Provably Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 31 (2015)

KUO-YANG WU 1, KUO-YU TSAI 2, TZONG-CHEN WU 1 AND KOUICHI SAKURAI 3
1 Department of Information Management, National Taiwan University of Science and Technology, Taipei, 106 Taiwan
2 Department of Management Information Systems, Hwa Hsia University of Technology, New Taipei City, 235 Taiwan
3 Department of Computer Science and Communication Engineering, Kyushu University, Fukuoka, Japan

This paper presents an anonymous authentication scheme for roaming service in global mobility networks, in which the foreign agent cannot obtain the identity of the mobile user who sends the roaming request. In addition, the home agent does not have to maintain any verification table for authenticating the mobile user. We give formal analyses to show that the proposed scheme satisfies the security requirements of user anonymity, mutual authentication, session-key security, and perfect forward secrecy. We also discuss some possible attacks on the proposed scheme, namely the replay attack, the man-in-the-middle attack, the impersonation attack, and the insider attack.

Keywords: user anonymity, mutual authentication, global mobility network, perfect forward secrecy, replay attack, man-in-the-middle attack, impersonation attack

1. INTRODUCTION

A Global Mobility Network (GLOMONET for short) facilitates a global roaming service: a mobile user can access Internet resources from a handheld device (e.g., a smartphone) anytime and anywhere. Simply put, there are three kinds of roles in the GLOMONET: the mobile user (MU), the home agent (HA), and the foreign agent (FA). Initially, each MU registers with a home agent, its HA, within its own domain.
When an MU roams into the domain of an agent other than the HA it originally registered with, that agent serves as the FA for the MU. In the GLOMONET, every pair of agents (each of which may serve as an HA or as an FA) shares a common secret key in advance. This shared secret key is used for entity authentication and message protection between the two agents involved in a roaming, i.e., the HA and the FA. However, the messages and requests transmitted over the radio link between the MU and the FA are publicly accessible. Beyond the basic authentication requirement, this gives rise to additional security requirements for user anonymity (or privacy protection) and message protection in the GLOMONET.

Received January 7, 2013; revised June 26, 2014; accepted August 27. Communicated by Wen-Guey Tzeng.
* This work was supported partially by the Ministry of Science and Technology under Grants E MY2 and E MY2, and by the Taiwan Information Security Center (TWISC).
In 2004, Zhu and Ma [1] proposed an authentication scheme providing user anonymity in the GLOMONET. They claimed that in their scheme the FA cannot obtain the MU's identity embedded in the service requests. Later, Lee et al. [2] pointed out that the identity of the MU could be exposed to the FA in Zhu and Ma's scheme, and proposed an enhanced scheme to resolve this. However, Wu et al. [3] demonstrated that Lee et al.'s enhanced scheme [2] still fails to satisfy user anonymity and backward secrecy. Since then, several improvements of and variants on Zhu and Ma's original scheme have been developed. Basically, there are three kinds of approaches to designing authentication schemes for roaming service. In the first kind [4-6], the communicating parties encrypt some of their messages with asymmetric cryptosystems and others with symmetric cryptosystems. However, asymmetric cryptosystems are costly in computation and bandwidth for the mobile devices in a GLOMONET. The second kind [7-11] lets the communicating parties protect their messages using only the exclusive-or operation, and the third kind [12-15] uses symmetric cryptosystems only. These are more efficient, but most of them fail to achieve some important security requirements, forward secrecy in particular. Cost effectiveness and security robustness are thus the two major design principles for the key establishment part of such authentication schemes. In this paper, we propose a provably secure anonymous authentication scheme for roaming service in the GLOMONET. Like the authentication scheme proposed by Chen et al.
[12], our anonymous authentication scheme adopts the password-based approach and allows MUs to change their passwords freely. Moreover, no password table or verification table is required by the HA (or the FA) for authenticating the connected MUs. Based upon the adversary models defined by Canetti and Krawczyk [16], we also show that our scheme satisfies the following security properties [10-12]:

User Anonymity: Except for the HA with which the MU has registered, no third party can learn the identity of the roaming MU.
Mutual Authentication: Any two communicating parties among the MU, the FA and the HA can authenticate each other.
Session-key Security: An adversary cannot learn anything about a session key shared by the MU and the FA, even if the adversary obtains their past session keys. This property is also known as backward secrecy of session keys.
Perfect Forward Secrecy: An adversary cannot compromise past session keys shared by the MU and the FA, even if the adversary has compromised the long-term secret keys held by the MU or the FA.
Replay-attack Resistance: An adversary cannot replay intercepted messages transmitted between any two communicating parties without detection.
Man-in-the-middle-attack Resistance: An adversary cannot mount an independent connection and relay the messages between two communicating parties so as to make them believe that they are communicating directly with each other.
Impersonation-attack Resistance: An adversary cannot impersonate an MU, an FA or an HA to cheat the other parties.
Insider-attack Resistance: A malicious HA cannot conspire with another MU to impersonate a roaming MU in the authentication and session key establishment with an FA, even though the HA knows the MU's original password.

2. PRELIMINARIES

In this section, we first introduce the adversary models defined by Canetti and Krawczyk [16], and then present a nonce-based message transmission authenticator (MT-authenticator for short) modified from the framework of Bellare et al. [17]. This modified nonce-based MT-authenticator is the basic building block of our anonymous authentication scheme.

2.1 Canetti and Krawczyk's Adversary Models

Consider a set of communicating parties that concurrently carry out multiple executions of a message-driven protocol, with the scheduling controlled by an adversary. Two adversary models are considered for this situation [16]: the unauthenticated-links model and the authenticated-links model. We use a key exchange protocol as the example to illustrate them. Suppose that one party U_i with identity ID_i serves as the initiator and another party U_j with identity ID_j serves as the responder. The inputs to the key exchange protocol at U_i and U_j are of the form (ID_i, ID_j, s, initiator) and (ID_j, ID_i, s, responder), respectively, where s is a session identifier. The session at U_i and the session at U_j are matching if their session identifiers are identical. The adversary models are as follows.

Unauthenticated-links Model: In this model there is a probabilistic polynomial-time attacker who controls the communication links and the scheduling of all protocol events. That is, the attacker can modify transmitted messages, inject messages, and re-schedule the initiation of the protocol and the subsequent message transmissions.
To gain an advantage in the game, the attacker may send the following queries to the game simulator:
Session-state Reveal: The attacker submits a party's identity and an incomplete (i.e., still running) session identifier, and learns the internal state of that session. The attacker does not thereby learn any long-term secret or master key held by the party.
Session-key Query: The attacker submits a party's identity and a complete session identifier, and learns the session key of that session.
Session Expiration: The attacker submits a party's identity and a complete session identifier, and the simulator erases the session key and the related session state. This query captures the notion of perfect forward secrecy: the keys of expired sessions must remain secret even if the party is corrupted afterwards.
Party-corruption Query: The attacker corrupts a party, learns all secret information and master keys of that party, and thereafter completely controls it. The corrupted party cannot be activated again.
Authenticated-links Model: This model applies when the attacker does not have the capability to inject or modify transmitted messages. In other words, there is a probabilistic polynomial-time attacker who can only deliver messages generated by one of the communicating parties to the other party. Note that these adversary models are usually used to formally analyze the security of a key exchange protocol, in which two parties communicate to obtain a session key on protocol completion. Consider a message-driven protocol designed for the authenticated-links model and its counterpart for the unauthenticated-links model, obtained by applying an authenticator to every message. Let X be the interaction of an adversary with the latter protocol in the unauthenticated-links model, and Y the interaction of an adversary with the former protocol in the authenticated-links model. In essence, the two interactions X and Y are computationally indistinguishable to any outsider of the protocol. This means that whatever an adversary can achieve against the protocol in the unauthenticated-links model can be emulated by an adversary against the protocol in the authenticated-links model.

2.2 Nonce-based MT-authenticator

Following the well-known challenge-response approach, we present a nonce-based MT-authenticator. Let U_i with identity ID_i and U_j with identity ID_j be two communicating parties that share a secret key SK in advance. Let ‖ denote concatenation and f_SK(·) a MAC algorithm keyed with SK. To authenticate each other, U_i and U_j cooperatively perform the authenticator N by the following steps:

Step 1: U_i chooses a message m, generates a nonce N_i, computes f_SK(ID_j ‖ N_i ‖ m), and sends {m, N_i, f_SK(ID_j ‖ N_i ‖ m)} as a challenge to U_j.
Here, f_SK(ID_j ‖ N_i ‖ m) is the message authentication code for m.
Step 2: Upon receiving the challenge, U_j first checks the freshness of N_i, i.e., that it has not been used before; if N_i has been used, U_j aborts. Otherwise, U_j computes f_SK(ID_j ‖ N_i ‖ m) and checks whether it is identical to the received value. If it is, U_j is convinced that the challenge was indeed sent by U_i; otherwise U_j aborts. U_j then chooses a message m', generates a nonce N_j, computes f_SK(ID_i ‖ N_i + 1 ‖ N_j ‖ m'), and sends {m', N_j, f_SK(ID_i ‖ N_i + 1 ‖ N_j ‖ m')} as the response to U_i. Here, f_SK(ID_i ‖ N_i + 1 ‖ N_j ‖ m') is the message authentication code for m'.
Step 3: Upon receiving the response, U_i first checks the freshness of N_j; if N_j has been used before, U_i aborts. Otherwise, U_i computes f_SK(ID_i ‖ N_i + 1 ‖ N_j ‖ m') and checks whether it is identical to the received value. If it is, U_i is convinced that the response was indeed sent by U_j; otherwise U_i aborts.
Theorem 1: The authenticator N is an MT-authenticator if the MAC algorithm f is secure against chosen-message attack.
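The challenge-response authenticator N above, played out between two parties as an added example (not code from the paper): f_SK is instantiated with HMAC-SHA256 and nonces are 16 random bytes, both assumptions since the paper only asks for a MAC secure against chosen-message attack; each party records the nonces it has already accepted, which is how the "used only once" checks of Steps 2 and 3 are realized here. The demo runs one honest exchange and then shows that a replayed challenge, a challenge altered in transit, and a responder that does not hold SK are all rejected.

```python
# Added example (not from the paper): the nonce-based MT-authenticator of Section 2.2,
# with f_SK = HMAC-SHA256 (assumption) and '||' realized as a length-prefixed join.
import hashlib, hmac, os

def f(SK, *parts):
    """f_SK(x1 || x2 || ...): HMAC-SHA256 over the length-prefixed concatenation of the parts."""
    return hmac.new(SK, b"".join(len(p).to_bytes(2, "big") + p for p in parts), hashlib.sha256).digest()

def plus_one(N):
    """N + 1 as a fixed-width big-endian counter (the N_i + 1 of the response)."""
    return ((int.from_bytes(N, "big") + 1) % (1 << (8 * len(N)))).to_bytes(len(N), "big")

class Party:
    def __init__(self, ID, SK):
        self.ID, self.SK = ID, SK
        self.used = set()          # nonces already accepted: the "used only once" check

    def challenge(self, ID_peer, m):
        """Step 1: U_i -> U_j  {m, N_i, f_SK(ID_j || N_i || m)}."""
        N_i = os.urandom(16)
        return m, N_i, f(self.SK, ID_peer, N_i, m)

    def respond(self, ID_peer, chal, m2):
        """Step 2: U_j verifies the challenge and answers {m', N_j, f_SK(ID_i || N_i+1 || N_j || m')}."""
        m, N_i, tag = chal
        if N_i in self.used or not hmac.compare_digest(tag, f(self.SK, self.ID, N_i, m)):
            return None            # replayed nonce or bad MAC: abort
        self.used.add(N_i)
        N_j = os.urandom(16)
        return m2, N_j, f(self.SK, ID_peer, plus_one(N_i), N_j, m2)

    def finish(self, chal, resp):
        """Step 3: U_i checks that N_j is fresh and that the response is bound to its own N_i."""
        m2, N_j, tag = resp
        N_i = chal[1]
        if N_j in self.used or not hmac.compare_digest(tag, f(self.SK, self.ID, plus_one(N_i), N_j, m2)):
            return False
        self.used.add(N_j)
        return True

def demo():
    """Honest run, then a replay, a tampered challenge and an impersonator without SK (constructed inputs)."""
    SK = os.urandom(32)                                   # shared in advance by U_i and U_j
    U_i, U_j = Party(b"ID_i", SK), Party(b"ID_j", SK)
    chal = U_i.challenge(b"ID_j", b"roaming request")
    resp = U_j.respond(b"ID_i", chal, b"roaming granted")
    honest = resp is not None and U_i.finish(chal, resp)
    replay = U_j.respond(b"ID_i", chal, b"roaming granted")            # same N_i presented again
    m, N_i, tag = U_i.challenge(b"ID_j", b"roaming request")
    forged = U_j.respond(b"ID_i", (m + b"?", N_i, tag), b"x")          # message altered, old MAC
    impostor = Party(b"ID_j", os.urandom(32))                          # claims ID_j but lacks SK
    wrong_key = impostor.respond(b"ID_i", U_i.challenge(b"ID_j", b"hi"), b"x")
    return {"honest": honest, "replay_rejected": replay is None,
            "tamper_rejected": forged is None, "impersonation_rejected": wrong_key is None}
```

Binding the receiver's identity into the challenge MAC and the initiator's identity plus N_i + 1 into the response MAC is what stops a reflected or cross-session message from verifying; the nonce sets are what stop a verbatim replay, and they must be kept per party for as long as a replay would still be accepted.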
The interested reader may refer to [16, 17] for the detailed proof of Theorem 1. Those works show that MT-authenticators can be realized from different cryptographic primitives, such as digital signatures, message authentication codes, and public-key encryption. By applying the same idea, we may construct a variant authenticator to secure a key exchange protocol in the unauthenticated-links model. Recall that the modified nonce-based MT-authenticator stated above is the basic building block of our anonymous authentication scheme for resisting the replay attack, the man-in-the-middle attack, the impersonation attack, and the insider attack.

3. OUR PROPOSED SCHEME

The system model of our scheme is elaborated from the model developed by Mun et al. [10] and consists of five phases: System Setup, Registration, Authentication and Session Key Establishment, Session Key Update, and Password Change. Denote by MU the mobile user, HA the home agent, and FA the foreign agent. Note that all agents are set up as HAs initially, and every pair of agents shares a common secret key after system setup. Any HA serves as an FA for roaming MUs that are outside their original domains in the GLOMONET. Details of the phases are as follows.

System Setup Phase: The following system parameters are defined:
p, q: large prime numbers, e.g., of more than 180 bits.
E: an elliptic curve over the finite field F_p defined by y^2 = x^3 + ax + b, where a, b ∈ F_p and 4a^3 + 27b^2 ≠ 0 (mod p).
G: an additive group of order q, a subgroup of the group of points on E.
Q: a base point (generator) of G on E, of order q.
h_1: a one-way hash function h_1: {0, 1}* → {0, 1}^l, where l is a security parameter chosen to resist exhaustive search in practice.
h_2: a one-way hash function h_2: G → {0, 1}^l, with l as above.
The system parameters are made public. Afterwards, each HA chooses a long-term secret key K for itself and a secret key SK shared with each other HA; denote by SK_XY the secret key shared by the home agents X and Y. At the end of system setup, each HA can accept registrations from the MUs subordinate to it within its original domain.

Registration Phase: Upon receiving a registration request from a subordinate MU, the HA computes a password PW and the corresponding authentication information T and C as
PW = h_1(ID_MU ‖ K ‖ R)
T = h_1(ID_HA ‖ K ‖ R)
C = T ⊕ h_1(ID_MU) ⊕ PW
where R is a random value chosen by the HA and ⊕ is the XOR operator. The registering MU then stores C and R in the tamper-proof memory of his/her mobile device. Note that the MU and the HA perform the registration procedure over a secure channel. The registration procedure (see Fig. 1) is:
1. MU → HA: {ID_MU}
2. HA → MU: {ID_HA, PW, C, R}

Fig. 1. Registration phase. (Figure: the MU chooses ID_MU and sends it over the secure channel; the HA chooses a random R, computes PW = h_1(ID_MU ‖ K ‖ R), T = h_1(ID_HA ‖ K ‖ R) and C = T ⊕ h_1(ID_MU) ⊕ PW, and returns {ID_HA, PW, C, R} over the secure channel; the MU stores C and R.)

Authentication and Session Key Establishment Phase: For simplicity, consider a roaming MU, originally registered with its home agent HA, that requests service from a nearby foreign agent FA in the GLOMONET. The participants, i.e., the MU, the HA and the FA, cooperatively perform the following procedure (see Fig. 2):

Step 1: The MU first submits his/her identity ID_MU and password PW to the mobile device, which regenerates the authentication information T = C ⊕ h_1(ID_MU) ⊕ PW, where C and R are retrieved from the device's tamper-proof memory. The MU then generates a nonce N_MU, randomly chooses an integer b_1 ∈ F_q, computes b_1Q on E and MAC_MU = h_1(T ‖ ID_HA ‖ ID_FA ‖ N_MU ‖ R ‖ h_2(b_1Q)), and sends the roaming service request {ID_HA, ID_FA, N_MU, R, b_1Q, MAC_MU} to the FA.
1. MU → FA: {ID_HA, ID_FA, N_MU, R, b_1Q, MAC_MU}

Step 2: Upon receiving the roaming service request from an MU of the foreign domain supervised by the HA, the FA generates a nonce N_FA, randomly chooses an integer a_1 ∈ F_q, and computes a_1Q on E. The FA then computes MAC_FA = h_1(SK_HF ‖ ID_FA ‖ N_FA ‖ N_MU ‖ h_2(a_1Q) ‖ MAC_MU), where SK_HF is the secret key shared between the HA and the FA in advance, and sends {ID_FA, N_MU, N_FA, R, b_1Q, a_1Q, MAC_MU, MAC_FA} to the HA for authenticating the MU.
2. FA → HA: {ID_FA, N_MU, N_FA, R, b_1Q, a_1Q, MAC_MU, MAC_FA}
Fig. 2. Authentication and session key establishment phase. (Figure: the message flow MU → FA → HA → FA → MU of Steps 1-5, with the MU computing T, b_1, b_1Q and MAC_MU; the FA computing N_FA, a_1, a_1Q and MAC_FA; the HA verifying MAC_FA and MAC_MU and computing N_HA, MAC1_HA and MAC2_HA; the FA verifying MAC1_HA and computing SK_FM and MAC_FM; and the MU verifying MAC2_HA, computing SK_FM and verifying MAC_FM.)
Note: T = T' = C ⊕ h_1(ID_MU) ⊕ PW
MAC_MU = MAC_MU' = h_1(T ‖ ID_HA ‖ ID_FA ‖ N_MU ‖ R ‖ h_2(b_1Q))
MAC1_HA = MAC1_HA' = h_1(SK_HF ‖ ID_FA ‖ N_MU ‖ N_HA ‖ N_FA ‖ h_2(b_1Q))
MAC2_HA = MAC2_HA' = h_1(T ‖ ID_FA ‖ N_MU ‖ N_HA ‖ N_FA ‖ h_2(a_1Q))
MAC_FM = MAC_FM' = h_1(SK_FM ‖ ID_FA ‖ N_MU ‖ N_FA)

Step 3: To anonymously authenticate the roaming MU that attempts to access the FA, the HA first computes MAC_FA' = h_1(SK_HF ‖ ID_FA ‖ N_FA ‖ N_MU ‖ h_2(a_1Q) ‖ MAC_MU) and checks whether MAC_FA' = MAC_FA. If not, the HA aborts; otherwise the HA has confirmed the identity of the FA. The HA then computes MAC_MU' = h_1(T' ‖ ID_HA ‖ ID_FA ‖ N_MU ‖ R ‖ h_2(b_1Q)), where T' = h_1(ID_HA ‖ K ‖ R) and K is the long-term secret key of the HA, and checks whether MAC_MU' = MAC_MU. If not, the HA aborts; otherwise the HA is convinced that the MU is a legitimate mobile user, while preserving its anonymity, and accepts the roaming request. The HA then generates a nonce N_HA, computes MAC1_HA and MAC2_HA, and returns {ID_FA, N_MU, N_FA, N_HA, a_1Q, b_1Q, MAC1_HA, MAC2_HA} to the FA, where
MAC1_HA = h_1(SK_HF ‖ ID_FA ‖ N_MU ‖ N_HA ‖ N_FA ‖ h_2(b_1Q))
MAC2_HA = h_1(T' ‖ ID_FA ‖ N_MU ‖ N_HA ‖ N_FA ‖ h_2(a_1Q))
3. HA → FA: {ID_FA, N_MU, N_FA, N_HA, a_1Q, b_1Q, MAC1_HA, MAC2_HA}
Step 4: Upon receiving the confirmation from the HA, the FA computes MAC1_HA' = h_1(SK_HF ‖ ID_FA ‖ N_MU ‖ N_HA ‖ N_FA ‖ h_2(b_1Q)) and checks whether MAC1_HA' = MAC1_HA. If it holds, the FA accepts that the roaming MU is a legitimate but anonymous mobile user successfully verified by the HA; otherwise the FA aborts. The FA then computes the session key shared with the MU as SK_FM = h_2(a_1b_1Q) and returns {ID_FA, N_MU, N_FA, N_HA, a_1Q, MAC2_HA, MAC_FM} to the MU, where MAC_FM = h_1(SK_FM ‖ ID_FA ‖ N_MU ‖ N_FA).
4. FA → MU: {ID_FA, N_MU, N_FA, N_HA, a_1Q, MAC2_HA, MAC_FM}

Step 5: Upon receiving the confirmation from the FA, the MU computes MAC2_HA' = h_1(T ‖ ID_FA ‖ N_MU ‖ N_HA ‖ N_FA ‖ h_2(a_1Q)) and checks whether MAC2_HA' = MAC2_HA. If not, the MU aborts; otherwise the MU obtains the session key shared with the FA as SK_FM = h_2(b_1a_1Q). Furthermore, the MU confirms the obtained session key by checking whether h_1(SK_FM ‖ ID_FA ‖ N_MU ‖ N_FA) = MAC_FM.

Session Key Update Phase: The MU and the FA can renew their shared session key while the MU stays within the FA's domain, to strengthen the protection of their subsequent sessions. Suppose that the MU and the FA want to renew the session key for the i-th session (i = 2, 3, ...), and let h_2(a_{i-1}b_{i-1}Q) be the session key used in the (i-1)-th session. First, the MU randomly chooses an integer b_i, computes b_iQ, and computes MAC'' = h_1(h_2(a_{i-1}b_{i-1}Q) ‖ h_2(b_iQ)) under the current session key. The MU then sends {b_iQ, MAC''} to the FA. Upon receiving {b_iQ, MAC''}, the FA recomputes h_1(h_2(a_{i-1}b_{i-1}Q) ‖ h_2(b_iQ)) and checks whether it equals the received MAC''. If it does, the FA is convinced that b_iQ was chosen by the MU and accepts the session key update request; otherwise the FA aborts. The FA then randomly chooses a_i ∈ F_q, computes the new session key and its confirmation code as SK'_FM = h_2(a_ib_iQ) and MAC'_FM = h_1(SK'_FM ‖ h_2(a_iQ) ‖ h_2(b_iQ) ‖ h_2(a_{i-1}b_{i-1}Q)), and returns {a_iQ, MAC'_FM} to the MU. Finally, the MU obtains the new session key SK'_FM = h_2(b_ia_iQ) and checks whether h_1(SK'_FM ‖ h_2(a_iQ) ‖ h_2(b_iQ) ‖ h_2(a_{i-1}b_{i-1}Q)) = MAC'_FM for session key confirmation (see Fig. 3).
1. MU → FA: {b_iQ, MAC''}
2. FA → MU: {a_iQ, MAC'_FM}
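The registration, authentication and session key establishment, session key update, and password change phases above, played through end to end as an added example (not the authors' code). Assumptions the paper leaves open and that this example fixes: h_1 is SHA-256 over a length-prefixed concatenation, h_2 hashes a point's affine coordinates with SHA-256, the curve is secp256k1 (any prime-order curve would do), nonces are 16 random bytes, and the three parties run in one process and "send" by passing values. Identifiers and keys are constructed for the demo. Besides the happy path, the demo renews the key once, changes the password with C' = C ⊕ PW ⊕ PW', and shows that a login with the old password after the change is rejected by the HA's check of MAC_MU.

```python
# Added example (not the authors' code): the Section 3 phases of the scheme run in one process.
# Assumptions: h_1 = SHA-256 over length-prefixed '||', h_2(P) = SHA-256(x || y), E = secp256k1.
import hashlib, hmac, os

P_ = 2**256 - 2**32 - 977                            # secp256k1 field prime; curve y^2 = x^3 + 7
ORDER_Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # order q of Q
Q = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):                                    # affine addition on E; None = point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_ == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_) if A == B          # tangent slope (a = 0 here)
           else (y2 - y1) * pow(x2 - x1, -1, P_)) % P_          # chord slope
    x3 = (lam * lam - x1 - x2) % P_
    return x3, (lam * (x1 - x3) - y1) % P_

def ec_mul(k, A):                                    # scalar multiplication kA, double-and-add
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def h1(*parts):                                      # h_1: {0,1}* -> {0,1}^256; '||' = length-prefixed join
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()
def h2(pt):                                          # h_2: G -> {0,1}^256
    return hashlib.sha256(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")).digest()
def xor(a, b):                                       # XOR of two equal-length byte strings
    return bytes(x ^ y for x, y in zip(a, b))
def scalar():                                        # random integer in [1, q-1]
    return int.from_bytes(os.urandom(32), "big") % (ORDER_Q - 1) + 1
def check(tag, expect, who):                         # every "check if MAC = MAC'" step; abort on mismatch
    if not hmac.compare_digest(tag, expect): raise ValueError(who + ": MAC mismatch, abort")

def register(ID_MU, ID_HA, K):                       # Registration phase over the secure channel
    R = os.urandom(16); PW, T = h1(ID_MU, K, R), h1(ID_HA, K, R)
    return PW, xor(xor(T, h1(ID_MU)), PW), R         # PW, C, R; the MU stores C and R

def authenticate(ID_MU, ID_HA, ID_FA, PW, C, R, K, SK_HF):
    """Authentication and session key establishment, Steps 1-5. Returns (SK_FM at MU, SK_FM at FA)."""
    # Step 1, MU: recover T from the stored C and the typed ID_MU, PW; pick N_MU and b_1.
    T = xor(xor(C, h1(ID_MU)), PW)
    N_MU, b1 = os.urandom(16), scalar(); b1Q = ec_mul(b1, Q)
    MAC_MU = h1(T, ID_HA, ID_FA, N_MU, R, h2(b1Q))
    # msg 1, MU -> FA: {ID_HA, ID_FA, N_MU, R, b1Q, MAC_MU}; ID_MU itself is never sent.
    # Step 2, FA: pick N_FA and a_1, bind them and MAC_MU to the HA under SK_HF.
    N_FA, a1 = os.urandom(16), scalar(); a1Q = ec_mul(a1, Q)
    MAC_FA = h1(SK_HF, ID_FA, N_FA, N_MU, h2(a1Q), MAC_MU)
    # msg 2, FA -> HA: {ID_FA, N_MU, N_FA, R, b1Q, a1Q, MAC_MU, MAC_FA}
    # Step 3, HA: verify the FA, recompute T from K and R alone, verify the MU without its ID.
    check(MAC_FA, h1(SK_HF, ID_FA, N_FA, N_MU, h2(a1Q), MAC_MU), "HA verifying FA")
    T_HA = h1(ID_HA, K, R)
    check(MAC_MU, h1(T_HA, ID_HA, ID_FA, N_MU, R, h2(b1Q)), "HA verifying MU")
    N_HA = os.urandom(16)
    MAC1_HA = h1(SK_HF, ID_FA, N_MU, N_HA, N_FA, h2(b1Q))
    MAC2_HA = h1(T_HA, ID_FA, N_MU, N_HA, N_FA, h2(a1Q))
    # msg 3, HA -> FA: {ID_FA, N_MU, N_FA, N_HA, a1Q, b1Q, MAC1_HA, MAC2_HA}
    # Step 4, FA: accept the MU on the HA's confirmation, derive SK_FM and confirm it.
    check(MAC1_HA, h1(SK_HF, ID_FA, N_MU, N_HA, N_FA, h2(b1Q)), "FA verifying HA")
    SK_FA = h2(ec_mul(a1, b1Q))
    MAC_FM = h1(SK_FA, ID_FA, N_MU, N_FA)
    # msg 4, FA -> MU: {ID_FA, N_MU, N_FA, N_HA, a1Q, MAC2_HA, MAC_FM}
    # Step 5, MU: authenticate the HA (and the FA indirectly) via MAC2_HA; derive and confirm SK_FM.
    check(MAC2_HA, h1(T, ID_FA, N_MU, N_HA, N_FA, h2(a1Q)), "MU verifying HA")
    SK_MU = h2(ec_mul(b1, a1Q))
    check(MAC_FM, h1(SK_MU, ID_FA, N_MU, N_FA), "MU confirming key")
    return SK_MU, SK_FA

def key_update(SK_prev):
    """Session key update phase for session i, authenticated with the session-(i-1) key SK_prev."""
    b_i = scalar(); biQ = ec_mul(b_i, Q)
    MAC_upd = h1(SK_prev, h2(biQ))                           # MU -> FA: {b_iQ, MAC''}
    check(MAC_upd, h1(SK_prev, h2(biQ)), "FA verifying update")
    a_i = scalar(); aiQ = ec_mul(a_i, Q)
    SK_FA = h2(ec_mul(a_i, biQ))
    MAC_FM = h1(SK_FA, h2(aiQ), h2(biQ), SK_prev)            # FA -> MU: {a_iQ, MAC'_FM}
    SK_MU = h2(ec_mul(b_i, aiQ))
    check(MAC_FM, h1(SK_MU, h2(aiQ), h2(biQ), SK_prev), "MU confirming new key")
    return SK_MU

def demo():
    """Run every phase once, then a password change and a login attempt with the stale password."""
    K, SK_HF = os.urandom(32), os.urandom(32)                # HA long-term key; HA-FA shared key
    ID_MU, ID_HA, ID_FA = b"mu@home.example", b"HA", b"FA"    # constructed identifiers
    PW, C, R = register(ID_MU, ID_HA, K)
    sk_mu, sk_fa = authenticate(ID_MU, ID_HA, ID_FA, PW, C, R, K, SK_HF)
    sk_next = key_update(sk_mu)
    PW2 = h1(b"new password"); C2 = xor(xor(C, PW), PW2)     # Password change: C' = C xor PW xor PW'
    sk_after, _ = authenticate(ID_MU, ID_HA, ID_FA, PW2, C2, R, K, SK_HF)
    try:
        authenticate(ID_MU, ID_HA, ID_FA, PW, C2, R, K, SK_HF); stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {"keys_agree": sk_mu == sk_fa, "update_fresh": sk_next != sk_mu,
            "pw_change_ok": len(sk_after) == 32, "stale_pw_rejected": stale_rejected}
```

Two things worth noticing when reading the trace: the HA verifies MAC_MU from ID_HA, K and R only, so it never needs ID_MU or a per-user table, and the FA never sees anything but R and MACs; and the session key depends only on the ephemeral a_1, b_1, which is why compromising K, SK_HF or the device afterwards does not reveal it.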
Fig. 3. Session key update phase. (Figure: the MU chooses b_i, computes b_iQ and MAC'', and sends {b_iQ, MAC''}; the FA verifies MAC'', chooses a_i, computes SK'_FM = h_2(a_ib_iQ) and MAC'_FM, and sends {a_iQ, MAC'_FM}; the MU computes SK'_FM = h_2(b_ia_iQ) and verifies MAC'_FM.)
Note: MAC'' = h_1(h_2(a_{i-1}b_{i-1}Q) ‖ h_2(b_iQ))
MAC'_FM = h_1(SK'_FM ‖ h_2(a_iQ) ‖ h_2(b_iQ) ‖ h_2(a_{i-1}b_{i-1}Q))

Password Change Phase: If the MU wants to change his/her password PW to a new one PW', he/she only needs to replace C by C' = C ⊕ PW ⊕ PW', without participation of the HA. (Since C' ⊕ h_1(ID_MU) ⊕ PW' = T, the authentication information recovered in Step 1 is unchanged.) If the MU forgets the old password, he/she must register with the HA again to obtain a new one.

4. SECURITY ANALYSIS

Based on the intractability of the Elliptic Curve Computational Diffie-Hellman problem (EC-CDHP for short) [19, 20] and of inverting a one-way hash function (OWHF for short) [21], we give a formal analysis showing that our scheme achieves user anonymity, mutual authentication, session-key security, perfect forward secrecy, and resistance to the replay, man-in-the-middle, impersonation and insider attacks.

Definition 1 (EC-CDHP): Given Q, aQ, bQ ∈ E(F_p), it is computationally infeasible to compute abQ.
Definition 2 (OWHF): Let h be a one-way hash function. (1) Given a hash value h(m), it is computationally infeasible to derive m. (2) It is computationally infeasible to find distinct values m and m' such that h(m) = h(m').

Theorem 2: Our scheme achieves user anonymity in the unauthenticated-links model, i.e., the advantage Adv(l) of any adversary against user anonymity in that model is negligible.
Proof: Let the adversary operate in the unauthenticated-links model against a simulator that generates the system parameters for the security parameter l. According to the simulation defined in Section 2.1, the MU's identity enters the transmitted messages only through MAC_MU = h_1(T ‖ ID_HA ‖ ID_FA ‖ N_MU ‖ R ‖ h_2(b_1Q)), where T = h_1(ID_HA ‖ K ‖ R) and C = T ⊕ h_1(ID_MU) ⊕ PW. Even if the adversary knows PW and T, C reveals only h_1(ID_MU), so obtaining ID_MU from C is computationally infeasible by the one-wayness of the OWHF (in practice this also requires ID_MU to be unguessable, since h_1(ID_MU) carries no salt). Hence Adv(l) is negligible in the unauthenticated-links model, which implies that our scheme achieves user anonymity in that model. Note that R is a fixed per-user value sent in the clear in every roaming request; the anonymity shown here is hiding of ID_MU from the FA and from outsiders, not unlinkability of the same MU's successive requests.
Theorem 3: Our scheme is session-key secure in both the authenticated-links model and the unauthenticated-links model.
Proof: Let the adversary operate in the authenticated-links model against a simulator that generates the system parameters for the security parameter l. Given (Q, aQ, bQ) for some a and b, the goal of the adversary is to output abQ. The adversary may issue the queries defined in Section 2.1 to the simulator in an attempt to obtain the session key h_2(a_1b_1Q) of the target session. However, by the intractability of EC-CDHP it is computationally infeasible to obtain a_1b_1Q from a_1Q and b_1Q, and past session keys do not help because every session uses fresh a_i and b_i. Hence the advantage Adv(l) is negligible in the authenticated-links model, i.e., our scheme is session-key secure there. Furthermore, by Theorems 1 and 2, the advantage of an adversary is also negligible in the unauthenticated-links model, so our scheme is session-key secure in the unauthenticated-links model as well.

Theorem 4: Our scheme achieves perfect forward secrecy in the unauthenticated-links model, i.e., the advantage Adv(l) of any adversary against the session keys of expired sessions is negligible in that model.
Proof: Let the adversary operate in the unauthenticated-links model against a simulator that generates the system parameters for the security parameter l. According to the adversary models of Section 2.1, assume that the adversary has compromised the long-term secret keys held by the MU or the FA after the target session has expired. Under this assumption, the adversary still faces the intractability of EC-CDHP in obtaining a_1b_1Q from a_1Q and b_1Q, because the ephemeral values a_1 and b_1 are not derived from any long-term key and are erased with the expired session. Hence the adversary cannot compromise past session keys shared by the MU and the FA, Adv(l) is negligible, and our scheme achieves perfect forward secrecy in the unauthenticated-links model.
In the following, we discuss how our scheme achieves mutual authentication between any two communicating parties (MU, FA or HA) and resists the replay, man-in-the-middle, impersonation and insider attacks.

Mutual Authentication: Recall the messages of the Authentication and Session Key Establishment phase:
1. MU → FA: {ID_HA, ID_FA, N_MU, R, b_1Q, MAC_MU}
2. FA → HA: {ID_FA, N_MU, N_FA, R, b_1Q, a_1Q, MAC_MU, MAC_FA}
3. HA → FA: {ID_FA, N_MU, N_FA, N_HA, a_1Q, b_1Q, MAC1_HA, MAC2_HA}
4. FA → MU: {ID_FA, N_MU, N_FA, N_HA, a_1Q, MAC2_HA, MAC_FM}
It is easy to see that the HA authenticates the MU when MAC_MU, received in message 2, verifies, while the MU authenticates the HA when MAC2_HA, received in message 4, verifies. Likewise, the HA authenticates the FA when MAC_FA in message 2 verifies, and the FA authenticates the HA when MAC1_HA in message 3 verifies. Consequently, once the HA has authenticated the MU and returned MAC1_HA in message 3, the FA authenticates the MU indirectly through the HA; and once the HA has authenticated the FA and its MAC2_HA (which binds N_FA and a_1Q) reaches the MU in message 4, the MU authenticates the FA indirectly through the HA. Hence our scheme achieves mutual authentication between any two parties among the MU, the HA and the FA.

Replay-attack Resistance: All MACs in the transmitted messages are computed by a keyed hash over time-variant nonces (N_MU, N_FA, N_HA), so an attempt to replay transmitted messages without refreshing the corresponding MACs is detected by the receiving party. For this to hold, each recipient must also remember the nonces it has already accepted, as in the MT-authenticator of Section 2.2; a verbatim replay of message 1 would otherwise pass the HA's check of MAC_MU, although the replaying party, not knowing b_1, could still not complete Step 5.

Man-in-the-middle-attack Resistance: To succeed, the attacker would have to mount an independent connection and relay the transmitted messages between the communicating parties, i.e., the MU, the FA and the HA, so that they believe they are talking directly to each other in the unauthenticated-links model. However, no step of the session key establishment proceeds unless the authentication of the corresponding party has succeeded, and the Diffie-Hellman values b_1Q and a_1Q are bound into MAC_MU, MAC1_HA and MAC2_HA, so the attacker cannot substitute values of its own. Thus the attacker cannot launch such an attack without detection.

Impersonation-attack Resistance: The attacker cannot impersonate an MU to an HA or an FA unless he/she knows both the MU's password PW and the associated authentication information C (together with R) stored in the tamper-proof device. To impersonate an HA or an FA to another party, the attacker must first compromise the long-term secret key K held by the HA or the secret key SK_HF shared between the HA and the FA. These keys never appear on the wire except as inputs to h_1, so recovering them from transmitted messages requires inverting the OWHF.

Insider-attack Resistance: In our scheme, the HA neither requires nor maintains any password table or verification table for its subordinate MUs.
Admittedly, an HA acting as an insider attacker knows the MU's original password from the Registration phase. This exposure is mitigated by the Password Change phase, which does not involve the HA: once the registered MU changes the original password, the authentication information C stored in the MU's device is updated accordingly (C' = C ⊕ PW ⊕ PW'), and the old password no longer yields T together with C'. This implies that the HA cannot conspire with another MU to impersonate a target MU by means of the target's original password once that password has been changed. Note that T = h_1(ID_HA ‖ K ‖ R) itself is unchanged by a password change and is computable from K and R; the argument above therefore covers an insider who holds the original password but not the HA's long-term key K.

5. FUNCTIONALITY COMPARISON AND PERFORMANCE EVALUATION

In this section, we compare our scheme with previous works in terms of functionality, security achievement, and performance. Tables 1 and 2 compare operational functionality and security achievement, respectively, among our scheme and the well-known schemes of [3, 4, 7, 8, 10, 12-14]. From Table 2, only our scheme and He et al.'s scheme [13] achieve all of the listed security requirements. He et al.'s scheme [4] and
Chen et al.'s scheme [12] cannot achieve perfect forward secrecy because both employ a symmetric encryption algorithm to encrypt the secret information from which the session key is generated: an adversary who compromises the long-term secret key held by the HA can decrypt that information and derive the shared session keys.

Table 1. Operational functionality comparison.

Scheme               F1    F2    F3    F4    F5
Ours                 Yes   Yes   Yes   Yes   Yes
Wu et al. [3]        Yes   Yes   Yes   No    Yes
He et al. [4]        Yes   Yes   Yes   Yes   Yes
Chang et al. [7]     Yes   Yes   No    No    No
Hsiang & Shih [8]    Yes   Yes   Yes   Yes   No
Mun et al. [10]      Yes   No    Yes   No    Yes
Chen et al. [12]     Yes   Yes   Yes   Yes   Yes
He et al. [13]       Yes   Yes   Yes   Yes   No
Xie et al. [14]      Yes   Yes   Yes   Yes   No

F1: single registration; F2: no verification table required; F3: no password table required; F4: freely update password; F5: periodically update session keys.

Table 2. Security achievement comparison.

Scheme               S1    S2    S3    S4    S5    S6    S7    S8
Ours                 Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes
Wu et al. [3]        No    Yes   Yes   No    No    No    No    No
He et al. [4]        Yes   Yes   Yes   Yes   Yes   Yes   Yes   No
Chang et al. [7]     No    Yes   Yes   Yes   No    Yes   Yes   No
Hsiang & Shih [8]    No    No    Yes   No    Yes   Yes   Yes   No
Mun et al. [10]      Yes   Yes   Yes   Yes   No    No    No    No
Chen et al. [12]     Yes   Yes   Yes   Yes   Yes   Yes   Yes   No
He et al. [13]       Yes   Yes   Yes   Yes   Yes   Yes   Yes   Yes
Xie et al. [14]      Yes   Yes   Yes   No    Yes   Yes   Yes   Yes

S1: user anonymity; S2: mutual authentication; S3: session key security; S4: resistance to impersonation attacks; S5: resistance to insider attacks; S6: resistance to replay attacks; S7: resistance to man-in-the-middle attacks; S8: perfect forward secrecy.

Since our scheme, He et al.'s scheme [4], Chen et al.'s scheme [12], He et al.'s scheme [13], and Xie et al.
s scheme [14] achieve the most security requirements as compared with other previous works, we only list the comparison of performance evaluation in Table 3. However, He et al. s scheme [4], He et al. s scheme [13], and Xie et al. s scheme [14] do not provide session key update. For simplicity of performance evaluation, the following symbols are used: t ae t se t m the time for executing one asymmetric encryption/decryption operation. the time for executing one symmetric encryption/decryption operation. the time for executing one elliptic curve scalar multiplication operation.
13 ANONYMOUS AUTHENTICATION FOR ROAMING SERVICE 739 t me t h the time for executing one modular exponentiation operation. the time for executing one hash function operation. Note that our proposed scheme is slightly outperformed, and achieves additional security requirement of perfect forward secrecy, which is lack of in He et al. s scheme [4] and Chen et al. s scheme [12]. Registration Phase Table 3. Performance evaluation comparison. FA HA Ours 0 0 3t h He et al. s [4] 6t h 0 t se + 2t h Chen et al. s [12] 4t h 0 t se + t h He et al. s [13] 2t h 0 t se + t me + t h Xie et al. s [14] t h 0 t se Authentication and Session Key Establishment Phase FA HA Ours 2t m + 6t h 2t m + 5t h 5t h He et al. s [4] 2t se + 7t h 3t ae + t h 4t ae + 2t se + 2t h Chen et al. s [12] 2t se + 7t h 2t se + 3t h 3t se + 5t h He et al. s [13] 3t me + 2t se + 5t h 2t me + 3t se + 3t h t me + 3t se + 2t h Xie et al. s [14] 3t m + 2t se + 3t h 2t m + 2t se + t h t m + 3t se + 3t h Session Key Update Phase FA HA Ours 2t m + 5t h 2t m + 5t h 0 He et al. s [4] N/A N/A N/A Chen et al. s [12] t se + 2t h t se 0 He et al. s [13] N/A N/A N/A Xie et al. s [14] N/A N/A N/A Password Change Phase FA HA Ours He et al. s [4] 7t h 0 0 Chen et al. s [12] 7t h 0 0 He et al. s [13] 4t h 0 0 Xie et al. s [14] 2t h CONCLUSIONS We have proposed a secure anonymous authentication scheme for roaming service in GLOMONET in which the HA or the FA do not maintain any password table or verification table. We also give a formal analysis to show that our proposed scheme achieves the security requirements of user anonymity, mutual authentication, session-key security, perfect forward secrecy, replay-attack resistance, man-in-middle-attack resistance, impersonation-attack resistance, and insider-attacker resistance. From the comparison with
some well-known previous works in terms of operational functionality and security requirements, our proposed scheme is applicable to practical applications.

REFERENCES

1. J. Zhu and J. Ma, "A new authentication scheme with anonymity for wireless environments," IEEE Transactions on Consumer Electronics, Vol. 50, 2004.
2. C. C. Lee, M. S. Hwang, and I. E. Liao, "Security enhancement on a new authentication scheme with anonymity for wireless environments," IEEE Transactions on Industrial Electronics, Vol. 53, 2006.
3. C. C. Wu, W. B. Lee, and W. J. Tsaur, "A secure authentication scheme with anonymity for wireless communications," IEEE Communications Letters, Vol. 12, 2008.
4. D. He, M. Ma, Y. Zhang, C. Chen, and J. Bu, "A strong user authentication scheme with smart cards for wireless communications," Computer Communications, Vol. 34, 2011.
5. K. Li, A. Xiu, F. He, and D. H. Lee, "Anonymous authentication with unlinkability for wireless environments," IEICE Electronics Express, Vol. 8.
6. J. Xu and D. Feng, "Security flaws in authentication protocols with anonymity for wireless environments," ETRI Journal, Vol. 31, 2009.
7. C. C. Chang, C. Y. Lee, and Y. C. Chiu, "Enhanced authentication scheme with anonymity for roaming service in global mobility networks," Computer Communications, Vol. 32, 2009.
8. H. C. Hsiang and W. K. Shih, "Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment," Computer Standards & Interfaces, Vol. 31, 2009.
9. Y. P. Liao and S. S. Wang, "A secure dynamic ID based remote user authentication scheme for multi-server environment," Computer Standards & Interfaces, Vol. 31, 2009.
10. H. Mun, K. Han, Y. S. Lee, C. Y. Yeun, and H. H. Choi, "Enhanced secure anonymous authentication scheme for roaming service in global mobility networks," Mathematical and Computer Modelling, Vol. 55, 2012.
11. K. Y. Wu, K. Y. Tsai, and T. C. Wu, "Robust anonymous authentication scheme without verification table for roaming service in global mobility networks," in Proceedings of the 6th Joint Workshop on Information Security.
12. C. Chen, D. He, S. Chan, J. Bu, Y. Gao, and R. Fan, "Lightweight and provably secure user authentication with anonymity for the global mobility network," International Journal of Communication Systems, Vol. 24, 2011.
13. D. He, N. Kumar, M. Khan, and J. H. Lee, "Anonymous two-factor authentication for consumer roaming service in global mobility networks," IEEE Transactions on Consumer Electronics, Vol. 59, 2013.
14. Q. Xie, M. Bao, N. Dong, B. Hu, and D. S. Wong, "Secure mobile user authentication and key agreement protocol with privacy protection in global mobility networks," in Proceedings of the International Symposium on Biometrics and Security Technologies, 2013.
15. C. K. Yeh and W. B. Lee, "An overall cost-effective authentication technique for the global mobility network," International Journal of Network Security, Vol. 9, 2009.
16. R. Canetti and H. Krawczyk, "Analysis of key-exchange protocols and their use for building secure channels," in Proceedings of Advances in Cryptology (EUROCRYPT), 2001.
17. M. Bellare, R. Canetti, and H. Krawczyk, "A modular approach to the design and analysis of authentication and key exchange protocols," in Proceedings of the 30th Annual ACM Symposium on Theory of Computing, 1998.
18. G. Yang, D. S. Wong, and X. Deng, "Formal security definition and efficient construction for roaming with privacy-preserving extension," Journal of Universal Computer Science, Vol. 14, 2008.
19. N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, Vol. 48, 1987.
20. V. Miller, "Use of elliptic curves in cryptography," in Proceedings of Advances in Cryptology (CRYPTO), 1985.
21. B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed., John Wiley & Sons, NY.

Kuo-Yang Wu is a Ph.D. candidate in the Department of Information Management at National Taiwan University of Science and Technology, Taiwan. He received a B.S. degree from the Department of International Trade, Chinese Culture University, in 1990, an M.S. degree from the Graduate School of Business Administration, Oklahoma City University, in 1992, and an M.S. degree from the Department of Industrial Management, National Taiwan University of Science and Technology, in 2004. He is concurrently working with Cheng Uei Precision Industry Co., Ltd., as the senior director of its R&D division. His research focuses on information security, mobile security, and multimedia security.

Kuo-Yu Tsai received his M.S. and Ph.D. degrees from the Department of Information Management, National Taiwan University of Science and Technology, in 2001 and 2009, respectively.
Now, he is an Assistant Professor at the Department of Management Information Systems, Hwa Hsia University of Technology, Taiwan. His recent research interests include information security, cryptography, network security, and cloud computing.
Tzong-Chen Wu received a B.S. degree in Information Engineering from National Taiwan University in 1983, an M.S. degree in Applied Mathematics from National Chung Hsing University in 1989, and a Ph.D. degree in Computer Science and Information Engineering from National Chiao Tung University in 1992. Professor Wu joined the Department of Information Management, National Taiwan University of Science and Technology (NTUST), in 1992, and has served as Distinguished Professor since March. Dr. Wu is a member of IEEE, ACM, IEICE and the Chinese Cryptology and Information Security Association (CCISA), and served as the elected President of CCISA from June 2003 to May. His research interests include information security, mobile security, cryptographic protocols and related topics.

Kouichi Sakurai received the B.S. degree in Mathematics from the Faculty of Science, Kyushu University. He received the M.S. degree in Applied Science in 1988 and the Doctorate in Engineering in 1993, both from the Faculty of Engineering, Kyushu University. He was engaged in research and development on cryptography and information security at the Computer and Information Systems Laboratory of Mitsubishi Electric Corporation from 1988. From 1994, he worked for the Department of Computer Science of Kyushu University as an Associate Professor, and later became a Full Professor there. He is concurrently working with the Institute of Systems and Information Technologies and Nanotechnologies as chief of its Information Security Laboratory, promoting research co-operation among industry, universities and government under the theme "Enhancing IT-security in social systems". He has been successful in generating such co-operation between Japan, China and Korea on security technologies as the leader of a Cooperative International Research Project supported by the National Institute of Information and Communications Technology (NICT). Moreover, in March 2006, he established research co-operation under a Memorandum of Understanding in the field of information security with Professor Bimal Kumar Roy, the first time Japan has partnered with the Cryptology Research Society of India (CRSI). Professor Sakurai has published more than 250 academic papers on cryptography and information security.
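To make the perfect-forward-secrecy distinction drawn in Section 5 concrete (session-key material transported under the HA's long-term symmetric key, as in [4] and [12], versus an ephemeral key exchange that the long-term key only authenticates), the following Python example is added here; it is not part of the paper and does not implement the paper's scheme. It uses modular Diffie-Hellman with a toy-sized prime in place of the scheme's elliptic-curve scalar multiplication and an HMAC-keystream XOR as a stand-in for the symmetric cipher; the group parameters, message layout and "transcript" dictionaries are all constructed for illustration.

```python
"""Perfect forward secrecy demo (constructed example, not the paper's scheme).

Design A: HA picks a session secret and sends it encrypted under its long-term
key; the session key is derived from that secret.
Design B: both parties use fresh ephemeral exponents; the long-term key only
authenticates the exchange. Afterwards we leak the long-term key and see which
past session key an eavesdropper who recorded the transcript can reconstruct.
"""
import hashlib
import hmac
import secrets

# Toy group parameters, constructed for the demo and NOT a secure choice.
# The paper's scheme uses elliptic-curve scalar multiplication (t_m); a
# multiplicative group modulo a prime plays the same role here.
P = 2**127 - 1      # Mersenne prime, far too small (and not a safe prime) for real use
G = 3


def kdf(label: bytes, material: bytes) -> bytes:
    """Derive a 32-byte session key from a label and the secret material."""
    return hashlib.sha256(label + b"|" + material).digest()


def sym_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the symmetric cipher (t_se in Table 3): XOR with an
    HMAC-SHA256 keystream. It exists only to show what a key leak exposes."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(plaintext, stream))


sym_decrypt = sym_encrypt   # XOR keystream cipher is its own inverse


def run_symmetric_transport(k_ha: bytes):
    """Design A. Returns (session_key, transcript seen by an eavesdropper)."""
    secret = secrets.token_bytes(32)            # HA's chosen session secret
    nonce = secrets.token_bytes(16)
    ct = sym_encrypt(k_ha, nonce, secret)       # protected only by the long-term key
    return kdf(b"A", secret), {"nonce": nonce, "ct": ct}


def run_ephemeral_dh(k_ha: bytes):
    """Design B. Ephemeral exponents are discarded; only the transcript remains."""
    a = secrets.randbelow(P - 2) + 1            # mobile user's ephemeral exponent
    b = secrets.randbelow(P - 2) + 1            # HA's ephemeral exponent
    A = pow(G, a, P).to_bytes(16, "big")
    B = pow(G, b, P).to_bytes(16, "big")
    # Long-term key authenticates the exchange (mutual authentication) ...
    tag = hmac.new(k_ha, A + B, hashlib.sha256).digest()
    # ... but the session key depends only on the ephemeral values.
    shared = pow(int.from_bytes(B, "big"), a, P)
    assert shared == pow(int.from_bytes(A, "big"), b, P)   # both sides agree
    return kdf(b"B", shared.to_bytes(16, "big")), {"A": A, "B": B, "tag": tag}


def attacker_with_leaked_key(design: str, k_ha: bytes, transcript: dict):
    """Eavesdropper who recorded the transcript and later obtains HA's
    long-term key. Returns the recovered session key, or None if the leak
    does not help."""
    if design == "symmetric":
        secret = sym_decrypt(k_ha, transcript["nonce"], transcript["ct"])
        return kdf(b"A", secret)                # past session key fully recovered
    # Design B: the leaked key lets the attacker re-check the tag, nothing more.
    # Obtaining g^ab from g^a and g^b is the (EC)DH problem, which the
    # long-term key does not ease (with real-size parameters).
    expected = hmac.new(k_ha, transcript["A"] + transcript["B"], hashlib.sha256).digest()
    assert hmac.compare_digest(expected, transcript["tag"])
    return None


def forward_secrecy_check() -> dict:
    """Run both designs, leak the long-term key, report which past session
    keys the adversary can reconstruct."""
    k_ha = secrets.token_bytes(32)              # HA's long-term secret key
    sk_a, tr_a = run_symmetric_transport(k_ha)
    sk_b, tr_b = run_ephemeral_dh(k_ha)
    return {
        "symmetric_transport_broken": attacker_with_leaked_key("symmetric", k_ha, tr_a) == sk_a,
        "ephemeral_dh_broken": attacker_with_leaked_key("dh", k_ha, tr_b) == sk_b,
    }


if __name__ == "__main__":
    print(forward_secrecy_check())
```

With real-size elliptic-curve parameters the second result is what Table 2's S8 ("perfect forward secrecy") asserts for the proposed scheme: compromise of the HA's long-term key exposes no previously established session key.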
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationAn IBE Scheme to Exchange Authenticated Secret Keys
An IBE Scheme to Exchange Authenticated Secret Keys Waldyr Dias Benits Júnior 1, Routo Terada (Advisor) 1 1 Instituto de Matemática e Estatística Universidade de São Paulo R. do Matão, 1010 Cidade Universitária
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationA New Secure Mutual Authentication Scheme with Smart Cards Using Bilinear Pairings
International Journal of Mathematical Analysis Vol. 8, 2014, no. 43, 2101-2107 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.48269 A New Secure Mutual Authentication Scheme with Smart
More information(In)security of ecient tree-based group key agreement using bilinear map
Loughborough University Institutional Repository (In)security of ecient tree-based group key agreement using bilinear map This item was submitted to Loughborough University's Institutional Repository by
More information2.1 Basic Cryptography Concepts
ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts
More informationA Secure and Efficient One-time Password Authentication Scheme for WSN
International Journal of Network Security, Vol.19, No.2, PP.177-181, Mar. 2017 (DOI: 10.6633/IJNS.201703.19(2).02) 177 A Secure and Efficient One-time Password Authentication Scheme for WSN Chung-Huei
More informationEfficient Delegation-Based Authentication Protocol with Strong Mobile Privacy
Efficient Delegation-Based Authentication Protocol with Strong Mobile Privacy Jian-Zhu Lu, Hong-Qing Ren, and Jipeng Zhou Department of Computer Science, Jinan University, Guangzhou, Guangdong, China 510632
More informationA modified eck model with stronger security for tripartite authenticated key exchange
A modified eck model with stronger security for tripartite authenticated key exchange Qingfeng Cheng, Chuangui Ma, Fushan Wei Zhengzhou Information Science and Technology Institute, Zhengzhou, 450002,
More informationImprovement of recently proposed Remote User Authentication Schemes
Improvement of recently proposed Remote User Authentication Schemes Guanfei Fang and Genxun Huang Science Institute of Information Engineering University, Zhengzhou, 450002, P.R.China feifgf@163.com Abstract
More informationNotes for Lecture 24
U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More information1 FIVE STAGES OF I.
1 1 FIVE STAGES OF 802.11I. Stage 1. AP and Security Capability Discovery This stage consists of messages numbered (1) to (3). The AP either periodically broadcasts its security capabilities, indicated
More informationarxiv: v1 [cs.cr] 9 Jan 2018
An efficient and secure two-party key agreement protocol based on chaotic maps Nahid Yahyapoor a, Hamed Yaghoobian b, Manijeh Keshtgari b a Electrical Engineering, Khavaran Institute of Higher Education,
More informationA SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS
A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS Ounasser Abid 1 and Omar Khadir 2 1, 2 Laboratory of Mathematics, Cryptography and Mechanics, FSTM University Hassan II of Casablanca, Morocco
More informationA Limitation of BAN Logic Analysis on a Man-in-the-middle Attack
ISS 1746-7659, England, U Journal of Information and Computing Science Vol. 1, o. 3, 2006, pp. 131-138 Limitation of Logic nalysis on a Man-in-the-middle ttack + Shiping Yang, Xiang Li Computer Software
More informationSecure Communication in Digital TV Broadcasting
IJN International Journal of omputer cience and Network ecurity, VOL.8 No.9, eptember 2008 ecure ommunication in Digital TV Broadcasting Hyo Kim Division of Digital Media, Ajou University, Korea ummary
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More information