

Computer Standards & Interfaces 34 (2012) 314–326

Contents lists available at SciVerse ScienceDirect

Computer Standards & Interfaces

journal homepage: www.elsevier.com/locate/csi

Preventing delegation-based mobile authentications from man-in-the-middle attacks

Jian-Zhu Lu ⁎, Jipeng Zhou

Department of Computer Science, Jinan University, Guangzhou 510630, China

⁎ Corresponding author. Tel: +86 13678938179; fax: +86 20 85220227. E-mail addresses: [email protected] (J.-Z. Lu), tjpzhou@jnu.edu.cn (J. Zhou).

0920-5489/$ – see front matter © 2011 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2011.10.014

Abstract

Article info

Article history:
Received 11 January 2011
Received in revised form 17 July 2011
Accepted 22 October 2011
Available online 3 November 2011

Keywords:
Security
Mobile communication
Mutual authentication
Elliptic curve cryptosystem

In this paper, an approach of mutual authentication and key exchange for mobile access, based on trust delegation and message authentication codes, is developed, and a novel nonce-based authentication approach is presented. The proposed protocols can effectively defend against all known attacks on mobile networks, including denial-of-service attacks and man-in-the-middle attacks. In particular, in contrast to some previous work, our design gives users a chance to set a session key according to their will, and does not require a mobile user to compute useless hash key chains in the face of HLR-online authentication failures or to run the initial authentication protocol before HLR-offline authentication. Moreover, our design enjoys both computation efficiency and communication efficiency as compared to known mobile authentication schemes.

© 2011 Elsevier B.V. All rights reserved.

1. Introduction

The explosive growth of wide-area cellular systems and local-area wireless networks and the emergence of home area radio networks are just the beginning of “the wireless revolution”. A host is mobile if it is allowed to move freely around a local or wide area network. This allows users to access electronic data and services anywhere and anytime. Owing to the features of fast mobility and high portability, mobile access has played an extremely important role in personal communication activities.

A central problem in mobile access is that of enabling parties to communicate secretly and reliably in the presence of an adversary. This is often achieved by having the parties run an authentication protocol for generating a mutual and secret session key. Then, this session key can be used for secure communication using known techniques (e.g., applying encryption and message authentication codes to all communication).

A mobile communication system consists of three basic parts: mobile stations (MSs), visited location registers (VLRs), and home location registers (HLRs). An MS communicates with a VLR via a radio link and each VLR is connected to an HLR through the wireline link. Assume that the wireline communication links are secure. Therefore, we shall concentrate only on the security of the radio links. Each MS is registered to its HLR. The VLR and the HLR have a roaming agreement and share a secret key. Before being allowed to access a visited VLR, an MS out of its HLR needs to be authenticated. If the authentication is successful, a session key is set up to encrypt further communications in the session between them. In general, there is no trusted authentication server available to the MS out of its HLR. Security services such as the authentication of MSs are challenging in mobile communication systems.

Needham et al. [1] and Molva et al. [2] provided a solution to the mobile authentication and key exchange problems in the Kerberos-like model. This work was very influential and became the basis for much future work in this area [3–5,9]. However, these protocols have not been proven secure and their conjectured security is based on heuristic arguments. Despite the strong need for secure mobile authentication protocols, the problem was not treated rigorously until quite recently. A first rigorous treatment of the problem was provided by Fan et al. [10]. Their protocols are based on symmetric-key cryptography and proofs of authenticated key exchange can actually be obtained. Unfortunately, Fan et al.'s protocols [10] involve the HLR in each online authentication request (authentic or false), and thus they suffer from denial-of-service (DoS) attacks in practice.

Lee and Yeh [6] presented a protocol for the problem of mobile authentication and key exchange in the trust delegation model. In this model, a VLR can authenticate the MS after its initial HLR registration. Their protocol employs off-line authentication processes, such that the VLR does not need to contact the HLR frequently, and can rapidly re-authenticate the MS. However, their scheme suffers from both a malicious VLR attack [7] and an impersonated HLR attack [11]. Some improvements of the scheme are presented in [7,8,11–13]. The protocols in [7,8,13] are based on the elliptic curve discrete logarithm problem (ECDLP) assumption, while the protocols in [6,11,12] are based on the discrete logarithm problem (DLP) assumption. Since the HLR authenticates a roaming MS through the VLR relaying the MS's request, mobile authentication among them would easily become susceptible to masquerading and man-in-the-middle attacks. However, these protocols don't provide formal security proofs with the provable security technique.

Fig. 1. Mobile authentication scheme in [9].

In an attempt to come up with a secure and efficient solution for mobile authentication, we propose the following problem: can we simplify and speed up mobile authentication by the integration of trust delegation techniques [7] and one-time secret mechanisms [6,10]? Unlike the previous schemes, the new solution is immune to both the DoS attack and man-in-the-middle (MITM) attacks. A possible method is to use a nonce-based authentication approach and a timestamp-based authentication approach together to design the protocol. Such an approach may be useful in practice, as it can give a secure and efficient authentication scheme in most cases. How to efficiently generate a nonce and swiftly evaluate its freshness is an interesting and challenging piece of work. Furthermore, dealing with MITM attacks is even more challenging [14] when considering mobile authentication among three parties.

In practice, there is the requirement for some MSs to use the services in different locations in a relatively short time. Again, they wish to be given a chance to set a session key according to their will. The main contribution of this article is a scheme developed for mobile authentication and key exchange exhibiting both security and efficiency according to the practical scenarios. The timestamp without a synchronized clock is used to efficiently generate a nonce and swiftly evaluate the freshness of the nonce. An advantage of the “local” cryptographic binding method is that it is powerful enough to prevent a faulty process from changing a message it relays, or introducing a new message into the system and claiming to have received it from some other process. Below, we outline our results in more detail:

1. A novel nonce-based approach: the timestamp without a synchronized clock is generated by the MS as a nonce instead of the lifetime of the request, and its freshness is characterized by the monotone increasing property of the timestamp.

2. The “local” cryptographic binding method: a parameter NM binding the identity of a new visited VLR with the request is generated and sent to the HLR by the MS. Then the HLR verifies the VLR by NM. Moreover, we equip every request with its digital signature using a delegation key between the MS and the HLR to achieve authenticity and integrity.

3. A secure and efficient scheme is developed for mobile authentication and key exchange, by combining the above benefits with a one-time session key mechanism. The scheme is immune to both the DoS attack and man-in-the-middle (MITM) attacks.

4. Our mobile authentication scheme is both practical and provably secure using cryptographic assumptions in the random oracle model.

The remainder of this article is organized as follows. Section 2 analyzes two general approaches for mobile authentication in wireless networks. Section 3 presents the proposed authentication mechanism, and discusses how to integrate the authenticators with mobile authentication. Section 4 develops a scheme for mobile authentication and key exchange. The security and performance of the proposed scheme are analyzed and discussed in Sections 5 and 6, respectively. We make some conclusions in Section 7. Finally, the formal security proofs for both the proxy signature scheme used and the proposed scheme are given in Appendixes I and II, respectively.

2. Motivation

In the presence of an adversary, mobile authentication is a critical security service to ensure the trustworthiness of wireless network applications. Due to the resource constraints on MSs (especially the limited battery power) and possible VLR compromises, mobile authentication in wireless networks is by no means a trivial problem.

There are two general approaches for mobile authentication in wireless networks: digital signatures and MAC (Message Authentication Codes)-based approaches. Public key based digital signatures were initially considered impractical for resource constrained MSs. However, it was recently demonstrated that it is feasible to perform public key cryptographic operations on low-end MSs [6,7].

In the past several years, MAC and its variations [3,5,9,10] have been developed for scalable mobile authentication in wireless networks. All of these schemes are based on MAC, which provides mobile authentication based on symmetric cryptography. Compared with digital signatures, MAC-based approaches are much more efficient and less resource consuming, but cannot provide authentication immediately after the MS's request is received by a VLR.

Both digital signatures and MAC-based approaches are vulnerable to masquerade and MITM attacks. This is a fatal threat to MSs because each request from a roaming MS is transmitted to the HLR by a visited VLR.

2.1. DoS attacks against MAC-based mobile authentication

A major limitation of MAC and its variations [3,5,9,10] is the authentication delay. In other words, a visited VLR cannot authenticate an MS's request immediately after receiving it. This means that a visited VLR has to forward an MS's request to the HLR before properly authenticating it. However, once an adversary receives an MS's request, he/she can reuse the request to forge many requests. As a result, an adversary can force some VLRs to forward a large number of bogus requests to the HLR such that the resources of the HLR are eventually exhausted.

Let's consider an instance of MAC-based mobile authentication. An efficient implementation of this mobile authentication was presented in [9]. Assume that the HLR and VLR have established a secure session key Kvh with the help of a trustworthy authentication server, and that Kuh is a shared secret between the MS and HLR without trust delegation. Referring to Fig. 1, the scheme is described below. The MS sends a request in message E_{Kuh}(Kuh||r0) to the HLR via the VLR, and the VLR generates E_{Kuh}(MS||r1||t) and sends it and E_{Kuh}(Kuh||r0) to the HLR. Here, t denotes the current timestamp, and r0 and r1 are two random numbers. The HLR verifies the legality of the MS and VLR, and then sends E_{Kvh}(r1) and E_{Kuh}(r0||r1) back to the VLR. To authenticate itself to the MS, the VLR sends back to the MS the encrypted r0 in message E_{Kuh}(r0||r1). The MS checks r0 and sends back E_{Kauth}(r1) to the VLR. After E_{Kauth}(r1), the MS and VLR authenticate each other successfully, and establish a shared key Kauth = r1.

This scheme requires five transmissions in total. In particular, three transmissions are required between the VLR and the MS. It is not efficient in communications for the MS since communication from the MS to the VLR (i.e., uplink) is especially expensive in wireless networks. Another major limitation is that there is no way to prevent malicious MSs from launching DoS attacks on the HLR, though these MSs can be detected and then excluded from the wireless network.


Fig. 3. Mobile authentication scheme in [7].


2.2. MITM attacks against signature-based mobile authentication

In contrast, public-key system-based protocols can provide more security features such as nonrepudiation and mutual authentication. To provide solutions for DoS attacks on the HLR, the authors in [6,7] introduce the concept of delegation into the mobile authentication system. However, their scheme does not protect an MS from MITM attacks.

Referring to Fig. 2, the visited VLR cannot be masqueraded since an MS shares its random value n2 with two rounds of message exchange. However, this does not help the MS to resist MITM attacks, as the scheme suffers from the impersonated HLR attack [7]. By modifying IDH in L3 to IDF, an adversary can divert the VLR to an HLR under the control of the adversary; we denote this impersonated HLR by FHLR with identification IDF. After the diversion, the attacker, acting as a VLR, can then obtain the session key C1 by a shared key K(F,H) with the legitimate HLR of the MS.

The scheme shown in Fig. 3 suffers from the malicious VLR attack [13]. By first modifying IDV in S2 to IDV∗ and then sending {IDV∗, IDM, C}, a malicious VLR∗ with identification IDV∗ can obtain the session key ck if the HLR forgets to check the freshness of the nonce. We added IDV into the ciphertext C such that ck was bound with the visited VLR [13].

In fact, it is quite reasonable in mobile authentication to consider an active adversary – a “man-in-the-middle” – who modifies the request as it is transmitted from an MS to the HLR. Dealing with MITM attacks is even more challenging [14] when considering mobile authentication protocols consisting of many rounds of interaction, possibly among more than two parties.

2.3. Proposed approach

In practice, there is the requirement for some MSs to use the services in different locations in a relatively short time. Again, they wish to be given a chance to set a session key according to their will. To provide a solution for the practical scenarios, we develop an approach for mobile authentication and key exchange problems to mitigate DoS attacks and MITM attacks.

The basic idea is to use efficiently verifiable authenticators along with mobile authentication, so that either a visited VLR performs the request forwarding (in the case of signature-based authentication) or the HLR generates a response for it (in the case of MAC-based authentication) only when the corresponding authenticator can be verified. We develop an authentication mechanism integrating these authenticators with a one-time session key to achieve this goal.

Fig. 2. Mobile authentication scheme in [6].

This mechanism has a number of nice properties: (1) the authenticator can be efficiently achieved by an MS; (2) the authentication mechanism has reasonable communication overhead; (3) the authentication mechanism works with the one-time session key.

3. Design idea

The design of a mobile authentication protocol, as with any protocol, requires that tradeoffs be made. One consideration when achieving mobile authentication is reducing the number of messages needed for the MS. A second consideration in the generation of the user request is minimizing computation costs at an MS. Several practical authentication techniques for improving the performance of mobile authentication are introduced. They are incorporated in our authentication mechanism.

3.1. A novel nonce-based approach to support user mobility

We present a novel nonce-based authentication offering the same features as a timestamp-based authentication. Consequently we do not need synchronized clocks. Our approach has the property of using a minimal number of messages to establish a session key for an MS.

A timestamp-based authentication is simple and efficient. Timestamps are now used in most production authentication services including Kerberos. However, the approach is impractical in mobile environments since it is difficult for the HLR to maintain the synchronization of clocks among all MSs.

A nonce-based authentication does not rely on synchronized clocks. This approach has been used by some schemes [6–8,10–12]. Their attention is focused on the effect a nonce has on the new request or response. With the use of a traditional nonce, it is unclear how to generate such a nonce for an MS and how the HLR should check its freshness.

We now turn our attention to a novel nonce-based approach. To do this we apply the technique from [15] that allows a timestamp without synchronized clocks. The timestamp in the request can be treated as a nonce generated by an MS. The MS sets a temporary variable to store the nonce tM. Upon receipt of the response at t′M, the MS can determine that the elapsed time is t′M − tM for the initial request. Further, using the fact that the timestamp is monotone increasing for the requests from an MS, the HLR checks its freshness by comparing it to the timestamp in the latest request of the MS.

By using this novel nonce-based approach, a nonce can be efficiently generated by an MS, and the HLR can swiftly evaluate the freshness of the nonce.



3.2. Authenticators for resistance to MITM attacks

MITM attacks on cryptographic protocols have long been recognized as a fundamental problem [14]. Mobile authentication among three parties is easily susceptible to masquerading and man-in-the-middle attacks ([7], page 1411). Protocol design has been even more difficult, with few efficient mobile authentication protocols known that prevent MITM attacks.

Look at security for mobile authentication in different contexts. There are many approaches for session key distribution between an MS and the visited VLR. A session key ck in [7,13] is determined by an MS, and the HLR sending ck to the visited VLR plays the assistance role. The HLR in [10] generates a session key by itself after a request is received. From the point of view of the user, this may be inconvenient if an MS in [11,12,10] can't choose a session key for itself. Our scheme allows a session key to be chosen by the MS.

Our construction is based on the trust delegation [6,7] and MAC [10], yet new techniques are needed for the present setting. A distinguishing feature of each request is its powerful use of “local” cryptographic binding. By a secure MAC function Fσ, the binding is used to ensure the authenticity of the MS's identity IDM, the visited VLR's identity IDV, the freshness of the nonce tM, etc. Each MS's request contains a ciphertext CM, a timestamp tM and the proxy signature (R,s), such that a VLR knows a witness — the MS's delegation key σ. In particular, the MAC value NM in CM should depend on the VLR's identity IDV and a timestamp tM which the MS cannot re-use.

A request will be secure as long as the following hold: (1) it is possible for a VLR to know the witness σ; yet (2) learning CM for any t′M > tM will allow the adversary to break some computationally-hard problem; (3) the value of tM used by the MS cannot be used in any other request of the MS; and (4) furthermore, the identity IDV matches the corresponding element of the MAC value NM.

In this way, unless the man-in-the-middle attack occurs during the first connection between the MS and VLR, it can be detected, as the identity of the legitimate VLR and the identity returned by the MITM attacker will not match. Moreover, we equip every request with its digital signature using a delegation key σ between the MS and the HLR to achieve authenticity and integrity. A false request is filtered out by the legitimate VLR verifying its proxy signature.

3.3. One-time session key mechanism for off-line authentication

Lee and Yeh [6] employed off-line authentication processes for the re-authentication of the MS, such that the VLR did not need to contact the HLR frequently. The solution can save authentication time and increase the communication efficiency in mobile authentication.

In general, there may be three solutions that achieve an off-line authentication. The first one pre-computes a hash chain h^(1)(n1), h^(2)(n1), ⋯, h^(n+1)(n1) before the on-line authentication [6,11,12], where n1 is a random number, and n is the predefined number of off-line authentications. It suffers from the disadvantage of computing useless information if the online authentication fails. The second one requires that for an off-line authentication, a mobile user must perform both the on-line authentication protocol and the initial authentication protocol [10]. When the number of off-line authentications is small, it is an expensive solution. The third one proposes a digital signature to be performed by the MS only if the online authentication succeeds [7]. Both the execution time and communication cost are increased by adding the signing operation.

In practice, there is the requirement for some MSs to use the services in different locations in a relatively short time. We combine the practical scenarios and extend the research mentioned above. Our scheme should guarantee that at a smaller cost, such an MS can access the resources in the same VLR. To this end, we use the third solution. The difference is that the session key ck is replaced by a one-time secret. Furthermore, by using the 160-bit version of the ECDSA, the increase in the potential cost during the signing operation is tolerable.

4. The proposed scheme

Based on the ideas introduced in Section 3, we propose a secure and efficient mutual authentication scheme for mobile communications. Our scheme consists of three parts, and each part contains a protocol.

The first part of the scheme (Section 4.1) is a trust delegation initialization protocol that is used to generate a pair of proxy signing/verification keys between an MS and the HLR. The second part (Section 4.2) is an HLR-online authentication protocol for mutual authentication based on the proxy signing key. We then move on to the HLR-offline authentication procedure (Section 4.3).

We use the following notations throughout the paper: G is a subgroup of the additive group of points of an elliptic curve, P is the generator of G, q is the order of the element P, Fσ is a one-way function with key σ, H is a mapping from {0,1}∗ to Zq, ⊎ denotes a point addition operator in G, [m]σ denotes a message m enciphered under a symmetric key σ, tM denotes the current timestamp made by an MS, and ‘|’ or ‘,’ denotes a concatenation operator of two bit strings.

4.1. The trust delegation initialization for MS and HLR

In order to make the mutual authentication efficient, we will make use of a trust delegation initialization protocol by which an MS and the HLR agree on common parameters. The protocol is similar to the TDI protocol in [7]. The HLR has a private key x and a public key Y = xP.

The details of the trust delegation initialization protocol are described as follows:

Step (1) First, a new MS sends its real identity IDM to the HLR for registration.

Step (2) After receiving IDM at time tIDM, the HLR sets the MS's service type and key access rights on IDM in mw. Next, it generates a digital signature (Γ,σ) on mw by calculating Γ = rP, σ = xH(00|IDM|mw|Γ) + r mod p, where r is a random number. The HLR puts (IDM,mw,Γ) in public, and delivers (σ,mw) to the MS securely. The HLR also stores (IDM,mw,σ, tIDM).

Step (3) The MS checks if σP = H(00|IDM|mw|Γ)Y ⊎ Γ. If the test fails, then the MS goes to Step (1). Otherwise, the MS accepts (σ,mw), and stores them for the future.

The trust delegation initialization protocol shown in Fig. 4 is secure. We prove its security in Theorem 2 of Appendix I.
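As an added worked example (not code from the paper), the trust delegation initialization above, together with the proxy-signed request check it enables in Section 4.2, in Python. The example makes the following assumptions, none of which is fixed by the paper: the group G is the standard secp256k1 curve (the paper only fixes G abstractly and mentions a 160-bit curve in Section 3.3); H is SHA-256 reduced modulo the order q of P; the signing equations are reduced modulo q rather than the "mod p" written in Step (2); the point T in the request signature is taken to be P; and the VLR checks a request against the proxy verification key σP = H(00|IDM|mw|Γ)Y ⊎ Γ, which anyone can compute from the published (IDM, mw, Γ) and which is what the signing equation s = σH(01|CM|tM|R) + r′ implies for sP. All keys, identities and the sample CM are constructed values.

```python
# Added example, not the paper's code: Section 4.1 trust delegation
# initialization (TDI) plus the proxy-signed request of Section 4.2, Steps 1-2.
# Group: secp256k1 (constructed choice). H: SHA-256 mod q. All scalar
# arithmetic is reduced mod q, the order of the base point P.
import hashlib

p = 2**256 - 2**32 - 977                              # field prime of secp256k1
A_COEF, B_COEF = 0, 7                                 # curve y^2 = x^3 + 7
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None                                            # point at infinity
assert (P[1] ** 2 - P[0] ** 3 - A_COEF * P[0] - B_COEF) % p == 0   # P lies on the curve

def ec_add(P1, P2):
    """Affine point addition (the paper's ⊎); INF is the identity."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                    # P2 = -P1
    if P1 == P2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P1):
    """Double-and-add scalar multiplication k*P1."""
    R, Q = INF, P1
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R

def H(*parts):
    """The paper's H: {0,1}* -> Z_q, as SHA-256 of the '|'-joined fields mod q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def proxy_key(Y, id_m, mw, Gamma):
    """sigma*P = H(00|IDM|mw|Gamma)*Y ⊎ Gamma, computable from public data only."""
    return ec_add(ec_mul(H("00", id_m, mw, Gamma), Y), Gamma)

def hlr_delegate(x, id_m, mw, r):
    """TDI Step (2): Gamma = rP, sigma = x*H(00|IDM|mw|Gamma) + r (mod q)."""
    Gamma = ec_mul(r, P)
    sigma = (x * H("00", id_m, mw, Gamma) + r) % q
    return Gamma, sigma

def ms_check_delegation(Y, id_m, mw, Gamma, sigma):
    """TDI Step (3): accept (sigma, mw) only if sigma*P = H(00|IDM|mw|Gamma)*Y ⊎ Gamma."""
    return ec_mul(sigma, P) == proxy_key(Y, id_m, mw, Gamma)

def ms_sign_request(sigma, c_m, t_m, r_prime):
    """Online Step (1): R = r'P, s = sigma*H(01|CM|tM|R) + r' (mod q)."""
    R = ec_mul(r_prime, P)
    return R, (sigma * H("01", c_m, t_m, R) + r_prime) % q

def vlr_verify_request(Y, id_m, mw, Gamma, c_m, t_m, R, s):
    """Online Step (2): sP = H(01|CM|tM|R)*(sigma*P) ⊎ R (assumed form, see lead-in)."""
    expected = ec_add(ec_mul(H("01", c_m, t_m, R), proxy_key(Y, id_m, mw, Gamma)), R)
    return ec_mul(s, P) == expected

def demo():
    """Runs TDI, then a request check; returns (delegation ok, request ok, forged ok)."""
    x = 1234567890123456789                              # HLR private key (constructed)
    Y = ec_mul(x, P)                                     # HLR public key Y = xP
    id_m, mw = "MS0001", "voice+data;valid-until=2012-12-31"   # constructed
    Gamma, sigma = hlr_delegate(x, id_m, mw, 987654321987654321)
    delegation_ok = ms_check_delegation(Y, id_m, mw, Gamma, sigma)
    c_m, t_m = "ciphertext-CM-placeholder", 1001         # CM and nonce tM (constructed)
    R, s = ms_sign_request(sigma, c_m, t_m, 1122334455667788)
    request_ok = vlr_verify_request(Y, id_m, mw, Gamma, c_m, t_m, R, s)
    forged_ok = vlr_verify_request(Y, id_m, mw, Gamma, c_m, t_m + 1, R, s)   # altered tM
    return delegation_ok, request_ok, forged_ok
```

The point worth noticing is that `vlr_verify_request` never needs σ itself: the VLR reconstructs σP from the public (IDM, mw, Γ) and Y, so a request whose tM, CM or R has been altered in transit fails the check, which is the filtering of false requests that Section 3.2 relies on.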

4.2. The HLR-online authentication protocol for MS and the system

The protocol is performed between the MS and the system after the successful execution of the protocol described in Section 4.1 above. The MS initiates the protocol using the proxy signing key whenever it visits a new VLR.

The details of the HLR-online authentication protocol for the MS and the system are described as follows.

Step (1) The MS sends a request S1(I) to the VLR for the service item I. First, the MS computes NM = Fσ(IDV, tM) where tM is the current timestamp made by the MS. The MS randomly chooses a session key sk and a random number r′, and computes CM = [sk,Texp,NM]σ, R = r′T, and s = σH(01|CM|tM|R) + r′ mod p. Here, the MS and HLR do not require clock synchronization, tM is treated as a nonce generated by the MS, and Texp is the time limit on item I. Then, the MS sends S1(I) = {IDM,IDH,CM, tM, (R,s)} to the VLR, and stores tM and sk in its memory as temporary values.

Step (2) After receiving S1(I), VLR retrieves (IDM,mw,Γ) according toIDH and IDM, and checks if tM is valid and I∈mw. If both are

Page 5: Preventing delegation-based mobile authentications from man-in-the-middle attacks

Fig. 5. The HLR-online authentication protocol for MS and the system.

Fig. 6. The ι-th HLR-offline authentication protocol for MS and the VLR.

Fig. 4. The trust delegation initialization protocol for an MS and the HLR.

318 J.-Z. Lu, J. Zhou / Computer Standards & Interfaces 34 (2012) 314–326

true, VLR authenticates MS by using the attached digitalsignature (R,s), that is, sP=H(01|CM|tM|R)Y⊎R. If the verifi-cation fails, VLR will drop this request. Otherwise, VLR com-putes CV=[IDM,CM, tM, tV]K(V, H)

, and sends {IDV,CV} to theHLR, where tV is the current timestamp made by VLR.

Step (3) The HLR decrypts CV to obtain IDM, tM, tV and CM, and checks iftV is not expired. If true, HLR retrieves (mw,σ, tIDM) accordingto IDM and decrypts CM to obtain sk, Texp, and NM. If tM> tIDMand NM=Fσ(IDV,tM), HLR computes NH=Fσ(IDV,sk, tM).Then, HLR sends {IDH, CHV} to VLR, and updates tIDM by settingtIDM=tM, where CHV=[sk,Texp, tM, tV,CHM]K(V,H)

, and CHM=[NH]σ.

Step (4) VLR decrypts CHV to obtain sk, Texp, tM, tV, and CHM, thenchecks if tV is valid. If true, VLR stores (IDM,sk,Texp, tM) andsends {IDV,CHM} to MS.

Step (5) MS decrypts CHM to obtain NH. MS checks if tM is not expiredand NH=Fσ(IDV,sk, tM). If both are true, MS and VLR authen-ticate each other successfully. MS deletes the temporaryvalue tM, and stores sk for the future. Besides, MS and VLRtake as the session key H(sk|0) for secure communicationin this session. H(sk|1) is used as a common secret key forthe HLR-offline authentication between MS and VLR if MSstill stays in the service area of VLR then.

The above protocol is also shown in Fig. 5. The security proof for this protocol is presented in Theorem 3 of Appendix II.

4.3. The ι-th HLR-offline authentication protocol for MS and the current VLR

The ι-th HLR-offline authentication protocol is performed by an MS that has finished the execution of the two protocols in Sections 4.1 and 4.2 and will access the VLR again within the specified time. Here, ι is a positive integer, the initial value of ι is set to 1, sk0 = sk, and tM,0 = tM.

The details of the ι-th HLR-offline authentication protocol are described as follows:

Step (0) The ι-th HLR-offline authentication process begins.

Step (1) MS randomly chooses a random number rι in Zq* and a key skι. Then, MS takes the (ι−1)-th inner one-time session key sk¹ι−1, and computes CM,ι = [skι]sk¹ι−1, Rι = rιT, and sι = σH(01|CM,ι|tM,ι|Rι) + rι mod p, where sk¹ι−1 = H(skι−1|1), and tM,ι is the current timestamp made by MS. Then, MS sends {IDM, CM,ι, tM,ι, (Rι, sι)} to the VLR.

Step (2) According to IDM, the VLR gets the verification information (Γ, mw), and retrieves the key data (skι−1, Texp, tM,ι−1). It first checks the consistency of the mw restrictions. Then, VLR verifies that tM,ι > tM,ι−1 and that skι−1 is not expired. If both hold, VLR authenticates MS by checking whether sιP = H(01|CM,ι|tM,ι|Rι)Y ⊎ Rι (the same string that MS signed in step (1)). If so, VLR decrypts CM,ι using sk¹ι−1 = H(skι−1|1) to get skι. VLR encrypts the content of the desired file f using the key sk¹ι−1 = H(skι−1|1), and sends CV,ι = [f, NV,ι]sk¹ι−1 to MS, where NV,ι = Fsk¹ι−1(f|skι|tM). At the same time, VLR deletes (IDM, skι−1, Texp, tM,ι−1) and stores (IDM, skι, Texp, tM,ι).

Step (3) Upon receiving CV,ι, MS decrypts f′ and NV,ι from this ciphertext with sk¹ι−1 = H(skι−1|1), and checks whether NV,ι = Fsk¹ι−1(f′|skι|tM). If they are equal, MS can be sure that f′ is indeed the file f sent from VLR and that f has not been modified during transmission. MS accepts f′, and replaces skι−1 with skι.

Step (4) The ι-th authentication process ends. If MS wants to perform the next round of the authentication process, it sets ι = ι + 1 and goes to Step (0).

This protocol is shown in Fig. 6. The security proof for this protocol is presented in Theorem 4 of Appendix II.
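The ι-th round above, as an added runnable example written for this page (it is not the authors' code): both sides derive sk¹ι−1 = H(skι−1|1), the VLR enforces tM,ι > tM,ι−1 and the Texp limit, skι travels inside CM,ι, and the MS accepts f only when NV,ι = F(f|skι|tM) checks out. Assumptions not fixed by the paper: F is HMAC-SHA256, the AES container [·]k is replaced by a SHA-256 counter-mode keystream (a dependency-free stand-in, not the paper's cipher), timestamps are integers, and the proxy-signature check on (Rι, sι) is outside this snippet and treated as already passed. All identifiers, keys and file contents are constructed sample values.

```python
import hashlib
import hmac


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the paper's AES container [x]_k: XOR with a SHA-256 counter-mode
    keystream. The label separates the MS->VLR and VLR->MS directions so that one
    inner key never produces the same keystream twice within a round."""
    stream = b"".join(hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def F(key: bytes, *parts: bytes) -> bytes:
    """Keyed one-way function F, instantiated as HMAC-SHA256 over length-prefixed parts."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def inner_key(sk: bytes) -> bytes:
    """sk^1_{i-1} = H(sk_{i-1}|1): the common secret used in the offline protocol."""
    return hashlib.sha256(sk + b"|1").digest()


class VLR:
    def __init__(self, id_m, sk0, t_exp, t0, files):
        # (IDM, sk_{i-1}, Texp, tM,i-1) left behind by the HLR-online run
        self.store = {id_m: {"sk": sk0, "t_exp": t_exp, "t": t0}}
        self.files = files

    def step2(self, id_m, c_m, t_m, now, filename):
        rec = self.store.get(id_m)
        if rec is None or not t_m > rec["t"] or now > rec["t_exp"]:
            return None                      # unknown MS, stale tM,i, or expired sk_{i-1}
        # The (R_i, s_i) signature over CM,i|tM,i is assumed verified before this point.
        k1 = inner_key(rec["sk"])
        sk_new = keystream_xor(k1, b"MS", c_m)             # sk_i recovered from CM,i
        f = self.files[filename]
        n_v = F(k1, f, sk_new, t_m.to_bytes(8, "big"))     # NV,i = F(f|sk_i|tM)
        self.store[id_m] = {"sk": sk_new, "t_exp": rec["t_exp"], "t": t_m}
        return keystream_xor(k1, b"VLR", f + n_v)          # CV,i = [f, NV,i]_{sk^1}


class MS:
    def __init__(self, id_m, sk0, t0):
        self.id_m, self.sk, self.t, self.pending = id_m, sk0, t0, None

    def step1(self, t_m, sk_new):
        self.pending = (t_m, sk_new)
        return self.id_m, keystream_xor(inner_key(self.sk), b"MS", sk_new), t_m

    def step3(self, c_v):
        t_m, sk_new = self.pending
        k1 = inner_key(self.sk)
        plain = keystream_xor(k1, b"VLR", c_v)
        f, n_v = plain[:-32], plain[-32:]                  # NV,i is the 32-byte tail
        if not hmac.compare_digest(n_v, F(k1, f, sk_new, t_m.to_bytes(8, "big"))):
            return None                      # f was modified, or this reply is not for this round
        self.sk = sk_new                     # replace sk_{i-1} by sk_i
        return f


def run_demo():
    sk0 = b"\x5a" * 32                       # constructed sk_0 from the HLR-online run
    files = {b"f1": b"constructed file contents", b"f2": b"another one"}
    vlr = VLR(b"IDM-1", sk0, t_exp=9000, t0=1000, files=files)
    ms = MS(b"IDM-1", sk0, 1000)
    id_m, c_m, t_m = ms.step1(1001, b"\x01" * 32)          # round 1
    got = ms.step3(vlr.step2(id_m, c_m, t_m, now=1002, filename=b"f1"))
    keys_after_round1 = ms.sk == vlr.store[id_m]["sk"]
    replay = vlr.step2(id_m, c_m, t_m, now=1003, filename=b"f1")   # same CM,i and tM,i again
    id_m, c_m2, t_m2 = ms.step1(1004, b"\x02" * 32)        # round 2
    c_v2 = vlr.step2(id_m, c_m2, t_m2, now=1005, filename=b"f2")
    tampered = ms.step3(c_v2[:-1] + bytes([c_v2[-1] ^ 1]))  # one bit flipped in transit
    return {"file": got, "keys_after_round1": keys_after_round1, "replay": replay,
            "tampered": tampered, "desync": ms.sk != vlr.store[id_m]["sk"]}
```

run_demo() returns the file from an honest round, None for the replayed request (tM,ι no longer exceeds the stored tM,ι−1) and None for the corrupted CV,ι. Its last entry records a consequence of the ordering in the steps above: the VLR replaces skι−1 by skι in step (2), before the MS has confirmed in step (3), so a lost or corrupted CV,ι leaves the two sides holding different keys, and a deployment needs a rule for that case (for instance retaining skι−1 until the next request verifies under skι).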

Finally, the three protocols proposed in Sections 4.1–4.3 are integrated into a secure and efficient mobile authentication scheme. Fig. 7 illustrates the execution order and the relationship of the three proposed protocols in the proposed scheme.

5. Security analysis

MS has a (long-term) delegation key σ with associated rights mw that is used for authentication to its HLR. Moreover, a (long-term) pairwise disjoint key K(V,H) is distributed to the VLR and the HLR, so that each party involved in an association can reliably verify the identity of the party at the other end. We assume that neither σ nor K(V,H) can be obtained by an attacker. Further, we assume that both H and F are secure one-way functions. Under these assumptions, we analyze the security of the proposed scheme against various attacks, demonstrating its capability in dealing with diverse types of attacks. We are most concerned with the following four types of attacks: message en route attacks, false base station attacks, mobile DoS attacks to the HLR, and session key leakage.

5.1. Perfectly secure message transmission

Message integrity/authenticity is one major security goal in a secure wireless network. Informally speaking, mobile authentication assures the parties that the messages have not been tampered with en route. We often associate message en route attacks with message replay, but the attack also includes bogus message injection and disruption.

Fig. 7. The execution order and the relationship of the three proposed protocols.

A replay attack is a method in which an attacker stores stale intercepted messages and retransmits them at a later time. In order to illegally obtain a session key, she/he will attempt to impersonate a legal MS by replaying its exchanged messages. In HLR-online authentication, the attacker intercepts the message S1(I) sent by MS at step (1), and then replays the message {IDM, IDH, CM, tM, (R, s)} to VLR. Three properties are necessary for a valid request: a timestamp-based authenticated ciphertext CM, a valid digital signature (R, s), and a fresh timestamp tM. By the last property, it is feasible that tM is changed to a timestamp t′M satisfying t′M > tM. However, this does not suffice for proving that the MS produced the request. The first two properties imply that, without the secret key σ, the attacker would have to forge a proxy signature for CM|t′M. This is not possible, as it would violate the security properties of the proxy signature scheme. Likewise, an attacker cannot successfully replay the ι-th request {IDM, CM,ι, tM,ι, (Rι, sι)} in the HLR-offline authentication. As mentioned above, it requires forging a proxy signature for CM,ι|t′M,ι such that t′M,ι > tM,ι; due to the security properties of the proxy signature scheme, this is not possible. According to the above analysis, our proposed protocols are able to resist such replay attacks.

An attacker may want to inject bogus messages into the mobile authentication in order to use the network service for free. The bogus messages could be injected by an outsider or an insider. However, all such bogus messages are immediately filtered out in the proposed scheme. In HLR-online authentication, an attacker has only two ways of injecting bogus messages into the request from an MS: (1) changing the timestamp tM; (2) a rather simple substitution of the ciphertext or of the digital signature (R, s). In both cases, a VLR can filter out the bogus messages by verifying the digital signature. Even if a bogus ciphertext CM is sent to HLR, the attacker cannot get the correct response from HLR, because the validity of both tM and NM is verified by checking tM > tIDM and NM = Fσ(IDV, tM), provided that CM can be decrypted at step (3). Similarly, the VLR can filter out bogus requests in HLR-offline authentication by verifying the digital signature and checking the freshness of tM,ι.

In addition, AES [18] is chosen as the symmetric-key encryption algorithm for the proposed scheme. The main advantage of this algorithm is that it is a good pseudorandom permutation and is invulnerable to the prefix attack. Therefore, splicing segments of messages in the proposed scheme is not possible.

5.2. Provide complete security against member collusion and member compromise

Many of the requirements established in Section 3 are naturally fulfilled by implementing the framework as described above. However, member collusion and member compromise need to be considered in a mobile authentication. Member compromise involves the case in which an attacker could impersonate a VLR/HLR, as well as the case where some MSs under the control of an attacker collude.

5.2.1. Member collusion

There are three cases of collusion in a mobile authentication: (i) MS and VLR collude to gain the trust of HLR, (ii) VLR and HLR collude to induce an MS to trust a dishonest VLR, and (iii) MS and HLR collude to trick an honest VLR into trusting a dishonest MS. The use of trust delegation makes it impossible for an honest HLR to trust any MS that is not registered in case (i). In addition, such trust delegations make it impossible for a dishonest HLR to gain the trust of an honest MS in case (ii). Moreover, the scheme is designed to make sure that the HLR cannot misbehave. The problem illustrated in case (iii) does not occur during a mobile authentication.

5.2.2. Impersonation attacks

If there is at most one dishonest party in the proposed scheme, she/he cannot accomplish an impersonation attack without being detected. In a successful impersonation, other members would send confidential information to the attacker rather than to the real recipients. This is typically the hardest attack to mount and to defend against.

Firstly, the HLR-online authentication protocol can efficiently prevent impersonation attacks, since the scheme provides secure mutual authentication mechanisms between a roaming MS and VLR, MS and HLR, and VLR and HLR. Consider the following impersonation attack scenarios in this protocol (Fig. 5):

An attacker cannot impersonate a legitimate VLR to cheat MS, since he does not possess the correct values tM and CHM. By intercepting the exchanged messages in steps (2) and (4), an outside attacker first obtains CV = [IDM, CM, tM, tV]K(V,H) and CHM = [NH]σ. Then, she/he tries to cheat MS by replaying previous reply messages (e.g., C′HM = [N′H]σ). However, N′H = Fσ(IDV, sk′, t′M), and t′M in the replayed message is less than tM in S1(I); therefore, it would be rejected by MS. Furthermore, an inside attacker cannot impersonate the visited VLR to cheat MS, since the delegation key σ is unknown to the inside attacker, and she/he cannot generate CHM = [NH]σ such that NH = Fσ(IDV, sk, tM), where sk and tM are generated by MS.

An attacker does not have the power to break the authentication of the communication between the HLR and a VLR, since neither the long-term secret key K(V,H) nor a valid NM in CM is possessed. While communicating with HLR, an attacker cannot generate a valid message CV in step (2) such that NM in CM satisfies NM = Fσ(IDV, tM). Likewise, an attacker cannot generate the responding confirmation CHV while communicating with VLR.

MS and its HLR can authenticate their messages, so an attacker cannot impersonate them. Since the delegation key σ is unknown to the attacker, she/he cannot generate a valid ciphertext CM = [sk, Texp, NM]σ. Here, NM = Fσ(IDV, tM), and sk and tM are generated by MS. Similarly, an attacker cannot generate the responding confirmation CHM such that NH in CHM satisfies NH = Fσ(IDV, sk, tM).

We consider the following impersonation attack scenarios in the HLR-offline authentication protocol. On the one hand, an attacker cannot impersonate VLR to cheat MS, since he does not possess the previous session key skι−1. Without knowing skι−1, it is impossible for an attacker to get skι from CM,ι = [skι]sk¹ι−1. Hence, an attacker cannot generate the authentic message CV,ι = [f, NV,ι]sk¹ι−1 to MS such that NV,ι = Fsk¹ι−1(f|skι|tM). On the other hand, an attacker cannot impersonate MS to cheat VLR. Since the shared key skι−1 is unknown to anyone except MS and VLR, the attacker cannot send the authentic message CM,ι = [skι]sk¹ι−1 to VLR. Moreover, without the proxy key σ of MS, the attacker cannot generate a valid digital signature (Rι, sι) for CM,ι|tM,ι. Therefore, our solution does not suffer from impersonation attacks.

Table 1. Computation costs and security strength comparison. (Columns: Our, YL [12], LCHC [11], TW [7], LY [6]. The TDI row is only partially legible in the extracted text.)

TDI: 2th + tm; 3th + 3tm; 3tex
HonA: 2th + tm + ten + 2tde | (n+2)th + tm + tex + tde | (n+2)th + tm + tex + tde | 2th + tm + ten + tno + ten + tno | 2th + tex + tde
HofA: 2th + tm + ten + tde | 3th + ten | 3th + ten | th + tno + tm | 3th + tde
SP1: ★ ★ ★ ★ ★
SP2: ★ ★ ★
SP3: ★ ★ ★ ★ ★
SP4: ★ ★ ★

5.2.3. The MITM attacks

In MITM attacks, an attacker pretending to be a legitimate VLR fools either the requesting MS or the HLR into connecting to it instead of the VLR. The attacker can then capture the MS's session key. In the HLR-online authentication protocol, session security is provided through the use of a digital signature and a one-way function keyed with σ. Because the identity of each party in the protocol is authenticated, the protocol is secure against man-in-the-middle attacks.

In the proposed protocol, the authenticity of each request message is confirmed in time at each step. VLR verifies the digital signature (R, s) to guarantee the authenticity of the message S1(I) received from a registered MS. By checking NM = Fσ(IDV, tM), HLR can tell whether VLR is the one that MS intends to access. If this check of VLR's identity were missing, an attacker could redirect the message S1(I) at step (1), say to VLR′, before the VLR receives it, with the result that MS would unknowingly communicate with VLR′ instead of VLR.

Following decryption at step (5), MS checks NH = Fσ(IDV, sk, tM) to verify that the message really is a reply by HLR to the current session key sk. If this check of VLR's identity were missing, the message at step (4) could be redirected to another VLR, say VLR′, after the VLR sends it. As a result, MS would communicate with VLR′ rather than the intended VLR.
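The checks that carry the replay and redirection arguments above (tM > tIDM and NM = Fσ(IDV, tM) at the HLR in step (3) of Section 4.2, and NH = Fσ(IDV, sk, tM) at the MS in step (5)), as an added runnable example for Section 4.2 and Sections 5.1 and 5.2.3. This is example code written for this page, not the authors' implementation. Assumptions: F is HMAC-SHA256 over length-prefixed inputs, timestamps are integers with a constructed validity window, CM is handled after decryption so that the AES layer and the VLR's signature check are outside the snippet, and all identifiers and keys are constructed sample values.

```python
import hashlib
import hmac

WINDOW = 30   # seconds for which tM / tV count as "valid" (constructed; the paper fixes no value)


def F(key: bytes, *parts: bytes) -> bytes:
    """Keyed one-way function F, instantiated as HMAC-SHA256 over length-prefixed parts,
    so F(IDV, tM) and F(IDV, sk, tM) are computed over unambiguous inputs."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


class HLR:
    """Holds (mw, sigma, tIDM) per registered MS; tIDM is the last accepted tM."""

    def __init__(self):
        self.db = {}

    def register(self, id_m: bytes, mw: bytes, sigma: bytes):
        self.db[id_m] = {"mw": mw, "sigma": sigma, "t_idm": 0}

    def step3(self, id_v, id_m, t_m, t_v, cm, now):
        # cm = (sk, Texp, NM) is CM after decryption under sigma; the AES layer is not
        # modelled here, so confidentiality of sk is assumed rather than demonstrated.
        if now - t_v > WINDOW:
            return None                                   # tV expired
        rec = self.db.get(id_m)
        if rec is None:
            return None
        sk, t_exp, n_m = cm
        if not t_m > rec["t_idm"]:
            return None                                   # replayed or reordered request
        if not hmac.compare_digest(n_m, F(rec["sigma"], id_v, ts(t_m))):
            return None                                   # NM names another VLR: redirected
        n_h = F(rec["sigma"], id_v, sk, ts(t_m))          # NH = F_sigma(IDV, sk, tM)
        rec["t_idm"] = t_m                                # tIDM := tM
        return n_h


class MS:
    def __init__(self, sigma: bytes):
        self.sigma, self.pending = sigma, None

    def step1(self, id_v, t_m, sk, t_exp):
        self.pending = (id_v, t_m, sk)                    # temporary values kept until step (5)
        return (sk, t_exp, F(self.sigma, id_v, ts(t_m)))  # CM = [sk, Texp, NM] before encryption

    def step5(self, n_h, now):
        id_v, t_m, sk = self.pending
        if now - t_m > WINDOW:
            return None                                   # tM expired
        if not hmac.compare_digest(n_h, F(self.sigma, id_v, sk, ts(t_m))):
            return None                                   # not HLR's answer to this sk, tM, IDV
        self.pending = None
        # session key H(sk|0); H(sk|1) is the common secret for the HLR-offline protocol
        return hashlib.sha256(sk + b"|0").digest(), hashlib.sha256(sk + b"|1").digest()


def run_demo():
    sigma = b"\x5a" * 32                                  # constructed delegation key
    hlr = HLR()
    hlr.register(b"IDM-1", b"voice,data", sigma)
    ms = MS(sigma)
    # honest run through VLR-A
    cm = ms.step1(b"VLR-A", t_m=1000, sk=b"\x01" * 10, t_exp=5000)
    n_h = hlr.step3(b"VLR-A", b"IDM-1", 1000, 1001, cm, now=1002)
    keys = ms.step5(n_h, now=1003)
    # 5.1: the captured request is replayed unchanged (tM no longer exceeds tIDM)
    replay = hlr.step3(b"VLR-A", b"IDM-1", 1000, 1010, cm, now=1011)
    # 5.2.3: a fresh request meant for VLR-A is redirected so that VLR-B forwards it
    cm2 = ms.step1(b"VLR-A", t_m=2000, sk=b"\x02" * 10, t_exp=5000)
    redirected = hlr.step3(b"VLR-B", b"IDM-1", 2000, 2001, cm2, now=2002)
    # 5.2.2: the old NH is replayed as the answer to the fresh request
    stale = ms.step5(n_h, now=2003)
    return {"honest": keys is not None, "replay": replay,
            "redirected": redirected, "stale_reply": stale}
```

run_demo() returns NH-derived keys for the honest run and None for the three rejected cases; each rejection happens at the check the corresponding paragraph of Section 5 relies on.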

5.3. DoS-resilient

In DoS attacks, attackers may flood the HLR with a large number of illegal access requests. Their aim is to consume critical resources in the HLR. By exhausting these critical resources, the attacker can prevent the HLR from serving legitimate users. In HLR-online authentication, for each access request S1(I) from an MS that has registered with the HLR, HLR has to perform two decryption operations and check the validity of the requester. These can easily be exploited by the attacker.

Using a digital signature approach, we improve a purely symmetric-key based scheme (with regard to MS) for mobile authentication so that it is robust against DoS attacks of this type. The basic idea, as adopted in [7], is to use a proxy signature along with mobile authentication. HLR performs a mobile authentication only when the proxy signature has been verified by a VLR.

The following steps describe the proxy signature verification procedure performed by a VLR. For the received request S1(I), VLR extracts CM, tM, and (R, s), and then checks their validity with the corresponding verification information (IDM, Γ, mw) of MS. If sP = H(01|CM|tM|R)Y ⊎ R, both CM|tM and its signature (R, s) are considered legitimate (i.e., unmodified). Otherwise, S1(I) is illegitimate. Employing the encryption algorithm, VLR constructs a request CV = [IDM, CM, tM, tV]K(V,H) for a legitimate S1(I), and sends it to the HLR. Thus, it is difficult for an attacker to launch an effective DoS attack against HLR.

5.4. Key agreement and the one-time session key

Consider the key agreement mechanism in the HLR-online authentication protocol. According to step (1), HLR receives a session key from MS. Since, in this phase, HLR authenticates both the MS and the VLR, the session key of a legal MS is forwarded only to the visited VLR, thus preserving the security of the session key. In contrast to some previous work [6,11,10,12], our design gives the MS a chance to set a session key according to its will.

In addition, the freshness of the session key is guaranteed by executing the HLR-offline authentication protocol. The exchanged message CM,ι = [tM,ι, skι]sk¹ι−1 provides a nonce tM,ι and a fresh session key skι, respectively. The fresh key skι is also chosen by the MS according to its will. The freshness of tM,ι and skι guarantees the freshness of the session key in each session key renewal.

We also compare our scheme to other contributory mobile authentication schemes, including the Lee–Yeh (LY) [6], Tang–Wu (TW) [7], Youn–Lim (YL) [12], and Lee et al.'s (LCHC) [11] schemes. The reason is that, in mobile authentication services, the LY scheme [6] is the most widely studied public-key based scheme, and the TW scheme [7] is a quite efficient public-key based scheme for mobile users. The schemes in [11,12] are enhanced authentication protocols based on the LY scheme.

Table 1 summarizes the security properties of the three schemes. The security properties against message en route attacks, false base station attacks, mobile DoS attacks to a base station, and mutual agreement of a one-time session key are denoted as SP1, SP2, SP3 and SP4, respectively. An entry ★ indicates that the sche me satisfies the requirement. Tang and Wu [7] showed that the LY scheme suffers from an impersonated-HLR attack such that the session key is compromised. Lu and Zhou [13] described a dishonest VLR in the TW scheme that obtains the communication key generated by MS. The above comparisons show that our protocol provides stronger security protection.

6. Performance analysis

According to practical scenarios, the computational time and the communication cost are reasonable for both HLR and VLR in the proposed scheme, since HLR does not need to perform any point arithmetic operation. Due to the limited computation power of mobile devices, the design of a mobile authentication scheme must pay attention to the details on the MS side, especially when trying to minimize the overhead of MS. Next, we analyze the computation time and communication cost on MS.

In order to explain the computation time and communication cost, some notations are defined as below: th: the time for a one-way function computation; ten: the time for a symmetric encryption; tde: the time for a symmetric decryption; tm: the time for a scalar point multiplication; tex: the time for a modular exponentiation; tno: the time for a nonce generation; |x|: the length of the binary string x.

In the trust delegation initialization (TDI) phase, MS requires 2th + 3tm computations for checking the correctness of (σ, mw, Γ). To complete an HLR-online authentication (HonA) process, MS requires 2th + tm + ten computations at step (1) and 2tde computations at step (5), respectively. In addition, MS requires 2th + tm + ten + tde computations for each HLR-offline authentication (HofA). However, since we introduce a one-time session key for encrypting messages, our protocol is beneficial because the security of a one-time session key is better than that of a repeatedly used key. Table 1 shows the computation costs of the five schemes. The time used to perform a symmetric encryption/decryption operation is negligible compared with the time needed to execute a public-key computation. Thus, our computation cost is almost identical to TW's.

Table 2. Communication costs comparison.

                      Our      YL [12]      LCHC [11]    TW [7]     LY [6]
TDI:  Round           2        2            2            2          2
      MS→VLR          128      0            0            128        0
      MS←VLR          160+w    1184         1184         160+w      1184
      Storage size    160+w    1184         160+w        1184       1184
HonA: Round           2        4            4            2          3
      MS→VLR          1086     3548         3408         1996+w     3648
      MS←VLR          384      2072         1152         576        608
      Storage size    80       256(1+n)     256(1+n)     80         416
HofA: Round           1        1            1            1          1
      MS→VLR          728      256          256          816+w      512
      Storage size    80       256(1+n−i)   256(1+n−i)   80         416

Here, w is the length of mw, and i denotes the number of off-line authentications.

We adopt SHA-256, which has a 256-bit output, to implement the one-way hash function. We also implement the random-number generator and the message authentication code function with SHA-256 in the scheme. In general, the length of the identity of every user is usually less than 128 bits. Thus, we let the length of the user's identity be 128 bits. Besides, the length of every random number produced by the random-number generator is 256 bits, and the length of every timestamp is about 60 bits. It is recommended that the security strength of |q| based on the ECDLP be no less than 160 bits [19, page 27], and the minimum security strength of the (|p|, |q|) pair based on the DLP is (1024, 160) [19, page 15]. The one-time session key of the block cipher can be set as short as |sk| = 80 bits [20] while the scheme still enjoys strong security. Table 2 shows the communication costs and storage sizes of the five schemes. In the HLR-online authentication, our design places a weaker requirement on the MS in communication cost and storage space than the others, especially in the uplink request to VLR. Our communication cost is greater than that of the schemes in [12,11] in the HLR-offline authentication. Compared to our design, a disadvantage of the protocols [12,11] is that an MS has to compute useless hash key chains in the face of online authentication failures. In practice, our protocol is appropriate for an MS that uses the services of different VLRs within a relatively short time.

7. Conclusions

We have proposed a secure and efficient mobile authentication scheme based on one-time secrets, and have analyzed its security properties. Compared to the existing schemes [7,6,11,12], not only does the proposed scheme reduce the communication and computation cost in HLR-online authentications, but the security of our scheme has also been improved.

Our results are thus encouraging, but there is room for improvement. Our future work includes privacy protection for mobile stations. We consider the task of improving the protocols given in [6,8,12] and designing additional ones to be an interesting line for further research.

Acknowledgments

This work was supported in part by the National Natural Science Foundation of China under grant 60773083, by the Provincial Natural Science Foundation of Guangdong under grants 2008B090500201, 2009B010-800023 and 2010B090400164, and by the Projects in the Scientific Innovation of Jinan University under grant 11611510. We thank the anonymous reviewers for their helpful comments.

Appendix I. Security proof of the proxy signature used in the proposed protocols

Tang and Wu [7] proposed a proxy signature scheme based on the elliptic curve discrete-logarithm problem (ECDLP). They employed the Schnorr signature scheme for both standard signing and delegation. Some modifications to their scheme are needed in order to simplify the proof of the protocols in Section 4. Our modifications do not affect the length of the signature produced, nor do they have a significant impact on performance.

Appendix I.1. ECDLP assumption and Schnorr signature scheme

We briefly review the ECDLP assumption as well as the Schnorr signature scheme.

Let Gecdl be a randomized polynomial algorithm which, on input 1^k, outputs a quintuple (p, q, P, G, E(Fp)), where p, q are primes such that |q| = k and q divides p−1, G is a cyclic group on an elliptic curve E(Fp) over some Galois (i.e., finite) field Fp, and P is a generator of G.

Definition 1. Given Gecdl as above, and for any algorithm A, define

\[
\mathrm{Adv}^{\mathrm{ecdl}}_{G_{\mathrm{ecdl}}}(k) = \Pr\big[(p,q,P,G,E(F_p)) \leftarrow G_{\mathrm{ecdl}}(1^k);\ Q \leftarrow G;\ x \leftarrow A(p,q,P,G,E(F_p),Q) : xP = Q\big].
\]

We say the ECDLP is hard for Gecdl if Adv^ecdl_Gecdl(k) is negligible for all PPT adversaries A. The ECDLP assumption is that there exists a Gecdl for which the ECDLP is hard. If G is a group output by some Gecdl for which the ECDLP is hard, we will sometimes (informally) say the ECDLP is hard in G.

A Schnorr signature scheme DS is a quadruple of PPT algorithms (G, K, S, V) such that

− sp ← G(1^k), where sp = {p, q, P, G, E(Fp)} is output by first running the algorithm Gecdl and then choosing a secure hash function H : {0,1}* → Zq.

− (sk, pk) ← K(sp), where pk = sk × P.

− (R, s) ← S(sk, M), where R = rP, s = sk × H(M|R) + r mod q, and r is a random number.

− b ← V(pk, M, (R, s)), where b ∈ {0,1}, and b = 1 if and only if sP = H(M|R) × pk ⊎ R.

We require that for all k, all (sk, pk) output by K(sp), all M, and all (R, s) output by S(sk, M), we have V(pk, M, (R, s)) = 1.

Definition 2. DS = (G, K, S, V) is a secure digital signature scheme if the following is negligible for all PPT adversaries A:

\[
\mathrm{Adv}^{\mathrm{cma}}_{DS}(k) = \Pr\big[sp \leftarrow G(1^k);\ (sk,pk) \leftarrow K(sp);\ (M,(R,s)) \leftarrow A^{S(sk,\cdot)}(sp,pk) : V(pk,M,(R,s)) = 1\big],
\]

where A makes some queries to S(sk, ·), and we require that M is not queried to the signing oracle S(sk, ·).

Lemma 1. Assuming (1) the ECDLP is hard for G and (2) H is a random oracle, the above Schnorr signature scheme DS is secure against adaptive chosen-message attacks.

Proof. Let Adv^cma_{DS,A}(k) be the probability that A breaks the above Schnorr signature scheme DS and achieves a forgery. Assume that Adv^cma_{DS,A}(k) is non-negligible. We will construct an algorithm B which can solve the ECDLP in G.

Let P be a generator of G. Given a point Q = xP ∈ G as a challenge to B, it aims to output the value x ∈ Zq*. The hash function H behaves as a random oracle.

B starts A on input 1^k. Let T1(k) denote the bound on the number of entities. B picks at random an i ∈ {1, ⋯, T1(k)}, guessing that A will succeed against entity i. B runs K(sp) to generate for each entity its private/public key pair, except for i. Entity i is given the public key Q, while the corresponding private key x is unknown to B. Entity i's signature on a message can be generated by querying the signing oracle S(sk, ·).

B can simulate entity i to respond to messages via the following oracles:

Hash queries: At any time, A can query H. B maintains a list Hlist of tuples (M, R, h), which is initially empty, and a query counter μ, which is initially set to 0. A provides a new pair (M, R) for a hash query by first choosing a message M and then computing R = rP, where r is a random number in Zq*. Upon a hash query (M, R) for which there exists a record (M, R, h) in Hlist, B returns h to A; otherwise, B uniformly chooses a random number h ∈ Zq* as the value of H(M|R), places (M, R, h) into Hlist, and returns h to A.

Signature queries: Proceeding adaptively, B answers A's queries to the signing oracle S(sk, ·). When A provides a query message M, B works as follows:

1. Randomly choose two numbers u, v ∈ Zq*, and compute R = uP ⊎ (−vQ);
2. Set s = u, H(M|R) = v, and place (M, R, v) into Hlist;
3. Return (R, s) as a signature on message M to A.

After A makes an H-hash query on (M, R) to get v = H(M|R), it can verify that (R, s) satisfies sP = vQ ⊎ R. Therefore, (R, s) is a valid signature on message M with respect to i's public key Q. Since R and s follow the uniform distribution, and H behaves as a random oracle, A cannot distinguish between B's responses and real life.

Output: Eventually, suppose A returns a forgery (M*, R*, s*), where (R*, s*) is a valid forgery on message M* with respect to the public key Q, distinct from any previously given signature.

According to the above, A can find a valid signature with non-negligible probability Adv^cma_{DS,A}(k). Then, by the forking lemma, A can output a new forgery (R*, s*′) on the same message M* under a different oracle H′(·), with non-negligible probability, such that H(M*|R*) ≠ H′(M*|R*) and s* ≠ s*′. From this, we get:

\[
s^* = x\,H(M^*|R^*) + r \bmod q, \qquad s^{*\prime} = x\,H'(M^*|R^*) + r \bmod q.
\]

Thus, B can solve for the private key:

\[
x = \frac{s^* - s^{*\prime}}{H(M^*|R^*) - H'(M^*|R^*)} \bmod q \qquad (1)
\]

which is just B's challenge x. The choice of i in algorithm B implies that with probability at least 1/T1(k) it 'hits' the entity attacked by A. Thus,

\[
\mathrm{Adv}^{\mathrm{ecdl}}_{G_{\mathrm{ecdl}},B}(k) \ge \frac{\mathrm{Adv}^{\mathrm{cma}}_{DS,A}(k)}{T_1(k)}.
\]

Since the ECDLP is assumed to be hard in G, Adv^ecdl_{Gecdl,B}(k) must be negligible. This contradicts the assumption that Adv^cma_{DS,A}(k) is non-negligible. Thus, we conclude that Adv^cma_{DS,A}(k) is negligible for all adversaries A. □

Appendix I.2. The proxy signature scheme and its security

We use a proxy signature to generate a trust delegation for some access decisions mw. This scheme allows a designated person, called a proxy signer, to sign on behalf of the original signer. Let IDM be the identity of the proxy signer. For Tang–Wu's proxy signature scheme [7], we now describe our modification.

Construction 1. Let DS = (G, K, S, V) be a Schnorr signature scheme, and Σ = (GT, KT, ST, VT, PS, PV) be a proxy signature scheme. All components of Σ are defined as follows:

1. The GT algorithm is that of DS: GT = G.

2. KT(sp): Run the algorithm K(sp), and output a pair of keys (sk, pk) for each original signer.

3. ST(sk, mw): Prepend "00" to the message IDM|mw. Run the algorithm S(sk, 00|IDM|mw), and output the result (Γ, σ). Then, Γ is public, and σ is sent to the proxy signer via a secure channel.

4. VT(pk, IDM, mw, (Γ, σ)): Run the algorithm V(pk, 00|IDM|mw, (Γ, σ)), and return a single bit b. If b = 1, the proxy key σ is accepted by the proxy signer.

5. PS(σ, M): Prepend "01" to the message M. Run the algorithm S(σ, 01|M) = (R, s), and output the proxy signature (R, s) if M ∈ mw.

6. PV(pk, IDM, mw, Γ, M, R, s): Check if M ∈ mw, run the algorithm V(pkp, 01|IDM|M, (R, s)), and return a single bit b. Here, pkp = H(00|IDM|mw|Γ) × pk ⊎ Γ.

The modification is classified as partial delegation in the proxy signature scheme. The original signer generates a warrant mw and a proxy secret key σ for the proxy signer. The warrant mw specifies the identities of both the original signer and the proxy signer, the range of messages to sign, the expiration time of the delegation of signing power, etc. The proxy signer can use the key σ to make digital signatures on behalf of the original signer, but cannot derive the original signer's private key x from it.
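Construction 1 and Eq. (1) from the proof of Lemma 1, as an added runnable example written for this page (not the authors' implementation): the original signer (HLR) delegates with ST, the proxy signer (MS) checks σ with VT and signs a warranted item with PS, and a verifier (VLR) rebuilds pkp = H(00|IDM|mw|Γ)·pk ⊎ Γ and runs PV, which is the signature filter of Section 5.3. Assumptions not fixed by the paper: secp256k1 as the curve, SHA-256 for H, the warrant encoded as a comma-separated list of permitted items, and the proxy-signed string taken as 01|M in both PS and PV. The last function carries out the key extraction of Eq. (1) on two signatures that share R; in the proof this is obtained by rewinding the forger, and in practice it is the reason the per-signature value r must never be reused.

```python
import hashlib
import secrets

# secp256k1 parameters (an assumption: the paper fixes no concrete curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p2 = -p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt with k reduced mod N."""
    result, addend, k = None, pt, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def H(msg, R):
    """H(M|R): SHA-256 over the message and the encoded point, reduced mod N."""
    data = msg + R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def schnorr_sign(sk, msg, r=None):
    """S(sk, M): R = rP, s = sk*H(M|R) + r mod q; r must be fresh for every signature."""
    r = r or secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    return (R, (sk * H(msg, R) + r) % N)


def schnorr_verify(pk, msg, sig):
    """V(pk, M, (R, s)): accept iff sP = H(M|R)*pk + R."""
    R, s = sig
    return ec_mul(s, G) == ec_add(ec_mul(H(msg, R), pk), R)


def warrant(id_m, mw):
    return b"00" + id_m + b"|" + mw                   # the "00" prefix marks delegations


def proxy_delegate(sk, id_m, mw, r=None):
    """ST(sk, mw) at the HLR: (Gamma, sigma) = S(sk, 00|IDM|mw); Gamma public, sigma secret."""
    return schnorr_sign(sk, warrant(id_m, mw), r)


def proxy_key_check(pk, id_m, mw, gamma, sigma):
    """VT at the MS: accept sigma iff sigma*P = H(00|IDM|mw|Gamma)*pk + Gamma."""
    return schnorr_verify(pk, warrant(id_m, mw), (gamma, sigma))


def proxy_public_key(pk, id_m, mw, gamma):
    """pkp = H(00|IDM|mw|Gamma)*pk + Gamma, which equals sigma*P."""
    return ec_add(ec_mul(H(warrant(id_m, mw), gamma), pk), gamma)


def proxy_sign(sigma, item, mw, r=None):
    """PS(sigma, M): sign 01|M only if M is listed in the warrant mw."""
    if item not in mw.split(b","):
        return None
    return schnorr_sign(sigma, b"01" + item, r)


def proxy_verify(pk, id_m, mw, gamma, item, sig):
    """PV at the VLR: rebuild pkp from the HLR's pk and the warrant, then run V."""
    if item not in mw.split(b","):
        return False
    return schnorr_verify(proxy_public_key(pk, id_m, mw, gamma), b"01" + item, sig)


def recover_key_from_fork(msg1, sig1, msg2, sig2):
    """Eq. (1): two signatures sharing R under different hash values give
    x = (s1 - s2)/(h1 - h2) mod q. A reused r turns the proof's thought experiment
    into a real key leak, so signing code must draw r afresh every time."""
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2:
        return None
    h1, h2 = H(msg1, R1), H(msg2, R2)
    if h1 == h2:
        return None
    return (s1 - s2) * pow((h1 - h2) % N, -1, N) % N
```

A verifier that rebuilds pkp from the warrant, as proxy_verify does, rejects a proxy signature presented under an altered warrant even when the signature itself is well formed, because a different mw yields a different pkp; that is the property Section 5.3 relies on when the VLR filters requests before involving the HLR.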

To prove the authenticity of our construction, we refer to the extended proxy signature model in [16,17]. A secure proxy signature should satisfy the following basic requirements:

1. The verifier can confirm the validity of both a proxy signer's message and an original signer's one.

2. A proxy signer can generate a valid proxy signature for the original signer. However, this cannot be done by a third party who is not a designated proxy signer.

3. The proxy signer cannot repudiate its generation once he generates a valid proxy signature.

4. The identity of the proxy signer generating a proxy signature can be determined by anyone.

5. The proxy signer cannot use the proxy key for other purposes that are unauthorized.

In the following, we mainly analyze whether the constructed scheme can work correctly and satisfy the basic security requirements.

Lemma 2. The constructed scheme is verifiable if the original signer, proxy signer and verifier all follow the protocol.

Proof. From the algorithms VT(pk, IDM, mw, (Γ, σ)) and PV(pk, IDM, mw, Γ, M, R, s), the constructed scheme satisfies the verification of authorization. □

We first prove that the proxy generation algorithm ST(sk, mw) is secure.

Lemma 3. If an existential forgery of the proxy secret key, under an adaptively chosen message attack, has non-negligible probability of success in the random oracle model, then the ECDLP in G can be solved in polynomial time.

Proof. This follows from Lemma 1. □

Let us focus on the security of the proxy signature algorithm PS(σ, M). Note that the proxy generation algorithm ST(sk, mw) has been proved secure in Lemma 3. Since the constructed proxy signature algorithm PS(σ, M) is derived from the Schnorr signature scheme DS, which is provably secure by Lemma 1, we have the following Lemma 4.

Lemma 4. Assuming that the ECDLP assumption holds in G, the constructed proxy signature algorithm PS(σ, M) is secure in the random oracle model.

Proof. From Lemma 3 and σ = sk × H(00|IDM|mw|Γ) + r mod q, we conclude that the proxy key σ is known only to the proxy signer and the original signer. Thus the constructed proxy signature algorithm PS(σ, M) can be regarded as a Schnorr signature S(σ, 01|M). Its security proof is then derived from that of the Schnorr signature scheme DS and Lemma 1. □

Since the warrant mw specifies the identities of the proxy signer, the range of messages to sign, the expiration time of the delegation of signing power, etc., the constructed scheme satisfies requirements 4 and 5. Combining Lemmas 2, 3 and 4, we get the following.

Theorem 1. Assuming (1) the ECDLP is hard for G and (2) H is a random oracle, the constructed proxy signature scheme Σ is secure.

Appendix I.3. Security proof of the protocol in Section 4.1

From Lemma 3, we can get the following theorem.

Theorem 2. The trust delegation initialization protocol in Section 4.1 is secure under the ECDLP assumption in the random oracle model.

Appendix II. Security proof of the proposed authentication protocols

Appendix II.1. Security model and formalization

In this section, we provide the security proof for the proposed authentication protocols in Sections 4.2 and 4.3. Let I be the set of the identities of the players who can participate in the protocol Π, and N be the set of positive integers. The oracle $\Pi_{i,j}^{s}$ models instance s of player i attempting to agree on a shared session key with player j. Our communication model and security notions follow the Wilson–Johnson–Menezes (WJM) model [21], i.e., the extension of the Bellare–Rogaway model [22] to asymmetric cryptosystems. In protocol Π, there are two partner oracles, $\Pi_{i,j}^{s}$ and $\Pi_{j,i}^{t}$, and an adversary A can control the entire network and obtain the data transmitted in past runs. We omit the description of the WJM model due to space limitations; the related concepts can be found in [21,22].

Let k denote the security parameter, and $\mathrm{No\text{-}matching}^{A}(k)$ be the event that there exist two protocol participants i and j such that $\Pi_{i,j}^{s}$ accepted, but there is no oracle $\Pi_{j,i}^{t}$ that engaged in a matching conversation. The formal definition of mutual authentication is given as follows.

Definition 3. A secure mutual authentication protocol [22]. A protocol Π is a secure mutual authentication protocol if for any PPT adversary A the following conditions hold: (1) if oracles $\Pi_{i,j}^{s}$ and $\Pi_{j,i}^{t}$ have matching conversations, then both oracles accept; (2) the probability of $\mathrm{No\text{-}matching}^{A}(k)$ is negligible.

Let us furthermore define the event $\mathrm{Distinguish}^{sk,A}(k)$, which means that an adversary A correctly guesses whether she/he has been given the real session key sk or a random number after the protocol has been performed and has terminated successfully, where k is a security parameter.

Definition 4. A secure mutual authentication and key exchange protocol [22]. A protocol Π is a secure mutual authentication and key exchange protocol if the following properties are satisfied: (1) Π is a secure mutual authentication protocol; (2) $\Pi_{i,j}^{s}$ and $\Pi_{j,i}^{t}$ hold the same session key after running successfully; (3) (indistinguishability) the probability $\mathrm{Distinguish}^{sk,A}(k) - \tfrac{1}{2}$ is negligible.

Next, we define the security primitives on which to base our proof.

Definition 5. The game for indistinguishability under the Chosen-Ciphertext Attack (IND-CCA). A challenger L and a PPT adversary A play the following game with a symmetric cryptosystem Π = (setup, E, D).

Step 1. L runs the setup algorithm and gives A the resulting public parameters. An encryption oracle $E_{sk}$ and a decryption oracle $D_{sk}$ are given a key sk; the oracles keep this key secret.

Step 2. A issues a sequence of encryption and decryption queries. Upon receiving an encryption query, denoted by m, L returns $\pi = E_{sk}(m)$ to A. Upon receiving a decryption query, denoted by π, L returns $\rho = D_{sk}(\pi)$ to A.

Challenge. A outputs a plaintext pair $(m_0^*, m_1^*)$. Upon receiving $(m_0^*, m_1^*)$, L randomly chooses $b \in \{0,1\}$ and computes the ciphertext $\pi^* = E_{sk}(m_b^*)$. Then, L returns $\pi^*$ to A.

Step 3. A issues a sequence of encryption and decryption queries as in Step 2, with the restriction that $\pi \neq \pi^*$.

Guess. Finally, A outputs $b' \in \{0,1\}$. If $b' = b$, A wins the game.

Such an adversary A is referred to as an IND-CCA adversary. We define the guessing advantage of the IND-CCA adversary A in the game as $\mathrm{Adv}^{\mathrm{IND\text{-}CCA}}_{\Pi}(A) = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.

Definition 6. IND-CCA security. A symmetric cryptosystem Π is said to have (t,ε)-IND-CCA security if no polynomial-time adversary A with running time t achieves guessing advantage $\mathrm{Adv}^{\mathrm{IND\text{-}CCA}}_{\Pi}(A) \geq \varepsilon$ in the game of Definition 5.

Definition 7. The game for unforgeability under Chosen Message Attacks [23]. We view a message authentication code as a function $F: \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^{l(k)}$ for some polynomial l(k). The function F takes as input a key $sk \in \{0,1\}^k$ and a message $m \in \{0,1\}^*$, and outputs a tag $\mu = F_{sk}(m)$. The chosen message attack (CMA) game is defined as follows:

Step 1. A key is selected uniformly at random, $sk \leftarrow_R \{0,1\}^k$.

Step 2. The adversary A is given $\mu_\varsigma = F_{sk}(m_\varsigma)$ for adversarially chosen $m_\varsigma$, where ς = 1, …, d.

Step 3. A outputs a pair $(m^*, \mu^*)$. We say that $(m^*, \mu^*)$ is a forgery if $m^* \neq m_\varsigma$ for every ς and $\mu^* = F_{sk}(m^*)$.

More formally, we define the success probability of A in the CMA1 game as:

$\mathrm{Succ}^{\mathrm{euf\text{-}cma1}}_{MAC,A}(k) := \Pr\left[ sk \leftarrow_R \{0,1\}^k;\ (m^*, \mu^*) \leftarrow A^{F_{sk}(\cdot)}(1^k) : \mu^* = F_{sk}(m^*) \wedge \neg F_{sk}(m^*) \right],$

where $\neg F_{sk}(m^*)$ denotes that $m^*$ was never queried to the oracle $F_{sk}(\cdot)$.

We say that MAC is existentially unforgeable under chosen message attacks (EUF-CMA) if $\mathrm{Succ}^{\mathrm{euf\text{-}cma1}}_{MAC,A}(k)$ is negligible for any PPT adversary A.

Definition 8. EUF-CMA security. A message authentication code F is said to have (t,ε)-EUF-CMA security if no polynomial-time adversary A with running time t achieves success probability $\mathrm{Succ}^{\mathrm{euf\text{-}cma1}}_{MAC,A}(k) \geq \varepsilon$ in the game of Definition 7.

Appendix II.2. Security proof of protocol in Section 4.2

In this section, we prove the authenticity of protocol Π in Section 4.2 by appealing to Definition 5 and using techniques similar to those in [10].

We start by proving the security of mutual authentication between the instances of VLR and HLR. Note that the mutual authentication between VLR and HLR does not depend on the honesty of MS, which can be corrupted by the adversary A. Using the same proof as in Lemma 1 of [10], we can prove the following lemma:


Lemma 5. The proposed protocol Π in Section 4.2 is a secure mutual authentication protocol between VLR and HLR in the random oracle model, provided that the symmetric cryptosystem used is a secure pseudorandom permutation.

Our next proof aims to establish the security of mutual authentication between the instances of MS and the system (VLR and HLR). The proof is divided into two steps. First, we prove that if the proxy signature scheme employed in Π is secure, then no accepted initiator oracle without a matching conversation can be found. Second, we prove that if the symmetric cryptosystem used has IND-CCA security, then no accepted responder oracle without a matching conversation can be found. An initiator oracle is one that plays the role of MS in the description of protocol Π, that is, it sends out the first flow. A responder oracle, which receives a flow to start, is one that plays the role of the system (VLR and HLR).

Lemma 6. The proposed protocol in Section 4.2 is a secure mutual authentication protocol for MS and the system (VLR and HLR) under the assumption that the message authentication code and the proxy signature are secure.

Proof. The former condition in Definition 5 follows immediately from the description of Π in Section 4.2. To prove the lemma, we show that $\Pr[\mathrm{No\text{-}matching}^{A}(k)]$ is negligible by finding a reduction to the security of the encryption scheme and the proxy signature scheme.

Assume that $T_1(k)$ denotes the bound on the number of MS entities, $T_2(k)$ the bound on the number of systems, and $T_3(k)$ the bound on the number of sessions. Let $E_\sigma$ be an encryption function and $F_\sigma$ a one-way function, both using key σ. For the event $\mathrm{No\text{-}matching}^{A}(k)$, the proof is divided into two cases, since the adversary A can gain her advantage against the protocol either by breaking the IND-CCA security or without breaking it. The proof assumes that there exists an adversary A with a non-negligible advantage against the protocol, and shows that this implies that either the encryption scheme or the proxy signature scheme is insecure.

Case 1: Let $\Pr[\mathrm{No\text{-}matching}^{A}(k)] = n_1(k)$ be the probability that A succeeds against at least one initiator oracle. That is, at some stage A asks a query Send($\Pi_{i,j}^{s}$, j, CHM) of some fresh oracle $\Pi_{i,j}^{s}$ such that $\Pi_{i,j}^{s}$ accepts, but CHM was not previously output by a fresh oracle. If $n_1(k)$ is non-negligible, we can construct an EUF-CMA1 adversary B of Definition 8 from A.

Setup: B picks at random an instance $\Pi_{i,j}^{s}$, where MS $i \in \{1,2,\cdots,T_1(k)\}$, system $j \in \{1,2,\cdots,T_2(k)\}$ and $s \in \{1,\cdots,T_3(k)\}$. $\Pi_{i,j}^{s}$ is B's guess at which A will succeed against the EUF-CMA1 security. For each MS in $\{1,2,\cdots,T_1(k)\} \setminus \{i\}$, B gets the shared encryption keys with all systems including j. The shared encryption key σ between i and j is unknown to B. B is provided permanent access to the oracles $F_\sigma$, $E_\sigma$ and $D_\sigma$ associated with the shared key σ throughout the game. If a proxy signature of i is needed, the result is obtained from the signing oracle PS(σ, ⋅).

Queries: B runs A and answers all oracle queries from A. In the execution, B has oracle access to PS(σ, ⋅), $F_\sigma$, $E_\sigma$ and $D_\sigma$. Thus, B can simulate a user and the system to respond to A's messages via the following oracles:

H is answered at random, just as a real random oracle would be. B answers Send and Execute queries according to the specification of Π, except for Send($\Pi_{i,j}$, M) and Execute($\Pi_{i,j}$, $\Pi_{j,i}$). To answer such queries, instead of generating the required message with σ, B appeals to its own oracles on behalf of $\Pi_{j,i}$, and decides whether $\Pi_{i,j}$ and $\Pi_{j,i}$ should accept.

Output: If A does not invoke $\Pi_{i,j}$ as an initiator oracle, then B aborts.

Otherwise, A does invoke $\Pi_{i,j}^{s}$ as an initiator oracle. That is, $\Pi_{i,j}^{s}$ sends a request $\{i, j, C_i, t_i, (R,s)\}$ to A at time $\tau_0$, where $C_i = [sk, T_{exp}, N_i]$. Then, at some time $\tau_2$, $\Pi_{i,j}^{s}$ receives the second message from the adversary A. If $\Pi_{i,j}^{s}$ is to accept, the received message must have the form $M' = \{j, [N_H]_\sigma\}$, where $N_H = F_\sigma(j, sk, t_i)$. In this event, if A has not queried its oracle $F_\sigma(\cdot)$ on $(j, sk, t_i)$, then B stops and outputs $((j, sk, t_i), N_H)$ as a valid forgery. If B has previously called its oracle to compute the value, then B gives up.

Analysis: $\Pi_{i,j}^{s}$ is the random choice of B. The probability that $\Pi_{i,j}^{s}$ is the party for whom A generates a forgery (if A generates any forgery at all) is at least $\frac{1}{T_1(k)T_2(k)T_3(k)}$.

Suppose that $((j, sk, t_i), N_H)$ was never output by the oracle $F_\sigma(\cdot)$ between times $\tau_0$ and $\tau_2$. Since $N_H$ is a random l-bit string produced at time $\tau_1$ by a MAC oracle, the probability that $N_H$ was queried of $F_\sigma(\cdot)$ before time $\tau_0$ is at most $T_3(k) \cdot \frac{1}{2^l}$. The probability that A succeeds against at least one responder oracle is $n_2(k)$. Hence, the success probability of B is:

$\mathrm{Succ}^{\mathrm{euf\text{-}cma1}}_{MAC,B}(k) \geq \frac{n_1(k)}{T_1(k)T_2(k)T_3(k)} - \frac{T_3(k)}{2^l}.$

We conclude that B succeeds in forgery with non-negligible probability.

Case 2: Let $\Pr[\mathrm{No\text{-}matching}^{A}(k)] = n_2(k)$ be the probability that A succeeds against at least one responder oracle. That is, at some stage A asks a query Send($\Pi_{j,i}^{t}$, i, $C_i$, $t_i$, (R,s)) of some fresh oracle $\Pi_{j,i}^{t}$ such that $\Pi_{j,i}^{t}$ accepts, but $(C_i | t_i, (R,s))$ was not previously output by a fresh oracle. If $n_2(k)$ is non-negligible, we can construct a proxy signature adversary B of Definition 2 from A.

Setup: Assume that the adversary A works against a single honest user, say user 0. B is provided permanent access to two oracles, $F_\sigma$ and $D_\sigma$, associated with the shared delegation key σ throughout the game. B randomly chooses a system $j \in \{1,2,\cdots,T_2(k)\}$, an MS $i \in \{1,2,\cdots,T_1(k)\}$, and $s \in \{1,\cdots,T_3(k)\}$. $\Pi_{j,i}^{t}$ is B's guess at which party A will choose for the proxy signature forgery.

For each system in $\{1,2,\cdots,T_2(k)\} \setminus \{j\}$, B gets the shared delegation keys with all MSs including i. The corresponding public information and the system public key are published.

There is a shared delegation key σ between i and j, where σ is unknown to B. The public key of j is Y, and σ's verification key is $(i, m_w, \Gamma)$.

By appealing to the signing oracle PS(σ, ⋅), B can generate a proxy signature under the delegation key σ. Again, B is provided permanent access to the oracles $F_\sigma$, $E_\sigma$ and $D_\sigma$ associated with the shared key σ throughout the game.

Queries: Now B starts executing the experiment of running the protocol Π using A. B has oracle access to PS(σ, ⋅), $F_\sigma(\cdot)$, $E_\sigma(\cdot)$ and $D_\sigma(\cdot)$. Via the oracle queries as in Case 1 and Definition 3, B can simulate a user and the system to respond to A's messages.

Output: If A does not invoke the system $\Pi_{j,i}^{s}$ as a responder oracle, then B gives up. Otherwise, if A does invoke $\Pi_{j,i}^{s}$ as a responder oracle, then at some time $\tau_1$, $\Pi_{i,j}^{s}$ receives the first message from the adversary A. If $\Pi_{j,i}^{s}$ is to accept, the received message must have the form $M' = \{i, j, C_i, t_i, (R,s)\}$. In this event, if A has not queried its proxy signature oracle PS(σ, ⋅) on $C_i$, then B stops and outputs $C_i$ together with (R,s) as a valid proxy signature forgery. If B has previously called its proxy signature oracle to compute the flow, then B gives up.

Analysis: Suppose A does succeed against responder $\Pi_{i,j}^{s}$. In this event, B outputs a valid forgery and wins its experiment, provided that B has not previously called its proxy signature oracle to make $\Pi_{j,i}^{s}$ accept.


Suppose that $(C_i | t_i, (R,s))$ was never output by the oracle PS(σ, ⋅) between times $\tau_0$ and $\tau_1$. Since $C_i$ is a random k-bit string produced at time $\tau_1$ by an (uncorrupted) encryption oracle, the probability that $C_i$ was queried of PS(σ, ⋅) before time $\tau_0$ is at most $T_3(k) \cdot \frac{1}{2^k}$.

B's random choices of i, j and t in the above game imply that B "hit" the correct oracle with probability at least $\frac{1}{T_1(k)T_2(k)T_3(k)}$. Again, the probability that A succeeds against at least one responder oracle is $n_2(k)$. Thus, the probability of B outputting a valid forgery is at least $\frac{n_2(k)}{T_1(k)T_2(k)T_3(k)} - \frac{T_3(k)}{2^k}$. We conclude that B succeeds in forgery with non-negligible probability.

Considering Cases 1 and 2 together, we have that $n(k) = n_1(k) + n_2(k)$ is negligible, which contradicts the assumption that n(k) is non-negligible. Thus, we conclude that $\Pr[\mathrm{No\text{-}matching}^{A}(k)]$ is negligible for any PPT adversary A. □

Combining Theorem 1 and Lemmas 5 and 6, we have:

Theorem 3. Assuming (1) ECDLP is hard for the group G, (2) the underlying pseudorandom function and the message authentication code are secure, and (3) the underlying symmetric cryptosystem has IND-CCA security, the protocol proposed in Section 4.2 is a secure mutual authentication and key exchange protocol.

Proof. Assume that a PPT adversary A has a non-negligible advantage $\left|\mathrm{Distinguish}^{sk,A}(k) - \tfrac{1}{2}\right| \geq \varepsilon$. We will construct an IND-CCA adversary B that plays the game in Definition 5 with challenger L.

Setup: B picks at random an instance $\Pi_{i,j}^{s}$, where MS $i \in \{1,2,\cdots,T_1(k)\}$, system $j \in \{1,2,\cdots,T_2(k)\}$ and $s \in \{1,\cdots,T_3(k)\}$. $\Pi_{i,j}^{s}$ is B's guess at which A will succeed against the IND-CCA security.

For each MS in $\{1,2,\cdots,T_1(k)\} \setminus \{i\}$, B gets the shared encryption keys with all systems including j.

The shared encryption key σ between i and j is unknown to B. B is provided permanent access to the oracles $F_\sigma$, $E_\sigma$ and $D_\sigma$ associated with the shared key σ throughout the game. If a proxy signature of i is needed, the result is obtained from the signing oracle PS(σ, ⋅).

Queries: B runs A and answers all oracle queries from A. In the execution, B has oracle access to PS(σ, ⋅), $F_\sigma$, $E_\sigma$ and $D_\sigma$. Thus, B can simulate a user and the system to respond to A's messages via the following oracles:

H is answered at random, just as a real random oracle would be. B answers Send and Execute queries according to the specification of Π, except for Send($\Pi_{i,j}$, M) and Execute($\Pi_{i,j}$, $\Pi_{j,i}$). To answer such queries, instead of generating the required message with σ, B appeals to its own oracles on behalf of $\Pi_{j,i}$, and decides whether $\Pi_{i,j}$ and $\Pi_{j,i}$ should accept.

Output: If A does not invoke $\Pi_{i,j}$ as an initiator oracle, then B aborts. Otherwise, if A invokes $\Pi_{i,j}$ as an initiator oracle, then at some time $\tau_0$, $\Pi_{i,j}$ receives λ and calls the challenger L to output a challenge $\{i, j, C_i, t_i, (R,s)\}$. Concretely, $\Pi_{i,j}$, which is a part of B, sends a pair of random session keys $(sk_0, sk_1)$ to L, where $sk_0 \neq sk_1$. L inputs $sk_0$ or $sk_1$ to $F_\sigma(\cdot)$ and $E_\sigma(\cdot)$ according to the value of a random bit b, and obtains the values $N_i = F_\sigma(j | t_i)$ and $C_i = E_\sigma(sk_b | T_{exp} | N_i)$. Here, $T_{exp}$ is the session-key expiration time. Then, L outputs $C_i$ to B. By querying the oracle PS(σ, ⋅), B generates the proxy signature (R,s) for $C_i | t_i$, and sends $\{i, j, C_i, t_i, (R,s)\}$ to A.

Guess: If $\Pi_{i,j}$ is to accept, it must later receive a flow of the form $\{j, E_\sigma(N_j)\}$. In this event, if B has previously called its encryption/decryption oracles to compute $E_\sigma(N_j)$, then B aborts. Otherwise, B inputs $E_\sigma(N_j)$ to $D_\sigma(\cdot)$ and obtains $N_j$. If $N_j = F_\sigma(j, sk_0, t_i)$, B outputs $b' = 0$; otherwise, it randomly chooses $b' \in \{0,1\}$ and outputs $b'$.

Analysis: To finish, we show the success probability of B in breaking IND-CCA security, given the adversary A with advantage ε(k).

The probability that B does not abort is $\Pr[\overline{\mathrm{abort}}] = \frac{1}{T_1(k)T_2(k)T_3(k)}$. If neither abort event occurs, then B succeeds only if it can guess the value of b used in the challenge. The preceding discussion implies that $\Pr[b' = b \mid \overline{\mathrm{abort}} \wedge b = 0] = \tfrac{1}{2} + \varepsilon$ and $\Pr[b' = b \mid \overline{\mathrm{abort}} \wedge b = 1] = \tfrac{1}{2}$. Again,

$\Pr[b' = b] = \Pr[b' = b \mid \mathrm{abort}]\Pr[\mathrm{abort}] + \Pr[b' = b \mid \overline{\mathrm{abort}}]\Pr[\overline{\mathrm{abort}}],$

and

$\Pr[b' = b \mid \overline{\mathrm{abort}}] = \tfrac{1}{2}\Pr[b' = b \mid \overline{\mathrm{abort}} \wedge b = 0] + \tfrac{1}{2}\Pr[b' = b \mid \overline{\mathrm{abort}} \wedge b = 1].$

Thus, we have

$\Pr[b' = b] = \tfrac{1}{2}\left(1 - \frac{1}{T_1(k)T_2(k)T_3(k)}\right) + \left[\tfrac{1}{2}\left(\tfrac{1}{2} + \varepsilon\right) + \tfrac{1}{2}\cdot\tfrac{1}{2}\right]\frac{1}{T_1(k)T_2(k)T_3(k)} = \tfrac{1}{2} + \frac{\varepsilon}{2T_1(k)T_2(k)T_3(k)}.$

That is, the guessing advantage in the game of Definition 6 is $\left|\Pr[b' = b] - \tfrac{1}{2}\right| = \frac{\varepsilon}{2T_1(k)T_2(k)T_3(k)}$. Therefore, B can break the IND-CCA security with $\varepsilon' = \frac{\varepsilon}{2T_1(k)T_2(k)T_3(k)}$.

Finally, by Definition 4 and Lemmas 5 and 6, Theorem 2 holds. □
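As an added illustration of the two flows that the reductions in Lemma 6 and Theorem 3 argue about (this is constructed example code, not the paper's implementation): a Python toy model in which $F_\sigma$ is HMAC-SHA256, $E_\sigma$/$D_\sigma$ is an encrypt-then-MAC stand-in for the IND-CCA-secure symmetric cryptosystem, and the proxy signature (R,s) on $C_i|t_i$ is left out. The responder's check that $N_i = F_\sigma(j|t_i)$ binds $C_i$ to its partner and time, and the initiator's check of $N_H = F_\sigma(j, sk, t_i)$, are exactly the acceptance events whose forgery the proofs reduce to.

```python
"""Toy model of the MS/system flows analysed in Lemma 6 and Theorem 3.

Constructed example (not the paper's code): F_sigma is HMAC-SHA256,
E_sigma/D_sigma is an encrypt-then-MAC scheme built from the same HMAC
(a stand-in for the page's IND-CCA-secure symmetric cryptosystem), and
the proxy signature (R, s) on C_i|t_i is left out.
"""
import hashlib
import hmac
import secrets

SK_LEN, TEXP_LEN, TAG_LEN, IV_LEN = 16, 8, 32, 16


def _enc(*parts: bytes) -> bytes:
    """Unambiguous encoding of a tuple: 2-byte length prefix per part."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def F(sigma: bytes, *parts: bytes) -> bytes:
    """Keyed one-way function / MAC F_sigma(.) used for N_i and N_H."""
    return hmac.new(sigma, _enc(*parts), hashlib.sha256).digest()


def _keystream(sigma: bytes, iv: bytes, n: int) -> bytes:
    """n bytes of HMAC-derived keystream bound to iv (counter mode)."""
    blocks = (n + TAG_LEN - 1) // TAG_LEN
    ks = b"".join(F(sigma, b"ks", iv, c.to_bytes(4, "big")) for c in range(blocks))
    return ks[:n]


def E(sigma: bytes, pt: bytes) -> bytes:
    """E_sigma: fresh IV, XOR with keystream, then MAC over IV||ciphertext."""
    iv = secrets.token_bytes(IV_LEN)
    body = iv + bytes(a ^ b for a, b in zip(pt, _keystream(sigma, iv, len(pt))))
    return body + F(sigma, b"mac", body)


def D(sigma: bytes, ct: bytes):
    """D_sigma: plaintext, or None when the ciphertext was altered (MAC checked first)."""
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if len(body) < IV_LEN or not hmac.compare_digest(tag, F(sigma, b"mac", body)):
        return None
    iv, c = body[:IV_LEN], body[IV_LEN:]
    return bytes(a ^ b for a, b in zip(c, _keystream(sigma, iv, len(c))))


def initiator_request(sigma, i, j, sk, t_exp, t_i):
    """MS flow 1: {i, j, C_i, t_i} with N_i = F_sigma(j|t_i), C_i = E_sigma(sk|T_exp|N_i)."""
    n_i = F(sigma, j, t_i)
    return (i, j, E(sigma, sk + t_exp.to_bytes(TEXP_LEN, "big") + n_i), t_i)


def responder_accept(sigma, j, c_i, t_i):
    """System side: decrypt C_i and check N_i binds it to (j, t_i); reply {j, N_H} or None."""
    pt = D(sigma, c_i)
    if pt is None or len(pt) != SK_LEN + TEXP_LEN + TAG_LEN:
        return None
    sk, n_i = pt[:SK_LEN], pt[SK_LEN + TEXP_LEN:]
    if not hmac.compare_digest(n_i, F(sigma, j, t_i)):
        return None  # C_i was produced for another partner or another t_i
    return (j, F(sigma, j, sk, t_i))  # N_H = F_sigma(j, sk, t_i)


def initiator_verify(sigma, j, sk, t_i, n_h) -> bool:
    """MS accepts only if N_H matches its own (j, sk, t_i): the matching conversation."""
    return hmac.compare_digest(n_h, F(sigma, j, sk, t_i))


def run_session(sigma, i, j, sk, t_exp, t_i) -> bool:
    """Honest run of both flows; True iff initiator and responder both accept."""
    _, _, c_i, _ = initiator_request(sigma, i, j, sk, t_exp, t_i)
    reply = responder_accept(sigma, j, c_i, t_i)
    return reply is not None and initiator_verify(sigma, j, sk, t_i, reply[1])
```

A flow whose $C_i$ is redirected to another system, reused under a different $t_i$, or altered in transit is rejected by the responder, and an $N_H$ from another session fails the initiator's check, which is the "no accepted oracle without a matching conversation" condition of Definition 3 in miniature.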

Appendix II.3. Security proof of protocol in Section 4.3

Lemma 7. The proposed protocol in Section 4.3 is a secure mutual authentication protocol under the assumption that the message authentication code and the proxy signature are secure.

Proof. The former condition in Definition 3 follows immediately from the description of Π in Section 3. By finding a reduction to the security of the message authentication code and the proxy signature scheme, we show that $\Pr[\mathrm{No\text{-}matching}^{A}(k)]$ is negligible. If we regard $sk_{\iota-1}^{1}$ as σ for the oracles F, E and D, then the proof is similar to that of Lemma 6. □

Theorem 4. Assuming (1) ECDLP is hard for the group G, (2) the message authentication code is secure, and (3) the underlying symmetric cryptosystem has IND-CCA security, the protocol proposed in Section 4.3 is a secure mutual authentication protocol.

Proof. By finding a reduction to the security of the encryption scheme, we show that $\Pr[\mathrm{No\text{-}matching}^{A}(k)]$ is negligible. The proof is the same as that of Theorem 2. Then, by Definition 4 and Lemma 7, Theorem 3 holds. □

References

[1] R.M. Needham, M.D. Schroeder, Using encryption for authentication in large networks of computers, Communications of the ACM 21 (12) (1978) 993–999.

[2] R. Molva, D. Samfat, G. Tsudik, Authentication of mobile users, IEEE Network, Special Issue on Mobile Communications 8 (2) (1994) 26–34.

[3] M. Toorani, A.A. Beheshti Shirazi, Solutions to the GSM security weaknesses, in: NGMAST '08: The Second International Conference on Next Generation Mobile Applications, Services and Technologies, 2008, pp. 576–581.

[4] L. Buttyan, C. Gbaguidi, S. Staamann, U. Wilhelm, Extensions to an authentication technique proposed for the global mobility network, IEEE Transactions on Communications 48 (3) (2000) 373–376.

[5] Y. Jiang, C. Lin, X. Shen, M. Shi, Mutual authentication and key exchange protocols for roaming services in wireless mobile networks, IEEE Transactions on Wireless Communications 5 (9) (2006) 2569–2577.

[6] W.-B. Lee, C.-K. Yeh, A new delegation-based authentication protocol for use in portable communication systems, IEEE Transactions on Wireless Communications 4 (1) (2005) 57–64.

[7] C. Tang, D.O. Wu, An efficient mobile authentication for wireless networks, IEEE Transactions on Wireless Communications 7 (4) (2008) 1408–1416.

[8] C. Tang, D.O. Wu, Mobile privacy in wireless networks revisited, IEEE Transactions on Wireless Communications 7 (3) (2008) 1035–1042.

[9] K.F. Hwang, C.C. Chang, A self-encryption mechanism for authentication of roaming and teleconference services, IEEE Transactions on Wireless Communications 2 (2) (2003) 400–407.

[10] C.-I. Fan, P.-H. Ho, R.-H. Hsu, Provably secure nested one-time secret mechanisms for fast mutual authentication and key exchange in mobile communications, IEEE/ACM Transactions on Networking 18 (3) (2010) 996–1094.

[11] T.-F. Lee, S.-H. Chang, T. Hwang, S.-K. Chong, Enhanced delegation-based authentication protocol for PCSs, IEEE Transactions on Wireless Communications 8 (5) (2009) 2166–2171.

[12] T.-Y. Youn, J. Lim, Improved delegation-based authentication protocol for secure roaming service with unlinkability, IEEE Communications Letters 14 (9) (2010) 791–793.


[13] J. Lu, J. Zhou, The security of an efficient mobile authentication scheme for wireless networks, in: WiCOM 2010: 6th International Conference on Wireless Communications, Networking and Mobile Computing, 2010, pp. 1–3.

[14] D. Dolev, C. Dwork, M. Naor, Nonmalleable cryptography, SIAM Journal on Computing 30 (2) (2000) 391–437.

[15] A. Kehne, J. Schönwälder, H. Langendörfer, A nonce-based protocol for multiple authentication, Operating Systems Review 26 (4) (1992) 84–89.

[16] T. Okamoto, M. Tada, E. Okamoto, Extended proxy signature for smart card, in: ISW '99: Proceedings of the Second International Workshop on Information Security, Springer-Verlag, London, UK, 1999, pp. 247–258.

[17] R. Lu, D. Dong, Z. Cao, Designing efficient proxy signature schemes for mobile communication, Science in China Series F: Information Sciences 51 (2) (2008) 183–195.

[18] FIPS PUB 197: Advanced Encryption Standard (AES), National Institute of Standards and Technology, 2001.

[19] NIST FIPS PUB 186-3, Digital Signature Standard (DSS), U.S. Department of Commerce, 2009.

[20] D. Hankerson, J.L. Hernandez, A. Menezes, Software implementation of elliptic curve cryptography over binary fields, in: Proceedings of CHES 2000, LNCS 1965, Springer-Verlag, 2000, pp. 1–24.

[21] S. Blake-Wilson, D. Johnson, A. Menezes, Key agreement protocols and their security analysis, in: Proc. 6th IMA Int. Conf. on Cryptography and Coding, 1997, pp. 30–45.

[22] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS '93), 1993, pp. 62–73.

[23] M. Manulis, J. Schwenk, Security model and framework for information aggregation in sensor networks, ACM Transactions on Sensor Networks 5 (2) (2009) Article 13.

Jian-Zhu Lu was born in Hunan, China. He received the M.S. degree in application mathematics from Guangxi University, Nanning, China, in 1992, and the Ph.D. degree in Computing Mathematics from Sun Yat-sen University, Guangzhou, China, in 1998. In 1998, he joined the faculty of the Department of Computer Science, Jinan University, Guangzhou, China, and is now an Associate Professor. He has published over 40 papers in journals, books, and conference proceedings. His current research interests include information security, cryptographic protocols, wireless security, and electronic commerce.