Authentication Protocols in Wireless Communications

Hung-Yu Lin, Lein Harn, and Vijay Kumar
Computer Science Telecommunications Program
University of Missouri - Kansas City
Kansas City, MO 64110

ABSTRACT - This paper examines authentication protocols used for wireless communications, especially in the multi-operator environment, to see what security services they provide and how they do it. Weaknesses of each protocol and differences among them will also be discussed.

I. INTRODUCTION

As technology advances from analogue systems to digital systems, personal communication systems (PCSs) will soon provide broadband services in addition to the traditional voice and data communications. However, whether designed for cellular phones, cordless phones, or other user devices, security of the wireless link is still the major concern of the PCSs. Wireless communication suffers from threats [10, 19] inherited from wired networks and those [13, 16, 17] which are specific to the wireless environment. Because there is no physical association between the subscriber and the wired network, and the radio is easy to access, proper authentication is necessary to protect the communication against illegal usage. Such protection is elaborated in terms of security services to be provided in the authentication protocols [13, 16, 17]. To provide universal wireless access to services, such authentication must deal with subscribers' roaming among areas administered by different operators, and be implemented by subscribers' devices with limited computing resources. During the authentication process, some secret information must be mutually agreed upon so that the following communication can proceed efficiently in protected mode to achieve the desired confidentiality. With modern digital and cryptographic techniques, protocols have been proposed to provide secure services to their subscribers which are comparable to those provided by traditional wireline networks.
In this paper, the logic of these protocols is examined from various aspects, which include security services provided, constructing mechanisms, placement of trust, efficiency, influence of security disasters, feasibility of recovery, and applicability of implementation. Various attacks are also considered to find out weaknesses associated with these protocols. Other issues, such as implementation complexity, security management and the applications to be built, etc., are considered. Note that authentication in this paper is intended for the two parties on both ends of the wireless link. A subscriber and the mobile unit operated on his behalf will be treated as an integral part unless explicitly addressed, though they are two different entities and some sort of authentication is involved in between, either by PIN, password, or through the complicated zero-knowledge proof identification procedure. The mobile end will be called mobile station (MS), portable unit (PU), portable radio termination (PT), or simply subscriber. The fixed end will be called network, fixed radio termination (FT), service provider, or operator.
To appear in ICAUTO’95
II. PRELIMINARIES

A. System Architecture

To make our discussions concrete, we first describe the architecture for which these authentication protocols are designed. In GSM's architecture, the mobile station communicates through radio with base stations (BS) which are connected to mobile switching centers (MSC). The MSC is a bridge to the existing wireline networks. For each mobile service provider there are two databases: one is the home location register (HLR), which stores its own subscribers' information and the current location of each subscriber; the other is the visiting location register (VLR), which stores the information for visiting subscribers. The most important component in the architecture is the authentication center (AUC), which stores subscribers' secret keys and generates security parameters for the authentication protocol on the request of HLRs. Protocols of DECT and USDC can also be explained in this architecture. For the protocol proposed by researchers in Bellcore, the network-side authentication is performed by the radio control equipment (RCE) in the local central office. There is no need for the on-line AUC. Instead, an off-line certification center is employed to notarize/certify the public keys of every RCE and every subscriber.

B. Security Services

From existing protocols and common security concerns, we can infer a number of services which authentication protocols should provide:

1. Message confidentiality: a message transmitted after call-setup, including data and voice, is protected from outsiders. This is achieved by encrypting the message with a common secret session key established by the subscriber and the network during the authentication phase.

2. Subscriber ID/location confidentiality: As the subscriber's real identity may sometimes be valuable to attackers [26], the real caller's identity should not be exposed to outsiders. That is, irrelevant persons should not know the current location of a particular subscriber.
Furthermore, the association of a particular subscriber with sessions in which he is involved should be kept from outsiders. For this stronger service, we call it session intractability. Because protocols discussed in this paper do not make such a distinction, we will simply use subscriber ID confidentiality to denote these services. In fact, roamers' real identities can even be kept from a VSD.

3. Fraud control: Fraudulent use of the wireless service is one of the major concerns because there is no physical association between the subscriber and the network. It has caused billions of dollars in losses to system operators. Therefore, subscriber authentication is quite necessary to prevent impersonators from using services. As a more desirable feature, a subscriber should never be able to repudiate services that he has used, and the operator cannot charge a subscriber for services he does not request. Theoretically, these can be achieved with modern cryptographic techniques. But due to the computation overhead, the real non-repudiation services are rarely implemented. For most protocols, the fraudulent calls made from insiders are indistinguishable from calls actually made by the subscriber.
III. REVIEW OF PROTOCOLS

A. GSM

In GSM [14], each subscriber obtains one secret authentication key, Ki, and a unique identity, the International Mobile Subscriber Identity (IMSI), from the authentication center during the initial registration. In this protocol, three special algorithms are used: A8, A5, and A3. A8 is a publicly known one-way function used for generating session keys, A5 is a one-key encryption/decryption algorithm, and A3 is another one-way function used by the subscriber to compute the response to the VLR's challenge.
[Figure: message flow among Subscriber, VLR and HLR. Labels: IMSI; IMSI; RAND; IMSI, Kc, RAND, SRES; SRES=A3(Ki, RAND); A5(Kc, TMSI); ACK]
Fig. 1_a. GSM authentication - using IMSI

[Figure: message flow between Subscriber and Network. Labels: TMSI; RAND; SRES; (common message exchange)]
Fig. 1_b. GSM authentication - using TMSI

When the authentication protocol (i.e., for location-updating) starts, the subscriber sends his IMSI to the visiting VLR, which in turn sends the request to the corresponding HLR. The HLR will then fetch (or has already fetched) an array of 3-component tuples (RAND, SRES, Kc) from the AUC and send them back to the VLR, where RAND is a random number, SRES is the output of A3 upon inputting RAND and Ki, and Kc is the output of A8 upon inputting RAND and Ki. To verify the identity of the subscriber, the VLR sends RAND to challenge the subscriber. If the expected SRES is received, the VLR believes that it is communicating with the legitimate subscriber IMSI and then sends a temporary identity, the Temporary Mobile Subscriber Identity (TMSI), encrypted with Kc using A5, to the subscriber. Note that at this stage the subscriber is not yet sure that the VLR has the same Kc because the RAND received by the subscriber may not come from the legitimate VLR. Therefore, another round of message exchange is needed to make sure that both parties share the same secret session key Kc. Only after these steps are complete can both the subscriber and the VLR communicate in ciphertext mode by encrypting the message using A5 under the secret key Kc. This protocol is shown in Fig. 1_a.

For each subsequent call, the subscriber uses the TMSI for the setup request to hide his real identity, IMSI, and within each round of authentication a new TMSI is selected and transmitted to the subscriber, see Fig. 1_b. In fact, since each TMSI is transmitted to the subscriber in ciphertext and only the subscriber can decrypt it, the subscriber can prove himself to the network, if the TMSI is sufficiently difficult to guess, by presenting this TMSI. The protocol is simple and is expected to provide message confidentiality, caller-ID confidentiality, and fraud control.
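The Fig. 1_a exchange as an added Python sketch (not code from the paper): A3, A8 and A5 are replaced by keyed SHA-256 stand-ins because the page does not specify them, and the class names, the test IMSI and the batch of three triplets are assumptions. It shows the VLR verifying SRES without ever holding Ki, and that the subscriber's SRES and Kc depend only on (Ki, RAND).

```python
import hashlib
import hmac
import secrets

# Assumption: A3, A8 and A5 are not specified on the page, so keyed SHA-256
# constructions stand in for them. Output sizes follow GSM (SRES 32 bits, Kc 64 bits).
def a3(ki, rand):
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki, rand):
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5(kc, data):
    """Stand-in cipher: XOR with a Kc-derived keystream (encrypts and decrypts)."""
    stream = hashlib.sha256(b"A5" + kc).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


class AuthCenter:
    """AUC: the only network element that holds Ki."""
    def __init__(self):
        self._ki = {}

    def register(self, imsi):
        self._ki[imsi] = secrets.token_bytes(16)
        return self._ki[imsi]              # provisioned into the subscriber's device

    def triplets(self, imsi, count):
        ki = self._ki[imsi]
        rands = [secrets.token_bytes(16) for _ in range(count)]
        return [(r, a3(ki, r), a8(ki, r)) for r in rands]


class Subscriber:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki
        self.kc = None
        self.tmsi = None

    def respond(self, rand):
        # The device cannot tell where RAND came from or whether it was used before.
        self.kc = a8(self._ki, rand)
        return a3(self._ki, rand)

    def receive_tmsi(self, ciphertext):
        self.tmsi = a5(self.kc, ciphertext)


class VLR:
    """Visited network: holds (RAND, SRES, Kc) triplets, never Ki."""
    def __init__(self, auc):
        self.auc = auc
        self.cache = {}

    def authenticate(self, sub):
        if not self.cache.get(sub.imsi):
            self.cache[sub.imsi] = self.auc.triplets(sub.imsi, 3)  # fetched via the HLR
        rand, sres, kc = self.cache[sub.imsi].pop(0)               # one triplet per run
        if not hmac.compare_digest(sub.respond(rand), sres):
            return None
        tmsi = secrets.token_bytes(4)
        sub.receive_tmsi(a5(kc, tmsi))                             # A5(Kc, TMSI)
        return {"rand": rand, "kc": kc, "tmsi": tmsi}


def demo():
    auc = AuthCenter()
    imsi = "001010000000001"               # constructed test IMSI
    vlr = VLR(auc)
    alice = Subscriber(imsi, auc.register(imsi))

    session = vlr.authenticate(alice)
    keys_match = session["kc"] == alice.kc and session["tmsi"] == alice.tmsi

    clone = Subscriber(imsi, secrets.token_bytes(16))   # right IMSI, wrong Ki
    clone_rejected = vlr.authenticate(clone) is None

    # Presenting the same RAND again yields the same SRES and Kc, which is why
    # the text requires a further exchange before Kc is trusted.
    first = (alice.respond(session["rand"]), alice.kc)
    second = (alice.respond(session["rand"]), alice.kc)

    return {
        "keys_match": keys_match,
        "clone_rejected": clone_rejected,
        "repeat_rand_same_output": first == second,
        "triplets_left": len(vlr.cache[imsi]),
    }


if __name__ == "__main__":
    print(demo())
```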
However, when the synchronization of TMSI is lost [7, 28] due to frequent interference on the signal or other possible system failures, the subscriber would be forced to send the IMSI in plaintext to the VLR, which exposes the subscriber's real identity. Another security problem is that once a session key Kc is compromised (e.g. by the known-plaintext attack), by playing back the corresponding RAND and SRES, which were already transmitted in plaintext, the intruder would be able to impersonate the legitimate VLR and establish a false connection with the subscriber, which allows the intruder to collect private
information before it is detected. Storing several (RAND, SRES, Kc) tuples in the VLR is another security concern. Though this arrangement can speed up the authentication process (i.e., without the HLR involved), it increases the possibility of exposing this sensitive information. For example, some insiders may steal this information to make fraudulent calls or to reveal the subscriber's conversation.

B. DECT

DECT [12] is a European standard for cordless telephones. In DECT, each subscriber and his home network share an authentication key, K. Depending on applications, K may be derived from other keys associated with the subscriber. These keys can be short, i.e., the user personal identity UPI, so they can be entered by the subscriber manually whenever an authentication service is required. Or they can be long, i.e., the user authentication key UAK, so they have to be kept in a detachable DECT Authentication Module (DAM). This feature, deriving the authentication key from a subscriber's secret (and other information associated with his device), gives subscribers better protection which is not provided in GSM.

The authentication of a subscriber involves two algorithms, A11 and A12. A11 is used to produce a value KS from K and a random number RS chosen by the home system. A12 is used to produce XRES and the optional session key DCK from KS and another random number RAND_F. The DCK is used as the encryption/decryption key to provide data confidentiality. Data confidentiality can also be provided through a static cipher/decipher key, SCK, which is entered in both the Portable Radio Termination (PT) and the Fixed Radio Termination (FT) and can be used for an indefinite period. To authenticate a subscriber, the serving network sends RS and RAND_F to the subscriber. With possession of K, see Fig. 2_a, the subscriber should be able to respond with RES, which has the same value as XRES1, using A11 and A12.
[Figure: message flow between Portable Radio Termination and Fixed Radio Termination. Labels: ID; Obtain RS, RAND_F, XRES, and (DCK); RS, RAND_F; Compute KS and RES; RES; Compare XRES and RES]
Fig. 2_a. DECT Authentication of Subscriber

[Figure: parameters passed between HLR and VLR. Labels: K (Option 1); RS, RAND_F, XRES, (DCK) (Option 2); RS, KS (Option 3)]
Fig. 2_b. Authentication Parameters Transfer
While roaming, there are three options, see Fig. 2_b, for a visited network to authenticate a visiting subscriber. First, the authentication key K is transferred to the visited network so it can perform the authentication. This approach is the most straightforward and has the greatest risk of the exposure of K. Second, the set RS, RAND_F, XRES, and optionally DCK is transferred to the visited network. This approach is similar to that found in GSM. Third, the pair of (RS, KS) is transferred to the visited network. This pair can be repeatedly used for different instances of authentication without the authentication key K being transferred to the visited network (In this option, the VLR, instead of HLR, generates the challenge
RAND_F). In comparison with the second option, the third option has the advantage that traffic between HLR and VLR is reduced, and the disadvantage that each system must have the same A12.

For the authentication of a serving network, another set of (K', A21, and A22), which can be identical to the set of (K, A11, A12), is used to construct the same mechanism. Mutual authentication can be achieved directly through the combination of the two mechanisms. It can also be done indirectly by enforcing data confidentiality following the authentication of the PT, because only the legitimate FT can have the correct DCK to encrypt/decrypt data. The indirect mutual authentication can also be provided by using the data confidentiality service with the static cipher key mechanism.

Though DECT does not provide subscriber ID confidentiality, it provides the authentication of the serving network by the subscriber, so the compromise of used session keys does not lead to false connections with impersonating serving networks. In comparison with GSM, DECT does have more flexibility. The flexibility allows it to incorporate various applications and to choose the desired security service for these applications. It also allows it to be compatible with the existing GSM standard.

C. USDC

In the USA, USDC [11] is the endorsed standard. In USDC, the subscriber gets a secret, A-key, from his home network. From A-key, a shared secret data (SSD) is established through the SSD Update Protocol, see Fig. 3_a, between the home network and the subscriber, in which both entities mutually authenticate each other. When the subscriber moves into a foreign domain, the serving network obtains a copy of the SSD from the subscriber's home network. Authentication is carried out on mobile station registration, origination, and termination. The serving network can also initiate the Unique Challenge Response Procedure, see Fig. 3_b, to verify the identity of the subscriber.
If both fail, the SSD Update Protocol is invoked to re-establish the SSD. With possession of the SSD and the serial number associated with the phone, the subscriber can prove himself by correctly answering the challenge from the serving network. The response to the challenge is the result of the CAVE function, whose details are not publicly known, with input of the SSD and other information. The encryption key is also decided from the output of CAVE.

[Figure: message flow between Mobile Station and Network. Labels: R1; Compute XSSD and AUT; Compute SSD=CAVE(A-key, R1); R2; XAUT=CAVE(SSD, R2); XAUT; Compare AUT vs XAUT; ACK]
Fig. 3_a. USDC SSD Update Protocol

[Figure: message flow between Mobile Station and Network. Labels: RANDU; Compute: AUT=CAVE(SSD, RANDU); XAUT; Compare AUT vs XAUT; ACK]
Fig. 3_b. USDC Unique Challenge Response Procedure
By giving the SSD to the visited network, instead of several tuples of data as in GSM, the traffic between the home network and the visited system is reduced. One nice thing about USDC is the unique CAVE algorithm, which performs all security-related functions. However, the association of a subscriber's secret with a specific phone is less flexible [4] in comparison with GSM or DECT. USDC does not support subscriber-ID confidentiality, nor does it provide mutual authentication for the parties over the wireless link. When an SSD is compromised, the subscriber and/or the network can be impersonated and such damages may not be temporary. For example, if an SSD is compromised and the network is impersonated, the intruding cloner would not re-establish an SSD. As the SSD Update Protocol can only be invoked by the network, the subscriber won't have the chance to re-establish a new SSD. Another problem is the message sent to the network which confirms the completion of the SSD Update Protocol. The acknowledgement should be enciphered with the newly established SSD. Otherwise, without being verified by the network, an intruder can always convince the network that the SSD update is successful by sending back a positive acknowledgement. This leads to the denial of service to the legitimate subscriber later (because the SSD kept in the network is no longer the same as the one kept by the subscriber).

D. MSR+DH Protocol

In 1991, some researchers in Bellcore proposed several authentication protocols [2] for the PCS environment. The most notable one is the so-called MSR+DH protocol. This protocol incorporates both the one-key and the public-key technique for the authentication.
First, according to Diffie and Hellman's key distribution scheme [9], each participant (i.e., the subscriber and the service provider) chooses a secret key and publishes its corresponding public key so that each pair of the subscriber and the RCE is bound to a common secret key η, which can only be computed by the specific subscriber and the RCE. Then the public key is presented to the globally trusted off-line certification center, which generates a certificate for each of them using the modified RSA scheme [24, 25, 29]. For each round of authentication, the RCE first broadcasts its identity IDj, public key Pj, and certificate CERTj. After verifying the validity of CERTj, the portable chooses a random number x, and sends to the RCE the encrypted value of x, x^2 mod Nj, where Nj is the product of two large primes which are known only by the RCE. The portable also uses ƒ, an encryption algorithm, with x as the key to encrypt its identity IDi, certificate CERTi, and public key Pi, and then sends the encrypted value to the RCE. The session key, Kc, is then determined as Kc=ƒ(η,x). To assure that both entities obtain the same Kc, another round of message exchange is required in the protocol. This protocol is shown in Fig. 4.

[Figure: message flow between Portable and RCE. Labels: IDj, CERTj, Pj; x^2 mod Nj, ƒ(x; IDi, CERTi, Pi); Exchange known message using Kc]
Fig. 4. MSR+DH

This protocol requires the portable unit to do much more computation than those in GSM, DECT, and USDC. Fortunately, the computation overhead is alleviated with the incorporation of a Digital Signal Processor. In this protocol, each participant chooses his own private key. The corresponding public key is certified by an off-line "universally" trusted certification center. So, the network is relieved of the management and storage of subscribers' secret keys. Note that MSR+DH is only for the case of subscriber origination. The protocol for subscriber termination is still absent. To provide subscriber ID confidentiality for the responding subscriber, an online server would be required to provide RCEs with public keys of portable units. Decryption on the portables is also too time-consuming because of the large amount of computation involved. These
concerns, according to the observation of Calson [Calson], leave a less optimistic view than what is thought by the original authors for the use of public key techniques as a general solution to the security of the PCS when confidentiality of destination identity is required. Though this problem can be solved by assigning a temporary ID to the registered roamer, some concerns on MSR+DH are still worthy of being mentioned. First, the security of the protocol is based on two different cryptographic assumptions (i.e., the difficulty of factoring two large numbers and the difficulty of solving the discrete logarithm in the Galois field of a large prime). The strength of the protocol is that of the weaker of the two. Second, if one Kc is compromised, the intruder would be able to impersonate the subscriber to make fraudulent calls by playing back the associated ciphertext of x. Another concern is that if one RCE is compromised (i.e., the factoring is known), then all subscribers who have visited the RCE can be impersonated, and, worse yet, the attacker can impersonate the RCE to establish a false connection with the subscriber. In fact, even when one η is known (i.e., by some insiders) without compromising secret keys, the insider would be able to make fraudulent calls in the area under the name of the corresponding subscriber. Since there are many RCEs in the entire system and each RCE may be under a different administration with a different level of protection, these threats cannot be ignored. Another subtle but serious problem is the revoking of an RCE's certificate. When one RCE is found to be compromised and the corresponding certificate is revoked, subscribers of all service domains must be notified somehow so that they cannot be fooled into establishing a false connection with someone presenting an invalid certificate.
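One round of the MSR+DH exchange described above, as an added Python example that is not code from the paper or from Bellcore. Assumptions: toy Mersenne primes stand in for the RCE's large secret primes and for the Diffie-Hellman modulus, ƒ is a SHA-256 keystream cipher, certificate checking is not modelled (a placeholder string is carried), and the RCE picks the right square root out of four by looking for a fixed marker in the decrypted record, a step the page does not specify.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): small Mersenne primes so the example
# runs instantly. A real Nj would be the product of large random primes.
P_J, Q_J = 2**89 - 1, 2**107 - 1      # RCE's secret primes, both congruent to 3 mod 4
N_J = P_J * Q_J                       # RCE's public modulus Nj
DH_P, DH_G = 2**127 - 1, 3            # toy Diffie-Hellman group
MARKER = b"MSRDH1|"                   # hypothetical redundancy used to pick the root


def f(key, data):
    """Stand-in for the cipher f: XOR with a SHA-256 counter keystream."""
    kb = key.to_bytes(32, "big")
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(kb + bytes([i])).digest() for i in blocks)
    return bytes(d ^ s for d, s in zip(data, stream))


def rabin_roots(c):
    """All square roots of c modulo Nj; needs the secret factors P_J and Q_J."""
    rp = pow(c, (P_J + 1) // 4, P_J)          # root mod p (valid since p = 3 mod 4)
    rq = pow(c, (Q_J + 1) // 4, Q_J)
    inv_q, inv_p = pow(Q_J, -1, P_J), pow(P_J, -1, Q_J)
    return {(sp * Q_J * inv_q + sq * P_J * inv_p) % N_J   # CRT recombination
            for sp in (rp, P_J - rp) for sq in (rq, Q_J - rq)}


def portable_message(id_i, cert_i, pub_i):
    """Portable side: one modular squaring plus one symmetric encryption."""
    x = secrets.randbelow(N_J - 2) + 2
    record = MARKER + b"|".join([id_i, cert_i, str(pub_i).encode()])
    return x, (pow(x, 2, N_J), f(x, record))


def rce_receive(msg):
    """RCE side: try each of the four roots as the key for f."""
    c, blob = msg
    for root in rabin_roots(c):
        plain = f(root, blob)
        if plain.startswith(MARKER):
            id_i, _cert_i, pub_i = plain[len(MARKER):].split(b"|")
            return root, id_i, int(pub_i)
    return None                                # no root yields a well-formed record


def session_key(eta, x):
    return f(eta, x.to_bytes(25, "big"))[:16]  # Kc = f(eta, x)


def demo():
    s_i = secrets.randbelow(DH_P - 3) + 2      # portable's DH secret
    s_j = secrets.randbelow(DH_P - 3) + 2      # RCE's DH secret
    p_i, p_j = pow(DH_G, s_i, DH_P), pow(DH_G, s_j, DH_P)

    x, msg = portable_message(b"portable-17", b"CERT-PLACEHOLDER", p_i)
    kc_portable = session_key(pow(p_j, s_i, DH_P), x)

    x_rce, id_i, p_i_rx = rce_receive(msg)
    kc_rce = session_key(pow(p_i_rx, s_j, DH_P), x_rce)

    tampered = (msg[0], bytes([msg[1][0] ^ 1]) + msg[1][1:])
    return {
        "root_count": len(rabin_roots(msg[0])),
        "x_recovered": x_rce == x,
        "portable_id": id_i,
        "kc_match": kc_portable == kc_rce,
        "tampered_rejected": rce_receive(tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry in cost is visible in the code: the portable performs a single squaring modulo Nj, while the RCE performs two exponentiations and a CRT recombination that require the factors of Nj.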
IV. SECURITY OF THE AUTHENTICATION CENTER AND CERTIFICATION CENTER

Except for MSR+DH, all of the other three protocols discussed above use purely the traditional one-key cryptosystem in which the subscriber and the serving network must share a secret authentication key. The on-line authentication center is necessary to keep or to generate these keys when the authentication of subscribers is requested. Therefore, the authentication center becomes the most critical component of the whole system. To avoid traffic overload of incoming requests on a single authentication center, proper replication and/or delegation of the authentication service should also be arranged among multiple regional authentication centers. Some ideas on security management of the authentication centers are addressed in [17]. Generally speaking, if authentication keys are generated through a one-way algorithm with subscriber-related information and a master key as the input, the security of the authentication center is simply the issue of protecting the master key from exposure and the strength of the (one-way) algorithm. Authentication keys can also be randomly generated and then stored in ciphertext in the authentication center. Again, a secret key is needed to do the enciphering and deciphering. Though the latter approach guarantees the randomness of the authentication keys, extra storage is needed to store these encrypted authentication keys. For a more detailed analysis of these two approaches, we refer the reader to [28].

Similar concerns can also be found with the certification center. One way to enhance the security is by breaking down the whole system into several security domains, each having its own certification center. Cross-domain certification can be achieved through inter-domain agreement or through a hierarchical certification path by organizing these certification centers into a hierarchical structure [5].
This approach confines the damage of a compromised certification within a single security domain. Another way is by breaking the certification capability among multiple certification centers [18]. Unless all certification centers are compromised, no key can be forged. In comparison with the on-line authentication center which must have its secret on hand to compute subscribers’ authentication keys, the certification center is less vulnerable to possible attacks because there are only limited public keys to be certified. If no more keys are to be certified, the certification center can even be closed permanently or physically destroyed so its secret can never be exposed. This completely eliminates security threats on the certification center. Perhaps the revoking of certificates is a more serious problem than the security of the certification center itself. When an RCE’s certificate is revoked due to the change of a public key or the compromise of
a private key, it would be quite impossible for the subscriber to keep a list of the revoked RCEs because of the limited storage in the mobile unit and the ever-growing property of the list. If the list of revoked certificates is provided by someone (e.g., the serving network as suggested in [1]), is the one providing this information deemed trustworthy? (Is this one already revoked? Is it involved with another certification path and hence we are faced with the same problem again?) If it is the HSD, instead of the subscriber, who verifies the VSD, as shown in [18], then the revoking of a compromised VSD would be transparent to the subscribers.
V. OTHER WORKS AND FUTURE DIRECTIONS

There is no doubt that one-key algorithms will be used to encipher/decipher messages if a session key is established between the subscriber and the network. The problem is whether it is appropriate to use the public-key technique in the authentication protocols which verify the identities of participating parties and establish the session key. Several standards have dropped public-key algorithms because of the time consumption in their operations and the requirement of large key size and communication bandwidth. Even in the wired networks where participating entities do not have the limitation of computing resources, traditional one-key systems which employ a trusted authentication server, e.g., Kerberos [27] and KryptoKnight [22], are preferred.

One protocol recently developed by Molva, Samfat, and Tsudik [21] is also constructed exclusively by secret-key techniques. Though this protocol is intended to facilitate user mobility on the wireline networks, experiments on wireless access are also envisioned. Different from other secret-key based protocols discussed in this paper, in which protection on messages transmitted on the wireline network is left unspecified, this protocol explicitly specifies the encryption of sensitive traffic between a visited network and the corresponding home network under a common secret key. Though such specification enforces the protection of inter-domain traffic, it unnecessarily limits the choice of protection mechanisms available. It may also be redundant if the wireline network already provides sufficient protection. The requirement of frequently changing one's password, which is reasonable for users with wireline access under the availability of a secure channel, would not be a good approach for the vulnerable wireless communication. At least, an extra protocol is needed and it itself is involved with the inevitable authentication and privacy problems.
Use of the time stamp in the protocol can also raise concerns as pointed out in [3, 8, 15].

Though public-key techniques provide better key management and strong subscriber ID confidentiality (in fact, most systems do not support subscriber ID confidentiality at all), these merits do not seem to outweigh their shortcomings. One exception is CDPD [6]. CDPD uses Diffie-Hellman's public-key protocol to derive a common key Ks between the subscriber and the serving network. Then, the mobile subscriber sends his credential, encrypted under Ks, to the network to prove his identity. Detailed discussion and attacks on CDPD are addressed in [21]. Another protocol using public-key techniques was proposed recently by Aziz and Diffie [1]. Though it provides better security, this protocol takes much more computation than others.

In fact, public-key encryption does not necessarily take much computation time. For example, by choosing a small public key in the RSA scheme, it takes only a small portion of average operation time, as demonstrated in [2, 20, 23]. By incorporating public-key techniques with the temporary ID concept, confidentiality of the terminating subscriber identity can be easily achieved without much computation, as demonstrated in Lin & Harn's protocol. If RSA public-key techniques are used to implement security services among (wired) networks as those suggested in CCITT X.509 [5], the encryption of data from a subscriber to the network can always be done with minimal computation. Such one-direction encryption would add extra security features to the wireless communication without introducing similar concerns as found in MSR+DH. (Note that the subscriber does not need to have his own public or private key.)

Now consider the fact that most subscribers roam among multiple base stations, but not into foreign service domains. That is, inter-domain roaming is not frequent.
A common secret established between the subscriber and the network could be used to authenticate each other repeatedly for several sessions, or to generate authentication parameters for several sessions. Computational overhead to establish this common secret would affect only the first session, which usually is the registration process and involves no real-time voice communication. If this is justified, it would be worthwhile using public-key techniques to
establish the common secret, and then more desired services, which include non-repudiation and end-to-end encryption, etc., can be envisaged.

For systems in which the subscriber and his home network share a secret authentication key, the ultimate secret is never transferred to a foreign network (except some options) for possible exposure in a foreign network and during transmission. However, for the systems mentioned so far, the authentication of a roamer completely relies on the visited network's faithful execution of the protocol and its ability to protect sensitive information obtained from the roamer's home network. Leakage of the temporary secrets could lead to fraud and loss of confidentiality not only temporarily but also possibly in a long-term period. A bill charged to a visitor due to operational errors or a security breach of the visited network cannot be distinguished from one purposely denied by the visitor. All of these consequences arise because the sensitive information corresponding to the visitor can be used not only to authenticate the visitor but also to establish sessions pre-approved by the home network. Questioning the faithfulness of a network would not be necessary because it is the visited network which provides the privacy of the communication. However, relying on the visited network's capability of protecting sensitive information contradicts the original philosophy.
VI. CONCLUSION

Security is one of the most important requirements for the wide acceptance of personal communication systems, and authentication is the most essential procedure to ensure that the service is properly used. In this paper, we examine some well-known protocols for the universal mobile telecommunication service from various aspects, including techniques used, system architecture, placement of trust, efficiency, influence of security disasters, feasibility of recovery, and applicability of implementation. With advancement of hardware and software techniques, applications intended for data, voice, image, or their combinations can all be incorporated into this wireless environment in the future. As new services emerge, requirements for the security would be different depending on the applications. Compatibility with existing services and interoperability among different service providers should also be considered. All of these complicate the design of a proper authentication protocol, which is still waiting for us to solve.

REFERENCES

[1] A. Aziz and W. Diffie, "Privacy and Authentication for Wireless Local Area Network", IEEE Personal Communications, First Quarter, 1994, pp. 25-31.
[2] M. J. Beller, L. Cheng, Y. Yacobi, "Privacy and Authentication on a Portable Communication System", IEEE J. on Selected Areas in Communications, Vol. 11, No. 6, pp. 821-829, Aug. 1993.
[3] S.M. Bellovin and M. Merritt, "Limitations of the Kerberos Authentication System", ACM Computer Communication Review, Vol. 20, No. 5, pp. 119-132, 1990.
[4] Dan Brown, "Security Planning for Personal Communications", Proc. of 1st ACM Conference on Computer and Communications Security, pp. 107-111, Nov. 1993.
[5] CCITT Recommendation X.509, "The Directory-Authentication Framework", 1988.
[6] Cellular Digital Packet Data (CDPD) System Specification, Release 1.0, July 19, 1993.
[7] J.C. Cook and R.L. Brewster, "Cryptographic Security Techniques for Digital Mobile Phones", IEEE International Conference on Selected Topics in Wireless Communications, pp. 425-428, 1992.
[8] D.E. Denning and G.M. Sacco, "Timestamps in Key Distribution Protocols", Comm. of ACM, Vol. 24, No. 8, pp. 533-536, Aug. 1981.
[9] W. Diffie and M.E. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, pp. 644-654, Nov. 1976.
[10] ECMA TR/46, Security in open system: a security frame work, July 1988.
[11] EIA/TIA-IS-54-B.
[12] ETSI, ETS 300 175-7, October 1992.
[13] ETSI/TC Recommendation GSM 02.09, GSM Security Aspects.
[14] ETSI/TC Recommendation GSM 03.20, Security Related Network Function, version 3.3.2, Jan. 1991.
[15] L. Gong, "A Security Risk of Depending on Synchronized Clocks", Operating Systems Review, Jan. 1992.
[16] J. Grond and W. Wolfowicz, "Security Issues for Universal Mobile Telecommunication System", 11th International Conference on Computer Communication, pp. 613-616, 1992.
[17] R. Hagen, "Security Requirements and Their Realization in Mobile Networks", Telektronikk, Vol. 88, No. 3, 1992.
[18] L. Harn and H.Y. Lin, "A Software Authentication System for Information Integrity", Computers & Security, Vol. 11, No. 8, pp. 747-752, Dec. 1992.
[19] ISO/IEC, Open System Interconnection-Basic Reference Model. Part 2: Security Architecture, 1988.
[20] H.Y. Lin and L. Harn, "Authentications in Wireless Communications", Proc. of GLOBECOM '93, pp. 550-554, Nov. 29-Dec. 2, 1993.
[21] R. Molva, D. Samfat, and G. Tsudik, "Authentication of Mobile Users", IEEE Network, pp. 26-34, March/April 1994.
[22] R. Molva, G. Tsudik, E.V. Herreweghen, and S. Zatti, "KryptoKnight Authentication and Key Distribution System", Proceedings of ESORICS'92.
[23] C. Park, K. Kurosawa, T. Okamoto, and S. Tsujii, "On key distribution and Authentication in Mobile Radio Network", Eurocrypt'93.
[24] R. L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-key Cryptosystems", Comm. of ACM, Vol. 21, No. 12, 1978, pp. 120-126.
[25] M. O. Rabin, "Digitalized Signatures and Public Key Functions as Intractable as Factorization", MIT Laboratory for Computer Science, TR212, Jan. 1979.
[26] M. Spreitzer and M. Theimer, "Scalable, Secure, Mobile Computing with Location Information", Communications of the ACM, Vol. 36, Iss. 7, p. 27, July 1993.
[27] J.G. Steiner, C. Neuman, and J. I. Schiller, "Kerberos: An authentication service for open network systems", in USENIX Conference Proceedings, pp. 191-202, Feb. 1988.
[28] K. Vedder, "Security Aspects of Mobile Communication", Computer Security and Industrial Cryptography-State of the Art and Evolution, East Course, Springer-Verlag, May 1991, pp. 193-210.
[29] H. C. Williams, "A Modification of RSA Public-Key Encryption", IEEE Trans. Information Theory, Vol. IT-26, No. 6, Nov. 1980.