A secure and lightweight authentication scheme for roaming service in global mobile networks

Journal of Information Security and Applications 38 (2018) 96–110

Contents lists available at ScienceDirect

Journal of Information Security and Applications journal homepage: www.elsevier.com/locate/jisa

A secure and lightweight authentication scheme for roaming service in global mobile networks R. Madhusudhan∗, Shashidhara Department of Mathematical and Computational Science, National Institute of Technology Karnataka, Surathkal 575025, India

a r t i c l e

i n f o

Article history:

Keywords: Global roaming Mobility networks User anonymity Clock synchronization Stolen-verifier attack

a b s t r a c t Global Mobile Network provides global roaming service to the users moving from one network to another. It is essential to authenticate and protect the privacy of roaming users. Recently, Marimuthu and Saravanan proposed a secure authentication scheme for roaming service in mobile networks. This scheme can protect user anonymity, untraceability, and is believed to have many abilities to resist a range of attacks in global mobile networks. In this paper, we analyse the security strength of their scheme and show that the authentication protocol is in fact insecure against insider attack, stolen-verifier attack, impersonation attack, denial-of-service attack, synchronization problem, lack of user anonymity and operational inefficiencies. Hence, we propose a secure and lightweight authentication scheme for Global Mobile Networks. In addition, the proposed scheme requires few message exchanges between the entities such as MU (Mobile User), FA (Foreign Agent) and HA (Home Agent). The scheme ensures both communication and computation efficiency as compared to the well-known authentication schemes. The performance analysis shows that the proposed authentication scheme is well suited for resource limited wireless and mobile environments. © 2017 Elsevier Ltd. All rights reserved.

1. Introduction With the rapid development of mobile technologies, such as GSM (Global System for Mobile communications), GPRS (General Packet Radio Service), EDGE (Enhanced Data Rates for Global Evolution), UMTS (Universal Mobile Telecommunication Service) and HSPA (High Speed Packet Access), over the last couple of years, most of the electronic transactions are processed through mobile devices. A mobility network provides roaming service that permits mobile subscriber to access the services provided by the home agent in a foreign network [1,2]. To provide global roaming service for a mobile user, remote user authentication is an essential requirement and challenging task. A scenario of remote user authentication in global mobile network involves a Mobile User (MU), Foreign Agent (FA) and the Home Agent (HA) is shown in Fig. 1. A MU of a specific network can roam anywhere in the world and he/she can access the desired services through a foreign agent [3]. When a MU roams into a foreign network, the FA authenticates the roaming user (MU) with the assistance of home agent [3]. During roaming process in global mobile networks, privacy protection is challenging and essential requirement. The identity of mobile users should be protected, which is known as user anonymity and ∗

Corresponding author. E-mail address: [email protected] (R. Madhusudhan).

https://doi.org/10.1016/j.jisa.2017.12.002 2214-2126/© 2017 Elsevier Ltd. All rights reserved.

his/her location activities should be kept secret, which is known as user untraceability [4]. Mutual authentication is a very important security aspect. It requires that the MU, FA and HA prove their identities to each other before offering any application services between these entities. In order to achieve all security requirements, several authentication schemes [1–12] have been proposed for roaming services in global mobility networks. However, some of them have been proved to be insecure against known attacks. 1.1. Motivations and contributions We studied many user authentication schemes in global mobile networks that provide roaming service for mobile users. It has been observed that the previous authentication schemes have the following problems: Most of them (1) are vulnerable to some known cryptographic attacks. (2) Make use of tamper-resistant devices such as smartcards, which does not ensure that an authentication protocol is safe and secure against all security risks. Because, the information stored in the smartcard can be extracted easily, either by analysing the leaked information or by monitoring its power consumption [13]. In addition, the smartcard based infrastructure required card reader terminals, which greatly increases the deployment cost. (3) Suffers from clock synchronization problem. (4) Uses static key agreement method to distribute secret

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

97

Fig. 1. Mobile user authentication for roaming service.

parameters between different entities. (5) Some of the existing authentication protocols do not have the secure password change and local password verification mechanisms. (6) Do not satisfy all the security requirements specified in Section 6.1. Recently, Marimuthu and Saravanan [2] proposed a secure authentication scheme for roaming service. This scheme can protect user anonymity, untraceability and is believed to have many abilities to resist a range of attacks in global mobile networks. However, this paper presents a brief review of Marimuthu and Saravanan scheme and we identify that their scheme has some security pitfalls. Compared with previous related authentication schemes, the proposed scheme has many advantages. Firstly, the scheme enjoys important security attributes including prevention of various attacks. The scheme ensures user anonymity, local password verification, user friendliness, no password-verifier in HA to maintain secret key and so on. Secondly, the scheme makes use of common memory devices such as USB (Universal Serial Bus) sticks, PDAs (Digital Assistant) and mobile phones without a tamper resistant property to store authentication information issued by the home agent. Finally, the performance and cost analysis of the scheme shows that there are only few encryption and decryption primitives. Also, the proposed scheme does not require additional clock synchronization mechanisms. Therefore, the proposed scheme is simple, secure, lightweight and more suitable for wireless and mobile environments. 1.2. Organization of the paper The rest of the paper is organized as follows: Section 2, covers related work. Section 3, provides some mathematical preliminaries such as Diffie–Hellman problem, discrete logarithm problem and one-way hash function. These preliminaries form basis of the proposed security model and useful for a security analysis. Section 4, reviews Marimuthu and Saravanan’s scheme. Section 5, shows security weaknesses in this scheme and points out its computational inefficiencies. Section 6, proposes a Secure and Lightweight Authentication Scheme and corresponding scheme analysis are presented in Section 7. The performance analysis and security requirement comparisons are presented in Section 8. Section 9, concludes the paper. 2. Related work To support the roaming facility, in 2004, Zhu et al. [14] established an efficient two-factor authentication scheme. However, Lee et al. [8] showed that Zhu et al.s. scheme does not achieve

mutual authentication and is vulnerable to impersonation attack. In 2006, the authors also proposed an improved scheme, to overcome the weakness of Zhu et al.’s authentication scheme. In 2008, Wu et al. [15] proved that the proposed scheme of Lee et al.s still fails to provide strong user anonymity and perfect backward secrecy. Wang et al. [16] also introduced the new authentication scheme, later, Jeon et al. [17] pointed out that Wang et al.s. authentication scheme cannot withstand against forgery attacks and fails to achieve anonymity. Independently, Chang et al. [9] proved Lee et al.s. authentication scheme fails to achieve user anonymity. Then, Chang et al. proposed a new authentication scheme. Unfortunately, Youn et al. [10] found that, their scheme cannot provide anonymity. In 2010, He et al.s. [12] pointed that Wu et al.’s authentication scheme is vulnerable to forgery and replay attacks. Then, they come up with a robust authentication mechanism for mobile and wireless communications. After, in 2011, Li et al.’s [11] also points that, Wu et al.’s protocol is unlikely to provide anonymity due to an inherent design weakness and also cannot withstand against impersonation attack and replay attack. Then they proposed an enhanced authentication scheme using smartcards, which provides both computation and communication efficiency as compared to some well known authentication schemes. Recently, Mun et al. [18] reanalysed Wu et al.’s [15] authentication scheme, they pointed that Wu et al.’s authentication scheme fails to provide forward secrecy and reveals the legitimate mobile users password. Then they come up with an enhanced scheme for roaming service, which has several advantages: (1) It can provide several security properties such as providing perfect forward secrecy and preventing disclosure of users password. (2) It is more efficient regarding performance compared with some previous known schemes that use public key cryptosystem with certificates. (3) It does not use timestamps, thus it is not required to synchronize the time. Zhao et al. [7] in 2014, proved that Mun et al.’s [18] authentication scheme does not provide mutual authentication, local password verification and user friendliness. Also, the scheme cannot withstand against forgery attacks. Further, they designed an enhanced user authentication scheme. Later on, some new remote user authentication schemes have been proposed [7,19–21]. Recently, in 2015, Marimuthu and Saravanan’s [2] proposed a secure authentication scheme with user anonymity for roaming service in global mobility networks. This scheme can protect user anonymity, untraceability, and is believed to have many abilities to resist a range of attacks in global mobile networks. However, this paper presents a brief review of Marimuthu and Saravanan’s scheme [2] and we identify that their scheme has some security

98

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

pitfalls. We proved that the security flaws of their scheme to insider attack, stolen-verifier attack, offline guessing attack, denial of service attack, forgery attack. In addition, Marimuthu and Saravanan’s scheme includes more number of encryption and decryption operations, which increases the computational complexity of the system. To avoid these security flaws and computational inefficiencies, the paper proposed a secure and lightweight authentication scheme for roaming service in global mobile networks. The proposed scheme is designed to meet various security goals and suitable for resource limited and low power mobile devices. 3. Mathematical preliminaries In this section, we discuss computational problems such as Discrete Logarithmic Problem (DLP) [22], Computational Diffie– Hellman problem (CDH) [23], and one-way hash functions [5,24], which will be used throughout the paper. 3.1. Discrete logarithm problem Consider a generator g of

Z ∗p

Table 1 Notations used throughout the paper. Notations

Descriptions

MU, FA, HA PWDmu IDMU , IDFA , IDHA d y K (X )K Sesskey KFH x, rf , XMU , RMU h(.) TA T ||

The Mobile User, Foreign Agent, Home Agent The Password of MU The Identity of MU, FA and HA The HA’s Secret key The HA’s Public key Counter of MU Symmetric encryption/decryption The Session key The shared secret key Random numbers One-way hash function The entity A’s timestamp Expected time interval Concatenation operator XOR operation



4.2. Registration phase and a large prime p. Assume:

X = gx mod p

(1)

In this phase, MU freely selects the identity IDMU , password PWDMU and a random number b. Then, MU sends registration request M = {IDMU , (b  PW DMU )} to HA. Then HA computes

If we know p, x and g, calculating X = gx mod p is trivial. However, if we have p, X and g, which is impossible to compute x due to the factoring of primes [2,22].

Ci = h(h(IDMU )  h(b  PW DMU )) mod n

3.2. Computational Diffie–Hellman problem

KMU = h(IDMU ||IDHA ||XMU ||TR )  h(b  PW DMU ).

Consider a cyclic group G with order q. The Computational Diffie–Hellman problem states that, given g, gx , gy for a generator g and random number x, y  {1, 2, ..., q − 1}, it is computationally intractable to compute the value gxy [23].

Where TR is the MU’s registration time and Xmu is a random number chosen by HA. Then, HA creates an entry for MU and stores an encrypted form of {IDMU , XMU , TR } in its database. Then, the HA personalizes smart card with {Ci , IDHA , y, g, n, KMU , h(.)} and delivers it to MU. Upon receiving the smart card, mobile user stores b into it. Finally, the mobile user smart card contains {Ci , g, y, n, IDHA , KMU , b, h(.)}

3.3. One-way hash function The one way hash function takes a string of any length and produces a fixed-length called as a message digest or hash value. The hash functions are used in cryptographic applications to check the message integrity. Also, the hash function can be used to generate MAC (Message Authentication Code) or sign on the message to provide message authentication and non repudiation services [5,24]. 4. Review of Marimuthu and Saravanan scheme In this section, we review Marimuthu and Saravanan’s authentication scheme [2]. It consists of registration phase, login and authentication phase and password change phase. The notations used throughout this paper are defined in Table 1. Consider the MU associated with its HA and roaming into a FN (Foreign Network). Assume, y is a public key, d is a secret key. Before, system starts, it is assumed that, FA and HA shares a secret key KFH using key agreement method.

4.3. Login and authentication phase If the MU visits a FN administered by FA and access the desired services, then FA needs to authenticate the MU through HA. The login and authentication phase of Marimuthu and Saravanan scheme is described through the following steps. Step 1: MU inserts the smart card into terminal then inputs his identity ID∗MU and password PW D∗MU . Then, smart card computes Ci∗ = h(h(ID∗MU )  h(b  PW D∗MU )) and checks whether ?

Ci∗ = Ci . If verification fails the session is terminated. If verification is passed then the MU’s smart card chooses a random number x. Then computes

B1 = gx mod n

4.1. Initialization phase

B2 = yx mod n

In this phase HA issues the smart card, whenever a new MU registered at the server through registration phase. Initialization phase steps are as follows.

SID = (IDMU ||B1 )B2  h(B1  B2 )

Step 1: The HA choose two primes p, q and generator g of finite field in Z ∗p . Step 2: Which computes n = p × q and (n ) = ( p − 1 ) × (q − 1 ). Step 3: Next, HA selects an integer e such that gcd (e, (n )) = 1 and 1 < e < (n). Step 4: It calculates value of an integer d such that d = e−1 where d is the HA’s secret key, and y = gd mod n; y is the public key.

K = KMU  h(b  PW DMU ) = h(IDMU ||IDHA ||XMU ||TR ) V1 = h(K ||B2 ||SID||TMU ). Where TMU is current timestamp value. Finally MU sends request message for login M1 = {B1 , SID, V1 , IDHA , TMU } to the FA.

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

Step 2: After receiving M1 , FA checks the freshness of TMU by comparing with TF and expected time interval T, where TF is the current timestamp of FA. If verification fails, FA rejects login message M1 . Otherwise, a random number rf is generated by the FA and computes

W1 = h(KF H ||IDF A ||r f ||TF ||B1 ||V1 ||SID ).

99 

Step 5: After receiving M4 , MU verifies freshness of TF by com TMU

paring with and expected time interval T. Which gives the transmission delay between MU and FA. If the comparison fails, the MU rejects FA’s message M4 . Otherwise MU computes

V2∗ = h(h(IDMU ||K )||IDF A ||r f ||IDMU )

Where KFH is the pre-shared key between HA and FA. Then FA sends message M2 = (W1 , IDF A , r f , TF , B1 , V1 , SID, TMU ) to HA. Step 3: Upon receiving M2 , HA checks for the freshness of TF by comparing with TH and expected time interval T. Which gives the transmission delay between FA and HA. If verification fails, HA ignores the message M2 . Upon successful verification, HA retrieves KFH and computes

W1 = h(KF H ||IDF A ||r f ||TF ||B1 ||V1 ||SID )

veri f ies V2∗ =? V2 . If verification is successful, mobile user ensures the authentication of FA and HA. Then, MU computes session key.

Sesskey = h(h(IDMU ||K )||IDF A ||r f ||IDMU ||B1 ) 4.4. Password change phase In this phase, MU inputs the identity ID∗MU and password PW D∗MU . Then, smartcard computes Ci∗ = h(h(ID∗MU )  h(b 

veri f ies W1∗ =? W1

?

PW D∗MU )) and checks whether Ci∗ = Ci . If verification fails, the request for password change is rejected. Otherwise, the legality of ID∗MU and password PW D∗MU is proved and smartcard reader terminal asks the MU to enter his/her new password PW DMUNew . After that, smartcard computes

B∗1 = (B1 )d mod n = (gx )d mod n = gdx mod n = (gd )x mod n

CiNew = h(h(IDMU )  h(b  PW DMUNew ) mod n )

x

= y mod n = B2

∗ KMU = KMU  h(b  PW DMU )  h(b  PW DMUNew )

SID  h(B1  B∗2 ) = (IDMU ||B1 )B2

= h(IDMU ||IDHA ||XMU ||TR )  h(b  PW DMUNew )

Decrypts (IDMU ||B1 )B2

∗ } in the smartcard. and replaces {Ci , KMU } with {CiNew , KMU

Retrieves {XMU , TR }

5. Cryptanalysis of Marimuthu and Saravanan scheme In this section, we show that Marimuthu and Saravanan’s scheme is vulnerable to insider attack, stolen-verifier attack, offline guessing attack, denial of service attack, impersonation attack and clock synchronization problem. Also, the scheme cannot achieve user anonymity. In addition, their scheme [2] involves more number of encryption and decryption operations for open messages. Before analysing Marimuthu and Saravanan’s scheme [2], we make some assumptions regarding the attacker A. Which as suggested by Xu et al. [25], Kocher et al. [26], Messerges et al. [27] and Ma et al. [28] respectively.

K ∗ = h(IDMU ||IDHA ||XMU ||TR ) V1∗ = h(K ||B∗2 ||SID||TMU )

veri f ies V1∗ =? V1 . Then HA computes the following:

Sesskey = h(h(IDMU ||K ∗ )||IDF A ||r f ||IDMU ||B1 )

1. An attacker A has control over communication medium between the users and remote server [25]. 2. The attacker A may either pick up the mobile users smartcard for short period of time or steal a mobile users smartcard. Then, the attacker A can extract the secret parameters stored in the mobile user’s smartcard by analysing the leaked information or by monitoring the power consumption [26,27].

K1 = Sesskey  h(KF H ||r f ) V2 = h(h(IDMU ||K ∗ )||IDF A ||r f ||IDMU ) S2 = h(Sesskey ||IDF A ||r f ||B1 ) 

and sends the message M3 = {K1 , V2 , S2 , TH }.

5.1. Vulnerable to insider attack



Step 4: Upon receiving M3 , FA checks for freshness of TH by 



comparing with TF and expected time interval T, where TF is the current timestamp of FA. If verification fails, the FA rejects message M3 . Otherwise, FA computes

Sesskey = K1  h(KF H ||r f ) S2∗ = h(Sesskey ||IDF A ||r f ||B1 )

veri f ies S2∗ =? S2 Then, FA sends the message M4 = {V2 , r f , TF } to MU.

Insider attacker is one who is having administrative access of the home agent. In registration phase, the mobile user (MU) freely selects IDMU , PWDMU and random number b. Then, MU sends registration request M = {IDMU , (PW DMU  b)} to the HA. Note that, in message M, the identity of mobile user IDMU is transmitted in the form of plain text and MU s password is xored with random number b, which is breakable. Assume that, an attacker is the privileged insider of the HA, he/she may record the pattern of password (PWDMU b) present in the M. Then, an insider can learns the length of the xored password pattern. If he knows the length, it is easy to break MU s password by using tools xorBruteForcer,

100

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

brutexor and NoMoreXOR. These tools are used for de-obfuscating xor-encoded data, using even slow computers this can solved in a matter of milliseconds. Thus, it is not a good practice to hide sensitive information like passwords using xor functions. Having user’s identity or password, an insider can impersonate legal user of the system at other servers. As an alternative, Assume that, the same privileged insider gets the lost/stolen smartcard of legitimate MU. Subsequently, he/she can extract the information stored in the smartcard, either by analysing the leaked information or by monitoring its power consumption [26,27]. As a result, the insider of HA obtain MU srandom number b from the smartcard. Afterwards, the attacker can derive the MU’s password as follows:

5.4. Pre-distribution of common secret key KFH

let R = b  PW DMU

The cryptographic primitive such as Diffie–Hellman key agreement protocol needs to hand over the secret parameter KFH to the other entities in advance through pre-distribution by third party, which is illustrated in Fig. 3. However, in this scheme no entity transmits the common secret key KFH in all transactions. Thus, it requires third party to generate the secret key once and distribute them to all HA’s and FA’s in advance so the secret key KFH is static for all authentication sessions. It is not convenient when a new HA or FA joins mobile network. Furthermore, all entities must use the same secret parameter in each session, so there is no flexible and dynamic key generation mechanism. Therefore, there is a need for a more secure and flexible authentication scheme for a mobility networks.

PW = b  R

5.5. Offline password guessing attack with smart cards

= b  b  PW DMU

PW = PW DMU This shows that password (PW) derived by an attacker is identical to the MU s password (PWDMU ). After obtaining the password, insider can purposely leak the information or impersonate the legitimate user or may modify the information. Also he/she can issue an illegal smart card to some fake mobile user. Thus submission of identity or password in plaintext format during registration has many serious consequences. The above attack demonstrates that, the inside attacker can obtain MU s IDMU and PWDMU , which is depicted in Fig. 2. Therefore, the above scheme is vulnerable to insider attack.

Suppose an attacker steals or finds a lost smart card, he/she can extract the smart card parameters. The detail of guessing attack is demonstrated as follows. With the knowledge of MU’s identity IDMU and the information {Ci , g, y, n, IDHA , KMU , b, h(.)} stored in the smartcard, an adversary can launch offline password guessing attack. Though the adversary may guess a password PW D∗MU to derive Ci∗ . Where Ci∗ = h(h(IDMU )  h(b  PW D∗MU )). If this condition holds, the adversary has guessed the MU’s password correctly. Otherwise, the adversary attempts to guess a new password of the MU, until he succeeds. In general, the MU’s identity and passwords are usually human memorable and short strings. That is, both IDMU and PWDMU are low entropy keys. Therefore, it’s possible for an adversary to guess the password using exhaustive search. Hence, the scheme is vulnerable to password guessing attack.

5.6. Vulnerable to impersonation attack 5.2. Vulnerable to stolen-verifier attack The registration phase of this scheme, HA makes an entry for MU in it’s database. Subsequently, HA stores an enciphered form of {IDMU , XMU , TR } in this entry (see Fig. 2). The encrypted data in HA is not 100 percent secure. Because, every encryption mechanism there is a key, after encrypting the parameters of HA’s database the encryption key should be stored in same HA. The key appears as a plain text and stored in HA’s verifier table, the malicious attacker registered with same HA can easily crack the authentication parameters in its database using the secret key obtained from HA’s verifier. As a result, the scheme is vulnerable to stolen-verifier attack.

An attacker can impersonate a legal MU by successfully logging, spoof the FA and HA. The attacker achieves mobile user’s identity (IDMU ) and password (PWDMU ) as described earlier in Sections 5.2, 5.3 and 5.5. The attacker achieves smartcard parameters by sidechannel attack techniques [26,27,29]. Subsequently,the smartcard  chooses a random number x and computes the following: 

B1 = gx mod n 

B2 = yx mod n SID = (IDMU ||B1 )B2  h(B1  B2 )

5.3. Absence of user anonymity User anonymity in the global mobility environment is to maintain the confidentiality of mobile users identity, namely to prevent an eavesdropper from discovering a correspondence between a mobile user and a particular subscriber registered on a certain mobile network. Anonymity can be provided to the mobile users through either assigning a kind of alias or encrypting the real identity. Assume a malicious attacker has registered at the same HA. Then, he/she can reveal the MU’s identity IDMU by performing dictionary attack on HA’s database {IDMU , XMU , TR } as discussed in 5.2. Besides, the inside attacker can easily records the plain text pattern of IDMU from the message M = {IDMU , (PW DMU  b)} transmitted during registration phase through secure channel. Therefore, the scheme fails to achieve user anonymity.

K = KMU  h(b  PW DMU ) = h(IDMU ||IDHA ||XMU ||TR ) V1 = h(K ||B2 ||SID||TMU ) Then, MU sends the login request message M1 = {B1 , SID, IDHA , V1 , TMU } to the foreign agent FA. Afterwards, the FA and HA successfully follows the subsequent steps of authentication phase. Since, login message sent by an attacker is valid. An attacker can cheat FA as well as HA, therefore this scheme is vulnerable to impersonation (forgery attacks) attack.

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

101

Fig. 2. Insider attack model.

5.7. Vulnerable to denial of service attack In this scheme an attacker can update false verification information of a legal user for the next login phase. After that the legal user is unable to login successfully any more. Since, adversary A has known MU’s identity and password as discussed in Section 5.6. Accordingly, an attacker can change the password using password change phase. 1. An attacker inputs IDMU and PW D∗MU . Then, he/she submits a password change request. 2. The smartcard computes Ci∗ = h(h(IDMU )  h(b  PW D∗MU )), ?

and checks whether Ci∗ = Ci . 3. If the verification succeeds, the attacker enters his new password PW DMUNew . Then, the smart card computes

CiNew = h(h(IDMU )  h(b  PW DMUNew ))mod n ∗ KMU = KMU  h(b  PW DMU )  h(b  PW DMUNew )

= h(IDMU ||IDHA ||XMU ||TR )  h(b  PW DMUNew ) ∗ } in the smartcard. Once the and replaces {Ci , KMU } with {CiNew , KMU ∗ values of CiNew , KMU are updated, the legal mobile user cannot login successfully even if he gets his smartcard back. Because, the

attacker updated his own password PW DMUNew in the smartcard. Therefore, the legal user login request will be denied during the login phase, as a result, the scheme is vulnerable to the denial of service attack.

5.8. Clock synchronization problem Clock synchronization is difficult and expensive in existing network environments especially in mobile networks [30]. Marimuthu and Saravanan Scheme employs the additional clocks (timestamp mechanism) to resist replay attacks, which are not suitable for real time mobile applications. Assume that mobile jammers are used in the places where a mobiles would be particularly disruptive like temples, libraries, hospitals, cinema halls, schools, colleges etc. These jammers are used to prevent mobile devices from receiving or transmitting signals with the base stations. In this authentication scheme a sequence of messages {M1 , M2 , M3 , M4 } associated with timestamps such as {TMU , TF A , TH , TF }, which are transmitted between MU, FA and HA. In case of mobile jammers or due to network failure, the reception of authentication messages will be delayed. Upon receiving the messages {M1 , M2 , M3 , M4 }, each entity checks for freshness of timestamp by comparing with its current timestamp value and expected time interval T. If verification fails, the particular mobile entity simply rejects the authentication messages sent by other entities (see Fig. 4). Therefore, the legal user

102

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

Fig. 3. Pre-distribution of static key KFH .

login request will be denied during the authentication phase, as a result, the scheme suffers from clock synchronization problem. 5.9. Inefficiencies due to unnecessary encryptions In registration and authentication phase of the above scheme includes more number of encryption and decryption operations, which increases the computational complexity of the system. For example, the inputs of encrypted output W1 are rf , B1 , KFH , V1 and SID. Unfortunately, all these inputs are known to the entities, which have been participated in communication such as MU, FA, HA and to the attacker A. With respect to the cryptographic service of integrity, the encryption of a known message is unnecessary. 6. The proposed scheme In this section, the important security requirements of authentication scheme for wireless mobile networks will be discussed. In 2012, Madhusudhan and Mittal [31] pointed out that earlier security requirement criteria sets, have ambiguities and redundancies and thus they developed a new criteria set of nine security requirements and ten design goals to evaluate the goodness of authentication schemes. This criteria set is a refinement of earlier security requirement criteria sets. Therefore, we prefer Madhusudhan–Mittal’s criteria set as a representative benchmark. The design goals of the proposed scheme involves resistance to security threats and computational efficiency. Then, we proposed a secure and lightweight user authentication scheme for roaming service in global mobile networks (Fig. 5).

6.1. Security requirements The essential security requirements of roaming services in global mobile networks will be discussed in this section.

SR1 User anonymity and untraceability: The identity of the MU should be kept secret from third party, including FA. Untraceability means for an attacker, it should be infeasible to link two conversations originated from the same MU. SR2 Mutual authentication: To avoid forgery attacks, a secure authentication is ensured between the MU, FA and the HA. All these entities should authenticate each other. In every session the FA and MU should be able to generate a secret key. SR3 Robustness against attacks: The protocol should be able to resist various attacks such as insider attack, replay attack, stolen-verifier attack, password guessing attack and impersonation attacks even if an adversary knows all information stored in the smartcard. SR4 Perfect forward secrecy: Which means that even if the adversary compromises previous session key between the MU and the FA, it cannot derive a new session key. SR5 Local password verification: The MU smart card must verifies the validity of identity and password of the user, before communicating with foreign agent FA or HA. SR6 Session key security and fairness: The mutual authentication between MU and FA is not sufficient to provide the data confidentiality, a session key negotiation is also important for establishing a secure channel between them.

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

103

Fig. 4. Clock synchronization problem.

SR7 No time synchronization: The authentication scheme should not require additional clocks or clock synchronization mechanisms. SR8 User friendliness: The mobile user should freely choose his/her own password and identity. Also, MU should allowed to change the password without the assistance of HA. The proposed scheme is divided into the following phases: the initialization phase, registration phase, login phase, authentication phase and the password change phase.

6.3. Registration phase If the mobile user wants to register with its home agent, he/she must send the necessary information through a secure channel. The procedure of registration phase is shown in Fig. 4. R1: A new mobile user chooses his/her identity IDMU , password PWMU and generates a random nonce N. Then, MU computes and submits R1 = h(IDMU ||N ) to its HA through secure channel. R2: Upon receiving R1 , the HA computes as follows

R = (R1 ||IDHA ||d ) a = h (d ) 6.2. Initialization phase The HA choose two prime numbers p, q and g is generator of a finite field in Z ∗p . It computes n = p × q and (n ) = ( p − 1 ) × (q − 1 ). Next, HA selects an integer e such that gcd (e, (n )) = 1 and 1 < e < (n). Then, HA calculates the value of an integer d such that d = e−1 where d is the HA’s secret key, and y = gd mod n; y is the public key. The HA keeps [d, p, q] secretly like above discussed Marimuthu and Saravanan’s scheme.

CMU = (ga mod p)  h(R ) then, HA Initializes the counter value K=0 for MU and stores {K, R} in its database. Finally, HA sends {R, CMU , K, h(.)} to MU through secure socket layer. R3: After receiving authentication information from HA, the MU device computes

KMU = h(IDMU ||PWMU ||R )

104

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

Fig. 5. Registration phase of the proposed scheme.

then, stores {KMU , R, CMU , K, h(.)} on his/her mobile device and threshold timeout is set to ensure correctness of the authentication information. If the information stored in the device may be altered maliciously or carelessly. In these cases,

the user has to re-register to get the new authentication information when he/she does not receive HA’s response in the threshold time.

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

6.4. Login and authentication phase We consider the scenario where a mobile user MU, associated with its home agent HA, is visiting a foreign network with the foreign agent FA, and tries to access services. The procedure of login and authentication phase is depicted in Fig. 6. A1: MU −→ F A : M1 = {U, V, W } The MU first retrieves the authentication information stored on the device and inputs IDMU and PWMU . Then, the device ∗ = h (ID computes KMU MU ||PWMU ||R ) and verifies whether ∗ KMU = KMU or not. If verification fails, the session is terminated. Otherwise, the legality of MU is ensured, then MU chooses a random number RMU . Then computes

U = R  RMU V = (CMU  h(R )||IDF A )  RMU W = (U ||K ||CMU  h(R )) Finally MU sends message M1 = {U, V, W } to the FA. A2: F A → HA : M2 = {IDF A , EKF H (M1, RF A )} After receiving M1 , FA generates a random number RFA and FA encrypts the message M1 with random number RFA , after that, FA sends the encrypted information with its identity IDFA to the HA. A3: HA → F A : M3 = {EKF H (SK )} Upon receiving the message M2, HA checks for the identity IDFA and find secret key corresponding to IDFA , then deciphers the received information and performs authentication on it. If authentication successful, then HA generates a SK for communication between FA and MU. If verification fails, then HA rejects the login request M2 . The procedure of authentication performed by HA is as follows.

DKF H (EKF H (M1, RF A )) a = h(d ), ga mod p R∗MU = V  ((ga mod p)||IDF A ) R∗MU = (CMU  h(R )||IDF A )  RMU  ((ga mod p)||IDF A ) R∗MU = RMU R∗ = U  R∗MU Check whether R∗ exists in HA. If it so, HA authenticates MU. Otherwise, HA terminates the session. Compute W ∗ = (U ||K ||(ga mod p)). Check whether W∗ is equal to W, if the comparison succeeds, HA authenticates MU. Otherwise, the HA terminates the authentication process. Compute session key SK = h(ga mod p)  RMU  RF A then, HA computes the message M3 = {EKF H (SK )} and sends to FA. A4: F A → MU : M4 = {X, RF A } After receiving M3 , FA computes

DKF H (EKF H (SK )) X = h(SK ||RF A ) then, sends the message M4 = {X, RF A } to MU

105

A5: Upon receiving M4 , MU generates a session key SK as follows

SK ∗ = CMU  h(R )  RMU  RF A X ∗ = h(SK ∗ ||RF A ) Verify whether computed X∗ is equal to the received X, if the verification succeeds, MU authenticates the FA, otherwise, MU stops the process. 6.5. Password change phase In this phase the MU can freely change his/her password. The mobile user requires no communication with FA or its HA during password change. The detail steps of the password change phase are: 1. If a legal MU wants to change the password, then MU inputs his/her identity IDMU , password PWMU and the password change request will be submitted through terminal. ∗ = h (ID 2. The MU’s device computes KMU MU ||PWMU ) and verifies ?

∗ =K whether KMU MU . If verification succeeds the legality of MU is ensured. Otherwise, the request is rejected. New . Then computes K New = 3. The MU inputs new password PWMU MU New h(IDMU ||PWMU ) After that, the MU’s device replaces old KMU New . with new KMU

7. Security analysis In this section we analyze and demonstrate that the proposed authentication scheme can withstand all possible security attacks in global mobile networks. 7.1. User anonymity and untraceability In this proposed scheme, one-way hash function is used to achieve the user anonymity. During registration, MU transmits the identity with random nonce N {R1 = h(IDMU ||N )} to HA via secure channel. In addition, the HA will not keep MU’s registration request R1 in it’s database. In this regard, it is impossible for an adversary to obtain the identity of MU. From Fig. 6, we can see that the proposed scheme reveals no information about the identity IDMU of the user in login and authentication phase. Assume that an attacker eavesdrops on the message M1 = {U, V, W, TMU } communicated between the MU and FA. The proposed protocol does not contain a user specific values in M1, due to random number RMU is generated in every login request. Therefore, the login message M1 is consists of different values of {U, V, W}. So, the attacker cannot derive specific value R from U = (R  RMU ) in login request message. Thus, the anonymity of mobile user is ensured. Also, the communication messages shared between the parities U, V, W are changed in every session due to employing the random numbers. Therefore adversary cannot trace the user current location. As a result, the proposed scheme preserves untraceability. 7.2. Mutual authentication To avoid forgery attacks, a secure authentication is ensured between the MU, FA and the HA. All these entities should authenticate each other. In every session the MU FA and MU entities are able to generate a session key. In the proposed protocol, the mutual authentication between FA and HA is achieved by decrypting and verifying the authentication parameters present in the messages M1, M2, M3, M4 received by MU,FA and HA. Mutual authentication of the proposed protocol is described through the following cases.

106

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

Fig. 6. The login and authentication phases of the proposed scheme.

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

Case 1: Mutual authentication between MU and HA In this scenario, mobile user can authenticates home agent by receiving M4 and verifying the session key SK ∗ = CMU  h(IDMU )  RMU  RF A in step A5 of the login and authentication phase. Similarly, HA can authenticate MU by receiving ?

?

M2 , verifying R∗ = R and W ∗ = W in step A3 of the authentication phase. Case 2: Mutual authentication between HA and FA In this scenario, home agent authenticates the foreign agent by validating IDFA present in the message M2 in step A3 of the login and authentication phase. Similarly, FA can authenticate HA by verifying a random number RFA present in M3 in step A4 of the login and authentication phase. Case 3: Mutual authentication between MU and FA In the login and authentication phase, MU and FA can au?

thenticates each other by receiving M4 , checking X ∗ = X. Consequently, mutual authentication between MU and FA is provided in the proposed scheme. 7.3. Security against impersonation attacks 7.3.1. MU impersonation attack In order to forge MU, an attacker should have IDMU and PWMU . Suppose, an attacker compromised MU s IDMU , PWMU but the login credentials {KMU , R, K, CMU , h(.)} are safe and secure in the mobile device. Then, it is obvious that attacker is infeasible to get the ∗ = h (ID composition of R to compute KMU MU ||PWMU ||R ) and unable succeed the login process. Consider the MU’s device is stolen and compromised, the attacker can retrieve the values {KMU , R, K, CMU , h(.)} from it. However, this time an attacker knows neither IDMU nor PWMU , and ∗ . Therefore, the proagain he cannot computes the value of KMU posed protocol resist against MU impersonation attack. 7.3.2. FA impersonation attack Without knowledge of the secret keys KFH , d at FA and HA, an adversary will not be able to forge the message M2 . Because, FA cannot compute the correct EKFH (M1, RFA ). Besides, FA and HA uses Diffie–Hellman keys for mutual authentication, the attacker is not able to cheat either of them due to the intractability of ECDH (elliptic curve Diffie–Hellman) problem. Additionally, without knowledge of the session key SK of MU and FA, an adversary can’t forge the message M4 . Therefore, the proposed authentication scheme prevents FA impersonation attack. 7.3.3. HA impersonation attack Without knowledge of the secret key d of HA and KFH is preshared in between FA and HA, the attacker is not able to forge the message M3 = {EKF H (SK )}. Because, he cannot derive RFA , RMU to compute session key SK. Therefore, the proposed scheme withstand the HA impersonation attack. 7.4. Security against off-line dictionary attack There is no way for an adversary A to retrieve MU’s password PWMU based on the eavesdropped authentication messages {M1 , M2 , M3 , M4 }. Because, these messages do not contain any information of MU’s password. Suppose an attacker A steals MU’s authentication information {KMU , R, CMU , K, h(.)} and tries to retrieve password PWMU from KMU = h(IDMU ||PWMU ||R ). However, this is not possible. Since, the MU’s identity and password are concealed with secure one-way hash function so it is impossible for A to guess both identity and password. In addition, it is impossible for an attacker A to recover the HA’s secret key d from the MU’s authentication information or eavesdropped messages. Therefore, the proposed scheme can withstand offline dictionary attack.

107

7.5. Security against replay attack In the proposed scheme there is no timestamps used to prevent replay attacks. An attacker may intercept messages {M1 , M2 , M3 , M4 } are transmitted between MU, FA and HA. An adversary may replay the old message M1 = {U, V, W } to the FA and then receives the message M4 = {X, RF A }. However, an adversary cannot obtain the valid session key SK = h(ga mod p)  RMU  RF A without knowing the random numbers RMU and RFA . As a result, an adversary cannot access the required services from FA. Furthermore, in order to prevent replay attack, we used the counter based authentication system. HA can detect the attack by examining the counter value K of MU. The home agent checks the received counter value K present in the login message with stored value of K. If verification fails, HA rejects the login request. Therefore, the proposed scheme can prevent the replay attack. 7.6. Resistance to insider attack In the real environment, it is conventional that many users use the same password PWMU to access different servers or home agents for convenience. Now, if a privileged insider of the HA has learned the MU s password, he/she may try to impersonate the legitimate MU to login other servers where MU could be a registered user. In the registration and authentication phases of the proposed scheme, mobile users need not to submit their passwords PWMU to the HA. Thus, a privileged insider of the HA could not get any information about a registered MU s password. Hence, insider attack is prevented. Further, a legal mobile user cannot perform an insider attack to cheat HA. Because, it’s very difficult to derive the secret value d from the HA. Besides, in the password change phase, MU can easily change his password PWMU without the assistance of the HA. Therefore the insider has no chance/clue to obtain MU s password, Therefore, the proposed scheme can withstand the insider attack. 7.7. Accomplishment of the fair key agreement In the proposed scheme, the mutual authentication and key agreement protocol ends up with MU and FA agreeing on SK, a session key containing equal contribution from all parties SK = h(ga mod p)  RMU  RF A . In this protocol, the adversary does not know the values of {a, RMU , RFA } so, he/she cannot compute the SK directly. Also, the protocol achieves forward secrecy. Because, the value of RMU is freshly generated in every authentication session, all the past session keys will remain secure even if the secret key d is compromised. Which signifies the fairness of key agreement and achieves the perfect forward secrecy. 7.8. Resistance to stolen-verifier attack In this attack, an attacker steals the password verifier table from HA and applies the password guessing attack on it to derive MUs password PWMU . In the proposed scheme, HA and FA does not maintain any password-verifier tables to store the password related information. Furthermore, HA’s database contains encrypted identity of user MU and no clue about the users password. Therefore, in the proposed protocol the adversary cannot launch stolenverifier attack. 7.9. Local password verification In the proposed scheme, the mobile device validates identity (IDMU ) and password (PWMU ) of the mobile user, before communicating with the FA. An attacker cannot compute the correct KMU

108

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110 Table 2 Functionality comparison. Security requirements

Proposed scheme

Scheme [2]

Scheme [12]

Scheme [32]

User anonymity Mutual authentication Insider attack Off-line password guessing attack Replay attack Perfect forward secrecy Stolen-verifier attack Local password verification Fair key agreement No time synchronization User friendliness

          

      ×   × 

× ×       × × 

×    ×  × × × × 

Table 3 Performance comparison. Computation

Proposed scheme

Scheme [2]

Scheme [12]

Scheme [32]

CMU CFA CHA CMU−FA CFA−HA

5th th + 2tsym 3th + tm + 2tsym 1 1

8th + 2tse + tm 3th 8th + tqr + 3tsym 1 1

10th + 2tsym th + 4tasym 4th + 3tsym + 4tasym 1 1

9th + 2P 2th + 2P 6th 1 1

CMU : MU’s computation cost; CFA : FA’s computation cost; CHA : HA’s computation cost; CMU−FA : Communication rounds between the MU and FA; CFA−HA : Communication rounds between the FA and HA.

without the knowledge of IDMU , PWMU and R to succeed the ver∗ =K ification step KMU MU . Therefore, the proposed authentication scheme is designed to avoid unauthorized use of mobile devices by verifying the password locally.

8. Functionality features and performance analysis In this section, we compare the functionality and performance of the proposed scheme with some other related schemes [2,12,32]. 8.1. Functionality comparison

7.10. Resistance to smart card loss attack An attacker robs users smart cards to take out the contents by the power consumption attack and reverses the engineering techniques known as burglarized smart card attack. The proposed scheme does not use smart card based authentication mechanism. The proposed scheme makes use of memory devices such as USB sticks, mobile phones etc., during registration the HA transmits authentication information to the mobile user through secure socket layer instead of storing details in the smart cards. As a result, the proposed scheme avoids smart card loss attack.

7.11. The clock synchronization problem Remote user authentication schemes employing timestamps to provide message freshness may still suffer from replay attacks as the transmission delay is unpredictable in existing networks. In addition, clock synchronization is difficult and expensive in existing network environments. Hence, the proposed scheme does not employ the timestamp mechanism to synchronize the time between mobile entities MU, FA and HA. Therefore, in the proposed scheme there is no additional clocks are required for clock synchronization.

7.12. User friendliness In the proposed scheme, MU can freely choose his/her own identity IDMU and password PWMU without HA assistance. In other hand, MU permits to change PWMU in short period of time. Since, the MU does not required to go through the entire login procedure, which saves the time as well as minimizes the computational complexity of authentication system. Therefore, the proposed scheme is simple and user friendly.

Table 2 lists the functionality comparison of the proposed scheme with other related works. The security requirements as discussed in Section 6.1, it is obvious that the proposed scheme has many excellent features and is more secure than other related schemes. Therefore, the proposed scheme provides better security protection for the roaming users. 8.2. Performance comparison Due to the resources constraints of wireless mobile network environments in terms of bandwidth, memory, power, processor, etc., the authentication scheme must take efficiency into account. Generally, the efficiency estimation is performed in terms of communication and computation cost. The notations used in Table 3, are as follows: tqr is the time complexity of computing a square root modulo n. The time complexity of the hash computation is given by th . The time complexity of the modular squaring computation is tm . The time complexity of the symmetric encryption and decryption is tsym . The tasym is defined as the time complexity of the asymmetric encryption/decryption and tse is the computational cost of one small-modular exponent. The proposed scheme includes few encryption/decryption primitives, modular operations of higher computation cost in MU. Which performs five hash operations in MU. The FA requires one hash function and two encryption/decryption operations to form a messages to HA and MU. The HA requires one exponentiation to authenticate the mobile user MU, two encryption/decryption operations and performs three hash operations. Comparison with respect to the number of cryptographic operations needed for the registration, login and authentication and password change phase of the proposed scheme and other related schemes [2,12,32] have been listed in Table 4. Table 5, shows a communication cost comparison of the schemes in [2,12,32] and the proposed scheme. In

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

109

Table 4 Efficiency comparison of the proposed scheme. Phase

Operation

Proposed scheme

Scheme [2]

Scheme [12]

Scheme [32]

Registration phase

HF E/D

3 0

5 1

7 1

2 0

Login phase

HF MM ME PM E/D

7 0 2 0 4

24 1 3 0 3

17 0 0 0 13

17 0 0 6 0

Password change

HF E/D

2 0

10 0

7 0

6 0

Total no of operations

HF MM ME PM E/D

12 0 2 0 4

39 1 3 0 4

31 0 0 0 14

25 0 0 6 0

HF: Hash Function; MM: Modular Multiplication; ME: Modular Exponentiation; PM: Point Multiplication on ECC; E/D: Encryption and Decryption. Table 5 Comparison of communication cost(bits). Phase

Proposed scheme

Scheme [2]

Scheme [12]

Scheme [32]

Registration phase Login phase Authentication and key establishment Password change Total cost

640 480

1120 800

640 640

640 800

960 – 2080

2400 – 4320

2560 – 3840

2880 320 4640

order to estimate communication cost, we assumed that the length of message digest, random number, the user information are 160 bits each and the length of the elliptic curve point and SHA-1 are 320 bits and 160 bits, respectively. From the table, we observed that the communication cost of the proposed scheme is lower than the schemes in [2,12,32]. The proposed scheme does not require additional clock synchronization mechanisms. Above all, the proposed scheme provides a great improvement in terms of security strength. Also, it preserves the low computation. Therefore, the proposed scheme can efficiently authenticate the roaming users in global mobile network. In the proposed scheme there is only few encryption and decryption primitives. Which is designed using only hash functions, symmetric cryptographic primitives with modular exponentiation. Above all, our proposed scheme provides a great improvement in terms of security strength. Also, it preserves the low computation cost. Therefore, it is a secure, light-weight and efficient authentication scheme. 9. Conclusion In this paper, we have analysed Marimuthu and Saravanan’s scheme and shown that, this scheme suffers from insider attack, stolen-verifier attack, offline guessing attack, denial of service attack, impersonation attack and clock synchronization problem. Also, the scheme does not ensure user anonymity. In order to overcome the security flaws of their scheme, we proposed a robust authentication protocol for roaming service in global mobile networks. The proposed scheme uses a common storage devices such as USB, mobile device instead of smart cards to authenticate the roaming users. Mobile devices, USB sticks are commonly used these days and offer several benefits such as low cost, convenience, expandability, auto-configuration. The primary merit of our scheme is simplicity with security strength and practicality for implementation under expensive and insecure network environments, especially in wireless and mobile networks.

Supplementary material Supplementary material associated with this article can be found, in the online version, at 10.1016/j.jisa.2017.12.002. References [1] Suzuki S, Nakada K. An authentication technique based on distributed security management for the global mobility network. Sel Areas Commun IEEE J 1997;15(8):1608–17. [2] Karuppiah M, Saravanan R. A secure authentication scheme with user anonymity for roaming service in global mobility networks. Wireless Pers Commun 2015;84(3):2055–78. [3] Jiang Q, Ma J, Li G, Yang L. An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks. Wireless Pers Commun 2013;68(4):1477–91. [4] Samfat D, Molva R, Asokan N. Untraceability in mobile networks. In: Proceedings of the 1st annual international conference on mobile computing and networking. ACM; 1995. p. 26–36. [5] Ha J. An efficient and robust anonymous authentication scheme in global mobility networks. Int J SecurAppl 2015;9(10):297–312. [6] Yoon E, Yoo K, Young, Ha K. A user friendly authentication scheme with anonymity for wireless communications. Comput Electr Eng 2011;37(3):356–64. [7] Zhao D, Peng H, Li L, Yang Y. A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wireless Pers Commun 2014;78(1):247–69. [8] Lee C, Hwang M, Liao E. Security enhancement on a new authentication scheme with anonymity for wireless environments. Ind Electron IEEE Trans 2006;53(5):1683–7. [9] Chang C, Lee C, Chiu Y. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Comput Commun 2009;32(4):611–18. [10] Youn T, Park Y, Lim J. Weaknesses in an anonymous authentication scheme for roaming in global mobility networks. Commun Lett IEEE 2009;13(7):471–3. [11] Li C, Lee C. A novel user authentication and privacy preserving scheme with smart cards for wireless communications. Math Comput Model 2012;55(1):35–44. [12] He D, Ma M, Zhang Y, Chen C, Bu J. A strong user authentication scheme with smart cards for wireless communications. Comput Commun 2011;34(3):367–74. [13] Jiang Q, Ma J, Li G, Ma Z. An improved password-based remote user authentication protocol without smart cards. Inf Technol Control 2013;42(2):113–23. [14] Zhu J, Ma J. A new authentication scheme with anonymity for wireless environments. Consum Electron IEEE Trans 2004;50(1):231–5.

110

R. Madhusudhan, Shashidhara / Journal of Information Security and Applications 38 (2018) 96–110

[15] Wu C, Lee W, Tsaur W, et al. A secure authentication scheme with anonymity for wireless communications. IEEE Commun Lett 2008;12(10):722–3. [16] Wang R, Juang W, Lei C, et al. A robust authentication scheme with user anonymity for wireless environments. Int J Innovative ComputInf Control 2009;5(4):1069–80. [17] Jeon W, Kim J, Lee Y, Won D. Security analysis of authentication scheme for wireless communications with user anonymity. In: Information technology convergence, secure and trust computing, and data management. Springer; 2012. p. 225–31. [18] Mun H, Han K, Lee YS, Yeun CY, Choi HH. Enhanced secure anonymous authentication scheme for roaming service in global mobility networks. Math Comput Model 2012;55(1):214–22. [19] Xie Q, Hong D, Bao M, Dong N, Wong DS. Privacy-preserving mobile roaming authentication with security proof in global mobility networks. Int J Distrib Sens Netw 2014;2014. [20] Yang H, Chen J, Zhang Y. An improved two-party authentication key exchange protocol for mobile environment. Wireless Pers Commun 2015;85(3):1399–409. [21] Gope P, Hwang T. An efficient mutual authentication and key agreement scheme preserving strong anonymity of the mobile user in global mobility networks. J Netw Comput Appl 2016;62:1–8. [22] ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. In: Advances in cryptology. Springer; 1984. p. 10–18.

[23] Diffie W, Hellman ME. New directions in cryptography. Inf Theory IEEE Trans 1976;22(6):644–54. [24] Standard SH. Technical report fips pub 180-1. US Department of Commerce/National Institute of Standards and Technology; 1995. [25] Xu J, Zhu W, Feng D. An improved smart card based password authentication scheme with provable security. Comput Stand Interfaces 2009;31(4):723–8. [26] Kocher P, Jaffe J, Jun B. Differential power analysis. In: Advances in CryptologyCRYPTO99. Springer; 1999. p. 388–97. [27] Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. Comput IEEE Trans 2002;51(5):541–52. [28] Ma C, Wang D, Zhao S, Dong. Security flaws in two improved remote user authentication schemes using smart cards. Int J Commun Syst 2014;27(10):2215–27. [29] Kasper T, Oswald D, Paar C. Side-channel analysis of cryptographic rfids with analog demodulation. In: RFID. Security and privacy. Springer; 2011. p. 61–77. [30] Giridhar A, Kumar P. Distributed clock synchronization over wireless networks: algorithms and analysis. In: Decision and control, 2006 45th IEEE conference on. IEEE; 2006. p. 4915–20. [31] Madhusudhan R, Mittal R. Dynamic id-based remote user password authentication schemes using smart cards: a review. J Netw Comput Appl 2012;35(4):1235–48. [32] Kuo W-C, Wei H-J, Cheng J-C. An efficient and secure anonymous mobility network authentication scheme. J Inf Secur Appl 2014;19(1):18–24.