1 Introduction

With the advancement and rapid growth of the information and communication technologies, it has brought us not only advantages of life, but also risks and challenges. In wireless communications system, the mobile users(MU) can obtain the service supplied by its home agent (HA) whenever they roam to a foreign agent(FA). To achieve identity authentication, FA needs assistance of the MU’s HA [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18] . Generally, a secure user authentication scheme for wireless communications should meet a series of requirements [4], such as user anonymity, low communication cost and computational complexity, single registration, updating session key periodically, etc.

In order to achieve secure and effective mutual authentication and privacy protection in wireless communications, a lot of anonymous authentication protocols have been published [1,2,3,4,5,6,7,8, 13,14,15,16,17,18,19,20]. Zhu and Ma [5] proposed the first authentication scheme for wireless environments in 2004. Later, Lee et al. [6] pointed that Zhu-Ma’s scheme had many shortcomings, such as cannot provide strong backward secrecy and authenticate each other, and then, they put forward an authentication scheme which fixed these security drawbacks. Subsequently, in 2008, Chang et al. [2] and Wu et al. [7] indicated that Lee et al.’s scheme cannot achieve user anonymity, and an adversary can join the same HA to get other users’ identities. They put forward an improvement scheme to remedy this weakness. But their scheme also cannot protect user’s privacy and vulnerable to other several weakness (i.e., replay attack and impersonation attack) [3, 12].

In 2012, Li and Lee [8] found that He et al.’s scheme [3] has three drawbacks: lacks of user friendliness; fails to achieve user anonymity; and unfairness in key agreement. Meanwhile, Xiong et al. [21] also showed that the scheme in [12] has some flaws. Additionally, they put forward their own improvement schemes respectively. Unfortunately, in 2013, Das [4] proved the scheme of Li and Lee [8] has some security issues in login, authentication and password change phases. Further, Das et al. proposed a novel scheme to withstand the weaknesses of Li and Lee’s scheme. But in 2014, Wen et al. [14] and Hu et al. [13] discovered that Das et al.’s scheme is still vulnerable to impersonation attack and offline password guessing attack respectively, then they presented the enhanced schemes to overcome the flaws.

In 2015, Farash et al. [15] presented a lightweight authentication scheme with anonymity, which is improved on Shin et al’s scheme [16] and Wen et al.’s scheme [17]. But Chung et al. [18] found their scheme cannot provide user anonymity, authentication and password replacement. At the same year, Djellali et al. [19] put forward an authentication scheme based on Markov chain and claimed their scheme provides both user anonymity and mutual authentication. Later on, Kang et al. [22] analyzed the security of Djellali et al. ’s scheme, and exhibited that their protocol cannot prevent insider attack, offline-password guessing attack, impersonation attack and replay attack. In 2016, Jiang et al. [20] proposed a three-factor authentication protocol for e-health clouds. But then Irshad and Chaudhry [23] found that Jiang et al.’s scheme is subject to denial of service(DoS) attack.

Table 1 Notations used in this paper
Full size table

Recently, Niu and Li [9] analysed the authentication protocol of Yoon et al. [10] and indicated that Yoon et al.’s scheme is not secure due to some security defects, such as unfair in key agreement and unable to protect user anonymity. Then they put forward an novel user authentication scheme for wireless environments on account of elliptic curve cryptosystem (ECC) [24], they claimed that the improved scheme had several excellent features, including achieving user anonymity, providing mutual authentication, security of session key exchanging and the ability to resist some known attacks like offline password-guessing attack, forgery attack and so on. However, we found Niu et al.’s scheme also had some significant security vulnerabilities and cannot prevent some known attacks.

The contributions of this paper are three points. Firstly, through careful analysis, we show that Niu et al.’s protocol is still insecure because of the following four security weaknesses in it:

  1. (1)

    Niu et al.’s scheme unable to provide secure authentication at login phase.

  2. (2)

    Niu et al.’s scheme unable to resist replay attack. A hostile FA can impersonate MU by forwarding the MU’s login request to another foreign agent.

  3. (3)

    Niu et al.’s scheme unable to work when large number of MU s visit a FA simultaneously. The FA will not be able to distinguish the MUs when lots of MUs visit a FA simultaneously.

  4. (4)

    Niu et al.’s scheme unable to resist the potential DoS attack. If an attacker stolen the smart card or device, the DoS attack can be easily launched by generating a lot of redundant messages to FA and HA.

Secondly, we present an enhanced secure and effective authentication protocol with anonymity for wireless communications to address the above problems. Considering the limited power and resources of mobile users, our scheme makes use of some low-cost functions(i.e. ECC, hash, XOR), hence it has high computational efficiency compared with previous schemes. The proposed scheme not only enjoys many merits from Niu et al.’s scheme like user anonymity, resistance of some known attacks, no verification table, timestamp verification and so on, but also improve it in security and DoS resistance. In other words, the proposed scheme protects the user’s privacy and provides mutual authentication, perfect forward secrecy and counters against off-line password guessing, impersonation, replay, and other known attacks.

Thirdly, we put forward a new method to effectively prevent DoS attack. Because the three-party roaming protocols demand the FA forward all login messages to HA unconditionally, the adversary can easily launch DoS attack on HA and FA. In this paper, an efficient way to address this issue was offered and its feasibility was approved. Additionally, further analysis also indicates that our protocol can successfully resist various well-known attacks and really applicable to mobile environment.

The structure of the rest of the paper is as follows. Section 2 provides a simply review and analysis of Niu et al.’s scheme. In Sect. 3, we describe the details of our improved scheme, which is then analyzed in Sect. 4. Next, we compare the performance and functionality of the new scheme with previous works in Sect. 5. Finally, we draw some conclusion in Sect. 6.

2 Review and Analysis of the Niu et al.’s Scheme

2.1 Review of the Scheme of Niu et al.

We first simply review Niu et al.’s scheme [9] before giving a description of its drawbacks. Table 1 lists some symbols used throughout in Niu et al.’s scheme. Their protocol have following entities: a mobile user MU, a home agent HA of MU and a visited foreign agent FA. The operation process of the scheme include three different phases: the registration phase, the authentication phase, and the session key update phase.

Fig. 1
figure 1

Registration phase of Niu’s scheme

Full size image

2.1.1 Registration Phase

When visiting a foreign agent FA, the MU requires registration to his/her home agent HA before obtaining the service provided by FA, the handshake is described in Fig. 1. The registration process of Niu et al.’s protocol is as follows:

  • Step R1 MU randomly chooses an identity \(ID_{MU}\), password \(PW_{MU}\) and a number \(r_{n}\). Next the MU sends the message \(\{ID_{MU}, h(r_{n} \parallel PW_{MU})\}\) to HA via a secure channel.

  • Step R2 When receiving \(\{ID_{MU}, h(r_{n} \parallel PW_{MU})\}\) from MU, the HA generates a strong secret key x and caculates \(X=xp, u=h( ID_{MU} \parallel x) \oplus h(r_{n} \parallel PW_{MU})\).

  • Step R3 HA delivers a smart card, which includes \(\{ID_{HA}, X, u, h()\}\), to MU through a secure channel.

  • Step R4 MU puts the received smart card into mobile device and enters \(r_{n}\) into it.

2.1.2 Authentication and Establishment of Session Key Phase

When a mobile user MU roams to a foreign agent(FA), the MU needs to be authenticated by FA with the help of its HA as well as verifies the validity of FA. The detail process of this phase in Niu et al.’s scheme is shown in Fig. 2.

Fig. 2
figure 2

Authentication and establishment of session key phase of Niu et al.’s scheme

Full size image

  • Step L1 The MU enters the \(ID_{MU}\) and \(PW_{MU}\) into its mobile device.

  • Step L2 The smart card in the mobile device randomly generates a number \(a \in Z_{n}^{*}\) and calculates \(A=aP, D=aX=axP, SID=ID_{MU} \oplus h(D \parallel T_{MU}), E=u \oplus\,h(r_{n} \parallel PW_{MU}), C_{1}=h(E \parallel D)\).

  • Step L3 The MU generates a timestamp \(T_{MU}\) and submits the login request message \(\{A, SID, C_{1}, T_{MU}, ID_{HA}\}\) to FA.

  • Step L4 When FA receives the login request from MU, it validates the message first. If the timestamp \(T_{MU}\) is in the allowable range, FA saves the received information and produces a timestamp \(T_{FA}\) and a random number \(b\in Z_{n}^{*}\). Then, FA calculates \(B=bP\) and the signature \(Sig_{FA}=S_{S_{FA}}(h(A \parallel SID \parallel C_{1} \parallel T_{MU} \parallel B \parallel T_{FA}))\) using its private key \(S_{FA}\).

  • Step L5 FA submits \(\{A, SID, C_{1}, T_{MU}, B, Cert_{FA} , Sig_{FA}, T_{FA}\}\) to HA, where \(Cert_{FA}\) is FA’s certificate.

  • Step L6 Once the message is received by HA, the HA first validate the certificate \(Cert_{FA}\) and the timestamp \(T_{FA}\). If they are valid, HA can perform authentication to FA through the signature \(Sig_{FA}\) using FA’s public key \(P_{FA}\). Next, HA computes \(D'=xA=xaP, ID'_{MU}=SID \oplus h(D' \parallel T_{MU})\) and gets MU’s real identity, and checks if the \(ID'_{MU}\) is valid. If it is, HA calculates \(E'=h(ID'_{MU} \parallel x), C'_{1}= h(E' \parallel D')\), and compares \(C'_{1}\) with \(C_{1}\). If the two values are the same, HA considers MU as legal user, then HA gets current timestamp \(T_{HA}\) and computes \(C_{2}=h(E' \parallel B), Sig_{HA}=S_{S_{HA}}(h(C_{2} \parallel T_{HA}))\), and then HA sends the message \(\{C_{2}, Cert_{HA}, Sig_{HA}, T_{HA}\}\) to FA.

  • Step L7 When FA receives the information from HA, it verifies the certificate \(Cert_{HA}\), timestamp \(T_{HA}\) and \(Sig_{HA}\). If both of them are valid, FA puts the timestamp and others information into a temporary certificate \(Tcert_{MU}\). Then, FA calculates \(sk=h(bA)=h(abP)\) as the session key and \(C_{3}=(Tcert_{MU} \parallel B \parallel C_{2})_{sk}\). After that, FA sends \(\{C_{3}, B\}\) to MU.

  • Step L8 When the message from FA is received, the MU decrypts \(C_{3}\) using computed session key \(sk=h(aB)=h(abP)\) and obtains \(Tcert_{MU}, B\) and \(C'_{2}\), then MU computes \(C_{2}=h(E \parallel B)\) and compares \(C_{2}\) with \(C'_{2}\), if the two values are equal, MU can confirm that FA is authenticated by HA, so MU and FA can safely communicate with each other through the session key sk.

2.1.3 Update Session Key Phase

If a MU always stay in a same FA, the session key between the MU and the FA need to be regularly update for reasons of safety. Their ith session key \(sk_{i}(i=2,\ldots ,n)\) can be updated as follows. We demonstrate this phase in Fig. 3.

Fig. 3
figure 3

Update session key phase of Niu’s scheme

Full size image

produces a timestamp

  • Step U1 MU randomly selects a number \(a_{i} \in Z_{n}^{*}\) and computes \(A_{i}=a_{i}P(i=2,\ldots ,n)\). Next, MU sends \(A_{i}\) to FA.

  • Step U2 FA also randomly chooses a number \(b_{i} \in Z_{n}^{*}\) and computes \(B_{i}=b_{i}P(i=2,\ldots ,n)\). Then, FA calculates \(sk_{i}=h(b_{i}A_{i})=h(a_{i}b_{i}P)\) and \(V_{i}=h(a_{i}b_{i}P \parallel a_{i-1}b_{i-1}P)\) which \(sk_{i}\) is a new session key. After that, FA submits \(\{B_{i}\) , \(V_{i}\}\) to MU.

  • Step U3 After receiving message \(\{B_{i}, V_{i}\}\) from FA, the MU computes \(V'_{i}=h(a_{i}B_{i} \parallel a_{i-1}B_{i-1})=h(a_{i}b_{i}P \parallel a_{i-1}b_{i-1}P)\) and checks if \(V'_{i}\) and \(V_{i}\) are the same. If so, MU computes the new session key \(sk_{i}=h(a_{i}B_{i})=h(a_{i}b_{i}P)\) by using the received \(B_{i}\) and replaces old session key \(sk_{i-1}\) with new session key \(sk_{i}\).

2.2 Weaknesses in the Scheme of Niu et al.

Although Niu et al. presented an improved protocol of Yoon et al.’s scheme, we show that there are still some shortcomings and deficiencie in their scheme. The detail is as follows:

2.2.1 Niu et al.’s Scheme Unable to Achieve Secure Authentication at Login Phase

In Niu et al.’s scheme, the MU needs to input its identity and password into the mobile device for access services when he/her first visits a foreign network. However, we notice that both the inputed identity and password are not to be checked by smart card in the mobile device. That means even if the MU careless inputs wrong login information, their scheme still carry on the login and authentication process. Eventually, the HA will verify that the MU is illegal and terminates the authentication phase in step L6. The step L2 to L6 are unnecessarily operations and result in extra communication and computational costs.

One possible solution to the problem is that the MU’s entered information (i.e. \(ID_{MU}\) and \(PW_{MU}\)) should be verified in the early stages of the login phase. Then it can avoid the additional computational and communication overhead in the login phase. Finally, because of this information verfication problem, Niu et al.’s scheme unable to achieve secure authentication at login phase.

2.2.2 Niu et al.’s Scheme Unable to Resist Replay Attack

Suppose a mobile user \(MU_{i}\) visits a new foreign agent \(FA_{j}\) and sends a login message to it, a hostile \(FA_{j}\) can impersonate this mobile user through replaying its login information to access the services from other foreign network like \(FA_{j+1}\).

The detailed steps for the above problem is discussed below. Suppose a \(MU_{i}\) submits login request message \(\{A, SID, C_{1}, T_{MU}, ID_{HA}\}\) to \(FA_{j}\). After receiving the information, the \(FA_{j}\) impersonates \(MU_{i}\) to forward \(MU_{i}\)’s login request to another foreign agent \(FA_{j+1}\). Since the login request does not include the sender’s information, the \(FA_{j+1}\) would consider that this is a message from a mobile user rather than a foreign network. The message will always be maliciously used by \(FA_{j}\) in its lifetime of the timestamp \(T_{MU}\), then \(FA_{j}\) and \(FA_{j+1}\) send the same message to HA respectively in the same time threshold. Next, \(FA_{j}\) generates two session keys for \(MU_{i}\) and \(FA_{j+1}\) which the values of the two session keys are the same and equal \(sk=h(abP)\). In update session key phase, \(FA_{j}\) can also computes the same session key \(k_{i}\) as \(MU_{i}\)’s session key at ith session. Finally, Niu et al.’s scheme unable to resist replay attack even if they have adopted the timestamp.

Note the \(FA_{j+1}\) will find that it is under the relay attack only the information transportation time exceeds the preset lifetime. But choosing a proper timestamp’s lifetime is a difficult work in some real environments, so we should take this security issue into account.

2.2.3 Niu et al.’s Scheme Unable to Complete Login and Authentication Phase When Large Number of MUs Visit a FA Simultaneously

In Niu et al.’s scheme, suppose that in a short time interval, there are large number of mobile users from a same home agent, say \(HA_{i}\), roam to a foreign agent, say \(FA_{j}\), and send login request messages to \(FA_{j}\) for accessing service at the same time. The \(FA_{j}\) passes all access request messages to their home agent, \(HA_{i}\), and then \(HA_{i}\) verify these messages and generates the reply message \(\{C_{2}, Cert_{HA}, Sig_{HA}, T_{HA}\}\) for every login request message. Next, the \(HA_{i}\) sends these reply messages to \(FA_{j}\) in a short time interval. Note that every reply message \(\{C_{2}, Cert_{HA}, Sig_{HA}, T_{HA}\}\) does not contain any information about MU, that result in the \(FA_{j}\) cannot establish the one to one correspondence relation between reply messages and MUs when receiving so many reply messages from \(HA_{i}\). Finally, the Niu et al.’s scheme cannot work in this circumstance.

2.2.4 Niu et al.’s Scheme Unable to Prevent the Potential DoS Attack

When a MU wants to get the service of a FA, the MU should submits the login request message \(\{A, SID, C_{1}, T_{MU}, ID_{HA}\}\) to FA first. Because the timestamp \(T_{MU}\) and the number a are constantly changing, the information \(\{A, SID, C_{1}, T_{MU}\}\) are also different in every login request message. Then the FA does not verify the login message and directly forward it to HA. So if the smart card gets viruses or malicious using by attacker, it can launch DoS attack by generating large number of illegal login request messages to FA and HA. That will rapidly run out of the resources of FA and HA and force them to stop providing services to legitimate MUs.

3 Our Proposed Scheme

In this section, we propose an improvement user authentication scheme for roaming environment on account of the security of elliptic curve cryptosystem(ECC). The proposed scheme fixes the vulnerabilities and security weaknesses pointed out in Niu et al.’s scheme while remaining its advantages. The new scheme has four phases: the initialization phase, the registration phase, the authentication and session key establishment phase, and the update session key phase. Table 1 lists the notations and corresponding description used in our scheme.

3.1 Preliminaries

In this section, we will review some basic knowledge of elliptic curve cryptosystem(ECC). More details of ECC refer to [24].

3.1.1 Elliptic Curve Cryptosystem

Comparing with other non-ECC cryptography, ECC requires a smaller key size and less time to achieve equivalent security. The equation \(E_{P}(a,b): y^{2} \equiv x^{3} + ax + b\)(mod p) over the prime finite field \(F_{p}^{*}\) is defined to be elliptic curve equation, where p is a big prime number, \(a,b \in F_{p}^{*}\) and \(4a^{3} + 27b^{2} \ne 0\) (mod p). All the points \((x,y) \in F_{p}^{*} \times F_{p}^{*}\) satisfying the equation \(E_{P}(a,b)\) make up an elliptic curve. The point multiplications kP over \(E_{P}(a,b)\) is defined as \(k \cdot P= P+P+\ldots +P\)(k times), where \(k \in F_{p}^{*}, P \in E_{P}(a,b)\).

3.1.2 Related Cryptographic Assumptions

We suppose that the following difficult problems cannot be solved in polynomial time.

  1. (1)

    elliptic curve discrete logarithm problem(ECDLP): Given two points \(P,Q \in E_{P}(a,b)\),it is hard to search an integer \(k \in F_{p}^{*}\) such that \(Q = k \cdot P\)

  2. (2)

    elliptic curve computational Diffie-Hellman problem(ECDHP): Given three points \(P, kP, mP \in F_{p}^{*}\), it is hard to calculate kmP over \(E_{P}(a,b)\)

3.2 Initialisation Phase

The process of initialization phase is the following: First, HA randomly selects an elliptic curve equation \(E_{P}(a,b)\) and a base point P with the order n over \(E_{P}(a,b)\), and releases the information \(\{E_{P}(a,b), n, P\}\) as its public parameters. Then the HA and the FA generates their public and private key pair respectively. Suppose that the private key of HA and FA are \(S_{HA} \in Z_{n}^{*}\) and \(S_{FA} \in Z_{n}^{*}\), and the corresponding public key are \(P_{HA}=S_{HA}P\) and \(P_{FA}=S_{FA}P\). Afterwards, each HA and FA should publish its certificate \(Cert_{HA}\) and \(Cert_{FA}\). These published certificates must pass the authentication by a trusted Certificate Authority(CA).

3.3 Registration Phase

When a roaming mobile user MU wants to gain the services of a foreign network, the MU needs to register to his/her home agent HA first.

The registration process between MU and HA is depicted in Fig. 4.

  • Step R1 The MU generates a identity \(ID_{MU}\) and a corresponding password \(PW_{MU}\), and computes a temporary value \(d=f(ID_{MU} \parallel PW_{MU})\) where f() is a number generating algorithm based on hardware encryption module. Then MU computes a hash value \(PW_{MU}^{*}= h(PW_{MU} \parallel d)\) and transmits the message \(\{ID_{MU}, PW_{MU}^{*}\}\) to its HA through a secure channel.

  • Step R2 Upon receipt of the above information \(\{ID_{MU}, PW_{MU}^{*}\}\), HA firstly determines whether the identity \(ID_{MU}\) is exist in its user table. If the identity already exists, the HA notifies MU to send a new registration information with a new identity. Otherwise, the HA chooses a number \(c \in Z_{n}^{*}\) as master secret key, and computes \(C=cP, Q_{MU}= h(ID_{MU} \parallel c) \oplus h(ID_{MU} \parallel PW_{MU}^{*}), V_{MU}=h(ID_{MU} \oplus PW_{MU}^{*})\). Then HA puts the message of \(\{ID_{HA}, C, Q_{MU}, V_{MU}, h()\}\) into a smart card and distributes it to MU over a secure channel.

Fig. 4
figure 4

Registration phase of our scheme

Full size image

3.4 Authentication and Establishment of Session Key Phase

When a MU visits a new foreign network FA, they need to mutual authentication before establish communication links. The following steps are performed during authentication and establishment of session key phase. Figure 5 illustrates this process in detail.

Fig. 5
figure 5

Authentication and establishment of session key phase of our scheme

Full size image

  • Step L1 MU enters the login information into the mobile device. Then the smart card in the mobile device generates the temporary value \(d = f(ID_{MU} \parallel PW_{MU})\) and \(V_{MU}^{*}=h(ID_{MU} \oplus h(PW_{MU} \parallel d))\), and compares the values of \(V_{MU}^{*}\) and \(V_{MU}\). If the two values are equal, it means MU is a legitimate user. Otherwise the login process is going to be aborted immediately by smart card. Then the smart card randomly chooses a number \(a \in Z_{n}^{*}\) and \(R_{MU} \in Z_{n}^{*}\), for the sake of resist DoS attack, the a and \(R_{MU}\) will remain in the memories of mobile device for a short time(suppose that the average time of the authentication and establishment phase is \(T_{auth}\), we choose the threshold time is 1.5\(T_{auth}\) by considering of transmission latency). Then the smart card caculates \(A=aP, R_{AC}=aC, N=Q_{MU} \oplus h(ID_{MU} \parallel PW_{MU}^{*}), E_{1}=(ID_{MU} \parallel ID_{FA} \parallel R_{MU})_{R_{AC}}, H_{1}=h(N \parallel ID_{HA} \parallel A \parallel C \parallel R_{MU} \parallel T_{1})\), where \(T_{1}\) is the current timestamp. Then MU sends \(\{E_{1}, A, H_{1}, ID_{HA}, T_{1}\}\) to FA.

  • Step L2 Upon receiving the login request message \(\{E_{1}, A, H_{1}, ID_{HA}, T_{1}\}\) at time \(T_{2}\), FA checks whether the time span between \(T_{1}\) and \(T_{2}\) is in a preset time threshold \(\Delta T\). (i.e., check if \(T_{2}-T_{1} \le \Delta T\)). If not, FA terminates the phase. Otherwise the FA checks the message to prevent DoS attack, if the number of login requests from a same MU exceeds the threshold level in a preset time interval, the FA can judge it suffers from the DoS attack and terminates the login phase, and notifies MU’s home agent. Otherwise, FA randomly selects a number \(b \in Z_{n}^{*}\), and caculates \(B=bP, E_{2}=E_{P_{HA}}(E_{1} \parallel A \parallel B \parallel H_{1} \parallel Cert_{FA} \parallel T_{1} \parallel T_{2}), Sig_{FA}=S_{S_{FA}}(h(E_{1} \parallel A \parallel B \parallel H_{1} \parallel Cert_{FA} \parallel T_{2}))\). Here \(P_{HA}\) is the HA’s public key, \(S_{FA}\) is the FA’s private key, \(Cert_{FA}\) is the FA’s certificate. Then FA submits \(\{E_{2}, Sig_{FA}, T_{2}\}\) to HA.

  • Step L3 Upon receiving \(\{E_{2}, Sig_{FA}, T_{2}\}\) from FA at time \(T_{3}\), HA firstly checks the time difference among \(T_{2}\) and \(T_{3}\). Next, HA decrypts \((E_{2})_{S_{HA}}=(E_{1}, A, B, H_{1}, Cert_{FA}, T_{1}, T_{2})\) using its private key and decrypts \((E_{1})_{R_{AC}}=(ID_{MU}^{*}, ID_{FA}^{*}, R_{MU})\) using the computed \(R_{AC}=cA\), then verifies the signature \(Sig_{FA}\) and checks if the \(ID_{FA}^{*}\) is a valid user using \(Cert_{FA}\). If the two values are valid, FA is authenticated. After that, HA computes \(H_{1}^{*}=h(h(ID_{MU}^{*} \parallel c) \parallel ID_{HA} \parallel A \parallel C \parallel R_{MU} \parallel T_{1})\). Then HA checks \(H_{1}^{*} ?= H_{1}\). If the result is equal, the MU is authenticated by HA. subsequently, HA caculates \(E_{3}=E_{P_{FA}}(h(B \parallel R_{MU}) \parallel A \parallel Cert_{HA} \parallel T_{3}), Sig_{HA}=S_{S_{HA}}(h(h(B \parallel R_{MU}) \parallel A \parallel Cert_{HA} \parallel T_{3}))\), where \(T_{3}\) is the current timestamp. At last, HA sends \(\{E_{3}, Sig_{HA}, T_{3}\}\) to FA.

  • Step L4 Upon receiving \(\{E_{3}, Sig_{HA}, T_{3}\}\) from HA, FA verifies the freshness of \(T_{3}\) first. Then FA decrypts \((E_{3})_{S_{FA}}=(h(B \parallel R_{MU}), A, Cert_{HA}, T_{3})\) and uses HA’s public key \(P_{HA}\) to verify the validity of the signature \(Sig_{HA}\). If the result is valid, HA is authenticated which also means that HA claimed MU is a legitimate user. Next, FA generates a mutual and secret session key \(sk=h(bA)=h(abP)\) with MU and \(E_{4}=(B \parallel h(B \parallel R_{MU}))_{sk}\), and sends \(\{E_{4}, B, T_{4}\}\) to MU where \(T_{4}\) is the current timestamp.

  • Step L5 Once the message \(\{E_{4}, B, T_{4}\}\) is received by MU, he/she checks the freshness of \(T_{4}\) first, then decrypts \((E_{4})_{sk}= (B^{*}, h(B \parallel R_{MU})^{*})\) using the computed session key \(sk=h(aB)=h(abP)\). Then MU computes \(h(B \parallel R_{MU})\) and checks whether \(B^{*}?=B\) and \(h(B \parallel R_{MU})^{*} ?=h(B \parallel R_{MU})\). If both of them are equal, FA and HA are all authenticated by MU. Then MU confirms the shared session key is sk and can safely communicate with FA.

3.5 Update Session Key Phase

The shared session key between MU and FA must to be updated regularly for security reason if the MU stays in the FA all the time. MU and FA can use the following steps for updating their shared session key \(sk_{i}(i=2,\ldots ,n)\) at the ith session. The details of update session key phase of our new scheme are shown in Fig. 6.

Fig. 6
figure 6

Update session key phase of our scheme

Full size image

  • Step U1 MU randomly chooses \(a_{i} \in Z_{n}^{*}\) and caculates \(A_{i}=a_{i}P(i=2,\ldots ,n)\). Then, MU generates a timestamp \(T_{1}\) and sends \(\{A_{i}, T_{1}\}\) to FA.

  • Step U2 When receiving the information at time \(T_{2}\), FA firstly checks the freshness of \(T_{1}\). If it fails validation, FA stops the process immediately. Otherwise, FA generates a new random number \(b_{i} \in Z_{n}^{*}\) and caculates \(B_{i}=b_{i}P(i=2,\ldots ,n)\). Next, FA generates \(sk_{i}=h(b_{i}A_{i})=h(a_{i}b_{i}P)\) as new session key and \(V_{i}=h(a_{i}b_{i}P \oplus a_{i-1}b_{i-1}P)\) and submits \(\{B_{i}, V_{i}, T_{2}\}\) to MU.

  • Step U3 Upon receiving \(\{B_{i}, V_{i}, T_{2}\}\) from FA, MU firstly checks the freshness of \(T_{2}\). If the time difference is within the allowable range, MU computes \(V_{i}^{*}=h(a_{i}B_{i} \oplus a_{i-1}B_{i-1})=h(a_{i}b_{i}P \oplus a_{i-1}b_{i-1}P)\) and checks whether \(V_{i}^{*}=V_{i}\). If so, MU generates a new session key \(sk_{i}=h(a_{i}B_{i})=h(a_{i}b_{i}P)\) and replaces the old session key \(sk_{i-1}\) with \(sk_{i}\).

4 Security Analysis of the Proposed Scheme

In this section, we discuss some security characteristics and efficiency of our new user authentication scheme. We mainly divide it into seven aspects.

4.1 Ability to Provide User Anonymity

We can obtain the MU’s anonymity from using symmetric encryption technique and hash function in the new protocol. Suppose that the attacker steals the mobile device and has extracted the secrets \(\{ID_{HA}, C, Q_{MU}, V_{MU} , h()\}\) by analyzing the communication messages or the energy consumption of the mobile device [25, 26], but without konwing the the secret key c and the algorithm f() , he/she cannot get the secret information such as MU’s real identity and MU’s password. Assume the attacker eavesdrops the messages transmitting among MU, FA and HA. Based on the ECDLP problem, the attacker cannot obtain the random a from A and thus cannot obtain \(ID_{MU}, R_{MU}\) from \(E_{1}\). Meanwhile the attacker cannot to get the moving history and current position of MU because the random value a is adopted, which is constantly changing for each login. Furthermore, because the these random variables \(a, R_{MU}\) and \(T_{1}\) are dynamically changed in different login request messages, the message \(\{E_{1}, A, H_{1}, T_{1}\}\) is also different for each login.

In the login phase of our new scheme, the random number \(a, R_{MU}\) will not change in a preset time interval, that will not reduce MU’s anonymity because a legal MU does not send the login information frequently. A legal MU sends the login request message only once for getting services while an adversary sends large number of messages to FA in a short time interval for the purpose of DoS attack.

Hence, the proposed scheme can provide user’s anonymity.

4.2 Ability to Mutual Authentication and Prevent Impersonation Attacks

The new scheme can realize mutual authentication among MU, HA and FA and prevent impersonation attacks. The details are as following:

  1. (1)

    Mutual authentication between MU and HA

    In the step L3 of authentication stage, HA can verify the identity of MU if \(ID_{MU}^{*}\) is exist and the values of the computed \(H_{1}^{*}\) and the recevied \(H_{1}\) are equal. On the other hand, because only the HA has authority to get \(R_{MU}\) and B at the same time, so MU can authenticate HA in step L5 by checking \(h(B \parallel R_{MU})^{*}?=h(B \parallel R_{MU})\). So MU and HA can achieve mutual authentication.

  2. (2)

    Mutual authentication between FA and HA

    FA and HA can perform mutual authentication in step L3 and L4 of the authentication stage. HA can verify the identity of FA by checking whether FA’s signature \(Sig_{FA}\) is equal \(S_{P_{FA}}(h(E_{1} \parallel A \parallel B \parallel H_{1} \parallel Cert_{FA} \parallel T_{1} \parallel T_{2}))\) using FA’s public key \(P_{FA}\) and \(ID_{FA}^{*}\) is valid using FA’s certificate \(Cert_{FA}\). HA also can be authenticated by FA if its signature \(Sig_{HA}\) is equal to \(S_{P_{HA}}(h(h(B \parallel R_{MU}) \parallel A \parallel Cert_{HA} \parallel T_{3}))\).

  3. (3)

    Mutual authentication between MU and FA

    Because the HA has authenticated MU’s valid in step L3 before HA sends the reply message, the FA can simultaneously authenticate HA and MU with the message \(\{E_{3}, Sig_{HA}, T_{3}\}\) from HA in step L4. MU also can authenticated FA by checking \(h(B \parallel R_{MU})^{*}?=h(B \parallel R_{MU})\) which from HA.

4.3 Ability to Meets the Security Requirement for Perfect Forward Secrecy

The capability of forward secrecy means that even if an adversary breaks the whole passwords of the participants, he/her still cannot compromise the previous session keys.

The shared session key \(sk=h(abP)\) in the new scheme is generated by two numbers a and b which belong to the MU and the FA respectively, and has nothing to do with the system master key c. The random number cannot be obtain from \(A=aP, B=bP, R_{AC}=aC=cA\) based on the security of ECDLP and ECDHP problem. So even though the master key c is compromised or an adversary gets the whole passwords of the participants, the transmitted messages and the previous established session keys will not be leaked. Hence, our new scheme can achieve strong forward secrecy.

4.4 Ability to Resist Off-Line Password Guessing Attack with Smart Card Security Breach

In the new scheme, we assumed that the attacker has obtained the information \(\{ID_{HA}, C, Q_{MU}, V_{MU}, h()\}\) from the stolen MU’s smart card and has eavesdropped a previous transmitted messages \(\{E_{1}, A, H_{1}, ID_{HA}, T_{1}, E_{2}, Sig_{FA}, T_{2} , E_{3}, Sig_{HA}, T_{3} , E_{4}, B, T_{4}\}\). Note that the password of MU only appear in \(Q_{MU}, V_{MU}\) and \(H_{1}\), which \(Q_{MU}, V_{MU}\) is stored in smart card. Clearly if the values \(ID_{MU}, d\) and the master key c are unknown, the attacker cannot launch this type of attack.

4.5 Ability to Prevent Replay Attack

Our proposed scheme can protect foreign agent against the normal impersonal attack by replaying previously sent login request due to the the identity \(ID_{FA_{j}}\) was employed. As mentioned in the previous section, we suppose that a MU sends the message \(\{E_{1}, A, H_{1}, ID_{HA}, T_{1}\}\) to a foreign agent, say \(FA_{j}\). Upon receiving the message, \(FA_{j}\) impersonates the MU to forward its login request to another network, say \(FA_{j+1}\). Then \(FA_{j+1}\) pass the received information to HA. To be more precise, \(FA_{j+1}\) submits message \(\{E_{2}, Sig_{FA_{j+1}}, T_{2}\}\) to HA, where \(E_{2}=E_{P_{HA}}(E_{1} \parallel A \parallel B \parallel H_{1} \parallel Cert_{FA_{j+1}} \parallel T_{1} \parallel T_{2})\) and \(E_{1}=(ID_{MU} \parallel ID_{FA_{j}} \parallel R_{MU})_{R_{AC}}\). In the authentication phase of the new scheme, HA computes \(R_{AC}=cA\) and decrypts \(E_{1}\) to obtain \(ID_{FA_{j}}\). HA can authenticate FA’s valid by comparing \(ID_{FA_{j}}\) with the identity in the certificate \(Cert_{FA_{j+1}}\). If the values of them are not the same, HA stops the authentication phase and sends a message “The user is illegal” to \(FA_{j+1}\). After receiving the message “The user is illegal” from HA, \(FA_{j+1}\) will terminate the authentication processing with \(FA_{j}\). Eventually, \(FA_{j}\) cannot impersonate other mobile user(e.g. MU) and establish a session with \(FA_{j+1}\). Hence, our new scheme can effectively prevent the messages replay attacks described in Sect. 2.

4.6 Ability to Prevent Potential DoS Attack

With Denial-of-Service(DoS) attack [27], the adversaries send large amounts of bogus login message to network servers so as to rapidly consume the resources of FA and HA and render them unable to provide services to legitimate MUs. Most of the three-party roaming handover authentication [1,2,3,4,5,6,7,8,9,10] requires the FA to retransmit all the login request to HA unconditionally, then the attackers can easily start DoS attack on HA via FA. One way to thwart the DoS attack is that the FA can verify the received login request message before forwarding it.

Our scheme proposes a method which can prevent the potential DoS attack. All the smart card distributed by network servers should preset a time threshold(e.g. \(1.5T_{auth}\)), and the random number a and \(R_{MU}\) will keep in the mobile device’s memories within this period, that is the content \(\{E_{1}, A, H_{1}, ID_{HA}\}\) of sending login request message will not change too. Suppose a mobile user, say \(MU_{i}\), catches a virus or malicious use by an adversary, it flood a lot of illegal access request messages \(\{E_{1}, A, H_{1}, ID_{HA}, T_{1}\}\) to a foreign agent, say \(FA_{j}\). When receiving the message from \(MU_{i}\), the \(FA_{j}\) firstly verifies these messages. If there are large number of messages contain the same \(\{E_{1}, A, H_{1}, ID_{HA}\}\) in preset time threshold, \(FA_{j}\) can judge it is suffering from DoS attack. Subsequently, \(FA_{j}\) abandons all the messages from the \(MU_{i}\) and terminates the session with \(MU_{i}\) and sends a notify “\(MU_{i}\) has been compromised” to \(MU_{i}\)’s home agent. Finally, our scheme can effectively prevent the potential DoS attack.

Table 2 Performance comparisons
Full size table
Table 3 Function comparisons
Full size table

4.7 Ability to Avoid Authentication Phase Interrupt When Large Number of MUs Visit a FA

In the circumstances, we suppose that there are a lot of MUs from a same HA visit a FA, they send their login request messages to FA respectively for getting service, and the FA pass all the messages to HA, then the HA will reply to all the messages in a short time after verify those messages. Note that every reply message \(\{E_{3}, Sig_{HA}, T_{3}\}\) from HA contains the information of MU, the FA could decrypt \(E_{3}\) and get A, which is sent by MU. So the FA can map every message to every MU by A and b because of they are all random number derived from MU and FA respectively.

Hence, the proposed scheme can complete the login and authentication phase when massive user roam a same FA because the A and b were employed.

5 Performance Comparison and Functionality Analysis

In this section, we firstly compares the performance functionality of the new scheme with other related works. Table 2 shows the performance comparisons results. Some symbols used in Table 2 are as follows: H denotes the one-way hash function operation(i.e., SHA-1 [28]); S denotes the symmetric encryption/decryption operation(i.e., AES [29]); A denotes the encryption/decryption operation using a pair of asymmetric keys(i.e., RSA [30]); and EC means the ECC multiplication operation. Table 3 lists the functionality comparisons among the new scheme and other related works. As the Table 3 shows, our scheme possesses a lot of outstanding features and is more safe and more robust than others.

6 Conclusions

In wireless mobility networks, roaming user authentication is an important task, and a lot of solution schemes have been put forward to enhance the security and efficiency in authentication. In this paper, we analyse Niu et al.’s scheme in detail and found that although they claimed their protocol can protect the networks against some known attacks, their scheme still has several weaknesses. For the sake of improving its security in wireless communications networks, we present a novel roaming authentication scheme based on ECC. Security analysis has indicated that our protocol is able to resist various known attacks like impersonation attack, replay attack and DoS attack. Meanwhile, the new protocol also support mutual authentication among all kinds of entities and provide user anonymity in mobile networks. The functionality comparisons and performance comparison also demonstrate that our new scheme is more suitable for wireless communications networks.