A Privacy-Preserving Roaming Authentication Scheme for Ubiquitous Networks

A privacy-preserving roaming authentication scheme (PPRAS) for ubiquitous networks is proposed, in which a remote mobile user can obtain the service offered by a foreign agent after being authenticated. In order to protect the mobile user's privacy, the user presents an anonymous identity to the foreign agent and completes the authentication with the assistance of his or her home agent. After that, the user and the foreign agent can establish a session key using the semi-group property of the Chebyshev polynomial. In this way, the heavy burden of key management is avoided. Furthermore, the user can update the login password and the session key shared with the foreign agent whenever necessary. The correctness is proved using BAN logic, and a performance comparison against the existing schemes is given as well.

Keywords: roaming authentication; anonymity; chaotic maps; key agreement


INTRODUCTION
The high-speed development of the mobile Internet has a profound influence on people's daily life. A mobile user wishes to share something or obtain resources via mobile devices anytime and anywhere, and this should not be an issue while he or she is located within the range of the home network provider. However, when a mobile user moves into the region of a foreign network, how does he or she access that foreign network? Undoubtedly, as shown in Fig. 1, the ubiquitous network should be equipped with authentication and session key establishment before it permits the user to access the Internet through it.
Many authentication and key establishment protocols for mobile networks [1]-[7] have been proposed in recent years. In 2009, Chang et al. [1] proposed an efficient authentication protocol for mobile devices, which uses one-way hash functions and the exclusive-or operation to reduce computation, and they claimed that their scheme achieves perfect forward secrecy. However, their protocol cannot protect the user's privacy, since real identities are sent in plaintext during the authentication. Later, Chang et al. [2] proposed another enhanced authentication scheme, which uses a random number and one-way hash functions to protect the user's identity; however, the scheme cannot prevent the insider attack, as a malicious inner user can obtain the real identity with ease. Li et al. [8] proposed an efficient mobile network authentication scheme which protects mobile users' privacy but is vulnerable to the man-in-the-middle attack. Shin et al. [9] and Wen et al. [10] proposed anonymous authentication schemes for mobile networks; however, Shin et al.'s scheme [9] cannot resist the man-in-the-middle attack, and Wen et al.'s scheme [10] reveals the user's real identity. In 2014, Xie et al. [11] proposed a mobile roaming authentication protocol and claimed that it protects users' privacy; however, its efficiency is not desirable. Mao et al. [12] proposed an anonymous authentication scheme for global mobility networks in the same year. Recently, Farash et al. [13] proposed a lightweight authentication scheme for roaming in ubiquitous networks, but it is vulnerable to the replay attack. To address these security issues, some protocols [14]-[16] use a smart card to authenticate and to establish the session key. In 2010, Li et al. [15] proposed an efficient authentication protocol using a smart card to make the user anonymous, which enhances security with the untraceability property. Recently, much work on Chebyshev chaotic map based authentication with smart cards [17]-[21] has been done. Juang et al. [22] proposed an authenticated key agreement scheme using a smart card, which is privacy-preserving and time-synchronization free. However, in 2009, Sun et al. [23] pointed out that Juang et al.'s scheme [22] suffers from the inability to change the password and from the session-key problem, and hence proposed an improved authentication protocol using a smart card. In 2013, Guo et al. [21] proposed a password-authenticated scheme using a smart card. In 2015, Lin et al. [24] proposed an improved chaotic maps based authentication protocol using a smart card.
With the popularity of mobile network-enabled devices, people are fond of handling all their work on those devices. However, private information, for example the user's identity, may be illegally intercepted and then tracked by potential attackers. The existing schemes either fail to preserve privacy or incur a heavy key management burden, since traditional symmetric or asymmetric encryption is employed for the handshake messages. To address mobile users' privacy effectively, a privacy-preserving roaming authentication and key agreement scheme (PPRAS) is proposed in this paper. In PPRAS, a smart card together with chaotic maps is employed to improve efficiency and to simplify session key agreement and key management. In the proposed scheme, the foreign agent can authenticate the mobile user without knowing the user's real identity, and then the two parties agree on the shared session key and the temporary identification.
The rest of the article is organized as follows. Some related basics are briefly reviewed in Section II. The concrete construction of PPRAS is illustrated in Section III. Analysis and comparison are presented in Section IV. The paper is concluded in the last section.

II. PRELIMINARIES
A brief introduction of the Chebyshev maps and some related basics are given in this section.

A. Chebyshev Chaotic Maps
According to the definition, the recursive form of the Chebyshev polynomial map can be produced as follows. The Chebyshev polynomial map has the following two properties:
1) Semi-group property.
2) Chaos property: when $n > 1$, the $n$-degree Chebyshev polynomial map is chaotic, with positive Lyapunov exponent $\lambda = \ln n > 0$.

B. The Extended Chebyshev Chaotic Maps
According to the periodicity of $y = \cos(x)$, there exist multiple $x$ associated with the same $y$ that make the equation hold. Zhang [25] proved that the Chebyshev polynomial map still keeps the semi-group property over the interval $(-\infty, \infty)$, and proposed the concept of the extended Chebyshev chaotic maps as follows, where $x \in (-\infty, \infty)$ and $P$ is a big prime number. Furthermore, the following equation holds as well:
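The following is an added example, not code from the paper. It evaluates the extended Chebyshev map modulo a prime and shows the two facts the scheme builds on: the semi-group property $T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x)) \bmod P$, which lets two parties derive the same key from each other's public values (the way HA and FA derive $K_{FH}$ from $T_{HA}$ and $T_{FA}$ in Section IV), and the chaotic-map discrete logarithm problem of Definition 2. The parameters $P$, $x$, $s$ and $r$ are small constructed values for illustration only, and the function names are the example's own.

```python
# Added example (not the paper's code): the Chebyshev map modulo a prime, the
# semi-group property, the key agreement it enables, and the DL problem of
# Definition 2. P, x, s, r are small constructed parameters for illustration;
# a deployment needs a large prime P and secret degrees of at least 128 bits.


def chebyshev_mod(n: int, x: int, p: int) -> int:
    """Return T_n(x) mod p for the extended Chebyshev map:
    T_0(x) = 1, T_1(x) = x, T_k(x) = 2x*T_{k-1}(x) - T_{k-2}(x) (mod p).

    Evaluated with the companion matrix M = [[2x, -1], [1, 0]], because
    (T_k, T_{k-1}) = M^(k-1) * (T_1, T_0); square-and-multiply makes this
    O(log n), which matters since n is a secret degree of about 2^128 in practice.
    """
    if n < 0:
        raise ValueError("degree must be non-negative")
    x %= p
    if n == 0:
        return 1 % p
    if n == 1:
        return x

    def mat_mul(a, b):
        return [
            [(a[0][0] * b[0][0] + a[0][1] * b[1][0]) % p,
             (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % p],
            [(a[1][0] * b[0][0] + a[1][1] * b[1][0]) % p,
             (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % p],
        ]

    base = [[(2 * x) % p, (-1) % p], [1, 0]]
    acc = [[1, 0], [0, 1]]
    e = n - 1
    while e:
        if e & 1:
            acc = mat_mul(acc, base)
        base = mat_mul(base, base)
        e >>= 1
    # acc = M^(n-1); its first row applied to (T_1, T_0) = (x, 1) yields T_n(x)
    return (acc[0][0] * x + acc[0][1]) % p


def chebyshev_naive(n: int, x: int, p: int) -> int:
    """Reference O(n) recurrence, used only to cross-check chebyshev_mod."""
    t_prev, t_cur = 1 % p, x % p
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_cur


def semigroup_holds(r: int, s: int, x: int, p: int) -> bool:
    """T_r(T_s(x)) == T_s(T_r(x)) == T_{rs}(x) (mod p): the property the scheme relies on.
    It is a polynomial identity over the integers, so it survives reduction mod p."""
    lhs = chebyshev_mod(r, chebyshev_mod(s, x, p), p)
    rhs = chebyshev_mod(s, chebyshev_mod(r, x, p), p)
    return lhs == rhs == chebyshev_mod(r * s, x, p)


def agree_key(p: int, x: int, s_ha: int, r_fa: int):
    """Chebyshev key agreement: HA keeps secret degree s_ha and publishes
    T_HA = T_s(x); FA keeps r_fa and publishes T_FA = T_r(x). Each applies its
    own degree to the other's public value and obtains T_{rs}(x). An eavesdropper
    sees only x, T_HA and T_FA and must solve the DL problem to recover s or r."""
    t_ha = chebyshev_mod(s_ha, x, p)
    t_fa = chebyshev_mod(r_fa, x, p)
    k_at_ha = chebyshev_mod(s_ha, t_fa, p)
    k_at_fa = chebyshev_mod(r_fa, t_ha, p)
    return t_ha, t_fa, k_at_ha, k_at_fa


def dlp_bruteforce(x: int, y: int, p: int, max_degree: int):
    """Definition 2 (chaotic-map DL problem): find s with T_s(x) = y mod p.
    Exhaustive search, feasible only for toy parameters; the scheme's security
    rests on this being infeasible for a large p and large degrees."""
    for s in range(max_degree + 1):
        if chebyshev_mod(s, x, p) == y:
            return s
    return None


if __name__ == "__main__":
    P, X = 10007, 5  # constructed toy parameters
    t_ha, t_fa, k_ha, k_fa = agree_key(P, X, 17, 29)
    print("T_HA =", t_ha, "T_FA =", t_fa, "shared key =", k_ha, k_fa)
    print("semi-group property holds:", semigroup_holds(17, 29, X, P))
    print("DLP for T_3(5):", dlp_bruteforce(X, chebyshev_mod(3, X, P), P, 100))
```

The matrix form is the part worth keeping: the naive recurrence is linear in the degree, so a straightforward implementation with a 128-bit secret degree never terminates, and an implementation that "works" on a toy prime silently pushes developers toward tiny, brute-forceable degrees.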

III. CONSTRUCTION OF PPRAS
In this section, the detailed construction of PPRAS is presented.For convenience, the descriptions of some symbols to be used are listed in TABLE I.
In PPRAS, there exist three entities: the mobile user MU, the home agent HA and the foreign agent FA. When MU moves into FA's network, FA needs to authenticate MU before granting permission to access the network. To finish the authentication, FA needs the assistance of HA to verify whether MU is an authorized user or not; if not, the authentication process is terminated. The proposed scheme consists of four stages: the registration phase, the authentication phase (including session key establishment), the session key update phase and the login password update phase.
During initialization, FA shares a session key with HA, which is securely stored locally. The authentication is launched by MU and then proceeds through the following interactive steps.

A. Registration Phase
A mobile user MU registers with his or her home agent HA using the following steps:
1) HA chooses two random numbers $x$, $s$ and a big prime number $P$, then computes $T_s(x) \bmod P$.
Otherwise, MU fails to register in the system.

B. Authentication and Key Establishment Phase
MU and FA complete the authentication and key establishment by following the steps shown in Fig. 2, which depicts the message flow among MU, FA and HA. The final check is whether $M \stackrel{?}{=} M'$ holds; if it holds, the establishment of the session key is complete.

C. Session Key Update Phase
In order to ensure security, it is necessary for MU to periodically update the session key previously established between himself or herself and FA. MU follows the steps below to update his or her session key for the $i$-th time:

D. Login Password Update Phase
It is necessary for MU to update his or her login password dynamically, to prevent someone else who learns the password from mounting impersonation attacks. The login password is updated as follows: Step 1. MU inserts his or her smart card into the reader, then inputs his or her real identity $ID_{MU}$

IV. ANALYSIS AND COMPARISON

A. Correctness Analysis
The Burrows-Abadi-Needham (BAN) logic [27] is useful for identifying possible weaknesses in security protocols, especially authentication protocols, so BAN logic is used to analyze the correctness of PPRAS. Some notations are listed in TABLE II.

TABLE II. NOTATIONS OF BAN LOGIC
$A \mid\equiv X$: $A$ believes $X$.
$A \overset{x}{\longleftrightarrow} B$: $x$ is a secret key or information shared between $A$ and $B$.
$\{X\}_K$: $X$ is encrypted by the key $K$.

1) Idealization
According to the rules of the BAN logic, the first step is to idealize the authentication phases of PPRAS as follows:

2) Assumptions
In PPRAS, there exist three entities: the mobile user (MU), the foreign agent (FA) and the home agent (HA). Each entity has its own possessions and abilities. The initial assumptions are described as follows (HA's assumptions A5 to A10 are listed after TABLE I).
For MU: $MU \mid\equiv MU \overset{K_{MH}}{\longleftrightarrow} HA$.
A1: MU believes his or her own identity.
A2: MU believes his or her own pseudonym $SID$.
A3: As MU registers with the home agent HA to become a legitimate user, MU believes HA's identity $ID_{HA}$.
A4: MU believes the number $x_{MU}$ chosen by himself or herself.
For FA: $FA \mid\equiv r_{FA}$.
A11: FA holds its own identity.
A12: FA needs to authenticate MU with the help of HA, so FA needs to hold HA's identity $ID_{HA}$.
A13: FA believes $t_{MU}$ is fresh, so that it will be able to finish the next operation.
A14: FA believes the session key $K_{FH}$ between itself and HA, because $K_{FH}$ is computed using Chebyshev polynomials with HA's public parameter $T_{HA}$ and the value $T_{FA}$ computed by FA itself.

3) Goals
According to the proposed scheme, MU and FA want to establish a session key with the help of HA, so the scheme needs to achieve the following goals (G1 and G2, which concern HA's beliefs, are listed with Fig. 2 below):
G3: FA believes that HA has verified MU's anonymous identity $SID$.
G4: MU believes that HA believes FA is a legitimate agent.
G5: MU believes the session key between himself or herself and FA, that is, MU has successfully generated the session key with FA.
G6: FA believes the session key between itself and MU, that is, FA has successfully generated the session key with MU.
MU wants to establish a session key with FA without leaking his or her identity, so MU needs an anonymous identity that can be authenticated by HA, and HA must believe FA's identity to enable MU to communicate with FA. After they finish generating the session key, FA and MU must each believe that the authenticated peer holds the common session key.

4) Verification
In this section, BAN logic is employed to check whether PPRAS is correct or not. The primary steps are as follows.
Theorem 1. HA believes the anonymous identity of MU and the identity of FA.
Proof: According to assumptions A7 and A8, HA believes that the messages $m_1$ and $m_2$ are fresh and have never been received before. Applying the seeing rule and then, with assumption A10, the message-meaning rule, HA believes that FA has said $ID_{FA}$; applying the freshness rule, HA believes that FA believes $ID_{FA}$, so HA believes $ID_{FA}$.
After verifying the correctness of the MAC, HA believes the session key $k_{HF}$, so HA believes the identity of FA and also believes that the message $m_1$ has not been tampered with. Then HA
After MU verifies $h_2$, he or she computes the session key $K_{MF}$ between MU and FA, so MU holds $K_{MF}$; according to the proof above that MU believes $h_3$, MU can verify with $h_3$ that the key $K_{MF}$ is right, that is, MU believes the session key between himself or herself and FA.
Theorem 5. FA believes the session key between itself and MU, that is, FA has already generated the session key with MU.
Proof: After FA receives the message $m_5$ from MU, according to assumption A15, applying the belief rule:

FA believes $T_{FM}$; as FA holds the message $m_5$, FA believes the session key $K_{FM}$ between FA and MU.

B. Performance Analysis
The performance evaluation of the existing protocols [9]-[13] and PPRAS is discussed in this section. The overall results are listed in TABLE III.

Since the authentication is a series of synchronized processes, the total computational cost of the client and the server during authentication and key agreement should be investigated. As the cost of the XOR operation and modular addition is rather cheap, these two operations are not included in the comparison; only the symmetric encryption/decryption operation, the chaotic map operation, the hash operation and the modular exponentiation operation are counted. As shown in TABLE III, the client-side computational cost in [9], [10] and [13] is much cheaper than in PPRAS; however, as discussed previously, the schemes in [9] and [12] cannot resist the man-in-the-middle attack, the scheme in [10] cannot preserve the user's privacy, the efficiency of [11] is not desirable, and the scheme in [13] is vulnerable to the replay attack. Furthermore, the schemes in [9]-[13] inevitably incur heavy key management for their symmetric and public key encryption. Although no explicit performance advantage of PPRAS can be found in TABLE III, the underlying chaotic map based encryption of the handshake messages saves much computation and storage cost in key management.

C. Security Analysis
In this section, the security analysis of PPRAS is presented.

1) User Anonymity:
In the 3PAKE protocol [26], a user who wants to authenticate to others must provide its real identity to the trusted third party. If the user transfers authentication messages including his or her identity in plaintext via an insecure channel, an attacker can identify the user by intercepting and analyzing the messages, which is not desirable for an authentication scheme. In PPRAS, the real identity of the mobile user is encrypted with the session key computed using the Chebyshev polynomial. Even if the adversary obtains the ciphertext, he or she still faces the difficulty of solving the DL hard problem in order to compute the decryption key. Since the temporary identification of MU is generated by XORing a random number with the real identity, it is infeasible in polynomial time to guess the right identity, as the identity space is big enough. This holds only if the random number is fresh for every session and is never exposed, since $SID \oplus r$ would reveal the identity directly. Therefore, FA learns nothing about the user's real identity, and the user's privacy is well preserved.
2) Resistance to the Man-in-the-Middle Attack: Suppose there exists an active attacker on the communication channel who attempts to intercept and tamper with the messages transferred over it in order to carry out a man-in-the-middle attack. If the attacker wants to tamper with $m_1$, he or she needs to tamper with $V_1$ in message $m_1$, which is produced by symmetric encryption under the session key computed with the Chebyshev polynomials; the attacker thus faces the difficulty of solving the DL problem. As for the messages $m_2$, $m_3$, $m_4$ and $m_5$, which are generated with secure one-way hash functions, an attacker who wants to tamper with them faces the difficulty of breaking the secure one-way hash functions, according to the definition of the protocol. Above all, PPRAS is secure enough to counter the man-in-the-middle attack.
3) Forward Secrecy: In PPRAS, forward secrecy means that even if an adversary has obtained the current session key and the password of MU, he or she cannot deduce previously used session keys. The agreement of the session key $K_{MF}$ (or $K_{FM}$) between MU and FA is based on the random numbers $x_{MU}$ and $x_{FA}$, and even MU does not know $x_{MU}$, which is chosen dynamically by the smart card, so the adversary can learn nothing about $K_{MF}$ (or $K_{FM}$); that is, the proposed scheme achieves forward secrecy.
4) Backward Secrecy: The backward secrecy of PPRAS means that the adversary cannot successfully complete authentication and session key agreement with the password of MU and all previously used session keys together with the current session key. All the messages are produced by the smart card and transferred anonymously, so the adversary cannot generate a valid message without possessing the smart card, according to the protocol, even if he or she is given $PW_{MU}$. So PPRAS achieves backward secrecy.
5) Resistance to the Password Guessing Attack: In this attack, an attacker attempts to deduce the user's password by intercepting and analyzing the transferred messages. In PPRAS, however, the user's password does not appear in any of these messages, so the attacker learns nothing about it. Thus, the proposed scheme resists the password guessing attack.
6) Resistance to the Replay Attack: According to the construction of the presented protocol, all the messages transferred among MU, FA and HA carry the timestamps $t_{FA}$ and $t_{MU}$ to provide freshness. What is more, the parameters ($x_{MU}$, $r_{MU}$) and ($x_{FA}$, $r_{FA}$) are chosen randomly at the beginning of every authentication session to ensure freshness. So the adversary cannot replay those messages. Note that a timestamp check with tolerance $\Delta T$ alone still accepts a copy re-sent inside the window, so the verifier must also reject a repeated combination of $SID$, timestamp and random parameter within $\Delta T$.
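The following is an added example, not code from the paper. It shows the freshness handling a verifier (FA or HA) needs for the timestamped, nonce-carrying messages of the replay analysis above, together with the XOR-masked temporary identity $SID$ from the anonymity analysis: the $\Delta T$ window check, a keyed integrity check, and a cache that rejects a copy re-sent inside the window. The message fields, the value of $\Delta T$, the shared key, the use of HMAC as the keyed check and the constructed sample values are all assumptions of the example; the paper does not give these formats.

```python
# Added example (not the paper's code): freshness and replay handling for a
# timestamped message carrying an XOR-masked temporary identity SID.
# Field layout, DELTA_T, the shared key and HMAC-SHA256 as the keyed check are
# assumptions for illustration; the paper does not specify these.
import hashlib
import hmac
import os

DELTA_T = 30  # seconds; the paper's permissible time-interval threshold (value assumed)


def make_sid(identity: bytes, r: bytes) -> bytes:
    """Temporary identity SID = ID XOR r, as in the anonymity analysis.
    r must be a fresh random value at least as long as the identity; reusing r
    across sessions would make two SIDs linkable (SID1 XOR SID2 = ID1 XOR ID2),
    and the same function applied to (SID, r) recovers ID."""
    if len(r) < len(identity):
        raise ValueError("random mask shorter than identity")
    return bytes(a ^ b for a, b in zip(identity, r))


def mac(key: bytes, *fields: bytes) -> bytes:
    """Keyed hash over length-prefixed fields so that field boundaries cannot be shifted."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big"))
        h.update(f)
    return h.digest()


class FreshnessVerifier:
    """Accept a message only if its timestamp is within DELTA_T of local time,
    its MAC verifies, AND the (SID, timestamp, nonce) triple has not been seen
    while that timestamp is still acceptable. The window check alone is not
    enough: a captured message re-sent within DELTA_T passes |now - t| <= DELTA_T."""

    def __init__(self, key: bytes, delta_t: int = DELTA_T):
        self.key = key
        self.delta_t = delta_t
        self._seen = {}  # (sid, t, nonce) -> time after which the entry is no longer needed

    def _expire(self, now: int) -> None:
        for k in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[k]

    def accept(self, sid: bytes, t: int, nonce: bytes, tag: bytes, now: int) -> str:
        self._expire(now)
        if abs(now - t) > self.delta_t:
            return "reject: stale timestamp"
        expected = mac(self.key, sid, t.to_bytes(8, "big"), nonce)
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "reject: bad MAC"
        key = (sid, t, nonce)
        if key in self._seen:
            return "reject: replay"
        # Remember the triple until the timestamp itself would be rejected as stale;
        # expiring earlier would reopen a replay window for messages stamped ahead of us.
        self._seen[key] = t + self.delta_t + 1
        return "accept"


def build_message(key: bytes, identity: bytes, now: int):
    """Sender side: fresh mask r and nonce per session, SID = ID XOR r, MAC over the fields."""
    r = os.urandom(len(identity))
    nonce = os.urandom(16)
    sid = make_sid(identity, r)
    tag = mac(key, sid, now.to_bytes(8, "big"), nonce)
    return sid, now, nonce, tag


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed sample key
    verifier = FreshnessVerifier(key)
    msg = build_message(key, b"alice", 1_700_000_000)
    print(verifier.accept(*msg, now=1_700_000_005))   # accept
    print(verifier.accept(*msg, now=1_700_000_010))   # reject: replay
    print(verifier.accept(*msg, now=1_700_000_031))   # reject: stale timestamp
```

The cache is keyed on the full (SID, timestamp, nonce) triple rather than on SID alone, so two genuine sessions from the same pseudonym inside one window are not confused with a replay, and entries live exactly as long as the timestamp stays inside the window, which bounds the cache size by the message rate times $\Delta T$.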
Finally, the overall security comparison of PPRAS and the existing similar schemes is listed in TABLE IV. As shown in the table, only PPRAS achieves all the security features.

Fig. 1. The scenario of roaming authentication

Definition 2: Discrete Logarithm Problem (DL). Given any two big integers $x$, $y$, find an integer $s$ satisfying the equation $T_s(x) = y \bmod P$.

Fig. 2. The process of authentication and key establishment

G1: HA believes the anonymous identity of MU.
G2: HA believes FA's identity.

TABLE I. NOTATIONS
$ID_{MU}$: real identity of the mobile user
$PW_{MU}$: password of the mobile user
$SID$: temporary identification of MU
$SC$: the smart card
$K_{MH}$: shared session key between MU and HA
$k_{HF}$: shared session key between FA and HA
$K^{i}_{FM}$: the $i$-th session key between FA and MU
$t_{FA}$: current time of FA
$\Delta T$: permissible threshold of the time interval

After that, SC encrypts
FA checks whether the freshness condition holds or not, where $t_{FA}$ is the current time of FA and $\Delta T$ denotes the permissible threshold of the time interval. If yes, FA first stores $SID$ temporarily, and then looks up the shared session key $k_{HF}$ between FA and HA.
MU inputs $ID_{MU}$ and the password $PW_{MU}$ into the smart card, then the smart card (SC) decides whether to allow MU to log in or not by computing
FA checks whether the freshness condition holds; if yes, FA uses $SID$ to retrieve the $i$-th session key $K^{i}_{FM}$, decrypts $m_i$ with it, and checks whether the decrypted $SID$ equals the plaintext $SID$.
For HA:
A5: HA believes $t_{FA}$ is fresh and has never been received before, so that HA can authenticate FA.
A6: HA holds its own identity.
A7: HA believes $t_{MU}$ is fresh and has never been received before, so that HA can authenticate MU.
A8: HA believes the real identity of MU, so HA can verify the anonymous identity of MU against the received value $SID$ in message $m_1$.
A9: As $s$ is HA's secret key, HA has complete control over $s$.
A10: HA believes the key shared between HA and FA before the authentication.

With the proof above, it can be found that HA believes the anonymous identity ($SID$) of MU and the identity ($ID_{FA}$) of FA.
Theorem 2. FA believes that HA has verified MU's anonymous identity $SID$.
Proof: FA receives the value $h_1$ in message $m_3$. According to assumption A14, HA has verified the anonymous identity $SID$, so FA believes that HA believes the anonymous identity $SID$ of MU after FA verifies $h_1$ in the received message $m_3$. Above all, FA believes that HA has verified MU's anonymous identity $SID$.
Theorem 3. MU believes that HA believes FA is a legitimate agent.
Proof: MU believes the value $h_2$, and also believes that HA believes FA's identity after he or she verifies $h_2$ under assumption A4. So MU believes that HA believes FA is a legitimate agent.
Theorem 4. MU believes the session key between himself or herself and FA, that is, MU has already generated the session key with FA.

TABLE III. COMPARISON ON PERFORMANCE