A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card

The Session Initiation Protocol (SIP) is a signaling communications protocol, which has been chosen for controlling multimedia communication in 3G mobile networks. The proposed authentication in SIP is HTTP digest based authentication. Recently, Tu et al. presented an improvement of Zhang et al.’s smart card-based authenticated key agreement protocol for SIP. Their scheme efficiently resists password guessing attack. However, in this paper, we analyze the security of Tu et al.’s scheme and demonstrate their scheme is still vulnerable to user’s impersonation attack, server spoofing attack and man-in-the middle attack. We aim to propose an efficient improvement on Tu et al.’s scheme to overcome the weaknesses of their scheme, while retaining the original merits of their scheme. Through the rigorous informal and formal security analysis, we show that our scheme is secure against various known attacks including the attacks found in Tu et al.’s scheme. Furthermore, we simulate our scheme for the formal security analysis using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks including the replay and man-in-the-middle attacks. Additionally, the proposed scheme is comparable in terms of the communication and computational overheads with Tu et al.’s scheme and other related existing schemes.