A Secure Authentication Scheme with Anonymity for Wireless Communications IEEE COMMUNICATIONS LETTERS, VOL. 12, NO. 10, OCTOBER 2008 Chia-Chun Wu, Wei-Bin Lee, and Woei-Jiunn Tsaur Speaker : Hong Ji Wei
Outline 1. Introduction 2. Review of Lee, Hwang and Liao's Scheme 3. Improved Scheme 4. Security Analysis 5. Conclusion
1. Introduction What does anonymity mean? [Figure: a hacker intercepting the communication between a user and a server]
2. Review of Lee, Hwang and Liao's Scheme [Figure: network diagram with routers R1, R2, R3 and the Internet; HA in the Home Network, FA and MU in the Visited Network, plus an Other Subnet]
Their scheme can be divided into three phases: 1. Initial Phase: HA delivers a password and a smart card to MU through a secure channel. 2. First Phase: FA authenticates to MU and establishes a session key. 3. Second Phase: MU visits FA, and FA serves MU.
Symbols
MU : Mobile User
HA : Home Agent of a mobile user
FA : Foreign Agent of the network
$ID_A$ : Identity of A
$T_A$ : Timestamp of A
$Cert_A$ : Certificate of A
$(X)_K$ : Symmetric Encryption
$E_K(X)$ : Asymmetric Encryption
$h(X)$ : Hash X using hash function
$PW_A$ : Password of A
Initial Phase [Figure: registration between MU and HA over a secure channel. Labels: $ID_{MU}$; $PW_{MU} = h(N \| ID_{MU})$; $PW_{MU}, r, ID_{HA}, h(\cdot)$]
First Phase [Figure: message flow among MU, FA and HA] FA decrypts W using $E_{S_{FA}}$
Second Phase [Figure: authentication between MU and FA] In order to enhance the efficiency, while MU stays with the same FA, the new session key $k_i$ can be derived from the unexpired previous secret knowledge $x_{i-1}$ and a fixed secret $x$ as
Weakness 1. Anonymity: From Step 3 of the first phase, it is obvious that FA can obtain the parameter W from HA, and then decrypt it to obtain $h(ID_{MU})$. In general, a user’s identity is short and has a certain format. That is, FA can launch an off-line guessing attack to find out the real identity of MU, and therefore defeat the anonymity service.
2. Backward secrecy: In Lee et al.’s scheme, if the session keys $k_{i-1}$ and $k_i$ are known, $x_{i-1}$ and $x_i$ can be computed from $(x_{i-1} \| TCert_{MU} \| OtherInformation)_{k_{i-1}}$ and $(x_i \| TCert_{MU} \| OtherInformation)_{k_i}$. Then the secret $h(ID_{MU} \| x)$ can be derived without any problem from $k_i = h(ID_{MU} \| x) \oplus x_{i-1}$. Consequently, the next session key $k_{i+1} = h(ID_{MU} \| x) \oplus x_i$ can be easily computed.
3. Improved Scheme: Because the originally received value $h(ID_{MU})$ can be used as evidence to check whether a guessed identity is correct, this value needs to be modified in a way that makes it un-comparable. To do so, we set $W = E_{P_{FA}}(h(h(N \| ID_{MU})) \| x_0 \| x)$ instead of the old one in Step 3 of the first phase. Moreover, in order to accomplish backward secrecy, the corresponding session key $k_i$ will be $k_i = h(h(h(N \| ID_{MU})) \| x \| x_{i-1}) = h(h(PW_{MU}) \| x \| x_{i-1})$
First Phase [Figure: message flow among MU, FA and HA] FA decrypts W using $E_{S_{FA}}$
Second Phase [Figure: authentication between MU and FA]
4. Security Analysis 1. Our improved scheme can achieve anonymity: FA obtains $h(h(N \| ID_{MU}))$ instead of $h(ID_{MU})$. Therefore, FA has no way of verifying whether the guessed identity is correct or not without the secret value N. Besides, deriving $h(N \| ID_{MU})$ from $h(h(N \| ID_{MU}))$ is also intractable if $h(\cdot)$ is a secure hash function such as SHA. 2. Our improved scheme can achieve backward secrecy: If an attacker knows the session keys $k_{i-1}$ and $k_i$, then $x_{i-1}$ will be obtained. The attacker can try to compute $h(PW_{MU}) \| x$ using $x_{i-1}$, but he/she still does not know $ID_{MU}$.
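Added example (not from the paper or the slides): a Python comparison of the two session-key derivations from the Weakness and Improved Scheme slides, showing that the XOR form lets $k_{i+1}$ be computed from $k_i$, $x_{i-1}$ and $x_i$, while the hashed form does not. SHA-256 for $h(\cdot)$, the length-prefixed encoding of $\|$, and all sample values are assumptions of this example.

```python
import hashlib


def h(*parts: bytes) -> bytes:
    """h(.) over concatenated fields; SHA-256 and length prefixes are assumptions."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def old_key(id_mu: bytes, x: bytes, x_prev: bytes) -> bytes:
    # Lee et al.: k_i = h(ID_MU || x) XOR x_{i-1}
    return xor(h(id_mu, x), x_prev)


def improved_key(pw_mu: bytes, x: bytes, x_prev: bytes) -> bytes:
    # Improved scheme: k_i = h(h(PW_MU) || x || x_{i-1}), PW_MU = h(N || ID_MU)
    return h(h(pw_mu), x, x_prev)


def predict_next_by_xor(k_i: bytes, x_prev: bytes, x_i: bytes) -> bytes:
    """Slide derivation: k_i XOR x_{i-1} gives the fixed mask, which then masks x_i."""
    return xor(xor(k_i, x_prev), x_i)


def compare(seed: bytes = b"constructed-demo-seed"):
    # Constructed sample values; none of them come from the paper.
    n, x = h(seed, b"N"), h(seed, b"x")
    id_mu = b"mu-0001@home.example"
    x_prev, x_i = h(seed, b"x_prev"), h(seed, b"x_i")
    pw_mu = h(n, id_mu)

    # Original scheme: the predicted k_{i+1} equals the real one.
    old_guess = predict_next_by_xor(old_key(id_mu, x, x_prev), x_prev, x_i)
    old_predictable = old_guess == old_key(id_mu, x, x_i)

    # Improved scheme: x_{i-1} is inside the hash, so no fixed mask falls out.
    new_guess = predict_next_by_xor(improved_key(pw_mu, x, x_prev), x_prev, x_i)
    new_predictable = new_guess == improved_key(pw_mu, x, x_i)
    return old_predictable, new_predictable


if __name__ == "__main__":
    print("next key predictable (original, improved):", compare())
```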
5. Conclusion: In this paper, we discuss the properties of anonymity and backward secrecy in the authentication scheme for wireless communications. We use a very simple way to solve the security issues in the previous scheme.