Enhanced Session Initiation Protocols for Emergency Healthcare Applications

09/25/2018 ∙ by Saha Sourav, et al. ∙ BITS Pilani IIIT Sri City

In medical emergencies, instant and secure messaging is an important service for providing quality healthcare. The session initiation protocol (SIP) is an IP-based multimedia and telephony communication protocol used to provide instant messaging services. Thus, the design of a secure and efficient SIP for quality medical services is an emerging problem. In this paper, we first explore the security limitations of the existing SIPs proposed by Sureshkumar et al. and Zhang et al. in the literature. Our analysis shows that most of the existing schemes fail to protect the user credentials when the session-specific ephemeral secrets are unexpectedly revealed to an adversary through session exposure attacks. We then present a possible improvement over Sureshkumar et al.'s scheme without increasing the computational cost. We compare the proposed improvement with various related existing schemes in the literature in terms of computational overhead and security features.


1 Introduction

With the recent advances in mobile healthcare applications, the demand for secure SIP for emergency messaging alerts is increasing dramatically. E-health services present one of the major societal and economic challenges around the world, particularly for the aging society. Due to the rapid growth in the number of aged people suffering from chronic diseases, there is an emerging need for fast, high-quality and low-cost healthcare services. As a result, the primary focus has shifted towards delivering real-time health monitoring and quality healthcare services to patients in their respective localities in a secure and efficient way, particularly in medical emergencies [1]. In emergency medical services (EMS), the system can send an emergency request when a patient is in a critical situation. Several EMS are available in which the emergency request (instant message) or multimedia services (transmission of voice and video calls) can be sent via cellular networks (4G/LTE, 3G) [2], [3].

In the last couple of years, Voice-over-IP (VoIP) has been used mostly for multimedia data communication. VoIP makes it possible to place calls over a standard Internet broadband connection instead of the public switched telephone network [4], [5], [6]. On the other hand, SIP is typically used for IP-based telephony authentication, and it is robust and superior to VoIP for instant messaging, Internet telephone calls as well as Internet multimedia messages. SIP is used for multimedia data communications in 4G/LTE or 3G mobile networks by the 3GPP (3rd Generation Partnership Project) [7]. SIP has been standardized by the Internet Engineering Task Force as a standard for IP telephony [8]. SIP is a client/server-based authentication scheme, and it works on the basis of the digest access authentication protocol for HTTP (Hypertext Transfer Protocol) [9]. In the healthcare system, when a patient wants to send an emergency request, he/she has to perform the authentication process with the remote server for secure communication. According to Salsano et al. [10] and Keromytis et al. [11], it is quite easy for a malicious/unauthorized user to raise a spam call or send a manipulated message to the server. If an adversary can eavesdrop on, intercept or modify the emergency request, the result can be catastrophic for a patient.

Figure 1: Proposed architecture for IoT based patient monitoring System.

We consider a network scenario as shown in Figure 1. In this model, the mobile care unit (MCU) collects information from the body sensors of the patient. The MCU is responsible for monitoring the patient’s health data and sending the emergency request to the hospital server through a cellular network. Since the health data and resources are valuable in emergency medical situations, the hospital server (authentication server) must ensure the validity of the received request. Therefore, ensuring security while maintaining efficiency is one of the important concerns in SIP for healthcare applications. In this paper, we consider the widely accepted Canetti-Krawczyk adversary (CK-adversary) model [12] to analyze the existing SIPs. According to the CK-adversary model, an authentication protocol should satisfy the following two security properties [13], [14].

  • Future sessions should remain secure even if session-specific ephemeral secrets are unexpectedly revealed to an adversary through a session exposure attack.

  • All past sessions should remain secure even if the long-term keys of some/all of the users as well as the server are compromised by an adversary.

In addition, the user’s secret credentials should be protected against an adversary; that is, even if the session-specific ephemeral secrets are revealed to an adversary, he/she cannot derive the user’s secret credentials such as identity and password.

1.1 Organization of the paper

The rest of the paper is organized as follows. In Section 2, we briefly discuss the required mathematical preliminaries to review and analyze the security pitfall of the existing schemes. In Section 3, we discuss the related work. In Sections 4 & 5, we review and analyze the security weakness of the existing schemes. We then discuss the possible improvement in Section 6. The performance analysis is presented in Section 7. Finally, we discuss the conclusion and future work in Section 8.

2 Mathematical preliminaries

A non-singular elliptic curve over the finite field is the set of solutions to the congruence , where are constants such that , along with the point at infinity or zero point, denoted by , and be a prime. The set of elliptic curve points forms an abelian group under addition modulo operation [15].

Let be a base point on and generates a cyclic group , whose order is , that is, .

The elliptic curve point multiplication is defined as the repeated additions. For example, if , then is computed as .

Definition 1

Computing is relatively easy for given and . However, computing the scalar for given and is a computationally difficult problem, known as the elliptic curve discrete logarithm problem (ECDLP).

Definition 2 (Computational Diffie-Hellman problem (CDHP))

Given the parameters , computing the value is computationally hard without the knowledge of either or , where .
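As an added illustration of point multiplication and the Diffie-Hellman relation defined above (not code from the paper), the sketch below implements the group law and double-and-add on a toy curve. The curve y^2 = x^3 + 2x + 2 over F_17, the base point (5, 1) of order 19 and all function names are assumptions chosen for readability; parameters this small offer no security.

```python
# Toy parameters (assumed for illustration, NOT secure):
# E: y^2 = x^3 + A*x + B over F_p with p = 17, A = 2, B = 2.
P_MOD, A, B = 17, 2, 2
G = (5, 1)      # base point; generates a cyclic group of prime order 19
ORDER = 19
INF = None      # point at infinity, the identity element of the group


def on_curve(pt):
    """True if pt satisfies the curve congruence (or is the identity)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Elliptic-curve group law, covering identity, inverse and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # p2 = -p1 (also doubling with y = 0)
    if p1 == p2:                        # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                               # chord slope for distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul_naive(k, pt):
    """k*pt exactly as defined in the text: k repeated additions."""
    acc = INF
    for _ in range(k):
        acc = add(acc, pt)
    return acc


def mul(k, pt):
    """k*pt by double-and-add: O(log k) group operations instead of O(k)."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def dh_shared(a, b):
    """Each side combines its own scalar with the other side's public point.
    Both results equal (a*b)G; CDHP is computing it from aG and bG alone."""
    pub_a, pub_b = mul(a, G), mul(b, G)
    return mul(a, pub_b), mul(b, pub_a)


if __name__ == "__main__":
    print([mul(k, G) for k in range(1, ORDER + 1)])
    print(dh_shared(3, 7))
```

With a group of order 19 the scalar can be recovered by listing all multiples, which is why deployed curves use group orders of roughly 256 bits.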

Definition 3 (Collision-resistant one-way hash function)

A collision-resistant one-way hash function , where and , is considered as a deterministic algorithm which takes arbitrary length input binary and outputs a fixed length binary string of length [16], [17].

3 Related Work

An authentication scheme should provide various security features for the SIP-based secure messaging system. The aim of an authentication protocol is to allow the client and server to mutually authenticate each other and share a session key to communicate securely over the public channel. In 1999, Franks et al. [9] derived the original SIP authentication scheme from HTTP digest authentication. Later, Yang et al. [18] found that the scheme of Franks et al. [9] fails to withstand the off-line password guessing attack and the server-spoofing attack, and then proposed a new authentication scheme for SIP. In 2015, Zhang et al. [19] presented an SIP authentication approach using ECC, and they claimed that their scheme satisfies all the required security features. However, Lu et al. [20] and Tu et al. [21] proved that Zhang et al.’s scheme [19] suffers from the insider attack and the impersonation attack, and fails to achieve strong mutual authentication. Further, Tu et al. [21] presented an enhancement over Zhang et al.’s scheme. Lu et al. [20] also proposed an efficient ECC-based SIP with lower computation cost. However, both Farash [7] and Chaudhry et al. [22] analyzed and showed that Tu et al.’s scheme [21] still has security pitfalls, as it fails to provide user anonymity and is insecure against the impersonation attack. Farash [7] further proposed an improved SIP, and simultaneously, Chaudhry et al. also proposed an improved SIP [22]. Recently, Lu et al. [23] and Chaudhry et al. [22] independently analyzed and showed that Farash’s scheme [7] is insecure against the replay attack and the impersonation attack, and fails to provide user anonymity. They further presented improved versions to overcome these drawbacks. In 2017, Sureshkumar et al. [26] proposed an enhanced authentication scheme for SIP by pointing out the limitations of Lu et al. [20], showing that it does not provide user anonymity or the capability to resist user and server impersonation attacks. In this paper, we analyze and explore the security limitations of Zhang et al. [19] and Sureshkumar et al. [26]. Our security analysis is also applicable to most of the existing schemes in the literature; in particular, we consider the related existing SIPs proposed by Lu et al. [20], Tu et al. [21], Farash [7], Chaudhry et al. [22], and Lu et al. [23]. We then propose a possible improvement to withstand the drawbacks found in the existing schemes, and discuss future work.

U & S User & Server
and Chosen identity and password of U
& P Elliptic curve defined over finite field & P a base point on
Point multiplication in , where
& Master private key & Public key of S, respectively, where
A collision-resistant one-way hash function
Current timestamp generated by entity
and Concatenation and Bit-wise XOR operation, respectively
Table 1: Notations used in this paper

4 Review and analysis of Sureshkumar et al.’s Scheme

In this section, we briefly review the SIP proposed by Sureshkumar et al. [26] and then present a security analysis. Sureshkumar et al.’s scheme consists of three phases, namely, the system initialization, registration and authentication phases. We briefly review the three phases of Sureshkumar et al.’s scheme below. Note that hereafter we use the notations listed in Table 1.

Three phases of Sureshkumar et al.’s scheme
Initialization phase
Select elliptic curve and base point
Selects secure one-way hash function
Selects master private key and compute public key
Declares publicly
User registration phase User Server Choose , Computes , , Computes Stores in the database against .
Login and key establishment phase User Server Chooses Computes , , , , , Checks validity of . Accept/Reject. Computes , = Checks . Accept/Reject. Selects Computes , Checks validity of . Accept/Reject. Computes Checks . Accept/Reject. Computes , Checks . Accept/Reject.

Security Analysis

In the following, we describe the security drawbacks of Sureshkumar et al.’s proposed scheme. Assume that an adversary captures all the transmitted messages between user U and server S via a public channel. The list of transcripts of each session is , where , , and . Now we assume that the adversary launches session exposure attacks and obtains the session random secret [12]. The adversary computes the user credentials and as follows using the revealed session ephemeral secret of user U:

  • Computes . Checks whether matches with the parameter from .

  • If it matches, the adversary guesses the identity as follows. Otherwise, it repeats the search for a matching .

    • Computes and .

    • Guesses an identity and checks the validity of . If it is valid, the guessed identity is the original identity .

    • Otherwise, repeats the guessing until a match is found. Since the identity is chosen by the user, off-line guessing of the identity is not hard [26].

Next, the adversary launches the off-line password guessing attack as follows:

  • Guesses a password .

  • Checks the validity of . If it is valid, the guessed password is valid, that is, is .

  • Otherwise, repeats the guessing until a match is found.

Therefore, from the above analysis, it is clear that Sureshkumar et al.’s proposed SIP fails to provide user credential privacy when the session ephemeral secrets are unexpectedly revealed to the adversary.

5 Review and analysis of Zhang et al.’s Scheme

In this section, we review and present a security analysis of Zhang et al.’s scheme [19], and show that their scheme also fails to protect the user credentials under the CK-adversary assumption. Zhang et al.’s scheme consists of three phases: the initialization, registration, and authentication phases. The initialization phase of Zhang et al.’s scheme is the same as in Sureshkumar et al.’s scheme [26]. The other two phases, registration and authentication, of Zhang et al.’s scheme are as follows. Note that the user’s realm is used to prompt for the user identity and password.

User registration phase
User Server
Chooses
=
Stores in the database
Login and key establishment phase User Server Chooses , Computes , , , Chooses , Computes , , , Computes Check . Accept/Reject. Computes , Computes Checks . Accept/Reject. Computes

Security Analysis

We assume that an adversary captures all the transmitted messages between user and server via a public channel. The captured messages are , where , , and . As defined, suppose the session ephemeral secret is unexpectedly revealed to the adversary by the session exposure attacks [12]. Then the adversary can compute the user credentials as follows:

  • Computes and .

  • Checks whether matches with the parameter presented in .

  • If a match is found, and of user with identity .

  • Computes the user identity . Then the adversary launches the off-line password guessing attack as follows.

    • Computes .

    • Guesses a password .

    • Checks the validity of .

    • If it is valid, the guessed password is the original password . Otherwise, repeats the guessing until a match is found.

From the above analysis, it is clear that Zhang et al.’s scheme fails to protect the user secret credentials when the session ephemeral secrets are revealed to the adversary.

6 Proposed Enhancement

In this section, we propose an improvement over Sureshkumar et al.’s scheme [26]. A small modification to the parameters stored in the server database and a small variation in the login request message make the enhanced protocol secure against the defined adversary. Our improved scheme also has three phases, namely the initialization, registration and authentication phases. The registration phase is the same as in Sureshkumar et al.’s scheme [26], and the other phases are presented below.

User registration phase User Server Choose , Computes , , Choose a random number Computes Stores in the database against .
Login and key establishment phase User Server Chooses Computes , , , , Checks validity of . Accept/Reject. Computes , Checks . Accept/Reject. Retrieve which is stored against Chooses Computes , = Checks validity of . Accept/Reject. Computes Checks . Accept/Reject. Computes , Checks . Accept/Reject.

Security Analysis

In our improved version of the protocol, we updated the server database table as : for user . We then modified the request message as . In our scheme, we send instead of sending in Sureshkumar et al.’s scheme [26]. In our case, even if the session ephemeral secret is revealed to an adversary , he/she can only retrieve . Therefore, the adversary has to guess both the identity and the password simultaneously, which is harder than guessing the identity and the password one by one. In contrast, other protocols leave open the option of guessing the identity and the password individually. Therefore, our improved version provides strong credential privacy even in the case of ephemeral leakage, without increasing the computational overheads over Sureshkumar et al.’s protocol [26] and Zhang et al.’s protocol [19].
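The following added example (not from the paper) quantifies that argument with a toy model. The value formulas, the function names and the two dictionaries are assumptions constructed for illustration and are not the schemes' actual messages; the code counts the hash evaluations needed when identity and password can be confirmed one after the other versus only together.

```python
import hashlib
from itertools import product


def h(*fields: str) -> bytes:
    """SHA-256 over length-prefixed fields (stand-in for the one-way hash)."""
    d = hashlib.sha256()
    for f in fields:
        raw = f.encode()
        d.update(len(raw).to_bytes(4, "big") + raw)
    return d.digest()


# Constructed low-entropy dictionaries (user-chosen values are guessable).
IDENTITIES = [f"patient{n:03d}" for n in range(50)]
PASSWORDS = [f"pw{n:04d}" for n in range(200)]


def separable_values(identity: str, password: str):
    """Assumed weak case: one recovered value depends on the identity alone,
    a second one on the password once the identity is known."""
    return h("id", identity), h("pw", identity, password)


def joint_value(identity: str, password: str) -> bytes:
    """Assumed improved case: the only recovered value binds both secrets."""
    return h("cred", identity, password)


def work_separable(v_id: bytes, v_pw: bytes):
    """(credentials, hash evaluations) when each secret is checkable alone."""
    tries = 0
    for ident in IDENTITIES:
        tries += 1
        if h("id", ident) == v_id:
            break
    else:
        return None, tries              # identity not in the dictionary
    for pw in PASSWORDS:
        tries += 1
        if h("pw", ident, pw) == v_pw:
            return (ident, pw), tries
    return None, tries


def work_joint(v: bytes):
    """(credentials, hash evaluations) when only the pair is checkable."""
    tries = 0
    for ident, pw in product(IDENTITIES, PASSWORDS):
        tries += 1
        if h("cred", ident, pw) == v:
            return (ident, pw), tries
    return None, tries


def worst_case_bounds():
    """Additive bound for separable checks, multiplicative for the joint one."""
    n_id, n_pw = len(IDENTITIES), len(PASSWORDS)
    return n_id + n_pw, n_id * n_pw


if __name__ == "__main__":
    ident, pw = IDENTITIES[-1], PASSWORDS[-1]
    print("separable:", work_separable(*separable_values(ident, pw))[1])
    print("joint:    ", work_joint(joint_value(ident, pw))[1])
    print("bounds:   ", worst_case_bounds())
```

The joint search is still finite, so the margin gained is the product of the two dictionary sizes and depends on the entropy of both values.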

7 Performance analysis

In this section, we discuss the performance comparison as well as the security features satisfied by various related schemes in the literature.

| Scheme | Participant: User U | Participant: Server S | Total overhead | Running Time |
|---|---|---|---|---|
| Lu et al. [23] | 3+8 | 3+7 | 6+15 | 0.1074 sec |
| Chaudhry et al. [22] | 3+5 | 3+5 | 6+10 | 0.1058 sec |
| Tu et al. [21] | +5 | +5 | +10 | 0.1058 sec |
| Farash [7] | 4+5 | 3+5 | 7+10 | 0.1229 sec |
| Lu et al. [20] | 2+4 | 2+5 | 4+9 | 0.07128 sec |
| Arshad et al. [24] | 2+4 | 2+4 | +8 | 0.07096 sec |
| Zhang et al. [19] | 3+4 | 3+5 | 6+9 | 0.10548 sec |
| Sureshkumar et al. [26] | 3+7 | 3+5 | 6+12 | 0.10644 sec |
| Ours | 3+6 | 3+5 | 6+11 | 0.10612 sec |

Table 2: Computation cost comparison

In Table 2, we compare the computational overheads required by various existing protocols as well as by our improved version of the protocol. To analyze the computational cost, we use the following notations for the different cryptographic operations: : ECC point multiplication and : cryptographic hash function. We omit other lightweight operations such as symmetric-key encryption/decryption and bitwise exclusive-OR operations from our comparison. In order to estimate the approximate execution timings, we use the experimental results presented in He et al.’s work [27]. The approximate execution timings are 0.0171 sec and 0.00032 sec. From Table 2, it is clear that our proposed improvement requires slightly lower computational cost than the original Sureshkumar et al.’s protocol [26], and our improvement is also comparable with the other existing protocols.

| Scheme | Security features (Y/N, in the order listed in the note below) |
|---|---|
| Lu et al. [23] | N N Y Y N Y Y Y Y Y N |
| Chaudhry et al. [22] | N Y Y N Y Y Y Y Y Y N |
| Tu et al. [21] | N Y N Y N N Y Y Y Y N |
| Farash [7] | N N N Y N N Y Y Y N N |
| Lu et al. [20] | N Y N Y N N Y Y Y Y N |
| Arshad et al. [24] | N Y Y Y N Y Y Y Y Y N |
| Zhang et al. [19] | Y Y N N N N Y Y Y Y N |
| Sureshkumar et al. [26] | Y N Y Y Y Y Y Y Y Y N |
| Ours | Y Y Y Y Y Y Y Y Y Y Y |

Note: : Achieves user anonymity; : Withstands off-line password guessing attack; : Withstands impersonation attack; : Withstands insider attack; : Withstands replay attack; : Achieves strong mutual authentication; : Withstands stolen verifier attack; : Provides session key security; : Achieves perfect forward secrecy; : Withstands man-in-the-middle attack; : Whether it provides credential privacy when the session ephemeral secret is revealed to an adversary;
Y : Provides the security feature; N : Does not provide the security feature.

Table 3: Security requirement comparison

In Table 3, we compare the security features satisfied by the various related existing protocols [23, 22, 21, 7, 20, 24, 19, 26] with those of our improved version of the protocol. We can observe that Lu et al. [23], Chaudhry et al. [22], Tu et al. [21], Farash [7], Lu et al. [20] and Arshad et al. [24] fail to provide user anonymity, because most of them send the username/identity in plaintext to the server through a public channel, or the identity can easily be computed from the transmitted messages. However, according to our observation, from Table 3, the schemes of Lu et al. [23], Tu et al. [21], Farash [7], Lu et al. [20], Arshad et al. [24] and Zhang et al. [19] fail to resist the replay attack. Of course, this attack can be prevented by properly merging the timestamp into the transmitted messages. In addition, impersonation attacks are also a serious concern, which the schemes of Tu et al. [21], Farash [7], Lu et al. [20], and Zhang et al. [19] fail to withstand. Our improved version of the protocol provides more security features along with comparable computational overheads compared to the other existing schemes in the literature. As a result, our proposed improvement performs better in terms of computational efficiency and offers increased security features.

8 Conclusion and Future Work

We have first analyzed the security limitations of the recently proposed session initiation protocols of Sureshkumar et al. and Zhang et al. We have shown that both schemes fail to protect the user secret credentials (identity and password) when the session ephemeral secrets are unexpectedly revealed to an adversary by the session exposure attacks. The security analysis presented in this paper is also applicable to most of the existing schemes in the literature. We then discussed a possible improvement to overcome the pitfalls found in the existing schemes. In addition, we presented security and performance comparisons of the related existing schemes in the literature with the proposed enhanced scheme. In our observation, further study is required in this area of research to design secure and efficient session initiation protocols for quality healthcare services. In future work, we aim to explore novel privacy-preserving approaches for the session initiation protocol, particularly for emergency healthcare applications.

References

  • [1] Aamir Hussain, Rao Wenbi, Aristides Lopes da Silva, Muhammad Nadher, and Muhammad Mudhish. Health and emergency-care platform for the elderly and disabled people in the smart city. Journal of Systems and Software, 110:253–263, 2015.
  • [2] Alvaro Alesanco and José García. Clinical assessment of wireless ECG transmission in real-time cardiac telemonitoring. IEEE Transactions on Information Technology in Biomedicine, 14(5):1144–1152, 2010.
  • [3] Sebastian Thelen, Michael Czaplik, Philipp Meisen, Daniel Schilberg, and Sabina Jeschke. Using off-the-shelf medical devices for biomedical signal monitoring in a telemedicine system for emergency medical services. In Automation, Communication and Cybernetics in Science and Engineering 2015/2016, pages 797–810. Springer, 2016.
  • [4] SK Hafizul Islam, Pandi Vijayakumar, Md Zakirul Alam Bhuiyan, Ruhul Amin, Balamurugan Balusamy, et al. A provably secure three-factor session initiation protocol for multimedia big data communications. IEEE Internet of Things Journal, 2017.
  • [5] Bur Goode. Voice over Internet Protocol (VoIP). Proceedings of the IEEE, 90(9):1495–1517, 2002.
  • [6] Dheerendra Mishra, Ashok Kumar Das, and Sourav Mukhopadhyay. A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card. Peer-to-Peer Networking and Applications, 9(1):171–192, 2016.
  • [7] Mohammad Sabzinejad Farash. Security analysis and enhancements of an improved authentication for session initiation protocol with provable security. Peer-to-Peer Networking and Applications, 9(1):82–91, 2016.
  • [8] Ben Campbell, Jonathan Rosenberg, Henning Schulzrinne, Christian Huitema, and David Gurle. Session initiation protocol extension for instant messaging. 2002.
  • [9] John Franks, Phillip Hallam-Baker, Jeffrey Hostetler, Scott Lawrence, Paul Leach, Ari Luotonen, and Lawrence Stewart. HTTP authentication: Basic and digest access authentication. Technical report, 1999.
  • [10] Stefano Salsano, Luca Veltri, and Donald Papalilo. SIP security issues: the SIP authentication procedure and its processing load. IEEE Network, 16(6):38–44, 2002.
  • [11] Angelos D Keromytis. A comprehensive survey of voice over IP security research. IEEE Communications Surveys & Tutorials, 14(2):514–537, 2012.
  • [12] Ran Canetti and Hugo Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In International Conference on the Theory and Applications of Cryptographic Techniques, Innsbruck, Austria, pages 453–474. Springer, 2001.
  • [13] Vanga Odelu, Ashok Kumar Das, Mohammad Wazid, and Mauro Conti. Provably secure authenticated key agreement scheme for smart grid. IEEE Transactions on Smart Grid, 2016.
  • [14] Vanga Odelu, Ashok Kumar Das, and Adrijit Goswami. A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Transactions on Information Forensics and Security, 10(9):1953–1966, 2015.
  • [15] W. Stallings. Cryptography and Network Security: Principles and Practices. Prentice Hall, Cloth, 3/e edition, 2003.
  • [16] P. Sarkar. A simple and generic construction of authenticated encryption with associated data. ACM Transactions on Information and System Security, 13(4):33, 2010.
  • [17] D. R. Stinson. Some observations on the theory of cryptographic hash functions. Designs, Codes and Cryptography, 38(2):259–277, 2006.
  • [18] Chou-Chen Yang, Ren-Chiun Wang, and Wei-Ting Liu. Secure authentication scheme for session initiation protocol. Computers & Security, 24(5):381–386, 2005.
  • [19] Zezhong Zhang, Qingqing Qi, Neeraj Kumar, Naveen Chilamkurti, and Hwa-Young Jeong. A secure authentication scheme with anonymity for session initiation protocol using elliptic curve cryptography. Multimedia Tools and Applications, 74(10):3477–3488, 2015.
  • [20] Yanrong Lu, Lixiang Li, Haipeng Peng, and Yixian Yang. A secure and efficient mutual authentication scheme for session initiation protocol. Peer-to-Peer Networking and Applications, 9(2):449–459, 2016.
  • [21] Hang Tu, Neeraj Kumar, Naveen Chilamkurti, and Seungmin Rho. An improved authentication protocol for session initiation protocol using smart card. Peer-to-Peer Networking and Applications, 8(5):903–910, 2015.
  • [22] Shehzad Ashraf Chaudhry, Husnain Naqvi, Muhammad Sher, Mohammad Sabzinejad Farash, and Mahmood Ul Hassan. An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Networking and Applications, 10(1):1–15, 2017.
  • [23] Yanrong Lu, Lixiang Li, Haipeng Peng, and Yixian Yang. An anonymous two-factor authenticated key agreement scheme for session initiation protocol using elliptic curve cryptography. Multimedia Tools and Applications, 76(2):1801–1815, 2017.
  • [24] Hamed Arshad and Morteza Nikooghadam. An efficient and secure authentication and key agreement scheme for session initiation protocol using ECC. Multimedia Tools and Applications, 75(1):181–197, 2016.
  • [25] Azeem Irshad, Muhammad Sher, Eid Rehman, Shehzad Ashraf Ch, Mahmood Ul Hassan, and Anwar Ghani. A single round-trip SIP authentication scheme for voice over internet protocol using smart card. Multimedia Tools and Applications, 74(11):3967–3984, 2015.
  • [26] Venkatasamy Sureshkumar, Ruhul Amin, and R Anitha. A robust mutual authentication scheme for session initiation protocol with key establishment. Peer-to-Peer Networking and Applications, pages 1–17, 2017.
  • [27] Debiao He, Neeraj Kumar, Jong-Hyouk Lee, and R Sherratt. Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Transactions on Consumer Electronics, 60(1):30–37, 2014.