1 Introduction

Anonymous authentication is an important cryptographic technique for protecting privacy. While it seems paradoxical to combine anonymity with authentication, such techniques have been extensively studied in the recent literature. Some works focus on anonymous authentication in a client-server architecture, where clients authenticate themselves to the server without revealing their identities [1, 2]. Others propose schemes for various network systems such as peer-to-peer systems [3,4,5].

Authentication protocols [6,7,8,9,10] preserving user anonymity are also desirable in mobile networks [11,12,13]. Under a three-party setting, a trusted third party, or trusted server, is introduced into the mobile network to help the other two parties authenticate each other anonymously and establish a session key for direct communication after successful authentication. In mobile networks, anonymous authentication allows authenticated mobile devices to access resources from a local service provider or from other mobile devices, to whom their identities remain anonymous. Under such situations, it is natural and convenient to introduce the trusted third party. Typically, mobile devices register at their home agent, also known as the trusted third party. When roaming in foreign places, the resources located at foreign agents or nearby devices become available. Thus, to protect the mobile devices’ privacy, their identities are hidden when communicating with foreign agents or nearby devices.

Recently, several anonymous authentication protocols designed for mobile networks have been proposed. These protocols are proposed and enhanced so that roaming users in mobile networks can efficiently and anonymously access resources from local foreign agents. In 2015, Shin et al. [14] improved an authentication scheme that uses only low-cost functions, such as hash functions and exclusive-or operations. However, Farash et al. [15] demonstrated that their scheme does not protect user privacy in terms of untraceability, and thus proposed a new protocol. To achieve secure inter-device communication in mobile networks, Chung et al. [16] proposed an efficient anonymous mutual authentication scheme that allows registered devices to authenticate and communicate with each other, both anonymously and directly. Unfortunately, we find that their scheme does not guarantee untraceability either. A passive attacker can easily identify the protocol runs initiated by the same user, thus breaking user anonymity. Also, Chung et al.’s protocol is vulnerable to a denial of service attack and a user impersonation attack.

In this paper, we reconsider Chung et al.’s protocol, and find that it provides neither untraceability nor security against known attacks. The paper is organized as follows. In the next section, we review the protocol proposed by Chung et al. In Sect. 3, our cryptanalysis of the protocol presents the attacks in detail. Finally, we conclude the paper in Sect. 4.

2 Review of Chung et al.’s Protocol

In this section, we describe Chung et al.’s protocol, which consists of three phases: registration, authentication and session key establishment, and renewal. There are two types of entities involved in the protocol: the mobile devices and the trusted server. The notations used in the protocol are listed in Table 1.

Table 1. The notations used in Chung et al.’s protocol

2.1 Registration Phase

In the registration phase, a mobile device M gets registered using its chosen identity \(ID_M\). First, it sends \(ID_M\) to the server R through a secure channel. After checking the validity of the identity, R retrieves its secret key x, chooses a random number \(x_M\), and computes a virtual identity for the mobile device as

$$\begin{aligned} VID_M=h(ID_M\Vert x_M\Vert x). \end{aligned}$$
(1)

Then, R stores \([VID_M, ID_M, x_M]\) in its database and sends back \([VID_M, x_M, h(\cdot )]\). Finally, M stores these values securely.

2.2 Authentication and Session Key Establishment Phase

In the authentication and session key establishment phase, two mobile devices, \(M_1\), \(M_2\), authenticate each other anonymously with the help of the server R. The following descriptions explain this phase in steps.

  1.

    \(M_1\) first generates two nonces \(n_{M_1}\) and \(r_{M_1}\) and retrieves \([VID_{M_1}, x_{M_1}, h(\cdot )]\) with input \(ID_{M_1}\). Then, it computes

    $$\begin{aligned} SID_{M_1}=VID_{M_1} \oplus h(h(x)\Vert n_{M_1}), \end{aligned}$$
    (2)
    $$\begin{aligned} V_1=r_{M_1} \oplus h(x_{M_1}\Vert n_{M_1}), \end{aligned}$$
    (3)
    $$\begin{aligned} H_1=h(x_{M_1}\Vert SID_{M_1}\Vert V_1\Vert n_{M_1}), \end{aligned}$$
    (4)

    and sends \(m_1=\{SID_{M_1}, V_1, H_1, n_{M_1}, ID_R\}\) to the nearby mobile device.

  2.

    When \(M_2\) receives an authentication request from another mobile device, it generates a nonce \(n_{M_2}\), retrieves \([VID_{M_2}, x_{M_2}, h(\cdot )]\) with input \(ID_{M_2}\), and computes

    $$\begin{aligned} SID_{M_2}=VID_{M_2} \oplus h(h(x)\Vert n_{M_2}), \end{aligned}$$
    (5)
    $$\begin{aligned} H_2=h(x_{M_2}\Vert SID_{M_2}\Vert V_2\Vert n_{M_2}). \end{aligned}$$
    (6)

    Then, it forwards \(m_1\) together with the computed values to R as \(m_2 = \{SID_{M_1}, V_1, H_1, n_{M_1}, ID_R, SID_{M_2}, H_2, n_{M_2}\}\).

  3.

    When R receives \(m_2\) from a mobile device, it first recovers the virtual identity as follows:

    $$\begin{aligned} VID_{M_1}' = SID_{M_1} \oplus h(h(x)\Vert n_{M_1}), \end{aligned}$$
    (7)
    $$\begin{aligned} VID_{M_2}' = SID_{M_2} \oplus h(h(x)\Vert n_{M_2}). \end{aligned}$$
    (8)

    Then, R retrieves the records \([VID_{M_1}, ID_{M_1}, x_{M_1}]\) and \([VID_{M_2}, ID_{M_2},x_{M_2}]\) from the database. If the records do not exist, R terminates the session. Otherwise, it checks \(H_1\) and \(H_2\) respectively using the obtained values. If both are valid, R authenticates both mobile devices. Next, it generates a nonce \(n_R\) and computes

    $$\begin{aligned} r_{M_1}' = V_1 \oplus h(x_{M_1}\Vert n_{M_1}), \end{aligned}$$
    (9)
    $$\begin{aligned} V_2 = r_{M_1}' \oplus h(x_{M_2}\Vert n_{M_2}), \end{aligned}$$
    (10)
    $$\begin{aligned} V_3 = h(x_{M_2}\Vert VID_{M_1}\Vert {n_{M_2}}), \end{aligned}$$
    (11)
    $$\begin{aligned} V_4 = h(x_{M_1}\Vert VID_{M_2}\Vert {n_{M_1}}), \end{aligned}$$
    (12)
    $$\begin{aligned} H_3 = h(x_{M_2}\Vert V_2\Vert V_3\Vert V_4\Vert n_R), \end{aligned}$$
    (13)

    and sends \(m_3 = \{V_2, V_3, V_4, H_3, n_R\}\) back to \(M_2\).

  4.

    When \(M_2\) receives the response from R, it computes the required values to check \(H_3\). Also, it recovers \(M_1\)’s virtual identity as in (7), and checks \(V_3\) accordingly. If both are valid, it recovers the nonce \(r_{M_1}'\) as in (9), generates a new nonce \(r_{M_2}\), and computes

    $$\begin{aligned} SK = h(h(x)\Vert r_{M_1}\Vert r_{M_2}\Vert VID_{M_1}\Vert VID_{M_2}), \end{aligned}$$
    (14)
    $$\begin{aligned} V_5 = r_{M_2}\oplus h(h(x)\Vert r_{M_1}), \end{aligned}$$
    (15)
    $$\begin{aligned} V_6 = h(SK\Vert n_{M_1}), \end{aligned}$$
    (16)
    $$\begin{aligned} H_4 = h(r_{M_1}\Vert SID_{M_2}\Vert V_4\Vert V_5\Vert V_6\Vert n_{M_2}). \end{aligned}$$
    (17)

    Then, it sends \(m_4 = \{SID_{M_2}, V_4, V_5, V_6, H_4, n_{M_2}\}\) back to \(M_1\).

  5.

    When \(M_1\) receives the response from the nearby mobile device, it computes the required values to check \(H_4\). Also, it recovers \(M_2\)’s virtual identity as in (8), and \(M_2\)’s new nonce as

    $$\begin{aligned} r_{M_2}' = V_5 \oplus h(h(x)\Vert n_{M_2}). \end{aligned}$$
    (18)

    Then, it checks \(V_4\) and \(V_6\) accordingly. If all checking procedures return valid, it computes

    $$\begin{aligned} V_7 = h(SK\Vert n_{M_2}), \end{aligned}$$
    (19)

    and sends \(m_5 = \{V_7\}\) to \(M_2\).

  6.

    When \(M_2\) receives the response from \(M_1\), it checks the validity of \(V_7\). If it is correct, the session key SK is established between \(M_1\) and \(M_2\).
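The following Python simulation of the authentication and session key establishment phase is an added example, not code from this paper or from Chung et al.; it runs steps 1 to 6 with the two devices and the server as objects and reports whether every check passes and both devices derive the same SK. It assumes SHA-256 for h(·), 16-byte nonces n, 32-byte nonces r and secrets x_M (so that the XOR masks line up), and Python dictionaries for the messages m_1 to m_5. Two further points are assumptions rather than the page’s text: (6) lists V_2 inside H_2, but V_2 is only formed by R in (10), so H_2 is taken here over x_{M_2}, SID_{M_2} and n_{M_2}, the values M_2 holds at step 2 (the shape the argument of Sect. 3.2 also relies on); and M_1 unmasks V_5 with h(h(x)‖r_{M_1}), the inverse of (15), where the page’s (18) writes n_{M_2}.

```python
import hashlib
import os

def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over the concatenation (assumption: the page fixes no hash)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (all masked values are 32 bytes here)."""
    return bytes(p ^ q for p, q in zip(a, b))

class Server:
    """The trusted server R: long-term secret x and database VID -> (ID, x_M)."""
    def __init__(self) -> None:
        self.x = os.urandom(32)
        self.hx = h(self.x)          # h(x) is handed to every registered device
        self.db = {}

    def register(self, id_m: bytes) -> dict:
        """Registration phase, eq. (1); returns what M stores."""
        x_m = os.urandom(32)
        vid = h(id_m, x_m, self.x)
        self.db[vid] = (id_m, x_m)
        return {"VID": vid, "x_M": x_m, "hx": self.hx}

    def step3(self, m2: dict):
        """Step 3: unmask both virtual identities, verify H1/H2, build m3 (None on failure)."""
        vid1 = xor(m2["SID1"], h(self.hx, m2["n1"]))   # (7)
        vid2 = xor(m2["SID2"], h(self.hx, m2["n2"]))   # (8)
        if vid1 not in self.db or vid2 not in self.db:
            return None
        x1, x2 = self.db[vid1][1], self.db[vid2][1]
        if m2["H1"] != h(x1, m2["SID1"], m2["V1"], m2["n1"]):   # (4)
            return None
        if m2["H2"] != h(x2, m2["SID2"], m2["n2"]):             # (6), see lead-in
            return None
        n_r = os.urandom(16)
        r1 = xor(m2["V1"], h(x1, m2["n1"]))    # (9)
        v2 = xor(r1, h(x2, m2["n2"]))          # (10)
        v3 = h(x2, vid1, m2["n2"])             # (11)
        v4 = h(x1, vid2, m2["n1"])             # (12)
        h3 = h(x2, v2, v3, v4, n_r)            # (13)
        return {"V2": v2, "V3": v3, "V4": v4, "H3": h3, "nR": n_r}

class Device:
    """A registered mobile device holding [VID_M, x_M, h(x)]."""
    def __init__(self, creds: dict) -> None:
        self.vid, self.x_m, self.hx = creds["VID"], creds["x_M"], creds["hx"]
        self.sk = None

    def mask(self, n: bytes) -> bytes:
        return xor(self.vid, h(self.hx, n))    # (2), (5)

    def step1(self) -> dict:
        self.n, self.r = os.urandom(16), os.urandom(32)
        sid = self.mask(self.n)
        v1 = xor(self.r, h(self.x_m, self.n))         # (3)
        h1 = h(self.x_m, sid, v1, self.n)             # (4)
        return {"SID1": sid, "V1": v1, "H1": h1, "n1": self.n, "ID_R": b"R"}

    def step2(self, m1: dict) -> dict:
        self.m1, self.n = m1, os.urandom(16)
        self.sid = self.mask(self.n)
        h2 = h(self.x_m, self.sid, self.n)             # (6), see lead-in
        return dict(m1, SID2=self.sid, H2=h2, n2=self.n)

    def step4(self, m3: dict):
        if m3["H3"] != h(self.x_m, m3["V2"], m3["V3"], m3["V4"], m3["nR"]):   # (13)
            return None
        vid1 = xor(self.m1["SID1"], h(self.hx, self.m1["n1"]))   # (7)
        if m3["V3"] != h(self.x_m, vid1, self.n):                 # (11)
            return None
        r1 = xor(m3["V2"], h(self.x_m, self.n))                   # (9) via (10)
        r2 = os.urandom(32)
        self.sk = h(self.hx, r1, r2, vid1, self.vid)              # (14)
        v5 = xor(r2, h(self.hx, r1))                              # (15)
        v6 = h(self.sk, self.m1["n1"])                            # (16)
        h4 = h(r1, self.sid, m3["V4"], v5, v6, self.n)            # (17)
        return {"SID2": self.sid, "V4": m3["V4"], "V5": v5, "V6": v6, "H4": h4, "n2": self.n}

    def step5(self, m4: dict):
        if m4["H4"] != h(self.r, m4["SID2"], m4["V4"], m4["V5"], m4["V6"], m4["n2"]):  # (17)
            return None
        vid2 = xor(m4["SID2"], h(self.hx, m4["n2"]))   # (8)
        r2 = xor(m4["V5"], h(self.hx, self.r))          # inverse of (15), see lead-in
        if m4["V4"] != h(self.x_m, vid2, self.n):       # (12)
            return None
        self.sk = h(self.hx, self.r, r2, self.vid, vid2)   # (14)
        if m4["V6"] != h(self.sk, self.n):                 # (16)
            return None
        return {"V7": h(self.sk, m4["n2"])}                # (19)

    def step6(self, m5: dict) -> bool:
        return m5["V7"] == h(self.sk, self.n)              # step 6

def run_auth(server: Server, m1_dev: Device, m2_dev: Device) -> bool:
    """Run steps 1-6; True iff every check passes and both devices agree on SK."""
    m2 = m2_dev.step2(m1_dev.step1())
    m3 = server.step3(m2)
    m4 = m2_dev.step4(m3) if m3 else None
    m5 = m1_dev.step5(m4) if m4 else None
    return bool(m5) and m2_dev.step6(m5) and m1_dev.sk == m2_dev.sk
```

A run between two registered devices succeeds, while a device whose masked identity does not resolve in the database is rejected by R at step 3. Note that `Device.mask` and the unmasking in `Server.step3` use nothing but h(x), which every registered device holds, and the nonce sent in the clear; the observation of Sect. 3.1 rests on exactly this.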

2.3 Renewal Phase

In the renewal phase, a mobile device M renews its virtual identity through the server R. The following descriptions explain this phase in steps.

  1.

    M first generates a nonce \(n_M\) and retrieves \([VID_M, x_M, h(\cdot )]\) with input \(ID_M\). Then, it computes similarly as (5) and (6):

    $$\begin{aligned} SID_M = VID_M \oplus h(h(x)\Vert n_M), \end{aligned}$$
    (20)
    $$\begin{aligned} H_5 = h(x_M\Vert SID_M\Vert n_M), \end{aligned}$$
    (21)

    and sends \(m_6 = \{SID_M, H_5, n_M\}\) to R.

  2.

    When R receives a renewal request from M, it recovers the virtual identity similarly as (7) or (8):

    $$\begin{aligned} VID_M' = SID_M\oplus h(h(x)\Vert n_M), \end{aligned}$$
    (22)

    and retrieves the record \([VID_M, ID_M, x_M]\) from the database. If the record does not exist, or the check of \(H_5\) fails, R terminates the session immediately. Otherwise, it generates a nonce \(n_R\) and a new shared secret \(x_M^*\), and computes the new virtual identity for M as

    $$\begin{aligned} VID_M^* = h(ID_M\Vert x_M^*\Vert x), \end{aligned}$$
    (23)

    and updates the database accordingly. Then, R sends back \(m_7 = \{SID_M',V_8,H_6,n_R\}\) to M, where

    $$\begin{aligned} V_8 = x_M^*\oplus h(x_M\Vert n_M), \end{aligned}$$
    (24)
    $$\begin{aligned} SID_M' = VID_M^* \oplus h(h(x)\Vert x_M^*), \end{aligned}$$
    (25)
    $$\begin{aligned} H_6 = h(x_M\Vert SID_M'\Vert V_8\Vert n_R). \end{aligned}$$
    (26)

  3.

    When M receives the response from R, it first checks \(H_6\). If it is incorrect, M terminates the renewal phase immediately. Otherwise, it computes the new shared secret and virtual identity as

    $$\begin{aligned} x_M^* = V_8 \oplus h(x_M\Vert n_M), \end{aligned}$$
    (27)
    $$\begin{aligned} VID_M^* = SID_M'\oplus h(h(x)\Vert x_M^*). \end{aligned}$$
    (28)

    Then, M renews its stored values as \([VID_M^*, x_M^*, h(\cdot )]\), and will use the new virtual identity for later logins.

3 Cryptanalysis of Chung et al.’s Protocol

In this section, we analyze Chung et al.’s protocol in terms of security against known attacks. We assume that an attacker obtains a registered mobile device in all attacks. The analysis shows that their protocol does not protect user privacy in terms of untraceability. Also, an active attacker can launch a denial of service (DoS) attack and a user impersonation attack.

3.1 No Provision of Untraceability

In this attack, a passive attacker can trace the mobile devices across different protocol runs. First, the attacker E extracts h(x) from the registered mobile device. Then, E starts to eavesdrop on messages coming from other mobile devices in the authentication and session key establishment phase, and captures \(m_1\) and \(m_2\) continuously. According to (2) and (5), the virtual identities can be correctly computed by

$$\begin{aligned} VID_{M_i} = SID_{M_i} \oplus h(h(x)\Vert n_{M_i}). \end{aligned}$$
(29)

Thus, E can easily keep track of the mobile devices through the same virtual identity.

In Chung et al.’s protocol, the renewal phase allows the mobile device holder to renew the virtual identity if it is revealed. As a countermeasure to resist such an attack launched by E, one may think of simply invoking a renewal phase immediately after each authentication and session key establishment phase. However, this incurs extra communication overhead. Furthermore, it still cannot resist the attacks discussed in the following subsections.

3.2 Denial of Service Attack

In this attack, an active attacker can force the trusted server to deny a valid authentication request coming from a registered mobile device. The following descriptions explain the attack in steps.

  1.

    An active attacker E first eavesdrops on a successful protocol run \(\varPi _{Auth}\) involving a mobile device as \(M_2\), and captures \(m_2\) in the authentication and session key establishment phase.

  2.

    Then, E extracts \(m_2' = \{SID_{M_2}, H_2, n_{M_2}\}\) from \(m_2\), and initiates a fresh renewal phase by replacing \(m_6\) with \(m_2'\).

In the renewal phase, the trusted server R will accept the renewal request. This is because (1) \(m_2'\) and \(m_6\) consist of the same kinds of values, namely a masked virtual identity \(SID_M\), a hashed value \(H_i\) and a nonce \(n_M\), and (2) \(m_2'\) has passed the verification of \(H_2\) in \(\varPi _{Auth}\), so it must also pass the verification of \(H_5\) in the renewal phase. As soon as R updates its database with the newly generated virtual identity and shared secret, \(M_2\) has no chance to log in again until either R or \(M_2\) discovers the attack.

It is essential to prevent denial of service attacks on schemes with an on-line renewal phase. Although the values stored in the mobile device and those in the server’s database are desynchronized by the attacker, the server may take measures against desynchronization. It can keep the most recently renewed virtual identity as well as the values before the renewal. However, such an enhancement incurs computation overhead, since the server may have to query the database twice to find the correct identity for the mobile device. Furthermore, it does not resist the user impersonation attack described in the next subsection.
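The following Python simulation is an added example, not code from this paper or from Chung et al.; it implements the renewal phase of Sect. 2.3, eqs. (20) to (28), and models the server-side measure sketched just above, keeping the record from before the last renewal resolvable alongside the newly issued one. It assumes SHA-256 for h(·), 16-byte nonces and 32-byte shared secrets x_M, dictionaries for m_6 and m_7, and a `keep_previous` switch (not part of the protocol) that turns the measure on or off. The desynchronized state that the attack leaves behind is produced here benignly, by a renewal whose response m_7 never reaches the device.

```python
import hashlib
import os

def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over the concatenation (assumption: the page fixes no hash)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

class RenewalServer:
    """R with the renewal phase of Sect. 2.3. With keep_previous=True the record that was
    valid before the last renewal stays resolvable (the measure discussed in Sect. 3.2)."""
    def __init__(self, keep_previous: bool = True) -> None:
        self.x, self.keep_previous = os.urandom(32), keep_previous
        self.hx = h(self.x)
        self.records = {}   # VID -> (ID, x_M); a real database would query current, then previous
        self.current = {}   # ID -> VID issued by registration or the last renewal
        self.previous = {}  # ID -> VID the device may still hold if the last m7 never arrived

    def register(self, id_m: bytes) -> dict:
        x_m = os.urandom(32)
        vid = h(id_m, x_m, self.x)                       # (1)
        self.records[vid], self.current[id_m] = (id_m, x_m), vid
        return {"VID": vid, "x_M": x_m, "hx": self.hx}

    def lookup(self, vid: bytes):
        return self.records.get(vid)

    def renew(self, m6: dict):
        """Step 2 of the renewal phase; returns m7, or None if the request is rejected."""
        vid = xor(m6["SID"], h(self.hx, m6["n"]))        # (22)
        rec = self.lookup(vid)
        if rec is None:
            return None
        id_m, x_m = rec
        if m6["H5"] != h(x_m, m6["SID"], m6["n"]):       # (21)
            return None
        n_r, x_new = os.urandom(16), os.urandom(32)
        vid_new = h(id_m, x_new, self.x)                 # (23)
        # Database update: keep the record just used only with keep_previous, drop any
        # other stale record for this device, and add the new one.
        for old in (self.current.get(id_m), self.previous.get(id_m)):
            if old is not None and (old != vid or not self.keep_previous):
                self.records.pop(old, None)
        self.previous[id_m] = vid if self.keep_previous else None
        self.current[id_m] = vid_new
        self.records[vid_new] = (id_m, x_new)
        v8 = xor(x_new, h(x_m, m6["n"]))                 # (24)
        sid_new = xor(vid_new, h(self.hx, x_new))        # (25)
        h6 = h(x_m, sid_new, v8, n_r)                    # (26)
        return {"SID'": sid_new, "V8": v8, "H6": h6, "nR": n_r}

class RenewalDevice:
    def __init__(self, creds: dict) -> None:
        self.vid, self.x_m, self.hx = creds["VID"], creds["x_M"], creds["hx"]

    def request(self) -> dict:
        """Step 1: m6 = {SID_M, H5, n_M}."""
        self.n = os.urandom(16)
        sid = xor(self.vid, h(self.hx, self.n))                            # (20)
        return {"SID": sid, "H5": h(self.x_m, sid, self.n), "n": self.n}   # (21)

    def finish(self, m7: dict) -> bool:
        """Step 3: verify H6, then adopt the new secret and virtual identity."""
        if m7["H6"] != h(self.x_m, m7["SID'"], m7["V8"], m7["nR"]):      # (26)
            return False
        x_new = xor(m7["V8"], h(self.x_m, self.n))       # (27)
        self.vid = xor(m7["SID'"], h(self.hx, x_new))    # (28)
        self.x_m = x_new
        return True

def renew(server: RenewalServer, device: RenewalDevice) -> bool:
    """A complete renewal run; True iff R accepted m6 and M accepted m7."""
    m7 = server.renew(device.request())
    return m7 is not None and device.finish(m7)

def in_sync(server: RenewalServer, device: RenewalDevice) -> bool:
    """Does the record R resolves for the device's current VID carry the device's x_M?"""
    rec = server.lookup(device.vid)
    return rec is not None and rec[1] == device.x_m

def dropped_response(server: RenewalServer, device: RenewalDevice) -> None:
    """A renewal whose m7 never reaches M: R has updated its database, M has not."""
    assert server.renew(device.request()) is not None
```

With `keep_previous=True` a device whose renewal response was lost still resolves under its old record and can renew again to catch up; with the measure switched off the same device no longer resolves at all, which is the locked-out state described above. As the text notes, this second lookup is the extra database cost, and it changes nothing about the attack of Subsect. 3.3.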

3.3 User Impersonation Attack

In this attack, an active attacker can successfully impersonate another registered mobile device without knowing its real identity. The attack extends the denial of service attack in Subsect. 3.2. The following descriptions explain the attack in steps.

  1.

    An active attacker E initiates an authentication and session key establishment phase with the target mobile device \(M_2\). Let \(\varPi _{auth}\) denote this protocol run. Then, E captures \(m_3\) to obtain \(V_2\) in \(\varPi _{auth}\), and computes

    $$\begin{aligned} H_E = V_2 \oplus r_{M_1}. \end{aligned}$$
    (30)

    The value of \(H_E\) should be equal to \(h(x_{M_2}\Vert n_{M_2})\) according to (10).

  2.

    Next, E follows the steps described in the denial of service attack in Subsect. 3.2. Let \(\varPi _{new}\) denote the protocol run of the renewal phase.

  3.

    In \(\varPi _{new}\), E also intercepts \(m_7\) to obtain \(V_8\) and \(SID_M'\). To further obtain the renewed virtual identity and the shared secret stored in R’s database, E computes

    $$\begin{aligned} x_{M_E} = V_8 \oplus H_E, \end{aligned}$$
    (31)

    and derives \(VID_{M_E}\) similarly as (28) using the computed \(x_{M_E}\). Both values should be equal to the renewed ones stored in the database according to (24) and (25).

  4.

    To impersonate \(M_2\), E always retrieves \([VID_{M_E}, x_{M_E}, h(x)]\) to compute required values in the authentication and session key establishment phase or the renewal phase.

The user impersonation attack is based on the denial of service attack discussed in Subsect. 3.2. So, the active attacker E can continue to impersonate \(M_2\) until someone figures out the attack.

4 Conclusions

In this paper, we reconsider Chung et al.’s anonymous mutual authentication protocol. Their protocol aims to provide secure authentication and preserve user’s privacy for inter-device communication in mobile networks. However, we find that their protocol does not guarantee user’s privacy in terms of untraceability. Also, we demonstrate that the protocol is vulnerable to a denial of service attack and a user impersonation attack.