Вы находитесь на странице: 1из 6

IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 55, NO.

6, JUNE 2008

2551

Robust and Efcient Password-Authenticated Key Agreement Using Smart Cards


Wen-Shenq Juang, Sian-Teng Chen, and Horng-Twu Liaw
AbstractUser authentication and key agreement is an important security primitive for creating a securely distributed information system. Additionally, user authentication and key agreement is very useful for providing identity privacy to users. In this paper, we propose a robust and efcient user authentication and key agreement scheme using smart cards. The main merits include the following: 1) the computation and communication cost is very low; 2) there is no need for any password or verication table in the server; 3) a user can freely choose and change his own password; 4) it is a nonce-based scheme that does not have a serious time-synchronization problem; 5) servers and users can authenticate each other; 6) the server can revoke a lost card and issue a new card for a user without changing his identity; 7) the privacy of users can be protected; 8) it generates a session key agreed upon by the user and the server; and 9) it can prevent the ofine dictionary attack even if the secret information stored in a smart card is compromised. Index TermsAuthentication, elliptic curve cryptosystem, key exchange, ofine dictionary attack, smart card.

I. I NTRODUCTION N VARIOUS network environments [3], [5], [14], [15], [20], [22], if a user needs to use or control a remote server, the user rst needs to pass the authentication scheme [2], [6], [7], [10], [11], [19], [21][23] of the server. To provide a secure authentication system, password-based methods are often used in many remote log-in servers. Since Lamport proposed a password-based authentication scheme in 1981 [11], several schemes [2], [6], [7], [10], [21], [23] have been proposed. These proposed schemes [2], [6], [7], [10], [21], [23] pointed out some attacks and weaknesses of Lamports scheme [11], and then, their improved schemes were proposed. In 2005, Fan et al. proposed a robust remote authentication scheme with smart cards [4]. They claimed that their proposed scheme can satisfy the following properties: 1) low computation for smart cards; 2) no password table; 3) passwords chosen by the users themselves; 4) not requiring clock synchronization and delay-time limitation; 5) withstanding the replay attack; 6) server authentication; 7) withstanding the ofine dictionary attack without the smart card; 8) withstanding the ofine dictionary attack with the smart card; and 9) revoking the lost cards without changing the users identities. The major contribution of Fan et al.s scheme [4] is providing a method for preventing the ofine dictionary attack even if the secret information stored in a smart card is compromised. The major drawbacks of their scheme are that it has no ability of anonymity for the user and that it has higher computation and communication cost because of using Rabins public-key cryptosystem [4]. Furthermore, their scheme does not provide a function for session key agreement and cannot prevent the insider attack [10]. In this paper, we propose a robust and efcient user authentication and key agreement scheme that not only satises all the benets of Fan et al.s scheme but also can provide identity protection, session key agreement, and low communication and computation cost by using elliptic curve cryptosystems and can prevent the insider attack. In Section II, we demonstrate our proposed scheme. In Section III, we analyze the security of our scheme. In Section IV, we show the cost and functionality consideration among our scheme and the related schemes. Finally, we make a conclusion in Section V.

N OTATION h() s Es () Ds () Public one-way hash function. Master secret key of a symmetric cryptosystem, which is kept secret by the server. Secure symmetric encryption algorithm with the secret key s. Secure symmetric decryption algorithm with the secret key s. String concatenation operator. Large prime. Elliptic curve equation over ZP . Servers private key based on elliptic curve cryptosystems. Servers public key based on elliptic curve cryptosystems. Generator point of a large order.

P EP x PS G

Manuscript received July 4, 2007; revised February 25, 2008. This work was supported in part by the National Science Council of the Republic of China under Grant NSC 95-2221-E-128-004-MY2 and Grant NSC 96-3314-P-001002-Y. W.-S. Juang is with the Department of Information Management, National Kaohsiung First University of Science and Technology, Kaohsiung 811, Taiwan (e-mail: wsjuang@ccms.nkfust.edu.tw). S.-T. Chen and and H.-T. Liaw are with the Department of Information Management, Shih Hsin University, Taipei 116, Taiwan (e-mail: htliaw@ cc.shu.edu.tw). Digital Object Identier 10.1109/TIE.2008.921677

II. O UR P ROPOSED S CHEME In this section, we propose a new scheme based on elliptic curve cryptosystems for providing all the functionalities and enhancing the efciency of Fan et al.s scheme. Our proposed

0278-0046/$25.00 2008 IEEE

2552

IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 55, NO. 6, JUNE 2008

scheme consists of ve phases: 1) the parameter generation phase; 2) the registration phase; 3) the precomputation phase; 4) the log-in phase; and 5) the password-changing phase. In the registration phase, the server identies a user and then issues a smart card to the identied user. Then, the user and the server do the log-in phase to authenticate each other and generate an agreed-upon session key. If the user wants to change his password, he needs to do the password-changing phase. A. Parameter Generation Phase In this phase, the server needs to generate some parameters as follows. 1) The server chooses a large prime P and selects two eld elements a ZP and b ZP , where a and b must satisfy 4a3 + 27b2 (mob P ) = 0. The elliptic curve equation EP : y 2 = x3 + ax + b over ZP is dened. 2) The server nds a generator point G of order n, where n is a large divisor, and n G = O. 3) The server selects a random number x as its private key and safely keeps it in its secret storage. 4) The server computes the public key PS = (x G) and publishes the parameters (PS , P, EP , G, n).

C. Precomputation Phase The smart card selects a random number r and computes e = (r G) and c = (r Ps ) = (r x G) as a point over EP before the start of the log-in phase. Then, it stores (c, e) into its memory for use in the log-in phase. D. Log-in Phase When user i wants to log in to the server, he must insert his smart card into a card reader and input his password P Wi . In our proposed scheme, the smart card will complete the precomputation phase before the log-in phase. After user i has input the password and the smart card has nished the precomputation phase, the smart card sends bi and EVi (e) to the server, where Vi = h(IDi , s, CIi ). After receiving bi and EVi (e), the server decrypts bi by the secret key s and obtains h(P Wi b) IDi CIi h(IDi CIi h(P Wi b)), and then, the server computes Vi = h(IDi , s, CIi ). Therefore, the server will use Vi to decrypt EVi (e) to obtain e = (r G). Then, the server checks if: 1) decrypting bi can get the authentication tag (IDi CIi h(P Wi , b)); 2) IDi is in the registration; 3) CIi is stored in the registration table. If any of the above verications is false, the server revokes the log-in request. If all of the above verications are true, the server selects a random number u and computes c = (e x) = (r x G) and MS = h(c u Vi ). Then, the server sends u and Ms to the smart card. After the smart card receiving u and Ms , it computes MS and checks if MS is equal to h(c u Vi ). If it is not, the smart card revokes the log-in phase. Otherwise, the smart card computes MU = h(h(P Wi b) Vi c u) and a session key Sk = h(Vi , c, u) and then sends MU to the server. At this time, the server is authenticated by the smart card. Upon receiving MU , the server checks if MU is equal to h(h(P Wi b) Vi c u). If it is not, the server sends a wrong password message back to the user. The user can input the password P Wi , compute MU , and send MU to the server again. If the number of the password verications exceeds the allowed times, the server revokes the log-in request. Otherwise, the server accepts the log-in request and computes a session key Sk = h(Vi , c, u). Then, the smart card and the server authenticate each other and can use the session key Sk = h(Vi , c, u) in secure communication soon. In practical implementations, the lifetime of this session is the following transaction. Furthermore, the duration of the transaction can be adjusted according various applications. E. Password-Changing Phase When user i needs to change his password, he needs to agree on a session key with the server through the log-in phase in advance. Then, the smart card can use the session key to encrypt the password-changing message {IDi , h(P Wi b )} and send ESk (IDi , h(P Wi b )) to the server. The server computes the new secret information b = i Es (h(P Wi b ) IDi CIi h(IDi CIi h(P Wi b ))) after it

B. Registration Phase The phase is done only once, and users can use their smart cards after this phase. When user i needs to register in the server, he performs the following phase with the server. First, the server veries user i by using a secure identication scheme. A simple identication scheme is going to the registration counter and giving the identication information to the server. Then, user i gives {IDi , h(P Wi b)} to the server for registration, where b is a random number chosen by user i, and P Wi is a password chosen by user i. This procedure can be done by the manager of the server in user is face. After getting {IDi , h(P Wi b)}, the server creates the card identier CIi , which is the number of cards that the server has issued to user i. If IDi is a new user, then the server will set CIi = 1 and store {IDi , CIi } in the registration table in the server. If the server issues a new card to a user i that registered before, the server can get {IDi , CIi } from the registration table. Then, the server computes CIi = CIi + 1 and stores {IDi , CIi = CIi + 1} in the registration table in the server. The server generates bi = Es (h(P Wi b) IDi CIi h(IDi CIi h(P Wi b))) and Vi = h(IDi , s, CIi ). The purpose of the authentication tag h(IDi CIi h(P Wi b)) is for data integrity. Without this authentication tag, if the encryption mode is the electronic codebook or cipher feedback mode, an attacker may forge another bi to do the denial-of-service attack. To improve the efciency, this authentication tag can be discarded if the encryption mode is the cipher-block chaining or output feedback mode. The server then issues a smart card to user i that contains {bi , Vi , IDi , CIi }. Upon getting this smart card, the user then stores b into the smart card. The memory of the smart card contains {bi , Vi , IDi , CIi , b}. User i then keeps the smart card and P Wi for the log-in phase.

JUANG et al.: ROBUST AND EFFICIENT PASSWORD-AUTHENTICATED KEY AGREEMENT USING SMART CARDS

2553

receives the message and sends ESk (b ) to the smart card. The i smart card then decrypts the message by the session key and stores b and b in its memory. i III. S ECURITY A NALYSIS In this section, we will analyze the security of our proposed scheme. A. Mutual Authentication In our proposed scheme, the goal of mutual authentication is to establish an agreed-upon session key Sk between the user and the server [1], [7], [13]. Let A mean the user, B mean the Sk server, and A B denote that the user and the server share a common session key Sk . If there is an Sk such that A believes Sk Sk A B and B believes A B for the transaction, we can say that the mutual authentication is nished between A and B [1], [7]. If a scheme can deduce the following statement [1], [7], we can say that it satises strong mutual authentication: Sk A believes B believes A B and B believes A believes Sk A B. In step 2 of the log-in phase of our proposed scheme, after A receives u and Ms from B, he will compute Ms and verify if Ms = h(c u Vi ). A can compute the session key
k Sk = h(Vi , c, u) and will believe A B. Since the random number r is chosen by A, e = (r G) is computed by A in the precomputation phase, A believes that e is fresh and can only be decrypted by B using the shared secret key Vi , and only B can use the secret key x to compute c = (e x), then A believes B k believes A B. In step 3, after B receives the message MU from A, he rst checks if the authenticator MU = h(h(P Wi b) Vi c u) is valid. If it is, he will compute the session key Sk = h(Vi , c, u) k and then believe A B. Since the random number u is selected by B, B believe that the random number u is fresh. Upon receiving the authenticator MU from A, B can verify that u is embedded in MU by A, and then, B believes A believes Sk A B.

the registration phase will generate a random number b and compute h(P Wi b). Then, the smart card sends h(P Wi b) to the server for registration. Hence, the server cannot get the correct password. D. Preventing the Ofine Dictionary Attack Without the Smart Card The ofine dictionary attack without the smart card is when an attacker can get the tapped messages and attempts to guess the users password from the tapped messages. In some cases, the attackers ofine dictionary attack will be successful if the users password is weak and the attacker has enough information to check if the password he guesses through the tapped messages is correct or not. Therefore, if the messages do not have enough information to verify the guessed password, the scheme can prevent this attack. The rst message between the user and the server is {bi , EVi (e)}. The attacker cannot verify the password P Wi from this message. If the attacker intercepts the message MU = h(h(P Wi b) Vi c u), the attacker also cannot successfully guess the password since the entropies of Vi , c, and u are all very large. E. Preventing the Ofine Dictionary Attack With the Smart Card The problem in this kind of attack is called the smart-cardlost problem. This attack is the same as the ofine dictionary attack without the smart card, except that in this case, the attacker can obtain the secret information stored in the smart card. In order to prevent this attack, the password stored in a smart card must be encrypted by the servers secret key. Even if the attacker obtains the secret information from the smart card, the attacker also cannot obtain the right password. In our scheme, the password stored in the smart card is included in bi . Only the server can use the secret key s to decrypt bi and obtain h(P Wi b). Since the attacker cannot get the hashed password, he cannot generate a valid message MU = h(h(P Wi b) Vi c u), which is used in step 3 of the log-in phase. Therefore, the attacker cannot obtain the right password and cannot create the message MU . In our scheme, the password verication must be helped by the server. If a wrong password can be veried without the help of the server, then the ofine password dictionary attack will succeed when the information stored in the smart card is compromised. It is impossible to solve the smart-card-lost problem and provide the ofine password verication mechanism simultaneously. IV. C OST AND F UNCTIONALITY C ONSIDERATION A. Low Communication and Computation Cost

B. Preventing the Replay Attack The replay attack is when an attacker tries to imitate the user to log in to the server by resending the messages transmitted between the user and the server. In our scheme, we use nonces to prevent this kind of attack. In our proposed scheme, the smart card chooses a nonce r and computes e = (r G) in the precomputation phase and then sends it to the server in the login phase. The second nonce u is selected by the server. C. Preventing the Insider Attack The insider attack is when the users password is obtained by the server in the registration phase [10]. Therefore, the user must conceal his password from the server to prevent the insider attack. In our proposed scheme, the smart card of the user in

We suppose that p and n in the schemes in [4], [6], and [23] are of 1024 bits to make the discrete logarithm and factoring problems infeasible. We suppose that the block size of secure symmetric cryptosystems is 128 bits, and the output size of a secure one-way hash function [7] is 128 bits. Let EXP be the

2554

IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 55, NO. 6, JUNE 2008

time of one exponential operation, Hash be the time of one hashing operation, Sym be the time of one symmetric encryption or decryption operation, M be the time for the modular multiplication, and ECM be the time for the multiplication of a number over an elliptic curve. The major benet of using elliptic curve cryptosystems instead of RivestShamirAdleman (RSA) cryptosystems is the reduction of the communication cost and computation cost for low-resource devices [8], [9], [12]. We assume that ECM 29 M and EXP 240 M, and they are referenced in [12] for the implementation with the StrongARM processor in 200 MHz. We refer to [12] to assume that an elliptic curve over a 163-bit eld has the same level of the security as 1024-bit public key cryptosystems such as the RSA or the DifeHellman cryptosystem. We also assume that the modulo number in an elliptic curve is of 163 bits. Therefore, it needs 163 2 = 326 bits to store a point in an elliptic curve [8], [9]. Since the registration protocol of our scheme and the schemes in [2], [7], and [21] are based on a one-way hash function, the password length can be 128 bits in our scheme and the schemes in [2], [7], and [21]. The registration protocol of the schemes in [4], [6], and [23] are based on public-key cryptosystems, and the password length of those schemes is 1024 bits. In our proposed scheme, the cryptographic parameters {bi , Vi , IDi , CIi , b} must be stored in the smart card. The length of this information is 384 + 128 + 32 + 32 + 64 = 640 bits, where the identication can be 32 bits and bi must be encrypted in three blocks, that is, 128 bits in Chien et al.s scheme [2], 0 bits in Suns scheme [21], 32 + 128 = 160 bits in Juangs scheme [7], and 32 + 32 + 384 + 1024 = 1472 bits in Fan et al.s scheme [4]. That of the parameter p is 1024 bits in Hwang and Lis scheme [6]. The length of parameters n, e, g, IDi , CID, Si , and hi is 1024 + 1024 + 512 + 32 + 32 + 1024 + 1024 = 4672 bits in Yang and Shiehs scheme [23]. In our proposed scheme, the communication cost of the login phase for cryptographic parameters bi , EVi (e), u, Ms , and MU is 384 + 384 + 64 + 128 + 128 = 1088 bits, where u can be 64 bits and bi and EVi (e) must both be encrypted in three blocks. The communication cost of log-in for cryptographic parameters is 256 bits in Chien et al.s scheme, 128 bits in Suns scheme, 256 bits in Juangs scheme, and of thousands of bits for the schemes in [4], [6], and [23]. The communication and storage cost among our scheme and related schemes is shown in Table I. In the registration protocol of our scheme, only one symmetric key operation and two hash function operations are required for a user to register and get his smart card. In the precomputation phase of our proposed scheme, it needs two multiplications of a number over an elliptic curve. In the log-in phase, our proposed scheme needs one symmetric key operation and three hashing operations for a client and needs one multiplication of a number over an elliptic curve, two symmetric key operations, and four hashing operations for the server. The computation cost of Chien et al.s scheme [2] is of one hashing function operation in the registration protocol, is of two hashing operations in the log-in protocol for the client, and is of three hashing operations in the log-in protocol for the server.

TABLE I COMMUNICATION AND STORAGE COST BETWEEN OUR SCHEME AND RELATED SCHEMES

The computation cost of Suns scheme [21] is of one hashing function operation in the registration protocol, is of one hashing operation in the log-in protocol for the client, and is of two hashing operations in the log-in protocol for the server. The computation cost of Juangs scheme [7] is of one hashing function operation in the registration protocol, is of two hashing operations and three symmetric key operations in the log-in protocol for the client, and is of two hashing operations and three symmetric key operations for the server. The computation cost of Fan et al.s scheme [4] is of two hashing function operations and one symmetric key operation in the registration protocol, is of one multiplication operation and three hash operations in the log-in protocol for the client, and is of one exponential operation, one symmetric key operation, and three hash operations for the server. The computation cost of Hwang and Lis scheme [6] is of one exponential operation in the registration protocol, is of one hashing operation, three exponential operations in the log-in protocol for the client, and is of one hashing operation, one multiplication operation, and two exponential operations for the server. The computation cost of Yang and Shiehs scheme [23] is of two exponential operations in the registration protocol, is of two exponential operations, three multiplication operations, and one hashing operation in the log-in protocol for the client, and is of two exponential operations, one multiplication operation, and one hash operation for the server. The efciency comparison among our scheme and related schemes is shown in Table II. B. No Password Table In order to prevent the server from holding and protecting a large password table, a password or a verication table should not be stored in the server. In our proposed scheme, the hashed password with a random number h(P Wi b) is encrypted in

JUANG et al.: ROBUST AND EFFICIENT PASSWORD-AUTHENTICATED KEY AGREEMENT USING SMART CARDS

2555

TABLE II COMPUTATION COST BETWEEN OUR SCHEME AND RELATED SCHEMES

TABLE III CAPABILITY COMPARISONS BETWEEN OUR SCHEME AND RELATED SCHEMES

bi = Es (h(P Wi b) IDi CIi h(IDi CIi h(P Wi b))) and is sent to the server. The server does not need to keep a password table. In our proposed scheme, the server only needs to keep a registration table to store each cards identier. This table is smaller than the password table and does not need to be kept secret. C. Choosing and Changing of Passwords by Users In our proposed scheme, every user can select his password. Hence, the user can easily remember the password. Furthermore, we provide a password-changing phase for users to change their passwords. It is impossible for a user to change a password ofine when the system can solve the smart-cardlost problem. If we can provide ofine changing of passwords

and the information stored in the smart card is compromised, any adversary may easily guess the password and change the password if he wangles a smart card. D. No Time-Synchronization Problem In the log-in phase of our scheme, we use two nonces u and r to prevent the replay attack. No logical time clocks are needed. E. Identity Protection The users identity IDi in our scheme is included in bi , which is sent to the server and is encrypted by using the secret key s in the log-in phase. Only the server can decrypt bi and get IDi . Therefore, our proposed scheme can provide identity protection.

2556

IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 55, NO. 6, JUNE 2008

F. Revoking the Lost Cards Without Changing the Users Identity In our proposed scheme, if the user loses his smart card, the server can revoke the lost card. When this user needs to obtain a new smart card, the server will set CIi = CIi + 1 and issue a new smart card to the user. G. Session Key Agreement In our scheme, the user and the server both can agree on a session key Sk = h(Vi , c, u) after the log-in phase. The functionality comparison of our scheme and related schemes is shown in Table III. V. C ONCLUSION In this paper, we have proposed an efcient and robust user authentication and key agreement scheme that not only can satisfy all the merits of Fan et al.s scheme but also can provide identity protection, session key agreement, and low communication and computation cost by using elliptic curve cryptosystems and can prevent the insider attack. Our proposed scheme is very useful in limited computation and communication resource environments to access remote information systems. In addition, our proposed scheme can withstand the ofine dictionary attack even if the secret information stored in a smart card is compromised. R EFERENCES
[1] M. Burrow, M. Abadi, and R. Needham, A logic of authentication, ACM Trans. Comput. Syst., vol. 8, no. 1, pp. 1836, Feb. 1990. [2] H. Chien, J. Jan, and Y. Tseng, An efcient and practical solution to remote authentication: Smart card, Comput. Secur., vol. 21, no. 4, pp. 372 375, Aug. 2002. [3] A. Colombo, R. Schoop, and R. Neubert, An agent-based intelligent control platform for industrial holonic manufacturing systems, IEEE Trans. Ind. Electron., vol. 53, no. 1, pp. 322337, Feb. 2006. [4] C. Fan, Y. Chan, and Z. Zhang, Robust remote authentication scheme with smart cards, Comput. Secur., vol. 24, no. 8, pp. 619628, Nov. 2005. [5] C. Hwang, L. Chang, and Y. Yu, Network-based fuzzy decentralized sliding-mode control for car-like mobile robots, IEEE Trans. Ind. Electron., vol. 54, no. 1, pp. 574585, Feb. 2007. [6] H. Hwang and L. Li, A new remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., vol. 46, no. 1, pp. 2830, Feb. 2000. [7] W. Juang, Efcient password authenticated key agreement using smart cards, Comput. Secur., vol. 23, no. 2, pp. 167173, Mar. 2004. [8] A. Jurisic and A. Menezes, Elliptic Curves and Cryptography, pp. 113, 1997. [9] N. Koblitz, A. Menezes, and S. Vanstone, The state of elliptic curve cryptography, Designs, Codes Cryptogr., vol. 19, no. 2/3, pp. 173193, Mar. 2000. [10] W. Ku and S. Chen, Weaknesses and improvements of an efcient password based remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., vol. 50, no. 1, pp. 204207, Feb. 2004. [11] L. Lamport, Password authentication with insecure communication, Commun. ACM, vol. 24, no. 11, pp. 770772, Nov. 1981. [12] K. Lauter, The advantages of elliptic curve cryptography for wireless security, Wireless Commun., vol. 11, no. 1, pp. 6267, Feb. 2004. [13] C. Lee, M. Hwang, and I. Liao, Security enhancement on a new authentication scheme with anonymity for wireless environments, IEEE Trans. Ind. Electron., vol. 53, no. 5, pp. 16831687, Oct. 2006. [14] K. Lee, S. Lee, and M. Lee, Worst case communication delay of realtime industrial switched Ethernet with multiple levels, IEEE Trans. Ind. Electron., vol. 53, no. 5, pp. 16691676, Oct. 2006. [15] G. Liu, Y. Xia, J. Chen, D. Rees, and W. He, Networked predictive control of systems with random network delays in both forward and feedback

[16] [17] [18]

[19]

[20] [21] [22] [23]

channels, IEEE Trans. Ind. Electron., vol. 54, no. 3, pp. 12821297, Jun. 2007. D. Mcelroy and E. Turban, Using smart cards in electronic commerce, Int. J. Inf. Manage., vol. 18, no. 1, pp. 6172, Feb. 1998. R. Merkle, One-way hash functions and DES, in Proc. Advances CryptologyCrypto, G. Brassard, Ed, 1989, pp. 428446. D. Nguyen, S. Oh, and B. You, A framework for Internet-based interaction of humans, robots, and responsive environments using agent technology, IEEE Trans. Ind. Electron., vol. 52, no. 6, pp. 15211529, Dec. 2005. K. Saeed and M. Nammous, A speech-and-speaker identication system: Feature extraction, description, and classication of speech-signal Image, IEEE Trans. Ind. Electron., vol. 54, no. 2, pp. 887897, Apr. 2007. K. Sim, K. Byun, and F. Harashima, Internet-based teleoperation of an intelligent robot with optimal two-layer fuzzy controller, IEEE Trans. Ind. Electron., vol. 53, no. 4, pp. 13621372, Jun. 2006. H. Sun, An efcient remote use authentication scheme using smart cards, IEEE Trans. Consum. Electron., vol. 46, no. 4, pp. 958961, Nov. 2000. A. Weaver and M. Condry, Distributing Internet services to the networks edge, IEEE Trans. Ind. Electron., vol. 50, no. 3, pp. 404411, Jun. 2003. W. Yang and S. Shieh, Password authentication schemes with smart cards, Comput. Secur., vol. 18, no. 8, pp. 727733, 1999.

Wen-Shenq Juang received the M.S. degree in computer science from the National Chiao Tung University, Hsinchu, Taiwan, in 1993, and the Ph.D. degree in electrical engineering from the National Taiwan University, Taipei, Taiwan, in 1998. He is currently an Associate Professor with the Department of Information Management, National Kaohsiung First University of Science and Technology, Kaohsiung, Taiwan. His current research interests include ubiquitous applications, cryptography, information security, and electronic commerce. Dr. Juang has been the Deputy Secretary-General of the Chinese Cryptology and Information Security Association since 2006.

Sian-Teng Chen received the B.S. degree in information management from Oriental Institute of Technology, Pan-Chiao, Taiwan, R.O.C., in 2005 and the M.S. degree in information management from Shih Hsin University, Taipei, Taiwan, in 2007. He is currently with the Department of Information Management, Shih Hsin University. His current research interests include network security and electronic commerce.

Horng-Twu Liaw was born in Taichung, Taiwan, R.O.C., on February 2, 1964. He received the B.S. degree in computer engineering from the National Chiao Tung University, Hsinchu, Taiwan, in 1986, the M.S. degree in applied mathematics from the National Chung Hsing University, Taichung, Taiwan, 1989, and the Ph.D. degree in electrical engineering from the National Taiwan University, Taipei, Taiwan, in 1992. He is currently a Professor with the Department of Information Management, Shih Hsin University, Taipei. From 1993 to 1999, he was the Director of the computer center at Shih Hsin University. From 1999 to 2005, he was the Chief of the Department of Information Management, Shih Hsin University. Since 2005, he has been the Director of the Center for Innovation and Industry Academia, Shih Hsin University. His current research interests include electronic commerce, information security, and design of algorithm.