3.1 Authentication process of GLOMONET

GLOMONET consists of a home node, a foreign node, and a mobile node. The goal of GLOMONET is to provide secure and efficient roaming when the mobile node is out of the network of its home node, sharing the session key and communicating with the home node through the foreign network’s foreign node [13]. This process consists of three major steps.

1. Registration phase: the mobile node registers its identity and password with the home node.
2. Login phase: when the mobile node changes network, the mobile node proves its identity through foreign nodes.
3. Authentication phase: the home node verifies the mobile node and the foreign node, then generates and shares the session key.

The process of a login/authentication phase is illustrated in Fig 1.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. Authentication process of the GLOMONET environment.

https://doi.org/10.1371/journal.pone.0247441.g001

3.2 Threat model

To analyze the security of the user authentication scheme, we present a threat model based on the Dolev–Yao model [14]. In the threat model, which is applied to both the existing and proposed schemes, the adversary has the following capabilities [15, 16].

1. Any message sent over the public channel can be intercepted by an adversary.
2. An adversary can reprocess, delete, or alter eavesdropping messages.

In addition, in smartcard-based user authentication, we assume that the user’s smartcard is stolen to ensure the safety of the proposed scheme. Thus, the important parameter in it can be acquired via side channel attacks [17]. In addition, an adversary can guess a user’s identity or password offline. According to Wang et al. [18], the dictionary space of a user’s identity or password is 2²⁰ ≈ 10⁶, and thus it can be guessed by an adversary within polynomial time.

3.3 One-way hash function

A one-way hash function is a function that can be used for data integrity and message authentication. It compresses a string of bits of arbitrary length into a hash code that is a fixed length output. A one-way hash function satisfies the following properties [19, 20].

1. Preimage resistance: if h(x) is output by the input value x, it is computationally impossible to find an input value x when only the output value h(x) is given.
2. Second preimage resistance: given both input x and output h(x), it is computationally impossible to find or produce x′ that returns the same h(x).
3. Collision resistance: it is computationally difficult to find a pair of inputs x, x′ with the same output h(x) = h(x′).

3.4 Privacy in the user authentication scheme

In the user authentication scheme, privacy is preserved by satisfying the following four conditions:

1. Parameter privacy: Information related to the user’s identity and password and the session key must not be exposed or derived under any circumstances. In the case of enhanced privacy, the session key is also included in the condition.
2. User anonymity: Even for user verification, the user’s identity should not be exposed as it is in login communication.
3. User non-traceability: Assuming that there are two different sessions, the attacker must not know if they are the same person even though they cannot specify the user of the session.
4. Resistant to user impersonation: Even if the user’s information is not known, an attacker must not be able to trick other parties by pretending to be a legitimate user.

Situational examples where some conditions are not satisfied are described as follows.

Fig 2 presents an example where user anonymity is not satisfied [21]. It can be observed that the user’s identity is transmitted in plain text without any processing during the login phase. Fig 3 presents an example where user non-traceability is not satisfied [22]. The user’s identity and password are hashed with a random number generated by the user during the registration phase in the form of T_i = h(h(PW_i ⊕ b)||ID_i) ⊕ β_i. In this case, the attacker who steals the login message cannot identify the user. However, the value of T_i is the same for each login attempt; hence, the attacker can determine whether two different login request messages have been generated by the same user through T_i.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. Example of user anonymity not being satisfied.

https://doi.org/10.1371/journal.pone.0247441.g002

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Example of user non-traceability not being satisfied.

https://doi.org/10.1371/journal.pone.0247441.g003

4.1 Registration phase

1. (1). The mobile node’s user freely chooses an identity ID_MN, password PW_MN, and randomly generated nonce r.
2. (2). The mobile node computes U = h(PW_MN||r) and sends a registration request message as follows:
3. (3). The home node selects a randomly generated random nonce m, and computes B = U ⊕ h(ID_MN||m), N_MN = h(U||R_T) ⊕ ID_MN.
4. (4). The home node issues a smartcard and stores {B, N_MN, m, U, h(.)}, and then sends it to the mobile node’s user through a secure channel.
5. (5). The mobile node stores nonce r generated in step (1) to the smartcard.

4.2 Login phase

1. (1). The mobile node’s user inputs their identity and password into the smartcard.
2. (2). The node calculates then checks . If not equal, the mobile node terminates the login phase.
3. (3). The smartcard generates the random nonce r₁ and sends a login request message as follows:
4. (4). After receiving the login request message, the foreign node checks the freshness of the timestamp T₁ and V, then generates a random nonce r₂ and sends the following message:

4.3 Authentication phase

1. (1). After receiving message M₂, the home node checks the freshness of timestamp T₂ and Y, V, then derives ID_MN = h(U||R_T) ⊕ N_MN.
2. (2). The home node calculates K* = h(ID_HN||ID_FN||R_T) and generates session key SK = h(ID_MN||K*||ID_HN||r₂).
3. (3). The home node sends the following message:
4. (4). The foreign node checks the freshness of timestamp T₃, derives session key SK′ = K₀ ⊕ h(K*||V₁), and sends the following message:
5. (5). The mobile node checks the freshness of timestamp T₄, calculates , and checks . If not equal, the mobile node terminates the authentication phase.
6. (6). The mobile node derives the session key SK = h(ID_MN||K*||ID_HN||r₂).

4.4 Password change phase

A mobile node user that wants to change their password can request a password change phase.

1. (1). The user inputs their existing identity and password , then the smartcard computes .
2. (2). The smartcard checks . If not equal, the smartcard rejects the password change phase.
3. (3). The user inputs their new password PW_new, then the smartcard computes B′ = (U′ ⊕ h(PW_new||m)) and .
4. (4). The smartcard replaces B with B′, N_MN with , and U with U′ in its contents.

5.1 Incomplete verification of identity and password

In a typical authentication scheme, the determination of a user attempting to login begins with verifying that the user has entered the correct identity and password. Also a user wants to change his or her password, the user’s identity and password are first verified and the password change procedure is performed. However, in Ahmed et al.’s scheme, process of verifying the user’s identity and password is incomplete both login and password change phase. In the login phase, user inputs their identity and password to login. However, in the login phase, creating B′ value with the input identity and password, and if it matches the B value stored in the smartcard, it verifies that the user is the legitimate user and proceeds to the next step. However, the only verification that can be done with this comparison is that the stored identity value is the same as the input identity value. Because B is composed of U ⊕ h(ID_MN||m), and information related to the user’s password(PW_MN) is not in B. Such that, the verification process succeeds if only the identity is the same even if the user incorrectly enters the password in the login phase. Similarly in the password change phase, user inputs their identity and password to password change. Likewise, creating U′ value with the input identity and password, and if it matches the U value stored in the smartcard, it verifies that the user is the legitimate user and proceeds to the next step. However, the only verification that can be done with this comparison is that the stored password value is the same as the input password value. Because U is composed of h(PW_MN||r), and information related to the user’s identity(ID_MN) is not in U. Therefore, these comparisons cannot properly verify the user. The process of incomplete verification of identity and password in each phase is shown in Fig 4.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. Incomplete verification of identity and password in Ahmed et al.’s scheme.

https://doi.org/10.1371/journal.pone.0247441.g004

5.2 Lack of resistance to offline password guessing attack

An offline password guessing attack allows the adversary to guess a user’s password. In Ahmed et al.’s scheme, an adversary that steals a smartcard can use side channel attacks, then simply guess the user’s password using the values in the smartcard. The process of offline password guessing attack is described below.

1. (1). The adversary extracts U and r values in smart card through side channel attack (by Section 2.2 Threat model).
2. (2). The adversary selects the existing password candidate PW₁ through dictionary attack and calculate U′ = h(PW₁||r).
3. (3). Check whether U′ and U are equal. If they are different, go back to (2), and pick another password candidate from the dictionary and continue guessing with PW₂, PW₃, …, PW_n.
4. (4). If they are same, the adversary knows that inferred PW_i is the password for the mobile node.

5.3 Lack of resistance to offline identity guessing attack

An offline identity guessing attack allows the adversary to guess a user’s identity. In particular, if the identity and password can be guessed independently, the adversary achieves the ideal conditions to impersonate the user. Therefore, an attack that can infer the identity and password should be considered first in a user authentication scheme. In Ahmed et al.’s scheme, SID in login phase is same as mobile node’s identity ID_MN for the reason below:

SID = h(U‖R_T) ⊕ N_MN [∵ in the Ahmed et al.’s scheme Login phase 4.2 (3)]

⇔ SID = h(U‖R_T) ⊕ h(U‖R_T) ⊕ ID_MN [∵ N_MN = h(U‖R_T) ⊕ ID_MN in the Ahmed et al.’s scheme registration phase 4.1 (3)]

⇔ SID = ID_MN [∵ h(U‖R_T) ⊕ h(U‖R_T) = 0]

The process of the adversary performing an offline identity guessing attack is described below.

1. (1). The adversary eavesdropped V = h(K‖SID‖r₁‖T₁) in login request message M₁ which communicates via public channel.
2. (2). According to the above proof, since the SID and the identity of the mobile node ID_MN are the same, V can be expressed as V = h(K‖ID_MN‖r₁‖T₁)
3. (3). The adversary eavesdropped K, r₁, T₁ in login request message.
4. (4). The adversary selects the existing identity candidate ID₁ through dictionary attack and calculate V′ = h(K‖ID₁‖r₁‖T₁).
5. (5). Check whether V′ and V are equal. If they are different, go back to (4), and pick another identity candidate from the dictionary and continue guessing with ID₂, ID₃, …, ID_n.
6. (6). If they are same, the adversary knows that inferred ID_i is the identity for the mobile node.

5.4 Absence of mobile node non-traceability

Non-traceability signifies that when the adversary analyzes multiple login request messages, it is impossible to know whether different login request messages are from the same user. Therefore, to satisfy non-traceability, all contents of a login request message should be generated based on a random nonce or the contents of the smartcard should be changed continuously periodically. In Ahmed et al.’s scheme, the login request message container K is created using a bit-wise exclusive OR operation of N_MN, U, and ID_MN. However, these three values are never changed after the registration phase. Thus, the value of K does not change every time a mobile node user logs in, and non-traceability is not satisfied.

5.5 Lack of resistance to mobile node impersonation attack

An impersonation attack implies that an adversary creates a fake login request message for the purpose of passing authentication. Then, the home node receives the message and misinterprets an adversary as a legitimate user through the login phase. The process of impersonating a mobile node and obtaining parameters is described below.

1. (1). The adversary selects a random nonce and current-time-based timestamp
2. (2). The adversary calculates K′ = N_MN ⊕ U ⊕ ID_MN using the smartcard’s container and identity guessing attack (Section 4.3).
3. (3). The adversary generates .
4. (4). The adversary sends the fake login request message to the home node via the foreign node.

After the home node receives message , the home node checks the legitimacy of the mobile node’s message. However, the home node is not able to distinguish between V′ and V because the adversary has used a legitimate user’s identity ID_MN. Thus, the verification phase is terminated normally, and the session key is established with the adversary.

5.6 Absence of resistance to session key derived attack

The session key is an encryption key used only by one party during a communication session. If there several ciphertexts use one key, the session key may be analyzed to calculate the key. Therefore, the session key should not be derived in any case other than with a legitimate party for communication. However, Ahmed et al.’s scheme allows the adversary to derive a session key and allow the adversary to communicate with the derived session key. In Ahmed et al.’s scheme, the session key can lead to two attack scenarios. Each attack scenario comprises the adversary performing a session key derived attack; these scenarios are shown in Fig 5.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. Session key derived attack in Ahmed et al.’s scheme.

https://doi.org/10.1371/journal.pone.0247441.g005

5.7 Lack of session key mutual authentication

Mutual authentication means establishing a session key after authenticating a party other than itself to all parties participating in the communication. In addition, the general purpose of mutual authentication is to ensure that the session key created in each party is created correctly. Otherwise, the session key could be tampered with by a malicious adversary, and the session key thus created would be able to communicate with the malicious adversary. However, in Ahmed et al.’s scheme, the session key created in the home node is derived from the mobile node, but the phase ends without any verification of the created session key.

6.1 Secure protection of identity and password

To address the aforementioned weaknesses, first, secure protection of the identity and password is required. Because privacy information, such as a user’s identity or password, can be guessed by an adversary, it is important to make it impossible to infer it solely by combining it with other random nonces. To this end, we protect the password with the random nonce generated in the registration phase; further, the system is designed to require the correct identity to induce a random nonce. In other words, to verify whether the user has entered the correct identity and password, a mutual derivation structure was created that derives a random nonce through the entered identity and verifies the password through the derived random nonce.

6.2 Satisfy user non-traceability

To satisfy the user’s non-traceability, the home node needs to update the user’s information in the authentication phase. The home node generates a random nonce and updates the user’s information with the generated random nonce, and the values in the user’s smartcard must be updated accordingly. In addition, the generated random nonce must be safely transmitted in the public channel, which has the risk of eavesdropping. To this end, the scheme must protect the random nonce with the value that only the user can derive so that the user can safely derive the random nonce created by the home node.

6.3 Secure session key and mutual authentication

The session key is also created based on the random nonce created by each mobile node and foreign node, and the scheme is designed to securely protect the generated random nonce. The scheme must also employ various credentials in the session key generation because these parameters can be kept unavailable to attackers, who, as a result, cannot compute a session key within a reasonable time. In addition, it creates an additional variable that can verify that the session key is correct, and this enables mutual authentication for the session key.

7.1 Registration phase

In the registration phase, the user of the mobile node selects their identity and password, registers with the home node in its home network, and receives a smartcard from the home node. The progress of the registration phase is as follows and is depicted in Fig 6.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. Registration phase of proposed scheme.

https://doi.org/10.1371/journal.pone.0247441.g006

1. (1). The mobile node’s user freely chooses identity ID_MN, password PW_MN, and randomly generated nonce r.
2. (2). The mobile node computes U = h(PW_MN||r), CID = h(ID_MN||r), and sends a registration request message as follows:
3. (3). The home node computes A_i = h(CID||s), B_i = A_i ⊕ h(U).
4. (4). The home node issues a smartcard and stores {B_i, h(.)}, then sends it to the mobile node’s user through the secure channel.
5. (5). The mobile node computes R_i = h(CID||U) and stores R_i generated in step (1) to the smartcard.

7.2 Login phase

In the login phase, users who have moved to a foreign network enter their identity and password through a smartcard to use their home network service. Then, the smartcard verifies whether the value is correct by comparing it with the information in the smartcard. Next, the foreign node transmits the user’s information and the foreign node’s information to the home node in the user’s home network. The process of the login phase is as follows and is depicted in Fig 7.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. Login phase of proposed scheme.

https://doi.org/10.1371/journal.pone.0247441.g007

1. (1). The mobile node’s user inputs identity and password and , respectively into the smartcard.
2. (2). The mobile node calculates , , then checks . If not equal, the mobile node terminates the login phase.
3. (3). The smartcard generates a random nonce n₁ and computes . Then, it sends a login request message as follows:
4. (4). After receiving a login request message, the foreign node checks the freshness of timestamp T₁, generates a random nonce n₂, and sends the following message:

7.3 Authentication phase

In the authentication phase, the home node uses the message received from the foreign node to verify the validity of the foreign node and the mobile node. Next, a session key is created to start the service with the mobile node in the foreign network, then the session key is sent to the home node via the foreign node. The progress of the login phase is as follows and is depicted in Fig 8.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 8. Authentication phase of proposed scheme.

https://doi.org/10.1371/journal.pone.0247441.g008

1. (1). After receiving message M₂, the home node checks the freshness of timestamp T₂, derives and , and then checks . If not equal, the home node determines that the validity of the foreign node has not been confirmed and terminates the authentication phase.
2. (2). Then, the home node calculates , , , , and .
3. (3). The home node checks ; if not equal, the home node determines that the validity of the mobile node has not been confirmed and terminates the authentication phase.
4. (4). The home node generates a session key as .
5. (5). The home node generates a random nonce n₃ and sends the following message:
6. (6). The foreign node checks the freshness of timestamp T₃, derives a session key SK′ = H₁ ⊕ h(FH_k||n₂), and checks the session key as .
7. (7). The foreign node sends the following message:
8. (8). The mobile node checks the freshness of timestamp T₄ and calculates .
9. (9). The mobile node derives a session key , then checks . If not equal, the mobile node terminates the authentication phase.
10. (10). To remove the traceability of the mobile node, the contents of the smartcard are changed as follows:

7.4 Password change phase

If a mobile node’s user wants to change their password, they can request a password change phase. The proposed scheme’s password change phase proceeds as follows. The process of the password change phase is as follows and is depicted in Fig 9.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 9. Password change phase of proposed scheme.

https://doi.org/10.1371/journal.pone.0247441.g009

1. (1). A user inputs their existing identity and password , then the smartcard computes and .
2. (2). The smartcard checks . If not equal, the smartcard rejects the password change phase. If equal, the smartcard derives .
3. (3). The user inputs their new password , then the smartcard computes , , and .
4. (4). The smartcard replaces B_i with and R_i with in its contents.

8.1 Formal security analysis: ProVerif

Simulation code materialization.

Simulation code for verification of our proposed scheme was implemented with eight components.

1. Channels: defines channels used for communication between each party. In total, there are three channels, and ‘cha’ is set as private because it is a secure channel used for communication between mobile node and home node in the registration phase. The channel ‘chb’ is the public channel used for communication between the mobile node and foreign node. The channel ‘chc’ is the public channel used for communication between the foreign node and home node.
2. Constants: defines constants used in the protocol. The identity and password of the mobile node are defined as ‘IDmn’ and ‘PWmn’. These two constants are set to private because they are confidential information that should not be disclosed, but the attacker was able to guess ‘IDmn’ and ‘PWmn’, so they were set to weaksecret. The identity of the home node and foreign node are not set to private because they are public information.
3. Secret key: defines a long-term secret key used in the protocol. In our proposed scheme, there are ‘s’, the secret key of the server, and ‘FHk’, the pre-shared key between the foreign node and the home node.
4. Shared key: defines the session key derived from the protocol.
5. Functions: defines the function used in the protocol. In our proposed scheme, concatenation, bit-wise exclusive OR, and hash function are defined and each function’s expressions are written.
6. Events: defines the communication start and end events of each node.
7. Process: defines the communication process for each node. Channels and parameters transmitted through channels can be defined through the ‘out’ and ‘in’ functions during the communication process.
8. Queries: defines the query on which the attacker’s capabilities will be modeled and verified. We verify that the session key and the identity and password of the user cannot be derived by an attacker and the internodal relationships are used to determine the process of the proposed scheme in the proper order.

The code for channels, constants, secret key, shared key, and functions is displayed in Fig 10; the mobile node, foreign node, and home node process codes for each are displayed in Figs 11, 12, and 13, respectively. The code for query is displayed in Fig 14.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 10. ProVerif simulation code for channels, constants, secret key, shared key, and functions.

https://doi.org/10.1371/journal.pone.0247441.g010

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 11. ProVerif simulation code for mobile node process.

https://doi.org/10.1371/journal.pone.0247441.g011

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 12. ProVerif simulation code for foreign node process.

https://doi.org/10.1371/journal.pone.0247441.g012

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 13. ProVerif simulation code for the home node process.

https://doi.org/10.1371/journal.pone.0247441.g013

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 14. ProVerif simulation code for queries.

https://doi.org/10.1371/journal.pone.0247441.g014

Simulation result.

ProVerif outputs the results of query as the following five results [25].

• RESULT [Query] is true: the query is proved, there is no attack. In this case, ProVerif displays no attack derivation and no attack trace.
• RESULT [Query] is false: the query is false, ProVerif has discovered an attack against the desired security property.
• RESULT [Query] cannot be proved: ProVerif could not prove that the query is true and also could not find an attack that proves that the query is false.
• RESULT inj-event[Event] ⇒ inj-event[Event] is true: the latter event is proved; that is, the authentication of the former to latter holds.
• RESULT inj-event[Event] ⇒ inj-event[Event] is false: the latter event is not proved; that is, the authentication of the former to latter does not hold.

The simulation results of ProVerif for our proposed scheme are displayed in Fig 15.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 15. ProVerif simulation result for proposed scheme.

https://doi.org/10.1371/journal.pone.0247441.g015

Thus, our proposed scheme can safely protect the session key and mobile node’s secret information from the attacker. Furthermore, it can be seen that internodal mutual authentication has been achieved.

8.2 Formal security analysis: AVISPA

Overview of AVISPA.

The AVISPA project aims at developing a push-button, industrial-strength technology for the analysis of large-scale Internet security-sensitive protocols and applications [26, 27]. The AVISPA Tool provides a suite of applications for building and analyzing formal models of security protocols [28, 29]. Protocol models are written in the High Level Protocol Specification Language (HLPSL). The structure of the AVISPA Tool is shown in Fig 16. A HLPSL specification is translated into the Intermediate Format (IF), using a translator called hlpsl2if. IF is a lower-level language than HLPSL and is read directly by the back-ends to the AVISPA Tool.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 16. Architecture of the AVISPA Tool.

https://doi.org/10.1371/journal.pone.0247441.g016

Simulation result.

AVISPA outputs the results as the following sections [31].

• SUMAMRY: indicates whether the protocol is safe, unsafe, or if the analysis is inconclusive.
• DETAILS: explains under what conditions the protocol is declared safe, or what conditions have been used for finding an attack, or finally why the analysis was inconclusive.
• PROTOCOL, GOAL, BACKEND: recall the name of the protocol, the goal of the analysis, and the name of the back-end used, respectively.

The proposed scheme was verified with the OFMC (On-the-fly Model-Checker) and CLAtSe (CL-based Attack Searcher) back-ends, and the results are displayed in Fig 17. We can see that OFMC and CLAtSe both found no attacks. In other words, the stated security goals were satisfied for a bounded number of sessions as specified in the role of environment. Furthermore, the results described previously indicate that our scheme is safe against man-in-the-middle and replay attacks under each back-end environment.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 17. AVISPA simulation result for proposed scheme.

https://doi.org/10.1371/journal.pone.0247441.g017

8.3 Privacy preserving analysis

This section proves the mathematical safety of the privacy conditions presented in Section 3.4, excluding user anonymity. User anonymity is trivial because ID_MN is not transmitted in the login request message of the proposed scheme. In proof, adversary has the ability to control all communications, and uses the following queries.

• Execute query: This query models a passive attack in which an attacker overhears a protocol P between player.
• Send query: This query receives the message generated by instance in response to another instance processing message m according to protocol P.
• Corrupt query: This query models the attacker’s corruption capabilities.

Definition Random oracle: In this paper, all participants and adversary use a one-way hash function h(.), which is modeled as a Hash oracle. When a two-tuple (x, y) table of binary strings and a hash query are given, if x is discovered, the oracle returns y. Otherwise, it returns a uniformly random string y, and the (x, y) pair is stored in the corresponding table.

Theorem Let be an adversary operating within polynomial time t for our protocol, , in a random oracle. Let D be a uniformly distributed password and identity dictionary, and let l be the number of bits in a random nonce. The probability of P’s privacy security being broken by is as follows: where q_hash, |Hash|, q_send, |D|, and l_s denote the number of hash queries, the range space of the one-way hash function, the number of send queries, the size of D, and the secret parameter that determines the length of the random nonce, respectively.

Proof. The formal proof of our scheme consists of four different games G_i for i = 1, 2, 3, 4. Our protocol, , runs from game G₁ to game G₄, and through a series of games, it will demonstrate that has a negligible advantage in breaking user privacy.

Game G₁: This game simulates an eavesdropping attack of an adversary using the Execute, Send, Hash query. The attacker also queries the Test query and determines whether the result is a real session key SK or some other random value. Session key SK is computed as SK = h(h(n₁)‖h(CID‖s)‖h(n₂)‖ID_FN). To compute the session key, has to know s. Therefore, cannot compute h(CID‖s) because s is a master secret key of S. Furthermore, must know random nonce n₁ and n₂. Thus, the probability of adversary winning this game through an eavesdropping attack is equal to the probability of correctly guessing the hash output value without any information and verifying the guessed session key with V₄ through a hash query. Thus, we obtain the following: (1)

Game G₂: In this game, adversary models an active attack that sends a fake message to deceive the participants, using the Send and Hash queries. can repeatedly generate hash queries to discover collisions. In our proposed scheme, K₃ and V₃ received to the home node are verified, and V₄ received to the mobile node is verified. These three values are associated with random numbers n₁, n₂, andn₃, respectively. Therefore, the messages are guaranteed to be random, and there is no collision while querying the Send oracle. Because the attacker cannot know the container of the hash, through a birthday attack [32], the attacker must find another input such that the hash value is the same. (2)

Game G₃: This game simulates the Corrupt_SC oracle and models a lost smartcard attack. Adversary can attempt a dictionary attack using information from a smartcard and can attempt to obtain an identity ID_MN and password PW_MN. Thereafter, the adversary runs the experimental algorithm to break user non-traceability. The success probability of is represented by . Therefore, the probability that can guess the identity and password is , and the probability that it can guess the random nonce is . We obtain the following probability: (3)

Algorithm 1:

1 Input: Corruput_SC query’s output = B_i, R_i

2 Output: 0 or 1

3 Select each candidate for the identity() and password() from the dictionary.

4 Select the candidate of random nonce of length l_s, r′

5 if then

6  Accept that the guessed identity and password are the actual user’s identity and password.

7  return 1

8 else

9  Reject that the guessed identity and password are the actual user’s identity and password.

10  return 0

11 end

Game G₄: In this game, the attacker analyzes two different login request messages and verifies whether they are generated from the same mobile node. Suppose that the adversary extracts all parameters from the smartcard’s memory and overhears the communication message. Thereafter, the adversary runs the experimental algorithm to break user non-traceability. The success probability of is represented by . Using , if is able to reveal the hash function, the adversary wins the game. However, computing the input value from the hash function is not computationally feasible because it has the following probability: (4)

Algorithm 2:

1 Input: two login messages

2 Output: 0 or 1

3 Eavesdrop login message {CID, K₂, K₃, K₄, T₁}

4 Eavesdrop another login message

5 Call the Reveal oracle. Let (ID_MN, r) ← Reveal(CID) Call the Reveal oracle. Let () ← Reveal(CID′) if then

6  Accept that eavesdropped login messages are created from the same mobile node

7  return 1

8 else

9  Accept that eavesdropped login messages are created from different mobile nodes

10  return 0

11 end

Combining Eqs (1)–(4), the results are as follows:

8.4 Informal security analysis

In this section, we perform an informal security analysis of our proposed scheme. The threat model is identical to the Dolev–Yao threat model applied to Ahmed et al.’s scheme. We considered not only the privacy preserving mentioned in Section 3.4, but also other security requirements to consider in the GLOMONET environment [33]. Table 2 compares privacy preserving, security attack resistance and some security requirements of our proposed scheme and other related schemes [4, 9, 11, 12, 34].

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Security comparison of the proposed scheme and other related schemes.

https://doi.org/10.1371/journal.pone.0247441.t002

Perspective of Privacy Preserving.

Pr1. Offline identity/password guessing attack To guess a mobile node’s identity or password, the adversary needs to know the hashed value of the user’s identity or password, such as h(ID) or h(PW), or the adversary already knows all the salted parameters. In our proposed scheme, the identity and password of the mobile node is transformed and stored by a random nonce r, such as CID = h(ID_MN) ⊕ r and U = h(PW_MN||r). During the login phase, a nonce r can only be derived by the correct identity of the mobile node. Therefore, an adversary that does not know the identity of the mobile node cannot derive the r value and consequently cannot infer the user’s password.

Pr2. Mobile node anonymity In our proposed scheme, ID_MN, the identity of the mobile node, is stored as a CID in the form of pseudo-identity and transmitted in the login phase. To derive the user’s identity from CID, the adversary needs r and derives h(ID_MN) and guesses ID_MN through identity guessing. Therefore, even if the adversary is eavesdropping on CID in advance, the adversary does not expose the mobile node’s identity, and the CID value also changes at the end of each session. Owing to this, our proposed scheme provides mobile node anonymity.

Pr3. Mobile node non-traceability To satisfy the non-traceability of the mobile node, the values of all messages transmitted from the mobile node in the login phase must be changed based on the random nonce in each session. If the contents of the message are the same, the attacker cannot specify the mobile node but can know whether different login request messages are sent from the same mobile node. In our proposed scheme, the values transmitted by the mobile nodes are CID, K₂, K₃, K₄, and T₁. Among them, K₂, K₃, and K₄ are generated based on the random nonce n₁ that is generated for each login phase. The value of CID is newly issued from the home node when the session is terminated once. That is, our proposed scheme satisfies non-traceability because the value of the login request message is replaced when the session ends and the next session begins.

Pr4. Mobile node impersonation attack To impersonate a mobile node, the adversary needs to create an M₁. As CID is a value stored in the smartcard, the adversary can extract it from a stolen smartcard. Then, the adversary generates a random nonce and a current-time-based timestamp . However, the adversary would not be able to infer a mobile node’s password or identity. As a result, the adversary would not be able to generate values for K₂ and K₃. As such, our proposed scheme can prevent mobile node impersonation attacks. Fig 18 provides a detailed proof of our proposed scheme’s resistance to a mobile node impersonation attack.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 18. Resistance of proposed scheme to mobile mode impersonation attack.

https://doi.org/10.1371/journal.pone.0247441.g018

9.1 Computational cost analysis

We examined how many cryptographic operations were performed during the registration phase and login, authentication phases in each node in similar environment. In order to measure the execution time for each protocol, first, compute computational overhead and measure the execution time of the cryptographic operations used in the protocol. Finally, substitute the measured time obtained. Notation for the execution time of each operation is given in Table 3.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Notation for the execution time of each operation.

https://doi.org/10.1371/journal.pone.0247441.t003

In the registration phase, all the analyzed schemes had a similar number of hash function and random number generator operations. In the login and authentication phases, the operation types varied according to the encryption method used in each scheme. In the scheme of Yoon et al., Elliptic Curve Cryptosystem based encryption, decryption, and signature were used. In the scheme proposed by Mun et al., the Hash based Message Authentication Code (HMAC) and Elliptic Curve multiplication algorithm was used. In Gope et al.’s scheme, symmetric key encryption is used. In the schemes proposed by Lee et al., Ahmed et al., and our proposed scheme only used the hash function to reduce the scheme’s computational cost. The number of operations for each scheme and each node are listed in Fig 19.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 19. Computation time for each GLOMONET environment scheme.

https://doi.org/10.1371/journal.pone.0247441.g019

In addition, we built our own test-bed to measure the execution time of each operation. We simulated the operations using Python cryptography library hashlib, Crypto, ECIES, Pycoin in the following hardware environment: Window 10 64bit, Intel Pentium CPU G4600, 3.60GHz, 16.0 GB RAM. We also assume that the hash function is implemented by SHA2, the symmetric encryption is implemented by AES-256 CTR Block Mode. Elliptic Curve Cryptosystem uses elliptic curve over the secp256k1 curve and implements 256-bit ECDSA signature, ECIES cryptosystem. Results of some computation time measurements for each operation time under the construction environment are given in Table 4.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 4. Computation time of each operation.

https://doi.org/10.1371/journal.pone.0247441.t004

Based on the results in Table 4, the computation cost required for our proposed scheme and existing scheme are displayed in Fig 20.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 20. Computation cost analysis between proposed scheme and existing schemes.

https://doi.org/10.1371/journal.pone.0247441.g020

Our proposed scheme uses a lightweight authentication method that transmits secret information using bit-wise exclusive OR with information and verifies it through the hash function. The computation cost of the proposed scheme is approximately 1.5 to 2 times that of other lightweight authentication schemes. This is because we increased the number of hash functions to create a verification value to satisfy the session key mutual authentication and the number of random number generators to generate a new value for each mobile node login to satisfy the mobile node non-traceability. Therefore, this can be considered as the overhead to satisfy security requirements that were not included in the existing schemes.

9.2 Communication cost analysis

We compared and analyzed the size of the messages transmitted by each node in the registration, login, and authentication phases. We presume the size of identity/password, random nonce, and timestamp to be 128, 160, and 64 bits, respectively [35]. The Hash function and hash-based MAC have a 160-bit output size [36]. In an elliptic curve–based cryptosystem, the output size of the signature algorithm, the 256-bit ECDSA signature, is 512 bits and output size of the scalar multiplication operation is 360 bits [37, 38].

In existing papers, communication cost has been calculated assuming that the encrypted text had the same size regardless of the size of the plain text. However, this is practically impossible. Generally, the size of the ciphertext increases proportionally as the size of the plaintext increases. For more accurate communication cost comparison, we assume the symmetric key encryption method is AES-256, and the number of bytes of cipher text is set as follows according to the bytes of plain text [39].

Further, the length of the ciphertext using elliptic curve integrated encryption scheme (ECIES) is typically twice that of the plain text [30, 40]. In addition, for X.509 certificates is set to 108 bytes according to standard document [41]. The above is summarized in Table 5 as follows:

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 5. Communication cost(bit) of each operation.

https://doi.org/10.1371/journal.pone.0247441.t005

Based on this, the communication cost of each message is calculated by analyzing the composition of message of the existing scheme is as shown in Fig 21. In all schemes, in the registration phase, there are a total of 2 message exchanges between the Mobile Node and the Home Node, and in the Login & Authentication phase, a total of 4 messages are exchanged, 2 times each between the Mobile Node and Foreign Node, and the Foreign Node and Home Node. In the table, M_AB means the message transmitted from node A to node B. For example, M_MH is a message sent from Mobile Node to Home Node.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 21. Detailed analysis by each communication message between our proposed scheme and existing scheme.

https://doi.org/10.1371/journal.pone.0247441.g021

And the total communication cost required for our proposed scheme and existing scheme is as shown in Fig 22.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 22. Communication cost analysis between our proposed scheme and existing scheme.

https://doi.org/10.1371/journal.pone.0247441.g022

In our proposed scheme, the communication cost used in the registration phase is 480 bits, which is similar to the existing schemes. The communication cost used in the login/authentication phase is 3936 bits, which is slightly higher than that of other existing schemes. However, this can be regarded as an overhead that comes from increasing the verifying parameters to provide mutual authentication of session key and for update parameters to provide mobile node non-traceability that do not have existing schemes.

9.3 Memory capacity of the smartcard

We also compared the memory capacity of the smartcard in our scheme with other associated schemes. We assume the output length of the parameter to be as shown in Table 5. In Yoon et al.’s scheme, a smartcard requires one identity, two random nonces, and one hash function output = (128 + 160 × 3 = 608) bits. In Mun et al.’s scheme, a smartcard is not issued. In Lee et al.’s scheme, one random nonce and 1 hash function = (160 × 2 = 320) bits are required. In Gope et al.’s scheme, the smartcard requires one random nonce and four hash functions = (160 × 5 = 800) bits. In Ahmed et al.’s scheme, the smartcard requires one random nonce and three hash functions = (160 × 4 = 640) bits. Finally, in our proposed scheme, the smartcard requires only three hash functions (160 × 3 = 480) bits. In conclusion, Fig 23 presents a comparison of the memory capacity of the smartcard. Even though our scheme needs slightly more memory capacity for the smartcard than existing schemes, our scheme can guarantee safety against various existing attacks and preserves privacy, as shown in Table 2.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 23. Comparison of memory capacity of the smartcard in our proposed scheme with those of existing schemes.

https://doi.org/10.1371/journal.pone.0247441.g023

9.4 Practical demonstration

The proposed scheme is simulated using the widely accepted NS2 simulator tool to provide a practical perspective. NS2 is an event-driven simulation tool that has proven useful in studying the dynamic nature of communication networks [42].

9.4.1 Simulation environment.

The operating system used in the NS2 simulation is Ubuntu 14.04 LTS, and the NS2 version used is ns-2.35 allinone [43]. We have defined scenarios that will simulate the proposed GLOMONET authentication protocol as follows.

1. Four foreign nodes (FNs) are communicating with the home node (HN), and each neighboring pair is separated by a distance of 100 m.
2. Between the mobile node and FN, a wireless environment is used, and between the HN and FN, a wired environment is used.
3. The mobile nodes are restricted within a 500 × 500m² area with a speed of 2m/s.
4. For each scenario, 10, 20, 30, and 40 mobile nodes are deployed.
5. The proposed GLOMONET is simulated for 60 s, and each mobile node sends a login request message once every 1 s.

As described in Section 8.2, the proposed scheme consists of four messages between the mobile node, FN, and HN in the login and authentication phase with TCP communication. Login request message M_MF has a size of 704 bits, and the authentication request and response message M_FH, M_HF, M_FM have sizes of 704, 1216, 1024, and 992 bits, respectively. Fig 24 depicts our simulation environment topology.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 24. Topology of our simulation environment (when there are 10 mobile nodes).

https://doi.org/10.1371/journal.pone.0247441.g024

9.4.3 Impact on throughput.

Throughput is defined as the number of bits transmitted per unit time. The throughput (in bps) values for our protocol under different mobile nodes, as plotted in Fig 25, are 31487.78, 39784.42, 47139.27, and 58134.18 bps for the 10, 20, 30, and 40 mobile nodes, respectively. The results indicate that as the number of mobile nodes increases, the number of messages exchanged per unit time increases; thus, it can be observed that the throughput increases linearly with the number of mobile nodes.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 25. Throughput according to the number of mobile nodes.

https://doi.org/10.1371/journal.pone.0247441.g025

9.4.4 Impact on packet loss ratio.

The packet loss ratio is defined as the ratio of the total number of data packets lost at the destination and the total number of sent packets. The packet loss ratio (in %) values for our protocol under different mobile nodes, as plotted in Fig 26, are 99.70, 97.83, 95.14, and 93.48% for 10, 20, 30, and 40 mobile nodes, respectively. The results indicate that as the number of mobile nodes increases, the network has more congestion. Moreover, if the mobile node is far from the HN, then the energy in a sent packet will be dry and dropped at the FN.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 26. Packet loss ratio according to the number of mobile nodes.

https://doi.org/10.1371/journal.pone.0247441.g026

9.4.5 Impact on End-to-End Delay.

EED is defined as the time taken for a packet to be sent across a network. The EED (in ms) values for our protocol under different mobile nodes, as plotted in Fig 27, are 3.18, 3.29, 3.45, and 3.57 ms for 10, 20, 30, and 40 mobile nodes, respectively. The results indicate that as the number of mobile nodes increases, the maximum flow of messages results in higher distances and more bottlenecks in the network.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 27. End-to-end delay according to the number of mobile nodes.

https://doi.org/10.1371/journal.pone.0247441.g027