隨著人們使用網路需求量大增，我們將提供不同接入點且互補的網路，整合出全球性異質網路環境。例如:GSM及3GPP等，這些技術提供移動使用者在漫遊時不會受到地域上的限制。為了使無線網路擁有更大的便利性，換手機制在此環境扮演了相當重要的角色，也滿足了現今移動式設備的需求。有鑒於此，在驗證階段中，包含著重大的計算量問題以及管理金鑰挑戰。在2009，Huang et al.’s提出一次性金鑰協定在安全網路的方法，這個方法專注於提供給移動式設備一個有效率的驗證機制。此方法不僅可以抵擋中間人攻擊，也可以減少計算成本。然而，我們發現此方法仍然存在許多安全性漏洞。由於這些漏洞，我們提出一種在無線網路環境中的全新換手機制，此方法可以加強安全性並且降低計算成本。此外，我們使用正規安全分析方法:BAN邏輯，證明此方法的適用性。
除此之外，漫遊特性是移動式設備最大優點。在現今通訊網路環境中，由於移動式設備的電力有限，所以在驗證階段的計算量是移動式設備最大的挑戰。為了降低計算成本，Shrestha et al.’s提出一個有效率的驗證方法，利用事先跟參予者都分享好的秘密金鑰提供驗證彼此以及建立會議金鑰。另一方面，提供服務端也產生認證憑據，讓移動用戶可以減少計算量以及通訊次數。但是，根據我們的觀察，仍然存在著隱藏式的威脅，包括金鑰管理問題，憑據儲存問題，以及無法完整的對移動用戶提供匿名性。因此，我們提出一個有效率的驗證方法來達到減少計算量以及通訊回合數，並且利用亂數預言來證明提出的方法是安全的。
關鍵字:相互認證，金鑰協商，Kerberos網路認證協議，用戶匿名性，換手機制，BAN邏輯，亂數預言

With the increased demand in ubiquitous wireless access, we merge different but complementary wireless access technology to compose global wireless heterogeneous network, such as GSM and 3GPP, to provide mobile users the advantage of roaming services without geographical limitation. Hence, the handover technique is playing an important role nowadays to meet the epidemic mobile device usage. It has a great challenge to provide authentication such as computation overload as well as the key management burden. In 2009, Huang et al. proposed the One-time key Secure Network Protocol (OSNP) scheme. It can not only resist the man-in-the-middle attack but also reduce the computation load. Nevertheless, we have found that there still exist several defects in this method. For this reason, we aim to provide a new handover mechanism for enhancing the secure property as well as reducing the computation cost. Moreover, we provide the formal security analysis of BAN logic to demonstrate the applicability of the protocol.
Besides, owing to the mobile device only can keep limited electricity, thus the computation cost of the mobile users becomes primary defiance in the verification phase. To reduce the heavy burden of the mobile users, Shrestha et al.’s scheme proposed a Kerberos based authentication protocol, for the mobile user to reduce the computation costs and the communication rounds. Unfortunately, according to our observation, some weaknesses still exist in Shrestha et al.’s scheme. Therefore, we propose a new version with a novel architecture and then we utilize random oracle to prove the security our scheme.
Keywords: Mutual authentication, key agreement, Kerberos, Anonymous, Handover, BAN logic, Random oracle

Table of Contents
摘要...............................................................................................................................II
Abstract......................................................................................................................III
Table of Contents......................................................................................................IV
List of Figures..............................................................................................................V
List of Tables..............................................................................................................VI
Chapter 1......................................................................................................................1
Introduction..................................................................................................................1
1.1 Research Motivation and Objectives................................................................1
1.2 Organization.......................................................................................................3
Chapter 2......................................................................................................................4
A Wide-adapted Bantam Protocol for Roaming across Wireless Area...................4
2.1 Preliminary.........................................................................................................4
2.2 Review of Huang et al.’s scheme.......................................................................7
2.3 The proposed protocol.....................................................................................13
2.4 Security analysis and discussions...................................................................22
2.5 Mutual Authentication by BAN Logic...........................................................28
2.6 Summary...........................................................................................................44
Chapter 3....................................................................................................................46
A Universal Authentication Scheme with Anonymity for Heterogeneous Wireless Networks.....................................................................................................................46
3.1 Preliminary.......................................................................................................46
3.2 Drawbacks on Kerberos Based Mobile Authentication................................49
3.3 The Proposed Scheme......................................................................................52
3.4 Security Analysis and Discussions..................................................................58
3.5 Performance Analysis......................................................................................62
3.6 Summary...........................................................................................................65
Chapter 4....................................................................................................................66
Conclusions.................................................................................................................66
Bibliography...............................................................................................................67

[1] B. Aboba and D. Simon, “PPP EAP TLS Authentication Protocol,” RFC 2716, IETF, 1999. http://www.ietf.org/rfc/rfc2716.txt
[2] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson and H. Levkowetz, “Extensible Authentication Protocol (EAP),” RFC 3748, IETF, 2004. http://www.ietf.org/rfc/rfc3748.txt
[3] B. Aboba, D. Simon and P. Eronen, “Extensible Authentication Protocol (EAP) Key Management Framework,” RFC 5247, IETF, 2008. http://www.ietf.org/rfc/rfc5247.txt
[4] M. Burrows, M. Abadi and R. Needham, “A Logic of Authentication,” ACM Transactions on Computer Systems, Vol. 8, No. 1, pp. 18-36, 1990.
[5] D. Boneh, B. Lynn and H. Shacham, “Short Signatures from the Weil Pairing,” Journal of Cryptology, vol. 17, no. 4, pp. 297-319, 2004.
[6] M. Bellare and P. Rogaway, “Random Oracles are Practical: a Paradigm for Designing Efficient Protocols,” Proceedings of the First ACM Conference on Computer and Communication Security, NY, USA, pp. 62-73, 1993.
[7] L. Blunk and J. Vollbrecht, “PPP Extensible Authentication Protocol (EAP),” RFC 2284, IETF, 1998. http://www.ietf.org/rfc/rfc2284.txt
[8] C. C. Chang, C. Y. Lee and Y. C. Chiu, “Enhanced Authentication Scheme with Anonymity for Roaming Service in Global Mobility Networks,” Computer Communications, vol. 32, no. 4, pp. 611-618, 2009.
[9] X. F. Cao, X. W. Zeng, W. D. Kou and L. B. Hu, “Identity-Based Anonymous Remote Authentication for Value-added Services in Mobile Networks,” IEEE Transactions on Vehicular Technology, vol. 58, no. 7, pp. 3508-3517, 2009.
[10] R. Dantu, G. Clothier and A. Atri, “EAP Methods for Wireless Networks,”
Computer Standards and Interfaces, Vol. 29, No. 3, pp. 289-301, 2007.
[11] T. Elgamal, “A Public key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469-472, 1985.
[12] P. Funk and S. Blake-Wilson, “Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0),” RFC 5281, IETF, 2008. http://www.ietf.org/rfc/rfc5281.txt
[13] C. I. Fan, P. H. Ho and R. H. Hsu, “Provably Secure Nested One-time Secret Mechanisms for Fast Mutual Authentication and Key Exchange in Mobile Communications,” IEEE/ACM Transactions on Networking, vol. 18, no. 3, pp. 996-1009, 2010.
[14] K. F. Hwang and C. C. Chang, “A Self-encryption Mechanism for Authentication of Roaming and Teleconference Services,” IEEE Transactions on Wireless Communications, vol. 2, no. 2, pp. 400-407, 2003.
[15] Y. L. Huang, P. H. Lu, J. D. Tygar and A. D. Joseph, “OSNP: Secure Wireless Authentication Protocol Using One-time Key,” Computers and Security, Vol. 28, No. 8, pp. 803-815, 2009.
[16] K. Han, T. Shon and K. Kim, “Efficient Mobile Sensor Authentication in Smart Home and WPAN,” IEEE Transactions on Consumer Electronics, vol. 56, no. 2, pp. 591-596, 2010.
[17] IEEE, “IEEE 802.1X: Medium Access Control (MAC) Security Enhancements,” 2001.
[18] IEEE, “IEEE 802.11i: Medium Access Control (MAC) Security Enhancements,” 2003.
[19] Y. Jiang, C. Lin, X. Shen, and M. Shi, “Mutual Authentication and Key
Exchange Protocols for Roaming Services in Wireless Mobile Networks,” IEEE Transactions on Wireless Communications, vol. 5, no. 9, pp. 2569-2576, 2006.
[20] N. Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203-209, 1987.
[21] N. Koblitz, A. J. Menezes and S. A. Vanstone, “The State of Elliptic Curve Cryptography,” Design, Codes, and Cryptography, vol. 19, no. 2-3, pp. 173-193, 2000.
[22] J. Kohl and C. Neuman, “The Kerberos Network Authentication Service (V5),” RFC 1510, IETF, 1993. http://www.ietf.org/rfc/rfc1510.txt
[23] M. Komarova, M. Riguidel, A. Hecker, “Fast Re-authentication Protocol for Inter-domain Roaming,” Proceedings of IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications, 2007. PIMRC 2007, Athens, pp. 1-5, 2007.
[24] Y. B. Lin and Y. K. Chen, “Reducing Authentication Signaling Traffic in Third-generation Mobile Network,” IEEE Transactions on Wireless Communications, vol. 2, no. 3, pp. 493-501, 2003.
[25] W. Liang and W. Y. Wang, “On Performance Analysis of Challenge/Response Based Authentication in Wireless Networks,” Computer Networks, Vol. 48, No. 2, pp. 267-288, 2005.
[26] J. S. Lee, P. Y. Lin and C. C. Chang, “Lightweight Secure Roaming Mechanism between GPRS/UMTS and Wireless LANs,” Wireless Personal Communications, Vol. 53, No. 4, pp 569-580, 2009.
[27] W. B. Lee and C. K. Yeh, “A New Delegation-based Authentication Protocol for Use in Portable Communication Systems,” IEEE Transactions on Wireless Communications, vol. 4, no. 1, pp. 57-64, 2005.
[28] C. Macnally, “Cisco LEAP Protocol Description,” 2001. http://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.html
[29] A. Menezes, P. V. Oorschot and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996.
[30] S. Moon, “Elliptic Curve Scalar Point Multiplication using Radix-4 Booth's Algorithm,” Proceedings of IEEE International Symposium on Communications and Information Technology ISCIT, South Korea, vol. 1, pp. 80-83, 2004.
[31] A. J. Nicholson, M. D. Corner and B. D. Noble, “Mobile Device Security using Transient Authentication,” IEEE Transactions on Mobile Computing, vol. 5, no. 11, pp. 1489-1502, 2006.
[32] Y. Ohba, S. Das and A. Dutta, “Kerberized Handover Keying: a Media Independent Handover Key Management Architecture,” Proceedings of the 2nd ACM/IEEE International Workshop on Mobility in the Evolving Internet Architecture, Kyoto, Japan, No. 9, pp. 1-7, 2007.
[33] R. L. Rivest, A. Shamir and L. Adleman, “A Method for Obtaining Digital Signatures and Public Key Cryptosystems,” Communications of the ACM, vol. 21, no. 2, 1987.
[34] A. Shamir, “Identity-Based Cryptosystems and Signature Scheme,” Lecture Notes in Computer Science, vol.196, pp. 47-53, 1985.
[35] B. Schneier, Applied Cryptography 2nd Edition, John Wiley and Sons Press, 1996.
[36] D. Simon, B. Aboba and R. Hurst, “The EAP-TLS Authentication Protocol,” RFC 5216, IETF, 2008. http://tools.ietf.org/html/rfc5216
[37] P. F. Syverson and I. Cervesato, “The Logic of Authentication Protocols,” Lecture Notes in Computer Science, Vol. 2171, pp. 63-136, 2001.
[38] A. P. Shrestha, D. Y. Choi, G. R. Kwon, and S. J. Han, “Kerberos based Authentication for Inter-domain Roaming in Wireless Heterogeneous Network,” Computers and Mathematics with Applications, vol. 60, no. 2, pp. 245-255, 2010.
[39] D. Stanley, J. Walker and B. Aboba, “Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs,” RFC 4017, IETF, 2005. http://www.ietf.org/rfc/rfc4017.txt
[40] D. Simon, B. Aboba and R. Hurst, “The EAP-TLS Authentication Protocol,” RFC 5216, IETF, 2008. http://www.ietf.org/rfc/rfc5216.txt
[41] Y. M. Tseng, “GPRS/UMTS - Aided Authentication Protocol for Wireless LANs,” IEE Proceedings-Communications, Vol. 153, No. 6, pp. 810-817, 2006.
[42] Y. M. Tseng, “USIM-based EAP-TLS Authentication Protocol for Wireless Local Area Networks,” Computer Standards and Interfaces, Vol. 31, No. 1, pp. 128-136, 2009.
[43] H. C. Tsai, C. C. Chang and K. J. Chang, “Roaming across Wireless Local Area Networks Using SIM-based Authentication Protocol,” Computer Standards and Interfaces, Vol. 31, No. 2, pp. 381-389, 2009.
[44] S. R. Tuladhar, C. E. Caicedo and J. B. D. Joshi, “Inter-domain Authentication for Seamless Roaming in Heterogeneous Wireless Networks,” Proceedings of IEEE International Conference on Sensor Networks, Ubiquitous and Trustworthy Computing, 2008. SUTC '08, Taichung, pp. 249-255, 2008.
[45] T. Taleb and K. Letaief, “A Cooperative Diversity based Handoff Management Scheme,” IEEE Transactions on Wireless Communications, vol. 9, no. 4, pp. 1462-1471, 2010.
[46] C. Tang and D. O. Wu, “An Efficient Mobile Authentication Scheme for Wireless Networks,” IEEE Transactions on Wireless Communications, vol. 7, no. 4, pp.
1408-1416, 2008.
[47] C. Tang and D. O. Wu, “Mobile Privacy in Wireless Networks-revisited,” IEEE Transactions on Wireless Communications, vol. 7, no. 3, pp. 1035-1042, 2008.
[48] S. J. Wang, “Anonymous Wireless Authentication on a Portable Cellular Mobile System,” IEEE Transactions on Computers, vol. 53, no. 10, pp. 1317-1329, 2004.
[49] T. Y. Wu and Y. M. Tseng, “An Efficient User Authentication and Key Exchange Protocol for Mobile Client–Server Environment,” Computer Networks, Vol. 54, No. 9, pp. 1520-1530, 2010.
[50] J. H. Yang and C. C. Chang, “An Id-based Remote Mutual Authentication with Key Agreement Scheme for Mobile Devices on Elliptic Curve Cryptosystem,” Computers and Security, vol. 28, no. 3-4, pp. 138-143, 2009.
[51] G. Yang, Q. Huang, D. S. Wong, and X. Deng, “Universal Authentication Protocols for Anonymous Wireless Communications,” IEEE Transactions on Wireless Communications, vol. 9, no. 1, pp. 168-174, 2010.
[52] C. C. Yang, Y. L. Tang, R. C. Wang and H. W. Yang, “A Secure and Efficient Authentication Protocol for Anonymous Channel in Wireless Communications,” Applied Mathematics and Computation, Vol. 169, No. 2, pp. 1431-1439, 2005.
[53] G. Yang, D. S. Wong, and X. Deng, “Anonymous and Authenticated Key Exchange for Roaming Networks,” IEEE Transactions on Wireless Communications, vol. 6, no. 9, pp. 3461-3472, 2007.
[54] L. Yao, L. Wang, X. W. Kong, G. W. Wu and F. Xia, “An Inter-Domain Authentication Scheme for Pervasive Computing Environment,” Computers and Mathematics with Applications, Vol. 60, No. 2, pp. 234-244, 2010.
[55] M. Zhang and Y. Fang, “Security Analysis and Enhancements of 3GPP Authentication and Key Agreement Protocol,” IEEE Transactions on Wireless
Communications, vol. 4, no. 2, pp. 734-742, 2005.
[56] Y. C. Zhang, W. Liu, W. J. Lou and Y. G. Fang, “Securing Mobile Ad hoc Networks with Certificateless Public Key,” IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 4, pp. 386-399, 2006.
[57] J. M. Zhu and J. F. Ma, “A New Authentication Scheme with Anonymity for Wireless Environments,” IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 231-235, 2004.