Zheng, Jun,Wang, Dongyun

DOI: https://doi.org/10.1109/ICITEC.2014.7105601

2014-01-01

Abstract:SIP (Session Initial Protocol) has been a very popular protocol for VoIP. However, the authentication of this protocol just derives from HTTP digest authentication, which has been demonstrated insecure in the open network. Recently, Arshad et al. proposed an improved mutual authentication scheme based on ECC and claimed that it's secure enough. In this paper, however, we point out that their protocol still could not resist offline password guessing attacks. Furthermore, we propose an ECC-based mutual authentication and key agreement scheme to overcome such a security problem. Also, an analysis of it is provided to indicate that compared to Arshad et al.'s scheme, this scheme reduces twice hash operation and is more secure with reasonable computation cost.

Debiao He,Jianhua Chen,Yitao Chen

DOI: https://doi.org/10.1002/sec.506

2011-01-01

Abstract:The session initiation protocol (SIP) is a powerful signaling protocol that controls communication on the Internet, establishing, maintaining, and terminating the sessions. The services that are enabled by SIP are equally applicable in the world of mobile and ubiquitous computing. In 2009, Tsai proposed an authenticated key agreement scheme as an enhancement to SIP. Very recently, Arshad et al. demonstrated that Tsai's scheme was vulnerable to offline password guessing attack and stolen-verifier attack. They also pointed that Tsai's scheme did not provide known-key secrecy and perfect forward secrecy. In order to overcome the weaknesses, Arshad et al. also proposed an improved mutual authentication scheme based on elliptic curve discrete logarithm problem for SIP and claimed that their scheme can withstand various attacks. In this paper, we do a cryptanalysis of Arshad et al.'s scheme and show that Arshad et al.'s scheme is vulnerable to the password guessing attack.

Saru Kumari,Marimuthu Karuppiah,Ashok Kumar Das,Xiong Li,Fan Wu,Vidushi Gupta

DOI: https://doi.org/10.1007/s12652-017-0460-1

IF: 3.662

2018-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:The session initiation protocol (SIP) is a signaling protocol which is used to controlling communication in the Internet. It is also used for initiating, terminating and maintaining the sessions. A strong authentication scheme plays a pivotal role in safeguarding communications over the Internet. In order to ensure the secure communication, several authentication schemes have been proposed for SIP in the literature. Recently, Lu et al. proposed an authentication scheme for SIP-based communications and proved that their scheme can resist various network attacks. In this paper, we show that their scheme is susceptible to the user and server impersonation attacks. Also, their scheme fails to achieve user anonymity and mutual authentication. Hence, there is a need to propose a secure ECC-based authentication scheme with user anonymity for SIP to overcome the shortcomings of Lu et al.’s scheme. Security analysis shows that the proposed scheme is able to fix the flaws found in Lu et al.’s scheme. In addition to informal security discussions, we give formal security analysis of the proposed scheme under the generic group model of cryptography. Performance analysis also shows that the proposed scheme is suitable for SIP based communication.

Zahid Mehmood,Gongliang Chen,Jianhua Li,Linsen Li,Bander Alzahrani

DOI: https://doi.org/10.1371/journal.pone.0186044

IF: 3.7

2017-01-01

PLoS ONE

Abstract:Over the past few years, Session Initiation Protocol ( SIP) is found as a substantial application-layer protocol for the multimedia services. It is extensively used for managing, altering, terminating and distributing the multimedia sessions. Authentication plays a pivotal role in SIP environment. Currently, Lu et al. presented an authentication protocol for SIP and profess that newly proposed protocol is protected against all the familiar attacks. However, the detailed analysis describes that the Lu et al.'s protocol is exposed against server masquerading attack and user's masquerading attack. Moreover, it also fails to protect the user's identity as well as it possesses incorrect login and authentication phase. In order to establish a suitable and efficient protocol, having ability to overcome all these discrepancies, a robust ECC-based novel mutual authentication mechanism with anonymity for SIP is presented in this manuscript. The improved protocol contains an explicit parameter for user to cope the issues of security and correctness and is found to be more secure and relatively effective to protect the user's privacy, user's masquerading and server masquerading as it is verified through the comprehensive formal and informal security analysis.

Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Qiong Pu,Jian Wang,Shuhua Wu

DOI: https://doi.org/10.1002/sec.568

IF: 1.968

2012-01-01

Security and Communication Networks

Abstract:ABSTRACTThe session initiation protocol (SIP) is the most widely used signaling protocol for creating, modifying, and terminating multimedia sessions in an Internet Protocol‐based telephony environment. Recently, Arshad et al. proposed an authentication scheme based on elliptic curve cryptosystems for SIP. In this paper, we first show that their scheme is vulnerable to the password‐guessing attack. Thereafter, we propose a new authentication and key agreement scheme for SIP, which is immune to the presented attacks. Our scheme achieves provable security and, yet, is efficient. Moreover, we also provide an extended scheme capable of protecting media stream's privacy even against SIP servers while supporting lawful interception, which is inevitably required for protecting the national security or for detecting the criminal evidence. Copyright © 2012 John Wiley & Sons, Ltd.

TANG Hong-bin,LIU Xin-song

DOI: https://doi.org/10.3724/SP.J.1087.2012.00468

2012-01-01

Journal of Computer Applications

Abstract:Session Initiation Protocol(SIP) provides authentication and session key agreement to ensure the security of the successive session.In 2010,Yoon et al.(YOON E-J,YOO K-Y.A three-factor authenticated key agreement scheme for SIP on elliptic curves.NSS '10: 4th International Conference on Network and System Security.Piscataway: IEEE,2010: 334-339.) proposed a three-factor authenticated key agreement scheme named TAKA_SIP for SIP.However,the scheme is vulnerable to insider attack,server-spoofing attack,off-line password attack,and losing token attack.Moreover,it does not provide mutual authentication.To overcome these flaws of TAKA_SIP,a new three-factor authentication scheme named ETAKA_SIP based on Elliptic Curve Cryptosystem(ECC) was proposed.ETAKA_SIP,on the basis of elliptic curve discrete logarithm problem,provides higher security than TAKA_SIP.It needs 7 elliptic curve scalar multiplication operations,1 additional operation and up to 6 Hash operations,and of high efficiency.

Dongqing Xu,Shu Zhang,Jianhua Chen,Mimi Ma

DOI: https://doi.org/10.1007/s12083-017-0583-3

IF: 3.488

2017-01-01

Peer-to-Peer Networking and Applications

Abstract:Recently, Lu et al. and Chaudhry et al. presented an authenticated key agreement scheme for session initiation protocol (SIP), respectively. They illustrated their schemes are secure against various familiar attacks. However, we demonstrate Lu et al.'s scheme is vulnerable to stolen verifier attack and Chaudhry et al.'s scheme is insecure to session key attack. To solve these problems, we propose a new provably secure mutual authentication scheme for SIP. Informal security analysis illustrates this proposed protocol can withstand different kinds of familiar attacks including stolen verifier attack and session key attack. And the correctness and security of the proposed protocol is also proved through Protocol Composition Logic (PCL) and generic group model. Eventually, security comparison shows our proposed scheme is more secure and performance analysis demonstrates the computation cost is also acceptable.

Sravani Challa,Ashok Kumar Das,Saru Kumari,Vanga Odelu,Fan Wu,Xiong Li

DOI: https://doi.org/10.1002/sec.1707

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Session initiation protocol (SIP) is a widely used authentication protocol for the Voice over IP communications. Over the years, several protocols have been proposed in the literature to strengthen the security of SIP. In this paper, we present an efficient elliptic curve cryptography (ECC)-based provably secure three-factor authentication and session key agreement scheme for SIP, which uses the identity, password, and personal biometrics of a user as three factors. Our scheme aims to resolve the security weaknesses and drawbacks in existing SIP authentication protocols. In addition, our scheme supports password and biometric update phase without involving the server and the user mobile device revocation phase in case the mobile device is lost/stolen. Formal security analysis under the standard model and the broadly accepted Burrows–Abadi–Needham logic ensures that the proposed scheme can withstand several known security attacks. The proposed scheme has also been analyzed informally. Simulation for formal security verification using the widely known automated validation of internet security protocols and applications tool shows the replay, and the man-in-the-middle attacks are protected by the scheme. High security and low communication and computation costs make the proposed scheme more suitable for practical application as compared with other existing related ECC-based schemes. Copyright © 2016 John Wiley & Sons, Ltd.

Yuting Feng,Feng Xiong,Wenchao Huang,Yan Xiong

DOI: https://doi.org/10.1109/bigcom53800.2021.00005

2021-01-01

Abstract:The Internet Engineering Task Force (IETF) proposed the Session Initiation Protocol (SIP) as the IP-based telephony protocol. With the widespread application of the Voice over IP (VoIP) on Internet, Security problems of SIP have received a lot of attention of researchers and the authentication mechanism in SIP is becoming increasingly important. Many studies reveal that the initial version of SIP specification suffers malicious attacks. To improve the security of the authentication mechanism in SIP, amendments and supplements are expressed over years. Researches on the previous specification have been carried out and some attacks are found, such as replay attack, online dictionary attack, man in the middle attack, etc. However, there is currently a lack of security analysis to the fresh security mechanisms of SIP. In this paper, we accommodate such a requirement by analyzing the security properties of SIP Digest Access Authentication Scheme adopting a formal protocol analysis tool SPAN. The authentication scheme is modeled in the validator according to two practical scenarios. With the two back-ends of SPAN, the two models of authentication scheme are verified both as safe. This result confirms that the supplemented version of SIP authentication mechanism is more reliable.

Shehzad Ashraf Chaudhry,Husnain Naqvi,Muhammad Sher,Mohammad Sabzinejad Farash,Mahmood Ul Hassan

DOI: https://doi.org/10.1007/s12083-015-0400-9

2015-09-07

Abstract:Session Initiation Protocol (SIP) has proved to be the integral part and parcel of any multimedia based application or IP-based telephony service that requires signaling. SIP supports HTTP digest based authentication, and is responsible for creating, maintaining and terminating sessions. To guarantee secure SIP based communication, a number of authentication schemes are proposed, typically most of these are based on smart card due to its temper resistance property. Recently Zhang et al. presented an authenticated key agreement scheme for SIP based on elliptic curve cryptography. However Tu et al. (Peer to Peer Netw. Appl 1–8, 2014) finds their scheme to be insecure against user impersonation attack, furthermore they presented an improved scheme and claimed it to be secure against all known attacks. Very recently Farash (Peer to Peer Netw. Appl 1–10, 2014) points out that Tu et al.’s scheme is vulnerable to server impersonation attack, Farash also proposed an improvement on Tu et al.’s scheme. However, our analysis in this paper shows that Tu et al.’s scheme is insecure against server impersonation attack. Further both Tu et al.’s scheme and Farash’s improvement do not protect user’s privacy and are vulnerable to replay and denial of services attacks. In order to cope with these limitations, we have proposed a privacy preserving improved authentication scheme based on ECC. The proposed scheme provides mutual authentication as well as resists all known attacks as mentioned by Tu et al. and Farash.

computer science, information systems,telecommunications

Junsong Zhang,Jian Ma,Xiong Li,Wendong Wang

DOI: https://doi.org/10.3837/tiis.2014.08.021

2014-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid growth of the communication technology, intelligent terminals (i.e. PDAs and smartphones) are widely used in many mobile applications. To provide secure communication in mobile environment, in recent years, many user authentication schemes have been proposed. However, most of these authentication schemes suffer from various attacks and cannot provide provable security. In this paper, we propose a novel remote user mutual authentication scheme for multi-server environments using elliptic curve cryptography (ECC). Unlike other ECC-based schemes, the proposed scheme uses ECC in combination with a secure hash function to protect the secure communication among the users, the servers and the registration center (RC). Through this method, the proposed scheme requires less ECC-based operations than the related schemes, and makes it possible to significantly reduce the computational cost. Security and performance analyses demonstrate that the proposed scheme can solve various types of security problems and can meet the requirements of computational complexity for low-power mobile devices.

Liang Ni,Gongliang Chen,Jianhua Li

DOI: https://doi.org/10.1109/ncis.2011.49

2011-01-01

Abstract:The session initiation protocol (SIP) is widely used as a signaling protocol based on the challenge-response exchange mode for handling multimedia sessions in both wire line and wireless world. The original authentication mechanism of SIP is HTTP digest based authentication, which is vulnerable to many forms of known attacks and therefore can not provide security at an acceptable level. In this paper, we propose an identity-based authenticated key agreement mechanism which can be used in SIP to solve the security problems existing in its original authentication procedure. The proposed scheme uses Elliptic Curve Cryptography and does not require expensive bilinear pairing operations, which makes it computationally much more efficient than previous identity-based and Certificateless schemes using pairings. We show the security of our proposal under the Canetti-Krawczky model. Our scheme captures many desirable security properties and can prevent various possible attacks induced by open networks and the standard of SIP message. Furthermore, through introducing some design ideas from Certificateless cryptography, our proposal avoids not only the requirement of a large Public Key Infrastructure but also key escrow problem.

Zahid Mehmood,Gongliang Chen,Jianhua Li,Aiiad Albeshri

DOI: https://doi.org/10.3837/tiis.2017.03.027

2017-01-01

Abstract:Recent evolution in the open access internet technology demands that the identifying information of a user must be protected. Authentication is a prerequisite to ensure the protection of user identification. To improve Qu et al.' s scheme for remote user authentication, a recent proposal has been published by Huang et al., which presents a key agreement protocol in combination with ECC. It has been claimed that Huang et al. proposal is more robust and provides improved security. However, in the light of our experiment, it has been observed that Huang et al.' s proposal is breakable in case of user impersonation. Moreover, this paper presents an improved scheme to overcome the limitations of Huang et al.' s scheme. Security of the proposed scheme is evaluated using the well-known random oracle model. In comparison with Huang et al.' s protocol, the proposed scheme is lightweight with improved security.

Saru Kumari,Fan Wu,Xiong Li,Mohammad Sabzinejad Farash,Qi Jiang,Muhammad Khurram Khan,Ashok Kumar Das

DOI: https://doi.org/10.1007/s11042-015-2988-4

IF: 2.577

2015-01-01

Multimedia Tools and Applications

Abstract:In recent years, Voice over Internet Protocol (VoIP) has gained more and more popularity as an application of the Internet technology. For various IP applications including VoIP, the topic of Session Initiation Protocol (SIP) has attracted major concern from researchers. SIP is an advanced signaling protocol operating on Internet Telephony. SIP uses digest authentication protocols such as Simple Mail Transport Protocol (SMTP) and Hyper Text Transport Protocol (HTTP). When a user seeks SIP services, authentication plays an important role in providing secure access to the server only to the authorized access seekers. Being an insecure-channel-based protocol, a SIP authentication protocol is susceptible to adversarial threats. Therefore, security is a big concern in SIP authentication mechanisms. This paper reveals the security vulnerabilities of two recently proposed SIP authentication schemes for VoIP, Irshad et al.'s scheme [Multimed. Tools. Appl. doi:10.1007/s11042-013-1807-z] and Arshad and Nikooghadam's scheme [Multimed. Tools. Appl. DOI 10.1007/s11042-014-2282-x], the later scheme is based on the former scheme. Irshad et al.'s scheme suffers from password guessing, user impersonation and server spoofing attacks. Arshad and Nikooghadam's scheme can be threatened with server spoofing and stolen verifier attack. None of these two schemes achieve mutual authentication. It also fails to follow the single round-trip authentication design of Irshad et al.'s scheme. To overcome these weaknesses, we propose a provable secure single round-trip SIP authentication scheme for VoIP using smart card. We formally prove the security of the scheme in random oracle and demonstrate through discussion its resistance to various attacks. The comparative analysis shows that the proposed SIP authentication scheme offers superior performance with a little extra computational cost.

Azeem Irshad,Saru Kumari,Xiong Li,Fan Wu,Shehzad Ashraf Chaudhry,Hamed Arshad

DOI: https://doi.org/10.1007/s11277-017-4601-9

IF: 2.017

2017-01-01

Wireless Personal Communications

Abstract:The Session Initiation Protocol (SIP) provides a way to control the wired and wireless Voice over Internet Protocol-based communication over an insecure channel. The SIP protocol is not secure due to relying on an intrinsically open text-based communication, which further stresses the strengthening of SIP authentication protocols. Many solutions have been put forward in the last few years to design the secure and efficient SIP authentication protocols for multimedia. Recently, Zhang et al. proposed a SIP authentication protocol with an enhanced feature that enables the server authenticate the users on the basis of biometric verification. However, after a careful observation, one can witness few limitations regarding privileged insider attack, session specific temporary attack, De-synchronization attack; denial-of-service attack, inefficient password modification and lack forward secrecy compromise. We have proposed a secure scheme countering the identified flaws of Zhang et al. and other contemporary schemes. We also demonstrate the security strength of proposed scheme by employing the formal security analysis under BAN logic.

Wu,Kan,Gong,Peng,Wang,Jiantao,Yan,Xiaopeng,Li,Ping

2013-01-01

Romanian journal of information science and technology

Abstract:The authenticated key agreement protocol is an important security protocol for the session initiation protocol, which allows the and the server to authenticate each other and generate a shared session key for privacy, integrity, and non-repudiation in their communications. Recently, Zhang et al. proposed a new authenticated key agreement protocol for the session initiation protocol using smart card and claimed their protocol was secure against various attacks. However, we found that Zhang et al.'s protocol cannot withstand the user impersonation attack, i. e., a malicious user could impersonate any other user to the server. We also propose a new authenticated key agreement protocol using smart card for SIP which is immune to the presented attack. Besides, the proposed protocol also has better performance than Zhang et al.'s protocol.

Tao CUI,Qiang GAO,Bao HE

DOI: https://doi.org/10.3969/j.issn.0258-7998.2008.09.043

2008-01-01

Abstract:In this paper,a lightweight mutual authentication scheme based on improved HTTP Digest authentication was proposed to provide per-hop authentication and end-to-end user authentication.The proposed scheme can protect from many threats such as identity spoofing and Denial-of-Service(DOS)attacks.

Liu Yongliang,Gao Wen,Yao Hongxun,Huang Tiejun

DOI: https://doi.org/10.1360/crad20061207

2006-01-01

Journal of Computer Research and Development

Abstract:Recently, Aydos et al. proposed an ECC-based wireless authentication protocol. Because their protocol is based on ECC, the protocol has significant advantage including lower computational burden, lower communication bandwidth and storage requirements. However, Mangipudi et al showed that the protocol is vulnerable to the man-in-the-middle attack from the attacker within the system and proposed a user authentication protocol to prevent the attack. This paper further shows that Aydos et al.'s protocol is vulnerable to man-in-the-middle attack from any attacker not restricted on the inside attacker. Then, a forging certificate attack on Mangipudi et al's protocol is presented. Next, the reasons that Aydos et al's protocol and Mangipudi et al's protocol suffer the attacks are analyzed. Finally, we propose a novel ECC-based wireless authentication protocol and analyze the security of our protocol.