The Proxy Mobile IPv6 (PMIPv6) is a network-based mobility management protocol that allows a Mobile Node(MN) connected to the PMIPv6 domain to move from one network to another without changing the assigned IPv6 address. The user authentication procedure in this protocol is not standardized, but many smartcard based authentication schemes have been proposed. Recently, Alizadeh et al. proposed an authentication scheme for the PMIPv6. However, it could allow an attacker to derive an encryption key that must be securely shared between MN and the Mobile Access Gate(MAG). As a result, outsider adversary can derive MN’s identity, password and session key. In this paper, we analyze Alizadeh et al.’s scheme regarding security and propose an enhanced authentication scheme that uses a dynamic identity to satisfy anonymity. Furthermore, we use BAN logic to show that our scheme can successfully generate and communicate with the inter-entity session key.
Citation: Kang D, Jung J, Lee D, Kim H, Won D (2017) Security analysis and enhanced user authentication in proxy mobile IPv6 networks. PLoS ONE 12(7): e0181031. https://doi.org/10.1371/journal.pone.0181031
Editor: Muhammad Khurram Khan, King Saud University, SAUDI ARABIA
Received: March 21, 2017; Accepted: June 25, 2017; Published: July 18, 2017
Copyright: © 2017 Kang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data within the paper.
Funding: This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2010-0020210) http://www.nrf.re.kr/index.
Competing interests: The authors have declared that no competing interests exist.
In recent years, the mobile-device market has grown rapidly, and with the increasing availability of wireless Internet access, various services including browsing, file-sharing, and shopping are becoming increasingly available regardless of the time and place. The Internet Engineering Task Force (IETF) has been developing the Internet standards, and after more than 20 releases, the standardization of IPv6-based mobility has been discussed as “Mobility Support in IPv6 (MIPv6)” since the late 1990s; the standardization to the proposed standard “RFC 3775” was completed in June 2004 .
However, the MIPv6 imposes a burden on the mobile terminal by increasing the resource usage, and this is due to the signaling between the mobile terminal and the access router and the implementation of a complicated standard specification in a mobile terminal with limited resources. Thus, telecommunication operator were not satisfied. To solve this problem, the IETF proposed the Proxy Mobile IPv6 (PMIPv6) technology, and various research institutes are actively conducting the corresponding research. With the adoption of the PMIPv6, the complicated specification and signaling problems that are highlighted in the existing MIPv6 have been solved. However, it is still necessary to continue research because the technology cannot significantly reduce the handover-delay time that can occur with the movement of the Mobile Node (MN) [2, 3]. Additionally, in the “RFC 5213” document wherein the PMIPv6 standard is defined, the authentication process of the MN is not properly specified. Therefore, a lot of research have been proposed on the authentication process between MN and Mobile Access Gate (MAG) .
In this circumstance, a smartcard can be used as an authentication method between MN and MAG. Because of high potability and low cost, authentication schemes using smartcard have been proposed over the past few years. Since Lamport proposed the first password-based authentication scheme in 1981. Smartcard-based authentication has been applied to numerous protocols, such as the session initiation protocol , mobile client-client network , wireless sensor network , Electronic Patient Records(EPR) information systems .
In 2013, Chuang et al. proposed a new authentication mechanism using smartcard called “SPAM”. SPAM offers a low packet loss and low latency rates compared with the other PMIPv6 mechanisms . However, SPAM is susceptible to the replay and malicious-insider attacks, and it does not provide protection against the compromise of a single node . Also SPAM has several vulnerabilities which is susceptible to impersonation attack and password guessing attack, ignore the MAG and LMA anonymity . To complement with these security drawbacks, Alizadeh et al. proposed a new authentication scheme with revocation process in 2015 . However, Alizadeh et al.’s scheme has a fatal vulnerability when deriving the encryption key using the symmetric key algorithm. It is possible to carry out various attacks, including impersonation attack, password guessing attack, session key derive attack. For that, we proposed a new scheme to defend against the attacks that are present in “RFC 4832”  and Alizadeh et al.’s research .
- Man in the middle attack: an adversary can interrupt between two entities during authentication. Thus, the adversary can intercept, modify, or drop the packets sourced by or destined to the MN
- Impersonation attack: an adversary can impersonate a user to the MN or MAG through inspection and discovery of the authentication information.
- Replay attack: an adversary can resend the legal message sent earlier in order to disorder the traffic flow or impersonate.
- Verifier impersonation: impersonation attack that the adversary creates independent connection with the victims and sends messages between them, causing them to think that they can directly communicate to each other.
- Modification attack: an adversary may try to change the authentication message of the MAG or the MN.
- Stolen-verifier: an adversary may thieve verification table if the scheme of authentication saves this table with LMA or MAG.
The following paper is organized as follows. Section 2 concisely introduces the requisite preliminary knowledge for an improved comprehension of this paper, including the PMIPv6, hash function, and bio-hash function. Section 3 is a review of Alizadeh et al.’s scheme. Section 4 is an analysis of Alizadeh et al.’s scheme and shows its security vulnerabilities. Section 5 describes the proposed scheme that protects against the attacks shown in Section 4. In Section 6, the proposed scheme is analyzed using a formal security analysis with Burrows-Abadi-Needham (BAN) logic and an informal security analysis. Section 7 presents a comparison of the performances of the prior schemes with that of the proposed scheme, and Section 8 concludes this paper.
In this section, we introduce some preliminaries, including the structure of PMIPv6, the hash function based on both Alizadeh et al.’s and our proposed scheme.
Structure of proxy mobile IPv6(PMIPv6)
The basic method for the provision of Internet protocol (IP) mobility to a mobile terminal involves the use of the mobile IP. But, the mobile IP manages the binding information on the MN’s location information by exchanging the signaling message between the MN and the Home Agent (HA). The PMIPv6 does not need a separate protocol stack for mobility management because the network elements handle the exchange of the binding-related messages instead of the MN. The components of the PMIPv6 are shown in Fig 1:
The PMIPv6 domain refers to a network that manages the movement of the MN using the PMIPv6. Domains require the new functional elements the MAG and the LMA. The MAG monitors the movement of the MN on the access link and transmits the MN’s mobile signaling message to the LMA instead of the MN, while the LMA acts as the HA for the MN in the PMIPv6 domain. The LMA is an anchor point on the topology of the home-network prefix that is allocated to the MN and serves to manage the reachability state of the MN in the domain. In general, the function of the MAG can be implemented in the access router, and the LMA can be located in the gateway of the domain.
Between the LMA and the MAG, there is an IP tunnel for the transmission of signaling messages and the data packets for sending and receiving the MN. The MAG can support different IP prefixes for terminals receiving mobility-support services and general terminals using the PMIPv6. The previous MAG (PMAG) detected by the MN is a detached event wherein the MN is not present on its access link, and it notifies the LMA of the detachment of the MN using a Proxy Binding Update (PBU) message. The LMA performs an operation to delete the binding entry associated with the MN and transmits the PBA.
When the MN is connected to a new MAG (NMAG), the NMAG performs the initial access procedure of the MN, and it transmits the home-network-prefix information that the MN has allocated in the initial access through the Router Solicitation/Router Advertisement that is sent to the MN. Therefore, the MN can use the initially assigned address. Fig 2 shows the handover process in the PMIPv6 environment.
A cryptographic hash function can support confidence of data integrity. Hash function is used to construct a short “dactylogram” of data. Also hash function can be any function that is used to map data of an arbitrary size to data of a fixed size. Furthermore, There are three main conditions of hash function that are defined as y = h(x) [15, 16] as follows.
- Preimage Resistance: When h(x) is given, find x′ such that h(x) = h(x′) is infeasible.
- Second Preimage Resistance: When x and h(x) are given, find x′ ≠ x such that h(x) = h(x′) is infeasible.
- Collision Resistance: Find x′ ≠ x such that h(x) = h(x′) is infeasible.
Recently, a three-factor authentication scheme that adds user’s biometric information to a two-factor authentication scheme using identity, password for growth security was widely proposed [17–19]. To apply biometric information in user authentication scheme, and since Jin et al.  proposed a fingerprint-based function to distinguish person in 2004. The bio-hash function is used in this study. Bio-hash method handles particular tokenized pseudo-random numbers for each user by summarily measuring the biometric information on two fold strands. Bio-hash function H(⋅) also has features of one-way hash function as mentioned previously.
Review in Alizadeh et al.’s scheme
In This section, we review the Alizadeh et al.’s secure password authentication mechanism in 2015. Alizadeh et al.’s scheme consists of following phases: registration, mutual authentication, password change phase. The notation utilized in Alizadeh et al.’s and our proposed scheme is summarized as Table 1. We describe each phase in detail, and Fig 3 describes Alizadeh et al.’s scheme.
The MN proceeds the registration phase using the Authentication, Authorization, and Accounting (AAA), which is the authentication server, before it commences the mutual authentication phase. In a typical authentication scheme, the registration phase communicates via a secure channel between the user and the server. It is assumed that the communication on this channel is not vulnerable to eavesdropping.
- Mobile user selects his/her identity and password IDMN, PWMN and extra value RMN.
- MN → AAA: Mobile Node(MN) computes RPWMN = h(PWMN||RMN). Then, sends < IDMN, RPWMN > via a secure channel.
- AAA → MN: AAA computes S1 = h(IDMN||sv), S2 = h(RPWMN) ⊕ S1, S3 = EPSK(IDMN||sv||aMN) where aMN is random nonce generated by AAA. Then, sends < S1, S2, S3, h(⋅) > via a secure channel.
- MN computes S4 = h(IDMN||PWMN) ⊕ S1, S5 = RMN ⊕ S1, S6 = S3 ⊕ S1. Then, issues a new smartcard and writes S2, S4, S5, S6 into smartcard’s memory.
Mutual authentication phase
In the mutual-authentication phase, the MN checks the authenticity of the user data, such as the user identity or password, and sends an authentication request message to the MAG. The MAG also authenticates the MN, generates a session key when the authentication is passed, and transmits the authentication confirmation message to the MN again. Lastly, the MN generates a session key using the received message, and the session key is finally shared between the MN and the MAG.
- Mobile user inserts his/her smartcard and inputs , . Smartcard computes , , , . Verify is equal to smartcard contained value S2. If this satisfies, proceeds with the next step.
- MN → MAG: Smartcard generates random nonce N1, calculates AIDMN = S1 ⊕ S6, AUTHMN = h(S1||N1). Then, sends < AIDMN, ES1(AUTHMN, N1) > to the MAG via public channel.
- MAG decrypts AIDMN using pre-shared Key(PSK) and obtains (IDMN, sv, aMN). Then, calculates S1 = h(IDMN||sv) and decrypts ES1(AUTHMN, N1).
- MAG verifies h(S1||N1) is equal to AUTHMN. If this holds, proceeds with the next step
- MAG → MN: MAG generates random nonce N2, computes h(N2||IDMAG), SKMN−MAG = h(N1||N2). Then sends ES1(N1 + 1, N2, IDMAG, h(N2||IDMAG) to MN.
- MN → MAG: MN decrypts message using S1. Checks N1 + 1 and h(N2||IDMAG). MN calculates SKMN−MAG = h(N1||N2). Then, sends (ESKMN−MAG(N2 + 1)) to MAG.
- MAG decrypts message using SKMN−MAG. Then, checks N2 + 1.
Password change phase
The password change phase is performed when the user wants to change his/her password. Primarily, the smartcard first verifies the authenticity and the user then inputs his/her new password. Based on the new password, the smartcard replaces the existing values with the new password based values.
- Mobile user inputs his/her original IDMN, PWMN, RMN.
- Smartcard computes S1 = h(IDMN||PWMN) ⊕ S4, RMN = S1 ⊕ S5, RPWMN = h(RMN||PWMN). Then, checks S2 is same as h(RPWMN) ⊕ S1. If holds, password change phase proceeds with the next step.
- User inputs his/her new password and extra value , .
- Smartcard computes , , , , .
- Smartcard replaces S2, S4, S5, S6 new values , , , .
Security drawbacks of Alizadeh et al.’s scheme
In this section, we point out security drawbacks of Alizadeh et al.’s scheme. Before showing the security weakness, we discuss some widely accepted threat model concerning user authentication and key agreement scheme [21–23].
- The smartcard contains the MN and AAA’s information in plaintext form. Therefore, an adversary can extract the smartcard information by monitoring the diffrential power analysis .
- An adversary can eavesdrop all the message between the entities via to public channel. Additionally, He/She can modify, delete, resend the eavesdropped message.
- An adversary can guess low entropy password and identity individually easily but guessing two secret parameters are computationally infeasible in polynomial time [25, 26].
- An adversary may be a valid user or with the order reversed.
- An adversary already knows all authentication scheme between MN, AAA and MAG.
Under these threat models, this study shows that Alizadeh et al.’s scheme is unable to resist against various attacks, including the offline password guessing and session-key-derived attacks.
Leak of symmetric encryption/decryption key
Most significant weakness of Alizadeh et al.’s scheme is leak of symmetric encryption key by following steps:
- Adversary can extract S6 which in the smartcard and AIDMN which in the login message via to public channel.
- Adversary computes S1 = S6 ⊕ AIDMN.
Computing value S1 is the symmetric encryption key from all of the messages communicated between the MN and the MAG. Therefore, an adversary can easily encrypt or decrypt every message and attack using various security threats.
Offline password guessing attack
If an outsider adversary Ua successfully derives symmetric key S1. Ua can perform offline password guessing attack by following steps:
- Ua derives RMN = S5 ⊕ S1, which S5 is in the smartcard.
- Ua selects random password candidate and calculates .
- If is equal to S2 which is in the smartcard, adversary infers that it has guessed the MN’s password accurately.
- Otherwise, Ua chooses another password nominee and performs same steps just before discover password.
Offline identity guessing attack
If an outsider adversary Ua successfully derives MN’s password by offline password guessing attack, Ua also can do offline identity guessing attack by following steps:
- Ua selects random identity candidate and calculates .
- If is equal to S4 which is in the smartcard, adversary infers that it has guessed the MN’s identity accurately.
- Otherwise, adversary chooses another identity nominee and repeats the same steps that precede the discovery of the identity.
MN impersonation attack
The MN impersonation attack means a outsider adversary Ua has made a fake login request message that it sends to the MAG. However, MAG cannot identify it, and accepts it as a legal login request message. In Alizadeh et al.’s scheme, an adversary can make a fake login request message using the following steps:
- Adversary Ua eavesdrops AIDMN beforehand because AIDMN is always same as EPSK(IDMN, sv, aMN). So, adversary can reuse it.
- Ua selects random nonce and computes .
- Ua makes login request message then, sends it MAG.
- MAG decrypts message then obtains , .
- MAG checks . Then, successfully accepts login request message which made by outsider adversary Ua.
MAG impersonation attack
Similar with MN impersonation attack, MAG impersonation attack means outsider adversary Ua makes fake authentication message and sends it to the MN. Also, MN can not attention it, then MN accept it is legal authentication message. MAG impersonation attack is performed by following steps:
- Adversary Ua eavesdrops ES1(N1 + 1, N2, IDMAG, h(N2||IDMAG) then, acquire IDMAG. In the same way, acquire N1 from ES1(AUTHMN, N1)
- Ua selects random nonce and computes .
- Ua makes authentication request message then, sends it MN.
- MN decrypts message then obtains .
- MN successfully accepts authentication request message which made by Ua.
Session key derive attack
Session key derive attack means adversary can compute session key and then use it after communication between MN and MAG. According to Alizadeh et al.’s scheme, adversary can derive session key between legal entities by following steps:
- Adversary Ua eavesdrops ES1(N1 + 1, N2, IDMAG, h(N2||IDMAG)) and ES1(AUTHMN, N1).
- Ua can derive N1, N2 by using symmetric key S1.
- Ua computes session key SKMN−MAG = h(N1||N2).
Since then, adversary can communicate using derived session key either MN or MAG without registration or login.
The proposed scheme
In this section, the scheme that is an improvement compared with Alizadeh et al.’s scheme is proposed. The proposed enhancements are described, as follows:
- Use of a dynamic identity to satisfy the MN anonymity. The main idea is the changing of the dynamic identity to another value upon the completion of the authentication phase. Therefore, the Ua cannot identify the initiation of two different sessions by the same user.
- Use of an encryption key that the Ua cannot derive without the legal user’s information.
- Use of biometric information with Bio-hashing to protect the MN’s information more securely.
Our proposed scheme consists of following phases: registration, mutual authentication and password change phase.
We designed a 3-factor authentication scheme by registering the user’s bio information in order to enhance safety. Also, at this phase, the dynamic identity DIDMN is created based on the random number generated by the AAA. The dynamic identity provides the MN anonymity because it is continuously changed in a mutual authentication phase that is performed later. Details procedure of registration phase is in Fig 4.
- Mobile user selects his/her identity and password IDMN, PWMN and imprints his/her biometrics BMN.
- MN → AAA: Mobile Node(MN) computes RPWMN = h(PWMN||H(BMN)). Then, sends < IDMN, RPWMN > via a secure channel.
- AAA → MN: AAA computes S1 = h(IDMN||RPWMN), S2 = h(aMN||sv), DIDMN = EPSK(IDMN, aMN), S3 = EPSK(sv, DIDMN) ⊕ S2 where aMN is random nonce generated by AAA. Then, AAA sends < S1, S2, S3, DIDMN, h(.) > via a secure channel.
- MN computes S4 = S2 ⊕ h(RPWMN||IDMN), S5 = S3 ⊕ RPWMN. Then, issues a new smartcard and writes < S1, S4, S5, DIDMN, H(.), h(.) > into smartcard.
Mutual authentication phase
When an MN joins a localized mobility domain, it must pass a mutual authentication step with the MAG. To enhance the safety of the proposed method, this process prevents an attacker from deriving an encryption key even if he/she eavesdrops a public channel or extracts a smartcard’s contents. In addition, once the authentication is completed, the MAG issues new dynamic identity value, , and the MN changes the DIDMN value in the smartcard. Thereby, an outsider adversary can not infer that same user performs mutual authentication several times. Details procedure of mutual authentication phase is in Fig 5.
- Mobile user inserts his/her smartcard and inputs , and imprints his/her biometric information . Smartcard computes , . Then, smartcard verifies is equal to smartcard contained value S1. If this satisfies, proceeds with the next step.
- MN → MAG: Smartcard generates random nonce N1, calculates , , , , . Then, sends < AIDMN, AUTHMN, TN1 > to the MAG via public channel.
- MAG decrypts AIDMN(= EPSK(sv, DIDMN)) using Pre-Shared Key(PSK) and obtains (sv, DIDMN). Then MAG decrypts DIDMN using PSK once again and obtains IDMN, aMN. Then, MAG calculates .
- MAG verifies is equal to AUTHMN. If this holds, proceeds with the next step.
- MAG → MN: MAG generates random nonces N2, , computes , , . Then MAG sends to MN via public channel.
- MN decrypts message using . Checks N1 + 1 and h(N2||IDMAG). Then, MN calculates SKMN−MAG = h(N1||N2), . Further, MN replaces DIDMN with and S5 with .
- MN → MAG: MN sends (ESKMN−MAG(N2 + 1)) to MAG.
- MAG decrypts message using SKMN−MAG. Checks N2 + 1.
Password change phase
- Mobile user inputs his/her original identity, password and biometric information IDMN, PWMN, BMN.
- Smartcard computes RPWMN = h(PWMN||H(BMN)) checks S1 is same as h(IDMN||RPWMN). If holds, password change phase proceeds with the next step.
- User inputs his/her new password .
- Smartcard computes , , , .
- Smartcard replaces S1, S4, S5 new values , , .
Security analysis of the proposed scheme
In this section, the proposed scheme is analyzed using the following two methods: informal analysis and formal analysis. The informal analysis proves that the proposed scheme is secure against many security threats compared with the other existing schemes. On the other side, using BAN logic, the formal analysis shows the proposed scheme’s generation of the session key’s legality to the entities who take part in the proposed scheme.
Informal security analysis
In this subsection, we check our proposed scheme is safe with various secure threat, and satisfies some basic requirements to design authentication scheme.
The insider attack is performed by someone who is in the server’s side and then guesses the user’s password from the registration message. However in our proposed scheme, MN sends user’s password to server in a form of RPWMN = h(PWMN||H(BMN)). In this case, server’s insider is not able to guess password because password is protected with bio-hash value based on user’s biometric.
An authentication scheme is said to satisfy anonymity if it can satisfy two main conditions: (1) User’s identity is not disclose to adversary and (2) the adversary cannot find out two different sessions are initiated by same user [27, 28]. In Our proposed scheme, we use dynamic identity DIDMN = EPSK(IDMN, aMN). Additionally, after a authentication phase, MAG computes new dynamic identity and sends it. New dynamic identity is protected by encryption key S2 known only MAG and MN. Then, MN replaces the previous DIDMN with received , and calculate new which contains new dynamic identity. In conclusion, outsider adversary can not figure out two different sessions are initiated by the same user.
Provide mutual authentication.
Our proposed scheme provides mutual authentication between MN and MAG. Mutual authentication means there are processes that each entity completes to authenticate the other party during the progression of the protocol. In our proposed scheme MAG checks MN’s legality by checking derived AUTHMN is equal to receiving value. The other way, MN checks MAG’s legality by checking derived h(N2||IDMAG) is equal to receiving value. Additionally, MN can check MAG’s legality by N1 + 1 whether MAG can derive MN generated nonce N1.
Resistant to stolen-verifier attack.
Several authentication schemes comprise a verification table that stores some of the user information. However, the use of a verification table can cause overhead problems in the server’s side and a vulnerability to the stolen-verifier attack. However, the proposed scheme does not need to store any information during the entire phase, and this means it prevents not only the AAA overhead but also the stolen-verifier attack.
Resistant to MN impersonation attack.
To do MN impersonation attack, adversary need to make AIDMN, AUTHMN, TN1. However AIDMN is encrypted text with pre-shared-key, AUTHMN is mixed IDMN, TN1 is mixed with AAA’s secret key sv and AAA generated random nonce aMN. So, even though adversary Ua generates his/her own random nonce , Ua can not make any require value which sends to MAG. Therefore, our proposed scheme prevents MN impersonation attack.
Resistant to MAG impersonation attack.
To do MAG impersonation attack, adversary needs to make S2 to encrypt message. However S2 is mixed with AAA’s secret key sv and AAA generated random nonce aMN. Like the preceding attack, even though adversary Ua can not derive normally. Therefore, our proposed scheme prevents MAG impersonation attack.
Resistant to replay attack.
MN and MAG generate random nonce N1, N2 during our proposed scheme process to resist replay attack. When adversary Ua eavesdrops login message < AIDMN, AUTHMN, TN1 > then resends it. In this case Ua’s login request is rejected by MAG, because our proposed scheme can expose an wrong number by contrasting AUTHMN. Supplementary, our proposed scheme uses various numbers when each session begins. Therefore, our proposed scheme can resist replay attack.
Resistant to Denial-of-service attack.
Denial-of-service(DOS) attack is occurred by adversary’s continuous wrong login requests. If MN’s identity, password verification process is in the MAG’s side, adversary inputs wrong identity and password in succession. In this circumstance, MAG is received a lot of login request message. As a result, MAG is overloaded by adversary. To prevent this attack, our proposed scheme checks MN’s identity and password in MN’s smartcard side. So, when adversary inputs wrong information, smartcard rejects login request in MN’s side quickly. As a result, our proposed scheme resists Denial-of-service attack.
Resistant to MN guessing attack.
According to our proposed scheme, adversary who guess MN’s password/identity must using S1’s value. Nevertheless, S1 has 3 MN’s information, identity, password and biometric. Even if adversary can guess user’s identity and password at same time in polynomial time, there is a precondition that adversary already knows MN’s biometric information. But, it is not possible to know MN’s biometric information in our scheme. Therefore, our scheme resist MN guessing attack.
Does not need time synchronization.
Several authentication scheme using timestamp to resist replay attack. However, using timestamp in authentication scheme, MN and MAG have to synchronize there clock beforehand. In the synchronization process, there is possibility that time synchronization error. To prevent this problem, our proposed scheme only use random nonce based authentication instead timestamp.
Efficient and freely password choose and change.
In our proposed scheme, MN user always chooses his/her password without any restriction in registration phase. Additionally, when MN changes his/her password in password change phase, smartcard checks the original password’s legality at first. Then, MN can change password. In this process, the MN only needs to communicate with the smartcard and not with the MAG.
Formal security analysis
Formal security analysis is usually used to analyse and judge various authentication schemes’ performance [29–32]. There are many formal security analysis methods can be applied to authentication scheme such as BAN logic , GNY , AVISPA  and ProVerif . In this paper, we used BAN logic to prove our scheme’s legality.
Authentication proof with BAN logic.
In this subsection, BAN logic is used to analyze the proposed scheme. BAN logic helps to prove whether or not a protocol does or does not meet its security goals. Also, BAN logic contributes to the improvement of the efficiency of a protocol by eliminating messages, message content, or message encryptions. The BAN-logic notation is defined in Table 3.
In order to achieve the reasonable result of BAN logic, we define some rules about introduction and elimination as follows:
- Message-meaning rule: : When P sees a message which is encrypted with the shared key of P and Q, than P believes that Q has sent the message. As the secret key only is known to P and Q, only P or Q are able to produce the message and P knows what it has said.
- Nonce-verification rule: : When P believes that X is a fresh message, and P believes that it was said by Q than P believes that Q still believes the message X.
- Believe rule(1): : A composite message can be when a principal believes in both parts, this can be generalised to more than two parts.
- Believe rule(2): : A more then two message can be when a principal believes in, this can be generalised to composite message.
- Freshness-conjuncatenation rule: : When a value is found to be fresh by an entity, than the entity also believes that the message, in which the value is used, is also fresh.
- Jurisdiction rule: : P believes that the principal Q jurisdiction has over the formula X. This means that Q is trusted to make statements over X.
The major objective of our proposed scheme is mutual authentication between the MN and MAG with shared key. Our objectives symbolized by BAN logic are as follows:
- Objective 1.
- Objective 2.
After establishing the main objectives, convert the message between MN and MAG to the idealized form.
- Message 1. MN → MAG: < IDMN >S2, < N1 >IDMN, < N1 >S2
- Message 2. MAG → MN: < N2 >S2, < N2 >IDMN
Also there are some assumptions of our proposed scheme to derive proper objective.
- A1: MAG ∣ ≡ ♯(N1)
- A2: MN ∣ ≡ ♯(N2)
- A3: MAG ∣≡ MN ⇒ N1
- A4: MN ∣≡ MAG ⇒ N2
Now, we describe our main proof as follows. According to Message 1, we could get:
- V1: MAG⊲ < IDMN >S2, < IDMN >N1, < N1 >S2
According to assumption A6, we apply the message meaning rule to obtain V2 and V3.
- V2: MAG ∣≡ MN ∣∼ IDMN
- V3: MAG ∣≡ MN ∣∼ N1
According to assumption A1, we apply the freshness conjuncatenation rule to obtain V4.
- V4: MAG ∣≡ MN ∣≡ N1
According to assumption A3 and V4, we apply the jurisdiction rule to obtain V5.
- V5: MAG ∣≡ N1
According to sk = h(N1||N2), V5 and assumption A3, we derive:
- V6: (Goal 2.)
According to Message 2, we could get:
- V7: MN⊲ < N2 >S2, < N2 >IDMN
According to assumption A5, we apply the message meaning rule to obtain V8.
- V8: MN ∣≡ MAG ∣∼ N2
According to assumption A2, we apply the freshness conjuncatenation rule to obtain V9.
- V9: MN ∣≡ N2
According to sk = h(N1||N2), V9 and assumption A4, we derive:
- V10: (Goal 1.)
The preceding discussion clearly shows that MN and MAG achieve mutual authentication, and based on (Goal.1) and (Goal.2), MN and MAG trust that the session key sk is securely shared between them.
Performance analysis of the proposed scheme
In this section, we measure our proposed scheme’s performance and compare with those of existing schemes. The notations used in this measurement are described as follows:
- Th: the time of executing a one-way hash function/bio-hash function.
- Tx: the time of executing a XOR operation.
- Ts: the time of executing a symmetric encryption or decryption.
Table 4 shows a analysis of the comparison of the computational cost for our proposed scheme and existing schemes. Time comparison results show that the scheme of Chuang et al.’s scheme is 16Th + 4Tx + 8Ts, Alizadeh et al.’s scheme is 14Th + 9Tx + 8Ts, and our proposed scheme is 17Th + 7Tx + 10Ts. The totals of the hash-function and XOR-operation executions that were recorded for the proposed scheme are similar to those of the two existing schemes. The proposed scheme implements the dynamic identity to satisfy the user anonymity, and it needs two further symmetric-encryption and symmetric-decryption operations
Based on the results in Table 4, Crypto++ Library is used to measure the computation process time of each operation . A simulation was performed to obtain the execution time of each cryptographic operation, and Table 5 shows our simulation environment.
Under this simulation environment, the value of each cryptographic operation time was measured. Table 6 shows execution time for each operation and the comparison of the total execution time between our proposed scheme and other scheme. In addition, Tx is not counted because it is too petty compared with other operations such as symmetric encryption or hash function.
As shown in Table 6, the execution time of the our proposed scheme requires 15.46ms(17Th + 10Ts ≈ 17 × 0.48ms + 10 × 0.73ms). The execution times for Chuang et al.’s and Alizadeh et al.’s schemes are 13.52ms (16Th + 8Ts ≈ 16 × 0.48ms + 8 × 0.73ms) and 12.56ms(14Th + 8Ts ≈ 14 × 0.48ms + 8 × 0.73ms), respectively. The results show that our proposed scheme’s execution time is more than those of the other schemes. However, in terms of security, the other schemes show has several vulnerabilities. Contrarily, our proposed scheme implements the dynamic identity at a relatively low additional cost, to satisfy MN anonymity and provide protection against various secure attacks. Thus, our proposed scheme also takes into account the necessary efficiency.
This paper shows that Chuang et al.’s scheme, which was proposed as the authentication scheme for the PMIPv6, is vulnerable to an attacker who can derive the symmetric key that is used in overall communication, and the execution of this attack is relatively simple. Then, we demonstrate how an outsider adversary can execute various security threats, such as the offline password guessing, MN impersonation, and MAG impersonation attacks, on Alizadeh et al.’s scheme. Accordingly, we propose an improved and efficient scheme using the MN user’s biometric information and a dynamic identity that provide protection against the previous security drawbacks. As a result, this paper shows that the proposed scheme can prevent attacks such as the MN guessing, MAG impersonation, and session key derived attacks, and its effectiveness is also due to the fact that it does not use timestamps or verification tables. Furthermore, BAN logic shows that the proposed scheme exhibited successful and stable session-key sharing between the MN and the MAG, and it is more efficient in terms of the computational-time cost.
I thank all of the authors, especially the corresponding author Dongho Won. I am also grateful to the anonymous reviewers for their time, priceless comments, and advice regarding this paper.
- 1. Johnson, David, Charles Perkins, and Jari Arkko. Mobility support in IPv6. No. RFC 3775. 2004;
- 2. Kong KS, Lee WJ, Han YH, Shin MK, You HR. Mobility management for all-IP mobile networks: mobile IPv6 vs. proxy mobile IPv6. IEEE Wireless communications. 2008; 15(2).
- 3. Giaretta, Gerardo. Interactions between proxy mobile IPv6 (PMIPv6) and mobile IPv6 (MIPv6): Scenarios and related issues. No. RFC 6612. 2012;
- 4. S. Gundavelli, K. Leung, V. Devarapalli, K. Chowdhury, B. Patil. Proxy mobile IPv6. No. RFC 5213. 2008;
- 5. Kumari S, Chaudhry S, Wu F, Li X, Farash M, Khan M. An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Networking and Applications. 2015; 1–14.
- 6. Heydari M, Sadough SMS, Farash MS, Chaundhry SA, Mahmood K. An efficient password-based authenticated key exchange protocol with provable security for mobile client–client networks. Wireless Personal Communications. 2016; 88(2):337–356.
- 7. Chaudhry SA, Farash MS, Naqvi H, Islam SH, Shon T. A robust and efficient privacy aware handover authentication scheme for wireless networks. Wireless Personal Communications. 2017; 93(2):311–335.
- 8. Jung J, Kang D, Lee D, Won D. An Improved and Secure Anonymous Biometric-Based User Authentication with Key Agreement Scheme for the Integrated EPR Information System. PloS one. 2017; 12(1):1–26
- 9. Chuang MC, Lee JF, Chen MC. SPAM: A secure password authentication mechanism for seamless handover in proxy mobile IPv6 networks. IEEE Systems Journal. 2013; 7(1): 102–113.
- 10. You I, Leu FY. Comments on “SPAM: A Secure Password Authentication Mechanism for Seamless Handover in Proxy Mobile IPv6 Networks”. IEEE Systems Journal. 2015; 1–4
- 11. Alizadeh M, Baharuna S, Zamanib M, Khodadadia T, Darvishi M, Gholizadeh S, Ahmadi H. Anonymity and Untraceability Assessment of Authentication Protocols in PMIPv6. Jurnal Teknologi. 2015; 72(5): 31–34.
- 12. Alizadeh M, Zamani M, Baharun S, Manaf AA, Sakurai K, Anada H, Keshavarz H, Chaudhry SA, Khan MK. Cryptanalysis and improvement of “a secure password authentication mechanism for seamless handover in proxy mobile IPv6 networks”. PloS one. 2015; 10(11): 1–21.
- 13. J Kempf, C Vogt. Security threats to network-based localized mobility management (NETLMM). No. RFC 4832. 2007;
- 14. Alizadeh M, Zamani M, Baharun S, Hassan WH, Khodadadi T. Security and privacy criteria to evaluate authentication mechanisms in proxy mobile ipv6. Jurnal Teknologi. 2015; 72(5): 27–30.
- 15. P Rogaway, T Shrimpton. Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. International Workshop on Fast Software Encryption. 2004; 371–388.
- 16. Burrows JH. Secure hash standard. National Institute of Standards and Technology. 1995;17–45.
- 17. Moon J, Choi Y, Kim J, Won D. An improvement of robust and efficient biometrics based password authentication scheme for telecare medicine information systems using extended chaotic maps. Journal of medical systems. 2016; 40(3): 70. pmid:26743628
- 18. Choi Y, Lee Y, Won D. Security improvement on biometric based authentication scheme for wireless sensor networks using fuzzy extraction. International Journal of Distributed Sensor Networks. 2016; 12(1): 1–16.
- 19. Jung J, Kang D, Lee D, Won D. An Improved and Secure Anonymous Biometric-Based User Authentication with Key Agreement Scheme for the Integrated EPR Information System. PloS one. 2017; 12(1): 1–26.
- 20. Jin ATB, Ling DNC, Goh A. Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern recognition. 2004; 37(11):2245–2255.
- 21. Tan Z. A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. Journal of medical systems. 2014; 38(3): 16. pmid:24643750
- 22. Liao IE, Lee CC, Hwang MS. A password authentication scheme over insecure networks. Journal of Computer and System Sciences. 2006; 72(4): 727–740.
- 23. Yang G, Wong DS, Wang H, Deng X. Two-factor mutual authentication based on smart cards and passwords. Journal of Computer and System Sciences. 2008; 74(7): 1160–1172.
- 24. Kocher P, Jaffe J, Jun B, Rohatgi P. Introduction to differential power analysis. Journal of Cryptographic Engineering. 2011; 1(1): 5–27.
- 25. Amin R, Biswas GP. A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Networks. 2016; 36: 58–80.
- 26. Ma CG, Wang D, Zhao SD. Security flaws in two improved remote user authentication schemes using smart cards. International Journal of Communication Systems. 2014; 27(10): 2215–2227.
- 27. Chaudhry SA, Farash MS, Nagvi H, Kumari S, Khan MK. An enhanced privacy preserving remote user authentication scheme with provable security. Security and Communication Networks. 2015; 8(18): 3782–3795.
- 28. Chaudhry SA, Nagvi H, Sher M, Farash MS, Hassan MU. An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Networking and Applications. 2017; 10(1): 1–15.
- 29. Farash MS, Turkanovic M, Kumari S, Holbi M. An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the internet of things environment. Ad Hoc Networks. 2016; 36: 152–176.
- 30. Amin R, Kumar N, Biswas GP, lqbal R, Chang V. A light weight authentication protocol for IoT-enabled devices in distributed Cloud Computing environment. Future Generation Computer Systems. 2016; 1–15.
- 31. Sutrala AK, Das AK, Odelu V, Wazid M, Kumari S. Secure anonymity-preserving password-based user authentication and session key agreement scheme for telecare medicine information systems. Computer Methods and Programs in Biomedicine. 2016; 135: 167–185. pmid:27586489
- 32. Jung J, Kim J, Choi Y, Won D. An Anonymous User Authentication and Key Agreement Scheme Based on a Symmetric Cryptosystem in Wireless Sensor Networks. Sensors. 2016; 16(8): 1299.
- 33. Wessels J, CMG FINANCE BV. “Application of BAN-logic.” CMG FINANCE BV 19. 2001; 1–23.
- 34. Mathuria AM, Safavi-Naini R, Nickolas PR. On the automation of GNY logic. Australian Computer Science Communications. 1995; 17: 370–379.
- 35. Vigano L. Automated security protocol analysis with the AVISPA tool. Electronic Notes in Theoretical Computer Science. 2006; 155: 61–86.
- 36. Blanchet, Bruno, Ben Smyth, and Vincent Cheval. “ProVerif 1.90: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial.” URL: http://prosecco.gforge.inria.fr/personal/bblanche/proverif/manual.pdf. 2015.
- 37. Wei Dai. 2017. Crypto++® Library. [ONLINE] Available at: https://www.cryptopp.com/. [Accessed 2 March 2017].