Jun-Sub Kim 1 and Jin Kwak 2
Academic Editor: Jongsung Kim
1, ISAA Lab, Department of Information Security Engineering, Soonchunhyang University, Asan, Chungchungnam-do 336-745, Republic of Korea
2, Department of Information Security Engineering, Soonchunhyang University, Asan, Chungchungnam-do 336-745, Republic of Korea
Received 28 August 2013; Accepted 16 September 2013
This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
1. Introduction
A global mobility network (GLOMONET) provides global roaming services for mobile users between the home agent and the foreign agent. The GLOMONET must have a user authentication scheme that gives the mobile user secure access to the foreign agent. A strong user authentication scheme in GLOMONET should satisfy the following requirements: (1) user anonymity, (2) low communication cost and computation complexity, (3) single registration, (4) update session key periodically, (5) user friendly, (6) password/verifier table, (7) update password securely and freely, (8) prevention of fraud, (9) prevention of replay attack, (10) security, and (11) providing the authentication scheme when a user is located in the home network [1, 2].
Many user authentication schemes for use in GLOMONET have been proposed [1-18]. In 2004, Zhu and Ma [4] proposed a simple, efficient wireless authentication scheme that provides user anonymity for wireless environments. However, Lee et al. [5] subsequently pointed out that Zhu et al.'s scheme does not achieve mutual authentication and perfect backward secrecy, and therefore cannot protect against forgery attacks. They then proposed a slight modification of Zhu et al.'s scheme. Unfortunately, Wu et al. [6] demonstrated that Lee et al.'s proposed scheme still failed to provide anonymity and perfect backward secrecy. Consequently, they proposed an improvement to overcome the weakness identified in Lee et al.'s scheme. In 2009, Zeng et al. [7] showed that Wu et al.'s scheme also fails to provide anonymity. In 2012, Mun et al. [12] showed that Wu et al.'s scheme discloses the password of legitimate users and does not achieve perfect forward secrecy. They subsequently proposed a new enhancement for anonymous authentication to overcome these security weaknesses. However, their scheme is vulnerable to replay attack and man-in-the-middle attack, and incurs a high overhead in the database of the home agent.
Therefore, in this paper, we analyze the existing schemes [5, 6, 12] and show that they fail to meet these security requirements. We then propose a secure and efficient anonymous authentication scheme that is resistant to replay attack and man-in-the-middle attack. Our proposed scheme also incurs less computational overhead in the database than Mun et al.'s scheme.
The remainder of this paper is organized as follows. In Section 2, we review the existing schemes, while in Section 3, we investigate the security vulnerabilities mentioned above. In Section 4, we present our proposed secure and efficient anonymous authentication scheme. This scheme is analyzed and compared with other schemes in Section 5. Finally, Section 6 presents our conclusions.
2. Review of the Previous Schemes
In this section, we review the anonymous authentication schemes proposed by Lee et al. [5], Wu et al. [6], and Mun et al. [12].
2.1. Lee et al.'s Scheme
Figure 1 shows the procedure of Lee et al.'s scheme. Their scheme comprises three phases: an initial phase, a first phase, and a second phase.
Figure 1: Procedure of Lee et al.'s scheme.
2.1.1. Initial Phase
When a new mobile user MU wants to register with a home agent HA, he/she performs the following steps.
Step 1. $MU \rightarrow HA: \{ID_{MU}\}$.
MU sends his/her identifier $ID_{MU}$ to HA for registration.
Step 2. HA computes $PW_{MU} = h(N \| ID_{MU})$ and $r = h(N \| ID_{HA}) \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU}$, where $N$ is a long random number kept by HA.
Step 3. $HA \rightarrow MU: \{PW_{MU}, \text{smart card } [ID_{HA}, r, h(\cdot)]\}$.
HA delivers $PW_{MU}$ and a smart card containing $[ID_{HA}, r, h(\cdot)]$ to MU through a secure channel.
2.1.2. First Phase
In this phase, FA authenticates MU and issues a temporary certificate to MU, which will be used in the second phase whenever MU communicates with this FA within this area. MU performs the following steps.
Step 1. $MU \rightarrow FA: \{n, c_1, ID_{HA}, T_{MU}\}$.
MU computes $n = r \oplus h(N \| ID_{MU})$ and the temporary key $L = h(T_{MU} \oplus PW_{MU})$, and encrypts $c_1 = (h(ID_{MU}) \| x_0 \| x)_L$ using the symmetric key $L$, where $x_0$ and $x$ are secret random numbers. MU then sends $n$, $c_1$, $ID_{HA}$, and $T_{MU}$ to FA.
Step 2. $FA \rightarrow HA: \{a, n, c_1, T_{MU}, c_2, Cert_{FA}, T_{FA}\}$.
If the timestamp is valid, FA generates a secret random number $a$ and computes the signature $c_2 = E_{KR_{FA}}(h(a, n, c_1, T_{MU}, Cert_{FA}))$ using its private key $KR_{FA}$. FA then sends $a$, $n$, $c_1$, $T_{MU}$, $c_2$, $Cert_{FA}$, and $T_{FA}$ to HA.
Step 3. $HA \rightarrow FA: \{b, c_3, c_4, Cert_{HA}, T_{HA}\}$.
If the certificate and timestamp are valid, HA computes $L = h(T_{MU} \oplus PW_{MU})$ and $H = h(ID_{HA})$, and decrypts $(h(ID_{MU}) \| x_0 \| x)_L$ using the symmetric key $L$. If $h(ID_{HA})$ is identical to $H$, HA authenticates MU. HA then encrypts $c_3 = E_{KU_{FA}}(h(ID_{MU}) \| x_0 \| x)$ using the public key $KU_{FA}$ and computes the signature $c_4 = E_{KR_{HA}}(h(a, b, c_3, Cert_{HA}))$ using its private key $KR_{HA}$. HA then sends $b$, $c_3$, $c_4$, $Cert_{HA}$, and $T_{HA}$ to FA.
Step 4. $FA \rightarrow MU: \{c_5\}$.
If the certificate and timestamp are valid, FA issues the temporary certificate $TCert_{MU}$ and decrypts $E_{KU_{FA}}(h(ID_{MU}) \| x_0 \| x)$ using its private key $KR_{FA}$. FA then computes $h(x_0 \| x)$ and the session key $k = h(ID_{MU} \| x) \oplus x_0$, and encrypts $c_5 = (TCert_{MU} \| h(x_0 \| x))_k$ using the symmetric key $k$. FA then sends $c_5$ to MU.
Step 5. MU computes $M = h(x_0 \| x)$ and the session key $k = h(ID_{MU} \| x) \oplus x_0$, and decrypts $(TCert_{MU} \| h(x_0 \| x))_k$ using the symmetric key $k$. If $h(x_0 \| x)$ is identical to $M$, MU authenticates FA.
2.1.3. Second Phase
In this phase, MU visits FA for the $i$th session while he/she remains within this FA's area. MU performs the following steps.
Step 1. $MU \rightarrow FA: \{TCert_{MU}, c_6\}$.
MU encrypts $c_6 = (x_i \| TCert_{MU} \| OtherInformation)_{k_i}$ using the symmetric key $k_i$, where $k_i = h(ID_{MU} \| x) \oplus x_{i-1}$, for $i = 1, 2, \ldots, n$. MU then sends $TCert_{MU}$ and $c_6$ to FA.
Step 2. If $TCert_{MU}$ is valid, FA decrypts $(x_i \| TCert_{MU} \| OtherInformation)_{k_i}$ using the symmetric key $k_i$. If the received $TCert_{MU}$ is identical to the obtained $TCert_{MU}$, FA authenticates MU.
2.2. Wu et al.'s Scheme
Figure 2 shows the first and second phase of Wu et al.'s scheme. Their scheme comprises three phases: an initial phase, a first phase, and a second phase. The initial phase is the same as the initial phase of Lee et al.'s scheme.
Figure 2: First and second phase of Wu et al.'s scheme.
2.2.1. First Phase
In this phase, FA authenticates MU and issues a temporary certificate to MU, which will be used in the second phase whenever MU communicates with this FA within this area. MU performs the following steps.
Step 1. $MU \rightarrow FA: \{n, c_1, ID_{HA}, T_{MU}\}$.
MU computes $n = r \oplus h(N \| ID_{MU})$ and the temporary key $L = h(T_{MU} \oplus PW_{MU})$, and encrypts $c_1 = (h(ID_{MU}) \| x_0 \| x)_L$ using the symmetric key $L$, where $x_0$ and $x$ are secret random numbers. MU then sends $n$, $c_1$, $ID_{HA}$, and $T_{MU}$ to FA.
Step 2. $FA \rightarrow HA: \{a, n, c_1, T_{MU}, c_2, Cert_{FA}, T_{FA}\}$.
If the timestamp is valid, FA generates a secret random number $a$ and computes the signature $c_2 = E_{KR_{FA}}(h(a, n, c_1, T_{MU}, Cert_{FA}))$ using its private key $KR_{FA}$. FA then sends $a$, $n$, $c_1$, $T_{MU}$, $c_2$, $Cert_{FA}$, and $T_{FA}$ to HA.
Step 3. $HA \rightarrow FA: \{b, c_3, c_4, Cert_{HA}, T_{HA}\}$.
If the certificate and timestamp are valid, HA computes $L = h(T_{MU} \oplus PW_{MU})$ and $H = h(ID_{HA})$, and decrypts $(h(ID_{MU}) \| x_0 \| x)_L$ using the symmetric key $L$. If $h(ID_{HA})$ is identical to $H$, HA authenticates MU. HA then encrypts $c_3 = E_{KU_{FA}}(h(h(N \| ID_{MU})) \| x_0 \| x)$ using the public key $KU_{FA}$ and computes the signature $c_4 = E_{KR_{HA}}(h(a, b, c_3, Cert_{HA}))$ using its private key $KR_{HA}$. HA then sends $b$, $c_3$, $c_4$, $Cert_{HA}$, and $T_{HA}$ to FA.
Step 4. $FA \rightarrow MU: \{c_5\}$.
If the certificate and timestamp are valid, FA issues the temporary certificate $TCert_{MU}$ and decrypts $E_{KU_{FA}}(h(h(N \| ID_{MU})) \| x_0 \| x)$ using its private key $KR_{FA}$. FA then computes $h(x_0 \| x)$ and the session key $k = h(h(h(N \| ID_{MU})) \| x \| x_0)$, and encrypts $c_5 = (TCert_{MU} \| h(x_0 \| x))_k$ using the symmetric key $k$. FA then sends $c_5$ to MU.
Step 5. MU computes $M = h(x_0 \| x)$ and the session key $k = h(h(h(N \| ID_{MU})) \| x \| x_0)$, and decrypts $(TCert_{MU} \| h(x_0 \| x))_k$ using the symmetric key $k$. If $h(x_0 \| x)$ is identical to $M$, MU authenticates FA.
2.2.2. Second Phase
In this phase, MU visits FA for the $i$th session while he/she remains within this FA's area. MU performs the following steps.
Step 1. $MU \rightarrow FA: \{TCert_{MU}, c_6\}$.
MU encrypts $c_6 = (x_i \| TCert_{MU} \| OtherInformation)_{k_i}$ using the symmetric key $k_i$, where $k_i = h(h(h(N \| ID_{MU})) \| x \| x_{i-1})$, for $i = 1, 2, \ldots, n$. MU then sends $TCert_{MU}$ and $c_6$ to FA.
Step 2. If $c_6$ is valid, FA decrypts $(x_i \| TCert_{MU} \| OtherInformation)_{k_i}$ using the symmetric key $k_i$. If the received $TCert_{MU}$ is identical to the obtained $TCert_{MU}$, FA authenticates MU.
2.3. Mun et al.'s Scheme
Their scheme comprises three phases: a registration phase, an authentication phase, and an update phase.
2.3.1. First Phase
Figure 3 shows the procedure of the first phase. When a new MU wants to register with HA, he/she performs the following steps.
Figure 3: First phase of Mun et al.'s scheme.
Step 1. $MU \rightarrow HA: \{ID_{MU}, N_{MU}\}$.
MU sends his/her identifier $ID_{MU}$ and nonce $N_{MU}$ to HA for registration.
Step 2. HA generates nonce $N_{HA}$ and computes $PW_{MU} = h(N_{MU} \| N_{HA})$ and $r_{MU} = h(ID_{MU} \| PW_{MU}) \oplus ID_{HA}$.
Step 3. $HA \rightarrow MU: \{r_{MU}, ID_{HA}, N_{HA}, PW_{MU}, h(\cdot)\}$.
HA sends $r_{MU}$, $ID_{HA}$, $N_{HA}$, $PW_{MU}$, and $h(\cdot)$ to MU through a secure channel.
2.3.2. Second Phase
Figure 4 shows the procedure of the second phase. In this phase, for mutual authentication between MU and HA and between MU and a foreign agent FA, the following steps are performed.
Figure 4: Second phase of Mun et al.'s scheme.
Step 1. $MU \rightarrow FA: \{ID_{HA}, N_{HA}, r_{MU}\}$.
MU accesses the new FA and sends $ID_{HA}$, $N_{HA}$, and $r_{MU}$ to it.
Step 2. $FA \rightarrow HA: \{ID_{FA}, N_{FA}, r_{MU}\}$.
FA stores the message received from MU for further communication and generates nonce $N_{FA}$. FA then sends $ID_{FA}$, $N_{FA}$, and $r_{MU}$ to HA.
Step 3. $HA \rightarrow FA: \{S_{HA}, P_{HA}\}$.
HA computes $r_{MU}' = h(ID_{MU} \| PW_{MU}) \oplus ID_{HA}$ and checks whether $r_{MU}'$ is identical to the received $r_{MU}$. If they are identical, HA authenticates MU. Next, HA computes $P_{HA} = h(PW_{MU} \| N_{FA})$ and $S_{HA} = h(ID_{FA} \| N_{FA}) \oplus r_{MU} \oplus P_{HA}$, and sends the computed $S_{HA}$ and $P_{HA}$ to FA.
Step 4. $FA \rightarrow MU: \{S_{FA}, aP, P_{FA}\}$.
FA computes $S_{HA}' = h(ID_{FA} \| N_{FA}) \oplus r_{MU} \oplus P_{HA}$ and checks whether $S_{HA}'$ is identical to the received $S_{HA}$. FA then computes $S_{FA} = h(S_{HA} \| N_{FA} \| N_{HA})$, selects a random number $a$, and then computes $aP$ on $E$ using the elliptic curve Diffie-Hellman (ECDH) protocol. Next, FA sends $S_{FA}$, $aP$, and $P_{FA} = (S_{HA} \| ID_{FA} \| N_{FA})$ to MU.
Step 5. $MU \rightarrow FA: \{bP, S_{MF}\}$.
MU computes $S_{HA}' = h(ID_{FA} \| N_{FA}) \oplus r_{MU} \oplus h(PW_{MU} \| N_{FA})$ and $S_{FA}' = h(S_{HA}' \| N_{FA} \| N_{HA})$, and checks whether $S_{FA}'$ is identical to the received $S_{FA}$. If they are identical, MU authenticates HA and FA. After checking $S_{FA}$, MU selects a random number $b$ and computes $bP$, a session key $K_{MF} = h(abP)$ using the received $aP$ and the computed $bP$, and $S_{MF} = f_{K_{MF}}(N_{FA} \| bP)$. Next, MU sends the computed $bP$ and $S_{MF}$ to FA.
Step 6. FA computes $K_{MF} = h(abP)$ using private and public values, and $S_{MF}' = f_{K_{MF}}(N_{FA} \| bP)$. FA then checks whether $S_{MF}'$ is identical to the received $S_{MF}$. If they are identical, FA authenticates MU.
2.3.3. Third Phase
The procedure followed in the third phase is depicted in Figure 5. The steps are as follows.
Figure 5: Third phase of Mun et al.'s scheme.
Step 1. $MU \rightarrow FA: \{b_i P\}$.
MU selects a new random number $b_i$ and computes $b_i P$ $(i = 1, 2, \ldots, n)$. MU then sends $b_i$ and $b_i P$ to FA.
Step 2. $FA \rightarrow MU: \{a_i P, S_{MF_i}\}$.
FA selects a new random number $a_i$ and computes $a_i P$ $(i = 1, 2, \ldots, n)$. It then computes a new session key $K_{MF_i} = h(a_i b_i P)$ and $S_{MF_i} = f_{K_{MF_i}}(a_i b_i P \| a_{i-1} b_{i-1} P)$. Next, it sends $a_i P$ and $S_{MF_i}$ to MU.
Step 3. MU computes a session key $K_{MF_i} = h(a_i b_i P)$, using the received $a_i P$, the computed $b_i P$, and $S_{MF_i}' = f_{K_{MF_i}}(a_i b_i P \| a_{i-1} b_{i-1} P)$. MU then checks whether $S_{MF_i}'$ is identical to the received $S_{MF_i}$. If they are identical, MU and FA use the new session key $K_{MF_i}$.
3. Vulnerabilities in the Previous Schemes
3.1. Vulnerability of Lee et al.'s and Wu et al.'s Scheme
Lee et al.'s and Wu et al.'s schemes are almost the same and therefore share the same vulnerabilities: both are vulnerable to replay attack and password disclosure, and neither achieves anonymity or perfect forward secrecy.
3.1.1. Anonymity
An adversary $A$ can eavesdrop on and record the message $\{n, c_1, ID_{HA}, T_{MU}\}$ transmitted from MU to FA, and can obtain MU's $ID_{MU}$ as follows.
Step 1. $A$ registers with HA as a legitimate user and obtains his/her own $PW_A$ and $r$. $A$ then computes $h(N \| ID_{HA})$ using $PW_A$, $r$, $ID_{HA}$, and $ID_A$.
Step 2. $A$ eavesdrops on and records the message $\{n, c_1, ID_{HA}, T_{MU}\}$ transmitted from FA to MU.
Step 3. $A$ computes $ID_{MU}$ using $n$, $h(N \| ID_{HA})$, and $ID_{HA}$.
Therefore, Lee et al.'s and Wu et al.'s schemes cannot achieve anonymity [7].
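The algebra behind Steps 1 to 3, written out with the symbols of Section 2.1 as an added derivation (not part of the original paper); $r_A$ is a label introduced here for the $r$ value that HA issues to the registered user $A$.

$$
\begin{aligned}
r_A &= h(N \| ID_{HA}) \oplus h(N \| ID_A) \oplus ID_{HA} \oplus ID_A, \qquad PW_A = h(N \| ID_A) \\
\Rightarrow\quad h(N \| ID_{HA}) &= r_A \oplus PW_A \oplus ID_{HA} \oplus ID_A \\
n &= r \oplus h(N \| ID_{MU}) = h(N \| ID_{HA}) \oplus ID_{HA} \oplus ID_{MU} \\
\Rightarrow\quad ID_{MU} &= n \oplus h(N \| ID_{HA}) \oplus ID_{HA}
\end{aligned}
$$

The mask $h(N \| ID_{HA})$ is the same for every user registered with HA, so $n$ hides $ID_{MU}$ only from parties that have never registered with that HA.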
3.1.2. Replay Attack
A legitimate $FA_i$ can record the message $\{n, c_1, ID_{HA}, T_{MU}\}$ transmitted from MU, and can then impersonate MU to another $FA_j$ by using the recorded message $\{n, c_1, ID_{HA}, T_{MU}\}$ as follows.
Step 1. $FA_i$ accesses another $FA_j$ and sends the recorded message $\{n, c_1, ID_{HA}, T_{MU}\}$ to this $FA_j$. $FA_i$ can replay this message within the lifetime of $T_{MU}$. After receiving this message, $FA_j$ sends the message $\{a, n, c_1, T_{MU}, c_2, Cert_{FA}, T_{FA}\}$ to HA.
Step 2. HA computes $h(ID_{MU})$ and checks whether the computed $h(ID_{MU})$ is identical to the received $h(ID_{MU})$. If they are identical, HA authenticates $FA_i$ and then sends the message $\{b, c_3, c_4, Cert_{HA}, T_{HA}\}$ to $FA_j$.
Step 3. $FA_j$ computes the session key $k$ and sends the message $\{c_5\}$ to $FA_i$. $FA_i$ computes the session key $k$ between $FA_i$ and MU, which is the same as the session key between $FA_i$ and $FA_j$. $FA_i$ then decrypts $c_5$ and authenticates $FA_j$.
Therefore, Lee et al.'s and Wu et al.'s schemes are vulnerable to replay attack [11].
3.1.3. Disclosure Password
If an adversary $A$ can steal MU's smart card, $A$ can obtain MU's password $PW_{MU}$ as follows.
Step 1. $A$ can record the message $\{n, c_1, ID_{HA}, T_{MU}\}$ transmitted from MU to FA. And, as described in Section 3.1.1, $A$ can obtain $\{h(N \| ID_{HA}), ID_{HA}, ID_{MU}\}$.
Step 2. $A$ steals MU's smart card, inserts it into the device, and enters the fake password $PW^* = 0$. The smart card computes $n^* = r \oplus PW^* = h(N \| ID_{HA}) \oplus h(N \| ID_{MU}) \oplus ID_{HA} \oplus ID_{MU}$, and $A$ obtains $n^*$ by eavesdropping.
Step 3. $A$ computes $PW_{MU}$ using $n^*$, $h(N \| ID_{HA})$, $ID_{HA}$, and $ID_{MU}$.
Therefore, Lee et al.'s and Wu et al.'s schemes disclose the password [11].
3.1.4. Perfect Forward Secrecy
Assume that an adversary $A$ obtains MU's password $PW_{MU}$. The schemes then fail to provide perfect forward secrecy, as follows.
Step 1. $A$ computes $L$ using $T_{MU}$ and $PW_{MU}$ and decrypts $(h(ID_{MU}) \| x_0 \| x)_L$ using $L$. Thus, $A$ obtains $x_0$, $x$, and $h(ID_{MU})$.
Step 2. $A$ computes the session key $k_1$ using $x_0$, $x$, and $PW_{MU}$ and decrypts $(x_1 \| TCert_{MU} \| OtherInformation)_{k_1}$ using $k_1$. Thus, $A$ obtains $x_1$.
Step 3. $A$ computes the session key $k_2$ using $x_1$, $x$, and $PW_{MU}$.
Therefore, Lee et al.'s and Wu et al.'s schemes cannot achieve perfect forward secrecy [11].
3.2. Vulnerability of Mun et al.'s Scheme
Mun et al. claimed that their scheme can thwart a variety of known attacks. Unfortunately, we found that their scheme is vulnerable to replay attack and man-in-the-middle attack. In addition, their scheme incurs a high overhead in the database of the home agent.
3.2.1. Replay Attack
In Mun et al.'s scheme, an adversary $A$ can eavesdrop on and record the message $\{ID_{HA}, N_{HA}, r_{MU}\}$ transmitted from MU to FA, and can then impersonate MU by using the recorded message $\{ID_{HA}, N_{HA}, r_{MU}\}$ as follows.
Step 1. $A$ accesses a new FA and sends the recorded message $\{ID_{HA}, N_{HA}, r_{MU}\}$ to this FA. After receiving this message, the FA sends the message $\{ID_{FA}, N_{FA}, r_{MU}\}$ to HA.
Step 2. HA computes $r_{MU}'$ and checks whether $r_{MU}'$ is identical to the received $r_{MU}$. If they are identical, HA authenticates $A$, then computes $P_{HA}$ and $S_{HA}$, and sends the message $\{S_{HA}, P_{HA}\}$ to FA. On receiving this message, FA computes $S_{HA}'$ and checks whether $S_{HA}'$ is identical to the received $S_{HA}$. Next, FA sends the message $\{S_{FA}, aP, P_{FA}\}$ to $A$.
Step 3. $A$ computes $S_{FA}'$ and checks whether $S_{FA}'$ is identical to the received $S_{FA}$. If they are identical, $A$ authenticates HA and FA, then computes $bP$ and $S_{MF}$, and sends the message $\{bP, S_{MF}\}$ to FA. On receiving this message, FA computes $S_{MF}'$ and checks whether $S_{MF}'$ is identical to the received $S_{MF}$. If they are identical, FA authenticates $A$.
Therefore, Mun et al.'s scheme is vulnerable to replay attack [18].
3.2.2. Man-in-the-Middle Attack
In Mun et al.'s scheme, an adversary A can eavesdrop on messages transmitted between FA and MU. Consequently, A can also successfully mount a man-in-the-middle attack as follows.
Step 1. $A$ blocks and copies the message $\{S_{FA}, aP, P_{FA}\}$ transmitted from FA to MU. It then selects a new random number $a'$, computes $a'P$, replaces message $\{S_{FA}, aP, P_{FA}\}$ with $\{S_{FA}, a'P, P_{FA}\}$, and sends this to MU.
Step 2. MU computes $S_{HA}'$ and $S_{FA}'$, and checks whether $S_{FA}'$ is identical to the received $S_{FA}$. After checking $S_{FA}$, MU selects a random number $b$ and computes $bP$, a session key $K_{MF} = h(a'bP)$ using the received $a'P$, the computed $bP$, and $S_{MF} = f_{K_{MF}}(N_{FA} \| bP)$. Next, MU sends the message $\{bP, S_{MF}\}$ to FA.
Step 3. $A$ blocks and copies the message $\{bP, S_{MF}\}$ transmitted from MU to FA. It then selects a new random number $b'$ and computes $b'P$, a session key $K_{MF} = h(ab'P)$ using the copied $aP$ and the computed $b'P$, and $S_{MF}' = f_{K_{MF}}(N_{FA} \| b'P)$. Next, $A$ replaces message $\{bP, S_{MF}\}$ with $\{b'P, S_{MF}'\}$ and sends this to FA.
Step 4. FA computes $K_{MF} = h(ab'P)$ using private and public values and $S_{MF}'' = f_{K_{MF}}(N_{FA} \| b'P)$. It then checks whether $S_{MF}''$ is identical to the value received for $S_{MF}'$. If they are identical, FA authenticates MU. However, the session key between FA and MU is different.
Therefore, Mun et al.'s scheme is vulnerable to man-in-the-middle attack [18].
3.2.3. High Overhead
For authentication, MU sends message $\{ID_{HA}, N_{HA}, r_{MU}\}$ to FA. After receiving this message, FA sends message $\{ID_{FA}, N_{FA}, r_{MU}\}$ to HA. In order to authenticate MU, HA computes $r_{MU}' = h(ID_{MU} \| PW_{MU}) \oplus ID_{HA}$. To compute $r_{MU}$ for MU, HA must find $ID_{MU}$ and $PW_{MU}$ in its own database to compute the authentication message. However, HA incurs a high overhead because of the difficulty of finding $ID_{MU}$ and $PW_{MU}$ in the authentication message. In addition, HA incurs computational cost because of the one-way hash function and exclusive OR operation used to compute the authentication message. In other words, HA computes the authentication message using $ID_{MU}$ and $PW_{MU}$ in its own database, and incurs a high overhead because it has to compare it with the received authentication message.
4. Our Proposed Scheme
In this section, we propose a secure and efficient anonymous authentication scheme for roaming services in GLOMONETs. This scheme consists of three phases: a registration phase, an authentication and key establishment phase, and an update session key phase.
4.1. Notation
Table 1 shows the notation used to describe our proposed scheme.
Table 1: Notation used in our proposed scheme.
Notation | Description |
MU | Mobile User |
FA | Foreign Agent |
HA | Home Agent |
$ID_X$ | Identity of an entity $X$ |
$PW$ | Password of mobile user |
$N_X$ | Random nonce for current session of an entity $X$ |
$N_X'$ | Random nonce for next session of an entity $X$ |
$x$ | Master secret key of home agent |
$y$ | Secret number of each mobile user generated by home agent |
$h(\cdot)$ | A one-way hash function |
$\oplus$ | Exclusive OR operation |
$\|$ | Concatenation operation |
$E_K / D_K$ | Encryption/Decryption function of symmetric key cryptosystem using key $K$ |
$f_K$ | MAC generation function by using the key $K$ |
$K_{XY}$ | Session key between entity $X$ and $Y$ |
$A \rightarrow B : X$ | $X$ is transmitted from $A$ to $B$ |
4.2. Registration Phase
Figure 6 illustrates the procedure of the registration phase. When a new MU wants to register with HA, he/she performs the following steps.
Figure 6: Registration phase of our proposed scheme.
Step R1. $MU \rightarrow HA: \{ID_{MU}, N_{MU}\}$.
MU selects the identity $ID_{MU}$ and a random nonce $N_{MU}$, and sends $ID_{MU}$ and $N_{MU}$ to HA for registration.
Step R2. $HA \rightarrow MU: \{\text{Smart card } [ID_{MU}, ID_{HA}, K, N, h(x), h(\cdot)]\}$.
After receiving the registration message from MU, HA selects a random nonce $N_{HA}$ and computes the following: [figure omitted; refer to PDF]
HA then issues a smart card containing $[ID_{MU}, ID_{HA}, A, K, N_{MU}, h(\cdot)]$ and delivers it to MU through a secure channel.
4.3. Authentication and Key Establishment Phase
The procedure followed in the authentication and key establishment phase is illustrated in Figure 7. In this phase, to attain mutual authentication between MU and HA, and between MU and FA, the following actions are performed.
Figure 7: Authentication and key establishment phase of our proposed scheme.
Step A1. $MU \rightarrow FA: \{ID_{HA}, A, c_1, c_2, aP, N_{MU}\}$.
For authentication, MU selects a random nonce $N_{MU}'$ and a random number $a$, and computes the $aP$ value on $E$ using ECDH. MU then computes the following: [figure omitted; refer to PDF]
Next, MU sends $ID_{HA}$, $A$, $c_1$, $c_2$, $aP$, and $N_{MU}$ to FA.
Step A2. $FA \rightarrow HA: \{ID_{FA}, A, c_1, c_2, aP, bP, N_{MU}\}$.
FA stores the $ID_{HA}$ and $aP$ received from MU for further communication, selects a random number $b$, and computes the $bP$ value on $E$ using ECDH. FA then sends $ID_{FA}$, $A$, $c_1$, $c_2$, $aP$, $bP$, and $N_{MU}'$ to HA.
Step A3. $HA \rightarrow FA: \{ID_{HA}, ID_{FA}, c_3, aP, bP\}$.
On receiving the authentication message from FA, HA computes the following: [figure omitted; refer to PDF]
HA then checks whether $c_2'$ is identical to $c_2$. If they are identical, HA authenticates MU. HA then computes $c_3 = h(ID_{FA} \| aP \| bP \| K \| h(PW_{MU} \| N_{MU}') \| h(PW_{MU} \| N_{MU}))$ and sends $ID_{HA}$, $ID_{FA}$, $c_3$, $aP$, and $bP$ to FA.
Step A4. $FA \rightarrow MU: \{ID_{HA}, ID_{FA}, c_3, aP, bP\}$.
FA checks $ID_{HA}$, $ID_{FA}$, and $aP$, and sends $ID_{HA}$, $ID_{FA}$, $c_3$, $aP$, and $bP$ to MU.
Step A5. $MU \rightarrow FA: \{S_{MF}\}$.
MU checks $ID_{HA}$ and $aP$, and computes $c_3' = h(ID_{FA} \| aP \| bP \| K \| h(PW_{MU} \| N_{MU}') \| h(PW_{MU} \| N_{MU}))$. MU checks whether $c_3'$ is identical to $c_3$. If they are identical, MU authenticates HA and FA. MU then computes $K_{MF} = h(abP)$ using private and public keys and $S_{MF} = f_{K_{MF}}(ID_{FA} \| aP \| bP)$. Next, MU sends $S_{MF}$ to FA.
Step A6. FA computes $K_{MF} = h(abP)$ using private and public keys and $S_{MF}' = f_{K_{MF}}(ID_{FA} \| aP \| bP)$. FA then checks whether $S_{MF}'$ is identical to $S_{MF}$. If they are identical, FA authenticates MU. Otherwise, the procedure is terminated.
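The binding that Steps A3 to A6 rely on, as an added example (not code from the paper): $c_3$ and $S_{MF}$ are computed as written in those steps, and a changed $bP$ on the FA-to-MU leg makes MU's $c_3$ check fail before any key is derived. Assumptions: SHA-256 for $h$, HMAC-SHA-256 for $f_K$, a textbook toy curve over $F_{17}$ in place of $E$, and constructed values for $ID_{FA}$, $K$, $PW_{MU}$ and the nonces, because the formulas that derive $K$ are not reproduced on this page.

```python
import hashlib
import hmac

# Assumption: toy curve y^2 = x^3 + 2x + 2 over F_17 with base point P = (5, 1)
# of prime order 19. It stands in for the paper's curve E and is far too small
# for real use; it only keeps the example self-contained.
P_MOD, A_COEF, BASE, ORDER = 17, 2, (5, 1), 19


def ec_add(p, q):
    """Add two curve points; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A_COEF) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, p):
    """Double-and-add scalar multiplication k*p."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc


def enc(pt):
    """Encode a point as bytes (toy encoding: one byte per coordinate)."""
    return b"\x00" if pt is None else bytes(pt)


def fields(*parts):
    """Length-prefix each field so that a || b || c is unambiguous."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def h(*parts):
    """h(p1 || p2 || ...); SHA-256 is an assumption for the one-way hash."""
    return hashlib.sha256(fields(*parts)).digest()


def f(key, *parts):
    """f_K(p1 || p2 || ...); HMAC-SHA-256 is an assumption for the MAC."""
    return hmac.new(key, fields(*parts), hashlib.sha256).digest()


def make_c3(id_fa, aP, bP, K, pw, n_next, n_cur):
    """c3 = h(ID_FA || aP || bP || K || h(PW || N'_MU) || h(PW || N_MU)), Step A3."""
    return h(id_fa, enc(aP), enc(bP), K, h(pw, n_next), h(pw, n_cur))


def mu_step_a5(a, aP, id_fa, c3, aP_echo, bP, K, pw, n_next, n_cur):
    """MU: check the echoed aP and c3, then derive (K_MF, S_MF); None on failure."""
    if aP_echo != aP:
        return None
    if not hmac.compare_digest(make_c3(id_fa, aP, bP, K, pw, n_next, n_cur), c3):
        return None
    k_mf = h(enc(ec_mul(a, bP)))                     # K_MF = h(abP)
    return k_mf, f(k_mf, id_fa, enc(aP), enc(bP))    # S_MF = f_KMF(ID_FA||aP||bP)


def fa_step_a6(b, id_fa, aP, bP, s_mf):
    """FA: recompute K_MF and S_MF; return K_MF only if S_MF matches."""
    k_mf = h(enc(ec_mul(b, aP)))
    ok = hmac.compare_digest(f(k_mf, id_fa, enc(aP), enc(bP)), s_mf)
    return k_mf if ok else None


def run_exchange(bP_delivered_to_mu=None):
    """Run Steps A3-A6 on constructed values; optionally alter bP in Step A4."""
    id_fa, K, pw = b"FA-01", b"constructed-K", b"constructed-PW"
    n_cur, n_next = b"nonce-current", b"nonce-next"
    a, b = 7, 11                                     # fixed scalars, repeatable run
    aP, bP = ec_mul(a, BASE), ec_mul(b, BASE)
    c3 = make_c3(id_fa, aP, bP, K, pw, n_next, n_cur)           # HA, Step A3
    seen = bP if bP_delivered_to_mu is None else bP_delivered_to_mu
    mu = mu_step_a5(a, aP, id_fa, c3, aP, seen, K, pw, n_next, n_cur)
    if mu is None:
        return "MU rejects c3"
    k_mu, s_mf = mu
    k_fa = fa_step_a6(b, id_fa, aP, bP, s_mf)                   # Step A6
    return "session key established" if k_fa == k_mu else "FA rejects S_MF"


if __name__ == "__main__":
    print(run_exchange())                    # unmodified messages
    print(run_exchange(ec_mul(5, BASE)))     # bP changed between FA and MU
```

Because HA computes $c_3$ over both $aP$ and $bP$ together with values only HA and MU hold, the altered run stops at MU's check in Step A5.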
4.4. Update Session Key Phase
The update session key phase is the same as the third phase of Mun et al.'s scheme, as shown in Figure 5.
5. Analyses
5.1. Security Analysis
Table 2 compares the security of existing schemes with that of our proposed scheme. Our scheme has the following security properties.
Table 2: Security analysis of the compared schemes.
Scheme | Proposed scheme | Zhu and Ma [4] | Lee et al. [5] | Wu et al. [6] | Mun et al. [12] |
Anonymity | Yes | No | No | No | Yes |
Perfect forward secrecy | Yes | No | No | No | Yes |
Mutual authentication (MU-HA) | Yes | No | No | No | Yes |
Mutual authentication (MU-FA) | Yes | No | Yes | Yes | Yes |
Replay attack | Yes | Yes | No | No | No |
Impersonation attack | Yes | Yes | Yes | Yes | Yes |
Disclosure of password | Yes | Yes | No | No | Yes |
Man-in-the-middle attack (MU-HA) | Yes | No | No | No | Yes |
Man-in-the-middle attack (MU-FA) | Yes | No | Yes | Yes | No |
Anonymity. Assume that an adversary $A$ intercepts the message $\{c_1, c_2, c_3, A\}$ over a public network. An adversary cannot derive the identifier $ID_{MU}$ of the mobile user from $c_1$, $c_2$, $c_3$, and $A$. This is because an adversary does not know $x$, $y$, and $PW_{MU}$.
Perfect Forward Secrecy. The authentication and key establishment and update session key phases of our scheme use ECDH to provide perfect forward secrecy. To establish a session key, MU and FA use different $a_i P$ and $b_i P$ for each session, and thus they are not related to the previous values $a_{i-1} P$ and $b_{i-1} P$. Thus, if the previous session key $K_{MF_{i-1}} = h(a_{i-1} b_{i-1} P)$ is disclosed, an adversary $A$ cannot guess $K_{MF_i} = h(a_i b_i P)$. In other words, guessing $K_{MF_i}$ is a computationally difficult problem.
Mutual Authentication. HA can authenticate MU by checking $c_2$ in Step A3 of the authentication and key establishment phase, and MU can authenticate HA and FA by checking $c_3$ in Step A5 of the authentication and key establishment phase. FA can authenticate MU by checking $S_{MF}$ in Step A6 of the authentication and key establishment phase.
Impersonation Attack. An adversary $A$ cannot compute the authentication message $\{ID_{HA}, A, c_1, c_2, aP, N_{MU}'\}$ because he/she cannot know $ID_{MU}$, $x$, $y$, $PW_{MU}$, and $N_{HA}$. Even if $A$ is a legitimate user of HA, he/she cannot compute the authentication message $\{ID_{HA}, A, c_1, c_2, aP, N_{MU}'\}$.
Disclosure of Password. We assume that an adversary $A$ eavesdrops on MU's authentication message $\{ID_{HA}, A, c_1, c_2, aP, N_{MU}'\}$ in the authentication and key establishment phase. However, $A$ cannot know MU's $PW_{MU}$ from the authentication message $\{ID_{HA}, A, c_1, c_2, aP, N_{MU}'\}$ by the nature of a one-way hash function.
Replay Attacks. MU uses a random nonce $N_{MU}$ and checks $c_2$ to resist replay attacks in each authentication session. If an adversary $A$ replays a previous authentication message, he/she cannot be authenticated by HA because the check of $c_2$ fails.
Man-in-the-Middle Attacks. Man-in-the-middle attacks are thwarted because of the authentication between MU and HA. Similarly, man-in-the-middle attacks can be thwarted by the establishment of a session key between MU and FA.
5.2. Performance Analysis
Table 3 compares the performance of existing schemes with that of our proposed scheme. Our scheme incurs less communication cost than conventional schemes [4-6]. Although our scheme incurs a little more communication cost than Mun et al.'s scheme, it incurs less computational overhead in the database than Mun et al.'s scheme [12].
Table 3: Performance analysis of the compared schemes.
Scheme | Proposed scheme | Zhu and Ma [4] | Lee et al. [5] | Wu et al. [6] | Wu et al. [6] |
Registration | | | | | |
MU | -- | -- | -- | -- | -- |
HA | $5T(h) + 2T(\oplus)$ | $2T(h) + 3T(\oplus)$ | $2T(h) + 3T(\oplus)$ | $2T(h) + 3T(\oplus)$ | $2T(h) + 1T(\oplus)$ |
Authentication and key establishment | | | | | |
MU | $4T(h) + 1T(\oplus)$ + 1 Asym | $2T(h) + 3T(\oplus)$ + 2 Sym | $4T(h) + 3T(\oplus)$ + 2 Sym | $3T(h) + 1T(\oplus)$ + 1 Sym | $5T(h) + 2T(\oplus)$ + 1 Asym |
FA | $1T(h)$ + 1 Asym | $2T(h) + 1T(\oplus)$ + 1 Sym + 2 Asym | $4T(h) + 1T(\oplus)$ + 2 Sym + 2 Asym | $5T(h)$ + 3 Asym | $4T(h) + 2T(\oplus)$ + 1 Asym |
HA | $6T(h) + 3T(\oplus)$ | $3T(h)$ + 1 Sym + 3 Asym | $3T(h)$ + 1 Sym + 2 Asym | $2T(h)$ + 2 Sym | $3T(h) + 3T(\oplus)$ |
Total | $16T(h) + 6T(\oplus)$ + 2 Asym | $9T(h) + 7T(\oplus)$ + 3 Sym + 5 Asym | $13T(h) + 7T(\oplus)$ + 5 Sym + 4 Asym | $12T(h) + 4T(\oplus)$ + 3 Sym + 3 Asym | $14T(h) + 8T(\oplus)$ + 2 Asym |
$T(h)$: number of hash operations, $T(\oplus)$: number of XOR operations, Sym: number of symmetric key operations, Asym: number of asymmetric key operations.
No Need for Time Synchronization. Conventional schemes use timestamps to resist replay attacks. Thus, time synchronization takes place when each entity is located in a different time zone. However, our scheme does not use timestamps, so there is no need to synchronize time between different entities.
Use of ECDH. Conventional schemes use certificates. However, mobile devices have power limitations; low-level computation based on certificates incurs a significant overhead. Our scheme uses ECDH instead of a public key cryptosystem with certificates in order to reduce the communication overhead. ECDH provides the same security properties and uses fewer resources than a public key cryptosystem with certificates. The performance advantage of ECDH is improved further as security needs increase.
Overhead Analysis. Our proposed authentication scheme can be compared with Mun et al.'s scheme in terms of the database overhead incurred by HA as the number of devices increases. In order to compare the overhead, the following terms are defined: the number of devices is $d$ ($d = 1, 10, 20, \ldots, 100$), the identifier stored in the database of the home agent is $i$, the computational cost for a one-way hash function and exclusive OR operation is $c$ (it is assumed that the computational cost for a one-way hash function and exclusive OR operation is 2; thus, $c = 2$), and, finally, the overhead in the database of the home agent is $O$. Thus, the overhead can be expressed as $O = d \times i \times c$, that is, $O = 10 \times 10 \times 2 = 200$. Mun et al.'s scheme must obtain identifier and password information from its own database in order to compute the authentication message. However, because it is difficult to find identifier and password information in the authentication message, their scheme has to compute the authentication message for the identifier and password of all the mobile users stored in its own database and compare it with the received one. For example, in Mun et al.'s scheme, if the number of devices to be authenticated by HA is 30, the number of identifiers stored in the database of the home agent is also 30, and the computational cost for a one-way hash function and exclusive OR operation is 2 (according to Mun et al.'s scheme, $c = 2$ because of the computational cost incurred), then the overhead incurred in the database of HA is $O = 30 \times 30 \times 2 = 1800$. Our proposed scheme can compute the authentication message in its own database because the identifier information can be found in the authentication message.
For example, in our proposed scheme, if the number of devices to be authenticated by the home agent is 30, the number of identifiers stored in the database of the home agent is also 30, and the computational cost for a one-way hash function and exclusive OR operation is 1 (our proposed scheme does not incur computational cost; thus, $c = 1$), then the overhead incurred in the database of HA is $O = 30 \times 30 \times 1 = 900$. Lee et al.'s and Wu et al.'s schemes have the same overhead analysis as our proposed scheme. Compared to the existing scheme, our proposed scheme incurs less computational overhead in the database (Figure 8).
Figure 8: Analysis of overhead incurred versus number of devices.
[figure omitted; refer to PDF]
6. Conclusion
In this paper, we examined the previous schemes and their security vulnerabilities. Lee et al.'s and Wu et al.'s schemes were vulnerable to replay attack, could not achieve perfect forward secrecy, and could not provide anonymity. Mun et al.'s scheme was vulnerable to replay attack and man-in-the-middle attack and incurred a high overhead in the database. Therefore, we proposed a secure and efficient anonymous authentication scheme for roaming service in GLOMONET. Our scheme was developed using ECDH instead of the authentication mechanism used by Mun et al.'s scheme. Consequently, unlike Mun et al.'s scheme, our scheme achieves anonymity, provides perfect forward secrecy and mutual authentication, and is resistant to replay attack and man-in-the-middle attack. Our scheme also incurs less overhead in the database than Mun et al.'s scheme does. In addition, our scheme does not use timestamps, and as a result, it does not need to synchronize time between different entities.
Acknowledgments
This research was funded by the MSIP (Ministry of Science, ICT & Future Planning), Korea in the ICT R&D Program 2013. This work was supported by the Soonchunhyang University Research Fund. The authors declare that there is no conflict of interests regarding the publication of this article.
[1] S. Suzuki, K. Nakada, "An authentication technique based on distributed security management for the global mobility network," IEEE Journal on Selected Areas in Communications, vol. 15, no. 8, pp. 1608-1617, 1997.
[2] D. He, S. Chan, "A secure and lightweight user authentication scheme with anonymity for the global mobility network," in Proceedings of the 13th International Conference on Network-Based Information Systems (NBiS '10), pp. 305-312, Takayama, Japan, September 2010.
[3] L. Buttyán, C. Gbaguidi, S. Staamann, "Extensions to an authentication technique proposed for the global mobility network," IEEE Transactions on Communications, vol. 48, no. 3, pp. 373-376, 2000.
[4] J. Zhu, J. Ma, "A new authentication scheme with anonymity for wireless environments," IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 231-235, 2004.
[5] C. Lee, M. Hwang, I. Liao, "Security enhancement on a new authentication scheme with anonymity for wireless environments," IEEE Transactions on Industrial Electronics, vol. 53, no. 5, pp. 1683-1687, 2006.
[6] C. Wu, W. Lee, W. Tsaur, "A secure authentication scheme with anonymity for wireless communications," IEEE Communications Letters, vol. 12, no. 10, pp. 722-723, 2008.
[7] P. Zeng, Z. Cao, K. R. Choo, S. Wang, "On the anonymity of some authentication schemes for wireless communications," IEEE Communications Letters, vol. 13, no. 3, pp. 170-171, 2009.
[8] J. Lee, J. H. Chang, D. H. Lee, "Security flaw of authentication scheme with anonymity for wireless communications," IEEE Communications Letters, vol. 13, no. 5, pp. 292-293, 2009.
[9] C. Chang, C. Lee, Y. Chiu, "Enhanced authentication scheme with anonymity for roaming service in global mobility networks," Computer Communications, vol. 32, no. 4, pp. 611-618, 2009.
[10] T. Youn, Y. Park, J. Lim, "Weaknesses in an anonymous authentication scheme for roaming service in global mobility networks," IEEE Communications Letters, vol. 13, no. 7, pp. 471-473, 2009.
[11] D. He, M. Ma, Y. Zhang, C. Chen, J. Bu, "A strong user authentication scheme with smart cards for wireless communications," Computer Communications, vol. 34, no. 3, pp. 367-374, 2011.
[12] H. Mun, K. Han, Y. S. Lee, C. Y. Yeun, H. H. Choi, "Enhanced secure anonymous authentication scheme for roaming service in global mobility networks," Mathematical and Computer Modelling, vol. 55, no. 1-2, pp. 214-222, 2012.
[13] Q. Pu, "An enhanced authentication scheme with anonymity for roaming service in global mobility networks," in Proceedings of the 2nd International Conference on MultiMedia and Information Technology (MMIT '10), pp. 219-222, Kaifeng, China, April 2010.
[14] T. Zhou, J. Xu, "Provable secure authentication protocol with anonymity for roaming service in global mobility networks," Computer Networks, vol. 55, no. 1, pp. 205-213, 2011.
[15] T. Lee, T. Hwang, "Provably secure and efficient authentication techniques for the global mobility network," Journal of Systems and Software, vol. 84, no. 10, pp. 1717-1725, 2011.
[16] C. C. Lee, Y. M. Lai, C. T. Li, "An improved secure dynamic ID based remote user authentication scheme for multi-server environment," International Journal of Security and Its Applications, vol. 6, pp. 203-210, 2012.
[17] Y. An, Y. Joo, "Security analysis and improvements of a password-based mutual authentication scheme with session key agreement," International Journal of Security and Its Applications, vol. 7, pp. 85-94, 2013.
[18] J. S. Kim, J. Kwak, "Improved secure anonymous authentication scheme for roaming service in global mobility networks," International Journal of Security and Its Applications, vol. 6, pp. 45-54, 2012.
Copyright © 2013 Jun-Sub Kim and Jin Kwak. Jun-Sub Kim et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Abstract
In 2012, Mun et al. pointed out that Wu et al.'s scheme failed to achieve user anonymity and perfect forward secrecy and disclosed the passwords of legitimate users. They then proposed a new enhancement for anonymous authentication. However, their proposed scheme is susceptible to replay attack and man-in-the-middle attack. It also incurs a high overhead in the database. In this paper, we examine the vulnerabilities in the existing schemes and the computational overhead incurred in the database. We then propose a secure and efficient anonymous authentication scheme for roaming service in global mobility network. Our proposed scheme is secure against various attacks, provides mutual authentication and session key establishment, and incurs less computational overhead in the database than Mun et al.'s scheme.