
An enhanced password authentication scheme for session initiation protocol with perfect forward secrecy

  • Shuming Qiu ,

    Contributed equally to this work with: Shuming Qiu, Guoai Xu, Haseeb Ahmad, Yanhui Guo

    Roles Writing – original draft

    qiushuming2008@163.com (SQ); xga@bupt.edu.cn (GX)

    Affiliations School of CyberSpace Security, Beijing University of Posts and Telecommunications, Beijing, 100876, China, Elementary Educational College, Jiangxi Normal University, Nanchang, 330022, China

  • Guoai Xu ,

    Contributed equally to this work with: Shuming Qiu, Guoai Xu, Haseeb Ahmad, Yanhui Guo

    Roles Writing – original draft

    qiushuming2008@163.com (SQ); xga@bupt.edu.cn (GX)

    Affiliation School of CyberSpace Security, Beijing University of Posts and Telecommunications, Beijing, 100876, China

  • Haseeb Ahmad ,

    Contributed equally to this work with: Shuming Qiu, Guoai Xu, Haseeb Ahmad, Yanhui Guo

    Roles Writing – original draft

    Affiliation Department of Computer Science, National Textile University, Faisalabad, 37610, Pakistan

  • Yanhui Guo

    Contributed equally to this work with: Shuming Qiu, Guoai Xu, Haseeb Ahmad, Yanhui Guo

    Roles Writing – original draft

    Affiliation School of CyberSpace Security, Beijing University of Posts and Telecommunications, Beijing, 100876, China


Abstract

The Session Initiation Protocol (SIP) is a widely deployed signaling protocol for setting up and controlling multimedia communication sessions. Recently, Kumari et al. proposed an improved smart-card-based authentication scheme for SIP, building on Farash's scheme, and claimed that it resists the known attacks. We observe several notable flaws in Kumari et al.'s scheme: it is prone to the key-compromise impersonation attack, and it provides neither pre-verification in the smart card, nor an efficient password change, nor perfect forward secrecy. To overcome these limitations, we present an enhanced authentication scheme based on Kumari et al.'s scheme. We show that the proposed scheme not only removes the weaknesses of Kumari et al.'s scheme but also resists the other known attacks. We also analyze the security of the proposed scheme with the widely used AVISPA (Automated Validation of Internet Security Protocols and Applications) tool. Finally, a comparison with earlier proposals in terms of security and efficiency shows that the proposed scheme is efficient and more secure.

1 Introduction

The Session Initiation Protocol (SIP) is an important and popular signaling protocol for establishing and controlling multimedia communication sessions, used in applications such as Internet telephony for voice and video calls, private IP telephone systems and instant messaging over Internet Protocol (IP) networks [1, 2]. SIP has attracted extensive attention from the research community.

The first authentication scheme for SIP, based on hypertext transfer protocol (HTTP) digest authentication, dates back to 1999 and was proposed by Franks et al. [3]. In 2005, Yang et al. [4] pointed out that the scheme of Franks et al. [3] cannot resist the off-line password guessing attack and the server impersonation attack, and presented a new scheme to address these issues. However, Huang et al. [5] showed that Yang et al.'s [4] scheme cannot resist the stolen-verifier attack, the off-line password guessing attack and the Denning-Sacco attack [6], and that it is unsuitable for power-constrained devices because of its high computational cost. In 2005, to improve Yang et al.'s [4] scheme, Durlanik and Sogukpinar [7] proposed an efficient and secure authentication scheme for SIP using Elliptic Curve Cryptography (ECC); ECC provides the same security level as traditional public-key cryptography with a smaller key size. Subsequently, numerous one-factor, two-factor and three-factor authentication schemes have been proposed for SIP using ECC, RSA, hash functions or chaotic maps [7–25].

1.1 Related works

Recently, Zhang et al. [26] pointed out that the existing protocols for SIP require the SIP server to maintain a password or verification table, which makes them vulnerable to the stolen-verifier attack, server spoofing attack, insider attack and password guessing attack. To address these issues, Zhang et al. proposed a new two-factor authentication protocol for SIP that uses smart cards to avoid maintaining a password table at the SIP server.

Later, Zhang et al. [27] showed that the scheme in [26] is prone to the impersonation attack and proposed an improved smart-card-based protocol. However, Farash [28] pointed out that Zhang et al.'s protocol [27] is still insecure against the impersonation attack and proposed an improvement that slightly modifies it. Lu et al. [29] then analyzed Farash's scheme [28] and showed that it still has security weaknesses: the key-compromise impersonation attack, the off-line guessing attack, and a lack of anonymity and pre-verification. Lu et al. designed an anonymity-preserving authentication protocol to remedy these limitations and claimed that it resists all known attacks. Subsequently, Kumari [30] showed that an adversary who obtains the data on the user's smart card can compute the user's identity and password in Lu et al.'s scheme [29], so that it does not meet the two-factor security criterion; Kumari also pointed out that the key agreement procedure of Lu et al.'s scheme does not achieve the intended authenticated key agreement. Separately, to eliminate the drawbacks of Zhang et al.'s scheme [26], Irshad et al. [31] developed an enhanced SIP authentication scheme that needs only a single round trip. Arshad et al. [32] found that Irshad et al.'s scheme [31] is susceptible to the user impersonation attack and proposed an improved scheme with performance and security analyses. However, Lu et al. [33] demonstrated that the modified scheme of Arshad et al. [32] lacks user anonymity and mutual authentication and is susceptible to the key-compromise impersonation attack. In 2014, Jiang et al. [34] also observed that Zhang et al.'s scheme [26] is prone to the user impersonation attack and modified it to be more secure than the original design; Azrour et al. [35] later showed that Jiang et al.'s protocol suffers from the server impersonation attack.

In 2014, Tu et al. [36] also proved that Zhang et al.'s scheme [26] is vulnerable to the user impersonation attack and proposed an enhanced protocol. However, Farash [37] pointed out that Tu et al.'s scheme is still vulnerable to the server impersonation attack and proposed an improvement of it. In 2015, Chaudhry et al. [38] also showed that Tu et al.'s scheme [36] is vulnerable to server impersonation, replay and denial-of-service attacks and lacks user anonymity, and that Farash's improvement [37] on Tu et al.'s scheme [36] lacks user anonymity and is vulnerable to the replay attack. Chaudhry et al. [38] then proposed an anonymous authenticated key agreement scheme, claiming that it is more secure and suitable for lightweight environments. Recently, Kumari et al. [39] also analyzed Farash's protocol [37] and showed that it is vulnerable to the user impersonation attack, password guessing attack and session-specific temporary information leakage attack, and that it fails to provide user anonymity. Kumari et al. [39] proposed an improved protocol and claimed that it is robust against all known attacks and lighter than Farash's protocol [37]. From the above, one can observe that most of these protocols still have security loopholes and do not reach the security level expected of an authentication protocol. Accordingly, designing a more secure and efficient authentication and key agreement protocol for SIP remains a challenging research topic.

1.2 Contribution of this paper

The relationship between the proposed scheme and the related work is depicted in Fig 1. The contributions of this paper are as follows:

  • We analyze the security of Kumari et al.'s [39] authentication scheme for SIP and point out that it fails to provide pre-verification in the smart card, local password change and perfect forward secrecy, and that it is susceptible to the key-compromise impersonation attack.
  • To overcome these limitations, we propose an improved scheme that keeps the benefits of the original scheme at the cost of a slight increase in computation, by employing a “fuzzy verifier” [40]. We show that our scheme provides perfect forward secrecy, resists the key-compromise impersonation attack and has other desirable security features.
  • We use the AVISPA tool to show that the proposed scheme satisfies mutual authentication and session key secrecy.
  • We compare the security and performance of the proposed scheme with those of relevant schemes; the comparison shows that the proposed scheme is efficient and more secure than the prevalent schemes.

1.3 Organization of this paper

The remainder of this paper is organized as follows. Section “Preliminaries” introduces the notation, the hard problems on elliptic curves and the adversary model used in this paper. Kumari et al.'s scheme [39] is reviewed and cryptanalyzed in Sections “Review of Kumari et al.'s scheme” and “Cryptanalysis of Kumari et al.'s scheme”, respectively. Section “The enhanced scheme for SIP” presents our proposed scheme. Sections “Security analysis of the enhanced scheme” and “Formal security validation using AVISPA tool” give an informal and a formal security analysis of our scheme, respectively. The performance and functionality comparison is presented in Section “Comparative analysis of performance”. Finally, Section “Conclusion” concludes the paper.

2 Preliminaries

In this section, we introduce the notation used in this paper, the definition of a one-way hash function, the hard problems underlying Elliptic Curve Cryptography (ECC) and the capabilities of the adversary. The notation is listed in Table 1.

2.1 Intractable problems

Definition 1 (Collision-resistant one-way hash function) A secure one-way hash function h(⋅): {0, 1}* → {0, 1}n takes a binary string x ∈ {0, 1}* of arbitrary length as input and outputs a binary string y = h(x) ∈ {0, 1}n. A cryptographic hash function h(⋅) satisfies the following properties.

  1. Preimage resistance: given y ∈ {0, 1}n, it is hard to find an input x ∈ {0, 1}* with h(x) = y in polynomial time;
  2. Second-preimage resistance: given x, it is hard to find x′ ∈ {0, 1}* such that x′ ≠ x and h(x′) = h(x);
  3. Collision resistance: it is hard to find any pair (x, x′) with x′ ≠ x such that h(x) = h(x′).

In ECC, the elliptic curve Ep(a, b) over a finite field Fp is defined by the equation y² = x³ + ax + b (mod p), where a, b ∈ Fp and 4a³ + 27b² ≠ 0 (mod p).

Definition 2 (ECDLP) Given a generator P and a point Q = mP in Ep(a, b), where m is randomly selected from Fp and p is a sufficiently large prime, it is computationally hard for a probabilistic polynomial-time (PPT) adversary to compute the secret value m ∈ Fp such that Q = mP.

Definition 3 (ECCDHP) Given the points mP, nP ∈ Ep(a, b), it is computationally infeasible for a probabilistic polynomial-time (PPT) adversary to compute mnP.

2.2 Adversary model

Throughout this paper, following [40–43], the capabilities of the adversary are summarized as follows:

  1. The adversary can extract all parameters stored in the smart card using power analysis [41, 42].
  2. The adversary completely controls the open communication channel, i.e. he can intercept, modify, delete, block and resend messages sent over it.
  3. The adversary can enumerate all pairs (IDi, PWi) from the identity space and the password space in polynomial time.
  4. The adversary can either obtain the user's password via a malicious device or extract the parameters from the smart card, but not both.
  5. When evaluating forward secrecy, the adversary may obtain the server's private key or compromise the user's password.
  6. For the key-compromise impersonation attack, we assume that the adversary knows the long-term private key of the server.

3 Review of Kumari et al.’s scheme

3.1 System setup phase

The server S chooses an elliptic curve E over the finite field Fq, an additive group G of order p with generator P, a one-way hash function h(⋅) and a secret key k, and computes its public key Q = kP. Finally, S publishes the public parameters {E(Fq), P, p, Q, h(⋅)} and keeps k as its long-term private key.

3.2 Registration phase

In this phase, the user U is registered as a legal user by executing the following steps over a secure channel:

  1. Step 1: User U selects his identity ID, password PW and a random number au. He then computes VPW = h(ID||PW||au) and sends the registration request {ID, VPW} to the server S.
  2. Step 2: After receiving {ID, VPW}, S computes ru = (VPW + h(ID||k))P and stores ru in a new smart card SC. S issues SC = {ru, Q = kP, h(⋅)} to U.
  3. Step 3: Upon receiving the smart card SC, U stores au in it. Finally, SC = {ru, Q = kP, au, h(⋅)} and U is registered as a legal user.

3.3 Login and mutual authentication phase

In this phase, user U establishes a session key with the server S as follows:

  1. Step 1: U inserts his smart card SC into a card reader and inputs his identity ID and password PW.
  2. Step 2: U selects a random number b and computes bP, V = bQ and Wu = b(ru − VPW·P). U further computes fu = ID ⊕ Vx and zu = h(ID||bP||Vy||Wu), where Vx and Vy are the x and y coordinates of V. Finally, U sends the login request {fu, bP, zu} to S.
  3. Step 3: After receiving {fu, bP, zu}, S computes V = k(bP) and recovers ID = fu ⊕ Vx. S then computes Wu = h(ID||k)(bP), recomputes zu and checks it against the received value. If it holds, S chooses a random number c, computes the session key sk and Auths = h(c||sk), and sends the challenge message {c, Auths} to U.
  4. Step 4: After receiving {c, Auths}, U computes the session key sk and checks whether Auths equals h(c||sk). If it holds, U computes Authu = h(ID||c + 1||sk) and sends the response message {Authu} to S.
  5. Step 5: On receiving {Authu}, S computes h(ID||c + 1||sk) and checks whether it equals Authu. If so, S believes that it has successfully established the session key sk with U.

3.4 Password changing phase

In this phase, U changes his password by interacting with the server S. After U has established a session key sk with S, U performs the following steps:

  1. Step 1: User U selects a new password PWnew and two random numbers anew and e. He computes VPWnew = h(ID||PWnew||anew) and mu = Encsk(ID||e||VPWnew||h(ID||e||VPWnew)), and sends the request {mu, e} to the server S.
  2. Step 2: After receiving {mu, e}, S computes Decsk(mu) = ID||e||VPWnew||h(ID||e||VPWnew) and verifies the hash h(ID||e||VPWnew). If the check passes, S computes the new ru from VPWnew, encrypts it under sk as ms and sends the response {ms} to U.
  3. Step 3: Upon receiving {ms}, U decrypts it, verifies the enclosed hash and, if the check passes, replaces ru and au in the smart card with the new values.

4 Cryptanalysis of Kumari et al.’s scheme

Kumari et al. [39] claimed that their scheme resists many known attacks. In the following subsections we show in detail that the scheme not only fails to provide pre-verification in the smart card, perfect forward secrecy and efficient password change, but also fails to resist the key-compromise impersonation attack. These properties are fundamental for an authentication scheme for SIP, so their scheme is still unsuitable for practical use.

4.1 Pre-verification in smart card

If the smart card verifies the correctness of the identity and password when the user inputs them, we say that the protocol provides pre-verification in the smart card. Kumari et al.'s scheme does not provide such a mechanism.

In the login phase of Kumari et al.'s scheme, the smart card cannot check the user's password and identity because it stores no verification value. If the user inputs a wrong password or identity, or an adversary performs this step, the smart card cannot detect it, and the session is not terminated until the server detects the incorrect login. This wastes computation at the server. Consequently, Kumari et al.'s scheme does not provide pre-verification in the smart card.

4.2 Key-compromise impersonation attack

Consider the scenario in which the long-term private key of the server S is compromised. The adversary can then trivially impersonate S to a legitimate user; if the adversary nevertheless cannot impersonate a legitimate user to S, we say that the protocol resists the key-compromise impersonation attack. Unfortunately, Kumari et al.'s scheme does not withstand this attack, as the following steps show.

  1. Step 1: First, the adversary extracts the information {ru, kP, au} stored in the smart card using a side-channel attack [41] and captures a login request {fu, bP, zu} of the user. Knowing the long-term private key k of S, the adversary computes V = k(bP) and recovers the real identity ID = fu ⊕ Vx. Posing as the user, the adversary randomly selects b′, computes V′ = b′(kP) and, since he knows k and ID, the values fu, Wu = h(ID||k)(b′P) and zu corresponding to b′, and sends the forged login request to S.
  2. Step 2: On receiving the forged request, S computes V′ = k(b′P), recovers ID and verifies the received zu. The check passes, because the adversary computed zu exactly as S verifies it, so the adversary is authenticated by S. S then chooses a random number c, computes sk and Auths = h(c||sk), and returns {c, Auths} to the adversary.
  3. Step 3: On receiving the challenge, the adversary computes sk in the same way, verifies Auths, computes Authu = h(ID||c + 1||sk) and sends it to S.
  4. Step 4: On receiving the response, S recomputes Authu and finds that it matches. Hence S believes that it has established the session key sk with the legitimate user, while in fact it has been subjected to the key-compromise impersonation attack.

Accordingly, Kumari et al.'s scheme fails to resist the key-compromise impersonation attack.

4.3 Perfect forward secrecy

When the long-term private key k is compromised, the adversary executes the following steps against Kumari et al.'s scheme.

  1. Step 1: The adversary intercepts the login request {fu, bP, zu} of user U, computes V = k(bP) and obtains {Vx, Vy}.
  2. Step 2: The adversary recovers ID = fu ⊕ Vx and, using k and ID, computes Wu = h(ID||k)(bP).
  3. Step 3: The adversary captures the challenge message {c, Auths} of the server S and computes the session key sk from the values obtained above. Thus, once the long-term private key k is revealed, the adversary obtains the session key of every recorded session, and the whole session is exposed.

Therefore, Kumari et al.'s scheme fails to provide perfect forward secrecy.

4.4 Efficient password changing

In the password changing phase of Kumari et al.'s scheme, a user U who wants to change her/his password must first establish a session key with the server. This adds considerable communication and computation overhead to what could be a purely local operation.

5 The enhanced scheme for SIP

In this section, we present an improved scheme based on Kumari et al.'s scheme. The proposed scheme overcomes the limitations of Kumari et al.'s scheme, achieves mutual authentication and resists the known attacks. Specifically, we use a public-key primitive to protect the identity of the user and to provide perfect forward secrecy. In the registration phase, the server S generates a per-user random nonce b, so that compromise of the long-term private key of S alone does not reveal the user's secret N. In the password change phase, the smart card SC changes the password locally. The proposed scheme comprises four phases: system initialization, registration, login and authentication, and password change. The registration and login-authentication phases are depicted in Fig 2.

5.1 System initialization phase

In this phase, the server S selects an elliptic curve E over the finite field Fp with generator P, a random private key k and a one-way hash function h(⋅). S computes G = kP as its public key. Finally, S publishes the parameters {E, P, G, h(⋅)} and keeps k as its long-term private key.

5.2 Registration phase

  1. Step 1. The user U chooses an identity ID.
  2. Step 2. U → S: {ID}.
  3. Step 3. After receiving the registration message from U, S chooses two random numbers au and b and computes N = h(k||ID||b) and VPW = h(PW0||au||ID), where PW0 is the initial password. S further computes ru = N ⊕ VPW and Au = h((h(ID) ⊕ VPW) mod n0), where n0 is an integer with 2⁴ ≤ n0 ≤ 2⁸. S stores {ID, b} in its database.
  4. Step 4. S → U: {SC, PW0}, where the smart card SC contains {ru, P, au, Au, p, G = kP, n0, h(⋅)}.
  5. Step 5. On receiving the smart card SC from S, the user U should immediately change the initial password using the password update phase.

5.3 Login and mutual authentication phase

Once the user U has registered with the server successfully, he sends a login request to the server S whenever he wants to use the service, as follows:

  1. Step 1. U inserts the smart card SC into a card reader and inputs ID and PW.
  2. Step 2. SC computes VPW = h(PW||au||ID), recomputes the fuzzy verifier h((h(ID) ⊕ VPW) mod n0) and compares it with the value Au stored in SC. If they are equal, ID and PW are accepted as valid; otherwise, the session is terminated.
  3. Step 3. SC computes N = ru ⊕ VPW, chooses a random number cu and computes V = cuP, W = cuG, fu = ID ⊕ Wx and zu = h(ID||Wy||fu||N), where Wx and Wy are the x and y coordinates of W.
  4. Step 4. U → S: {V, fu, zu}.
  5. Step 5. After obtaining {V, fu, zu}, S computes W* = kV and ID = fu ⊕ W*x, and looks ID up in its database. If ID is not found, S treats the attempt as failed; once the number of failed attempts exceeds a threshold (such as 8), S concludes that the smart card has been usurped by an attacker and locks it until U re-registers. Otherwise, S computes N = h(k||ID||b) and verifies zu. If zu is invalid, S aborts the session and increments a counter T; when T exceeds some threshold, S suspends the card until U re-registers. Otherwise, S generates random numbers cs and t and computes Vs = csW* (= cucsG), sk = h(N||W*x||G||Vs||ID||t) and Auths = h(t||sk||N).
  6. Step 6. S → U: {csG, Auths, t}.
  7. Step 7. On receiving {csG, Auths, t}, U computes cu(csG), which equals Vs, derives sk* = h(N||Wx||G||Vs||ID||t) and checks whether Auths equals h(t||sk*||N). If not, the session is terminated. Otherwise, S is authenticated by U and U accepts the session key sk*. U then computes Authu from sk* and sends {Authu} to S.
  8. Step 8. U → S: {Authu}.
  9. Step 9. After receiving the response message {Authu}, S recomputes Authu from sk and checks whether it equals the received value. If it does, U is authenticated.
  10. Step 10. Finally, both the user U and the server S share the common session key sk = sk*.
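
A worked run of the registration and login-authentication phases above, added here as an illustration; it is not the paper's or the authors' code. It instantiates h(⋅) as SHA-256, uses the secp256k1 curve with hand-written point arithmetic (illustration only, not constant-time), feeds points into hashes through their x-coordinate, fixes n0 = 2⁶, pads ID to 32 bytes for the XOR with Wx, and assumes Authu = h(ID||sk||N), since the page does not give its exact form. The server's lockout counter is only noted in comments.

```python
import hashlib
import secrets

# secp256k1 parameters; the pure-Python point arithmetic is for illustration only.
P_MOD = 2**256 - 2**32 - 977
BASE = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
N0 = 2**6  # fuzzy-verifier modulus n0, taken from the range [2^4, 2^8]

def ec_add(p, q):
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # point at infinity
    num, den = (3 * x1 * x1, 2 * y1) if p == q else (y2 - y1, x2 - x1)  # a = 0
    lam = num * pow(den, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, p):  # double-and-add scalar multiplication k*p
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p, k = ec_add(p, p), k >> 1
    return r

def h(*parts):  # the paper's h(a||b||...) instantiated with SHA-256
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def i2b(x):  # 32-byte encoding; points enter hashes through their x-coordinate
    return x.to_bytes(32, "big")

def rand_scalar():
    return secrets.randbelow(ORDER - 1) + 1

def fuzzy_verifier(ID, VPW, n0):  # Au = h((h(ID) xor VPW) mod n0)
    return h(str(int.from_bytes(xor(h(ID), VPW), "big") % n0).encode())

class Server:
    def __init__(self):
        self.k = rand_scalar()            # long-term private key k
        self.G = ec_mul(self.k, BASE)     # public key G = kP
        self.db = {}                      # ID -> per-user nonce b

    def register(self, ID, PW0):  # Registration Steps 3-4: smart-card contents for U
        au, b = secrets.token_bytes(16), secrets.token_bytes(16)
        N, VPW = h(i2b(self.k), ID, b), h(PW0, au, ID)
        self.db[ID] = b
        return {"ru": xor(N, VPW), "au": au, "Au": fuzzy_verifier(ID, VPW, N0),
                "G": self.G, "n0": N0}

    def challenge(self, msg):  # Login Step 5: verify {V, fu, zu}; reply {csG, Auths, t}
        V, fu, zu = msg
        W = ec_mul(self.k, V)                    # W* = kV = cu*G
        ID = xor(fu, i2b(W[0])).rstrip(b"\0")    # ID = fu xor W*_x
        if ID not in self.db:
            return None                          # unknown ID counts as a failed attempt
        N = h(i2b(self.k), ID, self.db[ID])
        if zu != h(ID, i2b(W[1]), fu, N):
            return None                          # the lockout counter T would go here
        cs, t = rand_scalar(), secrets.token_bytes(16)
        Vs = ec_mul(cs, W)                       # Vs = cs*W* = cu*cs*G
        sk = h(N, i2b(W[0]), i2b(self.G[0]), i2b(Vs[0]), ID, t)
        self.pending = (ID, N, sk)
        return (ec_mul(cs, self.G), h(t, sk, N), t)

    def finish(self, Authu):  # Login Step 9: check Authu; returns sk on success
        ID, N, sk = self.pending
        return sk if Authu == h(ID, sk, N) else None

def card_login(card, ID, PW):  # Login Steps 2-4; None means pre-verification failed
    VPW = h(PW, card["au"], ID)
    if fuzzy_verifier(ID, VPW, card["n0"]) != card["Au"]:
        return None
    N, cu = xor(card["ru"], VPW), rand_scalar()
    V, W = ec_mul(cu, BASE), ec_mul(cu, card["G"])
    fu = xor(ID.ljust(32, b"\0"), i2b(W[0]))
    return {"ID": ID, "N": N, "cu": cu, "W": W, "G": card["G"]}, (V, fu, h(ID, i2b(W[1]), fu, N))

def card_finish(state, msg):  # Login Step 7; Authu = h(ID||sk||N) is an assumed form
    csG, Auths, t = msg
    Vs = ec_mul(state["cu"], csG)                # cu*(cs*G) equals the server's Vs
    sk = h(state["N"], i2b(state["W"][0]), i2b(state["G"][0]), i2b(Vs[0]), state["ID"], t)
    if Auths != h(t, sk, state["N"]):
        return None
    return sk, h(state["ID"], sk, state["N"])

def run(server, card, ID, PW):  # one complete login: (sk at U, sk at S) or None
    st = card_login(card, ID, PW)
    ch = st and server.challenge(st[1])
    fin = ch and card_finish(st[0], ch)
    sk_s = fin and server.finish(fin[1])
    return (fin[0], sk_s) if sk_s else None
```

A wrong password is rejected either locally by the fuzzy verifier or, in the roughly 1/n0 of cases where the wrong password collides modulo n0, by the server's zu check, because N = ru ⊕ VPW is then wrong; a tampered zu is rejected at Step 5 before any session key is derived, and two successful runs produce different keys because cu, cs and t are fresh each time.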

5.4 Password update phase

This phase lets the user change her/his password at will; U and SC execute the following steps:

  1. Step 1. U inserts the smart card into the card reader and inputs ID′, PW′ and a new password PWnew.
  2. Step 2. The smart card SC computes VPW′ = h(PW′||au||ID′) and recomputes the fuzzy verifier h((h(ID′) ⊕ VPW′) mod n0). SC compares it with the stored Au; if they are not equal, SC refuses to change the password.
  3. Step 3. Otherwise, SC generates a fresh random number and uses it, together with N = ru ⊕ VPW′ and PWnew, to recompute au, ru and Au for the new password in the same way as in the registration phase.

Finally, SC stores the new values in place of au, ru and Au in the smart card.

6 Security analysis of the enhanced scheme

In this section, we show that the proposed scheme is secure against the attacks that Kumari et al.'s scheme overlooks and that it also provides the common security features. We adopt the attack model of Kumari et al. and the adversary model of Section 2.2: the adversary completely monitors the open channel and can insert, delete or modify any message between the parties, and can obtain all information stored in the smart card by a side-channel attack [41]. For the key-compromise impersonation attack and perfect forward secrecy, the long-term private key k is revealed to the adversary.

6.1 User anonymity and user un-traceability

In the enhanced scheme, the identity ID is neither transmitted in clear over the open channel nor stored in clear in the smart card. Suppose the adversary captures the messages {V, fu, zu}, {csG, Auths, t} and {Authu} from the public channel. To obtain the user's identity ID from fu, the adversary needs Wx, which requires either the random number cu or the private key k and is therefore unavailable. The adversary cannot guess the identity from zu either, since {N, VPW} are not available. Further, even if the adversary obtains U's smart card and extracts its contents, the identity cannot be recovered, since ID enters the card only through the one-way hash function, the XOR with VPW and the modulo operation. During login and authentication, every transmitted message changes from session to session and carries nothing that links sessions to a user, so the adversary cannot trace the user. Therefore, the proposed scheme ensures user anonymity and untraceability.

6.2 Privileged insider attack

In the registration phase, user U submits only ID to the server S. S then sets an initial password PW0 for U, and after receiving the smart card and PW0, U immediately changes the password to one known only to U. Therefore, no privileged insider can learn or compute the user's password, and the proposed scheme resists the privileged insider attack.

6.3 Pre-verification in the smart card

In the login phase of Kumari et al.'s scheme, the smart card cannot verify the identity and password of the user, which increases the burden on the server. In our login phase, the smart card recomputes the fuzzy verifier from the entered ID and PW and compares it with the stored Au. If the check passes, SC sends the login request to S; otherwise, the session is held until the correct password and identity are entered. This saves computation and communication when the input is wrong or the user is illegitimate. Consequently, the proposed scheme provides pre-verification.

6.4 Key-compromise impersonation attack

In our scheme, even if the secret key k of the server S is compromised, the adversary cannot impersonate the legal user U to S. The adversary does not know the per-user nonce b of S or the correct {ID, PW}, so he cannot compute the correct value N = h(k||ID||b) even after extracting the information in the smart card. Hence the adversary cannot produce a valid login request {V, fu, zu} and is not authenticated by S. This argument relies on the adversary not holding both the card contents {ru, au} and a captured login request at once: given k, the adversary recovers ID and Wy from that request, and zu = h(ID||Wy||fu||N) then lets a password guess PW′ be checked offline through N′ = ru ⊕ h(PW′||au||ID), after which N follows. Under the stated model, our scheme resists the key-compromise impersonation attack.

6.5 Server impersonation attack

Since k is the long-term private key and b is a secret random value of the server S, the adversary cannot compute W* = kV, ID = fu ⊕ W*x or N = h(k||ID||b), and therefore cannot forge sk = h(N||W*x||G||Vs||ID||t) or Auths = h(t||sk||N). Thus the adversary cannot impersonate the server S to the user U.

6.6 Off/On-line password guessing attack

In the proposed scheme, the adversary cannot determine the correct identity and password of U even after extracting {ru, Au, G, n0} from SC. A guessed pair (ID′, PW′) can only be checked against Au = h((h(ID′) ⊕ h(PW′||au||ID′)) mod n0). Because of the reduction modulo n0, a fraction of about 1/n0 of all candidate pairs satisfies this equation, so by the “fuzzy verifier” argument [40] the adversary cannot tell offline whether a surviving (ID′, PW′) is the correct pair. The surviving candidates can only be tested online against S, and the server suspends the smart card until U re-registers once the number of failed logins exceeds the fixed threshold, which bounds the online trials. Therefore, the proposed scheme withstands the off-line and on-line password guessing attacks.
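
The following added example (not from the paper) quantifies the fuzzy-verifier argument of this subsection with hash-only code: an adversary holding the card values {au, Au, n0}, and assumed here to already know ID (the worst case for the user), runs a dictionary over a constructed password list and counts the candidates that satisfy the Au check, for n0 at both ends of the paper's range and, for contrast, for a plain unreduced verifier. h(⋅) is instantiated as SHA-256; the identity, the dictionary and the fixed salt au are constructed inputs chosen for reproducibility.

```python
import hashlib

def h(*parts):  # the paper's h(a||b||...) instantiated with SHA-256
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def verifier(ID, VPW, n0=None):
    """Fuzzy verifier Au = h((h(ID) xor VPW) mod n0); n0=None gives a plain,
    unreduced verifier h(h(ID) xor VPW) for comparison."""
    v = int.from_bytes(xor(h(ID), VPW), "big")
    return h(str(v if n0 is None else v % n0).encode())

def make_card(ID, PW, n0):
    """The verifier-related card contents {au, Au, n0} written at registration.
    au is fixed here so that the counts are reproducible; the scheme draws it at random."""
    au = b"\x00" * 16
    return {"au": au, "Au": verifier(ID, h(PW, au, ID), n0), "n0": n0}

def offline_guess(card, ID, candidates):
    """What an adversary holding the card and knowing ID can do offline: keep every
    candidate password whose Au matches. Nothing else on the card checks PW."""
    return [pw for pw in candidates
            if verifier(ID, h(pw, card["au"], ID), card["n0"]) == card["Au"]]

# Constructed inputs: one identity, the true password and 4095 decoys.
ID = b"alice@example.org"
TRUE_PW = b"correct horse battery"
DICT = [TRUE_PW] + [b"guess-%04d" % i for i in range(4095)]

def survivors(n0):
    """Candidates that pass the card check for a given n0 (None = plain verifier)."""
    return offline_guess(make_card(ID, TRUE_PW, n0), ID, DICT)

def survivor_counts():
    """Offline-guessing result for a plain verifier and for n0 = 2^4 and 2^8."""
    return {n0: len(survivors(n0)) for n0 in (None, 2**4, 2**8)}
```

With the plain verifier the dictionary attack pins the password down to the single true entry; with n0 = 2⁴ about one candidate in sixteen survives and with n0 = 2⁸ about one in 256, so the true password hides among a few hundred or a few dozen indistinguishable candidates that can only be separated by online attempts, which the server's lockout counter limits. The trade-off is visible in the counts: a smaller n0 leaves more candidates but also lets more wrong passwords pass the card's local check.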

6.7 Replay attack

Suppose the adversary has captured all the messages {V, fu, zu}, {csG, Auths, t} and {Authu} of a session and replays them to U or S. The proposed scheme uses the random numbers {cu, cs, t}, which differ in every session. A replayed {csG, Auths, t} is rejected by U, since Auths is bound to the session key of the new session, which depends on U's fresh cu; a replayed {Authu} is rejected by S for the same reason, since sk depends on the fresh cs and t. A replayed login request {V, fu, zu} passes the check in Step 5, but the adversary cannot answer the fresh challenge without cu, so no session key is established. Therefore, the replay attack is prevented by the proposed scheme.

6.8 Session-specific temporary information attack

In the proposed scheme, if the random numbers cu, cs and t are compromised, the adversary can compute W = cuG and hence Wx, capture the transmitted messages {V, fu, zu, csG, t}, and then compute ID = fu ⊕ Wx and Vs = csW = cucsG. However, to obtain the session key sk = h(N||Wx||G||Vs||ID||t), the adversary must know N, which is unavailable since N is protected by the private key k and the random number b of the server S. Hence the adversary still cannot compute the session key even though {cu, cs, t} are compromised, and the proposed protocol is secure against the session-specific temporary information attack.

6.9 Man-in-the-middle attack

Suppose an adversary intercepts the login request {V, fu, zu} and has the information stored in the smart card. To mount a man-in-the-middle attack, the adversary must produce a valid login request of his own for S. Although he can choose his own random cu, he knows neither N nor the real identity ID, so he cannot compute a valid fu or zu. Likewise, even if he intercepts the challenge message {csG, Auths, t}, he cannot forge it for U without {N, ID}. Without the server's private key k and the random number b, computing N is infeasible for the adversary. Thus the attacker cannot modify the login request or the challenge message without detection, and our scheme resists the man-in-the-middle attack.

6.10 Mutual authentication

In the proposed scheme, S first checks the validity of ID and then authenticates U by verifying zu and Authu. On the other hand, U authenticates S by verifying Auths. Consequently, the proposed scheme provides mutual authentication.

6.11 Perfect forward secrecy

When it comes to forward secrecy, we assume that the private key k of S is compromised and that the adversary obtains the sensitive data {ru, Au, G} stored in the smart card and the transmitted message {V, fu, zu}. The adversary can compute W = kV and calculate ID = fuWx. But in order to calculate a previous session key sk = h(N||Wx||G||Vs||ID||t), the adversary must know cu or cs. However, it is impossible for the adversary to obtain cu from V or cs from csG, and hence to calculate cucsG, due to the intractability of ECDLP and ECCDHP. Thus, even after obtaining the private key k of server S and the smart card, the adversary is still unable to calculate the session key sk. As a result, the proposed scheme provides perfect forward secrecy.
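To make the two compromise scenarios of Sections 6.8 and 6.11 concrete, the following is an added Python sketch (not code from the paper) of the key derivation sk = h(N||Wx||G||Vs||ID||t) on secp256k1, together with what an adversary holding the server key k, or the ephemerals cu and cs, can reconstruct from the public transcript. It assumes V = cu·G so that W = cu·Ppub = k·V (reconciling the two expressions for W above), and models N as an opaque server secret bound to k and b; these are modelling assumptions, not the paper's exact definitions.

```python
import hashlib

# secp256k1 domain parameters (standard public constants, not from the paper)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    # Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity.
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    acc = None  # double-and-add scalar multiplication k*pt
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def h(*parts):
    return hashlib.sha256("||".join(str(p) for p in parts).encode()).hexdigest()


def session_key(N, Wx, Vs, ID, t):
    return h(N, Wx, G, Vs, ID, t)   # sk = h(N||Wx||G||Vs||ID||t) as in the paper


def run_session(ID, k, b, cu, cs, t):
    # One login/challenge exchange; returns the public transcript and both sides' keys.
    Ppub = ec_mul(k, G)
    N = h(k, b, ID)          # ASSUMPTION: N modelled as a server secret bound to k and b
    V = ec_mul(cu, G)        # ASSUMPTION: V = cu*G, so W = cu*Ppub equals k*V (Sections 6.8, 6.11)
    W = ec_mul(cu, Ppub)
    fu = ID ^ W[0]           # fu masks ID with Wx; the receiver recovers ID = fu xor Wx
    csG = ec_mul(cs, G)
    sk_user = session_key(N, W[0], ec_mul(cu, csG), ID, t)             # user: Vs = cu*(csG)
    sk_server = session_key(N, ec_mul(k, V)[0], ec_mul(cs, V), ID, t)  # server: W = kV, Vs = cs*V
    return {"Ppub": Ppub, "V": V, "fu": fu, "csG": csG, "t": t}, sk_user, sk_server


def view_with_server_key(k, tr):
    # Section 6.11: a leaked k yields W = kV and hence ID, but Vs = cu*cs*G stays out of reach (ECCDHP).
    Wx = ec_mul(k, tr["V"])[0]
    return {"Wx": Wx, "ID": tr["fu"] ^ Wx, "t": tr["t"]}


def view_with_ephemerals(cu, cs, tr):
    # Section 6.8: leaked cu, cs, t yield Wx, ID and Vs, but not the server-side secret N.
    Wx = ec_mul(cu, tr["Ppub"])[0]
    return {"Wx": Wx, "ID": tr["fu"] ^ Wx, "Vs": ec_mul(cs, tr["V"]), "t": tr["t"]}


def can_derive_key(view):
    # True only if every non-public input of sk is in the adversary's view.
    return {"N", "Wx", "Vs", "ID", "t"} <= set(view)
```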

6.12 Efficient password changing

In the proposed protocol, if the user U wants to change her/his password, U only needs to interact with the smart card SC to perform some operations. In this phase, the server S is not involved in the process of password changing. Therefore, our proposed protocol is efficient in the password changing phase.

7 Formal security validation using AVISPA tool

AVISPA (Automated Validation of Internet Security Protocols and Applications) is a push-button software tool for the automated validation of Internet security-sensitive protocols and applications [44]. AVISPA supports the High Level Protocol Specification Language (HLPSL), which is usually used to provide the formal security verification of the simulated protocol. The simulation results in AVISPA indicate whether the proposed protocol is secure against active and passive attacks. The architecture of the AVISPA tool is depicted in Fig 3 and a detailed introduction can be found in [44].

Accordingly, in order to test the security of the proposed protocol, we also use the AVISPA software tool to simulate it. Firstly, we translate the proposed protocol into HLPSL. The specifications of the roles for the user Ui, the server S, and the session, goal and environment in HLPSL are depicted in Figs 4, 5 and 6, respectively. Since only the OFMC and CL-AtSe backends support the Diffie-Hellman and the bitwise exclusive-OR (XOR) operations, after execution through the OFMC and CL-AtSe backends, the simulation results ensure that our proposed protocol is SAFE against active and passive attacks under the Dolev-Yao model [45]. The simulation results of the proposed scheme are provided in Figs 7 and 8.

Fig 6. Role specification of the session, goal and environment in HLPSL.

https://doi.org/10.1371/journal.pone.0194072.g006

8 Comparative analysis of performance

This section analyzes the performance of our proposed scheme by comparing it with Zhang et al.’s [27], Jiang et al.’s [34], Irshad et al.’s [31], Chaudhry et al.’s [38], Tu et al.’s [36], Zhang et al.’s [26], Farash’s [37] and Kumari et al.’s [39] schemes. Generally, in order to compare the computational complexity, we neglect lightweight operations such as the exclusive-OR operation and string concatenation. The operations used in our comparison are described below:

  • Tpa: the time for performing an elliptic curve point addition operation.
  • Tpm: the time for performing a point multiplication operation.
  • Tme: the time for performing a modular exponentiation operation.
  • Tsed: the time for performing a symmetric encryption or decryption operation.
  • Th: the time for performing a hash operation.

According to the experimental results reported in [46], Th, Tpm, Tpa and Tsed take approximately 0.0023 ms, 2.226 ms, 0.0288 ms and 0.0046 ms, respectively. The above timings were obtained on a personal computer with an Intel Pentium Dual CPU E2200 2.20 GHz processor, 2048 MB of RAM and the Ubuntu 12.04.1 LTS 32-bit operating system [46].

In this section, the comparative analysis is twofold as follows:

  • Comparison of computational complexity (Table 2)
  • Comparison of security features (Table 3)
Table 2. Comparison of computational complexity in login-authentication phase.

https://doi.org/10.1371/journal.pone.0194072.t002

According to Table 2, the total computational cost of our proposed scheme in the login and authentication phase is 13Th + 6Tpm ≈ 13.3859 ms. The results show that the proposed scheme outperforms [26, 27, 31, 34, 36–38]. In comparison to Kumari et al. [39], our scheme has a slightly higher computational cost. However, this is an acceptable range under the trade-off between security and usability.

From Table 3, we observe that the proposals [26, 27, 31, 34, 36–39] lack some security ingredients and have more security problems than the proposed scheme. In Kumari et al.’s scheme [39], the authors declared that their protocol is secure against the user impersonation attack, password guessing attack and session-specific temporary information attack applicable to Farash’s scheme [37]. On one hand, it is well known that perfect forward secrecy is a key security feature of a key agreement scheme, since it ensures the security of past session keys. On the other hand, the key-compromise impersonation attack is also a fatal attack on SIP; if measures to resist this attack are available, why not design such a scheme? However, according to our observation, Kumari et al.’s scheme [39] cannot provide perfect forward secrecy and is vulnerable to the key-compromise impersonation attack. Meanwhile, the key-compromise impersonation attack is not considered by any scheme in Table 3 except ours. Fortunately, we have taken an effective measure to tackle the key-compromise impersonation attack in our scheme, namely, the server stores a random secret value b in its database. Besides, the proposed protocol utilizes the technique of “fuzzy-verifiers” [40] to resist the off-line identity guessing attack and provides more security features, including pre-verification in the smart card and efficient password changing. Therefore, the proposed scheme not only addresses the security problems of Kumari et al.’s scheme [39] but also retains all its merits, as depicted in Table 3. Although our scheme employs slightly more of the costly elliptic curve point multiplication operation, as a trade-off it can resist all known attacks, which are very important ingredients of the security of mutual authentication.

9 Conclusion

In this paper, we have provided a security analysis of Kumari et al.’s scheme [39] to prove that their scheme [39] is vulnerable to the key-compromise impersonation attack and does not provide perfect forward secrecy, pre-verification in the smart card or efficient password changing. In order to remedy these limitations in Kumari et al.’s [39] scheme, we propose an enhanced authentication scheme with refined security. The proposed scheme inherits the merits of Kumari et al.’s [39] scheme, resists the aforementioned attacks and provides more comprehensive security features with a slightly higher computational cost than [39]. Additionally, the simulation results of the proposed protocol using the AVISPA software indicate that the proposed protocol is secure against active and passive attacks. Finally, in comparison with the previously proposed schemes, we conclude that the proposed protocol is more secure and effective for implementation in real-life scenarios. In fact, many of the existing protocols cannot achieve unconditional security. In order to enhance the security of authentication protocols, a number of three-factor authentication protocols have been designed. Therefore, in our future work, we will design a more secure three-factor mutual authentication protocol based on smart cards to be implemented in many practical scenarios, such as the Internet of Things, Wireless Sensor Networks, Medical Care Systems, Vehicular Ad Hoc Networks, etc.

Supporting information

S1 Fig. Registration and authentication phase of our scheme.

https://doi.org/10.1371/journal.pone.0194072.s001

(EPS)

S2 Fig. Architecture of the AVISPA tool.

https://doi.org/10.1371/journal.pone.0194072.s002

(EPS)

S3 Fig. Role specification of Ui in HLPSL.

https://doi.org/10.1371/journal.pone.0194072.s003

(EPS)

S4 Fig. Role specification of S in HLPSL.

https://doi.org/10.1371/journal.pone.0194072.s004

(EPS)

S5 Fig. Role specification of the session, goal and environment in HLPSL.

https://doi.org/10.1371/journal.pone.0194072.s005

(EPS)

S6 Fig. The simulation result using the OFMC backend.

https://doi.org/10.1371/journal.pone.0194072.s006

(EPS)

S7 Fig. The simulation result using the CL-AtSe backend.

https://doi.org/10.1371/journal.pone.0194072.s007

(EPS)

Acknowledgments

The authors thank the anonymous reviewers and the Editor for the constructive comments and generous feedback. The authors are also grateful to Dr. Shehzad Ashraf Chaudhry for the valuable suggestions on this paper. This work was supported by the National Key Research and Development Program of China (No. 2017YFB0801900 and No. 2017YFB0801901).

References

  1. Shen C, Nahum E, Schulzrinne H, Wright CP. The impact of TLS on SIP server performance: measurement and modeling. IEEE/ACM Transactions on Networking. 2012; 20(4):1217–1230. https://doi.org/10.1109/TNET.2011.2180922
  2. Session Initiation Protocol. https://en.wikipedia.org/wiki/Session_Initiation_Protocol (accessed on December 2017).
  3. Franks J, Hallam-Baker P, Hostetler J, Lawrence S, Leach P, Luotonen A. HTTP Authentication: Basic and digest access authentication. IETF RFC 2617; 1999.
  4. Yang C, Wang R, Liu W. Secure authentication scheme for session initiation protocol. Comput Secur. 2005; 24:381–386. https://doi.org/10.1016/j.cose.2004.10.007
  5. Huang HF, Wei WC, Brown GE. A new efficient authentication scheme for session initiation protocol. In: 9th Joint Conference on Information Sciences; 2006.
  6. Denning D, Sacco G. Timestamps in key distribution systems. Commun ACM. 1981; 24(8):533–536. https://doi.org/10.1145/358722.358740
  7. Durlanik A, Sogukpinar I. SIP authentication scheme using ECDH. World Enformatika Soc Trans Eng Comput Technol. 2005; 8:350–353.
  8. Arkko J, Torvinen V, Camarillo G, Niemi A, Haukka T. Security mechanism agreement for SIP sessions. IETF Internet Draft; 2002 Jun.
  9. Arshad R, Ikram N. Elliptic curve cryptography based mutual authentication scheme for session initiation protocol. Multimed Tools Appl. 2013; 66(2):165–178. https://doi.org/10.1007/s11042-011-0787-0
  10. Challa S, Das AK, Kumari S, Odelu V, Wu F, Li X. Provably secure three-factor authentication and key agreement scheme for session initiation protocol. Security and Communication Networks. 2016; 9(18):5412–5431. https://doi.org/10.1002/sec.1707
  11. Chaudhry SA, Khan I, Irshad A, Ashraf MU, Khan MK, Ahmad HF. A provably secure anonymous authentication scheme for session initiation protocol. Secur Commun Netw. 2016. https://doi.org/10.1002/sec.1672
  12. Chaudhry SA, Naqvi H, Shon T, Sher M, Farash MS. Cryptanalysis and Improvement of an Improved Two Factor Authentication Protocol for Telecare Medical Information Systems. J. Medical Systems. 2015; 39(6):1–11. https://doi.org/10.1007/s10916-015-0244-0
  13. Chen TH, Yeh HL, Liu PC, Hsiang HC, Shih WK. A secured authentication protocol for SIP using elliptic curves cryptography. FGIT-FGCN. 2010; 119(1):46–55. https://doi.org/10.1007/978-3-642-17587-9_6
  14. Farash MS, Attari MA. An Enhanced authenticated key agreement for session initiation protocol. Inf Technol Control. 2013; 42(4):333–342. http://dx.doi.org/10.5755/j01.itc.42.4.2496
  15. Farash MS, Chaudhry SA, Heydari M, Sadough SMS, Kumari S, Khan MK. A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security. Int. J. Communication Systems. 2017; 30(4). https://doi.org/10.1002/dac.3019
  16. He DB, Chen J, Chen Y. A secure mutual authentication scheme for session initiation protocol using elliptic curve cryptography. Secur Commun Netw. 2012; 5(12):1423–1429. https://doi.org/10.1002/sec.506
  17. Khan MK. Fingerprint Biometric-based Self-Authentication and Deniable Authentication Schemes for the Electronic World. Iete Technical Review. 2009; 26(3):191–195.
  18. Kumari S, Karuppiah M, Das AK, Li X, Wu F, Gupta V. Design of a secure anonymity-preserving authentication scheme for session initiation protocol using elliptic curve cryptography. J Ambient Intell Human Comput. 2017. https://doi.org/10.1007/s12652-017-0460-1
  19. Kumari S, Khan MK. More secure smart card-based remote user password authentication scheme with user anonymity. Security and Communication Networks. 2014; 7(11):2039–2053. https://doi.org/10.1002/sec.916
  20. Liu FW, Koenig H. Cryptanalysis of a SIP authentication scheme. In: 12th IFIP TC6/TC11 International Conference, CMS, Lecture Notes in Computer Science. 2011; 7025:134–143. https://doi.org/10.1007/978-3-642-24712-5_11
  21. Qiu SM, Xu GA, Ahmad H, Wang LC. A Robust Mutual Authentication Scheme Based on Elliptic Curve Cryptography for Telecare Medical Information Systems. IEEE Access. 2017. https://doi.org/10.1109/ACCESS.2017.2780124
  22. Sutrala AK, Das AK, Odelu V, Wazid M, Kumari S. Secure anonymity-preserving password-based user authentication and session key agreement protocol for telecare medicine information systems. Computer Methods and Programs in Biomedicine. 2016; 135:167–185. https://doi.org/10.1016/j.cmpb.2016.07.028 pmid:27586489
  23. Tang H, Liu X. Cryptanalysis of Arshad et al.’s ECC-based mutual authentication scheme for session initiation protocol. Multimed Tools Appl. 2013; 65(3):321–333. https://doi.org/10.1007/s11042-012-1001-8
  24. Tsai JL. Efficient nonce-based authentication scheme for session initiation protocol. Int J Netw Secur. 2009; 8(3):312–316.
  25. Wang XM, Guo W, Zhang WF, Khan MK, Alghathbar K. Cryptanalysis and improvement on a parallel keyed hash function based on chaotic neural network. Telecommunication Systems. 2013; 52(2):515–524. http://dx.doi.org/10.1007/s11235-011-9457-9
  26. Zhang L, Tang S, Cai Z. Efficient and flexible password authenticated key agreement for voice over internet protocol session initiation protocol using smart card. International Journal of Communication Systems. 2014; 27(11):2691–2702. http://dx.doi.org/10.1002/dac.2499
  27. Zhang L, Tang S, Cai Z. Cryptanalysis and improvement of password-authenticated key agreement for session initiation protocol using smart cards. Security and Communication Networks. 2014; 7(12):2405–2411. https://doi.org/10.1002/sec.951
  28. Farash MS. An improved password-based authentication scheme for session initiation protocol using smart cards without verification table. Int J Commun Syst. 2014. https://doi.org/10.1002/dac.2879
  29. Lu YR, Li LX, Peng HP, Yang YX. An anonymous two-factor authenticated key agreement scheme for session initiation protocol using elliptic curve cryptography. Multimed Tools Appl. 2015; 76:1801. https://doi.org/10.1007/s11042-015-3166-4
  30. Kumari S. Design flaws of “an anonymous two-factor authenticated key agreement scheme for session initiation protocol using elliptic curve cryptography”. Multimed Tools Appl. 2017; 76:13581. https://doi.org/10.1007/s11042-016-3771-x
  31. Irshad A, Sher M, Rehman E, Ch SA, Hassan MU, Ghani A. A single round-trip SIP authentication scheme for voice over internet protocol using smart card. Multimedia Tools and Applications. 2015; 74(11):1–18. https://doi.org/10.1007/s11042-013-1807-z
  32. Arshad H, Nikooghadam M. An efficient and secure authentication and key agreement scheme for session initiation protocol using ECC. Multimedia Tools Appl. 2016; 75(1):181–197. https://doi.org/10.1007/s11042-014-2282-x
  33. Lu YR, Li LX, Yang YX. Robust and efficient authentication scheme for session initiation protocol. Math Probl Eng. 2015; Article ID 894549. https://doi.org/10.1155/2015/894549
  34. Jiang Q, Ma J, Tian Y. Cryptanalysis of smart-card-based password authenticated key agreement protocol for session initiation protocol of Zhang et al. International Journal of Communication Systems. 2014; 28(7). https://doi.org/10.1002/dac.2767
  35. Azrour M, Farhaoui Y, Ouanan M. A New Secure Authentication and Key Exchange Protocol for Session Initiation Protocol Using Smart Card. International Journal of Network Security. 2017; 19(6):870–879. https://doi.org/10.6633/IJNS.201711.19(6).02
  36. Tu H, Kumar N, Chilamkurti N, Rho S. An improved authentication protocol for session initiation protocol using smart card. Peer-to-Peer Networking and Applications. 2015; 8(5):903–910. https://doi.org/10.1007/s12083-014-0248-4
  37. Farash MS. Security analysis and enhancements of an improved authentication for session initiation protocol with provable security. Peer-to-Peer Networking and Applications. 2014; 1–10. https://doi.org/10.1007/s12083-014-0315-x
  38. Chaudhry SA, Naqvi H, Sher M, Farash MS, Hassan MU. An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Networking and Applications. 2017; 10(1):1–15. https://doi.org/10.1007/s12083-015-0400-9
  39. Kumari S, Chaudhry SA, Wu F, Li X, Farash MS, Khan MK. An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Networking and Applications. 2015. https://doi.org/10.1007/s12083-015-0409-0
  40. Wang D, Wang P. Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans Depend Secur Comput. 2016. https://doi.org/10.1109/TDSC.2016.2605087
  41. Kocher P, Jaffe J, Jun B. Differential power analysis. Advances in Cryptology. 1999; 1666:388–397. https://doi.org/10.1007/3-540-48405-1_25
  42. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput. 2002; 51(5):541–552. https://doi.org/10.1109/TC.2002.1004593
  43. Wang D, He DB, Wang P, Chu C. Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Depend Secur Comput. 2015; 12(4):428–442. https://doi.org/10.1109/TDSC.2014.2355850
  44. AVISPA. Automated validation of internet security protocols and applications. http://www.avispa-project.org/ (accessed on December 2017).
  45. Dolev D, Yao A. On the security of public key protocols. IEEE Trans Inf Theory. 1983; 29(2):198–208. https://doi.org/10.1109/TIT.1983.1056650
  46. Kilinc H, Yanik T. A survey of SIP authentication and key agreement schemes. IEEE Communications Surveys and Tutorials. 2014; 16(2):1005–1023. https://doi.org/10.1109/SURV.2013.091513.00050