This action might not be possible to undo. Are you sure you want to continue?
,
Vol. 8, No. 2, 2010
Cryptanalysis on Two MultiServer Password Based
Authentication Protocols
JueSam Chou
*
Dept. of Information Management
Nanhua University, Taiwan
jschou@mail.nhu.edu.tw
ChunHui Huang
Dept. of Information Management
Nanhua University, Taiwan
g6451519@mail.nhu.edu.tw
Yalin Chen
Institute of Information Systems and
Applications, NTHU, Tawain
d949702@oz.nthu.edu.tw
*
: corresponding author
Abstract¡ In 2004 and 2005, Tsaur et al. proposed two smart
card based password authentication protocols for multiserver
environments. They claimed that their protocols are safe and can
withstand various kinds of attacks. However, after analyses, we
found both of them have some security loopholes. In this article,
we will demonstrate the security loopholes of the two protocols.
Keywords multiserver; remote password authenticationl;
smart card; key agreement; Lagrange interpolating polynomial
I. INTRODUCTION
In a traditional identity authentication mechanism, a user
must use his identity ID and password PW to register at the
remote server and the server needs to employ a verification
table to record the ID and PW. However, this approach might
make the system suffer from the stolen verifier attack. To
address this problem, some researchers suggested the
authentication system adopt a nonverificationtable approach.
In 1990, Hwang et al. [4] first proposed a smart card based
authentication protocol by using such a nonverificationtable
way. Thereafter, many smartcard nonverificationtable based
authentication schemes [1, 2, 3, 5, 6, 7, 1020] were proposed.
In 2004 and 2005, Tsaur et al. proposed two such
authentication schemes [8, 9] for multiserver environments.
They claimed that their schemes are secure and can withstand
various attacks. However, after analyses, we found that both of
them have some security loopholes. In this article, we will
demonstrate the security flaws found in their protocols.
II. REVIEW AND ATTACK ON TSAUR ET AL.¡S FIRST
PROTOCOL
A. Review
Tsaur et al.¡s first protocol [8] consists of next four stages.
a) The System Setup Stage: CA defines an oneway hash
function h(X, Y); he selects two large prime numbers p
1
, p
2
, and
computes N = p
1
¡ p
2
; he randomly chooses the encryption key
e satisfying gcd(e, φ(N)) = 1, where φ(N) = (p
1
¡ 1) ¡ ( p
2
¡ 1),
and computes his corresponding private key as d = e
1
mod
φ(N). For each server S
j
, CA selects a random S_SK
j
as the
server¡s private key and computes S_ID
j
=
j
SK S
g
_
(mod N) as
his oublic identity, where j = 1,2, ..., m.
b) The User Registration Stage: When a new user U
i
wants
to register at m servers, S
1
, S
2
, ¡, and S
m
(in a multiserver
system), he and CA together perform the registration process
through a secure channel described as follows:
 U
i
chooses his identity U_ID
i
and password U_PW
i
,
and transmits them to CA.
 CA randomly chooses a number r
ui
, and computes two
secret keys as
) (mod _
_
N g R U
ui i
r PW U
i

= and
) (mod _S N g U
d r
i
ui

= .
 CA assumes that U
i
wants to obtain the services of r
servers, S
1
, S
2
, ¡, S
r
, for 1 ≤ r < m. The service periods
provided by these servers are E_T
i1
, E_T
i2
, ¡, and
E_T
ir
respectively. The periods of the other m¡ r servers
are all set to zeros. CA then constructs a Lagrange
interpolating polynomial function f
i
(X) for U
i
as
×
÷
÷
+ =
¯
=
) _ _ (
) _ (
) _ _ ( ) (
1 i j
i
ij
m
j
i i
ID U SK S
ID U X
T E ID U X f
+
÷
÷
I
= =
m
j k k k j
k
SK S SK S
SK S X
, 1
) _ _ (
) _ (
I
=
÷
÷
m
y y i
y
i
SK S ID U
SK S X
R U
1
) _ _ (
) _ (
_
) (mod
0 1
1
1
N a X a X a X a
m
m
m
m
+ + + + =
÷
÷
 CA stores f
i
(X), U
i
¡s identity U_ID
i
, his two secret keys
U_S
i
, U_R
i
, and oneway function h(X, Y) in smart card
U_SC
i
. Then, CA sends the card to U
i
via a secure
channel.
c) The Login Stage: In this phase, when a registered user U
i
wants to login server S
j
(1 ≤ j ≤ m), he inserts his smart card
U_SC
i
to the reader and keys in his U_PW
i
. Then, U_SC
i
performs the following steps on behalf of U
i
:
 U_SC
i
gets timestamp t. Then, it generates a secret
random number r
1
and computes
16 http://sites.google.com/site/ijcsis/
ISSN 19475500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 2, 2010
) (mod
1
1
N g C
r e
= ,
) , ( _
1 2
1 1
) _ (
t C h r PW U
g S U C
i

· =
) , ( _
1 1
t C h r d r PW U
g g
ui i
  
· = (mod N), and
1
1 1
_ _
) ( ) _ (
r e SK S r e SK S r e
j
j j
g g ID S P
   
= = = (mod N)
 Given 1, 2, ¡, m, and P, U_SC
i
computes f
i
(1),
f
i
(2), ¡, f
i
(m), and f
i
(P). Then, it constructs an
authentication message M = {U_ID
i
, t, C
1
, C
2
, f
i
(1),
f
i
(2), ¡, f
i
(m), f
i
(P)} and sends it to S
j
, one of the m
servers for, 1 ≤ j ≤ m.
d) The Server Authentication Stage: In this phase, after
receiving the authentication message from U
i
, S
j
gets current
timestamp t
now
and performs the following steps to verify the
login message from U
i
:
 S
j
checks U
i
's identity U_ID
i
and determines if t
now
¡ t
>ΔT. If either of the two checks does nothold, S
j
rejects
U
i
's login message. Otherwise, it continues.
 S
j
uses value C
1
and its secret key S_SK
j
to derive the
value P shown as below.
) (mod ) (
_
1
N C P
j
SK S
=
) (mod ) (
_
1
N g
j
SK S r e
=
) (mod
_
1
N g
j
SK S r e  
= .
Then, it uses these m + 1 points {(1, f
i
(1)), (2, f
i
(2)), ¡,
(m, f
i
(m)), (P, f
i
(P))} to reconstruct the interpolating
polynomial
) (mod ) (
0 1
1
1
N a X a X a X a X f
m
m
m
m i
+ + + + =
÷
÷
 He checks to see whether
1
_ ) (
) (
) , (
1
2
1
=
·
i
t C h
e
R U C
C
. If it
holds, user U
i
is authentic. Otherwise, S
j
rejects U
i
's
login message.
B. Attack
We show an impersonation attack on Tsaur et al.¡s first
protocol. First, an attacker E forges a smart card as follows.
 E enters U_ID
i
, randomly chooses a password
) (
_
E
i
PW U and a random number
) (E
ui
r , and calculates
two secrets:
) (mod _
* * _ ) (
) ( ) (
N g R U
e r PW U E
i
E
ui
E
i
= and
) (mod _
) (
) (
N g S U
E
ui
r E
i
= .
 Though, E does not know each server¡s private key, he
knows these servers¡ identities. Therefore, he uses each
server¡s identity to replace the original corresponding
private key in polynomial f
i
(X) and form another
polynomial f
E
(X) as shown in following Equation (1).
×
÷
÷
+ =
¯
=
) _ _ (
) _ (
) _ _ ( ) (
1 i j
i
ij
m
j
i E
ID U ID S
ID U X
T E ID U X f
+
÷
÷
I
= =
m
j k k k j
k
ID S ID S
ID S X
, 1
) _ _ (
) _ (
) (mod
) _ _ (
) _ (
_
1
) (
N
ID S ID U
ID S X
R U
m
y y i
y E
i I
=
÷
÷
) (mod
0 1
1
1
N b X b X b X b
m
m
m
m
+ + + + =
÷
÷
.
In login stage, E performs the follows steps:
 E gets timestamp t. Then, he generates a secret random
number r
1
(E)
and computes C
1
(E)
, C
2
(E)
, and P
(E)
as
) (mod
) (
1
) (
1
N g C
E
r e E 
=
,
) (mod ) _ (
) , ( * _
1
) (
2
) (
1
) (
1
) (
N g S U C
t C h r PW U E
E E E
i
· =
,
) (
1
) (
1
) ( ) _ (
_
) (
E
j
E
r e
SK S
r e
j
E
g ID S P
 
= =
) (
1 _
E
j
r e SK S
g
 
=
(mod N).
 Then, E computes f
E
(1), f
E
(2), ¡, f
E
(m), and f
E
(P
(E)
)
and sends message M
(E)
= {U_ID
i
, t, C
1
(E)
, C
2
(E)
, f
E
(1),
f
E
(2), ¡, f
E
(m), f
E
(P
(E)
)} to server S
j
, one of the m
servers for 1 ≤ j ≤ m.
When receiving message M
(E)
, S
j
gets current timestamp t
now
.
It then performs the following verification steps to authenticate
E.
 S
j
checks E's identity U_ID
i
and determines whether
t
now
¡ t <ΔT. If either of the two checks dose not hold,
S
j
rejects. Otherwise, he continues.
 S
j
uses the transmitted value C
1
(E)
and his secret key
S_SK
j
to derive the value P
(E)
, as shown in the
following equation, Equation (2).
) (mod ) ( ) (
_ _ ) (
1
) (
) (
1
N g C P
j
E
j
SK S r e SK S E E

= =
) (mod
_
) (
1
N g
j
E
SK S r e  
= ¡ ¡ ¡ Equation (2)
Then, it uses these m + 1 points {(1, f
E
(1)), (2,
f
E
(2)), ¡, (m, f
E
(m)), (P
(E)
, f
E
(P
(E)
)} to reconstruct the
interpolating polynomial
) (mod ) (
0 1
1
1
N b X b X b X b X f
m
m
m
m E
+ + + + =
÷
÷
 S
j
verifies whether
1
_ ) (
) (
) ( ) , ( ) (
1
) (
2
) (
1
=
·
E
i
t C h E
e E
R U C
C
E
. If it
holds, E is authentic.
Obviously, E can pretend as U
i
successfully since the
computation result is equal to 1, as shown in Equation (3).
17 http://sites.google.com/site/ijcsis/
ISSN 19475500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 2, 2010
) ( ) , ( ) (
1
) (
2
_ ) (
) (
) (
1
E
i
t C h E
e E
R U C
C
E
·
e r PW U t C h r e
e t C h r r PW U
E
ui
E
i
E E
E E
ui
E
i
g g
g g
* * _ ) , ( * *
) , ( '* * _
) ( ) ( ) (
1
) (
1
) (
1 1
) ( ) (
) (
·
·
=
e r PW U t C h r e
e t C h r e r PW U
E
ui
E
i
E E
E E E
ui
E
i
g g
g g
* * _ ) , ( * *
* ) , ( * * * _
) ( ) ( ) (
1
) (
1
) (
1
) (
1
) ( ) (
·
·
=
= 1 (mod N) ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ Equation (3)
III. REVIEW AND ATTACK ON TSAUR ET AL.¡S SECOND
PROTOCOL
A. Review
Tsaur et al.¡s second protocol [9] consists of four stages.
They are (1) The system setup stage, (2) The user registration
stage, (3) The login stage, and (4) The server authentication
stage. We show them as follows.
1) The System Setup Stage: CA selects a large number p,
and publishes a generator g of
*
P
Z and an oneway hash
function h(X, Y). CA also selects a secret key S_SK
j
for server
S
j
and computes S
j
¡s public identity as S_ID
j
=
j
SK S
g
_
(mod p),
1 ≤ j ≤ m.
2) The User Registration Stage: When a new user U
i
wants to register at m servers, S
1
, S
2
, ¡, and S
m
(in a multi
server system), he and CA together perform the registration
process through a secure channel described as follows:
 U
i
chooses his identity U_ID
i
and password U_PW
i
,
and transmits them to CA.
 CA randomly chooses a number r and computes two
secret keys:
) (mod _ p g R U
r
i
= and
) (mod _
_
p r S U
i
PW U
i
÷
= .
 CA supposes that U
i
wants to obtain the services of r
servers, S
1
, S
2
, ¡ , and S
r
. Assume that the service
periods of r servers are E_T
i1
, E_T
i2
, ¡, and E_T
ir
respectively. The periods of the other servers S
r+1
,
S
r+2
, ¡, and S
m
are all set to zeros. CA then uses S
j
¡s
secret key S_SK
j
to construct a Lagrange interpolating
polynomial function f
i
(X) for U
i
as follows:
×
÷
÷
+ =
¯
=
) _ _ (
) _ (
) _ _ ( ) (
1 i j
i
ij
m
j
i i
ID U SK S
ID U X
T E ID U X f
+
÷
÷
I
= =
m
j k k k j
k
SK S SK S
SK S X
, 1
) _ _ (
) _ (
I
=
÷
÷
m
y y i
y
i
SK S ID U
SK S X
R U
1
) _ _ (
) _ (
_
) (mod
0 1
1
1
p a X a X a X a
m
m
m
m
+ + + + =
÷
÷
.
 CA then stores U_S
i
and f
i
(X) into the storage of smart
card U_SC
i
, and sends the card to U
i
via a secure
channel.
3) The Login Stage: When a registered user U
i
wants to
login to server S
j
, he inserts his smart card U_SC
i
to the reader
and keys in his password U_PW
i
. Then, U_SC
i
performs the
following steps on behalf of U
i
:
 U_SC
i
gets timestamp t and computes
i
PW U
i
S U r
_
) _ ( = .
Then, it generates a secret random number r
1
and
computes C
1
, C
2
and P as
) (mod
1
1
p g C
r
= ,
) )(mod , (
1 1 2
p t C h r r C · + = , and
) (mod ) _ (
1
p ID S P
r
j
= .
 Given 1, 2,¡, m, and P, U_SC
i
computes f
i
(1), f
i
(2), ¡,
f
i
(m), and f
i
(P). Then, it constructs message M =
{U_ID
i
, t, C
1
, C
2
, f
i
(1), f
i
(2), ¡, f
i
(m), f
i
(P)} and sends
it to S
j
.
4) The Server Authentication Stage: When receiving the
authentication message from U
i
, S
j
obtains current timestamp
t
now
and performs the following steps to verify U
i
¡s login
message:
 S
j
checks U
i
's identity U_ID
i
and determines whether
t
now
¡ t < Δ T. If both hold, S
j
computes
) (mod ) (
_
1
p C P
j
SK S
= .
 S
j
uses the m + 1 points {(1, f
i
(1)), (2, f
i
(2)), ¡, (m,
f
i
(m)), (P, f
i
(P))} from U_ID
i
to reconstruct the
interpolating polynomial
+ + + =
÷
÷
1
1
) (
m
m
m
m i
X a X a X f a
1
X+a
0
(mod N)
 S
j
checks to see whether
1
) _ ( ) (
) , (
1
1
2
=
·
t C h
i
C
R U C
g
. If it
holds, user U
i
is authentic. Otherwise, U
i
is rejected.
B. Attack
We show an impersonation attack on Tsaur et al.¡s second
protocol. First, an attacker E forges a smart card as follows.
 E enters U_ID
i
, randomly chooses a password U_PW
i
(E)
and a number r
(E)
, and computes two secrets as
) (mod _
) (
) (
p g R U
E
r E
i
= and
) (mod _S
) (
_ ) (
p r U
E
i
PW U E
i
÷
= .
 Though, E does not know each server¡s private key, he
knows these servers¡ identities. Therefore, he uses each
server¡s identity to replace the original corresponding
private key in polynomial f
i
(X) and form another
polynomial f
E
(X) as shown in following Equation (4).
18 http://sites.google.com/site/ijcsis/
ISSN 19475500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 2, 2010
×
÷
÷
+ =
¯
=
) _ _ (
) _ (
) _ _ ( ) (
1 i j
i
ij
m
j
i E
ID U ID S
ID U X
T E ID U X f
I
= =
+
÷
÷
m
j k k k j
k
ID S ID S
ID S X
, 1
) _ _ (
) _ (
I
=
÷
÷
m
y y i
y E
i
ID S ID U
ID S X
R U
1
) (
) _ _ (
) _ (
_
) (mod
0 1
1
1
p b X b X b X b
m
m
m
m
+ + + + =
÷
÷
¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ Equation (4)
In the login stage, when E wants to login to server S
j
, he
performs the following steps:
 E gets timestamp t and computes r
(E)
=
) (
_ ) (
) _ (
E
i
PW U E
i
S U . Then, it generates a secret random
number r
1
(E)
and computes C
1
(E)
, C
2
(E)
and P
(E)
as
) (
1
) (
1
E
r E
g C = (mod p),
) , (
) (
1
) ( ) (
1
) (
2
t C h r r C
E E E E
· + = (mod p), and
) (mod ) _ (
) (
1
) (
p ID S P
E
r
j
E
= .
 E computes f
E
(1), f
E
(2), ¡, f
E
(m), and f
E
(P
(E)
) and
sends message M
(E)
= {U_ID
i
, t, C
1
(E)
, C
2
(E)
, f
E
(1),
f
E
(2), ¡, f
E
(m), f
E
(P
(E)
)} to the server S
j
.
After receiving message M
(E)
, S
j
gets current timestamp t
now
.
He then performs the following verification steps to
authenticate E.
 S
j
checks E's identity U_ID
i
and determines whether
t
no
w ¡ t <ΔT. If both hold, S
j
computes
j
SK S E E
C P
_ ) (
1
) (
) ( =
(mod p).
 S
j
uses the m + 1 points {(1, f
E
(1)), (2, f
E
(2)), ¡, (m,
f
E
(m)), (P, f
E
(P))} to reconstruct the interpolating
polynomial
+ + + =
÷
÷
1
1
) (
m
m
m
m E
X b X b X f b
1
X+b
0
(mod p)
 S
j
verifies if
1
) _ ( ) (
) , ( ) ( ) (
1
) (
1
) (
2
=
·
t C h E
i
E
C
E
E
R U C
g
. If it
holds, E is authentic.
Obviously, E can pretend as U
i
successfully. Since that the
computation result of the verification is obviously equal to 1, as
shown in following Equation (5).
) , ( ) ( ) (
1
) (
1
) (
2
) _ ( ) (
t C h E
i
E
C
E
E
R U C
g
·
) , ( *
) , ( *
) (
1
) ( ) (
1
) 9
1
) ( ) (
1
t C h r r
t C h r r
E E E
E E E
g g
g
·
+
=
) , ( *
) , ( *
) (
1
) ( ) (
1
) (
1
) ( ) (
1
t C h r r
t C h r r
E E E
E E E
g
g
+
+
=
) (mod 1 p = ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ Equation (5)
IV. CONCLUSION
In this paper, we present the security analyses of Tsaur et
al.¡s two smart card based password authentication protocols in
multiserver environments. Our results show that they are both
vulnerable and suffer from the impersonation attacks which we
have described in this article.
REFERENCES
[1] A. K. Awasthi and S. Lal ¡An enhanced remote user authentication
scheme using smart cards, ¡ IEEE Trans. Consumer Electron., vol. 50,
No. 2, pp. 583586, May 2004.
[2] C.K. Chan, L.M. Cheng, ¡ Cryptanalysis of a remote user authentication
scheme using smarts cards, ¡ IEEE Transactions on Consumer
Electronics, vol. 46, no 4, pp. 992¡ 993, 2000.
[3] C.C. Chang, T.C. Wu, ¡Remote password authentication scheme with
smart cards, ¡ IEE ProceedingsComputers and Digital Techniques, vol.
138, issue 3, pp.165¡ 168, 1991.
[4] T. Hwang, Y. Chen, and C.S. Laih, ¡Noninteractive password
authentications without password tables, ¡IEEE Region 10 Conference
on Computer and Communication Systems, IEEE Computer Society, Vol.
1, pp.429¡ 431, 1990.
[5] M.S. Hwang and L.H. Li, ¡A new remote user authentication scheme
using smart cards, ¡ IEEE Transactions on Consumer Electronics, vol.46,
no.1, pp. 2830, Feb. 2000.
[6] K. C. Leung, L. M. Cheng, A. S. Fong and C. K. Chan, ¡ Cryptanalysis
of a modified remote user authentication scheme using smart cards,
¡ IEEE Trans. Consumer Electron., vol. 49, No. 4, pp. 12431245, Nov.
2003.
[7] J.J. Shen, C. W. Lin and M. S. Hwang, ¡ A modified remote user
authentication scheme using smart cards, ¡ IEEE Trans. Consumer
Electron., vol. 49, No. 2, pp. 414416, May 2003.
[8] W.J. Tsaur, C.C. Wu, W.B. Lee, ¡A smart cardbased remote scheme for
password authentication in multiserver Internet services, ¡ Computer
Standards & Interfaces, Vol. 27, No. 1, pp. 3951, November 2004.
[9] W.J. Tsaur, C.C. Wu, W.B. Lee, ¡An enhanced user authentication
scheme for multiserver Internet services, ¡ Applied Mathematics and
Computation, Vol. 170, No. 11, pp. 258266, November 2005.
[10] G. Yang, D. S. Wong, H. Wang, X. Deng, ¡Twofactor mutual
authentication based on smart cards and passwords¡, Journal of
Computer and System Sciences, Vol. 74, No. 7, pp.11601172,
November 2008.
[11] T. Goriparthi, M. L. Das, A. Saxena, ¡An improved bilinear pairing
based remote user authentication scheme¡, Computer Standards &
Interfaces, Vol. 31, No. 1, pp. 181185, January 2009.
[12] I. E. Liao, C. C. Lee, M. S. Hwang, ¡A password authentication scheme
over insecure networks¡, Journal of Computer and System Sciences, Vol.
72, No. 4, pp. 727740, June 2006.
[13] J. Y. Liu, A. M. Zhou, M. X. Gao, ¡A new mutual authentication scheme
based on nonce and smart cards¡, Computer Communications, Vol. 31,
No. 10, pp. 22052209, June 2008.
[14] H. S. Rhee, J. O. Kwon, D. H. Lee, ¡A remote user authentication
scheme without using smart cards¡, Computer Standards & Interfaces,
Vol. 31, No. 1, pp. 613, January 2009.
[15] S. K. Kim , M. G. Chung, ¡More secure remote user authentication
scheme¡, Computer Communications, Vol. 32, No. 6, pp. 10181021,
April 2009.
19 http://sites.google.com/site/ijcsis/
ISSN 19475500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 2, 2010
[16] Y. Y. Wang, J. Y. Liu, F. X. Xiao, J. Dan, ¡A more efficient and secure
dynamic IDbased remote user authentication scheme¡, Computer
Communications, Vol. 32, No. 4, pp. 583585, March 2009.
[17] J. Xu, W. T. Zhu, D. G. Feng, ¡An improved smart card based password
authentication scheme with provable security¡, Computer Standards &
Interfaces, Vol. 31, No. 4, pp. 723728, June 2009.
[18] M. S. Hwang, S. K. Chong, T. Y. Chen, ¡DoSresistant IDbased
password authentication scheme using smart cards¡, Journal of Systems
and Software, Vol. 83, No. 1, pp. 163172, January 2010.
[19] C. T. Li, M. S. Hwang, ¡An efficient biometricsbased remote user
authentication scheme using smart cards¡, Journal of Network and
Computer Applications, Vol. 33, No. 1, pp. 15, January 2010.
[20] D. Z. Sun, J. P. Huai, J. Z. Sun, J. X. Li, J. W. Zhang, Z. Y. Feng,
¡Improvements of Juang et al.¡s PasswordAuthenticated Key
Agreement Scheme Using Smart Cards¡, IEEE Transactions on
Industrial Electronics, Vol. 56, No. 6, pp. 22842291, June 2009.
AUTHORS PROFILE
JueSam Chou received his Ph.D. degree
in the department of computer science and
information engineering from National
Chiao Tung Univ. (NCTU) in Hsinchu,
Taiwan,ROC. He is an associate professor
and teaches at the department of Info.
Management of Nanhua Univ. in Chiayi,
Taiwan. His primary research interests are
electronic commerce, data security and
privacy, protocol security, authentication,
key agreement, cryptographic protocols, E
commerce protocols, and so on.
ChunHui Huang is now a graduate
student at the department of Info.
Management of Nanhua Univ. in Chiayi,
Taiwan. She is also a teacher at Nantou
County Shuang Long Elementary School in
Nantou, Taiwan. Her primary interests are
data security and privacy, protocol security,
authentication, key agreement.
Yalin Chen received her bachelor degree
in the depart. of computer science and
information engineering from Tamkang
Univ. in Taipei, Taiwan and her MBA
degree in the department of information
management from National SunYatSen
Univ. (NYSU) in Kaohsiung, Taiwan. She
is now a Ph.D. candidate of the Institute of
Info. Systems and Applications of National
TsingHua Univ.(NTHU) in Hsinchu,
Taiwan. Her primary research interests are
data security and privacy, protocol security,
authentication, key agreement, electronic commerce, and wireless
communication security.
20 http://sites.google.com/site/ijcsis/
ISSN 19475500