Research Article Robust and Efficient Authentication Scheme for Session Initiation Protocol

Transcription

1 Mathematcal Problems n Engneerng Volume 205, Artcle ID , 9 pages Research Artcle Robust and Effcent Authentcaton Scheme for Sesson Intaton Protocol Yanrong Lu,,2 Lxang L,,2 and Yxan Yang,2 Informaton Securty Center, State Key Laboratory of Networkng and Swtchng Technology, Bejng Unversty of Posts and Telecommuncatons, Bejng 00876, Chna 2 Natonal Engneerng Laboratory for Dsaster Backup and Recovery, Bejng Unversty of Posts and Telecommuncatons, Bejng 00876, Chna Correspondence should be addressed to Lxang L; l lxang2006@63.com Receved 6 October 204; Revsed 4 January 205; Accepted 5 January 205 Academc Edtor: Elmetwally Elabbasy Copyrght 205 Yanrong Lu et al. Ths s an open access artcle dstrbuted under the Creatve Commons Attrbuton Lcense, whch permts unrestrcted use, dstrbuton, and reproducton n any medum, provded the orgnal work s properly cted. The sesson ntaton protocol (SIP) s a powerful applcaton-layer protocol whch s used as a sgnalng one for establshng, modfyng, and termnatng sessons among partcpants. Authentcaton s becomng an ncreasngly crucal ssue when a user asks to access SIP servces. Htherto, many authentcaton schemes have been proposed to enhance the securty of SIP. In 204, Arshad and Nkooghadam proposed an enhanced authentcaton and key agreement scheme for SIP and clamed that ther scheme could wthstand varous attacks. However, n ths paper, we show that Arshad and Nkooghadam s authentcaton scheme s stll susceptble to key-compromse mpersonaton and trace attacks and does not provde proper mutual authentcaton. To conquer the flaws, we propose a secure and effcent ECC-based authentcaton scheme for SIP. Through the nformal and formal securty analyses, we demonstrate that our scheme s reslent to possble known attacks ncludng the attacks found n Arshad et al. s scheme. In addton, the performance analyss shows that our scheme has smlar or better effcency n comparson wth other exstng ECCbased authentcaton schemes for SIP.. Introducton Multmeda servce s one of the most mportant applcaton classes of wred or wreless networks. The sesson ntaton protocol (SIP) s one of the most mportant protocols supportng multmeda servces snce t could manage sessons ncludng multmeda dstrbuton, nternet telephone calls, and nternet multmeda conferences []. Authentcatons an mportant securty requrement when a user wants to access the SIP servces. Therefore, the securty of SIP [2] has receved a lot of attenton and the SIP authentcaton has become a crucal topc n modern multmeda servces. Up to now, varous researches have focused on proposng a secure and effcent authentcated key agreement scheme to provde varous aspects of securty for SIP. In 2005, Yang et al. [3] ndcated that the procedure of hyper text transport protocol (HTTP) dgest authentcaton for SIP could not resst the offlne password guessng and server-spoofng attacks. To resolve these problems, Yang et al. proposed an mproved scheme based on Dffe-Hellman key exchange protocol.later on,huang et al.[4] dentfed that Yang et al. s protocolwasnsecureagansttheofflnepasswordguessng attack. To enhance the securty of Yang et al. s scheme, Huang et al. also presented an mproved scheme. Later on, Jo et al. [5] demonstrated that Huang et al. s scheme was stll vulnerable to the offlne password guessng attack. Based on Yang et al. s study, Durlank and Sogukpnar [6]proposedan Ellptc Curve Cryptography (ECC) [7] based authentcaton scheme for SIP. Compared wth other cryptosystems, ECC canachevethesamesecurtywthasmallerkeysze[8]. Therefore, the scheme proposed by Durlank and Sogukpnar s consdered to be more effcent than Yang et al. s scheme. Later, Wu et al. [9] also proposed an authentcaton scheme for SIP usng ECC. However, Yoon et al. [0] showedthat both of Durlank et al. s scheme and Wu et al. s scheme were susceptble to the offlne password guessng, Dennng-Sacco, and stolen verfer attacks. To overcome these weaknesses, Yoon et al. proposed an enhanced authentcaton scheme for

2 2 Mathematcal Problems n Engneerng SIP wth more securty. Unfortunately, Pu [] showed that the scheme of Yoon et al. was stll prone to the offlne password guessng and replay attacks. In order to reduce the hgh computatonal cost, Tsa [2] suggested an effcent authentcated key agreement scheme only adoptng one-way hash functons and exclusve-or operatons. Nevertheless, Tsa s scheme was stll vulnerable to the offlne password guessng attack [3, 4]. Yoon et al. [4] proposedanenhancedschemetoovercomeweaknesses n Tsa s scheme. However, Xe [5] demonstrated that Yoon et al. s scheme dd not resst the stolen-verfer and offlne password guessng attacks. Xe then proposed an mproved scheme to overcome the weaknesses of Yoon et al. s scheme. Nevertheless, Farash and Attar [6] dscovered that Xe s scheme was stll nsecure aganst the mpersonaton and offlnepasswordguessngattacks.toenhancesecurty,farash and Attar presented an mproved scheme to solve problems n Xe s scheme. Recently, Zhang et al. [7] proposed an effcent and flexble password authentcated key agreement protocol for SIP usng smart card and clamed ther protocol was secure aganst varous attacks. However, Zhang et al. s scheme suffers from the mpersonaton attack [8, 9]. To tackle the problem, Tu et al. [8] andirshadetal.[9], respectvely, proposed ther own mproved authentcaton scheme based on Zhang et al. s scheme. Unfortunately, Arshad and Nkooghadam [20] demonstrated that Irshad et al. s schemecouldnotwthstandtheusermpersonatonattack. Arshad and Nkooghadam then proposed an enhancement of Irshad et al. s scheme sufferng from user mpersonaton attack and clamed that ther scheme was mmune to many known attacks. In ths study, we dentfy that the scheme by Arshad and Nkooghadam s nsecure aganst key-compromse mpersonaton and trace attacks whle t fals to provde proper mutual authentcaton. To conquer the mentoned weaknesses, we propose a robust and effcent authentcaton schemeusngecc.throughthenformalandformalsecurty analyses, we demonstrate that our scheme s reslent to possble known attacks ncludng the attacks found n Arshad and Nkooghadam s scheme. In addton, the performance analyss shows that our scheme has smlar or better effcency n comparson wth other related ECC-based authentcaton schemes for SIP. The remander of ths paper s organzed as follows. Secton 2 provdes some basc prelmnares and notatons used n ths paper. The revew and securty analyss of Arshad and Nkooghadam s scheme are shown n Sectons 3 and 4, respectvely.secton 5 shows our proposed scheme. Secton6 analyzes our scheme s securty. Secton7 shows the performance and functonalty comparson among the proposed scheme and other related ones. Secton 8 s a bref concluson. 2. Prelmnares In ths secton, some notatons used n ths paper are descrbed n Secton 2.. We also recall the defntons of the hash functon [2] and Ellptc Curve Dscrete Logarthm Problem (ECDLP) [7] whch we use n the securty proof of Arshad et al. s scheme and our mproved scheme. 2.. Notatons. We use the notatons that are lsted below throughout the rest of the paper. U,S: user and sever ID,PW :denttyandpasswordofu h( ):hashfuncton k U,k S : secret key selected by U and S, : exclusve-or operaton and concatenaton operaton Hash Functon. A secure one-way hash functon h : {0, } {0, } n takes an nput as an arbtrary length bnary strng x {0,} and outputs a bnary strng h(x) {0, } n.theprobabltyofa n fndng collson s defned as AdV A HASH (t )=Pr[A((x, x ), x =x ):h(x)=h(x )] ECDLP. In an ellptc curve cryptosystem, the ellptc curveequatonsdefnedastheformofe p (a, b) : y 2 =x 3 + ax+b(modp) over a fnte feld F p,wherea, b F p and 4a b =0(mod p). Gven ponts P, Q over E p (a, b), theecdlp s to decde m F p such that Q=mP.TheprobabltyofA can solve the ECDLP whch s defned as AdV A ECDLP (t 2)=Pr[A(P, Q) = m:m F p,q=mp]. 3. Revew of Arshad and Nkooghadam s Scheme In ths secton, we wll revew Arshad et al. s authentcaton scheme for SIP. Ther scheme s composed of three phases, whch are regstraton, authentcaton, and password change. 3.. Regstraton () U generates a random number N C, chooses hs password PW,computesV = h(id PW N C ), and sends {ID, V } to S. (2) S computes V = h(id k S ) V andstorestntohs database Authentcaton () U generates a random number d C and computes R C = d C K S,whereK S =k S P s the publc key of S.Then,U sends a message REQUEST(ID,R C ) to S. (2) On recevng the request message, S chooses a random number d S and computes Q S = d S P, Q SC = d S k S R C = d S d C P,andV S = h(id Q S Q SC ). Fnally, S sends the message CHALLENGE(realm, Q S,V S ) to U.

3 Mathematcal Problems n Engneerng 3 (3) After recevng the challenge message, U computes Q CS = d C Q S and valdates whether V S = h(id Q S Q CS ) s equal to the receved V S.Iftstrue,U computes V = h(id PW N C ), V C = h(id Q S realm Q CS V ),andthecommonsessonkey = h(id Q S Q CS realm).fnally,u sends the message RESPONSE(ID,realm,V C ) to S. (4) After recevng the response message, S computes V = V h(id k S )=h(id PW N C ), V C = h(id Q S realm Q CS V ) and compares V C wth the receved V C.Iftscorrect,S agrees on the common sesson key = h(id Q S Q CS realm)wth U Password Change () U selectsanewrandomnumbern C and a new password PW and computes V = h(id PW N C ), z=h(id PW N C ) V, Z=z h(id ), and V z = h(id V V ).Then,U sends the message CHANGEPWD(ID,Z,V z ) to S. (2) After recevng the message, S computes V = V h(id k S ) and V = Z V h(id ) and verfes whether V z = h(id V V ) =V? z.ift holds, S contnues to compute V =V z = h(id k S ) h(id PW N C ) and replaces V wth V. Then, S sends the message ACCEPT(h(ID V accept V ))to U. (3) On recevng the message from S, U computes h(id V accept V )andchecks whether t s equal to the receved ACCEPT message or not. If they are equal, U replaces N C wth N C n hs database. 4. Cryptanalyss of Arshad and Nkooghadam s Scheme In ths secton, we present the Arshad and Nkooghadam s scheme that s vulnerable to key-compromse mpersonaton and trace attacks and does not provde proper mutual authentcaton.thefollowngattacksarebasedontheassumptons that a malcous attacker A has completely montored over the communcaton channel connectng U and S n logn and authentcaton phase. So A can eavesdrop, modfy, nsert, or delete any messages transmtted va publc channel [22 24]. 4.. Key-Compromse Impersonaton Attack. Key-compromse mpersonaton attack means that A knows the long-term secret key of one partcpatng entty and can mpersonate the entty to other partcpatng enttes [25]. In Arshad et al. s scheme, f S s secret key k S s compromsed by A,hecan launch a user mpersonaton attack as per the followng steps. () A compromses S and steals the nformaton {ID,V } kept n S s database. He then generates a random number d C and computes R C = d C k SP. Fnally,he sends the forged message REQUEST(ID,R C ) to S. (2) Once recevng the request message, S generates a random number d S and computes Q S =d S P, Q SC = d S k S P,andV S = h(id Q S Q SC ).Fnally,hesends theforgedmessagechallenge(realm, Q S,V S ) to A whompersonatesasalegaluser. (3) After recevng the challenge message, A frst checks h(id Q S d C Q S) =V? S.Obvously,theequaton holds and A then computes V C = h(id Q S realm d C Q S V h(id k S )), = h(id Q S realm d C Q S) andsendsthemessage RESPONSE(ID,realm,V C ) to S. (4) After recevng the response message, S checks whether h(id Q S realm d C Q S V h(id k S )) s equal to the receved V C.Iftscorrect,S negotates the common sesson key as = h(id Q S realm d C Q S) wth A (Table ). In ths way, S beleves that he has successfully establshed the sesson key wth U whereaststheadversarywhos makng fool of S by mtatng the legal user Trace Attack. In the authentcaton phase of Arshad and Nkooghadam s scheme, the user U sends the request messages contanng the user s dentty ID to S wthout any protecton. Snce the user s dentty ID s sent over an open communcaton channel, A may ntercept the message usng the assumed capablty. Wth the user s dentty ID, A can trace t to know what knd of servces the user accesses and how long the user logns nto the system. Snce S may have the system log recordng what the user dd, the user s prvacy may be leaked. Furthermore, A may trace the user s locaton accordng to the user s IP address. The trace attack serously nvades the user s prvacy and can be utlzed to commt real crmes such as kdnappngs Lack of Proper Mutual Authentcaton () A eavesdrops the message REQUEST(ID,R C ),and then A generates a random number d C and computes R C =d C K S. (2) A sends the forged message (ID,R C ) to S.Obvously, S wll accept A s request because S does not verfy the valdty of the request message from U. Then, S generates a random number d S and computes Q S = d S P, Q SC = d Sk S R C = d SR C, V S = h(id Q S Q SC ).Then,S delvers the message CHALLENGE(realm, Q S,V S ) to A who masquerades as a legal user. (3) After recevng the message from S, A computes Q CS =d C Q S and checks whether V S = h(id Q S Q CS ) s equal to the receved V S.Iftstrue,Acontn- ues to compute V C = h(id Q S realm Q CS V ), = h(id Q S Q CS realm),wherev = h(id PW N C );bothpw and N C are the forged password and random number. Then, A delvers the message RESPONSE(realm, ID,V C ) to S.

4 4 Mathematcal Problems n Engneerng Table : Regstraton and authentcaton phase of Arshad and Nkooghadam s scheme. Regstraton Authentcaton U () Generate N C (3) Compute Compute V = h(id PW N C ). (2) ID, V Secure Channel S V = V h(id k S ). Store ID,V. () Generate d C (3) Generate d S R C = d C K S. Q S = d S P, (2) REQUEST(ID,R C) Q SC = d S k S R C, V S = h(id Q S Q SC ). (4) CHALLENGE(realm, Q S,V S ) (5) Q CS = d C Q S, (7) V = V h(id k S ), h(id Q S Q CS ) =V? S, V = h(id PW N C ), h(id Q S realm Q CS V ) =V? C, V C = h(id Q S realm Q CS V ), = h(id Q S Q CS realm). = h(id Q S Q CS realm). (6) RESPONSE(realm, ID,V C ) (4)UponrecevngthemessagefromA who masquerades as a legal user, S computes V =V h(id k S ), h(id Q S realm Q SC V ) and compares t wth the receved V C. It s obvous that they are not equal, and then S mmedately stops sesson. In ths condton, any one can forge and send the request message to S, whch leads to S thnkng U s a cheater, whereas U s actually an honest user. Ths obvously results n makng great consumpton of computng resources and communcaton resources. 5. Proposed Authentcaton Scheme for SIP In ths secton, we propose a novel mutual authentcaton scheme based on ECC, whch conssts of three phases: regstraton, authentcaton, and password change. 5.. Regstraton () U freely selects hs password PW and hs own secret key k U and generates a random number r.thenu computes PWD = h(pw k U ) and submts {ID, r,pwd}to S through a secure channel. (2) S computes VPW = h(id PWD r ) h(k S ) and stores VPW n hs database, where k S s S s secret key Authentcaton () U generates a random number r 2 and computes T= h(id PWD r ), R=r 2 P, M =Tr 2 P, AID = ID T,andM 2 = h(id R).Then,U sends the message REQUEST(M,AID,M 2 ) to S. (2) On recept of the request message from U, S derves T from VPW by computng VPW h(k S ) and then he computes ID =AID T and R =T M and checks whether M 2 = h(id R ) =M? 2 holds or not. If t does not hold, S rejects the request. Otherwse, S generates a random number r 3 and computes H= r 3 P, M 3 = ID H, S = r 3 P,andAuth S = h( S T R).Fnally,S sends the message CHALLENGE(realm, M 3,Auth S ) to U. (3)UponrecevngthechallengemessagefromS, U retreves H by computng M 3 ID and then he computes U =r 2 H and verfes whether Auth S = h( U T R) s equal to the receved Auth S.If t s not correct, U stops the sesson. Otherwse, U computes Auth U = h( U T H)and then sends the message RESPONSE(realm, Auth U ) to S. (4) When recevng the response message from U, S checks f Auth U = h( S T H) =Auth? U.Ifso, the sesson key shared between U and S s set as = U = S (Table 2) Password Change. In ths subsecton, U can change hs passwordanytmewhenhewants.u choosesanewpassword PW new,anewsecretkeyk new U, and a new random number r new. Then the followng process wll be performed by U and S. () U submts the message h(h(id r h(pw r ) )) and h(id r new h(pw new r new )) to S. (2) S computes h(h(vpw h(k S )) ) and checks whethertsequaltotherecevedh(h(id r h(pw r ) )).Iftscorrect,S computes VPW new = h(id r new h(pw new r new )) h(k S ) and then replaces VPW wth VPW new.

5 Mathematcal Problems n Engneerng 5 Table 2: Regstraton and authentcaton phase of our scheme. Regstraton Authentcaton U () Generate r (3) Compute PWD = h(pw U k U ). T = h(id r PWD), (2) ID,r,PWD Secure Channel S VPW = T h(k S ). Store VPW. () Generate r 2 (2) Compute T = h(id r PWD), T = VPW h(k S ), R = r 2 P, ID = AID T, M = T r 2 P, R = T M, AID = ID T, REQUEST(M,AID,M 2 ) h(r ID ) =M? 2, M 2 = h(r ID ). Generate r 3 H = r 3 P, (3) H = M 3 ID, M 3 = ID H, U = r 2 H, CHALLENGE(realm, M 3,Auth S ) S = r 3 R, h( U T R? = Auth S, Auth U = h( U T H). RESPONSE(realm, Auth U ) Auth S = h( S T R). (4) h( S T H)= Auth U = U = S 6. Analyss Securty In ths secton, we frst adopt Burrows-Abad-Needham (BAN) logc [26] to demonstrate that the proposed scheme s workng correctly by achevng the authentcaton goals. Then, we conduct a securty analyss of the enhanced scheme through both the nformal and formal analyses. BAN Logc Notatons A X: A beleves a statement X K U S:shareakeyKbetween U and S #X: X s fresh A X: A sees X A X: A sad X {X, Y} K : X and Y are encrypted wth the key K (X, Y) K : X and Y arehashedwththekeyk X K : X s xor-ed wth the key K. () BAN logcal postulates the followng. (a) Message-meanng rule (A A K B,A {X} K )/(A B X):fAbeleves that the key K s shared by A and B and sees X encrypted wth K,thenAbeleves that B once sad X. (b) Nonce-verfcaton rule (A #X, A B X)/(A B X): fa beleves that X could have been uttered only recently and that B once sad X,thenAbeleves that B beleves X. (c) The belef rule (A X, A Y)/(A (X, Y)): f A beleves X and Y,thenAbeleves (X, Y). (d) Fresh conjuncatenaton rule (A #X)/(A #(X, Y)):fAbeleves freshness of X, B beleves freshness of (X, Y). (e) Jursdcton rule (A B X,A B X)/(A X): fa beleves that B has jursdcton over X and A beleves B on the truth of X, then A beleves X. 6.. Verfyng Authentcaton Scheme wth BAN Logc. BAN logc [26] s a set of rules for defnng and analyzng nformaton exchange schemes. It helps ts users determne whether exchanged nformaton s trustworthy, secured aganst eavesdroppng, or both. It has been hghly successful n analyzng the securty of authentcaton schemes [27, 28]. In ths subsecton, we prove that a sesson key between communcatng partes can be correctly generated wthn authentcatonprocessusngbanlogc.frst,wentroduce some notatons and logcal postulates of BAN logc that we wll use n our scheme. (2) Idealzed scheme: U : R, ID T U,(ID T S U ) R, (U S H), T U S S: (U S,R), ID T U H. S (3) Establshment of securty goals: (g ) S U U S, S,

6 6 Mathematcal Problems n Engneerng (g 2 ) S U S, (g 3 ) U S U S, (g 4 ) U U S. (4) Intatve premses: (p ) U #r, (p 2 ) U #r 2, (p 3 ) S #r 3, T (p 4 ) U U S, T (p 5 ) S U S, (p 6 ) U S (U S), (p 7 ) S U (U S). (5) Scheme analyss: consder the followng. (a )Sncep 4 and U (U S,R) T, we apply U S the message-meanng rule to obtan U S (U S,R). (a 2 )Sncep 2 and a, we apply the fresh conjuncatenaton rule and nonce-verfcaton rule to obtan U S (U S,R). (g )Sncea 2,weapplythebelefruletoobtanU S U S. (g 2 )Sncep 6 and g, we apply the jursdcton rule to obtan U U S. (a 3 )Sncep 5 and S (U S,H) T, we apply U S the message-meanng rule to obtan S U (U S,H). (a 4 )Sncep 3 and a 3, we apply the fresh conjuncatenaton rule and nonce-verfcaton rule to obtan S U (U S,H). (g 3 )Sncea 4,weapplythebelefruletoobtanS U U S. (g 4 )Snceg 3 and p 7, we apply the jursdcton rule to obtan S U S. By analyzng the securty of our scheme wth BAN logc, the results demonstrate that the proposed scheme can effectvely acheve the securty goal of the mutual authentcaton of U and S Informal Securty Analyss. In ths subsecton, we wll examne whether the enhanced scheme s safe and consder ts ablty to resst varous known attacks. The followng attacks are also based on the assumptons that a malcous adversary A has total control over the communcaton channel connectng U and S n authentcaton phase. So A can ntercept, nsert, delete, or modfy any messages transmtted va publc channel [22 24] User s Anonymous and Untraceable. Suppose A eavesdrops the request messages REQUEST(M,AID,M 2 ),the challenge message CHALLENGE(realm, M 3,Auth S ), and theresponsemessageresponse(realm, Auth U ) from the publc channel. To obtan ID from these values by means of guessng and verfyng, A must have the knowledge of {{PW,r,k U }, {r 3 }, {r 2 }}. DuetoU and S compute dfferent M and M 3 wth a new random number (r,r 2 ) and r 3 for each sesson, and A snotabletotracewhocommuncates wth S by montorng the channel. Ths shows the proposed scheme provdes the attrbute of anonymous Insder Attack. In our scheme, t s computatonally mpossble to derve the password PW from the PWD = h(pw k U ) because of the dffcultes of hash functon wth the secret key k U of U. Therefore, the proposed scheme can wthstand the nsder attack Perfect Forward Secrecy. If U s password PW,thesecret key k U,andS s secret key k S are all compromsed, ths does not allow A to determne the sesson key for the past sesson. A cannot compute r r 2 P from M and M 3 because of secure one-way hash functon and ECDLP Mutual Authentcaton. In our scheme, S and U can authentcate each other by checkng M 2, Auth U,andAuth S, separately. Therefore, our scheme can provde mutual authentcaton Key-Compromse Impersonaton Attack. Assume that A ntercepts the request, the challenge, and the response messages. Supposng the secret key k U of U s compromsed by A, hecannotgothroughtheverfcatonprocessofu as the random number r s not known. On the other hand, supposng the secret key k S of S s compromsed by A, he cannot mpersonate U to cheat S. SnceA cannot know the values of the dentty ID and r of U,hecannotcompute the correct value T and hence cannot be authentcated by S. Therefore, the proposed scheme can wthstand the keycompromse mpersonaton attack Replay Attack. Assumng that A eavesdrops REQUEST(M,AID,M 2 ) and replays t to mpersonate? U, S then verfes the condton M 2 = h(r2 P ID ).The message verfcaton does not hold, so try to guess r 2 from R s the ECDLP and r 2 s dfferent n each authentcaton message. On the other hand, suppose A eavesdrops CHALLENGE(realm, M 3,Auth S ) and replays t to mpersonate S. The repled message cannot pass the verfcaton process Auth S = h( S h(id PWD r ) r 2 P), snce both r and r 2 are new random numbers chosen by U n each sesson, and A has no control of t. Therefore, A has no opportunty to successfully replay used messages Offlne Password Guessng Attack. Even f A nterceptsall the exchanged messages (M,M 2,AID,M 3,Auth U,Auth S ) by passve attack, he cannot guess the correct password of U.

7 Mathematcal Problems n Engneerng 7 () Eavesdrop request message REQUEST(M,AID,M 2 ) (2) Call the reveal oracle 2. Let (T,r 2 ) ReVeal2(M ) (3) Call the reveal oracle. Let (ID,PW,r ) ReVeal(T ) (4) Eavesdrop challenge message CHALLENGE(realm, M 3, Auth S ) (5) Call the reveal oracle. Let (,T,R ) ReVeal(Auth S ) (6) Call the reveal oracle 2. Let (r 2 ) ReVeal2(R ) (7) f (r 2 = r 2 ) then (8) Accept the derved ID, PW,and as the correct ID and PW of the user U (9) and the sesson key between U and S,respectvely (0) return (success) () else (2) return 0(falure) (3) end f Algorthm : Algorthm EXP REASSIP,A HASH,ECDLP. Snce A cannot know the values of the user s dentty ID,the secret key k U,andtherandomnumberr,hecannotcompute the value T=h(ID r h(pw k U )) to verfy the guessed password PW through the recorded messages. Therefore, our scheme can resst the offlne password guessng attack Known Sesson Key Securty. Because of the randomness and ndependence of the generatons of r and r 3 n all the sessons, the sesson key = r r 3 P of each sesson s ndependent of that of any other sessons. Therefore, the proposed scheme can ensure known sesson key securty. 6.. Formal Securty Analyss of the Proposed Scheme. In ths subsecton, we provde the formal securty analyss of our scheme and show that our scheme s secure. We frst defne the followng oracles. Reveal. Ths random oracle wll uncondtonally output the nput x from the gven hash value y=h(x). Reveal 2. Ths random oracle wll uncondtonally output m from gven ponts P and Q=mPn an ellptc curve E p (a, b). Theorem. Under the ECDLP assumpton, our scheme s secure aganst an adversary A for dervng the dentty ID and password PW of a legal user U and the sesson key between U and S f the hash functon h( ) closely behaves lke a random oracle. Proof. The formal securty proof of our scheme s smlar to that as n [29 3]. A runs the expermental algorthm showed n Algorthm, EXP REASSIP,A HASH,ECDLP for our robust, and effcent authentcaton scheme for sesson ntaton protocol; say REASSIP. Defne the success probablty for EXP REASSIP,A HASH,ECDLP as Succ REASSIP,A HASH,ECDLP = 2Pr[EXPREASSIP,A HASH,ECDLP = ] and the advantage functon for ths experment then becomes AdV REASSIP,A HASH,ECDLP (t, q R,q R2 ) = max A Succ REASSIP HASH,ECDLP,where the maxmum s taken over all A wth executon tme t, and the number of queres q R,q R2 made to the Reveal and Reveal 2 oracles, respectvely. If A has the ablty to solvethehashfunctonandtheecdlp,thenhecandrectly derve U s dentty ID,passwordPW,andthesessonkey between U and S. Inthscase,A wll dscover the complete connectons between U and S. However,tsa computatonally nfeasble problem to nvert the nput from agvenhashvalueandoutputm from gven ponts P, Q;that s, AdV A HASH (t ) ε, AdV A ECDLP (t 2) ε, ε > 0. Hence, we have AdV REASSIP,A HASH,ECDLP (t, q R,q R2 ) ε, as t s dependent on AdV A HASH (t ) and AdV A ECDLP (t 2). Therefore, our scheme s probably secure aganst A for dervng ID, PW,and. 7. Securty Propertes and Performance Comparson In ths secton, we show that our proposed scheme satsfes many securty attrbutes and has lower computaton cost. Securty propertes and performance cost comparsons between our scheme and the other related schemes n [3 20] are gven n Table 3 and Fgure,respectvely. Table 3 shows that our scheme s more secure than Arshad et al. s scheme and other related schemes and acheves more functonalty features. In performance comparson, we manly focus on computatons of the authentcaton phase, snce t s the man body of an authentcaton scheme, andtheregstratonphaseonlyperformsonetmebefore authentcaton. Let PA, PM, INV, SE, M, and H be the tme for performng an ellptc curve pont addton, an ellptc curve pont multplcaton, a modular nverson, a symmetrc key encrypton or decrypton, a modular multplcaton, and a hash functon. Snce xor operatons requre very lttle computatons, we omtted t. From Fgure we can see that ourschemehassmlarorbettereffcencyncomparson wth other related ECC-based authentcaton schemes. 8. Concluson We have analyzed the securty of a recently proposed Arshad et al. s SIP authentcaton scheme. We have ponted out that

8 8 Mathematcal Problems n Engneerng Ours Arshad and Ikram [3] Yoon et al. [4] Table 3: Comparson of securty attrbutes. Xe [5] Farash and Attar [6] Zhang et al. [7] Tu et al. [8] Irshad et al. [9] Arshad and Nkooghadam [20] T Yes No No No No No No No T 2 Yes Yes Yes Yes Yes Yes Yes Yes No T 3 Yes Yes Yes Yes Yes Yes Yes Yes T 4 Yes Yes Yes Yes Yes Yes T 5 Yes No No No No No Yes Yes Yes T 6 Yes Yes Yes Yes Yes Yes Yes Yes Yes T 7 Yes T 8 Yes No No No Yes Yes Yes Yes Yes T :provdnganonymtyanduntraceable;t 2 : provdng mutual authentcaton; T 3 : provdng perfect forward secrecy; T 4 : known sesson key securty; T 5 : resst nsder attack; T 6 : resst replay attack; T 7 : resst key-compromse mpersonaton attack; T 8 : resst offlne password guessng attack Ours Arshad and Ikram [3] Yoon et al. [4] Number of H Number of PM Number of PA Xe [5] Farash and Attar [6] Zhang et al. [7] Tu et al. [8] Number of INV Number of M Number of SM Irshad et al. [9] Fgure : Comparson of computatonal cost. Arshad and Nkooghadam [20] an adversary can successfully launch the trace and keycompromse mpersonaton attacks on Arshad et al. s scheme. We also have shown that Arshad et al. s scheme does not acheve proper mutual authentcaton. The cryptanalyss of Arshad and Nkooghadam s scheme thus shows that the securty of ther scheme s compromsed. In order to elmnate the securty ptfalls found n Arshad et al. s scheme, we have then presented a robust and effcent ECC based authentcaton scheme for SIP. Our scheme s mmune to the trace, key-compromse mpersonaton, and nsder attacks whch Arshad and Nkooghadam s scheme fals to satsfy. Meanwhle, our scheme can wthstand the replay, offlne password guessng, and nsder attacks. In addton, our scheme acheves the known sesson key securty and perfect forward secrecy. We present a cryptanalyss of our scheme through both nformal and formal securty analyses. Besdes, our scheme s computatonally effcent as compared to other related ECC based SIP authentcaton schemes. Consderng the securty and effcency provded by our scheme, we conclude that our scheme s more approprate for practcal applcatons n comparson wth other related schemes. Conflct of Interests The authors declare that there s no conflct of nterests regardng the publcaton of ths paper. Acknowledgments The authors are grateful to the anonymous referees for ther valuable comments and suggestons to mprove the presentaton of ths paper. Ths paper s supported by the Natonal Natural Scence Foundaton of Chna (Grant nos and 6206), the Bejng Hgher Educaton Young Elte Teacher Project (Grant no. YETP0449), the Asa Foresght Program under NSFC Grant (Grant no ), and the Bejng Natural Scence Foundaton (Grant no ). References [] C. Shen, E. Nahum, H. Schulzrnne, and C. P. Wrght, The mpact of TLS on SIP server performance: measurement and modelng, IEEE/ACM Transactons on Networkng,vol.20,no. 4, pp , 202. [2]S.Salsano,L.Veltr,andD.Papallo, SIPsecurtyssues:the SIP authentcaton procedure and ts processng load, IEEE Network,vol.6,no.6,pp.38 44,2002. [3] C.-C.Yang,R.-C.Wang,andW.-T.Lu, Secureauthentcaton scheme for sesson ntaton protocol, Computers and Securty, vol.24,no.5,pp ,2005. [4] H. Huang, W. We, and G. E. Brown, A new effcent authentcaton scheme for sesson ntaton protocol, n Proceedngs of the 9th Jont Conference on Informaton Scences,2006. [5] H. Jo, Y. Lee, M. Km, S. Km, and D. Won, Off-lne passwordguessng attack to Yang s and Huang s authentcaton schemes for sesson ntaton protocol, n Proceedngs of the 5th Internatonal Jont Conference on INC, IMS and IDC (NCM 09),pp , August [6] A. Durlank and I. Sogukpnar, SIP authentcaton scheme usng ECDH, World Enformatka Socty Transactons on Engneerng Computng and Technology,vol.8,pp ,2005. [7] N. Kobltz, Ellptc curve cryptosystems, Mathematcs of Computaton,vol.48,no.77,pp ,987.

9 Mathematcal Problems n Engneerng 9 [8] Y.-P. Lao and S.-S. Wang, A new secure password authentcated key agreement scheme for SIP usng self-certfed publc keys on ellptc curves, Computer Communcatons, vol. 33, no. 3, pp , 200. [9] L. Wu, Y. Zhang, and F. Wang, A new provably secure authentcaton and key agreement protocol for SIP usng ECC, Computer Standards and Interfaces,vol.3,no.2,pp ,2009. [0] E.-J. Yoon, K.-Y. Yoo, C. Km, Y.-S. Hong, M. Jo, and H.-H. Chen, A secure and effcent SIP authentcaton scheme for converged VoIP networks, Computer Communcatons, vol. 33, no. 4, pp , 200. [] Q. Pu, Weaknesses of SIP authentcaton scheme for converged VoIP networks, IACR Cryptology eprnt Archve 464, 200, [2] J. L. Tsa, Effcent nonce-based authentcaton scheme for sesson ntaton protocol, Internatonal Network Securty,vol.8,no.3,pp.32 36,2009. [3] R. Arshad and N. Ikram, Ellptc curve cryptography based mutual authentcaton scheme for sesson ntaton protocol, Multmeda Tools and Applcatons, vol.66,no.2,pp.65 78, 203. [4] E.-J. Yoon, Y.-N. Shn, I.-S. Jeon, and K.-Y. Yoo, Robust mutual authentcaton wth a key agreement scheme for the sesson ntaton protocol, IETE Techncal Revew, vol. 27, no. 3, pp , 200. [5] Q. Xe, A new authentcated key agreement for sesson ntaton protocol, Internatonal Communcaton Systems, vol.25,no.,pp.47 54,202. [6] M. S. Farash and M. A. Attar, An enhanced authentcated key agreement for sesson ntaton protocol, Informaton Technology and Control,vol.42,no.4,pp ,203. [7] L. Zhang, S. Tang, and Z. Ca, Effcent and flexble password authentcated key agreement for Voce over Internet Protocol Sesson Intaton Protocol usng smart card, Internatonal Communcaton Systems,vol.27,no.,pp , 204. [8]H.Tu,N.Kumar,N.Chlamkurt,andS.Rho, Anmproved authentcaton protocol for sesson ntaton protocol usng smart card, Peer-to-Peer Networkng and Applcatons, 204. [9] A.Irshad,M.Sher,S.A.Ch,M.U.Hassan,andA.Ghan, A sngle round-trp SIP authentcaton scheme for Voce over Internet Protocol usng smart card, Multmeda Tools and Applcatons,203. [20] H. Arshad and M. Nkooghadam, An effcent and secure authentcaton and key agreement scheme for sesson ntaton protocol usng ECC, Multmeda Tools and Applcatons, 204. [2] P. Sarka, A smple and generc constructon of authentcated encrypton wth assocated data, ACM Transactons on Informaton and System Securty,vol.3,no.4,artcle33,200. [22] L. Lamport, Password authentcaton wth nsecure communcaton, Communcatons of the ACM, vol. 24, no., pp , 98. [23] T. Esenbarth, T. Kasper, A. Morad, C. Paar, M. Salmaszadeh, and M. T. Shalman, On the power of power analyss n the real world: a complete break of the KeeLoq code hoppng scheme, n Advances n Cryptology CRYPTO 2008, vol.557 of Lecture Notes n Computer Scence, pp , Sprnger, Berln, Germany, [24] W.-H. Yang and S.-P. Sheh, Password authentcaton schemes wth smart cards, Computers and Securty, vol. 8, no. 8, pp , 999. [25] M. Hölbl,T.Welzer,andB.Brumen, Anmprovedtwo-party dentty-based authentcated key agreement protocol usng parngs, Computer and System Scences, vol.78,no.,pp.42 50,202. [26] M. Burrows, M. Abad, and R. Needham, Logc of authentcaton, ACM Transactons on Computer Systems,vol.8,no.,pp. 8 36, 990. [27] J.L.Tsa,N.W.Lo,andT.C.Wu, Novelanonymousauthentcaton scheme usng smart cards, IEEE Transactons on Industral Informatcs,vol.9,no.4,pp ,203. [28]D.Zhao,H.Peng,L.L,andY.Yang, Asecureandeffectve anonymous authentcaton scheme for roamng servce n global moblty networks, Wreless Personal Communcatons, vol. 78, no., pp , 203. [29] V. Odelu, A. K. Das, and A. Goswam, A secure effectve key management scheme for dynamc access control n a large leaf class herarchy, Informaton Scences, vol. 269, pp , 204. [30] S. Chatterjee, A. K. Das, and J. K. Sng, An enhanced access control scheme n wreless sensor networks, Ad-Hoc and Sensor Wreless Networks,vol.2,no.-2,pp.2 49,204. [3] A. K. Das and A. Goswam, A secure and effcent unquenessand-anonymty-preservng remote user authentcaton scheme for connected health care, Medcal Systems, vol. 37, no.3,artcle9948,203.

10 Advances n Operatons Research Advances n Decson Scences Appled Mathematcs Algebra Probablty and Statstcs The Scentfc World Journal Internatonal Dfferental Equatons Submt your manuscrpts at Internatonal Advances n Combnatorcs Mathematcal Physcs Complex Analyss Internatonal Mathematcs and Mathematcal Scences Mathematcal Problems n Engneerng Mathematcs Dscrete Mathematcs Dscrete Dynamcs n Nature and Socety Functon Spaces Abstract and Appled Analyss Internatonal Stochastc Analyss Optmzaton