1 Introduction

VoIP technology has provided the possibility to use the internet to make phone calls in comparison with traditional phones. In VoIP technology, voice is sent by IP information packets through the internet. VoIP technology in comparison to traditional phone networks has many advantages such as easy expansibility, implementation flexibility, concentration management and lower cost [48]. VoIP is composed of session initiation protocol (SIP) and real-time transportprotocol (RTP). SIP was first developed by Internet Engineering Task Force on 1999 [13, 31]. It is an application layer signaling protocol whose function is to initiate, manage and terminate a session between two or more systems based on IP. H323 and MGCP are some of rival protocols of SIP [48, 34]. Authentication and key agreement schemes in SIP are either based on password, which are called one-factor schemes [6, 23, 32, 35], or based on password and smart card which are called two-factor schemes [1, 5, 12, 22, 26,27,28,29, 48].

In order to provide a secure key agreement on SIP, many protocols have been proposed in recent years [4, 10, 11, 15,16,17,18, 23, 27, 30, 36,37,38,39, 42,43,44,45,46,47,48]. One of the oldest technologies used for authentication and key agreement in SIP is HTTP digest single factor scheme which was dismissed due to inefficiency in providing security requirements such as mutual authentication, off-line password guessing and stolen verifier attacks [14, 33, 42]. Furthermore, some schemes based on Diffie-Hellman key agreement were presented which suffer from considerable computational costs. Nowadays, considering the importance of decreasing computation and communication costs, protocols are up to providing this matter.

Because of the efficiency of elliptic curve, the difficulty of Discrete Logarithm Problem, and shorter key length, nowadays most one-factor and two-factor authentication schemes use Elliptic Curve Cryptography to provide full security and reduce the computational cost [16, 22, 27, 29, 36, 39, 48].

In 2005, Yang et al. [42] showed that previous mechanism used for authentication and key agreement in SIP (HTTP digest) is vulnerable against offline password guessing and server spoofing attacks. Therefore, a new scheme based on Diffie-Hellman key exchange was presented that the security of this scheme was based on the difficulty of solving the Discrete Logarithm Problem. Durlanik and Sogukpinar [10] showed that Yang et al.’s protocol [42] was not suitable for resource-constrained equipment due to its high computational costs. In order to decrease computational costs, a new scheme based on Elliptic Curve Diffie–Hellman was presented [44]. Yoon and Yoo in 2009 [44] proved that the mentioned scheme [10] is vulnerable against some attacks including stolen verifier and Denning Sacco attacks. Wu et al. in 2009 [39] presented a key agreement and secure authentication scheme for SIP based on the difficulty of Elliptic Curve Cryptography problem. However, Yoon et al. [45] showed that their scheme [39] is vulnerable against offline password guessing attack. Later, it is shown that the presented scheme by Yoon et al. [45] is vulnerable against password guessing attack [21]. Tsai [37] presented a lightweight scheme for SIP. However, Arshad and Ikram [4] proved that the presented scheme by Tsai is vulnerable against offline password guessing and stolen verifier attacks, and does not provide perfect forward secrecy (PFS) and known key secrecy. They also presented a new mutual authentication scheme based on Elliptic Curve Cryptography. Some other researcher, [15, 24, 30, 36], illustrate vulnerability of Arshad and Ikram’s scheme [4] against offline password guessing, internal and masquerade attacks. Irshad et al. [16] demonstrated that the proposed scheme in [36] was insecure against server impersonation attack and they proposed a new scheme, however, their scheme was vulnerable to privileged insider attack [6]. Zhang et al. [46] presented an authentication and key agreement scheme for SIP based on password and smart card which unlike the mentioned schemes doesn’t need to store passwords in server or hold a verification table. Zhang et al. [46] claimed that their scheme is resistant to well-known attacks. Nevertheless, some other researchers affirmed that Zhang et al.’ scheme [46] is vulnerable against user impersonation and malicious insider attacks [18, 38, 47]. Irshad et al. [17] proved that Zhang et al. [46] scheme is vulnerable against Denial of Service attack. Arshad and Nikooghadam [5] proved that the presented protocol by Jiang et al. [18] is vulnerable against user impersonation attack, and Yeh et al.’s scheme [43] is not robust against offline password guessing attack, and can’t provide perfect forward secrecy. Recently, Chaudhry et al. [8] presented an authentication and key agreement scheme preserving privacy. In this paper, we proved their scheme doesn’t provide perfect forward secrecy.

Lu et al. [23] introduced a secure and efficient scheme for SIP in 2016. Nevertheless, Chaudhry et al. [9], Xu et al. [41] and Kumari et al. [20] pointed Lu et al.’s scheme [23] is still vulnerable against user and server impersonation attack, stolen verifier attack and identity guessing attack. Therefore, Xu et al. [41] in 2017 designed a provably secure anonymous mutual authentication scheme.

In 2016, Zhang et al. [48] also presented an efficient authentication and key agreement scheme for VoIP networks. Besides, Nikooghadam et al. [28] presented a scheme for key agreement to preserve privacy through anonymity. In this paper, security flaws of Zhang et al. [48] and Nikooghadam et al. [28] schemes are scrutinized and is demonstrated that Zhang et al. scheme [48] is vulnerable against replay attacks, known session specific temporary information attacks, ignoring re-registration and revocation, violation of fast error detection and does not provide user anonymity, Furthermore, Nikooghadam et al.’s scheme [28] does not provide perfect forward secrecy.

Our contribution: The contribution of this paper is as follows.

  • Cryptanalysis of Chaudhry et al.’s scheme [8], Zhang et al. ‘s scheme [48] and Nikooghadam et al. ‘s scheme [28], and demonstrating their security challenges and flaws.

  • Presenting a two-factor authentication and key agreement protocol that (a) solves the security challenges of schemes [8, 28, 48]; (b) provides perfect forward secrecy and user anonymity; (c) is more efficient than most recent schemes in terms of both communication and computation costs; (d) uses no expensive operations over elliptic curves.

  • Security analysis of the proposed scheme in the BAN logic and the AVISPA tool.

In the first section of this paper, VoIP, SIP and some related works are reviewed. Nikooghadam et al.’s scheme [28] and its security weakness is described in the second section. Chaudhry et al.’s scheme [8] is reviewed in Section 3. security weakness of Chaudhry et al.’s scheme [8] is also explained in this section. Zhang et al.’s scheme [48] is reviewed and analyzed in Section 4. In Section 5, we propose our suggested protocol. In Section 6, security of our suggested protocol is verified through informal and formal analyses. In Section 7, we analyze and compare performance of the suggested protocol with other protocols and finally, the conclusion part is presented.

2 Review of Nikooghadam et al.’s scheme

Nikooghadam et al.’s scheme [28] includes three phases: registration, login and authentication, and password changing phases. In this section, we briefly review the first two phases to analyze their proposed scheme, then its security flaw is demonstrated. The definition of notations used in Nikooghadam et al.’s scheme [28], Chaudhry et al.’s scheme [8] and Zhang et al.’s scheme [48] are shown in Table 1.

Table 1 The notations used in Nikooghadam et al., Chaudhry et al., and Zhang et al.’s schemes
Full size table

2.1 Registration phase

In registration phase, user performs the following steps over a secure channel. At the end of this phase, a smart card is issued by server to a user.

  1. Step 1.

    First, an identity IDi, a password PWi, and a random number, r, are chosen by the user. Then the masked password MPWi = hIDirPWi) is computed by the user. The values of IDi and MPWi are transferred to the server via a secure channel.

  2. Step 2.

    After receiving {IDi, MPWi}, the server searches registered user’s table whether received IDi exists or not. If received IDi was repetitive, the server asks for a new IDi. Otherwise, the server computes the values of Ai = hIDix), Bi = Ai ⨁ MPWi and selects a random number, N, and calculates masked identity of user MIDi = ExIDiN). At last, the server stores IDi to the table of registered user, and issues a smart card that, includes {Bi, MIDi, Ekey(.)/Dkey(.), h(.)}. Then the server sends the smart card to user through a secure channel.

  3. Step 3.

    As soon as the user receives smart card, stores the value of random number r into the smart card.

2.2 Login and authentication phase

  1. Step 1.

    The user inserts his/her smart card into the card reader and inputs his/her IDi and PWi. Then the smart card selects a random number RNi, captures the current time stamp Ti, and calculates Ai = Bi ⨁ h(IDirPWi) = h(IDix),\( {M}_1={E}_{A_i}\left({ID}_i\left\Vert\ {RN}_i\right\Vert\ {T}_i\left\Vert\ {MID}_i\right.\right) \). Then login request message REQUEST{MIDi, M1, Ti} is transmitted to the server via an insecure channel.

  2. Step 2.

    when, the server receives login request message at Ts, checks condition |Ts − Ti| ≤ ∆T holds or not. If |Ts − Ti| ≤ ∆T holds, then the server calculates DxMIDi) = (IDiN) and\( {A}_i^{\ast }=h\left({ID}_i\left\Vert x\right.\right) \). After that, the server decrypts received M1 by\( {A}_i^{\ast } \) as\( {D}_{A_i^{\ast }}\left({M}_1\right)=\left({ID}_i\left\Vert\ {RN}_i\right\Vert \left.\ {T}_i\right\Vert\ {MID}_i\right) \), acquires (IDi‖ RNi‖ Ti‖ MIDi) and compares them with received MIDi and Ti. If they are equal, then the server selects two random numbers Nnew and RNs and computes\( {MID}_i^{new}={E}_x\left({ID}_i\left\Vert {N}^{new}\right.\right) \),\( \kern0.50em {M}_2={E}_{A_i^{\ast }}\left({MID}_i^{new}\left\Vert\ {RN}_s\right\Vert\ {ID}_i\left\Vert\ {RN}_i\right.\right) \) and transmits a challenge message CHALLENGE {M2} to the user.

  3. Step 3.

    Upon receiving {M2}, user decrypts M2 as\( {D}_{A_i}\left(\ {M}_2\right)=\left({MID}_i^{new}\left\Vert\ {RN}_s\right\Vert \left.\ {ID}_i\right\Vert\ {RN}_i\right) \) and verifies IDi and RNi. After calculating \( {M}_3=h\left(\ {RN}_s\left\Vert {MID}_i^{new}\right\Vert\ {RN}_i\right) \) and SK = hRNi‖ Ai‖ RNs) by the user, he/she replaces MIDi with \( {MID}_i^{new} \) and sends a response message RESPONSE {M3} to the server.

  4. Step 4.

    Upon the server receives {M3}, calculates \( {M}_3^{\ast }=h\left(\ {RN}_s\left\Vert {MID}_i^{new}\right\Vert\ {RN}_i\right) \) and verifies condition\( {M}_3^{\ast }=?{M}_3 \). If this condition holds, the user is authenticated by the server. Then server and user agree on same session key \( SK=h\left(\ {RN}_i\left\Vert\ {A}_i^{\ast}\right\Vert\ {RN}_s\right) \).

2.3 Cryptanalysis of Nikooghadam et al.’s scheme

If the adversary obtains the private key of the server, x, he/she can acquire session key SK = hRNiAi‖ RNs) by performing the following steps:

  1. Step 1.

    In first step of login and authentication phase of Nikooghadam et al.’s scheme [28], M1 and MIDi are sent through a public channel. So, the adversary can decrypt MIDi with private key of server (x) as DxMIDi) = ( IDiN), and obtains IDi and N. Then the adversary calculates Ai as Ai = hIDix) and decrypts M1 using Ai as\( {D}_{A_i}\left(\ {M}_1\right)=\left(\ {ID}_i\left\Vert\ {RN}_i\right\Vert \left.\ {T}_i\right\Vert\ {MID}_i\right) \), and derives RNi.

  2. Step 2.

    In second step of login and authentication phase, M2 is sent to user via an insecure channel, therefore the adversary reaches RNs with decrypting M2 with Ai as\( {D}_{A_i}\left(\ {M}_2\right)=\left({MID}_i^{new}\left\Vert\ {RN}_s\right\Vert \left.\ {ID}_i\right\Vert\ {RN}_i\right) \). As a result, by exposing the private key of server, the adversary is able to derive RNiRNs,and Ai, then calculates session key SK = hRNiAi‖ RNs). Therefore, Nikooghadam et al.’s scheme does not provide the perfect forward secrecy.

3 Review of Chaudhry et al.’s scheme

In this section, first two phases of Chaudhry et al.’s scheme [8] is briefly discussed and then we prove that it does not provide perfect forward secrecy. Chaudhry et al.’s scheme [8] includes three phases: registration phase, login and authentication phase, and password change phase. The used notations in their scheme are listed in the Table 1.

3.1 Registration phase

In this phase, user and server performs the following steps:

  1. Step 1.

    The user chooses an identity IDi, a password PWi, a random number c, and calculates RPi = h(c‖ IDi). Then he/she transmits {IDi, RPi } to the server through a secure channel.

  2. Step 2.

    The server computes pseudo-identity PIDi = Eks2IDiTs0) for the user. After that, the values of Gi = hIDiks1) ⊕ RPi, Ki = ki ⊕ RPi, Hi = hIDiki‖ RPi) and Ji = ki ⊕ h(ks2IDi) are calculated by the server, the server saves {Ki, Hi, Ji, PIDi, h(.)} into the smart card and forwards the smart card SCui and Gi to the user over a secure channel.

  3. Step 3.

    When the user receives {SCui, Gi }, he/she computes Ri = ( IDiPWi) ⊕ c and Li = Gi ⊕ c, and stores both Ri and Li in SCui. At last, the smart card SCui subtends {Ki, Hi, Ji, PIDi, h(.), Ri, Li}.

3.2 Login and authentication phase

Through the login phase, a valid user is able to login to the server after the following calculation.

  1. Step 1.

    The user inserts his/her SCuiIDi and PWi. Then, SCui computes c = Ri ⊕ (IDiPWi), RPi = h(cPWi), hIDiks1) = Li ⊕ RPi ⊕ c ,  ki = Ki ⊕ h(cPWi) and \( {H}_i^{\ast }=h\left(\ {ID}_i\left\Vert {k}_i\right\Vert {RP}_i\right) \).

  2. Step 2.

    The smart card SCui compares\( {H}_i^{\ast }=?{H}_i \), if this condition does not hold, the smart card SCui stops this session.

  3. Step 3.

    After that, the smart card SCui calculates hks2IDi) = ki ⊕ Ji, Gi = Li ⊕ c, \( \overline{G_i}={G}_i\oplus h\left({k}_i\Big\Vert\ {T}_{ui}\right) \), Qi = h(GikiPi‖ Tui), Pi = Gi ⨁ RPi, and Si = ki ⨁ (hks2IDi)‖ Tui), transmits authentication request message \( \left\{{PID}_i,\overline{G_i},{Q}_i,{S}_i,{T}_{ui}\right\} \) to the server.

  4. Step 4.

    Upon receiving the authentication request message, the server S validates time stamp Tui and calculates \( \left(\ {ID}_i\left\Vert {T}_{s0}\right.\right)={D}_{k_{s2}}\left(\ {PID}_i\right) \), ki = Si ⨁ (hks2IDi)‖ Tui), \( {G}_i=\overline{G_i}\oplus h\left({k}_i\Big\Vert\ {T}_{ui}\right) \), \( {P}_i^{\ast }=h\left(\ {ID}_i\left\Vert {k}_{s1}\right.\right) \) and \( {Q}_i^{\ast }=h\left({G}_i\left\Vert {k}_i\right\Vert {P}_i^{\ast}\left\Vert\ {T}_{ui}\right.\right) \).

  5. Step 5.

    The server S checks whether Qi is equal with\( {Q}_i^{\ast } \). If they are equal, S authenticates the user Ui.

  6. Step 6.

    The values \( a=h\left({P}_i^{\ast}\left\Vert {k}_i\right\Vert {T}_{s2}\right) \) and \( {Z}_i={P}_i\oplus {E}_{k_{s2}}\left(\ {ID}_i\left\Vert {T}_{s1}\right.\right) \) are computed and {a, Ts2, Zi} are sent by the server to the user.

  7. Step 7.

    After receiving {a, Ts2, Zi}, initially the user verifies Ts2, then computes a = hPikiTs2) and compares it with received {a}. If a is equal with received a, the user authenticates the server as a valid server.

  8. Step 8.

    The server S and the user Ui calculates the shared key as SK = hPikiTuiTs2hks2IDi)).

3.3 Cryptanalysis of Chaudhry et al.’s scheme

Assume secret keys ks1 and ks2 of the server are disclosed, by executing the following calculations, the attacker is able to acquire the session key SK = hPikiTuiTs2hks2IDi)).

The attacker eavesdrops exchanged messages over a public channel and obtains values {PIDi, Tui, Ts2, Si, Zi}. Then, the attacker decrypts PIDi with ks2 as \( {D}_{k_{s2}}\left(\ {PID}_i\right)=\left(\ {ID}_i\left\Vert {T}_{s0}\right.\right) \) and evolves IDi. For deriving ki and Pi, the attacker computes ki = Si ⊕ (hks2IDi)‖Tui) and Pi = PIDi ⨁ Zi. Thus, in this scheme, perfect forward secrecy does not provide.

4 Review of Zhang et al.’s scheme

In this section, Initialization, registration and authentication phases of Zhang et al.’s scheme [48] is reviewed, then its security flaws are explained. Zhang et al.’s scheme [48] contains four phases: Initialization, registration, authentication, and password changing phases. The used notations in their scheme are listed in the Table 1.

4.1 Initialization phase

  1. Step 1.

    An Elliptic Curve equation Ep(a, b) : y2 = x3 + ax + b(mod p) over a prime finite field Fp, (where a, bϵFp and 4a3 + 27b2 ≠ 0(mod p)) are chosen by the SIP server. Then, the SIP server selects a base point P over Ep(a, b).

  2. Step 2.

    The server selects a high entropy random integer s as its secret key and a one-way hash function h(.) : {0, 1} → {0, 1}k, next computes Ppub = sP.

  3. Step 3.

    The secret key s is protected by server and {Ep(a, b), P, Ppub, h(.)} as public parameters are published.

4.2 Registration phase

In this phase, a new user registers in the SIP server and at the end of this phase, he/she receives a smart card.

  1. Step 1.

    Initially, the user chooses his/her identity IDi, password PWi, a high entropy random integer r, and calculates C1 = h(PWi ⨁ r). Next, {IDi, C1} is sent to the SIP server through a secure channel.

  2. Step 2.

    The SIP server calculates C2 and C3 as C2 = h(IDi ⨁ s) and C3 = C1 ⨁ C2, respectively. Also, it stores C3 in the memory of the smart card and sends the smart card to the user, via a secure channel.

  3. Step 3.

    After receiving the smart card by the user, he/she saves r in to the smart card.

4.3 Authentication phase

At the end of this phase, the user and the SIP server agree to a same session key.

  1. Step 1.

    The user inserts his/her smart card into the card reader, and inputs his/her IDi and PWi. The smart card chooses a high entropy random integer r1, a random integer r2, and calculates the following computations:

$$ {C}_2={C}_3\oplus h\left(\ {PW}_i\oplus r\right)=h\left(\ {ID}_i\oplus s\right), $$
$$ {C}_4={r}_1P, $$
$$ {C}_5={r}_1{C}_2{P}_{pub}, $$
$$ {C}_6=h\left(\ {C}_5\right)\oplus \left(h\left(\ {ID}_i\oplus s\right)\oplus {r}_2\left\Vert {\left(\ {C}_5\right)}_x\right\Vert {\left(\ {C}_5\right)}_y\right). $$

where ( C5)x and ( C5)y are x/y-coordinates values of elliptic curve point C5, respectively.

Finally, the request message REQUEST {IDi, C4, C6} is sent by the user to the SIP server through a public channel.

  1. Step 2.

    The SIP server computes C2 = hIDi ⊕ s) and retrieves (hIDi ⊕ s) ⊕ r2‖( C5)x‖( C5)y) as (hIDi ⊕ s) ⊕ r2‖( C5)x‖( C5)y = h(sC2C4) ⨁ C6. Next, it verifies whether the condition ( C5)x‖( C5)y = (s C2 C4)x‖(s C2 C4)y holds or not. If it is not equal, the request is rejected. Otherwise, the SIP server acquires r2 as C2 ⨁ hIDi ⨁ s) ⨁ r2, then it selects two random integers (r3, r4) and calculates C7 = r3P and session key SK = hC4‖ r3 C4‖ C7). In the following, the SIP server calculates an authentication message Auths = h(hIDi ⊕ s)‖ r2‖(SK)x‖( C5)x‖(SK)y‖( C5)y) and forwards a challenge message CALLENGE {realm, C7, Auths, r4} to the user Ui.

  2. Step 3.

    Upon receiving the message CALLENGE {realm, C7, Auths, r4}, the smart card calculates the session key SK = hC4‖ r1 C7‖ C7), and then it computes hC2‖ r2‖(SK)x‖( C5)x‖(SK)y‖( C5)y), and checks the condition hC2‖ r2‖(SK)x‖( C5)x‖(SK)y‖( C5)y) =  ? Auths. If it was true, the user Ui and the SIP server S agree to a same session key SK. The user Ui computes the authentication information Authu = h((SK)x‖( r4 + 1)‖(SK)y); otherwise, it aborts the session. At last, Ui transmits a response message RESPONSE {realm, Authu} to the SIP server S.

  3. Step 4.

    The SIP server checks whether Authu is equal with h((SK)x‖( r4 + 1)‖(SK)y) or not. If it is not equivalent, the authentication process is terminated. Otherwise, the session key is equal to SK = r1 r3P.

4.4 Security weaknesses of Zhang et al.’s scheme

Lack of user anonymity and probability of user traceability

At the end of first step of authentication phase of Zhang et al.’s scheme [48], identity of user is revealed in message REQUEST{ IDi, C4, C6}. So, the adversary is able to eavesdrop request message and obtain identity IDi of user. Also, the adversary can trace a certain user. Thus, in Zhang et al.’s scheme [48] both user anonymity and user untraceability are violated.

Ignoring re-registration and revocation

The adversary can retrieve the identity of user, IDi, because IDi is sent as a plaintext via an insecure channel. So, if an outsider attacker selects a new password \( {PW}_i^{\prime } \) and a new random integer r, he/she can register in the SIP server S using identity of legal user and the SIP server S cannot distinguish that formerly another user with same identity is registered and thus, it issues a new smart card for outsider attacker. Also, if user’s smart card is stolen/lost, there is no mechanism to prevent misuse stolen/lost smart card.

Known-session-specific temporary information attack

Assume a random number r1 that it is chosen by smart card in the first step of authentication phase, is unexpectedly revealed to the adversary. Since the values C4 and C7 are sent through an insecure channel. The adversary is able to compare the value of r1P with C4. If r1P is equal with C4, the adversary can retrieve the session key SK as hC4‖ r1 C7‖ C7).

Replay attack

In authentication phase of Zhang et al.’s scheme [48], assume the adversary obtains overheard message REQUEST {IDi, C4, C6} and resent it to the SIP server S, he/she is able to login to the SIP server S. Because the SIP server S does not check the freshness of received message REQUEST {IDi, C4, C6}. The server calculates all of computations in Step 2 of authentication phase and sends message CALLENGE{realm, C7, Auths, r4}. Therefore, time and energy of the SIP server S is wasted.

Violation of fast error detection

In the first step of authentication phase of Zhang et al.’s scheme [48], the smart card calculates ( C2, C4, C5, C6) without verification through IDi and PWi, and sends REQUEST {IDi, C4, C6} to the server. An attacker can enter incorrect IDi and PWi, and creates denial of service attack, because the smart card doesn’t check the entered information.

5 The proposed scheme

In this section, we explain our secure and efficient proposed scheme. The proposed scheme includes three phases: (1) registration phase, (2) authentication and key agreement phase, and (3) password update phase. The used symbols in the proposed scheme are shown in the Table 2.

Table 2 The notations used in proposed scheme
Full size table

5.1 Registration phase

The server and the user perform the following steps‌. At the end of this phase, server issues a smart card to the user.

  1. Step 1:

    The user selects identity IDi, password PWi and two high-entropy random numbers ri and bi, then computes values RB and IPi as RB = hri‖ bi) and IPi = h(hIDi‖ PWiRB) mod m) where m is an integer between 28 and 216 to avoid simultaneous guess identity and password [19, 25]. Next, he/she sends {IDi, IPi, bi} to the server through a secure channel.

  2. Step 2:

    After receiving the registration request {IDi, IPi, bi}, the server calculates AiBi and NIDi as Ai = hSIDi‖ xs‖ IDsc‖ IDi), Bi = Ai ⨁ IPi and NIDi = IDi ⨁ IPi, then selects time stamp T1 and computes\( {RID}_i={E}_{x_s}\left(\ {ID}_{sc}\left\Vert\ {ID}_i\right\Vert\ {T}_1\right) \). The server stores RIDi and Bi in the smart card and forwards it through a secure channel. Also, the server saves 〈NIDi, status, bi〉 in its database. If the user is logged in, set a status bit, otherwise status = 0. Note: If the user logged out and status = 0, it is impossible that the attacker logs in, because the proposed scheme provides user anonymity and resists against password guessing attack.

  3. Step 3:

    when the user receives his/her smart card, computes Ki = Bi ⨁ riWi = h(hbi‖ PWi‖ IDi‖ IDsc) mod m), and Hi = Wi ⨁ ri. Then, he/she deletes Bi and saves {bi, Ki, Hi, IDsc } in the smart card. Finally, his/her smart card contains values {RIDi, bi, Ki, Hi, IDsc, Ekey(.)/Dkey(.), h(.) }. We suppose that database of server is secure and only the server has access to the database. The registration phase of proposed scheme is shown in Fig. 1.

Fig. 1
figure 1

Registration phase of proposed scheme

Full size image

5.2 Authentication and key agreement phase

  1. Step 1:

    In the beginning of this phase, the user inserts his/her smart card and next, enters his/her identity IDi and password PWi. Then, the smart card computes the following calculations:

$$ {W}_i^{\ast }=h\left(h\left(\ {b}_i\left\Vert {PW}_i^{\ast}\right\Vert {ID}_i^{\ast}\left\Vert {ID}_{sc}^{\ast}\right.\right)\mathit{\operatorname{mod}}\ m\right), $$
$$ {r}_i^{\ast }={H}_i\oplus {W}_i^{\ast }, $$
$$ {B}_i^{\ast }={K}_i\bigoplus {r}_i^{\ast }, $$
$$ {RB}^{\ast }=h\left({r}_i^{\ast}\left\Vert\ {b}_i\right.\right), $$
$$ {IP}_i^{\ast }=h\left(h\left({ID}_i^{\ast}\left\Vert {PW}_i^{\ast}\left\Vert {RB}^{\ast}\right.\right.\right)\mathit{\operatorname{mod}}\ m\right), $$
$$ {A}_i^{\ast }={B}_i^{\ast}\bigoplus {IP}_i^{\ast }. $$

Then, it chooses a time stamp T2 and a random number rc, calculates \( {E}_{A_i^{\ast }}\Big({A}_i^{\ast}\left\Vert {r}_c\right\Vert {T}_2\left\Vert {IP}_i^{\ast}\Big)=E\right.{A}_i \) and forwards message REQUEST {EAi, RIDi, T2} to the server via an insecure channel.

  1. Step 2:

    When the server receives the login request message REQUEST {EAi, RIDi, T2}, checks whether |T3 − T2| ≤ ∆T is true or not. If this condition holds, the server decrypts RIDi with secret key xs as \( {D}_{x_s}\left(\ {RID}_i\right)=\left({ID}_{sc}^{\ast}\left\Vert {ID}_i^{\ast}\right\Vert {T}_1\right) \). Next, it calculates \( {A}_i^{\ast }=h\left({SID}_i\left\Vert\ {x}_s\right\Vert\ {ID}_{sc}\left\Vert\ {ID}_i\right.\right) \) and decrypts EAi with \( {A}_i^{\ast } \) and extracts Airc, T2 and IPi. Then, the server compares Ai with \( {A}_i^{\ast } \), and verifies |T3 − T2 | ≤ ∆T, if these values are not equal, the session is aborted. Otherwise, the user is authenticated by the server. The server calculates NIDi = IDi ⨁ IPi, searches NIDi in its database and extracts 〈NIDi, status, bi〉, if the value of status = 1, then, the session is terminated, otherwise the server chooses a time stamp T4 and a random number rs. Afterward, it computes the following calculations and forwards a challenge message CHALLENGE {RIDi, T4, EA2}:

$$ SK=h\left({A}_i\left\Vert {r}_s\right.\left\Vert {r}_c\right.\left\Vert {IP}_i\left\Vert {b}_i\right.\right.\right), $$
$$ m=h\left({IP}_i\left\Vert {r}_c\right.\left\Vert {r}_s\right.\left\Vert SK\right.\right), $$
$$ {EA}_2={E}_{IP_i}\left({IP}_i\left\Vert {r}_c\right.\left\Vert {r}_s\right.\left\Vert {T}_4\right.\right), $$
$$ {RID_i}^{\prime }={E}_{x_s}\left({ID}_{sc}\left\Vert {ID}_i\right.\left\Vert {T}_4\right.\right). $$
  1. Step 3:

    When the user receives the challenge message at the time T5, he/she verifies |T5 − T4| ≤ ∆T is true or not. If not, the session is aborted. Otherwise, the smart card decrypts EA2 using IPi and extracts ( IPi, rc,  rs, T4). Then, it compares IPi with IPi and rc with rc. If, IPi = IPi and rc = rc, the smart card authenticates the server and calculates the session key SK and m as SK = h(AirsrcIPibi) and m = h(IPircrsSK) and replaces RIDi with RIDi. Finally, the smart card sends response message RESPONSE {m} to the server through a public channel.

  2. Step 4:

    After receiving RESPONSE {m}, the server verifies condition m =  ? m is valid or not. If the condition holds, the server updates status = 1 and agrees with the user on the session key. After computing the session key, the server changes the value of status to zero. The authentication and key agreement phase of proposed scheme is shown in Fig. 2.

Fig. 2
figure 2

Authentication and key agreement phase of proposed scheme

Full size image

5.3 Password update phase

In this phase, a legal user is able to change his/her Password, securely.

  1. Step 1:

    This step is same as the first step of authentication and key agreement phase.

  2. Step 2:

    This step is same as the second step of authentication and key agreement phase.

  3. Step 3:

    When the user receives challenge message at the time T5, he/she verifies |T5 − T4| ≤ ∆T is true or not. If not, the session is aborts. Otherwise, the smart card decrypts EA2 using IPi and extracts (IPi, rc,  rs, T4). Then, it compares IPi with IPi and rc with rc. If, IPi = IPi and rc = rc, the smart card authenticates the server and calculates SK = h(AirsrcIPibi). Then, the smart card requests the user to enter his/her new password PWinew, and calculates values (IPinew, Binew, Winew, Kinew, Hinew, NIDinew) as following:

$$ {IP_i}^{new}=h\left(h\left(\ {ID}_i\left\Vert {PW_i}^{new}\right\Vert RB\right)\mathit{\operatorname{mod}}\ m\right), $$
$$ {B_i}^{new}={B_i}^{old}\oplus {IP_i}^{old}\oplus {IP_i}^{new}, $$
$$ {W_i}^{new}=h\left(h\left(\ {b}_i\left\Vert {PW_i}^{new}\right\Vert\ {ID}_i\left\Vert\ {ID}_{sc}\right.\right)\mathit{\operatorname{mod}}\ m\right), $$
$$ {K_i}^{new}={B_i}^{new}\oplus {r}_i, $$
$$ {H_i}^{new}={W_i}^{new}\oplus {r}_i, $$
$$ {NID_i}^{new}={ID}_i\oplus {IP_i}^{new}. $$

Finally, the smart card replaces ( Ki, Hi) with ( Kinew, Hinew), respectively, and encrypts ( biNIDinew) with SK as ESKbiNIDinew) = ESK. Next, it sends ESK to the server.

  1. Step 4:

    The server decrypts ESK, with SK and extracts ( biNIDinew). Then, it searches bi in its database, extracts 〈NIDi, status, bi〉 and replaces NIDi with NIDinew in the database.

6 Security analysis

6.1 Informal security analysis

Anonymity

In REQUEST, CHALLENGE and RESPONSE messages, identity of user will not be sent plain to the server. Also, if the attacker steals/finds smart card of user and extracts its stored information as {RIDi, bi, Ki, Hi, IDsc, Ekey(.)/Dkey(.), h(.)},and interrupts the login request message REQUEST {EAi, RIDi, T2}, the challenge message CHALLENGE {RIDi, T4, EA2}, and response message RESPONSE {m}, he/she is not able to acquire identity of user IDi.

$$ {RID}_i={E}_{x_s}\left(\ {ID}_{sc}\left\Vert\ {ID}_i\right\Vert\ {T}_1\right), $$
$$ {EA}_i={E}_{A_i^{\ast }}\Big({A}_i^{\ast}\left\Vert {r}_c\right\Vert {T}_2\left\Vert {IP}_i\Big)\right., $$
$$ {EA}_2={E}_{IP_i}\left({IP}_i\left\Vert {r}_c\right.\left\Vert {r}_s\right.\left\Vert {T}_4\right.\right), $$
$$ {RID_i}^{\prime }={E}_{x_s}\left({ID}_{sc}\left\Vert {ID}_i\right.\left\Vert {T}_4\right.\right), $$
$$ {m}^{\ast }=h\left({IP}_i\left\Vert {r}_c\right.\left\Vert {r}_s\right.\left\Vert SK\right.\right). $$

For obtaining identity of user, IDi, the attacker needs to have secret key of the server xs, whereas secret key of the server xs has been kept securely by the server, therefore, anonymity of user is preserved.

Perfect forward secrecy

If user’s password PWi and server’s secret key xs is disclosed, without knowing random numbers rsrc and bi, the attacker cannot compute the session key SK = h(AirsrcIPibi). For obtaining rs and rc, the attacker should know IPi, that IPi = h(h(IDi‖ PWiRB) mod m). Since, value of RB is secret, thus, the attacker is not able to compute IPi. Therefore, the proposed scheme provides perfect forward secrecy. Also, the attacker has no way to find the value of ri.

Known-key secrecy

Since the session key is equal to SK = h(AirsrcIPibi) and random numbers rs and rc are generated randomly and different to selected random numbers in the other sessions, and also, random numbers rs and rc are not related to selected random numbers in previous sessions, even if the session key is disclosed, the attacker is not able to compute other session keys.

Session key security

In our proposed scheme, only the user and the server know the session key. Whereas, the attacker is not able to calculate bi, Ai and IPi, therefore, he/she cannot obtain random numbers rs and rc, and cannot compute the session key.

Known-session-specific temporary information attack

If session random numbers rsrc and bi are unexpectedly revealed to the attacker, he/she is not able to compute session key SK. Because the attacker cannot calculate IPi and Ai. Since, the attacker doesn’t know secret key of the server xs, user’s password PWi and identity of user IDi, the proposed scheme is robust against known-session-specific temporary information attack.

Offline guessing attack

In our proposed scheme, if the attacker interrupts REQUEST, CHALLENGE and RESPONSE messages, he/she acquires following values.

$$ {RID}_i={E}_{x_s}\left(\ {ID}_{sc}\left\Vert\ {ID}_i\right\Vert\ {T}_1\right), $$
$$ {EA}_i={E}_{A_i^{\ast }}\Big({A}_i^{\ast}\left\Vert {r}_c\right\Vert {T}_2\left\Vert {IP}_i\Big)\right., $$
$$ {EA}_2={E}_{IP_i}\left({IP}_i\left\Vert {r}_c\right.\left\Vert {r}_s\right.\left\Vert {T}_4\right.\right), $$
$$ {RID_i}^{\prime }={E}_{x_s}\Big({ID}_{sc}\left\Vert {ID}_i\right.\left\Vert {T}_4\Big),\right. $$
$$ {m}^{\ast }=h\left({IP}_i\left\Vert {r}_c\right.\left\Vert {r}_s\right.\left\Vert SK\right.\right). $$

According to IPi = h(hIDi‖ PWiRB) mod m), for calculating user’s password, the attacker should know IPi, because the attacker does not aware Ai and Bi (IPi = Ai ⨁ Bi), he/she is not able to compute IPi. So, using any of aforementioned messages, the attacker cannot acquire password of user.

Whereas stored parameters in the smart card are {RIDi, bi, Ki, Hi, IDsc, Ekey(.)/Dkey(.), h(.)}, even if the attacker finds/steals smart card, he/she is not able to find PWi. Also, in our presented scheme, to avoidance guessing two parameters PWi and IDi, we use mod m which 28 < m < 216.

User impersonation attack

If the attacker wants to impersonate user and send a reliable REQUEST and RESPONSE messages to the server. He/she needs to calculate valid EAi and m. To compute a valid EAi, the attacker should obtain PWiIDi and RB. But, these values are kept securely by the user. Also, to calculate a valid m, the attacker should know IPirsrc, and SK. The attacker is not able to acquire session key SK and he/she does not know selected random numbers by the server, rs, and the user, rc.

Server impersonation attack

If the attacker wants to forge the server, he/she should produce a valid challenge message as {RIDi′∗, T4, EA2}. To compute a valid EA2 and RIDi′∗, the attacker should know IPi and the random number generated by the user as rc. Since the attacker is not able to detect PWi and IDi, also, he/she doesn’t know secret key of server, xs, and RB, thus the attacker cannot impersonate the server. Therefore, the proposed scheme resists against impersonation attacks.

Stolen-verifier attack

In our presented scheme, neither password nor secret key of the server xs are stored in the server’s database. Therefore the attacker can not retrieve the verification information.

Denning-sacco attack

In this attack, the attacker tries to find a long term private key e.g. user’s password or other session keys through obtained old session key. In the proposed scheme, if the attacker acquires old session key, he/she cannot retrieve user’s password, server’s secret key or other session keys. Because, the session key is equal to SK = h(AirsrcIPibi) that random numbers rs and rc are chosen by the server and the user, randomly. So, the attacker cannot detect other session keys using an old session key. Hence, the proposed scheme can resist against denning-sacco attack.

Replay attack

Assume an attacker A, replays the old message REQUEST{EAi, RIDi, T2} to the server. In our scheme, the server will find out that this message is repetitive and old. At first, the server verifies|T3 − T2| ≤ ∆T, and if this condition is not true, the session terminates. Even if the attacker changes T2 with current time \( {T}_2^{\ast } \) and sends \( \left\{{EA}_i,{RID}_i,{T}_2^{\ast}\right\} \) to the server, the server is able to distinguish that the message is old. The server computes \( {A}_i^{\ast } \), decrypts EAi with \( {A}_i^{\ast } \) and compares \( {T}_2^{\prime } \) with T3, (\( {T}_2^{\prime } \) extracts from decryption EAi). Since the attacker is not able to calculate new EAi with current time\( {T}_2^{\ast } \), so\( \left|{T}_3-{T}_2^{\prime}\right|\nleqq \Delta T \), our proposed scheme is resist against replay attack.

Privileged insider attack

Assume an insider obtains the registration information {IDi, IPi, bi} from the registration request message. The insider needs to obtain bi and ri to guess the user’s password, but, bi and ri are random selected numbers by the legal user and they are high entropy. Hence, insider user of the server is not able to guess bi and ri during a polynomial time. As a result, our scheme is secure against privileged insider attack.

6.2 Formal security analysis using AVISPA tool

We prove security of our proposed scheme by means of AVIPSA tool [3]. The two widely-accepted back-ends, OFMC and CL-AtSe are selected for the execution tests and a bounded number of sessions model checking. For verification whether the replay attack is possible, these back-ends check whether the legitimate agents can execute the specified protocol by performing a search of a passive intruder. The back-ends then provide the intruder the knowledge of some normal sessions among the legitimate agents. For the Dolev–Yao model checking, these back-ends also verify possibility man-in-the-middle attack by the attacker. The output format contains the following sections:

  • SUMMARY shows that the proposed scheme is safe, unsafe, or whether the analysis is also inconclusive.

  • DETAILS denotes that under what condition the proposed scheme is safe, or what conditions are used to detect an attack, or why the result was inconclusive.

  • PROTOCOL, GOAL and BACKEND are other sections for the protocol name, goal of the analysis and the back-end that has been used, respectively.

  • Finally, the trace of an attack (if there is) is also presented in the standard Alice–Bob format [26]. Eventually, we simulate our scheme under OFMC and CL-AtSe back-ends using AVISPA tool.

6.2.1 Simulation results

In this section, we present the simulation results of our proposed scheme. Figs. 3 and 4 show the simulation results for the two back-ends OFMC and CL-AtSe. The results affirm that the proposed scheme is SAFE and secure against active and passive attacks, including replay attack and man-in-the-middle attack.

Fig. 3
figure 3

The simulation result of the analysis using OFMC of our proposed scheme

Full size image
Fig. 4
figure 4

The simulation result of the analysis using CL-AtSe of our proposed scheme

Full size image

6.3 Formal security proof based BAN logic

Table 3 defines the symbols that are used in the BAN logic rules and the assumptions. In this section, using the BAN logic [7], we analyze our proposed scheme to affirm the correctness of the proposed protocol. In the following, the BAN logic’s rules, assumptions, security goals, and idealized form are defined.

Table 3 The BAN notations
Full size table

Rules:

  • The message meaning rule: \( \frac{P\mid \equiv P\overset{K}{\leftrightarrow }Q,P\vartriangleleft {\left\{X\right\}}_K}{P\mid \equiv Q\mid \sim X}. \)

  • The freshness rule: \( \frac{P\mid \equiv \#(X)}{P\mid \equiv \#\left(X,Y\right)} \).

  • The nonce verification rule: \( \frac{P\mid \equiv \#(X),P\mid \equiv Q\mid \sim X}{P\mid \equiv Q\mid \equiv X} \).

  • The jurisdiction rule: \( \frac{P\left|\equiv Q\right|\Longrightarrow X,P\left|\equiv Q\right|\equiv X}{P\mid \equiv X} \).

  • The belief rule: \( \frac{P\mid \equiv (X),P\mid \equiv (Y)}{P\mid \equiv \left(X,Y\right)} \).

Assumptions:

  • A1: \( {U}_i\mid \equiv \left({U}_i\overset{A_i}{\leftrightarrow }S\right) \).

  • A2: \( S\mid \equiv \left(S\overset{A_i}{\leftrightarrow }{U}_i\right) \).

  • A3: Ui ∣  ≡  ⋕ (rc).

  • A4: Ui ∣  ≡  ⋕ (T2).

  • A5: S ∣  ≡  ⋕ (rs).

  • A6: S ∣  ≡  ⋕ (T4).

  • A7: \( {U}_i\mid \equiv S\Longrightarrow \left({U}_i\overset{SK}{\leftrightarrow }S\right) \).

  • A8: \( S\mid \equiv {U}_i\Longrightarrow \left({U}_i\overset{SK}{\leftrightarrow }S\right) \).

  • A9: \( {U}_i\mid \equiv \left({U}_i\overset{IP_i}{\leftrightarrow }S\right) \).

  • A10: \( S\mid \equiv \left(S\overset{IP_i}{\leftrightarrow }{U}_i\right) \).

  • A11: \( {U}_i\mid \equiv \left({U}_i\overset{b_i}{\leftrightarrow }S\right) \).

  • A12: \( S\mid \equiv \left(S\overset{b_i}{\leftrightarrow }{U}_i\right) \).

Goals:

  • Goal1: \( {U}_i\mid \equiv \left({U}_i\overset{SK}{\leftrightarrow }S\right) \) .

  • Goal2: \( S\mid \equiv \left({U}_i\overset{SK}{\leftrightarrow }S\right) \).

Idealized form:

  • Message1: \( {U}_i\to S:\left({\left\{{A}_i,{r}_c,{T}_2,{IP}_i\right\}}_{A_i},{\left\{{ID}_{sc},{ID}_i,{T}_1\right\}}_{x_s},{T}_2\right) \).

  • Message2: \( S\to {U}_i:\left({\left\{{ID}_{sc},{ID}_i,{T}_4\right\}}_{x_s},{T}_4,{\left\{{IP}_i,{r}_c,{r}_s,{T}_4\right\}}_{IP_i}\right) \).

  • Message3: \( {U}_i\to S:\left({\left({r}_c,{r}_s,{U}_i\overset{SK}{\leftrightarrow }S\right)}_{IP_i}\right) \).

According to the BAN logic rules and the assumptions, the idealized form of the proposed scheme are analyzed as follows:

Based on the message1, we can achieve the following:

  • R1) \( S\vartriangleleft \left({\left\{{A}_i,{r}_c,{T}_2,{IP}_i\right\}}_{A_i},{\left\{{ID}_{sc},{ID}_i,{T}_1\right\}}_{x_s},{T}_2\right) \)

According to the assumption A2, after exerting the message meaning rule to R1, we can conclude R2:

  • R2) S ∣  ≡ Ui ∣ ~ (Ai, rc, T2, IPi).

Based on the message2, we can derive R3:

  • R3) \( {U}_i\vartriangleleft \left({\left\{{ID}_{sc},{ID}_i,{T}_4\right\}}_{x_s},{T}_4,{\left\{{IP}_i,{r}_c,{r}_s,{T}_4\right\}}_{IP_i}\right) \).

Based on assumption A9, after applying the message meaning rule to R3, we can conclude R4:

  • R4) Ui|≡S|~(IPi, rc, rs, T4).

According to A3, after applying the nonce verification rule to R4, we can derive R5:

  • R5) Ui|≡S| ≡ (IPi, rc, rs, T4).

Based on R5, assumptions A2, A12, and session key SK = h(AirsrcIPibi), R6 is concluded:

  • R6) \( {U}_i\mid \equiv S\mid \equiv \left({U}_i\overset{SK}{\leftrightarrow }S\right) \).

According to assumption A7, we apply the jurisdiction rule to R6 and we can conclude the goal1:

  • R7) \( {U}_i\mid \equiv \left({U}_i\overset{SK}{\leftrightarrow }S\right).\left(\mathrm{Goal}1\right) \)

Based on the message3, we can achieve R8:

  • R8) \( S\vartriangleleft \left({\left({r}_c,{r}_s,{U}_i\overset{SK}{\leftrightarrow }S\right)}_{IP_i}\right) \).

According to assumption A10, we apply the message meaning rule to R8, and derive R9:

  • R9) \( S\mid \equiv {U}_i\mid \sim \left({r}_c,{r}_s,{U}_i\overset{SK}{\leftrightarrow }S\ \right) \).

Based on A5, after applying the nonce verification rule to R9, R10 is retrieved as follow:

  • R10) \( S\mid \equiv {U}_i\mid \equiv \left({r}_c,{r}_s,{U}_i\overset{SK}{\leftrightarrow }S\kern0.5em \right) \).

We apply the belief rule on R10 and can obtain R11:

  • R11) \( S\mid \equiv {U}_i\mid \equiv \left({U}_i\overset{SK}{\leftrightarrow }S\right) \).

According to assumption A8, after applying the jurisdiction rule to R11, we can achieve to goal2:

  • R12) \( S\mid \equiv \left({U}_i\overset{SK}{\leftrightarrow }S\right).\left(\mathrm{Goal}2\right) \)

7 Analysis of performance and features

The notations Thf, Tmu, Tad, Ten/d, Tmm, Tinv are considered to show the computing complexity of one-way hash function, performing the scalar multiplication operation of elliptic curve, a point addition operation of elliptic curve, performing symmetric encryption/decryption and the modular multiplication and modular inversion, respectively. Due to the low computation cost of concatenation (||) and XOR operation, their cost is not considered. According to [2, 40], execution time of Thf, Tmu, Tad, Ten/d, Tmm, Tinv are 0.0004 ms, 7.3529 ms, 0.009 ms, 0.1303 ms, 0.0147 ms, and 0.1032 ms, respectively.

The computation costs of recent protocols including the registration, authentication, and key agreement phases for clients and server are represented in Table 4.

Table 4 Computation cost comparison between recent protocols and proposed protocol
Full size table

As it is shown in Table 4 and Fig. 5, our proposed scheme comes third in terms of computation cost. The protocol of Chaudhry et al. [8] has the least calculation costs but Chaudhry et al.’s scheme [8] and Nikooghadam et al.’s scheme [28] do not provide the perfect forward secrecy security requirement.

Fig. 5
figure 5

Comparison of execution time between our proposed protocol and other protocols

Full size image

According to [40], communication costs for sending identity IDi is considered to be 160 bits, for timestamp 32-bits, for symmetric encryption and decryption operations is 128-bits, elliptic curve point multiplication and output hash function are 320 bits and 160 bits, respectively.

According to the Table 5, in the login phase of our proposed scheme, three messages will be sent. Communication cost of our proposed scheme based on the given aforementioned numbers is:

  • The sending request: \( \left\lceil \frac{160+128}{128}\ \right\rceil \)*128+ \( \left\lceil \frac{160+128}{128}\ \right\rceil \)*128 + 32 = 800 bits.

  • The sending challenge: 32+ \( \left\lceil \frac{160+128}{128}\ \right\rceil \)*128+ \( \left\lceil \frac{160+128}{128}\ \right\rceil \)*128 = 800 bits.

  • The sending response: 160 bits.

Table 5 Communication costs comparison between recent protocols and proposed protocol
Full size table

According to the performed computation, the cost of communication in our proposed protocol is 1760 bits. Communication costs of the other protocols are calculated in the same way and given in Table 5.

Although the communication cost of the proposed protocol in comparison with schemes [8, 9, 20, 28, 41, and] is increased, the schemes [9] and [41] are vulnerable against known session specific temporary information attack and ignore re-registration and revocation, scheme [20] is vulnerable against ignoring re-registration and revocation, schemes [8] and [28] do not provide the perfect forward secrecy. As shown in Table 5, this additional communication cost provides all security aspects that are provided by the proposed scheme.

The performed analysis of the recent protocols are presented in Table 6. As it can be observed in Table 6, our suggested protocol is resistant to all of the attacks and provides security requirements such as perfect forward secrecy and known key secrecy. Moreover, the user anonymity is provided in our presented protocol. Therefore, our proposed scheme is a secure scheme with reasonable cost among all latest authentication schemes.

Table 6 Functionality comparison between recent protocols and proposed protocol
Full size table

8 Conclusion

In this paper, we first investigate the security weaknesses in the represented protocols by Chaudhry et al., Nikooghadam et al. and Zhang et al. As it was investigated, the presented protocols by Chaudhry et al. and Nikooghadam et al. do not provide the perfect forward secrecy and the represented protocol by Zhang et al. does not resist against the replay attack, known session-specific temporary information attack and also, does not provide user anonymity, fast error detection and ignores re-registration and revocation. Therefore, in order to resolve the mentioned security flaws, we present an authentication and key agreement scheme based on password and smart card. Then, the presented protocol is analyzed formally and informally. Security verifications show security of the proposed protocol against various attacks. Informal proof shows that the presented scheme provides significant security requirements. Then, we show that the presented scheme has low calculating costs as it does not use expensive operators in elliptic curve including multiplication on elliptic curve. Thus, we present an efficient scheme that it provides security and has low computation and communication costs, therefore, this is an efficient and secure scheme for VoIP.