A robust ECC based mutual authentication protocol with anonymity for session initiation protocol

Over the past few years, the Session Initiation Protocol (SIP) has emerged as a substantial application-layer protocol for multimedia services. It is extensively used for managing, altering, terminating and distributing multimedia sessions. Authentication plays a pivotal role in the SIP environment. Recently, Lu et al. presented an authentication protocol for SIP and claimed that the newly proposed protocol is protected against all the familiar attacks. However, detailed analysis shows that Lu et al.'s protocol is vulnerable to server masquerading and user masquerading attacks. Moreover, it fails to protect the user's identity, and its login and authentication phase is incorrect. In order to establish a suitable and efficient protocol that overcomes all these discrepancies, a robust ECC-based mutual authentication mechanism with anonymity for SIP is presented in this manuscript. The improved protocol contains an explicit parameter for the user to cope with the issues of security and correctness, and it is found to be more secure and relatively effective in protecting the user's privacy and in resisting user and server masquerading, as verified through comprehensive formal and informal security analysis.


Introduction
The applications of multimedia services have great significance in advanced networks. SIP is a valued application-layer protocol used for controlling and signalling multimedia sessions. The prime responsibility of SIP is internet telephone services such as voice calls, video calls and instant messaging over the public network. Furthermore, SIP is responsible for establishing, modifying and terminating multimedia sessions [1]. The authentication process is performed by the users in order to log in to the server through SIP, so authentication plays a vital role in SIP services. Nowadays, due to the keen interest of researchers in security maintenance and authentication for SIP, there is immense scope for research in the authentication of multimedia services. Recently, numerous scholars have presented secure and efficient authentication techniques to sustain the security of SIP [2-6]. Researchers agree that Hypertext Transport Protocol (HTTP) digest authentication for SIP is vulnerable to stolen-verifier, server spoofing and off-line password guessing attacks and is unable to provide mutual authentication [1, 7-9]. In order to counter these weaknesses, Yang et al. [7] introduced an authentication protocol based on the Diffie-Hellman key exchange protocol. Afterwards, Huang et al. [10] pointed out that Yang et al.'s protocol fails to resist the off-line password guessing attack and proposed an updated scheme to fix the issues identified in Yang et al.'s scheme. However, Huang's protocol was found unprotected against the off-line password guessing attack, as indicated by Jo et al. [11]. In order to enhance Yang et al.'s proposed technique, Durlanik and Sogukpinar [12] presented a secure as well as effective authentication technique based on Elliptic Curve Cryptography (ECC) [13]. ECC can provide the same security with a relatively smaller key size than other cryptosystems [13-18]. In 2009, Wu et al. [19] presented an improved and secure authentication protocol for SIP based on ECC. Later on, Yoon et al. [20] demonstrated that Durlanik [23]. Later on, Arshad and Ikram [24] proved that Tsai's protocol is breakable by the off-line password guessing and stolen-verifier attacks. Moreover, Tsai's protocol is unable to maintain forward secrecy and known-key secrecy. Though Yoon et al. [25] presented a robust authentication technique with key agreement to address the limitations of Tsai's scheme, Xie [26] showed that Yoon et al.'s scheme is unprotected against off-line password guessing and stolen-verifier attacks and introduced a new scheme. Unfortunately, Xie's protocol is vulnerable to off-line password guessing and impersonation attacks, as indicated by Farash and Attari [27], who proposed a new technique to counter the limitations of Xie's scheme. Zhang et al. [28] offered an authentication protocol with anonymity using ECC. Recently, Lu et al. [29] indicated that Zhang et al.'s scheme was breakable by the insider attack and failed to offer mutual authentication. To remedy these vulnerabilities, Lu et al. [29] suggested an advanced scheme, which is claimed to be resistant to all possible attacks. However, our analysis finds that Lu et al.'s proposed protocol is insecure against server and user masquerading attacks. Additionally, it fails to offer user anonymity and its scheme is incorrect. Hence, a new robust mutual authentication protocol with anonymity using ECC for SIP is presented in this manuscript. The improved scheme contains a slight modification in both the registration and authentication phases. We have supplemented an explicit parameter for the user to cope with the issues of correctness and security. Furthermore, the protocol is highly secure against all the possible attacks, as validated through informal and formal security analysis.
Comprehensive analysis also verifies that the security and performance of the proposed protocol are more effective and reliable compared to recent authentication protocols. The remainder of the manuscript is arranged as follows: Table 1 describes the notations used in this manuscript. The review and the weaknesses of Lu et al.'s scheme are presented in sections 2 and 3, respectively. The proposed protocol is presented in section 4, and the formal and informal security analyses are given in section 5. The performance comparison of the present protocol with recently presented protocols is investigated in section 6. The conclusion is given in section 7.

Review of Lu et al.'s scheme
This section concisely reviews Lu et al.'s protocol. The overall protocol contains three phases. In the first phase, the user performs the registration process, then uses it to log in to the server and authenticate itself. The protocol also permits the user to update his/her password when required. All these phases are explained in detail below, and Fig 1 shows the registration and authentication phases:

Authentication phase
1. $U_i$ generates a random number $r_1$ and computes: Now $U_i$ transmits the REQUEST $\{Y, HID_i, Z\}$ to $S$.
2. $S$ computes, upon reception of the request message from $U_i$: verify $Z' \stackrel{?}{=} Z$; in case of failure the session is aborted, otherwise $S$ generates a random number $r_2$ and calculates: Now $S$ sends the challenge message CHALLENGE$\{realm, D, Auth_s\}$ to user $U_i$.
3. On getting the challenge message from $S$, $U_i$ calculates:

Password change phase
in order to change the password. The following steps are performed by $U_i$ and $S$.

Cryptanalysis of Lu et al.'s scheme
In this section it is revealed that Lu et al.'s scheme is vulnerable to server and user masquerading attacks and is also unable to achieve user anonymity. Moreover, its authentication phase on the server side is incorrect. As per the adversary model in [30-34], $A$ can access the public communication link and can replay, remove, modify, intercept or send a newly devised message.

User anonymity attack
The user anonymity violation is described in this subsection. In Lu et al.'s protocol, any legitimate user can derive the authentic identity of a specific user by intercepting the login request message from the public communication channel. Assume a legal user $U_j$ tries to extract the authentic identity of another user $U_i$. $U_j$ performs the following steps.
1. User $U_j$ steals the information $V_{PW}$ stored on the server.
2. Now, using his/her $ID_j$, $PW_j$ and $P_{uj}$, $U_j$ computes $PWD_j = h(PW_j \| P_{uj})$ and obtains the value $T = h(ID_j \| PWD_j)$. Now $U_j$ can also extract the server private key $h(P_s) = T \oplus V_{PW}$.
3. $U_j$ intercepts the login request message $\{Y, HID_i, Z\}$ of $U_i$ from the public communication channel and sends it to the server $S$.

Server masquerading attack
In Lu et al.'s scheme, if $A$ derives the server $S$'s secret key $P_s$, another authorized user $U_j$ can easily masquerade as the legal server by executing the following steps.
1. Adversary $A$ steals the information $V_{PW}$ stored in the server's repository. Then the following steps are performed by $A$.
2. When a legal user $U_i$ needs to log in to the server, $U_i$ calculates: $T = h(ID_i \| h(PW_i \| P_{ui}))$ (20) Now $U_i$ conveys the request message $\{Y, HID_i, Z\}$ to the server $S$.
3. After intercepting the request message, $A$ computes: generates $r_2$ (28) $Auth_s = h(sk_s \| T$ After that, $A$ transmits CHALLENGE$(realm, D, Auth_s)$ to the legal user $U_i$.
4. On getting the challenge message, $U_i$ computes: $Auth'_s = h(sk_{ui} \| T \| X) = Auth_s$ (33)
5. $U_i$ conveys the response message RESPONSE$(realm, Auth_{ui})$ to the server $S$, whereas $A$ intercepts the message. Hence, $A$ successfully masquerades as the server to legal users.

User masquerading attack
For the user masquerading attack, an attacker $A$ obtains the request message $\{Y, HID_i, Z\}$ and derives the identity $ID_i$ as described in Section 3.1. Now any legitimate user $U_j$ can easily masquerade as another user $U_i$ by performing the following steps:
1. $A$ intercepts the request message $\{Y, HID_i, Z\}$ of the remote user $U_i$ and computes: generates $r_1$ (36) $A$ transmits his own request message $\{Y, HID_i, Z\}$.
2. Upon getting the message, $S$ computes: generates $r_2$ (44) Therefore, $A$ sends the response message to $S$.
4. On receiving the message, $S$ authenticates the adversary as a legal user by verifying the equation $Auth_{ui} = h(sk_s \| T' \| D)$. Therefore, $A$ has successfully misled the server $S$, and $S$ treats the shared session key as a valid key.

Incorrectness problem
In this section it is demonstrated that, while authentication is performed on the server side, the server computes $T' = V_{PW} \oplus h(P_s)$, where $h(P_s)$ is the private key of the server, which is secret within the server. But how can the server compute the exact value of $T'$ without knowing the valid $ID_i$ of the specific user, as the verifier table contains the $T$ values of all the legal users of the system?

Proposed scheme
In this section, the new proposed protocol is presented. The improved protocol is divided into three phases, i.e., the System Setup, Registration and Authentication phases. Before going into the details of the proposed protocol, we explain that the insecurity of Lu et al.'s scheme against server and user masquerading attacks was due to a generic secret value $h(P_s)$ stored inside the verifier table $V_{PW}$ on the server. A legitimate but dishonest user (say $U_j$) can easily extract $h(P_s)$ by using his/her own $T$, which is computed as $T = h(ID_j \| PWD_j)$, and then with the help of this $T$ compute the server private key $h(P_s) = T \oplus V_{PW}$. After obtaining $h(P_s)$, the authorized but dishonest user $U_j$ can easily find the real identity of any other user. Moreover, after stealing $V_{PW}$ from the server, $U_j$ can easily masquerade as $U_i$ as well as the legal server. In the present protocol, $V_{PW}$ incorporates the user's particular identity $ID_i$. Hence, if $A$ successfully obtains the secrets from the verifier table, one can only retrieve his/her own value of $PWD$, because the user's $ID_i$ is bound into the server secret key. So he cannot masquerade as another user or as the server of the system, even though he also holds the $V_{PW}$ verifier table. The scheme is illustrated in Fig 2 and is explained as follows:
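To make the difference between the two verifier-table designs concrete, the following Python model is an added illustration (not code from the paper or its authors): SHA-256 stands in for $h(\cdot)$, and the identities, passwords and keys are constructed sample values. It shows that in Lu et al.'s table a registered user recovers the common mask $h(P_s)$ from his own entry and can unmask every other user's $T$, whereas in the proposed table the recovered mask $h(P_s \| ID_j)$ is useless against other users' entries.

```python
import hashlib
import os

# Added example, not from the paper: the two verifier-table constructions
# side by side. SHA-256 stands in for h(.); identities, passwords and keys
# below are constructed sample values.

def h(*parts: bytes) -> bytes:
    """One-way hash h(a || b || ...) over a length-prefixed concatenation."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Lu et al.: PWD = h(PW || P_u), T = h(ID || PWD), V_PW = T xor h(P_s).
# The mask h(P_s) is the same for every entry in the table.
def lu_verifier(id_, pw, p_u, p_s):
    return xor(h(id_, h(pw, p_u)), h(p_s))

# Proposed: PWD = h(ID || PW || P_u), V_PW = PWD xor h(P_s || ID).
# The mask is bound to the user's own identity.
def proposed_verifier(id_, pw, p_u, p_s):
    return xor(h(id_, pw, p_u), h(p_s, id_))

def own_mask_lu(id_, pw, p_u, entry):
    # A registered user recomputes own T and strips it off own entry.
    return xor(entry, h(id_, h(pw, p_u)))       # = h(P_s)

def own_mask_proposed(id_, pw, p_u, entry):
    return xor(entry, h(id_, pw, p_u))          # = h(P_s || ID)

def demo():
    p_s = os.urandom(32)                         # server secret key
    users = {b"alice": (b"pw-a", os.urandom(16)),
             b"bob": (b"pw-b", os.urandom(16))}  # ID -> (PW, P_u)
    lu_tab = {i: lu_verifier(i, pw, pu, p_s) for i, (pw, pu) in users.items()}
    new_tab = {i: proposed_verifier(i, pw, pu, p_s) for i, (pw, pu) in users.items()}

    # Bob, holding a copy of Lu et al.'s table, recovers h(P_s) from his entry
    # and with it unmasks Alice's entry down to her T = h(ID || PWD).
    mask = own_mask_lu(b"bob", *users[b"bob"], lu_tab[b"bob"])
    leaks_server_secret = mask == h(p_s)
    unmasks_other_user = xor(lu_tab[b"alice"], mask) == h(b"alice", h(*users[b"alice"]))

    # In the proposed table Bob only learns h(P_s || "bob"), which does not
    # unmask Alice's entry: the result is unrelated to her PWD.
    mask2 = own_mask_proposed(b"bob", *users[b"bob"], new_tab[b"bob"])
    bound_to_own_id = mask2 == h(p_s, b"bob")
    other_entry_opaque = xor(new_tab[b"alice"], mask2) != h(b"alice", *users[b"alice"])
    return leaks_server_secret, unmasks_other_user, bound_to_own_id, other_entry_opaque
```

`demo()` returns four booleans, all `True`: the first two exhibit the leak in Lu et al.'s table, the last two show that binding $ID_i$ into the mask confines a dishonest user to his own entry.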

System setup phase
1. The server $S$ selects an elliptic curve [35] $E_p(a, b)$ of order $n$ and chooses a base point $P$.
2. The secret key $P_s \in_R Z_p^*$ is generated by $S$ (with $P_s \in [0, n-1]$), and $S$ computes the public key $Q_s = P_s \cdot P$. Then $S$ selects a one-way hash function $h(\cdot)$, keeps the secret key $P_s$ safe and publishes the rest of the public parameters.

Registration phase
1. $U_i$ computes $PWD_i = h(ID_i \| PW_i \| P_{ui})$ and conveys $\{ID_i, PWD_i\}$ to $S$ through a secure channel.
2. On getting the message, $S$ computes $V_{PW_i} = PWD_i \oplus h(P_s \| ID_i)$ and saves $V_{PW_i}$ in the server database.

Authentication phase
1. First of all, a random number $r_1$ is generated by $U_i$, and it computes: Now $U_i$ sends the request message REQUEST $\{M_1, M_2\}$ to $S$.
2. Upon getting the request message, $S$ computes the following: check if $t_i$ is fresh (57); compute and check $PWD'_i \stackrel{?}{=} PWD_i$, failure of which leads to the termination of the session; otherwise $S$ generates $r_2$ and computes:

Security analysis
Informal and formal security analysis of the proposed scheme demonstrates that it is resilient against all known attacks over public communication channels.

Resist replay attack.
Suppose an eavesdropper steals the request message $\{M_1, M_2\}$ and tries to replay it to pretend to be a legal user $U_i$. On the server side, $S$ verifies the freshness of the timestamp $t_i$ and also the condition $PWD'_i \stackrel{?}{=} PWD_i$. To successfully pass the condition, $A$ requires $ID_i$ and the server secret key $P_s$. But $A$ is unable to get $ID_i$ and the server secret key $P_{ui}$, as they are secured by the one-way hash function. Furthermore, if $A$ is able to get the challenge message $\{realm, M_3, Auth_s\}$ from $S$ and tries to replay it to $U_i$, $A$ fails to obtain $r_2$ from $D$, and $Auth_s$ is not equal to $h(sk_{ui} \| PWD_i \| X)$ as computed by $U_i$. Then $U_i$ does not send the response message to $A$. Hence, the present scheme is protected against the replay attack.

Anonymity and privacy.
In the proposed scheme, $ID_i$ is protected on the public channel by the hash function along with the user secret key $P_{ui}$. So it is impossible for $A$ to get $ID_i$ from the public channel. Hence, the proposed scheme provides appropriate anonymity.

Off-line password guessing attack.
Suppose $A$ steals the REQUEST $\{M_1, M_2\}$. The password is secured in $M_2$, and retrieving the password from $M_2$ requires calculating $PWD_i$, which is impossible for $A$ to obtain due to the security of the hash function. Even if the password is compromised, it is impossible for $A$ to prove the legitimacy of the password. Hence, the present protocol withstands the off-line password guessing attack.

Mutual authentication.
In the present protocol both the user $U_i$ and the server $S$ compute Auth

Perfect forward secrecy.
Suppose the secret keys of $U_i$ and $S$ are compromised; $A$ is still unable to guess the session key $sk = r_1 \cdot r_2 \cdot P$. It is infeasible for $A$ to compute $r_1$ and $r_2$ from $X$ and $D$, respectively, due to the ECDLP. Hence, the present protocol provides forward secrecy.

Masquerading attack.
For user masquerading, $A$ requires the user password $PW_i$ to compute the valid value of $PWD_i$. Assume $A$ successfully intercepts the request message $\{M_1, M_2\}$; it is not possible to compute the value of $PWD_i$ from $M_1, M_2$ due to the hardness of the ECDLP, and $M_2$ contains the value encrypted under $X$. For the server masquerading attack, $A$ requires the verifier $V_{PW}$ from the server database and the secret key $P_s$, which is known only to the server. Without the server secret key $P_s$, $A$ is unable to compute $PWD_i$ from $V_{PW}$. For authenticating the user, $A$ also needs $r_1$ to compute $X$, so $A$ is unable to verify $E_X(t_i \| ID_i \| X \| PWD_i) = M_2$. Moreover, $r_2$ is required to compute $sk_s$ and $Auth_s$. Hence, the proposed scheme resists the masquerading attack.

Resist insider attack.
In the registration phase of the proposed protocol, $U_i$ transmits a message containing $(ID_i, PWD_i)$ instead of $(ID_i, PW_i)$, where $PWD_i = h(ID_i \| PW_i \| P_{ui})$. So $A$ is incapable of obtaining the user's password $PW_i$ without knowledge of $P_{ui}$. Hence, it is impossible for $A$ to launch the insider attack.

Session key secrecy.
The two random numbers $r_1$ and $r_2$ are used to compute the session key for every session. These two numbers are chosen independently by the server $S$ and the user $U_i$ and differ in each session. So, if one session key is exposed, the remaining session keys stay secure. Hence, the proposed protocol achieves session key secrecy.

Formal security analysis
This section demonstrates the formal security analysis of the proposed protocol. This analysis validates the claim that the proposed scheme is provably secure.
Theorem 1. The robust authentication protocol with anonymity using ECC for the session initiation protocol (PREBMAPSIP) is provably secure against an adversary $A$. Under the ECDLP assumption and the security of the hash function, it is impossible to obtain the user $U_i$'s real identity $ID_i$, password $PW_i$, user private key $P_{ui}$ and the session key $sk$ shared between the user $U_i$ and the server $S$.
Proof 1. To show that the proposed protocol is provably secure, a model similar to [33,34,36,37] is adopted.
Before proceeding, the following oracles are defined:

Computation cost analysis
In this section the performance and security of the proposed protocol are evaluated against the previously stated schemes [24-29, 38-41]. The registration phase is performed only once before authentication, so the performance comparison focuses mainly on the authentication phase. For the performance calculation, the notation used for the different cryptographic operations is as follows:
• $t_{sh}$: time to compute a secure one-way hash function [42] recently. Furthermore, XOR and inverse operations are neglected due to their insignificance, as indicated by Kilinc and Yanik. The performance comparison with the recent allied schemes is demonstrated in Table 2. Table 2 shows that the present protocol has the same running time as the previously proposed scheme [27]. Moreover, [27] is found to be insecure against some known attacks. The remaining schemes [24-26, 28, 29, 38-41] have relatively longer running times and are also found insecure against some known attacks. Moreover, the proposed scheme is provably secure and resists all possible attacks, as shown in Section 5.

[Table 2: computation cost comparison; columns: Schemes, User, Server, Total running time]
messages exchanged, the present protocol provides better performance as compared to the previously stated schemes.

Security comparison
In Table 4, the comparison of the security properties of the present protocol with the conventional schemes [24-29, 38-41] is summarized. It is easy to conclude from Table 4 that the proposed scheme performs better than the other conventional schemes. The proposed scheme not only outperforms them in efficiency but also provides mutual authentication. The proposed protocol is robust against the user as well as the server masquerading attack.

Conclusion
In this research work, Lu et al.'s scheme is cryptanalysed and it is shown that the protocol is insecure against the server and user masquerading attacks. Moreover, its login and authentication phase is found to be incorrect. To overcome these drawbacks, a novel technique is proposed that reduces the processing time and enhances system protection. It is proved to be relatively more secure than the conventional techniques, as verified through the well-known random oracle model. Hence, the proposed technique provides enhanced security and better performance, so it is suitable for practical applications.