A Secure Anonymous Authentication Protocol for Mobile Services on Elliptic Curve Cryptography Source : IEEE Access, In Press, 2016 Authors : Alavalapati Goutham Reddy, Ashok Kumar Das, Eun-Jun Yoon and Kee-Young Yoo Speaker : Hsiao-Ling Wu Date: 2016/11/10

Outline Proposed scheme Security analysis Performance analysis Conclusions

Proposed scheme(1/6) Notations

Proposed scheme(2/6) Mobile user registration phase HA MU Input IDMU, PWMU Choose b AMU=h(PWMU || b) PIDMU=h(IDMU || b) PWIDMU=h(IDMU || PWMU) PIDMU BMU=h(PIDMU || MSK) CMU=h(PIDMU || BMU) RL=zP Secure channel {IDHA, BMU, CMU, RL, h(.), P} Secure channel DMU=b ⊕ PWIDMU EMU= BMU ⊕ AMU {IDHA, CMU, DMU, EMU, RL, h(.), P}

Proposed scheme(3/6) Mutual authentication with key-agreement phase MU {IDHA, CMU, DMU, EMU, RL, h(.), P} FA Generate random x RM = xP RM’ = xRL AIDMU = PIDMU ⊕ RM’ K= h(BMU || RM’) M1 = h(K ||IDFA|| PIDMU) MMH ={IDHA, AIDMU, M1, RM, P}

Proposed scheme(4/6) Mutual authentication with key-agreement phase HA FA HA Generate random y RB = yP M2 = h(KFH || RB || MMH) MFH ={MMH, RB, IDFA, M2}

Proposed scheme(5/6) Mutual authentication with key-agreement phase FA {IDHA, CMU, DMU, EMU, RL, h(.), P} HA MFH ={MMH, RB, IDFA, M2} RM’ = zRM PIDMU = AIDMU ⊕ RM’ BMU=h(PIDMU || MSK) K= h(BMU || RM’) M1 ?= h(K ||IDFA|| PIDMU) KFH = h(IDFA|| FSK) M2 ?= h(KFH || RB || MMH) M3 = h(IDHA || KFH || RM) M4 = h(IDHA || IDFA|| BMU|| RB ) M3 , M4

Proposed scheme(6/6) Mutual authentication with key-agreement phase MU {IDHA, CMU, DMU, EMU, RL, h(.), P} FA M3 ?= h(IDHA || KFH || RM) RB’ = yRM SK= h(RB’ ||IDHA || IDFA) M5 = h(SK || M4) M4 , M5, RB M4 ?= h(IDHA || IDFA|| BMU|| RB ) RB’ = xRB SK= h(RB’ ||IDHA || IDFA) M5 ?= h(SK || M4) M6 = h(SK || IDFA ||IDHA ) M6 M6 ?= h(SK || IDFA ||IDHA )

Security analysis SR1: the mutual authentication between tag and server SR2: strong anonymity, which is the combination of the tag anonymity and untraceability SR3: it can resolve the issue of de-synchronization SR4: the adversary cannot acquire Kts from Ktsnew SR5: To authenticate the RFID tag, the server in the RFID system has to find matching records from its database. If the computational workload of the searching algorithm increases significantly as the number of RFID tags increases, the system will not scale. 3. If a group of tags share the same key and use it for authentication, then it is vulnerable to cloning(複製) attacks.

Performance analysis [16] I. Memon, I. Hussain, R. Akhtar, and G. Chen, ``Enhanced privacy and authentication: An efcient and secure anonymous communication for location based service using asymmetric cryptography scheme,'' Wireless Pers. Commun., vol. 84, no. 2, pp. 14871508, 2015. [17] H. Mun, K. Han, Y. S. Lee, C. Y. Yeun, and H. H. Choi, ``Enhanced secure anonymous authentication scheme for roaming service in global mobility networks,'' Math. Comput. Model., vol. 55, no. 1, pp. 214222, 2012. [20] Q. Xie, B. Hu, X. Tan, M. Bao, and X. Yu, ``Robust anonymous two-factor authentication scheme for roaming service in global mobility network,'‘ Wireless Pers. Commun., vol. 74, no. 2, pp. 601614, 2014. [22] D. Zhao, H. Peng, L. Li, and Y. Yang, ``A secure and effective anonymous authentication scheme for roaming service in global mobility networks,'‘ Wireless Pers. Commun., vol. 78, no. 1, pp. 247269, 2014.

Conclusions High security level Lightweight