A lightweight and secure two factor anonymous authentication protocol for Global Mobility Networks

Global Mobility Networks (GLOMONETs) in wireless communication permit global roaming services that enable a user to leverage mobile services in any foreign country. Technological growth in wireless communication is accompanied by new security threats and challenges. A threat-proof authentication protocol for wireless communication can overcome these flaws by allowing only legitimate users to access a particular service. Recently, Lee et al. found the Mun et al. scheme vulnerable to several attacks and proposed an advanced secure scheme to overcome its flaws. However, this article points out that the Lee et al. scheme lacks user anonymity, has inefficient user authentication, is vulnerable to replay and DoS attacks, and lacks local password verification. Furthermore, this article presents a more robust anonymous authentication scheme to handle the threats and challenges found in Lee et al.'s protocol. The proposed protocol is formally verified with an automated tool (ProVerif) and has superior efficiency in comparison to the existing protocols.


Introduction
Wireless communications are used extensively in the current decade, and internet-based applications are accessed through mobile networks at any time and from anywhere. Roaming in mobile communication has become extremely popular. Technological improvements have also raised many security issues, because anyone can intercept the communication at any time. While a user travels, mobility services keep wireless devices connected to a network without interruption. When a person visits another country he/she still has to use mobile services. Global Mobility Networks (GLOMONETs) allow a roaming user to leverage his/her home mobile services in a foreign country [1]. A roaming Mobile Node (MN) uses mobile services in the foreign country with the help of its home network. The Mobile Node (MN) connects to a foreign network in the foreign country and ... information. To overcome these issues, Wei et al. [19] presented an enhanced protocol that provides security features such as user anonymity and mutual authentication. Wu et al. [20] found that the Lee et al. [18] protocol does not achieve backward secrecy or user anonymity and is vulnerable to off-line key guessing attacks; they therefore proposed an efficient protocol that resists the aforementioned attacks. He et al. [21] noted that the Wu et al. [20] protocol does not achieve user anonymity and is also vulnerable to replay and forgery attacks, and presented a lightweight authentication scheme with strong resistance to stolen-verifier attacks. Li et al. [22] pointed out that the He et al. [21] protocol cannot provide user anonymity and has an unfair key-exchange system, and presented a protocol that provides user anonymity and a fair key-agreement system. Li et al. [23] pointed out that the Li et al. [22] protocol is inefficient due to extra computational cost. Das [24] also pointed out that the Li et al. [22] protocol cannot withstand replay attacks. Yoon et al. [25] presented a new lightweight authentication protocol to handle the loopholes of earlier protocols, with mutual authentication, user friendliness and user anonymity. Niu et al. [26] showed that the Yoon et al. [25] protocol does not provide user anonymity and has an insecure key management system, and therefore presented a novel authentication protocol that provides user anonymity. Jiang et al. [27] also pointed out that the He et al. [21] protocol does not provide strong two-factor authentication; furthermore, that protocol is vulnerable to insider and replay attacks and lacks user friendliness. The protocol of Jiang et al. [27] improves privacy and authentication. Wen et al. [28] proved that the Jiang et al. [27] protocol does not resist replay attacks and password-based verification attacks, and presented a new protocol that does not enable the users to share the secret key. Mun et al. [29] presented a new lightweight scheme based on hash and concatenation operations. Lee et al. [30] found that the Mun et al. [29] scheme cannot withstand man-in-the-middle and masquerade attacks and fails to provide perfect forward secrecy, and proposed a more efficient protocol for GLOMONETs.
This article shows that the Lee et al. [30] scheme suffers from unfair user registration and inefficient user authentication, does not provide local user/password verification, and is vulnerable to replay and DoS attacks.

Contributions
In this article a detailed analysis of the Lee et al. protocol is presented to check its strength against various attacks. As a result the following improvements are contributed:

The Lee et al. scheme [30] is reviewed in the following sequence: registration phase, AESK phase, session key update phase, and password alter phase. The notation guide is given in Table 1.

Registration phase
The registration phase of the Lee et al. scheme runs between the Mobile Node (MN) and the Home Node (HN). The MN and HN perform the registration in the following steps:

Authentication and establishment of session-key(AESK Phase)
The AESK phase of Lee et al. [30] is performed in the following steps:

Session-Key update phase
Step 3: The Mobile Node (MN) receives the message and calculates $N'$

Password alter phase

Security weaknesses of Lee et al. scheme
This section demonstrates the security weaknesses of the Lee et al. scheme [30]. The scheme suffers from unfair user registration and inefficient user authentication, is vulnerable to replay and DoS attacks, and does not provide local user and old password verification. The detailed discussion is given in the following subsections:

Replay and DoS attacks
In the Lee et al. scheme an adversary A intercepts the channel and obtains the login request. As no timestamp or sequence number is associated with the login message $M_1$, the adversary A can replay $M_1$ in a later login phase. Likewise the adversary can replay the message $\{\dots, N_{FN2}\}$ of step 2 of the authentication phase, because no timestamps or sequence numbers are used with any message. Although the adversary is unable to compute the session key, it can intentionally send a large number of login requests to overwhelm the MN, FN and HN. Repeating the replay in large numbers exhausts communication and computation resources and leads to a Denial of Service (DoS) attack that prevents legal users from accessing the resource.

Lack of local user and password verification
The Lee et al. scheme does not verify the old password in the password alter phase (phase 5). Any malicious user with a stolen smart card (SC) can submit a request to change the password. Although the malicious user would not succeed, he/she can send multiple requests, which again leads to DoS as discussed previously. Furthermore, suppose that in the login phase a Mobile Node (MN) unintentionally enters $ID_{MN}$ and an old $PW_{MN}$. Before transmitting the login request to the Home Node (HN), the scheme does not check whether the identity ID or password PW is correct. Even if the user enters the old password $PW_{MN}$, the authentication steps (1-4) are still executed with the old ID/PW. Although the Home Node (HN) rejects the authentication at step 4, the process takes unnecessary computation and communication overhead. Hence the smart card (SC) cannot verify the identity and password of the Mobile Node (MN) in the login phase, which shows the inefficiency of the Lee et al. scheme.

Proposed scheme
The proposed scheme consists of the following phases: registration phase, login and authentication phase, and password change phase. The detailed description of these phases is as follows:

Registration phase
The registration phase of the proposed scheme runs between the Mobile Node (MN) and the Home Node (HN). In the registration phase the MN freely chooses an identity $ID_{MN}$, a password $PW_{MN}$ and a random number $r \in \mathbb{Z}_n^*$ (a natural number). Afterward the MN computes $U = h(PW_{MN} \| r)$ and transmits the registration request message $M = \{ID_{MN}, U\}$ to HN over a secure channel.
When the Home Node (HN) receives the registration request message, it selects a random number $m \in \mathbb{Z}_n^*$ and computes the following values, where $R_T$ is the registration time. After that the Home Node (HN)

Login and authentication phase
For the authentication phase we presume that the Mobile Node (MN) is in a foreign country under the administration of a foreign network and intends to use mobile services there. To avail these services the MN has to log in with its identity $ID_{MN}$ and password $PW_{MN}$ and then, for security and legitimacy, authenticate itself with the help of the Foreign Node (FN) and Home Node (HN) as shown in Fig 2. After successful authentication the MN uses the services in collaboration with the hosting country's network.

Step 1: MN → FN: $M_1 = \{ID_{HN}, K, V, r_1, T_1\}$. The user inserts his/her smart card (SC) into the machine and enters $ID_{MN}$ and $PW_{MN}$ to log in. On the login request the machine calculates $B' = U \oplus h(ID_{MN} \| m)$ from the values saved at the registration phase and checks whether $B' \stackrel{?}{=} B$; if not, the session is terminated and the login request is rejected. If $B'$ and $B$ are equal the legality holds. The smart card (SC) then chooses a random number $r_1$ and calculates the following values, where $T_1$ is the timestamp of the Mobile Node (MN). Ultimately, the MN sends the login request message $M_1$ to the Foreign Node (FN) over a public channel.
Step 2: FN → HN: $M_2 = \{M_1, Y, r_2, T_2\}$. After receiving $M_1$ the Foreign Node (FN) checks the freshness of $T_1$; if the check fails, FN does not accept the login request. Afterward FN generates a nonce $r_2$ and calculates the following equations, where $FH_k$ is a pre-shared key between FN and HN. FN then transmits $M_2$ to the Home Node (HN).
Step 3: HN → FN: When HN obtains $M_2$, it confirms the freshness of the timestamp $T_2$ and then verifies both $V' \stackrel{?}{=} V$ and $Y^* \stackrel{?}{=} Y$; if either comparison fails, HN rejects $M_2$ and terminates the session. Afterward HN generates a nonce $r_3$ and computes the following values. When all checks pass, $M_3 = \{V_1, k', K^*, T_3\}$ is sent to the Foreign Node (FN).

Password change phase
The password change phase makes the scheme user friendly and enhances its security: the proposed scheme allows the user to update or change his/her password. Whenever the Mobile Node (MN) wants to change the password, the following steps are performed:

Step 1: The user inserts the smart card (SC), enters the identity $ID'_{MN}$ and the password $PW'_{MN}$, and requests a password change.

Step 2: On this request the smart card (SC) computes $U^*$ and checks whether $U^* \stackrel{?}{=} U$. If the values differ the SC rejects the request; otherwise it asks the Mobile Node (MN) to choose a new password $PW_{new}$.

Step 3: The smart card (SC) calculates the following equations:
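The card-side checks of the proposed scheme (the registration values $U$ and $B$, the local login test $B' \stackrel{?}{=} B$ and the password-change test $U^* \stackrel{?}{=} U$) as an added Python example; this is not code from the paper. It assumes SHA-256 as $h(\cdot)$, that the card holds $\{U, B, r, m\}$, and that step 3 of the password change recomputes $U$ and $B$ from their definitions, since the paper does not list those equations.

```python
import hashlib
import secrets

# Added example, not the paper's code. Assumptions: h() is SHA-256, the smart
# card stores {U, B, r, m}, and password-change step 3 re-derives U and B from
# U = h(PW || r) and B = U xor h(ID || m).


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation (||) of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def register(id_mn: bytes, pw: bytes, r: bytes, m: bytes) -> dict:
    """Registration phase. MN: U = h(PW_MN || r), sent with ID_MN over the
    secure channel. HN: picks m and computes B = U xor h(ID_MN || m).
    HN never sees PW_MN or r. Returns the card contents (assumption)."""
    U = h(pw, r)
    B = xor(U, h(id_mn, m))
    return {"U": U, "B": B, "r": r, "m": m}


def local_login_check(card: dict, id_mn: bytes, pw: bytes) -> bool:
    """Login step 1: B' = h(PW_MN || r) xor h(ID_MN || m), test B' =? B on the
    card before any login request is built. A wrong ID or an old password
    fails here, so no M1 is sent (the check the Lee et al. login lacks)."""
    b_prime = xor(h(pw, card["r"]), h(id_mn, card["m"]))
    return secrets.compare_digest(b_prime, card["B"])


def change_password(card: dict, id_mn: bytes, pw_old: bytes, pw_new: bytes) -> bool:
    """Password change: U* = h(PW' || r) =? U. Only on a match is PW_new
    accepted and U, B re-derived (assumed update equations)."""
    u_star = h(pw_old, card["r"])
    if not secrets.compare_digest(u_star, card["U"]):
        return False  # old password wrong: request rejected, nothing changes
    card["U"] = h(pw_new, card["r"])
    card["B"] = xor(card["U"], h(id_mn, card["m"]))
    return True


if __name__ == "__main__":
    # Constructed sample values; real r and m are random elements of Z_n^*.
    r, m = secrets.token_bytes(32), secrets.token_bytes(32)
    card = register(b"MN-0001", b"correct horse", r, m)
    print("login, correct PW   :", local_login_check(card, b"MN-0001", b"correct horse"))
    print("login, old/wrong PW :", local_login_check(card, b"MN-0001", b"old password"))
    print("change, wrong old PW:", change_password(card, b"MN-0001", b"guess", b"new pw"))
    print("change, right old PW:", change_password(card, b"MN-0001", b"correct horse", b"new pw"))
    print("login with new PW   :", local_login_check(card, b"MN-0001", b"new pw"))
```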

Security analysis
This section presents the formal and informal security analysis of the proposed scheme. The formal verification was carried out with the automated tool ProVerif, and the informal analysis examines the scheme against different attacks.

Security analysis with ProVerif
ProVerif [31] is an automated reasoning tool (verifier) for cryptographic protocols. It handles different cryptographic primitives such as encryption/decryption, MACs, signatures, hash functions, symmetric and asymmetric key cryptography and many others [33]. The formal verification of the proposed protocol was carried out with this tool; the code and results are described below.
The proposed scheme uses two channels: "ChSec" is a secure channel used between MN and HN in the registration phase, whereas "ChPub" is a public (insecure) channel used in the login and authentication phase. Fig 3 (1(a)) shows the channels, constructors and events used in the proposed scheme. In Fig 4 (1(b)) the following authentication properties are verified: query 1 checks whether the session key is secret; query 2 (verification process 1) checks whether the event of the Mobile Node (MN) started and terminated successfully; query 3 (verification process 2) checks the same for the Foreign Node (FN); and query 4 (verification process 3) checks the same for the Home Node (HN). We introduced six events, one for the start and one for the end of each process. Figs 5 (1(c)), 6 (1(d)) and 7 (1(e)) contain the full code of the three processes (MN, FN and HN). ProVerif returns a true or false result: when the protocol fails to prove any required property the tool returns false, otherwise it returns true. The results for the proposed scheme are shown in Fig 8 (1(f)) and are elaborated below:

Result 1 demonstrates that the process of the Home Node (HN) with identity $ID_{HN}$ has successfully started and terminated. Result 2 demonstrates the same for the process of the Foreign Node (FN) with identity $ID_{FN}$, and result 3 for the process of the Mobile Node (MN) with identity $ID_{MN}$. Result 4 shows that the attacker cannot access the session key (SK). Together, the results demonstrate that the proposed scheme preserves secrecy and authentication.

Informal security analysis
This section presents the informal security analysis of the proposed scheme. The different attacks and the countermeasures that withstand them are discussed in the following subsections.

Node anonymity.
Anonymity is a valuable property of a secure authentication protocol: the identity of the Mobile Node (MN) should not be revealed to anyone except the authorized participants. A secure protocol protects the personal data and sensitive information of a node so that an attacker cannot learn anything that helps to breach the security requirements. Our proposed scheme achieves anonymity because it uses strong cryptographic techniques: a hash function is used in the registration phase, the message $M = \{ID_{MN}, U\}$ is sent over a secure and reliable channel, and random numbers protect the messages. In the login-authentication phase, suppose the adversary A captures the message $M_1$ and tries to obtain $ID_{MN}$; the identity of the Mobile Node is hidden in $SID = h(U \| R_T) \oplus N_{MN}$, which the adversary cannot extract. Hence the proposed scheme fulfils all the anonymity requirements of the Mobile Node (MN).

Node traceability.
Traceability is a serious issue for a secure protocol, because node traceability may lead to many attacks. Our scheme does not disclose login information or previous history because it uses random numbers ($r_1$, $r_2$, $m$). Hence the Mobile Node (MN) is untraceable in our scheme.

Man in the middle attack.
In this type of attack the malicious adversary A illegitimately intercepts the communication between two parties. The adversary can capture sensitive data, send or receive data at any time, and impersonate both parties by pretending to be a legal user. In our proposed scheme an adversary cannot perform a man-in-the-middle attack because the scheme provides mutual authentication and endpoint authentication at each side. In our proposed scheme we used the timestamps of each

Backward and forward secrecy.
The proposed scheme fulfils the backward and forward secrecy requirements because random numbers and timestamps (T) are freshly generated for every new session. So even if the current communication keys are revealed to a malicious user, previous or future communication keys cannot be predicted from them: the adversary A can neither generate the same random numbers nor generate fresh timestamps, and hence cannot compute SK. Therefore the proposed scheme accomplishes backward/forward secrecy.

Known key attacks.
An adversary A performs a known-key attack when he/she obtains plaintext associated with a ciphertext and simply backtracks to trace the plaintext. As stated in the previous subsections, our proposed scheme uses fresh random numbers and timestamps for each session, and all participants compute the session key independently. If an attacker obtains a previous session key he/she cannot compute the current one. Hence the proposed scheme resists known-key attacks.

User friendliness.
A secure and useful protocol fulfils the requirements of user friendliness, meaning that a user can freely pick his/her identity and password and is free to change or update the password to enhance security and privacy.
The proposed scheme permits users to select an identity ID and password PW freely, while the SC verifies the correctness of the inputs. A user may freely generate the nonce and may change or update his/her password, so the password stays safe from attackers and adversaries.

Local user and password verification.
To avoid illegal access the proposed scheme provides password verification in the login-authentication phase and also in the password change phase. In the registration phase the Mobile Node (MN) computes $U = h(PW_{MN} \| r)$, and then $B = U \oplus h(ID_{MN} \| m)$ is computed; in the login-authentication phase the smart card re-verifies locally whether $B' \stackrel{?}{=} B$, proceeding to the next step on a match and aborting the session otherwise. This local password verification makes our proposed scheme more secure.

Insider attacks.
An insider attack is a malicious network attack committed by an authorized person with legal access. In our proposed scheme, suppose an insider of the Home Node (HN) tries to obtain the password of the Mobile Node (MN) from the registration message $M = \{ID_{MN}, U\}$. The insider can see the message M but cannot recover the password from $U = h(PW_{MN} \| r)$: the password is concatenated with a nonce and hashed with a one-way hash function, so the insider cannot obtain the nonce r and it is infeasible for anyone to compute the password from the hash value. Under these assumptions the proposed scheme prevents insider attacks.

Stolen-verifier attacks.
The proposed scheme resists stolen-verifier attacks: the user's password is kept by the Mobile Node (MN) only in protected form, so even HN and FN get no information about it. If the SC is stolen, no one can extract the password because it is kept inside the value $U$, which is in protected (hashed) form, and the adversary cannot alter the password. Hence the proposed scheme resists stolen-verifier attacks.

Impersonation attacks.
In an impersonation attack an adversary forges a legitimate user by pretending to be one. The adversary can delete or modify any message in different ways or forge the other participants by pretending to be a legitimate user. The proposed scheme withstands forgery attacks in the following ways:
• MN impersonation attacks: Suppose the adversary A intercepts the login message $M_1 = \{ID_{HN}, V, K, r_1, T_1\}$ in step 1. After the session terminates, A can try to send $M_1$ to FN again; the Foreign Node (FN) checks the freshness of $T_1$, and since the timestamp is not fresh the login request is not accepted. The adversary can instead generate a new timestamp $T_1$ and resend $M_1 = \{ID_{HN}, V, r_1, K, T_1\}$ with the fresh $T_1$ to FN, and this time the freshness check may succeed. For further confirmation FN scrutinizes whether $V \stackrel{?}{=} h(K \| SID \| r_1 \| T_1)$; here the value of $V$ is not equal to $V'$, so the request is rejected. The adversary may also try to impersonate in step 4, but the comparison of $V_1'$ with $V_1$ makes the impersonation fail in every phase.
• FN impersonation attacks: In step 2 the adversary tries to impersonate by sending the message $M_2 = \{M_1, Y, r_2, T_2\}$ to the Home Node (HN). Without knowing the pre-shared key $FH_k$ the adversary cannot impersonate the FN. Moreover, the proposed protocol also scrutinizes $Y^* \stackrel{?}{=} Y$ in the second phase, and HN and FN share SK secretly. The adversary will not be able to impersonate HN or FN by any means or with any message.
• HN impersonation attacks: The proposed protocol can efficiently withstand HN forgery attacks. Suppose the adversary attempts to forge the MN or FN with the message $M_3 = \{V_1, k', K^*, T_3\}$ in the third phase. In $M_3$ the value $V_1$ is used for local verification, and the adversary cannot compute $V_1$. Thus the proposed protocol withstands HN impersonation in the different steps.
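The receiver-side checks on $M_1$ discussed for the MN impersonation case above (FN's freshness test on $T_1$ and the $V \stackrel{?}{=} h(K \| SID \| r_1 \| T_1)$ check), as an added Python example that is not part of the paper. It assumes SHA-256 as $h(\cdot)$, an 8-byte big-endian Unix timestamp for $T_1$, a 30-second freshness window, and that the verifying node already holds SID.

```python
import hashlib
import secrets

# Added example, not the paper's code: receiver-side checks on the login
# message M1 = {ID_HN, K, V, r1, T1} with V = h(K || SID || r1 || T1).
# Assumptions: h() is SHA-256, T1 is a Unix time encoded as 8 big-endian
# bytes, the freshness window is 30 s, and the verifier already holds SID.

FRESHNESS_WINDOW = 30  # seconds; the paper does not fix the bound


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation (||) of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def build_m1(id_hn: bytes, K: bytes, sid: bytes, r1: bytes, t1: int) -> dict:
    """MN -> FN, step 1: V binds K, SID, the nonce r1 and the timestamp T1."""
    V = h(K, sid, r1, t1.to_bytes(8, "big"))
    return {"ID_HN": id_hn, "K": K, "V": V, "r1": r1, "T1": t1}


def freshness_ok(m1: dict, now: int) -> bool:
    """FN, step 2: drop an M1 whose T1 lies outside the window. A verbatim
    replay of an old M1 is rejected here before any further work (this is
    the check whose absence makes Lee et al. replay/DoS-prone)."""
    return abs(now - m1["T1"]) <= FRESHNESS_WINDOW


def verify_v(m1: dict, sid: bytes) -> bool:
    """Step 3 check V' =? V. A replay with a refreshed T1 passes the freshness
    test, but without SID the sender cannot produce a matching V."""
    v_prime = h(m1["K"], sid, m1["r1"], m1["T1"].to_bytes(8, "big"))
    return secrets.compare_digest(v_prime, m1["V"])


def accept_m1(m1: dict, sid: bytes, now: int) -> str:
    """Combined receiver decision; returns the reason for a rejection."""
    if not freshness_ok(m1, now):
        return "rejected: stale T1"
    if not verify_v(m1, sid):
        return "rejected: V mismatch"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample values; K, SID and r1 are random 32-byte strings here.
    sid, K, r1 = (secrets.token_bytes(32) for _ in range(3))
    m1 = build_m1(b"HN", K, sid, r1, t1=1_700_000_000)
    print("genuine, in window:", accept_m1(m1, sid, now=1_700_000_010))
    print("verbatim replay   :", accept_m1(m1, sid, now=1_700_000_600))
    refreshed = dict(m1, T1=1_700_000_600)  # same V, new timestamp
    print("replay, fresh T1  :", accept_m1(refreshed, sid, now=1_700_000_605))
```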

Security requirements and performance analysis
This section presents the security requirements analysis and the computation cost analysis of our proposed scheme. The first subsection compares the different security requirements, and the second demonstrates the computation cost analysis, cost comparison and execution time comparison with other schemes.

Security requirements
To evaluate the different security requirements, this article compares the following requirements with the Yoon et al. [25], Mun et al. [29] and Lee et al. [30] schemes: R1: Node anonymity; R2: Node traceability; R3: Man-in-the-middle attack; R4: Backward/forward secrecy; R5: Replay and DoS attacks; R6: Known-key attacks; R7: User friendliness; R8: Local user and password verification; R9: Insider attacks; R10: Mutual authentication; R11: Impersonation attacks; R12: Efficiency in user authentication; R13: Formal verification. As shown in Table 2, only our proposed protocol fulfils all the security requirements. Furthermore, it provides user friendliness and mutual authentication and has been formally tested with the well-known verification tool ProVerif. The detailed comparison is shown in Table 2.

Computation cost analysis
The main focus of the proposed protocol is to safeguard against the security attacks and issues present in the Lee et al. proposal for global mobility networks. In addition, the proposed protocol provides a realistic solution with reasonable computational cost. In this subsection the protocol is compared with the security protocols of Mun et al. and Lee et al. based on the number of XOR operations, concatenations and hash operations used in each protocol; the notation for each term is given in Table 3. To analyze the computation cost of the proposed protocol, the experimental measurements of Kilinc and Yanik [32] have been adopted for the different cryptographic operations and functions. According to Kilinc and Yanik [32], a single hash operation takes 0.0023 ms of computation time. The results are shown in Table 4 and Fig 9, from which it is clear that the proposed scheme performs efficiently. In addition, our proposed scheme satisfies all security requirements using a minimum of cryptographic operations and functions. The proposed security protocol attains mutual authentication and node anonymity and has strong resistance against different security attacks.

Conclusion
This article scrutinized Lee et al.'s authentication scheme and showed that it suffers from several security weaknesses. We propose a lightweight and secure two-factor authentication protocol based on lightweight cryptographic primitives such as XOR, one-way hash (owh) and concatenation operations. The formal verification with ProVerif, a well-known automated tool, confirms the correctness of the proposed scheme, and the informal security analysis demonstrates that it withstands different attacks. The security comparison and performance analysis show that the proposed scheme is resistant against all possible attacks and performs very efficiently, making it suitable for practical environments.