Enhanced Delegation Based Authentication Protocol for Secure Roaming Service with Synchronization


JOURNAL OF ELECTRONIC SCIENCE AND TECHNOLOGY, VOL. 9, NO. 4, DECEMBER 2011

Hsing-Bai Chen, Yung-Hsiang Lai, Kuei-Wan Chen, and Wei-Bin Lee

Abstract: Portable communication systems can provide mobile users with global roaming services. Recently, Youn and Lim proposed a delegation-based authentication protocol that achieves unlinkability for secure roaming services. This paper shows that Youn and Lim's protocol has two drawbacks: 1) a synchronization problem that makes on-line authentication fail; and 2) an exhaustive search that puts a heavy burden on the off-line authentication process. Moreover, a remedy based on Youn and Lim's protocol is proposed to address these problems. It is worth noting that the proposed remedy not only keeps the original advantages but also enhances security and performance.

Index Terms: authentication, delegation, portable communication systems, synchronization, unlinkability.

1. Introduction

Portable communication systems (PCSs) permit mobile users to enjoy global roaming services and therefore provide a convenient means of communication. Packets are sent and received over global mobility networks, so it is easy for anyone to intercept, modify, or wiretap the communicated messages without authorization. To support stronger properties, a secure communication system should achieve four major features: secrecy, authenticity, integrity, and non-repudiation [1]. Because of hardware limitations, the mobile station (MS) spends a lot of time on heavy computations, so it should perform as few of them as possible. Likewise, since the home location register (HLR) and the visited location register (VLR) must serve a large number of MSs, the heavy and periodic computations they perform should also be kept to a minimum.
Manuscript received September 28, 2011; revised October 28. H.-B. Chen, Y.-H. Lai, and W.-B. Lee are with the Department of Information Engineering and Computer Science, Feng Chia University (e-mail: hsingbai@gmail.com; laiter.lai@gmail.com; wblee@fcu.edu.tw). K.-W. Chen is with the Department of Information Management, National Chung Cheng University (e-mail: @mis.ccu.edu.tw).

The use of cryptography can benefit the security mechanism of PCSs. In the public key cryptosystem, the most important development is the digital signature. Even though the public key cryptosystem can achieve all four major features, its computation is expensive and therefore slow. Compared with the public key cryptosystem, encryption and decryption in the secret key cryptosystem are faster, but it cannot provide non-repudiation. As a result, to achieve the major features together with efficiency, both the secret key cryptosystem and the public key one are required in a secure communication system. In 2005, Lee and Yeh [1] introduced the concept of delegation [2], [3] into PCSs, in which HLR delegates its signature authority to MS to sign messages. Using both the secret key cryptosystem and the public key one, Lee and Yeh proposed a delegation-based authentication (DBA) protocol that achieves secrecy, authenticity, integrity, and non-repudiation with low computation cost and low communication load. In addition, an off-line authentication process is employed in Lee and Yeh's protocol, in which VLR can rapidly re-authenticate MS without contacting HLR frequently, to increase communication efficiency and decrease authentication time. In 2009, Lee et al. pointed out that Lee and Yeh's protocol cannot achieve non-repudiation in the off-line authentication process [4]. Based on Lee and Yeh's protocol, Lee et al. presented an enhanced DBA protocol that withstands this weakness.
Unfortunately, Youn and Lim [5] in 2010 showed that Lee et al.'s protocol fails to achieve unlinkability, since the same proxy key pair is re-used by MS for every on-line authentication process. This implies that anyone with the proxy key pair can link any two on-line authentication procedures executed by the same MS. By modifying Lee et al.'s protocol, Youn and Lim proposed an improved DBA protocol, in which MS receives a new proxy key pair from HLR and uses it for the next on-line authentication process, achieving unlinkability as well as all security features of Lee et al.'s protocol. Although Youn and Lim's protocol exhibits unlinkability in the on-line authentication process, it still has two drawbacks, one in the on-line authentication process and one in the off-line process. The former is a synchronization problem: the new proxy key pair sent from HLR for unlinkability is not received by MS when someone intercepts it over the wireless link, yet HLR has already replaced the old pair with the new one. With different proxy key pairs, the on-line authentication process cannot work because MS and HLR cannot authenticate each other. The other problem is exhaustive search: VLR learns nothing about which session key in its database should be used to unlock the request sent from MS, and has to try each session key until the request is unlocked. This makes Youn and Lim's protocol inefficient and impractical, since exhaustive search increases computation cost and authentication time. This paper discusses the drawbacks of Youn and Lim's protocol and presents a remedy based on it. The proposed remedy not only keeps the original advantages but also addresses the drawbacks mentioned above.

2. Review of Youn and Lim's DBA Protocol

This section briefly reviews Youn and Lim's DBA protocol for PCSs and analyzes its drawbacks. The following notations are used throughout this paper. Let $p$ and $q$ be two large prime numbers, and $g$ be a generator in the group $Z_p^*$. Let $ID_H$ and $ID_V$ be the identities of HLR and VLR, respectively. Assume that $K_{HV}$ is the long-term secret key shared by VLR and HLR. Let $h(\cdot)$ be a one-way hash function with $h^{(n+1)}(\cdot) = h(h^{(n)}(\cdot))$ and $h^{(1)}(\cdot) = h(\cdot)$, and let $E_K(\cdot)$ and $D_K(\cdot)$ be symmetric-key encryption and decryption with a shared secret key $K$, respectively. The notation $A \to B: \{\cdot\}$ denotes a message sent from $A$ to $B$, and $\|$ denotes concatenation. Youn and Lim's DBA protocol contains on-line and off-line authentication processes. Before the on-line and off-line authentication processes are described, the setup phase should be performed.
In the setup process, HLR has a private/public key pair $(x, v)$, where $x$ is a random number less than $q$ and $v = g^x \bmod p$. The public key $v$ is certified by a trusted certificate authority. When MS subscribes to HLR, HLR generates a random number $k$ and computes the proxy key pair $(\sigma, K)$ for MS, where $\sigma = x + kK \bmod q$ is MS's private key shared between HLR and MS, and $K = g^k \bmod p$ is MS's public key. After subscription, MS obtains from HLR a subscriber identity module (SIM) card that stores the key pair $(\sigma, K)$. HLR also stores each MS's proxy key pair $(\sigma, K)$ securely in its database.

2.1 Youn and Lim's On-Line Authentication

Before each on-line authentication, MS prepares a random number $n_1$, pre-computes the hash chain $h^{(1)}(n_1), h^{(2)}(n_1), \dots, h^{(n+1)}(n_1)$, and stores it securely. The on-line authentication process is carried out as follows.

Step 1: MS → VLR: $\{K\}$. Whenever MS roams into a new VLR, MS sends its public key $K$ as a request to VLR.

Step 2: VLR → MS: $\{n_2, ID_V\}$. VLR generates a random number $n_2$ and transmits $n_2$ and $ID_V$ in reply to MS's request.

Step 3: MS → VLR: $\{r, s, K, N_0, ID_H, ID_V\}$. MS performs the following procedure to sign the roaming request:
1) Generate a random number $t$;
2) Pick the initial authentication value $N_0 = h^{(n+1)}(n_1)$ from the securely prepared hash chain;
3) Compute the signature $(r, s)$ with the private key $\sigma$ as $r = g^t \bmod p$ and $s = \sigma h(N_0 \| n_2 \| ID_V) + tr \bmod q$.

Step 4: VLR → HLR: $\{CT_1, ID_H, ID_V\}$. Upon receiving the roaming request and its signature from MS, VLR performs the following operations.
1) Use both HLR's public key $v$ and MS's public key $K$ to verify whether the signature $(r, s)$ is valid by checking $g^s = (vK^K)^{h(N_0 \| n_2 \| ID_V)} r^r \bmod p$. If the equation does not hold, reject MS's roaming request.
2) Otherwise, compute $CT_1 = E_{K_{HV}}(N_0 \| n_2 \| K)$ so that HLR can verify whether MS is a legal subscriber.

Step 5: HLR → VLR: $\{CT_3, ID_H, ID_V\}$. Upon receiving the message from VLR, HLR generates a new proxy key pair $(\sigma', K')$ for MS as follows:
1) Use the shared key $K_{HV}$ to derive $(N_0 \| n_2 \| K) = D_{K_{HV}}(CT_1)$.
2) Search for the corresponding $\sigma$ in its database according to the derived $K$. If $\sigma$ cannot be found, terminate the connection, since MS does not subscribe to HLR.
3) Otherwise, compute the session key $C_1 = h(N_0 \| n_2 \| n_3 \| \sigma)$, where $n_3$ is a random number.
4) Use the private key $x$ to compute a new proxy key pair $(\sigma', K')$ for unlinkability: $K' = g^{k'} \bmod p$ and $\sigma' = x + k'K' \bmod q$, where $k'$ is a random number.
5) Compute $CT_2 = E_\sigma(N_0 \| n_3 \| ID_V \| \sigma' \| K')$ to conceal the new proxy key pair $(\sigma', K')$ from everyone except MS.
6) Compute $CT_3 = E_{K_{HV}}(CT_2 \| n_2 \| N_0 \| C_1)$ to conceal $C_1$ and to notify VLR that MS is authenticated.
7) Replace $(\sigma, K)$ with $(\sigma', K')$ in its database.
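As an added example (not code from the paper), the following Python runs Steps 3 to 5 above: MS signs with the proxy key, VLR verifies against $v$ and $K$, and HLR looks $K$ up and issues the next pair. The HLR record already carries the $(\sigma_{old}, K_{old}, \sigma_{new}, K_{new})$ fields of the remedy in Section 3.1, so Drawback 1 of Section 2.3 can be reproduced with and without the remedy. Assumptions: SHA-256 reduced mod $q$ stands in for $h(\cdot)$, the group is a toy 10-bit safe-prime group, and the encrypted messages $CT_1$ to $CT_3$ are omitted because only the key lookup matters here.

```python
import hashlib
import random

# Toy group (constructed for this example): p = 2q+1 is a safe prime and g = 4 generates
# the order-q subgroup of Z_p^*. A real deployment needs 2048-bit parameters.
p, q, g = 1019, 509, 4
rng = random.Random(2011)  # fixed seed so the run is reproducible


def h(*parts) -> int:
    """h(.) of the paper: SHA-256 over the concatenation, reduced mod q."""
    digest = hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()
    return int.from_bytes(digest, "big") % q


def ms_sign(sigma: int, N0: int, n2: int, IDV: str):
    """Step 3: r = g^t mod p, s = sigma*h(N0||n2||IDV) + t*r mod q."""
    t = rng.randrange(1, q)
    r = pow(g, t, p)
    return r, (sigma * h(N0, n2, IDV) + t * r) % q


def vlr_verify(v: int, K: int, r: int, s: int, N0: int, n2: int, IDV: str) -> bool:
    """Step 4: accept iff g^s == (v * K^K)^h(N0||n2||IDV) * r^r mod p."""
    rhs = pow(v * pow(K, K, p) % p, h(N0, n2, IDV), p) * pow(r, r, p) % p
    return pow(g, s, p) == rhs


class HLR:
    """HLR with the remedy's (sigma_old, K_old, sigma_new, K_new) record per subscriber."""

    def __init__(self):
        self.x = rng.randrange(1, q)        # long-term private key x < q
        self.v = pow(g, self.x, p)          # certified public key v = g^x mod p
        self.records = []                   # [sigma_old, K_old, sigma_new, K_new]
        self.issued = set()

    def delegate(self):
        """Proxy key pair (sigma, K): K = g^k mod p, sigma = x + k*K mod q.
        K is also the lookup key, so HLR never issues the same K twice."""
        while True:
            k = rng.randrange(1, q)
            K = pow(g, k, p)
            if K not in self.issued:
                self.issued.add(K)
                return (self.x + k * K) % q, K

    def subscribe(self):
        sigma, K = self.delegate()
        self.records.append([sigma, K, None, None])   # new fields start out null
        return sigma, K

    def lookup(self, K: int, remedy: bool):
        """Step 5, sub-step 2: search the new fields first, then the old fields."""
        for rec in self.records:
            if remedy and rec[3] == K:
                return rec, rec[2]
            if rec[1] == K:
                return rec, rec[0]
        return None, None

    def rotate(self, K: int, remedy: bool):
        """Step 5, sub-steps 4 and 7: issue (sigma', K') and update the database."""
        rec, sigma = self.lookup(K, remedy)
        if rec is None:
            return None                        # MS does not subscribe to HLR
        new_pair = self.delegate()
        if remedy:
            rec[:] = [sigma, K, *new_pair]     # current pair kept in the old fields
        else:
            rec[:] = [*new_pair, None, None]   # Youn and Lim: current pair overwritten
        return new_pair


def online_auth(hlr: HLR, ms_pair, intercepted: bool, remedy: bool):
    """One on-line run. Returns (HLR accepted, proxy pair MS holds afterwards)."""
    sigma, K = ms_pair
    N0, n2, IDV = rng.getrandbits(64), rng.getrandbits(64), "VLR-1"
    r, s = ms_sign(sigma, N0, n2, IDV)
    if not vlr_verify(hlr.v, K, r, s, N0, n2, IDV):
        return False, ms_pair
    new_pair = hlr.rotate(K, remedy)
    if new_pair is None:
        return False, ms_pair
    # Steps 6 and 7: MS learns (sigma', K') only if the Step 5 message gets through.
    return True, (ms_pair if intercepted else new_pair)


def drawback1(remedy: bool) -> list:
    """Drawback 1: the first Step 5 message is intercepted, then MS authenticates again."""
    hlr = HLR()
    ms_pair = hlr.subscribe()
    results = []
    for intercepted in (True, False):
        ok, ms_pair = online_auth(hlr, ms_pair, intercepted, remedy)
        results.append(ok)
    return results
```

Without the remedy the second run is rejected because HLR only knows $(\sigma', K')$; with the old fields retained it succeeds.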

Step 6: VLR → MS: $\{CT_2, ID_V\}$. VLR does the following to set a session key for MS:
1) Use the shared key $K_{HV}$ to derive $(CT_2 \| n_2 \| N_0 \| C_1) = D_{K_{HV}}(CT_3)$;
2) Check whether the derived $n_2$ and $N_0$ are valid. If they are, VLR is convinced that MS has been authenticated by HLR;
3) Set $C_1$ as the session key.

Step 7: Upon receiving $CT_2$ and $ID_V$ from VLR, MS does the following to complete the process:
1) Use $\sigma$ to derive $(N_0 \| n_3 \| ID_V \| \sigma' \| K') = D_\sigma(CT_2)$;
2) Check whether the derived $N_0$ is valid. If it is, MS is convinced that $CT_2$ was indeed sent from HLR and that $(\sigma', K')$ is the same pair as the one in HLR's database;
3) Use $\sigma$ to compute the session key $C_1 = h(N_0 \| n_2 \| n_3 \| \sigma)$;
4) Replace $(\sigma, K)$ with $(\sigma', K')$ in the SIM card.

After the on-line authentication process, the session key $C_1$ and the initial authentication value $N_0$ are agreed and can be used for off-line authentications between MS and VLR.

2.2 Youn and Lim's $i$th Off-Line Authentication

Step 1: MS → VLR: $\{AM_i\}$. MS performs the following procedure for the $i$th off-line authentication:
1) Pick the off-line authentication value $N_i = h^{(n-i+1)}(n_1)$ from the securely prepared hash chain, for $i = 1, 2, \dots, n$, where the predefined constant $n$ is the maximum number of off-line authentications;
2) Compute the authentication message $AM_i = E_{C_i}(N_i)$ with the session key $C_i$ for the $i$th off-line authentication, where $C_i = h(N_{i-1} \| C_{i-1})$ if $i > 1$.

Step 2: Upon receiving the authentication message $AM_i$ from MS, VLR does the following to complete the $i$th off-line authentication process:
1) Use $C_i$ to derive $N_i = D_{C_i}(AM_i)$;
2) Check whether $h(N_i) = N_{i-1}$.
If the equation does not hold, terminate the connection, since MS is not authenticated;
3) Update the count $i = i + 1$ and check whether $i \le n$;
4) Compute the $(i+1)$th session key $C_{i+1} = h(N_i \| C_i)$;
5) Replace $N_{i-1}$ with $N_i$.

2.3 Drawbacks of Youn and Lim's DBA Protocol

The following drawbacks exist in Youn and Lim's DBA protocol.

Drawback 1. Synchronization problem in on-line authentication. Since the proxy key pair $(\sigma, K)$ is used for on-line authentication, the proxy key pairs held by HLR and by MS must be the same. A synchronization problem with the new proxy key pair occurs if an attacker intercepts the message sent from HLR to VLR in Step 5, Section 2.1. In that case, HLR has already replaced the proxy key pair $(\sigma, K)$ with the new one $(\sigma', K')$, but MS keeps the old pair $(\sigma, K)$, because the new pair $(\sigma', K')$ carried in the Step 5 message never reaches MS. With different proxy key pairs, MS can no longer be authenticated by HLR. As a result, the on-line authentication process cannot work once the synchronization problem exists.

Drawback 2. Exhaustive search in off-line authentication. To provide unlinkability, VLR receives the encrypted authentication message $AM_i$ but no information about MS's identity. Without any information to recognize MS, VLR must use every session key stored in its database to decrypt $AM_i$ and then check whether the decrypted authentication value $N_i$ is valid, as in sub-steps 1) and 2) of Step 2 in Section 2.2, until the correct $(C_i, N_{i-1})$ is found or all $(C_i, N_{i-1})$ pairs have been tried. This is the so-called exhaustive search, and it makes the off-line authentication process inefficient and impractical. Since the off-line authentication process of Youn and Lim's DBA protocol is identical to that of the underlying protocol proposed by Lee et al. [4], the exhaustive search problem also exists in Lee et al.'s scheme.

3. Enhanced DBA Protocol with Synchronization

To address the drawbacks of Youn and Lim's DBA protocol, the remedy (see Fig. 1) is proposed by modifying Youn and Lim's protocol. Since the setup process is identical to that of the underlying protocol proposed by Youn and Lim [5], only the on-line and off-line authentication processes are described.

3.1 On-Line Authentication

Initially, HLR creates $(\sigma_{old}, K_{old}, \sigma_{new}, K_{new})$ fields in its database for storing MS's proxy key pairs. After the setup process, HLR stores each MS's key pair $(\sigma, K)$ in the $(\sigma_{old}, K_{old})$ fields, while the $(\sigma_{new}, K_{new})$ fields initially hold a null value. To address the synchronization problem described above, only Step 5 of the on-line authentication process of Youn and Lim's DBA protocol needs revision, so only the revised step is described here.

Step 5: HLR → VLR: $\{CT_3, ID_H, ID_V\}$. Upon receiving the message from VLR, HLR generates a new proxy key pair $(\sigma', K')$ for MS as follows.
1) Use the shared key $K_{HV}$ to derive $(N_0 \| n_2 \| K) = D_{K_{HV}}(CT_1)$.

2) Search for the corresponding $\sigma$ in its database according to the derived $K$.
2.1) Search for $\sigma$ according to $K$ in the $(\sigma_{new}, K_{new})$ fields. If $\sigma$ is found, perform step 3); otherwise, go to step 2.2).
2.2) Search for $\sigma$ according to $K$ in the $(\sigma_{old}, K_{old})$ fields. If $\sigma$ is found, perform step 3); otherwise, terminate the connection, since MS does not subscribe to HLR.
3) Compute $C_1 = h(N_0 \| n_2 \| n_3 \| \sigma)$, where $n_3$ is a random number and $\sigma$ is the key found in step 2).
4) Use the private key $x$ to compute a new proxy key pair $(\sigma', K')$ for unlinkability: $K' = g^{k'} \bmod p$ and $\sigma' = x + k'K' \bmod q$, where $k'$ is a random number.
5) Compute $CT_2 = E_\sigma(N_0 \| n_3 \| ID_V \| \sigma' \| K')$.
6) Compute $CT_3 = E_{K_{HV}}(CT_2 \| n_2 \| N_0 \| C_1)$.
7) Update the $(\sigma_{old}, K_{old}, \sigma_{new}, K_{new})$ fields with $(\sigma, K, \sigma', K')$.

3.2 Off-Line Authentication

After the on-line authentication process, both VLR and MS can prepare the initial pseudonym $ID_1 = h(CT_2 \| C_1)$. In VLR's database, a quartet $(ID_1, C_1, N_0, i)$ is kept privately for each MS.

Step 1: MS → VLR: $\{ID_i, AM_i\}$. MS performs the following procedure for the $i$th off-line authentication:
1) Pick the off-line authentication value $N_i = h^{(n-i+1)}(n_1)$ from the securely prepared hash chain, for $i = 1, 2, \dots, n$, where the predefined constant $n$ is the maximum number of off-line authentications.
2) Compute $AM_i = E_{C_i}(N_i)$ with the session key $C_i$ for the $i$th off-line authentication, where $C_i = h(N_{i-1} \| C_{i-1})$ if $i > 1$.
3) Compute the pseudonym $ID_i = h(ID_{i-1} \| C_i)$ if $i > 1$.

Step 2: Upon receiving $ID_i$ and $AM_i$ from MS, VLR does the following to complete the $i$th off-line authentication process.
1) Use $C_i$ to derive $N_i = D_{C_i}(AM_i)$, where $C_i$ is found according to $ID_i$ in its database.
2) Check whether $h(N_i) = N_{i-1}$. If the equation does not hold, terminate the connection, since MS is not authenticated.
3) Update the count $i = i + 1$ and check whether $i \le n$.
4) Compute the $(i+1)$th session key $C_{i+1} = h(N_i \| C_i)$.
5) Compute MS's $(i+1)$th pseudonym $ID_{i+1} = h(ID_i \| C_{i+1})$.
6) Replace $(ID_i, C_i, N_{i-1})$ with $(ID_{i+1}, C_{i+1}, N_i)$.

4. Analysis

In this section, the security of the remedy is examined. For practicality, the performance of the remedy is also investigated. The proposed protocol with this remedy is a revision of Youn and Lim's DBA protocol and is almost identical to the underlying protocol proposed by Youn and Lim. The analyses of the proposed protocol, such as user identity privacy, non-repudiation in the on-line authentication process, non-repudiation in the off-line authentication process, unlinkability, key management, session key security, computation cost, and communication load, are similar to those of the underlying protocol and are therefore not repeated here; for details, please refer to the analyses in [1], [4], and [5].

4.1 Security Analysis

In this sub-section, only synchronization and the absence of exhaustive search under the preservation of unlinkability are discussed. Prior to the analysis, the following assumptions are made. It is reasonable to assume that HLR is trustworthy, since MS must register with it using private information in order to enjoy services. It is also reasonable to assume that the long-term private key $x$ is securely protected by HLR, that the private key of the proxy key pair is kept private by both HLR and MS, and that the session key shared between HLR and MS is not disclosed.

Proposition 1. Synchronization: the proxy key pairs in HLR and in MS are always the same in on-line authentication.

Proof. An attacker who aims to cause a synchronization problem of the proxy key pair will intercept the message sent from HLR to VLR in Step 5, Section 3.1. Because of the interception, the proxy key pair for the next process cannot be received by MS. To address this, both the proxy key pair $(\sigma', K')$ for the next on-line authentication process and the pair $(\sigma, K)$ for the current process are kept in HLR's database; that is, $(\sigma, K, \sigma', K')$ is written into the $(\sigma_{old}, K_{old}, \sigma_{new}, K_{new})$ fields in sub-step 7) of Step 5, Section 3.1. In this way the proxy key stored in MS can still be found in sub-step 2) of Step 5, Section 3.1, so the on-line authentication process completes, because a proxy key pair identical to the MS's one is also kept in HLR. Hence, the synchronization problem in the on-line authentication process is addressed by the remedy. Since the proxy key pair of the current process can be used again next time in the remedy, an attacker may mount replay attacks against the remedy by collecting messages that carry the proxy key pair, such as the message sent from MS to VLR in Step 3, Section 2.1. In the remedy, a random number $n_2$ for each on-line authentication process is chosen by VLR and sealed into the signature $(r, s)$ by MS in sub-step 3) of Step 3, Section 2.1. With a different $n_2$ in each on-line authentication process, a replay is detected in sub-step 1) of Step 4, Section 2.1, because the signature verification fails. As a result, the synchronization problem in the on-line authentication process is addressed and replay attacks do not work in the remedy.

Fig. 1. Enhanced DBA protocol with synchronization (message flow reconstructed from the flattened figure).

On-line authentication process. MS holds $(\sigma, K)$; VLR holds $(v, K_{HV})$; HLR holds $(x, v, K_{HV}, \sigma_{old}, K_{old}, \sigma_{new}, K_{new})$.
0. MS pre-computes $h^{(1)}(n_1), h^{(2)}(n_1), \dots, h^{(n+1)}(n_1)$.
1. MS → VLR: $\{K\}$.
2. VLR → MS: $\{n_2, ID_V\}$. MS picks $N_0 = h^{(n+1)}(n_1)$ and computes $r = g^t \bmod p$ and $s = \sigma h(N_0 \| n_2 \| ID_V) + tr \bmod q$.
3. MS → VLR: $\{r, s, K, N_0, ID_H, ID_V\}$. VLR checks $g^s = (vK^K)^{h(N_0 \| n_2 \| ID_V)} r^r \bmod p$ and computes $CT_1 = E_{K_{HV}}(N_0 \| n_2 \| K)$.
4. VLR → HLR: $\{CT_1, ID_H, ID_V\}$. HLR computes $D_{K_{HV}}(CT_1) = (N_0 \| n_2 \| K)$ and searches $\sigma$ in its database according to $K$: if no $\sigma$ is found in the $\sigma_{new}$ field, it searches the $\sigma_{old}$ field, and if none is found there either, it terminates the connection. HLR then computes $C_1 = h(N_0 \| n_2 \| n_3 \| \sigma)$, $K' = g^{k'} \bmod p$, $\sigma' = x + k'K' \bmod q$, $CT_2 = E_\sigma(N_0 \| n_3 \| ID_V \| \sigma' \| K')$ and $CT_3 = E_{K_{HV}}(CT_2 \| n_2 \| N_0 \| C_1)$, and updates the $(\sigma_{old}, K_{old}, \sigma_{new}, K_{new})$ fields with $(\sigma, K, \sigma', K')$.
5. HLR → VLR: $\{CT_3, ID_H, ID_V\}$. VLR computes $D_{K_{HV}}(CT_3) = (CT_2 \| n_2 \| N_0 \| C_1)$ and verifies $n_2$ and $N_0$.
6. VLR → MS: $\{CT_2, ID_V\}$. MS computes $D_\sigma(CT_2) = (N_0 \| n_3 \| ID_V \| \sigma' \| K')$, verifies $N_0$, computes $C_1 = h(N_0 \| n_2 \| n_3 \| \sigma)$, and replaces $(\sigma, K)$ with $(\sigma', K')$.

Off-line authentication process. MS holds $(ID_{i-1}, C_{i-1}, N_{i-1}, N_i, \dots)$; VLR holds $(ID_i, C_i, N_{i-1}, i)$.
MS: if $i > 1$, compute $C_i = h(N_{i-1} \| C_{i-1})$; compute $AM_i = E_{C_i}(N_i)$ with $N_i = h^{(n-i+1)}(n_1)$; if $i > 1$, compute $ID_i = h(ID_{i-1} \| C_i)$.
1. MS → VLR: $\{ID_i, AM_i\}$. VLR computes $D_{C_i}(AM_i) = N_i$, checks $h(N_i) = N_{i-1}$, updates the count $i = i + 1 \le n$, computes $C_{i+1} = h(N_i \| C_i)$ and $ID_{i+1} = h(ID_i \| C_{i+1})$, and replaces $(ID_i, C_i, N_{i-1})$ with $(ID_{i+1}, C_{i+1}, N_i)$.
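The off-line process of Fig. 1 (Sections 2.2 and 3.2) as an added Python simulation, not code from the paper: one MS walks its hash chain at a VLR serving other subscribers, and the VLR's trial decryptions are counted once with the pseudonym lookup of the remedy and once with Youn and Lim's exhaustive search; the first Step 1 message is also dropped to mirror the interception discussed in Section 4.1. Assumptions: SHA-256 for $h(\cdot)$, an XOR pad as a stand-in for $E_K/D_K$, and that MS advances its $(ID_i, C_i)$ state only after it has been served, which the paper does not state.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """h(.) of the paper, instantiated here as SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def hash_chain(n1: bytes, n: int) -> list:
    """[h^(1)(n1), ..., h^(n+1)(n1)], so N_i = h^(n-i+1)(n1) is chain[n - i]."""
    chain, cur = [], n1
    for _ in range(n + 1):
        cur = h(cur)
        chain.append(cur)
    return chain


def sym(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K and D_K on one 32-byte value: XOR with a key-derived pad.
    Toy construction for this example only, not a real cipher."""
    return bytes(a ^ b for a, b in zip(block, h(key, b"pad")))


class MobileStation:
    """MS side of Section 3.2 (assumption: the state advances only once MS is served)."""

    def __init__(self, n1: bytes, n: int, C1: bytes, CT2: bytes):
        self.chain, self.n = hash_chain(n1, n), n
        self.state = (1, h(CT2, C1), C1)       # (i, ID_i, C_i) with ID_1 = h(CT_2 || C_1)

    def N(self, i: int) -> bytes:
        return self.chain[self.n - i]          # N_i = h^(n-i+1)(n1)

    def request(self):
        """Step 1: {ID_i, AM_i} with AM_i = E_{C_i}(N_i); re-sending yields the same pair."""
        i, ID, C = self.state
        if i > self.n:
            raise ValueError("off-line authentication limit n reached")
        return ID, sym(C, self.N(i))

    def advance(self):
        """C_{i+1} = h(N_i || C_i) and ID_{i+1} = h(ID_i || C_{i+1})."""
        i, ID, C = self.state
        C_next = h(self.N(i), C)
        self.state = (i + 1, h(ID, C_next), C_next)


class VLR:
    """VLR side: the quartet (ID_i, C_i, N_{i-1}, i) per MS, keyed by ID_i."""

    def __init__(self, n: int):
        self.n, self.table, self.decryptions = n, {}, 0

    def register(self, ID1: bytes, C1: bytes, N0: bytes):
        self.table[ID1] = (C1, N0, 1)

    def _accept(self, ID: bytes, AM: bytes) -> bool:
        """Step 2 for the entry stored under ID; counts one trial decryption."""
        C, N_prev, i = self.table[ID]
        self.decryptions += 1
        N = sym(C, AM)                         # N_i = D_{C_i}(AM_i)
        if h(N) != N_prev:                     # check h(N_i) = N_{i-1}
            return False
        del self.table[ID]
        if i + 1 <= self.n:                    # count i+1 still within the limit n
            C_next = h(N, C)
            self.table[h(ID, C_next)] = (C_next, N, i + 1)
        return True

    def auth_by_pseudonym(self, ID: bytes, AM: bytes) -> bool:
        """Remedy: ID_i selects the session key directly."""
        return ID in self.table and self._accept(ID, AM)

    def auth_exhaustive(self, AM: bytes) -> bool:
        """Youn and Lim: no pseudonym, so every stored session key is tried in turn."""
        for ID in list(self.table):
            if self._accept(ID, AM):
                return True
        return False


def simulate(n: int = 5, others: int = 19, lose_first: bool = True) -> tuple:
    """One MS runs n off-line authentications at a VLR that also serves `others` MSs.
    Returns (all accepted, decryptions with pseudonyms, decryptions with exhaustive search)."""
    fast, slow = VLR(n), VLR(n)
    for _ in range(others + 1):                # constructed subscribers; the last one is ours
        C1 = secrets.token_bytes(32)
        ms = MobileStation(secrets.token_bytes(32), n, C1, secrets.token_bytes(48))
        ID1, _ = ms.request()
        fast.register(ID1, C1, ms.N(0))
        slow.register(ID1, C1, ms.N(0))
    ok = True
    for i in range(1, n + 1):
        ID, AM = ms.request()
        if lose_first and i == 1:
            ID, AM = ms.request()              # first copy intercepted; MS re-sends the same {ID_1, AM_1}
        ok &= fast.auth_by_pseudonym(ID, AM)
        ok &= slow.auth_exhaustive(AM)
        ms.advance()
    return ok, fast.decryptions, slow.decryptions
```

With 20 subscribers the pseudonym lookup costs one decryption per authentication while the exhaustive search costs up to 20, and the dropped first message causes no desynchronization because MS simply re-sends the identical pair.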

Apart from the synchronization problem in the on-line authentication process, an attacker could intercept the message sent from MS to VLR in Step 1 of Section 3.2 to try to cause a synchronization problem. In the remedy, both the pseudonym and the session key for the $i$th off-line authentication are computed by MS in the $i$th authentication, even though they were already pre-computed and updated by VLR in the $(i-1)$th authentication. This implies that a synchronization problem caused by interception of the message in Step 1, Section 3.2 does not appear, because the pseudonym and the session key used for the $i$th off-line authentication are the same at MS and at VLR. Hence, the synchronization problem also never arises in the off-line authentication process of the proposed remedy.

Proposition 2. No exhaustive search: under the preservation of unlinkability, exhaustive search never occurs in an off-line authentication process.

Proof. In the remedy, the quartet $(ID_i, C_i, N_{i-1}, i)$ is privately maintained by VLR. In the off-line authentication process, the encrypted authentication message $AM_i$ is sent from MS together with the pseudonym $ID_i$. VLR therefore knows which session key $C_i$ to use to decrypt $AM_i$, and exhaustive search never arises in the remedy. An attacker who aims to establish linkability must find the relationship between pseudonyms. Since a pseudonym is the hashed value $ID_i = h(ID_{i-1} \| C_i)$ or $ID_1 = h(CT_2 \| C_1)$, knowledge of the session key $C_i$, the $(i-1)$th pseudonym $ID_{i-1}$, and the encrypted value $CT_2$ is required. By the above assumption that the session key shared between HLR and MS is not disclosed, the attacker has no way to learn session keys, and without the session key the relationship between pseudonyms cannot be learned. On the other hand, if an attacker tries to retrieve $ID_{i-1}$ from $ID_i$, or $CT_2$ from $ID_1$, this is impossible because one-way hash functions are irreversible [6]. Therefore, unlinkability is provided in the remedy without exhaustive search.

4.2 Performance Analysis

Compared with the underlying protocol of Youn and Lim, the remedy adds to the total cost the search time in the $(\sigma_{old}, K_{old})$ fields, which addresses the synchronization problem in the on-line authentication process, and one hashing operation per pseudonym $ID_i$, which removes the exhaustive search from the off-line authentication process. In Youn and Lim's protocol, however, the exhaustive search in the off-line authentication process requires the symmetric decryption and hashing operation of sub-steps 1) and 2) of Step 2, Section 3.2 to be repeated until the correct session key $C_i$ and authentication value $N_{i-1}$ are found or all of the pairs stored in VLR's database have been tested, which is a heavy burden on performance. Without exhaustive search, as analyzed in Section 4.1, this burden never arises in the proposed remedy. The increase in cost is negligible, since the search time in the $(\sigma_{old}, K_{old})$ fields of a database and one hashing operation for computing a pseudonym $ID_i$ are negligible compared with the cost of exhaustive search. Therefore, the remedy is more efficient than Youn and Lim's protocol.

5. Conclusions

Both user identity privacy and unlinkability, which protect the privacy of mobile users, are the original advantages of the delegation-based authentication protocol presented by Youn and Lim. In this paper, we show that a synchronization problem and an exhaustive search exist in Youn and Lim's protocol. Furthermore, a remedy based on Youn and Lim's protocol is proposed that successfully addresses the synchronization problem and the exhaustive search, and the remedy is more efficient than Youn and Lim's protocol. It is worth noting that the remedy not only keeps the original advantages but also enhances security and performance.

References

[1] W.-B. Lee and C.-K. Yeh, "A new delegation-based authentication protocol for use in portable communication systems," IEEE Trans. on Wireless Communications, vol. 4, no. 1, Jan. 2005.
[2] W.-B. Lee and C.-Y. Chang, "Efficient proxy-protected proxy signature scheme based on discrete logarithm," in Proc. of the 10th Conf. Information Security, Hualien, 2000.
[3] M. Mambo, K. Usuda, and E. Okamoto, "Delegation of the power to sign messages," IEICE Trans. on Fundamentals, vol. E79-A, no. 9, Sep.
[4] T.-F. Lee, S.-H. Chang, T. Hwang, and S.-K. Chong, "Enhanced delegation-based authentication protocol for PCSs," IEEE Trans. on Wireless Communications, vol. 8, no. 5, May 2009.
[5] T.-K. Youn and J. Lim, "Improved delegation-based authentication protocol for secure roaming service with unlinkability," IEEE Communications Letters, vol. 14, no. 9, Sep. 2010.
[6] W. Stallings, Network Security Essentials: Applications and Standards, 4th ed. New Jersey: Prentice Hall Inc., 2010.

Hsing-Bai Chen was born in Taiwan. He received his B.S. and M.S. degrees in information management from Chao Yang University of Technology in 2001 and 2003, respectively, and his Ph.D. degree from Feng Chia University in 2009. Since 2009, he has been with the Department of Information Engineering, Feng Chia University, where he was a postdoctoral fellow until July. His research interests include cryptography, electronic commerce, information security, and digital rights management.

Yung-Hsiang Lai was born in Taiwan. He received the B.S. degree from the Hsiuping Institute of Technology. He is currently pursuing his M.S. degree at Feng Chia University. His research interests include mobile communications and information security.

Wei-Bin Lee received his B.S. degree from Chung-Yuan Christian University in 1991 and his M.S. degree in computer science and information engineering from National Chung Cheng University. He received his Ph.D. degree in 1997 from National Chung Cheng University. Since 1999, he has been with the Department of Information Engineering, Feng Chia University, where he is currently a professor. Since 2007, he has been with the Office of Information Technology, Feng Chia University, where he is now the Dean. In addition, he has been the Director of the Information and Communication Security Research Center, Feng Chia University. His research interests currently include medical information security, cloud computing security, e-commerce security, content protection, cryptography, watermarking, and steganography. He is an honorary member of the Phi Tau Phi Scholastic Honor Society.

Kuei-Wan Chen received her B.S. and M.S. degrees in information management from Chao Yang University of Technology in 2001 and 2005, respectively. She is currently pursuing her Ph.D. degree in information management at National Chung Cheng University. Her current research interests include impulse buying, positive psychology, consumer behavior, internet marketing, electronic commerce, information security, and data mining.


More information

Session key establishment protocols

Session key establishment protocols our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session

More information

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards

An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards An Improved Timestamp-Based Password Authentication Scheme Using Smart Cards Al-Sakib Khan Pathan and Choong Seon Hong Department of Computer Engineering, Kyung Hee University, Korea spathan@networking.khu.ac.kr

More information

An Improvement on the Self-Verification Authentication Mechanism for A Mobile Satellite Communication System

An Improvement on the Self-Verification Authentication Mechanism for A Mobile Satellite Communication System Appl. Math. Inf. Sci. 8, No. 1L, 97-106 (2014) 97 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/081l13 An Improvement on the Self-Verification Authentication

More information

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings Debasis Giri and P. D. Srivastava Department of Mathematics Indian Institute of Technology, Kharagpur 721 302, India

More information

Notes on Polynomial-based Key Management for Secure Intra-Group and Inter-Group Communication

Notes on Polynomial-based Key Management for Secure Intra-Group and Inter-Group Communication International Journal of Network Security, Vol.16, No.2, PP.143-148, Mar. 2014 143 Notes on Polynomial-based Key Management for Secure Intra-Group and Inter-Group Communication Chin-Chen Chang 1, 2, Lein

More information

A New Anonymous Channel Protocol in Wireless Communications

A New Anonymous Channel Protocol in Wireless Communications Int. J. Electron. Commun. (AEÜ) 58 (2004): 1 5 http://www.elsevier-deutschland.de/aeue A New Anonymous Channel Protocol in Wireless Communications Min-Shiang Hwang, Cheng-Chi Lee, and Ji-Zhe Lee Abstract:

More information

Using Commutative Encryption to Share a Secret

Using Commutative Encryption to Share a Secret Using Commutative Encryption to Share a Secret Saied Hosseini Khayat August 18, 2008 Abstract It is shown how to use commutative encryption to share a secret. Suppose Alice wants to share a secret with

More information

On the Security of Yoon and Yoo s Biometrics Remote User Authentication Scheme

On the Security of Yoon and Yoo s Biometrics Remote User Authentication Scheme On the Security of Yoon and Yoo s Biometrics Remote User Authentication Scheme MING LIU * Department of Tourism Management WEN-GONG SHIEH Department of Information Management Chinese Culture University

More information

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS ISSN 1392 124X INFORMATION TECHNOLOGY AND CONTROL, 2012, Vol.41, No.1 A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS Bae-Ling Chen 1, Wen-Chung Kuo 2*, Lih-Chyau Wuu 3 1

More information

The Modified Scheme is still vulnerable to. the parallel Session Attack

The Modified Scheme is still vulnerable to. the parallel Session Attack 1 The Modified Scheme is still vulnerable to the parallel Session Attack Manoj Kumar Department of Mathematics, Rashtriya Kishan (P.G.) College Shamli- Muzaffarnagar-247776 yamu_balyan@yahoo.co.in Abstract

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment. CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How

More information

A SMART CARD BASED AUTHENTICATION SCHEME FOR REMOTE USER LOGIN AND VERIFICATION. Received April 2011; revised September 2011

A SMART CARD BASED AUTHENTICATION SCHEME FOR REMOTE USER LOGIN AND VERIFICATION. Received April 2011; revised September 2011 International Journal of Innovative Computing, Information and Control ICIC International c 2012 ISSN 1349-4198 Volume 8, Number 8, August 2012 pp. 5499 5511 A SMART CARD BASED AUTHENTICATION SCHEME FOR

More information

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

More information

A NEW CONVERTIBLE AUTHENTICATED ENCRYPTION SCHEME BASED ON THE ELGAMAL CRYPTOSYSTEM

A NEW CONVERTIBLE AUTHENTICATED ENCRYPTION SCHEME BASED ON THE ELGAMAL CRYPTOSYSTEM International Journal of Foundations of Computer Science Vol. 20, No. 2 (2009) 351 359 c World Scientific Publishing Company NEW CONVERTIBLE UTHENTICTED ENCRYPTION SCHEME BSED ON THE ELGML CRYPTOSYSTEM

More information

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 10, April 2014

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 10, April 2014 Two Way User Authentication Using Biometric Based Scheme for Wireless Sensor Networks Srikanth S P (Assistant professor, CSE Department, MVJCE, Bangalore) Deepika S Haliyal (PG Student, CSE Department,

More information

Security. Communication security. System Security

Security. Communication security. System Security Security Communication security security of data channel typical assumption: adversary has access to the physical link over which data is transmitted cryptographic separation is necessary System Security

More information

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism Module 9 - Security Issues Separation of Security policies Precise definition of which entities in the system can take what actions Security mechanism Means of enforcing that policy Distributed system

More information

Efficient remote mutual authentication and key agreement

Efficient remote mutual authentication and key agreement computers & security 25 (2006) 72 77 available at www.sciencedirect.com journal homepage: www.elsevier.com/locate/cose Efficient remote mutual authentication and key agreement Wen-Gong Shieh*, Jian-Min

More information

A ROBUST AND FLEXIBLE BIOMETRICS REMOTE USER AUTHENTICATION SCHEME. Received September 2010; revised January 2011

A ROBUST AND FLEXIBLE BIOMETRICS REMOTE USER AUTHENTICATION SCHEME. Received September 2010; revised January 2011 International Journal of Innovative Computing, Information and Control ICIC International c 2012 ISSN 1349-4198 Volume 8, Number 5(A), May 2012 pp. 3173 3188 A ROBUST AND FLEXIBLE BIOMETRICS REMOTE USER

More information

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass

More information

Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network

Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network 1 Ms.Anisha Viswan, 2 Ms.T.Poongodi, 3 Ms.Ranjima P, 4 Ms.Minimol Mathew 1,3,4 PG Scholar, 2 Assistant Professor,

More information

Proxy Signature-based RSU Message Broadcasting in VANETs

Proxy Signature-based RSU Message Broadcasting in VANETs Proxy Signature-based RSU Message Broadcasting in VANETs Subir Biswas Dept. of Computer Science University of Manitoba Winnipeg MB, Canada R3T 2N2 Email: bigstan@cs.umanitoba.ca Jelena Mišić Dept. of Computer

More information

Chapter 9: Key Management

Chapter 9: Key Management Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange

More information

Efficient password authenticated key agreement using bilinear pairings

Efficient password authenticated key agreement using bilinear pairings Mathematical and Computer Modelling ( ) www.elsevier.com/locate/mcm Efficient password authenticated key agreement using bilinear pairings Wen-Shenq Juang, Wei-Ken Nien Department of Information Management,

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes

More information

Three Party Authentication Scheme with Privacy in Telecare Medicine Information Systems

Three Party Authentication Scheme with Privacy in Telecare Medicine Information Systems Three Party Authentication Scheme with Privacy in Telecare Medicine Information Systems Hee Joo Park * * Department of Cyber Security, Kyungil University, Kyungsan, Kyungbuk 712-701, Korea. *Orcid ID:

More information

Cryptanalysis of a timestamp-based password authentication scheme 1

Cryptanalysis of a timestamp-based password authentication scheme 1 Cryptanalysis of a timestamp-based password authentication scheme 1 Lizhen Yang a Kefei Chen a a Department of Computer Science and Engineering, Shanghai Jiaotong University, Shanghai 200030, P.R.China

More information

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2 Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................

More information

Robust EC-PAKA Protocol for Wireless Mobile Networks

Robust EC-PAKA Protocol for Wireless Mobile Networks International Journal of Mathematical Analysis Vol. 8, 2014, no. 51, 2531-2537 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.410298 Robust EC-PAKA Protocol for Wireless Mobile Networks

More information

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key? ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should

More information

A Proxy E-Raffle Protocol Based on Proxy Signatures

A Proxy E-Raffle Protocol Based on Proxy Signatures A Proxy E-Raffle Protocol Based on Proxy Signatures Nasrollah Pakniat and Ziba Eslami Department of Computer Science Shahid Beheshti University, G.C. Tehran, Iran n.pakniat@mail.sbu.ac.ir, z_eslami@sbu.ac.ir

More information

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message

More information

An improved proxy blind signature scheme based on ECDLP

An improved proxy blind signature scheme based on ECDLP Malaya J. Mat. 2(3)(2014) 228 235 An improved proxy blind signature scheme based on ECDLP Manoj Kumar Chande Shri Shankaracharya Institute Of Professional Management & Technology, Raipur, 492015, Chhattisgarh,

More information

The Password Change Phase is Still Insecure

The Password Change Phase is Still Insecure Manoj Kumar: The password change phase change is still insecure 1 The Password Change Phase is Still Insecure Manoj Kumar!"#$ %&''%% E. Mail: yamu_balyan@yahoo.co.in Abstract In 2004, W. C. Ku and S. M.

More information

Category: Informational March Methods for Avoiding the "Small-Subgroup" Attacks on the Diffie-Hellman Key Agreement Method for S/MIME

Category: Informational March Methods for Avoiding the Small-Subgroup Attacks on the Diffie-Hellman Key Agreement Method for S/MIME Network Working Group R. Zuccherato Request for Comments: 2785 Entrust Technologies Category: Informational March 2000 Methods for Avoiding the "Small-Subgroup" Attacks on the Diffie-Hellman Key Agreement

More information

An Enhanced Dynamic Identity Based Remote User Authentication Scheme Using Smart Card without a Verification Table

An Enhanced Dynamic Identity Based Remote User Authentication Scheme Using Smart Card without a Verification Table An Enhanced Dynamic Identity Based Remote User Authentication Scheme Using Smart Card without a Verification Table B. Sumitra, Research Scholar, Christ University, Bangalore, India (*Corresponding Author)

More information

authentication will be required between roaming user, visited network and home network.

authentication will be required between roaming user, visited network and home network. Classification of Security Authentication for Roaming User in Mobile Networks Ja afer AL-Saraireh & Sufian Yousef j.al-saraireh@anglia.ac.uk, s.yousef@anglia.ac.uk Anglia Ruskin University Chelmsford UK

More information

Survey Paper on Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud

Survey Paper on Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 1, January 2014,

More information

Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues

Security Flaws of Cheng et al. s Biometric-based Remote User Authentication Scheme Using Quadratic Residues Contemporary Engineering Sciences, Vol. 7, 2014, no. 26, 1467-1473 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.49118 Security Flaws of Cheng et al. s Biometric-based Remote User Authentication

More information

Meaningful Shadows for Image Secret Sharing with Steganography and Authentication Techniques

Meaningful Shadows for Image Secret Sharing with Steganography and Authentication Techniques Journal of Information Hiding and Multimedia Signal Processing 2014 ISSN 2073-4212 Ubiquitous International Volume 5, Number 3, July 2014 Meaningful Shadows for Image Secret Sharing with Steganography

More information

A Hash-based RFID Search Protocol for Mobile Reader

A Hash-based RFID Search Protocol for Mobile Reader , pp.139-150 http://dx.doi.org/10.14257/ijhit.2014.7.2.14 A Hash-based RFID Search Protocol for Mobile Reader He Jialiang 1, Xu Youjun 2 and Xu Zhiqiang 3 *1 College of Information and Communication Engineering,

More information

Forward-Secure Signatures for Unbounded Time Periods in Mobile Computing Applications

Forward-Secure Signatures for Unbounded Time Periods in Mobile Computing Applications 208 Forward-Secure Signatures for Unbounded Time Periods in Mobile Computing Applications N..Sunitha B.B.Amberker Prashant Koulgi Department of Computer Science Department of Computer Science Department

More information

An Efficient and Secure Multi-server Smart Card based Authentication Scheme

An Efficient and Secure Multi-server Smart Card based Authentication Scheme An Efficient Secure Multi-server Smart Card based Authentication Scheme Toshi Jain Department of r Science Engineering Oriental Institute of Science & Technology Bhopal, India Seep Pratap Singh Department

More information

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II Hello and welcome to today's lecture on secured communication.

More information

Digital Proxy Blind Signature Schemes Based on DLP and ECDLP

Digital Proxy Blind Signature Schemes Based on DLP and ECDLP MM Research Preprints, 212 217 MMRC, AMSS, Academia, Sinica, Beijing No. 21, December 2002 Digital Proxy Blind Signature Schemes Based on DLP and ECDLP Zuowen Tan, Zhuojun Liu and Chunming Tang 1) Abstract.

More information

Improved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space

Improved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space Improved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space Dhivya.S (PG Scholar) M.E Computer Science and Engineering Institute of Road and Transport Technology Erode,

More information

Spring 2010: CS419 Computer Security

Spring 2010: CS419 Computer Security Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics

More information

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols

More information

Network Security. Chapter 8. MYcsvtu Notes.

Network Security. Chapter 8. MYcsvtu Notes. Network Security Chapter 8 Network Security Some people who cause security problems and why. Cryptography Introduction Substitution ciphers Transposition ciphers One-time pads Fundamental cryptographic

More information

Efficient RFID authentication scheme for supply chain applications

Efficient RFID authentication scheme for supply chain applications University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2010 Efficient RFID authentication scheme for supply chain applications

More information

What did we talk about last time? Public key cryptography A little number theory

What did we talk about last time? Public key cryptography A little number theory Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of

More information

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack ISS 1746-7659, England, U Journal of Information and Computing Science Vol. 1, o. 3, 2006, pp. 131-138 Limitation of Logic nalysis on a Man-in-the-middle ttack + Shiping Yang, Xiang Li Computer Software

More information

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any

More information

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7 Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:

More information

Designing Authentication for Wireless Communication Security Protocol

Designing Authentication for Wireless Communication Security Protocol Designing Authentication for Wireless Communication Security Protocol Ms. Roshni Chandrawanshi, Prof. Ravi Mohan, Mr. Shiv Prakash Chandrawanshi Abstract Security is considered an important issue for mobile

More information

CS 161 Computer Security

CS 161 Computer Security Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be

More information

Digital Multi Signature Schemes Premalatha A Grandhi

Digital Multi Signature Schemes Premalatha A Grandhi Digital Multi Signature Schemes Premalatha A Grandhi (pgrandhi@cise.ufl.edu) Digital Signatures can be classified into o Single Signatures o Multiple Signatures (multi-signatures) Types of Multiple Signatures

More information

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III Cryptography III Public-Key Cryptography Digital Signatures 2/1/18 Cryptography III 1 Public Key Cryptography 2/1/18 Cryptography III 2 Key pair Public key: shared with everyone Secret key: kept secret,

More information

Diminishing Signaling Traffic for Authentication in Mobile Communication System

Diminishing Signaling Traffic for Authentication in Mobile Communication System Diminishing Signaling Traffic for Authentication in Mobile Communication System Chi-Chun Lo and Kuen-Liang Sue Institute of Information Management National Chiao Tung University Hsinchu, Taiwan cclo@cc.nctu.edu.tw,

More information

Available online at ScienceDirect. Procedia Computer Science 78 (2016 ) 95 99

Available online at  ScienceDirect. Procedia Computer Science 78 (2016 ) 95 99 Available online at www.sciencedirect.com ScienceDirect Procedia Computer Science 78 (2016 ) 95 99 International Conference on Information Security & Privacy (ICISP2015), 11-12 December 2015, Nagpur, INDIA

More information

Provably Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks *

Provably Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 31, 727-742 (2015) Provably Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks * KUO-YANG WU 1, KUO-YU TSAI 2, TZONG-CHEN

More information

ADS-B Data Authentication Based on ECC and X.509 Certificate

ADS-B Data Authentication Based on ECC and X.509 Certificate JOURNAL OF ELECTRONIC SCIENCE AND TECHNOLOGY, VOL. 10, NO. 1, MARCH 2012 51 Data Authentication Based on ECC and X.509 Certificate Wei-Jun Pan, Zi-Liang Feng, and Yang Wang Abstract An automatic dependent

More information

Efficient integrity checking technique for securing client data in cloud computing

Efficient integrity checking technique for securing client data in cloud computing International Journal of Electrical & Computer Sciences IJECS-IJENS Vol: 11 No: 05 43 Efficient integrity checking technique for securing client data in cloud computing Dalia Attas and Omar Batrafi Computer

More information

Digital Multisignature Schemes for Authenticating Delegates in Mobile Code Systems

Digital Multisignature Schemes for Authenticating Delegates in Mobile Code Systems 1464 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 49, NO. 4, JULY 2000 Digital Multisignature Schemes for Authenticating Delegates in Mobile Code Systems Shiuh-Pyng Shieh, Senior Member, IEEE, Chern-Tang

More information

Secure and Efficient Smart Card Based Remote User Password Authentication Scheme

Secure and Efficient Smart Card Based Remote User Password Authentication Scheme International Journal of Network Security, Vol.18, No.4, PP.782-792, July 2016 782 Secure and Efficient Smart Card Based Remote User Password Authentication Scheme Jianghong Wei, Wenfen Liu and Xuexian

More information

Kurose & Ross, Chapters (5 th ed.)

Kurose & Ross, Chapters (5 th ed.) Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and

More information

Exercises with solutions, Set 3

Exercises with solutions, Set 3 Exercises with solutions, Set 3 EDA625 Security, 2017 Dept. of Electrical and Information Technology, Lund University, Sweden Instructions These exercises are for self-assessment so you can check your

More information

Security in Voip Network Using Neural Network and Encryption Techniques

Security in Voip Network Using Neural Network and Encryption Techniques 2011 International Conference on Information and Network Technology IPCSIT vol.4 (2011) (2011) IACSIT Press, Singapore Security in Voip Network Using Neural Network and Encryption Techniques Ashwini Galande

More information

Blocking of Mischievous Users in Anonymizing Networks using Nymble System Srikanth Chintala, I.L. Narsimha Rao

Blocking of Mischievous Users in Anonymizing Networks using Nymble System Srikanth Chintala, I.L. Narsimha Rao International Journal of Scientific & Engineering Research Volume 3, Issue 9, September-2012 1 Blocking of Mischievous Users in Anonymizing Networks using Nymble System Srikanth Chintala, I.L. Narsimha

More information

Lecture 1 Applied Cryptography (Part 1)

Lecture 1 Applied Cryptography (Part 1) Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication

More information

CS Computer Networks 1: Authentication

CS Computer Networks 1: Authentication CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores

More information

Authentication Part IV NOTE: Part IV includes all of Part III!

Authentication Part IV NOTE: Part IV includes all of Part III! Authentication Part IV NOTE: Part IV includes all of Part III! ECE 3894 Hardware-Oriented Security and Trust Spring 2018 Assoc. Prof. Vincent John Mooney III Georgia Institute of Technology NOTE: THE FOLLOWING
