This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2780124, IEEE Access

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000. Digital Object Identifier 10.1109/ACCESS.2017.DOI

A Robust Mutual Authentication Scheme Based on Elliptic Curve Cryptography for Telecare Medical Information Systems

SHUMING QIU (1,2), GUOAI XU (1), HASEEB AHMAD (3), AND LICHENG WANG (1)

(1) School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
(2) Elementary Educational College, Jiangxi Normal University, Nanchang 330022, China
(3) Department of Computer Science, National Textile University, Faisalabad 37610, Pakistan

Corresponding author: Guoai Xu (e-mail: [email protected]). This research is supported by the National Key Research and Development Plan (Grant No. 2017YFB0801901).

ABSTRACT Telecare medical information systems (TMIS) allow patients/users to be served at home. Along with this convenience, it is essential to preserve the privacy of patients/users and to secure their interaction with the remote server, and authentication protocols are commonly adopted for this purpose. Recently, Chaudhry et al. pointed out that Islam et al.'s smart-card-based scheme is prone to user impersonation and server impersonation attacks, and presented an enhanced scheme based on elliptic curve cryptography (ECC) to remedy these weaknesses. Unfortunately, we find important limitations in both schemes: Chaudhry et al.'s scheme is still prone to off-line password guessing, user/server impersonation and man-in-the-middle attacks. To overcome these limitations, we present an improved authentication scheme that avoids the design flaws of Chaudhry et al.'s scheme and resists all known attacks. We prove the security of the proposed scheme with the widely used Burrows-Abadi-Needham logic (BAN logic). A comparison with previous work shows that the presented protocol is more efficient and more secure than related schemes.

INDEX TERMS Telecare medicine information systems, elliptic curve cryptography, smart card, off-line password guessing attack, authentication, BAN logic.

I. INTRODUCTION

WITH the rapid development of networking and communication technologies, telecare medical information systems (TMIS) offer an efficient and convenient connection between patients and the medical server. Because patients are served over public networks, privacy preservation is a critical issue in TMIS, and numerous authentication and key agreement schemes have been proposed for it. The original authentication scheme, proposed in 1999 [11], was based on hypertext transfer protocol (HTTP) digest authentication. In 2005, Yang et al. [38] showed it to be insecure and proposed an improved version based on the Diffie-Hellman key exchange; they noted that it remained vulnerable to the off-line password guessing attack and the server-spoofing attack, and subsequently proposed a further improvement. However, in 2006 Huang et al. [14] pointed out that Yang et al.'s scheme [38] cannot resist the stolen-verifier, off-line password guessing and Denning-Sacco attacks, and that its high computational cost makes it unsuitable for devices with low computational power [7], [13]. In 2005, Durlanik and Sogukpinar [8] were the first to use elliptic curve cryptography (ECC) to build an efficient authentication scheme on the foundation of Yang et al.'s work [38]; ECC provides the same security with a smaller key size than traditional public key cryptography. Many subsequent works proposed authentication schemes using ECC [2], [6], [10], [21], [25], [27], [39]–[41]. However, most of these protocols for TMIS have security limitations, so designing a more secure session key agreement scheme remains a challenging topic.

In 2013, Xu et al. proposed a secure and efficient authentication and key agreement scheme based on ECC for TMIS, which provides patient anonymity by employing a dynamic identity. However, in 2014 Islam et al. pointed out that Xu et al.'s protocol is not appropriate for practical use because (1) it fails to provide strong authentication in the login and authentication phases; (2) it does not update the password correctly in the password change phase; (3) it does not provide revocation of lost/stolen smart cards; and (4) it fails to resist the strong replay attack. To overcome these weaknesses, Islam et al. devised an anonymous and provably secure two-factor authentication protocol based on ECC. In 2015, Chaudhry et al. showed that Islam et al.'s protocol suffers from user impersonation and server impersonation attacks and proposed an enhanced protocol to address these drawbacks.

Unfortunately, Chaudhry et al.'s scheme has security vulnerabilities of its own. In this paper, we revisit the scheme of Chaudhry et al. and present a more secure and efficient scheme. We find that Chaudhry et al.'s scheme is susceptible to off-line password guessing, server impersonation, user impersonation and man-in-the-middle attacks, and we observe that the off-line identity guessing attack is fatal for their protocol. In our proposed protocol, we use the "fuzzy verifier" technique [32] to resist off-line identity guessing. Moreover, our scheme not only addresses the security problems of Chaudhry et al.'s [5] and Islam et al.'s [16] schemes but also retains all their merits, as shown in Table 5. Although our scheme employs the comparatively expensive elliptic curve point multiplication, the trade-off is resistance against all known attacks. In terms of security and efficiency, the proposed scheme compares favourably with its counterparts.

The remainder of this paper is organized as follows. Section II introduces the notation and the capabilities of the adversary. Sections III and IV review and cryptanalyse Chaudhry et al.'s scheme. Section V presents our proposed scheme. Sections VI and VII give a conventional and a BAN-logic security analysis of our scheme, respectively. Section VIII compares the performance and functionality of the proposed scheme with related schemes. Section IX concludes the paper.

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

II. PRELIMINARIES

In this section, we introduce the notation and the capabilities assumed for the adversary of the authentication scheme. The notation used in this paper is listed in Table 1.

TABLE 1. Notations and abbreviations

Symbol     Description
S          Server
Ui         Patient/User
IDi        Identity of Ui
PWi        Password of Ui
ri, ai     Random numbers of Ui
ks         Secret key of S
rs, cs     Random numbers of S
||         The string concatenation operation
A          Malicious adversary
⊕          The bitwise XOR operation
h(·)       Collision-free one-way hash function
→          An insecure channel
⇒          A secure channel
SK         Session key between Ui and S

A. THREAT MODEL

Throughout this paper, following [29], [32], the capabilities of the adversary A are as follows:
1. A has complete control over the open communication channel: A can intercept, modify, delete, block and resend any message sent over it.
2. A can enumerate all pairs (IDi, PWi) in DID × DPW in polynomial time, where DPW and DID denote the password space and the identity space, respectively.
3. A can either obtain the user's password through a malicious device or extract the parameters stored in the smart card, but not both at the same time.
4. When evaluating forward secrecy, A may obtain the server's private key or compromise the user's password.

III. REVIEW OF CHAUDHRY ET AL.'S SCHEME

In this section, we review Chaudhry et al.'s authentication scheme [5] for TMIS. The scheme consists of three phases: registration, login and authentication, and password updating.

A. THE REGISTRATION PHASE

Step 1: The patient Ui chooses an identity IDi, a password PWi and a random number ri ∈ Zp*, computes li = h(IDi||PWi||ri), and sends {IDi, li} to the server S over a secure channel.
Step 2: On receiving the registration request, S verifies the identity. If Ui is a new user, S sets ti = 0; otherwise it sets ti = ti + 1. S stores {IDi, ti} in its database, chooses a random number bs and computes α = ((bs + ks)/li) mod p, Bi = bsG, ui = h(ksG||li) and Oi = h(IDi||ks) ⊕ li. S then stores {E/Fp, G, ui, Bi, α, h(·), p, ti, Oi} in the smart card SC and issues it to Ui.
Step 3: On receiving the smart card, Ui writes ri into SC.

B. THE LOGIN AND AUTHENTICATION PHASE

Step 1: Ui inserts SC and enters IDi and PWi. SC computes li = h(IDi||PWi||ri), ksG = (αli)G − Bi and ui* = h(ksG||li), and checks whether ui* = ui. If not, SC aborts the session. Otherwise SC generates a random number ai ∈ Zp* and a timestamp Ti1 and computes PIDi = IDi ⊕ aiG, Ci = ai(ksG) and Gi = h(IDi||Oi ⊕ li||Ci||Ti1||ksG||Ni). Ui then sends mi = {PIDi, Ci, Gi, Ti1} to S.
Step 2: On receiving mi, S verifies the validity of Ti1 and ends the session if it is invalid. Otherwise S computes IDi' = PIDi ⊕ (Ci ks^{-1}) and Gi' = h(IDi'||h(IDi'||ks)||Ci||Ti1||ksG||Ni), and ends the session if Gi' ≠ Gi. Otherwise S selects a random number cs ∈ Zp* and a timestamp Ti2, computes Cs = cs(ksG), Csi = cs(Ci), SK = h(IDi'||h(IDi'||ks)||Ci||Cs||Csi||ksG) and Gs = h(SK||Cs||Ti2||ksG), stores {IDi, Ni, Ti2} in its database, and sends ms = {Cs, Gs, Ti2} to Ui.
Step 3: On receiving ms, Ui checks the validity of Ti2, then computes Cis = ai(Cs), SK' = h(IDi||Oi ⊕ li||Ci||Cs||Cis||ksG) and Gs' = h(SK'||Cs||Ti2||ksG). Ui verifies whether Gs' = Gs and ends the session if not; otherwise Ui accepts the session key SK.

C. PASSWORD UPDATING PHASE

Ui inserts the smart card SC into the card reader and enters IDi and PWi. SC computes li = h(IDi||PWi||ri), ksG = (αli)G − Bi and ui* = h(ksG||li), and checks whether ui* = ui. If not, SC refuses the request. Otherwise SC asks Ui for a new password PWinew and a new random number rinew ∈ Zp*, and computes linew = h(IDi||PWinew||rinew), αnew = (bs + ks)/linew mod p, uinew = h(ksG||linew) and Oinew = h(IDi||ks) ⊕ linew. SC then stores uinew, rinew, αnew and Oinew in place of ui, ri, α and Oi, respectively.

IV. CRYPTANALYSIS OF CHAUDHRY ET AL.’S SCHEME

In this section, we show that Chaudhry et al.'s scheme is vulnerable to off-line password guessing, user impersonation, server impersonation and man-in-the-middle attacks. The attacks rest on the assumption that a malicious adversary A has full control over the channel between U and S during the authentication phase, so that A can intercept, insert, delete or modify any message sent over the public channel [9], [20], [36].

A. OFF-LINE PASSWORD GUESSING ATTACK

In an off-line password guessing attack, the adversary A steals the legal user's smart card and extracts useful parameters from it, and/or intercepts messages on the insecure channel, and then tries to guess the user's password and identity, checking each guess locally. We show in four cases that Chaudhry et al.'s scheme cannot resist this attack. In every case the root cause is the same: A obtains a value that is a deterministic function of (IDi, PWi, ri) and of data A already holds, and uses it as an oracle for the guess.

Case 1 (via the verification value in the smart card). A extracts {ui, ri, α, Bi} and the public parameters {E/Fp, G, p} from the smart card and proceeds as follows:
Step 1: A guesses PW* and ID* from the password space DPW and the identity space DID, respectively.
Step 2: A computes li* = h(ID*||PW*||ri).
Step 3: Since ks = liα − bs and hence ksG = (liα)G − bsG = (liα)G − Bi, A computes (ksG)* = (li*α)G − Bi and ui* = h((ksG)*||li*).
Step 4: A checks whether ui* = ui. If so, A has found the correct password and identity of U; otherwise A repeats Steps 1 to 4.
The time complexity of this attack is O(|DPW| · |DID| · (2Th + Tm + Ta)), where Th, Tm and Ta are the running times of a hash computation, a point multiplication and a point addition, and |DPW| and |DID| denote the number of passwords in DPW and the number of identities in DID. Usually |DID| ≤ |DPW| ≤ 10^6 [30], [31], so the attack is quite efficient. The attack succeeds because the card stores the verification value ui, which the designers intended for checking the legitimacy of a login locally and for letting the user change the password without contacting the server; A uses the same value to confirm a guessed password and identity.

Case 2 (via the verification value on the public channel). A intercepts the login request {PIDi, Ci, Gi, Ti1} and extracts {Oi, ri, α, Bi, Ni} from the smart card, then proceeds as follows:
Step 1: A guesses PW* and ID* from DPW and DID, respectively.
Step 2: A computes li* = h(ID*||PW*||ri).
Step 3: A computes (ksG)* = (li*α)G − Bi.
Step 4: A computes Gi* = h(ID*||Oi ⊕ li*||Ci||Ti1||(ksG)*||Ni).
Step 5: A checks whether Gi* equals the Gi in the login message. If so, A has found the correct password and identity of U; otherwise A repeats Steps 1 to 5.
The time complexity is again O(|DPW| · |DID| · (2Th + Tm + Ta)), so this attack is also efficient. It succeeds because Gi in the login request is a verification value that A can recompute for each guess.

Case 3 (a legitimate patient as attacker, I). A legitimate patient Uj can act as the adversary A. (We subscript α by its owner below.) A also extracts {Bi, ri, αi} from Ui's smart card.
Step 1: Uj extracts {E/Fp, G, Bj, rj, αj, h(·), p} from its own smart card and computes lj = h(IDj||PWj||rj) and ksG = (ljαj)G − Bj.
Step 2: A (that is, Uj) guesses PW* and ID* from DPW and DID, respectively.
Step 3: A computes li* = h(ID*||PW*||ri).
Step 4: A computes (ksG)* = (li*αi)G − Bi.
Step 5: A checks whether (ksG)* equals the ksG obtained in Step 1. If so, A has found the correct password and identity of U; otherwise A repeats Steps 2 to 5.
The time complexity is O(Th + Tm + Ta + |DPW| · |DID| · (Th + Tm + Ta)), so this attack is also efficient. The key reason for its success is that any legal patient can compute the common value ksG; a guess of the other user's password and identity yields (ksG)*, and a correct guess necessarily gives (ksG)* = ksG, which lets A verify the guess.

Case 4 (a legitimate patient as attacker, II). As in Case 3, a legitimate patient Uj acts as A, but now extracts {ui, ri} from Ui's smart card.
Step 1: Uj extracts {E/Fp, G, Bj, rj, αj, h(·), p} from its own smart card and computes lj = h(IDj||PWj||rj) and ksG = (ljαj)G − Bj.
Step 2: A guesses PW* and ID* from DPW and DID, respectively.
Step 3: A computes li* = h(ID*||PW*||ri).
Step 4: A computes ui* = h(ksG||li*).
Step 5: A checks whether ui* equals the ui extracted from Ui's card. If so, A has found the correct password and identity of U; otherwise A repeats Steps 2 to 5.
The time complexity is O(Th + Tm + Ta + |DPW| · |DID| · 2Th), so this attack is also efficient. As in Case 3, the key reason is that any legal patient can compute the common value ksG; A then computes ui* for each guess, and ui = ui* confirms that the guess is correct.

Any one of the above cases shows that the scheme of Chaudhry et al. cannot resist the off-line password guessing attack.

B. USER IMPERSONATION ATTACK

Since Chaudhry et al.'s scheme is vulnerable to the off-line password guessing attack, the adversary can also impersonate a legal patient/user. Holding the correct (IDi, PWi) and the card data {ri, α, Bi, Oi, Ni}, A picks a current timestamp Ti1 and proceeds as follows.
Step 1: A computes li = h(IDi||PWi||ri) from the already guessed identity and password, and then ksG = (αli)G − Bi. A selects a random number ai* ∈ Zp* and computes PIDi* = IDi ⊕ ai*G, Ci* = ai*(ksG) and Gi* = h(IDi||Oi ⊕ li||Ci*||Ti1||ksG||Ni). A sends the login request {PIDi*, Ci*, Gi*, Ti1} to the server S.
Step 2: On receiving the login request from A, S checks the timestamp Ti1, computes IDi' = PIDi* ⊕ (Ci* ks^{-1}) = IDi and Gi' = h(IDi'||h(IDi'||ks)||Ci*||Ti1||ksG||Ni), and checks whether Gi' = Gi*. Since Oi ⊕ li = h(IDi||ks), the check passes. S therefore chooses cs and Ti2, computes Cs = cs(ksG), Csi = cs(Ci*), SK = h(IDi'||h(IDi'||ks)||Ci*||Cs||Csi||ksG) and Gs = h(SK||Cs||Ti2||ksG), stores {IDi, Ni, Ti2} in its database, and sends the challenge {Cs, Gs, Ti2} to A.
Step 3: On receiving the challenge from S, A computes Cis* = ai*(Cs) = Csi and the session key SK* = h(IDi||Oi ⊕ li||Ci*||Cs||Cis*||ksG) = SK.
Thus A successfully impersonates a legal patient/user to the server, and Chaudhry et al.'s scheme is insecure against the user impersonation attack.

C. SERVER IMPERSONATION ATTACK

After the off-line password guessing attack, A holds the correct {IDi, PWi} of U and computes li = h(IDi||PWi||ri) and ksG = (αli)G − Bi. A then waits for U to send a login request {PIDi, Ci, Gi, Ti1} to S, captures it, and launches a server impersonation attack as follows:
Step 1: A selects a random number cs* ∈ Zp* and a timestamp Ti2*, computes Cs* = cs*(ksG), Csi* = cs*(Ci), SK* = h(IDi||Oi ⊕ li||Ci||Cs*||Csi*||ksG) and Gs* = h(SK*||Cs*||Ti2*||ksG), and sends the challenge {Cs*, Gs*, Ti2*} to Ui.
Step 2: On receiving the challenge from A, Ui checks the validity of Ti2*. If valid, Ui computes Cis = ai(Cs*), the session key SK = h(IDi||Oi ⊕ li||Ci||Cs*||Cis||ksG) and Gs' = h(SK||Cs*||Ti2*||ksG), and verifies whether Gs' = Gs*. Since Cis = ai cs*(ksG) = cs*(Ci) = Csi*, the two values are equal, so Ui accepts the session key SK with a "server" that is in fact the adversary A.
Accordingly, A mounts a server impersonation attack and shares a session key SK with Ui. Moreover, since A also holds ksG of the server and can compute h(IDi||ks) = li ⊕ Oi from the obtained data, A can mount the same server impersonation against other users whose cards and credentials it recovers. Therefore the scheme cannot resist the server impersonation attack.

D. MAN-IN-THE-MIDDLE ATTACK

The analyses above show that Chaudhry et al.'s scheme is vulnerable to off-line password guessing, user impersonation and server impersonation. Since the adversary can impersonate the patient/user to the server and vice versa, the adversary can also sit between the two and run both impersonations at once, so Chaudhry et al.'s scheme cannot resist the man-in-the-middle attack.

V. OUR PROPOSED SCHEME

This section presents an improved mutual authentication scheme based on ECC for TMIS. Random numbers are used in place of timestamps to prevent replay, so Ui and S need not have synchronized clocks. The scheme overcomes the weaknesses of Chaudhry et al.'s [5] and Islam et al.'s [16] schemes while achieving mutual authentication and resisting the known attacks. It consists of three phases: registration, login and mutual authentication, and password change. The notation is that of Table 1, and the registration and authentication flow is summarized in Fig. 1.

A. REGISTRATION PHASE

1. The patient Ui chooses a password PWi, an identity IDi and a random number ri ∈ Zp*, and computes li = h(IDi||PWi||ri).
2. Ui ⇒ S: {IDi, li}.
3. On receiving the registration message, S selects an integer n0 with 2^4 ≤ n0 ≤ 2^8 [32], chooses a random number rs ∈ Zp*, and calculates
   Ai = h((h(IDi) ⊕ h(li)) mod n0), T = h(IDi||ks||rs), Oi = T ⊕ li,
   and stores {IDi, rs} in its database.
4. S ⇒ Ui: a smart card SC containing {Ai, Oi, n0, h(·), p, G}.
5. Ui stores ri in SC.

B. LOGIN AND MUTUAL AUTHENTICATION PHASE

Once Ui has registered with the server, Ui logs in to S as follows whenever service is required:
1. Ui inserts SC into a card reader and inputs IDi and PWi. SC calculates li = h(IDi||PWi||ri) and Ai' = h((h(IDi) ⊕ h(li)) mod n0) and compares Ai' with the Ai stored in SC. If Ai' = Ai, IDi and PWi are accepted; otherwise the session is terminated. SC then computes T = Oi ⊕ li, chooses a random number ai ∈ Zp*, and computes
   Ci = aiG, PIDi = T ⊕ (IDi||Ci), Gi = h(IDi||T||Ci).
2. Ui → S: {PIDi, Gi}.
3. On receiving {PIDi, Gi}, S computes T = h(IDi||ks||rs) from its stored data and its private key (the message carries no plaintext identifier, so S tests its stored {IDi, rs} entries in turn), recovers IDi'||Ci' = PIDi ⊕ T and checks whether IDi' = IDi against its database. If no entry matches, S judges that a wrong password was entered; once the number of such failures exceeds a fixed value (such as 5), S concludes that the smart card has been taken by an attacker and locks it until Ui re-registers. Otherwise S computes Gi' = h(IDi'||T||Ci') and verifies whether Gi' = Gi. If not, S exits the session and increments a failure counter N (starting at 1), suspending the card until Ui re-registers once N exceeds a threshold (such as 5). Otherwise S generates a random number cs ∈ Zp* and computes
   Cs = csG, SK = h(IDi'||T||csCi'||Ci'||Cs), Gs = h(SK||Cs||T||Ci').
4. S → Ui: {Cs, Gs}.
5. On receiving {Cs, Gs}, Ui computes
   SK' = h(IDi||T||aiCs||Ci||Cs), Gs' = h(SK'||Cs||T||Ci).
6. Ui verifies whether Gs' = Gs. If not, the session is terminated. Otherwise S is authenticated to Ui, and Ui accepts the session key SK' and computes Mi = h(SK'||T||Ci).
7. Ui → S: {Mi}.
8. On receiving {Mi}, S computes Mi' = h(SK||T||Ci') and checks whether Mi' = Mi. If so, Ui is authenticated to S. Both parties now share the common session key SK = SK', since aiCs = aicsG = csCi.

FIGURE 1. Registration and authentication phase of the proposed scheme (message flow: Ui ⇒ S: {IDi, li}; S ⇒ Ui: smart card {Ai, Oi, n0, h(·), p, G}; Ui → S: {PIDi, Gi}; S → Ui: {Cs, Gs}; Ui → S: {Mi}).

C. PASSWORD UPDATING PHASE

This phase lets the user change the password at will. Ui executes the following steps locally with SC, without involving S; the process is shown in Fig. 2.
1. Ui inserts the smart card into the card reader and inputs IDi, PWi and a new password PWinew.
2. SC calculates li = h(IDi||PWi||ri) and Ai' = h((h(IDi) ⊕ h(li)) mod n0) and verifies whether Ai' = Ai. If not, SC refuses the password change.
3. Otherwise SC generates a new random number rinew and calculates
   linew = h(IDi||PWinew||rinew), Oinew = li ⊕ linew ⊕ Oi (= T ⊕ linew), Ainew = h((h(IDi) ⊕ h(linew)) mod n0).
   Finally, SC stores Ainew, Oinew and rinew in place of Ai, Oi and ri, respectively.

VI. SECURITY ANALYSIS

In this section, we argue that our scheme withstands the known attacks.

A. USER ANONYMITY

In the proposed scheme, no identity is transmitted in clear over the open channel. Suppose A eavesdrops {PIDi, Gi} and {Cs, Gs}. To recover IDi from PIDi = T ⊕ (IDi||Ci), A needs T, which is unavailable since T = h(IDi||ks||rs) is protected by the private key ks of S. Nor can A check guesses of IDi against Gi = h(IDi||T||Ci), since Ci = aiG is not available either. Even if A obtains Ui's smart card and extracts its contents, IDi cannot be recovered: it appears only inside the one-way hash and the reduction modulo n0 in Ai, and inside li = h(IDi||PWi||ri), which is masked by T in Oi. Therefore the proposed scheme provides user anonymity.

B. OFF-LINE PASSWORD GUESSING ATTACK

As shown in Section IV-A, in Chaudhry et al.'s scheme the attacker can confirm a guessed identity and password by any of the four cases. In the proposed scheme, A cannot determine the correct identity and password of Ui even after extracting the contents of SC. Suppose A finds a pair (IDi', PWi') satisfying Ai' = Ai. Because Ai reveals only a value reduced modulo n0 ≤ 2^8, roughly |DID| · |DPW| / n0 candidate pairs pass this local check, and A cannot tell them apart off-line. A can only confirm a candidate by an on-line attempt, but the number of candidates is large enough that the smart card is suspended until Ui re-registers once the number of wrong logins exceeds the fixed value N (such as 5). Accordingly, our scheme resists the off-line password guessing attack.

C. PRIVILEGED INSIDER ATTACK

Consider a scenario in which an insider of S who can access the registration information {IDi, li} of a valid patient acts as the adversary A. A cannot obtain the password PWi, since li = h(IDi||PWi||ri) is protected by the random number ri and the one-way hash function. Therefore the proposed scheme withstands the privileged insider attack.

D. USER IMPERSONATION ATTACK

To impersonate a legitimate patient, the adversary A has to obtain the identity IDi and password P Wi of U , or construct {P IDi , Gi }. Firstly, it is impossible for A to guess the correct identity and password of Ui according to "off-line password guessing attack". Secondly, to construct {P IDi , Gi }, A has to get the key parameter T . It is still not possible to recover T without knowing the secret key ks . Therefore, our scheme resists against user impersonation attack. 7

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.


FIGURE 2. Password updating phase of the proposed scheme. [Figure: Patient (U_i) inputs ID_i, PW_i, PW_i^new and passes {ID_i, PW_i, PW_i^new} to the smart card (SC). SC computes l_i = h(ID_i || PW_i || r_i) and A_i' = h((h(ID_i) ⊕ h(l_i)) mod n0), checks A_i' = A_i, generates a random number r_i^new ∈ Z_p*, computes l_i^new = h(ID_i || PW_i^new || r_i^new), O_i^new = l_i ⊕ l_i^new ⊕ O_i, A_i^new = h((h(ID_i) ⊕ h(l_i^new)) mod n0), and stores A_i^new, O_i^new, r_i^new in place of A_i, O_i, r_i.]
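The password updating phase and the off-line password guessing analysis of Subsection VI-B, as an added example that is not part of the paper: a Python model of the card state {A_i, O_i, r_i}, the local fuzzy-verifier check, and the three update steps. It assumes n0 = 2^8 (the paper names n0 but not its value), models O_i as l_i ⊕ secret so that the update rule O_i^new = l_i ⊕ l_i^new ⊕ O_i can be shown to re-mask the same secret (the paper only gives the rule), and uses SHA-256 interpreted as an integer so that ⊕ and mod n0 are defined on hash outputs. The candidate list is constructed, not real data.

```python
import hashlib
import secrets

N0 = 2 ** 8        # fuzzy-verifier modulus n0 (assumed value; the page only names n0)

def H(*parts):
    """h(·) as an integer so that ⊕ and mod n0 apply to hash outputs."""
    return int.from_bytes(hashlib.sha256("||".join(map(str, parts)).encode()).digest(), "big")

def l_value(id_i, pw, r_i):
    """l_i = h(ID_i || PW_i || r_i)."""
    return H(id_i, pw, r_i)

def verifier(id_i, l_i):
    """A_i = h((h(ID_i) ⊕ h(l_i)) mod n0): only log2(n0) bits of l_i influence A_i."""
    return H((H(id_i) ^ H(l_i)) % N0)

class SmartCard:
    """Card state {A_i, O_i, r_i}. O_i = l_i ⊕ secret is an assumption of this example."""
    def __init__(self, id_i, pw, secret, r_i=None):
        self.r_i = secrets.randbits(128) if r_i is None else r_i
        l_i = l_value(id_i, pw, self.r_i)
        self.A_i = verifier(id_i, l_i)
        self.O_i = l_i ^ secret

    def local_check(self, id_i, pw):
        """Step 2: recompute A_i' from the typed ID_i, PW_i and compare with A_i."""
        return verifier(id_i, l_value(id_i, pw, self.r_i)) == self.A_i

    def recover_secret(self, id_i, pw):
        return self.O_i ^ l_value(id_i, pw, self.r_i)

    def update_password(self, id_i, pw, pw_new, r_new=None):
        """Steps 1-3 of the password updating phase."""
        if not self.local_check(id_i, pw):
            return False
        l_old = l_value(id_i, pw, self.r_i)
        r_new = secrets.randbits(128) if r_new is None else r_new
        l_new = l_value(id_i, pw_new, r_new)
        self.O_i = l_old ^ l_new ^ self.O_i      # O_i^new: same secret, masked under l_new
        self.A_i = verifier(id_i, l_new)        # A_i^new
        self.r_i = r_new                        # r_i^new
        return True

def local_false_accepts(card, id_i, candidates):
    """Count how many wrong candidate passwords the fuzzy verifier accepts locally.
    Roughly len(candidates)/n0 pass, so a captured card cannot single out the
    right one; only the server's on-line counter (N = 5) can, and it locks the card."""
    return sum(card.local_check(id_i, pw) for pw in candidates)

SECRET = 0x5EED                                   # constructed card secret for the demo
CANDIDATES = [f"pw{i:05d}" for i in range(5000)]  # constructed wrong guesses

if __name__ == "__main__":
    card = SmartCard("alice", "correct-horse", SECRET, r_i=12345)
    n = local_false_accepts(card, "alice", CANDIDATES)
    print(f"{n} of {len(CANDIDATES)} wrong passwords pass the local check (expect ~{len(CANDIDATES)//N0})")
```

The point of the modulo is visible in local_false_accepts: with n0 = 2^8 about one wrong password in 256 passes the card's own check, so the check is useful against typos but useless as an off-line oracle, and the server-side lock-out bounds the on-line confirmations to N.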

E. SERVER IMPERSONATION ATTACK

In the proposed scheme, A cannot cheat U_i by masquerading as S. Without having the value of T, A cannot recover ID_i and C_i, so A cannot calculate the correct response message G_s. Therefore, our scheme is resistant to the server impersonation attack.

F. REPLAY ATTACK

In our scheme, the use of the nonces a_i and c_s together with the two-way challenge-response mechanism imparts resistance to the replay attack. If A replays the login request {PID_i, G_i}, then S would disrupt the session, as the replayed G_i would not pass the verification test since the random number a_i used in each session is different. Furthermore, A cannot replay the response message {C_s, G_s}, since the random number c_s is also different in each session. Accordingly, replay of any message is useless and our scheme is safe from the replay attack.

G. MUTUAL AUTHENTICATION

In our scheme, S authenticates U_i by verifying whether G_i' equals G_i and checking whether M_i' equals M_i; U_i authenticates S by testing whether G_s' equals G_s. Consequently, the proposed scheme achieves mutual authentication.

H. MAN-IN-MIDDLE ATTACK

In our scheme, the adversary A cannot launch the man-in-middle attack, since it cannot pass the authentication of S and U_i. If A wants to pass the authentication of S, it must know the password and identity of U_i. From Subsection VI-B, it is clear that A cannot obtain ID_i and PW_i of U_i. Meanwhile, A also cannot pass the authentication of U_i since it cannot get the private key k_s of S. Accordingly, the proposed scheme resists the man-in-middle attack.

I. PERFECT FORWARD SECRECY

Assume that the private key k_s of S is compromised and that the adversary A obtains the data r_s, ID_i, PW_i, so that A can compute T. But to calculate the previous session key SK = h(ID_i || T || c_s C_i || C_i || C_s), A needs a_i or c_s. It is impossible to compute a_i from C_i or c_s from C_s, or to calculate c_s C_i, due to the intractability of ECDLP and CDHP. Thus, even after obtaining {SC, ID_i, PW_i, k_s, r_s}, the adversary A is still not able to compute the session key SK. Consequently, the proposed scheme provides perfect forward secrecy.


VII. SECURITY PROOF WITH BAN-LOGIC

In this section, we present the security analysis of our proposed scheme using Burrows-Abadi-Needham Logic (BAN-Logic) [3]. We show that the proposed scheme allows the user to establish a session key with the server. Suppose that X and Y are symbols of statements, A and B are symbols for principals, and K is the symbol for a cryptographic key. Firstly, we list some basic logic notations of BAN-Logic in Table 2. Secondly, we mention some basic BAN-Logic postulates, and provide the idealized form, security goals and initial premises of the proposed scheme. Finally, we complete the security analysis using BAN-Logic. In this section, for convenience, let U denote U_i.

• Basic BAN-Logic postulates:

R1. Message meaning rule: (A |≡ A ←K→ B, A ⊲ (X)_K) / (A |≡ B |∼ X), that is, if A believes that A and B share K, and sees X encrypted with K, then A believes B once said X.

R2. Nonce-verification rule: (A |≡ #(X), A |≡ B |∼ X) / (A |≡ B |≡ X), that is, if A believes the freshness of X and that B once said X, then A believes that B trusts X.

R3. Jurisdiction rule: (A |≡ B |⇒ X, A |≡ B |≡ X) / (A |≡ X), that is, if A believes that B controls X, and A believes that B believes X, then A believes X.
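The postulates R1 to R5 of this section, applied to the idealized messages and the premises A1 to A8 that the section states, as an added example that is not part of the paper: a small forward-chaining checker in Python that encodes BAN statements as nested tuples and applies the rules to a fixpoint, so that the four goals fall out mechanically. The encoding names ('bel', 'sees', 'said', 'fresh', 'ctrl', 'key', 'enc', 'msg') are this example's own; the freshness rule R4 is folded into the check for R2, and the reverse direction of R5 is not needed for the derivation.

```python
# Statement encodings (nested tuples, so they are hashable and can live in a set):
#   ('bel', P, X)     P |≡ X        ('sees', P, X)    P ⊲ X
#   ('said', P, X)    P |∼ X        ('fresh', X)      #(X)
#   ('ctrl', P, X)    P |⇒ X        ('key', P, Q, K)  P ←K→ Q
#   ('enc', X, K)     (X)_K         ('msg', X, Y, ...) the tuple (X, Y, ...)

def believes_fresh(facts, a, x):
    """R4 (freshness rule): a tuple is fresh for A if A believes any component fresh."""
    if ('bel', a, ('fresh', x)) in facts:
        return True
    return isinstance(x, tuple) and x[0] == 'msg' and \
        any(believes_fresh(facts, a, c) for c in x[1:])

def _step(facts):
    """One round of applying R1, R2, R3 and R5 to every belief in `facts`."""
    new = set()
    for f in facts:
        if f[0] != 'bel' or not isinstance(f[2], tuple):
            continue
        a, x = f[1], f[2]
        if x[0] == 'key' and a in (x[1], x[2]):
            # R1 message meaning: A |≡ A ←K→ B and A ⊲ (X)_K  =>  A |≡ B |∼ X
            b, k = (x[2] if x[1] == a else x[1]), x[3]
            for g in facts:
                if g[0] == 'sees' and g[1] == a and g[2][0] == 'enc' and g[2][2] == k:
                    new.add(('bel', a, ('said', b, g[2][1])))
        elif x[0] == 'said' and believes_fresh(facts, a, x[2]):
            # R2 nonce verification: A |≡ #(X) and A |≡ B |∼ X  =>  A |≡ B |≡ X
            new.add(('bel', a, ('bel', x[1], x[2])))
        elif x[0] == 'bel':
            b, y = x[1], x[2]
            if ('bel', a, ('ctrl', b, y)) in facts:
                # R3 jurisdiction: A |≡ B |⇒ X and A |≡ B |≡ X  =>  A |≡ X
                new.add(('bel', a, y))
            if isinstance(y, tuple) and y[0] == 'msg':
                # R5 believe rule: A |≡ B |≡ (X, Y)  =>  A |≡ B |≡ X and A |≡ B |≡ Y
                for c in y[1:]:
                    new.add(('bel', a, ('bel', b, c)))
    return new - facts

def derive(facts):
    """Forward-chain the postulates to a fixpoint; returns every derivable statement."""
    facts = set(facts)
    while True:
        new = _step(facts)
        if not new:
            return facts
        facts |= new

SK = ('key', 'U', 'S', 'sk')             # U ←sk→ S
T = 'T'
PREMISES = {
    ('bel', 'U', ('fresh', 'a_i')),      # A1
    ('bel', 'U', ('fresh', 'C_s')),      # A2
    ('bel', 'S', ('fresh', 'c_s')),      # A3
    ('bel', 'S', ('fresh', 'C_i')),      # A4
    ('bel', 'U', ('key', 'U', 'S', T)),  # A5: U |≡ U ←T→ S
    ('bel', 'S', ('key', 'U', 'S', T)),  # A6: S |≡ U ←T→ S
    ('bel', 'U', ('ctrl', 'S', SK)),     # A7: U |≡ S |⇒ (U ←sk→ S)
    ('bel', 'S', ('ctrl', 'U', SK)),     # A8: S |≡ U |⇒ (U ←sk→ S)
}
MESSAGES = {
    ('sees', 'S', ('enc', ('msg', 'ID_i', 'C_i'), T)),        # Message1
    ('sees', 'U', ('enc', ('msg', SK, 'C_s', "C_i'"), T)),    # Message2
    ('sees', 'S', ('enc', ('msg', SK, 'C_i'), T)),            # Message3
}
GOALS = (
    ('bel', 'U', ('bel', 'S', SK)),      # Goal1: U |≡ S |≡ (U ←sk→ S)
    ('bel', 'U', SK),                    # Goal2: U |≡ (U ←sk→ S)
    ('bel', 'S', ('bel', 'U', SK)),      # Goal3: S |≡ U |≡ (U ←sk→ S)
    ('bel', 'S', SK),                    # Goal4: S |≡ (U ←sk→ S)
)

def goals_reached(premises=PREMISES, messages=MESSAGES):
    """Which of Goal1..Goal4 follow from the given premises and observed messages."""
    facts = derive(premises | messages)
    return tuple(g in facts for g in GOALS)

if __name__ == "__main__":
    print("Goal1..Goal4 reached:", goals_reached())
```

Dropping a premise shows what each one buys: without A7 the checker still reaches Goal1 (U believes S believes the key) but not Goal2, which is exactly the jurisdiction step S6; without Message2 neither of U's goals is reachable. The checker is deliberately literal about the postulates and does not model anything the proof does not use, such as the reverse direction of R5.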


R4. Freshness rule: (A |≡ #(X)) / (A |≡ #(X, Y)), that is, if A believes the freshness of X then A believes the freshness of (X, Y).

R5. Believe rule: (A |≡ B |≡ (X, Y)) / (A |≡ B |≡ X), or (A |≡ X, A |≡ Y) / (A |≡ (X, Y)), that is, if A believes that B believes (X, Y), then A believes that B believes X; or if A believes X and A believes Y, then A believes (X, Y).

TABLE 2. BAN-Logic notations

Symbol      | Description
A |≡ X      | A believes X
A ⊲ X       | A observes/receives X
A |∼ X      | A once said X (or A sends X)
#(X)        | X is fresh
A |⇒ X      | A controls X
A ←K→ B     | A and B communicate using shared key K
(X, Y)_K    | Take hash of X and Y using K as key
<X>_K       | X is xor-ed with the key K

• Idealized scheme:

– Message1: U → S: <ID_i || C_i>_{U ←T→ S}, (ID_i, C_i)_{U ←T→ S}.

– Message2: S → U: C_s, (U ←sk→ S, C_s, C_i')_{U ←T→ S}.

– Message3: U → S: (U ←sk→ S, C_i)_{U ←T→ S}.

• Security goals:

Goal1. U |≡ S |≡ (U ←sk→ S).
Goal2. U |≡ (U ←sk→ S).
Goal3. S |≡ U |≡ (U ←sk→ S).
Goal4. S |≡ (U ←sk→ S).

• Initial premises:

A1. U |≡ #(a_i).
A2. U |≡ #(C_s).
A3. S |≡ #(c_s).
A4. S |≡ #(C_i).
A5. U |≡ (U ←T→ S).
A6. S |≡ (U ←T→ S).
A7. U |≡ S |⇒ (U ←sk→ S).
A8. S |≡ U |⇒ (U ←sk→ S).

Now, we utilize the BAN-Logic postulates and rules to show that U and S successfully share a common session key sk.

S1. From Message2, U receives the message (U ←sk→ S, C_s, C_i')_{U ←T→ S} from S. So we have the following: U ⊲ (U ←sk→ S, C_s, C_i')_{U ←T→ S}.

S2. From S1, A5 and the message-meaning rule: because U believes that U and S share T, and sees (U ←sk→ S, C_s, C_i') encrypted with T, U believes S once said (U ←sk→ S, C_s, C_i'). Thus, we obtain the following: U |≡ S |∼ (U ←sk→ S, C_s, C_i').

S3. From A1, A2 and the freshness rule: because U believes the freshness of C_s, U believes the freshness of (U ←sk→ S, C_s, C_i'). Accordingly, we get the following: U |≡ #(U ←sk→ S, C_s, C_i').

S4. From S2, S3, the nonce-verification rule and the freshness rule: if U believes the freshness of (U ←sk→ S, C_s, C_i') and believes S once said it, then U believes that S trusts (U ←sk→ S, C_s, C_i'). Hence, we deduce the following: U |≡ S |≡ (U ←sk→ S, C_s, C_i').

S5. From S4 and the believe rule: if U believes that S believes (U ←sk→ S, C_s, C_i'), then U believes that S believes (U ←sk→ S). Therefore, we obtain the first goal: U |≡ S |≡ (U ←sk→ S) (Goal1).

S6. From Goal1, A7 and the jurisdiction rule: if U believes that S controls (U ←sk→ S), and U believes that S believes (U ←sk→ S), then U believes (U ←sk→ S). Thus, we get the second goal: U |≡ (U ←sk→ S) (Goal2).

S7. From Message3, S observes the message (U ←sk→ S, C_i)_{U ←T→ S} from U. Then we have the following: S ⊲ (U ←sk→ S, C_i)_{U ←T→ S}.

S8. From S7, A6 and the message-meaning rule: because S believes that U and S share T, and sees (U ←sk→ S, C_i) encrypted with T, S believes U once said (U ←sk→ S, C_i). So we obtain the following: S |≡ U |∼ (U ←sk→ S, C_i).

S9. From A4 and the freshness rule: because S believes the freshness of C_i, S believes the freshness of (U ←sk→ S, C_i). Consequently, we get the following: S |≡ #(U ←sk→ S, C_i).

S10. From S8, S9, the nonce-verification rule and the freshness rule: if S believes the freshness of (U ←sk→ S, C_i) and believes U once said it, then S believes that U trusts (U ←sk→ S, C_i). Hence, we deduce the following: S |≡ U |≡ (U ←sk→ S, C_i).

S11. From S10 and the believe rule: if S believes that U believes (U ←sk→ S, C_i), then S believes that U believes (U ←sk→ S). In short, we get the third goal: S |≡ U |≡ (U ←sk→ S) (Goal3).

S12. From Goal3, A8 and the jurisdiction rule: if S believes that U controls (U ←sk→ S), and S believes that U believes (U ←sk→ S), then S believes (U ←sk→ S). Thereupon we obtain the fourth goal: S |≡ (U ←sk→ S) (Goal4).

According to Goal1, Goal2, Goal3 and Goal4, we conclude that U (respectively S) believes that S (respectively U) believes in the session key sk, i.e., sk is shared successfully between them.

VIII. COMPARATIVE PERFORMANCE ANALYSIS

This section analyzes the performance of our proposed scheme by comparing it with Chaudhry et al.'s [5], Tu et al.'s [28], Wei et al.'s [33], Xu et al.'s [35] and Islam et al.'s [16] schemes. To compare the computational complexity, we neglect lightweight operations such as exclusive-OR and string concatenation. The operations used in this paper are denoted as follows:

• Tpa: the time for executing an elliptic curve point addition operation.
• Tpm: the time for executing a point multiplication operation.
• Tme: the time for executing a modular exponentiation operation.
• Tmi: the time for executing a modular inversion operation.
• Th: the time for executing a hash operation.

According to the experimental results reported in [12], Tpa, Tpm, Tme, Tmi and Th take the running times listed in Table 3: 100 ms, 130 ms, 380 ms, 30 ms and 1 ms on a Philips HiperSmart card with a clock speed of 36 MHz, respectively, while on the server side (Pentium IV processor with a clock speed of 3 GHz) these operations take 0.1 ms, 1.17 ms, 3.16 ms, 0.3 ms and 0.01 ms, respectively. Now, we present the comparative analysis at two levels:

• Comparison of computational complexity (Table 4)
• Comparison of security features (Table 5)

From Table 4, the computational costs of the login and authentication phases in Tu et al.'s scheme [28], Xu et al.'s scheme [35], Islam et al.'s scheme [16], Wei et al.'s scheme [33], Chaudhry et al.'s scheme [5] and our proposed scheme are 8Th + 6Tpm + 1Tpa ≈ 497.55 ms, 11Th + 6Tpm ≈ 399.56 ms, 10Th + 6Tpm + 1Tpa ≈ 499.55 ms, 10Th + 2Tme + 1Tmi ≈ 388.51 ms, 9Th + 7Tpm + 1Tpa + 1Tmi ≈ 628.85 ms and 13Th + 4Tpm ≈ 270.39 ms, respectively. In Chaudhry et al.'s scheme [5], the authors asserted that their protocol is more efficient than Islam et al.'s protocol. But in fact, their protocol's computational cost is higher than that of Islam et al.'s protocol. We observe that our protocol performs better than [5], [16], [28], [33], [35], and the computational cost of our proposed protocol is only 270.39 ms. Therefore, in terms of efficiency, the proposed protocol performs the best.

In Table 5, we find that [5], [16], [28], [33], [35] lack some security ingredients and have more security problems than the proposed scheme. In Chaudhry et al.'s scheme [5], the authors declared that their protocol is an improved variant resisting the user and server impersonation attacks and the man-in-middle attack applicable to Islam et al.'s scheme [16]. According to our analysis, however, Chaudhry et al.'s scheme [5] is not only still vulnerable to server and user impersonation and man-in-middle attacks, but also vulnerable to the off-line identity guessing attack. We find that the off-line identity guessing attack is a fatal attack on their protocol. In our proposed protocol, we utilize the technique of "fuzzy-verifiers" [32] to resist the off-line identity guessing attack. Therefore, the proposed scheme not only amends these security problems of Chaudhry et al.'s [5] and Islam et al.'s [16] schemes but also retains all their merits, as depicted in Table 5. Although our scheme also employs the expensive elliptic curve point multiplication operation, as a trade-off it can resist all known attacks, which are very important ingredients of the security of mutual authentication. In terms of security, the proposed scheme is more secure and has many excellent features compared with its counterparts.

IX. CONCLUSION

In this paper, we present a security analysis of Chaudhry et al.'s [5] scheme and show that it is vulnerable to the off-line password guessing attack, user and server impersonation attacks and the man-in-middle attack. In order to remove these limitations, we present a new scheme with refined security. The proposed scheme inherits the merits of Chaudhry et al.'s [5] and Islam et al.'s [16] schemes and resists the aforementioned attacks with a lower computational cost than the others. Meanwhile, we conduct the security analysis of our proposed scheme using BAN-Logic. Finally, in comparison with the previously proposed schemes, our scheme is more efficient and more secure than other related schemes.

REFERENCES

[1] J. Arkko, V. Torvinen, G. Camarillo, A. Niemi, and T. Haukka, “Security mechanism agreement for SIP sessions,” IETF Internet Draft, Jun. 2002.
[2] R. Arshad and N. Ikram, “Elliptic curve cryptography based mutual authentication scheme for session initiation protocol,” Multimed Tools Appl, 66(2):165-178 (2013).
[3] M. Burrows, M. Abadi, and R. M. Needham, “A logic of authentication,” ACM Transactions on Computer Systems, 8(1):18-36 (1990).
[4] S. A. Chaudhry, I. Khan, A. Irshad, M. U. Ashraf, M. K. Khan, and H. F. Ahmad, “A provably secure anonymous authentication scheme for session initiation protocol,” Secur Commun Netw, doi:10.1002/sec.1672 (2016).


TABLE 3. The time of executing cryptographic operations

Operation | Server  | User/Client
Tpa       | 0.1 ms  | 100 ms
Tpm       | 1.17 ms | 130 ms
Tme       | 3.16 ms | 380 ms
Tmi       | 0.3 ms  | 30 ms
Th        | 0.01 ms | 1 ms

TABLE 4. Comparison of computational complexity

Scheme              | User Computations            | Server Computations         | Total
Tu et al. [28]      | 4Th + 3Tpm + 1Tpa ≈ 494 ms   | 4Th + 3Tpm ≈ 3.55 ms        | 8Th + 6Tpm + 1Tpa ≈ 497.55 ms
Xu et al. [35]      | 6Th + 3Tpm ≈ 396 ms          | 5Th + 3Tpm ≈ 3.56 ms        | 11Th + 6Tpm ≈ 399.56 ms
Islam et al. [16]   | 6Th + 3Tpm + 1Tpa ≈ 496 ms   | 4Th + 3Tpm ≈ 3.55 ms        | 10Th + 6Tpm + 1Tpa ≈ 499.55 ms
Wei et al. [33]     | 5Th + 1Tme ≈ 385 ms          | 5Th + 1Tme + 1Tmi ≈ 3.51 ms | 10Th + 2Tme + 1Tmi ≈ 388.51 ms
Chaudhry et al. [5] | 5Th + 4Tpm + 1Tpa ≈ 625 ms   | 4Th + 3Tpm + 1Tmi ≈ 3.85 ms | 9Th + 7Tpm + 1Tpa + 1Tmi ≈ 628.85 ms
Ours                | 8Th + 2Tpm ≈ 268 ms          | 5Th + 2Tpm ≈ 2.39 ms        | 13Th + 4Tpm ≈ 270.39 ms

TABLE 5. Comparison of Security Features

Scheme              | F1  | F2  | F3  | F4  | F5  | F6  | F7  | F8  | F9
Tu et al. [28]      | Yes | –   | –   | –   | –   | –   | –   | –   | –
Xu et al. [35]      | Yes | No  | Yes | Yes | Yes | No  | No  | Yes | Yes
Islam et al. [16]   | Yes | Yes | No  | No  | No  | Yes | No  | No  | Yes
Wei et al. [33]     | No  | Yes | No  | No  | No  | No  | No  | No  | Yes
Chaudhry et al. [5] | Yes | Yes | No  | No  | No  | Yes | No  | Yes | Yes
Ours                | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes

(For Tu et al. [28], only the F1 entry could be attributed to a column in the extracted table; four of its F3 to F8 entries read "Yes" but their columns are not recoverable, and the remaining entries are missing.)

F1: Provides user anonymity; F2: Resists privileged insider attack; F3: Resists off-line password guessing attack; F4: Resists user impersonation attack; F5: Resists server impersonation attack; F6: Resists replay attack; F7: Resists man-in-middle attack; F8: Provides mutual authentication; F9: Provides perfect forward secrecy.

[5] S. A. Chaudhry, H. Naqvi, T. Shon, M. Sher, and M. S. Farash, “Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems,” J. Medical Systems, 39(6):66:1-66:11 (2015).
[6] T. H. Chen, H. L. Yeh, P. C. Liu, H. C. Hsiang, and W. K. Shih, “A secured authentication protocol for SIP using elliptic curves cryptography,” In: FGCN 2010, Part I, Communications in Computer and Information Science, 119:46-55 (2010).
[7] D. Denning and G. Sacco, “Timestamps in key distribution systems,” Commun ACM, 24:533-536 (1981).
[8] A. Durlanik and I. Sogukpinar, “SIP authentication scheme using ECDH,” World Enformatika Soc Trans Eng Comput Technol, 8:350-353 (2005).
[9] T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, and M. T. Shalmani, “On the power of power analysis in the real world: a complete break of the KeeLoq code hopping scheme,” Advances in Cryptology - CRYPTO 2008, Lecture Notes in Computer Science, Springer, Berlin, Germany, 5157:203-220 (2008).
[10] M. S. Farash and M. A. Attari, “An enhanced authenticated key agreement for session initiation protocol,” Inf Technol Control, 42(4):333-342 (2013).
[11] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, and A. Luotonen, “HTTP Authentication: Basic and digest access authentication,” IETF RFC 2617 (1999).
[12] D. He, “An efficient remote user authentication and key agreement protocol for mobile client-server environment from pairings,” Ad Hoc Netw, 10(6):1009-1016 (2012).
[13] D. He, J. Chen, and Y. Chen, “A secure mutual authentication scheme for session initiation protocol using elliptic curve cryptography,” Secur Commun Netw, 5(12):1423-1429 (2012).
[14] H. F. Huang, W. C. Wei, and G. E. Brown, “A new efficient authentication scheme for session initiation protocol,” In: 9th Joint Conference on Information Sciences (2006).
[15] M. Hölbl, T. Welzer, and B. Brumen, “An improved two-party identity-based authenticated key agreement protocol using pairings,” Journal of Computer and System Sciences, 78(1):142-150 (2012).
[16] S. Islam and M. Khan, “Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems,” J. Med. Syst, 38(10):135 (2014), doi:10.1007/s10916-014-0135-9.
[17] W. S. Juang, “Efficient password authenticated key agreement using smart cards,” Computers and Security, 23(2):167-173 (2004).
[18] S. Kumari, M. Karuppiah, A. K. Das, et al., “Design of a secure anonymity-preserving authentication scheme for session initiation protocol using elliptic curve cryptography,” J Ambient Intell Human Comput, doi:10.1007/s12652-017-0460-1 (2017).
[19] H. Kilinc and T. Yanik, “A survey of SIP authentication and key agreement schemes,” IEEE Communications Surveys and Tutorials, doi:10.1109/SURV.2013.091513.00050 (2013).
[20] L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, 24(11):770-772 (1981).
[21] F. W. Liu and H. Koenig, “Cryptanalysis of a SIP authentication scheme,” In: 12th IFIP TC6/TC11 International Conference, CMS 2011, Lecture Notes in Computer Science, 7025:134-143 (2011).
[22] Y. R. Lu, L. X. Li, and Y. X. Yang, “Robust and efficient authentication scheme for session initiation protocol,” Math Probl Eng, Article ID 894549, 9 pages (2015), doi:10.1155/2015/894549.
[23] Y. R. Lu, L. X. Li, H. P. Peng, and Y. X. Yang, “A secure and efficient mutual authentication scheme for session initiation protocol,” Peer-to-Peer Netw Appl, 9(2):449-459 (2016).
[24] C. Shen, E. Nahum, H. Schulzrinne, and C. P. Wright, “The impact of TLS on SIP server performance: measurement and modeling,” IEEE/ACM Transactions on Networking, 20(4):1217-1230 (2012).
[25] H. Tang and X. Liu, “Cryptanalysis of Arshad et al.’s ECC-based mutual authentication scheme for session initiation protocol,” Multimed Tools Appl, 65(3):165-178 (2013).


[26] M. Thomas, “SIP Security Requirements,” IETF Internet Draft, Work in Progress, Nov. 2001.
[27] J. L. Tsai, “Efficient nonce-based authentication scheme for session initiation protocol,” Int J Netw Secur, 8(3):312-316 (2009).
[28] H. Tu, N. Kumar, N. Chilamkurti, and S. Rho, “An improved authentication protocol for session initiation protocol using smart card,” Peer-to-Peer Netw Appl (2014).
[29] D. Wang, D. He, P. Wang, and C. Chu, “Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment,” IEEE Trans Depend Secur Comput, 12(4):428-442 (2015).
[30] D. Wang, Z. Zhang, and P. Wang, “Targeted online password guessing: An underestimated threat,” Proc. ACM CCS ’16, 1242-1254 (2016).
[31] D. Wang and P. Wang, “On the implications of Zipf’s law in passwords,” Proc. ESORICS, 111-131 (2016).
[32] D. Wang and P. Wang, “Two birds with one stone: two-factor authentication with security beyond conventional bound,” IEEE Trans Depend Secur Comput (2016), https://doi.org/10.1109/TDSC.2016.2605087.
[33] J. Wei, X. Hu, and W. Liu, “An improved authentication scheme for telecare medicine information systems,” J. Med. Syst, 36(6):3597-3604 (2012), doi:10.1007/s10916-012-9835-1.
[34] Q. Xie, “A new authenticated key agreement for session initiation protocol,” Int J Commun Syst, 25(1):47-54 (2012).
[35] X. Xu, P. Zhu, Q. Wen, Z. Jin, H. Zhang, and L. He, “A secure and efficient authentication and key agreement scheme based on ECC for telecare medicine information systems,” J. Med. Syst, 38(1):1-7 (2014).
[36] W. H. Yang and S. P. Shieh, “Password authentication schemes with smart cards,” Computers and Security, 18(8):727-733 (1999).
[37] H. L. Yeh, T. H. Chen, and W. K. Shih, “Robust smart card secured authentication scheme on SIP using elliptic curve cryptography,” Comput Stand Interfaces, 36:397-402 (2014).
[38] C. Yang, R. Wang, and W. Liu, “Secure authentication scheme for session initiation protocol,” Comput Secur, 24:381-386 (2005).
[39] E. J. Yoon and K. Y. Yoo, “Cryptanalysis of DS-SIP authentication scheme using ECDH,” In: International Conference on New Trends in Information and Service Science, 642-647 (2009).
[40] E. J. Yoon and K. Y. Yoo, “A new authentication scheme for session initiation protocol,” In: International Conference on Complex, Intelligent and Software Intensive Systems, CISIS’09, 549-554 (2009).
[41] E. J. Yoon, Y. N. Shin, I. S. Jeon, and K. Y. Yoo, “Robust mutual authentication with a key agreement scheme for the session initiation protocol,” IETE Tech Rev, 27(3):203-213 (2010).
[42] Z. Zhang, Q. Qi, N. Kumar, N. Chilamkurti, and H. J. Jeong, “A secure authentication scheme with anonymity for session initiation protocol using elliptic curve cryptography,” Multimed Tools Appl, 74(10):3477-3488 (2015).
