Next Article in Journal / Special Issue
A Block-Based Division Reversible Data Hiding Method in Encrypted Images
Previous Article in Journal
Complexity Phenomena Induced by Novel Symmetry and Symmetry-Breakings with Antiscreening at Cosmological Scales—A Tutorial
Previous Article in Special Issue
Face Liveness Detection Based on Skin Blood Flow Analysis
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

A Secure Mobility Network Authentication Scheme Ensuring User Anonymity

1
Department of Computer Science and Information Engineering, National Taichung University of Science and Technology, Taichung 40401, Taiwan
2
Department of Information Communications, Chinese Culture University, Shilin, Taipei 11114, Taiwan
*
Author to whom correspondence should be addressed.
Symmetry 2017, 9(12), 307; https://doi.org/10.3390/sym9120307
Submission received: 26 October 2017 / Revised: 24 November 2017 / Accepted: 4 December 2017 / Published: 8 December 2017
(This article belongs to the Special Issue Information Technology and Its Applications)

Abstract

:
With the rapid growth of network technologies, users are used to accessing various services with their mobile devices. To ensure security and privacy in mobility networks, proper mechanisms to authenticate the mobile user are essential. In this paper, a mobility network authentication scheme based on elliptic curve cryptography is proposed. In the proposed scheme, a mobile user can be authenticated without revealing who he is for user anonymity, and a session key is also negotiated to protect the following communications. The proposed mobility network authentication scheme is analyzed to show that it can ensure security, user anonymity, and convenience. Moreover, Burrows-Abadi-Needham logic (BAN logic) is used to deduce the completeness of the proposed authentication scheme.

1. Introduction

With the rapid growth of network technologies, users are used to accessing various services with their mobile devices. As a result, mobile devices and mobility networks play an important role in people’s daily lives. There are three entities in mobility networks; mobile user, home agent and foreign agent. Before being able to access mobile services, a mobile user needs to register with the home agent. After successful registration, the mobile user with a mobile device can access mobile services. These mobile services are provided by the home agent directly or a foreign agent. If the requested mobile service is provided by a foreign agent, the registered mobile user needs the home agent’s help to have himself/herself authenticated by the foreign agent. An illustration of mobility networks is shown in Figure 1, where a mobile user with a mobile device can be regarded as a mobile node. Plenty of mobility network applications are proposed and utilized because they provide great convenience.
Although mobility networks bring people great convenience and advantages, security threats exist. First, the transmission medium is a public but insecure channel such that an attacker can easily eavesdrop or intercept the transmitted data. Second, when a mobile user enters a service domain dominated by a new foreign agent, the mobile user has to access services via the new foreign agent. In this condition, two issues raise: (1) how the mobile user determines whether the foreign agent is legal; and (2) how the foreign agent determines whether the mobile user is legal. That is, the mobile user and the foreign agent have to authenticate each other. Unfortunately, in the beginning, no secret is shared between them. Third, because the mobile user is a visitor, the foreign agent serves the mobile user when he continuously stays. The mobile user may continuously stay, but the mobile user may not request mobile services continuously. This denotes that the mobile user and the foreign agent do not always communicate with each other. In such a condition, it is a challenge for the mobile user and the foreign agent to ensure each other’s legality after they have already authenticated each other. Forth, a mobile user may roam. Because the transmission medium is public, anyone can eavesdrop. If an attacker wants to trace a mobile user, he can eavesdrop and use the intercepted messages to obtain required information.
To ensure security of mobility networks, many authentication protocols are proposed [1,2,3,4,5,6,7,8,9,10]. In 2004, Zhu and Ma proposed an authentication scheme with anonymity for wireless environments based on the hash function and smart cards [5]. Later, Lee et al. [6] analyzed Zhu and Ma’s scheme and found that Zhu and Ma’s scheme does not provide mutual authentication and cannot resist forgery attack. In 2006, Lee et al. [7] proposed an enhancement to improve Zhu and Ma’s authentication scheme for wireless networks. In 2009, Chang et al. [8] analyzed Lee et al.’s scheme [7] and pointed out that Lee et al.’s scheme still suffers from forgery attack and also proposed an improvement.
In 2014, Kuo et al. [9] showed that Chang et al.’s scheme cannot ensure anonymity for mobile users and proposed an improvement. Kuo et al. claimed that their scheme could ensure efficiency and security in mobility networks and provide anonymity for mobile users. In 2015, Lu et al. [10] showed that Kuo et al.’s scheme suffers from three drawbacks, vulnerability to insider attack, unfriendly password changes, and no local validation. They also proposed an authentication scheme to remedy these drawbacks. Later, Chang et al. [11] found that Kuo et al.’s scheme [9] is vulnerable to the other two weaknesses in 2016. First, Kuo et al.’s scheme cannot resist man-in-the-middle attacks when a mobile user and a foreign agent negotiate the session key. Via this security flaw, an attacker can impersonate a mobile user and negotiate the session key with the foreign agent. Second, Kuo et al.’s scheme cannot resist the synchronization problem. An attacker only needs to modify the transmitted data in password change phase such that a legal mobile user is unable to be authenticated by the home agent anymore. Lu et al. [10] claimed that their scheme could defend against replay attack and provide mobile user anonymity.
After thoroughly analyzing Lu et al.’s scheme, Chang et al. found that it possesses three drawbacks [12]. First, Lu et al.’s scheme is vulnerable to replay attack in authentication with key agreement phase. An attacker only needs to eavesdrop and resend the intercepted message with a new timestamp to cheat the foreign agent and the home agent. Second, user anonymity is not ensured as claimed because some transmitted parameters are fixed. Third, a random number chosen by the mobile user in registration phase is not stored in his/her smart card. As a result, the mobile user’s smart card cannot compute one essential parameter to have himself/herself authenticated by the home agent in authentication with key agreement phase.
In addition to mobility networks, privacy is also an important topic in different types of networks. To ensure privacy and security in different types of networks, related security mechanisms are proposed [13,14,15,16,17,18]. After analyzing the previous authentication schemes, the weaknesses that they suffer from and the security mechanisms of other networks, we propose a mobility network authentication scheme by considering the following four properties to ensure security and convenience.
Property 1: user anonymity
User anonymity needs to be ensured to prevent an unauthorized party from tracing a specific user. It denotes that only the authorized parties can know who the user is.
Property 2: resistance to common attacks
The proposed authentication scheme should be able to resist common attacks to ensure security.
Property 3: local password change
A mobile user should be able to change his/her password locally and at will without accessing the home agent to make the authentication scheme more convenient and user-friendly.
Property 4: mutual authentication between any two of a mobile user, a foreign agent and the home agent
In a mobility network authentication scheme, any two of a mobile user, a foreign agent and the home agent have to authenticate each other mutually to make sure that the other communication parties are legal.
The rest of this paper is organized as follows. The proposed scheme is shown in Section 2. The corresponding analysis is given in Section 3. Further discussions including comparisons and authentication proof using Burrows-Abadi-Needham logic (BAN logic) [19] are made in Section 4. Finally, some conclusions are given in Section 5.

2. The Proposed Secure Mobility Network Authentication Scheme Ensuring User Anonymity

In this section, we propose a user anonymity-ensured mobility network authentication scheme for mobility networks based on elliptic curve cryptography. Our scheme is composed of five phases: registration phase, login phase, authentication and establishment of the session key phase, update session key phase, and password change phase. A mobile user has to register with the home agent before accessing mobile services. In the registration phase, a mobile user registers with the home agent, the home agent stores parameters in a smart card, and the home agent issues it to the user. The mobile user and the home agent communicate via a secure channel. And the home agent stores parameters in a smart card securely because the smart card only can be accessed and modified by privilege users or administrators. In the login phase, a mobile user inserts his smart card into his terminal device. This denotes that the mobile user and the smart card can exchange required data via the terminal device. The terminal device possesses computational capacities and has a user interface to show the authentication progress or the response. The terminal device will execute computational operations on behalf of the mobile user. The terminal device should be personal or protected with proper security mechanisms such as firewalls. For simplicity, the communications between the mobile user and the smart card will be omitted, and the operations executed by either the user or the terminal device will be denoted by the user. In both the authentication and establishment of the session key phase and the update session key phase, data is transmitted via public channels. Notations used in our mobility network authentication scheme are listed in Table 1. The details are as follows.

2.1. Registration Phase

In this phase, if MU wants to access the roaming service, he/she must register with HA at first. Registration phase is depicted in Figure 2, and the details are as follows:
Step 1:
MU selects his/her password pMU and identifier IDMU.
Step 2:
MU sends IDMU and pMU to HA via a secure channel.
Step 3:
After HA receives {IDMU, pMU} from MU, HA checks if IDMU does not exist. If it does hold, HA generates a random nonce RMU and the secret key pHA-MU for MU.
Step 4:
HA computes PWMU = h(IDMU || pMU), U = h(pHA-MU || RMU), W = PWMURMU, V = RMUpHA-MU and L = h(IDMU || RMU || PWMU).
Step 5:
HA stores {IDHA, L, W, V, h(·)} into a smart card and issues it to MU via a secure channel.
Step 6:
HA stores {U, RMU, pHA-MU} into HA’s database for MU.

2.2. Login Phase

After registering with HA, MU can login with the smart card issued in registration phase to access the roaming service. Login phase is depicted in Figure 3, and the details are as follows:
Step 1:
MU inserts his/her smart card into his/her terminal device and enters IDMU and pMU.
Step 2:
The smart card computes PWMU = h(IDMU || pMU), RMU = WPWMU, and L′ = h(IDMU || RMU || PWMU).
Step 3:
The smart card checks if L′ is equal to L. If it does not hold, the smart card aborts the process and accumulates the number of times for L′ is not equal to L. If the entered IDMU and pMU make L′ and L differ from each other three consecutive times, the smart card will be locked automatically. Note that the counter will be reset to zero when the entered IDMU and pMU have L′ equal L.

2.3. Authentication and Establishment of the Session Key Phase

After the login phase, the authentication and establishment of the session key phase is executed. In this phase, MU can be authenticated anonymously and negotiate a session key with FA while roaming. In the proposed scheme, HA and FA share a secret key pFA-HA in advance, where different FA’s possess different pFA-HA’s. The authentication and establishment of the session key phase is depicted in Figure 4, and the details are as follows:
Step 1:
The smart card generates a new random nonce R M U n e w and selects a random number b0.
Step 2:
The smart card computes b0P, RMU = PWMUW, pHA-MU = RMUV, S1 = h(pHA-MU || RMU), S2 = RMU R M U n e w , and S3 = h(RMUh(pHA-MU || R M U n e w ) || b0P.x).
Step 3:
MU sends {IDHA, S1, S2, S3, b0P} to FA and stores {b0, R M U n e w }.
Step 4:
After FA receives {IDHA, S1, S2, S3, b0P}, FA selects a new random number a0 and computes a0P and S F A 1 = h(a0P.x || b0P.x || pFA-HA).
Step 5:
FA stores the information {IDHA, b0P, a0, a0P} and sends {IDFA, S1, S2, S3, a0P, b0P, S F A 1 } to HA.
Step 6:
When HA receives {IDFA, S1, S2, S3, a0P, b0P, S F A 1 }, HA uses S1 to get the corresponding data {RMU, pHA-MU} from its database because the matched {RMU, pHA-MU} makes S1 = h(pHA-MU || RMU). Then HA computes R M U n e w = S2RMU, S′3 = h(RMUh(pHA-MU || R M U n e w ) || b0P.x), and S F A 1 = h(a0P.x || b0P.x || pFA-HA).
Step 7:
HA checks if S′3 = S3 and S F A 1 = S F A 1 . If they both hold, HA selects a new random number c0 and computes c0P and S4 = h(c0b0P.x || a0P.x || IDFA || IDHA || RMU || R M U n e w ); otherwise, HA aborts this authentication request and terminates this phase. After that, HA updates U and RMU stored in its database to h(pHA-MU || R M U n e w ) and R M U n e w , respectively. Note that the original U = S1 and the original RMU are also stored in HA’s database to resist the synchronization problem. That is, the original U instead of the updated one will be searched to find the corresponding data {the original RMU, pHA-MU} when only HA’s data is updated.
Step 8:
HA computes S F A 2 = h(c0a0P.x || b0P.x || pFA-HA) and sends {IDHA, c0P, S4, S F A 2 } to FA.
Step 9:
After receiving {IDHA, c0P, S4, S F A 2 } from HA, FA checks if IDHA exists in its database. If it does exist, FA computes S F A 2 = h(a0c0P.x || b0P.x || pFA-HA) and checks if S F A 2 = S F A 2 . If it does hold, FA computes K M F 0 = h(a0b0P.x) and C M F 0 = h(h( K M F 0 || b0P.x)); otherwise, FA terminates this phase directly.
Step 10:
FA sends {IDFA, S4, a0P, c0P, C M F 0 } to MU.
Step 11:
When MU receives {IDFA, S4, a0P, c0P, C M F 0 }, MU computes S′4 = h(b0c0P.x || a0P.x || IDFA || IDHA || RMU || R M U n e w ) and checks whether S4 is equal to S′4. If it does not hold, MU terminates this phase directly; otherwise, MU computes the session key K M F 0 = h(b0a0P.x), C M F 0 = h( K M F 0 || b0P.x), and C M F 0 = h( C M F 0 ), and checks if C M F 0 = C M F 0 . If it does not hold, MU terminates this phase directly; otherwise, MU computes B M F 0 = h(c0P.x || K M F 0 ), updates W to Wnew = PWMU R M U n e w and V to Vnew = R M U n e w pHA-MU and stores C M F 0 , a0P, b0P, and the session key K M F 0 .
Step 12:
MU sends { B M F 0 } to FA.
Step 13:
After obtaining { B M F 0 }, FA computes B M F 0 = h(c0P.x || K M F 0 ) and checks if B M F 0 = B M F 0 . If it does not hold, FA terminates this phase directly; otherwise, FA stores { C M F 0 , a0P, b0P, K M F 0 } into its database.
After the above, FA and MU share the session key K M F 0 . Thereupon, the communication between FA and MU can be protected by K M F 0 .

2.4. Update Session Key Phase

After being authenticated by HA via FA, MU can update the session key shared with FA for some security issues while staying in the same FA continuously. For generality, assume that MU has stayed in the same FA and updated the session i times. Thus, the secret key shared between FA and MU is K M F i = h(aibiP.x) = h(biaiP.x) while FA and MU store { C M F i , aiP, biP, K M F i } and { C M F i , aiP, biP, K M F i }, respectively. Update session key phase is depicted in Figure 5, and the details are as follows:
Step 1:
MU selects a new random number bi+1 and computes bi+1P and h1 = h(biP.x || bi+1P.x || K M F i ).
Step 2:
MU sends {bi+1P, C M F i , h1} to FA.
Step 3:
After receiving {bi+1P, C M F i , h1}, FA checks if h ( C M F i ) exists in its database, where h ( C M F i ) = C M F i . If it does not exist, FA terminates this phase; otherwise, FA extracts { C M F i , aiP, biP, K M F i } from its database.
Step 4:
FA computes h′1 = h(biP.x || bi+1P.x || K M F i ) and checks if h′1 is equal to h1. If it does not hold, FA terminates this phase; otherwise, FA selects a new random number ai+1 and computes ai+1P, K M F i + 1 = h(ai+1bi+1P.x), C M F i + 1 = h(h( K M F i + 1 || bi+1P.x)) and h2 = h( C M F i + 1 | | K M F i | | K M F i + 1 ).
Step 5:
FA updates { C M F i , aiP, biP, K M F i } to { C M F i + 1 , ai+1P, bi+1P, K M F i + 1 } in its database and sends {ai+1P, h2} to MU.
Step 6:
When MU receives {ai+1P, h2} from FA, MU computes K M F i + 1 = h(bi+1ai+1P.x), C M F i + 1 = h( K M F i + 1 || bi+1P.x), and h′2 = h(h( C M F i + 1 ) || K M F i | | K M F i + 1 ). Then, MU checks if h′2 is equal to h2. If it does not hold, MU terminates this phase; otherwise, MU updates { C M F i , aiP, biP, K M F i } to { C M F i + 1 , ai+1P, bi+1P, K M F i + 1 } in the mobile device.
If this phase is terminated by MU or FA and MU still wants to access the roaming service, login phase is executed immediately.

2.5. Password Change Phase

MU can change his/her password with his/her smart card at will without HA’s help. Password change phase is depicted in Figure 6, and the details are as follows:
Step 1:
MU inserts his/her smart card into his/her terminal device and enters IDMU and pMU.
Step 2:
The smart card computes PWMU = h(IDMU || pMU), RMU = WPWMU and L′ = h(IDMU || RMU || PWMU).
Step 3:
The smart card checks if L′ is equal to L. If it does not hold, the smart card aborts the process.
Step 4:
If L′ equals L, MU selects the new password p M U n e w and sends it to the smart card. Note that this approach can be executed by entering p M U n e w with an embedded keyboard.
Step 5:
When the smart card receives the new password p M U n e w , it will ask MU to enter p M U n e w again for correctness. If the reentered password is different from the previous one, the smart card will inform MU of this issue. MU may resend the new password or terminate this phase. If the reentered password and the previous one are the same, the smart card computes P W M U n e w , Wnew = P W M U n e w RMU and Lnew = h(IDMU || RMU || P W M U n e w ). Then, the smart card updates W to Wnew and L to Lnew.

3. Property Analysis

In this section, we analyze our proposed scheme’s security and convenience by taking the following four properties into consideration: (1) user anonymity; (2) resistance to common attacks; (3) local password change; and (4) mutual authentication. In the following, we discuss our scheme to show that it possesses these properties.

3.1. User Anonymity

In our proposed scheme, MU’s real identifier is concealed in PWMU = h(IDMU || pMU) and is never transmitted when MU wants to access the roaming service. In authentication and establishment of the session key phase, MU sends {IDHA, S1, S2, S3, b0P} to FA, where S1 = h(pHA-MU || RMU), S2 = RMU R M U n e w , and S3 = h(RMUh(pHA-MU || R M U n e w ) || b0P.x). After authenticating MU and FA successfully, HA sends {IDHA, c0P, S4, S F A 2 } to FA, where S4 = h(c0b0P.x || a0P.x || IDFA || IDHA || RMU || R M U n e w ). Parameters S1, S2, S3, and S4 contain MU’s specific information RMU and R M U n e w and are transmitted via public channels. Because RMU and R M U n e w will be updated in each session, it denotes that S1, S2, S3, and S4 in one session differ from those in other sessions. That is, no constant parameter is transmitted for MU in different sessions, and our scheme ensures user anonymity.

3.2. Resistance to Common Attacks

To show that the proposed authentication scheme can resist common attacks to ensure security, common attacks, man-in-the-middle attack, desynchronization attack, insider attack, replay attack, and offline secret key guessing attack are taken into consideration. These attacks are chosen for security analysis because of the following reasons. First, HA, MU, and FA transmit data via public channels. It is essential to protect all communication parties from being threatened by an attacker without being detected when the authentication scheme is in progress. This denotes that the proposed scheme has to resist man-in-the-middle attack. Second, in authentication and establishment of the session key phase of the proposed scheme, the random nonce RMU kept by HA will be updated to R M U n e w after MU is authenticated successfully, and MU will update W to Wnew = PWMU R M U n e w and V to Vnew = R M U n e w pHA-MU after MU is assured that C M F 0 = C M F 0 . If only HA updates U to h(pHA-MU || R M U n e w ) and RMU to R M U n e w while W and V are not updated, MU may be regarded as an illegal user. That is, the proposed scheme has to resist desynchronization attacks to ensure that an authorized mobile user can access the service even when the new authentication parameters are modified by an attacker. Third, the proposed scheme has to resist insider attacks such that no one can impersonate a legal mobile user even when a malicious insider with privileges can access the home agent’s database. Forth, the proposed scheme has to resist replay attack such that no one can impersonate MU to cheat FA and HA by sending the intercepted data transmitted in previous sessions. Fifth, because the computational capacities of computers progress rapidly, an attacker can eavesdrop to get transmitted messages and analyze them offline. That is, an attacker may attempt to retrieve the secrets pHA-MU and pFA-HA by mounting an offline secret key guessing attack. The corresponding analysis is given as follows.
In authentication and establishment of the session key phase, an attacker may mount a man-in-the-middle attack by impersonating a communication party to establish the session key with another innocent communication party. First, we assume an attacker tries to impersonate MU and establish the session key with FA by modifying b0P. However, this approach will never succeed because MU computes S3 = h(RMUh(pHA-MU || R M U n e w ) || b0P.x) for HA and HA verifies b0P by checking whether S3 = S′3. FA can also verify b0P by checking whether S F A 2 = S F A 2 . On the other hand, if the attacker tries to impersonate FA and establish the session key with MU by modifying a0P, this approach will never succeed because HA can verify a0P by checking whether S F A 1 = S F A 1 and MU can verify a0P by checking whether S4 = S′4. In the update session key phase, FA authenticates MU by checking if h1 = h′1 and MU authenticates FA by checking if h2 = h′2 Because of the above reasons, our scheme can resist man-in-the-middle attacks.
In the authentication and establishment of the session key phase, an attacker may attempt to mount a desynchronization attack by disturbing the authentication process after HA updates U to h(pHA-MU || R M U n e w ) and RMU to R M U n e w in its database. Although MU does not update W and V in his/her smart card, MU still can be authenticated by HA successfully because HA stores the original RMU and the original U. Because of the above reasons, our scheme can resist desynchronization attack.
Assume that a malicious insider with privileges tries to get MU’s private data in HA’s database to impersonate MU. In our proposed scheme, this attack cannot be mounted successfully because HA does not store a user’s password and his/her real identifier. No insider can obtain pMU and IDMU to compute MU’s secret PWMU, where PWMU = h(IDMU || pMU). Therefore, our scheme can resist insider attack.
In authentication and establishment of the session key phase, anyone can eavesdrop to intercept the transmitted data because the channel is public. In Step 3, MU sends {IDHA, S1, S2, S3, b0P} to FA and stores R M U n e w , where S1 = h(pHA-MU || RMU), S2 = RMU R M U n e w , and S3 = h(RMUh(pHA-MU || R M U n e w ) || b0P.x). In Step 10, FA sends {IDFA, S4, a0P, c0P, C M F 0 } to MU, where C M F 0 = h(h( K M F 0 || b0P.x)) = h(h(h(a0b0P.x) || b0P.x)). In Step 12, MU sends { B M F 0 } to FA, where B M F 0 = h(c0P.x || K M F 0 ). In Step 13, FA computes B M F 0 = h(c0P.x || K M F 0 ) and checks if B M F 0 = B M F 0 to determine whether MU is legal. After an attacker eavesdrops, he may use the intercepted data to cheat HA and FA to access services. However, the attacker cannot mount a reply attack successfully because of the following. K M F 0 = h(a0b0P.x) and B M F 0 = h(c0P.x || K M F 0 ) = h(c0P.x || h(a0b0P.x)). If the attacker wants to cheat, he has to obtain a0b0P. Although a0P and b0P are available, the attacker knows neither a0 nor b0 because of the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP). As a result, the attacker cannot compute a0b0P to obtain B M F 0 . Since B M F 0 cannot be obtained by the attacker, he cannot be authenticated by FA successfully by retransmitting the intercepted data. Therefore, our scheme can resist replay attack.
In the authentication and establishment of the session key phase, HA authenticates FA by checking whether S F A 1 = S F A 1 , and FA authenticates HA by checking whether S F A 2 = S F A 2 , where S F A 1 = h(a0P.x || b0P.x || pFA-HA) and S F A 2 = h(c0a0P.x || b0P.x || pFA-HA). The secret pFA-HA shared between FA and HA is contained in both S F A 1 and S F A 2 . Although a0P, b0P and c0P are available, an attacker cannot compute c0a0P because of the difficulty of solving ECDLP. On the other hand, MU authenticates HA by checking whether S4 = S′4 and HA authenticates MU by checking whether S3 = S′3, where S4 = h(c0b0P.x || a0P.x || IDFA || IDHA || RMU || R M U n e w ) and S3 = h(RMUh(pHA-MU || R M U n e w ) || b0P.x). The secret pHA-MU shared between MU and HA is contained in the transmitted parameters S1 and S3, where S1 = h(pHA-MU || RMU). If an attacker wants to obtain pHA-MU, he has to guess RMU at the same time. This makes retrieving pHA-MU hard. Because of the above, offline secret key guessing attacks cannot be mounted on the proposed scheme.

3.3. Local Password Change

In our proposed scheme, MU can locally update his/her password. When MU wants to change his/her password PWMU to the new password P W M U n e w , he/she does not need to connect to HA. This means a user can change his/her password at will.

3.4. Mutual Authentication

First, we make discussions on communication parties MU, FA and HA in authentication and establishment of the session key phase by the following three cases.
Case 1: Mutual authentication between FA and HA
HA authenticates FA by checking whether S F A 1 = S F A 1 , and FA authenticates HA by checking whether S F A 2 = S F A 2 , where S F A 1 = h(a0P.x || b0P.x || pFA-HA) and S F A 2 = h(c0a0P.x || b0P.x || pFA-HA). Because pFA-HA is only known to FA and HA, it denotes that only FA and HA can compute the correct parameters to be authenticated successfully. That is, our proposed scheme provides mutual authentication between FA and HA.
Case 2: Mutual authentication between MU and HA
MU authenticates HA by checking whether S4 = S′4, and HA authenticates MU by checking whether S3 = S′3, where S4 = h(c0b0P.x || a0P.x || IDFA || IDHA || RMU || R M U n e w ) and S3 = h(RMUh(pHA-MU || R M U n e w ) || b0P.x). Only MU and HA can compute the correct parameters to be authenticated successfully because pHA-MU, R M U n e w and RMU are only known to MU and HA. As the result, our proposed scheme provides mutual authentication between MU and HA.
Case 3: Mutual authentication between MU and FA
In authentication and establishment of the session key phase, MU authenticates HA by checking if S4 = S′4, where S4 = h(c0b0P.x || a0P.x || IDFA || IDHA || RMU || R M U n e w ). Because only HA and MU know pHA-MU, R M U n e w and RMU, only HA can compute c0b0P and S4. If S4 = S′4, it denotes (1) a0P is valid because S4 contains a0P.x and (2) FA has been already authenticated by HA. Then, MU computes the session key K M F 0 = h(b0a0P.x), C M F 0 = h( K M F 0 || b0P.x), and C M F 0 = h( C M F 0 ) and checks if C M F 0 = C M F 0 . If C M F 0 = C M F 0 , it denotes that FA really knows K M F 0 = h(a0b0P.x). Because MU has already authenticated HA, MU is assured that only FA knows a0 to compute K M F 0 . As a result, FA is authenticated successfully by MU. Thereupon, MU computes B M F 0 = h(c0P.x || K M F 0 ) and sends it to FA. After obtaining { B M F 0 }, FA computes B M F 0 = h(c0P.x || K M F 0 ) and checks if B M F 0 = B M F 0 . If B M F 0 = B M F 0 , FA is assured that MU knows b0 to compute K M F 0 . FA has authenticated HA by checking if S F A 2 = S F A 2 , where S F A 2 = h(c0a0P.x || b0P.x || pFA-HA). It denotes (1) b0P is valid because S F A 2 contains b0P.x and (2) MU has been already authenticated by HA. As a result, MU is authenticated successfully by FA. Therefore, our proposed scheme provides mutual authentication between MU and FA.
Second, we make discussions on communication parties MU and FA in the update session key phase. Because MU and FA have already shared the session key K M F i = h(aibiP.x) in the previous session, they can use K M F i and the stored data to authenticate each other. At the moment, FA stores { C M F i , aiP, biP, K M F i } and MU stores { C M F i , aiP, biP, K M F i }, where C M F 0 = h( K M F 0 || b0P.x) and C M F 0 = h(h( K M F 0 || b0P.x)) = h( C M F 0 ). MU selects r bi+1, computes bi+1P and h1 = h(biP.x || bi+1P.x || K M F i ), and sends {bi+1P, C M F i , h1} to FA. After receiving {bi+1P, C M F i , h1}, FA checks if h ( C M F i ) exists in its database, where h ( C M F i ) = C M F i . Because it is hard to find the input of the hash function with a known hash value, this search approach protects MU from being traced even he stays in FA’s service domain and implies MU‘s legality. After finding the matched C M F i , FA extracts { C M F i , aiP, biP, K M F i } from its database and selects ai+1. FA computes h′1 = h(biP.x || bi+1P.x || K M F i ) and checks if h′1 = h1. If h′1 = h1, it denotes (1) MU indeed knows K M F i and (2) bi+1P is valid. FA authenticates MU successfully. Then, FA computes ai+1P, K M F i + 1 = h(ai+1bi+1P.x), C M F i + 1 = h(h( K M F i + 1 || bi+1P.x)) and h2 = h( C M F i + 1 | | K M F i | | K M F i + 1 ). FA updates { C M F i , aiP, biP, K M F i } to { C M F i + 1 , ai+1P, bi+1P, K M F i + 1 } in its database and sends {ai+1P, h2} to MU. After receiving {ai+1P, h2}, MU computes K M F i + 1 = h(bi+1ai+1P.x), C M F i + 1 = h( K M F i + 1 || bi+1P.x), and h′2 = h(h( C M F i + 1 ) || K M F i | | K M F i + 1 ). Then, MU checks if h′2 = h2. If h′2 = h2, it denotes that FA indeed knows K M F i and K M F i + 1 . MU authenticates FA successfully. As a result, mutual authentication is ensured in update session key phase.

4. Further Discussions

In this section, we first make comparisons between the proposed scheme and the related works, and BAN logic is then used to deduce the completeness of the proposed authentication scheme.

4.1. Comparisons

In the following, we present a discussion of the properties of the proposed scheme and the related works. The term “Local password change” denotes whether the mobile user can locally change his password without the home agent’s help in the corresponding scheme. The term “Anonymity” denotes whether the corresponding scheme can ensure user anonymity. The term “Insider attack resistance” denotes whether the corresponding scheme can resist insider attack. The term “Man-in-the-middle attack resistance” denotes whether the corresponding scheme can resist man-in-the-middle attack. The term “The synchronization problem resistance” denotes whether the corresponding scheme can resist the synchronization problem. “Replay attack resistance” denotes whether the corresponding scheme can resist replay attack. The comparisons between our scheme and the related works are given in Table 2. According to the comparisons, it is assured that our scheme can resist common attacks and ensure security and convenience at the same time while others cannot.

4.2. BAN Logic-Based Authentication Proof

In the following, BAN logic is used to deduce the completeness of the proposed authentication scheme. Notations used in BAN logic are listed in Table 3.
Fundamental rules for BAN logic analysis are listed as follows:
  • RBL1 (Message Meaning Rule 1): A | A N B ,   A < M > N A | B | ~ M .
  • RBL2 (Message Meaning Rule 2): A | A K B ,   A ( M ) K A | B | ~ M .
  • RBL3 (Nonce Verification Rule): A | # ( M ) , A | B | ~ M A | B | M .
  • RBL4 (Jurisdiction Rule): A | B M , A | B | M A | M .
  • RBL5 (Freshness Conjunction Rule): A | # ( M ) A | # ( M , N ) .
  • RBL6 (Belief Rule): A | ( M ) , A | ( N ) A | ( M , N ) .
  • RBL7 (Session Key Rule): A | # ( M ) , A | B | M A | A K B .
The following goals must be satisfied by using the above rules to ensure the security of the proposed authentication scheme under BAN logic.
Goal 1:
H A | M U R M U n e w , c 0 b 0 P H A .
Goal 2:
H A | M U | M U R M U n e w , c 0 b 0 P H A .
Goal 3:
M U | M U R M U n e w , b 0 c 0 P H A .
Goal 4:
M U | H A | M U R M U n e w , b 0 c 0 P H A .
Goal 5:
H A | F A c 0 a 0 P H A .
Goal 6:
H A | F A | F A c 0 a 0 P H A .
Goal 7:
F A | F A a 0 c 0 P H A .
Goal 8:
F A | H A | F A a 0 c 0 P H A .
Goal 9:
M U | F A K M F 0 M U .
Goal 10:
M U | F A | F A K M F 0 M U .
Goal 11:
F A | F A K M F 0 M U .
Goal 12:
F A | M U | F A K M F 0 M U .
Idealized transformation of the proposed scheme is as follows:
IM1: MUFA: IDHA, S1, S2, S3, b0P:
{ I D H A , h ( p H A M U | | R M U ) , < R M U n e w > R M U , < b 0 P > R M U h ( p H A M U | | R M U n e w ) , b 0 P } .
IM2: FAHA: IDFA, S1, S2, S3, a0P, b0P, S F A 1 :
{ I D F A , h ( p H A M U | | R M U ) , < R M U n e w > R M U , < b 0 P > R M U h ( p H A M U | | R M U n e w ) , a 0 P , b 0 P , ( a 0 P , b 0 P ) p F A H A } .
IM3: HA → FA: IDHA, c0P, S4, S F A 2 :
{ I D H A , c 0 P , ( c 0 b 0 P , a 0 P , b 0 P , R M U n e w ) R M U , ( c 0 a 0 P , b 0 P ) P F A - H A } .
IM4: FA → MU: IDFA, S4, a0P, c0P, C M F 0 :
{ I D F A , ( c 0 b 0 P , a 0 P , b 0 P , R M U n e w ) R M U , a 0 P , c 0 P , ( b 0 P ) K M F 0 } .
To evaluate the proposed scheme, assumptions regarding the preliminary state are shown as follows:
A1:
M U | M U R M U , p H A M U H A .
A2:
H A | M U R M U , p H A M U H A .
A3:
F A | F A p F A H A H A .
A4:
H A | F A p F A H A H A .
A5:
M U | # ( b 0 ) .
A6:
F A | # ( a 0 ) .
A7:
H A | # ( c 0 ) .
A8:
H A | M U b 0 P .
A9:
F A | M U b 0 P .
A10:
M U | F A a 0 P .
A11:
H A | F A a 0 P .
A12:
M U | H A c 0 P .
A13:
F A | H A c 0 P .
Considering IM1 and IM2 of the idealized forms:
IM1: MUFA: IDHA, S1, S2, S3, b0P:
{ I D H A , h ( p H A M U | | R M U ) , < R M U n e w > R M U , < b 0 P > R M U h ( p H A M U | | R M U n e w ) , b 0 P } .
IM2: FAHA: IDFA, S1, S2, S3, a0P, b0P, S F A 1 :
{ I D F A , h ( p H A M U | | R M U ) , < R M U n e w > R M U , < b 0 P > R M U h ( p H A M U | | R M U n e w ) , a 0 P , b 0 P , ( a 0 P , b 0 P ) p F A H A } .
By applying seeing rule, we have
S1: FA IDHA, S1, S2, S3, b0P:
{ I D H A , h ( p H A M U | | R M U ) , < R M U n e w > R M U , < b 0 P > R M U h ( p H A M U | | R M U n e w ) , b 0 P } .
S2: HA IDFA, S1, S2, S3, a0P, b0P, S F A 1 :
{ I D F A , h ( p H A M U | | R M U ) , < R M U n e w > R M U , < b 0 P > R M U h ( p H A M U | | R M U n e w ) , a 0 P , b 0 P , ( a 0 P , b 0 P ) p F A H A } .
By S2, A2, and RBL1, we have
S3: H A | M U | ~ {h(pHA-MU || RMU), < R M U n e w > R M U , < b 0 P > R M U h ( p H A M U | | R M U n e w ) , b0P}.
By S3, A5, A8, RBL3, RBL4, and RBL7, we have
S4: H A | M U R M U n e w , c 0 b 0 P H A .Goal 1
By S4, A7, A12, and RBL4, we have
S5: H A | M U | M U R M U n e w , c 0 b 0 P H A .Goal 2
By S2, A4, and RBL2, we have
S6: H A | F A | ~ {IDFA, a0P, ( a 0 P , b 0 P ) p F A H A }.
By S6, A6, A11, RBL3, RBL4, and RBL7, we have
S7: H A | F A c 0 a 0 P H A Goal 5
By S7, A7, A13, and RBL4, we have
S8: H A | F A | F A c 0 a 0 P H A .Goal 6
Considering IM3 of the idealized form:
IM3: HA → FA: IDHA, c0P, S4, S F A 2 :
{ I D H A , c 0 P , ( c 0 b 0 P , a 0 P , b 0 P , R M U n e w ) R M U , ( c 0 a 0 P , b 0 P ) P F A - H A } .
By applying seeing rule, we have
S9: FA IDHA, c0P, S4, S F A 2 :
{ I D H A , c 0 P , ( c 0 b 0 P , a 0 P , b 0 P , R M U n e w ) R M U , ( c 0 a 0 P , b 0 P ) P F A - H A } .
By S9, A3, A7, A13, RBL2, RBL3, RBL4, and RBL7, we have
S10: F A | H A | ~ {IDHA, c0P, ( c 0 a 0 P , b 0 P ) P F A - H A },
S11: F A | F A a 0 c 0 P H A ,Goal 7
S12: F A | H A | F A a 0 c 0 P H A , andGoal 8
S13: F A | M U | ~ b 0 P .
By S13, A5, and A9, we have
S14: F A | F A K M F 0 M U andGoal 11
S15: F A | M U | F A K M F 0 M U Goal 12
Considering IM4 of the idealized form:
IM4: FA → MU: IDFA, S4, a0P, c0P, C M F 0 :
{ I D F A , ( c 0 b 0 P , a 0 P , b 0 P , R M U n e w ) R M U , a 0 P , c 0 P , ( b 0 P ) K M F 0 } .
By applying seeing rule, we have
S16: MU IDFA, S4, a0P, c0P, C M F 0 :
{ I D F A , ( c 0 b 0 P , a 0 P , b 0 P , R M U n e w ) R M U , a 0 P , c 0 P , ( b 0 P ) K M F 0 } .
By S16, A1, and RBL1, we have
S17: M U | H A | ~ { ( c 0 b 0 P , a 0 P , b 0 P , R M U n e w ) R M U , a0P, c0P}.
By S17, A7, A12, RBL3, RBL4, and RBL7, we have
S18: H A | M U R M U n e w , c 0 b 0 P H A andGoal 3
S19: M U | H A | M U R M U n e w , b 0 c 0 P H A .Goal 4
By S16, A6, A10, RBL3, RBL4, and RBL7, we have
S20: M U | F A K M F 0 M U andGoal 9
S21: M U | F A | F A K M F 0 M U .Goal 10
The above BAN logic analysis formally proves the authentication process has any two of MU, FA, and HA authenticate each other and the shared secrets are established as claimed.

5. Conclusions

In this paper, we propose a user anonymity-ensured mobility network authentication scheme after analyzing the previous related schemes and the weaknesses that they suffer from. In our scheme, first the parameters for negotiating the session key are verified. In the authentication and establishment of the session key phase, S F A 1 and S4 are employed by HA and MU to verify a0P, and S3 and S F A 2 are employed by HA and FA to verify b0P. In the update session key phase, h1 and h2 are employed by MU and FA to authenticate each other. Second, HA does not store MU’s password anymore and MU can change his/her password locally without connecting to HA. Third, the smart card authenticates MU before the authentication and establishment of the session key phase and password change phase. Forth, no fixed parameters are transmitted, to ensure user anonymity.
Via these new approaches, the proposed mobility network authentication scheme can defend against the weaknesses that the previous schemes suffer from. The proposed scheme is also analyzed to show that it ensures security and convenience and can be applied to mobility networks.

Acknowledgments

This work was supported in part by Ministry of Science and Technology under the Grants MOST 106-2221-E-034-006-, MOST 106-2622-H-025-001-CC3, and MOST 106-2410-H-025-006-.

Author Contributions

Ya-Fen Chang designed the algorithm, conducted all experiments, analyzed the results, wrote the manuscript, and conducted the literature review. Wei-Liang Tai conceived the algorithm, analyzed the results, and wrote the manuscript. Min-How Hsu wrote the manuscript.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Suzukiz, S.; Nakada, K. An authentication techinque based on distributed security management for the global mobility network. IEEE J. Sel. Areas Commun. 1997, 15, 1608–1617. [Google Scholar] [CrossRef]
  2. Buttyan, L.; Gbaguidi, C.; Staamann, S.; Wilhelm, U. Extensions to an authentication technique proposed for the global mobility network. IEEE Trans. Commun. 2000, 48, 373–376. [Google Scholar] [CrossRef]
  3. Tzeng, Z.J.; Tzeng, W.G. Authentication of mobile users in third generation mobile systems. Wirel. Pers. Commun. 2001, 16, 35–50. [Google Scholar] [CrossRef]
  4. Hwang, K.F.; Chang, C.C. A self-encryption mechanism for authentication of roaming and teleconference services. IEEE Trans. Wirel. Commun. 2003, 2, 400–407. [Google Scholar] [CrossRef]
  5. Zhu, J.; Ma, J. A new authentication scheme with anonymity for wireless environments. IEEE Trans. Consum. Electron. 2004, 50, 230–234. [Google Scholar]
  6. Lee, C.Y.; Chang, C.C.; Lin, C.H. User authentication with anonymity for global mobility networks. In Proceedings of the 2005 IEEE Mobility Conference, the Second Asia Pacific Conference on Mobile Technology, Guangzhou, China, 15–17 November 2005; pp. 1–5. [Google Scholar]
  7. Lee, C.C.; Hwang, M.S.; Liao, I.E. Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Trans. Ind. Electron. 2006, 53, 1683–1687. [Google Scholar] [CrossRef]
  8. Chang, C.C.; Lee, C.Y.; Chiu, Y.C. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Comput. Commun. 2009, 32, 611–618. [Google Scholar] [CrossRef]
  9. Kuo, W.C.; Wei, H.J.; Cheng, J.C. An efficient and secure anonymous mobility network authentication scheme. J. Inf. Secur. Appl. 2014, 19, 18–24. [Google Scholar] [CrossRef]
  10. Lu, Y.; Wu, X.; Yang, X. A secure anonymous authentication scheme for wireless communications using smart cards. Int. J. Netw. Secur. 2015, 17, 237–245. [Google Scholar]
  11. Chang, Y.F.; Hsu, M.H.; Tai, W.L. Comments on Kuo et al.’s anonymous mobility network authentication scheme. In Proceedings of the 4th Annual Conference on Engineering and Information Technology (ACEAIT 2016), Kyoto, Japan, 29–31 March 2016; pp. 778–785. [Google Scholar]
  12. Chang, Y.F.; Peng, C.H.; Tai, W.L. Comments on a secure anonymous authentication scheme for wireless communications using smart cards. In Proceedings of the International Conference on Innovation and Management (IAM2017 Winter), Tokyo, Japan, 7–10 February 2017; pp. 527–536. [Google Scholar]
  13. Alizadeh, M.; Baharun, S.; Zamani, M.; Khodadadi, T.; Darvishc, M.; Gholizadeh, S.; Ahmadi, H. Anonymity and Untraceability Assessment of Authentication Protocols in Proxy Mobile IPv6. J. Teknol. 2015, 72, 31–34. [Google Scholar] [CrossRef]
  14. Ibrahim, M.H.; Kumari, S.; Das, A.K.; Wazid, M.; Odelu, V. Secure Anonymous Mutual Authentication for Star Two-tier Wireless Body Area Networks. Comput. Methods Programs. Biomed. 2016, 135, 37–50. [Google Scholar] [CrossRef] [PubMed]
  15. Amin, R.; Islam, S.K.H.; Biswas, G.P.; Khan, M.K.; Leng, L.; Kumar, N. Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. Comput. Netw. 2016, 101, 42–62. [Google Scholar] [CrossRef]
  16. Wang, X.; Mu, Y. Communication security and privacy support in 6LoWPAN. Inf. Secur. Appl. 2017, 34, 108–119. [Google Scholar] [CrossRef]
  17. Kumari, S.; Li, X.; Wu, F.; Das, A.K.; Choo, K.R. Design of a provably secure biometrics-based multi-cloud-server authentication scheme. Future Gener. Comput. Syst. 2017, 68, 320–330. [Google Scholar] [CrossRef]
  18. Tai, W.L.; Chang, Y.F.; Li, W.H. An IOT notion–based authentication and key agreement scheme ensuring user anonymity for heterogeneous ad hoc wireless sensor networks. Inf. Secur. Appl. 2017, 34, 133–141. [Google Scholar] [CrossRef]
  19. Burrows, M.; Abadi, M.; Needham, R.M. A logic of authentication. ACM Trans. Comput. Syst. 1990, 8, 18–36. [Google Scholar] [CrossRef]
Figure 1. An illustration of mobility networks.
Figure 1. An illustration of mobility networks.
Symmetry 09 00307 g001
Figure 2. Registration phase in our scheme.
Figure 2. Registration phase in our scheme.
Symmetry 09 00307 g002
Figure 3. Login phase in our scheme.
Figure 3. Login phase in our scheme.
Symmetry 09 00307 g003
Figure 4. Authentication and establishment of the session key phase in our scheme.
Figure 4. Authentication and establishment of the session key phase in our scheme.
Symmetry 09 00307 g004
Figure 5. Update session key phase in our scheme.
Figure 5. Update session key phase in our scheme.
Symmetry 09 00307 g005
Figure 6. Password change phase in our scheme.
Figure 6. Password change phase in our scheme.
Symmetry 09 00307 g006
Table 1. Notations used in our mobility network authentication scheme.
Table 1. Notations used in our mobility network authentication scheme.
SymbolDefinition
MUA mobile user
FAA foreign agent
HAThe home agent
IDAThe identifier of an entity A
h(·)A collision free one-way hash function
pMUThe password chosen by MU
PWMUThe secret of MU that is computed by IDMU and pMU
RAA random nonce chosen by an entity A
pA prime greater than 2160
nA prime greater 2160
PA point on the elliptic curve Ep(a, b) of order n, where a, bZp, Ep(a, b): y2 = x3 + ax + b and 4a3 + 27b2 ≠ 0
P.xThe x coordinate of the point P
pHA-MUThe secret key of HA for MU
pFA-HAThe secret key shared between HA and FA
||Concatenation operator
Exclusive-or operator
Table 2. Comparisons between our scheme and the related works.
Table 2. Comparisons between our scheme and the related works.
SchemesOursKuo et al.’s [9]Lu et al.’s [10]
Local password changeYesNoYes
AnonymityYesYesNo
Insider attack resistanceYesNoYes
Man-in-the-middle attack resistanceYesNoYes
The synchronization problem resistanceYesNoYes
Replay attack resistanceYesYesNo
Table 3. Notations used in Burrows-Abadi-Needham logic (BAN logic).
Table 3. Notations used in Burrows-Abadi-Needham logic (BAN logic).
SymbolDefinition
A, BPrincipals indicate general instances participating in a protocol.
A | M A believes the statement M.
A M A sees M.
A | ~ M A once said M.
A M A has jurisdiction over M.
#(M)M is a fresh message.
<M>NFormula M is combined with formula N.
(M, N)M or N is one part of message (M, N).
(M)KM is hashed with the secret K.
A K B K is the secret shared between A and B.

Share and Cite

MDPI and ACS Style

Chang, Y.-F.; Tai, W.-L.; Hsu, M.-H. A Secure Mobility Network Authentication Scheme Ensuring User Anonymity. Symmetry 2017, 9, 307. https://doi.org/10.3390/sym9120307

AMA Style

Chang Y-F, Tai W-L, Hsu M-H. A Secure Mobility Network Authentication Scheme Ensuring User Anonymity. Symmetry. 2017; 9(12):307. https://doi.org/10.3390/sym9120307

Chicago/Turabian Style

Chang, Ya-Fen, Wei-Liang Tai, and Min-How Hsu. 2017. "A Secure Mobility Network Authentication Scheme Ensuring User Anonymity" Symmetry 9, no. 12: 307. https://doi.org/10.3390/sym9120307

APA Style

Chang, Y.-F., Tai, W.-L., & Hsu, M.-H. (2017). A Secure Mobility Network Authentication Scheme Ensuring User Anonymity. Symmetry, 9(12), 307. https://doi.org/10.3390/sym9120307

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop