A SMART CARD BASED GENERIC CONSTRUCTION FOR
ANONYMOUS AUTHENTICATION IN MOBILE NETWORKS
Jing Xu¹, Wen-Tao Zhu² and Deng-Guo Feng¹
¹ State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, 100190 Beijing, China
² State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, 100049 Beijing, China
Keywords:
Wireless security, Mobile network, Roaming service, Smart card, User anonymity, Password authentication,
Key agreement.
Abstract:
The global mobility network can offer effective roaming services for a mobile wireless user between his home
network and a visited network. For the sake of privacy, user anonymity has recently become an important
security requirement for roaming services, and is a topic of concern in designing related protocols such as
mutual authentication and key agreement. In this paper we present a generic construction, which converts
any password authentication scheme based on the smart card into an anonymous authentication protocol for
roaming services. Compared with the original password authentication scheme, the transformed protocol does
not sacrifice authentication efficiency, and additionally, an agreed session key can be securely established
between an anonymous mobile user and the foreign agent in charge of the network being visited.
1 INTRODUCTION
The global mobility network such as the third generation (3G) network (3GPP, 2010) can offer effective global roaming service for a mobile wireless user between his home network and a foreign network being visited. A typical approach to securing wireless roaming service is to employ strong authentication measures (Suzukiz, 1997). When a mobile user M roams to a foreign network managed by a foreign agent F, he and F may perform mutual authentication under the assistance of his home agent H in the home network; although M and H cannot directly communicate with each other, the foreign agent F serves as a relay between them. Usually, a successful and complete authentication ends up with a session key being established between the mobile user M and the foreign agent F to protect further communications between them.
Recently, it has been understood that in the wireless roaming service, it is an important security requirement to protect the identity anonymity for the mobile user. The disclosure of user identity may allow unauthorized entities to locate the mobile user’s current whereabouts and even to track his movements, which is a serious violation of his privacy. In the literature, there have been a number of research efforts on user anonymity in mobile communication systems (Tang, 2008)(Yang, 2007)(Wan, 2008).
In the Third Generation Partnership Project - Authentication and Key Agreement (3GPP-AKA) (3GPP, 2010), the solution to user anonymity involves an anonymity key (AK). 3GPP-AKA requires encryption of the sequence numbers of the mobile user M during mobile authentication and key agreement so as to conceal M’s identity and location. However, 3GPP-AKA provides user anonymity only when all foreign agents (not just the currently serving one) are benign (i.e., not compromised). Such an assumption for anonymity protection seems to be a bit too strong.
Another approach to user anonymity is to employ an alias, also known as the pseudo-identity (Tang, 2008). The idea is to associate a mobile user with an alias, which appears unintelligible to anybody except his home agent. When the user roams to a foreign network, he issues a service request to the corresponding foreign agent by presenting his alias along with other information needed for authentication, e.g., the identifier of his home network. The foreign agent then forwards the alias to the claimed home network for verification. This way the mobile user conceals his identity during the authentication. However, as indicated in (Yang, 2007), the alias approach has the drawback that a user may have to renew his alias from time to time. Moreover, when the wireless communication link is accidentally broken or when some state information of either party is corrupted, the user and his home agent may lose the alias synchronization.
Xu J., Zhu W. and Feng D.
A SMART CARD BASED GENERIC CONSTRUCTION FOR ANONYMOUS AUTHENTICATION IN MOBILE NETWORKS.
DOI: 10.5220/0003511202690274
In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2011), pages 269-274
ISBN: 978-989-8425-71-3
Copyright © 2011 SCITEPRESS (Science and Technology Publications, Lda.)
Yet another approach is based on sophisticated cryptographic constructions, particularly some special public-key operations. For instance, proxy signature (Tang, 2008), identity-based encryption (Wan, 2008) and blind signature (He, 2004) have been used for providing anonymity in mobile networks. A similar technique is observed in (Tzeng, 2006), though the context is for user-to-server anonymous authentication (where the roaming service scenario is not considered). However, these schemes intrinsically suffer from observable inefficiency in terms of computation and/or communication; they may not be practically applicable to mobile devices whose resources are usually constrained.
Recently, by using secure authenticated key exchange protocols (AKEPs) as building blocks, Yang et al. proposed a novel construction for anonymous authentication in mobile networks (Yang, 2007). The construction eliminates the alias synchronization, and does not rely on any additional security assumptions on the communication channel between the foreign network and the user’s home network. However, the anonymous authentication protocol involves digital signatures; although less expensive than proxy signature (Tang, 2008) and blind signature (He, 2004), public-key operations like ordinary digital signatures are still far less efficient than symmetric operations. Moreover, the communication overhead of (Yang, 2007) is higher than those of other anonymous authentication protocols that are not based on underlying AKEPs. Nevertheless, the idea of employing a certain security protocol as a building block for a generic construction motivates our work.
In this paper, by using a secure password authentication scheme based on the smart card as a building block, we present a secure and generic construction for anonymous authentication for roaming service. Our proposal can generally convert a certain password authentication scheme into an anonymous authentication protocol of interest, and features no encryption or digital signature operation. In addition, we show that the generic construction can be instantiated efficiently, and the computation and communication costs of the instantiation are lower than or comparable to those of similar schemes.
The rest of this paper is organized as follows. Section 2 and Section 3 formally describe a smart card based password authentication (SCBPA) scheme and an anonymous authentication protocol for roaming service, respectively. Our generic construction is presented in Section 4, where security analysis and performance evaluation are also included. Section 5 concludes the paper.
2 SMART CARD BASED PASSWORD AUTHENTICATION
Our anonymous authentication protocol is built upon a smart card based password authentication (SCBPA) scheme.
In a smart card based password authentication scheme, a participant may be a user U or a remote server S. The scheme consists of three phases: registration phase, login phase, and authentication phase.
(1) Registration Phase (SCBPA.Reg). When a user U registers with a server S, U selects his password PW and submits it along with his identifier ID to the server S through a secure channel. Then S issues a certain smart card to U.
(2) Login Phase (SCBPA.Log). The user U inserts his smart card into a terminal and keys in his identifier ID and password PW. Then the terminal computes and sends on behalf of the user a login request message m to the remote server S. To authenticate the user, a secret value sv should be embedded in the message m in a cryptographic manner (e.g., through encryption), so that only the user U and the server S are able to compute sv, while any other entity cannot obtain sv even if he eavesdrops on the communication channel and thus knows the message m.
(3) Authentication Phase (SCBPA.Auth). The server S checks the legitimacy of the received message m by verifying the secret value sv, and consequently determines whether to accept U’s login request or not.
As mentioned above, the registration phase (SCBPA.Reg) takes place in a secure environment, and both parties U and S are assumed to be honest and to perform exactly according to the scheme specification. This phase, in the real world, is typically done out-of-band (e.g., at a service counter) so that the transaction is authenticated, confidential, and reliable. In the login and authentication phases (SCBPA.Log and SCBPA.Auth), the communication channel is no longer assumed to be secure. For example, an active adversary A may have total control over the wireless communication channel; he may intercept, insert, delete, or modify any message sent over the air. In addition, we allow such an active A to (1) either steal a user’s smart card and then extract any secretly stored information from it, or (2) compromise the user’s password (e.g., with an over-the-shoulder attack), but not both (1) and (2). In other words, we do not consider the case when a user’s password and his smart card are both compromised, as then there will be no way to prevent the adversary A from masquerading as the legitimate user (i.e., the owner of the smart card) (Xu, 2009). Nevertheless, our security assumption is still weaker than those of most related works. In other words, we expect the SCBPA scheme to be secure in itself instead of relying on certain assumptions that may be too strong in practice.
3 ANONYMOUS AUTHENTICATION IN MOBILE NETWORKS
In an anonymous authentication protocol, a participant may be a mobile user M, a foreign agent F, or a home agent H. The home agent pre-shares a secret key $K_{FH}$ with the foreign agent F, whose network is being visited by M. The protocol consists of a registration phase and a mutual authentication phase.
(1) Registration Phase. When a mobile user M registers with his home agent H, he selects his password PW and submits it along with his identifier ID to H through a secure (typically out-of-band) channel. Then H issues a smart card to M.
(2) Mutual Authentication Phase. The mutual authentication between M and the foreign agent F is performed under the assistance of the home agent H, who is out of M’s reach. If authenticated, M can access the wireless service in the foreign network, and an agreed session key SK (i.e., $K_{MF}$) is established between M and F for securing future communications. Note that a secret $K_{FH}$ is pre-established between the two agents.
It is desirable for anonymous authentication protocols to possess the following security attributes:
- User Anonymity: The real identity of a mobile user M should be protected from being revealed by any other entity except his home agent H.
- Mutual Authentication: The mobile user M and the foreign agent F can authenticate each other under the assistance of the home agent H, which implies resistance against impersonation attacks.
- Confidentiality and Fairness of the Session Key: The mobile user M and the foreign agent F can securely agree on a random session key, which should be only known to them and contain contributions from both of them.
- Protection on User Password: The password of the mobile user M should be protected against the off-line dictionary attack, even if his smart card is stolen.
4 GENERAL CONSTRUCTION FOR ANONYMOUS AUTHENTICATION IN MOBILE NETWORKS
We now propose a generic approach to constructing
an anonymous authentication protocol for roaming
service. In our proposal, we employ a secure SCBPA
scheme as the building block.
4.1 Proposal Description
Let SCBPA be a smart card based password authentication scheme that is secure as defined in Section 2. Suppose in the login phase, the generated login request message is $m_1$, where the identity $ID_M$ is not included in $m_1$, and the secret only known to the user and the remote server is sv. We denote this by $m_1(sv) \leftarrow$ SCBPA.Log. As introduced in Section 3, the anonymous authentication protocol consists of a registration phase and a mutual authentication phase.
Phase I: Registration. This phase is the same as the registration phase of the SCBPA scheme (i.e., SCBPA.Reg). In addition, H chooses a large prime number $p$ and two one-way hash functions $h_1(\cdot), h_2(\cdot) : \{0,1\}^* \to Z_p$.
Phase II: Mutual Authentication. In this phase, the mobile user M and a foreign agent F perform mutual authentication and agree on a session key SK, under the assistance of M’s home agent H. The steps of this phase are outlined in Table 1 and explained as follows.
(1) When M enters a foreign network managed by F, he inputs his identity $ID_M$ and his password into the smart card. The device starts the login phase in SCBPA and generates the login request message $m_1$ embedding the secret value sv. The device also appropriately chooses a random number $n_M$, and computes $SID = ID_M \oplus h_1(sv \| n_M)$, where $ID_M$ is padded by appending $\eta$ bits of ‘0’ to its binary form, so that the padded $ID_M$ has the same length as the output of $h_1(\cdot)$. Then the device sends the message $\{n_M, SID, m_1\}$ to F on behalf of M.
Table 1: Mutual authentication phase of the proposed general construction.
Parties: mobile user M, foreign agent F, home agent H.
M:       $m_1(sv) \leftarrow$ SCBPA.Log; Choose $n_M$; $SID = ID_M \oplus h_1(sv \| n_M)$
M -> F:  $\{n_M, SID, m_1\}$
F:       Choose $n_F$; $S_1 = h_2(K_{FH} \| n_M \| SID \| m_1 \| n_F \| ID_F)$
F -> H:  $\{n_M, SID, m_1, n_F, S_1\}$
H:       Check $S_1$; $sv \leftarrow$ SCBPA.Auth; $ID_M = SID \oplus h_1(sv \| n_M)$; Check $ID_M$ and $m_1$;
         $SK = h_2(sv \| ID_M \| n_M \| ID_F \| n_F)$; $K_1 = SK \oplus h_2(K_{FH} \| n_F)$;
         $m_2 = h_2(sv \| ID_M \| ID_F \| n_F)$; $S_2 = h_2(SK \| ID_F \| n_M \| n_F)$
H -> F:  $\{K_1, m_2, S_2\}$
F:       $SK = K_1 \oplus h_2(K_{FH} \| n_F)$; Check $S_2$
F -> M:  $\{n_F, m_2\}$
M:       Check $m_2$; $SK = h_2(sv \| ID_M \| n_M \| ID_F \| n_F)$
(2) Upon receiving the message, F randomly chooses $n_F$, computes $S_1 = h_2(K_{FH} \| n_M \| SID \| m_1 \| n_F \| ID_F)$, where $K_{FH}$ is the pre-shared symmetric key between F and H. Then F sends the message $\{n_M, SID, m_1, n_F, S_1\}$ to H.
(3) Upon receiving the message, H checks whether the received $S_1$ equals $h_2(K_{FH} \| n_M \| SID \| m_1 \| n_F \| ID_F)$, which is locally computed. If so, H starts the authentication phase in SCBPA, computes the secret value sv, and obtains $ID_M = SID \oplus h_1(sv \| n_M)$. Then H checks whether $ID_M$ is the identity of a legitimate user and whether the submitted login request message $m_1$ is valid. If both conditions are met, H computes $SK = h_2(sv \| ID_M \| n_M \| ID_F \| n_F)$, $K_1 = SK \oplus h_2(K_{FH} \| n_F)$, $m_2 = h_2(sv \| ID_M \| ID_F \| n_F)$, $S_2 = h_2(SK \| ID_F \| n_M \| n_F)$, and sends the message $\{K_1, m_2, S_2\}$ to F.
(4) Upon receiving the message, F computes $SK = K_1 \oplus h_2(K_{FH} \| n_F)$ and $h_2(SK \| ID_F \| n_M \| n_F)$, and checks whether the latter equals the received $S_2$. If so, F believes that M is an authorized user, and forwards $\{n_F, m_2\}$ to M.
(5) M computes $h_2(sv \| ID_M \| ID_F \| n_F)$, and checks whether it equals the received $m_2$. If so, M believes that F is authenticated, and computes the agreed session key $SK = h_2(sv \| ID_M \| n_M \| ID_F \| n_F)$.
4.2 Security Analysis
We now investigate the security of our general construction presented above. The analysis concerns the semantic security of the session key as well as the user anonymity.
Theorem 1. Let SCBPA be a smart card based password authentication scheme, and GC be our proposed general construction depicted in Table 1. Then our general construction GC is secure provided that the password authentication scheme SCBPA satisfies semantic security.
Proof. The detailed proof can be found in the full version.
Theorem 2. Let SCBPA be a smart card based password authentication scheme. If SCBPA is semantically secure, then our general construction of the anonymous authentication protocol for roaming service can achieve user anonymity in the random oracle model.
Proof. In our construction, we can see that besides $SID$ and $m_2$, there is no information related to the identity of the mobile user M. Without knowing sv (which is the secret value in SCBPA), $SID$ and $m_2$ are just the hash results of some unknown values and do not help the adversary obtain any additional information associated with M. Therefore, the user anonymity of our construction reduces to the semantic security of SCBPA.
4.3 Instantiation
Following the general construction, we present a concrete example of transforming a SCBPA scheme (Xu, 2009) into an anonymous authentication protocol for roaming service.
Phase I: Registration. To initialize, H selects large prime numbers $p$ and $q$ such that $p = 2q + 1$. The home agent also chooses its secret key $x \in Z_q$ and three appropriate one-way hash functions $h(\cdot), h_1(\cdot), h_2(\cdot) : \{0,1\}^* \to Z_p$. Then the protocol proceeds in the following steps:
(1) The mobile user M chooses his $ID_M$ and PW. He then submits the registration request $\{ID_M, PW\}$ to H through a secure channel.
(2) Upon receiving the registration message, the server computes $B = (h(ID_M)^x \cdot h(PW)) \bmod p$.
(3) The server stores $\{B, h(\cdot), h_1(\cdot), h_2(\cdot), p\}$ into a smart card and issues the device to the user.
Phase II: Mutual Authentication.
(1) When M enters a foreign network managed by F, he inputs his identity $ID_M$ and his password PW to the smart card. Then the device appropriately chooses $w \in_R Z_q$ and a random number $n_M$, computes $R = B/h(PW) \bmod p$, $B' = (B/h(PW))^w \bmod p$, $W = h(ID_M)^w \bmod p$, $C = h(T \| B' \| R \| W \| ID_M)$, and $SID = ID_M \oplus h_1(B' \| n_M)$, and sends the message $\{n_M, SID, C, W, T\}$ to F, where T is a time stamp.
(2) Upon receiving the message, F randomly chooses $n_F$, computes $S_1 = h_2(K_{FH} \| n_M \| SID \| C \| W \| T \| n_F \| ID_F)$, and sends to H the message $\{n_M, SID, C, W, T, n_F, S_1\}$, where $K_{FH}$ is the pre-shared symmetric key between F and H.
(3) Upon receiving the message, H verifies whether the difference between T and the time of receipt is within a predefined threshold. Then H computes $h_2(K_{FH} \| n_M \| SID \| C \| W \| T \| n_F \| ID_F)$ and checks whether it equals the received $S_1$. If so, H computes $B'' = W^x \bmod p$ and obtains $ID_M = SID \oplus h_1(B'' \| n_M)$. Then H checks whether $ID_M$ is a legal identity and whether C equals $h(T \| B'' \| h(ID_M)^x \| W \| ID_M)$. If both conditions are met, M is authenticated, and F is implicitly authenticated. H continues to compute $SK = h_2(h(ID_M)^x \| ID_M \| n_M \| ID_F \| n_F)$, $K_1 = SK \oplus h_2(K_{FH} \| n_F)$, $m_2 = h_2(B'' \| ID_M \| ID_F \| n_F)$, $S_2 = h_2(SK \| ID_F \| n_M \| n_F)$, and sends the message $\{K_1, m_2, S_2\}$ to F.
Table 2: Performance comparison between three solutions. “Pre” denotes pre-computed (i.e., offline) operation. A signature operation is counted as an asymmetric encryption.
Performance Metrics                       Our scheme   Tang’s Scheme   Yang’s Scheme
Modular exponentiation               M    2 Pre        N/A             N/A
                                     F    N/A          N/A             N/A
                                     H    2            N/A             N/A
Symmetric cryptographic operation    M    N/A          1               N/A
                                     F    N/A          1               N/A
                                     H    N/A          2               N/A
Asymmetric cryptographic operation   M    N/A          1               2
                                     F    N/A          0               1
                                     H    N/A          0               2
Communication rounds                      2            2               3
(4) Upon receiving the message, F computes $SK = K_1 \oplus h_2(K_{FH} \| n_F)$ and $h_2(SK \| ID_F \| n_M \| n_F)$, and checks whether the latter equals the received $S_2$. If so, it believes that M is an authorized user and forwards $\{n_F, m_2\}$ to M.
(5) M computes $h_2(B' \| ID_M \| ID_F \| n_F)$, and checks whether it equals the received $m_2$. If so, M believes F is authenticated and computes the agreed session key $SK = h_2(R \| ID_M \| n_M \| ID_F \| n_F)$.
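The five steps of the instantiation, written out as an added sketch that is not code from the paper; the message flow of Table 1 is the same with sv in place of the smart-card values. Assumptions: h, h_1 and h_2 are modelled by domain-separated SHA-256, the combining operator in SID and K_1 is XOR, the prime is a constructed toy value, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

Q = 1019        # constructed toy parameters (assumption): p = 2q + 1 as in Phase I;
P = 2 * Q + 1   # a real deployment needs a cryptographically large safe prime
eq = hmac.compare_digest   # constant-time comparison for all verification values

def enc(*parts):           # unambiguous, length-prefixed encoding of a || b || ...
    out = b""
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        out += len(b).to_bytes(2, "big") + b
    return out

def H(tag, *parts):        # h, h1, h2 modelled as domain-separated SHA-256 (assumption)
    return hashlib.sha256(enc(tag, *parts)).digest()

def hg(x):                 # h(.) as a non-zero element mod p, used in exponentiations
    return 1 + int.from_bytes(H("h", x), "big") % (P - 1)

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def register(x, id_m, pw):                 # Phase I: B = h(ID_M)^x * h(PW) mod p
    return pow(hg(id_m), x, P) * hg(pw) % P

def user_login(B, id_m, pw, T):            # step (1), executed by the smart card
    w, n_m = 1 + secrets.randbelow(Q - 1), secrets.token_bytes(16)
    R = B * pow(hg(pw), -1, P) % P         # R = B / h(PW) mod p
    Bp, W = pow(R, w, P), pow(hg(id_m), w, P)
    C = H("h", T, Bp, R, W, id_m)
    SID = xor(id_m.encode().ljust(32, b"\0"), H("h1", Bp, n_m))  # zero-padded ID_M
    return (n_m, SID, C, W, T), (Bp, R)

def foreign_forward(k_fh, id_f, msg):      # step (2): append n_F and S_1
    n_f = secrets.token_bytes(16)
    return msg + (n_f, H("h2", k_fh, *msg, n_f, id_f))

def home_verify(x, k_fh, id_f, users, fwd, now, skew=60):   # step (3)
    n_m, SID, C, W, T, n_f, S1 = fwd
    if abs(now - T) > skew or not eq(S1, H("h2", k_fh, n_m, SID, C, W, T, n_f, id_f)):
        return None                        # stale time stamp or S_1 mismatch
    Bpp = pow(W, x, P)                     # B'' = W^x mod p
    id_m = xor(SID, H("h1", Bpp, n_m)).rstrip(b"\0").decode(errors="replace")
    R = pow(hg(id_m), x, P)
    if id_m not in users or not eq(C, H("h", T, Bpp, R, W, id_m)):
        return None                        # unknown identity or invalid login request
    SK = H("h2", R, id_m, n_m, id_f, n_f)
    return xor(SK, H("h2", k_fh, n_f)), H("h2", Bpp, id_m, id_f, n_f), H("h2", SK, id_f, n_m, n_f)

def foreign_finish(k_fh, id_f, n_m, n_f, reply):   # step (4): unmask SK, check S_2
    K1, m2, S2 = reply
    SK = xor(K1, H("h2", k_fh, n_f))
    return (SK, (n_f, m2)) if eq(S2, H("h2", SK, id_f, n_m, n_f)) else None

def user_finish(state, id_m, id_f, n_m, n_f, m2):  # step (5): check m_2, derive SK
    Bp, R = state
    ok = eq(m2, H("h2", Bp, id_m, id_f, n_f))
    return H("h2", R, id_m, n_m, id_f, n_f) if ok else None

def run_session(x, k_fh, B, id_m, pw, id_f, users, T=1000):
    msg, state = user_login(B, id_m, pw, T)
    fwd = foreign_forward(k_fh, id_f, msg)
    reply = home_verify(x, k_fh, id_f, users, fwd, now=T + 5)
    if reply is None:
        return None
    sk_f, (n_f, m2) = foreign_finish(k_fh, id_f, fwd[0], fwd[5], reply)
    return user_finish(state, id_m, id_f, fwd[0], n_f, m2), sk_f, msg[1]
```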
4.4 Performance Evaluation
Next, we evaluate the performance of our instantiation by comparing the mutual authentication phase with those of Tang et al.’s scheme (Tang, 2008) and Yang et al.’s scheme (Yang, 2007) in Table 2. Particularly, we focus on the numbers of operations that a mobile user M needs to perform (marked in bold font), because mobile devices usually are not as powerful as desktop computers and thus are not suitable for computation intensive tasks.
Table 2 shows that, for the mobile user M, Phase II of our protocol only introduces two extra modular exponentiations, but the modular exponentiations can both be pre-computed off-line. Both (Tang, 2008) and (Yang, 2007) require certain public-key operations, while our construction does not need them (other than the modular exponentiations). Therefore, our protocol is computationally more efficient than those of (Tang, 2008) and (Yang, 2007).
Next, we look into the communication complexity. Our mutual authentication phase takes only one round of message exchange between M and F, and one round between F and H (recall Table 1), while Yang et al.’s scheme (Yang, 2007) takes two rounds of message exchange between M and F, and one round between F and H. Therefore, in terms of communication complexity, our instantiation is comparable to (Tang, 2008), but more efficient than (Yang, 2007).
5 CONCLUSIONS
In this paper, we have proposed a secure and generic approach to constructing an anonymous authentication protocol for roaming service, employing a secure password authentication scheme based on the smart card as the building block. Our approach eliminates the alias synchronization between the mobile user and his home agent, and does not rely on any signature operations or encryptions. Moreover, the construction can be instantiated efficiently, and the computation and communication costs of the instantiation are lower than or comparable to those of similar schemes.
ACKNOWLEDGEMENTS
This work was supported by the National Grand Fundamental Research (973) Program of China under grant 2007CB311202, the National Natural Science Foundation of China (NSFC) under grants 60970138 and 60873197, and the Knowledge Innovation Program of Chinese Academy of Sciences under grant YYYJ-1013.
REFERENCES
3rd Generation Partnership Project. (2010). Technical Specification Group Services and System Aspects; 3G Security; Security architecture (Release 9). Available online at http://www.3gpp.org/ftp/Specs/html-info/33102.htm.
Suzukiz S. and Nakada K. (1997). An authentication technique based on distributed security management for the global mobility network. IEEE Journal on Selected Areas in Communications. vol. 15, no. 8, pp. 1606–1617.
Tang C. and Wu D. O. (2008). Mobile privacy in wireless networks-revisited. IEEE Transactions on Wireless Communications. vol. 7, no. 3, pp. 1035–1042.
Yang G., Wong D. S., and Deng X. (2007). Anonymous and authenticated key exchange for roaming networks. IEEE Transactions on Wireless Communications. vol. 6, no. 9, pp. 3461–3472.
Wan Z. G., Ren K., and Preneel B. (2008). A secure privacy-preserving roaming protocol based on hierarchical identity-based encryption for mobile networks. In: 1st ACM Conference on Wireless Network Security (WiSec 2008). pp. 62–67.
He Q., Wu D., and Khosla P. (2004). Quest for personal control over mobile location privacy. IEEE Communications Magazine. vol. 42, no. 5, pp. 130–136.
Tzeng W.-G. (2006). A secure system for data access based on anonymous authentication and time-dependent hierarchical keys. In: 1st ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS 2006). pp. 223–230.
Xu J., Zhu W.-T., and Feng D.-G. (2009). An improved smart card based password authentication scheme with provable security. Computer Standards & Interfaces. vol. 31, no. 4, pp. 723–728.