1 Introduction

The rapid development of wireless networks [11] has brought great convenience to people’s lives, in which there is a special network environment called global mobility network (GLOMONET) [1, 2, 9, 10, 14]. GLOMONET refers to a new network environment that can provide global roaming service for communication. With the rapid development of communication technologies, mobile users can access the services through roaming technologies. In this environment, the mobile user registers with the home agent. To obtain the service of the foreign network, it needs the help of the home agent to realize the authentication and establish a session secret key [6, 18,19,20] between the mobile user and the foreign agent. However, the communication transmitted in the mobile network environment is easily vulnerable to various attacks [4]. Thus, it is necessary to protect the privacy of users as well as to design authentication protocols to ensure the realization of secure communication [5, 7, 12, 15,16,17, 21].

In 2009, Chang et al. [3] proposed an enhanced authentication protocol to maintain the anonymity of mobile users for roaming services in global mobile networks. However, this protocol guarantees neither anonymity nor confidentiality. To improve their protocol, Zhou et al. [23] proposed a secure authentication protocol. Unfortunately, their protocol is also vulnerable to forgery attacks, replay attacks, and insider attacks. In 2016, Gope et al. [8] proposed an effective authentication protocol. However, this protocol is computationally expensive. Xu et al. [22] analyzed Gope et al.’s protocol and found that it is vulnerable to replay attacks and suffers from clock synchronization problems; they then proposed a new user authentication protocol.

Recently, Shashidhara et al. [13] analyzed Xu et al.’s protocol and found that the protocol is vulnerable to denial of service attacks, privileged-insider attacks, and impersonation attacks. To solve these security problems, they further proposed a lightweight user authentication protocol with privacy preservation. In this paper, we analyze Shashidhara et al.’s authentication protocol and point out its security vulnerabilities, including perfect forward secrecy (PFS), key compromise impersonation attacks (KCIA), and known-session-specific temporary information attacks (KTIA).

2 Review of Shashidhara et al.’s Protocol

In this section, we review the initialization phase, registration phase, login phase, and authentication phase of the protocol. The symbols used in this protocol are described in Table 36.1.

Table 36.1 Notations

2.1 Initialization Phase

The protocol includes three roles: Mobile User (MU), Foreign Agent (FA), and Home Agent (HA). In the initialization phase, FA obtains a dynamic Diffie–Hellman secret key \(\mathrm {SK}_F\) from HA, where \(\mathrm {SK}_F = h(\mathrm {ID}_{\mathrm {FA}}\parallel \mathrm {SK}_H)\).

2.2 Registration Phase

In the registration phase, MU registers with HA through the following steps.

(1) MU selects an identity \(\mathrm {ID}_{\mathrm {MU}}\) and a password \(\mathrm {PSW}_{\mathrm {MU}}\), generates a random number \(R_M\), computes the pseudo identity \(\mathrm {AID}=h(\mathrm {ID}_{\mathrm {MU}}\parallel R_M)\), and sends \(M_m = \{\mathrm {AID}\}\) to HA through a secure channel.

(2) After receiving \(M_m\) from MU, HA computes \( \mathrm {RID}= h(\mathrm {AID}\parallel \mathrm {SK}_H)\) and initializes \(K_{\mathrm {MU}}\) to 0. HA stores \(\{\mathrm {AID}, K_{\mathrm {MU}}\}\) in its own database and sends \(M_h =\{\mathrm {RID}, K_{\mathrm {MU}}, h(.)\}\) to MU through a secure channel.

(3) After receiving \(M_h\) from HA, MU computes \(\mathrm {AC} = \mathrm {RID} \oplus h(\mathrm {PSW}_{\mathrm {MU}}\parallel R_M )\) and \(\mathrm {LA} = h(\mathrm {ID}_{\mathrm {MU}}\parallel \mathrm {PSW}_{\mathrm {MU}}\parallel R_M )\). Finally, MU stores \(\{ \mathrm {AC}, \mathrm {LA}, R_M, K_{\mathrm {MU}} \} \) in the smart card.

2.3 Login and Mutual Authentication Phase

This is a three-party authentication protocol. When MU wants to access a foreign network through the roaming service, MU and FA must be authenticated by HA to ensure secure communication. The authentication steps are as follows.

(1) MU enters its \(\mathrm {ID}_{\mathrm {MU}}\) and password \(\mathrm {PSW}_{\mathrm {MU}}\) into the smart device, computes \(\mathrm {LA}^*= h(\mathrm {ID}_{\mathrm {MU}}\parallel \mathrm {PSW}_{\mathrm {MU}}\parallel R_M )\) using the \(R_M\) stored in the smart card, and verifies \(\mathrm {LA}^*\overset{?}{=}\mathrm {LA}\). If they are equal, the smart-card login succeeds; otherwise, the login fails.

(2) After a successful login, MU generates a random number \(N_{\mathrm {MU}}\) and computes \(\mathrm {RID}= \mathrm {AC} \oplus h(\mathrm {PSW}_{\mathrm {MU}}\parallel R_M )\), \(A_M = h(\mathrm {ID}_{\mathrm {MU}}\parallel R_M )\oplus N_{\mathrm {MU}} \), and \(V_1 = h(\mathrm {RID}\parallel K_{\mathrm {MU}}) \oplus N_{\mathrm {MU}} \). Finally, MU transmits the login request \(M_1 =\{A_M, V_1, \mathrm {ID}_{\mathrm {HA}}\} \) to FA through the public channel.

(3) After receiving \(M_1\) from MU, FA generates a random number \(N_{\mathrm {FA}}\) and computes \(B_M=h(A_M\parallel \mathrm {SK}_F)\oplus N_{\mathrm {FA}}\) and \(V_2 = h(B_M\parallel \mathrm {SK}_F\parallel V_1)\). FA transmits the authentication request \(M_2=\{B_M, V_1, V_2, \mathrm {ID}_{\mathrm {FA}}\}\) to HA through the public channel.

(4) After receiving \(M_2\) from FA, HA checks whether \(\mathrm {ID}_{\mathrm {FA}}\) exists and, if so, finds the \(\mathrm {SK}_F = h(\mathrm {ID}_{\mathrm {FA}}\parallel \mathrm {SK}_H)\) associated with \(\mathrm {ID}_{\mathrm {FA}}\). HA computes \(V^*_2 = h(B_M\parallel \mathrm {SK}_F\parallel V_1)\) and verifies \(V_2^*\overset{?}{=}V_2\). If they are equal, HA believes that FA is legal; otherwise, the authentication is terminated. HA computes \(\mathrm {RID}^* = h(\mathrm {AID}\parallel \mathrm {SK}_H)\), \(N^*_{\mathrm {MU}} = h(\mathrm {RID}^*\parallel K_{\mathrm {MU}} )\oplus V_1 \), and \(V_1^*=h(\mathrm {RID}^*\parallel K_{\mathrm {MU}} )\oplus N^*_{\mathrm {MU}}\), and verifies \(V_1^*\overset{?}{=}V_1\). If they are equal, HA believes that MU is legal; otherwise, the authentication is terminated. HA then computes \(A^*_M = h(\mathrm {ID}_{\mathrm {MU}}\parallel R_M )\oplus N^*_{\mathrm {MU}}\), \(N^*_{\mathrm {FA}} =h(A^*_M\parallel \mathrm {SK}_F)\oplus B_M \), \(N^*_M = h(\mathrm {RID}^*\parallel N^*_{\mathrm {MU}}) \oplus N_{\mathrm {FA}}\), \(V_3 = h(\mathrm {ID}_{\mathrm {HA}}\parallel A^*_M\parallel \mathrm {SK}_F)\), and \(V_4 = h(\mathrm {RID}^*\parallel \mathrm {ID}_{\mathrm {FA}} \parallel K_{\mathrm {MU}})\). HA updates \( K_{\mathrm {MU}}= K_{\mathrm {MU}}+1 \) and stores it in its database. Finally, HA transmits the authentication response \(M_3=\{ N^*_M, V_3, V_4 \}\) to FA.

(5) After receiving \(M_3\) from HA, FA computes \(V^*_3 = h(\mathrm {ID}_{\mathrm {HA}}\parallel A_M\parallel \mathrm {SK}_F)\) and verifies \(V_3^*\overset{?}{=}V_3\). If they are equal, FA believes that HA and MU are legal; otherwise, the communication is terminated. FA then computes \(\mathrm {SK}=h(N_{\mathrm {FA}}\parallel A_M\parallel \mathrm {ID}_{\mathrm {HA}})\) and transmits the message \( M_4=\{ N^*_M, V_4 \}\) to MU.

(6) After receiving \(M_4\) from FA, MU computes \(V^*_4 = h(\mathrm {RID}\parallel \mathrm {ID}_{\mathrm {FA}} \parallel K_{\mathrm {MU}})\) and verifies \(V_4^*\overset{?}{=}V_4\). If they are equal, MU believes that FA and HA are legal; otherwise, the authentication is terminated. MU then computes \(N_{\mathrm {FA}} = h(\mathrm {RID}\parallel N_{\mathrm {MU}} )\oplus N^*_M\) and \(\mathrm {SK}=h(N_{\mathrm {FA}}\parallel A_M\parallel \mathrm {ID}_{\mathrm {HA}})\), and finally updates \(K_{\mathrm {MU}} = K_{\mathrm {MU}} + 1\) and stores it in the smart card.

3 Statement of the Problem

This paper is about the protocol of Shashidhara et al. In this section, we analyze the protocol and point out three security vulnerabilities: violation of perfect forward secrecy (PFS), key compromise impersonation attacks (KCIA), and known-session-specific temporary information attacks (KTIA). PFS means that even if the server’s long-term private key is compromised by the adversary (A), previously established session keys remain protected. KCIA means that if A obtains the long-term private key of a user, A can impersonate another legitimate user. KTIA means that the exposure of a random number used in a session leads to the exposure of that session key.

In this paper, we suppose that A has the following abilities. A can access the public communication channel. A may obtain the dynamic Diffie–Hellman secret key \(\mathrm {SK}_F\) from HA, where \(\mathrm {SK}_F = h(\mathrm {ID}_{\mathrm {FA}}\parallel \mathrm {SK}_H)\), and may directly access a random number \(N_{\mathrm {FA}}\).

3.1 Perfect Forward Secrecy

To compute the session key, A proceeds as follows.

(1) A first intercepts the login request \(M_1 =\{A_M, V_1, \mathrm {ID}_{\mathrm {HA}}\}\) and the authentication request \(M_2=\{B_M, V_1, V_2, \mathrm {ID}_{\mathrm {FA}}\}\) transmitted on the public channel. From the two requests, A obtains the parameters \(\{ A_M, \mathrm {ID}_{\mathrm {HA}}, B_M, \mathrm {ID}_{\mathrm {FA}} \} \) needed for the subsequent computation of the session key.

(2) A uses \(\{\mathrm {ID}_{\mathrm {FA}}, B_M, A_M\}\) from the intercepted message \(M_2\) together with \(\mathrm {SK}_H\) to compute \(\mathrm {SK}_F = h(\mathrm {ID}_{\mathrm {FA}}\parallel \mathrm {SK}_H)\) and \(N_{\mathrm {FA}} =h(A_M\parallel \mathrm {SK}_F)\oplus B_M \), obtaining the value \(N_{\mathrm {FA}}\) required for the session key computation.

(3) Finally, A can successfully compute \(\mathrm {SK}=h(N_{\mathrm {FA}}\parallel A_M\parallel \mathrm {ID}_{\mathrm {HA}})\).

Therefore, the protocol of R. Shashidhara et al. cannot provide PFS.

3.2 Key Compromise Impersonation Attacks

To impersonate a legitimate FA, A proceeds as follows.

(1) A first intercepts the authentication request \(M_2=\{B_M, V_1, V_2, \mathrm {ID}_{\mathrm {FA}}\}\) and the login request \(M_1 =\{A_M, V_1, \mathrm {ID}_{\mathrm {HA}}\}\) transmitted on the public channel, and computes \(\mathrm {SK}^*_F = h(\mathrm {ID}_{\mathrm {FA}}\parallel \mathrm {SK}_H)\) with the \(\mathrm {SK}_H\) obtained by A.

(2) A then generates a random number \(N^{\prime }_{\mathrm {FA}}\) and computes \(B^{\prime }_M=h(A_M\parallel \mathrm {SK}^*_F)\oplus N^{\prime }_{\mathrm {FA}}\) and \(V^{\prime }_2 = h(B^{\prime }_M\parallel \mathrm {SK}^*_F\parallel V_1)\). A can thus form a valid authentication request \(M^{\prime }_2=\{B^{\prime }_M, V_1, V^{\prime }_2, \mathrm {ID}_{\mathrm {FA}}\}\) and send it to HA.

(3) After receiving \(M^{\prime }_2\) from A, HA checks whether \(\mathrm {ID}_{\mathrm {FA}}\) exists and, if so, finds the \(\mathrm {SK}^*_F = h(\mathrm {ID}_{\mathrm {FA}}\parallel \mathrm {SK}_H)\) associated with \(\mathrm {ID}_{\mathrm {FA}}\). HA computes \(V^*_2 = h(B^{\prime }_M\parallel \mathrm {SK}^*_F\parallel V_1)\) and verifies \(V_2^*\overset{?}{=}V^{\prime }_2\). If they are equal, HA believes that A is a legal FA; otherwise, the authentication is terminated. HA computes \(\mathrm {RID}^* = h(\mathrm {AID}\parallel \mathrm {SK}_H)\), \(N^*_{\mathrm {MU}} = h(\mathrm {RID}^*\parallel K_{\mathrm {MU}} )\oplus V_1 \), and \(V_1^*=h(\mathrm {RID}^*\parallel K_{\mathrm {MU}} )\oplus N^*_{\mathrm {MU}}\), and verifies \(V_1^*\overset{?}{=}V_1\). If they are equal, HA believes that MU is legal; otherwise, the authentication is terminated. HA then computes \(A^*_M = h(\mathrm {ID}_{\mathrm {MU}}\parallel R_M )\oplus N^*_{\mathrm {MU}}\), \(N^{\prime }_{\mathrm {FA}} =h(A^*_M\parallel \mathrm {SK}^*_F)\oplus B^{\prime }_M \), \(N^{\prime }_M = h(\mathrm {RID}^*\parallel N^*_{\mathrm {MU}}) \oplus N^{\prime }_{\mathrm {FA}}\), \(V^{\prime }_3 = h(\mathrm {ID}_{\mathrm {HA}}\parallel A^*_M\parallel \mathrm {SK}^*_F)\), and \(V^{\prime }_4 = h(\mathrm {RID}^*\parallel \mathrm {ID}_{\mathrm {FA}} \parallel K_{\mathrm {MU}})\). HA updates \( K_{\mathrm {MU}}= K_{\mathrm {MU}}+1 \) and stores it in its database. Finally, HA transmits the authentication response \(M^{\prime }_3=\{ N^{\prime }_M, V^{\prime }_3, V^{\prime }_4 \}\) to A.

(4) After receiving \(M^{\prime }_3\) from HA, A computes \(V^*_3 = h(\mathrm {ID}_{\mathrm {HA}}\parallel A_M\parallel \mathrm {SK}^*_F)\) and verifies \(V_3^*\overset{?}{=}V^{\prime }_3\). If they are equal, A believes that HA and MU are legal; otherwise, the communication is terminated. A then computes \(\mathrm {SK}=h(N^{\prime }_{\mathrm {FA}}\parallel A_M\parallel \mathrm {ID}_{\mathrm {HA}})\) and transmits the message \( M^{\prime }_4=\{ N^{\prime }_M, V^{\prime }_4 \}\) to MU.

(5) After receiving \(M^{\prime }_4\) from A, MU computes \(V^*_4 = h(\mathrm {RID}\parallel \mathrm {ID}_{\mathrm {FA}} \parallel K_{\mathrm {MU}})\) and verifies \(V^*_4\overset{?}{=}V^{\prime }_4\). If they are equal, MU believes that A and HA are legal; otherwise, the communication is terminated. MU then computes \( N^{\prime }_{\mathrm {FA}} = h(\mathrm {RID}\parallel N_{\mathrm {MU}} )\oplus N^{\prime }_M\) and \(\mathrm {SK}=h(N^{\prime }_{\mathrm {FA}}\parallel A_M\parallel \mathrm {ID}_{\mathrm {HA}})\), updates \(K_{\mathrm {MU}}= K_{\mathrm {MU}}+1\), and stores it in the smart card. Thus A obtains the session key SK by impersonating FA.

Therefore, the protocol of R. Shashidhara et al. is vulnerable to KCIA.

3.3 Known-session-specific Temporary Information Attacks

To compute the session key, A proceeds as follows.

(1) A first intercepts the login request \(M_1 =\{A_M, V_1, \mathrm {ID}_{\mathrm {HA}}\}\) transmitted on the public channel. From the request, A obtains the parameters \(\{ A_M, \mathrm {ID}_{\mathrm {HA}}\} \) needed for the subsequent computation of the session key.

(2) A obtains the random number \(N_{\mathrm {FA}}\) generated by FA.

(3) Finally, A can successfully compute \(\mathrm {SK}=h(N_{\mathrm {FA}}\parallel A_M\parallel \mathrm {ID}_{\mathrm {HA}})\).

Therefore, the protocol of R. Shashidhara et al. is vulnerable to KTIA.
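The following simulation is an added example, not code from Shashidhara et al. or from this paper. It implements the registration and login/authentication phases of Sect. 2 as reviewed above and then checks the two observations that make Sects. 3.1 and 3.3 possible: the session key \(\mathrm {SK}=h(N_{\mathrm {FA}}\parallel A_M\parallel \mathrm {ID}_{\mathrm {HA}})\) is recomputable from the public transcript plus either the long-term key \(\mathrm {SK}_H\) (via \(\mathrm {SK}_F\) and \(B_M\)) or the single nonce \(N_{\mathrm {FA}}\); the derivation of \(\mathrm {SK}^*_F\) from \(\mathrm {SK}_H\) in Sect. 3.2 is the same first step. Assumptions, none of which come from the paper: \(h(.)\) is SHA-256 over the concatenation of its arguments, all nonces and keys are 32 bytes so that \(\oplus\) is length-preserving, the counter \(K_{\mathrm {MU}}\) is encoded as a 4-byte big-endian integer when hashed, only one MU is registered (the review does not say how HA locates \(\mathrm {AID}\)), and the identifiers, password and \(\mathrm {SK}_H\) are constructed values.

```python
import hashlib
import secrets

# Added example (not the paper's code). h(.) is instantiated as SHA-256 over the
# concatenation of its arguments; the paper does not fix h, so this is an assumption.
def h(*parts: bytes) -> bytes: return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))

# K_MU is a counter; it enters h(.) as a 4-byte big-endian value (assumption).
def k_bytes(k: int) -> bytes: return k.to_bytes(4, "big")

# Constructed identifiers, password and long-term secret for the simulation.
ID_MU, ID_FA, ID_HA = b"MU-constructed", b"FA-constructed", b"HA-constructed"
PSW_MU = b"constructed-password"
SK_H = secrets.token_bytes(32)      # HA's long-term key (constructed at random)
SK_F = h(ID_FA, SK_H)               # initialization phase: SK_F = h(ID_FA || SK_H)

def register():
    """Registration phase: returns MU's smart-card contents and HA's database entry."""
    R_M = secrets.token_bytes(32)
    AID = h(ID_MU, R_M)                       # M_m = {AID}, sent over the secure channel
    RID = h(AID, SK_H)                        # HA computes RID and initialises K_MU = 0
    ha_db = {"AID": AID, "K_MU": 0}
    card = {"AC": xor(RID, h(PSW_MU, R_M)),   # MU derives AC, LA from M_h = {RID, K_MU, h(.)}
            "LA": h(ID_MU, PSW_MU, R_M), "R_M": R_M, "K_MU": 0}
    return card, ha_db

def mu_login(card):
    """Steps (1)-(2): smart-card password check, then the login request M_1."""
    assert h(ID_MU, PSW_MU, card["R_M"]) == card["LA"], "smart-card login failed"
    N_MU = secrets.token_bytes(32)
    RID = xor(card["AC"], h(PSW_MU, card["R_M"]))
    A_M = xor(h(ID_MU, card["R_M"]), N_MU)
    V_1 = xor(h(RID, k_bytes(card["K_MU"])), N_MU)
    return {"A_M": A_M, "V_1": V_1, "ID_HA": ID_HA}, (RID, N_MU)   # MU keeps RID, N_MU

def fa_forward(M_1):
    """Step (3): FA masks its nonce N_FA and forwards the request M_2 to HA."""
    N_FA = secrets.token_bytes(32)
    B_M = xor(h(M_1["A_M"], SK_F), N_FA)
    V_2 = h(B_M, SK_F, M_1["V_1"])
    return {"B_M": B_M, "V_1": M_1["V_1"], "V_2": V_2, "ID_FA": ID_FA}, N_FA

def ha_authenticate(M_2, ha_db):
    """Step (4). The review does not say how HA locates AID; one registered MU is assumed."""
    sk_f = h(M_2["ID_FA"], SK_H)
    if h(M_2["B_M"], sk_f, M_2["V_1"]) != M_2["V_2"]:
        return None                           # V_2 check failed: FA not accepted
    K = k_bytes(ha_db["K_MU"])
    RID_s = h(ha_db["AID"], SK_H)
    N_MU_s = xor(h(RID_s, K), M_2["V_1"])
    if xor(h(RID_s, K), N_MU_s) != M_2["V_1"]:
        return None                           # V_1 check failed: MU not accepted
    A_M_s = xor(ha_db["AID"], N_MU_s)         # AID = h(ID_MU || R_M)
    N_FA_s = xor(h(A_M_s, sk_f), M_2["B_M"])
    N_M_s = xor(h(RID_s, N_MU_s), N_FA_s)
    V_3 = h(ID_HA, A_M_s, sk_f)
    V_4 = h(RID_s, M_2["ID_FA"], K)
    ha_db["K_MU"] += 1
    return {"N_M": N_M_s, "V_3": V_3, "V_4": V_4}

def fa_finish(M_1, M_3, N_FA):
    """Step (5): FA checks V_3, derives SK and forwards M_4 to MU."""
    if h(ID_HA, M_1["A_M"], SK_F) != M_3["V_3"]:
        return None, None
    return {"N_M": M_3["N_M"], "V_4": M_3["V_4"]}, h(N_FA, M_1["A_M"], ID_HA)

def mu_finish(card, M_1, M_4, state):
    """Step (6): MU checks V_4, unmasks N_FA and derives SK."""
    RID, N_MU = state
    if h(RID, ID_FA, k_bytes(card["K_MU"])) != M_4["V_4"]:
        return None
    N_FA = xor(h(RID, N_MU), M_4["N_M"])
    card["K_MU"] += 1
    return h(N_FA, M_1["A_M"], ID_HA)

def honest_run():
    """One complete run; returns both parties' SK, the public transcript and FA's nonce."""
    card, ha_db = register()
    M_1, state = mu_login(card)
    M_2, N_FA = fa_forward(M_1)
    M_3 = ha_authenticate(M_2, ha_db)
    M_4, sk_fa = fa_finish(M_1, M_3, N_FA)
    sk_mu = mu_finish(card, M_1, M_4, state)
    return sk_mu, sk_fa, M_1, M_2, N_FA

def sk_from_sk_h(sk_h, M_1, M_2):
    """Sect. 3.1: SK recomputed from the public transcript and HA's long-term key only."""
    sk_f = h(M_2["ID_FA"], sk_h)
    N_FA = xor(h(M_1["A_M"], sk_f), M_2["B_M"])
    return h(N_FA, M_1["A_M"], M_1["ID_HA"])

def sk_from_n_fa(n_fa, M_1):
    """Sect. 3.3: SK recomputed from the public transcript and the nonce N_FA only."""
    return h(n_fa, M_1["A_M"], M_1["ID_HA"])
```

Calling `honest_run()` yields equal keys for MU and FA and all four verifications pass, which confirms the simulation follows the reviewed steps; `sk_from_sk_h(SK_H, M_1, M_2)` and `sk_from_n_fa(N_FA, M_1)` then return that same key. The point for a designer is visible in the last two functions: the key derivation never binds to a value that only MU contributes (such as \(N_{\mathrm {MU}}\)) or to a fresh ephemeral Diffie–Hellman contribution, so either compromise named in Sect. 3 exposes the key of a recorded session.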

4 Conclusion

This paper is about the protocol of Shashidhara et al. We carefully analyze their proposed protocol and point out three security vulnerabilities: violation of PFS, KCIA, and KTIA. Contrary to the claims of Shashidhara et al., the protocol is unable to resist some well-known attacks and cannot guarantee secure communication. We hope that this research can guide researchers in designing a more secure protocol for roaming services in mobile environments.