Documente Academic
Documente Profesional
Documente Cultură
RESEARCH ARTICLE
ABSTRACT
The use of anonymous channel tickets was proposed for authentication in wireless environments to provide user anonymity
and to probably reduce the overhead of re-authentications. Recently, Yang et al. proposed a secure and efficient authentication
protocol for anonymous channel in wireless systems without employing asymmetric cryptosystems. In this paper, we will
show that Yang et al.’s scheme is vulnerable to guessing attacks performed by malicious visited networks, which can easily
obtain the secret keys of the users. We propose a new practical authentication scheme not only reserving the merits of Yang
et al.’s scheme, but also extending some additional merits including: no verification table in the home network, free of
time synchronization between mobile stations and visited networks, and without obsolete anonymous tickets left in visited
networks. The proposed scheme is developed based on a secure one-way hash function and simple operations, a feature
which is extremely fit for mobile devices. We provide the soundness of the authentication protocol by using VO logic.
Copyright © 2010 John Wiley & Sons, Ltd.
KEYWORDS
authentication; security; user anonymity; VO logic; wireless network
*Correspondence
Yen-Cheng Chen, Department of Information Management, National Chi Nan University, Puli, Nantou 545, Taiwan.
E-mail: ycchen@ncnu.edu.tw
smart cards. Their scheme achieves user anonymity by using element of order Q in Z* p . Yang et al.’s protocol consists of
a hashed token to protect user’s identity. However, we find two phases, described as follows.
that all users of the same home agent share the same hashed
token. A malicious user can make use of the hashed token
to get the identities of other users. Thus, Zhu-Ma’s authen- 2.1. Yang et al.’s scheme
tication scheme fails to preserve user anonymity. Besides,
Zhu-Ma’s scheme also fails to prevent ticket copies for mali- 2.1.1. The anonymous channel issuing phase.
cious users intentionally setting same session keys in each In this phase, MS purchases an anonymous ticket from
session. Recently, Yang et al. [10] proposed a secure and HN via VN before MS is granted to access VN.
efficient protocol for anonymous channel in wireless sys- Step 1. MS → VN: IDHN , kh,i IDi
mod p, (IDi , T1 , A, B,
tems without employing asymmetric cryptosystems. Yang C)kh,i
et al.’s scheme achieves user anonymity by using symmetric MS selects three random numbers a, b, and c to compute
cryptosystem for authenticating each user. Another merit of A = ga mod p, B = gb mod p, and C = gc mod p. MS then
this scheme is the prevention of ticket copy. In this paper, we uses kh,i to encrypt message (IDi , T1 , A, B, C), where T1 is
will show that Yang et al.’s scheme is vulnerable to guessing a timestamp. The encrypted message along with IDHN and
attacks performed by malicious visited networks. A visited IDi
kh,i mod p is then sent to VN.
network can successfully guess the secret keys of the users IDi
Step 2. VN → HN: IDVN , kh,i mod p, (IDi , T1 , A, B,
who are visiting it. To withstand the proposed attack, we will
C)kh,i , (IDVN , T2 , D, E, F )kh,v
develop a new authentication scheme preserving the same
VN selects three random numbers d, e, and f to compute
merits of Yang et al.’s scheme. The proposed scheme also
D = gd mod p, E = ge mod p, and F = gf mod p. VN then
provides several enhancements. In the proposed scheme, it
uses kh,v to encrypt message (IDVN , T2 , D, E, F), where T2
is not necessary to store a verification table in the home IDi
is a timestamp. Then VN sends IDVN , kh,i mod p, (IDi , T1 ,
network, which is the perfect solution to the stolen veri-
A, B, C)kh,i , and (IDVN , T2 , D, E, F)kh,v to HN.
fier problem. Moreover, different from previous approaches
Step 3. HN → VN: kh,v ⊕(T2 , A, B, C, Texpire ), kh,i ⊕(T1 ,
using timestamps, the proposed scheme uses nonces to pre-
D, E, F, Texpire )
vent replay attacks, because in practice it is difficult for a
HN first records the received time T3 and accords
mobile station to present a synchronized timestamp before IDi
kh,i mod p to find IDi and kh,i . HN then uses kh,i and kh,v
the mobile station is granted to access a visited network. The
to extract (IDi , T1 , A, B, C) and (IDVN , T2 , D, E, F), respec-
proposed scheme also provides anonymous tickets but lim-
tively. HN then checks whether T3 − T2 ≤ T and IDVN is
its the use of anonymous tickets by expired times, instead
valid, where T denotes a valid time interval. If yes, HN
of the number of logins. This can further prevent storing
successfully authenticates VN. Similarly, HN authenticates
obsolete tickets in visited networks.
MS by checking whether T2 − T1 ≤ T and IDi is valid.
The rest of this paper is organized as follows. Section 2
Then, HN sends kh,v ⊕(T2 , A, B, C, Texpire ) and kh,i ⊕(T1 ,
is a brief overview of Yang et al.’s scheme. In the end of
D, E, F, Texpire ) to VN, where Texpire denotes the maximum
Section 2, we will present attacks and comments on Yang
login numbers of MS.
et al.’s scheme. Then, a new practical authentication scheme
Step 4. VN → MS: kh,i ⊕(T1 , D, E, F, Texpire )
is proposed in Section 3. In Section 4, we show the secu-
From the received message kh,v ⊕(T2 , A, B, C, Texpire ), VN
rity and performance analysis of the proposed scheme. A
uses kh,v to extract (T2 , A, B, C, Texpire ) and authenticates HN
conclusion is given in Section 5. Finally, we will further
by verifying T2 . Then, VN computes A’ = Ad = gad mod p,
prove the correctness of the proposed scheme by the logic
B’ = Be = gbe mod p, and C’ = Cf = gcf mod p, and stores
of authentication in Appendix.
(A’, B’, C’, Texpire ) in a ticket database. Message kh,i ⊕(T1 ,
D, E, F, Texpire ) is then forwarded to MS.
After receiving kh,i ⊕(T1 , D, E, F, Texpire ) in Step 4,
2. REVIEW OF YANG ET AL.’S
MS extracts (T1 , D, E, F, Texpire ) with shared key kh,i
SCHEME
and authenticates HN by verifying T1 . MS then computes
A1 = Da = gda mod p, B1 = Eb = geb mod p, and C1 = Fc = g
In this section, Yang et al.’s protocol is reviewed. Then, we fc
mod p, and stores them with Texpire in its device storage.
present our attacks and comments on Yang et al.’s scheme.
The notations used in Yang et al.’s protocol are as follows.
Three entities are involved in the protocol: a mobile station
MS, a visited network VN, and a home network HN. IDi , 2.1.2. The anonymous channel authentication
IDVN , and IDHN denote the identity of MS, VN, and HN, phase.
respectively. It is assumed that HN and VN share a secret It can be easily found that A1 = A’, B1 = B’, and C1 = C’.
key kh,v and HN and MS share a secret key kh,i . “X → Y: A1 will be used as the identity of an anonymous ticket. B1
M” denotes that X sends message M to Y. (M)k denotes that and C1 will be used for authentication between MS and
ciphertext of the message M encrypted with the symmetric VN. The anonymous channel authentication phase goes as
key k, and “⊕” indicates the bit-wise XOR operation. And, follows.
p is a large prime, Q is a prime factor of p−1 and g is an Step 1. MS → VN: A1 , Texpire
Wirel. Commun. Mob. Comput. 2011; 11:1366–1375 © 2010 John Wiley & Sons, Ltd. 1367
DOI: 10.1002/wcm
Authentication for wireless access networks Y. Chen et al.
MS presents A1 and Texpire to declare the ownership of an timestamps, time synchronization is required among MSs,
anonymous ticket. VNs, and HNs. Time synchronization is usually performed
Step 2. VN → MS: (B’, gd’ mod p, ge ’ mod p)B ’ via a time synchronization protocol, e.g., Network Time
According to A1 , VN finds the corresponding (A’, B’, C’, Protocol (NTP). Thus, to synchronize clock times, MSs
Texpire ) in the ticket database and checks whether Texpire > 0. have to be already in the network. However, each MS is
If yes, VN selects two random numbers d’ and e’ and com- asked to present a synchronized timestamp before the MS
putes gd’ mod p and ge ’ mod p. Then VN encrypts (B’, gd’ is granted to access the wireless network. This raises a
mod p, ge ’ mod p) with key B’ and sends it to MS. chicken-or-egg dilemma in the implementation of time syn-
Step 3. MS → VN: (C1 , ga mod p, gb mod p)C1 chronization. Therefore, we recommend that timestamps be
MS extracts (B’, gd’ mod p, ge ’ mod p) with key B’. used only within wired or fixed wireless networks.
If B’ = B1 , MS believes the VN is authentic. MS selects
two random numbers a’ and b’ and compute gd’ mod p
and gb ’ mod p for the next authentication. MS then sends 2.2.3. Key length problem.
(C1 , ga mod p, gb mod p)C1 to VN. VN receives the Yang et al.’s scheme uses shared keys to perform bitwise
message and extracts (C1 , ga’ mod p, gb ’ mod p) with key XOR operations on messages sent in Steps 3 and 4 of the
C’. If the obtained C1 is the same as C’, VN successfully anonymous channel issuing phase. Basically, the lengths of
authenticates MS. VN then updates (A’, B’, C’, Texpire ) in symmetric keys are short. In practice, these messages to be
its ticket database by setting A’ = C’, B’ = (ga’ ) d ’ mod p, XORed may be longer than the shared keys. Thus, the latter
C’ = (gb ’) e ’ mod p, and Texpire = Texpire −1. part of an XORed message is subject to being revealed and
modified.
2.2. Attacks and comments on Yang
et al.’s scheme 2.2.4. Obsolete tickets left in VNs.
Yang et al.’s scheme allows each issued anonymous ticket
The major merits of Yang et al.’s scheme are user anonymity, to be used at most Texpire times. Each VN is responsible for
mutual authentication, and secure anonymous tickets. In storing all the tickets whose Texpire values are not reached
Yang et al.’s scheme, each home network has to store yet. Since each MS may travel everywhere and stay in a
IDi
kh,i mod p, IDi and kh,i for each of its registered users. visited network just for a short period of time, it will be
Obviously, these values should be securely protected in very possible that a lot of tickets are maintained in a visited
order to prevent possible stolen verifier attacks. In addition, network and these tickets will not be used anymore. Yang
we find that Yang et al.’s scheme is vulnerable to guessing et al.’s scheme did not address the obsolete ticket issue.
attacks performed by visited networks. In addition, we indi-
cate a few potential deficiencies in the implementation of
Yang et al.’s scheme. 3. THE PROPOSED SCHEME
1368 Wirel. Commun. Mob. Comput. 2011; 11:1366–1375 © 2010 John Wiley & Sons, Ltd.
DOI: 10.1002/wcm
Y. Chen et al. Authentication for wireless access networks
Wirel. Commun. Mob. Comput. 2011; 11:1366–1375 © 2010 John Wiley & Sons, Ltd. 1369
DOI: 10.1002/wcm
Authentication for wireless access networks Y. Chen et al.
The security of the proposed scheme is analyzed with 4.2. Performance analysis
respect to some well known attacks.
The performance of the proposed scheme is evaluated by
comparing it with Yang et al.’s scheme. The following nota-
tions are used in the performance comparison.
4.1.1. Replay attack.
Our protocol uses nonces and timestamps to withstand
Texp : the time for computing modular exponentiation.
the replay attacks. Since both nonces NMS and NFA are gen-
Tsym : the time of computing symmetric key cryptogra-
erated independently, attacks by just replaying messages of
phy.
previous sessions will fail.
Thash : the time of computing one-way hash function
TXOR : the time of computing XOR operation.
1370 Wirel. Commun. Mob. Comput. 2011; 11:1366–1375 © 2010 John Wiley & Sons, Ltd.
DOI: 10.1002/wcm
Y. Chen et al. Authentication for wireless access networks
Computational cost Ticket issuing phase 6Texp + 4Tsym + 9Thash + 4TXOR 12Texp + 4Tsym + 4TXOR
Authentication phase 4Texp + 4Tsym + 2TXOR 8Texp + 4Tsym
Overall 10Texp + 8Tsym + 9Thash + 6TXOR 20Texp + 8Tsym + 4TXOR
Estimated time (s) 5.2941 10.5096
as well as the entire authentication phase, all take zero com- takes about 0.522 s. The computational cost of XOR oper-
putation time. Accordingly, the computation time of Yang ations can be ignored compared to the other computations.
et al.’s scheme is only 1Tsym + 2TXOR . We find that the eval- Based on the above estimated times, the computational
uated computation time is incorrect, since it doesn’t include cost of our scheme is 5.2941 s, while Yang et al.’s scheme
the computations required for decrypting and extracting requires 10.5096 s. Our scheme reduces about 50% in com-
received messages. In addition, there are the following putational cost. In terms of overall computation time, our
problems in those pre-computations: (1) The symmetric scheme is slower than Yang et al.’s scheme by 1 s. Most of
encryption in step 1 of the ticket issuing phase cannot be our computation time is spent in the ticket issuing phase.
pre-computed until timestamp T1 is determined; (2) Most Nevertheless, compared with Yang et al.’s scheme, our
pre-computations for the next session should be performed scheme takes the same computation time in the authen-
in the current session; and (3) Additional storage space is tication phase, which will be performed more frequently
needed to store pre-computed messages and corresponding than ticket issue phase. Table I summarizes the performance
parameters used in the messages. Indeed, pre-computations comparisons of our scheme with Yang et al.’s one. In sum-
can reduce the running time of the scheme. However, it mary, our scheme takes more computation time in the ticket
doesn’t imply that not any computational cost is incurred issuing phase, but achieves the same performance in the
in pre-computations. Therefore, a performance analysis in authentication phase. Our scheme outperforms Yang et al.’s
terms of computational cost is also required. In the fol- approach in terms of the computational cost. In addition,
lowing performance analysis, the computational cost of our scheme provides improvements in security protection,
a scheme is evaluated according to all the computations time synchronization, use of verification tables, and ticket
required in the scheme, and the computation time is esti- maintenance.
mated by the elapsed time for running the ticket issuing
phase and a round of the authentication phase assuming
that pre-computations have been done. 5. CONCLUSION
By our performance analysis, Yang et al.’s scheme takes
4Tsym + 4TXOR in terms of computation time, and requires We have successfully presented guessing attacks on Yang
20Texp + 8Tsym + 4TXOR in computational cost. Our scheme et al.’s scheme, and also indicated potential drawbacks in the
takes 2Texp + 6Tsym + 6Thash + 4TXOR in terms of compu- implementation of their scheme. A new secure and practical
tation time, and spends 10Texp + 8Tsym + 9Thash + 6TXOR authentication scheme is thus proposed. In the proposed
in computational cost. Obviously, Yang et al.’s scheme scheme, nonces are used for both message protection and
gains better performance from the pre-computations, but key agreement between MS and FA. To protect the secrecy
incurs more computational cost than our scheme does. of MS from FA, we carefully use nonces in the scheme such
More precisely, as indicated in Reference [13], a one-way that FA can issue an anonymous ticket based on nonces,
hashing operation takes about 0.0005 s and a symmetric but cannot learn any information about MS. In summary,
encryption/decryption requires 0.0087 s. An exponential the proposed scheme provides the following merits: user
operation is approximately equal to 60 symmetric encryp- anonymity, mutual authentication, ticket copy prevention,
tion/decryptions. Therefore, an exponential computation lower computational cost, free of time synchronization in
Wirel. Commun. Mob. Comput. 2011; 11:1366–1375 © 2010 John Wiley & Sons, Ltd. 1371
DOI: 10.1002/wcm
Authentication for wireless access networks Y. Chen et al.
wireless clients, and free of verification tables in HAs. We cation of FA to MS in the sense that the response
further prove the correctness of the proposed scheme by VO is from a corroborated operational entity, and is tar-
logic analysis. geted in response to a challenge from MS.
K−
Our study is a theoretical approach for the authentication G3. Secure key establishment: MS| ≡ MS ↔ FA
in wireless access networks, and several practical issues MS believes that the key K is shared with no party
have been considered in the development of our scheme. other than party FA.
The security issues of wireless access networks become K+
G4. Key confirmation: MS| ≡ MS ↔ FA
more crucial for contemporary mobile applications. In the
MS believes the key K is shared with FA alone, and
future, we will take into consideration the application of our
FA has provided evidence of knowledge of the key
scheme in current wireless and mobile networks, e.g., IEEE
to MS.
802.11 wireless LANs, 3G, and WiMAX networks.
G5. Key freshness: MS| ≡ #(K)
MS believes the key K is fresh.
G6. Mutual belief in shared secret: MS| ≡ (FA| ≡
APPENDIX: LOGIC ANALYSIS K−
FA ↔ MS)
In the VO logic, the original protocol must be first trans- MS believes the target entity FA also believes K is
formed to an idealized form, and write assumptions about an unconfirmed secret suitable for use with MS.
the initial state of the protocol, and then use the logic
to derive the beliefs held by protocol principals. P |≡≡X
denotes P believes that the statement X is true. P|≈X and Idealization
P|∼X denote P says X and P said X to discriminate the
tense, i.e., P sends or once sent a message including X. {X}K We transform the proposed protocol to the following ideal-
represents X encrypted with the key K. < X > Y denotes X ized form suitable for further logic manipulation:
Step 1. MS → FA: IDHA , RMS, IDMS h(RMS ||IDHA ||x) , NMS h(IDMS ||x)
Step 2. FA → HA: RMS, ID
MS h(RMS ||IDHA ||x) , NMS h(IDMS ||x) , IDFAc, {ID
FA , T1 , NFA }kh,f
c
NFA h(h(IDMS ||x)||NMS )
, h(h(ID MS ||x)||N MS ||N FA N c ,
)
Step 3. HA → FA: c
c
FA
T3 , NMS , h(h(IDMS ||x)||NMS + 1||NFA + 1) N c
c
c
FA kh,f
Step 4. FA → MS: NFA h(h(IDMS ||x)||NMS )
, h(h(IDMS ||x)||NMS ||NFA ) c
NFA
c
Step 5. MS → FA: h(h(IDMS ||x), NMS + 1, NFA + 1) c
NFA
Step 6. MS → FA: {K, NMS }K
Step 7. FA → MS: {K + 1, NFA }K
1372 Wirel. Commun. Mob. Comput. 2011; 11:1366–1375 © 2010 John Wiley & Sons, Ltd.
DOI: 10.1002/wcm
Y. Chen et al. Authentication for wireless access networks
1. MS| ≡ φ({NMS }K ) (S5) 4. MS| ≡ # c
h(h(IDMS ||x)||NMS ||NFA ) c
NFA
2. #(NMS ) ∧ φ({NMS }K ) ⊃ confirm(K) (S6) By freshness propagation, (S10) and (A4)
c
5. MS| ≡ HA| ≡ h(h(IDMS ||x)||NMS ||NFA ) c
NFA
By Confirmation Axiom, (S4), and (S5)
By nonce-verification, (S10) and (S11)
3. MS sees confirm(K)
By message decryption rule for unqualified keys,
c
6. MS| ≡ HA| ≡ NFA h(h(IDMS ||x)||NMS )
,
(S2) and (S6), Step 7
MS does not create any message of the specific
c
form (K + 1, N’FA ) encrypted by K in the current h(h(IDMS ||x)||NMS ||NFA ) c
NFA
session. That is, (K + 1, N’FA ) was not originated by
MS itself. The confirmation belief would be marked (S12)
with a “not-originated-here” symbol from GNY’s
construct: By freshness propagation
Thus, MS believes that HA recently said message
MS sees ∗ confirm(K ) (S7) c
NFA c
, h(h(IDMS ||x)||NMS ||NFA )
h(h(IDMS ||x)||NMS ) c
NFA
K+
4. MS| ≡ MS ↔ FA, where K + is the session key SK
of the proposed scheme. 7. MS| ≡ FA| ∼ (K + 1, NFA ) (S13)
Wirel. Commun. Mob. Comput. 2011; 11:1366–1375 © 2010 John Wiley & Sons, Ltd. 1373
DOI: 10.1002/wcm
Authentication for wireless access networks Y. Chen et al.
9. MS| ≡ FA| ≡ (K + 1, NFA ) (S15) REFERENCES
By nonce-verification, (S13) and (S14) 1. Harn L, Lin H. Authentication in wireless communi-
Therefore, MS believes that FA recently said (K + 1, cations, IEEE Global Telecommunications Conference
NFA ), which implies that FA is currently operational. (GLOBECOM ’93), Houston, USA, November 29--
Q.E.D. December 2, 1993; 550--554.
Lemma 5. The proposed scheme provides tar- 2. Juang WS, Lei CL, Chang CY. Anonymous channel and
geted entity authentication, i.e., goal (G2) MS| ≡ FA| ≈ authentication in wireless communications. Computer
(Y, R(G(RA ), Y )) is achieved. Communications 1999; 22: 1502--1511.
Proof.
3. Park J, Go J, Kim K. Wireless authentication protocol
preserving user anonymity. In Proceedings of the 2001
c
1. MS| ≡ FA| ∼ NFA h(h(IDMS ||x)||NMS )
, Symposium on Cryptography and Information Security
(SCIS 2001), Oiso, Japan, January 23--26, 2001.
c
h(h(IDMS ||x)||NMS ||NFA ) c
NFA
, TID , Texp 4. Lin WD, Jan JK. A wireless-based authentication and
anonymous channels for large scale area. In Proceedings
By Lemma 4, and Step 4 of the 6th IEEE Symposium on Computers and Commu-
We break the conjuncatenation and derive h(h(IDMS || nications (ISCC 2001), Hammamet, Tunisia, July 3--5,
x)||NMS ) which provides authentication evidence of FA 2001; 36--41.
and HA to MS in the sense that the response is from
5. Rahman MG, Imai H. Security in wireless communi-
the corroborated operational entity HA and FA, and
cation. Wireless Personal Communications 2002; 22(2):
it is targeted to response to the challenge from MS in
Step 1. Furthermore, since NMS = ga , provided that MS 213--228.
does not intentionally re-choose a random number a 6. Racherla G, Saha D. Security and privacy issues in
to generate the nonce in the current epoch using an wireless and mobile computing. IEEE International
appreciate random number generator, the nonce will not be Conference on Personal Wireless Communications
a duplicate of a previous nonce. Thus, upon a successful (ICPWC’2000), Hyderabad, India, December 17--20,
c
completion MS believes that FAc conveyed
of the protocol, 2000; 509--513.
NFA h(h(ID ||x)||N ) , h(h(IDMS ||x)||NMS ||NFA ) N c in 7. Barbancho AM, Peinado A. Cryptanalysis of anonymous
MS MS FA
the current epoch, as an intended response to the specific channel protocol for large-scale area in wireless commu-
challengeh(h(IDMS ||x)||NMS ). Q.E.D. nications, Computer Networks 2003; 43: 777--785.
Lemma 6. The proposed scheme provides mutual belief 8. Zhu J, Ma J. A new authentication scheme with
in shared keying relationship, i.e., goal (G6) MS| ≡ (FA| ≡ anonymity for wireless environments. IEEE Transac-
K−
FA ↔ MS) is achieved. tions on Consumer Electronics 2004; 50(1): 231--235.
Proof. 9. Chien HY, Chen CH. A remote authentication scheme
At the end of Step 7, MS can derive all beliefs and iden- preserving user anonymity. In Proceedings of the 19th
tify of the principal FA, which MS shares the key K with. International Conference on Advanced Information Net-
MS may believe FA possesses K and derive MS| ≡ (FA| ≡
K− working and Applications (AINA’05), Taipei, Taiwan,
FA ↔ U), U = FA. From Lemma 5, MS can confirm March 28--30, 2005; 509--513.
K−
U = MS. Therefore, MS| ≡ (FA| ≡ FA ↔ MS). Consider 10. Yang CC, Tang YL, Wang RC, Yang HW. A secure and
the beliefs of FA. After a successful completion of the pro- efficient authentication protocol for anonymous channel
tocol, FA is also able to derive the above beliefs like MS. It in wireless communications. Applied Mathematics and
K−
can be deduced that FA| ≡ (MS| ≡ MS ↔ FA). Computation 2005; 169(2): 1431--1439.
For more conscientious, we prove this lemma with the 11. van Oorschot PC. Extending cryptographic logics of
inference rules as follows. belief to key agreement protocols. In Proceedings of the
1st ACM Conference on Computer and Communications
1. MS| ≡ FA| ≈ K (S16)
Security, Virginia, USA, November 3--5, 1993; 233--243.
By Lemma 4, (S15) 12. Burrows M, Abadi M, Needham R. A logic of authenti-
cation. ACM Transactions on Computer Systems 1990;
K−
2. MS| ≡ (FA| ≡ FA ↔ MS) 8(1): 18--36.
1374 Wirel. Commun. Mob. Comput. 2011; 11:1366–1375 © 2010 John Wiley & Sons, Ltd.
DOI: 10.1002/wcm
Y. Chen et al. Authentication for wireless access networks
13. Li C-T, Hwang M-S, Chu Y-P. A secure and efficient Lo-Yao Yeh received the B.S. degree
communication scheme with authenticated key estab- in Information Management from Da
lishment and privacy preserving for vehicular d hoc Yeh University, Taiwan, in 2003. He
networks, Computer Communication 2008; 31: 2803-- got the M.S. degree in the Depart-
2814. ment of Information Management from
National Chi Nan University in 2005.
Now, he is a Ph.D. candidate in the
AUTHORS’ BIOGRAPHIES Department of Computer Science in
National Chiao Tung University. He
Yen-Cheng Chen received the Ph.D. was a visiting scholar in UC Berkeley. His current research
degree in Computer Science from the interests include network security and overlay networks
National Tsing Hua University, Tai- security, and sensor networks.
wan, in 1992. He was an Associative
Researcher of the ChungHwa Telecom Jiun-Long Huang received the B.S.
Labs. from 1992 to 1998. From 1998 and M.S. degrees from the Department
to 2001, he was an Assistant Profes- of Computer Science and Information
sor of the Department of Information Engineering at National Chiao Tung
Management, Ming Chuan University, University in 1997 and 1999, respec-
Taiwan. Currently, he is an Associate Professor of the tively, and the Ph.D. degree from the
Department of Information Management, National Chi Nan Department of Electrical Engineering
University, Taiwan. His current research interests are net- at National Taiwan University in 2003.
work management, wireless networks, and security. Currently, he is an Assistant Professor
in the Department of Computer Science at National Chiao
Shu-Chuan Chuang received the M.S. Tung University. His research interests include mobile com-
degree in the Department of Infor- puting, mobile data management, wireless access networks,
mation Management from National and Internet technology.
Chi-Nan University in 2006. Currently,
she is a computer technician of the
department of Information Manage-
ment in Kaohsiung Veterans General
Hospital, in charge of the applications
development and information security
audit. Her interests include Internet technology and network
security.
Wirel. Commun. Mob. Comput. 2011; 11:1366–1375 © 2010 John Wiley & Sons, Ltd. 1375
DOI: 10.1002/wcm