A secure and efficient mutual authentication scheme for session initiation protocol

The Session Initiation Protocol (SIP) as the core signaling protocol for multimedia services is receiving much attention. Authentication is becoming increasingly crucial issue when a user asks to use SIP services. Many authentication schemes for the SIP have been proposed. Very recently, Zhang et al. has presented an authentication scheme for SIP and claimed their scheme could overcome various attacks while maintaining efficiency. In this research, we illustrate that their scheme is susceptible to the insider attack and does not provide proper mutual authentication. We then propose a modified secure mutual authentication scheme to conquer the security flaws in Zhang et al.’s scheme. Through the informal and formal security analyses, we demonstrate that our scheme is resilient possible known attacks including the attacks found in Zhang et al.’s scheme. In addition, the performance analysis shows that our scheme has better efficiency in comparison with other related ECC-based authentication schemes for SIP.     

A secure authentication scheme with anonymity for session initiation protocol using elliptic curve cryptography

As a signaling protocol for controlling communication on the internet, establishing, maintaining, and terminating the sessions, the Session Initiation Protocol (SIP) is widely used in the world of multimedia communication. To ensure communication security, many authentication schemes for the SIP have been proposed. However, those schemes cannot ensure user privacy since they cannot provide user anonymity. To overcome weaknesses in those authentication schemes with anonymity for SIP, we propose an authentication scheme with anonymity using elliptic curve cryptograph. By a sophisticated analysis of the security of the proposed protocol, we show that the proposed scheme not only overcomes weaknesses in previous schemes but also is very efficient. Therefore, it is suitable for applications with higher security requirements.     

Cryptanalysis of Arshad et al.’s ECC-based mutual authentication scheme for session initiation protocol

Session Initiation Protocol (SIP) has been widely used in the current Internet protocols such as Hyper Text Transport Protocol (HTTP) and Simple Mail Transport Protocol (SMTP). However, the original SIP authentication scheme was insecure and many researchers tried to propose schemes to overcome the flaws. In the year 2011, Arshad et al. proposed a SIP authentication protocol using elliptic curve cryptography (ECC), but their scheme suffered from off-line password guessing attack along with password change pitfalls. To conquer the mentioned weakness, we proposed an ECC-based authentication scheme for SIP. Our scheme only needs to compute four elliptic curve scale multiplications and two hash-to-point operations, and maintains high efficiency. The analysis of security of the ECC-based protocol shows that our scheme is suitable for the applications with higher security requirement.     

A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card

The Session Initiation Protocol (SIP) is a signaling communications protocol, which has been chosen for controlling multimedia communication in 3G mobile networks. The proposed authentication in SIP is HTTP digest based authentication. Recently, Tu et al. presented an improvement of Zhang et al.’s smart card-based authenticated key agreement protocol for SIP. Their scheme efficiently resists password guessing attack. However, in this paper, we analyze the security of Tu et al.’s scheme and demonstrate their scheme is still vulnerable to user’s impersonation attack, server spoofing attack and man-in-the middle attack. We aim to propose an efficient improvement on Tu et al.’s scheme to overcome the weaknesses of their scheme, while retaining the original merits of their scheme. Through the rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks including the attacks found in Tu et al.’s scheme. Furthermore, we simulate our scheme for the formal security analysis using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks including the replay and man-in-the-middle attacks. Additionally, the proposed scheme is comparable in terms of the communication and computational overheads with Tu et al.’s scheme and other related existing schemes.     

一种基于ECC的SIP认证方案的提出与实现

随着会话发起协议（SIP）应用领域的不断扩大，SIP实体间通讯的安全问题成为了亟待解决的热点问题。对SIP的安全方案进行了讨论，分析了进行安全认证的方法，在此基础之上提出了一种新的基于椭圆曲线密码学（ECC）的认证方案，保证了SIP消息传输过程中完整性、机密性和不可抵赖性。     

Cryptanalysis and improvement of a robust smart card secured authentication scheme on SIP using elliptic curve cryptography

The session initiation protocol (SIP) has been receiving a lot of attention to provide security in the Voice over IP (VoIP) in Internet and mobility management. Recently, Yeh et al. proposed a smart card-based authentication scheme for SIP using elliptic curve cryptography (ECC). They claimed that their scheme is secure against known security attacks. However, in this paper, we indicate that Yeh et al.’s scheme is vulnerable to off-line password guessing attack, user impersonation attack and server impersonation attack, in the case that the smart card is stolen and the information stored in the smart card is disclosed. As a remedy, we also propose an improved smart card-based authentication scheme which not only conquers the security weaknesses of the related schemes but also provides a reduction in computational cost. The proposed scheme also provides the user anonymity and untraceability, and allows a user to change his/her password without informing the remote server. To show the security of our protocol, we prove its security the random oracle model.     

Provably secure authenticated key agreement scheme for distributed mobile cloud computing services

With the rapid development of mobile cloud computing, the security becomes a crucial part of communication systems in a distributed mobile cloud computing environment. Recently, in 2015, Tsai and Lo proposed a privacy-aware authentication scheme for distributed mobile cloud computing services. In this paper, we first analyze the Tsai–Lo’s scheme and show that their scheme is vulnerable to server impersonation attack, and thus, their scheme fails to achieve the secure mutual authentication. In addition, we also show that Tsai–Lo’s scheme does not provide the session-key security (SK-security) and strong user credentials’ privacy when ephemeral secret is unexpectedly revealed to the adversary. In order to withstand these security pitfalls found in Tsai–Lo’s scheme, we propose a provably secure authentication scheme for distributed mobile cloud computing services. Through the rigorous security analysis, we show that our scheme achieves SK-security and strong credentials’ privacy and prevents all well-known attacks including the impersonation attack and ephemeral secrets leakage attack. Furthermore, we simulate our scheme for the formal security analysis using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, and show that our scheme is secure against passive and active attacks including the replay and man-in-the-middle attacks. More security functionalities along with reduced computational costs for the mobile users make our scheme more appropriate for the practical applications as compared to Tsai–Lo’s scheme and other related schemes. Finally, to demonstrate the practicality of the scheme, we evaluate the proposed scheme using the broadly-accepted NS-2 network simulator.     

基于秘密共享的SIP身份认证方案

SIP以其灵活的部署特性,为多媒体会话带来了便利。但由于协议本身对安全机制的考量较少,其面临的安全威胁也很多样。本文着重研究了SIP身份认证的安全方案,结合现有的公钥认证体制,提出了一种基于(2,2)秘密共享加密方案的SIP身份认证方案,实现了通信双方的双向身份认证,同时也实现了会话密钥的分发。     

Elliptic curve cryptography based mutual authentication scheme for session initiation protocol

The Session Initiation Protocol (SIP) is the most widely used signaling protocol for controlling communication on the internet, establishing, maintaining, and terminating the sessions. The services that are enabled by SIP are equally applicable in the world of multimedia communication. Recently, Tsai proposed an efficient nonce-based authentication scheme for SIP. In this paper, we do a cryptanalysis of Tsai’s scheme and show that Tsai’s scheme is vulnerable to the password guessing attack and stolen-verifier attack. Furthermore, Tsai’s scheme does not provide known-key secrecy and perfect forward secrecy. We also propose a novel and secure mutual authentication scheme based on elliptic curve discrete logarithm problem for SIP which is immune to the presented attacks.     

Design of a password-based authenticated key exchange protocol for SIP

The Session Initiation Protocol (SIP) is a signaling communications protocol, which has been chosen for controlling multimedia communication in 3G mobile networks. In recent years, password-based authenticated key exchange protocols are designed to provide strong authentication for SIP. In this paper, we address this problem in two-party setting where the user and server try to authenticate each other, and establish a session key using a shared password. We aim to propose a secure and anonymous authenticated key exchange protocol, which can achieve security and privacy goal without increasing computation and communication overhead. Through the analysis, we show that the proposed protocol is secure, and has computational and computational overheads comparable to related authentication protocols for SIP using elliptic curve cryptography. The proposed protocol is also provably secure in the random oracle model.     

基于SIP协议的3G网络安全认证机制

简要说明了SIP协议的消息格式和会话建立的实现过程,分析了3G网络中目前存在的攻击类型和潜在的安全威胁,同时提出了SIP关于隐私和机密保护的主要方法,即加密算法和安全认证机制的紧密结合。主要讨论在3G网络应用层中作为信令协议的SIP的安全认证机制,包括当前一些基本的认证算法和认证类型以及一些改进的认证机制。最后指出一些能够提高3G网络安全性的在认证方面的新领域。     

An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks

User authentication with unlinkability is one of the corner stone services for many security and privacy services which are required to secure communications in wireless sensor networks (WSNs). Recently, Xue et al. proposed a temporal-credential-based mutual authentication and key agreement scheme for WSNs, and claimed that their scheme achieves identity and password protection, and the resiliency of stolen smart card attacks. However, we observe that Xue et al.’s scheme is subject to identity guessing attack, tracking attack, privileged insider attack and weak stolen smart card attack. In order to fix the drawbacks, we propose an enhanced authentication scheme with unlinkability. Additionally, the proposed scheme further cuts the computational cost. Therefore, the proposed scheme not only remedies its security flaws but also improves its performance. It is more suitable for practical applications of WSNs than Xue et al.’s scheme.     

Robust smart card secured authentication scheme on SIP using Elliptic Curve Cryptography

Recently, Voice over Internet Protocol (VoIP) has been one of the more popular applications in Internet technology. For VoIP and other IP applications, issues surrounding Session Initiation Protocol (SIP) have received significant attention. SIP is a widely used signaling protocol and is capable of operating on Internet Telephony, typically using Hyper Text Transport Protocol (HTTP) digest authentication protocol. Authentication is becoming increasingly crucial because it accesses the server when a user asks to use SIP services. In this paper, we concentrate on the security flaws in the current SIP authentication procedure. We propose a secure ECC-based authentication mechanism to conquer many forms of attacks in previous schemes. By a sophisticated analysis of the security of the ECC-based protocol, we show that it is suitable for applications with higher security requirements.     

A privacy preserving three-factor authentication protocol for e-Health clouds

E-Health clouds are gaining increasing popularity by facilitating the storage and sharing of big data in healthcare. However, such an adoption also brings about a series of challenges, especially, how to ensure the security and privacy of highly sensitive health data. Among them, one of the major issues is authentication, which ensures that sensitive medical data in the cloud are not available to illegal users. Three-factor authentication combining password, smart card and biometrics perfectly matches this requirement by providing high security strength. Recently, Wu et al. proposed a three-factor authentication protocol based on elliptic curve cryptosystem which attempts to fulfill three-factor security and resist various existing attacks, providing many advantages over existing schemes. However, we first show that their scheme is susceptible to user impersonation attack in the registration phase. In addition, their scheme is also vulnerable to offline password guessing attack in the login and password change phase, under the condition that the mobile device is lost or stolen. Furthermore, it fails to provide user revocation when the mobile device is lost or stolen. To remedy these flaws, we put forward a robust three-factor authentication protocol, which not only guards various known attacks, but also provides more desired security properties. We demonstrate that our scheme provides mutual authentication using the Burrows–Abadi–Needham logic.     

对TAKASIP协议的分析和改进

会话初始化协议(SIP)提供了认证和协商会话密钥,能保证后续会话的安全。2010年,Yoon等(YOON E-J,YOO K-Y.A three-factor authenticated key agreement scheme for SIP on elliptic curves.NSS'10:4th International Conference on Network and System Security.Piscataway:IEEE,2010:334-339)提出一种新的三要素SIP认证密钥协商协议TAKASIP。但TAKASIP协议不能抵抗内部攻击、服务器伪装攻击、离线口令猜测攻击、身份冒充攻击和丢失标记攻击,并且没有提供双向认证。在TAKASIP协议基础上提出一种基于椭圆曲线密码三要素SIP认证协议ETAKASIP以解决上述问题。ETAKASIP基于椭圆曲线离散对数难题和椭圆曲线密码系统,提供了高安全性。该协议只需7次椭圆曲线点乘运算、1次椭圆曲线加法运算和最高6次哈希运算,有较高的运算效率。     

基于信任域的SIP认证机制

会话初始协议（SIP）在设计之初没有考虑太多安全问题,其安全隐患十分严重。针对上述问题,介绍SIP协议的安全特性,针对其可能受到的安全威胁,讨论SIP协议的安全机制问题。在“信任域”的基础上提出一个完善的SIP安全认证机制,描述方案的具体应用场景,并指出SIP认证机制的进一步研究方向。     

On the Privacy of Khan et al.'s Dynamic ID-Based Remote Authentication Scheme with User Anonymity

Abstract

Very recently, Khan, Kim, and Alghathbar [6] proposed a dynamic ID-based remote user authentication scheme and claimed that their scheme can provide user anonymity. However, in this article, the authors demonstrate that either a malicious user or an adversary with a valid smart card can trace any user by eavesdropping on his normal authentication session over the public channel. Therefore, Khan et al.'s scheme fails to provide the privacy service as claimed. Hence, the authors present an improved scheme to overcome its flaw and examine the privacy of the improved scheme by using the smart card-based privacy model. In addition, the security and efficiency of the improved scheme are scrutinized. The conclusive result is that the design of the improved scheme is reasonable in not only both privacy and security aspects but also the performance aspect.     

An efficient client–client password-based authentication scheme with provable security

Recently, Tso proposed a three-party password-based authenticated key exchange (3PAKE) protocol. This protocol allows two clients to authenticate each other and establish a secure session key through a server over an insecure channel. The main security goals of such protocols are authentication and privacy. However, we show that Tso’s protocol achieves neither authentication goal nor privacy goal. In this paper, we indicate that the privacy and authentication goals of Tso’s protocol will be broken by off-line password guessing attack and impersonation attack, respectively. To overcome the weaknesses, we propose an improved 3PAKE protocol to achieve more security and performance than related protocols. The security of the proposed improved protocol is proved in random oracle model.     

Two robust remote user authentication protocols using smart cards

With the rapid growth of electronic commerce and enormous demand from variants of Internet based applications, strong privacy protection and robust system security have become essential requirements for an authentication scheme or universal access control mechanism. In order to reduce implementation complexity and achieve computation efficiency, design issues for efficient and secure password based remote user authentication scheme have been extensively investigated by research community in these two decades. Recently, two well-designed password based authentication schemes using smart cards are introduced by Hsiang and Shih (2009) and Wang et al. (2009), respectively. Hsiang et al. proposed a static ID based authentication protocol and Wang et al. presented a dynamic ID based authentication scheme. The authors of both schemes claimed that their protocol delivers important security features and system functionalities, such as mutual authentication, data security, no verification table implementation, freedom on password selection, resistance against ID-theft attack, replay attack and insider attack, as well as computation efficiency. However, these two schemes still have much space for security enhancement. In this paper, we first demonstrate a series of vulnerabilities on these two schemes. Then, two enhanced protocols with corresponding remedies are proposed to eliminate all identified security flaws in both schemes.     

A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography

The use of e-payment system for electronic trade is on its way to make daily life more easy and convenient. Contrarily, there are a number of security issues to be addressed, user anonymity and fair exchange have become important concerns along with authentication, confidentiality, integrity and non-repudiation. In a number of existing e-payment schemes, the customer pays for the product before acquiring it. Furthermore, many such schemes require very high computation and communication costs. To address such issues recently Yang et al. proposed an authenticated encryption scheme and an e-payment scheme based on their authenticated encryption. They excluded the need of digital signatures for authentication. Further they claimed their schemes to resist replay, man-in-middle, impersonation and identity theft attack while providing confidentiality, authenticity, integrity and privacy protection. However our analysis exposed that Yang et al.’s both authenticated encryption scheme and e-payment system are vulnerable to impersonation attack. An adversary just having knowledge of public parameters can easily masquerade as a legal user. Furthermore, we proposed improved authenticated encryption and e-payment schemes to overcome weaknesses of Yang et al.’s schemes. We prove the security of our schemes using automated tool ProVerif. The improved schemes are more robust and more lightweight than Yang et al.’s schemes which is evident from security and performance analysis.