This section presents the automated formal security validation of the proposed algorithm using the popular tool ProVerif, together with a proof under the hardness assumptions of the ECDLP, the collision resistance of the one-way hash function, and the security of the symmetric encryption algorithm. The section then gives an informal discussion of the required security properties, supplemented by a comparison of security features with existing related schemes.
5.1. Formal Security Analysis
For the purpose of the formal security analysis of our protocol, we define the formal interpretations of indistinguishability under chosen cipher-text attack (IDN-CCA) for the symmetric cryptographic algorithm, of the collision-resistant secure hash function, and of the ECDLP as follows:
Definition 1. Given the symmetric-key algorithm and the cipher-text , the IDN-CCA problem is considered hard if , where denotes the advantage of an in finding the string (from the set of plain-texts) of the antecedent messages from the given (from the set of cipher-texts) and the symmetric-key algorithm whose key (from the set of enc/dec keys) is unknown, for any sufficiently small .

Definition 2. Given an elliptic curve point over , the ECDLP is considered hard if , where denotes the advantage of an in discovering the integer from the given G and P, for any sufficiently small .

Definition 3. Given the output , inverting the hash function is considered hard if , where denotes the advantage of an in extracting the input from the given , for any sufficiently small .

For the formal security analysis, we define the following random oracles :
: This oracle unconditionally outputs the plain-text k from the given cipher-text .
: This oracle unconditionally outputs the integer y from the publicly given values and P.
: This oracle outputs the input y from the given hash value O.
Under the assumption that the symmetric cryptographic algorithm is secure, the enhanced protocol is provably secure in the random oracle model against a probabilistic polynomial-time bounded attacker for extracting the identity of the mobile user.
Let be the experiment for the attacker , a probabilistic polynomial-time bounded attacker with the capability to extract the user's ID. We define the success probability of as . Then the advantage of is defined as , where the maximum is taken over all attackers with execution time and number of queries made to the Reveal1 oracle. The enhanced protocol is provably secure in the random oracle model against an attacker extracting the of the mobile user if , for any sufficiently small . Consider the experiment described in : can successfully extract the of the mobile user if he is able to break the security of the symmetric encryption/decryption algorithm. However, according to Definition 1, we have , for any sufficiently small . Thus, we get , since depends on . Hence, we conclude that the enhanced protocol is secure against an extracting the of the mobile user . □
Under the assumption that the hash function closely behaves as a random oracle, the enhanced protocol is provably secure against a probabilistic polynomial-time bounded attacker for extracting the session key between the user and the foreign agent.
Let be the experiment for the attacker , a probabilistic polynomial-time bounded attacker with the capability to extract the random numbers used in computing the between the user and the foreign agent. We define the success probability of as . Then the advantage of is defined as , where the maximum is taken over all attackers with execution time and numbers of queries made to the Reveal2 oracle and made to the Reveal3 oracle. The enhanced protocol is provably secure in the random oracle model against for the hash values of the session key if , for any sufficiently small . Consider the experiment shown in : can successfully extract the hash values of the session key if he is able to invert the hash function and solve the . However, by Definition 2 and Definition 3, , , for any sufficiently small , . Thus, we get , since depends on and . Hence, we conclude that the enhanced protocol is provably secure against an attacker extracting the session key between the user and the foreign agent. □
5.2. Automated Security Analysis with ProVerif
We chose the prevailing software tool ProVerif [34] for performing an automated security analysis. ProVerif is built on the concept of the applied pi calculus. It is able to model and verify many cryptographic operations, such as encryption/decryption, symmetric/asymmetric cryptosystems, hashes, signatures, etc., and it can verify the properties of secrecy and authenticity. The complete protocol as given in Figure 2 is implemented and verified in ProVerif. Three channels, as shown in Figure 3a, are introduced in the implementation. The secure channel sch1 is dedicated to the registration between the mobile user and the home agent, whereas the two public channels pch2 and pch3 are introduced for the communication of the mobile user and the home agent with the foreign agent. The variables and constants are also defined in Figure 3a. To keep the mobile user anonymous, its identity IDmx is kept private, whereas the identities of the home and foreign agents, i.e., IDhz and IDfy, respectively, are public. The mobile user's password PWmx and the shared keys Kxz and Kyz, between mobile user and home agent and between foreign agent and home agent, respectively, are private. Sh and Ph are the private/public key pair of the home agent. Constructors are specified to model the cryptographic operations and functions; destructors and equations are then specified to model inversion and decryption.
Every participant is described through two events, a begin event and an end event. Authenticity of the protocol is established by exposing the relationship between the begin and end events of the related process initiated by the specific participant. If the end event is not reached, the protocol terminated unsuccessfully and the scheme is incorrect. In Figure 3b, three distinct processes are implemented and simulated on behalf of the three participants. These processes are pMuser, pHagt, and pFagt, which are defined and implemented as shown in Figure 2 and described in Section 4. The proposed scheme is simulated as an unbounded parallel execution of the user, home, and foreign network processes.
The following four queries are defined in Figure 3c to verify the security and correctness of our protocol. The query attacker simulates an actual attack attempting to expose the session key, whereas the other three inj-event queries correspond to the begin and end events of the three processes, i.e., user, home, and foreign networks. If any of these queries results in false, the scheme is incorrect. The abilities of an attacker are evaluated by executing the Not-attacker (SK) predicate, where SK is private. It is assumed that the public parameters are accessible to the attacker. The Not-attacker predicate is applied over SK. Moreover, the three successive inj-event queries affirm the association between the initiation and termination of the events corresponding to each of the processes, i.e., user, home, and foreign networks. The outcomes of these queries are shown in Figure 3d.
It is observed from results 1, 2, and 3 in Figure 3d that each process initiated and terminated successfully, which substantiates the correctness of our scheme, whereas result 4, Not-attacker (SK), affirms that the session key is secure against the attacker. Hence, our protocol maintains authenticity and secrecy during its execution.
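As an added illustration of the modelling style described above (this is not the paper's own Figure 3 script, and the paper's Figure 2 message flow is not reproduced here), the following ProVerif model uses the channel, identity, key and process names from the text (sch1, pch2, pch3, IDmx, IDhz, IDfy, PWmx, Kxz, Kyz, SK, pMuser, pHagt, pFagt) with an assumed, simplified three-party exchange: the mobile user sends a per-login pseudo identity and an encrypted request through the foreign agent to the home agent, which verifies both pre-shared keys and returns the session-key material. The constructors h, senc and sdec, the nonces nx and ny, the registration process pHagtReg, and the message formats are assumptions for this example; the home agent's key pair Sh/Ph and the elliptic curve operations are omitted.

```proverif
(* Added example model, not the paper's script. The message flow is an
   ASSUMED simplification; only the names below are taken from the paper. *)

(* Channels: sch1 is the private registration channel, pch2/pch3 are public. *)
free sch1: channel [private].
free pch2: channel.
free pch3: channel.

(* Identities: the mobile user's identity is private (anonymity), agents' are public. *)
free IDmx: bitstring [private].
free IDhz: bitstring.
free IDfy: bitstring.
free PWmx: bitstring [private].

(* Pre-shared keys: user <-> home agent, foreign agent <-> home agent. *)
free Kxz: bitstring [private].
free Kyz: bitstring [private].

(* Constructors: one-way hash and symmetric encryption (assumed names). *)
fun h(bitstring): bitstring.
fun senc(bitstring, bitstring): bitstring.
(* Destructor: decryption inverts encryption only under the same key. *)
reduc forall m: bitstring, k: bitstring; sdec(senc(m, k), k) = m.

(* Begin/end events, one pair per participant. *)
event beginUser(bitstring).
event endUser(bitstring).
event beginHome(bitstring).
event endHome(bitstring).
event beginForeign(bitstring).
event endForeign(bitstring).

(* Secrecy test: SK is only ever sent encrypted under the derived session key,
   so "not attacker(SK)" holds exactly when the session key stays secret. *)
free SK: bitstring [private].
query attacker(SK).
query x: bitstring; inj-event(endUser(x)) ==> inj-event(beginUser(x)).
query x: bitstring; inj-event(endHome(x)) ==> inj-event(beginHome(x)).
query x: bitstring; inj-event(endForeign(x)) ==> inj-event(beginForeign(x)).

(* Home agent side of registration over the private channel (assumed). *)
let pHagtReg =
  in(sch1, (idm: bitstring, hpw: bitstring)); 0.

let pMuser =
  (* Registration: the password is concealed in a hash with a random number. *)
  new b: bitstring;
  out(sch1, (IDmx, h((PWmx, b))));
  (* Login: a fresh nonce gives a new pseudo identity on every request. *)
  new nx: bitstring;
  event beginUser(nx);
  let pid = h((IDmx, nx)) in
  out(pch2, (pid, IDhz, senc((IDmx, nx), Kxz)));
  in(pch2, c4: bitstring);
  let (ny1: bitstring, =IDfy) = sdec(c4, Kxz) in
  let sk = h((nx, ny1, h(IDmx))) in
  out(pch2, senc(SK, sk));
  event endUser(nx).

let pFagt =
  in(pch2, (pid: bitstring, =IDhz, c1: bitstring));
  new ny: bitstring;
  event beginForeign(ny);
  (* Forward the user's request to the home agent under the FA-HA key. *)
  out(pch3, (IDfy, pid, c1, senc((IDfy, ny, c1), Kyz)));
  in(pch3, (c3: bitstring, c4: bitstring));
  let (sk: bitstring, =ny) = sdec(c3, Kyz) in
  out(pch2, c4);
  out(pch2, senc(SK, sk));
  event endForeign(ny).

let pHagt =
  in(pch3, (=IDfy, pid: bitstring, c1: bitstring, c2: bitstring));
  event beginHome(pid);
  (* Both pre-shared keys must decrypt correctly, and the pseudo identity must match. *)
  let (=IDfy, ny1: bitstring, =c1) = sdec(c2, Kyz) in
  let (=IDmx, nx1: bitstring) = sdec(c1, Kxz) in
  if pid = h((IDmx, nx1)) then
  let sk = h((nx1, ny1, h(IDmx))) in
  out(pch3, (senc((sk, ny1), Kyz), senc((ny1, IDfy), Kxz)));
  event endHome(pid).

(* Unbounded parallel execution of all participants. *)
process
  ( (!pMuser) | (!pHagtReg) | (!pHagt) | (!pFagt) )
```

Run with `proverif model.pv`. Because Kxz, Kyz and IDmx are private and the nonces only travel encrypted, ProVerif should report `RESULT not attacker(SK[]) is true.` together with the three injective correspondences being true, which mirrors the four results the text reads off Figure 3d. Since each begin/end pair sits in the same process, those three queries only confirm that every process can run to completion; a cross-party correspondence such as `inj-event(endHome(x)) ==> inj-event(beginUser(x))`, with the events carrying a shared value, is the stronger check a reviewer would add to establish that the home agent completes only for a request a real user started.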
5.3. Security Requirements
The security requirements of the proposed scheme and a comparison of the proposed scheme with related competing schemes [9] are detailed in the following subsections. Table 2 also illustrates the comparison and confirms that only the proposed scheme provides all the required features and resists the known attacks, whereas each competing scheme either lacks some features or fails to resist some known attack.
5.3.1. Mutual Authentication
The proposed scheme, through (the home agent), provides mutual authentication between (the mobile node) and (the foreign agent). authenticates by validating ; the computation of a valid/legal requires an adversary to have access to the secret parameter of , i.e., , as well as a valid/legal , which can only be extracted through the use of the secret key () of . Neither nor can be computed by any adversary, which implies that only a valid can pass this test. Moreover, authenticates by validating . The computation of a valid/legal requires an adversary to extract , which can be computed from the public parameter sent by . The computation of requires an adversary to have access to the pre-shared secret key between and . No adversary, insider or outsider, can have access to this pre-shared secret key. Therefore, only a legal/valid can pass this test. Similarly, authenticates by validating ; the computation of a valid requires an adversary to have access to the pre-shared secret key between and . Moreover, the adversary also needs to compute the valid/legal corresponding to the parameter sent earlier on the public channel by to ; the computation of again requires the use of the pre-shared secret key . Therefore, only a valid can pass this test. Likewise, authenticates : 1) by validating and 2) by verifying . To generate a valid/legal , an adversary needs access to the secret parameter of , as well as the computation of a valid/legal , both of which can be performed only by a legal . Likewise, to generate a valid , an adversary needs to compute valid/legal , and . All the mentioned parameters can only be computed by a legal . Hence, mutual authentication between and through is an essential trait of the proposed scheme.
The proposed scheme correctly accomplishes the process of authentication between and through . Unlike Lu et al.'s scheme, in the proposed scheme does not unnecessarily update () after each successful login. More precisely, the proposed scheme does not require any verifier table for any user; therefore, no entry can be modified by . Since does not use a verifier table, processing a user request does not involve finding and comparing verifier entries, which helps in minimizing the delay. Hence, the proposed scheme provides a correct and secure authentication process.
5.3.3. User Anonymity/Untraceability
Unfortunately, and despite their claim, in the scheme of Lu et al. the pseudo identity remains the same not only for multiple sessions but for all sessions. In the proposed scheme, on every login/authentication request selects a new random variable and computes the dynamic pseudo identity . Therefore, the proposed scheme provides not only identity hiding but also untraceability/unlinkability.
5.3.4. Perfect Forward Secrecy
The session key computed after successful authentication between and contains a share from both parties, i.e., from and from . Both and are generated freshly for each session. Moreover, neither nor has full control over the key generation. Even if one or more session keys from previous sessions are compromised, the adversary is not able to compute any future session key. Hence, the proposed scheme provides perfect forward secrecy.
5.3.5. User Forgery Attack
As described in Section 5.3.1, authenticates the user by validating , which can only be computed by a legal . To compute , an adversary needs to compute , as well as . Only a legal can compute its own secretly generated parameter , which requires the use of the secret parameter . Therefore, the proposed scheme strongly resists the user forgery attack.
5.3.6. Stolen Verifier and Insider Attack
In the proposed scheme, the home agent does not store any information relating to the credentials of , including the password ; rather, is free of any verifier table. The only information stored is the public identities of the users. Moreover, during the registration process, sends , along with , to . The password is concealed in a one-way hash function together with a random number. Therefore, no deceitful insider obtains any information relating to the password and gains no advantage. Hence, the proposed scheme resists insider attacks. Moreover, without a verifier table, a stolen-verifier attack is impossible in the proposed scheme.
5.3.7. Stolen Smart-Card Attack
In the proposed scheme, the smart-card contains , where the user-related information is stored in the parameters and , with and . Extracting password information from or requires inverting the hash function, which by definition is a hard problem. Moreover, the user's secret parameter is also concealed with , and without the password information it is computationally infeasible to compute . Therefore, the proposed scheme resists stolen smart-card attacks.
5.3.8. Known Session-Specific Parameters Attack
In the proposed scheme, the adversary is not able to compute the session key even if he obtains the session parameters and , because the session key also requires the hashed identity concealed in the elliptic curve point . Computing requires breaking the one-way property of the hash function as well as solving the elliptic curve discrete logarithm problem. Therefore, the proposed scheme resists the known session-specific parameters attack.