A Secure and Efficient Three-Factor Authentication Protocol in Global Mobility Networks

With the developments in communication and mobile technologies, mobile users can access roaming services by utilizing a mobile device at any time and any place in the global mobility networks. However, these require several security requirements, such as authentication and anonymity, because the information is transmitted over an open channel. Thus, secure and efficient authentication protocols are essential to provide secure roaming services for legitimate users. In 2018, Madhusudhan et al. presented a secure authentication protocol for global mobile networks. However, we demonstrated that their protocol could not prevent potential attacks, including masquerade, session key disclosure, and replay attacks. Thus, we proposed a secure and efficient three-factor authentication protocol to overcome the security weaknesses of Madhusudhan et al.'s scheme. The proposed scheme was demonstrated to prevent various attacks and provided a secure mutual authentication by utilizing biometrics and secret parameters. We evaluated the security of the proposed protocol using informal security analysis and formal security analysis, such as the real-or-random (ROR) model and Burrows–Abadi–Needham (BAN) logic. In addition, we showed that our scheme withstands man-in-the-middle (MITM) and replay attacks using formal security validation with the Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool. Finally, we compared the performance of our protocol with existing schemes. Consequently, our scheme ensured better security and efficiency features than existing schemes and can be suitable for resource-constrained mobile environments.


Introduction
With the advances in wireless communication technology, the global mobility network (GLOMONET) [1][2][3] has become a popular means of communication. Users can access roaming services through mobile devices; therefore, people's access to knowledge has been improved significantly. In GLOMONET, each mobile user depends on a specific home agent (HA) where they are registered. If the mobile user is in the domain of a foreign agent (FA), the FA must ensure service after authenticating the mobile user. However, as a mobile device has limited resources available in terms of computing power, memory, and battery capacity [4,5], it is not suitable to apply symmetric and asymmetric cryptosystems that generate high computational overheads. In this case, mobile users can face delays during processing and service availing. In addition, a malicious adversary may attempt various attacks using sensitive data transmitted via an insecure channel in GLOMONET. Therefore, secure and efficient mutual authentication has become an essential security requirement to provide secure roaming services for legitimate mobile users. The security requirements for GLOMONET are summarized as follows:
• Secure and efficient authentication schemes are required to provide various services in GLOMONET.
• Authentication schemes must resist various attacks, including stolen mobile devices, masquerades, and trace attacks.
• Authentication schemes must consider the limitations of mobile devices relative to the computing power, memory, and battery capacity [4,5].
In the last few years, many authentication schemes have been presented for GLOMONET to ensure the security of users [6][7][8][9]. In 2004, Zhu et al. [10] presented an efficient two-factor authentication scheme to provide the roaming facility. However, Lee et al. [11] indicated that Zhu et al.'s [10] protocol did not resist impersonation attacks and also could not achieve user authentication. In 2006, Lee et al. [11] presented an improved protocol for wireless environments to overcome the security flaws of Zhu et al.'s scheme. However, Wu et al. [12] assessed that Lee et al.'s [11] scheme did not withstand perfect backward secrecy and did not ensure user anonymity. In 2012, Li et al. [13] assessed that Wu et al.'s [12] scheme could not withstand replay and masquerade attacks and also could not provide user anonymity.
To overcome these security flaws, Li et al. [13] then proposed a novel smart-card-based user authentication scheme to provide efficient high computational and communication overheads. However, Das et al. [14] demonstrated that Li et al.'s protocol [13] was sensitive to replay attacks and did not achieve proper user password updates in the password change processes. In 2015, Marimuthu and Saravanan [15] presented a secure authentication protocol in GLOMONET. However, Madhusudhan et al. [16] proved that their protocol could not withstand offline guessing, insider, stolen-verifier, denial of service, and forgery attacks.
In 2018, Madhusudhan et al. [16] presented a secure and efficient user authentication scheme for GLOMONET using a mobile device to resolve the security problems of Marimuthu and Saravanan's scheme. Madhusudhan et al. claimed that their scheme could prevent replay and masquerade attacks and provide secure mutual authentication. Unfortunately, we analyzed that Madhusudhan et al.'s scheme [16] could not prevent various security threats and could not provide secure mutual authentication. Moreover, Madhusudhan et al.'s scheme [16] was unsuitable for resource-constrained mobile devices as it uses symmetric key encryption and modular multiplication, which generate high computational overheads. Thus, we proposed a secure and efficient three-factor user authentication scheme for roaming services in GLOMONET to resolve the security flaws of Madhusudhan et al.'s scheme.

Motivation and Contributions
We have studied numerous user authentication schemes [6,8,15,16] for roaming services and found that they had the following in common: and could ensure secure mutual authentication and anonymity. However, our paper presents a brief review of Madhusudhan et al.'s scheme [16], and we demonstrated that their scheme could not prevent various security threats. To resolve the security threats of Madhusudhan et al.'s scheme, we proposed a secure and efficient three-factor authentication protocol. The proposed scheme demonstrated several advantages compared with previous related authentication schemes.
First, the proposed scheme could prevent various attacks, such as mobile device theft, masquerade, session key disclosure, and replay attacks, and also provided secure mutual authentication, user anonymity, and user friendliness. Second, the proposed scheme used the fuzzy extractor mechanism to improve the security level of the protocol. Even if two of the three factors were compromised, the proposed scheme was still secure. Finally, the proposed scheme achieved more efficient computation costs than related schemes as it only utilized the one-way hash function. Therefore, the proposed scheme was secure, efficient, and more suitable for practical mobile and wireless environments.

Security Requirements
The research on the security of communication for GLOMONET has shown that the security requirements are essential to produce a secure and efficient authentication protocol. Table 1 shows the security requirements for authentication and key agreement protocols.

Table 1. Security requirements for authentication and key agreement protocols.

| Properties | Description |
|---|---|
| Three-factor security | This should remain secure even if any two of the three factors are compromised. |
| Resisting known attacks | This requires that the authentication protocol for GLOMONET is secure from various known attacks, including privileged insider, replay, session key disclosure, MITM, and masquerade attacks. |
| Resisting stolen mobile device attack | If an unauthorized person obtains the lost/stolen mobile device, it is impossible for him to impersonate a valid user with a counterfeit login request by using the information extracted from the mobile device. |
| Forward and backward secrecy | This requires that the attacker is not able to obtain the previous session keys or future ones by using the compromised session key. |
| Secure mutual authentication and key agreement | This is an essential requirement in the GLOMONET scenario, and requires the communication parties to be able to authenticate each other and generate a shared session key to provide confidentiality of messages in public channels. |
| User friendliness | The mobile user should freely select his/her own identity and password. In addition, the mobile user should be allowed to update the password without the assistance of the home agent. |
| Anonymity and untraceability | A malicious attacker is incapable of revealing and tracking the real identity of the legitimate user, and this is an important privacy-preserving requirement for users. |

Organization
The remainder of this paper is organized as follows. In Section 2, we present the preliminaries, and in Section 3, we review Madhusudhan et al.'s scheme [16]. In Sections 4 and 5, we assess the security flaws of Madhusudhan et al.'s scheme [16] and present a secure and efficient authentication scheme for GLOMONET to overcome the security flaws of Madhusudhan et al.'s scheme [16]. In Section 6, we demonstrate the security of our scheme using informal security analysis and formal security analysis, including Burrows-Abadi-Needham (BAN) logic and the real-or-random (ROR) model. In Section 7, we report a formal security validation utilizing the Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool. In Section 8, we compare the performance properties of our protocol to existing protocols. We present our conclusions in the final Section 9.

Preliminaries
This section presents preliminaries to facilitate reader comprehension.

Attacker Model
To examine the security of our protocol, we describe the Dolev-Yao (DY) model [17], which is described as follows:
• An adversary is able to eavesdrop, intercept, modify, delete, or insert messages exchanged through an open channel.
• An adversary is able to obtain the lost or stolen mobile device of legitimate mobile users [18,19] and can extract the important data stored in the mobile device by utilizing a power-analysis attack [20,21].
• An adversary is able to perform various types of attacks, including replay, masquerade, man-in-the-middle (MITM) and mobile device theft attacks.

Fuzzy Extractors
This section discusses the basic concepts of a fuzzy extractor. According to [22], this mechanism involves two procedures, Gen and Rep, which are described below:
1. Gen: After a user imprints the biometric input $Bio$, the probabilistic function Gen selects a consistent random string $\rho \in \{0, 1\}^l$ and a random auxiliary string $\sigma \in \{0, 1\}^*$.
2. Rep: Given the new biometric input $Bio_{new}$ imprinted by the user and the string value $\sigma$ in a session, Rep successfully recovers the value $\rho$.
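The following Gen/Rep pair is an added Python example, not code from the paper or from [22]. It assumes a code-offset construction with a 5x repetition code and SHA-256 as h, and it shows that a noisy re-reading of the same template reproduces ρ, so that the value RPW_i = h(PW_MU || R_i) used later in the registration process stays stable, while a reading outside the error tolerance does not.

```python
"""Code-offset fuzzy extractor (Gen/Rep) built on a repetition code.

Added illustration: the construction, the parameters and SHA-256 are
assumptions, not taken from the paper. Bits are ints (0/1) in lists.
"""
import hashlib
import hmac
import random
import secrets

REP = 5                      # each seed bit is repeated REP times
SEED_BITS = 32               # toy size; far too small for real use
TEMPLATE_BITS = REP * SEED_BITS


def encode(seed):
    """Repetition-code encoder: every bit b becomes REP copies of b."""
    return [b for b in seed for _ in range(REP)]


def decode(word):
    """Majority vote per REP-bit block; corrects up to 2 flips per block."""
    return [int(2 * sum(word[i:i + REP]) > REP)
            for i in range(0, len(word), REP)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def derive(seed):
    """rho is a domain-separated hash of the random seed."""
    return hashlib.sha256(b"fuzzy-extractor-rho" + bytes(seed)).hexdigest()


def gen(bio):
    """Gen(Bio) -> (rho, sigma); sigma is the public auxiliary string."""
    if len(bio) != TEMPLATE_BITS:
        raise ValueError("template must be %d bits" % TEMPLATE_BITS)
    seed = [secrets.randbits(1) for _ in range(SEED_BITS)]
    sigma = xor_bits(bio, encode(seed))   # code offset: Bio XOR codeword
    return derive(seed), sigma


def rep(bio_new, sigma):
    """Rep(Bio_new, sigma) -> rho when Bio_new is close enough to Bio."""
    if len(bio_new) != TEMPLATE_BITS or len(sigma) != TEMPLATE_BITS:
        raise ValueError("template and sigma must be %d bits" % TEMPLATE_BITS)
    # Bio_new XOR sigma = codeword XOR error pattern; decoding removes it.
    return derive(decode(xor_bits(bio_new, sigma)))


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def rpw(password, rho):
    """RPW_i = h(PW_MU || R_i) from the registration step, with h = SHA-256."""
    return hashlib.sha256(password.encode() + bytes.fromhex(rho)).hexdigest()


def demo():
    rng = random.Random(2021)             # constructed sample template
    bio = [rng.randrange(2) for _ in range(TEMPLATE_BITS)]
    rho, sigma = gen(bio)
    enrolled = rpw("correct horse", rho)

    # Same finger, later reading: 2 flipped bits in each of three blocks.
    noisy = flip(bio, [0, 3, 51, 52, 155, 159])
    accepted = hmac.compare_digest(
        rpw("correct horse", rep(noisy, sigma)), enrolled)

    # 3 flips inside one block exceed the code's correction capacity.
    far = flip(bio, [10, 11, 12])
    rejected = not hmac.compare_digest(
        rpw("correct horse", rep(far, sigma)), enrolled)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

A repetition code keeps the example short; σ is public and reduces the entropy left in the biometric, so the code and template length have to be sized against that loss.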

Review of Madhusudhan et al.'s Protocol
Madhusudhan et al.'s scheme [16] is comprised of three processes: (1) user registration, (2) authentication, and (3) password update. The notations utilized in this paper are defined in Table 2 and each process is detailed as follows.

Initialization Process
The home agent (HA) selects two prime numbers $p$, $q$ and generator $g$ of a finite field in $Z_p^*$, of which $Z_p^*$ is a nonsingular elliptic curve $y^2 = x^3 + ax + b \pmod{p}$. The HA calculates $n = p \times q$ and $\varphi(n) = (p - 1) \times (q - 1)$. Then, the HA chooses an integer $e$, such that $1 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$. After that, the HA computes the value of an integer $d$, such that $d = e^{-1}$, where $d$ is the secret key of the HA, and $y = g^d \bmod n$, where $y$ is the public key of the HA. The HA keeps $\{p, q, d\}$ securely.

Registration Process
In Madhusudhan et al.'s protocol, a new MU who requests roaming services must register their identity with the HA. Figure 1 indicates the user registration process of Madhusudhan et al.'s protocol [16] and this process is described in detail as follows.

[Figure 1. User registration process of Madhusudhan et al.'s protocol: Mobile User (MU), Home Agent (HA).]
Step 1: A mobile user MU inputs $ID_{MU}$ and $PW_{MU}$ and selects a random number $N$. Then, MU computes $R_1 = h(ID_{MU} \| N)$ and sends a request message to the HA via a public channel.

Login and Authentication Process
In Madhusudhan et al.'s protocol [16], they considered a scenario in which the MU associated with the HA visits a foreign network from the foreign agent FA and attempts to access the roaming service. A MU who requests roaming service must send a login request message to the HA. The MU, FA, and HA then perform mutual authentication with each other, then MU and FA share the session key. Figure 2 indicates the login and authentication process of Madhusudhan et al.'s protocol [16]. The process is described in detail as follows.

[Figure 2. Login and authentication process of Madhusudhan et al.'s protocol: Mobile User (MU), Foreign Agent (FA).]
Step 1: The MU retrieves the authentication data stored in the mobile device and enters $ID_{MU}$ and $PW_{MU}$. After that, the mobile device computes $K^*_{MU} = h(ID_{MU} \| PW_{MU} \| R)$ and checks whether K * FA and retrieves the secret key corresponding to $ID_{FA}$. After that, the HA decrypts $D_{KFH}(E_{KFH}(M_1, R_{FA}))$ and computes $a = h(d)$, $g^a \bmod p$, $R^*_{MU} = V \oplus ((g^a \bmod p) \| ID_{FA})$ and $R^* = U \oplus R^*_{MU}$. The HA then checks whether there exists $R^* \stackrel{?}{=} R$ in a secure database. If the condition is valid, the HA computes $W^* = (U \| K \| (g^a \bmod p))$ and checks whether
Step 4: After obtaining the After that, the MU checks whether $X^* \stackrel{?}{=} X$. If this holds, the MU and FA achieve the SK successfully.

Password Update Process
In Madhusudhan et al.'s protocol, the MU can freely update their password. The process is described in detail as follows.
Step 1: When a legitimate MU wants to update the password, the MU inputs $ID_{MU}$, $PW_{MU}$ and the request messages are transmitted via a terminal.
Step 2: The mobile device of MU calculates $K^*_{MU} = h(ID_{MU} \| PW_{MU})$ and checks whether $K^*_{MU} \stackrel{?}{=} K_{MU}$. If this holds, the MU is a legitimate user. Otherwise, the mobile device terminates the password change process.
Step 3: The MU selects new password $PW^{NEW}_{MU}$ and computes K NEW

Cryptanalysis of Madhusudhan et al.'s Protocol
We demonstrated the security shortcomings of the existing protocol [16]. They claimed that their scheme can resist replay and masquerade attacks and achieve secure user authentication. However, we demonstrated that Madhusudhan et al.'s protocol [16] is insecure against various attacks, including session key disclosure, replay, and masquerade attacks. Furthermore, we show that the existing protocol [16] does not provide mutual authentication.

Masquerade Attack
If a malicious adversary $MU_a$ attempts to impersonate a legitimate user, $MU_a$ can easily generate the message $M_1 = \{U, V, W\}$ of the legitimate user. As discussed in Section 2.1, $MU_a$ obtains the mobile device of MU and extracts the stored secret parameters in it. In addition, $MU_a$ intercepts the message exchanged over a public channel. Finally, $MU_a$ performs the masquerade attack; its detailed procedure is as follows.
Step 1:
Step 2: After obtaining the $M_{1a} = \{U_a, V_a, W_a\}$, the FA selects a random number $R_{FA}$ and encrypts $E_{KFH}(M_1, R_{FA})$ using a shared secret key. Then, the FA sends and computes $a = h(d)$, $g^a \bmod p$, $R^*_a = V_a \oplus ((g^a \bmod p) \| ID_{FA})$ and $R^* = U_a \oplus R^*_a$. Then, the HA checks whether $R^* \stackrel{?}{=} R$. After that, HA computes $W^*_a = (U_a \| K \| (g^a \bmod p))$ and checks whether $W^* \stackrel{?}{=} W$. Finally, HA computes $SK = h(g^a \bmod p) \oplus R_a \oplus R_{FA}$ and sends
Step 4: After obtaining the $M_3 = \{E_{KFH}(SK)\}$, the FA decrypts $D_{KFH}(E_{KFH}(SK))$ and computes If it is correct, $MU_a$ computes the SK $MU_a$ obtains the session key between $MU_a$ and FA and performs mutual authentication successfully. As a result, Madhusudhan et al.'s protocol [16] is insecure against the masquerade attacks.

Replay Attack
Madhusudhan et al. claimed that their protocol can withstand replay attacks because $MU_a$ cannot calculate the correct $SK = h(g^a \bmod p) \oplus R_{MU} \oplus R_{FA}$ without the random numbers $R_{FA}$ and $R_{MU}$. However, according to Section 4.1, $MU_a$ computes $R_{MU} = U \oplus R$ and obtains $R_{FA}$ in an open channel. Furthermore, $MU_a$ can extract the secret parameters $\{C_{MU}, R\}$ stored in the mobile device. $MU_a$ computes $SK = C_{MU} \oplus h(R) \oplus R_{MU} \oplus R_{FA}$. In addition, according to Section 2.1, $MU_a$ can obtain the counter value $K$ in the mobile device. Thus, Madhusudhan et al.'s protocol [16] is insecure against replay attacks.

Session Key Disclosure Attack
According to Section 4.1, $MU_a$ can successfully impersonate a legitimate mobile user MU and calculate the SK. According to the discussion presented in Section 2.1, $MU_a$ can extract the $\{C_{MU}, R\}$ in the mobile device and obtain random number $R_{FA}$ of FA over an open channel, and then compute [16] is insecure against session key disclosure attacks.

Mutual Authentication
In the existing protocol [16], they indicated that their scheme preserves secure mutual authentication among the MU, FA, and HA. However, according to Section 4.1, their protocol cannot prevent masquerade attacks and $MU_a$ can successfully calculate authentication request message $W = (U \| K \| C_{MU} \oplus h(R))$ and authentication message $X^* = h(SK^* \| R_{FA})$. Consequently, Madhusudhan et al.'s protocol [16] cannot achieve mutual authentication.

Proposed Secure and Efficient Authentication Protocol for GLOMONET
Many biometric-based user authentication protocols [23,24] have been presented to improve the security flaws associated with mobile device authentication. Biometric-based schemes are difficult to guess, duplicate, and forge and cannot be stolen or lost. Therefore, biometric-based three-factor authentication mechanisms are more secure than mobile device and password based two-factor authentication mechanisms. Therefore, we present a secure and efficient authentication protocol using biometrics to overcome the security problems of the existing protocol [16].

Registration Process
A new MU should register with HA to receive the roaming services. Figure 3 presents the user registration process of our protocol.

[Figure 3. User registration process of the proposed protocol: Mobile User (MU), Home Agent (HA).]
Step 1: A MU selects $ID_{MU}$, $PW_{MU}$ and imprints biometric $BIO_i$. After that, MU computes $(R_i, P_i) = Gen(BIO_i)$, $RPW_i = h(PW_{MU} \| R_i)$ and sends $\{ID_{MU}, RPW_i\}$ to the HA over a secure communication.
Step 2: After obtaining messages $\{ID_{MU}, RPW_i\}$, the HA computes $RID_i = h(ID_{MU} \| RPW_i)$,

Login and Authentication Process
Before performing a session, the MU requests authentication to the HA in order to establish the session key. Figure 4 presents the user authentication process of our protocol. The process is described in detail as follows.

[Figure 4. Login and authentication process of the proposed protocol: Mobile User (MU), Foreign Agent (FA), Home Agent (HA).]
Step 1: The mobile device inputs $ID_{MU}$, $PW_{MU}$ and imprints biometrics $BIO_i$. The MU computes
Finally, the MU checks whether $Q^*_{MF} \stackrel{?}{=} Q_{MF}$. If it holds, the MU and FA establish the $SK_i$ successfully.

Password Update Process
In the proposed protocol, a MU can easily update their password. Figure 5 presents the password change process of the proposed protocol.

[Figure 5. Password change process of the proposed protocol: Mobile User (MU), Mobile Device.]
Step 1: The MU inputs $ID^*_{MU}$, $PW^*_{MU}$ and imprints biometrics $BIO^*_i$. After that, MU computes

Security Analysis
We utilized the BAN logic to evaluate the user authentication of our protocol and then we used the ROR model to prove the session key security. In addition, we performed AVISPA simulation to evaluate the security of our protocol to replay and MITM attacks.

Informal Security Analysis
This section presents an informal security analysis to evaluate the security of the proposed protocol. We proved that our scheme can prevent various attacks and allow user authentication and anonymity.

Masquerade Attack
If $MU_a$ attempts to impersonate a legal mobile user, $MU_a$ must calculate a request message $\{M_1, M_2, RID_i, Q_M\}$ and response message $\{M_4, Q_{MF}\}$ successfully. However, $MU_a$ cannot compute this because $MU_a$ does not know MU's real identity $ID_{MU}$, password $PW_{MU}$, secret parameters $X_i$, random nonce $R_{MU}$, and biometrics $BIO_i$. Consequently, the proposed protocol can withstand masquerade attacks because $MU_a$ cannot generate correct messages successfully.

Replay Attack
Our protocol can resist replay attacks by utilizing a random nonce that is changed every session. If $MU_a$ tries to impersonate a mobile user by resending messages that were exchanged in a previous session, $MU_a$ cannot obtain the previous messages because the HA checks whether $R^*_{MU} \stackrel{?}{=} R_{MU}$ and $R^*_{FA} \stackrel{?}{=} R_{FA}$. Consequently, the proposed protocol can withstand replay attacks because $MU_a$ does not know $R_{MU}$ and $R_{FA}$.

Stolen Mobile Device Attack
We assume that $MU_a$ can steal the mobile device of a legitimate user and extract the data $\{A_i, B_i, P_i\}$ from the mobile device by utilizing a power analysis attack [20]. However, $MU_a$ still cannot obtain a legitimate user's information because the parameters stored in the mobile device are masked using bitwise XOR operations and hash functions. Thus, the proposed scheme can defend against mobile device theft attacks.

Session Key Disclosure Attack
In our protocol, $MU_a$ cannot compute $\{M_1, M_2, Q_M\}$ because a legitimate mobile user MU generates an authentication request message by using the dynamic random nonce $R_{MU}$ and secret parameter $X_i$. Consequently, the proposed protocol protects against session key disclosure attacks.

Anonymity
In our protocol, $MU_a$ cannot obtain the identity $ID_{MU}$ of a legitimate mobile user because the parameters are masked by using XOR operations and hash functions, such as $M_2 = ID_{MU} \oplus X_i$ and $Q_M = h(RID_i \| X_i \| R_{MU})$. Consequently, our protocol provides anonymity because $MU_a$ cannot obtain $ID_{MU}$ without $X_i$ and $R_{MU}$.

User Friendliness
In our protocol, MU can easily change his/her own $ID_i$ and $PW_i$ without the assistance of the HA. In particular, the proposed protocol allows the MU to change the original password $PW_i$ in a short time, because the MU need not go through the entire login process, which saves time and minimizes the computation complexity of the proposed scheme. Consequently, the proposed protocol is user-friendly.
Table 3 presents the better security properties ensured by the proposed scheme compared to related schemes [6,8,15,16]. The existing schemes are insecure against various attacks and cannot ensure mutual authentication and user anonymity. In contrast, the proposed scheme can provide essential security properties and can achieve user anonymity and mutual authentication.

Authentication Proof Using BAN Logic
We present the security analysis utilizing the BAN logic [25] to prove the secure user authentication of our protocol. In Table 4, we present the notations used for BAN logic. We present the security rules, the security goals, the idealized forms and the assumptions that are essential to BAN logic. We assessed that our scheme ensured mutual authentication among MU, FA, and HA. The rules of BAN logic are summarized as follows.

Goals
To analyze mutual authentication, we define the goals of our protocol as below.

Idealized Forms
The idealized form of messages of our protocol are as below.

Assumptions
The following assumptions are applied in the BAN logic analysis.

Proof Using BAN Logic
The proof then proceeds as below:
Step 1: According to $Msg_1$, we obtain the following
Step 14: According to $Msg_4$, we could obtain
Step 15: Utilizing $S_{14}$ and $A_7$ with the "message meaning rule", we obtain
Step 16: Now, using $S_{15}$ and $A_8$ with the "freshness rule", the following is obtained
Step 17: Utilizing $S_{15}$ and $S_{16}$ with the "nonce verification", we obtain
Step 18: Utilizing $S_{17}$ and the belief rule, we obtain (Goal 3)
Step 19: Now, using $S_{18}$ and $A_9$ with the "jurisdiction rule", the following is obtained
Based on goals 1 to 4, we proved that MU, FA, and HA are securely mutually authenticated. We assessed that the proposed scheme ensured mutual authentication between MU, FA, and HA.

ROR Model Analysis
To evaluate the session key (SK) security of the protocol from the malicious adversary $U_A$, we apply the ROR model [26], which is a widely known formal security analysis, to the proposed protocol. We first introduce the ROR model before doing a SK security proof for the proposed protocol.
Participants: There are three participants: the mobile user $P^{t_1}_{MU}$, the foreign agent $P^{t_2}_{FA}$, and the home agent P and $t_2^{th}$ are in the accept state, (2) $t_1^{th}$ and $t_2^{th}$ authenticate each other mutually sharing the same sid, and (3) $t_1^{th}$ and $t_2^{th}$ are mutually authenticated.
Freshness: If the $U_A$ does not obtain the SK between MU and FA by utilizing the reveal query Reveal, the instance $t_1^{th}$ or $t_2^{th}$ is considered fresh.
Adversary: In the ROR model, the $U_A$ can eavesdrop, modify, delete, or insert the exchanged messages during the communication. Furthermore, the $U_A$ will have the access to the following queries.
MU ): It is modeled from the mobile device lost/stolen attack, in which the $U_A$ is able to extract the secret data in the mobile device.
• Send($P^t$, $M$): In this query, the $U_A$ can dispatch a message $M$ to the instance $P^t$ and can also reply accordingly.
• Test($P^t$): It corresponds to the semantic security of the $SK_{ij}$ between MU and FA following the indistinguishability style in the ROR model [26]. In this query, before the experiment starts, an unbiased coin $c$ is tossed. If the $U_A$ executes the Test query and the established $SK_{ij}$ is fresh, then $P^t$ returns $SK_{ij}$ for the case when $c = 1$ or a random value when $c = 0$. In the other cases, it returns a null value ($\perp$).
• Reveal($P^t$): With this query, the $U_A$ can reveal the $SK_i$ created by its partner to $U_A$ in the current session.

Semantic security of the session key:
In this formal security model, the malicious adversary $U_A$ must distinguish between an instance's actual SK and a random secret key. The $U_A$ can perform Test queries to either $P^{t_1}_{MU}$ or $P^{t_2}_{FA}$, and its output is checked for consistency against the random bit $c$. If the condition $c' = c$ is valid, the $U_A$ wins the game. Otherwise, the $U_A$ loses the game. Let Succ denote the event that $U_A$ wins the game. Therefore, the advantage of $U_A$ in breaking the semantic security of our protocol $P$ is shown in Equation (1). The proposed protocol $P$ is secure relative to the ROR model when $Adv_P \le \psi$, for any sufficiently small $\psi > 0$.
Random oracle: In this paper, all the participants and the malicious adversary $U_A$ can access a collision-resistant one-way hash function $h(\cdot)$. We model $h(\cdot)$ as a random oracle, say Hash.

Security Proof
We utilized Zipf's law [27] to assess the SK security of our protocol and the detailed theorems are given as follows:
Theorem 1. If $Adv_{U_A}$ denotes the advantage function of the $U_A$ in violating SK security of our protocol, then we obtain the following.
where Hash, $q_{send}$, and $q_h$ are the number of Hash queries, the number of Send queries, and the range space of the hash function $h(\cdot)$, respectively; $l_b$ is the number of bits present in the $MU_i$'s biometric secret key $b_i$; and $s$ and $C$ are the Zipf's parameters [27].
Proof. We follow the proof as presented in [28,29]. A sequence of five games denoted by $GM_i$, where $i \in [0, 3]$, are defined to demonstrate the SK security of our protocol. $Succ_i$ denotes the probability of $U_A$ winning the game $GM_i$. Each game is described in detail as follows.
• Game $GM_0$: This game is considered as an actual attack by the $U_A$ for the proposed protocol $P$. Since the bit $c$ is guessed at the beginning of $G_0$, according to this game, we obtain the following:
HA) query. Then, $U_A$ performs the Test query to check whether it is the real SK or a random number. In the proposed protocol, the $SK_i$ is calculated as $SK_i = h(R_{MU} \| R_{FA})$. To derive $SK_i$, the $U_A$ needs secret credentials, such as $R_{MU}$, $R_{FA}$, and $X_i$. Consequently, the $U_A$'s probability in winning $GM_1$ by eavesdropping on the exchanged messages does not increase. We can obtain
• Game $GM_2$: The difference between $GM_1$ and $GM_2$ is that the Hash and Send queries are included in $GM_2$. This game can be considered as an active attack in which the $U_A$ may try to fool a legitimate entity to accept the exchanged messages modified by the $U_A$. All exchanged messages are constructed using the random credentials $R_{MU}$, $R_{FA}$, and $X_i$, and these messages are protected by using the collision-resistant one-way hash function $h(\cdot)$. Using the birthday paradox, we can obtain the following result:
• Game $GM_3$: In the final game, the CorruptDevice query is modeled. In this case, a $U_A$ can extract the secret parameters $\{A_i, B_i, P_i\}$ from a mobile device's memory utilizing the power-analysis attack. Here, it is computationally infeasible for $U_A$ to derive the real identity $ID_{MU}$ and password $PW_{MU}$ of MU correctly via the Send query without HA's master key $K_s$ and secret parameter $X_i$. The probability of guessing the biometric key $b_i$ of $l_b$ bits by the $U_A$ is approximately $\frac{1}{2^{l_b}}$. Consequently, the $GM_2$ and $GM_3$ are indistinguishable if password/biometrics guessing attacks are not implemented. Therefore, utilizing Zipf's law [27], we can obtain the following result:
As all the games are executed, the $U_A$ must guess the exact bit $c$. Thus, we can obtain the following result:
With Equations (1), (2), and (5), we can obtain the result as below:
Using Equations (4)-(6), we can obtain the following result, which uses the triangular inequality.
Finally, multiplying both sides of Equation (7) by a factor of two, we can obtain the result as below:

AVISPA Simulation
We discuss a formal security validation of our protocol utilizing Automated Validation of Internet Security Protocols and Applications (AVISPA) [30,31], which evaluates the security of the protocol to MITM attacks and replay attacks. To evaluate the AVISPA, the environment and session of the protocol must be implemented utilizing the High-Level Protocols Specification Language (HLPSL).

HLPSL Specification
According to HLPSL, we consider three roles: the MU, the FA, and the HA. We define the environment and session using HLPSL in Figure 6, which comprises the security goals. Figure 7 presents the role specification of MU and FA.
As shown in Figure 7, the MU initially receives the message and changes the state value from 1 to 2. Then, the MU sends the registration request messages $\{ID_{MU}, RPW_i\}$ to HA over a secure channel. Then, MU receives the secret parameter $\{A_i, B_i\}$ from HA and MU updates the state value from 1 to 2. When a MU requests access to roaming services, the MU must send a login request message

Result Analysis of AVISPA Simulation
We show the results of the AVISPA simulation using Constraint-Logic-based ATtack SEarcher (CL-AtSe) and On-the-Fly Model Checker (OFMC) to verify the security of our protocol. The CL-AtSe assessed the security of the protocol to replay attacks. The CL-AtSe verifies whether a legitimate user could perform the scheme by executing a search for a malicious adversary. Furthermore, the OFMC verifies the security of the proposed protocol to MITM attacks. The results, shown in Figure 9, demonstrate that the proposed protocol is secure against both MITM and replay attacks. The OFMC verification shows that the search time was 1.12 s for visiting 130 nodes, and the CL-AtSe verification analyzed three states with 0.08 s to translate.

Performance Analysis
This section assesses the performance of our protocol in terms of the computation cost, communication cost, and security properties. We also compared the proposed protocol with other related protocols [6,8,15,16]. We demonstrated that the proposed scheme provides better security properties and efficiency as compared to other related schemes.

Computation Cost
We compared the computation costs of our protocol to those of existing protocols [6,8,15,16]. Referring to [32,33], we estimated the approximate execution time of each cryptographic operation on the following configurations of the computer system. Windows 7 OS and Android phones were used and the system structure of the mobile phone was Android 4.4.4KTU84P along with a 2 GB RAM and 1.8 GHz processor. Furthermore, the configurations of the computer system were Windows 7, Professional with an Intel(R) Core(TM) 2 Quad CPU Q8300, 2 GB RAM, @2.50 Hz. The XOR function was not included as it was negligible compared to other functions. The following shows the time complexity for the computational analysis. The total computation costs for our protocol and for Madhusudhan et al.'s scheme were $27T_h$ (≈0.0135 s) and $10T_h + 3T_{mm} + 4T_{sym}$ (≈1.6058 s), respectively. Table 5 presents the result for computation costs. Consequently, our protocol achieves more efficient computation costs than related schemes because it only uses one-way hash functions. Therefore, the proposed scheme is considered efficient in the application for practical mobile environments.

Conclusions
In this paper, we assessed that Madhusudhan et al.'s authentication scheme did not prevent various attacks. Furthermore, we assessed that their protocol could not achieve user authentication. We proposed a secure and efficient three-factor authentication protocol for roaming services in GLOMONET to improve the security flaws of Madhusudhan et al.'s scheme. Our scheme was able to resist various attacks, such as masquerade, replay, session key disclosure, and mobile device theft attacks and could ensure anonymity and user authentication. We demonstrated that our scheme achieved secure mutual authentication among the mobile user, the foreign agent, and the home agent by performing BAN logic analysis.
Furthermore, we assessed a formal security validation analysis of our protocol utilizing the ROR model and AVISPA simulation. We compared the computation costs and security features with existing schemes. The three-factor based proposed scheme provided a great improvement in terms of the security level compared with two-factor based existing schemes and also preserved the low computation cost. The principal merit of the proposed scheme was resistance against potential attacks in GLOMONET. Therefore, the proposed scheme satisfies the security requirements for roaming service and is suitable for practical mobile environments.