
A Privacy Preserving Authentication Scheme for Roaming in IoT-Based Wireless Mobile Networks

1 Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia
2 Department of Computer Engineering, Faculty of Engineering and Architecture, Istanbul Gelisim University, Avcılar, 34310 Istanbul, Turkey
3 Department of Electrical Engineering, College of Electronics and Information Engineering, Sejong University, 209 Neungdong-ro, Gwangjin-gu, Seoul 05006, Korea
* Authors to whom correspondence should be addressed.
Symmetry 2020, 12(2), 287; https://doi.org/10.3390/sym12020287
Received: 16 January 2020 / Revised: 8 February 2020 / Accepted: 10 February 2020 / Published: 15 February 2020
(This article belongs to the Special Issue Information Technologies and Electronics)

Abstract

The roaming service enables a remote user to obtain desired services while roaming in a foreign network with the help of his home network. Authentication is a prerequisite for secure communication between a foreign network and the roaming user; it enables the user to share a secret key with the foreign network for subsequent private communication of data. Sharing a secret key is a tedious task due to the underlying open and insecure channel. Recently, a number of such schemes have been proposed to provide authentication between a roaming user and foreign networks. Very recently, Lu et al. claimed that the seminal Gope-Hwang scheme fails to resist a session-specific temporary information leakage attack. Lu et al. then proposed an improved scheme based on Elliptic Curve Cryptography (ECC) for roaming users. However, contrary to their claim, this paper provides an in-depth cryptanalysis of Lu et al.’s scheme to show its weaknesses against Stolen Verifier and Traceability attacks. Moreover, the analysis also affirms that the scheme of Lu et al. entails incorrect login and authentication phases and is prone to scalability issues. An improved scheme is then proposed. The scheme not only overcomes the weaknesses of Lu et al.’s scheme but also incurs low computation time. The security of the scheme is analyzed through formal and informal methods; moreover, the automated tool ProVerif also verifies the security features claimed by the proposed scheme.
Keywords: roaming user; authentication; internet of things; mobile networks; anonymity; elliptic curve cryptography; ProVerif

1. Introduction

The emerging Internet of Things (IoT) is an infrastructure of all globally connected devices, including home appliances, vehicles, mobiles, tablets, surveillance systems, smart grids, etc. The IoT enables heterogeneous networks to communicate seamlessly with each other. The roaming service in IoT-based networks enables a remote user to enjoy seamless and hassle-free services while roaming outside the home network. A typical roaming scenario is shown in Figure 1. It involves three entities, namely the mobile user, the home network, and the foreign network: the mobile user, using his digital communication device (smart-phone, smart vehicle, laptop, PDA, etc.), can access the services of his home network remotely within the coverage area of a foreign network. The roaming service extends the handover of connections from the home network to the foreign network even when the two networks are of different types and are located at different geographical locations. The home and foreign networks enter into a roaming agreement in order to facilitate their users. The user registers himself with the home network and, when he roams out of the coverage of his home network and enters the coverage range of another network (a foreign network having a roaming agreement with the home network), can access and enjoy the services of his home network through the foreign network. The roaming service is rapidly gaining importance, due to the millions of subscribers traveling abroad per year. The main issue restricting the wide usage of roaming services is the security and privacy of the connecting parties. All the services provided communicate over an open/insecure wireless channel, which inherently affects the security of such networks.
The roaming process requires proper security mechanisms and is equally important for all three participants: the foreign network cannot allow its resources and services to be used illegitimately and without payment, the home network must avoid becoming a source of illegal access to the foreign network, and the user does not want to be charged for services used by some adversary. Moreover, from the user’s perspective, privacy and anonymity have gained much importance. Without privacy and anonymity, the adversary can track the user’s movements and current location [1,2]. Properly countering security-related issues requires the development of a customized authentication protocol, in which the protocol not only verifies the authenticity of the communicating parties but also establishes a session key for the subsequent confidential data/services exchanged between the participating entities. Authentication is required when a user roams out of the coverage area of his home network and enters the coverage area of a foreign network. The user has to be authenticated by the foreign network with the help of his home network. A successful authentication process ensures that access to the network is limited to legitimate users only [3].
In recent years, various authentication protocols have been proposed [4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20] based on different cryptographic mechanisms. The schemes [15,16,17,18] are based on lightweight symmetric key primitives; as per the criteria laid down by Wang and Wang [21], symmetric key mechanisms cannot provide privacy except by keeping a very large number of pseudo identities in a smart-card with low memory or by obtaining a dynamic identity from the home network at each login request. The schemes [4,5,6,7,12,13,14] based on bilinear pairing/modular exponentiation operations consume much more computation and in turn drain more battery power from already power-limited wireless/mobile devices. Some of the schemes [8,9,10,11] are based on public key but still resource-light Elliptic Curve Cryptography (ECC).
In 2009, Chang et al. [17] proposed an authentication scheme to secure GLOMONET. However, it was soon realized by Youn et al. [22] that the scheme proposed in Reference [17] could not achieve user anonymity. In 2012, Mun et al. [8] proposed an ECC-based authentication scheme for roaming users on the principles of the EC Diffie–Hellman problem (ECDHP). Soon after Mun et al.’s proposal, Reddy et al. [9] and Kim et al. [23] found various weaknesses in Mun et al.’s scheme, including insecurity against replay attacks. Reddy et al. [9] then proposed a slightly modified version to resist replay and other attacks against Mun et al.’s scheme. In 2017, another symmetric key based scheme for GLOMONET was proposed by Chaudhry et al. [18]. However, the authors of Reference [24] found various weaknesses, including vulnerability to impersonation and related attacks, in Chaudhry et al.’s scheme [18]. The scheme proposed by Lee et al. [24] is susceptible to a traceability attack, as the dynamic identity is sent by the home agent during the session in plain text, and this plain-text dynamic identity sent over the open channel can be used to trace future login requests. Recently, Gope and Hwang [25] proposed an authentication scheme for roaming users in GLOMONET using a pseudo identity to counter DoS attacks. Very recently, in 2019, Lu et al. [26] pointed out various weaknesses in Gope-Hwang’s scheme, including its insecurity against known session-specific parameter leakage attacks. Moreover, Lu et al. claimed that the Password Renewal Phase of Gope-Hwang is faulty, and they proposed a new ECC-based scheme.

1.1. The Contributions

Quite recently, in 2019, Lu et al. [26] found some weaknesses in the Gope-Hwang [25] authentication scheme for roaming users. To address them, Lu et al. proposed a new roaming user authentication scheme using ECC and claimed that their proposal provides the required security features and resists known attacks. Contrary to their claim [26], the cryptanalysis in this article shows that the roaming scheme presented in Reference [26] cannot protect the remote user against Stolen Verifier and Traceability attacks. Moreover, the analysis also affirms that the scheme of Lu et al. entails incorrect login and authentication phases and is prone to scalability issues. Therefore, an improved scheme based on ECC is designed by modifying just some of the steps in Lu et al.’s proposal. The scheme not only overcomes the weaknesses of Lu et al.’s scheme but also incurs low computation time. The proposed scheme has the following merits:
  • The scheme provides provable security under the hardness of the elliptic-curve discrete logarithm problem (ECDLP) and the elliptic-curve Diffie-Hellman problem (ECDHP).
  • The scheme provides security and anonymity under the automated security model of ProVerif.
  • The scheme provides authentication between the user and the foreign network with the help of the home network.
  • The scheme achieves low computation cost as compared with the baseline scheme presented in Reference [26].

1.2. Security Requirements

The user-friendly security requirements for a roaming user authentication scheme are as follows:
  • The mobile roaming user should be able to change his password credentials easily and should not be required to memorize a complicated and/or long password.
  • Along with the traditional security requirements, the scheme should ensure user privacy and anonymity. Any insider/outsider, including foreign agents, should remain unaware of the original identity of the roaming user. Moreover, the current location of the user should not be exposed to anyone, even one with some previous knowledge.
  • The home network should facilitate the authentication process between the user and the foreign network.
  • The authentication should result in a shared secret key between the user and the foreign network for subsequent confidential communication over the insecure link.
  • The scheme should at least resist all known attacks.

1.3. Adversarial Model

The common model for adversary capabilities, as mentioned in References [27,28,29,30,31], is adopted and explained below:
  • The adversary ($MU_a$) fully controls the link and can listen to, modify, or replay any message from the legal communicating parties. $MU_a$ is also able to inject a self-created false message.
  • $MU_a$ can easily get identity-related information.
  • $MU_a$ knows all public parameters.
  • Being an insider, $MU_a$ can extract the verifier table stored in the home network database.
  • The Home Network’s private key is considered secret, and no other entity can extract the key.
  • The pre-shared key between the home and foreign networks is assumed to be secure.

2. Review of the Scheme of Lu et al.

A brief review of Lu et al.’s roaming user authentication scheme is given here. Before moving further, please refer to Table 1 for the notations used in this paper. The three main phases of Lu et al.’s scheme are detailed in the subsections below:

2.1. Home Network Agent Setup Phase

For system-setup purposes, the Home Network Agent $HA_z$ selects an elliptic curve $E_p(a, b): y^2 = x^3 + ax + b \bmod p$, where $a, b \in F_p$, a finite field, such that $4a^3 + 27b^2 \neq 0$, along with the point at infinity $O$. $HA_z$ then selects a base point $P$ over $E_p(a, b)$. $HA_z$ selects a secret key $S_h$ and computes the public key $P_h = S_hP$. $HA_z$ also selects irreversible hash and keyed MAC functions $h()$, $H()$, $Mac_k()$, along with symmetric encryption/decryption algorithms $E_k()$, $D_k()$.

2.2. Registration Phase

Step LRP1:
The mobile user $MU_x$ selects an identity/password pair $\{ID_{mx}, PW_{mx}\}$, along with a randomly generated $r_{mx}$, and computes $PWU_{hz} = h(PW_{mx}, r_{mx})$. $MU_x$ sends the pair $\{ID_{mx}, PWU_{hz}\}$ to $HA_z$.
Step LRP2:
Upon receiving the pair $\{ID_{mx}, PWU_{hz}\}$ from $MU_x$, $HA_z$ generates random $x_1$, $x_2$ and $r_{mx}$ and stores $ID_{mx}$ and a sequence number $SNum_{mx}$ against the $i$-th registration request of $MU_x$. $HA_z$ then computes $PID_{mx} = h(h(ID_{mx}, x_1), x_2)$, $K_{xz} = h(PID_{mx}, S_h)$, $\alpha_{hz} = E_{PWU_{hz}}(K_{xz})$, and $\beta_{hz} = h(h(ID_{mx}), PWU_{hz})$. $HA_z$ then sends a smart-card containing $\{\alpha_{hz}, \beta_{hz}, PID_{mx}\}$ to $MU_x$. $HA_z$ stores $K_{xz}$ in a verifier table maintained by $HA_z$.
Step LRP3:
Upon receiving the smart-card, $MU_x$ inserts $r_{mx}$. Finally, the smart-card contains $\{\alpha_{hz}, \beta_{hz}, PID_{mx}, r_{mx}, h(), H(), E_k, D_k, Mac_k, P\}$.

2.3. Login & Authentication Phase

Step LLA1:
After inserting the smart-card, $MU_x$ inputs $ID_{mx}$ and $PW_{mx}$; the smart-card computes $PWU_{hz} = h(PW_{mx}, r_{mx})$ and verifies $h(h(ID_{mx}), h(r_{mx}, PWU_{hz})) \stackrel{?}{=} \beta_{hz}$. It terminates the session if the verification fails. Otherwise, it generates a time-stamp $T_1$ and random $N_{mx}$ and computes $K_{xz} = D_{PWU_{hz}}(\alpha_{hz})$, $A_{mx} = N_{mx}P + H(K_{xz}, ID_{mx}, ID_{hz})P$, $B_{mx} = E_{K_{xz}}(ID_{mx}, T_1, PID_{mx})$ and $C_{mx} = Mac_{K_{xz}}(N_{mx}P, ID_{mx}, T_1)$. $MU_x$ sends $M_{uf1} = \{A_{mx}, B_{mx}, C_{mx}, PID_{mx}, T_1\}$ to $FA_y$.
Step LLA2:
$FA_y$, upon receiving the request, checks the freshness of $T_1$ and generates a fresh time-stamp $T_2$ and random $N_{fy}$. $FA_y$ then computes $A_{fy} = N_{fy}P + H(K_{yz}, ID_{fy}, T_2)P$, $B_{fy} = Mac_{(N_{fy}P)_x}(ID_{hz}, T_1)$ and sends $M_{fh2} = \{M_{uf1}, A_{fy}, B_{fy}, T_2\}$ to $HA_z$.
Step LLA3:
$HA_z$ verifies the freshness of $T_2$ after receiving the message from $FA_y$ and rejects the message if $T_2$ is not fresh. Otherwise, $HA_z$, based on $PID_{mx}$, extracts the corresponding shared key $K_{xz}$ from the verifier database and decrypts $B_{mx}$ to get $ID_{mx}$. $HA_z$ verifies the originality of $ID_{mx}$ by comparing it with the one stored in the verifier in a tuple consisting of $ID_{mx}$, $PID_{mx}$ and $K_{xz}$. Upon successful verification, $HA_z$ computes $N_{mx}P = A_{mx} - H(K_{xz}, ID_{mx}, ID_{hz})P$ and verifies whether $C_{mx} \stackrel{?}{=} Mac_{K_{xz}}(N_{mx}P, ID_{mx}, T_1)$. Upon successful verification, $HA_z$ computes $N_{fy}P = A_{fy} - H(K_{yz}, ID_{fy}, T_2)P$ and then checks $B_{fy} \stackrel{?}{=} Mac_{(N_{fy}P)_x}(ID_{hz}, T_1)$. On success, $HA_z$ updates $K_{yz} = K_{yz}\; h(ID_{fy}, N_{fy}P, T_3)$ and computes $A_{hz} = N_{mx}P + H(ID_{mx})P + H(K_{yz}, ID_{hz}, N_{fy}P)P$, $B_{hz} = Mac_{K_{yz}}(N_{fy}P, N_{mx}P + H(ID_{mx}P, T_3))$. $HA_z$ also updates $K_{xz} = K_{xz}\; h(ID_{mx}, N_{mx}P, T_3)$ and computes $C_{hz} = N_{fy}P + H(K_{xz}, ID_{hz}, N_{mx}P)P$, $D_{hz} = Mac_{K_{xz}}(ID_{fy}, N_{fy}P, T_3, PID_{mx})$. $HA_z$ then sends $M_{hf3} = \{A_{hz}, B_{hz}, C_{hz}, D_{hz}, T_3\}$ to $FA_y$ and increments $SNum_{mx}$.
Step LLA4:
$FA_y$ checks the freshness of $T_3$ after receiving the response of $HA_z$. On success, $FA_y$ computes $N_{mx}P + H(ID_{mx})P = A_{hz} - H(K_{yz}, ID_{hz}, N_{fy}P)P$. $FA_y$ then verifies the validity of $B_{hz}$ and, on success, computes $C_{fy} = Mac_{(N_{mx}P + H(ID_{mx}P))_x}(ID_{fy}, N_{fy}P, T_3, T_4, C_{mx})$. The session key is computed as $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$. Then, $FA_y$ sends $M_{fu4} = \{C_{fy}, C_{hz}, D_{hz}, T_3, T_4\}$ to $MU_x$.
Step LLA5:
Upon reception, $MU_x$ verifies the freshness of $T_3$ and $T_4$ and, on success, computes $N_{fy}P = C_{hz} - H(K_{xz}, ID_{hz}, N_{mx}P)P$. $MU_x$ further checks the validity of $D_{hz}$ and $C_{fy}$; if both hold, $MU_x$ computes the session key $SK = h((N_{mx} + H(ID_{mx}))N_{fy}P)$, $D_{mx} = Mac_{(N_{mx} + H(ID_{mx})P)_x}(C_{fy}, N_{fy}P)$ and sends $M_{uf5} = \{D_{mx}, T_5\}$ to $FA_y$.
Step LLA6:
$FA_y$ verifies the freshness of $T_5$ and checks the validity of $D_{mx}$. If it holds, $FA_y$ treats $MU_x$ as a legitimate user, and further communication between $FA_y$ and $MU_x$ may be carried out using the shared key $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$.

3. Cryptanalysis of the Scheme of Lu et al.

In this section, cryptanalysis of Lu et al.’s scheme is carried out under the realistic assumptions of the adversarial model of Section 1.3. The following subsections show that the scheme of Lu et al. carries severe weaknesses, including insecurity against Stolen Verifier and known session-specific variables attacks. Moreover, the scheme does not provide untraceability and has scalability issues. More seriously, the scheme also entails correctness issues; such incorrectness may stop the authentication process before completion, and a legitimate user may experience denial of service. The following subsections explain the weaknesses:

3.1. Stolen Verifier Attack

Let $MU_a$ be a dishonest insider who, based on his capabilities as mentioned in Section 1.3, can steal the verifier table with tuples $\{ID_{mx}, PID_{mx}, K_{xz}\}$. Using the verifier parameters, $MU_a$ can impersonate any roaming mobile user registered with the home agent. The attack is simulated as follows:
Step IA1:
$MU_a$ generates a time-stamp $T_{a1}$ and random $N_{ma}$, and computes:
(1) $A_{ma} = N_{ma}P + H(K_{xz}, ID_{ma}, ID_{hz})P$
(2) $B_{ma} = E_{K_{xz}}(ID_{mx}, T_1, PID_{mx})$
(3) $C_{ma} = Mac_{K_{xz}}(N_{ma}P, ID_{mx}, T_{a1})$
$MU_a$ sends $M_{A1} = \{A_{ma}, B_{ma}, C_{ma}, PID_{ma}, T_{a1}\}$ to $FA_y$.
Step IA2:
$FA_y$, upon receiving the request, checks the freshness of $T_{a1}$ and generates a fresh time-stamp $T_2$ and random $N_{fy}$. $FA_y$ then computes:
(4) $A_{fy} = N_{fy}P + H(K_{yz}, ID_{fy}, T_2)P$
(5) $B_{fy} = Mac_{(N_{fy}P)_x}(ID_{hz}, T_{a1})$
$FA_y$ sends $M_{fh2} = \{M_{A1}, A_{fy}, B_{fy}, T_2\}$ to $HA_z$.
Step IA3:
$HA_z$ verifies the freshness of $T_2$ after receiving the message from $FA_y$ and accepts the message, as $T_2$ is fresh. $HA_z$, based on $PID_{mx}$, extracts $K_{xz}$ and $ID_{mx}$ from the verifier table and computes:
(6) $(ID_{mx}, T_{a1}, PID_{mx}) = D_{K_{xz}}(B_{ma})$
$HA_z$ compares the decrypted $ID_{mx}$ from Equation (6) with the one extracted from the verifier table. The attacker $MU_a$ will pass this test, as both values are the same. Now, $HA_z$ computes:
(7) $N_{ma}P = A_{mx} - H(K_{xz}, ID_{mx}, ID_{hz})P$
$HA_z$ checks:
(8) $C_{ma} \stackrel{?}{=} Mac_{K_{xz}}(N_{ma}P, ID_{mx}, T_{a1})$
$HA_z$ authenticates $MU_x$ on the basis of the equality in Equation (8). $MU_a$ will also pass this test, as all parameters used in the computation of $C_{ma}$ were accessible to $MU_a$ and were correctly calculated when $MU_a$ computed $C_{ma}$. Now, $HA_z$ computes:
(9) $N_{fy}P = A_{fy} - H(K_{yz}, ID_{fy}, T_2)P$
$HA_z$ then checks:
(10) $B_{fy} \stackrel{?}{=} Mac_{(N_{fy}P)_x}(ID_{hz}, T_{a1})$
As $FA_y$ is legitimate, it will pass the check of Equation (10). Hence, $HA_z$ computes:
(11) $A_{hz} = N_{mx}P + H(ID_{mx})P + H(K_{yz}, ID_{hz}, N_{fy}P)$
(12) $B_{hz} = Mac_{K_{yz}}(N_{fy}P, N_{mx}P + H(ID_{mx}P, T_3))$
(13) $C_{hz} = N_{fy}P + H(K_{xz}, ID_{hz}, N_{mx}P)P$
(14) $D_{hz} = Mac_{K_{xz}}(ID_{fy}, N_{fy}P, T_3, PID_{mx})$
$HA_z$ then updates:
(15) $K_{yz} = K_{yz}\; h(ID_{fy}, N_{fy}P, T_3)$
(16) $K_{xz} = K_{xz}\; h(ID_{mx}, N_{ma}P, T_3)$
Finally, $HA_z$ sends $M_{hf3} = \{A_{hz}, B_{hz}, C_{hz}, D_{hz}, T_3\}$ to $FA_y$ and increments $SNum_{mx}$.
Step IA4:
$FA_y$ checks the freshness of $T_3$ and computes:
(17) $N_{mx}P + H(ID_{mx})P = A_{hz} - H(K_{yz}, ID_{hz}, N_{fy}P)$
$FA_y$ then verifies the validity of $B_{hz}$ and, on success, computes:
(18) $C_{fy} = Mac_{(N_{mx}P + H(ID_{mx}P))_x}(ID_{fy}, N_{fy}P, T_3, T_4, C_{mx})$
(19) $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$
Then, $FA_y$ sends $M_{fu4} = \{C_{fy}, C_{hz}, D_{hz}, T_3, T_4\}$ to $MU_x$.
Step IA5:
$MU_a$ intercepts the message and computes:
(20) $N_{fy}P = C_{hz} - H(K_{xz}, ID_{hz}, N_{ma}P)P$
(21) $SK = h((N_{ma} + H(ID_{mx}))N_{fy}P)$
(22) $D_{ma} = Mac_{(N_{ma} + H(ID_{mx}P))_x}(C_{fy}, N_{fy}P)$
$MU_a$ sends $M_{A5} = \{D_{ma}, T_{A5}\}$ to $FA_y$.
Step IA6:
$FA_y$ verifies the freshness of $T_{A5}$ and checks the validity of $D_{ma}$. As $T_{A5}$ is freshly generated, it will pass the test. Similarly, $MU_a$ has access to all parameters used in the computation of $D_{ma}$, so it will also pass the test. Therefore, $MU_a$ has also deceived $FA_y$ and passed the authentication. Now, $MU_a$ can easily communicate with $FA_y$ on behalf of $MU_x$ using the shared key $SK = h(N_{fy}(N_{ma}P + H(ID_{mx})P))$.

3.2. Traceability

Along with security, user anonymity/privacy is of vital interest; if compromised, the attacker can infer important victim-related information, including the mobile user’s lifestyle, habits, shopping preferences, and sensitive location-related information. Ensuring (1) identity hiding and (2) untraceability are the primary goals of privacy protection. Identity hiding refers to concealing the original identity of the user on the public network, and untraceability ensures that no one can tell that two different sessions were requested by a single user. In the scheme of Lu et al., a static parameter $PID_{mx}$ is used as the pseudo identity of $MU_x$, which remains the same for all sessions. Although it provides identity hiding, it lacks untraceability. Therefore, anyone just listening to the public channel can affirm whether or not different sessions are initiated by a single user.

3.3. Incorrectness

In Lu et al.’s scheme, $HA_z$ updates the pre-shared keys $K_{xz}$ with $MU_x$ and $K_{yz}$ with $FA_y$ during each session, as shown in Equations (15) and (16), whereas these keys are not updated on the other sides, i.e., $MU_x$ and $FA_y$. Hence, the subsequent authentication request will fail, and the scheme can work only for a single authentication, which is not acceptable in any scenario, especially in IoT-based systems.

3.4. Scalability Problem

Due to the storage of the verifier table on $HA_z$, the scheme may suffer scalability issues. Moreover, finding the corresponding entries in a large verifier table may cause delay in delay-sensitive scenarios.

4. Proposed Scheme

This section explains our improved authentication scheme for roaming users in IoT-based wireless networks; the causes affecting Lu et al.’s security were considered in the design phase of our improved scheme. The storage of a verifier table with entries consisting of the tuple $\{ID_{mx}, PID_{mx}, K_{xz}\}$ is the hitch that gives room to insecurities. Moreover, the verifier also delays the authentication process. In Lu et al.’s scheme, $HA_z$ updates the pre-shared keys $K_{xz}$ with $MU_x$ and $K_{yz}$ with $FA_y$ during each session, whereas these keys ($K_{xz}$, $K_{yz}$) are not updated on the other sides, i.e., $MU_x$ and $FA_y$. Therefore, authentication may fail in subsequent sessions. The proposed scheme handles this incorrectness by removing this step, as updating these keys is unnecessary. The proposed scheme avoids the use of any verifier stored on $HA_z$ to provide hassle-free security. Moreover, the proposed scheme modifies some steps in the registration and login/authentication phases. The working of the proposed scheme is shown in Figure 2. The following subsections explain the phases of the scheme:

4.1. System Setup Phase

For system-setup purposes, the Home Network Agent $HA_z$ selects an elliptic curve $E_p(a, b): y^2 = x^3 + ax + b \bmod p$, where $a, b \in F_p$, a finite field, such that $4a^3 + 27b^2 \neq 0$, along with the point at infinity $O$. $HA_z$ then selects a base point $P$ over $E_p(a, b)$. $HA_z$ selects a secret key $S_h$ and computes the public key $P_h = S_hP$. $HA_z$ also selects two hash functions $h()$, $H()$, as well as a keyed MAC function $Mac_k()$, along with symmetric encryption/decryption algorithms $E_k()$, $D_k()$.
Note: The details of cryptographic primitives, including Hash, keyed MAC, etc., can be found in Reference [32].

4.2. Proposed Registration Phase

Step PRP1:
The mobile user $MU_x$ selects an identity/password pair $\{ID_{mx}, PW_{mx}\}$, along with a randomly generated $r_{mx}$, and computes $PWU_{hz} = h(PW_{mx}, r_{mx})$. $MU_x$ sends the pair $\{ID_{mx}, PWU_{hz}\}$ to $HA_z$.
Step PRP2:
Upon receiving the pair $\{ID_{mx}, PWU_{hz}\}$ from $MU_x$, $HA_z$ computes $U_{hz} = h(ID_{mx}, S_h)$, $\alpha_{hz} = U_{hz}\; PWU_{hz}$, and $\beta_{hz} = h(h(ID_{mx}), PWU_{hz})$. $HA_z$ then sends a smart-card containing $\{\alpha_{hz}, \beta_{hz}, P_h = S_hP\}$ to $MU_x$.
Step PRP3:
Upon receiving the smart-card, $MU_x$ computes $R_{mx} = r_{mx}\; PW_{mx}$ and inserts $r_{mx}$. Finally, the smart-card contains $\{\alpha_{hz}, \beta_{hz}, r_{mx}, h(), H(), E_k, D_k, Mac_k, P_h = S_hP, P\}$.

4.3. Login & Authentication Phase

Step PLA1:
After inserting the smart-card, $MU_x$ inputs $ID_{mx}$ and $PW_{mx}$; the smart-card computes $r_{mx} = R_{mx}\; PW_{mx}$ and $PWU_{hz} = h(PW_{mx}, r_{mx})$. The smart-card then verifies $h(h(ID_{mx}), h(r_{mx}, PWU_{hz})) \stackrel{?}{=} \beta_{hz}$ and terminates the session if the verification fails. Otherwise, it generates a time-stamp $T_1$ and random $N_{mx}$ and computes $U_{hz} = \alpha_{hz}\; PWU_{hz}$, $A_{mx} = N_{mx}P$, $B_{mx} = N_{mx}P_h$, $PID_{mx} = A_{mx}\; ID_{mx}$ and $C_{mx} = Mac_{U_{hz}}(N_{mx}P, ID_{mx}, T_1)$. $MU_x$ sends $M_{uf1} = \{B_{mx}, C_{mx}, PID_{mx}, T_1\}$ to $FA_y$.
Step PLA2:
$FA_y$, upon receiving the request, checks the freshness of $T_1$ and generates a fresh time-stamp $T_2$ and random $N_{fy}$. $FA_y$ then computes $A_{fy} = N_{fy}P + H(K_{yz}, ID_{fy}, T_2)P$, $B_{fy} = Mac_{(N_{fy}P)_x}(ID_{hz}, T_1)$ and sends $M_{fh2} = \{M_{uf1}, A_{fy}, B_{fy}, T_2\}$ to $HA_z$.
Step PLA3:
$HA_z$ verifies the freshness of $T_2$ after receiving the message from $FA_y$ and rejects the message if $T_2$ is not fresh. Otherwise, $HA_z$ computes $A_{mx} = S_h^{-1}B_{mx}$ and $ID_{mx} = A_{mx}\; PID_{mx}$. $HA_z$ verifies the originality of $ID_{mx}$ against the subscribers’ identity table. Upon successful verification, $HA_z$ computes $U_{hz} = h(ID_{mx}, S_h)$ and verifies $C_{mx} \stackrel{?}{=} Mac_{U_{hz}}(N_{mx}P, ID_{mx}, T_1)$. Upon successful verification, $HA_z$ computes $N_{fy}P = A_{fy} - H(K_{yz}, ID_{fy}, T_2)P$ and then checks $B_{fy} \stackrel{?}{=} Mac_{(N_{fy}P)_x}(ID_{hz}, T_1)$. On success, $HA_z$ computes $A_{hz} = N_{mx}P + H(ID_{mx})P + H(K_{yz}, ID_{hz}, N_{fy}P)P$, $B_{hz} = Mac_{K_{yz}}(N_{fy}P, N_{mx}P + H(ID_{mx}P, T_3))$. $HA_z$ further computes $C_{hz} = N_{fy}P + H(U_{hz}, ID_{hz}, N_{mx}P)P$, $D_{hz} = Mac_{U_{hz}}(ID_{fy}, N_{fy}P, T_3, PID_{mx})$. $HA_z$ then sends $M_{hf3} = \{A_{hz}, B_{hz}, C_{hz}, D_{hz}, T_3\}$ to $FA_y$.
Step PLA4:
$FA_y$ checks the freshness of $T_3$ after receiving the response of $HA_z$. On success, $FA_y$ computes $N_{mx}P + H(ID_{mx})P = A_{hz} - H(K_{yz}, ID_{hz}, N_{fy}P)P$. $FA_y$ then verifies the validity of $B_{hz}$ and, on success, computes $C_{fy} = Mac_{(N_{mx}P + H(ID_{mx}P))_x}(ID_{fy}, N_{fy}P, T_3, T_4, C_{mx})$. The session key is computed as $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$. Then, $FA_y$ sends $M_{fu4} = \{C_{fy}, C_{hz}, D_{hz}, T_3, T_4\}$ to $MU_x$.
Step PLA5:
Upon reception, $MU_x$ verifies the freshness of $T_3$ and $T_4$ and, on success, computes $N_{fy}P = C_{hz} - H(U_{hz}, ID_{hz}, N_{mx}P)P$. $MU_x$ further checks the validity of $D_{hz}$ and $C_{fy}$; if both hold, $MU_x$ computes the session key $SK = h((N_{mx} + H(ID_{mx}))N_{fy}P)$, $D_{mx} = Mac_{(N_{mx} + H(ID_{mx})P)_x}(C_{fy}, N_{fy}P)$ and sends $M_{uf5} = \{D_{mx}, T_5\}$ to $FA_y$.
Step PLA6:
$FA_y$ verifies the freshness of $T_5$ and checks the validity of $D_{mx}$. If it holds, $FA_y$ treats $MU_x$ as a legitimate user, and further communication between $FA_y$ and $MU_x$ may be carried out using the shared key $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$.
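The user-facing core of the proposed scheme (Step PRP2, Step PLA1, the user part of Step PLA3, and the session-key equations of Steps PLA4/PLA5), worked on a real curve, as an added example that is not code from the paper or its authors. It assumes secp256k1, SHA-256 for $h()$, hash-to-scalar for $H()$, HMAC-SHA256 for $Mac_k()$, and XOR with $h(A_{mx})$ for masking $PID_{mx}$, since that operator is not legible in the extracted text; the $FA_y$–$HA_z$ leg ($K_{yz}$, $A_{fy}$, $B_{fy}$) is left out.

```python
import hashlib
import hmac
import secrets

# secp256k1 parameters (an assumption: the paper fixes no particular curve).
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_p; None is the point at infinity O."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt):
    """Double-and-add k*pt (not constant time; demonstration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def enc(v):
    """Canonical bytes for hash/MAC input: point as x||y, int big-endian, str utf-8."""
    if isinstance(v, tuple):
        return v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
    if isinstance(v, int):
        return v.to_bytes(32, "big")
    return v.encode() if isinstance(v, str) else v


def h(*parts):                    # h(): SHA-256 of the concatenated inputs
    return hashlib.sha256(b"".join(map(enc, parts))).digest()

def H(*parts):                    # H(): hash-to-scalar, used where the paper forms H(...)P
    return int.from_bytes(h(*parts), "big") % q

def mac(key, *parts):             # Mac_k(): HMAC-SHA256
    return hmac.new(enc(key), b"".join(map(enc, parts)), "sha256").digest()


def mask_id(A_mx, id_bytes):
    """Assumed realisation of PID_mx = A_mx (+) ID_mx: XOR the ID (<= 32 bytes) with h(A_mx).
    XOR is an involution, so the same call unmasks PID_mx back to ID_mx."""
    assert len(id_bytes) <= 32
    return bytes(a ^ b for a, b in zip(id_bytes, h(A_mx)))


def ha_register(S_h, ID_mx):
    """Step PRP2: U_hz = h(ID_mx, S_h) is recomputable from S_h, so HA_z keeps no verifier."""
    return h(ID_mx, S_h)


def mu_login(ID_mx, U_hz, P_h, T1):
    """Step PLA1: MU_x sends M_uf1 = {B_mx, C_mx, PID_mx, T1}; A_mx itself is never sent."""
    N_mx = secrets.randbelow(q - 1) + 1
    A_mx = ec_mul(N_mx, P)
    B_mx = ec_mul(N_mx, P_h)                     # = N_mx S_h P
    C_mx = mac(U_hz, A_mx, ID_mx, T1)
    return N_mx, {"B_mx": B_mx, "C_mx": C_mx, "PID_mx": mask_id(A_mx, enc(ID_mx)), "T1": T1}


def ha_verify_login(S_h, subscribers, msg):
    """Step PLA3, user part: A_mx = S_h^{-1} B_mx, unmask ID_mx, look it up in the subscriber
    identity table, re-derive U_hz and check C_mx. Returns (ID_mx, A_mx) or None."""
    A_mx = ec_mul(pow(S_h, -1, q), msg["B_mx"])
    ID_mx = mask_id(A_mx, msg["PID_mx"]).decode("utf-8", "replace")
    if ID_mx not in subscribers:
        return None
    expected = mac(h(ID_mx, S_h), A_mx, ID_mx, msg["T1"])
    return (ID_mx, A_mx) if hmac.compare_digest(msg["C_mx"], expected) else None


def fa_session_key(N_fy, A_mx, ID_mx):          # Step PLA4: SK = h(N_fy (N_mx P + H(ID_mx) P))
    return h(ec_mul(N_fy, ec_add(A_mx, ec_mul(H(ID_mx), P))))

def mu_session_key(N_mx, ID_mx, N_fy_P):        # Step PLA5: SK = h((N_mx + H(ID_mx)) N_fy P)
    return h(ec_mul((N_mx + H(ID_mx)) % q, N_fy_P))


def run_demo(ID_mx="mu-7781@home.example"):     # constructed sample identity
    S_h = secrets.randbelow(q - 1) + 1           # system setup: S_h secret, P_h = S_h P public
    P_h = ec_mul(S_h, P)
    U_hz = ha_register(S_h, ID_mx)
    N_mx, msg = mu_login(ID_mx, U_hz, P_h, T1=1700000000)
    accepted = ha_verify_login(S_h, {ID_mx}, msg)
    N_fy = secrets.randbelow(q - 1) + 1
    sk_fa = fa_session_key(N_fy, accepted[1], ID_mx)
    sk_mu = mu_session_key(N_mx, ID_mx, ec_mul(N_fy, P))
    # An insider holding only the subscriber table cannot forge C_mx without S_h ...
    forged = dict(msg, C_mx=mac(h(ID_mx, 0), accepted[1], ID_mx, msg["T1"]))
    # ... and PID_mx changes with every fresh A_mx, so two logins are not linkable on the channel.
    _, msg2 = mu_login(ID_mx, U_hz, P_h, T1=1700000001)
    return {"ha_accepts": accepted is not None and accepted[0] == ID_mx,
            "keys_agree": sk_fa == sk_mu,
            "forgery_rejected": ha_verify_login(S_h, {ID_mx}, forged) is None,
            "pid_unlinkable": msg["PID_mx"] != msg2["PID_mx"]}
```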

5. Security Analysis

This section explains the automated formal security validation of the proposed algorithm using the popular tool ProVerif, as well as the formal analysis under the hardness assumptions of ECDLP, the collision-resistance property of the one-way hash, and the hardness of the symmetric encryption algorithm. The section then presents the informal discussion on the required security, supplemented by a comparison of security features with existing related schemes.

5.1. Formal Security Analysis

For the purpose of the formal security analysis of our protocol, we define formal interpretations of indistinguishability under chosen-ciphertext attack (IND-CCA) of the symmetric cryptographic algorithm, the collision-resistant secure hash function, and ECDLP as follows:
Definition 1.
Given $(\Sigma, \Omega, \Phi)$ as the symmetric key algorithm and a cipher-text $CP = ENC_{key}(k)$, IND-CCA is considered a hard problem if $ADV^{IND\text{-}CCA}_{\mathcal{A}}(t_{a1}) \le \epsilon_{a1}$, in which $ADV^{IND\text{-}CCA}_{\mathcal{A}}(t_{a1})$ describes an $\mathcal{A}$’s advantage in finding the string $p \in \Omega$ (the set of plain-texts) of antecedent messages from the given $CP \in \Sigma$ (the set of cipher-texts) and the symmetric key algorithm with an unknown key $k \in \Phi$ (the set of enc/dec keys), for any small enough $\epsilon_{a1} > 0$ [32].
Definition 2.
Given an elliptic-curve point $G = yP$ over $E_p(x, y)$, the ECDLP is considered a hard problem if $ADV^{ECDLP}_{\mathcal{C}}(t_{a2}) \le \epsilon_{a2}$, in which $ADV^{ECDLP}_{\mathcal{C}}(t_{a2})$ describes the advantage of an $\mathcal{A}$ in discovering the integer $y \in Z_q^*$ from the given $G$ and $P$, for any small enough $\epsilon_{a2} > 0$ [32].
Definition 3.
Given the output $O = H(y)$, inverting the hash function is considered a hard problem if $ADV^{H}_{\mathcal{A}}(t_{a3}) \le \epsilon_{a3}$, in which $ADV^{H}_{\mathcal{A}}(t_{a3})$ describes the advantage of an $\mathcal{A}$ in extracting the input $y \in \{0, 1\}^*$ from the given $H(y)$, for any small enough $\epsilon_{a3} > 0$ [32].
For the formal analysis of security, we have defined random oracles [33] as follows:
  • $Reveal1$: This oracle will unconditionally output the plain-text $k$ from the given cipher-text $CP = ENC_{key}(k)$.
  • $Reveal2$: This oracle will unconditionally output the integer $y$ from the publicly given values $yP$ and $P$.
  • $Reveal3$: This oracle will output the input $y$ from $O$, the corresponding hash value.
Theorem 1.
On the basis of the assumption of IND-CCA security of the symmetric cryptography algorithm, the enhanced protocol is provably secure in the random oracle model against a probabilistic polynomial-time bounded attacker extracting the mobile user’s identity.
Proof. 
Assume that experiment E X P E 1 A I N D - C C A for the attacker A who has capability to extract the user’s ID, A be a probabilistic polynomial time restricted attacker. We determine success probability for E X P E 1 A I N D - C C A like S u c c 1 A I N D - C C A = 2 P r [ E X P E 1 A I N D - C C A = 1 ] - 1 . Then, the benefit of E X P E 1 A I N D - C C A is examined as A d v A I N D - C C A ( t 1 , q R 1 ) = m a x A S u c c 1 A I N D - C C A , whereas the maximal is taken overall attacker A with number of query q R 1 and time of execution t 1 made the Reveal1 oracle. the enhanced protocol is provably protected in the arbitrary oracle model across attacker A for extract the I D of mobile user M U a if A d v A I N D - C C A ( e t 1 ; q R 1 ) 1 , for any appropriately small 1 > 0 . Examine the experiment E X P E 1 A I N D - C C A as described in A l g o r i t h m 1 , A can successfully extract the I D of mobile user M U a if he is able to break I N D - C C A security of symmetric encryption description algorithm. Nevertheless, according to Definition 1, we could have A d v A I N D - C C A ( t 1 ) 1 , for any appropriately small 2 > 0 . Thus, we get A d v A I N D - C C A ( t 1 ; q R 1 ) 1 since A d v A I N D - C C A ( t 1 ; q R 1 ) depends on A d v A I N D - C C A ( t 1 ) . So, concluded that the enhanced protocol is protected against an A for extracting the I D of mobile user M U a .□
Algorithm 1.
Theorem 2.
Under the assumption that the hash function closely behaves as a random oracle, the enhanced protocol is provably secure in the random oracle model against a probabilistic polynomial time bounded attacker for extracting the session key $SK$ between the user and the foreign agent.
Proof. 
Assume that $EXPE2_A^{\mathrm{Hash,ECDLP}}$ is the experiment for the attacker $A$ who has the capability to extract the random numbers used in calculating the $SK$ between user and foreign agent, where $A$ is a probabilistic polynomial time bounded attacker. We define the success probability for $EXPE2_A^{\mathrm{Hash,ECDLP}}$ as $Succ2_A^{\mathrm{Hash,ECDLP}} = 2\Pr[EXPE2_A^{\mathrm{Hash,ECDLP}} = 1] - 1$. The advantage in $EXPE2_A^{\mathrm{Hash,ECDLP}}$ is then defined as $\mathrm{Adv}_A^{\mathrm{Hash,ECDLP}}(t_2; q_{R_2}; q_{R_3}) = \max_A Succ2_A^{\mathrm{Hash,ECDLP}}$, where the maximum is taken over all attackers $A$ with execution time $t_2$ and numbers of queries $q_{R_2}$ made to the Reveal2 and $q_{R_3}$ made to the Reveal3 oracle. The enhanced protocol is provably secure in the random oracle model against $A$ for the hash values of the session key $SK$ if $\mathrm{Adv}_A^{\mathrm{Hash,ECDLP}}(t_2; q_{R_2}; q_{R_3})$ 2, for any appropriately small 2 > 0. Examining the experiment $EXPE2_A^{\mathrm{Hash,ECDLP}}$ shown in Algorithm 2, $A$ can successfully extract the hash values of the session key $SK$ only if he has the capability to invert the hash function and solve the $ECDLP$. However, by Definition 2 and Definition 3, $\mathrm{Adv}_A^{\mathrm{ECDLP}}(t_2)$ 3 and $\mathrm{Adv}_A^{\mathrm{Hash}}(t_3)$ 4, for any appropriately small 3 > 0, 4 > 0. Thus, we get $\mathrm{Adv}_A^{\mathrm{Hash,ECDLP}}(t_2; q_{R_2}; q_{R_3})$ 2, since $\mathrm{Adv}_A^{\mathrm{Hash,ECDLP}}(t_2; q_{R_2}; q_{R_3})$ depends on $\mathrm{Adv}_A^{\mathrm{ECDLP}}(t_2)$ 3 and $\mathrm{Adv}_A^{\mathrm{Hash}}(t_3)$ 4. So, we conclude that the enhanced protocol is provably secure against an attacker for extracting the session key $SK$ between the user and the foreign agent. □
Algorithm 2.

5.2. Automated Security Analysis with ProVerif

We chose the widely used software tool ProVerif [34,35] for performing an automated security analysis. ProVerif is built on the applied π calculus [36]. It can test and simulate many cryptographic operations, such as encryption/decryption, symmetric/asymmetric cryptosystems, hashes, signatures, etc., and it can verify the properties of secrecy and authenticity. The complete protocol as given in Figure 2 is implemented and verified in ProVerif. Three channels, as shown in Figure 3a, are introduced in the implementation. The secure channel sch1 is dedicated to registration between the mobile user and the home agent, whereas the two public channels pch2 and pch3 carry the communication of the mobile user and the home agent with the foreign agent. Variables and constants are also defined in Figure 3a. To keep the mobile user anonymous, its identity IDmx is kept private, whereas the identities of the home and foreign agents, IDhz and IDfy respectively, are public. The mobile user's password PWmx and the shared keys Kxz and Kyz (between mobile user and home agent, and between foreign agent and home agent, respectively) are declared private. Sh and Ph are the private/public key pair of the home agent. Constructors are specified to simulate the cryptographic operations and functions; destructors and equations are then specified to simulate their inverses and decryption.
Every participant is described through two events, a begin and an end event. Authenticity of the protocol is established by exposing the relationship between the begin and end events initiated by each participant. If the end event is not reached, the protocol terminated unsuccessfully and the scheme is incorrect. In Figure 3b, three distinct processes are implemented and simulated on behalf of the three participants. These are pMuser, pHagt and pFagt, defined and implemented as shown in Figure 2 and described in Section 4. The proposed scheme is simulated as an unbounded parallel execution of the user, home and foreign network processes.
The four queries in Figure 3c substantiate the security and correctness of our protocol. The query attacker simulates an actual attack to expose the session key, whereas the other three inj-event queries correspond to the begin and end events of the three processes, i.e., user, home, and foreign networks. If any of these queries returns false, the scheme is incorrect. The abilities of an attacker are evaluated by executing the Not-attacker(SK) predicate, where $SK$ is private. It is assumed that the public parameters are accessible to the attacker. Moreover, the three successive inj-event queries affirm the association between the initiation and termination of the events of each process, i.e., user, home, and foreign networks. The outcome of these queries is shown in Figure 3d.
Results 1, 2, and 3 in Figure 3d show that each process initiated and terminated successfully, which substantiates the correctness of our scheme, whereas result 4, Not-attacker(SK), affirms that the session key remains secret against the modelled attacker. Hence, our protocol maintains authenticity and secrecy during its execution.

5.3. Security Requirements

The security requirements of the proposed scheme and a comparison of the proposed scheme with related competing schemes [9,12,14,25,26] are detailed in the following subsections. Table 2 also illustrates the comparison and confirms that only the proposed scheme provides all the required features and resists the known attacks, whereas each competing scheme either lacks some feature or fails to resist some known attack.

5.3.1. Mutual Authentication

The proposed scheme, through $HA_z$ (the home agent), provides mutual authentication between $MN_x$ (the mobile node) and $FA_y$ (the foreign agent). $HA_z$ authenticates $MN_x$ by validating $C_{mx} \stackrel{?}{=} Mac_{U_{hz}}(N_{mx}P, ID_{mx}, T_1)$; computation of a valid $C_{mx}$ requires an adversary to have access to the secret parameter of $MN_x$, i.e., $U_{hz} = h(ID_{mx}, S_h)$, as well as a valid $N_{mx}P$, which can only be extracted from $A_{mx}$ by use of the secret key $S_h$ of $HA_z$. Neither $U_{hz}$ nor $N_{mx}P$ can be computed by any adversary, which implies that only a valid $MN_x$ can pass this test. Moreover, $HA_z$ authenticates $FA_y$ by validating $B_{fy} \stackrel{?}{=} Mac_{(N_{fy}P)_x}(ID_{hz}, T_1)$. The computation of a valid $B_{fy}$ requires an adversary to extract $N_{fy}P$ from the public parameter $A_{fy} = N_{fy}P + H(K_{yz}, ID_{fy}, T_2)P$ sent by $FA_y$. The computation of $A_{fy}$ requires an adversary to have access to the pre-shared secret key $K_{yz}$ between $HA_z$ and $FA_y$. No adversary, insider or outsider, can have access to the pre-shared secret key. Therefore, only a legal $FA_y$ can pass this test. Similarly, $FA_y$ authenticates $HA_z$ by validating $B_{hz} \stackrel{?}{=} Mac_{K_{yz}}(N_{fy}P, N_{mx}P + H(ID_{mx})P, T_3)$; the computation of a valid $B_{hz}$ requires an adversary to have access to the pre-shared secret key $K_{yz}$ between $HA_z$ and $FA_y$. Moreover, the adversary also needs to compute the valid $N_{fy}P$ corresponding to the parameter $A_{fy} = N_{fy}P + H(K_{yz}, ID_{fy}, T_2)P$ sent earlier on the public channel by $FA_y$ to $HA_z$; the computation of $A_{fy}$ again requires the pre-shared secret key $K_{yz}$. Therefore, only a valid $HA_z$ can pass this test. Likewise, $MN_x$ authenticates: (1) $HA_z$ by validating $D_{hz} \stackrel{?}{=} Mac_{U_{hz}}(ID_{fy}, N_{fy}P, T_3, PID_{mx})$ and (2) $FA_y$ by verifying $C_{fy} \stackrel{?}{=} Mac_{(N_{mx}P + H(ID_{mx})P)_x}(ID_{fy}, N_{fy}P, T_3, T_4, C_{mx})$.
To generate a valid $D_{hz}$, an adversary requires access to the secret parameter $U_{hz}$ of $MN_x$, as well as the computation of a valid $N_{fy}P$, both of which can be performed only by a legal $HA_z$. Likewise, to generate a valid $C_{fy}$, an adversary requires the valid $N_{mx}P + H(ID_{mx})P$, $N_{fy}P$ and $C_{mx}$. All the mentioned parameters can only be computed by a legal $FA_y$. Hence, mutual authentication between $MN_x$ and $FA_y$ through $HA_z$ is an essential trait of the proposed scheme.

5.3.2. Correctness

The proposed scheme correctly accomplishes the process of authentication between $MN_x$ and $FA_y$ through $HA_z$. Unlike Lu et al.'s scheme, in the proposed scheme $HA_z$ does not unnecessarily update $(K_{xz}, K_{yz})$ after each successful login. More precisely, the proposed scheme does not require any verifier table for any user; therefore, no entry can be modified by $HA_z$. Since $HA_z$ uses no verifier table, handling the user request does not involve finding and comparing verifier entries, which helps in minimizing the delay. Hence, the proposed scheme provides a correct and secure authentication process.

5.3.3. User Anonymity/Untraceability

Unfortunately, and despite their claim, in the scheme of Lu et al. the pseudo identity $PID_{mx}$ remains the same not only for multiple but for all sessions. In the proposed scheme, on every login/authentication request $MN_x$ selects a new random variable $N_{mx}$ and computes the dynamic pseudo identity $PID_{mx} = N_{mx}P \ \ ID_{mx}$. Therefore, the proposed scheme provides not only identity hiding but also untraceability/unlinkability.

5.3.4. Perfect Forward Secrecy:

The session key $SK = h(N_{fy}(N_{mx}P + H(ID_{mx})P))$ computed after successful authentication between $MN_x$ and $FA_y$ contains a share from both, i.e., $N_{mx}$ from $MN_x$ and $N_{fy}$ from $FA_y$. Both $N_{mx}$ and $N_{fy}$ are generated freshly for each session. Moreover, neither $MN_x$ nor $FA_y$ has full control over key generation. Even if one or more session keys from previous sessions are compromised, the adversary is not able to compute any future session key. Hence, the proposed scheme provides perfect forward secrecy.
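As an added worked example (not code from the paper), the checks of Sections 5.3.1 and 5.3.4 on a concrete curve: $HA_z$ validating $C_{mx}$, $MN_x$ validating $C_{fy}$ under the x-coordinate key, and both ends deriving the same $SK$. It assumes secp256k1 as $E_p(a,b)$, HMAC-SHA256 as $Mac_k$ and SHA-256 as $h()$/$H()$; identities, timestamps and nonces are constructed sample values.

```python
"""Added example, not the paper's code: the MAC checks of Section 5.3.1 and the
session key SK = h(N_fy(N_mx P + H(ID_mx) P)) of Section 5.3.4, instantiated on
secp256k1 with HMAC-SHA256 as Mac_k and SHA-256 as h()/H(). All identities,
keys, nonces and timestamps are constructed sample values."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters, chosen here as the curve E_p(a, b) with base point P = G.
P_MOD = 2**256 - 2**32 - 977
A_COEF = 0
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition (handles doubling and the identity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):      # h(): one-way hash, output used as key material or session key
    return hashlib.sha256(b"|".join(parts)).digest()
def H(*parts):      # H(): hash to a scalar, as in H(ID_mx) P
    return int.from_bytes(h(*parts), "big") % N_ORDER
def pt_bytes(pt):   # serialise an EC point for hashing/MACing
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def x_key(pt):      # (.)_x : x-coordinate of an EC point used as a MAC key
    return pt[0].to_bytes(32, "big")
def mac(key, *parts):   # Mac_k
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def ha_check_cmx(U_hz, NmxP, ID_mx, T1, C_mx):
    """HA_z: C_mx ?= Mac_{U_hz}(N_mx P, ID_mx, T1)."""
    return hmac.compare_digest(C_mx, mac(U_hz, pt_bytes(NmxP), ID_mx, T1))

def sk_mobile(N_mx, ID_mx, NfyP):
    """MN_x: knows N_mx and ID_mx, receives N_fy P; SK = h((N_mx + H(ID_mx)) * N_fy P)."""
    return h(pt_bytes(ec_mul((N_mx + H(ID_mx)) % N_ORDER, NfyP)))

def sk_foreign(N_fy, Q):
    """FA_y: knows N_fy, receives Q = N_mx P + H(ID_mx) P from HA_z; SK = h(N_fy * Q)."""
    return h(pt_bytes(ec_mul(N_fy, Q)))

def run_session(ID_mx=b"MU-0001", ID_fy=b"FA-0001"):
    """One run of the parts of Figure 2 argued about in Sections 5.3.1 and 5.3.4."""
    S_h = secrets.randbelow(N_ORDER - 1) + 1          # HA_z private key
    U_hz = h(ID_mx, S_h.to_bytes(32, "big"))          # U_hz = h(ID_mx, S_h), held by MN_x and HA_z
    N_mx = secrets.randbelow(N_ORDER - 1) + 1          # fresh per-session nonce of MN_x
    N_fy = secrets.randbelow(N_ORDER - 1) + 1          # fresh per-session nonce of FA_y
    T1, T3, T4 = b"T1", b"T3", b"T4"                   # constructed timestamps
    NmxP, NfyP = ec_mul(N_mx, G), ec_mul(N_fy, G)
    C_mx = mac(U_hz, pt_bytes(NmxP), ID_mx, T1)        # MN_x -> HA_z
    cmx_ok = ha_check_cmx(U_hz, NmxP, ID_mx, T1, C_mx)
    # an outsider without U_hz (modelled by a random key) cannot pass the same check
    forged = mac(secrets.token_bytes(32), pt_bytes(NmxP), ID_mx, T1)
    forged_ok = ha_check_cmx(U_hz, NmxP, ID_mx, T1, forged)
    Q = ec_add(NmxP, ec_mul(H(ID_mx), G))              # HA_z -> FA_y: N_mx P + H(ID_mx) P
    C_fy = mac(x_key(Q), ID_fy, pt_bytes(NfyP), T3, T4, C_mx)   # FA_y -> MN_x
    Q_mn = ec_mul((N_mx + H(ID_mx)) % N_ORDER, G)      # MN_x rebuilds Q from its own secrets
    cfy_ok = hmac.compare_digest(C_fy, mac(x_key(Q_mn), ID_fy, pt_bytes(NfyP), T3, T4, C_mx))
    return {"cmx_ok": cmx_ok, "forged_cmx_ok": forged_ok, "cfy_ok": cfy_ok,
            "sk_mobile": sk_mobile(N_mx, ID_mx, NfyP), "sk_foreign": sk_foreign(N_fy, Q)}
```

Because the key to $C_{fy}$ is the x-coordinate of $N_{mx}P + H(ID_{mx})P$, only a party holding $N_{mx}$ (or receiving the point from $HA_z$) can verify or produce it, which is the mutual-authentication argument of Section 5.3.1.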

5.3.5. User Forgery Attack

As described in Section 5.3.1, $HA_z$ authenticates the user by validating $C_{mx}$, and a valid $C_{mx}$ can only be computed by a legal $MN_x$. Moreover, $FA_y$ authenticates $MN_x$ by validating $D_{mx} \stackrel{?}{=} Mac_{(N_{mx} + H(ID_{mx})P)_x}(C_{fy}, N_{fy}P)$; an adversary would need to compute $N_{mx}P$ as well as $N_{fy}P$. Only a legal $MN_x$ can compute its own secretly generated parameter $N_{mx}P$ and extract $N_{fy}P$ from $N_{fy}P = C_{hz} - H(U_{hz}, ID_{hz}, N_{mx}P)P$, which requires the secret parameter $U_{hz}$ of $MN_x$. Therefore, the proposed scheme strongly resists the user forgery attack.

5.3.6. Stolen Verifier and Insider Attack

The home agent $HA_z$ in the proposed scheme does not store any information relating to the credentials of $MN_x$, including the password; rather, $HA_z$ is free of any verifier table. The only information stored is the public identities of the users. Moreover, during the registration process, $MN_x$ sends $PWU_{hz} = h(PW_{mx}, r_{mx})$, along with $ID_{mx}$, to $HA_z$. The password is concealed in a one-way hash function together with a random number. Therefore, no deceitful insider gets any information relating to the password and gains no advantage. Hence, the proposed scheme resists insider attacks. Moreover, without a verifier table, the stolen verifier attack is impossible in the proposed scheme.

5.3.7. Stolen Smart-Card Attack

In the proposed scheme, the smart-card contains $\{\alpha_{hz}, \beta_{hz}, r_{mx}, h(), H(), E_k, D_k, Mac_k, P_h = S_h, P\}$, where the user-related information is stored in the parameters $\alpha_{hz}$, $\beta_{hz}$ and $r_{mx}$, with $\alpha_{hz} = U_{hz} \ \ PWU_{hz}$ and $\beta_{hz} = h(h(ID_{mx}), PWU_{hz})$. Extracting password information from $\alpha$ or $\beta$ requires inverting the hash function, which by definition is a hard problem. Moreover, the user secret parameter $U_{hz}$ is also concealed with $PWU_{hz}$, and without the password information it is computationally infeasible to compute $U_{hz}$. Therefore, the proposed scheme resists stolen smart-card attacks.

5.3.8. Known Session-Specific Parameters Attack

The adversary in the proposed scheme is not able to compute the session key even if he gets the session parameters $N_{mx}$ and $N_{fy}$, as the session key also requires the hashed identity concealed in the elliptic curve point $H(ID_{mx})P$. Computing $ID_{mx}$ from it requires breaking the one-way property of the hash as well as the elliptic curve discrete logarithm problem. Therefore, the proposed scheme resists the known session-specific parameters attack.

6. Performance Comparisons

This section illustrates the performance comparison of the proposed scheme with the competing schemes. For performance comparison purposes, the following notations are used:
  • $T_{hm}$: Computation time for hash/MAC operations
  • $T_{ed}$: Computation time for symmetric encryption/decryption
  • $T_{pme}$: Computation time for scalar multiplication of a point over $E_p(a,b)$
  • $T_{pae}$: Computation time for addition of points over $E_p(a,b)$
  • $T_{me}$: Computation time for modular exponentiation
  • $T_{pb}$: Computation time for bilinear pairing
  • $T_{mtp}$: Computation time for map-to-point hash
Referring to the results of Kilinc and Yanik [37], where the experiment times were measured on Ubuntu 12.04.1 LTS 32-bit with version 0.5.12 of the PBC library built on version 5.0.5 of the GMP library, on an Intel PC with Dual CPU E2200 2.20 GHz and 2048 MB of memory, the execution times are $T_{hm}$: 0.0023 ms, $T_{ed}$: 0.0046 ms, $T_{pme}$: 2.226 ms, $T_{pae}$: 0.0288 ms, $T_{me}$: 3.85 ms, $T_{pb}$: 5.811 ms, and $T_{mtp}$: 0.947 ms, respectively. The computation costs of each scheme are presented in Table 3. The scheme of Reddy et al. completes the authentication by computing $18T_{hm} + 4T_{pme}$, the scheme of Li et al. requires $10T_{pme} + 1T_{pae} + 17T_{hm} + 2T_{pb} + 1T_{mtp}$ operations for a successful authentication procedure, the scheme of Jiang et al. computes $12T_{hm} + 2T_{me}$ to accomplish the authentication process, and the scheme of Gope-Hwang performs $21T_{hm}$ during authentication, whereas Lu et al.'s scheme completes a round of the authentication procedure with computation cost $25T_{hm} + 15T_{pme} + 10T_{pae} + 3T_{ed}$. The computation cost of the proposed scheme is $23T_{hm} + 14T_{pme} + 7T_{pae}$; although this is a bit higher than that of some competing schemes, while providing all security features the proposed scheme saves $2T_{hm}$, $1T_{pme}$, $3T_{pae}$, and $3T_{ed}$ compared with the seminal Lu et al.'s scheme. Table 3 also shows the execution time of all competing schemes; the proposed scheme completes roaming authentication in 31.8946 ms, approximately 1.8547 ms less than Lu et al.'s scheme.

7. Conclusions

In this paper, we identified weaknesses of Lu et al.'s scheme against stolen verifier and traceability attacks. We also identified that their scheme has correctness issues besides scalability. To address these weaknesses, we proposed an improved scheme for IoT-based wireless networks. The formal, informal, and automated security analyses have shown that our scheme withstands the known attacks, whereas the performance analysis has shown that our scheme is more efficient and practical compared with Lu et al.'s scheme. The proposed scheme is thus more practical in roaming scenarios.

Author Contributions

B.A.A. wrote the initial draft, revision and was involved in ProVerif Simulation. S.A.C. conceptualized the idea and performed cryptanalysis and designed the new scheme. A.B., and A.A.-B. performed security and efficiency analysis. M.H.A. performed formal analysis and supervised the whole process. All authors contributed equally to this work. All authors have read and agreed to the published version of the manuscript.

Funding

This project was funded by the Deanship of Scientific Research (DSR), King Abdulaziz University, Jeddah, under Grant No. (RG-7-611-40). The authors, therefore, gratefully acknowledge the DSR for technical and financial support.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. He, D.; Kumar, N.; Khan, M.K.; Lee, J. Anonymous two-factor authentication for consumer roaming service in global mobility networks. IEEE Trans. Consum. Electron. 2013, 59, 811–817.
  2. Li, X.; Liu, S.; Wu, F.; Kumari, S.; Rodrigues, J.J.P.C. Privacy Preserving Data Aggregation Scheme for Mobile Edge Computing Assisted IoT Applications. IEEE Internet Things J. 2019, 6, 4755–4763.
  3. Wei, F.; Vijayakumar, P.; Jiang, Q.; Zhang, R. A Mobile Intelligent Terminal Based Anonymous Authenticated Key Exchange Protocol for Roaming Service in Global Mobility Networks. IEEE Trans. Sustain. Comput. 2018, 1-1.
  4. Jiang, Y.; Lin, C.; Shen, X.; Shi, M. Mutual Authentication and Key Exchange Protocols for Roaming Services in Wireless Mobile Networks. IEEE Trans. Wirel. Commun. 2006, 5, 2569–2577.
  5. Jo, H.J.; Paik, J.H.; Lee, D.H. Efficient Privacy-Preserving Authentication in Wireless Mobile Networks. IEEE Trans. Mob. Comput. 2014, 13, 1469–1481.
  6. Hsu, R.; Lee, J.; Quek, T.Q.S.; Chen, J. GRAAD: Group Anonymous and Accountable D2D Communication in Mobile Networks. IEEE Trans. Inf. Forensics Secur. 2018, 13, 449–464.
  7. Alezabi, K.A.; Hashim, F.; Hashim, S.J.; Ali, B.M. An efficient authentication and key agreement protocol for 4G (LTE) networks. In Proceedings of the 2014 IEEE REGION 10 SYMPOSIUM, Kuala Lumpur, Malaysia, 14–16 April 2014; pp. 502–507.
  8. Mun, H.; Han, K.; Lee, Y.S.; Yeun, C.Y.; Choi, H.H. Enhanced secure anonymous authentication scheme for roaming service in global mobility networks. Math. Comput. Model. 2012, 55, 214–222.
  9. Goutham Reddy, A.; Yoon, E.; Das, A.K.; Yoo, K. Lightweight authentication with key-agreement protocol for mobile network environment using smart cards. IET Inf. Secur. 2016, 10, 272–282.
  10. El Idrissi, Y.E.H.; Zahid, N.; Jedra, M. An Efficient Authentication Protocol for 5G Heterogeneous Networks. In Ubiquitous Networking; Sabir, E., García Armada, A., Ghogho, M., Debbah, M., Eds.; Springer International Publishing: Cham, Switzerland, 2017; pp. 496–508.
  11. Su, C.; Santoso, B.; Li, Y.; Deng, R.H.; Huang, X. Universally Composable RFID Mutual Authentication. IEEE Trans. Dependable Secur. Comput. 2017, 14, 83–94.
  12. Li, X.; Niu, J.; Kumari, S.; Wu, F.; Choo, K.K.R. A robust biometrics based three-factor authentication scheme for Global Mobility Networks in smart city. Future Gener. Comput. Syst. 2018, 83, 607–618.
  13. He, D.; Chen, C.; Chan, S.; Bu, J. Secure and Efficient Handover Authentication Based on Bilinear Pairing Functions. IEEE Trans. Wirel. Commun. 2012, 11, 48–53.
  14. Jiang, Q.; Ma, J.; Li, G.; Yang, L. An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks. Wirel. Pers. Commun. 2013, 68, 1477–1491.
  15. Zhu, J.; Ma, J. A new authentication scheme with anonymity for wireless environments. IEEE Trans. Consum. Electron. 2004, 50, 231–235.
  16. Tsai, J.L.; Lo, N.W.; Wu, T.C. Secure Handover Authentication Protocol Based on Bilinear Pairings. Wirel. Pers. Commun. 2013, 73, 1037–1047.
  17. Chang, C.C.; Lee, C.Y.; Chiu, Y.C. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Comput. Commun. 2009, 32, 611–618.
  18. Chaudhry, S.A.; Albeshri, A.; Xiong, N.; Lee, C.; Shon, T. A privacy preserving authentication scheme for roaming in ubiquitous networks. Clust. Comput. 2017, 20, 1223–1236.
  19. Chen, C.M.; Xiang, B.; Liu, Y.; Wang, K.H. A secure authentication protocol for internet of vehicles. IEEE Access 2019, 7, 12047–12057.
  20. Chen, C.M.; Wang, K.H.; Yeh, K.H.; Xiang, B.; Wu, T.Y. Attacks and solutions on a three-party password-based authenticated key exchange protocol for wireless communications. J. Ambient Intell. Humaniz. Comput. 2019, 10, 3133–3142.
  21. Wang, D.; Wang, P. On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions. Comput. Netw. 2014, 73, 41–57.
  22. Youn, T.; Park, Y.; Lim, J. Weaknesses in an Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks. IEEE Commun. Lett. 2009, 13, 471–473.
  23. Kim, J.S.; Kwak, J. Improved secure anonymous authentication scheme for roaming service in global mobility networks. Int. J. Secur. Its Appl. 2012, 6, 45–54.
  24. Lee, H.; Lee, D.; Moon, J.; Jung, J.; Kang, D.; Kim, H.; Won, D. An improved anonymous authentication scheme for roaming in ubiquitous networks. PLoS ONE 2018, 13, e0193366.
  25. Gope, P.; Hwang, T. Lightweight and energy-efficient mutual authentication and key agreement scheme with user anonymity for secure communication in global mobility networks. IEEE Syst. J. 2015, 10, 1370–1379.
  26. Lu, Y.; Xu, G.; Li, L.; Yang, Y. Robust Privacy-Preserving Mutual Authenticated Key Agreement Scheme in Roaming Service for Global Mobility Networks. IEEE Syst. J. 2019, 1–12.
  27. Eisenbarth, T.; Kasper, T.; Moradi, A.; Paar, C.; Salmasizadeh, M.; Shalmani, M. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. In Advances in Cryptology, CRYPTO 2008; Wagner, D., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5157, pp. 203–220.
  28. Dolev, D.; Yao, A.C. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208.
  29. He, D.; Zeadally, S.; Kumar, N.; Lee, J.H. Anonymous Authentication for Wireless Body Area Networks With Provable Security. IEEE Syst. J. 2016, 11, 2590–2601.
  30. He, D.; Kumar, N.; Shen, H.; Lee, J.H. One-to-many authentication for access control in mobile pay-TV systems. Sci. China Inf. Sci. 2016, 59, 052108.
  31. Kumari, S.; Li, X.; Wu, F.; Das, A.K.; Arshad, H.; Khan, M.K. A user friendly mutual authentication and key agreement scheme for wireless sensor networks using chaotic maps. Future Gener. Comput. Syst. 2016, 63, 56–75.
  32. Hoffstein, J. An introduction to cryptography. In An Introduction to Mathematical Cryptography; Springer: Berlin/Heidelberg, Germany, 2008; pp. 1–523.
  33. Bellare, M.; Rogaway, P. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS93, Fairfax, VA, USA, 3–5 November 1993; pp. 62–73.
  34. Xie, Q.; Hwang, L. Security enhancement of an anonymous roaming authentication scheme with two-factor security in smart city. Neurocomputing 2019, 347, 131–138.
  35. Mansoor, K.; Ghani, A.; Chaudhry, S.A.; Shamshirband, S.; Ghayyur, S.A.K.; Mosavi, A. Securing IoT-Based RFID Systems: A Robust Authentication Protocol Using Symmetric Cryptography. Sensors 2019, 19, 4752.
  36. Ghani, A.; Mansoor, K.; Mehmood, S.; Chaudhry, S.A.; Rahman, A.U.; Najmus Saqib, M. Security and key management in IoT-based wireless sensor networks: An authentication protocol using symmetric key. Int. J. Commun. Syst. 2019, 32, e4139.
  37. Kilinc, H.; Yanik, T. A Survey of SIP Authentication and Key Agreement Schemes. IEEE Commun. Surv. Tutor. 2014, 16, 1005–1023.
Figure 1. Roaming user authentication.
Figure 2. Proposed Scheme.
Figure 3. ProVerif Simulation.
Table 1. Notations.
Notation | Definition
$MU_x$, $HA_z$, $FA_y$ | Mobile Node, Home Network, Foreign Network
$ID_{mx}$, $ID_{hz}$, $ID_{fy}$ | Identities of $MU_x$, $HA_z$ and $FA_y$
$PW_{mx}$, $PWU_{hz}$ | Password and concealed password of $MU_x$
$K_{xz}$, $K_{yz}$ | Shared keys between $MU_x$, $HA_z$ and $FA_y$, $HA_z$
$E_p(a,b)$, $P$ | Elliptic curve and a base point over the curve
$S_h$, $P_h = S_h P$ | Private and public key pair of $HA_z$
$E_k / D_k$ | Symmetric encryption/decryption
$h()$, $H()$ | Two one-way hash functions
$(\cdot)_x$, $\oplus$ | x-coordinate of an EC point, exclusive-OR
$Mac_k$ | Key-based MAC
Table 2. Comparison of functional security.
Features ↓ / Scheme → | [9] | [12] | [14] | [25] | [26] | Our
Mutual Authentication
Correctness
User Anonymity/Untraceability
Perfect Forward Secrecy
Resists User Forgery
Resists Stolen Verifier
Resists Insiders
Resists Stolen Smart-Card
Resists Known Session parameters
Provides: ✓, Not-Provides: ✗.
Table 3. Comparison of computation cost.
Scheme ↓ / Entity → | $MU_x$ | $FA_y$ | $HA_z$ | Total | Time (ms)
[9] | $10T_{hm} + 2T_{pme}$ | $4T_{hm} + 2T_{pme}$ | $4T_{hm}$ | $18T_{hm} + 4T_{pme}$ | 8.9454
[12] | $5T_{pme} + 1T_{pae} + 7T_{hm} + 1T_{mtp} + 1T_{pb}$ | $3T_{pme} + 1T_{pb} + 5T_{hm}$ | $2T_{pme} + 5T_{hm}$ | $10T_{pme} + 1T_{pae} + 17T_{hm} + 2T_{pb} + 1T_{mtp}$ | 34.936
[14] | $3T_{hm} + 1T_{me}$ | $4T_{hm}$ | $5T_{hm} + 1T_{me}$ | $12T_{hm} + 2T_{me}$ | 7.7276
[25] | $6T_{hm}$ | $5T_{hm}$ | $10T_{hm}$ | $21T_{hm}$ | 0.0483
[26] | $10T_{hm} + 5T_{pme} + 3T_{pae} + 2T_{ed}$ | $6T_{hm} + 4T_{pme} + 2T_{pae}$ | $9T_{hm} + 6T_{pme} + 5T_{pae} + 1T_{ed}$ | $25T_{hm} + 15T_{pme} + 10T_{pae} + 3T_{ed}$ | 33.7493
Our | $9T_{hm} + 5T_{pme} + 2T_{pae}$ | $6T_{hm} + 4T_{pme} + 2T_{pae}$ | $8T_{hm} + 5T_{pme} + 3T_{pae}$ | $23T_{hm} + 14T_{pme} + 7T_{pae}$ | 31.8946