Security analysis and enhancements of an improved authentication for session initiation protocol with provable security

Very recently, Tu et al. proposed an authentication scheme for session initiation protocol using smart card to overcome the security flaws of Zhang et al.’s protocol. They claimed that their protocol is secure against known security attacks. However, in this paper, we indicate that Tu et al.’s protocol is insecure against impersonation attack. We show that an adversary can easily masquerade as a legal server to fool users. As a remedy, we also improve Tu et al.’s protocol without imposing extra computation cost. To show the security of our protocol, we prove its security in the random oracle model.