Security analysis and enhanced user authentication in proxy mobile IPv6 networks

The Proxy Mobile IPv6 (PMIPv6) is a network-based mobility management protocol that allows a Mobile Node (MN) connected to the PMIPv6 domain to move from one network to another without changing its assigned IPv6 address. The user authentication procedure in this protocol is not standardized, but many smartcard-based authentication schemes have been proposed. Recently, Alizadeh et al. proposed an authentication scheme for the PMIPv6. However, it allows an attacker to derive an encryption key that must be securely shared between the MN and the Mobile Access Gate (MAG). As a result, an outsider adversary can derive the MN's identity, password and session key. In this paper, we analyze the security of Alizadeh et al.'s scheme and propose an enhanced authentication scheme that uses a dynamic identity to satisfy anonymity. Furthermore, we use BAN logic to show that our scheme can successfully generate the inter-entity session key and communicate with it.


Introduction
In recent years, the mobile-device market has grown rapidly, and with the increasing availability of wireless Internet access, various services including browsing, file-sharing, and shopping are becoming available regardless of time and place. The Internet Engineering Task Force (IETF) has been developing the Internet standards; after more than 20 releases, IPv6-based mobility has been discussed under "Mobility Support in IPv6 (MIPv6)" since the late 1990s, and its standardization as the proposed standard "RFC 3775" was completed in June 2004 [1].
However, the MIPv6 imposes a burden on the mobile terminal by increasing its resource usage, because of the signaling between the mobile terminal and the access router and the implementation of a complicated standard specification in a mobile terminal with limited resources. Thus, telecommunication operators were not satisfied. To solve this problem, the IETF proposed the Proxy Mobile IPv6 (PMIPv6) technology, and various research institutes are actively conducting the corresponding research. With the adoption of the PMIPv6, the complicated specification and signaling problems highlighted in the existing MIPv6 have been solved. However, further research is still necessary because the technology cannot significantly reduce the handover-delay time that can occur with the movement of the Mobile Node (MN) [2,3]. Additionally, in the "RFC 5213" document, wherein the PMIPv6 standard is defined, the authentication process of the MN is not properly specified. Therefore, many schemes have been proposed for the authentication process between the MN and the Mobile Access Gate (MAG) [4].
In this circumstance, a smartcard can be used as an authentication method between the MN and the MAG. Because of their high portability and low cost, authentication schemes using smartcards have been proposed over the past few years, since Lamport proposed the first password-based authentication scheme in 1981. Smartcard-based authentication has been applied to numerous protocols, such as the session initiation protocol [5], mobile client-client networks [6], wireless sensor networks [7], and Electronic Patient Records (EPR) information systems [8].
In 2013, Chuang et al. proposed a new smartcard-based authentication mechanism called "SPAM". SPAM offers low packet loss and low latency compared with the other PMIPv6 mechanisms [9]. However, SPAM is susceptible to replay and malicious-insider attacks, and it does not provide protection against the compromise of a single node [10]. SPAM also has several other vulnerabilities: it is susceptible to impersonation and password guessing attacks, and it ignores MAG and LMA anonymity [11]. To address these security drawbacks, Alizadeh et al. proposed a new authentication scheme with a revocation process in 2015 [12]. However, Alizadeh et al.'s scheme has a fatal vulnerability in the way the encryption key of its symmetric-key algorithm is derived, which makes various attacks possible, including impersonation, password guessing, and session key derivation attacks. For that reason, we propose a new scheme that defends against the attacks described in "RFC 4832" [13] and in Alizadeh et al.'s research [14]. The rest of the paper is organized as follows. Section 2 concisely introduces the preliminary knowledge needed to understand this paper, including the PMIPv6, the hash function, and the bio-hash function. Section 3 reviews Alizadeh et al.'s scheme. Section 4 analyzes Alizadeh et al.'s scheme and shows its security vulnerabilities. Section 5 describes the proposed scheme, which protects against the attacks shown in Section 4. In Section 6, the proposed scheme is analyzed using a formal security analysis with Burrows-Abadi-Needham (BAN) logic and an informal security analysis. Section 7 compares the performance of the prior schemes with that of the proposed scheme, and Section 8 concludes this paper.

Preliminary knowledge
In this section, we introduce some preliminaries, including the structure of the PMIPv6 and the hash and bio-hash functions on which both Alizadeh et al.'s scheme and our proposed scheme are based.

Structure of proxy mobile IPv6(PMIPv6)
The basic method for providing Internet protocol (IP) mobility to a mobile terminal is the mobile IP. However, the mobile IP manages the binding information on the MN's location by exchanging signaling messages between the MN and the Home Agent (HA). The PMIPv6 does not need a separate protocol stack on the MN for mobility management because the network elements handle the exchange of the binding-related messages instead of the MN. The components of the PMIPv6 are shown in Fig 1. The PMIPv6 domain refers to a network that manages the movement of the MN using the PMIPv6. The domain requires two new functional elements, the MAG and the Local Mobility Anchor (LMA). The MAG monitors the movement of the MN on the access link and transmits the MN's mobility signaling messages to the LMA on behalf of the MN, while the LMA acts as the HA for the MN in the PMIPv6 domain. The LMA is the topological anchor point of the home-network prefix allocated to the MN and manages the reachability state of the MN in the domain. In general, the function of the MAG can be implemented in the access router, and the LMA can be located in the gateway of the domain.
Between the LMA and the MAG, there is an IP tunnel for the transmission of signaling messages and of the data packets sent to and received from the MN. The MAG can support different IP prefixes for terminals receiving mobility-support services and for general terminals using the PMIPv6. When the previous MAG (PMAG) detects a detachment event, wherein the MN is no longer present on its access link, it notifies the LMA of the detachment of the MN using a Proxy Binding Update (PBU) message. The LMA deletes the binding entry associated with the MN and transmits a Proxy Binding Acknowledgement (PBA).
When the MN is connected to a new MAG (NMAG), the NMAG performs the initial access procedure of the MN, and it transmits the home-network-prefix information that the MN has allocated in the initial access through the Router Solicitation/Router Advertisement that is sent to the MN. Therefore, the MN can use the initially assigned address. Fig 2 shows the handover process in the PMIPv6 environment.

Hash function
A cryptographic hash function supports confidence in data integrity. A hash function is used to construct a short "fingerprint" (digest) of data; more generally, a hash function is any function that maps data of arbitrary size to data of a fixed size. There are three main conditions on a hash function, defined as y = h(x) [15,16], as follows.

1. Preimage Resistance: When
2. Second Preimage Resistance: When x and h(x) are given, find

Bio-hash function
Recently, three-factor authentication schemes that add the user's biometric information to a two-factor (identity and password) authentication scheme to strengthen security have been widely proposed [17][18][19]. To apply biometric information in a user authentication scheme, this study uses the bio-hash function, which Jin et al. [20] proposed in 2004 as a fingerprint-based function to distinguish persons. The bio-hash method handles particular tokenized pseudo-random numbers for each user by summarily measuring the biometric information in two folded strands. The bio-hash function H(·) also has the features of a one-way hash function, as mentioned previously.

Review of Alizadeh et al.'s scheme
In

Registration phase
The MN performs the registration phase with the Authentication, Authorization, and Accounting (AAA) server, which is the authentication server, before it commences the mutual authentication phase. In a typical authentication scheme, the registration phase communicates over a secure channel between the user and the server. It is assumed that communication on this channel is not vulnerable to eavesdropping.

Mutual authentication phase
In the mutual authentication phase, the MN checks the authenticity of the user data, such as the user identity and password, and sends an authentication request message to the MAG. The MAG authenticates the MN, generates a session key when the authentication passes, and transmits the authentication confirmation message back to the MN. Lastly, the MN generates the session key from the received message, so that the session key is finally shared between the MN and the MAG.

Mobile user inserts his/her smartcard and inputs ID
If this holds, the scheme proceeds with the next step.

Smartcard computes
Then, the smartcard checks whether $S_2$ is the same as $h(RPW_{MN}) \oplus S_1$. If it holds, the password change phase proceeds with the next step.

Security drawbacks of Alizadeh et al.'s scheme
In this section, we point out the security drawbacks of Alizadeh et al.'s scheme. Before showing the security weaknesses, we state the widely accepted threat model for user authentication and key agreement schemes [21][22][23].
1. The smartcard contains the MN's and the AAA's information in plaintext form. Therefore, an adversary can extract the smartcard's information by differential power analysis [24].
2. An adversary can eavesdrop on all messages between the entities over the public channel. Additionally, he/she can modify, delete, or resend the eavesdropped messages.
3. An adversary can easily guess a low-entropy password or identity individually, but guessing two secret parameters at once is computationally infeasible in polynomial time [25,26].
4. An adversary may be a valid user, and vice versa.
5. An adversary already knows the whole authentication scheme among the MN, AAA and MAG.
Under this threat model, this study shows that Alizadeh et al.'s scheme is unable to resist various attacks, including the offline password guessing and session key derivation attacks. The value $S_1$, which is the symmetric encryption key for all messages communicated between the MN and the MAG, can be computed from those messages. Therefore, an adversary can easily encrypt or decrypt every message and mount various attacks.

Offline password guessing attack
If an outsider adversary $U_a$ successfully derives the symmetric key $S_1$, $U_a$ can perform an offline password guessing attack by the following steps:
1. $U_a$ derives $R_{MN} = S_5 \oplus S_1$, where $S_5$ is stored in the smartcard.
2. $U_a$ selects a random password candidate $PW'_{MN}$ and calculates $S'_2$.
3. If $S'_2$ is equal to $S_2$, which is stored in the smartcard, the adversary infers that it has guessed the MN's password correctly.
4. Otherwise, $U_a$ chooses another password candidate and repeats the same steps until the password is discovered.

Offline identity guessing attack
If an outsider adversary $U_a$ successfully derives the MN's password by the offline password guessing attack, $U_a$ can also perform an offline identity guessing attack by the following steps:
1. $U_a$ selects a random identity candidate $ID'_{MN}$ and calculates $S'_4$.
2. If $S'_4$ is equal to $S_4$, which is stored in the smartcard, the adversary infers that it has guessed the MN's identity correctly.
3. Otherwise, the adversary chooses another identity candidate and repeats the same steps until the identity is discovered.

MN impersonation attack
An MN impersonation attack means that an outsider adversary $U_a$ fabricates a login request message and sends it to the MAG; the MAG cannot detect the forgery and accepts it as a legal login request message. In Alizadeh et al.'s scheme, an adversary can fabricate a login request message using the following steps:
1. Adversary $U_a$ eavesdrops $AID_{MN}$ beforehand, because $AID_{MN}$ is always the same value $E_{PSK}(ID_{MN}, sv, a_{MN})$, so the adversary can reuse it.
2. $U_a$ selects a random nonce $N'_1$ and computes $AUTH'$

Session key derive attack
A session key derivation attack means that the adversary can compute the session key and then use it after the communication between the MN and the MAG. In Alizadeh et al.'s scheme, the adversary can derive the session key between legal entities by the following steps:
1. Adversary $U_a$ eavesdrops $E_{S_1}(N_1 + 1, N_2, ID_{MAG}, h(N_2 \| ID_{MAG}))$ and $E_{S_1}(AUTH_{MN}, N_1)$.
2. $U_a$ derives $N_1$ and $N_2$ using the symmetric key $S_1$.
3. $U_a$ computes the session key $SK_{MN-MAG}$
From then on, the adversary can communicate with either the MN or the MAG using the derived session key, without registration or login.

The proposed scheme
In this section, we propose a scheme that improves on Alizadeh et al.'s scheme. The proposed enhancements are as follows:
1. Use of a dynamic identity to satisfy MN anonymity. The main idea is to change the dynamic identity to another value upon completion of the authentication phase, so that $U_a$ cannot tell that two different sessions were initiated by the same user.
2. Use of an encryption key that $U_a$ cannot derive without the legal user's information.
3. Use of biometric information with bio-hashing to protect the MN's information more securely.
Our proposed scheme consists of the following phases: registration, mutual authentication, and password change.

Registration phase
We designed a three-factor authentication scheme by registering the user's biometric information in order to enhance safety. At this phase, the dynamic identity $DID_{MN}$ is also created, based on a random number generated by the AAA. The dynamic identity provides MN anonymity because it is continuously changed in the mutual authentication phase performed later. The detailed procedure of the registration phase is shown in

Mutual authentication phase
When an MN joins a localized mobility domain, it must pass a mutual authentication step with the MAG. To enhance the safety of the proposed method, this process prevents an attacker from deriving the encryption key even if he/she eavesdrops on the public channel or extracts the smartcard's contents. In addition, once the authentication is completed, the MAG issues a new dynamic identity value, $DID'_{MN}$, and the MN replaces the $DID_{MN}$ value in the smartcard. Thereby, an outsider adversary cannot infer that the same user performs mutual authentication several times. The detailed procedure of the mutual authentication phase is shown in Fig 5.
1. The mobile user inserts his/her smartcard, inputs $ID'_{MN}$ and $PW'_{MN}$, and imprints his/her biometric information. Then, the smartcard verifies that $S'_1$ is equal to the value $S_1$ stored in the smartcard. If this holds, the scheme proceeds with the next step.

Security analysis of the proposed scheme
In this section, the proposed scheme is analyzed using two methods: informal analysis and formal analysis. The informal analysis argues that the proposed scheme is secure against many security threats compared with the other existing schemes. On the other side, using BAN logic, the formal analysis shows that the session key generated by the proposed scheme is legitimately shared by the entities that take part in it.

Informal security analysis
In this subsection, we check that our proposed scheme is safe against various security threats and satisfies the basic requirements for designing an authentication scheme.
Insider attack. An insider attack is performed by someone on the server's side who guesses the user's password from the registration message. However, in our proposed scheme, the MN sends the user's password to the server in the form $RPW_{MN} = h(PW_{MN} \| H(B_{MN}))$. In this case, a server insider is not able to guess the password because it is protected with a bio-hash value based on the user's biometric.
MN anonymity. An authentication scheme is said to satisfy anonymity if it meets two main conditions: (1) the user's identity is not disclosed to the adversary, and (2) the adversary cannot find out that two different sessions were initiated by the same user [27,28]. In our proposed scheme, we use the dynamic identity $DID_{MN} = E_{PSK}(ID_{MN}, a_{MN})$. Additionally, after an authentication phase,

Resistant to stolen-verifier attack. Several authentication schemes keep a verification table that stores some of the user information. However, the use of a verification table causes overhead on the server's side and a vulnerability to the stolen-verifier attack. The proposed scheme does not need to store any such information during any phase, which prevents not only the AAA overhead but also the stolen-verifier attack.
Resistant to MN impersonation attack. To mount an MN impersonation attack, the adversary needs to forge $AID_{MN}$, $AUTH_{MN}$ and $TN_1$. However, $AID_{MN}$ is ciphertext under the pre-shared key, $AUTH_{MN}$ incorporates $ID_{MN}$, and $TN_1$ incorporates the AAA's secret key $sv$ and the AAA-generated random nonce $a_{MN}$. So, even though the adversary $U_a$ can generate his/her own random nonce $N'_1$, $U_a$ cannot produce any of the required values that are sent to the MAG. Therefore, our proposed scheme prevents the MN impersonation attack.
Resistant to MAG impersonation attack. To mount a MAG impersonation attack, the adversary needs $S_2$ to encrypt the message. However, $S_2$ incorporates the AAA's secret key $sv$ and the AAA-generated random nonce $a_{MN}$. As in the preceding attack, the adversary $U_a$ cannot derive $S_2$ and therefore cannot produce $E_{S_2}(N_1 + 1, N_2, ID_{MAG}, h(N_2 \| ID_{MAG}), DID'_{MN}, AID'_{MN})$ normally. Therefore, our proposed scheme prevents the MAG impersonation attack.
Resistant to replay attack. The MN and the MAG generate the random nonces $N_1$ and $N_2$ during our proposed scheme to resist replay attacks. Suppose the adversary $U_a$ eavesdrops the login message $\langle AID_{MN}, AUTH_{MN}, TN_1 \rangle$ and then resends it. In this case, $U_a$'s login request is rejected by the MAG, because our proposed scheme detects the stale nonce by checking $AUTH_{MN}$. Furthermore, our proposed scheme uses different random numbers each time a session begins. Therefore, our proposed scheme can resist replay attacks.
Resistant to Denial-of-service attack. A denial-of-service (DoS) attack is caused by an adversary's continuous wrong login requests. If the MN's identity and password verification were performed on the MAG's side, an adversary could input wrong identities and passwords in succession; the MAG would receive a large number of login request messages and, as a result, would be overloaded. To prevent this attack, our proposed scheme checks the MN's identity and password on the MN's smartcard side. So, when an adversary inputs wrong information, the smartcard quickly rejects the login request on the MN's side. As a result, our proposed scheme resists the denial-of-service attack.
Resistant to MN guessing attack. In our proposed scheme, an adversary who wants to guess the MN's password or identity must use the value $S_1$. However, $S_1$ binds three pieces of the MN's information: identity, password and biometric. Even if the adversary could guess the user's identity and password at the same time in polynomial time, this presupposes that the adversary already knows the MN's biometric information. But it is not possible to learn the MN's biometric information in our scheme. Therefore, our scheme resists the MN guessing attack.
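The offline password guessing attack on Alizadeh et al.'s scheme (Section 4) and the MN guessing argument above turn on one property of the smartcard verifier: whether the extracted card contents, together with $S_1$, let an adversary test password candidates locally. The following Python model is an added example written for this page, not code from the paper; it assumes $RPW_{MN} = h(PW_{MN} \| R_{MN})$ for Alizadeh et al.'s card and $S_1 = h(ID_{MN} \| RPW_{MN})$ for the proposed card (the paper does not reproduce these forms), uses SHA-256 in place of $h(\cdot)$ and $H(\cdot)$, and uses constructed sample values.

```python
import hashlib
import secrets
from typing import Callable, Iterable, Optional


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of its inputs (SHA-256 stands in)."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Alizadeh et al.-style smartcard (shapes assumed where the paper omits them) ----
# The paper gives S_2 = h(RPW_MN) xor S_1 and S_5 = R_MN xor S_1.  The exact form of
# RPW_MN is not reproduced on the page; RPW_MN = h(PW_MN || R_MN) is ASSUMED here.
def alizadeh_card(pw: bytes, r_mn: bytes, s1: bytes) -> dict:
    rpw = h(pw, r_mn)
    return {"S2": xor(h(rpw), s1), "S5": xor(r_mn, s1)}


def alizadeh_card_accepts(card: dict, s1: bytes, pw_candidate: bytes) -> bool:
    """Once S_1 is known, the extracted card contents answer 'is this the password?'
    without contacting MAG or AAA (steps 1-3 of the offline password guessing attack)."""
    r_mn = xor(card["S5"], s1)                       # step 1: R_MN = S_5 xor S_1
    rpw_candidate = h(pw_candidate, r_mn)            # step 2: candidate RPW'_MN
    return xor(h(rpw_candidate), s1) == card["S2"]   # step 3: S'_2 == S_2 ?


# ---- Proposed-scheme-style smartcard (shapes assumed where the paper omits them) ----
# The paper gives RPW_MN = h(PW_MN || H(B_MN)) and states that the card verifier S_1
# binds identity, password and biometric; S_1 = h(ID_MN || RPW_MN) is ASSUMED here.
def biohash(template: bytes, token: bytes) -> bytes:
    """Stand-in H(.) for the tokenised bio-hash: one-way over the biometric template
    and the user's pseudo-random token (the token itself is stored on the card)."""
    return h(template, token)


def proposed_card(id_mn: bytes, pw: bytes, bio: bytes) -> dict:
    token = secrets.token_bytes(16)
    rpw = h(pw, biohash(bio, token))
    return {"S1": h(id_mn, rpw), "token": token}


def proposed_card_accepts(card: dict, id_c: bytes, pw_c: bytes, bio_c: bytes) -> bool:
    """The card's local check: every test needs an identity, a password AND a
    biometric, so a wrong biometric makes the check fail even for the right password."""
    rpw_c = h(pw_c, biohash(bio_c, card["token"]))
    return h(id_c, rpw_c) == card["S1"]


def offline_tests_until_accept(oracle: Callable[[bytes], bool],
                               candidates: Iterable[bytes]) -> Optional[int]:
    """How many local card checks a dictionary walk needs before one is accepted;
    None means no candidate is ever accepted."""
    for n, cand in enumerate(candidates, start=1):
        if oracle(cand):
            return n
    return None


# Constructed sample values (not from the paper).
DICTIONARY = [b"123456", b"password", b"qwerty", b"letmein", b"hunter2"]
TRUE_PW = b"letmein"
TRUE_ID = b"mn-0001"
TRUE_BIO = bytes(range(64))                  # stand-in biometric template
WRONG_BIO = bytes(reversed(range(64)))       # what an adversary without the biometric has


def compare_schemes() -> tuple:
    """Returns (tests needed against the Alizadeh-style card,
                tests needed against the proposed-style card without the biometric,
                whether the legitimate MN still passes the proposed-style card)."""
    s1 = secrets.token_bytes(32)             # modelled as already derived by U_a
    r_mn = secrets.token_bytes(32)
    old = alizadeh_card(TRUE_PW, r_mn, s1)
    n_old = offline_tests_until_accept(
        lambda pw: alizadeh_card_accepts(old, s1, pw), DICTIONARY)

    new = proposed_card(TRUE_ID, TRUE_PW, TRUE_BIO)
    n_new = offline_tests_until_accept(
        lambda pw: proposed_card_accepts(new, TRUE_ID, pw, WRONG_BIO), DICTIONARY)
    legit = proposed_card_accepts(new, TRUE_ID, TRUE_PW, TRUE_BIO)
    return n_old, n_new, legit


if __name__ == "__main__":
    print(compare_schemes())   # (4, None, True)
```

The Alizadeh-style card is accepted on the fourth dictionary entry because the verifier is testable locally once $S_1$ is known, while the proposed-style card rejects every candidate without the biometric and still accepts the legitimate holder.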
Does not need time synchronization. Several authentication schemes use timestamps to resist replay attacks. However, to use timestamps in an authentication scheme, the MN and the MAG have to synchronize their clocks beforehand, and the synchronization process may produce time-synchronization errors. To prevent this problem, our proposed scheme uses only random-nonce-based authentication instead of timestamps.
Efficient and free password choice and change. In our proposed scheme, the MN user chooses his/her password without any restriction in the registration phase. Additionally, when the MN changes his/her password in the password change phase, the smartcard first checks the legality of the original password; then the MN can change the password. In this process, the MN only needs to communicate with the smartcard and not with the MAG.
Comparison with previous work. The proposed scheme is also compared with two existing PMIPv6 user authentication schemes, as shown in Table 2. The results are described as follows.

Formal security analysis
Formal security analysis is commonly used to analyse and judge various authentication schemes' performance [29][30][31][32]. Many formal security analysis methods can be applied to authentication schemes, such as BAN logic [33], GNY [34], AVISPA [35] and ProVerif [36]. In this paper, we use BAN logic to prove our scheme's legality.
Authentication proof with BAN logic. In this subsection, BAN logic is used to analyze the proposed scheme. BAN logic helps to prove whether or not a protocol meets its security goals. BAN logic also contributes to improving the efficiency of a protocol by eliminating unnecessary messages, message content, or message encryptions. The BAN-logic notation is defined in Table 3.
In order to obtain a sound result with BAN logic, we use the following introduction and elimination rules:
• Message-meaning rule: $\dfrac{P \mid\equiv P \overset{K}{\leftrightarrow} Q,\; P \triangleleft \langle X \rangle_K}{P \mid\equiv Q \mid\sim X}$. When P sees a message encrypted with the key shared by P and Q, then P believes that Q has sent the message. As the secret key is known only to P and Q, only P or Q is able to produce the message, and P knows what it has said.
• Nonce-verification rule: $\dfrac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$. When P believes that X is a fresh message and that it was said by Q, then P believes that Q still believes the message X.
• Belief rule (1): $\dfrac{P \mid\equiv X,\; P \mid\equiv Y}{P \mid\equiv (X, Y)}$. A composite message can be believed when a principal believes both of its parts; this generalizes to more than two parts.
• Freshness-conjuncatenation rule: $\dfrac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$. When an entity finds a value to be fresh, it also believes that a message in which the value is used is fresh.
• Jurisdiction rule: $\dfrac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$. If P believes that the principal Q has jurisdiction over the formula X, then Q is trusted to make statements about X, and P believes X.
The major objective of our proposed scheme is mutual authentication between the MN and the MAG with a shared key. Our objectives, symbolized in BAN logic, are as follows: After establishing the main objectives, we convert the messages between the MN and the MAG into idealized form.
There are also some assumptions in our proposed scheme that are needed to derive the objectives.
Now, we describe our main proof as follows. According to Message 1, we obtain: According to assumption $A_6$, we apply the message-meaning rule to obtain V2 and V3.
• V2: $MAG \mid\equiv MN \mid\sim ID_{MN}$
• V3: $MAG \mid\equiv MN \mid\sim N_1$
According to assumption $A_1$, we apply the freshness-conjuncatenation rule to obtain V4.
• V4: $MAG \mid\equiv MN \mid\equiv N_1$
According to assumption $A_3$ and V4, we apply the jurisdiction rule to obtain V5.
• V8: $MN \mid\equiv MAG \mid\sim N_2$
According to assumption $A_2$, we apply the freshness-conjuncatenation rule to obtain V9.
• V9: $MN \mid\equiv N_2$
According to $sk = h(N_1 \| N_2)$, V9 and assumption $A_4$, we derive:
• V10: $MN \mid\equiv (MN \overset{sk}{\leftrightarrow} MAG)$ (Goal 1)
The preceding discussion shows that the MN and the MAG achieve mutual authentication, and based on (Goal 1) and (Goal 2), the MN and the MAG trust that the session key $sk$ is securely shared between them.

Performance analysis of the proposed scheme
In this section, we measure our proposed scheme's performance and compare it with those of the existing schemes. The notations used in this measurement are as follows:
• $T_h$: the time of executing a one-way hash function or bio-hash function.
• $T_x$: the time of executing an XOR operation.
• $T_s$: the time of executing a symmetric encryption or decryption.
Table 4 compares the computational cost of our proposed scheme with those of the existing schemes. The totals are $16T_h + 4T_x + 8T_s$ for Chuang et al.'s scheme, $14T_h + 9T_x + 8T_s$ for Alizadeh et al.'s scheme, and $17T_h + 7T_x + 10T_s$ for our proposed scheme. The numbers of hash-function and XOR-operation executions in the proposed scheme are similar to those of the two existing schemes; the proposed scheme implements the dynamic identity to satisfy user anonymity, which needs two further symmetric-encryption and symmetric-decryption operations. Based on the results in Table 4, the Crypto++ Library is used to measure the computation time of each operation [37]. A simulation was performed to obtain the execution time of each cryptographic operation, and Table 5 shows our simulation environment.
Under this simulation environment, the time of each cryptographic operation was measured. Table 6 shows the execution time of each operation and the comparison of the total execution time between our proposed scheme and the other schemes. In addition, $T_x$ is not counted because it is negligible compared with the other operations such as symmetric encryption or the hash function.
[Table 4. Comparison of the computational costs between the proposed scheme and other related schemes. Columns: Registration, Mutual Authentication, Total. Rows begin with Chuang et al.'s scheme; the cell values were not recovered.]
As shown in Table 6, the execution time of our proposed scheme is 15.46 ms ($17T_h + 10T_s \approx 17 \times 0.48\,\text{ms} + 10 \times 0.73\,\text{ms}$). The execution times for Chuang et al.'s and Alizadeh et al.'s schemes are 13.52 ms ($16T_h + 8T_s \approx 16 \times 0.48\,\text{ms} + 8 \times 0.73\,\text{ms}$) and 12.56 ms ($14T_h + 8T_s \approx 14 \times 0.48\,\text{ms} + 8 \times 0.73\,\text{ms}$), respectively. The results show that our proposed scheme's execution time is higher than those of the other schemes. However, in terms of security, the other schemes have several vulnerabilities. By contrast, our proposed scheme implements the dynamic identity at a relatively low additional cost, satisfying MN anonymity and providing protection against various security attacks. Thus, our proposed scheme also takes the necessary efficiency into account.

Conclusion
This paper shows that Chuang et al.'s scheme, which was proposed as an authentication scheme for the PMIPv6, is vulnerable to an attacker who can derive the symmetric key used in all communication, and that executing this attack is relatively simple. We then demonstrate how an outsider adversary can mount various attacks, such as the offline password guessing, MN impersonation, and MAG impersonation attacks, on Alizadeh et al.'s scheme. Accordingly, we propose an improved and efficient scheme using the MN user's biometric information and a dynamic identity, which protects against the previous security drawbacks. As a result, this paper shows that the proposed scheme can prevent attacks such as the MN guessing, MAG impersonation, and session key derivation attacks, and its effectiveness is also due to the fact that it uses neither timestamps nor verification tables. Furthermore, BAN logic shows that the proposed scheme achieves successful and stable session-key sharing between the MN and the MAG, and it remains efficient in terms of computational-time cost.

Acknowledgments
I thank all of the authors, especially the corresponding author Dongho Won. I am also grateful to the anonymous reviewers for their time, priceless comments, and advice regarding this paper.