Sage Journals: Discover world-class research

Abstract

Mobile roaming authentication scheme achieves the mutual authentication and session key establishment between the mobile user and the foreign agent. In 2013, Xie et al. pointed out that Chen et al.'s scheme is vulnerable to offline password attack, and does not achieve fair session key generation, user untraceability, user friendliness, and perfect forward secrecy, and then they proposed an improved scheme. In this paper, we propose an improvement of Xie et al.'s scheme, since the foreign agent may confuse the mobile users when multiple mobile users simultaneously access the foreign agent in Xie et al.'s scheme. Further, we prove the formal security of the proposed scheme, and present the performance comparison between our scheme and some related schemes. The proposed scheme is more efficient and secure than other related schemes and is suitable for using in the global mobility network.

1. Introduction

With the rapid development of mobile technology such as 3G and 4G wireless networks, more and more mobile users can access services in global mobility networks. A typical mobile roaming authentication scheme includes three parties: a mobile user, a foreign agent, and a home agent; both the mobile user and the foreign agent should authenticate each other before establishing the session key. Privacy-preserving is usually referred to as user anonymity and user untraceability. It is important to protect the user's privacy, such as what the users did or where the users accessed, from the attacker even if he accesses to user's records. Strong anonymous mobile roaming authentication means that only the home agent can know the mobile user's identity, but adversary or foreign agent cannot. Since wireless network is more vulnerable to several attacks and mobile terminals' computational power is limited, therefore, how to design the secure and efficient authentication scheme for roaming service with strong anonymity in global mobility networks is brought into much attention.

In 2004, Zhu and Ma [1] proposed a first anonymous authentication scheme for wireless communications. Lee et al. [2] showed that their scheme is vulnerable to forgery attacks and does not provide perfect backward secrecy and mutual authentication and proposed an improved scheme. Later, Chang et al. [3], Wu et al. [4], and Xu et al. [5] pointed out that Lee et al.'s scheme cannot achieve privacy-preserving and proposed an improved scheme, respectively. However, Youn et al. [6] showed that Chang et al.'s improved scheme does not achieve user anonymity and provide secure key establishing service, and Mun et al. [7] showed that Wu et al.'s scheme does not achieve anonymity and perfect forward secrecy. In 2011, He et al. [8] proposed a two-factor user authentication scheme for wireless communications. But Li and Lee [9] demonstrated that He et al.'s scheme has several weaknesses such as lacks of user friendliness, user anonymity, and fairness of key agreement, and then they proposed an improvement of He et al.'s scheme. However, Hu et al. [10] showed that Li et al.'s improved scheme cannot resist the foreign agent's impersonation attacks and proposed an improved scheme. In 2011, Chen et al. [11] proposed a lightweight anonymous user authentication for roaming in the global mobility network, but Xie et al. [12] showed that their scheme is vulnerable to offline password attack and does not achieve fair session key generation, user untraceability, user friendliness, and perfect forward secrecy; then they proposed an improved scheme to overcome the weaknesses of Chen et al.'s scheme. Very recently, Chen et al. [13] and Xie et al. [14] proposed some other anonymous authentication schemes for roaming service in global mobility networks.

In this paper, we first propose a strong anonymous mobile roaming authentication scheme in the global mobility network, which is a modified version of [12], the preliminary version of our work. In [12], there is no formal model and no formal proof of the proposed scheme and no performance comparison between the proposed scheme and some related schemes. On the other hand, the scheme in [12] may be impractical; the reason is that the foreign agent does not confirm who is authenticated by the home agent; when multiple mobile users simultaneously access the foreign agent, the foreign agent may confuse the mobile users. Moreover, an adversary can know the $M U$ 's temporary certificate generated by $F A$ if the adversary can know the session key; thus, the mobile user's information may be divulged. After that, we prove the formal security of the proposed scheme. Finally, we present the performance comparison between our scheme and some related schemes.

The rest of this paper is organized as follows. Section 2 introduces the security model. The proposed scheme and security proof are given in Sections 3 and 4, respectively. After that, we present the performance comparison between the related schemes and ours in Section 5. Finally, we conclude the paper in Section 6.

2. Security Model

In this section, we recall the security model based on [15, 16].

2.1. Participants

In an authenticated key exchange (AKE) protocol, there are three different participants: a mobile user $M U$ , home agent $H A$ , and foreign agent $F A$ ; each of them may have certain number I of instances and may execute in the protocol at the same time. Each $M U$ has a low-entropy password $P W_{M U}$ chosen from a small dictionary D, and $H A$ and $F A$ hold some high-entropy private keys, respectively. When $M U$ registers to $H A$ , $H A$ will compute and store ${T K_{M U}, h (\cdot), I D_{M U}}$ to a smart card, which combined with $P W_{M U}$ , $M U$ 's identity $I D_{M U}$ , $H A$ 's identity $I D_{H A}$ , and hash function $h (\cdot)$ , and issue the smart card to $M U$ . The instance I of $M U$ (resp., $F A$ and $H A$ ) is denoted by $M U^{i}$ (resp., $F A^{j}$ and $H A^{k}$ ); $pi d_{U}^{i}$ is the partner identifier for an instance i.

2.2. Queries

The adversary's capabilities are captured by the following oracle queries.

$E x e c u t e (M U^{i}, F A^{j}, H A^{k})$ . The passive attack is captured by this oracle query. The adversary can get access to the honest execution process of the protocol between the instances.

$S e n d (I, m)$ . This query models an active attack; the adversary sends a message to instance I and gets the response message from instance I according to the protocol. A query $S e n d (M U^{i}, s t a r t)$ initializes the key agreement algorithm.

$R e v e a l (I)$ . This query allows the adversary to get some information about the session key of instance I.

$C o r r u p t (I, a)$ . The corruption capability of the adversary is modeled by this query. The adversary can obtain the secret value of $M U$ and messages stored in the smart card. (a)

If $a = 1$ , it outputs the $M U$ 's password $P W_{M U}$ .

(b)

If $a = 2$ , it outputs messages stored in the smart card.

$T e s t (I)$ . This oracle query is used to define semantic security of the session key of instance I. If session key is not defined or the instance is not fresh, then the invalid symbol ⊥ is returned. Otherwise, one flips a coin b, if $b = 1$ , and one returns the session key for instance I; otherwise, a random key with the same length is returned.

2.3. Freshness

The freshness of a session key is that the adversary does not trivially know the key. We say an instance I is fresh if (1) instance I has accepted; (2) no $R e v e a l (U^{i})$ and no $R e v e a l (pi d_{U}^{i})$ are queried by the adversary; (3) less than 2 $C o r r u p t (U, a)$ are queried by the adversary.

2.4. Semantic Security

Finally, the adversary outputs a bit $b^{'}$ . Let $S u c c$ be the event that the adversary A wins the game if $b^{'} = b$ . The AKE advantage of the adversary is defined as

\begin{matrix} A d v_{P A, D} (A) = 2 Pr [S u c c] - 1 . \end{matrix}

(1)

3. The Proposed Scheme

In this section, we demonstrate a practical scheme which is a modified version of our preliminary scheme in [12]. Some notations which will be used in this paper are defined as follows:

E: an elliptic curve defined over a finite field with large order n,

G: a generator on E with large order n,

$h ()$ : a one-way hash function,

$E_{k} [] / D_{k} []$ : the symmetric encryption/decryption functions with key k,

$T_{x}$ : a time stamp generated by an entity x,

N: a secret value of $H A$ ,

$S K_{F H}$ : a long-term common secretkey shared between $F A$ and $H A$ ,

$x_{0} \in Z_{q}^{*}$ , $y_{0} \in Z_{q}^{*}$ : random numbers chosen by $M U$ and $F A$ , respectively,

$S_{H A} = x_{H A}$ , $P_{H A} = x_{H A} G$ : $H A$ 's secret key and public key.

3.1. Registration

When a mobile user $M U$ wants to join the $H A$ , he needs to perform the following steps.

Step 1.

The mobile user $M U$ freely chooses his identity $I D_{M U_{}}$ and password $P W_{M U}$ . Then $M U$ submits $I D_{M U_{}}$ to $H A$ over a secure channel.

Step 2.

Upon receiving the message from $M U$ , the $H A$ computes $S I D_{M U} = E_{N} [(I D_{M U} ∥ I D_{H A})]$ , stores ${S I D_{M U}, h (\cdot)}$ into the smart card, and then returns it to the $M U$ .

Step 3.

The $M U$ computes

\begin{matrix} T K_{M U} = S I D_{M U} \oplus h (I D_{M U} \oplus P W_{M U}), \end{matrix}

(2)

stores

I D_{M U}

into the smart card, and replaces

S I D_{M U}

with

T K {}_{M U}

. Finally, the smart card contains

{T K_{M U}, h (\cdot), I D_{M U}}

The login and authentication phase of the proposed scheme is shown in Algorithm 1.

Algorithm 1: The proposed scheme: login and authentication phase.

MU FA HA

$X = x_{0} G$

$S I D_{M U} = T K_{M U} \oplus h (I D_{M U} \oplus P W_{M U}) \overset{m_{1} = {I D_{H A}, T_{M U}, E_{1}, X}}{\to}$

$D H_{M H} = x_{0} P_{H A} = x_{0} x_{H A} G$ ,

$E_{1} = E_{h (D H_{M H})} [S I D_{M U} ∥ I D_{M U} ∥ T_{M U}]$

$Y = y_{0} G$

$V = h (S K_{F H} ∥ m_{1} ∥ I D_{F A} ∥ T_{F A} ∥ I D_{H A} ∥ Y) \overset{m_{2} = {m_{1}, I D_{F A}, T_{F A}, V, Y}}{\to}$

$Check T_{F A}$ , V

$D H_{M H} = x_{H A} X = x_{0} x_{H A} G$

$\overset{m_{3} = {T_{H A}, X, E_{2}}}{\leftarrow} D_{h (D H_{M H})} [E_{1}]$

$D_{N} [S I D_{M U}]$

$I D_{M U} ? = I D_{M U}$

$E_{2}$

$D_{S K_{F H}} (E_{2})$

$\overset{m_{4} = {E_{3}, Y, X}}{\leftarrow} T_{H A}^{'} ? = T_{H A}, X^{'} ? = X$

$s k = y_{0} X = x_{0} y_{0} G$

$E_{3}$

$s k = x_{0} Y = x_{0} y_{0} G$

$D_{s k} [E_{3}]$

$h {((S I D_{M U} ∥ D H_{M H} ∥ T_{M U} ∥ Y))}^{'} ? = h ((S I D_{M U} ∥ D H_{M H} ∥ T_{M U} ∥ Y))$

The session key: $S K = h (s k ∥ X ∥ Y)$

3.2. Login

When $M U$ roams into the foreign network, he inserts his smart card into a device and inputs his password $P W_{M U}$ . Then the smart card performs the following steps.

Step 1.

It chooses a random number $x_{0}$ and computes $X = x_{0} G$ ,

\begin{array}{l} S I D_{M U}^{} = T K_{M U} \oplus h (I D_{M U} \oplus P W_{M U}) \\ = E_{N} [(I D_{M U} ∥ I D_{H A})], \\ D H_{M H} = x_{0} P_{H A}^{} = x_{0} x_{H A} G, \\ E_{1} = E_{h (D H_{M H})} [S I D_{M U} ∥ I D_{M U} ∥ T_{M U}], \end{array}

(3)

where

T_{M U}

is current timestamp.

Step 2.

It sends the login request $m_{1} = {I D_{H A}, T_{M U}, E_{1}, X}$ to the foreign agent $F A$ .

3.3. Authentication

Step 1.

The $F A$ checks the validity of the timestamp $T_{M U}$ by checking $T_{M U}^{'} - T_{M U} < Δ t$ , where $T_{M U}^{'}$ is the current time and $Δ t$ is a valid time interval. If it is valid, the $F A$ chooses a random number $y_{0}$ and computes $Y = y_{0} G$ and

\begin{matrix} V = h (S K_{F H} ∥ m_{1} ∥ I D_{F A} ∥ T_{F A} ∥ I D_{H A} ∥ Y), \end{matrix}

(4)

where a long-term common secret key

S K_{F H}

is shared between

H A

and

F A

, and

T_{F A}

is current timestamp.

F A

sends

m_{2} = {m_{1}, I D_{F A}, T_{F A}, V, Y}

to the

H A

Step 2.

The $H A$ checks the validity of the timestamp $T_{F A}$ . If it is valid, the $H A$ computes

\begin{matrix} V^{'} = h (S K_{F H} ∥ m_{1} ∥ I D_{F A} ∥ T_{F A} ∥ I D_{H A} ∥ Y) \end{matrix}

(5)

and compares it with the received V. If it does not match, the

H A

terminates this connection. Otherwise, it goes to the next step since only

F A

knows the

S K_{F H}

and only

F A

can generate the valid V.

Step 3.

The $H A$ computes $D H_{M H} = x_{H A} X = x_{0} x_{H A} G$ , computes $D_{h (D H_{M H})} [E_{1}]$ to obtain ${S I D_{M U}, I D_{M U}, T_{M U}}$ , and computes $D_{N} [S I D_{M U}]$ to get ${I D_{M U}, I D_{H A}}$ . In order to verify if $M U$ is a legal user or not, $H A$ compares $I D_{M U}$ with the decrypted $I D_{M U}$ . If they are equal, $H A$ believes that $M U$ is a legal user. Otherwise, $M U$ is illegal. Then $H A$ computes

\begin{matrix} E_{2} = E_{S K_{F H}} [h (S I D_{M U} ∥ D H_{M H} ∥ T_{M U} ∥ Y) ∥ T_{H A} ∥ X] \end{matrix}

(6)

and submits the message

m_{3} = {T_{H A}, X, E_{2}}

to the

F A

Step 4.

The $F A$ checks the validity of the timestamp $T_{H A}$ . If it is valid, the $F A$ decrypts $D_{S K_{F H}} (E_{2})$ to get ${h (S I D_{M U} ∥ D H_{M H} ∥ T_{M U} ∥ Y), T_{H A}^{'}, X^{'}}$ . Then, the $F A$ verifies $H A$ by comparing the decrypted timestamp $T_{H A}^{'}$ and $X^{'}$ to the received $T_{H A}^{}$ and X. If so, $F A$ can confirm that $M U$ has been authenticated by $H A$ , and $F A$ computes

\begin{matrix} s k = y_{0} X = x_{0} y_{0} G, \\ S K = h (s k ∥ X ∥ Y), \\ E_{3} = E_{s k} [h (S I D_{M U} ∥ D H_{M H} ∥ T_{M U} ∥ Y) ∥ X] . \end{matrix}

(7)

Then the $F A$ submits the message $m_{4} = {E_{3}, Y, X}$ to $M U$ .

Step 5.

On receiving the message $m_{4}$ from the $F A$ , the $M U$ computes $s k = x_{0} Y = x_{0} y_{0} G$ and $D_{s k} [E_{3}]$ to get ${(h (S I D_{M U} ∥ D H_{M H} {∥ T_{M U} ∥ Y))}^{'}, X}$ . Then, the $M U$ computes $h (S I D_{M U} ∥ D H_{M H} ∥ T_{M U} ∥ Y)$ and checks if it is equal to ${(h (S I D_{M U} ∥ D H_{M H} ∥ T_{M U} ∥ Y))}^{'}$ . If they are equal, then $M U$ believes that both himself and $F A$ are authenticated by $H A$ and computes the session key $S K = h (s k ∥ X ∥ Y)$ , which is shared with $F A$ .

3.4. Password Change

When mobile user $M U$ wants to change his password, he first passes through the authentication process with the $H A$ and $F A$ and then inputs his new password $P {W_{M U}}^{new}$ ; the smart card computes

\begin{array}{l} T {K_{M U}}^{new} \\ = T K_{M U} \oplus h (I D_{M U} \oplus P W_{M U}) \oplus h (I D_{M U} \oplus P {W_{M U}}^{new}) \end{array}

(8)

and replaces

T K_{M U}

with

T {K_{M U}}^{new}

4. Security Analysis

Theorem 1.

Let G and D be an elliptic curve group and a uniformly distributed password dictionary, respectively. Let P be our scheme, and let A be an adversary. Then, one has

\begin{array}{l} A d v_{P, D} (A) \\ \leq \frac{2 q_{s e n d}}{| D |} + 2 A d v_{G}^{E C D L P} (t + (q_{s e n d} + q_{e x e} + 1) \cdot τ_{G}) \\ + \frac{2 q_{s e n d}}{p} + \frac{2 q_{e}^{2} + q_{h}^{2} + {(q_{s e n d} + q_{e x e})}^{2}}{p}, \end{array}

(9)

where

q_{s e n d}

q_{e x e}

q_{h}

| D |

q_{e}

, and

τ_{G}

denote the number of

S e n d

-queries, the number of

E x e c u t e

-queries, the number of

H a s h

-queries, the size of D, the number of encryption/decryption queries, and the time of scale multiplication in G, respectively.

Proof.

We define a sequence of experiments starting at the real attack experiment $E x p_{0}$ and ending up the experiment $E x p_{5}$ . Let $S u c c_{i}$ be the event that the adversary guesses the bit b correctly involved in the $T e s t$ -query in the experiment $E x p_{i}$ , where $i = 0,1, \dots, 5$ . Let $Δ_{i}$ be the distance between $E x p_{i}$ and $E x p_{i + 1}$ . Then, we have

\begin{array}{l} A d v_{P, D} (A) \\ = 2 Pr [S u c c_{0}] - 1 \\ \leq 2 Pr [S u c c_{1}] + 2 (Pr [S u c c_{0}] - Pr [S u c c_{1}]) - 1 \\ \leq 2 Pr [S u c c_{2}] + 2 (Pr [S u c c_{1}] - Pr [S u c c_{2}]) \\ + 2 (Pr [S u c c_{0}] - Pr [S u c c_{1}]) - 1 \\ ⋮ \\ \leq 2 Pr [S u c c_{n}] + 2 \sum_{i = 0}^{n - 1} Δ_{i} - 1 . \end{array}

(10)

Experiment Exp ₀ . In the random oracle model, this experiment is the real attack. By definition, we have

\begin{matrix} A d v_{P, D} (A) = 2 Pr [S u c c_{0}] - 1 . \end{matrix}

(11)

Experiment Exp ₁. In this experiment, we simulate hash oracles and the encryption/decryption oracles (see Algorithm 2). $E x e c u t i o n$ , $R e v e a l$ , $S e n d$ , $C o r r u p t$ , and $T e s t$ oracles are also simulated (see Algorithms 3 and 4). We can see that Exp ₀ and Exp ₁ are indistinguishable unless the permutation property of E or D does not hold; we have

\begin{matrix} Δ_{0} = Pr [S u c c_{0}] - Pr [S u c c_{1}] \leq \frac{q_{e}^{2}}{2 p} . \end{matrix}

(12)

Experiment Exp ₂. In this experiment, we simulate all oracles as in the experiment Exp ₁ except that we cancel all executions in which some collisions occur in the transcript ${m_{1}, m_{2}, m_{3}, m_{4}}$ in the output of the hash queries. According to the birthday paradox, we have

\begin{matrix} Δ_{1} \leq \frac{q_{h}^{2} + q_{e}^{2} + {(q_{s e n d} + q_{e x e})}^{2}}{2 p} . \end{matrix}

(13)

Experiment Exp ₃. In this experiment, we cancel the executions wherein the adversary may be lucky in guessing the authentication values $E_{1}$ , V, $E_{2}$ , and $E_{3}$ . Since experiments $E x p_{3}$ and $E x p_{2}$ are indistinguishable unless home agent/foreign agent (or the mobile user) rejects a correct authentication value, we could get $Δ_{2} = q_{s e n d} / p$ .

Experiment Exp ₄. In this experiment, we use random value ( $A = a G$ , $B = b G$ , $Z = a b G$ ) instead of ( $X = x_{0} G$ , $Y = y_{0} G$ , $s k = x_{0} y_{0} G$ ) to compute $S K$ so that $S K$ is independent of X and Y. The experiments $E x p_{4}$ and $E x p_{3}$ are indistinguishable unless the event $A s k H_{4}$ occurs, where $A s k H_{4}$ denotes the event that the adversary uses $(A, B)$ to compute $S K$ . Therefore, we could get that $Δ_{3} \leq Pr [A s k H_{4}]$ , $Pr [S u c c_{4}] = 1 / 2$ .

Experiment Exp ₅. In this experiment, we introduce a random self-reducibility of the ECDL problem into the executions, given one ECDLP instance $(x_{0} G, y_{0} G)$ . The event that the adversary uses the $(A, B)$ to compute the session key is denoted by $k_{4}$ ; we may have $Pr [A s k H_{4}] = Pr [A s k H_{5}]$ and $Z = E C D L P (a G, b G)$ .

If the $C o r r u p t (U, 2)$ query has been made, it shows that the password-corrupt query $C o r r u p t (U, 1)$ has not been made. Then, in every transcript, the adversary only tests one password. Therefore, we can conclude that

\begin{array}{l} Pr [A s k H_{5}] \\ \leq \frac{q_{s e n d}}{| D |} + A d v_{G}^{E C D L P} (t + (q_{s e n d} + q_{e x e} + 1) \cdot τ_{G}) . \end{array}

(14)

Therefore, Theorem 1 is concluded.

Algorithm 2: Simulation of random oracle h, encryption oracle E, and decryption oracle D.

(i) On a hash query $h (m)$ , for which there exists a record $(m, r)$ appears in $Λ_{h}$ , return r.

Otherwise, choose an element $r \in Z_{p}^{*}$ , add the record $(m, r)$ to the list $Λ_{h}$ and return r.

(ii) On a query $E (M)$ , for which there exists a record $(M, *, *, C)$ appears in $Λ_{E}$ , return C.

Otherwise, choose an element C, add the record $(M, ⊥, E, C)$ to the list $Λ_{E}$ and return C.

(iii) On a query $D (C)$ , for which there exists a record $(M, *, *, C)$ appears in $Λ_{E}$ , return M.

Otherwise, choose an element M, add the record $(M, ⊥, D, C)$ to the list $Λ_{E}$ and return M.

Algorithm 3: Simulation of Send-query.

(i) On a query $S e n d (M U^{i}, s t a r t)$ , assuming $M U^{i}$ is in the correct state, we proposed

as login algorithm. Then the query is answered with ${I D_{H A}, T_{M U}, E_{1}, X}$ .

(ii) On a query $S e n d (F A^{i} (I D_{H A}, T_{M U}, E_{1}, X))$ , assuming $F A^{i}$ is in the correct state, we

proposed as login algorithm and authentication Step 1 algorithm. Finally, the query

is answered with ${I D_{H A}, T_{M U}, E_{1}, X, Y, I D_{F A}, T_{F A}, V}$ .

(iii) On a query $S e n d (H A^{i} (I D_{H A}, T_{M U}, E_{1}, X, I D_{F A}, T_{F A}, V, Y))$ , assuming $H A^{i}$ is in the

correct state, we proposed as authentication Step 2 and Step 3 algorithm. At last,

the query is answered with ${T_{H A}, X, E_{2}}$ .

(iv) On a query $S e n d (F A^{i} (T_{H A}, X, E_{2}))$ , assuming $F A^{i}$ is in the correct state, we proposed

as authentication Step 4 algorithm. The query is answered with ${E_{3}, Y, X}$ .

Algorithm 4: Simulation of Execute-, Reveal-, and Test-query.

(i) On a query $R e v e a l (M U^{i} / F A^{i})$ , we proposed as follows:

If the instance $M U^{i}$ has accepted, the query is answered with the session key.

(ii) On a query $E x e c u t e (M U^{i}, F A^{j}, H A^{k})$ , we proposed as follows:

${I D_{H A}, T_{M U}, E_{1}, X} \leftarrow S e n d (M U^{i}, S t a r t)$

${I D_{H A}, T_{M U}, E_{1}, X, I D_{F A}, T_{F A}, V, Y}$

$\leftarrow S e n d (F A^{i} (I D_{H A}, T_{M U}, E_{1}, X))$

${T_{H A}, X, E_{2}}$

$\leftarrow S e n d (H A^{i} (I D_{H A}, T_{M U}, E_{1}, X, I D_{F A}, T_{F A}, V, Y))$

${E_{3}, Y, X} \leftarrow S e n d (F A^{i} (T_{H A}, X, E_{2}))$

The query is answered with the transcript

${I D_{H A}, T_{M U}, E_{1}, X}$ , ${I D_{H A}, T_{M U}, E_{1}, X, I D_{F A}, T_{F A}, V, Y}$ ,

${T_{H A}, X, E_{2}}$ , ${E_{3}, Y, X}$ .

(iii) On a query $T e s t (M U^{i} / F A^{i})$ , we proposed as follows:

Get the session key $S K$ from the $R e v e a l (M U^{i} / F A^{i})$ and flip a coin b, if $b = 1$ , we

return the session key, otherwise we return a random value with the same length.

5. Performance Comparison

Since Chen et al.'s [11] scheme is more efficient than other schemes without perfect forward secrecy, to the best of our knowledge, only Mun et al. [7], Li and Lee [9], Hu et al. [10], Xie et al. [12], Chen et al. [13], and Xie et al. [14] schemes can provide perfect forward secrecy. Therefore, we will present performance comparison between our scheme and these related schemes. Table 1 is performance comparison of login and key agreement phase, as we know that login and key agreement is the main body of an authentication scheme, and registration phase only performs one time before authentication.

Table 1

Performance comparison.

	Performance cost	Estimated time (s)
Mun et al. [7]	$11 T_{h} + 4 T_{m}$	0.2578
Li and Lee [9]	$15 T_{e} + 7 T_{h} + 14 T_{s}$	7.9553
Hu et al. [10]	$11 T_{m} + 6 T_{h} + 8 T_{s}$	0.77
Chen et al. [11]	$6 T_{s} + 16 T_{h}$	0.0602
Xie et al. [12]	$6 T_{m} + 9 T_{h} + 7 T_{s}$	0.44385
Chen et al. [13]	$6 T_{e} + 11 T_{h} + 4 T_{s}$	3.1723
Xie et al. [14]	$8 T_{e} + 8 T_{h} + 9 T_{s}$	4.2501
Our scheme	$6 T_{m} + 7 T_{h} + 7 T_{s}$	0.44285

Let $T_{e}$ , $T_{h}$ , $T_{s}$ , and $T_{m}$ be the time for performing a modular exponentiation, a one-way hash function, a symmetric encryption/decryption, and a scalar multiplication on elliptic curve, which need 0.522 seconds, 0.0005 seconds, 0.0087 seconds, and 0.063075 seconds [17–19], respectively. We ignore modular addition, exclusive OR operation, and string concatenation operation which are negligible compared to others.

According to Table 1, we can conclude that Chen et al.'s [11] and Mun et al.'s [7] schemes are more efficient than others since Chen et al.'s scheme is completely based on hash and symmetric encryption/decryption operations but does not provide perfect forward secrecy and Mun et al.'s scheme is vulnerable to several attacks such as impersonation attack, replay attack, man-in-the-middle attack, and verification table stolen attack. And our scheme only needs 0.44 seconds in login and key agreement which keeps low performance cost.

6. Conclusions

In this paper, we proposed a modified scheme of our preliminary work, which was presented in ISBAST 2013. Compared with the preliminary work, the modified scheme can eliminate the weaknesses of the previous version. Further, we proved the security of the modified scheme and showed that the proposed scheme is efficient according to the performance comparison between our scheme and some related schemes. Therefore, the proposed scheme is secure and efficient and is suitable for using in the global mobility network.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research was supported by the Major State Basic Research Development (973) Program of China (no. 2013CB834205), the National Natural Science Foundation of China (no. 61070153), the Natural Science Foundation of Zhejiang Province (nos. LZ12F02005, LY12F02006), and a Grant from the RGC of the HKSAR, China (no. CityU 121512).

References

Zhu

J.-M.

J.-F.

A new authentication scheme with anonymity for wireless environments

IEEE Transactions on Consumer Electronics 2004 50 1 231 235

2-s2.0-1942487780

10.1109/TCE.2004.1277867

Lee

C.-C.

Hwang

M.-S.

Liao

I.-E.

Security enhancement on a new authentication scheme with anonymity for wireless environments

IEEE Transactions on Industrial Electronics 2006 53 5 1683 1687

2-s2.0-33750133438

10.1109/TIE.2006.881998

Chang

C.-C.

Lee

C.-Y.

Chiu

Y.-C.

Enhanced authentication scheme with anonymity for roaming service in global mobility networks

Computer Communications 2009 32 4 611 618

2-s2.0-59649101587

10.1016/j.comcom.2008.11.032

C.-C.

Lee

W.-B.

Tsaur

W.-J.

A secure authentication scheme with anonymity for wireless communications

IEEE Communications Letters 2008 12 10 722 723

2-s2.0-54949140749

10.1109/LCOMM.2008.080283

Zhu

W.-T.

Feng

D.-G.

An efficient mutual authentication and key agreement protocol preserving user anonymity in mobile networks

Computer Communications 2011 34 3 319 325

2-s2.0-78751650071

10.1016/j.comcom.2010.04.041

Youn

T.-Y.

Park

Y.-H.

Lim

Weaknesses in an anonymous authentication scheme for roaming service in global mobility networks

IEEE Communications Letters 2009 13 7 471 473

2-s2.0-68349157387

10.1109/LCOMM.2009.090488

Mun

Han

Lee

Y.-S.

Yeun

C.-Y.

Choi

H.-H.

Enhanced secure anonymous authentication scheme for roaming service in global mobility networks

Mathematical and Computer Modelling 2012 55 1-2 214 222

2-s2.0-82755161699

10.1016/j.mcm.2011.04.036

D.-J.

M.-D.

Zhang

Chen

J.-J.

A strong user authentication scheme with smart cards for wireless communications

Computer Communications 2011 34 3 367 374

2-s2.0-78751648745

10.1016/j.comcom.2010.02.031

C.-T.

Lee

C.-C.

A novel user authentication and privacy preserving scheme with smart cards for wireless communications

Mathematical and Computer Modelling 2012 55 1-2 35 44

2-s2.0-82755189733

10.1016/j.mcm.2011.01.010

10.

Xie

Bao

M. J.

Dong

Improvement of user authentication protocol with anonymity for wireless communications

Kuwait Journal of Science & Engineering 2014 41 1 155 169

11.

Chen

Chan

Gao

Fan

Lightweight and provably secure user authentication with anonymity for the global mobility network

International Journal of Communication Systems 2011 24 3 347 362

2-s2.0-79952059658

10.1002/dac.1158

12.

Xie

Bao

M. J.

Dong

Wong

D.-S.

Secure mobile user authentication and key agreement protocol with privacy protection in global mobility networks

Proceedings of the International Symposium on Biometrics and Security Technologies (ISBAST '13)

July 2013

Chengdu, China

13.

Chen

Y.-C.

Chuang

S.-C.

Yeh

L.-Y.

Huang

J.-L.

A practical authentication protocol with anonymity for wireless access networks

Wireless Communications and Mobile Computing 2011 11 10 1366 1375

2-s2.0-80054005779

10.1002/wcm.933

14.

Xie

Tan

Bao

M.-J.

X.-Y.

Robust anonymous two-factor authentication scheme for roaming service in global mobility network

Wireless Personal Communications 2014 74 2 601 614

2-s2.0-84879773864

10.1007/s11277-013-1309-3

15.

Bellare

Pointcheval

Rogaway

Authenticated key exchange secure against dictionary attacks

Advances in Cryptology—EUROCRYPT 2000 2000 1807

Berlin, Germany

Springer

139 155 Lecture Notes in Computer Science

10.1007/3-540-45539-6_11

16.

Bresson

Chevassut

Pointcheval

Security proofs for an efficient password-based key exchange

Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03)

October 2003

New York, NY, USA

241 250

2-s2.0-18744393738

17.

C.-T.

Hwang

M.-S.

Chu

Y.-P.

A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks

Computer Communications 2008 31 12 2803 2814

2-s2.0-46749099079

10.1016/j.comcom.2007.12.005

18.

Lee

J.-S.

Chang

C.-C.

Secure communications for cluster-based ad hoc networks using node identities

Journal of Network and Computer Applications 2007 30 4 1377 1396

2-s2.0-34547877223

10.1016/j.jnca.2006.10.003

19.

W.-M.

Wen

Q.-Y.

Jin

Z.-P.

An efficient and secure mobile payment protocol for restricted connectivity scenarios in vehicular ad hoc network

Computer Communications 2012 35 2 188 195

2-s2.0-82955235553

10.1016/j.comcom.2011.09.003

Privacy-Preserving Mobile Roaming Authentication with Security Proof in Global Mobility Networks

Abstract

1. Introduction

2. Security Model

2.1. Participants

2.2. Queries

2.3. Freshness

2.4. Semantic Security

3. The Proposed Scheme

3.1. Registration

Step 1.

Step 2.

Step 3.

Algorithm 1: The proposed scheme: login and authentication phase.

3.2. Login

Step 1.

Step 2.

3.3. Authentication

Step 1.

Step 2.

Step 3.

Step 4.

Step 5.

3.4. Password Change

4. Security Analysis

Theorem 1.

Proof.

Algorithm 2: Simulation of random oracle h, encryption oracle E, and decryption oracle D.

Algorithm 3: Simulation of Send-query.

Algorithm 4: Simulation of Execute-, Reveal-, and Test-query.

5. Performance Comparison

6. Conclusions

Footnotes

Conflict of Interests

Acknowledgments

References