Hongbin Tang,Xinsong Liu

DOI: https://doi.org/10.1007/s11042-012-1001-8

IF: 2.577

2012-01-01

Multimedia Tools and Applications

Abstract:Session Initiation Protocol (SIP) has been widely used in the current Internet protocols such as Hyper Text Transport Protocol (HTTP) and Simple Mail Transport Protocol (SMTP). However, the original SIP authentication scheme was insecure and many researchers tried to propose schemes to overcome the flaws. In the year 2011, Arshad et al. proposed a SIP authentication protocol using elliptic curve cryptography (ECC), but their scheme suffered from off-line password guessing attack along with password change pitfalls. To conquer the mentioned weakness, we proposed an ECC-based authentication scheme for SIP. Our scheme only needs to compute four elliptic curve scale multiplications and two hash-to-point operations, and maintains high efficiency. The analysis of security of the ECC-based protocol shows that our scheme is suitable for the applications with higher security requirement.

Debiao He,Jianhua Chen,Yitao Chen

DOI: https://doi.org/10.1002/sec.506

2011-01-01

Abstract:The session initiation protocol (SIP) is a powerful signaling protocol that controls communication on the Internet, establishing, maintaining, and terminating the sessions. The services that are enabled by SIP are equally applicable in the world of mobile and ubiquitous computing. In 2009, Tsai proposed an authenticated key agreement scheme as an enhancement to SIP. Very recently, Arshad et al. demonstrated that Tsai's scheme was vulnerable to offline password guessing attack and stolen-verifier attack. They also pointed that Tsai's scheme did not provide known-key secrecy and perfect forward secrecy. In order to overcome the weaknesses, Arshad et al. also proposed an improved mutual authentication scheme based on elliptic curve discrete logarithm problem for SIP and claimed that their scheme can withstand various attacks. In this paper, we do a cryptanalysis of Arshad et al.'s scheme and show that Arshad et al.'s scheme is vulnerable to the password guessing attack.

CQ Li,S Li,D Zhang,G Chen

DOI: https://doi.org/10.1049/ip-vis:20045234

2006-01-01

IEE Proceedings - Vision Image and Signal Processing

Abstract:A voice-over-Internet protocol technique with a new hierarchical data security protection (HDSP) scheme using a secret chaotic bit sequence has been recently proposed. Some insecure properties of the HDSP scheme are pointed out and then used to develop known/chosen-plaintext attacks. The main findings are: given n known plaintexts, about (100 - (50/2(n)))% of secret chaotic bits can be uniquely determined; given only one specially-chosen plaintext, all secret chaotic bits can be uniquely derived; and the secret key can be derived with practically small computational complexity when only one plaintext is known (or chosen). These facts reveal that HDSP is very weak against known/chosen-plaintext attacks. Experiments are given to show the feasibility of the proposed attacks. It is also found that the security of HDSP against the brute-force attack is not practically strong. Some countermeasures are discussed for enhancing the security of HDSP and several basic principles are suggested for the design of a secure encryption scheme.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Qiong Pu,Jian Wang,Shuhua Wu

DOI: https://doi.org/10.1002/sec.568

IF: 1.968

2012-01-01

Security and Communication Networks

Abstract:ABSTRACTThe session initiation protocol (SIP) is the most widely used signaling protocol for creating, modifying, and terminating multimedia sessions in an Internet Protocol‐based telephony environment. Recently, Arshad et al. proposed an authentication scheme based on elliptic curve cryptosystems for SIP. In this paper, we first show that their scheme is vulnerable to the password‐guessing attack. Thereafter, we propose a new authentication and key agreement scheme for SIP, which is immune to the presented attacks. Our scheme achieves provable security and, yet, is efficient. Moreover, we also provide an extended scheme capable of protecting media stream's privacy even against SIP servers while supporting lawful interception, which is inevitably required for protecting the national security or for detecting the criminal evidence. Copyright © 2012 John Wiley & Sons, Ltd.

Shehzad Ashraf Chaudhry,Husnain Naqvi,Muhammad Sher,Mohammad Sabzinejad Farash,Mahmood Ul Hassan

DOI: https://doi.org/10.1007/s12083-015-0400-9

2015-09-07

Abstract:Session Initiation Protocol (SIP) has proved to be the integral part and parcel of any multimedia based application or IP-based telephony service that requires signaling. SIP supports HTTP digest based authentication, and is responsible for creating, maintaining and terminating sessions. To guarantee secure SIP based communication, a number of authentication schemes are proposed, typically most of these are based on smart card due to its temper resistance property. Recently Zhang et al. presented an authenticated key agreement scheme for SIP based on elliptic curve cryptography. However Tu et al. (Peer to Peer Netw. Appl 1–8, 2014) finds their scheme to be insecure against user impersonation attack, furthermore they presented an improved scheme and claimed it to be secure against all known attacks. Very recently Farash (Peer to Peer Netw. Appl 1–10, 2014) points out that Tu et al.’s scheme is vulnerable to server impersonation attack, Farash also proposed an improvement on Tu et al.’s scheme. However, our analysis in this paper shows that Tu et al.’s scheme is insecure against server impersonation attack. Further both Tu et al.’s scheme and Farash’s improvement do not protect user’s privacy and are vulnerable to replay and denial of services attacks. In order to cope with these limitations, we have proposed a privacy preserving improved authentication scheme based on ECC. The proposed scheme provides mutual authentication as well as resists all known attacks as mentioned by Tu et al. and Farash.

computer science, information systems,telecommunications

Dongqing Xu,Shu Zhang,Jianhua Chen,Mimi Ma

DOI: https://doi.org/10.1007/s12083-017-0583-3

IF: 3.488

2017-01-01

Peer-to-Peer Networking and Applications

Abstract:Recently, Lu et al. and Chaudhry et al. presented an authenticated key agreement scheme for session initiation protocol (SIP), respectively. They illustrated their schemes are secure against various familiar attacks. However, we demonstrate Lu et al.'s scheme is vulnerable to stolen verifier attack and Chaudhry et al.'s scheme is insecure to session key attack. To solve these problems, we propose a new provably secure mutual authentication scheme for SIP. Informal security analysis illustrates this proposed protocol can withstand different kinds of familiar attacks including stolen verifier attack and session key attack. And the correctness and security of the proposed protocol is also proved through Protocol Composition Logic (PCL) and generic group model. Eventually, security comparison shows our proposed scheme is more secure and performance analysis demonstrates the computation cost is also acceptable.

Zahid Mehmood,Gongliang Chen,Jianhua Li,Linsen Li,Bander Alzahrani

DOI: https://doi.org/10.1371/journal.pone.0186044

IF: 3.7

2017-01-01

PLoS ONE

Abstract:Over the past few years, Session Initiation Protocol ( SIP) is found as a substantial application-layer protocol for the multimedia services. It is extensively used for managing, altering, terminating and distributing the multimedia sessions. Authentication plays a pivotal role in SIP environment. Currently, Lu et al. presented an authentication protocol for SIP and profess that newly proposed protocol is protected against all the familiar attacks. However, the detailed analysis describes that the Lu et al.'s protocol is exposed against server masquerading attack and user's masquerading attack. Moreover, it also fails to protect the user's identity as well as it possesses incorrect login and authentication phase. In order to establish a suitable and efficient protocol, having ability to overcome all these discrepancies, a robust ECC-based novel mutual authentication mechanism with anonymity for SIP is presented in this manuscript. The improved protocol contains an explicit parameter for user to cope the issues of security and correctness and is found to be more secure and relatively effective to protect the user's privacy, user's masquerading and server masquerading as it is verified through the comprehensive formal and informal security analysis.

Azeem Irshad,Saru Kumari,Xiong Li,Fan Wu,Shehzad Ashraf Chaudhry,Hamed Arshad

DOI: https://doi.org/10.1007/s11277-017-4601-9

IF: 2.017

2017-01-01

Wireless Personal Communications

Abstract:The Session Initiation Protocol (SIP) provides a way to control the wired and wireless Voice over Internet Protocol-based communication over an insecure channel. The SIP protocol is not secure due to relying on an intrinsically open text-based communication, which further stresses the strengthening of SIP authentication protocols. Many solutions have been put forward in the last few years to design the secure and efficient SIP authentication protocols for multimedia. Recently, Zhang et al. proposed a SIP authentication protocol with an enhanced feature that enables the server authenticate the users on the basis of biometric verification. However, after a careful observation, one can witness few limitations regarding privileged insider attack, session specific temporary attack, De-synchronization attack; denial-of-service attack, inefficient password modification and lack forward secrecy compromise. We have proposed a secure scheme countering the identified flaws of Zhang et al. and other contemporary schemes. We also demonstrate the security strength of proposed scheme by employing the formal security analysis under BAN logic.

TANG Hong-bin,LIU Xin-song

DOI: https://doi.org/10.3724/SP.J.1087.2012.00468

2012-01-01

Journal of Computer Applications

Abstract:Session Initiation Protocol(SIP) provides authentication and session key agreement to ensure the security of the successive session.In 2010,Yoon et al.(YOON E-J,YOO K-Y.A three-factor authenticated key agreement scheme for SIP on elliptic curves.NSS '10: 4th International Conference on Network and System Security.Piscataway: IEEE,2010: 334-339.) proposed a three-factor authenticated key agreement scheme named TAKA_SIP for SIP.However,the scheme is vulnerable to insider attack,server-spoofing attack,off-line password attack,and losing token attack.Moreover,it does not provide mutual authentication.To overcome these flaws of TAKA_SIP,a new three-factor authentication scheme named ETAKA_SIP based on Elliptic Curve Cryptosystem(ECC) was proposed.ETAKA_SIP,on the basis of elliptic curve discrete logarithm problem,provides higher security than TAKA_SIP.It needs 7 elliptic curve scalar multiplication operations,1 additional operation and up to 6 Hash operations,and of high efficiency.

Haoran Chen,Jianhua Chen,Han Shen

DOI: https://doi.org/10.1504/ijesdf.2017.10004413

2017-01-01

International Journal of Electronic Security and Digital Forensics

Abstract:As a lightweight and flexible signalling protocol, session initiation protocol (SIP) has been widely used for establishing, modifying and terminating the sessions in the multimedia environment. The increasing concerns about the security of communication sessions that run over the public Internet has made authentication protocols for SIP more desired. Recently, Lu et al. proposed an authentication scheme for SIP and claimed that their scheme is secure against various known attacks while maintaining efficiency. However, in this paper we will indicate that their protocol suffers from server spoofing attacks and failed to provide mutual authentication as they claimed. Further, we have presented an improved authentication protocol for SIP and proved its security using BAN logic. Though the security and performance analysis, we illustrate that the proposed scheme is more secure and flexible.

Tao CUI,Qiang GAO,Bao HE

DOI: https://doi.org/10.3969/j.issn.0258-7998.2008.09.043

2008-01-01

Abstract:In this paper,a lightweight mutual authentication scheme based on improved HTTP Digest authentication was proposed to provide per-hop authentication and end-to-end user authentication.The proposed scheme can protect from many threats such as identity spoofing and Denial-of-Service(DOS)attacks.

Wu,Kan,Gong,Peng,Wang,Jiantao,Yan,Xiaopeng,Li,Ping

2013-01-01

Romanian journal of information science and technology

Abstract:The authenticated key agreement protocol is an important security protocol for the session initiation protocol, which allows the and the server to authenticate each other and generate a shared session key for privacy, integrity, and non-repudiation in their communications. Recently, Zhang et al. proposed a new authenticated key agreement protocol for the session initiation protocol using smart card and claimed their protocol was secure against various attacks. However, we found that Zhang et al.'s protocol cannot withstand the user impersonation attack, i. e., a malicious user could impersonate any other user to the server. We also propose a new authenticated key agreement protocol using smart card for SIP which is immune to the presented attack. Besides, the proposed protocol also has better performance than Zhang et al.'s protocol.

Yuting Feng,Feng Xiong,Wenchao Huang,Yan Xiong

DOI: https://doi.org/10.1109/bigcom53800.2021.00005

2021-01-01

Abstract:The Internet Engineering Task Force (IETF) proposed the Session Initiation Protocol (SIP) as the IP-based telephony protocol. With the widespread application of the Voice over IP (VoIP) on Internet, Security problems of SIP have received a lot of attention of researchers and the authentication mechanism in SIP is becoming increasingly important. Many studies reveal that the initial version of SIP specification suffers malicious attacks. To improve the security of the authentication mechanism in SIP, amendments and supplements are expressed over years. Researches on the previous specification have been carried out and some attacks are found, such as replay attack, online dictionary attack, man in the middle attack, etc. However, there is currently a lack of security analysis to the fresh security mechanisms of SIP. In this paper, we accommodate such a requirement by analyzing the security properties of SIP Digest Access Authentication Scheme adopting a formal protocol analysis tool SPAN. The authentication scheme is modeled in the validator according to two practical scenarios. With the two back-ends of SPAN, the two models of authentication scheme are verified both as safe. This result confirms that the supplemented version of SIP authentication mechanism is more reliable.

Saru Kumari,Fan Wu,Xiong Li,Mohammad Sabzinejad Farash,Qi Jiang,Muhammad Khurram Khan,Ashok Kumar Das

DOI: https://doi.org/10.1007/s11042-015-2988-4

IF: 2.577

2015-01-01

Multimedia Tools and Applications

Abstract:In recent years, Voice over Internet Protocol (VoIP) has gained more and more popularity as an application of the Internet technology. For various IP applications including VoIP, the topic of Session Initiation Protocol (SIP) has attracted major concern from researchers. SIP is an advanced signaling protocol operating on Internet Telephony. SIP uses digest authentication protocols such as Simple Mail Transport Protocol (SMTP) and Hyper Text Transport Protocol (HTTP). When a user seeks SIP services, authentication plays an important role in providing secure access to the server only to the authorized access seekers. Being an insecure-channel-based protocol, a SIP authentication protocol is susceptible to adversarial threats. Therefore, security is a big concern in SIP authentication mechanisms. This paper reveals the security vulnerabilities of two recently proposed SIP authentication schemes for VoIP, Irshad et al.'s scheme [Multimed. Tools. Appl. doi:10.1007/s11042-013-1807-z] and Arshad and Nikooghadam's scheme [Multimed. Tools. Appl. DOI 10.1007/s11042-014-2282-x], the later scheme is based on the former scheme. Irshad et al.'s scheme suffers from password guessing, user impersonation and server spoofing attacks. Arshad and Nikooghadam's scheme can be threatened with server spoofing and stolen verifier attack. None of these two schemes achieve mutual authentication. It also fails to follow the single round-trip authentication design of Irshad et al.'s scheme. To overcome these weaknesses, we propose a provable secure single round-trip SIP authentication scheme for VoIP using smart card. We formally prove the security of the scheme in random oracle and demonstrate through discussion its resistance to various attacks. The comparative analysis shows that the proposed SIP authentication scheme offers superior performance with a little extra computational cost.

Saru Kumari,Marimuthu Karuppiah,Ashok Kumar Das,Xiong Li,Fan Wu,Vidushi Gupta

DOI: https://doi.org/10.1007/s12652-017-0460-1

IF: 3.662

2018-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:The session initiation protocol (SIP) is a signaling protocol which is used to controlling communication in the Internet. It is also used for initiating, terminating and maintaining the sessions. A strong authentication scheme plays a pivotal role in safeguarding communications over the Internet. In order to ensure the secure communication, several authentication schemes have been proposed for SIP in the literature. Recently, Lu et al. proposed an authentication scheme for SIP-based communications and proved that their scheme can resist various network attacks. In this paper, we show that their scheme is susceptible to the user and server impersonation attacks. Also, their scheme fails to achieve user anonymity and mutual authentication. Hence, there is a need to propose a secure ECC-based authentication scheme with user anonymity for SIP to overcome the shortcomings of Lu et al.’s scheme. Security analysis shows that the proposed scheme is able to fix the flaws found in Lu et al.’s scheme. In addition to informal security discussions, we give formal security analysis of the proposed scheme under the generic group model of cryptography. Performance analysis also shows that the proposed scheme is suitable for SIP based communication.

Ke Xu,Xiaowei Ma,Chunyu Liu

DOI: https://doi.org/10.1109/icc.2008.292

2008-01-01

Abstract:Being one of the leading signaling protocols of VoIP applications, SIP protocol becomes popular in IP-based multimedia services, and securing SIP has become a priority. In this paper, we develop a novel authentication scheme which relies only on one way hash functions. In contrast to the computationally expensive asymmetric RSA signature scheme, our scheme is efficient in signing and verifying procedures. And hash tree is exploited to store and verify key information. Our scheme can be used in SIP entities which have less computation power and limited memory.

Sravani Challa,Ashok Kumar Das,Saru Kumari,Vanga Odelu,Fan Wu,Xiong Li

DOI: https://doi.org/10.1002/sec.1707

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Session initiation protocol (SIP) is a widely used authentication protocol for the Voice over IP communications. Over the years, several protocols have been proposed in the literature to strengthen the security of SIP. In this paper, we present an efficient elliptic curve cryptography (ECC)-based provably secure three-factor authentication and session key agreement scheme for SIP, which uses the identity, password, and personal biometrics of a user as three factors. Our scheme aims to resolve the security weaknesses and drawbacks in existing SIP authentication protocols. In addition, our scheme supports password and biometric update phase without involving the server and the user mobile device revocation phase in case the mobile device is lost/stolen. Formal security analysis under the standard model and the broadly accepted Burrows–Abadi–Needham logic ensures that the proposed scheme can withstand several known security attacks. The proposed scheme has also been analyzed informally. Simulation for formal security verification using the widely known automated validation of internet security protocols and applications tool shows the replay, and the man-in-the-middle attacks are protected by the scheme. High security and low communication and computation costs make the proposed scheme more suitable for practical application as compared with other existing related ECC-based schemes. Copyright © 2016 John Wiley & Sons, Ltd.

Saru Kumari,Shehzad Ashraf Chaudhry,Fan Wu,Xiong Li,Mohammad Sabzinejad Farash,Muhammad Khurram Khan

DOI: https://doi.org/10.1007/s12083-015-0409-0

IF: 3.488

2015-01-01

Peer-to-Peer Networking and Applications

Abstract:Sessioninitiation protocol (SIP) reformed the controlling routine of voice over Internet Protocol based communication over public channels. SIP is inherently insecure because of underlying open text architecture. A number of solutions are proposed to boost SIP security. Very recently Farash (Peer to Peer Netw. Appl. 1–10, 2014 ) proposed an enhanced protocol to improve the security of Tu et al.’s protocol (Peer to Peer Netw. Appl. 1–8, 2014 ). Further, Farash claimed his protocol to be secure against all known attacks. However, in this paper we show that Farash’s protocol is insecure against impersonation attack, password guessing attack, lacks user anonymity and is vulnerable to session-specific temporary information attack. Further, we have proposed an upgraded protocol to enhance the security. The security and performance analysis shows that the proposed protocol reduced one point multiplication as compared with Farash’s protocol, while resisting all known attacks. We have proved the security of proposed protocol using automated tool ProVerif.

Cui Tao,Gao Qiang,He Baoliong

DOI: https://doi.org/10.1109/icccas.2008.4657823

2008-01-01

Abstract:Session initiation protocol (SIP), due to its simple architecture and well-defined content, is currently considered the premier signaling protocol for next generation networks (NGN). However, its simplicity will lead to serious security challenges in terms of privacy and integrity. Security mechanisms recommended by RFC3261 for SIP are either weak information protection methods or demand heavy computing resources. In this paper, a lightweight mutual authentication scheme based on improved HTTP digest authentication is proposed to provide per-hop authentication and end-to-end user authentication. The proposed scheme can protect from many threats such as identity spoofing and denial-of-service (DoS) attacks.