An enhanced password authentication scheme for session initiation protocol with perfect forward secrecy

The Session Initiation Protocol (SIP) is an extensive and esteemed communication protocol employed to regulate signaling as well as for controlling multimedia communication sessions. Recently, Kumari et al. proposed an improved smart card based authentication scheme for SIP based on Farash’s scheme. Farash claimed that his protocol is resistant against various known attacks. But, we observe some accountable flaws in Farash’s protocol. We point out that Farash’s protocol is prone to key-compromise impersonation attack and is unable to provide pre-verification in the smart card, efficient password change and perfect forward secrecy. To overcome these limitations, in this paper we present an enhanced authentication mechanism based on Kumari et al.’s scheme. We prove that the proposed protocol not only overcomes the issues in Farash’s scheme, but it can also resist against all known attacks. We also provide the security analysis of the proposed scheme with the help of widespread AVISPA (Automated Validation of Internet Security Protocols and Applications) software. At last, comparing with the earlier proposals in terms of security and efficiency, we conclude that the proposed protocol is efficient and more secure.


Introduction
The Session Initiation Protocol (SIP) is an important and popular communications protocol for signaling and controlling multimedia communication sessions in applications including Internet telephony for voice and video calls, private IP telephone systems, as well as instant messaging over Internet Protocol (IP) networks [1,2]. Up to now, SIP has gained the attention of extensive scholastic community.
The first authentication scheme for SIP, based on Hypertext Transfer Protocol (HTTP) digest authentication, was proposed by Franks et al. [3] in 1999. In 2005, Yang et al. [4] pointed out that the scheme of Franks et al. [3] cannot resist the off-line password guessing attack and the server impersonation attack. Subsequently, Yang et al. [4] presented a new scheme to cope with the aforementioned issues in [3]. However, Huang et al. [5] proved that [...] user anonymity and is also vulnerable to replay attack. Thereupon, Chaudhry et al. [38] proposed an anonymous authenticated key agreement scheme while claiming that it is more secure and suitable for all lightweight environments. Recently, Kumari et al. [39] also analyzed Farash's protocol [37] and showed that it is vulnerable to user impersonation attack, password guessing attack and session-specific temporary information leakage attack, and fails to provide user anonymity. Furthermore, Kumari et al. [39] proposed an improved protocol, and showed that their protocol is not only robust against all known attacks, but is also lightweight as compared to Farash's protocol [37]. From the above analysis, one can observe that most of these protocols still have some security loopholes and do not really reach the security expected of an authentication protocol. Accordingly, it is still a challenging academic topic to design a more secure and efficient authentication and key agreement protocol for SIP.

Contribution of this paper
The positional relation of the proposed scheme and related research is depicted in Fig 1. The contributions of this paper are listed as follows:
• We concentrate on analyzing the security of Kumari et al. [39]'s authentication scheme for SIP, and point out that Kumari et al. [39]'s scheme fails to provide pre-verification, local password change in the smart card and perfect forward secrecy, and is also susceptible to key-compromise impersonation attack.
• To overcome the aforementioned limitations, we propose an improved scheme that maintains the benefits of the original schemes at the cost of a slight increase in computation by employing a "Fuzzy-Verifier" [40]. Besides, we prove that our scheme provides various security features including perfect forward secrecy and resistance against key-compromise impersonation attack, etc.
• We use the AVISPA tool to prove that the proposed scheme satisfies mutual authentication and session key secrecy.
• We provide security and performance comparisons with various relevant schemes. They illustrate that the proposed scheme is efficient and more secure than the prevalent schemes.

Organization of this paper
The remainder of this paper is organized as follows: Section "Preliminaries" introduces some notations, associated difficult problems based on ECC and adversary model used in this paper. The review and cryptanalysis of Kumari et al. [39]'s scheme is detailed in Section "Review of Kumari et al.'s scheme" and Section "Cryptanalysis of Kumari et al.'s scheme", respectively. Section "The enhanced scheme for SIP" provides our proposed scheme. Section "Security analysis of the enhanced scheme" and Section "Formal security validation using AVISPA tool" highlight an informal and formal security analysis of our scheme, respectively. The performance and functionality comparison is presented in Section "Comparative analysis of performance". At last, we provide concluding remarks in Section "Conclusion".

Preliminaries
In this section, we describe some notations, the definitions of the one-way hash function and of the hard problems related to Elliptic Curve Cryptography (ECC), and the capabilities of the adversary in this paper. Some notations used in this paper are listed in Table 1.

Intractable problems
In ECC, the elliptic curve equation is defined in the form $E_p(a, b): y^2 = x^3 + ax + b \pmod{p}$ over a finite field $F_p$, where $a, b \in F_p$ and $4a^3 + 27b^2 \neq 0 \pmod{p}$.
Definition 2 (ECDLP) For a given generator $P$ and $Q = mP$ in $E_p(a, b)$, where $m$ is randomly selected from $F_p$ and $p$ is a sufficiently large prime, it is computationally hard for a probabilistic polynomial time (PPT) adversary A to calculate the secret value $m \in F_p$ such that $Q = mP$.
Definition 3 (ECCDHP) For given points $mP, nP \in E_p(a, b)$, computing $mnP$ is computationally infeasible for a probabilistic polynomial time (PPT) adversary A.

Adversary model
Throughout this paper, according to [40-43], the capabilities of the adversary A are summarized as follows:
3. The adversary A can list all pairs of $(ID_i, PW_i)$ from $(D_{PW}, D_{ID})$ in polynomial time, where $D_{PW}$ and $D_{ID}$ denote the space of passwords and the space of identities, respectively.
4. The adversary A can either intercept the password of the user via a malicious device or extract the parameters from the smart card, but not both.
5. While evaluating forward secrecy, the adversary A can obtain the server's private key or compromise the user's password.
6. When it comes to key-compromise impersonation attack, we assume that A knows the long-term private key of the server.

System setup phase
The server S chooses an elliptic curve $E$ over the finite field $F_q$, an additive group $G$ of order $p$ with $P$ as generator, a one-way hash function $h(\cdot)$ and a secret key $k_s \in Z_p^*$, and computes its public key $Q = kP$. At last, S publishes its public parameters $\{E(F_q), P, p, Q, h(\cdot)\}$, and keeps $k_s$ as its long-term private key.

Registration phase
In this phase, the user U is registered as a legal user by executing the following steps over the secure channel:
Step 1: User U selects his identity $ID$, password $PW$ and a random number $a_u \in Z_p^*$. Then, he computes $VPW = h(ID \| PW \| a_u)$ and sends the registration request message $\{ID, VPW\}$ to server S.
Step 2: After receiving the request message $\{ID, VPW\}$, S calculates $r_u = (VPW + h(ID \| k_s))P$, and stores $r_u$ in a new smart card SC. Also, S issues $SC = \{r_u, Q = k_s P, h(\cdot)\}$ to U.
Step 3: Upon receiving the new smart card SC, U inserts $a_u$ in SC. Finally, $SC = \{r_u, Q = k_s P, a_u, h(\cdot)\}$ and U is thus registered as a legal user.

Login and mutual authentication phase
In this phase, user U establishes the session key with server S as follows:
Step 1: U inserts his smart card SC into a card reader and inputs his identity $ID$ and password $PW$.
Step 2: U selects a random number $b \in Z_p^*$, and computes $bP$, $V = bQ$, $W_u = b(r_u - VPW \cdot P)$. U further calculates $f_u = ID \oplus V_x$, $z_u = h(ID \| bP \| V_y \| W_u)$, where $V_x$, $V_y$ are the $x$-th and $y$-th components of $V$, respectively. At last, U sends the login request message $\{f_u, bP, z_u\}$ to S.

Password changing phase
In this phase, U can change his password by interacting with the server S. After U establishes the session key sk with S, U changes his password by performing the following steps: Step

Cryptanalysis of Kumari et al.'s scheme
Kumari et al. [39] claimed that their scheme can resist many known attacks. However, we explain minutely that the scheme of Kumari et al. not only fails to provide pre-verification in smart card, perfect forward secrecy and efficient password changing, but also fails to resist key-compromise impersonation attack in the following subsections. Actually, the above functions are fundamental and crucial to authentication scheme for session initiation protocol. Accordingly, these imply that their scheme is still unsuitable for the practical session initiation protocol.

Pre-verification in smart card
When a user inputs her/his password and identity and the smart card verifies their correctness, the respective protocol is said to provide pre-verification in the smart card. Kumari et al.'s scheme does not provide such a mechanism.
In the login phase of Kumari et al.'s scheme, the smart card is unable to provide any verification for the password and identity information of user because there is no verified information in smart card. If the user inputs the wrong password and identity or an adversary A performs this step, the smart card fails to check this problem. Until the server finds the incorrectness of the login, the session will not be terminated. In this case, it increases computational cost of server. Consequently, Kumari et al.'s scheme is unable to provide the pre-verification in smart card.

Key-compromise impersonation attack
Let us consider the scenario in which the long-term private key of server S is compromised. An adversary A can then certainly impersonate the legal server to a legitimate user; but if A cannot impersonate the legal user to the corresponding server, we say that the protocol resists key-compromise impersonation attack. Unfortunately, Kumari et al.'s scheme is unable to withstand this attack. Now, let's execute the following steps to attack their scheme.
Step 1: Firstly, the adversary A gets some useful information $\{r_u, kP, a_u\}$ stored in the smart card utilizing the side-channel attack [41]. A then captures the login request message $\{f_u, bP, z_u\}$ of the user. If the long-term private key $k$ of S is revealed to A, A computes $V = k(bP)$, and further calculates the real identity
Step 2: On receiving the request message, S then computes This infers that the illegal user A is successfully authenticated by server S. S further chooses a random number $c \in Z_p^*$ and calculates $sk = h(w_u^* \| b'P \| kP \| V' \| c \| ID)$, $Auth_s = h(c \| sk)$. Finally, the server S returns the message $\{c, Auth_s\}$ to A.
Step 3: On receiving the challenge message from the server, A computes If it holds, then A calculates $Auth'_u = h(ID \| c+1 \| sk')$ and sends the response message $\{Auth'_u\}$ to S.
Step 4: Upon getting the response message, S computes $Auth_u^* = h(ID \| c+1 \| sk)$ and checks whether $Auth_u^* = Auth'_u$. We know that it is obvious. Therefore, the server S undoubtedly believes that it has successfully established the session key $sk$ with the legal user. Actually, the server suffers from the key-compromise impersonation attack.
Accordingly, we infer that Kumari et al.'s scheme fails to resist key-compromise impersonation attack.

Perfect forward secrecy
When the long-term private key $k$ is compromised by the adversary A, A will execute the following steps to attack Kumari et al.'s scheme.
Step 1: A intercepts the login request message $\{f_u, bP, z_u\}$ of the user. Afterwards, A computes $V = k(bP)$ and obtains $\{V_x, V_y\}$.
Step 2: A gets $ID = f_u \oplus V_x$ and further computes $w_u^* = h(ID \| k)bP$.
Step 3: A captures the challenge request message $\{c, Auth_s\}$ of server S and calculates Afterwards, the adversary A obtains the current session key $sk$ when the long-term private key $k$ is revealed to A, and thus the whole session is completely exposed to A.
Therefore, Kumari et al.'s scheme fails to provide the perfect forward secrecy.

Efficient password changing
In the password changing phase of Kumari et al.'s scheme, if the user U wants to change her/his password, she/he must first establish the session key with the server. In this way the communication and computational overhead is increased to a large extent.

The enhanced scheme for SIP
In this section, we present an improved scheme based on Kumari et al.'s scheme. Our proposed scheme not only overcomes the limitations of Kumari et al.'s scheme but also achieves mutual authentication and resists various known attacks. Specifically, we employ a public-key primitive to intrinsically protect the identity of the user and provide perfect forward secrecy. In the registration phase, the server S generates a random nonce $b$ to prevent the long-term private key of S from being compromised. In the password changing phase, the smart card SC can provide the function of local password change. The proposed scheme is comprised of four phases, i.e., system initialization, registration, login-authentication and password change. The registration and login-authentication phases are depicted in Fig 2.

System initialization phase
In this phase, the server S selects an elliptic curve $E$ over the finite field $F_p$, a random number $k \in Z_p^*$ and a one-way hash function $h(\cdot)$. S then computes $G = kP$ as the public key of S. Finally, the server S publishes the parameters $\{E, P, G, h(\cdot)\}$, while maintaining $k_s$ as the long-term private key of S.

Registration phase
Step 1. The user U chooses an identity ID.
Step 2. $U \Rightarrow S$: $\{ID\}$.
Step 5. On receiving the smart card SC from S, the user U should immediately change the initial password during the password update phase.

Login and mutual authentication phase
Once the patient U registers to the server successfully, he can send the login request to the server S when he wants to enjoy the service as follows:
Step 1. U inserts the smart card SC into a card reader and inputs $ID$, $PW$.
Step 2. SC calculates $VPW = h(PW \| a_u \| ID)$, and then computes $A'_u = h((h(ID) \oplus VPW) \bmod n_0)$. Then SC checks the correctness of $A'_u$ by comparing it with the value of $A_u$ stored in SC. If $A'_u = A_u$, it shows that $ID$, $PW$ are valid. Otherwise, the session is terminated.
Step 3. SC continues computing $N = r_u \oplus VPW$ and chooses a random number $c_u \in Z_p^*$, and then computes $V = c_u P$, $W = c_u G$, $f_u = ID \oplus W_x$, $z_u = h(ID \| W_y \| f_u \| N)$, where $W_x$, $W_y$ are the $x$-th and $y$-th components of $W$, respectively.
Step 5. After obtaining $\{V, f_u, z_u\}$, S calculates $W^* = kV$, $ID = f_u \oplus W_x^*$ and checks $ID'_i \stackrel{?}{=} ID_i$ by searching the database list. If these are not equal, S judges that the input password is wrong. As the wrong attempts exceed the threshold (such as 8), S forms a judgement that the smart card is usurped by some attacker. What's more, S locks the smart card until U re-registers.
Otherwise, S computes $z_u^* = h(ID \| W_y^* \| f_u \| N)$ and verifies $z_u^* \stackrel{?}{=} z_u$. If it is not found valid, S exits the session and counts a number $T = 1$. Along with this, S suspends the card until U re-registers when $T$ exceeds some threshold value. Otherwise, S generates random numbers $c_s, t \in Z_p^*$ and computes $V_s = c_s V$, $sk = h(N \| W_x^* \| G \| V_s \| ID \| t)$, $Auth_s = h(t \| sk \| N)$.
Step 7. On receiving the message $\{c_s G, Auth_s, t\}$, U computes $V_s^* = c_u(c_s G)$, $sk^* = h(N \| W_x \| G \| V_s^* \| ID \| t)$, and checks whether $Auth_s^* \stackrel{?}{=} Auth_s$. If these are not equal, the session is terminated. Otherwise, S is authenticated by U and U accepts the session key $sk^*$. Afterwards, U computes $Auth_u = h(t+1 \| sk^* \| N \| V_s^* \| ID)$, and sends $\{Auth_u\}$ to S.
Step 8. $U \rightarrow S$: $\{Auth_u\}$.
Step 9. After receiving the challenge message $\{Auth_u\}$, S computes $Auth_u^* = h(t+1 \| sk \| N \| V_s \| ID)$ and checks whether $Auth_u^* \stackrel{?}{=} Auth_u$. If it is found valid, then U is authenticated.
Step 10. Finally, both the patient U and the server S agree on a common session key $sk = sk^*$.
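The login and mutual authentication exchange above, as an added Python example that is not the authors' code. Assumptions: secp256k1 and SHA-256 stand in for the unspecified curve and $h(\cdot)$; the card contents follow from $N = h(k \| ID \| b)$ (given in the security analysis) and $N = r_u \oplus VPW$; the server derives $V_s$ as $c_s W^*$ so that it equals the user's $c_u(c_s G)$ (with $V_s = c_s V$ as written in Step 5 the two sides' values would differ by the factor $k$); the card's $A_u$ pre-verification and the lockout counter are left out, and all function names are hypothetical.

```python
import hashlib
import secrets
from hmac import compare_digest

FP = 2**256 - 2**32 - 977  # secp256k1, an assumed stand-in for the paper's curve E
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % FP, FP - 2, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP

def mul(k, pt):  # double-and-add scalar multiplication (not constant time)
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def enc(v):  # int -> 32 bytes, point -> x||y, str -> UTF-8, bytes unchanged
    if isinstance(v, tuple):
        return enc(v[0]) + enc(v[1])
    if isinstance(v, int):
        return v.to_bytes(32, "big")
    return v.encode() if isinstance(v, str) else v

def h(*parts):  # h(a||b||...): SHA-256 over length-prefixed fields
    data = b"".join(len(enc(p)).to_bytes(2, "big") + enc(p) for p in parts)
    return hashlib.sha256(data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def scalar():
    return 1 + secrets.randbelow(ORDER - 1)

def new_server():
    k = scalar()  # long-term private key; G = kP is published
    return {"k": k, "G": mul(k, P), "db": {}}

def register(srv, identity, pw):
    """Card contents inferred from N = h(k||ID||b) and N = r_u xor VPW."""
    b, a_u = secrets.token_bytes(32), secrets.token_bytes(16)
    srv["db"][identity] = b  # the server keeps the per-user secret b
    n, vpw = h(srv["k"], identity, b), h(pw, a_u, identity)
    return {"r_u": xor(n, vpw), "a_u": a_u}

def card_login(card, identity, pw, G):
    """Step 3: unmask N and build the request {V, f_u, z_u}."""
    n, c_u = xor(card["r_u"], h(pw, card["a_u"], identity)), scalar()
    V, W = mul(c_u, P), mul(c_u, G)
    f_u = xor(identity.encode().ljust(32, b"\0"), enc(W[0]))
    return (c_u, n, W), (V, f_u, h(identity, W[1], f_u, n))

def server_respond(srv, V, f_u, z_u):
    """Step 5: recover ID from f_u, verify z_u, derive sk and Auth_s."""
    W = mul(srv["k"], V)
    identity = xor(f_u, enc(W[0])).rstrip(b"\0").decode(errors="replace")
    if identity not in srv["db"]:
        return None
    n = h(srv["k"], identity, srv["db"][identity])
    if not compare_digest(h(identity, W[1], f_u, n), z_u):
        return None
    c_s, t = scalar(), scalar()
    V_s = mul(c_s, W)  # assumption: c_s*W* (= c_s*k*V), equal to c_u(c_s G)
    sk = h(n, W[0], srv["G"], V_s, identity, t)
    srv["open"] = (sk, h(t + 1, sk, n, V_s, identity))  # sk, expected Auth_u
    return mul(c_s, srv["G"]), h(t, sk, n), t

def card_finish(state, identity, G, c_s_G, auth_s, t):
    """Step 7: verify Auth_s, then return (sk*, Auth_u)."""
    c_u, n, W = state
    V_s = mul(c_u, c_s_G)
    sk = h(n, W[0], G, V_s, identity, t)
    if not compare_digest(h(t, sk, n), auth_s):
        return None
    return sk, h(t + 1, sk, n, V_s, identity)

def run_session(srv, card, identity, pw):
    """Full exchange; returns (sk_user, sk_server), or None on any failure."""
    state, request = card_login(card, identity, pw, srv["G"])
    challenge = server_respond(srv, *request)
    reply = challenge and card_finish(state, identity, srv["G"], *challenge)
    ok = reply and compare_digest(reply[1], srv["open"][1])  # Step 9: check Auth_u
    return (reply[0], srv["open"][0]) if ok else None
```

A wrong password or identity unmasks a wrong $N$ on the card, so the request fails the server's $z_u$ check or its database lookup and `run_session` returns `None`.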

Password update phase
This phase is incorporated to allow the user to change her/his password at will, for which U and SC execute the following steps:
Step 1. Firstly, U inserts the smart card into the card reader. U then inputs $ID'$, $PW'$ and a new password $PW_{new}$.
Step 2. The smart card SC calculates $VPW' = h(PW \| a_u \| ID)$, and then computes $A'_u = h((h(ID_i) \oplus VPW) \bmod n_0)$. Subsequently, SC verifies whether $A'_u = A_u$. If these are not equal, SC rejects U's request to change the password.
Step

Security analysis of the enhanced scheme
In this part, we prove that the proposed scheme is secure against the attacks overlooked by Kumari et al. Besides, we show that the proposed scheme also takes care of common security features. To facilitate the discussion, we also adopt the attack model proposed by Kumari et al. and the adversary model, that is, an adversary A can completely monitor the open communication channel and is therefore able to insert, delete or modify any messages among correspondents. Moreover, A has the ability to obtain all useful information of the smart card by the side-channel attack [41]. When it comes to key-compromise impersonation attack and perfect forward secrecy, the long-term private key $k_s$ is revealed to A.

User anonymity and user un-traceability
In this enhanced scheme, on one hand, no identity is transmitted over the open channel or stored in the smart card. On the other hand, suppose that the adversary A captures the messages $\{V, f_u, z_u\}$, $\{c_s G, Auth_s, t\}$ and $\{Auth_u\}$ from the public channel. But in order to obtain the user U's identity $ID$, A needs to know $W_x$, which is not available since $W_x$ is computed using the random number $c_u$. Moreover, A cannot guess the correct identity, since $\{N, VPW\}$ are also not available. Further, even if A obtains the smart card of U and extracts the information in SC, A cannot recover the identity of U since $ID$ is protected by the one-way hash function and the modulo operator. In the process of login and authentication, A has no ability to trace the user's identity, since every transmitted message is different and does not reveal any location information about the user. Therefore, user anonymity and user un-traceability are ensured by the proposed scheme.

Privileged insider attack
In the registration phase, user U only submits $ID$ to the server S. S subsequently sets an initial password $PW_0$ for U. After receiving the smart card and $PW_0$, U immediately changes the password to one that only U knows. Therefore, no privileged insider can access or compute the user's password, that is, the proposed scheme resists privileged insider attack.

Pre-verification in the smart card
In the login phase of Kumari et al.'s scheme, the inability of the smart card to provide any verification of the identity and password of a user increases the burden on the server. In our login phase, by contrast, the smart card checks whether $A'_u \stackrel{?}{=} A_u$ after $ID$, $PW$ are input. If it is found valid, SC sends the request message to S. Otherwise, it defers the session until the correct password and identity are entered. This implies that our method saves computational and communication costs when there is incorrect input or an illegal user. Consequently, pre-verification is successfully provided by the proposed scheme.

Key-compromise impersonation attack
In our scheme, even if the secret key $k$ of the server S is compromised by the adversary A, A cannot impersonate the legal user U to cheat S. Because the adversary A cannot know the random number $b$ of S or the correct $\{ID, PW\}$, he is unable to compute the correct value of $N$ even though the information in the smart card is extracted. Thus, A cannot calculate the correct request message $\{V, f_u, z_u\}$ and cannot be authenticated by S. Consequently, our scheme is able to resist the key-compromise impersonation attack.

Server impersonation attack
Because $k$ is a long-term private key and $b$ is also a random secret value of server S, the adversary A cannot recover $W^* = kV$, $ID = f_u \oplus W^*$, $N = h(k \| ID \| b)$ and is not able to forge $sk = h(N \| W_x^* \| G \| V_s \| ID \| t)$, $Auth_s = h(t \| sk \| N)$. Thus, A is unable to impersonate the server S to the user U.

Off/On-line password guessing attack
In the proposed scheme, the adversary A cannot guess the correct identity and password of U even if it extracts the information $\{r_u, A_u, G, n_0\}$ in SC. If A guesses a pair of $ID$ and $PW$, the equation $A'_u \stackrel{?}{=} A_u$ must be satisfied. But according to the "fuzzy-verifier" [40], A still cannot be sure whether $ID'$ and $PW'$ are the correct $ID$ and $PW$, respectively. A can only find the correct value by launching on-line guessing against server S. But the number space of $ID'$ and $PW'$ is large enough to be immune to the on-line guessing attack, and the smart card SC remains suspended until U re-registers once the number of wrong logins exceeds the fixed threshold. Therefore, the proposed scheme can withstand the off/on-line password guessing attack.
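The card check and the off-line guessing argument, as an added Python example (not from the paper): it compares the fuzzy verifier $A_u$ with a full-width hash verifier over a constructed guess space and counts how many guesses each leaves standing. SHA-256, $n_0 = 2^8$, the guess space, the fixed $a_u$ and all function names are assumptions.

```python
import hashlib

N0 = 2**8  # fuzzy-verifier modulus n_0 (assumed value)
A_U = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed card nonce a_u
LOCK_THRESHOLD = 8  # wrong on-line attempts before the server locks the card


def h(*fields):
    """h(a||b||...) as SHA-256 over length-prefixed byte fields."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hashlib.sha256(data).digest()


def vpw(identity, pw, a_u=A_U):
    """VPW = h(PW || a_u || ID)."""
    return h(pw.encode(), a_u, identity.encode())


def fuzzy_verifier(identity, pw, a_u=A_U, n0=N0):
    """A_u = h((h(ID) xor VPW) mod n_0); only log2(n_0) bits of the input remain."""
    mixed = bytes(x ^ y for x, y in zip(h(identity.encode()), vpw(identity, pw, a_u)))
    return h((int.from_bytes(mixed, "big") % n0).to_bytes(32, "big"))


def exact_verifier(identity, pw, a_u=A_U):
    """Contrast case, not in the paper: the card stores a full-width hash."""
    return h(identity.encode(), vpw(identity, pw, a_u))


def surviving_guesses(stored, verifier, guesses):
    """(ID, PW) pairs that reproduce the verifier value read from a lost card."""
    return [(i, p) for i, p in guesses if verifier(i, p) == stored]


def online_success_bound(n_candidates, threshold=LOCK_THRESHOLD):
    """Chance that the right pair is among the tries allowed before lockout."""
    return min(1.0, threshold / n_candidates)


def audit(true_id="alice", true_pw="pw0417"):
    # Constructed guess space: 4 identities x 1024 passwords = 4096 pairs.
    guesses = [(i, f"pw{n:04d}") for i in ("alice", "bob", "carol", "dave")
               for n in range(1024)]
    fuzzy = surviving_guesses(fuzzy_verifier(true_id, true_pw), fuzzy_verifier, guesses)
    exact = surviving_guesses(exact_verifier(true_id, true_pw), exact_verifier, guesses)
    return {
        "card_accepts_owner": (true_id, true_pw) in fuzzy,
        "fuzzy_survivors": len(fuzzy),   # about 4096 / n_0, all equally plausible
        "exact_survivors": len(exact),   # 1: the off-line guess is confirmed
        "wrong_inputs_caught_on_card": len(guesses) - len(fuzzy),
        "online_bound": online_success_bound(len(fuzzy)),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The survivor count scales as the size of the guess space divided by $n_0$, so $n_0$ has to stay small relative to that space for the server's lockout threshold to bound the on-line attempts.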

Replay attack
Suppose that A has captured all the communication messages $\{\{V, f_u, z_u\}, \{c_s G, Auth_s, t\}, \{M_i\}\}$ through the open channel and tried to replay them to U or S. However, the proposed scheme takes advantage of the random numbers $\{c_u, c_s, t\}$ that differ in every session to prevent replay attack. In the process of communication, after receiving the request/challenge message, both the user and the server can immediately verify the validity of the random number every time A replays a communication message. Therefore, the replay attack is prevented by the proposed scheme.

Session-specific temporary information attack
In the proposed scheme, if the random numbers $c_u$, $c_s$, $t$ are compromised, then the adversary A can calculate $W = c_u G$ and further compute $W_x$. A captures the transmitted messages But in order to obtain the session key $sk = h(N \| W_x \| G \| V_s \| ID \| t)$, A must know the value of $N$, which is not available, since $N$ is protected by the private key $k$ and the random number $b$ of server S. This implies that A still cannot calculate the session key $sk$, although the random numbers $\{c_u, c_s, t\}$ are compromised. Therefore, the proposed protocol is secure against the session-specific temporary information attack.

Man-in-the-middle attack
Suppose that an adversary A intercepts the login request message $\{V, f_u, z_u\}$ and the information stored in the smart card. In order to launch the man-in-the-middle attack, A needs to compute $\{V^*, f_u^*, z_u^*\}$ for sending to server S. Although A chooses a random $c_u^*$, A still cannot know the value of $N$ and the real identity $ID$; therefore, he cannot compute $f_u^*$ and $z_u^*$. On the other hand, even if he intercepts the challenge message $\{c_s G, Auth_s, t\}$, A still cannot compute the forged message $\{c_s^* G, Auth_s^*, t^*\}$ as he does not know the values of $\{N, ID\}$. Without knowing the server's private key $k$ and random number $b$, computation of $N$ is computationally infeasible for the adversary A. Thus, the attacker A does not have any ability to modify the login request message or the challenge message. As a result, our scheme also resists the man-in-the-middle attack.

Mutual authentication
In the proposed scheme, S firstly checks the validity of $ID$. Afterwards, S authenticates U by verifying whether $z_u^* = z_u$ and checking whether $Auth_u^* = Auth_u$, respectively. On the other hand, U authenticates S by testing whether $Auth_s^* = Auth_s$. Consequently, our proposed scheme provides mutual authentication.

Perfect forward secrecy
When it comes to forward secrecy, we assume that the private key $k$ of S is compromised and that the adversary A obtains the sensitive data $\{r_u, A_u, G\}$ stored in the smart card and the transmitted message $\{V, f_u, z_u\}$. A can compute $W = kV$ and calculate $ID = f_u \oplus W_x$. But in order to calculate the previous session key $sk = h(N \| W_x \| G \| V_s \| ID \| t)$, A must know $c_u$ or $c_s$. However, it is impossible for A to obtain $c_u$ from $V$ or $c_s$ from $c_s G$ and calculate $c_u c_s G$ due to the intractability of ECDLP and ECCDHP. Thus, even by obtaining the private key $k$ of server S and the smart card, the adversary A is still unable to calculate the session key $sk$. As a result, the proposed scheme provides perfect forward secrecy.

Efficient password changing
In the proposed protocol, if the user U wants to change her/his password, U only needs to interact with the smart card SC to perform some operations. In this phase, the server S is not involved in the process of password changing. Therefore, our proposed protocol is efficient in the password changing phase.

Formal security validation using AVISPA tool
AVISPA (Automated Validation of Internet Security Protocols and Applications) is a push-button software tool for the automated validation of Internet security-sensitive protocols and applications [44]. AVISPA supports the High Level Protocol Specification Language, called HLPSL, and is usually used to provide the formal security verification of the simulated protocol. The simulation results in AVISPA can show whether the proposed protocol is secure against active and passive attacks. The architecture of the AVISPA tool is depicted in Fig 3 and its detailed introduction can be found in [44].
Accordingly, in order to test the security of the proposed protocol, we also use the AVISPA software tool to simulate it. Firstly, we translate the proposed protocol into HLPSL. The specifications for the roles for the user $U_i$, the server S, the session, goal and environment in HLPSL are depicted in Figs 4, 5 and 6, respectively. Since only OFMC and CL-AtSe backends support the Diffie-Hellman and the bitwise exclusive-OR (XOR) operation, after execution through the OFMC and CL-AtSe backends, the simulation results ensure that our proposed protocol is [...] [39] schemes. Generally, in order to compare the computational complexity, we neglect the lightweight operations like exclusive-OR operation and string concatenation. We list the descriptions of some operations used in our paper below:
• $T_{me}$: the time for performing a modular exponentiation operation.
• $T_{sed}$: the time for performing symmetric cryptography.
• $T_h$: the time for performing a hash operation.
According to the experimental results in [46], $T_h$, $T_{pm}$, $T_{pa}$ and $T_{sed}$ take approximately 0.0023 ms, 2.226 ms, 0.0288 ms and 0.0046 ms, respectively. The above timings are obtained on a personal computer which has an Intel Pentium Dual CPU E2200 2.20 GHz processor, 2048 MB of RAM and the Ubuntu 12.04.1 LTS 32-bit operating system [46].
In this section, the comparative analysis is twofold as follows:
• Comparison of computational complexity (Table 2)
• Comparison of security features (Table 3)
According to Table 2, the total computational cost of our proposed scheme in the login and authentication phase is $13T_h + 6T_{pm} \approx 13.3859$ ms. The results show that the proposed scheme outperforms [26, 27, 31, 34, 36-38]. In comparison to Kumari et al. [39], our scheme has slightly more computational costs. However, it is in an acceptable range under the trade-off of security and usability.
From Table 3, we observe that the proposals [26, 27, 31, 34, 36-39] lack some security ingredients and have more security problems than the proposed scheme. In Kumari et al.'s scheme [39], the authors declared that their protocol is secure against the user impersonation attack, password guessing attack and session-specific temporary information attack applicable to Farash's scheme [37]. On one hand, it is well known that perfect forward secrecy is a key security feature of a key agreement scheme. Perfect forward secrecy ensures the security of the session key. On the other hand, key-compromise impersonation attack is also a fatal attack on SIP. If we have measures to resist this attack, why not design such a scheme? However, according to our observation, we find that Kumari et al.'s scheme [39] cannot provide perfect forward secrecy and is vulnerable to key-compromise impersonation attack. Meanwhile, key-compromise impersonation attack is not considered by any scheme in Table 3 except our scheme. Fortunately, we have taken effective measures to tackle key-compromise impersonation attack in our scheme, that is, the server stores random secret values $b$ in its database. Besides, the proposed protocol utilizes the technique of "fuzzy-verifiers" [40] to resist off-line identity guessing attack and provides more security features, including pre-verification in the smart card and efficient password changing. Therefore, the proposed scheme not only addresses the security problems of Kumari et al.'s scheme [39] but also retains all its merits as depicted in Table 3. Although our scheme employs a slightly complex elliptic curve point multiplication operation, as a trade-off it can resist all known attacks, which is a very important ingredient of the security of mutual authentication.

Conclusion
In this paper, we have provided a security analysis of Kumari et al.'s scheme [39] to prove that their scheme [39] is vulnerable to key-compromise impersonation attack and does not provide perfect forward secrecy, pre-verification in the smart card and efficient password changing. In order to remedy these limitations in Kumari et al.'s [39] scheme, we propose an enhanced authentication scheme with refined security. The proposed scheme inherits the merits of Kumari et al.'s [39] scheme, resists the aforementioned attacks and provides more comprehensive security features with a slightly higher computational cost than [39]. Additionally, the simulation results of the proposed protocol using the AVISPA software indicate that the proposed protocol is secure against active and passive attacks. Finally, in comparison with the previously proposed schemes, we conclude that the proposed protocol is more secure and effective to be implemented in real-life scenarios. Actually, many of the existing protocols cannot achieve unconditional security. In order to enhance the security of the authentication protocol, a number of three-factor authentication protocols have been designed. Therefore, in our future work, we will design a more secure three-factor mutual authentication protocol based on smart cards to be implemented in many practical scenarios, such as the Internet of Things, Wireless Sensor Networks, Medical Care Systems, Vehicular Ad Hoc Networks, etc.