A Novel Mobile Communications Authentication Scheme with Roaming Service and User Anonymity

Abstract

Many novel, effective, and efficient applications and networking services are being developed for the Social Internet of Things. Recently, Li proposed a more secure and efficient authentication scheme with roaming service and user anonymity for mobile communications. The security analysis and discussion of the agreement phase is sufficiently safe; however, an attacker can intercept the identity of a mobile user’s home agent in the authentication phase. By using this information, the attacker can mount distributed denial-of-service attacks in the roaming phase through replay attacks targeting the network’s foreign agent and mobile user’s home agent by using their corresponding session keys. Li’s method also has some shortcomings regarding anonymity that we aim to address. To overcome these issues, this study proposes an elliptic curve–based wireless roaming anonymous login method for the authentication phase. The problems faced in the roaming phase are resolved, and this approach provides balanced session key computation between senders and receivers. Burrows-Abadi-Needham logic (BAN-logic) is used to verify the security of the proposed scheme. The proposed scheme affords good security, efficiency, and integrity and maintains anonymity.

1. Introduction

Wireless networks and smartphones have undergone rapid developments, allowing the use of the same device across different networks [1,2]. Users such as businessmen or tourists visiting a new area can use a smart card to register with their home agents. Such cards use an anonymous connection to register to the home agent from the foreign agent server [3,4]. After validation, a temporary certificate is sent to the user. The user may use this temporary certificate for network roaming via the foreign agent server. This approach can provide billing information while maintaining anonymity [5,6,7,8].

In general, an anonymous roaming scheme has three entities: mobile user (MU), foreign agent (FA), and home agent (HA) [9,10,11,12,13]. In communication, the user must remain anonymous to the other entities. This scheme consists of three phases: registration (initialization phase), authentication (first phase), and roaming (second phase) [14,15,16]. When an MU is anonymously roaming in a foreign network, it can use one of two methods: real-time online and offline. Real-time online means that when a user requests roaming permissions, the FA can immediately authenticate with the HA and verify the user’s legitimacy. The FA is unaware of the user’s true identity but only knows whether the user is legitimate. Offline means that when the user requests roaming permissions, the FA can verify the user’s legitimacy directly through the information obtained during the registration phase. In other words, this method does not use a real-time connection with the HA to verify the user, and the FA does not know the user’s true identity [17,18,19,20,21,22,23]. In this study, the mobile phone roaming anonymous login is based on the real-time online method.

In 2004, Zhu and Ma [24] first proposed an authentication scheme with anonymity for wireless environments. Although they claimed that their scheme was secure, some weaknesses remained. The attacker can obtain r (r = H(N||ID_HA)⊕H(N||ID_MU)⊕ID_HA⊕ID_MU) by registering and calculating the HA’s private key or by intercepting messages n of other legitimate users and then using the HA’s private key exclusive—or r can obtain the legitimate user’s identity ID_MU and PW_MU. In other words, this scheme does not provide anonymity. In 2006, however, Lee et al. [25] showed several security flaws in Zhu and Ma’s scheme and then improved it. Unfortunately, the HA still provided PW_MU to the MU in the registration phase, enabling PW_MU to be calculated. In 2008, Wan et al. [13] noted the security vulnerabilities of Lee et al.’s scheme and proposed an enhanced version of their scheme. However, in 2009, Chang and Lee [26] showed that Wu et al.’s improved scheme still did not provide anonymity, as they claimed. Recently, in 2012, Li [27] proposed a more secure and efficient authentication scheme with roaming service and user anonymity for mobile communications. This scheme’s main characteristic is that the MU chooses PW_MU in the registration phase and sends it to the HA to perform other operations. Because the MU sends PW_MU to the HA, this solves the ID_MU and PW_MU problems encountered in traditional schemes. Li’s scheme is more efficient in terms of performance because it uses a lightweight elliptic curve Diffie-Hellman computation compared with traditional schemes that use RSA (Ron Rivest, Adi Shamir, and Leonard Adlema) [28] with certificates. However, Li’s scheme has two weaknesses: (1) ID_HA is transmitted using plaintext in the authentication phase and therefore an attacker can easily perform distributed denial-of-service attacks if ID_HA is intercepted; and (2) there exist some issues in how the session key is generated in the roaming phase. Specifically, the details of session key management are not shown and are left unaddressed in Li’s scheme [27].

This study proposes an elliptic curve–based authentication scheme with roaming service and user anonymity for mobile communications that overcomes the weaknesses of Li’s scheme [27] and ensures fair load-sharing of the session key computation in the authentication phase.

The remainder of this paper is organized as follows: In Section 2, we review Li’s scheme and analyze its weaknesses. In Section 3, we propose an elliptic-curve-based authentication scheme with roaming service and user anonymity for mobile communications. In Section 4, we use BAN-logic (Burrows-Abadi-Needham logic) to demonstrate the security of our proposed scheme. In Section 5, we analyze our proposed scheme, and in Section 6, we compare it with other schemes. Finally, Section 7 presents the conclusions of our study.

2. Preliminaries

In this section, we review Li’s scheme [27]. His scheme consists of three phases: registration, authentication, and roaming, of which the authentication phase is real-time online.

2.1. Li’s Scheme

For simplicity, we list the common notations used throughout Li’s scheme in Table 1.

Table 1. Notations used throughout Li’s scheme.

Notations	Descriptions
MU	A mobile user
HA	The home agent of a mobile user
FA	The foreign agent of the network
IDMU	The MU’s identity
PWMU	The MU’s password
N	A strong secret key of the HA
TA	Timestamp generated by an entity A
CertA	Certificate of an entity A
(X)K	Encryption of a message X using a symmetric key K
(PA,SA)	The asymmetric public key and private key pair of an entity A based on Elliptic curve cryptography (ECC)
EP	An elliptic curve equation, over a finite field p: y2 = x3 + ax + b mod p, where p > 216°, n > 2160, a and b are two integer elements and 4a3 + 27b2 mod p≠0
E	An elliptic curve equation of HA choose
p, n	Two large prime numbers
P	A base point with the order n over E
SKHF	A pre-shared symmetric key between HA and FA
⊕	Exclusive-OR (XOR) operation
H(.)	A collision-free one-way hash function
||	Concatenation

2.1.1. Registration Phase

R1. MU→HA: m_LR1{ID_MU, H(PW_MU⊕r_n)}

The MU chooses the identity ID_MU, password PW_MU, and a random number r_n; calculates H(PW_MU⊕r_n); and sends the registration request message {ID_MU, H(PW_MU⊕r_n)} to the HA.

R2. HA→MU: m_LR2{ID_HA, E_p, E, n, P, P_HA, z, H(.)}

When the registration request message {ID_MU, H(PW_MU⊕r_n)} is received from the MU, the HA calculates H(ID_MU||N) and z = H(PW_MU⊕r_n)⊕H(ID_MU||N). Then, the HA sends ID_HA, E_p, E, n, P, P_HA, z, and H(.) to the MU.

R3. MU: ID_HA, E_p, E, n, P, P_HA, z, H(.)

After the message {ID_HA, E_p, E, n, P, P_HA, z, H(.)} is received from the HA, the MU stores this information along with r_n onto the smart card. This completes the registration phase.

2.1.2. Authentication Phase

V1. MU→FA: m_LV1{X, IND, c₁, ID_HA, T_MU}

When the MU enters ID_MU and PW_MU, the smart card chooses a random number x and calculates X = xP, X₁ = xP_HA, Z = z⊕H(PW_MU⊕r_n), IND = ID_MU⊕H(X₁||T_MU), and c₁ = H(X₁||Z). T_MU is the MU’s current timestamp. Then, the MU sends the authentication request message {X, IND, c₁, ID_HA, T_MU} to the FA.

V2. FA→HA: m_LV2{X, IND, c₁, Y, T_MU, T_FA, MAC_FA}

When the authentication message is received from the MU, the FA checks the validity of the timestamp T_MU. If it is valid, FA chooses a random number y and calculates Y = yP and MAC_FA = H(X||IND||c₁||Y||T_MU||T_FA||SK_HF), where T_FA is the FA’s current timestamp and SK_HF is a session key between the HA and the FA. The FA then sends the message {X, IND, c₁, Y, T_MU, T_FA, MAC_FA} to the HA.

V3. HA→FA: m_LV3{MAC_HA, c’₂ = c₂⊕H(T_HA||SK_HF), T_HA}

When the authentication message is received from the FA, the HA checks the validity of the timestamp T_FA. If it is valid, the HA calculates H(X||IND||c₁||Y||T_MU||T_FA||SK_HF) and verifies whether H(X||IND||c₁||Y||T_MU||T_FA||SK_HF) is the same as the received MAC_FA. If it is not valid, the HA terminates the execution. Otherwise, the HA calculates X’₁ = XN, ID’_MU = IND⊕H(X’₁||T_MU), and c’₁ = H(X’₁||H(ID’_MU||N)) and checks whether the equation c’₁ = c₁ holds. If it is not valid, the HA terminates the execution. Otherwise, the HA calculates MAC_HA = H(X||Y||ID_FA||ID_HA||T_HA||SK_HF) and c₂ = H(X’₁||H(ID’_MU||N)||X||Y||ID_FA||ID_HA), where T_HA is the HA’s current timestamp. The HA then sends the message {MAC_HA, c’₂ = c₂⊕H(T_HA||SK_HF), T_HA} to the FA.

V4. FA→MU: m_LV4{Y, c₂, c₃ = (TCert_MU)_sk}

When the message is received from the HA, the FA checks the validity of the timestamp T_HA. If it is valid, the FA calculates H(X||Y||ID_FA||ID_HA||T_HA||SK_HF) and verifies whether H(X||Y||ID_FA||ID_HA||T_HA||SK_HF) is the same as the received MAC_HA. If it is not valid, the FA terminates the execution. Otherwise, the FA believes that the HA is a valid home agent and the MU is an authenticated user. The FA then calculates c₂ = c’₂⊕H(T_HA||SK_HF) and a session key sk = yX = xyP and sends the message {Y, c₂, c₃ = (TCert_MU)_sk} to the MU, where TCert_MU is a temporary certificate for the MU.

V5. MU: Y, c₂, c₃ = (TCert_MU)_sk

When a message is received from the FA, the MU calculates H(X’₁||H(ID’_MU||N)||X||Y||ID_FA||ID_HA) and verifies whether it is the same as the received c₂. If it is not valid, the MU terminates the execution. Otherwise, the MU believes that it is communicating with a legal FA. The MU subsequently calculates a session key sk’ = xY = xyP = sk and decrypts c₃. Finally, the MU obtains TCert_MU from the FA.

2.1.3. Roaming Phase

L1. MU→FA: m_LRo1{m_i, mac}

The MU calculates m_i = (TCert_MU||sk_i+1||Other)_ski and mac = H(TCert_MU||sk_i+1||Other) and sends the roaming message {m_i, mac} to the FA, where sk_i+1 is a session key for the next communication.

L2. FA: m_i, mac

When received the roaming message from the MU, the FA calculates the session key and decrypts m_i. The FA then checks the validity of mac. If it is valid, the FA updates the session key sk_i with sk_i+1 for the next communication.

2.2. Advantages of Li’s Scheme

Li’s scheme has two advantages. First, the MU calculates H(PW_MU⊕r_n) and sends this message to HA. In other words, the MU chooses PW_MU and sends it to the HA; this prevents PW_MU from being calculated easily, which was a shortcoming of previous schemes. Second, Li’s scheme is more efficient in terms of performance because it uses the lightweight elliptic curve Diffie-Hellman computation compared with other traditional schemes that use heavyweight asymmetric cryptosystems with certificates.

2.3. Weaknesses of Li’s Scheme

Li’s scheme has two weaknesses. First, because ID_HA is not properly hidden, an attacker can easily intercept it and determine the relationships among the MU, FA, and HA. In addition, it does not use an authentication mechanism between the MU and the FA, and therefore, for any message m₁ to the FA, the FA performs the appropriate processing and transfers the results to HA. Because of this feature, the attacker can flood a specific target (HA), intercept other people’s message (m₁) over the wireless network, and change the message timestamp T_MU. Although the message will not be verified through the HA, the attacker can do enough to cripple a specific target host (HA), namely, the attacker can perform a distributed denial-of-service attack. Second, Li’s scheme does not clearly define or address some important issues, such as the assignment of session key computation during the roaming phase and how to manage the various session keys for a large number of users. If there are hundreds of thousands of people in a wireless network environment, and each person’s session key is different, managing the keys is not trivial. Table 2 shows a detailed description of the weaknesses of Li’s scheme [18].

Table 2. Weaknesses of Li’s scheme.

Step	Phase	Descriptions
V1	Authentication phase	Because IDHA is transmitted in plaintext, the attacker can intercept messages and determine the relationship among the MU, FA, and HA. Then, the attacker can use a replay attack and target a specific object, namely the HA, by a distributed denial-of-service attack.
L2	Roaming phase	Li’s scheme does not clearly explain how to obtain corresponding session keys and the relationship between different users. So FA is impossible for a user to calculate the specific session key, and decrypt mi. Therefore, this scheme lacks integrity.

3. Proposed Scheme

The proposed scheme consists of three phases: registration, authentication, and roaming, of which the authentication phase is real-time online.

3.1. Notations

The proposed scheme uses the same notations as those in Table 1 and the new notations listed in Table 3.

Table 3. Additional notations.

Notations	Descriptions
PFA = b	A public key of the FA based on ECC
G1	Additive group on ECC
G2	Multiplicative group on ECC
H1	H1 = {0,1}*→Z*q
H2	H2 = {0,1}n→Znq
H3	H3 = G1→{0,1}*

3.2. Registration Phase

Figure 1 shows the registration phase of the proposed scheme. The detailed steps as follows.

Figure 1. Registration phase.

R1. MU→HA: m_R1{ID_MU, H₂(PW_MU⊕r_n)}

The MU chooses ID_MU, PW_MU, and a random number r_n and calculates H₂(PW_MU⊕r_n). Then, the MU sends the message {ID_MU, H₂(PW_MU⊕r_n)} to the HA.

R2. HA→MU: m_R2{ID_HA, E_p, E, n, P, P_HA, z_i, H(.), W_i}

When the message H₂(PW_MU⊕r_n) is received from the MU, the HA calculates z_i = H₂(PW_MU⊕r_n)⊕H₁(ID_MU||N||W_i)⊕H₃(W_i). Then, the HA chooses a random number w, calculates W_i = wP, and transmits {ID_HA, E_p, E, n, P, P_HA, z_i, W_i, H(.)} to the MU.

R3. MU: ID_HA, E_p, E, n, P, P_HA, z_i, W_i, H(.)

The MU enters W_i into his/her smart card, and the MU’s smart card contains ID_HA, E_p, E, n, P, P_HA, z_i, W_i, and H(.)

3.3. Authentication Phase

Figure 2 shows the authentication phase of the proposed scheme. The steps are detailed as follows.

Figure 2. Authentication phase.

V1. MU→FA: m_V1{A, U}

The U inserts the smart card into the card reader and enters ID_MU and PW_MU. Then, the smart card chooses a random number x and calculates X = xP, X₁ = xP_HA, ZP = [z_i⊕H₂(PW_MU⊕r_n)⊕H₃(W_i)]P, IND = ID_MU⊕H₁(X₁||T_MU), c₁ = H(X₁||Z), and A = aP, where T_MU is the MU’s timestamp. Subsequently, the MU calculates a shared key EC = aY = ayP, the message U = (W_i, X, IND, c₁, ID_HA, T_MU)_EC, and sends an authentication request message {A, U} to the FA.

V2. FA→HA: m_V2{W_i, X, IND, c₁, Y, T_MU, T_FA, MAC_FA}

The FA calculates a shared key yA = ayP = EC and decrypts U by using EC to obtain W_i, X, IND, c₁, Y, and T_MU. Then, the FA checks the validity of the timestamp T_MU. If it holds, the FA chooses a random number y and calculates Y = yP and MAC_FA = H₁(W_i||X||IND||c₁||Y||T_MU||T_FA||SK_HF), where T_FA is the FA’s current timestamp and SK_HF is the session key between the HA and the FA. This key is mainly used for signature verification. The FA then sends the message {W_i, X, IND, c₁, Y, T_MU, T_FA, MAC_FA} to the HA.

V3. HA→FA: m_V3{MAC_HA, MAC’_HA = MAC_HA⊕H₁(T_HA||SK_HF), T_HA}

The HA checks the validity of the timestamp T_FA. If it is valid, the HA checks if the calculated value MAC’_FA = H₁(W_i||X|| IND||c₁||Y||T_MU||T_FA||SK_HF) is the same as the received MAC_FA. If it is not valid, the HA terminates the execution. Otherwise, the HA calculates X’₁ = XN, ID’_MU = IND⊕H₁(X’₁||T_MU), and c’₁ = H₁(X’₁||H₁(ID’_MU||N||W_i)) and checks whether the equation c’₁ = c₁ holds. If it is not valid, the HA terminates the execution. Otherwise, the HA calculates MAC_HA = H₁(W_i||X||Y||ID_FA||ID_HA||T_HA||SK_HF), where T_HA is the HA’s current timestamp. The HA then sends the message {MAC_HA, MAC’_HA = MAC_HA⊕H₁(T_HA||SK_HF), T_HA} to the FA.

V4. FA→MU: m_V4{c₂ = (TCert_MU)_sk}

The HA checks the validity of the timestamp T_HA. If it is valid, the FA calculates MAC_HA = H₁(W_i||X||Y||ID_FA||ID_HA||T_HA||SK_HF) and verifies whether this value is the same as the received MAC_HA. If it is not valid, the FA terminates the execution. Otherwise, the FA believes that the MU is an authenticated user. The FA then calculates MAC_HA = MAC’_HA⊕H₁(T_HA||SK_HF), Y = yP, and sk = yX = xyP and sends the message {c₂ = (TCert_MU)_sk} to the MU, where TCert_MU is a temporary certificate from the FA to the MU.

V5. MU: Y, c₂ = (TCert_MU)_sk

The MU calculates a session key sk’ = xY = xyP = sk and decrypts c₂. Finally, the MU obtains TCert_MU from the FA.

3.4. Roaming Phase

Figure 3 shows the roaming phase of the proposed scheme. The steps are detailed as follows.

Figure 3. Roaming phase.

L1. MU→FA: m_Ro1{A, U}

The MU calculates m_i = (TCert_MU||sk_i+1||Other)_ski, mac = H(TCert_MU||sk_i+1||Other), and (m_i||mac||sk_i||T_MU)_EC and sends the message {A, U} to the FA, where sk_i+1 is a session key for the next communication and T_MU is the current timestamp.

L2. FA: A, U

The FA calculates aA = abP = EC and decrypts U to obtain m_i, mac, sk_i, and T_MU. The FA then checks the validity of T_MU. If it is valid, the FA decrypts m_i by using sk_i and calculates mac’ = H(TCert_MU||sk_i+1||Other). If the equation mac’ = mac holds, the FA updates the session key sk_i with sk_i+1 for the next communication.

4. BAN-Logic Analysis

4.1. Introduction to BAN-Logic

BAN-logic is used to establish session key security between the MU and the FA to prove that the session key is safeguarded in the authentication phase of our scheme. The main process has four proofs:

• MU believes the session key: MU←-SK-→FA
• MU believes that FA believed the session key: MU←-SK-→FA
• A believes the session key: MU←-SK-→FA
• FA believes that MU believed the session key: MU←-SK-→FA

According to the BAN-logic characteristics of the security analysis, the following basic symbolic representation rules are used [29,30,31]:

• (X, Y): X or Y is one part of the parameter (X, Y).
• <X>Y: X can be obtained through the secret parameter Y.
• {X}_K: X is encrypted under the key K.
• P←-K-→Q: P and Q may use the shared secret key K to communicate. The third party does not know the secret key K.
• P<=S=>Q: S is only known between P and Q. P and Q must use S to prove the identity of each other.

4.2. Rules of BAN-Logic

Freshness rule: If part of the message is fresh, then the whole message is also fresh.

Message meaning rule: K is a key shared between P and Q; therefore, if P sees an encrypted message, it must come from Q.

Nonce verification rule: If P believes that Q once said X, then P believes that Q once believed X. If X is fresh, then Q should still hold this belief.

Jurisdiction rule: If P trusts Q as an authority on X, then P should believe X if Q does so.

4.3. Authentication Proof Based on BAN-logic

We use the rules of BAN-logic to represent the authentication phase in our proposed scheme and describe these messages as follows:

• m_V1. MU→FA: {(<ID_MU>_H1(X1||TMU), <X₁, H₁(ID_MU||N||W_i)>_{H2(PWMU⊕rn), H3(Wi)}, W_i, X, ID_HA)}_EC
• m_V2. FA→HA: (<ID_MU>_H1(X1||TMU), <X₁, H₁(ID_MU||N||W_i)>_{H2(PWMU⊕rn), H3(Wi)}, W_i, X, Y)_{Ri}SKHF
• m_V3. HA→FA: {(W_i, X, Y, ID_HA, ID_FA)} _SKHF
• m_V4. FA→MU:{TCert_MU}_{<MU←-SK-→FA>}

To analyze our proposed scheme, we made the following assumptions without loss of generality:

A1: 

MU believes X.

A2: 

MU believes X₁.

A3: 

MU believes A.

A4: 

FA believes Y.

A5: 

FA believes R_i.

A6: 

HA believes W_i.

A7: 

MU believes MU<=^H(N)=>HA.

A8: 

HA believes MU<=^H(N)=>HA.

A9: 

FA believes FA <=^SK_HF=>HA.

A10: 

HA believes FA <=^SK_HF=>HA.

A11: 

MU believes MU←-^SK-→FA.

A12: 

FA believes (MU controls MU←-^SK-→FA).

A13: 

HA believes (MU controls MU←-^SK-→FA).

A14: 

HA believes (MU controls ID_MU).

A15: 

ID_MU is known only to user.

A16: 

MU believes TCert_MU.

A17: 

MU believes ID_MU.

A18: 

FA believes ID_FA.

A19: 

HA believes ID_HA.

We show the processes of the proofs as follows:

• By m_V1, A3, and A4, we apply the freshness rule to derive

  FA believes (<ID_MU>_H1(X1||TMU), <X₁, H₁(ID_MU||N||W_i)>_{H2(PWMU⊕rn), H3(Wi)}, W_i, X, ID_HA).

  (Statement 1)
• By m_V1, A1, and A6, we apply the nonce verification rule to derive

  FA believes that MU said (<ID_MU>_H1(X1||TMU), <X₁, H₁(ID_MU||N||W_i)>_{H2(PWMU⊕rn), H3(Wi)}, ID_HA).

  (Statement 2)
• By m_V2 and A10, we apply the message meaning rule to derive

  HA believes that FA said (<ID_MU>_H1(X1||TMU), <X₁, H₁(ID_MU||N||W_i)>_{H2(PWMU⊕rn), H3(Wi)}, W_i, X, Y)_{Ri}.

  (Statement 3)
• By m_V2, A1, A4, A5, and A6, we apply the nonce verification rule to derive

  HA believes that FA believes (<ID_MU>_H1(X1||TMU), <X₁, H₁(ID_MU||N||W_i)>_{H2(PWMU⊕rn), H3(Wi)}).

  (Statement 4)
• By Statement 4, we break the conjunction to obtain

  HA believes that FA believes <ID_MU>_H1(X1||TMU).

  (Statement 5)

  HA believes that FA believes <X₁, H₁(ID_MU||N||W_i)>_{H2(PWMU⊕rn), H3(Wi)}.

  (Statement 6)
• By Statement 5 and A2, we apply the message meaning rule and nonce verification rule to derive

  HA believes that MU believes ID_MU.

  (Statement 7)
• By Statement 7 and A14, we apply the jurisdiction rule to obtain

  HA believes ID_MU.

  (Statement 8)
• By Statement 8 and A15, we break the conjunction to obtain

  HA believes MU<=ID_MU=>HA.

  (Statement 9)
• By m_V3 and A9, we apply the message meaning rule to derive

  FA believes that HA said (W_i, X, Y, ID_HA, ID_FA).

  (Statement 10)
• By Statement 10, A1, A4, A5, and A6, we apply the nonce verification rule to derive

  FA believes that HA believes (ID_HA, ID_FA).

  (Statement 11)
• By Statement 11 and A18, we break the conjunction to obtain

  FA believes that HA believes ID_HA.

  (Statement 12)
• By Statement 12, we apply the jurisdiction rule to obtain

  FA believes ID_HA.

  (Statement 13)
• By m_V3, A1, A4, and A12, we break the conjunction to obtain

  FA believes that MU believes <MU←-^SK-→FA>.

  (Statement 14)
• By Statement 14, we apply the jurisdiction rule to obtain

  FA believes <MU←-^SK-→FA>.

  (Statement 15)
• By m_V4 and A16, we break the conjunction to obtain

  MU believes that FA believes <MU←-^SK-→FA>.

  (Statement 16)
• By Statement 14, 15, 16, and A11, we prove that the process of setting the session key is safe between the MU and the FA.

From the foregoing analysis, we can find a consistent result with assumption A11 and Statement 16. Therefore, this indicates that Assumption A11 is established, and this also proves that the process of setting the session key is safe between the MU and the FA in our proposed scheme.

5. Security Analysis

In the authentication phase of our proposed scheme, we improved the session key ID_HA by using symmetric encryption computation, compared with Li’s scheme that does not perform any encryption protection. Therefore, the anonymity level of the proposed scheme is even stronger than that of Li’s scheme. In other words, the security level increased from C2 to C3 (in [13], the C2 level means that the FA does not know the identity of the anonymous user, and the C3 level means that the attacker does not know the relationship among the MU, FA and HA) Hence, the attacker cannot intercept ID_HA and cannot use replay attacks to paralyze the HA. In addition, for the problem of generating the session key in the roaming phase, our approach lets the MU encrypt the calculated session key by using the shared key EC and transmits it to the FA. Therefore, no problems are encountered during transmission. The FA does not need to recalculate the session key, and therefore, the amount of computation is reduced because there is no additional matching of session keys to individual MUs. Finally, the computation of the session key is balanced between the sender and the receiver in the authentication phase. In this section, we show that the proposed scheme can withstand some possible attacks and affords several good security properties.

5.1. Resist Replay Attack

The proposed scheme has a timestamp in each transmission process, including the authentication (V1→V5) and roaming (L1→L2) phases. In addition, V1 and L1 are encrypted by using the shared key EC, and therefore, we can imagine that V1 and L1 are secure channels. Therefore, even if an attacker intercepts the message, the message cannot be broken in this secure channel. This allows our proposed scheme to resist replay attacks.

5.2. Resist Distributed Denial-of-Service Attack

The attacker can intercept the cipher text of message m₁ that contains the timestamp T_MU and ID_HA. However, the attacker cannot decrypt the cipher text and cannot forge the timestamp T_MU and specific object ID_HA. Then, the attacker cannot use a distributed denial-of-service attack to attack the HA.

5.3. Achieve High Level of Anonymity

In a wireless environment, messages can be intercepted easily. In [27], the MU sends the authentication message m₁ to the FA in the authentication phase. The message content is not encrypted, and therefore, the attacker easily intercepts ID_HA and then determines the relationship among the MA, FA, and HA. When the relationship is known, the level of anonymity of the entire scheme is lowered, and the attacker can successfully use the attacks described in Section 4.2 and Section 4.3. In our proposed scheme, when the MU wants to send the message to the FA, it will calculate the shared key EC and then encrypt the message by using EC to achieve the security and integrity requirements. Only the FA possesses the EC, and therefore, other people cannot decrypt this cipher text. Therefore, our scheme can achieve the C3 level requirement of high anonymity.

5.4. Solve Corresponding Problem of Session Key in Roaming Phase

In Li’s scheme, when the FA receives the roaming message, it calculates the session key, decrypts the cipher text m_i, and performs a comparison with mac. However, there are in fact hundreds of thousands of people in a wireless network environment, and Li’s scheme did not clearly discuss how to calculate the session key in the roaming phase. Each person’s session key is not the same, and it did not clarify how to calculate one hundred thousand different session keys or save them in the table. It can be saved as a form, but this may pose some risks, which need to be discussed further. In the proposed scheme, the FA can decrypt the cipher text m_i by using the session key calculated by the MU in the authentication phase. On the other hand, we encrypt the session key by using EC calculated by the MU in the authentication phase. In this manner, our scheme resists data disclosure to attackers, who intercept the session key during the transfer processes. Even if the message is intercepted, it can only reveal the cipher text. Therefore, the proposed scheme solves the corresponding problem of the session key.

5.5. Balanced Calculation of Session Key

The load of session key computation is balanced between the senders and the receivers in the authentication phase. Table 4 shows the balanced calculation of the session key.

Table 4. Balanced calculation of the session key.

Sender	Receiver
V1: MU calculates X = xP and EC = aPFA = abP	V2: FA calculates Y = yP and EC = bA = abP
V2: FA calculates MACFA	V3: HA calculates MACFA
V3: HA calculates MACHA	V4: FA calculates MACHA
V4: FA calculates ski = xY and c2	V5: MU calculates ski = xY and c2

6. Comparison with Related Works

Table 5 shows that the proposed scheme can resist internal attack, replay attack, and distributed denial-of-service attack for the specific object while maintaining a high level of anonymity. It provides a balanced calculation and solves the issue of session key management. Li’s scheme cannot resist replay attack or distributed denial-of-service attack for the specific object while also providing less anonymity of level C2. Li’s scheme did not address the problem of session key management as calculated by the FA in the roaming phase. However, our proposed scheme resolves these issues. Our method maintains the advantages and weaknesses of Zhu and Ma’s [24] scheme from 2004 and Lee et al.’s [25] scheme from 2006.

Table 5. Comparison with related works.

Secure Item	Li [27]	Lee et al. [25]	Zhu-Ma [24]	Our Scheme
Resist internal attack	Yes	No	No	Yes
Resist replay attack	No	Yes	Yes	Yes
Resist distributed denial-of-service attack for specific object	No	Yes	Yes	Yes
Achieve a high level of anonymity	No	No	No	Yes
Session key providing anonymity and authentication	No	No	No	Yes
Balanced calculation of the session key	Yes	No	No	Yes

7. Conclusions

This study proposes an elliptic-curve-based authentication scheme with roaming service and user anonymity for mobile communication. It overcomes the weaknesses of Li’s scheme [27] and provides balanced session key computation in the authentication phase. We use an elliptic curve in the calculations, and therefore, the security performance is good. Although our computational complexity is comparable to that of Li’s scheme, our scheme reduces the load of MU calculation by moving this calculation to the HA, which has better computing performance. Finally, the advantages and weaknesses of our scheme are compared with those of other related works, and it demonstrates improved security, anonymity, and resistance to attacks without having additional computational complexity.