1. A Secure Authentication Scheme with Anonymity for Wireless Communications IEEE COMMUNICATIONS LETTERS, VOL. 12, NO. 10, OCTOBER 2008 Chia-Chun Wu, Wei-Bin Lee, and Woei-Jiunn Tsaur Speaker : Hong Ji Wei

2. Outline 1. 1.Introduction 2. 2.Review of Lee,Hwang And Liao ’ s Scheme 3. 3.Improved Scheme 4. 4.Security Analysis 5. 5.Conclusion

3. 1.Introduction What is Anonymity meaning ? Communication Intercept UserServer Hacker

4. 2.Review of Lee,Hwang And Liao ’ s Scheme R1 R2 R3 Internet HAFA MU Other Subnet Home Network Visited Network

5. Their scheme can be divided into three phases 1. Initial Phase HA delivers a password and a smart card for MU through a secure channel 2. First Phase FA authenticates to MU and establishes a session key 3. Second Phase MU visits FA, and FA serves for MU

6. Symbols MU : Mobile User HA : Home Agent of a mobile user FA : Foreign Agent of the network ID A : Identity of A T A : Timestamp of A Cert A : Certificate of A (X) K : Symmetric Encryption E K (X) : Asymmetric Encryption h(X) : Hash X using hash function PW A : Password of A MU : Mobile User HA : Home Agent of :

7. Initial Phase MUHA ID MU PW M U =h(N||ID MU ) PW MU, r, ID HA, h(.) Secure Channel Registration

8. First Phase MUFAHA FA decrypts W using E S FA

9. Second Phase MUFA Authentication In order to enhance the efficiency, while MU stays with the same FA, the new session key k i can be derived from the unexpired previous secret knowledge x i−1 and a fixed secret x as

10. Weakness 1.Anonymity From Step 3 of the first phase, it is obvious that FA can obtain the parameter W from HA, and then decrypt it to obtain h(ID MU ). In general, a user’s identity is short and has a certain format. That is, FA can launch an off-line guessing attack to find out the real identity of MU, and therefore defeat the anonymity service.

11. 2.Backward secrecy In Lee et al.’s scheme, if the session keys k i−1 and k i are known, x i−1 and x i can be computed from (x i−1 ||TCert MU ||OtherInformation)k i−1 and (x i ||TCert MU ||OtherInformation)k i Then the secret h(ID MU ||x) can be derived without any problem from k i = h(ID MU ||x) ⊕ x i−1 Consequently, the next session key k i+1 = h(ID MU ||x) ⊕ x i It can be easily computed

12. 3.Improved Scheme Because the original received value h(ID MU ) can be used as an evidence to assure whether the guessed identity is correct, this value needs to be modified in a way to make it un-comparable. To do so, we set W =E P FA (h(h(N||ID MU ))||x 0 ||x) instead of old one in Step 3 of the first phase. Moreover, in order to accomplish the backward secrecy, the corresponding session key k i will be k i = h(h(h(N||ID MU ))||x||x i−1 ) = h(h(PW MU )||x||x i−1 )

13. First Phase MUFAHA FA decrypts W using E S FA

14. Second Phase MUFA Authentication

15. 4.Security Analysis 1. Our improved scheme can achieve anonymity FA obtains h(h(N||ID MU ))instead of h(ID MU ).Therefore, FA has no way of verifying whether the guessed identity is correct or not without the secret value N. Besides, deriving the h(N||ID MU ) from h(h(N||ID MU )) is also intractable if h(.) is a secure hash function such as SHA-256. 2.Our improved scheme can achieve backward secrecy If an attacker knows the session keys k i-1 and k i then x i-1 will be obtained. Attacker can try to compute h(PW MU )||x from using x i-1, but he/she still not know the ID MU

16. 5.Conclusion In this paper, we discuss the properties of anonym ity and backward secrecy in the authentication scheme for wireless communications. We use a very simple way to solve the security issue- s in the previous scheme.