
A Server Spoofing Attack on Zhang et al. SIP Authentication Protocol

Mourade Azrour, Yousef Farhaoui, Mohammed Ouanan


In recent years, the Internet and online services have become very important in human life. Telephony over IP (ToIP) is one of those services. Session Initiation Protocol (SIP) is the signaling protocol most widely used by ToIP; because it is delivered over unsecured public networks, SIP authentication has become more and more important. In 2013, Zhang et al. proposed an improved authentication protocol for SIP and showed that their protocol is secure against various attacks. However, in this work we prove that Zhang et al.'s protocol is insecure against a server spoofing attack. As a result, we propose a new SIP authentication protocol to overcome this weakness. The performance analysis shows that our protocol is secure against different attacks and that it is efficient. Furthermore, we used the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool to simulate the proposed protocol; the result obtained confirms that our protocol is SAFE under the OFMC and CL-AtSe models, so our proposed scheme is secure against active and passive attacks.


Session Initiation Protocol; security; authentication protocol; Elliptic Curve Cryptography; Smart card; server spoofing attack.
