A robust ECC based mutual authentication protocol with anonymity for session initiation protocol

  • Zahid Mehmood

    Contributed equally to this work with: Zahid Mehmood, Gongliang Chen, Jianhua Li, Linsen Li, Bander Alzahrani

    Roles Formal analysis, Investigation, Methodology, Writing – original draft

    zaidi@sjtu.edu.cn

    Affiliation School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China

  • Gongliang Chen

    Roles Funding acquisition, Resources, Supervision, Writing – review & editing

    Affiliation School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China

  • Jianhua Li

    Roles Funding acquisition, Resources, Software

    Affiliation School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China

  • Linsen Li

    Roles Data curation, Resources

    Affiliation School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China

  • Bander Alzahrani

    Roles Resources, Writing – review & editing

    Affiliation Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah, Saudi Arabia

Abstract

Over the past few years, the Session Initiation Protocol (SIP) has become a substantial application-layer protocol for multimedia services. It is extensively used for managing, altering, terminating and distributing multimedia sessions. Authentication plays a pivotal role in the SIP environment. Recently, Lu et al. presented an authentication protocol for SIP and claimed that the newly proposed protocol is protected against all the familiar attacks. However, detailed analysis shows that Lu et al.’s protocol is exposed to the server masquerading attack and the user masquerading attack. Moreover, it fails to protect the user’s identity, and its login and authentication phase is incorrect. To establish a suitable and efficient protocol that overcomes all these discrepancies, a robust ECC-based novel mutual authentication mechanism with anonymity for SIP is presented in this manuscript. The improved protocol contains an explicit parameter for the user to address the issues of security and correctness, and it is found to be more secure and relatively effective in protecting the user’s privacy and in resisting user masquerading and server masquerading, as verified through comprehensive formal and informal security analysis.

1 Introduction

The applications of multimedia services have great significance in advanced networks. SIP is a valued application-layer protocol used for controlling and signaling multimedia sessions. Its prime responsibility is internet telephony services such as voice calls, video calls and instant messaging over the public network. Furthermore, SIP is responsible for establishing, modifying and terminating multimedia sessions [1]. Users perform an authentication process in order to log in to the server through SIP, so authentication plays a vital role in SIP services. Nowadays, owing to researchers’ keen interest in the security and authentication of SIP, there is immense scope for research in the authentication of multimedia services.

Recently, numerous scholars have presented secure and efficient authentication techniques to sustain the security of SIP [2–6]. Many researchers agree that Hypertext Transport Protocol (HTTP) digest authentication for SIP is vulnerable to stolen-verifier, server spoofing and off-line password guessing attacks and is unable to provide mutual authentication [1, 7–9]. To counter these weaknesses, Yang et al. [7] introduced an authentication protocol based on the Diffie-Hellman key exchange protocol. Afterwards, Huang et al. [10] pointed out that Yang et al.’s protocol fails to resist the off-line password guessing attack and proposed an updated scheme to fix the issues identified in Yang et al.’s scheme. However, Jo et al. [11] indicated that Huang’s protocol is unprotected against the off-line password guessing attack. To enhance Yang et al.’s technique, Durlanik and Sogukpinar [12] presented a secure and effective authentication technique based on Elliptic Curve Cryptography (ECC) [13]. ECC can provide the same security with a relatively smaller key size than other cryptosystems [13–18]. In 2009, Wu et al. [19] presented an improved and secure authentication protocol for SIP based on ECC. Later on, Yoon et al. [20] demonstrated that the protocols of Durlanik and Sogukpinar and of Wu et al. are not secure against Denning-Sacco [21], off-line password guessing and stolen-verifier attacks. Yoon et al. then introduced a sophisticated technique for SIP with higher security. Pu et al. [22] identified that Yoon et al.’s technique is vulnerable to replay and off-line password guessing attacks. A comparatively lightweight authentication and key agreement protocol using a hash function and the exclusive-OR operation was then presented by Tsai [23]. Later on, Arshad and Ikram [24] proved that Tsai’s protocol is breakable by off-line password guessing and stolen-verifier attacks. Moreover, Tsai’s protocol is unable to maintain forward secrecy and known-key secrecy. Although Yoon et al. [25] presented a robust authentication technique with key agreement to address the limitations of Tsai’s scheme, Xie [26] indicated that Yoon et al.’s scheme is unprotected against off-line password guessing and stolen-verifier attacks and introduced a new scheme. Unfortunately, Farash and Attari [27] indicated that Xie’s protocol is exposed to off-line password guessing and impersonation attacks, and they proposed a new technique to counter the limitations of Xie’s scheme. Zhang et al. [28] offered an authentication protocol with anonymity using ECC. Recently, Lu et al. [29] indicated that Zhang et al.’s scheme is breakable by an insider attack and fails to offer mutual authentication. To remedy these vulnerabilities, Lu et al. [29] suggested an advanced scheme, which is claimed to be more appropriate against all possible attacks. However, analysis shows that Lu et al.’s proposed protocol is insecure against server and user masquerading attacks. Additionally, it fails to offer user anonymity, and the scheme is incorrect.

Hence, a new robust mutual authentication protocol with anonymity using ECC for SIP is presented in this manuscript. The improved scheme contains a slight modification in both the registration and authentication phases. We have added an explicit parameter for the user to address the issues of correctness and security. Furthermore, the protocol is highly secure against all the possible attacks, as validated through informal and formal security analysis. Comprehensive analysis also verifies that the security and performance of the proposed protocol are more effective and reliable than those of the recent authentication protocols.

The remainder of the manuscript is arranged as follows: Table 1 describes the notations used in this manuscript. The review and the weaknesses of Lu et al.’s scheme are presented in sections 2 and 3, respectively. The proposed protocol is presented in section 4, and its formal and informal security analysis is given in section 5. The performance of the present protocol is compared with recently presented protocols in section 6. Concluding remarks on the proposed protocol are given in section 7.

2 Review of Lu et al.’s scheme

This segment concisely reviews Lu et al.’s protocol. The overall protocol contains three stages. In the first stage, the user performs the registration process and then uses it to log in to the server and authenticate itself. The protocol also permits the user to update his/her password in an inadmissible condition. All these phases are explained in detail below, and Fig 1 shows the registration and authentication phases.

2.1 Registration phase

  1. chooses his/her IDi, PWi and his/her secret key . now computes and transmits {IDi, PWD} to by private channel.
  2. determines upon receiving the message and stores it in server’s repository.

2.2 Authentication phase

  1. A random number r1 is generated and computed by : (1) (2) (3) (4) (5)
    Now the transmits the to .
  2. computes, upon reception of request message from : (6) (7) (8) (9) verify , in case of failure, the session is aborted otherwise, a random number r2 is generated by and calculates: (10) (11) (12)
    Now sends the challenge message to user .
  3. on getting the challenge message from calculates: (13) checks is equal to received Auths, if the equation is not satisfied, aborts the session, otherwise computes Authui = h(skuiTD) and transmits the message to .
  4. Upon getting the message, verifies , if it true, the already computed session key sk = skui = sks is treated as legitimate key.

2.3 Password change phase

selects new , and in order to change the password.

The following strides are performed by the and .

  1. computes: (14) (15)
    Now transmits {IDi, W, N} to the
  2. On getting the message, concludes: and verifies whether it is equal to the acquired W. Then computes and updates V PW with V PWnew.

3 Cryptanalysis of Lu et al.’s scheme

In this section, it is shown that Lu et al.’s scheme is vulnerable to server and user masquerading attacks and is also unable to achieve user anonymity. Moreover, its authentication phase is incorrect on the server side. As per the adversary model mentioned in [30–34], can access the public communication link and can replay, remove, modify, intercept or send a newly devised message.

3.1 User anonymity attack

The violation of user anonymity is described in this subsection. In Lu et al.’s protocol, any legitimate user can derive the authentic identity of a specific user by intercepting the login request message from the public communication channel.

Assume a legal user try to extract the authentic identity of the another user . , performs the following steps.

  1. User steals the information V PW stored on the server.
  2. Now by using his/her IDj, PWj and , computes and obtains the value T = h(IDjPWDj). Now, can also extract the server private key .
  3. intercepts the login request message {Y, HIDi, Z} and sends it to the server from the public communication channel.
  4. Now by using the stolen verifier V PW, he/she can compute . Finally, extracts the real identity IDi of user’s as .

3.2 Server masquerading attack

In Lu et al.’s scheme, if devised the server ’s secret key , another authorized user can easily masquerade as a legal server by executing the subsequent steps.

  1. Adversary can steal the information V PW stored in the server’s repository. Then the following steps have to be performed by the (16) (17) (18)
  2. When a legal user needs to login into the server, calculates: (19) (20) (21) (22) (23) (24)
    Now conveys the request message {Y, HIDi, Z} to the server .
  3. computes after intercepting the request message: (25) (26) (27) (28) (29) (30) (31)
    After that transmits to the legal user
  4. On getting the challenge message, computes: (32) (33) (34)
  5. The conveys the response message to the server , whereas, intercepts the message. Hence, successfully masquerades the server for legal users.

3.3 User masquerading attack

For the user masquerading attack, an attacker obtains the request message {Y, HIDi, Z} and derives the identity IDi as described in section 3.1. Any legitimate user can then easily masquerade as another user by performing the following steps:

  1. intercepts the remote user request message {Y, HIDi, Z} and computes: (35) (36) (37) (38) (39)
    transmits his own request message .
  2. upon getting the message computes: (40) (41) (42) (43) (44) (45) (46) (47)
    transmits the challenge message {realm, D, Auths} to
  3. Upon getting the message computes: (48) (49) (50)
    Therefore, sends the response message to
  4. On receiving the message, the authenticates the adversary as a legal user by verifying Authui = h(sksT′‖D) equation. Therefore, has successfully misled the server and treats the shared session key as a valid key.

3.4 Incorrectness problem

In this segment, it is demonstrated that, while authentication is performed on the server side, the server computes , where is the private key of the server, which is secret within the server. But how can the server compute the exact value of T′ without knowing the valid IDi of the specific user, given that the verifier table contains the T values of all the legal users of the system?

4 Proposed scheme

In this segment, the newly proposed protocol is presented. The improved protocol is divided into three phases, i.e., the System Setup, Registration and Authentication phases. Before going into the details of the proposed protocol, we explain that the insecurity of Lu et al.’s scheme against server and user masquerading attacks was due to a generic secret value stored in hidden form in the verifier table V PW on the server. A legitimate but dishonest user (say ) can easily extract by using his/her T, which is computed as T = h(IDjPWDj), and then, with the help of this T, can compute the server private key . After obtaining , the illegitimate but authorized user can easily find the real identity of any other user. Moreover, the after stealing the V PW from the server can easily masquerade himself as as well as the legal server. In the present protocol, V PW includes the user’s particular identity IDi. Hence, if successfully gets the secrets from the verifier table, one can retrieve only his/her own value of PWD, as the user IDi is combined with the server secret key. So, he cannot masquerade himself as another user or server of the system even though he also has the V PW verifier table. The scheme is illustrated in Fig 2 and is explained as follows:

4.1 System setup phase

  1. The server selects elliptic curve [35] points (Ep(a, b)) of order n and gets initialized with a base point P.
  2. The secret key is being generated by ranging from and computes the public key as . Then selects one-way hash function h(), which keeps the secret key safe and publishes the rest of the public parameters.

4.2 Registration phase

  1. computes and conveys {IDi, PWDi} to through secure channel.
  2. On getting the message, computes and saves the V PW in the server database.
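
The difference between the verifier layout criticised at the start of this section and the identity-bound verifier stored above can be checked in a few lines. This is an added example, not code from the paper: the XOR masking, the exact row formulas, the form of PWD, SHA-256 as h() and the sample accounts are assumptions chosen to match the description (a server-wide secret in every row versus a mask that includes IDi).

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """One-way hash h(.); parts are length-prefixed to stand in for '||'."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed test accounts: identity -> (password, user secret key).
USERS = {
    b"alice": (b"correct horse battery", bytes.fromhex("11" * 16)),
    b"mallory": (b"hunter2", bytes.fromhex("22" * 16)),
}
SERVER_KEY = bytes.fromhex("5e" * 32)  # constructed server secret

def pwd(uid: bytes) -> bytes:
    """PWD_i: the password blinded with the user's secret key (assumed form)."""
    password, user_key = USERS[uid]
    return h(password, user_key)

def table_generic_secret(server_key: bytes) -> dict:
    """Assumed weak layout: VPW_i = T_i XOR h(s), with T_i = h(ID_i || PWD_i).
    Every row is masked with the same server-wide value."""
    mask = h(server_key)
    return {uid: xor(h(uid, pwd(uid)), mask) for uid in USERS}

def table_identity_bound(server_key: bytes) -> dict:
    """Assumed fixed layout: VPW_i = PWD_i XOR h(ID_i || s).
    The mask depends on the row's identity as well as the server key."""
    return {uid: xor(pwd(uid), h(uid, server_key)) for uid in USERS}

def strip_with_own_mask(table: dict, own_id: bytes, own_value: bytes,
                        other_id: bytes) -> bytes:
    """What a registered user holding a copy of the table can compute:
    remove the value they know from their own row, then apply the
    resulting mask to someone else's row."""
    mask = xor(table[own_id], own_value)
    return xor(table[other_id], mask)

def audit(server_key: bytes = SERVER_KEY) -> dict:
    """Report, for each layout, whether mallory's own row unlocks alice's."""
    weak = table_generic_secret(server_key)
    fixed = table_identity_bound(server_key)
    from_weak = strip_with_own_mask(weak, b"mallory",
                                    h(b"mallory", pwd(b"mallory")), b"alice")
    from_fixed = strip_with_own_mask(fixed, b"mallory",
                                     pwd(b"mallory"), b"alice")
    return {
        "generic_secret_row_exposed": from_weak == h(b"alice", pwd(b"alice")),
        "identity_bound_row_exposed": from_fixed == pwd(b"alice"),
    }

if __name__ == "__main__":
    print(audit())
```

With a shared mask, one known row is enough to unmask every other row; once the mask depends on IDi, a user's knowledge of their own PWD reveals nothing usable about another row.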

4.3 Authentication phase

  1. First of all, a random number r1 is generated by and it computes: (51) (52) (53) (54)
    Now sends request message to .
  2. compute the following, upon getting the request message (55) (56) (57) (58) (59)
    Compute and check , failure of which leads to the termination of session, otherwise generates r2 and computes: (60) (61) (62) (63)
    transmits the message {realm, M3, Auths} to the .
  3. Upon receiving the message, calculates: (64) (65) and verifies the condition , failure of which leads to the termination of the session, otherwise computes Authui = h(skuiPWDiD′) and transmits message to .
  4. On receipt of the message {realm, Authui}, the verifies , if it withstands, the session key sk = skui = sks is considered to be the valid key between and .

5 Security analysis

The informal and formal security analysis of the presented scheme demonstrates that it is resilient against all known attacks over public communication channels.

5.1 Informal security analysis

5.1.1 Resist replay attack.

Suppose if an eavesdropper can steal the request message {M1, M2} and try to replay it to pretend as a legal user , but on the server side verifies the freshness of time stamp ti and also the condition . To successfully pass the condition. requires IDi and server secret key . But is unable to get IDi and server secret key as they are secured by the One-way hash function. Furthermore, if is able to get the challenge message {realm, M3, Auths} from and tries to replay it to . fails to obtain r2 from D and Auths is not equal to the computed h(skuiPWDiX) by . Then is failed to send response message to . Hence, the present scheme is protected against replay attack.

5.1.2 Anonymity and privacy.

In the proposed scheme, the IDi is protected on the public channel by hash function along with user secret key . So, it is impossible for to get the IDi from the public channel. Hence, the proposed scheme provides appropriate anonymity.

5.1.3 Off-line password guessing attack.

Suppose if can steal the but password is secured in M2 and for retrieving the password from M2 it is required to calculate the PWDi and it is impossible for to obtain these parameters due to the security of hash function. Even if the password is compromised, it is impossible for to prove the legitimacy of the password. Hence, the present protocol withstands against off-line password guessing attack.

5.1.4 Mutual authentication.

In the present protocol both user as well as server compute and verifies on server side and similarity, on client side. So, improved scheme fulfills the requirement of mutual authentication.

5.1.5 Perfect forward secrecy.

Suppose the secret keys of and are compromised; is still unable to guess the session key sk = r1.r2.P. It is infeasible for to compute r1 and r2 from X and D, respectively, due to ECDLP. Hence, the present protocol provides forward secrecy.

5.1.6 Masquerading attack.

For user masquerading, requires user password PWi to compute the valid value of PWDi. Assume successfully intercepts the request message {M1, M2}, it is not possible to compute the value of PWDi from M1, M2 due to the hardness of ECDLP and M2 contains the encrypted value by X. For server masquerading attack, requires verifier V PW from server database and secret key , which is only known to the server. Without server secret key, is unable to compute the PWDi from V PW. For authenticating the user, also needs the r1 to compute the X, so, is unable to authenticate EX(tiIDiXPWDi) = M2. Moreover, r2 is required to compute sks and Auths. Hence, the proposed scheme resists against masquerading attack.

5.1.7 Resist insider attack.

In registration phase of the newly stated protocol. transmits a message containing (IDi, PWDi) instead of (IDi, PWi), where . So, is incapable of obtaining the user’s password PWi without knowledge of . Hence, it is impossible for to launch the insider attack.

5.1.8 Session key secrecy.

The two random numbers r1 and r2 are used to compute the session key for every session. These two numbers are chosen by the server and user , independently, and are different in each session. So, if one of the session keys is exposed, the rest of the session keys remain unaffected. Hence, the new proposal achieves session key secrecy.
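
The key agreement that sections 5.1.1, 5.1.5 and 5.1.8 reason about can be exercised end to end. This is an added example, not the authors' code; it assumes X = r1.P and D = r2.P, the authenticators h(sk‖PWDi‖X) and h(sk‖PWDi‖D), SHA-256 for h(), secp256k1 as a stand-in curve, and PWDi already known to both sides. The encrypted M2 and the timestamp check are left out.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters, used as a stand-in: the paper names no curve.
# Assumptions: X = r1.P, D = r2.P, h = SHA-256, PWD known to both sides.
P_FIELD = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    if pt is None:                       # None is the point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_FIELD == 0

def add(p1, p2):
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication k.P (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(*parts):
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def checked(pt):
    """Refuse infinity and off-curve points before using them as DH input."""
    if pt is None or not on_curve(pt):
        raise ValueError("invalid curve point")
    return pt

class User:
    def __init__(self, pwd):
        self.pwd = pwd
    def request(self):
        self.r1 = secrets.randbelow(N - 1) + 1   # fresh per session
        self.X = mul(self.r1, G)
        return self.X
    def respond(self, D, auth_s):
        sk = enc(mul(self.r1, checked(D)))       # sk = r1.(r2.P)
        if not hmac.compare_digest(auth_s, h(sk, self.pwd, enc(self.X))):
            raise ValueError("server authenticator rejected")
        self.sk = sk
        return h(sk, self.pwd, enc(D))           # Auth_u

class Server:
    def __init__(self, pwd):
        self.pwd = pwd
    def challenge(self, X):
        self.r2 = secrets.randbelow(N - 1) + 1   # fresh per session
        self.D = mul(self.r2, G)
        self.sk = enc(mul(self.r2, checked(X)))  # sk = r2.(r1.P)
        return self.D, h(self.sk, self.pwd, enc(X))   # D, Auth_s
    def finish(self, auth_u):
        return hmac.compare_digest(auth_u, h(self.sk, self.pwd, enc(self.D)))

def run_session(pwd):
    user, server = User(pwd), Server(pwd)
    challenge = server.challenge(user.request())
    accepted = server.finish(user.respond(*challenge))
    return accepted, user.sk, server.sk, challenge

def old_challenge_accepted(pwd):
    """Replay a recorded {D, Auth_s} into a new session with a fresh r1."""
    *_, recorded = run_session(pwd)
    user = User(pwd)
    user.request()
    try:
        user.respond(*recorded)
        return True
    except ValueError:
        return False
```

Because r1 changes every session, a recorded challenge no longer matches h(sk‖PWDi‖X) and the user aborts, while two honest runs with the same PWDi still end with different session keys.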

5.2 Formal security analysis

This segment presents the formal security analysis of the present protocol. This analysis validates the claim that the proposed scheme is provably secure.

Theorem 1 The robust authentication protocol with anonymity using ECC for the session initiation protocol, PREBMAPSIP, is provably secure against an adversary . Owing to the ECDLP assumption and the security of the hash function, it is impossible to obtain the user’s real identity IDi, password PWi, user private key and the session key sk shared between user and the server .

Proof 1 To show that the presented protocol is provably secure, a model similar to that of [33, 34, 36, 37] is adopted.

Before proceeding ahead, following oracles are defined:

  • Extract 1: This oracle returns the input A from the output B = h(A) of a secure one-way hash function.
  • Extract 2: This oracle returns the plaintext p from the ciphertext C = Ek(p) without knowledge of the shared symmetric key k.
  • Extract 3: This oracle returns the integer multiplier a, given an ECC point a.P.

performed the experiment to break the proposed PREBMAPSIP protocol. is allowed to use the Extract 1, Extract 2 and Extract 3 oracles for the said purpose. has the potential to retrieve the user’s private key , user’s password PWi and shared session key sk by executing the experiment and by use of the oracles Extract 1, Extract 2 and Extract 3. The probability of success for the said experiment , where performed several queries qre1, qre2 and qre3 in polynomial time t. According to the experiment , can break the PREBMAPSIP security if and only if he can (1) break the security of the one-way hash function (inversion), (2) obtain the plaintext without knowledge of the key (decipher text) and (3) break ECDLP (extracting the scalar). However, it is computationally impractical to break the one-way hash function, decrypt the message without the key and break ECDLP. Hence, the newly presented protocol for SIP is provably secure against to acquire IDi, PWi, , and sk.

Algorithm 1

1: Eavesdrop the request message (M1, M2), Where M2 = EX(tiIDiXPWDi)

2: Call Extract 2 on EX(tiIDiXPWDi) to obtain Extract 2 (M2).

3: Call Extract 3 on (X′) to obtain Extract (X′).

4: Eavesdrop challenge message (M3, Auths), Where Auths = h(sksTX)

5: Call Extract 1 on h(sksTX) and get Extract 1 (Auths)

6: Call Extract 3 on (X″) to obtain Extract (X″).

7: then if .

8: Compute .

9: if X′ = X then

10:  Accept

11:  Call Extract on PWDi to obtain (, , ) ← Extract 1 (PWDi).

12:  Accept the deduced , , and as the appropriate user’s identity IDi user’s password PWi, user’s secret key and session key sks between and .

13:  return Success

14: else

15:  return Fail

16: end if

6 Performance & security comparisons

6.1 Computation cost analysis

In this segment, the performance and security of the present protocol are evaluated against previously stated schemes [24–29, 38–41]. The registration phase is performed only once before authentication, so the performance comparison focuses mainly on the authentication phase. For the performance calculation, the notation used for the different cryptographic operations is as follows:

  • tsh: time to compute secure One-way hash function
  • tem: time to calculate point multiplication
  • tea: time to calculate point addition operations
  • temt: time to calculate map to point operation
  • : time for a symmetric encryption/decryption

The running times for tsh, tem, tea, temt and are approximately 0.0023 ms, 2.226 ms, 0.0288 ms, 0.947 ms and 0.0046 ms, respectively, as reported recently by Kilinc and Yanik [42]. Furthermore, XOR and inverse operations are neglected because of their insignificance, as indicated by Kilinc and Yanik. The performance comparison with the recent allied schemes is shown in Table 2.

Table 2 demonstrates that the present protocol has the same running time as the previously proposed scheme [27]. Moreover, [27] is found to be insecure against some known attacks. The remaining schemes [24–26, 28, 29, 38–41] almost all have relatively longer running times and are also found to be insecure against some known attacks. Moreover, the proposed scheme is provably secure and resists all the possible attacks, as shown in section 5.

6.2 Communication cost analysis

The communication cost of the present protocol is compared with that of the counterpart schemes [24–29, 38–41] in Table 3. The present protocol incurs the same or less communication overhead than the relevant schemes [24–26, 28, 29, 38–41], whereas it has some additional communication overhead compared to [27]. However, in terms of the number of messages exchanged, the present protocol provides better performance than the previously stated schemes.

6.3 Security comparison

In Table 4, the comparison of security parameters for the present protocol with conventional schemes [24–29, 38–41] is summarized. It is easy to conclude from Table 4 that the proposed scheme gives better results than its conventional counterparts. The proposed scheme not only excels in efficiency but also provides mutual authentication. The proposed protocol is robust against user as well as server masquerading attacks.

7 Conclusion

In this research work, Lu et al.’s scheme is cryptanalyzed and it is shown that the protocol is insecure against server and user masquerading attacks. Moreover, the login and authentication phase is found to be incorrect. To overcome these drawbacks, a novel technique is proposed for reducing the processing time and enhancing the system protection. It is proved to be relatively more secure than the conventional techniques, as verified through the well-known random oracle model. Hence, the proposed technique provides enhanced security and better performance, so it is suitable for practical applications.

Acknowledgments

This Research work is funded by the National key R & D Project Research on New Principle and New Algorithm of Electronic Currency under grant No. yfb0802505(2017), NSFC-Zhejiang Joint Fund for the Integration of Industrialization and Informatization under grant No. U1509219, National Science Foundation of China Grant No. 61271220 and Priority Development Field Project of Doctoral Fund under grant No. 20130073130006 and Shanghai Municipal Science and Technology Project under grant No. 16511102605 and No. 16DZ1200702.

References

  1. Salsano S, Veltri L, Papalilo D. SIP security issues: the SIP authentication procedure and its processing load. IEEE network, 16(6), (2002), 38–44. Available from: http://dx.doi.org/10.1109/MNET.2002.1081764.
  2. Chaudhry S. A, Naqvi H, Sher M, Farash M. S, Hassan M U. An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Networking and Applications, 10(1) (2017), 1–15. Available from: http://dx.doi.org/10.1007/s12083-015-0400-9.
  3. Irshad A, Sher M, Rehman E, Chaudhry S. A, Hassan M. U, Ghani A A single round-trip sip authentication scheme for voice over internet protocol using smart card. Multimedia Tools and Applications, 74(11), (2015), 3967–3984. Available from: http://dx.doi.org/10.1007/s11042-013-1807-z.
  4. Kumari S. Design flaws of an anonymous two-factor authenticated key agreement scheme for session initiation protocol using elliptic curve cryptography Multimedia tools and applications, 76.11 (2017): 13581–13583. Available from: http://dx.doi.org/10.1007/s11042-013-1807-z.
  5. Kumari S, Karuppiah M, Das A. K, Li X, Wu F, Gupta V. Design of a secure anonymity-preserving authentication scheme for session initiation protocol using elliptic curve cryptography. Journal of Ambient Intelligence and Humanized Computing, 1–11. (2017). Available from: http://dx.doi.org/10.1007/s12652-017-0460-1.
  6. Chaudhry S. A. Comment on ‘Robust and efficient password authenticated key agreement with user anonymity for session initiation protocol-based communications IET Communications. 2015; 9 (7):1034–1034. Available from: http://dx.doi.org/10.1049/iet-com.2014.1082
  7. Yang C. C, Wang R. C, Liu W. T. Secure authentication scheme for session initiation protocol. Computers and Security Elsevier. 2005, 24(5), 381–386. Available from: http://dx.doi.org/10.1016/j.cose.2004.10.007
  8. Geneiatakis D, Dagiuklas T, Kambourakis G, Lambrinoudakis C, Gritzalis S, Ehlert S, Sisalem D. Survey of security vulnerabilities in session initiation protocol. IEEE Communications Surveys and Tutorials 8 (1–4) (2006) 68–81. Available from: http://dx.doi.org/10.1109/COMST.2006.253270
  9. Sisalem D, Kuthan J, Ehlert S. Denial of service attacks targeting a sip voip infrastructure: attack scenarios and prevention mechanisms, Network IEEE 20 (5) (2006) 26–31. Available from: http://dx.doi.org/10.1109/MNET.2006.1705880
  10. Huang H. F, Wei W. C. A new efficient authentication scheme for session initiation protocol. computing 1 (2). Available from: http://dx.doi.org/10.2991/jcis.2006.222
  11. Jo H, Lee Y, Kim M, Kim S, Won D. Off-line password-guessing attack to yang’s and huang’s authentication schemes for session initiation protocol. in: INC, IMS and IDC, 2009. NCM’09. Fifth International Joint Conference on IEEE 2009, pp. 618–621. Available from: http://dx.doi.org/10.1109/NCM.2009.251
  12. Durlanik A, Sogukpinar I. Sip authentication scheme using ecdh. World Enformatika Society Transactions on Engineering Computing and Technology 8 (2005) 350–353. Available from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.192.9488&rep=rep1&type=pdf
  13. Koblitz N. Elliptic curve cryptosystems. Mathematics of computation 48 (177) (1987) 203–209. Available from: http://dx.doi.org/10.1090/S0025-5718-1987-0866109-5
  14. Islam Hafizul SK, Amin R, Biswas GP, Farash M S, Xiong Li, Kumari S. Improved three party authenticated key exchange protocol using hash function and elliptic curve cryptography for mobile-commerce environments Journal of King Saud University Computer and Information Sciences Available from: https://doi.org/10.1016/j.jksuci.2015.08.002.
  15. Islam Sk Hafizul, and Biswas G P. Design of two-party authenticated key agreement protocol based on ECC and self-certified public keys. Wireless Personal Communications 82.4 (2015): 2727–2750. Available from: http://dx.doi.org/10.1007/s11277-015-2375-5
  16. Islam S H, Biswas G P. An improved pairing-free identity-based authenticated key agreement protocol based on ECC. Procedia Engineering, 30, (2012). 499–507. Available from: http://dx.doi.org/10.1016/j.proeng.2012.01.890
  17. Liao Y P, Wang S S. A new secure password authenticated key agreement scheme for sip using self-certified public keys on elliptic curves. Computer Communications 33 (3) (2010) 372–380. Available from: http://dx.doi.org/10.1016/j.comcom.2009.10.005
  18. Chaudhry S A, Naqvi H, Sher M, Farash M S, Hassan M U. An improved and provably secure privacy preserving authentication protocol for sip. Peer-to-Peer Networking and Applications (2015) –15. Available from: http://dx.doi.org/10.1007/s12083-015-0400-9
  19. Wu L., Zhang Y., Wang F. A new provably secure authentication and key agreement protocol for sip using ecc. Computer Standards and Interfaces 31 (2) (2009) 286–291. Available from: http://dx.doi.org/10.1016/j.csi.2008.01.002
  20. Yoon E J, Yoo K Y, Kim C, Hong Y S, Jo M, Chen H H. A secure and efficient sip authentication scheme for converged voip networks. Computer Communications 33 (14) (2010) 1674–1681. Available from: http://dx.doi.org/10.1016/j.comcom.2010.03.026
  21. Denning Dorothy E and Sacco Giovanni Maria Timestamps in key distribution protocols. Communications of the ACM (1981) 533–536. Available from: http://dx.doi.org/10.1145/358722.358740
  22. Pu Q. Weaknesses of sip authentication scheme for converged voip networks. IACR Cryptology ePrint Archive 2010 (2010) 464. Available from: http://eprint.iacr.org/2010/464.
  23. Tsai J L. Efficient nonce-based authentication scheme for session initiation protocol. IJ Network Security 9 (1) (2009) 12–16. Available from: https://pdfs.semanticscholar.org/58bd/1e7e19e5e3698e80fe82a23c84515723aefd.pdf
  24. Arshad R, Ikram N. Elliptic curve cryptography based mutual authentication scheme for session initiation protocol. Multimedia tools and applications 66 (2) (2013) 165–178. Available from: http://dx.doi.org/10.1007/s11042-011-0787-0
  25. Yoon E J, Shin Y N, Jeon I. S, Yoo K Y. Robust mutual authentication with a key agreement scheme for the session initiation protocol. IETE Technical Review 27 (3) (2010) 203–213. Available from: http://dx.doi.org/10.4103/0256-4602.62780
  26. Xie Q. A new authenticated key agreement for session initiation protocol. International Journal of Communication Systems 25 (1) (2012) 47–54. Available from: http://dx.doi.org/10.1002/dac.1286
  27. Farash M S, Attari M A. An enhanced authenticated key agreement for session initiation protocol. Information Technology And Control 42 (4) (2013) 333–342. Available from: http://dx.doi.org/10.5755/j01.itc.42.4.2496
  28. Zhang Z, Qi Q, Kumar N, Chilamkurti N, Jeong H Y. A secure authentication scheme with anonymity for session initiation protocol using elliptic curve cryptography. Multimedia Tools and Applications 74 (10) (2014) 3477–3488. Available from: http://dx.doi.org/10.1007/s11042-014-1885-6
  29. Lu Y, Li L, Peng H, Yang Y. A secure and efficient mutual authentication scheme for session initiation protocol. Peer-to-Peer Networking and Applications 9(2) (2016) 449. Available from: http://dx.doi.org/10.1007/s12083-015-0363-x
  30. Eisenbarth T, Kasper T, Moradi A, Paar C, M. Salmasizadeh, Shalmani M. T. M. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. Advances in Cryptology—CRYPTO 2008 Springer 2008, pp. 203–220. Available from: http://dx.doi.org/10.1007/978.3.540.85174.5.12.
  31. Yang W H, Shieh S P. Password authentication schemes with smart cards. Computers & Security 18 (8) (1999) 727–733. Available from: http://dx.doi.org/10.1016/S0167-4048(99)80136-9.
  32. Hölbl M, Welzer T, Brumen B. An improved two-party identity-based authenticated key agreement protocol using pairings. Journal of Computer and System Sciences 78 (1) (2012) 142–150. Available from: http://dx.doi.org/10.1016/j.jcss.2011.01.002.
  33. Kocher P, Jaffe J, Jun B. Differential power analysis. Advances in Cryptology—CRYPTO’ 99 Springer, 1999, pp. 388–397. Available from: http://dx.doi.org/10.1007/3.540.48405.1.25
  34. Messerges T S, Dabbish E, Sloan R H. Examining smart-card security under the threat of power analysis attacks. Computers IEEE Transactions on 51 (5) (2002) 541–552. Available from: http://dx.doi.org/10.1109/TC.2002.1004593
  35. 35. Hankerson D, Menezes A J, Vanstone S. Guide to elliptic curve cryptography. Springer Science & Business Media, 2006. Available from: https://link.springer.com/book/10.1007.2Fb97644
  36. 36. Odelu V, Das A K, Goswami A. A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Information Sciences 269 (2014) 270–285. Available from: http://dx.doi.org/10.1016/j.ins.2013.10.022
  37. 37. Chatterjee S, Das A K, Sing J K. An enhanced access control scheme in wireless sensor networks. Adhoc & Sensor Wireless Networks 21 (1).
  38. 38. He D, Chen J, Chen Y. A secure mutual authentication scheme for session initiation protocol using elliptic curve cryptography. Security and Communication Networks 5 (12) (2012) 1423–1429. Available from: http://dx.doi.org/10.1002/sec.506
  39. 39. Zhang L, Tang S, Cai Z. Efficient and flexible password authenticated key agreement for voice over internet protocol session initiation protocol using smart card. International Journal of communication systems 27 (11) (2014) 2691–2702. Available from: http://dx.doi.org/10.1002/dac.2499
  40. 40. Yeh H L, Chen T H., Shih W K. Robust smart card secured authentication scheme on sip using elliptic curve cryptography. Computer Standards & Interfaces 36 (2) (2014) 397–402. Available from: http://dx.doi.org/10.1016/j.csi.2013.08.010
  41. 41. Tu H, Kumar N, Chilamkurti N, Rho S. An improved authentication protocol for session initiation protocol using smart card. Peer-to-Peer Networking and Applications (2014) 1–8. Available from: http://dx.doi.org/10.1007/s12083-014-0248-4
  42. 42. Kilinc H H, Yanik T. A survey of sip authentication and key agreement schemes. Communications Surveys & Tutorials IEEE 16 (2) (2014) 1005–1023. Available from: http://dx.doi.org/10.1109/SURV.2013.091513.00050