A lightweight and secure two factor anonymous authentication protocol for Global Mobility Networks

  • Ahmed Fraz Baig ,

    Contributed equally to this work with: Ahmed Fraz Baig, Khwaja Mansoor ul Hassan, Anwar Ghani, Shehzad Ashraf Chaudhry, Imran Khan, Muhammad Usman Ashraf

    Roles Conceptualization, Data curation, Formal analysis, Investigation, Methodology, Resources, Validation, Visualization, Writing – original draft, Writing – review & editing

    ahmed.mscs812@iiu.edu.pk

    Affiliation Department of Computer Science & Software Engineering, International Islamic University, Islamabad, Pakistan

  • Khwaja Mansoor ul Hassan ,

    Roles Formal analysis, Methodology, Writing – original draft, Writing – review & editing

    Affiliation Department of Computer Science & Software Engineering, International Islamic University, Islamabad, Pakistan

  • Anwar Ghani ,

    Roles Formal analysis, Methodology, Supervision, Validation, Writing – original draft, Writing – review & editing

    Affiliation Department of Computer Science & Software Engineering, International Islamic University, Islamabad, Pakistan

  • Shehzad Ashraf Chaudhry ,

    Roles Conceptualization, Methodology, Supervision, Writing – original draft, Writing – review & editing

    Affiliation Department of Computer Science & Software Engineering, International Islamic University, Islamabad, Pakistan

  • Imran Khan ,

    Roles Data curation, Methodology, Validation, Visualization

    Affiliation Department of Computer Science & Software Engineering, International Islamic University, Islamabad, Pakistan

  • Muhammad Usman Ashraf

    Roles Data curation, Formal analysis, Visualization, Writing – review & editing

    Affiliations Department of Computer Science & Software Engineering, International Islamic University, Islamabad, Pakistan, IBMS, Agriculture University Faisalabad, Pakistan

Abstract

Global Mobility Networks (GLOMONETs) in wireless communication permit global roaming services that enable a user to leverage mobile services in any foreign country. Technological growth in wireless communication is also accompanied by new security threats and challenges. A threat-proof authentication protocol in wireless communication may overcome the security flaws by allowing only legitimate users to access a particular service. Recently, Lee et al. found the Mun et al. scheme vulnerable to different attacks and proposed an advanced secure scheme to overcome the security flaws. However, this article points out that the Lee et al. scheme lacks user anonymity, provides inefficient user authentication, is vulnerable to replay and DoS attacks, and lacks local password verification. Furthermore, this article presents a more robust anonymous authentication scheme to handle the threats and challenges found in Lee et al.'s protocol. The proposed protocol is formally verified with an automated tool (ProVerif). The proposed protocol has superior efficiency in comparison to the existing protocols.

1 Introduction

Wireless communications have been used extensively in the current decade, and internet-based applications are accessed over mobile networks at any time and from anywhere. Nowadays, roaming in mobile communication has become extremely popular. Technological improvements have also raised many security issues, because anyone can intercept the communication at any time. While traveling, mobility services ensure that wireless devices stay connected to a network without any break in connection. When a person visits another country, he/she has to use the mobile services there. Global Mobility Networks (GLOMONETs) allow a roaming user to leverage their home mobile services in a foreign country [1]. A roaming Mobile Node (MN) uses the mobile services in a foreign country with the help of its home country network. The Mobile Node (MN) connects to a foreign network in the foreign country, and the Foreign Node (FN) verifies the legitimacy of the Mobile Node (MN) through his/her home network via the Home Node (HN), as shown in Fig 1.

Authentication in a wireless environment is an essential and decisive task. Authentication is the only means of ensuring that the Mobile Node (MN) is a legitimate node [2]. Valid and threat-proof authentication is required to prevent illegal usage. Numerous symmetric, asymmetric, and lightweight hash- and XOR-based authentication schemes have been proposed to provide mutual authentication and node anonymity and to handle different security flaws in GLOMONETs [3–15]. A threat-proof authentication scheme fulfills the following requirements: Node anonymity (R1); Node traceability (R2); Man-in-the-middle attack (R3); Backward/forward secrecy (R4); Replay and DoS attacks (R5); Known-key attacks (R6); Friendliness (R7); Local node and password verification (R8); Insider attacks (R9); Mutual authentication (R10); Impersonation attacks (R11).

Suzuki et al. [16] in 1997 presented a distributed-security-based authentication scheme to enable a user to access mobile services in a foreign country. Zhu et al. [17] in 2004 presented an authentication protocol that provides mutual authentication and implicit mutual secret-key management. Lee et al. [18] disclosed that the Zhu et al. [17] scheme is unable to attain mutual authentication; moreover, the scheme does not provide backward secrecy or resist impersonation attacks. Lee et al. [18] presented an enhanced authentication protocol to efficiently resolve the imperfections of scheme [17]. Later, Wei et al. [19] also noted that the Zhu et al. [17] scheme fails to achieve user anonymity and also discloses secret information. To overcome these issues, Wei et al. [19] presented a more enhanced protocol that provides secure features like user anonymity and mutual authentication. Wu et al. [20] also found that the Lee et al. [18] protocol does not achieve backward secrecy or user anonymity and is vulnerable to off-line key guessing attacks. Thus, Wu et al. [20] proposed an efficient protocol that resists the aforementioned attacks. He et al. [21] noted that the Wu et al. [20] protocol is unable to achieve user anonymity and is also vulnerable to replay and forgery attacks. Therefore, He et al. [21] presented a lightweight authentication scheme with strong resistance to stolen-verification attacks. Li et al. [22] pointed out that the He et al. [21] protocol is unable to provide user anonymity and also provides an unfair key-exchange system. Li et al. [22] presented a protocol that provides user anonymity and a fair key-agreement system. Li et al. [23] pointed out that Li et al.'s [22] protocol is inefficient due to extra computational cost. Das [24] also pointed out that the Li et al. [22] protocol cannot withstand replay attacks. Yoon et al. [25] presented a new lightweight authentication protocol to handle the loopholes of different protocols, with the features of mutual authentication, user friendliness, and user anonymity. Niu et al. [26] examined the Yoon et al. [25] protocol and proved that it does not provide user anonymity and also has an insecure key management system. Therefore, Niu et al. [26] presented a novel authentication protocol that provides user anonymity. Jiang et al. [27] also pointed out that the He et al. protocol [21] does not provide strong two-factor authentication; furthermore, the protocol is vulnerable to insider and replay attacks and fails to provide user friendliness. The protocol presented by Jiang et al. [27] improves privacy and authentication. Wen et al. [28] proved that the Jiang et al. [27] protocol does not resist the replay attack and the password-based verification attack. Wen et al. [28] presented a new protocol that does not enable the users to share the secret key. Mun et al. [29] presented a new lightweight scheme based on hash and concatenation operations. Lee et al. [30] found that the Mun et al. [29] scheme cannot withstand man-in-the-middle and masquerade attacks and does not provide perfect forward secrecy. They proposed a more efficient protocol for GLOMONETs.

This article shows that the Lee et al. [30] scheme suffers from unfair user registration and inefficient user authentication, is unable to provide local user/password verification, and is vulnerable to replay and DoS attacks.

2 Contributions

This article presents a detailed analysis of the Lee et al. protocol to check its strength against various attacks. As a result, the following improvements are contributed:

  1. Various security weaknesses of the Lee et al. protocol have been identified and elaborated in this paper.
  2. A new and lightweight protocol has been proposed in this article which resists different possible attacks and provides the requirement of user friendliness.
  3. The proposed protocol has been formally verified using an automated tool “ProVerif” to ensure its security strength.
  4. Finally, the proposed protocol has been analyzed for computation and communication efficiency showing better performance than its counterpart protocols.

3 Brief review of Lee et al. scheme

Lee et al. presented a lightweight authentication scheme using simple hash, XOR and concatenation operations. This section presents a precise review of the four phases of the Lee et al. scheme [30] in the following sequence: the registration phase, the AESK phase, the session-key update phase, and the password alter phase. The notation guide is given in Table 1.

3.1 Registration phase

The registration phase of the Lee et al. scheme is between the Mobile Node (MN) and the Home Node (HN). The Mobile Node (MN) and Home Node (HN) perform the registration in the following steps:

  1. Step 1: The Mobile Node (MN) chooses {password PWMN, nonce s} and computes EID = h(IDMN ‖ PWMN) ⊕ s. Afterward, MN forwards a message M = {EID} to the Home Node (HN) over a secure channel.
  2. Step 2: The Home Node (HN) obtains the message M, calculates S = h(EID ‖ h(SKHN)), and sends S to MN.
  3. Step 3: Upon receiving S, the MN computes SPW = S ⊕ h(PWMN). Finally, the MN stores SPW and s in the smartcard (SC).

3.2 Authentication and establishment of session-key(AESK Phase)

The AESK phase of Lee et al. [30] is performed in the following steps:

  1. Step 1: MN → FN: M1 = {EID′, VMN, QMN, NMN}
    The Mobile Node (MN) calculates EID′ = h(IDMN ‖ PWMN) ⊕ s and S′ = h(EID ‖ h(SKHN)). MN chooses two nonces snew, NMN. Afterward, MN calculates the following values , VMN = EIDnew ⊕ h(S′‖NMN) and QMN = h(EIDnew‖S′‖NMN). Finally, a login request message M1 = {EID′, VMN, QMN, NMN} is forwarded to the Foreign Node (FN).
  2. Step 2: FN → HN: M2 = {EID′, VMN, QFN, NMN, VFN, IDFN}
    After receiving the message M1, the Foreign Node (FN) generates a nonce NFN and calculates QFN = h(QMN‖NFN‖SKFN), VFN = NFN ⊕ h(SKFN). The Foreign Node (FN) sends the message M2 = {EID′, VMN, QFN, NMN, VFN, IDFN} to the Home Node (HN).
  3. Step 3: HN → FN: M3 = {VHN}
    Upon receiving the message M2, the HN computes S′ = h(EID′‖h(SKHN)) and afterward computes and retrieves , after that HN computes SKFN = h(IDFN‖SKHN), NF = VF ⊕ h(SKHN). Afterward, HN verifies for authentication of the Mobile Node (MN) and Foreign Node (FN). Furthermore, the Home Node (HN) computes Snew = h(EIDNew‖h(SKHN)), VHN = (EIDnew‖S‖Snew) ⊕ h(SKFN‖NFN) and forwards M3 to FN.
  4. Step 4: FN → MN: M4 = {VFN2, QFN2, NFN2}
    Upon receiving M3, FN derives (EIDnew‖S‖Snew) and verifies . If the verification holds, then the Foreign Node (FN) authenticates the Mobile Node (MN) and Home Node (HN). Afterward, FN generates a nonce and computes VFN2 = Snew ⊕ h(S‖NFN2), QFN2 = h(EID‖Snew‖NFN2) and transmits M4 to the Mobile Node (MN).
  5. Step 5: Upon receiving M4, the Mobile Node (MN) calculates Snew and checks to authenticate the Foreign Node (FN). Afterward the FN updates SPWnew = Snew ⊕ h(PWMN) for further use. For a session communication, the Mobile Node (MN) computes KFM = h(NMN‖NFN2‖S), QMF = h(NMN‖S‖NFN2‖Snew) and sends QMF to the Foreign Node (FN) for reconfirmation.
  6. Step 6: FN verifies and computes KFM = h(NMN‖NFN2‖S) for the communication of the current session.

3.3 Session-Key update phase

  1. Step 1: The Mobile Node(MN) selects a nonce and calculates UMN = NMNh(SNMNNFN2), and transmits to FN
  2. Step 2: The Foreign Node(FN) computes and checks . Afterward, FN selects a nonce and calculates , . Afterward, FN transmits UFN and to MN.
  3. Step 3: Mobile Node(MN) receives message and calculates . Afterward, MN update , and transmits to FN
  4. Step 4: Foreign Node(FN) verifies and updates and completes update phase.

3.4 Password alter phase

  1. Step 1: The Lee et al. scheme enables a Mobile Node (MN) to update his/her password. When a Mobile Node (MN) wishes to update the password, the Mobile Node (MN) has to log in with IDMN and password PWMN.
  2. Step 2: MN uses the new password and calculates EIDnew = h(IDMN) ⊕ PWNew) ⊕ SNew. Furthermore, for the authentication and establishment phase, SPWNew is computed and SNew is encrypted with the old password PWMN, SPWNew = SNew ⊕ PWMN, and for this phase the new password PWNew is used to encrypt SNew, SPWNew = SNew ⊕ PWNew. At the end, the password is altered successfully.

4 Security weaknesses of Lee et al. scheme

This section demonstrates the security weaknesses of the Lee et al. scheme [30]. The Lee et al. scheme suffers from unfair user registration and inefficient user authentication and is vulnerable to replay and DoS attacks; furthermore, it does not provide local user and old password verification. A detailed discussion is given in the following subsections:

4.1 Unfair user registration and inefficient user authentication

The Lee et al. scheme suffers from a serious flaw in the registration phase. The Mobile Node (MN) computes EID = h(IDMN ‖ PWMN) ⊕ s and sends EID to the Home Node (HN) for registration in step 1. Here the Mobile Node (MN) takes a one-way hash (OWH) of IDMN and password PWMN. When the Home Node (HN) receives the registration request message EID, the HN is not able to extract the identity IDMN from EID because there is no mechanism for reversing the hash. Hence, the Home Node (HN) would be unable to recognize the user at registration time and the registration request would be rejected.

In the AESK phase of the Lee et al. scheme, the Home Node (HN) receives, through the Foreign Node (FN), the login request sent by the Mobile Node (MN). The identity of MN is contained in EID′. To authenticate the Mobile Node (MN), the Home Node (HN) searches for the identity of the Mobile Node (MN) in its database. However, IDMN does not exist in the Home Node (HN) database, so the Home Node (HN) cannot recognize the user who has sent the login request; as a result, the Home Node (HN) will reject the authentication request.

4.2 Replay and DoS attacks

In the Lee et al. scheme, an adversary A can intercept the channel and obtain the login-request message M1 = {EID′, VMN, QMN, NMN}. As no timestamp or sequence number is associated with the login message M1, the adversary A can replay M1 in the login phase later on. Likewise, the adversary A can perform replay attacks in step 2 with M2 = {EID′, VMN, QFN, NMN, VFN, IDFN}, in step 3 with M3 = VHN and in step 4 with M4 = {VFN2, QFN2, NFN2} of the authentication phase, because no timestamps or sequence numbers are used with any message. Although the adversary A is unable to compute the session key, A can intentionally send too many login requests to overwhelm the MN, FN and HN. Repeated replay attacks in large numbers can exhaust communication and computation resources and lead to Denial of Service (DoS) attacks that may prevent legal users from accessing the resource.

4.3 Lack of local user and password verification

The Lee et al. scheme does not verify the old password in phase 5, the password alter phase. Any malicious user with a stolen smartcard (SC) can submit a request to change the password. Although the malicious user would not succeed in this process, he/she can send multiple requests, which also leads to DoS as discussed previously. Furthermore, suppose that in the login phase a Mobile Node (MN) unintentionally inputs IDMN and an old PWMN. Before transmitting the login request to the Home Node (HN), the scheme does not verify whether the identity ID or password PW is correct. Even if the user enters an old password PWMN for login, the authentication steps (1-4) can still be executed with the old ID/PW. Although the Home Node (HN) would reject authentication at step 4, this process incurs unnecessary computation and communication overhead. Hence, the smartcard (SC) cannot verify the identity and password of the Mobile Node (MN) at the login phase, which demonstrates the inefficiency of the Lee et al. scheme.

5 Proposed scheme

The proposed scheme consists of the following phases: the registration phase, the login and authentication phase, and the password change phase. A detailed description of these phases follows:

5.1 Registration phase

The registration phase of the proposed scheme is between the Mobile Node (MN) and the Home Node (HN). In the registration phase, the Mobile Node (MN) freely chooses an identity IDMN, password PWMN and a random number (natural number). Afterward, the MN computes U = h(PWMN ‖ r) and transmits a registration request message M = {IDMN, U} to HN over a secure channel.

When the Home Node(HN) receives the registration request message he/she selects a random number and computes the following: (1) (2)

Here RT is the registration time. After that, the Home Node (HN) stores {B, NMN, m, h(.)} in the SC, and the smart card (SC) is then issued to MN through a reliable network channel.

The Mobile Node (MN) regenerates r and stores it in the smartcard (SC). Now {B, U, r, h(.)} are stored in the SC database.

5.2 Login and authentication phase

For the authentication phase we presume that the Mobile Node (MN) is in a foreign country under the administration of a foreign network. The Mobile Node (MN) intends to use the mobile services in the foreign area. To use the mobile services in the foreign region, the Mobile Node (MN) has to log in with identity IDMN and password PWMN; afterward, for security and legitimacy, he/she authenticates himself/herself with the help of the Foreign Node (FN) and Home Node (HN), as shown in Fig 2. After successful authentication, the Mobile Node (MN) will use the services in collaboration with the host country's network.

  1. Step 1: MN → FN: M1 = {IDHN, K, V, r1, T1}
    In the first step, the user MN puts his/her smart card (SC) into the machine and uses his/her identity IDMN and password PWMN for login. On the login request, the machine calculates B′ = Uh(IDMNm) that was saved at the registration phase, and afterward MN compares whether ; if not, the session is terminated and the login request is rejected. If both B′ and B are the same, then the legality holds. The smartcard (SC) chooses a random number r1 and calculates the following: (3) (4) (5) where T1 is the timestamp of the Mobile Node (MN). Finally, MN sends the login request message M1 to the Foreign Node (FN) over a public channel.
  2. Step 2: FN → HN: M2 = {M1, Y, r2, T2}
    After receiving the message M1, the Foreign Node (FN) checks the freshness of T1; if the comparison fails, FN does not accept the login request. Afterward, the Foreign Node (FN) generates a nonce r2 and calculates the following equations: (6) where FHk is a pre-shared key between FN and HN. Afterward, the Foreign Node (FN) transmits M2 to the Home Node (HN).
  3. Step 3: HN → FN: M3 = {V1, k0, K*, T3}.
    When HN obtains M2, the Home Node (HN) confirms the freshness of timestamp T2 and afterward verifies both values and if the comparison does not match, the Home Node (HN) rejects M2 and terminates the session. Afterward, the Home Node (HN) generates a nonce r3 and computes the following values: (7) (8) (9) (10) (11) When the Home Node has verified all steps, M3 = {V1, k0, K*, T3} is sent to the Foreign Node (FN).
  4. Step 4: FN → MN: M4 = {M3, r2, T4}
    When FN obtains message M3, he/she confirms the freshness of T3; if the freshness check fails, the FN rejects the message, otherwise the Foreign Node (FN) computes the following equations: (12) After that, for further processing, the message M4 = {M3, r2, T4} is transmitted to the Mobile Node (MN).
    Upon receiving the message M4, the Mobile Node (MN) confirms the freshness of T3; if the timestamp is fresh, it then checks ; if the resultant values do not match, the Mobile Node (MN) terminates the session. Otherwise, the authentication procedure is completed by the Foreign Node (FN) and Home Node (HN). Afterward, for further communication, the Mobile Node (MN) computes the session key as in the following equation: (13)

Fig 2. Login and mutual authentication phase of proposed scheme.

https://doi.org/10.1371/journal.pone.0196061.g002

5.3 Password change phase

The password change phase makes the scheme user friendly and enhances the security of the proposed scheme. Our proposed scheme allows the user to update or change their password. Whenever the Mobile Node(MN) requests to change the password he/she has to perform the following steps:

  1. Step 1: The proposed scheme allows the user to alter or update the password. When a user with a smartcard (SC) wants to change the password, the user has to log in with his/her identity, enter the password, and perform the following steps:
  2. Step 2: On the request, the smartcard (SC) executes and verifies the following steps: (14) After the calculation of U*, the smart card checks whether . If the values of U* and U are not the same, then the SC rejects the request; otherwise, it requests the Mobile Node (MN) to choose a new password PWnew.
  3. Step 3: The smartcard (SC) calculates the following equations: (15) N*MN = h(IDMN‖IDHN‖RT‖U*) where {B, U, NMN} are replaced with {B*, U*, N*MN} and the smartcard (SC) carries {B*, U*, r′, h(.)}.

Security analysis

This section presents the formal and informal security analysis of the proposed scheme. We formally verified the proposed scheme with the automated tool ProVerif and informally analyzed the scheme against different attacks.

5.4 Security analysis with ProVerif

ProVerif [31] is an automated reasoning tool, or verifier, for cryptographic protocols. ProVerif handles different cryptographic primitives such as encryption/decryption, MACs, signatures, hashes, symmetric and asymmetric key cryptography, and many others [33]. The formal verification of the proposed protocol was carried out with this tool; a detailed description of the code and results is given below.

The proposed scheme uses two channels. “ChSec” is a secure channel used between MN and HN in the registration phase, whereas “ChPub” is a public or insecure channel used in the login and authentication phase. Fig 3 1(a) elaborates the channels, constructs and events used in the proposed scheme. In Fig 4 1(b) the following authentication properties are verified. Query 1 verifies whether the session key is secure or not. Query 2 is used for verification process 1; it determines whether the event of the Mobile Node (MN) started and terminated successfully or not. Query 3 is used for verification process 2; it determines whether the event of the Foreign Node (FN) started and terminated successfully or not. Query 4 is used for verification process 3; it determines whether the event of the Home Node (HN) started and terminated successfully or not. Furthermore, we introduced six events, which represent the start and end of each process. Figs 5 1(c), 6 1(d) and 7 1(e) contain the full code of the three processes (MN, FN and HN).

ProVerif returns a true or false result: when a protocol fails to prove any of the required properties, the tool returns false; otherwise it returns true. The results for the proposed scheme are shown in Fig 8 1(f) and elaborated below:

Result 1 demonstrates that the process of the Home Node (HN) with identity IDHN has successfully started and terminated. Result 2 demonstrates that the process of the Foreign Node (FN) with identity IDFN has successfully started and terminated. Result 3 demonstrates that the process of the Mobile Node (MN) with identity IDMN has successfully started and terminated. Result 4 shows that the attacker does not access the session key (SK). Overall, the results demonstrate that the proposed scheme preserves secrecy and authentication.

All processes (!pHN) | (!pFN) | (!pMN) are executed in parallel.

5.5 Informal security analysis

This section presents the informal security analysis of the proposed scheme. Detailed discussions of different attacks and the countermeasures to withstand them are given in the following subsections:

5.5.1 Node anonymity.

Anonymity is considered a valuable property of a secure authentication protocol: the identity of the Mobile Node (MN) should not be revealed to anyone except the authorized participants. A secure protocol protects the personal data and sensitive information of a node so that an attacker/adversary cannot analyze any information that could help breach the security requirements. Our proposed scheme achieves the anonymity requirements because we used strong encryption techniques: we used a hash function in the registration phase, M = {IDMN, U} is sent through a secure and reliable channel, and we used random numbers that protect our messages. In the login-authentication phase, suppose adversary A captures the message M1 and tries to obtain IDMN; the identity of the Mobile Node is saved in SID, where SID = h(U ‖ RT) ⊕ NMN, and adversary A cannot extract SID. We can therefore say that our proposed scheme achieves all requirements of Mobile Node (MN) anonymity.

5.5.2 Node traceability.

For a secure protocol, traceability is a vulnerability, because node traceability may lead to many attacks. Our scheme does not disclose login information or previous history because we used random numbers (r1, r2, m). Hence, in our scheme the Mobile Node (MN) is untraceable.

5.5.3 Man in the middle attack.

In this type of attack, the malicious adversary illegitimately intercepts the communication between two parties. The adversary can capture sensitive data/information, can send or receive data at any time, and may impersonate both parties by pretending to be a legal user. In our proposed scheme, an adversary or attacker cannot perform the man-in-the-middle attack because the scheme provides mutual authentication and endpoint authentication at each side. We used the timestamps of each participant with every message {M1, M2, M3, M4}: first the time difference is checked at each end, and the session begins only if the time difference is valid. Furthermore, we used random numbers, so the adversary can neither guess any secret nor compute the session key; in addition, the proposed scheme provides fair SK establishment. Thus, our proposed scheme can withstand the man-in-the-middle attack.

5.5.4 Backward and forward secrecy.

The proposed scheme fulfills backward and forward secrecy requirements due to random numbers and freshly generated timestamps (T): with every new session, random numbers and timestamps are freshly generated. So, if the current communication keys are revealed to some malicious user, it is not possible to predict previous or future communication keys from the current keys. The adversary can neither generate the same random number nor generate fresh timestamps. Hence, the adversary cannot compute the SK. Therefore, we can say that our proposed scheme accomplishes backward/forward secrecy.

5.5.5 Replay attacks.

In replay attacks, the malicious user repeats or delays a transmission. There are three participants in Global Mobility Networks, MN, FN and HN, who authenticate each other, and four messages {M1, M2, M3, M4} are transmitted among them over a public channel. Assume an adversary A captures M1 and tries to perform a replay attack on FN. On receiving M1, FN compares the timestamps: if the timestamp is valid the message is accepted, otherwise the message is rejected by FN. If the adversary generates a timestamp T1 and the timestamp comparison succeeds, the adversary must then compute V′, which is impossible because the adversary has no knowledge of the values saved in V′, so the adversary cannot deceive FN. Similarly, we used timestamps with all messages M2, M3, M4 and a timestamp (TS) comparison at each session, as well as other comparisons of different values at different sessions, so an adversary cannot replay any message. Furthermore, without knowing IDMN an adversary is unable to compute the SK. For these reasons, our proposed scheme can resist replay attacks.
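
The following Python sketch is an added example, not code from the paper. It contrasts a login message with no time-bound field (the replay problem of section 4.2) with one whose check value also covers the timestamp T1, as argued in this subsection. The paper's equations for V are not reproduced on this page, so the check value is modelled as a hash over a hypothetical shared key; `Receiver`, `MAX_SKEW` and the cache of accepted (r1, T1) pairs are assumptions, and the cache goes beyond the paper's timestamp check to cover replays inside the acceptance window.

```python
import hashlib
import hmac

MAX_SKEW = 5.0  # assumed acceptance window in seconds; the page gives no value


def h(*parts: bytes) -> bytes:
    """Hash of length-prefixed fields, standing in for h(a ‖ b ‖ ...)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def ts(t: float) -> bytes:
    """Encode a timestamp (seconds) as fixed-width milliseconds."""
    return int(round(t * 1000)).to_bytes(8, "big")


def login_without_timestamp(key: bytes, eid: bytes, nonce: bytes) -> dict:
    """Section 4.2 shape: an authenticator over fields that never expire."""
    return {"EID": eid, "N": nonce, "Q": h(key, eid, nonce)}


def login_with_timestamp(key: bytes, eid: bytes, r1: bytes, t1: float) -> dict:
    """Section 5.5.5 shape: the check value V also covers the timestamp T1."""
    return {"EID": eid, "r1": r1, "T1": t1, "V": h(key, eid, r1, ts(t1))}


class Receiver:
    """Hypothetical verifier holding `key`; not the paper's FN/HN equations."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # (r1, T1) -> T1 for messages accepted inside the window

    def accept_without_timestamp(self, msg: dict) -> bool:
        expected = h(self.key, msg["EID"], msg["N"])
        return hmac.compare_digest(expected, msg["Q"])

    def accept_with_timestamp(self, msg: dict, now: float) -> str:
        # 1. Cheap freshness test first, before any hashing is spent.
        if abs(now - msg["T1"]) > MAX_SKEW:
            return "stale"
        # 2. Recompute V' over the received fields, timestamp included.
        expected = h(self.key, msg["EID"], msg["r1"], ts(msg["T1"]))
        if not hmac.compare_digest(expected, msg["V"]):
            return "bad-check-value"
        # 3. Addition beyond the page: reject a second copy inside the window.
        self.seen = {p: t for p, t in self.seen.items()
                     if abs(now - t) <= MAX_SKEW}
        pair = (msg["r1"], msg["T1"])
        if pair in self.seen:
            return "replayed"
        self.seen[pair] = msg["T1"]
        return "ok"


def demo() -> dict:
    # All values below are constructed sample inputs.
    key = b"constructed-shared-secret"
    eid, nonce = b"constructed-EID", b"constructed-nonce"
    t0 = 1_000_000.0
    rx = Receiver(key)
    old = login_without_timestamp(key, eid, nonce)
    new = login_with_timestamp(key, eid, nonce, t0)
    rewritten = dict(new, T1=t0 + 60)  # captured message with a fresh T1 pasted in
    return {
        "old_first": rx.accept_without_timestamp(old),
        "old_replay": rx.accept_without_timestamp(old),
        "new_first": rx.accept_with_timestamp(new, t0 + 0.2),
        "new_replay_in_window": rx.accept_with_timestamp(new, t0 + 1),
        "new_replay_later": rx.accept_with_timestamp(new, t0 + 60),
        "new_rewritten_T1": rx.accept_with_timestamp(rewritten, t0 + 60),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```
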

5.5.6 Known key attacks.

An adversary performs known-key attacks when he/she finds plaintext associated with ciphertext and simply performs backtracking operations to trace the plaintext. As stated in previous subsections, our proposed scheme uses fresh random numbers and timestamps for each session. Furthermore, all participants create the session key independently. If an attacker obtains a previous session key, he/she cannot compute the recent session key. Hence, the proposed scheme resists known-key attacks.

5.5.7 User friendliness.

A secure and useful protocol fulfills the requirements of user friendliness, which means enabling a user to freely choose his/her identity and password. User-friendly schemes provide the freedom to change or update the password to enhance security and privacy.

The proposed scheme permits users to select an identity ID and password PW freely, while the SC verifies the inputs and their correctness. A user may freely generate the nonce and can also change or update his/her password, so that the password is kept safe from attackers and adversaries.

5.5.8 Local user and password verification.

To avoid illegal access, the proposed scheme provides password verification in the login-authentication phase and also in the password change phase. In the registration phase the Mobile Node (MN) computed U = h(PWMN ‖ r) and then computes B = Uh(IDMNm) where, in the login-authentication phase, is re-verified locally; if then the login phase proceeds to the next step, otherwise the session is aborted. So, by using local password verification, we made our proposed scheme more secure.
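
The following Python sketch is an added example, not the paper's code. It contrasts a card that forwards every login attempt to the network, as criticised in section 4.3, with a card that first checks U = h(PWMN ‖ r) locally and repeats that check before a password change (section 5.3). `HomeNode`, the issued secret `S`, the masked value `SPW` reused for both cards and the login proof are simplified assumptions, not the scheme's equations.

```python
import hashlib
import hmac
import os


def h(*parts: bytes) -> bytes:
    """Hash of length-prefixed fields, standing in for h(a ‖ b)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNode:
    """Hypothetical remote verifier that counts the requests it must process."""

    def __init__(self):
        self.S = os.urandom(32)  # constructed secret issued at registration
        self.requests_processed = 0

    def handle_login(self, proof: bytes) -> bool:
        self.requests_processed += 1  # each request costs a round trip and hashing
        return hmac.compare_digest(h(b"login", self.S), proof)


class Card:
    """Stores only SPW = S xor h(PW): a wrong password unmasks a wrong S,
    and the mistake is discovered only after the network has done its work."""

    def __init__(self, S: bytes, password: bytes):
        self.SPW = xor(S, h(password))

    def login(self, password: bytes, hn: HomeNode) -> str:
        s_guess = xor(self.SPW, h(password))
        ok = hn.handle_login(h(b"login", s_guess))
        return "ok" if ok else "rejected-remotely"


class CardWithLocalCheck(Card):
    """Additionally stores U = h(PW ‖ r) and r, and checks input before sending."""

    def __init__(self, S: bytes, password: bytes):
        super().__init__(S, password)
        self.r = os.urandom(16)
        self.U = h(password, self.r)

    def verify(self, password: bytes) -> bool:
        # Recompute U* from the entered password and compare in constant time.
        return hmac.compare_digest(h(password, self.r), self.U)

    def login(self, password: bytes, hn: HomeNode) -> str:
        if not self.verify(password):
            return "rejected-locally"  # nothing leaves the card
        return super().login(password, hn)

    def change_password(self, old: bytes, new: bytes) -> bool:
        if not self.verify(old):  # old password is checked before any update
            return False
        S = xor(self.SPW, h(old))
        self.SPW = xor(S, h(new))
        self.r = os.urandom(16)   # fresh r'
        self.U = h(new, self.r)   # replaces U with U*
        return True


def wasted_requests(card: Card, hn: HomeNode, attempts: int) -> int:
    """Number of remote requests caused by `attempts` wrong-password logins."""
    before = hn.requests_processed
    for _ in range(attempts):
        card.login(b"constructed-wrong-password", hn)
    return hn.requests_processed - before


if __name__ == "__main__":
    hn = HomeNode()
    pw = b"constructed-password"
    print("without local check:", wasted_requests(Card(hn.S, pw), hn, 5))
    print("with local check:   ", wasted_requests(CardWithLocalCheck(hn.S, pw), hn, 5))
```
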

5.5.9 Insider attacks.

An insider attack may be defined as a malicious network attack committed by an authorized person with legal access. In our proposed scheme, suppose some insider at the Home Node (HN) tries to obtain the password of the Mobile User (MU) from the registration message M = {IDMN, U}. The insider at the Home Node (HN) can see the message M but could not compute U, where U = h(PWMU ‖ r). The user password is concatenated with a nonce and hashed with a one-way hash function. Hence, the insider cannot obtain the nonce r, and it is infeasible for anyone to compute the password from the hash value. So, under these assumptions, we say that the proposed scheme may prevent insider attacks.

5.5.10 Stolen-verifier attacks.

The proposed scheme resists stolen-verifier attacks, as the Mobile Node (MN) stores the user's password in encrypted format; even the HN and FN cannot get any information about the user password. If the SC is stolen, no one can extract the password, because the password is saved in U and this value is in encrypted form; the adversary cannot alter the password. Hence, the proposed scheme can resist stolen-verifier attacks.

5.5.11 Mutual authentication.

Mutual authentication is a robust feature of an authentication protocol that enables the participants of a protocol to authenticate each other at the same time. The proposed scheme satisfies all conditions of mutual authentication between the participants MN, FN and HN.

  • MN and HN Mutual authentication:

In our proposed scheme, MN authenticates the HN by verifying the in step 4, and the Home Node (HN) confirms the MU by checking in step 2; only a legitimate user can compute where both participants transfer the secret parameter IDMN with each other. Both participants also compute the SK mutually, so MN and FN authenticate each other mutually in the proposed scheme.

  • HN and FN Mutual authentication:

Likewise, FN and HN authenticate each other: in step 3 HN verifies where Y is computed by the real Foreign Node FN. A pre-shared key FHk is used to secure Y. In step 3 FN is authenticated by HN; afterward the session key (SK) is computed mutually, so our proposed scheme provides mutual authenticity of FN and HN.

  • FN and MN Mutual authentication:

FN authenticates MN in step 1 by checking there is MN’s timestamp and only a legal MN can compute V. So, after the verification of the Foreign Node (FN) authenticates MN.

5.5.12 Impersonation attacks.

An impersonation attack means that an adversary pretends to be a legitimate user. The adversary/attacker can delete or modify any message in different ways, or can deceive the other participants by pretending to be a legitimate user. The proposed scheme withstands forgery attacks in the following ways:

  • MN Impersonation attacks:

Suppose the adversary intercepts the login message M1 = {IDHN, V, K, r1, T1} in step 1. After the session terminates, the adversary A can try to send the login message M1 to FN. When A transmits the login request message M1, the Foreign Node (FN) checks the freshness of T1; as the timestamp is not fresh, the login request will not be accepted by FN. The adversary can then generate a new timestamp and resend the message with the fresh timestamp to FN. FN again checks the freshness of T1, and this time the freshness comparison may succeed. For further confirmation FN scrutinizes whether . Here the value of V is not equal to V’, so the request will be rejected. The adversary may also try to impersonate in step 4, but due to the comparison of V1’ with V1 the adversary will fail to play the impersonation game in each phase.

  • FN Impersonation attacks:

In step 2 the adversary will try to impersonate the Home Node (HN) by sending the message M2 = {M1, Y, r2, T2}. Without knowing the pre-shared key FHk, the adversary cannot impersonate the FN. Moreover, the proposed protocol also scrutinizes the differentiation of in second phase. Furthermore, the HN and FN share the SK secretly. The adversary will not be able to impersonate HN or FN by any means or by any message.

  • HN Impersonation attacks:

The proposed protocol can efficiently withstand HN forgery attacks. Suppose the adversary attempts to deceive the MN or FN with the message M3 = {V1, k0, K*, T3} in the third phase. In M3 we used V1 for local verification; hence, the adversary cannot compute the value of V1. Thus, the proposed protocol can easily withstand HN impersonation in different steps.
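The two checks in the MN impersonation case above (freshness of T1, then comparison of V with the recomputed V’) can be sketched as follows. This is an added example, not the paper's code: the verifier construction (HMAC-SHA256 over IDHN, r1 and T1 under a hypothetical shared secret), the window DELTA_T and all sample values are assumptions, the K field of M1 is omitted, and the nonce cache goes beyond the text by also rejecting a replay sent inside the freshness window.

```python
import hashlib
import hmac

# Assumptions (not from the paper): the shared secret, the construction
# V = HMAC-SHA256(secret, ID_HN | r1 | T1) and the window DELTA_T (seconds).
DELTA_T = 5


def make_verifier(secret: bytes, id_hn: str, r1: bytes, t1: int) -> bytes:
    """Bind the nonce r1 and the timestamp T1 into the verifier V."""
    msg = b"|".join([id_hn.encode(), r1.hex().encode(), str(t1).encode()])
    return hmac.new(secret, msg, hashlib.sha256).digest()


def check_login(secret: bytes, m1: dict, now: int, seen: set) -> str:
    """Verifier-side checks on a login message; returns the verdict."""
    # 1. Freshness of T1: a message replayed after the session is stale.
    if abs(now - m1["T1"]) > DELTA_T:
        return "reject: stale timestamp"
    # 2. Recompute V' from the received fields and compare in constant time.
    #    A rewritten T1 no longer matches the V computed over the old T1.
    expected = make_verifier(secret, m1["ID_HN"], m1["r1"], m1["T1"])
    if not hmac.compare_digest(expected, m1["V"]):
        return "reject: verifier mismatch"
    # 3. Nonce cache (addition to the text): catches a replay in the window.
    if m1["r1"] in seen:
        return "reject: nonce reused"
    seen.add(m1["r1"])
    return "accept"


def demo() -> list:
    """Run the checks over constructed sample messages."""
    secret = b"constructed-demo-secret"
    r1 = bytes.fromhex("a1b2c3d4e5f60718")
    t1 = 1_700_000_000
    m1 = {"ID_HN": "HN-1", "r1": r1, "T1": t1,
          "V": make_verifier(secret, "HN-1", r1, t1)}
    seen = set()
    return [
        check_login(secret, m1, t1 + 1, seen),                       # legitimate
        check_login(secret, m1, t1 + 600, seen),                     # late replay
        check_login(secret, dict(m1, T1=t1 + 600), t1 + 600, seen),  # new T1, old V
        check_login(secret, m1, t1 + 2, seen),                       # replay in window
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third case is the one the text walks through: a fresh timestamp passes the first check, but the verifier was computed over the original T1 and no longer matches.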

6 Security requirements and performance analysis

This section presents the requirements analysis and computation cost analysis of our proposed scheme. The first subsection provides the comparison of different security requirements and the second subsection demonstrates computation cost analysis, cost comparison and execution time comparison with other schemes.

6.1 Security requirements

To evaluate the security requirements, this article compares the proposed scheme with the schemes of Yoon et al. [25], Mun et al. [29] and Lee et al. [30] against the following requirements: R1: Node anonymity; R2: Node traceability; R3: Man-in-the-middle attack; R4: Backward/forward secrecy; R5: Replay and DoS attacks; R6: Known-key attacks; R7: User friendliness; R8: Local user and password verification; R9: Insider attacks; R10: Mutual authentication; R11: Impersonation attacks; R12: Efficiency in user authentication; R13: Formal verification. As shown in Table 2, only our proposed protocol fulfills all security requirements. Furthermore, the proposed protocol provides user friendliness and mutual authentication and has also been formally tested with the well-known verification tool ProVerif. The detailed comparison is shown in Table 2.

6.2 Computation cost analysis

The main focus of the proposed protocol is to safeguard against the various security attacks and issues present in the Lee et al. proposal for global mobility networks. In addition, the proposed protocol provides a realistic solution that guarantees reasonable computational cost. In this subsection, the protocol is compared with the security protocols of Mun et al. and Lee et al. based on the number of XOR, concatenation and hash operations used in these protocols. The detailed notation guide for each term is given in Table 3. To analyze the computation cost of the proposed protocol, the experimental measurements of Kilinc and Yanik [32] have been adopted for the different cryptographic operations and functions. According to Kilinc and Yanik [32], a single hash operation takes 0.0023ms of computation time. As shown in Table 4, the Mun et al. protocol contains 11 hash operations, 8 XOR operations and 4 elliptic-curve point multiplications (ECMP), and generates a random number 5 times, which in total is 11Th + 8T + 5TRG + 2TSE + 4TPM. Similarly, the total computation cost of Gope et al. is 21Th + 16T + 3TRG, the computation cost of the Lee et al. protocol is 32Th + 18T + 5TRG, and the computation cost of Chaudhry et al. is 8Th + 6T + 3TRG + 3TSE + 2TSD. The total computation cost of the proposed protocol is 12Th + 10T + 4TRG, as shown in Table 4. Moreover, the execution time of Mun et al. is 0.0345 and with ECMP it takes 4.4865ms in total; the total execution time of the Gope et al. scheme is 0.0483ms, that of the Lee et al. scheme is 0.0736ms, the Chaudhry et al. scheme takes 0.0414ms, and the total execution time of our proposed scheme is 0.0276ms. The graphical representation of execution time is shown in Fig 9. It is clear from the comparison in Table 4 and Fig 9 that the proposed scheme has efficient performance.

In addition, our proposed scheme satisfies all security requirements using a minimum of encryption operations and functions. The proposed security protocol successfully attains mutual authentication and node anonymity and has strong resistance against different security attacks.

7 Conclusion

This article scrutinized Lee et al.’s authentication scheme and showed that it suffers from several security weaknesses. We propose a lightweight and secure two-factor authentication protocol based on lightweight cryptographic primitives such as XOR operations, a one-way hash (owh) and the concatenation operation. The protocol is formally verified with ProVerif, a well-known automated tool, which confirms the correctness of the proposed scheme, and the informal security analysis demonstrates that the proposed scheme can withstand different attacks. The security comparison and performance analysis show that the proposed scheme is resistant against all possible attacks and has very efficient performance, making it suitable for practical environments.

References

  1. Bhagwat P, Perkins C, Tripathi S. Network layer mobility: an architecture and survey. IEEE Personal Communications 3 (3) (1996) 54–64.
  2. Molva R, Samfat D, Tsudik G. Authentication of mobile users. IEEE Network 8 (2) (1994) 26–34.
  3. Alveras D, Grotschel M, Jonas P, Paul U. Survivable mobile phone network architectures: models and solution methods. IEEE Communications Magazine. 1998.3 p. 88–93.
  4. Krishnamurthy P, Kabara J. Security architecture for wireless residential networks. In: IEEE Vehicular Technology Conference, 2000 p. 1960–1966.
  5. Horn G, Preneel B. Authentication and payment in future mobile systems. In: Journal of Computer Security 55 (1); (2002) 183–207.
  6. Go J, Kim K. Wireless authentication protocol preserving user anonymity. Citeseer; (2001).
  7. Rahman MG, Imai H. Security in wireless communication. Wireless Personal Communications, 22(2), (2002) 213–228.
  8. Tzeng ZJ, Tzeng WG. Authentication of mobile users in third generation mobile system. Wireless Personal Communications, 16(1), (2001) 35–50.
  9. Gope P, Hwang T. Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks. IEEE Systems Journal, 10(4), 2016, p. 1370–1379.
  10. Dressler F. Authenticated Reliable and Semi-reliable Communication in Wireless Sensor Networks. IJ Network Security, 7(1), (2008) p. 61–68 (pp. 882–887). Vancouver, Canada.
  11. Farash MS, Chaudhry SA, Heydari M, Sajad S, Mohammad S, Kumari S, Khan MK. A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security. International Journal of Communication Systems, 30(4), (2017), p. e3019–n/a.
  12. Amin R, Islam SKH, Biswas GP, Khan MK, Leng L, Kumar N. Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. Computer Networks, 101, (2016), p. 42–62.
  13. Kumari S, Khan MK. More secure smart card-based remote user password authentication scheme with user anonymity. Security and Communication Networks, 7(11), (2014), p. 2039–2053.
  14. Khan MK. Fingerprint biometric-based self-authentication and deniable authentication schemes for the electronic world. IETE Technical Review, 26(3), (2009), p. 191–195.
  15. Kumari S, Chaudhry SA, Wu F, Li X, Farash MS, Khan MK. An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Networking and Applications, 10(1), (2017), p. 92–105.
  16. Suzuki S, Nakada K. An authentication technique based on distributed security management for the global mobility network. In: IEEE Journal on Selected Areas in Communications 15 (8) (1997) 1608–1617.
  17. Zhu J, Ma J. A new authentication scheme with anonymity for wireless environments, Consumer Electronics. IEEE Transactions on Consumer Electronics 50 (1); (2004) 231–235.
  18. Lee CC, Hwang MS, Liao IE. Security enhancement on a new authentication scheme with anonymity for wireless environments, Industrial Electronics. In: IEEE Transactions on Industrial Electronics 53 (5); (2006) 1683–1687.
  19. Wei Y, Qiu H, Hu Y. Security analysis of authentication scheme with anonymity for wireless environments. (2006); 1–4.
  20. Wu CC, Lee WB, Tsaur WJ. A secure authentication scheme with anonymity for wireless communications. In: IEEE Communications Letters 12 (10); (2008) 722–723.
  21. He D, Ma M, Zhang Y, Chen C, Bu J. A strong user authentication scheme with smart cards for wireless communications. Computer Communications 34 (3); (2011) 367–374.
  22. Li CT. A more secure and efficient authentication scheme with roaming service and user anonymity for mobile communications. Information Technology and Control 41 (1); (2012) 69–76.
  23. Li CT, Lee CC. A novel user authentication and privacy preserving scheme with smart cards for wireless communications. In: Mathematical and Computer Modelling 55 (1); (2012) 35–44.
  24. Das AK. A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Networking Science 2 (1-2) (2013) 12–27.
  25. Yoon EJ, Yoo KY, Ha KS. A user friendly authentication scheme with anonymity for wireless communications. Computers & Electrical Engineering 37 (3); (2011) 356–364.
  26. Niu J, Li X. A novel user authentication scheme with anonymity for wireless communications. Security and Communication Networks 7 (10); (2014) 1467–1476.
  27. Jiang Q, Ma J, Li G, Yang L. An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks. Wireless Personal Communications 68 (4); (2013) 1477–1491.
  28. Wen F, Susilo W, Yang G. A secure and effective anonymous user authentication scheme for roaming service in global mobility networks. Wireless Personal Communications 73 (3); (2013) 993–1004.
  29. Mun H, Han K, Lee YS, Yeun CY, Choi HH. Enhanced secure anonymous authentication scheme for roaming service in global mobility networks. Mathematical and Computer Modelling 55 (1); (2012) 214–222.
  30. Lee CC, Lai YM, Chen CT, Chen SD. Advanced secure anonymous authentication scheme for roaming service in global mobility networks. Wireless Personal Communications 94 (3); (2017) 1281–1296.
  31. Blanchet B. ProVerif is a software tool for automated reasoning. [Online; accessed 01-June-2002] (2008).
  32. Kilinc HH, Yanik T. A survey of sip authentication and key agreement schemes. IEEE Communications Surveys & Tutorials 16 (2); (2014) 1005–1023.
  33. Chaudhry SA, Farash MS, Naqvi H, Islam SH, Shon T. A robust and efficient privacy aware handover authentication scheme for wireless networks. Wireless Personal Communications, Volume 93, (2017), p. 311–335.