**PRIVACY-PRESERVING** **AUTHENTICATION SCHEME FOR ROAMING SERVICE IN GLOBAL MOBILITY NETWORKS**

Sung Woon Lee1, and Hyunsung Kim2,3

1 Department of Information Security, Tongmyong University, Busan, Korea

2 Department of Mathematical Sciences, University of Malawi, Zomba, Malawi

3 School of Computer Science, Kyungil University, Kyungbuk, Korea

**ABSTRACT**

*With the rapid development of mobile intelligent technologies and services, users can freely experience ubiquitous services in global mobility networks. It is necessary to provide authentication and to protect the privacy of mobile users. Until now, many authentication and privacy schemes have been proposed. However, most of the schemes have been exposed to security problems. Recently, Madhusudhan and Shashidhara (M&S) proposed a lightweight authentication scheme, denoted as the M&S scheme, for roaming services in global mobility networks. This paper shows that the M&S scheme has security flaws, including two masquerading attacks and a mobile user trace attack. After that, we propose a privacy-preserving authentication scheme for global mobility networks. The proposed scheme not only addresses the required security but also adds privacy, focused on anonymity based on a dynamic pseudonym, using only the exclusive-or operation, hash operations and symmetric key cryptography. Formal security analysis is performed based on Burrows-Abadi-Needham (BAN) logic and the ProVerif tool, which concludes that the proposed scheme is secure. The analysis shows that the proposed authentication scheme is secure and provides privacy with reasonable performance.*

**KEYWORDS**

*Authentication, Communication System Security, Global Mobility Network, Health Information management, Privacy*

**1. INTRODUCTION**

With the rapid development of wireless communication technology and artificial intelligence, mobility is becoming more and more important in our daily life. Users with mobile intelligent devices can enjoy rich and seamless services, such as social network services, online shopping, bank transfers and many more [1-3]. The roaming service shown in Fig. 1 enables a mobile user (MU) to use the services provided by his/her home agent (HA) while visiting a foreign agent (FA). User authentication and privacy schemes play an important role in global mobility networks. There are three participants in a secure scheme for roaming service, namely MU, FA and HA. MU needs to be registered with his/her HA. When MU roams to a foreign network (FN) served by an FA, MU must be authenticated by FA with the help of HA in the home network (HN).

Until now, many user authentication and privacy schemes for roaming service have been proposed [4-19]. Zhu and Ma proposed the first anonymous authentication scheme for roaming service based on a hash function, a symmetric key cryptosystem and an asymmetric key cryptosystem [4]. However, Lee et al. pointed out that Zhu and Ma's authentication scheme is vulnerable to impersonation attack and does not achieve mutual authentication [12]. Furthermore, they also proposed an improved scheme to solve Zhu and Ma's security weaknesses. Chang et al. showed that Lee et al.'s scheme still has a security problem against the forgery attack and proposed an enhanced scheme to solve it [13]. Yang et al. proposed a universal anonymous authentication scheme for roaming service [14]. It does not require the involvement of HA and thus is quite efficient in terms of communication. Zhou et al. showed that Chang et al.'s scheme in [13] could not provide user anonymity and that the session key could be compromised if MU's real identity is leaked [15]. Meanwhile, Kuo et al. proposed an anonymous roaming authentication scheme for mobility networks based on elliptic curve cryptography (ECC) [16]. However, their protocol is inefficient in terms of communication. In 2015, Liu et al. proposed an anonymous authentication protocol that uses time-bound credentials for efficient revocation. It is based on bilinear pairing and thus is inefficient in terms of computation [17]. Recently, Karuppiah and Saravanan proposed an authentication scheme, denoted by K&S scheme, with user anonymity for roaming services in global mobility networks [18]. They argued that their authentication scheme provides user anonymity and untraceability, and that it is secure against various attacks. However, Madhusudhan and Shashidhara provided a cryptanalysis showing that K&S scheme has security weaknesses against insider attacks, stolen-verifier attacks, offline guessing attacks, denial of service (DoS) attacks and forgery attacks [19]. In addition to this, Madhusudhan and Shashidhara proposed a remedy scheme to solve the weaknesses, which is named M&S scheme.

**Figure 1** **Roaming authentication in global mobility network**

There are two purposes of this paper. First of all, we analyze M&S scheme and show that the scheme has two design flaws and suffers from an HA masquerading attack, an FA masquerading attack and an MU trace attack. To overcome the weaknesses, we propose a privacy-preserving authentication scheme based only on a hash function and a symmetric key cryptosystem. Formal security analysis is provided based on Burrows-Abadi-Needham (BAN) logic and the ProVerif tool to show that the proposed scheme is secure and provides privacy [20-21]. An informal analysis is provided focused on various security attacks. Compared with the other related schemes, the proposed scheme not only achieves better security with privacy but also achieves similar performance to M&S scheme.

**2. RELATED WORKS**

There are several works which investigated user authentication and privacy schemes for roaming services [4-19]. These schemes are built on different cryptographic mechanisms for the roaming service. Zhu and Ma devised the first anonymous authentication scheme for roaming service using smart cards [4]. Zhu and Ma's scheme is based on a hash function, a symmetric key cryptosystem and a public key cryptosystem. However, MUs in Zhu and Ma's scheme only perform symmetric encryption and decryption. They also intended to provide anonymity and untraceability in their scheme based on the one-time use of a key between MU and FN.

However, Lee et al. pointed out that Zhu and Ma's scheme has three security weaknesses: not achieving perfect backward secrecy, not achieving mutual authentication and not protecting against forgery attack [12]. Furthermore, they proposed an improved scheme to solve Zhu and Ma's security weaknesses, which is based on the exclusive-or operation, a hash function, a symmetric key cryptosystem and an asymmetric key cryptosystem. Both Zhu and Ma's scheme in [4] and Lee et al.'s scheme in [12] require X.509 public key certificates, which impose a large overhead for a public key infrastructure [22].

Chang et al. pointed out that Lee et al.'s scheme cannot provide anonymity under a legal user's forgery attack and proposed an improved scheme with anonymity to remedy this problem [13]. It uses random numbers to avoid possible attacks and one-way hash functions to reduce the computation cost. Chang et al.'s scheme is therefore lightweight, since the MD only performs exclusive-or operations and one-way hash functions.

Yang et al. proposed a universal anonymous authentication scheme for roaming service, which uses the elliptic curve digital signature algorithm (ECDSA) [14]. It does not require the involvement of HA and thus is quite efficient in terms of communication, and it uses the same protocol and signalling flows regardless of the domain (home or foreign) that MU is visiting. Furthermore, they proposed a user revocation mechanism to support strong user anonymity. Zhou et al. introduced a formal security model suitable for roaming service in global mobility networks and proposed a new authentication scheme based on it [15]. After Zhou et al. showed that Chang et al.'s scheme in [13] fails to achieve user anonymity and that leakage of MU's real identity leads to compromise of the session key, they proposed their new scheme. Meanwhile, Kuo et al. proposed an anonymous roaming authentication scheme for mobility networks based on ECC [16]. It does not rely on certificate-based public key cryptography with X.509 certificates, but instead uses ECC point multiplications. However, Kuo et al.'s scheme is inefficient in terms of communication.

In 2015, Liu et al. proposed an anonymous authentication protocol for a large scale network that uses time-bound credentials for efficient revocation [17]. They designed a group signature scheme as a building block based on bilinear pairing under the q-strong Diffie-Hellman assumption, and thus it is inefficient in terms of computation even though it improves the revocation check process.

Recently, Karuppiah and Saravanan proposed K&S scheme, based on an asymmetric key cryptosystem, with user anonymity for roaming service [18]. It aims to provide user anonymity and untraceability, and they argued that K&S scheme is secure against various attacks in global mobility networks. But Madhusudhan and Shashidhara showed that K&S scheme has security weaknesses against insider attack, stolen-verifier attack, offline guessing attack, DoS attack and forgery attack [19]. In addition to this, they proposed M&S scheme as a remedy to solve the weaknesses in K&S scheme.

Unfortunately, this paper will show that M&S scheme still has security flaws, including two masquerading attacks and an MU trace attack. After that, we will propose a privacy-preserving authentication scheme for global mobility networks as a remedy for M&S scheme.

**3. REVIEW OF M&S SCHEME**

This section reviews the M&S scheme for roaming service in global mobility networks [19]. M&S scheme consists of four phases: initialization phase, registration phase, login and authentication phase, and password change phase. Table 1 shows the notations used in this paper.

**3.1. Initialization Phase**

HA chooses two random primes p and q and a generator g of Z_p*. It computes n = p×q and φ(n) = (p−1)×(q−1). Next, HA selects a random integer e such that GCD(e, φ(n)) = 1 and 1 < e < φ(n). Then, HA calculates d = e^(−1) mod φ(n), where d is HA's secret key, and y = g^d mod n, where y is the public key. HA keeps [d, p, q] secret.

**Table 1. Notations.**

**3.2. Registration Phase**

If MU wants to register with HA, he/she sends the necessary information through a secure channel.

R1: A new MU chooses his/her identity IDMU and password PWMU, and generates a random nonce N. Then, MU computes and submits R1 = h(IDMU||N) to HA through a secure channel.

R2: Upon receiving R1, HA computes R = h(R1||IDHA||d), a = h(d) and CMU = (g^a mod p) ⊕ h(R). Then, HA initializes the counter value K = 0 for MU and stores {K, R} in its database. Finally, HA sends {R, CMU, K, h(.)} to MU over a secure socket layer (SSL) connection.

R3: After receiving the authentication information from HA, MU's device computes KMU = h(IDMU||PWMU||R), stores {KMU, R, CMU, K, h(.)} on his/her mobile device (MD) and sets a threshold timeout to ensure the correctness of the authentication information. If MU does not receive HA's response within the predefined time limit, the information stored on the device may have been altered maliciously or carelessly, and MU must re-register to obtain new authentication information.

**3.3. Login and Authentication Phase**

It is assumed that MU associated with HA visits an FA and tries to access services. The details of this phase are as follows:

A1: MU → FA: M1 = {U, V, W}

MU retrieves the authentication related information on the device and inputs IDMU and PWMU. Then, MD computes KMU* = h(IDMU||PWMU||R) and verifies whether KMU* = KMU or not. If verification fails, it terminates the session. Otherwise, the legality of MU is ensured. Then, MD chooses a random number RMU and computes U = R ⊕ RMU, V = h(CMU ⊕ h(R)||IDFA) ⊕ RMU and W = h(U||K||CMU ⊕ h(R)). Finally, MD sends M1 = {U, V, W} to FA.

A2: FA → HA: M2 = {IDFA, EKFH(M1, RFA)}

After receiving M1, FA generates a random number RFA and encrypts M1 together with RFA under the key KFH shared with HA. After that, FA sends M2 = {IDFA, EKFH(M1, RFA)} to HA.

A3: HA → FA: M3 = {EKFH(SK)}

Upon receiving the message M2, HA checks the identity IDFA and finds the secret key corresponding to IDFA. Then HA decrypts the received information and performs authentication on it. If authentication is successful, HA generates a session key SK between FA and MU. If verification fails, HA rejects the request. The authentication procedure performed by HA is as follows. HA computes (M1, RFA) = DKFH(EKFH(M1, RFA)), a = h(d), g^a mod p, RMU* = V ⊕ h((g^a mod p)||IDFA) and R* = U ⊕ RMU*. HA checks whether R* exists in its database. If it does not, HA terminates the session. Otherwise, HA computes W* = h(U||K||(g^a mod p)) and checks whether W* is equal to W. If the comparison fails, HA terminates the process. Otherwise, HA computes the session key SK = h(g^a mod p) ⊕ RMU* ⊕ RFA, forms the message M3 = {EKFH(SK)}, and sends it to FA.

A4: FA → MU : M4 = {X, RFA}

After receiving M3, FA computes DKFH(EKFH(SK)) and X = h(SK||RFA) and sends the message M4 = {X, RFA} to MU.

A5: Upon receiving M4, MD computes a session key SK* = CMU ⊕ h(R) ⊕ RMU ⊕ RFA and X* = h(SK*||RFA) and verifies whether X* is equal to the received X. If the verification fails, MD stops the process. Otherwise, MU successfully authenticates FA.

**3.4. Password Change Phase**

In this phase, MU can easily change his/her password, which does not need involvement of any FA or HA. The detailed steps of the password change phase are:

P1: If a legal MU wants to change the password, MU inputs his/her identity IDMU and password PWMU. The password change request is submitted through the terminal.

P2: MU’s device computes KMU* = h(IDMU||PWMU) and verifies whether KMU* is equal to KMU. If verification is successful, the authenticity of MU is ensured. Otherwise, the request is rejected.

P3: MU inputs a new password PWMU* and replaces KMU = h(IDMU||PWMU*).

**4. CRYPTANALYSIS ON M&S SCHEME **

This section shows that the M&S scheme has two design flaws and security weaknesses against HA masquerading attacks, FA masquerading attacks and MU trace attacks.

**4.1. Design Flaw**

A cryptographic protocol is a concrete protocol that performs a security related function and applies cryptographic methods. A security protocol should be specified in enough detail that multiple interoperable implementations can be built from it [23]. However, since M&S scheme replaces the password improperly in the password change phase, it is incomplete, with the result that a legal MU can no longer use the service after changing the password. First of all, the MU verification at P2 computes the improper KMU* = h(IDMU||PWMU), which should be KMU* = h(IDMU||PWMU||R) according to the definition of KMU at R3 in the registration phase. Similarly, the new password should be installed at P3 as KMU = h(IDMU||PWMU*||R), not as KMU = h(IDMU||PWMU*).

Furthermore, M&S scheme establishes a wrong session key on the MU side because of the computation SK* = CMU ⊕ h(R) ⊕ RMU ⊕ RFA at A5 in the login and authentication phase. Since CMU ⊕ h(R) = g^a mod p, MU obtains SK* = (g^a mod p) ⊕ RMU ⊕ RFA, whereas HA and FA use SK = h(g^a mod p) ⊕ RMU ⊕ RFA. MU will therefore always reject a legal FA's message M4 = {X, RFA}, because the verification of X against SK* always fails.

**4.2. Security Weaknesses**

This subsection shows that M&S scheme in [19] has security problems against HA masquerading attack, FA masquerading attack and MU trace attack.

**4.2.1. HA Masquerading Attack**


Authenticity of MU in M&S scheme is checked by verifying possession of g^a mod p in the authentication message, a value derived from HA's private key. However, every legal user knows this value, since g^a mod p = CMU ⊕ h(R) can be computed from the data stored on his/her own device. Furthermore, M&S scheme provides no authenticity check of HA to FA: M3 = {EKFH(SK)} carries only SK, which is the exclusive-or of a hash value with two random numbers and has no structure FA could verify, so FA accepts whatever the decryption of any message of the same length as M3 yields. This means that M3 does not provide integrity of the message. Thereby, M&S scheme is weak against HA masquerading attack.

**4.2.2. FA Masquerading Attack**

Authenticity of FA in M&S scheme is checked by MU through X, which uses the session key SK. However, any legal user could act as an attacker and perform an FA masquerading attack. For the attack, the attacker passes the authenticity check of his/her own smart card and obtains g^a mod p = CMU ⊕ h(R). (1) After intercepting M1 = {U, V, W} from MU, the attacker generates a random number RFA*, computes RMU* = V ⊕ h((g^a mod p)||IDFA), SK = h(g^a mod p) ⊕ RMU* ⊕ RFA* and X = h(SK||RFA*), and sends M4 = {X, RFA*} to MU. Since the attacker knows g^a mod p, it can equally form SK as (g^a mod p) ⊕ RMU* ⊕ RFA*, which is the expression the MU device actually evaluates at A5 as published. (2) M4 passes MU's verification check at A5 of the login and authentication phase. Thereby, M&S scheme is weak against FA masquerading attack.
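The M&S login flow of Section 3.3 and the insider's FA masquerade described above, together with the session linking of the following subsection, worked through in Python. This is an added example, not code from this paper or from Madhusudhan and Shashidhara. It assumes SHA-256 for h(.) (the paper benchmarks SHA-1), models the FA-HA channel EKFH as a direct call since the attacks never touch it, and reduces HA's initialization to a random secret d and g^a mod p over a demo prime; the identifiers, passwords, counter value and demo parameters are constructed.

```python
# Added example (not the paper's code): the M&S scheme of Sections 3.2-3.3 and the
# insider attacks of Section 4.  Assumptions: SHA-256 stands in for h(.); the FA-HA
# channel E_KFH is a direct call; HA's RSA set-up is reduced to a random secret d and
# g^a mod p over a demo prime (NOT a secure parameter choice).
import hashlib
import secrets

P = 2**255 - 19          # demo prime p (constructed), so g^a mod p fits in 32 bytes
G = 2                    # demo base g (constructed)
ID_HA = b"HA-demo"       # constructed identifier
D = secrets.token_bytes(32)                                   # HA's secret d
A = hashlib.sha256(D).digest()                                # a = h(d)
GA = pow(G, int.from_bytes(A, "big"), P).to_bytes(32, "big")  # g^a mod p
HA_DB = set()            # HA's verifier table of R values
K0 = b"\x00"             # counter K, kept at its initial value 0 in this example

def h(*parts):
    """One-way hash of x1||x2||... (SHA-256, 32-byte output)."""
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a, b):
    """Bitwise exclusive-or of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def register(id_mu, pw):
    """R1-R3: returns the data stored on MU's device; HA stores R."""
    r1 = h(id_mu, secrets.token_bytes(16))   # R1 = h(IDMU||N)
    r = h(r1, ID_HA, D)                      # R = h(R1||IDHA||d)
    c_mu = xor(GA, h(r))                     # CMU = (g^a mod p) XOR h(R)
    HA_DB.add(r)
    return {"KMU": h(id_mu, pw, r), "R": r, "CMU": c_mu, "K": K0}

def mu_login(card, id_mu, pw, id_fa):
    """A1: local check, then M1 = {U, V, W}; RMU is returned for use at A5."""
    if h(id_mu, pw, card["R"]) != card["KMU"]:
        raise ValueError("wrong IDMU or PWMU")
    r_mu = secrets.token_bytes(32)
    ga = xor(card["CMU"], h(card["R"]))      # CMU XOR h(R) = g^a mod p
    u = xor(card["R"], r_mu)                 # U = R XOR RMU
    v = xor(h(ga, id_fa), r_mu)              # V = h(g^a mod p||IDFA) XOR RMU
    w = h(u, card["K"], ga)                  # W = h(U||K||g^a mod p)
    return {"U": u, "V": v, "W": w}, r_mu

def ha_authenticate(m1, id_fa, r_fa):
    """A3 (HA side): recover RMU and R, check the table and W, derive SK or None."""
    r_mu = xor(m1["V"], h(GA, id_fa))
    if xor(m1["U"], r_mu) not in HA_DB or h(m1["U"], K0, GA) != m1["W"]:
        return None
    return xor(xor(h(GA), r_mu), r_fa)       # SK = h(g^a mod p) XOR RMU XOR RFA

def fa_reply(sk, r_fa):
    """A4: M4 = {X, RFA} with X = h(SK||RFA)."""
    return {"X": h(sk, r_fa), "RFA": r_fa}

def mu_verify(card, r_mu, m4):
    """A5 exactly as published: SK* = CMU XOR h(R) XOR RMU XOR RFA (g^a unhashed)."""
    sk_star = xor(xor(xor(card["CMU"], h(card["R"])), r_mu), m4["RFA"])
    return h(sk_star, m4["RFA"]) == m4["X"]

def honest_run(card, id_mu, pw, id_fa):
    """Full A1-A5 run with a legitimate FA and HA; returns MU's verdict at A5."""
    m1, r_mu = mu_login(card, id_mu, pw, id_fa)
    r_fa = secrets.token_bytes(32)
    sk = ha_authenticate(m1, id_fa, r_fa)
    assert sk is not None                    # HA accepts MU ...
    return mu_verify(card, r_mu, fa_reply(sk, r_fa))   # ... but MU rejects FA (4.1)

def insider_ga(own_card):
    """Section 4.2: any registered MU learns g^a mod p from its own card."""
    return xor(own_card["CMU"], h(own_card["R"]))

def fa_masquerade(ga, m1, id_fa):
    """4.2.2: forge M4 from an intercepted M1 without KFH or HA.  The insider
    mirrors the expression MU evaluates at A5 (the published one); against an MU
    using h(g^a mod p) it would mirror HA's form instead, knowing g^a mod p."""
    r_mu = xor(m1["V"], h(ga, id_fa))       # RMU* = V XOR h(g^a mod p||IDFA)
    r_fa = secrets.token_bytes(32)
    sk = xor(xor(ga, r_mu), r_fa)
    return fa_reply(sk, r_fa)

def trace(ga, m1, id_fa):
    """4.2.3: strip RMU from U to recover the long-term R that links sessions."""
    return xor(m1["U"], xor(m1["V"], h(ga, id_fa)))
```

honest_run() returns False: with A5 as published, MU derives (g^a mod p) ⊕ RMU ⊕ RFA while HA derives h(g^a mod p) ⊕ RMU ⊕ RFA, which is the design flaw of Section 4.1. fa_masquerade() needs nothing but the insider's own card and the intercepted M1, and its M4 is accepted; trace() returns the same R for two sessions of the victim with different FAs.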

**4.2.3. MU Trace Attack**

Anonymity and untraceability of MU are based on the amplification of MU's identity with the session-dependent random number RMU at A1 in the login and authentication phase. However, any legal user could act as an attacker and perform an MU trace attack. For the attack, the attacker passes the authenticity check of his/her own smart card and obtains g^a mod p = CMU ⊕ h(R). (1) After intercepting M1 = {U, V, W} from MU, the attacker computes RMU* = V ⊕ h((g^a mod p)||IDFA). (2) The attacker removes the session-dependent random number from U by computing R = U ⊕ RMU* and, since R is fixed for each user, links the sessions of the same MU based on R. Thereby, M&S scheme is weak against MU trace attack.

**5. PRIVACY-PRESERVING AUTHENTICATION SCHEME**

This section proposes a privacy-preserving authentication scheme to overcome the weaknesses of M&S scheme. We need to design a new authentication scheme which provides integrity checks along with the other properties needed to resist various attacks. The design goals of our authentication scheme are as follows:

– Achieve mutual authentication with the provision of privacy

– Fair session key establishment

– Resist common security attacks

– Provide user-friendliness of password change

– Achieve computational and communicational efficiency.

The proposed privacy-preserving authentication scheme has four phases: initialization phase, registration phase, login and authentication phase and password change phase. MU registers for specific services with HA in the registration phase by using an amplified identity over a secure channel, after the proper initialization of the system. Unlike M&S scheme, the proposed scheme does not need a verification table at HA, which improves the security of the scheme. The login and authentication phase provides mutual authentication and key agreement among the communicating parties. In this phase, MU and FA authenticate each other with HA's assistance and establish a session key. The password change phase allows MU to update the password only after proper MU authentication, and does not require HA involvement.

**5.1. Initialization Phase**

HA selects two prime numbers p and q and a generator g of Z_p*. It computes n = p×q and φ(n) = (p−1)×(q−1). After that, HA chooses an integer e such that GCD(e, φ(n)) = 1 and 1 < e < φ(n). Then, HA calculates d = e^(−1) mod φ(n), where d is HA's secret key, and y = g^d mod n, where y is the public key. HA keeps [d, p, q] secret. Furthermore, HA and FA must share a secret key KFH securely.

**5.2. Registration Phase**

If MU wants to register with its’ HA, he/she must send the necessary information through a secure channel as shown in Fig. 2.

R1: A new MU chooses his/her identity IDMU and password PWMU, and generates a random nonce N. Then, MU computes and submits R1 = h(IDMU||N) to HA through a secure channel. Note that MU can change N if MU wants to register with HA again under the same identity IDMU. R1 serves as a pseudonym.

R2: Upon receiving R1, HA computes R = h(R1||IDHA||d), BMU = R1 ⊕ h(d), CMU = R ⊕ h(d||y) and FMU = R1 ⊕ R. Then, HA sends {BMU, CMU, FMU, h(.)} to MU over a secure socket layer (SSL) connection.

R3: After receiving the authentication information from HA, MU computes ZMU = FMU ⊕ h(IDMU||PWMU) and AMU = h(FMU), stores {BMU, CMU, ZMU, AMU, h(.)} on his/her MD and sets a threshold timeout to ensure the correctness of the authentication information. Note that when MU does not receive HA's response within the threshold time, the information stored on the device may have been altered maliciously or carelessly, and MU should re-register to get new authentication information.

**5.3. Login and** **Authentication Phase**

It is assumed that MU associated with HA visits an FA and tries to access services. As shown in Fig. 3, the detailed procedure of this phase is as follows:

A1: MU → FA : M1 = {IDHA, U, V, W, MAC1}

MU checks the authentication information on the device and inputs IDMU* and PWMU*. Then, MD computes FMU* = ZMU ⊕ h(IDMU*||PWMU*) and verifies whether AMU = h(FMU*) or not. If verification fails, it terminates the session. Otherwise, the legality of MU is ensured. Then, MD chooses a random number RMU and computes U = BMU ⊕ RMU, V = CMU ⊕ RMU, W = FMU* ⊕ RMU and MAC1 = h(FMU*||RMU||U||V||W||IDFA). Finally, MD sends M1 = {IDHA, U, V, W, MAC1} to FA.

A2: FA → HA : M2 = {IDFA, CFA, MAC2}

After receiving M1, FA generates a random number RFA, encrypts the message M1 and RFA by using the shared key KFH with HA as CFA = EKFH(M1, RFA) and computes MAC2 = h(IDFA||CFA). After that, FA sends M2 = {IDFA, CFA, MAC2} to HA.

A3: HA → FA : M3 = {CHA, MAC3}

Upon receiving the message M2, HA computes MAC2* = h(IDFA||CFA) and checks whether MAC2* is equal to MAC2. Only if the verification is successful, HA checks the identity IDFA and finds the secret key corresponding to IDFA. Then HA decrypts the received information as (M1, RFA) = DKFH(CFA). Note that M1 is {IDHA, U, V, W, MAC1} from A1. After that, HA computes (R1 ⊕ R) = U ⊕ V ⊕ h(d) ⊕ h(d||y), RMU* = W ⊕ (R1 ⊕ R) and MAC1* = h((R1 ⊕ R)||RMU*||U||V||W||IDFA). HA verifies whether MAC1* is equal to MAC1. If the comparison fails, HA terminates the process. Otherwise, HA computes a session key SK = h((R1 ⊕ R)||RMU*||RFA), CHA = EKFH(SK) and MAC3 = h(IDHA||SK||RFA), forms the message M3 = {CHA, MAC3}, and sends it to FA.

A4: FA → MU : M4 = {RFA, MAC4}

After receiving M3, FA computes SK* = DKFH(CHA) and MAC3* = h(IDHA||SK*||RFA) and verifies whether MAC3* is equal to MAC3. If the comparison fails, FA terminates the process. Otherwise, FA computes MAC4 = h(U||SK*||RFA), forms the message M4 = {RFA, MAC4}, and sends it to MU.

A5: Upon receiving M4, MD computes a session key SK** = h(FMU*||RMU||RFA) and MAC4* = h(U||SK**||RFA) and verifies whether MAC4* is equal to the received MAC4. If the verification fails, MD stops the process. Otherwise, MU successfully authenticates FA.

**5.4. Password Change Phase**

In this phase, MU can change his/her password alone, which means that no communication with FA or its HA is required. The detailed steps of the password change phase are:

P1: If a legal MU wants to change the password, MU inputs his/her identity IDMU∗ and password PWMU∗. The password change request can be submitted through terminal.

P2: MD computes FMU* = ZMU ⊕ h(IDMU*||PWMU*) and verifies whether AMU = h(FMU*) or not. If verification is successful, MU authenticity is ensured. Otherwise, the request is rejected.

P3: MD asks MU to input a new password PWMU** and replaces ZMU with ZMU = FMU* ⊕ h(IDMU*||PWMU**).
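The registration, login and authentication, and password change phases of the proposed scheme (Sections 5.2 to 5.4) worked through in Python, as an added example that is not the authors' code. It assumes SHA-256 for h(.), models the FA-HA transport (CFA, MAC2, CHA and MAC3 under KFH) as a direct call between the FA and HA functions, and, since only h(d) and h(d||y) enter the protocol, uses random byte strings in place of HA's d and y from the setup of Section 5.1; the identifiers and passwords are constructed.

```python
# Added example (not the authors' code): registration, login/authentication and
# password change of the proposed scheme, Sections 5.2-5.4.
# Assumptions: SHA-256 stands in for h(.); the FA-HA transport under KFH is modelled
# as a direct call; d and y are random byte strings because only h(d) and h(d||y)
# enter the protocol; identifiers and passwords are constructed demo values.
import hashlib
import secrets

ID_HA = b"HA-demo"                  # constructed identifier
D = secrets.token_bytes(32)         # HA's secret d (stand-in for the RSA-style d)
Y = secrets.token_bytes(32)         # stand-in for HA's public value y = g^d mod n

def h(*parts):
    """One-way hash of x1||x2||... (SHA-256, 32-byte output)."""
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a, b):
    """Bitwise exclusive-or of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

HD, HDY = h(D), h(D, Y)             # h(d) and h(d||y), held only by HA

def ha_register(r1):
    """R2: HA derives the device values from the pseudonym R1; HA stores nothing."""
    r = h(r1, ID_HA, D)                                   # R = h(R1||IDHA||d)
    return {"BMU": xor(r1, HD), "CMU": xor(r, HDY), "FMU": xor(r1, r)}

def mu_register(id_mu, pw):
    """R1 and R3: MU submits R1 = h(IDMU||N) and seals FMU under IDMU/PWMU."""
    r1 = h(id_mu, secrets.token_bytes(16))
    reg = ha_register(r1)                                 # over the secure channel
    return {"BMU": reg["BMU"], "CMU": reg["CMU"],
            "ZMU": xor(reg["FMU"], h(id_mu, pw)),         # ZMU = FMU XOR h(IDMU||PWMU)
            "AMU": h(reg["FMU"])}                         # AMU = h(FMU)

def mu_unlock(card, id_mu, pw):
    """Local check shared by A1 and P2: recover FMU* and verify AMU = h(FMU*)."""
    f_mu = xor(card["ZMU"], h(id_mu, pw))
    if h(f_mu) != card["AMU"]:
        raise ValueError("wrong IDMU or PWMU")
    return f_mu

def mu_login(card, id_mu, pw, id_fa):
    """A1: build M1 = {IDHA, U, V, W, MAC1}; (FMU*, RMU) is kept for A5."""
    f_mu = mu_unlock(card, id_mu, pw)
    r_mu = secrets.token_bytes(32)
    u, v, w = xor(card["BMU"], r_mu), xor(card["CMU"], r_mu), xor(f_mu, r_mu)
    mac1 = h(f_mu, r_mu, u, v, w, id_fa)
    return {"IDHA": ID_HA, "U": u, "V": v, "W": w, "MAC1": mac1}, (f_mu, r_mu)

def ha_authenticate(m1, id_fa, r_fa):
    """A3 on the HA side: recover R1 XOR R and RMU, check MAC1, return SK or None."""
    f_mu = xor(xor(xor(m1["U"], m1["V"]), HD), HDY)       # U XOR V XOR h(d) XOR h(d||y)
    r_mu = xor(m1["W"], f_mu)                             # RMU* = W XOR (R1 XOR R)
    if h(f_mu, r_mu, m1["U"], m1["V"], m1["W"], id_fa) != m1["MAC1"]:
        return None
    return h(f_mu, r_mu, r_fa)                            # SK = h(R1 XOR R||RMU*||RFA)

def fa_reply(sk, m1, r_fa):
    """A4: M4 = {RFA, MAC4} with MAC4 = h(U||SK||RFA)."""
    return {"RFA": r_fa, "MAC4": h(m1["U"], sk, r_fa)}

def mu_verify(state, m1, m4):
    """A5: SK** = h(FMU*||RMU||RFA); returns SK** if MAC4 verifies, else None."""
    f_mu, r_mu = state
    sk = h(f_mu, r_mu, m4["RFA"])
    return sk if h(m1["U"], sk, m4["RFA"]) == m4["MAC4"] else None

def change_password(card, id_mu, pw_old, pw_new):
    """P1-P3: local password change; ZMU is re-sealed, AMU is unchanged."""
    f_mu = mu_unlock(card, id_mu, pw_old)
    card["ZMU"] = xor(f_mu, h(id_mu, pw_new))
    return card

def run(card, id_mu, pw, id_fa):
    """Full A1-A5 run; returns (HA's SK, MU's SK**) so agreement can be checked."""
    m1, state = mu_login(card, id_mu, pw, id_fa)
    r_fa = secrets.token_bytes(32)
    sk_ha = ha_authenticate(m1, id_fa, r_fa)
    if sk_ha is None:
        return None, None
    return sk_ha, mu_verify(state, m1, fa_reply(sk_ha, m1, r_fa))

def session_tag(m1):
    """Reader's check: U XOR V = BMU XOR CMU, which does not depend on RMU."""
    return xor(m1["U"], m1["V"])
```

run() returns HA's SK and MU's SK**, which agree; a tampered W (or any other field) fails the MAC1 check at HA, and change_password() re-seals ZMU so that the next login with the new password recovers the same FMU. One check worth running: because U = BMU ⊕ RMU and V = CMU ⊕ RMU by the definitions at A1, session_tag() returns the same value BMU ⊕ CMU for every login of the same MU, independent of RMU; readers evaluating the untraceability claims of Section 6 should take this into account.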

**6. SECURITY AND PERFORMANCE ANALYSIS**

This section performs a formal security analysis of the proposed scheme based on BAN logic and the ProVerif tool, respectively [20-21]. An informal analysis shows that the proposed scheme solves the security and privacy problems of M&S scheme. After that, we provide a performance analysis of the proposed scheme by comparing it with K&S scheme in [18] and M&S scheme in [19].

**6.1. Formal Security Analysis**

We provide a formal security analysis of the proposed scheme based on the BAN logic and ProVerif tool [20-21]. BAN logic uses axioms to verify message origin, message freshness and trustworthiness of the origin of the message to analyze security schemes [21]. BAN logic uses the following notations in formal security analysis:

– Q |≡ X: Principal Q believes the statement X

– #(X): Formula X is fresh

– Q |⟹ X: Principal Q has jurisdiction over the statement X

– Q ⊲ X: Principal Q sees the statement X

– Q |~ X: Principal Q once said the statement X

– (X, Y): Formula X or Y is one part of the formula (X, Y)

– ⟨P⟩_Q: Formula P combined with the formula Q

– Q ↔^SK R: Principals Q and R may use the shared session key SK to communicate with each other. SK is good, in that no principal except Q and R will ever discover it.

The following logic rules are applied to the proposed scheme to prove that it provides secure mutual authentication between MU and FA (premises above the line, conclusion below):

1. Message-meaning rule: (R |≡ R ↔^Y S, R ⊲ ⟨X⟩_Y) / (R |≡ S |~ X)

2. Nonce-verification rule: (R |≡ #(X), R |≡ S |~ X) / (R |≡ S |≡ X)

3. Jurisdiction rule: (R |≡ S |⟹ X, R |≡ S |≡ X) / (R |≡ X)

4. Freshness rule: (R |≡ #(X)) / (R |≡ #(X, Y)).

To show that the proposed scheme provides secure authentication between MU and FA, we need to achieve the following goals:

Goal 1: MU |≡ (MU ↔^SK FA), Goal 2: FA |≡ (FA ↔^SK MU), Goal 3: MU |≡ FA |≡ (FA ↔^SK MU) and Goal 4: FA |≡ MU |≡ (MU ↔^SK FA).

Idealized form: The arrangement of the transmitted messages among MU, FA and HA in the proposed scheme to the idealized forms is as follows:

Message 1. MU → FA: IDHA, ⟨U⟩_h(d), ⟨V⟩_h(d||y), ⟨W⟩_h(d||y), ⟨MAC1⟩_h(d||y)

Message 2. FA → HA: IDFA, ⟨CFA⟩_KFH, MAC2

Message 3. HA → FA: ⟨CHA⟩_KFH, ⟨MAC3⟩_SK

Message 4. FA → MU: RFA, ⟨MAC4⟩_SK.

Assumptions: The initial assumptions of the proposed scheme are as follows:

A1: MU |≡ #(RMU)

A2: FA |≡ #(RFA)

A3: MU |≡ (MU ↔^h(d||y) HA)

A4: HA |≡ (HA ↔^h(d||y) MU)

A5: FA |≡ (FA ↔^KFH HA)

A6: HA |≡ (HA ↔^KFH FA)

A7: MU |≡ FA |⟹ (MU ↔^SK FA)

A8: FA |≡ MU |⟹ (FA ↔^SK MU).

Proof: We prove the goals of the proposed scheme, showing secure authentication and key agreement, using the BAN logic rules and the assumptions.

Based on Message 1, we could derive:

Step 1. FA ⊲ (IDHA, ⟨U⟩_h(d), ⟨V⟩_h(d||y), ⟨W⟩_h(d||y), ⟨MAC1⟩_h(d||y))

According to assumption A3 and the message-meaning rule, we get:

Step 2. FA |≡ MU |~ (IDHA, ⟨U⟩_h(d), ⟨V⟩_h(d||y), ⟨W⟩_h(d||y), ⟨MAC1⟩_h(d||y))

Based on assumption A1 and the freshness concatenation rule, we get:

Step 3. FA |≡ #(IDHA, ⟨U⟩_h(d), ⟨V⟩_h(d||y), ⟨W⟩_h(d||y), ⟨MAC1⟩_h(d||y))

According to Steps 2 and 3 and the nonce-verification rule, we get:

Step 4. FA |≡ MU |≡ (IDHA, ⟨U⟩_h(d), ⟨V⟩_h(d||y), ⟨W⟩_h(d||y), ⟨MAC1⟩_h(d||y))

Based on Message 2, we derive:

Step 5. HA ⊲ (IDFA, ⟨CFA⟩_KFH, MAC2)

According to assumption A6 and the message-meaning rule, we get:

Step 6. HA |≡ FA |~ (IDFA, ⟨CFA⟩_KFH, MAC2)

Based on assumption A2 and the freshness concatenation rule, we get:

Step 7. HA |≡ #(IDFA, ⟨CFA⟩_KFH, MAC2)

According to Steps 6 and 7 and the nonce-verification rule, we get:

Step 8. HA |≡ FA |≡ (IDFA, ⟨CFA⟩_KFH, MAC2)

According to Step 8, assumptions A4 and A6 and the belief rule, we get:

Step 9. HA |≡ FA |≡ (FA ↔^KFH HA) and HA |≡ MU |≡ (MU ↔^h(d||y) HA)

According to the jurisdiction rule, we get:

Step 10. HA |≡ (HA ↔^KFH FA) and HA |≡ (HA ↔^h(d||y) MU)

Based on Message 3, we derive:

Step 11. FA ⊲ (⟨CHA⟩_KFH, ⟨MAC3⟩_SK)

According to assumption A5 and the message-meaning rule, we get:

Step 12. FA |≡ HA |~ (⟨CHA⟩_KFH, ⟨MAC3⟩_SK)

According to assumptions A1 and A2 and the freshness concatenation rule, we get:

Step 13. FA |≡ #(⟨CHA⟩_KFH, ⟨MAC3⟩_SK)

According to Steps 12 and 13 and the nonce-verification rule, we get:

Step 14. FA |≡ HA |≡ (⟨CHA⟩_KFH, ⟨MAC3⟩_SK)

According to Step 14, assumptions A4 and A5 and the belief rule, we get:

Step 15. FA |≡ HA |≡ (HA ↔^KFH FA) and FA |≡ HA |≡ (HA ↔^h(d||y) MU)

According to Steps 13, 14 and 15 and the nonce-verification rule, we get:

Step 16. FA |≡ HA |≡ (HA ↔^SK FA)

According to assumption A5 and the jurisdiction rule, we get:

Step 17. FA |≡ (FA ↔^SK HA)

According to Steps 2, 3 and 4 and the nonce-verification rule, we conclude:

Step 18. FA |≡ MU |≡ (MU ↔^SK FA) (Goal 4)

According to assumption A8 and the jurisdiction rule, we get:

Step 19. FA |≡ (FA ↔^SK MU) (Goal 2)

According to Message 4, we could derive:

Step 20. MU ⊲ (RFA, ⟨MAC4⟩_SK)

According to assumption A5 and the message-meaning rule, we get:

Step 21. MU |≡ FA |~ (RFA, ⟨MAC4⟩_SK)

Based on assumption A2 and the freshness concatenation rule, we get:

Step 22. MU |≡ #(RFA, ⟨MAC4⟩_SK)

According to Steps 21 and 22 and the nonce-verification rule, we get:

Step 23. MU |≡ FA |≡ (RFA, ⟨MAC4⟩_SK)

According to Step 23, assumptions A4 and A7 and the belief rule, we get:

Step 24. MU |≡ FA |≡ (FA ↔^SK MU) and MU |≡ HA |≡ (HA ↔^h(d||y) MU)

According to Steps 22, 23 and 24 and the nonce-verification rule, we get:

Step 25. MU |≡ FA |≡ (FA ↔^SK MU) (Goal 3)

According to assumption A8 and the jurisdiction rule, we get:

Step 26. MU |≡ (MU ↔^SK FA) (Goal 1)

According to Steps 19 and 26 (together with Steps 18 and 25 for Goals 4 and 3), the proposed scheme achieves all four goals. Both MU with its MD and FA believe that they share a common session key SK = h((R1 ⊕ R)||RMU*||RFA) = h(FMU*||RMU||RFA).

We validated the security properties of the proposed scheme with a widely used formal verification tool, ProVerif [21]. Fig. 4 shows the proof result from ProVerif. svalueA and svalueB were used to check the secrecy of SK in the tool. The results of the queries show that the attacker cannot obtain the session key between MU and FA, and Fig. 4 shows that no attack traces were found. Thus, our proposed scheme is secure under formal verification. For further study, the full code is accessible on Github [24].

**6.2. Informal Security Analysis**

The Dolev-Yao model is used for the security analysis [25]. We solved the weaknesses of M&S scheme identified in Section 4. Unlike M&S scheme and K&S scheme, the proposed authentication scheme does not need to consider the stolen-verifier attack, since HA keeps no verifier table. Thereby, as shown in Table 2, the proposed authentication scheme provides more secure and efficient properties.

**Table 2. Security properties comparison among related schemes**

SP1: user anonymity, SP2: mutual authentication, SP3: prevention of masquerading attack, SP4: prevention of stolen-verifier attack, SP5: prevention of DoS attack.

**6.2.1. Providing Mutual Authentication**

The proposed authentication scheme uses a challenge-response mechanism [23]. The goal of the proposed authentication scheme is to provide mutual authentication between MU and FA. However, FA has no way to authenticate MU directly, so it requires the help of HA, which has a credential relationship with MU. HA authenticates MU through U, V, W and MAC1 by validating possession of the correct pair h(d) and h(d||y). Only an attacker knowing both h(d) and h(d||y) at the same time could masquerade as a legal MU, and the same holds for FA with KFH. Furthermore, MU also authenticates FA based on MAC4.

Only the legal FA could obtain the correct MAC4 via HA. Furthermore, FA authenticates HA using MAC3, which only the correct HA could form based on KFH. Therefore, MU and FA perform mutual authentication through the assistance of HA, since an attacker under the Dolev-Yao attack model cannot masquerade as any party in the proposed scheme.

**6.2.2. Providing Key Agreement**

A fair key agreement scheme follows the principle that the session key contains a contribution from each participant. In our proposed authentication scheme, the session key is derived from MU's information and session-dependent random number and from FA's session-dependent random number, which satisfies fair session key agreement. MU and FA achieve the key agreement securely with the help of HA, since an attacker cannot obtain any useful knowledge of the session key in the proposed scheme.

**6.2.3. Providing Anonymity of User**

Since the wireless network is vulnerable to several attacks and MD's computational power is limited, anonymity is an important issue in authentication scheme design. Anonymity of an individual is the ability to seclude himself/herself or information about himself/herself. The proposed authentication scheme uses pseudonym related variables, U and V, for this purpose. Furthermore, the pseudonyms are dynamically changed in each session depending on the session-dependent random number RMU to provide anonymity. An attacker cannot learn the identity of MU in the proposed scheme because of the lack of knowledge of h(d), h(d||y) and RMU.

An attacker under the Dolev-Yao attack model can obtain the messages M1 = {IDHA, U, V, W, MAC1}, M2 = {IDFA, CFA, MAC2}, M3 = {CHA, MAC3} and M4 = {MAC4, RFA} from the open communication channels. However, it is infeasible for the attacker to learn the identifier due to the lack of knowledge of h(d), h(d||y) and RMU. Furthermore, MU’s pseudonym is updated in each session based on RMU. To perform a password guessing attack, the attacker needs to obtain MU’s MD. Even if the attacker obtains MU’s MD and extracts the information {BMU, CMU, ZMU, AMU, h(.)} stored on it, the attacker needs to know both IDMU and PWMU at the same time, which is not feasible. Thereby, the proposed authentication scheme withstands identifier and password guessing attacks.

The password renewal phase of the proposed authentication scheme provides an authenticity check of MU. So, an attacker under the Dolev-Yao attack model could not succeed with a DoS attack. MU can change his/her password to a new one and update the related information on MD securely only after the authorization check succeeds. Thereby, the proposed authentication scheme withstands the DoS attack.

**6.2.6. Prevention of Replay Attack**

The proposed authentication scheme uses a challenge-response mechanism to prevent replay attacks. The random numbers in the challenge-response mechanism provide the freshness of messages. There is no feasible way for an attacker to forge the session-related random numbers, RMU and RFA, which provide the integrity of messages. Thereby, the proposed authentication scheme withstands various replay attacks.

**6.3. Performance Analysis**

This section discusses the performance of the related authentication schemes in terms of computational cost and communication cost. The experiment was performed on a system using 64-bit Windows 7, a 3.2 GHz processor and 4 GB memory. Visual C++ 2013 was used with the Crypto++ library in [26]. We chose the secure hash algorithm (SHA)-1 hash, advanced encryption standard (AES)-128 symmetric encryption/decryption and Rivest-Shamir-Adleman (RSA) 1,024-bit operation as the basic cryptographic operations.

The computational analysis focuses on the operations performed by each party within the authentication schemes, namely MU, FA and HA. We define the following notations for the analysis of the computational costs.

– Th: the time to execute a one-way hash operation (0.00032s)

– Tx: the time to execute an XOR operation (0.00001s)

– Ts: the time to compute a symmetric key cryptosystem operation (0.0056s)

– Te: the time to compute an asymmetric key cryptosystem operation (0.3862s).

Table 3 summarizes the accurate measurement results of the related authentication schemes. The K&S scheme in [18] requires much larger computational overhead than the two other symmetric-cryptography-based schemes.

**Table 3. Computational overhead comparison**

Note that we removed the overhead of two hash operations for h(d) and h(d||y) from the HA computation in the proposed scheme, since after the first computation they are reused as they are for every subsequent authentication. From Table 3, we can see that the proposed authentication scheme has only 8% more operations than the M&S scheme but provides better security and privacy than the other schemes. The extra cost is mainly to provide the ownership check for MD, remove the verification table in HA and add some further good features to the proposed authentication scheme.

The communication overhead is measured in terms of the bit-length of each message in the authentication schemes. The lengths of a random number, timestamp, identity and symmetric key operation result are 128 bits each, and the lengths of a hash function output and an RSA operation result are 160 bits and 1024 bits, respectively [6]. Table 4 lists the comparison of communication costs among the related schemes. The required communication bits for the schemes are 4,640 bits for the K&S scheme in [18], 2,888 bits for the M&S scheme in [19] and 1,760 bits for the proposed scheme. Therefore, the proposed scheme reduces communication costs by 40% compared to the M&S scheme in [19].

**Table 4. Communicational overhead comparison**
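As an added worked example (not code from the paper or its repository), the following reproduces the communication-cost figures above from the message layouts M1..M4 and the stated field lengths. The field types are assumptions: MAC1..MAC4 are treated as hash outputs, CFA and CHA as symmetric-key results, and U, V and W as hash-length values, which is the only assignment that reaches the stated 1,760 bits.

```python
# Added example: reproduces the communication-cost figures of Section 6.3.
# Field bit-lengths as stated in the paper (random number, timestamp, identity
# and symmetric-key result: 128 bits; hash output: 160 bits; RSA: 1024 bits).
BITS = {"random": 128, "timestamp": 128, "identity": 128,
        "symmetric": 128, "hash": 160, "rsa": 1024}

# Message layouts M1..M4 of the proposed scheme as listed in Section 6.2.
# The field *types* are assumptions: MAC1..MAC4 are taken as hash outputs,
# CFA and CHA as symmetric-key ciphertexts, and U, V, W as hash-length values,
# because that is the only assignment that reaches the stated 1,760 bits.
PROPOSED = {
    "M1": [("IDHA", "identity"), ("U", "hash"), ("V", "hash"),
           ("W", "hash"), ("MAC1", "hash")],
    "M2": [("IDFA", "identity"), ("CFA", "symmetric"), ("MAC2", "hash")],
    "M3": [("CHA", "symmetric"), ("MAC3", "hash")],
    "M4": [("MAC4", "hash"), ("RFA", "random")],
}

# Totals the paper reports for the compared schemes (their layouts are not on the page).
REPORTED_TOTALS = {"K&S [18]": 4640, "M&S [19]": 2888}


def message_bits(fields):
    """Bit-length of one message: the sum of its fields' lengths."""
    return sum(BITS[kind] for _, kind in fields)


def scheme_bits(scheme):
    """Per-message bit-lengths, e.g. {'M1': 768, ...}."""
    return {name: message_bits(fields) for name, fields in scheme.items()}


def total_bits(scheme):
    """Total bits exchanged in one run of the scheme."""
    return sum(scheme_bits(scheme).values())


def saving_percent(ours, theirs):
    """Percentage of communication bits saved relative to another scheme (1 decimal)."""
    return round(100.0 * (theirs - ours) / theirs, 1)


if __name__ == "__main__":
    for name, bits in scheme_bits(PROPOSED).items():
        print(f"{name}: {bits} bits")
    total = total_bits(PROPOSED)
    print(f"proposed scheme total: {total} bits")  # 1760
    for other, bits in REPORTED_TOTALS.items():
        # vs. M&S this gives 39.1%, which the paper reports as 40%
        print(f"saving vs. {other}: {saving_percent(total, bits)}%")
```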

**7. CONCLUSION**

This paper has investigated the design of a privacy-preserving authentication scheme for roaming services, which provides security and privacy at the same time. First of all, we analyzed the M&S scheme and showed that the scheme has two design flaws and suffers from an HA masquerading attack, an FA masquerading attack and an MU trace attack. To overcome these problems, we proposed a privacy-preserving authentication scheme. Formal security analysis using BAN logic and the ProVerif tool was provided. From the security analysis, we found that neither the adversary nor the agents can obtain any information about the mobile user’s identity. Compared with other related authentication schemes, the proposed scheme has better security with privacy while achieving performance similar to the M&S scheme. As a result, the proposed authentication scheme is more suitable for roaming services in global mobility networks. However, we found that there is some computational overhead in the proposed scheme compared to the M&S scheme, which can be considered as the cost of providing security and privacy.

For future work, the performance of the proposed scheme will be measured by implementing it and conducting experiments over devices on real networks, and the proposed scheme will be improved based on the trial results. Furthermore, we will make further efforts to improve the proposed scheme with regard to computational.

**CONFLICTS OF INTEREST**

The authors declare no conflict of interest.

**REFERENCES**

[1] Curado, M., Tortosa, L., Vincent, J. F. & Yeghikyan, G., (2021) “Understanding mobility in Rome by means of a multiplex network with data,” Journal of Computational Science, 101305.

[2] Cao, J., Li, Q., Tu, W., Gao, Q., Cao, R., & Zhong, C., (2021) “Resolving urban mobility networks from individual travel graphs using massive-scale mobile phone tracking data,” Cities, Vol. 110, 103077.

[3] Almalki, F. A., (2021) “Developing an Adaptive Channel Modelling using a Genetic Algorithm Technique to Enhance Aerial Vehicle-to-Everything Wireless Communications,”

[4] Zhu, J., & Ma, J., (2004) “A new authentication scheme with anonymity for wireless environment,” IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, pp. 231-235.

[5] Wei, F., Vijayakumar, P., Jiang, Q., & Zhang, R., (2018) “A mobile intelligent terminal based anonymous authenticated key exchange protocol for roaming service in global mobility networks,” IEEE Transactions on Sustainable Computing, Vol. 14, No. 8, pp. 268-278.

[6] Kapito, B., Nyirenda, M., & Kim, H. (2021) “Privacy-Preserving Machine Authenticated Key Agreement for Internet of Things,”

[7] Zhao, D., Peng, H., Li, L., & Yang, Y., (2014) “A secure and effective anonymous authentication scheme for roaming service in global mobility networks,” Wireless Personal Communications, Vol. 78, No. 1, pp. 247-269.

[8] Morsi, A. M., Barakat, T. M., & Nashaat, A. A., (2020) “An Efficient and Secure Malicious Node Detection Model for Wireless Sensor Networks,”

[9] Wen, F., Susilo, W., & Yang, G., (2013) “A secure and effective anonymous user authentication scheme for roaming service in global mobility networks,” Wireless Personal Communications, Vol. 73, No. 3, pp. 993-1004.

[10] Jiang, Q., Ma, J., Li, G., & Yang, L., (2013) “An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks,” Wireless Personal Communications, Vol. 68, No. 4, pp. 1477-1491.

[11] Mun, H., Han, K., Lee, Y. S., Yeun, C. Y., & Choi, H. H., (2012) “Enhanced secure anonymous authentication scheme for roaming service in global mobility networks,” Mathematical and Computer Modelling, Vol. 55, No. 1-2, pp. 214-222.

[12] Lee, C. C., Hwang, M. S., & Liao, I. E., (2006) “Security enhancement on a new authentication scheme with anonymity for wireless environments,” IEEE Transactions on Industrial Electronics, Vol. 53, No. 5, pp. 1683-1687.

[13] Chang, C. C., Lee, C. Y., & Chiu, Y. C., (2009) “Enhanced authentication scheme with anonymity for roaming service in global mobility networks,” Computer Communications, Vol. 32, No. 4, pp. 611-618.

[14] Yang, G., Huang, Q., Wong, D. S., & Deng, X., (2010) “Universal authentication protocols for anonymous wireless communications,” IEEE Transactions on Wireless Communications, Vol. 9, No. 1, pp. 1536-1276.

[15] Zhou, T., & Xu, J., (2011) “Provable secure authentication protocol with anonymity for roaming service in global mobility networks,” Computer Networks, Vol. 55, No. 1, pp. 205-213.

[16] Kuo, W. C., Wei, H. J., & Cheng, J. C., (2014) “An efficient and secure anonymous mobility network authentication scheme,” Journal of Information Security and Applications, Vol. 19, No. 1, pp. 18-24.

[17] Liu, J. K., Chu, C. K., Chow, C. M., Huang, X., Au, M. H., & Zhou, J., (2015) “Time-bound anonymous authentication for roaming networks,” IEEE Transactions on Information Forensics and Security, Vol. 10, No. 1, pp. 178-189.

[18] Karuppiah, M., & Saravanan, R., (2015) “A secure authentication scheme with user anonymity for roaming service in global mobility networks,” Wireless Personal Communications, Vol. 84, No. 3, pp. 2055-2078.

[19] Madhusudhan, R., & Shashidhara, (2018) “A secure and lightweight authentication scheme for roaming service in global mobile networks,” Journal of Information Security and Applications, Vol. 38, pp. 96-110.

[20] Burrows, M., Abadi, M., & Needham, R., (1989) “A logic of authentication,” Royal Society of London Mathematical, Physical and Engineering Sciences, Vol. 426, pp. 233-271.

[21] Blanchet, B., (2013) “Automatic Verification of Security Protocols in the Symbolic Model: The Verifier ProVerif,” Lecture Notes in Computer Science, Vol. 8604, pp. 54-87.

[22] Housley, R., Polk, W., Ford, W., & Solo, D., (2002) Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 3280, The Internet Society.

[23] Schneier, B., (2015) Applied Cryptography: Protocols, Algorithms and Source Code in C, John Wiley & Sons Inc.

[24] https://github.com/hs-kim-andre/roaming.git

[25] Dolev, D., & Yao, A. C., (1983) “On the Security of Public Key Protocols,” IEEE Transactions on Information Theory, Vol. IT-29, No. 2, pp. 198-208.

[26] Dai, W., Crypto++ Library, Available online: http://www.cryptopp.com, Accessed on 1 August 2021.

**AUTHORS**

**Sung Woon Lee** received the Ph.D. degree in Computer Engineering from Kyungpook National University, Korea, in 2005. He has been a Professor at the Department of Information Security, Tongmyong University, Korea, since 2005. He was a visiting scholar at Georgia State University in 2017. From 1996 to 2000, he worked as a program developer at Korea Information System, Daegu, Korea. His research focuses on how cryptography can be applied to improve the security and privacy of healthcare systems’ patient information communicated wirelessly in Internet of Things applications. Furthermore, he is interested in database security and privacy.

**Hyunsung Kim** received the M.Sc. and Ph.D. degrees in computer engineering from Kyungpook National University, Korea, in 1998 and 2002, respectively. He has been a Full Professor at the School of Computer Science, Kyungil University, Korea, since 2012. Furthermore, he has been a visiting professor at the Department of Mathematical Sciences, Chancellor College, University of Malawi, Malawi, since 2015. He was also a visiting researcher at Dublin City University in 2009. From 2000 to 2002, he worked as a senior researcher at Ditto Technology. He was an associate professor from 2002 to 2012 with the Department of Computer Engineering, Kyungil University. His research interests include cryptography, VLSI, authentication technologies, network security, ubiquitous computing security, and security protocols.
