An improved and efficient mutual authentication scheme for session initiation protocol

Qiu et al. made a security analysis of the protocols of Chaudhry et al. and Kumari et al. in 2018, and they pointed out that there are many security weaknesses in those protocols. To improve the security, Qiu et al. proposed an advanced authentication scheme for the Session Initiation Protocol on the basis of the previous protocols and claimed that their own protocol was very secure and practical. However, we demonstrate that the protocol of Qiu et al. has a serious mistake which prevents their protocol from executing normally. Beyond that, we also find that their protocol cannot withstand insider attack and denial-of-service attack. In order to remove these weaknesses, we propose an efficient provably secure mutual authentication scheme. Furthermore, we analyze the security of our scheme with the help of Burrows-Abadi-Needham (BAN) logic. Compared with their protocol, ours has greater security and better performance.


1 | Introduction
As the network has become universal, we often send messages, make phone calls and watch videos over it, which brings great convenience to our lives. However, network security issues have become increasingly prominent. In order to enhance the security of the Session Initiation Protocol (SIP) in network communication, many scholars have proposed numerous solutions. The first SIP authentication scheme, based on Hypertext Transfer Protocol (HTTP) authentication, was proposed in 1999 [1], but Yang et al. [2] proved in 2005 that the scheme was insecure and proposed an improved scheme. In fact, the scheme of Yang et al. still has security loopholes. Later, although some scholars tried to design secure and practical schemes [3][4][5][6][7][8][9][10][11], most of these schemes have flaws of one kind or another.
In recent years, Zhang et al. [12] proposed a remote mutual authentication protocol with user anonymity for SIP, but there are many loopholes in their protocol as well. As expected, Lu et al. [13] showed in 2016 that their protocol lacks mutual authentication and cannot resist insider attack. In order to remove these weaknesses, Lu et al. proposed a new protocol based on the protocol of Zhang et al., but it still had fatal security weaknesses. Chaudhry et al. [14] found that the scheme of Lu et al. is vulnerable to impersonation attack. Besides, Kumari et al. [15] showed that the scheme of Lu et al. cannot withstand identity guessing attack and forgery attack. Based on their conclusions, Chaudhry et al. proposed a mutual authentication protocol, and Kumari et al. proposed an authentication protocol too. However, Qiu et al. [16] demonstrated that the schemes of Chaudhry et al. and Kumari et al. are vulnerable to several attacks, including insider attack and off-line guessing attack. To overcome these defects, Qiu et al. proposed an improved mutual authentication scheme, claiming that the scheme not only resists the above attacks, but also generates random numbers instead of timestamps, avoiding the problem that clocks are difficult to synchronize. We have to admit that the improved scheme of Qiu et al. did remove certain weaknesses. But after our analysis, we find that the scheme of Qiu et al. has a serious mistake which prevents the scheme from executing properly, and that it cannot resist some attacks. In the worst case, the adversary can interfere with a user's password update and even access crucial information of a legal user. In order to overcome these weaknesses, we design a new, more secure and higher-performance scheme.
The rest of this paper is organized into seven sections. Section 2 reviews Qiu et al.'s scheme. In Section 3 we analyze the weaknesses of Qiu et al.'s scheme. Section 4 describes our proposed scheme. Sections 5 and 6 provide the security analysis and the security proof. Section 7 gives the performance comparison between our scheme and the related schemes of other scholars. Finally, Section 8 concludes the paper.

2 | Review of the scheme of Qiu et al.
In this section, we briefly review Qiu et al.'s scheme [16], which contains three phases: the registration phase, the login and authentication phase and the password update phase. The details of the three phases are as follows.
Before we show each phase, the notations used throughout this paper are introduced in Table 1.

2.1 | Registration phase
During the registration phase, user U and server S perform the following operations to complete registration.

A. U → S: {Id, HId}:
A user U registers with server S with his/her identity Id, password Pw and secret key Up. After that, U computes VPw = h(Pw ‖ Up) and HId = h(Id ‖ VPw) and transmits {Id, HId} to server S.

2.2 | Login and authentication phase
If a user U has completed the registration phase successfully and wants to send an access request to the server S, U and S perform the following steps. If Auth'_u is not equal to Auth_u, S terminates the session. Otherwise, the user U communicates with server S based on the common session key sk = sk_u = sk_s = r · r' · Q_s.

2.3 | Password update phase
If a legitimate user U wants to change his or her own password Pw for some reason, the following steps are performed.

3 | Weaknesses of the scheme proposed by Qiu et al.
In this section, we analyze the weaknesses of Qiu et al.'s scheme [16] carefully. After our study, we find that their scheme has a serious mistake which prevents the scheme from executing normally. What is more, their scheme cannot resist insider attack or denial-of-service attack, and it gives the user U a poor experience [17].

3.1 | Serious mistake
In the registration phase of Qiu et al.'s scheme, we notice that the value N is stored in the database alone. As is well known, some information such as the identity Id should be stored together with N in the database. Otherwise, in the login and authentication phase of their scheme, when S receives a message from a user, S cannot locate the corresponding N in the database without such associated information. So, the scheme of Qiu et al. cannot be carried out normally. Perhaps Qiu et al. simply forgot the associated information; here we supply it on the basis of their scheme. In registration, S only learns the values Id, HId and N related to U. HId is the most important secret data during the entire protocol execution, so the server cannot store HId in the database and stores Id instead. We assume a semi-honest server S' that has the ability to obtain and compute the sensitive information in the server. If Id is stored together with N, we notice that an adversary S' can obtain {Id*, Up*, Pw*} of a legitimate user U* in the login and authentication phase by an off-line guessing attack; the specific steps are as follows.
Step 1: According to the login and authentication process in the scheme of Qiu et al., S' obtains the values HId* and W* when computing HId* = N* ⊕ h(S_p) and W* = B* ⊕ h(HId* ⊕ Y*). Besides, because Id* is stored together with N*, S' can also obtain the corresponding value Id*.
Step 2: After obtaining user U's sensitive information {Id*, HId*, W*}, S' can guess the value of Up* from the identity space by checking each guess against W* = h(Id* ‖ Up*). In the same way, S' can guess the value of Pw* from the identity space. Through the above steps, S' has successfully obtained the information {Id*, Up*, Pw*} of the legal user U*.

3.2 | Insider attack
In this part, we assume that a malicious insider adversary A can obtain some sensitive information from the database of server S. In Qiu et al.'s scheme, the adversary A can carry out an insider attack by registering as a legitimate user. First, he registers as a legitimate user with identity Id*, password Pw* and secret key Up*; S then stores the corresponding value N* in the database, and he can read the value N* from the database of server S. After that, A has the information {Id*, Up*, Pw*, N*}. From the formulas HId = h(Id ‖ h(Pw ‖ Up)) and HId = N ⊕ h(S_p), A can compute h(S_p) = N* ⊕ h(Id* ‖ h(Pw* ‖ Up*)). In addition, A can read another user's N' from the database, so he obtains that user's corresponding HId' by the formula HId' = N' ⊕ h(S_p). In the login and authentication phase, A can impersonate the user U' to access server S using the corresponding N' and HId'. The specific steps are as follows.
D. After receiving the message {Auth_u}, S computes Auth'_u = h(sk_s ‖ W'' ‖ Y'' ‖ E) and finds that Auth'_u is equal to Auth_u. Finally, the user U' communicates with server S based on the common session key sk = sk_u = sk_s = r' · r' · Q_s. We conclude that A can masquerade as an arbitrary legitimate user to enter server S by an insider attack.

3.3 | Denial-of-service attack
We assume that an adversary A is able to intercept the messages transmitted between U and S. In the password update phase of Qiu et al.'s scheme, U sends the computed values V and M to S. The adversary A intercepts the message {V, M}, forges M' by generating a random number, and transmits {V, M'} to S. Apparently, A passes the verification of S, which only checks whether V is equal to V*. After that, S computes N_new = h(S_p) ⊕ h(Id ‖ sk) ⊕ M' and replaces N with N_new in the database. Because N_new is falsified, the user U will fail verification in the next login and authentication phase.
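As an added illustration that is not part of the original paper, the following Python model captures the shape of the weakness just described: the server's check of V does not cover the value M that drives the database update, so a modified M is accepted and the stored N no longer matches what the user derived. The definition V = h(Id ‖ sk), and the hardened variant that binds M into V, are assumptions of this model, not formulas from Qiu et al.'s scheme; the N_new formula is the one quoted above.

```python
import hashlib
import os

# Toy model of the password-update exchange (added example, not the paper's code).
# h = SHA-256 over length-prefixed parts, so "a ‖ b" is unambiguous; all XOR
# operands are 32-byte digests.

def h(*parts: bytes) -> bytes:
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Server:
    def __init__(self, s_p: bytes, bind_m: bool):
        self.s_p = s_p
        self.db = {}          # Id -> N
        self.bind_m = bind_m  # False: verifier covers only (Id, sk); True: also covers M

    def update(self, id_: bytes, sk: bytes, V: bytes, M: bytes) -> bool:
        # Assumed verifier: V = h(Id ‖ sk) in the weak variant, h(Id ‖ sk ‖ M) in the hardened one.
        expected = h(id_, sk, M) if self.bind_m else h(id_, sk)
        if V != expected:
            return False
        # N_new = h(S_p) ⊕ h(Id ‖ sk) ⊕ M   (formula quoted in the text above)
        self.db[id_] = xor(xor(h(self.s_p), h(id_, sk)), M)
        return True

def update_survives_tampering(bind_m: bool) -> bool:
    """True when a substituted M is accepted and leaves the server holding an N
    that differs from the one the genuine update would have produced."""
    s_p, id_, sk = b"server-secret", b"alice", os.urandom(32)   # constructed values
    srv = Server(s_p, bind_m)
    M = os.urandom(32)                                   # user's genuine update value
    V = h(id_, sk, M) if bind_m else h(id_, sk)          # user's verifier
    tampered_M = os.urandom(32)                          # value changed in transit
    accepted = srv.update(id_, sk, V, tampered_M)
    # Reference N_new for the genuine M, computed here only for comparison.
    genuine_N = xor(xor(h(s_p), h(id_, sk)), M)
    return accepted and srv.db.get(id_) != genuine_N

if __name__ == "__main__":
    print("weak check corrupts N:", update_survives_tampering(False))   # True
    print("bound check corrupts N:", update_survives_tampering(True))   # False
```

The hardened variant only demonstrates the general principle that every field which changes server state must be covered by the verifier; the paper's own remedy is the redesigned password update phase in its proposed scheme.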

4 | Our proposed scheme
In this section, in order to improve security, we design an efficient provably secure mutual authentication scheme. Compared with the scheme of Qiu et al., our proposed scheme can resist various attacks and users have less to remember. Our scheme consists of three phases: the registration phase (see Fig 1), the login and authentication phase (see Fig 2) and the password update phase (see Fig 3). The proposed scheme is described as follows.

4.1 | Registration phase
For a legal user U who wants to access the system, the necessary step is to register with the server S by submitting identity ID and password PW. User U and server S perform the following steps.

4.2 | Login and authentication phase
When a user U wants to acquire service from server S, he or she inserts his or her smart card into the card reader and enters his or her identity ID and password PW. U and S perform the following steps.

4.3 | Password update phase
If a user U needs to change the password PW for any reason, he or she only needs to input identity ID, password PW and new password PW_new. User U and server S perform the following steps.

5 | Security analysis
In this part, we demonstrate that our scheme is secure and practical and satisfies various security requirements. We assume that an adversary A may perform various attacks [18][19][20][21]. More detailed information is as follows.

5.1 | Insider attack
Assume that an adversary A can obtain the N and HId of a legitimate user stored in the database. The computational formulas are HId = h(ID ⊕ r), N = VPw ⊕ h(S_p ‖ HId), VR = h(PW ⊕ ID) ⊕ r, R = h(S_p ⊕ VPw) and VPw = h(PW ‖ ID ‖ r). Without the random number r, A cannot obtain the sensitive information ID or PW and cannot compute important secret data such as R and VPw from the known data. Therefore, our scheme can resist insider attack.
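As an added example (not code from the paper), the following Python model contrasts the masking of N in the two registration equations: Qiu et al.'s N = HId ⊕ h(S_p), reviewed in the insider attack subsection of Section 3, and the proposed N = VPw ⊕ h(S_p ‖ HId) quoted just above. It reproduces the XOR cancellation from Section 3 against an in-memory toy database and checks that the same cancellation against the proposed equations yields only the insider's own per-user mask, which does not unmask anyone else's record. SHA-256 for h, length-prefixed concatenation for ‖ and zero-padding of ID to 32 bytes before ID ⊕ r are modelling assumptions, since the page does not specify encodings.

```python
import hashlib
import os

# Added toy model of the two registration equations; values are 32-byte digests
# so that ⊕ is well defined. Not the paper's code.

def h(*parts: bytes) -> bytes:
    """h(a ‖ b ‖ ...): SHA-256 over length-prefixed parts."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def pad32(s: bytes) -> bytes:
    return s.ljust(32, b"\x00")[:32]   # modelling assumption for ID ⊕ r

# Qiu et al.: HId = h(Id ‖ h(Pw ‖ Up)), N = HId ⊕ h(S_p).
# Every user's N is masked with the SAME server-wide value h(S_p).
def qiu_register(s_p: bytes, id_: bytes, pw: bytes, up: bytes) -> bytes:
    hid = h(id_, h(pw, up))
    return xor(hid, h(s_p))            # N stored in the database

# Proposed scheme: HId = h(ID ⊕ r), VPw = h(PW ‖ ID ‖ r), N = VPw ⊕ h(S_p ‖ HId).
# The mask h(S_p ‖ HId) is keyed per user through HId, which depends on a fresh r.
def proposed_register(s_p: bytes, id_: bytes, pw: bytes, r: bytes):
    hid = h(xor(pad32(id_), r))
    vpw = h(pw, id_, r)
    n = xor(vpw, h(s_p, hid))
    return hid, n                      # (HId, N) stored in the database

def qiu_mask_is_global(s_p: bytes) -> bool:
    """Section 3's observation: one registered user who knows his own inputs and
    his own N learns h(S_p), and that single value unmasks every other record."""
    n_ins = qiu_register(s_p, b"insider", b"pw-i", b"up-i")   # constructed insider record
    n_vic = qiu_register(s_p, b"alice", b"pw-a", b"up-a")     # constructed honest record
    hid_vic = h(b"alice", h(b"pw-a", b"up-a"))
    recovered_mask = xor(n_ins, h(b"insider", h(b"pw-i", b"up-i")))   # = h(S_p)
    return xor(n_vic, recovered_mask) == hid_vic                       # mask cancels

def proposed_mask_is_per_user(s_p: bytes) -> bool:
    """Under the proposed equations the same cancellation yields only
    h(S_p ‖ HId_insider), which does not strip the mask from another user's N."""
    r_i, r_a = os.urandom(32), os.urandom(32)
    hid_i, n_i = proposed_register(s_p, b"insider", b"pw-i", r_i)
    hid_a, n_a = proposed_register(s_p, b"alice", b"pw-a", r_a)
    recovered = xor(n_i, h(b"pw-i", b"insider", r_i))   # = h(S_p ‖ HId_i)
    return xor(n_a, recovered) != h(b"pw-a", b"alice", r_a)   # VPw_a stays hidden

if __name__ == "__main__":
    print("Qiu mask shared across users:", qiu_mask_is_global(b"server-secret"))
    print("proposed mask per user:", proposed_mask_is_per_user(b"server-secret"))
```

The check is the kind of regression test a reviewer can keep beside a protocol model: it fails the moment a design reintroduces a single global mask derived from S_p alone.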

5.2 | User anonymity
In the public channel, we do not send ID directly but transmit HId, which is computed by the formula HId = h(ID ⊕ r). Even if A obtains the value of HId, A still cannot get the sensitive information ID, because the formula contains a random number r which A does not know. Therefore, our proposed scheme provides user anonymity.

5.3 | Replay attack
In our proposed scheme, the random numbers r_a and r_b change in every login. An adversary A can intercept the message {HId', C, Auth_u} and replay it. Obviously, A passes the verification of the server S and receives the corresponding message {D, Auth_s} from server S. But because A does not know the correct values R, VPw and r_a, he cannot compute r_b' = h(R ‖ VPw') ⊕ D and sk_u = h(r_a ‖ r_b' ‖ HId'). Therefore, our scheme is secure even under replay attack.

5.4 | Off-line password guessing attack
In our scheme, suppose an adversary A obtains the exchanged information {HId', C, Auth_u, D, Auth_s} transmitted in the public channel [22,23]. Because of the formula HId' = h(ID ⊕ r'), A is unable to guess the correct ID without r'. In addition, in the formulas VPw' = h(PW ‖ ID ‖ r') and C = h(R ⊕ VPw') ⊕ r_a, A cannot guess PW correctly without the values ID and r'. Therefore, our scheme has the advantage of resisting off-line password guessing attack.

5.5 | Smart card lost attack
If an adversary A steals the smart card, he is able to get the values VR and R stored in the smart card. Because the formulas are VR = r' ⊕ h(PW ⊕ ID) and C = h(R ⊕ h(PW ‖ ID ‖ r')) ⊕ r_a, without knowledge of r' and r_a, A cannot guess the correct identity ID and password PW. If A wants to communicate with S, he needs to construct a legitimate {HId', C, Auth_u}. Because of the formulas HId' = h(ID ⊕ r'), C = h(R ⊕ h(PW ‖ ID ‖ r')) ⊕ r_a and Auth_u = h(r_a ⊕ HId' ⊕ h(PW ‖ ID ‖ r')), without identity ID and password PW, A is unable to pass the verification of server S. Therefore, our scheme can resist smart card lost attack.

5.6 | Impersonation attack
For an adversary A in the authentication phase, if he wants to masquerade as a legal user U and log in to server S, he must forge a valid login message {HId', C, Auth_u}. It is impossible for A to forge a valid login message without the legitimate identity ID, password PW, VR and R. Similarly, if A wants to masquerade as the server S, he has to counterfeit the message {D, Auth_s}. Without the valid information N, A is unable to produce a {D, Auth_s} which passes the verification of the user U. Furthermore, in the password update phase, A is unable to forge valid C_1, C_2 and Auth_u to pass the authentication of server S. In the same way, A is unable to forge valid D and Auth_s to pass the verification of user U. Therefore, our scheme can resist impersonation attack.
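The replay, off-line guessing, smart card lost and impersonation subsections above quote all of the login-phase formulas but not the step list, so the following Python block reconstructs one complete run of the login and authentication phase with both sides' messages. It is an added example, not the paper's code or figures. Assumptions made because the page does not state them: the server looks up a user's record by HId'; the r' recovered from the smart card equals the registration-time r; the server authenticator is Auth_s = h(sk_s ⊕ r_b); ‖ is length-prefixed concatenation; and ID, PW and S_p are zero-padded to 32 bytes before ⊕.

```python
import hashlib
import os

# Added reconstruction of the proposed login phase from the quoted formulas.
# Everything marked "assumed" is not stated on the page.

def h(*parts: bytes) -> bytes:
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def xor(*vals: bytes) -> bytes:
    out = bytes(32)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def pad32(s: bytes) -> bytes:
    return s.ljust(32, b"\x00")[:32]

def register(s_p: bytes, ID: bytes, PW: bytes):
    """Registration: returns the smart card {VR, R} and the server record {HId: N}."""
    r = os.urandom(32)
    hid = h(xor(pad32(ID), r))                 # HId = h(ID ⊕ r)
    vpw = h(PW, ID, r)                         # VPw = h(PW ‖ ID ‖ r)
    n = xor(vpw, h(s_p, hid))                  # N = VPw ⊕ h(S_p ‖ HId)
    R = h(xor(pad32(s_p), vpw))                # R = h(S_p ⊕ VPw)
    VR = xor(h(xor(pad32(PW), pad32(ID))), r)  # VR = h(PW ⊕ ID) ⊕ r
    return {"VR": VR, "R": R}, {hid: n}

def user_login(card: dict, ID: bytes, PW: bytes):
    """User, message 1: {HId', C, Auth_u}."""
    r_ = xor(card["VR"], h(xor(pad32(PW), pad32(ID))))   # r' = VR ⊕ h(PW ⊕ ID)
    hid_ = h(xor(pad32(ID), r_))                         # HId' = h(ID ⊕ r')
    vpw_ = h(PW, ID, r_)                                 # VPw' = h(PW ‖ ID ‖ r')
    r_a = os.urandom(32)
    C = xor(h(xor(card["R"], vpw_)), r_a)                # C = h(R ⊕ VPw') ⊕ r_a
    auth_u = h(xor(r_a, hid_, vpw_))                     # Auth_u = h(r_a ⊕ HId' ⊕ VPw')
    return (hid_, C, auth_u), {"r_a": r_a, "hid": hid_, "vpw": vpw_}

def server_respond(s_p: bytes, db: dict, msg):
    """Server: verify message 1; on success return message 2 {D, Auth_s} and sk_s."""
    hid_, C, auth_u = msg
    n = db.get(hid_)                           # assumed lookup by HId'
    if n is None:
        return None, None
    vpw = xor(n, h(s_p, hid_))                 # VPw = N ⊕ h(S_p ‖ HId')
    R = h(xor(pad32(s_p), vpw))                # R = h(S_p ⊕ VPw)
    r_a = xor(C, h(xor(R, vpw)))               # r_a = C ⊕ h(R ⊕ VPw)
    if h(xor(r_a, hid_, vpw)) != auth_u:       # verify Auth_u
        return None, None
    r_b = os.urandom(32)
    D = xor(h(R, vpw), r_b)                    # D = h(R ‖ VPw) ⊕ r_b
    sk_s = h(r_a, r_b, hid_)                   # sk_s = h(r_a ‖ r_b ‖ HId')
    auth_s = h(xor(sk_s, r_b))                 # assumed Auth_s
    return (D, auth_s), sk_s

def user_finish(card: dict, state: dict, reply):
    """User, final step: recover r_b, derive sk_u and verify Auth_s."""
    D, auth_s = reply
    r_b = xor(h(card["R"], state["vpw"]), D)             # r_b' = h(R ‖ VPw') ⊕ D
    sk_u = h(state["r_a"], r_b, state["hid"])            # sk_u = h(r_a ‖ r_b' ‖ HId')
    return sk_u if h(xor(sk_u, r_b)) == auth_s else None

def run_session(s_p=b"server-secret", ID=b"alice", PW=b"correct horse"):
    """Full exchange on constructed inputs.
    Returns (keys agree, replayed message 1 accepted, server key of the replay differs)."""
    card, db = register(s_p, ID, PW)
    msg, state = user_login(card, ID, PW)
    reply, sk_s = server_respond(s_p, db, msg)
    sk_u = user_finish(card, state, reply)
    # Replay subsection: the same message 1 is accepted again, but the fresh r_b
    # gives a different server key, and D only yields r_b to a party holding R and VPw'.
    reply2, sk_s2 = server_respond(s_p, db, msg)
    return sk_u == sk_s, reply2 is not None, sk_s2 != sk_s

def wrong_password_rejected(s_p=b"server-secret") -> bool:
    card, db = register(s_p, b"alice", b"correct horse")
    msg, _ = user_login(card, b"alice", b"wrong")   # wrong PW gives a wrong r' and HId'
    return server_respond(s_p, db, msg) == (None, None)
```

Running run_session() confirms the two sides derive the same sk; the replay check mirrors the replay subsection, where the server accepts the repeated message but the replaying party gains no session key.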

5.7 | Man-At-The-End attack
Man-At-The-End attack [24] covers a wide range of aspects and is difficult to model. The technical adversary is a human, whom we call A here; he may have authorized and unlimited access to the target. All security protections withstand A only for a specific period of time. Because a Man-At-The-End attack takes a concrete form in a certain circumstance, one of the defense details is as follows: A could impersonate a legitimate user to register and access the sensitive value N* from the database end. His own identity ID* and password PW* are known to him. According to the formulas h(S_p ‖ HId) = VPw ⊕ N, VPw = h(PW ‖ ID ‖ r) and HId = h(ID ⊕ r), without knowledge of the random number r, he would need an impractical amount of time to compute S_p from the formula h(S_p ‖ h(ID* ⊕ r)) = h(PW* ‖ ID* ‖ r) ⊕ N*. Our scheme offers a defense, and A is unable to obtain the important information S_p.
Although A could carry out other forms of the attack, which are hard to analyze, many protective measures can defend against it, including software protection, hardware protection and digital asset protection; more details are given in reference [24]. Hence, our scheme can defend against Man-At-The-End attack.

6 | Security proof
Security model: Burrows-Abadi-Needham logic (also known as BAN logic) is a set of rules for defining and analyzing information exchange protocols [25]. Specifically, BAN logic helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both.
In this section, we demonstrate that our scheme is secure and practical by means of Burrows-Abadi-Needham (BAN) logic. We list the essential BAN-logic symbols and formulas as follows: Table 2 introduces the notation for symbols and Table 3 introduces the notation for formulas. Suppose that P and Q denote participants, X and Y denote statements, and K denotes a hash function key; the notation is explained in more detail below. We give the reasoning process based on BAN logic in the following steps.

Step 1: Our goals
In order to make our scheme practicable, we list the goals which need to be achieved. Goal 1. $U \mid\equiv S \mid\equiv (U \xleftrightarrow{sk} S)$.

7 | Performance comparison
The experience of users plays an important role in a protocol. In this part, we show a performance comparison between our scheme and the other schemes (see Fig 4). Before making a comparative analysis, we denote one elliptic curve point multiplication operation by T_pm and one hash function operation by T_h. Other operations such as generating a random number and the exclusive-OR operation take much less time and have little effect on the performance comparison, so we neglect these lightweight operations here. Before the performance simulation test, we analyze the performance of the other protocols and ours in theory, and list the theoretical time costs in Table 4. From Table 4, among those four protocols, we find that the performance of our scheme mainly depends on hash functions, while the protocols of Qiu et al. [16], Chaudhry et al. [14] and Kumari et al. [15] depend on both hash functions and elliptic curve point multiplications. In the registration phase and password update phase, we use a few more hash functions than those protocols. But the registration phase is carried out only once, so it has almost no effect on overall performance, and the password update phase is not commonly used by a given user, so it has little effect in practical applications. In the authentication phase and in total, although we use many hash functions, the other protocols all use six elliptic curve point multiplications, and T_pm is many times as costly as T_h. Compared with the other protocols, our scheme has a great advantage in computational cost in the frequently used authentication phase and in total.
We perform a simulated performance comparison under the same computer simulation environment and write programs strictly according to the schemes. In the experiment, we run each scheme one hundred times and take the average. According to Fig 4, in the registration phase, the time consumption of the schemes of Qiu et al. [16], Chaudhry et al. [14] and ours is 0.00075 s in all three cases, and that of Kumari et al.'s [15] scheme is 0.00088 s. In the password update phase, the time consumptions are 0.0018 s, 0.001 s and 0.0011 s respectively. Although those scholars' protocols perform slightly better in the registration phase and update phase, in practical application their frequently used authentication phases take more time than ours: their costs are 0.0223 s, 0.0201 s and 0.0216 s respectively, but ours is only 0.0023 s. From the comparative analysis, our total time is less than the others'. Obviously, our scheme is more efficient and more practical in application.

8 | Conclusion
In this paper, we review Qiu et al.'s protocol and find that it is vulnerable to some known attacks such as insider attack and denial-of-service attack, and we carry out a strict security analysis of their scheme. Next, in order to solve these problems, we propose a more secure and more convenient scheme. Security analysis shows, with sufficient reasons, that our scheme can resist insider attack, off-line password guessing attack and more. Then, in the security proof section, we adopt BAN logic to prove that our scheme is secure and realizable. In the end, we make a performance comparison; the result shows that our scheme is more suitable for users in SIP, because under the same conditions we can establish connections faster. In conclusion, compared with other protocols, our scheme is more secure and practical.