Authors include Licheng Wang, Beijing University of Posts and Telecommunications.
All content following this page was uploaded by Haseeb Ahmad on 11 December 2017.
ABSTRACT Telecare medical information systems (TMIS) give patients/users the convenience of being served at home. Along with such ease, it is essential to preserve the privacy of, and provide security to, the patients/users of a TMIS. Often, authentication protocols are adopted to guarantee privacy and secure interaction between the patients/users and the remote server. Recently, Chaudhry et al. pointed out that Islam et al.'s smart-card-based scheme is prone to user impersonation and server impersonation attacks. Chaudhry et al. later presented an enhanced scheme based on elliptic curve cryptography (ECC) to remedy the weaknesses of Islam et al.'s scheme. Unfortunately, we find some important limitations in both schemes. We remark that their scheme is prone to the off-line password guessing attack, the user/server impersonation attack and the man-in-the-middle attack. To overcome these limitations, we present an improved authentication scheme that avoids the threats encountered in the design of Chaudhry et al.'s scheme. Moreover, the presented scheme can also resist all known attacks. We prove the security of the proposed scheme with the help of the widely used Burrows-Abadi-Needham logic (BAN-Logic). A brief comparison with previous works shows that the presented protocol is more efficient and more secure than other related schemes.
INDEX TERMS Telecare medicine information systems, elliptic curve cryptography, smart card, off-line password guessing attack, authentication, BAN-Logic.
2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2017.2780124, IEEE Access
[25], [27], [39]–[41]. However, most among these protocols

TABLE 1. Notations and abbreviations
correct password and identity of user $U$. Otherwise, $A$ can repeat steps (1), (2), (3) and (4) until it finds the correct password and identity.

The time complexity of the above attack is $O(|D_{PW}| \cdot |D_{ID}| \cdot (2T_h + T_m + T_a))$, where $T_h$ is the running time of a hash computation, $T_a$ is the running time of a point addition, $T_m$ is the running time of a point multiplication, and $|D_{PW}|$ and $|D_{ID}|$ denote the number of passwords in $D_{PW}$ and the number of identities in $D_{ID}$, respectively. Usually $|D_{ID}| \le |D_{PW}| \le 10^6$ [30], [31]; therefore, the above attack is quite efficient in the first case. In fact, the reason for the success of the above attack is that $A$ obtains the verification value $u_i$ in the smart card and uses it to verify the correctness of the guessed password and identity. We observe that the purpose of the designer is to verify the legitimacy of the login with this datum $u_i$ and to let the legal user freely change his password locally without needing to communicate with the server.

• Case 2: (Via verification value in public channel) In this case, the adversary $A$ intercepts the login request message $\{C_i, G_i, T_{i1}\}$ and extracts the data $\{u_i, O_i, r_i, N_i\}$ stored in the smart card. Afterwards, $A$ can also guess the legal user $U$'s password and identity by performing the following steps:
Step1: $A$ first guesses $PW^*$ and $ID^*$ from the password dictionary space $D_{PW}$ and the identity dictionary space $D_{ID}$, respectively.
Step2: $A$ calculates $l_i^* = h(ID^* \| PW^* \| r_i)$.
Step3: $A$ computes $(k_s G)^* = (l_i^* \alpha) G - B_i$.
Step4: $A$ calculates $G_i^* = h(ID^* \| O_i \oplus l_i^* \| C_i \| T_{i1} \| (k_s G)^* \| N_i)$.
Step5: $A$ checks whether $G_i^*$ is equal to the value of parameter $G_i$ in the login message. If they are equal, $A$ has found the correct password and identity of user $U$. Otherwise, $A$ can repeat steps (1), (2), (3), (4) and (5) until finding the correct password and identity.
The time complexity of the above attack is also $O(|D_{PW}| \cdot |D_{ID}| \cdot (2T_h + T_m + T_a))$. Therefore, the attack based on the second case is also quite efficient. Actually, the reason for the success of the above attack is that $A$ obtains the verification value $G_i$ in the login request message and uses it to verify the correctness of the guessed password and identity.

• Case 3: (The legitimate patient acts as an attacker I) In this case, we show that a legitimate patient $U_j$ can act as a malicious opponent $A$ for the off-line password guessing attack. The adversary $A$ extracts the data $\{E/E_p, G, B_i, r_i\}$ stored in the smart card. Afterwards, $A$ can also guess the legal user $U$'s password and identity by performing the following steps:
Step1: Firstly, $U_j$ extracts the data $\{E/E_p, G, B_j, r_j, \alpha, h(), p\}$ from his own smart card. Then, $U_j$ computes $l_j = h(ID_j \| PW_j \| r_j)$ and $k_s G = (l_j \alpha) G - B_j$.
Step2: $A(U_j)$ guesses $PW^*$ and $ID^*$ from the password dictionary space $D_{PW}$ and the identity dictionary space $D_{ID}$, respectively.
Step3: $A$ calculates $l_i^* = h(ID^* \| PW^* \| r_i)$.
Step4: $A$ computes $(k_s G)^* = (l_i^* \alpha) G - B_i$.
Step5: $A$ checks whether $(k_s G)^*$ is equal to the value of parameter $k_s G$ from Step 1. If they are equal, $A$ has found the correct password and identity of user $U$. Otherwise, $A$ can repeat steps (2), (3), (4) and (5) until finding the correct password and identity.
The time complexity of the above attack is $O(T_h + T_m + T_a + |D_{PW}| \cdot |D_{ID}| \cdot (T_h + T_m + T_a))$. Therefore, the above attack based on the third case is also quite efficient. By observation, we find that the key reason for the success of the above attack is that any legal patient can compute the common value $k_s G$; $A$ then guesses the password and identity of another user and computes $(k_s G)^*$. If the guess is correct, it must result in $k_s G = (k_s G)^*$. According to the complexity, this shows that $A$ can verify the correctness of the guessed password and identity.

• Case 4: (The legitimate patient acts as an attacker II) Similarly to Case 3, we also show that a legitimate patient $U_j$ can act as a malicious opponent $A$ for the off-line password guessing attack. But here the adversary $A$ extracts the data $\{u_i, E/E_p, G, r_i\}$ stored in the smart card. Thereafter, $A$ guesses the legal user $U$'s password and identity by implementing the following steps:
Step1: $U_j$ extracts the data $\{E/E_p, G, B_j, r_j, \alpha, h(), p\}$ from his own smart card and computes $l_j = h(ID_j \| PW_j \| r_j)$ and $k_s G = (l_j \alpha) G - B_j$.
Step2: $A(U_j)$ guesses $PW^*$ and $ID^*$ from the password dictionary space $D_{PW}$ and the identity dictionary space $D_{ID}$, respectively.
Step3: $A$ calculates $l_i^* = h(ID^* \| PW^* \| r_i)$.
Step4: $A$ computes $u_i^* = h(k_s G \| l_i^*)$.
Step5: $A$ checks whether $u_i^*$ is equal to the value of parameter $u_i$ from Step 1. If they are equal, $A$ has found the correct password and identity of user $U$. Otherwise, $A$ can repeat steps (2), (3), (4) and (5) until finding the correct password and identity.
The time complexity of the above attack is $O(T_h + T_m + T_a + |D_{PW}| \cdot |D_{ID}| \cdot 2T_h)$. Therefore, the above attack based on the fourth case is also quite efficient. Similarly to Case 3, the key reason for the success of the above attack is that any legal patient can compute the common value $k_s G$; $A$ then guesses the password and identity of another user and computes $u_i^*$. If $u_i = u_i^*$,
it is assured that the guess is correct.

Therefore, any of the above cases illustrates that the scheme of Chaudhry et al. cannot resist the off-line password guessing attack.

B. USER IMPERSONATION ATTACK
Once the scheme of Chaudhry et al. is vulnerable to the off-line password guessing attack, the adversary becomes capable of impersonating other legal patients/users. To do so, the adversary $A$ captures the login request message $\{T_{i1}\}$ and performs the following steps.
Step1: $A$ computes $l_i = h(ID_i \| PW_i \| R_i)$ using the already guessed correct identity and password. Subsequently, $A$ computes $k_s G = (\alpha l_i) G - B_i$. Now $A$ selects a random number $a_i^* \in Z_p^*$ and computes the following:
$PID_i^* = ID_i \oplus a_i^* G$, $C_i^* = a_i^* (k_s G)$ and $G_i^* = h(ID_i \| O_i \oplus l_i \| C_i^* \| T_{i1} \| k_s G \| N_i)$.
Then, $A$ sends the login request message $\{PID_i^*, C_i^*, G_i^*, T_{i1}\}$ to server $S$.
Step2: After receiving the login request message from $A$, $S$ checks the timestamp $T_{i1}$ and then computes $ID_i' = PID_i^* \oplus (C_i^* k_s^{-1})$ and $G_i' = h(ID_i' \| O_i \oplus l_i \| C_i^* \| T_{i1} \| k_s G \| N_i)$, and checks $G_i' \stackrel{?}{=} G_i^*$. Obviously, the check holds. Therefore, $S$ chooses the random $c_s$ and $T_{i2}$, and then computes $C_s = c_s (k_s G)$, $C_{si} = c_s (C_i^*)$, $SK = h(ID_i' \| h(ID_i' \| k_s) \| C_i^* \| C_s \| C_{si} \| k_s G)$ and $G_s = h(SK \| C_s \| T_{i2} \| k_s G)$. Subsequently, $S$ also stores $\{ID_i, N_i, T_{i1}\}$ in its database. Finally, a challenge message $\{C_s, G_s, T_{i2}\}$ is sent from server $S$ to $A$.
Step3: Upon reception of the challenge message from server $S$, $A$ computes $C_{is}^* = a_i^* (G_s)$ and then calculates the session key as follows: $SK^* = h(ID_i' \| O_i \oplus l_i \| C_i^* \| C_s \| C_{is}^* \| k_s G)$.
Thus, an adversary $A$ can successfully impersonate a legal patient/user to the server. Therefore, Chaudhry et al.'s scheme is insecure against the user impersonation attack.

C. SERVER IMPERSONATION ATTACK
Following the off-line password guessing attack: once the scheme of Chaudhry et al. is vulnerable to the off-line password guessing attack, the adversary $A$ obtains the correct $\{ID_i, PW_i\}$ of $U$ and computes $l_i = h(ID_i \| PW_i \| R_i)$ and $k_s G = (\alpha l_i) G - B_i$. Now, $A$ waits for $U$ to send a login request message $\{PID_i, C_i, G_i, T_{i1}\}$ to $S$, and subsequently captures the message. Afterwards $A$ can launch a server impersonation attack by performing the following steps:
Step1: Upon capturing the login request message from $U$, $A$ selects a random number $c_s^* \in Z_p^*$ and $T_{i2}^*$. Then, $A$ computes $C_s^* = c_s^* (k_s G)$, $C_{si}^* = c_s^* (C_i)$, $SK^* = h(ID_i \| O_i \oplus l_i \| C_i \| C_s^* \| C_{si}^* \| k_s G)$, and $G_s^* = h(SK^* \| C_s^* \| T_{i2}^* \| k_s G)$. Afterwards, $A$ sends a challenge message $\{C_s^*, G_s^*, T_{i2}^*\}$ to $U_i$.
Step2: On receiving the challenge message from $A$, $U_i$ checks the validity of the timestamp $T_{i2}^*$. If it is found to be valid, $A$ computes $C_{is} = a_i^* (G_s^*)$, and then calculates the session key $SK = h(ID_i \| O_i \oplus l_i \| C_i \| C_s \| C_{is} \| k_s G)$ and $G_s' = h(SK \| C_s^* \| T_{i2}^* \| k_s G)$. Then $A$ verifies $G_s' \stackrel{?}{=} G_s^*$. It is obvious that these expressions are equal. Therefore, $U_i$ accepts the session key $SK$ with the server, who is in fact the adversary $A$.
Accordingly, the adversary $A$ successfully launches a server impersonation attack and gets a session key $SK$ with $U_i$. Moreover, since $A$ also obtains $k_s G$ of server $S$ and computes $h(ID \| k_s) = l_i \oplus O_i$ utilizing the obtained sensitive information, the adversary can perform similar server impersonation attacks on all users. Therefore, the scheme cannot resist the server impersonation attack.

D. MAN-IN-THE-MIDDLE ATTACK
According to our analyses, we have shown that Chaudhry et al.'s scheme is vulnerable to the off-line password guessing attack, the user impersonation attack and the server impersonation attack. It is easy to see that the adversary can impersonate the patient/user to the server and vice versa. Therefore, the adversary can launch the man-in-the-middle attack. Thus, it is remarked that Chaudhry et al.'s scheme cannot resist the man-in-the-middle attack.

V. OUR PROPOSED SCHEME
This section proposes an improved mutual authentication scheme based on ECC for TMIS. In our scheme, we use random numbers to avoid the replay attack; therefore, we do not need to assume that $U_i$ and $S$ have synchronized clocks. Meanwhile, the proposed scheme not only overcomes the weaknesses of Chaudhry et al.'s [5] scheme and Islam et al.'s [16] scheme, but also achieves mutual authentication and resists various attacks. The proposed scheme consists of three phases: the registration phase, the authentication and key agreement phase, and the password changing phase. The notations of the proposed protocol are listed in Table 1, and the registration and authentication process of our scheme is presented in Fig. 1.

A. REGISTRATION PHASE
1. The patient $U_i$ chooses a password $PW_i$, an identity $ID_i$ and a random number $r_i \in Z_p^*$. Subsequently, $U_i$ computes $l_i = h(ID_i \| PW_i \| r_i)$.
2. $U_i \Rightarrow S$: $\{ID_i, l_i\}$.
Fig. 1 (registration phase, as recovered from the figure):
$U_i$: inputs $ID_i, PW_i$; selects a random number $r_i \in Z_p^*$; computes $l_i = h(ID_i \| PW_i \| r_i)$; sends $\{ID_i, l_i\}$ to $S$; stores $r_i$ in the smart card (SC).
$S$: selects an integer $2^4 \le n_0 \le 2^8$; computes $A_i = h((h(ID_i) \oplus h(l_i)) \bmod n_0)$ and $O_i = T \oplus l_i$; stores $\{ID_i, r_s\}$ in its database; stores $\{A_i, O_i, G, n_0, h()\}$ in a new smart card.

3. After receiving the registration message, $S$ chooses a random number $r_s \in Z_p^*$ and calculates the following: $A_i = h((h(ID_i) \oplus l_i) \bmod n_0)$, $T = h(ID_i \| k_s \| r_s)$, $O_i = T \oplus l_i$, and stores $\{ID_i, r_s\}$ in its database, where $n_0$ is an integer and $2^4 \le n_0 \le 2^8$ [32].
4. $S \Rightarrow U_i$: a smart card SC containing

1. $U_i$ inserts the smart card SC into a card reader and inputs $ID_i, PW_i$. SC calculates $l_i = h(ID_i \| PW_i \| r_i)$, and then computes $A_i' = h((h(ID_i) \oplus l_i) \bmod n_0)$. Then, SC checks the correctness of $A_i'$ by comparing it with the value of $A_i$ stored in SC. If $A_i' = A_i$, $ID_i, PW_i$ are accepted as valid. Otherwise, the session is terminated. SC continues by computing $T = O_i \oplus l_i$, chooses a random number $a_i \in Z_p^*$, and computes the following:
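The registration phase and the smart card's local check of Section V, as an added Python example (not the paper's own code): it builds the card with the fuzzy verifier $A_i$ and then counts how many $(ID, PW)$ pairs from toy dictionaries pass the card's local check, beside an exact verifier of the kind Section IV's Case 1 exploits through $u_i$. Assumptions: SHA-256 stands in for $h()$, the form $A_i = h((h(ID_i) \oplus h(l_i)) \bmod n_0)$ from Fig. 1 is used, and the dictionaries, $k_s$ and the credentials are constructed values.

```python
"""Fuzzy-verifier registration and local login check (added example).

Models the registration phase and the card's local check:
  l_i = h(ID_i || PW_i || r_i)
  A_i = h((h(ID_i) XOR h(l_i)) mod n0),   2^4 <= n0 <= 2^8
  T   = h(ID_i || k_s || r_s),  O_i = T XOR l_i
Hash values are SHA-256 digests read as integers (an assumption); the
server secret, credentials and dictionaries are constructed toy values.
"""
import hashlib
import secrets


def h(*parts) -> int:
    """h(part1 || part2 || ...) as a 256-bit integer."""
    data = b"||".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def verifier(identity: str, l_i: int, n0):
    """A_i as in the scheme. n0=None models an exact (non-fuzzy) verifier:
    the full XOR is hashed, so only the right (ID, PW) reproduces A_i."""
    v = h(identity) ^ h(l_i)
    return h(v % n0) if n0 else h(v)


def register(identity, password, k_s, n0, r_i=None, r_s=None):
    """U_i picks r_i and sends {ID_i, l_i}; S builds the card.
    Returns (smart card contents, server record)."""
    r_i = secrets.randbits(128) if r_i is None else r_i
    r_s = secrets.randbits(128) if r_s is None else r_s
    l_i = h(identity, password, r_i)          # computed by U_i
    a_i = verifier(identity, l_i, n0)         # computed by S
    t = h(identity, k_s, r_s)
    o_i = t ^ l_i
    card = {"A_i": a_i, "O_i": o_i, "n0": n0, "r_i": r_i}
    return card, {"ID_i": identity, "r_s": r_s}


def local_check(card, identity, password) -> bool:
    """Card step 1: recompute A_i' and compare with the stored A_i."""
    l_i = h(identity, password, card["r_i"])
    return verifier(identity, l_i, card["n0"]) == card["A_i"]


def passing_guesses(card, id_space, pw_space):
    """Pairs of D_ID x D_PW the card accepts. With the fuzzy verifier about
    |D_ID|*|D_PW|/n0 wrong pairs pass as well, so the card contents alone
    do not confirm an off-line guess; with an exact verifier only the
    true pair passes, which is what Section IV's attack relies on."""
    return [(i, p) for i in id_space for p in pw_space
            if local_check(card, i, p)]


# Constructed toy dictionaries and credentials (not from the paper).
D_ID = [f"patient{k:02d}" for k in range(20)]
D_PW = [f"pw{k:03d}" for k in range(50)]
TRUE_ID, TRUE_PW = "patient07", "pw042"
K_S = 0x1234_5678_9ABC_DEF0                   # toy server secret k_s


def demo(n0=16):
    """Returns (fuzzy_passes, exact_passes) for the same credentials;
    fixed r_i, r_s keep the result reproducible."""
    fuzzy_card, _ = register(TRUE_ID, TRUE_PW, K_S, n0, r_i=1, r_s=2)
    exact_card, _ = register(TRUE_ID, TRUE_PW, K_S, None, r_i=1, r_s=2)
    return (passing_guesses(fuzzy_card, D_ID, D_PW),
            passing_guesses(exact_card, D_ID, D_PW))


if __name__ == "__main__":
    fuzzy, exact = demo()
    total = len(D_ID) * len(D_PW)
    print(f"fuzzy verifier (n0=16): {len(fuzzy)} of {total} guesses pass")
    print(f"exact verifier: {len(exact)} guess passes -> {exact}")
```

Every candidate that passes the fuzzy check still has to be tried on-line against $S$, which can count and throttle failed logins; that is the reasoning behind the bound on $n_0$.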
Fig. 2 (password changing phase, as recovered from the figure): stores $A_i^{new}, O_i^{new}, r_i^{new}$ in place of $A_i, O_i, r_i$.
TABLE 2. BAN-Logic notations
Symbol                        Description
$A |\equiv X$                 $A$ believes $X$
$A \triangleleft X$           $A$ observes/receives $X$
$A |\sim X$                   $A$ once said $X$ (or $A$ sends $X$)
$A |\Rightarrow X$            $A$ controls $X$
$\#(X)$                       $X$ is fresh
$A \xleftrightarrow{K} B$     $A$ and $B$ communicate using the shared key $K$
$(X, Y)_K$                    hash of $X$ and $Y$ using $K$ as key
$\langle X \rangle_K$         $X$ XOR-ed with the key $K$

R4. Freshness rule: $\dfrac{A |\equiv \#(X)}{A |\equiv \#(X, Y)}$, that is, if $A$ believes the freshness of $X$ then $A$ believes the freshness of $(X, Y)$.
R5. Believe rule: $\dfrac{A |\equiv B |\equiv (X, Y)}{A |\equiv B |\equiv X}$ or $\dfrac{A |\equiv X,\ A |\equiv Y}{A |\equiv (X, Y)}$, that is, if $A$ believes that $B$ believes $(X, Y)$, then $A$ believes that $B$ believes $X$; or if $A$ believes $X$ and $A$ believes $Y$, then $A$ believes $(X, Y)$.

• Idealized scheme:
  – Message1: $U \to S$: $\langle ID_i \| C_i \rangle_{U \xleftrightarrow{T} S}$, $(ID_i, C_i)_{U \xleftrightarrow{T} S}$.
  – Message2: $S \to U$: $C_s$, $(U \xleftrightarrow{sk} S, C_s, C_i')_{U \xleftrightarrow{T} S}$.
  – Message3: $U \to S$: $(U \xleftrightarrow{sk} S, C_i)_{U \xleftrightarrow{T} S}$.
• Security goals:
  Goal1. $U |\equiv S |\equiv (U \xleftrightarrow{sk} S)$.
  Goal2. $U |\equiv (U \xleftrightarrow{sk} S)$.
  Goal3. $S |\equiv U |\equiv (U \xleftrightarrow{sk} S)$.
  Goal4. $S |\equiv (U \xleftrightarrow{sk} S)$.
• Initial premises:
  A1. $U |\equiv \#(a_i)$.
  A2. $U |\equiv \#(C_s)$.
  A3. $S |\equiv \#(c_s)$.
  A4. $S |\equiv \#(C_i)$.
  A5. $U |\equiv (U \xleftrightarrow{T} S)$.
  A6. $S |\equiv (U \xleftrightarrow{T} S)$.
  A7. $U |\equiv S |\Rightarrow (U \xleftrightarrow{sk} S)$.
  A8. $S |\equiv U |\Rightarrow (U \xleftrightarrow{sk} S)$.

Now, we utilize the BAN-Logic postulates and rules to prove that $U$ and $S$ successfully share a common session key $sk$.
S1. From Message2, $U$ receives the message $(U \xleftrightarrow{sk} S, C_s, C_i')_{U \xleftrightarrow{T} S}$ from $S$. So we have the following: $U \triangleleft (U \xleftrightarrow{sk} S, C_s, C_i')_{U \xleftrightarrow{T} S}$.
S2. From S1, A5 and the message-meaning rule: because $U$ believes that $U$ and $S$ share $T$, and sees that $(U \xleftrightarrow{sk} S, C_s, C_i')$ is encrypted with $T$, $U$ believes that $S$ once said $(U \xleftrightarrow{sk} S, C_s, C_i')$. Thus, we obtain the following: $U |\equiv S |\sim (U \xleftrightarrow{sk} S, C_s, C_i')$.
S3. From A1, A2 and the freshness rule: because $U$ believes the freshness of $C_s$, $U$ believes the freshness of $(U \xleftrightarrow{sk} S, C_s, C_i')$. Accordingly, we get the following: $U |\equiv \#(U \xleftrightarrow{sk} S, C_s, C_i')$.
S4. From S2, S3, the nonce-verification rule and the freshness rule: if $U$ believes the freshness of $(U \xleftrightarrow{sk} S, C_s, C_i')$ and believes that $S$ once said it, then $U$ believes that $S$ trusts $(U \xleftrightarrow{sk} S, C_s, C_i')$. Hence, we deduce the following: $U |\equiv S |\equiv (U \xleftrightarrow{sk} S, C_s, C_i')$.
S5. From S4 and the believe rule: if $U$ believes that $S$ believes $(U \xleftrightarrow{sk} S, C_s, C_i')$, then $U$ believes that $S$ believes $(U \xleftrightarrow{sk} S)$. Therefore, we obtain the first goal: $U |\equiv S |\equiv (U \xleftrightarrow{sk} S)$ (Goal1).
S6. From Goal1, A7 and the jurisdiction rule: if $U$ believes that $S$ controls $(U \xleftrightarrow{sk} S)$, and $U$ believes that $S$ believes $(U \xleftrightarrow{sk} S)$, then $U$ believes $(U \xleftrightarrow{sk} S)$. Thus, we get the second goal: $U |\equiv (U \xleftrightarrow{sk} S)$ (Goal2).
S7. From Message3, $S$ observes the message $(U \xleftrightarrow{sk} S, C_i)_{U \xleftrightarrow{T} S}$ from $U$. Then we have the following: $S \triangleleft (U \xleftrightarrow{sk} S, C_i)_{U \xleftrightarrow{T} S}$.
S8. From S7, A6 and the message-meaning rule: because $S$ believes that $U$ and $S$ share $T$, and sees that $(U \xleftrightarrow{sk} S, C_i)$ is encrypted with $T$, $S$ believes that $U$ once said $(U \xleftrightarrow{sk} S, C_i)$. So we obtain the following: $S |\equiv U |\sim (U \xleftrightarrow{sk} S, C_i)$.
S9. From A4 and the freshness rule: because $S$ believes the freshness of $C_i$, $S$ believes the freshness of $(U \xleftrightarrow{sk} S, C_i)$. Consequently, we get the following: $S |\equiv \#(U \xleftrightarrow{sk} S, C_i)$.
S10. From S8, S9, the nonce-verification rule and the freshness rule: if $S$ believes the freshness of $(U \xleftrightarrow{sk} S, C_i)$ and believes that $U$ once said it, then
$S$ believes that $U$ trusts $(U \xleftrightarrow{sk} S, C_i)$. Hence, we deduce the following: $S |\equiv U |\equiv (U \xleftrightarrow{sk} S, C_i)$.
S11. From S10 and the believe rule: if $S$ believes that $U$ believes $(U \xleftrightarrow{sk} S, C_i)$, then $S$ believes that $U$ believes $(U \xleftrightarrow{sk} S)$. In short, we get the third goal: $S |\equiv U |\equiv (U \xleftrightarrow{sk} S)$ (Goal3).
S12. From Goal3, A8 and the jurisdiction rule: if $S$ believes that $U$ controls $(U \xleftrightarrow{sk} S)$, and $S$ believes that $U$ believes $(U \xleftrightarrow{sk} S)$, then $S$ believes $(U \xleftrightarrow{sk} S)$. Thereupon we obtain the fourth goal: $S |\equiv (U \xleftrightarrow{sk} S)$ (Goal4).
According to Goal1, Goal2, Goal3 and Goal4, we conclude that $U$ (respectively $S$) trusts that $S$ (respectively $U$) believes that the session key $sk$ between them has been shared successfully.

VIII. COMPARATIVE PERFORMANCE ANALYSIS
This section analyzes the performance of our proposed scheme by comparing it with Chaudhry et al.'s [5], Tu et al.'s [28], Wei et al.'s [33], Xu et al.'s [35] and Islam et al.'s [16] schemes. To compare the computational complexity, we neglect lightweight operations like the exclusive-OR operation and string concatenation. The operations used in our paper are described as follows:
• $T_{pa}$: the time for executing an elliptic curve point addition operation.
• $T_{pm}$: the time for executing a point multiplication operation.
• $T_{me}$: the time for executing a modular exponentiation operation.
• $T_{mi}$: the time for executing a modular inversion operation.
• $T_h$: the time for executing a hash operation.
According to the experimental results reported in [12], $T_{pa}$, $T_{pm}$, $T_{me}$, $T_{mi}$ and $T_h$ refer to the running times listed in Table 3, which are 100ms, 130ms, 380ms, 30ms and 1ms on a Philips HiPerSmart card with clock speed 36MHz, respectively, while on the server side (a Pentium IV processor with clock speed 3GHz) these operations take 0.1ms, 1.17ms, 3.16ms, 0.3ms and 0.01ms, respectively.
Now, we present the comparative analysis at two levels:
• Comparison of computational complexity (Table 4)
• Comparison of security features (Table 5)
From Table 4, the computational costs of the login and authentication phases in Tu et al.'s scheme [28], Xu et al.'s scheme [35], Islam et al.'s scheme [16], Wei et al.'s scheme [33], Chaudhry et al.'s scheme [5] and our proposed scheme are $8T_h + 6T_{pm} + 1T_{pa} \approx 497.55$ms, $11T_h + 6T_{pm} \approx 399.56$ms, $10T_h + 6T_{pm} + 1T_{pa} \approx 499.55$ms, $10T_h + 2T_{me} + 1T_{mi} \approx 388.51$ms, $9T_h + 7T_{pm} + 1T_{pa} + 1T_{mi} \approx 628.85$ms and $13T_h + 4T_{pm} \approx 270.39$ms, respectively. In Chaudhry et al.'s scheme [5], the authors asserted that their protocol is more efficient than Islam et al.'s protocol; in fact, their protocol's computational cost is higher than that of Islam et al.'s protocol. We observe that our protocol performs better than [5], [16], [28], [33], [35], and the computational cost of our proposed protocol is only 270.39ms. Therefore, in terms of efficiency, the proposed protocol performs the best.
In Table 5, we find that [5], [16], [28], [33], [35] lack some security ingredients and have more security problems than the proposed scheme. In Chaudhry et al.'s scheme [5], the authors declared that their protocol is an improved variant that resists the user and server impersonation attacks and the man-in-the-middle attack applicable to Islam et al.'s scheme [16]. According to our analysis, however, Chaudhry et al.'s scheme [5] is not only still vulnerable to the server and user impersonation and man-in-the-middle attacks, but also vulnerable to the off-line identity guessing attack. We find that the off-line identity guessing attack is a fatal attack on their protocol. In our proposed protocol, we utilize the technique of "fuzzy verifiers" [32] to resist the off-line identity guessing attack. Therefore, the proposed scheme not only amends these security problems of Chaudhry et al.'s [5] and Islam et al.'s [16] schemes but also retains all their merits, as depicted in Table 5. Although our scheme also employs the costly elliptic curve point multiplication operation, as a trade-off it resists all known attacks, which is an essential ingredient of the security of mutual authentication. In terms of security, the proposed scheme is more secure and has many excellent features compared with its counterparts.

IX. CONCLUSION
In this paper, we present a security analysis of Chaudhry et al.'s [5] scheme and show that it is vulnerable to the off-line password guessing attack, the user and server impersonation attacks and the man-in-the-middle attack. In order to remove these limitations, we present a new scheme with refined security. The proposed scheme inherits the merits of Chaudhry et al.'s [5] and Islam et al.'s [16] schemes and resists the aforementioned attacks at a lower computational cost than the others. Meanwhile, we conduct the security analysis of our proposed scheme using BAN-Logic. Finally, in comparison with the previously proposed schemes, our scheme is more efficient and more secure than other related schemes.

REFERENCES
[1] J. Arkko, V. Torvinen, G. Camarillo, A. Niemi, and T. Haukka, "Security mechanism agreement for SIP sessions," IETF Internet Draft, Jun. 2002.
[2] R. Arshad and N. Ikram, "Elliptic curve cryptography based mutual authentication scheme for session initiation protocol," Multimed Tools Appl, 66(2):165-178 (2013).
[3] M. Burrows, M. Abadi, and R. M. Needham, "A logic of authentication," ACM Transactions on Computer Systems, 8(1):18-36 (1990).
[4] S. A. Chaudhry, I. Khan, A. Irshad, M. U. Ashraf, M. K. Khan, and H. F. Ahmad, "A provably secure anonymous authentication scheme for session initiation protocol," Secur Commun Netw, doi:10.1002/sec.1672 (2016).
Table 5 (comparison of security features):
Feature   Tu et al. [28]   Xu et al. [35]   Islam et al. [16]   Wei et al. [33]   Chaudhry et al. [5]   Ours
F1        -                Yes              Yes                 No                Yes                   Yes
F2        Yes              No               Yes                 Yes               Yes                   Yes
F3        Yes              Yes              No                  No                No                    Yes
F4        Yes              Yes              No                  No                No                    Yes
F5        -                Yes              No                  No                No                    Yes
F6        Yes              No               Yes                 No                Yes                   Yes
F7        -                No               No                  No                No                    Yes
F8        Yes              Yes              No                  No                Yes                   Yes
F9        -                Yes              Yes                 Yes               Yes                   Yes
F1: Provides user anonymity; F2: Resists privileged insider attack; F3: Resists off-line password guessing attack; F4: Resists user impersonation attack; F5: Resists server impersonation attack; F6: Resists replay attack; F7: Resists man-in-the-middle attack; F8: Provides mutual authentication; F9: Provides perfect forward secrecy.
[5] S. A. Chaudhry, H. Naqvi, T. Shon, M. Sher, and M. S. Farash, "Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems," J. Medical Systems, 39(6):66:1-66:11 (2015).
[6] T. H. Chen, H. L. Yeh, P. C. Liu, H. C. Hsiang, and W. K. Shih, "A secured authentication protocol for SIP using elliptic curves cryptography," In: FGCN 2010, Part I, Communications in Computer and Information Science, 119:46-55 (2010).
[7] D. Denning and G. Sacco, "Timestamps in key distribution systems," Commun ACM, 24:533-536 (1981).
[8] A. Durlanik and I. Sogukpinar, "SIP authentication scheme using ECDH," World Enformatika Soc Trans Eng Comput Technol, 8:350-353 (2005).
[9] T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, and M. T. Shalmani, "On the power of power analysis in the real world: a complete break of the KeeLoq code hopping scheme," Advances in Cryptology - CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, Springer, Berlin, Germany, 5157:203-220 (2008).
[10] M. S. Farash and M. A. Attari, "An enhanced authenticated key agreement for session initiation protocol," Inf Technol Control, 42(4):333-342 (2013).
[11] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, and A. Luotonen, "HTTP Authentication: Basic and digest access authentication," IETF RFC 2617 (1999).
[12] D. He, "An efficient remote user authentication and key agreement protocol for mobile client-server environment from pairings," Ad Hoc Netw, 10(6):1009-1016 (2012).
[13] D. He, J. Chen, and Y. Chen, "A secure mutual authentication scheme for session initiation protocol using elliptic curve cryptography," Secur Commun Netw, 5(12):1423-1429 (2012).
[14] H. F. Huang, W. C. Wei, and G. E. Brown, "A new efficient authentication scheme for session initiation protocol," In: 9th Joint Conference on Information Sciences (2006).
[15] M. Hölbl, T. Welzer, and B. Brumen, "An improved two-party identity-based authenticated key agreement protocol using pairings," Journal of Computer and System Sciences, 78(1):142-150 (2012).
[16] S. Islam and M. Khan, "Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems," J. Med. Syst, 38(10):135 (2014). doi:10.1007/s10916-014-0135-9.
[17] W. S. Juang, "Efficient password authenticated key agreement using smart cards," Computers and Security, 23(2):167-173 (2004).
[18] S. Kumari, M. Karuppiah, A. K. Das, et al., "Design of a secure anonymity-preserving authentication scheme for session initiation protocol using elliptic curve cryptography," J Ambient Intell Human Comput, doi:10.1007/s12652-017-0460-1 (2017).
[19] H. Kilinc and T. Yanik, "A survey of SIP authentication and key agreement schemes," IEEE Communications Surveys and Tutorials, doi:10.1109/SURV.2013.091513.00050 (2013).
[20] L. Lamport, "Password authentication with insecure communication," Communications of the ACM, vol. 24, no. 11, pp. 770-772 (1981).
[21] F. W. Liu and H. Koenig, "Cryptanalysis of a SIP authentication scheme," In: 12th IFIP TC6/TC11 International Conference, CMS 2011, Lecture Notes in Computer Science, 7025:134-143 (2011).
[22] Y. R. Lu, L. X. Li, and Y. X. Yang, "Robust and efficient authentication scheme for session initiation protocol," Math Probl Eng, Article ID 894549, doi:10.1155/2015/894549 (2015).
[23] Y. R. Lu, L. X. Li, H. P. Peng, and Y. X. Yang, "A secure and efficient mutual authentication scheme for session initiation protocol," Peer-to-Peer Netw Appl, 9(2):449-459 (2016).
[24] C. Shen, E. Nahum, H. Schulzrinne, and C. P. Wright, "The impact of TLS on SIP server performance: measurement and modeling," IEEE/ACM Transactions on Networking, 20(4):1217-1230 (2012).
[25] H. Tang and X. Liu, "Cryptanalysis of Arshad et al.'s ECC-based mutual authentication scheme for session initiation protocol," Multimed Tools Appl, 65(3):165-178 (2013).