A robust mutual authentication scheme for session initiation protocol with key establishment

Abstract

The Session Initiation Protocol (SIP) is a communication protocol that controls multimedia communication sessions. As the Internet users widely use SIP services, mutual authentication between the user and SIP server becomes an important issue. Several authentication protocols for SIP have been proposed for enhancing security and better complexities. Very recently, Lu et al. proposes an authenticated key agreement protocol for SIP and claims that it withstands various attacks and efficient. This paper points out that their protocol does not provide one of the most important features user anonymity. In addition, the same protocol is not able to resist user impersonation attack, server impersonation attack and fails to provide mutual authentication. The paper also presents an improved mutual authentication and key establishment protocol that conquers the security weaknesses in Lu et al.’s protocol. Informal security analysis is also carried out for several security properties. The formal proof for the correctness of mutual authentication and session key agreement is provided using BAN logic. It is shown that the proposed protocol is provably secure against identity and password guessing attacks in the random oracle model. The performance of the proposed scheme is compared with that of the existing related Elliptic Curve Cryptography (ECC) based schemes for SIP and shown that our scheme outperforms the others.

1 Introduction

Nowadays, the Internet telephony for video and voice calls are widely popular in the online multimedia services. There are many applications of the Internet that require the creation and management of a session. A session can be a collaborative multi-media conference or a simple two-way telephone call or a simple call to exchange data between two endpoints [22, 33, 45]. An endpoint can be a laptop, a smartphone or any device which can send and receive multimedia data through the Internet. This makes possible to implement services like web page click-to-dial, voice-enriched e-commerce or instant messaging with peer lists in an IP based system. The implementation of these applications is complicated as users are addressable by multiple names, move between endpoints and communicate via different media [21]. Various protocols have been proposed which carry several forms of real-time multimedia session data. SIP is a signaling protocol in an IP based network used to control multimedia communication sessions by creating, modifying, and terminating a session with several users over the Internet.

1.1 Background of SIP

SIP is used in Voice over Internet Protocol (VoIP) technology and is a choice for services related to VoIP [10, 27]. SIP is an application layer protocol, which works in association with a VoIP application to control multimedia communication sessions over the Internet. SIP applications include instant messaging, file transferring, online games, video conferencing and streaming multimedia distribution. SIP protocol is used for the Internet telephony and multimedia distribution between two or more endpoints [13, 31]. For instance, a user initiates a telephone call to another user using SIP, or someone creates a conference call with many participants. Two SIP endpoints can communicate without any intermediary SIP infrastructure. The SIP protocol is designed to be free from the underlying transport protocol. As it has only a limited set of commands, it is very simple. Also, anyone can read a SIP message passed between the endpoints in a SIP session, as it is text-based. But it should be noted that SIP is limited to only the setup and control of sessions [43]. The details of the data exchanged within a session related to an audio/video media is not controlled by SIP and is taken care of by other protocols. SIP is an agile, general-purpose tool, and is still growing and being modified to take into account all relevant features as the technology expands and evolves [44].

SIP defines user agents as well as several types of server network elements. SIP is executed between two user agents. Each user agent has two components client and server. Client at initiator user agent side sends a request to the server at responder user agent side, server sends a challenge to the client and the client sends the response to the challenge and hence complete an authentication process with establishment of a session key. After successful completion of the authentication process with key establishment, the client and server establish a channel between the two user agents using the session key. Using this established channel, the two user agents can start to exchange their multimedia data securely by executing SIP.

An Internet user can access the remote server to avail various multimedia services using SIP. In this scenario, the user authenticates to the server and vice-versa. This requires a vigorous mutual authentication scheme for SIP with key agreement to provide a strong security.

1.2 Related work

The SIP authentication scheme originates from the basic and digest access authentication protocol for hyper text transport [15]. On following that, several authentication schemes for SIP have been initiated in the literature [12, 28, 29, 31]. Later, Yang et al. [37] pointed out that these schemes are insecure and presented an improved authentication scheme for SIP based on the Diffie-Hellman key agreement technique. Huang & Wei [20] showed that Yang et al.’s scheme computation cost is high and it is not applicable for the system that has limited computational power. Moreover, He et al. [18] showed that Yang et al.’s scheme fails to resist the Denning-Sacco, off-line password guessing and stolen-verifier attacks.

Tsai [32] designed a robust authentication scheme for SIP that uses only XOR operations and one-way hash functions. However, Yoon et al. [40] pointed out that the scheme by Tsai [32] is vulnerable to the Denning-Sacco, stolen-verifier and off-line password guessing attacks. They presented an enhanced protocol to overcome the drawbacks in Tsai’s scheme. However, Xie [36] has pointed out that Yoon et al. [40] protocol fails to resist off-line password guessing and stolen-verifier attacks. They also presented an improved scheme that rectifies the stipulated shortcomings. Unfortunately, Farash et al. [14] showed that Xie’s protocol cannot withstand off-line password guessing and the impersonation attacks. They also proposed an enhanced protocol that overcomes the weaknesses in Xie’s scheme.

Since ECC uses limited key size and provides the same level of security in comparison with RSA cryptosystem, it is better to use ECC to design SIP protocol. Wu et al. [35] designed a provably secure ECC based authenticated key establishment protocol. However, Yoon et al. [41] showed that Wu et al.’s scheme fails to withstand the Denning-Sacco, off-line password guessing and stolen verifier attacks. In order to overcome the stipulated issues, Yoon et al. presented an enhanced authentication protocol for SIP using ECC. However, Gokhroo et al. [17] pointed out that Yoon et al.’s scheme is vulnerable to the replay attack and off-line password guessing attack.

Anonymity also becomes a significant issue in SIP since it could protect user’s privacy. However, Zhang et al. [42] pointed out that these authentication schemes are not providing user anonymity. They also presented an efficient and secure password based authenticated key agreement scheme for SIP. Recently Lu et al. [23] showed that Zhang et al.’s scheme is vulnerable to insider attack and it does not provide proper mutual authentication. In order to overcome the drawbacks in Zhang et al. scheme, Lu et al. [23] proposed a secure and efficient mutual authentication scheme for SIP. However, in this paper, it is shown that Lu et al. [23] protocol does not preserve user anonymity and it is completely insecure against impersonation attack.

It should be noted that most of the existing authentication protocols are not preserves user anonymity and not secured against off-line password guessing attack. Therefore, there is a need to develop a robust user anonymous authentication protocol for SIP that will resist off-line password guessing attack and many other known security attacks.

In this paper, an anonymity preserving mutual authentication protocol for SIP environment overcoming the security issues of Lu et al. [23] protocol is designed. Mutual authentication property of the proposed protocol is proved using BAN logic and the informal security analysis ensures resilience of off-line password guessing attack, impersonation attack, man-in-the-middle attack etc. The protocol is shown to be provably secure in random oracle model. In addition, our protocol offers password change and password recover facility to the registered users.

1.3 Adversary model

The adversary model in this section describes some valid assumptions about the authentication protocol, these assumptions are widely accepted [3, 4, 25, 30].

• An adversary can eavesdrop all the messages communicated between the protocol entities over the public channel, whereas the adversary has no control over the messages communicated over the private channel.

• The adversary can guess low-entropy identity and password of the user without difficulty, but guessing more than one secret parameter at a time is not feasible in polynomial time.

• The adversary can delete, modify, reroute and resend the eavesdropped messages.

• A legitimate user can be an adversary or vice versa.

• The probability of success for guessing the user’s identity or password composed of n characters is approximately \( \frac {1}{2^{6n}} \) as mentioned in [1, 6]

The paper is organised as follows. Section 2 describes Lu et al.’s scheme in brief and the security pitfalls of the same scheme are detailed in Section 3. The proposed protocol is described in Section 4. The BAN logic analysis and further security discussion of the proposed protocol against several security attacks are provided in Section 5. Section 6 details the comparative analysis of the proposed protocol with the existing related research. Section 7 concludes the paper.

2 Overview of Lu et al. scheme

Lu et al.’s scheme [23] consists of three phases mainly (1) registration, (2) authentication and (3) password change phase. The description of the three phases are detailed as below:

2.1 Registration phase

• Step R1: User U selects his/her own identity ID, password PW and a secret key p _u . After that, U computes P W D = h(P W||p _u ) and sends m ₁ = 〈I D, P W D〉 to the server S through a private channel.

• Step R2: Upon the receipt of the registration message from the user, server S computes V P W = h(I D||P W D) ⊕ h(p _s ) and backlog VPW in its database, where p _s is the secret key of the server.

2.2 Login and authentication phase

• Step L1: User selects a random number r _u and computes

  $$\begin{array}{@{}rcl@{}} T &=&h(ID||h(PW||p_{u})) \\ A &=& r_{u} \cdot P \\ B &=& T \oplus A \\ HID &=& ID \oplus T \\ C&=& h(ID||A) \end{array} $$

  where P is a point generator in the cyclic group of ECC cryptosystem. After that U sends the message m ₂ = 〈B, H I D, C〉 to S.

• Step L2: On receiving this message, S extracts \(T^{\prime }\) from VPW as \(T^{\prime }=VPW \oplus h(p_{s})\) and computes

  $$\begin{array}{@{}rcl@{}} A^{\prime} &=& B \oplus T^{\prime} \\ ID^{\prime} &=& HID \oplus T^{\prime} \\ C^{\prime} &=& h(ID^{\prime}||A^{\prime}) \end{array} $$

  The server also verifies the correctness of the equation \(C^{\prime } \overset {?}{=} C\). If it is correct, then the server selects a random number r _s and computes

  $$\begin{array}{@{}rcl@{}} D &=& r_{s} \cdot P \\ SK_{s} &=& r_{s} \cdot A \\ Auth_{s} &=&h(SK_{s}||T||A) \end{array} $$

  At last, S transmits the challenge message m ₃ = 〈D,A u t h _s 〉 to U.

• Step L3: After receiving this message from the server, U computes S K _u = r _u ⋅ D, \(Auth_{s}^{\prime }=h(SK_{u}||T||A)\) and verifies whether \(Auth_{s}^{\prime } \overset {?}{=} Auth_{s}\) holds. If it does not hold, the user terminates the session. Otherwise, U computes A u t h _u = h(S K _u ||T||D) and sends the response message m ₄ = 〈A u t h _u 〉 to the server.

• Step L4: In receipt of this message, the server computes \(Auth_{u}^{\prime }= h(SK_{s}||T||D)\) and checks for the correctness of \(Auth_{u}^{\prime } \overset {?}{=} Auth_{u}\). If it is correct, then the server and user share the symmetric key S K = S K _u = S K _s for the future session.

2.3 Password change phase

The user selects his new password P W ^new and the new secret key p ^new. Then the following steps are executed between the user and server:

• Step PC1: User computes V = h(S K||h(I D||h(P W D||p _u ))), \(M= h(ID||SK) \oplus h(ID||h(PWD^{new}||p_{u}^{new}))\) and sends the message m ₅ = 〈I D, V, M〉 to the server.

• Step PC2: After receiving password change request, server computes \(V^{\prime }= h(SK||VPW \oplus h(p_{s}))\) and checks the correctness of \(V^{\prime } \overset {?}{=} V\). If it is correct, the server computes V P W ^new = h(p _s ) ⊕ h(I D||S K) ⊕ M and then puts V P W ^new in the place of VPW in its database.

3 Security pitfalls in Lu et al. scheme

This section briefly describes several security pitfalls of the scheme proposed by Lu et al. such as off-line identity guessing attack, user impersonation attack, server impersonation attack and inefficient registration phase. The details of all the security weaknesses of Lu et al. scheme are shown below:

Off-line identity guessing attack

In online business, it is commonly assumed that the internet user perpetually chooses easy to recall the identity for his/her benefits and as mentioned in [2], an adversary can guess it due to preserving low-entropy property. The authors in protocol [23] claimed that their protocol is user-anonymous. Hence, a malicious user is not able to find the identity of a legal user. However, the scheme in [23] is not user-anonymous due to revealing of the identity of the user by the adversary as below.

An adversary captures the message m ₁ = 〈B, H I D, C〉 and extracts all the components B, HID, and C from m ₁. After that, the adversary guesses the user identity as ID and computes \(C^{\prime }= h(ID||(B\oplus (ID\oplus HID)))\). The adversary checks whether his guess is correct or not by verifying \(C^{\prime } \overset {?}{=} C\). If this condition is satisfied, the guessed identity is correct; else he guesses another identity and follows the same method.

$$\begin{array}{@{}rcl@{}} C &=& h(ID||A) \\ &=& h(ID|| (B \oplus T )) \\ &=& h(ID || (B \oplus (ID \oplus HID))) \\ &= &C^{\prime}. \end{array} $$

Further a procedure to reveal the identity is provided in Algorithm 1.

Also during the execution of password change phase, ID can be retrieved easily by the adversary, as it is transmitted in plain-text form.

User impersonation attack

After succeeded in ID guessing, an attacker can impersonate as a legal user. The attacker intercepts the login message m ₂ = {B, H I D, C} of the legal user and extracts all the components. The attacker chooses a random number \(r_{u}^{*} \in Z_{q}^{*}\) and computes \(A^{*}= r_{u}^{*} \cdot P\) since P is a public parameter. The attacker also computes T = H I D ⊕ I D, B ^∗ = T ⊕ A ^∗ and C ^∗ = h(I D||A ^∗). Finally, the attacker sends the login message \(m_{2}^{*}=\{ B^{*},HID,C^{*} \}\) to the server. This message will be authenticated in the server side as below:

Corresponding to HID, the server extracts VPW from the database and computes \(T^{\prime }= VPW \oplus h(p_{s})\), \(T^{\prime }=T\) because HID is of the legal user, computes \(A^{\prime } = B^{*} \oplus T^{\prime }\), \(A^{\prime }=A^{*}\) because \(T^{\prime }=T\) and computes \(ID^{\prime } = HID \oplus T^{\prime }\), \(ID^{\prime }=ID\) because \(T^{\prime }=T\) and computes \(C^{\prime } = h(ID^{\prime }||A^{\prime })=C^{*}\) because \(ID^{\prime }=ID\) and \(A^{\prime }=A^{*}\). Thus, Lu et al. scheme is vulnerable to user impersonation attack.

Server impersonation attack

As mentioned above, any attacker can extract T from the login message m ₂ and he can impersonate as a legal server. The attacker chooses a random number \(r_{s}^{*}\), computes \(D^{*}= r_{s}^{*} \cdot P\), A = B ⊕ T, \(SK_{s}^{*}= r_{s}^{*} \cdot A\) and \(Auth_{s}^{*}=h(SK_{s}^{*}||T||A)\). Finally, the attacker sends the challenge message \(m_{3}^{*}= \{ D^{*}, Auth_{s}^{*} \}\) to the user as a legal server. The legal user U computes \(SK^{*}_{u}=r_{u} \cdot D^{*}=r_{u} r_{s} \cdot P=SK_{s}^{*}\) and \(Auth_{s}^{\prime }=h(SK_{u}^{*}||T||A)\) which is equal to \(Auth_{s}^{*}\) because \(SK_{u}^{*}=SK_{s}^{*}\). Hence, the message m ₃ is authenticated in the user side. Thus, Lu et al.’s scheme is vulnerable to server impersonation attack.

Fails to preserve server secrecy

The attacker somehow hacks the stored information from the server side and tries to break the security system. Here, we assume that information VPW is compromised somehow, and it is known to an attacker. If the attacker succeeds in guessing user identity ID, he can compute T = H I D ⊕ I D. Then, the attacker can compute the secret information h(p _s ) of the server as V P W ⊕ T. It is noticed that long term secret information of the server should not be disclosed under any circumstances. Thus, this protocol fails to preserve server secrecy.

Inefficient registration phase

During registration, the user chooses secret key p _u and uses it during login phase. Hence, the user should keep in mind three information ID, PW and p _u . As p _u is high entropy information, it is very hard to remember. Hence, the protocol is not user-friendly and realistic.

Inefficient authentication in password change phase

Efficient password change phase requires user’s login information for user authentication. The server needs to check the user’s information for which the user should have sent the login information before password change. In Lu et al.’s scheme user authentication in password change phase is done without getting any login information, which is not efficient. Moreover, user authentication and password change process are carried out simultaneously. Hence, the password change phase is inefficient.

Replay attack

In this instance, the adversary masquerades as a legal user by reusing the data received from the previously executed protocol. However, Lu et al.’s protocol cannot withstand the replay attack as below:

• Suppose an adversary traps the previous login message m ₂ = 〈B, H I D, C〉, where B = T ⊕ A, T = h(I D||h(P W||p _u )), A = r _u ⋅ P, H I D = I D ⊕ T and C = h(I D||A). Now, the adversary sends the message m ₂ = 〈B, H I D, C〉 to the server without altering it.

• After receiving the login message, the server extracts \(T^{\prime }\) from VPW as \(T^{\prime }=VPW \oplus h(p_{s})\) and computes \(A^{\prime }= B \oplus T^{\prime }\), \(ID^{\prime } = HID \oplus T^{\prime }\), \(C^{\prime } = h(ID^{\prime }||A^{\prime })\). The server also verifies the correctness of the equation \(C^{\prime } \overset {?}{=} C\). Obviously, this will be satisfied at server side.

• The server selects a random number r _s , computes D = r _s ⋅ P, S K _s = r _s ⋅ A, A u t h _s = h(S K _s ||T||A) and sends m ₃ = 〈D, A u t h _s 〉 to U.

• Finally, the adversary tries to compute the session S K _u or S K _s , which relies on the unknown secrets r _u and r _s and it is confirmed that the adversary cannot compute the session key of the scheme.

Even though, the adversary cannot compute the session key, the adversary still makes server’s communication channel busy. However, this attack leads to a denial-of-service attack, if the adversary repeats many times previously captured login messages. This justification demonstrates that the Lu et al.’s scheme is vulnerable to replay attack.

4 Proposed protocol

In this section, we design a mutual authentication protocol for SIP with a key agreement scheme that overcomes the stipulated weaknesses found in Lu et al.’s scheme and provides strong security.

4.1 System setup phase

Server selects an additive cyclic group G of elliptic curve E(F(q)) defined over a finite field F(q) of prime order q, a secret key x _s in \(Z_{q}^{*}\) and point generator P of G as mentioned in [5]. The server computes P _s = x _s ⋅ P and announces the public parameters 〈G, q, P, P _s , E, h(⋅)〉, where \(h: \{0,1 \}^{*} \rightarrow \{0,1 \}^{q}\) a collision resistant one-way hash function and keeps the private key x _s safely.

4.2 Registration phase

In this phase, user U registers with the server S. Since the registration phase is executed only once for a user, it can be done in a private secure channel.

• Step PR1: User chooses his/her own identity ID, password PW and computes H I P = h(I D||P W). The user also computes H I D = h(I D), R P = I D ⊕ P W and then sends the registration message M ₁ = 〈H I D, H I P, R P〉 to the server via secure channel. Although, we have used ID in the construction of all the three parameters HID, HIP and RP, the adversary has no access to the user ID. According to the assumption in Section 1.3, the adversary has no control over the messages communicated via the private channel. However in Lu et al. protocol, the ID is sent as a plain message in the registration phase.

• Step PR2: On the receipt of the registration message from the user, server computes U P W = h(H I D||x _s ) ⊕ H I P, where \(x_{s} \in Z_{q}^{*}\) is the private key of the server. Finally, the server stores the pair 〈U P W, R P〉 corresponding to HID into his database. As these stored parameters contain three secret values namely ID, PW and x _s , it is not possible to predict. Thus, the ID is masked and stored in the system. Moreover, RP is computed only for the purpose of password recovery phase and it will not be used anywhere else in the protocol. This registration process is also depicted in Fig. 1.

Fig. 1

User registration phase

4.3 Authentication and key generation phase

If the user U wants to login, the following steps should be performed.

• Step PL1: U chooses a random number \(r_{u} \in Z^{*}_{q}\), computes R _u = r _u ⋅ P, T R _u = r _u ⋅ P _s , where P _s = x _s ⋅ P is the public key of the server. The user U also computes H I D = h(I D), H I P = h(I D||P W), D = H I D ⊕ h(T R _u ) and A _u = h(H I P||T R _u ||T S _u ), then U sends the login message M ₂ = 〈R _u , D, A _u , T S _u 〉 to the server, where T S _u is the current timestamp chosen by the user. The parameters in M ₂ do not contain ID, PW, HID or HIP in the explicit form. However, the parameters D = h(I D) ⊕ h(T R _u ), A _u = h(h(I D||P W)||T R _u ||T S _u ) contains ID and PW implicitly, it is computationally infeasible to extract them. More particularly, the parameters D and A _u contain the secret value T R _u .

• Step PL2: After receiving the login message from the user, server checks T S _s − T S _u < △T, where T S _s is the current timestamp chosen by the server and △T is an acceptable time delay. If the condition does not hold, the server aborts the connection, otherwise S computes \(TR_{u}^{*}= x_{s} \cdot R_{u}\) and \(HID= D \oplus h(TR_{u}^{*})\). The server extracts HIP from the stored UPW corresponding to HID in the database. Now, the server computes \(A_{u}^{*}= h(HIP||TR_{u}^{*}||TS_{u})\) and checks for the correctness of \(A_{u}^{*} \overset {?}{=} A_{u}\). If it is incorrect, then the server terminates the session. Otherwise, the server S confirms that U is a legitimate user, generates a random number \(r_{s} \in Z^{*}_{q}\) and computes R _s = r _s ⋅ P, D K = r _s ⋅ R _u , A _s = h(H I P||R _s ||D K||T S _s ) and \(SK=h(TR_{u}^{*}||DK||HIP^{*})\). Then the server sends the response message M ₃ = 〈R _s , A _s , T S _s 〉 to the user U.

• Step PL3: Upon receiving the response message from the server, user checks T S _u1 − T S _s < △T, where \(TS_{u_{1}}\) is the current timestamp chosen by the user. If it does not hold, the user aborts the connection otherwise, computes D K ^∗ = r _u ⋅ R _s , \(A_{s}^{*}=h(HIP||R_{s}||DK^{*}||TS_{s})\) and checks whether \(A_{s}^{*} \overset {?}{=} A_{s}\). If it is satisfied, then U confirms that S is a legitimate server, computes S K = h(T R _u ||D K ^∗||H I P), T = h(A _u ||A _s ||S K) and sends M ₄ = 〈T〉.

• Step PL4: The message M ₄ is a confirmation message to the server that confirms that the user has created the session key SK by computing T ^∗ = h(A _u ||A _s ||S K) and by checking \(T^{*} \overset {?}{=} T\).

This login, authentication and key establishment phase is also depicted in Fig. 2.

Fig. 2

Login and key establishment phase

4.4 Password change phase

If the user’s password is leaked by any means, then there is a need for the user to change the password. The password based authentication protocol is robust, if it has an efficient password change phase. Hence, the password change provision is included in our protocol. It is assumed that the user has successfully completed the login authentication phase and established a new session key SK with old PW before starting of the password change phase. The description of this phase is as follows:

• Step PPC1: The user selects a random number r ₁ ∈ Z _q and computes the following

  $$\begin{array}{@{}rcl@{}} R_{1} &=& r_{1} \cdot P \\ DR_{1} &=& r_{1} \cdot P_{s} \\ HID &=& h(ID) \\ PK_{1} &=& HID \oplus h(DR_{1}) \\ HIP &= & h(ID||PW) \\ CF &=& h(HID||HIP) \end{array} $$

  then sends the message M ₅ = 〈R ₁,P K ₁,C F〉 to the server. On receipt of this message, the server computes \(DR_{1}^{*}=x_{s} \cdot R_{1}\), \(HID^{*}=PK_{1} \oplus h(DR_{1}^{*})\), retrieves UPW from the database corresponding to the received H I D ^∗ and computes T I D ^∗ = h(H I D ^∗||x _s ), H I P ^∗ = U P W ⊕ T I D ^∗ and C F ^∗ = h(H I D ^∗||H I P ^∗). The server checks whether the received CF matches with the computed C F ^∗. If it does not hold, server rejects the session otherwise server selects a random number r ₂ ∈ Z _q , computes R ₂ = r ₂ ⋅ P, D R ₂ = r ₂ ⋅ R ₁ and sends the message \(M_{6}= \langle R_{2}, ``Enter \ new \ password^{\prime \prime } \rangle \).

• Step PPC2: The user selects his/her own new password P W ^new and computes \(DR_{2}^{*}=r_{1} \cdot R_{2}\), \(PK_{2}=ID \oplus PW^{new} \oplus h(DR_{2}^{*})\), H I P ^new = h(I D||P W ^new), the commitment \(\phi = h(HID||DR_{2}^{*}||HIP||HIP^{new})\) and \(DPW= h(DR_{2}^{*}||HIP) \oplus HIP^{new}\). Then, the user sends the message M ₇ = 〈R ₁,P K ₂,ϕ,D P W〉 to the server.

• Step PPC3: After receiving the password change request, server computes H I P ^new = D P W ⊕ h(D R ₂||H I P), ϕ ^∗ = h(H I D||S K||H I P||H I P ^new) and checks whether \(\phi ^{*} \overset {?}{=} \phi \) holds or not. If it is satisfied, then the server computes U P W ^new = T I D ^∗⊕ H I P ^new, R P ^new = P K ₂ ⊕ h(D R ₂) and replaces 〈H I D, U P W, R P〉 with 〈H I D, U P W ^new, R P ^new〉 in its database, otherwise terminates the session. In this phase unlike Lu et al. scheme, checking the condition \(\phi ^{*} \overset {?}{=} \phi \) prevent any other user to impersonate U between login authentication phase and password change phase. This password change phase is also depicted in Fig. 3.

  Fig. 3

  

  Password change phase

4.5 Password recovery phase

Suppose a user wants to login into the server after long-time and forgets his/her password. The re-registration process consumes time and therefore, it is essential to recover the password for the user. The registered password can be recovered in our protocol by executing the following steps.

• Step PPR1: The user U chooses a random number \(r \in Z^{*}_{q}\) and computes the following

  $$\begin{array}{@{}rcl@{}} K_{1} &=& r \cdot P \\ K_{2} &=& r \cdot P_{s} \\ HID &=&h(ID) \\ PWR &=& HID \oplus h(K_{2}) \\ Auth &=& h(P||K_{2}) \end{array} $$

  then U sends the message M ₈ = 〈K ₁,P W R,A u t h〉 to the server.

• Step PPR2: After receiving M ₈, the server computes \(K_{2}^{*}=x_{s} \cdot K_{1}\), \(Auth^{*}= h(P||K_{2}^{*})\) and checks \(Auth^{*} \overset {?}{=} Auth\). If it is not satisfied, the server terminates the session, otherwise the server computes \(HID^{*}=PWR \oplus h(K_{2}^{*})\) and extracts RP, UPW corresponds to H I D ^∗ from the database. The server computes T I D = h(H I D||x _s ), H I P = U P W ⊕ T I D, A S = h(R P||H I P) and sends the message M ₉ = 〈R P, A S〉 to the user. Since AS contain HIP which is composed of two secrets ID and PW inside hash. It is computationally infeasible to predict two unknown parameters simultaneously, which is addressed in the security analysis section.

• Step PPR3: Upon receiving the message M ₈, user recovers the password by computing P W = R P ⊕ I D, also computes A S ^∗ = h(R P||h(I D||P W)) and ensures it by checking \(AS \overset {?}{=} AS^{*}\).

Lu et al. scheme does not contain this phase and this phase is also essential. The password recovery phase is also depicted in Fig. 4.

Fig. 4

Password recovery phase

5 Analysis of the proposed protocol

In this section, we analyze our protocol informally to prove that it overcomes the security pitfalls in Lu et al. scheme. Further, the analysis using BAN logic formally proves that our scheme achieves mutual authentication between user and server and the analysis in random oracle model shows that the scheme is provably secure against identity and password guessing attacks.

5.1 Informal security analysis

With respect to the adversary model described in Section 1.3, the protocol is analyzed against relevant security attacks.

Proposition 1

The proposed protocol can withstand the off-line identity guessing attack.

Proof

Theidentity of the user is masked using one-way hash function, hence the attacker cannot extract it while executing the proposed protocol. Suppose a user selects a low entropy identity for his/her easy remembrance. In this situation, an attacker may guess the user’s identity and try to verify his/her guess. The attacker captures the login message m ₂ = {R _u , D, A _u } of the protocol, and the attacker extracts the parameters R _u , D , and A _u . The parameter D is constructed as D = H I D ⊕ h(T R _u ), where H I D = h(I D) and \(TR_{u}^{*}= x_{s} \cdot R_{u}\). If the attacker attempts to check the correctness of his/her guessed user identity, he/she needs to guess two factors ID and x _s simultaneously which is computationally infeasible. If each of the user identity and server secret x _s are of length n, then the probability of success for the correct guess is \( \frac {1}{2^{12n}} \). The parameter A _u is constructed as A _u = h(H I P||T R _u ||R _u ),where H I P = H(I D||P W). The attacker cannot extract ID from this, however the attacker can guess I D ^g and try to check his/her guess. The parameter A _u contains three unknown factors ID, PW and T R _u . To check the correctness, the attacker needs to guess three factors simultaneously and the probability for success is \(\frac {1}{2^{18n}}\) which is significantly small. Hence, the proposed protocol can withstand the off-line identity guessing attack. □

Proposition 2

The proposed protocol can withstand the off-line password guessing attack.

Proof

Suppose that an attacker guess the user’s password and try to verify it. The attacker captures the login- response messages M ₂ = {R _u , D, A _u }, m ₃ = {R _s , A _s }, and extracts the parameters R _u , D, R _s , A _u and A _s from these messages. The parameter A _u is constructed as A _u = h(H I P||T R _u ||R _u ), where H I P = h(H I D||P W). If the attacker attempts to check the correctness of his/her guessed user identity, he/she needs to guess three factors ID, PW and T R _u simultaneously. The probability of success for the correct guess is \(\frac {1}{2^{12n+m}}\) which is very small. The parameter A _s is constructed as A _s = h(H I P||R _s ||D K), where D K = r _s ⋅ R _u and r _s is a secret random value known only to the server. If the attacker attempts to check the correctness of his/her guessed user identity, he/she needs to guess three factors ID, PW and DK simultaneously. Then the probability of success for the correct guess is \(\frac {1}{2^{18n}}\) which is a negligible one. □

Proposition 3

The proposed protocol preserves user anonymity property.

Proof

Suppose an attacker tries to identify a particular user and captures the login message of the proposed protocol. The login message is m ₂ = {R _u , D,A _u }, where R _u = r _u ⋅ P, D = H I D ⊕ h(T R _u ), A _u = h(H I P||T R _u ||T S _u ), R _s = r _s ⋅ P and A _s = h(H I P||R _s ||D K). As the parameter R _u contains the random value r _u , message m ₂ is dissimilar in all the communications and hence the attacker cannot realize a particular message for a specific user. Also the user identity ID is masked using the hash function, the attacker cannot extract the ID from the transmitted messages. Thus, the proposed protocol provides user anonymity property. □

Proposition 4

The proposed protocol provides untraceability.

Proof

If an attacker wants to trace the legal user then he/she captures all the login-response messages transmitted in the protocol. The login and response messages are m ₂ = {R _u , D, A _u } and m ₃ = {R _s ,A _s } respectively, where R _u = r _u ⋅ P, D = H I D ⊕ h(T R _u ), A _u = h(H I P||T R _u ||T S _u ), R _s = r _s ⋅ P, A _s = h(H I P||R _s ||D K), R _s = r _s ⋅ P and A _s = h(H I P||R _s ||D K). Each time the login message m ₂ is different since it contains D, A _u and R _u = r _u ⋅ P, where r _u is a randomly selected value. Moreover, the response message contains parameter R _s which is constructed using the random value r _s . This makes the attacker suspicious to link the login and response messages with the concerned user. Hence, attacker fails to break untraceability property. □

Proposition 5

The proposed protocol is secure against insider attack.

Proof

In the proposed protocol, the user sends masked password for registration to the server. Therefore, an insider of the system can not extract the user ID and password due to the collision resistant and non-invertible property of the cryptographic one-way hash function. Therefore, the proposed scheme can withstand privileged insider attack. □

Proposition 6

The proposed protocol can withstand user impersonation attack.

Proof

In this attack, an attacker captures the legal user’s login message and creates forged login message. We claim that, the attacker cannot succeed in his/her attempt. The attacker can choose \({r_{u}^{a}}\) in random and compute \({r_{u}^{a}}\), \(T{R_{u}^{a}}\) and \(h(T{R_{u}^{a}})\) but, computation of correct HID is infeasible as it contains the secret parameter ID. Similarly, the attacker cannot compute correct A _u as it involves the component HIP that contains two unknown parameters ID, PW of the legal user. The probability of success for the correct guess is \(\frac {1}{2^{12n}}\) which is a negligible one. Thus, the attacker cannot compute valid D and A _u . Hence proposed protocol withstands user impersonation attack. □

Proposition 7

The proposed protocol can withstand server impersonation attack.

Proof

In this attack, an attacker entraps the response message of a legal server and tries to create a forged response message. We claim that the attacker cannot succeed in his/her attempt. The attacker can select \({r_{s}^{a}}\) at random and compute \({r_{s}^{a}}\) but, cannot create T R _s and HIP as they contain the unknown parameters x _s and I D,P W respectively. □

Proposition 8

The proposed protocol can withstand the session key computation attack.

Proof

After performing successful mutual authentication, the server and client attempts to establish a fresh session key which they can use for their secure communication. The session key SK is the hash value of R _u , R _s , D K ^∗ and HIP. Even though R _u , R _s are known parameters, D K ^∗ and HIP are unknown parameters. Hence the computation of session key is infeasible. □

Proposition 9

The proposed protocol is secure against replay attack.

Proof

In this attack, the attacker captures all the messages transmitted in the proposed protocol and tries to impersonate as a legal user/server using the captured messages. But, R _u is generated freshly in each session, D K = r _s ⋅ R _u is computed in server side at each session using R _u . If the message m ₂ is a replay message then m ₃ will not be authenticated in the user side, as user computes D K ^∗ = r _u ⋅ R _s and checks \(A_{s}^{*} \overset {?}{=} A_{s}\). In addition, both the messages m ₂ and m ₃ include timestamp, which also thwart replay attack. Hence, the proposed protocol is secure against replay attack. □

Proposition 10

The proposed protocol provides perfect forward secrecy.

Proof

If an adversary compromise the long-term secret values such as user identity, user password and server’s secret key, then adversary cannot compute the session key S K = h(T R _u ||D K ^∗||H I P) as it contains the component D K = r _u r _s ⋅ P. In which the random values r _u , r _s are freshly generated, they cannot be predicted and it is an Elliptic Curve Discrete Logarithm Problem(ECDLP) [5]. Hence, the proposed protocol preserves perfect forward secrecy. □

Proposition 11

The proposed protocol is secure against stolen-verifier attack.

Proof

Suppose an adversary steals the pair 〈U P W,R P〉 from the server’s database and tries to extract user’s HID and HIP to impersonate the server. This attack is impossible as U P W = h(H I D||x _s ) ⊕ H I P contains three unknown factors HID, x _s and HIP. Also, the guess of any parameter has the success probability \(\frac {1}{2^{12n}}\), which is highly negligible. □

Proposition 12

The proposed protocol is secure against man-in-the-middle attack.

Proof

Suppose an adversary wants to know the session key by performing a man-in-the-middle attack. The adversary can choose \({r_{u}^{a}}\) in random, as computation of HID requires the knowledge of the secret parameter ID, the adversary cannot compute HID. To construct M ₂, the two parameters D and A _u are essential, which requires the knowledge of HID and HIP. Thus, the creation M ₂ for the adversary becomes a tedious process. Also, the adversary can attempt to create forged response message after capture the message from the legal server. The adversary cannot succeed in the attempt. The adversary can select \({r_{s}^{a}}\) at random, but cannot create a valid A _s as its construction requires the knowledge of the two unknown parameters HIP and DK. Hence, the adversary cannot compute the session key by performing a man-in-the-middle attack. □

5.2 Authentication proof using BAN logic

Burrows, Abadi and Needham (BAN) coined a logic for proving the correctness of authentication and key establishment protocols formally [9]. The BAN logic is one of the formal methods which is used for the analysis of security protocols. The concept of a ‘fresh message’ and all public and shared key primitives are modelled using the logic. Using this it is possible to idealize a challenge-response protocol. The belief of an entity in the truth of a statement is the basis for the logic. A statement needs not be true in the accepted sense of truth. A validation with BAN logic doesn’t indicate that there are no attacks on the protocol always. A proof with the BAN logic is a valid proof of correctness, with respect to the assumptions given in [19]. However, the interpretation of the logic and the logic does rule out possible attacks are questionable.

5.2.1 Notations

This section details with some of the syntax of the BAN logic. Other syntactical rules are found in the article of Burrows, Abadi and Needham [9].

• P believes that X holds: P∣ ≡ X. It means that P believes that in the current run of the protocol that the formula X is true. it just shows what P believes X.

• P sees the formula X: P ⊲ X. It can be said as: P holds X.

• P has jurisdiction over X: \(P \mid \Rightarrow X\). The entity P has complete control over the formula X. This can be used when reasoning over Certificate Authorities.

• P has once said the formula X: P∣ ∼ X. The past holds all earlier runs of the protocol and earlier messages of the current run of the protocol.

• X is fresh: ♯(X). The formula X is recent. The formula has not been used before, X is a nonce.

• X is combined with Y: 〈X〉 _Y . The formula X is combined with the formula Y.

• X is hashed with Y: (X) _Y . The formula X is hashed with the formula Y.

• P and Q share a secret formula : \(P \overset {X}{\rightleftharpoons }Q\). The formula X is a secret known only to P and Q.

5.2.2 Rules of inference

A short overview of the introduction, usage and elimination rules are given. The overview is not complete, but is sufficient for the analysis in this section. The rules are also the most used rules.

Message-meaning rule:

If P believes that the secret Y is shared with Q and sees 〈X〉 _Y , then P believes that Q once said X.

$$\frac{P \mid\equiv Q \overset{Y} {\rightleftharpoons} P,\ P\triangleleft \langle X \rangle_{Y} }{P \mid\equiv Q \mid \sim X }$$

For random values

$$\frac{P \ Chooses \ random \ X}{P \mid\equiv \sharp X}$$

Nonce-verification rule:

If P believes that X could have been uttered only recently (in the present) and that Q once said X (either in the past or in the present), then P believes that Q believes X.

$$\frac{P \mid\equiv \sharp X , \ P \mid\equiv Q \mid\sim X }{P \mid\equiv Q \mid\equiv X }$$

Jurisdiction rule:

If P believes that Q has jurisdiction over X then P trusts Q on the truth of X

$$\frac{P \mid\equiv Q \mid\Rightarrow X ,\ P \mid\equiv Q \mid\equiv X }{P \mid\equiv X }$$

Freshness rule:

If one part of a formula is fresh, then the entire formula must also be fresh:

$$\frac{P \mid\equiv \sharp X }{P \mid\equiv \sharp \left( X,\ Y \right) }$$

Session key rule:

If the principal P believes that the parameter X is fresh and the principal P and Q believe X, which are the necessary parameters of the session key, then principal P believes that s/he shares the session key K with Q.

$$\frac{P \mid\equiv \sharp X, P \mid\equiv Q \mid\equiv X }{P \mid\equiv P \overset{K}{\rightleftharpoons} Q }$$

A composite message can be made when a principal believes in both parts. This can be generalised to more than two parts

$$\frac{P \mid\equiv X,\ \ P \mid\equiv Y }{P \mid\equiv \left( X,\ Y \right) }$$

Additional rules on multipart messages.

$$\frac{P \mid\equiv Q \mid\sim \left( X,\ Y \right) }{P \mid\equiv Q \mid\sim X}$$

$$\frac{P \mid\equiv Q \mid\equiv \left( X,\ Y \right) }{P \mid\equiv Q \mid\equiv X}$$

$$\frac{P \mid\equiv \left( X,\ Y \right) }{P \mid\equiv X}$$

$$\frac{P \triangleleft \left( X,\ Y \right) }{P \triangleleft X}$$

5.2.3 Protocol idealization

The concrete protocol needs to be idealized in the BAN logic syntax for the proper analysis.

$$\begin{array}{@{}rcl@{}} m_{2}=U \rightarrow S &:& R_{u}, D: \langle HID \rangle_{h(TR_{u})} , A_{u}: (TS_{u}, TR_{u} )_{U \overset{HIP} {\rightleftharpoons} S } \\ m_{3}=S \rightarrow U &:& R_{s}, A_{s}: (R_{s}, DK,TS_{s} )_{U \overset{HIP}{\rightleftharpoons} S} \\ m_{4}=U \rightarrow S &:& T: (A_{u}, A_{s} )_{U \overset{SK}{\rightleftharpoons} S} \end{array} $$

The primary goals are to confirm that the user believes, the server belief that the user and server shares the same session key and vice versa. To achieve these goals, we need two more security goals; user and server believes that they have shared the same session key. As the session key contains two secret parameters DK and T R _u , server should believe T R _u and user should believe DK. Now we list the following goals based on the BAN logic, which needs to be achieved to ensure the formal verification of the mutual authentication.

5.2.4 Security goals

The list of security goals need to be achieved are listed below.

$$\begin{array}{@{}rcl@{}} G_{1} &:& S \mid\equiv TR_{u} \\ G_{2} &:& U \mid\equiv DK \\ G_{3} &:& U \mid\equiv U \overset{SK}{\rightleftharpoons} S \\ G_{4} &:& S \mid\equiv U \overset{SK}{\rightleftharpoons} S \\ G_{5} &:& U \mid\equiv S \mid\equiv U \overset{SK}{\rightleftharpoons} S \\ G_{6} &:& S \mid\equiv U \mid\equiv U \overset{SK}{\rightleftharpoons} S \end{array} $$

5.2.5 Initial assumptions

The principals U and S believe that the random numbers generated in the protocol are fresh. In addition, the server and user should have the control on the secret parameters T R _u and DK respectively, which they have created. Based on the set of required security goals,the following assumptions about the initial state of the protocol are made to analyze the proposed protocol.

$$\begin{array}{@{}rcl@{}} A_{1} &:& U \mid\equiv \sharp R_{u} \\ A_{2} &:& S \mid\equiv \sharp R_{s} \\ A_{3} &:& U \mid\equiv \sharp R_{s} \\ A_{4} &:& S \mid\equiv \sharp R_{u} \\ B_{1} &:& U \mid\equiv U \overset{TR_{u}}{\rightleftharpoons} S \\ B_{2} &:& U \mid\equiv U \overset{HIP}{\rightleftharpoons} S \\ B_{3} &:& S \mid\equiv U \overset{HIP}{\rightleftharpoons} S \\ C_{1} &:& S \mid\equiv U \mid\Rightarrow TR_{u} \\ C_{2} &:& U \mid\equiv S \mid\Rightarrow DK \end{array} $$

5.2.6 Scheme analysis

To achieve the required security goals, sequence of rules are imposed on the idealized protocol along with the initial assumptions. Applying seeing rule on m ₂, we get S ⊲ 〈R _u , T R _u 〉 _{H I P} and by assumption \(B_{3}, \ S \mid \equiv U \overset {HIP}{\rightleftharpoons } S\). Now applying message meaning rule,

$$\frac{S \mid\equiv U \overset{HIP}{\rightleftharpoons}S,\ S \triangleleft \langle R_{u}, \ TR_{u} \rangle_{HIP} }{S \mid\equiv U \mid \sim \langle R_{u}, \ TR_{u} \rangle }$$

Thus, we have S1 : S∣ ≡ U∣ ∼〈R _u , T R _u 〉. By assumption A ₄, S∣ ≡ ♯ R _u implies that S∣ ≡ ♯(R _u , T R _u ). Using nonce verification rule with S1, we get S∣ ≡ U∣ ≡ (R _u , T R _u ). Applying conjunctions rule, S2 : S∣ ≡ U∣ ≡ (T R _u ).

Applying Jurisdiction rule on C ₁ and S2, we get G ₁ : S∣ ≡ T R _u which is nothing but goal G ₁.

Seeing rule on m ₃ implies that \(U \triangleleft (R_{s}, DK )_{U \overset {HIP}{\rightleftharpoons } S}\), applying message meaning rule with the assumption B ₃, we get S3 : U∣ ≡ S∣ ∼〈R _s , D K〉. By assumption A ₃ : U∣ ≡ ♯ R _s and applying conjunctions rule, we get S4 : U∣ ≡ ♯(R _s , D K). Using nonce verification rule on S4 and S3, we get S5 : U∣ ≡ S∣ ≡〈R _s , D K〉. Applying conjunction rule, S5 : U∣ ≡ S∣ ≡ D K. Applying Jurisdiction rule on C ₂ and S5, we get G ₂ : U ∣ ≡ D K which is our goal G ₂.

As T R _u is the necessary parameter for the construction of SK in the server side, by freshness rule, ♯(r _u ) implies that S∣ ≡ ♯(T R _u ). Applying the session key rule on S2, we get \(G_{3}: S\mid \equiv U \overset {SK}{\rightleftharpoons } S\) which is our goal G ₃.

Similarly, DK is the necessary parameter for the construction of SK in the user side, by freshness rule, ♯(r _s ) implies that U∣ ≡ ♯(D K). Applying the session key rule on S5, we get \(G_{4}: U\mid \equiv U \overset {SK}{\rightleftharpoons } S\). Hence, goal G ₄ is achieved.

Using A ₁ and nonce verification rule with G ₃, we get goal G ₅ which is \(G_{5}: U \mid \equiv S\mid \equiv U \overset {SK}{\rightleftharpoons } S\). Using C ₂ and nonce verification rule with G ₄, we get \(G_{6}: S \mid \equiv U\mid \equiv U \overset {SK}{\rightleftharpoons } S\) which is our goal G ₆.

Thus, BAN logic is used to analyze the security of the proposed protocol and the results show that the protocol achieves mutual authentication between the user and the server.

5.3 Formal security proofs in random oracle model

The formal security analysis of the proposed protocol using random oracle model [11, 16, 24, 26] is presented in this section. The advantage and reveal oracle for a hash function of an adversary are defined as follows:

Definition 1

The advantage of an adversary \(\mathcal {A}\) for finding collision in the cryptographic hash function h is \(Adv_{\mathcal {A}}^{h}(t)= Prob([m_{1},m_{2}] \leftarrow _{R} \mathcal {A} \ such \ that \ h(m_{1})=h(m_{2}) )\), where \(Adv_{\mathcal {A}}^{h}(t)\) denotes the advantages of the probability over the random selection by \(\mathcal {A}\) in the time duration t, \([m_{1},m_{2}] \leftarrow _{R} \mathcal {A}\) denotes the messages [m ₁,m ₂] selected by \(\mathcal {A}\) are random and P r o b(E) denotes the probability of an event E. The hash function h(⋅) is said to be collision resistant if for any small value 𝜖, \(Adv_{\mathcal {A}}^{h}(t) \leq \epsilon \).

Now we define the reveal oracle as follows:

Definition 2

Reveal oracle denoted by R O R A C L E(⋅) is defined as an oracle that will unconditionally output the string m for a given hash value h(m).

Definition 3

Extract oracle denoted by E O R A C L E(⋅) is defined as an oracle that will unconditionally output the string x for a given two ECC points x ⋅ P and P.

Theorem 1

Suppose that the cryptographic hash function closely behaves like an oracle, the proposed protocol is provably secure against an adversary for obtaining the secret parameters 〈I D,P W〉of a legal user though the adversary knows all the messages transmitted in the public channel.

Proof

Consider an adversary \(\mathcal {A}\) who has the capacity to derive the identity and password of a legal user from the proposed protocol Φ. As mentioned in Section 1.3, \(\mathcal {A}\) can capture the login message 〈R _u , D, A _u , T S _u 〉 and response message 〈R _s , A _s , T S _s 〉 in the execution of the protocol Φ. Then, \(\mathcal {A}\) uses reveal oracle to execute the algorithm \(ALGO^{h}_{\Phi }\) for deriving ID and PW of a legal user as depicted in the Algorithm 2.

Now we define the probability of success for the algorithm \(ALGO^{h}_{\Phi }\) as \(SUC1^{h}_{\Phi } = |Prob(ALGO^{h}_{\Phi }=1)-1|\). According to Definition 1, the advantage of \(ALGO^{h}_{\Phi }\) is given by \(Adv^{h}_{\Phi }(t_{1},qr_{1})= Max_{\mathcal {A}}(SUC1^{h}_{\Phi })\) where maximum is taken over all the adversary \(\mathcal {A}\) with the number of queries q r ₁ made to R O R A C L E() in the execution time t ₁. The proposed protocol is provably secure against the adversary \(\mathcal {A}\) for obtaining the secret parameters 〈I D,P W〉 if for any small value 𝜖, \(Adv_{\mathcal {A}}^{h}(t_{1},qr_{1}) \leq \epsilon \). According to the algorithm \(ALGO^{h}_{\Phi }\), the adversary \(\mathcal {A}\) can obtain the secret parameters ID , PW and succeeded provided he/she has the ability to invert the hash function h(⋅). But, it is computationally infeasible to invert a hash function. Thus, \(SUC1^{h}_{\Phi } \leq \epsilon \) for all the attackers. Since \(Adv^{h}_{\Phi }\) depends on \(SUC1^{h}_{\Phi } \) and maximum is taken over all the adversary \(\mathcal {A}\), we have \(Adv_{\mathcal {A}}^{h}(t_{1},qr_{1}) \leq \epsilon \) for any small value 𝜖. Thus, the proposed protocol is provably secure against the adversary \(\mathcal {A}\) for obtaining the secret parameters 〈I D,P W〉. □

Theorem 2

Suppose that the cryptographic hash function closely behaves like an oracle, the proposed protocol is provably secure against an adversary for obtaining the secret parameters 〈r _u , r _s 〉and the session key SK between the server and the legal user though the adversary knows all the messages transmitted in the public channel.

The proof of this theorem is similar to that of the previous theorem using the Algorithm 3.

6 Performance comparison

In this part, we compare the performance of the designed protocol with that of the existing related protocols in two aspects; computational complexity and the advanced security functionalities.

6.1 Security features comparison

Table 1, shows the comparison of the proposed protocol with the related existing protocols in the aspect of several security functionalities. It is noted that, our scheme withstands relevant security threats and achieves required security attributes than other protocols. More preciously, Table 1 confirms that our scheme withstands all the security attacks mentioned in Lu et al. scheme.

Table 1 Functionality and security comparison

6.2 Computational cost comparison

We have provided computational cost comparisons of our protocol with several related protocols in Table 2. The time complexity that measures the computation cost associated with hash and point multiplication operations can be expressed as T _{p m} >> T _{p a} >> T _{i n v} >> T _h . It is most important for the cryptographic protocol that it must be free from security attacks. Though our scheme has more time complexity than [7, 8, 14, 18, 23], our scheme withstands the security attacks over those schemes and in these schemes user needs to maintain an additional random number as secret which makes protocol is not user-friendly and realistic. In addition to that, our scheme has the password recovery phase, which is not included in any of the existing SIP authentication protocols.

Table 2 Computational cost comparison

7 Conclusion

In this paper, we have showed that the recently proposed Lu et al.’s SIP authentication protocol has several security vulnerabilities including impersonation attack. In addition to that a robust authentication scheme for SIP with key establishment technique is proposed . Our scheme additionally contains password recovery phase, which is important for real-time application and this feature does not exist in the existing schemes. Informal security analysis against security attacks are described. The formal proof of correctness for mutual authentication using BAN logic is provided. In addition, the proposed protocol is shown to be provably secure against identity and password guessing attacks in random oracle model. Finally, we compared our scheme with the existing related schemes and shown that our scheme has better security with less complexity than the others. As a future work, the proposed protocol can still be enhanced such that it reduce the number of cryptographic operations used and achieves more security properties. Also, the automatic verification of the proposed protocol needs to be done using the popular tool Automated Validation of Internet Security Protocols and Applications (AVISPA).