Initial Registration

The mobile node receives certain credentials for further authentication during the initial registration with the authentication server, AAA. It is assumed that the communication channel between the MN and the AAA server is secure. The initial registration steps are as follows:

1. MN → AAA: The MN sends its ID and Password to the AAA server using secure channel.
2. The AAA server checks the ID and password on the MN and then computes the required values as follows. c₁ = h(ID_MN ∥ sv), c₂ = h(PW_MN) ⊕ c₁, c₃ = E_PSK(ID_AAA ∥ sv), c₄ = h(ID_AAA ∥ sv), c₅ = h(sv)
3. AAA → MN: The AAA stores c₁, c₂, c₃, c₄, c₅, h(), ID_MN in the smart card and sends it to the MN.

The initial procedure is described in Fig 1.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. Initial registration procedure of SPAM method.

https://doi.org/10.1371/journal.pone.0142716.g001

Mutual Authentication between the MN and the MAG

There are two main sections in this mutual authentication; firstly, the MN’s authenticity is checked by the MAG prior to knowing its real ID, and secondly; the MN checks the MAG authentication. The mutual authentication between the MN, and the MAG is described in the following:

1. The user inserts a smart card and enters its ID and password. The smart card verifies whether the equation, h(PW_MN) ⊕ c₂ = c₁, to check mobile user authentication. Then, it generates N and compute AID_MN = ID_MN ⊕ h(c₅ ∥ N₁) and AUTH_MN = h(c₁ ∥ N₁).
2. MN → MAG: The authentication request, AID_MN, c₃, E_c4(AUTH_MN ∥ N₁), is generated by the MN and sent to the MAG.
3. The MN verification by the MAG: After receiving authentication request, the MAG decrypts c₃ to obtain ID_AAA and sv using PSK, which is a pre-shared symmetric key. Then, the AUTH_MN and N₁ are retrieved by decrypting E_c4(AUTH_MN ∥ N₁) using c₃. To obtain the ID_MN, the MAG computes c5 and gets ID_MN = AID_MN ⊕ h(c₅ ∥ N₁). After computing c₁ = h(ID_MN ∥ sv), the MAG can verify the MAG authentication by checking the value of AUTH_MN = h(c₁ ∥ N₁) to the value of AUTH_MN obtained from E_c4(AUTH_MN ∥ N₁). If both AUTH_MN value are the same, the MN is authenticated and the MAG generates N₂, SK_{MN − MAG} = h(c₁ ∥ N₁) that is a session key between the MAG and the MN, and h(ID_MAG ∥ N₂).
4. MAG → MN: The MAG reply ID_MAG, E_c4((N₁ + 1)∥N₂ ∥ h(N₂ ∥ ID_MAG)) back to the MN.
5. The MAG verification: The MN decrypts the E_c4((N₁ + 1)∥N₂ ∥ h(N₂ ∥ ID_MAG)) and obtains (N₁ + 1) and N₂. Then, it checks the value of h(N₂ ∥ ID_MAG) and (N₁ + 1) for the MAG authentication. After verifying the MAG authenticity, the MN generates a session key, SK_{MN − MAG} = h(N₁ ∥ N₂).
6. MN → MAG: The MAG computes E_{SKMN − MAG}(N₂ + 1), and sends it to the MAG.
7. The MAG decrypts the encrypted message using the session key and checks (N₂ + 1) to prevent replay attack.

Fig 2 shows the communication between the MN and the MAG.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. The SPAM authentication procedure between the MN and the MAG.

https://doi.org/10.1371/journal.pone.0142716.g002

After mutual authentication between the MN and the MAG, the mutual authentication between the MAG and the LMA is processed in the SPAM method. The details of this authentication procedure are as follows.

1. The MAG generates N₃ to compute h(N₃ ∥ ID_MAG).
2. MAG → LMA: The authentication message, ID_MAG, E_PSK(N₃ ∥ h(N₃ ∥ IDMAG) to the LMA.
3. The LMA decrypts the received message from the MAG using PSK and retrieves h(N₃ ∥ ID_MAG) and N₃. The LMA computes h(N₃ ∥ ID_MAG) and compares to the received h(N 3 ∥ IDMAG) and N₃. Then, it computes h(N₃ ∥ ID_MAG) and compares to the received h(N₃ ∥ ID_MAG) to check the MAG authenticity. Finally, it generates N₄ and computes the session key, SK_{LMA − MAG} = h(N₃ ∥ N₄), if the MAG is authentic, otherwise, it drops the message.
4. LMA → MAG: The MAG replies ID_MAG, E_PSK((N₃ + 1)∥N₄ ∥ h(ID_LMA ∥ N₄)) back to the MAG.
5. The LMA verification: The MAG decrypts E_PSK((N₃ + 1)∥N₄ ∥ h(ID_LMA ∥ N₄)) and obtains (N₃ + 1) and N₄. Then, it checks the value of h(N₄ ∥ ID_LMA) and (N₁ + 1) for the MAG authentication. After verifying the MAG authenticity, the MAG generates a session key, SK_{LMA − MAG} = h(N₃ ∥ N₄).
6. MAG → LMA: The MAG computes E_{SKLMA − MAG}(N₄ + 1), and sends it to the LMA.
7. The LMA decrypts the encrypted message using the session key and checks (N₄ + 1) to prevent the replay attack.

The message exchange flow chart of mutual authentication between the LMA and the MAG is illustrated in Fig 3.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. The authentication procedure between the MAG and the LMA.

https://doi.org/10.1371/journal.pone.0142716.g003

SPAM Password Change Phase

The SPAM scheme provides the password change process. Mobile users are able to change their passwords without contacting other entities like the AAA server and the MAG. The procedure is described as follows:

1. The user inserts the smart card and enters his ID and password.
2. The smart card verifies user ID by checking h(PW_MN) ⊕ c₂ = c₁. If the equation is correct, then lets user to enter new password, . After receiving the new password, the smart card computes and replaces c₂ by .

The password change flow chart is described in Fig 4.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. SPAM password change procedure.

https://doi.org/10.1371/journal.pone.0142716.g004

The MN Impersonation Attack

Mobile devices such as smartphones, PDAs, and Tablets are vulnerable to threats such as stolen or loss. In addition, most of the authentication mechanisms use smart card to store critical information such as secret keys, passwords, and encryption functions. Therefore, if an attacker access to smart card inside mobile devices and steal the keys, even if he leaves the mobile device intact, he can impersonate legitimate user or access point [26, 48](Khan and Kumari, 2014; Wei-Chi and Chang, 2005). In SPAM method, the information are stored in smart card, hence impersonation attack can be launched. The smart card in the SPAM method contains (ID_MN, C₁, C₂, C₃, C₄, C₅, h()), if an attacker accesses to this smart card secrets, and sniffs the first message, (AID_MN, c₃, E_C4(AUTH_MN ∥ N₁)) between the MN and the MAG in login phase, he can impersonate the MN as follows:

1. First, an attacker generates his own nonce, , then computes , and using retrieved secrets from smart card an login request message, ID_MN, C₁, and C₅.
2. An attacker generates authentication request, , and sends it to the MAG.
3. The MAG decrypts C₃ using PSK and obtains ID_AAA and sv. Then, calculates C₄ = h(ID_AAA ∥ sv) to decrypts Ec4(AUTH_A||N ∗ 1) to obtain the value of AUTH_A and N_1*. The MAG computes and h(ID_MN ∥ sv) = C₁. Finally, for checking MN authentication, the MAG compares the value of the to the value of AUTH_MN obtained from . It is clear that the value, AUTH_MN, which is retrieved from , is equal to the value, AUTH_MN, retrieved from , because AUTH_MN, is generated using the values, C₁, C₂, and , which can be captured or generated by an attacker. This means an attacker is authenticated to the MAG successfully.

The MAG Impersonation Attack

Similar to the MN impersonation attack, we assume that an attacker retrieved the smart cart secrets, (ID_MN, C₁, C₂, C₃, C₄, C₅, h()), and sniffed the login request, (AID_MN, c₃, E_C4(AUTH_MN ∥ N₁)). An attacker can impersonate the MAG as follows:

1. An attacker decrypts E_C4(AUTH_MN ∥ N₁) to get N₁, then generate , and selects a fake . Finally, computes and sends it back to the MN.
2. The MN decrypts to obtain (N₁ + 1) and . Then, it checks the value, , and (N₁ + 1) for the MAG authentication. As the value, N₁ is the original nonce issued by the MN, then, the MN verifies (N₁ + 1), which means an attacker is authenticated to the MN. When an attacker is verified, the MN completes the rest of authentication.

Anonymity

The SPAM method does not preserve the MN anonymity. An attacker can easily find the ID_MN using the intercepted login request and smart card secrets. Firstly, an attacker extracts E_C4(AUTH_MN ∥ N₁) in the login request message, (AID_MN, C₃, E_C4(AUTH_MN ∥ N₁)), and decrypts it using C₄ to get N₁. After obtaining N₁, the ID_MN can be retrieved by computing, ID_MN = AID_MN ⊕ h(C₅ ∥ N₁), because an attacker received (AID_MN) from login request, and (C₅) from smart card. Secondly, ID_MAG can be retrieved from the message, (ID_MAG, E_C4((N₁ + 1)∥N₂ ∥ h(ID_MAG ∥ N₂))), as this message is sent by the MAG to the MN in a plain text, during the mutual authentication phase. Clearly, the anonymity of user is not protected because an attacker can find the ID of network entity.

Lack of Revocation of Smart Card

The revocation procedure is used in case of the MN misbehavior or lost mobile device. The user can report the loss of the mobile device to the AAA server to prevent the further security problems like impersonation attack [30] in case of the lost or stolen mobile device. The revocation procedure is not provided for the SPAM method.

Password Guessing Attack

In this section, we show that how an attacker can retrieve the MN password using intercepted login message based on the reference [49, 50]. An attacker can get the value, (AID_MN, C₃, E_C4(AUTH_MN ∥ N₁)) and the stored information inside the smart card, (ID_MN, C₁, C₂, C₃, C₄, C₅, h()). From the equation, C₂ = h(PW_MN) ⊕ C₁, as an attacker knows C₁ and C₂, he can compute h(PW_MN) = C₁ ⊕ C₂. Now, he can guess a password and compute , then check if , if so, then an attacker possesses PW_MN.

Initial Registration Procedure

In this phase, the AAA server generates the secrets for the MN. The main objective of the improvement is to prevent revealing smart card information in the case of a stolen or loss device. All the stored information in smart card should be useless for an attacker. We introduce an extra value, R_MN, in this step. Fig 5 depicts the initial registration procedure.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. Registration procedure of the proposed method.

https://doi.org/10.1371/journal.pone.0142716.g005

Authentication Procedure

The MN should perform mutual authentication with the MAG when it joins to the localized mobility domain. We assume that an attacker can retrieve the secrets inside the smart card if the case of the stolen or lost mobile device. The main idea of our approach is not to store critical secrets inside the smart card. The mobile user enters his ID and password to the smart card to start the authentication procedure. The proposed authentication procedure is as follows:

1. The user inserts a smart card and enters its ID and password. First, it computes S₁ = h(ID_MN ∥ PW_MN) ⊕ S₄. The smart card checks if, h(PW_MN) ⊕ S₂ = S₁, then generates N₁ and computes S₃ = S₆ ⊕ S₁, AID_MN = S₁ ⊕ S₆, and AUTH_MN = h(S₁ ∥ N₁).
2. MN → MAG: The authentication request is formatted as AID_MN, E_S1(AUTH_MN ∥N₁) and sent to the MAG by the MN.
3. The MN verification by the MAG: After receiving the authentication request, the MAG decrypts AID = S₁ ⊕ S₆ = E_PSK(ID_MN ∥ sv ∥ aMN) to obtain ID_MN, aMN and sv using PSK, which is a pre-shared symmetric key between the MAG and AAA. Then, it computes S₁ = h(ID_MN ∥ sv) to decrypt E_S1(AUTHM_NM ∥ N₁) and retrieve AUTH_MN and N₁. To obtain the ID_MN, the MAG computes C₅ and gets ID_MN = AID_MN ⊕ h(C₅ ∥ N₁). After computing S₁ = h(ID_MN ∥ sv), the MAG can verify the MAG authentication by checking the value of AUTH_MN = h(S₁ ∥ N₁) to the value of AUTH_MN obtained from E_S1(AUTH_MN ∥ N₁). If both AUTH_MN values are the same, the MN is authenticated and the MAG generates N₂, SK_{MN − MAG} = h(N₁ ∥ N₂) that is a session key between the MAG and the MN, and h(ID_MAG ∥ N₂).
4. MAG → MN: The MAG replies E_S1((N₁ + 1)∥N₂ ∥ ID_MAG ∥ h(N₂ ∥ ID_MAG) back to the MN.
5. The MAG verification: The MN decrypts E_S1(N1 + 1)∥N₂ ∥ h(N₂ ∥ ID_M AG)) to obtain (N₁ + 1) and N₂. Then, it checks the value of h(N₂ ∥ ID_MAG) and (N₁ + 1) for the MAG authentication. After verifying the MAG authenticity, the MN generates a session key, SK_{MN − MAG} = h(N₁ ∥ N₂).
6. MN → MAG: The MAG computes E_{SKMN − MAG}(N₂ + 1), and sends it to the MAG.
7. The MAG decrypts the received message using the session key and checks (N₂ + 1) to prevent replay attack.

This mutual authentication between the MN and the MAG is described in Fig 6.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. The Proposed authentication procedure between the MN and the MAG.

https://doi.org/10.1371/journal.pone.0142716.g006

Password Change Phase

We improved the password change phase as described in Fig 7. It is worth noticing that the random number, R_MN, should be changed as well the user password, PW_MN. The symbol,, means the new value in Fig 7.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. The password change procedure of the proposed method.

https://doi.org/10.1371/journal.pone.0142716.g007

It worth noticing the mutual authentication procedure between the MAG and the LMA in our proposed method is the same as the SPAM method.

Revocation Procedure

The revocation phase can be applied for the SPAM authentication scheme to protect the network entities in case of lost or stolen of smart card. Firstly, the mobile user requests the AAA server for its revocation. Then, the AAA server checks the user credentials, which can be the values known by the user. In case of revocation, the AAA server revokes all the secrets of the mobile user and creates a new set of secrets for the mobile user. Later on, the mobile user can re-register to the AAA server.

Anonymity

We applied two methods to protect the MN and the MAG anonymity. For the MN anonymity, we generate an alias ID for the MN, AID_MN = E_PSK(ID_MN ∥ sv ∥ aMN). The ID of the mobile node is mixed with aMN, and secret key sv. An adversary cannot find ID_MN the without knowing the secret key PSK. Furthermore, the use of aMN and sv restricts the adversary to launch identity guessing attack. Furthermore, in the SPAM scheme, the ID_MAG is transferred in the plain text during mutual authentication between the MN and the MAG. In our proposed methods; we mix the ID_MAG with the MAG nonce, N₂, then we encrypt using one-way hash function and N₂ in the message, E_S1((N₁ + 1)∥N₂ ∥ h(N₂ ∥ ID_MAG)). An attacker must know N₂ and N₁ to find the ID_MAG, which is impossible for him because he does not know N₂ and N₁ even if he accesses to the smart card.

Mutual Authentication

The mutual authentication between the MN and the MAG is provided in proposed method. As it is shown in Fig 6, the MAG checks the MN authentication in Step 3, by comparing the value, AUTHMN received from the MN and the value, h(S₁ ∥ N₁), where it calculates S₁ = h(ID_MN ∥ sv). Furthermore, the MN checks the MAG authenticity is Step 5 by checking the value of h(N₂ ∥ ID_MAG) and (N₁ + 1). Actually, the mobile node checks the value of its nonce, N₁ to be sure that the MAG is legitimate, as the authentic MAG has the pre-shared secrets to decrypt the received messages from the MN.

Revocation Procedure

The revocation of the lost mobile device is provided in proposed method to prevent further security threats against the PMIPv6. In case of loss or stealing the mobile device, the mobile user can inform the AAA server and request to revoke his secret credentials. Therefore, the mobile user can re-register to the AAA server.

Resistance to the MN Impersonation Attack

An attacker must know some values such as S₁, S₆, ID_MN, and N₁ to generate the required values, AID_MN = E_PSK(ID_MN ∥ sv ∥ aMN) and AUTH_MN = h(S₁ ∥ N₁) and impersonate the MN. Under the assumption of not using tamper-proof smart card; we assume that an attacker can accesses to the smart card, S₂, S₄, S₅, S₆, and even sniffs the communication messages, he cannot find out the values, AID_MN, and AUTH_MN because he does not know the values, S₁, S₃, ID_MN, and R_MN.

Resistance to the MAG Impersonation Attack

To impersonate the MAG, an attacker must know the value, S₅, which is the symmetric key between the network entities, to decrypt the sniffed message, E_S1((N₁ + 1)∥N₂ ∥ h(N₂ ∥ ID_MAG)). Furthermore, both the MN and the MAG nonce are required to decrypt this message.

Resistance to Replay Attack

A nonce is used for both the MN and the Mag during authentication procedure to prevent replay attack in the proposed method. Therefore, if an attacker intercepts the authentication communication messages and accesses to the secrets inside the smart card, he cannot replay the sniffed messages, as the MAG or the MN rejects the request because of using invalid nonce by an attacker.

Forgery Attack Resistance

In this section, we discuss that a valid MN cannot launch forgery attack. If an attacker uses the it secrets, S₂, S₄, S₅, S₆, to forge another valid MN, it is impossible to find AUTH_MN because he does not know the AAA secret key, sv, to calculate S₁ = h(ID_MN ∥ sv), an then use it to get AUTH_MN = h(S₁ ∥ N₁). As explained in Fig 6, the valid MN must calculate AUTH_MN to initiate authentication procedure.

Denial-of-service Attack Resistance

The denial-of-service (DoS) can be discussed in two different situations in our proposed method. First, when the mobile user inserts wrong username and password during the login phase, if there is no suitable mechanism, the smart card processes some procedure and sends the login request to the MAG. In our proposed method, the smart card checks the username and password of the mobile user before computing login request. As described in Fig 6, Step 1, the smart card checks the validity of the mobile user before generating N₁ and the rest of procedure. Second, an attacker can launch DoS attack by requesting password change; however, the smart card first checks PW_MN and R_MN before updating with new values, and . Therefore, DoS cannot happen by requesting password change message.

Resistance to Password Guessing Attack

In the proposed method, an attacker should know at least ID_MN, to find RPW_MN for guessing the password, which is impossible as we protect the mobile user privacy by using alias ID of the MN, AID_MN instead of real mobile node ID, ID_MN. Furthermore, even an attacker can get to find ID_MN; he cannot guess the password because he does not know the R_MN to calculate RPW_MN = h(PW_MN ∥ R_MN).

Stolen-verified Attack Resistance

The verification table is not required for the AAA server in our method. Therefore, an attacker cannot obtain the authentication secrets of the MN, even if he can access to the AAA server data base. In addition, the MAG does not need the verification table to verify the mobile node authenticity. In other words, even if the MAG reveals the MN secrets, an attacker cannot find another required information for authentication procedure. The security and privacy comparison between SPAM scheme and the proposed enhancement is summarized in Table 2.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Comparison between proposed scheme and Chuang et al.s scheme.

https://doi.org/10.1371/journal.pone.0142716.t002

BAN Logic

BAN logic is widely used to analyze security vulnerabilities of security schemes. It consists of three main steps, including translating a target scheme into an idealized version, defining assumption, and applying BAN logic rules to achieve the intended beliefs. The notations of this logic are described in Table 3.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. BAN logic notations.

https://doi.org/10.1371/journal.pone.0142716.t003

In order to evaluate the security scheme, BAN logic rules should be applied. We just use some of these rules as follows:

1. R1: Message-meaning rule:
2. R2: Jurisdiction rule:
3. R3: Freshness-conjuncatenation rule:
4. R4: Break conjuncatenation rule:

The main goals of our proposed method are mutual authentication between the MN and the MAG. Furthermore, both the MN and the MAG should believe in the shared key. Based on BAN logic and our objectives, the goals of our proposed method are as follows:

After identifying the main objectives of our proposed method, the communication messages are transformed to the idealized version.

The initial assumptions of our proposed method are as follows:

In this section, we analyzed our proposed method based on idealized messages and the assumptions using BAN logic rules. The proofs are as follows:

1. According to message M1.1 and assumptions A5 (message-meaning rule):
   1. S1: MAG∣≡MN∣∼
      
2. According to S1 and assumptions A1 (freshness-conjuncatenation):
   1. S2: MAG∣≡MN∣≡
      
3. According to message S2 and BAN logic break conjuncatenation rule:
   1. 
4. According to message M1.2 and S3 (message-meaning rule):
   1. S4: MAG∣≡MN∣∼
      
5. According to S4 and assumptions A1 (freshness-conjuncatenation):
   1. S5: MAG∣≡MN∣≡
      
6. According to message S5 and BAN logic break conjuncatenation rule:
   1. (Goal 1)
7. According to message S6 and A7 and BAN logic jurisdiction rule:
   1. (Goal 2)
8. According to message M2 and assumptions A4 (message-meaning rule):
   1. S8: MN∣≡MAG∣∼
      
9. According to S8 and assumptions A3 (freshness-conjuncatenation):
   1. S9: MN∣≡MAG∣≡
      
10. According to message S9 and BAN logic break conjuncatenation rule:
    1. (Goal 3)
11. According to message S10 and A6 and BAN logic jurisdiction rule:
    1. (Goal 4)