Cryptanalysis and improvement of 2 mutual authentication schemes for Session Initiation Protocol

Qiu, Shuming; Xu, Guizhi; Guo, Yanhui; Zhang, Miao

doi:10.1002/dac.3568

Cited by 3 publications

(2 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, the scheme does not support mutual authentication and is vulnerable to insider attack [22]. Recently, Shuming et al [33] proposed the scheme on the top of Zhang et al [32] that provide resistance against off-line password guessing and insider attacks. Hsiu-Lien [34] proposed a scheme that uses a smart card along with elliptic curve cryptography for the SIP authentication.…”

Section: Related Workmentioning

confidence: 99%

Authentic Caller: Self-Enforcing Authentication in a Next-Generation Network

Azad¹,

Bag²,

Perera³

et al. 2020

IEEE Trans. Ind. Inf.

View full text Add to dashboard Cite

The Internet of Things (IoT) or the Cyber-Physical System (CPS) is the network of connected devices, things and people which collect and exchange information using the emerging telecommunication networks (4G, 5G IP-based LTE). These emerging telecommunication networks can also be used to transfer critical information between the source and destination, informing the control system about the outage in the electrical grid, or providing information about the emergency at the national express highway. This sensitive information requires authorization and authentication of source and destination involved in the communication. To protect the network from unauthorized access and to provide authentication, the telecommunication operators have to adopt the mechanism for seamless verification and authorization of parties involved in the communication. Currently, the next-generation telecommunication networks use a digest-based authentication mechanism, where the call-processing engine of the telecommunication operator initiates the challenge to the request-initiating client or caller, which is being solved by the client to prove his credentials. However, the digest-based authentication mechanisms are vulnerable to many forms of known attacks e.g., the Man-In-The-Middle (MITM) attack and the password guessing attack. Furthermore, the digest-based systems require extensive processing overheads. Several Public-Key Infrastructure (PKI) based and identity-based schemes have been proposed for the authentication and key agreements. However, these schemes generally require smart-card to hold long-term private keys and authentication credentials. In this paper, we propose a novel self-enforcing authentication protocol for the SIPbased next-generation network based on a low-entropy shared password without relying on any PKI or trusted third party system. The proposed system shows effective resistance against various attacks e.g., MITM, replay attack, password guessing attack, etc. We analyze the security properties of the proposed scheme in comparison to the state of the art.

show abstract

Section: Related Workmentioning

confidence: 99%

Authentic Caller: Self-Enforcing Authentication in a Next-Generation Network

Azad¹,

Bag²,

Perera³

et al. 2020

IEEE Trans. Ind. Inf.

View full text Add to dashboard Cite

show abstract

“…However, Yang et al [ 3 ] identified that Frank’s proposal was insecure and provided an improved solution in 2005. In order to present a secure and efficient authentication and key agreement protocol, in the following decade, many single-, two-, and three-factor authentication protocols were constructed while employing RSA, discrete logarithm over general groups, elliptic curve cryptography (ECC), chaotic maps [ 4 , 5 , 6 , 7 , 8 , 9 , 10 , 11 , 12 , 13 , 14 , 15 , 16 , 17 , 18 , 19 , 20 , 21 , 22 ], etc. However, some security limitations are prevailing in these protocols.…”

Section: Introductionmentioning

confidence: 99%

A Multi-Server Two-Factor Authentication Scheme with Un-Traceability Using Elliptic Curve Cryptography

Qiu

Ahmad

et al. 2018

Sensors

Self Cite

View full text Add to dashboard Cite

To provide secure communication, the authentication-and-key-agreement scheme plays a vital role in multi-server environments, Internet of Things (IoT), wireless sensor networks (WSNs), etc. This scheme enables users and servers to negotiate for a common session initiation key. Our proposal first analyzes Amin et al.’s authentication scheme based on RSA and proves that it cannot provide perfect forward secrecy and user un-traceability, and is susceptible to offline password guessing attack and key-compromise user impersonation attack. Secondly, we provide that Srinivas et al.’s multi-server authentication scheme is not secured against offline password guessing attack and key-compromise user impersonation attack, and is unable to ensure user un-traceability. To remedy such limitations and improve computational efficiency, we present a multi-server two-factor authentication scheme using elliptic curve cryptography (ECC). Subsequently, employing heuristic analysis and Burrows–Abadi–Needham logic (BAN-Logic) proof, it is proven that the presented scheme provides security against all known attacks, and in particular provides user un-traceability and perfect forward security. Finally, appropriate comparisons with prevalent works demonstrate the robustness and feasibility of the presented solution in multi-server environments.

show abstract