A Secure Mobility Network Authentication Scheme Ensuring User Anonymity

With the rapid growth of network technologies, users are used to accessing various services with their mobile devices. To ensure security and privacy in mobility networks, proper mechanisms to authenticate the mobile user are essential. In this paper, a mobility network authentication scheme based on elliptic curve cryptography is proposed. In the proposed scheme, a mobile user can be authenticated without revealing who he is for user anonymity, and a session key is also negotiated to protect the following communications. The proposed mobility network authentication scheme is analyzed to show that it can ensure security, user anonymity, and convenience. Moreover, Burrows-Abadi-Needham logic (BAN logic) is used to deduce the completeness of the proposed authentication scheme.


Introduction
With the rapid growth of network technologies, users are used to accessing various services with their mobile devices. As a result, mobile devices and mobility networks play an important role in people's daily lives. There are three entities in mobility networks: the mobile user, the home agent, and the foreign agent. Before being able to access mobile services, a mobile user needs to register with the home agent. After successful registration, the mobile user with a mobile device can access mobile services. These mobile services are provided by the home agent directly or by a foreign agent. If the requested mobile service is provided by a foreign agent, the registered mobile user needs the home agent's help to be authenticated by the foreign agent. An illustration of mobility networks is shown in Figure 1, where a mobile user with a mobile device can be regarded as a mobile node. Plenty of mobility network applications have been proposed and are in use because they provide great convenience.
Although mobility networks bring people great convenience and advantages, security threats exist. First, the transmission medium is a public but insecure channel, so an attacker can easily eavesdrop on or intercept the transmitted data. Second, when a mobile user enters a service domain dominated by a new foreign agent, the mobile user has to access services via the new foreign agent. In this condition, two issues arise: (1) how the mobile user determines whether the foreign agent is legal; and (2) how the foreign agent determines whether the mobile user is legal. That is, the mobile user and the foreign agent have to authenticate each other. Unfortunately, in the beginning, no secret is shared between them. Third, because the mobile user is a visitor, the foreign agent serves the mobile user for as long as he stays. The mobile user may stay continuously, but may not request mobile services continuously. This means that the mobile user and the foreign agent do not always communicate with each other. In such a condition, it is a challenge for the mobile user and the foreign agent to ensure each other's legality after they have already authenticated each other. Fourth, a mobile user may roam. Because the transmission medium is public, anyone can eavesdrop. If an attacker wants to trace a mobile user, he can eavesdrop and use the intercepted messages to obtain the required information.
To ensure security of mobility networks, many authentication protocols have been proposed [1][2][3][4][5][6][7][8][9][10]. In 2004, Zhu and Ma proposed an authentication scheme with anonymity for wireless environments based on the hash function and smart cards [5]. Later, Lee et al. [6] analyzed Zhu and Ma's scheme and found that it does not provide mutual authentication and cannot resist forgery attack. In 2006, Lee et al. [7] proposed an enhancement to improve Zhu and Ma's authentication scheme for wireless networks. In 2009, Chang et al. [8] analyzed Lee et al.'s scheme [7], pointed out that it still suffers from forgery attack, and proposed an improvement. In 2014, Kuo et al. [9] showed that Chang et al.'s scheme cannot ensure anonymity for mobile users and proposed an improvement. Kuo et al. claimed that their scheme could ensure efficiency and security in mobility networks and provide anonymity for mobile users. In 2015, Lu et al. [10] showed that Kuo et al.'s scheme suffers from three drawbacks: vulnerability to insider attack, unfriendly password changes, and no local validation. They also proposed an authentication scheme to remedy these drawbacks. Later, in 2016, Chang et al. [11] found that Kuo et al.'s scheme [9] is vulnerable to two other weaknesses. First, Kuo et al.'s scheme cannot resist man-in-the-middle attacks when a mobile user and a foreign agent negotiate the session key. Via this security flaw, an attacker can impersonate a mobile user and negotiate the session key with the foreign agent. Second, Kuo et al.'s scheme cannot resist the synchronization problem. An attacker only needs to modify the transmitted data in the password change phase such that a legal mobile user can no longer be authenticated by the home agent. Lu et al. [10] claimed that their scheme could defend against replay attack and provide mobile user anonymity.
After thoroughly analyzing Lu et al.'s scheme, Chang et al. found that it possesses three drawbacks [12]. First, Lu et al.'s scheme is vulnerable to replay attack in the authentication with key agreement phase. An attacker only needs to eavesdrop and resend the intercepted message with a new timestamp to cheat the foreign agent and the home agent. Second, user anonymity is not ensured as claimed because some transmitted parameters are fixed. Third, a random number chosen by the mobile user in the registration phase is not stored in his/her smart card. As a result, the mobile user's smart card cannot compute one essential parameter needed to be authenticated by the home agent in the authentication with key agreement phase.
Symmetry 2017, 9, 307
In addition to mobility networks, privacy is also an important topic in different types of networks. To ensure privacy and security in different types of networks, related security mechanisms are proposed [13][14][15][16][17][18]. After analyzing the previous authentication schemes, the weaknesses that they suffer from and the security mechanisms of other networks, we propose a mobility network authentication scheme by considering the following four properties to ensure security and convenience.

Property 1: user anonymity
User anonymity needs to be ensured to prevent an unauthorized party from tracing a specific user. It denotes that only the authorized parties can know who the user is.

Property 2: resistance to common attacks
The proposed authentication scheme should be able to resist common attacks to ensure security.

Property 3: local password change
A mobile user should be able to change his/her password locally and at will without accessing the home agent to make the authentication scheme more convenient and user-friendly.

Property 4: mutual authentication between any two of a mobile user, a foreign agent and the home agent
In a mobility network authentication scheme, any two of a mobile user, a foreign agent and the home agent have to authenticate each other mutually to make sure that the other communication parties are legal.

The rest of this paper is organized as follows. The proposed scheme is shown in Section 2. The corresponding analysis is given in Section 3. Further discussions including comparisons and authentication proof using Burrows-Abadi-Needham logic (BAN logic) [19] are made in Section 4. Finally, some conclusions are given in Section 5.

The Proposed Secure Mobility Network Authentication Scheme Ensuring User Anonymity
In this section, we propose a user anonymity-ensured authentication scheme for mobility networks based on elliptic curve cryptography. Our scheme is composed of five phases: registration phase, login phase, authentication and establishment of the session key phase, update session key phase, and password change phase. A mobile user has to register with the home agent before accessing mobile services. In the registration phase, a mobile user registers with the home agent, the home agent stores parameters in a smart card, and the home agent issues it to the user. The mobile user and the home agent communicate via a secure channel. The home agent stores parameters in a smart card securely because the smart card can only be accessed and modified by privileged users or administrators. In the login phase, a mobile user inserts his smart card into his terminal device. This means that the mobile user and the smart card can exchange required data via the terminal device. The terminal device possesses computational capacities and has a user interface to show the authentication progress or the response. The terminal device will execute computational operations on behalf of the mobile user. The terminal device should be personal or protected with proper security mechanisms such as firewalls. For simplicity, the communications between the mobile user and the smart card will be omitted, and the operations executed by either the user or the terminal device will be attributed to the user. In both the authentication and establishment of the session key phase and the update session key phase, data is transmitted via public channels. Notations used in our mobility network authentication scheme are listed in Table 1. The details are as follows.

Registration Phase
In this phase, if MU wants to access the roaming service, he/she must first register with HA. The registration phase is depicted in Figure 2, and the details are as follows:
Step 1: MU selects his/her password $p_{MU}$ and identifier $ID_{MU}$.
Step 2: MU sends $ID_{MU}$ and $p_{MU}$ to HA via a secure channel.

Login Phase
After registering with HA, MU can log in with the smart card issued in the registration phase to access the roaming service. The login phase is depicted in Figure 3, and the details are as follows:
Step 1: MU inserts his/her smart card into his/her terminal device and enters $ID_{MU}$ and $p_{MU}$.
Step 2: The smart card computes
Step 3: The smart card checks if $L'$ is equal to $L$. If it does not hold, the smart card aborts the process and increments the count of times that $L'$ was not equal to $L$. If the entered $ID_{MU}$ and $p_{MU}$ make $L'$ and $L$ differ from each other three consecutive times, the smart card will be locked automatically. Note that the counter will be reset to zero when the entered $ID_{MU}$ and $p_{MU}$ make $L'$ equal $L$.

Authentication and Establishment of the Session Key Phase
After the login phase, the authentication and establishment of the session key phase is executed. In this phase, MU can be authenticated anonymously and negotiate a session key with FA while roaming. In the proposed scheme, HA and FA share a secret key $p_{FA-HA}$ in advance, where different FAs possess different values of $p_{FA-HA}$. The authentication and establishment of the session key phase is depicted in Figure 4, and the details are as follows:
Step 1: The smart card generates a new random nonce $R_{MU}^{new}$ and selects a random number $b_0$.
Step 2: The smart card computes $b_0P$, $R_{MU}$

After the above, FA and MU share the session key $K_{MF_0}$. Thereupon, the communication between FA and MU can be protected by $K_{MF_0}$.

Update Session Key Phase
After being authenticated by HA via FA, MU can update the session key shared with FA for security reasons while staying in the same FA's domain continuously. For generality, assume that MU has stayed in the same FA's domain and updated the session key $i$ times. Thus, the secret key shared between FA and MU is $K_{MF_i} = h(a_ib_iP.x) = h(b_ia_iP.x)$ while FA and MU store $\{C'_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ and $\{C_{MF_i}, a_iP, b_iP, K_{MF_i}\}$, respectively. The update session key phase is depicted in Figure 5, and the details are as follows:
Step 1: MU selects a new random number $b_{i+1}$ and computes $b_{i+1}P$ and $h_1 = h(b_iP.x \| b_{i+1}P.x \| K_{MF_i})$.

Password Change Phase
MU can change his/her password with his/her smart card at will without HA's help. The password change phase is depicted in Figure 6, and the details are as follows:
Step 1: MU inserts his/her smart card into his/her terminal device and enters $ID_{MU}$ and $p_{MU}$.
Step 2: The smart card computes
Step 3: The smart card checks if $L'$ is equal to $L$. If it does not hold, the smart card aborts the process.
Step 4: If $L'$ equals $L$, MU selects the new password $p_{MU}^{new}$ and sends it to the smart card. Note that this approach can be executed by entering $p_{MU}^{new}$ with an embedded keyboard.

Property Analysis
In this section, we analyze our proposed scheme's security and convenience by taking the following four properties into consideration: (1) user anonymity; (2) resistance to common attacks; (3) local password change; and (4) mutual authentication. In the following, we discuss our scheme to show that it possesses these properties.

User Anonymity
In our proposed scheme, MU's real identifier is concealed in $PW_{MU} = h(ID_{MU} \| p_{MU})$ and is never transmitted when MU wants to access the roaming service. In the authentication and establishment of the session key phase, MU sends $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$ to FA. After authenticating MU and FA successfully, HA sends $\{ID_{HA}, c_0P, S_4, S_{FA_2}\}$ to FA, where $S_4 = h(c_0b_0P.x \| a_0P.x \| ID_{FA} \| ID_{HA} \| R_{MU} \| R_{MU}^{new})$. Parameters $S_1$, $S_2$, $S_3$, and $S_4$ contain MU's specific information $R_{MU}$ and $R_{MU}^{new}$ and are transmitted via public channels. Because $R_{MU}$ and $R_{MU}^{new}$ will be updated in each session, $S_1$, $S_2$, $S_3$, and $S_4$ in one session differ from those in other sessions. That is, no constant parameter is transmitted for MU in different sessions, and our scheme ensures user anonymity.

Resistance to Common Attacks
To show that the proposed authentication scheme can resist common attacks to ensure security, the following common attacks are taken into consideration: man-in-the-middle attack, desynchronization attack, insider attack, replay attack, and offline secret key guessing attack. These attacks are chosen for security analysis for the following reasons. First, HA, MU, and FA transmit data via public channels. It is essential to protect all communication parties from being threatened by an attacker without being detected when the authentication scheme is in progress. This means that the proposed scheme has to resist man-in-the-middle attack. Second, in the authentication and establishment of the session key phase of the proposed scheme, the random nonce $R_{MU}$ kept by HA will be updated to $R_{MU}^{new}$ after MU is authenticated successfully, and MU will update $W$ and $V$. If $R_{MU}$ is updated to $R_{MU}^{new}$ while $W$ and $V$ are not updated, MU may be regarded as an illegal user. That is, the proposed scheme has to resist desynchronization attacks to ensure that an authorized mobile user can access the service even when the new authentication parameters are modified by an attacker. Third, the proposed scheme has to resist insider attacks such that no one can impersonate a legal mobile user even when a malicious insider with privileges can access the home agent's database. Fourth, the proposed scheme has to resist replay attack such that no one can impersonate MU to cheat FA and HA by sending the intercepted data transmitted in previous sessions. Fifth, because the computational capacities of computers progress rapidly, an attacker can eavesdrop to get transmitted messages and analyze them offline. That is, an attacker may attempt to retrieve the secrets $p_{HA-MU}$ and $p_{FA-HA}$ by mounting an offline secret key guessing attack. The corresponding analysis is given as follows.
In the authentication and establishment of the session key phase, an attacker may mount a man-in-the-middle attack by impersonating a communication party to establish the session key with another innocent communication party. First, we assume an attacker tries to impersonate MU and establish the session key with FA by modifying $b_0P$. However, this approach will never succeed because MU computes $S_3 = h(R_{MU} \oplus h(p_{HA-MU} \| R_{MU}^{new}) \| b_0P.x)$ for HA and HA verifies $b_0P$ by checking whether $S_3' = S_3$. FA can also verify $b_0P$ by checking whether $S_{FA_2}' = S_{FA_2}$. On the other hand, if the attacker tries to impersonate FA and establish the session key with MU by modifying $a_0P$, this approach will never succeed because HA can verify $a_0P$ by checking whether $S_{FA_1}' = S_{FA_1}$ and MU can verify $a_0P$ by checking whether $S_4' = S_4$. In the update session key phase, FA authenticates MU by checking if $h_1' = h_1$ and MU authenticates FA by checking if $h_2' = h_2$. Because of the above reasons, our scheme can resist man-in-the-middle attacks.
In the authentication and establishment of the session key phase, an attacker may attempt to mount a desynchronization attack by disturbing the authentication process after HA updates $U$ to $h(p_{HA-MU} \| R_{MU}^{new})$ and $R_{MU}$ to $R_{MU}^{new}$ in its database. Although MU does not update $W$ and $V$ in his/her smart card, MU can still be authenticated by HA successfully because HA stores the original $R_{MU}$ and the original $U$. Because of the above reasons, our scheme can resist desynchronization attack.
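The home agent's lookup-and-update logic behind this argument, as an added Python example that is not code from the paper. SHA-256 stands in for h(·), random 32-byte strings stand in for $b_0P.x$, $S_2 = R_{MU}^{new} \oplus R_{MU}$ is inferred from HA's computation $R_{MU}^{new} = S_2 \oplus R_{MU}$, and the class, method and field names are hypothetical.

```python
import hashlib
import hmac
import secrets

def h(*parts: bytes) -> bytes:
    """h(x1 || x2 || ...); SHA-256 is an assumed stand-in for the paper's h()."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class HomeAgent:
    """Per user: p_HA-MU plus the updated and the original (U, R_MU) pair."""

    def __init__(self):
        self.users = []

    def register(self):
        R, p = secrets.token_bytes(32), secrets.token_bytes(32)
        self.users.append({"p": p, "updated": (h(p, R), R), "original": None})
        return R, p  # held on MU's smart card, masked as W and V

    def authenticate(self, S1, S2, S3, b0P_x):
        for rec in self.users:
            for pair in (rec["updated"], rec["original"]):
                if pair is None or not hmac.compare_digest(pair[0], S1):
                    continue
                U, R = pair
                R_new = xor(S2, R)                       # R_MU^new = S2 xor R_MU
                S3_check = h(xor(R, h(rec["p"], R_new)), b0P_x)
                if not hmac.compare_digest(S3_check, S3):
                    return False                         # abort, nothing updated
                rec["original"] = (U, R)                 # keep the matched pair
                rec["updated"] = (h(rec["p"], R_new), R_new)
                return True
        return False

class MobileUser:
    def __init__(self, R, p):
        self.R, self.p, self.pending = R, p, None

    def request(self, b0P_x):
        self.pending = secrets.token_bytes(32)           # R_MU^new
        S1 = h(self.p, self.R)
        S2 = xor(self.pending, self.R)
        S3 = h(xor(self.R, h(self.p, self.pending)), b0P_x)
        return S1, S2, S3

    def commit(self):
        """Run only after HA's reply was verified (W and V get updated)."""
        self.R, self.pending = self.pending, None

def run_sessions():
    ha = HomeAgent()
    mu = MobileUser(*ha.register())
    x1, x2, x3, x4 = (secrets.token_bytes(32) for _ in range(4))  # constructed b0P.x
    out = {}
    m1 = mu.request(x1)
    out["modified_b0P"] = ha.authenticate(*m1, x2)       # S3 no longer matches
    out["session1"] = ha.authenticate(*m1, x1)
    mu.commit()
    # Session 2: HA accepts and updates, but the reply is lost; MU keeps R_MU.
    m2 = mu.request(x2)
    out["session2_at_HA"] = ha.authenticate(*m2, x2)
    # Session 3: MU retries with the old R_MU; HA finds it via the original U.
    m3 = mu.request(x3)
    out["retry_after_loss"] = ha.authenticate(*m3, x3)
    mu.commit()
    m4 = mu.request(x4)
    out["session4"] = ha.authenticate(*m4, x4)
    out["stale_session1_message"] = ha.authenticate(*m1, x1)
    out["distinct_S1_values"] = len({m1[0], m3[0], m4[0]})
    return out
```

The retry succeeds only because HA kept the original pair; drop `rec["original"]` and `retry_after_loss` becomes False.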
Assume that a malicious insider with privileges tries to get MU's private data in HA's database to impersonate MU. In our proposed scheme, this attack cannot be mounted successfully because HA does not store a user's password and his/her real identifier. No insider can obtain $p_{MU}$ and $ID_{MU}$ to compute MU's secret $PW_{MU}$, where $PW_{MU} = h(ID_{MU} \| p_{MU})$. Therefore, our scheme can resist insider attack.
In the authentication and establishment of the session key phase, anyone can eavesdrop to intercept the transmitted data because the channel is public. In Step 3, MU sends $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$ to FA. In Step 13, FA computes $B_{MF_0}' = h(c_0P.x \| K_{MF_0})$ and checks if $B_{MF_0}' = B_{MF_0}$ to determine whether MU is legal. After an attacker eavesdrops, he may use the intercepted data to cheat HA and FA to access services. However, the attacker cannot mount a replay attack successfully because of the following. $K_{MF_0} = h(a_0b_0P.x)$ and $B_{MF_0} = h(c_0P.x \| K_{MF_0}) = h(c_0P.x \| h(a_0b_0P.x))$. If the attacker wants to cheat, he has to obtain $a_0b_0P$. Although $a_0P$ and $b_0P$ are available, the attacker knows neither $a_0$ nor $b_0$ because of the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP). As a result, the attacker cannot compute $a_0b_0P$ to obtain $B_{MF_0}$. Since $B_{MF_0}$ cannot be obtained by the attacker, he cannot be authenticated by FA successfully by retransmitting the intercepted data. Therefore, our scheme can resist replay attack.
In the authentication and establishment of the session key phase, HA authenticates FA by checking whether $S_{FA_1}' = S_{FA_1}$, and FA authenticates HA by checking whether $S_{FA_2}' = S_{FA_2}$, where $S_{FA_1} = h(a_0P.x \| b_0P.x \| p_{FA-HA})$ and $S_{FA_2} = h(c_0a_0P.x \| b_0P.x \| p_{FA-HA})$. The secret $p_{FA-HA}$ shared between FA and HA is contained in both $S_{FA_1}$ and $S_{FA_2}$. Although $a_0P$, $b_0P$ and $c_0P$ are available, an attacker cannot compute $c_0a_0P$ because of the difficulty of solving ECDLP. On the other hand, MU authenticates HA by checking whether $S_4' = S_4$ and HA authenticates MU by checking whether $S_3' = S_3$, where $S_4 = h(c_0b_0P.x \| a_0P.x \| ID_{FA} \| ID_{HA} \| R_{MU} \| R_{MU}^{new})$ and $S_3 = h(R_{MU} \oplus h(p_{HA-MU} \| R_{MU}^{new}) \| b_0P.x)$. The secret $p_{HA-MU}$ shared between MU and HA is contained in the transmitted parameters $S_1$ and $S_3$, where $S_1 = h(p_{HA-MU} \| R_{MU})$. If an attacker wants to obtain $p_{HA-MU}$, he has to guess $R_{MU}$ at the same time. This makes retrieving $p_{HA-MU}$ hard. Because of the above, offline secret key guessing attacks cannot be mounted on the proposed scheme.

Local Password Change
In our proposed scheme, MU can locally update his/her password. When MU wants to change his/her password $PW_{MU}$ to the new password $PW_{MU}^{new}$, he/she does not need to connect to HA. This means a user can change his/her password at will.

Mutual Authentication
First, we discuss the communication parties MU, FA and HA in the authentication and establishment of the session key phase in the following three cases.
Case 1: Mutual authentication between FA and HA
HA authenticates FA by checking whether $S_{FA_1}' = S_{FA_1}$, and FA authenticates HA by checking whether $S_{FA_2}' = S_{FA_2}$, where $S_{FA_1} = h(a_0P.x \| b_0P.x \| p_{FA-HA})$ and $S_{FA_2} = h(c_0a_0P.x \| b_0P.x \| p_{FA-HA})$. Because $p_{FA-HA}$ is only known to FA and HA, only FA and HA can compute the correct parameters to be authenticated successfully. That is, our proposed scheme provides mutual authentication between FA and HA.
2) MU has been already authenticated by HA. As a result, MU is authenticated successfully by FA. Therefore, our proposed scheme provides mutual authentication between MU and FA.
Second, we discuss the communication parties MU and FA in the update session key phase. Because MU and FA have already shared the session key $K_{MF_i} = h(a_ib_iP.x)$ in the previous session, they can use $K_{MF_i}$ and the stored data to authenticate each other. At the moment, FA stores $\{C'_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ and MU stores $\{C_{MF_i}, a_iP, b_iP, K_{MF_i}\}$, where $C_{MF_0} = h(K_{MF_0} \| b_0P.x)$ and $C'_{MF_0} = h(h(K_{MF_0} \| b_0P.x)) = h(C_{MF_0})$. MU selects $b_{i+1}$, computes $b_{i+1}P$ and $h_1 = h(b_iP.x \| b_{i+1}P.x \| K_{MF_i})$, and sends $\{b_{i+1}P, C_{MF_i}, h_1\}$ to FA. After receiving $\{b_{i+1}P, C_{MF_i}, h_1\}$, FA checks if $h(C_{MF_i})$ exists in its database, where $h(C_{MF_i}) = C'_{MF_i}$. Because it is hard to find the input of the hash function with a known hash value, this search approach protects MU from being traced even while he stays in FA's service domain and implies MU's legality. After finding the matched $C'_{MF_i}$, FA extracts $\{C'_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ from its database and selects $a_{i+1}$. FA computes h ). FA updates $\{C'_{MF_i}, a_iP, b_iP, K_{MF_i}\}$ to $\{C'_{MF_{i+1}}, a_{i+1}P, b_{i+1}P, K_{MF_{i+1}}\}$ in its database and sends $\{a_{i+1}P, h_2\}$ to MU. After receiving $\{a_{i+1}P, h_2\}$, MU computes $K_{MF_{i+1}} = h(b_{i+1}a_{i+1}P.x)$, $C_{MF_{i+1}} = h(K_{MF_{i+1}} \| b_{i+1}P.x)$, and $h_2' = h(h(C_{MF_{i+1}}) \| K_{MF_i} \| K_{MF_{i+1}})$. Then, MU checks if $h_2' = h_2$. If $h_2' = h_2$, it denotes that FA indeed knows $K_{MF_i}$ and $K_{MF_{i+1}}$. MU authenticates FA successfully. As a result, mutual authentication is ensured in the update session key phase.
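The update session key exchange traced above, as an added Python example that is not code from the paper. The curve (secp256k1), SHA-256 as h(·), FA's computations mirrored from the ones listed for MU, the on-curve check on received points, and all class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (assumed here; the paper does not name a curve).
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(Q):
    """Reject the point at infinity and anything off y^2 = x^3 + 7."""
    if Q is None or not (0 <= Q[0] < P_MOD and 0 <= Q[1] < P_MOD):
        return False
    return (Q[1] * Q[1] - Q[0] ** 3 - 7) % P_MOD == 0

def ec_add(A, B):
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, A):
    """Double-and-add; adequate for a demonstration, not constant-time."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def xb(Q):
    """Q.x in the paper's notation, as 32 big-endian bytes."""
    return Q[0].to_bytes(32, "big")

class ForeignAgent:
    def __init__(self):
        self.db = {}  # h(C_i) -> (a_iP, b_iP, K_i)

    def update(self, b_next_P, C, h1):
        entry = self.db.get(h(C))                  # search by h(C_i)
        if entry is None or not on_curve(b_next_P):
            return None
        aP, bP, K = entry
        if not hmac.compare_digest(h1, h(xb(bP), xb(b_next_P), K)):
            return None                            # h1 mismatch: MU rejected
        a_next = secrets.randbelow(N - 1) + 1
        a_next_P = ec_mul(a_next, G)
        K_next = h(xb(ec_mul(a_next, b_next_P)))   # K_{i+1} = h(a_{i+1}b_{i+1}P.x)
        C_next = h(K_next, xb(b_next_P))
        del self.db[h(C)]
        self.db[h(C_next)] = (a_next_P, b_next_P, K_next)
        return a_next_P, h(h(C_next), K, K_next)   # {a_{i+1}P, h2}

class MobileUser:
    def __init__(self, C, aP, bP, K):
        self.C, self.aP, self.bP, self.K = C, aP, bP, K

    def start(self):
        self.b_next = secrets.randbelow(N - 1) + 1
        self.b_next_P = ec_mul(self.b_next, G)
        h1 = h(xb(self.bP), xb(self.b_next_P), self.K)
        return self.b_next_P, self.C, h1

    def finish(self, a_next_P, h2):
        if not on_curve(a_next_P):
            return False
        K_next = h(xb(ec_mul(self.b_next, a_next_P)))
        C_next = h(K_next, xb(self.b_next_P))
        if not hmac.compare_digest(h2, h(h(C_next), self.K, K_next)):
            return False                           # h2 mismatch: FA rejected
        self.C, self.aP, self.bP, self.K = C_next, a_next_P, self.b_next_P, K_next
        return True

def bootstrap():
    """State both sides hold after the initial authentication (i = 0)."""
    a0, b0 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    a0P, b0P = ec_mul(a0, G), ec_mul(b0, G)
    K0 = h(xb(ec_mul(a0, b0P)))
    C0 = h(K0, xb(b0P))
    fa = ForeignAgent()
    fa.db[h(C0)] = (a0P, b0P, K0)
    return fa, MobileUser(C0, a0P, b0P, K0)
```

Because FA replaces its database entry on every update, a captured `{b_{i+1}P, C_i, h_1}` message no longer matches any stored value once the update has completed.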

Further Discussions
In this section, we first make comparisons between the proposed scheme and the related works, and BAN logic is then used to deduce the completeness of the proposed authentication scheme.

Comparisons
In the following, we present a discussion of the properties of the proposed scheme and the related works. The term "Local password change" denotes whether the mobile user can locally change his password without the home agent's help in the corresponding scheme. The term "Anonymity" denotes whether the corresponding scheme can ensure user anonymity. The term "Insider attack resistance" denotes whether the corresponding scheme can resist insider attack. The term "Man-in-the-middle attack resistance" denotes whether the corresponding scheme can resist man-in-the-middle attack. The term "The synchronization problem resistance" denotes whether the corresponding scheme can resist the synchronization problem. "Replay attack resistance" denotes whether the corresponding scheme can resist replay attack. The comparisons between our scheme and the related works are given in Table 2. According to the comparisons, it is assured that our scheme can resist common attacks and ensure security and convenience at the same time while others cannot.

BAN Logic-Based Authentication Proof
In the following, BAN logic is used to deduce the completeness of the proposed authentication scheme. Notations used in BAN logic are listed in Table 3.
The following goals must be satisfied by using the above rules to ensure the security of the proposed authentication scheme under BAN logic.

Figure 1. An illustration of mobility networks.

Step 3: After HA receives $\{ID_{MU}, p_{MU}\}$ from MU, HA checks that $ID_{MU}$ does not already exist. If so, HA generates a random nonce $R_{MU}$ and the secret key $p_{HA-MU}$ for MU.
Step 4: HA computes $PW_{MU} = h(ID_{MU} \| p_{MU})$, $U = h(p_{HA-MU} \| R_{MU})$, $W = PW_{MU} \oplus R_{MU}$, $V = R_{MU} \oplus p_{HA-MU}$ and $L = h(ID_{MU} \| R_{MU} \| PW_{MU})$.
Step 5: HA stores $\{ID_{HA}, L, W, V, h(\cdot)\}$ into a smart card and issues it to MU via a secure channel.
Step 6: HA stores $\{U, R_{MU}, p_{HA-MU}\}$ into HA's database for MU.

Figure 2. Registration phase in our scheme.

Figure 3. Login phase in our scheme.

and $S_3 = h(R_{MU} \oplus h(p_{HA\text{-}MU} \| R_{MU}^{new}) \| b_0P.x)$.
Step 3: MU sends $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$ to FA and stores $\{b_0, R_{MU}^{new}\}$.
Step 4: After FA receives $\{ID_{HA}, S_1, S_2, S_3, b_0P\}$, FA selects a new random number $a_0$ and computes $a_0P$ and $S_{FA_1} = h(a_0P.x \| b_0P.x \| p_{FA\text{-}HA})$.
Step 5: FA stores the information $\{ID_{HA}, b_0P, a_0, a_0P\}$ and sends $\{ID_{FA}, S_1, S_2, S_3, a_0P, b_0P, S_{FA_1}\}$ to HA.
Step 6: When HA receives $\{ID_{FA}, S_1, S_2, S_3, a_0P, b_0P, S_{FA_1}\}$, HA uses $S_1$ to get the corresponding data $\{R_{MU}, p_{HA\text{-}MU}\}$ from its database because the matched $\{R_{MU}, p_{HA\text{-}MU}\}$ makes $S_1 = h(p_{HA\text{-}MU} \| R_{MU})$. Then HA computes $R_{MU}^{new} = S_2 \oplus R_{MU}$, $S_3 = h(R_{MU} \oplus h(p_{HA\text{-}MU} \| R_{MU}^{new}) \| b_0P.x)$, and $S_{FA_1} = h(a_0P.x \| b_0P.x \| p_{FA\text{-}HA})$. HA checks if the computed $S_3$ and $S_{FA_1}$ equal the received $S_3$ and $S_{FA_1}$. If they both hold, HA selects a new random number $c_0$ and computes $c_0P$ and $S_4 = h(c_0b_0P.x \| a_0P.x \| ID_{FA} \| ID_{HA} \| R_{MU} \| R_{MU}^{new})$; otherwise, HA aborts this authentication request and terminates this phase. After that, HA updates $U$ and $R_{MU}$ stored in its database to $h(p_{HA\text{-}MU} \| R_{MU}^{new})$ and $R_{MU}^{new}$, respectively. Note that the original $U = S_1$ and the original $R_{MU}$ are also stored in HA's database to resist the synchronization problem. That is, the original $U$ instead of the updated one will be searched to find the corresponding data {the original $R_{MU}$, $p_{HA\text{-}MU}$} when only HA's data is updated.
Step 8: HA computes $S_{FA_2} = h(c_0a_0P.x \| b_0P.x \| p_{FA\text{-}HA})$ and sends $\{ID_{HA}, c_0P, S_4, S_{FA_2}\}$ to FA.
Step 9: After receiving $\{ID_{HA}, c_0P, S_4, S_{FA_2}\}$ from HA, FA checks if $ID_{HA}$ exists in its database. If it does exist, FA computes $S_{FA_2} = h(a_0c_0P.x \| b_0P.x \| p_{FA\text{-}HA})$ and checks if the computed $S_{FA_2}$ equals the received $S_{FA_2}$. If it does hold, FA computes $K_{MF_0} = h(a_0b_0P.x)$ and $C_{MF_0} = h(h(K_{MF_0} \| b_0P.x))$; otherwise, FA terminates this phase directly.
Step 10: FA sends $\{ID_{FA}, S_4, a_0P, c_0P, C_{MF_0}\}$ to MU.
Step 11: When MU receives $\{ID_{FA}, S_4, a_0P, c_0P, C_{MF_0}\}$, MU computes $S_4 = h(b_0c_0P.x \| a_0P.x \| ID_{FA} \| ID_{HA} \| R_{MU} \| R_{MU}^{new})$ and checks whether the computed $S_4$ is equal to the received $S_4$. If it does not hold, MU terminates this phase directly; otherwise, MU computes the session key $K_{MF_0} = h(b_0a_0P.x)$, $C_{MF_0} = h(K_{MF_0} \| b_0P.x)$, and $C_{MF_0} = h(C_{MF_0})$, and checks if the computed $C_{MF_0}$ equals the received $C_{MF_0}$. If it does not hold, MU terminates this phase directly; otherwise, MU computes $B_{MF_0} = h(c_0P.x \| K_{MF_0})$, updates $W$ to $W^{new} = PW_{MU} \oplus R_{MU}^{new}$ and $V$ to $V^{new} = R_{MU}^{new} \oplus p_{HA\text{-}MU}$ and stores $C_{MF_0}$, $a_0P$, $b_0P$, and the session key $K_{MF_0}$.
Step 12: MU sends $\{B_{MF_0}\}$ to FA.
Step 13: After obtaining $\{B_{MF_0}\}$, FA computes $B_{MF_0} = h(c_0P.x \| K_{MF_0})$ and checks if the computed $B_{MF_0}$ equals the received $B_{MF_0}$. If it does not hold, FA terminates this phase directly; otherwise, FA stores $\{C_{MF_0}, a_0P, b_0P, K_{MF_0}\}$ into its database.
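The registration equations and the MU-related checks HA performs in Step 6, including the retained original $U$ that handles the synchronization problem, as an added Python example that is not the paper's code. Assumptions: $h(\cdot)$ is SHA-256, all values are 32 bytes, $b_0P.x$ is replaced by random bytes, MU's recovery of $R_{MU}$ and $p_{HA\text{-}MU}$ from $W$ and $V$ is inferred from the registration equations, and the FA-related values ($S_{FA_1}$, $S_4$) are left out.

```python
import hashlib, hmac, os

def h(*parts):                        # h(.) as SHA-256 over the concatenation (assumption)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):                        # all protocol values are 32 bytes here
    return bytes(x ^ y for x, y in zip(a, b))

class HomeAgent:
    def __init__(self):
        self.db = {}                  # U -> record; original and updated U share a record

    def register(self, id_mu, p_mu):  # registration Steps 3-6 (ID_MU uniqueness check omitted)
        r, p = os.urandom(32), os.urandom(32)        # R_MU, p_HA-MU
        pw, u = h(id_mu, p_mu), h(p, r)              # PW_MU, U
        self.db[u] = {"p": p, "U": {u: r}}
        return {"W": xor(pw, r), "V": xor(r, p), "L": h(id_mu, r, pw)}   # smart card

    def verify(self, s1, s2, s3, b0px):              # MU-related checks of Step 6
        rec = self.db.get(s1)                        # S1 is the lookup key, no ID_MU is sent
        if rec is None:
            return False
        r = rec["U"][s1]                             # R_MU that matches this S1
        r_new = xor(s2, r)                           # R_MU^new = S2 xor R_MU
        u_new = h(rec["p"], r_new)
        if not hmac.compare_digest(s3, h(xor(r, u_new), b0px)):
            return False
        for u in rec["U"]:                           # drop this user's previous index entries
            del self.db[u]
        rec["U"] = {s1: r, u_new: r_new}             # keep original U beside the updated U
        self.db.update({s1: rec, u_new: rec})
        return True

def login(card, id_mu, p_mu, b0px):   # MU side: R_MU and p_HA-MU recovered from W and V
    pw, r_new = h(id_mu, p_mu), os.urandom(32)
    r = xor(card["W"], pw)
    p = xor(card["V"], r)
    msg = (h(p, r), xor(r_new, r), h(xor(r, h(p, r_new)), b0px))   # S1, S2, S3
    return msg, (xor(pw, r_new), xor(r_new, p))                    # plus W_new, V_new

def scenario():
    ha, x = HomeAgent(), os.urandom(32)              # x stands in for b0P.x (constructed)
    card = ha.register(b"mu-01", b"constructed-password")
    m1, _ = login(card, b"mu-01", b"constructed-password", x)
    ok1 = ha.verify(*m1, x)                          # HA updates; reply lost, card unchanged
    m2, (card["W"], card["V"]) = login(card, b"mu-01", b"constructed-password", x)
    ok2 = ha.verify(*m2, x)                          # found through the original U
    m3, _ = login(card, b"mu-01", b"constructed-password", x)
    return ok1, ok2, ha.verify(*m3, x), m1[0] == m2[0], m3[0] != m1[0]
```

`scenario()` returns five `True` values: the request after a lost reply is still accepted because the original $U$ is kept, and $S_1$ changes once the card holds $W^{new}$ and $V^{new}$.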

Figure 4. Authentication and establishment of the session key phase in our scheme.

Figure 5. Update session key phase in our scheme.

Figure 6. Password change phase in our scheme.

Case 2: Mutual authentication between MU and HA
MU authenticates HA by checking whether the $S_4$ it computes equals the received $S_4$, and HA authenticates MU by checking whether the $S_3$ it computes equals the received $S_3$, where $S_4 = h(c_0b_0P.x \| a_0P.x \| ID_{FA} \| ID_{HA} \| R_{MU} \| R_{MU}^{new})$ and $S_3 = h(R_{MU} \oplus h(p_{HA\text{-}MU} \| R_{MU}^{new}) \| b_0P.x)$. Only MU and HA can compute the correct parameters to be authenticated successfully because $p_{HA\text{-}MU}$, $R_{MU}^{new}$ and $R_{MU}$ are only known to MU and HA. As a result, our proposed scheme provides mutual authentication between MU and HA.
Case 3: Mutual authentication between MU and FA
In authentication and establishment of the session key phase, MU authenticates HA by checking if the $S_4$ it computes equals the received $S_4$, where $S_4 = h(c_0b_0P.x \| a_0P.x \| ID_{FA} \| ID_{HA} \| R_{MU} \| R_{MU}^{new})$. Because only HA and MU know $p_{HA\text{-}MU}$, $R_{MU}^{new}$ and $R_{MU}$, only HA can compute $c_0b_0P$ and $S_4$. If the check holds, it denotes (1) $a_0P$ is valid because $S_4$ contains $a_0P.x$ and (2) FA has been already authenticated by HA. Then, MU computes the session key $K_{MF_0} = h(b_0a_0P.x)$, $C_{MF_0} = h(K_{MF_0} \| b_0P.x)$, and $C_{MF_0} = h(C_{MF_0})$ and checks if the computed $C_{MF_0}$ equals the received $C_{MF_0}$. If they are equal, it denotes that FA really knows $K_{MF_0} = h(a_0b_0P.x)$. Because MU has already authenticated HA, MU is assured that only FA knows $a_0$ to compute $K_{MF_0}$. As a result, FA is authenticated successfully by MU. Thereupon, MU computes $B_{MF_0} = h(c_0P.x \| K_{MF_0})$ and sends it to FA. After obtaining $\{B_{MF_0}\}$, FA computes $B_{MF_0} = h(c_0P.x \| K_{MF_0})$ and checks if the computed $B_{MF_0}$ equals the received $B_{MF_0}$. If they are equal, FA is assured that MU knows $b_0$ to compute $K_{MF_0}$. FA has authenticated HA by checking if the $S_{FA_2}$ it computes equals the received $S_{FA_2}$, where $S_{FA_2} = h(c_0a_0P.x \| b_0P.x \| p_{FA\text{-}HA})$. It denotes (1) $b_0P$ is valid because $S_{FA_2}$ contains $b_0P.x$ and (

Fundamental rules for BAN logic analysis are listed as follows: RBL1 (Message Meaning Rule 1):

Table 1. Notations used in our mobility network authentication scheme.

| Notation | Description |
|---|---|
| $P$ | A point on the elliptic curve $E_p(a, b)$ of order $n$, where $a, b \in Z_p$, $E_p(a, b)$: $y^2 = x^3 + ax + b$ and $4a^3 + 27b^2 \neq 0$ |
| $P.x$ | The x coordinate of the point $P$ |
| $p_{HA\text{-}MU}$ | The secret key of HA for MU |
| $p_{FA\text{-}HA}$ | The secret key shared between HA and FA |

Table 2. Comparisons between our scheme and the related works.
K is the secret shared between A and B.