A Novel Mobile Communications Authentication Scheme with Roaming Service and User Anonymity

Abstract: Many novel, effective, and efficient applications and networking services are being developed for the Social Internet of Things. Recently, Li proposed a more secure and efficient authentication scheme with roaming service and user anonymity for mobile communications. Li's security analysis of the key agreement phase is sufficiently convincing; however, an attacker can intercept the identity of a mobile user's home agent in the authentication phase. Using this information, the attacker can mount distributed denial-of-service attacks in the roaming phase by replaying messages at the network's foreign agent and the mobile user's home agent. Li's method also has some shortcomings regarding anonymity that we aim to address. To overcome these issues, this study proposes an elliptic curve-based anonymous login method for the authentication phase of wireless roaming. The problems in the roaming phase are resolved, and the approach provides balanced session key computation between senders and receivers. Burrows-Abadi-Needham logic (BAN-logic) is used to verify the security of the proposed scheme. The proposed scheme affords good security, efficiency, and integrity while maintaining anonymity.


Introduction
Wireless networks and smartphones have undergone rapid development, allowing the same device to be used across different networks [1,2]. Users such as business travellers or tourists visiting a new area can use a smart card to register with their home agents. Such cards use an anonymous connection to register with the home agent through the foreign agent server [3,4]. After validation, a temporary certificate is sent to the user. The user may use this temporary certificate for network roaming via the foreign agent server. This approach can provide billing information while maintaining anonymity [5][6][7][8].
In general, an anonymous roaming scheme has three entities: mobile user (MU), foreign agent (FA), and home agent (HA) [9][10][11][12][13]. During communication, the user must remain anonymous to the other entities. Such a scheme consists of three phases: registration (initialization phase), authentication (first phase), and roaming (second phase) [14][15][16]. When an MU roams anonymously in a foreign network, one of two methods can be used: real-time online or offline. Real-time online means that when a user requests roaming permission, the FA immediately contacts the HA to verify the user's legitimacy. The FA does not learn the user's true identity but only whether the user is legitimate.
Offline means that when the user requests roaming permission, the FA verifies the user's legitimacy directly from the information obtained during the registration phase. In other words, this method does not use a real-time connection with the HA to verify the user, and the FA still does not learn the user's true identity [17][18][19][20][21][22][23]. In this study, the mobile phone roaming anonymous login is based on the real-time online method.
In 2004, Zhu and Ma [24] first proposed an authentication scheme with anonymity for wireless environments. Although they claimed that their scheme was secure, some weaknesses remained. An attacker can obtain r (r = H(N||ID_HA)⊕H(N||ID_MU)⊕ID_HA⊕ID_MU) by registering and computing the value with the HA's private key, or by intercepting the messages n of other legitimate users; by exclusive-oring r with the value derived from the HA's private key, the attacker obtains the legitimate user's identity ID_MU and password PW_MU. In other words, this scheme does not provide anonymity. In 2006, Lee et al. [25] showed several security flaws in Zhu and Ma's scheme and improved it. Unfortunately, the HA still provided PW_MU to the MU in the registration phase, so PW_MU could still be calculated. In 2008, Wan et al. [13] noted the security vulnerabilities of Lee et al.'s scheme and proposed an enhanced version. However, in 2009, Chang and Lee [26] showed that Wan et al.'s improved scheme still did not provide the anonymity it claimed. More recently, in 2012, Li [27] proposed a more secure and efficient authentication scheme with roaming service and user anonymity for mobile communications. The main characteristic of this scheme is that the MU chooses PW_MU in the registration phase and sends a value derived from it to the HA, which then performs the remaining operations. Because the MU, not the HA, chooses PW_MU, this solves the ID_MU and PW_MU problems encountered in the earlier schemes. Li's scheme is also more efficient because it uses a lightweight elliptic curve Diffie-Hellman computation rather than RSA (Rivest, Shamir, and Adleman) [28] with certificates. However, Li's scheme has two weaknesses: (1) ID_HA is transmitted in plaintext in the authentication phase, so an attacker who intercepts ID_HA can easily perform distributed denial-of-service attacks; and (2) there are issues in how the session key is handled in the roaming phase. Specifically, the details of session key management are not shown and are left unaddressed in Li's scheme [27].
This study proposes an elliptic curve-based authentication scheme with roaming service and user anonymity for mobile communications that overcomes the weaknesses of Li's scheme [27] and ensures fair load-sharing of the session key computation in the authentication phase.
The remainder of this paper is organized as follows. In Section 2, we review Li's scheme and analyze its weaknesses. In Section 3, we propose an elliptic curve-based authentication scheme with roaming service and user anonymity for mobile communications. In Section 4, we use BAN-logic (Burrows-Abadi-Needham logic) to demonstrate the security of the proposed scheme. In Section 5, we analyze the proposed scheme, and in Section 6, we compare it with other schemes. Finally, Section 7 presents the conclusions of this study.

Preliminaries
In this section, we review Li's scheme [27].His scheme consists of three phases: registration, authentication, and roaming, of which the authentication phase is real-time online.

Li's Scheme
For simplicity, we list the common notations used throughout Li's scheme in Table 1.

Registration Phase of Li's Scheme
After the message {ID_HA, E_p, E, n, P, P_HA, z, H(.)} is received from the HA, the MU stores this information along with r_n on the smart card. This completes the registration phase.

V5. MU: Y, c_2, c_3 = (TCert_MU)_sk
When the message is received from the FA, the MU calculates H(X_1||Z||X||Y||ID_FA||ID_HA), which equals the HA's c_2 = H(X'_1||H(ID'_MU||N)||X||Y||ID_FA||ID_HA) for a legitimate user, and verifies whether it is the same as the received c_2. If it is not, the MU terminates the execution. Otherwise, the MU believes that it is communicating with a legal FA. The MU then calculates the session key sk' = xY = xyP = sk and decrypts c_3. Finally, the MU obtains TCert_MU from the FA.

Roaming Phase of Li's Scheme

L1. MU→FA: m_LRo1 {m_i, mac}
The MU calculates m_i = (TCert_MU||sk_{i+1}||Other)_{sk_i} and mac = H(TCert_MU||sk_{i+1}||Other) and sends the roaming message {m_i, mac} to the FA, where sk_{i+1} is the session key for the next communication.

L2. FA: m_i, mac
When the roaming message is received from the MU, the FA calculates the session key sk_i and decrypts m_i. The FA then checks the validity of mac. If it is valid, the FA replaces the session key sk_i with sk_{i+1} for the next communication.

Advantages of Li's Scheme
Li's scheme has two advantages. First, the MU calculates H(PW_MU⊕r_n) and sends this value to the HA. In other words, the MU chooses PW_MU itself, so PW_MU cannot be calculated easily, which was a shortcoming of previous schemes. Second, Li's scheme is more efficient because it uses the lightweight elliptic curve Diffie-Hellman computation rather than the heavyweight asymmetric cryptosystems with certificates used by traditional schemes.

Weaknesses of Li's Scheme
Li's scheme has two weaknesses. First, because ID_HA is not hidden, an attacker can easily intercept it and determine the relationship among the MU, FA, and HA. In addition, there is no authentication between the MU and the FA, so for any message m_1 sent to the FA, the FA performs the required processing and forwards the result to the HA. Because of this, an attacker can flood a specific target (the HA): the attacker intercepts other users' messages (m_1) over the wireless network, changes the timestamp T_MU so that the FA accepts them as fresh, and resends them. Although the HA will fail to verify these messages, the attacker can still generate enough traffic to cripple the target host (the HA); that is, the attacker can mount a distributed denial-of-service attack. Second, Li's scheme does not clearly define or address some important issues, such as how the session key is computed during the roaming phase and how the session keys of a large number of users are managed. If there are hundreds of thousands of users in a wireless network environment, each with a different session key, managing the keys is not trivial. Table 2 gives a detailed description of the weaknesses of Li's scheme [27].

Table 2. Weaknesses of Li's scheme.

Step | Phase | Description
V1 | Authentication phase | Because ID_HA is transmitted in plaintext, the attacker can intercept messages and determine the relationship among the MU, FA, and HA. The attacker can then replay messages against a specific target, namely the HA, as a distributed denial-of-service attack.
L2 | Roaming phase | Li's scheme does not explain how the FA obtains the session key that corresponds to a particular user, nor how the keys of different users are kept apart. The FA therefore cannot determine which session key to use to decrypt m_i, so the scheme lacks integrity.

Proposed Scheme
The proposed scheme consists of three phases: registration, authentication, and roaming, of which the authentication phase is real-time online.

Notations
The proposed scheme uses the same notations as those in Table 1 and the new notations listed in Table 3.

Registration Phase
Figure 1 shows the registration phase of the proposed scheme. The detailed steps are as follows.

R1. MU→HA: m_R1 {ID_MU, H_2(PW_MU⊕r_n)}
The MU chooses ID_MU, PW_MU, and a random number r_n and calculates H_2(PW_MU⊕r_n). The MU then sends the registration request message {ID_MU, H_2(PW_MU⊕r_n)} to the HA.

R2. HA→MU: m_R2 {ID_HA, E_p, E, n, P, P_HA, z_i, W_i, H(.)}
When the message {ID_MU, H_2(PW_MU⊕r_n)} is received from the MU, the HA chooses a random number w and calculates W_i = wP. The HA then calculates z_i = H_2(PW_MU⊕r_n)⊕H_1(ID_MU||N||W_i)⊕H_3(W_i), where N is the HA's private key, and transmits {ID_HA, E_p, E, n, P, P_HA, z_i, W_i, H(.)} to the MU. The MU stores these values together with r_n on the smart card.


Authentication Phase
Figure 2 shows the authentication phase of the proposed scheme.The steps are detailed as follows.

V1. MU→FA: m_V1 {A, U}
The MU inserts the smart card into the card reader and enters ID_MU and PW_MU. The smart card chooses random numbers x and a and calculates X = xP, X_1 = xP_HA, Z = z_i⊕H_2(PW_MU⊕r_n)⊕H_3(W_i) (which equals H_1(ID_MU||N||W_i)), IND = ID_MU⊕H_1(X_1||T_MU), c_1 = H_1(X_1||Z), and A = aP, where T_MU is the MU's current timestamp. The MU then calculates the shared key EC = aP_FA = abP from the FA's public key P_FA = bP, encrypts U = (W_i, X, IND, c_1, ID_HA, T_MU)_EC, and sends the authentication request message {A, U} to the FA. ID_HA and T_MU therefore never appear in plaintext on the wireless link.

V2. FA→HA: m_V2 {W_i, X, IND, c_1, Y, T_MU, T_FA, MAC_FA}
The FA calculates the shared key EC = bA = abP and decrypts U with EC to obtain W_i, X, IND, c_1, ID_HA, and T_MU. The FA then checks the validity of the timestamp T_MU. If it holds, the FA chooses a random number y and calculates Y = yP and MAC_FA = H_1(W_i||X||IND||c_1||Y||T_MU||T_FA||SK_HF), where T_FA is the FA's current timestamp and SK_HF is the key shared between the HA and the FA, used to authenticate the messages exchanged between them. The FA then sends the message {W_i, X, IND, c_1, Y, T_MU, T_FA, MAC_FA} to the HA.


Roaming Phase
Figure 3 shows the roaming phase of the proposed scheme.The steps are detailed as follows.
L1. MU→FA: m_Ro1 {A, U}
The MU calculates m_i = (TCert_MU||sk_{i+1}||Other)_{sk_i} and mac = H(TCert_MU||sk_{i+1}||Other), where sk_{i+1} is the session key for the next communication. The MU then chooses a random number a, calculates A = aP and the shared key EC = aP_FA = abP, and encrypts U = (m_i||mac||sk_i||T_MU)_EC, where T_MU is the current timestamp. The MU sends the message {A, U} to the FA.

L2. FA: A, U
The FA calculates EC = bA = abP and decrypts U to obtain m_i, mac, sk_i, and T_MU. The FA then checks the validity of T_MU. If it is valid, the FA decrypts m_i with sk_i and calculates mac' = H(TCert_MU||sk_{i+1}||Other). If mac' = mac holds, the FA replaces the session key sk_i with sk_{i+1} for the next communication.
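The registration, authentication (V1 to V5) and roaming (L1 to L2) exchanges of the proposed scheme, run end to end by both sides, as an added example. This is illustrative code written for this page, not the paper's own implementation. The paper fixes neither the curve, the hash functions, the symmetric cipher (.)_K, nor how the MU obtains the FA's b for EC = abP, so the example assumes secp256k1, three domain-separated SHA-256 instances for H_1, H_2 and H_3, an encrypt-then-MAC construction (SHA-256 keystream plus HMAC tag) for (.)_K, a long-term FA public key P_FA = bP known to the MU, and a pre-shared SK_HF between the HA and the FA. The identities, password and TCert_MU value are constructed test data.

```python
# Added example, not code from the paper: a runnable model of the proposed scheme's
# registration, authentication (V1-V5) and roaming (L1-L2) phases. Assumed, because the
# paper leaves them open: curve secp256k1; H_1/H_2/H_3 = domain-separated SHA-256;
# (.)_K = encrypt-then-MAC over a SHA-256 keystream; P_FA = bP is the FA's long-term
# public key, so EC = aP_FA = bA = abP; SK_HF is pre-shared between the HA and the FA.
import hashlib, hmac, os, secrets, struct, time

P_MOD = 2**256 - 2**32 - 977                                   # secp256k1 field prime
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):                                              # affine add; None = infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P_MOD == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P_MOD) % P_MOD
    else:      lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P_MOD) % P_MOD
    x = (lam * lam - p[0] - q[0]) % P_MOD
    return (x, (lam * (p[0] - x) - p[1]) % P_MOD)

def ec_mul(k, p):                                              # double-and-add scalar mult
    r = None
    while k:
        if k & 1: r = ec_add(r, p)
        p, k = ec_add(p, p), k >> 1
    return r

def rand_scalar(): return secrets.randbelow(N_ORD - 1) + 1
def pt(p): return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")   # point -> 64 bytes
def unpt(b): return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big"))
def sc(k): return k.to_bytes(32, "big")
def H(tag, *parts): return hashlib.sha256(tag + b"".join(parts)).digest()  # H_1..H_3 by tag
def xor(a, b): return bytes(u ^ v for u, v in zip(a, b))
def pack(*parts): return b"".join(struct.pack(">H", len(p)) + p for p in parts)
def unpack(blob):                                              # inverse of pack
    out, n = [], 0
    while n < len(blob):
        ln = struct.unpack(">H", blob[n:n + 2])[0]; out.append(blob[n + 2:n + 2 + ln]); n += 2 + ln
    return out
def ts(): return struct.pack(">Q", int(time.time()))
def fresh(t, window=60): return abs(int(time.time()) - struct.unpack(">Q", t)[0]) <= window

def keystream(key, nonce, n):
    return b"".join(H(b"ks", key, nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]
def enc(key, msg):                                             # (msg)_key = nonce||ct||tag
    nonce = os.urandom(16); ct = xor(msg, keystream(key, nonce, len(msg)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def dec(key, blob):                                            # None when the tag fails
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()): return None
    return xor(ct, keystream(key, nonce, len(ct)))

def run(tamper_v1=False):
    """One full run (registration, V1-V5, L1-L2); returns what each party concluded."""
    ID_MU, ID_FA, ID_HA = b"alice".ljust(32, b"\0"), b"fa-roma", b"ha-taipei"  # constructed
    PW = b"correct horse".ljust(32, b"\0")
    N, b, SK_HF = rand_scalar(), rand_scalar(), os.urandom(32)   # HA key, FA key, HA-FA key
    P_HA, P_FA = ec_mul(N, G), ec_mul(b, G)
    r_n = os.urandom(32); hpw = H(b"2", xor(PW, r_n))            # R1: MU sends H_2(PW xor r_n)
    w = rand_scalar(); W_i = pt(ec_mul(w, G))                    # R2: HA picks w, W_i = wP
    z_i = xor(xor(hpw, H(b"1", ID_MU, sc(N), W_i)), H(b"3", W_i))
    # V1 MU->FA {A, U}: ID_HA and T_MU travel only inside U = (...)_EC
    x, a = rand_scalar(), rand_scalar(); X, A = ec_mul(x, G), ec_mul(a, G)
    X1 = pt(ec_mul(x, P_HA)); T_MU = ts()
    Z = xor(xor(z_i, H(b"2", xor(PW, r_n))), H(b"3", W_i))       # = H_1(ID_MU||N||W_i)
    IND, c1 = xor(ID_MU, H(b"1", X1, T_MU)), H(b"1", X1, Z)
    U = enc(pt(ec_mul(a, P_FA)), pack(W_i, pt(X), IND, c1, ID_HA, T_MU))
    if tamper_v1: U = U[:40] + bytes([U[40] ^ 1]) + U[41:]        # attacker alters the ciphertext
    # V2 FA->HA: EC = bA, open U, check T_MU, add Y and MAC_FA keyed with SK_HF
    body = dec(pt(ec_mul(b, A)), U)
    if body is None: return dict(fa_accepted=False)              # nothing is forwarded to the HA
    W_b, X_b, IND, c1, ID_HA_b, T_MU = unpack(body)
    if not fresh(T_MU): return dict(fa_accepted=False)
    y = rand_scalar(); Y = pt(ec_mul(y, G)); T_FA = ts()
    MAC_FA = H(b"1", W_b, X_b, IND, c1, Y, T_MU, T_FA, SK_HF)
    # V3 HA->FA: verify MAC_FA, recover ID_MU from IND, recheck c_1, answer with MAC_HA
    assert fresh(T_FA) and MAC_FA == H(b"1", W_b, X_b, IND, c1, Y, T_MU, T_FA, SK_HF)
    X1p = pt(ec_mul(N, unpt(X_b))); ID_p = xor(IND, H(b"1", X1p, T_MU))
    if H(b"1", X1p, H(b"1", ID_p, sc(N), W_b)) != c1: return dict(fa_accepted=False, ha_accepted=False)
    T_HA = ts(); MAC_HA = H(b"1", W_b, X_b, Y, ID_FA, ID_HA, T_HA, SK_HF)
    MAC_HA_p = xor(MAC_HA, H(b"1", T_HA, SK_HF))
    # V4 FA->MU {Y, c_2}: check T_HA and both copies of MAC_HA, then sk = yX
    assert fresh(T_HA) and xor(MAC_HA_p, H(b"1", T_HA, SK_HF)) == MAC_HA
    assert MAC_HA == H(b"1", W_b, X_b, Y, ID_FA, ID_HA_b, T_HA, SK_HF)
    sk_fa = pt(ec_mul(y, unpt(X_b))); TCert = b"TCERT:" + os.urandom(8); c2 = enc(sk_fa, TCert)
    sk_mu = pt(ec_mul(x, unpt(Y))); tcert_mu = dec(sk_mu, c2)    # V5 MU: sk' = xY, open c_2
    # L1 MU->FA {A', U'}: sk_{i+1} travels under sk_i, and all of it under a fresh EC'
    sk_next, other = os.urandom(32), b"billing"
    m_i, mac = enc(sk_mu, pack(tcert_mu, sk_next, other)), H(b"1", tcert_mu, sk_next, other)
    a2 = rand_scalar(); A2 = ec_mul(a2, G)
    U2 = enc(pt(ec_mul(a2, P_FA)), pack(m_i, mac, sk_mu, ts()))
    # L2 FA: EC' = bA', open U', check T, open m_i with the delivered sk_i, verify mac, rotate
    m_b, mac_b, sk_b, T2 = unpack(dec(pt(ec_mul(b, A2)), U2))
    tc, nxt, oth = unpack(dec(sk_b, m_b))
    assert fresh(T2) and mac_b == H(b"1", tc, nxt, oth)
    return dict(fa_accepted=True, ha_accepted=True, ha_recovered_id=(ID_p == ID_MU),
                keys_match=(sk_fa == sk_mu), tcert_ok=(tcert_mu == TCert), fa_next_key=(nxt == sk_next))
```

Calling run() returns a dict in which every field is True: the HA recovers ID_MU from IND and accepts c_1, the FA and the MU agree on sk = xyP, the MU obtains TCert_MU, and after L2 the FA holds sk_{i+1}. run(tamper_v1=True) flips one ciphertext bit of U, and the FA stops at V2 because the tag no longer verifies, so nothing is forwarded to the HA; this is the property the denial-of-service argument of Section 5 relies on. One practical caveat: freshness here is a time window, so a deployed FA would also remember the (W_i, T_MU) pairs it has already accepted inside the window, since a copy of U replayed before the window closes still decrypts and still carries a timestamp within range.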

Introduction to BAN-Logic
BAN-logic is used to prove that the session key established between the MU and the FA in the authentication phase of our scheme is secure. The proof establishes four goals:
a. MU believes MU ←SK→ FA (the MU believes the session key).
b. MU believes FA believes MU ←SK→ FA.
c. FA believes MU ←SK→ FA (the FA believes the session key).
d. FA believes MU believes MU ←SK→ FA.
According to the BAN-logic characteristics of the security analysis, the following basic symbolic representation rules are used [29][30][31]:
1. (X, Y): X or Y is one part of the parameter (X, Y).
2. <X>Y: X can be obtained through the secret parameter Y.
3. {X}K: X is encrypted under the key K.
4. P ←K→ Q: P and Q may use the shared secret key K to communicate. A third party does not know the secret key K.
From the foregoing analysis, we obtain a result consistent with Assumption A11 and Statement 16. Therefore, Assumption A11 is established, which proves that the process of setting up the session key between the MU and the FA in the proposed scheme is safe.

Security Analysis
In the authentication phase of the proposed scheme, ID_HA is no longer sent in plaintext: the whole V1 payload, including ID_HA, is encrypted under the shared key EC, whereas Li's scheme applies no encryption to this message. The anonymity of the proposed scheme is therefore stronger than that of Li's scheme; in other words, the security level rises from C2 to C3 (in [13], level C2 means that the FA does not learn the identity of the anonymous user, and level C3 means that an attacker cannot learn the relationship among the MU, FA, and HA). Hence, the attacker cannot intercept ID_HA and cannot use replayed messages to paralyze the HA. For the session key in the roaming phase, the MU encrypts the session key it has computed under the shared key EC and transmits it to the FA, so no problem arises during transmission. The FA does not need to recompute the session key, and the amount of computation is reduced because no additional matching of session keys to individual MUs is needed. Finally, the computation of the session key is balanced between the sender and the receiver in the authentication phase. In this section, we show that the proposed scheme withstands several possible attacks and affords several good security properties.

Resist Replay Attack
Every message of the proposed scheme carries a timestamp, in both the authentication (V1 to V5) and roaming (L1 to L2) phases, and the receiver rejects any message whose timestamp is not fresh. In addition, the V1 and L1 messages are encrypted under the shared key EC, so the timestamp inside them can be neither read nor modified by an attacker who intercepts the message; V1 and L1 can thus be regarded as a secure channel. A replayed message therefore fails the timestamp check, and the proposed scheme resists replay attacks.

Resist Distributed Denial-of-Service Attack
The attacker can intercept the ciphertext U of message V1, which carries the timestamp T_MU and ID_HA. However, the attacker can neither decrypt U nor forge a fresh T_MU, and cannot learn the target ID_HA. Consequently, the attacker cannot mount a distributed denial-of-service attack against the HA by resending modified requests.

Achieve High Level of Anonymity
In a wireless environment, messages can be intercepted easily. In [27], the MU sends the authentication message m_1 to the FA in the authentication phase. The message content is not encrypted, so the attacker easily intercepts ID_HA and then determines the relationship among the MU, FA, and HA. Once the relationship is known, the anonymity of the entire scheme is lowered, and the attacker can successfully mount the replay and distributed denial-of-service attacks described above. In the proposed scheme, when the MU wants to send a message to the FA, it calculates the shared key EC and encrypts the message under EC to meet the confidentiality and integrity requirements. Only the FA possesses EC, so nobody else can decrypt this ciphertext. Therefore, our scheme achieves the C3 level of anonymity.

Solve Corresponding Problem of Session Key in Roaming Phase
In Li's scheme, when the FA receives the roaming message, it calculates the session key, decrypts the ciphertext m_i, and compares the result with mac. However, a wireless network environment may serve hundreds of thousands of users, and Li's scheme does not discuss how the FA obtains the session key in the roaming phase. Each user's session key is different, and the scheme does not clarify how one hundred thousand different session keys are computed or stored in a table. They could be stored in a table, but that poses risks of its own that would need further discussion. In the proposed scheme, the FA decrypts the ciphertext m_i with the session key sk_i that the MU delivers in the roaming message, and that session key is itself encrypted under the key EC derived in the same way as in the authentication phase. In this manner, an attacker who intercepts the transfer learns nothing about the session key; even if the message is intercepted, only the ciphertext is revealed. Therefore, the proposed scheme solves the problem of matching session keys to users.

Balanced Calculation of Session Key
The load of session key computation is balanced between the senders and the receivers in the authentication phase.Table 4 shows the balanced calculation of the session key.

Comparison with Related Works
Table 5 shows that the proposed scheme resists internal attack, replay attack, and distributed denial-of-service attack against a specific target while maintaining a high level of anonymity. It provides balanced computation and solves the issue of session key management. Li's scheme resists neither replay attack nor distributed denial-of-service attack against a specific target, and provides only the lower anonymity level C2. Li's scheme also does not address how the FA manages session keys in the roaming phase. The proposed scheme resolves these issues. Table 5 also compares the advantages and weaknesses of Zhu and Ma's scheme [24] from 2004 and Lee et al.'s scheme [25] from 2006.

Conclusions
This study proposes an elliptic curve-based authentication scheme with roaming service and user anonymity for mobile communication. It overcomes the weaknesses of Li's scheme [27] and provides balanced session key computation in the authentication phase. All key computations are elliptic curve operations, which gives good security per unit of computation. Although our computational complexity is comparable to that of Li's scheme, our scheme reduces the MU's computational load by moving computation to the HA, which has greater computing resources. Finally, the advantages and weaknesses of our scheme are compared with those of related works, and the comparison shows improved security, anonymity, and resistance to attacks without additional computational complexity.

Authentication Phase of Li's Scheme

V1. MU→FA: m_LV1 {X, IND, c_1, ID_HA, T_MU}
When the MU enters ID_MU and PW_MU, the smart card chooses a random number x and calculates X = xP, X_1 = xP_HA, Z = z⊕H(PW_MU⊕r_n), IND = ID_MU⊕H(X_1||T_MU), and c_1 = H(X_1||Z), where T_MU is the MU's current timestamp. The MU then sends the authentication request message {X, IND, c_1, ID_HA, T_MU} to the FA.

V2. FA→HA: m_LV2 {X, IND, c_1, Y, T_MU, T_FA, MAC_FA}
When the authentication message is received from the MU, the FA checks the validity of the timestamp T_MU. If it is valid, the FA chooses a random number y and calculates Y = yP and MAC_FA = H(X||IND||c_1||Y||T_MU||T_FA||SK_HF), where T_FA is the FA's current timestamp and SK_HF is a session key between the HA and the FA. The FA then sends the message {X, IND, c_1, Y, T_MU, T_FA, MAC_FA} to the HA.

V3. HA→FA: m_LV3 {MAC_HA, c'_2 = c_2⊕H(T_HA||SK_HF), T_HA}
When the authentication message is received from the FA, the HA checks the validity of the timestamp T_FA. If it is valid, the HA calculates H(X||IND||c_1||Y||T_MU||T_FA||SK_HF) and verifies whether it is the same as the received MAC_FA. If it is not, the HA terminates the execution. Otherwise, the HA calculates X'_1 = XN, ID'_MU = IND⊕H(X'_1||T_MU), and c'_1 = H(X'_1||H(ID'_MU||N)) and checks whether c'_1 = c_1 holds. If it does not, the HA terminates the execution. Otherwise, the HA calculates MAC_HA = H(X||Y||ID_FA||ID_HA||T_HA||SK_HF) and c_2 = H(X'_1||H(ID'_MU||N)||X||Y||ID_FA||ID_HA), where T_HA is the HA's current timestamp. The HA then sends the message {MAC_HA, c'_2 = c_2⊕H(T_HA||SK_HF), T_HA} to the FA.

V4. FA→MU: m_LV4 {Y, c_2, c_3 = (TCert_MU)_sk}
When the message is received from the HA, the FA checks the validity of the timestamp T_HA. If it is valid, the FA calculates H(X||Y||ID_FA||ID_HA||T_HA||SK_HF) and verifies whether it is the same as the received MAC_HA. If it is not, the FA terminates the execution. Otherwise, the FA believes that the HA is a valid home agent and that the MU is an authenticated user. The FA then calculates c_2 = c'_2⊕H(T_HA||SK_HF) and the session key sk = yX = xyP and sends the message {Y, c_2, c_3 = (TCert_MU)_sk} to the MU, where TCert_MU is a temporary certificate for the MU.

V5. MU: Y, c_2, c_3 = (TCert_MU)_sk
The MU verifies c_2, calculates the session key sk' = xY = xyP = sk, decrypts c_3, and obtains TCert_MU from the FA.

Authentication Phase of the Proposed Scheme, Steps V3 to V5

V3. HA→FA: m_V3 {MAC_HA, MAC'_HA = MAC_HA⊕H_1(T_HA||SK_HF), T_HA}
The HA checks the validity of the timestamp T_FA. If it is valid, the HA calculates MAC'_FA = H_1(W_i||X||IND||c_1||Y||T_MU||T_FA||SK_HF) and checks whether it is the same as the received MAC_FA. If it is not, the HA terminates the execution. Otherwise, the HA calculates X'_1 = XN, ID'_MU = IND⊕H_1(X'_1||T_MU), and c'_1 = H_1(X'_1||H_1(ID'_MU||N||W_i)) and checks whether c'_1 = c_1 holds. If it does not, the HA terminates the execution. Otherwise, the HA calculates MAC_HA = H_1(W_i||X||Y||ID_FA||ID_HA||T_HA||SK_HF), where T_HA is the HA's current timestamp. The HA then sends the message {MAC_HA, MAC'_HA = MAC_HA⊕H_1(T_HA||SK_HF), T_HA} to the FA.

V4. FA→MU: m_V4 {Y, c_2 = (TCert_MU)_sk}
The FA checks the validity of the timestamp T_HA. If it is valid, the FA recovers MAC_HA = MAC'_HA⊕H_1(T_HA||SK_HF), calculates H_1(W_i||X||Y||ID_FA||ID_HA||T_HA||SK_HF), and verifies that both values are the same as the received MAC_HA. If they are not, the FA terminates the execution. Otherwise, the FA believes that the MU is an authenticated user. The FA then calculates the session key sk = yX = xyP, using the y it chose in V2, and sends the message {Y, c_2 = (TCert_MU)_sk} to the MU, where TCert_MU is a temporary certificate issued by the FA to the MU.

V5. MU: Y, c_2 = (TCert_MU)_sk
The MU calculates the session key sk' = xY = xyP = sk and decrypts c_2. Finally, the MU obtains TCert_MU from the FA.

Table 4. Balanced calculation of the session key.

Step | Sender | Receiver
V1 | MU calculates X = xP and EC = aP_FA = abP | 
V2 | FA calculates Y = yP and EC = bA = abP | 
V2 | FA calculates MAC_FA | V3: HA recomputes MAC_FA to verify it
V3 | HA calculates MAC_HA | V4: FA recomputes MAC_HA to verify it
V4 | FA calculates sk = yX and c_2 | V5: MU calculates sk = xY and decrypts c_2

Table 1. Notations used throughout Li's scheme.

R1. MU→HA: m_R1 {ID_MU, H(PW_MU⊕r_n)} (registration phase of Li's scheme)
The MU chooses the identity ID_MU, the password PW_MU, and a random number r_n; calculates H(PW_MU⊕r_n); and sends the registration request message {ID_MU, H(PW_MU⊕r_n)} to the HA.

Table 5 .
Comparison with related works.