA\).
\(G_3\): \(MU \mid \equiv MU \overset{SK}{\longleftrightarrow } FA\).
\(G_4\): \(FA \mid \equiv MU \mid \equiv MU \overset{SK}{\longleftrightarrow } FA\).
\(G_5\): \(FA \mid \equiv MU \overset{SK}{\longleftrightarrow } FA\).
From message \(M_1\), \(MU \rightarrow FA\): \(A = aP, RID_U = {NID_U}_{R_{AC}}, V_1= \langle R_{AC}, ID_H, A, ID_U \rangle _{Q}, ID_H\).
From message \(M_2\), \(FA \rightarrow HA\): \(B = bP, W_2 = \{A, B, Cert_F, RID_U, V_1\}_{R_{BC}}, V_2 = \{h(A, B, Cert_F, RID_U, V_1)\}_{S_F}\).
From message \(M_3\), \(HA \rightarrow FA\): \(W_3 = \{ID_F, Cert_H, G_U, D_{BC}, A, B, W_1\}_{R_{BC}}, V_3 = \{h(ID_F, Cert_H, G_U, D_{BC}, A, B, W_1)\}_{S_H}\).
From message \(M_4\), \(FA \rightarrow MU\): \(G_U = {D_{AC}}_{R_{AC}}, W_4 = h(\langle bD_{BC} \rangle _{W_1}, G_U, A, B)\).
From message \(M_5\), \(MU \rightarrow FA\): \(\langle aD_{AC}, B, A \rangle _{W_1}\).
Message \(M_1\), \(MU \rightarrow FA\): \(\langle MU \overset{R_{AC}}{\longleftrightarrow } HA, ID_H, A, ID_U \rangle _{MU \overset{Q}{\longleftrightarrow } HA}\).
Message \(M_2\), \(FA \rightarrow HA\): \(\{FA \overset{B}{\longleftrightarrow } HA, Cert_F, MU \mid \sim (MU \overset{A}{\longleftrightarrow } HA, RID_U, V_1) \}_{FA \overset{R_{BC}}{\longleftrightarrow } HA}\).
Message \(M_3\), \(HA \rightarrow FA\): \(\langle D_F, Cert_H, G_U, D_{BC}, A, B, MU \overset{W_1}{\rightleftharpoons } FA \rangle _{FA \overset{R_{BC}}{\longleftrightarrow } HA}\).
Message \(M_4\), \(FA \rightarrow MU\): \(\langle MU \overset{bD_{BC}}{\longleftrightarrow } FA, A, B \rangle _{MU \overset{W_1}{\rightleftharpoons } FA}\).
Message \(M_5\), \(MU \rightarrow FA\): \(\langle MU \overset{aD_{AC}}{\longleftrightarrow } FA, B, A \rangle _{MU \overset{W_1}{\rightleftharpoons } FA}\).
\(H_1\): \(MU \mid \equiv \#(A)\);
\(H_2\): \(FA \mid \equiv \#(B)\);
\(H_3\): \(MU \mid \equiv MU \overset{Q}{\longleftrightarrow } HA\);
\(H_4\): \(HA \mid \equiv MU \overset{Q}{\longleftrightarrow } HA\);
\(H_5\): \(MU \mid \equiv MU \overset{W_1}{\rightleftharpoons } FA\);
\(H_6\): \(FA \mid \equiv FA \overset{R_{BC}}{\longleftrightarrow } HA\);
\(H_7\): \(HA \mid \equiv FA \overset{R_{BC}}{\longleftrightarrow } HA\);
\(H_8\): \(MU \mid \equiv HA \shortmid \Rightarrow FA \mid \sim X\);
\(H_9\): \(FA \mid \equiv HA \shortmid \Rightarrow MU \mid \sim X\);
\(H_{10}\): \(MU \mid \equiv FA \shortmid \Rightarrow MU \overset{SK}{\longleftrightarrow } FA\);
\(H_{11}\): \(FA \mid \equiv MU \shortmid \Rightarrow MU \overset{SK}{\longleftrightarrow } FA\);
\(H_{12}\): \(FA \mid \equiv HA \shortmid \Rightarrow MU \overset{W_1}{\longleftrightarrow } FA\).
- From message \(M_2\), we have,$$\begin{aligned} S_1: HA \vartriangleleft \{FA \overset{B}{\longleftrightarrow } HA, Cert_F, MU \mid \sim (MU \overset{A}{\longleftrightarrow } HA, RID_U, V_1) \}_{FA \overset{R_{BC}}{\longleftrightarrow } HA}. \end{aligned}$$
- From \(H_7\), \(S_1\) and Rule (1), we have,$$\begin{aligned} S_2: HA \mid \equiv FA \,\mid \sim \, \langle FA \overset{B}{\longleftrightarrow } HA, Cert_F, MU \mid \sim (MU \overset{A}{\longleftrightarrow } HA, RID_U, V_1) \rangle . \end{aligned}$$
- From \(S_2\), HA believes that the value \(V_1\) is said by MU, and then, from message \(M_1\), we have,$$\begin{aligned} S_3: HA \vartriangleleft \langle MU \overset{R_{AC}}{\longleftrightarrow } HA, ID_H, A, ID_U \rangle _{MU \overset{Q}{\longleftrightarrow } HA}. \end{aligned}$$
- From \(H_4, S_3\) and Rule (1), we also have,$$\begin{aligned} S_4: HA \mid \equiv MU \mid \sim \langle MU \overset{R_{AC}}{\longleftrightarrow } HA \rangle . \end{aligned}$$
- Since the value \(V_1\) is derived from \(S_2\) and it is a fresh message, from \(S_4\) and Rule (2), we obtain,$$\begin{aligned} S_5: HA \mid \equiv MU \mid \equiv \langle MU \overset{R_{AC}}{\longleftrightarrow } HA \rangle . \end{aligned}$$
- From message \(M_3\), we have,$$\begin{aligned} S_6: FA \vartriangleleft \langle D_F, Cert_H, G_U, D_{BC}, A, B, MU \overset{W_1}{\rightleftharpoons } FA \rangle _{FA \overset{R_{BC}}{\longleftrightarrow } HA}. \end{aligned}$$
- From \(H_6, S_6\) and Rule (1), we obtain,$$\begin{aligned} S_7: FA \mid \equiv HA \mid \sim \langle D_F, Cert_H, G_U, D_{BC}, A, B, MU \overset{W_1}{\rightleftharpoons } FA \rangle . \end{aligned}$$
- From \(H_2, S_6\), Rules (2) and (4), we get,$$\begin{aligned} S_8: FA \mid \equiv HA \mid \equiv MU \overset{W_1}{\rightleftharpoons } FA. \end{aligned}$$
- Again, from \(H_{12}\), \(S_8\) and Rule (3), we have,$$\begin{aligned} S_9: FA \mid \equiv MU \overset{W_1}{\rightleftharpoons } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_1)} \end{aligned}$$
- From message \(M_4\), we get,$$\begin{aligned} S_{10}: MU \vartriangleleft \langle MU \overset{bD_{BC}}{\longleftrightarrow } FA, A, B \rangle _{MU \overset{W_1}{\rightleftharpoons } FA}. \end{aligned}$$
- From \(H_5\), \(S_{10}\) and Rule (1), we get$$\begin{aligned} S_{11}: MU \mid \equiv FA \mid \sim \langle MU \overset{bD_{BC}}{\longleftrightarrow } FA, A, B \rangle . \end{aligned}$$
- It is clear from the computation of the session key \(SK = SK_F = h(bD_{BC} || W_1) = h(a D_{AC} || W_1) (= SK_U)\) that SK is a function of \(b D_{BC} = a D_{AC}\) and \(W_1\). As a result, from \(H_1\), \(S_{11}\), Rules (2) and (4), we have,$$\begin{aligned} S_{12}: MU \mid \equiv FA\,\mid \equiv MU \overset{SK}{\longleftrightarrow } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_2)} \end{aligned}$$
- From \(H_{10}\), \(S_{12}\) and Rule (3), we obtain,$$\begin{aligned} S_{13}: MU \mid \equiv MU\,\overset{SK}{\longleftrightarrow } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_3)} \end{aligned}$$
- From message \(M_5\), we get,$$\begin{aligned} S_{14}: FA \vartriangleleft \langle MU \overset{aD_{AC}}{\longleftrightarrow } FA, B, A \rangle _{MU \overset{W_1}{\rightleftharpoons } FA}. \end{aligned}$$
- From \(S_8\), \(S_{14}\) and Rule (1), we also get,$$\begin{aligned} S_{15}: FA \mid \equiv MU \mid \sim \langle MU \overset{aD_{AC}}{\longleftrightarrow } FA, B, A \rangle . \end{aligned}$$
- Since the computation of the session key \(SK = SK_F = h(bD_{BC} || W_1) = h(a D_{AC} || W_1) (= SK_U)\) is a function of \(b D_{BC} = a D_{AC}\) and \(W_1\), from \(H_2\), \(S_{15}\), Rules (2) and (4), we obtain,$$\begin{aligned} S_{16}: FA \mid \equiv MU\, \mid \equiv MU\, \overset{SK}{\longleftrightarrow } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_4)} \end{aligned}$$
- Finally, from \(H_{11}\), \(S_{16}\) and Rule (3), we have,$$\begin{aligned} S_{17}: FA \mid \equiv MU\, \overset{SK}{\longleftrightarrow } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_5)} \end{aligned}$$
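The derivation \(S_1\)–\(S_{17}\) above can be replayed mechanically. The following is an added example written for this edit, not code from the paper: a small forward-chaining checker for Rules (1)–(4), applied to the idealized messages \(M_3\), \(M_4\), \(M_5\) and the assumptions \(H_1\), \(H_2\), \(H_5\), \(H_6\), \(H_{10}\), \(H_{11}\), \(H_{12}\), which are the ones the goal steps use. Two modelling choices are assumptions: following the argument at \(S_{12}\)/\(S_{16}\), the session key SK is written directly into the idealized \(M_4\)/\(M_5\) in place of \(bD_{BC}\)/\(aD_{AC}\), of which SK is a function; and a conjunction-elimination step (standard in BAN logic, used implicitly at \(S_2\) and \(S_8\)) is added as a fifth rule.

```python
"""Added example (not from the paper): a forward-chaining checker for the BAN
rules of Sect. 6.1 that re-derives goals G_1..G_5 from the idealized messages
and the assumptions H_1, H_2, H_5, H_6, H_10, H_11, H_12."""


# Formula constructors: a formula is a nested tuple whose first element names the
# BAN construct from the notation list above.
def B(p, x):         return ('believes', p, x)                # P |≡ X
def sees(p, x):      return ('sees', p, x)                    # P ◁ X
def said(p, x):      return ('said', p, x)                    # P |~ X
def fresh(x):        return ('fresh', x)                      # #(X)
def ctrl(p, x):      return ('controls', p, x)                # P |⇒ X
def key(p, q, k):    return ('key', frozenset((p, q)), k)     # P <-K-> Q (unordered pair)
def secret(p, q, y): return ('secret', frozenset((p, q)), y)  # P <=Y=> Q (unordered pair)
def enc(x, k):       return ('enc', x, k)                     # {X}_K
def comb(x, y):      return ('comb', x, y)                    # <X>_Y
def conj(*xs):       return ('conj',) + xs                    # (X, Y, ...)


def parts(x):
    """Components of a conjunction; a non-conjunction is its own single part."""
    return x[1:] if x[0] == 'conj' else (x,)


def step(facts):
    """Apply every rule once to the current fact set; return only the new facts."""
    new = set()
    believes = [f for f in facts if f[0] == 'believes']
    for _, p, x in believes:
        # Rule (1) message-meaning: P |≡ P<-K->Q and P ◁ {X}_K, or P |≡ P<=Y=>Q and P ◁ <X>_Y
        if x[0] in ('key', 'secret') and p in x[1] and len(x[1]) == 2:
            q = next(iter(x[1] - {p}))
            wrapper = 'enc' if x[0] == 'key' else 'comb'
            for f in facts:
                if f[0] == 'sees' and f[1] == p and f[2][0] == wrapper and f[2][2] == x[2]:
                    new.add(B(p, said(q, f[2][1])))
        # Rule (4) freshness-conjuncatenation: #(X) => #(X, Y) for a said conjunction containing X
        if x[0] == 'fresh':
            for _, p2, y in believes:
                if p2 == p and y[0] == 'said' and x[1] in parts(y[2]):
                    new.add(B(p, fresh(y[2])))
        # Rule (2) nonce-verification: P |≡ #(X) and P |≡ Q |~ X  =>  P |≡ Q |≡ X
        if x[0] == 'said' and B(p, fresh(x[2])) in facts:
            new.add(B(p, B(x[1], x[2])))
        # Rule (3) jurisdiction: P |≡ Q |⇒ X and P |≡ Q |≡ X  =>  P |≡ X
        if x[0] == 'controls' and B(p, B(x[1], x[2])) in facts:
            new.add(B(p, x[2]))
        # Conjunction elimination (standard BAN; assumed here, used implicitly at S_2 and S_8)
        if x[0] == 'believes' and x[2][0] == 'conj':
            for part in parts(x[2]):
                new.add(B(p, B(x[1], part)))
    return new - facts


def derive(facts, goals, max_rounds=50):
    """Forward-chain to a fixpoint and report which goals became believed."""
    facts = set(facts)
    for _ in range(max_rounds):
        new = step(facts)
        if not new:
            break
        facts |= new
    return {g: g in facts for g in goals}


MU, FA, HA = 'MU', 'FA', 'HA'
W1 = secret(MU, FA, 'W_1')
SK = key(MU, FA, 'SK')
hypotheses = [
    B(MU, fresh('A')),            # H_1
    B(FA, fresh('B')),            # H_2
    B(MU, W1),                    # H_5
    B(FA, key(FA, HA, 'R_BC')),   # H_6
    B(MU, ctrl(FA, SK)),          # H_10
    B(FA, ctrl(MU, SK)),          # H_11
    B(FA, ctrl(HA, W1)),          # H_12
]
messages = [
    sees(FA, enc(conj('ID_F', 'Cert_H', 'G_U', 'D_BC', 'A', 'B', W1), 'R_BC')),  # M_3 as in S_6
    sees(MU, comb(conj(SK, 'A', 'B'), 'W_1')),                                  # M_4 as in S_10
    sees(FA, comb(conj(SK, 'B', 'A'), 'W_1')),                                  # M_5 as in S_14
]
goals = {'G1': B(FA, W1), 'G2': B(MU, B(FA, SK)), 'G3': B(MU, SK),
         'G4': B(FA, B(MU, SK)), 'G5': B(FA, SK)}


def check_goals(facts=None):
    """Return {goal name: derived?} for the scheme's facts (or for a custom fact list)."""
    facts = hypotheses + messages if facts is None else facts
    got = derive(facts, goals.values())
    return {name: got[g] for name, g in goals.items()}


if __name__ == '__main__':
    print(check_goals())
```

The derivation order the checker finds matches the proof: \(G_1\) needs \(H_6\), \(H_2\) and \(H_{12}\) on \(M_3\); \(G_2\)/\(G_3\) follow from \(H_5\), \(H_1\) and \(H_{10}\) on \(M_4\); and \(G_4\)/\(G_5\) need \(G_1\) first, since FA can only apply Rule (1) to \(M_5\) once it believes \(W_1\) is shared with MU. Removing \(H_{12}\) leaves \(G_2\) and \(G_3\) derivable but not \(G_1\), \(G_4\) or \(G_5\), which shows which assumption each goal rests on.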
6.2 Informal Security Analysis
In this section, it is shown that the proposed scheme has the ability to tolerate the following known attacks.
Proposition 1
The proposed scheme provides the user anonymity property.
Proof
In the proposed scheme, the mobile user MU sends the login request message \(M_1 = \{A, RID_U, V_1, ID_H\}\) to the foreign agent FA, where \(RID_U = E_{R_{AC}.x}(NID_U)\) is used to protect the real identity \(ID_U\) of MU. Since \(R_{AC} = aP_H = h(x || Q)kP\) and \(NID_U = h(ID_U || N_U)\), an attacker has no ability to obtain the original real identity \(ID_U\) of MU, even if the session-specific temporary information x is revealed to the adversary, due to the difficulty of solving the ECDLP and of inverting the one-way hash function \(h(\cdot )\). At the same time, the attacker cannot trace the moving history and current location of MU from the login request message, as the login message changes dynamically across MU’s login requests. In addition, FA has no ability to trace MU’s activities, as it authenticates the user MU using \(W_1 = h(E_k(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\), which is shared with the home agent HA, due to the difficulty of inverting the collision-resistant one-way hash function \(h(\cdot )\). Hence, the proposed scheme provides the strong user anonymity property.□
Proposition 2
The proposed scheme resists the impersonation attacks.
Proof
Any attacker cannot impersonate MU to cheat FA and HA. In the proposed scheme, whether MU is located in a foreign network or in his/her home network, HA validates MU’s credentials by verifying the value \(V_1\) sent in the request message \(M_1\). HA validates MU’s credentials and identifies a replayed message as discussed in Remark 2. Then, HA gives the temporary authentication factor \(W_1= h(E_k(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\) to FA in order to mutually authenticate FA and MU and to share a session key. Thus, MU needs to provide the confirmation message \(M_5 = \{Auth\}\), where \(Auth = h(W_1 || aD_{AC} || B || A)\), to FA. The attacker has no ability to compute \(M_5\), as he/she cannot compute \(W_1\) and \(a = h(x || Q)\) without the knowledge of the session temporary secret x and the long-term secret Q. On the other hand, when MU is located in a foreign network, an attacker has no ability to cheat FA due to the difficulty of computing the confirmation message without the knowledge of x and Q. As a result, the proposed scheme successfully prevents impersonation of MU to cheat FA and HA.
An attacker cannot impersonate FA to cheat HA and MU. In the proposed scheme, HA authenticates FA by checking the validity of \(V_2\), which is the FA’s digital signature. So, the attacker cannot compute the correct FA’s digital signature without knowing FA’s private key \(S_F\). Therefore, the attacker cannot cheat HA successfully by masquerading as FA. At the same time, the authentication of MU to FA is completely dependent on the authentication of HA to FA. If an attacker cannot successfully cheat HA by masquerading as FA, he/she cannot also cheat MU successfully.
Any attacker cannot impersonate HA to cheat FA and MU. In the proposed scheme, the FA authenticates HA by checking the validity of \(V_3\), which is the HA’s digital signature. The attacker cannot compute the correct HA’s digital signature without knowing HA’s private key \(S_H\). Thus, the attacker cannot cheat FA successfully by masquerading as HA. On the other hand, the MU authenticates HA by verifying the computed \(W_1= h(E_k(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\). Since the attacker cannot compute the correct \(W_1\) without the knowledge of \(NID_U\), \(ID_U\) and k, the attacker cannot cheat MU successfully.
Proposition 3
The proposed scheme prevents the replay attack.
Proof
An attacker might replay an old login request message \(M_1 = \{A, RID_U, V_1, ID_H\}\) to FA and receive the message \(M_4 = \{G_U, B, W_4\}\) from FA. However, the attacker still cannot compute the correct session key \(SK = h(aD_{AC} || W_1) = h(bD_{BC} || W_1)\), as he/she has no ability to compute \(W_1\) and \(aD_{AC}\) without the knowledge of x, Q and \(ID_U\). Furthermore, the verification of the old B and A by HA and FA, respectively, detects replayed messages as explained in Remark 2. Thus, a replayed message is detected, and as a result, the proposed scheme successfully prevents the replay attack.□
Proposition 4
The proposed scheme withstands the man-in-the-middle attack.
Proof
From goals \(G_3\) and \(G_5\) of the BAN logic proof in Sect. 6.1, it is clear that the proposed scheme provides secure mutual authentication in the presence of the home agent HA. Thus, any unauthorized modification of the communicated messages is detected. Hence, the attacker has no ability to launch the man-in-the-middle attack.□
Proposition 5
The proposed scheme provides the SK-security.
Proof
In the proposed scheme, the session key is computed as \(SK = h(aD_{AC} || W_1) = h(bD_{BC} || W_1)\), where \(W_1= h(Q || D_{AC} || A || ID_U || ID_F || ID_H)\) and \(a = h(x || Q)\). It is clear that the session key is a function of both session-temporary information x and long-term secret Q. Thus, if any one of the x and Q, but not both, is unexpectedly revealed to the adversary, he/she cannot be successful in computing the session key SK. Hence, the proposed scheme is secure against session-temporary information attack as well as it provides perfect forward secrecy. As a result, the proposed scheme provides the session key security.□
Proposition 6
The proposed scheme prevents the offline password guessing attack with smart card security breach.
Proof
Assume that an attacker captures all the information \(\{NQ, P_H, ID_H, NPW, SPW, F_p, E, h(\cdot ), \varOmega \}\) stored in the user smart card \(SC_U\) from the stolen/lost smart card \(SC_U\) using the power analysis attacks [22, 27], where \(NQ = Q \oplus h(N_U || PW_U)\), \(NPW = h(PW_U || ID_U) \oplus N_U\) and \(SPW = h(N_U || ID_U || PW_U)\). From the transmitted messages, the user identity \(ID_U\) is anonymous. Thus, in order to guess the password \(PW_U\), the attacker also needs to guess the identity \(ID_U\). The attacker needs to guess both the identity \(ID_U^\prime \) and the password \(PW_U^\prime \) at the same time, and check their validity as follows: compute \(N_U^\prime = h(PW_U^\prime || ID_U^\prime ) \oplus NPW\) and check the validity of the condition \(SPW = h(N_U^\prime || ID_U^\prime || PW_U^\prime )\). If it is valid, the attacker has succeeded in guessing the correct password and identity. However, the success probability of guessing both the password and the identity simultaneously is approximately \(\frac{1}{2^{6n + 6m}}\), where n and m represent the number of characters in \(PW_U\) and \(ID_U\), respectively [12]. For example, if \(n = m = 10\), the probability of success is \(\frac{1}{2^{120}}\), which is negligible. As a result, the proposed scheme is secure against the offline password guessing attack.□
Proposition 7
The proposed scheme withstands the privileged-insider attack.
Proof
In the proposed scheme, the mobile user MU does not share the chosen password with the home agent HA. Instead, MU only sends the information \(\{ ID_U, NID_U \}\) securely to HA during the registration phase. Suppose that, knowing this information, the privileged-insider attacker of HA obtains all the information \(\{NQ, P_H, ID_H, NPW, SPW, F_p, E, h(\cdot ), \varOmega \}\) from the lost/stolen smart card \(SC_U\) of the mobile user MU using the power analysis attacks [22, 27]. To guess the correct password \(PW_U\) of MU from NQ and SPW, the attacker needs to know \(ID_U\) and the random secret \(N_U\) of MU. Since \(N_U\) and \(ID_U\) are not stored in the smart card \(SC_U\), it is computationally infeasible for the attacker to guess \(PW_U\) correctly. On the other hand, to guess \(PW_U\) correctly, the attacker also needs to guess \(ID_U\) correctly in order to verify the guessed password using NPW. It is also computationally infeasible for the attacker to guess \(PW_U\) correctly in this case. Thus, the privileged-insider attack is prevented in the proposed scheme.□
Proposition 8
The proposed scheme provides the local password verification.
Proof
As in Zhao et al.’s scheme, the proposed scheme also provides the local password verification facility. In addition, the proposed scheme prevents the unauthorized local password verification as it prevents the offline password guessing attack.□
Proposition 9
The proposed scheme provides provision for revocation and re-registration.
Proof
In the proposed scheme, the home agent HA maintains an identity table to prevent the many-logged-in-users attack. Moreover, the proposed scheme provides the revocation and re-registration facility in two genuine real-life cases: when the authentication factor is unexpectedly revealed, and when the user smart card is lost/stolen. However, Zhao et al.’s scheme fails to provide this facility, as it does not maintain any identity table.□
7 Simulation Results for Formal Security Verification Using AVISPA Tool
7.1 AVISPA Overview
AVISPA is a modular and expressive formal language for specifying protocols and their security properties, which integrates different back-ends that implement a variety of state-of-the-art automatic analysis techniques [2]. It is a push-button tool for the automated validation of Internet security-sensitive protocols and applications. Recently, it has become a widely-accepted tool for formal security verification [10, 11, 14, 31, 32, 33, 34]. AVISPA contains four back-ends: On-the-fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC) and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). The detailed descriptions of these back-ends are available in [2, 37].
The SUMMARY section tells whether the tested protocol is safe or unsafe, or whether the analysis is inconclusive.
DETAILS section either explains under what condition the tested protocol is declared safe, or what conditions have been used for finding an attack, or finally why the analysis was inconclusive.
PROTOCOL, GOAL and BACKEND sections denote the name of the protocol, the goal of the analysis and the name of the back-end used, respectively.
Finally, after some comments and statistics, the trace of an attack (if any) is also printed in the standard Alice–Bob format.
agent: It is for the principal name. The intruder is always assumed to have the special identifier i.
public_key: It indicates agents’ public keys in a public-key cryptosystem. For example, given a public (respectively private) key K, its inverse private (respectively public) key is obtained by \(inv\_K\).
symmetric_key: It represents the keys for a symmetric-key cryptosystem.
text: It is often used as nonces. These values can be also used for messages. For example, if Ni is of type text (fresh), then \(Ni^\prime \) will be a fresh value which the intruder cannot guess easily.
nat: It represents the natural numbers in non-message contexts.
const: It denotes the constants.
hash_func: It represents cryptographic hash functions.
7.2 Specifying the Protocol
Case 1: It consists of the registration phase, and authentication and key establishment phase.
Case 2: It consists of the registration phase, and authentication and key establishment phase when a mobile user MU is located in his/her home network.
Consider the HLPSL implementations for the various roles in Case 2. In a similar way, the roles for MU and HA are also implemented in Figs. 5 and 6, respectively. In addition, the roles for the session, and the goal and environment of the proposed scheme are given in Fig. 7.
7.3 Analysis of Results
Executability check on non-trivial HLPSL specifications: Due to modeling mistakes, a protocol model sometimes cannot execute to completion. The AVISPA back-ends may then fail to find an attack because the protocol model cannot reach the state in which that attack could happen, so an executability test becomes extremely essential [37]. For the executability test, the proposed scheme shows that the protocol description is well matched with the designed goals as specified in Figs. 1, 2, 3, 4, 5, 6 and 7.
Replay attack check: For the replay attack check, the OFMC and CL-AtSe back-ends verify whether the legitimate agents can execute the specified protocol by performing a search of a passive intruder. These back-ends provide the intruder with the knowledge of some normal sessions between the legitimate agents. The test results shown in Figs. 8 and 9 indicate that the proposed scheme is secure against the replay attack.
Dolev–Yao model check: For the Dolev–Yao model check, the OFMC and CL-AtSe back-ends also verify whether any man-in-the-middle attack is possible by an intruder. It is evident from the results reported in Figs. 8 and 9 that the proposed scheme fulfills the design properties and is also secure under these back-ends.
8 Performance Analysis of the Proposed Scheme
Computational cost comparison among the proposed scheme and other schemes during the login, authentication and session key agreement phases
Scheme | MU | FA | HA |
---|---|---|---|
Ours | \(4A+13H+2Mu+1E+1Ma\) | \(5H+2Mu+3E+1D+2G\) | \(4H+1E+3D+3Mu+1Ma+1G+1V\) |
Zhao et al. [42] | \(3A+7H+1Mu+1D\) | \(2H+2Mu+2E+1D+1G+1V\) | \(2A+4H+3Mu+1E+1D+1G+1V\) |
Mun et al. [28] | \(2A+4H+1Mu+1E\) | \(2A+3H+1Mu+1E\) | \(3A+3H\) |
Memon et al. [26] | \(5A+10H+1E+1D\) | \(3H+2Mo+2E+2D+1G+1V\) | \(2A+3H+3Mo+1E+3D+1G+1V\) |
Functionality comparison among the proposed scheme and other schemes
Functionality | Ours | Zhao et al. [42] | Mun et al. [28] | Memon et al. [26] |
---|---|---|---|---|
\(F_1\) | Yes | No | No | Yes |
\(F_2\) | Yes | Yes | No | Yes |
\(F_3\) | Yes | Yes | No | Yes |
\(F_4\) | Yes | Yes | No | Yes |
\(F_5\) | Yes | Yes | No | Yes |
\(F_6\) | Yes | No | No | Yes |
\(F_7\) | Yes | Yes | Yes | Yes |
\(F_8\) | Yes | No | No | No |
\(F_9\) | Yes | No | No | No |
\(F_{10}\) | Yes | Yes | Yes | Yes |
\(F_{11}\) | Yes | Yes | No | Yes |
\(F_{12}\) | Yes | No | No | No |
\(F_{13}\) | Yes | No | No | Yes |
\(F_{14}\) | Yes | No | No | Yes |
\(F_{15}\) | Yes | No | Yes | Yes |
\(F_{16}\) | Yes | Yes | No | Yes |
Finally, Table 8 compares the functionality of the proposed scheme with that of the other schemes, namely Zhao et al.’s scheme, Mun et al.’s scheme and Memon et al.’s scheme. It is also clear that the proposed scheme is more secure and provides more security functionality than the other schemes. In Zhao et al.’s scheme, the functionality features \(F_1\), \(F_6\), \(F_8\)–\(F_9\) and \(F_{12}\)–\(F_{14}\) are not satisfied. In addition, there is a design flaw in the registration phase of Zhao et al.’s scheme. In Mun et al.’s scheme, the functionality features \(F_1\)–\(F_6\), \(F_8\)–\(F_9\) and \(F_{11}\)–\(F_{14}\) are not satisfied. On the other hand, in Memon et al.’s scheme, the functionality features \(F_8\)–\(F_9\) and \(F_{12}\) are not satisfied.
9 Conclusion
In this paper, the merits and demerits of the existing authentication schemes for the roaming service in GLOMONET are first discussed. A secure and effective user authentication scheme for the roaming service in GLOMONET is then presented in order to withstand the security pitfalls and design flaws found in the recently proposed schemes of Zhao et al. and Memon et al. Through the rigorous formal security analysis using the BAN logic, it is proved that the proposed scheme provides secure mutual authentication between a mobile user and the foreign/home agent. Further, the rigorous informal security analysis shows that the proposed scheme has the ability to tolerate various known attacks. Moreover, the proposed scheme is simulated using the most-widely accepted AVISPA tool. The simulation results reported in this paper clearly indicate that the proposed scheme is secure. In addition, the proposed scheme is efficient in computation and communication as compared to other related schemes. Better security, extra functionality features and efficiency make the proposed scheme feasible for the roaming service in GLOMONET.
Acknowledgements
The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper. This research is supported by the National Natural Science Foundation of China under Grant No. 61300220, and it is also supported by PAPD and CICAEET.
References
- 1. Advanced Encryption Standard, U.S. Department of Commerce, November 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf. Accessed Nov 2010.
- 2. AVISPA. Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/. Accessed Aug 2015.
- 3. AVISPA. AVISPA Web Tool. http://www.avispa-project.org/web-interface/expert.php/. Accessed Aug 2015.
- 4. Bellare, M., Boldyreva, A., & Micali, S. (2000). Public-key encryption in a multi-user setting: Security proofs and improvements. In Advances in cryptology—EUROCRYPT 2000 (pp. 259–274). Springer.
- 5. Bellare, M., Canetti, R., & Krawczyk, H. (1998). A modular approach to the design and analysis of authentication and key exchange protocols. In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing (STOC) (pp. 419–428). Dallas: ACM.
- 6. Burrows, M., Abadi, M., & Needham, R. (1990). A logic of authentication. ACM Transactions on Computer Systems, 8(1), 18–36.
- 7. Canetti, R., & Krawczyk, H. (2001). Analysis of key-exchange protocols and their use for building secure channels. In Advances in cryptology—EUROCRYPT 2001 (pp. 453–474). Innsbruck: Springer.
- 8. Chang, C., Lee, C., & Chiu, Y. (2009). Enhanced authentication scheme with anonymity for roaming service in global networks. Computer Communications, 34(4), 611–618.
- 9. Das, A. K. (2011). Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Information Security, 5(3), 145–151.
- 10. Das, A. K. (2013). A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Networking Science, 2(1–2), 12–27.
- 11. Das, A. K. (2016). A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Networking and Applications, 9(1), 223–244.
- 12. Das, A. K., & Goswami, A. (2013). A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. Journal of Medical Systems, 37(3), 9948.
- 13. Das, A. K., Paul, N. R., & Tripathy, L. (2012). Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Information Sciences, 209, 80–92.
- 14. Das, A. K. (2015). A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks. Wireless Personal Communications, 82(3), 1377–1404.
- 15.Dolev, D., & Yao, A. C. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198–208.MathSciNetCrossRefMATHGoogle Scholar
- 16.Dutta, R., & Barua, R. (2008). Provably secure constant round contributory group key agreement in dynamic setting. IEEE Transactions on Information Theory, 54(5), 2007–2025.MathSciNetCrossRefMATHGoogle Scholar
- 17.Gope, P., & Hwang, T. (2015). Enhanced secure mutual authentication, and key agreement scheme preserving user anonymity in global mobile networks. Wireless Personal Communications, 82(4), 2231–2245.CrossRefGoogle Scholar
- 18.Gope, P., & Hwang, T. (2016). Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks. IEEE Systems Journal, 10(4), 1370–1379.CrossRefGoogle Scholar
- 19.He, D., Ma, M., Zhang, Y., Chen, C., & Bu, J. (2011). A strong user authentication scheme with smart cards for wireless communications. Computer Communications, 34(3), 367–374.CrossRefGoogle Scholar
- 20.He, D., Zhang, Y., & Chen, J. (2014). Cryptanalysis and improvement of an anonymous authentication protocol for wireless access networks. Wireless Personal Communications, 74(2), 229–243.CrossRefGoogle Scholar
- 21.Jiang, Q., Ma, J., Li, G., & Yang, L. (2013). An enhanced authentication scheme with privacy preservation for roaming services in global mobility networks. Wireless Personal Communications, 68(4), 1477–1491.CrossRefGoogle Scholar
- 22.Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Advances in cryptology—CRYPTO’99 (pp. 388–397). California: Springer.Google Scholar
- 23.Lee, C., Hwang, M., & Liao, I. (2006). Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Transactions on Industrial Electronics, 53(5), 1683–1686.CrossRefGoogle Scholar
- 24.Li, C. T., & Lee, C. (2012). A novel user authentication and privacy preserving scheme with smart cards for wireless communications. Mathematical and Computer Modelling, 55(1–2), 35–44.MathSciNetCrossRefMATHGoogle Scholar
- 25.Li, X., Niu, J.-W., Ma, J., Wang, W.-D., & Liu, C.-L. (2011). Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications, 34, 73–79.CrossRefGoogle Scholar
- 26.Memon, I., Hussain, I., Akhtar, R., & Chen, G. (2015). Enhanced Privacy and Authentication: An Efficient and Secure Anonymous Communication for Location Based Service Using Asymmetric Cryptography Scheme. Wireless Personal Communications, 84(2), 1487–1508.CrossRefGoogle Scholar
- 27.Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.MathSciNetCrossRefGoogle Scholar
- 28.Mun, H., Han, K., Lee, Y. S., Yeun, C. Y., & Choi, H. H. (2012). Enhanced secure anonymous authentication scheme for roaming service in global mobility networks. Mathematical and Computer Modelling, 55, 214–222.MathSciNetCrossRefMATHGoogle Scholar
- 29.Nickalls, R. W. D. (1993). A new approach to solving the cubic: Cardan’s solution revealed. The Mathematical Gazette, 77(480), 354–359.CrossRefGoogle Scholar
- 30.Odelu, V., Das, A. K., & Goswami, A. (2014). A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Information Sciences, 269, 270–285.MathSciNetCrossRefMATHGoogle Scholar
- 31.Odelu, V., Das, A. K., & Goswami, A. (2015). A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security, 10(9), 1953–1966.CrossRefGoogle Scholar
- 32.Odelu, V., Das, A. K., & Goswami, A. (2015). DMAMA: Dynamic migration access control mechanism for mobile agents in distributed networks. Wireless Personal Communications, 84(1), 207–230.CrossRefGoogle Scholar
- 33.Odelu, V., Das, A. K., & Goswami, A. (2015). An effective and robust secure remote user authenticated key agreement scheme using smart cards in wireless communication systems. Wireless Personal Communications,. doi:10.1007/s11277-015-2721-7.Google Scholar
- 34.Odelu, V., Das, A. K., & Goswami, A. (2015). A secure and scalable group access control scheme for wireless sensor networks. Wireless Personal Communications,. doi:10.1007/s11277-015-2866-4.Google Scholar
- 35.Sarkar, P. (2010). A simple and generic construction of authenticated encryption with associated data. ACM Transactions on Information and System Security, 13(4), 33.CrossRefGoogle Scholar
- 36.Stallings, W. (2006). Cryptography and network security: Principles and practices (3rd ed.). Pearson Education India.Google Scholar
- 37.von Oheimb, D. (2005). The high-level protocol specification language HLPSL developed in the EU project AVISPA. In Proceedings of APPSEM 2005 Workshop.Google Scholar
- 38.Wang, D., He, D., Wang, P., & Chu, C. (2015). Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment. IEEE Transactions on Dependable and Secure Computing, 12(4), 428–442.CrossRefGoogle Scholar
- 39.Wen, F., Susilo, W., & Yang, G. (2013). A secure and effective user authentication scheme for roaming service in global mobility networks. Wireless Personal Communications, 73(3), 993–1004.CrossRefGoogle Scholar
- 40.Wu, C., Lee, W., & Tsaur, W. (2008). A secure authentication scheme with anonymity for wireless communications. IEEE Communications Letters, 12(10), 722–723.CrossRefGoogle Scholar
- 41.Wu, S., & Chen, K. (2012). An efficient key-management scheme for hierarchical access control in e-medicine system. Journal of Medical Systems, 36(4), 2325–2337.CrossRefGoogle Scholar
- 42.Zhao, D., Peng, H., Li, L., & Yang, Y. (2014). A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wireless Personal Communications, 78(1), 247–269.CrossRefGoogle Scholar
- 43.Zhou, T., & Xu, J. (2011). Provable secure authentication protocol with anonymity for roaming service in global mobility networks. Computer Networks, 55(1), 205–213.MathSciNetCrossRefMATHGoogle Scholar
- 44.Zhu, J., & Ma, J. (2004). A new authentication scheme with anonymity for wireless environments. IEEE Transactions on Consumer Electronics, 55(1), 230–234.Google Scholar