Robust and Efficient Authentication Scheme for Session Initiation Protocol

The Session Initiation Protocol (SIP) is a powerful application-layer protocol that is used as a signaling protocol for establishing, modifying, and terminating sessions among participants. Authentication becomes a crucial issue whenever a user requests access to SIP services. Many authentication schemes have been proposed to enhance the security of SIP. In 2014, Arshad and Nikooghadam proposed an enhanced authentication and key agreement scheme for SIP and claimed that their scheme could withstand various attacks. In this paper, we show that Arshad and Nikooghadam's scheme is still susceptible to key-compromise impersonation and trace attacks and does not provide proper mutual authentication. To overcome these flaws, we propose a secure and efficient ECC-based authentication scheme for SIP. Through informal and formal security analyses, we demonstrate that our scheme is resilient to the known attacks, including those found in Arshad and Nikooghadam's scheme. In addition, the performance analysis shows that our scheme has similar or better efficiency than other existing ECC-based authentication schemes for SIP.


Introduction
Multimedia services are one of the most important application classes of wired and wireless networks. The Session Initiation Protocol (SIP) is one of the most important protocols supporting multimedia services, since it manages sessions such as multimedia distribution, Internet telephone calls, and Internet multimedia conferences [1]. Authentication is an essential security requirement when a user wants to access SIP services. Therefore, the security of SIP [2] has received a lot of attention, and SIP authentication has become a crucial topic in modern multimedia services.
Up to now, a great deal of research has focused on proposing secure and efficient authenticated key agreement schemes that provide various security properties for SIP. In 2005, Yang et al. [3] showed that the Hypertext Transfer Protocol (HTTP) digest authentication procedure used by SIP could not resist offline password guessing and server-spoofing attacks. To resolve these problems, Yang et al. proposed an improved scheme based on the Diffie-Hellman key exchange protocol. Later on, Huang et al. [4] found that Yang et al.'s protocol was insecure against the offline password guessing attack and presented an improved scheme to enhance its security. Jo et al. [5] then demonstrated that Huang et al.'s scheme was still vulnerable to the offline password guessing attack. Based on Yang et al.'s study, Durlanik and Sogukpinar [6] proposed an authentication scheme for SIP based on Elliptic Curve Cryptography (ECC) [7]. Compared with other public-key cryptosystems, ECC achieves the same security level with a smaller key size [8]; therefore, the scheme of Durlanik and Sogukpinar is considered more efficient than Yang et al.'s scheme. Later, Wu et al. [9] also proposed an ECC-based authentication scheme for SIP. However, Yoon et al. [10] showed that both Durlanik and Sogukpinar's scheme and Wu et al.'s scheme were susceptible to the offline password guessing, Denning-Sacco, and stolen-verifier attacks, and proposed an enhanced authentication scheme for SIP to overcome these weaknesses. Unfortunately, Pu [11] showed that Yoon et al.'s scheme was still prone to the offline password guessing and replay attacks.
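The offline password guessing attack on HTTP digest authentication that Yang et al. pointed out is the recurring weakness in the history above, so it is worth seeing concretely. The following Python code is an added example and is not part of the paper: it builds a SIP REGISTER Authorization header the way a Digest client would (RFC 3261 reuses the RFC 2617 MD5 digest), then recovers the password from that header alone with a wordlist. Username, realm, nonce, URI and response all travel in the clear, so an eavesdropper can test candidates against the captured response without ever contacting the server. The realm, nonce, password and wordlist are constructed for the example.

```python
"""Offline password guessing against SIP Digest authentication (added example).

Everything an attacker needs (username, realm, nonce, uri, response) is sent in
clear text in the Authorization header; only the password is secret, and it can be
tested offline against the captured response.
"""
import hashlib
import re
from typing import Dict, Iterable, Optional


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 MD5 digest without qop: response = MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username: str, realm: str, password: str,
                        method: str, uri: str, nonce: str) -> str:
    """What a legitimate client sends; this simulates the captured traffic."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_authorization(header: str) -> Dict[str, str]:
    """Split a Digest header into its parameters (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,]+))', params):
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        fields[m.group(1)] = value
    return fields


def offline_guess(header: str, method: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose digest matches the captured response.

    No interaction with the server is needed, which is what makes the attack
    offline: every candidate is checked locally against public values.
    """
    f = parse_authorization(header)
    for guess in wordlist:
        if digest_response(f["username"], f["realm"], guess,
                           method, f["uri"], f["nonce"]) == f["response"]:
            return guess
    return None


# Constructed capture (assumed values): what an eavesdropper on the signalling
# path between the user agent and the registrar would see.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CAPTURED_AUTH = build_authorization("alice", "sip.example.test", "letmein",
                                    "REGISTER", "sip:sip.example.test", NONCE)
# Constructed wordlist for the example.
WORDLIST = ["123456", "password", "alice2014", "letmein", "qwerty"]

if __name__ == "__main__":
    print(CAPTURED_AUTH)
    print("recovered password:", offline_guess(CAPTURED_AUTH, "REGISTER", WORDLIST))
```

The method name is part of HA2, so the attacker must know which request the header belonged to; that is trivially available from the same captured SIP message. Adding a client nonce or qop does not change the picture, since those values are public too. This is why the schemes surveyed above move to Diffie-Hellman or ECC-based key agreement, where the transmitted values do not act as a verifier for the password.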
In order to reduce the high computational cost, Tsai [12] suggested an efficient authenticated key agreement scheme that uses only one-way hash functions and exclusive-or operations. Nevertheless, Tsai's scheme was shown to be vulnerable to the offline password guessing attack [13, 14]. Yoon et al. [14] proposed an enhanced scheme to overcome the weaknesses of Tsai's scheme. However, Xie [15] demonstrated that Yoon et al.'s scheme did not resist the stolen-verifier and offline password guessing attacks, and proposed an improved scheme. Nevertheless, Farash and Attari [16] discovered that Xie's scheme was still insecure against the impersonation and offline password guessing attacks and presented an improved scheme to solve these problems. Recently, Zhang et al. [17] proposed an efficient and flexible password-authenticated key agreement protocol for SIP using smart cards and claimed that their protocol was secure against various attacks. However, Zhang et al.'s scheme suffers from the impersonation attack [18, 19]. To tackle the problem, Tu et al. [18] and Irshad et al. [19] each proposed an improved authentication scheme based on Zhang et al.'s scheme. Unfortunately, Arshad and Nikooghadam [20] demonstrated that Irshad et al.'s scheme could not withstand the user impersonation attack. Arshad and Nikooghadam then proposed an enhancement of Irshad et al.'s scheme to remedy this attack and claimed that their scheme was immune to many known attacks.
In this study, we show that the scheme of Arshad and Nikooghadam is insecure against key-compromise impersonation and trace attacks and fails to provide proper mutual authentication. To overcome these weaknesses, we propose a robust and efficient authentication scheme using ECC. Through informal and formal security analyses, we demonstrate that our scheme is resilient to the known attacks, including those found in Arshad and Nikooghadam's scheme. In addition, the performance analysis shows that our scheme has similar or better efficiency than other related ECC-based authentication schemes for SIP.
The remainder of this paper is organized as follows. Section 2 provides the preliminaries and notations used in this paper. The review and the security analysis of Arshad and Nikooghadam's scheme are given in Sections 3 and 4, respectively. Section 5 presents our proposed scheme, and Section 6 analyzes its security. Section 7 compares the performance and functionality of the proposed scheme with related schemes. Section 8 concludes the paper.

Preliminaries
In this section, the notations used in this paper are described in Section 2.1. We also recall the definitions of the hash function [21] and of the Elliptic Curve Discrete Logarithm Problem (ECDLP) [7], which we use in the security analysis of Arshad and Nikooghadam's scheme and of our improved scheme.

Notations.
We use the notations that are listed below throughout the rest of the paper.
, : user and server
, : identity and password of
ℎ(⋅): hash function
, : secret keys selected by and
⊕, ‖: exclusive-or operation and concatenation operation.

ECDLP.
In an elliptic curve cryptosystem, the elliptic curve equation is defined as the form of   (, ) :

Review of Arshad and Nikooghadam's Scheme
In this section, we review Arshad and Nikooghadam's authentication scheme for SIP. Their scheme is composed of three phases: registration, authentication, and password change.

Authentication
(2) After receiving the message, computes and checks whether it is equal to the received message. If they are equal, replaces with in the database.

Cryptanalysis of Arshad and Nikooghadam's Scheme
In this section, we show that Arshad and Nikooghadam's scheme is vulnerable to key-compromise impersonation and trace attacks and does not provide proper mutual authentication. The following attacks are based on the assumption that a malicious attacker A has complete control over the communication channel connecting and during the login and authentication phase, so that A can eavesdrop on, modify, insert, or delete any message transmitted over the public channel [22-24].

Key-Compromise Impersonation Attack.
A key-compromise impersonation attack means that A knows the long-term secret key of one participating entity and can impersonate that entity to the other participating entities [25]. In Arshad and Nikooghadam's scheme, if the secret key of is compromised by A, he can launch a user impersonation attack as follows.
(1) A compromises and steals the information { , } kept in its database. He then generates a random number and computes = . Finally, he sends the forged message ( , ) to .
= . Obviously, the equation holds, and A then computes and sends the message ( , , ) to .
(4) After receiving the response message, checks whether ℎ( 1) holds. In this way, believes that he has successfully established a session key with , whereas it is the adversary who has fooled by imitating the legal user.

Trace Attack.
In the authentication phase of Arshad and Nikooghadam's scheme, the user sends request messages containing the user's identity to without any protection. Since the identity is sent over an open communication channel, A can intercept the message using the assumed capability. With the user's identity, A can trace which services the user accesses and how long the user stays logged in to the system. Since may keep a system log recording what the user did, the user's privacy may be leaked. Furthermore, A may trace the user's location from the user's IP address. The trace attack seriously invades the user's privacy and can be used to commit real crimes such as kidnappings.

Lack of Proper Mutual Authentication.
Store , . In this situation, anyone can forge and send a request message to , which leads to regarding as a cheater, whereas is actually an honest user. This obviously wastes a great deal of computing and communication resources.

Proposed Authentication Scheme for SIP
In this section, we propose a novel mutual authentication scheme based on ECC, which consists of three phases: registration, authentication, and password change.

Registration
(1) freely selects his password and his own secret key and generates a random number 1 . Then computes = ℎ( ‖ ) and submits { , 1 , } to through a secure channel.

Security Analysis
In this section, we first adopt Burrows-Abadi-Needham (BAN) logic [26] to demonstrate that the proposed scheme works correctly by achieving its authentication goals. Then, we analyze the security of the enhanced scheme through both informal and formal analyses.

BAN logic [26] is a set of rules for defining and analyzing information exchange schemes. It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both, and it has been highly successful in analyzing the security of authentication schemes [27, 28]. In this subsection, we prove with BAN logic that a session key between the communicating parties is correctly generated during the authentication process. First, we introduce the notations and logical postulates of BAN logic that we use in our analysis. The results of analyzing our scheme with BAN logic demonstrate that the proposed scheme achieves the security goal of mutual authentication between and .

Informal Security Analysis.
In this subsection, we examine whether the enhanced scheme is secure and consider its ability to resist various known attacks. As before, the attacks are based on the assumption that a malicious adversary A has total control over the communication channel connecting and in the authentication phase, so that A can intercept, insert, delete, or modify any message transmitted over the public channel [22-24].

User Anonymity and Untraceability.
Suppose A eavesdrops on the request message ( 1 , , 2 ), the challenge message (, 3 , ℎ ), and the response message (, ℎ ) from the public channel. To obtain from these values by guessing and verifying, A would need the knowledge of {{ , 1 , }, { 3 }, { 2 }}. Since and compute different 1 and 3 with new random numbers ( 1 , 2 ) and 3 in each session, A is not able to trace who communicates with by monitoring the channel. This shows that the proposed scheme provides user anonymity.

Insider Attack.
In our scheme, it is computationally infeasible to derive the password from = ℎ( ‖ ) because of the one-wayness of the hash function and the secrecy of the key of . Therefore, the proposed scheme can withstand the insider attack.

Perfect Forward Secrecy.
If 's password , the secret key , and 's secret key are all compromised, this does not allow A to determine the session key of a past session, since A cannot compute 1 2 from 1 and 3 because of the secure one-way hash function and the ECDLP.

Mutual Authentication.
In our scheme, and authenticate each other by checking 2 , ℎ , and ℎ , respectively. Therefore, our scheme provides mutual authentication.

Key-Compromise Impersonation Attack.
Assume that A intercepts the request, challenge, and response messages. Supposing that the secret key of is compromised by A, he cannot pass the verification of , since the random number 1 is not known to him. On the other hand, supposing that the secret key of is compromised by A, he cannot impersonate to cheat : since A does not know the identity and 1 of , he cannot compute the correct value and hence cannot be authenticated by . Therefore, the proposed scheme withstands the key-compromise impersonation attack.

Algorithm 1: Algorithm ,A , .
(9) and the session key between and , respectively
(10) return 1 (success)
(11) else
(12) return 0 (failure)
(13) end if

Offline Password Guessing Attack.
Since A cannot know the user's identity , the secret key , or the random number 1 , he cannot compute the value = ℎ( ‖ 1 ‖ ℎ( ‖ )) to verify a guessed password against the recorded messages. Therefore, our scheme resists the offline password guessing attack.

Known Session Key Security.
Because 1 and 3 are generated randomly and independently in every session, the session key = 1 3 of each session is independent of the session keys of all other sessions. Therefore, the proposed scheme ensures known session key security.
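The perfect forward secrecy and known session key arguments above both rest on two facts about elliptic curve groups: the ECDLP is hard, so the scalars cannot be recovered from the transmitted points, and a joint multiple of the base point can be computed by either party from its own random scalar and the other party's public point. The following Python code is an added illustration and is not part of the paper or of the proposed scheme. It implements the group law on a constructed toy curve over the 97-element field (far too small to be secure, which is exactly why the brute-force ECDLP solver succeeds on it), double-and-add scalar multiplication, and a two-party exchange in which each side derives the same joint multiple from fresh random scalars. The curve parameters, the base point and the scalars are assumptions chosen for the example.

```python
"""Toy elliptic-curve arithmetic: ECDLP and joint-multiple session keys (added example).

Constructed parameters, not secure: a 7-bit field is chosen so that every step can
be checked by hand and so that exhaustive ECDLP search visibly succeeds.
"""
from typing import Optional, Tuple

# Constructed toy curve E(F_p): y^2 = x^3 + A*x + B over F_97.
P_MOD = 97
A = 2
B = 3
G = (3, 6)  # base point: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity O


def is_on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p: Point, q: Point) -> Point:
    """Group law on E(F_p): identity, inverse pairs, doubling and the generic case."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # p == -q; also covers doubling a point with y == 0
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Compute k*pt with right-to-left double-and-add (not constant time; toy only)."""
    if k < 0:
        raise ValueError("scalar must be non-negative")
    result: Point = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(pt: Point) -> int:
    """Smallest n > 0 with n*pt == O; only feasible because the curve is tiny."""
    n, q = 1, pt
    while q is not None:
        q = point_add(q, pt)
        n += 1
    return n


def solve_ecdlp_bruteforce(base: Point, target: Point) -> Optional[int]:
    """Recover k with k*base == target by walking the whole subgroup.

    This is the computation the ECDLP assumption says is infeasible for real
    curve sizes; here it finishes in at most ~100 additions.
    """
    q: Point = None
    for k in range(point_order(base)):
        if q == target:
            return k
        q = point_add(q, base)
    return None


def simulate_key_agreement(r_user: int, r_server: int):
    """Each side publishes only its multiple of G and derives the joint multiple.

    Returns (user's public point, server's public point, user's key, server's key).
    The two keys agree because r_user*(r_server*G) == r_server*(r_user*G).
    """
    user_pub = scalar_mult(r_user, G)        # sent by the user over the channel
    server_pub = scalar_mult(r_server, G)    # sent by the server over the channel
    sk_user = scalar_mult(r_user, server_pub)
    sk_server = scalar_mult(r_server, user_pub)
    return user_pub, server_pub, sk_user, sk_server


if __name__ == "__main__":
    user_pub, server_pub, sk_u, sk_s = simulate_key_agreement(5, 11)
    print("joint key agrees:", sk_u == sk_s, sk_u)
    print("attacker recovers user scalar:", solve_ecdlp_bruteforce(G, user_pub))
```

The brute-force solver is the attacker's side of the perfect forward secrecy argument: an eavesdropper holding the two public points can only compute the joint multiple by first solving the ECDLP for one of the scalars, which is what succeeds on this 97-element toy field and fails on a standardised 256-bit curve. Because the scalars are drawn fresh for every run, two runs of simulate_key_agreement with different scalars yield unrelated keys, which is the known session key property argued above.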
Formal Security Analysis of the Proposed Scheme.
In this subsection, we provide a formal security analysis of our scheme and show that it is secure. We first define the following oracles.
Reveal 1. This random oracle unconditionally outputs the input from a given hash value = ℎ().
Reveal 2. This random oracle unconditionally outputs from the given points and = on the elliptic curve (, ).
Theorem 1. Under the ECDLP assumption, our scheme is secure against an adversary A deriving the identity and password of a legal user and the session key between and , provided that the hash function ℎ(⋅) closely behaves like a random oracle.
Proof. The formal security proof of our scheme is similar to those in [29-31]. A runs the experimental algorithm ,A , shown in Algorithm 1 against our robust and efficient authentication scheme for SIP, REASSIP for short.
Define the success probability of ,A , as ,A , = |2[ ,A , = 1] − 1|; the advantage function for this experiment is then V ,A , (, 1 , 2 ) = max A , , where the maximum is taken over all A with execution time and numbers of queries 1 and 2 to the Reveal 1 and Reveal 2 oracles, respectively. If A were able to invert the hash function and solve the ECDLP, he could directly derive 's identity , password , and the session key between and , and would thus discover the complete connection between and . However, it is computationally infeasible to invert a given hash value or to output from the given points and ; that is, V A ( 1 ) ≤ and V A ( 2 ) ≤ for every > 0. Hence, V ,A , (, 1 , 2 ) ≤ , as it depends on V A ( 1 ) and V A ( 2 ). Therefore, our scheme is provably secure against A deriving , , and .

Security Properties and Performance Comparison
In this section, we show that our proposed scheme satisfies many security attributes and has a lower computation cost. Comparisons of the security properties and of the performance cost between our scheme and the related schemes in [13-20] are given in Table 3 and Figure 1, respectively. Table 3 shows that our scheme is more secure than Arshad and Nikooghadam's scheme and the other related schemes and achieves more functionality features. In the performance comparison, we focus on the computations of the authentication phase, since it is the main body of an authentication scheme, whereas the registration phase is performed only once before authentication. Let PA, PM, INV, SE, M, and H denote the time for performing an elliptic curve point addition, an elliptic curve point multiplication, a modular inversion, a symmetric-key encryption or decryption, a modular multiplication, and a hash function, respectively. Since exclusive-or operations are negligible in cost, we omit them. From Figure 1 we can see that our scheme has similar or better efficiency than other related ECC-based authentication schemes.

Conclusion
We have analyzed the security of the recently proposed SIP authentication scheme of Arshad and Nikooghadam. We have pointed out that an adversary can successfully launch the trace and key-compromise impersonation attacks on their scheme, and we have also shown that their scheme does not achieve proper mutual authentication. The cryptanalysis thus shows that the security of their scheme is compromised. In order to eliminate these security pitfalls, we have presented a robust and efficient ECC-based authentication scheme for SIP. Our scheme is immune to the trace and key-compromise impersonation attacks and provides the proper mutual authentication that Arshad and Nikooghadam's scheme lacks. Meanwhile, our scheme withstands the replay, offline password guessing, and insider attacks, and it achieves known session key security and perfect forward secrecy. We have analyzed the security of our scheme through both informal and formal analyses. Besides, our scheme is computationally efficient compared to other related ECC-based SIP authentication schemes. Considering the security and efficiency it provides, we conclude that our scheme is more appropriate for practical applications than the other related schemes.

Upon receiving the message from A, who masquerades as a legal user, computes V = ⊕ ℎ( ‖ ) and ℎ( ‖ ‖ ‖ ‖ V ) and compares the latter with the received . Obviously they are not equal, and immediately terminates the session.
Notations of BAN logic:
| ≡ : believes the statement
← → : and share the key
#: is fresh
⊲ : sees
| ∼ : said
{, } : and are encrypted with the key
(, ) : and are hashed with the key
⟨⟩ : is xor-ed with the key .
Authentication.
(1) A eavesdrops on the message ( , ), and then generates a random number and computes = .
(2) A sends the forged message ( , ) to . Obviously, will accept A's request, because does not verify the validity of the request message from . Then generates a random number and computes = , = −1 = , .
After receiving the message from , A computes = and checks whether = ℎ( ‖ ‖ ) is equal to the received . If so, A continues to compute = ℎ( ‖ ‖ ‖ ‖ V ) and = ℎ( ‖ ‖ ‖ ), where V = ℎ( ‖ ‖ ); both and are the forged password and random number. Then, A delivers the message (, , ) to .

Table 1: Registration and authentication phase of Arshad and Nikooghadam's scheme.