Abdullah Almuhaideb, Talal Alharbi, Mohammed Alhabeeb, Phu Dung Le, and Bala Srinivasan
Faculty of Information Technology, Monash University, Melbourne, Australia
{Amalm3, Tralh1, maal11}@student.monash.edu.au, {Phu.Dung.Le, Bala.Srinivasan}@infotech.monash.edu.au
Abstract: The development of mobile devices and wireless technologies opens up unlimited choices of mobile services such as mobile commerce. These advances make services available and convenient everywhere and at any time. Since mobile users move, services become unavailable in locations that are not covered by their home networks. It therefore becomes necessary to roam into foreign networks in order to access such services. However, authenticating visiting users in a foreign network raises security concerns, because the foreign network provider does not initially hold the authentication credentials of the mobile users. The existing approaches either rely on roaming agreements to exchange authentication information between the home network and a foreign network, or are vulnerable to security attacks. This paper proposes a roaming agreement-less approach based on our ubiquitous mobile access model. The approach consists of two tokens, a Passport (identification token) and a Visa (authorisation token), which give a foreign network a flexible method to authenticate mobile users. The security analysis indicates that our proposal is more secure and suitable for ubiquitous mobile communications, especially in a roaming agreement-less environment.

Keywords: authentication, ubiquitous wireless access, security protocols, roaming agreement, telecommunication security.

I. INTRODUCTION

The advanced capabilities of mobile devices and wireless technologies facilitate access to a variety of services over the Internet: e-mail, mobile commerce and mobile banking. Mobile users (MUs) increasingly want to access these services wirelessly while on the move, without being restricted to a specific location. It is estimated that half the world's population pays to use mobile services [1]. MUs always ask for higher speed at lower cost, and demand to be Always Best Connected [2].
However, because wireless technologies differ, it is hard to achieve both a high data rate and wide coverage at once. Moreover, different technologies are often operated by multiple network providers. As a result, a ubiquitous wireless network is not feasible with a single technology and a single wireless provider, so a MU always needs to connect to different technologies and service providers depending on his/her location and the target speed. This raises security concerns from the perspectives of both the MU and the foreign network (FN), since they cannot establish a connection without authenticating each other. The traditional solution is a roaming agreement between the home network (HN) and the FN that covers the verification process. Fig. 1 illustrates the problem.
Figure 1. Roaming agreement-less challenge.

Problem Statement. A key challenge in such a heterogeneous network environment is the possibility of roaming to administrative domains that have no pre-established roaming agreement with the MU's home domain [3]. In other words, authenticating unknown users at FN providers and preventing unauthorised access are critical concerns.

The rest of this paper is structured as follows. It starts with a review of existing approaches to the problem (Section 2). This is followed by an overview of the ubiquitous mobile access model and the roaming agreement-less approach (Section 3), where Passport acquisition, Visa acquisition, mobile service provision, and Passport and Visa revocation are illustrated. We then present the security analysis (Section 4) and the comparative evaluation with existing works (Section 5). Finally, our conclusion is presented (Section 6).

II. RELATED WORKS

There are a number of related works in the area of ubiquitous mobile access authentication; however, each has limitations. Lei, Quintero and Pierre [4] presented reusable tickets for accessing mobile services. In their proposal, computationally lightweight symmetric keys are used on the mobile device (MD) side to suit the limited capabilities of the MD. The major disadvantage of this work is that a FN has no control over granting the authorisation token, as the tickets are approved by the ticket server. Therefore, their approach does not work when there is no service level agreement with the potential FN.
2010 11th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing. 978-0-7695-4088-7/10 $26.00 2010 IEEE. DOI 10.1109/SNPD.2010.30

For example, a MU may want to access network services from a new FN that has not yet established a service agreement with the ticket server, or the FN may not be large enough to be approved by the ticket server. In our approach, by contrast, the FN has full control over whether or not to grant an authorisation token (Visa) to this individual MU. Our approach gives the MU more freedom to choose the service provider through direct negotiation over the services, identification (Passport), and authorisation (Visa). In this paper, the FN is an independent party and does not require a service level agreement with the MU's HN in order to provide network services. Akyildiz and Mohanty [5] have proposed an Architecture for ubiquitous Mobile Communications (AMC). Their aim is to provide ubiquitous high-data-rate services to MUs by integrating heterogeneous wireless systems. AMC eliminates the need for direct roaming agreements among network providers by using a third-party network interoperating agent (NIA). The NIA acts as a broker, and it requires network providers to have pre-established roaming agreements. This solution does not support an open market environment, as MUs depend on the NIA to access network providers and there is no direct negotiation between MUs and FN providers. O'Droma and Ganchev [6] have proposed a Consumer-centric Business Model (CBM) for wireless services. They argue that their model is a better alternative to the subscriber-based model (SBM). In the CBM, entities need business agreements only with third-party authentication, authorization, and accounting service providers (3P-AAA-SPs). The 3P-AAA-SPs are independent entities, not wireless access network providers (ANPs).
This research shares some goals with this paper, such as ubiquitous wireless access and a more open marketplace. However, the 3P-AAA-SP works as a broker, and it requires network providers to have a pre-established service agreement. Shi et al. [7] have introduced a Service Agent (SA) into the WLAN/cellular integrated network architecture to improve service flexibility and to deal with the roaming agreement issue when the number of WLAN operators is large. The SA provides cellular networks and WLANs with a one-for-all roaming agreement, so that one-to-one roaming agreements are no longer needed. In their proposed service model, the MU does not have to be a customer of any physical network operator, and the SA can itself provide the cellular/WLAN integrated service. However, this approach has the same limitation as the broker model, and it depends on Wi-Fi and cellular network technologies only. Tuladhar et al. [3] have proposed a proof-token authentication architecture and protocol that addresses two problems. The first is the limited number of roaming agreements between the HN and FNs; they propose to let a MU access the partners of networks that MU has previously visited. The second is authentication delay, which they identify as a major cause of high latency; they propose collaboration between adjacent networks. However, this approach still relies on roaming agreements for authentication, and does not support direct negotiation with the MU. Matsunaga et al. [8] have proposed a single sign-on (SSO) authentication architecture that confederates WLAN service providers through trusted identity providers (IdPs). They argue that dynamic selection of the authentication method and of the IdP will play a key role in confederating public wireless LAN service providers under different trust levels and with alternative authentication schemes. However, this approach has three limitations.
The first is the dependence on roaming agreements between network providers and IdPs, which may limit the MU's roaming freedom. The second is the dependency on a single wireless technology. Lastly, it is limited to web-based authentication using cookies [9].

III. THE PROPOSED SOLUTION

A. Ubiquitous Mobile Access Model

To achieve ubiquitous wireless access, MUs should be able to negotiate directly with potential FNs regarding service provision. IdPs are required to verify the MU's identity and credentials. There should be more flexible ways to establish trust without relying on service agreements. Fig. 2 illustrates the proposed model based on direct negotiation and flexible trust.

Figure 2. The Overview of the Proposed Authentication Model.

The MU is pre-registered with an IdP to obtain an identification token. The IdP role can be played by a trusted entity such as the HN; to simplify the example, in this paper the HN is considered to be the IdP. In this model, MUs are able to negotiate directly with potential FN providers to obtain the authorization token, and FN providers are able to communicate directly with potential MUs and make a trust decision on whether or not to provide network service. For the FN provider to trust a MU, the HN is used to verify the claimed identity of the MU, and a Certificate Authority (CA) can be employed to establish trust with the HN. The relationships between the engaging parties are shown in Fig. 3 and described below:
Figure 3. The Relationship between Entities in the Model.

Trust: There are three types of trust in the proposed model. The first type is No Trust, which exists between a MU and a potential FN provider at the first step of communication. The second type is Partial Trust, which exists between a FN and a HN; the term partial trust means that there is no roaming agreement between these two entities. The third type is Full Trust, which exists between a MU and the HN (after the registration process) and between a MU and the FN (after the authentication process).

Negotiation: A MU negotiates with prospective FN providers for the available services.

Identification & Verification: Identification is the process of receiving a credential from the MU, and verification is the process of checking that credential with the user's IdP.

Authorization: After verifying the potential customer's identity, the FN provider decides whether or not to provide the service, based on its trust policy. The MU may need to reduce the level of service to match the level of authentication credentials s/he can provide. After the first successful authentication, the MU can access the FN provider's resources using the issued authorization token without any further communication with the IdP.

This paper proposes a roaming agreement-less approach based on our ubiquitous mobile access model [10] to address all the above limitations. The new features of this proposal are:

Roaming Agreement-less: In current solutions, a roaming agreement is used by a cellular network to extend its services through other networks. However, the MU's HN is unlikely to set up formal roaming agreements with every possible provider. Our approach, on the other hand, does not depend on a roaming agreement between the FN provider and the IdP; instead, the FN provider uses negotiation and a trust decision to decide whether or not to authorize the MU.
Privacy and User Anonymity: The MU's personal details are kept secret by the HN. Therefore, when a MU wants to roam into a FN, s/he only needs to send his or her Passport, without revealing any information related to his/her ID. Moreover, the HN only returns the Pass_No to the FN if the verification succeeds, so the FN learns nothing about the ID of the owner of this Passport.

Eliminate Re-authentication: Once the FN has verified the MU's Passport with the HN, s/he becomes an authenticated user of the FN, and there is no need to re-authenticate him/her for each access.

Efficient Key Management: Since each Passport contains the master key shared between the HN and the MU, the HN obtains the master key as soon as it decrypts the Passport. There is thus no need to store the users' master keys, which eliminates the need for huge databases.

B. Roaming Agreement-less Approach

The roaming agreement-less approach was designed on the basis of the model described above. This technique can be used when there is no roaming agreement between FNs and the MU's HN. It consists of two tokens: Passport and Visa. The Passport is an authentication token issued by the IdP to the MU in order to identify and verify the MU's identity. The Passport in itself does not grant any access, but provides a unique binding between an identifier and the subject. The Visa is an authorisation token granted to a MU by a FN. The Visa token can be used as an access control to ban individual users. The following protocols were developed to achieve the objective of the approach.

1) Passport Acquisition

This protocol describes the MU registration process with the HN (the Passport issuer); by completing this protocol the MU receives a Passport (identification token). For any network service request to a FN, s/he is required to hold a Passport registered with the HN. Registration with the HN takes place offline, and it occurs once. When completed, the HN issues a Smart Card (SC) to the MU.
The SC information is encrypted with the MU's biometric (such as a fingerprint). Every SC consists of three components:

1) A symmetric master key ($K_{MU-HN}$): It is used as a base to generate session keys between a MU and the HN using the following formula:

$SK_{MU-HN} = h(K_{MU-HN}, ID_{MU}, ID_{FN})$ (1)

As we can see, three factors are involved in generating a new session key: the shared master key $K_{MU-HN}$, the MU's ID and the FN's ID are hashed using the one-way hash function $h(x)$.

2) Passport ($Passport_{MU-HN}$): The MU's Passport, issued by the HN and encrypted with the HN's public key ($PK_{HN}(X)$ denotes encryption under the HN's public key). The Passport is given as:

$Passport_{MU-HN} = PK_{HN}(Sig_{HN}(ID_{MU}, Pass\_No, expiry, data, K_{MU-HN}))$

3) $Pass\_No$: The Passport number, used by the MU as an element in the generation of session keys, as illustrated in the service provision protocol.

In the Passport, $Sig_{HN}$ denotes the digital signature of the Passport under the HN's private key, which can be verified to ensure the integrity of the Passport. The Passport stores the following information: the mobile user's identity $ID_{MU}$ and the Passport number $Pass\_No$; the expiry field, which corresponds to the Passport expiry date; and the data field, which holds all other relevant information such as the type of Passport, type of MU, MU name, MU date of birth, date of issue, place of issue, issuer ID, and issuer name. The signed Passport is encrypted with the HN's public key to ensure its confidentiality.

C. Visa Acquisition

The MU receives the required Visa (authorisation token) from the FN after successfully completing the identification and verification process with the HN. Once the MU has his/her Passport (authentication token) in hand, the authentication process with the FN can be started in order to obtain the required Visa. The protocol proceeds as follows:

Step 1: MU -> FN: $Passport_{MU-HN}, VisaReq_{FN}, \{ID_{FN}, r_{MU}, T_{MU}\}_{SK_{MU-HN}}, Pass\_No, T_{MU}, Cert_{HN}, r'_{MU}$
This protocol starts when the MU sends his/her Passport, the Visa request, and $\{ID_{FN}, r_{MU}, T_{MU}\}$, where the foreign network ID ($ID_{FN}$), the MU's random number $r_{MU}$ and the MU's timestamp $T_{MU}$ are encrypted under the MU-HN session key $SK_{MU-HN}$. This key is generated using formula (1) to establish mutual authentication between the MU and the HN. The FN's ID enables the HN to compare $ID_{FN}$ with the one in the FN certificate, to make sure it has not been modified by an attacker. $r_{MU}$ is used to authenticate the FN. The HN's certificate $Cert_{HN}$ is sent to the FN for verification and for establishing trust with the HN through the CA. A second MU random number $r'_{MU}$ is sent to the FN to be used as a factor in generating the MU-FN session key $SK_{MU-FN}$ according to formula (2).

Step 2: FN -> HN: $Passport_{MU-HN}, \{ID_{FN}, r_{MU}, T_{MU}\}_{SK_{MU-HN}}, T_{MU}, Cert_{FN}, T_{FN}, PK_{HN}(r_{FN})$

Before proceeding with authentication at the HN, the FN checks whether $T_{MU}$ is fresh. If so, it forwards the MU's Passport and $\{ID_{FN}, r_{MU}, T_{MU}\}_{SK_{MU-HN}}$ to the HN, adding its certificate $Cert_{FN}$, its timestamp $T_{FN}$, and its random number encrypted under the HN's public key ($PK_{HN}(r_{FN})$), as shown in the message above. The FN's certificate $Cert_{FN}$ is sent to the HN for verification and for establishing trust through the CA. The FN's random number $r_{FN}$ is used to authenticate the HN. The timestamps $T_{MU}$ and $T_{FN}$ are used to stop replay attacks.

Step 3: HN -> FN: $PK_{FN}(Sig_{HN}(Pass\_No, valid_{MU}, r_{MU}, r_{FN})), \{ID_{FN}, valid_{FN}, r_{FN}, r_{MU}, T_{HN}\}_{SK_{MU-HN}}$

After receiving the message from the FN, the HN checks whether the MU's timestamp $T_{MU}$ and the FN's timestamp $T_{FN}$ are valid. If either is not, the HN replies that the session is not fresh and terminates the request. Otherwise, the HN checks the validity of the FN certificate $Cert_{FN}$ with the CA. If it is valid, the HN decrypts the Passport with its private key and then verifies the signature using the HN's public key. Having checked that the MU's Passport is genuine and valid, the HN obtains the shared key ($K_{MU-HN}$) and the related information such as the expiry date. The HN then generates the session key ($SK_{MU-HN}$) to decrypt the second part of the message, $\{ID_{FN}, r_{MU}, T_{MU}\}$, and compares the FN's ID in this message with the one in the certificate to ensure the FN has not been changed. After verifying the FN, the HN decrypts the FN's random number with its private key. The HN now assembles the FN's random number $r_{FN}$, the FN's ID from the certificate $ID_{FN}$, the indicator of the validity of the FN $valid_{FN}$, the MU's random number $r_{MU}$ and its own timestamp into $\{ID_{FN}, valid_{FN}, r_{FN}, r_{MU}, T_{HN}\}$ and encrypts them with the MU-HN session key $SK_{MU-HN}$. Also, as the HN has authenticated the MU, it assembles the MU's Passport number $Pass\_No$, the indicator of the validity of the MU $valid_{MU}$, the MU's random number $r_{MU}$ and the FN's random number $r_{FN}$ as $(Pass\_No, valid_{MU}, r_{MU}, r_{FN})$, signs them with its private key, and encrypts the result with the FN's public key. The HN then puts the FN authentication part and the MU authentication part in one message and sends it to the FN.

Step 4: FN -> MU: $Visa_{MU-FN}, \{ID_{FN}, valid_{FN}, r_{FN}, r_{MU}, T_{HN}\}_{SK_{MU-HN}}, \{K_{MU-FN}, Visa\_No\}_{SK_{MU-FN}}, r'_{FN}$
Once the FN receives the message from the HN, it decrypts its part using its private key and verifies it using the HN's public key. If the FN receives confirmation of the validity of the Passport and its random number checks out, the Visa $Visa_{MU-FN}$ is generated as follows:

$Visa_{MU-FN} = PK_{FN}(Sig_{FN}(Pass\_No, Visa\_No, expiry, data, K_{MU-FN}))$

$Pass\_No$ is the Passport number of the MU. The Visa number $Visa\_No$ is the unique identity of the Visa, and expiry is the Visa expiry date. The data field includes all detailed Visa information such as Visa type, number of accesses, duration of access, issuer place, issuer ID, issuer name, issue time, service type, service name, and times of access. The FN's signature $Sig_{FN}$ in the Visa is used to stop a forged Visa. The Visa is encrypted with the FN's public key ($PK_{FN}(X)$ denotes encryption under the FN's public key), which means that only the FN can decrypt it. The FN stores the Visa information for future verification. The field valid is set to FALSE once a Visa is revoked; otherwise it is set to TRUE. A stored record is, for example: $\{Pass\_No, Visa\_No, expiry, valid\}$.

Besides the Visa, the shared master key $K_{MU-FN}$ is issued to be used as the base for generating the subsequent session keys $SK_{MU-FN}$ between the MU and the FN. The session key $SK_{MU-FN}$ itself is generated using the following formula:

$SK_{MU-FN} = h(Pass\_No, ID_{FN}, r_{MU}, r_{FN}, r'_{MU}, r'_{FN})$ (2)

The FN then forwards $\{ID_{FN}, valid_{FN}, r_{FN}, r_{MU}, T_{HN}\}_{SK_{MU-HN}}$, the Visa, $K_{MU-FN}$, and a new random number $r'_{FN}$ to be used by the MU to generate the session key. After the MU receives the authorisation message $\{ID_{FN}, valid_{FN}, r_{FN}, r_{MU}, T_{HN}\}_{SK_{MU-HN}}$ from the HN via the FN, the MU decrypts it using $SK_{MU-HN}$ and checks the HN's timestamp $T_{HN}$, the random number $r_{MU}$ and the foreign network ID $ID_{FN}$ for correctness. If they are incorrect, the Visa is rejected; if they are verified, the Visa is kept for future service requests. The MU computes the MU-FN session key $SK_{MU-FN}$ to decrypt the shared master key $K_{MU-FN}$.

D. Mobile Service Provision

This protocol illustrates how a MU can be granted network services by a FN in a secure manner. When the MU holds a valid Visa, the MU is eligible to request network services from the FN. S/he needs to generate the first session key as the hash of three factors: the last session key $SK_{MU-FN}$, the Passport number and the Visa number (received with the Visa), as follows:

$SK'_{MU-FN} = h(SK_{MU-FN}, Visa\_No, Pass\_No)$ (3)

Step 1: MU -> FN: $SerReq, Visa_{MU-FN}, \{r''_{MU}, Visa\_No\}_{SK'_{MU-FN}}$

To request access to the FN's services, the MU sends $SerReq$, the Visa, and $\{r''_{MU}, Visa\_No\}$, where $r''_{MU}$ is a random number and $Visa\_No$ is the Visa number, encrypted under the first session key $SK'_{MU-FN}$ (formula 3).

Step 2: FN -> MU: $\{r''_{FN}, Pass\_No\}_{SK''_{MU-FN}}, \{Service\}_{SK'''_{MU-FN}}$

After the FN receives the service request, it decrypts the Visa with its private key and verifies the signature with its public key. If the Visa is valid, the FN reads $Visa\_No$ and searches its database to see whether the Visa is being used for the first time. $Visa\_No$ is used by the FN to detect whether the holder is genuine: the FN has to compute $SK'_{MU-FN}$ to verify $Visa\_No$ and to obtain the new random number $r''_{MU}$. The new random number is used to generate the second session key $SK''_{MU-FN}$ as follows (formula 4):

$SK''_{MU-FN} = h(SK'_{MU-FN}, K_{MU-FN}, r''_{MU})$ (4)

The second session key is used by the FN to encrypt its random number $r''_{FN}$ and the Passport number $Pass\_No$. Finally, the third session key $SK'''_{MU-FN}$ is generated from the new FN random number $r''_{FN}$ and the first and second session keys (formula 5):

$SK'''_{MU-FN} = h(SK''_{MU-FN}, SK'_{MU-FN}, r''_{FN})$ (5)

With the third session key in hand, both parties know that mutual authentication has been achieved, and the service can be started. For the next access, however, the MU is required to generate new session keys.

E. Passport and Visa Revocation

This protocol is used to stop service requests made with a stolen Passport or Visa. A Passport or Visa is considered revoked when, for example, the mobile user's shared key $K_{MU-HN}$ or $K_{MU-FN}$ expires, or the MU asks the FN to revoke a Visa or the HN to revoke a Passport. Passport revocation can be illustrated as:

HN -> FN: $PK_{FN}(Pass\_No, Revoke, Sig_{HN}(Pass\_No, Revoke))$

The protocol starts when the HN sends the Revoke message (signed with the HN's private key and encrypted with the FN's public key) to the corresponding FN. The FN decrypts the message with its private key and verifies the signature with the HN's public key. The FN then checks whether the Passport number $Pass\_No$ is already stored. If not, no Visa has been issued against this Passport number.
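The session-key chain of formulas (2) to (5) and the mobile service provision exchange of Section III.D, together with the revoked-Visa check of Section III.E, as an added Python example that is not part of the paper. It assumes h is SHA-256 over length-prefixed inputs, models encryption under a session key with an HMAC-SHA256 keystream because the paper names no cipher, reduces the Visa token and the FN's Visa database to a lookup on Visa_No, and treats the SK''' of one access as the "last session key" of the next.

```python
import hashlib
import hmac
import os

def h(*parts: bytes) -> bytes:
    """One-way hash h(x) over a tuple; length-prefixed so splits are unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

# The paper's session-key formulas, with the same arguments in the same order.
def sk_mu_fn(pass_no, id_fn, r_mu, r_fn, r1_mu, r1_fn):   # (2) SK_MU-FN
    return h(pass_no, id_fn, r_mu, r_fn, r1_mu, r1_fn)

def sk1(last_sk, visa_no, pass_no):                       # (3) SK'_MU-FN
    return h(last_sk, visa_no, pass_no)

def sk2(sk_1, k_mu_fn, r2_mu):                            # (4) SK''_MU-FN
    return h(sk_1, k_mu_fn, r2_mu)

def sk3(sk_2, sk_1, r2_fn):                               # (5) SK'''_MU-FN
    return h(sk_2, sk_1, r2_fn)

def xcrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 keystream, self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class ForeignNetwork:
    """FN side: stored Visa record {Pass_No, valid}, K_MU-FN, last session key."""
    def __init__(self, pass_no, visa_no, k_mu_fn, first_sk):
        self.visa_db = {visa_no: {"pass_no": pass_no, "valid": True}}
        self.k_mu_fn, self.last_sk = k_mu_fn, first_sk

    def revoke(self, visa_no):
        self.visa_db[visa_no]["valid"] = False            # Revoke -> valid = FALSE

    def handle_request(self, visa_no, ciphertext):
        """Step 2: returns ({r''_FN, Pass_No}_SK'', SK''') or None on rejection."""
        rec = self.visa_db.get(visa_no)
        if rec is None or not rec["valid"]:
            return None                                   # unknown or revoked Visa
        sk_1 = sk1(self.last_sk, visa_no, rec["pass_no"])
        plain = xcrypt(sk_1, ciphertext)
        r2_mu, inner_visa_no = plain[:16], plain[16:]
        if inner_visa_no != visa_no:                      # sender did not hold SK'
            return None
        sk_2 = sk2(sk_1, self.k_mu_fn, r2_mu)
        r2_fn = os.urandom(16)
        sk_3 = sk3(sk_2, sk_1, r2_fn)
        self.last_sk = sk_3                               # next access chains from SK'''
        return xcrypt(sk_2, r2_fn + rec["pass_no"]), sk_3

class MobileUser:
    """MU side: Pass_No, Visa_No, K_MU-FN and the last session key."""
    def __init__(self, pass_no, visa_no, k_mu_fn, first_sk):
        self.pass_no, self.visa_no = pass_no, visa_no
        self.k_mu_fn, self.last_sk = k_mu_fn, first_sk

    def request(self):                                    # Step 1: Visa, {r''_MU, Visa_No}_SK'
        self.sk_1 = sk1(self.last_sk, self.visa_no, self.pass_no)
        self.r2_mu = os.urandom(16)
        return self.visa_no, xcrypt(self.sk_1, self.r2_mu + self.visa_no)

    def finish(self, reply):
        """Derive SK''' from the FN reply; None if the reply is not from the FN."""
        sk_2 = sk2(self.sk_1, self.k_mu_fn, self.r2_mu)
        plain = xcrypt(sk_2, reply)
        r2_fn, pass_no = plain[:16], plain[16:]
        if pass_no != self.pass_no:                       # FN did not hold K_MU-FN
            return None
        self.last_sk = sk3(sk_2, self.sk_1, r2_fn)
        return self.last_sk

def run_session(mu, fn):
    """One service request; True only when both ends derive the same SK'''."""
    visa_no, ct = mu.request()
    res = fn.handle_request(visa_no, ct)
    return res is not None and mu.finish(res[0]) == res[1]

def demo():
    """Constructed values: two accesses succeed, then a revoked Visa is rejected."""
    pass_no, visa_no, id_fn = b"PASS-0001", b"VISA-0001", b"FN-A"
    k_mu_fn, nonces = os.urandom(32), [os.urandom(16) for _ in range(4)]
    first_sk = sk_mu_fn(pass_no, id_fn, *nonces)          # formula (2), r_MU..r'_FN
    mu = MobileUser(pass_no, visa_no, k_mu_fn, first_sk)
    fn = ForeignNetwork(pass_no, visa_no, k_mu_fn, first_sk)
    first, second = run_session(mu, fn), run_session(mu, fn)
    fn.revoke(visa_no)
    return first, second, run_session(mu, fn)
```

demo() returns (True, True, False): the second access succeeds only because both sides chained SK' from the same SK''', and the third is refused by the valid flag before any key is derived.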
If it is stored, the FN records the revoked Passport information and updates the status of the Visa to Revoke. Visa revocation can be illustrated as:

MU -> FN: $\{Pass\_No, Visa\_No, Revoke, \{Pass\_No, Visa\_No, Revoke\}_{SK'_{MU-FN}}\}_{SK_{MU-FN}}$

When the FN receives a Revoke message from the MU, it decrypts the message with the last session key $SK_{MU-FN}$. It then verifies it by decrypting the inner part of the message with the first session key $SK'_{MU-FN}$ (illustrated in (3)), and updates the status of the Visa to Revoke. Whenever a MU requests network services, the FN checks whether the Visa has been revoked; if it has, the service request is rejected.

IV. SYSTEM SECURITY ANALYSIS

In this section, we analyse the security of the proposed protocol with respect to some common attacks:

(1) Forge Passport-Visa: Since the Passport and the Visa carry the signature of the issuer, attackers cannot generate them in the name of the HN or FN. So it is impossible to fabricate or fake a Passport or a Visa, as the issuer checks their integrity by verifying the signature.

(2) Mutual authentication: In the mobile service provision phase, the MU sends a message that consists of two parts: a Visa, and the encrypted new random number $r''_{MU}$. The FN decrypts the Visa with its private key and obtains the shared key. Also, as the FN signed the Visa, it can check the validity of the Visa. The FN uses the previous session key together with $Pass\_No$ and $Visa\_No$
to generate the first session key, which is used to decrypt the second part of the message and obtain the new random number. The shared master key, the first session key and $r''_{MU}$ are used to generate the second session key. By decrypting the FN's message, the MU obtains the FN's random number. Now both parties are able to generate the third session key and authenticate each other mutually.

(3) Replay and man-in-the-middle attacks: An attacker may sniff a valid Visa; however, $K_{MU-FN}$, $Pass\_No$ and $Visa\_No$ cannot be obtained, as they are encrypted inside the Visa. The only party that can extract $K_{MU-FN}$, $Pass\_No$ and $Visa\_No$ from the Visa is the FN. In addition, timestamps are used in each communication between the three entities MU, FN and HN to ensure that the message has not been replayed.

(4) Impersonation attacks: In our protocol, the information stored in the SC (e.g. the Passport) is encrypted with the MU's fingerprint. Thus, when the SC has been stolen, it is infeasible for attackers to impersonate the MU in order to gain access.

(5) Spoofing: Since a FN cannot obtain any information about the MU unless the HN authenticates the FN, it is impossible for a malicious entity to masquerade as a legitimate FN to obtain the MU's information. In other words, the MU can be sure that s/he is communicating with a real service provider and not with a bogus entity.

(6) Key freshness: Only the MU and the FN know the shared master key $K_{MU-FN}$. In addition, it is not used to encrypt any message. In every service request a new session key is generated, but it is valid only in that session. This key is established from random numbers contributed by both the MU and the FN, so key freshness is guaranteed.

V. COMPARATIVE EVALUATION WITH EXISTING WORKS

We have identified three key requirements for flexible ubiquitous authentication, as follows:

A. Wireless Technology Independence: The proposed authentication solution is not designed for a specific underlying wireless technology. It is intended to operate at the network layer of the OSI model, to avoid the differences in the link and physical layers.

B. Roaming Agreement-less: It does not depend on a roaming agreement between FN providers and the HN. Instead, FN providers use negotiation and a trust decision on whether or not to authorize the MU.

C. Home Network Independent: MUs can obtain the benefits of the HN's partners and more. They can obtain network service in areas not covered by the HN's partners, with full freedom of choice. The proposed solution supports direct negotiation with the MU rather than with the HN, which increases user satisfaction.

The following table indicates that our proposed approach satisfies these requirements while the other related approaches do not (Table I):

TABLE I. A COMPARATIVE EVALUATION BETWEEN THE EXISTING APPROACHES AND OUR APPROACH.

Approach                               | A           | B      | C
Ticket Model [4]                       |             | Broker |
Ubiquitous Mobile Communications [5]   |             | Broker |
Ubiquitous Consumer Wireless World [6] |             | Broker |
Service-Agent-Based [7]                | (WWAN/WLAN) | Broker |
Proof-Token [3]                        |             |        |
SSO architecture [8]                   | (WLAN)      |        |
Proposed Approach                      |             |        |

(A = Wireless Technology Independence, B = Roaming Agreement-less, C = Home Network Independent. Only the cell annotations of the original table survive in this copy; its tick and cross marks do not.)

VI. CONCLUSION

This paper has shown that the existing authentication models for a ubiquitous wireless access environment are not flexible enough. Thus, as a flexible and practical solution, we introduced the roaming agreement-less approach, which enables MUs to authenticate themselves to FN providers through direct negotiation. Moreover, in this model the FNs have full control over the authorisation process. In contrast to the existing models, we believe that our approach is more flexible and eliminates the need for roaming agreements. The security analysis indicates that our proposal is resistant to well-known attacks, while it efficiently ensures security for mobile users and service providers. As future work, we aim to increase the security and usability of the Passport and Visa protocols. A very promising enhancement is to employ the limited-use key theory [11-13]. The main idea behind this theory is that one-time use of a symmetric cryptographic key significantly improves the security of the cryptographic system: since every message in a dynamic-key system is encrypted with a different key, even if an attacker finds the key for one message, s/he still cannot decrypt the whole exchange without the other encryption keys.

ACKNOWLEDGMENT

Grateful acknowledgement for proofreading and correcting the English edition goes to Noriaki Sato (Australia).

REFERENCES

[1] GSM Association, "20 Facts for 20 Years of Mobile Communications," http://www.gsmtwenty.com/20facts.pdf, accessed 20/8/2009.
[2] E. Gustafsson and A. Jonsson, "Always best connected," IEEE Wireless Communications, vol. 10, pp. 49-55, 2003.
[3] S. Tuladhar, et al., "Inter-Domain Authentication for Seamless Roaming in Heterogeneous Wireless Networks," 2008, pp. 249-255.
[4] Y. Lei, et al., "Mobile services access and payment through reusable tickets," Computer Communications, 2008.
[5] I. Akyildiz, et al., "A ubiquitous mobile communication architecture for next-generation heterogeneous wireless systems," IEEE Communications Magazine, vol. 43, pp. S29-S36, 2005.
[6] M. O'Droma and I. Ganchev, "Toward a ubiquitous consumer wireless world," IEEE Wireless Communications, vol. 14, pp. 52-63, 2007.
[7] M. Shi, et al., "A Service-Agent-Based Roaming Architecture for WLAN/Cellular Integrated Networks," IEEE Transactions on Vehicular Technology, vol. 56, pp. 3168-3181, 2007.
[8] Y. Matsunaga, et al., "Secure authentication system for public WLAN roaming," 2003, pp. 113-121.
[9] M. Shin, et al., "The Design of Efficient Internetwork Authentication for Ubiquitous Wireless Communications," Network, vol. 3, p. 1, 2004.
[10] A. Almuhaideb, et al., "Flexible Authentication Technique for Ubiquitous Wireless Communication using Passport and Visa Tokens," Journal of Telecommunications, vol. 1, pp. 1-10, March 2010.
[11] A. Rubin and R. Wright, "Off-line generation of limited-use credit card numbers," Lecture Notes in Computer Science, vol. 2339, pp. 196-209, 2001.
[12] S. Kungpisdan, et al., "A limited-used key generation scheme for internet transactions," Lecture Notes in Computer Science, vol. 3325, pp. 302-316, 2005.
[13] X. Wu, et al., "Dynamic Keys Based Sensitive Information System," in The 9th International Conference for Young Computer Scientists (ICYCS 2008), Zhang Jia Jie, Hunan, China, 2008, pp. 1895-1901.