Wireless Personal Communications, Volume 96, Issue 2, pp 2351–2387

A Secure Anonymity Preserving Authentication Scheme for Roaming Service in Global Mobility Networks

  • Vanga Odelu
  • Soumya Banerjee
  • Ashok Kumar Das
  • Samiran Chattopadhyay
  • Saru Kumari
  • Xiong Li
  • Adrijit Goswami

Abstract

In real-life applications, ensuring secure transmission of data over public network channels to prevent malicious eavesdropping is an important issue. Several potential security risks arise while protecting data and providing access control over it. Due to the broadcast nature of wireless channels, wireless networks are often vulnerable to various known attacks. Therefore, designing a secure and efficient authentication scheme for the global mobility network (GLOMONET) environment is a challenging task for researchers. In recent years, several user authentication schemes for roaming services in GLOMONET have been proposed. However, most of them are either vulnerable to various known attacks or inefficient. Most recently, Zhao et al. proposed an anonymous authentication scheme for roaming service in GLOMONET (Zhao et al. in Wireless Personal Communications 78:247–269, 2014) and claimed that their scheme withstands all possible known attacks. In this paper, Zhao et al.’s scheme is revisited, and it is shown that their scheme fails to provide strong user anonymity when the session-specific temporary information is revealed to an adversary. Further, their scheme does not protect against the replay attack, the offline password guessing attack and the privileged-insider attack. In addition, there is no provision for a revocation and re-registration mechanism in their scheme, and there is also a design flaw in their scheme. Moreover, another recently proposed scheme by Memon et al. (Memon et al. in Wireless Personal Communications 84:1487–1508, 2015) fails to protect against the privileged-insider attack. Thus, there is a great need for security enhancement of their schemes before they can be applied in practice. The proposed scheme withstands the security weaknesses found in Zhao et al.’s scheme and Memon et al.’s scheme. Through rigorous formal and informal security analysis, it is shown that the proposed scheme tolerates various known attacks. In addition, the proposed scheme is simulated using the widely accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool, and the simulation results show that the proposed scheme is secure. The proposed scheme is also efficient in computation and communication as compared to Zhao et al.’s scheme and other related schemes.

Keywords

Authentication; Key agreement; User anonymity; Roaming service; Global mobility networks; Security; BAN logic; AVISPA

1 Introduction

The global roaming service is provided by the global mobility network (GLOMONET), which permits an authorized mobile user, while visiting a foreign agent (FA), to use the ubiquitous services provided by his/her home agent (HA) [18]. With the rapid development of such environments, several security problems, including user privacy, have attracted research attention [28]. As a result, authentication with anonymity in GLOMONET has become an important security issue in recent years. A strong user authentication scheme in GLOMONET needs to satisfy the following requirements [19, 42]: (1) user anonymity; (2) low communication cost and computation complexity; (3) single registration; (4) periodic session key update; (5) user friendliness; (6) no password/verifier table; (7) secure and free password update; (8) prevention of fraud; (9) prevention of replay attack; (10) prevention of man-in-the-middle attack; (11) security; and (12) authentication when a user is located in the home network. In addition, a strong user authentication scheme in GLOMONET should satisfy the security requirements listed in Sect. 1.1.

1.1 Security Requirements of Authentication Schemes

According to [5, 7, 31], in the basic adversarial model, a probabilistic polynomial-time (PPT) adversary \(\mathcal {A}\) has full control over all the authentic messages. Hence, \(\mathcal {A}\) can read, modify or delete all the authentic messages transmitted between users and server. In addition, \(\mathcal {A}\) can gain access to secret information via session exposure attacks. Thus, an authentication scheme should satisfy the following security properties [31]:
  • SK-security An authentication scheme should guarantee the security of the session key, called the session key security (SK-security), in the following two cases:
    1. The leakage of a session key or of session-specific temporary information has no effect on the security of other sessions.
    2. The leakage of crucial long-term secrets, such as the private keys of users or servers, which are used across multiple sessions, does not compromise the session keys of past sessions; this is known as perfect forward secrecy.

  • User credentials privacy It ensures that \(\mathcal {A}\) cannot derive a user’s credentials, such as the authentication parameter, the user password and the identity.

  • Secure mutual authentication It ensures that an authentication scheme provides secure mutual authentication based on the shared secret credentials.

1.2 Threat Model

In the Dolev–Yao threat model [15], any two communicating entities communicate over an insecure channel. An attacker can eavesdrop on all traffic, inject packets and replay old messages that were previously delivered. A similar threat model is used for the proposed scheme, where the communication channels are insecure and the end-points cannot be trusted. Further, the following two assumptions about an adversary \(\mathcal {A}\), as in [38], are considered: (1) \(\mathcal {A}\) can obtain and breach a victim’s smart card and (2) \(\mathcal {A}\) can return the breached smart card without detection. In these two cases, \(\mathcal {A}\) obtains (steals or picks up) a user’s smart card for a relatively long period of time (e.g., a few hours), extracts the sensitive information stored in the smart card’s memory using a power analysis attack [22, 27], either alone or with recourse to professional labs, and finally returns the breached smart card to the user without his/her awareness.

1.3 Related Work

To achieve secure and effective mutual authentication and privacy protection in GLOMONET, several authentication protocols have been proposed in the literature [18, 19, 23, 28, 42, 44]. Particularly, in 2004, Zhu and Ma [44] proposed a smart card based wireless security protocol, which preserves the user anonymity property. Unfortunately, although their scheme is computationally very efficient, later it was found that their protocol cannot achieve mutual authentication and perfect backward secrecy, and it is also vulnerable to the forgery attack [23].

In 2006, Lee et al. [23] proposed an enhanced anonymous authentication scheme which withstands the security pitfalls found in Zhu–Ma’s scheme [44]. Later, Wu et al. [40] and Chang et al. [8] pointed out that Lee et al.’s scheme fails to achieve user anonymity. In addition, they pointed out that, in Lee et al.’s scheme, an attacker who is a registered user of an HA is able to obtain the identities of other users as long as they are registered at the same HA. In order to withstand the security flaws found in Wu et al.’s scheme, He et al. [19] further proposed an enhanced scheme. In 2012, Li and Lee [24] showed that He et al.’s scheme [19] fails to provide user anonymity and is also vulnerable to replay and impersonation attacks. However, in 2013, Das [10] pointed out that Li–Lee’s scheme fails to achieve strong authentication in the login and authentication phases. In addition, Li–Lee’s scheme fails to update the user’s password correctly in the password change phase and also fails to protect against replay attacks. To remedy these security weaknesses, Das proposed an effective user authentication and privacy preserving scheme with smart cards for wireless communications.

In 2013, Jiang et al. [21] proposed an anonymous user authentication scheme. However, He et al. [20] showed that Jiang et al.’s scheme is vulnerable to several attacks, including the spoofing attack and the replay attack. In addition, Gope and Hwang [17] analyzed the security of Wen et al.’s scheme [39] and showed that it is vulnerable to the forgery attack, replay attack and known session key attack, and fails to provide backward and forward secrecy. Gope and Hwang [18] further analyzed Zhou–Xu’s scheme [43] and pointed out that it is also insecure. To remove the security drawbacks of Zhou–Xu’s scheme, Gope and Hwang [18] proposed an efficient mutual authentication and fair key agreement scheme preserving anonymity for roaming services.

Most recently, Zhao et al. [42] proposed an anonymous authentication scheme for roaming service in GLOMONET and claimed that their scheme can withstand all possible known attacks. Memon et al. [26] asserted that Zhao et al.’s scheme is vulnerable to the offline guessing attack, replay attack, smart card stolen attack and stolen verifier attack, and that it lacks proper session-key agreement. They proposed an efficient anonymous communication scheme for location based services over wireless systems using asymmetric cryptography. However, as outlined in Remark 1, their scheme is insecure against the privileged-insider attack. In addition, it is shown in Sect. 4 that Zhao et al.’s scheme is also insecure against several other known attacks.

1.4 Our Contributions

The contributions made in this paper are outlined below:
  • The recently proposed Zhao et al.’s scheme [42] is first analyzed and it is then shown that their scheme fails to provide strong user anonymity when the session-specific temporary information is revealed to an adversary. Further, their scheme does not protect against the replay attack, the offline password guessing attack and the privileged-insider attack. In addition, there is no provision for a revocation and re-registration mechanism in their scheme, and there is also a design flaw in their scheme.

  • Moreover, it is also pointed out that the recently proposed Memon et al.’s scheme [26] is insecure against the privileged-insider attack.

  • An enhanced anonymous authentication scheme for roaming service in GLOMONET is put forward to withstand all the security pitfalls found in Zhao et al.’s scheme.

  • Through the rigorous formal and informal security analysis, it is shown that the proposed scheme is secure against possible known attacks including the SK-security (discussed in Sect. 1.1).

  • The security analysis using the widely accepted Burrows–Abadi–Needham logic (BAN logic) shows that the proposed scheme provides the mutual authentication between a mobile user and the foreign agent (FA)/home agent (HA).

  • The simulation of the proposed scheme using the most-widely accepted and used Automated Validation of Internet Security Protocols and Applications (AVISPA) tool is also carried out, and the simulation results clearly indicate that the proposed scheme is secure.

  • Finally, the proposed scheme is also efficient compared to Zhao et al.’s scheme and other related schemes.

1.5 Roadmap of the Paper

The remainder of this paper is organized as follows. Section 2 discusses some mathematical preliminaries, which are useful in describing and analyzing Zhao et al.’s scheme as well as the proposed scheme. In Sect. 3, the various phases of Zhao et al.’s scheme are reviewed in order to cryptanalyze their scheme in Sect. 4. In Sect. 5, a secure and effective enhanced anonymous authentication scheme for roaming service in GLOMONET is proposed. The security of the proposed scheme is analyzed using both formal and informal security analysis in Sect. 6. In Sect. 7, the proposed scheme is simulated for formal security verification using the widely accepted AVISPA tool, and it is shown that the proposed scheme is secure against the replay and man-in-the-middle attacks. The performance of the proposed scheme is compared with Zhao et al.’s scheme and other related schemes in Sect. 8. Finally, the paper is concluded in Sect. 9.

2 Mathematical Preliminaries

In this section, the following basic mathematical preliminaries are briefly reviewed, which are helpful for describing and analyzing the proposed scheme and other schemes.

2.1 Elliptic Curve Cryptosystem

A non-singular elliptic curve \(y^2 = x^3 + ax + b\) over the finite field GF(p) is the set \(E_p(a,b)\) of solutions \((x, y) \in Z_p \times Z_p\) to the congruence \(y^2 = x^3 + ax + b \, (\bmod \, p)\), together with a special point \(\mathcal {O}\) called the point at infinity or zero point. Here \(p > 3\) is a prime, \(Z_p = \{ 0, 1, \ldots , p-1\}\), and \(a, b \in Z_p\) are constants such that \(4a^3 + 27b^2 \ne 0 \, (\bmod \, p)\). The condition \(4a^3 + 27b^2 \ne 0 \, (\bmod \, p)\) is necessary and sufficient for the cubic \(x^3 + ax + b\) to have no repeated roots, i.e., for the curve to be non-singular [29]. Hasse’s theorem [36] asserts that the number |E| of points on the elliptic curve \(E_p(a,b)\) satisfies the inequality \(p + 1 -2\sqrt{p} \le |E| \le p + 1 +2 \sqrt{p}\). In other words, an elliptic curve \(E_p(a,b)\) over \(Z_p\) has roughly p points. In addition, \(E_p(a,b)\) forms an abelian (commutative) group under the elliptic curve point addition operation, with \(\mathcal {O}\) as the identity element.

Elliptic curve discrete logarithm problem (ECDLP) Computing \(Q = kP\) is relatively easy for a given scalar \(k \in Z_p\) and an elliptic curve point \(P \in E_{p}(a,b)\). However, given P and Q, it is computationally hard to derive the scalar \(k \in Z_p\) such that \(Q = kP\). This problem is known as the elliptic curve discrete logarithm problem [31, 36].

Definition 1

(Formal definition of elliptic curve discrete logarithm problem) The elliptic curve discrete logarithm problem (ECDLP) is formally defined as given in [13, 16, 30]. Let \(E_p(a, b)\) be an elliptic curve modulo a prime p. Let \(P \in E_p(a, b)\) and \(Q = kP \in E_p(a, b)\) be two points, where \(k \in _R Z_p\). The notation \(a \in _R B\) is to denote that a is chosen randomly from the set B.

Instance: \((P, Q, r)\) for some \(r \in _R Z_p\).

Output: Yes, if \(Q = rP\), i.e., \(k = r\), and output: No, otherwise.

Consider the following two distributions:
$$\begin{aligned} \Delta _{real}= & {} \{k \in _R Z_p, A = P, B = Q(= kP), C = k : (A, B, C)\}, \\ \Delta _{rand}= & {} \{k, r \in _R Z_p, A = P, B = Q(= kP), C = r : (A, B, C)\}. \end{aligned}$$
The advantage of any probabilistic, polynomial-time, 0/1-valued (false/true-valued) distinguisher \(\mathcal {D}\) in solving ECDLP on \(E_p(a, b)\) is defined by
$$\begin{aligned} Adv_{\mathcal {D}, E_p(a,b)}^{ECDLP}= & {} |Pr[(A, B, C) \leftarrow \Delta _{real}: \mathcal {D}(A, B, C) = 1] \\&- Pr[(A, B, C) \leftarrow \Delta _{rand} : \mathcal {D}(A, B, C) = 1]|, \end{aligned}$$
where the probability \(Pr[\cdot ]\) is taken over the random choices of k and r. \(\mathcal {D}\) is said to be a \((t, \epsilon )\)-ECDLP distinguisher for \(E_p(a, b)\) if \(\mathcal {D}\) runs at most in time t such that \(Adv_{\mathcal {D}, E_p(a,b)}^{ECDLP}(t) \ge \epsilon \).

ECDLP assumption There exists no \((t, \epsilon )\)-ECDLP distinguisher for \(E_p(a, b)\). In other words, for every probabilistic, polynomial-time 0/1-valued distinguisher \(\mathcal {D}\), \(Adv_{\mathcal {D}, E_p(a,b)}^{ECDLP}(t) \le \epsilon \), for any sufficiently small \(\epsilon > 0\).

2.2 Collision-Resistant One-Way Hash Function

A collision-resistant one-way hash function \(h : \{0, 1\}^* \rightarrow \{0, 1\}^n\) is a deterministic algorithm [35] that takes an input as an arbitrary length binary string \(x \in \{0, 1\}^*\). It then outputs a binary string \(h(x) \in \{0, 1\}^n\) of fixed-length n. The formalization of an adversary \(\mathcal {A}\)’s advantage in finding collision is given as follows:
$$\begin{aligned} Adv^{HASH}_{\mathcal {A}} (t) = Pr[(x, x^\prime ) \Leftarrow _R \mathcal {A} : x \ne x^\prime \, \text{ and } \, \, h(x) = h(x^\prime )], \end{aligned}$$
(1)
where Pr[E] denotes the probability of an event E in a random experiment, and \((x, x^\prime ) \Leftarrow _R \mathcal {A}\) denotes the pair \((x, x^\prime )\) is selected randomly by \(\mathcal {A}\). In this case, \(\mathcal {A}\) is allowed to be probabilistic and the probability in the advantage is computed over the random choices made by \(\mathcal {A}\) with the execution time t. \(h(\cdot )\) is said to be collision-resistant, if \(Adv^{HASH}_{\mathcal {A}} (t) \le \epsilon \), for any sufficiently small \(\epsilon > 0\).

One of the fundamental properties of a secure one-way hash function is that its outputs are very sensitive to small perturbations in inputs.

2.3 Symmetric-Key Encryption Scheme \(\varOmega \) and IND-CPA

In the proposed scheme, a symmetric-key encryption scheme \(\varOmega \) (for example, the symmetric-key cryptosystem AES-128 [1]) is used which is secure in the sense of indistinguishability under chosen plaintext attack (IND-CPA). In the following, IND-CPA is defined in the single and multiple eavesdropper settings [4, 41].

Definition 2

(Indistinguishability of encryption under chosen plaintext attack) Suppose SE / ME denotes a single/multiple eavesdropper and \(O_{n_1}, O_{n_2}, \ldots , O_{n_k}\) are k different encryption oracles associated with the secret keys \(n_1, n_2, \ldots , n_k\), respectively. The advantage functions of SE and ME are defined as
$$\begin{aligned} Adv_{\varOmega , SE}^{IND-CPA}(l) = & {} 2Pr[SE \leftarrow O_{n_1}; (m_0, m_1) \leftarrow _R SE; \theta \leftarrow _R \{0,1\}; \gamma \leftarrow _R O_{n_1}(m_{\theta }) : SE(\gamma ) = \theta ] - 1, \\ Adv_{\varOmega , ME}^{IND-CPA}(l) = & {} 2Pr[ME \leftarrow O_{n_1}, O_{n_2}, \ldots , O_{n_k}; (m_0, m_1) \leftarrow _R ME; \theta \leftarrow _R \{0, 1\}; \\ & {} \quad \gamma _1 \leftarrow _R O_{n_1}(m_{\theta }), \gamma _2 \leftarrow _R O_{n_2}(m_{\theta }), \ldots , \gamma _k \leftarrow _R O_{n_k}(m_{\theta }) : ME(\gamma _1, \gamma _2, \ldots , \gamma _k) = \theta ] - 1, \end{aligned}$$
respectively, where \(\theta \leftarrow _R \{0, 1\}\) denotes that \(\theta \) is a bit chosen uniformly at random from the set \(\{0, 1\}\). The encryption scheme \(\varOmega \) is said to be IND-CPA secure in the single (respectively, multiple) eavesdropper setting if \(Adv_{\varOmega , SE}^{IND-CPA}(l)\) (respectively, \(Adv_{\varOmega , ME}^{IND-CPA}(l)\)) is negligible in the security parameter l for any probabilistic polynomial-time adversary SE (respectively, ME).
Table 1 Notations used in this paper

Symbol                       Description
MU, FA, HA                   Mobile user, foreign agent and home agent, respectively
\(SC_U\)                     Smart card of MU
\(PW_X\)                     Password of an entity X
\(ID_X\)                     Identity of an entity X
\(Cert_X\)                   Certificate of an entity X
\(N_X\)                      Random number generated by an entity X
p                            A sufficiently large prime number
E                            Elliptic curve \(y^2 = x^3 + ax + b \pmod {p}\) over the finite field \(F_p\)
P                            A base point on E
R.x                          x-coordinate of an ECC point \(R \in E\)
\(P+Q\)                      ECC point addition of \(P, Q \in E\)
\(P-Q\)                      \(P + (-Q)\), where \(-Q \in E\) is the inverse of \(Q \in E\)
\(h(\cdot )\)                A secure collision-resistant one-way hash function
\(E_k(\cdot )/D_k(\cdot )\)  Symmetric-key encryption/decryption using the key k
\((k_X, P_X)\)               Private and public key pair of entity X, where \(P_X = k_X P\)
\(\varOmega \)               Secure symmetric-key cryptosystem
A||B                         Data A concatenated with data B
\(A \oplus B\)               Exclusive-OR of data A and data B
\(\Rightarrow {\ } \)        A secure channel
\(\rightarrow {\ } \)        A public channel

3 Review of Zhao et al.’s Scheme

In this section, the recently proposed Zhao et al.’s authentication scheme for roaming service in global mobility networks [42] is briefly reviewed for understanding the cryptanalysis on this scheme. The notations listed in Table 1 are used for describing Zhao et al.’s scheme. Their scheme consists of the following phases.

3.1 Registration Phase

A mobile user MU registers at his/her home agent HA in order to become a legal client to access the services. The user MU’s registration procedure is as follows.
R1:

MU selects his/her own identity-password pair \((ID_U, PW_U)\) and a random number \(N_U\). Then, MU sends a registration request message \(Reg = \{ID_U, h(PW_U || N_U)\}\) to the home agent HA via a secure channel.

R2:

Upon receiving Reg from MU, HA computes \(Q = h(ID_U || k) \oplus h(PW_U || N_U)\) and \(h_U = h(ID_U || h(PW_U || N_U))\), where k is the secret key of HA. HA stores \(\{Q, h_U, C = cP, ID_H\}\) in a smart card, say \(SC_U\), and sends it to MU via a secure channel.

R3:

After receiving \(SC_U\) from HA, MU stores \(N_U\) into \(SC_U\). Therefore, MU’s smart card \(SC_U\) finally contains the parameters \(\{Q, h_U, C, ID_H, N_U\}\).

3.2 Authentication and Key Establishment Phase

In Zhao et al.’s scheme [42], in order to mutually authenticate and agree on a session key with the help of the home agent HA of MU, a mobile user MU and a foreign agent FA execute the following steps:
A1:

MU inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs identity \(ID_U\) and password \(PW_U\). Then, \(SC_U\) computes \(h_U^\prime = h(ID_U || h(PW_U || N_U))\) and checks whether the condition \(h_U^\prime = h_U\) holds or not. If it does not hold, \(SC_U\) rejects the entered credentials. Otherwise, \(SC_U\) randomly generates a number a, and computes \(A = aP\), \(R_{AC} = aC\), \(N = Q \oplus h(PW_U || N_U)\), \(DID_U = ID_U \oplus h(R_{AC})\) and \(V_1 = h(N || R_{AC} || ID_H || A || C)\). Then, \(SC_U\) sends the request message \(M_1 = \{A, DID_U, C, V_1, ID_H\}\) to the foreign agent FA over a public channel.

A2:

Upon receiving \(M_1\) from MU, FA generates a random number b, and computes \(B = bP\), \(R_{BC} = bC\), \(W_2 = E_{R_{BC}}[A, B, Cert_F, V_1, DID_U]\) and \(V_2 = E_{S_F}\{h(A, B, Cert_F, V_1, DID_U)\}\), where \(S_F\) and \(Cert_F\) are the private key and certificate of FA, respectively. FA sends the message \(M_2 = \{B, W_2, V_2\}\) to the home agent HA of MU over a public channel.

A3:

After receiving \(M_2\) from FA, HA computes \(R_{BC} = cB\) and retrieves \([A, B, Cert_F, V_1, DID_U] = D_{R_{BC}}[W_2]\), and then verifies FA’s signature \(V_2\) by using FA’s certificate \(Cert_F\). If it is valid, FA is authenticated by HA. After that, HA computes \(R_{AC} = cA\), \(ID_U = DID_U \oplus h(R_{AC})\) and \(V_1^\prime = h(h(ID_U || k) || R_{AC} || ID_H || A || C)\), and checks whether the condition \(V_1^\prime = V_1\) holds or not. If it holds, MU is authenticated by HA. After both MU and FA are authenticated by HA, HA randomly generates a number d and computes \(D = dP\), \(G_U = dB \oplus R_{AC}\), \(W_1 = h(h(ID_U || k) || dB || A || D || ID_F || ID_H)\), \(W_3 = E_{R_{BC}}[ID_F, Cert_H, G_U, dA, A, B, D, W_1]\) and \(V_3 = E_{S_H}\{h(ID_F, Cert_H, G_U, dA, A, B, D, W_1)\}\). Finally, HA sends \(M_3 = \{W_3, V_3\}\) to FA over a public channel.

A4:

Upon receiving \(M_3\), FA decrypts \(D_{R_{BC}}[W_3]\) to retrieve \(ID_F\), \(Cert_H\), \(G_U\), dA, A, B, D and \(W_1\) using the computed \(R_{BC}\) in Step A2. Then, FA verifies the validity of HA’s signature \(V_3\) by using HA’s certificate \(Cert_H\). If it is valid, HA is authenticated by FA, which also means that HA claims that MU is a legitimate user. After authentication, FA computes the common session key \(SK = h(bdA)\) and \(W_4 = E_{SK}[W_1, D, ID_F]\). Finally, FA sends \(M_4 = \{G_U, W_4\}\) to MU over a public channel.

A5:

After receiving \(M_4\), MU computes \(dB = G_U \oplus R_{AC}\) and \(SK = h(adB)\), and decrypts \(D_{SK}[W_4]\) to retrieve \(W_1\), D, \(ID_F\). Then, MU computes \(W_1^\prime = h(N || dB || A || D || ID_F || ID_H)\) and checks whether the condition \(W_1^\prime = W_1\) holds or not. If it holds, FA and HA are authenticated by MU. After authentication, MU confirms that the common session key is \(SK = h(adB)\). Then, MU computes \(Auth = h(W_1 || adB)\) and sends \(M_5 = \{Auth\}\) to FA over a public channel.

A6:

After receiving \(M_5\), FA computes \(Auth^\prime = h(W_1 || bdA)\) and compares it with the received Auth. If they are equal, FA confirms that the common session key with MU is \(SK = h(bdA)\).

3.3 Authentication and Key Establishment When a Mobile User is Located in His/Her Home Network

In order to authenticate and agree on a session key when a mobile user MU is located in his/her home network, MU and the home agent HA need to execute the following steps:
H1:

MU inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs identity \(ID_U\) and password \(PW_U\). Then, \(SC_U\) computes \(h_U^\prime = h(ID_U || h(PW_U || N_U))\) and checks whether the condition \(h_U^\prime = h_U\) holds or not. If it holds, \(SC_U\) confirms that MU is a legitimate user. Otherwise, \(SC_U\) rejects the entered user credentials. Next, \(SC_U\) randomly generates a and computes \(A = aP\), \(R_{AC} = aC\), \(N = Q \oplus h(PW_U || N_U)\), \(DID_U = ID_U \oplus h(R_{AC})\) and \(V_1 = h(N || R_{AC} || ID_H || A || C)\). Finally, \(SC_U\) sends the request message \(Req = \{A, DID_U, C, V_1, ID_H\}\) to HA over a public channel.

H2:

After receiving Req, HA computes \(R_{AC} = cA\), \(ID_U = DID_U \oplus h(R_{AC})\) and \(V_1^\prime = h(h(ID_U || k) || R_{AC} || ID_H || A || C)\). HA checks whether the condition \(V_1^\prime = V_1\) holds or not. If it holds, MU is authenticated by HA. Next, HA randomly generates d and computes \(D = dP\), \(W_1 = h(h(ID_U || k) || A || C || D || ID_H)\) and the session key \(SK = h(dA)\) shared with MU. Finally, HA sends the challenge message \(Challenge = \{D, W_1, ID_H\}\) to MU over a public channel.

H3:

Upon receiving Challenge from HA, MU computes \(W_1^\prime = h(N || A || C || D || ID_H)\) and checks whether the condition \(W_1^\prime = W_1\) holds or not. If it holds, HA is authenticated by MU. Finally, MU also computes the common session key \(SK = h(a D)\) shared with HA.

4 Cryptanalysis on Zhao et al.’s Scheme

In this section, the cryptanalysis on Zhao et al.’s scheme is presented and it is also shown that their scheme is vulnerable to several known attacks.

4.1 Known Session-Specific Temporary Information and Its Consequences

Assume that the session-specific temporary information a of a mobile user MU is revealed to the PPT adversary \(\mathcal {A}\). In addition, the adversary \(\mathcal {A}\) also intercepts the login request message \(M_1 = \{A, DID_U, C, V_1, ID_H\}\), where \(A = aP\), \(R_{AC} = aC\), \(N = Q \oplus h(PW_U || N_U)\), \(DID_U = ID_U \oplus h(R_{AC})\) and \(V_1 = h(N || R_{AC} || ID_H || A || C)\), and also the message \(M_4 = \{G_U, W_4\}\), where \(G_U = dB \oplus R_{AC}\) and \(W_4 = E_{SK}[W_1, D, ID_F]\). Then, Zhao et al.’s scheme has the following drawbacks:
  • Since the session key SK is computed as \(SK = h(bdA)\), the attacker \(\mathcal {A}\) computes the session key as follows. \(\mathcal {A}\) first computes \(R_{AC} = aC\), \(dB = G_U \oplus R_{AC}\) and then \(SK = h(adB)\) using the session-specific temporary information a.

  • \(\mathcal {A}\) intercepts the login request message \(M_1\) and computes \(A^\prime = aP\). Then, \(\mathcal {A}\) checks whether the condition \(A^\prime = A\) holds or not, which confirms that the leaked a belongs to this session. If it holds, \(\mathcal {A}\) further computes \(R_{AC}^\prime = a C\) and the identity \(ID_U = DID_U \oplus h(R_{AC}^\prime )\). Thus, Zhao et al.’s scheme fails to provide strong user anonymity when the session-specific temporary information is revealed to the adversary \(\mathcal {A}\).

  • Assume that \(\mathcal {A}\) intercepts the message \(M_1\) during the login phase and replays it to log in to the system. Since \(M_1\) is a valid login message and neither FA nor HA checks it for freshness (it carries no timestamp, and a previously seen A is not detected), the foreign agent FA and the home agent HA cannot identify the replayed message, and finally \(\mathcal {A}\) receives a valid message \(M_4 = \{G_U, W_4\}\) from the foreign agent FA. Since \(\mathcal {A}\) has the session-specific temporary information a corresponding to \(M_1\), he/she can compute the session key SK as above without knowledge of MU’s credentials \((ID_U, PW_U)\). Then, \(\mathcal {A}\) decrypts \(W_4\) using SK to retrieve \(W_1, D, ID_F\) and computes the valid authentication message \(Auth = h(W_1 || adB)\). As a result, \(\mathcal {A}\), knowing the session-specific temporary information, can successfully establish a session with the foreign agent FA without any difficulty. Thus, Zhao et al.’s scheme fails to prevent the replay attack.

Note that, in case of establishing the session key directly with home agent HA, the mobile user MU does not send any confirmation message to the home agent HA after receiving the message Challenge in Step H2. Thus, the above analysis is also applicable when the mobile user MU establishes a session key directly with his/her home agent HA.
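The protocol of Sect. 3.2 and the consequences of a leaked ephemeral a from Sect. 4.1, carried through in code as an added example (this is not code from Zhao et al. or from this paper): a simulated MU, FA/HA and adversary run the core steps, and the adversary, holding only a and the public messages \(M_1\) and \(M_4\), recovers \(ID_U\), SK and a valid Auth, then does the same again against a replayed \(M_1\). Assumptions not in the original: the curve is secp256k1, \(h(\cdot )\) is SHA-256, EC points are XOR-ed as 64-byte x||y encodings, identities are short byte strings XOR-ed with a truncated hash, and the signatures \(V_2, V_3\) and the encrypted messages \(W_2, W_3, W_4\) are left out because the attack never touches them (the adversary is handed \(W_1\) directly, as it would have it after decrypting \(W_4\) with the recovered SK).

```python
"""Core of Zhao et al.'s scheme (Sect. 3.2) and the ephemeral-secret attack
of Sect. 4.1, re-implemented for illustration (not the authors' code).
Assumed substitutions: curve secp256k1, h() = SHA-256, EC points XOR-ed as
64-byte x||y encodings; signatures and the HA<->FA encryption are omitted."""
import hashlib, secrets

# secp256k1 domain parameters (assumed; any prime-order curve would do)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ID_H, ID_F = b"HA-1", b"FA-1"  # constructed identities

def ec_add(P1, P2):
    """Affine point addition; None stands for the point at infinity O."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:  # doubling; curve coefficient a = 0 for secp256k1
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P1):
    """Double-and-add scalar multiplication kP."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1, k = ec_add(P1, P1), k >> 1
    return R

def enc(P1): return P1[0].to_bytes(32, "big") + P1[1].to_bytes(32, "big")
def dec(b): return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big"))
def h(*parts): return hashlib.sha256(b"||".join(parts)).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))  # truncates to shorter
def rand_scalar(): return secrets.randbelow(n - 1) + 1
def kbytes(k): return k.to_bytes(32, "big")

def ha_setup():
    k, c = rand_scalar(), rand_scalar()
    return {"k": k, "c": c, "C": ec_mul(c, G)}

def register(ha, ID_U, PW_U):
    """Steps R1-R3: the values that end up on the smart card SC_U."""
    N_U = secrets.token_bytes(16)
    hpw = h(PW_U, N_U)
    return {"Q": xor(h(ID_U, kbytes(ha["k"])), hpw), "h_U": h(ID_U, hpw),
            "C": ha["C"], "N_U": N_U}

def mu_login(sc, ID_U, PW_U, a):
    """Step A1: SC_U builds M1 from the card contents and the ephemeral a."""
    hpw = h(PW_U, sc["N_U"])
    assert sc["h_U"] == h(ID_U, hpw), "wrong credentials"
    A, R_AC = ec_mul(a, G), ec_mul(a, sc["C"])
    N = xor(sc["Q"], hpw)  # N = h(ID_U || k)
    V_1 = h(N, enc(R_AC), ID_H, enc(A), enc(sc["C"]))
    return {"A": A, "DID_U": xor(ID_U, h(enc(R_AC))), "C": sc["C"], "V_1": V_1}

def fa_ha_respond(ha, M1, b, d):
    """Steps A2-A4 collapsed: HA checks V_1 (note: no freshness check on M1),
    then FA and HA derive SK.  Returns what reaches MU (G_U and, inside W_4
    in the real scheme, W_1) plus FA's own SK and expected Auth."""
    A, C = M1["A"], M1["C"]
    R_AC = ec_mul(ha["c"], A)
    ID_U = xor(M1["DID_U"], h(enc(R_AC)))
    N = h(ID_U, kbytes(ha["k"]))
    if h(N, enc(R_AC), ID_H, enc(A), enc(C)) != M1["V_1"]:
        return None  # HA rejects MU
    B, D = ec_mul(b, G), ec_mul(d, G)
    dB, bdA = ec_mul(d, B), ec_mul(b, ec_mul(d, A))
    W_1 = h(N, enc(dB), enc(A), enc(D), ID_F, ID_H)
    return {"G_U": xor(enc(dB), enc(R_AC)), "W_1": W_1,
            "SK_FA": h(enc(bdA)), "Auth_FA": h(W_1, enc(bdA))}

def adversary(a, M1, M4):
    """Sect. 4.1: with the leaked ephemeral a and the public M1/M4, recover
    R_AC, ID_U, SK = h(adB) and a valid Auth = h(W_1 || adB), without PW_U."""
    R_AC = ec_mul(a, M1["C"])
    ID_U = xor(M1["DID_U"], h(enc(R_AC)))
    adB = ec_mul(a, dec(xor(M4["G_U"], enc(R_AC))))
    return ID_U, h(enc(adB)), h(M4["W_1"], enc(adB))

def demo():
    ha = ha_setup()
    ID_U, PW_U = b"alice@home", b"correct horse"  # constructed user
    sc = register(ha, ID_U, PW_U)
    a = rand_scalar()
    M1 = mu_login(sc, ID_U, PW_U, a)
    M4 = fa_ha_respond(ha, M1, rand_scalar(), rand_scalar())
    got_id, got_sk, got_auth = adversary(a, M1, M4)
    # Replay: the unchanged M1 is accepted again, and the adversary derives
    # the new session's key and a valid Auth exactly as before.
    M4r = fa_ha_respond(ha, M1, rand_scalar(), rand_scalar())
    _, sk_r, auth_r = adversary(a, M1, M4r)
    return {"id_recovered": got_id == ID_U,
            "sk_recovered": got_sk == M4["SK_FA"],
            "auth_accepted": got_auth == M4["Auth_FA"],
            "replay_accepted": M4r is not None and sk_r == M4r["SK_FA"]
                               and auth_r == M4r["Auth_FA"]}
```

Running `demo()` returns all four flags as True. Both calls to `fa_ha_respond` accept the same \(M_1\) because no component of \(M_1\) is checked for freshness, which is exactly the condition the replay in Sect. 4.1 relies on; the adversary never needs \(PW_U\), the card contents or HA’s key k.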

4.2 Privileged-Insider Attack

This attack analysis is similar to that presented in [11]. During the registration of a mobile user MU, a privileged insider of the HA can collect MU’s registration information \(\{ID_U^\prime , h(PW_U || N_U)^\prime \}\). Assume that the privileged insider, acting as an attacker \(\mathcal {A}\), tries to impersonate the valid mobile user MU using the stolen/lost smart card \(SC_U\) of MU. \(\mathcal {A}\) retrieves the information \(\{Q, h_U, C, ID_H, N_U\}\) stored in the smart card of MU using power analysis [22, 27], where \(Q = h(ID_U || k) \oplus h(PW_U || N_U)\), \(h_U = h(ID_U || h(PW_U || N_U))\) and \(N_U\) is a random number. \(\mathcal {A}\) then computes \(h_U^\prime = h(ID_U^\prime || h(PW_U || N_U)^\prime )\) using the collected information \(\{ID_U^\prime , h(PW_U || N_U)^\prime \}\), and verifies whether the condition \(h_U = h_U^\prime \) holds or not. If it holds, \(\mathcal {A}\) confirms that the message \(Reg = \{ID_U^\prime , h(PW_U || N_U)^\prime \}\) corresponds to MU with the smart card \(SC_U\), and launches the offline password guessing attack as follows.
Step 1

Guess a password \(PW^{guess}\) and compute \(h^{guess} = h(PW^{guess} || N_U)\).

Step 2

Check whether the condition \(h^{guess} = h(PW_U || N_U)\) holds or not. If the condition is true, the guessed password \(PW^{guess}\) is the correct password \(PW_U\).

Step 3

Otherwise, \(\mathcal {A}\) repeats from Step 1.

4.3 No Provision for Revocation and Reregistration

In order to provide strong security to the mobile user MU, revocation of a lost/stolen smart card is one of the fundamental security requirements of smart-card based authentication schemes. If the mobile user MU’s smart card \(SC_U\) is lost or stolen, there must be some mechanism to prevent the misuse of the lost/stolen smart card \(SC_U\). Otherwise, an adversary \(\mathcal {A}\) can impersonate the legal user MU, as the registration phase has no ability to detect a re-registration with an old identity. To cope with this problem, smart-card based authentication schemes need to store an identity information table in the HA’s database, based on which an invalid smart card can be detected [31, 38]. However, Zhao et al.’s authentication scheme does not consider this fundamental security feature of revocation and re-registration.

4.4 Other Drawbacks of Zhao et al.’s Scheme

During the registration phase of Zhao et al.’s scheme, the home agent HA stores the parameter \(C = cP\) on the smart card, where c is a random number generated by HA. However, Zhao et al. have not defined whether the parameter C is the same for all users. If it is the same for all users, it is not necessary to send it with the message \(M_1\). So, it may be different for each user MU. In this case, C is a fixed per-user value sent in the clear in every \(M_1\), which enables a user traceability attack. Moreover, Zhao et al. claimed that their scheme requires no verification table. Thus, if C is different for different users, HA cannot compute \(R_{BC} = cB\), \(R_{AC} = cA\) and \(ID_U = DID_U \oplus h(R_{AC})\) without knowing the per-user random value c, and it cannot look c up without a table indexed by some user-specific value. Hence, Zhao et al.’s scheme suffers from this design flaw.

Remark 1

The privileged-insider attack analysis on Memon et al.’s scheme [26] is also similar to that presented in [11]. During the registration, the mobile client \(ID_{Mc}\) chooses a password \(pw_{Mc}\) and a random number \(b_1 \in Z_p^*\). It computes the hash \(PW_{Mc}= h(pw_{Mc} || b_1)\). Then, it submits the registration request \(m_{reg}= \{ID_{Mc}, PW_{Mc}\}\) to the home agent LBSs via a secure channel. Suppose a privileged insider of the home agent LBSs collects the registration information \(\{ID_{Mc}, PW_{Mc}\}\). Assume that the privileged insider \(\mathcal {A}\) tries to impersonate the valid mobile client by stealing the smart card of the mobile client \(ID_{Mc}\). Note that the secret information \(b_1\) is stored in the smart card. The adversary \(\mathcal {A}\) then retrieves all the information, including \(b_1\), using power analysis [22, 27]. After that, the adversary \(\mathcal {A}\) can guess a password \(pw_{Mc}^*\), compute \(PW_{Mc}^* = h(pw_{Mc}^* || b_1)\) using the retrieved \(b_1\), and then check the condition \(PW_{Mc}^* = PW_{Mc}\). If it is valid, the adversary \(\mathcal {A}\) is successful in guessing the correct password \(pw_{Mc}\). It is thus clear that Memon et al.’s scheme [26] is insecure against the privileged-insider attack.

5 The Proposed Scheme

In this section, an enhancement scheme is presented to withstand the security drawbacks found in Zhao et al.’s scheme as well as Memon et al.’s scheme. As in Zhao et al.’s scheme, our improved scheme also consists of the initialization phase, registration phase, authentication and key establishment phase, session key update phase, authentication and key establishment phase when a mobile user is located in his/her home network and password update phase, which are described in the following subsections.

5.1 Initialization Phase

In this phase, the home agent HA initializes with the following parameters: (1) elliptic curve E over finite field \(F_p\), a base point P on E, a private key k, and the corresponding public key \(P_H = kP\); (2) a collision-resistant one-way cryptographic hash function \(h(\cdot )\); and (3) an IND-CPA secure symmetric-key cryptosystem \(\varOmega \). Finally, HA publicly declares the parameters \(\{F_p, E, P_H, h(\cdot ), \varOmega \}\) and keeps the private key k as secret, which is only known to HA.

5.2 Registration Phase

In order to complete the registration of a mobile user MU to become a legal client to access the services, MU and the home agent HA need to execute the following steps:
R1:

MU chooses his/her own identity \(ID_U\) and a strong password \(PW_U\). Then, MU chooses a random number \(N_U\) and computes \(NID_U = h(ID_U || N_U)\). Finally, MU sends a registration request \(Reg = \{ID_U, NID_U\}\) to the home agent HA via a secure channel.

R2:

Upon receiving Reg from MU, HA computes \(Q = E_{k}(NID_U || ID_U)\) and stores \(\{Q, ID_H, F_p, E, P_H, h(\cdot ), \varOmega \}\) in a smart card, say \(SC_U\). Furthermore, HA stores \(\{HID_U = h(NID_U || k), EID_U = E_k(ID_U)\}\) in its database corresponding to MU. HA sends \(SC_U\) to MU via a secure channel.

R3:

After receiving \(SC_U\) from HA, MU computes \(NPW = h(PW_U || ID_U) \oplus N_U\), \(NQ = Q \oplus h(N_U || PW_U)\) and \(SPW = h(N_U || ID_U || PW_U)\). MU then stores NQ, NPW and SPW into the smart card \(SC_U\). Finally, MU’s smart card \(SC_U\) contains the information \(\{NQ, P_H, ID_H, NPW, SPW, F_p, E, h(\cdot ), \varOmega \}\).

The summary of registration phase is given in Table 2.
Table 2 Registration phase of the proposed scheme
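The registration steps R1–R3 above, followed by the card-side credential check that opens step A1, as an added illustration (this is not the paper’s code). The paper leaves the primitives open, so the example assumes \(h(\cdot)\) is SHA-256 and models the symmetric cipher \(\varOmega\) by a toy XOR keystream so that \(E_k(\cdot)\) is invertible; the identity, password and HA key are constructed sample values. The point it makes is that after R3 the card holds neither \(Q\), \(N_U\) nor \(PW_U\) in clear, and that \(Q\) is only unblinded once the SPW check has passed.

```python
"""Registration (R1-R3) and the local credential check of A1, added illustration."""
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """h(.): SHA-256 over the '||'-concatenation of its arguments (assumption)."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def mask(data: bytes, key: bytes) -> bytes:
    """XOR 'data' with a SHA-256 keystream derived from 'key'.

    Toy stand-in for E_k(.) (and for stretching h(N_U || PW_U) to len(Q) when
    forming NQ). Applying it twice with the same key restores the data. It is
    NOT a real cipher and is used only to keep the example self-contained.
    """
    blocks = (len(data) + 31) // 32
    stream = b"".join(h(key, i.to_bytes(4, "big")) for i in range(blocks))
    return xor(data, stream[: len(data)])


def register(id_u: bytes, pw_u: bytes, k: bytes, id_h: bytes) -> dict:
    """Run R1-R3; return the personalised card, HA's database entry and Q."""
    # R1: MU picks N_U, computes NID_U = h(ID_U || N_U), sends {ID_U, NID_U}.
    n_u = secrets.token_bytes(32)
    nid_u = h(id_u, n_u)
    # R2: HA computes Q = E_k(NID_U || ID_U) and stores HID_U, EID_U.
    q = mask(nid_u + b"||" + id_u, k)
    db_entry = {"HID_U": h(nid_u, k), "EID_U": mask(id_u, k)}
    # R3: MU blinds Q with the password; only NQ, NPW, SPW go on the card.
    card = {
        "NQ": mask(q, h(n_u, pw_u)),        # Q (+) h(N_U || PW_U)
        "NPW": xor(h(pw_u, id_u), n_u),     # h(PW_U || ID_U) (+) N_U
        "SPW": h(n_u, id_u, pw_u),          # h(N_U || ID_U || PW_U)
        "ID_H": id_h,                        # public parameters omitted
    }
    return {"card": card, "db_entry": db_entry, "Q": q, "NID_U": nid_u}


def card_local_check(card: dict, id_u: bytes, pw_u: bytes):
    """Start of A1: recover N_U' from NPW, verify SPW, then unblind Q.

    Returns None when the entered credentials are rejected.
    """
    n_u = xor(h(pw_u, id_u), card["NPW"])        # N_U' = h(PW_U || ID_U) (+) NPW
    if card["SPW"] != h(n_u, id_u, pw_u):        # SPW ?= h(N_U' || ID_U || PW_U)
        return None
    nid_u = h(id_u, n_u)                          # NID_U = h(ID_U || N_U')
    q = mask(card["NQ"], h(n_u, pw_u))            # Q = NQ (+) h(N_U || PW_U)
    return {"N_U": n_u, "NID_U": nid_u, "Q": q}


def demo() -> bool:
    """Constructed sample run: correct credentials pass, a wrong password fails."""
    k, id_h = h(b"constructed HA master key"), b"HA-1"
    reg = register(b"alice@example", b"correct horse battery", k, id_h)
    ok = card_local_check(reg["card"], b"alice@example", b"correct horse battery")
    bad = card_local_check(reg["card"], b"alice@example", b"wrong password")
    return ok is not None and ok["Q"] == reg["Q"] and bad is None
```

Because NPW and SPW depend on both \(ID_U\) and \(PW_U\), a wrong value for either one yields a different \(N_U^\prime\) and the SPW comparison fails before \(Q\) is ever reconstructed; this is the property Proposition 6 later relies on.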

5.3 Authentication and Key Establishment Phase

When the mobile user MU wants to establish a session key with the foreign agent FA, he/she executes the following steps with the foreign agent FA in the presence of his/her home agent HA:
A1:

MU first inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs his/her identity \(ID_U\) and password \(PW_U\). \(SC_U\) computes \(N_U^\prime = h(PW_U || ID_U) \oplus NPW\), \(NID_U = h(ID_U || N_U^\prime )\) and verifies whether the condition \(SPW = h(N_U^\prime || ID_U || PW_U)\) holds or not. If it does not hold, \(SC_U\) rejects the entered credentials. Otherwise, \(SC_U\) randomly generates a one-time secret x and computes \(Q = NQ \oplus h(N_U || PW_U)\), \(a = h(x || Q)\), \(A = aP\), \(R_{AC} = aP_H\), \(RID_U = E_{R_{AC}.x}(NID_U)\), where \(R_{AC}.x\) denotes the x-coordinate of the ECC point \(R_{AC}\), and \(V_1 = h(Q || R_{AC} || ID_H || A || ID_U)\). Then, \(SC_U\) sends the login request message \(M_1 = \{A, RID_U, V_1, ID_H\}\) to the foreign agent FA over a public channel.

A2:

Upon receiving \(M_1\) from MU, FA generates a random number b and computes \(B = bP\), \(R_{BC} = bP_H\), \(W_2 = E_{R_{BC}.x}[A, B, Cert_F, RID_U, V_1]\) and \(V_2 = E_{S_F}\{h(A, B, Cert_F, RID_U, V_1)\}\), where \(R_{BC}.x\) denotes the x-coordinate of the ECC point \(R_{BC}\), and \(S_F\) and \(Cert_F\) are the private key and certificate of FA, respectively. Then FA sends the message \(M_2 = \{B, W_2, V_2\}\) to the home agent HA of MU over a public channel.

A3:

After receiving \(M_2\) from FA, the home agent HA computes \(R_{BC} = kB\) and \([A, B, Cert_F, V_1, RID_U] = D_{R_{BC}.x}[W_2]\). HA then verifies the validity of FA’s signature \(V_2\) by using FA’s certificate \(Cert_F\). If it is valid, FA is authenticated by HA. HA computes \(R_{AC} = kA\), \(NID_U^\prime = D_{R_{AC}}(RID_U)\) and \(HID_U^\prime = h(NID_U^\prime || k)\). Next, HA checks whether the value \(HID_U^\prime \) is present in its database. If it is present, HA retrieves the original identity \(ID_U\) of MU by decrypting the corresponding database entry \(EID_U = E_k(ID_U)\) using its master secret key k. HA then verifies whether the condition \(V_1 = h(E_{k}(NID_U || ID_U) || R_{AC} || ID_H || A || ID_U)\) holds or not. If it holds, HA authenticates MU. After both MU and FA are authenticated by HA, HA generates a random secret y and computes \(d = h(y || E_{k}(NID_U || ID_U))\), \(D_{AC} = dR_{BC}\), \(D_{BC} = dR_{AC}\), \(G_U = D_{AC} + R_{AC}\), \(W_1 = h(E_{k}(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\), \(W_3 = E_{R_{BC}.x}[ID_F, Cert_H, G_U, D_{BC}, A, B, W_1]\) and \(V_3 = E_{S_H}[h(ID_F, Cert_H, G_U, D_{BC}, A, B, W_1)]\). Finally, HA sends the message \(M_3 = \{W_3, V_3\}\) to FA over a public channel.

A4:

Upon receiving \(M_3\) from HA, FA decrypts \(W_3\) using the computed \(R_{BC}.x\) to retrieve \([ID_F, Cert_H, G_U, D_{BC}, A, B, W_1]\), and verifies the validity of HA’s signature \(V_3\) by using HA’s certificate \(Cert_H\). If it is valid, HA is authenticated by FA, which also means that HA has confirmed that MU is a legitimate user. After authentication, FA computes the common session key \(SK_F = h(b D_{BC} || W_1)\) shared with MU, and also \(W_4 = h(SK_F || G_U || A || B)\). Finally, FA sends the message \(M_4 = \{G_U, B, W_4\}\) to MU over a public channel.

A5:

After receiving \(M_4\), MU computes \(D_{AC} = G_U - R_{AC}\) and \(SK_U = h(a D_{AC} || W_1^\prime )\), where \(W_1^\prime = h(E_{k}(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\). MU then checks whether the condition \(W_4 = h(SK_U || G_U || A || B)\) holds or not. If it holds, FA and HA are authenticated by MU. After authentication, MU confirms that the common session key shared with the FA is \(SK_U = h(aD_{AC} || W_1^\prime ) = h(adbP_H || W_1^\prime )\). Then, MU computes \(Auth = h(W_1^\prime || aD_{AC} || B || A)\) and sends the confirmation message \(M_5 = \{Auth\}\) to FA over a public channel.

A6:

After receiving \(M_5\), FA computes \(Auth^\prime = h(W_1 || b D_{BC} || B || A)\) and compares it with the received Auth. If they are equal, FA confirms that the common session key shared with MU is \(SK_F = h(bD_{BC} || W_1) = h(bdaP_H || W_1)\).

The authentication and key establishment phase of the proposed scheme is summarized in Table 3.
Table 3 Authentication and key establishment phase of the proposed scheme
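The elliptic-curve arithmetic that runs through steps A1–A6 above, worked end to end on all three sides, as an added illustration (this is not the paper’s code). Assumptions the paper leaves open: the curve is secp256k1 (domain parameters embedded below), \(h(\cdot)\) is SHA-256, and \(Q = E_k(NID_U || ID_U)\) is treated as an opaque 32-byte secret already held by the card and by HA. The FA/HA signatures \(V_2, V_3\) and the encrypted transports \(W_2, W_3\) are omitted; only the values feeding \(V_1\), \(W_1\), \(W_4\), \(Auth\) and the session key are computed, so the equalities \(R_{AC} = aP_H = kA\), \(D_{AC} = G_U - R_{AC}\) and \(SK_U = SK_F\) can be checked concretely, and HA’s rejection of a mismatched \(Q\) can be seen.

```python
"""ECC key agreement of steps A1-A6, added illustration on secp256k1."""
import hashlib

# secp256k1 domain parameters (assumption: the paper names no specific curve)
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def on_curve(pt) -> bool:
    """y^2 = x^3 + 7 (mod p): secp256k1 has a = 0, b = 7."""
    return pt is INF or (pt[1] ** 2 - pt[0] ** 3 - 7) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition handling O, doubling and P + (-P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD  # a = 0, so no +a term
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication kP."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def h(*parts) -> bytes:
    """h(.): SHA-256 over the '||'-concatenation; points are encoded as x || y."""
    m = hashlib.sha256()
    for part in parts:
        if isinstance(part, tuple):
            part = part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big")
        elif isinstance(part, str):
            part = part.encode()
        m.update(part + b"||")
    return m.digest()


def to_scalar(digest: bytes) -> int:
    """Map a hash output to a nonzero scalar in [1, n-1]."""
    return int.from_bytes(digest, "big") % (N_ORD - 1) + 1


def key_establishment(k: int, q_mu: bytes, q_ha: bytes, id_u: str, id_f: str,
                      id_h: str, x: bytes, y: bytes, b: int) -> dict:
    """Run A1-A6: k = HA private key, x = MU one-time secret, y = HA random
    secret, b = FA random scalar; q_mu/q_ha are the copies of Q on the card and at HA."""
    P_H = ec_mul(k, BASE)
    # A1 (card): a = h(x || Q), A = aP, R_AC = aP_H, V_1 = h(Q || R_AC || ID_H || A || ID_U)
    a = to_scalar(h(x, q_mu))
    A = ec_mul(a, BASE)
    R_AC_mu = ec_mul(a, P_H)
    V_1 = h(q_mu, R_AC_mu, id_h, A, id_u)
    # A2 (FA): B = bP, R_BC = bP_H
    B = ec_mul(b, BASE)
    R_BC_fa = ec_mul(b, P_H)
    # A3 (HA): R_BC = kB, R_AC = kA, check V_1, then d, D_AC, D_BC, G_U, W_1
    R_BC_ha = ec_mul(k, B)
    R_AC_ha = ec_mul(k, A)
    if V_1 != h(q_ha, R_AC_ha, id_h, A, id_u):
        return {"ha_accepts": False}
    d = to_scalar(h(y, q_ha))
    D_AC = ec_mul(d, R_BC_ha)
    D_BC = ec_mul(d, R_AC_ha)
    G_U = ec_add(D_AC, R_AC_ha)
    W_1 = h(q_ha, D_AC, A, id_u, id_f, id_h)
    # A4 (FA): SK_F = h(b D_BC || W_1), W_4 = h(SK_F || G_U || A || B)
    SK_F = h(ec_mul(b, D_BC), W_1)
    W_4 = h(SK_F, G_U, A, B)
    # A5 (card): D_AC = G_U - R_AC, W_1', SK_U = h(a D_AC || W_1'), check W_4, send Auth
    D_AC_mu = ec_add(G_U, ec_neg(R_AC_mu))
    W_1_mu = h(q_mu, D_AC_mu, A, id_u, id_f, id_h)
    SK_U = h(ec_mul(a, D_AC_mu), W_1_mu)
    mu_accepts = W_4 == h(SK_U, G_U, A, B)
    Auth = h(W_1_mu, ec_mul(a, D_AC_mu), B, A)
    # A6 (FA): Auth' = h(W_1 || b D_BC || B || A)
    fa_accepts = Auth == h(W_1, ec_mul(b, D_BC), B, A)
    return {"ha_accepts": True, "mu_accepts": mu_accepts, "fa_accepts": fa_accepts,
            "SK_U": SK_U, "SK_F": SK_F, "D_AC_recovered": D_AC_mu == D_AC,
            "R_BC_agree": R_BC_fa == R_BC_ha, "R_AC_agree": R_AC_mu == R_AC_ha}
```

The session keys agree because \(a \cdot D_{AC} = a d b \cdot P_H\) and \(b \cdot D_{BC} = b d a \cdot P_H\) are the same point, while \(G_U\) lets the card recover \(D_{AC}\) without HA ever sending it in clear; the returned flags make each of those equalities, and HA’s \(V_1\) rejection on a wrong \(Q\), checkable in a test.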

Remark 2

In order to protect against the replay attack, a strategy similar to that suggested in [9, 25] is adopted. FA stores the pair \((RID_U, A)\) in its database and HA also stores the pair \((ID_U, B)\) in its database. When FA receives the next login request message, say \(M_1^\prime = \{A^\prime , RID_U, V_1^\prime , ID_H\}\), from MU, it compares the received \(A^\prime \) with the stored A in its database. If there is a match, the message \(M_1^\prime \) is regarded as a replayed message and discarded by FA. Otherwise, FA replaces A with \(A^\prime \) in its database corresponding to \(RID_U\) and treats the message \(M_1^\prime \) as a fresh message. In a similar way, when HA receives the next message, say \(M_2^\prime = \{B^\prime , W_2^\prime , V_2^\prime \}\), from FA, it compares \(B^\prime \), decrypted with the computed key \(R_{BC}.x\), with the stored B in its database corresponding to \(ID_U\). If there is a match, the message \(M_2^\prime \) is regarded as a replayed message and discarded by HA. Otherwise, HA replaces B with \(B^\prime \) in its database corresponding to \(ID_U\) and treats the message \(M_2^\prime \) as a fresh message. For stronger replay attack protection, both FA and HA can keep the pairs \((RID_U, A)\) and \((ID_U, B)\), respectively, for some time so that replayed messages can be detected easily by FA and HA.

5.4 Session Key Update Phase

If a mobile user MU always stays within the same foreign agent FA, for security reasons MU and FA need to renew the existing session key. The steps involved in this phase when MU visits FA in the ith session are as follows:
U1:

MU chooses a new random number \(x_i\) and computes \(a_i = h(x_i || W_1^\prime )\) and \(a_iP_H\). MU sends the message \(\{a_i P_H\}\) to FA over a public channel.

U2:

After receiving the message \(\{a_i P_H\}\), FA chooses a new random number \(y_i\) and computes \(b_i = h(y_i || W_1)\) and \(b_i P_H\). FA computes a new session key \(SK_i = h(b_i a_i P_H || W_1)\) shared with MU and \(S_i = h(b_i a_i P_H || SK_{i-1} || W_1)\). FA then sends \(\{b_iP_H, S_i\}\) to MU over a public channel.

U3:

Upon receiving \(\{b_iP_H, S_i\}\), MU computes \(S_i^\prime = h(a_i b_i P_H || SK_{i-1} || W_1^\prime )\) and checks whether the condition \(S_i^\prime = S_i\) holds or not. If it does not hold, MU terminates the session. Otherwise, MU computes the new session key \(SK_i = h(a_i b_i P_H || W_1^\prime )\) shared with FA.

The summary of the session key update phase is given in Table 4.
Table 4 Session key update phase of the proposed scheme

5.5 Authentication and Key Establishment Phase When a Mobile User is Located in His/Her Home Network

In order to authenticate and agree on a session key when a mobile user is located in his/her home network, a mobile user MU and the home agent HA need to execute the following steps:
H1:

MU first inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs his/her identity \(ID_U\) and password \(PW_U\). \(SC_U\) computes \(N_U^\prime = h(PW_U || ID_U) \oplus NPW\), \(NID_U = h(ID_U || N_U^\prime )\) and verifies whether the condition \(SPW = h(N_U^\prime || ID_U || PW_U)\) holds or not. If it does not hold, \(SC_U\) rejects the entered credentials. Otherwise, \(SC_U\) randomly generates a one-time secret x, and computes \(Q = NQ \oplus h(PW_U || N_U) = E_{k}(NID_U || ID_U)\), \(a = h(x || Q)\), \(A = aP\), \(R_{AC} = a P_H\ (= akP)\), \(DID_U = ID_U \oplus h(R_{AC})\) and \(V_1 = h(Q || R_{AC} || ID_H || A)\). Finally, \(SC_U\) sends the login request message \(Req = \{A, DID_U, V_1, ID_H\}\) to HA via a public channel.

H2:

After receiving the login request message Req, HA computes \(R_{AC}^\prime = kA\), \(ID_U^\prime = DID_U \oplus h(R_{AC})\), \(Q^\prime = E_{k}(NID_U || ID_U)\) and \(V_1^\prime = h(Q^\prime || R_{AC}^\prime || ID_H || A)\). HA checks whether the condition \(V_1^\prime = V_1\) holds or not. If it holds, MU is authenticated by HA. Next, HA randomly generates d and computes \(D = d P\), the session key \(SK = h(Q^\prime || d A)\) shared with MU and \(W_1 = h(ID_U^\prime || A || D || Q^\prime || ID_H || SK)\). Finally, HA sends the reply message \(Rep = \{D, W_1, ID_H\}\) to MU via a public channel.

H3:

Upon receiving the reply message Rep from HA, MU computes the common session key \(SK = h(Q^\prime || a D)\) and then \(W_1^\prime = h(ID_U || A || D || Q || ID_H || SK)\), and checks whether the condition \(W_1^\prime = W_1\) holds or not. If it holds, HA is authenticated by MU. Note that MU also shares the common session key \(SK = h(Q^\prime || aD)\) with HA.

The summary of this phase is given in Table 5.
Table 5 Authentication and key establishment phase when a mobile user is located in his/her home network of the proposed scheme

5.6 Password Update Phase

Assume that a mobile user MU wants to change his/her password \(PW_U\) to a new password \(PW_U^{new}\). Without communicating with his/her home agent HA, MU can change his/her password using the following steps:
P1:

MU inserts his/her smart card \(SC_U\) into the suitable smart card reader, and inputs identity \(ID_U\) and password \(PW_U\). \(SC_U\) then computes \(h_U^\prime = h(ID_U || h(PW_U || N_U))\) and checks whether the condition \(h_U^\prime = h_U\) holds or not. If it does not hold, \(SC_U\) rejects the entered identity and password. Otherwise, \(SC_U\) asks for a new password. MU inputs a new password \(PW_U^{new}\) into \(SC_U\).

P2:

\(SC_U\) generates a new random number \(x_U^{new}\), and computes \(Q^{new} = Q \oplus h(PW_U || N_U) \oplus h(PW_U^{new} || x_U^{new})\) and \(h_U^{new} = h(ID_U || h(PW_U^{new} || x_U^{new}))\). Then, \(SC_U\) replaces Q, \(h_U\) and \(N_U\) with \(Q^{new}\), \(h_U^{new}\) and \(x_U^{new}\) in the smart card \(SC_U\)’s memory, respectively.

6 Security Analysis of the Proposed Scheme

In this section, through the rigorous informal and formal security analysis it is shown that the proposed scheme has the ability to defend various known attacks.

6.1 Authentication Proof Based on BAN Logic

In this section, through the formal security analysis using the widely-accepted Burrows–Abadi–Needham logic (BAN logic) [6], it is shown that the proposed scheme provides the mutual authentication between a mobile user MU and the foreign agent (FA)/home agent (HA).

The notations used in the BAN logic are as follows:
  • \(P \mid \equiv X\): Principal P believes a statement X, or P is entitled to believe X.

  • \(\#(X)\): Formula X is fresh.

  • \(P \shortmid \Rightarrow X\): Principal P has jurisdiction over statement X.

  • \(P \vartriangleleft X\): Principal P sees the statement X.

  • \(P \mid \sim X\): Principal P once said the statement X.

  • \((X, Y)\): Formula X or Y is one part of the formula \((X, Y)\).

  • \(\{X\}_K\): Formula X encrypted under the key K.

  • \(\langle X \rangle _Y\): Formula X combined with the formula Y.

  • \(P \overset{K}{\longleftrightarrow } Q\): P and Q may use the shared key K to communicate. The key K is good, in that it will never be discovered by any principal except P and Q.

  • \(P \overset{X}{\rightleftharpoons } Q\): Formula X is secret known only to P and Q, and possibly to principals trusted by them.

Rules The BAN logic has the following four rules:
  • Rule (1) Message-meaning rule: \(\frac{P \mid \equiv P \overset{K}{\longleftrightarrow } Q, P \vartriangleleft \{X\}_K}{P \mid \equiv Q \mid \sim X}\) and \(\frac{P \mid \equiv P \overset{Y}{\rightleftharpoons } Q, P \vartriangleleft \langle X \rangle _Y}{P \mid \equiv Q \mid \sim X}\).

  • Rule (2) Nonce-verification rule: \(\frac{P \mid \equiv \# (X), P \mid \equiv Q \mid \sim X}{P \mid \equiv Q \mid \equiv X}\).

  • Rule (3) Jurisdiction rule: \(\frac{P \mid \equiv Q\shortmid \Rightarrow X, P \mid \equiv Q \mid \equiv X}{P \mid \equiv X}\).

  • Rule (4) Freshness-conjuncatenation rule: \(\frac{P \mid \equiv \# (X)}{P \mid \equiv \#(X, Y)}\).

Goals According to the analytic procedures of the BAN logic, the proposed scheme must satisfy the following test goals in order to prove the system is secure:
  • \(G_1\): \(FA \mid \equiv MU \overset{W_1}{\rightleftharpoons } FA\).

  • \(G_2\): \(MU \mid \equiv FA \mid \equiv MU \overset{SK}{\longleftrightarrow } FA\).

  • \(G_3\): \(MU \mid \equiv MU \overset{SK}{\longleftrightarrow } FA\).

  • \(G_4\): \(FA \mid \equiv MU \mid \equiv MU \overset{SK}{\longleftrightarrow } FA\).

  • \(G_5\): \(FA \mid \equiv MU \overset{SK}{\longleftrightarrow } FA\).

Generic form The generic form of the proposed scheme is given below:
  • From message \(M_1\), \(MU \rightarrow FA\): \(A = aP, RID_U = \{NID_U\}_{R_{AC}}, V_1= \langle R_{AC}, ID_H, A, ID_U \rangle _{Q}, ID_H\).

  • From message \(M_2\), \(FA \rightarrow HA\): \(B = bP, W_2 = \{A, B, Cert_F, RID_U, V_1\}_{R_{BC}}, V_2 = \{h(A, B, Cert_F, RID_U, V_1)\}_{S_F}\).

  • From message \(M_3\), \(HA \rightarrow FA\): \(W_3 = \{ID_F, Cert_H, G_U, D_{BC}, A, B, W_1\}_{R_{BC}}, V_3 = \{h(ID_F, Cert_H, G_U, D_{BC}, A, B, W_1)\}_{S_H}\).

  • From message \(M_4\), \(FA \rightarrow MU\): \(G_U = \{D_{AC}\}_{R_{AC}}, W_4 = h(\langle bD_{BC} \rangle _{W_1}, G_U, A, B)\).

  • From message \(M_5\), \(MU \rightarrow FA\): \(\langle aD_{AC}, B, A \rangle _{W_1}\).

Idealized form The idealized form of the proposed scheme is as follows:
  • Message \(M_1\), \(MU \rightarrow FA\): \(\langle MU \overset{R_{AC}}{\longleftrightarrow } HA, ID_H, A, ID_U \rangle _{MU \overset{Q}{\longleftrightarrow } HA}\).

  • Message \(M_2\), \(FA \rightarrow HA\): \(\{FA \overset{B}{\longleftrightarrow } HA, Cert_F, MU \mid \sim (MU \overset{A}{\longleftrightarrow } HA, RID_U, V_1) \}_{FA \overset{R_{BC}}{\longleftrightarrow } HA}\).

  • Message \(M_3\), \(HA \rightarrow FA\): \(\langle D_F, Cert_H, G_U, D_{BC}, A, B, MU \overset{W_1}{\rightleftharpoons } FA \rangle _{FA \overset{R_{BC}}{\longleftrightarrow } HA}\).

  • Message \(M_4\), \(FA \rightarrow MU\): \(\langle MU \overset{bD_{BC}}{\longleftrightarrow } FA, A, B \rangle _{MU \overset{W_1}{\rightleftharpoons } FA}\).

  • Message \(M_5\), \(MU \rightarrow FA\): \(\langle MU \overset{aD_{AC}}{\longleftrightarrow } FA, B, A \rangle _{MU \overset{W_1}{\rightleftharpoons } FA}\).

Hypotheses The following assumptions about the initial states are made to analyze the proposed scheme:
  • \(H_1\): \(MU \mid \equiv \#(A)\);

  • \(H_2\): \(FA \mid \equiv \#(B)\);

  • \(H_3\): \(MU \mid \equiv MU \overset{Q}{\longleftrightarrow } HA\);

  • \(H_4\): \(HA \mid \equiv MU \overset{Q}{\longleftrightarrow } HA\);

  • \(H_5\): \(MU \mid \equiv MU \overset{W_1}{\rightleftharpoons } FA\);

  • \(H_6\): \(FA \mid \equiv FA \overset{R_{BC}}{\longleftrightarrow } HA\);

  • \(H_7\): \(HA \mid \equiv FA \overset{R_{BC}}{\longleftrightarrow } HA\);

  • \(H_8\): \(MU \mid \equiv HA \shortmid \Rightarrow FA \mid \sim X\);

  • \(H_9\): \(FA \mid \equiv HA \shortmid \Rightarrow MU \mid \sim X\);

  • \(H_{10}\): \(MU \mid \equiv FA \shortmid \Rightarrow MU \overset{SK}{\longleftrightarrow } FA\);

  • \(H_{11}\): \(FA \mid \equiv MU \shortmid \Rightarrow MU \overset{SK}{\longleftrightarrow } FA\);

  • \(H_{12}\): \(FA \mid \equiv HA \shortmid \Rightarrow MU \overset{W_1}{\longleftrightarrow } FA\).

The idealized form of the proposed scheme is analyzed based on the BAN logic rules and the assumptions. The main proofs are stated as follows:
  • From message \(M_2\), we have,
    $$\begin{aligned} S_1: HA \vartriangleleft \{FA \overset{B}{\longleftrightarrow } HA, Cert_F, MU \mid \sim (MU \overset{A}{\longleftrightarrow } HA, RID_U, V_1) \}_{FA \overset{R_{BC}}{\longleftrightarrow } HA}. \end{aligned}$$
  • From \(H_7\), \(S_1\) and Rule (1), we have,
    $$\begin{aligned} S_2: HA \mid \equiv FA \,\mid \sim \, \langle FA \overset{B}{\longleftrightarrow } HA, Cert_F, MU \mid \sim (MU \overset{A}{\longleftrightarrow } HA, RID_U, V_1) \rangle . \end{aligned}$$
  • From \(S_2\), HA believes that the value \(V_1\) is said by MU, and then, from message \(M_1\), we have,
    $$\begin{aligned} S_3: HA \vartriangleleft \langle MU \overset{R_{AC}}{\longleftrightarrow } HA, ID_H, A, ID_U \rangle _{MU \overset{Q}{\longleftrightarrow } HA}. \end{aligned}$$
  • From \(H_4, S_3\) and Rule (1), we also have,
    $$\begin{aligned} S_4: HA \mid \equiv MU \mid \sim \langle MU \overset{R_{AC}}{\longleftrightarrow } HA \rangle . \end{aligned}$$
  • Since the value \(V_1\) is derived from \(S_2\) and it is a fresh message, from \(S_4\) and Rule (2), we obtain,
    $$\begin{aligned} S_5: HA \mid \equiv MU \mid \equiv \langle MU \overset{R_{AC}}{\longleftrightarrow } HA \rangle . \end{aligned}$$
  • From message \(M_3\), we have,
    $$\begin{aligned} S_6: FA \vartriangleleft \langle D_F, Cert_H, G_U, D_{BC}, A, B, MU \overset{W_1}{\rightleftharpoons } FA \rangle _{FA \overset{R_{BC}}{\longleftrightarrow } HA}. \end{aligned}$$
  • From \(H_6, S_6\) and Rule (1), we obtain,
    $$\begin{aligned} S_7: FA \mid \equiv HA \mid \sim \langle D_F, Cert_H, G_U, D_{BC}, A, B, MU \overset{W_1}{\rightleftharpoons } FA \rangle . \end{aligned}$$
  • From \(H_2, S_6\), Rules (2) and (4), we get,
    $$\begin{aligned} S_8: FA \mid \equiv HA \mid \equiv MU \overset{W_1}{\rightleftharpoons } FA. \end{aligned}$$
  • Again, from \(H_{12},\)\(S_8\) and Rule (3), we have,
    $$\begin{aligned} S_9: FA \mid \equiv MU \overset{W_1}{\rightleftharpoons } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_1)} \end{aligned}$$
  • From message \(M_4\), we get,
    $$\begin{aligned} S_{10}: MU \vartriangleleft \langle MU \overset{bD_{BC}}{\longleftrightarrow } FA, A, B \rangle _{MU \overset{W_1}{\rightleftharpoons } FA}. \end{aligned}$$
  • From \(H_5,\)\(S_{10}\) and Rule (1), we get
    $$\begin{aligned} S_{11}: MU \mid \equiv FA \mid \sim \langle MU \overset{bD_{BC}}{\longleftrightarrow } FA, A, B \rangle . \end{aligned}$$
  • It is clear from its computation that the session key \(SK = SK_F = h(bD_{BC} || W_1) = h(a D_{AC} || W_1) (= SK_U)\) is a function of \(b D_{BC} = a D_{AC}\) and \(W_1\). As a result, from \(H_1, S_{11}\), Rules (2) and (4), we have,
    $$\begin{aligned} S_{12}: MU \mid \equiv FA\,\mid \equiv MU \overset{SK}{\longleftrightarrow } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_2)} \end{aligned}$$
  • From \(H_{10},\)\(S_{12}\) and Rule (3), we obtain,
    $$\begin{aligned} S_{13}: MU \mid \equiv MU\,\overset{SK}{\longleftrightarrow } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_3)} \end{aligned}$$
  • From message \(M_5\), we get,
    $$\begin{aligned} S_{14}: FA \vartriangleleft \langle MU \overset{aD_{AC}}{\longleftrightarrow } FA, B, A \rangle _{MU \overset{W_1}{\rightleftharpoons } FA}. \end{aligned}$$
  • From \(S_8,\)\(S_{14}\) and Rule (1), we also get,
    $$\begin{aligned} S_{15}: FA \mid \equiv MU \mid \sim \langle MU \overset{aD_{AC}}{\longleftrightarrow } FA, B, A \rangle . \end{aligned}$$
  • Since the computation of the session key \(SK = SK_F = h(bD_{BC} || W_1) = h(a D_{AC} || W_1) (= SK_U)\) is a function of \(b D_{BC} = a D_{AC}\) and \(W_1\), from \(H_2,\)\(S_{15},\)Rules (2) and (4), we obtain,
    $$\begin{aligned} S_{16}: FA \mid \equiv MU\, \mid \equiv MU\, \overset{SK}{\longleftrightarrow } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_4)} \end{aligned}$$
  • Finally, from \(H_{11},\)\(S_{16},\) and Rule (3), we have,
    $$\begin{aligned} S_{17}: FA \mid \equiv MU\, \overset{SK}{\longleftrightarrow } FA. \qquad \qquad \qquad {(\mathbf{Goal}~G_5)} \end{aligned}$$
From the goals \(G_1, G_2, G_3, G_4,\) and \(G_5\), it is clear that the proposed scheme provides secure mutual authentication between a mobile user MU and the foreign agent FA during the authentication and key establishment phase described in Sect. 5.3. In a similar way, it is not hard to prove that the proposed scheme also provides secure mutual authentication between a mobile user MU and the home agent HA during the authentication and key establishment phase when MU is located in his/her home network, described in Sect. 5.5.

6.2 Informal Security Analysis

In this section, it is shown that the proposed scheme has the ability to tolerate the following known attacks.

Proposition 1

The proposed scheme provides the user anonymity property.

Proof

In the proposed scheme, the mobile user MU sends the login request message \(M_1 = \{A, RID_U, V_1, ID_H\}\) to the foreign agent FA, where \(RID_U = E_{R_{AC}.x}(NID_U)\) is used to protect the real identity \(ID_U\) of MU. Since \(R_{AC} = aP_H = h(x || Q)kP\) and \(NID_U = h(ID_U || N_U)\), an attacker has no ability to obtain the original real identity \(ID_U\) of MU, even if the session-specific temporary information x is revealed to the adversary, due to the difficulty of solving the ECDLP and inverting the one-way hash function \(h(\cdot )\). At the same time, the attacker cannot trace the moving history and current location of MU from the login request message, as the login message changes dynamically across different login requests of MU. In addition, FA has no ability to trace MU’s activities, as it authenticates the user MU using \(W_1 = h(E_k(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\), which is shared with the home agent HA, due to the difficulty of inverting the collision-resistant one-way hash function \(h(\cdot )\). Hence, the proposed scheme provides the strong user anonymity property.□

Proposition 2

The proposed scheme resists the impersonation attacks.

Proof

The proposed scheme can efficiently prevent the impersonation attacks in the following scenarios:
  • Any attacker cannot impersonate MU to cheat FA and HA. In the proposed scheme, whether MU is located in a foreign network or in his/her home network, HA validates MU’s credentials by verifying the value \(V_1\) sent in the request message \(M_1\). HA validates MU’s credentials and identifies a replayed message as discussed in Remark 2. Then, HA gives the temporary authentication factor \(W_1= h(E_k(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\) to FA in order to mutually authenticate FA and MU and to share a session key. Thus, MU needs to provide the confirmation message \(M_5 = \{Auth\}\), where \(Auth = h(W_1 || aD_{AC} || B || A)\), to FA. The attacker has no ability to compute \(M_5\), as it cannot compute \(W_1\) and \(a = h(x || Q)\) without the knowledge of the session temporary secret x and the long-term secret Q. On the other hand, when MU is located in a foreign network, an attacker has no ability to cheat FA due to the difficulty of computing the confirmation message without the knowledge of x and Q. As a result, the proposed scheme successfully prevents the impersonation attack against MU to cheat FA and HA.

  • An attacker cannot impersonate FA to cheat HA and MU. In the proposed scheme, HA authenticates FA by checking the validity of \(V_2\), which is FA’s digital signature. So, the attacker cannot compute FA’s correct digital signature without knowing FA’s private key \(S_F\). Therefore, the attacker cannot cheat HA successfully by masquerading as FA. At the same time, the authentication of MU to FA is completely dependent on the authentication of HA to FA. If an attacker cannot successfully cheat HA by masquerading as FA, he/she also cannot cheat MU successfully.

  • Any attacker cannot impersonate HA to cheat FA and MU. In the proposed scheme, FA authenticates HA by checking the validity of \(V_3\), which is HA’s digital signature. The attacker cannot compute HA’s correct digital signature without knowing HA’s private key \(S_H\). Thus, the attacker cannot cheat FA successfully by masquerading as HA. On the other hand, MU authenticates HA by verifying the computed \(W_1= h(E_k(NID_U || ID_U) || D_{AC} || A || ID_U || ID_F || ID_H)\). Since the attacker cannot compute the correct \(W_1\) without the knowledge of \(NID_U\), \(ID_U\) and k, the attacker cannot cheat MU successfully.

As a result, the proposed scheme is secure against the impersonation attacks.□

Proposition 3

The proposed scheme prevents the replay attack.

Proof

An attacker might replay an old login request message \(M_1 = \{A, RID_U, V_1, ID_H\}\) to FA and receive the message \(M_4 = \{G_U, B, W_4\}\) from FA. However, the attacker still cannot compute the correct session key \(SK = h(aD_{AC} || W_1) = h(bD_{BC} || W_1)\), as he/she has no ability to compute \(W_1\) and \(aD_{AC}\) without the knowledge of x, Q and \(ID_U\). Furthermore, the verification of old B and A by HA and FA, respectively, prevents the replay attack as explained in Remark 2. Thus, the reply message is authenticated, and as a result, the proposed scheme successfully prevents the replay attack.□

Proposition 4

The proposed scheme withstands the man-in-the-middle attack.

Proof

From the goals \(G_3\) and \(G_5\) of the BAN logic proof in Sect. 6.1, it is clear that the proposed scheme provides secure mutual authentication in the presence of the home agent HA. Thus, it detects any unauthorized modification of the communicated messages. Hence, the attacker has no ability to launch the man-in-the-middle attack.□

Proposition 5

The proposed scheme provides the SK-security.

Proof

In the proposed scheme, the session key is computed as \(SK = h(aD_{AC} || W_1) = h(bD_{BC} || W_1)\), where \(W_1= h(Q || D_{AC} || A || ID_U || ID_F || ID_H)\) and \(a = h(x || Q)\). It is clear that the session key is a function of both the session-temporary information x and the long-term secret Q. Thus, if any one of x and Q, but not both, is unexpectedly revealed to the adversary, he/she cannot be successful in computing the session key SK. Hence, the proposed scheme is secure against the session-temporary information attack, and it also provides perfect forward secrecy. As a result, the proposed scheme provides the session key security.□

Proposition 6

The proposed scheme prevents the offline password guessing attack with smart card security breach.

Proof

Assume that an attacker captures all the information \(\{NQ, P_H, ID_H, NPW, SPW, F_p, E, h(\cdot ), \varOmega \}\) stored in the user smart card \(SC_U\) from the stolen/lost smart card \(SC_U\) using the power analysis attacks [22, 27], where \(NQ = Q \oplus h(N_U || PW_U)\), \(NPW = h(PW_U || ID_U) \oplus N_U\), \(SPW = h(N_U || ID_U || PW_U)\). From the transmitted messages, the user identity \(ID_U\) is anonymous. Thus, in order to guess the password \(PW_U\), the attacker also needs to guess the identity \(ID_U\). The attacker needs to guess both an identity \(ID_U^\prime \) and a password \(PW_U^\prime \) at the same time, and check their validity as follows: compute \(N_U^\prime = h(PW_U^\prime || ID_U^\prime ) \oplus NPW\) and check whether the condition \(SPW = h(N_U^\prime || ID_U^\prime || PW_U^\prime )\) holds. If it holds, the attacker is successful in guessing the correct password and identity. However, the success probability of guessing both password and identity simultaneously is approximately \(\frac{1}{2^{6n + 6m}}\), where n and m represent the number of characters in \(PW_U\) and \(ID_U\), respectively [12]. For example, if \(n = m = 10\), the probability of success is \(\frac{1}{120}\), which is negligible. As a result, the proposed scheme is secure against the offline password guessing attack.□

Proposition 7

The proposed scheme withstands the privileged-insider attack.

Proof

In the proposed scheme, the mobile user MU does not share the chosen password with the home agent HA. Instead, MU only sends the information \(\{ ID_U, NID_U \}\) securely to HA during the registration phase. Suppose that, knowing this information, a privileged-insider attacker of HA obtains all the information \(\{NQ, P_H, ID_H, NPW, SPW, F_p, E, h(\cdot ), \varOmega \}\) from the lost/stolen smart card \(SC_U\) of the mobile user MU using the power analysis attacks [22, 27]. To guess the correct password \(PW_U\) of MU from NQ and SPW, the attacker needs to know \(ID_U\) and the random secret \(N_U\) of MU. Since \(N_U\) and \(ID_U\) are not stored in the smart card \(SC_U\), it is computationally infeasible for the attacker to guess \(PW_U\) correctly. On the other hand, to guess \(PW_U\) correctly, the attacker also needs to guess \(ID_U\) correctly in order to verify the guessed password using NPW. It is also computationally infeasible for the attacker to guess \(PW_U\) correctly in this case. Thus, the privileged-insider attack is prevented in the proposed scheme.□

Proposition 8

The proposed scheme provides the local password verification.

Proof

As in Zhao et al.’s scheme, the proposed scheme also provides the local password verification facility. In addition, the proposed scheme prevents the unauthorized local password verification as it prevents the offline password guessing attack.□

Proposition 9

The proposed scheme provides provision for revocation and re-registration.

Proof

In the proposed scheme, the home agent HA maintains an identity table to prevent the many-logged-in-users attack. Moreover, the proposed scheme provides the revocation and re-registration facility in two genuine real-life cases: when the authentication factor is unexpectedly revealed, and when the user smart card is lost/stolen. However, Zhao et al.’s scheme fails to provide this facility as it does not maintain any identity table.□

Fig. 1 Role specification in HLPSL for the mobile user MU (Case 1)

Fig. 2 Role specification in HLPSL for the home agent HA (Case 1)

7 Simulation Results for Formal Security Verification Using AVISPA Tool

In this section, the proposed scheme is simulated for formal security verification using the widely-accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool, and it is shown that the proposed scheme is secure against the replay and man-in-the-middle attacks.
Fig. 3 Role specification in HLPSL for the foreign agent FA (Case 1)

7.1 AVISPA Overview

AVISPA is a modular and expressive formal language for specifying protocols and their security properties, which integrates different back-ends that implement a variety of state-of-the-art automatic analysis techniques [2]. It is a push-button tool for the automated validation of Internet security-sensitive protocols and applications, and has recently become a widely-accepted tool for formal security verification [10, 11, 14, 31, 32, 33, 34]. AVISPA contains four back-ends: On-the-fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC) and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). Detailed descriptions of these back-ends are available in [2, 37].

The protocols to be analyzed with the AVISPA tool need to be specified in the High Level Protocols Specification Language (HLPSL), which is a role-oriented language [2, 37]. HLPSL is based on roles: basic roles represent each participant, and composition roles represent scenarios of basic roles. Each role is independent of the others, receives some initial information through parameters, and then communicates with the other roles through channels. In HLPSL, the intruder is always denoted by i and is modeled using the Dolev–Yao model [15]; thus, the intruder may assume a legitimate role in a protocol run. The role system also defines a number of sessions, a number of principals and some basic roles. An HLPSL specification is first translated by the HLPSL2IF translator into the intermediate format (IF), which is then fed to one of the back-ends to produce the output format (OF). The OF contains the following sections [37]:
  • The SUMMARY section tells whether the tested protocol is safe, unsafe, or whether the analysis is inconclusive.

  • The DETAILS section explains either under what conditions the tested protocol is declared safe, or what conditions have been used to find an attack, or why the analysis was inconclusive.

  • The PROTOCOL, GOAL and BACKEND sections give the name of the protocol, the goal of the analysis and the name of the back-end used, respectively.

  • Finally, after some comments and statistics, the trace of an attack (if any) is printed in the standard Alice–Bob format.

Fig. 4 Role specification in HLPSL for the session, goal and environment (Case 1)

For a better understanding of the role specifications described in Sect. 7.2, some basic types supported in HLPSL are listed below [2]:
  • agent: the type of principal names. The intruder is always assumed to have the special identifier i.

  • public_key: agents’ public keys in a public-key cryptosystem. For example, given a public (respectively private) key K, its inverse private (respectively public) key is denoted by \(inv\_K\).

  • symmetric_key: keys for a symmetric-key cryptosystem.

  • text: often used for nonces; these values can also be used for messages. For example, if Ni is of type text (fresh), then \(Ni^\prime \) is a fresh value which the intruder cannot guess easily.

  • nat: natural numbers in non-message contexts.

  • const: constants.

  • hash_func: cryptographic hash functions.

For a given message msg and encryption key k, \(\{msg\}\_k\) denotes symmetric/public-key encryption. In HLPSL, the associative “\(\cdot \)” operator is used for concatenation.
Fig. 5 Role specification in HLPSL for the mobile user MU (Case 2)

Fig. 6 Role specification in HLPSL for the home agent HA (Case 2)

Fig. 7 Role specification in HLPSL for the session, goal and environment (Case 2)

7.2 Specifying the Protocol

In this section, the implementation details of the various roles for the mobile user MU, the foreign agent FA and the home agent HA are discussed. Apart from these roles, the roles for the session, goal and environment for the proposed scheme are also discussed. For this purpose, the following two cases are considered:
  • Case 1: It consists of the registration phase, and authentication and key establishment phase.

  • Case 2: It consists of the registration phase, and authentication and key establishment phase when a mobile user MU is located in his/her home network.

Consider Case 1. The role of the initiator, the mobile user MU, is shown in Fig. 1. MU first receives the start signal and changes its state from 0 to 1 (the state is maintained by the variable State), and then sends the registration request message \(Reg =\{ID_U, NID_U\}\) securely to the home agent HA during the registration phase using the \(SND(\, )\) operation. MU then receives a smart card \(SC_U\) containing the information \(\{Q, ID_H, F_p, E, P_H, h(\cdot ), \varOmega \}\) securely from HA using the \(RCV(\, )\) operation. During the authentication and key establishment phase, MU sends the login request message \(M_1 = \{A, RID_U, V_1, ID_H\}\) to FA via a public channel, receives the message \(M_4 = \{G_U, B, W_4\}\) from FA via a public channel, and finally sends the message \(M_5 = \{Auth\}\) to FA via a public channel. The type declaration \(channel \,(dy)\) declares that the channel follows the Dolev–Yao threat model [15]; thus, the intruder (i) can intercept, analyze and/or modify messages transmitted over an insecure public channel. The declaration played_by A means that the agent named in the variable A plays the role. A knowledge declaration (generally in the top-level environment role) specifies the intruder’s initial knowledge in HLPSL. Immediate reaction transitions are declared in the form \(X =|> Y\), which relates an event X to an action Y. The declaration witness (A, B, id, E) expresses a (weak) authentication property of A by B on E: agent A is a witness for the information E, and the goal is identified by the constant id in the goal section [2]. Conversely, the declaration request (B, A, id, E) expresses a strong authentication property of A by B on E: agent B requests a check of the value E, and the goal is identified by the constant id in the goal section [2].
For example, witness (MU, FA, mu_fa_x, X\(^\prime \)) means that MU has freshly generated the random value x for FA. Similarly, the roles for HA and FA are specified in Figs. 2 and 3, respectively. In Fig. 2, request (FA, HA, fa_ha_b, B\(^\prime \)) indicates HA’s acceptance of the random value b generated for HA by FA. The declaration secret (K, s3, HA) means that the private key k of HA is kept secret to HA only, which is characterized by the protocol id s3. If a variable V is kept permanently secret, this is expressed by the goal secrecy_of V; thus, if V is ever obtained or derived by the intruder, a security violation results. The roles for the session, and for the goal and environment, of the proposed scheme are given in Fig. 4. All the basic roles, such as mobileuser, homeagent and foreignagent, are instantiated with concrete arguments in the session role. The top-level role (environment) is always defined in an HLPSL specification. The intruder (i) also participates in the protocol execution as a concrete session, as shown in Fig. 4. Five secrecy goals and three authentication goals are considered in our implementation for Case 1. For example, the secrecy goal secrecy_of s3 states that the information k is kept secret to HA only. The authentication goal authentication_on ha_fa_y indicates that HA generates a random nonce y known only to HA; when FA receives y in messages from HA, it performs a strong authentication of HA based on y.

Consider the HLPSL implementations of the various roles in Case 2. In a similar way, the roles for MU and HA are implemented in Figs. 5 and 6, respectively, and the roles for the session, goal and environment of the proposed scheme are given in Fig. 7.

7.3 Analysis of Results

The proposed scheme is simulated for both Case 1 and Case 2 under the OFMC and CL-AtSe back-ends using the AVISPA Web tool [3]. The following verifications are executed for the proposed scheme:
  • Executability check on non-trivial HLPSL specifications: because of modeling mistakes, a protocol model sometimes cannot execute to completion, and the AVISPA back-ends then cannot find an attack if the model never reaches the state where that attack would happen. An executability test is therefore essential [37]. For the proposed scheme, the test shows that the protocol description is well matched with the designed goals as specified in Figs. 1, 2, 3, 4, 5, 6 and 7.

  • Replay attack check: for the replay attack check, the OFMC and CL-AtSe back-ends verify whether the legitimate agents can execute the specified protocol by performing a search for a passive intruder. These back-ends give the intruder the knowledge of some normal sessions between the legitimate agents. The test results shown in Figs. 8 and 9 indicate that the proposed scheme is secure against the replay attack.

  • Dolev–Yao model check: for the Dolev–Yao model check, the OFMC and CL-AtSe back-ends also verify whether any man-in-the-middle attack is possible by an intruder. It is evident from the results reported in Figs. 8 and 9 that the proposed scheme fulfills the design properties and is secure under these back-ends.

Fig. 8 The result of the analysis using OFMC and CL-AtSe backends (Case 1)

Fig. 9 The result of the analysis using OFMC and CL-AtSe backends (Case 2)

8 Performance Analysis of the Proposed Scheme

In this section, the performance of the proposed scheme is compared with that of the related existing schemes, namely Mun et al.’s scheme [28], Zhao et al.’s scheme [42] and Memon et al.’s scheme [26].
Table 6 Communication cost comparison among the proposed scheme and other schemes during the login, authentication and session key agreement phases

|                             | Ours | Zhao et al. [42] | Mun et al. [28] | Memon et al. [26] |
|-----------------------------|------|------------------|-----------------|-------------------|
| Communication cost (bytes)  | 1072 | 1072             | 384             | 480               |
| Communication cost (rounds) | 5    | 5                | 5               | 5                 |

The bit-lengths of the different parameters are: \(ID_x\): 160 bits; random number: 160 bits; xP (ECC point \((x_1,y_1)\)): 320 bits (assuming that 160-bit ECC provides the same level of security as 1024-bit RSA); one-way hash function h(x): 160 bits; \(Cert_H/Cert_F\): 512 bits; modular exponentiation \(g^x \pmod {p}\): 1024 bits; symmetric encryption/decryption (using AES-128): 128-bit ciphertext for a 128-bit plaintext block.

In Table 6, the communication costs of the proposed scheme and the other schemes during the login, authentication and session key agreement phases are compared. The communication costs of Zhao et al.’s scheme, Mun et al.’s scheme and Memon et al.’s scheme are 1072 bytes, 384 bytes and 480 bytes, respectively, each requiring five rounds. It is well known that 160-bit ECC provides the same level of security as the 1024-bit RSA public-key cryptosystem. In the proposed scheme, during the authentication and session key agreement phase, the message \(M_1 = \{A, RID_U, V_1, ID_H\}\) needs \((320 + \lceil 160 / 128 \rceil \times 128 + 160 + 160) = 896\) bits. The messages \(M_2 = \{B, W_2, V_2\}\), \(M_3 = \{W_3, V_3\}\), \(M_4 = \{G_U, B, W_4\}\) and \(M_5 = \{Auth\}\) require \((320 + \lceil (320+320+512+256+160) / 128 \rceil \times 128 + 1024) = 3008\) bits, \((\lceil (160+1024+320+320+320+320+160) / 128 \rceil \times 128 + 1024) = 3712\) bits, \(320+320+160 = 800\) bits and 160 bits, respectively. As a result, the total communication cost for the five rounds becomes \((896+3008+3712+800+160) = 8576\) bits, that is, 1072 bytes. Note that the communication cost of the proposed scheme is the same as that of Zhao et al.’s scheme, whereas it is higher than those of Mun et al.’s scheme and Memon et al.’s scheme. This is justified because the proposed scheme provides significantly better security and more functionality than Mun et al.’s scheme and Memon et al.’s scheme as well as Zhao et al.’s scheme.
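The bit-level accounting above, as an added example (not the paper's code): plaintext fields are summed, and each AES-128 payload is rounded up to whole 128-bit blocks, which is what the ceiling terms express. Which named field corresponds to which term is inferred from the order of the terms in the expressions above and is an assumption of this example.

```python
import math
from typing import Dict, Sequence, Tuple

AES_BLOCK_BITS = 128  # AES-128: ciphertext is the plaintext rounded up to whole blocks


def ciphertext_bits(plaintext_bits: int) -> int:
    """Ciphertext size, in bits, of an AES-128 encryption of `plaintext_bits` bits."""
    return math.ceil(plaintext_bits / AES_BLOCK_BITS) * AES_BLOCK_BITS


def message_bits(clear: Sequence[int], encrypted: Sequence[int] = ()) -> int:
    """Size of a message: plaintext fields plus one AES-encrypted payload whose
    fields are concatenated before encryption, so block padding applies once."""
    total = sum(clear)
    if encrypted:
        total += ciphertext_bits(sum(encrypted))
    return total


# Field sizes (bits) per message, read off the expressions in Sect. 8:
# ECC point 320, identity/nonce/hash 160, certificate 512, modular exponentiation 1024.
# Field-to-term mapping in the comments is inferred, not stated by the paper.
MESSAGES: Dict[str, Tuple[Sequence[int], Sequence[int]]] = {
    "M1": ([320, 160, 160], [160]),                        # A, V_1, ID_H; RID_U encrypted
    "M2": ([320, 1024], [320, 320, 512, 256, 160]),        # B, V_2; W_2 encrypted
    "M3": ([1024], [160, 1024, 320, 320, 320, 320, 160]),  # V_3; W_3 encrypted
    "M4": ([320, 320, 160], []),                           # G_U, B, W_4
    "M5": ([160], []),                                     # Auth
}


def per_message_bits() -> Dict[str, int]:
    """Size of each of the five messages M_1..M_5 in bits."""
    return {name: message_bits(clear, enc) for name, (clear, enc) in MESSAGES.items()}


def total_cost_bytes() -> int:
    """Total over the five rounds, in bytes (Table 6 lists 1072 for the proposed scheme)."""
    return sum(per_message_bits().values()) // 8


if __name__ == "__main__":
    for name, bits in per_message_bits().items():
        print(f"{name}: {bits} bits")
    print("total:", total_cost_bytes(), "bytes")
```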
Table 7 Computational cost comparison among the proposed scheme and other schemes during the login, authentication and session key agreement phases

|                   | MU                        | FA                           | HA                                    |
|-------------------|---------------------------|------------------------------|---------------------------------------|
| Ours              | \(4A+13H+2Mu+1E+1Ma\)     | \(5H+2Mu+3E+1D+2G\)          | \(4H+1E+3D+3Mu+1Ma+1G+1V\)            |
| Zhao et al. [42]  | \(3A+7H+1Mu+1D\)          | \(2H+2Mu+2E+1D+1G+1V\)       | \(2A+4H+3Mu+1E+1D+1G+1V\)             |
| Mun et al. [28]   | \(2A+4H+1Mu+1E\)          | \(2A+3H+1Mu+1E\)             | \(3A+3H\)                             |
| Memon et al. [26] | \(5A+10H+1E+1D\)          | \(3H+2Mo+2E+2D+1G+1V\)       | \(2A+3H+3Mo+1E+3D+1G+1V\)             |

A bitwise XOR operation; H one-way hash operation; Mo modular exponentiation; Mu ECC point scalar multiplication; Ma ECC point addition; E symmetric encryption \(E_K[\cdot ]\); D symmetric decryption \(D_K[\cdot ]\); G signature generation \(E_K\{h(\cdot )\}\); V signature verification \(D_K\{h(\cdot )\}\).

Table 7 shows the computational cost comparison among the proposed scheme and the other schemes during the login, authentication and session key agreement phases for MU, FA and HA. It is clear from this table that the computational cost of the proposed scheme is comparable with that of the other schemes.
Table 8 Functionality comparison among the proposed scheme and other schemes

| Functionality | Ours | Zhao et al. [42] | Mun et al. [28] | Memon et al. [26] |
|---------------|------|------------------|-----------------|-------------------|
| \(F_1\)       | Yes  | No               | No              | Yes               |
| \(F_2\)       | Yes  | Yes              | No              | Yes               |
| \(F_3\)       | Yes  | Yes              | No              | Yes               |
| \(F_4\)       | Yes  | Yes              | No              | Yes               |
| \(F_5\)       | Yes  | Yes              | No              | Yes               |
| \(F_6\)       | Yes  | No               | No              | Yes               |
| \(F_7\)       | Yes  | Yes              | Yes             | Yes               |
| \(F_8\)       | Yes  | No               | No              | No                |
| \(F_9\)       | Yes  | No               | No              | No                |
| \(F_{10}\)    | Yes  | Yes              | Yes             | Yes               |
| \(F_{11}\)    | Yes  | Yes              | No              | Yes               |
| \(F_{12}\)    | Yes  | No               | No              | No                |
| \(F_{13}\)    | Yes  | No               | No              | Yes               |
| \(F_{14}\)    | Yes  | No               | No              | Yes               |
| \(F_{15}\)    | Yes  | No               | Yes             | Yes               |
| \(F_{16}\)    | Yes  | Yes              | No              | Yes               |

\(F_1\) strong user anonymity; \(F_2\) proper mutual authentication; \(F_3\) resist MU impersonation attack; \(F_4\) resist FA impersonation attack; \(F_5\) resist HA impersonation attack; \(F_6\) resist replay attack; \(F_7\) perfect forward secrecy; \(F_8\) resist offline password guessing attack; \(F_9\) resist privileged-insider attack; \(F_{10}\) no verifier table; \(F_{11}\) local password change; \(F_{12}\) resist known session-specific temporary information attack; \(F_{13}\) resist stolen verifier attack; \(F_{14}\) provide revocation and re-registration; \(F_{15}\) free from the design flaw in the registration phase; \(F_{16}\) provide the authentication scheme when a user is located in his/her home network.

Finally, Table 8 compares the functionality of the proposed scheme with that of the other schemes, namely Zhao et al.’s scheme, Mun et al.’s scheme and Memon et al.’s scheme. It is clear that the proposed scheme is more secure and provides more security functionality than the other schemes. In Zhao et al.’s scheme, the functionality features \(F_1\), \(F_6\), \(F_8\)–\(F_9\) and \(F_{12}\)–\(F_{14}\) are not satisfied. In addition, there is a design flaw in the registration phase of Zhao et al.’s scheme. In Mun et al.’s scheme, the functionality features \(F_1\)–\(F_6\), \(F_8\)–\(F_9\) and \(F_{11}\)–\(F_{14}\) are not satisfied. On the other hand, in Memon et al.’s scheme, the functionality features \(F_8\)–\(F_9\) and \(F_{12}\) are not satisfied.

9 Conclusion

In this paper, the merits and demerits of the existing authentication schemes for the roaming service in GLOMONET are first discussed. A secure and effective user authentication scheme for the roaming service in GLOMONET is then presented in order to withstand the security pitfalls and design flaws found in both the recently proposed Zhao et al.’s scheme and Memon et al.’s scheme. Through rigorous formal security analysis using the BAN logic, it is proved that the proposed scheme provides secure mutual authentication between a mobile user and the foreign/home agent. Further, rigorous informal security analysis shows that the proposed scheme has the ability to tolerate various known attacks. Moreover, the proposed scheme is simulated using the most widely accepted AVISPA tool, and the simulation results reported in this paper clearly indicate that the proposed scheme is secure. In addition, the proposed scheme is efficient in computation and communication as compared to other related schemes. Better security, extra functionality features and efficiency make the proposed scheme feasible for the roaming service in GLOMONET.

Acknowledgements

The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper. This research is supported by the National Natural Science Foundation of China under Grant No. 61300220, and it is also supported by PAPD and CICAEET.

References

  1. Advanced Encryption Standard, U.S. Department of Commerce, November 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf. Accessed Nov 2010.
  2. AVISPA. Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/. Accessed Aug 2015.
  3. AVISPA. AVISPA Web Tool. http://www.avispa-project.org/web-interface/expert.php/. Accessed Aug 2015.
  4. Bellare, M., Boldyreva, A., & Micali, S. (2000). Public-key encryption in a multi-user setting: Security proofs and improvements. In Advances in cryptology—EUROCRYPT 2000 (pp. 259–274). Springer.
  5. Bellare, M., Canetti, R., & Krawczyk, H. (1998). A modular approach to the design and analysis of authentication and key exchange protocols. In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing (STOC) (pp. 419–428). Dallas: ACM.
  6. Burrows, M., Abadi, M., & Needham, R. (1990). A logic of authentication. ACM Transactions on Computer Systems, 8(1), 18–36.
  7. Canetti, R., & Krawczyk, H. (2001). Analysis of key-exchange protocols and their use for building secure channels. In Advances in cryptology—EUROCRYPT 2001 (pp. 453–474). Innsbruck: Springer.
  8. Chang, C., Lee, C., & Chiu, Y. (2009). Enhanced authentication scheme with anonymity for roaming service in global networks. Computer Communications, 34(4), 611–618.
  9. Das, A. K. (2011). Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Information Security, 5(3), 145–151.
  10. Das, A. K. (2013). A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Networking Science, 2(1–2), 12–27.
  11. Das, A. K. (2016). A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Networking and Applications, 9(1), 223–244.
  12. Das, A. K., & Goswami, A. (2013). A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. Journal of Medical Systems, 37(3), 9948.
  13. Das, A. K., Paul, N. R., & Tripathy, L. (2012). Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Information Sciences, 209, 80–92.
  14. Das, A. K. (2015). A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks. Wireless Personal Communications, 82(3), 1377–1404.
  15. Dolev, D., & Yao, A. C. (1983). On the security of public key protocols. IEEE Transactions on Information Theory, 29(2), 198–208.
  16. Dutta, R., & Barua, R. (2008). Provably secure constant round contributory group key agreement in dynamic setting. IEEE Transactions on Information Theory, 54(5), 2007–2025.
  17. Gope, P., & Hwang, T. (2015). Enhanced secure mutual authentication, and key agreement scheme preserving user anonymity in global mobile networks. Wireless Personal Communications, 82(4), 2231–2245.
  18. Gope, P., & Hwang, T. (2016). Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks. IEEE Systems Journal, 10(4), 1370–1379.
  19. He, D., Ma, M., Zhang, Y., Chen, C., & Bu, J. (2011). A strong user authentication scheme with smart cards for wireless communications. Computer Communications, 34(3), 367–374.
  20. He, D., Zhang, Y., & Chen, J. (2014). Cryptanalysis and improvement of an anonymous authentication protocol for wireless access networks. Wireless Personal Communications, 74(2), 229–243.
  21. Jiang, Q., Ma, J., Li, G., & Yang, L. (2013). An enhanced authentication scheme with privacy preservation for roaming services in global mobility networks. Wireless Personal Communications, 68(4), 1477–1491.
  22. Kocher, P., Jaffe, J., & Jun, B. (1999). Differential power analysis. In Advances in cryptology—CRYPTO’99 (pp. 388–397). California: Springer.
  23. Lee, C., Hwang, M., & Liao, I. (2006). Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Transactions on Industrial Electronics, 53(5), 1683–1686.
  24. Li, C. T., & Lee, C. (2012). A novel user authentication and privacy preserving scheme with smart cards for wireless communications. Mathematical and Computer Modelling, 55(1–2), 35–44.
  25. Li, X., Niu, J.-W., Ma, J., Wang, W.-D., & Liu, C.-L. (2011). Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. Journal of Network and Computer Applications, 34, 73–79.
  26. Memon, I., Hussain, I., Akhtar, R., & Chen, G. (2015). Enhanced privacy and authentication: An efficient and secure anonymous communication for location based service using asymmetric cryptography scheme. Wireless Personal Communications, 84(2), 1487–1508.
  27. Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers, 51(5), 541–552.
  28. Mun, H., Han, K., Lee, Y. S., Yeun, C. Y., & Choi, H. H. (2012). Enhanced secure anonymous authentication scheme for roaming service in global mobility networks. Mathematical and Computer Modelling, 55, 214–222.
  29. Nickalls, R. W. D. (1993). A new approach to solving the cubic: Cardan’s solution revealed. The Mathematical Gazette, 77(480), 354–359.
  30. Odelu, V., Das, A. K., & Goswami, A. (2014). A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Information Sciences, 269, 270–285.
  31. Odelu, V., Das, A. K., & Goswami, A. (2015). A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security, 10(9), 1953–1966.
  32. Odelu, V., Das, A. K., & Goswami, A. (2015). DMAMA: Dynamic migration access control mechanism for mobile agents in distributed networks. Wireless Personal Communications, 84(1), 207–230.
  33. Odelu, V., Das, A. K., & Goswami, A. (2015). An effective and robust secure remote user authenticated key agreement scheme using smart cards in wireless communication systems. Wireless Personal Communications. doi:10.1007/s11277-015-2721-7.
  34. Odelu, V., Das, A. K., & Goswami, A. (2015). A secure and scalable group access control scheme for wireless sensor networks. Wireless Personal Communications. doi:10.1007/s11277-015-2866-4.
  35. Sarkar, P. (2010). A simple and generic construction of authenticated encryption with associated data. ACM Transactions on Information and System Security, 13(4), 33.
  36. Stallings, W. (2006). Cryptography and network security: Principles and practices (3rd ed.). Pearson Education India.
  37. von Oheimb, D. (2005). The high-level protocol specification language HLPSL developed in the EU project AVISPA. In Proceedings of APPSEM 2005 Workshop.
  38. Wang, D., He, D., Wang, P., & Chu, C. (2015). Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment. IEEE Transactions on Dependable and Secure Computing, 12(4), 428–442.
  39. Wen, F., Susilo, W., & Yang, G. (2013). A secure and effective user authentication scheme for roaming service in global mobility networks. Wireless Personal Communications, 73(3), 993–1004.
  40. Wu, C., Lee, W., & Tsaur, W. (2008). A secure authentication scheme with anonymity for wireless communications. IEEE Communications Letters, 12(10), 722–723.
  41. Wu, S., & Chen, K. (2012). An efficient key-management scheme for hierarchical access control in e-medicine system. Journal of Medical Systems, 36(4), 2325–2337.
  42. Zhao, D., Peng, H., Li, L., & Yang, Y. (2014). A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wireless Personal Communications, 78(1), 247–269.
  43. Zhou, T., & Xu, J. (2011). Provable secure authentication protocol with anonymity for roaming service in global mobility networks. Computer Networks, 55(1), 205–213.
  44. Zhu, J., & Ma, J. (2004). A new authentication scheme with anonymity for wireless environments. IEEE Transactions on Consumer Electronics, 55(1), 230–234.

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  1. Department of Mathematics, Indian Institute of Technology, Kharagpur, India
  2. Department of Computer Science and Engineering, Indian Institute of Information Technology, Chittoor, Sri City, India
  3. Department of Information Technology, Jadavpur University, Salt Lake City, Kolkata, India
  4. Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad, India
  5. Department of Mathematics, Ch. Charan Singh University, Meerut, India
  6. School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan, China
  7. Nanjing University of Information Science and Technology, Nanjing, China
