Lightweight and provably secure user authentication with anonymity for the global mobility network

INTERNATIONAL JOURNAL OF COMMUNICATION SYSTEMS
Int. J. Commun. Syst. (2010)
Published online in Wiley InterScience

Chun Chen 1, Daojing He 1, Sammy Chan 2, Jiajun Bu 1, Yi Gao 1 and Rong Fan 1

1 College of Computer Science, Zhejiang University, Zhejiang, People's Republic of China
2 Department of Electronic Engineering, City University of Hong Kong, Hong Kong SAR, People's Republic of China

SUMMARY

Seamless roaming in the global mobility network (GLOMONET) is highly desirable for mobile users, although their proper authentication is challenging. This is because not only are wireless networks susceptible to attacks, but mobile terminals also have limited computational power. Recently, some authentication schemes with anonymity for the GLOMONET have been proposed. This paper shows some security weaknesses in those schemes. Furthermore, a lightweight and provably secure user authentication scheme with anonymity for the GLOMONET is proposed. It uses only symmetric cryptographic and hash operation primitives for secure authentication. Besides, it takes only four message exchanges among the user, foreign agent and home agent. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity, user friendliness, no password/verifier table, and use of a one-time session key between the mobile user and the foreign agent. The security properties of the proposed protocol are formally validated by a model checking tool called AVISPA. Furthermore, as one of the new features in our protocol, it can defend against smart card security breaches. Copyright 2010 John Wiley & Sons, Ltd.

Received 19 October 2009; Revised 3 April 2010; Accepted 25 April 2010

KEY WORDS: authentication; smart card; security; model checking; anonymity; global mobility network

Correspondence to: Daojing He, College of Computer Science, Zhejiang University, Zhejiang, People's Republic of China. hedaojinghit@gmail.com
Contract/grant sponsor: National Basic Research Program of China; contract/grant number: 2006CB
Contract/grant sponsor: Research Council of the Hong Kong SAR, China; contract/grant number: CityU

1. INTRODUCTION

Wireless communications is a rapidly growing segment of the communications industry, with the potential to provide high-speed and high-quality information exchange between mobile devices (e.g. notebook computer, PDA and smart phone) located anywhere in the world. Global mobility networks (GLOMONETs) [1], such as the 2G and 3G mobile telecommunication networks, provide effective global roaming services for legitimate mobile users, which enables them to access the services provided by their home networks even when they roam into a foreign network. Obviously, before providing services, the foreign network needs to authenticate the user through the user's home agent. A successful authentication scheme with anonymity for the GLOMONET should satisfy the following requirements:

(1) Proper authentication: the mobile users must be authenticated to prevent illegal use of resources.
(2) Anonymity: the disclosure of a mobile user's identity allows unauthorized entities to track his/her moving history and current location.
(3) Low communication cost and computation complexity: the channel bandwidth is a scarce resource and mobile devices have limited computational power.
(4) Single registration: it allows a mobile user to register only once at the home network and then he/she can access the whole global network.
(5) No verifier table: if no verification table is maintained in the foreign agent or home agent, the overhead of the authentication system is reduced and measures against stolen verifier attacks can be omitted.
(6) Update password securely and freely: it allows the card holder to update his/her password freely after being authenticated as a legitimate cardholder.
(7) User friendliness.
(8) Providing the authentication scheme when the user is located in the home network: in the special case when a mobile user is in his/her home network, the authentication scheme can be made simpler than the original one. For the sake of completeness, the simplified scheme for this special case should also be specified.
(9) Security: clearly, the authentication scheme should be able to resist various kinds of attacks (e.g. replay attack [2], insider attack [3] and offline password guessing attack) such that it can be applied in the real world.

Many user authentication schemes (e.g. [1, 4-19]) have been proposed for the GLOMONET. Among them, due to tamper-resistance and convenience in managing a password file, smart card-based password authentication is one of the simplest and most effective approaches for user authentication and secret session key distribution [4-12]. In a typical smart card-based password authentication scheme, users are authenticated with their cards as identification tokens. The smart card takes as input a password from the user, creates a login message from the given password, and sends the message to a remote server, which then checks the validity of the login request message before allowing access to any services. In this way, the administrative overhead of the authentication server is reduced, and the user only needs to remember his/her password. In addition to creating and sending login messages, smart cards may also support mutual authentication, where a challenge-response interaction between the card and the server takes place to verify each other's identity [20].

To evaluate the security of smart card-based user authentication schemes, we assume that an adversary may have the following capabilities:

(1) The adversary has total control over the communication channel between the user and the foreign and home agents. That is, the adversary may intercept, insert, delete, or modify any message in the channel.
(2) The adversary may either (i) obtain a user's password, or (ii) extract the secret parameters of the smart card through some means (e.g. [21, 22]), but cannot achieve both (i) and (ii).

For Capability (2)ii, it is important to note that breaching smart cards has been shown to be relatively quick and easy, allowing the secrets stored in a smart card to be revealed by monitoring the power consumption [21] or by analyzing the leaked information [22]. For example, differential power analysis (DPA) is a class of attacks which extracts secret keys and compromises the security of smart cards and other cryptographic devices by analyzing their power consumption. Simple power analysis (SPA) is a simpler form of the attack that does not require statistical analysis. Although some smart card manufacturers take into account the risk of these attacks and provide countermeasures to deter reverse engineering attempts, these smart cards are more costly. In most cases, due to the limited resources (e.g. cost, display size, computing capability) of mobile devices, most applications do not deploy this costly feature. Therefore, a better approach is to take smart card security breaches into account when designing smart card-based authentication schemes. Obviously, if the adversary has both Capability (2)i and (2)ii, there is no way to prevent the adversary from masquerading as the user. In this paper, we focus on the security of authentication schemes for the case that the adversary has Capabilities (1) and (2)ii.

To the best of our knowledge, secure user authentication with anonymity for GLOMONETs has not been addressed adequately, since designing an authentication protocol for the GLOMONET is a difficult task. There are so many details involved that the designer can only try his/her best to make sure that his/her protocol is infallible. In reality, the degree of confidence accompanying a scheme increases with time only if the underlying algorithms can survive many years of public scrutiny. The related works on smart card-based password authentication schemes in the GLOMONET include [4-12]. However, we observe that there are some security weaknesses in all these schemes. The details of these security weaknesses will be described in Section 2. Moreover, none of these schemes [4-12] can prevent smart card security breaches.

The main contributions of this paper are as follows:

(1) We show some security weaknesses of current user authentication schemes [1, 4-19] for the GLOMONET.
(2) We present a lightweight and secure user authentication scheme for the GLOMONET. Compared with the previous schemes [1, 4-19], our proposed approach has a number of advantages. First, it is simple to implement for all participants since it only performs symmetric cryptographic and hash operations. Second, it takes only one round of message exchange between a mobile user and the visited network and one round of message exchange between the visited network and the corresponding home network. Third, this protocol enjoys important security attributes such as preventing various attacks, single registration, user anonymity, user friendliness, no password/verifier table, use of a one-time session key between the mobile user and the foreign agent, etc. Furthermore, as one of the new features in our protocol, it can defend against smart card security breaches.
(3) The proposed authentication protocol is modeled using the high-level formal language HLPSL [23], and verified using the model checking tool AVISPA [24] (automated validation of Internet security protocols and applications), where two main security properties are checked: authenticity and confidentiality of messages. By examining all possible execution traces of the proposed scheme in the presence of a Dolev-Yao intruder [25], we demonstrate that our proposal indeed enforces its security guarantees.

The remainder of this paper is structured as follows. In Section 2, we first survey and analyze the related work, and discuss their security weaknesses. Section 3 briefly introduces the preliminaries. Section 4 describes the details of our proposed scheme, followed by the security analysis and performance analysis in Sections 5 and 6, respectively. Finally, Section 7 concludes this paper.

2. RELATED WORK

In this section, we present the related work in the area of smart card-based user authentication in the GLOMONET. Additionally, related work regarding user authentication which does not make use of smart cards is introduced.

2.1. Smart card-based user authentication

Many related studies have been reported on smart card-based password authentication schemes for the GLOMONET [4-12]. Recently, a lightweight and efficient authentication scheme was suggested in [4]. Unfortunately, it was found that this solution has weaknesses, and a modified version to overcome them was presented in [5]. The study in [6] demonstrates that the mechanism in [5] also fails to provide anonymity, and a simple remedy is reported. Unfortunately, two recent studies in [7, 8] show that all these schemes [4-6] are incapable of providing anonymity. Later, security weaknesses of the approaches in [4, 5] were identified and a novel approach with anonymity was proposed in [9] to overcome these vulnerabilities. However, a more recent study in [10] demonstrates that the scheme of [9] fails to achieve user anonymity and to provide a secure key establishment service. In [11], a secure remote user authentication scheme based on dynamic ID was proposed. Later, an improved version to overcome the shortcomings of [11] was presented in [12]. The authors in [12] claim that, in their protocol, the adversary cannot masquerade as a legitimate user to log in to the remote server (i.e. the foreign agent in this paper) even if the adversary possesses Capability (2)ii. However, contrary to their claims, we find that the protocol is still vulnerable to the masquerade attack when the adversary uses the information stored in the smart card, as follows. After the adversary has obtained a login request message during one of the past logins of a mobile user, say MU, by eavesdropping, with the secrets stored in the smart card, he/she can get the real identity ID_MU and password PW_MU of MU by launching an offline guessing attack. Subsequently, the adversary can masquerade as MU by inputting {ID_MU, PW_MU} into the card and then access the resources of the service provider. This also implies that the scheme in [12] cannot provide anonymity. Note that the authors in [4-6, 9] assume that the adversary does not possess Capability (2)ii. However, in reality, the secrets in the smart card can be easily extracted by the adversary. Therefore, these schemes [4-6, 9, 12] fail to meet the security requirement that smart card-based authentication schemes should achieve. Thus, none of these schemes [4-12] can prevent smart card security breaches.

In addition, we have five findings on the above schemes [4-6, 9, 11, 12], as follows. First, some schemes [4-6, 9] for the GLOMONET do not consider the authentication scheme when the user is located in his/her home network. Second, there is a serious design weakness in most existing authentication schemes [4-6, 11, 12]. More specifically, in the login request message from a user, the identity of the foreign agent which the user wants to access is not indicated. In this case, some attacks can be launched. One example is described as follows. Assume that a user, MU, wants to access a foreign agent named FA_i. At the same time, FA_j is an adversary who has registered as a valid foreign agent at MU's home agent. In this case, FA_j can intercept the login request message from MU and then impersonate FA_i to establish a session key with MU. Third, in [4-6, 9], a user cannot update his/her password. Fourth, some authentication schemes (e.g. [4-6, 9, 11]) are vulnerable to the insider attack and the related impersonation attack. Here the insider attack is defined as one where a manager of the system purposely leaks secret information, leading to serious security weaknesses of an authentication protocol. For example, if a privileged insider of the home agent, e.g. the administrator, has learned a user's password, it may try to impersonate the user to access any foreign agent. Last but not least, the schemes [4-6] utilize asymmetric cryptography. Unfortunately, given that a public key infrastructure has failed to emerge over the past decade, these schemes [4-6] seem highly unlikely to be deployed in the foreseeable future.

2.2. Other authentication schemes

In addition, there are authentication schemes (e.g. [13-19]) for the GLOMONET which do not make use of smart cards. In [13], the authors assume that most communication behaviors should be honest, and a more efficient authentication protocol has been suggested despite its loss of efficiency in a dishonest communication situation. For wireless local area network (WLAN) security, the IEEE 802.1X standard provides an authentication framework that is based on the Extensible Authentication Protocol (EAP). In the EAP framework, some authentication methods have been proposed. The detailed information is given as follows. EAP-SIM provides the authentication steps and defines the information needed to authenticate a client by the credentials retrieved from a SIM card. EAP-AKA gives the mutual authentication of the user and the radio access network, resulting in strong symmetric session keys. Recently, possible man-in-the-middle attacks on EAP-AKA and EAP-SIM were reported in [26]. EAP-transport layer security (EAP-TLS) [15] is the original, standard wireless LAN EAP authentication protocol. Although it is rarely deployed, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software. EAP-tunneled transport layer security (EAP-TTLS) [16] is an EAP protocol that extends TLS. This greatly simplifies the setup procedure as a certificate does not need to be installed on every client. However, EAP-TLS and EAP-TTLS use public key infrastructure (PKI) to achieve secure communication. Thus, although these two protocols provide excellent security, the overhead of client-side certificates may be their inherent weakness. In addition, protected extensible authentication protocol (PEAP) [17] is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication.

The coexistence of networks with heterogeneous link layer technologies will become normal in the near future. Mobile users will need to frequently hand off among these networks for a number of reasons. Thus, secure handoff optimization schemes should be fast and secure enough for demanding applications. A survey on the prominent methods that optimize the secure handoff process is given in [18]. Very recently, a novel and simple multi-layered architecture was proposed for pseudo-random pseudonym generation which offers a privacy-preserving mechanism for fast re-authentication processes in EAP-based next generation networks [19].

3. PRELIMINARIES

In this section, we introduce the building blocks of the proposed protocol, which include the communications model, trust model and attack model.

3.1. Communications model and trust model

In the following description of our communications model and trust model, we consider the scenario where a mobile user MU, associated with its home agent HA, is visiting a foreign network with a foreign agent FA.

Figure 1. Communications model (parties MU, HA, FA and AS).

Figure 2. Trust model (parties MU, HA, FA and AS).

When MU is out of its home network, it needs to be authenticated before being allowed to access a visited foreign network. Because MU is out of the coverage of its home agent, we assume that any message between MU and HA has to go through FA. We further assume that HA has a communication link to the FA that is to serve MU. As shown in Figure 1, there are four parties, namely, MU, FA, HA, and a trustworthy authentication server (AS). A link in Figure 1 indicates that there is a direct communication link between its two end parties, and vice versa. We follow the conventional assumption that global clock synchronization is supported for the GLOMONET. This clock synchronization requirement is fundamental for GLOMONET functionalities (e.g. tracking and surveillance) and can be fulfilled by many existing techniques. An example is the Global Positioning System (GPS), which can be used to synchronize mobile nodes' local clocks to UTC world time without imposing additional load on the communication channels of the nodes (e.g. [27]). In fact, timestamps have been extensively used to secure the GLOMONET (e.g. [4-6]). Moreover, compared with nonces, it has been shown in the literature that the use of timestamps is a simpler and more efficient way to prevent many insidious attacks including the replay attack and the wormhole attack (e.g. [28]). As shown in Figure 1, HA is able to access AS, and so is FA. In addition, there is a direct communication link between FA and HA. MU communicates with all other parties via FA. Note that, when MU is located in its home network, obviously, there is a direct communication link between itself and HA. Based on the communications model, with the assistance of AS, a secure channel can be established between HA and FA, for example, via Kerberos [29].

The above FA/HA model is compatible with the current standards. Here, we consider 3GPP as an example. In the authentication and key agreement of UMTS subscribers, as specified in 3GPP TS, the Home Location Register (HLR) plays the role of a home agent, the Authentication Centre (AuC) plays the role of a trustworthy authentication server (AS), and the Visitor Location Register (VLR) plays the role of a foreign agent.

Figure 2 shows the trust model, where a dashed line with arrows at both ends indicates that mutual trust is established between the two end parties, and a dashed line with an arrow at one end only indicates one-way trust. Following Figure 2, MU cannot trust FA and vice versa. Similarly, there is no mutual trust between FA and HA. MU can trust AS and HA, even if there is no direct communication channel between them, upon proper authentication. All other trusting pairs connected via dashed lines in Figure 2 are straightforward to follow.

3.2. Attack model

As described in Section 1, we assume that an adversary has total control over the communication channel between the user, and the foreign and home agents. In addition, the adversary may either (i) obtain a user's password, or (ii) extract the secret parameters of the smart card, but cannot achieve both (i) and (ii).

4. OUR PROPOSED SCHEME

In this section, we propose a lightweight and secure user authentication scheme. The protocol is divided into five phases: the registration phase, the login phase, the authentication phase, the session key update phase and the password change phase. In the following description of the proposed scheme, we consider the scenario where a mobile user MU, associated with its home agent HA, is visiting a foreign network with foreign agent FA. Table I lists some notations that will be used throughout the rest of this paper.

We assume that x_HA and y_HA are two master secret keys, which are held only by HA. Note that the lengths of both x_HA and y_HA are sufficiently large, e.g. the bit length of x_HA is 256 whereas that of y_HA is 512. That is, these two values are high-entropy random numbers. It is assumed that before the system starts, each pair of FA and HA shares a long-term common secret key SK_FA = h(ID_FA || y_HA), established using any key agreement method, such as the Diffie-Hellman key agreement protocol [30]. The users who have registered with a home agent only have the privilege to access the foreign agents which share a long-term common secret key with the home agent. That is, HA issues a key to every foreign agent which the users are allowed to log in to. Here h(.), used throughout the proposed scheme, is a collision-free one-way hash function such as SHA-1 [31]. Therefore, the bit length of the output of the hash function is 160, and the bit length of ID_FA is assumed to be 128.

Table I. Notations.

Notation   Description
MU         A mobile user
HA         The home agent of MU
FA         The foreign agent of the foreign network where MU is visiting
PW_MU      A password of MU
ID_X       The identity of an entity X
(M)_K      Encryption of a message M using a symmetric key K
h(.)       A one-way hash function
||         The concatenation operator
⊕          The XOR operator

4.1. Registration phase

In this phase, MU freely selects a password PW_MU. The length of the user password is supposed to be at least 8 bytes. The password should contain both digits and English characters. After that, for registration, MU submits his/her identity ID_MU to HA over a secure channel. Here the bit length of ID_MU is assumed to be 128. Next, HA performs the following steps:

(1) HA computes SID_MU = (ID_HA || ID_MU)_{x_HA} and SK_MU = h(ID_MU || x_HA). The symmetric encryption algorithm used throughout the proposed scheme is RC5 [32]. Under the RC5 algorithm, if the bit length of the plaintext is X, the bit length of the ciphertext is 128·⌈X/128⌉ (X rounded up to a multiple of the 128-bit block size). Here the bit length of ID_HA is assumed to be 128.
(2) HA issues a smart card to MU through a secure channel, where the smart card includes {SID_MU, SK_MU, h(.)}.
(3) After receiving the smart card, MU computes:

V_MU = SK_MU ⊕ h(ID_MU || h(PW_MU))
H_MU = h(h(SK_MU))

Next, MU replaces SK_MU with {V_MU, H_MU}. Finally, the smart card contains {V_MU, H_MU, SID_MU, h(.)}.

4.2. Login phase

Figure 3 shows both the login phase and the authentication phase. When MU roams into the foreign network and tries to access service, FA first authenticates MU through HA before providing service. For authentication, MU inserts his/her smart card into the device and enters his/her identity ID_MU and password PW_MU. The card performs the following operations:

(1) Compute SK'_MU = V_MU ⊕ h(ID_MU || h(PW_MU)) and H'_MU = h(h(SK'_MU)).
(2) Check whether H'_MU and H_MU are equal. If yes, the legitimacy of the user is assured and the card proceeds to the next step. Otherwise, the login request is rejected.
(3) Compute E = (h(ID_MU) || ID_FA || x_0)_{TK_MU}, where TK_MU = h(T_MU || SK_MU) is the temporary key and ID_FA is the identity of the foreign agent which MU wants to access. Here x_0 is an l-bit secret random number chosen by MU, which is used to generate the session key between MU and FA. l should be sufficiently large, e.g. 256 bits. A timestamp T_MU is also added by MU to resist replay attacks. Note that the bit length of a timestamp is assumed to be 64 throughout this paper.
(4) Send a login message m_1 = {SID_MU, E, T_MU} to FA.

4.3. Authentication phase

Upon receiving the message m_1, FA checks whether the timestamp T_MU has expired. If T_MU is invalid, FA rejects this login request message; otherwise, with the secret key SK_FA, FA computes a keyed-hash message authentication code (HMAC) [33] over the message m_1 for the verification test by HA. FA then sends the following message m_2 to HA:

m_2 = {SID_MU, E, T_MU, ID_FA, T_FA, HMAC(SK_FA, (SID_MU || E || T_MU || T_FA))}

Figure 3. The login phase and the authentication phase of the proposed scheme.

Here HMAC(SK_FA, (SID_MU || E || T_MU || T_FA)) denotes h(SK_FA || SID_MU || E || T_MU || T_FA), which is the message authentication code computed over the message {SID_MU || E || T_MU || T_FA} with key SK_FA. After receiving message m_2, HA performs the following steps.

(1) HA checks the timestamp T_FA to see whether it is within the window of acceptance. If so, it proceeds to the next step. Otherwise, it terminates the connection.
(2) HA computes SK_FA = h(ID_FA || y_HA) and then checks whether the HMAC is valid. If it is not valid, HA believes that this is a false message and terminates this process; otherwise, it goes to the next step.
(3) HA decrypts SID_MU with the secret x_HA to obtain MU's identity ID_MU. Then HA verifies the format of ID_MU. If the format is not valid, the authentication process is terminated; otherwise, with the knowledge of ID_MU, HA computes SK_MU = h(ID_MU || x_HA) and then generates TK_MU = h(T_MU || SK_MU). Subsequently, HA obtains {h(ID'_MU), ID'_FA, x_0} by decrypting the sub-message E with TK_MU. Next, in order to verify whether MU is a legal user, HA calculates h(ID_MU) and compares it with h(ID'_MU). Here ID_MU and ID'_MU are from the sub-messages SID_MU and E, respectively. If they are equal, HA believes MU is a legal user of its network and T_MU is generated by the legal user MU. At the same time, HA checks whether ID'_FA included in sub-message E is equal to ID_FA. If yes, HA believes that FA is the legal foreign agent which MU wants to access; otherwise, HA terminates this authentication process.
(4) Next, HA sends the message m_3 = {T_HA, W} to FA to inform it that MU is a legal user, where W = (h(SK_MU) || x_0 || T_HA)_{SK_FA}.

10 C. CHEN ET AL. Once FA receives the message m 3 from HA, it checks the validity of the timestamp T HA. If it is not valid, the process is terminated; otherwise, with the secret key SK FA, FA can obtain the knowledge {h(sk MU ), x 0, THA } by decrypting the sub-message W. After that, HA checks whether the timestamp THA equals T HA. If they are not equal, the process is terminated; otherwise, FA believes that the message m 3 is from the legal home agent HA. ThenFA computes the session key sk= h(h(sk MU ) x 0 ) between FA and MU. After that, FA sends the message m 4 ={(TCert MU h(x 0 )) sk } to MU, wheretcert MU is a temporary certificate which FA issues to MU. TCert MU includes lifetime and other information. Here the bit length of TCert MU is assumed to be 256. While receiving the message m 4 from FA, MU computes the session key sk and then decrypts m 4 to obtain TCert MU and h(x0 ). MU also authenticates FA by comparing h(x 0) with the decrypted h(x0 ). As a result, MU can be sure that it is communicating with a legal FA Session key update phase In order to enhance the efficiency and ensure strong security, when MU is always associated with FA, the session key needs to be updated periodically. The process is as follows: When MU visits FA at ith session, MU sends a message {TCert MU,(x i TCert MU OtherInformation) ski } to FA.HereMU encrypts (x i TCert MU OtherInformation) with the new ith session key sk i =h(h(sk MU ) x i 1 ), where i =1,2,...,n. Upon receiving the message from MU, FA checks whether the certificate TCert MU is valid. If it is, FA decrypts (x i TCert MU Other Information) andsavesx i for the next communication with MU Password change phase This phase is invoked whenever MU wants to change his/her password PW MU with a new one, say PW new. The process is described in the following: (1) MU inserts his/her smart card into the device enters {ID MU,PW MU }, and requests to change password. 
(2) While receiving the request of changing passwords and ID MU, PW MU, MU s smart card computes SK MU = V MU h(id MU h(pw MU )) and H MU =h(h(h(sk MU))). Then the smart card checks whether H MU and H MU are equal. If not, the smart card rejects the password change request; otherwise, it proceeds to the next step. (3) MU s smart card computes V MUnew = SK MU h(id MU h(pw new )). The parameters V MUnew are stored in the smart card to replace V MU, respectively. As a special case, we consider the authentication scheme when MU is located in his/her home network and tries to access service. Before providing services, HA must authenticate MU. IfMU is a legal user of its network, HA will issue a temporary certificate TCert MU to MU, which will be used in the session key update phase when MU communicates with HA. Theprocessisasfollows. As the login phase described in Section 4.2, MU sends a login message m 1 ={SID MU, E, T MU } to HA. Here the difference is E =(h(id MU x 0 )) TKMU. Upon receiving the message m 1 from MU, HA checks whether timestamp T MU is valid. If it is not valid, HA will reject this login request message; otherwise, HA decrypts SID MU with the secret x HA to obtain MU s identity IDMU.Then HA verifies the format of ID MU. If the format is not valid, the authentication process is terminated; otherwise, with the knowledge ID MU, HA computes SK MU =h(id MU x HA ) and then generates

11 LIGHTWEIGHT AND PROVABLY SECURE USER AUTHENTICATION WITH ANONYMITY TK MU =h(t MU SK MU ). Subsequently, HA obtains {h(id MU ), x 0} by decrypting the sub-message E with TK MU. Next, in order to verify whether MU is a legal user, HA calculates h(id MU )and compares it with h(id MU ). Here ID MU and ID MU are from the sub-messages SID MU and E, respectively. If they are equal, HA believes that MU is a legal user of its network and T MU is generated by the legal user MU; otherwise,ha terminates this authentication process. After that, HA computes the session key sk=h(h(sk MU )) x 0 ) between itself and MU. HA then sends the message m 2 ={(TCert MU h(x 0 )) sk } to MU, wheretcert MU is a temporary certificate which HA issues to MU. While receiving the message m 2 from HA, MU computes the session key sk and then decrypts m 2 to obtain TCert MU and h(x0 ). MU also authenticates HA by comparing h(x 0) with the decrypted h(x0 ). As a result, MU can be sure that it is communicating with his/her home agent HA. Obviously, in order to update the session key between HA and MU, the session key update phase described in Section 4.4 can be applied to the case when user MU is located in his/her home network. 5. SECURITY ANALYSIS In this section, the security of the proposed protocol is analyzed. We first give a formal analysis of the proposed scheme, then we show its resilience against some possible attacks Formal analysis using AVISPA Many techniques have been developed to model a security protocol and check its properties. One of the most promising techniques is model checking. Model checking [34] is a formal method-based technique for verifying finite-state-concurrent systems (e.g. communication protocols), and has been implemented in several tools. 
It has a number of advantages over traditional approaches based on simulation, testing and deductive reasoning: (1) model checking is automatic and usually fast, so users can quickly see whether a system behaves as expected; (2) users need not build a prototype of the protocol; and (3) the protocol is verified against every execution trace. The last point matters because simulation and testing can only find errors; they cannot establish that the whole protocol behaves as expected, so some errors may remain hidden until the protocol is in production. Model checking has been used successfully in practice to verify wireless network security protocols (e.g. [35, 36]).

To gain assurance in the proposed authentication scheme, we formally verified it with the AVISPA [24] framework. AVISPA is an industrial-strength tool for the analysis of Internet security protocols and applications; protocols standardized by the Internet Engineering Task Force (IETF) have been analysed by the AVISPA community, and some of them have been found to be flawed. AVISPA provides the high-level formal language HLPSL [23] for specifying the protocol and its security properties. Once the model is specified, AVISPA translates it into the intermediate format IF, which is the input to the four backends integrated into the framework: OFMC, CL-AtSe, SATMC and TA4SP. A single model is specified and can be analysed with all four backends. By examining all possible execution traces of the proposed scheme in the presence of a Dolev-Yao intruder [25], we check whether our proposal

can indeed enforce its security guarantees. A Dolev-Yao intruder can overhear, intercept and modify messages in transit and inject new messages. The formal analysis proceeds as follows.

The security properties (security goals) that the proposed scheme should possess are:

Mutual authentication: The scheme should provide mutual authentication among MU, FA and HA. Specifically, when HA receives m2 it can be sure that the sub-message m1 included in m2 was generated by MU and that m2 was generated by FA; when FA receives m3 it can be sure that m3 was generated by HA; and when MU receives m4 it can be sure that m4 was generated by FA.

Confidentiality: The scheme should keep the contents of the messages {E, W, m4} confidential. Specifically, (h(ID_MU) || ID_FA || x_0) and (h(SK_MU) || x_0) must remain secret from any adversary.

Note that AVISPA cannot capture all the security properties of the proposed protocol; however, the properties it does capture and validate are the important ones.

The HLPSL specification of the scheme has five roles. MU, FA and HA are basic roles, while session and environment are composition roles: session represents a single run of the protocol and is parameterized by all variables needed for one run, and environment composes several instances of session with instances of the basic roles and includes the initial knowledge of the Dolev-Yao intruder (intruder_knowledge). For validation, the HLPSL code is translated into IF by HLPSL2IF, and all four backends of AVISPA were run. The first three (OFMC, CL-AtSe and SATMC) reported SAFE; the fourth (TA4SP) reported NOT_SUPPORTED and produced an INCONCLUSIVE result.
Therefore, within the properties modelled, no attack by a Dolev-Yao intruder on our protocol was found. A web-based interface for running the AVISPA tool directly in a browser is available [37].

5.2. Withstanding possible attacks

In the following we show that the proposed protocol resists a number of possible attacks. As stated in Section 3.2, we assume that wireless communications are insecure and that a smart card security breach is possible; that is, an adversary has obtained all transmitted messages {m1, m2, m3, m4} and the secrets {V_MU, H_MU, SID_MU, h(.)} stored in the user's smart card.

(1) Replay attack: In a replay attack an adversary re-sends messages captured in previous communications. Suppose the adversary intercepts a valid login request m1 = {SID_MU, E, T_MU} and replays it to FA. FA rejects the request because (T'_MU − T_MU) > ΔT, where T'_MU is FA's system time on receipt. If the adversary instead updates the timestamp T_MU before replaying, the request fails verification at HA: E was encrypted under the temporary key TK_MU = h(T_MU || SK_MU) derived from the original timestamp, and the adversary cannot re-encrypt E under the key for the new timestamp without SK_MU. Similarly, if the adversary replays a valid request m2 to HA, HA rejects it because (T'_FA − T_FA) > ΔT, where T'_FA is HA's system time on receipt.

(2) Prevention of fraud: To prevent fraud, MU, FA and HA must authenticate each other, so the protocol must provide mutual authentication between any two of them. The proposed authentication protocol prevents impersonation attacks from an adversary, as shown

by considering the following scenarios. (1) An adversary cannot impersonate HA to FA, since it does not possess the secret key SK_FA and hence cannot generate the valid response m3 = {T_HA, (h(h(SK_MU) || x_0) || T_HA)_{SK_FA}} to FA. (2) FA cannot impersonate HA to MU: since SK_MU is unknown to FA, FA cannot compute the session key sk = h(h(SK_MU) || x_0) itself and therefore cannot produce the valid response m4 = (TCert_MU || h(x_0))_sk. (3) An adversary cannot impersonate MU, since he/she knows neither the real identity ID_MU nor the secret SK_MU. If the adversary uses a phony identity ID'_MU and a false secret SK'_MU, HA detects the spurious E because decrypting it does not yield a well-formed {h(ID'_MU), ID_FA}. (4) An adversary (including any valid foreign agent other than FA) cannot impersonate FA to HA. The login request from a user names the foreign agent the user wants to access: with SK_MU, HA decrypts E and obtains the identity ID_FA of the foreign agent MU is logging into, and can therefore check that the foreign agent it is communicating with is the intended one.

(3) Offline password guessing attack with smart card security breach: As described in Section 4, the password PW_MU appears in the card only through V_MU = SK_MU ⊕ h(ID_MU || h(PW_MU)). An adversary holding V_MU and H_MU can test a candidate pair (ID'_MU, PW'_MU) by checking h(h(h(V_MU ⊕ h(ID'_MU || h(PW'_MU))))) = H_MU, so a guess of the password alone cannot be verified without ID_MU. In Section 5.3 it is shown that the protocol preserves user anonymity, so ID_MU is not available to the adversary; hence the scheme resists offline password guessing even when the smart card is breached.

(4) Known-key attack: A key agreement protocol should still achieve its goal in the presence of an adversary who has learned other session keys. Our scheme uses a fresh ephemeral nonce x_i in each session; the nonces are random and independent across sessions.
Therefore the session key sk_i = h(h(SK_MU) || x_{i−1}) is also independent in each session: knowledge of previous session keys does not help to derive a new one, and vice versa. As a result, known-key attacks do not work against our proposal.

(5) Insider attack: In an insider attack a manager of the system deliberately leaks secret information, which can seriously weaken an authentication protocol. In our scheme, an insider of HA, e.g. an administrator, who obtained MU's password PW_MU could try to impersonate the user to any foreign agent. However, in the registration phase MU sends only its identity ID_MU to HA, so PW_MU is never revealed to HA. In addition, in the password change phase the user replaces the default password PW_MU with a password PW_new of his/her own choosing. Since the insider cannot obtain MU's password, the scheme withstands the insider attack.

5.3. Some other security properties

In the following we show that the proposed scheme achieves user anonymity, backward secrecy and forward secrecy.

(1) User anonymity: The anonymity of MU is obtained with symmetric cryptographic and hash primitives only. Only HA can recover the real identity ID_MU of MU by decrypting SID_MU = (ID_HA || ID_MU)_{x_HA} with the key x_HA, since only HA knows its own secret x_HA. Therefore the protocol hides the user's identity from everyone but HA. (Note that SID_MU is a fixed per-user value stored on the card and sent in every login, so what is hidden is the identity itself, not the fact that two logins come from the same card.)

(2) Backward secrecy: Backward secrecy guarantees that a passive adversary who knows a subset of session keys cannot discover preceding session keys. In our scheme the value h(SK_MU) is fixed across sessions. An adversary who knows the session keys sk_i and sk_{i+1} can obtain x_i by decrypting the transmitted message (x_i || TCert_MU || other information)_{sk_i} with sk_i, and may then try to compute h(SK_MU) from sk_{i+1} = h(h(SK_MU) || x_i). However, sk_{i+1} is an output of the hash function h(.), so recovering h(SK_MU) from it requires inverting h, which is intractable. Thus even if {x_i, x_{i+1}} are known, the adversary does not learn h(SK_MU), and without it cannot compute the earlier key sk_i = h(h(SK_MU) || x_{i−1}). Hence the scheme achieves backward secrecy.

(3) Forward secrecy: Forward secrecy guarantees that a passive adversary who knows a subset of old session keys cannot discover subsequent session keys. By the same argument, an adversary who knows sk_{i−1} and sk_i can obtain x_{i−1} by decrypting (x_{i−1} || TCert_MU || other information)_{sk_{i−1}} with sk_{i−1}, but cannot recover h(SK_MU) from sk_i = h(h(SK_MU) || x_{i−1}) because h is one-way. Without h(SK_MU) the adversary cannot compute the next key sk_{i+1} = h(h(SK_MU) || x_i). Hence the scheme achieves forward secrecy with respect to compromised session keys. This property does not extend to compromise of the long-term secret SK_MU: with SK_MU an adversary can compute TK_MU and h(SK_MU), recover x_0 from a recorded E, and thereby derive the session keys of recorded sessions.

6. PERFORMANCE ANALYSIS

We compare our protocol with the related smart card-based schemes [4–6, 9, 11, 12, 15] in terms of communication overhead and computation complexity.
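The following script is an added example, not code from the paper or its authors. It runs the home-network login and authentication described at the end of Section 4 end to end, together with the card-side password check and password change phase of Section 4 and the two replay rejections argued in Section 5.2 (a stale timestamp, and a re-timed replay whose E no longer matches TK_MU). Everything the page leaves open is an assumption stated in the header comment: SHA-256 as h(.), byte concatenation for "||", an HMAC-based keystream as the symmetric cipher (the prototype measured in this section used RC5), 16-byte identities, integer-second timestamps with ΔT = 5 s, and an opaque TCert_MU.

```python
# Added example, not code from the paper: one run of the home-network login at
# the end of Section 4, plus the smart-card checks (password change, local
# password check) and the replay checks of Section 5.2. Assumptions not fixed
# by the paper: h(.) is SHA-256, "||" is byte concatenation, the symmetric
# cipher is an HMAC-SHA256 counter keystream XOR (the paper's prototype used
# RC5), identities are 16-byte strings, timestamps are integer seconds,
# delta_T = 5 s, and TCert_MU is an opaque 32-byte token chosen by HA.
import hashlib
import hmac
import os

ID_LEN, DELTA_T = 16, 5


def h(*parts: bytes) -> bytes:
    """h(a || b || ...)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def sym(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (XOR with an HMAC counter keystream); the same
    call encrypts and decrypts. Integrity comes from the protocol's own checks."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return xor(data, stream[:len(data)])


class HomeAgent:
    def __init__(self, id_ha: bytes):
        self.id_ha, self.x_ha = id_ha, os.urandom(32)       # x_HA: long-term secret

    def register(self, id_mu: bytes, pw_mu: bytes) -> dict:
        """Registration: the values HA writes to MU's smart card."""
        sk_mu = h(id_mu, self.x_ha)                           # SK_MU = h(ID_MU || x_HA)
        return {"V": xor(sk_mu, h(id_mu, h(pw_mu))),          # V_MU = SK_MU xor h(ID_MU || h(PW_MU))
                "H": h(h(h(sk_mu))),                          # H_MU = h(h(h(SK_MU)))
                "SID": sym(self.x_ha, self.id_ha + id_mu)}    # SID_MU = (ID_HA || ID_MU)_{x_HA}

    def authenticate(self, m1: dict, now: int):
        """Home-network login: returns (m2, sk) on success, (None, reason) otherwise."""
        if abs(now - int.from_bytes(m1["T"], "big")) > DELTA_T:
            return None, "stale timestamp"                    # straight replay of an old m1
        plain = sym(self.x_ha, m1["SID"])
        if plain[:ID_LEN] != self.id_ha:
            return None, "bad SID_MU format"
        id_mu = plain[ID_LEN:]
        sk_mu = h(id_mu, self.x_ha)
        e = sym(h(m1["T"], sk_mu), m1["E"])                   # TK_MU = h(T_MU || SK_MU)
        if e[:32] != h(id_mu):                                # ties T_MU to the holder of SK_MU
            return None, "h(ID_MU) mismatch"
        x0 = e[32:]
        sk = h(h(sk_mu), x0)                                  # sk = h(h(SK_MU) || x_0)
        tcert = os.urandom(32)                                # TCert_MU (opaque here)
        return sym(sk, tcert + h(x0)), sk                     # m2 = (TCert_MU || h(x_0))_sk


class SmartCard:
    def __init__(self, contents: dict):
        self.c = dict(contents)

    def _sk(self, id_mu: bytes, pw_mu: bytes):
        """Recover SK_MU from V_MU and check it against H_MU before anything is sent."""
        sk = xor(self.c["V"], h(id_mu, h(pw_mu)))
        return sk if h(h(h(sk))) == self.c["H"] else None

    def change_password(self, id_mu: bytes, pw_old: bytes, pw_new: bytes) -> bool:
        sk = self._sk(id_mu, pw_old)
        if sk is None:
            return False
        self.c["V"] = xor(sk, h(id_mu, h(pw_new)))            # V_MUnew replaces V_MU
        return True

    def login(self, id_mu: bytes, pw_mu: bytes, now: int):
        sk = self._sk(id_mu, pw_mu)
        if sk is None:
            return None                                       # rejected on the card, nothing sent
        self.sk_mu, self.x0 = sk, os.urandom(32)
        t = now.to_bytes(8, "big")
        return {"SID": self.c["SID"], "E": sym(h(t, sk), h(id_mu) + self.x0), "T": t}

    def finish(self, m2: bytes):
        sk = h(h(self.sk_mu), self.x0)
        plain = sym(sk, m2)
        return (plain[:32], sk) if plain[32:] == h(self.x0) else None   # MU authenticates HA


def run_demo() -> dict:
    ha = HomeAgent(b"HA".ljust(ID_LEN, b"\0"))
    id_mu, pw_old, pw_new = b"alice".ljust(ID_LEN, b"\0"), b"default-pw", b"chosen-pw"
    card = SmartCard(ha.register(id_mu, pw_old))
    out = {"wrong_pw_blocked": card.login(id_mu, b"guess", 1000) is None,
           "pw_changed": card.change_password(id_mu, pw_old, pw_new)}
    m1 = card.login(id_mu, pw_new, 1000)
    m2, sk_ha = ha.authenticate(m1, 1001)
    tcert, sk_mu = card.finish(m2)
    out["keys_match"] = sk_mu == sk_ha and len(tcert) == 32
    out["replay"] = ha.authenticate(m1, 1000 + 3600)[1]             # old T_MU: fails delta_T
    retimed = dict(m1, T=(1000 + 3600).to_bytes(8, "big"))         # fresh T_MU, old E
    out["retimed_replay"] = ha.authenticate(retimed, 1000 + 3601)[1]
    return out


if __name__ == "__main__":
    print(run_demo())
```

The two replay branches in run_demo() are the ones Section 5.2 argues about: a verbatim replay is stopped by the ΔT window alone, and a replay with a refreshed T_MU survives the window but fails at the h(ID_MU) comparison because E was encrypted under the TK_MU of the original timestamp. The card never sends traffic for a wrong password, which is the local check Section 6 credits for bandwidth savings.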
Communication overhead: One of the most important issues in wireless networks is power consumption, whether for computation or for communication (parameter generation, comparison, waiting time, etc.); in terms of consumed power, communication in wireless networks costs more than computation. From Figure 3 it is easy to see that a successful user authentication in our protocol requires only four message exchanges, whereas the scheme in [7] requires eight and the three schemes in [4–6] require four; the scheme in [12] requires five. Hence the proposed scheme keeps the over-the-air cost low while strengthening security.

Computation complexity: Mobile devices have limited energy and computing capability, so common public-key techniques (e.g. RSA) with their high computational load are impractical on them. This is a drawback of the three schemes in [5–7], which require asymmetric encryption/decryption or signature operations. Our scheme is cost-effective because it uses only symmetric cryptographic and hash primitives, which makes it particularly practical for mobile devices.

We implemented the proposed protocol to measure the computation time at the mobile user, foreign agent and home agent. The mobile user side is a C program using OpenSSL [38] running on a 1.6 GHz laptop PC; the foreign agent and home agent sides are C programs using OpenSSL [38] running on a 3.2 GHz desktop PC. We observe that a SHA-1 hash operation and an RC5 symmetric encryption/decryption are of similar order of magnitude. For example, with a 128-bit number as

input, the time for a SHA-1 hash operation and for an RC5 encryption/decryption is 1.3 μs and 6.5 μs, respectively. (SHA-1 and RC5 are the primitives of the 2010 prototype; SHA-1 has since been deprecated for new designs, and the figures should be read as a reference point for the relative cost of hashing and symmetric encryption.) In the login phase, a mobile user needs 54.1 μs to produce a login request. On receiving the request from a roaming user, a foreign agent takes 5.7 μs to process it. After the home agent receives the message from the foreign agent, it takes 24.9 μs to verify it and generate a response. On receiving that response, the foreign agent takes 26.1 μs to check its validity and generate the reply to the mobile user, and the mobile user takes 41.0 μs to verify the reply. In total, the execution time (i.e. computation time) of the login and authentication phases of the proposed scheme is less than 0.16 ms.

Table II. Performance comparison between the related schemes and our scheme (t_pu: public-key computation; t_pr: private-key computation; t_h: hash computation; t_s: symmetric-key computation).

Computation
  Scheme                           MU             FA                             HA
  Ours                             2t_s + 9t_h    2t_s + 3t_h                    2t_s + 6t_h
  The scheme in [9] (2009)         7t_h           3t_h                           8t_h
  Improved scheme in [6] (2008)    2t_s + 3t_h    2t_pr + 1t_pu + 3t_h + 1t_s    3t_pu + 1t_pr + 5t_h + 1t_s
  Improved scheme in [12] (2009)   9t_h           7t_h                           4t_h

Communication (rounds)
  Ours: 4; Improved scheme in [6] (2008): 4; Improved scheme in [12] (2009): 5 (from the message counts above).

In addition, the proposed protocol is highly efficient in password authentication. In the login phase, if MU enters invalid credentials {ID'_MU, PW'_MU}, the smart card computes H'_MU = h(h(h(V_MU ⊕ h(ID'_MU || h(PW'_MU))))) and checks whether H'_MU = H_MU. The check fails whenever PW'_MU ≠ PW_MU or ID'_MU ≠ ID_MU, and the smart card terminates the login session.
Hence an invalid password is detected immediately by the smart card rather than by the home agent after a full round trip, as in the schemes in [4–6, 9]. This saves both time and communication bandwidth. Table II shows the computation and communication costs of the proposed scheme and the existing schemes [6, 9, 12]; the computation complexity of our protocol is comparable to that of the other schemes [4–6, 9, 11, 12].

Finally, Table III summarizes the functionality of the proposed scheme and compares it with the related works [6, 9, 12]. Our scheme achieves all of the listed security requirements, whereas each of the other schemes achieves only a subset. For example, none of the other schemes supports user anonymity, and all of them are vulnerable to adversaries with Capability (2)ii. Therefore our scheme is more secure than the six schemes [4–6, 9, 11, 12].

7. CONCLUSION

This paper has revealed security weaknesses in recently proposed user authentication schemes for the GLOMONET. As its main contribution, a secure and efficient smart card-based user authentication scheme with anonymity for the GLOMONET has been proposed.

It uses only symmetric cryptographic and hash primitives to achieve its security goals, and it takes only four message exchanges among the user, foreign agent and home agent, which makes it well suited to battery-powered mobile devices in the GLOMONET. Further, as a new feature, it withstands smart card security breaches. The security properties of the protocol have been formally verified with the model checking tool AVISPA. Our performance and security analysis has shown that, compared with other related smart card-based authentication schemes, the proposal is both more secure and more efficient.

Table III. Functionality comparison between the related schemes and our scheme ([9]: the scheme in [9] (2009); [6]: improved scheme in [6] (2008); [12]: improved scheme in [12] (2009)).

  Property                                                       Ours   [9]    [6]    [12]
  Energy consumption                                             Low    Low    High   Low
  Communication overhead                                         Low    High   Low    Low
  Single registration                                            Yes    Yes    Yes    Yes
  User anonymity                                                 Yes    No     No     No
  Mutual authentication                                          Yes    Yes    Yes    Yes
  No password table                                              Yes    Yes    Yes    Yes
  No verifier table                                              Yes    No     Yes    Yes
  Session key establishment                                      Yes    Yes    Yes    Yes
  Authentication when the user is located in the home network    Yes    No     No     No
  Prevention of impersonation attack                             Yes    Yes    No     No
  Prevention of insider attack                                   Yes    No     No     Yes
  Password chosen freely by the user                             Yes    Yes    No     Yes
  Password changed freely by the user                            Yes    No     No     Yes
  Highly efficient password authentication                       Yes    No     No     Yes
  Session key updated periodically                               Yes    No     Yes    No
  Secure against adversaries with Capability (2)ii               Yes    No     No     No

ACKNOWLEDGEMENTS

The authors gratefully acknowledge the reviewers' constructive comments on an earlier version of this manuscript. This work was supported by the National Basic Research Program of China (973 Program) under grant No. 2006CB and by a grant from the Research Grants Council of the Hong Kong SAR, China [Project No. CityU ].

REFERENCES

1. Suzuki S, Nakada K.
An authentication technique based on distributed security management for the global mobility network. IEEE Journal on Selected Areas in Communications 1997; 15(8).
2. He D, Cui L, Huang H, Ma M. Design and verification of enhanced secure localization scheme in wireless sensor networks. IEEE Transactions on Parallel and Distributed Systems 2009; 20(7).
3. He D, Gao Y, Chan S, Chen C, Bu J. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc & Sensor Wireless Networks 2010; 10(4).
4. Zhu J, Ma J. A new authentication scheme with anonymity for wireless environments. IEEE Transactions on Consumer Electronics 2004; 50(1).

5. Lee CC, Hwang MS, Liao IE. Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Transactions on Industrial Electronics 2006; 53(5).
6. Wu CC, Lee WB, Tsaur WJ. A secure authentication scheme with anonymity for wireless communications. IEEE Communications Letters 2008; 12(10).
7. Zeng P, Cao Z, Choo K-KR, Wang S. On the anonymity of some authentication schemes for wireless communications. IEEE Communications Letters 2009; 13(3).
8. Lee J-S, Chang JH, Lee DH. Security flaw of authentication scheme with anonymity for wireless communications. IEEE Communications Letters 2009; 13(5).
9. Chang C-C, Lee C-Y, Chiu Y-C. Enhanced authentication scheme with anonymity for roaming service in global mobility networks. Computer Communications 2009; 32(4).
10. Youn T-Y, Park Y-H, Lim J. Weaknesses in an anonymous authentication scheme for roaming service in global mobility networks. IEEE Communications Letters 2009; 13(7).
11. Liao Y-P, Wang S-S. A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 2009; 31(1).
12. Hsiang H-C, Shih W-K. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces 2009; 31(6).
13. Yeh C-K, Lee W-B. An overall cost-effective authentication technique for the global mobility network. International Journal of Network Security 2009; 9(3).
14. Blaze M, Ioannidis J, Keromytis AD, Malkin T, Rubin A. Anonymity in wireless broadcast networks. International Journal of Network Security 2009; 8(1).
15. Simon D, Aboba B, Hurst R. The EAP-TLS Authentication Protocol. RFC 5216, March 2008; draft-haverinen-pppext-eap-sim-12, IETF, October.
16. Funk P, Blake-Wilson S. Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0). RFC 5281, August 2008.
17. Kamath V, Palekar A, Wodrich M.
Microsoft's PEAP version 0. Internet Draft, October 2002.
18. Karopoulos G, Kambourakis G, Gritzalis S. Survey of secure hand-off optimization schemes for multimedia services over all-IP wireless heterogeneous networks. IEEE Communications Surveys and Tutorials 2007; 9(3).
19. Pereniguez F, Kambourakis G, Marin-Lopez R, Gritzalis S, Gomez AF. Privacy-enhanced fast re-authentication for EAP-based next generation network. Computer Communications 2010; DOI 10.1016/j.comcom.
20. Xu J, Zhu W-T, Feng D-G. An improved smart card based password authentication scheme with provable security. Computer Standards & Interfaces 2009; 31(4).
21. Kocher P, Jaffe J, Jun B. Differential power analysis. Advances in Cryptology (CRYPTO '99), Santa Barbara, CA, U.S.A., 1999.
22. Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computers 2002; 51(5).
23. Chevalier Y, Compagna L, et al. A high level protocol specification language for industrial security-sensitive protocols. Proceedings of the Workshop on Specification and Automated Processing of Security Requirements (SAPS), Linz, Austria, 2004.
24. Armando A, Basin DA, Boichut Y, Chevalier Y, et al. The AVISPA tool for the automated validation of Internet security protocols and applications. Lecture Notes in Computer Science, vol. 3576. Springer: Berlin, 2005.
25. Dolev D, Yao A. On the security of public key protocols. IEEE Transactions on Information Theory 1983; 29(2).
26. Asokan N, Niemi V, Nyberg K. Man-in-the-middle in tunnelled authentication protocols. Proceedings of the 11th International Cambridge Workshop on Security Protocols, Cambridge, U.K., 2003.
27. Sterzbach B. GPS-based clock synchronization in a mobile, distributed real-time system. Real-Time Systems 1997; 12(1).
28. He D, Cui L, Huang H, Ma M. Secure and efficient localization scheme in ultra-wideband sensor networks. Wireless Personal Communications 2009; 50(4).
29. Neuman BC, Ts'o T. Kerberos: an authentication service for computer networks.
IEEE Communications Magazine 1994; 32(9).
30. Diffie W, Hellman ME. New directions in cryptography. IEEE Transactions on Information Theory 1976; 22(6).
31. National Institute of Standards and Technology, U.S. Department of Commerce. Secure Hash Standard. Federal Information Processing Standards Publication 180-2, 2002.

32. Rivest RL. The RC5 encryption algorithm. Proceedings of the Second International Workshop on Fast Software Encryption (FSE), Leuven, Belgium, 1994.
33. Bellare M, Canetti R, Krawczyk H. Message authentication using hash functions: the HMAC construction. CryptoBytes 1996; 2(1).
34. Clarke EM, Grumberg O, Peled DA. Model Checking. MIT Press: Cambridge, MA, 1999.
35. Tobarra L, Cazorla D, Cuartero F, Diaz G, Cambronero E. Model checking wireless sensor network security protocols: TinySec + LEAP + TinyPK. Telecommunication Systems 2009; 40(3–4).
36. Hanna Y, Rajan H, Zhang W. Slede: a domain-specific verification framework for sensor network security protocol implementations. Proceedings of the ACM Conference on Wireless Network Security (WiSec '08), 2008.
38. OpenSSL.

AUTHORS' BIOGRAPHIES

Chun Chen received the Bachelor's degree in Mathematics from Xiamen University, China, in 1981, and the Master's and PhD degrees in Computer Science from Zhejiang University, China, in 1984 and 1990, respectively. He is a professor in the College of Computer Science and the director of the Institute of Computer Software at Zhejiang University. His research activity is in image processing, computer vision and embedded systems.

Daojing He is currently a first-year PhD student at Zhejiang University, P.R. China. He received his BEng and MEng degrees in Computer Science from Harbin Institute of Technology in 2007 and 2009, respectively. From June 2008 to August 2008 he worked at Bell Labs Research China (Beijing) as a research intern. From July 2009 to August 2009 he was a visiting researcher in the Department of Electronic Engineering, City University of Hong Kong. His research interests include many areas of wireless networks and mobile computing, with an emphasis on designing and evaluating security protocols in wireless sensor networks.
He has published six papers as first author in international journals such as IEEE Transactions on Parallel and Distributed Systems and Elsevier Computer Communications.

Sammy Chan received his BE and MEngSc degrees in Electrical Engineering from the University of Melbourne, Australia, in 1988 and 1990, respectively, and a PhD degree in Communication Engineering from the Royal Melbourne Institute of Technology, Australia. From 1989 to 1994 he was with Telecom Australia Research Laboratories, first as a research engineer and, between 1992 and 1994, as a senior research engineer and project leader. Since December 1994 he has been with the Department of Electronic Engineering, City University of Hong Kong, where he is currently an associate professor.

Jiajun Bu received the BS and PhD degrees in Computer Science from Zhejiang University, China, in 1995 and 2000, respectively. He is currently a professor in the College of Computer Science and the deputy dean of the Department of Digital Media and Network Technology at Zhejiang University. His research interests include embedded systems, mobile multimedia and data mining.

Yi Gao is currently a first-year PhD student at Zhejiang University, China. He received his BEng from Zhejiang University. From December 2008 to April 2009 he was an exchange student at the School of Information Systems, Singapore Management University. His research interests include many areas of wireless sensor networks, such as reliability, security and reprogramming protocols.

Rong Fan is a PhD candidate at Zhejiang University, China. He received his Bachelor's and Master's degrees from Hangzhou Normal University in 2005 and 2007, respectively. His research interests include many areas of wireless network security, such as intrusion prevention, secure multicast and user authentication in wireless sensor networks.


More information

Chapter 16: Authentication in Distributed System

Chapter 16: Authentication in Distributed System Chapter 16: Authentication in Distributed System Ajay Kshemkalyani and Mukesh Singhal Distributed Computing: Principles, Algorithms, and Systems Cambridge University Press A. Kshemkalyani and M. Singhal

More information

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application

More information

SSL A discussion of the Secure Socket Layer

SSL A discussion of the Secure Socket Layer www.harmonysecurity.com info@harmonysecurity.com SSL A discussion of the Secure Socket Layer By Stephen Fewer Contents 1 Introduction 2 2 Encryption Techniques 3 3 Protocol Overview 3 3.1 The SSL Record

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Efficient nonce-based authentication scheme for Session Initiation Protocol

Efficient nonce-based authentication scheme for Session Initiation Protocol Efficient nonce-based authentication scheme for Session Initiation Protocol Jia Lun Tsai National Chiao Tung University, Taiwan, R.O.C. crousekimo@yahoo.com.tw Abstract: In recent years, Session Initiation

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

Secure Web Access Solution

Secure Web Access Solution Secure Web Access Solution I. CONTENTS II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. E-CODE SECURE WEB ACCESS SOLUTION... 3 OVERVIEW... 3 PKI SECURE WEB ACCESS... 4 Description...

More information

Authentication Protocols Using Hoover-Kausik s Software Token *

Authentication Protocols Using Hoover-Kausik s Software Token * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 22, 691-699 (2006) Short Paper Authentication Protocols Using Hoover-Kausik s Software Token * WEI-CHI KU AND HUI-LUNG LEE + Department of Computer Science

More information

Security Enhanced Anonymous Multi-Server Authenticated Key Agreement Scheme using Smart Card and Biometrics

Security Enhanced Anonymous Multi-Server Authenticated Key Agreement Scheme using Smart Card and Biometrics Security Enhanced Anonymous Multi-Server Authenticated Key Agreement Scheme using Smart Card and Biometrics Younsung Choi College of Information and Communication Engineering, Sungkyunkwan University,

More information

SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER

SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER Mrs. P.Venkateswari Assistant Professor / CSE Erode Sengunthar Engineering College, Thudupathi ABSTRACT Nowadays Communication

More information

TELE 301 Network Management. Lecture 18: Network Security

TELE 301 Network Management. Lecture 18: Network Security TELE 301 Network Management Lecture 18: Network Security Haibo Zhang Computer Science, University of Otago TELE301 Lecture 18: Network Security 1 Security of Networks Security is something that is not

More information

The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

More information

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure) Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

Secure Sockets Layer

Secure Sockets Layer SSL/TLS provides endpoint authentication and communications privacy over the Internet using cryptography. For web browsing, email, faxing, other data transmission. In typical use, only the server is authenticated

More information

An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography ROMANIAN JOURNAL OF INFORMATION SCIENCE AND TECHNOLOGY Volume 16, Number 4, 2013, 324 335 An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

More information

CSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

CSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity CSC 474 -- Network Security Topic 6.2 User Authentication CSC 474 Dr. Peng Ning 1 User Authentication Basics CSC 474 Dr. Peng Ning 2 Authentication and Identity What is identity? which characteristics

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

Chapter 14. Key management and Distribution. Symmetric Key Distribution Using Symmetric Encryption

Chapter 14. Key management and Distribution. Symmetric Key Distribution Using Symmetric Encryption Chapter 14. Key management and Distribution Symmetric Key Distribution Using Symmetric Encryption For symmetric encryption to work, the two parties to an exchange must share the same key, and that key

More information

UMTS security. Helsinki University of Technology S-38.153 Security of Communication Protocols k-p.perttula@hut.fi 15.4.2003

UMTS security. Helsinki University of Technology S-38.153 Security of Communication Protocols k-p.perttula@hut.fi 15.4.2003 UMTS security Helsinki University of Technology S-38.153 Security of Communication Protocols k-p.perttula@hut.fi 15.4.2003 Contents UMTS Security objectives Problems with GSM security UMTS security mechanisms

More information

Security in IEEE 802.11 WLANs

Security in IEEE 802.11 WLANs Security in IEEE 802.11 WLANs 1 IEEE 802.11 Architecture Extended Service Set (ESS) Distribution System LAN Segment AP 3 AP 1 AP 2 MS MS Basic Service Set (BSS) Courtesy: Prashant Krishnamurthy, Univ Pittsburgh

More information

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution. Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution. 1 Opening quote. 2 The topics of cryptographic key management

More information

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Module 8. Network Security. Version 2 CSE IIT, Kharagpur Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication

More information

Two Factor Zero Knowledge Proof Authentication System

Two Factor Zero Knowledge Proof Authentication System Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted

More information

Savitribai Phule Pune University

Savitribai Phule Pune University Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

More information

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture State of Kansas Interim Wireless Local Area Networks Security and Technical Architecture October 6, 2005 Prepared for Wireless Policy Committee Prepared by Revision Log DATE Version Change Description

More information

Secure cloud access system using JAR ABSTRACT:

Secure cloud access system using JAR ABSTRACT: Secure cloud access system using JAR ABSTRACT: Cloud computing enables highly scalable services to be easily consumed over the Internet on an as-needed basis. A major feature of the cloud services is that

More information

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems

More information

Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards

Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the

More information

Formal Analysis of A Novel Mutual Authentication and Key Agreement Protocol

Formal Analysis of A Novel Mutual Authentication and Key Agreement Protocol Formal Analysis of A Novel Mutual Authentication and ey Agreement Protocol Ja'afer M. AL-Saraireh Applied Science University Amman 11961, Jordan Saleh S. Saraireh Philadelphia University Amman 11961, Jordan

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

How To Use Kerberos

How To Use Kerberos KERBEROS 1 Kerberos Authentication Service Developed at MIT under Project Athena in mid 1980s Versions 1-3 were for internal use; versions 4 and 5 are being used externally Version 4 has a larger installed

More information

The Security Behind Sticky Password

The Security Behind Sticky Password The Security Behind Sticky Password Technical White Paper version 3, September 16th, 2015 Executive Summary When it comes to password management tools, concerns over secure data storage of passwords and

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Authentication Application

Authentication Application Authentication Application KERBEROS In an open distributed environment servers to be able to restrict access to authorized users to be able to authenticate requests for service a workstation cannot be

More information

Rfid Authentication Protocol for security and privacy Maintenance in Cloud Based Employee Management System

Rfid Authentication Protocol for security and privacy Maintenance in Cloud Based Employee Management System Rfid Authentication Protocol for security and privacy Maintenance in Cloud Based Employee Management System ArchanaThange Post Graduate Student, DKGOI s COE, Swami Chincholi, Maharashtra, India archanathange7575@gmail.com,

More information

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec 2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec TECHNOLOGY WHITEPAPER DSWISS LTD INIT INSTITUTE OF APPLIED INFORMATION TECHNOLOGY JUNE 2010 V1.0 1 Motivation With the increasing

More information

Chapter 3. Network Domain Security

Chapter 3. Network Domain Security Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

More information

CRYPTANALYSIS OF A MORE EFFICIENT AND SECURE DYNAMIC ID-BASED REMOTE USER AUTHENTICATION SCHEME

CRYPTANALYSIS OF A MORE EFFICIENT AND SECURE DYNAMIC ID-BASED REMOTE USER AUTHENTICATION SCHEME CRYPTANALYSIS OF A MORE EFFICIENT AND SECURE DYNAMIC ID-BASED REMOTE USER AUTHENTICATION SCHEME Mohammed Aijaz Ahmed 1, D. Rajya Lakshmi 2 and Sayed Abdul Sattar 3 1 Department of Computer Science and

More information

Security from the Ground Up eblvd uses a hybrid-asp model designed expressly to ensure robust, secure operation.

Security from the Ground Up eblvd uses a hybrid-asp model designed expressly to ensure robust, secure operation. eblvd enables secure, cloud-based access to a PC or server over the Internet. Data, keyboard, mouse and display updates are transmitted over a highly compressed, encrypted stream, yielding "as good as

More information

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

More information

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui School of Engineering and Computer Science Te Kura Mātai Pūkaha, Pūrorohiko PO Box 600 Wellington New Zealand Tel: +64 4 463

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

Kerberos. Guilin Wang. School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk

Kerberos. Guilin Wang. School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk Kerberos Guilin Wang School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk 1 Entity Authentication and Key Exchange In the last talk, we discussed key exchange and reviewed some concrete

More information

Cryptography. Debiao He. School of Mathematics and Statistics, Wuhan University, Wuhan, People s Republic of China. hedebiao@163.

Cryptography. Debiao He. School of Mathematics and Statistics, Wuhan University, Wuhan, People s Republic of China. hedebiao@163. Weakness in a Mutual Authentication cheme for ession Initiation Protocol using Elliptic Curve Cryptography Debiao He chool of Mathematics and tatistics, Wuhan University, Wuhan, People s Republic of China

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

More information

Wireless Networks. Welcome to Wireless

Wireless Networks. Welcome to Wireless Wireless Networks 11/1/2010 Wireless Networks 1 Welcome to Wireless Radio waves No need to be physically plugged into the network Remote access Coverage Personal Area Network (PAN) Local Area Network (LAN)

More information

Security Technical. Overview. BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4

Security Technical. Overview. BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4 BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 4 Security Technical Overview Published: 2014-01-17 SWD-20140117135425071 Contents 1 New in this release...10 2 Overview...

More information

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 1 Royal Holloway, University of London 2 University of Strathclyde ABSTRACT Future mobile

More information

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags

A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags Sarah Abughazalah, Konstantinos Markantonakis, and Keith Mayes Smart Card Centre-Information Security Group (SCC-ISG) Royal Holloway,

More information

Adversary Modelling 1

Adversary Modelling 1 Adversary Modelling 1 Evaluating the Feasibility of a Symbolic Adversary Model on Smart Transport Ticketing Systems Authors Arthur Sheung Chi Chan, MSc (Royal Holloway, 2014) Keith Mayes, ISG, Royal Holloway

More information

Scalable RFID Security Protocols supporting Tag Ownership Transfer

Scalable RFID Security Protocols supporting Tag Ownership Transfer Scalable RFID Security Protocols supporting Tag Ownership Transfer Boyeon Song a,1, Chris J. Mitchell a,1 a Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, UK

More information

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Wireless Security Overview Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Ground Setting Three Basics Availability Authenticity Confidentiality Challenge

More information

BlackBerry Enterprise Server 5.0 SP3 and BlackBerry 7.1

BlackBerry Enterprise Server 5.0 SP3 and BlackBerry 7.1 BlackBerry Enterprise Server 5.0 SP3 and BlackBerry 7.1 Version: 5.0 Service Pack: 3 Security Technical Overview Published: 2012-01-17 SWD-1936256-0117012253-001 Contents 1 Document revision history...

More information

Secure File Transfer Using USB

Secure File Transfer Using USB International Journal of Scientific and Research Publications, Volume 2, Issue 4, April 2012 1 Secure File Transfer Using USB Prof. R. M. Goudar, Tushar Jagdale, Ketan Kakade, Amol Kargal, Darshan Marode

More information

OPENID AUTHENTICATION SECURITY

OPENID AUTHENTICATION SECURITY OPENID AUTHENTICATION SECURITY Erik Lagercrantz and Patrik Sternudd Uppsala, May 17 2009 1 ABSTRACT This documents gives an introduction to OpenID, which is a system for centralised online authentication.

More information

Security for Ubiquitous and Adhoc Networks

Security for Ubiquitous and Adhoc Networks Security for Ubiquitous and Adhoc Networks Mobile Adhoc Networks Collection of nodes that do not rely on a predefined infrastructure Adhoc networks can be formed merged together partitioned to separate

More information

Cryptography and Key Management Basics

Cryptography and Key Management Basics Cryptography and Key Management Basics Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk DTU, Oct. 23, 2007 Erik Zenner (DTU-MAT) Cryptography and Key Management

More information

Extensible Authentication Protocol (EAP) Security Issues

Extensible Authentication Protocol (EAP) Security Issues Sotillo ECU 1 Extensible Authentication Protocol (EAP) Security Issues Samuel Sotillo, Dept. of Technology Systems, East Carolina University Abstract This document describes the Extensible Authentication

More information

Strong Encryption for Public Key Management through SSL

Strong Encryption for Public Key Management through SSL Strong Encryption for Public Key Management through SSL CH.SUSHMA, D.NAVANEETHA 1,2 Assistant Professor, Information Technology, Bhoj Reddy Engineering College For Women, Hyderabad, India Abstract: Public-key

More information

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION September 2010 (reviewed September 2014) ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK NETWORK SECURITY

More information

On the Security Vulnerabilities of a Hash Based Strong Password Authentication Scheme

On the Security Vulnerabilities of a Hash Based Strong Password Authentication Scheme On the Security Vulnerabilities of a Hash Based Strong Password Authentication Scheme Manoj Kumar Department of Mathematics R. K. College Shamli-Muzaffarnagar,.P.-India - 247776 E-mail: yamu balyan@yahoo.co.in

More information

Chapter 10. Cloud Security Mechanisms

Chapter 10. Cloud Security Mechanisms Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based

More information

Securing corporate assets with two factor authentication

Securing corporate assets with two factor authentication WHITEPAPER Securing corporate assets with two factor authentication Published July 2012 Contents Introduction Why static passwords are insufficient Introducing two-factor authentication Form Factors for

More information

PrivyLink Cryptographic Key Server *

PrivyLink Cryptographic Key Server * WHITE PAPER PrivyLink Cryptographic Key * Tamper Resistant Protection of Key Information Assets for Preserving and Delivering End-to-End Trust and Values in e-businesses September 2003 E-commerce technology

More information

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2 BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 10.2 Security Technical Overview Published: 2014-09-10 SWD-20140908123239883 Contents 1 About BlackBerry Device Service solution

More information

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2 CS 161 Computer Security Spring 2010 Paxson/Wagner MT2 PRINT your name:, (last) SIGN your name: (first) PRINT your class account login: cs161- Your T s name: Your section time: Name of the person sitting

More information

Enhancing Data Security in Cloud Storage Auditing With Key Abstraction

Enhancing Data Security in Cloud Storage Auditing With Key Abstraction Enhancing Data Security in Cloud Storage Auditing With Key Abstraction 1 Priyadharshni.A, 2 Geo Jenefer.G 1 Master of engineering in computer science, Ponjesly College of Engineering 2 Assistant Professor,

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

Session Initiation Protocol Attacks and Challenges

Session Initiation Protocol Attacks and Challenges 2012 IACSIT Hong Kong Conferences IPCSIT vol. 29 (2012) (2012) IACSIT Press, Singapore Session Initiation Protocol Attacks and Challenges Hassan Keshavarz +, Mohammad Reza Jabbarpour Sattari and Rafidah

More information

Authentication requirement Authentication function MAC Hash function Security of

Authentication requirement Authentication function MAC Hash function Security of UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

More information

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology FREDRIK ANDERSSON Department of Computer Science and Engineering CHALMERS UNIVERSITY

More information

Cryptography and Network Security Digital Signature

Cryptography and Network Security Digital Signature Cryptography and Network Security Digital Signature Xiang-Yang Li Message Authentication Digital Signature Authentication Authentication requirements Authentication functions Mechanisms MAC: message authentication

More information

WHITE PAPER www.tresorit.com

WHITE PAPER www.tresorit.com WHITE PAPER tresor [tʀeˈzoːɐ ] noun (German) 1. lockable, armoured cabinet THE CLOUD IS UNTRUSTED The cloud has huge potential when it comes to storing, sharing and exchanging files, but the security provided

More information

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1 Encryption, Data Integrity, Digital Certificates, and SSL Developed by Jerry Scott 2002 SSL Primer-1-1 Ideas Behind Encryption When information is transmitted across intranets or the Internet, others can

More information

Network Authentication - 802.1X Secure the Edge of the Network - Technical White Paper

Network Authentication - 802.1X Secure the Edge of the Network - Technical White Paper Bosch Security Systems Video Systems Network Authentication - 802.1X Secure the Edge of the Network - Technical White Paper 4 July 2016 Secure the edge of the network Security devices are mostly located

More information

Network Security Protocols

Network Security Protocols Network Security Protocols EE657 Parallel Processing Fall 2000 Peachawat Peachavanish Level of Implementation Internet Layer Security Ex. IP Security Protocol (IPSEC) Host-to-Host Basis, No Packets Discrimination

More information