# A Privacy Preserving Authentication Scheme for Roaming in IoT-Based Wireless Mobile Networks


## Abstract


## 1. Introduction

#### 1.1. The Contributions

- The scheme provides provable security under the hardness of the elliptic-curve discrete logarithm problem (ECDLP) and the elliptic-curve Diffie-Hellman problem.
- The security and anonymity of the scheme are verified under the automated security model of ProVerif.
- The scheme provides authentication between the user and the foreign network with the help of the home network.
- The scheme requires less computation than the baseline scheme presented in Reference [26].

#### 1.2. Security Requirements

- The mobile roaming user should be able to change his password credentials easily and should not be required to memorize a complicated and/or long password.
- Along with the traditional security requirements, the scheme should ensure user privacy and anonymity. No insider or outsider, including foreign agents, should learn the original identity of the roaming user. Moreover, the current location of the user should not be exposed to anyone, even to a party with some previous knowledge.
- The home network should facilitate the authentication process between the user and the foreign network.
- The authentication should result in a shared secret key between the user and the foreign network for subsequent confidential communication over the insecure link.
- The scheme should, at a minimum, resist all known attacks.

#### 1.3. Adversarial Model

- The adversary (${\mathcal{MU}}_{a}$) fully controls the link and can listen to, modify and replay any message exchanged between the legitimate communicating parties. ${\mathcal{MU}}_{a}$ is also able to inject self-created false messages.
- ${\mathcal{MU}}_{a}$ can easily obtain identity-related information.
- ${\mathcal{MU}}_{a}$ knows all public parameters.
- Being an insider, ${\mathcal{MU}}_{a}$ can extract the verifier table stored in the home network database.
- The home network's private key is considered secret; no other entity can extract it.
- The pre-shared key between the home and foreign networks is assumed to be secure.

## 2. Review of the Scheme of Lu et al.

#### 2.1. Home Network Agent Setup Phase

#### 2.2. Registration Phase

- **Step LRP1:** The mobile user ${\mathcal{MU}}_{x}$ selects an identity/password pair $\{I{D}_{mx},P{W}_{mx}\}$ along with a randomly generated ${r}_{mx}$, and computes $PW{U}_{hz}=h(P{W}_{mx},{r}_{mx})$. ${\mathcal{MU}}_{x}$ sends the pair $\{I{D}_{mx},PW{U}_{hz}\}$ to ${\mathcal{HA}}_{z}$.
- **Step LRP2:** Upon reception of the pair $\{I{D}_{mx},PW{U}_{hz}\}$ from ${\mathcal{MU}}_{x}$, ${\mathcal{HA}}_{z}$ generates random ${x}_{1},{x}_{2}$ and ${r}_{mx}$, and stores $I{D}_{mx}$ and a sequence number $SNu{m}_{mx}$ against the ${i}^{th}$ registration request of ${\mathcal{MU}}_{x}$. ${\mathcal{HA}}_{z}$ then computes $PI{D}_{mx}=h(h(I{D}_{mx},{x}_{1}),{x}_{2})$, ${K}_{xz}=h(PI{D}_{mx},{S}_{h})$, ${\alpha}_{hz}={E}_{PW{U}_{hz}}\left({K}_{xz}\right)$, and ${\beta}_{hz}=h(h\left(I{D}_{mx}\right),PW{U}_{hz})$. ${\mathcal{HA}}_{z}$ sends a smart-card containing $\{{\alpha}_{hz},{\beta}_{hz},PI{D}_{mx}\}$ to ${\mathcal{MU}}_{x}$ and stores ${K}_{xz}$ in a verifier table that it maintains.
- **Step LRP3:** Upon reception of the smart-card, ${\mathcal{MU}}_{x}$ inserts ${r}_{mx}$ into it. Finally, the smart-card contains: $\{{\alpha}_{hz},{\beta}_{hz},PI{D}_{mx},{r}_{mx},h\left(\right),H\left(\right),{E}_{k},{D}_{k},Ma{c}_{k},P\}$.

#### 2.3. Login & Authentication Phase

- **Step LLA1:** After inserting the smart-card, ${\mathcal{MU}}_{x}$ inputs $I{D}_{mx}$ and $P{W}_{mx}$; the smart-card computes $PW{U}_{hz}=h(P{W}_{mx},{r}_{mx})$ and verifies $h(h\left(I{D}_{mx}\right),h({r}_{mx},PW{U}_{hz}))\stackrel{?}{=}{\beta}_{hz}$. It terminates the session if the verification fails. Otherwise, it generates a time-stamp ${T}_{1}$ and a random ${N}_{mx}$ and computes ${K}_{xz}={D}_{PW{U}_{hz}}\left({\alpha}_{hz}\right)$, ${A}_{mx}={N}_{mx}P+H({K}_{xz},I{D}_{mx},I{D}_{hz})P$, ${B}_{mx}={E}_{{K}_{xz}}(I{D}_{mx},{T}_{1},PI{D}_{mx})$ and ${C}_{mx}=Ma{c}_{{K}_{xz}}({N}_{mx}P,I{D}_{mx},{T}_{1})$. ${\mathcal{MU}}_{x}$ sends ${M}_{uf1}=\{{A}_{mx},{B}_{mx},{C}_{mx},PI{D}_{mx},{T}_{1}\}$ to ${\mathcal{FA}}_{y}$.
- **Step LLA2:** Upon reception of the request, ${\mathcal{FA}}_{y}$ checks the freshness of ${T}_{1}$ and generates a fresh time-stamp ${T}_{2}$ and a random ${N}_{fy}$. ${\mathcal{FA}}_{y}$ then computes ${A}_{fy}={N}_{fy}P+H({K}_{yz},I{D}_{fy},{T}_{2})P$, ${B}_{fy}=Ma{c}_{{\left({N}_{fy}P\right)}_{x}}(I{D}_{hz},{T}_{1})$ and sends ${M}_{fh2}=\{{M}_{uf1},{A}_{fy},{B}_{fy},{T}_{2}\}$ to ${\mathcal{HA}}_{z}$.
- **Step LLA3:** After receiving the message from ${\mathcal{FA}}_{y}$, ${\mathcal{HA}}_{z}$ verifies the freshness of ${T}_{2}$ and rejects the message if ${T}_{2}$ is not fresh. Otherwise, based on $PI{D}_{mx}$, ${\mathcal{HA}}_{z}$ extracts the corresponding shared key ${K}_{xz}$ from the verifier database and decrypts ${B}_{mx}$ to obtain $I{D}_{mx}$. ${\mathcal{HA}}_{z}$ verifies the originality of $I{D}_{mx}$ by comparing it with the one stored in the verifier tuple consisting of $I{D}_{mx}$, $PI{D}_{mx}$ and ${K}_{xz}$. Upon successful verification, ${\mathcal{HA}}_{z}$ computes ${N}_{mx}P={A}_{mx}-H({K}_{xz},I{D}_{mx},I{D}_{hz})P$ and verifies whether ${C}_{mx}\stackrel{?}{=}Ma{c}_{{K}_{xz}}({N}_{mx}P,I{D}_{mx},{T}_{1})$. Upon successful verification, ${\mathcal{HA}}_{z}$ computes ${N}_{fy}P={A}_{fy}-H({K}_{yz},I{D}_{fy},{T}_{2})P$ and then checks ${B}_{fy}\stackrel{?}{=}Ma{c}_{{\left({N}_{fy}P\right)}_{x}}(I{D}_{hz},{T}_{1})$. On success, ${\mathcal{HA}}_{z}$ updates ${K}_{yz}={K}_{yz}\oplus h(I{D}_{fy},{N}_{fy}P,{T}_{3})$ and computes ${A}_{hz}={N}_{mx}P+H\left(I{D}_{mx}\right)P+H({K}_{yz},I{D}_{hz},{N}_{fy}P)P$, ${B}_{hz}=Ma{c}_{{K}_{yz}}({N}_{fy}P,{N}_{mx}P+H(I{D}_{mx}P,{T}_{3}))$. ${\mathcal{HA}}_{z}$ also updates ${K}_{xz}={K}_{xz}\oplus h(I{D}_{mx},{N}_{mx}P,{T}_{3})$ and computes ${C}_{hz}={N}_{fy}P+H({K}_{xz},I{D}_{hz},{N}_{mx}P)P$, ${D}_{hz}=Ma{c}_{{K}_{xz}}(I{D}_{fy},{N}_{fy}P,{T}_{3},PI{D}_{mx})$. ${\mathcal{HA}}_{z}$ then sends ${M}_{hf3}=\{{A}_{hz},{B}_{hz},{C}_{hz},{D}_{hz},{T}_{3}\}$ to ${\mathcal{FA}}_{y}$ and increments $SNu{m}_{mx}$.
- **Step LLA4:** After receiving the response of ${\mathcal{HA}}_{z}$, ${\mathcal{FA}}_{y}$ checks the freshness of ${T}_{3}$. On success, ${\mathcal{FA}}_{y}$ computes ${N}_{mx}P+H\left(I{D}_{mx}\right)P={A}_{hz}-H({K}_{yz},I{D}_{hz},{N}_{fy}P)P$. ${\mathcal{FA}}_{y}$ then verifies the validity of ${B}_{hz}$ and, on success, computes ${C}_{fy}=Ma{c}_{{({N}_{mx}P+H\left(I{D}_{mx}P\right))}_{x}}(I{D}_{fy},{N}_{fy}P,{T}_{3},{T}_{4},{C}_{mx})$. The session key is computed as $SK=h\left({N}_{fy}({N}_{mx}P+H\left(I{D}_{mx}\right)P)\right)$. Then, ${\mathcal{FA}}_{y}$ sends ${M}_{fu4}=\{{C}_{fy},{C}_{hz},{D}_{hz},{T}_{3},{T}_{4}\}$ to ${\mathcal{MU}}_{x}$.
- **Step LLA5:** Upon reception, ${\mathcal{MU}}_{x}$ verifies the freshness of ${T}_{3}$ and ${T}_{4}$ and, on success, computes ${N}_{fy}P={C}_{hz}-H({K}_{xz},I{D}_{hz},{N}_{mx}P)P$. ${\mathcal{MU}}_{x}$ further checks the validity of ${D}_{hz}$ and ${C}_{fy}$; if both hold, ${\mathcal{MU}}_{x}$ computes the session key $SK=h\left(({N}_{mx}+H\left(I{D}_{mx}\right)){N}_{fy}P\right)$, ${D}_{mx}=Ma{c}_{{(({N}_{mx}+H\left(I{D}_{mx}\right))P)}_{x}}({C}_{fy},{N}_{fy}P)$ and sends ${M}_{uf5}=\{{D}_{mx},{T}_{5}\}$ to ${\mathcal{FA}}_{y}$.
- **Step LLA6:** ${\mathcal{FA}}_{y}$ verifies the freshness of ${T}_{5}$ and checks the validity of ${D}_{mx}$. If it holds, ${\mathcal{FA}}_{y}$ treats ${\mathcal{MU}}_{x}$ as a legitimate user, and further communication between ${\mathcal{FA}}_{y}$ and ${\mathcal{MU}}_{x}$ may be carried out using the shared key $SK=h\left({N}_{fy}({N}_{mx}P+H\left(I{D}_{mx}\right)P)\right)$.

## 3. Cryptanalysis of the Scheme of Lu et al.

#### 3.1. Stolen Verifier Attack

- **Step IA1:** ${\mathcal{MU}}_{a}$ generates a time-stamp ${T}_{a1}$ and a random ${N}_{ma}$, and computes: $$\begin{array}{ll} \mathrm{(1)} & {A}_{ma}={N}_{ma}P+H({K}_{xz},I{D}_{ma},I{D}_{hz})P, \\ \mathrm{(2)} & {B}_{ma}={E}_{{K}_{xz}}(I{D}_{mx},{T}_{1},PI{D}_{mx}), \\ \mathrm{(3)} & {C}_{ma}=Ma{c}_{{K}_{xz}}({N}_{ma}P,I{D}_{mx},{T}_{a1}). \end{array}$$ ${\mathcal{MU}}_{a}$ then sends the resulting request ${M}_{A1}$ to ${\mathcal{FA}}_{y}$.
- **Step IA2:** Upon reception of the request, ${\mathcal{FA}}_{y}$ checks the freshness of ${T}_{a1}$ and generates a fresh time-stamp ${T}_{2}$ and a random ${N}_{fy}$. ${\mathcal{FA}}_{y}$ then computes: $$\begin{array}{ll} \mathrm{(4)} & {A}_{fy}={N}_{fy}P+H({K}_{yz},I{D}_{fy},{T}_{2})P, \\ \mathrm{(5)} & {B}_{fy}=Ma{c}_{{\left({N}_{fy}P\right)}_{x}}(I{D}_{hz},{T}_{a1}). \end{array}$$ ${\mathcal{FA}}_{y}$ sends ${M}_{fh2}=\{{M}_{A1},{A}_{fy},{B}_{fy},{T}_{2}\}$ to ${\mathcal{HA}}_{z}$.
- **Step IA3:** After receiving the message from ${\mathcal{FA}}_{y}$, ${\mathcal{HA}}_{z}$ verifies the freshness of ${T}_{2}$ and accepts the message since ${T}_{2}$ is fresh. Based on $PI{D}_{mx}$, ${\mathcal{HA}}_{z}$ extracts ${K}_{xz}$ and $I{D}_{mx}$ from the verifier table and computes: $$\begin{array}{ll} \mathrm{(6)} & (I{D}_{mx},{T}_{a1},PI{D}_{mx})={D}_{{K}_{xz}}\left({B}_{ma}\right). \end{array}$$ ${\mathcal{HA}}_{z}$ compares the decrypted $I{D}_{mx}$ from Equation (6) with the one extracted from the verifier table. The attacker ${\mathcal{MU}}_{a}$ passes this test, as both values are the same. Now ${\mathcal{HA}}_{z}$ computes: $$\begin{array}{ll} \mathrm{(7)} & {N}_{ma}P={A}_{mx}-H({K}_{xz},I{D}_{mx},I{D}_{hz})P. \end{array}$$ ${\mathcal{HA}}_{z}$ checks: $$\begin{array}{ll} \mathrm{(8)} & {C}_{ma}\stackrel{?}{=}Ma{c}_{{K}_{xz}}({N}_{ma}P,I{D}_{mx},{T}_{a1}). \end{array}$$ ${\mathcal{HA}}_{z}$ authenticates ${\mathcal{MU}}_{x}$ on the basis of the equality in Equation (8). ${\mathcal{MU}}_{a}$ also passes this test, as all parameters used in computing ${C}_{ma}$ were accessible to ${\mathcal{MU}}_{a}$ and were used correctly when ${\mathcal{MU}}_{a}$ computed ${C}_{ma}$. Now ${\mathcal{HA}}_{z}$ computes and checks: $$\begin{array}{ll} \mathrm{(9)} & {N}_{fy}P={A}_{fy}-H({K}_{yz},I{D}_{fy},{T}_{2})P, \\ \mathrm{(10)} & {B}_{fy}\stackrel{?}{=}Ma{c}_{{\left({N}_{fy}P\right)}_{x}}(I{D}_{hz},{T}_{a1}). \end{array}$$ As ${\mathcal{FA}}_{y}$ is legitimate, it passes the check of Equation (10). Hence, ${\mathcal{HA}}_{z}$ computes: $$\begin{array}{ll} \mathrm{(11)} & {A}_{hz}={N}_{mx}P+H\left(I{D}_{mx}\right)P+H({K}_{yz},I{D}_{hz},{N}_{fy}P)P, \\ \mathrm{(12)} & {B}_{hz}=Ma{c}_{{K}_{yz}}({N}_{fy}P,{N}_{mx}P+H(I{D}_{mx}P,{T}_{3})), \\ \mathrm{(13)} & {C}_{hz}={N}_{fy}P+H({K}_{xz},I{D}_{hz},{N}_{mx}P)P, \\ \mathrm{(14)} & {D}_{hz}=Ma{c}_{{K}_{xz}}(I{D}_{fy},{N}_{fy}P,{T}_{3},PI{D}_{mx}). \end{array}$$ ${\mathcal{HA}}_{z}$ also updates the shared keys: $$\begin{array}{ll} \mathrm{(15)} & {K}_{yz}={K}_{yz}\oplus h(I{D}_{fy},{N}_{fy}P,{T}_{3}), \\ \mathrm{(16)} & {K}_{xz}={K}_{xz}\oplus h(I{D}_{mx},{N}_{ma}P,{T}_{3}). \end{array}$$
- **Step IA4:** ${\mathcal{FA}}_{y}$ checks the freshness of ${T}_{3}$ and computes: $$\begin{array}{ll} \mathrm{(17)} & {N}_{mx}P+H\left(I{D}_{mx}\right)P={A}_{hz}-H({K}_{yz},I{D}_{hz},{N}_{fy}P)P. \end{array}$$ ${\mathcal{FA}}_{y}$ then computes: $$\begin{array}{ll} \mathrm{(18)} & {C}_{fy}=Ma{c}_{{({N}_{mx}P+H\left(I{D}_{mx}P\right))}_{x}}(I{D}_{fy},{N}_{fy}P,{T}_{3},{T}_{4},{C}_{mx}), \\ \mathrm{(19)} & SK=h\left({N}_{fy}({N}_{mx}P+H\left(I{D}_{mx}\right)P)\right). \end{array}$$
- **Step IA5:** ${\mathcal{MU}}_{a}$ intercepts the message and computes: $$\begin{array}{ll} \mathrm{(20)} & {N}_{fy}P={C}_{hz}-H({K}_{xz},I{D}_{hz},{N}_{ma}P)P, \\ \mathrm{(21)} & SK=h\left(({N}_{ma}+H\left(I{D}_{mx}\right)){N}_{fy}P\right), \\ \mathrm{(22)} & {D}_{ma}=Ma{c}_{{(({N}_{ma}+H\left(I{D}_{mx}\right))P)}_{x}}({C}_{fy},{N}_{fy}P). \end{array}$$ ${\mathcal{MU}}_{a}$ generates a time-stamp ${T}_{a5}$ and sends $\{{D}_{ma},{T}_{a5}\}$ to ${\mathcal{FA}}_{y}$.
- **Step IA6:** ${\mathcal{FA}}_{y}$ verifies the freshness of ${T}_{a5}$ and checks the validity of ${D}_{ma}$. As ${T}_{a5}$ is freshly generated, it passes the test. Similarly, since ${\mathcal{MU}}_{a}$ has access to all parameters used in computing ${D}_{ma}$, it also passes the test. Therefore, ${\mathcal{MU}}_{a}$ has deceived ${\mathcal{FA}}_{y}$ and passed the authentication. Now, ${\mathcal{MU}}_{a}$ can communicate with ${\mathcal{FA}}_{y}$ on behalf of ${\mathcal{MU}}_{x}$ using the shared key $SK=h\left({N}_{fy}({N}_{ma}P+H\left(I{D}_{mx}\right)P)\right)$.

#### 3.2. Traceability

#### 3.3. Incorrectness

#### 3.4. Scalability Problem

## 4. Proposed scheme

#### 4.1. System Setup Phase

#### 4.2. Proposed Registration Phase

- **Step PRP1:** The mobile user ${\mathcal{MU}}_{x}$ selects an identity/password pair $\{I{D}_{mx},P{W}_{mx}\}$ along with a randomly generated ${r}_{mx}$, and computes $PW{U}_{hz}=h(P{W}_{mx},{r}_{mx})$. ${\mathcal{MU}}_{x}$ sends the pair $\{I{D}_{mx},PW{U}_{hz}\}$ to ${\mathcal{HA}}_{z}$.
- **Step PRP2:** Upon reception of the pair $\{I{D}_{mx},PW{U}_{hz}\}$ from ${\mathcal{MU}}_{x}$, ${\mathcal{HA}}_{z}$ computes ${U}_{hz}=h(I{D}_{mx},{S}_{h})$, ${\alpha}_{hz}={U}_{hz}\oplus PW{U}_{hz}$, and ${\beta}_{hz}=h(h\left(I{D}_{mx}\right),PW{U}_{hz})$. ${\mathcal{HA}}_{z}$ then sends a smart-card containing $\{{\alpha}_{hz},{\beta}_{hz},{P}_{h}={S}_{h}P\}$ to ${\mathcal{MU}}_{x}$.
- **Step PRP3:** Upon reception of the smart-card, ${\mathcal{MU}}_{x}$ computes ${R}_{mx}={r}_{mx}\oplus P{W}_{mx}$ and inserts ${R}_{mx}$ into it. Finally, the smart-card contains: $\{{\alpha}_{hz},{\beta}_{hz},{R}_{mx},h\left(\right),H\left(\right),{E}_{k},{D}_{k},Ma{c}_{k},{P}_{h}={S}_{h}P,P\}$.

#### 4.3. Login & Authentication Phase

- **Step PLA1:** After inserting the smart-card, ${\mathcal{MU}}_{x}$ inputs $I{D}_{mx}$ and $P{W}_{mx}$; the smart-card computes ${r}_{mx}={R}_{mx}\oplus P{W}_{mx}$ and $PW{U}_{hz}=h(P{W}_{mx},{r}_{mx})$. The smart-card then verifies $h(h\left(I{D}_{mx}\right),h({r}_{mx},PW{U}_{hz}))\stackrel{?}{=}{\beta}_{hz}$ and terminates the session if the verification fails. Otherwise, it generates a time-stamp ${T}_{1}$ and a random ${N}_{mx}$ and computes ${U}_{hz}={\alpha}_{hz}\oplus PW{U}_{hz}$, ${A}_{mx}={N}_{mx}P$, ${B}_{mx}={N}_{mx}{P}_{h}$, $PI{D}_{mx}={A}_{mx}\oplus I{D}_{mx}$ and ${C}_{mx}=Ma{c}_{{U}_{hz}}({N}_{mx}P,I{D}_{mx},{T}_{1})$. ${\mathcal{MU}}_{x}$ sends ${M}_{uf1}=\{{B}_{mx},{C}_{mx},PI{D}_{mx},{T}_{1}\}$ to ${\mathcal{FA}}_{y}$.
- **Step PLA2:** Upon reception of the request, ${\mathcal{FA}}_{y}$ checks the freshness of ${T}_{1}$ and generates a fresh time-stamp ${T}_{2}$ and a random ${N}_{fy}$. ${\mathcal{FA}}_{y}$ then computes ${A}_{fy}={N}_{fy}P+H({K}_{yz},I{D}_{fy},{T}_{2})P$, ${B}_{fy}=Ma{c}_{{\left({N}_{fy}P\right)}_{x}}(I{D}_{hz},{T}_{1})$ and sends ${M}_{fh2}=\{{M}_{uf1},{A}_{fy},{B}_{fy},{T}_{2}\}$ to ${\mathcal{HA}}_{z}$.
- **Step PLA3:** After receiving the message from ${\mathcal{FA}}_{y}$, ${\mathcal{HA}}_{z}$ verifies the freshness of ${T}_{2}$ and rejects the message if ${T}_{2}$ is not fresh. Otherwise, ${\mathcal{HA}}_{z}$ computes ${A}_{mx}={S}_{h}^{-1}{B}_{mx}$ and $I{D}_{mx}={A}_{mx}\oplus PI{D}_{mx}$. ${\mathcal{HA}}_{z}$ verifies that $I{D}_{mx}$ is a genuine identity stored in the subscriber identity table. Upon successful verification, ${\mathcal{HA}}_{z}$ computes ${U}_{hz}=h(I{D}_{mx},{S}_{h})$ and verifies ${C}_{mx}\stackrel{?}{=}Ma{c}_{{U}_{hz}}({N}_{mx}P,I{D}_{mx},{T}_{1})$. Upon successful verification, ${\mathcal{HA}}_{z}$ computes ${N}_{fy}P={A}_{fy}-H({K}_{yz},I{D}_{fy},{T}_{2})P$ and then checks ${B}_{fy}\stackrel{?}{=}Ma{c}_{{\left({N}_{fy}P\right)}_{x}}(I{D}_{hz},{T}_{1})$. On success, ${\mathcal{HA}}_{z}$ computes ${A}_{hz}={N}_{mx}P+H\left(I{D}_{mx}\right)P+H({K}_{yz},I{D}_{hz},{N}_{fy}P)P$, ${B}_{hz}=Ma{c}_{{K}_{yz}}({N}_{fy}P,{N}_{mx}P+H(I{D}_{mx}P,{T}_{3}))$. ${\mathcal{HA}}_{z}$ further computes ${C}_{hz}={N}_{fy}P+H({U}_{hz},I{D}_{hz},{N}_{mx}P)P$, ${D}_{hz}=Ma{c}_{{U}_{hz}}(I{D}_{fy},{N}_{fy}P,{T}_{3},PI{D}_{mx})$. ${\mathcal{HA}}_{z}$ then sends ${M}_{hf3}=\{{A}_{hz},{B}_{hz},{C}_{hz},{D}_{hz},{T}_{3}\}$ to ${\mathcal{FA}}_{y}$.
- **Step PLA4:** After receiving the response of ${\mathcal{HA}}_{z}$, ${\mathcal{FA}}_{y}$ checks the freshness of ${T}_{3}$. On success, ${\mathcal{FA}}_{y}$ computes ${N}_{mx}P+H\left(I{D}_{mx}\right)P={A}_{hz}-H({K}_{yz},I{D}_{hz},{N}_{fy}P)P$. ${\mathcal{FA}}_{y}$ then verifies the validity of ${B}_{hz}$ and, on success, computes ${C}_{fy}=Ma{c}_{{({N}_{mx}P+H\left(I{D}_{mx}P\right))}_{x}}(I{D}_{fy},{N}_{fy}P,{T}_{3},{T}_{4},{C}_{mx})$. The session key is computed as $SK=h\left({N}_{fy}({N}_{mx}P+H\left(I{D}_{mx}\right)P)\right)$. Then, ${\mathcal{FA}}_{y}$ sends ${M}_{fu4}=\{{C}_{fy},{C}_{hz},{D}_{hz},{T}_{3},{T}_{4}\}$ to ${\mathcal{MU}}_{x}$.
- **Step PLA5:** Upon reception, ${\mathcal{MU}}_{x}$ verifies the freshness of ${T}_{3}$ and ${T}_{4}$ and, on success, computes ${N}_{fy}P={C}_{hz}-H({U}_{hz},I{D}_{hz},{N}_{mx}P)P$. ${\mathcal{MU}}_{x}$ further checks the validity of ${D}_{hz}$ and ${C}_{fy}$; if both hold, ${\mathcal{MU}}_{x}$ computes the session key $SK=h\left(({N}_{mx}+H\left(I{D}_{mx}\right)){N}_{fy}P\right)$, ${D}_{mx}=Ma{c}_{{(({N}_{mx}+H\left(I{D}_{mx}\right))P)}_{x}}({C}_{fy},{N}_{fy}P)$ and sends ${M}_{uf5}=\{{D}_{mx},{T}_{5}\}$ to ${\mathcal{FA}}_{y}$.
- **Step PLA6:** ${\mathcal{FA}}_{y}$ verifies the freshness of ${T}_{5}$ and checks the validity of ${D}_{mx}$. If it holds, ${\mathcal{FA}}_{y}$ treats ${\mathcal{MU}}_{x}$ as a legitimate user, and further communication between ${\mathcal{FA}}_{y}$ and ${\mathcal{MU}}_{x}$ may be carried out using the shared key $SK=h\left({N}_{fy}({N}_{mx}P+H\left(I{D}_{mx}\right)P)\right)$.
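The following is an added example, not code from the paper or its authors, that makes the difference between Section 3.1 (stolen verifier) and the proposed Steps PRP2, PLA1, PLA3 and PLA4/PLA5 concrete: the home agent stores only its private key $S_h$ and an identity table, recovers $A_{mx}={S}_{h}^{-1}{B}_{mx}$ and $I{D}_{mx}$ from the request, re-derives ${U}_{hz}=h(I{D}_{mx},{S}_{h})$ on the fly and checks ${C}_{mx}$; both sides of the session-key computation are then shown to agree. Everything below the scheme's own symbols is an assumption of this example: the curve secp256k1 for ${E}_{p}(a,b)$ and $P$, SHA-256 for $h()$ and $H()$, HMAC-SHA256 for $Ma{c}_{k}$, the x-coordinate of a point as its byte encoding (so $PI{D}_{mx}={A}_{mx}\oplus I{D}_{mx}$ XORs the padded identity against that encoding), a 60 s freshness window, and the sample identity.

```python
# Added example (not the paper's code): proposed PRP2, PLA1, PLA3 and the
# PLA4/PLA5 session keys. Assumptions: secp256k1, SHA-256 for h()/H(),
# HMAC-SHA256 for Mac_k, x-coordinate bytes as the point encoding.
import hashlib
import hmac
import os
import time

# secp256k1 domain parameters (the paper fixes no particular curve)
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 mod P_MOD; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant-time; demo only)."""
    result, k = None, k % ORDER
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return result

def h(*parts):          # h(): SHA-256 over the concatenated inputs
    return hashlib.sha256(b"".join(parts)).digest()

def H(*parts):          # H(): hash reduced to a scalar, used as H(.)P
    return int.from_bytes(h(*parts), "big") % ORDER

def mac(key, *parts):   # Mac_k: HMAC-SHA256
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def pt_x(pt):           # (.)_x as 32 bytes; also the operand of PID_mx = A_mx xor ID_mx
    return pt[0].to_bytes(32, "big")

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def rand_scalar():
    return int.from_bytes(os.urandom(32), "big") % (ORDER - 1) + 1

class HomeAgent:
    """HA_z: holds S_h and an identity table only; no per-user keys to steal."""
    def __init__(self):
        self.S_h = rand_scalar()
        self.P_h = ec_mul(self.S_h, G)           # P_h = S_h P
        self.subscribers = set()

    def register(self, ID_mx):                   # PRP2: U_hz = h(ID_mx, S_h)
        self.subscribers.add(ID_mx)
        return h(ID_mx, self.S_h.to_bytes(32, "big"))

    def pla3_verify(self, msg, now=None):
        """PLA3: A_mx = S_h^-1 B_mx, ID_mx = A_mx xor PID_mx, re-derive U_hz, check C_mx."""
        B_mx, C_mx, PID_mx, T1 = msg
        now = int(time.time()) if now is None else now
        if abs(now - int.from_bytes(T1, "big")) > 60:   # freshness window (assumed)
            return None
        A_mx = ec_mul(pow(self.S_h, -1, ORDER), B_mx)
        ID_mx = xor(pt_x(A_mx), PID_mx).rstrip(b"\x00")
        if ID_mx not in self.subscribers:
            return None
        U_hz = h(ID_mx, self.S_h.to_bytes(32, "big"))   # recomputed, never stored
        if not hmac.compare_digest(mac(U_hz, pt_x(A_mx), ID_mx, T1), C_mx):
            return None
        return ID_mx, A_mx

def pla1_login(ID_mx, U_hz, P_h, N_mx=None, T1=None):
    """PLA1 on the smart-card: B_mx = N_mx P_h, PID_mx = A_mx xor ID_mx, C_mx = Mac_U_hz(...)."""
    N_mx = N_mx or rand_scalar()
    A_mx, B_mx = ec_mul(N_mx, G), ec_mul(N_mx, P_h)
    PID_mx = xor(pt_x(A_mx), ID_mx.ljust(32, b"\x00"))
    T1 = T1 or int(time.time()).to_bytes(8, "big")
    C_mx = mac(U_hz, pt_x(A_mx), ID_mx, T1)
    return (B_mx, C_mx, PID_mx, T1), N_mx

def session_keys(ID_mx, N_mx, N_fy):
    """PLA4 (FA_y side) and PLA5 (MU_x side) must derive the same SK."""
    V = ec_add(ec_mul(N_mx, G), ec_mul(H(ID_mx), G))            # N_mx P + H(ID_mx) P
    sk_fa = h(pt_x(ec_mul(N_fy, V)))                             # h(N_fy (N_mx P + H(ID_mx) P))
    sk_mu = h(pt_x(ec_mul(N_mx + H(ID_mx), ec_mul(N_fy, G))))    # h((N_mx + H(ID_mx)) N_fy P)
    return sk_fa, sk_mu

def run_demo(ID_mx=b"mu-x@home-z"):             # constructed sample identity
    ha = HomeAgent()
    U_hz = ha.register(ID_mx)
    msg, N_mx = pla1_login(ID_mx, U_hz, ha.P_h)
    accepted = ha.pla3_verify(msg)
    sk_fa, sk_mu = session_keys(ID_mx, N_mx, rand_scalar())
    forged, _ = pla1_login(ID_mx, b"\x00" * 32, ha.P_h)   # C_mx under a guessed U_hz
    return (accepted is not None and accepted[0] == ID_mx,
            sk_fa == sk_mu, ha.pla3_verify(forged) is None)
```

`run_demo()` returns `(True, True, True)`: a registered user passes PLA3, the FA-side and MU-side session keys match, and a request whose MAC was built under a guessed ${U}_{hz}$ is rejected. Because ${U}_{hz}$ is recomputed from $I{D}_{mx}$ and ${S}_{h}$ at each login, the only table ${\mathcal{HA}}_{z}$ keeps is the list of identities, which is why the stolen-verifier path of Section 3.1 has nothing to extract here.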

## 5. Security Analysis

#### 5.1. Formal Security Analysis

**Definition 1.**

**Definition 2.**

**Definition 3.**

- $Reveal\phantom{\rule{4pt}{0ex}}1$: Given a cipher-text $CP=EN{C}_{key}\left(k\right)$, this oracle unconditionally outputs the plain-text k.
- $Reveal\phantom{\rule{4pt}{0ex}}2$: Given the public values $yP$ and P, this oracle unconditionally outputs the integer y.
- $Reveal\phantom{\rule{4pt}{0ex}}3$: Given a hash value O, this oracle outputs the corresponding input y.

**Theorem 1.**

**Proof.**

**Theorem 2.**

**Proof.**

#### 5.2. Automated Security Analysis with ProVerif

#### 5.3. Security Requirements

#### 5.3.1. Mutual Authentication

#### 5.3.2. Correctness

#### 5.3.3. User Anonymity/Untraceability

#### 5.3.4. Perfect Forward Secrecy

#### 5.3.5. User Forgery Attack

#### 5.3.6. Stolen Verifier and Insider Attack

#### 5.3.7. Stolen Smart-Card Attack

#### 5.3.8. Known Session-Specific Parameters Attack

## 6. Performance Comparisons

- ${T}_{hm}$: Computation time for a hash/MAC operation
- ${T}_{ed}$: Computation time for a symmetric encryption/decryption
- ${T}_{pme}$: Computation time for a scalar multiplication of a point over ${E}_{p}(a,b)$
- ${T}_{pae}$: Computation time for an addition of two points over ${E}_{p}(a,b)$
- ${T}_{me}$: Computation time for a modular exponentiation
- ${T}_{pb}$: Computation time for a bilinear pairing
- ${T}_{mtp}$: Computation time for a map-to-point hash

## 7. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. He, D.; Kumar, N.; Khan, M.K.; Lee, J. Anonymous two-factor authentication for consumer roaming service in global mobility networks. IEEE Trans. Consum. Electron. 2013, 59, 811–817.
2. Li, X.; Liu, S.; Wu, F.; Kumari, S.; Rodrigues, J.J.P.C. Privacy Preserving Data Aggregation Scheme for Mobile Edge Computing Assisted IoT Applications. IEEE Internet Things J. 2019, 6, 4755–4763.
3. Wei, F.; Vijayakumar, P.; Jiang, Q.; Zhang, R. A Mobile Intelligent Terminal Based Anonymous Authenticated Key Exchange Protocol for Roaming Service in Global Mobility Networks. IEEE Trans. Sustain. Comput. 2018, 1–1.
4. Jiang, Y.; Lin, C.; Shen, X.; Shi, M. Mutual Authentication and Key Exchange Protocols for Roaming Services in Wireless Mobile Networks. IEEE Trans. Wirel. Commun. 2006, 5, 2569–2577.
5. Jo, H.J.; Paik, J.H.; Lee, D.H. Efficient Privacy-Preserving Authentication in Wireless Mobile Networks. IEEE Trans. Mob. Comput. 2014, 13, 1469–1481.
6. Hsu, R.; Lee, J.; Quek, T.Q.S.; Chen, J. GRAAD: Group Anonymous and Accountable D2D Communication in Mobile Networks. IEEE Trans. Inf. Forensics Secur. 2018, 13, 449–464.
7. Alezabi, K.A.; Hashim, F.; Hashim, S.J.; Ali, B.M. An efficient authentication and key agreement protocol for 4G (LTE) networks. In Proceedings of the 2014 IEEE Region 10 Symposium, Kuala Lumpur, Malaysia, 14–16 April 2014; pp. 502–507.
8. Mun, H.; Han, K.; Lee, Y.S.; Yeun, C.Y.; Choi, H.H. Enhanced secure anonymous authentication scheme for roaming service in global mobility networks. Math. Comput. Model. 2012, 55, 214–222.
9. Goutham Reddy, A.; Yoon, E.; Das, A.K.; Yoo, K. Lightweight authentication with key-agreement protocol for mobile network environment using smart cards. IET Inf. Secur. 2016, 10, 272–282.
10. El Idrissi, Y.E.H.; Zahid, N.; Jedra, M. An Efficient Authentication Protocol for 5G Heterogeneous Networks. In Ubiquitous Networking; Sabir, E., García Armada, A., Ghogho, M., Debbah, M., Eds.; Springer International Publishing: Cham, Switzerland, 2017; pp. 496–508.
11. Su, C.; Santoso, B.; Li, Y.; Deng, R.H.; Huang, X. Universally Composable RFID Mutual Authentication. IEEE Trans. Dependable Secur. Comput. 2017, 14, 83–94.
12. Li, X.; Niu, J.; Kumari, S.; Wu, F.; Choo, K.K.R. A robust biometrics based three-factor authentication scheme for Global Mobility Networks in smart city. Future Gener. Comput. Syst. 2018, 83, 607–618.
13. He, D.; Chen, C.; Chan, S.; Bu, J. Secure and Efficient Handover Authentication Based on Bilinear Pairing Functions. IEEE Trans. Wirel. Commun. 2012, 11, 48–53.
14. Jiang, Q.; Ma, J.; Li, G.; Yang, L. An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks. Wirel. Pers. Commun. 2013, 68, 1477–1491.
15. Zhu, J.; Ma, J. A new authentication scheme with anonymity for wireless environments. IEEE Trans. Consum. Electron. 2004, 50, 231–235.
16. Tsai, J.L.; Lo, N.W.; Wu, T.C. Secure Handover Authentication Protocol Based on Bilinear Pairings. Wirel. Pers. Commun. 2013, 73, 1037–1047.
17. Chang, C.C.; Lee, C.Y.; Chiu, Y.C. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Comput. Commun. 2009, 32, 611–618.
18. Chaudhry, S.A.; Albeshri, A.; Xiong, N.; Lee, C.; Shon, T. A privacy preserving authentication scheme for roaming in ubiquitous networks. Clust. Comput. 2017, 20, 1223–1236.
19. Chen, C.M.; Xiang, B.; Liu, Y.; Wang, K.H. A secure authentication protocol for internet of vehicles. IEEE Access 2019, 7, 12047–12057.
20. Chen, C.M.; Wang, K.H.; Yeh, K.H.; Xiang, B.; Wu, T.Y. Attacks and solutions on a three-party password-based authenticated key exchange protocol for wireless communications. J. Ambient Intell. Humaniz. Comput. 2019, 10, 3133–3142.
21. Wang, D.; Wang, P. On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions. Comput. Netw. 2014, 73, 41–57.
22. Youn, T.; Park, Y.; Lim, J. Weaknesses in an Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks. IEEE Commun. Lett. 2009, 13, 471–473.
23. Kim, J.S.; Kwak, J. Improved secure anonymous authentication scheme for roaming service in global mobility networks. Int. J. Secur. Its Appl. 2012, 6, 45–54.
24. Lee, H.; Lee, D.; Moon, J.; Jung, J.; Kang, D.; Kim, H.; Won, D. An improved anonymous authentication scheme for roaming in ubiquitous networks. PLoS ONE 2018, 13, e0193366.
25. Gope, P.; Hwang, T. Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks. IEEE Syst. J. 2015, 10, 1370–1379.
26. Lu, Y.; Xu, G.; Li, L.; Yang, Y. Robust Privacy-Preserving Mutual Authenticated Key Agreement Scheme in Roaming Service for Global Mobility Networks. IEEE Syst. J. 2019, 1–12.
27. Eisenbarth, T.; Kasper, T.; Moradi, A.; Paar, C.; Salmasizadeh, M.; Shalmani, M. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. In Advances in Cryptology, CRYPTO 2008; Wagner, D., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5157, pp. 203–220.
28. Dolev, D.; Yao, A.C. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208.
29. He, D.; Zeadally, S.; Kumar, N.; Lee, J.H. Anonymous Authentication for Wireless Body Area Networks With Provable Security. IEEE Syst. J. 2016, 11, 2590–2601.
30. He, D.; Kumar, N.; Shen, H.; Lee, J.H. One-to-many authentication for access control in mobile pay-TV systems. Sci. China Inf. Sci. 2016, 59, 052108.
31. Kumari, S.; Li, X.; Wu, F.; Das, A.K.; Arshad, H.; Khan, M.K. A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps. Future Gener. Comput. Syst. 2016, 63, 56–75.
32. Hoffstein, J. An introduction to cryptography. In An Introduction to Mathematical Cryptography; Springer: Berlin/Heidelberg, Germany, 2008; pp. 1–523.
33. Bellare, M.; Rogaway, P. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS93, Fairfax, VA, USA, 3–5 November 1993; pp. 62–73.
34. Xie, Q.; Hwang, L. Security enhancement of an anonymous roaming authentication scheme with two-factor security in smart city. Neurocomputing 2019, 347, 131–138.
35. Mansoor, K.; Ghani, A.; Chaudhry, S.A.; Shamshirband, S.; Ghayyur, S.A.K.; Mosavi, A. Securing IoT-Based RFID Systems: A Robust Authentication Protocol Using Symmetric Cryptography. Sensors 2019, 19, 4752.
36. Ghani, A.; Mansoor, K.; Mehmood, S.; Chaudhry, S.A.; Rahman, A.U.; Najmus Saqib, M. Security and key management in IoT-based wireless sensor networks: An authentication protocol using symmetric key. Int. J. Commun. Syst. 2019, 32, e4139.
37. Kilinc, H.; Yanik, T. A Survey of SIP Authentication and Key Agreement Schemes. IEEE Commun. Surv. Tutor. 2014, 16, 1005–1023.

| Notation | Definition |
|---|---|
| ${\mathcal{MU}}_{x}$, ${\mathcal{HA}}_{z}$, ${\mathcal{FA}}_{y}$ | Mobile node, home network, foreign network |
| $I{D}_{mx}$, $I{D}_{hz}$, $I{D}_{fy}$ | Identities of ${\mathcal{MU}}_{x}$, ${\mathcal{HA}}_{z}$ and ${\mathcal{FA}}_{y}$ |
| $P{W}_{mx}$, $PW{U}_{hz}$ | Password and concealed password of ${\mathcal{MU}}_{x}$ |
| ${K}_{xz}$, ${K}_{yz}$ | Shared keys between ${\mathcal{MU}}_{x}$, ${\mathcal{HA}}_{z}$ and between ${\mathcal{FA}}_{y}$, ${\mathcal{HA}}_{z}$ |
| ${E}_{p}(a,b)$, P | Elliptic curve and a base point on the curve |
| ${S}_{h}$, ${P}_{h}={S}_{h}P$ | Private and public key pair of ${\mathcal{HA}}_{z}$ |
| ${E}_{k}/{D}_{k}$ | Symmetric encryption/decryption |
| $h\left(\right)$, $H\left(\right)$ | Two one-way hash functions |
| ${\left(\right)}_{x}$, ⊕ | x-coordinate of an EC point, exclusive-OR |
| $Ma{c}_{k}$ | Keyed MAC |

| Feature / Scheme | [9] | [12] | [14] | [25] | [26] | Our |
|---|---|---|---|---|---|---|
| Mutual Authentication | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Correctness | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| User Anonymity/Untraceability | ✗ | ✓ | ✓ | ✓ | ✗ | ✓ |
| Perfect Forward Secrecy | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |
| Resists User Forgery | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| Resists Stolen Verifier | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| Resists Insiders | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ |
| Resists Stolen Smart-Card | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| Resists Known Session Parameters | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |

| Scheme | ${\mathcal{MU}}_{x}$ | ${\mathcal{FA}}_{y}$ | ${\mathcal{HA}}_{z}$ | Total | Time (ms) |
|---|---|---|---|---|---|
| [9] | $10{T}_{hm}+2{T}_{pme}$ | $4{T}_{hm}+2{T}_{pme}$ | $4{T}_{hm}$ | $18{T}_{hm}+4{T}_{pme}$ | $8.9454$ |
| [12] | $5{T}_{pme}+1{T}_{pae}+7{T}_{hm}+1{T}_{mtp}+1{T}_{pb}$ | $3{T}_{pme}+1{T}_{pb}+5{T}_{hm}$ | $2{T}_{pme}+5{T}_{hm}$ | $10{T}_{pme}+1{T}_{pae}+17{T}_{hm}+2{T}_{pb}+1{T}_{mtp}$ | $34.936$ |
| [14] | $3{T}_{hm}+1{T}_{me}$ | $4{T}_{hm}$ | $5{T}_{hm}+1{T}_{me}$ | $12{T}_{hm}+2{T}_{me}$ | $7.7276$ |
| [25] | $6{T}_{hm}$ | $5{T}_{hm}$ | $10{T}_{hm}$ | $21{T}_{hm}$ | $0.0483$ |
| [26] | $10{T}_{hm}+5{T}_{pme}+3{T}_{pae}+2{T}_{ed}$ | $6{T}_{hm}+4{T}_{pme}+2{T}_{pae}$ | $9{T}_{hm}+6{T}_{pme}+5{T}_{pae}+1{T}_{ed}$ | $25{T}_{hm}+15{T}_{pme}+10{T}_{pae}+3{T}_{ed}$ | $33.7493$ |
| Our | $9{T}_{hm}+5{T}_{pme}+2{T}_{pae}$ | $6{T}_{hm}+4{T}_{pme}+2{T}_{pae}$ | $8{T}_{hm}+5{T}_{pme}+3{T}_{pae}$ | $23{T}_{hm}+14{T}_{pme}+7{T}_{pae}$ | $31.8946$ |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Alzahrani, B.A.; Chaudhry, S.A.; Barnawi, A.; Al-Barakati, A.; Alsharif, M.H.
A Privacy Preserving Authentication Scheme for Roaming in IoT-Based Wireless Mobile Networks. *Symmetry* **2020**, *12*, 287.
https://doi.org/10.3390/sym12020287
