Weakness in a Mutual Authentication Scheme for Session Initiation Protocol using Elliptic Curve Cryptography

TL;DR

This paper critically analyzes a recent elliptic curve-based SIP authentication scheme and reveals its vulnerability to password guessing attacks, highlighting the need for more secure protocols.

Contribution

The paper provides a cryptanalysis of Arshad et al.'s scheme, exposing its weaknesses and demonstrating that it is susceptible to password guessing attacks.

Findings

Arshad et al.'s scheme is vulnerable to password guessing attacks.

The proposed scheme does not fully withstand cryptographic attacks.

Further improvements are needed for secure SIP authentication protocols.

Abstract

The session initiation protocol (SIP) is a powerful signaling protocol that controls communication on the Internet, establishing, maintaining, and terminating the sessions. The services that are enabled by SIP are equally applicable in the world of mobile and ubiquitous computing. In 2009, Tsai proposed an authenticated key agreement scheme as an enhancement to SIP. Very recently, Arshad et al. demonstrated that Tsai's scheme was vulnerable to offline password guessing attack and stolen-verifier attack. They also pointed that Tsai's scheme did not provide known-key secrecy and perfect forward secrecy. In order to overcome the weaknesses, Arshad et al. also proposed an improved mutual authentication scheme based on elliptic curve discrete logarithm problem for SIP and claimed that their scheme can withstand various attacks. In this paper, we do a cryptanalysis of Arshad et al.'s scheme and show that Arshad et al.'s scheme is vulnerable to the password guessing attack.