Design of a password-based authenticated key exchange protocol for SIP

Abstract

The Session Initiation Protocol (SIP) is a signaling communications protocol, which has been chosen for controlling multimedia communication in 3G mobile networks. In recent years, password-based authenticated key exchange protocols are designed to provide strong authentication for SIP. In this paper, we address this problem in two-party setting where the user and server try to authenticate each other, and establish a session key using a shared password. We aim to propose a secure and anonymous authenticated key exchange protocol, which can achieve security and privacy goal without increasing computation and communication overhead. Through the analysis, we show that the proposed protocol is secure, and has computational and computational overheads comparable to related authentication protocols for SIP using elliptic curve cryptography. The proposed protocol is also provably secure in the random oracle model.

1 Introduction

Session Initiation Protocol (SIP) is a signaling protocol, which operates on the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) at the application layer in order to maintain, initiate and terminate the multimedia sessions [27]. SIP supports the multimedia services (transmission of voice and video) on both wired as well as wireless networks, which has gained a wide popularity. However, there are emerging security challenges in SIP such as authentication and confidentiality by knowing the fact that an adversary can fully control the public channels. The authenticity ensures the correctness of the participants, whereas the confidentiality is used to achieve data security and integrity. In order to ensure the authorized access of resources, the server verifies the authenticity of the user. However, one way authentication is not enough in these services as an adversary can perform server-spoofing attack [11, 24, 26, 40]. On the contrary, the mutual authentication ensures the authenticity of the sender and the receiver, where the user and the server can verify the authenticity of each other [16]. To achieve confidentiality, usually transmitted data is encrypted using the established session key between the user and server. To establish session key, key agreement mechanism is used, where the user and server compute a common session key using their shared secrets.

Security challenges in SIP are emerging with advancement in computing technology [2, 28, 31, 35]. In recent years, several SIP authentication and key agreement protocols have been designed and developed to satisfy desirable security attributes. In earlier proposed schemes for SIP, the server uses a challenge-response mechanism to verify the authenticity of the user. Unfortunately, these schemes support one-way authentication in which the server can verify user’s authenticity, but the user can not verify the correctness of source. This enables an adversary to masquerade as the trusted server to achieve user’s secret information. In 2005, Yang et al. [38] showed that the earlier proposed authentication schemes for SIP are vulnerable to the server-spoofing and the off-line password guessing attacks. To fix the security pitfalls of SIP authentication schemes, Yang et al. introduced a new authentication scheme for SIP, which is based on the Diffie-Hellman key exchange protocol. Their scheme supports mutual authentication and session key agreement. Although Huang et al. [17] showed that Yang et al.’s scheme does not withstand off-line password guessing attack. To enhance the security of Yang et al.’s scheme, Huang et al. also presented an improved scheme. Letter, Jo et al. [21] found that proposed scheme by Huang et al.’s does not withstand the off-line password guessing attack. Durlanik et al. [9] proposed an efficient and improved authentication scheme for SIP using the elliptic curve cryptography (ECC) in order to overcome the weaknesses in Yang et al.’s scheme. Wu et al. [34] also presented an authentication scheme for SIP using ECC. Later on, Yoon et al. [41] demonstrated that both Durlanik et al.’s scheme and Wu et al.’s scheme do not withstand the stolen-verifier attack and the off-line password guessing attack. In addition, Yoon et al. introduced an ECC-based improved authentication scheme for SIP. However, Gokhroo et al. [13] and Pu [25] pointed out that Yoon et al.’s scheme is still vulnerable to the off-line password guessing attack and does not withstand the replay attack. To enhance the security of Yoon et al.’s scheme, Tsai et al. [32] proposed an improved authentication scheme for SIP based on random nonce. Unfortunately, Yoon et al. [42] identified that Tsai et al.’s scheme cannot resist the off-line password guessing attack and the stolen-verifier attack. To overcome these weaknesses, Yoon et al. further proposed an improved scheme for SIP. Later, Xie et al. [36] found that Yoon et al.’s scheme is still vulnerable to the off-line password guessing and stolen-verifier attacks. Arshad et al. [3] also pointed out the vulnerability of Tsai’s scheme, and showed that the off-line password guessing and stolen verifier attacks are possible on Tsai’s scheme. To erase security flaws of Tsai’s scheme, Arshad et al. proposed an ECC-based improved scheme, which is later shown to be insecure against the off-line password guessing attack by He et al. [15]. Zhang et al. [43] proposed an efficient smart card-based authentication and key agreement scheme for SIP. Tu et al. [33] pointed out that that Zhang et al.’s scheme cannot withstand the impersonation attack. To enhance the security of Zhang et al.’s scheme, Tu et al. proposed an improved authentication scheme for SIP. Their scheme is more efficient than Zhang et al.’s protocol as computational cost in the authentication phase of their scheme is about 75 % of Zhang et al.’s scheme. Recently, Farash [10] pointed out that Tu et al.’s scheme is insure against impersonation attack. He also proposed an improved scheme to withstand impersonation attack without increasing computation overhead. Jiang et al. [20] showed that Zhang et al.’s scheme is insecure against the malicious insider impersonation attack. Furthermore, they proposed an improved scheme to overcome the security weakness found in Zhang et al.’s scheme. However, Jiang et al.’s scheme does not present password change phase. Irshad et al. [18] also pointed out that Zhang et al.’s scheme is without any password-verifier database using smart card. They proposed single round authentication and key-agreement protocol which allows the involved parties to authenticate in a single round-trip of exchanged messages. Recently, Arshad and Nikooghadam [4] demonstrated that Irshad et al.’s scheme is insure against user impersonation attack. Moreover, ECC-based authentication and key agreement scheme for SIP is proposed without smart card. Yeh et al. [39] analyzed the Diffie-Hellman (DH) based authentication protocols for SIP to enhance the security in the current SIP authentication mechanism. They proposed an ECC-based authentication protocol for SIP, which is more efficient as compared to DH-based authentication protocols for SIP.

The ECC-based SIP authentication schemes [10, 20, 39] are secure against various attacks and have low computation cost compare to DH-based authentication protocols for SIP. But, these schemes do not support anonymous authentication which increases the possibility of ID-theft and other privacy concerns. However, a scalable authentication scheme for SIP should protect user’s anonymity. Recently, Zhang et al. [44] proposed an anonymous authentication scheme based on Farash and Attari’s work [12]. Their scheme can efficiently protect user’s privacy, but it is vulnerable to insider attack, where a malicious insider can know the user’s password. It increases the possibility of illegal access of user’s accounts, which are protected using the same passwords. Additionally, server responses to any login request with a challenge message without identifying the validity of requester. Due to this drawback, the server may be flooded with fake requests. In this paper, we propose an improved scheme, which keeps the merits of anonymity and efficiency. Through the rigorous formal and informal security analysis, we show that our scheme is secure against various known attacks including the attacks discussed in existing authentication schemes for SIP. We also give the proof of security in the random oracle model.

The rest of the article is arranged as follows: In next Section, we recall some basic mathematical preliminaries and define some notations. In Section 3, we present password-based two party authenticated key exchange protocol (2PAKE) for SIP. Correctness of mutual authentication is demonstrated in Section 4. Security analysis is given in Section 5. We compare the security features and performance of our scheme with other related schemes in Section 6. Finally, we conclude the paper in Section 7.

2 Mathematical preliminaries

In this section, we briefly discuss some basic mathematical preliminaries. We discussed the meaning of symbols in Table 1 and abbreviations in Table 2.

Table 1 List of symbols

Table 2 List of abbreviations

2.1 BAN logic

BAN logic [7, 30] is applied to show the correctness of mutual authentication between the user and server. Using BAN logic, one can show that the user and server determine whether the exchanged information is secured and trustworthy against eavesdropping. It comprises the verification of message origin, message freshness and the origin’s trustworthiness. Some notations used in BAN logic analysis are described as follows:

• P| ≡X: The principal P believes the statement X.

• \(P \lhd X\): P sees X, means that P has received a message combine X.

• P| ∼X: P once said X, means that P| ≡X when P sent it.

• P| ⇒X: P controls X, P has an authority on X (Jurisdiction over X).

• ♯(X): The message X is fresh.

• \(P |\hspace {-.15cm}\equiv Q \overset {{k}}\longleftrightarrow P\): P and Q use K (shared key), to communicate with each other.

• \(A \overset {x}{\longleftrightarrow } B:x\) is a shared secret information between A and B.

• {X} _K : The formula X is encrypted under k.

• < X > _Y : The formula X is combined with formula Y.

• (X) _K : The formula X is hashed with the key K.

• \(\overset {{k}}\rightarrow P\): K is public key of P.

• \(P \overset {{X}}\rightleftharpoons Q\): X is a secret formula, known only to P and Q.

In order to describe logical postulates of BAN logic in formal terms [6, 7], following rules are defined below:

1. Rule (1).

   Message meaning rule:

   $$ \frac{P |\equiv Q \overset{{K}}\longleftrightarrow P, P \lhd \{X\}_{k}}{P |\equiv Q|\sim X} $$

   (1)

   If P believes that K is shared with Q and sees X encrypted under k, then P believes that Q once said X.

2. Rule (2).

   The nonce verification rule:

   $$ \frac{P |\equiv \sharp (X), P | \equiv Q|\sim X}{P |\equiv Q|\equiv X} $$

   (2)

   If P believes that X has been uttered recently (freshness) and P believes that Q once said X, and then P believes that Q believes X.

3. Rule (3).

   The jurisdiction rule:

   $$ \frac{P |\equiv Q |\equiv X, P |\equiv Q|\Rightarrow X}{P |\equiv X} $$

   (3)

   If P believes that Q has jurisdiction over X, and P believes that Q believes a message X, then P believes X.

4. Rule (4).

   The freshness rule:

   $$ \frac{P |\equiv \sharp (X)}{P |\equiv \sharp (X, Y)} $$

   (4)

   If one part known to be fresh, then the entire formula must be fresh.

2.2 Collision-resistant one-way hash function

A collision-resistant one-way hash function is defined in [5, 29] as follows.

Definition 1 (Collision-resistant one-way hash function)

A collision-resistant one-way hash function h : X → Y, where X = {0, 1}^∗ and Y = {0, 1}ⁿ is a deterministic algorithm that takes an input as an arbitrary length binary string x ∈ {0, 1}^∗ and outputs a binary string y ∈ {0, 1}ⁿ of fixed-length n. If we denote \(Adv_{\mathcal {A}}^{HASH} (t)\) as an adversary \(\mathcal {A}\)’s advantage in finding collision, we then have

$$\begin{array}{@{}rcl@{}} Adv_{\mathcal{A}}^{HASH} (t) & = & Pr[(x, x^{\prime}) \in_{R} \mathcal{A} : \\ & & x \ne x^{\prime}\ and\ h(x) = h(x^{\prime})], \end{array} $$

where P r[E] denotes the probability of a random event E and \((x, x^{\prime }) \in _{R} \mathcal {A}\) denotes the pair (x, x′) is selected randomly by \(\mathcal {A}\). In this case, the adversary \(\mathcal {A}\) is allowed to be probabilistic and the probability in the advantage is computed over the random choices made by the adversary \(\mathcal {A}\) with the execution time t. We call such a hash function h(⋅) is collision-resistant, if \(Adv_{\mathcal {A}}^{HASH}(t) \le \epsilon _{1}\), for any sufficiently small 𝜖 ₁ > 0.

2.3 Elliptic curve over a prime field

A non-singular elliptic curve y ² = x ³ + a x + b over the finite field G F(p) is considered as the finite set E _p (a, b) of solutions (x, y) ∈ Z _p × Z _p to the congruence y ² = x ³ + a x + b (mod p), where a, b ∈ Z _p are constants chosen such that the condition 4a ³ + 27b ² ≠ 0 (mod p) is satisfied, together with a special point \(\mathcal {O}\) called the point at infinity or zero point, where Z _p = {0, 1, … , p−1} and p > 3 be a prime. The total number of points on the elliptic curve E _p (a, b), which is denoted by |E|, satisfies the inequality [22]: \(p + 1 -2\sqrt {p} \le |E| \le p + 1 +2 \sqrt {p}\). Thus, we can say that an elliptic curve E _p (a, b) over Z _p has roughly p points. Furthermore, E _p (a, b) forms an commutative group under addition modulo p operation.G be a additive group of points of E _p (a, b), whose order is n. Assume that P = (x _P , y _P ) and Q = (x _Q , y _Q ) are two points on elliptic curve y ² = x ³ + a x + b (mod p). Then R = (x _R , y _R ) = P + Q is computed as follows [23]:

$$\begin{array}{@{}rcl@{}} x_{R} & = & (\gamma^{2} - x_{P} - x_{Q}) (\bmod \, p), \\ y_{R} & = & (\gamma (x_{P} - x_{R}) - y_{P}) (\bmod \, p), \\ \text{where} \, \gamma & = & \left\{ \begin{array}{c} \frac{y_{Q}-y_{P}} {x_{Q}-x_{P}} \, (\bmod \, p), \text{if} \, P \neq Q \\ \frac{{3 x_{P}}^{2} + a} {2y_{P}} \, (\bmod \, p), \text{if} \, P = Q. \end{array} \right. \end{array} $$

In elliptic curve cryptography, multiplication is defined as the repeated additions. For example, if P ∈ E _p (a, b), then 5P is computed as 5P = P + P + P + P + P (mod p).

Definition 2

(Elliptic curve Computational Diffie-Hellman (EC-CDH) Assumption) The problem of computing Q = q P and R = r P are relatively easy for given scalar q, r ∈ Z _p and an elliptic curve point P ∈ E _p (a, b). However, given two points q P and r P, it is a computationally hard to derive q r P. This problem is called the elliptic curve Computational Diffie-Hellman [23].This can be defined more formally by considering an Experiment \(Exp^{cdh}_{G}(\mathcal {A})\) where we choose two values q and r in Z _p , compute q P and r P, and then provide q P and r P to \(\mathcal {A}\). \(\mathcal {A}\) experiment \(Exp^{cdh}_{G}(\mathcal {A})\) outputs 1 if Z = q r P and 0 otherwise. We defined \(Adv^{cdh}_{G} (\mathcal {A}) = Pr[Exp^{cdh}_{G}(\mathcal {A}) = 1]\) as the advantage of adversary in violating the CDH assumption. The advantage function of the group, \(Adv^{cdh}_{G}(t) = max_{\mathcal {A}}\{Adv^{cdh}_{G} (\mathcal {A})\}\) with time complexity at most t.

2.3.1 Security model

In order to show that proposed scheme withstand the known attacks to the authentication protocols, we use the method of provable security. The security proof is based on the model of ECC-based password authentication scheme [1, 8, 14, 19, 37].

Participants

We consider a distributed system, which constitutes two disjoint sets: \(\mathcal {U}\), the set of users and \(\mathcal {S}\), the set of trusted servers which assumed to consist of single trusted server. In distinct executions of the proposed authentication protocol π, the participants may have several instances called oracles. \({{\Pi }_{E}^{i}}\) denotes the i-th instance of participant E in a session. Each instance \({{\Pi }_{E}^{i}}\) has partner ID, session ID and a session key \(pi{d^{i}_{E}}\), \(si{d^{i}_{E}}\) and \(s{k^{i}_{E}}\), respectively.

Long lived keys

Each user \(U_{i}\in \mathcal {U}\) holds a password P W _i and server S holds a vector \(PW_{S} = <PW_{i}>_{U\in \mathcal {U}}\) with an entry for each client.

Adversary model

The interaction between the protocol participants and an adversary \(\mathcal {A}\) occurs only via oracle queries that models the adversary \(\mathcal {A}\) capacities in the real attack. The several instances may be active at any given time in a concurrent model, for a given intended partner, only one active user instance is allowed and password is non-concurrent model. This enables an adversary to simulates a real attack on the protocol. Let \({{\Pi }^{i}_{U}}\) defines the i-th instance of participant U _i and b be a bit selected uniformly at random, then possible oracle queries are as follows:

• Execute \(({{\Pi }^{i}_{U}}, {{\Pi }_{S}^{j}})\) This query models passive attacks against the protocol where adversary \(\mathcal {A}\) eavesdrops on honest execution between user instance \({{\Pi }^{i}_{U}}\) and server instance \({{\Pi }^{i}_{S}}\). It prompts an execution of the protocol between the user’s instances \({{\Pi }^{i}_{U}}\) and server’s instances \({{\Pi }_{S}^{j}}\) that outputs the exchanged messages during honest protocol execution to \(\mathcal {A}\).

• Reveal\(({{\Pi }^{i}_{U}})\) This query captures the notion of known key security. The instance \({{\Pi }^{i}_{U}}\), upon receiving the query and if it has accepted, provides the session key, back to \(\mathcal {A}\).

• Send\(({{\Pi }^{i}_{U}}, m)\) This query models simulate active attacks. This query sends a message m to an instance \({{\Pi }^{i}_{U}}\), enabling \(\mathcal {A}\) for active attacks. On receiving m, the instance \({{\Pi }^{i}_{U}}\) continues according to the protocol specification. The message output by \({{\Pi }^{i}_{U}}\), if any, is returned to \(\mathcal {A}\).

• Corrupt \(({{\Pi }^{i}_{U}})\) This query returns the long-lived key P W _i of the participant U _i to the adversary.

• Test\(({{\Pi }^{i}_{U}})\) This query is used for determining whether the protocol achieves authenticated key exchange or not. If \({{\Pi }^{i}_{U}}\) has accepted, then a random bit b ∈ {0, 1} chosen by the oracle, \(\mathcal {A}\) is given either the real session key if b = 1, otherwise, a random key drawn from the session-key space.

Notation

We say that an instance \({{\Pi }^{i}_{U}}\) is said to be open if a query Reveal\(({{\Pi }^{i}_{U}})\) has been made by adversary and unopened if it is not opened. We say that an instance \({{\Pi }^{i}_{U}}\) has accepted if it goes into an accept mode after receiving the last expected protocol message.

Definition 3

Two instances \({{\Pi }^{i}_{U}}\) and \({{\Pi }^{i}_{S}}\) are said to be partnered if the following conditions hold:

1. (1)

   Both \({{\Pi }^{i}_{U}}\) and \({{\Pi }^{i}_{S}}\) accept;

2. (2)

   Both \({{\Pi }^{i}_{U}}\) and \({{\Pi }^{i}_{S}}\) share the same session identifications (sid );

3. (3)

   The partner identification for \({{\Pi }^{i}_{U}}\) and \({{\Pi }^{i}_{S}}\) and vice-versa.

Definition 4

We say an instance \({{\Pi }^{i}_{U}}\) is considered fresh if the following conditions are met:

1. (i)

   It has accepted;

2. (ii)

   Both \({{\Pi }^{i}_{U}}\) and its partner \({{\Pi }^{i}_{S}}\) are unopened;

3. (iii)

   They are both instances of honest clients.

Definition 5

Consider an execution of the authentication protocol π by an adversary \(\mathcal {A}\), in which the latter is given access to the Execute, Send and Test oracles and asks at most single Test query to a fresh instance of an honest clints. Let b′ be his output, if b′ = b, where b is the hidden bit selected by the Test oracle. Let D be user’s password dictionary with size |D|. Then, the advantage of \(\mathcal {A}\) in violating the semantic security of the protocol π is defined more precisely as follows:

$$Adv_{\Pi,D} \mathcal{(A)} = |2Pr[b^{\prime} = b] -1| $$

The password authentication protocol is semantically secure if the advantage \(Adv_{\Pi ,D} \mathcal {(A)}\) is only negligibly larger than O(q _s )/|D|, where where q _s is the number of Send queries.

3 Proposed authenticated key exchange protocol for sip using ECC

In this section, we discuss our proposed authenticated key exchange scheme without using smart card. Our presented scheme consists of following four phases:

• System setup phase

• Registration phase

• Authentication and key agreement phase

• password change phase

3.1 System setup phase

The server selects an elliptic curve E _p (a, b) over a finite field \(\mathbb {Z}_{p}\), where p is a large prime. A base point P with order n over the elliptic curve E _p (a, b) is selected. The secret keys \(mk\in Z^{*}_{p}\) is also selected. Lastly, the server computes public key P _{p u b} = m k P and chooses a one way hash function h : {0, 1}^∗ → {0, 1}ⁿ, and then publishes the system parameters {E _p (a, b), p, P, h(⋅), P _{p u b} } and keeps mk secret.

3.2 Registration phase

To become a new user in the system, a user resisters his/her username to the server. The registration phase is summarized in Fig. 1. The description of registration phase is given below:

1. Step 1.

   User → Server: < I D _i , R P W _i >

   The user U _i chooses uniformly distributed password P W _i and selects a random number \(b\in Z^{*}_{p}\). U _i computes R P W _i = h(I D _i ||b||P W _i ). U _i stores b in his device and submits < I D _i , R P W _i > to S via secure channel.

2. Step 2.

   On receiving registration request with I D _i and R P W _i , S checks I D _i in its database. If I D _i exists, S asks a new username. Otherwise, S computes Y _i = h(I D _i ||m k) ⊕ R P W _i and stores (I D _i , Y _i , Y _{o l d} ) in its database, where Y _{o l d} is a null value.

Fig. 1

Mechanism of user registration

3.3 Authentication and key agreement phase

A legal user with valid username and password can initiate login session. Then, the user and server verify the correctness of each other. If the mutual authentication holds, both user and server compute session key. The summary of phase is given in Fig. 2.

1. Step 1.

   User → Server: REQUEST < D I D _i , C _i , V _i , T _i >

   The user U _i chooses a random number u ∈ Z _p and computes C _i = u P and \(D_{i} = uP_{pub} = umkP = ({D^{x}_{i}}, {D^{y}_{i}}) \in E_{P}(a, b)\). U _i also computes \(V_{i} = h(ID_{i}||T_{i}||h(ID_{i}||b||PW_{i})||{D^{x}_{i}})\), where T _i is the current timestamp. U _i masks I D _i as \(DID_{i} = ID_{i}\oplus {D^{y}_{i}}\). Finally, U _i sends the login message REQUEST < D I D _i , C _i , V _i , T _i > to S.

2. Step 2.

   Upon receiving the message < D I D _i , C _i , V _i , T _i > at time \(T_{i}^{\prime }\), S first verifies \(T_{i}^{\prime } - T_{i} \leqslant {\Delta } T\). If verification holds, S computes \(D_{s} = mkC_{i} = mkuP = ({D^{x}_{s}}, {D^{y}_{s}})\), and then retrieves \(ID_{i} = DID_{i}\oplus {D^{y}_{s}}\). S computes h(I D _i ||m k) and retrieves R P W _i as R P W _i = Y _i ⊕h(I D _i ||m k). S verifies \(V_{i} \overset {?}{=} h(ID_{i}||T_{i}||RPW_{i}||{D^{x}_{i}})\). If verification succeeds, U _i is authenticated by S.

3. Step 3.

   Server → User: CHALLENGE {C _s , V _s , T _s }

   S selects a random number \(s\in Z^{*}_{p}\) and computes C _s = s P and Z _s = s C _i = s u P. S computes the session key \(sk_{s} = h(ID_{i}||T_{i}||RPW_{i}||T_{s}||{D^{x}_{s}}||{Z^{x}_{s}})\) and \(V_{s} = h(ID_{i}||T_{i}||sk_{s}||T_{s}||{Z^{y}_{s}})\), where T _s is the current timestamp used by server. S sends the challenge message CHALLENGE < C _s , V _s , T _s > to U _i .

4. Step 4.

   On receiving the challenge message < C _s , V _s , T _s > at time \(T_{s}^{\prime }\), U _i verifies \(T_{i}^{\prime } - T_{i} \leqslant {\Delta } T\). If verification succeeds, U _i computes Z _i = u C _s = u s P and the session key \(sk_{i} = h(ID_{i}||T_{i}||h(ID_{i}||b||PW_{i})||T_{s}||{D^{x}_{i}}||{Z^{x}_{i}})\). Then, S verifies \(V_{s} \overset {?}{=} h(ID_{i}||T_{i}||sk_{i}||T_{s}||{Z^{y}_{i}})\). If the verification succeeds, S’s authentication and session key verification hold.

Fig. 2

Authentication and key exchange mechanism, where user and server mutually authenticate each other and draw a common key

3.4 Password change phase

When a legal user U _i wants to change his/her password, he/she selects a new password and sends the password change request to the server using established session key of current authorized session. Upon receiving the password change request, the server verifies the validity of request. For valid request, server updates the password and response with accept message. Otherwise, server responds with reject message. If a user receive acceptance of new password, he update the password. Otherwise, user again sends the password update request. The password change phase is summarized in Fig. 3. The description of password update phase is given below:

1. Step 1.

   User → Server: CHANGEPW < D I D _i , B, M _i >

   U _i selects a new password P W _{n e w} and a random number b ^∗. U _i computes R P W _{n e w} = h(I D _i ||b ^∗||P W _{n e w} ), B = R P W _{n e w} ⊕h(s k _i ||R P W _i ) and M _i = h(R P W _{n e w} ||s k _i ||R P W _i ). Then, U _i sends the password change request message CHANGEPW < D I D _i , B, M _i > to S.

2. Step 2.

   Server → User: ACCEPT < M _s >

   Upon receiving request with message CHANGEPW < D I D _i , B, M _i > , S retrieves R P W _{n e w} = B⊕h(s k _s ||R P W _i ), and then verifies \(M_{i} \overset {?}{=} h(RPW_{new}||sk_{s}||RPW_{i})\). If verification holds, S accepts the request and updates (I D _i , Y _i , Y _{o l d} ) with (I D _i , Y _{n e w} , Y _i ), where Y _{n e w} = h(I D _i ||m k)⊕R P W _{n e w} . S sends the message ACCEPT < M _s > to U _i , where M _s = h(I D _i ||R P W _{n e w} ||s k _s ||R P W _i ).

3. Step 3.

   Server → User: ACCEPT\(<M_{s}^{\prime }>\)

   If verification does not hold, S retrieves R P W _{o l d} = B⊕h(s k _s ||R P W _{o l d} ) using old password, where R P W _{o l d} = Y _{o l d} ⊕h(I D _i ||m k). S verifies \(M_{i} \overset {?}{=} h(RPW_{new}||sk_{s}||RPW_{old})\). If verification holds, S accepts the request and updates (I D _i , Y _i , Y _{o l d} ) with (I D _i , Y _{n e w} , Y _{o l d} ). Then, S sends the message ACCEPT\(<M_{s}^{\prime }>\) to U _i , where \(M_{s}^{\prime } = h(ID_{i}||RPW_{new}||sk_{s}||RPW_{old})\).

4. Step 4.

   Server → User: Reject\(<M_{s}^{\prime \prime }>\)

   If verification fails in Step 2 & Step 3, S rejects the password update request with the message Reject\(<M_{s}^{\prime \prime }>\), where \(M_{s}^{\prime \prime } = h(ID_{i}||RPW_{new}||sk_{s})\).

5. Step 5.

   On receiving the response message, U _i can verify the correctness of response. If server rejects the request or U _i does not receive server’s response, U _i again initiates the password update phase as discussed in Step 1. Otherwise, U _i can verify the response of the server as follows:

   • On receiving the message ACCEPT < M _s > , U _i can verify \(M_{s} \overset {?}{=} h(ID_{i}||RPW_{new}||sk_{i}||RPW_{i})\) using current password. If verification succeeds, U _i replaces b with b ^∗.

   • On receiving the message ACCEPT\(<M_{s}^{\prime }>\), U _i verifies \(M_{s} \overset {?}{=} h(ID_{i}||RPW_{new}||sk_{i}||RPW_{old})\). The user receives \(<M_{s}^{\prime }>\) only if last session of password update failed at user side. In this case also, a user can identify the correctness of server’s response and replace b with b ^∗.

   • On receiving the message REJECT\(<M_{s}^{\prime \prime }>\), U _i verifies \(M_{s}^{\prime \prime } \overset {?}{=} h(ID_{i}||RPW_{new}||sk_{s})\). Then, U _i does not update b.

Fig. 3

Summary of password change phase

Remark 1

The server keeps the backup of old password to avoid DOS attack. In case, if an adversary intercept the server’s response in password update, the server will update the password, but not the user. However, the user can again sends the password update request, which correctness a server can identify using the backup password.

4 Proof of mutual authentication using BAN Logic

We apply logical postulates of BAN logic [7, 30] to show the correctness of mutual authentication between the remote user and server. Using BAN logic, we show that the user and server determine whether exchanged information is fresh and trustworthy against eavesdropping. It comprises the verification of message origin, message freshness and the origin’s trustworthiness. In the proposed scheme, the generic form of the messages exchange between the user and server are as follows:

• Message 1. \(U_{i} \rightarrow S: \langle ID_{i}\oplus {D^{y}_{i}}, h(ID_{i}||T_{i}||RPW_{i}||{D^{x}_{i}}), uP, T_{i} \rangle \)

• Message 2. \(S \rightarrow U_{i}: \langle h(ID_{i}||T_{i}||sk_{s}||T_{s}||{Z^{y}_{s}}), sP, T_{s} \rangle \)

Subsequently, we translate the message 1 & 2 into idealize form as follows:

• Message 1. \(U\rightarrow S: <ID_{i}>_{umkP}, (ID_{i}, umP, T_{i})_{RPW_{i}}, uP, T_{i}\)

• Message 2. \(S\rightarrow U: (U_{i} \overset {sk}{\longleftrightarrow } S, ID_{i}, T_{i}, T_{s})_{suP}, T_{s}\)

Recall that in the proposed scheme, the user and server use fresh timestamp. We make the following assumptions about the initial state of the proposed scheme:

• A ₀: U _i | ≡ ♯(u);

• A ₁: U _i | ≡♯(T _i );

• A ₂: S| ≡♯(T _s );

• A ₃: \(U_{i} |\hspace {-.1cm}\equiv (U_{i} \overset {{RPW_{i}}}\longleftrightarrow S)\);

• A ₄: \(S |\hspace {-.1cm}\equiv (U_{i} \overset {RPW_{i}}\longleftrightarrow S)\);

• A ₅: \(U_{i} |\hspace {-.1cm}\equiv S |\hspace {-.1cm}\equiv (U_{i} \overset {RPW_{i}}\longleftrightarrow S)\);

• A ₆: \(S |\hspace {-.1cm}\equiv U_{i} |\hspace {-.1cm}\equiv (U_{i} \overset {RPW_{i}}\longleftrightarrow S)\);

• A ₇: \(U_{i} |\hspace {-.1cm}\equiv (U_{i} \overset {umkP}\longleftrightarrow S)\);

• A ₈: \(S |\hspace {-.1cm}\equiv (U_{i} \overset {umkP}\longleftrightarrow S)\);

Lemma 1

The server can verify the freshness and authenticity of user’s message.

Proof

User generates a login message and sends to the server in order to login to the server. With the message, the server receives the timestamp with other values which help to prove the correctness of message source as follows:

• S ₁: According to the message 1, we could get: \(S \lhd (ID_{i}, umkP, T_{i})_{RPW_{i}}, uP, T_{i}\).

• S ₂: According to the assumption A ₄, we apply the message meaning rule to get:S| ≡U _i | ∼T _i .

• S ₃: According to the assumption A ₁, we apply the freshness-propagation rule to get: \(S |\hspace {-.1cm}\equiv \sharp (ID_{i}, umkP, T_{i})_{RPW_{i}}\).

• S ₄: According to the A ₈ and S ₃, we apply nonce verification rule to obtain: \(S |\hspace {-.1cm}\equiv U_{i}|\hspace {-.1cm}\equiv (ID_{i}, umkP, T_{i})_{RPW_{i}}\).

• S ₅: According to the assumption A ₄ and S ₄, we apply the jurisdiction rule to get: S| ≡T _i .The server can identify freshness of user’s message using S ₅ and authenticity using S ₄. □

Lemma 2

The user can verify the freshness and authenticity of server’s response.

Proof

In the proposed scheme, when correctness of user’s login message holds, the server responds with a message which includes the server’s timestamp. The user can be able to identify the authenticity of server’s message as follows:

• S ₆: According to the message 2, we could obtain: \(U_{i} \lhd (U_{i} \overset {sk}{\longleftrightarrow } S, ID_{i}, T_{i}, T_{s})_{suP}, T_{s}\).

• S ₇: According to the assumption A ₃, we apply the message meaning rule to get: U _i | ≡S| ∼T _s .

• S ₈: According to the assumption A ₁ and S ₇, we apply the freshness conjuncatenation rule to get: \(U_{i} |\hspace {-.1cm}\equiv \sharp (U_{i} \overset {sk}{\longleftrightarrow } S, ID_{i}, T_{i}, T_{s})_{suP}\).

• S ₉: To compute the session key \(sk (= h(ID_{i}||T_{i}||RPW_{i}||T_{s}||{D^{x}_{s}}||{Z^{x}_{s}}))\), the shared secret value R P W _i and u m k P are needed to get: \(U_{i} |\hspace {-.1cm}\equiv \sharp (ID_{i}, T_{i}, T_{s}, muP, suP)_{RPW_{i}}\).

• S ₁₀: According to the A ₇, S ₈ and S ₉, we apply nonce verification rule to obtain: \(U_{i} |\hspace {-.1cm}\equiv S|\hspace {-.1cm}\equiv (ID_{i}, T_{i}, T_{s}, muP, suP)_{RPW_{i}}\).

• S ₁₁: According to the assumption A ₃, A ₇ and S ₁₀, we apply the jurisdiction rule to get: U _i | ≡T _s .This shows that the user can verify the freshness and authenticity of server’s message with S ₁₀ and S ₁₁. □

Theorem 1

The user and server can mutually authenticate each other.

Proof

According to the Lemma 1, the server can identify the fastnesses of message. Then, using A ₆ and A ₈, we apply the BAN logic rule to get \(S |\hspace {-.1cm}\equiv U_{i} |\hspace {-.1cm}\equiv (S \overset {sk}\longleftrightarrow U_{i})\).

According to the Lemma 2, the user can identify the freshness of server’s response and authenticity with A ₅ and A ₇. Then, we apply the BAN logic rule to get \(U_{i} |\hspace {-.1cm}\equiv S |\equiv (U_{i} \overset {sk}\longleftrightarrow S)\). □

5 Security analysis

5.1 Formal security analysis of the proposed scheme

Theorem 2

let D be a uniformly distributed dictionary of possible passwords with size |D|, Let π be the improved authentication protocol described in Algorithm 1 & 2. Let \(\mathcal {A}\) be an adversary against the semantic security within a time bound t. Suppose that CDH assumption holds, then,

$$Adv_{\Pi,D} \mathcal{(A)} = \frac{2{q_{h}^{2}}}{p} + \frac{2q_{s}}{p} + \frac{(q_{s} + q_{e})^{2}}{p} + 2q_{h}Adv^{cdh}_{G}(\mathcal{A}) + \frac{2q_{h}}{p} + \frac{2{q_{s}^{2}}}{D}$$

where \(Adv^{cdh}_{G}(\mathcal {A})\) is the success probability of \(\mathcal {A}\) of solving the elliptic curve based computational DiffieHellman problem. q _s is the number of Send queries, q _e is the number of Execute queries, q _h is the number of random oracle queries and p is a n-bit prime number, where n is security parameter.

Proof

This proof defines a sequence of hybrid games, starting at the real attack and ending up in game where the adversary has no advantage. For each game G _i (0≤i≤5), we define an event S u c c _i corresponding to the event in which the adversary correctly guesses the bit b in the test-query.

• Game G ₀ This game correspond to the real attack in the random oracle model. In this game, all the instances of U _i and the server S are modeled as the real execution in the random oracle. By definition of event S u c c _i in which the adversary correctly guesses the bit b involved in the Test-query, we have

  $$ Adv_{\Pi, D}(\mathcal{A}) = 2|Pr[Succ_{0}] - \frac{1}{2}| $$

  (5)

• Game G ₁ This game is identical to the game G ₀, except that we simulate the hash oracles h by maintaining the hash lists L i s t _h with entries of the form (I n p, O u t). On hash query for which there exists a record (I n p, O u t) in the hash list, return O u t. Otherwise, randomly choose a number \(Out \in Z_{p}^{*}\), send it to \(\mathcal {A}\) and store the new tuple (I n p, O u t) into the hash list. The Execute, Reveal, Send, Corrupt and Test oracles are also simulated as in the real attack where the simulation of the different polynomial number of queries asked by \(\mathcal {A}\). From the viewpoint of \(\mathcal {A}\), we identify that the game is perfectly indistinguishable from the real attack. Thus, we have

  $$ Pr[Succ_{1}] = Pr[Succ_{0}] $$

  (6)

• Game G ₂ In this game, the simulation of all the oracles is identical to game G ₁ except that the game is terminated if the collision occurs in the simulation of the transcripts < D I D _i , C _i , V _i , T _i > and < C _s , V _s , T _s > . According to the birthday paradox, the probability of collisions of the simulation of hash oracles is at most \(\frac {{q_{h}^{2}}}{2p}\). Similarly, the probability of collisions in the transcripts simulations is at most \(\frac {(q_{h} + q_{e})^{2}}{2p}\). Since C _i was selected uniformly at random. Thus, we have

  $$ |Pr[Succ_{2}] - Pr[Succ_{1}]| = \frac{{q_{h}^{2}}}{2p} + \frac{(q_{s} + q_{e})^{2}}{2p} $$

  (7)

• The simulation of this game is similar to the previous game except the game will be aborted if \(\mathcal {A}\) can correctly guessed the authentication values V _i and V _s without asking oracle h. This game and earlier game are indistinguishable unless the instances \({{\Pi }^{i}_{U}}\) and \({{\Pi }^{i}_{S}}\) rejects a valid authentication value. Hence, we have

  $$ |Pr[Succ_{3}] - Pr[Succ_{2}]| \leq \frac{q_{h}}{p} $$

  (8)

• Game G ₄ In this game, the session key is guessed without asking the corresponding oracle h so that it become independent of password and ephemeral keys u m k P. We change the way with earlier game unless \(\mathcal {A}\) queries h on the common value (I D _i ||T _i ||R P W _i ||T _s ||u m k P||u s P). Thus, \(Adv^{cdh}_{G}(\mathcal {A}) \geq \frac {1}{q_{h}}|Pr[Succ_{4}] - Pr[Succ_{3}]| - \frac {1}{p}\), that is, the difference between the game G ₄ and the game G ₃ is as follows:

  $$ |Pr[Succ_{4}] - Pr[Succ_{3}]| \leq q_{h}Adv^{cdh}_{G}(\mathcal{A}) + \frac{q_{h}}{p} $$

  (9)

• Game G ₅ This game is similar to the game G ₄ except that in Test query, the game is aborted if \(\mathcal {A}\) asks a hash function query with (I D _i ||T _i ||R P W _i ||T _s ||u m k P||u s P). \(\mathcal {A}\) gets the session key sk by hash function query with probability at most \(\frac {{q_{h}^{2}}}{2p}\). Hence, we have

  $$ |Pr[Succ_{5}] - Pr[Succ_{4}]| \leq \frac{{q_{h}^{2}}}{2p} $$

  (10)

  If \(\mathcal {A}\) does not make any h query with the correct input, it will not have any advantage in distinguishing the real session key from the random once. Moreover, if the corrupt query Corrupt (U,2) is made that means the password-corrupt query Corrupt (U,1) is not made. Thus, the probability of \(\mathcal {A}\) made off-line password guessing attack is \(\frac {{q_{s}^{2}}}{D}\). Combining the Eqs. 6, 7, 8, 9, 10 and 11 one gets the announced result as:

  $$Adv_{\Pi,D} \mathcal{(A)} = \frac{2{q_{h}^{2}}}{p} + \frac{2q_{s}}{p} + \frac{(q_{s} + q_{e})^{2}}{p} + 2q_{h}Adv^{cdh}_{G}(\mathcal{A}) + \frac{2q_{h}}{p} + \frac{2{q_{s}^{2}}}{D}$$

□

5.2 Further security discussion of the proposed scheme

In this section, we discuss that the proposed scheme have all the security feature of authentication and key agreement protocols including user’s anonymity.

Proposition 1

The proposed scheme could provide user’s anonymity with unlinkability.

Proof

The login message {D I D _i , C _i , V _i , T _i } includes D I D _i instead of I D _i . To retrieve I D _i from D I D _i is equivalent to compute u m k P using u P and m k P as D I D _i = I D _i ⊕u m k P ^y. Computation of u m k P using u P and m k P is equivalent to elliptic curve computational DiffieHellman (EC-CDH) problem. As EC-CDH is considered to be a computationally hard problem (defined in Definition 2), \(\mathcal {A}\) cannot retrieve I D _i from D I D _i . Moreover, user randomly chooses value u for each session, which makes u m k P different for each session so as D I D _i . Additionally, no information is repeated in consecutive communications. This shows that our scheme also achieve unlinkability property. □

Proposition 2

The proposed scheme could withstand privileged-insider attack.

Proof

During the registration phase, a legal user U _i submits masked password R P W _i to the server S instead of original password P W _i , where R P W _i = h(I D _i ||b||P W _i ) for randomly selected value b. Thus, an insider cannot achieve the password P W _i due to the non-retrieval property of the one-way hash function h(⋅). Moreover, the insider cannot guess the password as user does not submit b to the server. This shows that the proposed scheme resists insider attack. □

Proposition 3

The proposed scheme could resist stolen verifier attack.

Proof

In proposed scheme, the server stored Y _i , where Y _i = h(I D _i ||m k) ⊕ R P W _i . Thus, to retrieve, R P W _i from Y _i , the adversary needs user’s identity I D _i and server’s secret key mk. It is noted that neither the smart card nor the transmitted messages includes user’s identity I D _i in the proposed scheme. Additionally, the server key is consider secret. As the server secret key is only known to the server, the adversary cannot achieve R P W _i . This shows that our proposed scheme withstands the stolen verifier attack. □

Proposition 4

The proposed scheme could resist off-line password guessing attack.

Proof

In this attack, an adversary may try to guess a legal user U _i ’s password P W _i using the transmitted messages. In proposed scheme, the adversary may try to verify the password using the condition V _i = h(I D _i ||T _i ||h(I D _i ||b||P W _i )||u m k P ^x) or V _s = h(I D _i ||T _i ||s k _s ||T _s ||u s P ^x), where \(sk_{s} = h(ID_{i}||T_{i}||h(ID_{i}||b||PW_{i})||T_{s}||{D^{x}_{s}}||{Z^{x}_{s}})\). However, this attempt cannot succeed in the proposed scheme which is justified below:

• To verify the guessed password \(PW_{i}^{\ast }\) using V _i = h(I D _i ||T _i ||h(I D _i ||b||P W _i )||u m k P ^x), \(\mathcal {A}\) has to compute u P _{p u b} . To compute u P _{p u b} using u P and P _{p u b} , is equivalent to solve EC-CDH problem.

• To verify the guessed password \(PW_{i}^{*}\) using V _s = h(I D _i ||T _i ||s k _s ||T _s ||u s P ^x), \(\mathcal {A}\) has to compute s u P. The computation of s u P using u P and s P, is equivalent to solve EC-CDH problem.

It is clear from the above discussion that guessing password in the proposed scheme is equivalent to solve EC-CDH problem, which is hard. □

Proposition 5

The proposed scheme could withstand replay and man-in-the-middle attacks.

Proof

The login and verification messages include the timestamp. The maximum transmission delay ΔT is in communication, does not allow to repeat the old transmitted message. To update the timestamp of message {D I D _i , C _i , V _i , T _i } with \(\{DID_{i}, C_{\mathcal {A}}, V_{\mathcal {A}}, T_{\mathcal {A}}\}\) for current timestamp \(T_{\mathcal {A}}\), \({\mathcal {A}}\) has to compute \(V_{\mathcal {A}}\) which requires the user U _i ’s password P W _i and identity I D _i as \(V_{\mathcal {A}} = h(ID_{i}||T_{\mathcal {A}}||h(ID_{i}||b||PW_{i})||aP_{pub}^{x})\) for timestamp \(T_{\mathcal {A}}\) and random value a. Since the user’s password P W _i is secret, \(\mathcal {A}\) cannot achieve it. Moreover, to replace {s P, V _s , T _s } with \(\{aP, V_{s}^{*}, T_{E}\}\), \(\mathcal {A}\) has to compute v = h(I D _i ||T _i ||s k _s ||T _s ||a u P ^y), which also requires R P W _i and I D _i . As only valid user know I D _i and R P W _i , our proposed scheme resists the replay and man-in-the-middle attacks. □

Proposition 6

The proposed scheme could resist user impersonation attack.

Proof

In such an attack, an adversary may try to masquerade as a legitimate user U _i to successfully login to the server S. However, our proposed scheme resists this attack.

• \({\mathcal {A}}\) may try to login to the server S using the replay attack. However, the proposed scheme resists the replay attack.

• \({\mathcal {A}}\) may try to generate a valid login message \(\{DID_{\mathcal {A}}, aP, V_{\mathcal {A}}, T_{\mathcal {A}}\}\) for a random value a and current timestamp \(T_{\mathcal {A}}\), where \(V_{\mathcal {A}} = h(ID_{i}||T_{\mathcal {A}}||h(ID_{i}||b||PW_{i})||aP_{pub}^{x})\). However, the adversary cannot compute \(V_{\mathcal {A}}\) as computation of \(V_{\mathcal {A}}\) requires P W _i and I D _i .

It is clear that the adversary cannot generate valid login message as P W _i and I D _i are only known to user. This shows that the proposed scheme resists user impersonation attack. □

Proposition 7

The proposed scheme could withstand server impersonation attack.

Proof

In this attack, an adversary can masquerade as the server S and try to respond with a valid message to the user U _i . When a user U _i sends a login message \(\{DID_{i}, u^{\prime }P, V_{i}^{\prime }, T_{i}^{\prime }\}\) to the server S, the adversary intercepts this message and try to respond with a valid message, where \(V_{i}^{\prime } = h(ID_{i}||T_{i}^{\prime }||h(ID_{i}||b||PW_{i})||u^{\prime }mkP^{x})\). However, the proposed scheme resist this attack as follows:

• \(\mathcal {A}\) may try to respond using the old transmitted message < C _s , V _s , T _s > of S. This attempt cannot succeed as the login and response message includes timestamp and proposed scheme resists replay attack.

• \(\mathcal {A}\) may try to generate a valid response message \(<aP, V_{s}^{\prime }, T_{\mathcal {A}}>\) for current timestamp \(T_{\mathcal {A}}\), where computation of \(V_{s}^{\prime } = h(ID_{i}||T_{i}^{\prime }||sk_{s}^{\prime }||T_{E}||au^{\prime }P^{x})\) and \(sk_{s} = h(ID_{i}||T_{i}^{\prime }||RPW_{i}||T_{\mathcal {A}}||u^{\prime }mkP^{x}||au^{\prime }P^{x})\) require R P W _i and I D _i .

This shows that our proposed scheme has the ability to resist the server impersonation attack. □

Proposition 8

The proposed scheme could support mutual authentication.

Proof

In our scheme, the server S verifies the authenticity of user U _i ’s request by checking the condition \(V_{i} = h(ID_{i}||T_{i}||h(ID_{i}||b||PW_{i})||{D^{x}_{i}})\) during the authentication phase. To compute V _i , U _i ’s I D _i and P W _i are needed. Therefore, \(\mathcal {A}\) cannot forge. Additionally, V _i includes timestamp, the adversary cannot replay the old message. This shows that the server S can correctly verify the message source. U _i also verifies the authenticity of the server S with the condition \(V_{s} = h(ID_{i}||T_{i}||sk_{s}||T_{s}||{Z^{y}_{s}})\), which also requires I D _i and P W _i as \(sk_{s} = h(ID_{i}||T_{i}||RPW_{i}||T_{s}||{D^{x}_{s}}||{Z^{x}_{s}})\) and R P W _i = h(I D _i ||b||P W _i ). This shows that the user U _i can also correctly verify the server S challenge. Hence, mutual authentication between U _i and S can successfully achieved in our scheme. □

Proposition 9

The proposed scheme could have Key freshness property.

Proof

Note that in our scheme, each established sessionkey h(I D _i ||T _i ||R P W _i ||T _s ||u m k P ^x||s u P ^x) includes timestamp T _i and T _s and random values u and s. The timestamp are used to achieve the freshness for each session. Uniqueness property of timestamp for each session, guaranties the unique key for each session. The unique key construction for each session shows that the proposed scheme supports the key freshness property. □

Proposition 10

The proposed scheme could have known key secrecy property.

Proof

In our scheme, if a previously established session key h(I D _i ||T _i ||R P W _i ||T _s ||u m k P ^x||s u P ^x) is compromised, the compromised session key reveals no information about other session keys due to following reasons:

• Each session key is hashed with one-way hash function. Therefore, no information can be retrieved from the session key.

• Each session key includes timestamp, which ensures different key for each session.

Since no information about other established session keys from the compromised session key is extracted, our proposed scheme achieves the known key secrecy property. □

Proposition 11

The proposed scheme could have forward secrecy and perfect forward secrecy.

Proof

Forward secrecy states that compromise of user’s secret value does not lead to compromise of the established session keys. The perfect forward secrecy states that using compromised secret key of server, an adversary cannot compute established session keys. In the proposed scheme, using user’s secret value P W _i and server’s secret key mk, an adversary \(\mathcal {A}\) cannot compute the session key due to the following fact:

• To compute the session key sk, user identity I D _i , u s P and u m k P are needed along with P W _i as session key \(sk = h(ID_{i}||T_{i}||h(ID_{i}||b||PW_{i})||T_{s}||{D^{x}_{s}}||{Z^{x}_{s}})\), where \(Z_{s} = mkuP = ({D^{x}_{s}}, {D^{y}_{s}})\) and \(D_{s} = mkuP = ({D^{x}_{s}}, {D^{y}_{s}})\),.

• Neither the smart card nor transmitted messages includes I D _i . The transmitted message include D I D _i . Using P W _i , \(\mathcal {A}\) cannot derive I D _i , but using mk, \(\mathcal {A}\) can get I D _i .

• The computation of u m k P using u P and m k P is equivalent to solve EC-CDH problem. But, using mk, \(\mathcal {A}\) can compute u m k P.

• To compute u s P using u P and s P is also equivalent to solve EC-CDH problem. Moreover, \(\mathcal {A}\) cannot achieve u from u P and s from s P using mk and P W _i .

As computation of u s P is also equivalent to solve EC-CDH problem using u P and s P. This shows that our scheme preserves forward secrecy and perfect forward secrecy. □

6 Discussion

In this section we compare the performance of the proposed scheme with some recently proposed authentication schemes for SIP using ECC, namely, Zhang et al.’s protocol [43], Tu et al.’ protocol [33], Farash’s protocol [10], Zhang et al.’s protocol [44], Jiang et al. [20] and Yeh et al.’s protocol [39].

In Table 3, we compare the computational overhead of our scheme with Zhang et al.’s protocol [43], Tu et al.’ protocol [33], Farash’s protocol [10], Zhang et al.’s protocol [44], Jiang et al. [20] and Yeh et al.’s protocol [39]. For calculate the computational overhead, we use the following notations: T _{e c m} : time complexity of executing an elliptic curve point multiplication operation; T _{e c a} : time complexity of executing an elliptic curve point addition; T _{i n v} : time complexity of executing modular inversion; T _h : time complexity of executing a one-way hash function. From Fig. 2, we see that our scheme requires computation cost from user’s side and server’s side are 4T _h +3T _{e c m} and 4T _h +3T _{e c m} , respectively. It is clear from Table 3 that our proposed scheme is more efficient as compared to Zhang et al.’s protocol [43], Tu et al.’ protocol [33], Farash’s protocol [10], Zhang et al.’s protocol [44], Jiang et al. [20] and Yeh et al.’s protocol [39].

Table 3 Computational overhead comparison of the proposed scheme with related schemes

In Table 4, we have compared the communication overhead of the proposed scheme with other schemes, namely, Zhang et al.’s protocol [43], Tu et al.’ protocol [33], Farash’s protocol [10], Zhang et al.’s protocol [44], Jiang et al. [20] and Yeh et al.’s protocol [39]. For the login phase and authentication phase. We assume that the hash digest (output) is 160 bits, if we use SHA-1 hash function [29], timestamp is 32 bits, username is 160 bits, realm identity realm is 32 bits and random nonce/number is 160 bits. We take 160-bit ECC cryptosystem, because its security is same as 1024-bit RSA cryptosystem. Thus, for an elliptic curve E _p (a, b), each parameter p, a and b requires 160 bits. Then, a point P = (x _P , y _P ) ∈ E _p (a, b) requires (160+160) = 320 bits. In our scheme, the REQUEST message {D I D _U , C _i , V _i , T _i } requires (160 + 160 + 320 + 32) = 672 bits, the CHALLENGE message {C _s , V _s , T _s } requires (320 + 160 + 32) = 512 bits. As a result, our scheme needs (672 + 512) = 1184 bits for the communication overhead of two transmitted messages. From Table 4, it is clear that our scheme requires less communication overhead from Zhang et al.’s protocol [43], Tu et al.’ protocol [33], Farash’s protocol [10], Jiang et al. [20] and Yeh et al.’s protocol [39] and it is equally efficient to Zhang et al.’s protocol [44].

Table 4 Communication overhead comparison between our scheme and recently proposed SIP schemes

Finally, in Table 5, we have summarized the comparison of security features provided by the proposed scheme and other schemes, where symbol ’Yes’ used if the protocol support the attribute, otherwise, ’No’ is used. From this table, it is clear that the proposed scheme provides better security features. The proposed scheme has the ability to supports other good features such as user’s anonymity and formal verification. The scheme is superior in terms of features as compared to relevant SIP authentication schemes: Zhang et al.’s protocol [43], Tu et al.’ protocol [33], Farash’s protocol [10], Zhang et al.’s protocol [44], Jiang et al. [20] and Yeh et al.’s protocol [39].

Table 5 Features comparison between our scheme and other schemes

7 Conclusion

We have discussed the merits and demerits of the existing authentication schemes for SIP in the literature. The analysis indicates that the existing schemes are failing to resist various attacks or does not protect user anonymity. In this work, we have presented a password based authenticated key agreement scheme for SIP without using smart card. The proposed scheme achieves user anonymity without imposing extra computation overhead. The proposed scheme also requires less computation and computation overhead compare to other related authentication scheme for SIP using elliptic curve cryptography. It supports mutual authentication and session key agreement where the user and server can correctly identify the legitimacy of each other and can draw a common key. Our scheme satisfies all desirable security attributes which are demonstrated in the security analysis through both informal and formal security analysis. Considering the security and efficiency, the proposed scheme provides strong authentication with anonymity for SIP.