Abstract

The session initiation protocol (SIP) is a powerful application-layer protocol which is used as a signaling protocol for establishing, modifying, and terminating sessions among participants. Authentication is becoming an increasingly crucial issue when a user asks to access SIP services. Hitherto, many authentication schemes have been proposed to enhance the security of SIP. In 2014, Arshad and Nikooghadam proposed an enhanced authentication and key agreement scheme for SIP and claimed that their scheme could withstand various attacks. However, in this paper, we show that Arshad and Nikooghadam’s authentication scheme is still susceptible to key-compromise impersonation and trace attacks and does not provide proper mutual authentication. To overcome these flaws, we propose a secure and efficient ECC-based authentication scheme for SIP. Through informal and formal security analyses, we demonstrate that our scheme is resilient to known attacks, including the attacks found in Arshad et al.’s scheme. In addition, the performance analysis shows that our scheme has similar or better efficiency in comparison with other existing ECC-based authentication schemes for SIP.

1. Introduction

Multimedia service is one of the most important application classes of wired and wireless networks. The session initiation protocol (SIP) is one of the most important protocols supporting multimedia services, since it can manage sessions including multimedia distribution, internet telephone calls, and internet multimedia conferences [1]. Authentication is an important security requirement when a user wants to access SIP services. Therefore, the security of SIP [2] has received a lot of attention, and SIP authentication has become a crucial topic in modern multimedia services.

Up to now, much research has focused on proposing secure and efficient authenticated key agreement schemes to provide various aspects of security for SIP. In 2005, Yang et al. [3] indicated that the Hypertext Transfer Protocol (HTTP) digest authentication procedure for SIP could not resist the offline password guessing and server-spoofing attacks. To resolve these problems, Yang et al. proposed an improved scheme based on the Diffie-Hellman key exchange protocol. Later on, Huang et al. [4] identified that Yang et al.’s protocol was insecure against the offline password guessing attack. To enhance the security of Yang et al.’s scheme, Huang et al. also presented an improved scheme. Later on, Jo et al. [5] demonstrated that Huang et al.’s scheme was still vulnerable to the offline password guessing attack. Based on Yang et al.’s study, Durlanik and Sogukpinar [6] proposed an Elliptic Curve Cryptography (ECC) [7] based authentication scheme for SIP. Compared with other cryptosystems, ECC can achieve the same security with a smaller key size [8]. Therefore, the scheme proposed by Durlanik and Sogukpinar is considered to be more efficient than Yang et al.’s scheme. Later, Wu et al. [9] also proposed an authentication scheme for SIP using ECC. However, Yoon et al. [10] showed that both Durlanik and Sogukpinar’s scheme and Wu et al.’s scheme were susceptible to the offline password guessing, Denning-Sacco, and stolen-verifier attacks. To overcome these weaknesses, Yoon et al. proposed an enhanced authentication scheme for SIP with improved security. Unfortunately, Pu [11] showed that the scheme of Yoon et al. was still prone to the offline password guessing and replay attacks.

In order to reduce the high computational cost, Tsai [12] suggested an efficient authenticated key agreement scheme adopting only one-way hash functions and exclusive-or operations. Nevertheless, Tsai’s scheme was still vulnerable to the offline password guessing attack [13, 14]. Yoon et al. [14] proposed an enhanced scheme to overcome the weaknesses in Tsai’s scheme. However, Xie [15] demonstrated that Yoon et al.’s scheme did not resist the stolen-verifier and offline password guessing attacks. Xie then proposed an improved scheme to overcome the weaknesses of Yoon et al.’s scheme. Nevertheless, Farash and Attari [16] discovered that Xie’s scheme was still insecure against the impersonation and offline password guessing attacks. To enhance security, Farash and Attari presented an improved scheme to solve the problems in Xie’s scheme. Recently, Zhang et al. [17] proposed an efficient and flexible password authenticated key agreement protocol for SIP using a smart card and claimed that their protocol was secure against various attacks. However, Zhang et al.’s scheme suffers from the impersonation attack [18, 19]. To tackle the problem, Tu et al. [18] and Irshad et al. [19], respectively, proposed their own improved authentication schemes based on Zhang et al.’s scheme. Unfortunately, Arshad and Nikooghadam [20] demonstrated that Irshad et al.’s scheme could not withstand the user impersonation attack. Arshad and Nikooghadam then proposed an enhancement of Irshad et al.’s scheme intended to remove the user impersonation attack and claimed that their scheme was immune to many known attacks.

In this study, we identify that the scheme by Arshad and Nikooghadam is insecure against key-compromise impersonation and trace attacks and fails to provide proper mutual authentication. To overcome these weaknesses, we propose a robust and efficient authentication scheme using ECC. Through informal and formal security analyses, we demonstrate that our scheme is resilient to known attacks, including the attacks found in Arshad and Nikooghadam’s scheme. In addition, the performance analysis shows that our scheme has similar or better efficiency in comparison with other related ECC-based authentication schemes for SIP.

The remainder of this paper is organized as follows. Section 2 provides some basic preliminaries and notations used in this paper. The review and security analysis of Arshad and Nikooghadam’s scheme are shown in Sections 3 and 4, respectively. Section 5 shows our proposed scheme. Section 6 analyzes our scheme’s security. Section 7 shows the performance and functionality comparison among the proposed scheme and other related ones. Section 8 is a brief conclusion.

2. Preliminaries

In this section, some notations used in this paper are described in Section 2.1. We also recall the definitions of the hash function [21] and Elliptic Curve Discrete Logarithm Problem (ECDLP) [7] which we use in the security proof of Arshad et al.’s scheme and our improved scheme.

2.1. Notations

We use the following notations throughout the rest of the paper: the user and the server; the identity and password of the user; the hash function; the secret key selected by ; and the exclusive-or operation and the concatenation operation.

2.2. Hash Function

A secure one-way hash function takes a binary string of arbitrary length as input and outputs a binary string . The probability of finding a collision is defined as .

2.3. ECDLP

In an elliptic curve cryptosystem, the elliptic curve equation is defined in the form over a finite field , where and .

Given points over , the ECDLP is to determine such that . The probability that can solve the ECDLP is defined as .
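The following is an added example, not code from the paper, that makes the ECDLP definition above concrete. The paper's own curve parameters and symbols did not survive extraction, so the example uses the standard short Weierstrass form y^2 = x^3 + ax + b over a prime field F_p with the nonsingularity condition 4a^3 + 27b^2 ≠ 0 (mod p), and constructs a toy curve (p = 97, a = 2, b = 3) with base point (3, 6). It implements point addition, double-and-add scalar multiplication (the point multiplication PM counted in Section 7), and a brute-force ECDLP search that only works because the group is tiny; on a real curve with a ~256-bit group order the same search is infeasible, which is the assumption the scheme's security rests on.

```python
# Added example (not from the paper): toy elliptic-curve arithmetic and a
# brute-force ECDLP solver. All parameters below are constructed for
# illustration and are far too small to be secure.
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity O

# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97 with base point P = (3, 6).
P_MOD, A, B = 97, 2, 3
BASE: Point = (3, 6)


def is_nonsingular(a: int, b: int, p: int) -> bool:
    """Standard condition 4a^3 + 27b^2 != 0 (mod p) for a valid curve."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


def on_curve(pt: Point) -> bool:
    """Check that a point satisfies the curve equation (O is always on the curve)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1: Point, p2: Point) -> Point:
    """Group law on the curve: handles O, inverse points, doubling and the generic case."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # p2 is the inverse of p1, so p1 + p2 = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD  # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add computation of k*pt; this is the one-way direction."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdlp_bruteforce(base: Point, target: Point, max_k: int = P_MOD + 1) -> Optional[int]:
    """Find k with k*base == target by exhaustive search.

    Feasible only because this toy group is tiny; the search cost grows with
    the group order, which is exactly why real curves use ~256-bit orders.
    """
    acc: Point = None
    for k in range(max_k):
        if acc == target:
            return k
        acc = point_add(acc, base)
    return None


if __name__ == "__main__":
    assert is_nonsingular(A, B, P_MOD) and on_curve(BASE)
    q = scalar_mult(3, BASE)
    print("3*P =", q, "recovered k =", ecdlp_bruteforce(BASE, q))
```

Running the block prints the point 3P and recovers k = 3 by brute force; the base point has order 5 on this toy curve, so scalar_mult(5, BASE) returns the point at infinity.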

3. Review of Arshad and Nikooghadam’s Scheme

In this section, we will review Arshad et al.’s authentication scheme for SIP. Their scheme is composed of three phases, which are registration, authentication, and password change.

3.1. Registration

(1) generates a random number , chooses his password , computes , and sends to .
(2) computes and stores it in his database.

3.2. Authentication

(1) generates a random number and computes , where is the public key of . Then, sends the message to .
(2) On receiving the request message, chooses a random number and computes , , and . Finally, sends the message to .
(3) After receiving the challenge message, computes and validates whether it is equal to the received . If so, computes , , and the common session key . Finally, sends the message to .
(4) After receiving the response message, computes and compares it with the received . If it is correct, agrees on the common session key with .

3.3. Password Change

(1) selects a new random number and a new password and computes , , , and . Then, sends the message to .
(2) After receiving the message, computes and and verifies whether . If it holds, continues to compute and replaces with . Then, sends the message to .
(3) On receiving the message from , computes and checks whether it is equal to the received message. If they are equal, replaces with in his database.

4. Cryptanalysis of Arshad and Nikooghadam’s Scheme

In this section, we show that Arshad and Nikooghadam’s scheme is vulnerable to key-compromise impersonation and trace attacks and does not provide proper mutual authentication. The following attacks are based on the assumption that a malicious attacker has complete control over the communication channel connecting and in the login and authentication phase. So can eavesdrop, modify, insert, or delete any messages transmitted via the public channel [22–24].

4.1. Key-Compromise Impersonation Attack

Key-compromise impersonation attack means that knows the long-term secret key of one participating entity and can impersonate that entity to the other participating entities [25]. In Arshad et al.’s scheme, if ’s secret key is compromised by , he can launch a user impersonation attack as follows.
(1) compromises and steals the information kept in ’s database. He then generates a random number and computes . Finally, he sends the forged message to .
(2) On receiving the request message, generates a random number and computes , , and . Finally, he sends the message to , who impersonates a legal user.
(3) After receiving the challenge message, first checks . Obviously, the equation holds; then computes and sends the message to .
(4) After receiving the response message, checks whether is equal to the received . If it is correct, negotiates the common session key with (Table 1).

In this way, believes that he has successfully established the session key with , whereas it is the adversary who is making a fool of by imitating the legal user.

4.2. Trace Attack

In the authentication phase of Arshad and Nikooghadam’s scheme, the user sends the request message containing the user’s identity to without any protection. Since the user’s identity is sent over an open communication channel, may intercept the message using the assumed capability. With the user’s identity , can trace it to learn what kind of services the user accesses and how long the user is logged into the system. Since may hold the system log recording what the user did, the user’s privacy may be leaked. Furthermore, may trace the user’s location according to the user’s IP address. The trace attack seriously invades the user’s privacy and can be utilized to commit real crimes such as kidnappings.

4.3. Lack of Proper Mutual Authentication

(1) eavesdrops the message , then generates a random number and computes .
(2) sends the forged message to . Obviously, accepts ’s request because does not verify the validity of the request message from . Then, generates a random number and computes , , and . Then, delivers the message to , who masquerades as a legal user.
(3) After receiving the message from , computes and checks whether is equal to the received . If so, continues to compute , , where ; both and are the forged password and random number. Then, delivers the message to .
(4) Upon receiving the message from , who masquerades as a legal user, computes and compares it with the received . Obviously, they are not equal, and immediately stops the session.

Under this condition, anyone can forge and send the request message to , which leads to believing that is a cheater, whereas is actually an honest user. This obviously results in a great waste of computing and communication resources.

5. Proposed Authentication Scheme for SIP

In this section, we propose a novel mutual authentication scheme based on ECC, which consists of three phases: registration, authentication, and password change.

5.1. Registration

(1) freely selects his password and his own secret key and generates a random number . Then computes and submits to through a secure channel.
(2) computes and stores in his database, where is ’s secret key.

5.2. Authentication

(1) generates a random number and computes , , , , and . Then, sends the message to .
(2) On receipt of the request message from , derives from by computing , then computes and and checks whether holds. If it does not hold, rejects the request. Otherwise, generates a random number and computes , , , and . Finally, sends the message to .
(3) Upon receiving the challenge message from , retrieves by computing , then computes and verifies whether it is equal to the received . If it is not correct, stops the session. Otherwise, computes and sends the message to .
(4) On receiving the response message from , checks whether . If so, the session key shared between and is set as (Table 2).

5.3. Password Change

In this subsection, can change his password at any time. chooses a new password , a new secret key , and a new random number . Then the following process is performed by and .
(1) submits the message and to .
(2) computes and checks whether it is equal to the received . If it is correct, computes and then replaces with .

6. Security Analysis

In this section, we first adopt Burrows-Abadi-Needham (BAN) logic [26] to demonstrate that the proposed scheme works correctly by achieving its authentication goals. Then, we conduct a security analysis of the enhanced scheme through both informal and formal analyses.

BAN Logic Notations:
: believes a statement .
: share a key between and .
: is fresh.
: sees .
: said .
: and are encrypted with the key .
: and are hashed with the key .
: is xor-ed with the key .

6.1. Verifying Authentication Scheme with BAN Logic

BAN logic [26] is a set of rules for defining and analyzing information exchange schemes. It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. It has been highly successful in analyzing the security of authentication schemes [27, 28]. In this subsection, we prove that a session key between the communicating parties can be correctly generated within the authentication process using BAN logic. First, we introduce some notations and logical postulates of BAN logic that we use for our scheme.
(1) BAN logical postulates are the following.
(a) Message-meaning rule : if believes that the key is shared by and and sees encrypted with , then believes that once said .
(b) Nonce-verification rule : if believes that could have been uttered only recently and that once said , then believes that believes .
(c) Belief rule : if believes and , then believes .
(d) Freshness-conjuncatenation rule : if believes the freshness of , then believes the freshness of .
(e) Jurisdiction rule : if believes that has jurisdiction over and believes , then believes .
(2) Idealized scheme: : , , , ; : , .
(3) Establishment of security goals: (), (), (), ().
(4) Initial premises: (p1) , (p2) , (p3) , (p4) , (p5) , (p6) , (p7) .
(5) Scheme analysis: consider the following.
(a1) Since and , we apply the message-meaning rule to obtain .
(a2) Since and , we apply the freshness-conjuncatenation rule and the nonce-verification rule to obtain .
() Since , we apply the belief rule to obtain .
() Since and , we apply the jurisdiction rule to obtain .
(a3) Since and , we apply the message-meaning rule to obtain .
(a4) Since and , we apply the freshness-conjuncatenation rule and the nonce-verification rule to obtain .
() Since , we apply the belief rule to obtain .
() Since and , we apply the jurisdiction rule to obtain .

By analyzing our scheme with BAN logic, we demonstrate that the proposed scheme effectively achieves the security goal of mutual authentication between and .

6.2. Informal Security Analysis

In this subsection, we examine whether the enhanced scheme is safe and consider its ability to resist various known attacks. The following attacks are also based on the assumption that a malicious adversary has total control over the communication channel connecting and in the authentication phase. So can intercept, insert, delete, or modify any messages transmitted via the public channel [22–24].

6.3. User is Anonymous and Untraceable

Suppose eavesdrops the request message , the challenge message , and the response message from the public channel. To obtain from these values by guessing and verifying, must know . Since and compute different and with new random numbers and for each session, is not able to trace who communicates with by monitoring the channel. This shows that the proposed scheme provides user anonymity.

6.4. Insider Attack

In our scheme, it is computationally infeasible to derive the password from because of the one-way property of the hash function combined with the secret key of . Therefore, the proposed scheme can withstand the insider attack.

6.5. Perfect Forward Secrecy

If ’s password , the secret key , and ’s secret key are all compromised, this does not allow to determine the session key of any past session. cannot compute from and because of the secure one-way hash function and the ECDLP.

6.6. Mutual Authentication

In our scheme, and can authenticate each other by checking , , and , separately. Therefore, our scheme can provide mutual authentication.

6.7. Key-Compromise Impersonation Attack

Assume that intercepts the request, challenge, and response messages. Suppose the secret key of is compromised by ; he still cannot pass the verification process of , as the random number is not known. On the other hand, suppose the secret key of is compromised by ; he cannot impersonate to cheat . Since cannot know the identity and of , he cannot compute the correct value and hence cannot be authenticated by . Therefore, the proposed scheme can withstand the key-compromise impersonation attack.

6.8. Replay Attack

Assume that eavesdrops and replays it to impersonate ; then verifies the condition . The verification fails, because recovering from amounts to solving the ECDLP and is different in each authentication message. On the other hand, suppose eavesdrops and replays it to impersonate . The replayed message cannot pass the verification process , since both and are new random numbers chosen by in each session, over which has no control. Therefore, has no opportunity to successfully replay used messages.

6.9. Offline Password Guessing Attack

Even if intercepts all the exchanged messages by a passive attack, he cannot guess the correct password of . Since cannot know the user’s identity , the secret key , and the random number , he cannot compute the value needed to verify a guessed password against the recorded messages. Therefore, our scheme can resist the offline password guessing attack.

6.10. Known Session Key Security

Because and are generated randomly and independently in every session, the session key of each session is independent of that of any other session. Therefore, the proposed scheme ensures known session key security.

6.11. Formal Security Analysis of the Proposed Scheme

In this subsection, we provide the formal security analysis of our scheme and show that our scheme is secure. We first define the following oracles.

Reveal 1. This random oracle will unconditionally output the input from the given hash value .

Reveal 2. This random oracle will unconditionally output from given points and in an elliptic curve .

Theorem 1. Under the ECDLP assumption, our scheme is secure against an adversary for deriving the identity and password of a legal user and the session key between and if the hash function closely behaves like a random oracle.

Proof. The formal security proof of our scheme is similar to those in [29–31]. runs the experimental algorithm shown in Algorithm 1 for our robust and efficient authentication scheme for the session initiation protocol, denoted REASSIP.
Define the success probability for as ; the advantage function for this experiment then becomes , where the maximum is taken over all with execution time and and the number of queries made to the Reveal 1 and Reveal 2 oracles, respectively. If has the ability to invert the hash function and solve the ECDLP, then he can directly derive ’s identity , password , and the session key between and . In this case, will discover the complete connections between and . However, it is computationally infeasible to invert the input from a given hash value and to output from given points ; that is, , , . Hence, we have , as it depends on and . Therefore, our scheme is provably secure against for deriving , , and .

(1)    Eavesdrop request message
(2)   Call the reveal oracle 2. Let
(3)   Call the reveal oracle 1. Let
(4)   Eavesdrop challenge message
(5)   Call the reveal oracle 1. Let (
(6)   Call the reveal oracle 2. Let
(7)   if  ( = )  then
(8)    Accept the derived , , and as the correct and of the user
(9)    and the session key between and , respectively
(10)  return 1 (success)
(11)  else
(12)  return 0 (failure)
(13) end if

7. Security Properties and Performance Comparison

In this section, we show that our proposed scheme satisfies many security attributes and has lower computation cost. Security properties and performance cost comparisons between our scheme and the other related schemes in [13–20] are given in Table 3 and Figure 1, respectively.

Table 3 shows that our scheme is more secure than Arshad et al.’s scheme and the other related schemes and achieves more functionality features. In the performance comparison, we mainly focus on the computations of the authentication phase, since it is the main body of an authentication scheme, whereas the registration phase is performed only once before authentication. Let PA, PM, INV, SE, M, and H denote the time for performing an elliptic curve point addition, an elliptic curve point multiplication, a modular inversion, a symmetric key encryption or decryption, a modular multiplication, and a hash function, respectively. Since XOR operations require negligible computation, we omit them. From Figure 1 we can see that our scheme has similar or better efficiency in comparison with other related ECC-based authentication schemes.

8. Conclusion

We have analyzed the security of Arshad et al.’s recently proposed SIP authentication scheme. We have pointed out that an adversary can successfully launch the trace and key-compromise impersonation attacks on Arshad et al.’s scheme. We have also shown that Arshad et al.’s scheme does not achieve proper mutual authentication. The cryptanalysis of Arshad and Nikooghadam’s scheme thus shows that the security of their scheme is compromised. In order to eliminate the security pitfalls found in Arshad et al.’s scheme, we have presented a robust and efficient ECC-based authentication scheme for SIP. Our scheme is immune to the trace, key-compromise impersonation, and insider attacks, against which Arshad and Nikooghadam’s scheme fails. Meanwhile, our scheme can withstand the replay and offline password guessing attacks. In addition, our scheme achieves known session key security and perfect forward secrecy. We have analyzed the security of our scheme through both informal and formal security analyses. Besides, our scheme is computationally efficient compared with other related ECC-based SIP authentication schemes. Considering the security and efficiency provided by our scheme, we conclude that our scheme is more appropriate for practical applications than other related schemes.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors are grateful to the anonymous referees for their valuable comments and suggestions to improve the presentation of this paper. This paper is supported by the National Natural Science Foundation of China (Grant nos. 61472045 and 61121061), the Beijing Higher Education Young Elite Teacher Project (Grant no. YETP0449), the Asia Foresight Program under NSFC Grant (Grant no. 61411146001), and the Beijing Natural Science Foundation (Grant no. 4142016).