KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

Robust ID based mutual authentication and key agreement scheme preserving user anonymity in mobile networks

  • Lu, Yanrong (Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications) ;
  • Li, Lixiang (Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications) ;
  • Peng, Haipeng (Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications) ;
  • Yang, Yixian (Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications)
  • Received : 2015.10.15
  • Accepted : 2016.01.21
  • Published : 2016.03.31
Download PDF
⟨ Previous Next ⟩

Abstract

With the swift growth of wireless technologies, an increasing number of users rely on the mobile services which can exchange information in mobile networks. Security is of key issue when a user tries to access those services in this network environment. Many authentication schemes have been presented with the purpose of authenticating entities and wishing to communicate securely. Recently, Chou et al. and Farash-Attari presented two ID authentication schemes. They both claimed that their scheme could withstand various attacks. However, we find that the two authentication schemes are vulnerable to trace attack while having a problem of clock synchronization. Additionally, we show that Farash-Attari's scheme is still susceptible to key-compromise impersonation attack. Therefore, we present an enhanced scheme to remedy the security weaknesses which are troubled in these schemes. We also demonstrate the completeness of the enhanced scheme through the Burrow-Abadi-Needham (BAN) logic. Security analysis shows that our scheme prevents the drawbacks found in the two authentication schemes while supporting better secure attributes. In addition, our scheme owns low computation overheads compared with other related schemes. As a result, our enhanced scheme seems to be more practical and suitable for resource-constrained mobile devices in mobile networks.

Keywords

1. Introduction

The mobile devices have become an important part of our learning, working and living with the rapid development of wireless communication technology. People often use mobile devices to enjoy network services anytime and anywhere, which provide a lot of convenience in our life. Unfortunately, the majority of these communication environments are insecure, thus leading to the sensitive information might be intercepted by any unauthorized entity. As a result, security has become a big problem when a remote user attempts to access the services over any open networrks. Authentication and key agreement is the representative approach to verify the legitimacy of a remote user and establish a session key between the communication parties.

From Lamport [1] proposed the first remote mutual authentication scheme over an unreliable channel, a large number of authentication schemes for different applications, have been presented, analyzed and some broken [2-6]. Shamir [7] first introduced the notion of ID based public-key cryptosystem, which might lighten the certificate overhead compared with the other public-key systems. Later, Boneh-Franklin [8] presented the formal security analysis of the ID based encryption scheme employing pairings. Since then numerous ID based key agreement schemes combining pairings have been presented [9-11]. However, the above schemes are not efficient applying for resource-constrained mobile devices due to the relative computation cost of pairing is approximately 20 times higher than that of the scalar multiplication [12].

With the tremendous development of the network technologies, recently ID based authentication and key agreement schemes using elliptic curve cryptosystem (ECC) have been broadly deployed in the wireless networrks for mobile devices. As compared with traditional cryptosystem, ECC offers equivalent security with smaller key size [13-14]. In 2009, Yang-Chang [15] proposed an efficient and practical ID based two-party mutual authentication scheme employing ECC. They both consider ID-based and ECC properties simultaneously. However, both Yoon-Yoo [16] and Islam-Biswas [17] discovered that Yang-Chang’s two-party scheme had some security flaws such as suffered from impersonation, replay attacks and did not provide the session key forward secrecy. To resolve these problems, Yoon-Yoo [16] and Islam-Biswas[17] respectively proposed their effective enhancements with higher security. In Yoon-Yoo’s scheme, user’s identity was hashed and mapped to a point on elliptic curve. Nevertheless, He et al. [18] identified thatYoon-Yoo’s scheme [16] failed to achieve forward secrecy and then presented an improvement scheme to erase the drawbacks of Yoon-Yoo’s scheme. Subsequently, Chou et al. [19] pointed out that both Yang-Chang’s and Yoon-Yoo’s schemes lacked the public key for users. Moreover, Chou et al. also showed that there were no legible key confirmation in He et al.’s scheme [18]. In order to eliminate the security pitfalls, Chou et al. presented an efficient ID and ECC based two-party scheme for mobile users. In Chou et al.’s scheme, the process of the user’s private key generation is an efficient and the user could check the correctness for his own private key. Recently, Farash-Attari [20] demonstrated that Chou et al.’s two-party scheme could not resist impersonation and key-compromise impersonation attacks. Then, Farash-Attari also presented an effective enhancement over Chou et al.’s scheme with more security.

ID based three-party scheme was proposed by Yang-Chang[21], which enhanced security and efficiency of Chen et al.’s [22] scheme. However, Tan [23] showed that Yang-Chang’s scheme was insecure against impersonation and parallel attacks. To conquer the problems, Tan proposed an improved scheme and claimed that their scheme satisfied many security attributes. However, He et al. [24] pointed out that the server had to maintain the users’ certificates in both Yang-Chang’s scheme [21] and Tan’s scheme [23]. Then, He et al. proposed an enhanced ID based three-party remote mutual authentication scheme to eliminate these flaws. He et al.’s scheme adopted general cryptographic hash function without considering map to point function. Unfortunately, Chou et al. [19] showed that He et al.’s scheme still existed the problem that there were no verification on user’s private key and the establishment of the user’s private key was time consuming. Subsequently, Chou et al. also proposed an ID based three-party authentication scheme as an extension based on their two-party scheme. Recently, Farash-Attari [20] showed that Chou et al.’s three-party scheme was susceptible to impersonation attack. To eliminate the security drawbacks in Chou et al.’s scheme, Farash-Attari proposed a modified two-party scheme.

In this paper, we present a cryptanalysis of Chou et al.’s and Farash-Attari’s schemes. We indicate that the two schemes are vulnerable to trace attack and do have the problem of clock synchronization. In addition, we show that Farash-Attari’s scheme is still susceptible to key-compromise impersonation attack. Therefore, we present an enhanced scheme based on Farash-Attari’s scheme to remedy the security weaknesses. We also demonstrate the completeness of the enhanced scheme through the Burrow-Abadi-Needham (BAN) logic. Security analysis shows that our scheme prevents the drawbacks found in the two authentication schemes while supporting better secure attributes. In addition, our scheme owns low computation overheads compared with other related schemes. As a result, our enhanced scheme seems to be more practical and suitable for resource-constrained mobile devices in mobile networrks.

The remainder of this paper is organized as follows. The review and cryptanalysis of Chou et al.’s and Farash-Attari’s schemes are shown in Section 2 and Section 3, respectively. We present our proposed scheme and its analysis in Sections 4 and Section 5, respectively. Section 6 shows the performance and functionality comparisons between the enhanced scheme and other related ones. Section 7 is a brief conclusion.

 

2. Review and analysis of Chou et al.’s scheme

In this section, we will briefly review Chou et al.’s two-party and three-party authentication schemes [19]. Moreover, we show that Chou et al.’s scheme is susceptible to the trace attack and has the problem of clock synchronization. We list notations used throughout this paper for convenience in Table 1.

Table 1.Notations

2.1 Two-party scheme

There are mainly two phases in Chou et al.’s two-party scheme: registration and authentication phases.

2.1.1 Registration

Before registration, S publishes {Ep(a, b), Ks, h1, h2}, where Ks = ks ⊕ P .

1) S sends his identity IDu to S ;

2) S computes ku = ks + h1(IDu)h1(IDu ⊕ ks), QIDu = h1(IDu ⊕ ks)P, and delivers {ku, QIDu} to U.

3) U checks . If so, U puts ku as his private key and publishes his public key QIDu.

2.1.2 Authentication

1) U selects a random number ru and computes Ru = ruP, V = kuRu, hu = h2(IDu║Ru║V║Tu). Then, U sends {IDu, Ru, hu, Tu} to S.

2) When receiving message, S verifies the freshness of Tu and checks whether (ks + h1(IDu)h1(IDu ⊕ ks)), . If they are equal, S selects a random number rs and computes Rs = rsP, sk = rsP, sk = rsRu, hs = h2(IDu║Ru║Rs║V'║Ts║sk) . Finally, S sends {Rh, hs, Ts} to U .

3) After receiving the message, U checks the freshness of Ts and checks whether If they are correct, U computes h2(IDu║V'║sk + 1) and sends it to S.

4) S computes h2(IDu║V'║sk + 1) and verifies it with the received message. If it holds, U and S successfully agree on the common session key sk.

2.2 Three-party scheme

There are also mainly two phases in Chou et al.’s three-party scheme: registration, and authentication and key agreement. The registration phase is the same as the two-party scheme, that is, both A and B obtain their private/ public key ka / QIDa and ka / QIDa, respectively, where ka = ks + h1(IDa )h1(IDa ⊕ ks), QIDa = h1(IDa ⊕ ks)P, kb = ks + h1(IDb)h1(IDb ⊕ ks), and QIDb = h1(IDb ⊕ ks)P .

2.2.1 Authentication and key agreement

1) A → B

A selects his identity IDa and sends {IDa , request} to B.

2) A → S

A chooses a random number ra, computes Ra = raP, Va = kaRa and ha = h2(IDa║IDb║Ra║Va║ta), where Ta denotes the current timestamp. Then, A sends { IDa, IDb, Ra, ha, ta} to S.

3) B → A

Upon receiving the message from A, B immediately sends {IDa, response} to A.

4) B → S

When receiving the message from A, B chooses a random number rb and computes Rb = rbP, Vb = kbRb, hb = h2(IDb║IDa║Rb║Vb║tb), where tb denotes the current timestamp. Then, B sends {IDb, IDa, Rb, hb, tb} to S.

5) S → A

Upon receiving the message from A, S first checks the freshness of ta, computes = (ks + h1(IDa )h1(IDa ⊕ ks))Ra and checks whether . If they are true, S computes hsa = h2(IDa║IDb║║Rb║ts) and sends {Rb, hsa, ts} to A.

6) S → B

Upon receiving the message from B, S first checks the freshness of tb, computes = (ks + h1(IDb)h1(IDb ⊕ ks))Rb and checks whether . If they are true, S computes hsa = h2(IDa║IDb║║Rb║ts) and sends {Ra, hsb, ts} to B.

7) S → A

Upon receiving the message from S, A checks whether . If holds, A calculates the common session key sk = raRb . Similarly, B executes the same operations as A. Finally, A and B negotiate the session key sk with the help of S.

2.3 Analysis of Chou et al.'s scheme

2.3.1 Trace attack

User anonymity is of significance issue in the wireless environment since it can protect user’s privacy. In the two authentication phases, the identity IDu is transmitted as a plain-text without any protection in an open channel, which gives an adversary to track his current location and recognize what type of services the user enjoys. This results seriously invades individual's privacy and potentially increases a bit more risk exposure. Farash-Attari presented their enhanced scheme according to Chou et al.’s scheme but the trace attack is still not immune to their scheme. For this reason, the trace attack is also inevitable in Farash-Attari's scheme.

2.3.2 Clock synchronization problem

The timestamp is employed to withstand the replay attack in the two authentication phases. Notice there is no mention of the transmitted delay can be limited in a certain interval of time. In this case, if the adversary resends the older authentication messages, then S will still authenticate the adversary each time. This inevitably leads to the problem of clock synchronization especially applying the time interval for wide area networrks. Even when initially set accurately, real clocks will differ after some amount of time due to clock drift, caused by clocks counting time at slightly different rates.

Farash-Attari’s scheme goes after the same authentication mechanism as of Chou et al.’s scheme. Therefore, clock synchronization problem also exists in Farash-Attari 's scheme.

 

3. Review and analysis of Farash-Attari's scheme

In this section, we will briefly review Farash-Attari’s two-party authentication scheme. Moreover, we show that Farash-Attari’s scheme is also inability to protect against the track attack and avoid the clock synchronization problem. Besides, Farash-Attari’s scheme is still susceptible to key-compromise impersonation attack.

3.1 Two-party scheme

Farash-Attari’s scheme [20] also contains two phase: registration, authentication and key agreement, where registration phase is the same as Chou et al.’s scheme, we omit it. Now, we mainly describe the authentication and key agreement phase.

3.1.1 Authentication and key agreement

1) U selects a random number ru, computes Ru = ruP, K1 = rukuKs, hu = h2(IDu║Ru║K1║tu), where tu denotes the current timestamp. Then, U sends {IDu║Ru║tu║hu} to S.

2) Upon receiving the message, S checks the freshness of tu. If it is valid, S computes K1 = ks(ks + h1(IDu)h1(IDu>ks))Ru and checks . If it holds, S selects a random number rs and computes Rs = rsP, K2 = rsRu, hs = h2(0║IDu║Ru║Rs║K1║K2║ts). Then, S sends {Rs, hs, ts} to U, where ts is the timestamp of S.

3) After receiving the message, U verifies if ts is valid. If true, U computes = ruRs and verifies . Then, U computes h2(1║IDu║Ru║Rs║K2║K1║ts) and sends it to S.

4) S checks whether h2(1║IDu║Ru║Rs║K2║K1║ts) is equal to the received value. If it is equal, S establishes the session key sk = h(IDu║Ru║Rs║K1║K2║tu║ts) with U.

3.2 Analysis of Farash-Attari 's scheme

Farash-Attari’s scheme is also prone to suffer from trace and replay attacks. Previous subsections analyze the reason, here we won’t cover those again. Following we present another attack referring to Farash-Attari's scheme.

3.2.1 Key-compromise impersonation attack

When the private key of S is compromised is that an adversary is able to impersonate not only as S but also to S as U. Suppose the adversary gets ks and tries to impersonate as U to access the services provided by S.

1) The adversary eavesdrops the login request message {IDu, Ru, tu, hu} from U to S. Then, he generates a random number and computes . Subsequently, he sends the forged message to S, where is the current timestamp.

2) When receiving the message, S first checks the freshness of . If it is valid, he then continues to check , where K1 = ks(ks + h1(IDu)h1(IDu ⊕ ks))Ru. Obviously, the equation is true. Therefore, S authenticates the adversary who impersonates as a legal user. After that, S selects a random number rs and calculates Rs = rsP, . Finally, S transsmits the respond message (Rs, hs, ts} to U, where ts is the current timestamp.

3) After receiving the message, the adversary also verifies the validness of ts. If holds, he figures up and checks whether is true. If holds, he calculates and then delivers it to S.

4) Upon receiving the message, S verifies if is equal to the received value. If true, S consults with the adversary to ensure the session key . That is, the adversary successfully impersonates as a legal user to cheat S but S believing the adversary is just the corresponding user.

 

4.The enhanced scheme

In this section, we present a simple enhancement on Chou et al.’s and Farash-Attari's two-party schemes, which inherits the advantages of original schemes and is immune to the security pitfalls stated in previous sections. Three-party scheme can be easily constructed by extending two-party scheme.In our scheme, the user and the server will authenticat each other and establish a session key, which is used to encrypt the subsequently information . Therefore, our scheme can be applied in many electronic transactions environments, such as online banking, on-line shopping, Pay-TV and electronic voting.

4.1 Registration

Similarly, S publishes {E(a, b), Ks, h1, h2}, where Ks = ksP before registration.

1) U chooses his identity IDu and submits it to S via a secure channel.

2) S generates a random number rs and computes ku = rsh1(IDu ⊕ ks), QIDu = h1(IDu ⊕ ks) as U’s private and public keys. Subsequently, S stores rs1 into its secret database and returns {rs1, ku, QIDu} to U through a secret channel.

3) After receiving the message, U examines kuP = rs1QIDuP. If the equation holds, U keeps ku secretly and releases QIDu.

4.2 Authentication and key agreement

1) U randomly chooses a number ru and computes P1 = rs1P ⊕ IDu, K = h2(IDu║rs1), P2 = K ⊕ ruP, P3 = h2(K║ruP║kuP). Then, U sends {P1, P2, P3} to S.

2) Upon receiving the login message, S firstly derives IDu by computing P1 ⊕ rs1P and then he makes use of IDu to get ruP by computing h2(IDu║rs1) ⊕ P2. After that, S checks whether . If it holds, S chooses a random number rs2 and computes SK = rs2ruP, Q1 = K ⊕ rs2P, Q2 = h2(K║ruP║SK). Then, S sends {Q1, Q2} to U.

3) After receiving the authentication message, U reveals rs2P by computing K ⊕ Q1 and computes SK = rurs2P. Subsequently, U verifies . If the equation is correct, U continues to compute P4 = h2(K║rsP║SK) and sends it to S.

4) When receiving the message, S checks whether . If it is true, S successfully negotiates the session key with U. Therefore, they can encrypt the communicated messages through the established session key. Fig. 1 shows the phases of registration and authentication of our scheme.

Fig. 1.Registration and authentication phase of the enhanced scheme

 

5. Analysis of the enhanced scheme

This section presents a cryptanalysis of the enhanced scheme and shows that it not only is secure against trace and key-compromise impersonation attacks but also provides the session key perfect forward secrecy and mutual authentication and other related security properties. In addition, Burrows-Abadi-Needham (BAN) logic mechanism [25] is adopted to prove that U and S achieve mutual authentication and correctly generate a session key within authentication process. Suppose an adversary has fully monitored the authentication and key agreement phase and then he can insert, modify and delete any messages transmitted between the user and the corresponding server [1].

5.1 Withstanding the trace attack

In the authentication and key agreement phase, the user’s identity IDu is hidden in all the transmitted messages P1 = rs1P ⊕ IDu, P2 = h2(IDu║rs1) ⊕ ruP, P3 = h2(h2(IDu║rs1)║ruP║kuP), P4 = h2(h2(IDu║rs1)║ruP║SK), Q1 = h2(IDu║rs1)⊕rs1P, and Q2 = h2(h2(IDu║rs1)║ruP║SK, where rs1 is a shared random number between the user and the server, ru and rs are the random numbers generated by the user and the server, respectively. Acctually, a toilless method for an adversary is to know the shared random number rs1 and then derive the real identity by intercepting P1. As a result, it is computationally infeasible for an adversary to derive the real identity from rs1P due to the property of Elliptic Curve Discrete Logarithmic Problems [26]. Therefore, the adversary has no opportunity to obtain the user’s identity and thus he has no opportunity to plot the trace attack.

5.2 Withstanding the key-compromise impersonation attack

Even if an adversary has obtained the private key of one of the entities, he cannot successfully plot an impersonation attack. We assume U's private key ku is leaked, which is concealed in the value of P3. If the adversary attempts to impersonate as a legal sever, he should know U's identity IDu and ruP, but both of them are protected by a random number rs1 which is only known by U and S. On the other hand, suppose the private key ks of S is lost, the adversary is still not able to launch an impersonation attack without the knowledge of IDu. In a word, the key-compromise impersonation attack dose not work in the enhanced scheme.

5.3 Avoiding the clock synchronization problem

In the enhanced scheme, we adopt random numbers instead of timestamp. If an adversary tries to resending the old login message to pretend as U, S will detect the attack from U since random numbers rs1 and ruP are different for each session. Therefore, the replay attack is impractical to the enhanced scheme.

5.4 Providing the session key perfect forward secrecy

Even though an adversary has known the secret key of all the entities and the previous session key, he cannot compute the next session key. Since the session key is decided by two distinct random numbers generated by U and S and the new session key is different from the old one. Therefore, the session key perfect forward secrecy is easily achieved.

5.5 Achieving the mutual authentication

In the enhanced scheme, U authenticates S through the verification Q2 = h2(IDu║SK║ruP) because any unauthorized sever is not possible to derive the user's real identity and then work out the correct value ruP. S authenticates U by computing P3 = h2(IDu║ruP║rs1QIDu) and P4 = h2(IDu║rs2P║SK). Only the legal user knows rs1 and thus derives rs2P from Q2. S will immediately perceive the attack if any one attempts to modify the parameters. Therefore, the enhanced scheme satisfies mutual authentication.

5.6 Withstanding the impersonation attack

Suppose an adversary eavesdrops the login request message to impersonate as a legal user to cheat S. However, it is impossible to pass through S without the knowledge of U's identity IDu and the shared random number rs1. Both two values are only known by U and S. The same reason is appropriate for the adversary tries to impersonate as a legal sever to deceive U. Therefore, the enhanced scheme is immune to the impersonation attack.

5.7 Verifying the enhanced scheme with BAN logic

Some notations (Table 2) and logical postulates of BAN logic that we will used in our scheme are introduced as follows.

1) BAN logical postulates

a. Message-meaning rule: : if A believes that K is shared by A and B and sees X encrypted with K, then A believes that B once said X.

b. Nonce-verification rule: : if A believes thatX could have been uttered only recently and that B once said X, then A believes that B believes X.

c. Belief rule: : if A believes X and Y, then A believes (X, Y)

d. Fresh conjuncatenation rule: : if A believes freshness of X, A then believes freshness of (X, Y).

e. Jurisdiction rule: : if A believes that Bhas jurisdiction over X and A trusts B on the truth of X, then A believes X.

Table 2.BAN logic notations

2)Idealized scheme

U :

S :

3) Establish security goals

g1 :

g2 :

g3 :

g4 :

4) Initiative premises

p1 : U ≡ #ru

p2 : U |≡ #rs1

p3 : S |≡ #rs1

p4 : S |≡ #rs2

p5 :

p6 :

p7 :

p8 :

5) Analysis scheme

a1 : By p5 and , according to the message-meaning rule, we obtain:

a2 : By p4 and a1, according to the fresh conjuncatenation rule and nonce-verification rule, we obtain:

g1 : By a2, according to the belief rule, we obtain:

g2 : By p7 and g1, according to the jurisdiction rule, we obtain:

a3 : By p6 and , according to the message-meaning rule, we obtain:

a4 : By p1 and a3, according to the fresh conjuncatenation rule and nonce-verification rule, we obtain:

g3 : By a4, according to the belief rule, we obtain:

g4 : By p8 and g3, according to the jurisdiction rule, we obtain:

 

6. Performance and functionality comparison

In this section, we will compare the performance and functionality of the enhanced scheme with other related authentication schemes using ECC [15-20]. Let TPM, TPA, TH be the time for performing an elliptic curve point multiplication, an elliptic curve point addition and a hash function. We neglect XOR operation considering it needs very few computations. To estimate accurately for the running time, we use the jPBC library 2.0.0 [27] to perform the cryptographic primitives for thousand executions and take the arithmetic mean based on Windows 10 operating system, Pentium 3:20 GHz CPU, and 4.0GB RAM. The execution time for performing an elliptic curve point multiplication is approximately 10.5129 ms, an elliptic curve point addition is approximately 0.4338 ms and a hash function is approximately 0.0359 ms. Table 3 shows the performance comparison. From Table 3, we see that the user side requires 3TPM + 4TH and the server side consumes as much as the user side. The results show that our schem has similar or better efficiency in comparison with other related ID based authentication schemes. In addition, we have only made a summing up of those security attributes which have been appeared by the authors of the related schemes. In our scheme, we adopt nonce based mechanisminstead of timestamp, consider the scenario of compromised the private key and protect the user’s identity based on the hard problem of Elliptic Curve Discrete Logarithmic. Therefore, our scheme can withstand track attack, key-compromise impersonation attack and avoid clock synchromication attack. As a consequence, in comparison to all other related schemes, our scheme supports much more security features and has thus proved to be more secure.

Table 3.N1:Providing mutual authentication; N2:Providing the session key perfect forward secrecy; N3: Withstanding trace attack;N4: Withstanding key-cpmpromise impersonation attack; N5: Withstanding impersonation attack; N6: Avoiding clock synchromization attack.

 

7.Conclusion

In this paper, we have shown that both Chou et al.’s scheme and Farash-Attari’s scheme are insecure the trace attack and do have the problem of clock synchronization. In addition, we also demonstrated that Farash-Attari’s scheme cannot resist the key-compromise impersonation attack. We then proposed an enhanced ID based mutual authentication scheme with privacy protection to tackle these problems. According to the performance and functionality analyses compared with other related schemes, we show that the enhanced scheme is more secure and efficient for mobile networrks.

References

  1. L. Lamport, “Password authentication with insecure communication,” Communications of the. ACM, vol. 24, no.11, pp. 770-772, 1981. Article (CrossRef Link). https://doi.org/10.1145/358790.358797
  2. Y. Chen, S.C. Chuang, L.Y. Yeh, J.L. Huang, “A practical authentication protocol with anonymity for wireless access networks,” Wireless Communications and Mobile Computing, vol. 11, pp. 1366-1375, 2011. Article (CrossRef Link). https://doi.org/10.1002/wcm.933
  3. R. Tso, “Security analysis and improvements of a communication-efficient three-party password authenticated key exchange protocol,” The Journal of Supercomputing, vol. 66, pp. 863-874, 2013. Article (CrossRef Link). https://doi.org/10.1007/s11227-013-0917-8
  4. Y.P. Liao, C.M. Hsiao, “A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients,” Future Generation Computer Systems, vol. 29, no. 3, pp. 886-900, 2013. Article (CrossRef Link) https://doi.org/10.1016/j.future.2012.03.017
  5. W.B. Hsieh, J.S. Leu, “Anonymous authentication protocol based on elliptic curve Diffie–Hellman for wireless access networks,” Wireless Communications and Mobile Computing, vol. 14, no. 10, pp. 995-1006, 2014. Article (CrossRef Link) https://doi.org/10.1002/wcm.2252
  6. H. Lu, L. Jie, “Privacy-preserving authentication schemes for vehicular ad hoc networks: a survey,” Wireless Communications and Mobile Computing, 2014. Article (CrossRef Link)
  7. A. Shamir, "Identity-based cryptosystems and signature schemes," Advances in Cryptology-CRYPTO'84, Springer, New York, pp. 47-53, 1985. Article (CrossRef Link)
  8. D. Boneh, M. Franklin, “Identity-based encryption from the Weil pairing,” SIAM Journal on Computing, vol. 32, no.3, pp. 586-615, 2003. Article (CrossRef Link) https://doi.org/10.1137/S0097539701398521
  9. K. Shim, "Cryptanalysis of two ID-based authenticated key agreement protocols from pairings," Cryptology ePrint Archive Report, 357, 2005. Article (CrossRef Link)
  10. H.M. Sun, B.T. Hsieh, “Security analysis of Shim’s authenticated key agreement protocols from pairings,” Cryptology ePrint Archive Report, 113, 2003. Article (CrossRef Link)
  11. M. Hölbl, T. Welzer, B. Brumen, “An improved two-party identity-based authenticated key agreement protocol using pairings,” Journal of Computer and System Sciences, vol. 78, pp. 142-150, 2012. Article (CrossRef Link) https://doi.org/10.1016/j.jcss.2011.01.002
  12. X.F. Cao, W.D. Kou, Y.U. Yu, R. Sun, “Identity-based authentication key agreement protocols without bilinear pairings,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 91, no. 12 , pp. 3833-3836, 2008. Article (CrossRef Link) https://doi.org/10.1093/ietfec/e91-a.12.3833
  13. V.S. Miller, "Use of elliptic curves in cryptography," Advances in Cryptology-Crypto'85 Proceedings, Springer Berlin, Heidelberg, 417, 1986. Article (CrossRef Link)
  14. N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of computation, vol. 48, pp. 417-426, 1987. Article (CrossRef Link) https://doi.org/10.1090/S0025-5718-1987-0866109-5
  15. J.H. Yang, C.C. Chang, “An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem,” Computers & security, vol.28, no. 3, pp. 138-143, 2009. Article (CrossRef Link) https://doi.org/10.1016/j.cose.2008.11.008
  16. E.Yoon, K.Yoo, "Robust ID-based remote mutual authentication with key agreement protocol for mobile devices on ECC," in Proc. of 2009 international conference on computational science and engineering, pp. 633-640, 2009. Article (CrossRef Link)
  17. S.H. Islam, G.P. Biswas, “A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem,” Journal of Systems and Software, vol.84, no.11, pp. 1892-1898, 2011. Article (CrossRef Link) https://doi.org/10.1016/j.jss.2011.06.061
  18. D.B. He, J.H. Chen, J. Hu, “An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security,” Information Fusion, vol.13, no.3, pp. 223-230, 2011. Article (CrossRef Link) https://doi.org/10.1016/j.inffus.2010.02.001
  19. C.H. Chou, K.Y. Tsai, C.F. Lu, “Two ID-based authenticated schemes with key agreement for mobile environments,” The Journal of Supercomputing, vol.66, no.(2): 973–988, 2013. Article (CrossRef Link) https://doi.org/10.1007/s11227-013-0962-3
  20. M.S. Farash, M.A. Attari, “A secure and efficient identity-based authenticated key exchange protocol for mobile client–server networks,” The Journal of Supercomputing, vol. 69, pp. 395-411, 2014. Article (CrossRef Link) https://doi.org/10.1007/s11227-014-1170-5
  21. J.H. Yang, C.C. Chang, “An efficient three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce environments,” Journal of Systems and Software, vol. 82, no. 9, pp. 1497-1502, 2009. Article (CrossRef Link) https://doi.org/10.1016/j.jss.2009.03.075
  22. T.H. Chen, W.B. Lee, H.B. Chen, “A round-and computation-efficient three-party authenticated key exchange protocol,” Journal of Systems and Software, vol.81, no. 9, pp. 1581-1590, 2008. Article (CrossRef Link) https://doi.org/10.1016/j.jss.2007.11.720
  23. Z.W. Tan, “An enhanced three-party authentication key exchange protocol for mobile commerce environments,” Journal of Communications, vol. 5, no. 5, pp. 436-443, 2010. Article (CrossRef Link) https://doi.org/10.4304/jcm.5.5.436-443
  24. D.B. He, Y.T. Chen, and J.H. Chen, “An ID-based three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce environments,” Arabian Journal for Science and Engineering, vol.38, no. 8, pp. 2055-2061, 2013. Article (CrossRef Link) https://doi.org/10.1007/s13369-013-0575-4
  25. M. Burrow, M. Abadi, R.M. Needham, “A logic of authentication,” ACM Transactions on Computer Systems, vol. 8: 18-36, 1990. Article (CrossRef Link) https://doi.org/10.1145/77648.77649
  26. K.E. Lauter, and K.E. Stange, “The elliptic curve discrete logarithm problem and equivalent hard problems for elliptic divisibility sequences,” Selected Areas in Cryptography, Springer Berlin Heidelberg, 309-327, 2009. Article (CrossRef Link)
  27. Java Pairing Based Cryptography Library (jPBC). Article (CrossRef Link)

Cited by

  1. 자금 세탁 방지를 위한 블록체인 기반 스마트 컨트랙트 메커니즘 설계 vol.19, pp.5, 2018, https://doi.org/10.7472/jksii.2018.19.5.1