On the Security of a Secure Anonymous Authentication Protocol for Mobile Services on Elliptic Curve Cryptography

With the rapid development of mobile communication technologies, more and more mobile users use their mobile devices anywhere. Therefore, it is important to provide authentication process in three parties, i.e., a mobile user (MU), a home agent (HA), and a foreign agent (FA). In 2016, Reddy et al. proposed a secure and anonymous mobile authentication scheme. In their scheme, they first pointed out that Memon et al.'s scheme suffer from four secure issues, i.e., the impersonation attack, imperfect mutual authentication, unverifiable password changing phase, and the insider attack. Then, the authors proposed an improved scheme and claimed that their scheme can provide user anonymity and resist most famous attacks. Unfortunately, we have found that their scheme cannot resist known session-specific temporary information attack (KSTIA). In addition, when HA wants to charge MU fees for providing service, or, as FA and MU have argued, HA cannot find the real identity of MU. Finally, their scheme cannot achieve the mutual authentication and the session key agreement. Therefore, in this paper, we presented those weaknesses of Reddy et al.'s scheme.