Security analysis and improvement of two authentication and key agreement schemes for session initiation protocol

Authentication is an important security requirement for the session initiation protocol (SIP). The conventional authentication method for SIP is HTTP Digest authentication, which is insecure against several attacks. Hence, several authentication schemes have been proposed for SIP. Most recently, Jiang et al. and Yeh et al. proposed two separate authentication and key agreement schemes for SIP using smart cards. The present paper shows that Jiang et al.’s scheme is vulnerable to user impersonation attacks, and that Yeh et al.’s scheme is insecure against offline password guessing attacks and does not provide perfect forward secrecy. To overcome these drawbacks, this paper proposes a new two-factor authentication and key agreement scheme for SIP. Security and performance analyses show that the proposed scheme not only enhances security but also improves efficiency.
