International Journal of Network Security, Vol.18, No.2, PP.217-223, Mar. 2016 217

A More Robust Authentication Scheme for Roaming Service in Global Mobility Networks Using ECC

Dianli Guo and Fengtong Wen (Corresponding author: Fengtong Wen)

School of Mathematical Sciences, University of Jinan No. 106, Jiwei Road, Shizhong District, Jinan 250022, China (Email: [email protected]) (Received Aug. 13, 2013; revised and accepted Jan. 14 & Mar. 4, 2015)

Abstract GLOMONET could not achieve user anonymity. In or- der to remedy this flaw, Chuang et al. proposed a new In 2012, Chuang et al. proposed a smart card based authentication scheme with user anonymity for roaming anonymous user authentication scheme for roaming ser- service in GLOMONET. vice in global mobility networks. In this paper, however, In this paper, we analyze Chuang et al.’s scheme and we analyze Chuang et al.’s scheme and show that their show that their anonymous user authentication scheme scheme is in fact insecure to against server masquerad- is vulnerable to server masquerading attack, off-line dic- ing attack, off-line dictionary attack and user imperson- tionary attack, user impersonation attack, besides, it also ation attack. Moreover, their scheme cannot achieve the cannot preserve user anonymity under the non-tamper re- claimed user anonymity once the smart card is compro- sistance assumption of smart cards. Furthermore, we pro- mised. Then, we propose a new robust authentication pose a more robust authentication scheme for roaming ser- scheme for the roaming service in global mobility net- vice in global mobility networks using elliptic curve cryp- works using elliptic curve cryptosystem to eliminate these tosystem, which can successfully prevent different kinds weaknesses. Compared with the existing schemes, our of network attacks. proposed scheme can provide stronger security than pre- This paper is organized as follows. In Section 2, we vious schemes. briefly review Chuang et al.’s scheme. We show its weak- Keywords: Anonymity, authentication, roaming service nesses in Section 3. Then, we propose a new robust au- thentication scheme in Section 4. In Section 5, we analyze the security of our proposal. In Section 6, we compare 1 Introduction the performance of our new protocol with the previous schemes. Section 7 concludes the paper. Global mobility networks (GLOMONET) provide the global roaming service that permits mobile users to use the services provided by the home agent in a foreign agent. 2 Review of Chuang et al.’s However, with the rapid development of such environ- ment, many security problems are brought into attention Scheme due to the dynamic nature and vulnerable-to-attack struc- ture. Chuang et al.’s anonymous authentication scheme com- As user privacy becomes a notable security issue in prises three phases, namely registration phase, mutual GLOMONET, it is desirable to protect the privacy of authentication and key agreement phase and password mobile users in remote user authentication process [17]. changing phase. Each foreign agent F shares a secret key In order to achieve this goal, several authentication KFH with the home agent H. The abbreviations and schemes [2,3,6,8–10,12–14,16,18,19] with user anonymity notations used in their scheme are listed in Table 1. have been proposed for roaming service in GLOMONET. Nevertheless, most of the existing schemes were broken 2.1 Registration Phase shortly after they were proposed. In 2012, Chuang et al. [4] pointed out some pre- Step 1. M freely chooses IDM and PWM , then sends vious authentication schemes for roaming service in them to H through a secure channel. International Journal of Network Security, Vol.18, No.2, PP.217-223, Mar. 2016 218

the received V . If it is true, then M establishes trust Table 1: Notations 3 with F . Otherwise, this session will be terminated. M A mobile user H The home agent of M After the mutual authentication phase successfully, M F The foreign agent and F share the session key SK = h(TKknM knF ) = IDA The identity of the participant A h(h(CkrM ) ⊕ z ⊕ h(CknM krM )knM knF ). PWM The password of M KFH The pre-shared secret key between F and H 2.3 Password Changing Phase P ubH The home agent H’s public key P riH The matching private key of P ubH hold by H When M wants to update PWM , M inserts his/her smart x The secret key of H card into a terminal and inputs the origin password PWM h(·) A one-way hash function to the smart card. ⊕ Exclusive-OR operation k String concatenation operation Step 1. The smart card computes h(PWM ) and checks Ek An encryption function with key the k whether it is equal to the stored k. If yes, M inputs new Dk A decryption function with key the k a new password PWM ; otherwise, the smart card Adv The adversary rejects the password change request and terminates this procedure.

new new Step 2. H computes R = h(IDM kx) ⊕ PWM and k = Step 3. The smart card computes k = h(PWM ), new new h(PWM ). After that, H stores {IDM , R, k, P ubH , R = R ⊕ PWM ⊕ PWM and replaces k, R by new new h(·), E(·)} into the smart card and submits it to M. k , R , respectively.

2.2 Mutual Authentication and Key 3 Analysis of Chuang et al.’s Agreement Phase Scheme Step 1. M inserts the smart card into the device and in- ∗ ∗ puts PWM . Then the smart card calculates k = To analyze the security weaknesses of Chuang et al.’s ∗ ∗ ? h(PWM ) and checks whether k = k. If yes, it scheme, we assume that an attacker Adv could obtain means M is the cardholder; otherwise, the smart card the secret values stored in the smart cards by monitor- terminates the procedure. Afterwards, the smart ing the power consumption [7,11] and intercept messages ∗ card randomly selects nM , rM ∈ Zq , and computes transmitted in the insecure communication channel. Un-

AIDM = EP ubH (rM kIDM ). Finally, M sends m1 = der this assumption, we demonstrate that Chuang et al.’s {IDH , AIDM , nM } to F . scheme fails to provide user anonymity and is susceptible to various attacks, such as server masquerading attack, ∗ Step 2. On receiving m1, F generates nF , rF ∈ Zq and off-line dictionary attack, user impersonation attack.

computes V1 = EP ubH (rF kIDH kIDF k AIDM knM knF ). Subsequently, F sends m2 = {IDH , IDF , V1} to H. 3.1 Server Masquerading Attack Assume an adversary Adv has intercepted the message Step 3. Upon receiving m , H can obtain (r kID 2 F H m = {V ,V , y, z} transmitted from H to F . Then kID kAID kn kn ) by decrypting V using 3 2 3 F M M F 1 Adv generates a random number n and sends m = the private key P ri . Subsequently, H can get F 4 H {V , z, n } to M, where n is selected randomly by Adv. (r kID ) from decrypting AID . Then, H ver- 3 F F M M M After receiving m from Adv, M computes C = R ⊕ ifies the validity of M. If M successfully passes the 4 PW ∗ ⊕ r and h(Ckz), it is obvious that V = h(Ckz). verification, H generates a random integer n ∈ Z∗ M M 3 H q Thus, M will be fooled into believing the adversary as the and calculates C = h(ID kx)⊕r , y = h(Ckr )⊕ M M M legitimate foreign agent F . nH ⊕ h(KFH krF ), z = h(CknM krM ) ⊕ nH , V2 = h(KFH knM knF krF kykz), V3 = h(Ckz), and then sends m3 = {V2,V3, y, z} to F . 3.2 Off-line Dictionary Attack

? Step 4. Upon receiving m3, F verifies V2 = h(KFH In case a legitimate mobile user M’s smart card is some- knM knF krF ky kz). If this equation holds, F how obtained (e.g., stolen or picked up) by Adv, and computes TK = y ⊕ h(KFH krF ), and then sends he/she can extract the stored secret value k [1, 7, 11, 15]. m4 = {V3, z, nF } to M; otherwise, F terminates this Then Adv can acquire M’s password PWM by performing session. the following procedures:

∗ Step 5. After receiving m4, M calculates C = R ⊕ Step 1. Guesses a candidate password PWM from the ∗ PWM ⊕ rM and checks whether h(Ckz) is equal to password space DPW . International Journal of Network Security, Vol.18, No.2, PP.217-223, Mar. 2016 219

∗ ∗ Step 2. Computes k = h(PWM ) and verifies the cor- 4.1 Registration Phase ∗ ∗ ? rectness of PWM by checking k = k. Step 1. M freely chooses his/her identity IDM and pass- word PW . Then, M sends them to H via a secure Step 3. Repeats the Steps 1 and 2 by replacing another M communication channel. guessed password until the correct password is found.

Step 2. H calculates A = h(IDM kx), B = h(IDM kv) Generally, due to the inherent limitation of human cog- and C = h(IDM × P + PWM × P ), where v is a nition, the identity is easy-to-remember and hence the secret random number chosen by H for every mobile identity space is very limited, and it follows that the above user. attack can be completed quite effectively. The running time of the above attack procedure is O(|DPW | ∗ Th), Step 3. After that, H maintains a registration table in where Th is the running time for Hash operation. And the format (B,A). H can retrieve A from the regis- hence, their scheme cannot resist off-line dictionary at- tration table by B in the revocation phase and in the tack. mutual authentication and key agreement phase.

Step 4. H personalizes the smart card with {C, P , Q, 3.3 Failure to Provide Users’ Anonymity Ep(a, b), q, p, h(·)} and issues it to M.

In Chuang et al.’s scheme, the home agent H stored IDM in M’s smart card. Hence, Adv can get IDM by monitor- 4.2 Mutual Authentication and Key ing the power assumption [1,7, 11, 15]. Although Chuang Agreement Phase et al.’s scheme does not use IDM as a parameter in the lo- gin request message, it is used to compute AIDM . Then, Step 1. M inserts his/her smart card into a card reader Adv can launch a series of attacks, such as user imperson- and enters IDM ,PWM . Then, the smart card ver- ? ation attack, to damage the security of this scheme [4]. ifies C = h(IDM × P + PWM × P ), if not, the lo- gin phase is terminated immediately; otherwise, the smart card generates a random number α ∈ [1, q − 1] 3.4 User Impersonation Attack and computes X = α × P , X1 = α × Q, D = IDM ⊕ h(X + X1). Finally, the smart card sends 0 As explained above, if Adv successfully obtains M s smart m1 = {IDH ,X,D} to F . card, he/she can get PWM and IDM corresponding to M. Then, Adv can impersonate M to make fool of both F and Step 2. Upon receiving m1, F generates a random inte- H as follows. ger number β ∈ [1, q − 1] and calculates Y = β × P , In the mutual authentication and key agreement Y1 = β × Q, E = KFH × P + Y1. Then, F transmits 0 0 the message m = {ID ,ID ,X,D,Y,E} to H. phase, Adv generates two random number nM , rM ∈ 2 H F ∗ 0 0 Zq and computes AIDM = EP ubH (rM kIDM ). Then 0 Step 3. On receiving m2, H computes X1 = x × X, he/she sends the forged login request message m1 = 0 0 ID = D ⊕ h(X + X ), B = h(ID kv), and {IDH , AID , n } to F . M 1 M M M ∗ It is easy to see the forged login request is in the cor- A = h(IDM kx). Then, H retrieves A from the ∗ ? rect format. Upon receiving m0 , H and F will execute registration table by B and checks A = A. If B 1 ∗ the protocol normally and Adv will pass the verification does not exist in the verifier table or A 6= A, H successfully. terminates this session. If three continuous requests from M fail in a short interval, H will ignore M’s following request within a guard interval. If the all conditions hold, H verifies the legitimacy of M suc- 4 Our Proposed Scheme cessfully. Afterwards, H computes Y1 = x × Y , ∗ ∗ E = h(IDF kx) × P + Y1 and verifies E with In this section, we propose a new authentication scheme the received E. If they are equal, the authenticity with user anonymity in global mobility networks using of F is ensured; otherwise, H rejects this request. elliptic curve cryptography. Our scheme consists of four After the verification of M and F , H computes phases, which are the registration phase, mutual authenti- I = IDM ×P +X1, J = h(h(IDF kx)×P −Y1)⊕h(X1) cation and key agreement phase, password changing phase and K = h(IDF kx) × Y1. Finally, H sends the mes- and revocation phase. sage m3 = {I, J, K} to F . Before the system begins, H generates two distinct large primes p and q with p = 2q + 1 and chooses a gen- Step 4. After receiving m3 from H, F firstly calculates erator P of order q on the elliptic curve Ep(a, b). H com- KFH × Y1 and verifies it with the received K. If it putes the public key Q = x · P mod p with the master is valid, F computes h(X1) = J ⊕ h(KFH × P − Y1), secret key x of H. Subsequently, H computes a secret key TK = h(X1)×β ×X and sk = h(h(X1)×P −β ×X) KFH = h(IDF kx) for each foreign agent F . and transmits the message m4 = {I,Y,TK} to M. International Journal of Network Security, Vol.18, No.2, PP.217-223, Mar. 2016 220

∗ Step 5. Upon receiving m4, M computes I = IDM × 2) CDHP [5]: Given three points P, s · P, t · P ∈ ∗ ∗ P + X1 and TK = h(X1) × α × Y . Then M checks Ep(a, b), where s, t ∈ Zp , the computation Diffie- ∗ ? ∗ ? I = I and TK = TK, respectively. If the two equa- Hellman problem(CDHP) is to find the point (s · t)P tions hold, M successfully authenticates H and F , on Ep(a, b). then sends m = h(h(h(X ) × P − α × Y )k0) to F . If 5 1 Theorem 1. Our scheme could provide mutual authen- any of these two equations is false, the authentication tication. fails.

∗ Proof. Mutual authentication means that these three Step 6. After receiving m5, F computes m5 = h(skk0) ∗ ? communication parties involved in global mobility net- and checks m5 = m5. If they are equal, F ensures the works can authenticate each other before generating the legitimate of M; otherwise, terminates the session. common session key. In order to withstand user & server masquerading attack, it is necessary for a robust authen- After mutual authentication, M and F compute and tication scheme to satisfy this security feature. In our share the session key SK = h(skk1) = h(h(h(X ) × P − 1 scheme, only the home agent H can generate I, J, K us- α × β × P )k1) for future secure communication. ing its secret key x. Then the foreign agent F could check the validity of K to verify H. Afterwards, the mobile user 4.3 Password Changing Phase M could check the validity I and TK to verify H and F , respectively. Further, our scheme allow them to agree on When the user M wants to update his/her password off- a session key which varies in each session run. Therefore, line, he/she inserts the smart card into a terminal and our scheme satisfies this feature. enters his/her identity IDM and old password PWM to the smart card. Theorem 2. Our scheme could provide perfect forward ? security. Step 1. The smart card checks C = h(IDM ×P +PWM × new P ). If yes, M inputs a new password PWM ; oth- Proof. The forward secrecy is defined as the assurance erwise, the smart card rejects the password change that any previous session keys cannot be compromised if request and terminates this procedure. the master secret key x of the home agent H is leaked. In our scheme, the session key h(h(h(X )×P −α×β ×P )k1) new 1 Step 3. The smart card computes C = h(IDM ×P + is generated by two one-time random number {α, β} in new new PWM × P ) and stores C into its memory to each session. Moreover, even if the adversary eavesdrops replace C. the mutual authentication messages, he/she still cannot compute α × β × P from α × P and β × P since the 4.4 Revocation Phase intractability of the Diffie-Hellman problem. Therefore, our scheme could provide perfect forward security. In case of lost or stolen smart cards, M could request H to revoke his/her smart card. In our scheme, M should Theorem 3. Our scheme could provide user anonymity transmit IDM to H via a secure communication channel, and untraceability. then H computes h(ID kv), and checks whether it exists M Proof. In the proposed scheme, the information of ID is in the registration table. If yes, H retrieves A from the M hidden in D = ID ⊕ h(X + X ). If the adversary wants registration table by B and checks whether h(ID kx) is M 1 M to retrieve the mobile user M’s identity from D, he/she equal to A. Supposing that these two conditions hold, should compute X = α×x×P from α×P and Q = x×P H removes the entry (B,A) from the registration table. 1 to obtain the value h(X + X ), then he/she will face with If M wants to re-register in H, he/she just needs to re- 1 the CDHP. Furthermore, {X,D} varies in each session register in H through performing the registration phase because they are generated by the random number α. It again. is difficult for the adversary to tell apart M from others in the communication channel. Hence, the proposed scheme 5 Secure Analysis of Our Scheme satisfies user anonymity and untraceability. Theorem 4. Our scheme could withstand user imperson- In this section, we analyze the security of the proposed ation attack. scheme and show that it can resist different types of at- tacks and provides user anonymity and untraceability. Proof. In our scheme, if the adversary wants to forgery We assume that the following problems are difficult to the legal mobile user M, he/she has to generate a valid solve in polynomial time, in other words, there are no message m1 = {IDH ,X,D}, where D = IDM ⊕ h(X + efficient polynomial-time algorithm to solve the following X1), X = α × P . However, Adv cannot generate a valid problems. D without the knowledge of IDM . Therefore, our scheme could withstand user impersonation attack. 1) ECDLP [5]: Given two points P,Q ∈ Ep(a, b), the elliptic curve discrete logarithm problem(ECDLP) is Theorem 5. Our scheme could withstand server mas- ∗ to find an integer s ∈ Zp such that Q = s · P . querading attack. International Journal of Network Security, Vol.18, No.2, PP.217-223, Mar. 2016 221

M F H

m ID X D m m ID Y E 1 = { H , , } 2= { 1 ,F , , }

m I Y TK m IJK 4 = { , , } 3 = { , , }

m hsk 5 = ( || 0)

FigureFig. 1. 1: Message Message Flows flows in in Authentication authentication and and Key key Agr agreementeement phasePhase

Table 2: Comparisons of the security properties Ours He et al.’s [6] Chuang et al.’s [4] User anonymity Yes No No Prevention of user impersonation attack Yes No No Prevention of off-line dictionary attack Yes No No Prevention of server masquerading attack Yes No No Revocation of smart cards Yes No No Freely change password Yes No Yes Mutual authentication Yes No No Prevention of replay attack Yes No No

Proof. In our scheme, if Adv wants to impersonate H or F However, the adversary cannot generate valid m5 with- to fool the mobile user M, he/she has to generate a valid out knowing x and α. Then, F can find the attack by reply message m4 = {I,Y,TK}, where I = IDM ×P +X1, checking the valid of m5. Moreover, Adv also cannot gen- TK = h(X1)×β×X and Y = β×P . However, the adver- erate valid SK without knowing the value β to construct sary cannot generate I and TK without the knowledge of a communication channel with F . Therefore, our scheme x. So, our scheme could withstand server masquerading could withstand replay attack. attack. Theorem 6. Our scheme could withstand stolen smart card attack. 6 Comparisons Proof. If M’s smart card is lost and obtained by Adv, In this section, we compare security properties of the pro- he/she can extract the stored data {C, P , Q, Ep(a, b), posed authentication scheme with other related schemes, q, p, h(·)} in the smart card through the differential including the schemes of He et al. [6] and Chuang et al. [4]. power analysis [1, 7, 11, 15] and intercept the message In Table 2, we provide the comparison based on the key m1 = {IDH , X, D}, m2 = {IDH , IDF , X, D, Y , E}, security of these schemes, while we compare their effi- m3 = {I, J, K}, m4 = {I,Y,TK}. If Adv wants to ob- ciency in terms of computation and communication cost tain IDM from these messages, he/she has to compute in Table 3. We define the following notations are used X1 = α × x × P from α × P and Q = x × P . Adv will in Table 3: th: the time complexity of the hash com- face with the CDHP. putation; tsym: the time complexity of the symmetric We should consider the off-line password guessing at- encryption/decryption; tasym: the time complexity of en- tack in this case, that is, the adversary uses a brute force cryption/decryption or signature using asymmetric cryp- search to find out the correct password from the value C. tosystem. In our proposed anonymous authentication scheme, the According to Table 2, we can conclude that He et al.’s user identity is protected against outsiders what can help scheme does not satisfy any of the criterion listed in Ta- to withstand the password guessing attack. Since there ble 2. Chuang et al.’s scheme satisfies only one criteria can be a huge number of users in the mobile system, it listed in Table 2. While, our proposed scheme can achieve is infeasible for an adversary to do an exhaustive search all the criterion listed in Table 2. Particularly, our pro- for all the possible (ID, P assword) pairs. Therefore, our posed scheme does not require H to store some secret scheme can withstand stolen smart card attack. information that is shared with F in its database, which enhances our scheme’s security strength to resist against Theorem 7. Our scheme could withstand replay attacks. different attacks. Proof. In our scheme, Adv may intercept the message In Table 3, we summarize the efficiency comparison m1 = {IDH ,X,D} and replay it to the foreign agent F . between our scheme and other schemes in [4, 6] in case International Journal of Network Security, Vol.18, No.2, PP.217-223, Mar. 2016 222 of the mutual authentication phase. From Table 3, it is phy,” International Journal of Network Security, vol. easy to see that our scheme is more efficient than other 15, no. 2, pp. 139–147, 2013. schemes. Our scheme requires three extra transmitted [3] C. Chen, D. J. He, S. Chan, J. J. Bu, Y. Gao and messages as compared with Chuang et al.’s scheme and R. Fan, “Lightweight and provably secure user au- five extra transmitted messages as compared with He et thentication with anonymity for the global mobility al.’s scheme. However, our proposed scheme does not pro- network,” International Journal of Communication ceed encryption/decryption using asymmetric cryptosys- Systems, vol. 24, no. 3, pp. 347–362, 2011. tem, moreover, our scheme achieves stronger security than [4] Y. H. Chuang, Y. M. Tseng and C. L. Lei, “Effi- the previous solutions as shown in Table 2. cient mutual authentication and key agreement with user anonymity for roaming services in global mo- bility networks,” International Journal of Innovative Table 3: Efficiency comparison Computing Information and Control, vol. 8, no. 9, Chuang et al. [4] He et al. [6] Ours pp. 6415–6427, 2012. [5] D. Hankerson, A. Menezes and S. Vanstone, Guide to C1 2th + tasym 10th + 2tsym 5th C2 2t + t 4t 7t Elliptic Curve Cryptography, Springer: Heidelberg, h asym h h 2003. C3 6th + 2tasym 4th + 2tsym + 4tasym 7th C4 1 1 3/2 [6] D. He, M. Ma, Y. Zhang, C. Chen and J. Bu, “A C5 1 1 1 strong user authentication scheme with smart cards C6 6 5 7 for wireless communications,” Computer Communi- C7 7 6 9 cations, vol. 34, pp. 367–374, 2011. [7] P. Kocher, J. Jaffe and B. Jun, “Differential power C1: Computation cost of the M analysis,” in Proceedings of Advances in Cryptology, C2: Computation cost of the F pp. 388–397, Santa Barbara, CA, U.S.A., 1999. C3: Computation cost of the H [8] C. C. Lee, M. S. Hwang and I. E. Liao, “Secu- C4: Communication rounds between the M and F rity enhancement on a new authentication scheme C5: Communication rounds between the F and H with anonymity for wireless communications,” IEEE C6: Total messages transmitted between M and F Transactions on Industrial Electronics, vol. 53, no. C7: Total messages transmitted between F and H 5, pp. 1683–1686, 2006. [9] C. C. Lee, R. X. Chang and T. Williams, “On the anonymity of an enhanced authentication scheme for a roaming service in global mobility networks,” Inter- national Journal of Secure Digital Information Age, 7 Conclusions 2010, (in press). [10] C. T. Li and C. C. Lee, “A novel user authentication In this paper, we analyze several security flaws in Chuang and privacy preserving scheme with smart card for et al.’s authentication scheme with user anonymity for wireless communications,” Mathematical and Com- roaming service in global mobility networks. Further, we puter Modelling, vol. 55, pp. 35–44, 2012. propose a new authentication scheme for roaming service [11] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, in GLOMONET to overcome these shortcomings. In ad- “Examining smart-card security under the threat dition, the security analysis and performance comparisons of power analysis attacks,” IEEE Transactions on demonstrate our proposal is more secure and suitable to Computers, vol. 5, no.51, pp. 541–552, 2002. the practical application environment. [12] J. Niu and X. Li, “A novel user authentication scheme with anonymity for wireless communica- Acknowledgments tions,” Security and Communication Networks, vol. 7, no. 10, pp. 1439–1640, 2014. The authors gratefully acknowledge the anonymous re- [13] R. Ramasamy and A. P. Muniyandi, “An efficient viewers for their valuable comments. This work is password authentication scheme for smart card,” In- supported by Natural Science Foundation of Shandong ternational Journal of Network Security, vol. 14, no. Province(NO.ZR2013FM009). 3, pp. 180–186, 2012. [14] S. K. Sood, “An improved and secure smart card based dynamic identity authentication protocol,” In- References ternational Journal of Network Security, vol. 14, no. 1, pp. 39–46, 2012. [1] G T. Becker, Intentional and Unintentional Side- [15] J. van Woudenberg, M. Witteman, and B. Bakker, channels in Embedded Systems, University of Mas- “Improving differential power analysis by elastic sachusetts Amherst, 2014. alignment,” in Proceedings of the 11th International [2] C. C. Chang and C. Y. Lee, “A smart card-based Conference on Topics in Cryptology (CT-RSA’11), authentication scheme using user identify cryptogra- pp. 104–119, 2011. International Journal of Network Security, Vol.18, No.2, PP.217-223, Mar. 2016 223

[16] F. T. Wen, W. Susilo, G. M. Yang, “A robust smart Dianli Guo received his B.S.degree in applied mathe- card-based anonymous user authentication protocol matics from Heze University, China in June 2011. He for wireless communications,” Security and Commu- is currently working towards his M.S degree in applied nication Networks, vol. 7, no. 6, pp. 987–993, 2014. mathematics at Jinan University, China. His current [17] G. M. Yang, D. C. Wong, and X. T. Deng, “Anony- research interest includes wireless network security and mous and authenticated key exchange for roaming applied cryptography. networks,” IEEE Transactions on Wireless Commu- nication, vol. 6, no. 9, pp. 3461–3472, 2007. Fengtong Wen received his B.S degree in mathematics [18] P. Zeng, Z. Cao, K. K. R. Choo, and S. Wang, “On from Qufu normal university, China in June 1994. He the anonymity of some authentication schemes for received his M.S degree in fundamental mathematics from wireless communications,” IEEE Communications Qufu normal university, China in June 1997. He received Letters, vol. 13, no. 3, pp. 170–171, 2009. his Ph.D degree in cryptography from Beijing University [19] J. Zhu and J. Ma, “A new authentication scheme of Posts and Telecommunications, China in 2006. He is with anonymity for wireless environment,” IEEE a professor at the School of mathematics, university of Transactions on Consumer Electronics, vol. 50, no. Jinan, China. His research interests include information 1, pp. 230–234, 2004. security, cryptography and applied mathematics.