1 Introduction

The rapid development of mobile communication technology demands for various multimedia applications such as multimedia online gaming, video and audio streaming, mobile TV etc., which involves high usage of data. To meet these requirements, 3rd Generation Partnership Project (3GPP) evolved prominent widespread technologies such as LTE and LTE-A technologies for the next generation mobile wireless communication networks or 4G standard (Akyildiz et al. 2010; Cao et al. 2014). The LTE system (Cao et al. 2014) mainly provides high data rates, flexible bandwidth and low access latency. It also improves the coverage as well as capacity of the system. It supports the flexible integration with other wireless communication networks as well. LTE-A provides much higher data rates, throughput, coverage, spectral efficiency and lower latency than the existing LTE (Akyildiz et al. 2010; Cao et al. 2014). To secure the high speed LTE network, an Authentication and Key Agreement (AKA) scheme called Evolved Packet System AKA (EPS-AKA) was used in LTE system (Alezabi et al. 2014; Lai et al. 2013). However, LTE system still suffers from various security issues such as replay attack, Denial of Service (DoS) attack, eavesdropping attack, impersonation attack, known key attack etc. Another drawback of LTE technology is that it does not provide perfect forward secrecy.

Peyravian and Zunic (2000) proposed a secure scheme for password protection and password update by employing ‘collision resistant one way hash function’ without using any symmetric or public key encryption technique. Meanwhile, Hwang and Yeh (2002) presented an enhanced version of the proposed scheme Peyravian and Zunic (2000) by using public key cryptosystem. In this paper, the authors identified that the scheme described in Peyravian and Zunic (2000) suffered from password guessing attack, data eavesdropping attack and server spoofing attack. These security issues were rectified and subsequently mutual authentication was achieved in Hwang and Yeh (2002). One major drawback of the scheme Hwang and Yeh (2002) was that it was not free from DoS attack. Another demerit was that it could not provide perfect forward secrecy. To overcome these difficulties, Lin and Hwang (2003) developed an enhanced system based on the Diffie–Hellman key ex-change algorithm. In the meantime, Zhu et al. (2008) also pointed out that the scheme Hwang and Yeh (2002) was vulnerable to replay attack, impersonation attack, DoS attack and stolen-verifier attack. In Zhu et al. (2008) scheme, the authors proposed an improved password authentication system based on strong hash functions to mitigate the above security issues. However, this scheme was prone to impersonation attack. Islam and Biswas (2013) analyzed the scheme proposed in Lin and Hwang (2003) and identified that it suffered from various attacks such as, insider attack, impersonation attack, stolen-verifier attack, many logged in users attack and known session specific temporary information attack. To eliminate these security flaws, the authors developed an ECC based improved password authentication and updated scheme. The authors in Islam and Biswas (2013) claimed that their proposed scheme brought a considerable improvement in scheme Lin and Hwang (2003). Moreover, the work described in Islam and Biswas (2013) removed many of the security weaknesses of the scheme Zhu et al. (2008) and established that the proposed scheme Islam and Biswas (2013) was protected from all related attacks. Afterwards, Li (2013) analyzed the scheme described in Islam and Biswas (2013) and pointed out that it could get affected by stolen verifier attack, password guessing attack and insider attack. In Li (2013), the author removed these security flaws by proposing a new password authentication and updated scheme based on ECC with smart cards in two different versions. However, Xu and Wu (2015) identified that two versions of the scheme Li (2013) could not provide enough security. To enhance the security as described in Li (2013), the authors proposed an improved scheme by employing ECC with user anonymity in Xu and Wu (2015).

An AKA scheme called Evolved Packet System AKA (EPS-AKA) (Alezabi et al. 2014; Lai et al. 2013) was proposed by 3GPP to secure LTE network. Lai et al. (2013) found that the EPS-AKA protocol was associated with some security problems, such as, lack of privacy preservation and Key Backward/Forward Secrecy (KBS/KFS). It also faced a big challenge for group based authentication. To address these security related issues, the authors presented a Secure and Efficient AKA protocol named SE-AKA, based on ECDH and an asymmetric key cryptosystem. The asymmetric key cryptosystem provided privacy preservation; whereas, ECDH provided KBS/KFS for the system. Moreover, it could effectively authenticate group devices by providing a group authentication mechanism. However, the system failed to authenticate the group of devices. Another Efficient EPS-AKA protocol called EEPS-AKA was developed by Alezabi et al. (2014) based on Simple Password Exponential Key Exchange (SPEKE) (Jablon 2013). The authors in Alezabi et al. (2014) identified that the EPS-AKA protocol had the possibility of getting affected by some security issues, such as, Man in the Middle (MITM) attack, disclosure of the user identity, authentication delay and computational overhead. The authors in Alezabi et al. (2014) established that their proposed scheme was efficient enough to overcome these security problems. Moreover, the authors claimed that the EEPS-AKA was faster than previously developed methods due to the employment of secret key method into it. The proposed method also reduced the storage overhead and authentication delay effectively. Furthermore, the formal verifications showed that the proposed protocol was secure from both active and passive attacks. In the context of EPS-AKA, Abdrabou et al. (2015) showed that the said protocol was vulnerable to replay attack, DoS attack, MITM and disclosure of the user identity. To overcome these weaknesses, the authors proposed a Modified EPS-AKA (MEPS-AKA) protocol based on SPEKE and symmetric key cryptography. It was found that the execution time for MEPS-AKA was more than the EPS-AKA. To mitigate the security weakness of LTE networks, an improved technique called enhanced AKA was approached by Degefa et al. (2016) without adding any extra cost to the environment. The authors employed the secret key cryptographies to enhance the security, computation and communication cost of the LTE networks. However, the scheme assumed that the secret function \(f()\) would be kept secret even if the Home Subscriber Server (HSS) is compromised, which is more impractical. Moreover, the scheme could not achieve key forward secrecy (Chien 2018). In 2017, Hamandi et al. (2017) developed a computationally efficient privacy enhanced scheme for LTE networks. To reduce the overhead, the authors minimized the use of asymmetric and symmetric encryptions. However, the scheme was found to be vulnerable to DoS attack, replay attack and could not provide perfect forward secrecy (Singh and Shrimankar 2018). Several improved versions of EPS-AKA were proposed in (Cao et al. 2012; Køien 2011; Singh and Shrimankar 2018; Xiehua and Yongjun 2011) which pointed out different drawbacks associated with EPS-AKA and afterwards removed them by using different cryptographic techniques.

To address the security issues present in two security protocols namely, Internet Protocol Security (IPsec) and Security Socket Layer (SSL), Huang et al. developed a secure communication system defined as Wireless Security System with Data Connection Core (WiSDC) in Huang et al. (2012). This system adopted the Data Connection Core (DCC) as its security base to protect the secrecy, integrity and authenticity of the transmitted messages. To increase the security level of the system, the authors introduced three mechanisms. Firstly, to protect the DCC from hackers, the system produced internal keys in order to derive the communication keys, which were transmitted through medium rather than DCC. Secondly, to lower the probability of information being captured, the system reduced the key exchange level. Finally, to encrypt and decrypt the transmitted message, it employed two dimensional stream cipher technique. A secure authentication scheme called Security system with Pseudo random number generator, Diffie–Hellman algorithms and Data Connection Core (SPDiD) was proposed by Huang et al. (2013) for wireless environment. The system employed DCC to establish a strong connection between UE and HSS and employed Diffie-Hellman algorithm to exchange common secret keys. Moreover, Pseudo Random Number Sequences (PRNSs) were used to generate more symmetric keys for the purpose of encrypting the key and messages without reducing the security levels. Further, the authors compared the performance of the proposed SPDiD with LTE-A and WiMAX systems which showed that the proposed system provided better security than the existing systems in terms of forgery attack, reply attack, eavesdropping attack and DoS attack. Another novel Security Scheme for 4G Environment called Se4GE was developed by Huang et al. (2014). To overcome some of the security issues found in LTE-A such as replay attack and eavesdropping attack, the system integrated RSA and DH algorithm. This work analytically showed that the security level of Se4GE was higher than LTE-A system though the authentication phase required longer processing time. It was also found that the scheme suffered from some security attacks like impersonation attack and known key attack. Related to this work, Kanani et al. (2014) proposed a modified security scheme based on symmetric key, RSA, random number generator and Se4GE. In this work, the authors analyzed the Se4GE scheme and modified it by providing secured DCC in order to bring improvement in the performance of the said system. The authors also claimed that the proposed system achieves better security than the Se4GE system. However, it was observed that the proposed scheme was not immune to impersonation attack and known key attack.

Meanwhile, many secure authentication schemes were also proposed for the LTE environment. Abdeljebbar and Kouch (2018) established an improved EPS-AKA to provide a new solution to remove the security weakness of LTE network. The scheme protected the key exchange messages by the use of asymmetric cryptographic. However, this scheme was incapable to prevent the DoS attack because of the fact that the scheme did not use any authentication mechanisms to protect some of the transmitted messages. To overcome the security issues found in the existing AKA schemes, several group based efficient and secure AKA scheme for Machine to Machine Communication (MTC) in LTE/LTE-A networks was established by (Gupta et al. 2018; Parne et al. 2018). Both of the schemes used a symmetric cryptosystems and adopted group authentication techniques to verify the group of Machine Type Communication Devices (MTCDs) simultaneously. Ferrag et al. (2018) made a survey on the security for 4G and 5G cellular networks. The authors analyzed different existing privacy models of 4G and 5G networks with respect to several security attributes and performance parameters. Zikria et al. (2018a) analyzed the requirements and challenges for software’s, protocols design and valid techniques for the emerging techniques Internet of Things (IoT). The authors reviewed several papers related to the research trends in IoT. Several secure authentication mechanisms and surveyed work for 4G/5G enabled IoT were also presented in (Kumari et al. 2018; Ni et al. 2018; Zikria et al. 2018b; Musaddiq et al. 2018).

To meet the above research demands mainly in the area of LTE/LTE-A, an improved authentication and security scheme for LTE/LTE-A networks has been proposed in this paper. The important contributions of this paper are summarized as follows:

  1. 1.

    The proposed system employs ECC, ECDH and stream cipher Salsa20 algorithm to mitigate the security weaknesses related to 4G wireless system.

  2. 2.

    This scheme adopts ECC and ECDH to protect the system from different security attacks and also improves the key exchange flow between UE and MME, which enhances the security level of the system.

  3. 3.

    The system employs Salsa20 stream cipher and modifies it for the purpose of the encryption and decryption of the plain text and cipher text, which makes the system more secure and faster.

  4. 4.

    The proposed scheme uses timestamp to protect the system from the replay attack and Hash based Message Authentication Code (HMAC) ensures the authenticity, integrity and certification of the transmission messages.

  5. 5.

    The proposed scheme also uses some sophisticated encryption functions to hide important parameters and achieve proper mutual authentication between UE and MME.

  6. 6.

    Security analysis of the proposed system has been carried out in detail to evaluate its performance with respect to LTE standard and some related existing work in terms of several security attributes, such as, replay attack, known key attack, impersonation attack, eavesdropping attack, DoS attack, many logged in user attack and perfect forward secrecy.

  7. 7.

    The effectiveness of the proposed system has been established by comparing the performance of our proposition with other related systems in terms of key generation time, encryption and decryption time, computational cost, total computational time, time complexity and storage overhead. The performance analysis establishes the supremacy of the proposed scheme over other existing schemes.

The rest of this paper is structured as follows. In Sect. 2, we have discussed the technical background relevant to this work. In Sect. 3, we have analyzed the methodology of the proposed system. In Sect. 4, we have analyzed various security attributes related to the proposed system and compared its performance with LTE standard and some existing related work. In Sect. 5, the performance of the proposed system has been analyzed. Finally, some concluding remarks and outline for future work have been included in Sect. 6.

2 Theoretical background

2.1 Long term evaluation advance (LTE-A)

LTE-A is (Akyildiz et al. 2010) considered as a well-accepted standard for 4G wireless environments. The key objectives of LTE-A are to provide high data rate, wide scalable bandwidth, low latency and improved spectral efficiency (Cao et al. 2014).

The LTE-A comprises of following important components:

  1. (a)

    User Equipment (UE) It is the user device, which consists of different mobile equipment’s.

  2. (b)

    Evolved Node B (eNodeB or eNB) eNB is a base station that controls the mobiles in different cells.

  3. (c)

    Mobility Management Entity (MME) MME acts as a bridge between UE and HSS. It controls the high level operation of the mobile. It is also responsible for authentication and data transfer.

  4. (d)

    Home Subscriber Server (HSS) A central data base that contains information about the entire serving subscriber. UE authentication is one of the major responsibilities of HSS.

The detailed analysis of the LTE-A architecture has been further discussed in (Akyildiz et al. 2010). This paper follows the communication flow of LTE-A architecture and considers the LTE-A as the physical network platform for analyzing end to end security and performance of the network.

2.2 Elliptic curve cryptography (ECC)

This cryptography technique was proposed by Miller and Koblitz in 1985 to design public key cryptosystem, which lies on the algebraic structure of elliptic curves over finite fields \(Z_{q}\) (Hankerson et al. 2004). It is currently used in various cryptographic systems to provide better security and computational efficiency. The security of the ECC is mainly dependent on the hardness involved in solving Elliptic Curve Discrete Logarithm Problem (ECDLP). Moreover, it uses smaller key bits to achieve equivalent level of security same as RSA (Hankerson et al. 2004) i.e. the 160-bit elliptic curve key provides the same level of security as 1024-bit RSA key (Mahto et al. 2016). Furthermore, the computational cost of elliptic curve point multiplication is less expensive as compared to the modular exponentiation which is involved in RSA (Chung et al. 2007). Hence, to achieve the better security and provide efficient performance, the proposed scheme adopts ECC over other cryptography techniques. An overview of ECC is presented below.

A set of elliptic curve points \(E_{q} (a,b)\) over a finite field \(Z_{q}\) is the all pairs of integers \((x,y)\) that satisfy the equation \(y^{2} \bmod q = x^{3} + ax + b(\bmod q)\) together with \(O\), called the point at infinity. Where, \(q\) is a large prime number and \(a\) and \(b\) are two constants such that \(a,b \in Z_{q}\) and satisfies the condition of \(4a^{3} + 27b^{3} \ne 0\). The additive cyclic group is defined by \(E_{g} = \{ (x,y) \in E_{q} (a,b)\} \cup \{ O\}\). The point multiplication on the cyclic group is calculated by repeated addition. A point \(P\) is the public point of the elliptic curve group with order \(n\) such that \(n \cdot P = 0\). The further details of the elliptic curve cryptosystems properties are described in (Hankerson et al. 2004).

The computational problems over the elliptic curve group which are normally used to design secure cryptographic systems have been analyzed below (Hankerson et al. 2004; Xu et al. 2018):

Elliptic curve discrete logarithm problem (ECDLP) Given \(P, \, Q \in E_{g}\), hard to find an integer \(m \in\)[1, \(n\)-1], such that \(Q = m \cdot P\).

Computational Diffie–Hellman Problem (CDHP) For \(a,b \in\) [1, \(n\)-1], given \(P, \, aP\) and \(bP\), hard to compute \(abP\).

Decisional Diffie–Hellman Problem (DDHP) For \(a,b,c \in\) [1, \(n\)-1], given \(P, \, aP, \, bP\) and \(cP\), difficult to decide whether \(c = ab \, mod \, q\) or not.

2.3 Salsa20 algorithm

A stream cipher algorithm Salsa20 is one of the eSTREAM candidates proposed by Bernstein (2008). This is recommended for the design of cryptographic schemes where speed and security both are of prime importance. Salsa20 is also suggested for the quantum resistant algorithm (Cheng et al. 2017). The core of Salsa20 is a hash function having an input of 64-byte to produce an output of 64-byte. Mathematical operations such as addition, X-OR and constant distance rotation are used to construct the Salsa20 algorithm. Moreover, the keystream of 64-byte is obtained by mapping 32-byte secret key, 8-byte nonce, and 8-byte block number. Furthermore, it goes through several rounds to obtain 64-byte key stream, which is depicted in Fig. 1 (Afdhila et al. 2016; Bernstein 2005). Salsa20 encrypts a k-byte of plain text by performing X-OR operation with the first k-byte of keystream and discarding the remaining stream. Similarly, it decrypts the k-byte of cipher text by performing the X-OR operation with the first k-byte of the key stream to generate the plain text. To achieve secure and faster system, the proposed scheme employs Salsa20 algorithm and modifies it for the purpose of encryption and decryption of the data. The Salsa20 encryption and decryption process is illustrated in Fig. 2 (Afdhila et al. 2016; Bernstein 2005).

Fig. 1
figure 1

Salsa20 keystream generation process

Full size image
Fig. 2
figure 2

Encryption and decryption process of Salsa20

Full size image

3 Proposed model

In this section, a security system based on ECC and Salsa20 algorithm has been proposed to enhance the end to end security of 4G environment. The notations which are used in this study have been presented in Table 1 and the relevant functions have been defined in Sect. 3.1.

Table 1 Notations used in the proposed system
Full size table

3.1 Functions

  1. 1.

    Encryption functions:

    1. a.
      $$Enc\_fun(p,q) = p \oplus q.$$
    2. b.
      $$ECC\_Enc(a,b) = b * a.$$

    Where, \(a\) represents the point function \((a_{x} ,a_{y} )\)

  2. 2.

    Decryption functions:

    1. a.
      $$Dec\_fun(p,q) = p = e \oplus q.$$

      where, \(e = Enc\_fun(a,b)\)

    2. b.
      $$ECC\_Dec(a,b) = a = d * f.$$

      where, \(d = minv(b,n)\) and \(f = ECC\_Enc(a,b)\)

  3. 3.

    HMAC (K) = A hash based message authentication code. The hash function performs both on secret key K and transmitted message to generate HMAC. It is used to ensure the authenticity, integrity and certification of the transmitting and receiving messages.

As for example, if a message which is transmitted from UE to MME is \((OP_{code} ,T_{UE} ,IMSI_{A} ,Enc\_fun(E_{U} ,K_{A} ),ECC\_Enc(U_{A} ,K_{P} ),ECC\_Enc(P_{{U_{A} }} ,A_{R} ))\) then the authentication code generated by performing hash function on both the key \((K_{P} + K_{A} \oplus A_{R} )\) and the message \((OP_{code} ,T_{UE} ,IMSI_{A} ,Enc\_fun(E_{U} ,K_{A} ),ECC\_Enc(U_{A} ,K_{P} ),ECC\_Enc(P_{{U_{A} }} ,A_{R} ))\) is found to be \(HMAC(K_{P} + K_{A} \oplus A_{R} )\).

An important point of discussion related to our proposed model is that the keys which are generated by ECC are the pair of numbers i.e. point function. Whenever these keys are used as a session key for generating different keys or for traditional encryption, a single number is used which is generated by performing the XOR operation between the two numbers.

3.2 Communication steps

In this study, a distinctive Operation Code (\(OP_{code}\)) has been assigned to individual message to describe the function of each message. The various \(OP_{code}\) used in this model reduce the authentication time and operational complexity. The definitions of various \(OP_{code}\) have been described in Table 2.

Table 2 Definitions of various \(OP_{code}\)
Full size table

The operational flow diagram of the proposed model has been presented in Fig. 3. To achieve an end to end secure communication, the proposed model has been categorized into three phases:

Fig. 3
figure 3

Operational flow diagram of the proposed system

Full size image
  1. 1.

    Registration phase

  2. 2.

    Authentication and key exchange phase

  3. 3.

    Data transmission phase.

In the registration phase, at first the user get registered himself in the server HSS with his own parameters and subsequently collects the server public key. Next, the server stores each legal user’s parameters into a write protected file. Afterwards, the authentication and key exchange process starts.

In the authentication and key exchange phase, initially UE transmits an authentication request message to MME which contains encrypted keys with UE’s identity. Upon receiving the authentication request message, MME sends a request to HSS for the encrypted private key and password verifier for user, based on the identity of the respective user. Subsequently, HSS sends those parameters to MME. After receiving; MME decrypts all the keys and authenticates the user by verifying the authentication parameter of UE. Then MME will validate the received message to check whether the message is valid or not. If not valid, MME terminates the message; otherwise, MME sends an authentication reply message to UE which contains encrypted keys. By receiving the authentication reply message, UE decrypts the keys and authenticates MME by verifying the authentication parameter of MME. If the received authentication parameter is proper, then mutual authentication is achieved. Next, it checks the correctness of the message. If the message is not a correct one, it discards the message; otherwise, the process goes to data transmission phase.

In the data transmission phase, UE sends a data transmission request to MME. On receiving the request message, MME checks whether the received message is valid or not. If it is not valid, the MME terminates it; else, MME sends a data transmission reply message to UE to make a confirmation that a secure communication can be established. On receiving the confirm message, UE starts delivering the encrypted data to MME in a secure communication channel. MME retrieves the plaintext by decrypting the data and afterwards the data exchange process continues. The complete process has been explained mathematically as follows:

3.2.1 Registration phase

At the initial stage of the network entry, the user registers himself to the server HSS with his own parameters such as identity of the user i.e. \(IMSI_{A}\) and password verifier \(V_{A}\) and subsequently collects the server’s public key \(P_{S}\). Afterwards, the server stores each legal user’s identity, password verifier and a status bit into a write protected file as presented in Table 3. Here, the status bit represents the present status of the user i.e. when the user is logged into the server, the status bit is set to one (‘1’), else it is set to zero (‘0’).

Table 3 The verifier table with user status bit
Full size table

3.2.2 Authentication and key exchange phase

In this phase, at first, UE transmits an authentication request message to MME that includes encrypted keys. After receiving the authentication request message, MME sends request to HSS for the encrypted private key \(K_{P}\) and password verifier \(V_{A}\) for user A based on \(IMSI_{A}\). Subsequently, HSS delivers \(K_{P}\) and \(V_{A}\) to MME. MME decrypts the keys and authenticates the user by verifying the condition \(U_{A,C} \begin{array}{*{20}c} ? \\ = \\ \end{array} U_{A}\). If this condition is not satisfied, MME terminates the session; else it authenticates UE and then verifies the correctness of the message by comparing the HMAC value i.e. \(HMAC(K_{P} ,K_{A} ,A_{R} )_{c} \begin{array}{*{20}c} ? \\ = \\ \end{array} HMAC(K_{P} ,K_{A} ,A_{R} )_{r}\). Here, subscripts ‘c’ and ‘r’ are used to represent the calculated and retrieved HMAC values respectively. If the above stated condition is not satisfied, MME discards the message; otherwise, it sends an authentication reply message to UE which contains encrypted keys. On receiving authentication reply message, UE decrypts the encrypted keys and authenticates MME by verifying the condition \(M_{A,C} \begin{array}{*{20}c} ? \\ = \\ \end{array} M_{A}\). If the condition does not fulfill, UE discards the message; else, it authenticates the MME. Thus, the mutual authentication is achieved. Next, UE checks the correctness of the message by verifying the condition \(HMAC(IK_{1} ,IK_{2} ,IK_{3} )_{c} \begin{array}{*{20}c} ? \\ = \\ \end{array} HMAC(IK_{1} ,IK_{2} ,IK_{3} )_{r}\). If the condition is not satisfied, the process is terminated; otherwise, it is forwarded to the data transmission phase.

3.2.3 Data transmission phase

In this phase, UE sends a data transmission request message to MME. On receiving the request message, MME checks the correctness of the data transmission request message by verifying the condition \(HMAC(IK_{4} ,IK_{5} ,IK_{6} )_{c} \begin{array}{*{20}c} ? \\ = \\ \end{array} HMAC(IK_{4} ,IK_{5} ,IK_{6} )_{r}\). If this condition is not satisfied, MME discards the message; otherwise, it generates the dynamic keys such as, \(DK_{1 - 9}\),\(DX_{1 - 9}\) and \(TEK_{1 - 81}\), and then sends a data transmission reply message to UE to confirm that a secure communication can be established. On receiving the confirmation, UE starts transmitting the encrypted data to MME in a secure communication channel. The data transmission process has been analyzed as follows: For example, assume that plaintext message = \(m_{0} m_{1} m_{2} m_{3} \ldots ..m_{l - 1}\) is divided into \(l\) number of blocks of the same size. Correspondingly, the ciphertext message = \(C_{0} C_{1} C_{2} C_{3} \ldots ..C_{l - 1}\) is generated and transmitted to MME. On receiving the ciphertext message, MME retrieves the plaintext by decrypting the data and subsequently data exchange process continues. The complete process is described in Sect. 3.2.4 in the form of algorithm.

3.2.4 Proposed algorithm

figure a
figure b
figure c
figure d
figure e
figure f
figure g
figure h
figure i

4 Security analysis

In this section, we have analyzed different Security Attributes (SA) related to the proposed system and compared them with LTE standard and other related existing systems.

SA1: mutual authentication During authentication and key exchange process of the proposed protocol, UE and MME authenticate each other by verifying the authentication parameters \(U_{A}\) and \(M_{A}\) with the computed authentication parameter \(U_{A,C}\) and \(M_{A,C}\) of UE and MME respectively. In the authentication reply step, MME authenticates UE by verifying the equality condition between \(U_{A,C}\) and \(U_{A}\). UE derives \(E_{U}\) and \(U_{A}\) by using different parameters \(K_{P}\), \(K_{A}\) and \(A_{R}\) and then sends them to MME. During the authentication reply step, MME decrypts \(E_{U}\) to generate \(A_{R,C}\) by using \(K_{P}\) and \(K_{A}\), and then computes \(U_{A,C}\) which is equal to the received \(U_{A}\). In the authentication reply check step, UE authenticates MME by verifying the equality condition between \(M_{A,C}\) and \(M_{A}\). By following above similar process, it is found that \(M_{A,C}\) and \(M_{A}\) both provide equal computed value. Thus the proposed system achieves mutual authentication. In this context, it can be identified that the process of proper mutual authentication between UE and MME has not been followed in existing literatures such as SPDiD (Huang et al. 2013), Se4GE (Huang et al. 2014), Kanani et al. (2014), MEPS-AKA (Abdrabou et al. 2015) and Hamandi et al. (2017) (Singh and Shrimankar 2018).

SA2: replay attack The proposed system uses time stamp \(T_{UE}\) and \(HMAC(K_{P} ,K_{A} ,A_{R} )\) to defend replay attacks. For the purpose of illustration, let us assume that the authentication request message (M1) is duplicated by hackers and sent. In this case, the condition \(T_{R1} - T_{UE} \le \Delta T_{1}\) will not be satisfied because of the fact that time stamp \(T_{UE}\) is set at that time when M1 is sent from UE and \(\Delta T_{1}\) is the predefined threshold. Consequently, the message is discarded by MME. If the hackers modify the time stamp \(T_{UE}\) to the present time through some means, then also the computation of \(HMAC(K_{P} + K_{A} \oplus A_{R} )\) by the hackers will be incorrect. Therefore, the computed \(HMAC(K_{P} ,K_{A} ,A_{R} )_{c}\) will not be equal to the received \(HMAC(K_{P} ,K_{A} ,A_{R} )_{r}\). Similar conclusion can be drawn for M2 as well. All other transmission messages contain HMAC (K) function, whose secret key K is only known to UE and MME. Hence the proposed scheme can defend the replay attack in an efficient manner. However, the scheme Hamandi et al. (2017) does not prevent the replay attack (Singh and Shrimankar 2018).

SA3: impersonation attack Impersonate attack (Xiehua and Yongjun 2011) occurs when the hackers access the security parameters of the users stored in the server. In the proposed scheme, the server may compromise \(V_{A}\) of user. However, with this knowledge of \(V_{A}\), the hackers cannot decrypt all the keys of authentication request message, which requires the knowledge of \(K_{P}\), \(K_{A}\) and the random number \(A_{R}\). Computation of \(K_{P}\) and \(K_{A}\) requires a password \(PW_{A}\). The hackers may try to extract \(PW_{A}\) from \(V_{A}\) but they fail to do so as it is hard to solve the ECDLP (Hankerson et al. 2004). Therefore, the proposed scheme is more immune to impersonation attack. In contrast, in existing schemes like SPDiD (Huang et al. 2013), Se4GE (Huang et al. 2014) and Kanani et al. (2014) if the server compromises user identity and Data Connection Core (DCC) then the hackers can decrypt all the keys involved in the authentication request message. Thus these schemes can get affected by impersonation attack.

SA4: known key attack When the session ephemeral private keys are accidently exposed to attackers through any means, the attackers can avail all the keys of the system resulting in known key attack (Hamandi et al. 2017). In the proposed scheme, both UE and MME compute a shared key \(K_{S}\) = \(RM \cdot RU_{A} \cdot PW_{A} \cdot RS \cdot P\). If it is assumed that the ephemeral private keys \(RM\) and \(RU_{A}\) are exposed to an attacker then also it is difficult to derive the shared key \(K_{S}\) as it is not easy to extract the knowledge of \(PW_{A} \cdot RS \cdot P\). This is because of the fact that the computation of \(PW_{A} \cdot RS \cdot P\) from the pair \((V_{A} ,P_{S} ) = (PW_{A} \cdot P,RS \cdot P)\) is equivalent to solving the CDHP, which is difficult to achieve. Hence the proposed system can prevent the known key attack. In the existing scheme Se4GE (Huang et al. 2014), the attacker can easily compute the common secret key \(CSK = P_{BR}^{MR} \bmod p{\text{ = g}}^{BR \cdot MR} \bmod p\) or \(CSK = P_{MR}^{BR} \bmod p{\text{ = g}}^{MR \cdot BR} \bmod p\) with the knowledge of the private keys MR and BR corresponding to UE and MME respectively. Above process shows that if the private keys are exposed, the attackers may also compute common secret key CSK in the existing schemes SPDID (Huang et al. 2013) and Kanani et al. (2014). Thus all these existing schemes are not capable enough to prevent the known key attack.

SA5: DoS attack DoS attack (Panda and Chattopadhyay 2019) occurs when the attacker sends the illegal messages to reduce the performance of the network and also makes the resources inaccessible from the intended users. The DOS attack can be avoided by protecting the messages using encryption mechanisms and hashing. The proposed scheme encrypts all the transmitted keys by using eminent encrypted functions to protect all the management messages. Another important feature is that HMAC function is used to validate all the messages. Therefore, any of the illegal messages cannot pass to UE and MME for validation. Thus the system can defend DoS attack successfully. However, in the existing schemes MEPS-AKA (Abdrabou et al. 2015), Hamandi et al. (2017) and Kumari et al. (2018) some of the transmitted keys have not been encrypted and also some of the messages have not been protected by any authentication mechanism. Hence, the schemes MEPS-AKA, Hamandi et al. (2017) and Kumari et al. (2018) can get affected by DoS attack (Singh and Shrimankar 2018). Another scheme namely Improved EPS-AKA (Abdeljebbar and Kouch 2018) was also vulnerable to DoS attack as it did not use any authentication mechanism to protect the transmitted messages.

SA6: Eavesdropping attack In the proposed system, the hackers can get only the transmitted keys from the different encrypted functions such as \(Enc\_fun()\) and \(ECC\_Enc()\) which are adopted in different messages. However, to decrypt the public keys

\(P_{{U_{A} }}\) and \(P_{M}\), it is required to compute two authentication random numbers \(A_{R}\) and \(A_{M}\). Moreover, \(P_{{U_{A} }}\) is associated with password \(PW_{A}\) which is unavailable to hackers. Similarly, other keys and security parameters which are involved in this communication process are also well protected. Even though the hackers capture the messages from the network, it is not possible to extract the user’s keys. Hence the proposed system is able to defend the eavesdropping attack (Panda and Chattopadhyay 2019).

SA7: many logged in user’s/device’s attack The many logged in user’s attack occurs when the identity and password of the legal users/devices are leaked by some means to many hackers, as a result of which they can simultaneously access the accounts of the legitimate users/devices in a remote server. In the proposed system, only single hacker, having the knowledge of proper user identity and password can access the account although many others try to do so. This is because of the fact that whenever a single hacker logs in by using proper user identity and password, the server sets the status bit to ‘1’. Meantime, if any other hacker tries to log into the server with the same user identity and password, the status-bit indicates that someone is already logged in and the server rejects rest of the attempts. Thus the proposed scheme is safe from many logged in user’s attack. As far as the existing schemes SPDiD (Huang et al. 2013), Se4GE (Huang et al. 2014), Kanani et al. (2014), MEPS-AKA (Abdrabou et al. 2015), Enhanced-AKA (Degefa et al. 2016), Hamandi et al. (2017), Kumari et al. (2018), SEGB (Parne et al. 2018), DGBES (Gupta et al. 2018), Improved EPS-AKA (Abdeljebbar and Kouch 2018) and EAKA-EPS (Singh and Shrimankar 2018) are concerned, they are not safe from many logged in users/devices attack as they do not incorporate any concept of setting the login status of the logged user/device.

SA8: perfect forward secrecy Perfect forward secrecy (Alezabi et al. 2014) implies that if the password of the user and secret key of the server are exposed then also the secrecy of the other computed keys should not be affected. As for example, if the hacker has the knowledge of user password \(PW_{A}\) and server private key \(RS\) then it is possible to compute \(V_{A}\) and \(P_{S}\). Moreover, the hacker may get information about the public keys \(P_{{U_{A} }}\) and \(P_{M}\) which are decrypted from the messages M1 and M2 respectively. However, it is difficult to compute the shared key \(K_{S}\) = \(RM \cdot RU_{A} \cdot PW_{A} \cdot RS \cdot P\) as it requires two private keys \(RU_{A}\) and \(RM\) which are two random numbers. If someone tries to extract them from the pair (\(P_{{U_{A} }}\),\(P_{M}\)) = (\(RU_{A} \cdot PW_{A} \cdot RS \cdot P\),\(RM \cdot RS \cdot P\)), it is not easy to solve due to hard of CDHP. Hence it can be said that the proposed scheme offers perfect forward secrecy. In contrast, the existing schemes MEPS-AKA (Abdrabou et al. 2015), Enhanced-AKA (Degefa et al. 2016) and Hamandi et al. (2017) do not provide perfect forward secrecy (Chien 2018; Singh and Shrimankar 2018).

Security comparison of the proposed system with the other related systems has been presented in Table 4. Here, different security attributes such as Replay attack, Known key attack, Impersonation attack, Eavesdropping attack, DoS attack, Many logged in user’s attack and Perfect forward secrecy have been intensified by “Yes” and “No”. Moreover, the degree of Mutual authentication has been indicated by “Partial” and “Full”.

Table 4 Security comparison of the proposed scheme with other related schemes
Full size table

5 Performance analysis

In this section, performance analysis of the proposed system and some other related systems has been analyzed and compared. Simulation has been performed using MATLAB 2015a platform. The simulation parameters have been presented in Table 5. Generation of different keys and related functions has been analyzed to examine various security issues related to wireless communication systems. The logical key reasoning for evaluating the time consumptions of several keys and functions have been explained below:

Table 5 Simulation parameters
Full size table

In this work, the time generating different keys and related functions on both UE and MME sides has been evaluated for different key lengths such as 112-bit, 128-bit and 160-bit which provide the security levels of 56-bit, 64-bit and 80-bit respectively (Mahto et al. 2016; Barker 2016). Moreover, the performance of the proposed system has been compared with other existing systems with respect to key generation time on both UE and MME sides. Here, the key generation time has been taken as the sum of the time required to generate the following keys: public keys (\(P_{{U_{A} }}\) and \(P_{M}\)), shared keys (\(K_{S}\)) and encryption keys (\(TEK_{1 - 81}\) and \(KS\)) for both UE and MME sides, for the purpose of comparison. Furthermore, the encryption and decryption time, the computational cost, the total computational time, the time complexity and the storage overhead have been calculated and compared with other existing systems. The respective results are listed below:

5.1 Key generation time

The time elapsed for the generation of different keys and different functions on UE side and MME side has been summarized in Table 6 and Table 7 respectively.

Table 6 Consumption of time for the generation of different keys and related functions on UE side
Full size table
Table 7 Consumption of time for the generation of different keys and related functions on MME side
Full size table

The proposed system has been compared with some related existing systems such as SPDiD (Huang et al. 2013), Se4GE (Huang et al. 2014) and Kanani et al. (2014) based on key generation time on both UE and MME sides as presented in Fig. 4a, b respectively.

Fig. 4
figure 4

Comparison of key generation time of the proposed system with existing systems on UE side and MME side. a The Key generation time of the proposed system and existing systems on UE side. b The Key generation time of the proposed system and existing systems on MME side

Full size image

Figure 4a shows that the time consumed to generate the keys on UE side for the proposed system is 0.513 s as compared to the existing systems such as SPDiD, Se4GE and Kanani et al. (2014) which take 1.827 s, 3.495 s and 4.296 s respectively for a security level of 80-bit resulting in a percentage improvement of 71.92, 85.32 and 88.05% for the proposed system over SPDiD, Se4GE and Kanani et al. (2014) respectively. Similarly, Fig. 4(b) shows that the time required to generate the keys on MME side for the proposed system is 0.591 s in contrast to SPDiD, Se4GE and Kanani et al. (2014) which take 1.819 s, 3.502 s and 3.558 s respectively for a security level of 80-bit providing a percentage improvement of 67.51, 83.12 and 83.39% for the proposed system over SPDiD, Se4GE and Kanani et al. (2014) respectively. These results indicate that the proposed system is more efficient than SPDiD, Se4GE and Kanani et al. (2014) as far as key generation time is concerned.

5.2 Encryption and decryption time

Comparison of the time spent for encrypting the plaintext on UE side and decrypting the cipher text on MME side of the proposed system and the other existing systems such as SPDiD, Se4GE and Kanani et al. (2014) has been presented in Fig. 5a, b respectively for different sizes of the plain text such as 256, 768, 512 and 1024 bits

From Fig. 5a it is found that the time required for encrypting the plain text of 1024-bit in length takes 1.096 s, 2.067 s, 2.822 s and 2.92 s for the proposed system, SPDID, Se4GE and Kanani et al. (2014) system respectively. As far as decryption time is concerned, these values are found to be 2.34 s, 4.063 s, 36.909 s and 38.669 s for the proposed system, SPDID, Se4GE and Kanani et al. (2014) system respectively as evident from Fig. 5b considering a text size of 1024-bit. In both the cases, it is found that the proposed system provides considerable improvement over SPDID, Se4GE and Kanani et al. (2014) system.

Fig. 5
figure 5

Comparison of the encryption time and decryption time of the proposed system with existing systems. a The encryption time of proposed system and existing systems. b The decryption time of proposed system and existing systems

Full size image

5.3 Computational cost

The logic behind the calculation of the computational cost of the proposed scheme and related existing schemes has been analyzed as follows: While computing the computational cost, different simpler operations such as addition, subtraction, X-OR etc. as stated in Sect. 3 (Sect. 3.2.4) has not been included due to their minimal contribution as compared to other operations. For computing the computational cost different notations are used which are defined below:

  1. 1.

    \(T_{ME}\): the time for executing a modular exponentiation operation

  2. 2.

    \(T_{EPM}\): the time for computing an elliptic curve point multiplication

  3. 3.

    \(T_{RE}\): the time for computing a RSA encryption operation

  4. 4.

    \(T_{RD}\): the time for computing a RSA decryption operation

  5. 5.

    \(T_{H}\): the time for executing a HMAC operation

  6. 6.

    \(T_{SY\_ENC}\): the time for computing symmetric encryption/decryption operation

  7. 7.

    \(T_{ASY\_ENC}\): the time for computing asymmetric encryption/decryption operation

  8. 8.

    \(T_{AES}\): the time for computing AES encryption/decryption operation

  9. 9.

    \(T_{KDF}\): the time for executing KDF operation

  10. 10.

    \(T_{Q}\): the time for computing quantum key operation

  11. 11.

    \(T_{MAC}\): the time for executing MAC operation

Here, computational cost is evaluated individually for all the phases such as Registration phase, Authentication and key exchange phase and Data transmission phase by considering the computational time of the security functions which are mentioned above. The detailed analyses have been presented below:

5.3.1 Computational cost of the SPDiD scheme (Huang et al. 2013)

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase\(T_{ME}\) + 2 \(T_{H}\) + 2 \(T_{ME}\) + 2 \(T_{H}\)  = 3 \(T_{ME}\) + 4 \(T_{H}\)

Data transmission phase\(T_{ME}\) + 8 \(T_{H}\)

The overall computational cost of the SPDiD scheme is: 4 \(T_{ME}\) + 12 \(T_{H}\)

5.3.2 Computational cost of the Se4GE scheme (Huang et al. 2014)

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase 2 \(T_{ME}\) + \(T_{RE}\) + \(T_{H}\) + \(T_{RD}\) + \(T_{H}\) +4 \(T_{ME}\) + \(T_{H}\) + 2 \(T_{ME}\) + \(T_{H}\)

= 8 \(T_{ME}\) + \(T_{RE}\) + \(T_{RD}\) +4 \(T_{H}\)

Data transmission phase: 4 \(T_{H}\)

The overall computational cost of the Se4GE scheme is: 8 \(T_{ME}\) + \(T_{RE}\) + \(T_{RD}\) +8 \(T_{H}\)

5.3.3 Computational cost of the Kanani et al. (2014) scheme

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase 2 \(T_{ME}\) +2 \(T_{RE}\) + \(T_{H}\) +2 \(T_{RD}\) + \(T_{H}\) +3 \(T_{ME}\) +2 \(T_{H}\) + \(T_{ME}\) + \(T_{RE}\) + \(T_{H}\) + \(T_{RD}\) + \(T_{H}\) + \(T_{ME}\) +2 \(T_{H}\)= 7 \(T_{ME}\) +3 \(T_{RE}\) +3 \(T_{RD}\) +8 \(T_{H}\)

Data transmission phase Not applicable

The overall computational cost of the Kanani et al. (2014) scheme is: 7 \(T_{ME}\) +3 \(T_{RE}\) +3 \(T_{RD}\) +8 \(T_{H}\)

5.3.4 Computational cost of the MEPS-AKA scheme (Abdrabou et al. 2015)

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase\(T_{H}\) + \(T_{ME}\) + \(T_{SY\_ENC}\) + \(T_{ME}\) + 7 \(T_{SY\_ENC}\)= 2 \(T_{ME}\) + \(T_{H}\) + 8 \(T_{SY\_ENC}\)

Data transmission phase Not applicable

The overall computational cost of the MEPS-AKA scheme is: 2 \(T_{ME}\) + \(T_{H}\) + 8 \(T_{SY\_ENC}\)

5.3.5 Computational cost of the Enhanced-AKA scheme (Degefa et al. 2016)

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase\(T_{SY\_ENC}\) + \(T_{KDF}\) + \(T_{SY\_ENC}\) + \(T_{KDF}\) + 2 \(T_{SY\_ENC}\) + \(T_{KDF}\)= 3 \(T_{KDF}\) + 4 \(T_{SY\_ENC}\)

Data transmission phase Not applicable

The overall computational cost of the MEPS-AKA scheme is: 3 \(T_{KDF}\) + 4 \(T_{SY\_ENC}\)

5.3.6 Computational cost of the Hamandi et al. (2017) scheme

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase\(T_{SY\_ENC}\) + \(T_{MAC}\) +3 \(T_{KDF}\) + \(T_{SY\_ENC}\) + (3 \(T_{KDF}\))* x=\(T_{MAC}\) +3 \(T_{KDF}\) + 2 \(T_{SY\_ENC}\) + (3 \(T_{KDF}\))* x

Data transmission phase Not applicable

The overall computational cost of the MEPS-AKA scheme is: \(T_{MAC}\) +3 \(T_{KDF}\) + 2 \(T_{SY\_ENC}\) + (3 \(T_{KDF}\))* x

Where, x is represented as the required numbers of authentication vectors/UEs.

5.3.7 Computational cost of the Improved EPS-AKA scheme (Abdeljebbar and Kouch 2018)

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase\(T_{H}\) + \(T_{ME}\) + \(T_{ASY\_ENC}\) + \(T_{ME}\) +3 \(T_{ASY\_ENC}\) +2 \(T_{H}\) + \(T_{ME}\) + \(T_{ASY\_ENC}\) + \(T_{MAC}\) + \(T_{KDF}\) + \(T_{ME}\) +4 \(T_{ASY\_ENC}\) + \(T_{H}\) + \(T_{KDF}\) +2 \(T_{ASY\_ENC}\)= 3 \(T_{ME}\) + 4 \(T_{H}\) + \(T_{MAC}\) +2 \(T_{KDF}\) +11 \(T_{ASY\_ENC}\)

Data transmission phase Not applicable

The overall computational cost of the MEPS-AKA scheme is: 3 \(T_{ME}\) + 4 \(T_{H}\) + \(T_{MAC}\) +2 \(T_{KDF}\) +11 \(T_{ASY\_ENC}\)

5.3.8 Computational cost of the DGBES scheme (Gupta et al. 2018)

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase

  1. (a)

    The computational cost of MTC devices is: (4 \(T_{H}\)) * n + (2 \(T_{H}\) + \(T_{AES}\)) * m

  2. (b)

    The computational cost of network is: (3 \(T_{H}\)) * n + (2 \(T_{H}\) + \(T_{AES}\)) * m

Total computational cost: (7 \(T_{H}\)) * n + (4 \(T_{H}\) +2 \(T_{AES}\)) * m

Data transmission phase: Not applicable

The overall computational cost of the MEPS-AKA scheme is: (7 \(T_{H}\)) * n + (4 \(T_{H}\) +2 \(T_{AES}\)) * m

Where, n and m are represented as the number of MTCDS and number of group formed for n number of MTCDS respectively.

5.3.9 Computational cost of the SEGB scheme (Parne et al. 2018)

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase

  1. (a)

    The computational cost of MTC devices is: (4 \(T_{H}\) +2 \(T_{AES}\)) * n + (2 \(T_{H}\)) * m

  2. (b)

    The computational cost of network is: (3 \(T_{H}\) +2 \(T_{AES}\)) * n + (2 \(T_{H}\)) * m

Total computational cost: (7 \(T_{H}\) + 4 \(T_{AES}\)) * n + (4 \(T_{H}\)) * m

Data transmission phase Not applicable

The overall computational cost of the MEPS-AKA scheme is: (7 \(T_{H}\) + 4 \(T_{AES}\)) * n + (4 \(T_{H}\)) * m

5.3.10 Computational cost of the EAKA-EPS scheme (Singh and Shrimankar 2018)

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase Not applicable

Authentication and key exchange phase\(T_{ASY\_ENC}\) + \(T_{MAC}\) +2 \(T_{KDF}\) + 2 \(T_{ASY\_ENC}\) + \(T_{MAC}\) + \(T_{ASY\_ENC}\) + \(T_{KDF}\) + \(T_{ASY\_ENC}\) + \(T_{MAC}\) + \(T_{ASY\_ENC}\) + \(T_{KDF}\)= 3 \(T_{MAC}\) +4 \(T_{KDF}\) + 6 \(T_{ASY\_ENC}\)

Data transmission phase Not applicable

The overall computational cost of the MEPS-AKA scheme is: 3 \(T_{MAC}\) +4 \(T_{KDF}\) + 6 \(T_{ASY\_ENC}\)

5.3.11 Computational cost of the Kumari et al. (2018) scheme

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase 2 \(T_{EPM}\) + \(T_{H}\) + 4 \(T_{EPM}\)= 6 \(T_{EPM}\) + \(T_{H}\)

Authentication and key exchange phase 12 \(T_{EPM}\) + \(T_{H}\) + \(T_{EPM}\) + 4 \(T_{H}\) + 2 \(T_{Q}\) + 2 \(T_{H}\)= 13 \(T_{EPM}\) + 7 \(T_{H}\) + 2 \(T_{Q}\)

Data transmission phase Not applicable

The overall computational cost of the MEPS-AKA scheme is: 19 \(T_{EPM}\) + 8 \(T_{H}\) + 2 \(T_{Q}\)

5.3.12 Computational cost of the proposed scheme

Computational costs corresponding to the several operations executed on the different phases are as follows:

Registration phase\(T_{EPM}\) + \(T_{EPM}\) = 2 \(T_{EPM}\)

Authentication and key exchange phase 6 \(T_{EPM}\) + \(T_{H}\) + 4 \(T_{EPM}\) + \(T_{H}\) +6 \(T_{EPM}\) + \(T_{H}\) +4 \(T_{EPM}\) + \(T_{H}\)= 20 \(T_{EPM}\) + 4 \(T_{H}\)

Data transmission phase 6 \(T_{H}\)

The overall computational cost of the proposed scheme is 22 \(T_{EPM}\) + 10 \(T_{H}\).

The computational cost of the proposed system and other related systems has been listed in Table 8.

Table 8 Computational cost of the proposed system and different existing systems
Full size table

From Table 8, it is noticed that the proposed system achieves lower computational cost as compared to other existing systems such as SPDiD, Se4GE, Kanani et al. (2014), MEPS-AKA, Improved EPS-AKA and EAKA-EPS system. This is because of the fact that the proposed system uses elliptic curve point multiplication whereas the systems SPDiD, MEPS-AKA, Improved EPS-AKA and EAKA-EPS includes modular exponentiation operation and the systems Se4GE and Kanani et al. (2014) use RSA encryption and decryption operation and modular exponentiation operation (Chung et al. 2007). Moreover, the computational cost of the proposed scheme is little higher than some of the related existing schemes due to the fact that the proposed scheme uses more ECC functions to protect the keys which helps to prevent the system from several security attacks. Furthermore, it achieves perfect forward secrecy. Although some of the proposed schemes achieves better computational cost than the proposed scheme, many of them are vulnerable to several security attacks such as DoS attack, replay attack and many logged in user’s/device’s attack and also do not provide perfect forward secrecy. Thus, it can be said that the proposed protocol provides better security than the existing schemes with competitive computational cost.

5.4 Computational time

Comparison of total computation time of the proposed system with existing systems has been presented in Fig. 6.

Fig. 6
figure 6

Comparison of the total computational time of the proposed system and existing systems

Full size image

From Fig. 6 it is found that the total computation time of the proposed system is only 8.724 s in contrast to SPDiD, Se4GE and Kanani et al. (2014) system which consumes a time of 10.21 s, 170.593 s and 442.895 s respectively for a security level of 80-bit, resulting in a percentage improvement of 14.55, 94.89 and 98.03% over the systems SPDiD, Se4GE and Kanani et al. (2014) respectively.

5.5 Time complexity

The time complexity of the proposed scheme and the related schemes has been evaluated based on the following logic: The security of the proposed system is based on the hard of solving ECDLP. Hence, the time complexity of the proposed system is \(O(\sqrt p )\) (Soram and Khomdram 2009; Panda and Chattopadhyay 2019), where p is the largest prime divisor of the order n. The security of the other related systems SPDiD, Se4GE and Kanani et al. (2014) are depends on the difficulty of solving discrete logarithm problem. Therefore, the time complexity of the systems SPDiD, Se4GE and Kanani et al. (2014) is \(O(\exp \sqrt {cm\ln m} )\) (Panda and Chattopadhyay 2019; Elgamal 1985), where, c = 0.69 and m is the length of the public key. The time complexity of the proposed system and other related systems are listed in Table 9.

Table 9 Time complexity of proposed system and different existing systems
Full size table

5.6 Storage overhead

In this section, we present the storage overhead of the proposed scheme and some existing schemes. The list of parameters with the standard size for the evaluation of storage overhead has been listed in Table 10 (Saxena et al. 2015). The logical key reasoning for evaluating the storage overhead of the proposed and related existing schemes has been analyzed as follows:

Table 10 Setting of parameters
Full size table

In the proposed scheme, at the initial stage of network entry when the user gets registered with the server, user’s identity (\(IMSI_{A}\), \(IMSI_{B}\) ….), password verifier (\(V_{A}\)) and a status bit into a write protected file also get stored in the server. Subsequently, the server sends its public key \(P_{S}\) to the users. Moreover, by the request of MME for the authentication purpose, the server sends \(K_{P}\) and \(V_{A}\) to MME. Hence, the storage space requirement for the proposed scheme is found to be 705 bits which has been calculated by adding the individual storage space of all the above mentioned parameters. In SPDiD, the server stores the DCC (\(K_{i}\) and \(K_{f}\)) and IMSI and also sends a message \(PRN_{1 - 6} |CSK|P_{hs}^{'} |HMAC(P_{hs} + PRN_{5} \oplus PRN_{6} )\) to MME for the purpose of authentication. Therefore, the storage space for SPDiD is calculated as 1536 bits. Similarly, in both the schemes such as Se4GE and Kanani et al. (2014), the server stores the DCC which contains IMSI, RSA triple keys such as public key \(e_{i}\), private key \(d_{i}\) and the modulus \(N_{i}\) and authentication key \(K_{i}\). Thus the storage space requirement for both the schemes Se4GE and Kanani et al. (2014) is found to be 3352 bits for 1024 bits RSA system (Soram and Khomdram 2009; Panda and Chattopadhyay 2019). The storage overhead of the proposed system and existing systems has been presented in Table 11.

Table 11 Comparison of storage overhead of the proposed system with existing systems
Full size table

5.7 Discussion

The outcomes of the above analysis have been summarized below:

  1. 1.

    The proposed system attains better percentage of improvement over other existing systems SPDiD, Se4GE and Kanani et al. (2014) with respect to key generation time.

  2. 2.

    The proposed system modifies the Salsa20 stream cipher technique at the time of the process of encryption and decryption and uses it for the same purpose. Hence in contrast to other existing systems SPDiD, Se4GE and Kanani et al. (2014), the proposed system acquires faster encryption of plain text and decryption of cipher text.

  3. 3.

    The proposed system offers proper mutual authentication where some other related existing systems SPDiD, Se4GE, Kanani et al. (2014), MEPS-AKA and Hamandi et al. (2017) provide partial mutual authentication.

  4. 4.

    The proposed system attains greater security than the standard LTE and the related existing systems.

  5. 5.

    The computational cost of the proposed system decreases from the values of the other related systems SPDiD, Se4GE, Kanani et al. (2014), MEPS-AKA, Improved EPS-AKA and EAKA-EPS. This is due to the fact that the proposed system includes ECC and ECDH in contrast to the systems SPDiD, Se4GE, Kanani et al. (2014), MEPS-AKA, Improved EPS-AKA and EAKA-EPS which employ RSA and DH-PKDS in it. This achievement has occurred because of the fact that the computational cost of elliptic curve point multiplication is much less than that of modular exponentiation used in RSA and DH-PKDS (Chung et al. 2007). Moreover, the proposed system achieves better percentage of improvement on total computation time over the existing systems SPDiD, Se4GE and Kanani et al. (2014).

  6. 6.

    The performance analysis shows that the storage overhead of the proposed system is also reduced as compared to the existing systems SPDiD, Se4GE and Kanani et al. (2014).

  7. 7.

    Hence it can be concluded that the proposed scheme outperforms the related existing systems in all respect.

6 Conclusions and future work

In this paper, an improved authentication and security scheme has been proposed for LTE/LTE-A networks by employing ECC, ECDH and Salsa20 stream cipher algorithm to enhance the end to end security and speedy data transmission. The proposed work protects the transmission messages, prevents the system from several security attacks and offers proper mutual authentication by incorporating a number of propositions such as timestamp, different encrypted functions, authentication parameters, HMAC and user password verifier. From the security analysis of the system it is found that the proposed system attains better security as compared to LTE standard and some related existing work. Furthermore, the performance analysis of the proposed system shows the following outcomes: Firstly, the key generation time of the proposed scheme is much less than other related systems SPDiD, Se4GE and Kanani et al. (2014). Secondly, the encryption and decryption speed are faster than the systems SPDiD, Se4GE and Kanani et al. (2014). Thirdly, the computational cost and the total computation time of the proposed system are much lower as compared to other existing systems. Finally, the storage overhead of the proposed system is also significantly decreased. Hence it can be concluded that our proposed system is more efficient, secure, and reliable as compared to the existing security schemes.

The above discussion shows that our proposition is capable to provide lower computation cost. However, enhancing the performance of the system without sacrificing its security by employing a reduced number of ECC point multiplication can be considered an important area of research in future. Extension of this work to emerging technology like IoT can also be considered as another scope for future work.