An Anonymous and Efficient ECC-Based Authentication Scheme for SIP

Session initiation protocol (SIP), a widely used signaling protocol for controlling multimedia communication sessions, is exposed to numerous attacks when performing the authentication steps between the user and the server, so secure authentication schemes need to be designed for SIP. Recently, Arshad et al. advanced novel schemes for SIP using elliptic curve cryptography (ECC) and claimed their schemes can resist various attacks. However, Lu et al. found that Arshad et al.'s scheme cannot resist trace and key-compromise impersonation attacks; hence, it cannot provide proper mutual authentication. Meanwhile, an enhanced scheme was advanced by Lu et al., who stated that their scheme can stand up to possible known attacks. Nevertheless, in this paper, we conclude that Arshad and Nikooghadam's scheme is insecure against impersonation attack and Lu et al.'s scheme is still vulnerable to impersonation attack. To overcome these weaknesses of their schemes, we present a novel anonymous ECC-based scheme for SIP. Security analysis and performance analysis show that our proposed scheme can resist various known attacks while remaining efficient.


Introduction
SIP (session initiation protocol), a text-based application layer signaling control protocol, is used to create, modify, and release sessions between participants. These sessions are initiated when users request Internet multimedia conferences, IP phones, and multimedia distribution. The participants of SIP can communicate with each other by multicast, unicast, or a mixture of the two. SIP has been widely used since 2002, when it was presented by the Internet Engineering Task Force (IETF) [1]. To protect the privacy of users, it is critical for SIP to provide mutual authentication between communicating parties. Therefore, many researchers are devoted to proposing secure and efficient schemes for SIP that prevent various attacks and provide mutual authentication between a legal user and the server.
In 2009, Tsai [2] presented a scheme based on random nonces for SIP. He used one-way hash functions and exclusive-or operations to encrypt/decrypt all the necessary information, so Tsai's scheme can be used in low-computation equipment because its computation cost is very low. Later, Yoon et al. [3] demonstrated that Tsai's scheme is not secure against off-line password guessing attack, Denning-Sacco attack, and stolen-verifier attack and cannot provide perfect forward secrecy. To overcome the shortcomings of Tsai's scheme, Yoon et al. proposed a scheme based on the elliptic curve discrete logarithm problem (ECDLP) for SIP and claimed their scheme can resist various attacks while being more efficient than Tsai's scheme. In 2012, Xie [4] proposed an improved scheme after finding that Yoon et al.'s scheme is still too weak to resist stolen-verifier attack and off-line password guessing attack. Shortly afterwards, Farash and Attari [5] demonstrated that Xie's scheme still suffers from off-line password guessing attack and impersonation attack and proposed an enhanced scheme. Later on, Zhang et al. [6] proposed an authentication scheme with anonymity for SIP based on Farash and Attari's work. However, Lu et al. [7] found that Zhang et al.'s scheme cannot provide proper security, because it is insecure against insider attack. To cover the demerits of Zhang et al.'s scheme, Lu et al. advanced a new scheme and demonstrated that their scheme is resistant to possible known attacks while having lower computation cost than other related schemes. In 2016, Chaudhry et al. [8] stated that Lu et al.'s scheme cannot withstand user and server impersonation attacks, so they proposed their own enhanced scheme to correct these problems. However, Kumari et al. [9] suspected that Chaudhry et al.'s scheme still has the disadvantages that appeared in Lu et al.'s [7] scheme, namely that it cannot resist impersonation and identity guessing attacks.
In 2014, a smart-card-based scheme was advanced by Zhang et al. [10] to overcome the weaknesses of previous schemes. When a legal user attempts to communicate with the server, he must use the smart card as another authentication factor in addition to the password to achieve authentication. Later, Irshad et al. [11] demonstrated that Zhang et al.'s scheme is vulnerable to denial of service (DoS) attack and impersonation attack and advanced an improved scheme while optimizing the cost of their protocol. However, Irshad et al.'s scheme was suspected of being unable to resist user impersonation attack by Arshad and Nikooghadam [12], who advanced a new scheme in their paper. Unfortunately, Lu et al. [13] found that Arshad et al.'s scheme is still insecure against some attacks, such as key-compromise impersonation attack and trace attack. In order to correct the shortcomings of Arshad and Nikooghadam's scheme, Lu et al. proposed a robust and efficient authentication scheme using ECC and demonstrated that their scheme is resistant to possible known attacks. Recently, we have found that Arshad and Nikooghadam's [12] scheme cannot resist user impersonation attack. Meanwhile, we observe that Lu et al.'s [13] scheme is insecure against server impersonation attack.

Motivations and Contributions
In this paper, we revisit Arshad
The rest of the paper is organized as follows. The review and cryptanalysis of Arshad and Nikooghadam's scheme are shown in Sections 3 and 4, respectively. The review and cryptanalysis of Lu et al.'s scheme are given in Sections 5 and 6, respectively. In Section 7, we present our scheme. Security analysis and performance analysis are shown in Sections 8 and 9, respectively. Finally, the conclusion of this paper is given in Section 10.

Review of Arshad and Nikooghadam's Scheme
In this section, we review Arshad and Nikooghadam's [12] scheme briefly. Firstly, we list the notations used throughout Arshad et al.'s scheme in Figure 1. Then, we review Arshad et al.'s scheme in four parts: the setup phase, registration phase, authentication and key agreement phase, and password change phase.
3.1. Setup. Firstly, the server selects an elliptic curve equation $E_p(a, b)$ and a secure one-way function $h(\cdot)$. Then, the server selects a base point $P$ with order $n$ over $E_p(a, b)$, chooses an integer $k_s$ randomly and keeps it as the secret key, and computes the public key $K_s = k_s P$. Finally, the server publishes $(E_p(a, b), n, P, h(\cdot), K_s)$.

Registration
(1) The client generates a number $N_c$ randomly, chooses a password $PW_i$, computes $v_i = h(ID_i \| PW_i \| N_c)$, sends $(ID_i, v_i)$ to the server, and stores $N_c$ in the memory device.
(2) If $ID_i$ does not exist in the database, the server computes $V_i = h(ID_i \| k_s) \oplus v_i$ and stores it in its database.
3.3. Authentication and Key Agreement. In this part, we introduce the authentication and key agreement phase of Arshad and Nikooghadam's scheme; the steps of this phase are also represented in Table 1.
(1) The client selects an integer $d_c$ randomly, computes $R_c = d_c K_s = d_c k_s P$, and sends $\mathrm{REQUEST}(ID_i, R_c)$ to the server through the public channel.
(2) If $ID_i$ exists in the database, the server selects an integer $d_s$ randomly, computes $Q_s = d_s P$, $Q_{sc} = d_s k_s^{-1} R_c$, $V_s = h(ID_i \| Q_s \| Q_{sc})$, and sends $\mathrm{CHALLENGE}(realm, Q_s, V_s)$ to the client. If $ID_i$ does not exist in the database, the server terminates the session.
(3) The client computes $Q_{cs} = d_c Q_s$ and compares the value of $h(ID_i \| Q_s \| Q_{cs})$ with $V_s$. If they are not equal, the session is stopped by the client. Otherwise, the client computes $V_c = h(ID_i \| Q_s \| realm \| Q_{cs} \| v_i)$ and $SK = h(ID_i \| Q_s \| Q_{cs} \| realm)$. Then, $\mathrm{RESPONSE}(ID_i \| realm \| V_c)$ is sent to the server.
(4) The server computes $v_i = V_i \oplus h(ID_i \| k_s)$ and compares the value of $h(ID_i \| Q_s \| realm \| Q_{sc} \| v_i)$ with $V_c$. If they are equal, the server authenticates the client.

Password Change
(1) Firstly, a new password $PW_i^*$ is chosen by the client. Then, the client generates a new random number and sends $\mathrm{CHANGEPWD}(ID_i, Z, V_z)$ to the server.
(2) The server computes $v_i = V_i \oplus h(ID_i \| k_s)$ and $v_i^* = Z \oplus v_i \oplus h(ID_i \| SK)$, and verifies whether $h(ID_i \| v_i^* \| SK \| v_i)$ is equal to $V_z$ or not. If they are equal, the server computes $V_i^* = V_i \oplus z$ and replaces $V_i$ with $V_i^*$ in the database. Then, the server sends $\mathrm{ACCEPT}(h(ID_i \| v_i \| accept \| v_i^* \| SK))$ to the client.

Cryptanalysis of Arshad and Nikooghadam's Scheme
In this part, we show that Arshad and Nikooghadam's scheme cannot withstand server impersonation attack. To do so, the adversary $A$ performs the following steps.
Step 1. Suppose $A$ obtains $\mathrm{REQUEST}(ID_i, R_c)$ when a client wants to communicate with the server. Then, $A$ forges $Q'_s = K_s$ and $Q'_{sc} = R_c = d_c K_s$, where $K_s$ is the server's public key. Then, $A$ computes $V'_s = h(ID_i \| Q'_s \| Q'_{sc})$ and sends $\mathrm{CHALLENGE}(realm, Q'_s, V'_s)$ to the client.
Step 2. After receiving CHALLENGE, the client computes $Q_{cs} = d_c Q'_s$. Since $Q'_s = K_s$, $Q_{cs} = d_c K_s = Q'_{sc}$. Thus, $h(ID_i \| Q'_s \| Q_{cs}) = V'_s$ and the verification will hold. The client authenticates the "server." Then, the client $\| realm)$. Finally, the client sends $\mathrm{RESPONSE}(ID_i \| Q'_s \| Q_{cs} \| realm)$ to $A$.
Step 3. After receiving $\mathrm{RESPONSE}(ID_i \| Q'_s \| Q_{cs} \| realm)$, $A$ does not need to compute $v_i$ or verify whether $h(ID_i \| Q'_s \| realm \| Q_{cs} \| v_i) = V_c$ or not. $A$ only needs to compute $SK = h(ID_i \| Q'_s \| Q_{cs} \| realm)$ and can then be sure that he/she shares the same $SK$ with the victim client.
From what has been discussed above, we come to the conclusion that Arshad and Nikooghadam's scheme cannot resist server impersonation attack.

Review of Lu et al.'s Scheme
In this part, Lu et al.'s [13] scheme will be reviewed, and the notations used throughout their scheme are shown in Figure 2.

Wireless Communications and Mobile Computing
(1) $U_i$ chooses a password $PW_i$, selects a secret key $k_{U_i}$, generates a number $r_1$ randomly, computes $PWD = h(PW_i \| k_{U_i})$, and sends $\{ID_i, r_1, PWD\}$ to $S$.
(2) $S$ calculates $VPW = h(ID_i \| PWD \| r_1) \oplus h(k_s)$ and stores $VPW$ in the database.
5.2. Authentication and Key Agreement. In this part, we briefly introduce the authentication and key agreement phase of Lu et al.'s scheme; the steps of this phase are also represented in Table 2.
(1) $U_i$ generates a number $r_2$ randomly, then computes $T = h(ID_i \| PWD \| r_1)$, $R = r_2 P$, $M_1 = T r_2 P$, $AID = ID_i \oplus T$, and $M_2 = h(ID_i \| R)$. Finally, $U_i$ sends $\mathrm{REQUEST}(M_1, AID, M_2)$ to $S$.
(2) $S$ calculates $T = VPW \oplus h(k_s)$, then computes $ID'_i = AID \oplus T'$, $R' = T^{-1} M_1$, and checks whether $M'_2 = h(ID'_i \| R')$ equals $M_2$ or not. If they are equal, $S$ generates a number $r_3$ randomly, computes $H = r_3 P$, $M_3 = ID_i \oplus H$, $SK_s = r_3 P$, and $Auth_s = h(SK_s \| T \| R)$, and sends CHALLENGE(realm,
Step 1. $A$ generates a number $r_2^*$ randomly, computes
Step 2. $S$ computes $T = VPW \oplus h(k_s)$, $ID_i = AID \oplus T$, and
Obviously, this equation is established. So $S$ authenticates the attacker as $U_i$. Then, $S$ generates $r_3$ and computes $H = r_3 P$,

Our Proposed Scheme
An enhanced scheme for SIP will be advanced in this section. Our scheme is based on the schemes of Irshad et al. and Lu et al. and corrects the problem that appeared in their schemes. We list the notations used throughout our scheme in Figure 3. The content of our scheme is as follows.
7.1. Setup Phase. Firstly, an elliptic curve equation $E_p(a, b)$ and a secure one-way function $h(\cdot)$ are selected by the server. Then, $S$ chooses a base point $P$ with order $n$ over $E_p(a, b)$ and two random numbers $s_1, s_2$, and computes the public key $K_p = s_2 P$. Finally, $S$ keeps $s_1, s_2$ as its secret keys and publishes $(E_p(a, b), n, P, h(\cdot), K_p)$.

7.2. Registration. The registration phase is shown in Table 3 and the steps for user registration are as follows:
Step 1. The user $U_i$ chooses a number $\gamma$ randomly, chooses a password $PW_i$, and computes $v_i = h(h(ID_i) \oplus h(PW_i) \oplus h(\gamma))$. Then, $U_i$ sends $(ID_i, v_i)$ to $S$ through a secure channel.
Step 2. $S$ calculates $V_i = v_i \oplus h(s_2)$, $Y = h(v_i \| s_1)\, s_2^{-1} P$, and $V_j = h(ID_i \| V_i \| s_1)$. Then $S$ stores $V_i, V_j$ and sends $Y$ to $U_i$ through a secure channel.
Step 3. $U_i$ keeps $(Y, \gamma)$ in the memory device.

7.3. Authentication and Key Agreement. The following steps will be performed. Meanwhile, the details of this phase are shown in Table 4.
Step 1. The user $U_i$ selects an integer $r_u \in_R Z_p^*$ randomly, generates a time stamp $t$, and then computes $v_i = h(h(ID_i) \oplus h(PW_i) \oplus h(\gamma))$, $H_j = h(v_i \| Y \| r_u P \| t)$, and $X = r_u Y = r_u s_2^{-1} h(v_i \| s_1) P$. Finally, $U_i$ computes $PID = ID_i \oplus v_i$ and sends $\mathrm{REQUEST}(PID, X, H_j, t)$ to $S$.
Step 2. $S$ checks the validity of the time stamp $t$ by checking the predicate $(t' - t \overset{?}{<} \Delta t)$, and aborts if the check fails. Then, $S$ computes $V'_j = h(ID_i \| V_i \| s_1)$ and compares the values of $V'_j$ and the stored $V_j$. If they are equal, $S$ can make sure that the received $ID_i$ and $V_i$ form a pair. After that, $S$ computes $v'_i = V_i \oplus h(s_2)$, $Y' = h(v'_i \| s_1)\, s_2^{-1} P$, and $Q = X \cdot s_2 \cdot h^{-1}(v'_i \| s_1) = r_u P$, and checks whether $H'_j = h(v'_i \| Y' \| Q \| t)$ equals $H_j$ or not. If they are equal, $S$ authenticates the user $U_i$. Then, $S$ chooses an integer $r_s \in_R Z_p^*$ randomly, computes $Q_{sc} = r_s Q = r_u r_s P$, $SK = h(ID_i \| v'_i \| Q_{sc} \| realm)$, $\mu = r_s P$, and $\eta = h(SK \| Q \| realm \| v'_i)$. Finally, $S$ sends $\mathrm{RESPONSE}(\mu, realm, \eta)$ to $U_i$.
Step 3. $U_i$ computes $Q' = r_u P$, $Q'_{sc} = r_u \mu = r_u r_s P$, and $SK = h(ID_i \| v_i \| Q'_{sc} \| realm)$, and then checks whether $\eta' = h(SK \| Q' \| realm \| v_i)$ equals the received $\eta$. If they are equal, $U_i$ authenticates $S$. Finally, $U_i$ computes $Auth = h(SK \| \mu \| v_i)$ and sends the message $\mathrm{Confirm}(Auth, realm)$ to $S$.
Step 4. $S$ calculates $Auth' = h(SK \| r_s P \| v'_i)$ and compares the values $Auth'$ and the received $Auth$. $S$ confirms that it shares the same session key $SK$ with $U_i$ if $Auth'$ is equal to $Auth$.
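As an added example (not the paper's code), the following Python run walks through Sections 7.2 and 7.3 end to end: a user registers, then Steps 1 to 4 are executed with every check on both sides, and the same SK is derived by $U_i$ and $S$. The toy curve, SHA-256 as $h(\cdot)$, the mapping of hash values to scalars in $Z_n^*$, the time-stamp window, and the way $S$ locates a stored $(V_i, V_j)$ record from PID (the paper does not say how) are my assumptions.

```python
import hashlib, secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17; base point P = (5, 1) has prime order
# n = 19.  Far too small for real use; it only keeps the run readable.  The hash
# h(.) is SHA-256 and, where a scalar is needed, its value is mapped into Z_n^*.
p, a, n, P, INF = 17, 2, 19, (5, 1), None
def ec_add(A, B):
    if A is INF: return B
    if B is INF: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return INF   # A == -B
    if A == B: lam = (3 * A[0] * A[0] + a) * pow(2 * A[1], -1, p) % p
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def ec_mul(k, A):                       # left-to-right double-and-add, k mod n
    R = INF
    for bit in bin(k % n)[2:]:
        R = ec_add(R, R)
        if bit == "1": R = ec_add(R, A)
    return R

def h(*parts):                          # h(a || b || ...) over length-tagged fields
    m = hashlib.sha256()
    for x in parts:
        x = x if isinstance(x, bytes) else repr(x).encode()
        m.update(len(x).to_bytes(2, "big") + x)
    return m.digest()
def h_scalar(*parts):                   # hash as an element of Z_n^*, so h^{-1} exists
    return int.from_bytes(h(*parts), "big") % (n - 1) + 1
def xor(x, y): return bytes(i ^ j for i, j in zip(x, y))
def setup():                            # 7.1: secret s1, s2; public K_p = s2 P
    s1, s2 = secrets.randbelow(n - 1) + 1, secrets.randbelow(n - 1) + 1
    return {"s1": s1, "s2": s2, "Kp": ec_mul(s2, P), "db": []}

def register(S, ID, PW):                # 7.2: secure channel assumed
    gamma = secrets.token_bytes(16)
    v = h(xor(xor(h(ID), h(PW)), h(gamma)))               # v_i
    V = xor(v, h(S["s2"]))                                # V_i
    Y = ec_mul(h_scalar(v, S["s1"]) * pow(S["s2"], -1, n), P)
    S["db"].append((V, h(ID, V, S["s1"])))                # stores (V_i, V_j)
    return {"ID": ID, "PW": PW, "gamma": gamma, "Y": Y}   # memory device holds (Y, gamma)

def authenticate(S, U, realm=b"sip.example", now=0, delta=1):
    # Step 1 (user): REQUEST(PID, X, H_j, t)
    r_u, t = secrets.randbelow(n - 1) + 1, now
    v = h(xor(xor(h(U["ID"]), h(U["PW"])), h(U["gamma"])))
    X, Hj = ec_mul(r_u, U["Y"]), h(v, U["Y"], ec_mul(r_u, P), t)
    PID = xor(U["ID"], v)
    # Step 2 (server): time window, locate (V_i, V_j) via V_j, recover Q = r_u P
    if not 0 <= now - t < delta: return None
    for V, Vj in S["db"]:
        v2 = xor(V, h(S["s2"])); ID2 = xor(PID, v2)       # v'_i and candidate ID_i
        if h(ID2, V, S["s1"]) == Vj: break                # V'_j == stored V_j
    else: return None
    k = h_scalar(v2, S["s1"])
    Y2 = ec_mul(k * pow(S["s2"], -1, n), P)               # Y'
    Q = ec_mul(S["s2"] * pow(k, -1, n), X)                # X * s2 * h^{-1}(...) = r_u P
    if h(v2, Y2, Q, t) != Hj: return None                 # H'_j check
    r_s = secrets.randbelow(n - 1) + 1
    SK_s = h(ID2, v2, ec_mul(r_s, Q), realm)              # Q_sc = r_s Q
    mu, eta = ec_mul(r_s, P), h(SK_s, Q, realm, v2)
    # Step 3 (user): verify RESPONSE(mu, realm, eta), send Confirm(Auth, realm)
    SK_u = h(U["ID"], v, ec_mul(r_u, mu), realm)          # Q'_sc = r_u mu
    if h(SK_u, ec_mul(r_u, P), realm, v) != eta: return None
    Auth = h(SK_u, mu, v)
    # Step 4 (server): Auth' = h(SK || r_s P || v'_i)
    if Auth != h(SK_s, ec_mul(r_s, P), v2): return None
    return SK_s if SK_s == SK_u else None
```

A wrong password changes $v_i$ and therefore PID, so the server's $V'_j$ lookup in Step 2 fails and the run returns None before any response is sent.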

Password Change
Step 1. $U_i$ chooses a number $\gamma^*$ randomly, selects a new pass- where $SK$ is the current session key and $E_{SK}(m)$ means the encryption of the message $m$ with the symmetric key $SK$.
Step 2. Once receiving means the decryption of the message $c$ with $SK$.
Step 3. After receiving

Security Analysis for our Proposed Scheme
In this part, we first use Burrows-Abadi-Needham (BAN) logic to prove the correctness of our proposed scheme. Then, we use informal security analysis to show that our scheme is secure against various attacks.

Correctness Proof.
In this section, we briefly introduce BAN logic and then prove the security of our proposed scheme by using it.
8.1.1. Brief Introduction to BAN Logic. BAN logic is a belief-based logic proposed by Burrows, Abadi, and Needham, and it plays a significant role in analyzing authentication protocols. When applying BAN logic to protocol analysis, it is essential to idealize the messages of the protocol into formulas that BAN logic can recognize. Then, starting from reasonable initial assumptions, the logical inference rules are applied to the idealized protocol to infer whether the protocol reaches the expected goals. Figure 4 lists some of the logical symbols and inference rules of BAN logic.

Verifying the Proposed Scheme with BAN Logic
(1) Goals
(4) Proof of the proposed scheme
(p1) From n4, $U_i \triangleleft \{U \xleftrightarrow{SK} S, r_u P, realm\}_{U \xleftrightarrow{v_i} S}$, and by applying the message meaning rule, we deduce,
(p2) From n2 and by applying the fresh concatenation rule, we deduce,
(p3) From p1, p2 and by applying the nonce-verification rule, we deduce,
(p4) From deduction p3 and by applying the belief rule, we deduce,
(p5) From p4, n8 and by applying the jurisdiction rule, we deduce,
(p6) From n5, $S \triangleleft \{U \xleftrightarrow{SK} S, r_s P\}_{U \xleftrightarrow{v_i} S}$, and by applying the message meaning rule, we deduce,
Therefore, our proposed scheme achieves mutual authentication and key agreement between $S$ and $U_i$.

Informal Security Analysis
The security of our proposed scheme will be discussed in this section. We show that our scheme is secure in the face of various attacks. Following [14], we define the capabilities of the attacker $A$ as follows:
(c1) $A$ can off-line enumerate the Cartesian product $S_{id} \times S_{PW}$, where $S_{id}$ and $S_{PW}$ denote the identity space and the password space, respectively
(c2) $A$ has full control of the communication channel
(c3) $A$ may either learn the victim's password via malicious card readers, or extract the secret data in the card by side-channel attacks, but cannot do both
(c4) $A$ can learn the previous session key(s)
(c5) $A$ can learn the server's long-term private key(s) as well as all other data stored in the server only when evaluating the eventual failure of the server
8.2.1. Denning-Sacco Attack. In the Denning-Sacco attack [15], when the client or server leaks a previous session key, $A$ tries to get other session keys or a long-term key (for example, the client's password or the server's key).
Suppose $A$ has gained a session key $SK = h(ID_i \| v_i \| Q_{sc} \| realm)$. $A$ cannot obtain the user's password $PW_i$ since $PW_i$ is hidden in the hash value $v_i = h(h(ID_i) \oplus h(PW_i) \oplus h(\gamma))$. Besides, it is impossible for $A$ to obtain other session keys as he/she does not know the values of $r_u r_s P$ and $v_i$.

Man-in-the-Middle Attack (MITM).
In this attack, A intercepts communication channels between users and the server and attempts to make them believe that they are communicating with each other directly.
In our proposed scheme, assume $A$ intercepts $\mathrm{REQUEST}(PID, X, H_j, t)$ and $\mathrm{RESPONSE}(\mu, realm, \eta)$. However, $A$ does not know $Y$ and $v_i$, so he/she is not able to figure out the right $PID$, $X$, and $H_j$; $A$ will fail to cheat the server as a legal user. At the same time, $A$ is unaware of the server's secret keys $s_1$ and $s_2$, so $A$ cannot masquerade as a legal server since he/she cannot compute the right $Q = r_u P$ and $Q_{sc} = r_u r_s P$.

Off-Line Password Guessing Attack.
In an off-line password guessing attack, $A$ keeps previous authentication messages. Then, $A$ selects a set of candidate passwords and uses the stored messages to verify whether one of them is the correct password.
In our proposed scheme, $A$ can obtain $PID$, $X$, $H_j$, $\mu$, $realm$, and $\eta$ from the communication channel between users and the server. But $A$ cannot compute the values of $h(SK \| r_u P \| realm \| h(h(ID_i) \oplus h(PW_i) \oplus h(\gamma)))$ and $h(h(h(ID_i) \oplus h(PW_i) \oplus h(\gamma)) \| Y \| r_u P \| t)$ to verify a candidate password, since $A$ does not know the values of $\gamma$, $r_u P$, $r_u r_s P$, $s_1$, and $s_2$.

Replay Attack.
In this attack, suppose $A$ grabs $\mathrm{REQUEST}(PID, X, H_j, t)$ when a legal user $U_i$ tries to send REQUEST to the server, and then $A$ replays it to the server to impersonate $U_i$. However, since the attacker is unaware of $v_i$ and $Y$, the server can easily find out if the attacker modified the time stamp $t$. If $A$ replays REQUEST to the server without any change, the server can figure out that the message is invalid since the verification of $t$ will not hold.
8.2.5. Impersonation Attack. In this attack, the goal of $A$ is impersonating a legal server or a legal user. Suppose a legal user attempts to use what he/she has got to masquerade as other
Suppose $A$ tries to impersonate a legal server. Since the server's secret keys $s_1$ and $s_2$ are unknown to $A$, he/she cannot figure out the correct $Q = X s_2 h^{-1}(v'_i \| s_1) = r_u P$. Thus, the verification $\eta' = h(SK \| Q' \| realm \| v_i) = \eta$ will fail on the user's side.
Figure 4: BAN logic notation (X believes a statement A; X and Y share a key K; X sees A; A is fresh; X said A; A and B hashed by the key k; encryption of A with key K; combination of X and Y; X has jurisdiction over A; k is P's public key).
8.2.6. Privileged Insider Attack. Suppose a privileged insider $A$ of the server obtains $v_i$, $ID_i$, and $PW_i$ of a legal user $U_i$, and then $A$ tries to impersonate $U_i$ to access the server. Since $Y$ is only stored in the memory device kept by $U_i$, and the server's secret keys $s_1, s_2$ are kept by the server, the attacker cannot get the right $Y$.

Performance Analysis
The performance comparison of our scheme and other related schemes [10][11][12][13] is presented in this section. In Table 5, we compute the total computational costs of three phases (registration phase, authentication and key agreement phase, and password change phase) of our scheme and compare them with the other schemes. In order to represent each computation cost in time, we define some notations in Figure 5.
According to [18,19], an elliptic curve point multiplication operation takes 2.226 ms, an elliptic curve point addition operation costs 0.0288 ms, a one-way hash function takes 0.0023 ms, a modular inversion operation takes 0.0056 ms, and generating a random number needs 0.539 ms. Figure 6 shows the comparison of security attributes between our scheme and the other schemes. We can notice that our scheme is resistant to various attacks. By contrast, Zhang et al.'s [10] and Irshad et al.'s [11] schemes cannot withstand impersonation attack and are not anonymous and untraceable, and Arshad et al.'s [12] scheme fails to achieve anonymity and untraceability and cannot stand up to impersonation attack. Meanwhile, Lu et al.'s [13] scheme cannot resist impersonation attack. In addition, our scheme's computational cost is lower than that of Irshad et al.'s and Zhang et al.'s schemes. From what we have discussed above, we conclude that our proposed scheme is efficient and can withstand various known attacks.

Conclusion
In this paper, we have demonstrated that Arshad et al.'s scheme cannot withstand user impersonation attack and Lu et al.'s scheme is not secure against server impersonation attack. In order to remedy the weaknesses of their schemes, we present an enhanced anonymous and efficient ECC-based authentication scheme for SIP. Our scheme inherits the merits of Arshad and Nikooghadam's and Lu et al.'s schemes while standing up to the user and server impersonation attacks that their schemes fail to withstand. We use BAN logic and informal analysis to demonstrate the correctness and security of our scheme. Therefore, our proposed scheme is suitable and practical for SIP.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.

Figure 5: Notations for computation costs: the time for performing an elliptic curve point multiplication operation; the time for performing an elliptic curve point addition operation; the time for performing a one-way hash function; the time for performing a modular inversion operation; the time for generating a random number.
Figure 6: Comparison of security attributes.