Privacy-Preserving Mobile Roaming Authentication with Security Proof in Global Mobility Networks

A mobile roaming authentication scheme achieves mutual authentication and session key establishment between the mobile user and the foreign agent. In 2013, Xie et al. pointed out that Chen et al.'s scheme is vulnerable to offline password attack and does not achieve fair session key generation, user untraceability, user friendliness, or perfect forward secrecy, and then they proposed an improved scheme. In this paper, we propose an improvement of Xie et al.'s scheme, since in Xie et al.'s scheme the foreign agent may confuse the mobile users when multiple mobile users simultaneously access the foreign agent. Further, we prove the formal security of the proposed scheme and present a performance comparison between our scheme and some related schemes. The proposed scheme is more efficient and secure than other related schemes and is suitable for use in the global mobility network.


Introduction
With the rapid development of mobile technology such as 3G and 4G wireless networks, more and more mobile users can access services in global mobility networks. A typical mobile roaming authentication scheme includes three parties: a mobile user, a foreign agent, and a home agent; the mobile user and the foreign agent should authenticate each other before establishing the session key. Privacy preservation usually refers to user anonymity and user untraceability. It is important to protect the user's privacy, such as what the users did or where the users accessed, from the attacker even if he gains access to the user's records. Strong anonymous mobile roaming authentication means that only the home agent can know the mobile user's identity, but neither an adversary nor the foreign agent can. Since wireless networks are more vulnerable to several attacks and the computational power of mobile terminals is limited, how to design a secure and efficient authentication scheme for roaming service with strong anonymity in global mobility networks has attracted much attention.
In 2004, Zhu and Ma [1] proposed the first anonymous authentication scheme for wireless communications. Lee et al. [2] showed that their scheme is vulnerable to forgery attacks and does not provide perfect backward secrecy or mutual authentication, and proposed an improved scheme. Later, Chang et al. [3], Wu et al. [4], and Xu et al. [5] pointed out that Lee et al.'s scheme cannot achieve privacy preservation and each proposed an improved scheme. However, Youn et al. [6] showed that Chang et al.'s improved scheme does not achieve user anonymity or provide a secure key establishment service, and Mun et al. [7] showed that Wu et al.'s scheme does not achieve anonymity or perfect forward secrecy. In 2011, He et al. [8] proposed a two-factor user authentication scheme for wireless communications. But Li and Lee [9] demonstrated that He et al.'s scheme has several weaknesses such as lack of user friendliness, user anonymity, and fairness of key agreement, and then they proposed an improvement of He et al.'s scheme. However, Hu et al. [10] showed that Li et al.'s improved scheme cannot resist the foreign agent's impersonation attacks and proposed an improved scheme. In 2011, Chen et al. [11] proposed a lightweight anonymous user authentication for roaming in the global mobility network, but Xie et al. [12] showed that their scheme is vulnerable to offline password attack and does not achieve fair session key generation, user untraceability, user friendliness, or perfect forward secrecy; then they proposed an improved scheme to overcome the weaknesses of Chen et al.'s scheme. Very recently, Chen et al. [13] and Xie et al. [14] proposed some other anonymous authentication schemes for roaming service in global mobility networks.
In this paper, we first propose a strong anonymous mobile roaming authentication scheme in the global mobility network, which is a modified version of [12], the preliminary version of our work. In [12], there is no formal model, no formal proof of the proposed scheme, and no performance comparison between the proposed scheme and some related schemes. On the other hand, the scheme in [12] may be impractical, because the foreign agent does not confirm who has been authenticated by the home agent; when multiple mobile users simultaneously access the foreign agent, the foreign agent may confuse the mobile users. Moreover, an adversary can learn the 's temporary certificate generated by if the adversary learns the session key; thus, the mobile user's information may be divulged. After that, we prove the formal security of the proposed scheme. Finally, we present the performance comparison between our scheme and some related schemes.
The rest of this paper is organized as follows. Section 2 introduces the security model. The proposed scheme and security proof are given in Sections 3 and 4, respectively. After that, we present the performance comparison between the related schemes and ours in Section 5. Finally, we conclude the paper in Section 6.

Security Model
In this section, we recall the security model based on [15,16].

Participants.
In an authenticated key exchange (AKE) protocol, there are three different participants: a mobile user , home agent , and foreign agent ; each of them may have a certain number of instances, which may execute the protocol at the same time. Each has a low-entropy password chosen from a small dictionary , and and hold high-entropy private keys, respectively. When registers to , computes and stores { , ℎ(⋅), } in a smart card, which combines , 's identity , 's identity , and the hash function ℎ(⋅), and issues the smart card to . The instance of (resp., and ) is denoted by (resp., and ); pid is the partner identifier for an instance .

Queries.
The adversary's capabilities are captured by the following oracle queries.
( , , ). The passive attack is captured by this oracle query. The adversary can get access to the honest execution process of the protocol between the instances.
( , ). This query models an active attack; the adversary sends a message to instance and gets the response message from instance according to the protocol. A query ( , ) initializes the key agreement algorithm.
V ( ). This query allows the adversary to get some information about the session key of instance .
( , ). The corruption capability of the adversary is modeled by this query. The adversary can obtain the secret value of and messages stored in the smart card.
(a) If = 1, it outputs the 's password .
(b) If = 2, it outputs messages stored in the smart card.
( ). This oracle query is used to define the semantic security of the session key of instance . If the session key is not defined or the instance is not fresh, the invalid symbol ⊥ is returned. Otherwise, one flips a coin ; if = 1, one returns the session key of instance ; otherwise, a random key of the same length is returned.

Freshness.
A session key is fresh if the adversary does not trivially know the key. We say an instance is fresh if (1) instance has accepted; (2) no V ( ) and no V (pid ) are queried by the adversary; (3) fewer than 2 ( , ) queries are made by the adversary.

Semantic Security.
Finally, the adversary outputs a bit . Let be the event that the adversary wins the game, that is, = . The AKE advantage of the adversary is defined as

The Proposed Scheme
In this section, we demonstrate a practical scheme which is a modified version of our preliminary scheme in [12]. Some notations which will be used in this paper are defined as follows:
: an elliptic curve defined over a finite field with large order ,
: a long-term common secret key shared between and ,
0 ∈ * , 0 ∈ * : random numbers chosen by and , respectively,
= , = : 's secret key and public key.
Algorithm 1: The proposed scheme: login and authentication phase.

Registration.
When a mobile user wants to join the , he needs to perform the following steps.
Step 1. The mobile user freely chooses his identity and password . Then submits to the HA over a secure channel.
Step 2. Upon receiving the message from , the computes = [( ‖ )], stores { , ℎ(⋅)} in the smart card, and then returns it to the .
Step 3. The computes , stores it in the smart card, and replaces with . Finally, the smart card contains { , ℎ(⋅), }.
The login and authentication phase of the proposed scheme is shown in Algorithm 1.

Login.
When roams into the foreign network, he inserts his smart card into a device and inputs his password . Then the smart card performs the following steps.
Step 1. It chooses a random number 0 and computes = 0 , where is current timestamp.

Authentication
Step 1. The checks the validity of the timestamp by checking − < Δ , where is the current time and Δ is a valid time interval. If it is valid, the chooses a random number 0 and computes = 0 and = ℎ ( , where is the long-term common secret key shared between and , and is the current timestamp. Then sends , , } to the .
Step 2. The checks the validity of the timestamp . If it is valid, the computes and compares it with the received . If it does not match, the terminates this connection. Otherwise, it goes to the next step since only knows the and only can generate the valid .
and replaces with new .
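The following Python sketch is an added illustration, not the paper's own protocol (whose exact message formats are not reproduced here): it shows why the foreign agent needs a per-session binding in the home agent's reply when several mobile users access it concurrently, together with the timestamp check of Authentication Step 1. Assumptions: HMAC-SHA256 stands in for the keyed hash ℎ(⋅), the constant K_FA_HA for the long-term key shared between the foreign and home agents, and ΔT = 5 seconds.

```python
import hashlib
import hmac
import os

# Constructed values (not from the paper): long-term key shared by FA and HA,
# and the valid time interval Delta T used in Authentication Step 1.
K_FA_HA = b"constructed-long-term-key-shared-by-FA-and-HA"
DELTA_T = 5.0


def timestamp_valid(t_msg, t_now, delta=DELTA_T):
    """Accept a message only if it is recent: 0 <= T_now - T_msg < Delta T."""
    return 0.0 <= t_now - t_msg < delta


def ha_reply(tag, t_ha):
    """HA's answer to FA: the MAC is bound to the per-session tag, so FA can
    tell which pending mobile user this verdict belongs to (HMAC stands in
    for the paper's keyed hash under the FA/HA long-term key)."""
    mac = hmac.new(K_FA_HA, tag + repr(t_ha).encode(), hashlib.sha256).digest()
    return {"tag": tag, "t": t_ha, "mac": mac}


class ForeignAgent:
    """Tracks several concurrent login attempts by a per-session tag."""

    def __init__(self):
        self.pending = {}  # tag -> login message awaiting HA's verdict

    def receive_login(self, login, t_now):
        """Authentication Step 1: check T_MU freshness, pick a nonce, derive tag."""
        if not timestamp_valid(login["t_mu"], t_now):
            return None
        n_fa = os.urandom(16)
        tag = hashlib.sha256(login["r_mu"] + n_fa).digest()
        self.pending[tag] = login
        return tag  # carried in what FA forwards to HA

    def receive_ha_reply(self, reply, t_now):
        """Check HA's timestamp and MAC, then resolve WHICH user was authenticated."""
        if not timestamp_valid(reply["t"], t_now):
            return None
        expected = hmac.new(K_FA_HA, reply["tag"] + repr(reply["t"]).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, reply["mac"]):
            return None
        return self.pending.pop(reply["tag"], None)  # None: no such session
```

Without the tag, HA's verdicts for two users whose requests overlap in time would be indistinguishable to FA, which is the confusion described above.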

Security Analysis
Theorem 1. Let and be an elliptic curve group and a uniformly distributed password dictionary, respectively. Let be our scheme, and let be an adversary. Then, one has
where , , ℎ , | |, , and denote the number of queries, the number of -queries, the number of ℎ-queries, the size of , the number of encryption/decryption queries, and the time of a scalar multiplication in , respectively.
Proof. We define a sequence of experiments starting at the real attack experiment 0 and ending at the experiment 5 . Let be the event that the adversary guesses the bit involved in the -query correctly in the experiment , where = 0, 1, . . . , 5. Let Δ be the distance between and +1 . Then, we have
Experiment Exp 0 . In the random oracle model, this experiment is the real attack. By definition, we have
Experiment Exp 1 . In this experiment, we simulate the hash oracles and the encryption/decryption oracles (see Algorithm 2). The , V , , , and oracles are also simulated (see Algorithms 3 and 4). We can see that Exp 0 and Exp 1 are indistinguishable unless the permutation property of or does not hold; we have
Experiment Exp 2 . In this experiment, we simulate all oracles as in the experiment 1 except that we cancel all executions in which some collisions occur in the transcript { 1 , 2 , 3 , 4 } in the output of the hash queries. According to the birthday paradox, we have
Experiment Exp 3 . In this experiment, we cancel the executions wherein the adversary may be lucky in guessing the authentication values 1 , , 2 , and 3 . Since experiments 3 and 2 are indistinguishable unless the home agent/foreign agent (or the mobile user) rejects a correct authentication value, we get Δ 2 = / .
(i) On a hash query ℎ( ), for which there exists a record ( , ) in Λ ℎ , return . Otherwise, choose an element ∈ * , add the record ( , ) to the list Λ ℎ , and return .
(ii) On a query ( ), for which there exists a record ( , * , * , ) in Λ , return . Otherwise, choose an element , add the record ( , ⊥, , ) to the list Λ , and return .
(iii) On a query ( ), for which there exists a record ( , * , * , ) in Λ , return . Otherwise, choose an element , add the record ( , ⊥, , ) to the list Λ , and return .
Algorithm 2: Simulation of random oracle ℎ, encryption oracle , and decryption oracle .
(i) On a query ( , ), assuming is in the correct state, we proceed as in the login algorithm. Then the query is answered with { , , 1 , }.
(iv) On a query ( ( , , 2 )), assuming is in the correct state, we proceed as in authentication Step 4. The query is answered with { 3 , , }.

Performance Comparison
Chen et al.'s [11] scheme is more efficient than the other schemes without perfect forward secrecy; to the best of our knowledge, only the schemes of Mun et al. [7], Li and Lee [9], Hu et al. [10], Xie et al. [12], Chen et al. [13], and Xie et al. [14] provide perfect forward secrecy. Therefore, we present a performance comparison between our scheme and these related schemes. Table 1 compares the performance of the login and key agreement phase, since login and key agreement form the main body of an authentication scheme, while the registration phase is performed only once before authentication. Let , ℎ , , and be the time for performing a modular exponentiation, a one-way hash function, a symmetric encryption/decryption, and a scalar multiplication on an elliptic curve, which need 0.522 seconds, 0.0005 seconds, 0.0087 seconds, and 0.063075 seconds [17][18][19], respectively. We ignore modular addition, exclusive OR, and string concatenation operations, which are negligible compared to the others.
According to Table 1, Chen et al.'s [11] and Mun et al.'s [7] schemes are more efficient than the others, since Chen et al.'s scheme is based entirely on hash and symmetric encryption/decryption operations but does not provide perfect forward secrecy, and Mun et al.'s scheme is vulnerable to several attacks such as impersonation attack, replay attack, man-in-the-middle attack, and verification table stolen attack. Our scheme needs only 0.44 seconds for login and key agreement, which keeps the performance cost low.

Conclusions
In this paper, we proposed a modified scheme of our preliminary work, which was presented in ISBAST 2013. Compared with the preliminary work, the modified scheme