
User authentication scheme with anonymity, unlinkability and untrackability for global mobility networks

ABSTRACT

User authentication procedures are essential for global mobility networks and enable a mobile user to communicate securely with other users. Chang et al. recently presented an efficient authentication scheme with user anonymity in roaming environments. The authentication scheme of Chang et al. used low-cost functions and was most suitable for battery-powered mobile environments. However, Youn et al. pointed out that their authentication scheme cannot ensure user anonymity and cannot resist known session key and side channel attacks. This study demonstrates that the scheme of Chang et al. cannot resist impersonation attacks and violates session key security. In addition, this study presents a secure and efficient authentication scheme based on the scheme of Chang et al. The proposed scheme not only avoids the weaknesses of the authentication scheme of Chang et al. but also ensures data unlinkability and user untrackability. Copyright © 2013 John Wiley & Sons, Ltd.

1 INTRODUCTION

User authentication in a global mobility network (GLOMONET) is an extremely important issue for wireless communication networks. User authentication allows mobile users to establish an authentication key shared with a foreign agent on a foreign network and with a global roaming service.

Numerous authentication approaches with anonymity have been proposed for GLOMONETs [1-5] to increase the privacy and security of communication. These schemes provide mobile users with global roaming services while keeping their identities anonymous. To increase security, many authentication schemes have used public key systems or exponential computations. However, due to hardware limitations, a mobile user has difficulty supporting heavy encryption and decryption in a roaming environment and thus, using exponential computations increases client overhead [6-10]. Therefore, schemes that only use low-cost functions, such as one-way hash functions and exclusive-OR operations, are likely to be relatively more suited to roaming environments.

Zhu and Ma [11] in 2004 developed a novel authentication scheme using a smart card. Lin and Lee [12] later identified the limitations of this scheme. Lee, Chang and Lin [13] in 2005 also proposed an improved scheme to overcome the weaknesses in the scheme developed by Zhu and Ma. Additionally, Lee, Hwang and Liao [14] in 2006 also identified security flaws in the scheme developed by Zhu and Ma and created an improved version. However, Chang et al. [15] in 2009 demonstrated that the authentication scheme of Lee, Hwang and Liao cannot provide users with anonymity and suffers forgery attacks when the smart card of a mobile user is stolen by a malicious legal mobile user. Additionally, Chang et al. presented an efficient authentication scheme with anonymity as an alternative. Although the authentication scheme of Chang et al. used low-cost functions and attempted to achieve security goals, Youn et al. [16] in 2009 still pointed out that their authentication scheme cannot ensure user anonymity and cannot resist known session key and side channel attacks.

This study discusses the limitations of the authentication scheme developed by Chang et al. [15]. In their scheme, a malicious mobile user who has obtained the identity of another legal user can perform an impersonation attack and derive the session key between another mobile user and a foreign agent from the transmitted messages. Additionally, a novel secure user authentication scheme that offers users anonymity and achieves data unlinkability and user untrackability is also developed. The proposed authentication scheme uses an adaptable and temporary identity for a mobile user to protect the actual identity of the mobile user, such that a malicious mobile user cannot derive the identity of another user, and thus impersonation and eavesdropping attacks are eliminated. Therefore, the proposed authentication scheme is highly promising for battery-powered mobile devices in GLOMONETs and avoids the weaknesses in the scheme developed by Chang et al.

2 RELATED WORKS

This section first lists the notation used throughout this work and then briefly reviews the authentication scheme created by Chang et al. [15] and its weaknesses.

In this work, MN is a mobile user, FA is a foreign agent on a foreign network and HA is the home agent of a mobile user. Both FA and HA share a long-term secret key KFH. Table 1 lists the notations used throughout this work.

Table 1. Notation.

Symbol      | Meaning
IDX         | The identity of an entity X.
x           | The private key of HA.
PWMN        | MN's short-term password shared with HA.
nX          | The random number selected by the entity X.
SID, STID   | The shadow identities.
SK          | The session key of MN and FA.
VAB         | A message created by A that is used for B's verification.
h(.)        | A collision-free one-way hash function.
A → B: M    | A sends message M to B through a common channel.
A ⇒ B: M    | A sends message M to B through an authenticated and private channel.
M1||M2      | Message M1 concatenated with message M2.
⊕           | The exclusive-OR operator.

2.1 Anonymous authentication scheme developed by Chang et al.

The anonymous authentication scheme developed by Chang et al. [15] has three phases: registration, authentication and session key establishment. It functions as follows.

2.1.1 Registration phase

A new mobile user MN registers his or her identity IDMN and password PWMN to HA. HA then uses its private key x to compute R = h(IDMN||x) ⊕ PWMN and h(x), issues and delivers a smart card containing {IDMN, IDHA, R, h(x), h(.)} to MN through a secure channel.

2.1.2 Authentication and key establishment phases

Assume that a mobile user MN roams in a foreign network and the foreign agent FA needs to authenticate MN through MN's home agent HA. The process is implemented as follows.

  1. MN → FA: m1 = {Login request, nMN, IDHA}

The mobile user MN selects a nonce nMN, computes C = (R ⊕ PWMN) ⊕ nMN and sends m1 = {Login request, nMN, IDHA} to FA.

  2. FA → HA: m2 = {Authentication request, nFA, IDFA}

FA selects a nonce nFA and sends m2 = {Authentication request, nFA, IDFA} to HA.

  3. HA → FA: m3 = {nHA, IDHA}

HA checks IDFA, selects a nonce nHA and returns m3 = {nHA, IDHA} to FA.

  4. FA → MN: m4 = {nHA, nFA, IDFA}

FA sends m4 = {nHA, nFA, IDFA} to MN.

  5. MN → FA: m5 = {SID, V1, V2, nMN, S1, IDHA}

MN computes V1, V2, S1 and sends m5 = {SID, V1, V2, nMN, S1, IDHA} to FA, where the shadow identity SID = IDMN ⊕ h(h(x)||nHA), V1 = h(nHA||C), SK = h(h(x)||IDMN||IDFA||nMN||nFA), V2 = SK ⊕ h(nHA||IDMN) and S1 = h(nFA||SID||V1||V2||nMN).

  6. FA → HA: m6 = {SID, V1, V2, nMN, S2, IDFA}

FA checks S1 and computes S2 = h(KFH||nHA||SID||V1||V2||nMN), where KFH is the long-lived key shared by FA and HA. Then FA sends message m6 = {SID, V1, V2, nMN, S2, IDFA} to HA.

  7. HA → FA: m7 = {K1, V3, S3}

HA checks IDFA and verifies S2 by using KFH. Then HA computes IDMN = SID ⊕ h(h(x)||nHA) and checks IDMN. Next, HA verifies PWMN by computing C* = nMN ⊕ h(IDMN||x) and V1* = h(nHA||C*) and checking whether V1* = V1. If successful, HA computes SK = V2 ⊕ h(nHA||IDMN), K1 = SK ⊕ h(KFH||nFA), V3 = h(IDFA||h(x)||nMN) and S3 = h(KFH||nFA||K1||V3) and sends m7 = {K1, V3, S3} to FA.

  8. FA → MN: m8 = {V3, K2}

FA verifies S3 by computing S3 = h(KFH||nFA||K1||V3) with KFH. If successful, FA computes SK = K1 ⊕ h(KFH||nFA) and K2 = SK ⊕ h(SK||nMN) and sends m8 = {V3, K2} to MN. Finally, MN computes math formula and checks whether math formula. If successful, MN computes SK* = K2 ⊕ h(SK||nMN) and checks whether SK* = SK. Then MN and FA can use the common session key SK for later communication.

2.2 Weaknesses of the authentication scheme of Chang et al.

Youn et al. [16] in 2009 showed that the authentication scheme of Chang et al. [15] cannot provide anonymity and cannot resist known session key and side channel attacks. In the following, we also demonstrate that a malicious legal mobile user can employ the retrieved identity of another user to conduct impersonation attacks. Furthermore, this malicious user can derive the session key between another mobile user and a foreign agent from their transmitted messages. The scenarios are described as follows.

2.2.1 Security against impersonation attacks

The malicious legal mobile user MN*, who has obtained the identity IDMN of MN, can impersonate MN to communicate with FA and HA. When MN communicates with FA and HA, MN* intercepts m5 = {SID, V1, V2, nMN, S1, IDHA} and resends math formula to FA, where math formula, math formula and Rand is a nonce selected by MN*. Then, FA successfully verifies math formula. HA successfully verifies V1 and sends out m7 = {K1, V3, S3}, where math formula, V3 = h(IDFA||h(x)||nMN) and math formula. After receiving m7 from HA, FA derives the session key as Rand by computing math formula and sends math formula to MN, where math formula. However, MN cannot successfully verify SK* = ? SK and aborts this service request, because MN computes math formula. At this time, MN* holds the session key Rand and can successfully impersonate MN to communicate with FA.

2.2.2 Violating session key security

The malicious user MN* can derive the session key SK between MN and FA by computing SK = V2 ⊕ h(nHA||IDMN), because the parameters V2, h(.), nHA and IDMN are all available to MN*. The data transmitted between MN and FA can then be eavesdropped by MN*. Thus, the scheme proposed by Chang et al. [15] cannot realize session key security (authenticated key security).
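As an added illustration of the scheme reviewed in Section 2.1 and of the session-key observation just made (example code written for this page, not code from Chang et al. or from the authors of this paper), the following Python models the eight steps with SHA-256 standing in for h(.) and 32-byte fields for identities, passwords, nonces and keys; both are assumptions, as are the constructed labels used as inputs. The check at the end reproduces the computation SK = V2 ⊕ h(nHA||IDMN) from values that travel in the clear, which is the property a reviewer would test for before accepting an XOR-masked key transport.

```python
import hashlib
import os

# Added example (not the authors' code): a toy run of the Chang et al. scheme
# reviewed in Section 2.1 and the session-key check of Section 2.2.2.
# Assumptions: 32-byte fields and SHA-256 standing in for h(.).

N = 32


def h(*parts: bytes) -> bytes:
    """h(M1||M2||...) modelled with SHA-256 (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(p ^ q for p, q in zip(a, b))


def fixed(label: bytes) -> bytes:
    """Pad a constructed label to the N-byte field width."""
    return label.ljust(N, b"\0")[:N]


def register(id_mn, pw_mn, x):
    """Section 2.1.1: smart card {IDMN, IDHA, R, h(x), h(.)} with R = h(IDMN||x) xor PWMN."""
    return {"IDMN": id_mn, "R": xor(h(id_mn, x), pw_mn), "hx": h(x)}


def run_chang_protocol(card, pw_mn, id_fa, x, k_fh):
    """Section 2.1.2, steps 1-8; returns (MN's SK, FA's SK, values sent in the clear)."""
    id_mn, hx = card["IDMN"], card["hx"]
    n_mn, n_fa, n_ha = os.urandom(N), os.urandom(N), os.urandom(N)   # m1..m4
    # step 5, MN -> FA
    C = xor(xor(card["R"], pw_mn), n_mn)                  # = h(IDMN||x) xor nMN
    SID = xor(id_mn, h(hx, n_ha))
    V1 = h(n_ha, C)
    SK = h(hx, id_mn, id_fa, n_mn, n_fa)
    V2 = xor(SK, h(n_ha, id_mn))
    S1 = h(n_fa, SID, V1, V2, n_mn)
    # step 6, FA -> HA: FA checks S1 and adds S2 under KFH
    if S1 != h(n_fa, SID, V1, V2, n_mn):
        raise ValueError("FA rejects S1")
    S2 = h(k_fh, n_ha, SID, V1, V2, n_mn)
    # step 7, HA -> FA: HA recovers IDMN, checks the password via V1, wraps SK for FA
    if S2 != h(k_fh, n_ha, SID, V1, V2, n_mn):
        raise ValueError("HA rejects S2")
    id_seen = xor(SID, h(h(x), n_ha))
    if h(n_ha, xor(n_mn, h(id_seen, x))) != V1:
        raise ValueError("HA rejects V1: wrong password")
    SK_ha = xor(V2, h(n_ha, id_seen))
    K1 = xor(SK_ha, h(k_fh, n_fa))
    V3 = h(id_fa, h(x), n_mn)
    S3 = h(k_fh, n_fa, K1, V3)
    # step 8, FA -> MN: FA unwraps SK, MN checks V3 and SK* = K2 xor h(SK||nMN)
    if S3 != h(k_fh, n_fa, K1, V3):
        raise ValueError("FA rejects S3")
    SK_fa = xor(K1, h(k_fh, n_fa))
    K2 = xor(SK_fa, h(SK_fa, n_mn))
    if V3 != h(id_fa, hx, n_mn) or xor(K2, h(SK, n_mn)) != SK:
        raise ValueError("MN rejects V3/K2")
    return SK, SK_fa, {"nHA": n_ha, "V2": V2}


def session_key_from_transcript(public, id_mn):
    """Section 2.2.2: SK = V2 xor h(nHA||IDMN) uses only eavesdropped values plus IDMN."""
    return xor(public["V2"], h(public["nHA"], id_mn))


def login_rejected(card, pw_mn, id_fa, x, k_fh):
    """True if a run with this password is refused by one of the parties."""
    try:
        run_chang_protocol(card, pw_mn, id_fa, x, k_fh)
        return False
    except ValueError:
        return True
```

An honest run gives MN and FA the same key, a wrong password is refused at HA's V1 check, and session_key_from_transcript recovers that same key from {nHA, V2} and IDMN alone; the mask h(nHA||IDMN) contains no secret, which is why V2 does not protect SK.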

3 THE PROPOSED NOVEL AUTHENTICATION SCHEME

This section employs a temporary identity for protecting the identity of the legal user to develop an anonymous, unlinkable and untraceable authentication scheme. In the proposed authentication scheme, the used temporary identity TIDMN is protected by the previous session key and is updated during the next login. Thus, the proposed authentication scheme can avoid the weaknesses in the previous authentication scheme. The proposed scheme also has registration, authentication and session key establishment phases and is described as follows.

3.1 Registration phase

A mobile user MN registers his or her identity IDMN and password PWMN with HA. In addition to computing R = h(IDMN||x) ⊕ h(PWMN) and h(x), HA must compute and store a temporary identity TIDMN = h(R). Then HA issues and delivers a smart card containing {IDMN, TIDMN, IDHA, R, h(x), h(.)} to MN through a secure channel and stores {h(TIDMN), IDMN} in its database.

3.2 Authentication and session key establishment phase

In the proposed authentication scheme, a temporary identity TIDMN is used for protecting the identity of the legal user and is updated during the next login. Figure 1 shows the authentication and session key establishment phase of the proposed authentication scheme, which functions as follows.

  1. MN → FA: m1 = {Login request, STID, nMN, IDHA}

The mobile user MN selects a nonce nMN, computes C = (R ⊕ h(PWMN)) ⊕ nMN and STID = TIDMN ⊕ h(h(x)||nMN) and sends m1 = {Login request, STID, nMN, IDHA} to FA.

  2. FA → HA: m2 = {Authentication request, STID, nMN, nFA, IDFA}

On receiving m1, FA records nMN, selects a nonce nFA, generates and sends m2 = {Authentication request, STID, nMN, nFA, IDFA} to HA.

  3. HA → FA: m3 = {nHA, IDHA, D}

On receiving m2, HA checks IDFA, selects a nonce nHA, derives TIDMN by computing TIDMN = STID ⊕ h(h(x)||nMN) and obtains IDMN by using h(TIDMN) as the index to search its database. Then HA computes C = nMN ⊕ h(IDMN||x), VHM = h(h(x)||IDMN||IDFA||C||nHA||nFA) and D = VHM ⊕ h(KFH||nFA||nHA), where KFH is the long-lived key shared by FA and HA, and returns m3 = {nHA, IDHA, D} to FA.

  4. FA → MN: m4 = {nHA, nFA, IDFA, VFM}

After receiving m3, FA computes math formula and math formula and sends m4 = {nHA, nFA, IDFA, VFM} to MN.

  5. MN → FA: m5 = {VMH, VMF, IDHA}

After receiving m4, MN records nFA and nHA, computes math formula and math formula and checks whether math formula. If successful, MN has also successfully verified HA's VHM. Then MN computes math formula and math formula, sets the session key math formula and sends m5 = {VMH, VMF, IDHA} to FA.

  6. FA → HA: m6 = {VMH, VFH, IDFA}

On receiving m5 from MN, FA checks VMF, computes VFH = h(KFH||STID||VMH||nHA) and sends m6 = {VMH, VFH, IDFA} to HA.

  7. HA → FA: m7 = {VHF}

After receiving m6, HA verifies VFH with KFH and verifies VMH with IDMN and VHM. If successful, HA computes VHF = h(KFH||VFH) and sends m7 = {VHF} to FA. Finally, FA computes and verifies VHF. If successful, FA sets the session key math formula. Then MN and FA obtain a common session key SK for later communications. Besides, MN updates the temporary identity as TIDMN = h(VHM||TIDMN||IDMN) for the next login, and HA replaces the record {TIDMN_old, IDMN} with {TIDMN_new, IDMN} in its database.
Figure 1. The authentication and key establishment phase of the proposed authentication scheme.
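The following Python simulation is an added example (not the authors' code and not the contents of Figure 1) of the registration and login phases of Sections 3.1 and 3.2; it also exercises the temporary-identity rotation and the independence of STID across logins that the unlinkability argument of Section 4.1.3 relies on. Where the page gives no formula, the code makes labelled assumptions: SHA-256 as h(.), 32-byte fields, VFM = h(STID||VHM||nHA), VMH = h(VHM||IDMN||nHA), and HA keeping its in-flight login state per IDFA because m6 carries no session identifier. The session key is VHM, as Section 4.1.3.4 states.

```python
import hashlib
import os
# Added example (not the authors' code): a toy run of the proposed scheme of
# Sections 3.1 and 3.2. Assumed, since the page does not fix them: 32-byte
# fields, SHA-256 as h(.), VFM = h(STID||VHM||nHA), VMH = h(VHM||IDMN||nHA),
# and HA keying its in-flight login state by IDFA (m6 carries no session id).
N = 32

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(p ^ q for p, q in zip(a, b))

def fixed(label: bytes) -> bytes:      # pad a constructed label to N bytes
    return label.ljust(N, b"\0")[:N]

class HomeAgent:
    def __init__(self, x, k_fh):
        self.x, self.hx, self.k_fh = x, h(x), k_fh
        self.db = {}        # h(TIDMN) -> IDMN, the record stored in Section 3.1
        self.pending = {}   # IDFA -> (STID, IDMN, TIDMN, VHM, nHA) for a login in flight

    def register(self, id_mn, pw_mn):
        R = xor(h(id_mn, self.x), h(pw_mn))
        self.db[h(h(R))] = id_mn                                # TIDMN = h(R)
        return {"IDMN": id_mn, "TID": h(R), "R": R, "hx": self.hx}   # the smart card

    def step3(self, m2):
        stid, n_mn, n_fa, id_fa = m2["STID"], m2["nMN"], m2["nFA"], m2["IDFA"]
        tid = xor(stid, h(self.hx, n_mn))
        id_mn = self.db[h(tid)]            # KeyError if the temporary identity is unknown
        n_ha = os.urandom(N)
        C = xor(n_mn, h(id_mn, self.x))
        vhm = h(self.hx, id_mn, id_fa, C, n_ha, n_fa)          # becomes SK
        self.pending[id_fa] = (stid, id_mn, tid, vhm, n_ha)
        return {"nHA": n_ha, "D": xor(vhm, h(self.k_fh, n_fa, n_ha))}

    def step7(self, m6):
        stid, id_mn, tid, vhm, n_ha = self.pending.pop(m6["IDFA"])
        if m6["VFH"] != h(self.k_fh, stid, m6["VMH"], n_ha):
            raise ValueError("bad VFH: FA not authenticated")
        if m6["VMH"] != h(vhm, id_mn, n_ha):
            raise ValueError("bad VMH: MN not authenticated")
        del self.db[h(tid)]                                     # rotate the record
        self.db[h(h(vhm, tid, id_mn))] = id_mn
        return {"VHF": h(self.k_fh, m6["VFH"])}

class ForeignAgent:
    def __init__(self, id_fa, k_fh):
        self.id_fa, self.k_fh, self.s = id_fa, k_fh, {}

    def step2(self, m1):
        self.s = {"STID": m1["STID"], "nMN": m1["nMN"], "nFA": os.urandom(N)}
        return {**self.s, "IDFA": self.id_fa}

    def step4(self, m3):
        s = self.s
        s["nHA"], s["VHM"] = m3["nHA"], xor(m3["D"], h(self.k_fh, s["nFA"], m3["nHA"]))
        vfm = h(s["STID"], s["VHM"], s["nHA"])
        return {"nHA": s["nHA"], "nFA": s["nFA"], "IDFA": self.id_fa, "VFM": vfm}

    def step6(self, m5):
        s = self.s
        if m5["VMF"] != h(s["STID"], s["VHM"], s["nFA"]):
            raise ValueError("bad VMF: MN not authenticated")
        s["VFH"] = h(self.k_fh, s["STID"], m5["VMH"], s["nHA"])
        return {"VMH": m5["VMH"], "VFH": s["VFH"], "IDFA": self.id_fa}

    def step8(self, m7):
        if m7["VHF"] != h(self.k_fh, self.s["VFH"]):
            raise ValueError("bad VHF: HA not authenticated")
        return self.s["VHM"]                                    # SK on FA's side

class MobileNode:
    def __init__(self, card, pw_mn):
        self.card, self.pw, self.sk = card, pw_mn, None

    def step1(self):
        c, self.n_mn = self.card, os.urandom(N)
        self.C = xor(xor(c["R"], h(self.pw)), self.n_mn)        # = h(IDMN||x) xor nMN
        self.stid = xor(c["TID"], h(c["hx"], self.n_mn))
        return {"STID": self.stid, "nMN": self.n_mn}

    def step5(self, m4):
        c = self.card
        vhm = h(c["hx"], c["IDMN"], m4["IDFA"], self.C, m4["nHA"], m4["nFA"])
        if m4["VFM"] != h(self.stid, vhm, m4["nHA"]):
            raise ValueError("bad VFM: HA/FA not authenticated")
        self.sk = vhm
        c["TID"] = h(vhm, c["TID"], c["IDMN"])                  # next-login identity
        return {"VMH": h(vhm, c["IDMN"], m4["nHA"]), "VMF": h(self.stid, vhm, m4["nFA"])}

def run_login(mn, fa, ha):    # drive m1..m7; return (MN's SK, FA's SK, STID on the air)
    m1 = mn.step1()
    m4 = fa.step4(ha.step3(fa.step2(m1)))
    m7 = ha.step7(fa.step6(mn.step5(m4)))
    return mn.sk, fa.step8(m7), m1["STID"]
```

Two successive logins of the same user yield matching keys on both sides and different STID and SK values, and a wrong password fails at MN's VFM check before any key is set. One caveat the page does not address: MN rotates TIDMN at step 5 while HA rotates its record only at step 7, so a lost m6 or m7 leaves the two out of step and the next login fails at HA's lookup.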

4 SECURITY AND PERFORMANCE ANALYSES

This section provides security analyses of the proposed authentication scheme and compares its performance with that of other authentication schemes.

4.1 Security analyses

This subsection shows that the proposed scheme provides the indistinguishability in the real-or-random model [17, 18].

4.1.1 Communication model

4.1.1.1 Protocol participants

The protocol participants are a mobile user MN, a foreign agent FA and MN's home agent HA. MN and FA try to establish an authentication key (session key) SK and authenticate each other via HA. A participant may be involved in numerous instances, called oracles, of distinct concurrent executions of P. The instance i of participant U is expressed as math formula.

4.1.1.2 Long-lived keys

The long-term secret key KMH = h(IDMN||x) is shared between MN and HA, and the long-term secret key KFH is shared between FA and HA.

4.1.1.3 Oracle queries

Oracle queries model the capabilities of the adversary math formula and are described as follows.

  1. Send math formula: This query models the adversary math formula that powerfully controls all communications in protocol P. math formula sends a message M to oracle math formula, then math formula computes what P tells it to and sends back the response message. math formula can initiate the execution of P by sending a query math formula to a user oracle math formula.
  2. Corrupt (U): This query models the perfect forward secrecy. That is, compromising a long-lived key does not risk previous session keys. The adversary math formula sends this query to a participant U and returns U's long-lived key.
  3. Hash (M): This query models that adversary math formula receives hash results by sending queries to a random oracle Ω. After receiving this query, if Ω successfully checks that a record (M, r) has been recorded in the H-table, then replies r to A; otherwise, replies a random r′ and records (M, r′) in the H-table.
  4. Hash_1 (M): This oracle query is similar to the previous oracle query, Hash query. However, Hash_1 query is used for generating authenticator VMF or VFM.
  5. Reveal math formula: This query models known key attacks. That is, compromising an authentication key does not reveal other authentication keys. The Reveal query is only available to adversary math formula if oracle math formula has been accepted.
  6. Test (math formula): This query measures the semantic security of the authentication key SK. It specifies the indistinguishability between the real authentication key and a random number. In protocol P, an adversary math formula can ask a single Test query, and math formula flips an unbiased coin c to return the real authentication key SK if c = 1 or a random string if c = 0. This query is available only when math formula is Fresh, which is defined in the following subsection.[17-21]

4.1.2 Security definitions

4.1.2.1 Partnering

Two user oracles math formula and math formula are partnered if

  1. oracles math formula and math formula directly exchange message flows and
  2. only oracles math formula and math formula have the same authentication key SK.

4.1.2.2 Freshness

An oracle math formula is Fresh in P if math formula (or math formula) has accepted an authentication key and has not been sent a Reveal query.

4.1.2.3 AKE security (session key security)

The adversary is allowed to ask as many Test queries as it wants. If a Test query is asked of a client instance that has not accepted, the invalid symbol ⊥ is returned. If a Test query is asked of an instance of an honest participant whose intended partner is dishonest, or of an instance of a dishonest participant, the real authentication key is returned. Otherwise, the Test query returns either the real authentication key or a random string according to an unbiased coin c. The adversary aims to correctly guess the value of the hidden bit c used by the Test oracle. Let E denote the event that the adversary wins this game. The ake-advantage of the event that an adversary violates the indistinguishability of the protocol P is math formula and is defined as math formula.

The protocol P is AKE-secure if math formula is negligible.[17-21]

4.1.2.4 Mutual authentication security

In executing protocol P, the adversary math formula violates mutual authentication (MA) if A can fake the authenticator VMF or VFM. The probability of this event is denoted by math formula. The protocol P is MA-secure if math formula is negligible [17-21].

4.1.3 Security proof

The Difference Lemma [22], used within our sequence of games (SOG), is stated as follows:

Lemma 1. (Difference Lemma) Let A, B and F be events defined in some probability distribution and suppose that A ∧ ¬F ⇔ B ∧ ¬F. Then |Pr[A] − Pr[B]| ≤ Pr[F].

4.1.3.1 AKE security

The following theorem shows that the proposed authentication scheme has AKE security if the used long-term secret keys and hash functions are secure.

Theorem 1. Let Advsk denote the advantage that an adversary breaks the long-term secret key. Then, the probability that an adversary breaks the AKE security of the proposed scheme:

display math

where qse denotes the number of Send queries; qmh and qfh denote the numbers of Hash queries involving MN and HA, and involving FA and HA, respectively; l is a security parameter; t′ = t + 12(qmh + qfh)τ; and τ is the relay time of a hash query.

Proof. The proof consists of a SOG starting at the game math formula. Each game math formula defines the probability of the event Ei that the adversary wins this game, that is, c′ = c. The first game is the real attack against the protocol, and the terminal game math formula concludes that the adversary has a negligible advantage to break the AKE security of the protocol. Assume that the challenger math formula attempts to break long-term secret keys (KFH and KMH), and the adversary math formula is constructed to break the authentication key security. The following game models that math formula tries to distinguish the real authentication key from the random string. The challenger math formula sets up the used parameters, starts simulating the protocol and answers the oracle queries made by math formula, which are relayed to the protocol. The challenger math formula returns the real authentication key or a random string to math formula by flipping an unbiased coin c ∈ {0,1}. The adversary math formula outputs its guess bit c′ and wins if c′ = c.

Game. math formula: This game corresponds to the real attack. By definition, we have

display math(1)

Game. math formula: This game simulates all oracles as in the previous game except for replacing the long-term secret keys, KMH and KFH, with two random numbers. Thus, by Lemma 1, we have

display math(2)

Game. math formula: This game simulates all oracles as in the previous game except for using two table lists, H1 and H2, to simulate Hash queries. Then, games math formula and math formula are indistinguishable except for collisions in the H1-table and H2-table in math formula. Thus, according to the birthday paradox and Lemma 1, we have

display math(3)

where math formula makes qmh Hash queries involving U and H, and qfh Hash queries involving V and H.

display math(4)

Combining (1), (2), (3) and (4), we have

display math

Then the proof is concluded.

4.1.3.2 MA security

The following theorem shows that the proposed scheme has MA security if the used long-term secret key and hash functions are secure and the proposed scheme has AKE security.

Theorem 2. Let math formula denote the advantage that an adversary breaks the AKE security of the proposed scheme. Let Advsk denote the advantage that an adversary breaks the long-term secret keys. Let math formula denote the advantage in violating the explicit mutual authentication of the proposed scheme. Then, we have

display math

where t′ ≤ t + (qse + qmh + qfh) ⋅ trelay + 2 ⋅ τ, the other parameters are defined as in Theorem 1, and trelay is the time to relay a query.

Proof. The proof also consists of a SOG starting at the game math formula. The first game is the real attack against the proposed protocol, and the terminal game math formula concludes that the adversary has a negligible advantage to break MA security of the proposed protocol. The challenger math formula attempts to break MA security for the proposed protocol and the adversary math formula is constructed to break MA security for the protocol. The adversary math formula wins this game if he successfully fakes the authenticator VMF or VFM.

Game. math formula: This game corresponds to the real attack. By definition, we have

display math(5)

Game. math formula: This game simulates all oracles as in the previous game except for replacing the long-term secret key SK with a random number. Thus, by Lemma 1, we have

display math(6)

Game. math formula: This game simulates all oracles as in the previous game except for using a table list H3 to simulate Hash_1 queries involving MN and FA. Then, games math formula and math formula are indistinguishable except for collisions in the H3-table in math formula. Thus, according to the birthday paradox and Lemma 1, we have

display math(7)

where math formula makes qmf Hash_1 queries involving MN and FA.

Game. math formula: This game simulates all oracles as in the previous game except for replacing the authentication key SK with a random number. Then, we can use math formula to build an adversary math formula against the AKE security of the protocol. First, math formula sets up the parameters, starts simulating the protocol and answers the oracle queries made by math formula as follows.

  1. When math formula makes Send or Hash queries, math formula answers what the protocol says to.
  2. When math formula makes Hash_1 queries, math formula answers corresponding authenticators to math formula by making the same queries to the oracle Hash_1.
  3. When math formula makes Test queries, math formula answers these queries using the bit c that it has previously selected and the authentication keys that it has computed.

Therefore, Pr[math formula outputs 1 when the authenticator is obtained from the real authentication key] = Pr[math formula correctly guesses the hidden bit c in game math formula]. Similarly, Pr[math formula outputs 1 when the authenticator is obtained from a random string] = Pr[math formula correctly guesses the hidden bit c in game math formula]. Thus, by Lemma 1, we have

display math(8)

Because no information on the authenticator is leaked to the adversary, we have

display math(9)

Combining (5), (6), (7), (8) and (9), we have

display math

Then the proof is concluded.

4.1.3.3 Anonymity

Theorem. The proposed authentication scheme has users' anonymity.

Proof. In the proposed authentication scheme, TIDMN is equal to h(R) or to h(SKold||TIDMN _ old||IDMN), where SKold is the session key used and TIDMN _ old is the temporary identity used in the previous login. The temporary identity TIDMN cannot be derived from the message STID without knowledge of R and h(h(x)||nMN), where STID = TIDMN ⊕ h(h(x)||nMN). Although another malicious legal mobile user is able to derive TIDMN, because he or she has STID and h(h(x)||nMN), the malicious user still cannot derive IDMN from TIDMN because h(.) is a collision-free one-way hash function.

4.1.3.4 Unlinkability

Theorem. The proposed authentication scheme has data unlinkability.

Proof. In the proposed authentication scheme, after MN's first login, the temporary identity is updated as TIDMN = h(SK||TIDMN||IDMN) and thus changes. The information {STID, nMN} in m1 and {VMH, VMF} in m5 generated in different runs is independent, because IDMN is hard to derive, and the nonce nMN and the temporary identity TIDMN are independent across protocol executions, where STID = TIDMN ⊕ h(h(x)||nMN), math formula, VMF = h(STID||SK||nFA) and SK = h(h(x)||IDMN||IDFA||C||nHA||nFA). The proposed scheme ensures that the mobile user may make multiple uses of roaming services without others being able to link these uses together, and thus exhibits the property of unlinkability.

4.1.3.5 Untrackability

Theorem. The proposed authentication scheme has users' untrackability.

Proof. Let p be the proposition that a scheme provides unlinkability and q the proposition that a scheme provides untrackability. If a scheme cannot provide untrackability (¬q), the user's identity must be revealed, and the user's communication data is then linkable, so the scheme cannot provide unlinkability (¬p); that is, ¬q → ¬p. By logical equivalence, p → q ≡ ¬q → ¬p. Hence, because the proposed scheme exhibits the property of unlinkability, it also exhibits the property of untrackability.

4.1.3.6 Resisting side channel attacks

Theorem. The proposed authentication scheme resists side channel attacks.

Proof. Although an adversary can extract h(x) from other smart cards and derive TIDMN from STID = TIDMN ⊕ h(h(x)||nMN), IDMN cannot be derived from TIDMN = h(SKold||TIDMN _ old||IDMN), where SKold is the used session key and TIDMN _ old is the used temporary identity in the previous login. Then he or she cannot have the new identity TIDMN(=h(VHM||TIDMN||IDMN)) without IDMN. Additionally, the adversary cannot compute SK = h(h(x)||IDMN||IDFA||C||nHA||nFA) without IDMN and C(=nMN ⊕ h(IDMN||x)). Therefore, the proposed scheme can resist side channel attacks.

4.1.3.7 Resisting lost smart card attacks

Theorem. The proposed authentication scheme resists lost smart card attacks.

Proof. If an adversary steals a smart card and obtains its contents {IDMN, TIDMN, IDHA, R, h(x), h(.)}, where TIDMN = h(VHM||TIDMN||IDMN) is the next login identity, then he or she cannot derive any useful information about the password, because PWMN in R (= h(IDMN||x) ⊕ h(PWMN)) is protected by HA's long-term secret key x. Thus, the adversary does not have enough information to verify a password guess. Besides, if the adversary tries to guess a password to log into the system, then he or she cannot correctly compute C (= (R ⊕ h(PWMN)) ⊕ nMN) and math formula (= h(h(x)||IDMN||C||nHA||nFA)), and cannot correctly send out math formula and math formula; the failed attempt will be detected by HA because the adversary does not have the correct password. However, if the adversary has the contents {IDMN, TIDMN, IDHA, R, h(x), h(.)} and a large number of previously used messages, then he or she may successfully perform an off-line password guessing attack, because the adversary then knows all secrets except the user's password.

4.1.3.8 Resisting stolen verifier attacks

Theorem. The proposed authentication scheme resists stolen verifier attacks.

Proof. Suppose an adversary steals a copy of the user's verifier {h(TIDMN), IDMN} from HA's database. Because the adversary does not have TIDMN to compute STID = TIDMN ⊕ h(h(x)||nMN), he or she cannot correctly send out the login request message m1 = {Login request, STID, nMN, IDHA}. Therefore, the proposed scheme can resist stolen verifier attacks.

For forgery attacks, the analyses of the proposed scheme are similar to those of the scheme of Chang et al. [15]. Thus, these analyses are not presented here.

4.2 Performance analyses

Table 2 lists performance comparisons of other authentication schemes and the proposed scheme, in which the operation of the one-way hash function is denoted as Hash, the exclusive-OR operation as Xor, symmetric encryption/decryption as Sym and asymmetric encryption/decryption as Asym [15]. Both the authentication scheme of Chang et al. [15] and the proposed scheme use only exclusive-OR and hash operations and thus require less computation than related authentication schemes that use symmetric or asymmetric encryption/decryption. Besides, the proposed scheme requires seven communication rounds, fewer than the scheme of Chang et al. Because the proposed scheme employs nonces to authenticate the other participants and to guarantee freshness, it must perform a challenge and response. Therefore, MN requires at least four steps (MN → FA → HA → FA → MN) to explicitly authenticate HA. Similarly, HA requires at least four steps (HA → FA → MN → FA → HA) to explicitly authenticate MN. If these two authentication processes are combined, the proposed scheme requires at least six steps (MN → FA → HA → FA → MN → FA → HA). However, in the final step, HA must notify FA that MN is a legal user. Thus, at least seven steps are required.

Table 2. Performance comparisons.

Scheme  | Lee et al. [14]               | Chang et al. [15] | Lee-Hwang [21] | Proposed scheme
MN      | 4Hash + 3Xor + 2Sym           | 7Hash + 5Xor      | 3Sym           | 7Hash + 2Xor
FA      | 4Hash + 1Xor + 2Sym + 2Asym   | 5Hash + 2Xor      | 3Sym           | 5Hash + 1Xor
HA      | 5Hash + 3Xor + 1Sym + 2Asym   | 8Hash + 3Xor      | 4Sym           | 9Hash + 3Xor
Total   | 13Hash + 7Xor + 5Sym + 4Asym  | 20Hash + 10Xor    | 10Sym          | 21Hash + 6Xor
Rounds  | 4                             | 8                 | 5              | 7

Table 3 lists functionality comparisons between the proposed scheme and other schemes. The proposed scheme realizes user anonymity and has a lower energy consumption while providing the properties of unlinkability and untrackability. Although the proposed scheme requires more rounds in communication, it has less computation and provides higher security.

Table 3. Functionality comparisons.

Property                    | Lee et al. [14] | Chang et al. [15] | Lee-Hwang [21] | Proposed scheme
Energy consumption          | High            | Low               | High           | Low
Mutual authentication       | Yes             | Yes               | Yes            | Yes
Forgery attacks resistance  | No              | No                | Yes            | Yes
User anonymity              | No              | No                | No             | Yes
Unlinkability               | No              | No                | No             | Yes
Untrackability              | No              | No                | No             | Yes

The proposed authentication scheme uses the temporary identity TIDMN as the index for searching the database. In fact, the real identity IDMN can be regarded as a secret key. In the proposed scheme, HA derives TIDMN by computing TIDMN = STID ⊕ h(h(x)||nMN) in constant time (O(1)) and can use more efficient search methods (such as binary search) on its database to reduce HA's overhead.

5 CONCLUSIONS

This work develops a secure and efficient authentication scheme based on the scheme of Chang et al. [15]. In the proposed scheme, a changeable temporary identity is used to protect the identity of a legal mobile user from being derived by malicious mobile users. Mobile users may make multiple uses of roaming services, and others are unable to link these uses together. Thus, the proposed scheme resolves the weaknesses in other schemes, has a lower computation cost and provides enhanced security.

ACKNOWLEDGMENTS

Ted Knoy is appreciated for his editorial assistance. This effort was supported by National Science Council under the grants NSC100-2221-E-320-003.
