Cryptanalysis and Improvement of "A Secure Password Authentication Mechanism for Seamless Handover in Proxy Mobile IPv6 Networks"

Proxy Mobile IPv6 is a network-based localized mobility management protocol that supports mobility without the mobile nodes' participation in mobility signaling. The details of the user authentication procedure are not specified in this standard; hence, many authentication schemes have been proposed for it. In 2013, Chuang et al. proposed an authentication method for PMIPv6, called SPAM. Although Chuang et al.'s scheme protects the network against some security attacks, it is still vulnerable to impersonation and password guessing attacks. In addition, we discuss other security drawbacks of Chuang et al.'s scheme, such as the lack of a revocation procedure in case of a lost or stolen device, and its anonymity issues. We further propose an enhanced authentication method to mitigate the security issues of the SPAM method and evaluate our scheme using BAN logic.


Introduction
Mobile devices have been experiencing rapid growth as people use them to access different types of services, including Internet browsing, file sharing, video conferencing, and multimedia applications, anytime and anywhere [1]. This growth does not appear likely to halt any time soon, even though mobile devices face different challenges in using wireless technologies, such as limited computation, inadequate wireless communication bandwidth, and security problems. Mobile IPv6 (MIPv6) [2] is a standard of the Internet Engineering Task Force (IETF) that facilitates the roaming of mobile nodes in the IPv6 network. This

Review of the SPAM Scheme
SPAM includes three stages: the initial registration, the mutual authentication process for both the MAG and the MN, and the password change process. The authentication credentials are stored in a smart card under the assumption that the smart card is tamper-proof. Table 1 describes the notations used in the SPAM scheme.

Initial Registration
The mobile node receives certain credentials for further authentication during the initial registration with the authentication server, AAA. It is assumed that the communication channel between the MN and the AAA server is secure. The initial registration steps are as follows: 1. MN → AAA: The MN sends its ID and password to the AAA server over the secure channel.

Mutual Authentication between the MN and the MAG
There are two main parts in this mutual authentication: firstly, the MN's authenticity is checked by the MAG before it learns the MN's real ID, and secondly, the MN checks the MAG's authenticity. The mutual authentication between the MN and the MAG is described in the following: 1. The user inserts the smart card and enters its ID and password. The smart card verifies whether the equation h(PW_MN) ⊕ c2 = c1 holds to check the mobile user's authentication. Then, it generates N1 and computes AID_MN = ID_MN ⊕ h(c5 ‖ N1) and AUTH_MN = h(c1 ‖ N1). After the mutual authentication between the MN and the MAG, the mutual authentication between the MAG and the LMA is processed in the SPAM method. The details of this authentication procedure are as follows.
1. The MAG generates N3 and computes h(N3 ‖ ID_MAG).
7. The LMA decrypts the encrypted message using the session key and checks (N4 + 1) to prevent the replay attack.
The message exchange flow chart of mutual authentication between the LMA and the MAG is illustrated in Fig 3.

SPAM Password Change Phase
The SPAM scheme provides a password change process. Mobile users are able to change their passwords without contacting other entities such as the AAA server and the MAG. The procedure is described as follows: 1. The user inserts the smart card and enters his ID and password.

Security Issues of the SPAM Method
This section discusses the security of authentication methods in PMIPv6 under the assumption that smart cards are not entirely free from tampering. A suitable authentication method should fulfill several security and privacy criteria, such as anonymity, mutual authentication, session key secrecy, and user unlinkability [10][11][12][13][14][15]. Furthermore, authentication schemes should be secure enough against security attacks such as session hijacking, denial of service, impersonation, replay, password guessing, man-in-the-middle, stolen-verifier, and eavesdropping attacks [16][17][18][19][20][21][22][23][24]. Therefore, we discuss the security and privacy of the SPAM method under the assumption that smart cards are not entirely tamper-proof. In addition, the possibility of using tamper-resistant smart cards in PMIPv6 is examined with several examples from these researchers [25][26][27][28][29][30][31]. After that, the SPAM method's security issues are discussed with concrete evidence.
Conventional remote authentication using passwords [32,33] relies on a password table stored in an authentication server. This kind of approach is susceptible to attacks on the password, including password dictionary attacks, offline guessing attacks, tampering with the password table, and corruption attacks. It also increases the overhead of protecting and maintaining the password table. Therefore, many smart card based password authentication schemes that do not require a password table have been proposed [34][35][36][37][38][39][40][41][42][43] to improve the security of authentication protocols. However, these schemes remain vulnerable to sophisticated attacks that use offline password dictionary searches, observation of power consumption, or physical exposure of the chip to extract the data it stores [44].
Khan et al. [26] and Rhee et al. [29] claim that mobile devices, including smart phones, PDAs, and notebooks, are not free from tampering, and that users' data inside mobile devices are susceptible to different forms of security attacks [31]. Various methods have been suggested to break the security of smart cards in the past few years. For instance, Kocher et al. [45] showed the possibility of retrieving a smart card's secret key by observing the smart card's power consumption. The vulnerability of the smart card to power analysis attacks is also discussed in [46]. Another form of threat against smart cards is fault-based cryptanalysis, as demonstrated by Bellcore's press release [47]. This attack occurs when an attacker induces a particular kind of fault in the mobile device and later retrieves the embedded secrets from the incorrect responses the device returns. Therefore, under the assumption of a non-tamper-proof smart card, many of the authentication methods in PMIPv6 are susceptible to different forms of attack, such as the impersonation attack; this makes it crucial to offer an appropriate authentication method under the assumption of a non-tamper-proof smart card. This paper assumes that the attacker has complete control of the communication channel between the MAG and the MN, and is able to modify, insert, and eavesdrop on any communication messages. In the following sections, the security and privacy issues of the SPAM method are discussed.

The MN Impersonation Attack
Mobile devices such as smartphones, PDAs, and tablets are exposed to threats such as theft or loss. In addition, most authentication mechanisms use a smart card to store critical information such as secret keys, passwords, and encryption functions. Therefore, if an attacker gains access to the smart card inside a mobile device and steals the keys, even if he leaves the mobile device intact, he can impersonate the legitimate user or access point [26,48]. In the SPAM method, this information is stored in the smart card; hence, an impersonation attack can be launched. The smart card in the SPAM method contains (ID_MN, C1, C2, C3, C4, C5, h()). If an attacker accesses these smart card secrets and sniffs the first message, (AID_MN, C3, E_C4(AUTH_MN ‖ N1)), between the MN and the MAG in the login phase, he can impersonate the MN as follows: 1. First, the attacker generates his own nonce, N1*, then computes a login request message using the secrets retrieved from the smart card, ID_MN, C1, and C5.
2. The attacker generates the authentication request, (AID_MN, C3, E_C4(AUTH_MN ‖ N1*)), and sends it to the MAG.
3. The MAG decrypts C3 using PSK and obtains ID_AAA and sv. Then, it calculates the remaining values. Finally, to check the MN's authentication, the MAG compares the value of AUTH_MN, which is generated using the values C1, C2, and N1*, all of which can be captured or generated by the attacker. This means the attacker is authenticated to the MAG successfully.

The MAG Impersonation Attack
Similar to the MN impersonation attack, we assume that an attacker has retrieved the smart card secrets, (ID_MN, C1, C2, C3, C4, C5, h()), and sniffed the login request, (AID_MN, C3, E_C4(AUTH_MN ‖ N1)). The attacker can impersonate the MAG as follows: 1. The attacker decrypts E_C4(AUTH_MN ‖ N1) to get N1, then generates N2* and selects a fake ID_MAG*. The MN decrypts the received message to obtain (N1 + 1) and N2*. Then, it checks the values h(ID_MAG* ‖ N2*) and (N1 + 1) for the MAG authentication. As N1 is the original nonce issued by the MN, the MN verifies (N1 + 1), which means the attacker is authenticated to the MN. Once the attacker is verified, the MN completes the rest of the authentication.

Anonymity
The SPAM method does not preserve the MN's anonymity. An attacker can easily find ID_MN using the intercepted login request and the smart card secrets. Firstly, the attacker extracts E_C4(AUTH_MN ‖ N1) from the login request message, (AID_MN, C3, E_C4(AUTH_MN ‖ N1)), and decrypts it using C4 to get N1. After obtaining N1, ID_MN can be retrieved by computing ID_MN = AID_MN ⊕ h(C5 ‖ N1), because the attacker has received AID_MN from the login request and C5 from the smart card. Secondly, ID_MAG can be retrieved from the message (ID_MAG, E_C4((N1 + 1) ‖ N2 ‖ h(ID_MAG ‖ N2))), as this message is sent by the MAG to the MN in plain text during the mutual authentication phase. Clearly, user anonymity is not protected, because an attacker can find the IDs of the network entities.

Lack of Revocation of Smart Card
The revocation procedure is used in case of MN misbehavior or a lost mobile device. The user can report the loss of the mobile device to the AAA server to prevent further security problems, such as an impersonation attack [30], in case of a lost or stolen mobile device. No revocation procedure is provided for the SPAM method.

Password Guessing Attack
In this section, we show how an attacker can retrieve the MN password using the intercepted login message, based on [49,50]. An attacker can get the value (AID_MN, C3, E_C4(AUTH_MN ‖ N1)) and the information stored inside the smart card, (ID_MN, C1, C2, C3, C4,

Proposed Method
In this section, our proposed enhancement is described. First, we change the registration phase so that even if an attacker finds the secrets inside the smart card, he cannot launch an impersonation attack. Subsequently, a mutual authentication procedure between the MN and the MAG is proposed. The main idea is that the smart card needs the user name and password of the MN to calculate the other secrets and initiate authentication.

Initial Registration Procedure
In this phase, the AAA server generates the secrets for the MN. The main objective of the improvement is to prevent the smart card information from being revealed in the case of a stolen or lost device. All the information stored in the smart card should be useless to an attacker. We introduce an extra value, R_MN, in this step. Fig 5 depicts the initial registration procedure.

Authentication Procedure
The MN should perform mutual authentication with the MAG when it joins the localized mobility domain. We assume that an attacker can retrieve the secrets inside the smart card in the case of a stolen or lost mobile device. The main idea of our approach is not to store critical secrets inside the smart card. The mobile user enters his ID and password into the smart card to start the authentication procedure. The proposed authentication procedure is as follows: 7. The MAG decrypts the received message using the session key and checks (N2 + 1) to prevent a replay attack.
This mutual authentication between the MN and the MAG is described in Fig 6.

Password Change Phase
We improved the password change phase as described in Fig 7. It is worth noticing that the random number, R_MN, should be changed as well as the user password, PW_MN. The symbol ] denotes the new value in Fig 7. It is also worth noticing that the mutual authentication procedure between the MAG and the LMA in our proposed method is the same as in the SPAM method.

Revocation Procedure
The revocation phase can be applied to the SPAM authentication scheme to protect the network entities in case of a lost or stolen smart card. Firstly, the mobile user requests revocation from the AAA server. Then, the AAA server checks the user credentials, which can be values known only to the user. In case of revocation, the AAA server revokes all the secrets of the mobile user and creates a new set of secrets for the mobile user. Later on, the mobile user can re-register with the AAA server.

Security Analysis of the Proposed Scheme
In this section, we analyze the security and privacy of the proposed enhanced method. Furthermore, a security comparison with the SPAM authentication scheme is provided to show the security improvement of our proposed method. The proposed authentication method satisfies the following requirements:

Anonymity
We applied two methods to protect the MN and MAG anonymity. For the MN anonymity, we generate an alias ID for the MN, AID_MN = E_PSK(ID_MN ‖ sv ‖ aMN). The ID of the mobile node is mixed with aMN and the secret key sv. An adversary cannot find ID_MN without knowing the secret key PSK. Furthermore, the use of aMN and sv prevents the adversary from launching an identity guessing attack. In the SPAM scheme, ID_MAG is transferred in plain text during the mutual authentication between the MN and the MAG. In our proposed method, we mix ID_MAG with the MAG nonce, N2, through a one-way hash function, and then encrypt it in the message E_S1((N1 + 1) ‖ N2 ‖ h(N2 ‖ ID_MAG)). An attacker must know N2 and N1 to find ID_MAG, which is impossible for him because he does not know N2 and N1 even if he accesses the smart card.

Mutual Authentication
Mutual authentication between the MN and the MAG is provided in the proposed method. As shown in Fig 6, the MAG checks the MN's authentication in Step 3 by comparing the value AUTH_MN received from the MN with the value h(S1 ‖ N1), where it calculates S1 = h(ID_MN ‖ sv). Furthermore, the MN checks the MAG's authenticity in Step 5 by checking the values h(N2 ‖ ID_MAG) and (N1 + 1). In effect, the mobile node checks the value derived from its own nonce, N1, to be sure that the MAG is legitimate, as only an authentic MAG has the pre-shared secrets needed to decrypt the messages received from the MN.

Revocation Procedure
Revocation of a lost mobile device is provided in the proposed method to prevent further security threats against PMIPv6. In case the mobile device is lost or stolen, the mobile user can inform the AAA server and request revocation of his secret credentials. Afterwards, the mobile user can re-register with the AAA server.

Resistance to the MN Impersonation Attack
An attacker must know values such as S1, S6, ID_MN, and N1 to generate the required values, AID_MN = E_PSK(ID_MN ‖ sv ‖ aMN) and AUTH_MN = h(S1 ‖ N1), and impersonate the MN. Under the assumption that the smart card is not tamper-proof, even if an attacker accesses the smart card secrets, S2, S4, S5, S6, and sniffs the communication messages, he cannot find the values AID_MN and AUTH_MN because he does not know the values S1, S3, ID_MN, and R_MN.

Resistance to the MAG Impersonation Attack
To impersonate the MAG, an attacker must know the value S5, which is the symmetric key between the network entities, to decrypt the sniffed message E_S1((N1 + 1) ‖ N2 ‖ h(N2 ‖ ID_MAG)). Furthermore, both the MN and MAG nonces are required to decrypt this message.

Resistance to Replay Attack
A nonce is used for both the MN and the MAG during the authentication procedure to prevent replay attacks in the proposed method. Therefore, even if an attacker intercepts the authentication messages and accesses the secrets inside the smart card, he cannot replay the sniffed messages, as the MAG or the MN rejects the request because the attacker uses an invalid nonce.
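The MN-MAG exchange described in the Authentication Procedure, Mutual Authentication, and Replay Attack sections, as an added Python example that is not the paper's own code: both sides' messages, the (N1 + 1) and (N2 + 1) checks, and a replayed login request being rejected. Everything the paper does not name (field widths, sending N1 beside AUTH_MN, the session key derivation, the MN knowing the expected ID_MAG, and the toy cipher standing in for E_K) is an assumption made here.

```python
import hashlib, hmac, os, struct
# Added example (not the paper's code): the proposed MN-MAG mutual authentication
# with the paper's values AID_MN = E_PSK(ID_MN || sv || aMN), S1 = h(ID_MN || sv),
# AUTH_MN = h(S1 || N1), E_S1((N1+1) || N2 || h(N2 || ID_MAG)) and a final E_sk(N2+1).
# Assumed, not given in the paper: 16-byte fields, N1 sent beside AUTH_MN,
# sk = h(S1 || N1 || N2), the MN knowing the expected ID_MAG, and a toy IV-based
# XOR stream cipher standing in for the unspecified E_K (demo only, not secure).

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()
def _ks(key, iv, n):  # keystream of at least n bytes for the toy cipher
    return b"".join(h(key, iv, struct.pack(">I", i)) for i in range(n // 32 + 1))
def E(key, msg):
    iv = os.urandom(16)
    return iv + bytes(a ^ b for a, b in zip(msg, _ks(key, iv, len(msg))))
def D(key, ct):
    return bytes(a ^ b for a, b in zip(ct[16:], _ks(key, ct[:16], len(ct) - 16)))
def inc(n):  # N + 1 on a 128-bit nonce
    return ((int.from_bytes(n, "big") + 1) % (1 << 128)).to_bytes(16, "big")

class MAG:
    def __init__(self, id_mag, psk):
        self.id_mag, self.psk, self.seen, self.pending = id_mag, psk, set(), None
    def step3(self, aid_mn, auth_mn, n1):
        """Recover ID_MN and sv from AID_MN, derive S1, check AUTH_MN and nonce freshness."""
        p = D(self.psk, aid_mn)
        s1 = h(p[:16], p[16:48])                      # S1 = h(ID_MN || sv)
        if n1 in self.seen or not hmac.compare_digest(auth_mn, h(s1, n1)):
            return None                               # forged or replayed request
        self.seen.add(n1)
        n2 = os.urandom(16)
        self.pending = (s1, n1, n2)
        return E(s1, inc(n1) + n2 + h(n2, self.id_mag))
    def step7(self, msg):
        s1, n1, n2 = self.pending
        return D(h(s1, n1, n2), msg)[:16] == inc(n2)  # (N2 + 1) under the session key

class MN:
    def __init__(self, s1, aid_mn, id_mag):
        # S1 is recomputed by the card from the user's ID, password and R_MN at
        # login (assumed); the card stores nothing that yields S1 on its own.
        self.s1, self.aid_mn, self.id_mag, self.n1 = s1, aid_mn, id_mag, None
    def step1(self):
        self.n1 = os.urandom(16)
        return self.aid_mn, h(self.s1, self.n1), self.n1   # AUTH_MN = h(S1 || N1)
    def step5(self, msg):
        p = D(self.s1, msg)                            # (N1+1) || N2 || h(N2 || ID_MAG)
        if p[:16] != inc(self.n1) or not hmac.compare_digest(p[32:], h(p[16:32], self.id_mag)):
            return None                               # MAG not authenticated
        return E(h(self.s1, self.n1, p[16:32]), inc(p[16:32]))

def run(forge_auth=False):
    """One session on constructed identities; returns the outcome of each check."""
    psk, sv, id_mn, id_mag = os.urandom(32), os.urandom(32), b"mn-0001".ljust(16), b"mag-01".ljust(16)
    aid_mn = E(psk, id_mn + sv + os.urandom(16))      # alias issued by the AAA at registration
    s1 = os.urandom(32) if forge_auth else h(id_mn, sv)   # a forger holds the card but not sv
    mn, mag = MN(s1, aid_mn, id_mag), MAG(id_mag, psk)
    req = mn.step1()
    reply = mag.step3(*req)
    if reply is None:
        return {"mn_authenticated": False}
    final = mn.step5(reply)
    return {"mn_authenticated": True, "mag_authenticated": final is not None,
            "session_confirmed": mag.step7(final), "replay_rejected": mag.step3(*req) is None}
```

The MAG keeps a set of seen N1 values to make the replay rejection explicit; in the paper the freshness of N1 is what the MN checks through (N1 + 1), and the MAG checks (N2 + 1) in Step 7.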

Forgery Attack Resistance
In this section, we show that a valid MN cannot launch a forgery attack. If an attacker uses its own secrets, S2, S4, S5, S6, to forge another valid MN, it is impossible to find AUTH_MN because he does not know the AAA secret key, sv, to calculate S1 = h(ID_MN ‖ sv), and then use it to get AUTH_MN = h(S1 ‖ N1). As explained in Fig 6, the valid MN must calculate AUTH_MN to initiate the authentication procedure.

Denial-of-service Attack Resistance
The denial-of-service (DoS) attack can be discussed in two situations for our proposed method. First, when the mobile user enters a wrong username and password during the login phase, if there is no suitable mechanism, the smart card still processes the procedure and sends the login request to the MAG. In our proposed method, the smart card checks the username and password of the mobile user before computing the login request. As described in Fig 6, Step 1, the smart card checks the validity of the mobile user before generating N1 and running the rest of the procedure. Second, an attacker can launch a DoS attack by requesting a password change; however, the smart card first checks PW_MN and R_MN before updating them with the new values, PW]_MN and R]_MN. Therefore, a DoS attack cannot be mounted through the password change request.

Resistance to Password Guessing Attack
In the proposed method, an attacker must know at least ID_MN to find RPW_MN for guessing the password, which is impossible as we protect the mobile user's privacy by using the alias ID of the MN, AID_MN, instead of the real mobile node ID, ID_MN. Furthermore, even if an attacker manages to find ID_MN, he cannot guess the password because he does not know R_MN to calculate

Stolen-verifier Attack Resistance
A verification table is not required at the AAA server in our method. Therefore, an attacker cannot obtain the authentication secrets of the MN, even if he can access the AAA server database. In addition, the MAG does not need a verification table to verify the mobile node's authenticity. In other words, even if the MAG reveals the MN secrets it holds, an attacker cannot find the other information required for the authentication procedure. The security and privacy comparison between the SPAM scheme and the proposed enhancement is summarized in Table 2.

BAN Logic
BAN logic is widely used to analyze the security vulnerabilities of security schemes. It consists of three main steps: translating the target scheme into an idealized version, defining assumptions, and applying the BAN logic rules to reach the intended beliefs. The notations of this logic are described in Table 3.
In order to evaluate the security scheme, the BAN logic rules should be applied. We use only some of these rules, as follows: The main goal of our proposed method is mutual authentication between the MN and the MAG. Furthermore, both the MN and the MAG should believe in the shared key. Based on BAN logic and our objectives, the goals of our proposed method are as follows:

Performance Analysis
The performance of our proposed method is analyzed in this section. We evaluate the authentication procedure of our proposed method and compare it to SPAM. The performance of our proposed method is evaluated according to the methodology used in [65][66][67][68][69] and described in Table 4. The computation times for a one-way hash function, symmetric cryptography, and random number generation [70] are 0.0005 s, 0.0087 s, and 0.063075 s, respectively. The computation time of the XOR operation can be ignored because it is trivial compared to the other operations. It is worth noticing that the computation time for each cryptographic operation is a relative figure, not an exact amount, because computation time varies with the computational resources of the network entities. In the memory efficiency evaluation, we assume that the length of the ID, PW, random number, and hash function output is 128 bits. Table 3 summarizes the performance evaluation of our proposed method and the SPAM method based on criteria such as communication cost, memory requirement, and computational cost. The proposed method requires 640 bits of memory space in the smart card, whereas SPAM requires 768 bits. Likewise, the communication cost of the proposed scheme is 896 bits, whereas SPAM requires 1152 bits. Similarly, the proposed scheme also has a lower computation cost compared with Chuang et al.'s scheme.

Conclusion
In this paper, we show how an attacker can launch different attacks, such as the impersonation attack and the password guessing attack, on Chuang et al.'s scheme using the smart card secrets and a sniffed login request message. Furthermore, other security flaws of this scheme, such as the lack of a revocation procedure in case of a lost or stolen device, and its anonymity issues, are discussed. In addition, we proposed an enhanced scheme to cover the discussed security drawbacks. The security of the proposed scheme is analyzed using BAN logic. The results show that the proposed scheme, while mitigating all the discussed security flaws, is also more efficient in terms of memory, communication, and computation costs.