A Novel Authentication Protocol with Strong Security for Roaming Service in Global Mobile Networks

Abstract

In today’s society, Global Mobile Networks (GLOMONETs) have become an important network infrastructure that provides seamless roaming service for mobile users when they leave their home network. Authentication is an essential mechanism for secure communication among the mobile user, home network, and foreign network in GLOMONET. Recently, Madhusudhan and Shashidhara presented a lightweight authentication protocol for roaming application in GLOMONET. However, we found their protocol not only has design flaws, but is also vulnerable to many attacks. To address these weaknesses, this paper proposes a novel authentication protocol with strong security for GLOMONET based on previous work. The fuzzy verifier technique makes the protocol free from smart card breach attack, while achieving the feature of local password change. Moreover, the computational intractability of the Discrete Logarithm Problem (DLP) guarantees the security of the session key. The security of the protocol is verified by the ProVerif tool. Compared with other related protocols, our protocol achieves a higher level of security at the expense of small increases in computational cost and communication cost. Therefore, it is more suitable for securing the roaming application in GLOMONET.

1. Introduction

The network enriches the way people access information, and technologies such as wireless sensor networks (WSN) [1,2,3,4], multi-hop wireless networks [5,6], and the Internet of Things (IoT) [7,8,9] have greatly advanced the intelligence level of peoples’ lives. Benefiting from the development of telecommunication technologies such as 4G, 5G, and Wi-Fi, wireless and mobile communication [10,11,12] have become the most popular means of communication. Meanwhile, the trend of intelligence and miniaturization of devices makes it a reality for people to deal with daily affairs through mobile terminals for various AI applications [13,14]. The Global Mobile Network (GLOMONET) is an important infrastructure for mobile users to enjoy the network anytime and anywhere, which provides roaming service for the mobile users. In the general architecture of GLOMONET environments, there are three entities, namely the Mobile User ($MU$), the Foreign Agent ($FA$) of the roaming network, and the Home Agent ($HA$ of the registered network. Due to the complexity of the wireless network communication environment, it faces serious security and privacy breach threats [15,16,17,18]. For example, in GLOMONET, in order to facilitate billing and secure communication, $FA$ needs to verify the validity of $MU$ with the assistance of the $HA$. Therefore, authentication is an indispensable mechanism for GLOMONET. Meanwhile, session key agreement is also essential for subsequent secure communication after the bidirectional authentication between $MU$ and $FA$. Besides, the update of the session key is an ideal feature for authentication in GLOMONET if $MU$ wants to access $FA$ continuously.

As early as 2004, Zhu et al. [19] first proposed an anonymous authentication mechanism for GLOMONET, which allows $MU$ to access $FA$ after authentication with the assistance of $HA$. Unfortunately, Lee et al. [20] analyzed the drawbacks of the mechanism in [19], i.e., they found that it was vulnerable to forgery attack and could not provide bidirectional authentication and backward secrecy, and they proposed an enhanced scheme. However, the work in [21] and [22] independently pointed out the shortcomings of the scheme in [20], such as it could not ensure user anonymity and could not achieve backward secrecy. In 2011, Xu et al. [23] further analyzed the defects of the scheme in [20] and pointed out that the anonymity feature of the scheme in [20] could be compromised by a malicious insider. Besides, they found that the agreement of the session key between $MU$ and $FA$ was unfair, and it could be decided unilaterally by $MU$. Based on the Diffie–Hellman Protocol (DHP), Xu et al. [23] devised an authentication scheme preserving anonymity for GLOMONET to achieve desirable security and fair session key agreement. Later, many researchers proposed their special solutions for authentication in GLOMONET. In 2011, the work in [24] proposed a robust authentication scheme for GLOMONET, which used the certificate to achieve the three parties’ authentication. Their scheme had many advantages, such as single registration, no verifier table, high efficiency, and resistance to smart card breach attack. However, Li et al. [25] found that the protocol in [24] was still vulnerable to a tracking attack and could not achieve fair key agreement. To fix these drawbacks, Li et al. proposed an improvement scheme [25] relying on DHP. However, their scheme needed more modular exponential operations than the previous scheme [23]. Based on elliptic curve cryptography, Yoon et al. [26] proposed a user-friendly authentication protocol for GLOMONET. However, Niu and Li [27] found that their scheme had the same drawbacks as the scheme in [24]. In 2012, Mun et al. [28] proposed an improved authentication scheme for GLOMONET. Due to it was designed on the basis of elliptic curve DHP, their scheme guaranteed forward secrecy and also could resist man-in-the-middle attack. However, their scheme lacked some ideal functions such as local password change and also suffered from several attacks [29]. Hereafter, many user authentication protocols [30,31,32,33,34,35,36] were proposed to improve the efficiency and enhance the security. In 2015, Marimuthu and Saravanan [30] designed an authentication for GLOMONET based on the Discrete Logarithm Protocol (DLP) and DHP. However, their protocol lacked the session key update function and could not achieve perfect forward secrecy [31]. Recently, Madhusudhan and Shashidhara [32] pointed out some other defects of the scheme in [30], such as stolen verifier attack, impersonation attack, and insider attack. They also proposed an improved authentication protocol for GLOMONET [32], which they claimed was secure and lightweight. However, their protocol had a fatal flaw in the design, i.e., some information that should be kept secret was transmitted by plaintext. Therefore, their protocol not only lacked proper bidirectional authentication, but also suffered from stolen verifier attack, mobile device breach attack, session key compromise attack, and user impersonation attack.

Although many solutions for user authentication in GLOMONET have been presented by researchers, most of them have certain defects in security or function. For example, most of the protocols did not address the contradiction between the function of local password change and resistance to smart card loss attack. To achieve the feature of local password change, some verification information should be stored in the mobile device or smart card. Therefore, an adversary $\mathcal{A}$ can use this verification information to guess the corresponding password when $\mathcal{A}$ obtains the mobile device or smart card. Besides, to ensure the security of the session key and secure update of the session key, public key cryptography is essential. In order to reconcile this contradiction and enhance security, we propose a novel authentication protocol with strong security for GLOMONET. The fuzzy verifier technique is used to balance the conflict between local password change and stolen smart card attack. A discrete logarithm based DHP was adopted to keep the session key secure and achieve the session key update.

The arrangement of the remaining sections is as follows: Section 2 reviews the protocol in [32] and points out their design and security flaws; our protocol, the corresponding formal proof, and the formal verification by ProVerif are presented in Section 3– Section 5, respectively; Section 6 discusses the security properties and compares it with other related protocols; Section 7 summarizes the full paper.

2. Review and Cryptanalysis of Madhusudhan and Shashidhara’s Protocol

In this section, Madhusudhan and Shashidhara’s scheme [32] for GLOMONET is reviewed, and then, the design and security defects of their scheme are pointed out. For convenience of description, the notations used throughout the paper are listed in

Table 1. Notations.

Symbol	Meaning
$MU$, $I{D}_{MU},P{W}_{MU}$	a mobile user and the corresponding identity and password
$HA$, $I{D}_{HA}$	$MU$’s home agent and the identity
$FA$, $I{D}_{FA}$	a foreign agent and the identity
$(x,X)$	secret and public key pair of $HA$
$K_{HF}$	a secret key shared between $HA$ and $FA$
$p,q$	two large prime numbers
g	a generator of $Z_p^{*}$
$n_0$	an integer between $[2^6,2^8]$ for the fuzzy verifier
$E,D$	a pair of symmetric encryption and decryption algorithms
$h(·)$	the hash function
$r_{MU},r_{FA}$	the random integers generated by $MU$ and $FA$
⊕	the XOR operation
l	secure length
$\mathcal{A}$	an adversary

.

2.1. Review of Madhusudhan and Shashidhara’s Scheme

Their scheme [32] contained four phases, which were initialization, registration, authentication, and password change. Since the last phase was not involved in our analysis, only the first three phases were reviewed.

2.1.1. Initialization Phase

$HA$ generates two large prime numbers p, q and chooses a generator g of $Z_p^{*}$. Besides, $HA$ calculates $n=p\times q$ and $\varphi (n)=(p-1)\times (q-1)$. Then, $HA$ chooses an integer $e\in (1,\varphi (n))$ and calculates $d=e^{-1}$ mod $\varphi (n)$, where $gcd(e,\varphi (n))=1$. Next, $HA$ calculates and releases the public key $y=g^d$ mod n and retains $\{d,p,q\}$ secretly.

2.1.2. Registration Phase

To register as a legitimate user, $MU$ interacts with $HA$ as follows:

Step 1.

$MU$ chooses identity $I{D}_{MU}$, password $P{W}_{MU}$, and produces a nonce N. Next, $MU$ calculates $R_1=h(I{D}_{MU}\parallel N)$ and submits it to $HA$ securely.

Step 2.

Upon obtaining the registration request, $HA$ calculates $R=(R_1\parallel I{D}_{HA}\parallel d)$, $a=h(d)$, $C_{MU}=(g^a$ mod $p)\oplus h(R)$. Then, $HA$ initializes the value of the counter K to zero and saves $\{K,R\}$ in the database. Finally, $HA$ submits $\{R,C_{MU},K,h(·)\}$ to $MU$ via a secret manner.

Step 3.

After getting the reply message from $HA$, $MU$ computes $K_{MU}=h(I{D}_{MU}\parallel P{W}_{MU}\parallel R)$ and stores $\{K_{MU},R,C_{MU},K,h(·)\}$ in the mobile device.

2.1.3. Authentication Phase

Whenever $MU$ roams to a foreign network, the following steps allow $FA$ and $MU$ to achieve bidirectional authentication with the assistance of $HA$.

Step 1.

$MU$ types in $I{D}_{MU}$ and $P{W}_{MU}$. The mobile device computes $K_{MU}^{*}=h(I{D}_{MU}\parallel P{W}_{MU}\parallel R)$ and checks $K_{MU}^{*}\stackrel{?}{=}{K}_{MU}$. The request is rejected if they are not equal. Otherwise, $MU$ produces a nonce $R_{MU}$ and computes $U=R\oplus R_{MU}$, $V=((C_{MU}\oplus h(R))\parallel I{D}_{FA})\oplus R_{MU}$ and $W=(U\parallel K\parallel (C_{MU}\oplus h(R)))$. Finally, $MU$ submits the login request $M_1=\{U,V,W\}$ to $FA$.

Step 2.

Upon receiving $M_1$, $FA$ produces a nonce $R_{FA}$, and encrypts $M_1$ with $R_{FA}$ using $K_{FH}$. Then, $FA$ submits $M_2=\{I{D}_{FA},E_{K_{FH}}(M_1,R_{FA})\}$ to $HA$.

Step 3.

After obtaining $M_2$, $HA$ checks $I{D}_{FA}$ and finds the secret key $K_{FH}$. Next, $HA$ retrieves $\{U,V,W,R_{FA}\}$ by calculating $D_{K_{FH}}(E_{K_{FH}}(M_1,R_{FA}))$ and calculates $a=h(d)$, $R_{MU}^{*}=V\oplus ((g^a$ mod $p)\parallel I{D}_{FA})$, $R^{*}=U\oplus R_{MU}^{*}$. Then, $HA$ checks if $R^{*}$ is preserved in the database. If so, $HA$ calculates $W^{*}=(U\parallel K\parallel (g^a$ mod $p))$ and checks $W^{*}\stackrel{?}{=}W$. Non-equality results in the termination of the session, or else $HA$ calculates $SK=h(g^a$ mod $p)\oplus R_{MU}\oplus R_{FA}$ and submits $M_3=\{E_{K_{FH}}(SK)\}$ to $FA$.

Step 4.

When getting $M_3$, $FA$ retrieves $SK$ by calculating $D_{K_{FH}}(E_{K_{FH}}(SK))$ and computes $X=h(SK\parallel R_{FA})$. Then, $FA$ forwards the message $M_4=\{X,R_{FA}\}$ to $MU$.

Step 5.

Upon obtaining $M_4$, $MU$ calculates $S{K}^{*}=h(C_{MU}\oplus h(R))\oplus R_{MU}\oplus R_{FA}$ (In Madhusudhan and Shashidhara’s scheme [32], $S{K}^{*}=C_{MU}\oplus h(R)\oplus R_{MU}\oplus R_{FA}$. However, combined with the context, the formula should be $S{K}^{*}=h(C_{MU}\oplus h(R))\oplus R_{MU}\oplus R_{FA}$, and we correct it here.) and $X^{*}=h(S{K}^{*}\parallel R_{FA})$. Then, $MU$ checks $X^{*}\stackrel{?}{=}X$. The equality means $FA$ is authenticated by $MU$.

2.2. Cryptanalysis of Madhusudhan and Shashidhara’s Scheme

Madhusudhan and Shashidhara’s scheme [32] had some design flaws, and these flaws would lead to some security weaknesses. We analyze the design and security defects of Madhusudhan and Shashidhara’s scheme [32] in this section.

2.2.1. Transmitting Messages in Plaintext

As we know, the XOR and concatenation operations cannot protect the security of the message, and the different parts of message through these two operations can readily be extracted by an adversary $\mathcal{A}$. In Madhusudhan and Shashidhara’s scheme [32], the message $M_1=\{U,V,W\}$ is directly transmitted after XOR and concatenation operations on the public channel, which means that these messages are transparent to $\mathcal{A}$. We assume that $\mathcal{A}$ gets the messages $M_1=\{U,V,W\}$ and $M_2=\{I{D}_{FA},E_{K_{FH}}(M_1,R_{FA})\}$ of a session among $MU$, $FA$, and $HA$ by eavesdropping attack, where $U=R\oplus R_{MU}$, $V=((C_{MU}\oplus h(R))\parallel I{D}_{FA})\oplus R_{MU}$ and $W=(U\parallel K\parallel (C_{MU}\oplus h(R)))$. Therefore, $\mathcal{A}$ can extract K and $C_{MU}\oplus h(R)=g^a$ mod p from W. Then, $\mathcal{A}$ can calculate $R_{MU}=V\oplus ((C_{MU}\oplus h(R))\parallel I{D}_{FA})$ and $R=U\oplus R_{MU}$. Therefore, $\mathcal{A}$ can extract some secret information from $M_1$ due to it being transmitted in plaintext.

2.2.2. User Impersonation Attack

If $\mathcal{A}$ forges a login request message as the name of $MU$ and the forged message passes the authentication of $HA$, we say that $\mathcal{A}$ successfully implemented the user impersonation attack. In Madhusudhan and Shashidhara’s scheme [32], as shown in Section 2.2.1, an adversary $\mathcal{A}$ can extract $MU$’s information $\{(C_{MU}\oplus h(R))=g^a$ mod $p,R,K\}$. As we can see from the review of Madhusudhan and Shashidhara’s scheme [32], this information was sufficient for $\mathcal{A}$ to impersonate as $MU$ sends the login information to $FA$. To forge a login request, $\mathcal{A}$ produces a nonce $R_{MU}^{\prime }$ and calculates $U^{\prime }=R\oplus R_{MU}^{\prime }$, $V^{\prime }=((C_{MU}\oplus h(R))\parallel I{D}_{FA})\oplus R_{MU}^{\prime }$ and $W^{\prime }=(U^{\prime }\parallel K\parallel (C_{MU}\oplus h(R)))$. The forged message $M_1^{\prime }=\{U^{\prime },V^{\prime },W^{\prime }\}$ is a valid login request in the name of $MU$ by using $MU$’s corresponding secret information $\{R,(C_{MU}\oplus h(R)),K\}$. The forged login request $M_1^{\prime }$ can pass the authentication of $FA$ and $HA$, and $\mathcal{A}$ can calculate $SK$ by using $(C_{MU}\oplus h(R))$ in Step 5 of the authentication phase. Therefore, Madhusudhan and Shashidhara’s scheme [32] is vulnerable to user impersonation attack.

2.2.3. Session Key Compromise Attack

In Madhusudhan and Shashidhara’s scheme [32], $MU$ and $FA$ share a session key $SK=h(g^a$ mod $p)\oplus R_{MU}\oplus R_{FA}$ after the authentication, where $R_{MU}$ and $R_{FA}$ are two nonces produced by $MU$ and $FA$, respectively. There are two design drawbacks on the session key. On the one hand, the shared session key should be generally calculated by $MU$ and $FA$ independently. In Madhusudhan and Shashidhara’s scheme [32], although both $MU$ and $FA$ contributed the session key, the value of $SK$ was determined by $HA$, and $FA$ cannot calculate the session key since it cannot get the contribution of $MU$. On the other hand, the session key was calculated only by XOR operations, and it is easily calculated by an adversary $\mathcal{A}$. Assume that $\mathcal{A}$ has obtained the messages $\{M_1,M_2,M_3,M_4\}$ by eavesdropping on the public channel. Next, $\mathcal{A}$ can extract $g^a$ mod $p=C_{MU}\oplus h(R)$ and calculate $R_{MU}$ as shown in Section 2.2.1, as well as can get $R_{FA}$ from $M_4$. Then, $\mathcal{A}$ can calculate the session key $SK=h(g^a$ mod $p)\oplus R_{MU}\oplus R_{FA}$ of $MU$, $FA$, and $HA$. Therefore, in Madhusudhan and Shashidhara’s scheme [32], the session key is easily compromised just by eavesdropping the exchanged messages among $MU$, $FA$, and $HA$ on the public channel.

2.2.4. Mobile Device Breach Attack

In the security analysis section of Madhusudhan and Shashidhara’s protocol [32], they claimed that their protocol could avoid off-line dictionary attack even if $\mathcal{A}$ obtained the information stored in $MU$’s mobile device. However, user’s identity and password are often easy to remember and have low entropy in real-life scenarios, and the dictionaries of identity and password are very limited. Therefore, Wang et al. [37,38] pointed out that the data pair $(ID,PW)$ can be guessed within polynomial time. We suppose that $MU$’s mobile device information $\{K_{MU},R,C_{MU},K,h(·)\}$ has been obtained by $\mathcal{A}$, then the following offline steps can be used by $\mathcal{A}$ to guess $MU$’s identity and password:

Step 1.

$\mathcal{A}$ chooses a pair $(I{D}_{MU}^{*},P{W}_{MU}^{*})$ from the identity dictionary and password dictionary.

Step 2.

$\mathcal{A}$ calculates $K_{MU}^{*}=h(I{D}_{MU}^{*}\parallel P{W}_{MU}^{*}\parallel R)$.

Step 3.

$\mathcal{A}$ tests the correctness of $(I{D}_{MU}^{*},P{W}_{MU}^{*})$ by checking $K_{MU}^{*}\stackrel{?}{=}{K}_{MU}$.

Step 4.

$\mathcal{A}$ repeats the above steps until the right pair $(I{D}_{MU}^{*},P{W}_{MU}^{*})$ is found.

2.2.5. Lack of Bidirectional Authentication

In the digital environment, the authentication between two parties often depends on whether the information provided by the two parties matches, i.e., one party verifies if the calculated value is equal to the value received from another party. Generally, a user authentication scheme should allow one participant to authenticate other participants in an explicit or implicit manner. In Madhusudhan and Shashidhara’s scheme [32], both $FA$ and $MU$ have not authenticated the validity of $HA$. When receiving $M_3=\{E_{k_{FH}}(SK)\}$ from $HA$ in Step 3, $FA$ just decrypts $SK$, but does not verify the validity of the message and $HA$. $MU$ also does not authenticate $HA$. Therefore, Madhusudhan and Shashidhara’s scheme [32] is not suitable for practical use due to it lacking the real bidirectional authentication.

2.2.6. Stolen Verifier Attack

In Madhusudhan and Shashidhara’s scheme [32], $HA$ stores $\{K,R\}$ as the verification information in the database for the each mobile user. As shown in Section 2.2.2, $\mathcal{A}$ can impersonate a mobile user if he/she knows $MU$’s information $\{(C_{MU}\oplus h(R)),R,K\}$. Actually, the value $(C_{MU}\oplus h(R))$ for each mobile user is equal, and it is equal to $g^a$ mod p. As shown in Section 2.2.1, $\mathcal{A}$ can easily get $g^a$ mod p by eavesdropping the communication messages from the public channel. If the verifier was stolen by $\mathcal{A}$, he/she can impersonate any mobile user by using $\{(C_{MU}\oplus h(R))=g^a$ mod $p,R,K\}$. Therefore, Madhusudhan and Shashidhara’s scheme [32] suffers from stolen verifier attack.

2.2.7. Other Weaknesses

In addition to the above security flaw, there are some other weaknesses in Madhusudhan and Shashidhara’s scheme [32]. First, the counter mechanism is used in their scheme to resist the replay attack. Both $MU$ and $HA$ maintain a count value K synchronously, and $HA$ judges the replay message by checking whether the received count value K equals the stored counter value. However, the authors did not explain how the two parties update the count value synchronously. Besides, the synchronization-based mechanism is vulnerable to asynchronous attack, and $MU$ cannot access the server anymore if the updated K in $MU$ does not match $HA$’s. Second, there are some errors in their protocol’s password change phase. In the description of their protocol, the mobile device $MU$ computes $K_{MU}^{*}=h(I{D}_{MU}\parallel P{W}_{MU})$ to check if the identity and password are correct, and $K_{MU}^{NEW}=h(I{D}_{MU}\parallel P{W}_{MU}^{NEW})$ to update the password. However, the correct formulas should be $K_{MU}^{*}=h(I{D}_{MU}\parallel P{W}_{MU}\parallel K)$ and $K_{MU}^{NEW}=h(I{D}_{MU}\parallel P{W}_{MU}^{NEW}\parallel K)$.

3. Our Proposed Scheme

This section proposes a novel authentication protocol with strong security for GLOMONET based on the previous relevant work. In the protocol, the fuzzy verifier technique [39] is adopted to resolve the contradiction of local password change and stolen smart card attack. Besides, the Diffie–Hellman agreement method is used in the new protocol to secure the session key. Except the phases shown in Madhusudhan and Shashidhara’s scheme [32], our new protocol contains a session key update phase, which makes the protocol more practical.

3.1. Initialization Phase

$HA$ initializes the system by selecting some parameters. $HA$ chooses a large prime number p and a generator g of $Z_p^{*}$, where the DLP on $Z_p^{*}$ is intractable. Next, $HA$ selects a hash function $h(·):{(0,1)}^{*}\to {(0,1)}^l$, which transforms the arbitrary binary into l bit (such as 128 bits) data. Furthermore, $HA$ chooses an integer $2^6\le n_0\le 2^8$, which is used for the fuzzy verifier. Besides, $HA$ generates the secret and public key pair $(x,X)$, where $x\in Z_p^{*}$ and $X=g^x$ mod p. Finally, $HA$ chooses a symmetric encryption algorithm E and the corresponding decryption algorithm D.

In addition to the generation of the above parameters, $HA$ and $FA$ have their identities $I{D}_{HA}$ and $I{D}_{FA}$, respectively, and they share a secret key $K_{HF}$ by using the key exchange protocol.

3.2. Registration Phase

In this phase, $MU$ interacts with the $HA$ as follows to register as a legitimate user.

Step R1.

$MU\Rightarrow HA:\{I{D}_{MU},HP{W}_{MU}\}$:

$MU$ first chooses $I{D}_{MU}$, $P{W}_{MU}$, and a nonce b. Then, $MU$ calculates $HP{W}_{MU}=h(P{W}_{MU}\parallel b)$ and transmits the registration request $\{I{D}_{MU},HP{W}_{MU}\}$ to $HA$ with a secure method.

Step R2.

$HA\Rightarrow MU:$ A Smart Card $SC$:

$HA$ checks if $I{D}_{MU}$ exists in the system. If so, $MU$ is asked to send a new one. Otherwise, $HA$ computes $A_{MU}=h((h(I{D}_{MU})\oplus HP{W}_{MU})$ mod $n)$, $K_{MH}=h(I{D}_{MU}\parallel x)$, and $C_{MU}=HP{W}_{MU}\oplus K_{MH}$. Then, $HA$ stores the parameters $\{A_{MU},C_{MU},I{D}_{HA},p,g,X,E,D,h(·)\}$ in a smart card ($SC$) and forwards it to $MU$ over a secure manner.

Step R3.

When obtaining the $SC$, $MU$ activates it and stores b into it.

3.3. Login and Authentication Phase

Whenever $MU$ roams to $FA$, the following steps allow $FA$ and $MU$ to achieve bidirectional authentication and share a session key with the assistance of $HA$. These procedures can also be found in Figure 1.

Step V1.

$MU\to FA$: $M_1=\{I{D}_{HA},CI{D}_{MU},R_{MU},C_3\}$.

$MU$ inserts the $SC$ into the mobile terminal and types in $I{D}_{MU}$ and $P{W}_{MU}$. $SC$ computes $A_{MU}^{\prime }=h((h(I{D}_{MU})\oplus h(P{W}_{MU}\parallel b))$ mod $n)$ and verifies $A_{MU}^{\prime }\stackrel{?}{=}{A}_{MU}$. Unequal means that $MU$ entered incorrect $I{D}_{MU}$ or $P{W}_{MU}$, and the session is terminated by $SC$. The card will be locked if there are three consecutive failures on the password. Otherwise, $SC$ produces a nonce $r_{MU}\in Z_p^{*}$ and calculates $R_{MU}=g^{r_{MU}}$ mod p, $C_1=X^{r_{MU}}$ mod p, $CI{D}_{MU}=I{D}_{MU}\oplus h(R_{MU}\parallel C_1)$, $K_{MH}^{\prime }=C_{MU}\oplus h(P{W}_{MU}\parallel b)$, $C_2=h(I{D}_{HA}\parallel I{D}_{FA}\parallel C_1)$, and $C_3=E_{K_{MH}^{\prime }}(C_2\parallel I{D}_{FA})$. Then, $MU$ submits the login request $M_1=\{I{D}_{HA},CI{D}_{MU},R_{MU},C_3\}$ to $FA$.

Step V2.

$FA\to HA$: $M_2=\{CI{D}_{MU},R_{MU},C_3,R_{FA},C_4\}$.

When receiving $M_1$ from a roaming user, $FA$ produces a nonce $r_{FA}\in Z_p^{*}$ and computes $R_{FA}=g^{r_{FA}}$ mod p and $C_4=h(I{D}_{FA}\parallel K_{HF}\parallel R_{MU}\parallel C_3\parallel R_{FA})$. Then, $FA$ forwards the message $M_2=\{CI{D}_{MU},R_{MU},C_3,R_{FA},C_4\}$ to $HA$.

Step V3.

$HA\to FA$: $M_3=\{C_5,C_7\}$.

Upon obtaining the message from $FA$, $HA$ calculates $C_1^{\prime }=R_{MU}^x$ mod p, $I{D}_{MU}^{\prime }=CI{D}_{MU}\oplus h(R_{MU}\parallel C_1^{\prime })$, $K_{MH}^{\prime }=h(I{D}_{MU}^{\prime }\parallel x)$, and $D_{K_{MH}^{\prime \prime }}(C_3)=(C_2^{\prime }\parallel I{D}_{FA}^{\prime })$. Then, $HA$ calculates $C_2^{\prime }=h(I{D}_{HA}\parallel I{D}_{FA}^{\prime }\parallel C_1^{\prime })$ and checks $C_2^{\prime }\stackrel{?}{=}{C}_2^{\prime }$. Unequal will lead to the rejection of the session. Otherwise, $MU$ is authenticated by $HA$. Next, $FA$ retrieves the $K_{HF}$ according to $I{D}_{FA}^{\prime }$. Then, $HA$ calculates $C_4^{\prime }=h(I{D}_{FA}^{\prime }\parallel K_{HF}\parallel R_{MU}\parallel C_3\parallel R_{FA})$ and authenticates $HA$ by checking $C_4^{\prime }\stackrel{?}{=}{C}_4$. If the verification passes, $HA$ calculates $C_5=h(I{D}_{HA}\parallel I{D}_{FA}^{\prime }\parallel K_{HF}\parallel R_{MU}\parallel R_{FA})$, $C_6=h(I{D}_{MU}^{\prime }\parallel I{D}_{FA}\parallel C_1\parallel R_{FA})$, $C_7=E_{K_{MH}^{\prime \prime }}(R_{FA}\parallel C_6)$, and forwards $M_3=\{C_5,C_7\}$ to $FA$.

Step V4.

$FA\to MU$: $M_4=\{R_{FA},C_7,C_9\}$.

When receiving the message from $HA$, $FA$ calculates $C_5^{\prime }=h(I{D}_{HA}\parallel I{D}_{FA}\parallel K_{HF}\parallel R_{MU}\parallel R_{FA})$, and the validity of $HA$ is verified if $C_5^{\prime }=C_5$. Then, $FA$ calculates $C_8=R_{MU}^{r_{FA}}$ mod p, the session key $SK=h(R_{MU}\parallel R_{FA}\parallel C_8)$, and $C_9=h(SK\parallel C_7)$. Then, $FA$ submits the message $M_4=\{R_{FA},C_7,C_9\}$ to $MU$.

Step V5.

When receiving $M_4$ from $FA$, $MU$ calculates $D_{K_{MH}^{\prime }}(C_7)=(R_{FA}^{\prime }\parallel C_6^{\prime })$ and checks if $R_{FA}^{\prime }$ is equal to the received $R_{FA}$. Then, $MU$ calculates $C_6^{\prime }=h(I{D}_{MU}\parallel I{D}_{FA}\parallel C_1\parallel R_{FA})$, and the validity of $HA$ is verified if $C_6^{\prime }=C_6^{\prime }$. Next, $MU$ calculates $C_8^{\prime }=R_{FA}^{r_{MU}}$ mod p, $S{K}^{\prime }=h(R_{MU}\parallel R_{FA}\parallel C_8^{\prime })$, $C_9^{\prime }=h(S{K}^{\prime }\parallel C_7)$, and the validity of $FA$ is verified if $C_9^{\prime }=C_9$. Finally, as a shared session key between $MU$ and $FA$, $SK$ is used by them for further security communication.

3.4. Session Key Update Phase

Since the session key is only valid for a certain period, $MU$ should update the session key with $FA$ if he/she wants continuous access to the roaming network. The following procedures allow him/her to update a new session key, and it also can be found in Figure 2.

Step S1.

$MU$ produces a new nonce $r_{MU}^{\prime }\in Z_p^{*}$ and calculates $R_{MU}^{\prime }=g^{r_{MU}^{\prime }}$ mod p, $C_{MU}=E_{SK}(R_{MU}^{\prime })$. Then, $MU$ submits $\{C_{MU}\}$ to $FA$ for session key update.

Step S2.

$FA$ retrieves $R_{MU}^{\prime }$ by decrypting $C_{MU}$ using $SK$. Next, $FA$ produces a new nonce $r_{FA}^{\prime }\in Z_p^{*}$ and calculates $R_{FA}^{\prime }=g^{r_{FA}^{\prime }}$ mod p, $C_{FA}=E_{SK}(R_{FA}^{\prime })$, $S{K}_{new}=h(R_{MU}^{\prime }\parallel R_{FA}^{\prime }\parallel ({(R_{MU}^{\prime })}^{r_{FA}^{\prime }}$ mod $p))$, and $V_{FA}=h(S{K}_{new}\parallel SK)$. Then, $FA$ sends the message $\{C_{FA},V_{FA}\}$ to $MU$.

Step S3.

When receiving the message, $MU$ first retrieves $R_{FA}^{\prime }$ by decrypting $C_{FA}$ using $SK$. Then, $MU$ calculates $S{K}_{new}^{\prime }=h(R_{MU}^{\prime }\parallel R_{FA}^{\prime }\parallel ({(R_{FA}^{\prime })}^{r_{MU}^{\prime }}$ mod $p))$, $V_{FA}^{\prime }=h(S{K}_{new}^{\prime }\parallel SK)$ and checks $V_{FA}^{\prime }\stackrel{?}{=}{V}_{FA}$. Unequal means $MU$ and $FA$ fail to agree on a new session key. Otherwise, they share a new session key $S{K}_{new}$.

3.5. Password Change Phase

The following steps allow $MU$ to change the password without the assistance of the home agent $HA$.

Step P1.

$MU$ inserts the $SC$ into the mobile terminal and types $I{D}_{MU}$ and $P{W}_{MU}$.

Step P2.

$SC$ computes $A_{MU}^{\prime }=h((h(I{D}_{MU})\oplus h(P{W}_{MU}\parallel b))$ mod $n)$ and verifies $A_{MU}^{\prime }\stackrel{?}{=}{A}_{MU}$. If they are not equal, which means that $MU$ entered incorrect $I{D}_{MU}$ or $P{W}_{MU}$, the request is rejected by $SC$. On the contrary, $MU$ is asked to type a new password.

Step P3.

$MU$ inputs a new password $P{W}_{MU}^{*}$. $SC$ calculates $HP{W}_{MU}^{*}=h(P{W}_{MU}^{*}\parallel b)$, $A_{MU}^{*}=h((h(I{D}_{MU})\oplus HP{W}_{MU}^{*})$ mod $n)$, $C_{MU}^{*}=C_{MU}\oplus HP{W}_{MU}^{*}\oplus h(P{W}_{MU}\parallel b)$. Finally, $SC$ replaces $A_{MU}$ and $C_{MU}$ with $A_{MU}^{*}$ and $C_{MU}^{*}$, respectively.

4. Formal Proof

4.1. Basic Knowledge

G is a multiplicative group with a large prime order p, and g is its generator.

• DLP (Discrete Logarithm Problem): Given $g^a\in G$ and $a\in Z_p^{*}$, it is hard to compute a.
• CDHP (Computation Diffie–Hellman Problem): If $a,b\in Z_p^{*}$ and $g^a,g^b\in G$ are known, it is hard to compute $g^{ab}$, and $Ad{v}_{\mathcal{A}}^{CDH}$ denotes the probability for $\mathcal{A}$ to break the CDHP.

4.2. Basic Knowledge for the Proof

The formal proof given in here is based on [40,41,42].

To make it easy for $\mathcal{A}$ to perform attacks, we consider only three entities: one home agent $HA$, one foreign agent $FA$, and one mobile user $MU$. They make sessions in scheme $\mathcal{S}$. $\mathcal{I}$ is for any entity that is not required to be differentiated. The entities have many instances, and each of them is numbered, as an oracle, e.g., $M{U}^i$ is the ith instance of $MU$. Similarly, we can understand ${\mathcal{I}}^t$, $F{A}^j$ and $H{A}^k$. $accept$, $reject$, and ⊥ are three states for the result of the instance. $accept$ occurs when the oracle receives the correct message; $reject$ occurs when an incorrect message comes; and ⊥ occurs when no answer appears in the oracle. Each instance of $MU$ or $FA$ has a session number, like $S{N}_{M{U}^i}$ or $S{N}_{F{A}^j}$, and a partner $P{N}_{M{U}^i}$ or $P{N}_{F{A}^j}$. If $S{N}_{M{U}^i}=S{N}_{F{A}^j}$ and they build the same session key $sk$, or $s{k}_{M{U}^i}=s{k}_{F{A}^j}$, we say that $M{U}^i$ and $F{A}^j$ are partnering, and $P{N}_{M{U}^i}=F{A}^j$ and $P{N}_{F{A}^j}=M{U}^i$. $g,p$, $I{D}_{MU}$, $I{D}_{FA}$, and $I{D}_{HA}$ are public elements. The secret parameters, such as $P{W}_i$, $K_{FH}$, and x, are owned by the entities according to the scheme $\mathcal{S}$. All passwords can be retrieved in a finite P set, which has $\left|P\right|$ elements in total.

$\mathcal{A}$ can make the following queries on a simulator $\mathbb{S}$ to crack the login and authentication process, especially the session key:

• $Send(\mathcal{I},{\mathcal{I}}_r^t,m)$: $\mathcal{I}$ sends message m to ${\mathcal{I}}_r^t$. If m is correct, the normal operations in $\mathcal{S}$ will be done on ${\mathcal{I}}_r^t$; or the query will be stopped.
• $Execute(M{U}^i,F{A}^j,H{A}^k)$: All messages in the authentication phase will be eavesdropped by $\mathcal{A}$.
• $Reveal({\mathcal{I}}^t)$: If $M{U}^i$ or $F{A}^j$ generates a session key, the key will be returned to $\mathcal{A}$.
• $Corrupt(M{U}^i,SC)$: $\mathcal{A}$ can get all information stored in $SC$ of $MU$.
• $Corrupt({\mathcal{I}}^t)$: $\mathcal{A}$ gets all long-term secret data of $\mathcal{I}$, and this is for strong forward security [41].
• $Test({\mathcal{I}}^t)$: $\mathcal{I}$ is for $MU$ or $FA$. Finally, $\mathcal{A}$ has to choose a session to make a challenge. If $\mathcal{I}$ does not reach $accept$ or $sfs-security$, which will be explained later, the result is ⊥. Else, a bit $\mu$ is chosen. If $\mu =1$, the session key is returned. Otherwise, a random string ${\{0,1\}}^l$ is returned.

Some demonstrations must be listed below to complement the above content.

• $SFS-fresh$: As shown in [41], it is Strong Forward Security-fresh for $MU$ and $FA$. ${\mathcal{I}}^t$ is $SFS-fresh$ if any of the following conditions do not appear:

  -

  $Reveal({\mathcal{I}}^t)$ or $Reveal(P{N}_{{\mathcal{I}}^t})$ is asked.

  -

  $Corrupt({\mathcal{I}}^t)$ or $Corrupt(P{N}_{{\mathcal{I}}^t})$ is queried before $Test(\mathcal{I})$.

• $SFS-secure$: The advantage for $\mathcal{A}$ breaking $\mathcal{S}$ is the probability of correctly guessing $\mu$ generated in $Test({\mathcal{I}}^t)$ over $\frac{1}{2}$, or $Ad{v}_{\mathcal{S}}^{SFS}(\mathcal{A})=2|Pr[\mu ={\mu }^{\prime }]-\frac{1}{2}|$, where ${\mu }^{\prime }$ is guessed by $\mathcal{A}$. If $q_s$ is the number of $Send$ queries, $Ad{v}_{\mathcal{S}}^{SFS}(\mathcal{A})$ is negligibly bigger than $\frac{O(q_s)}{\left|P\right|}$ and $\mathcal{S}$ is $SFS-secure$.

4.3. Process of the Proof

Theorem 1.

A multiplicative group G with a large order p, a finite password set with size P, and the security length l are basic parameters for the proof. The adversary $\mathcal{A}$ has chances for $q_s$$Send$ queries, $q_e$$Execute$ queries, and $q_h$ hash queries to crack $\mathcal{S}$, with the upper bound polynomial time t. The advantage of breaking the $SFS-secure$ scheme $\mathcal{S}$ is:

$$Ad{v}_{\mathcal{S}}^{SFS}(\mathcal{A})⩽\frac{{(q_s+q_e)}^2}{p-1}+\frac{q_h^2+6q_s+12q_h}{2^l}+\frac{2q_s}{\left|P\right|}+4q_h(1+{(q_s+q_e)}^2)Ad{v}_{\mathcal{A}}^{CDH}(t^{\prime })$$

$T_m$ represents the time of a multiplication in G and $t^{\prime }=t+(6q_e+2q_s)T_m$.

Proof. 

The proof contains a sequence of games from $G_0$ to $G_5$. $Suc{c}_i$ denotes $\mathcal{A}$’s successful probability to guess $\mu$ correctly. Since there is only one $MU$, no guessing is required for the identity.

• Game $G_0$: The random oracles are added in the real scheme. If more queries are used by $\mathcal{A}$ or the game is finished, but without answer, a new bit $\mu$ is produced. We know that $Ad{v}_{\mathcal{S}}^{SFS}(\mathcal{A})=2|Pr\left[Suc{c}_0\right]-\frac{1}{2}|$.
• Game $G_1$: All queries in Section 4.2 are brought in. However, there are five $Send$ queries: $Send(start,M{U}^i,\varphi )$, $Send(M{U}^i,F{A}^j,M_1)$, $Send(F{A}^j,H{A}^k,M_2)$, $Send(H{A}^k,F{A}^j,M_3)$, and $Send(F{A}^j,M{U}^i,M_4)$. The operations for five $Send$ queries correspond to the five steps in Section 3.3. Furthermore, three lists are required: ${\mathcal{L}}_h$ is to store the results of hash queries from the simulator $\mathbb{S}$; ${\mathcal{L}}_{\mathcal{A}}$ is to store the hash queries from $\mathcal{A}$; ${\mathcal{L}}_{\mathcal{S}}$ is to store the transcripts of the sessions. When a string $str$ is asked for the hash result, the simulator $\mathbb{S}$ returns the result r if the tuple $(str,r)$ can be found in the list. However, if there is no such result, the simulator $\mathbb{S}$ picks up a random string $r\in {\{0,1\}}^l$ as the result and stores the tuple $(str,r)$ in the corresponding list. $\mathcal{A}$ cannot know the difference between $G_1$ and $G_0$, and $Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right]$.
• Game $G_2$: The collisions between different sessions are discussed in this game. There are two cases below:
  • The probability for collision of random numbers $r_{MU}$ and $r_{FA}$ is at most $\frac{{(q_s+q_e)}^2}{2(p-1)}$.
  • The probability for collision of hash results is $\frac{q_h^2}{2^{l+1}}$.
  Therefore, we know $|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_1\right]|⩽\frac{{(q_s+q_e)}^2}{2(p-1)}+\frac{q_h^2}{2^{l+1}}$.
• Game $G_3$: We consider the case that $\mathcal{A}$ can impersonate the entities via forging hash results without hash query.

  -

  $Send(M{U}^i,F{A}^j,M_1)$: $\mathbb{S}$ checks if $M_1\in {\mathcal{L}}_{\mathcal{S}}$, and $(R_{MU}||*,*)$, $(I{D}_{HA}\left|\right|I{D}_{FA}\left|\right|*,*)\in {\mathcal{L}}_{\mathcal{A}}$. However, $(P{W}_{MU}||b,*)$ cannot be checked. The probability is $\frac{2q_h}{2^l}$ for this case.

  -

  $Send(F{A}^j,H{A}^k,M_2)$: $\mathbb{S}$ checks if $M_1,M_2\in {\mathcal{L}}_{\mathcal{S}}$, and $(R_{MU}||*,*)$, $(I{D}_{HA}|\left|I{D}_{FA}\right||*,*)$, $(I{D}_{FA}\left|\right|*\left|\right|R_{MU}\left|\right|C_3\left|\right|*,C_4)\in {\mathcal{L}}_{\mathcal{A}}$. Furthermore, $(P{W}_{MU}||b,*)$ cannot be checked. The probability is $\frac{q_h}{2^l}$ for the first and second hash result and $\frac{q_s}{2^l}$ for the last.

  -

  $Send(H{A}^k,F{A}^j,M_3)$: $\mathbb{S}$ checks if $M_1,M_2$, $M_3\in {\mathcal{L}}_{\mathcal{S}}$, and $(I{D}_{HA}|\left|I{D}_{FA}\right||*|\left|R_{MU}\right||R_{FA},C_5)$, $(I{D}_{MU}\left|\right|I{D}_{FA}\left|\right|*\left|\right|R_{FA},*)\in {\mathcal{L}}_{\mathcal{A}}$. The probability for the first result is $\frac{q_s}{2^l}$ and for the second is $\frac{q_h}{2^l}$.

  -

  $Send(F{A}^j,M{U}^i,M_4)$: $\mathbb{S}$ checks if $M_1$, $M_2$, $M_3$, $M_4\in {\mathcal{L}}_{\mathcal{S}}$, and $(I{D}_{MU}|\left|I{D}_{FA}\right||*||R_{FA},*)$, $(*||C_7,C_9)\in {\mathcal{L}}_{\mathcal{A}}$. The probability for the first result is $\frac{q_h}{2^l}$ and for the second is $\frac{q_s}{2^l}$.

  Therefore, $G_3$ is the same as $G_2$, and the probability $|Pr\left[Suc{c}_3\right]-Pr\left[Suc{c}_2\right]|⩽\frac{3q_s+6q_h}{2^l}$.
• Game $G_4$: We inject the CDH problem in this game, with random oracles added again. Based on [41,42], $Corrupt(M{U}^i,SC)$ must be asked first to crack the scheme. Two cases can be listed:
  • With the most number of chance $q_s$, $\mathcal{A}$ can select one password from P to start a session. Such an active attack has the success probability $\frac{q_s}{\left|P\right|}$.
  • For passive attacks, two subcases are demonstrated below:

    (a)

    $Execute$ queries are used. Finally, $(g^{r_{MU}}|\left|g^{r_{FA}}\right||g^{r_{MU}{r}_{FA}},sk)$ should be found in ${\mathcal{L}}_{\mathcal{A}}$, and the probability is $\frac{1}{q_h}$. Therefore, the probability for this subcase is $q_{h}Ad{v}_{\mathcal{A}}^{CDH}(t+6q_e{T}_m)$.

    (b)

    $Execute$ can be replaced with the combination of all $Send$ queries. Similar to the last subcase, the probability is $q_{h}Ad{v}_{\mathcal{A}}^{CDH}(t+2q_s{T}_m)$.

  We make $t^{\prime }=t+(6q_e+2q_s)T_m$ and get $|Pr\left[Suc{c}_4\right]-Pr\left[Suc{c}_3\right]|⩽\frac{q_s}{\left|P\right|}+2q_{h}Ad{v}_{\mathcal{A}}^{CDH}(t^{\prime })$.
• Game $G_5$: This game is for strong forward security. With the concept of $SFS-secure$, $Corrupt$ should be asked after $Test$, so we can only consider old messages here. Like $G_4$, the probability for $g^{r_{MU}}$ and $g^{r_{FA}}$ occurring in the same session is $\frac{1}{{(q_s+q_e)}^2}$, and $|Pr\left[Suc{c}_5\right]-Pr\left[Suc{c}_4\right]|⩽2q_h{(q_s+q_e)}^{2}Ad{v}_{\mathcal{A}}^{CDH}(t^{\prime })$. Till now, $Pr\left[Suc{c}_5\right]=\frac{1}{2}$, and there is no advantage for $\mathcal{A}$.

Via the above games, Theorem 1 can be deduced. □

5. Formal Verification by ProVerif

In this section, the emulator tool ProVerif is utilized by us to test the security of the proposed protocol, which is a new and efficient tool to detect the confidentiality of an information security protocol. The tool supports unlimited rounds of protocol execution.

The normalized mode description about our protocol is presented as follows. There are three entities, which are $MU$, $FA$, and $HA$, in the protocol. Firstly, $MU$ sends the registration request to $HA$. Secondly, $HA$ transmits the information to $MU$ in a secure manner. Thirdly, $MU$ sends the login request to $FA$. Fourthly, $FA$ forwards the message to $HA$. Then, $HA$ tightly transmits the response to $FA$. Lastly, $FA$ returns the message to $HA$.

• $MU\to HA:\{I{D}_{MU},HP{W}_{MU}\}$
• $HA\to MU:\{A_{MU},C_{MU},I{D}_{HA},p,g,X,E,D,h(·)\}$
• $MU\to FA$: $M_1=\{I{D}_{HA},CI{D}_{MU},R_{MU},C_3\}$.
• $FA\to HA$: $M_2=\{CI{D}_{MU},R_{MU},C_3,R_{FA},C_4\}$.
• $HA\to FA$: $M_3=\{C_5,C_7\}$.
• $FA\to MU$: $M_4=\{R_{FA},C_7,C_9\}$.

The detail of the code is shown in the following. The predefinition code in Figure 3 consists by three parts, and we firstly declare some statements (parameters, space and functions) and channels (secure and unsecure channel). Then, we define some equations (hash function, XOR operation, and the inverse operation of ‖). We also make some queries to satisfy the security requirements. The processes of MU, FA, and HA were operated simultaneously, and the corresponding codes are shown in Figure 4, Figure 5 and Figure 6, respectively. In summary, As shown in Figure 7, we state the protocol by using events BeginUser(muID) and EndUser(muID), and the verification results are “RESULT not attacker(SK[]) is true.”, “RESULT not attacker(KHF[]) is true.”, “RESULT not attacker(KMH’[]) is true.”, and “RESULT inj-event(EndUser(id)) ==> inj-event(BeginUser(id)) is true.”. Thus, the session key $SK$, the shared key $K_{HF}$, and the shared key $K_{MH}$ could withstand the attacks, and the proposed protocol could pass the verification of ProVerif.

6. Security Analysis and Comparisons

To show the advantages of our protocol, security features of our protocol are discussed in this part. Besides, the comparisons of our protocol and other related protocols are also given in this section.

6.1. Resist Smart Card Loss (Off-Line Password Guessing) Attack

To achieve the feature of freely local password update for users, the smart card must store verification information of user’s identity and password. However, this verification information can be used to guess a password if the smart card is lost. Our scheme uses the fuzzy verifier technique [39] to resist smart card loss attack while realizing local password change. If $MU$’s $SC$ is lost, $\mathcal{A}$ can retrieve the information in $SC$$\{A_{MU},C_{MU},I{D}_{HA},p,g,X,E,D,b,h(·)\}$. However, $\mathcal{A}$ cannot guess $I{D}_{MU}$ and $P{W}_{MU}$ from $C_{MU}$ without knowing $HA$’s secret key x. $\mathcal{A}$ may also want to guess $ID$ and $PW$ from $A_{MU}=h((h(I{D}_{MU})\oplus h(P{W}_{MU}\parallel b))$ mod $n)$. However, for ${10}^6$ sized identity/password dictionaries, and $n_0\approx 2^8$, there are more than $2^{30}$ pairs of $(I{D}_{MU},P{W}_{MU})$ such that the value of $h((h(I{D}_{MU})\oplus h(P{W}_{MU}\parallel b))$ mod $n)$ equals $A_{MU}$. Therefore, it is impossible for $\mathcal{A}$ to obtain the correct $(I{D}_{MU},P{W}_{MU})$. According to the above analysis, it can be seen that our protocol can resist smart card loss attack, and $\mathcal{A}$ cannot guess the user’s correct $(I{D}_{MU},P{W}_{MU})$ even if $\mathcal{A}$ obtained the smart card information.

6.2. User Anonymity

In our protocol, $I{D}_{MU}$ is not included in any of communication messages $M_1$, $M_2$, $M_3$, and $M_4$. Among these messages transmitted on the public channel, just $CI{D}_{MU}$ is related to $I{D}_{MU}$. Only $HA$ can reveal $I{D}_{MU}$ from $CI{D}_{MU}$ by using the secret key x, and $\mathcal{A}$ cannot know $I{D}_{MU}$ from the messages obtained on the public channel. Meanwhile, in each session, the messages $M_1$, $M_2$, $M_3$, and $M_4$ exchanged among the three parties, all elements except $I{D}_{HA}$ are dynamically changed with the random numbers. Therefore, $\mathcal{A}$ cannot track different sessions from the same mobile user. Therefore, our protocol can protect the user’s anonymity.

6.3. Proper Bidirectional Authentication

Our protocol achieves the bidirectional authentication among $MU$, $FA$, and $HA$ with the assistance of $HA$. The bidirectional authentication between $MU$ and $HA$ relies on the shared secret information $K_{MH}=h(I{D}_{MU}\parallel x)$, which can be retrieved by $MU$ with the $P{W}_{MU}$ from $C_{MU}$ and also can be calculated by $HA$ when he/she retrieves the correct $I{D}_{MU}$ from $CI{D}_{MU}$ using x. With the shared $K_{MH}$, $HA$ can authenticate $MU$ by checking $C_2^{\prime \prime }\stackrel{?}{=}{C}_2^{\prime }$ in Step V3, and $MU$ can authenticate $HA$ by checking $C_6^{\prime \prime }\stackrel{?}{=}{C}_6^{\prime }$ in Step V5. Meanwhile, the bidirectional authentication between $FA$ and $HA$ can be achieved due to the pre-shared secret key $K_{HF}$. With this secret key, $HA$ can authenticate $FA$ by verifying $C_4^{\prime }\stackrel{?}{=}{C}_4$ in Step V3, and $FA$ can also verify if $HA$ is valid by checking $C_5^{\prime }\stackrel{?}{=}{C}_5$ in Step V5. For $MU$ and $FA$, $MU$ is a legal foreign user for $FA$ if $MU$ passes the verification of $HA$. On the contrary, $FA$ is valid for $MU$ if they generate the same $SK$ and $C_9^{\prime }=C_9$.

6.4. Resist Impersonation Attack

In our protocol, the secret keys x and $K_{HF}$ are indispensable for $HA$ to authenticate mobile users and $FA$. Therefore, any adversary cannot imitate $HA$. For the same reason, the adversary cannot impersonate $FA$. Besides, based on the description of the authentication phase, $I{D}_{MU}$ and $P{W}_{MU}$ are essential for $MU$ to generate a valid login request message. However, as we can see from Section 6.1, an adversary $\mathcal{A}$ cannot guess $MU$’s $I{D}_{MU}$ and $P{W}_{MU}$ even if $\mathcal{A}$ has obtained the user’s smart card. Therefore, our protocol can avoid user impersonation attack.

6.5. Session Key Security

After the bidirectional authentication, a session key $SK=h(g^{r_{MU}}\parallel g^{r_{FA}}\parallel g^{r_{MU}·r_{FA}})$ (we omit the modular exponential operations here) is shared between $MU$ and $FA$, which includes contributions from both $MU$ and $FA$. $SK$ is secure due to the intractability of the DLP; no adversary, even $HA$, can calculate the $SK$ without knowing $r_{MU}$ or $r_{FA}$. Besides, since $SK$ is independent of the master secret key x, it is still secure even though x is compromised. Therefore, the forward secrecy feature is achieved. Furthermore, the session key depends on the nonce generated by $MU$ and $FA$, which dynamically change with different sessions. Therefore, the compromise of one session key would not deduce the compromise of other session keys, and our protocol guarantees the feature of known-key secrecy.

6.6. Resist Insider Attack

In our protocol’s registration phase, the mobile user $MU$ submits $HP{W}_{MU}=h(P{W}_{MU}\parallel b)$ to $HA$ for registration. Even if the privileged insider gets the registration information $\{I{D}_{MU},HP{W}_{MU}\}$, he/she still cannot reveal $MU$’s real identity $I{D}_{MU}$ since it is hidden by the random number b. Therefore, our protocol resists insider attack.

6.7. Secure Session Key Update

Session key update is an important function for a mobile user if he/she wants to access the foreign network continuously. Our protocol allows $MU$ and $FA$ to generate securely a new session key based on their current session key. Since our key agreement mechanism is similar to the DHP, we have adjusted the mechanism to avoid the man-in-the-middle attack. $MU$ and $FA$ generate the new shares $R_{MU}$ and $R_{FA}$ and transmit the encrypted share $C_{MU}=E_{SK}(R_{MU}^{\prime })$ and $C_{FA}=E_{SK}(R_{FA}^{\prime })$ to each other. An adversary $\mathcal{A}$ cannot obtain their real shares without knowing the current session key $SK$, and our protocol allows the two parties to update their session key securely.

6.8. Comparison with Other Related Protocols

To demonstrate the robustness and advantages of our protocol, the features of our protocol and other relevant protocols [30,32] are compared in this section.

First, the function and security features of our protocol and the protocols in [30,32] are evaluated, and the result is shown in

Table 2. Comparison of security and function features.

	Protocol in [30]	Protocol in [32]	Our Protocol
Resist mobile device/smart card breach attack	√	×	√
Resist insider attack	√	√	√
Resist user impersonation attack	√	×	√
Resist stolen verifier attack	×	×	√
User anonymity	√	√	√
Local password change	×	√	√
Proper bidirectional authentication	√	×	√
Session key security	√	×	√
Forward secrecy	×	×	√
Session key update	×	×	√

√: satisfies the property ×: fails to satisfy the property.

. As can be seen from the table, both protocols in [30,32] failed to provide forward secrecy and session key update and were vulnerable to stolen verifier attack. Except for their common defects, the protocol in [30] cannot realize the function of local password change for a mobile user, while the protocol in [32] was also vulnerable to mobile device breach attack and user impersonation attack and cannot provide bidirectional authentication and session key security. Unlike the previous work, our protocol resisted all known attacks and provided some ideal functions. The fuzzy verifier technique resolved the contradiction of local password change and smart card breach attack. Besides, the modular exponential operation based on DLP guaranteed the security of session key. Therefore, our protocol was better than the related protocols on security and functions.

Next, we evaluate the computation complexity and the storage cost of our protocol and the protocols in [30,32]. In order to facilitate the description, let $T_h$, $T_{me}$, and $T_e$ represent the computation cost of a hash function, a modular exponential, and a symmetric encryption/decryption operation, respectively. To evaluate the computation cost, we used the computation costs for related cryptographic operations in [43] on platform Intel(R) T5870 2.00 GHz, which were $T_h=2.580\mathsf{\mu }$s, $T_{me}=10.257$ ms, and $T_e=2.012\mathsf{\mu }$s, respectively.

Table 3. Performance comparison.

	Protocol in [30]	Protocol in [32]	Our Protocol
$MU$’s computational cost	$9T_h+T_e+2T_{me}$	$4T_h$	$8T_h+2T_e+3T_{me}$
$FA$’s computational cost	$3T_h$	$T_h+2T_e$	$4T_h+2T_{me}$
$HA$’s computational cost	$9T_h+T_e+T_{me}$	$2T_h+2T_e+2T_{me}$	$6T_h+2T_e+T_{me}$
Total computational cost	$21T_h+2T_e+3T_{me}\approx 30.83$ ms	$7T_h+4T_e+2T_{me}\approx 20.54$ ms	$18T_h+4T_e+6T_{me}\approx 61.60$ ms
$MU$’s storage cost	4496 bits	2448 bits	3472 bits

shows the result of the performance comparison, from which we can see that our protocol just needed a few more modular exponential operations than the protocols in [30,32]. The total computational cost for a session of our protocol was about 61.6 ms, and it was also at a very efficient level. It was precisely because of these increased computational cost that our protocol surpassed other related work [30,32] in terms of security and function. Our protocol not only guaranteed the security of the session key, but also balanced the contradiction between local password change and stolen smart card attack. Therefore, the increased computational cost was worthwhile, and it enhanced the security of the protocol. Furthermore, we compared the $MU$ side’s storage cost of three protocols and omitted the storage cost of $HA$ and $FA$ since the servers both had adequate storage space. Compared with other protocols [30,32], the storage requirements of $MU$ in our protocol was somewhere in between, and it also can be seen in Table 3.

Finally, we evaluated the communication complexity of our protocol and the protocols in [30,32]. For comparison purposes, let $L_{ID}$, $L_h$, $L_r$, $L_T$, $L_S$, and $L_p$ represent the bit lengths of identity, hash function, random number, timestamps, symmetric cryptography, and large prime number, respectively, and we assumed they were 80 bits, 160 bits, 160 bits, 80 bits, 128 bits, and 1024 bits, respectively. We counted the communication cost of one session for the three protocols, and the comparison result is shown in

Table 4. Communication cost comparison (bits).

	Protocol in [30]	Protocol in [32]	Our Protocol
$MU$ to $FA$	$L_p+10L_s+T{L}_{+}{L}_{ID}=$ 2624 bits	$2L_{ID}+4L_p+2L_h=$ 4656 bits	$L_{ID}+L_h+L_p+2L_S$ = 1520 bits
$FA$ to $HA$	$2L_h+L_{ID}+L_r+2L_T+L_p+10L_s=$ 3024 bits	$L_{ID}+20L_s=$ 2640 bits	$2L_h+2L_p+2L_S$ = 2624 bits
$HA$ to $FA$	$3L_h+L_T=$ 560 bits	$2L_s=$ 256 bits	$L_h+10L_s$ = 1440 bits
$FA$ to $MU$	$L_h+L_r+L_T=$ 400 bits	$2L_h=$ 320 bits	$L_p+L_h+10L_s$ = 2464 bit
Total cost	6308 bits	7872 bits	8048 bits

. From the table, we can see that our protocol had a lesser increase in communication cost to achieve higher security.

7. Conclusions

This paper focused on the user authentication mechanism in GLOMONET. Firstly, some design and security weaknesses of the user authentication protocol in [32] were pointed out. Their protocol had a fatal flaw that some important information of the mobile user was transmitted via the public channel in plaintext, and it can be easily obtained by an adversary. Therefore, their protocol suffered from stolen verifier attack, user impersonate attack, session key compromise attack, and mobile device breach attack. Secondly, we proposed a novel user authentication protocol with strong security for GLOMONET. The use of the fuzzy verifier technique ensured that the proposed protocol resisted the smart card loss attack while achieving the feature of local password update. Besides, the proposal was based on the Diffie–Hellman Protocol (DHP) under the discrete logarithm, which not only ensured the security of session key, but also enabled our protocol to achieve the function of secure session key agreement. Compared with other relevant protocols, our protocol achieved a higher level of security with a small amount of increased computation and communication, and it was more suitable for the GLOMONET environment.