Provably Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks *


JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 31, (2015)

KUO-YANG WU 1, KUO-YU TSAI 2, TZONG-CHEN WU 1 AND KOUICHI SAKURAI 3
1 Department of Information Management, National Taiwan University of Science and Technology, Taipei, 106 Taiwan
2 Department of Management Information Systems, Hwa Hsia University of Technology, New Taipei City, 235 Taiwan
3 Department of Computer Science and Communication Engineering, Kyushu University, Fukuoka, Japan

This paper presents an anonymous authentication scheme for roaming service in global mobility networks, in which the foreign agent cannot obtain the identity information of the mobile user who is sending the roaming request. In addition, the home agent does not have to maintain any verification table for authenticating the mobile user. We give formal analyses to show that our proposed scheme satisfies the security requirements of user anonymity, mutual authentication, session-key security, and perfect forward secrecy. In addition, some possible attacks on the proposed scheme are discussed, such as the replay attack, the man-in-middle attack, the impersonation attack, and the insider attack.

Keywords: user anonymity, mutual authentication, global mobility network, perfect forward security, replay attack, man-in-the-middle attack, impersonation attack

1. INTRODUCTION

A Global Mobility Network (GLOMONET for short) can facilitate a global roaming service, such that a mobile user can access various internet resources by using his/her handheld device (e.g., a smart phone) anytime and anywhere. Put simply, there are three kinds of roles in the GLOMONET: the mobile user (), the home agent (HA), and the foreign agent (FA). Initially, each should register with a home agent, namely as the HA, within its domain. When an is roaming to the domain of a foreign agent whom is not the having originally registered with, such agent is served as the FA for the. In the GLOMONET, every pair of agents, each of which may serve as HA or FA, shares a common secret key in advance. This shared secret key can be used for entity authentication and message protection between the two connected agents, i.e., the HA and the FA with regard to a roaming. However, the messages or the requests transmitted over the radio waves between the and the FA are publicly accessible. Beyond the basic authentication requirement, this gives rise to additional security requirements for user anonymity (or privacy protection) and message protection in the GLOMONET.

Received January 7, 2013; revised June 26, 2014; accepted August 27, Communicated by Wen-Guey Tzeng.
* This work is supported partially by Ministry of Science and Technology under the Grant E MY2 and E MY2, and Taiwan Information Security Center (TWISC).

In 2004, Zhu and Ma [1] proposed an authentication scheme providing user anonymity in the GLOMONET. They claimed that in the proposed scheme FA cannot obtain s identity embedded in the service requests. Later, Lee et al. [2] pointed out that the identity of could be exposed to FA in Zhu and Ma's scheme, and they further proposed an enforced scheme to resolve it. However, Wu et al. [3] demonstrated that Lee et al.'s enforced scheme [2] still cannot satisfy the properties of user anonymity and backward secrecy. Since then, several improvements or variants of the original Zhu and Ma's scheme have been developed.

Basically, there are three kinds of approaches to designing authentication schemes for roaming service. In the first kind of approach [4-6], the communicating parties encrypt their transmitted messages sometimes with asymmetric cryptosystems and sometimes with symmetric cryptosystems. However, asymmetric cryptosystems are costly in computational requirements and bandwidth for mobile devices in the GLOMONET. The second kind of approach [7-11] allows the communicating parties to encrypt their transmitted messages by using the exclusive-or operation, and the third kind of approach [12-15] allows the communicating parties to encrypt their transmitted messages by using symmetric cryptosystems. They are more efficient, but most of them cannot achieve some important security requirements, forward secrecy especially. Cost effectiveness and security robustness are the two major design principles for key establishment in authentication schemes.

In this paper, we propose a provably secure anonymous authentication scheme for roaming service in the GLOMONET. Like the authentication scheme proposed by Chen et al. [12], our proposed anonymous authentication scheme adopts the password-based approach and allows the s to change their passwords freely. Moreover, there is no password table or verification table required by the HA (or the FA) for authenticating the connected s. Based upon the adversary models defined by Canetti and Krawczyk [16], we also show that our proposed scheme satisfies the following security properties [10-12]:

User Anonymity: Except for the HA whom the has registered with, any third party cannot learn about the identity of the roaming.

Mutual Authentication: Any two communicating parties, i.e., the, the FA and the HA, can authenticate each other.

Session-key Security: An adversary cannot learn anything about a session key shared by the and the FA, even though the adversary obtains their past session keys. This property is also known as Backward Secrecy of session keys.

Perfect Forward Secrecy: An adversary cannot compromise the past session keys shared by the and the FA, even though the adversary has compromised the long-term secret keys held by the or the FA.

Replay-attack Resistance: An adversary cannot successfully replay the intercepted messages transmitted between any two communicating parties without detection.

Man-in-middle-attack Resistance: An adversary cannot successfully mount an independent connection and relay the messages between any two communicating parties to let them believe that they are communicating directly with each other.

Impersonation-attack Resistance: An adversary cannot successfully impersonate an, an FA or an HA to cheat the other.

Insider-attack Resistance: A malicious HA cannot conspire with another to impersonate a roaming to authenticate with an FA for session key establishment, although the HA knows the s original password.

2. PRELIMINARIES

In this section, we first introduce the adversary models defined by Canetti and Krawczyk [16], and then present a nonce-based message transmission authenticator (MT-authenticator for short) modified from the framework proposed by Bellare et al. [17]. This modified nonce-based MT-authenticator will be used as the basic construction of our proposed anonymous authentication scheme.

2.1 Canetti and Krawczyk's Adversary Models

Consider the situation in which a set of communicating parties concurrently carry out multiple executions of a message-driven protocol controlled by an adversary. In such a situation, two kinds of adversary models are addressed [16]: the unauthenticated-links model and the authenticated-links model. We use the key exchange protocol as an example to illustrate these two adversary models. Suppose that one party U i with the identity ID i serves as the initiator, and the other party U j with the identity ID j serves as the responder. The input data to the key exchange protocol associated to U i and U j are represented in the form of (ID i, ID j, s, initiator) and (ID j, ID i, s, responder), respectively, where s is a session identifier. We say that the session associated to U i and the session associated to U j are matching if their session identifiers are identical. Details of the adversary models are described as follows.

Unauthenticated-links Model: In this model, there exists a probabilistic polynomial-time attacker, denoted by, who can control the communication links and the schedule for all protocol events. That is, can modify the transmitted messages, inject some messages, and re-schedule the initiation of the protocol and the subsequent message transmission in the protocol. To gain the advantage from the game, can send the following queries to the game simulator:

Session-state Reveal: submits a party's identity and an incomplete session identifier and learns the state of the session. Note that cannot learn any long-term secret information or master keys held by the party.

Session-key Query: submits a party's identity and a complete session identifier, and learns the session key in the intended session.

Session Expiration: submits a party's identity and a complete session identifier for letting the simulator erase the session key and related session states. This query captures the notion of perfect forward secrecy.

Party-corruption Query: decides to corrupt a party and learns all secret information or master keys of the party, and then completely controls the party. After that, the party cannot be activated.

Authenticated-links Model: This model is applicable to the case that the attacker does not have the capability to inject or modify the transmitted messages. In other words, there exists a probabilistic polynomial-time attacker, denoted by, who can only deliver messages generated by one of the communicating parties to the other one.

Note that the adversary models defined above are usually used to formally analyze the security of a key exchange protocol, in which two parties communicate with each other to obtain a session key upon protocol completion. Denote a message-driven protocol in the authenticated-links model, and a message-driven protocol in the unauthenticated-links model. Let X be the interaction that an adversary interacts with in the unauthenticated-links model. Let Y be the interaction that an adversary interacts with in the authenticated-links model. In essence, these two interactions X and Y are computationally indistinguishable to any outsider of the protocol. This implies that the adversary has the ability to emulate to be in the unauthenticated-links model.

2.2 Nonce-based MT-authenticator

In accordance with the well-known Challenge-Response approach, we present a nonce-based MT-authenticator in the following. Let U i with the identity ID i and U j with the identity ID j be two communicating parties. It is assumed that U i and U j share a common secret key SK in advance. To authenticate each other, U i and U j cooperatively perform the authenticator N by the following steps:

Step 1: Initially, U i chooses a message m, and then generates a nonce N i and computes f SK (ID i N i m), where is a concatenation operator and f SK () is regarded as a MAC algorithm with the secret key SK for generating a message authentication code for m. After that, U i sends {m, N i, f SK (ID j N i m)} as a challenge to U j. Here, f SK (ID j N i m) is regarded as a message authentication code for m.

Step 2: Upon receiving the challenge, U j first checks the validity of N i, i.e., if it is used only once. If N i has been used before, the process is aborted. Otherwise, U j computes f SK (ID j N i m) and checks if the computed result is identical to the received one. If it is, then U j confirms that the challenge is indeed sent by U i; otherwise the process is aborted. Afterwards, U i chooses a message m, then generates a nonce N j and computes f SK (ID i N i + 1 N i m ), and sends {m, N i, f SK (ID i N i + 1 N j m )} as a response to U i. Here, f SK (ID i N i + 1 N j m ) is regarded as a message authentication code for m.

Step 3: Upon receiving the response, U i first checks the validity of N j. If N j has been used before, the process is aborted. Otherwise, U i computes f SK (ID i N i + 1 N j m ) and checks if the computed result is identical to the received one. If it is, then U i confirms that the response is indeed sent by U i; otherwise the process is aborted.

Theorem 1: The authenticator N is an MT-authenticator if the MAC algorithm is secure against the chosen message attack.
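The three steps above, as an added Python sketch that is not code from the paper. It assumes HMAC-SHA256 for f SK, length-prefixed fields in place of plain concatenation, 16-byte random nonces, an in-memory replay cache, and that each tag binds the identity of the party the message is addressed to; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def f(sk: bytes, *fields: bytes) -> bytes:
    """f_SK: HMAC-SHA256 over length-prefixed fields (stands in for concatenation)."""
    mac = hmac.new(sk, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()


def plus_one(nonce: bytes) -> bytes:
    """N + 1 on a fixed-width big-endian nonce, wrapping at the width."""
    value = (int.from_bytes(nonce, "big") + 1) % (1 << (8 * len(nonce)))
    return value.to_bytes(len(nonce), "big")


class Party:
    def __init__(self, identity: bytes, sk: bytes):
        self.identity = identity
        self.sk = sk
        self.seen = set()     # peer nonces already accepted (replay cache)
        self.pending = set()  # own challenge nonces still awaiting a response

    def _accept_nonce(self, nonce: bytes, tag: bytes, expected: bytes) -> bool:
        # Reject a reused nonce, but record a nonce only after its tag verifies,
        # so forged messages cannot fill the cache or burn a genuine nonce.
        if nonce in self.seen or not hmac.compare_digest(tag, expected):
            return False
        self.seen.add(nonce)
        return True

    def challenge(self, peer_id: bytes, m: bytes):
        """Step 1: send {m, N_i, tag}; the tag binds the receiver's identity."""
        n_i = secrets.token_bytes(16)
        self.pending.add(n_i)
        return m, n_i, f(self.sk, peer_id, n_i, m)

    def respond(self, peer_id: bytes, challenge, reply: bytes):
        """Step 2: verify the challenge, then answer with {m', N_j, tag}, or None."""
        m, n_i, tag = challenge
        if not self._accept_nonce(n_i, tag, f(self.sk, self.identity, n_i, m)):
            return None
        n_j = secrets.token_bytes(16)
        return reply, n_j, f(self.sk, peer_id, plus_one(n_i), n_j, reply)

    def finish(self, n_i: bytes, response) -> bool:
        """Step 3: accept only a fresh response tied to one of our open challenges."""
        reply, n_j, tag = response
        if n_i not in self.pending:
            return False
        expected = f(self.sk, self.identity, plus_one(n_i), n_j, reply)
        if not self._accept_nonce(n_j, tag, expected):
            return False
        self.pending.discard(n_i)
        return True


def demo():
    """Constructed run: honest exchange, replayed challenge, replayed response, tampering."""
    sk = secrets.token_bytes(32)
    u_i, u_j = Party(b"U_i", sk), Party(b"U_j", sk)
    ch = u_i.challenge(b"U_j", b"hello")
    resp = u_j.respond(b"U_i", ch, b"ack")
    honest = u_i.finish(ch[1], resp)
    replayed_challenge = u_j.respond(b"U_i", ch, b"ack")
    replayed_response = u_i.finish(ch[1], resp)
    ch2 = u_i.challenge(b"U_j", b"pay 10")
    tampered = u_j.respond(b"U_i", (b"pay 99", ch2[1], ch2[2]), b"ack")
    return honest, replayed_challenge, replayed_response, tampered


if __name__ == "__main__":
    print(demo())
```

Binding the receiver's identity into the tag also makes a challenge bounced back to its sender fail verification.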

The interested reader may refer to the detailed proof of Theorem 1 in the literature [16, 17]. It has been shown that the authenticator N is a realization of MT-authenticator based on different cryptographic functions, such as digital signature, message authentication code, and public-key encryption, etc. By applying the same idea, we may construct a varied authenticator to secure a key exchange protocol in the unauthenticated-links model. Recall that the modified nonce-based MT-authenticator stated above will be used as the basic construction of our proposed anonymous authentication scheme for resisting the possible attacks, such as the replay attack, the man-in-middle attack, the impersonation attack, and the insider attack.

3. OUR PROPOSED SCHEME

The system model of our proposed scheme is elaborated from the model developed by Mun et al. [10], which consists of five phases: System Setup, Registration, Authentication and Session Key Establishment, Session Key Update, and Password Change. Denote by the mobile user, HA the home agent, and FA the foreign agent. Note that all agents are set up to be the HA initially, and every pair of agents share a common secret key after the system setup. Any HA will serve as an FA for the roaming s that are out of their original domains in the GLOMONET. Details of these phases are described in the following.

System Setup Phase: For system setup, the following system parameters are defined:

p, q: Large prime numbers, e.g., more than 180 bit-length.
E: An elliptic curve over a finite field p defined by y 2 = x 3 + ax + b, where a, b F p, and 4a 3 + b 2 0.
G: An additive group of order q, where G is a subgroup for the group of points on E.
Q: A base point (or generator) of order q on E.
h 1: A one-way hash function defined as h 1 : {0, 1} * {0, 1} l, where l is a security parameter for resisting the exhaustive search attack in practice.
h 2: A one-way hash function defined as h 2 : G {0, 1} l, where l is a security parameter for resisting the exhaustive search attack in practice.

The system parameters are made public. Afterwards, each HA chooses a long-term secret key K for itself, and a secret key SK shared with the other HA. Denote by SK XY the secret key shared by the home agents X and Y. At the end of system setup, the HA can accept the registration from the subordinated s within its original domain.

Registration Phase: Upon receiving the registration request from a subordinated, the HA computes a password PW and its corresponding authentic information T and C in the form of:

PW = h 1 (ID K R )
T = h 1 (ID HA K R )
C = T h 1 (ID ) PW

where R is randomly chosen, and is the XOR operator. After that, the registering stores C and R into a tamper-proof memory of his/her own mobile device. Note that the and the HA should perform the registration procedure via a secure channel. The registration procedure (see Fig. 1) is listed as follows:

1. HA: {ID }
2. HA : {ID HA, PW, C, R }

Fig. 1. Registration phase.

Authentication and Session Key Establishment Phase: For simplicity, consider the scenario that a roaming mobile user, originally registered with his/her home agent HA, attempts to request a service from a nearby foreign agent FA in the GLOMONET. The participants, i.e., the, the HA, and the FA, cooperatively perform the following procedure (see Fig. 2):

Step 1: The first submits his/her identity ID and password PW to the own mobile device, and then generates an authentic information as T = C h 1 (ID ) PW, where C and R are retrieved from the tamper-proof memory of the own mobile device. Afterwards, the generates a nonce N, randomly chooses an integer b 1 F q and computes b 1 Q on E. After that, the computes MAC, and sends the roaming service request {ID HA, ID FA, N, R, b 1 Q, MAC } to the FA, where MAC = h 1 (T ID HA ID FA N R h 2 (b 1 Q)).

1. FA: {ID HA, ID FA, N, R, b 1 Q, MAC }

Step 2: Upon receiving the roaming service request from the of the foreign domain supervised by the HA, the FA generates a nonce N FA, randomly chooses an integer a 1 F q and then computes a 1 Q on E. After that, the FA computes MAC FA, and then sends {ID FA, N, N FA, R, b 1 Q, a 1 Q, MAC, MAC FA } to the HA for authenticating the, where MAC FA = h 1 (SK HF ID FA N FA N h 2 (a 1 Q) MAC ). Note that SK HF is the secret key shared between the HA and the FA in advance.

2. FA HA: {ID FA, N, N FA, R, b 1 Q, a 1 Q, MAC, MAC FA }

Fig. 2. Authentication and session key establishment phase.

Step 3: For anonymously authenticating the roaming that attempts to access the FA, the HA first computes MAC FA = h 1 (SK HF ID FA N FA N h 2 (a 1 Q) MAC ), and then checks if MAC FA = MAC FA. If it does not hold, the HA aborts the process; otherwise the HA confirms the identification of the FA. Afterwards, the HA computes MAC = h 1 (T ID HA ID FA N R h 2 (b 1 Q)), where T = h 1 (ID HA K R ), and K is the long-term secret key of HA, and then checks if MAC = MAC. If it does not hold, the HA aborts the process; otherwise the HA confirms that the is a legal mobile user with anonymity and accepts his/her roaming request. After that, the HA generates a nonce N HA and computes MAC1 HA and MAC2 HA, and then returns {ID FA, N, N FA, N HA, a 1 Q, b 1 Q, MAC1 HA, MAC2 HA } to the FA, where

MAC1 HA = h 1 (SK HF ID FA N N HA N FA h 2 (b 1 Q))
MAC2 HA = h 1 (T ID FA N N HA N FA h 2 (a 1 Q))

3. HA FA: {ID FA, N, N FA, N HA, a 1 Q, b 1 Q, MAC1 HA, MAC2 HA }

Step 4: Upon receiving the confirmation from the HA, the FA computes MAC1 HA = h 1 (SK HF ID FA N N HA N FA h 2 (b 1 Q)) and checks if MAC1 HA = MAC1 HA. If it holds, then the FA confirms that the roaming is a legal but anonymous mobile user successfully verified by the HA; otherwise the FA aborts the process. Afterwards, the FA computes a session key shared with the in the form of SK FM = h 2 (a 1 b 1 Q) and returns {ID FA, N, N FA, N HA, a 1 Q, MAC2 HA, MAC FM } to the, where MAC FM = h 1 (SK FM ID FA N N FA ).

3. FA : {ID FA, N, N FA, N HA, a 1 Q, MAC2 HA, MAC2 FM }

Step 5: When receiving the confirmation from the FA, the computes MAC2 HA = h 1 (T ID FA N N HA N FA h 2 (a 1 Q)) and checks if MAC2 HA = MAC2 HA. If it does not hold, then aborts the process; otherwise, the obtains the session key shared with the FA in the form of SK FM = h 2 (a 1 b 1 Q). Furthermore, the can confirm the obtained session key by checking if h 1 (SK FM ID FA N N FA ) = MAC FM.

Session Key Update Phase: The and the FA can further renew the shared session key when the still stays within the domain of the FA for enforcing the security of their message transmission in the subsequent sessions. Suppose that the and the FA want to renew the session key at the ith (for i = 2, 3, ) session. First of all, the randomly chooses an integer b i and computes b i Q. Then, the computes (MAC = h 1 (h 2 (a i-1 b i-1 Q) h 2 (b i Q)) with the session key, where (h 2 (a i-1 b i-1 Q) is the session key used in the (i 1st) session. Finally, the sends b i Q and MAC to the FA. Upon receiving {b i Q, MAC }, the FA computes MAC = h 1 (h 2 (a i-1 b i-1 Q) h 2 (b i Q)) and checks if MAC = MAC. If it holds, then the FA confirms that the received b i Q is chosen by the and accepts his/her session key update request; otherwise the FA aborts the process. At this time, the FA randomly chooses a i F q, computes a new session key and its message authentication code in the form of SK FM = h 2 (a i b i Q) and MAC FM = h 1 (SK FM h 2 (a i Q) h 2 (b i Q) h 2 (a i-1 b i-1 Q)) for key confirmation, where h 2 (a i-1 b i-1 Q) is the session key used in the (i 1)th session, and returns {a i, Q, MAC FM } to the. Afterwards, the obtains the new session key SK FM = h 2 (b i a i Q) and checks if h 1 (SK FM h 2 (a i Q) h 2 (b i Q) h 2 (a i-1 b i-1 Q)) = MAC FM for session key confirmation (see Fig. 3).

1. FA: {b i Q, MAC" }
2. FA : {a i Q, MAC' FM }

Fig. 3. Session key update phase.

Password Change Phase: If the wants to change his/her original password PW to a new one PW, he/she only needs to replace C by C = C PW PW without participation of the HA. If the forgets his/her old password, then he/she needs to register with the HA again to get a new password.

4. SECURITY ANALYSIS

Based on the intractability of solving the Elliptic Curve Computational Diffie-Hellman problem (EC-CDHP for short) [19, 20] and reversing the One-Way Hash Function (OWHF for short) [21], we will give a formal analysis to show that our proposed scheme can achieve the security requirements of user anonymity, mutual authentication, session-key security, perfect forward secrecy, replay-attack resistance, man-in-middle-attack resistance, impersonation-attack resistance, and insider-attack resistance.

Definition 1: Elliptic Curve Computational Diffie-Hellman Problem (EC-CDHP): Given Q, aq, bq in E(F q ), it is computationally infeasible to compute abq.

Definition 2: One-way hash function (OWHF): Let h be a one-way hash function; (1) Given a hashing value h(m), it is computationally infeasible to derive the value of m; (2) It is computationally infeasible to find different values m and m satisfying h(m) = h(m ).

Theorem 2: Our proposed scheme achieves user anonymity in the unauthenticated-links model if the advantage Adv, (l) for an adversary is negligible in the unauthenticated-links model.

Proof: Let be an adversary in the unauthenticated-links model, and be a simulator that generates the system parameters for a given security parameter l. According to the simulation defined in Section 2.1, the identity of the is embedded in MAC = h 1 (T ID HA ID FA N R h 2 (b 1 Q)), where T = h 1 (ID HA K R ) and C = TW h 1 (ID ) PW. However, based on the intractability of reversing OWHF, it is computationally infeasible to obtain ID from C, even though knows PW and T. Hence, the advantage Adv. (l) for is negligible in the unauthenticated-links model. This implies that our proposed scheme achieves user anonymity in the unauthenticated-links model.
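The registration, password-change and table-free verification steps of Section 3, which the anonymity argument above refers to, as an added Python sketch that is not the authors' code. It assumes SHA-256 for h 1 and h 2 with length-prefixed fields in place of concatenation, 32-byte password values, and an opaque byte string standing in for the encoded point b 1 Q; class names and sample identities are constructed, and the FA leg and nonce bookkeeping are left out.

```python
import hashlib
import hmac
import secrets


def h1(*fields: bytes) -> bytes:
    """h_1: SHA-256 over length-prefixed fields (stands in for concatenation)."""
    digest = hashlib.sha256(b"h1")
    for field in fields:
        digest.update(len(field).to_bytes(4, "big") + field)
    return digest.digest()


def h2(encoded_point: bytes) -> bytes:
    """h_2: hash of an encoded curve point to a 32-byte string."""
    return hashlib.sha256(b"h2" + encoded_point).digest()


def xor(a: bytes, b: bytes, c: bytes) -> bytes:
    """XOR of three equal-length byte strings."""
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))


class HomeAgent:
    """Holds only its identity and long-term key K; there is no per-user table."""

    def __init__(self, identity: bytes):
        self.identity = identity
        self.k = secrets.token_bytes(32)

    def register(self, id_mu: bytes):
        """Registration: returns (PW, C, R) for the user's device and stores nothing."""
        r = secrets.token_bytes(16)
        pw = h1(id_mu, self.k, r)
        t = h1(self.identity, self.k, r)
        return pw, xor(t, h1(id_mu), pw), r

    def verify(self, req: dict) -> bool:
        """Step 3 check of the user's MAC: T is rebuilt from K and the received R."""
        t = h1(self.identity, self.k, req["r"])
        expected = h1(t, req["id_ha"], req["id_fa"], req["n"], req["r"], h2(req["b1q"]))
        return hmac.compare_digest(expected, req["mac"])


class Device:
    """Tamper-proof memory of the mobile device: C and R only (neither PW nor T)."""

    def __init__(self, id_mu: bytes, c: bytes, r: bytes):
        self.id_mu, self.c, self.r = id_mu, c, r

    def change_password(self, old_pw: bytes, new_pw: bytes) -> None:
        """Password change without the HA: C' = C xor PW xor PW'."""
        self.c = xor(self.c, old_pw, new_pw)

    def request(self, pw: bytes, id_ha: bytes, id_fa: bytes, b1q: bytes) -> dict:
        """Step 1: T = C xor h_1(ID) xor PW, then a request that never carries ID."""
        t = xor(self.c, h1(self.id_mu), pw)
        n = secrets.token_bytes(16)
        mac = h1(t, id_ha, id_fa, n, self.r, h2(b1q))
        return {"id_ha": id_ha, "id_fa": id_fa, "n": n, "r": self.r, "b1q": b1q, "mac": mac}


def demo():
    """Constructed run; returns (accepted, wrong password, after change, old password)."""
    ha = HomeAgent(b"HA-1")
    pw, c, r = ha.register(b"alice")
    dev = Device(b"alice", c, r)
    b1q = secrets.token_bytes(33)  # stand-in for an encoded point b1*Q (assumption)
    accepted = ha.verify(dev.request(pw, b"HA-1", b"FA-7", b1q))
    wrong_pw = ha.verify(dev.request(bytes(32), b"HA-1", b"FA-7", b1q))
    new_pw = hashlib.sha256(b"a new passphrase").digest()  # assumed password encoding
    dev.change_password(pw, new_pw)
    # T itself is unchanged by the update, so the HA still accepts without being told.
    after_change = ha.verify(dev.request(new_pw, b"HA-1", b"FA-7", b1q))
    old_pw = ha.verify(dev.request(pw, b"HA-1", b"FA-7", b1q))
    return accepted, wrong_pw, after_change, old_pw


if __name__ == "__main__":
    print(demo())
```

Because R is fixed at registration and carried in every request, two requests from the same device share it: the request hides ID, but an observer of the radio link can still tell that both came from one device.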

Theorem 3: Our proposed scheme is session-key secure in both the authenticated-links model and the unauthenticated-links model.

Proof: Let be an adversary in an authenticated-links model, and be a simulator that generates the system parameters for a given security parameter l. Given (Q, aq, bq) for some a and b, the goal of is to output abq. To do that, can send the queries defined in Section 2.1 to for obtaining the session key h 2 (a 1 b 1 Q). However, based on the intractability of EC-CDHP, it is computationally infeasible to obtain a 1 b 1 Q for given a 1 Q and b 1 Q. Hence, the advantage Adv, (l) for is negligible in the authenticated-links model. That is, our proposed scheme is session-key secure in the authenticated-links model. Furthermore, by Theorems 1 and 2, the advantage Adv, (l) for an adversary is also negligible in the unauthenticated-links model. This implies that our proposed scheme is also session-key secure in the unauthenticated model.

Theorem 4: Our proposed scheme is perfect forward secure in the unauthenticated-links model if the advantage Adv. (l) for an adversary is negligible in the unauthenticated-links model.

Proof: Let be an adversary in the unauthenticated-links model and be a simulator that generates the system parameters for a given security parameter l. According to the adversary models defined in Section 2.1, it is assumed that has compromised the long-term secret keys held by the or the FA before the session expires. Under this assumption, still has to face the intractability of EC-CDHP to obtain a 1 b 1 Q for given a 1 Q and b 1 Q. That means cannot compromise the past session keys shared by the and the FA. Hence, the advantage Adv, (l) for is negligible in the unauthenticated-links model. This implies that our proposed scheme achieves perfect forward secrecy in the unauthenticated-links model.
In the following, we will discuss how our proposed scheme achieves mutual authentication between any two communicating parties (i.e.,, FA or HA), and resists possible attacks such as the replay attack, the man-in-middle attack, the impersonation attack, and the insider attack.

Mutual Authentication: Recall the simplified steps listed in Authentication and Key Establishment phase:

1. FA: {ID HA, ID FA, N, R, b 1 Q, MAC }
2. FA HA: {ID FA, N, N FA, R, b 1 Q, a 1 Q, MAC, MAC FA }
3. HA FA: {ID FA, N, N FA, N HA, a 1 Q, b 1 Q, MAC1 HA, MAC2 HA }
4. FA : {ID FA, N, N FA, N HA, a 1 Q, MAC2 HA, MAC1 FM }

It is easy to see that the HA can authenticate the if the received MAC is successfully verified by Step 2, while the can authenticate the HA if the received MAC2 HA is successfully verified by Step 4. Next, the HA can authenticate the FA if the received MAC FA is successfully verified by Step 2, while the FA can authenticate the HA if the received MAC1 HA is successfully verified by Step 3. This implies that if the HA has authenticated the FA and returns MAC1 HA in Step 3, then the FA can further authenticate the indirectly. For the same reason, if the HA has authenticated the FA and returns MAC2 HA in Step 4, then the can further authenticate the FA indirectly. Hence, our scheme can achieve mutual authentication for any two communicating parties among the, the HA and the FA.

Replay-attack Resistance: In our proposed scheme, all MACs in the transmitted messages are constructed from a keyed hash function using time-variant nonces as its input. An attempt to replay these transmitted messages without refreshing the corresponding MACs will be detected by either side of the communicating parties.

Man-in-middle-attack Resistance: To succeed in such an attack, the attacker has to mount an independent connection and relay the transmitted messages between the communicating parties, i.e., the, the FA and the HA, to let them believe that they are talking directly to each other in the unauthenticated-links model. However, each step of session key establishment cannot proceed unless the authentication of the target party has been completed. Thus, the attacker cannot launch such an attack without detection.

Impersonation-attack Resistance: The attacker cannot impersonate an to cheat an HA or an FA, unless he/she knows both the s password PW and its associated authentic information C stored in the tamper-proof device in advance. If the attacker attempts to impersonate an HA or an FA to cheat another communicating target party, he/she needs to first compromise the long-term secret key K held by the HA or the secret key SK HF shared between the HA and the FA. However, the security of these secret keys is based on the intractability of solving the EC-CDHP and reversing the OWHF.

Insider-attack Resistance: In our proposed scheme, the HA does not require or maintain any password table or verification table for its subordinated s. Actually, the HA who may be serving as an insider attacker knows the s original password during the Registration phase. However, such a security leak can be addressed by the Password Change phase without participation of the HA. Once the original password of the registered has been changed, the associated authentic information T stored in the s own mobile device will be updated in accordance. This implies that the HA cannot conspire with another to impersonate some target successfully if the original password of the target has been changed.

5. FUNCTIONALITY COMPARISON AND PERFORMANCE EVALUATION

In this section, we will compare our proposed scheme with some previous works in terms of their functionality, security achievement, and performance evaluation. Tables 1 and 2 show the comparisons of operational functionality and security achievement, respectively, among our proposed scheme and some well-known works proposed in [3, 4, 7, 8, 10, 12-14]. From Table 2, it can be seen that only our proposed scheme and He et al.'s scheme [13] can achieve the same security requirements. He et al.'s scheme [4] and

12 738 KUO-YANG WU, KUO-YU TSAI, TZONG-CHEN WU AND KOUICHI SAKURAI Chen et al. s scheme [12] cannot achieve perfect forward secrecy because both of them employ a symmetric encryption algorithm to encrypt the secret information for generating the session key. However, this will come to a result that an adversary can obtain the secret information and further derive the shared session keys if the adversary compromise the long-term secret key held by the HA. Table 1. Operational functionality comparison. Ours Wu et al. s He et al. s Chang et al s Hsiang & Mun et al. s Chen et al. s He et al. s Xie et al. s [3] [4] [7] Shih s [8] [10] [12] [13] [14] F 1 Yes Yes Yes Yes Yes Yes Yes Yes Yes F 2 Yes Yes Yes Yes Yes No Yes Yes Yes F 3 Yes Yes Yes No Yes Yes Yes Yes Yes F 4 Yes No Yes No Yes No Yes Yes Yes F 5 Yes Yes Yes No No Yes Yes No No F 1 : single registration F 2 : no verification table required F 3 : no password table required F 4 : freely update password F 5 : periodically update session keys Table 2. Security achievement comparison. Ours Wu et al. s He et al. s Chang et al s Hsiang & Mun et al. s Chen et al. s He et al. s Xie et al. s [3] [4] [7] Shih s [8] [10] [12] [13] [14] S 1 Yes No Yes No No Yes Yes Yes Yes S 2 Yes Yes Yes Yes No Yes Yes Yes Yes S 3 Yes Yes Yes Yes Yes Yes Yes Yes Yes S 4 Yes No Yes Yes No Yes Yes Yes No S 5 Yes No Yes No Yes No Yes Yes Yes S 6 Yes No Yes Yes Yes No Yes Yes Yes S 7 Yes No Yes Yes Yes No Yes Yes Yes S 8 Yes No No No No No No Yes Yes S 1 : user anonymity S 2 : mutual authentication S 3 : session key security S 4 : resistance to impersonation attacks S 5 : resistance to insider attacks S 6 : resistance to replay attacks S 7 : resistance to man-in-middle attacks S 8 : perfect forward secrecy Since our proposed scheme, He et al. s scheme [4], Chen et al. s scheme [12], He et al. s scheme [13], and Xie et al. 
s scheme [14] achieve the most security requirements as compared with other previous works, we only list the comparison of performance evaluation in Table 3. However, He et al. s scheme [4], He et al. s scheme [13], and Xie et al. s scheme [14] do not provide session key update. For simplicity of performance evaluation, the following symbols are used: t ae t se t m the time for executing one asymmetric encryption/decryption operation. the time for executing one symmetric encryption/decryption operation. the time for executing one elliptic curve scalar multiplication operation.

- t_me: the time for executing one modular exponentiation operation.
- t_h: the time for executing one hash function operation.

Note that our proposed scheme is slightly outperformed, and achieves the additional security requirement of perfect forward secrecy, which is lacking in He et al.'s scheme [4] and Chen et al.'s scheme [12].

Table 3. Performance evaluation comparison.

Registration Phase

| Scheme | Mobile user | FA | HA |
|--------|-------------|----|----|
| Ours | 0 | 0 | 3t_h |
| He et al.'s [4] | 6t_h | 0 | t_se + 2t_h |
| Chen et al.'s [12] | 4t_h | 0 | t_se + t_h |
| He et al.'s [13] | 2t_h | 0 | t_se + t_me + t_h |
| Xie et al.'s [14] | t_h | 0 | t_se |

Authentication and Session Key Establishment Phase

| Scheme | Mobile user | FA | HA |
|--------|-------------|----|----|
| Ours | 2t_m + 6t_h | 2t_m + 5t_h | 5t_h |
| He et al.'s [4] | 2t_se + 7t_h | 3t_ae + t_h | 4t_ae + 2t_se + 2t_h |
| Chen et al.'s [12] | 2t_se + 7t_h | 2t_se + 3t_h | 3t_se + 5t_h |
| He et al.'s [13] | 3t_me + 2t_se + 5t_h | 2t_me + 3t_se + 3t_h | t_me + 3t_se + 2t_h |
| Xie et al.'s [14] | 3t_m + 2t_se + 3t_h | 2t_m + 2t_se + t_h | t_m + 3t_se + 3t_h |

Session Key Update Phase

| Scheme | Mobile user | FA | HA |
|--------|-------------|----|----|
| Ours | 2t_m + 5t_h | 2t_m + 5t_h | 0 |
| He et al.'s [4] | N/A | N/A | N/A |
| Chen et al.'s [12] | t_se + 2t_h | t_se | 0 |
| He et al.'s [13] | N/A | N/A | N/A |
| Xie et al.'s [14] | N/A | N/A | N/A |

Password Change Phase

| Scheme | Mobile user | FA | HA |
|--------|-------------|----|----|
| Ours | | | |
| He et al.'s [4] | 7t_h | 0 | 0 |
| Chen et al.'s [12] | 7t_h | 0 | 0 |
| He et al.'s [13] | 4t_h | 0 | 0 |
| Xie et al.'s [14] | 2t_h | | |

CONCLUSIONS

We have proposed a secure anonymous authentication scheme for roaming service in GLOMONET in which neither the HA nor the FA maintains any password table or verification table. We also give a formal analysis to show that our proposed scheme achieves the security requirements of user anonymity, mutual authentication, session-key security, perfect forward secrecy, replay-attack resistance, man-in-middle-attack resistance, impersonation-attack resistance, and insider-attacker resistance. From the comparison with some well-known previous works in terms of operational functionality and security requirements, our proposed scheme is applicable to practical applications.

REFERENCES

1. J. Zhu and J. Ma, A new authentication scheme with anonymity for wireless environments, IEEE Transactions on Consumer Electronics, Vol. 50, 2004.
2. C. C. Lee, M. S. Hwang, and I. E. Liao, Security enhancement on a new authentication scheme with anonymity for wireless environments, IEEE Transactions on Industrial Electronics, Vol. 53, 2006.
3. C. C. Wu, W. B. Lee, and W. J. Tsaur, A secure authentication scheme with anonymity for wireless communications, IEEE Communications Letters, Vol. 12, 2008.
4. D. He, M. Ma, Y. Zhang, C. Chen, and J. Bu, A strong user authentication scheme with smart cards for wireless communications, Computer Communications, Vol. 34, 2011.
5. K. Li, A. Xiu, F. He, and D. H. Lee, Anonymous authentication with unlinkability for wireless environments, IEICE Electronics Express, Vol. 8.
6. J. Xu and D. Feng, Security flaws in authentication protocols with anonymity for wireless environments, ETRI Journal, Vol. 31, 2009.
7. C. C. Chang, C. Y. Lee, and Y. C. Chiu, Enhanced authentication scheme with anonymity for roaming service in global mobility networks, Computer Communications, Vol. 32, 2009.
8. H. C. Hsiang and W. K. Shih, Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment, Computer Standards & Interfaces, Vol. 31, 2009.
9. Y. P. Liao and S. S. Wang, A secure dynamic ID based remote user authentication scheme for multi-server environment, Computer Standards & Interfaces, Vol. 31, 2009.
10. H. Mun, K. Han, Y. S. Lee, C. Y. Yeun, and H. H. Choi, Enhanced secure anonymous authentication scheme for roaming service in global mobility networks, Mathematical and Computer Modelling, Vol. 55, 2012.
11. K. Y. Wu, K. Y. Tsai, and T. C. Wu, Robust anonymous authentication scheme without verification table for roaming service in global mobility networks, in Proceedings of the 6th Joint Workshop on Information Security.
12. C. Chen, D. He, S. Chan, J. Bu, Y. Gao, and R. Fan, Lightweight and provably secure user authentication with anonymity for the global mobility network, International Journal of Communication Systems, Vol. 24, 2011.
13. D. He, N. Kumar, M. Khan, and J. H. Lee, Anonymous two-factor authentication for consumer roaming service in global mobility networks, IEEE Transactions on Consumer Electronics, Vol. 59, 2013.
14. Q. Xie, M. Bao, N. Dong, B. Hu, and D. S. Wong, Secure mobile user authentication and key agreement protocol with privacy protection in global mobility networks, in Proceedings of International Symposium on Biometrics and Security Technologies, 2013.
15. C. K. Yeh and W. B. Lee, An overall cost-effective authentication technique for the global mobility network, International Journal of Network Security, Vol. 9, 2009.
16. R. Canetti and H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, in Proceedings of Advances in Cryptology - EUROCRYPT, 2001.
17. M. Bellare, R. Canetti, and H. Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols, in Proceedings of the 30th Annual ACM Symposium on Theory of Computing, 1998.
18. G. Yang, D. S. Wong, and X. Deng, Formal security definition and efficient construction for roaming with privacy-preserving extension, Journal of Universal Computer Science, Vol. 14, 2008.
19. N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, Vol. 48, 1987.
20. V. Miller, Use of elliptic curves in cryptography, in Proceedings of Advances in Cryptology - CRYPTO, 1985.
21. B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed., John Wiley & Sons, NY.

Kuo-Yang Wu ( ) is a Ph.D. Candidate in Department of Information Management at National Taiwan University of Science and Technology in Taiwan. He received B.S. degree in Department of International Trade from Chinese Culture University in 1990, M.S. degree in Graduate School of Business Administration at Oklahoma City University in 1992, and M.S. degree in Department of Industrial Management from National Taiwan University of Science and Technology in 2004, respectively. He is concurrently working also with the Cheng Uei Precision Industry Co., Ltd., as the senior director of RD division. His research focuses on information security, mobile security, and multimedia security.

Kuo-Yu Tsai ( ) received his MS and Ph.D. degrees in the Department of Information Management from National Taiwan University of Science and Technology in 2001 and in 2009, respectively. Now, he is an Assistant Professor at the Department of Management Information Systems, Hwa Hsia University of Technology, Taiwan. His recent research interests include information security, cryptography, network security, and cloud computing.

Tzong-Chen Wu ( ) received B.S. degree in Information Engineering from National Taiwan University in 1983, M.S. degree in Applied Mathematics from National Chung Hsing University in 1989, and Ph.D. degree in Computer Science and Information Engineering from National Chiao Tung University in 1992, respectively. Professor Wu joined the Department of Information Management, National Taiwan University of Science and Technology (NTUST) in 1992, and served as Distinguished Professor since March Dr. Wu is a member of IEEE, ACM, IEICE and the Chinese Cryptology and Information Security Association (CCISA), and was elected as the President of CCISA from June 2003 to May His research interests include information security, mobile security, cryptographic protocols and related topics.

Kouichi Sakurai received the B.S. degree in Mathematics from the Faculty of Science, Kyushu University in He received the M.S. degree in Applied Science in 1988, and the Doctorate in Engineering in 1993 from the Faculty of Engineering, Kyushu University. He was engaged in research and development on cryptography and information security at the Computer and Information Systems Laboratory at Mitsubishi Electric Corporation from 1988 to From 1994, he worked for the Department of Computer Science of Kyushu University in the capacity of Associate Professor, and became a Full Professor there in He is concurrently working also with the Institute of Systems and Information Technologies and Nanotechnologies, as the chief of Information Security Laboratory, for promoting research co-operations among the industry, university and government under the theme Enhancing IT-security in social systems. He has been successful in generating such co-operation between Japan, China and Korea for security technologies as the leader of a Cooperative International Research Project supported by the National Institute of Information and Communications Technology (NICT) during Moreover, in March 2006, he established research co-operations under a Memorandum of Understanding in the field of information security with Professor Bimal Kumar Roy, the first time Japan has partnered with The Cryptology Research Society of India (CRSI). Professor Sakurai has published more than 250 academic papers around cryptography and information security.
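The perfect-forward-secrecy argument of Section 5 (a session secret encrypted under a long-term symmetric key is exposed once that key leaks, while a key built from ephemeral elliptic curve scalar multiplications is not) is illustrated by the following added Python example. It is not code from the paper and does not reproduce the message flow of the proposed scheme or of [4] and [12]; the secp256k1 curve, the SHAKE-256 XOR keystream standing in for a symmetric cipher, and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (public constants), chosen for this example only.
# Teaching code: not constant-time, not for production use.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Add two points on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    """Scalar multiplication by double-and-add (the operation timed as t_m)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def encode(point):
    """Fixed-length byte encoding of an affine point."""
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")

def kdf(material):
    """Session-key derivation: one hash over the shared secret material."""
    return hashlib.sha256(b"session-key" + material).digest()

def mac(key, point):
    """HMAC-SHA256 tag over a public point under the long-term key."""
    return hmac.new(key, encode(point), "sha256").digest()

def sym_crypt(key, nonce, data):
    """Stand-in for symmetric encryption: XOR with a SHAKE-256 keystream.
    The same call decrypts."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def key_transport_session(long_term_key):
    """The session secret travels encrypted under the long-term symmetric key."""
    secret, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    transcript = {"nonce": nonce, "ct": sym_crypt(long_term_key, nonce, secret)}
    return kdf(secret), transcript

def ecdh_session(long_term_key):
    """Ephemeral ECDH; the long-term key only authenticates the public points."""
    a = 1 + secrets.randbelow(N - 1)
    b = 1 + secrets.randbelow(N - 1)
    pub_a, pub_b = ec_mul(a, G), ec_mul(b, G)
    transcript = {"A": pub_a, "B": pub_b,
                  "tag_A": mac(long_term_key, pub_a),
                  "tag_B": mac(long_term_key, pub_b)}
    key_user = kdf(encode(ec_mul(a, pub_b)))
    key_agent = kdf(encode(ec_mul(b, pub_a)))
    if key_user != key_agent:
        raise RuntimeError("key agreement failed")
    return key_user, transcript  # a and b are discarded: never stored or sent

def keys_recoverable_after_compromise(long_term_key, transcript):
    """Session keys a passive recorder can compute once the long-term key leaks."""
    candidates = []
    if "ct" in transcript:
        secret = sym_crypt(long_term_key, transcript["nonce"], transcript["ct"])
        candidates.append(kdf(secret))
    if "A" in transcript:
        # The leaked key verifies the tags but is not an input to the session
        # key; the recorded public points alone do not yield a*b*G.
        for name in ("A", "B"):
            tag = mac(long_term_key, transcript[name])
            if not hmac.compare_digest(tag, transcript["tag_" + name]):
                raise ValueError("transcript tag mismatch")
            candidates.append(kdf(encode(transcript[name])))
    return candidates

def is_forward_secret(session_fn):
    """Run one session, leak the long-term key afterwards, test the old key."""
    long_term_key = secrets.token_bytes(32)
    session_key, transcript = session_fn(long_term_key)
    recovered = keys_recoverable_after_compromise(long_term_key, transcript)
    return session_key not in recovered

if __name__ == "__main__":
    print("key transport forward secret:", is_forward_secret(key_transport_session))
    print("ephemeral ECDH forward secret:", is_forward_secret(ecdh_session))
```

The check does not prove secrecy of the ECDH session; it shows that the long-term key is not an input to that session key, whereas in the key-transport variant it is the only thing protecting it.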


More information

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems

More information

HOST Authentication Overview ECE 525

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time

More information

HOMOMORPHIC HANDOVER AUTHENTICATION TECHNIQUE FOR MOBILE CLOUD COMPUTING

HOMOMORPHIC HANDOVER AUTHENTICATION TECHNIQUE FOR MOBILE CLOUD COMPUTING HOMOMORPHIC HANDOVER AUTHENTICATION TECHNIQUE FOR MOBILE CLOUD COMPUTING Gagandeep Kaur, Dr. Gagandeep Abstract Mobile Cloud Computing has brought the IT industry to a new level by providing an innovative

More information

Extended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity

Extended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity ISSN (Online): 1694-0784 ISSN (Print): 1694-0814 Extended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity 26 Nistala V.E.S. Murthy

More information

Cryptanalysis of An Advanced Temporal Credential- Based Security Scheme with Mutual Authentication and Key Agreement for Wireless Sensor Networks

Cryptanalysis of An Advanced Temporal Credential- Based Security Scheme with Mutual Authentication and Key Agreement for Wireless Sensor Networks Cryptanalysis of An Advanced Temporal Credential- Based Security Scheme with Mutual Authentication and Key Agreement for Wireless Sensor Networks Chandra Sekhar Vorugunti 1, Mrudula Sarvabhatla 2 1 Dhirubhai

More information

Lightweight Authentication with User Anonymity among a Group of Users Sharing Common Credentials

Lightweight Authentication with User Anonymity among a Group of Users Sharing Common Credentials IJCN International Journal of Computer cience and Network ecurity, VOL.3 No., February 03 Lightweight Authentication with User Anonymity among a Group of Users haring Common Credentials Jun-Cheol Park

More information

Expert Systems with Applications

Expert Systems with Applications Expert Systems with Applications 38 (2011) 13863 13870 Contents lists available at ScienceDirect Expert Systems with Applications journal homepage: www.elsevier.com/locate/eswa A secure dynamic ID based

More information

Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks

Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks An abridged version of this paper appears in the Proc. of the Third IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom 2005 Workshops), 8-12 March 2005, Kauai Island,

More information

Cryptanalysis Of Dynamic ID Based Remote User Authentication Scheme With Key Agreement

Cryptanalysis Of Dynamic ID Based Remote User Authentication Scheme With Key Agreement 1 Cryptanalysis Of Dynamic ID Based Remote User Authentication Scheme With Key Agreement Sonam Devgan Kaul, Amit K. Awasthi School of Applied Sciences, Gautam Buddha University, Greater Noida, India sonamdevgan11@gmail.com,

More information

A Reduce Identical Composite Event Transmission Algorithm for Wireless Sensor Networks

A Reduce Identical Composite Event Transmission Algorithm for Wireless Sensor Networks Appl. Math. Inf. Sci. 6 No. 2S pp. 713S-719S (2012) Applied Mathematics & Information Sciences An International Journal @ 2012 NSP Natural Sciences Publishing Cor. A Reduce Identical Composite Event Transmission

More information

On the security of a certificateless signature scheme in the standard model

On the security of a certificateless signature scheme in the standard model On the security of a certificateless signature scheme in the standard model Lin Cheng, Qiaoyan Wen, Zhengping Jin, Hua Zhang State Key Laboratory of Networking and Switch Technology, Beijing University

More information

Attribute Based Encryption with Privacy Protection in Clouds

Attribute Based Encryption with Privacy Protection in Clouds Attribute Based Encryption with Privacy Protection in Clouds Geetanjali. M 1, Saravanan. N 2 PG Student, Department of Information Technology, K.S.R College of Engineering, Tiruchengode, Tamilnadu, India

More information

Improved Remote User Authentication Scheme Preserving User Anonymity

Improved Remote User Authentication Scheme Preserving User Anonymity 62 IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.3, March 28 Improved Remote User Authentication Scheme Preserving User Anonymity Mrs. C. Shoba Bindu, Dr P. Chandra Sekhar

More information

A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags

A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags Sarah Abughazalah, Konstantinos Markantonakis, and Keith Mayes Smart Card Centre-Information Security Group (SCC-ISG) Royal Holloway,

More information

Notes on Polynomial-based Key Management for Secure Intra-Group and Inter-Group Communication

Notes on Polynomial-based Key Management for Secure Intra-Group and Inter-Group Communication International Journal of Network Security, Vol.16, No.2, PP.143-148, Mar. 2014 143 Notes on Polynomial-based Key Management for Secure Intra-Group and Inter-Group Communication Chin-Chen Chang 1, 2, Lein

More information

The Password Change Phase is Still Insecure

The Password Change Phase is Still Insecure Manoj Kumar: The password change phase change is still insecure 1 The Password Change Phase is Still Insecure Manoj Kumar!"#$ %&''%% E. Mail: yamu_balyan@yahoo.co.in Abstract In 2004, W. C. Ku and S. M.

More information

Applied Cryptography and Computer Security CSE 664 Spring 2017

Applied Cryptography and Computer Security CSE 664 Spring 2017 Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption

More information

An IBE Scheme to Exchange Authenticated Secret Keys

An IBE Scheme to Exchange Authenticated Secret Keys An IBE Scheme to Exchange Authenticated Secret Keys Waldyr Dias Benits Júnior 1, Routo Terada (Advisor) 1 1 Instituto de Matemática e Estatística Universidade de São Paulo R. do Matão, 1010 Cidade Universitária

More information

Cryptographic protocols

Cryptographic protocols Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital

More information

Crypto Background & Concepts SGX Software Attestation

Crypto Background & Concepts SGX Software Attestation CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course

More information

CS 395T. Formal Model for Secure Key Exchange

CS 395T. Formal Model for Secure Key Exchange CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,

More information

A New Secure Mutual Authentication Scheme with Smart Cards Using Bilinear Pairings

A New Secure Mutual Authentication Scheme with Smart Cards Using Bilinear Pairings International Journal of Mathematical Analysis Vol. 8, 2014, no. 43, 2101-2107 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.48269 A New Secure Mutual Authentication Scheme with Smart

More information

(In)security of ecient tree-based group key agreement using bilinear map

(In)security of ecient tree-based group key agreement using bilinear map Loughborough University Institutional Repository (In)security of ecient tree-based group key agreement using bilinear map This item was submitted to Loughborough University's Institutional Repository by

More information

2.1 Basic Cryptography Concepts

2.1 Basic Cryptography Concepts ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts

More information

A Secure and Efficient One-time Password Authentication Scheme for WSN

A Secure and Efficient One-time Password Authentication Scheme for WSN International Journal of Network Security, Vol.19, No.2, PP.177-181, Mar. 2017 (DOI: 10.6633/IJNS.201703.19(2).02) 177 A Secure and Efficient One-time Password Authentication Scheme for WSN Chung-Huei

More information

Efficient Delegation-Based Authentication Protocol with Strong Mobile Privacy

Efficient Delegation-Based Authentication Protocol with Strong Mobile Privacy Efficient Delegation-Based Authentication Protocol with Strong Mobile Privacy Jian-Zhu Lu, Hong-Qing Ren, and Jipeng Zhou Department of Computer Science, Jinan University, Guangzhou, Guangdong, China 510632

More information

A modified eck model with stronger security for tripartite authenticated key exchange

A modified eck model with stronger security for tripartite authenticated key exchange A modified eck model with stronger security for tripartite authenticated key exchange Qingfeng Cheng, Chuangui Ma, Fushan Wei Zhengzhou Information Science and Technology Institute, Zhengzhou, 450002,

More information

Improvement of recently proposed Remote User Authentication Schemes

Improvement of recently proposed Remote User Authentication Schemes Improvement of recently proposed Remote User Authentication Schemes Guanfei Fang and Genxun Huang Science Institute of Information Engineering University, Zhengzhou, 450002, P.R.China feifgf@163.com Abstract

More information

Notes for Lecture 24

Notes for Lecture 24 U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof

More information

L13. Reviews. Rocky K. C. Chang, April 10, 2015

L13. Reviews. Rocky K. C. Chang, April 10, 2015 L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing

More information

1 FIVE STAGES OF I.

1 FIVE STAGES OF I. 1 1 FIVE STAGES OF 802.11I. Stage 1. AP and Security Capability Discovery This stage consists of messages numbered (1) to (3). The AP either periodically broadcasts its security capabilities, indicated

More information

arxiv: v1 [cs.cr] 9 Jan 2018

arxiv: v1 [cs.cr] 9 Jan 2018 An efficient and secure two-party key agreement protocol based on chaotic maps Nahid Yahyapoor a, Hamed Yaghoobian b, Manijeh Keshtgari b a Electrical Engineering, Khavaran Institute of Higher Education,

More information

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS Ounasser Abid 1 and Omar Khadir 2 1, 2 Laboratory of Mathematics, Cryptography and Mechanics, FSTM University Hassan II of Casablanca, Morocco

More information

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack ISS 1746-7659, England, U Journal of Information and Computing Science Vol. 1, o. 3, 2006, pp. 131-138 Limitation of Logic nalysis on a Man-in-the-middle ttack + Shiping Yang, Xiang Li Computer Software

More information

Secure Communication in Digital TV Broadcasting

Secure Communication in Digital TV Broadcasting IJN International Journal of omputer cience and Network ecurity, VOL.8 No.9, eptember 2008 ecure ommunication in Digital TV Broadcasting Hyo Kim Division of Digital Media, Ajou University, Korea ummary

More information

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign

More information