匿名无线漫游密钥交换安全协议及模型的研究
|
摘要
城市级别的无线网格网络(Wireless Mesh Networks,WMNs)是一种新型无线宽带接入网络,通常由数目众多的自管理(self-managed)网络管区所组成。每个网络管区由各自独立的无线服务提供商(Wireless Service Providers, WSPs)来管理运营。它融合了无线局域网(Wireless LAN,WLAN)和Ad Hoc网络的优势,是一种大容量、高效率、覆盖范围广的网络,成为宽带接入的一种有效手段。无线网格网络支持无线漫游服务(roaming service),允许无线用户不受地理位置的限制通过移动设备穿梭于不同的无线网络,享受不同服务商提供的服务。目前为止,对于无线漫游的大部分研究主要集中在网格网络中的物理层,数据链路层及网络层,而无线漫游中的安全问题还没有得到认真的关注。为了解决无线漫游中的安全问题,例如数据机密性,数据完整性,通信双方验证,安全授权和用户匿名性等等,我们应该利用密钥交换协议在漫游用户和外地服务器之间建立一条安全的信道,并进行可认证密钥交换。
因此,作为解决安全无线漫游接入问题的关键点,一个匿名无线漫游密钥交换协议(Key Establishment for Anonymous Wireless Roaming, KE-AWR)需要为漫游用户提供以下三种基本的安全服务:第一,协议保证在漫游用户和外地服务运营商之间共享一个安全的会话密钥且该密钥仅被通信双方所持有。在随后用户与服务运营商之间的数据通信中,该会话密钥将作为对称加/解密密钥为数据加密和解密,用来保护数据的机密性和完整性。第二,在用户单次注册并登录(single-sign-on)的条件下协议应保证完成用户和外地运营商之间的相互认证。用户只需向一个本地服务运营商注册就可在网格网络中自由漫游。第三,用户隐私保护日益受到重视,更由于无线网络中广播通信的特性,窃听攻击在无线网格网络中更容易实施并且很难被检测到,因此,不仅是通信的数据,协议也应保护用户的隐私,包括用户的真实身份标识和上网行踪等。除了以上三点安全特性之外,一个KE-AWR协议必须考虑到用户移动设备的种种限制,诸如有限的电量和较低的计算能力。协议必须尽可能减少在用户端的计算量和通信量以减少移动设备的能量消耗和网络的通信延迟。
本文针对无线漫游环境中的通信安全,隐私保护及用户效率等问题,在已有工作的基础上提出了更加完善的匿名无线漫游密钥交换协议。本文的具体贡献主要有以下三点:
1.一轮通信的匿名无线漫游密钥交换协议。本文提出了一个新的仅需要一轮通信的匿名无线漫游密钥交换协议(One-Pass Key Establishment for Anonymous Wireless Roaming,协议Ⅰ)。协议保证漫游用户和外地服务运营商之间共享一个安全的会话密钥,同时保证用户的匿名性和不可追踪性。不仅如此,经协议建立的密钥还满足用户前向安全性(Partial/User Forward Secrecy)和用户密钥泄露伪装攻击安全(Partial/User Key Compromise Impersonation)。考虑到用户移动设备的资源限制,该协议在保证安全建立会话密钥的前提下,最大限度的减少用户方的计算开销,可以让用户不用进行任何在线计算(Online-Free Computation)。并且该协议总共只需要从用户到服务器的一次消息传递(One-Pass),是目前已知同类协议中通信代价最低的,也是第一个仅仅使用一轮消息传递的KE-AWR协议。
2.满足完美前向安全性的一轮通信匿名无线漫游密钥交换协议。
本文设计了一种匿名无线漫游安全解决方案(协议Ⅱ),该方案在保持一轮通信在计算时间开销和通信能量消耗上快速高效的特点外,同时满足一些一轮通信协议通常所不能满足的安全特性,如:密钥无代管(No Key Escrow),完美前向安全性(Perfect Forward Secrecy)和完美密钥泄露伪装攻击安全(Perfect Key Compromise Impersonation)。同时,进一步的完善协议可使其满足密钥确认性。而且,该协议具有同一性,即用户不仅可用该协议与外地服务运营商建立密钥,用户在与本地服务运营商通信是也同样可以采用此协议。与协议Ⅰ相同,该协议仅需要1次消息传输,并且是同类无线漫游协议中安全性最高的。在计算开销上,该协议与协议Ⅰ的总计算开销持平,但其中一个双线性配对计算需要由用户在协议运行期间实时运算。
3.匿名无线漫游密钥交换安全模型的研究。
为了分析无线漫游密钥交换协议的安全性,一个密码学上的安全数学模型是必需的。本文在CK模型和eCK模型已有工作的基础上,提出一个新的适合分析无线漫游密钥交换协议的安全性的数学模型,并称之为rCK模型。与经典模型不同,该安全模型内引入了广播信道的模型抽象模拟和复数密钥生成中心(Multiple Key Generation Center)的情景模拟,并给出了无线漫游环境下,攻击者被赋予的新的攻击手段和能力的定义和模拟,因此很适合模拟无线漫游环境下的(?)(?)E-AWR协议的安全特性。最后,本文给出了协议Ⅰ和协议Ⅱ在rCK模型模拟下的数学证明。
The metropolitan-area Wireless Mesh Networks (WMNs) which accommodate thousands of self-managed network domains operated by numerous different Wireless Service Providers (WSPs), are expected to achieve interoperable, cost-effective and especially large-scale (such as city-wide) wireless access. It supports wireless roaming services which allow people to roam around with their mobile devices without being limited by the geographical area of their own home networks and access into different network domains to enjoy the services provided by different foreign WSPs rather than his home WSP. While the much effort has been made to address issues at physical, data link, and network layers, little attention has been paid to the security aspect central to the realistic deployment of WMNs and roaming service. For solving the security problems related to WMNs, i.e., confidentiality, authenticity, integrity, authorization and non-repudiation, we should have some way to establish a secure channel between the communicating parties.
Consequently, as a critical issue to make ubiquitous and secure network access, a Key Establishment Protocol for Anonymous Wireless Roaming (KE-AWR Protocol) is expected to provide three basic kinds of services for the two communication parties. First, it ensures to build a secure channel between a mobile user and a foreign WSP. Namely, the two participants can establish a fresh session key which is a pure symmetric key shared by each other only. This key can be used for protecting data confidentiality and integrity of further communication. Second, it should ensure that a mobile user with a single sign-on (SSO) can carry on the KE-AWR protocol with a foreign WSP and also roams from one foreign network domain to another. Each of the two participants is convinced that it shares a secure session key with the intended party in an authentically way. Third, as an increasingly demanding requirement especially in wireless communication, privacy protection for a roaming user should be provided. Since eavesdropping is much easier to launch but more difficult to be detected when given the open nature of radio media, a KE-AWR protocol is required to keep mobile users' identities and whereabouts anonymous. Besides these security attributes, efficiency is also an important requirement for a KE-AWR protocol because of the limited computing capability and restrained energy of the mobile devices held by roaming users. That is, a well designed scheme would not only satisfy the above security properties, but also be as lightweight as possible at mobile user's side with both light computation load and small number of message flows in order to reduce latency and save energy.
In this thesis, we present several novel solutions for the security, privacy and efficiency issues related to secure wireless roaming scenario. Particularly, we identify three aspects as our research outcomes:
1. For our first outcome, we propose a novel One-Pass Key Establishment Protocol for Wireless Roaming (Protocol I) that achieves extremely on-line efficient at user side. To best of our knowledge, it seems to be the first One-Pass ID-based KE-AWR protocol ever presented in literatures. The protocol ensures that a fresh session key secreted from all other entities except user and foreign WSP is established in each run of protocol, by just sending one message (so called One-Pass) and eliminate any intervention of a third party. This protocol achieves secure key establishment as well as user anonymity. In addition, our protocol also achieves partial forward secrecy and partial key compromise impersonation security. Considering the imbalanced network architecture in WMNs, we focus on minimizing the number of both computational operations and communication flows at mobile user's side. Actually, most computation of user can be pre-computed before the execution of protocol, and it leaves almost no cryptographic operations to be performed on-line for user. When compared with previous roaming protocols, our protocol requires the smallest bandwidth, the least number of message flows and achieves extremely on-line efficient for user.
2. As our second result, we focus on improving the security performance for one-pass KE-AWR schemes. A one-pass protocol usually does not support the desirable properties that multi-round key establishment protocols may do, such as Perfect Forward Secrecy (PFS) and Perfect Key Compromise Impersonation (Perfect KCI). Consequently, we propose a novel solution for wireless roaming (Protocol II) which supports all the following three security properties which a one-pass protocol cannot satisfy, i.e.,(1) No Key Escrow (2) Perfect Forward Secrecy and;(3) Perfect Key Compromise Impersonation. By making use of the broadcast channel in wireless communication environment, via which a server may broadcast the public parameters shared by all roaming users who are in its signal radiation coverage, our propose protocol succeeds in providing these three attributes while still keeping the number of message flows to only one. So far as we know, it is the first one-pass KE-AWR protocol achieving PFS as well as perfect KCI security. As an improvement, we further extend the one-pass protocol to support key confirmation. Furthermore, the protocol is universal in the sense that it can be used by a user directly as key establishment protocol regardless of communicating with a foreign server or the home server. The total computational complexity of Protocol Ⅱ is comparable to that of Protocol I. However, as trade-off between efficiency and security, it needs an additional on-line Bilinear Pairing operation for mobile user during the runtime of the protocol.
3. Finally, we point out that a formal treatment for wireless roaming in WMN systems is necessary and demonstrate the unreasonable aspects of classic CK and eCK model when adapting to analysis the security properties of a KE protocol for wireless roaming scenario. To address this gap, we firstly propose a variation of classic CK and eCK model which introduces the simulation of broadcast query and multiple Key Generation Centre scenario and also gives the re-defined session definitions and additional adversary capability related to roaming scenario. We call the variation as rCK model. To fulfill our construction of this model, for both previously proposed one-pass KE-AWR protocols, Protocol I and Protocol II, we present the formal security proofs of them under our rCK security model.
因此,作为解决安全无线漫游接入问题的关键点,一个匿名无线漫游密钥交换协议(Key Establishment for Anonymous Wireless Roaming, KE-AWR)需要为漫游用户提供以下三种基本的安全服务:第一,协议保证在漫游用户和外地服务运营商之间共享一个安全的会话密钥且该密钥仅被通信双方所持有。在随后用户与服务运营商之间的数据通信中,该会话密钥将作为对称加/解密密钥为数据加密和解密,用来保护数据的机密性和完整性。第二,在用户单次注册并登录(single-sign-on)的条件下协议应保证完成用户和外地运营商之间的相互认证。用户只需向一个本地服务运营商注册就可在网格网络中自由漫游。第三,用户隐私保护日益受到重视,更由于无线网络中广播通信的特性,窃听攻击在无线网格网络中更容易实施并且很难被检测到,因此,不仅是通信的数据,协议也应保护用户的隐私,包括用户的真实身份标识和上网行踪等。除了以上三点安全特性之外,一个KE-AWR协议必须考虑到用户移动设备的种种限制,诸如有限的电量和较低的计算能力。协议必须尽可能减少在用户端的计算量和通信量以减少移动设备的能量消耗和网络的通信延迟。
本文针对无线漫游环境中的通信安全,隐私保护及用户效率等问题,在已有工作的基础上提出了更加完善的匿名无线漫游密钥交换协议。本文的具体贡献主要有以下三点:
1.一轮通信的匿名无线漫游密钥交换协议。本文提出了一个新的仅需要一轮通信的匿名无线漫游密钥交换协议(One-Pass Key Establishment for Anonymous Wireless Roaming,协议Ⅰ)。协议保证漫游用户和外地服务运营商之间共享一个安全的会话密钥,同时保证用户的匿名性和不可追踪性。不仅如此,经协议建立的密钥还满足用户前向安全性(Partial/User Forward Secrecy)和用户密钥泄露伪装攻击安全(Partial/User Key Compromise Impersonation)。考虑到用户移动设备的资源限制,该协议在保证安全建立会话密钥的前提下,最大限度的减少用户方的计算开销,可以让用户不用进行任何在线计算(Online-Free Computation)。并且该协议总共只需要从用户到服务器的一次消息传递(One-Pass),是目前已知同类协议中通信代价最低的,也是第一个仅仅使用一轮消息传递的KE-AWR协议。
2.满足完美前向安全性的一轮通信匿名无线漫游密钥交换协议。
本文设计了一种匿名无线漫游安全解决方案(协议Ⅱ),该方案在保持一轮通信在计算时间开销和通信能量消耗上快速高效的特点外,同时满足一些一轮通信协议通常所不能满足的安全特性,如:密钥无代管(No Key Escrow),完美前向安全性(Perfect Forward Secrecy)和完美密钥泄露伪装攻击安全(Perfect Key Compromise Impersonation)。同时,进一步的完善协议可使其满足密钥确认性。而且,该协议具有同一性,即用户不仅可用该协议与外地服务运营商建立密钥,用户在与本地服务运营商通信是也同样可以采用此协议。与协议Ⅰ相同,该协议仅需要1次消息传输,并且是同类无线漫游协议中安全性最高的。在计算开销上,该协议与协议Ⅰ的总计算开销持平,但其中一个双线性配对计算需要由用户在协议运行期间实时运算。
3.匿名无线漫游密钥交换安全模型的研究。
为了分析无线漫游密钥交换协议的安全性,一个密码学上的安全数学模型是必需的。本文在CK模型和eCK模型已有工作的基础上,提出一个新的适合分析无线漫游密钥交换协议的安全性的数学模型,并称之为rCK模型。与经典模型不同,该安全模型内引入了广播信道的模型抽象模拟和复数密钥生成中心(Multiple Key Generation Center)的情景模拟,并给出了无线漫游环境下,攻击者被赋予的新的攻击手段和能力的定义和模拟,因此很适合模拟无线漫游环境下的(?)(?)E-AWR协议的安全特性。最后,本文给出了协议Ⅰ和协议Ⅱ在rCK模型模拟下的数学证明。
The metropolitan-area Wireless Mesh Networks (WMNs) which accommodate thousands of self-managed network domains operated by numerous different Wireless Service Providers (WSPs), are expected to achieve interoperable, cost-effective and especially large-scale (such as city-wide) wireless access. It supports wireless roaming services which allow people to roam around with their mobile devices without being limited by the geographical area of their own home networks and access into different network domains to enjoy the services provided by different foreign WSPs rather than his home WSP. While the much effort has been made to address issues at physical, data link, and network layers, little attention has been paid to the security aspect central to the realistic deployment of WMNs and roaming service. For solving the security problems related to WMNs, i.e., confidentiality, authenticity, integrity, authorization and non-repudiation, we should have some way to establish a secure channel between the communicating parties.
Consequently, as a critical issue to make ubiquitous and secure network access, a Key Establishment Protocol for Anonymous Wireless Roaming (KE-AWR Protocol) is expected to provide three basic kinds of services for the two communication parties. First, it ensures to build a secure channel between a mobile user and a foreign WSP. Namely, the two participants can establish a fresh session key which is a pure symmetric key shared by each other only. This key can be used for protecting data confidentiality and integrity of further communication. Second, it should ensure that a mobile user with a single sign-on (SSO) can carry on the KE-AWR protocol with a foreign WSP and also roams from one foreign network domain to another. Each of the two participants is convinced that it shares a secure session key with the intended party in an authentically way. Third, as an increasingly demanding requirement especially in wireless communication, privacy protection for a roaming user should be provided. Since eavesdropping is much easier to launch but more difficult to be detected when given the open nature of radio media, a KE-AWR protocol is required to keep mobile users' identities and whereabouts anonymous. Besides these security attributes, efficiency is also an important requirement for a KE-AWR protocol because of the limited computing capability and restrained energy of the mobile devices held by roaming users. That is, a well designed scheme would not only satisfy the above security properties, but also be as lightweight as possible at mobile user's side with both light computation load and small number of message flows in order to reduce latency and save energy.
In this thesis, we present several novel solutions for the security, privacy and efficiency issues related to secure wireless roaming scenario. Particularly, we identify three aspects as our research outcomes:
1. For our first outcome, we propose a novel One-Pass Key Establishment Protocol for Wireless Roaming (Protocol I) that achieves extremely on-line efficient at user side. To best of our knowledge, it seems to be the first One-Pass ID-based KE-AWR protocol ever presented in literatures. The protocol ensures that a fresh session key secreted from all other entities except user and foreign WSP is established in each run of protocol, by just sending one message (so called One-Pass) and eliminate any intervention of a third party. This protocol achieves secure key establishment as well as user anonymity. In addition, our protocol also achieves partial forward secrecy and partial key compromise impersonation security. Considering the imbalanced network architecture in WMNs, we focus on minimizing the number of both computational operations and communication flows at mobile user's side. Actually, most computation of user can be pre-computed before the execution of protocol, and it leaves almost no cryptographic operations to be performed on-line for user. When compared with previous roaming protocols, our protocol requires the smallest bandwidth, the least number of message flows and achieves extremely on-line efficient for user.
2. As our second result, we focus on improving the security performance for one-pass KE-AWR schemes. A one-pass protocol usually does not support the desirable properties that multi-round key establishment protocols may do, such as Perfect Forward Secrecy (PFS) and Perfect Key Compromise Impersonation (Perfect KCI). Consequently, we propose a novel solution for wireless roaming (Protocol II) which supports all the following three security properties which a one-pass protocol cannot satisfy, i.e.,(1) No Key Escrow (2) Perfect Forward Secrecy and;(3) Perfect Key Compromise Impersonation. By making use of the broadcast channel in wireless communication environment, via which a server may broadcast the public parameters shared by all roaming users who are in its signal radiation coverage, our propose protocol succeeds in providing these three attributes while still keeping the number of message flows to only one. So far as we know, it is the first one-pass KE-AWR protocol achieving PFS as well as perfect KCI security. As an improvement, we further extend the one-pass protocol to support key confirmation. Furthermore, the protocol is universal in the sense that it can be used by a user directly as key establishment protocol regardless of communicating with a foreign server or the home server. The total computational complexity of Protocol Ⅱ is comparable to that of Protocol I. However, as trade-off between efficiency and security, it needs an additional on-line Bilinear Pairing operation for mobile user during the runtime of the protocol.
3. Finally, we point out that a formal treatment for wireless roaming in WMN systems is necessary and demonstrate the unreasonable aspects of classic CK and eCK model when adapting to analysis the security properties of a KE protocol for wireless roaming scenario. To address this gap, we firstly propose a variation of classic CK and eCK model which introduces the simulation of broadcast query and multiple Key Generation Centre scenario and also gives the re-defined session definitions and additional adversary capability related to roaming scenario. We call the variation as rCK model. To fulfill our construction of this model, for both previously proposed one-pass KE-AWR protocols, Protocol I and Protocol II, we present the formal security proofs of them under our rCK security model.
引文
Aboba,1999. B. Aboba, and D. Simon, "PPP EAP TLS authentication protocol", RFC 2716, IETF, Oct.1999, http://www.ietf.org/rfc/rfc2716.txt.
Aboda,2004. B. Aboba, H. Levkowetz, J. R. Vollbrecht, L. J. Blunk, and J. Carlson, "Extensible Authentication Protocol (EAP)," RFC 3748, IETF, Jun 2004.
Aboda,2008. B. Aboba, D. Simon, and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework," RFC 5247, IETF, Aug 2008.
Abadi,2007. M. Abadi, and P. Rogawa, "Reconciling two views of cryptography (the computational soundness of formal encryption)," in Proceedings of First International Conference on Theoretical Computer Science, Lecture Notes in Computer Science, vol.1872, pp.3-22,2007.
Ahmavaara,2003. K. Ahmavaara, H. Haverinen, and R. Pichna, "Interworking architecture between 3GPP and WLAN systems," Communications Magazine, vol.41, no.11, pp.74-81,2003.
Akyildiz,2005a. I. F. Akyildiz, X. Wang, and W. Wang, "Wireless mesh networks:a survey," Computer networks, vol.47, pp.445-487,2005.
Akyildiz,2005b. I. F. Akyildiz, and X. Wang, "A survey on wireless mesh networks,' Communications Magazine, vol.43, no.9, pp.23-30,2005.
Arkko,2006. J. Arkko, and H. Haverinen, "EAP AKA authentication," RFC 4187, IETF, Jan.2006, http://www.ietf.org/rfc/rfc4187.txt.
Bellare,1994. M. Bellare, and P. Rogaway, "Entity authentication and key distribution," Advances in Cryptology,-CRYPTO'93, Lecture Notes in Computer Science, vol.773, pp.232-249,1994.
Bellare,1995. M. Bellare, and P. Rogaway, "Provably secure session key distribution-the three party case," In Proceedings of the 27th Annual ACM Symposium on the Theory of Computing, pp.57-66,1995.
Bellare,1998. M. Bellare, R. Canetti, and H. Krawczyk, "A modular approach to the design and analysis of authentication and key-exchange protocols," In Proceedings of the thirtieth annual ACM symposium on Theory of computing, pp.419-428,1998.
Ben,2006. N. Ben Salem, and J. P. Hubaux, "Securing wireless mesh networks," Wireless Communications, vol.13, no.2, pp.50-55,2006.
Benits,2004. W. Benits Jr, and R. Terada, " An ibe scheme to exchange authenticated secret keys," Cryptology ePrint Archive, Report 2004/071. http://eprint. iacr.org/2004/071,2004.
Blake-Wilson,1997. S. Blake-Wilson, D. Johnson, and A. Menezes, "Key agreement protocols and their security analysis," Crytography and Coding, pp.30-45,1997.
Blake-Wilson,1998. S. Blake-Wilson, and A. Menezes, "Entity authentication and authenticated key transport protocols employing asymmetric techniques," Security Protocols, pp.137-158,1998.
Bohm,2008. N. Bohm, "The Phorm Webwise System-a Legal Analysis,' Cambridge:Foundation for Information Policy Research,2008.
Boneh,2001. D. Boneh,and M. Franklin,, "Identity-based encryption from the Weil pairing," Advances in Cryptology-CRYPTO 2001, pp.213-229.2001.
Buttyan,2003. L. Buttyan and J. P. Hubaux, "Report on a working session on security in wireless ad hoc networks," ACM SIGMOBILE Mobile Computing and Communications Review, vol.7, no.1, pp.74-94,2003.
Canetti,2001. R. Canetti and H. Krawczyk, "Analysis of key-exchange protocols and their use for building secure channels," in Proc. EURO-CRYPT 2001, Lecture Notes in Computer Science, vol.2045, pp.453-474,2001.
Chandra,2005. P. Chandra, "Bulletproof wireless security:GSM, UMTS,802.11 and ad hoc security," 2005.
Cremers,2009. C. Cremers, "Formally and practically relating the CK, CK-HMQV, and eCK security models for authenticated key exchange," Cryptology ePrint Archive, 2009.
Dai,2004. W. Dai, "Crypto++5.2.1 Benchmarks," Available at:http://www. eskimo.com/weidai/benchmarks.html,2004.
Diffie,1976. W. Diffie, and M. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol.22, no.6, pp.644-654,1976.
Dodis,2004. Y. Dodis, R. Gennaro, J. Hastad, H. Krawczyk, and T. Rabin, "Randomness extraction and key derivation using the CBC, Cascade and HMAC modes," Lecture Notes in Computer Science, pp.494-510,2004.
ElGamal,1985. T. ElGamal, "A public-key cryptosystem and a signature scheme based on discrete logarithms," IEEE Transactions on Information Theory, vol.31, no. 4, pp.469-472,1985.
Feder,2003. P. Feder, N. Lee, and S. Martin-Leon, "A seamless mobile VPN data solution for UMTS and WLAN users," in Proceedings of 4th International Conference on 3G Mobile Communication Technologies, pp.210-216,2003.
Fischlin,1999. M. Fischlin, "Pseudorandom function tribe ensembles based on one-way permutations:Improvements and applications," in Proceedings of EURO-CRYPT 99, vol.1592, pp.432-445,1999.
Gindraux,2002. S. Gindraux, "From 2G to 3G:A guide to mobile security," In Proceedings of Third International Conference on 3G Mobile Communication Technologies, pp.308-311,2002.
Go,2001. J. Go and K. Kim. "Wireless authentication protocol preserving user anonymity," In Proceedings of the 2001 Symposium on Cryptography and Information Security (SCIS 2001), pages 159-164, Jan.2001.
Gorantla,2008. M. C. Gorantla, C. Boyd, and J. M. Gonz'alez Nieto,"ID-based one-pass authenticated key establishment," In Proceedings of the sixth Australasian Conference on Information Security, vol.81, pp.39-46,2008.
Haas,1999. Z. J. Haas, and B. Liang, "Ad-hoc mobility management with uniform quorum systems," IEEE Transactions on Networking, vol.7, no.2, pp. 228-240,1999.
Haverinen,2004. H. Haverinen, and J. Salowey, "EAP SIM authentication," IETF, Dec.2004, http://www.potaroo.net/ietf/all-ids/draft-haverinen-pppext-eap-sim-16.txt.
Hess,2003. F. Hess, "Efficient identity based signature schemes based on pairings," Selected Areas in Cryptography, pp.310-324,2003.
Hu,2005. Y. C. Hu, A. Perrig, and D. B. Johnson, "Ariadne:A secure on-demand routing protocol for ad hoc networks," Wireless Networks, vol.11, no.1, pp.21-38,2005.
Hubaux,2001. J. P. Hubaux, L. Butttan, and S. Capkun, "The quest for security in mobile ad hoc networks," in Proceedings of ACM International Symposium on Mobile Ad-Hoc Networking and Computing (MOBIHOC), pp.146-155,2001.
Islam,2011. M. Islam, and V. K. Verma, "Security Challenges in 3G Systems," International Journal of Mathematical Archive (IJMA), vol.2, no.11,2011.
Jiang,2006. Y. Jiang, C. Lin, X. Shen, and M. Shi, "Mutual authentication and key exchange protocols for roaming services in wireless mobile networks," IEEE Transactions on Wireless Communications, vol.5, no.9, pp.2569-2577,2006.
Jinn-Ke,2001. J. Jinn-Ke, and W. D. Lin, "An efficient anonymous channel protocol in wireless communications," IEICE transactions on communications, vol. 84, no.3, pp.484-491,2001.
LaMacchia,2007. B. LaMacchia, K. Lauter, and A. Mityagin, "Stronger security of authenticated key exchange," Lecture Notes in Computer Science, vol.4784, pp. 1-16,2007.
Lee,2005. W. B. Lee and C. K. Yeh, "A new delegation-based authentication protocol for use in portable communication systems," IEEE Transaction on Wireless Communication, vol.4, no.1, pp.57-64,2005.
Lee,2006. C. C. Lee, and M. S. Hwang, and I. E. Liao, "Security enhancement on a new authentication scheme with anonymity for wireless environments," IEEE Transactions on Industrial Electronics, vol.53, no.5, pp.1683-1687,2006.
Long,2008. M. Long, C. H. Wu, and J. David Irwin, "Reducing Communication Overhead for Wireless Roaming Authentication:Methods and Performance Evaluation", International Journal of Network Security, vol.6, no.3, pp.331-341,2008.
Menezes,1993. A. J. Menezes, and T. Okamoto, and S. A. Vanstone, "Reducing elliptic curve logarithms to logarithms in a finite field," IEEE Transactions on Information Theory, vol.39, no.5, pp.1639-1646,1993.
Menezes,1997. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, "Handbook of Applied Cryptography," CRC Press LLC,1997.
Mitchell,1998. C. Mitchell, M. Ward, and P. Wilson, "On key control in key agreement protocols," Electronics Letters, vol.34, pp.980-981,1998.
Mouly,1992. M. Mouly, M. B. Pautet, and T. Foreword By-Haug, "The GSM system for mobile communications," Telecom Publishing,1992.
Ntantogian,2009. C. Ntantogian, and C. Xenakis, "One-pass EAP-AKA authentication in 3GWLAN integrated networks," Wireless personal communications, vol.48, no.4, pp.569-584,2009.
Okamoto,2005. T. Okamoto, R. Tso, and E. Okamoto, "One-way and two-party authenticated ID-based key agreement protocols using pairing," MDAI'05:Lecture Notes in Computer Science, vol.3558, pp.122-133,2005.
Rivest,1978. R. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signature and public-key cryptosystem," Communication ACM, vol.21, pp. 120-126, Feb.1978.
Samfat,1995. D. Samfat, R. Molva, and N. Asokan, "Untraceability in mobile networks," In Proceedings of the 1st annual international conference on Mobile computing and networking, pp.26-36,1995.
Sanzgiri,2002. K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer, "A secure routing protocol for ad hoc networks," In Proceedings of 10th IEEE International Conference on Network Protocols, pp.78-87,2002.
Scott,2006. M. Scott, N. Costigan, and W. Abdulwahab, "Implementing Cryptographic Pairings on Smartcards," Cryptographic Hardware and Embedded Systems-CHES 2006, pp.134-147,2006.
Shim,2003. K. Shim, "Efficient ID-based authenticated key agreement protocol based onWeil pairing," Electronics Letters, vol.39, no.8, pp.653-654,2003.
Siddiqui,2007. M. S. Siddiqui, and C. S. Hong, "Security issues in wireless mesh networks," In Proceedings of 2007 International Conference on Multimedia and Ubiquitous Engineering-MUE'07, pp.712-722,2007.
Smart,2002. N. Smart, "Identity-based authenticated key agreement protocol based on Weil pairing," Electronics Letters, vol.38, no.13, pp.630-632,2002.
Tang,2008. C. Tang and D. O. Wu, "An efficient mobile authentication scheme for wireless networks," IEEE Transaction onWireless Communication, vol.7, no.4, pp.1408-1416, Apr.2008.
Thompson,2007.N. Thompson, Z. Yin, H. Luo, P. Zerfos, and J. Pal Singh, "Authentication on the Edge:Distributed Authentication for a Global Open Wi-Fi Network," In Proceedings of the 13th Annual ACM International Conference on Mobile Computing and Networking, pp.334-337,2007.
Varadharajan,1997. V. Varadharajan, and Y. Mu, "Preserving privacy in mobile communications:A hybrid method," IEEE International Conference on Personal Wireless Communications, pp.532-536,1997.
Wang,2004. S. J. Wang, "Anonymous wireless authentication on a portable cellular mobile system," IEEE Transactions on Computers, vol.53, no.10, pp. 1317-1329,2004.
Wang,2010. Y. Wang, D. S. Wong and L. Huang, "One-Pass Key Establishment for Anonymous Wireless Roaming," In Proceedings of IEEE International Conference on Wireless Communication, Networking and Information Security-WCNIS 2010, pp.533-537,2010.
Wong,2005. D. S. Wong, "Security analysis of two anonymous authentication protocols for distributed wireless networks," in Proceedings of Third IEEE International Conference on Pervasive Computing and Communications Workshops, pp.284-288,2005.
Xiong,2009. X. Xiong, D. S. Wong and X. Deng, "TinyPairing:computing Tate pairing on sensor nodes with higher speed and less memory," In Proceedings of 8th IEEE International Symposium on Network Computing and Applications-NCA 2009, pp.187-194,2009.
Xiong,2010. X. Xiong, D.Wong, and X. Deng, "TinyPairing:A Fast and Lightweight Pairing-Based Cryptographic Library for Wireless Sensor Networks," In Proceedings of 2010 IEEE Wireless Communications and Networking Conference -WCNC 2010),pp.1-6,2010.
Yang,2004. H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, "Security in mobile ad hoc networks:challenges and solutions," Wireless Communications, vol.11, no.1, pp. 38-47,2004.
Yang,2005. G. Yang, D.Wong, and X. Deng, "Efficient Anonymous Roaming and its Security Analysis," Applied Cryptography and Network Security (ACNS 2005), pp.334-349,2005.
Yang,2006. C. C. Yang, K. H. Chu, and Y. W. Yang, "3G and WLAN interworking security:current status and key issues," International Journal of Network Security, vol.2, no.1, pp.1-13, Jan.2006.
Yang,2007. G. Yang, D. Wong, and X. Deng, "Anonymous and Authenticated Key Exchange for Roaming Networks," IEEE Transactions on Wireless Communications, vol.6, no.9, pp.3461-3472,2007.
Yang,2008. G. Yang, D. Wong, and X. Deng, "Formal Security Definition and Efficient Construction for Roaming with a Privacy-Preserving Extension," Journal of Universal Computer Science, vol.14, no.3, pp.441-462,2008.
Yang,2010. G. Yang, Q. Huang, D. S. Wong, and X. Deng, "Universal Authentication Protocols for Anonymous Wireless Communications," IEEE Transactions on Wireless Communications, vol.9, no.1, pp.168-174,2010.
Zapata,2002. M. G. Zapata, and N. Asokan, "Securing ad hoc routing protocols,' In Proceedings of the 1st ACM workshop on Wireless security, pp.1-10,2002.
Zeng,2010. Y. Zeng, J. Ma, and M. Sangjae, "An Improvement on a Three-party Passwordbased Key Exchange Protocol Using Weil Pairing," International Journal of Network Security, vol.11, no.1, pp.17-22,2010.
Zhang,2005. M. Zhang, and Y. Fang, "Security Analysis and Enhancements of 3GPP Authentication and Key Agreement Protocol," IEEE Transactions on Wireless Communications, vol.4, no.2, pp.734-742,2005.
Zhang,2007. Y. Zhang, and Y. Fang, "A secure authentication and billing architecture for wireless mesh networks," Wireless Networks, vol.13, no.5, pp. 663-678,2007.
Zhu,2002. F. Zhu, D. S. Wong, A. Chan, and R. Ye, "Password authenticated key exchange based on RSA for imbalanced wireless networks," Information Security, pp.150-161,2002.
Zhu,2009. H. Zhu, X. Lin, M. Shi, P. Ho, and X. Shen, "PPAB:A Privacy-Preserving Authentication and Billing Architecture for Metropolitan Area Sharing Networks," IEEE Transactions on Vehicular Technology, vol.58, no.5, pp. 2529-2543,2009.
Aboda,2004. B. Aboba, H. Levkowetz, J. R. Vollbrecht, L. J. Blunk, and J. Carlson, "Extensible Authentication Protocol (EAP)," RFC 3748, IETF, Jun 2004.
Aboda,2008. B. Aboba, D. Simon, and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework," RFC 5247, IETF, Aug 2008.
Abadi,2007. M. Abadi, and P. Rogawa, "Reconciling two views of cryptography (the computational soundness of formal encryption)," in Proceedings of First International Conference on Theoretical Computer Science, Lecture Notes in Computer Science, vol.1872, pp.3-22,2007.
Ahmavaara,2003. K. Ahmavaara, H. Haverinen, and R. Pichna, "Interworking architecture between 3GPP and WLAN systems," Communications Magazine, vol.41, no.11, pp.74-81,2003.
Akyildiz,2005a. I. F. Akyildiz, X. Wang, and W. Wang, "Wireless mesh networks:a survey," Computer networks, vol.47, pp.445-487,2005.
Akyildiz,2005b. I. F. Akyildiz, and X. Wang, "A survey on wireless mesh networks,' Communications Magazine, vol.43, no.9, pp.23-30,2005.
Arkko,2006. J. Arkko, and H. Haverinen, "EAP AKA authentication," RFC 4187, IETF, Jan.2006, http://www.ietf.org/rfc/rfc4187.txt.
Bellare,1994. M. Bellare, and P. Rogaway, "Entity authentication and key distribution," Advances in Cryptology,-CRYPTO'93, Lecture Notes in Computer Science, vol.773, pp.232-249,1994.
Bellare,1995. M. Bellare, and P. Rogaway, "Provably secure session key distribution-the three party case," In Proceedings of the 27th Annual ACM Symposium on the Theory of Computing, pp.57-66,1995.
Bellare,1998. M. Bellare, R. Canetti, and H. Krawczyk, "A modular approach to the design and analysis of authentication and key-exchange protocols," In Proceedings of the thirtieth annual ACM symposium on Theory of computing, pp.419-428,1998.
Ben,2006. N. Ben Salem, and J. P. Hubaux, "Securing wireless mesh networks," Wireless Communications, vol.13, no.2, pp.50-55,2006.
Benits,2004. W. Benits Jr, and R. Terada, " An ibe scheme to exchange authenticated secret keys," Cryptology ePrint Archive, Report 2004/071. http://eprint. iacr.org/2004/071,2004.
Blake-Wilson,1997. S. Blake-Wilson, D. Johnson, and A. Menezes, "Key agreement protocols and their security analysis," Crytography and Coding, pp.30-45,1997.
Blake-Wilson,1998. S. Blake-Wilson, and A. Menezes, "Entity authentication and authenticated key transport protocols employing asymmetric techniques," Security Protocols, pp.137-158,1998.
Bohm,2008. N. Bohm, "The Phorm Webwise System-a Legal Analysis,' Cambridge:Foundation for Information Policy Research,2008.
Boneh,2001. D. Boneh,and M. Franklin,, "Identity-based encryption from the Weil pairing," Advances in Cryptology-CRYPTO 2001, pp.213-229.2001.
Buttyan,2003. L. Buttyan and J. P. Hubaux, "Report on a working session on security in wireless ad hoc networks," ACM SIGMOBILE Mobile Computing and Communications Review, vol.7, no.1, pp.74-94,2003.
Canetti,2001. R. Canetti and H. Krawczyk, "Analysis of key-exchange protocols and their use for building secure channels," in Proc. EURO-CRYPT 2001, Lecture Notes in Computer Science, vol.2045, pp.453-474,2001.
Chandra,2005. P. Chandra, "Bulletproof wireless security:GSM, UMTS,802.11 and ad hoc security," 2005.
Cremers,2009. C. Cremers, "Formally and practically relating the CK, CK-HMQV, and eCK security models for authenticated key exchange," Cryptology ePrint Archive, 2009.
Dai,2004. W. Dai, "Crypto++5.2.1 Benchmarks," Available at:http://www. eskimo.com/weidai/benchmarks.html,2004.
Diffie,1976. W. Diffie, and M. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol.22, no.6, pp.644-654,1976.
Dodis,2004. Y. Dodis, R. Gennaro, J. Hastad, H. Krawczyk, and T. Rabin, "Randomness extraction and key derivation using the CBC, Cascade and HMAC modes," Lecture Notes in Computer Science, pp.494-510,2004.
ElGamal,1985. T. ElGamal, "A public-key cryptosystem and a signature scheme based on discrete logarithms," IEEE Transactions on Information Theory, vol.31, no. 4, pp.469-472,1985.
Feder,2003. P. Feder, N. Lee, and S. Martin-Leon, "A seamless mobile VPN data solution for UMTS and WLAN users," in Proceedings of 4th International Conference on 3G Mobile Communication Technologies, pp.210-216,2003.
Fischlin,1999. M. Fischlin, "Pseudorandom function tribe ensembles based on one-way permutations:Improvements and applications," in Proceedings of EURO-CRYPT 99, vol.1592, pp.432-445,1999.
Gindraux,2002. S. Gindraux, "From 2G to 3G:A guide to mobile security," In Proceedings of Third International Conference on 3G Mobile Communication Technologies, pp.308-311,2002.
Go,2001. J. Go and K. Kim. "Wireless authentication protocol preserving user anonymity," In Proceedings of the 2001 Symposium on Cryptography and Information Security (SCIS 2001), pages 159-164, Jan.2001.
Gorantla,2008. M. C. Gorantla, C. Boyd, and J. M. Gonz'alez Nieto,"ID-based one-pass authenticated key establishment," In Proceedings of the sixth Australasian Conference on Information Security, vol.81, pp.39-46,2008.
Haas,1999. Z. J. Haas, and B. Liang, "Ad-hoc mobility management with uniform quorum systems," IEEE Transactions on Networking, vol.7, no.2, pp. 228-240,1999.
Haverinen,2004. H. Haverinen, and J. Salowey, "EAP SIM authentication," IETF, Dec.2004, http://www.potaroo.net/ietf/all-ids/draft-haverinen-pppext-eap-sim-16.txt.
Hess,2003. F. Hess, "Efficient identity based signature schemes based on pairings," Selected Areas in Cryptography, pp.310-324,2003.
Hu,2005. Y. C. Hu, A. Perrig, and D. B. Johnson, "Ariadne:A secure on-demand routing protocol for ad hoc networks," Wireless Networks, vol.11, no.1, pp.21-38,2005.
Hubaux,2001. J. P. Hubaux, L. Butttan, and S. Capkun, "The quest for security in mobile ad hoc networks," in Proceedings of ACM International Symposium on Mobile Ad-Hoc Networking and Computing (MOBIHOC), pp.146-155,2001.
Islam,2011. M. Islam, and V. K. Verma, "Security Challenges in 3G Systems," International Journal of Mathematical Archive (IJMA), vol.2, no.11,2011.
Jiang,2006. Y. Jiang, C. Lin, X. Shen, and M. Shi, "Mutual authentication and key exchange protocols for roaming services in wireless mobile networks," IEEE Transactions on Wireless Communications, vol.5, no.9, pp.2569-2577,2006.
Jinn-Ke,2001. J. Jinn-Ke, and W. D. Lin, "An efficient anonymous channel protocol in wireless communications," IEICE transactions on communications, vol. 84, no.3, pp.484-491,2001.
LaMacchia,2007. B. LaMacchia, K. Lauter, and A. Mityagin, "Stronger security of authenticated key exchange," Lecture Notes in Computer Science, vol.4784, pp. 1-16,2007.
Lee,2005. W. B. Lee and C. K. Yeh, "A new delegation-based authentication protocol for use in portable communication systems," IEEE Transaction on Wireless Communication, vol.4, no.1, pp.57-64,2005.
Lee,2006. C. C. Lee, and M. S. Hwang, and I. E. Liao, "Security enhancement on a new authentication scheme with anonymity for wireless environments," IEEE Transactions on Industrial Electronics, vol.53, no.5, pp.1683-1687,2006.
Long,2008. M. Long, C. H. Wu, and J. David Irwin, "Reducing Communication Overhead for Wireless Roaming Authentication:Methods and Performance Evaluation", International Journal of Network Security, vol.6, no.3, pp.331-341,2008.
Menezes,1993. A. J. Menezes, and T. Okamoto, and S. A. Vanstone, "Reducing elliptic curve logarithms to logarithms in a finite field," IEEE Transactions on Information Theory, vol.39, no.5, pp.1639-1646,1993.
Menezes,1997. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, "Handbook of Applied Cryptography," CRC Press LLC,1997.
Mitchell,1998. C. Mitchell, M. Ward, and P. Wilson, "On key control in key agreement protocols," Electronics Letters, vol.34, pp.980-981,1998.
Mouly,1992. M. Mouly, M. B. Pautet, and T. Foreword By-Haug, "The GSM system for mobile communications," Telecom Publishing,1992.
Ntantogian,2009. C. Ntantogian, and C. Xenakis, "One-pass EAP-AKA authentication in 3GWLAN integrated networks," Wireless personal communications, vol.48, no.4, pp.569-584,2009.
Okamoto,2005. T. Okamoto, R. Tso, and E. Okamoto, "One-way and two-party authenticated ID-based key agreement protocols using pairing," MDAI'05:Lecture Notes in Computer Science, vol.3558, pp.122-133,2005.
Rivest,1978. R. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signature and public-key cryptosystem," Communication ACM, vol.21, pp. 120-126, Feb.1978.
Samfat,1995. D. Samfat, R. Molva, and N. Asokan, "Untraceability in mobile networks," In Proceedings of the 1st annual international conference on Mobile computing and networking, pp.26-36,1995.
Sanzgiri,2002. K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer, "A secure routing protocol for ad hoc networks," In Proceedings of 10th IEEE International Conference on Network Protocols, pp.78-87,2002.
Scott,2006. M. Scott, N. Costigan, and W. Abdulwahab, "Implementing Cryptographic Pairings on Smartcards," Cryptographic Hardware and Embedded Systems-CHES 2006, pp.134-147,2006.
Shim,2003. K. Shim, "Efficient ID-based authenticated key agreement protocol based onWeil pairing," Electronics Letters, vol.39, no.8, pp.653-654,2003.
Siddiqui,2007. M. S. Siddiqui, and C. S. Hong, "Security issues in wireless mesh networks," In Proceedings of 2007 International Conference on Multimedia and Ubiquitous Engineering-MUE'07, pp.712-722,2007.
Smart,2002. N. Smart, "Identity-based authenticated key agreement protocol based on Weil pairing," Electronics Letters, vol.38, no.13, pp.630-632,2002.
Tang,2008. C. Tang and D. O. Wu, "An efficient mobile authentication scheme for wireless networks," IEEE Transaction onWireless Communication, vol.7, no.4, pp.1408-1416, Apr.2008.
Thompson,2007.N. Thompson, Z. Yin, H. Luo, P. Zerfos, and J. Pal Singh, "Authentication on the Edge:Distributed Authentication for a Global Open Wi-Fi Network," In Proceedings of the 13th Annual ACM International Conference on Mobile Computing and Networking, pp.334-337,2007.
Varadharajan,1997. V. Varadharajan, and Y. Mu, "Preserving privacy in mobile communications:A hybrid method," IEEE International Conference on Personal Wireless Communications, pp.532-536,1997.
Wang,2004. S. J. Wang, "Anonymous wireless authentication on a portable cellular mobile system," IEEE Transactions on Computers, vol.53, no.10, pp. 1317-1329,2004.
Wang,2010. Y. Wang, D. S. Wong and L. Huang, "One-Pass Key Establishment for Anonymous Wireless Roaming," In Proceedings of IEEE International Conference on Wireless Communication, Networking and Information Security-WCNIS 2010, pp.533-537,2010.
Wong,2005. D. S. Wong, "Security analysis of two anonymous authentication protocols for distributed wireless networks," in Proceedings of Third IEEE International Conference on Pervasive Computing and Communications Workshops, pp.284-288,2005.
Xiong,2009. X. Xiong, D. S. Wong and X. Deng, "TinyPairing:computing Tate pairing on sensor nodes with higher speed and less memory," In Proceedings of 8th IEEE International Symposium on Network Computing and Applications-NCA 2009, pp.187-194,2009.
Xiong,2010. X. Xiong, D.Wong, and X. Deng, "TinyPairing:A Fast and Lightweight Pairing-Based Cryptographic Library for Wireless Sensor Networks," In Proceedings of 2010 IEEE Wireless Communications and Networking Conference -WCNC 2010),pp.1-6,2010.
Yang,2004. H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, "Security in mobile ad hoc networks:challenges and solutions," Wireless Communications, vol.11, no.1, pp. 38-47,2004.
Yang,2005. G. Yang, D.Wong, and X. Deng, "Efficient Anonymous Roaming and its Security Analysis," Applied Cryptography and Network Security (ACNS 2005), pp.334-349,2005.
Yang,2006. C. C. Yang, K. H. Chu, and Y. W. Yang, "3G and WLAN interworking security:current status and key issues," International Journal of Network Security, vol.2, no.1, pp.1-13, Jan.2006.
Yang,2007. G. Yang, D. Wong, and X. Deng, "Anonymous and Authenticated Key Exchange for Roaming Networks," IEEE Transactions on Wireless Communications, vol.6, no.9, pp.3461-3472,2007.
Yang,2008. G. Yang, D. Wong, and X. Deng, "Formal Security Definition and Efficient Construction for Roaming with a Privacy-Preserving Extension," Journal of Universal Computer Science, vol.14, no.3, pp.441-462,2008.
Yang,2010. G. Yang, Q. Huang, D. S. Wong, and X. Deng, "Universal Authentication Protocols for Anonymous Wireless Communications," IEEE Transactions on Wireless Communications, vol.9, no.1, pp.168-174,2010.
Zapata,2002. M. G. Zapata, and N. Asokan, "Securing ad hoc routing protocols,' In Proceedings of the 1st ACM workshop on Wireless security, pp.1-10,2002.
Zeng,2010. Y. Zeng, J. Ma, and M. Sangjae, "An Improvement on a Three-party Passwordbased Key Exchange Protocol Using Weil Pairing," International Journal of Network Security, vol.11, no.1, pp.17-22,2010.
Zhang,2005. M. Zhang, and Y. Fang, "Security Analysis and Enhancements of 3GPP Authentication and Key Agreement Protocol," IEEE Transactions on Wireless Communications, vol.4, no.2, pp.734-742,2005.
Zhang,2007. Y. Zhang, and Y. Fang, "A secure authentication and billing architecture for wireless mesh networks," Wireless Networks, vol.13, no.5, pp. 663-678,2007.
Zhu,2002. F. Zhu, D. S. Wong, A. Chan, and R. Ye, "Password authenticated key exchange based on RSA for imbalanced wireless networks," Information Security, pp.150-161,2002.
Zhu,2009. H. Zhu, X. Lin, M. Shi, P. Ho, and X. Shen, "PPAB:A Privacy-Preserving Authentication and Billing Architecture for Metropolitan Area Sharing Networks," IEEE Transactions on Vehicular Technology, vol.58, no.5, pp. 2529-2543,2009.