An improved anonymous authentication scheme for roaming in ubiquitous networks

With the evolution of communication technology and the exponential increase in mobile devices, ubiquitous networking allows people to use their data and computing resources anytime and everywhere. However, numerous security concerns and complicated requirements arise as these ubiquitous networks are deployed throughout people's lives. To meet this challenge, user authentication schemes in ubiquitous networks should ensure the essential security properties for privacy preservation at a low computational cost. In 2017, Chaudhry et al. proposed a password-based authentication scheme for roaming in ubiquitous networks to enhance security. Unfortunately, we found that their scheme remains insecure in its protection of user privacy. In this paper, we show that Chaudhry et al.'s scheme is vulnerable to the stolen-mobile device and user impersonation attacks, and that its drawbacks include the absence of incorrect login-input detection, an incorrect password change phase, and the absence of a revocation provision. Moreover, we suggest a way to fix the security flaws in Chaudhry et al.'s scheme by using biometric-based authentication, in which a bio-hash is applied to implement three-factor authentication. We prove the security of the proposed scheme in the random oracle model, formally verify its security properties with the ProVerif tool, and analyze it in terms of computational and communication cost. The analysis shows that the proposed scheme is suitable for resource-constrained ubiquitous environments.


Introduction
The development of communication technology provides efficient services based on sustainable infrastructures that improve the quality of human life. As smart devices such as smartphones, smart watches, and tablets become widely available, it has become possible to access various services and to utilize information anytime and anywhere. The ubiquitous smart society, in which combining data from smart devices and various sensors enables intelligent communication, is being built in the form of the smart city [1,2]. In this smart city, the ubiquitous network provides useful information and resources for remote operations such as human-resource and enterprise-resource management: while a citizen is moving, the mobile device reaches its home agent (HA) by roaming through a foreign agent (FA) [3,4].
For a user's mobile device to remotely access various services through the HA, remote user authentication is required. In a remote authentication scheme, a user identifier is needed to verify that the user is legitimate. Identifiers such as the ID and password are tied to user privacy, and their leakage seriously affects user security; therefore, the login and authentication requests that carry the identifier over the public channel are an easy target for an attacker. For this reason, user anonymity and untraceability should be maintained in the remote authentication process [5].
In addition, after the user's login and authentication requests are accepted, the participants in the ubiquitous network must share the same session key for secure future communication. To protect the session key against a spoofing attacker, the key should not be distributed directly from one node to the other; the key agreement must follow a mutual authentication in which the participants verify each other's legitimacy [6].
In recent years, authentication techniques [7][8][9][10][11][12][13] have been frequently proposed. A two-factor authentication scheme using the user ID and password is widely used. However, password-based authentication schemes are vulnerable to password-guessing attacks. A key technology for overcoming this issue is biometric-based three-factor authentication. Since biometric keys (irises, fingerprints, hand geometry, palm prints, etc.) represent unique human characteristics, they have the following advantages [14]: (1) biometric keys cannot be lost or forgotten; (2) it is extremely difficult to forge or distribute biometric keys; (3) biometric keys are unique; and (4) biometric keys are hard to guess. Thus, biometric-based user authentication methods are generally more secure and reliable than traditional password-based methods.
Combining a password and a biometric key makes the user credentials hard to guess. Three-factor authentication schemes that exploit the uniqueness of users have therefore been proposed [15,16]. However, some caveats apply when biometric-based techniques are used in practice. First, as mentioned, a biometric is a human characteristic and cannot be changed, unlike a password; consequently, its leakage causes serious privacy problems [17]. Therefore, the original biometric template or feature-vector value of a user should never be exported directly. To enhance security, many biometric-based authentication schemes transform the user's biometric into a random-looking value with techniques such as a bio-hash or a fuzzy extractor [18][19][20].
Over the past few years, a number of authentication schemes have been proposed to support roaming in ubiquitous networks. In 2004, Zhu and Ma [21] presented the first password-based authentication scheme for ubiquitous networks, but Lee et al. [22] then demonstrated that this scheme achieves neither perfect backward secrecy nor mutual authentication and does not resist the forgery attack. To enhance the security of Zhu and Ma's scheme [21], Lee et al. [22] proposed an improved password-based authentication scheme. In 2008, however, Wu et al. [23] proved that the schemes of both Zhu and Ma [21] and Lee et al. [22] do not preserve user anonymity, and that the latter scheme does not achieve perfect backward secrecy; Wu et al. [23] also proposed simple fixes for the drawbacks of the two schemes. In 2012, Mun et al. [24] showed that the scheme of Wu et al. [23] achieves neither user anonymity nor perfect forward secrecy, and they presented an enhanced password-based authentication scheme to overcome these weaknesses. Unfortunately, in 2014, Zhao et al. [25] proved that the scheme of Mun et al. [24] is vulnerable to various attacks.
In 2011, He et al. [26] proposed a lightweight password-based authentication scheme, claiming that it satisfies the various security requirements of ubiquitous networks. In 2013, however, Jiang et al. [27] proved that He et al.'s scheme [26] does not prevent off-line password guessing, server-spoofing, replay, and privileged-insider attacks, and they presented an enhanced password-based authentication scheme to overcome these weaknesses. Wen et al. [28] subsequently showed that Jiang et al.'s scheme [27] is vulnerable to stolen-verifier, server-spoofing, replay, and denial-of-service attacks and fails to provide forward secrecy. In 2015, Farash et al. [29] and Gope and Hwang [30] independently showed that Wen et al.'s scheme [28] is insecure against known attacks, and each introduced an improved password-based authentication scheme that prevents these attacks. Nevertheless, Wu et al. [31] showed that both the scheme of Farash et al. [29] and that of Gope and Hwang [30] are vulnerable to various attacks. In addition, Chaudhry et al. [32] found a number of security pitfalls in Farash et al.'s scheme [29], such as a user-anonymity violation and the disclosure of the secret parameters of the mobile node (MN) and of the session key.

Contributions of the paper
Recently, Chaudhry et al. [32] proposed a privacy-preserving password-based authentication scheme for roaming in ubiquitous networks to solve the security issues of Farash et al.'s scheme [29]. They claimed that their scheme is secure against the various known attacks and is lightweight compared with the earlier scheme of Farash et al. [29]. However, we found that Chaudhry et al.'s scheme [32] is still vulnerable to several attacks. In this paper, we therefore show that Chaudhry et al.'s scheme [32] is vulnerable to the stolen-mobile device and user impersonation attacks, and that it lacks incorrect login-input detection, has an incorrect password change phase, and provides no revocation process. To fix these flaws, we present an improved biometric-based authentication scheme for roaming in ubiquitous networks. To achieve a three-factor authentication that protects the user's biometrics, a bio-hash technique is applied whenever the user imprints his/her biometrics on the mobile device. Furthermore, we perform formal and informal analyses to show that the proposed scheme meets the various security requirements, and we compare its computational and communication costs with those of related schemes to show its efficiency.

Organization of the paper
The remainder of this paper is organized as follows. In Section 2, a number of preliminaries are introduced. A brief review of the scheme of Chaudhry et al. [32] is presented in Section 3, and a cryptanalysis of Chaudhry et al.'s scheme [32] is presented in Section 4. The proposed scheme is presented in Section 5 and analyzed in terms of formal and informal security in Section 6. The performance of the proposed scheme is compared with that of related work in Section 7. The conclusion of this paper is provided in Section 8.

Preliminary knowledge
This section introduces the background needed to understand the authentication process in ubiquitous networks, the adversarial model, the security requirements, and bio-hash functions.

User authentication in ubiquitous networks
To enable the roaming service in ubiquitous networks, MN and FA perform a mutual authentication and share the session key with the support of the HA. The brief description of the user authentication process that is depicted in Fig 1 is as

Adversarial model
For the security analysis of Chaudhry et al.'s scheme and of the proposed scheme, we consider an adversarial model in which the adversary has the following capabilities:
1. The adversary A has full control over the public communication channel, which means that A can eavesdrop on, insert, delete, alter, or intercept any message transmitted on the public channel.
2. If A obtains a stolen or lost mobile device of a user in some way, he/she is able to extract the secret parameters from the device using side-channel attacks [33][34][35][36].

Security requirements
Based on recent research efforts [6,39,40,41], a biometrics-based authentication scheme for roaming in ubiquitous networks should meet the following security requirements against the adversarial model, together with the functional requirements that provide user-friendliness:
1. User anonymity: The scheme must ensure user anonymity to preserve the privacy of MN, i.e., A should not be able to discover the real identity of MN.
2. Unlinkability: To provide greater protection of the user's privacy, the scheme should ensure unlinkability, i.e., A should not be able to trace the user's actions.
3. Mutual authentication: The scheme should support mutual authentication to ensure the legitimacy of each participant, i.e., MN, FA, and HA are capable of authenticating each other in the authentication phase.
4. Session key agreement: When the scheme establishes a session key between the participants, the session key used to encrypt and decrypt messages in future communications should be fresh and provide forward secrecy.
5. Three-factor secrecy: To ensure the secrecy of the user's private credentials, the scheme should provide three-factor (identity, password, and biometrics) secrecy: A should not be able to recover any one factor from the remaining two.
6. Resilience to various attacks: The scheme should provide all major security goals and should be resistant to the different types of known attacks.

Bio-hash function
Biometrics provides a unique identification method that addresses the weaknesses of passwords, PINs, and tokens, which are easily forgotten or stolen. The imprinted biometric characteristics may differ slightly at each capture for a variety of reasons, such as the user's dry or cracked skin or dirt on the sensor [42]. Consequently, a high false-rejection rate of genuine users, resulting in denial of access, often occurs in the evaluation of biometric systems, and this impacts the usability of the system [43]. To address high false rejection, Jin et al. [44] proposed in 2004 a two-factor authenticator based on iterated inner products between a tokenized pseudorandom number and the user-specific fingerprint features. From these, a set of user-specific compact codes called the bio-hash code can be created: the bio-hash is a random mapping of the biometric features onto binary strings using user-specific tokenized pseudorandom numbers. Many authentication schemes using a bio-hash have recently been proposed [45][46][47]. According to recent bio-hash research [48][49][50][51], the execution time of a bio-hash is considered comparable to that of a one-way hash function, whereas the execution time of a fuzzy extractor, which is also commonly used in biometric systems, is considered comparable to that of elliptic-curve cryptography (ECC) [52]. The bio-hash is thus an effective technique for biometrics-based authentication schemes [53] and a convenient mechanism for small devices such as smart cards and mobile devices.
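As an added example (not code from the paper or from Jin et al.), the following Python implements the BioHashing construction just described: a feature vector is projected onto user-specific pseudorandom orthonormal vectors derived from the tokenized random number, and each inner product is thresholded to one bit. The feature dimension (24), the SHA-256-seeded PRNG, the Gram-Schmidt orthonormalisation, the threshold τ = 0, and the sample feature vectors are assumptions chosen for the illustration.

```python
"""BioHashing (Jin et al., 2004): a user-specific pseudorandom projection of a
biometric feature vector, thresholded to a bit string.

Added illustration, not code from the paper. The feature dimension (24), the
SHA-256-seeded PRNG, Gram-Schmidt orthonormalisation, the threshold tau = 0
and the sample vectors below are assumptions made for the demo."""
import hashlib
import math
import random


def _rng_from_token(token: bytes) -> random.Random:
    """Tokenised random number -> deterministic PRNG (same token, same basis)."""
    return random.Random(int.from_bytes(hashlib.sha256(token).digest(), "big"))


def orthonormal_basis(token: bytes, dim: int, m: int) -> list:
    """m pseudorandom orthonormal vectors in R^dim (Gram-Schmidt on Gaussian draws)."""
    if m > dim:
        raise ValueError("cannot have more orthonormal vectors than dimensions")
    rng = _rng_from_token(token)
    basis = []
    while len(basis) < m:
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for b in basis:  # strip the components along vectors already chosen
            d = sum(x * y for x, y in zip(v, b))
            v = [x - d * y for x, y in zip(v, b)]
        norm = math.sqrt(sum(x * x for x in v))
        if norm > 1e-9:  # a degenerate draw has probability zero; skip it anyway
            basis.append([x / norm for x in v])
    return basis


def biohash(features: list, token: bytes, m: int = 24, tau: float = 0.0) -> str:
    """Iterated inner products <features, b_k>, each thresholded at tau -> m-bit code."""
    basis = orthonormal_basis(token, len(features), m)
    return "".join("1" if sum(f * x for f, x in zip(features, b)) > tau else "0"
                   for b in basis)


def hamming(a: str, b: str) -> int:
    """Number of differing bit positions between two codes of equal length."""
    return sum(x != y for x, y in zip(a, b))


def matches(probe: list, token: bytes, enrolled_code: str, max_dist: int = 3) -> bool:
    """Hamming-distance matching. A scheme that uses H(BIO) as an exact key
    needs max_dist == 0 (or an error-correcting layer on top)."""
    return hamming(biohash(probe, token, len(enrolled_code)), enrolled_code) <= max_dist


# Constructed sample data: an enrolled 24-dimensional feature vector and a
# re-capture of the same finger with small sensor noise.
ENROLLED = [0.91, -0.42, 1.37, 0.08, -1.12, 0.55, 0.73, -0.96, 1.05, -0.31, 0.27, -1.48,
            0.64, 0.19, -0.77, 1.22, -0.58, 0.88, 1.14, -0.23, 0.47, -1.31, 0.69, -0.85]
NOISE = [0.002, -0.001, 0.002, 0.001, -0.002, 0.001, 0.002, -0.001, 0.001, 0.002, -0.002, 0.001,
         -0.001, 0.002, 0.001, -0.002, 0.002, -0.001, 0.001, 0.002, -0.002, 0.001, -0.001, 0.002]
NOISY = [f + d for f, d in zip(ENROLLED, NOISE)]
TOKEN = b"token-7f3a"        # tokenised random number issued to this user
OTHER_TOKEN = b"token-91c0"  # a different user's (or a re-issued) token


if __name__ == "__main__":
    code = biohash(ENROLLED, TOKEN)
    print("enrolled code           :", code)
    print("noisy recapture         :", biohash(NOISY, TOKEN),
          "distance", hamming(code, biohash(NOISY, TOKEN)))
    print("same finger, other token:", biohash(ENROLLED, OTHER_TOKEN),
          "distance", hamming(code, biohash(ENROLLED, OTHER_TOKEN)))
```

The first distance printed is the tolerance a scheme has to absorb: the protocols in this paper feed H(BIO) into hash computations, so any residual bit flip is a false rejection unless the device quantises more coarsely or wraps the code in an error-correcting layer. The second distance shows the token dependence that makes the code user-specific and revocable (re-issue the token), and it is also the caveat to remember: the token has to be protected like a password, because token plus a leaked feature vector reproduces the code.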

Review of Chaudhry et al.'s scheme
This section discusses Chaudhry et al.'s [32] user authentication scheme for roaming in ubiquitous networks. This scheme consists of the following three phases: (1) registration, (2) login and authentication, and (3) password change. All of the notations that are used in this paper are presented in Table 1.

Registration phase
In the registration phase, MN_i registers with HA_k and the following operations are performed:
1. MN_i → HA_k: ⟨ID_mi, h(PW_mi||r_A||ID_mi)⟩
MN_i selects his/her identity ID_mi and password PW_mi, and generates r_A. MN_i then computes h(PW_mi||r_A||ID_mi) and sends the registration request message ⟨ID_mi, h(PW_mi||r_A||ID_mi)⟩ to HA_k via a secure channel.
2. HA_k → MN_i: ⟨EID_mi, A_mi⟩
HA_k verifies whether MN_i's ID_mi is valid. If it is valid, HA_k computes the following equations: HA_k then sends EID_mi and A_mi to MN_i via a secure channel.
3. MN_i retains the secret parameters EID_mi, A_mi and r_A in the mobile device.

Login and authentication phase
In this phase, MN_i and FA_j perform a mutual authentication to establish a session key with the support of MN_i's HA_k. It is assumed that each pair of FA_j and HA_k shares a pre-shared key K_F,H. The details of the login and authentication procedure, depicted in Fig 2, are as follows:
1. MN_i → FA_j: M_1 = ⟨EID_mi, MV_2, MV_3, T_mi, ID_hk⟩
MN_i enters his/her ID_mi and PW_mi, generates the random number n_mi, and computes the following equations: MN_i sends the login request message M_1 = ⟨EID_mi, MV_2, MV_3, T_mi, ID_hk⟩ to FA_j via a public channel.
2. FA_j → HA_k: M_2 = ⟨ID_fj, EM_1⟩
FA_j checks the freshness of T_mi. If it is fresh, FA_j generates the random number n_fj and computes as follows: FA_j then sends the message M_2 = ⟨ID_fj, EM_1⟩ to HA_k.
3. HA_k → FA_j: M_3 = ⟨EM_2⟩
HA_k checks ID_fj and finds the corresponding K_F,H. To obtain M_1 and n_fj, HA_k decrypts EM_1 and computes the following equations: Then, HA_k checks the validity of the following equation: If Eq (11) does not hold, this phase is terminated; otherwise, HA_k computes as follows: Lastly, HA_k sends the message M_3 = ⟨EM_2⟩ to FA_j.
4. FA_j → MN_i: M_4 = ⟨ID_fj, FV_1, n_fj⟩
To obtain SK_fj, FA_j decrypts the received message EM_2 and computes as follows: Then, FA_j sends the message M_4 = ⟨ID_fj, FV_1, n_fj⟩ to MN_i.
5. To check the validity of the session key, MN_i computes the following equations: If Eq (17) does not hold, MN_i terminates the connection; otherwise, MN_i accepts FA_j as legitimate and authenticated.

Password change phase
MN_i inputs ID_mi, the old password PW^old_mi and a new password PW^new_mi into his/her mobile device. The mobile device then computes the following equations: Lastly, the mobile device replaces A_mi with A^new_mi.

Cryptanalysis of Chaudhry et al.'s scheme
This section consists of the cryptanalysis of Chaudhry et al.'s scheme [32].

Stolen-mobile device attack
Under the adversarial model explained above, it is assumed that A somehow acquires MN_i's mobile device, extracts the secret parameters, and captures the login request message M_1. Using the extracted parameters and the captured message, A can attempt to guess MN_i's identity and password until the correct pair is found.
As shown in [33,34,37,38,54], the identity and password can be guessed simultaneously once the user's device is stolen by A; therefore, off-line identity and password guessing attacks must be considered.
Based on [37], |D_id| ≈ |D_pw| ≈ 2^20 ≈ 10^6. The time complexity of determining an identity and a password is linear in |D_id| and |D_pw|, because the more candidates the attacker has, the more matching operations are required to find the desired value.
To demonstrate the vulnerability of Chaudhry et al.'s scheme [32] to the stolen-mobile device attack, the following scenario is used:
1. A eavesdrops a previous login message M_1 = ⟨EID_mi, MV_2, MV_3, T_mi⟩ and extracts the secret parameters ⟨A_mi, EID_mi, r_A⟩ from the mobile device.
2. A selects any of the identity and password candidates ID
5. If the comparison shows that they are equal, A has successfully guessed the correct ID_mi and PW_mi. Otherwise, A selects another identity and password, and repeats steps 3 and 4 until the correct identity and password are found.
In Chaudhry et al.'s scheme [32], the time complexity of the guessing attack is expressed in terms of T_h, the execution time of the hash operation, and T_XOR, the execution time of the exclusive-or operation: each candidate pair costs only a few hash and XOR operations, and the number of candidates is linear in |D_id| and |D_pw|. Such an attack is therefore practical for A, and their scheme is consequently vulnerable to the stolen-mobile device attack.

User impersonation attack
This subsection demonstrates how Chaudhry et al.'s scheme [32] allows A to impersonate a legal user once A has obtained MN_i's identity and password through the guessing attack of the previous subsection:
1. A obtains the secret parameters ⟨A_mi, EID_mi, r_A⟩ and correctly guesses the identity ID*_mi and password PW*_mi of MN_i by completing the stolen-mobile device attack.
2. The mobile device of A generates the random number n_ai and computes the following equation:
3. Because M*_1 passes validation, FA_j and HA_k proceed with the subsequent steps of the authentication phase. Lastly, FA_j sends the message M_4 = ⟨ID_fj, FV_1, n_fj⟩ to MN_i, but A receives M_4 and computes the following equations: If Eq (21) holds, A has successfully established a session key with FA_j.
Therefore, Chaudhry et al.'s scheme [32] is vulnerable to the user impersonation attack.

Absence of the incorrect login-input detection
Detection of incorrect login inputs must be performed at the beginning of the login phase. However, Chaudhry et al.'s scheme [32] does not support incorrect-input detection during the login and authentication phase: MN_i sends the message M_1 without verifying the correctness of ID_mi and PW_mi. Even if MN_i mistakenly enters a wrong ID'_mi and PW'_mi, the mobile device still computes the corresponding MV' values, and an invalid login request message M_1 is transmitted to HA_k through FA_j, resulting in unnecessary computation and communication costs.

Incorrectness of the password change phase
Chaudhry et al.'s scheme [32] allows the user to change his/her password without any server assistance. However, in the password change phase the mobile device does not check the correctness of the old password when MN_i enters the old and new passwords. If MN_i enters the old password incorrectly, an incorrect MV_1 is computed with Eq (18), and an incorrect A^new_mi is then computed with Eq (19). As a result, h(K_H ⊕ ID_mi) is damaged beyond restoration, and HA_k will reject MN_i in every future authentication phase.
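As an added example that is not part of the paper, the Python below models both the stolen-mobile device guessing attack of the earlier subsection and the unchecked password change described here. Because the paper's Eqs (1) to (19) are not reproduced on this page, the verifier shapes in the code (A_mi = h(K_H ⊕ ID_mi) ⊕ h(PW_mi||r_A||ID_mi) on the device, MV_3 = h(MV_1||T_mi) on the wire) are simplified stand-ins and not Chaudhry et al.'s actual equations; likewise the three-factor variant with a stored local verifier B is an assumed design in the spirit of the proposed scheme, not its Eq (28).

```python
"""Stolen-device offline guessing and the unchecked password change.

Added illustration, not the paper's code. The verifier shapes are simplified
stand-ins for Chaudhry et al.'s equations (assumed, not taken from the paper):
the device stores r_A and A = h(K_H xor ID) xor h(PW||H(BIO)||r_A||ID), with
H(BIO) = b"" in the two-factor case, and the login request carries T and
MV_3 = h(MV_1||T) where MV_1 = h(K_H xor ID). K_H xor ID is modelled as
K_H xor h(ID) so that both operands are 32 bytes."""
import hashlib
import itertools
import os


def h(*parts: bytes) -> bytes:
    """One-way hash over the concatenation of its arguments."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def register(id_: bytes, pw: bytes, k_h: bytes, bio: bytes = b"") -> dict:
    """HA_k computes the device parameters. bio=b"" models the two-factor scheme;
    a non-empty bio models the three-factor variant with a local verifier B."""
    r_a = os.urandom(16)
    mv1 = h(xor(k_h, h(id_)))  # h(K_H xor ID)
    device = {"A": xor(mv1, h(pw, bio, r_a, id_)), "r_A": r_a}
    if bio:
        device["B"] = h(id_, pw, bio, r_a)  # local check value; H(BIO) itself is never stored
    return device


def login_values(device: dict, id_: bytes, pw: bytes, t: bytes, bio: bytes = b"") -> dict:
    """Values the device puts on the public channel in M_1 (no local check)."""
    mv1 = xor(device["A"], h(pw, bio, device["r_A"], id_))
    return {"T": t, "MV_3": h(mv1, t)}


def ha_accepts(id_: bytes, k_h: bytes, m1: dict) -> bool:
    """HA_k rebuilds MV_1 from K_H and ID_mi and checks MV_3."""
    return h(h(xor(k_h, h(id_))), m1["T"]) == m1["MV_3"]


def offline_guess(device: dict, m1: dict, id_dict, pw_dict):
    """A holds {A, r_A} from the device plus an eavesdropped M_1 and tries every
    (ID, PW) pair. Returns (id, pw, hash_ops); each candidate costs two hashes
    and one XOR, so the worst case is |D_id| * |D_pw| * (2*T_h + T_XOR)."""
    ops = 0
    for cid, cpw in itertools.product(id_dict, pw_dict):
        mv1 = xor(device["A"], h(cpw, b"", device["r_A"], cid))  # A does not know H(BIO)
        ops += 2
        if h(mv1, m1["T"]) == m1["MV_3"]:
            return cid, cpw, ops
    return None, None, ops


def guessing_cost(d_id: int, d_pw: int, t_h: float, t_xor: float) -> float:
    """Worst-case cost of offline_guess for the given dictionary sizes."""
    return d_id * d_pw * (2 * t_h + t_xor)


def change_password_unchecked(device: dict, id_: bytes, old_pw: bytes,
                              new_pw: bytes, bio: bytes = b"") -> None:
    """Chaudhry-style change: old_pw is never verified, so a mistyped old_pw
    yields a wrong MV_1 and A is overwritten with an unrecoverable value."""
    mv1 = xor(device["A"], h(old_pw, bio, device["r_A"], id_))
    device["A"] = xor(mv1, h(new_pw, bio, device["r_A"], id_))


def local_check(device: dict, id_: bytes, pw: bytes, bio: bytes) -> bool:
    """Incorrect-input detection before anything leaves the device."""
    return h(id_, pw, bio, device["r_A"]) == device["B"]


def change_password_checked(device: dict, id_: bytes, old_pw: bytes,
                            new_pw: bytes, bio: bytes) -> bool:
    """Verify the old password through B first; refuse and leave A intact otherwise."""
    if not local_check(device, id_, old_pw, bio):
        return False
    change_password_unchecked(device, id_, old_pw, new_pw, bio)
    device["B"] = h(id_, new_pw, bio, device["r_A"])
    return True


if __name__ == "__main__":
    k_h = os.urandom(32)
    dev = register(b"alice", b"hunter2", k_h)  # constructed sample user
    m1 = login_values(dev, b"alice", b"hunter2", b"T1")
    print("two-factor guess  :", offline_guess(dev, m1, [b"bob", b"alice"], [b"123456", b"hunter2"]))
    bio = os.urandom(16)  # stand-in for a bio-hash output
    dev3 = register(b"alice", b"hunter2", k_h, bio)
    m1 = login_values(dev3, b"alice", b"hunter2", b"T2", bio)
    print("three-factor guess:", offline_guess(dev3, m1, [b"alice"], [b"hunter2"]))
```

With the dictionary sizes cited above (2^20 identities and 2^20 passwords), guessing_cost gives 2^41 hash operations in the worst case, which is well within reach of a determined adversary rather than a security margin. Folding H(BIO) into the mask and never storing it leaves the same adversary with nothing to test candidates against, and the same verifier B lets the device reject a mistyped old password before A_mi is overwritten.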

No provision for revocation
The revocation of a stolen or lost mobile device is essential for the practical deployment of smart-card-based authentication schemes [55]. If a legal MN_i's mobile device is lost or stolen, a mechanism must be in place to prevent its misuse. To address this problem, the server needs to maintain identity information that serves as the basis for detecting the invalid mobile device [56]. However, Chaudhry et al.'s scheme [32] does not take this feature into consideration.

Proposed scheme
This section presents the improved anonymous biometrics-based authentication scheme for roaming in ubiquitous networks. The proposed scheme consists of the following four phases: (1) registration, (2) login and authentication, (3) password change, and (4) mobile-device revocation.

Registration phase
The registration phase for the mobile user MN_i, illustrated in Fig 3, involves the following steps:
2. HA_k → MN_i: ⟨PID_mi, A_mi, B_mi, r_A⟩
HA_k generates r_A and r_D, and computes the following equations: If MN_i is a new user, HA_k sets I_mi to zero; otherwise, I_mi = I_mi + 1. HA_k then stores I_mi, PID_mi, and RID_mi as a tuple in its database, and sends ⟨PID_mi, A_mi, B_mi, r_A⟩ to MN_i via a secure channel.
3. MN_i stores all of the received parameters in the mobile device.

Login and authentication phase
In this phase, MN_i and FA_j perform a mutual authentication to establish a session key with the support of MN_i's HA_k. It is assumed here that each pair of FA_j and HA_k shares the pre-shared key K_F,H. The details of the login and authentication procedure, illustrated in Fig 4, are as follows:
1. MN_i → FA_j: M_1 = ⟨PID_mi, MV_2, MV_3, ID_hk⟩
MN_i enters his/her ID_mi, PW_mi, and BIO_mi, and the mobile device computes as follows: The mobile device then checks the validity of: If Eq (28) does not hold, the login request is rejected locally. Otherwise, MN_i generates n_mi and computes the following equations: MN_i then sends the login request message M_1 = ⟨PID_mi, MV_2, MV_3, ID_hk⟩ to FA_j.
2. FA_j → HA_k: M_2 = ⟨ID_fj, FV_2, FV_3, M_1⟩
FA_j generates the random number n_fj and computes the following equations: FA_j sends the message M_2 = ⟨ID_fj, FV_2, FV_3, M_1⟩ to HA_k.
3. HA_k → FA_j: M_3 = ⟨PID^new_mi, HV_1, HV_2⟩
HA_k checks ID_fj to find the corresponding K_F,H and computes the following equations: If Eq (37) does not hold, this phase is terminated; otherwise, HA_k accepts FA_j as legitimate. HA_k then computes the following equations: If Eq (41) does not hold, this phase is terminated; otherwise, HA_k accepts MN_i as legitimate. HA_k then generates r^new_D and computes the following equations: HA_k then replaces PID_mi with PID^new_mi and sends the message M_3 = ⟨PID^new_mi, HV_1, HV_2⟩ to FA_j.
4. FA_j → MN_i: M_4 = ⟨PID^new_mi, ID_fj, FV_4⟩
FA_j computes the following equations: If Eq (47) does not hold, FA_j terminates the connection; otherwise, FA_j computes the following equation: FA_j then sends the message M_4 = ⟨PID^new_mi, ID_fj, FV_4⟩ to MN_i.

5. MN_i computes the following equations to check the validity of the session key:
If Eq (51) If Eq (57) does not hold, MN_i terminates this phase; otherwise, MN_i computes the following equations:

Mobile device revocation phase
To recover a stolen/lost mobile device or a long-term key of MN i , the mobile device revocation mechanism that is illustrated in Fig 6 is

Security analysis
In this section, a security analysis of the proposed scheme is performed using formal and informal verification methods. The formal analysis is conducted with an automatic analysis tool named ProVerif and with the random oracle model.

Formal verification using ProVerif
ProVerif is an automatic tool for analyzing cryptographic protocols in the formal (Dolev-Yao) model. It supports a wide range of cryptographic primitives defined by rewrite rules or equations, such as asymmetric and symmetric encryption/decryption, digital signatures, and hash functions, and it can prove security properties such as secrecy, authentication, and process equivalences for an unbounded number of sessions and an unbounded message space [57].
The verification structure of ProVerif is illustrated in Fig 7. ProVerif takes as input a protocol description written in a dialect of the applied pi calculus, an extension of the pi calculus for describing and analyzing protocols, together with the security properties to be proven.
It translates the protocol description into Horn clauses and the security properties into derivability queries on these clauses, and it determines whether a fact can be derived from the clauses using a resolution algorithm with free selection. If the fact is not derivable, the corresponding security property is proved. If the fact is derivable, the protocol may be vulnerable to an attack against that property; the derivation corresponds either to a real attack or to a false attack, since protocol verification for an unbounded number of sessions is undecidable.
Recently, many researchers [58][59][60][61] have used ProVerif to verify the security of the schemes for the key agreement and authentication. In this section, the security of the proposed scheme is proven using ProVerif, where the ProVerif code is introduced as a description of the proposed scheme, and the analysis results are then provided.
The definitions for the processes of the proposed scheme are shown in Fig 8, where the following identifiers are used: "cha" denotes the private channel between MN_i and HA_k; "chb" and "chc" denote the public channels between MN_i and FA_j and between FA_j and HA_k, respectively; "IDmi", "PWmi", and "BIOmi" denote the private identity, password, and biometrics of MN_i, respectively; "IDfj" and "IDhk" denote the public identities of FA_j and HA_k, respectively; "KH" denotes HA_k's private key; "KFH" denotes the pre-shared key between FA_j and HA_k; "SKfj" denotes the session key generated by HA_k and transmitted to FA_j; and "SKmi" denotes the session key computed by MN_i. The constructors for concatenation, symmetric encryption, exclusive-or, the one-way hash, and the bio-hash are defined in lines 18 to 22, and the destructors for symmetric decryption and exclusive-or in lines 23 and 24. In lines 26 to 31, six events marking the start and end of each node's run are defined so that the correspondence relations between the messages of each node can be verified. The code modelling the adversary's capabilities and the queries for the inter-process correspondences is shown in Fig 12: lines 103 and 104 query whether the session keys SKfj and SKmi remain secret from the adversary, and lines 105 to 107 verify the inter-node correspondences to check that the proposed scheme executes in the correct order.
When the code defining the elements needed to configure the protocol is run, ProVerif prints the results in the following format: Executing the ProVerif code for the security and authentication verification of the proposed scheme produces the result shown in Fig 13, which confirms all of the events and queries. That is, mutual authentication is achieved for all of the authentication factors among MN_i, FA_j, and HA_k, as defined by the events above. Furthermore, the session keys of the proposed scheme are kept secret from the adversary; therefore, the proposed scheme can be considered secure against the modelled attacks.

Formal verification using the random oracle model
In this section, the formal security analysis of the proposed scheme is demonstrated using the random oracle model. For this, we define a hash function and a symmetric cryptosystem as follows:
Definition 1. A hash function $h: \{0,1\}^* \to \{0,1\}^n$ is a one-way function that takes an input $x \in \{0,1\}^*$ of arbitrary length and outputs a fixed-length bit string $h(x) \in \{0,1\}^n$, and it satisfies the following three security requirements:
• Given $y$, it is computationally infeasible to find an input $x$ such that $y = h(x)$.
• Given $x$, it is computationally infeasible to find another input $x' \neq x$ such that $h(x') = h(x)$.
• It is computationally infeasible to find a pair of inputs $(x, x')$ with $x \neq x'$ such that $h(x) = h(x')$.
Definition 2. A symmetric cryptosystem consists of a key space KSPC(k), a message space MSPC, and the following two algorithms:
• E, the encryption algorithm, is a deterministic algorithm that takes a pair of strings a and x and produces y = E_a(x).
• D, the decryption algorithm, is a deterministic algorithm that takes a pair of strings a and y and outputs the string x = D_a(y). It is required that for any k ∈ N, if a ∈ KSPC(k), x ∈ MSPC, and y = E_a(x), then D_a(y) = x.
Theorem 1. Under the assumption that the one-way hash function and the symmetric cryptosystem behave like random oracles, the proposed scheme is provably secure against A with respect to the protection of the identity ID_mi of MN_i and the private key K_H of HA_k.
Reveal: Given the hash result y = h(x), this random oracle unconditionally outputs the input x.
Extract: Given the ciphertext C = E_{K_x}(P), this random oracle unconditionally outputs the plaintext P.
Proof. A method for the formal security proof that is similar to that used in [62][63][64] is applied in the proposed scheme. For the proof, it is assumed that A is able to derive ID mi and K H . For this, A runs the experimental algorithm that is shown in Algorithm 1, EXP1 IAUA S;A HASH;SYMM for the proposed improved and anonymous user authentication scheme, called IAUAS. The success probability of EXP1 IAUA S;A HASH;SYMM is defined by the following equation: The advantage function for this experiment becomes as following equation: in which the maximum is determined by all of A with the execution time t and the number of queries q R and q E that are made to the Reveal and Extract oracles, respectively. If A is able to An improved anonymous authentication scheme for roaming in ubiquitous networks invert the hash function and the symmetric cryptography that are provided in Definitions 1 and 2, A can directly derive ID mi and K H . Consider the attack experiment that is shown in Algorithm 1. In this case, A will discover the complete connections between all of the participants. However, it is computationally infeasible to invert the input from the given hash and encrypted values, i.e.,  An improved anonymous authentication scheme for roaming in ubiquitous networks Adv1 IAUAS;A HASH;SYMM ðt; q R ; q E Þ is also negligible. As a result, A cannot compute the ID mi and K H and the proposed scheme is provably secure against A for the deriving of them.
Algorithm 1 (final steps):
11. Accept $K'_H$ as the correct secret key $K_H$ of $HA_k$.
12. Accept $ID'_{mi}$ as the correct identity $ID_{mi}$ of $MN_i$.

Informal verification
In this section, we perform an informal security analysis of the proposed scheme to show that it is secure against various security threats. According to the adversarial model described in the preliminary knowledge section, A can perform the following attacks to undermine the security of the proposed scheme.

ii. If A obtains a stolen or lost mobile device of a user in some way, he/she is able to extract $PID_{mi}$, $A_{mi}$, $B_{mi}$, and $r_A$ from the device using side-channel attacks [33,34].
iii. A has the ability to mount an offline guessing attack within polynomial time and can try to threaten the privacy of the user by enumerating the eavesdropped messages and the extracted parameters.

Table 2 summarizes the comparison of the proposed scheme with the related schemes [26][27][28][29][32].

User anonymity
In the proposed scheme, the pseudo-identity $PID_{mi} = E_{h(K_H)}(ID_{mi} \| r_D)$, which varies each session through $r_D$, is used. After $MN_i$ is authenticated by $HA_k$ in Eq (41), $HA_k$ replaces the existing $PID_{mi}$ with a new $PID^{new}_{mi}$ using a new $r^{new}_D$. Then, $PID^{new}_{mi}$, encrypted with $HA_k$'s private key $K_H$, is transmitted to $MN_i$ in Eq (42). Therefore, even if A obtains $PID_{mi}$ by eavesdropping on the public messages or by extracting the secret parameters stored in the mobile device, the proposed scheme guarantees user anonymity because it is not possible for A to learn the real identity $ID_{mi}$ of $MN_i$.

User untraceability
In the login and authentication phase, $MN_i$ sends $PID_{mi}$, $MV_2$, and $MV_3$ via a public channel. They contain $n_{mi}$ and $r_D$, which change for each session. That is, A cannot trace $MN_i$'s actions in the proposed scheme because these parameters are computed each time with a different value. Therefore, the proposed scheme ensures user untraceability.

Stolen-mobile device attack
With the proposed scheme, A needs to know $K_H$ to guess $ID_{mi}$ and $PW_{mi}$; however, $K_H$ is neither stored in the mobile device directly nor transmitted via the public channel as plaintext. Also, even if A finds this value somehow, he/she still cannot guess $PW_{mi}$ without $H(BIO_{mi})$, which is unique to $MN_i$ alone. Therefore, the proposed scheme withstands the stolen-mobile device attack.

Mutual authentication
In the proposed scheme, $MN_i$ and $FA_j$ authenticate each other with the assistance of $HA_k$. Only a legitimate $MN_i$ can compute $MV_1$, which A cannot compute because of $PWB_{mi}$. Accordingly, $HA_k$ authenticates only the legitimate $MN_i$ using Eq (41). Also, only the legitimate $HA_k$ is authenticated by $MN_i$ through the verification of $FV_4^* \stackrel{?}{=} FV_2$, as shown in Eq (51). Only $FA_j$ and $HA_k$, which share $K_{F,H}$, can verify each other using the same key to compute valid messages, and only they can compute and obtain a valid session key, $SK$. Therefore, the adversary or invalid participants cannot carry out the login and authentication phase. Furthermore, $FA_j$ authenticates $HA_k$ by performing Eq (47). After it receives $M_4$, $MN_i$ can verify that $FV_4^* \stackrel{?}{=} FV_4$ using Eq (51) to authenticate $FA_j$ and to establish the session key, $SK$. Therefore, the proposed scheme achieves mutual authentication.

Session key agreement
After the login and authentication process, $FA_j$ receives $HV_1$ and obtains the session key $SK_{fj}$ from $HA_k$, and $MN_i$ generates the session key $SK_{mi}$. As a result, only the legitimate $MN_i$ and $FA_j$ establish the same session key $SK_{mi} = h(MV_1 \| ID_{mi} \| ID_{fj} \| n_{mi}) = SK_{fj}$. Therefore, the proposed scheme provides secure session key agreement.

User impersonation attack
With the proposed scheme, the user impersonation attack is prevented by the mutual authentication, local user-verification process, and prevention of the stolen-mobile-device attack. Furthermore, the proposed scheme provides a secure session key agreement. Therefore, the proposed scheme ensures the prevention of the user impersonation attack.

Replay attack
A might replay an old login request message $M_1$ to $FA_j$ and receive the message $M_4$ from $FA_j$. However, A still cannot compute the correct session key $SK$, as he/she is not capable of computing $ID_{mi}$ and $n_{mi}$ without $K_H$. Furthermore, A cannot derive the session key $SK$ without $K_{F,H}$. Therefore, the proposed scheme is secure against the replay attack.

Local user verification process
With the proposed scheme, the mobile device verifies the legitimacy of the user. Only a user who enters the correct $ID_{mi}$, $PW_{mi}$, and $BIO_{mi}$ can pass the user-verification process, as given by Eq (28). In addition, since each individual user's $BIO_{mi}$ is unique, A cannot attempt illegal access.

Stolen-verifier attack
In the login and authentication phase of the proposed scheme, $HA_k$ neither stores nor receives any of the credentials of $MN_i$, such as $PW_{mi}$ and $H(BIO_{mi})$. $HA_k$ does retain $RID_{mi}$ in its database; however, A cannot learn the real identity of $MN_i$ even if A steals the user registration information from $HA_k$'s database. Therefore, the proposed scheme withstands the stolen-verifier attack.

Privileged-insider attack
In the registration phase of the proposed scheme, $MN_i$ sends $ID_{mi}$ and $PWB_{mi}$ to $HA_k$. Here, $PWB_{mi}$ contains $H(BIO_{mi})$, so an insider of $HA_k$ cannot derive $MN_i$'s password $PW_{mi}$ and therefore cannot impersonate $MN_i$ to access $FA_j$. Furthermore, $MN_i$ can change his/her password, $PWB_{mi}$, without the assistance of $HA_k$ in the password change phase. Since it is not possible for the insider to learn $MN_i$'s password $PW_{mi}$, the proposed scheme resists the privileged-insider attack.

User-friendly password change
Generally, it is recommended that the password change process be performed without any server involvement, which provides user-friendliness and improves computational efficiency. In the password change phase of the proposed scheme, the existing user password is self-verified on the user's mobile device, and it is replaced by the new password only if it passes the verification. Therefore, the proposed scheme supports an efficient password change phase.

Forward secrecy
In the proposed scheme, even if the session key generated between the participants is compromised by A, he/she cannot recover any earlier session keys because the session key $SK_{mi} = h(MV_1 \| ID_{mi} \| ID_{fj} \| n_{mi}) = SK_{fj}$ is different each time. Consequently, there is no significant correlation between the past, current, and future session keys. Therefore, the proposed scheme ensures forward secrecy.

Foreign bypass attack
During the authentication phase of the proposed scheme, A may try to construct the messages $M_1$ and $M_2$ from the parameters stored in a stolen mobile device and those transmitted over the public channel in order to impersonate a legitimate $FA_j$. However, A cannot compute $FV_1$, because $K_{F,H}$ is not public information. Thus, A cannot construct a message sufficient to deceive $HA_k$, and so A is unable to impersonate a valid $FA_j$.

Does not need time synchronization
In many authentication schemes, timestamps are used to resist the replay attack. However, when a timestamp is used in the authentication scheme, the clocks of $MN_i$ and $HA_k$ must be synchronized beforehand, and a time-synchronization error may occur in the synchronization process. To avoid this problem, the proposed scheme uses only a random-number-based authentication mechanism instead of timestamps.

Provision of the revocation phase
In the proposed scheme, if $MN_i$'s mobile device is stolen or lost, or a secret parameter or authentication factor is revealed, $HA_k$ can issue new secret parameters to $MN_i$ for recovery. $HA_k$ retains in its database $RID_{mi}$, which is the encryption of the real identity of $MN_i$. When $HA_k$ receives a revocation request with $ID_{mi}$ from $MN_i$, $HA_k$ computes $RID^{old}_{mi} = E_{K_H}(ID_{mi})$ and compares it with the existing $RID_{mi}$ stored in the database to verify that $MN_i$ is registered and legitimate. Therefore, the proposed scheme can cope with unexpected problems by supporting the revocation phase.
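As an added example (not code from the paper or its authors), the following Go program models the two uses of $E$ described in the user-anonymity and revocation passages above: $HA_k$ issues the pseudo-identity $PID_{mi} = E_{h(K_H)}(ID_{mi} \| r_D)$ with a fresh $r_D$ and is the only party that can map it back to $ID_{mi}$, and it recomputes $RID_{mi} = E_{K_H}(ID_{mi})$ to check a revocation request against the stored value. The paper fixes no concrete cipher; here $E$ is AES-GCM with a random nonce for the PID and an HMAC-derived (synthetic) nonce for the RID so that the stored-value comparison works, $h$ is SHA-256, and $K_H$, $ID_{mi}$ and the wire format are constructed sample values. All of these are assumptions of the example, not the paper's choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// r_D is a 64-bit random number, the length the communication-cost analysis assumes.
const rDLen = 8

// newAEAD wraps a 16/24/32-byte key in AES-GCM (our assumption; the paper only writes E_k).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// pidKey is h(K_H), the key under which PID_mi is encrypted (h modelled as SHA-256).
func pidKey(kH []byte) []byte { s := sha256.Sum256(kH); return s[:] }

// IssuePID computes PID_mi = E_{h(K_H)}(ID_mi || r_D) with a fresh r_D; HA_k uses it at
// registration and again after each authentication. Wire format (assumption): nonce || ct || tag.
func IssuePID(kH, id []byte) ([]byte, error) {
	aead, err := newAEAD(pidKey(kH))
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	buf := make([]byte, n+rDLen) // fresh nonce followed by fresh r_D
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	nonce, rD := buf[:n:n], buf[n:]
	pt := append(append([]byte{}, id...), rD...)
	return append(nonce, aead.Seal(nil, nonce, pt, nil)...), nil
}

// ResolvePID is HA_k's side: only the holder of K_H recovers ID_mi and r_D from a PID.
func ResolvePID(kH, pid []byte) (id, rD []byte, err error) {
	aead, err := newAEAD(pidKey(kH))
	if err != nil {
		return nil, nil, err
	}
	n := aead.NonceSize()
	if len(pid) < n {
		return nil, nil, fmt.Errorf("PID too short")
	}
	pt, err := aead.Open(nil, pid[:n], pid[n:], nil)
	if err != nil {
		return nil, nil, err // wrong K_H or tampered PID
	}
	if len(pt) < rDLen {
		return nil, nil, fmt.Errorf("malformed PID plaintext")
	}
	return pt[:len(pt)-rDLen], pt[len(pt)-rDLen:], nil
}

// ComputeRID computes RID_mi = E_{K_H}(ID_mi). The revocation check compares a recomputed value
// with the stored one, so E must be deterministic: the nonce is HMAC(K_H, ID_mi) (synthetic IV).
func ComputeRID(kH, id []byte) ([]byte, error) {
	aead, err := newAEAD(kH)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, kH)
	mac.Write(id)
	return aead.Seal(nil, mac.Sum(nil)[:aead.NonceSize()], id, nil), nil
}

// VerifyRevocationRequest recomputes RID^{old}_mi from the claimed ID_mi and compares it in
// constant time with the RID_mi kept in HA_k's database.
func VerifyRevocationRequest(kH, claimedID, storedRID []byte) (bool, error) {
	rid, err := ComputeRID(kH, claimedID)
	if err != nil {
		return false, err
	}
	return hmac.Equal(rid, storedRID), nil
}

func main() {
	kH := bytes.Repeat([]byte{0x42}, 32) // constructed sample K_H (32 bytes, AES-256)
	id := []byte("MN-0001")             // constructed sample ID_mi
	pid1, _ := IssuePID(kH, id)
	pid2, _ := IssuePID(kH, id) // PID^{new}_mi issued after one authentication
	got, _, _ := ResolvePID(kH, pid2)
	rid, _ := ComputeRID(kH, id) // stored at registration
	ok, _ := VerifyRevocationRequest(kH, id, rid)
	fmt.Printf("PIDs differ: %v, resolves to ID_mi: %v, revocation accepted: %v\n",
		!bytes.Equal(pid1, pid2), bytes.Equal(got, id), ok)
}
```

Running the program shows that two PIDs issued for the same $MN_i$ differ (untraceability) while both resolve to the same $ID_{mi}$ under $K_H$, and that a revocation request carrying a different identity is rejected. The deterministic nonce in ComputeRID is what makes $RID_{mi}$ comparable across time; it is acceptable only because each distinct $ID_{mi}$ yields a distinct nonce, whereas the PID must use a fresh nonce and a fresh $r_D$ so that successive pseudo-identities are unlinkable.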

Performance analysis
In this section, we compare the computational and communication costs of the proposed scheme with those of the related schemes [27][28][29][30][31][32].

Comparisons of the computational costs
We consider four cryptographic operations: the hash function $T_h$, the symmetric en/decryption $T_s$, the ECC-based asymmetric en/decryption $T_e$, and the modular exponentiation $T_m$. The authors of [66] measured the approximate execution time of each cryptographic operation on the following platform: Intel(R) Core(TM)2 T6570 2.1 GHz CPU, 4 GB memory, Windows 7 32-bit, and Visual C++ 2008 with the MIRACL C/C++ library. They considered the 1024-bit Rivest-Shamir-Adleman (RSA) algorithm, the 320-bit ECC algorithm, the 128-bit Advanced Encryption Standard (AES) algorithm, and the 160-bit Secure Hash Algorithm 1 (SHA-1) hash function; the experimental results are $T_m \approx 1.8269$ ms, $T_e \approx 1.6003$ ms, $T_s \approx 0.1303$ ms, and $T_h \approx 0.0004$ ms, respectively. The registration and password change phases were excluded from the comparison because the registration phase of the mobile node occurs only once and the password change phase is executed entirely within the MN. Therefore, only the login and authentication phase was considered, because this phase occurs frequently during the intercommunication between participants when the mobile node accesses the ubiquitous network and roaming occurs. Table 3 lists the computational costs of this phase: 3.6543 ms, 7.3081 ms, 0.5217 ms, 3.6543 ms, 6.9232 ms, and 0.6519 ms, respectively. Table 3 highlights that the computational cost of the proposed scheme is the lowest in comparison with the related schemes.

Comparisons of the communication costs
For the communication costs, a comparison of the login and authentication phases was performed with reference to [67,68], and it is assumed that the lengths of the identity, random number, and timestamp are 128 bits, 64 bits, and 32 bits, respectively. The hash function and the symmetric-key encryption produce 160 bits and 256 bits, respectively. For the asymmetric-key encryption, the modular prime operation and the scalar multiplication on the elliptic curve produce 1024 bits and 320 bits, respectively. Table 4 shows the comparison of the communication costs. In addition, the related schemes are insecure, as previously mentioned. Therefore, the proposed scheme is a more practical option for the ubiquitous network environment.

Conclusion
In this paper, Chaudhry et al.'s authentication scheme for roaming in ubiquitous networks is reviewed, and the scheme's ongoing vulnerability to several attacks is proven; furthermore, the improved proposed scheme resolves the security issues of Chaudhry et al.'s scheme. To demonstrate the security of the proposed scheme, informal and formal analyses were performed using the random oracle model and the automated verification tool, ProVerif. Also, the performance evaluation that was conducted with related works shows that the proposed scheme is suitable for resource-constrained ubiquitous environments.