Desynchronization resistant privacy preserving user authentication protocol for location based services

Preserving user privacy and authenticity are essential requirements for location based services in order to protect user's confidential information from public exposure and provide secure access to various services. Recently, numerous approaches towards these challenges have been proposed. Many of these are based on dynamic update of fixed parameters (such as pseudonym, transaction sequence number, shared key, counter, etc.) along with symmetric/asymmetric key cryptography, and seems promising in dealing with various security related issues such as unlinkability, forward/backward secrecy, replay attack and stolen verifier attack. However, the concept of dynamic update may affect the system performance in case of desynchronization attack as it requires to perform additional computations or user reregistration in order to resynchronize the peers. In this article, we address the problem of desynchronization attack and propose a privacy preserving user authentication protocol for location based services. The proposed protocol is based on elliptic curve cryptography and introduces dynamic randomized counters in order to synchronize the peers. Also, there is no need to resynchronize the peers in case of desynchronization attack. Additionally, there is no timestamp used in construction of the protocol to avoid clock synchronization problem. The security properties of the protocol are validated both formally and informally. Moreover, the safety of the protocol is assured using AVISPA tool based automated simulation. Finally, a performance comparison has been made against some recently proposed approaches to ensure the effectiveness of our protocol in real life implementations.

Automated summary

This article introduces a privacy-preserving user authentication protocol for location-based services based on elliptic curve cryptography, which includes dynamic randomized counters to synchronize the peers.