1 Introduction

The Session Initiation Protocol (SIP) [7] is one of the most important protocols that support multimedia services on both wired and wireless networks. SIP is an application layer control (signalling) protocol that can create, modify and terminate sessions with one or more participants. These sessions include multimedia distribution, internet telephone calls and internet multimedia conferences. Session members can communicate via a mesh of unicast relations, via multicast, or via a combination of these. Authentication is the most important aspect for SIP. When a user wants to access a SIP server in order to get various services from the remote server, he/she has to perform an authentication process. Therefore, the security of SIP is becoming more important, which calls for a robust authentication scheme. The original authentication scheme for SIP does not provide strong security, as it is derived from HTTP digest authentication [5] and has been proven to be insecure [19].

Recently, various authentication schemes were proposed to provide strong security for SIP [1, 5, 6, 13, 14, 17, 19]. In the basic authentication scheme adopted in SIP, the SIP server uses a challenge-response mechanism to verify the identity of the user only. In 2005, Yang et al. [19] pointed out that the procedure of the original SIP authentication scheme based on HTTP digest authentication is vulnerable to the offline password guessing attack and the server spoofing attack. In order to overcome these flaws, Yang et al. proposed a secure authentication scheme for SIP. This authentication scheme is based on Diffie-Hellman key exchange [3], which depends on the difficulty of discrete logarithms. The computational cost of Yang et al.’s authentication scheme is very high, making it unsuitable for platforms offering low computational power. To address this limitation, Durlanik et al. [4] proposed an authentication scheme using the Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithm in 2005. Later in 2009, Tsai [16] proposed an efficient nonce-based authentication scheme. Since all the communication messages are encrypted/decrypted by using a one-way hash function and the XOR operation, its computation cost is low, making it promising for low-power processors.

Notwithstanding suitability of Tsai’s scheme for low power processors, Tsai’s scheme is still vulnerable to offline password guessing attack and stolen-verifier attack while it does not provide known-key secrecy and perfect forward secrecy [10]. This paper demonstrates the vulnerability of Tsai’s authentication scheme to the above attacks, and then proposes a secure and efficient authentication based on the Elliptic Curve Discrete Logarithm Problem (ECDLP) for SIP in order to overcome such security flaws.

The rest of the paper is organized as follows. Section 2 introduces the SIP architecture, SIP authentication procedure, elliptic curve cryptography and secure one-way hash function. Section 3 gives the review of the Tsai’s authentication scheme. Section 4 discusses the cryptanalysis of Tsai’s authentication scheme. In Section 5, an efficient and secure mutual authentication scheme of SIP is proposed. We analyse the security and efficiency of our proposed scheme in Sections 6 and 7. Finally, we conclude the paper in Section 8.

2 Preliminaries

2.1 SIP architecture

SIP, using client-server architecture over HTTP, is based on uniform resource locator and uniform resource identifier. Text-encoding scheme and the header format of SIP are the same as proposed in SMTP, i.e., SIP reuses SMTP headers such as To, From, Date, and subject [4]. The proxy server, redirect server, user agent, register server, and location server are the main components of SIP architecture [19]. The function of each component is described as follows.

  • Proxy server: A proxy server always forwards a request and response between a callee and a caller. When the proxy server receives a request, it forwards the request to the current location of the callee, and then forwards the response from the callee to the caller.

  • Redirect server: When a redirect server receives a request, it always informs the caller about the current location of the callee. Then the caller contacts the callee directly.

  • User agent: A user agent is a logical entity, such as a callee or a caller.

  • Register server: When a user agent changes its location, the user agent sends a register request to the register server to update its current location. In brief, the register server always helps the user agent update the information of the user agent’s location in the location server.

  • Location server: The responsibility of the location server is to maintain information about the current location of the user agent. It also services the proxy server, redirect server, and register server for them to look up or register the location of the user agent.

2.2 SIP authentication procedure

The security of SIP authentication is based on the challenge-response mechanism [19]. Before the authentication procedure starts, the client user preshares a password with the server. This preshared password is used to verify the identity of the client user or the server. The original SIP authentication scheme proceeds as follows. See Fig. 1.

Fig. 1 SIP authentication procedure

  1. Step 1

    Client→Server: REQUEST

    The client sends a REQUEST to the server.

  2. Step 2

    Server→Client: CHALLENGE (nonce, realm)

    The server generates a CHALLENGE that includes a nonce and the client’s realm. Note that the realm is used to prompt the username and password. Then the server sends a CHALLENGE back.

  3. Step 3

    Client→Server: RESPONSE (nonce, realm, username, response)

    The client computes a response = F (nonce, username, password, realm). Note that F (.) is a one-way hash function and is used to generate a digest authentication message. Then, the client sends the RESPONSE to the server.

  4. Step 4

    According to the username, the server extracts the client’s password. Then the server verifies whether the nonce is correct or not. If it is correct, the server computes F (nonce, username, password, realm) and uses it to compare with the response. If they match, the server authenticates the identity of the client.

2.3 Elliptic curve cryptography

Let \( p > 3 \) be a large prime number. An elliptic curve \( E \) over \( F_p \) is the set of all solutions \( (x, y) \in F_p \times F_p \) to an equation \( E: y^2 = x^3 + ax + b \bmod p \), where \( a, b \in F_p \) and \( 4a^3 + 27b^2 \ne 0 \bmod p \), together with a special point \( O \) called the point at infinity. It is well known that \( E \) is an (additively written) abelian group with the point \( O \) serving as its identity element. Choose a generator point \( P = (x_P, y_P) \) over \( E(F_p) \), where \( P \ne O \). In such a way, a subgroup \( G \) of the elliptic curve group \( E(F_p) \) is constructed. To guard against small subgroup attacks, the point \( P \) should be of a prime order \( n \), or equivalently, \( nP = O \), and we should have \( n > 4\sqrt{p} \). To protect against other known attacks on special classes of elliptic curves [15], \( n \) should not divide \( p^i - 1 \) for all \( 1 \le i \le V \) (\( V = 20 \) suffices in practice), \( n \ne p \) should be satisfied, and the curve should be non-super singular. To retain the intractability of ECDLP, \( n \) should at least satisfy \( n > 2^{160} \). Let us consider three related mathematical problems in \( G \): the Elliptic Curve Discrete Logarithm Problem (ECDLP), the Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP) and the Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP).

  • ECDLP: Given a point element \( Q \) in \( G \), find an integer \( x \in Z_q^{*} \) such that \( Q = xP \), where \( xP \) indicates that the point \( P \) is added to itself \( x \) times by the elliptic curve operation.

  • ECCDHP: For \( a,b \in Z_q^{ * } \), given any two point elements aP, bP in G, compute abP in G.

  • ECDDHP: For \( a,b,c \in Z_q^{ * } \), given any three point elements aP, bP and cP in G, decide whether cP = abP.

Clearly, we have the relationship that the ECCDHP is no harder than ECDLP, and ECDDHP is also no harder than ECCDHP in G. Therefore, we assume that ECDDHP is intractable (\( E:y^{2} = x^{3} + ax + b\,\bmod \,p \) is a non-super singular elliptic curve), which may guarantee that there is no polynomial time algorithm to solve ECDDHP, ECCDHP and ECDLP with non negligible probability.

2.4 One-way hash function

A one-way hash function H is said to be secure, if it satisfies the following properties [2].

  • Given x, it is easy to compute H(x) = y. However, when given y, it is hard to compute \( H^{-1}(y) = x \).

  • Given x, it is computationally infeasible to find x′ ≠ x such that \( H(x\prime ) = H(x) \).

3 Review of Tsai’s authentication scheme for SIP

In this section, we briefly review Tsai’s nonce-based authentication scheme for SIP [16]. There are two phases in Tsai’s scheme: registration and authentication. Notations used in this paper are defined in Table 1.

Table 1 Notations

3.1 Registration phase

When U wants to register and become a new legal user, U and S execute the following steps:

  1. Step 1

    U→S: {username, PW}

    U submits his/her username and PW to S.

  2. Step 2

    S stores U’s username and PW in the user account database.

3.2 Authentication phase

If a legal user U wants to login into the system, he/she must type his/her username and PW. All steps of authentication phase are then executed as follows.

  1. Step 1

    U→S: REQUEST (username, \( N_C \))

    U generates a random number \( N_C \) and then sends it with a request message as REQUEST (username, \( N_C \)) to S.

  2. Step 2

    S→U: CHALLENGE (realm, \( N_S \oplus h(PW \| N_C),\ h(PW \| N_S \| N_C) \))

    When S receives the request message, S generates a random nonce \( N_S \). Then, S uses \( N_S \), \( N_C \) and PW to compute \( N_S \oplus h(PW \| N_C) \) and \( h(PW \| N_S \| N_C) \). Finally, S sends a challenge message CHALLENGE (realm, \( N_S \oplus h(PW \| N_C),\ h(PW \| N_S \| N_C) \)) to U.

  3. Step 3

    U→S: RESPONSE (username, realm, \( h(\text{username}, \text{realm}, h(N_S \| PW \| N_C)) \))

    When U receives the challenge message, U uses \( N_C \) and PW to compute \( h(PW \| N_C) \) and derives \( N_S \) by computing \( N_S \oplus h(PW \| N_C) \oplus h(PW \| N_C) \). Then, U computes \( h(PW \| N_S \| N_C) \) and verifies whether it is equal to the received challenge \( h(PW \| N_S \| N_C) \). If the two are not equal, U rejects the server challenge message. Otherwise, U authenticates S and computes two hash values \( h(N_S \| PW \| N_C) \) and \( h(\text{username}, \text{realm}, h(N_S \| PW \| N_C)) \). Finally, U sends a response message RESPONSE (username, realm, \( h(\text{username}, \text{realm}, h(N_S \| PW \| N_C)) \)) to S.

  4. Step 4

    When S receives the response message, S uses \( N_S \), \( N_C \) and PW to compute \( h(N_S \| PW \| N_C) \). If the computed \( h(N_S \| PW \| N_C) \) is not the same as the response \( h(N_S \| PW \| N_C) \), then S rejects the user request. Otherwise, S accepts the connection.

After mutual authentication between S and U, \( SK = N_S \) is used as a session key. See Fig. 2.

Fig. 2 Tsai’s authentication scheme for session initiation protocol

4 Cryptanalysis of Tsai’s authentication scheme for SIP

In this section, we show that Tsai’s authentication scheme is vulnerable to the password guessing attack and the stolen-verifier attack, and that it does not provide perfect forward secrecy or known-key secrecy.

4.1 Password guessing attack

In a password guessing attack, an adversary intercepts authentication messages, stores them locally, and then uses them to verify the correctness of a guessed password [9, 11]. In Tsai’s authentication scheme, an adversary can intercept \( N_C \), \( N_S \oplus h(PW \| N_C) \) and \( h(PW \| N_S \| N_C) \). Then, the adversary can guess a password \( PW^{*} \) from a dictionary \( D \) and compute \( h(PW^{*} \| N_C) \). He/she derives \( N_S^{*} \) by computing \( N_S^{*} = N_S \oplus h(PW \| N_C) \oplus h(PW^{*} \| N_C) \). Then, he/she computes \( h(PW^{*} \| N_S^{*} \| N_C) \). If it is equal to \( h(PW \| N_S \| N_C) \), then the guessed password \( PW^{*} \) is correct. Otherwise, the adversary repeatedly guesses a new password \( PW^{*} \). Thus, Tsai’s authentication scheme is vulnerable to password guessing attacks.

4.2 Stolen-verifier attack

In most existing password based authentication schemes, servers are always the prime targets of the adversaries, because the users’ verifiers (e.g. passwords) are stored in server’s database. In stolen-verifier attack [21], an adversary who steals a password-verifier from the server can use it directly to impersonate a legitimate user in a user authentication execution. In fact, an adversary who obtains password-verifier may further mount a guessing attack.

In Tsai’s authentication scheme, the plaintext password PW of the user is stored in the server, where it can be eavesdropped and then used to masquerade as the original user. Tsai did not explain the stolen-verifier attack with regard to obtaining the user’s secret data PW, which is stored in the server. By obtaining the user’s secret data PW, an illegitimate user can log in to the server as a legitimate user. Suppose an adversary has stolen the user’s secret data PW from the server. Then, the adversary can choose a random nonce \( N_E \) and send it with a request message as REQUEST (username, \( N_E \)) to S in Step 1 of the authentication phase. Then, S will send a challenge message CHALLENGE (realm, \( N_S \oplus h(PW \| N_E),\ h(PW \| N_S \| N_E) \)) to the adversary. Then, the adversary can make a valid response message RESPONSE (username, realm, \( h(\text{username}, \text{realm}, h(N_S \| PW \| N_E)) \)) and send it as a response message to S. As a result, S will authenticate the adversary as a legal user U and accept the user’s login request. Therefore, the adversary can easily impersonate the legal user U. In addition, the adversary can also impersonate the legal server by using the stolen user’s secret password PW. Therefore, Tsai’s authentication scheme is insecure against the stolen-verifier attack.

4.3 Known-key secrecy

Known-key secrecy means that the compromise of a past session key cannot be used to derive any other session keys or long-term private keys (e.g., U’s password PW or S’s private key \( K_S \)). The compromise of a session key enables the protocol to be compromised.

In Tsai’s authentication scheme, suppose an adversary has a session key \( SK = N_S \) of the protocol. Then, by using \( SK = N_S \), the adversary computes \( h(PW \| N_C) \) as \( N_S \oplus h(PW \| N_C) \oplus SK \). Since \( N_C \) is an open nonce value, the PW included in \( h(PW \| N_C) \) can also be obtained by the adversary through a password guessing attack. That is, the adversary makes a guess at the secret password \( PW^{*} \) from the dictionary \( D \) and checks if \( h(PW \| N_C) \stackrel{?}{=} h(PW^{*} \| N_C) \). If it holds, the adversary has guessed the correct password \( PW^{*} = PW \). Compromise of the user password PW will enable the adversary to impersonate S or U freely. Therefore, Tsai’s authentication scheme cannot achieve known-key secrecy.

4.4 Perfect forward secrecy

The important security requirement for strong protocol evaluation is the perfect forward secrecy. A protocol with perfect forward secrecy ensures that even if one entity’s long-term key is compromised, it will never reveal any session keys used previously [18, 20]. It is easily seen that Tsai’s authentication scheme cannot achieve the perfect forward secrecy. When a user’s password PW is compromised, all the session keys SK = N S will also be opened and hence previous communication messages will be learnt.

In Tsai’s authentication scheme, suppose an adversary obtains the password PW from the compromised user; \( N_C \) is also known because the adversary can intercept it from the public channel. After that, the adversary can compute the session key \( SK = N_S \) from \( N_S \oplus h(PW \| N_C) \) by computing \( N_S \oplus h(PW \| N_C) \oplus h(PW \| N_C) \). Thus, if we know PW and \( N_C \), then any old short-term session keys are compromised. Therefore, Tsai’s authentication scheme cannot achieve perfect forward secrecy.
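The verification step behind Sections 4.1 and 4.4, as an added example that is not code from the paper or from Tsai: the check U performs in Step 3 takes only wire values plus a password, so a recorded transcript confirms or rejects any candidate offline and, once confirmed, also yields the old session key \( N_S \). SHA-256, the length-prefixed encoding of "||", 32-byte nonces, the function names, and the sample password and word list are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts; stands in for the paper's h(a||b||...)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_challenge(pw: bytes, n_c: bytes):
    """Step 2: S picks N_S and sends N_S xor h(PW||N_C) and h(PW||N_S||N_C)."""
    n_s = secrets.token_bytes(32)
    return n_s, xor(n_s, h(pw, n_c)), h(pw, n_s, n_c)


def unmask_and_check(pw: bytes, n_c: bytes, masked: bytes, tag: bytes):
    """Step 3 check exactly as U performs it: unmask N_S, then compare the hash.

    Every input except `pw` is sent in the clear, so this function is also an
    offline verifier for a candidate password. Returns N_S (= SK) or None.
    """
    n_s = xor(masked, h(pw, n_c))
    return n_s if hmac.compare_digest(h(pw, n_s, n_c), tag) else None


def audit_transcript(n_c: bytes, masked: bytes, tag: bytes, candidates):
    """Return (password, session key) for the first candidate the transcript confirms."""
    for candidate in candidates:
        n_s = unmask_and_check(candidate, n_c, masked, tag)
        if n_s is not None:
            return candidate, n_s
    return None


def demo():
    pw = b"winter2011"                       # constructed sample password
    n_c = secrets.token_bytes(32)            # Step 1 nonce, visible on the wire
    n_s, masked, tag = server_challenge(pw, n_c)
    wordlist = [b"letmein", b"sip-phone", b"winter2011", b"changeme"]  # constructed
    return n_s, audit_transcript(n_c, masked, tag, wordlist)


if __name__ == "__main__":
    session_key, found = demo()
    print("transcript confirms:", found[0].decode())
    print("recorded session key recovered:", found[1] == session_key)
```

A scheme resists this only if nothing on the wire can be recomputed from a password guess alone, which is the property Section 6.2 argues for the proposed scheme.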

5 Proposed authentication scheme for SIP

In this section, we propose our novel mutual authentication scheme for session initiation protocol. The proposed scheme will consist of two phases: the registration phase and the authentication phase. Description of each phase is as follows:

5.1 Registration phase

When U wants to register and become a new legal user, U and S execute the following steps over a secure channel.

  1. Step 1

    U→S: {username, PW}

    U submits his/her username and PW to S. S computes two secret values HPW and \( HK_S \) by using the hash of U’s username, PW and \( K_S \). Here \( HPW = h(\text{username} \| PW) \) and \( HK_S = h(\text{username} \| K_S) \).

  2. Step 2

    S computes the password verifier \( VPW = HPW \oplus HK_S \) for U.

  3. Step 3

    S stores U’s username and VPW in the user account database.

5.2 Authentication phase

If a legal user wants to log in to S, he/she must type his/her username and PW. All steps of the authentication phase are executed as follows.

  1. Step 1

    U→S: REQUEST (username, \( R_1 \))

    U generates a random integer \( r_1 \in Z_q^{*} \). U computes \( HPW = h(\text{username} \| PW) \) from username and PW respectively. Then, U computes \( R_1 = (HPW \cdot r_1) P \) and sends it with a request message as REQUEST (username, \( R_1 \)) to S.

  2. Step 2

    S→U: CHALLENGE (realm, \( R_2 \), \( h_1 \))

    Upon receiving the request message, S extracts HPW from VPW by computing \( HK_S = h(\text{username} \| K_S) \) and \( HPW = VPW \oplus HK_S \), where VPW is a stored password verifier for U in the user account database. Then, S computes \( R_1' = HPW^{-1} R_1 = (HPW^{-1} \cdot HPW \cdot r_1) P = r_1 P \). Here, \( HPW^{-1} \) is computed by using the Extended Euclidean Algorithm over \( Z_q^{*} \). Now, S generates another random integer \( r_2 \in Z_q^{*} \) and computes \( R_2 = r_2 P \), \( SK_S = r_2 R_1' = r_2 r_1 P = r_1 r_2 P \) and \( h_1 = h(SK_S \| R_2) \), where \( SK_S \) is the secret session key and \( SK_S = r_2 r_1 P = r_1 r_2 P \) holds due to the commutative property of the elliptic curve group. Finally, S sends a challenge message CHALLENGE (realm, \( R_2 \), \( h_1 \)) to U.

  3. Step 3

    U→S: RESPONSE (username, realm, \( h(\text{username} \| \text{realm} \| SK_U) \))

    Upon receiving the challenge message, U computes a secret session key \( SK_U = r_1 R_2 = r_1 r_2 P \) and checks that \( h(SK_U \| R_2) \stackrel{?}{=} h_1 \). If these are not equal, U rejects the server challenge message. Otherwise, U authenticates S and computes a message authentication code \( h(\text{username} \| \text{realm} \| SK_U) \). Finally, U sends a response message RESPONSE (username, realm, \( h(\text{username} \| \text{realm} \| SK_U) \)) to S.

  4. Step 4

    Upon receiving the response message, S computes \( h(\text{username} \| \text{realm} \| SK_S) \) and verifies whether it is equal to the received response \( h(\text{username} \| \text{realm} \| SK_U) \). If they are not equal, S rejects the user response message. Otherwise, S authenticates U and accepts the user’s login request.

After mutual authentication between U and S, \( SK = SK_U = SK_S = r_1 r_2 P \) is used as a shared session key. See Fig. 3.

Fig. 3 Proposed authentication scheme for session initiation protocol
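One full run of the registration and authentication phases above with both sides' computations, as an added example rather than the authors' code. The curve (secp256k1), SHA-256 with length-prefixed concatenation for "||", the XOR in VPW taken over integers, the on-curve check on \( R_1 \), and all names and sample secrets are assumptions; the paper fixes none of them.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (assumed curve: y^2 = x^3 + 7 over F_p).
FIELD_P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order n
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % FIELD_P == 0

def add(p1, p2):
    """Affine point addition; None represents the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % FIELD_P, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD_P, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return x3, (lam * (x1 - x3) - y1) % FIELD_P

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):
    return hashlib.sha256(b"".join(len(x).to_bytes(4, "big") + x for x in parts)).digest()

def scalar(*parts):
    """Hash into Z_q^* = [1, N-1] so that HPW is always invertible mod N."""
    return int.from_bytes(h(*parts), "big") % (N - 1) + 1

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def register(user, pw, k_s):
    """Registration: S stores VPW = HPW xor HK_S, never PW itself."""
    return scalar(user, pw) ^ scalar(user, k_s)

def client_request(user, pw):
    r1 = secrets.randbelow(N - 1) + 1
    return r1, mul(scalar(user, pw) * r1 % N, GEN)        # R1 = (HPW.r1)P

def server_challenge(user, vpw, k_s, R1):
    if not on_curve(R1):                                  # added hardening, not in the paper
        raise ValueError("R1 is not a point on the curve")
    hpw = vpw ^ scalar(user, k_s)                         # HPW = VPW xor HK_S
    r1P = mul(pow(hpw, -1, N), R1)                        # R1' = HPW^-1 R1 = r1 P
    r2 = secrets.randbelow(N - 1) + 1
    R2, sk_s = mul(r2, GEN), mul(r2, r1P)
    return R2, h(enc(sk_s), enc(R2)), sk_s                # (R2, h1) go to U

def client_response(user, realm, r1, R2, h1):
    sk_u = mul(r1, R2)
    if not hmac.compare_digest(h(enc(sk_u), enc(R2)), h1):
        return None, None                                 # U rejects the challenge
    return h(user, realm, enc(sk_u)), sk_u

def server_verify(user, realm, sk_s, response):
    return response is not None and hmac.compare_digest(h(user, realm, enc(sk_s)), response)

def run_session(typed_pw, registered_pw=b"correct horse", user=b"alice",
                realm=b"sip.example.test", k_s=b"constructed-server-secret"):
    """Return (S accepts U, both sides hold the same SK) for one constructed session."""
    vpw = register(user, registered_pw, k_s)
    r1, R1 = client_request(user, typed_pw)
    R2, h1, sk_s = server_challenge(user, vpw, k_s, R1)
    response, sk_u = client_response(user, realm, r1, R2, h1)
    return server_verify(user, realm, sk_s, response), sk_u == sk_s

if __name__ == "__main__":
    print("right password:", run_session(b"correct horse"))
    print("wrong password:", run_session(b"wrong guess"))
```

With a wrong password the failure shows up on U's side first: S unblinds \( R_1 \) with the registered HPW, so \( h_1 \) no longer matches what U computes and no RESPONSE is sent.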

6 Security analysis

In this section, we examine the security of our proposed authentication scheme in terms of the following security properties: replay attack, password guessing attack, modification attack, stolen-verifier attack, server spoofing attack, man-in-middle attack, session key security, known-key secrecy and perfect forward secrecy.

6.1 Replay attack

In our proposed scheme, nonce variables \( r_1 \) and \( r_2 \) are generated independently and both will be different in each login message. Suppose an adversary intercepts REQUEST (username, \( R_1 \)) in Step 1 of the authentication phase and replays it to impersonate U to log in to S. However, the adversary cannot compute a correct session key SK and deliver it to S in Step 3 of the authentication phase unless he/she correctly guesses the password PW to obtain \( r_1 P \) and guesses the right \( r_2 \) from \( R_2 = r_2 P \). When an adversary tries to guess \( r_1 \) from \( r_1 P \) and \( r_2 \) from \( R_2 = r_2 P \), he/she will face the ECDLP. On the other hand, suppose an adversary intercepts CHALLENGE (realm, \( R_2 \), \( h_1 \)) from S in Step 2 of the authentication phase and replays it to impersonate S. For the same reason, if an adversary cannot gain the correct \( r_1 \) from \( r_1 P \), U will find out that \( h_1 \) is not equivalent to his/her computed \( h(SK_U \| R_2) \). Then, U will not send RESPONSE (username, realm, \( h(\text{username} \| \text{realm} \| SK_U) \)) back to the adversary in Step 3 of the authentication phase. Therefore, our proposed authentication scheme can resist the replay attack.

6.2 Password guessing attack

An online password guessing attack cannot succeed since S can choose appropriate trial intervals. On the other hand, to resist an offline password guessing attack, there must be no verification information for passwords in all exchanges. In our proposed scheme, if an adversary obtains all the exchanged messages (\( R_1 \), \( R_2 \), \( h_1 \), \( h(\text{username}, \text{realm}, SK_U) \)) by a passive attack and wants to guess U’s password, he first guesses a password \( PW^{*} \) and uses it to compute \( R_1' = h(\text{username} \| PW^{*})^{-1} R_1 = r_1 P \). By using \( R_1' \) and \( R_2 \), the adversary will try to compute the session key \( SK = SK_U = SK_S = r_1 r_2 P \). However, the adversary has to break the ECCDHP or ECDDHP to find the keying material \( SK = r_1 r_2 P \) from \( R_1' = r_1 P \) and \( R_2 = r_2 P \) to verify his/her guess. But the adversary cannot gain the session key without \( r_1 \) of \( r_1 P \) and \( r_2 \) of \( r_2 P \). Therefore, our proposed scheme can resist the password guessing attack.

6.3 Modification attack

An adversary may modify the communication messages (\( R_1 \), \( R_2 \), \( h_1 \), \( h(\text{username} \| \text{realm} \| SK_U) \)) being transmitted over an insecure network. However, even if the adversary forges them, our proposed scheme can detect this modification attack, because it can verify not only the equality of the session key \( SK = SK_U = SK_S = r_1 r_2 P \) computed by each party, but also the correctness of \( R_1 \) and \( R_2 \) transmitted between the two parties, by validating the message authentication codes \( h_1 = h(SK_S \| R_2) \) and \( h(\text{username} \| \text{realm} \| SK_U) \) in the proposed scheme. Therefore, our proposed scheme can resist the modification attack.

6.4 Stolen-verifier attack

Servers are always the prime target of attacks. An adversary may acquire \( VPW = HPW \oplus HK_S \) stored in S. However, without knowing \( K_S \), the adversary cannot forge a login request to pass the authentication, as HPW is hidden in \( VPW = HPW \oplus HK_S \) by using the server’s secret key \( K_S \). Thus, the correctness of the guessed password \( HPW^{*} \) cannot be verified by checking \( HPW^{*} = HPW \). Therefore, our proposed scheme can resist the stolen-verifier attack.

6.5 Server spoofing attack

Since our proposed scheme provides mutual authentication, the server spoofing attack [12] can be resisted. In the authentication phase, as U sends REQUEST (username, \( R_1 \)) to the adversary masquerading as the server, the adversary cannot generate proper (\( R_2 \), \( h_1 \)) without knowing \( K_S \) in Step 2 of the authentication phase. Therefore, the server spoofing attack doesn’t work in our proposed scheme.

6.6 Man-in-middle attack

In our proposed scheme, an adversary cannot pretend to be U or S to authenticate the other since he/she doesn’t know the password PW. Suppose the adversary has recorded one of U’s previous authentication messages, say REQUEST (username, \( R_1 \)) and RESPONSE (username, realm, \( h(\text{username} \| \text{realm} \| SK_U) \)). If the adversary knows the password PW corresponding to the intercepted \( R_1 \), he/she can generate a random number \( i \in Z_q^{*} \) to compute \( R_1' = (h(\text{username} \| PW) \cdot i) P \) and send the forged authentication message REQUEST (username, \( R_1' \)) to S. Next, the adversary can intercept the message CHALLENGE (realm, \( R_2 \), \( h_1 \)) sent back by S to U, where \( h_1 = h(SK_S \| R_2) \) and \( SK_S = r_2 R_1' = r_2 i P = i r_2 P \), compute \( SK_U' = i R_2 \), and then forge the authentication message \( h(\text{username} \| \text{realm} \| SK_U') \) to fool S. However, since the adversary does not know HPW and \( r_1 \), he/she cannot compute \( SK_U = r_1 R_2 = r_1 r_2 P \) to impersonate U to fool S in this manner. The forged challenge message CHALLENGE (realm, \( R_2 \), \( h_1 \)) to fool U can also be detected by U for the same reason, because the adversary does not know HPW to extract \( r_1 \) from \( R_1 = (HPW \cdot r_1) P \). Therefore, our proposed scheme can resist the man-in-middle attack.

6.7 Session key security

The session key \( SK = SK_U = SK_S = r_1 r_2 P \) is only known to U and S. The random values \( r_1 \) and \( r_2 \) are protected by the ECDLP and ECCDHP and the secure one-way hash function. Therefore, our proposed scheme provides session key security.

6.8 Known-key secrecy

Even if an adversary obtains the fresh session key \( SK = SK_U = SK_S = r_1 r_2 P \), he/she cannot obtain U’s secret password PW from \( R_1 = (h(\text{username} \| PW) \cdot r_1) P \) by using a password guessing attack because he/she will face the ECDLP to obtain \( r_1 \) from \( r_1 P \). If the adversary obtains \( r_1 P \), then he/she can guess PW from \( R_1 = (h(\text{username} \| PW) \cdot r_1) P \) by computing \( R_1' = (h(\text{username} \| PW)^{-1} \cdot h(\text{username} \| PW) \cdot r_1) P \stackrel{?}{=} R_1 \). However, this is infeasible because U never sends \( r_1 P \) in plaintext form over the open network. It is always encrypted by using the secret password PW, as in \( R_1 = (h(\text{username} \| PW) \cdot r_1) P \). Also, the adversary is unable to compute the two values \( r_1 P \) and \( r_2 P \) from the fresh session key \( SK = SK_U = SK_S = r_1 r_2 P \) due to the hardness of ECDLP and ECCDHP. Therefore, our proposed authentication scheme provides the feature of known-key secrecy.

6.9 Perfect forward secrecy

Perfect forward secrecy is provided when, even though U’s secret password PW or S’s secret key \( K_S \) is compromised, an adversary still cannot obtain any previous session keys. In our proposed authentication scheme, suppose that an adversary knows U’s secret password PW or S’s secret key \( K_S \) and tries to determine the session key SK for past sessions and decrypt them. The adversary is still faced with the hardness of ECDLP and ECCDHP to compute the session key \( SK = SK_U = SK_S = r_1 r_2 P \) from the two extracted values \( r_1 P \) and \( r_2 P \). Additionally, suppose an adversary acquires \( VPW = HPW \oplus HK_S \) stored in S. By knowing S’s secret key \( K_S \), he/she extracts \( HPW^{*} = VPW \oplus h(\text{username} \| K_S) \). The adversary intercepts all the exchanged messages (\( R_1 \), \( R_2 \), \( h_1 \), \( h(\text{username}, \text{realm}, SK_U) \)) by a passive attack. Now, he/she can compute \( R_1' = (HPW^{*})^{-1} R_1 = (((HPW^{*})^{-1} \cdot HPW) \cdot r_1) P = r_1 P \). The adversary is still faced with the hardness of ECDLP to compute the value \( r_1 \) from \( r_1 P \). Therefore, our proposed authentication scheme can provide the property of perfect forward secrecy.

The security properties of previous related schemes [16, 19] and the proposed authentication scheme are summarized in Table 2.

Table 2 Comparison of security properties

7 Performance comparison

The computational costs of our proposed authentication scheme and the previous related schemes [16, 19] are summarized in Table 3. Since our proposed authentication scheme is based on the elliptic curve cryptosystem [8], the total overhead for communication and performance can be reduced. For example, to reach a reasonable security level, it just requires a 160-bit prime \( p \) to construct the elliptic curve group \( E(F_p) \).

Table 3 Comparison of computational cost

The proposed authentication scheme requires five ECC multiplications during the protocol. These five ECC computations are needed to provide known-key secrecy and perfect forward secrecy. The cost of the inversion operation in \( Z_q^{*} \) is negligible. Compared with Tsai’s scheme, our proposed authentication scheme is computationally a little more intensive, but it offers enhanced security. However, the effects of this computational intensity can easily be mitigated by the use of powerful processors.

8 Conclusion

In this paper, we have shown that Tsai’s authentication scheme for session initiation protocol is vulnerable to password guessing attack and stolen verifier attack. Furthermore, it does not provide known-key secrecy and perfect forward secrecy. In order to resolve these security problems, we have proposed a novel and secure mutual authentication scheme based on the elliptic curve discrete logarithm problem for session initiation protocol. The proposed authentication scheme not only resists these attacks but also provides greater security and efficiency. Hence, our proposed authentication scheme can be executed faster than any other previously proposed related schemes.