SMASG: Secure Mobile Authentication Scheme for Global Mobility Network

The rapid growth of the Internet of Things (IoT) has enabled prompt services over mobile devices. The Global Mobility Network (GLOMONET) is an important global network that allows mobile users to access the Internet anywhere. Although implementing a secure mechanism in GLOMONET is a difficult and complex task due to the computational and processing limitations of most mobile devices, an authentication system is vital for secure communications among such mobile devices. In 2021, Rahmani et al. proposed an authentication method, called the advanced mobile authentication protocol for GLOMONET (AMAPG). However, we found three serious vulnerabilities in AMAPG. First, the scheme contains large amounts of information on the smart card of the mobile phone. Therefore, it is vulnerable to attacks that steal critical information. Second, it is susceptible to password-guessing attacks. Third, the scheme cannot guarantee the security of future messages because attackers can steal the session key. In this study, we discuss the weaknesses of AMAPG and propose a new three-factor authentication scheme called the secure mobile authentication scheme for GLOMONET (SMASG). We performed informal and formal security analyses using ProVerif and BAN Logic on SMASG. In addition, we analyzed and compared its performance with that of the latest GLOMONET-based authentication schemes. Our scheme saves an average of 93% time in the user login and authentication phase.


I. INTRODUCTION
Advancements in the Internet of Things (IoT) have facilitated global access to networks through mobile devices. Thus, people can operate these devices from any location. Furthermore, the automated exchange of information among devices and information available over a network helps connected users obtain the desired information [1], [2].
A global mobility network (GLOMONET) [3]-[11] provides security to mobile users accessing the network from anywhere. Global roaming services enable legitimate mobile users to use ubiquitous services. However, with the rapid development of this environment, numerous security issues such as user privacy have arisen [11]-[14]. Therefore, anonymous mutual authentication in GLOMONET is important. For this purpose, cryptographers worldwide are developing computationally complex processes based on symmetric/asymmetric encryption/decryption or using modular operations to design authentication protocols [15]-[19]. These protocols must handle various security issues such as forgery attacks, known as session-key attacks, reverse and forward secrecy, and smart card loss issues.
In GLOMONET, authentication is generally divided into three categories, authentication for: (1) mobile users (MU), (2) home agents (HA), and (3) foreign agents (FA). In the registration stage, MU registers with HA and is issued a smart card. In the subsequent authentication step, MU enters the login process with its information and the smart card to request a session key. FA receives information from MU, requests authentication from HA including its information, and receives a message from HA. It then generates a session key and sends a message to MU. Then, MU generates a session key using the received message (Figure 1).
In 1998, Horn and Preneel [3] first proposed a mobile pay authentication method. Since then, several studies have been Zhu and Ma [4] first proposed a different GLOMONET authentication method for mobile users, foreign agents, and home agents. However, their proposed method did not satisfy perfect backward secrecy, mutual authentication, or protect against a forgery attack [5]. Lee-Hwang-Liao [5] proposed a novel authentication method to address these problems. Chang-Chi-Liu [6] found that Lee-Hwang-Liao's scheme had a weakness in time synchronization and proposed a new scheme; however, the new scheme faced user anonymity and confidentiality challenges [7]. Zhou and Xu [7] introduced a wireless authentication protocol to address these problems. Unfortunately, Gope and Hwang [8] observed that their scheme was also insecure owing to unsuccessful key agreements, replay attacks, and insider attacks; they then proposed a novel scheme to address these vulnerabilities. Xu et al. proposed mutual authentication and key agreement (MAKA) in 2018 [9] as a new method to prevent the storage consumption, computational burden, and replay attack problems faced by the scheme designed by Gope and Hwang [8]. However, in 2020, Shashidhara et al. [10] analyzed and identified problems such as untraceability, impersonation attacks, denial of service attacks, privileged-insider attacks, clock synchronization, and wrong password detection in this scheme. They presented an efficient protocol to address problems, such as the rapid detection of incorrect passwords. However, in the scheme proposed by Shashidhara et al. [10], Rahmani et al. [11] in 2021 discovered problems such as user impersonation, traceability, forward secrecy contradiction, and stolen smart card attacks; they proposed a new scheme, an advanced mobile authentication protocol for GLOMONET (AMAPG), to resolve these problems [11]. However, AMAPG [11] has three critical vulnerabilities.
First, the scheme stores the information on the smart card of mobile phones. Therefore, it is susceptible to attacks that steal critical information. Second, the scheme can be exposed to password-guessing incidents. Third, their protocol cannot guarantee the security of future messages, as attackers can steal the session key. In the following sections, we explain the weaknesses of AMAPG and propose a new secure mobile authentication scheme for GLOMONET (SMASG) that compensates for these weaknesses. The contributions of this study can be summarized as follows:
• We summarize the security properties required for GLOMONET. The following aspects must be satisfied: user anonymity, low communication cost, computational complexity, single registration, user-friendliness, no password table, security.
• However, the recently proposed AMAPG scheme allows password-guessing attacks. In addition, the AMAPG has a fatal problem in that the session key can be calculated by an external attacker. To solve this problem, we used the user's biometric information for authentication. Biometrics are included in the authentication phase, and our new SMASG method achieves robust security. Our scheme presents a three-factor method, including biometric authentication, in line with the recent mobile authentication trends. The user's biometric information is randomized using a fuzzy extractor and is used for user authentication.
• We conducted security and performance analyses of SMASG and compared its safety and performance with the latest GLOMONET schemes.
VOLUME 4, 2016
The remainder of this paper is organized as follows. Section II provides a preliminary overview of the basic elements used in this study and describes the threat model and assumptions. Section III provides a review of AMAPG, and Section IV analyzes its security vulnerabilities. Section V proposes a novel three-step authentication scheme called SMASG that compensates for the weaknesses of AMAPG. Sections VI and VII present the security and performance analysis results, respectively. Section VIII discusses the performance, and Section IX concludes the paper.

II. PRELIMINARIES
This section introduces the fuzzy extractor, hash function, and threat model used in the study.

A. FUZZY EXTRACTOR
The fuzzy extractor receives the user's biometric information and can use the error tolerance to obtain a unique string. This error tolerance can distinguish biometric information from the same individual even if the biometric information is not exactly the same. This character string is easy to use because it allows an error range for recognizing the biometric information. A fuzzy extractor uses two operators [20]-[25].
GEN and REP are probabilistic generation and deterministic reproduction functions, respectively. GEN returns a factored-out string $P \in \{0, 1\}^k$ for input biometrics $B$ and a coadjutant string $R \in \{0, 1\}^*$. REP is a function that restores $R$ from $P$ and any vector $B^*$ close to $B$.
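The GEN/REP behaviour described above can be seen in a small code-offset construction over a repetition code. This is an added example, not code from the paper: the construction, the toy parameters, and the names `gen`, `rep`, `flip` and `SAMPLE_BIO` are assumptions chosen for illustration, with R as the reproduced secret and P as the public helper, matching the later use R = REP(MU_bio, P).

```python
import hashlib
import secrets

REPEAT = 5         # each secret bit is stored 5 times, so 2 flipped bits per group are corrected
SECRET_BITS = 32   # toy size; the biometric template is SECRET_BITS * REPEAT bits long


def _encode(bits):
    """Repetition code: every bit is repeated REPEAT times."""
    return [b for b in bits for _ in range(REPEAT)]


def _decode(bits):
    """Majority vote over each group of REPEAT bits."""
    return [int(sum(bits[i:i + REPEAT]) > REPEAT // 2)
            for i in range(0, len(bits), REPEAT)]


def gen(bio):
    """GEN(B) -> (R, P): R is the secret string, P the public helper kept on the card."""
    if len(bio) != SECRET_BITS * REPEAT:
        raise ValueError("unexpected template length")
    seed = [secrets.randbits(1) for _ in range(SECRET_BITS)]
    helper = [c ^ b for c, b in zip(_encode(seed), bio)]   # P = C(seed) XOR B
    return hashlib.sha256(bytes(seed)).digest(), helper


def rep(bio_reading, helper):
    """REP(B*, P) -> R, provided B* lies within the code's error tolerance of B."""
    if len(bio_reading) != len(helper):
        raise ValueError("unexpected template length")
    noisy_codeword = [p ^ b for p, b in zip(helper, bio_reading)]  # C(seed) XOR noise
    return hashlib.sha256(bytes(_decode(noisy_codeword))).digest()


def flip(bits, positions):
    """Copy of bits with the given positions inverted (models sensor noise)."""
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


# Constructed sample template, not real biometric data.
SAMPLE_BIO = [(i * 7 + i // 3) % 2 for i in range(SECRET_BITS * REPEAT)]


def demo():
    R, P = gen(SAMPLE_BIO)
    same_user = flip(SAMPLE_BIO, [0, 1, 7, 13, 14, 50])  # at most 2 errors per group
    too_noisy = flip(SAMPLE_BIO, [0, 1, 2])              # 3 errors in one group
    return rep(same_user, P) == R, rep(too_noisy, P) == R


if __name__ == "__main__":
    print(demo())
```

A reading outside the tolerance does not raise an error here; it silently yields a different R, so the caller needs a separate verifier to notice the mismatch. The helper P is public by design, which means the secrecy of R depends on the entropy of the biometric itself.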

B. THREAT MODEL
Based on previous studies [27]-[29], this study establishes a threat model with the following assumptions:
• An attacker can steal the user's smart card and identity.
• Attackers can eavesdrop on messages shared on public channels. In other words, attackers can eavesdrop on the interactions between mobile users (MU) and the foreign agents (FA) and between foreign and home agents (HA).
• An attacker can discover information on a smart card through a side-channel attack.

C. SECURITY PROPERTY IN GLOMONET
For GLOMONET, mobile device-specific network communication must be applied. The requirements of the user authentication scheme for GLOMONET are as follows:
• User anonymity: When an unauthorized attacker eavesdrops on a message, they can track the real-time location of the users from their identities. Hence, GLOMONET requires a protocol that renders its user anonymous.
• Computational efficiency: The usable space of a mobile device is limited; thus, if the protocol occupies a large amount of space, its usefulness decreases. Therefore, an authentication scheme should consider the computational efficiency of the device to which it is to be applied.

III. REVIEW OF RAHMANI ET AL.'S ADVANCED MOBILE AUTHENTICATION PROTOCOL FOR GLOMONET (AMAPG)
This section describes the AMAPG target scheme. This scheme consists of three phases: registration, login and authentication, and password change. The notations used in these phases are listed in Table 1.

A. REGISTRATION PHASE
In the registration step, a smart card is created when the user enters an identity and password; the card stores the user's information with the home agent. The details of the registration phase for AMAPG are as follows:

B. LOGIN AND AUTHENTICATION PHASE
In the login and authentication phase, the user logs in with the smart card created by the user and shares the session key between the mobile user and the foreign agent.
1) MU requests the reader terminal for login by inputting its smart card SC, identity $MU_{id}$, and password $MU_{psw}$.
2) Subsequently, the reader terminal that receives the smart card SC information, identity $MU_{id}$, and password $MU_{psw}$ calculates $PV^* = h(MU_{id} \parallel MU_{psw} \parallel MU_r)$ and checks whether the value $PV^*$ matches the information $PV$ in the smart card SC. If they match, the terminal authenticates MU and generates a random value $N_M$ and a timestamp $T_M$.
and verifies the timestamp $T_M$. If the verification is confirmed, FA generates a random value $N_F$ and timestamp $T_F$ and calculates 3 and authenticates MU and HA. If they are authenticated,

C. PASSWORD CHANGE PHASE
The password change phase of AMAPG is performed in a secure channel as follows.
1) The mobile user MU logs in with the identity $MU_{id}$ and password $MU_{psw}$, gives smart card information $SC = \{SP, PV, MU_r, h(\cdot)\}$ to the reader terminal, and requests a password change.
) updates the old $PV$, and $SP$ is replaced with $PV^{new}$ and $SP^{new}$ on the smart card

IV. ANALYSIS OF RAHMANI ET AL.'S AMAPG
This section describes the above vulnerabilities in AMAPG step by step.

A. LOSS OF SMART CARD INFORMATION
A side-channel attack can steal information on a smart card. In general, three methods exist for side-channel attacks. We assume that smart-card information can easily be extracted through the following attacks [26]:
1) Timing Attacks: These attacks work by measuring the time taken to perform the unit operation.
faulty operations, with the expectation that the results of the fault operation will leak information regarding the secret keys involved.

B. PASSWORD GUESSING ATTACK
Using stolen smart card information (Section IV-A) and assuming that the user's identity is known, an attack that guesses the user's password can be attempted. The details are as follows.
1) The attacker obtains the $PV$ and $MU_r$ information from the user's smart card. It is also assumed that $MU_{id}$ is known.
attacker enters the user's identity $MU_{id}$, $MU_r$, and $PV$ values, and extracts the password.

C. SESSION KEY DISCLOSURE ATTACK
If an attacker is involved in the registration phase, they can steal session keys of the mobile user and the foreign agent.
1) The attacker steals the HID value in the registration phase.

V. SMASG: THE PROPOSED SCHEME
To compensate for the vulnerabilities in AMAPG, we propose a novel scheme, SMASG, that uses a fuzzy extractor to authenticate the user's biometric information. It consists of three phases: registration, login and authentication, and password change, as shown in Figure 2. The details are as follows.

A. REGISTRATION PHASE
MU inputs the user information and receives a smart card SC from the home agent HA. HA provides MU the information required for the smart card and stores the user's information in its database DB. The details are presented in Figure 3.
1) MU inputs identity $MU_{id}$, password $MU_{psw}$, and the biometric information $MU_{bio}$. The fuzzy extractor receives $MU_{bio}$ and generates (R, and sends the $PID$ and hash function $h(\cdot)$ to HA.

C. PASSWORD CHANGE PHASE
We provide users with the opportunity to change their old passwords. This prepares an option so that the password can be changed regularly for safety, or if the password is exposed. In SMASG, when MU changes password $MU_{psw}$, we pursue the following process.
1) MU inputs the original identity $MU_{id}$, password $MU^{old}_{psw}$, and biometric information $MU_{bio}$ into its smart card.
2) The smart card calculates $R = REP(MU_{bio}, P)$, , $HID = SP \oplus RID$, and $PV^{old} = h(x \parallel HID)$, compares $PV^{old}$ with $PV^{old}$ of the smart card SC, and checks whether MU has correctly entered the user information.
3) MU inputs the new password $MU^{new}_{psw}$ into the smart card SC. HID). MU's smart card sends $PID^{new}$ along with the original $PID^{old}$ to HA on a secure channel, such that HA updates the $PID^{old}$ information in its database DB with $PID^{new}$.
5) Smart card SC finally updates the original $PV^{old}$ using the information from the new $PV^{new}$.

VI. SECURITY ANALYSIS OF SMASG
In this section, we analyze the security of SMASG in two ways: formal and informal security analyses. We used the formal protocol verification tool called ProVerif and BAN logic in Section VI-A to demonstrate the security of our scheme. We also provide a theoretical security analysis of this protocol in Section VI-B. Through this verification, we demonstrate the safety of the proposed scheme.

A. FORMAL SECURITY ANALYSIS
We verified the protocol using two well-known security-analysis tools. The first method involves verification using ProVerif software. The second method involves verification using the BAN logic. The details are as follows:

1) Security proof through ProVerif
We used ProVerif to analyze the security and correctness of the proposed scheme. ProVerif has been widely used to verify security protocols [30], [31], [35]. This software tool formally verifies the security of cryptographic protocols. We define basic cryptographic primitives, such as hash functions, encryption, digital signatures, and bit commitment. This tool can systematically prove cryptographic properties such as reachability, secrecy, correspondence, and some observational equivalence properties. ProVerif has two unique design characteristics. First, it uses an extension of pi-calculus with cryptography; thus, it supports various types of cryptographic primitives. In addition, ProVerif analyzes protocols after translating them into Horn clauses; therefore, it can verify the security features in an unbounded number of sessions.
We use three channels: a registration channel (mobile user-home agent channel) (cha), a mobile user-foreign agent channel (chb), and a foreign agent-home agent channel (chc). Table 4 lists the variables, constants, secret keys, functions, and events.
When we run the query in Table 2, we obtain the following results: is false.

3) RESULT not attacker(QUERY) is true.
4) RESULT not attacker(QUERY) is false.
"RESULT inj-event(EVENTA) ==> inj-event(EVENTB) is true." indicates that the process from EVENTA to EVENTB has been authenticated. By contrast, "RESULT inj-event(EVENTA) ==> inj-event(EVENTB) is false." indicates that the authentication from EVENTA to EVENTB is not successful. "RESULT not attacker(QUERY) is true." implies that an attacker cannot get a free name QUERY, and "RESULT not attacker(QUERY) is false." implies that an attacker can trace the QUERY.
The results for the queries in Table 2 are listed in Table 3. In this case, the authentication process is performed correctly and the attacker cannot obtain $MU_{id}$.

Notation: Description
$P \mid\equiv X$: P believes that X holds
$P \triangleleft X$: P sees/holds that X
$P \mid\sim X$: P has once said that X
$P \Rightarrow X$: P has complete control over X
$\#(X)$: X is fresh and recent
$P \stackrel{K}{\longleftrightarrow} Q$: P and Q share secret key K
$\langle X \rangle_K$: X encrypted with key K
$(X)_h$: hashed X

We also use the following BAN logic postulates. Assuming that formulas $X_1, X_2, \ldots, X_n$ are performed and Y is performed, it is written as follows: According to [1], [11], [32], the following rule is applied.

5) $P_5$ (Freshness-conjuncatenation rule): $\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$
6) $P_6$ (Jurisdiction rule): $\frac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$

When the message in the registration phase is completed, the messages exchanged in the login and authentication phases are expressed and idealized as follows:
1) When using T H ⟩ HID
To derive the goal of our scheme, we make the following assumptions:

B. INFORMAL SECURITY ANALYSIS
We performed a formal analysis in Section VI-A. However, according to [33], [34], formal analysis is not sufficient to prove security. Therefore, we further analyzed our scheme using an informal analysis. We present a theoretical analysis of the SMASG. Subsequently, we briefly explain the results of the informal security analysis.

1) Privileged Insider Attack
In the registration phase, the mobile user (MU) sends the value $PID = h(MU_{id} \parallel MU_{psw})$, created using identity $MU_{id}$ and password $MU_{psw}$, to the home agent (HA). At this time, no information is disclosed, and there is no way to know personal information because $RID = h(MU_{id} \parallel R)$, $PID = h(MU_{id} \parallel MU_{psw})$, $SP = HID \oplus RID$, and $PV = h(h(MU_{id} \parallel MU_{psw} \parallel R) \parallel HID)$ are encrypted along with MU's information. Therefore, it is safe against privileged insider attacks.

2) Outsider Attack
The information contained in smart card SC is $\{SP, PV, REP, P, h(\cdot)\}$, and the mobile user (MU) cannot be identified.
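The difference between the AMAPG card check of Section III-B and the SMASG card values listed above can be made concrete by implementing both verifiers and seeing which inputs each one depends on. This is an added example, not code from the paper: the dictionary field names, the sample values, the length-prefixed hash, and the form x = h(MU_id ∥ MU_psw ∥ R) (taken from the PV formula in Section VI-B) are assumptions, and R is a constructed stand-in for the output of REP.

```python
import hashlib
import hmac


def h(*parts):
    """h(a ∥ b ∥ ...): SHA-256 over length-prefixed parts (prefixing is an implementation choice)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def amapg_card(mu_id, psw, mu_r):
    """AMAPG card fields read by the login check (SP is left out; the check never uses it)."""
    return {"PV": h(mu_id, psw, mu_r), "MUr": mu_r}


def amapg_check(card, mu_id, psw):
    # PV* = h(MUid ∥ MUpsw ∥ MUr): apart from the password, every input is on the card
    # or, per the threat model, known to whoever holds the card.
    return hmac.compare_digest(h(mu_id, psw, card["MUr"]), card["PV"])


def smasg_card(mu_id, psw, R, P, HID):
    """SMASG card fields: SP = HID xor RID, PV = h(h(MUid ∥ MUpsw ∥ R) ∥ HID), helper P."""
    RID = h(mu_id, R)
    return {"SP": xor(HID, RID), "PV": h(h(mu_id, psw, R), HID), "P": P}


def smasg_check(card, mu_id, psw, R):
    # R must come from REP(MUbio, P); it is not stored on the card.
    RID = h(mu_id, R)
    HID = xor(card["SP"], RID)
    x = h(mu_id, psw, R)            # assumed form of x
    return hmac.compare_digest(h(x, HID), card["PV"])


def passing(check, candidates):
    """Candidates that the given verifier accepts."""
    return [c for c in candidates if check(c)]


# Constructed sample values, for illustration only.
MU_ID = b"mu-0001"
PSW = b"correct horse"
MU_R = bytes(range(16))
R = hashlib.sha256(b"constructed REP output").digest()
P = b"constructed-helper-string"
HID = hashlib.sha256(b"constructed HID").digest()
CANDIDATES = [b"123456", b"letmein", PSW, b"password1"]


def demo():
    a = amapg_card(MU_ID, PSW, MU_R)
    s = smasg_card(MU_ID, PSW, R, P, HID)
    no_biometric = bytes(32)        # card holder without the user's biometric cannot derive R
    return {
        "amapg_card_only": passing(lambda c: amapg_check(a, MU_ID, c), CANDIDATES),
        "smasg_card_only": passing(lambda c: smasg_check(s, MU_ID, c, no_biometric), CANDIDATES),
        "smasg_with_R": passing(lambda c: smasg_check(s, MU_ID, c, R), CANDIDATES),
    }


if __name__ == "__main__":
    print(demo())
```

The AMAPG verifier accepts the correct candidate from card data and identity alone, whereas the SMASG verifier accepts nothing until the correct R is supplied. That protection is only as strong as the unpredictability of R given the public helper P.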

3) Offline ID Guessing Attack
MU's identity is not disclosed in the plain text of the scheme. Although the identity of MU contains information in $RID$, $PID$, and $x$, it is encrypted with the hash functions, $R$ and $MU_{psw}$.

4) Online ID Guessing Attack
As mentioned in the offline ID-guessing attack, the identity of MU is not disclosed in plain text. Therefore, this protects the protocol from online ID-guessing attacks.

5) Session Key Disclosure Attack
Session-key information is expressed as $SK = h(N_M \parallel N_F \parallel N_H)$. At this time, $N_M$, $N_F$, and $N_H$ are not directly disclosed, and an outside intruder cannot determine the session key because they cannot be calculated unless they are involved.

6) Mobile User Impersonation Attack
The information in MU is authenticated when HA checks the value of $A = h(V_2 \parallel N_F)$. Because we calculate the session-key value using the information generated in $A$ and confirm the information of MU through $PID$, the protocol is safe from mobile user-impersonation attacks.

7) Home Agent Impersonation Attack
In SMASG, foreign agents FA and MU verify the home agent (HA) in a manner that checks respectively, to prevent impersonation attacks.

8) Replay Attack
An attacker can send the user MU's previous login message back to FA. However, because the attacker does not have access to the $HID$, he/she cannot create a session key $SK$, and therefore, cannot perform a replay attack.

VII. PERFORMANCE ANALYSIS OF SMASG
The four symbols necessary for performance analysis are as follows [36]-[38]: $T_{Rep}$ is the time required to check for a match when recognizing a mobile user (MU)'s biometric $MU_{bio}$. $T_h$ denotes hash time. $T_m$ denotes the time of the multiplicative operation used in the elliptic curve cryptography (ECC). $T_s$ denotes the time required for the symmetric encryption or decryption. These values are listed in Table 12. Table 9 lists the computer hardware and software used to calculate the algorithm runtime. We compared our scheme with the state-of-the-art schemes proposed by Madhusudhan et al. [13], Nikooghadama et al. [14], and AMAPG [11].
The costs for the registration phases are listed in Table 10. Table 11 compares the costs of the login and authentication phases. The scheme of Madhusudhan et al. [13] uses ECC cryptography, symmetric cryptography, and hash functions. Therefore, the time taken for the registration phase is 51.8 ms, and the time taken for the login and authentication phase is 88.1 ms. Nikooghadama et al. [14]'s scheme also uses the ECC encryption method, symmetric encryption method, and hash function to consume 54.3 ms for the registration phase and 311.7 ms for the login and authentication phase. AMAPG [11] only uses a hash function. At this time, it takes 2 ms for the registration phase and 9 ms for the login and authentication phases.
In contrast, our proposed scheme, SMASG, uses a hash function and a biometric fuzzy extractor, and consumes 3 ms in the registration phase and 9.5 ms in the login and authentication phases. The registration computation cost is listed in Table 10, and the login and authentication costs are listed in Table 11.

VIII. DISCUSSION OF PERFORMANCE
The proposed scheme, SMASG, is a secure user authentication scheme that overcomes the weaknesses of AMAPG [11] and uses biometric information from mobile users. We used a fuzzy extractor to safely extract biometric information.
Our study compares the performance of three schemes [13], [14], and [11] in Section VII. Compared to Madhusudhan et al.'s scheme [13], SMASG takes 0.058 times as long for the registration phase and 0.108 times as long for the login and authentication phase; compared to [14], it takes 0.055 and 0.030 times as long, respectively; and compared to [11], it takes 1.5 and 1.056 times as long, respectively. Because SMASG is an improved scheme of [11], it overcomes the small gap in time by fully addressing their vulnerabilities.
Therefore, on average, the time taken for the registration phase was reduced by 91.67%, the time taken for the login and authentication phases was reduced by 93.03%, and the performance was greatly improved to 1101.11% and 1334.39%, respectively.

IX. CONCLUSION
A recent study proposed AMAPG, a GLOMONET-based authentication scheme. It is efficient because it is designed to be lightweight and involves simple operations such as hash function and XOR operation; however, we found a critical vulnerability in this protocol. First, smart cards store vital information; therefore, the information is exposed when the smart card is stolen. In addition, it is vulnerable to password-guessing attacks. Third, because attackers can steal session keys, the security of future messages is not guaranteed.
Three elements were used to solve these AMAPG issues: identity, password, and biometric information. Biometrics is a function used in most mobile devices; therefore, there are no technical problems in its use. SMASG, a new scheme using these three elements, provides security verification of the proposed scheme using ProVerif and shows that it performs better than other proposed schemes.
Our proposed method, SMASG, is a lightweight scheme that can be implemented only with a hash function, XOR operation, and fuzzy extractor. The SMASG assumes that a foreign agent is an honest user. However, in some applications, users may not want to trust the foreign agents. This scenario has not been addressed. Our scheme is not suitable for scenarios in which the mobile user does not trust the foreign agent. Therefore, this case is left for future work.
DONGHO WON received B.S., M.S. and Ph.D. in Electronic Engineering from Sungkyunkwan University, South Korea. After working in Electronics and Telecommunication Research Institute for two years, he joined Sungkyunkwan University. He also served as a President of Korea Institute of Information Security and Cryptography. His research interests are cryptology and information security.