Abstract

Session initiation protocol (SIP), a widely used signaling protocol for controlling multimedia communication sessions, faces numerous attacks during the authentication steps between the user and the server, so secure authentication schemes for SIP are needed. Recently, Arshad et al. advanced novel schemes for SIP using elliptic curve cryptography (ECC) and claimed that their schemes can resist various attacks. However, Lu et al. found that Arshad et al.’s scheme cannot resist trace and key-compromise impersonation attacks; hence, it cannot provide proper mutual authentication. Meanwhile, an enhanced scheme was advanced by Lu et al., who stated that their scheme can stand up to possible known attacks. Nevertheless, in this paper, we conclude that Arshad and Nikooghadam’s scheme is insecure against impersonation attack and that Lu et al.’s scheme is still vulnerable to impersonation attack. To overcome these weaknesses of their schemes, we present a novel anonymous ECC-based scheme for SIP. Security analysis and performance analysis show that our proposed scheme can resist various known attacks while remaining efficient.

1. Introduction

SIP (session initiation protocol), a text-based application layer signaling control protocol, is used to create, modify, and release sessions between participants. These sessions are initiated when users request Internet multimedia conferences, IP phones, and multimedia distribution. The participants of SIP can communicate with each other by multicast, unicast, or a mixture of the two. SIP has been widely used since 2002, when it was presented by the Internet Engineering Task Force (IETF) [1]. To protect the privacy of users, it is critical for SIP to provide mutual authentication between communicating parties. Therefore, many researchers are nowadays devoted to proposing secure and efficient schemes for SIP that prevent various attacks and provide mutual authentication between a legal user and the server.

In 2009, Tsai [2] presented a scheme based on random nonces for SIP. He used one-way hash functions and exclusive-or operations to encrypt/decrypt all the necessary information, so Tsai’s scheme can be used in low-computation equipment because its computation cost is very low. Later, Yoon et al. [3] demonstrated that Tsai’s scheme is not secure against off-line password guessing attack, Denning-Sacco attack, and stolen-verifier attack and cannot provide perfect forward secrecy. To overcome the shortcomings of Tsai’s scheme, Yoon et al. proposed a scheme based on the elliptic curve discrete logarithm problem (ECDLP) for SIP and claimed that their scheme can resist various attacks while being more efficient than Tsai’s scheme. In 2012, Xie [4] proposed an improved scheme after finding that Yoon et al.’s scheme is still too weak to resist stolen-verifier attack and off-line password guessing attack. Shortly afterwards, Farash and Attari [5] demonstrated that Xie’s scheme still suffers from off-line password guessing attack and impersonation attack and proposed an enhanced scheme. Later on, Zhang et al. [6] proposed an authentication scheme with anonymity for SIP based on Farash and Attari’s work. However, Lu et al. [7] found that Zhang et al.’s scheme cannot provide proper security, because it is insecure against insider attack. To cover the demerits of Zhang et al.’s scheme, Lu et al. advanced a new scheme and demonstrated that it is resistant to possible known attacks while having lower computation cost than other related schemes. In 2016, Chaudhry et al. [8] stated that Lu et al.’s scheme cannot withstand user and server impersonation attacks, so they proposed their own enhanced scheme to correct these problems. However, Kumari et al. [9] suspected that Chaudhry et al.’s scheme still has the disadvantages that appeared in Lu et al.’s. Meanwhile, Kumari et al. showed that Lu et al.’s [7] scheme cannot resist impersonation and identity guessing attacks.

In 2014, a smart-card-based scheme was advanced by Zhang et al. [10] to overcome the weaknesses of previous schemes. When a legal user attempts to communicate with the server, he must use the smart card as another authentication factor in addition to the password to achieve authentication. Later, Irshad et al. [11] demonstrated that Zhang et al.’s scheme is vulnerable to denial of service (DoS) attack and impersonation attack and advanced an improved scheme while optimizing the cost of their protocol. However, Irshad et al.’s scheme was suspected of being unable to resist user impersonation attack by Arshad and Nikooghadam [12], who advanced a new scheme in their paper. Unfortunately, Lu et al. [13] found that Arshad et al.’s scheme is still insecure against some attacks, such as key-compromise impersonation attack and trace attack. In order to correct the shortcomings of Arshad and Nikooghadam’s scheme, Lu et al. proposed a robust and efficient authentication scheme using ECC and demonstrated that their scheme is resistant to possible known attacks. Recently, we found that Arshad and Nikooghadam’s [12] scheme cannot resist user impersonation attack. Meanwhile, we observed that Lu et al.’s [13] scheme is insecure against server impersonation attack.

2. Motivations and Contributions

In this paper, we revisit Arshad and Nikooghadam’s and Lu et al.’s schemes and show that both are vulnerable to impersonation attack. Meanwhile, we propose our enhanced ECC-based scheme for SIP to make up for the shortcomings of Arshad et al.’s and Lu et al.’s schemes.

The rest of the paper is organized as follows. The review and cryptanalysis of Arshad and Nikooghadam’s scheme are given in Sections 3 and 4, respectively. The review and cryptanalysis of Lu et al.’s scheme are given in Sections 5 and 6, respectively. In Section 7, we present our scheme. Security analysis and performance analysis are given in Sections 8 and 9, respectively. Finally, the conclusion of this paper is given in Section 10.

3. Review of Arshad and Nikooghadam’s Scheme

In this section, we briefly review Arshad and Nikooghadam’s [12] scheme. Firstly, the notations used throughout Arshad et al.’s scheme are listed in Figure 1. Then, we review Arshad et al.’s scheme in four parts: the setup phase, the registration phase, the authentication and key agreement phase, and the password change phase.

3.1. Setup

Firstly, the server selects an elliptic curve equation and a secure one-way function . Then, the server selects a base point with order over , chooses an integer randomly and keeps it as a secret key, and computes the public key . Finally, the server publishes .

3.2. Registration

(1) The client generates a number randomly, chooses a password , computes , sends to the server, and stores in the memory device.
(2) If does not exist in the database, the server computes and stores it in its database.

3.3. Authentication and Key Agreement

In this part, we introduce the authentication and key agreement phase of Arshad and Nikooghadam’s scheme; the steps of this phase are also represented in Table 1.
(1) The client selects an integer randomly, computes , and sends to the server through the public channel.
(2) If exists in the database, the server selects an integer randomly, computes , , , and sends to the client. If does not exist in the database, the server terminates the session.
(3) The client computes and compares the values of and . If and are not equal, the session is stopped by the client. Otherwise, the client computes and . Then, is sent to the server.
(4) The server computes and compares the values of and . If is equal to , the server authenticates the client.

3.4. Password Change

(1) Firstly, a new password is chosen by the client. Then, the client generates a new random number , computes , , , and sends to the server.
(2) The server computes , , and verifies whether is equal to or not. If they are equal, the server computes and replaces with in the database. Then, the server sends to the client.
(3) The client calculates and, if it is equal to the received , replaces with in the memory device.

4. Cryptanalysis of Arshad and Nikooghadam’s Scheme

In this part, we prove that Arshad and Nikooghadam’s scheme cannot withstand server impersonation attack. To do so, the adversary performs the following steps.

Step 1. Suppose obtains when a client wants to communicate with the server. forges and , where is the server’s public key, then computes and sends to the client.

Step 2. After receiving , the client computes . Since , . Thus, and the verification will hold. The client authenticates the “server.” Then, the client computes , and . Finally, the client sends to .

Step 3. After receiving , does not need to compute and verify whether or not. only needs to compute , and then can be sure that he/she shares the same with the victim client.

From what has been discussed above, we conclude that Arshad and Nikooghadam’s scheme cannot resist server impersonation attack.

5. Review of Lu et al.’s Scheme

In this part, Lu et al.’s [13] scheme is reviewed. The notations used throughout their scheme are shown in Figure 2.

5.1. Registration

(1) chooses a password , selects a secret key , generates a number randomly, computes , and sends .
(2) calculates and stores in the database.

5.2. Authentication and Key Agreement

In this part, we briefly introduce the authentication and key agreement phase of Lu et al.’s scheme; the steps of this phase are also represented in Table 2.
(1) generates a number randomly, then computes , , , , and . Finally, sends .
(2) calculates , then computes , and checks whether equals . If they are equal, generates a number randomly, computes , , , and and sends to .
(3) computes , and verifies whether is equal to . If they are equal, computes and then sends to .
(4) checks whether equals . If the equation holds, and share the session key .

5.3. Password Change

(1) sends the message and to .
(2) If is equal to the value of that just calculated, then computes and replaces with .

6. Cryptanalysis of Lu et al.’s Scheme

In this part, we analyze the security of Lu et al.’s scheme and prove that it cannot resist user impersonation attack. To do so, suppose an adversary obtains of a legal user and intercepts when wants to send it to . can obtain by computing , and then masquerades as to communicate with by the following steps.

Step 1. generates a number randomly, computes , , , and . Then, sends to .

Step 2. computes , , and and checks if . Obviously, this equation holds, so authenticates the attacker as . Then, generates and computes , , , and and sends to .

Step 3. computes , , and checks whether equals . If they are equal, then calculates and sends to S.

Step 4. checks whether equals . Obviously, this equation holds, so the attacker shares the same session key with S.

From what has been discussed above, we conclude that Lu et al.’s scheme cannot resist user impersonation attack.

7. Our Proposed Scheme

An enhanced scheme for SIP is advanced in this section. Our scheme is based on the schemes of Irshad et al. and Lu et al. and corrects the problems that appeared in their schemes. The notations used throughout our scheme are listed in Figure 3. Our scheme is as follows:

7.1. Setup Phase

Firstly, an elliptic curve equation and a secure one-way function are selected by the server . Then, chooses a base point with order over and two random numbers , , and computes the public key . Finally, keeps , as its secret keys and publishes .

7.2. Registration

The registration phase is shown in Table 3, and the steps for user registration are as follows:

Step 1. The user chooses a number randomly, chooses a password , and computes . Then, sends to through a secure channel.

Step 2. calculates , , and . Then, stores and sends to through a secure channel.

Step 3. keeps in the memory device.

7.3. Authentication and Key Agreement

When a legal user attempts to obtain a session key shared with , the following steps are performed. The details of this phase are also shown in Table 4.

Step 1. The user selects an integer randomly, generates a time stamp , and then computes , , and . Finally, computes and sends to .

Step 2. checks the validity of the time stamp by checking the predicate , and aborts if the check fails. Then, computes and compares the value of with the stored . If they are equal, can be sure that the received and are a pair. After that, computes , , and and checks whether equals . If they are equal, authenticates the user . Then, chooses an integer randomly and computes , , , and . Finally, sends to .

Step 3. computes , , and and then checks whether equals the received . If they are equal, authenticates . Finally, computes and sends the message to .

Step 4. calculates and compares the value with the received . confirms that he/she shares the same session key with if is equal to .

7.4. Password Change

Step 1. chooses a number randomly, selects a new password , then computes , and sends to , where is the current session key and denotes the encryption of the message with the symmetric key .

Step 2. On receiving , computes , , and then computes , , and . Finally, replaces with and sends to , where denotes the decryption of the message with .

Step 3. After receiving , computes and . Finally, replaces with in the memory device.

8. Security Analysis for our Proposed Scheme

In this part, we first use Burrows-Abadi-Needham (BAN) logic to prove the correctness of our proposed scheme. Then, we use informal security analysis to show that our scheme is secure against various attacks.

8.1. Correctness Proof

In this section, we briefly introduce BAN logic and then prove the security of our proposed scheme using it.

8.1.1. Brief Introduction about BAN Logic

BAN logic is a belief-based logic proposed by Burrows, Abadi, and Needham, and it plays a significant role in analyzing authentication protocols. When applying BAN logic to protocol analysis, the messages of the protocol must first be idealized into formulas that BAN logic can recognize. Then, starting from reasonable initial assumptions, the inference rules are applied to the idealized protocol to determine whether it reaches the expected goals. Figure 4 lists some of the logical symbols and inference rules of BAN logic.

8.1.2. Verifying the Proposed Scheme with BAN Logic

(1) Goals

()

()

()

()

(2) Idealized scheme

(a): , , ,

(b):

(3) Initial premises

(n1)

(n2)

(n3)

(n4)

(n5)

(n6)

(n7)

(n8)

(n9)

(4) Proof of the proposed scheme

(p1) From , and by applying the message meaning rule, we deduce,

(p2) From and by applying the freshness conjuncatenation rule, we deduce,

(p3) From , and by applying the nonce-verification rule, we deduce,

(p4) From deduction and by applying the belief rule, we deduce,

(p5) From , and by applying the jurisdiction rule, we deduce,

(p6) From , and by applying the message meaning rule, we deduce,

(p7) From and by applying the freshness conjuncatenation rule, we deduce,

(p8) From , and by applying the nonce-verification rule, we deduce,

(p9) From deduction and by applying the belief rule, we deduce,

(p10) From , and by applying the jurisdiction rule, we deduce,

Therefore, our proposed scheme achieves mutual authentication and key agreement between and .
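As an added illustration of how the five rules used in steps (p1) to (p5) chain together, the following Python example (not from the paper) implements the message meaning, freshness conjuncatenation, nonce verification, belief and jurisdiction rules as a small forward-chaining checker. It runs on constructed placeholder premises, a user A, a server S, a long-term key Kas, a nonce Na and a proposed session key Ks, rather than on the paper's own idealized messages, which are not reproduced here.

```python
# Added example: a tiny forward-chaining checker for the BAN-logic rules used in
# steps (p1)-(p5). Statements are nested tuples; the premises below are
# constructed placeholders, not the paper's idealized scheme.
from itertools import product

# Constructors for BAN statements.
def believes(p, x):  return ('believes', p, x)   # P |= X
def sees(p, x):      return ('sees', p, x)       # P sees X
def said(q, x):      return ('said', q, x)       # Q once said X
def fresh(x):        return ('fresh', x)         # #(X)
def shares(p, q, k): return ('shares', p, q, k)  # P <-K-> Q
def controls(q, x):  return ('controls', q, x)   # Q has jurisdiction over X
def enc(x, k):       return ('enc', x, k)        # {X}_K
def conj(*xs):       return ('conj',) + xs       # (X, Y, ...)

def step(facts):
    """Apply every rule once and return only the facts that are new."""
    out = set()
    bel = [f for f in facts if f[0] == 'believes']
    seen = [f for f in facts if f[0] == 'sees']
    # Message meaning: P |= P <-K-> Q, P sees {X}_K  =>  P |= Q said X
    for b, s in product(bel, seen):
        st = b[2]
        if (st[0] == 'shares' and s[2][0] == 'enc' and b[1] == s[1]
                and st[3] == s[2][2] and b[1] in (st[1], st[2])):
            other = st[2] if b[1] == st[1] else st[1]
            out.add(believes(b[1], said(other, s[2][1])))
    for b1, b2 in product(bel, bel):
        if b1[1] != b2[1]:
            continue
        p, x, y = b1[1], b1[2], b2[2]
        # Freshness conjuncatenation: P |= #(X)  =>  P |= #(X, Y), restricted to
        # conjunctions P already believes someone said, so the fact set stays finite.
        if x[0] == 'fresh' and y[0] == 'said' and y[2][0] == 'conj' and x[1] in y[2][1:]:
            out.add(believes(p, fresh(y[2])))
        # Nonce verification: P |= #(X), P |= Q said X  =>  P |= Q |= X
        if x[0] == 'fresh' and y[0] == 'said' and y[2] == x[1]:
            out.add(believes(p, believes(y[1], x[1])))
        # Jurisdiction: P |= Q controls X, P |= Q |= X  =>  P |= X
        if x[0] == 'controls' and y[0] == 'believes' and y[1] == x[1] and y[2] == x[2]:
            out.add(believes(p, x[2]))
    for b in bel:
        # Belief rule: P |= Q |= (X, Y)  =>  P |= Q |= X  (and likewise for Y)
        st = b[2]
        if st[0] == 'believes' and st[2][0] == 'conj':
            for part in st[2][1:]:
                out.add(believes(b[1], believes(st[1], part)))
    return out - facts

def derive(premises):
    """Forward-chain to a fixpoint and return every derivable fact."""
    facts = set(premises)
    while True:
        new = step(facts)
        if not new:
            return facts
        facts |= new

# Constructed premises (assumed, not the paper's): A shares Kas with S, receives
# S's reply {Na, A <-Ks-> S}_Kas, believes Na is fresh, and trusts S on session keys.
A, S, KAS, NA, KS = 'A', 'S', 'Kas', 'Na', 'Ks'
GOAL = believes(A, shares(A, S, KS))
PREMISES = {
    believes(A, shares(A, S, KAS)),
    sees(A, enc(conj(NA, shares(A, S, KS)), KAS)),
    believes(A, fresh(NA)),
    believes(A, controls(S, shares(A, S, KS))),
}

def goal_reached(premises=PREMISES, goal=GOAL):
    """True if the goal belief is derivable from the premises."""
    return goal in derive(premises)

if __name__ == '__main__':
    print('goal reached:', goal_reached())
    print('without freshness premise:', goal_reached(PREMISES - {believes(A, fresh(NA))}))
```

Dropping the freshness premise makes the goal underivable, which is the same dependency the proof has on step (p2): without a fresh nonce, nonce verification never fires and the server's jurisdiction over the key is never usable.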

8.2. Informal Security Analysis

The security of our proposed scheme is discussed in this section. We show that our scheme is secure in the face of various attacks. Following [14], we define the capabilities of the attacker as follows:

(c1) can off-line enumerate the Cartesian product , where , denote the sizes of the identity space and password space, respectively

(c2) has full control of the communication channel

(c3) may either learn the victim’s password via malicious card readers, or extract the secret data in the card by side-channel attacks, but cannot realize both

(c4) can learn the previous session key(s)

(c5) can learn the server’s long-term private key(s) as well as all other data stored in the server only when evaluating the eventual failure of the server

8.2.1. Denning-Sacco Attack

In the Denning-Sacco attack [15], when the client or server leaks a previous session key, then tries to use it to obtain other session keys or a long-term key (for example, the client’s password or the server’s key).

Suppose has gained a session key . cannot obtain the user’s password since is hidden in a hash function . Besides, it is impossible for to obtain other session keys, as he/she does not know the values of and .

8.2.2. Man-in-the-Middle Attack (MITM)

In this attack, intercepts communication channels between users and the server and attempts to make them believe that they are communicating with each other directly.

In our proposed scheme, assume intercepts and . However, does not know and , so he/she is not able to figure out the right , and . will fail to cheat the server as a legal user. At the same time, is unaware of the server’s secret keys and . So cannot masquerade as a legal server, since he/she cannot compute the right and .

8.2.3. Off-Line Password Guessing Attack

In an off-line password guessing attack, keeps previous authentication messages. Then, selects a set of candidate passwords and uses the stored messages to verify whether one of them is the correct password.

In our proposed scheme, can obtain , , , , , and from the communication channel between the user and the server. But cannot compute the values of and to verify a candidate password, since does not know the values of , , , , and .

8.2.4. Replay Attack

In this attack, suppose grabs when a legal user tries to send REQUEST to the server, then replays it to the server to impersonate . However, since the attacker is unaware of and , the server can easily detect whether the attacker has modified the time stamp . If replays it to the server without any change, the server can tell that the message is invalid, since the verification of will not hold.
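The following Python example is an added illustration of the server-side checks this argument relies on, not code from the paper or the scheme itself: a keyed hash (HMAC-SHA256) over a constructed REQUEST stands in for the scheme's hash-and-point authenticator, the 30-second acceptance window is an assumed value for the time-stamp predicate, and the user identity, payload and secret are constructed. It also adds a caveat a practitioner would want: within the acceptance window the time stamp alone cannot distinguish a replay from the original, so a short-lived cache of accepted authenticators covers that gap.

```python
# Added example (not the paper's scheme): time-stamp window, authenticator check
# and replay cache on the server side. HMAC over a constructed message stands in
# for the scheme's authenticator; WINDOW is an assumed clock-skew bound.
import hmac
import hashlib
from collections import OrderedDict

WINDOW = 30  # assumed maximum accepted clock skew, in seconds

def _authenticator(key: bytes, user_id: bytes, payload: bytes, ts: int) -> bytes:
    """Keyed hash binding identity, payload and time stamp together."""
    msg = user_id + payload + ts.to_bytes(8, 'big')
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_request(key: bytes, user_id: bytes, payload: bytes, ts: int) -> dict:
    """Client side: a REQUEST carrying its time stamp and authenticator."""
    return {'id': user_id, 'payload': payload, 'ts': ts,
            'auth': _authenticator(key, user_id, payload, ts)}

class RequestVerifier:
    """Server side: freshness predicate, authenticator check, then replay cache."""
    def __init__(self, key: bytes, window: int = WINDOW):
        self.key, self.window = key, window
        self.seen = OrderedDict()  # authenticator -> ts, for requests still in the window

    def verify(self, msg: dict, now: int) -> str:
        # 1. Freshness predicate |now - ts| <= window: rejects old and future-dated requests.
        if abs(now - msg['ts']) > self.window:
            return 'stale'
        # 2. The authenticator must match; without the secret a changed ts cannot be re-signed.
        expected = _authenticator(self.key, msg['id'], msg['payload'], msg['ts'])
        if not hmac.compare_digest(expected, msg['auth']):
            return 'bad-auth'
        # 3. Inside the window a verbatim replay still passes 1 and 2, so remember what
        #    was accepted and forget entries once they fall outside the window.
        for auth, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[auth]
        if msg['auth'] in self.seen:
            return 'replay'
        self.seen[msg['auth']] = msg['ts']
        return 'ok'

def demo():
    """Constructed scenario: genuine request, replay, altered ts, replay after the window."""
    key = b'constructed-shared-secret'   # stands in for the user/server secret values
    srv = RequestVerifier(key)
    t0 = 1_700_000_000
    req = make_request(key, b'alice', b'ephemeral-point-bytes', t0)
    results = [srv.verify(req, t0 + 1)]               # genuine request -> 'ok'
    results.append(srv.verify(req, t0 + 2))            # verbatim replay -> 'replay'
    altered = dict(req, ts=t0 + 3)                     # ts changed, authenticator not
    results.append(srv.verify(altered, t0 + 3))        # -> 'bad-auth'
    results.append(srv.verify(req, t0 + WINDOW + 60))  # replay after window -> 'stale'
    return results

if __name__ == '__main__':
    print(demo())
```

The order of the checks matters for cost: the time-stamp predicate is the cheapest test and is done first, the keyed hash second, and the cache lookup last so that only authenticated requests ever populate it.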

8.2.5. Impersonation Attack

In this attack, the goal of is to impersonate a legal server or a legal user. Suppose a legal user attempts to use what he/she has got to masquerade as other users, and all s are available to him/her. That means is now one of the legal users. Then, can intercept and compute obviously. However, since is unknown to the attacker and by the hardness of ECDLP, cannot compute the correct . If uses his/her own and the victim user’s to compute , then uses his/her own , to compute and attempts to impersonate , the verification will not hold, since is matched with and when the server computes . Thus, our proposed scheme can withstand user impersonation attack.

Suppose tries to impersonate a legal server. Since the server’s secret keys and are unknown to , he/she cannot figure out the correct . Thus, the verification will fail on the user’s side.

8.2.6. Privileged Insider Attack

Suppose a privileged insider of the server obtains , , and of a legal user and then tries to impersonate to access the server. Since is only stored in the memory device kept by , and the server’s secret keys , are kept by the server, the attacker cannot get the right . Thus, the verification will not hold if a privileged insider wants to masquerade as the victim user.

8.2.7. Known Session Key Attack

If a previous session key has been divulged and attempts to compute a new session key, the attacker will not succeed, since each session key is independent of the others. Only if the attacker has the newest and can he/she have the opportunity to compute the newest .

8.2.8. Perfect Forward Secrecy

Perfect forward secrecy means that cannot obtain old session keys even if the secret key of the server or the user’s password has leaked. In our scheme, . cannot figure out previous session keys even if he/she gains the user’s password and the server’s secret key, because and are unknown to . Due to the hardness of ECDLP, it is practically impossible for to obtain from and from . Consequently, the proposed scheme achieves perfect forward secrecy.
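The Python example below is added here to make the ingredients of the setup phase (Section 7.1) and the forward-secrecy argument above concrete; it is not the paper's code and does not reproduce the scheme's exact messages. It uses a deliberately tiny textbook curve, y² = x³ + 2x + 2 over F₁₇ with base point P = (5, 1) of prime order 19, chosen only so that the arithmetic can be followed by hand; real deployments use standardised curves with primes of about 256 bits. The server secret s, the ephemeral scalars u and v, the time stamps and the key derivation by SHA-256 are all assumptions for the illustration.

```python
# Added example (not the paper's code): point arithmetic on a toy curve and an
# ephemeral exchange showing why later leakage of the long-term key s does not
# reveal a session key derived from u*v*P. Curve and scalars are constructed.
import hashlib

FIELD_P, CURVE_A, CURVE_B = 17, 2, 2   # y^2 = x^3 + 2x + 2 over F_17
BASE = (5, 1)                          # base point P
ORDER = 19                             # prime order of P (so 19*P = O)

def _inv(x):
    """Modular inverse in F_p (Python 3.8+ three-argument pow)."""
    return pow(x % FIELD_P, -1, FIELD_P)

def add(p1, p2):
    """Point addition on the curve; None represents the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None                                            # P + (-P) = O
    if p1 == p2:
        s = (3 * x1 * x1 + CURVE_A) * _inv(2 * y1) % FIELD_P   # tangent slope
    else:
        s = (y2 - y1) * _inv(x2 - x1) % FIELD_P                # chord slope
    x3 = (s * s - x1 - x2) % FIELD_P
    y3 = (s * (x1 - x3) - y1) % FIELD_P
    return (x3, y3)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result = None
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def session_key(shared_point, t_user, t_server):
    """Assumed derivation: hash the ephemeral shared point with both time stamps."""
    material = f'{shared_point}|{t_user}|{t_server}'.encode()
    return hashlib.sha256(material).hexdigest()

def run_exchange(server_secret, u, v, t_user=1000, t_server=1001):
    """Setup: public key sP. Exchange: U = uP from the user, V = vP from the server.
    Both sides reach u*v*P; a party holding only s and the transcript gets s*U instead."""
    server_pub = mul(server_secret, BASE)   # published in the setup phase
    U = mul(u, BASE)                        # user's ephemeral point, sent in clear
    V = mul(v, BASE)                        # server's ephemeral point, sent in clear
    return {
        'server_pub': server_pub,
        'user_key': session_key(mul(u, V), t_user, t_server),
        'server_key': session_key(mul(v, U), t_user, t_server),
        'shared_point': mul(u, V),
        # What leakage of s alone yields from the transcript (U, V, sP): not u*v*P,
        # because u and v were never transmitted and recovering them from U or V is ECDLP.
        'long_term_view': mul(server_secret, U),
    }

if __name__ == '__main__':
    r = run_exchange(server_secret=5, u=3, v=7)
    print('keys agree:', r['user_key'] == r['server_key'])
    print('shared point:', r['shared_point'], 'seen with s only:', r['long_term_view'])
```

On this curve 21·P wraps to 2·P = (6, 3) because the group has order 19, which is why the test below can state the shared point explicitly; on a real curve the scalars are not recoverable by such small-group reasoning, which is exactly the ECDLP assumption the forward-secrecy argument rests on.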

8.2.9. Anonymous and Untraceable

Suppose intercepts and . Since is unknown to , he/she cannot compute . Thus, our proposed scheme is anonymous to third parties. Besides, since a legal user uses a random number to compute and for each session, cannot trace who is communicating with .

8.2.10. Stolen Verifier Attack

Suppose obtains from the server’s database and tries to impersonate a legal user. Since the server’s secret is unavailable to , cannot figure out of a legal user as .

8.2.11. Stolen Memory Device Attack

Suppose has stolen the smart card of user and can extract the secret parameters from the smart card, then tries to attack the user by impersonation attack or off-line password guessing attack. Since the password is unknown to , will fail when he/she wants to impersonate the legal user. Suppose obtains a previous from the communication channel and decides to use off-line password guessing attack to find the user’s pair. However, is computed as , and will be frustrated because there are candidates for , where [16, 17] and , denote the sizes of the identity space and password space, respectively.

9. Performance Analysis

The performance comparison of our scheme with other related schemes [10–13] is presented in this section.

In Table 5, we compute the total computational costs of three phases (the registration phase, the authentication and key agreement phase, and the password change phase) of our scheme and compare them with other schemes. To represent the cost of each operation, we define some notations in Figure 5.

According to [18, 19], an elliptic curve point multiplication operation takes 2.226 ms, an elliptic curve point addition operation costs 0.0288 ms, a one-way hash function takes 0.0023 ms, a modular inversion operation takes 0.0056 ms, and generating a random number needs 0.539 ms.

Figure 6 shows the comparison of security attributes between our scheme and other schemes. Our scheme is resistant to various attacks. In contrast, Zhang et al.’s [10] and Irshad et al.’s [11] schemes cannot withstand impersonation attack and are neither anonymous nor untraceable, and Arshad et al.’s [12] scheme fails to achieve anonymity and untraceability and cannot stand up to impersonation attack. Meanwhile, Lu et al.’s [13] scheme cannot resist impersonation attack. Our scheme’s computational cost is lower than that of Irshad et al.’s and Zhang et al.’s schemes while providing better security. Despite having slightly higher computational cost, our scheme performs better in security attributes than Arshad et al.’s and Lu et al.’s schemes. From what we have discussed above, we conclude that our proposed scheme is efficient and can withstand various known attacks.

10. Conclusion

In this paper, we have demonstrated that Arshad et al.’s scheme cannot withstand user impersonation attack and Lu et al.’s scheme is not secure against server impersonation attack. In order to remedy the weaknesses of their schemes, we present an enhanced anonymous and efficient ECC-based authentication scheme for SIP. Our scheme inherits the merits of Arshad and Nikooghadam and Lu et al.’s schemes while standing up to user and server impersonation attacks that their schemes failed to satisfy. We use BAN logic and informal analysis to demonstrate the correctness and security of our scheme. Therefore, our proposed scheme is suitable and practical for SIP.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

Our work was jointly supported by the National Natural Science Foundation of China (No. 61872051, No. 61702067), the Chongqing Natural Science Foundation of China (No. cstc2020jcyj-msxmX0343), and the Venture & Innovation Support Program for Chongqing Overseas Returnees (No. CX2018122).