Security Analysis and Improvement of an Anonymous Authentication Scheme for Roaming Services

An anonymous authentication scheme for roaming services in global mobility networks allows a mobile user visiting a foreign network to achieve mutual authentication and session key establishment with the foreign-network operator in an anonymous manner. In this work, we revisit He et al.'s anonymous authentication scheme for roaming services and present previously unpublished security weaknesses in the scheme: (1) it fails to provide user anonymity against any third party as well as the foreign agent, (2) it cannot protect the passwords of mobile users due to its vulnerability to an offline dictionary attack, and (3) it does not achieve session-key security against a man-in-the-middle attack. We also show how the security weaknesses of He et al.'s scheme can be addressed without degrading the efficiency of the scheme.


Introduction
As wireless network and communication technologies advance, there has been a dramatic increase in the use of lightweight computing devices, such as sensors, smart phones, and tablet PCs, in our daily lives. To enjoy the convenience of mobility, a roaming service should be provided seamlessly, with respect to both availability and security, by means of a visited foreign network. In general, three parties (a mobile user, a foreign agent, and the home agent) participate in a roaming process. A seamless roaming service requires significant security challenges to be addressed among the participants. Basically, authentication and key establishment between the mobile user and the foreign agent should be achieved with the assistance of the home agent, to prevent illegal usage of the network and to protect their subsequent communications. Achieving anonymity of the mobile user is also important in a roaming service to protect the privacy of the user. Anonymity has recently been identified as a major security property for many applications, including location-based services, anonymous web browsing, and e-voting. These security challenges and their cryptographic solutions, commonly called anonymous authentication schemes, constitute an active research area.
The first anonymous authentication scheme for roaming services was proposed by Zhu and Ma [1] in 2004. This initial proposal has been followed by a number of authentication schemes offering various levels of security and efficiency. Some schemes [2][3][4] have been proven secure using a computer security approach, while others (e.g., [5][6][7]) justify their security on purely heuristic grounds without providing any formal analysis of security. However, despite all the work conducted over the last decade, it still remains a challenging task to come up with an authentication scheme that meets all the desired goals for roaming services [8]. Most of the existing schemes fail to achieve important security properties such as user anonymity [2,6], session-key security [9], perfect forward secrecy [10], two-factor security [11], resistance against impersonation attacks [12], and resistance against offline dictionary attacks [13]. For this domain, all published schemes are far from ideal, as evidenced by a continual history of schemes being proposed and years later found to be flawed.
Recently, Xie et al. [4] proposed a new authentication scheme for roaming services and claimed that their scheme not only provides efficiency and user friendliness but also is secure against various attacks. But He et al. [
Throughout the paper, we make the following assumptions on the capabilities of the probabilistic polynomial-time adversary, in order to properly capture the security requirements of two-factor authentication schemes using smart cards in global mobility networks.
(i) The adversary has the complete control of all message exchanges between the three parties: a mobile user, the foreign agent, and the home agent. That is, the adversary can eavesdrop, insert, modify, intercept, and delete messages exchanged among the parties at will [14][15][16].
(ii) The adversary is able to (1) extract the sensitive information on the smart card of a mobile user, possibly via a power analysis attack [17,18], or (2) learn the password of the mobile user through shoulder surfing or by employing a malicious card reader. However, the adversary is not allowed to compromise both the information on the smart card and the password of the mobile user; clearly, there is no way to prevent the adversary from impersonating the mobile user if both factors are compromised.

A Review of He et al.'s Scheme
He et al.'s authentication scheme [12] consists of three phases: the registration phase, the login and key agreement phase, and the password update phase. The system parameters listed in Table 1 are assumed to have been established before the scheme is used in practice. Let ‖ and ⊕ denote the string concatenation operation and the bitwise exclusive-OR (XOR) operation, respectively.
(1) chooses its identity and password freely and sends the identity to via a secure channel.

Login and Key Agreement Phase.
This phase is carried out whenever visits a foreign network and wants to gain access to the network. During this phase, mutual authentication and session-key establishment are conducted between and with the help of . Algorithm 1 depicts how the phase works, and its description follows.
Step 1. inserts its smart card into the card reader and inputs its identity and password . Next, retrieves the current timestamp 1 , chooses a random number ∈ Z * , and computes Then, sends the message 1 = ⟨ , 1 , , ⟩ to the foreign agent .
Algorithm 1: Login and key agreement phase of He et al.'s scheme [12].
Step 2. Upon receiving 1 , checks the freshness of the timestamp 1 . If it is not fresh, aborts the session. Otherwise, retrieves the current timestamp 2 , computes and sends the message 2 = ⟨ , 2 , ⟩ to .
Step 3. and sends the message 3 = ⟨ , 3 , ⟩ to .
Step 4. decrypts with key and checks the freshness of the timestamp 3 . If 3 is fresh, chooses a random number ∈ Z * and computes (Note, here, that the timestamp 3 (received from ) is used in generating the ciphertext , since will need it to check the validity of .) Then, sends the message 4 = ⟨ , 3 , , ⟩ to and computes the session key = ( + 1).
Step 5. first checks the freshness of the timestamp 3 and aborts the session if it is not fresh. Otherwise, computes = mod and = ( ), decrypts with key , and verifies that the decryption correctly returns , , and 3 . If the verification succeeds, checks whether is equal to and, if so, computes the session key = ( + 1).

Password Update Phase.
One of the general guidelines for better password security is to ensure that passwords are changed at regular intervals. He et al.'s scheme allows mobile users to freely update their passwords.
(1) inserts his smart card into a card reader and enters both the current password and the new password .

Weaknesses in He et al.'s Scheme
In this section, we point out four weaknesses in He et al.'s scheme, starting with the most obvious one. This weakness is straightforward to see, as the identity of , , is given to via the ciphertext (see Step 4 of the login and key agreement phase of the scheme).
Weakness 2 is due to the fact that is computed using the bitwise XOR operation, whereas the multiplicative subgroup of Z * is not closed under the XOR operation. This design flaw allows an adversary to find out the password by mounting an offline dictionary attack if the subgroup is much smaller than Z * . We observe, for He et al.'s scheme, that (1) and are defined as two primes such that = + 1 for some ∈ N and (2) the random exponents and are chosen from Z * . Based on these observations, it is reasonable to speculate that He et al.'s scheme was designed to work in a multiplicative subgroup of Z * that has prime order , though this is not explicitly mentioned by the authors. For simplicity, let us denote the prime-order subgroup by G. Since and are computed as = ( ) mod and = ( ) mod , it ought to be the case that ∈ G, which in turn implies that is a hash function mapping arbitrary strings into elements of G.
Now, assume that an adversary A has gained temporary access to the smart card of and has obtained the value of stored there (possibly by employing a power analysis attack [17]). Then, note that can be used as a password verifier in an offline dictionary attack, because is computed as = ⊕ (1‖ ) while G is not closed under the bitwise XOR operation. Let PW be the set of all possible passwords. The adversary A can mount an offline dictionary attack as follows.
Step 1. A makes a guess ∈ PW on the password and computes = ⊕ (1‖ ) .
Step 2. A then checks whether is an element of G or not. If ∉ G, A deletes from the dictionary PW (i.e., PW = PW \ { }). Note that ∉ G implies ≠ .
If is a safe prime (i.e., = 2 + 1), then this attack would fail, as it would cut the size of PW only by about half. However, if is much greater than (e.g., log 2 ≈ 512 and log 2 ≈ 256), the dictionary attack will succeed in determining the correct password with overwhelming probability. Similar dictionary attacks have also been mounted against key exchange protocols; see, for example, [19]. Weakness 2 can be easily addressed by replacing the bitwise XOR operation with the multiplication operation.
Next, we identify two other major weaknesses in He et al.'s scheme. We demonstrate Weaknesses 3 and 4 by mounting a type of man-in-the-middle attack against the scheme. The attack scenario is outlined in Figure 1 and is detailed as follows.
Step 1. As a preliminary step, the adversary A chooses a random number ∈ Z * and computes = ( ) mod , where denotes an arbitrary identity.
Step 2. When sends the first message 1 = ⟨ , 1 , , ⟩ to , A eavesdrops on this message to obtain and . Immediately after the eavesdropping, A retrieves the current timestamp 1 and sends a fake message 1 = ⟨ , 1 , , ⟩ to as if it were another roaming request from a mobile user.
Step 4. A intercepts the message 2 while letting 2 reach its destination, . Since 2 is a valid message, will compute and send the message 3 = ⟨ , 3 , ⟩ to .
Step 5. A redirects the message 3 so that it is delivered to Π instead of Π . As a result, Π will not receive any response message and thus will abort after a certain amount of time.
Step 6. After decrypting , and since 3 is fresh, Π will proceed as per the protocol specification. That is, Π will choose a random number ∈ Z * , compute send the message 4 = ⟨ , 3 , , ⟩ to , and then compute its session key as
Step 7. A intercepts the message 4 , computes = mod and = ( ), and decrypts with key to obtain , , and . Then, A chooses a random number ∈ Z * , computes and sends the message 4 = ⟨ , 3 , , ⟩ to as if it were from .
Step 8. Upon receiving 4 , will proceed to compute its session key where is computed as = mod , because (1) 3 is fresh, (2) decryption of with key correctly yields , , and 3 , and (3) is equal to
Step 9. A computes the two session keys, and , in the straightforward way.
Through the attack, user anonymity is completely compromised, as the identity of , , is disclosed to the adversary A in Step 7. From the viewpoint of session-key secrecy, the effect of our attack is the same as that of a man-in-the-middle attack. At the end of the attack, and believe that they have established a secure session with each other sharing a secret key, while in fact each of them has shared its key with the adversary A. As a result, A can not only access and relay any confidential messages between and but also send arbitrary messages for its own benefit, impersonating one of them to the other. Man-in-the-middle attacks similar to the attack above have also been presented against various key exchange protocols; see, for example, [20,21].

Our Improved Scheme
We now show how to address all the weaknesses identified in He et al.'s scheme without degrading the efficiency of the scheme. Let G be a cyclic group of prime order . A standard way of generating G is to choose two large primes , such that = + 1 for some small ∈ N (e.g., = 2) and let G be the subgroup of order in Z * . Hereafter, we will omit "mod " from expressions for notational simplicity. Assume that the master secret key of , , is an element of Z * (i.e., ∈ Z * ) and the secret key shared between and , ,
We begin by presenting how to address Weaknesses 3 and 4 (described in the previous section). He et al.'s scheme is vulnerable to the man-in-the-middle attack because there is no way for an instance of to check whether the received ciphertext was sent in response to its own request or to another instance's request. This design flaw allows the adversary to exploit 's response sent for one session as the response for another session. To prevent the attack, we suggest modifying the computation of the ciphertext from
The timestamp 2 is now included as part of the plaintext to be encrypted to . The inclusion of 2 tightly links 's request and 's response and thus effectively prevents the man-in-the-middle attack.
However, with the above modification alone, He et al.'s scheme cannot fully achieve user anonymity, in the sense that the identity of is still disclosed to . Therefore, we suggest further modifying the computation of as follows:
The ciphertext is now generated using ( ) instead of . This modification prevents from immediately learning via decryption of .
We next present a possible way of eliminating the vulnerability of He et al.'s scheme to offline dictionary attacks. Recall that this vulnerability is due to the fact that is computed using the bitwise XOR operation, whereas the multiplicative subgroup of Z * is not closed under the XOR operation. Given the flaw in the design, the solution is clear: use the multiplication operation instead of the XOR operation when computing . Hence, we change the computation of from
Accordingly, the computation of should also be changed to
Finally, we suggest the following additional changes to resolve some notational ambiguities and to correct the misuse of the hash function :
As a result of the above modifications, the password update phase is modified as follows.
(1) inserts his smart card into a card reader and enters the identity , the current password , and the new password .
Combining the above modifications yields the improved authentication scheme described in Algorithm 2. Our scheme improves He et al.'s scheme in various aspects: (1) it enjoys anonymity of the mobile user against any party other than the home agent , including the foreign agent ; (2) it withstands offline dictionary attacks even when the information in the smart card is disclosed; (3) it protects the security of session keys against man-in-the-middle attacks. Clearly, the performance of our scheme is similar to that of He et al.'s scheme. Hence, our improvement enhances the security of He et al.'s scheme while maintaining its efficiency.

Concluding Remarks
This work demonstrated that He et al.'s authentication scheme for roaming services fails to achieve major security properties, namely user anonymity, password security, and session-key security, in the presence of a malicious adversary. We have shown that the failure to achieve user anonymity and session-key security is due to the vulnerability to a man-in-the-middle attack, while the failure to achieve password security is due to the vulnerability to an offline dictionary attack. Note that the latter vulnerability implies that He et al.'s scheme does not achieve two-factor security. We hope that security flaws similar to those identified in this work can be prevented in the future design of anonymous authentication schemes.
This work also showed how the security of He et al.'s authentication scheme can be improved without efficiency degradation. Our improved scheme not only protects user anonymity against any third party other than the home agent but is also secure against offline dictionary attacks as well as man-in-the-middle attacks. We leave it as future work to design an anonymous authentication scheme for roaming services that achieves provable security in a well-defined communication model while providing the same (or even better) level of efficiency as the schemes studied in this paper.