Cryptanalysis of smart‐card‐based password authenticated key agreement protocol for session initiation protocol of Zhang et al.

As the core signaling protocol for multimedia services, such as voice over internet protocol, the session initiation protocol SIP is receiving much attention and its security is becoming increasingly important. It is critical to develop a roust user authentication protocol for SIP. The original authentication protocol is not strong enough to provide acceptable security level, and a number of authentication protocols have been proposed to strengthen the security. Recently, Zhang et al. proposed an efficient and flexible smart-card-based password authenticated key agreement protocol for SIP. They claimed that the protocol enjoys many unique properties and can withstand various attacks. However, we demonstrate that the scheme by Zhang et al. is insecure against the malicious insider impersonation attack. Specifically, a malicious user can impersonate other users registered with the same server. We also proposed an effective fix to remedy the flaw, which remedies the security flaw without sacrificing the efficiency. The lesson learned is that the authenticators must be closely coupled with the identity, and we should prevent the identity from being separated from the authenticators in the future design of two-factor authentication protocols. Copyright © 2014 John Wiley & Sons, Ltd.

[1]  Jia Lun Tsai Efficient Nonce-based Authentication Scheme for Session Initiation Protocol , 2009, Int. J. Netw. Secur..

[2]  Xinsong Liu,et al.  Cryptanalysis of Arshad et al.’s ECC-based mutual authentication scheme for session initiation protocol , 2012, Multimedia Tools and Applications.

[3]  Zhihua Cai,et al.  Efficient and flexible password authenticated key agreement for Voice over Internet Protocol Session Initiation Protocol using smart card , 2014, Int. J. Commun. Syst..

[4]  Tugrul Yanik,et al.  A Survey of SIP Authentication and Key Agreement Schemes , 2014, IEEE Communications Surveys & Tutorials.

[5]  Fei Kang,et al.  Practical authentication scheme for SIP , 2013, Peer Peer Netw. Appl..

[6]  Debiao He,et al.  Security Flaws in a Smart Card Based Authentication Scheme for Multi-server Environment , 2012, Wireless Personal Communications.

[7]  Mark Handley,et al.  SIP: Session Initiation Protocol , 1999, RFC.

[8]  Hsiao-Hwa Chen,et al.  A secure and efficient SIP authentication scheme for converged VoIP networks , 2010, Comput. Commun..

[9]  Shehzad Ashraf Chaudhry,et al.  A secure authentication scheme for session initiation protocol by using ECC on the basis of the Tang and Liu scheme , 2014, Secur. Commun. Networks.

[10]  Chunguang Ma,et al.  Security flaws in two improved remote user authentication schemes using smart cards , 2014, Int. J. Commun. Syst..

[11]  Ronggong Song Advanced smart card based password authentication protocol , 2010, Comput. Stand. Interfaces.

[12]  Lih-Chyau Wuu,et al.  Robust smart‐card‐based remote user password authentication scheme , 2014, Int. J. Commun. Syst..

[13]  Henning Schulzrinne,et al.  The impact of TLS on SIP server performance , 2012, IEEE/ACM Trans. Netw..

[14]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[15]  Lawrence C. Stewart,et al.  HTTP Authentication: Basic and Digest Access Authentication , 1999 .

[16]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[17]  Jianhua Chen,et al.  A secure mutual authentication scheme for session initiation protocol using elliptic curve cryptography , 2012, Secur. Commun. Networks.

[18]  Chou Chen Yang,et al.  Secure authentication scheme for session initiation protocol , 2005, Comput. Secur..

[19]  Qi Xie A new authenticated key agreement for session initiation protocol , 2012, Int. J. Commun. Syst..

[20]  Nassar Ikram,et al.  Elliptic curve cryptography based mutual authentication scheme for session initiation protocol , 2011, Multimedia Tools and Applications.

[21]  Jianfeng Ma,et al.  An Enhanced Authentication Scheme with Privacy Preservation for Roaming Service in Global Mobility Networks , 2012, Wireless Personal Communications.

[22]  Yingjiu Li,et al.  Cryptanalysis of Hsiang-Shih's authentication scheme for multi-server architecture , 2011, Int. J. Commun. Syst..

[23]  Angelos D. Keromytis,et al.  A Comprehensive Survey of Voice over IP Security Research , 2012, IEEE Communications Surveys & Tutorials.

[24]  Qiong Pu,et al.  An Enhanced Authentication Scheme with Anonymity for Roaming Service in Global Mobility Networks , 2010, 2010 Second International Conference on Multimedia and Information Technology.

[25]  Cheng-Chi Lee,et al.  Mobile device integration of a fingerprint biometric remote authentication scheme , 2012, Int. J. Commun. Syst..

[26]  Jianfeng Ma,et al.  Improvement of robust smart‐card‐based password authentication scheme , 2015, Int. J. Commun. Syst..

[27]  Yong-Nyuo Shin,et al.  Robust Mutual Authentication with a Key Agreement Scheme for the Session Initiation Protocol , 2010 .

[28]  Yuqing Zhang,et al.  A new provably secure authentication and key agreement protocol for SIP using ECC , 2009, Comput. Stand. Interfaces.