Abstract

An anonymous authentication scheme for roaming services in global mobility networks allows a mobile user visiting a foreign network to achieve mutual authentication and session key establishment with the foreign-network operator in an anonymous manner. In this work, we revisit He et al.’s anonymous authentication scheme for roaming services and present previously unpublished security weaknesses in the scheme: (1) it fails to provide user anonymity against any third party as well as the foreign agent, (2) it cannot protect the passwords of mobile users due to its vulnerability to an offline dictionary attack, and (3) it does not achieve session-key security against a man-in-the-middle attack. We also show how the security weaknesses of He et al.’s scheme can be addressed without degrading the efficiency of the scheme.

1. Introduction

As wireless network and communication technologies advance, there has been a dramatic increase in the use of lightweight computing devices, such as sensors, smartphones, and tablet PCs, in our daily lives. To enjoy the convenience of mobility, a roaming service should be seamlessly provided, with respect to both availability and security, through a visited foreign network. In general, three parties—a mobile user, a foreign agent, and the home agent—participate in a roaming process. A seamless roaming service requires significant security challenges to be addressed among the participants. Basically, authentication and key establishment between the mobile user and the foreign agent should be achieved with the assistance of the home agent, to prevent illegal use of the network and to protect their subsequent communications. Achieving anonymity of the mobile user is also important in a roaming service to protect the privacy of the user. Anonymity has recently been identified as a major security property for many applications, including location-based services, anonymous web browsing, and e-voting. These security challenges and their cryptographic solutions, commonly called anonymous authentication schemes, constitute an active research area.

The first anonymous authentication scheme for roaming services was proposed by Zhu and Ma [1] in 2004. This initial proposal has been followed by a number of authentication schemes offering various levels of security and efficiency. Some schemes [2–4] have been proven secure using a computer security approach, while others (e.g., [5–7]) justify their security on purely heuristic grounds without providing any formal analysis of security. However, despite all the work conducted over the last decade, it still remains a challenging task to come up with an authentication scheme that meets all the desired goals for roaming services [8]. Most of the existing schemes fail to achieve important security properties such as user anonymity [2, 6], session-key security [9], perfect forward secrecy [10], two-factor security [11], resistance against impersonation attacks [12], and resistance against offline dictionary attacks [13]. In this domain, all published schemes are far from ideal, as evidenced by a continual history of schemes being proposed and, years later, found to be flawed.

Recently, Xie et al. [4] proposed a new authentication scheme for roaming services and claimed that their scheme not only provides efficiency and user friendliness but also is secure against various attacks. But He et al. [12] demonstrated that Xie et al.’s scheme is susceptible to impersonation attacks and therefore does not achieve mutual authentication between a mobile user and the foreign agent. In addition, He et al. proposed a new authentication scheme which improves Xie et al.’s scheme in terms of both security and efficiency. However, we found that He et al.’s improved scheme is still not satisfactory and suffers from major security weaknesses.
(i) He et al.’s scheme fails to provide user anonymity, not only against the foreign agent but also against any third party.
(ii) He et al.’s scheme may not protect the passwords of mobile users against an offline dictionary attack.
(iii) He et al.’s scheme is not secure against a man-in-the-middle attack and thus cannot guarantee the security of session keys.

Besides reporting these weaknesses in He et al.’s scheme, we also propose an improved authentication scheme which achieves, among others, user anonymity, session-key security, and resistance against offline dictionary attacks. The performance of our scheme is similar to that of He et al.’s scheme but is superior to that of Xie et al.’s scheme (see Section 4).

Throughout the paper, we make the following assumptions on the capabilities of the probabilistic polynomial-time adversary in order to properly capture the security requirements of two-factor authentication schemes using smart cards in global mobility networks.
(i) The adversary has complete control of all message exchanges between the three parties: a mobile user, the foreign agent, and the home agent. That is, the adversary can eavesdrop on, insert, modify, intercept, and delete messages exchanged among the parties at will [14–16].
(ii) The adversary is able to (1) extract the sensitive information on the smart card of a mobile user, possibly via a power analysis attack [17, 18], or (2) learn the password of the mobile user through shoulder surfing or by employing a malicious card reader. However, the adversary is not allowed to compromise both the information on the smart card and the password of the mobile user; clearly, there is no way to prevent the adversary from impersonating the mobile user if both factors are compromised.

2. A Review of He et al.’s Scheme

He et al.’s authentication scheme [12] consists of three phases: the registration phase, the login and key agreement phase, and the password update phase. The system parameters listed in Table 1 are assumed to have been established in advance before the scheme is used in practice. Let and denote the string concatenation operation and the bitwise exclusive-OR (XOR) operation, respectively.

2.1. Registration Phase

For a mobile user , this phase is performed only once, when registers itself with the home agent .
(1) chooses its identity and password freely and sends the identity to via a secure channel.
(2) computes and and issues a smart card loaded with , , , , , , .
(3) replaces and , which are contained in the smart card, with and , respectively.

2.2. Login and Key Agreement Phase

This phase is carried out whenever visits a foreign network and wants to gain access to the network. During the phase, mutual authentication and session-key establishment are conducted between and with the help of . Algorithm 1 depicts how the phase works, and its description follows.

[Algorithm 1: login and key agreement phase of He et al.’s scheme (inputs, timestamp retrieval, freshness checks, decryption checks, and session-key computation); the steps are described below.]

Step 1. inserts its smart card into the card reader and inputs its identity and password . Next, retrieves the current timestamp , chooses a random number , and computes Then, sends the message to the foreign agent .

Step 2. Upon receiving , checks the freshness of the timestamp . If it is not fresh, aborts the session. Otherwise, retrieves the current timestamp , computes and sends the message to .

Step 3. checks if the timestamp is fresh. If not, aborts the session. Otherwise, decrypts with key and verifies that the decryption yields the same and as contained in . aborts if the verification fails. Otherwise, computes and , decrypts with key , and checks if this decryption produces the same as in . aborts if the check fails. Otherwise, decrypts with key and checks if this decryption gives the same as produced through the decryption of . Only if the two IDs match, retrieves the current timestamp , computes and sends the message to .

Step 4. decrypts with key and checks the freshness of the timestamp . Only if is fresh, chooses a random number and computes (Note, here, that the timestamp (received from ) is used in generating the ciphertext since will need it to check the validity of .) Then, sends the message to and computes the session key .

Step 5. first checks the freshness of the timestamp and aborts the session if it is not fresh. Otherwise, computes and , decrypts with key , and verifies that the decryption correctly returns , , and . If the verification succeeds, checks whether is equal to and, if so, computes the session key .

2.3. Password Update Phase

One of the general guidelines for better password security is to ensure that passwords are changed at regular intervals. He et al.’s scheme allows mobile users to freely update their passwords.
(1) inserts his smart card into a card reader and enters both the current password and the new password .
(2) The smart card computes and and replaces and with and , respectively.

3. Weaknesses in He et al.’s Scheme

In this section, we point out four weaknesses in He et al.’s scheme, starting with the most obvious one.

Weakness 1. He et al.’s scheme does not provide user anonymity against the foreign agent .

This weakness is straightforward to see as the identity of , , is given to via the ciphertext (see Step 4 of the login and key agreement phase of the scheme).

Weakness 2. He et al.’s scheme may not protect the password of , , against an offline dictionary attack.

Weakness 2 is due to the fact that is computed using the bitwise XOR operation when the multiplicative subgroup of is not closed under the XOR operation. This design flaw allows an adversary to find out the password by mounting an offline dictionary attack if the subgroup is much smaller than . We observe, for He et al.’s scheme, that and are defined as two primes such that for some and the random exponents and are chosen from . Based on these observations, it is reasonable to speculate that He et al.’s scheme was designed to work in a multiplicative subgroup of that has a prime order , though not explicitly mentioned by the authors. For simplicity, let us denote the prime-order subgroup by . Since and are computed as and , it ought to be the case that , which in turn implies that is a hash function mapping arbitrary strings into elements of . Now, assume that an adversary has gained temporary access to the smart card of and then obtained the value of stored there (possibly by employing a power analysis attack [17]). Then, note that can be used as a password verifier in an offline dictionary attack because is computed as when is not closed under the bitwise XOR operation. Let be the set of all possible passwords. The adversary can mount an offline dictionary attack as follows.

Step 1. makes a guess on the password and computes

Step 2. then checks whether is an element of or not. If , deletes from the dictionary (i.e., ). Note that implies .

Step 3. repeats Steps 1 and 2 until the correct password is found (i.e., until ).

If is a safe prime (i.e., ), then this attack would fail, only cutting the size of roughly in half. However, if is much greater than (e.g., and ), the dictionary attack will succeed in determining the correct password with overwhelming probability. Similar dictionary attacks have also been mounted against key exchange protocols; see, for example, [19]. Weakness 2 can be easily addressed by replacing the bitwise XOR operation with the multiplication operation.

Next, we identify two other major weaknesses in He et al.’s scheme.

Weakness 3. He et al.’s scheme may not guarantee user anonymity even against a third party who is not a legitimate protocol participant.

Weakness 4. He et al.’s scheme could wrongly lead and to establish a session key with a malicious party who is not even registered with .

We demonstrate Weaknesses 3 and 4 by mounting a type of man-in-the-middle attack against the scheme. The attack scenario is outlined in Figure 1 and is detailed as follows.

Step 1. As a preliminary step, the adversary chooses a random number and computes , where denotes an arbitrary identity.

Step 2. When sends the first message to , eavesdrops on this message to obtain and . Immediately after the eavesdropping, retrieves the current timestamp and sends a fake message to as if it is another roaming request from a mobile user.

Step 3. Since both and are fresh, will compute and and send two messages and to . Let and be the instances of who sends the messages and , respectively.

Step 4. intercepts the message while letting reach its destination, . Since is a valid message, will compute and send the message to .

Step 5. redirects the message so that it is delivered to instead of . As a result, will not receive any response message and thus will abort after a certain amount of time.

Step 6. After decrypting and since is fresh, will proceed as per the protocol specification. That is, will choose a random number , compute send the message to , and then compute its session key as

Step 7. intercepts the message , computes and , and decrypts with key to obtain , , and . Then, chooses a random number , computes and sends the message to as if it is from .

Step 8. Upon receiving , will proceed to compute its session key where is computed as , because (1) is fresh, (2) decryption of with key correctly yields , , and , and (3) is equal to .

Step 9. computes the two session keys, and , in the straightforward way.

Through the attack, user anonymity is completely compromised, as the identity of , , is disclosed to the adversary in Step 7. From the viewpoint of session-key secrecy, the effect of our attack is the same as that of a man-in-the-middle attack. At the end of the attack, and believe that they have established a secure session with each other, sharing a secret key, while in fact they have shared their keys with the adversary . As a result, can not only access and relay any confidential messages between and but also send arbitrary messages for its own benefit, impersonating one of them to the other. Man-in-the-middle attacks similar to the attack above have also been presented against various key exchange protocols; see, for example, [20, 21].

4. Our Improved Scheme

We now show how to address all the weaknesses identified in He et al.’s scheme without degrading the efficiency of the scheme. Let be a cyclic group of prime order . A standard way of generating is to choose two large primes such that for some small (e.g., ) and let be the subgroup of order in . Hereafter, we will omit “mod ” from expressions for notational simplicity. Assume that the master secret key of , , is an element of (i.e., ) and the secret key shared between and , , has a length of bits. Then we define four cryptographic hash functions:
(i) ,
(ii) ,
(iii) , where represents the bit-length of session keys,
(iv) , where represents the bit-length of (for the definition of , see the description of He et al.’s scheme given in Section 2).

We begin by presenting how to address Weaknesses 3 and 4 (described in the previous section). The vulnerability of He et al.’s scheme to the man-in-the-middle attack stems from the fact that there is no way for an instance of to check whether the received ciphertext was sent in response to its own request or to another instance’s request. This design flaw allows the adversary to exploit ’s response sent for one session as the response for another session. To prevent the attack, we suggest modifying the computation of the ciphertext from to The timestamp is now included as part of the plaintext to be encrypted to . The inclusion of tightly links ’s request and ’s response and thus effectively prevents the man-in-the-middle attack.

However, with the above modification alone, He et al.’s scheme cannot fully achieve user anonymity, in the sense that the identity of is still disclosed to . Therefore, we suggest further modifying the computation of as follows: The ciphertext is now generated using instead of . This modification certainly prevents from immediately learning via decryption of .

We next present a possible way of eliminating the vulnerability of He et al.’s scheme to offline dictionary attacks. Recall that this vulnerability is due to the fact that is computed using the bitwise XOR operation when the multiplicative subgroup of is not closed under the XOR operation. Given the flaw in the design, the solution is clear: use the multiplication operation instead of the XOR operation when computing . Hence, we change the computation of from to Accordingly, the computation of should also be changed to
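The closure property that both Weakness 2 (Section 3) and the fix above hinge on can be checked numerically. The following Python is an added example, not code from the paper or from He et al.’s scheme: with constructed toy primes p = kq + 1 and an assumed hash-to-G_q construction (hash into Z_p^*, then raise to the cofactor k), it measures how often combining two G_q elements by XOR stays inside G_q versus combining them by multiplication mod p. All function names, the toy parameters, and the hash construction are assumptions made here.

```python
import hashlib
import random

def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def make_group(q: int, k_start: int) -> tuple:
    """Return (p, k) with p = k*q + 1 prime, searching k upward from k_start."""
    k = k_start
    while not is_prime(k * q + 1):
        k += 1
    return k * q + 1, k

def in_subgroup(x: int, p: int, q: int) -> bool:
    """x lies in G_q iff 0 < x < p and x^q = 1 (mod p)."""
    return 0 < x < p and pow(x, q, p) == 1

def hash_to_group(s: bytes, p: int, k: int) -> int:
    """Assumed hash into G_q: hash into Z_p^*, then raise to the cofactor k."""
    x = int.from_bytes(hashlib.sha256(s).digest(), "big") % (p - 1) + 1
    return pow(x, k, p)

def xor_op(a: int, b: int) -> int:
    return a ^ b

def mul_op(p: int):
    """Multiplication in Z_p^*, the operation the improved scheme uses."""
    return lambda a, b: a * b % p

def closure_fraction(op, p: int, q: int, k: int, trials: int = 500, seed: int = 1) -> float:
    """Fraction of op(a, b) landing in G_q for a, b drawn uniformly from G_q.

    1.0 means op is closed on G_q, so a stored op(a, b) reveals nothing about
    its inputs; a small value means the stored value acts as a membership
    oracle for G_q, which is exactly what Weakness 2 exploits.
    """
    rng = random.Random(seed)
    g = next(pow(a, k, p) for a in range(2, p) if pow(a, k, p) != 1)
    hits = 0
    for _ in range(trials):
        a = pow(g, rng.randrange(1, q), p)
        b = pow(g, rng.randrange(1, q), p)
        hits += in_subgroup(op(a, b), p, q)
    return hits / trials

if __name__ == "__main__":
    for q, k0 in ((1019, 2), (1019, 50)):  # safe prime vs. large cofactor k
        p, k = make_group(q, k0)
        print(p, k, closure_fraction(xor_op, p, q, k), closure_fraction(mul_op(p), p, q, k))
```

For the safe prime (k = 2) roughly half of the XOR results remain in G_q, matching the paper’s remark that the attack then only halves the dictionary, while for a large cofactor almost every XOR result leaves G_q; multiplication stays in G_q in every trial.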

Finally, we suggest the following additional changes to resolve some notational ambiguities and to correct the misuse of the hash function :

As a result of the above modifications, the password update phase is modified as follows.
(1) inserts his smart card into a card reader and enters the identity , the current password , and the new password .
(2) The smart card computes and and replaces and with and , respectively.

Combining the above modifications yields an improved authentication scheme, described in Algorithm 2. Our scheme improves He et al.’s scheme in various aspects: (1) it provides anonymity of the mobile user against any party other than the home agent , including the foreign agent ; (2) it withstands offline dictionary attacks even when the information in the smart card is disclosed; (3) it protects the security of session keys against man-in-the-middle attacks. Clearly, the performance of our scheme is similar to that of He et al.’s scheme. Hence, our improvement enhances the security of He et al.’s scheme while maintaining its efficiency.

[Algorithm 2: login and key agreement phase of the improved scheme (inputs, timestamp retrieval, freshness checks, decryption checks, and session-key computation), following the modifications described above.]

5. Concluding Remarks

This work demonstrated that He et al.’s authentication scheme for roaming services fails to achieve major security properties—user anonymity, password security, and session-key security—in the presence of a malicious adversary. We have shown that the failure to achieve user anonymity and session-key security is due to the vulnerability to a man-in-the-middle attack, while the failure to achieve password security is due to the vulnerability to an offline dictionary attack. Note that the latter vulnerability implies that He et al.’s scheme does not achieve two-factor security. We hope that security flaws similar to those identified in this work can be prevented in the future design of anonymous authentication schemes.

This work also showed how the security of He et al.’s authentication scheme can be improved without efficiency degradation. Our improved scheme not only protects user anonymity against any third party other than the home agent but also is secure against offline dictionary attacks as well as man-in-the-middle attacks. We leave it as future work to design an anonymous authentication scheme for roaming services that achieves provable security in a well-defined communication model while providing the same (or even better) level of efficiency as the schemes studied in this paper.

Conflict of Interests

The authors declare no conflict of interests.

Acknowledgment

This work was supported by Howon University in 2014.