arxiv: v1 [cs.cr] 20 Jun 2013

Transcription

1 arxv: v [cs.cr] 20 Jun 203 A secure and effectve anonymous authentcaton scheme for roamng servce n global moblty networks Dawe Zhao a,b Hapeng Peng a,b Lxang L a,b Yxan Yang a,b a Informaton Securty Center, Bejng Unversty of Posts and Telecommuncatons, Bejng 00876, Chna. b Natonal Engneerng Laboratory for Dsaster Backup and Recovery, Bejng Unversty of Posts and Telecommuncatons, Bejng 00876, Chna. Abstract. Recently, Mun et al. analyzed Wu et al. s authentcaton scheme and proposed a enhanced anonymous authentcaton scheme for roamng servce n global moblty networks. However, through careful analyss, we fnd that Mun et al. s scheme s vulnerable to mpersonaton attacks, off-lne password guessng attacks and nsder attacks, and cannot provde user frendlness, user s anonymty, proper mutual authentcaton and local verfcaton. To remedy these weaknesses, n ths paper we propose a novel anonymous authentcaton scheme for roamng servce n global moblty networks. Securty and performance analyses show the proposed scheme s more sutable for the low-power and resource-lmted moble devces, and s secure aganst varous attacks and has many excellent features. Keyword. Authentcaton, Key agreement, Anonymty, Roamng, Global moblty networks. Introducton GLOBAL moblty network (GLOMONET) [] provdes global roamng servce that permts moble user to use the servces provded by hs/her home agent () n a foregn agent (FA). When a moble user roams nto a foregn network, mutual authentcaton must frst be solved to prevent llegal use from accessng servces and to ensure that moble users are connected to a trusted networks. A strong user authentcaton scheme n GLOMONET should satsfy the followng requrements: () user anonymty; (2) low communcaton cost and computaton complexty; (3) sngle regstraton; (4) update sesson key perodcally; (5) user frendly; (6) no password/verfer table; (7) update password securely and freely; (8) preventon of fraud; (9) preventon of replay attack; (0) securty; and () provdng the authentcaton scheme when a user s located n the home network. More detals about these requrements can be found n [2]. In order to acheve secure and effectve mutual authentcaton and prvacy protecton n GLOM-ONET, many authentcaton protocols have been proposed [2-7]. In 2004, Zhu and E-mal address: dwzhao@ymal.com (Dawe Zhao); penghapeng@bupt.edu.cn (Hapeng Peng).

2 2 Ma [3] proposed an authentcaton scheme wth anonymty for wreless envronments. However, Lee et al. [4] ponted out that Zhu et al. s scheme [3] cannot acheve mutual authentcaton and perfect backward secrecy, and s vulnerable to the forgery attack. At the same tme, Lee et al. proposed an enhanced anonymous authentcaton scheme, but Chang et al. [5] and Wu et al. [6] found that Lee et al. s scheme also cannot acheve user anonymty, and an attacker who has regstered as a user of an can obtan the dentty of other users as long as they regstered at the same. After that, n 20, L et al. [2] found Wu et al. [6] s unlkely to provde user s anonymty due to an nherent desgn weakness and also vulnerable to replay and mpersonaton attacks. Then they constructed a strong user authentcaton scheme wth smart cards for wreless communcatons. However, L and Lee [7] showed that L et al. s scheme [2] lacks of user frendlness, and cannot provde user s anonymty and unfarness n key agreement. Recently, Mun et al. [8] reanalyzed Wu et al. authentcaton scheme [6], they pont out that Wu et al. s scheme also fals to acheve user s anonymty and perfect forward secrecy, and dscloses of legtmate user s password. Then they proposed an enhanced anonymous authentcaton scheme for roamng servce n global moblty networks. However, through careful analyss, we fnd that Mun et al. s scheme s vulnerable to mpersonaton attacks, off-lne password guessng attacks and nsder attacks, and cannot provde user frendlness, user s anonymty, proper mutual authentcaton and local verfcaton. To remedy these weaknesses, n ths paper we propose a novel anonymous authentcaton scheme for roamng servce n global moblty networks. Securty and performance analyses show the proposed scheme s more sutable for the low-power and resource-lmted moble devces, and s secure aganst varous attacks and has many excellent features. The remander of ths paper s organzed as follows. Secton 2 provdes some basc knowledge. In Secton 3, we revew Mun et al. s scheme and Secton 4 shows the securty weaknesses of Mun et al. s scheme. A novel user authentcaton scheme s proposed n Secton 5. In Secton 6, we analyze the securty of our proposed scheme. Next, we compare the functonalty and performance of our proposed scheme and make comparsons wth other related schemes n Secton 7. Fnally, n Secton 8 we make some conclusons. 2 Prelmnares In ths secton, we brefly ntroduce the ellptc curve cryptosystem and some related mathematcal assumptons. Compared wth other publc key cryptography, ellptc curve cryptosystem (ECC) has sgnfcant advantages lke smaller key szes, faster computaton. It has been wdely used n several cryptographc schemes of wreless network envronment to provde desred level of securty and computatonal effcency. 2. Ellptc curve cryptosystem Let E p (a,b) be a set of ellptc curve ponts over the prme feld E p, defned by the non-sngular ellptc curve equaton: y 2 mod p = (x 3 +ax+b)modp wth a,b F p and (4a 3 +27b 2 )modp 0.

3 Dawe Zhao, et al. 3 Table : Notatons used n Mun et al. s scheme. Notaton Descrpton, FA, Moble User, Foregn Agent, Home Agent PW X Password of an entty X ID X Identty of an entty X h( ) A one-way hash functon N X Number used only once (Random number) generated by an entty X Concatenaton operaton XOR operaton f K MAC generaton functon by usng the key K Sesson key between entty X and Y K XY The addtve ellptc curve group defned as G p = {(x,y) : x,y F p and (x,y) E p (a,b)} O, where the pont O s known as pont at nfnty. The scalar multplcaton on the cyclc group G p defned as k P = P +P + +P. A pont P has order n f n P = O for smallest nteger }{{} k tmes n > 0. More detals about ellptc curve group propertes can be found n [8-20]. 2.2 Related mathematcal assumptons To prove the securty of our proposed protocol, we present some mportant computatonal problems over the ellptc curve group whch are frequently used to desgn secure cryptographc schemes. () Computatonal dscrete logarthm (CDL) problem: Gven R = x P, where P,R G p. It s easy to calculate R gven x and P, but t s hard to determne x gven P and R. (2) Computatonal Dffe-Hellman (CDH) problem: Gven P,xP,yP G p, t s hard to compute xyp G p. (3) Ellptc curve factorzaton (ECF) problem: Gven two ponts P and R = x P + y P for x,y Z q, t s hard to fnd x P and y P. 3 Revew of Mun et al. s scheme In ths secton, we brefly revew the Mun et al. s scheme [8]. There are three phases n ther scheme: regstraton phase, authentcaton and establshment of sesson key phase, and update sesson key phase. Three enttes are nvolved: s a moble user, FA s the agent of the foregn network, and s the home agent of the moble user. Table lsts some notatons used n Mun et al.s scheme.

4 4 3. Regstraton phase When a moble user wants to become a legal clent to access the servces, needs to regster hmself/herself to hs/her home agent. The handshake between M U and s depcted n Fg.. (Moble user) { ID, N } (Home Agent) Generate { r, ID, N, PW, h()} N Compute PW = h( N N ) Compute r = h( ID PW ) ID Fgure : Regstraton phase of Mun et al. s scheme. Step R: sends hs/her dentty ID and a random number N to. Step R2: generates a random number N and computes PW = h(n N ) and r = h(id PW ) ID. Step R3: sends r, PW,N,ID, and h( ) to through a secure channel. 3.2 Authentcaton and establshment of sesson key phase When a moble user roams nto a foregn network FA and wants to access servces provded by FA. The FA needs to verfy the valdty of wth the assstance of, and proves to M U that he s a legtmate servce provder. The authentcaton and establshment of sesson key phase of Mun et al. s scheme s shown n Fg.2. Step A: submts ID, N and r to FA. Step A2: FA stores the receved message from for further communcatons and generates a random number N FA. Then, FA sends ID FA, N FA and r to. Step A3: AfterrecevngthemessagesentfromFA, computesr = h(id PW ) ID and compares t wth the receved r. If they are not equal, consders as llegal user and termnates ths procedure. Otherwse, can authentcate M U. Next, computes P = h(pw N FA ) and S = h(id FA N FA ) r P. Then, sends the computed S and P to FA. Step A4: WhenrecevngS andp sentfrom,facomputess = h(id FA N FA ) r P and. Then, FA verfes whether S equals the receved S. If the result s not correct, the procedure s termnated. Next, FA computes S FA = h(s N FA N ), selects

5 Dawe Zhao, et al. 5 (Moble user) FA (Foregn Agent) (Home Agent) { ID, N, r } Generate NFA { ID, N, r } FA FA Verfy S FA Verfy S Compare r wth r = h( ID PW ) ID (Authentcate ) Compute P = h( PW N ) FA Compute S = h( ID N ) r P FA FA { S, P} Compute S = h( ID N ) r P Compare S wth S Compute S = h( ID N ) r h( PW N ) Compare S { S, ap, P = ( S ID N )} FA FA FA FA (Authentcate and FA) FA FA wth S' = h( S' N N ) FA FA FA Comput e bp, K = habp ( ), S = f ( N bp) MF MF KMF { bps, MF } FA FA Compute S = hs ( N N ) and ap FA FA FA FA Compute K = habp ( ), MF Verfy S (Authentcate ) MF Fgure 2: Authentcaton and establshment of sesson key phase of Mun et al. s scheme. random number a, and computes ap on E by usng Ellptc Curve Dffe-Hellman (ECDH) []. After that, FA sends S FA, ap and P FA = (S ID FA N FA ) to. Step A5: Frst, computes S = h(id FA N FA ) r h(pw N FA ) and S FA = h(s N FA N ). Then, checks whether S FA = S FA. If they are not equal, the procedure s termnated. Otherwse, M U can authentcate F A and. Afterwards, M U selects a random number b, and computes bp and a sesson key K MF = h(abp). Moreover, computes S MF = f KMF (N FA bp), and sends bp and S MF to FA. Step A6: After recevng the message sent from, FA computes K MF = h(abp) and S MF = f K MF (N FA bp). FA verfes whether S MF equals the receved S MF. If the result s not correct, sesson key K MF = h(abp) between and FA s not vald and FA termnates the procedure. Otherwse, FA can authentcate.

6 6 3.3 Update sesson key phase and FA need to renew sesson key for securty reasons f user s always wthn a same FA. When vsts FA at the th sesson, the followng process s conducted to authentcate FA: Step U: selects a new random number b, computes b P ( =,2,...,n), and sends b P to FA. Step U2: FA selects a new random number a and computes a P ( =,2,...,n). Then FA generatesanewsessonkeyk MF = h(a b P),andthencomputesS MF = f KMF (a b P a b P). After that, FA sends a P and S MF to. Step U3: computes sesson key K MF = h(a b P) by usng the receved a P. computes S MF = f KMF (a b P a b P). Then, checks whether S MF = S MF. If they are equal, the new sesson key K MF = h(a b P) s establshed between and FA. Procedure of update sesson key phase s depcted n Fg.3. (Moble user) FA (Foregn Agent) Select b ComputebP { bp } { aps, MF } Select a Compute ap, K = habp ( ) MF Compute S = f ( abp a b P) MF KMF Compute K = habp ( ) MF Compare S' = f ( abp a b P) wth S' MF KMF MF Fgure 3: Update sesson key phase of Mun et al. s scheme. 4 Weaknesses of Mun et al. s scheme Recently, Km and Kwak [2] ponted out that Mun et al. s scheme [8] cannot wthstand replay attacks and man-n-the-mddle attacks. Through careful analyss, n ths secton we show that Mun et al. s scheme s also vulnerable to mpersonaton attacks, off-lne password guessng attacks and nsder attacks, and cannot provde user frendlness, user s anonymty, proper mutual authentcaton and local verfcaton.

7 Dawe Zhao, et al Impersonaton attacks 4.. M U mpersonaton attacks In Mun et al. s scheme, an attacker can masquerade as a user to cheatng any foregn agent FA and s f he/she has ntercepted a vald logn request message {ID,N,r } of. Frst, the attacker generates a random number N and sends {ID,N,r } to FA. Snce ID and r are the real home agent and correct personal nformaton of M U respectvely, the logn request message can pass the valdaton of. Furthermore, wll notfy the FA that the attacker who s masqueradng as the user s a legtmate user. Therefore, the attacker can further establsh a sesson key wth FA and access the servces provded by FA F A mpersonaton attacks In the authentcaton and establshment of sesson key phase of Mun et al. s scheme, t can be found that the only authentcates the by verfyng the receved r but do not make any authentcaton to the FA. At the same tme, there s no secret nformaton of FA n the message {ID FA,N FA,r } sent from FA to s. Thus an attacker can masquerade as a foregn agent FA to cheatng any user and s. For example, f the attacker ntercepts a logn request message {ID,N,r } sent from to FA, the attacker can generate a random number N FA and send {ID FA,N FA,r } to by masqueradng as FA. Snce r s the correct personal nformaton of and there s no dentty authentcaton process of to FA. Therefore, the message {ID,N,r } can pass the authentcaton of. At the same tme, snce the authentcaton of to FA s completely dependent on and FA has been authentcated by, the FA wll pass the authentcaton of. Therefore, the attacker who s masqueradng as the FA can establsh a sesson key wth and trcks successfully mpersonaton attacks In the authentcaton and establshment of sesson key phase of Mun et al. s scheme, the FA authentcates and by verfyng whether S = S. However, there s a securty vulnerablty n ths step such that an attacker can masquerade as a home agent to help any agent pass the authentcaton of a FA and access the servces provded by FA. It s assumed that B s a agent who wants to access the servces provded by FA and A s an attacker who masquerades as B s home agent to help B pass the authentcaton of FA. Frst, B freely choosestwonumbers N and r, and submts {ID,N,r } to FA. Then FA generates a random number N FA and sends the message {ID FA,N FA,r } to. Rght now, A ntercepts ths message, freely chooses a number P, and computes S = h(id FA N FA ) r P. Then, A sends the computed S and P to FA. When recevng S and P sent from A who s masqueradng as the, FA computes S = h(id FA N FA ) r P. Obvously, the

8 8 S equals the receved S. Next, FA computes S FA = h(s N FA N ), selects random number a, and computes ap. After that, FA sends {S FA,aP,P FA = (S ID FA N FA )} to B. At ths pont, B does not need to verfy the S FA, but drectly chooses a random number b and computes K MF = h(abp) and S MF = f KMF (N FA bp). Then B sends bp and S MF to FA. After recevng {bp,s MF } sent from B, FA computes K MF = h(abp) and S MF = f KMF (N FA bp). Obvously, ths s S MF = S MF. FA thus authentcates B. By the above method, wth the assstance of A, B establshes the sesson key K MF = h(abp) wth FA and can access the servces provded by FA. 4.2 Off-lne password guessng attacks Most passwords have such low entropy that t s vulnerable to password guessng attacks, where an attacker ntercepts useful nformaton from the open channel or the lost smart card. In Mun et al. s scheme, an attacker s assumed to have ntercepted a prevous full transmtted messages {ID, N, r, ID FA, N FA,r, S, P, S FA, ap, P FA = (S ID FA N FA ), bp, S MF }. The attacker can submt the guessng password PW and compute S = h(id FA N FA ) r h(pw N FA). If the computed S s equal to S, the attacker can regard the guessng password PW as the orgnal password PW. Therefore, Mun et al. s scheme cannot wthstand the off-lne password guessng attacks. 4.3 Insder attacks Intheregstratonphase, sendsid andarandomnumbern to. ThengeneratesarandomnumberN, computespw = h(n N )andr = h(id PW ) ID, and sends {r,pw,n,id,h( )} to through a secure channel. It s obvous that the knows all the secret nformaton of so that can mpersonate to do anythng. Therefore, Mun et al. s scheme s vulnerable to the nsder attack. 4.4 Lack of user frendlness User frendlness means that the proposed authentcaton scheme should be easly used by users. However, n the regstraton phase of Mun et al. s scheme, the home agent sends the nformaton {r, PW,N,ID,h( )} to the user wthout usng smart card. So that M U needs to remember and enter so much nformaton n the authentcaton and establshment of sesson key phase. Therefore, Mun et al. s scheme s actually nfeasble and unrealstc. 4.5 Lack of user s anonymty In the secondphaseofmun et al. sscheme, sends r tofanstead ofhs/herrealdentty ID. Thus the authors clamed that ther scheme acheves the user s anonymty. However, n each logn message {ID,N,r } of, the contents of N and r are always

9 Dawe Zhao, et al. 9 unchanged. Any attacker could easly trace accordng to N and r and thus the user s anonymty cannot acheved. 4.6 Lack of proper mutual authentcaton In Mun et al. s scheme, the does not mantan any verfcaton table. Thus after recevng the message {ID FA,N FA,r } sent from FA, cannot recognze whch user launched the authentcaton request to FA. So cannot computes r and checks t wth the receved r. On the other hand, even f can compute r and check whether r = r, t only means authentcates the legalty of. However, t s found that do not make any authentcaton to the F A. Therefore, Mun et al. s scheme cannot provde proper mutual authentcaton. 4.7 Lack of local verfcaton In the authentcaton and establshment of sesson key phase of Mun et al. s scheme, the drectly enters and sends the logn message to FA. Note that the smart termnal of does not verfy the entered nformaton correctly or not. Therefore, even f the enters the logn message ncorrectly by mstake or an attacker sends an forged message, the authentcaton phase stll contnue n ther scheme. Ths obvously results to cause unnecessarly havng extra communcaton and computatonal costs. 5 The proposed scheme In ths secton, we propose a novel anonymous authentcaton scheme for roamng servce n global moblty networks usng ellptc curve cryptosystem to not only protect the scheme from securty breaches, but also emphasze the effcent features. In addton to ncludng the general regstraton phase, authentcaton and establshment of sesson key phase and update sesson key phase, our scheme also contans the update password phase and authentcaton and establshment of sesson key scheme when a moble user s located n hs/her home network. Table 2 lsts some notatons used n Mun et al.s scheme. 5. Regstraton phase When a moble user wants to become a legal clent to access the servces, needs to regster hmself/herself to hs/her home agent. Step R: freely chooses hs/her dentty ID and password PW, and generates a random number x. Then submts ID and h(pw x ) to for regstraton va a secure channel. Step R2: When recevng the message ID and h(pw x ), computes Q = h(id y) h(pw x ) and H = h(id h(pw x )). Then stores the

10 0 Notaton Table 2: Notatons used n the proposed scheme. Descrpton, FA, Moble User, Foregn Agent, Home Agent PW X Password of an entty X ID X Identty of an entty X h( ) A one-way hash functon Cert X Certfcate of an entty X P X Publc key of X S X Prvate key of X E K [ ]/D K [ ] Symmetrc encrypton/decrypton usng key K E K { }/D K { } Asymmetrc encrypton/decrypton usng key K Concatenaton operaton XOR operaton message {Q,H,C,ID } n a smart card and submts the smart card to through a secure channel. Step R3: After recevng the smart card, enters x nto the smart card. Fnally, s smart card contans parameters {Q,H,C,ID,x }. The detals of user regstraton phase are shown n Fg.4. (Moble user) Generate random numberx Compute h( PW x )., { ID, h ( PW x )} Store smart card: { Q, H, C, ID, x}. (Home Agent) Compute: Q = h( ID y) h( PW x ), H = h( ID h( PW xm U)). Smart card: { Q, H, C, ID } Fgure 4: Regstraton phase of the proposed scheme. 5.2 Authentcaton and establshment of sesson key phase When a moble user roams nto a foregn network FA and wants to access servces provded by FA. The FA needs to verfy the valdty of wth the assstance of, and proves to

11 Dawe Zhao, et al. M U that he s a legtmate servce provder. The authentcaton and establshment of sesson key phase of our proposed scheme s descrbed as follows: Step A: M U nserts hs/her smart card nto the smart card reader, and nputs dentty ID and passwordpw. Then the smart card computes H = h(id h(pw x )), and checks whether H = H. If they are equal, t means s a legtmate user. Otherwse the smart card aborts the sesson. Next, the smart card generates a random numbers a, and computes A = ap, R AC = ac, N = Q h(pw x ), DID = ID h(r AC ) and V = h(n R AC ID ). Then the smart card sends the request message {A,DID,C,V,ID } to FA over a publc channel. Step A2: After recevng the message {A,DID,C,V,ID }, FA generates a random numbers b, and computes B = bp, R BC = bc, W 2 = E RBC [A,Cert FA,V,DID ] and V 2 = E SFA {h(a,v, DID )}. Here, S FA s the prvate key of FA, and Cert FA s FA s certfcate. Then FA sends {B,W 2,V 2 } to. Step A3: Whenrecevng{B,W 2,V 2 },frstcomputesr BC = cb anddecryptsd RBC [W 2 ] to reveal A,Cert FA,V and DID. Then, verfes the certfcate Cert FA and the FA s publc key P FA. If they are vald, verfes the FA s sgnature V 2 by usng the FA s publc key P FA. If they are vald, FA s authentcated. After that, computes R AC = ca, ID = DID h(r AC ) and V = h(h(id y) R AC ID ). Then checks whether V = V. If they are equal, s authentcated by. Next, computes W = h(h(id y) A B ID FA ID ), W 3 = E RBC [ID FA,Cert,A,B,W ] and V 3 = E S {h(cert,w )}. At last, sends {W 3,V 3 } to FA. Step A4: FA decrypts D RBC [W 3 ] to reveal ID FA,Cert,A,B and W. Then, the FA verfes the s sgnature V 3 by usng the s publc key P. If t s vald, s authentcated whch also means that clamed s a legtmate user. After that, FA computes the common sesson key SK = h(ba) and sends {B,ID FA,W } to. Step A5: After recevng the message {B,ID FA,W }, computes W = h(n A B ID FA ID ) and checks whether W = W. If they are equal, FA and are all authentcated by. Then establshes the common sesson key SK = h(ab). The authentcaton and establshment of sesson key phase s depcted n Fg Update sesson key phase and FA need to renew sesson key for securty reasons f user s always wthn a same FA. When vsts FA at the th sesson, the followng process s conducted to authentcate FA: Step U: selects a new random number a, computes A = a P ( =,2,...,n), and sends A to FA. Step U2: FA selects a new random number b and computes B = b P ( =,2,...,n). Then FA generates a new sesson key SK = h(b A ), and then computes S = h(b A SK ). After that, FA sends B and S to. Step U3: computes S = h(a B SK ) and checks whether S = S. If they are not equal, aborts the sesson. Otherwse, computes the new sesson key SK = h(a B ).

12 2 (Moble user) FA (Foregn Agent) (Home Agent) Compute H h( ID h( PW x)), Check?. Generate random number a, Compute: V = h( N RA C IDH A). { ADID,, CV,, ID } W = h( N A B ID ID ), CheckW H = H A = ap, R = ac, AC N = Q h( PW x ), DID = ID =? = W, h( R FA AC If they are equal, FA and are authentcated. ), Sesson keysk = hab ( ). { B, ID, W} FA Generate random number b, Compute: B = bp, R = bc, D [ W ] ID, Cert, ABW,,, RBC 3 FA Verfy sgnature V, 3 BC W = E [ ACert,, V, DID ], 2 RBC FA V = E { h( AV,, DID )}. 2 SFA 3 { BW, 2, V2} Compute: 2 2 R = cb, D [ W ] ACert,, V, DID. RBC Verfy sgnature V, If V s vald, FA s authentcated. Compute: R = ca, ID = DID h( R ), V BC AC = hhid ( ( y ) R ID ). Check V? = V, 2 If they are equal, s authentcated. Compute: FA AC AC W = h( h( ID y ) A B ID ID ), W = E [ ID, Cert, AB,, W ], 3 RBC FA V = E { hcert (, W )}. 3 S { W3, V3} If V s vald, FA and s authentcated. Sesson key SK = hba ( ). FA Fgure 5: Authentcaton and establshment of sesson key phase of the proposed scheme.

13 Dawe Zhao, et al. 3 The detals of update sesson key phase of the proposed scheme are shown n Fg.6. (Moble user) Selecta, Compute A = ap. { A } FA (Foregn Agent) Compute S' = hab ( SK ) Check S'? = S. - New sesson key SK = hab ( ). { B, S} Select b, Compute B = bp. New sesson key SK = hba ( ). Compute S = hba ( SK ). - Fgure 6: Update sesson key phase of the proposed scheme. 5.4 Update password phase Ths phase s nvoked whenever wants to change hs password PW to a new password PW new. There s no need for a secure channel for password change, and t can be fnshed wthout communcatng wth hs/her. Step U: M U nserts hs/her smart card nto the smart card reader, and nputs dentty ID and passwordpw. Then the smart card computes H = h(id h(pw x )), and checks whether H = H. If they are not equal, the smart card rejects the password change request. Otherwse, nputs a new password PW new and a new random number xnew. Step U2: The smart card computes Q new = Q h(pw x ) h(pw new xnew ) and H new = h(id h(pw new xnew )). Then, the smart card replaces Q, H and x wth Q new, H new and x new to fnsh the password change phase. 5.5 Authentcaton and establshment of sesson key scheme when a moble user s located n hs/her home network Correspondng to the authentcaton and establshment of sesson key phase when a moble user s located n a foregn network, n ths subsecton we propose an authentcaton and establshment of sesson key scheme for that when a moble user s located n hs/her home network. The detal processes are descrbed as follows and depcted n Fg.7.

14 4 (Moble user) Compute H = h( ID h( PW x)), Check?. Generate random number a, Compute: H = H A = ap, R = ac, AC N = Q h( PW x ), DID = ID h( R V = h( N R ID ). AC AC W = h( N A C U ID ), CheckW? = W, ), If they are equal, are authentcated. Sesson key SK = ha ( U). { ADID,, CV,, ID } { U, W, ID } (Home Agent) Compute: R = ca, AC ID = DID h( R ), AC V = hhid ( ( y ) R ID ). Check V? = V, If they are equal, s authentcated. Generate a random number u, Compute: U = up, AC W = h( h( ID y ) A C U ID ). Sesson key SK = hu ( A). Fgure 7: Authentcaton and establshment of sesson key scheme when a moble user s located n hs/her home network. Step A: M U nserts hs/her smart card nto the smart card reader, and nputs dentty ID and passwordpw. Then the smart card computes H = h(id h(pw x )), and checks whether H = H. If they are equal, t means s a legtmate user. Otherwse the smart card aborts the sesson. Next, the smart card generates a random numbers a, and computes A = ap, R AC = ac, N = Q h(pw x ), DID = ID h(r AC ) and V = h(n R AC ID ). Then the smart card sends the request message {A,DID,C,V,ID } to over a publc channel. Step A2: Afterrecevngthemessage{A,DID,C,V,ID },frstcomputesr AC = ca and ID = DID h(r AC ) and V = h(h(id y) R AC ID ). Then checks whether V = V. If they are equal, s authentcated by. Next, generates a random number u, and computes U = up and W = h(h(id y) A C U ID ). At last,

15 Dawe Zhao, et al. 5 computes the sesson key SK = h(ua) and sends {U,W,ID } to. Step A3: When recevng the message {U,W,ID }, computes W = h(n A C U ID ) and checks whether W = W. If they are equal, s authentcated by. Then establshes the common sesson key SK = h(au). 6 Securty analyss of the proposed scheme In ths secton, we show that the proposed scheme can wthstand all possble securty attacks and can work correctly. Proposton. The proposed scheme can provde user s anonymty. Proof. In our proposed scheme, the moble user sends the logn request message {A, DID,C, V,ID } to FA, where DID = ID h(ac) s used to protect the real dentty ID of. Based on the CDL problem, any attacker cannot obtan the random number a form A and thus cannot retreve ID from DID. At the same tme, the attacker cannot trace the movng hstory and current locaton of accordng to the logn request message snce A, DID and V are dynamcally changed n dfferent logn request messages of M U. Therefore, the proposed scheme can provde user s anonymty. Proposton 2. The proposed scheme can provde proper mutual authentcaton and thus prevent mpersonaton attack. Proof. In order to mpersonaton attack, the moble user, the foregn agent FA, and the home agent should authentcate each other, whch requres that our protocol provdes mutual authentcaton mechansm between any two of them. The proposed scheme can effcently prevent mpersonaton attacks by consderng the followng scenaros: () The proposed scheme provdes authentcaton of FA and to, and thus attacker cannot mpersonate to cheat FA and. In the proposed scheme, whether s located n a foregn network or n hs/her home network, the authentcates by verfyng the computed V = h(h(id y) R AC ID ) wth the receved V = h(n R AC ID ). Snce the attacker does not possess s password PW, he/she cannot compute the correct N = Q h(pw x ) and thus cannot cheat by forgng a logn request message. At the same tme, snce a s a one-tme random number and only possessed by, V s dynamcally changed n each logn request message. Therefore, the attacker cannot cheat the by replayng a prevous logn request message. Besde, when s located n a foregn network, the authentcaton of FA to s completely dependent on the authentcaton of to. If an attacker cannot successfully cheat by masqueradng as, he/she cannot cheat FA successfully. (2) The proposed scheme provdes authentcaton of and to FA, and thus attacker cannot mpersonate FA to cheat and. In the proposed scheme, the authentcates FAbycheckngwhetherD PFA {V 2 }equalsh(a,v,did ), wherev 2 sfa sdgtalsgnature. Obvously, the attacker cannot compute the correct F A s dgtal sgnature wthout knowng FA s prvate key S FA. Therefore, the attacker cannot cheat successfully by masqueradng

16 6 as FA. At the same tme, the authentcaton of to FA s completely dependent on the authentcaton of to F A. If an attacker cannot successfully cheat by masqueradng as FA, he/she cannot cheat successfully. (3) The proposed scheme provdes authentcaton of FA and to, and thus attacker cannot mpersonate to cheat F A and M U. In the proposed scheme, the F A authentcates by checkng whether D P {V 3 } equals h(cert,w ), where V 3 s s dgtal sgnature. Obvously, the attacker cannot compute the correct s dgtal sgnature wthout knowng s prvate key S. Therefore, the attacker cannot cheat FA successfully by masqueradng as. Besdes, the M U authentcates by verfyng the computed W = h(n A B ID FA ID ) wth the receved W = h(h(id y) A B ID FA ID ). Snce any attacker cannot compute the correct W wthout knowng ID and y, the attacker cannot cheat M U successfully. Proposton 3. The proposed scheme can wthstand the replay attack. Proof. An attacker mght replay an old logn request message {A,DID,C,V,ID } to FA and receve the message {B,ID FA,W } from FA. However, the attacker stll cannot compute the correct sesson key SK = h(ab) snce he/she cannot derve the secret nformaton a form A = ap based on the securty of CDL problem. Thus, the proposed scheme can prevent the replay attack. Proposton 4. The proposed scheme meets the securty requrement for perfect forward secrecy. Proof. Perfect forward secrecy means that even f an attacker compromses all the passwords of the enttes of the system, he/her stll cannot compromse the sesson key. In the proposed scheme, the sesson key SK = h(abp) s generated by two one-tme random numbers a and b n eachsesson. Thesetwoone-tmerandomnumbersareonlyheldbythe andfarespectvely, and cannot be retreved from A = ap, B = bp, R AC = ac = ca and R BC = bc = cb based on the securty of CDL and CDH problem. Thus, even f an adversary obtans all the passwords of the enttes, prevous sesson keys and all the transmtted messages, he/her stll cannot compromse other sesson key. Hence, the proposed scheme acheves perfect forward secrecy. Proposton 5. Our scheme can resst off-lne password guessng attack wth smart card securty breach. Proof. Intheproposedscheme, t sassumethat fasmartcardsstolen, physcalprotecton methods cannot prevent malcous attackers to get the stored secure elements. At the same tme, attacker can access to a bg dctonary of words that lkely ncludes user s password and ntercept the communcatons between the user and server. It s assumed that an attacker has obtaned the nformaton {Q,H,C,ID,x } from the stolen ssmartcardandhasnterceptedaprevousfulltransmttedmessages{a,did,c, V,ID, B,W 2,V 2,W 3,V 3,B,ID FA,W }. In the proposed scheme, s password only makes two appearances as H = h(id h(pw x )) and V = h((q h(pw x )) ac ID ). Obvously, the attacker cannot launch an off-lne password guessng attack wth-

17 Dawe Zhao, et al. 7 out knowng the ID and a. Snce t has been demonstrated that our scheme can provde user anonymty and a s s secret random number, the proposed scheme can resst off-lne password guessng attack wth smart card securty breach. Proposton 6. The proposed scheme can wthstand nsder attack. Proof. If an nsder of the home agent has obtaned a user s password PW, he/she can mpersonate as to access any foregn agent. In the regstraton phase of the proposed scheme, sends dentty ID and h(pw x ) to. Thus, the nsder cannot derve PW wthout x. Besdes, n the password change phase, can change hs/her default password PW wthout the assstance of hs/her. Therefore the nsder has no chance to obtan s password, our scheme can wthstand the nsder attack. Proposton 7. There s no verfcaton table n the proposed scheme. Proof. In the proposed scheme, t s obvous that the user, the foregn agent and the home agent do not mantan any verfcaton table. Proposton 8. The proposed scheme can provde local password verfcaton. Proof. In the proposed scheme, smart card checks the valdty of s dentty ID and password PW before loggng nto FA. Snce the attacker cannot compute the correct H wthout the knowledge of ID and PW to pass the verfcaton equaton H = H, thus our scheme can avod the unauthorzed accessng by the local password verfcaton. 7 Performance comparson and functonalty analyss In ths secton, we compares the performance and functonalty of our proposed scheme wth some prevously schemes. It s well-known that most of the moble devces have lmted energy resources and computng capablty. Hence, one of the most mportant ssues n wreless networks s power consumpton caused by communcaton and computaton. In fact, the communcaton cost n the GLOMONET s hgher than computaton cost n terms of power consumpton. In table 3, we lst the numbers of the message exchanges n the logn, authentcaton and sesson key establsh phases of our scheme and some related prevous schemes. And the bt-length of communcaton of the moble clent n these phases s also shown snce the foregn agent and home agent are regarded as powerful devces. Table 4 shows the computatonal cost of our proposed scheme and some other related protocols. Here we manly focus on the computatonal cost of the logn, authentcaton and sesson key establsh phases because these phases are the prncpal part of an authentcaton scheme. In general, our proposed scheme spends relatvely few communcaton and computatonal cost. It s sutable for the low-power and resource-lmted moble devces. Table 5 lsts the functonalty comparsons among our proposed scheme and other related schemes. It s obvously that our scheme has many excellent features and s more secure than other related schemes.

18 8 Table 3: Communcaton cost comparson of our scheme and other schemes. Our scheme He et al. [2] L et al. [7] Mun et al. [8] Communcaton (bts) Communcaton (rounds) The bt-length of dfferent parameter: xp: 024, g x modp: 024, dentty ID x : 60, tme: 28, random number: 28, hash functon h(x): 60, encrypton/decrypton: 024. Table 4: Computatonal cost comparson of our scheme and other schemes. Add Hash Mod Mul Esym Dsym Easym Dasym Gsgn V sgn 2 6 N/A +2Pre N/A N/A N/A N/A N/A N/A Our scheme FA N/A N/A 2+Pre N/A N/A 4 N/A 2 N/A N/A 5 0 N/A N/A N/A N/A N/A N/A He et al. [2] FA N/A 2 N/A N/A N/A N/A 2 3 N/A N/A N/A 2 N/A Pre N/A 3 N/A N/A N/A N/A L-Lee [7] FA N/A 3+2Pre N/A 2 2 N/A N/A Pre N/A 3 N/A N/A 2 4 N/A +Pre N/A N/A N/A N/A N/A Mun et al. [8] FA 2 3 N/A +Pre N/A N/A N/A N/A N/A 3 3 N/A N/A N/A N/A N/A N/A N/A N/A Note: Pre: pre-computed operaton, Add: XOR operaton, Hash: hash operaton, Mod: modular exponentaton, Mul: pont scalar multplcaton, Esym: Symmetrc encrypton E K [ ], Dsym: Symmetrc decrypton D K [ ], Easym: Asymmetrc encrypton E K { }, Dasym: Asymmetrc decrypton D K { }, Gsgn: Sgnature generaton E K {h( )}, Vsgn: Sgnature verfcaton D K {h( )}.

19 Dawe Zhao, et al. 9 Table 5: Functonalty comparson between the related schemes and our scheme. Our Wu Chang He He Mun L scheme et al. et al. et al. et al. et al. et al. [6] [5] [2] [9] [8] [7] User s anonymty Yes No No No No No Yes Proper mutual authentcaton Yes No Yes Yes No No Yes Resst M U mpersonaton attack Yes No Yes Yes No No Yes Resst F A mpersonaton attack Yes Yes Yes Yes Yes No Yes Resst mpersonaton attack Yes Yes Yes Yes Yes No Yes Resst replay attack Yes No Yes Yes No No No Perfect forward secrecy Yes No No No No Yes Yes Resst off-lne password guessng attack Yes No No Yes No No Yes Resst nsder attack Yes No No Yes No No Yes No verfcaton table Yes Yes No Yes No Yes Yes Local password verfcaton Yes No No Yes Yes No No Correct password change Yes No No Yes No No Yes Provd the authentcaton scheme when user s located n hs/her home network Yes No No Yes No No No 8 Concluson In ths paper, we show that the recently proposed Mun et al. s authentcaton scheme for roamng servce cannot provde user frendlness, user s anonymty, proper mutual authentcaton and local verfcaton and also vulnerable to several attacks. In order to wthstand securty flaws n Mun et al. s scheme, we propose a novel anonymous authentcaton scheme for roamng servce n global moblty networks. Securty and performance analyses show the proposed scheme s more sutable for the low-power and resource-lmted moble devces, and s secure aganst varous attacks and has many excellent features. 9 Acknowledgment Ths paper was supported by the Natonal Natural Scence Foundaton of Chna (Grant Nos , , 6206), and the Asa Foresght Program under NSFC Grant (Grant No ). References [] S. Suzukz, K. Nakada, An authentcaton technque based on dstrbuted securty management for the global moblty network, IEEE Journal Selected Areas n Communcatons 5

20 20 (8) (997) [2] Daojng He, Maode Ma, Yan Zhang, Chun Chen, Jajun Bu. A strong user authentcaton scheme wth smart cards for wreless communcatons. Computer Communcatons, 20, 34(3): [3] J. Zhu, J. Ma. A new authentcaton scheme wth anonymty for wreless envronments. IEEE Transactons on Consumer Electroncs 5 () (2004) [4] C.C. Lee, M.S. Hwang, I.E. Lao, Securty enhancement on a new authentcaton scheme wth anonymty for wreless envronments, IEEE Transactons on Industral Electroncs 53 (5) (2006) [5] C.C. Chang, C.Y. Lee, Y.C. Chu, Enhanced authentcaton scheme wth anonymty for roamng servce n global networks, Computer Communcatons 32 (4) (2009) [6] C.C. Wu, W.B. Lee, W.J. Tsaur, A secure authentcaton scheme wth anonymty for wreless communcatons, IEEE Communcatons Letters 2 (0) (2008) [7] Chun-Ta L, Cheng-Ch Lee. A novel user authentcaton and prvacy preservng scheme wth smart cards for wreless communcatons. Mathematcal and Computer Modellng, 202, 55(-2): [8] Hyeran Mun, Kyusuk Han, Yan Sun Lee, Chan Yeob Yeun, Hyo Hyun Cho. Enhanced secure anonymous authentcaton scheme for roamng servce n global moblty networks. Mathematcal and Computer Modellng, 202, 55(-2): [9] Daojng He, Sammy Chan, Chun Chen, Jajun Bu, Rong Fan. Desgn and Valdaton of an Effcent Authentcaton Scheme wth Anonymty for Roamng Servce n Global Moblty Networks. Wreless Personal Communcatons, 20, 6(2): [0] Ashok Kumar Das. A secure and effectve user authentcaton and prvacy preservng protocol wth smart cards for wreless communcatons. Networkng Scence, 2 (-2) (203) 2-7. [] Eun-Jun Yoon, Kee-Young Yoo, Keum-Sook Ha. A user frendly authentcaton scheme wth anonymty for wreless communcatons. Computers & Electrcal Engneerng, 37 (3) 20, [2] Hsa-Hung Ou, Mn-Shang Hwang, Jnn-Ke Jan. A cocktal protocol wth the Authentcaton and Key Agreement on the UMTS. Journal of Systems and Software, 83 (2) (200) [3] Guomn Yang, Qong Huang, Duncan S. Wong, and Xaote Deng, Unversal authentcaton protocols for anonymous wreless communcatons, IEEE TRANSACTIONS ON WIRE- LESS COMNICATIONS, VOL. 9, NO., JANUARY 200,

21 Dawe Zhao, et al. 2 [4] Wang, R., Juang, W., Le, C. (2009). User authentcaton scheme wth prvacy-preservaton for mult-server envronment. IEEE Communcatons Letters, 3(2), [5] Juang, W., Chen, S., Law, H. (2008). Robust and effcent password-authentcated key agreement usng smart cards. IEEE Transactons on Industral Electroncs, 55(6), [6] Yang, G., Wong, D., Deng, X. (2007). Anonymous and authentcated key exchange for roamng networks. IEEE Transactons on Wreless Communcatons, 6(9), [7] Q Jang, Janfeng Ma, Guangsong L, L Yang, An Enhanced Authentcaton Scheme wth Prvacy Preservaton for Roamng Servce n Global Moblty Networks, Wreless Personal Communcatons, 68 (4) [8] Hankerson, D., Menezes, A., Vanstone, S., Gude to Ellptc Curve Cryptography. Sprnger-Verlag, New York, USA. [9] Kobltz, N., 987. Ellptc curve cryptosystem. Journal of Mathematcs of Computaton 48 (77), [20] Mller, V.S., 985. Use of ellptc curves n cryptography. In: Proceedng on Advances n Cryptology-CRYPTO 85. Sprnger-Verlag, New York, pp [2] Jun-Sub Km, Jn Kwak, Improved secure anonymous authentcaton scheme for roamng servce n global moblty networks, Internatonal Journal of Securty and Its Applcatons, Vol. 6, No. 3, 202,