Elsevier

Computer Communications

Volume 33, Issue 3, 26 February 2010, Pages 372-380
A new secure password authenticated key agreement scheme for SIP using self-certified public keys on elliptic curves

https://doi.org/10.1016/j.comcom.2009.10.005

Abstract

Voice over Internet Protocol (VoIP) has received much attention and has become a real competitor to traditional Public Switched Telephone Networks (PSTNs). The Session Initiation Protocol (SIP), a signaling protocol based on an HTTP-like request/response exchange, is widely used to establish multimedia sessions in both the wireline and wireless worlds. However, the original authentication scheme for SIP-based services typically uses the HTTP Digest authentication protocol, which does not provide security at an acceptable level. In this paper, we present a new secure password authenticated key agreement scheme for SIP-based services using self-certified public keys (SCPKs) on elliptic curves. Because it uses SCPKs on elliptic curves, the proposed scheme not only avoids the need for a large Public Key Infrastructure (PKI) but also achieves efficient performance in contrast to other public key cryptosystems. The main merits include: (1) it achieves mutual authentication and session key agreement; (2) it does not maintain any password or verification table in the server; (3) it prevents various possible attacks induced by open networks and the standard of SIP message; (4) it can be applied to authenticate users in different SIP domains; (5) it lets users update their passwords quickly and securely; and (6) it can avoid the key escrow problem.

Introduction

Within the traditional Public Switched Telephone Networks (PSTNs), a good level of quality of service (QoS) and security has been established over the years, and it is now widely guaranteed. With the rapid growth of Internet technology, Voice over Internet Protocol (VoIP) is receiving much attention and is becoming a real competitor to the traditional PSTN. If VoIP is to replace the PSTN, it should provide the same basic telephone service with a comparable level of QoS and network security in many service scenarios. While the problem of QoS mainly concerns the IP network layer, the problem of security involves the control architecture and its signaling protocol. Among the many dedicated protocols used to handle sessions for VoIP, the Session Initiation Protocol (SIP) is the most widely used [1], [2]. SIP is an application-layer signaling protocol based on an HTTP-like request/response exchange for initiating, managing and terminating voice and video sessions across packet networks.

Identity authentication is an important issue in SIP-based services. For example, when the user Alice wants to make a SIP voice call to the user Bob, how can she verify that she is connected to Bob’s SIP user agent and not to another client pretending to be Bob’s SIP user agent? However, the SIP authentication scheme typically uses the HTTP Digest authentication protocol specified in RFC 2617 [3], which does not provide security at an acceptable level [4], [5], [6], [7]. Although S/MIME can provide both integrity and confidentiality for SIP messages [8], its use depends on the existence of user certificates and is seriously limited because there is virtually no consolidated authority today that provides certificates for user applications on a global scale [1]. Moreover, SIP over SSL (SIPS) can also provide end-to-end protection of SIP request/response messages, but it still requires end-user certificates to be in place and significantly increases the workload of SIP proxy servers.

To guarantee the security of the growing SIP-based services, several new schemes have been proposed to enhance the security of SIP [9], [10], [11], [12], [13]. Yang et al. [9] pointed out that the HTTP Digest authentication protocol is subject to the off-line guessing attack and the spoofing attack. They then introduced a public key cryptosystem based on the Diffie–Hellman key exchange protocol to solve these problems. However, Yang et al.’s scheme is vulnerable to the replay attack. Furthermore, it needs to maintain a preconfigured password table and involves exponential computation, which is not suitable for user devices with limited computing capability. Recently, Ring et al. [10] provided a secure authenticated key agreement (AK) protocol for SIP using identity-based cryptography (IBC) [14]. It computes the hash value of the user’s SIP identity as his public key without the need for concrete certificates. However, Ring et al.’s scheme suffers from a heavy computation load due to costly bilinear pairings and identity-based signatures [14], [15]. Additionally, the trust authority (TA) knows every eligible user’s long-term private key and can therefore impersonate any user without being detected. The key escrow problem can also arise through collusion with the relevant TAs [16]. To solve these problems of Ring et al.’s scheme, Wang and Zhang [11] proposed a new secure authentication and key agreement (SAKA) mechanism using certificateless public key cryptography (CL-PKC) [17]. Wang and Zhang’s scheme emphasizes that the TA cooperates with the communication entity to generate the private key. Thus, Wang and Zhang’s scheme avoids the key escrow problem but leaves the heavy computation load unsolved. At the same time, Geneiatakis and Lambrinoudakis (2008) [12] proposed an improved authentication scheme to enhance the security of HTTP Digest authentication for SIP. They introduce a new SIP header, namely the Integrity-Auth header, which aims to protect SIP-based services from signaling attacks while ensuring authenticity and integrity. However, the Integrity-Auth header involves the hash value of the user’s password combined with some known parameters. In this situation, a password table or verifier table must still be maintained on the servers and is susceptible to the stolen-verifier table attack. In addition, the offline password guessing attack cannot be avoided. Lately, Wu et al. [13] also presented a new authenticated key exchange protocol, NAKE, to solve the existing problems in the original SIP authentication. Wu et al.’s scheme assumes that the communicating parties share a common secret k beforehand between the ISIM (i.e., a smart card-like device) and the Authentication Center (AuC). Once the secret key k is leaked for some reason, the adversary can easily launch a forgery attack to masquerade as the user client or the server. Although a pre-shared key (PSK) is the most cost-effective approach, the problem of distributing the shared secrets makes this solution hard to scale. Furthermore, Wu et al.’s scheme does not take system reparability into consideration [18].
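The verifier-table and off-line guessing weaknesses of HTTP Digest discussed above follow from how an RFC 2617 response is computed. The sketch below is an added example, not code from the paper; it uses the no-qop form of the response, and the user name, realm, password, nonces and URI are constructed values.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_verifier(username: str, realm: str, password: str) -> str:
    # HA1: the per-user value a Digest server keeps in its verifier table.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_verify(table: dict, username: str, nonce: str,
                  method: str, uri: str, response: str) -> bool:
    ha1 = table.get(username)
    if ha1 is None:
        return False
    expected = digest_response(ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed sample values, not taken from any real deployment.
    user, realm, password = "alice", "example.com", "correct horse"
    nonce, method, uri = "c0nstructed-nonce-01", "REGISTER", "sip:example.com"
    table = {user: make_verifier(user, realm, password)}

    # Legitimate client: derives HA1 from the password it knows.
    good = digest_response(make_verifier(user, realm, password), nonce, method, uri)
    # Same computation from the table entry alone; the password is never used,
    # so a copied table entry is as good as the password itself.
    from_table = digest_response(table[user], nonce, method, uri)
    # Wrong password: different HA1, so a different response.
    bad = digest_response(make_verifier(user, realm, "wrong"), nonce, method, uri)
    return {
        "client_accepted": server_verify(table, user, nonce, method, uri, good),
        "table_entry_accepted": server_verify(table, user, nonce, method, uri, from_table),
        "wrong_password_accepted": server_verify(table, user, nonce, method, uri, bad),
        # The response is bound to the nonce: it fails under a fresh challenge.
        "old_response_on_new_nonce": server_verify(
            table, user, "c0nstructed-nonce-02", method, uri, good),
    }

if __name__ == "__main__":
    print(demo())
```

Every input to the response other than the password (user name, realm, nonce, method, URI) travels in the SIP messages, so the password is the only unknown in a recorded exchange. A scheme that keeps no password or verifier table on the server removes the `table` dependency shown here.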

In this paper, we propose a new secure SIP authentication scheme using self-certified public keys (SCPKs). Our proposed scheme not only solves the problems of the related works but also mitigates the computation overhead in contrast to other public key cryptosystems. Additionally, the main merits include: (1) it achieves mutual authentication and session key agreement; (2) it does not maintain any password or verification table in the server; (3) it prevents various possible attacks induced by open networks and the standard of SIP message; (4) it can be applied to authenticate users in different SIP domains; (5) it lets users update their passwords quickly and securely; and (6) it can avoid the key escrow problem.

The remainder of the paper is organized as follows. In Section 2, HTTP Digest authentication scheme for SIP is introduced, including the authentication procedure and the security issues retained for SIP-based service. Then, we briefly review the basic concepts on self-certified public keys (SCPKs) and some related mathematical problems in Section 3. Section 4 presents a new secure authentication scheme for SIP. Section 5 shows the correctness and security analysis. In Section 6, we evaluate the performance and compare the functionality between the proposed scheme and the others. Finally, the conclusion is given in Section 7.

Section snippets

SIP protocol overview

A VoIP infrastructure inherits and utilizes various protocols from the Internet stack architecture. Specifically, SIP is an application-layer signaling protocol for creating, modifying and terminating multimedia sessions among one or more participants. The network entities involved in SIP are composed of user agent, proxy servers, redirect servers and registrar servers, which are depicted in Fig. 1. The user agents represent the terminal (i.e., the user agent client (UAC) Alice and user agent

Preliminaries

In this section, we briefly review the basic concepts on SCPKs and some related mathematical problems.

Proposed authentication scheme

In this section, we propose a new secure password authenticated key agreement scheme using SCPKs on elliptic curve. The proposed scheme retains the original SIP authentication structure without the need of any password table for verification. In the meantime, our proposed scheme achieves mutual authentication for communication parties with different SIP domains. Moreover, we provide the password change phase to make the eligible user change password quickly and securely. The notations used

Correctness and security analysis

In this section, we will show the correctness of our scheme. Furthermore, the security analysis is examined.

Performance considerations and functionality comparison

In this section, we will evaluate the performance of our proposed scheme. In general, performance evaluation is usually divided into communication cost and computation cost. As we all know, an ECC with 160-bit key length could offer roughly the same level of security as RSA with a 1024-bit modulus. We divide the computation cost of our scheme into two parts: offline computation and online computation, where the offline computation can reduce the latency between the communicating parties.

Conclusions

In this paper, we point out several problems caused by open networks and SIP-based services. These problems remain unsolved in the original SIP authentication scheme. We then present a new secure SIP authentication scheme using SCPKs on elliptic curves, which is an efficient approach in contrast to a certificate-based Public Key Infrastructure (PKI). Our scheme does not need to maintain any password table. We demonstrate that the computation cost of our scheme is well

Acknowledgements

The authors thank the reviewers for their valuable comments and suggestions.

References (32)

  • J. Galvin et al., Security Multiparts for MIME, IETF RFC 1847,...
  • Jared Ring et al., A new authentication mechanism and key agreement protocol for SIP using identity-based cryptography, Proceedings of AusCert R&D Stream (2006)
  • D. Geneiatakis et al., A lightweight protection mechanism against signaling attacks in a SIP-Based VoIP environment, Telecommunication Systems, Springer (2007)
  • A. Shamir, Identity-based cryptosystem and signature schemes, in: Advance in Cryptology-Crypto 1984, LNCS, vol. 196,...
  • D. Boneh, C. Gentry, B. Lynn, H. Shacham, Aggregate and verifiably encrypted signatures from bilinear maps, in:...
  • L. Chen, C. Kudla, Identity based authenticated key agreement protocol from pairings (corrected version at...

Cited by (50)

    • VoIPChain: A decentralized identity authentication in Voice over IP using Blockchain

      2023, Computer Communications
      Citation Excerpt :

      Authentication, confidentiality, and integrity in SIP messages are generally provided by using Transport Layer Security (TLS) or other methods like Secure/Multipurpose Internet Mail Extensions (S/MIME) that use a centralized architecture model [2]. These protocols are employed to protect the end-to-end secure communication by using Public Key Infrastructure (PKI) [8]. Traditional centralized security methods such as TLS provide authentication with encryption methods for the trusted networks by performing Trusted Third Party (TTP) or Certificate Authority (CA).

    • Robust smart card secured authentication scheme on SIP using Elliptic Curve Cryptography

      2014, Computer Standards and Interfaces
      Citation Excerpt :

      However, Lee [19] found that Tsai's protocol still suffered from password guessing attacks and insider attacks, so Tsai's protocol is not suitable for SIP. Since Elliptic Curve Cryptography (ECC) provides a smaller key size than any other cryptosystem and has faster computations than half of the other public key systems at the same security levels [8,20–25], ECC is suitable to be used for higher security authentication. In 2009, Wu et al. [24] proposed a SIP authentication scheme based on ECC and proved that the scheme is secure.

    • Security analysis of session initiation protocol digest access authentication scheme

      2021, Proceedings - 2021 7th International Conference on Big Data Computing and Communications, BigCom 2021
    • Secure outsourcing algorithms of modular exponentiations in edge computing

      2020, Proceedings - 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2020