An improved and provably secure privacy preserving authentication protocol for SIP

Session Initiation Protocol (SIP) has proved to be the integral part and parcel of any multimedia based application or IP-based telephony service that requires signaling. SIP supports HTTP digest based authentication, and is responsible for creating, maintaining and terminating sessions. To guarantee secure SIP based communication, a number of authentication schemes are proposed, typically most of these are based on smart card due to its temper resistance property. Recently Zhang et al. presented an authenticated key agreement scheme for SIP based on elliptic curve cryptography. However Tu et al. (Peer to Peer Netw. Appl 1–8, 2014 ) finds their scheme to be insecure against user impersonation attack, furthermore they presented an improved scheme and claimed it to be secure against all known attacks. Very recently Farash (Peer to Peer Netw. Appl 1–10, 2014 ) points out that Tu et al.’s scheme is vulnerable to server impersonation attack, Farash also proposed an improvement on Tu et al.’s scheme. However, our analysis in this paper shows that Tu et al.’s scheme is insecure against server impersonation attack. Further both Tu et al.’s scheme and Farash’s improvement do not protect user’s privacy and are vulnerable to replay and denial of services attacks. In order to cope with these limitations, we have proposed a privacy preserving improved authentication scheme based on ECC. The proposed scheme provides mutual authentication as well as resists all known attacks as mentioned by Tu et al. and Farash.