An anonymous and untraceable password-based authentication scheme for session initiation protocol using smart cards


INTERNATIONAL JOURNAL OF COMMUNICATION SYSTEMS
Int. J. Commun. Syst. (2014)
Published online in Wiley Online Library (wileyonlinelibrary.com)

Mohammad Sabzinejad Farash 1,* and Mahmoud Ahmadian Attari 2
1 Faculty of Mathematical Sciences and Computer, Kharazmi University, Tehran, Iran
2 Faculty of Electrical and Computer Engineering, K.N. Toosi University of Technology, Tehran, Iran

SUMMARY

Recently, Zhang et al. proposed a password-based authenticated key agreement for session initiation protocol (Int J Commun Syst 2013, doi: /dac.2499). They claimed that their protocol is secure against known security attacks. However, in this paper, we indicate that the protocol by Zhang et al. is vulnerable to impersonation attack whereby an active adversary without knowing the user's password is able to introduce himself/herself as the user. In addition, we show that the protocol by Zhang et al. suffers from password changing attack. To overcome the weaknesses, we propose an improved authentication scheme for session initiation protocol. The rigorous analysis shows that our scheme achieves more security than the scheme by Zhang et al.

Copyright 2014 John Wiley & Sons, Ltd.

Received 19 September 2013; Revised 11 March 2014; Accepted 29 July 2014

KEY WORDS: password-based protocol; voice over internet protocol; session initiation protocol; smart card

1. INTRODUCTION

With the widespread application of the voice over IP (VoIP) in Internet [1-4] and mobility management [5-8], the security of VoIP is becoming increasingly important [9]. When a user wants to access a VoIP service, he or she has to perform an authentication process with the remote server. Among many protocols used to handle authentication for VoIP, the session initiation protocol (SIP), developed by the Internet Engineering Task Force [10] in 1996, is the widely used one.
SIP is an application layer signaling protocol for creating, modifying, and terminating multimedia sessions among one or more participants. Various authentication schemes [11, 12], especially based on elliptic curve cryptography (ECC), have been proposed to provide security for SIP for a decade [13-28].

1.1. Related works

In 2005, Yang et al. [29] indicated that the original SIP authentication scheme is vulnerable to offline password guessing attack and server-spoofing attack. To overcome the attacks, Yang et al. proposed a modified scheme based on Diffie-Hellman key exchange protocol. However, Huang et al. [30] pointed out that the scheme by Yang et al. may not be suitable for users with limited computational power and further proposed a new scheme. In [31], Jo et al. demonstrated that the schemes by Yang et al. and Huang et al. are both vulnerable to offline password guessing attack.

*Correspondence to: Mohammad Sabzinejad Farash, Faculty of Mathematical Sciences and Computer, Kharazmi University, Tehran, Iran. sabzinejad@khu.ac.ir

M.S. FARASH AND M.A. ATTARI

Based on the scheme by Yang et al., Durlanik et al. [32] introduced an efficient authentication scheme for SIP by using elliptic curve Diffie-Hellman key exchange protocol. Because of the adoption of elliptic curves, the scheme by Durlanik et al. reduced the total execution time and the requirements for memory in comparison with the scheme by Yang et al. However, Yoon et al. [33] indicated that the scheme by Durlanik et al. still suffered from offline password guessing and Denning-Sacco attacks, and proposed an improved scheme to overcome the weaknesses. However, Liu et al. [34] demonstrated that the scheme by Yoon et al. is still vulnerable to offline password guessing and insider attacks.

In 2009, Tsai [35] proposed an efficient authentication protocol based on random nonce, in which only one-way hash functions and exclusive-or operations were utilized for computing all the communication messages. As a result, the computation cost was very low, and it was suitable for low-computation equipment. However, it was still defenseless against offline password guessing, Denning-Sacco, and stolen-verifier attacks. Furthermore, it did not provide any key agreement, known-key secrecy, and perfect forward secrecy [36-38]. To deal with the problems, Arshad et al. proposed an ECC-based authentication scheme [38]. But Tang et al. [39] demonstrated the vulnerability of the scheme by Arshad et al. to offline password guessing attack and introduced an improved scheme to overcome the weakness.

In 2010, Yoo et al. [40] also proposed an authentication scheme based on ECC to deal with the problems in the scheme by Tsai et al. In 2012, Xie [41] pointed out that the scheme by Yoo et al. still suffers from stolen-verifier and offline password guessing attacks and proposed an improved scheme. But Farash and Attari [42] found Xie's scheme insecure against password guessing attacks and proposed an improved scheme.
To equip Farash and Attari's scheme with user anonymity, Zhang et al. [43] proposed an anonymous authentication scheme.

1.2. Motivation and contribution

To improve the efficiency of the authentication schemes, Zhang et al. [44] also proposed a new password-based authenticated protocol and claimed that their protocol is efficient and secure against known attacks. However, in this paper, we demonstrate that the protocol by Zhang et al. suffers from crucial attacks including impersonation attack and password changing attack. In order to overcome the weaknesses of the protocol by Zhang et al., we propose a novel authentication scheme that is more secure and practical for SIP.

1.3. Outline

The rest of this paper is organized as follows. Section 2 defines elliptic curves. We review the protocol by Zhang et al. in Section 3. In Section 4, we present the security weaknesses of the protocol by Zhang et al. The improved scheme and its analysis are presented in Section 5 and Section 6, respectively. Finally, we conclude our paper in Section 7.

2. PRELIMINARIES

2.1. Elliptic curves

An elliptic curve, denoted by $E$, over a finite field $F_p$ is defined by the Weierstrass equation

$$E: y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (1)$$

where $a_i \in F_p$ for $i = 1, 2, 3, 4, 6$ and $\Delta \neq 0$. $\Delta$ is the discriminant of the elliptic curve $E$. The condition $\Delta \neq 0$ guarantees the smooth property of the elliptic curve. Also, there is a point at infinity on an elliptic curve, which is denoted by $O$. To add two points on an elliptic curve, the chord and tangent rule is used. By using this addition rule, the set of points denoted by $E(F_p)$ forms a group with the identity element $O$ and the generator $P$.

CRYPTANALYSIS OF EFFICIENT AND FLEXIBLE PASSWORD AUTHENTICATED

2.2. Security requirements of authentication schemes for SIP

To provide efficiency and security, an authentication scheme for SIP should satisfy the following requirements:

1. Known-key security: The disclosure of past session keys will not help the adversary to get future session keys and to derive the password.
2. Forward secrecy: A compromised password does not affect the secrecy of previous session keys.
3. Password guessing attacks resistance: The adversary cannot perform an exhaustive offline/online search for the password by analyzing the captured messages of one or more sessions.
4. Freely change password: A mobile user is allowed to choose and change his/her password freely and does not need to remember a long string.
5. User anonymity: An adversary cannot obtain the real identity of a mobile user and also cannot trace the location of the mobile user.
6. Mutual authentication: A user and the server can mutually authenticate each other.
7. Key agreement: After a mutual authentication, the user should share a session key with the server for secure message transfer between them. The session keys used in each session should not be related to former session keys for forward secrecy.

3. REVIEW OF THE PROTOCOL BY ZHANG ET AL.

In this section, we review the password-based authenticated key agreement protocol by Zhang et al. using the same notation (Table I) as [44]. This protocol has four phases: setup, registration, authentication, and password changing phases.

Table I. The notations.

| Notation | Description |
|---|---|
| $U$ | A user |
| $username$ | The unique identity of the user $U$ |
| $PW$ | The password of the user $U$ |
| $(R, a)$ | The secret information of the user stored in the smart card |
| $p, q$ | Two prime numbers |
| $E$ | An elliptic curve |
| $F_q$ | A finite field |
| $E(F_q)$ | A group that contains the points on the elliptic curve $E$ over the finite field $F_q$ |
| $P$ | An element of $E(F_q)$ with the prime order $p$ |
| $G$ | A subgroup of $E(F_q)$ generated by the base point $P$ |
| $Z_p^*$ | The non-zero integers modulus $p$ |
| $h$ | The hash function $h: \{0,1\}^* \to \{0,1\}^k$ |
| $h_1$ | The hash function $h_1: G \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^k$ |
| $h_2$ | The hash function $h_2: G \times G \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^k$ |
| $Enc$, $Dec$ | Symmetric encryption and decryption algorithms |
| $s$ | The private key of the server |
| $P_{pub}$ | The public key of the server, that is, $P_{pub} = sP$ |

3.1. Setup phase

In this phase, the server chooses the following items:

- the elliptic curve $E$ over the finite field $F_q$,
- the additive group $G$ generated by the base point $P$ with the prime order $p$,
- three one-way hash functions $h: \{0,1\}^* \to \{0,1\}^k$, $h_1: G \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^k$, and $h_2: G \times G \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^k$, and
- the random number $s \in Z_p^*$ as the server's private key, from which it computes the corresponding public key $P_{pub} = sP$.

Finally, the server publishes the public parameters $\{E(F_q), P, p, G, h, h_1, h_2, P_{pub}\}$ and maintains the private key $s$.

3.2. Registration phase

In this phase, the user $U$ who wants to become a legal user of a remote server performs the following steps over a secure channel: $U$ freely chooses the password $PW$ and the random number $a \in Z_p^*$, computes $h(PW \| a)$, and sends the message $\{h(PW \| a), username\}$ to the remote server. After receiving the message $\{h(PW \| a), username\}$, the server computes $\{R = h(h(PW \| a) \| username)s^{-1}P, a\}$, stores $R$ in a smart card, and finally delivers the smart card to $U$. Upon receiving the smart card, $U$ inserts the random number $a$ in the memory of the smart card and memorizes the password $PW$.

3.3. Authentication phase

When the user $U$ wants to log in to the remote server, he/she inserts his/her smart card into a card reader and inputs his/her $username$ and password $PW$. Then, the smart card and the remote server perform as follows:

Step A1. The smart card randomly chooses $b \in Z_p^*$, computes $V = bR + h(username)P$ and $W = b\,h(h(PW \| a) \| username)P_{pub}$, and sends $\{username, V, W\}$ to the remote server.

Step A2. Upon receiving $\{username, V, W\}$, the remote server first computes $X = h(username)P$ and $W' = s^2(V - X)$, then checks if $W = W'$. If it holds, the remote server selects the random numbers $c, r \in Z_p^*$, and computes $S = cP$, $K = cs(V - X) = cbP$, $SK = h_1(K \| r \| username)$ and $Auth_s = h_2(K \| W' \| r \| SK)$. Finally, the remote server sends the message $\{realm, Auth_s, S, r\}$ to the smart card.

Step A3. Upon receiving the message $\{realm, Auth_s, S, r\}$, $U$ computes $K = bS = bcP$ and $SK = h_1(K \| r \| username)$. Then, he/she verifies $Auth_s = h_2(K \| W \| r \| SK)$.
If it holds, the smart card computes $Auth_u = h_2(K \| W \| r + 1 \| SK)$ and sends the message $\{realm, Auth_u\}$ to the remote server.

Step A4. Upon receiving the message $\{realm, Auth_u\}$, the remote server checks if $Auth_u = h_2(K \| W' \| r + 1 \| SK)$. If it holds, the remote server confirms that the claimant is a legal user.

3.4. Password changing phase

The user $U$ can change his/her password freely in this phase. To do so, he/she first executes the login and authentication phase with his/her $username$ and the old password $PW$. After receiving the successful authentication and sharing the session key $SK$, the user does as follows:

Step C1. $U$ freely selects the new password $PW$ and the random numbers $N, a \in Z_p^*$. $U$ then computes $C_1 = Enc_{SK}(username \| N \| h(PW \| a) \| h(username \| N \| h(PW \| a)))$. Next, $U$ sends $\{username, C_1, N\}$ to the server.

Step C2. Upon receiving the message $\{username, C_1, N\}$, the server decrypts $C_1$ and verifies the integrity of $h(username \| N \| h(PW \| a))$. If it is valid, the server computes $R = h(h(PW \| a) \| username)s^{-1}P$, encrypts it as $C_2 = Enc_{SK}(R \| h(username \| N + 1 \| R))$, and sends $C_2$ to $U$.

Step C3. Upon receiving the message, $U$ decrypts the message and checks the integrity of it. If it is valid, $U$ stores $PW \| a$ in the smart card.

4. SECURITY WEAKNESSES OF THE PROTOCOL BY ZHANG ET AL.

In this section, we propose three attacks on the protocol by Zhang et al. [44].

4.1. Extraction of the sensitive information

The basis of the proposed attacks on the protocol by Zhang et al. is that each legal user can calculate the value of $s^{-1}P$ from his/her sensitive information $R$. Therefore, before the description of the proposed attacks, we show how each user can calculate the critical data $s^{-1}P$.

Assume the legal user owns a smart card containing the sensitive information $\{R = h(h(PW \| a) \| username)s^{-1}P, a\}$. To obtain the sensitive data $R$, he/she can apply a side channel attack [45] and analyze the power consumption of his/her smart card. However, applying side channel attacks on a smart card is costly and time-consuming. Alternatively, each legal user can employ the password change protocol (Section 3.4) to obtain the sensitive information. In this procedure, the user performs the password changing phase and selects the new parameters $PW$ and $a$. At the end of this execution, the user receives the new sensitive data $R$. Then, he/she can easily calculate $s^{-1}P = h(h(PW \| a) \| username)^{-1}R$.

In the following subsections, we will show that the malicious user $A$ can make use of $s^{-1}P$ to apply some attacks on the protocol by Zhang et al.

4.2. Attack 1: Stolen smart card attack

By this attack, an attacker who obtained the secret information stored in the smart card is able to extract the user's password. Assume the malicious user $A$, who obtained $s^{-1}P$ from his/her smart card, finds or steals the smart card of the other user $U$. $A$ can guess $U$'s password as follows:

Step 1. $A$ extracts the secret information $\{R, a\}$ from $U$'s smart card using side channel attack techniques.

Step 2. $A$ guesses the password $PW'$ and computes $R' = h(h(PW' \| a) \| username)s^{-1}P$.

Step 3. $A$ checks if $R' = R$. If it holds, the guessed password $PW'$ is correct. Otherwise, $A$ goes back to Step 3 and follows the process.

4.3. Attack 2: Impersonation attack

By this attack, a malicious user can easily impersonate other legal users. To apply this attack, the malicious user $A$ who obtains $s^{-1}P$, as described in Section 4.1, performs the following steps with the legal user $U$ as shown in Figure 1:

Step I1. $A$ randomly chooses $\hat{b} \in Z_p^*$, computes $\hat{V} = \hat{b}s^{-1}P + h(username)P$ and $\hat{W} = \hat{b}P_{pub}$, and sends $\{username, \hat{V}, \hat{W}\}$ to the remote server.

Step I2. Upon receiving $\{username, \hat{V}, \hat{W}\}$, the remote server first computes $X = h(username)P$ and $W' = s^2(\hat{V} - X)$, then checks if $\hat{W} = W'$. It is clear that the equation holds, because $W' = s^2(\hat{V} - X) = s\hat{b}P = \hat{b}P_{pub} = \hat{W}$. Thus, the remote server selects the random numbers $c, r \in Z_p^*$ and computes $S = cP$, $K = cs(\hat{V} - X) = c\hat{b}P$, $SK = h_1(K \| r \| username)$ and $Auth_s = h_2(K \| W' \| r \| SK)$. Finally, the remote server sends the message $\{realm, Auth_s, S, r\}$ to the malicious user $A$.

Figure 1. The impersonation attack on the protocol by Zhang et al.

Step I3. Upon receiving the message $\{realm, Auth_s, S, r\}$, $A$ computes $K = \hat{b}S = \hat{b}cP$ and $SK = h_1(K \| r \| username)$. Then, he/she verifies $Auth_s = h_2(K \| \hat{W} \| r \| SK)$. It is clear that the equation holds, because $\hat{W} = W'$ and the values of $K$ and $SK$ computed by the remote server and $A$ are equal. Thus, $A$ computes $Auth_u = h_2(K \| \hat{W} \| r + 1 \| SK)$ and sends the message $\{realm, Auth_u\}$ to the remote server.

Step I4. Upon receiving the message $\{realm, Auth_u\}$, the remote server checks if $Auth_u = h_2(K \| W' \| r + 1 \| SK)$. It is clear that the equation holds, because $\hat{W} = W'$ and the values of $K$ and $SK$ computed by the remote server and $A$ are equal.

Therefore, the remote server believes that it has communicated with the legal user $U$, whereas the protocol was in fact carried out by the malicious user $A$. So, the malicious user $A$ succeeds in impersonating the legal user $U$ to the remote server.

4.4. Attack 3: Password changing attack

In this attack, the malicious user $A$ first impersonates the legal user $U$ and shares the secret key $SK$ with the remote server (Section 4.3). Then, he/she performs the password changing phase instead of $U$ and changes $U$'s password. To do so, the malicious user $A$ performs as follows:

Step 1. $A$ freely selects the new password $PW$ and the random numbers $N, a \in Z_p^*$, then computes $C_1 = Enc_{SK}(username \| N \| h(PW \| a) \| h(username \| N \| h(PW \| a)))$. Next, $A$ sends $\{username, C_1, N\}$ to the server.

Step 2. Upon receiving the message $\{username, C_1, N\}$, the server decrypts $C_1$ and verifies the integrity of $h(username \| N \| h(PW \| a))$. If it is valid, the server computes $R = h(h(PW \| a) \| username)s^{-1}P$, encrypts it as $C_2 = Enc_{SK}(R \| h(username \| N + 1 \| R))$, and sends $C_2$ to $A$.

Step 3. Upon receiving the message, $A$ decrypts the message and checks the integrity of it. If it is valid, $A$ stores $PW \| a$ in the smart card.

Hereafter, the real user $U$ cannot log in to the remote server with his/her password, because the password was changed by the malicious user $A$ and accepted by the remote server.

5. THE IMPROVED SCHEME

We propose an improved remote user authentication scheme to overcome the security weaknesses inherent in the scheme by Zhang et al. [44]. The proposed scheme consists of four phases: initial phase, registration phase, login and authentication phase, and password change phase.

5.1. Initial phase

In this phase, the server $S$ selects the generator $P$ of $G$ with order $p$ and the master secret key $s \in Z_p^*$. Then, $S$ computes the corresponding master public key $P_{pub} = sP$, and chooses a cryptographic one-way hash function $h(\cdot): \{0,1\}^* \to Z_p^*$.

5.2. Registration phase

$U$ can register or re-register at the remote server $S$ and performs the following steps through a secure channel as shown in Figure 2:

Step 1. $U$ chooses the identity $ID_u$, the password $PW_u$, and the random number $R_u$, and calculates $PRW_u = h(R_u \| PW_u \| BI_u)$, where $BI_u$ is the unique biometric identity of $U$. Then, he/she sends the message $\{ID_u, PRW_u\}$ to $S$.

Step 2. Upon receiving the message $\{ID_u, PRW_u\}$, $S$ checks if $ID_u$ is valid. If it is invalid, $S$ rejects it. Then, $S$ checks the account records in the database. If $U$ is a new user, $S$ adds $(ID_u, N = 0)$ into the database. Otherwise, $S$ sets $N = N + 1$ and stores it. Then, $S$ calculates $J_u = h(s \| ID_u \| N)$ and $L_u = J_u + h(PRW_u \| ID_u) \bmod p$. Finally, $S$ stores $\{J_u, L_u, h(\cdot), Enc_{key}(\cdot), Dec_{key}(\cdot), P, p, P_{pub}\}$ into the smart card $SC$ and issues it to $U$.

Step 3. Upon receiving the smart card $SC$, $U$ inserts $R_u$ into $SC$. Finally, $SC = \{J_u, L_u, R_u, h(\cdot), Enc_{key}(\cdot), Dec_{key}(\cdot), P, p, P_{pub}\}$.

Figure 2. Registration phase of the proposed scheme.

5.3. Login and authentication phase

When the user wants to log in to the server $S$, he/she inserts his/her smart card into the card reader and inputs $ID_u$, $PW_u$, and the biometric identity $BI_u$. The details of this phase, shown in Figure 3, are as follows:

Figure 3. Login and authentication phase of the proposed protocol.

Step 1. The smart card $SC$ retrieves $J_u$, $L_u$, and $R_u$; computes $PRW'_u = h(R_u \| PW_u \| BI_u)$; and checks if $J_u = L_u - h(PRW_u \| ID_u) \bmod p$. If it does not hold, $S$ terminates the login process. Otherwise, $SC$ selects the random number $\in Z_p^*$, computes $M_1 = P$, $k = P_{pub} = sP$, $M_2 = h(ID_u \| J_u \| M_1)$ and $M_3 = Enc_k(ID_u \| M_2)$, and sends the login message $\{M_1, M_3\}$ to $S$.

Step 2. Upon receiving the message $\{M_1, M_3\}$, $S$ computes $k' = sM_1 = sP$, and decrypts $M_3$ as $Dec_{k'}(M_2)$ to obtain $ID_u$ and $M_2$. Then, $S$ extracts $N$ from its database, computes $J_u = h(s \| ID_u \| N)$, and verifies $h(ID_u \| J_u \| M_1) = M_2$. If it does not hold, $S$ terminates the session. Otherwise, $S$ selects the random number $\in Z_p^*$, computes $M_3 = P$, $M_4 = M_1 = P$ and $M_5 = h(ID_u \| M_3 \| h(s \| ID_u \| N) \| M_4)$, and sends the response message $\{M_3, M_5\}$ to $SC$.

Step 3. Upon receiving the message $\{M_3, M_5\}$, $SC$ computes $M'_4 = M_3 = P$ and verifies $M_5 = h(ID_u \| M_3 \| J_u \| M'_4)$. If it does not hold, $SC$ terminates the session. Otherwise, it computes $M_6 = h(ID_u \| M_3 \| M'_4)$ and sends it to $SH$. Finally, it computes the session key $SK = h(ID_u \| M_3 \| M'_4 \| M_5 \| M_6)$.

Step 4. Upon receiving the message $\{M_7\}$, $S$ verifies $M_7 = h(ID_u \| M_4 \| M_5)$. If it holds, $S$ computes the session key $SK = h(ID_u \| M_1 \| M_4 \| M_5)$.

5.4. Password change phase

In the scheme by Zhang et al., the client changes the password after the verification by the server and the smart card. In our scheme, the user changes the password after the verification by the smart card only.

Step 1. To change the password, $U$ inserts his/her smart card $SC$ into the card reader. $U$ enters his/her identity $ID_u$ and old password $PW_u$ and inputs his/her biometrics information $BI_u$.

Step 2. $SC$ retrieves $J_u$, $L_u$, and $R_u$, computes $PRW'_u = h(R_u \| PW_u \| BI_u)$, and checks if $J_u = L_u - h(PRW_u \| ID_u) \bmod p$. If it does not hold, $SC$ terminates the login process. Otherwise, $SC$ allows the client to enter the new password $PW_u^{new}$.

Step 3. SC computes PRWu new modp.

Step 4. SC replaces J u with Ju new D h R u kpwu new k BI u,andj new u and Fu new, respectively. D L u h PRWu new kid u

6. SECURITY ANALYSIS AND COMPARISON

6.1. No verification table

The server only stores the client's identity $ID_u$ and the registered number $N$ in the database. $ID_u$ and $N$ are not the client's secrets and can be published in public. If the attacker compromises the server, he can only obtain the public information $ID_u$ and $N$, and not password verification information. Thus, the server does not need to maintain the verification table.

6.2. Stolen-verifier attack

There is no verification table such as hashed passwords or any information containing $PW_u$. The server $SH$ authenticates the client's session by its secret number $s$ and uses no number relating to $PW_u$. So our scheme is secure against stolen-verifier attack.

6.3. Man-in-middle attack

Assume that the attacker $A$ intercepts the messages between $U$ and $S$ and replaces part or the whole message with his own faked information to impersonate the user or the server. However, it is impossible for $A$ to fabricate legal messages due to lack of $PW_p$ and $s$. Therefore, our scheme withstands client impersonation attack, server impersonation attack, and modification attack.

6.4. Mutual authentication

It is important for an authentication scheme to let the client and the server verify the identity of each other. In fact, once the scheme can withstand user and server impersonation attack, it satisfies the character of mutual authentication. According to the analysis of man-in-middle attack, we can see this point.

6.5. Privileged administrator resilience

The privileged administrator can control the server absolutely. Once the administrator obtains a client's password, he may log in to the client's other applications using this password because many people use the same password in different servers.
Our scheme provides password confidentiality even for the privileged administrator. In registration phase, $U$ sends $\{ID_u, PRW_u\}$ to the server $S$, where $PRW_u = h(R_u \| PW_u \| BI_u)$. The submitted $PRW_u$, blinded by $R_u$ and $BI_u$, is secure from leaking confidential information about the password $PW_u$. Here, $PW_u$ is protected by a hash function with the keys $R_u$ and $BI_u$. Without the knowledge of $R_u$ and $BI_u$, the administrator cannot mount offline password guessing attack to obtain the client's password.

6.6. Freely chosen password

The password is selected by the user himself and can be updated anytime if the user wants. It is more flexible and convenient compared with a password chosen by the server. In password change phase, the user can update the current password with a new one.

6.7. Known-key security

The random key materials and are fresh values for each session. One session key is independent of another session key. Thus, the compromise of some session keys could not affect the other session keys.

6.8. User anonymity and untraceability

It is obvious that any third party cannot know the real identity of $U$, because $ID_u$ is encrypted by the key $k$, and $k$ is protected by $s$, so the attacker $A$ faces the problem of getting $k$. Furthermore, $k$ varies in each session because it is generated by the random number, which is different for each session. It is difficult for $A$ to tell $U$ apart from others in the communication channel. So our scheme satisfies user anonymity and untraceability.

6.9. Resistance of password guessing attacks

We assume that the attacker has the ability of stealing a client's smart card. Once the attacker gets a smart card, he can derive the confidential data $\{K_u, E_u, F_u, h(\cdot), Enc_{key}(\cdot), Dec_{key}(\cdot), P, p, P_{pub}\}$ stored in the smart card by physical attack. We show that our scheme can resist offline password guessing attacks on a stolen smart card. In our scheme, the password $PW_u$ is blinded by the server's secret $s$ and the user's secrets $R_u$ and $BI_u$. Although the attacker obtains confidential data stored in the smart card, he cannot verify the correctness of a guessed password because he does not know the secret parameters $s$, $R_u$, and $BI_u$.

6.10. Forward security

Forward security is the property that the scheme is also secure even if the attacker compromises some long-term keys. Perfect forward security means that the scheme will not be compromised if all the long-term keys are compromised. Because our scheme uses Diffie-Hellman key exchange, our scheme provides perfect forward security.

6.11. Security comparison

The security properties comparisons between our proposed scheme and the scheme by Zhang et al. [44] are summarized in Table II. From Table II, we can see that the proposed scheme not only provides some new security properties, but also prevents the attacks, which are applicable to the scheme by Zhang et al.
As a result, the proposed scheme is more secure and has more functionality compared with the scheme by Zhang et al.

Table II. Security comparison.

| Security properties | Proposed scheme | The scheme by Zhang et al. [44] |
|---|---|---|
| No verification table | Yes | Yes |
| Prevention of guessing attack | Yes | No |
| Prevention of replay attack | Yes | Yes |
| Prevention of stolen-verifier attack | Yes | Yes |
| Prevention of stolen smart card attack | Yes | No |
| Prevention of privileged server attack | Yes | Yes |
| Prevention of impersonation attack | Yes | No |
| Prevention of modification attack | Yes | No |
| Mutual authentication | Yes | Yes |
| Known-key security | Yes | Yes |
| Providing of perfect forward secrecy | Yes | Yes |
| Providing of biometrics authentication | Yes | No |
| User anonymity and untraceability | Yes | No |
| Secure password chosen and update | Yes | No |

6.12. Performance comparison

We evaluate the performance of the proposed scheme in terms of the computation cost. To estimate the computation cost of our scheme, we define the following notations: PM is the time complexity of elliptic curve scalar point multiplication, PA is the time complexity of elliptic curve point addition, H is the time complexity of one-way hash function or message authentication code, I is the time complexity of modular inversion, and SE is the time complexity of symmetric encryption/decryption. It is to be noted that the other operations such as random number generation and modular addition and multiplication need very few computations; they are usually neglected when considering the computational cost. We summarize the computation cost of our scheme and carry out a comparison with the scheme by Zhang et al. [44] in Table III.

Table III. Performance comparison.

| | $U$'s computational costs | $S$'s computational costs |
|---|---|---|
| The scheme by Zhang et al. [44] | 4PM + 1PA + 4H | 4PM + 1PA + 4H |
| Our scheme | 3PM + 1SE + 6H | 3PM + 1SE + 5H |

7. CONCLUSIONS

In this paper, we analyzed the password-based authenticated key agreement protocol by Zhang et al. We pointed out that the main weakness of the protocol by Zhang et al. is due to the ability of each legal user to calculate $s^{-1}P$ using his/her secret information. Based on this idea, we pointed out that the protocol by Zhang et al. suffers from three crucial flaws by which an insider attacker can impersonate each legal user, find the user's password, and even change the user's password without his/her awareness. As a remedy, we proposed an improved authenticated scheme using elliptic curves. Our analysis showed that the improved scheme could overcome the weaknesses in the scheme by Zhang et al.

REFERENCES

1. Li JS, Kao CK, Tzeng JJ. VoIP secure session assistance and call monitoring via building security gateway. International Journal of Communication Systems, posted on , (to appear in print).
2. Chen WE, Huang YL, Lin YB. An effective IPv4-IPv6 translation mechanism for SIP applications in next generation networks. International Journal of Communication Systems, posted on , (to appear in print).
3. Chen WE, Lin PJ. A performance study for IPv4-IPv6 translation in IP multimedia core network subsystem. International Journal of Communication Systems, posted on , (to appear in print).
4. Lloret J, Garcia M, Atenas M, Canovas A. A QoE management system to improve the IPTV network. International Journal of Communication Systems 2011; 24(1).
5. Chiu KL, Chen YS, Hwang RH. Seamless session mobility scheme in heterogeneous wireless networks. International Journal of Communication Systems, posted on , (to appear in print).
6. Cho K, Pack S, Kwon TT, Choi Y. An extensible and ubiquitous RFID management framework over next-generation networks. International Journal of Communication Systems, posted on , (to appear in print).
7. Chiang WK, Chang WY. Mobile-initiated network-executed SIP-based handover in IMS over heterogeneous accesses. International Journal of Communication Systems, posted on , (to appear in print).
8. Chen MX, Wang FJ. Session integration service over multiple devices. International Journal of Communication Systems, posted on , (to appear in print).
9. Geneiatakis D, Dagiuklas T, Kambourakis G, Lambrinoudakis C, Gritzalis S, Ehlert S. Survey of security vulnerabilities in session initiation protocol. IEEE Communications Surveys and Tutorials 2006; 8(3).
10. Rosenberg J, Schulzrinne H, Camarillo G, Johnston A, Peterson J, Sparks R, Handley M, Schooler E. SIP: Session Initiation Protocol. The Internet Engineering Task Force, The Internet Society, RFC.
11. Farash MS, Attari MA. Cryptanalysis and improvement of a chaotic maps-based key agreement protocol using Chebyshev sequence membership testing. Nonlinear Dynamics 2014; 76(2).
12. Farash MS, Attari MA. An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps. Nonlinear Dynamics 2014; 77(1-2).
13. Jiang Q, Ma J, Tian Y. Cryptanalysis of smartcard-based password authenticated key agreement protocol for session initiation protocol of Zhang et al. International Journal of Communication Systems, posted on DOI: /dac.2767, (to appear in print).
14. Sadat Mousavi-nik S, Yaghmaee-moghaddam MH, Ghaznavi-ghoushchi MB. Proposed secure SIP authentication scheme based on elliptic curve cryptography. International Journal of Computer Applications 2012; 58(8).
15. Yoon E, Yoo K, Kim C, Hong Y, Jo M, Chen H. A secure and efficient SIP authentication scheme for converged VoIP networks. Computer Communications 2010; 33(14).

16. Wang F, Zhang Y. A new provably secure authentication and key agreement mechanism for SIP using certificateless public-key cryptography. Computer Communications 2008; 31.
17. Dimitris G, Costas L. A lightweight protection mechanism against signaling attacks in a SIP-based VoIP environment. Telecommunication Systems 2007; 36(4).
18. Wu L, Zhang Y, Wang F. A new provably secure authentication and key agreement protocol for SIP using ECC. Computer Standards & Interfaces 2009; 31(2).
19. Liao Y, Wang S. A new secure password authenticated key agreement scheme for SIP using self-certified public keys on elliptic curves. Computer Communications 2010; 33(3).
20. Wu S, Pu Q, Kang F. Practical authentication scheme for SIP. Peer-to-Peer Networking and Applications 2013; 6(1).
21. He D, Chen J, Chen Y. A secure mutual authentication scheme for session initiation protocol using elliptic curve cryptography. Security Communication Networks 2012; 5.
22. Farash MS, Bayat M, Attari MA. Vulnerability of two multiple-key agreement protocols. Computers & Electrical Engineering 2011; 37(2).
23. Farash MS, Attari MA. An ID-based key agreement protocol based on ECC among users of separate networks. 9th International ISC Conference on Information Security and Cryptology (ISCISC 12), Tabriz, Iran, 2012.
24. Farash MS, Attari MA. A pairing-free ID-based key agreement protocol with different PKGs. International Journal of Network Security 2014; 16(2).
25. Bayat M, Farash MS, Movahed A. A novel secure bilinear pairing based remote user authentication scheme with smart card. IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC), Hong Kong, China, 2010.
26. Farash MS, Attari MA, Atani RE, Jami M. A new efficient authenticated multiple-key exchange protocol from bilinear pairings. Computers & Electrical Engineering 2013; 39(2).
27. Farash MS, Attari MA. Provably secure and efficient identity-based key agreement protocol for independent PKGs using ECC. The ISC International Journal of Information Security 2013; 5(1).
28. Farash MS, Attari MA, Bayat M. A certificateless multiple-key agreement protocol without hash functions based on bilinear pairings. International Journal of Engineering and Technology 2012; 4(3).
29. Yang CC, Wang RC, Liu WT. Secure authentication scheme for session initiation protocol. Computers & Security 2005; 24.
30. Huang HF, Wei WC, Brown GE. A new efficient authentication scheme for session initiation protocol. 9th Joint Conference on Information Sciences, Kaohsiung, Taiwan, DOI: /jcis.
31. Jo H, Lee Y, Kim M, Kim S, Won D. Off-line password-guessing attack to Yang's and Huang's authentication schemes for session initiation protocol. Fifth International Joint Conference on INC, IMS and IDC, Seoul, Korea, 2009.
32. Durlanik A, Sogukpinar I. SIP authentication scheme using ECDH. World Enformatika Society Transactions on Engineering Computing and Technology 2005; 8.
33. Yoon EJ, Yoo KY. Cryptanalysis of DS-SIP authentication scheme using ECDH. International Conference on New Trends in Information and Service Science, Beijing, China, 2009.
34. Liu FW, Koenig H. Cryptanalysis of a SIP authentication scheme. Communications and Multimedia Security, Ghent, Belgium, 2011.
35. Tsai JL. Efficient nonce-based authentication scheme for session initiation protocol. International Journal of Network Security 2009; 8(3).
36. Yoon EJ, Yoo KY. A new authentication scheme for session initiation protocol. International Conference on Complex, Intelligent and Software Intensive Systems (CISIS), Fukuoka, Japan, 2009.
37. Chen TH, Yeh HL, Liu PC, Hsiang HC, Shih WK. A secured authentication protocol for SIP using elliptic curves cryptography. Communication and Networking, CCIS, Vol. 119, Jeju Island, Korea, 2010.
38. Arshad R, Ikram N. Elliptic curve cryptography based mutual authentication scheme for session initiation protocol. Multimedia Tools and Applications, posted on DOI: /s , (to appear in print).
39. Tang H, Liu X. Cryptanalysis of Arshad et al.'s ECC-based mutual authentication scheme for session initiation protocol. Multimedia Tools and Applications, posted on DOI: /s , (to appear in print).
40. Yoon E, Shin Y, Jeon I, Yoo K. Robust mutual authentication with a key agreement scheme for the session initiation protocol. IETE Technical Review 2010; 27(3).
41. Xie Q. A new authenticated key agreement for session initiation protocol. International Journal of Communication Systems, posted on , (to appear in print).
42. Farash MS, Attari MA. An enhanced authenticated key agreement for session initiation protocol. Information Technology And Control 2013; 42(4).
43. Zhang Z, Qi Q, Kumar N, Chilamkurti N, Jeong HY. A secure authentication scheme with anonymity for session initiation protocol using elliptic curve cryptography. Multimedia Tools and Applications DOI: /s .
44. Zhang L, Tang S, Cai Z. Efficient and flexible password authenticated key agreement for voice over internet protocol session initiation protocol using smart card. International Journal of Communication Systems, posted on DOI: /dac.2499, (to appear in print).
45. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers 2002; 51(5).


More information

Review of methods for secret sharing in cloud computing

Review of methods for secret sharing in cloud computing Review of methods for secret sharing in cloud computing Dnyaneshwar Supe Amit Srivastav Dr. Rajesh S. Prasad Abstract:- Cloud computing provides various IT services. Many companies especially those who

More information

DYNAMIC SESSION KEY EXCHANGE METHOD USING TWO S-BOXES

DYNAMIC SESSION KEY EXCHANGE METHOD USING TWO S-BOXES DYNAMIC SESSION KEY EXCHANGE METHOD USING TWO S-BOXES Sohail Abid 1 and Shahid Abid 2 1 Department of Computing and Technology IQRA University, Islamabad, Pakistan. rsohailabid@yahoo.com 2 Foundation University

More information

An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC

An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC Laxminath Tripathy 1 Nayan Ranjan Paul 2 1Department of Information technology, Eastern Academy of Science and

More information

Improved Privacy-Preserving Authentication Scheme for Roaming Service in Mobile Networks

Improved Privacy-Preserving Authentication Scheme for Roaming Service in Mobile Networks This paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE WCNC 2014 proceedings This paper is to be presented as part of the 2014 IEEE

More information

Multi-Factor User Authentication in Wireless Sensor Networks

Multi-Factor User Authentication in Wireless Sensor Networks International Journal of Computer Science and Telecommunications [Volume 2, Issue 6, September 2011] 59 ISSN 2047-3338 Multi-Factor User Authentication in Wireless Sensor Networks T. Sarika 1 and Shaik

More information

Improvement of digital signature with message recovery using self-certified public keys and its variants

Improvement of digital signature with message recovery using self-certified public keys and its variants Applied Mathematics and Computation 159 (2004) 391 399 www.elsevier.com/locate/amc Improvement of digital signature with message recovery using self-certified public keys and its variants Zuhua Shao Department

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

Chapter 3. Network Domain Security

Chapter 3. Network Domain Security Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

A Novel Pathway for Portability of Networks and Handing-on between Networks

A Novel Pathway for Portability of Networks and Handing-on between Networks A Novel Pathway for Portability of Networks and Handing-on between Networks D. S. Dayana #1, S. R. Surya #2 Department of Computer Applications, SRM University, Chennai, India 1 dayanads@rediffmail.com

More information

An Innovative Two Factor Authentication Method: The QRLogin System

An Innovative Two Factor Authentication Method: The QRLogin System An Innovative Two Factor Authentication Method: The QRLogin System Soonduck Yoo*, Seung-jung Shin and Dae-hyun Ryu Dept. of IT, University of Hansei, 604-5 Dangjung-dong Gunpo city, Gyeonggi do, Korea,

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

On the Limits of Anonymous Password Authentication

On the Limits of Anonymous Password Authentication On the Limits of Anonymous Password Authentication Yan-Jiang Yang a Jian Weng b Feng Bao a a Institute for Infocomm Research, Singapore, Email: {yyang,baofeng}@i2r.a-star.edu.sg. b School of Computer Science,

More information

Journal of Electronic Banking Systems

Journal of Electronic Banking Systems Journal of Electronic Banking Systems Vol. 2015 (2015), Article ID 614386, 44 minipages. DOI:10.5171/2015.614386 www.ibimapublishing.com Copyright 2015. Khaled Ahmed Nagaty. Distributed under Creative

More information

Securing MANET Using Diffie Hellman Digital Signature Scheme

Securing MANET Using Diffie Hellman Digital Signature Scheme Securing MANET Using Diffie Hellman Digital Signature Scheme Karamvir Singh 1, Harmanjot Singh 2 1 Research Scholar, ECE Department, Punjabi University, Patiala, Punjab, India 1 Karanvirk09@gmail.com 2

More information

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems

More information

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Module 8. Network Security. Version 2 CSE IIT, Kharagpur Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication

More information

Index-Terms - S-Box Key Exchange, DSKE Method, And Three Layer Security, Modified Diffie-Hellman Key Exchange.

Index-Terms - S-Box Key Exchange, DSKE Method, And Three Layer Security, Modified Diffie-Hellman Key Exchange. Secured and Authenticated Communication in Cloud Using Dynamic Key Exchange Protocol Abstract -Cloud computing is a new type of service which provides large scale computing resources to each customer.

More information