Saru Kumari,Shehzad Ashraf Chaudhry,Fan Wu,Xiong Li,Mohammad Sabzinejad Farash,Muhammad Khurram Khan

DOI: https://doi.org/10.1007/s12083-015-0409-0

IF: 3.488

2015-01-01

Peer-to-Peer Networking and Applications

Abstract:Sessioninitiation protocol (SIP) reformed the controlling routine of voice over Internet Protocol based communication over public channels. SIP is inherently insecure because of underlying open text architecture. A number of solutions are proposed to boost SIP security. Very recently Farash (Peer to Peer Netw. Appl. 1–10, 2014 ) proposed an enhanced protocol to improve the security of Tu et al.’s protocol (Peer to Peer Netw. Appl. 1–8, 2014 ). Further, Farash claimed his protocol to be secure against all known attacks. However, in this paper we show that Farash’s protocol is insecure against impersonation attack, password guessing attack, lacks user anonymity and is vulnerable to session-specific temporary information attack. Further, we have proposed an upgraded protocol to enhance the security. The security and performance analysis shows that the proposed protocol reduced one point multiplication as compared with Farash’s protocol, while resisting all known attacks. We have proved the security of proposed protocol using automated tool ProVerif.

Azeem Irshad,Saru Kumari,Xiong Li,Fan Wu,Shehzad Ashraf Chaudhry,Hamed Arshad

DOI: https://doi.org/10.1007/s11277-017-4601-9

IF: 2.017

2017-01-01

Wireless Personal Communications

Abstract:The Session Initiation Protocol (SIP) provides a way to control the wired and wireless Voice over Internet Protocol-based communication over an insecure channel. The SIP protocol is not secure due to relying on an intrinsically open text-based communication, which further stresses the strengthening of SIP authentication protocols. Many solutions have been put forward in the last few years to design the secure and efficient SIP authentication protocols for multimedia. Recently, Zhang et al. proposed a SIP authentication protocol with an enhanced feature that enables the server authenticate the users on the basis of biometric verification. However, after a careful observation, one can witness few limitations regarding privileged insider attack, session specific temporary attack, De-synchronization attack; denial-of-service attack, inefficient password modification and lack forward secrecy compromise. We have proposed a secure scheme countering the identified flaws of Zhang et al. and other contemporary schemes. We also demonstrate the security strength of proposed scheme by employing the formal security analysis under BAN logic.

Zahid Mehmood,Gongliang Chen,Jianhua Li,Linsen Li,Bander Alzahrani

DOI: https://doi.org/10.1371/journal.pone.0186044

IF: 3.7

2017-01-01

PLoS ONE

Abstract:Over the past few years, Session Initiation Protocol ( SIP) is found as a substantial application-layer protocol for the multimedia services. It is extensively used for managing, altering, terminating and distributing the multimedia sessions. Authentication plays a pivotal role in SIP environment. Currently, Lu et al. presented an authentication protocol for SIP and profess that newly proposed protocol is protected against all the familiar attacks. However, the detailed analysis describes that the Lu et al.'s protocol is exposed against server masquerading attack and user's masquerading attack. Moreover, it also fails to protect the user's identity as well as it possesses incorrect login and authentication phase. In order to establish a suitable and efficient protocol, having ability to overcome all these discrepancies, a robust ECC-based novel mutual authentication mechanism with anonymity for SIP is presented in this manuscript. The improved protocol contains an explicit parameter for user to cope the issues of security and correctness and is found to be more secure and relatively effective to protect the user's privacy, user's masquerading and server masquerading as it is verified through the comprehensive formal and informal security analysis.

Wu,Kan,Gong,Peng,Wang,Jiantao,Yan,Xiaopeng,Li,Ping

2013-01-01

Romanian journal of information science and technology

Abstract:The authenticated key agreement protocol is an important security protocol for the session initiation protocol, which allows the and the server to authenticate each other and generate a shared session key for privacy, integrity, and non-repudiation in their communications. Recently, Zhang et al. proposed a new authenticated key agreement protocol for the session initiation protocol using smart card and claimed their protocol was secure against various attacks. However, we found that Zhang et al.'s protocol cannot withstand the user impersonation attack, i. e., a malicious user could impersonate any other user to the server. We also propose a new authenticated key agreement protocol using smart card for SIP which is immune to the presented attack. Besides, the proposed protocol also has better performance than Zhang et al.'s protocol.

Qiong Pu,Jian Wang,Shuhua Wu

DOI: https://doi.org/10.1002/sec.568

IF: 1.968

2012-01-01

Security and Communication Networks

Abstract:ABSTRACTThe session initiation protocol (SIP) is the most widely used signaling protocol for creating, modifying, and terminating multimedia sessions in an Internet Protocol‐based telephony environment. Recently, Arshad et al. proposed an authentication scheme based on elliptic curve cryptosystems for SIP. In this paper, we first show that their scheme is vulnerable to the password‐guessing attack. Thereafter, we propose a new authentication and key agreement scheme for SIP, which is immune to the presented attacks. Our scheme achieves provable security and, yet, is efficient. Moreover, we also provide an extended scheme capable of protecting media stream's privacy even against SIP servers while supporting lawful interception, which is inevitably required for protecting the national security or for detecting the criminal evidence. Copyright © 2012 John Wiley & Sons, Ltd.

Saru Kumari,Fan Wu,Xiong Li,Mohammad Sabzinejad Farash,Qi Jiang,Muhammad Khurram Khan,Ashok Kumar Das

DOI: https://doi.org/10.1007/s11042-015-2988-4

IF: 2.577

2015-01-01

Multimedia Tools and Applications

Abstract:In recent years, Voice over Internet Protocol (VoIP) has gained more and more popularity as an application of the Internet technology. For various IP applications including VoIP, the topic of Session Initiation Protocol (SIP) has attracted major concern from researchers. SIP is an advanced signaling protocol operating on Internet Telephony. SIP uses digest authentication protocols such as Simple Mail Transport Protocol (SMTP) and Hyper Text Transport Protocol (HTTP). When a user seeks SIP services, authentication plays an important role in providing secure access to the server only to the authorized access seekers. Being an insecure-channel-based protocol, a SIP authentication protocol is susceptible to adversarial threats. Therefore, security is a big concern in SIP authentication mechanisms. This paper reveals the security vulnerabilities of two recently proposed SIP authentication schemes for VoIP, Irshad et al.'s scheme [Multimed. Tools. Appl. doi:10.1007/s11042-013-1807-z] and Arshad and Nikooghadam's scheme [Multimed. Tools. Appl. DOI 10.1007/s11042-014-2282-x], the later scheme is based on the former scheme. Irshad et al.'s scheme suffers from password guessing, user impersonation and server spoofing attacks. Arshad and Nikooghadam's scheme can be threatened with server spoofing and stolen verifier attack. None of these two schemes achieve mutual authentication. It also fails to follow the single round-trip authentication design of Irshad et al.'s scheme. To overcome these weaknesses, we propose a provable secure single round-trip SIP authentication scheme for VoIP using smart card. We formally prove the security of the scheme in random oracle and demonstrate through discussion its resistance to various attacks. The comparative analysis shows that the proposed SIP authentication scheme offers superior performance with a little extra computational cost.

Debiao He,Jianhua Chen,Yitao Chen

DOI: https://doi.org/10.1002/sec.506

2011-01-01

Abstract:The session initiation protocol (SIP) is a powerful signaling protocol that controls communication on the Internet, establishing, maintaining, and terminating the sessions. The services that are enabled by SIP are equally applicable in the world of mobile and ubiquitous computing. In 2009, Tsai proposed an authenticated key agreement scheme as an enhancement to SIP. Very recently, Arshad et al. demonstrated that Tsai's scheme was vulnerable to offline password guessing attack and stolen-verifier attack. They also pointed that Tsai's scheme did not provide known-key secrecy and perfect forward secrecy. In order to overcome the weaknesses, Arshad et al. also proposed an improved mutual authentication scheme based on elliptic curve discrete logarithm problem for SIP and claimed that their scheme can withstand various attacks. In this paper, we do a cryptanalysis of Arshad et al.'s scheme and show that Arshad et al.'s scheme is vulnerable to the password guessing attack.

Zheng, Jun,Wang, Dongyun

DOI: https://doi.org/10.1109/ICITEC.2014.7105601

2014-01-01

Abstract:SIP (Session Initial Protocol) has been a very popular protocol for VoIP. However, the authentication of this protocol just derives from HTTP digest authentication, which has been demonstrated insecure in the open network. Recently, Arshad et al. proposed an improved mutual authentication scheme based on ECC and claimed that it's secure enough. In this paper, however, we point out that their protocol still could not resist offline password guessing attacks. Furthermore, we propose an ECC-based mutual authentication and key agreement scheme to overcome such a security problem. Also, an analysis of it is provided to indicate that compared to Arshad et al.'s scheme, this scheme reduces twice hash operation and is more secure with reasonable computation cost.

Haoran Chen,Jianhua Chen,Han Shen

DOI: https://doi.org/10.1504/ijesdf.2017.10004413

2017-01-01

International Journal of Electronic Security and Digital Forensics

Abstract:As a lightweight and flexible signalling protocol, session initiation protocol (SIP) has been widely used for establishing, modifying and terminating the sessions in the multimedia environment. The increasing concerns about the security of communication sessions that run over the public Internet has made authentication protocols for SIP more desired. Recently, Lu et al. proposed an authentication scheme for SIP and claimed that their scheme is secure against various known attacks while maintaining efficiency. However, in this paper we will indicate that their protocol suffers from server spoofing attacks and failed to provide mutual authentication as they claimed. Further, we have presented an improved authentication protocol for SIP and proved its security using BAN logic. Though the security and performance analysis, we illustrate that the proposed scheme is more secure and flexible.

Saru Kumari,Marimuthu Karuppiah,Ashok Kumar Das,Xiong Li,Fan Wu,Vidushi Gupta

DOI: https://doi.org/10.1007/s12652-017-0460-1

IF: 3.662

2018-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:The session initiation protocol (SIP) is a signaling protocol which is used to controlling communication in the Internet. It is also used for initiating, terminating and maintaining the sessions. A strong authentication scheme plays a pivotal role in safeguarding communications over the Internet. In order to ensure the secure communication, several authentication schemes have been proposed for SIP in the literature. Recently, Lu et al. proposed an authentication scheme for SIP-based communications and proved that their scheme can resist various network attacks. In this paper, we show that their scheme is susceptible to the user and server impersonation attacks. Also, their scheme fails to achieve user anonymity and mutual authentication. Hence, there is a need to propose a secure ECC-based authentication scheme with user anonymity for SIP to overcome the shortcomings of Lu et al.’s scheme. Security analysis shows that the proposed scheme is able to fix the flaws found in Lu et al.’s scheme. In addition to informal security discussions, we give formal security analysis of the proposed scheme under the generic group model of cryptography. Performance analysis also shows that the proposed scheme is suitable for SIP based communication.

Sravani Challa,Ashok Kumar Das,Saru Kumari,Vanga Odelu,Fan Wu,Xiong Li

DOI: https://doi.org/10.1002/sec.1707

IF: 1.968

2016-01-01

Security and Communication Networks

Abstract:Session initiation protocol (SIP) is a widely used authentication protocol for the Voice over IP communications. Over the years, several protocols have been proposed in the literature to strengthen the security of SIP. In this paper, we present an efficient elliptic curve cryptography (ECC)-based provably secure three-factor authentication and session key agreement scheme for SIP, which uses the identity, password, and personal biometrics of a user as three factors. Our scheme aims to resolve the security weaknesses and drawbacks in existing SIP authentication protocols. In addition, our scheme supports password and biometric update phase without involving the server and the user mobile device revocation phase in case the mobile device is lost/stolen. Formal security analysis under the standard model and the broadly accepted Burrows–Abadi–Needham logic ensures that the proposed scheme can withstand several known security attacks. The proposed scheme has also been analyzed informally. Simulation for formal security verification using the widely known automated validation of internet security protocols and applications tool shows the replay, and the man-in-the-middle attacks are protected by the scheme. High security and low communication and computation costs make the proposed scheme more suitable for practical application as compared with other existing related ECC-based schemes. Copyright © 2016 John Wiley & Sons, Ltd.

Imran Memon,Ibrar Hussain,Rizwan Akhtar,Gencai Chen

DOI: https://doi.org/10.1007/s11277-015-2699-1

IF: 2.017

2015-01-01

Wireless Personal Communications

Abstract:Past few years, the mobile technology and location based services have experienced a great increment in number of its users. The privacy issues related to these services are becoming main concerns because of the leakage of users' private information and contents. To prevent revelation of private information, many researchers have proposed several secure and authentication schemes which apply various technologies to provide integral security properties, such as symmetric encryption, digital signature, timestamp, etc. Unfortunately, some of these schemes still exhibit security and efficiency issues. In this research paper, we proposed an efficient and secure anonymous communication for location based service using asymmetric cryptography scheme over the wireless system was attempted missing some system detail. We also proposed the prevent user private information and secure communication by asymmetric cryptography scheme. We solved the wireless communication problem in A3 algorithm such as eavesdropping and this problem solved by asymmetric cryptography scheme because of its robustness against this type of attack by providing mutual authentication make the system more secure. Finally, performance and cost analysis show our scheme is more suitable for low-power and resource limited wireless system and thus availability for real implementation. According to our security analysis and performance, we can prove that our proposed asymmetric cryptography scheme is able to improve wireless communication system security and enhance efficiency in comparison to previous schemes.

Jianqing Fu,Jian Chen,Rong Fan,XiaoPing Chen,Lingdi Ping

DOI: https://doi.org/10.1109/wcse.2009.731

2009-01-01

Abstract:With the widespread use of mobile devices, authentication and privacy of identification become important issues. We analyzed the security flaws and shortcomings of a delegation-based authentication protocol which was proposed by Caimu Tang, et al., and provided an improved protocol. We use elliptic-curve cryptography and hash chain to ensure the safety of system in our scheme. The research results reveal that the improved protocol can not only corrects the security flaws but also improve the efficiency of key management and reduce the computational load.

Jin-long Hu,Ling Zhang,Yong Xu,Zhao Ye

DOI: https://doi.org/10.3969/j.issn.1000-565X.2012.04.001

2012-01-01

Abstract:As the traditional software-based SIP security schemes are vulnerable to embezzlement, deception and invasion, a dual authentication framework combined with the trusted computing technology is proposed for endpoint system and user identity. Then, a new SIP security scheme for Internet multimedia communication is presented, which takes advantage of the trusted platform module and the direct anonymous attestation algorithm to design a new registration sub-protocol for improving the security of multimedia communication systems. Moreover, the security of the registration sub-protocol is verified by using the provable security model, and the characteristics of the whole scheme are finally analyzed.

Wenxia Zhu,Jianhua Chen,Debiao He

DOI: https://doi.org/10.1504/ijesdf.2015.072176

2015-01-01

International Journal of Electronic Security and Digital Forensics

Abstract:Providing a security and efficiently key agreement for session initiation protocol SIP is so important to protect communication sessions on the internet. An authentication should be finished before a user utilises the SIP service provided by a server. However, there are some security problems with SIP authentication. Recently, Tu et al. improved Zhang et al.'s authenticated key agreement protocol. They also claimed that their protocol could be resistant to kinds of attacks. In our paper, we show that their protocol is susceptible to the server spoofing attack, user impersonation attack. We also proposed an enhanced protocol which can be more secure and flexible here.

Dongqing Xu,Shu Zhang,Jianhua Chen,Mimi Ma

DOI: https://doi.org/10.1007/s12083-017-0583-3

IF: 3.488

2017-01-01

Peer-to-Peer Networking and Applications

Abstract:Recently, Lu et al. and Chaudhry et al. presented an authenticated key agreement scheme for session initiation protocol (SIP), respectively. They illustrated their schemes are secure against various familiar attacks. However, we demonstrate Lu et al.'s scheme is vulnerable to stolen verifier attack and Chaudhry et al.'s scheme is insecure to session key attack. To solve these problems, we propose a new provably secure mutual authentication scheme for SIP. Informal security analysis illustrates this proposed protocol can withstand different kinds of familiar attacks including stolen verifier attack and session key attack. And the correctness and security of the proposed protocol is also proved through Protocol Composition Logic (PCL) and generic group model. Eventually, security comparison shows our proposed scheme is more secure and performance analysis demonstrates the computation cost is also acceptable.

Hongbin Tang,Xinsong Liu

DOI: https://doi.org/10.1007/s11042-012-1001-8

IF: 2.577

2012-01-01

Multimedia Tools and Applications

Abstract:Session Initiation Protocol (SIP) has been widely used in the current Internet protocols such as Hyper Text Transport Protocol (HTTP) and Simple Mail Transport Protocol (SMTP). However, the original SIP authentication scheme was insecure and many researchers tried to propose schemes to overcome the flaws. In the year 2011, Arshad et al. proposed a SIP authentication protocol using elliptic curve cryptography (ECC), but their scheme suffered from off-line password guessing attack along with password change pitfalls. To conquer the mentioned weakness, we proposed an ECC-based authentication scheme for SIP. Our scheme only needs to compute four elliptic curve scale multiplications and two hash-to-point operations, and maintains high efficiency. The analysis of security of the ECC-based protocol shows that our scheme is suitable for the applications with higher security requirement.

Liang Ni,Gongliang Chen,Jianhua Li

DOI: https://doi.org/10.1109/ncis.2011.49

2011-01-01

Abstract:The session initiation protocol (SIP) is widely used as a signaling protocol based on the challenge-response exchange mode for handling multimedia sessions in both wire line and wireless world. The original authentication mechanism of SIP is HTTP digest based authentication, which is vulnerable to many forms of known attacks and therefore can not provide security at an acceptable level. In this paper, we propose an identity-based authenticated key agreement mechanism which can be used in SIP to solve the security problems existing in its original authentication procedure. The proposed scheme uses Elliptic Curve Cryptography and does not require expensive bilinear pairing operations, which makes it computationally much more efficient than previous identity-based and Certificateless schemes using pairings. We show the security of our proposal under the Canetti-Krawczky model. Our scheme captures many desirable security properties and can prevent various possible attacks induced by open networks and the standard of SIP message. Furthermore, through introducing some design ideas from Certificateless cryptography, our proposal avoids not only the requirement of a large Public Key Infrastructure but also key escrow problem.

Cui Tao,Gao Qiang,He Baoliong

DOI: https://doi.org/10.1109/icccas.2008.4657823

2008-01-01

Abstract:Session initiation protocol (SIP), due to its simple architecture and well-defined content, is currently considered the premier signaling protocol for next generation networks (NGN). However, its simplicity will lead to serious security challenges in terms of privacy and integrity. Security mechanisms recommended by RFC3261 for SIP are either weak information protection methods or demand heavy computing resources. In this paper, a lightweight mutual authentication scheme based on improved HTTP digest authentication is proposed to provide per-hop authentication and end-to-end user authentication. The proposed scheme can protect from many threats such as identity spoofing and denial-of-service (DoS) attacks.

s k hafizul islam,muhammad khurram khan,xiong li

DOI: https://doi.org/10.1371/journal.pone.0131368

IF: 3.7

2015-01-01

PLoS ONE

Abstract:Over the past few years, secure and privacy-preserving user authentication scheme has become an integral part of the applications of the healthcare systems. Recently, Wen has designed an improved user authentication system over the Lee et al.'s scheme for integrated electronic patient record (EPR) information system, which has been analyzed in this study. We have found that Wen's scheme still has the following inefficiencies: (1) the correctness of identity and password are not verified during the login and password change phases; (2) it is vulnerable to impersonation attack and privileged-insider attack; (3) it is designed without the revocation of lost/stolen smart card; (4) the explicit key confirmation and the no key control properties are absent, and (5) user cannot update his/her password without the help of server and secure channel. Then we aimed to propose an enhanced two-factor user authentication system based on the intractable assumption of the quadratic residue problem (QRP) in the multiplicative group. Our scheme bears more securities and functionalities than other schemes found in the literature.