An anonymous and untraceable password-based authentication scheme for session initiation protocol using smart cards


Int. J. Commun. Syst. (2014)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/dac.2848

Mohammad Sabzinejad Farash 1,*,† and Mahmoud Ahmadian Attari 2

1 Faculty of Mathematical Sciences and Computer, Kharazmi University, Tehran, Iran
2 Faculty of Electrical and Computer Engineering, K.N. Toosi University of Technology, Tehran, Iran

SUMMARY

Recently, Zhang et al. proposed a password-based authenticated key agreement for the session initiation protocol (Int J Commun Syst 2013, doi:10.1002/dac.2499). They claimed that their protocol is secure against known attacks. However, in this paper, we show that the protocol by Zhang et al. is vulnerable to an impersonation attack whereby an active adversary, without knowing the user's password, can introduce himself/herself as the user. In addition, we show that the protocol by Zhang et al. suffers from a password changing attack. To overcome these weaknesses, we propose an improved authentication scheme for the session initiation protocol. The security analysis shows that our scheme achieves more security than the scheme by Zhang et al. Copyright © 2014 John Wiley & Sons, Ltd.

Received 19 September 2013; Revised 11 March 2014; Accepted 29 July 2014

KEY WORDS: password-based protocol; voice over internet protocol; session initiation protocol; smart card

1. INTRODUCTION

With the widespread use of voice over IP (VoIP) on the Internet [1–4] and in mobility management [5–8], the security of VoIP is becoming increasingly important [9]. When a user wants to access a VoIP service, he or she has to authenticate to the remote server. Among the protocols that handle authentication for VoIP, the Session Initiation Protocol (SIP), whose development at the Internet Engineering Task Force began in 1996 and which is now specified in RFC 3261 [10], is the most widely used. SIP is an application-layer signaling protocol for creating, modifying, and terminating multimedia sessions among one or more participants. For a decade, various authentication schemes [11, 12], especially ones based on elliptic curve cryptography (ECC), have been proposed to secure SIP [13–28].

1.1. Related works

In 2005, Yang et al. [29] showed that the original SIP authentication scheme is vulnerable to offline password guessing and server-spoofing attacks. To counter these attacks, Yang et al. proposed a modified scheme based on the Diffie–Hellman key exchange protocol. However, Huang et al. [30] pointed out that the scheme by Yang et al. may not be suitable for users with limited computational power and proposed a new scheme. In [31], Jo et al. demonstrated that the schemes by Yang et al. and Huang et al. are both vulnerable to offline password guessing attack.

*Correspondence to: Mohammad Sabzinejad Farash, Faculty of Mathematical Sciences and Computer, Kharazmi University, Tehran, Iran.


Based on the scheme by Yang et al., Durlanik et al. [32] introduced an efficient authentication scheme for SIP using the elliptic curve Diffie–Hellman key exchange protocol. Because of the adoption of elliptic curves, the scheme by Durlanik et al. reduced the total execution time and the memory requirements in comparison with the scheme by Yang et al. However, Yoon et al. [33] showed that the scheme by Durlanik et al. still suffered from offline password guessing and Denning–Sacco attacks, and proposed an improved scheme to overcome these weaknesses. Liu et al. [34] then demonstrated that the scheme by Yoon et al. still suffers from offline password guessing and insider attacks.

In 2009, Tsai [35] proposed an efficient authentication protocol based on a random nonce, in which only one-way hash functions and exclusive-or operations were used to compute all the communication messages. As a result, the computation cost was very low and the protocol was suitable for low-computation equipment. However, it was still vulnerable to offline password guessing, Denning–Sacco, and stolen-verifier attacks. Furthermore, it did not provide key agreement, known-key secrecy, or perfect forward secrecy [36–38]. To deal with these problems, Arshad et al. proposed an ECC-based authentication scheme [38]. But Tang et al. [39] demonstrated that the scheme by Arshad et al. is vulnerable to offline password guessing attack and introduced an improved scheme to overcome the weakness.

In 2010, Yoo et al. [40] also proposed an authentication scheme based on ECC to deal with the problems in the scheme by Tsai. In 2012, Xie [41] pointed out that the scheme by Yoo et al. still suffers from stolen-verifier and offline password guessing attacks and proposed an improved scheme. But Farash and Attari [42] found Xie's scheme insecure against password guessing attacks and proposed an improved scheme. To equip Farash and Attari's scheme with user anonymity, Zhang et al. [43] proposed an anonymous authentication scheme.

1.2. Motivation and contribution

To improve the efficiency of these authentication schemes, Zhang et al. [44] also proposed a new password-based authenticated protocol and claimed that it is efficient and secure against known attacks. However, in this paper, we demonstrate that the protocol by Zhang et al. suffers from crucial attacks, including an impersonation attack and a password changing attack. To overcome these weaknesses, we propose a novel authentication scheme that is more secure and practical for SIP.

1.3. Outline

The rest of this paper is organized as follows. Section 2 defines elliptic curves. We review the protocol by Zhang et al. in Section 3. In Section 4, we present the security weaknesses of the protocol by Zhang et al. The improved scheme and its analysis are given in Section 5 and Section 6, respectively. Finally, we conclude the paper in Section 7.

2. PRELIMINARIES

2.1. Elliptic curves

An elliptic curve E over a finite field $\mathbb{F}_p$ is defined by the Weierstrass equation

$$E:\; y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (1)$$

where $a_i \in \mathbb{F}_p$ for $i = 1, 2, 3, 4, 6$ and $\Delta \neq 0$; $\Delta$ is the discriminant of the elliptic curve E. The condition $\Delta \neq 0$ guarantees that the curve is smooth. There is also a point at infinity on the curve, denoted by $\mathcal{O}$. Two points on the curve are added with the chord-and-tangent rule. Under this addition rule, the set of points, denoted by $E(\mathbb{F}_p)$, forms a


2.2. Security requirements of authentication schemes for SIP

To provide efficiency and security, an authentication scheme for SIP should satisfy the following requirements:

1. Known-key security: The disclosure of past session keys will not help the adversary to get future session keys and to derive the password.

2. Forward secrecy: A compromised password does not affect the secrecy of previous session keys.

3. Password guessing attacks resistance: The adversary cannot perform an exhaustive offline/online search for the password by analyzing the captured messages of one or more sessions.

4. Freely chosen password: A mobile user is allowed to choose and change his/her password freely and does not need to remember a long string.

5. User anonymity: An adversary cannot obtain the real identity of a mobile user and cannot trace the location of the mobile user.

6. Mutual authentication: The user and the server authenticate each other.

7. Key agreement: After mutual authentication, the user shares a session key with the server for secure message transfer between them. The session key of each session should not be related to former session keys, for forward secrecy.

3. REVIEW OF THE PROTOCOL BY ZHANG ET AL.

In this section, we review the password-based authenticated key agreement protocol by Zhang et al. using the same notation (Table I) as [44]. This protocol has four phases: setup, registration, authentication, and password changing.

3.1. Setup phase

In this phase, the server chooses the following items:

• the elliptic curve E over the finite field $\mathbb{F}_q$;
• the additive group G generated by the base point P with prime order p;
• three one-way hash functions $h: \{0,1\}^* \to \{0,1\}^k$, $h_1: G \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^k$, and $h_2: G \times G \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^k$; and
• the random number $s \in \mathbb{Z}_p^*$ as the server's private key, from which it computes the corresponding public key $P_{pub} = sP$.

Finally, the server publishes the public parameters $\{E(\mathbb{F}_q), P, p, G, h, h_1, h_2, P_{pub}\}$ and keeps the private key s secret.

Table I. The notations.

Notation | Description
$U$ | A user
$username_U$ | The unique identity of the user U
$PW_U$ | The password of the user U
$(R_U, a_U)$ | The secret information of the user U stored in the smart card
$p, q$ | Two prime numbers
$E$ | An elliptic curve
$\mathbb{F}_q$ | A finite field
$E(\mathbb{F}_q)$ | The group of points on the elliptic curve E over the finite field $\mathbb{F}_q$
$P$ | An element of $E(\mathbb{F}_q)$ with prime order p
$G$ | The subgroup of $E(\mathbb{F}_q)$ generated by the base point P
$\mathbb{Z}_p^*$ | The non-zero integers modulo p
$h$ | The hash function $h: \{0,1\}^* \to \{0,1\}^k$
$h_1$ | The hash function $h_1: G \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^k$
$h_2$ | The hash function $h_2: G \times G \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^k$
$Enc, Dec$ | Symmetric encryption and decryption algorithms
$s$ | The private key of the server

3.2. Registration phase

In this phase, a user U who wants to become a legal user of the remote server performs the following steps over a secure channel:

• U freely chooses the password $PW_U$ and a random number $a_U \in \mathbb{Z}_p^*$, computes $h(PW_U \| a_U)$, and sends the message $\{h(PW_U \| a_U), username_U\}$ to the remote server.

• On receiving $\{h(PW_U \| a_U), username_U\}$, the server computes $R_U = h(h(PW_U \| a_U) \| username_U)\, s^{-1} P$, stores $R_U$ in a smart card, and delivers the smart card to U.

• On receiving the smart card, U writes the random number $a_U$ into the memory of the card and memorizes the password $PW_U$.

3.3. Authentication phase

When the user U wants to log in to the remote server, he/she inserts his/her smart card into a card reader and inputs his/her username and password $PW_U$. Then the smart card and the remote server proceed as follows:

Step A1. The smart card randomly chooses $b \in \mathbb{Z}_p^*$, computes $V = bR_U + h(username_U)P$ and $W = b\,h(h(PW_U \| a_U) \| username_U)\,P_{pub}$, and sends $\{username_U, V, W\}$ to the remote server.

Step A2. On receiving $\{username_U, V, W\}$, the remote server first computes $X = h(username_U)P$ and $W' = s^2(V - X)$, then checks whether $W = W'$. If it holds, the remote server selects random numbers $c, r \in \mathbb{Z}_p^*$ and computes $S = cP$, $K = cs(V - X) = cbP$, $SK = h_1(K \| r \| username_U)$ and $Auth_s = h_2(K \| W' \| r \| SK)$. Finally, the remote server sends the message $\{realm, Auth_s, S, r\}$ to the smart card.

Step A3. On receiving $\{realm, Auth_s, S, r\}$, U computes $K = bS = bcP$ and $SK = h_1(K \| r \| username_U)$, then verifies $Auth_s = h_2(K \| W \| r \| SK)$. If it holds, the smart card computes $Auth_u = h_2(K \| W \| r+1 \| SK)$ and sends the message $\{realm, Auth_u\}$ to the remote server.

Step A4. On receiving $\{realm, Auth_u\}$, the remote server checks whether $Auth_u = h_2(K \| W' \| r+1 \| SK)$. If it holds, the remote server accepts the claimant U as a legal user.

3.4. Password changing phase

The user U can change his/her password freely in this phase. To do so, he/she first executes the login and authentication phase with $username_U$ and the old password $PW_U$. After successful authentication, with the session key SK shared, the user U proceeds as follows:

Step C1. U freely selects a new password $PW_U$ and random numbers $N, a_U \in \mathbb{Z}_p^*$. U then computes $C_1 = Enc_{SK}(username_U \| N \| h(PW_U \| a_U) \| h(username_U \| N \| h(PW_U \| a_U)))$ and sends $\{username_U, C_1, N\}$ to the server.

Step C2. On receiving $\{username_U, C_1, N\}$, the server decrypts $C_1$ and verifies the integrity of $h(username_U \| N \| h(PW_U \| a_U))$. If it is valid, the server computes the new $R_U = h(h(PW_U \| a_U) \| username_U)\, s^{-1} P$, encrypts it as $C_2 = Enc_{SK}(R_U \| h(username_U \| N+1 \| R_U))$, and sends $C_2$ to U.

Step C3. On receiving the message, U decrypts it and checks its integrity. If it is valid, U stores the new $R_U$ and $a_U$ in the smart card.

4. SECURITY WEAKNESSES OF THE PROTOCOL BY ZHANG ET AL.

In this section, we present three attacks on the protocol by Zhang et al. [44].

4.1. Extraction of the sensitive information

The basis of the proposed attacks on the protocol by Zhang et al. is that each legal user U can calculate the value $s^{-1}P$ from his/her own sensitive information $R_U$. Therefore, before describing the attacks, we show how each user can calculate the critical value $s^{-1}P$.

Assume the legal user U owns a smart card containing the sensitive information $\{R_U = h(h(PW_U \| a_U) \| username_U)\, s^{-1}P,\; a_U\}$. To obtain $R_U$, he/she can apply a side-channel attack [45] and analyze the power consumption of his/her own smart card. However, side-channel attacks on a smart card are costly and time-consuming. Alternatively, each legal user can employ the password change protocol (Section 3.4) to obtain the sensitive information: the user performs the password changing phase, selecting new parameters $PW_U$ and $a_U$, and at the end of the execution receives the new sensitive data $R_U$ (recovered from $C_2$ under the session key SK that the user holds). Since the user knows $PW_U$, $a_U$ and $username_U$, he/she can then easily calculate

$$s^{-1}P = \big(h(h(PW_U \| a_U) \| username_U)\big)^{-1} R_U,$$

where the inverse of the hash value is taken modulo p.

In the following subsections, we show how a malicious user A can make use of $s^{-1}P$ to mount attacks on the protocol by Zhang et al.

4.2. Attack 1: Stolen smart card attack

In this attack, an attacker who has obtained the secret information stored in a smart card is able to recover the card owner's password. Assume the malicious user A, who has obtained $s^{-1}P$ from his/her own smart card, finds or steals the smart card of another user U. A can guess U's password as follows:

Step 1. A extracts the secret information $\{R_U, a_U\}$ from U's smart card using side-channel techniques.

Step 2. A guesses a password $PW'_U$ and computes $R'_U = h(h(PW'_U \| a_U) \| username_U)\, s^{-1}P$.

Step 3. A checks whether $R'_U = R_U$. If it holds, the guessed password $PW'_U$ is correct. Otherwise, A returns to Step 2 with the next candidate.

Since every quantity in Step 2 other than the guessed password is known to A, the search is fully offline and costs one hash and one scalar multiplication per candidate.

4.3. Attack 2: Impersonation attack

In this attack, a malicious user can easily impersonate other legal users. The malicious user A, who has obtained $s^{-1}P$ as described in Section 4.1, performs the following steps with the remote server in the role of the legal user U, as shown in Figure 1:

Step I1. A randomly chooses $\hat b \in \mathbb{Z}_p^*$, computes $\hat V = \hat b\, s^{-1}P + h(username_U)P$ and $\hat W = \hat b\, P_{pub}$, and sends $\{username_U, \hat V, \hat W\}$ to the remote server.

Step I2. On receiving $\{username_U, \hat V, \hat W\}$, the remote server first computes $X = h(username_U)P$ and $W' = s^2(\hat V - X)$, then checks whether $\hat W = W'$. The check passes, because $W' = s^2(\hat V - X) = s^2 \hat b\, s^{-1}P = s\hat b P = \hat b P_{pub} = \hat W$. Thus, the remote server selects random numbers $c, r \in \mathbb{Z}_p^*$ and computes $S = cP$, $K = cs(\hat V - X) = c\hat b P$, $SK = h_1(K \| r \| username_U)$ and $Auth_s = h_2(K \| W' \| r \| SK)$. Finally, the remote server sends $\{realm, Auth_s, S, r\}$ to A.

Step I3. On receiving $\{realm, Auth_s, S, r\}$, A computes $K = \hat b S = \h at{b} cP$ and $SK = h_1(K \| r \| username_U)$, then verifies $Auth_s = h_2(K \| \hat W \| r \| SK)$. The equation holds, because $\hat W = W'$ and the values of K and SK computed by the remote server and by A are equal. Thus, A computes $Auth_u = h_2(K \| \hat W \| r+1 \| SK)$ and sends the message $\{realm, Auth_u\}$ to the remote server.

Step I4. On receiving $\{realm, Auth_u\}$, the remote server checks whether $Auth_u = h_2(K \| W' \| r+1 \| SK)$. The equation holds for the same reason: $\hat W = W'$ and the values of K and SK computed by the remote server and by A are equal.

Therefore, the remote server is convinced that it has communicated with the legal user U, whereas the protocol was in fact carried out by the malicious user A. A has thus impersonated the legal user U to the remote server and shares the session key SK with it, without knowing U's password or the contents of U's smart card.

Figure 1. The impersonation attack on the protocol by Zhang et al.
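The attacks of Sections 4.1–4.3 are plain group arithmetic, so they can be checked end to end. The following Python is an added example, not code from this paper or from Zhang et al.: it instantiates the reviewed scheme over secp256k1 with pure-Python affine arithmetic (the hash h is SHA-256 reduced into $\mathbb{Z}_p$, a stand-in for the paper's h), lets an insider A derive $s^{-1}P$ from her own $R_A$, forges a login for a victim U that passes the server's check $W = s^2(V - X)$, and runs the offline password guess against U's stolen card contents. The server secret, usernames, passwords, nonces and candidate list are all constructed. The example stops at the server's acceptance check of Step A2 rather than completing the key agreement, because in the reviewed equations the server's $K = cs(V - X)$ carries the factor $h(h(PW_U \| a_U) \| username_U)$ that the card's $K = bS$ does not, so the honest run as printed does not yield a shared K; the impersonation, which is what this block exercises, does not depend on that step.

```python
# Added example (not from the paper): the scheme by Zhang et al. as reviewed in
# Section 3, instantiated over secp256k1, and the insider attacks of Sections
# 4.1-4.3. Server secret, usernames, passwords and nonces below are constructed.
import hashlib

# secp256k1 parameters: field prime Q, base point G of prime order N.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine chord-and-tangent addition; None is the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return x3, (lam * (x1 - x3) - y1) % Q


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (k taken mod the group order N)."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % Q)


def h(*parts):
    """Stand-in for the paper's hash: SHA-256 of the joined parts, reduced into Z_N."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


S = 0x1D4E5F6A7B8C9D0E1F2A3B4C5D6E7F80123456789ABCDEF0FEDCBA9876543210  # server secret s (constructed)
PPUB = ec_mul(S, G)                                                         # Ppub = sP


def register(username, pw, a_u):
    """Registration: R_U = h(h(PW_U||a_U)||username_U) * s^-1 P is written to the card."""
    return ec_mul(h(h(pw, a_u), username) * pow(S, -1, N), G)


def login_request(username, pw, r_u, a_u, b):
    """Step A1 on the card: V = b R_U + h(username_U) P, W = b h(h(PW_U||a_U)||username_U) Ppub."""
    v = ec_add(ec_mul(b, r_u), ec_mul(h(username), G))
    w = ec_mul(b * h(h(pw, a_u), username), PPUB)
    return v, w


def server_accepts(username, v, w):
    """Step A2: the server accepts iff W == s^2 (V - X) with X = h(username_U) P."""
    x = ec_mul(h(username), G)
    return ec_mul(S * S, ec_add(v, ec_neg(x))) == w


def extract_s_inv_p(username, pw, r_u, a_u):
    """Section 4.1: a legal user cancels the hash factor of its own R_U to get s^-1 P."""
    return ec_mul(pow(h(h(pw, a_u), username), -1, N), r_u)


def forge_login(username, s_inv_p, b_hat):
    """Section 4.3: V^ = b^ s^-1 P + h(username_U) P and W^ = b^ Ppub; no password needed."""
    v_hat = ec_add(ec_mul(b_hat, s_inv_p), ec_mul(h(username), G))
    return v_hat, ec_mul(b_hat, PPUB)


def guess_password(username, r_u, a_u, s_inv_p, candidates):
    """Section 4.2: offline test of candidate passwords against a stolen card's R_U."""
    for pw in candidates:
        if ec_mul(h(h(pw, a_u), username), s_inv_p) == r_u:
            return pw
    return None


def demo():
    """Alice is the insider A, Bob the victim U; every value here is constructed."""
    r_alice = register("alice", "alice-pw", 0xA11CE)
    r_bob = register("bob", "hunter2", 0xB0B)
    honest = server_accepts("bob", *login_request("bob", "hunter2", r_bob, 0xB0B, 4242))
    s_inv_p = extract_s_inv_p("alice", "alice-pw", r_alice, 0xA11CE)
    forged = server_accepts("bob", *forge_login("bob", s_inv_p, 9999))
    guessed = guess_password("bob", r_bob, 0xB0B, s_inv_p, ["123456", "password", "hunter2"])
    return {"honest_login": honest, "forged_login": forged, "guessed_pw": guessed,
            "s_inv_p_is_correct": s_inv_p == ec_mul(pow(S, -1, N), G)}
```

Running demo() shows the server accepting both the honest login and the forged one, and the guess loop returning U's password after testing a three-word list; the insider needed only her own card and U's username.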

4.4. Attack 3: Password changing attack

In this attack, the malicious user A first impersonates the legal user U and shares the session key SK with the remote server (Section 4.3). Then A performs the password changing phase in place of U and changes U's password. To do so, A proceeds as follows:

Step 1. A freely selects a new password $PW_U$ and random numbers $N, a_U \in \mathbb{Z}_p^*$. A then computes $C_1 = Enc_{SK}(username_U \| N \| h(PW_U \| a_U) \| h(username_U \| N \| h(PW_U \| a_U)))$ and sends $\{username_U, C_1, N\}$ to the server.

Step 2. On receiving $\{username_U, C_1, N\}$, the server decrypts $C_1$ and verifies the integrity of $h(username_U \| N \| h(PW_U \| a_U))$. If it is valid, the server computes $R_U = h(h(PW_U \| a_U) \| username_U)\, s^{-1}P$, encrypts it as $C_2 = Enc_{SK}(R_U \| h(username_U \| N+1 \| R_U))$, and sends $C_2$ to A.

Step 3. On receiving the message, A decrypts it and checks its integrity. If it is valid, the server has accepted the password change for $username_U$, and A holds the new $R_U$ and $a_U$.

Hereafter, the real user U cannot log in to the remote server with his/her password, because the password was changed by the malicious user A and accepted by the remote server.

5. THE IMPROVED SCHEME

We propose an improved remote user authentication scheme to overcome the security weaknesses inherent in the scheme by Zhang et al. [44]. The proposed scheme consists of four phases: initial phase, registration phase, login and authentication phase, and password change phase.

5.1. Initial phase

In this phase, the server S selects the generator P of G with order p and the master secret key $s \in \mathbb{Z}_p^*$. Then S computes the corresponding master public key $P_{pub} = sP$ and chooses a cryptographic one-way hash function $h(\cdot): \{0,1\}^* \to \mathbb{Z}_p^*$.

5.2. Registration phase

U can register or re-register at the remote server S by performing the following steps through a secure channel, as shown in Figure 2:

Step 1. U chooses the identity $ID_u$, the password $PW_u$, and a random number $R_u$, and calculates $PRW_u = h(R_u \| PW_u \| BI_u)$, where $BI_u$ is the unique biometric identity of U. Then, he/she sends the message $\{ID_u, PRW_u\}$ to S.

Step 2. On receiving $\{ID_u, PRW_u\}$, S checks whether $ID_u$ is valid and rejects the request if it is not. Then S checks the account records in its database. If U is a new user, S adds $(ID_u, N = 0)$ to the database; otherwise, S sets $N = N + 1$ and stores it. Then S calculates $J_u = h(s \| ID_u \| N)$ and $L_u = J_u + h(PRW_u \| ID_u) \bmod p$. Finally, S stores $\{J_u, L_u, h(\cdot), Enc_{key}(\cdot), Dec_{key}(\cdot), P, p, P_{pub}\}$ in the smart card SC and issues it to U.

Step 3. On receiving the smart card SC, U inserts $R_u$ into SC. Finally, SC contains $\{J_u, L_u, R_u, h(\cdot), Enc_{key}(\cdot), Dec_{key}(\cdot), P, p, P_{pub}\}$.

5.3. Login and authentication phase

When U wants to log in to the server S, he/she inserts his/her smart card into the card reader and inputs $ID_u$, $PW_u$, and the biometric identity $BI_u$. The details of this phase, shown in Figure 3, are as follows:

Figure 3. Login and authentication phase of the proposed protocol.

Step 1. The smart card SC retrieves $J_u$, $L_u$ and $R_u$, computes $PRW'_u = h(R_u \| PW_u \| BI_u)$, and checks whether $J_u = L_u - h(PRW'_u \| ID_u) \bmod p$. If it does not hold, SC terminates the login process. Otherwise, SC selects a random number $\alpha \in \mathbb{Z}_p^*$, computes $M_1 = \alpha P$, $k = \alpha P_{pub} = \alpha sP$, $M_2 = h(ID_u \| J_u \| M_1)$ and $M_3 = Enc_k(ID_u \| M_2)$, and sends the login message $\{M_1, M_3\}$ to S.

Step 2. On receiving $\{M_1, M_3\}$, S computes $k' = sM_1 = \alpha sP$ and decrypts $M_3$ as $Dec_{k'}(M_3)$ to obtain $ID_u$ and $M_2$. Then S extracts N from its database, computes $J_u = h(s \| ID_u \| N)$, and verifies $h(ID_u \| J_u \| M_1) = M_2$. If it does not hold, S terminates the session. Otherwise, S selects a random number $\beta \in \mathbb{Z}_p^*$, computes $M_3 = \beta P$, $M_4 = \beta M_1 = \alpha\beta P$ and $M_5 = h(ID_u \| M_3 \| h(s \| ID_u \| N) \| M_4)$, and sends the response message $\{M_3, M_5\}$ to SC. (This $M_3$ is the server's fresh point and is distinct from the login ciphertext $M_3$ of Step 1.)

Step 3. On receiving $\{M_3, M_5\}$, SC computes $M'_4 = \alpha M_3 = \alpha\beta P$ and verifies $M_5 = h(ID_u \| M_3 \| J_u \| M'_4)$. If it does not hold, SC terminates the session. Otherwise, it computes $M_6 = h(ID_u \| M_3 \| M'_4)$ and sends it to S. Finally, it computes the session key $SK = h(ID_u \| M_3 \| M'_4 \| M_5 \| M_6)$.

Step 4. On receiving $\{M_6\}$, S verifies $M_6 = h(ID_u \| M_3 \| M_4)$. If it holds, S computes the session key $SK = h(ID_u \| M_3 \| M_4 \| M_5 \| M_6)$, which equals the card's key because $M_4 = M'_4 = \alpha\beta P$.

5.4. Password change phase

In the scheme by Zhang et al., the client changes the password only after verification by the server and the smart card. In our scheme, the user changes the password after verification by the smart card alone, so no interaction with the server is needed.

Step 1. To change the password, U inserts his/her smart card SC into the card reader and inputs his/her identity $ID_u$, the old password $PW_u$, and his/her biometric information $BI_u$.

Step 2. SC retrieves $J_u$, $L_u$ and $R_u$, computes $PRW'_u = h(R_u \| PW_u \| BI_u)$, and checks whether $J_u = L_u - h(PRW'_u \| ID_u) \bmod p$. If it does not hold, SC terminates the process. Otherwise, U inputs the new password $PW^{new}_u$.

Step 3. SC computes $PRW^{new}_u = h(R_u \| PW^{new}_u \| BI_u)$ and $L^{new}_u = J_u + h(PRW^{new}_u \| ID_u) \bmod p$.

Step 4. SC replaces $L_u$ with $L^{new}_u$. $J_u$ is left unchanged, since the server continues to derive it as $h(s \| ID_u \| N)$ and the login message $M_2$ must match that value.
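To see the whole improved scheme working, including a password change followed by a fresh login, here is an added Python example (not code from the paper). It models the group of Section 2 multiplicatively, writing the scalar multiple $aP$ as $g^a \bmod q$ in the prime-order subgroup of a demonstration-size safe prime, and uses a SHA-256 XOR stream as a stand-in for $Enc_k/Dec_k$; both are constructed choices so the block runs with the standard library only, not the paper's parameters. Because the paper's Steps 3 and 4 label the server's fresh point, the final authenticator and the session key inconsistently, the code uses one consistent reading: the server's ephemeral point is sent with $M_5$, the card returns $M_6 = h(ID_u \| M_3 \| M'_4)$, and both sides derive $SK = h(ID_u \| M_3 \| M'_4 \| M_5 \| M_6)$. The password change updates only $L_u$: since the server keeps deriving $J_u = h(s \| ID_u \| N)$, a card that rewrote $J_u$ could no longer produce a valid $M_2$. Identities, passwords, the biometric template string and all exponents are constructed.

```python
# Added example (not the paper's code): the improved scheme of Section 5 over a
# multiplicative toy group. q = 10007 is a safe prime and g = 4 generates the
# subgroup of prime order p = 5003; the paper's "aP" is written pow(g, a, q).
import hashlib

Q, P, G = 10007, 5003, 4  # demonstration-size parameters, not for real use

def h(*parts):
    """Stand-in for h(.): SHA-256 over the '|'-joined parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest(), "big")

def xor_stream(k, msg):
    """Toy Enc_k / Dec_k (same function): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i, m in enumerate(msg):
        if i % 32 == 0:
            block = hashlib.sha256(f"{k}|{i // 32}".encode()).digest()
        out.append(m ^ block[i % 32])
    return bytes(out)

class Server:
    def __init__(self, s):
        self.s, self.pub, self.db = s, pow(G, s, Q), {}  # db holds ID_u -> N only

    def register(self, id_u, prw_u):
        """Registration step 2: J_u = h(s||ID_u||N), L_u = J_u + h(PRW_u||ID_u) mod p."""
        self.db[id_u] = self.db.get(id_u, -1) + 1  # new user: N = 0; re-registration: N + 1
        j_u = h(self.s, id_u, self.db[id_u]) % P
        return j_u, (j_u + h(prw_u, id_u)) % P

    def respond(self, m1, m3, beta):
        """Login step 2: k' = s*M1, recover ID_u and M2, check M2, send {beta*P, M5}."""
        plain = xor_stream(pow(m1, self.s, Q), m3)
        id_u, m2 = plain[:-32].decode("utf-8", "replace"), int.from_bytes(plain[-32:], "big")
        if id_u not in self.db:
            return None
        j_u = h(self.s, id_u, self.db[id_u]) % P
        if m2 != h(id_u, j_u, m1):
            return None
        y, m4 = pow(G, beta, Q), pow(m1, beta, Q)  # beta*P and beta*M1 = alpha*beta*P
        m5 = h(id_u, y, j_u, m4)
        self.pending = (id_u, y, m4, m5)
        return y, m5

    def finish(self, m6):
        """Login step 4: verify M6, then derive SK."""
        id_u, y, m4, m5 = self.pending
        return h(id_u, y, m4, m5, m6) if m6 == h(id_u, y, m4) else None

class Card:
    def __init__(self, j_u, l_u, r_u):
        self.J, self.L, self.R = j_u, l_u, r_u  # public parameters are module constants

    def _check(self, id_u, pw, bi):
        """Local test J_u == L_u - h(PRW_u||ID_u) mod p with PRW_u = h(R_u||PW_u||BI_u)."""
        return self.J == (self.L - h(h(self.R, pw, bi), id_u)) % P

    def login(self, id_u, pw, bi, pub, alpha):
        """Login step 1: {M1, M3}; ID_u travels only inside Enc_k with k = alpha*Ppub."""
        if not self._check(id_u, pw, bi):
            return None
        m1, k = pow(G, alpha, Q), pow(pub, alpha, Q)
        m2 = h(id_u, self.J, m1)
        self.pending = (id_u, alpha)
        return m1, xor_stream(k, id_u.encode() + m2.to_bytes(32, "big"))

    def finish(self, y, m5):
        """Login step 3: verify M5, emit M6, derive SK."""
        id_u, alpha = self.pending
        m4 = pow(y, alpha, Q)
        if m5 != h(id_u, y, self.J, m4):
            return None
        m6 = h(id_u, y, m4)
        return m6, h(id_u, y, m4, m5, m6)

    def change_password(self, id_u, pw, bi, new_pw):
        """Password change: only L_u moves; J_u stays tied to the server's h(s||ID_u||N)."""
        if not self._check(id_u, pw, bi):
            return False
        self.L = (self.J + h(h(self.R, new_pw, bi), id_u)) % P
        return True

def run_login(card, srv, id_u, pw, bi, alpha, beta):
    """One full exchange; returns (SK_card, SK_server), or None if a side rejects."""
    req = card.login(id_u, pw, bi, srv.pub, alpha)
    resp = req and srv.respond(*req, beta)
    done = resp and card.finish(*resp)
    return None if not done else (done[1], srv.finish(done[0]))

def demo():
    """Constructed run: registration, login, wrong password, password change, login."""
    srv, uid, bi, r_u = Server(s=1234), "alice@example.org", "fp-template-01", 98765
    card = Card(*srv.register(uid, h(r_u, "first-pw", bi)), r_u)
    first = run_login(card, srv, uid, "first-pw", bi, alpha=4242, beta=777)
    wrong = run_login(card, srv, uid, "wrong-pw", bi, alpha=11, beta=13)
    changed = card.change_password(uid, "first-pw", bi, "second-pw")
    second = run_login(card, srv, uid, "second-pw", bi, alpha=3133, beta=4711)
    return {"first_login_agrees": first is not None and first[0] == first[1],
            "wrong_password_rejected": wrong is None,
            "password_changed": changed,
            "login_after_change_agrees": second is not None and second[0] == second[1],
            "id_hidden_on_wire": b"alice" not in card.login(uid, "second-pw", bi, srv.pub, 5)[1]}
```

The server side never sees $PW_u$, $R_u$ or $BI_u$ and stores only the counter N per identity, while the identity itself reaches the wire only inside the ciphertext keyed by $\alpha P_{pub}$, which is what the anonymity argument of Section 6.8 relies on.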

6. SECURITY ANALYSIS AND COMPARISON

6.1. No verification table

The server stores only the client's identity $ID_u$ and the registration counter N in its database. $ID_u$ and N are not the client's secrets and can be made public. If an attacker compromises the server, he obtains only the public information $ID_u$ and N, and no password verification information. Thus, the server does not need to maintain a verification table.

6.2. Stolen-verifier attack

There is no verification table such as hashed passwords or any information containing $PW_u$. The server S authenticates the client's session with its secret number s and uses no value related to $PW_u$. So our scheme is secure against the stolen-verifier attack.

6.3. Man-in-middle attack

Assume that the attacker A intercepts the messages between U and S and replaces part or all of a message with his own forged information to impersonate the user or the server. It is infeasible for A to fabricate legal messages, because they depend on $J_u$, which the card uses only after the password and biometric check has passed and which the server derives from its secret s. Therefore, our scheme withstands client impersonation, server impersonation, and modification attacks.

6.4. Mutual authentication

It is important for an authentication scheme to let the client and the server verify each other's identity. Once a scheme withstands both user and server impersonation attacks, it provides mutual authentication, as the analysis of the man-in-the-middle attack above shows.

6.5. Privileged administrator resilience

The privileged administrator has full control of the server. If the administrator learns a client's password, he may log in to the client's other applications with it, because many people reuse the same password on different servers. Our scheme provides password confidentiality even against the privileged administrator. In the registration phase, U sends $\{ID_u, PRW_u\}$ to the server S, where $PRW_u = h(R_u \| PW_u \| BI_u)$. The submitted $PRW_u$, blinded by $R_u$ and $BI_u$, leaks no information about the password $PW_u$: $PW_u$ is protected by a hash function keyed with $R_u$ and $BI_u$, and without knowing $R_u$ and $BI_u$ the administrator cannot mount an offline password guessing attack to obtain the client's password.

6.6. Freely chosen password

The password is selected by the user himself and can be updated anytime if the user wants. It is more flexible and convenient compared with password chosen by the server. In password change phase, the user can update the current password with a new one.

6.7. Known-key security

The random key materials $\alpha$ and $\beta$ are fresh values for each session, so one session key is independent of another. Thus, compromising some session keys does not affect the other session keys.


6.8. User anonymity and untraceability

No third party can learn the real identity of U, because $ID_u$ is sent encrypted under the key $k = \alpha P_{pub}$, and recovering k from $M_1 = \alpha P$ and $P_{pub} = sP$ requires s (or $\alpha$). Furthermore, k varies in each session because it is generated from the random number $\alpha$, which differs for each session, so the login messages of different sessions cannot be linked. It is thus infeasible for A to tell U apart from other users on the communication channel. So our scheme satisfies user anonymity and untraceability.

6.9. Resistance of password guessing attacks

We assume that the attacker is able to steal a client's smart card. Once the attacker has the card, he can extract the data $\{J_u, L_u, R_u, h(\cdot), Enc_{key}(\cdot), Dec_{key}(\cdot), P, p, P_{pub}\}$ stored in it by a physical attack.

We show that our scheme resists offline password guessing attacks on a stolen smart card. In our scheme, the password $PW_u$ enters only through $PRW_u = h(R_u \| PW_u \| BI_u)$, and the only test available to the attacker is $J_u = L_u - h(PRW_u \| ID_u) \bmod p$. Since $J_u$, $L_u$ and $R_u$ are all on the card, this test needs no value from the server; what the attacker lacks is the biometric $BI_u$, which is neither stored on the card nor sent to the server. Without $BI_u$, the attacker cannot verify the correctness of a guessed password, so the resistance of the scheme to this attack rests on $BI_u$ remaining secret.

6.10. Forward security

Forward security is the property that the scheme remains secure even if the attacker compromises some long-term keys. Perfect forward security means that the scheme is not compromised even if all long-term keys are compromised. Because our session key is derived from the Diffie–Hellman value $\alpha\beta P$ of fresh ephemeral exponents that are never sent, our scheme provides perfect forward security.

6.11. Security comparison

The security properties of the proposed scheme and of the scheme by Zhang et al. [44] are compared in Table II. From Table II, we can see that the proposed scheme not only provides new security properties but also prevents the attacks that apply to the scheme by Zhang et al. As a result, the proposed scheme is more secure and offers more functionality than the scheme by Zhang et al.

Table II. Security comparison.

Security properties | Proposed scheme | The scheme by Zhang et al. [44]
No verification table | Yes | Yes
Prevention of guessing attack | Yes | No
Prevention of replay attack | Yes | Yes
Prevention of stolen-verifier attack | Yes | Yes
Prevention of stolen smart card attack | Yes | No
Prevention of privileged server attack | Yes | Yes
Prevention of impersonation attack | Yes | No
Prevention of modification attack | Yes | No
Mutual authentication | Yes | Yes
Known-key security | Yes | Yes
Perfect forward secrecy | Yes | Yes
Biometric authentication | Yes | No
User anonymity and untraceability | Yes | No

6.12. Performance comparison

We evaluate the performance of the proposed scheme in terms of computation cost. To estimate the computation cost, we define the following notation: PM is the time complexity of an elliptic curve scalar point multiplication, PA that of an elliptic curve point addition, H that of a one-way hash function or message authentication code, I that of a modular inversion, and SE that of a symmetric encryption/decryption. Other operations such as random number generation and modular addition and multiplication need very little computation and are usually neglected. The computation cost of our scheme and of the scheme by Zhang et al. [44] is summarized in Table III.

Table III. Performance comparison.

Scheme | U's computational cost | S's computational cost
The scheme by Zhang et al. [44] | 4PM + 1PA + 4H | 4PM + 1PA + 4H
Our scheme | 3PM + 1SE + 6H | 3PM + 1SE + 5H

7. CONCLUSIONS

In this paper, we analyzed the password-based authenticated key agreement protocol by Zhang et al. We pointed out that the main weakness of the protocol is that each legal user can calculate $s^{-1}P$ from his/her own secret information. Based on this observation, we showed that the protocol by Zhang et al. suffers from three crucial flaws by which an insider attacker can impersonate any legal user, recover a user's password, and even change a user's password without his/her awareness. As a remedy, we proposed an improved authentication scheme using elliptic curves. Our analysis showed that the improved scheme overcomes the weaknesses of the scheme by Zhang et al.

REFERENCES

1. Li JS, Kao CK, Tzeng JJ. VoIP secure session assistance and call monitoring via building security gateway. International Journal of Communication Systems, posted on 2011. DOI: 10.1002/dac.1191 (to appear in print).
2. Chen WE, Huang YL, Lin YB. An effective IPv4-IPv6 translation mechanism for SIP applications in next generation networks. International Journal of Communication Systems, posted on 2010. DOI: 10.1002/dac.1040 (to appear in print).
3. Chen WE, Lin PJ. A performance study for IPv4-IPv6 translation in IP multimedia core network subsystem. International Journal of Communication Systems, posted on 2010. DOI: 10.1002/dac.1071 (to appear in print).
4. Lloret J, Garcia M, Atenas M, Canovas A. A QoE management system to improve the IPTV network. International Journal of Communication Systems 2011; 24(1):118–138.
5. Chiu KL, Chen YS, Hwang RH. Seamless session mobility scheme in heterogeneous wireless networks. International Journal of Communication Systems, posted on 2011. DOI: 10.1002/dac.1189 (to appear in print).
6. Cho K, Pack S, Kwon TT, Choi Y. An extensible and ubiquitous RFID management framework over next-generation networks. International Journal of Communication Systems, posted on 2010. DOI: 10.1002/dac.1073 (to appear in print).
7. Chiang WK, Chang WY. Mobile-initiated network-executed SIP-based handover in IMS over heterogeneous accesses. International Journal of Communication Systems, posted on 2010. DOI: 10.1002/dac.1115 (to appear in print).
8. Chen MX, Wang FJ. Session integration service over multiple devices. International Journal of Communication Systems, posted on 2010. DOI: 10.1002/dac.1109 (to appear in print).
9. Geneiatakis D, Dagiuklas T, Kambourakis G, Lambrinoudakis C, Gritzalis S, Ehlert S. Survey of security vulnerabilities in session initiation protocol. IEEE Communications Surveys and Tutorials 2006; 8(3):68–81.
10. Rosenberg J, Schulzrinne H, Camarillo G, Johnston A, Peterson J, Sparks R, Handley M, Schooler E. SIP: Session Initiation Protocol. RFC 3261, The Internet Engineering Task Force, The Internet Society, 2002.
11. Farash MS, Attari MA. Cryptanalysis and improvement of a chaotic maps-based key agreement protocol using Chebyshev sequence membership testing. Nonlinear Dynamics 2014; 76(2):1203–1213.
12. Farash MS, Attari MA. An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps. Nonlinear Dynamics 2014; 77(1-2):399–411.
13. Jiang Q, Ma J, Tian Y. Cryptanalysis of smartcard-based password authenticated key agreement protocol for session initiation protocol of Zhang et al. International Journal of Communication Systems, posted on 2014. DOI: 10.1002/dac.2767 (to appear in print).
14. Sadat Mousavi-nik S, Yaghmaee-moghaddam MH, Ghaznavi-ghoushchi MB. Proposed secure SIP authentication scheme based on elliptic curve cryptography. International Journal of Computer Applications 2012; 58(8):25–30.
15. Yoon E, Yoo K, Kim C, Hong Y, Jo M, Chen H. A secure and efficient SIP authentication scheme for converged
16. Wang F, Zhang Y. A new provably secure authentication and key agreement mechanism for SIP using certificateless public-key cryptography. Computer Communications 2008; 31:2142–2149.
17. Dimitris G, Costas L. A lightweight protection mechanism against signaling attacks in a SIP-based VoIP environment. Telecommunication Systems 2007; 36(4):153–159.
18. Wu L, Zhang Y, Wang F. A new provably secure authentication and key agreement protocol for SIP using ECC. Computer Standards & Interfaces 2009; 31(2):286–291.
19. Liao Y, Wang S. A new secure password authenticated key agreement scheme for SIP using self-certified public keys on elliptic curves. Computer Communications 2010; 33(3):372–380.
20. Wu S, Pu Q, Kang F. Practical authentication scheme for SIP. Peer-to-Peer Networking and Applications 2013; 6(1):61–74.
21. He D, Chen J, Chen Y. A secure mutual authentication scheme for session initiation protocol using elliptic curve cryptography. Security and Communication Networks 2012; 5:1423–1429.
22. Farash MS, Bayat M, Attari MA. Vulnerability of two multiple-key agreement protocols. Computers & Electrical Engineering 2011; 37(2):199–204.
23. Farash MS, Attari MA. An ID-based key agreement protocol based on ECC among users of separate networks. 9th International ISC Conference on Information Security and Cryptology (ISCISC'12), Tabriz, Iran, 2012; 32–37.
24. Farash MS, Attari MA. A pairing-free ID-based key agreement protocol with different PKGs. International Journal of Network Security 2014; 16(2):143–148.
25. Bayat M, Farash MS, Movahed A. A novel secure bilinear pairing based remote user authentication scheme with smart card. IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC), Hong Kong, China, 2010; 578–582.
26. Farash MS, Attari MA, Atani RE, Jami M. A new efficient authenticated multiple-key exchange protocol from bilinear pairings. Computers & Electrical Engineering 2013; 39(2):530–541.
27. Farash MS, Attari MA. Provably secure and efficient identity-based key agreement protocol for independent PKGs using ECC. The ISC International Journal of Information Security 2013; 5(1):18–43.
28. Farash MS, Attari MA, Bayat M. A certificateless multiple-key agreement protocol without hash functions based on bilinear pairings. International Journal of Engineering and Technology 2012; 4(3):321–325.
29. Yang CC, Wang RC, Liu WT. Secure authentication scheme for session initiation protocol. Computers & Security 2005; 24:381–386.
30. Huang HF, Wei WC, Brown GE. A new efficient authentication scheme for session initiation protocol. 9th Joint Conference on Information Sciences, Kaohsiung, Taiwan, 2006. DOI: 10.2991/jcis.2006.222.

31. Jo H, Lee Y, Kim M, Kim S, Won D. Off-line password-guessing attack to Yang’s and Huang’s authentication schemes for session initiation protocol. Fifth International Joint Conference on INC, IMS and IDC, Seoul, Korea, 2009; 618–621.

32. Durlanik A, Sogukpinar I. SIP authentication scheme using ECDH. World Enformatika Socity Transations on

Engineering Computing and Technology 2005; 8:350–353.

33. Yoon EJ, Yoo KY. Cryptanalysis of DS-SIP authentication scheme using ECDH. International Conference on New

Trends in Information and Service Science, Beijing, China, 2009; 642–647.

34. Liu FW, Koenig H. Cryptanalysis of a SIP authentication scheme. Communications and Multimedia Security, Ghent, Belgium, 2011; 134–143.

35. Tsai JL. Efficient nonce-based authentication scheme for session initiation protocol. International Journal of Network

Security 2009; 8(3):312–316.

36. Yoon EJ, Yoo KY. A new authentication scheme for session initiation protocol. International Conference on

Complex, Intelligent and Software Intensive Systems (CISIS), Fukuoka, Japan, 2009; 549–554.

37. Chen TH, Yeh HL, Liu PC, Hsiang HC, Shih WK. A secured authentication protocol for SIP using elliptic curves cryptography. Communication and Networking, CCIS, Vol. 119, Jeju Island, Korea, 2010; 46–55.

38. Arshad R, Ikram N. Elliptic curve cryptography based mutual authentication scheme for session initiation protocol.

Multimedia Tools and Applications, posted on 2011. DOI: 10.1007/s11042-011-0787-0, (to appear in print).

39. Tang H, Liu X. Cryptanalysis of Arshad et al.Šs ECC-based mutual authentication scheme for session initiation protocol. Multimedia Tools and Applications, posted on 2012. DOI: 10.1007/s11042-012-1001-8, (to appear in print). 40. Yoon E, Shin Y, Jeon I, Yoo K. Robust mutual authentication with a key agreement scheme for the session initiation

protocol. IETE Technical Review 2010; 27(3):203–213.

41. Xie Q. A new authenticated key agreement for session initiation protocol. International Journal of Communication

Systems, posted on 2012. DOI: 10.1002/dac.1286, (to appear in print).

42. Farash MS, Attari MA. An enhanced authenticated key agreement for session initiation protocol. Information

Technology And Control 2013; 42(4):333–342.

43. Zhang Z, Qi Q, Kumar N, Chilamkurti N, Jeong HY. A secure authentication scheme with anonymity for session initiation protocol using elliptic curve cryptography. Multimedia Tools and Applications 2014. DOI: 10.1007/s11042-014-1885-6.

44. Zhang L, Tang S, Cai Z. Efficient and flexible password authenticated key agreement for voice over internet protocol session initiation protocol using smart card. International Journal of Communication Systems, posted on 2013. DOI: 10.1002/dac.2499, (to appear in print).

45. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks.
