An Improved User Authentication and Key Agreement Scheme Providing User Anonymity


352 JOURNAL OF ELECTRONIC SCIENCE AND TECHNOLOGY, VOL. 9, NO. 4, DECEMBER 2011

Ya-Fen Chang and Pei-Yu Chang

Abstract: When accessing remote services over public networks, a user authentication mechanism is required because these activities are executed in an insecure communication environment. Recently, Wang et al. proposed an authentication and key agreement scheme preserving the privacy of secret keys and providing user anonymity. Later, Chang et al. indicated that their scheme suffers from two security flaws. First, it cannot resist the DoS (denial-of-service) attack because the indicators for the next session are not consistent. Second, the user password may be modified by a malicious attacker because no authentication mechanism is applied before the user password is updated. To eliminate the security flaws and preserve the advantages of Wang et al.'s scheme, we propose an improvement in this paper.

Index Terms: Authentication, key agreement, smart card, user anonymity.

1. Introduction

As communication techniques have developed rapidly in recent years, people can easily communicate with each other over distributed computer networks at any time and any place. Because remote services are accessed over public but insecure distributed computer networks, user authentication plays an important role in preventing unauthorized users from accessing system resources [1]. Among different authentication mechanisms, password authentication is widely used in plenty of applications. However, most password authentication schemes need to maintain a verification table. This approach puts a heavy burden on the remote server because the verification table size is proportional to the number of clients. Moreover, password authentication schemes may suffer from password-related attacks such as the password guessing attack, and the server needs to protect the verification table from being invaded by an attacker [2], [3]. On the other hand, smart-card-based password authentication is another handy way to help a user access the remote server. The card holder only needs to input an easy-to-remember password and keep the smart card at his fingertips. Therefore, many smart-card-based password authentication and key agreement schemes have been proposed. In 2000, Sun proposed a password authentication scheme using a smart card with light computation loads such that the server does not need to maintain a password table [4]. Chien et al. indicated that Sun's scheme only achieves unilateral authentication, and they proposed an enhanced smart-card-based authentication scheme providing mutual authentication [5]. Ku et al. stated that Chien et al.'s scheme is vulnerable to the reflection attack and the insider attack and is insecure once a user's permanent secret stored in the smart card is compromised, and they also proposed an enhanced scheme [6]. Later, Wang et al. proposed an improvement on Ku et al.'s scheme by preserving its merits and adding some security properties [7]. Recently, Wang et al. found that Wang et al.'s improved scheme suffers from the known-key attack and the smart card loss problem [8]. The smart card loss problem means that an attacker could get the secret value stored in a lost smart card. Several studies have reported that secret values stored in a smart card may be extracted by monitoring the power consumption and analyzing the leaked information in the smart card [9]. Wang et al. proposed an authentication and key agreement scheme preserving the privacy of secret keys [8]. Furthermore, because user anonymity is an important issue in modern applications to protect users from being tracked, they also extended the first scheme to provide user anonymity.

Manuscript received August 2011; revised September 2011. This work was supported by the National Science Council under Grant No. 98--E-05-007- and 99-40-H-05-00-MY. Y.-F. Chang and P.-Y. Chang are with the Department of Computer Science and Information Engineering, National Taichung Institute of Technology (e-mail: cyf@ntit.edu.tw; changpayu@hotmail.com). Digital Object Identifier: 10.3969/j.issn.1674-862X.2011.04.0
The following requirements are essential to smart-card-based password authentication schemes preserving user anonymity [4]–[8].

1) The remote server does not need to maintain a password or verification table.
2) The scheme should be invulnerable to security problems such as the smart card loss problem and the privileged administrator attack.
3) The scheme can defend against well-known attacks such as the impersonation attack, replay attack, known-key attack, and password guessing attack.
4) The scheme should not be inclined to problems of clock synchronization and delay-time limitation.
5) The remote server and the client can establish a session key after mutual authentication to protect future communications.
6) The scheme should provide perfect forward secrecy even if one's long-term secret is compromised by a malicious adversary.
7) A lost smart card can be revoked without changing the ordinary identity.
8) The remote server can detect an evicted user using overdue information.
9) The remote server should not know a user's identity and password when the scheme is applied in a privacy-concerned environment.

Later, Chang et al. indicated that Wang et al.'s scheme providing user anonymity suffers from two security flaws [10]. First, it cannot resist the DoS (denial-of-service) attack because the indicators for the next session are not consistent. Second, the user password may be modified by a malicious attacker because no authentication mechanism is applied before the user password is updated. In this paper, we propose an improved user authentication and key agreement scheme preserving user anonymity. The proposed scheme not only satisfies the requirements mentioned above but also eliminates the security vulnerabilities of previous schemes. The remainder of this paper is organized as follows. Section 2 briefly reviews Wang et al.'s scheme and shows the corresponding security flaws. Our improved scheme is presented in Section 3. In Section 4, security analyses of the improved scheme are made. Finally, some conclusions are drawn in Section 5.

2. Review and Security Weakness of Wang et al.'s Scheme

2.1 Notations

The notations used throughout this paper are listed as follows:
$U_i$: a user;
$S_j$: a remote server;
$SC_i$: the smart card that $U_i$ holds;
$cid_i$: the identity of $SC_i$;
$pw_i$: the password chosen by $U_i$;
$h(\cdot)$: a one-way hash function;
$E_K(M)$: a symmetric encryption algorithm using a key $K$ to encrypt the message $M$;
$D_K(M)$: a symmetric decryption algorithm using a key $K$ to decrypt the message $M$;
$\|$: the concatenation operator of two strings;
$\oplus$: the exclusive-or (XOR) operation;
$x$: the master key of $S_j$, which cannot be derived by the brute force attack.

2.2 Review of Wang et al.'s User Anonymity Scheme

In this section, we review Wang et al.'s scheme which preserves user anonymity [8]. Their scheme is composed of six phases: registration phase, precomputation phase, authentication and key agreement phase, password changing phase, revoking smart card phase, and user eviction phase. The details are as follows.

A. Registration Phase

To initialize the system, $S_j$ selects a large prime $p$ and two integers $a$ and $b$, where $p > 2^{160}$ and $4a^3 + 27b^2 \bmod p \neq 0$. Then $S_j$ chooses an elliptic curve equation $E_p$ over the finite field $F_p$: $y^2 = x^3 + ax + b \bmod p$. $G$ is a base point of $E_p$ with a prime order $n$, and $nG = O$, where $n > 2^{160}$. When a user $U_i$ wants to access $S_j$, $U_i$ needs to register at $S_j$ as follows.
Step 1) $U_i$ sends a registration request to $S_j$.
Step 2) Upon receiving the registration request, $S_j$ issues an indicator $IND_i$ for $U_i$ and computes $B_i = h(x \| IND_i \| cid_i) \cdot G$, where $x$ is the master key of $S_j$.
Step 3) $S_j$ stores $(IND_i, B_i, G, E_p)$ into $SC_i$ and issues this smart card to $U_i$ via a secure channel. Meanwhile, $S_j$ maintains an ID table which includes $(IND_i, cid_i)$.
Step 4) After $U_i$ receives $SC_i$, $U_i$ activates $SC_i$ by inserting it into a card reader and inputting an easy-to-remember password $pw_i$. Then $SC_i$ computes $B_i' = B_i \oplus h(pw_i)$ and replaces $B_i$ with $B_i'$. Finally, $SC_i$ stores $(IND_i, B_i', G, E_p)$.

B. Precomputation Phase

In this phase, $SC_i$ can compute $T_1$, which will be used in the authentication and key agreement phase. First, $SC_i$ chooses a random number $R$ in $Z_n^*$ and computes $T_1 = R \cdot G$. Then, $SC_i$ stores $T_1$ in its memory. Finally, $SC_i$ contains $(IND_i, B_i', G, E_p, T_1)$.

C. Authentication and Key Agreement Phase

When $U_i$ wants to access $S_j$'s service, $U_i$ first inserts $SC_i$ into a card reader and inputs $pw_i$. Then $SC_i$ and $S_j$ execute the authentication and key agreement procedure. Finally, $U_i$ and $S_j$ authenticate each other and share a common session key which can be used for secure communication. Moreover, the indicator is renewed for the next session. The details are as follows:
Step 1: After $U_i$ inserts $SC_i$ into a card reader and inputs $pw_i$, $SC_i$ computes $B_i = B_i' \oplus h(pw_i) = h(x \| IND_i \| cid_i) \cdot G$ and $T_2 = h(R \cdot B_i)$.
Step 2: $U_i$ sends $(IND_i, T_1, T_2)$ to $S_j$.
Step 3: After getting $(IND_i, T_1, T_2)$, $S_j$ checks the format of $IND_i$, computes $T_2' = T_1 \cdot h(x \| IND_i \| cid_i)$, and checks if the digest value of $T_2'$ is equal to $T_2$.
Step 4: $S_j$ selects a random number $W$ in $Z_n^*$ and a new indicator $IND_i^{new}$. Then $S_j$ computes $K_1 = h(W \cdot T_1)$, $V_1 = E_{K_1}(h(T_2' + 1) \| IND_i^{new} \| B_i^{new})$ and $T_3 = W \cdot G$, where $B_i^{new} = h(x \| IND_i^{new} \| cid_i) \cdot G$.
Step 5: $S_j$ sends $(T_3, V_1)$ to $U_i$.
Step 6: Upon receiving the message $(T_3, V_1)$, $SC_i$ computes $K_2 = h(R \cdot T_3)$, $D_{K_2}(V_1)$, and $V_2 = h(R \cdot B_i + 2)$.
Step 7: $U_i$ checks if $h(R \cdot B_i + 1)$ is included in the decryption result of $V_1$. If it holds, $S_j$ is authenticated by $U_i$. Then $SC_i$ replaces $(IND_i, B_i')$ with $(IND_i^{new}, B_i'^{new})$ and sends $V_2$ to $S_j$.
Step 8: After getting $V_2$, $S_j$ checks if $V_2 = h(T_2' + 2)$. If it holds, $U_i$ is authenticated by $S_j$, and $S_j$ updates the ID table with $(IND_i^{new}, cid_i)$.
After the above steps, $U_i$ and $S_j$ share a common session key $K = K_1 = K_2$ for secure communication.

D. Password Changing Phase

This phase is invoked whenever $U_i$ wants to change his/her password $pw_i$. $U_i$ first inserts $SC_i$ into a card reader and inputs the original password $pw_i$ and the new password $pw_i^{new}$. Then $SC_i$ computes $B_i = B_i' \oplus h(pw_i) = h(x \| IND_i \| cid_i) \cdot G$ and $B_i'' = B_i \oplus h(pw_i^{new})$. Finally, $SC_i$ replaces $B_i'$ with $B_i''$ and stores $(IND_i, B_i'', G, E_p)$.

E. Revoking Smart Card Phase

This phase is invoked whenever $U_i$ wants to revoke a lost smart card; $U_i$ still can use the previous password and indicator to register again. The details are as follows.
Step 1: $S_j$ computes $B_i = h(x \| IND_i \| cid_i^{new}) \cdot G$, then writes $(IND_i, B_i, G, E_p)$ into the new smart card $SC_i$ and issues it to $U_i$, where $cid_i^{new}$ is the identity of the new smart card $SC_i$.
Step 2: $S_j$ replaces $(IND_i, cid_i)$ with $(IND_i, cid_i^{new})$.
Step 3: Upon receiving the smart card, $U_i$ activates $SC_i$ by inserting it into a card reader and inputting $pw_i$. Then $SC_i$ computes $B_i' = B_i \oplus h(pw_i)$ and replaces $B_i$ with $B_i'$. Finally, $SC_i$ stores $(IND_i, B_i', G, E_p)$.

F. User Eviction Phase

This phase is invoked when a client is evicted by the server. The server deletes the client's indicator and the record in the ID table. When an evicted user wants to log in to the server by using the overdue information in the smart card, the server can detect him/her by checking the record in the ID table.

2.3 Weakness of Wang et al.'s Scheme

Although Wang et al. claimed that their scheme providing user anonymity was secure against well-known attacks, Chang et al. found that their scheme suffers from some security flaws [10]. First, it cannot resist the DoS attack because the indicators for the next session are not consistent. Second, the user password may be modified by a malicious attacker because no authentication mechanism is applied before the user password is updated. In the following, the details are given.

A. DoS Attack

Because data is transmitted over public but insecure channels, a malicious user may intercept and modify the transmitted messages. In the authentication and key agreement phase, $SC_i$ replaces $(IND_i, B_i')$ with $(IND_i^{new}, B_i'^{new})$ and sends $V_2$ to $S_j$ after $S_j$ is authenticated by $U_i$, and $S_j$ updates the ID table with $(IND_i^{new}, cid_i)$ after $U_i$ is authenticated by $S_j$ by checking if $V_2 = h(T_2' + 2)$. Suppose an attacker intercepts $V_2$ and sends $V_2^*$ to $S_j$, where $V_2^* \neq V_2$. After $S_j$ receives the fabricated message $V_2^*$, $S_j$ checks if $V_2^*$ is equal to $h(T_2' + 2)$. Obviously, it will never hold, and $S_j$ will not update the ID table with $(IND_i^{new}, cid_i)$. From now on, the indicators kept by $SC_i$ and $S_j$ are $IND_i^{new}$ and $IND_i$, respectively. Later, if $U_i$ sends $(IND_i^{new}, T_1, T_2)$ to $S_j$ as a request, this request will be rejected by $S_j$ because no entry stored in the ID table matches.

B. Password Changing without Verification

In the password changing phase of Wang et al.'s scheme, a user inserts his/her personal smart card into a card reader and inputs the original and new passwords to update his/her password. Unfortunately, no verification is involved, so a malicious user who gets a legal user's smart card can modify the legal user's password such that the innocent user cannot log in to the system.

3. Proposed Improvement

Wang et al.'s scheme possesses superior properties although it suffers from the security flaws mentioned above. To eliminate the security flaws and preserve the advantages of Wang et al.'s scheme, we propose an improvement. The proposed scheme is also composed of six phases: registration phase, precomputation phase, user authentication and key agreement phase, password changing phase, revoking smart card phase, and user eviction phase. Because the precomputation phase and the user eviction phase are identical to those of Wang et al.'s scheme, only the registration phase, user authentication and key agreement phase, password changing phase, and revoking smart card phase are shown. The details are as follows.

3.1 Registration Phase

The steps in the registration phase of the proposed improvement are almost the same as those of Wang et al.'s scheme except the following. In Step 3, $S_j$ stores $(IND_i^{old}, IND_i, B_i^{old}, B_i, G, E_p)$ into the smart card, issues this smart card to $U_i$ via a secure channel, and saves the entry $(IND_i, cid_i)$ in the ID table, where $IND_i^{old} = IND_i$ and $B_i = B_i^{old} = h(x \| IND_i \| cid_i) \cdot G = h(x \| IND_i^{old} \| cid_i) \cdot G$. Though $IND_i^{old} = IND_i$ and $B_i = B_i^{old}$ in the registration phase, $SC_i$ has to store them to protect the proposed improvement from the DoS attack that Chang et al. found. Finally, $SC_i$ contains $(IND_i^{old}, IND_i, B_i'^{old}, B_i', G, E_p)$, where $B_i' = B_i \oplus h(pw_i)$ and $B_i'^{old} = B_i^{old} \oplus h(pw_i)$.

3.2 User Authentication and Key Agreement Phase

When $U_i$ wants to access $S_j$'s service, this phase is invoked. There are two cases in this phase: 1) $U_i$ is authenticated by sending the login request $(IND_i, T_1, T_2)$ and 2) $U_i$ is authenticated by sending the login request $(IND_i^{old}, T_1, T_2)$. The user authentication and key agreement phase is depicted in Fig. 1. The details are as follows.

A. Case 1

Step 1: $U_i$ inputs $pw_i$, and $SC_i$ computes $B_i = B_i' \oplus h(pw_i)$ and $T_2 = h(R \cdot B_i)$. $U_i$ sends $(IND_i, T_1, T_2)$ to $S_j$.
Step 2: $S_j$ checks whether $IND_i$ is in the ID table. If it does not hold, $S_j$ aborts this request and proceeds to Case 2 to start the session over. If it holds, $S_j$ computes $T_2' = T_1 \cdot h(x \| IND_i \| cid_i)$ and checks if the digest value of $T_2'$ is equal to $T_2$. If it holds, $S_j$ selects a random number $W$ in $Z_n^*$, computes a symmetric session key $K_1 = h(W \cdot T_1)$, $V_1 = E_{K_1}(h(T_2' + 1) \| IND_i^{new} \| B_i^{new})$ and an authentication message $T_3 = W \cdot G$, and sends $(T_3, V_1)$ to $U_i$, where $IND_i^{new}$ is issued by $S_j$ and only the legal user can retrieve it.
Step 3: After receiving $(T_3, V_1)$, $SC_i$ computes the session key $K_2 = h(R \cdot T_3)$, uses $K_2$ to decrypt $V_1$, and checks if $h(R \cdot B_i + 1)$ is included in the decrypted result. If it holds, $U_i$ is convinced that $S_j$ is a legal server. Then $SC_i$ computes $V_2 = h(R \cdot B_i + 2)$, sends $V_2$ to $S_j$, and replaces $(IND_i^{old}, IND_i, B_i'^{old}, B_i')$ with $(IND_i, IND_i^{new}, B_i', B_i'^{new})$, where $B_i'^{new} = B_i^{new} \oplus h(pw_i)$.
Step 4: Upon receiving $V_2$, $S_j$ computes $V_2' = h(T_2' + 2)$ and checks if $V_2' = V_2$. If it holds, $S_j$ is convinced that $U_i$ is an authorized user.
After the above steps are finished, $U_i$ and $S_j$ establish a session key $K = K_1 = K_2$, and they can employ this session key to provide the confidentiality of subsequent communications. Finally, $S_j$ renews the entry in the maintained ID table with $(IND_i^{new}, cid_i)$.

B. Case 2

This case is invoked when $U_i$'s login request $(IND_i, T_1, T_2)$ fails and the session is restarted by sending $(IND_i^{old}, T_1, T_2)$ to $S_j$. The processes in Case 2 are almost identical to those in Case 1. Only the differences are shown as follows. In Step 1, $SC_i$ computes $B_i^{old} = B_i'^{old} \oplus h(pw_i)$ and $T_2 = h(R \cdot B_i^{old})$ and sends $(IND_i^{old}, T_1, T_2)$ to $S_j$. After $S_j$ receives $(IND_i^{old}, T_1, T_2)$, $S_j$ checks if the received $IND_i^{old}$ is in the ID table. If it holds, $S_j$ computes $T_2' = T_1 \cdot h(x \| IND_i^{old} \| cid_i)$ and checks if the digest value of $T_2'$ is equal to $T_2$. In Step 3, $SC_i$ replaces $(IND_i^{old}, IND_i, B_i'^{old}, B_i')$ with $(IND_i^{old}, IND_i^{new}, B_i'^{old}, B_i'^{new})$, where $B_i'^{new} = B_i^{new} \oplus h(pw_i)$. In Step 4, $S_j$ renews the entry in the maintained ID table with $(IND_i^{new}, cid_i)$.

In the proposed improvement, an attacker cannot mount the DoS attack which Wang et al.'s scheme suffers from. If $S_j$ does not renew the ID table with $(IND_i^{new}, cid_i)$ because an attacker modified the transmitted message, the legal user $U_i$ still can be authenticated by sending $(IND_i^{old}, T_1, T_2)$ to $S_j$ in Case 2.

3.3 Password Changing Phase

This phase is invoked when a user wants to change his/her password. The user first inputs the original and new passwords, $pw_i$ and $pw_i^{new}$. Before changing the user's password, the user authentication and key agreement phase needs to be performed. If the user is authenticated successfully by the server, the original password stored in the smart card is updated with the new one. There are two cases in this phase: 1) $U_i$ is authenticated by sending the login request $(IND_i, T_1, T_2)$ in the user authentication and key agreement phase and 2) $U_i$ is authenticated by sending the login request $(IND_i^{old}, T_1, T_2)$ in the user authentication and key agreement phase.

A. Case 1

$U_i$ is authenticated by sending $(IND_i, T_1, T_2)$ in the user authentication and key agreement phase. $SC_i$ replaces $(B_i', B_i'^{new})$ with $(B_i \oplus h(pw_i^{new}), B_i^{new} \oplus h(pw_i^{new}))$.

B. Case 2

$U_i$ is authenticated by sending the login request $(IND_i^{old}, T_1, T_2)$ in the user authentication and key agreement phase. $SC_i$ replaces $(B_i'^{old}, B_i'^{new})$ with $(B_i^{old} \oplus h(pw_i^{new}), B_i^{new} \oplus h(pw_i^{new}))$.
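The resynchronisation logic of Section 3.2 (Case 1 falling back to Case 2 on an unknown indicator, and the server renewing its ID table only after $V_2$ verifies) can be exercised in a small simulation. The Python model below is an added example, not code from this paper or from Wang et al.: it stands in exponentiation modulo a Mersenne prime for the elliptic-curve group (so $R \cdot G$ becomes `pow(G, R, P)`), uses SHA-256 for $h(\cdot)$ and a SHA-256 counter keystream as a toy stand-in for $E_K/D_K$, and uses a constructed card identity and password. The `keep_old` switch removes the $IND_i^{old}$ slot so the same run also reproduces the desynchronisation of Section 2.3-A: with the slot, a corrupted $V_2$ costs one session and the next login resynchronises via $IND_i^{old}$; without it, the card is locked out.

```python
"""Toy simulation of the indicator fallback in the improved scheme (added example)."""
import hashlib
import secrets

# Constructed toy group (an assumption, not the paper's curve): exponentiation modulo a
# Mersenne prime stands in for elliptic-curve scalar multiplication, so R*G is pow(G, R, P).
P = 2**61 - 1
G = 3


def h(*parts):
    """One-way hash h(.) over the concatenation of its arguments."""
    return hashlib.sha256(b"||".join(str(p).encode() for p in parts)).digest()


def secret_scalar(x, ind, cid):
    """Scalar h(x || IND || cid) from which B = h(x||IND||cid) * G is derived."""
    return int.from_bytes(h(x, ind, cid), "big") % (P - 2) + 1


def keystream_xor(key, data):
    """Stand-in for E_K / D_K: XOR with a SHA-256 counter keystream (toy, not for real use)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Server:
    def __init__(self):
        self.x = secrets.randbelow(P)   # master key x
        self.table = {}                 # ID table: IND -> cid
        self.pending = None             # state kept between Step 2 and Step 4

    def register(self, cid):
        ind = secrets.token_hex(8)
        self.table[ind] = cid
        return ind, pow(G, secret_scalar(self.x, ind, cid), P)   # (IND, B)

    def step2(self, ind, t1, t2):
        """Step 2 of Case 1/Case 2; None means 'unknown IND, retry with IND_old'."""
        if ind not in self.table:
            return None
        cid = self.table[ind]
        t2p = pow(t1, secret_scalar(self.x, ind, cid), P)       # T2' = T1 * h(x||IND||cid)
        if h(t2p) != t2:
            raise ValueError("login request rejected: T2 mismatch")
        w = secrets.randbelow(P - 2) + 1
        k1 = h(pow(t1, w, P))                                    # K1 = h(W * T1)
        ind_new = secrets.token_hex(8)
        b_new = pow(G, secret_scalar(self.x, ind_new, cid), P)   # B_new = h(x||IND_new||cid) * G
        v1 = keystream_xor(k1, f"{h(t2p + 1).hex()}|{ind_new}|{b_new}".encode())
        self.pending = (ind, cid, t2p, k1, ind_new)
        return pow(G, w, P), v1                                  # (T3 = W * G, V1)

    def step4(self, v2):
        """Step 4: renew the ID table only if V2 = h(T2' + 2); return the session key."""
        ind, cid, t2p, k1, ind_new = self.pending
        self.pending = None
        if v2 != h(t2p + 2):
            return None
        del self.table[ind]
        self.table[ind_new] = cid
        return k1


class SmartCard:
    def __init__(self, ind, b, pw, keep_old=True):
        mask = int.from_bytes(h(pw), "big")
        self.ind_old = self.ind = ind            # IND_old = IND at registration
        self.bp_old = self.bp = b ^ mask         # B' = B xor h(pw)
        self.keep_old = keep_old                 # False models a card without the IND_old slot

    def login(self, pw, server, tamper=None):
        """One run of Section 3.2. Returns (server's key or None, card's key), or None."""
        mask = int.from_bytes(h(pw), "big")
        r = secrets.randbelow(P - 2) + 1
        t1 = pow(G, r, P)                        # precomputed T1 = R * G
        attempts = [(self.ind, self.bp ^ mask)]  # Case 1 first, then Case 2 with IND_old
        if self.keep_old:
            attempts.append((self.ind_old, self.bp_old ^ mask))
        for ind, b in attempts:
            rb = pow(b, r, P)                    # R * B
            reply = server.step2(ind, t1, h(rb)) # T2 = h(R * B)
            if reply is not None:
                break
        else:
            return None                          # no indicator accepted: locked out
        t3, v1 = reply
        k2 = h(pow(t3, r, P))                    # K2 = h(R * T3)
        tag, ind_new, b_new = keystream_xor(k2, v1).decode().split("|")
        if bytes.fromhex(tag) != h(rb + 1):      # server authentication failed
            return None
        v2 = h(rb + 2)
        # The card moves on before the server confirms; this is the step the DoS exploits.
        self.ind_old, self.ind = ind, ind_new
        self.bp_old, self.bp = b ^ mask, int(b_new) ^ mask
        return server.step4(tamper(v2) if tamper else v2), k2


def simulate(keep_old=True):
    """Honest session, a session whose V2 is corrupted in transit, then a fresh login.
    Returns (first session ok, corrupted V2 rejected, card and server back in sync)."""
    server = Server()
    ind, b = server.register("card-0001")        # constructed card identity
    card = SmartCard(ind, b, "correct horse", keep_old=keep_old)
    first = card.login("correct horse", server)
    ok1 = first is not None and first[0] is not None and first[0] == first[1]
    damaged = card.login("correct horse", server, tamper=lambda v2: b"\x00" * len(v2))
    rejected = damaged is not None and damaged[0] is None
    third = card.login("correct horse", server)
    resynced = third is not None and third[0] == third[1] and card.ind in server.table
    return ok1, rejected, resynced
```

`simulate(True)` returns `(True, True, True)`: the session with a damaged $V_2$ is rejected by the server, and the following login succeeds through Case 2. `simulate(False)` returns `(True, True, False)`, which is the stuck state of Section 2.3-A.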

[Figure not reproduced in this text.] Fig. 1. User authentication and key agreement phase.

3.4 Revoking Smart Card Phase

This phase is almost the same as that of Wang et al.'s scheme except the following.
Step 1: $S_j$ computes $B_i = h(x \| IND_i \| cid_i^{new}) \cdot G$ and $B_i^{old} = h(x \| IND_i^{old} \| cid_i^{new}) \cdot G$, stores $(IND_i^{old}, IND_i, B_i^{old}, B_i, G, E_p)$ into the new smart card $SC_i$, and issues it to $U_i$, where $cid_i^{new}$ is the identity of $SC_i$.
Step 2: $S_j$ replaces $(IND_i, cid_i)$ with $(IND_i, cid_i^{new})$.
Step 3: Upon receiving the smart card, $U_i$ activates $SC_i$ by inserting it into a card reader and inputting $pw_i$. Then $SC_i$ computes $B_i' = B_i \oplus h(pw_i)$ and $B_i'^{old} = B_i^{old} \oplus h(pw_i)$ and replaces $B_i$ and $B_i^{old}$ with $B_i'$ and $B_i'^{old}$. Finally, $SC_i$ stores $(IND_i^{old}, IND_i, B_i'^{old}, B_i', G, E_p)$.

4. Security Analyses

In this section, the security analyses of the proposed scheme are given to show that it achieves the aforementioned security requirements.

4.1 No Verification Table

In the proposed scheme, no verification table or password table is maintained by the server. The remote server only has to record $(IND_i, cid_i)$ and utilizes them to authenticate users.

4.2 Resistance to the Smart Card Loss Problem

The smart card stores $(IND_i^{old}, IND_i, B_i'^{old}, B_i', G, E_p)$ in it. Assume that an attacker gets someone's smart card and extracts the data stored in the smart card. It is hard for an attacker to retrieve $B_i$ without knowing the client's password $pw_i$. If the attacker performs the online password guessing attack in the user authentication and key agreement phase to obtain $pw_i$, this attack will be detected by the remote server.

4.3 Resistance to the Administrator Attack

The server only maintains $(IND_i^{old}, IND_i, cid_i)$ for the user $U_i$. No information related to the user's password $pw_i$ can be obtained. Thus, the administrator attack cannot be successfully mounted on the proposed scheme. If the server gets an activated smart card and extracts the data $(IND_i^{old}, IND_i, B_i'^{old}, B_i', G, E_p)$ stored in it, the server computes $B_i = h(x \| IND_i \| cid_i) \cdot G$ and checks if $B_i = B_i' \oplus h(pw_i^*)$ by guessing $pw_i^* = pw_i$. If it does not hold, the server guesses $U_i$'s password again and checks if $B_i = B_i' \oplus h(pw_i^*)$ until it holds. When $B_i = B_i' \oplus h(pw_i^*)$, $pw_i^*$ does not necessarily equal $pw_i$; instead, it only denotes that the hash values of $pw_i$ and $pw_i^*$ are equal. However, this attack is unreasonable because the efforts and benefits are not equivalent.

4.4 Resistance to the Replay Attack and the Clock Synchronization Problem

An attacker might eavesdrop while the server and the user start the session. The attacker intercepts the login request $(IND_i, T_1, T_2)$ or $(IND_i^{old}, T_1, T_2)$ and forwards it to the server. However, the server will detect the replay attack because login requests in different sessions differ from each other. Even if $V_2$ in this session is modified such that the server does not update the ID table with the new indicator, the replay attack still cannot be mounted successfully because the server always chooses a new random number $W$, so only the legal user can compute the correct authentication parameter $V_2$. In addition, there is no clock synchronization problem since the proposed scheme employs no timestamp to counter the replay attack.

4.5 Resistance to the Impersonation Attack

The proposed scheme can resist the impersonation attack on both the server side and the client side.
Server side: It is hard for an attacker to compute $T_3$ and $V_1$ without knowing the master key $x$ and the random nonce $W$.
Client side: The attacker cannot compute the correct $V_2$ without knowing the random nonce $R$ and the secret value $B_i$.

4.6 Resistance to the Known-Key Attack and Perfect Forward Secrecy

Suppose that an attacker obtains a session key of one previous session. The attacker still cannot derive the latest session key because the session key is negotiated with the secret $B_i$ and the random numbers $W$ and $R$.
If the long-term key $B_i$ is retrieved by an attacker, he cannot obtain previous session keys because each session key is negotiated with the random numbers $W$ and $R$. Therefore, our improved scheme provides perfect forward secrecy.

4.7 Mutual Authentication and User Anonymity

In the user authentication and key agreement phase, the remote server and the user authenticate each other such that no malicious user can impersonate any participant. On the other hand, the transmitted indicator is updated in each session, so no one can trace the user by eavesdropping. Thus, the proposed scheme provides mutual authentication and user anonymity.

5. Conclusions

In this paper, we review Wang et al.'s authentication and key agreement scheme preserving the privacy of the client and the security flaws it suffers from, including the DoS attack. We propose an improvement to eliminate the security flaws and preserve the advantages of Wang et al.'s scheme. The proposed scheme achieves the requirements essential to smart-card-based password authentication schemes preserving user anonymity, and the computation load is light because only simple operations are executed. Via the proposed scheme, a legal user can negotiate a shared session key with the server without leaking any secret while preserving user anonymity at the same time. These properties make the proposed scheme suit applications in which computation efficiency and user anonymity are taken into consideration.

References

[1] L. Lamport, "Password authentication with insecure communication," Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981.
[2] G. Horng, "Password authentication without using a password table," Information Processing Letters, vol. 55, no. 5, pp. 247–250, 1995.
[3] C.-C. Lee and Y.-F. Chang, "On security of a practical three-party key exchange protocol with round efficiency," Information Technology and Control, vol. 37, no. 4, pp. 333–335, 2008.
[4] H.-M. Sun, "An efficient remote user authentication scheme using smart cards," IEEE Trans. on Consumer Electronics, vol. 46, no. 4, pp. 958–961, 2000.
[5] H.-Y. Chien, J.-K. Jan, and Y.-M. Tseng, "An efficient and practical solution to remote authentication: smart card," Computers and Security, vol. 21, no. 4, pp. 372–375, 2002.
[6] W.-C. Ku and S.-M. Chen, "Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards," IEEE Trans. on Consumer Electronics, vol. 50, no. 1, pp. 204–207, 2004.
[7] X.-M. Wang, W.-F. Zhang, J.-S. Zhang, and M.-K. Khan, "Cryptanalysis and improvement on two efficient remote user authentication schemes using smart cards," Computer Standards and Interfaces, vol. 29, no. 5, pp. 507–512, 2007.
[8] R.-C. Wang, W.-S. Juang, and C.-L. Lei, "Robust authentication and key agreement scheme preserving the privacy of secret key," Computer Communications, vol. 34, no. 3, pp. 274–280, 2011.
[9] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Examining smart card security under the threat of power analysis attacks," IEEE Trans. on Computers, vol. 51, no. 5, pp. 541–552, May 2002.
[10] Y.-F. Chang, J.-Y. Lin, and Y.-J. Yen, "Comments on a secret-key-privacy-preserving authentication and key agreement scheme," in Proc. of the 5th International Conf. on Genetic and Evolutionary Computing, Kinmen, 2011, pp. 268–271.

Ya-Fen Chang received the B.S. degree in computer science and information engineering from National Chiao Tung University in 2000 and the Ph.D. degree in computer science and information engineering in 2005 from National Chung Cheng University. From August 2006 to March 2010, she worked as an assistant professor with the Department of Computer Science and Information Engineering, National Taichung Institute of Technology, where she has been an associate professor since April 2010. Her current research interests include electronic commerce, information security, cryptography, and mobile communications.

Pei-Yu Chang received the B.S. degree in information management from National Taichung Institute of Technology in 2010. He has been a graduate student with the Department of Computer Science and Information Engineering, National Taichung Institute of Technology since September 2010. His current research interests include electronic commerce, information security, cryptography, and computer networks.