An Enhanced Secure Delegation-based Anonymous Authentication Protocol for PCSs

Summary — The rapid development of wireless networks brings many security problems to Portable Communication Systems (PCSs), which give mobile users the opportunity to enjoy global roaming services. Designing a secure user authentication scheme, especially one that recognizes legitimate roaming users, is therefore a challenging task. We note that no existing delegation-based protocol for PCSs guarantees anonymity, untraceability, perfect forward secrecy and resistance to Denial of Service (DoS) attacks at the same time. In this article we therefore put forward a novel delegation-based anonymous and untraceable authentication protocol that resolves all of the above security issues and hence offers a solution for secure communication in PCSs.

to resolve all the security issues existing in other delegation-based protocols and can even offer a secure and expeditious PCS with lower computation and communication costs.
The remainder of this article is organized as follows. In Section 2, we pinpoint the weaknesses of the protocol proposed in [9]. Thereafter, we present our proposed scheme in Section 3, whose security and performance are analyzed in Section 4 and Section 5, respectively. Finally, concluding remarks are given in Section 6. The abbreviations and cryptographic functions used in this article are defined in Table 1.

SECURITY WEAKNESSES IN [9]
In this section, we present several weaknesses of C.C. Lee et al.'s protocol in [9] (shown in Fig. 1), which raise real security concerns in wireless communication systems.

Vulnerable to DoS Attacks
A DoS attack [10][11] is a serious concern, which may occur owing to the loss of synchronization between the MU and the HA.
This can happen if the last authentic response message sent by the VLR is intercepted by an adversary, so that the MU does not receive the message within the specified time period. Unfortunately, C.C. Lee [3][4] property, [12] that means a conspiracy of all the visited domains may make it possible to identify the movements of the user. Therefore, C.C. Lee et al.'s protocol cannot ensure the untraceability property, which is of great importance for the privacy of the mobile user.

No Perfect Forward Secrecy
Perfect forward secrecy [13] is a security requirement for network systems. In general, a protocol that provides perfect forward secrecy (PFS) prevents an adversary from learning any previous session keys, even when the long-term secret keying material is compromised. However, we found that C.C. Lee et al.'s protocol for PCSs fails to provide PFS. In C.C. Lee et al.'s delegation-based protocol, once the secret key pair (K, ) is disclosed, all the previous session keys established by executing the "On-line Authentication Phase" are exposed. Precisely, an adversary can learn the previous session keys if the home agent is compromised, since the adversary may then acquire the secret key pair (K, ) and/or the shared secret key . Therefore, the session key in this scheme is not secure. In fact, W.B. Lee and Yeh's scheme [5] and T. F. Lee et al.'s scheme [6] also fail to ensure PFS.

Vulnerable to Side Channel Attacks
In practice, it is possible to read sensitive information from a SIM card by executing side channel attacks [14], and that information can be used to break the whole system. Hence, it is highly desirable to use countermeasures for securing the secret values stored in the SIM card. However, developers sometimes omit such countermeasures because of their production cost. In that case, the best alternative is to protect the remaining, uncompromised SIM cards by limiting the damage caused by the revelation of sensitive information from one of them. Unfortunately, C.C. Lee et al.'s delegation-based protocol can be entirely broken, since an adversary can always recover the key pair , the latest temporary identity of the MU, i.e. , and even the latest hash chain values together with the session key from the SIM card. Once the adversary obtains these parameters, he/she can easily impersonate the MU, which is a serious threat to the privacy of the mobile user. A similar problem exists in [5][6][7][8][9].

PROPOSED PROTOCOL
To mitigate the security and functionality issues in the existing solutions, in this article we design a novel authentication protocol for PCSs. The notation is explained in Table 1. Our protocol consists of three phases. In Phase I, a MU registers with a HLR, and the HLR then issues a smartcard to the MU. Phase II, the on-line authentication phase, is executed when a MU roams into a foreign network to obtain ubiquitous services; in this situation the VLR authenticates the MU with the support of the HLR. Phase III, the off-line authentication phase, is executed when a MU roams into a foreign network and the current VLR authenticates the MU without any help from the HLR. The design goals of our protocol can be summarized as follows:
• It provides mutual authentication;
• It ensures user anonymity together with resistance to DoS attacks;
• It provides privacy against eavesdroppers (PAE);
• It resists different attacks and provides forward/backward secrecy;
• It offers perfect forward secrecy;
• It has low computation and communication costs.

Step 2 After receiving , the VLR selects a random number and then encrypts by using its own key, i.e., . Hereafter, the MU computes and then sends the authentication message to the HLR with which the MU registered earlier, so that it can verify the legitimacy of the MU.
Step 3 pair of is delivered with the message , the MU also receives a new shared key as . The MU then computes as and stores it for future communication. If any of the verifications described above fails, this phase is terminated. If all the verifications succeed, then mutual authentication between the MU and the VLR has been performed correctly and a secure session key SK has been established between them. This phase is further depicted in Fig. 2.

C. Phase III: Off-line Authentication Phase
This phase is similar to the protocol proposed in [6], except that in our protocol only the VLR maintains the temporary identity for the MU. Therefore, unlike the protocol in [6], the VLR in our protocol does not send any temporary identity to the HLR. This phase can be described as follows.

Step 2 Upon receiving , the MU obtains by decrypting using the session key, and subsequently updates the smartcard with the new temporary identity for the next communication.

SECURITY EVALUATION
In this section, we analyze our protocol to show that it holds different security properties and functionality requirements to offer a secure and flexible authentication environment for PCSs.

a. Mutual Authentication
In our protocol, the HLR authenticates the MU by examining and in the request message . Only a legal MU can construct a valid request in the message . In addition, if the synchronization between the MU and the VLR is lost for any reason, the HLR authenticates the MU by using the unused pseudo identity in and by checking whether is equal to . Furthermore, the MU examines the authenticity of the HLR by checking whether is equal to . The HLR authenticates the VLR by verifying ; similarly, the VLR authenticates the HLR by using , which must be equal to . From the above discussion, it follows that our authentication protocol for PCSs achieves mutual authentication.

b. PAE with User Anonymity and Untraceability
Based on the literature, user anonymity falls into two categories: weak anonymity and strong anonymity. In the weak case, an adversary cannot learn the real identities of the mobile users, but can still trace them by their temporary identities. In the strong case, the adversary should also be unable to trace an entity by using the temporary identities it used in different sessions. The existing standard 3G UMTS [3] cannot ensure anonymity during authentication since, when the current VLR refuses to accept the Temporary Mobile Subscriber Identity (TMSI) of the MU, it forces him/her to provide the International Mobile Subscriber Identity (IMSI), which reveals the real identity of the MU to the VLR. In our proposed delegation-based protocol, we utilize the concept of a one-time alias identity , which is different in each transaction. No one except the HLR knows the mobile user's real identity . Furthermore, even if the MU visits a VLR multiple times, the VLR is still unable to identify the mobile user. In this way, we ensure user anonymity along with PAE [13] support in our proposed scheme.

c. Perfect Forward Secrecy (PFS)
In our proposed scheme, we accomplish PFS by regularly updating the shared secrets and . At the end of each transaction, these keys are updated using the hash function. If either secret key is compromised, the one-way property of the hash function means that the adversary cannot acquire from , nor from . Accordingly, our protocol achieves PFS of the session key [14][15] and thereby guarantees the secrecy of old session keys.
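As an added illustration, not code from the paper, the following Python model contrasts the static-key derivation criticized in Section 2 with the hash-chain update described above; it assumes SHA-256 as the one-way hash and HMAC-SHA256 as the session-key derivation, and the paper's own symbols and message formats are not reproduced.

```python
import hashlib
import hmac

def h(*parts: bytes) -> bytes:
    """One-way hash (SHA-256) standing in for the paper's hash function."""
    return hashlib.sha256(b"".join(parts)).digest()

def session_key(secret: bytes, nonce: bytes) -> bytes:
    """Session key of one transaction, bound to the current shared secret and a public nonce.
    (Illustrative derivation; the paper's exact formula is not reproduced.)"""
    return hmac.new(secret, b"SK" + nonce, hashlib.sha256).digest()

def ratchet(secret: bytes) -> bytes:
    """End-of-transaction update: the shared secret is replaced by a hash of itself."""
    return h(b"update", secret)

def run_static(long_term: bytes, nonces: list) -> list:
    """Static model: every session key is derived from the same never-changing secret."""
    return [session_key(long_term, n) for n in nonces]

def run_ratcheted(initial: bytes, nonces: list) -> tuple:
    """Hash-chain model: derive a key, then hash the secret forward.
    Returns (session keys, the secret in use at each transaction)."""
    secret, keys, secrets = initial, [], []
    for n in nonces:
        secrets.append(secret)
        keys.append(session_key(secret, n))
        secret = ratchet(secret)
    return keys, secrets

def keys_recoverable(compromised: bytes, nonces: list, keys: list, ratcheted: bool) -> list:
    """Indices of the transactions whose session key an adversary can recompute from a
    compromised secret plus the public nonces. With ratcheting the adversary can only
    hash forward, so secrets (and keys) from before the compromise stay out of reach."""
    reachable = [compromised]
    if ratcheted:
        for _ in range(len(nonces) - 1):
            reachable.append(ratchet(reachable[-1]))
    return [i for i, n in enumerate(nonces)
            if any(session_key(s, n) == keys[i] for s in reachable)]

if __name__ == "__main__":
    nonces = [b"n0", b"n1", b"n2", b"n3"]          # constructed public nonces
    static_keys = run_static(b"long-term-K", nonces)
    print("static, long-term key leaked:", keys_recoverable(b"long-term-K", nonces, static_keys, False))
    keys, secrets = run_ratcheted(b"initial-secret", nonces)
    print("ratcheted, secret of transaction 2 leaked:", keys_recoverable(secrets[2], nonces, keys, True))
```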

d. Resistance to DoS Attack
Any loss of synchronization between the MU and the HLR may lead to DoS attacks [10][11][12]. One way to detect a DoS attack is to check whether the response message has been received within a maximum round-trip time. To deal with this attack, we utilize the concept of unlinkable pseudo-IDs and emergency key pairs . The adversary may also try to destroy unlinkability by continuously listening on the communication medium and interrupting connections. This is a trade-off in wireless communications, and this kind of failure can be reduced to a lower limit by updating the emergency keys and the transaction sequence numbers. If all the pairs have already been used, the HLR must hand over a new set of pseudo-identity and emergency key pairs to the MU via a secure channel.

e. Insider Attack
For convenience, a user often selects the same password for accessing different application servers. If a privileged insider of the HLR learns the password of the MU, she/he may try to impersonate the MU at other application servers where the same mobile user is registered. To deal with this attack, the MU in our protocol does not submit her/his password to the HLR during registration, so a privileged insider of the HLR cannot obtain the password of the MU. Therefore, our protocol prevents insider attacks.

f. Security Assurance in Case of Lost Smartcard
In general, when a smartcard is lost or stolen, the secret parameters stored in it can be obtained through sophisticated side channel attacks [16]. In our protocol, if the smartcard of a MU is lost or stolen, the attacker does not find and of the MU. Furthermore, the adversary cannot calculate the secrets or and without knowing and . Therefore, our protocol resists the lost-smartcard attack.

COMPARATIVE ANALYSIS
The main intention behind designing a new protocol is to eliminate the security and privacy threats found in the existing authentication protocols for PCSs and to assure lower communication and computation costs. Therefore, we compared our protocol with several contemporary protocols in [5,6,8,9] to provide a clear view of its merits. To reflect the security and functionality benefits, we compared our delegation-based authentication protocol for PCSs with the related protocols in [5,6,8,9]; the comparative result is presented in Table II. Table II demonstrates that the required functionality and security attributes are all integrated into the proposed protocol, whereas the other existing protocols lack some of these properties. Even though all the delegation-based authentication protocols in [5,6,8,9] ensure "mutual authentication", they fail to achieve other essential functionality and security attributes including "user anonymity", "robustness against insider attacks", "robustness against side-channel attacks", "perfect forward secrecy" and "resistance to DoS attacks", which are deeply important for secure roaming services in PCSs.