# A Secure Mobility Network Authentication Scheme Ensuring User Anonymity


## Abstract


## 1. Introduction

## 2. The Proposed Secure Mobility Network Authentication Scheme Ensuring User Anonymity

#### 2.1. Registration Phase

- Step 1: MU selects his/her password $p_{MU}$ and identifier $ID_{MU}$.
- Step 2: MU sends $ID_{MU}$ and $p_{MU}$ to HA via a secure channel.
- Step 3: After HA receives $\{ID_{MU}, p_{MU}\}$ from MU, HA checks whether $ID_{MU}$ already exists. If it does not, HA generates a random nonce $R_{MU}$ and the secret key $p_{HA-MU}$ for MU.
- Step 4: HA computes $PW_{MU} = h(ID_{MU} || p_{MU})$, $U = h(p_{HA-MU} || R_{MU})$, $W = PW_{MU} \oplus R_{MU}$, $V = R_{MU} \oplus p_{HA-MU}$ and $L = h(ID_{MU} || R_{MU} || PW_{MU})$.
- Step 5: HA stores $\{ID_{HA}, L, W, V, h(\cdot)\}$ into a smart card and issues it to MU via a secure channel.
- Step 6: HA stores $\{U, R_{MU}, p_{HA-MU}\}$ into HA's database for MU.

#### 2.2. Login Phase

- Step 1: MU inserts his/her smart card into his/her terminal device and enters $ID_{MU}$ and $p_{MU}$.
- Step 2: The smart card computes $PW_{MU} = h(ID_{MU} || p_{MU})$, $R_{MU} = W \oplus PW_{MU}$, and $L' = h(ID_{MU} || R_{MU} || PW_{MU})$.
- Step 3: The smart card checks if $L'$ is equal to $L$. If it does not hold, the smart card aborts the process and increments the count of consecutive times $L'$ differs from $L$. If the entered $ID_{MU}$ and $p_{MU}$ make $L'$ and $L$ differ three consecutive times, the smart card locks itself automatically. Note that the counter is reset to zero when the entered $ID_{MU}$ and $p_{MU}$ yield $L'$ equal to $L$.

#### 2.3. Authentication and Establishment of the Session Key Phase

HA and each FA share a secret key $p_{FA-HA}$ in advance, where different FAs possess different $p_{FA-HA}$'s. The authentication and establishment of the session key phase is depicted in Figure 4, and the details are as follows:

- Step 1: The smart card generates a new random nonce $R_{MU_{new}}$ and selects a random number $b_0$.
- Step 2: The smart card computes $b_0P$, $R_{MU} = PW_{MU} \oplus W$, $p_{HA-MU} = R_{MU} \oplus V$, $S_1 = h(p_{HA-MU} || R_{MU})$, $S_2 = R_{MU} \oplus R_{MU_{new}}$, and $S_3 = h(R_{MU} \oplus h(p_{HA-MU} || R_{MU_{new}}) || b_0P.x)$.
- Step 3: MU sends $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$ to FA and stores $\{b_0, R_{MU_{new}}\}$.
- Step 4: After FA receives $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$, FA selects a new random number $a_0$ and computes $a_0P$ and $S_{FA_1} = h(a_0P.x || b_0P.x || p_{FA-HA})$.
- Step 5: FA stores the information $\{ID_{HA}, b_0P, a_0, a_0P\}$ and sends $\{ID_{FA}, S_1, S_2, S_3, a_0P, b_0P, S_{FA_1}\}$ to HA.
- Step 6: When HA receives $\{ID_{FA}, S_1, S_2, S_3, a_0P, b_0P, S_{FA_1}\}$, HA uses $S_1$ to look up the corresponding data $\{R_{MU}, p_{HA-MU}\}$ in its database, since the matching $\{R_{MU}, p_{HA-MU}\}$ satisfies $S_1 = h(p_{HA-MU} || R_{MU})$. Then HA computes $R_{MU_{new}} = S_2 \oplus R_{MU}$, $S'_3 = h(R_{MU} \oplus h(p_{HA-MU} || R_{MU_{new}}) || b_0P.x)$, and $S'_{FA_1} = h(a_0P.x || b_0P.x || p_{FA-HA})$.
- Step 7: HA checks if $S'_3 = S_3$ and $S'_{FA_1} = S_{FA_1}$. If both hold, HA selects a new random number $c_0$ and computes $c_0P$ and $S_4 = h(c_0b_0P.x || a_0P.x || ID_{FA} || ID_{HA} || R_{MU} || R_{MU_{new}})$; otherwise, HA aborts this authentication request and terminates this phase. After that, HA updates $U$ and $R_{MU}$ stored in its database to $h(p_{HA-MU} || R_{MU_{new}})$ and $R_{MU_{new}}$, respectively. Note that the original $U = S_1$ and the original $R_{MU}$ are also kept in HA's database to resist the synchronization problem: when only HA's data has been updated, the original $U$ instead of the updated one will be matched to find the corresponding data $\{$the original $R_{MU}$, $p_{HA-MU}\}$.
- Step 8: HA computes $S_{FA_2} = h(c_0a_0P.x || b_0P.x || p_{FA-HA})$ and sends $\{ID_{HA}, c_0P, S_4, S_{FA_2}\}$ to FA.
- Step 9: After receiving $\{ID_{HA}, c_0P, S_4, S_{FA_2}\}$ from HA, FA checks if $ID_{HA}$ exists in its database. If it does, FA computes $S'_{FA_2} = h(a_0c_0P.x || b_0P.x || p_{FA-HA})$ and checks if $S'_{FA_2} = S_{FA_2}$. If it holds, FA computes $K_{MF_0} = h(a_0b_0P.x)$ and $C_{MF_0} = h(h(K_{MF_0} || b_0P.x))$; otherwise, FA terminates this phase directly.
- Step 10: FA sends $\{ID_{FA}, S_4, a_0P, c_0P, C_{MF_0}\}$ to MU.
- Step 11: When MU receives $\{ID_{FA}, S_4, a_0P, c_0P, C_{MF_0}\}$, MU computes $S'_4 = h(b_0c_0P.x || a_0P.x || ID_{FA} || ID_{HA} || R_{MU} || R_{MU_{new}})$ and checks whether $S_4$ is equal to $S'_4$. If it does not hold, MU terminates this phase directly; otherwise, MU computes the session key $K_{MF_0} = h(b_0a_0P.x)$, $C'_{MF_0} = h(K_{MF_0} || b_0P.x)$, and $C''_{MF_0} = h(C'_{MF_0})$, and checks if $C_{MF_0} = C''_{MF_0}$. If it does not hold, MU terminates this phase directly; otherwise, MU computes $B_{MF_0} = h(c_0P.x || K_{MF_0})$, updates $W$ to $W_{new} = PW_{MU} \oplus R_{MU_{new}}$ and $V$ to $V_{new} = R_{MU_{new}} \oplus p_{HA-MU}$, and stores $C'_{MF_0}$, $a_0P$, $b_0P$, and the session key $K_{MF_0}$.
- Step 12: MU sends $\{B_{MF_0}\}$ to FA.
- Step 13: After obtaining $\{B_{MF_0}\}$, FA computes $B'_{MF_0} = h(c_0P.x || K_{MF_0})$ and checks if $B_{MF_0} = B'_{MF_0}$. If it does not hold, FA terminates this phase directly; otherwise, FA stores $\{C_{MF_0}, a_0P, b_0P, K_{MF_0}\}$ into its database.

#### 2.4. Update Session Key Phase

MU and FA share the session key $K_{MF_i} = h(a_ib_iP.x) = h(b_ia_iP.x)$, while FA and MU store $\{C_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ and $\{C'_{MF_i}, a_iP, b_iP, K_{MF_i}\}$, respectively. The update session key phase is depicted in Figure 5, and the details are as follows:

- Step 1: MU selects a new random number $b_{i+1}$ and computes $b_{i+1}P$ and $h_1 = h(b_iP.x || b_{i+1}P.x || K_{MF_i})$.
- Step 2: MU sends $\{b_{i+1}P, C'_{MF_i}, h_1\}$ to FA.
- Step 3: After receiving $\{b_{i+1}P, C'_{MF_i}, h_1\}$, FA checks if $h(C'_{MF_i})$ exists in its database, where $h(C'_{MF_i}) = C_{MF_i}$. If it does not exist, FA terminates this phase; otherwise, FA extracts $\{C_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ from its database.
- Step 4: FA computes $h'_1 = h(b_iP.x || b_{i+1}P.x || K_{MF_i})$ and checks if $h'_1$ is equal to $h_1$. If it does not hold, FA terminates this phase; otherwise, FA selects a new random number $a_{i+1}$ and computes $a_{i+1}P$, $K_{MF_{i+1}} = h(a_{i+1}b_{i+1}P.x)$, $C_{MF_{i+1}} = h(h(K_{MF_{i+1}} || b_{i+1}P.x))$ and $h_2 = h(C_{MF_{i+1}} || K_{MF_i} || K_{MF_{i+1}})$.
- Step 5: FA updates $\{C_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ to $\{C_{MF_{i+1}}, a_{i+1}P, b_{i+1}P, K_{MF_{i+1}}\}$ in its database and sends $\{a_{i+1}P, h_2\}$ to MU.
- Step 6: When MU receives $\{a_{i+1}P, h_2\}$ from FA, MU computes $K_{MF_{i+1}} = h(b_{i+1}a_{i+1}P.x)$, $C'_{MF_{i+1}} = h(K_{MF_{i+1}} || b_{i+1}P.x)$, and $h'_2 = h(h(C'_{MF_{i+1}}) || K_{MF_i} || K_{MF_{i+1}})$. Then, MU checks if $h'_2$ is equal to $h_2$. If it does not hold, MU terminates this phase; otherwise, MU updates $\{C'_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ to $\{C'_{MF_{i+1}}, a_{i+1}P, b_{i+1}P, K_{MF_{i+1}}\}$ in the mobile device.
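The authentication and establishment of the session key phase (Section 2.3) and the update session key phase (Section 2.4), run end to end between MU, FA and HA, as an added Python example that is not the authors' code. It assumes the secp256k1 curve as $E_p(a, b)$ with its generator as $P$, SHA-256 as $h(\cdot)$, and a constructed fault `drop_step10` that models the case of Step 7 where HA has updated $U$ and $R_{MU}$ but the card never updated $W$ and $V$.

```python
import hashlib, secrets

# secp256k1 (public standard constants) plays E_p(a, b); its generator plays the point P.
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, PRIME) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, PRIME)) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def ec_mul(k, pt):  # double-and-add k*pt; k in [1, ORDER-1] never reaches infinity
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):  # h(.) is SHA-256 over the concatenation (||) of its arguments
    return hashlib.sha256(b"".join(parts)).digest()

def xb(pt): return pt[0].to_bytes(32, "big")           # pt.x as 32 bytes
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rnd(): return secrets.randbelow(ORDER - 1) + 1     # random scalar in [1, ORDER-1]

def setup(id_mu=b"mu-001", pw=b"constructed-password"):
    """Registration phase (Section 2.1) with constructed sample values; returns (mu, fa, ha)."""
    p_fh, p_hm, r_mu = (secrets.token_bytes(32) for _ in range(3))  # p_FA-HA, p_HA-MU, R_MU
    pw_mu = h(id_mu, pw)
    mu = dict(PW=pw_mu, W=xor(pw_mu, r_mu), V=xor(r_mu, p_hm))      # smart card contents
    u = h(p_hm, r_mu)                                               # U = h(p_HA-MU || R_MU)
    ha = dict(id=b"HA", p_fh=p_fh, db={u: (r_mu, p_hm)}, db_orig={u: (r_mu, p_hm)})
    fa = dict(id=b"FA", p_fh=p_fh, db={})
    return mu, fa, ha

def run_auth(mu, fa, ha, drop_step10=False):
    """Section 2.3, Steps 1-13. drop_step10 is a constructed fault: MU never receives FA's
    Step 10 message, so HA has updated U and R_MU while the card's W and V stay old."""
    r_new, b0 = secrets.token_bytes(32), rnd()                       # Step 1
    b0P = ec_mul(b0, P)
    r_mu = xor(mu["PW"], mu["W"]); p_hm = xor(r_mu, mu["V"])         # Step 2
    s1, s2, s3 = h(p_hm, r_mu), xor(r_mu, r_new), h(xor(r_mu, h(p_hm, r_new)), xb(b0P))
    a0 = rnd(); a0P = ec_mul(a0, P)                                  # Step 4
    s_fa1 = h(xb(a0P), xb(b0P), fa["p_fh"])
    rec = ha["db"].get(s1) or ha["db_orig"].get(s1)                  # Step 6: current U, else original U
    if rec is None:
        return False
    r_db, p_db = rec
    r_new_ha = xor(s2, r_db)
    if s3 != h(xor(r_db, h(p_db, r_new_ha)), xb(b0P)) or s_fa1 != h(xb(a0P), xb(b0P), ha["p_fh"]):
        return False                                                 # Step 7 checks failed
    c0 = rnd(); c0P = ec_mul(c0, P)
    s4 = h(xb(ec_mul(c0, b0P)), xb(a0P), fa["id"], ha["id"], r_db, r_new_ha)
    ha["db"].pop(s1, None); ha["db"][h(p_db, r_new_ha)] = (r_new_ha, p_db)  # Step 7 update
    s_fa2 = h(xb(ec_mul(c0, a0P)), xb(b0P), ha["p_fh"])              # Step 8
    if s_fa2 != h(xb(ec_mul(a0, c0P)), xb(b0P), fa["p_fh"]):         # Step 9
        return False
    k_fa = h(xb(ec_mul(a0, b0P))); c_mf = h(h(k_fa, xb(b0P)))
    if drop_step10:
        return False
    if s4 != h(xb(ec_mul(b0, c0P)), xb(a0P), fa["id"], ha["id"], r_mu, r_new):  # Step 11
        return False
    k_mu = h(xb(ec_mul(b0, a0P))); c_prime = h(k_mu, xb(b0P))
    if c_mf != h(c_prime):
        return False
    mu["W"], mu["V"] = xor(mu["PW"], r_new), xor(r_new, p_hm)        # W_new, V_new on the card
    mu["sess"] = dict(C=c_prime, aP=a0P, bP=b0P, K=k_mu)
    if h(xb(c0P), k_mu) != h(xb(c0P), k_fa):                         # Steps 12-13: B_MF0 check
        return False
    fa["db"][c_mf] = dict(aP=a0P, bP=b0P, K=k_fa)
    return True

def run_update(mu, fa):
    """Update session key phase (Section 2.4, Steps 1-6)."""
    s = mu["sess"]
    b1 = rnd(); b1P = ec_mul(b1, P)                                  # Step 1
    h1 = h(xb(s["bP"]), xb(b1P), s["K"])
    rec = fa["db"].get(h(s["C"]))                                    # Step 3: h(C'_MF_i) = C_MF_i
    if rec is None or h1 != h(xb(rec["bP"]), xb(b1P), rec["K"]):     # Step 4
        return False
    a1 = rnd(); a1P = ec_mul(a1, P)
    k1 = h(xb(ec_mul(a1, b1P))); c1 = h(h(k1, xb(b1P)))
    h2 = h(c1, rec["K"], k1)
    del fa["db"][h(s["C"])]; fa["db"][c1] = dict(aP=a1P, bP=b1P, K=k1)   # Step 5
    k1_mu = h(xb(ec_mul(b1, a1P))); c1_prime = h(k1_mu, xb(b1P))     # Step 6
    if h2 != h(h(c1_prime), s["K"], k1_mu):
        return False
    mu["sess"] = dict(C=c1_prime, aP=a1P, bP=b1P, K=k1_mu)
    return True
```

Running `run_auth` with `drop_step10=True` and then again normally shows the desynchronised card being accepted through HA's original $U$, which is the behaviour Step 7 keeps the original record for.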

#### 2.5. Password Change Phase

- Step 1: MU inserts his/her smart card into his/her terminal device and enters $ID_{MU}$ and $p_{MU}$.
- Step 2: The smart card computes $PW_{MU} = h(ID_{MU} || p_{MU})$, $R_{MU} = W \oplus PW_{MU}$ and $L' = h(ID_{MU} || R_{MU} || PW_{MU})$.
- Step 3: The smart card checks if $L'$ is equal to $L$. If it does not hold, the smart card aborts the process.
- Step 4: If $L'$ equals $L$, MU selects the new password $p_{MU_{new}}$ and sends it to the smart card. Note that this approach can be executed by entering $p_{MU_{new}}$ with an embedded keyboard.
- Step 5: When the smart card receives the new password $p_{MU_{new}}$, it will ask MU to enter $p_{MU_{new}}$ again for correctness. If the reentered password is different from the previous one, the smart card will inform MU of this issue. MU may resend the new password or terminate this phase. If the reentered password and the previous one are the same, the smart card computes $PW_{MU_{new}}$, $W_{new} = PW_{MU_{new}} \oplus R_{MU}$ and $L_{new} = h(ID_{MU} || R_{MU} || PW_{MU_{new}})$. Then, the smart card updates $W$ to $W_{new}$ and $L$ to $L_{new}$.
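The smart card side of the registration phase (Section 2.1), the login phase with its three-strike lock (Section 2.2) and the local password change phase (Section 2.5), as an added Python example that is not the paper's code. It assumes SHA-256 as $h(\cdot)$, `secrets` for $R_{MU}$ and $p_{HA-MU}$, and, by analogy with $PW_{MU}$, $PW_{MU_{new}} = h(ID_{MU} || p_{MU_{new}})$, which the page does not spell out.

```python
import hashlib
import secrets

def h(*parts):
    """h(.) instantiated as SHA-256 over the concatenation (||) of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SmartCard:
    """Holds {ID_HA, L, W, V, h(.)} as issued by HA (Section 2.1, Step 5) and performs the
    local checks of the login phase (2.2) and the password change phase (2.5)."""
    MAX_FAILURES = 3

    def __init__(self, id_ha, L, W, V):
        self.id_ha, self.L, self.W, self.V = id_ha, L, W, V
        self.failures = 0           # consecutive failed logins (2.2, Step 3)
        self.locked = False

    def _check(self, id_mu, p_mu):
        """Steps 2-3 of the login phase: recompute L' from the entered ID_MU, p_MU and stored W."""
        pw_mu = h(id_mu, p_mu)                  # PW_MU = h(ID_MU || p_MU)
        r_mu = xor(self.W, pw_mu)               # R_MU = W xor PW_MU
        return pw_mu, r_mu, h(id_mu, r_mu, pw_mu) == self.L

    def login(self, id_mu, p_mu):
        if self.locked:
            return False
        _, _, ok = self._check(id_mu, p_mu)
        if ok:
            self.failures = 0                   # counter reset on a correct ID_MU, p_MU
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True                  # third consecutive mismatch locks the card
        return False

    def change_password(self, id_mu, p_mu, p_new, p_new_again):
        """Password change phase: verify L, confirm the re-entered password, refresh W and L.
        R_MU and the p_HA-MU hidden in V are unchanged, so HA is not contacted."""
        if self.locked:
            return False
        pw_mu, r_mu, ok = self._check(id_mu, p_mu)
        if not ok or p_new != p_new_again:
            return False
        pw_new = h(id_mu, p_new)                # assumed: PW_MU_new = h(ID_MU || p_MU_new)
        self.W = xor(pw_new, r_mu)              # W_new = PW_MU_new xor R_MU
        self.L = h(id_mu, r_mu, pw_new)         # L_new = h(ID_MU || R_MU || PW_MU_new)
        return True

def register(id_mu, p_mu, id_ha=b"HA"):
    """Registration phase as done by HA: returns the issued card and HA's database record."""
    r_mu, p_ha_mu = secrets.token_bytes(32), secrets.token_bytes(32)   # R_MU, p_HA-MU
    pw_mu = h(id_mu, p_mu)
    U = h(p_ha_mu, r_mu)
    W = xor(pw_mu, r_mu)
    V = xor(r_mu, p_ha_mu)
    L = h(id_mu, r_mu, pw_mu)
    return SmartCard(id_ha, L, W, V), {U: (r_mu, p_ha_mu)}

def recovered_secrets(card, id_mu, p_mu):
    """What the card derives at authentication time (2.3, Step 2): R_MU = PW_MU xor W and
    p_HA-MU = R_MU xor V; a password change must leave both unchanged."""
    pw_mu = h(id_mu, p_mu)
    r_mu = xor(pw_mu, card.W)
    return r_mu, xor(r_mu, card.V)
```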

## 3. Property Analysis

#### 3.1. User Anonymity

MU's secret $PW_{MU}$ is computed as $h(ID_{MU} || p_{MU})$ and is never transmitted when MU wants to access the roaming service. In the authentication and establishment of the session key phase, MU sends $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$ to FA, where $S_1 = h(p_{HA-MU} || R_{MU})$, $S_2 = R_{MU} \oplus R_{MU_{new}}$, and $S_3 = h(R_{MU} \oplus h(p_{HA-MU} || R_{MU_{new}}) || b_0P.x)$. After authenticating MU and FA successfully, HA sends $\{ID_{HA}, c_0P, S_4, S_{FA_2}\}$ to FA, where $S_4 = h(c_0b_0P.x || a_0P.x || ID_{FA} || ID_{HA} || R_{MU} || R_{MU_{new}})$. Parameters $S_1$, $S_2$, $S_3$, and $S_4$ contain MU's specific information $R_{MU}$ and $R_{MU_{new}}$ and are transmitted via public channels. Because $R_{MU}$ and $R_{MU_{new}}$ are updated in each session, $S_1$, $S_2$, $S_3$, and $S_4$ in one session differ from those in other sessions. That is, no constant parameter is transmitted for MU in different sessions, and our scheme ensures user anonymity.

#### 3.2. Resistance to Common Attacks

… $R_{MU}$ kept by HA will be updated to $R_{MU_{new}}$ after MU is authenticated successfully, and MU will update $W$ to $W_{new} = PW_{MU} \oplus R_{MU_{new}}$ and $V$ to $V_{new} = R_{MU_{new}} \oplus p_{HA-MU}$ after MU is assured that $C_{MF_0} = C''_{MF_0}$. If only HA updates $U$ to $h(p_{HA-MU} || R_{MU_{new}})$ and $R_{MU}$ to $R_{MU_{new}}$ while $W$ and $V$ are not updated, MU may be regarded as an illegal user. That is, the proposed scheme has to resist desynchronization attacks to ensure that an authorized mobile user can still access the service even when the new authentication parameters are modified by an attacker. Third, the proposed scheme has to resist insider attacks, such that no one can impersonate a legal mobile user even when a malicious insider with privileges can access the home agent's database. Fourth, the proposed scheme has to resist replay attacks, such that no one can impersonate MU to cheat FA and HA by sending the intercepted data transmitted in previous sessions. Fifth, because the computational capacities of computers progress rapidly, an attacker can eavesdrop to get transmitted messages and analyze them offline. That is, an attacker may attempt to retrieve the secrets $p_{HA-MU}$ and $p_{FA-HA}$ by mounting an offline secret key guessing attack. The corresponding analysis is given as follows.

… $b_0P$. However, this approach will never succeed because MU computes $S_3 = h(R_{MU} \oplus h(p_{HA-MU} || R_{MU_{new}}) || b_0P.x)$ for HA and HA verifies $b_0P$ by checking whether $S_3 = S'_3$. FA can also verify $b_0P$ by checking whether $S'_{FA_2} = S_{FA_2}$. On the other hand, if the attacker tries to impersonate FA and establish the session key with MU by modifying $a_0P$, this approach will never succeed because HA can verify $a_0P$ by checking whether $S'_{FA_1} = S_{FA_1}$ and MU can verify $a_0P$ by checking whether $S_4 = S'_4$. In the update session key phase, FA authenticates MU by checking if $h_1 = h'_1$ and MU authenticates FA by checking if $h_2 = h'_2$. Because of the above reasons, our scheme can resist man-in-the-middle attacks.

… $h(p_{HA-MU} || R_{MU_{new}})$ and $R_{MU}$ to $R_{MU_{new}}$ in its database. Although MU does not update $W$ and $V$ in his/her smart card, MU can still be authenticated by HA successfully because HA stores the original $R_{MU}$ and the original $U$. Because of the above reasons, our scheme can resist desynchronization attacks.

… $p_{MU}$ and $ID_{MU}$ to compute MU's secret $PW_{MU}$, where $PW_{MU} = h(ID_{MU} || p_{MU})$. Therefore, our scheme can resist insider attacks.

In Step 3, MU sends $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$ to FA and stores $R_{MU_{new}}$, where $S_1 = h(p_{HA-MU} || R_{MU})$, $S_2 = R_{MU} \oplus R_{MU_{new}}$, and $S_3 = h(R_{MU} \oplus h(p_{HA-MU} || R_{MU_{new}}) || b_0P.x)$. In Step 10, FA sends $\{ID_{FA}, S_4, a_0P, c_0P, C_{MF_0}\}$ to MU, where $C_{MF_0} = h(h(K_{MF_0} || b_0P.x)) = h(h(h(a_0b_0P.x) || b_0P.x))$. In Step 12, MU sends $\{B_{MF_0}\}$ to FA, where $B_{MF_0} = h(c_0P.x || K_{MF_0})$. In Step 13, FA computes $B'_{MF_0} = h(c_0P.x || K_{MF_0})$ and checks if $B_{MF_0} = B'_{MF_0}$ to determine whether MU is legal. After an attacker eavesdrops, he may use the intercepted data to cheat HA and FA to access services. However, the attacker cannot mount a replay attack successfully because of the following. $K_{MF_0} = h(a_0b_0P.x)$ and $B_{MF_0} = h(c_0P.x || K_{MF_0}) = h(c_0P.x || h(a_0b_0P.x))$. If the attacker wants to cheat, he has to obtain $a_0b_0P$. Although $a_0P$ and $b_0P$ are available, the attacker knows neither $a_0$ nor $b_0$ because of the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP). As a result, the attacker cannot compute $a_0b_0P$ to obtain $B_{MF_0}$. Since $B_{MF_0}$ cannot be obtained by the attacker, he cannot be authenticated by FA successfully by retransmitting the intercepted data. Therefore, our scheme can resist replay attacks.

… $S_{FA_1} = h(a_0P.x || b_0P.x || p_{FA-HA})$ and $S_{FA_2} = h(c_0a_0P.x || b_0P.x || p_{FA-HA})$. The secret $p_{FA-HA}$ shared between FA and HA is contained in both $S_{FA_1}$ and $S_{FA_2}$. Although $a_0P$, $b_0P$ and $c_0P$ are available, an attacker cannot compute $c_0a_0P$ because of the difficulty of solving ECDLP. On the other hand, MU authenticates HA by checking whether $S_4 = S'_4$ and HA authenticates MU by checking whether $S_3 = S'_3$, where $S_4 = h(c_0b_0P.x || a_0P.x || ID_{FA} || ID_{HA} || R_{MU} || R_{MU_{new}})$ and $S_3 = h(R_{MU} \oplus h(p_{HA-MU} || R_{MU_{new}}) || b_0P.x)$. The secret $p_{HA-MU}$ shared between MU and HA is contained in the transmitted parameters $S_1$ and $S_3$, where $S_1 = h(p_{HA-MU} || R_{MU})$. If an attacker wants to obtain $p_{HA-MU}$, he has to guess $R_{MU}$ at the same time. This makes retrieving $p_{HA-MU}$ hard. Because of the above, offline secret key guessing attacks cannot be mounted on the proposed scheme.

#### 3.3. Local Password Change

… $p_{MU}$ to the new password $PW_{MU_{new}}$, he/she does not need to connect to HA. This means a user can change his/her password at will.

#### 3.4. Mutual Authentication

… $S_{FA_1} = h(a_0P.x || b_0P.x || p_{FA-HA})$ and $S_{FA_2} = h(c_0a_0P.x || b_0P.x || p_{FA-HA})$. Because $p_{FA-HA}$ is only known to FA and HA, only FA and HA can compute the correct parameters to be authenticated successfully. That is, our proposed scheme provides mutual authentication between FA and HA.

… $S_4 = S'_4$, and HA authenticates MU by checking whether $S_3 = S'_3$, where $S_4 = h(c_0b_0P.x || a_0P.x || ID_{FA} || ID_{HA} || R_{MU} || R_{MU_{new}})$ and $S_3 = h(R_{MU} \oplus h(p_{HA-MU} || R_{MU_{new}}) || b_0P.x)$. Only MU and HA can compute the correct parameters to be authenticated successfully, because $p_{HA-MU}$, $R_{MU_{new}}$ and $R_{MU}$ are only known to MU and HA. As a result, our proposed scheme provides mutual authentication between MU and HA.

… $S_4 = S'_4$, where $S_4 = h(c_0b_0P.x || a_0P.x || ID_{FA} || ID_{HA} || R_{MU} || R_{MU_{new}})$. Because only HA and MU know $p_{HA-MU}$, $R_{MU_{new}}$ and $R_{MU}$, only HA can compute $c_0b_0P$ and $S_4$. If $S_4 = S'_4$, it denotes that (1) $a_0P$ is valid because $S_4$ contains $a_0P.x$ and (2) FA has already been authenticated by HA. Then, MU computes the session key $K_{MF_0} = h(b_0a_0P.x)$, $C'_{MF_0} = h(K_{MF_0} || b_0P.x)$, and $C''_{MF_0} = h(C'_{MF_0})$ and checks if $C_{MF_0} = C''_{MF_0}$. If $C_{MF_0} = C''_{MF_0}$, it denotes that FA really knows $K_{MF_0} = h(a_0b_0P.x)$. Because MU has already authenticated HA, MU is assured that only FA knows $a_0$ to compute $K_{MF_0}$. As a result, FA is authenticated successfully by MU. Thereupon, MU computes $B_{MF_0} = h(c_0P.x || K_{MF_0})$ and sends it to FA. After obtaining $\{B_{MF_0}\}$, FA computes $B'_{MF_0} = h(c_0P.x || K_{MF_0})$ and checks if $B_{MF_0} = B'_{MF_0}$. If $B_{MF_0} = B'_{MF_0}$, FA is assured that MU knows $b_0$ to compute $K_{MF_0}$. FA has authenticated HA by checking if $S'_{FA_2} = S_{FA_2}$, where $S_{FA_2} = h(c_0a_0P.x || b_0P.x || p_{FA-HA})$. It denotes that (1) $b_0P$ is valid because $S_{FA_2}$ contains $b_0P.x$ and (2) MU has already been authenticated by HA. As a result, MU is authenticated successfully by FA. Therefore, our proposed scheme provides mutual authentication between MU and FA.

… $K_{MF_i} = h(a_ib_iP.x)$ in the previous session, they can use $K_{MF_i}$ and the stored data to authenticate each other. At that moment, FA stores $\{C_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ and MU stores $\{C'_{MF_i}, a_iP, b_iP, K_{MF_i}\}$, where $C'_{MF_0} = h(K_{MF_0} || b_0P.x)$ and $C_{MF_0} = h(h(K_{MF_0} || b_0P.x)) = h(C'_{MF_0})$. MU selects a random number $b_{i+1}$, computes $b_{i+1}P$ and $h_1 = h(b_iP.x || b_{i+1}P.x || K_{MF_i})$, and sends $\{b_{i+1}P, C'_{MF_i}, h_1\}$ to FA. After receiving $\{b_{i+1}P, C'_{MF_i}, h_1\}$, FA checks if $h(C'_{MF_i})$ exists in its database, where $h(C'_{MF_i}) = C_{MF_i}$. Because it is hard to find the input of the hash function from a known hash value, this search approach protects MU from being traced even if he stays in FA's service domain, and it implies MU's legality. After finding the matched $C_{MF_i}$, FA extracts $\{C_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ from its database and selects $a_{i+1}$. FA computes $h'_1 = h(b_iP.x || b_{i+1}P.x || K_{MF_i})$ and checks if $h'_1 = h_1$. If $h'_1 = h_1$, it denotes that (1) MU indeed knows $K_{MF_i}$ and (2) $b_{i+1}P$ is valid. FA authenticates MU successfully. Then, FA computes $a_{i+1}P$, $K_{MF_{i+1}} = h(a_{i+1}b_{i+1}P.x)$, $C_{MF_{i+1}} = h(h(K_{MF_{i+1}} || b_{i+1}P.x))$ and $h_2 = h(C_{MF_{i+1}} || K_{MF_i} || K_{MF_{i+1}})$. FA updates $\{C_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ to $\{C_{MF_{i+1}}, a_{i+1}P, b_{i+1}P, K_{MF_{i+1}}\}$ in its database and sends $\{a_{i+1}P, h_2\}$ to MU. After receiving $\{a_{i+1}P, h_2\}$, MU computes $K_{MF_{i+1}} = h(b_{i+1}a_{i+1}P.x)$, $C'_{MF_{i+1}} = h(K_{MF_{i+1}} || b_{i+1}P.x)$, and $h'_2 = h(h(C'_{MF_{i+1}}) || K_{MF_i} || K_{MF_{i+1}})$. Then, MU checks if $h'_2 = h_2$. If $h'_2 = h_2$, it denotes that FA indeed knows $K_{MF_i}$ and $K_{MF_{i+1}}$. MU authenticates FA successfully. As a result, mutual authentication is ensured in the update session key phase.

## 4. Further Discussions

#### 4.1. Comparisons

#### 4.2. BAN Logic-Based Authentication Proof

- RBL1 (Message Meaning Rule 1): $\frac{A|\equiv A\stackrel{N}{\leftrightarrow}B,\ A\triangleleft \langle M\rangle_{N}}{A|\equiv B|\sim M}$.
- RBL2 (Message Meaning Rule 2): $\frac{A|\equiv A\stackrel{K}{\leftrightarrow}B,\ A\triangleleft (M)_{K}}{A|\equiv B|\sim M}$.
- RBL3 (Nonce Verification Rule): $\frac{A|\equiv \#(M),\ A|\equiv B|\sim M}{A|\equiv B|\equiv M}$.
- RBL4 (Jurisdiction Rule): $\frac{A|\equiv B\Rightarrow M,\ A|\equiv B|\equiv M}{A|\equiv M}$.
- RBL5 (Freshness Conjunction Rule): $\frac{A|\equiv \#(M)}{A|\equiv \#(M,N)}$.
- RBL6 (Belief Rule): $\frac{A|\equiv (M),\ A|\equiv (N)}{A|\equiv (M,N)}$.
- RBL7 (Session Key Rule): $\frac{A|\equiv \#(M),\ A|\equiv B|\equiv M}{A|\equiv A\stackrel{K}{\leftrightarrow}B}$.

- Goal 1: $HA|\equiv MU\stackrel{R_{MU_{new}},\, c_0b_0P}{\leftrightarrow}HA$.
- Goal 2: $HA|\equiv MU|\equiv MU\stackrel{R_{MU_{new}},\, c_0b_0P}{\leftrightarrow}HA$.
- Goal 3: $MU|\equiv MU\stackrel{R_{MU_{new}},\, b_0c_0P}{\leftrightarrow}HA$.
- Goal 4: $MU|\equiv HA|\equiv MU\stackrel{R_{MU_{new}},\, b_0c_0P}{\leftrightarrow}HA$.
- Goal 5: $HA|\equiv FA\stackrel{c_0a_0P}{\leftrightarrow}HA$.
- Goal 6: $HA|\equiv FA|\equiv FA\stackrel{c_0a_0P}{\leftrightarrow}HA$.
- Goal 7: $FA|\equiv FA\stackrel{a_0c_0P}{\leftrightarrow}HA$.
- Goal 8: $FA|\equiv HA|\equiv FA\stackrel{a_0c_0P}{\leftrightarrow}HA$.
- Goal 9: $MU|\equiv FA\stackrel{K_{MF_0}}{\leftrightarrow}MU$.
- Goal 10: $MU|\equiv FA|\equiv FA\stackrel{K_{MF_0}}{\leftrightarrow}MU$.
- Goal 11: $FA|\equiv FA\stackrel{K_{MF_0}}{\leftrightarrow}MU$.
- Goal 12: $FA|\equiv MU|\equiv FA\stackrel{K_{MF_0}}{\leftrightarrow}MU$.

- $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$
- $\{ID_{FA}, S_1, S_2, S_3, a_0P, b_0P, S_{FA_1}\}$
- $\{ID_{HA}, c_0P, S_4, S_{FA_2}\}$
- $\{ID_{FA}, S_4, a_0P, c_0P, C_{MF_0}\}$

- A1: $MU|\equiv MU\stackrel{R_{MU},\, p_{HA-MU}}{\leftrightarrow}HA$.
- A2: $HA|\equiv MU\stackrel{R_{MU},\, p_{HA-MU}}{\leftrightarrow}HA$.
- A3: $FA|\equiv FA\stackrel{p_{FA-HA}}{\leftrightarrow}HA$.
- A4: $HA|\equiv FA\stackrel{p_{FA-HA}}{\leftrightarrow}HA$.
- A5: $MU|\equiv \#(b_0)$.
- A6: $FA|\equiv \#(a_0)$.
- A7: $HA|\equiv \#(c_0)$.
- A8: $HA|\equiv MU\Rightarrow b_0P$.
- A9: $FA|\equiv MU\Rightarrow b_0P$.
- A10: $MU|\equiv FA\Rightarrow a_0P$.
- A11: $HA|\equiv FA\Rightarrow a_0P$.
- A12: $MU|\equiv HA\Rightarrow c_0P$.
- A13: $FA|\equiv HA\Rightarrow c_0P$.

- $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$
- $\{ID_{FA}, S_1, S_2, S_3, a_0P, b_0P, S_{FA_1}\}$

- S3: $HA|\equiv MU|\sim \{h(p_{HA-MU} || R_{MU}), \langle R_{MU_{new}}\rangle_{R_{MU}}, \langle b_0P\rangle_{R_{MU}\oplus h(p_{HA-MU} || R_{MU_{new}})}, b_0P\}$.
- S4: $HA|\equiv MU\stackrel{R_{MU_{new}},\, c_0b_0P}{\leftrightarrow}HA$. (Goal 1)
- S5: $HA|\equiv MU|\equiv MU\stackrel{R_{MU_{new}},\, c_0b_0P}{\leftrightarrow}HA$. (Goal 2)
- S6: $HA|\equiv FA|\sim \{ID_{FA}, a_0P, (a_0P, b_0P)_{p_{FA-HA}}\}$.
- S7: $HA|\equiv FA\stackrel{c_0a_0P}{\leftrightarrow}HA$. (Goal 5)
- S8: $HA|\equiv FA|\equiv FA\stackrel{c_0a_0P}{\leftrightarrow}HA$. (Goal 6)

- $\{ID_{HA}, c_0P, S_4, S_{FA_2}\}$

- S10: $FA|\equiv HA|\sim \{ID_{HA}, c_0P, (c_0a_0P, b_0P)_{p_{FA-HA}}\}$.
- S11: $FA|\equiv FA\stackrel{a_0c_0P}{\leftrightarrow}HA$. (Goal 7)
- S12: $FA|\equiv HA|\equiv FA\stackrel{a_0c_0P}{\leftrightarrow}HA$. (Goal 8)
- S13: $FA|\equiv MU|\sim b_0P$.
- S14: $FA|\equiv FA\stackrel{K_{MF_0}}{\leftrightarrow}MU$. (Goal 11)
- S15: $FA|\equiv MU|\equiv FA\stackrel{K_{MF_0}}{\leftrightarrow}MU$. (Goal 12)

- $\{ID_{FA}, S_4, a_0P, c_0P, C_{MF_0}\}$

- S17: $MU|\equiv HA|\sim \{(c_0b_0P, a_0P, b_0P, R_{MU_{new}})_{R_{MU}}, a_0P, c_0P\}$.
- S18: $HA|\equiv MU\stackrel{R_{MU_{new}},\, c_0b_0P}{\leftrightarrow}HA$. (Goal 3)
- S19: $MU|\equiv HA|\equiv MU\stackrel{R_{MU_{new}},\, b_0c_0P}{\leftrightarrow}HA$. (Goal 4)
- S20: $MU|\equiv FA\stackrel{K_{MF_0}}{\leftrightarrow}MU$. (Goal 9)
- S21: $MU|\equiv FA|\equiv FA\stackrel{K_{MF_0}}{\leftrightarrow}MU$. (Goal 10)

## 5. Conclusions

… $S_4$ are employed by HA and MU to verify $a_0P$, and $S_3$ and $S_{FA_2}$ are employed by HA and FA to verify $b_0P$. In the update session key phase, $h_1$ and $h_2$ are employed by MU and FA to authenticate each other. Second, HA no longer stores MU's password, and MU can change his/her password locally without connecting to HA. Third, the smart card authenticates MU before the authentication and establishment of the session key phase and the password change phase. Fourth, no fixed parameters are transmitted, which ensures user anonymity.

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## References

1. Suzuki, S.; Nakada, K. An authentication technique based on distributed security management for the global mobility network. IEEE J. Sel. Areas Commun. 1997, 15, 1608–1617.
2. Buttyan, L.; Gbaguidi, C.; Staamann, S.; Wilhelm, U. Extensions to an authentication technique proposed for the global mobility network. IEEE Trans. Commun. 2000, 48, 373–376.
3. Tzeng, Z.J.; Tzeng, W.G. Authentication of mobile users in third generation mobile systems. Wirel. Pers. Commun. 2001, 16, 35–50.
4. Hwang, K.F.; Chang, C.C. A self-encryption mechanism for authentication of roaming and teleconference services. IEEE Trans. Wirel. Commun. 2003, 2, 400–407.
5. Zhu, J.; Ma, J. A new authentication scheme with anonymity for wireless environments. IEEE Trans. Consum. Electron. 2004, 50, 230–234.
6. Lee, C.Y.; Chang, C.C.; Lin, C.H. User authentication with anonymity for global mobility networks. In Proceedings of the 2005 IEEE Mobility Conference, the Second Asia Pacific Conference on Mobile Technology, Guangzhou, China, 15–17 November 2005; pp. 1–5.
7. Lee, C.C.; Hwang, M.S.; Liao, I.E. Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Trans. Ind. Electron. 2006, 53, 1683–1687.
8. Chang, C.C.; Lee, C.Y.; Chiu, Y.C. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Comput. Commun. 2009, 32, 611–618.
9. Kuo, W.C.; Wei, H.J.; Cheng, J.C. An efficient and secure anonymous mobility network authentication scheme. J. Inf. Secur. Appl. 2014, 19, 18–24.
10. Lu, Y.; Wu, X.; Yang, X. A secure anonymous authentication scheme for wireless communications using smart cards. Int. J. Netw. Secur. 2015, 17, 237–245.
11. Chang, Y.F.; Hsu, M.H.; Tai, W.L. Comments on Kuo et al.'s anonymous mobility network authentication scheme. In Proceedings of the 4th Annual Conference on Engineering and Information Technology (ACEAIT 2016), Kyoto, Japan, 29–31 March 2016; pp. 778–785.
12. Chang, Y.F.; Peng, C.H.; Tai, W.L. Comments on a secure anonymous authentication scheme for wireless communications using smart cards. In Proceedings of the International Conference on Innovation and Management (IAM2017 Winter), Tokyo, Japan, 7–10 February 2017; pp. 527–536.
13. Alizadeh, M.; Baharun, S.; Zamani, M.; Khodadadi, T.; Darvishc, M.; Gholizadeh, S.; Ahmadi, H. Anonymity and Untraceability Assessment of Authentication Protocols in Proxy Mobile IPv6. J. Teknol. 2015, 72, 31–34.
14. Ibrahim, M.H.; Kumari, S.; Das, A.K.; Wazid, M.; Odelu, V. Secure Anonymous Mutual Authentication for Star Two-tier Wireless Body Area Networks. Comput. Methods Programs Biomed. 2016, 135, 37–50.
15. Amin, R.; Islam, S.K.H.; Biswas, G.P.; Khan, M.K.; Leng, L.; Kumar, N. Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. Comput. Netw. 2016, 101, 42–62.
16. Wang, X.; Mu, Y. Communication security and privacy support in 6LoWPAN. Inf. Secur. Appl. 2017, 34, 108–119.
17. Kumari, S.; Li, X.; Wu, F.; Das, A.K.; Choo, K.R. Design of a provably secure biometrics-based multi-cloud-server authentication scheme. Future Gener. Comput. Syst. 2017, 68, 320–330.
18. Tai, W.L.; Chang, Y.F.; Li, W.H. An IOT notion–based authentication and key agreement scheme ensuring user anonymity for heterogeneous ad hoc wireless sensor networks. Inf. Secur. Appl. 2017, 34, 133–141.
19. Burrows, M.; Abadi, M.; Needham, R.M. A logic of authentication. ACM Trans. Comput. Syst. 1990, 8, 18–36.

| Symbol | Definition |
|---|---|
| MU | A mobile user |
| FA | A foreign agent |
| HA | The home agent |
| $ID_A$ | The identifier of an entity A |
| $h(\cdot)$ | A collision-free one-way hash function |
| $p_{MU}$ | The password chosen by MU |
| $PW_{MU}$ | The secret of MU, computed from $ID_{MU}$ and $p_{MU}$ |
| $R_A$ | A random nonce chosen by an entity A |
| $p$ | A prime greater than $2^{160}$ |
| $n$ | A prime greater than $2^{160}$ |
| $P$ | A point of order $n$ on the elliptic curve $E_p(a, b)$, where $a, b \in Z_p$, $E_p(a, b): y^2 = x^3 + ax + b$ and $4a^3 + 27b^2 \neq 0$ |
| $P.x$ | The x coordinate of the point $P$ |
| $p_{HA-MU}$ | The secret key of HA for MU |
| $p_{FA-HA}$ | The secret key shared between HA and FA |
| \|\| | Concatenation operator |
| ⊕ | Exclusive-or operator |

| Schemes | Ours | Kuo et al.'s [9] | Lu et al.'s [10] |
|---|---|---|---|
| Local password change | Yes | No | Yes |
| Anonymity | Yes | Yes | No |
| Insider attack resistance | Yes | No | Yes |
| Man-in-the-middle attack resistance | Yes | No | Yes |
| The synchronization problem resistance | Yes | No | Yes |
| Replay attack resistance | Yes | Yes | No |

| Symbol | Definition |
|---|---|
| A, B | Principals, i.e., general instances participating in a protocol. |
| $A \mid\equiv M$ | A believes the statement M. |
| $A \triangleleft M$ | A sees M. |
| $A \mid\sim M$ | A once said M. |
| $A \Rightarrow M$ | A has jurisdiction over M. |
| $\#(M)$ | M is a fresh message. |
| $\langle M \rangle_N$ | Formula M is combined with formula N. |
| $(M, N)$ | M or N is one part of message (M, N). |
| $(M)_K$ | M is hashed with the secret K. |
| $A \stackrel{K}{\leftrightarrow} B$ | K is the secret shared between A and B. |

© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Chang, Y.-F.; Tai, W.-L.; Hsu, M.-H.
A Secure Mobility Network Authentication Scheme Ensuring User Anonymity. *Symmetry* **2017**, *9*, 307.
https://doi.org/10.3390/sym9120307

**AMA Style**

Chang Y-F, Tai W-L, Hsu M-H.
A Secure Mobility Network Authentication Scheme Ensuring User Anonymity. *Symmetry*. 2017; 9(12):307.
https://doi.org/10.3390/sym9120307

**Chicago/Turabian Style**

Chang, Ya-Fen, Wei-Liang Tai, and Min-How Hsu.
2017. "A Secure Mobility Network Authentication Scheme Ensuring User Anonymity" *Symmetry* 9, no. 12: 307.
https://doi.org/10.3390/sym9120307