A practical authentication protocol with anonymity for wireless access networks

Published online 1 February 2010 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/wcm.933

RESEARCH ARTICLE

A practical authentication protocol with anonymity for wireless access networks

Yen-Cheng Chen¹*, Shu-Chuan Chuang¹, Lo-Yao Yeh² and Jiun-Long Huang²

¹ Department of Information Management, National Chi Nan University, Puli, NanTou 545, Taiwan

² Department of Computer Science, National Chiao Tung University, Hsinchu 300, Taiwan

ABSTRACT

The use of anonymous channel tickets was proposed for authentication in wireless environments to provide user anonymity and to probably reduce the overhead of re-authentications. Recently, Yang et al. proposed a secure and efficient authentication protocol for anonymous channels in wireless systems without employing asymmetric cryptosystems. In this paper, we show that Yang et al.’s scheme is vulnerable to guessing attacks performed by malicious visited networks, which can easily obtain the secret keys of the users. We propose a new practical authentication scheme that not only retains the merits of Yang et al.’s scheme but also adds several further merits: no verification table in the home network, no need for time synchronization between mobile stations and visited networks, and no obsolete anonymous tickets left in visited networks. The proposed scheme is built on a secure one-way hash function and simple operations, which makes it well suited to mobile devices. We prove the soundness of the authentication protocol using VO logic. Copyright © 2010 John Wiley & Sons, Ltd.

KEYWORDS

authentication; security; user anonymity; VO logic; wireless network

*Correspondence

Yen-Cheng Chen, Department of Information Management, National Chi Nan University, Puli, Nantou 545, Taiwan. E-mail: ycchen@ncnu.edu.tw

1. INTRODUCTION

Due to the popularity of wireless communications, there is an increasing demand for secure access to wireless networks via mobile devices. A mobile user usually accesses a wireless network via an association with the nearest network access point. These wireless associations should be authenticated to prevent unauthorized access to wireless networks. Since mobile users may move freely and may occasionally access networks when in need, the associations among users and access points may change dynamically. Due to unstable wireless signals or the temporary power-saving sleep of mobile devices, associations may also be discontinued and resumed frequently within a short period of time. If re-authentication is required whenever a suspended association is to be resumed, much overhead will be incurred for authentication. In addition, when a mobile user roams to a distant visited network, the visited network will spend a longer round trip time authenticating the user through the authentication server located in the home network of the user. Therefore, these practical issues are usually taken into account in the development of authentication schemes for wireless environments. Another vital security issue in wireless networks is the protection of user privacy. During an authentication process, it is usually required to present the identity of a user in authentication messages. The user identity may reveal the current location of a certain user. This information may attract malicious intruders. Therefore, for use in wireless networks, authentication schemes preserving user anonymity are preferred.

In recent years, many authentication schemes have been developed to consider security issues particular to wireless networks [1--10]. Park-Go-Kim’s authentication and key agreement protocol [3] used the temporary identity (TID) of a mobile user instead of its real one for providing user anonymity. Lin and Jan [4] proposed an authentication scheme with the use of wireless anonymous channels. Via a prepaid anonymous channel ticket, their authentication scheme achieves mutual authentication and supports location and identity anonymity for both a mobile station and its home network. In 2003, Barbancho and Peinado [7] pointed out that Lin and Jan’s protocol was vulnerable to forgery attack. That is, anyone can easily forge a valid anonymous ticket to pass the verification of the visited network. In 2004, Zhu and Ma [8] proposed another authentication scheme with user anonymity based on the use of hash functions and smart cards. Their scheme achieves user anonymity by using a hashed token to protect the user’s identity. However, we find that all users of the same home agent share the same hashed token. A malicious user can make use of the hashed token to get the identities of other users. Thus, Zhu-Ma’s authentication scheme fails to preserve user anonymity. Besides, Zhu-Ma’s scheme also fails to prevent ticket copies for malicious users intentionally setting the same session keys in each session. Recently, Yang et al. [10] proposed a secure and efficient protocol for anonymous channels in wireless systems without employing asymmetric cryptosystems. Yang et al.’s scheme achieves user anonymity by using a symmetric cryptosystem for authenticating each user. Another merit of this scheme is the prevention of ticket copy. In this paper, we will show that Yang et al.’s scheme is vulnerable to guessing attacks performed by malicious visited networks. A visited network can successfully guess the secret keys of the users who are visiting it. To withstand the proposed attack, we will develop a new authentication scheme preserving the same merits of Yang et al.’s scheme. The proposed scheme also provides several enhancements. In the proposed scheme, it is not necessary to store a verification table in the home network, which is the perfect solution to the stolen-verifier problem. Moreover, different from previous approaches using timestamps, the proposed scheme uses nonces to prevent replay attacks, because in practice it is difficult for a mobile station to present a synchronized timestamp before the mobile station is granted access to a visited network. The proposed scheme also provides anonymous tickets but limits the use of anonymous tickets by expiry times, instead of by the number of logins. This further prevents storing obsolete tickets in visited networks.

The rest of this paper is organized as follows. Section 2 is a brief overview of Yang et al.’s scheme. At the end of Section 2, we present attacks and comments on Yang et al.’s scheme. Then, a new practical authentication scheme is proposed in Section 3. In Section 4, we show the security and performance analysis of the proposed scheme. A conclusion is given in Section 5. Finally, we further prove the correctness of the proposed scheme by the logic of authentication in the Appendix.

2. REVIEW OF YANG ET AL.’S SCHEME

In this section, Yang et al.’s protocol is reviewed. Then, we present our attacks and comments on Yang et al.’s scheme. The notations used in Yang et al.’s protocol are as follows. Three entities are involved in the protocol: a mobile station MS, a visited network VN, and a home network HN. $ID_i$, $ID_{VN}$, and $ID_{HN}$ denote the identity of MS, VN, and HN, respectively. It is assumed that HN and VN share a secret key $k_{h,v}$ and HN and MS share a secret key $k_{h,i}$. “X → Y: M” denotes that X sends message M to Y. $(M)_k$ denotes the ciphertext of the message M encrypted with the symmetric key $k$, and “⊕” indicates the bit-wise XOR operation. $p$ is a large prime, $Q$ is a prime factor of $p-1$, and $g$ is an element of order $Q$ in $Z_p^*$. Yang et al.’s protocol consists of two phases, described as follows.

2.1. Yang et al.’s scheme

2.1.1. The anonymous channel issuing phase. In this phase, MS purchases an anonymous ticket from HN via VN before MS is granted to access VN.

Step 1. MS → VN: $ID_{HN}$, $k_{h,i}^{ID_i} \bmod p$, $(ID_i, T_1, A, B, C)_{k_{h,i}}$

MS selects three random numbers $a$, $b$, and $c$ to compute $A = g^a \bmod p$, $B = g^b \bmod p$, and $C = g^c \bmod p$. MS then uses $k_{h,i}$ to encrypt the message $(ID_i, T_1, A, B, C)$, where $T_1$ is a timestamp. The encrypted message, along with $ID_{HN}$ and $k_{h,i}^{ID_i} \bmod p$, is then sent to VN.

Step 2. VN → HN: $ID_{VN}$, $k_{h,i}^{ID_i} \bmod p$, $(ID_i, T_1, A, B, C)_{k_{h,i}}$, $(ID_{VN}, T_2, D, E, F)_{k_{h,v}}$

VN selects three random numbers $d$, $e$, and $f$ to compute $D = g^d \bmod p$, $E = g^e \bmod p$, and $F = g^f \bmod p$. VN then uses $k_{h,v}$ to encrypt the message $(ID_{VN}, T_2, D, E, F)$, where $T_2$ is a timestamp. Then VN sends $ID_{VN}$, $k_{h,i}^{ID_i} \bmod p$, $(ID_i, T_1, A, B, C)_{k_{h,i}}$, and $(ID_{VN}, T_2, D, E, F)_{k_{h,v}}$ to HN.

Step 3. HN → VN: $k_{h,v} \oplus (T_2, A, B, C, T_{expire})$, $k_{h,i} \oplus (T_1, D, E, F, T_{expire})$

HN first records the received time $T_3$ and uses $k_{h,i}^{ID_i} \bmod p$ to look up $ID_i$ and $k_{h,i}$. HN then uses $k_{h,i}$ and $k_{h,v}$ to extract $(ID_i, T_1, A, B, C)$ and $(ID_{VN}, T_2, D, E, F)$, respectively. HN then checks whether $T_3 - T_2 \le T$ and $ID_{VN}$ is valid, where $T$ denotes a valid time interval. If yes, HN successfully authenticates VN. Similarly, HN authenticates MS by checking whether $T_2 - T_1 \le T$ and $ID_i$ is valid. Then, HN sends $k_{h,v} \oplus (T_2, A, B, C, T_{expire})$ and $k_{h,i} \oplus (T_1, D, E, F, T_{expire})$ to VN, where $T_{expire}$ denotes the maximum number of logins of MS.

Step 4. VN → MS: $k_{h,i} \oplus (T_1, D, E, F, T_{expire})$

From the received message $k_{h,v} \oplus (T_2, A, B, C, T_{expire})$, VN uses $k_{h,v}$ to extract $(T_2, A, B, C, T_{expire})$ and authenticates HN by verifying $T_2$. Then, VN computes $A' = A^d = g^{ad} \bmod p$, $B' = B^e = g^{be} \bmod p$, and $C' = C^f = g^{cf} \bmod p$, and stores $(A', B', C', T_{expire})$ in a ticket database. The message $k_{h,i} \oplus (T_1, D, E, F, T_{expire})$ is then forwarded to MS.

After receiving $k_{h,i} \oplus (T_1, D, E, F, T_{expire})$ in Step 4, MS extracts $(T_1, D, E, F, T_{expire})$ with the shared key $k_{h,i}$ and authenticates HN by verifying $T_1$. MS then computes $A_1 = D^a = g^{da} \bmod p$, $B_1 = E^b = g^{eb} \bmod p$, and $C_1 = F^c = g^{fc} \bmod p$, and stores them together with $T_{expire}$ in its device storage.

2.1.2. The anonymous channel authentication phase.

It can be easily seen that $A_1 = A'$, $B_1 = B'$, and $C_1 = C'$. $A_1$ will be used as the identity of an anonymous ticket. $B_1$ and $C_1$ will be used for authentication between MS and VN. The anonymous channel authentication phase goes as follows.

Step 1. MS → VN: $A_1$, $T_{expire}$

MS presents $A_1$ and $T_{expire}$ to declare the ownership of an anonymous ticket.

Step 2. VN → MS: $(B', g^{d'} \bmod p, g^{e'} \bmod p)_{B'}$

According to $A_1$, VN finds the corresponding $(A', B', C', T_{expire})$ in the ticket database and checks whether $T_{expire} > 0$. If yes, VN selects two random numbers $d'$ and $e'$ and computes $g^{d'} \bmod p$ and $g^{e'} \bmod p$. Then VN encrypts $(B', g^{d'} \bmod p, g^{e'} \bmod p)$ with key $B'$ and sends it to MS.

Step 3. MS → VN: $(C_1, g^{a'} \bmod p, g^{b'} \bmod p)_{C_1}$

MS extracts $(B', g^{d'} \bmod p, g^{e'} \bmod p)$ with key $B'$. If $B' = B_1$, MS believes the VN is authentic. MS selects two random numbers $a'$ and $b'$ and computes $g^{a'} \bmod p$ and $g^{b'} \bmod p$ for the next authentication. MS then sends $(C_1, g^{a'} \bmod p, g^{b'} \bmod p)_{C_1}$ to VN. VN receives the message and extracts $(C_1, g^{a'} \bmod p, g^{b'} \bmod p)$ with key $C'$. If the obtained $C_1$ is the same as $C'$, VN successfully authenticates MS. VN then updates $(A', B', C', T_{expire})$ in its ticket database by setting $A' = C'$, $B' = (g^{a'})^{d'} \bmod p$, $C' = (g^{b'})^{e'} \bmod p$, and $T_{expire} = T_{expire} - 1$.

2.2. Attacks and comments on Yang et al.’s scheme

The major merits of Yang et al.’s scheme are user anonymity, mutual authentication, and secure anonymous tickets. In Yang et al.’s scheme, each home network has to store $k_{h,i}^{ID_i} \bmod p$, $ID_i$, and $k_{h,i}$ for each of its registered users. Obviously, these values should be securely protected in order to prevent possible stolen-verifier attacks. In addition, we find that Yang et al.’s scheme is vulnerable to guessing attacks performed by visited networks. We also indicate a few potential deficiencies in the implementation of Yang et al.’s scheme.

2.2.1. Guessing attack.

Recall that VN receives $k_{h,v} \oplus (T_2, A, B, C, T_{expire})$ and $k_{h,i} \oplus (T_1, D, E, F, T_{expire})$ from HN in Step 3 of the anonymous channel ticket issuing phase. VN attempts to guess the value of $k_{h,i}$ from the message $k_{h,i} \oplus (T_1, D, E, F, T_{expire})$. First, VN uses $k_{h,v}$ to extract $(T_2, A, B, C, T_{expire})$. VN is also aware of the values of $D$, $E$, and $F$. VN so far owns $D$, $E$, $F$, and $T_{expire}$, but does not know the value of $T_1$. However, since $T_2 - T_1 \le T$ and $T$ is usually a very small value, VN can easily list all the possible values of $T_1$. Then, for each possible value of $T_1$, denoted by $T'$, VN gets $k'_{h,i}$ by computing $(k_{h,i} \oplus (T_1, D, E, F, T_{expire})) \oplus (T', D, E, F, T_{expire})$, and then checks whether the message $(ID_i, T_1, A, B, C)_{k_{h,i}}$, received in Step 1, can be successfully decrypted by $k'_{h,i}$. If the decryption succeeds, VN successfully obtains the secret key $k_{h,i}$ and also gets $ID_i$ from the decrypted message. Therefore, the proposed guessing attack leads to the disclosure of users’ secret keys. Yang et al.’s scheme is insecure.

2.2.2. Time synchronization problem.

Yang et al.’s scheme uses timestamps to confirm the freshness of authentication messages. To ensure precise timestamps, time synchronization is required among MSs, VNs, and HNs. Time synchronization is usually performed via a time synchronization protocol, e.g., the Network Time Protocol (NTP). Thus, to synchronize clock times, MSs have to be already in the network. However, each MS is asked to present a synchronized timestamp before the MS is granted access to the wireless network. This raises a chicken-or-egg dilemma in the implementation of time synchronization. Therefore, we recommend that timestamps be used only within wired or fixed wireless networks.

2.2.3. Key length problem.

Yang et al.’s scheme uses shared keys to perform bitwise XOR operations on messages sent in Steps 3 and 4 of the anonymous channel issuing phase. Basically, the lengths of symmetric keys are short. In practice, these messages to be XORed may be longer than the shared keys. Thus, the latter part of an XORed message is subject to being revealed and modified.

2.2.4. Obsolete tickets left in VNs.

Yang et al.’s scheme allows each issued anonymous ticket to be used at most $T_{expire}$ times. Each VN is responsible for storing all the tickets whose $T_{expire}$ values have not been reached yet. Since each MS may travel everywhere and stay in a visited network just for a short period of time, it is very likely that a lot of tickets are maintained in a visited network that will never be used again. Yang et al.’s scheme did not address the obsolete ticket issue.

3. THE PROPOSED SCHEME

In this section, we propose a practical authentication protocol with user anonymity for wireless environments. Considering the implementation issues mentioned above, the proposed scheme uses random nonces in message exchanges within the wireless network, and restricts the use of anonymous tickets to a time period. Moreover, for better scalability, we do not adopt shared-key schemes between MSs and HNs. Instead, we assume that the home agent, denoted by HA, in the home network has a secret key $x$, known only to the HA itself. It will be shown that HA can successfully authenticate each MS without the use of any verification table. On the other hand, in each visited network there is a foreign agent, denoted by FA, responsible for authenticating anonymous tickets. Each FA and HA share a secret key $k_{h,f}$. For lower computation cost, most computations on authentication messages are based on a secure one-way hash function, denoted by $h()$, and string concatenation operations, denoted by “$\|$”. For better protection, we assume that each MS uses a smart card to store information for authentication. The proposed scheme consists of three phases: the registration phase, the ticket issuing phase, and the ticket authentication phase, described as follows.

Figure 1. The ticket issuing phase of the proposed scheme.

3.1. The registration phase

MS first submits its identity $ID_{MS}$ and password $PW_{MS}$ to its HA for an initial registration. HA selects a random number $R_{MS}$ and computes $h(ID_{MS} \| x) \oplus h(PW_{MS})$ and $h(R_{MS} \| ID_{HA} \| x)$ with its secret number $x$. HA stores $ID_{HA}$, $R_{MS}$, $h(ID_{MS} \| x) \oplus h(PW_{MS})$, and $ID_{MS} \oplus h(R_{MS} \| ID_{HA} \| x)$ in a smart card. The smart card is then issued to MS.

3.2. The ticket issuing phase

Step 1. MS → FA: $ID_{HA}$, $R_{MS}$, $ID_{MS} \oplus h(R_{MS} \| ID_{HA} \| x)$, $h(ID_{MS} \| x) \oplus N_{MS}$

MS selects a random number $a$ and generates $N_{MS} = g^a \bmod p$. Then, MS retrieves $h(ID_{MS} \| x)$ from the smart card (by XORing the stored value with $h(PW_{MS})$) and computes $h(ID_{MS} \| x) \oplus N_{MS}$. Finally, MS sends $ID_{HA}$, $R_{MS}$, $ID_{MS} \oplus h(R_{MS} \| ID_{HA} \| x)$, and $h(ID_{MS} \| x) \oplus N_{MS}$ to FA.

Step 2. FA → HA: $R_{MS}$, $ID_{MS} \oplus h(R_{MS} \| ID_{HA} \| x)$, $h(ID_{MS} \| x) \oplus N_{MS}$, $ID_{FA}$, $(ID_{FA}, T_1, N_{FA})_{k_{h,f}}$

FA selects a random number $b$ and generates $N_{FA} = g^b \bmod p$. Then, $(ID_{FA}, T_1, N_{FA})_{k_{h,f}}$ is computed, where $T_1$ is the current timestamp. Finally, FA sends $R_{MS}$, $ID_{MS} \oplus h(R_{MS} \| ID_{HA} \| x)$, $h(ID_{MS} \| x) \oplus N_{MS}$, $ID_{FA}$, and $(ID_{FA}, T_1, N_{FA})_{k_{h,f}}$ to HA.

Step 3. HA → FA: $M_1$, $M_2$, $(T_3, N_{MS}^c, M_3)_{k_{h,f}}$, where $M_1 = h(h(ID_{MS} \| x) \| N_{MS}) \oplus N_{FA}^c$, $M_2 = h(h(ID_{MS} \| x) \| N_{MS} \| N_{FA}^c)$, and $M_3 = h(h(ID_{MS} \| x) \| N_{MS} + 1 \| N_{FA}^c + 1)$.

Upon receiving the messages at time $T_2$, HA computes $h(R_{MS} \| ID_{HA} \| x)$, gets $ID_{MS}$ from the message $ID_{MS} \oplus h(R_{MS} \| ID_{HA} \| x)$, and gets $N_{MS}$ from the message $h(ID_{MS} \| x) \oplus N_{MS}$. After that, HA decrypts $(ID_{FA}, T_1, N_{FA})_{k_{h,f}}$ to get $ID_{FA}$, $T_1$, and $N_{FA}$. If $T_2 - T_1 \le T$, where $T$ denotes a valid time interval, and $ID_{FA}$ is as expected, HA chooses a random number $c$ and computes $N_{MS}^c = g^{ac} \bmod p$ and $N_{FA}^c = g^{bc} \bmod p$. Finally, HA prepares the messages $M_1$, $M_2$, and $M_3$, and sends $M_1$, $M_2$, and $(T_3, N_{MS}^c, M_3)_{k_{h,f}}$ to FA, where $T_3$ is the current time.

Step 4. FA → MS: $M_1$, $M_2$, $TID$, $T_{exp}$

FA decrypts $(T_3, N_{MS}^c, M_3)_{k_{h,f}}$ and verifies its freshness from the timestamp $T_3$. Then, FA generates an anonymous ticket with a unique ticket identifier $TID$ and expiry time $T_{exp}$. Finally, FA keeps $N_{MS}^c$ and $M_3$, and forwards $M_1$, $M_2$, $TID$, and $T_{exp}$ to MS.

Step 5. MS → FA: $M_3'$

MS computes $h(h(ID_{MS} \| x) \| N_{MS})$ and retrieves $N_{FA}^c$ by calculating $M_1 \oplus h(h(ID_{MS} \| x) \| N_{MS})$. Then, the message $M_2$ is verified. After a successful verification, MS computes $M_3' = h(h(ID_{MS} \| x) \| N_{MS} + 1 \| N_{FA}^c + 1)$ and sends it to FA. Upon receiving $M_3'$, FA authenticates MS by verifying whether $M_3' = M_3$.

After Step 5, MS and FA have successfully authenticated each other, and have obtained $N_{FA}^c$ and $N_{MS}^c$, respectively. Based on the Diffie-Hellman key agreement scheme, MS and FA determine a session key $SK_1 = (N_{FA}^c)^a \bmod p = (N_{MS}^c)^b \bmod p = g^{abc} \bmod p$. $SK_1$ will be used to encrypt all the messages delivered in the ongoing session. Figure 1 illustrates the ticket issuing phase of the proposed scheme.
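The registration and ticket issuing phases above, simulated end to end in one process (an added example, not code from the paper): $h()$ is modelled as SHA-256 over length-prefixed fields, the FA–HA cipher $(M)_{k_{h,f}}$ as a SHAKE keystream with an HMAC tag, and the group parameters, identities, password and keys are all constructed assumptions. It returns both sides' session keys so the reader can check that $SK_1 = g^{abc} \bmod p$ on both ends, and that a wrong password at MS makes both the $M_2$ check and the $M_3'$ check fail.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo parameters (assumptions; the paper gives p, Q, g only symbolically): p = 2^127 - 1 is prime, g = 3.
P = 2**127 - 1
G = 3
DELTA_T = 5  # valid time interval, in seconds, for timestamps on the FA-HA link

def h(*parts: bytes) -> bytes:
    """The one-way hash h(); '||' is modelled as length-prefixed concatenation."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(2, "big") + part)
    return m.digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def i2b(n: int) -> bytes:  # fixed 32-byte encoding so group elements can be XORed with digests
    return n.to_bytes(32, "big")

def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")

def now() -> bytes:
    return int(time.time()).to_bytes(8, "big")

def fresh(t: bytes) -> bool:
    return 0 <= time.time() - b2i(t) <= DELTA_T

def enc(k: bytes, m: bytes) -> bytes:
    """(M)_k on the FA-HA link: toy stream cipher (SHAKE keystream) plus an HMAC tag.
    The paper fixes no cipher, so this construction is an assumption of the demo."""
    n = secrets.token_bytes(16)
    c = n + xor(m, hashlib.shake_256(k + n).digest(len(m)))
    return c + hmac.new(k, c, hashlib.sha256).digest()

def dec(k: bytes, c: bytes):
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, body, hashlib.sha256).digest()):
        return None  # tag failure: reject
    return xor(body[16:], hashlib.shake_256(k + body[:16]).digest(len(body) - 16))

def run_ticket_issuing(pw_entered: bytes = b"correct-horse") -> dict:
    """Registration (3.1) followed by the five-step ticket issuing phase (3.2)."""
    id_ms, id_fa, id_ha = (s.ljust(32, b"\0") for s in (b"alice", b"FA-1", b"HA-1"))
    x = secrets.token_bytes(32)     # HA's secret, known only to HA
    k_hf = secrets.token_bytes(32)  # long-term key shared by FA and HA

    # 3.1 Registration: HA writes the smart card and keeps no per-user verifier.
    r_ms = secrets.token_bytes(32)
    card = (id_ha, r_ms, xor(h(id_ms, x), h(b"correct-horse")), xor(id_ms, h(r_ms, id_ha, x)))

    # Step 1, MS -> FA: ID_HA, R_MS, ID_MS xor h(R_MS||ID_HA||x), h(ID_MS||x) xor N_MS
    hx_ms = xor(card[2], h(pw_entered))  # h(ID_MS||x) as recovered by MS from the card
    a = secrets.randbelow(P - 2) + 1
    n_ms = pow(G, a, P)
    msg1 = (card[0], card[1], card[3], xor(hx_ms, i2b(n_ms)))

    # Step 2, FA -> HA: MS's fields plus ID_FA and (ID_FA, T1, N_FA)_{k_hf}
    b = secrets.randbelow(P - 2) + 1
    n_fa = pow(G, b, P)
    msg2 = msg1[1:] + (id_fa, enc(k_hf, id_fa + now() + i2b(n_fa)))

    # Step 3, HA -> FA: unmask ID_MS and N_MS with x, check FA, reply M1, M2, (T3, N_MS^c, M3)_{k_hf}
    r, id_masked, n_masked, fa_claim, ct = msg2
    hx = h(xor(id_masked, h(r, id_ha, x)), x)  # h(ID_MS||x), recomputed rather than looked up
    n_ms_ha = b2i(xor(n_masked, hx))
    pt = dec(k_hf, ct)
    if pt is None or pt[:32] != fa_claim or not fresh(pt[32:40]):
        raise ValueError("HA rejects FA")
    c = secrets.randbelow(P - 2) + 1
    n_ms_c, n_fa_c = pow(n_ms_ha, c, P), pow(b2i(pt[40:]), c, P)
    m1 = xor(h(hx, i2b(n_ms_ha)), i2b(n_fa_c))
    m2 = h(hx, i2b(n_ms_ha), i2b(n_fa_c))
    m3 = h(hx, i2b(n_ms_ha + 1), i2b(n_fa_c + 1))
    msg3 = (m1, m2, enc(k_hf, now() + i2b(n_ms_c) + m3))

    # Step 4, FA -> MS: keep N_MS^c and M3, issue TID with an expiry time, forward M1, M2
    pt = dec(k_hf, msg3[2])
    if pt is None or not fresh(pt[:8]):
        raise ValueError("FA rejects HA")
    fa_n_ms_c, fa_m3 = b2i(pt[8:40]), pt[40:]
    msg4 = (msg3[0], msg3[1], secrets.token_bytes(8), time.time() + 3600)

    # Step 5, MS -> FA: recover N_FA^c from M1, verify M2, answer with M3'
    n_fa_c_ms = b2i(xor(msg4[0], h(hx_ms, i2b(n_ms))))
    ms_ok = msg4[1] == h(hx_ms, i2b(n_ms), i2b(n_fa_c_ms))
    m3_prime = h(hx_ms, i2b(n_ms + 1), i2b(n_fa_c_ms + 1))
    fa_ok = hmac.compare_digest(m3_prime, fa_m3)

    return {
        "ms_authenticated_fa": ms_ok,
        "fa_authenticated_ms": fa_ok,
        "sk_ms": pow(n_fa_c_ms, a, P),  # SK1 = (N_FA^c)^a mod p
        "sk_fa": pow(fa_n_ms_c, b, P),  # SK1 = (N_MS^c)^b mod p
        "g_abc": pow(G, a * b * c, P),  # the value both sides should agree on
    }
```

Note that HA never stores anything about MS: it recomputes $h(ID_{MS} \| x)$ from the card fields and its secret $x$, which is the "no verification table" property claimed in the text.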

3.3. The ticket authentication phase

After obtaining an anonymous ticket, MS can use this ticket to access a visited network before the ticket expires. Each anonymous ticket should be authenticated before a secure and anonymous session is started. In addition, a new session key will be negotiated for use in the next session. Suppose $SK_i$ is the session key of the $i$th session. The following describes the ticket authentication phase in the $i$th session.

Step 1. MS → FA: $TID$, $(SK_i, N'_{MS})_{SK_i}$

MS selects a random number $a'$ and computes $N'_{MS} = g^{a'} \bmod p$. MS then uses $SK_i$ to encrypt the message $(SK_i, N'_{MS})$ and sends the encrypted message to FA.

Step 2. FA → MS: $(SK_i + 1, N'_{FA})_{SK_i}$

According to $TID$, FA finds the corresponding ticket entry $(TID, T_{exp}, SK_i)$ in the ticket table. $T_{exp}$ is first used to check whether the ticket with ticket identifier $TID$ is overdue; an overdue ticket has been deleted automatically from the ticket table. In this case, no ticket will be found and the ticket authentication request will be rejected. If the ticket is still valid, FA uses $SK_i$ to decrypt $(SK_i, N'_{MS})_{SK_i}$ and verifies whether the decrypted $SK_i$ is as expected. If yes, FA successfully authenticates the anonymous ticket. After that, FA selects a random number $b'$ and computes $N'_{FA} = g^{b'} \bmod p$. Then, FA uses $SK_i$ to encrypt the message $(SK_i + 1, N'_{FA})$ and sends the encrypted message to MS. MS receives the message and decrypts it using $SK_i$. MS will successfully authenticate FA if the decrypted $SK_i + 1$ is as expected. After mutual authentication, MS and FA negotiate a new session key $SK_{i+1} = (N'_{FA})^{a'} \bmod p = (N'_{MS})^{b'} \bmod p = g^{a'b'} \bmod p$. The $SK_i$ stored in MS’s smart card and in FA’s ticket table is thus replaced with $SK_{i+1}$. The ticket authentication phase is summarized in Figure 2.

Figure 2. The ticket authentication phase of the proposed scheme.

4. SECURITY AND PERFORMANCE ANALYSIS

To confirm the correctness of the proposed scheme, we use VO logic [11] to prove our protocol. VO is an extension of BAN logic [12] developed to analyze authentication protocols with key agreement. The detailed proof is described in the Appendix. In this section, we present the security and performance analysis of the proposed scheme.

4.1. Security analysis

The security of the proposed scheme is analyzed with respect to some well known attacks.

4.1.1. Replay attack.

Our protocol uses nonces and timestamps to withstand replay attacks. Since both nonces $N_{MS}$ and $N_{FA}$ are generated independently, attacks that just replay messages of previous sessions will fail.

4.1.2. Stolen-verifier attack.

An attacker may try to steal or modify the verification table. Our scheme does not store any verifiers in HAs. No stolen-verifier attack can be applied.

4.1.3. Impersonation attack.

An attacker may attempt to masquerade as a legal entity involved in the scheme. However, the attacker has no way of knowing $h(ID_{MS} \| x)$ and the nonce values needed to generate proper authentication messages. Furthermore, in Step 2 and Step 3 of the ticket issuing phase, the shared key $k_{h,f}$ is known only to FA and HA. No one can correctly send forged messages without knowing $k_{h,f}$.

4.1.4. Guessing attack.

All of the delivered messages are protected by a secure one-way hash function and nonce values to withstand guessing attacks. Hence, the attacker cannot verify his guesses from the eavesdropped data.

4.1.5. Known-key security.

Known-key security means that if a session key is disclosed, it does not cause the compromise of any future session key. Each session key $SK_i$ is constructed from nonces and the Diffie-Hellman key agreement scheme. Knowing the current session key does not enable the derivation of other session keys.

4.1.6. Forward secrecy.

Forward secrecy in our scheme means that a compromise of the secret key $x$ held in HA does not cause the compromise of any session key. If the secret $x$ is disclosed, $ID_{MS}$, $N_{MS}$, and $N_{MS}^c$ will also be disclosed in the ticket issuing phase. However, the proposed scheme adopts the Diffie-Hellman key agreement algorithm to construct session keys. Perfect forward secrecy is ensured.

4.1.7. User anonymity preservation.

In the messages delivered in our scheme, $ID_{MS}$ is protected by $h(R_{MS} \| ID_{HA} \| x)$, which is only available in HA. Therefore, no other entity, including FA, can obtain any identity information about MS.

4.2. Performance analysis

The performance of the proposed scheme is evaluated by comparing it with Yang et al.’s scheme. The following notations are used in the performance comparison.

$T_{exp}$: the time for computing a modular exponentiation.

$T_{sym}$: the time for computing a symmetric-key encryption or decryption.

$T_{hash}$: the time for computing a one-way hash function.

$T_{XOR}$: the time for computing an XOR operation.

To achieve better performance, Yang et al.’s scheme adopts pre-computations in the preparation of the messages required in their scheme. It is claimed that, with pre-computations, step 1 and step 4 of the ticket issuing phase, as well as the entire authentication phase, all take zero computation time. Accordingly, the computation time of Yang et al.’s scheme is only $1T_{sym} + 2T_{XOR}$. We find that the evaluated computation time is incorrect, since it doesn’t include the computations required for decrypting and extracting received messages. In addition, there are the following problems in those pre-computations: (1) the symmetric encryption in step 1 of the ticket issuing phase cannot be pre-computed until the timestamp $T_1$ is determined; (2) most pre-computations for the next session should be performed in the current session; and (3) additional storage space is needed to store pre-computed messages and the corresponding parameters used in the messages. Indeed, pre-computations can reduce the running time of the scheme. However, it doesn’t imply that no computational cost is incurred in pre-computations. Therefore, a performance analysis in terms of computational cost is also required. In the following performance analysis, the computational cost of a scheme is evaluated according to all the computations required in the scheme, and the computation time is estimated by the elapsed time for running the ticket issuing phase and a round of the authentication phase, assuming that pre-computations have been done.

Table I. Performance comparison.

| | | Our scheme | Yang et al.’s scheme |
|---|---|---|---|
| Computation time^a | Ticket issuing phase | $2T_{exp} + 4T_{sym} + 6T_{hash} + 4T_{XOR}$ | $2T_{sym} + 4T_{XOR}$ |
| | Authentication phase | $2T_{sym}$ | $2T_{sym}$ |
| | Overall | $2T_{exp} + 6T_{sym} + 6T_{hash} + 4T_{XOR}$ | $4T_{sym} + 4T_{XOR}$ |
| | Estimated time (s) | 1.0992 | 0.0348 |
| Computational cost | Ticket issuing phase | $6T_{exp} + 4T_{sym} + 9T_{hash} + 4T_{XOR}$ | $12T_{exp} + 4T_{sym} + 4T_{XOR}$ |
| | Authentication phase | $4T_{exp} + 4T_{sym} + 2T_{XOR}$ | $8T_{exp} + 4T_{sym}$ |
| | Overall | $10T_{exp} + 8T_{sym} + 9T_{hash} + 6T_{XOR}$ | $20T_{exp} + 8T_{sym} + 4T_{XOR}$ |
| | Estimated time (s) | 5.2941 | 10.5096 |
| User anonymity | | Yes | Yes |
| Mutual authentication | | Yes | Yes |
| Resistant to guessing attack | | Yes | No |
| Free of time synchronization in MS | | Yes | No |
| Free of user verification table in HN (HA) | | Yes | No |
| Ticket expiration | | By expiry time | By number of logins |

^a With pre-computations.

By our performance analysis, Yang et al.’s scheme takes $4T_{sym} + 4T_{XOR}$ in terms of computation time, and requires $20T_{exp} + 8T_{sym} + 4T_{XOR}$ in computational cost. Our scheme takes $2T_{exp} + 6T_{sym} + 6T_{hash} + 4T_{XOR}$ in terms of computation time, and spends $10T_{exp} + 8T_{sym} + 9T_{hash} + 6T_{XOR}$ in computational cost. Obviously, Yang et al.’s scheme gains better performance from the pre-computations, but incurs more computational cost than our scheme does. More precisely, as indicated in Reference [13], a one-way hashing operation takes about 0.0005 s and a symmetric encryption/decryption requires 0.0087 s. An exponential operation is approximately equal to 60 symmetric encryptions/decryptions. Therefore, an exponential computation takes about 0.522 s. The computational cost of XOR operations can be ignored compared to the other computations. Based on the above estimated times, the computational cost of our scheme is 5.2941 s, while Yang et al.’s scheme requires 10.5096 s. Our scheme reduces the computational cost by about 50%. In terms of overall computation time, our scheme is slower than Yang et al.’s scheme by 1 s. Most of our computation time is spent in the ticket issuing phase. Nevertheless, compared with Yang et al.’s scheme, our scheme takes the same computation time in the authentication phase, which will be performed more frequently than the ticket issuing phase. Table I summarizes the performance comparison of our scheme with Yang et al.’s. In summary, our scheme takes more computation time in the ticket issuing phase, but achieves the same performance in the authentication phase. Our scheme outperforms Yang et al.’s approach in terms of computational cost. In addition, our scheme provides improvements in security protection, time synchronization, use of verification tables, and ticket maintenance.

5. CONCLUSION

We have successfully presented guessing attacks on Yang et al.’s scheme, and also indicated potential drawbacks in the implementation of their scheme. A new secure and practical authentication scheme is thus proposed. In the proposed scheme, nonces are used for both message protection and key agreement between MS and FA. To protect the secrecy of MS from FA, we carefully use nonces in the scheme such that FA can issue an anonymous ticket based on nonces, but cannot learn any information about MS. In summary, the proposed scheme provides the following merits: user anonymity, mutual authentication, ticket copy prevention, lower computational cost, freedom from time synchronization in wireless clients, and freedom from verification tables in HAs. We further prove the correctness of the proposed scheme by VO logic analysis.

Our study is a theoretical approach to authentication in wireless access networks, and several practical issues have been considered in the development of our scheme. The security issues of wireless access networks are becoming more crucial for contemporary mobile applications. In the future, we will take into consideration the application of our scheme in current wireless and mobile networks, e.g., IEEE 802.11 wireless LANs, 3G, and WiMAX networks.

APPENDIX: LOGIC ANALYSIS

In the VO logic, the original protocol must first be transformed into an idealized form, assumptions about the initial state of the protocol are written down, and the logic is then used to derive the beliefs held by the protocol principals. $P \mid\equiv X$ denotes that P believes the statement X is true. $P \mid\approx X$ and $P \mid\sim X$ denote P says X and P said X, respectively, to discriminate the tense, i.e., P sends or once sent a message including X. $\{X\}_K$ represents X encrypted with the key K. $\langle X \rangle_Y$ denotes X combined with the formula Y. $PK_\sigma(A, K)$ denotes the public signature verification key associated with principal A, and the corresponding private signing key is $PK_\sigma^{-1}(A)$. $PK_\delta(A, K)$ denotes the public key-agreement key associated with principal A, and the corresponding good private key-agreement key is $PK_\delta^{-1}(A)$. $X \supset Y$ denotes that the current knowledge of X can be demonstrated to Y. $f()$ is a key agreement function $f(\text{private info}, \text{public info})$.

Goals

The soundness of our protocol is proven if the following six generic authentication goals for party MS (and, similarly, for FA) can be achieved via the VO logic analysis:

G1. Far-end operative: $MS \mid\equiv FA \mid\approx Y$

MS believes FA recently sent a message Y. This implies that FA is currently operational.

G2. Targeted entity authentication: $MS \mid\equiv FA \mid\approx (Y, R(G(C_{MS}), Y))$

MS believes a message Y was sent by FA in response to the specific challenge $C_{MS}$. It provides authentication of FA to MS in the sense that the response is from a corroborated operational entity, and is targeted in response to a challenge from MS.

G3. Secure key establishment: $MS \mid\equiv MS \stackrel{K^-}{\longleftrightarrow} FA$

MS believes that the key K is shared with no party other than party FA.

G4. Key confirmation: $MS \mid\equiv MS \stackrel{K^+}{\longleftrightarrow} FA$

MS believes the key K is shared with FA alone, and FA has provided evidence of knowledge of the key to MS.

G5. Key freshness: $MS \mid\equiv \#(K)$

MS believes the key K is fresh.

G6. Mutual belief in shared secret: $MS \mid\equiv (FA \mid\equiv FA \stackrel{K^-}{\longleftrightarrow} MS)$

MS believes the target entity FA also believes K is an unconfirmed secret suitable for use with MS.

Idealization

We transform the proposed protocol into the following idealized form suitable for further logic manipulation:

Step 1. MS → FA: $ID_{HA}$, $R_{MS}$, $\langle ID_{MS} \rangle_{h(R_{MS} \| ID_{HA} \| x)}$, $\langle N_{MS} \rangle_{h(ID_{MS} \| x)}$

Step 2. FA → HA: $R_{MS}$, $\langle ID_{MS} \rangle_{h(R_{MS} \| ID_{HA} \| x)}$, $\langle N_{MS} \rangle_{h(ID_{MS} \| x)}$, $ID_{FA}$, $\{ID_{FA}, T_1, N_{FA}\}_{k_{h,f}}$

Step 3. HA → FA: $\langle N_{FA}^c \rangle_{h(h(ID_{MS} \| x) \| N_{MS})}$, $\langle h(h(ID_{MS} \| x) \| N_{MS} \| N_{FA}^c) \rangle_{N_{FA}^c}$, $\{T_3, N_{MS}^c, \langle h(h(ID_{MS} \| x) \| N_{MS} + 1 \| N_{FA}^c + 1) \rangle_{N_{FA}^c}\}_{k_{h,f}}$

Step 4. FA → MS: $\langle N_{FA}^c \rangle_{h(h(ID_{MS} \| x) \| N_{MS})}$, $\langle h(h(ID_{MS} \| x) \| N_{MS} \| N_{FA}^c) \rangle_{N_{FA}^c}$

Step 5. MS → FA: $\langle h(h(ID_{MS} \| x), N_{MS} + 1, N_{FA}^c + 1) \rangle_{N_{FA}^c}$

Step 6. MS → FA: $\{K, N'_{MS}\}_K$

Step 7. FA → MS: $\{K + 1, N'_{FA}\}_K$

Assumptions

The formal assumptions required for party MS are listed as follows. Similar assumptions are also required for FA.

A1. $MS \mid\equiv HA \mid\Rightarrow PK_\delta(FA, \bar{K}_{FA})$, where $PK_\delta(FA, \bar{K}_{FA}) = N_{FA}^c$

A2. $MS \mid\equiv PK_\delta^{-1}(MS)$

A3. $MS \mid\equiv PK_\delta^{-1}(FA)$

A4. $MS \mid\equiv \#(N_{MS})$

A5. $MS \mid\equiv HA \mid\equiv PK_\delta(FA, \bar{K}_{FA})$

Proofs

We prove the proposed protocol in six lemmas corresponding to the above six generic goals.

Lemma 1. The proposed scheme provides secure key establishment, i.e., goal (G3) $MS \mid\equiv MS \stackrel{K^-}{\longleftrightarrow} FA$ is achieved.


Proof.

1. MS sees $\langle N_{FA}^c \rangle_{h(h(ID_{MS} \| x) \| N_{MS})}$. By Step 4.

2. MS sees $N_{FA}^c \supset$ MS has $N_{FA}^c$, where $N_{FA}^c = PK_\delta(FA)$ (S1). By belief conjuncatenation.

3. MS has $K$, where $K = f(PK_\delta^{-1}(MS), PK_\delta(FA))$ (S2). By unqualified key-agreement, (S1), and (A2).

4. $MS \mid\equiv PK_\delta(FA, K_{FA})$ (S3). By jurisdiction, (A1) and (A5).

5. $MS \mid\equiv MS \stackrel{K^-}{\longleftrightarrow} FA$, where $K = f(PK_\delta^{-1}(MS), PK_\delta(FA))$. By qualified key-agreement, (S3), (A2), and (A3).

That is, MS believes K is shared with no party other than FA. Implicitly, MS also now possesses this key. Q.E.D.

Lemma 2. The proposed scheme provides key confirmation, i.e., goal (G4) $MS \mid\equiv MS \stackrel{K^+}{\longleftrightarrow} FA$ is achieved.

Proof.

We require two additional formal assumptions: $MS \mid\equiv \#(N'_{MS})$ and $MS \mid\equiv \phi(N'_{MS})$ (S4). That is, MS believes that $N'_{MS}$, generated by MS itself, is fresh and recognizable using GNY constructs.

1. $MS \mid\equiv \phi(\{N'_{MS}\}_K)$ (S5). By recognizability rule, (S2), and (S4).

2. $\#(N'_{MS}) \wedge \phi(\{N'_{MS}\}_K) \supset \mathrm{confirm}(K)$ (S6). By Confirmation Axiom, (S4), and (S5).

3. MS sees $\mathrm{confirm}(K)$. By message decryption rule for unqualified keys, (S2) and (S6), Step 7.

MS does not create any message of the specific form $(K + 1, N'_{FA})$ encrypted by K in the current session. That is, $(K + 1, N'_{FA})$ was not originated by MS itself. The confirmation belief is therefore marked with the "not-originated-here" symbol from GNY's constructs: MS sees $\ast\mathrm{confirm}(K)$ (S7).

4. $MS \mid\equiv MS \overset{K^+}{\longleftrightarrow} FA$, where $K^+$ is the session key SK of the proposed scheme. By key confirmation, (S7), and Lemma 1.

That is, upon a successful completion of the protocol, MS believes that the session key K is shared with only FA, and FA has provided the evidence of knowledge of this key to MS. Q.E.D.

Lemma 3. The proposed scheme provides key freshness, i.e., goal (G5) $MS \mid\equiv \#(K)$ is achieved.

Proof.

1. $MS \mid\equiv \#((N^c_{MS})^b)$, where $(N^c_{MS})^b = g^{abc} \bmod p$. By freshness propagation, and (A4).

For non-zero a, b, and c, the entropy of $K = (N^c_{FA})^a = (N^c_{MS})^b$ is large. Therefore, the freshness conjuncatenation rule over this exponentiation provides freshness of the key K. Q.E.D.
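The key agreement that Lemma 3 relies on, together with the masking and challenge terms of the idealized Steps 1 to 5, as an added worked example (this is not the paper's own code): $N_{MS} = g^a$, $N_{FA} = g^b$, HA raises both to its exponent c, and MS and FA arrive at $K = (N^c_{FA})^a = (N^c_{MS})^b = g^{abc} \bmod p$. It assumes that h is SHA-256 over the concatenated fields, that $\oplus$ is integer XOR, that the group parameters are constructed toy values, and that the encryptions under $k_{h,f}$, $N^c_{FA}$ and K are left out (the $\{\cdot\}_{N^c_{FA}}$ term is represented by its hash alone).

```python
import hashlib
import secrets

P = 2**127 - 1   # constructed toy modulus (a prime); far too small for real use
G = 5            # constructed base

def h(*parts):
    """h(a||b||...): SHA-256 over the concatenated fields, returned as an integer."""
    data = b"||".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def run_protocol(tamper_step4=False):
    """Run Steps 1-5 between MS, FA and HA and report what each check yielded."""
    id_ms, x = b"ms-0001", b"constructed-HA-master-secret-x"
    k_ms = h(id_ms, x)                       # h(ID_MS||x), held by MS and HA
    # Step 1: MS picks a, forms N_MS = g^a and masks it with h(ID_MS||x)
    a = secrets.randbelow(P - 2) + 1
    n_ms = pow(G, a, P)
    step1 = n_ms ^ k_ms
    # Step 2: FA picks b and forwards N_FA = g^b (the k_{h,f} channel is not modelled)
    b = secrets.randbelow(P - 2) + 1
    n_fa = pow(G, b, P)
    # Step 3: HA unmasks N_MS, raises both nonces to its exponent c, masks N^c_FA,
    # and records the tag and the Step 5 response it expects from MS
    n_ms_at_ha = step1 ^ h(id_ms, x)
    c = secrets.randbelow(P - 2) + 1
    nc_ms, nc_fa = pow(n_ms_at_ha, c, P), pow(n_fa, c, P)
    masked = nc_fa ^ h(k_ms, n_ms_at_ha)
    tag = h(k_ms, n_ms_at_ha, nc_fa)
    expected_resp = h(k_ms, n_ms_at_ha + 1, nc_fa + 1)
    # Step 4: FA relays masked N^c_FA and the tag; the tamper flips one bit in transit
    if tamper_step4:
        masked ^= 1
    k_fa = pow(nc_ms, b, P)                  # FA's key: (N^c_MS)^b
    # Step 5: MS recovers N^c_FA, checks the tag, derives K and answers the challenge
    nc_fa_at_ms = masked ^ h(k_ms, n_ms)
    tag_ok = h(k_ms, n_ms, nc_fa_at_ms) == tag
    k_ms_key = pow(nc_fa_at_ms, a, P)        # MS's key: (N^c_FA)^a
    resp = h(k_ms, n_ms + 1, nc_fa_at_ms + 1)
    return {"tag_ok": tag_ok,
            "response_ok": resp == expected_resp,
            "keys_match": k_ms_key == k_fa,
            "key_is_g_abc": k_ms_key == pow(G, a * b * c, P)}

if __name__ == "__main__":
    print(run_protocol())
```

With a bit flipped in the relayed mask, MS recovers a wrong $N^c_{FA}$, so both the tag check and FA's check of the Step 5 response fail.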

Lemma 4. The proposed scheme establishes that the far-end party is operative, i.e., goal (G1) $MS \mid\equiv FA \mid\approx Y$ is achieved.

Proof.

1. MS sees $\{h(h(ID_{MS} \| x) \| N_{MS} \| N^c_{FA})\}_{N^c_{FA}}$ (S8). By Step 4.

2. For shared secrets, we postulate $MS \mid\equiv MS \overset{N^c_{FA}}{\longleftrightarrow} HA$ (S9).

3. $MS \mid\equiv HA \mid\sim \{h(h(ID_{MS} \| x) \| N_{MS} \| N^c_{FA})\}_{N^c_{FA}}$ (S10). By message meaning, (S8) and (S9).

4. $MS \mid\equiv \#(\{h(h(ID_{MS} \| x) \| N_{MS} \| N^c_{FA})\}_{N^c_{FA}})$ (S11). By freshness propagation, (S10) and (A4).

5. $MS \mid\equiv HA \mid\equiv \{h(h(ID_{MS} \| x) \| N_{MS} \| N^c_{FA})\}_{N^c_{FA}}$. By nonce-verification, (S10) and (S11).

6. $MS \mid\equiv HA \mid\equiv (N^c_{FA} \oplus h(h(ID_{MS} \| x) \| N_{MS}),\ \{h(h(ID_{MS} \| x) \| N_{MS} \| N^c_{FA})\}_{N^c_{FA}})$ (S12). By freshness propagation.

Thus, MS believes that HA recently said the message $N^c_{FA} \oplus h(h(ID_{MS} \| x) \| N_{MS}),\ \{h(h(ID_{MS} \| x) \| N_{MS} \| N^c_{FA})\}_{N^c_{FA}}$.

7. $MS \mid\equiv FA \mid\sim (K + 1, N'_{FA})$ (S13). By message meaning, Step 7 and (S3).

8. $MS \mid\equiv \#(K + 1, N'_{FA})$ (S14). By freshness propagation, Lemma 3, and (S13).

9. $MS \mid\equiv FA \mid\equiv (K + 1, N'_{FA})$ (S15). By nonce-verification, (S13) and (S14).

Therefore, MS believes that FA recently said $(K + 1, N'_{FA})$, which implies that FA is currently operational. Q.E.D.

Lemma 5. The proposed scheme provides targeted entity authentication, i.e., goal (G2) $MS \mid\equiv FA \mid\approx (Y, R(G(RA), Y))$ is achieved.

Proof.

1. $MS \mid\equiv FA \mid\sim (N^c_{FA} \oplus h(h(ID_{MS} \| x) \| N_{MS}),\ \{h(h(ID_{MS} \| x) \| N_{MS} \| N^c_{FA})\}_{N^c_{FA}},\ TID,\ T_{exp})$. By Lemma 4, and Step 4.

We break the conjuncatenation and derive $h(h(ID_{MS} \| x) \| N_{MS})$, which provides authentication evidence of FA and HA to MS in the sense that the response is from the corroborated operational entities HA and FA, and it is targeted as a response to the challenge from MS in Step 1. Furthermore, since $N_{MS} = g^a$, provided that MS draws a fresh random number a with an appropriate random number generator rather than deliberately reusing one from an earlier epoch, the nonce will not be a duplicate of a previous nonce. Thus, upon a successful completion of the protocol, MS believes that FA conveyed $N^c_{FA} \oplus h(h(ID_{MS} \| x) \| N_{MS}),\ \{h(h(ID_{MS} \| x) \| N_{MS} \| N^c_{FA})\}_{N^c_{FA}}$ in the current epoch, as an intended response to the specific challenge $h(h(ID_{MS} \| x) \| N_{MS})$. Q.E.D.

Lemma 6. The proposed scheme provides mutual belief in the shared keying relationship, i.e., goal (G6) $MS \mid\equiv (FA \mid\equiv FA \overset{K^-}{\longleftrightarrow} MS)$ is achieved.

Proof.

At the end of Step 7, MS can derive all beliefs and identify the principal FA with which MS shares the key K. MS may believe FA possesses K and derive $MS \mid\equiv (FA \mid\equiv FA \overset{K^-}{\longleftrightarrow} U)$, $U \neq FA$. From Lemma 5, MS can confirm $U = MS$. Therefore, $MS \mid\equiv (FA \mid\equiv FA \overset{K^-}{\longleftrightarrow} MS)$. Consider the beliefs of FA. After a successful completion of the protocol, FA is also able to derive the above beliefs like MS. It can be deduced that $FA \mid\equiv (MS \mid\equiv MS \overset{K^-}{\longleftrightarrow} FA)$.

To be more rigorous, we prove this lemma with the inference rules as follows.

1. $MS \mid\equiv FA \mid\approx K$ (S16). By Lemma 4, (S15).

2. $MS \mid\equiv (FA \mid\equiv FA \overset{K^-}{\longleftrightarrow} MS)$. By nonce-verification, Lemma 3, and (S16).

In the same way, we can derive the corresponding belief for FA, namely $FA \mid\equiv (MS \mid\equiv MS \overset{K^-}{\longleftrightarrow} FA)$. Q.E.D.


AUTHORS’ BIOGRAPHIES

Yen-Cheng Chen received the Ph.D. degree in Computer Science from the National Tsing Hua University, Taiwan, in 1992. He was an Associate Researcher of the ChungHwa Telecom Labs. from 1992 to 1998. From 1998 to 2001, he was an Assistant Professor of the Department of Information Management, Ming Chuan University, Taiwan. Currently, he is an Associate Professor of the Department of Information Management, National Chi Nan University, Taiwan. His current research interests are network management, wireless networks, and security.

Shu-Chuan Chuang received the M.S. degree in the Department of Information Management from National Chi-Nan University in 2006. Currently, she is a computer technician of the Department of Information Management in Kaohsiung Veterans General Hospital, in charge of application development and information security audit. Her interests include Internet technology and network security.

Lo-Yao Yeh received the B.S. degree in Information Management from Da Yeh University, Taiwan, in 2003. He received the M.S. degree in the Department of Information Management from National Chi Nan University in 2005. Now, he is a Ph.D. candidate in the Department of Computer Science at National Chiao Tung University. He was a visiting scholar at UC Berkeley. His current research interests include network security, overlay network security, and sensor networks.

Jiun-Long Huang received the B.S. and M.S. degrees from the Department of Computer Science and Information Engineering at National Chiao Tung University in 1997 and 1999, respectively, and the Ph.D. degree from the Department of Electrical Engineering at National Taiwan University in 2003. Currently, he is an Assistant Professor in the Department of Computer Science at National Chiao Tung University. His research interests include mobile computing, mobile data management, wireless access networks, and Internet technology.

Figure 1. The ticket issuing phase of the proposed scheme.
Figure 2. The ticket authentication phase of the proposed scheme.
Table I. Performance comparison.
