An anonymous authentication scheme for roaming services in global mobility networks allows a mobile user visiting a foreign network to achieve mutual authentication and session key establishment with the foreign-network operator in an anonymous manner. In this work, we revisit He et al.’s anonymous authentication scheme for roaming services and present previously unpublished security weaknesses in the scheme: (1) it fails to provide user anonymity against any third party as well as the foreign agent, (2) it cannot protect the passwords of mobile users due to its vulnerability to an offline dictionary attack, and (3) it does not achieve session-key security against a man-in-the-middle attack. We also show how the security weaknesses of He et al.’s scheme can be addressed without degrading the efficiency of the scheme.
1. Introduction
As wireless network and communication technologies advance, there has been a dramatic increase in the use of lightweight computing devices, such as sensors, smart phones, and tablet PCs, being used in our daily lives. To enjoy the convenience of mobility, a roaming service should be seamlessly provided with respect to availability and security, by means of using a visited foreign network. In general, three parties—a mobile user, a foreign agent, and the home agent—participate in a roaming process. A seamless roaming service requires significant security challenges to be addressed among the participants. Basically, authentication and key establishment between the mobile user and the foreign agent should be achieved via assistance of the home agent to prevent illegal usages of the network and to protect their subsequent communications. Achieving anonymity of the mobile user is also important in a roaming service to protect the privacy of the user. Anonymity has recently been identified as a major security property for many applications, including location-based services, anonymous web browsing, and e-voting. These security challenges and their cryptographic solutions, commonly called anonymous authentication schemes, constitute an active research area.
The first anonymous authentication scheme for roaming services was proposed by Zhu and Ma [1] in 2004. This initial proposal has been followed by a number of authentication schemes offering various levels of security and efficiency. Some schemes [2–4] have been proven secure using a computer security approach while others (e.g., [5–7]) justify their security on purely heuristic grounds without providing no formal analysis of security. However, despite all the work conducted over the last decade, it still remains a challenging task to come up with an authentication scheme that meets all the desired goals for roaming services [8]. Most of the existing schemes fail to achieve important security properties such as user anonymity [2, 6], session-key security [9], perfect forward secrecy [10], two-factor security [11], resistance against impersonation attacks [12], and resistance against offline dictionary attacks [13]. For this domain, all published schemes are far from ideal as evidenced by a continual history of schemes being proposed and years later found to be flawed.
Recently, Xie et al. [4] proposed a new authentication scheme for roaming services and claimed that their scheme not only provides efficiency and user friendliness but also is secure against various attacks. But He et al. [12] demonstrated that Xie et al.’s scheme is susceptible to impersonation attacks and therefore does not achieve mutual authentication between a mobile user and the foreign agent. In addition, He et al. proposed a new authentication scheme which improves Xie et al.’s scheme in terms of both security and efficiency. However, we found that He et al.’s improved scheme is not satisfactory enough but still suffers from major security weaknesses.
He et al.’s scheme does not provide user anonymity not only against the foreign agent but also against any third party.
He et al.’s scheme may not protect the passwords of mobile users against an offline dictionary attack.
He et al.’s scheme is not secure against a man-in-the-middle attack and thus cannot guarantee the security of session keys.
Besides reporting these weaknesses in He et al.’s scheme, we also propose an improved authentication scheme which achieves, among others, user anonymity, session-key security, and resistance against offline dictionary attacks. The performance of our scheme is similar to that of He et al.’s scheme but is superior to that of Xie et al.’s scheme (see Section 4).
Throughout the paper, we make the following assumptions on the capabilities of the probabilistic polynomial-time adversary in order to properly capture security requirements of two-factor authentication schemes using smart cards in global mobility networks.
The adversary has the complete control of all message exchanges between the three parties: a mobile user, the foreign agent, and the home agent. That is, the adversary can eavesdrop, insert, modify, intercept, and delete messages exchanged among the parties at will [14–16].
The adversary is able to (1) extract the sensitive information on the smart card of a mobile user possibly via a power analysis attack [17, 18] or (2) learn the password of the mobile user through shoulder surfing or by employing a malicious card reader. However, it is not allowed that the adversary compromises both the information on the smart card and the password of the mobile user; it is clear that there is no way to prevent the adversary from impersonating the mobile user if both factors are compromised.
2. A Review of He et al.’s Scheme
He et al.’s authentication scheme [12] consists of three phases: the registration phase, the login and key agreement phase, and the password update phase. The system parameters listed in Table 1 are assumed to have been established in advance before the scheme is used in practice. Let ∥ and ⊕ denote the string concatenation operation and the bitwise exclusive-OR (XOR) operation, respectively.
System parameters.
IDHA,IDFA
The identities of HA and FA, respectively
p,q
Two large primes such that p=rq+1 for some r∈N
x
The master secret key of HA
kHF
A (cryptographically strong) key shared between HA and FA
(E,D)
A pair of symmetric encryption and decryption algorithms
H(·)
A cryptographic hash function
2.1. Registration Phase
For a mobile user MU, this phase is performed only once when MU registers itself with the home agent HA.
MU chooses its identity IDMU and password pwMU freely and sends the identity IDMU to HA via a secure channel.
HA computes SIDMU=Ex(IDMU∥IDHA) and DIDMU=H(IDMU)xmodp and issues MU a smart card loaded with {SIDMU, DIDMU, IDHA, p, q, (E,D), H}.
MU replaces SIDMU and DIDMU, which are contained in the smart card, with TIDMU=SIDMU⊕H(0∥pwMU) and EIDMU=DIDMU⊕H(1∥pwMU), respectively.
2.2. Login and Key Agreement Phase
This phase is carried out whenever MU visits a foreign network and wants to gain access to the network. During the phase, mutual authentication and session-key establishment are conducted between MU and FA with the help of HA. Algorithm 1 depicts how the phase works, and its description follows.
Algorithm 1: Login and key agreement phase of He et al.’s scheme [12].
MUFAHA
inputs IDMU and pwMU
retrieves the timestamp T1
a∈RZq*,A=H(IDMU)a
KMH=(EIDMU⊕H(1∥pwMU))a
=H(IDMU)ax
kMH=H(KMH∥T1)
SIDMU=TIDMU⊕H(0∥pwMU)
CMH=EkMH(SIDMU∥IDMU∥IDFA)
→M1=〈IDHA,T1,A,CMH〉
checks the freshness of T1
retrieves the timestamp T2
CFH=EkHF(IDFA∥T2∥M1)
→M2=〈IDFA,T2,CFH〉
checks the freshness of T2
Does DkHF(CFH) yield IDFA and T2?
KMH=Ax,kMH=H(KMH∥T1)
Does DkMH(CMH) yield IDFA?
Does Dx(SIDMU) yield IDMU?
retrieves the timestamp T3
σ=H(M1∥T3∥KMH∥IDMU∥IDFA∥IDHA)
CHF=EkHF(IDMU∥IDFA∥T3∥σ)
←M3=〈IDFA,T3,CHF〉
IDMU∥IDFA∥T3∥σ=DkHF(CHF)
checks the freshness of T3
b∈Zq*,B=H(IDMU)b
KFM=Ab,kFM=H(KFM)
CFM=EkFM(IDMU∥IDFA∥T3∥σ∥B)
sk=H(KFM+1)
←M4=〈IDFA,T3,B,CFM〉
checks the freshness of T3
KFM=Ba,kFM=H(KFM)
Does DkFM(CFM) yield IDMU, IDFA and T3?
σ=?H(M1∥T3∥KMH∥IDMU∥IDFA∥IDHA)
sk=H(KFM+1)
Step 1.
MU inserts its smart card into the card reader and inputs its identity IDMU and password pwMU. Next, MU retrieves the current timestamp T1, chooses a random number a∈Zq*, and computes
(1)A=H(IDMU)amodp,KMH=(EIDMU⊕H(1∥pwMU))amodp=H(IDMU)axmodp,kMH=H(KMH∥T1),SIDMU=TIDMU⊕H(0∥pwMU)=Ex(IDMU∥IDHA),CMH=EkMH(SIDMU∥IDMU∥IDFA).
Then, MU sends the message M1=〈IDHA,T1,A,CMH〉 to the foreign agent FA.
Step 2.
Upon receiving M1, FA checks the freshness of the timestamp T1. If it is not fresh, FA aborts the session. Otherwise, FA retrieves the current timestamp T2, computes
(2)CFH=EkHF(IDFA∥T2∥M1)
and sends the message M2=〈IDFA,T2,CFH〉 to HA.
Step 3.
HA checks if the timestamp T2 is fresh. If not, HA aborts the session. Otherwise, HA decrypts CFH with key kHF and verifies that the decryption yields the same IDFA and T2 as contained in M2. HA aborts if the verification fails. Otherwise, HA computes KMH=Axmodp and kMH=H(KMH∥T1), decrypts CMH with key kMH, and checks if this decryption produces the same IDFA as in M2. HA aborts if the check fails. Otherwise, HA decrypts SIDMU with key x and checks if this decryption gives the same IDMU as produced through the decryption of CMH. If only the two IDs match, HA retrieves the current timestamp T3, computes
(3)σ=H(M1∥T3∥KMH∥IDMU∥IDFA∥IDHA),CHF=EkHF(IDMU∥IDFA∥T3∥σ),
and sends the message M3=〈IDFA,T3,CHF〉 to FA.
Step 4.
FA decrypts CHF with key kHF and checks the freshness of the timestamp T3. If only T3 is fresh, FA chooses a random number b∈Zq* and computes
(4)B=H(IDMU)bmodp,KFM=Abmodp=H(IDMU)abmodp,kFM=H(KFM),CFM=EkFM(IDMU∥IDFA∥T3∥σ∥B).
(Note, here, that the timestamp T3 (received from HA) is used in generating the ciphertext CFM since MU will need it to check the validity of σ.) Then, FA sends the message M4=〈IDFA,T3,B,CFM〉 to MU and computes the session key sk=H(KFM+1).
Step 5.
MU first checks the freshness of the timestamp T3 and aborts the session if not fresh. Otherwise, MU computes KFM=Bamodp and kFM=H(KFM), decrypts CFM with key kFM, and verifies that the decryption correctly returns IDMU, IDFA, and T3. If the verification succeeds, MU checks if σ is equal to H(M1∥T3∥KMH∥IDMU∥IDFA∥IDHA) and if equal computes the session key sk=H(KFM+1).
2.3. Password Update Phase
One of the general guidelines to get better password security is to ensure that passwords are changed at regular intervals. He et al.’s scheme allows mobile users to freely update their passwords.
MU inserts his smart card into a card reader and enters both the current password pwMU and the new password pwMU′.
The smart card computes TIDMU′=TIDMU⊕H(0∥pwMU)⊕H(0∥pwMU′) and EIDMU′=EIDMU⊕H(1∥pwMU)⊕H(1∥pwMU′) and replaces TIDMU and EIDMU with TIDMU′ and EIDMU′, respectively.
3. Weaknesses in He et al.’s Scheme
In this section, we point out four weaknesses in He et al.’s scheme, starting with the most obvious one.
Weakness 1. He et al.’s scheme does not provide user anonymity against the foreign agent FA.
This weakness is straightforward to see as the identity of MU, IDMU, is given to FA via the ciphertext CHF (see Step 4 of the login and key agreement phase of the scheme).
Weakness 2. He et al.’s scheme may not protect the password of MU, pwMU, against an offline dictionary attack.
Weakness 2 is due to the fact that EIDMU is computed using the bitwise XOR operation when the multiplicative subgroup of Zp* is not closed under the XOR operation. This design flaw allows an adversary to find out the password pwMU by mounting an offline dictionary attack if the subgroup is much smaller than Zp*. We observe, for He et al.’s scheme, that (1)p and q are defined as two primes such that p=rq+1 for some r∈N and (2) the random exponents a and b are chosen from Zq*. Based on these observations, it is reasonable to speculate that He et al.’s scheme was designed to work in a multiplicative subgroup of Zp* that has a prime order q, though not explicitly mentioned by the authors. For simplicity, let us denote the prime-order subgroup by G. Since KMH and DIDMU are computed as KMH=(DIDMU)amodp and DIDMU=H(IDMU)xmodp, it ought to be the case that DIDMU∈G, which in turn implies that H is a hash function mapping arbitrary strings into elements of G. Now, assume that an adversary A has gained temporary access to the smart card of MU and then obtained the value of EIDMU stored there (possibly by employing a power analysis attack [17]). Then, note that EIDMU can be used as a password verifier in an offline dictionary attack because EIDMU is computed as EIDMU=DIDMU⊕H(1∥pwMU) when G is not closed under the bitwise XOR operation. Let PW be the set of all possible passwords. The adversary A can mount an offline dictionary attack as follows.
Step 1.
A makes a guess pwMU′∈PW on the password pwMU and computes
(5)DIDMU′=EIDMU⊕H(1∥pwMU′).
Step 2.
A then checks whether DIDMU′ is an element of G or not. If DIDMU′∉G, A deletes pwMU′ from the dictionary PW (i.e., PW=PW∖{pwMU′}). Note that DIDMU′∉G implies pwMU′≠pwMU.
Step 3.
A repeats Steps 1 and 2 until the correct password is found (i.e., until |PW|=1).
If p is a safe prime (i.e., p=2q+1), then this attack would fail, cutting only the size of PW about in half. However, if p is much greater than q (e.g., log2p⋍512 and log2q⋍256), the dictionary attack will succeed in determining the correct password with an overwhelming probability. Similar dictionary attacks have been also mounted against key exchange protocols; see, for example, [19]. Weakness 2 can be easily addressed by replacing the bitwise XOR operation with the multiplication operation.
Next, we identify two other major weaknesses in He et al.’s scheme.
Weakness 3. He et al.’s scheme may not guarantee user anonymity even against a third party who is not a legitimate protocol participant.
Weakness 4. He et al.’s scheme could wrongly lead MU and FA to establish a session key with a malicious party who is not even registered with HA.
We demonstrate Weaknesses 3 and 4 by mounting a type of man-in-the-middle attack against the scheme. The attack scenario is outlined in Figure 1 and is detailed as follows.
A man-in-the-middle attack on He et al.’s scheme.
Step 1.
As a preliminary step, the adversary A chooses a random number a′∈Zq* and computes A′=H(ID)a′modp, where ID denotes an arbitrary identity.
Step 2.
When MU sends the first message M1=〈IDHA,T1,A,CMH〉 to FA, A eavesdrops on this message to obtain A and CMH. Immediately after the eavesdropping, A retrieves the current timestamp T1′ and sends a fake message M1′=〈IDHA,T1′,A′,CMH〉 to FA as if it is another roaming request from a mobile user.
Step 3.
Since both T1 and T1′ are fresh, FA will compute CFH=EkHF(IDFA∥T2∥M1) and CFH′=EkHF(IDFA∥T2′∥M1′) and send two messages M2=〈IDFA,T2,CFH〉 and M2′=〈IDFA,T2′,CFH′〉 to HA. Let ΠFA and ΠFA′ be the instances of FA who sends the messages M2 and M2′, respectively.
Step 4.
A intercepts the message M2′ while letting M2 reach its destination, HA. Since M2 is a valid message, HA will compute
(6)σ=H(M1∥T3∥KMH∥IDMU∥IDFA∥IDHA),CHF=EkHF(IDMU∥IDFA∥T3∥σ),
and send the message M3=〈IDFA,T3,CHF〉 to FA.
Step 5.
A redirects the message M3 so that it is delivered to ΠFA′ instead of ΠFA. As a result, ΠFA will not receive any response message and thus will abort after a certain amount of time.
Step 6.
After decrypting CHF and since T3 is fresh, ΠFA′ will proceed as per the protocol specification. That is, ΠFA′ will choose a random number b′∈Zq*, compute
(7)B′=H(IDMU)b′modp,KFM′=A′b′modp=H(ID)a′b′modp,kFM′=H(KFM′),CFM′=EkFM′(IDMU∥IDFA∥T3∥σ∥B′),
send the message M4′=〈IDFA,T3,B′,CFM′〉 to MU, and then compute its session key as
(8)skFA=H(KFM′+1).
Step 7.
A intercepts the message M4′, computes KFM′=B′a′modp and kFM′=H(KFM′), and decrypts CFM′ with key kFM′ to obtain IDMU, IDFA, and σ. Then, A chooses a random number b′′∈Zq*, computes
(9)B′′=H(IDMU)b′′modp,KFM′′=Ab′′modp=H(IDMU)ab′′modp,kFM′′=H(KFM′′),CFM′′=EkFM′′(IDMU∥IDFA∥T3∥σ∥B′′),
and sends the message M4′′=〈IDFA,T3,B′′,CFM′′〉 to MU as if it is from FA.
Step 8.
Upon receiving M4′′, MU will proceed to compute its session key
(10)skMU=H(KFM′′+1),
where KFM′′ is computed as KFM′′=B′′amodp, because (1) T3 is fresh, (2) decryption of CFM′′ with key kFM′′ correctly yields IDMU, IDFA, and T3, and (3) σ is equal to H(M1∥T3∥KMH∥IDMU∥IDFA∥IDHA).
Step 9.
A computes the two session keys, skFA and skMU, in the straightforward way.
Through the attack, user anonymity is completely compromised as the identity of MU, IDMU, is disclosed to the adversary A in Step 7. From the viewpoint of session-key secrecy, the effect of our attack is the same as that of a man-in-the-middle attack. At the end of the attack, MU and FA believe that they have established a secure session with each other sharing a secret key, while in fact they have shared their keys with the adversary A. As a result, A can not only access and relay any confidential messages between MU and FA but also send arbitrary messages for its own benefit impersonating one of them to the other. Man-in-the-middle attacks similar to the attack above have been also presented against various key exchange protocols; see, for example, [20, 21].
4. Our Improved Scheme
We now show how to address all the weaknesses identified in He et al.’s scheme without degrading the efficiency of the scheme. Let G be a cyclic group of prime order q. A standard way of generating G is to choose two large primes p,q such that p=rq+1 for some small r∈N (e.g., r=2) and let G be the subgroup of order q in Zp*. Hereafter, we will omit “mod p” from expressions for notational simplicity. Assume that the master secret key of HA, x, is an element of Zq* (i.e., x∈Zq*) and the secret key shared between FA and HA, kHF, has length of l bits. Then we define four cryptographic hash functions:
F:{0,1}*→{0,1}l,
G:{0,1}*→G,
H:{0,1}*→{0,1}κ, where κ represents the bit-length of session keys,
I:{0,1}*→{0,1}ɛ, where ɛ represents the bit-length of SIDMU (for the definition of SIDMU, see the description of He et al.’s scheme given in Section 2).
We begin by presenting how to address Weaknesses 3 and 4 (described in the previous section). The vulnerability of He et al.’s scheme to the man-in-the-middle attack is because there is no way for an instance of FA to check whether the received ciphertext CHF was sent in response to its own request or another instance’s request. This design flaw allows the adversary to exploit HA’s response sent for one session as the response for another session. To prevent the attack, we suggest to modify the computation of the ciphertext CHF from CHF=EkHF(IDMU∥IDFA∥T3∥σ) to
(11)CHF=EkHF(IDMU∥IDFA∥T2∥T3∥σ).
The timestamp T2 is now included as part of the plaintext to be encrypted to CHF. The inclusion of T2 tightly links FA’s request and HA’s response and thus effectively prevents the man-in-the-middle attack.
However, with the above modification alone, He et al.’s scheme cannot fully achieve user anonymity in the sense that the identity of MU is still disclosed to FA. Therefore, we suggest to further modify the computation of CHF as follows:
(12)CHF=EkHF(G(IDMU)∥IDFA∥T2∥T3∥σ).
The ciphertext CHF is now generated using G(IDMU) instead of IDMU. This modification certainly prevents FA from immediately learning IDMU via decryption of CHF.
We next present a possible way of eliminating the vulnerability of He et al.’s scheme to offline dictionary attacks. Recall that this vulnerability is due to the fact that EIDMU is computed using the bitwise XOR operation when the multiplicative subgroup of Zp* is not closed under the XOR operation. Given the flaw in the design, the solution is clear; use the multiplication operation instead of the XOR operation when computing EIDMU. Hence, we change the computation of EIDMU from EIDMU=DIDMU⊕H(1∥pwMU) to
(13)EIDMU=DIDMU·G(1∥pwMU)-1.
Accordingly, the computation of KMH should be also changed to
(14)KMH=(EIDMU·G(1∥pwMU))a=G(IDMU)ax.
Finally, we suggest the following additional changes to resolve some notational ambiguities and to correct the misuse of the hash function H:
(15)SIDMU=EF(x)(IDMU∥IDHA),DIDMU=G(IDMU)x,TIDMU=SIDMU⊕I(0∥pwMU)A=G(IDMU)a,kMH=F(KMH∥T1),SIDMU=TIDMU⊕I(0∥pwMU),B=G(IDMU)b,kFM=F(KFM).
As a result of the above modifications, the password update phase is modified as follows.
MU inserts his smart card into a card reader and enters the identity IDMU, the current password pwMU, and the new password pwMU′.
The smart card computes TIDMU′=TIDMU⊕I(0∥pwMU)⊕I(0∥pwMU′) and EIDMU′=EIDMU·G(1∥pwMU)·G(1∥pwMU′)-1 and replaces TIDMU and EIDMU with TIDMU′ and EIDMU′, respectively.
Combining the above modifications together yields an improved authentication scheme described in Algorithm 2. Our scheme improves He et al.’s scheme in various aspects: (1) it enjoys the anonymity of the mobile user MU against any parties other than the home agent HA, including the foreign agent FA; (2) it withstands offline dictionary attacks even when the information in the smart card is disclosed; (3) it protects the security of session keys against man-in-the-middle attacks. Clearly, the performance of our scheme is similar to that of He et al.’s scheme. Hence, we can say that our improvement enhances the security of He et al.’s scheme while maintaining the efficiency of the scheme.
Algorithm 2: The login and key agreement phase of our improved scheme.
MUFAHA
inputs IDMU and pwMU
retrieves the timestamp T1
a∈RZq*,A=G(IDMU)a
KMH=(EIDMU·G(1∥pwMU))a
=G(IDMU)ax
kMH=F(KMH∥T1)
SIDMU=TIDMU⊕I(0∥pwMU)
CMH=EkMH(SIDMU∥IDMU∥IDFA)
→M1=〈IDHA,T1,A,CMH〉
checks the freshness of T1
retrieves the timestamp T2
CFH=EkHF(IDFA∥T2∥M1)
→M2=〈IDFA,T2,CFH〉
checks the freshness of T2
Does DkHF(CFH) yield IDFA and T2?
KMH=Ax,kMH=F(KMH∥T1)
Does DkMH(CMH) yield IDFA?
Does Dx(SIDMU) yield IDMU?
retrieves the timestamp T3
σ=H(M1∥T3∥KMH∥IDMU∥IDFA∥IDHA)
CHF=EkHF(G(IDMU)∥IDFA∥T2∥T3∥σ)
←M3=〈IDFA,T3,CHF〉
checks the freshness of T3
Does DkMH(CHF) yield T2 & T3?
b∈Zq*,B=G(IDMU)b
KFM=Ab,kFM=F(KFM)
CFM=EkFM(IDMU∥IDFA∥T3∥σ∥B)
sk=H(KFM+1)
←M4=〈IDFA,T3,B,CFM〉
checks the freshness of T3
KFM=Ba,kFM=F(KFM)
Does DkFM(CFM) yield IDMU, IDFA and T3?
σ=?H(M1∥T3∥KMH∥IDMU∥IDFA∥IDHA)
sk=H(KFM+1)
5. Concluding Remarks
This work demonstrated that He et al.’s authentication scheme for roaming services fails to achieve major security properties—user anonymity, password security, and session-key security—in the presence of a malicious adversary. We have shown that failure to achieving user anonymity and session-key security is due to the vulnerability to a man-in-the-middle attack while failure to achieving password security is due to the vulnerability to an offline dictionary attack. Note that the latter vulnerability implies that He et al.’s scheme does not achieve two-factor security. We hope that similar security flaws as identified in this work can be prevented in the future design of anonymous authentication schemes.
This work also showed how the security of He et al.’s authentication scheme can be improved without efficiency degradation. Our improved scheme not only protects user anonymity against any third parties other than the home agent but also is secure against offline dictionary attacks as well as man-in-the-middle attacks. We leave it as a future work to design an anonymous authentication scheme for roaming services that achieves provable security in a well-defined communication model while providing the same (or even better) level of efficiency as the schemes studied in this paper.
Conflict of Interests
The authors declare no conflict of interests.
Acknowledgment
This work was supported by Howon University in 2014.
ZhuJ.MaJ.A new authentication scheme with anonymity for wireless environments2004501230234ChangC.LeeC.ChiuY.Enhanced authentication scheme with anonymity for roaming service in global mobility networks200932461161810.1016/j.comcom.2008.11.0322-s2.0-59649101587HeD.ChanS.ChenC.BuJ.Design and validation of an efficient authentication scheme with anonymity for roaming service in global mobility networks2011612465476XieQ.HuB.TanX.BaoM.YuX.Robust anonymous two-factor authentication scheme for roaming service in global mobility network2014742601614LeeC.HwangM.LiaoI.Security enhancement on a new authentication scheme with anonymity for wireless environments200653516831687WuC.LeeW.TsaurW.A secure authentication scheme with anonymity for wireless communications20081210722723SonK.HanD.WonD.A privacy-protecting authentication scheme for roaming services with smart cards201295518191821MadhusudhanR.MittalR.Dynamic id-based remote user password authentication schemes using smart cards: a review201235412351248YounT.ParkY.LiM.Weaknesses in an anon ymous authentication scheme for roaming service in global mobility networks20091371118112310.1109/LCOMM.2009.090488MessergesT. S.DabbishE. A.SloanR.Examining smart-card security under the threat of power analysis attacks200251554155210.1109/TC.2002.1004593MR1901004JiangQ.MaJ.LiG.YangL.An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks20136841477149110.1007/s11277-012-0535-4HeD.KumarN.KhanM. K.LeeJ.Anonymous two-factor authentication for consumer roaming service in global mobility networks2013594811817JeonW.KimJ.NamJ.LeeY.WonD.An enhanced secure authentication scheme with anonymity for wireless environments201295725052508BellareM.RogawayP.Entity authentication and key distribution1994773Berlin, GermanySpringer232249Lecture Notes in Computer Science10.1007/3-540-48329-2_21MR1288970NamJ.ChooK. K. R.KimJ.KangH.PaikJ.WonD.Password-only authenticated three-party key exchange with provable security in the standard model201420141182507210.1155/2014/825072NamJ.ChooK.-K. R.KimJ.Password-only authenticated three-party key exchange with provable security in the standard model201420141180235910.1155/2014/825072KocherP.JaffeJ.JunB.Differential power analysis19991666Springer388397Lecture Notes in Computer ScienceMunH.HanK.LeeY.YeunC.ChoiH. H.Enhanced secure anonymous authentication scheme for roaming service in global mobility networks2012551-221422210.1016/j.mcm.2011.04.036MR2865109NamJ.ChooK. K. R.KimM.PaikJ.WonD.Dictionary attacks against password-based authenticated three-party key exchange protocols201371232443260NamJ.PaikJ.WonD.A security weakness in Abdalla et al.'s generic construction of a group key exchange protocol2011181123423810.1016/j.ins.2010.09.011MR2737472NamJ.ChooK. K. R.ParkM.PaikJ.WonD.On the security of a simple three-party key exchange protocol without server's public keys201420147479534