
Graduate student: Hsiang, Han-Cheng (向漢城)
Thesis title: Remote Authentication Schemes and Their Applications to M-Commerce
Advisor: Shih, Wei-Kuan (石維寬)
Oral examination committee:
Degree: Doctor
Department: College of Electrical Engineering and Computer Science - Department of Computer Science
Year of publication: 2009
Academic year of graduation: 97
Language: English
Number of pages: 117
Keywords: Mutual authentication, Smart Card, Multi-server, Dynamic ID, m-Commerce
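  • Abstract (translated from the Chinese): In distributed network environments, conducting confidential communication over insecure channels is a very important issue. Authentication and secret-key distribution have therefore become important security services in distributed environments. Most remote mutual authentication and key agreement schemes are based on a static ID; however, a static ID may leak the user's registration information, allowing an attacker to trace a particular user by the transmitted ID and mount certain attacks. Security is therefore clearly insufficient for real-life applications such as e-commerce, and protecting users' information over insecure networks becomes an important issue. In addition, the great majority of these schemes are designed for a single-server environment. If such password authentication methods are applied to a multi-server environment, network users not only need to register repeatedly with different remote servers but also need to remember the different accounts and passwords registered at each server. This is quite inefficient and easily leads to disclosure of accounts and passwords. This dissertation therefore reviews several related studies on secure authentication and points out their security flaws. We then propose several enhanced remote user authentication schemes, covering both single-server and multi-server environments, and also present a secure authentication protocol that uses dynamic IDs, to strengthen and improve the security of the reviewed work. In addition, we propose an RFID secure authentication scheme and a secure mobile coupon protocol for practical use in real-life environments. These two m-commerce application schemes meet the necessary security requirements. In the secure mobile coupon protocol, NFC is combined with inexpensive passive tags and servers to protect against various security attacks on m-commerce applications. It is therefore well suited to real application environments.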


    Abstract
    In distributed network environments, secure communication over insecure channels is a very important issue. Thus, authentication and secret key distribution become the most important security services in distributed environments. Most remote mutual authentication and key agreement schemes are based on a static ID; the static ID may leak partial information about the user’s login message, so that an adversary may trace a particular user according to the transmitted ID and launch attacks. This is unsatisfactory for real-life applications such as e-commerce. Therefore, protecting users’ privacy in insecure networks becomes an important issue. In addition, the majority of these schemes are designed for the single-server architecture. If conventional password authentication methods are applied to a multi-server environment, each network user not only needs to log in to various remote servers repetitively but also needs to remember different identifications and passwords for accessing different servers. This is inefficient and easily leads to compromise of the identities and passwords. Hence, this study reviews several related works and points out their security flaws. Then, we present several remote user authentication schemes to enhance the security of these reviewed schemes. In addition, we propose an RFID authentication system and an mCoupons scheme for practical m-commerce environments. The proposed schemes may satisfy the essential security requirements. In the secure mCoupon scheme, NFC in combination with inexpensive passive tags and some servers is used to prevent attacks on an m-commerce application. Therefore, the proposed schemes are well suited to real application environments.

    Table of Contents

    Chinese Abstract
    Abstract
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
      1.1 Research Motivation
      1.2 Background and Objects
      1.3 Dissertation Organization
    Chapter 2 Related Works
      2.1 YRY Remote Authentication Scheme using Smart Cards
        2.1.1 Notations
        2.1.2 Review of the YRY Scheme
      2.2 WZZ Remote Authentication Scheme using Smart Cards
        2.2.1 Notations
        2.2.2 Review of the WZZ Scheme
      2.3 Juang’s Remote Authentication and Key Agreement Scheme
        2.3.1 Notations
        2.3.2 Review of Juang’s scheme
      2.4 SW Remote Authentication and Key Agreement Scheme
      2.5 SH Complete Remote Authentication Scheme
      2.6 LW Dynamic ID Based Remote User Authentication Scheme for Multi-server Environment
        2.6.1 Cryptanalysis of the LW Scheme
      2.7 LCC Authentication Protocol for Multi-server Architecture without Smart Card
      2.8 CLC Mutual Authentication Scheme for RFID Systems
        2.8.1 Quadratic residue theorem
        2.8.2 Notations and definitions
        2.8.3 Review of the CLC scheme
        2.8.4 Cryptanalysis of the CLC scheme
    Chapter 3 Remote Authentication Scheme Using Smart Cards
      3.1 Cryptanalysis of the YRY Scheme
      3.2 Cryptanalysis of the WZZ Scheme
        3.2.1 Impersonation Attack
        3.2.2 Parallel Session Attack
      3.3 Our Proposed Scheme
      3.4 Security Analysis
        3.4.1 Impersonation attack resistance
        3.4.2 Parallel session attack resistance
      3.5 Efficiency and Comparison
    Chapter 4 Authentication and Key Agreement Scheme with Perfect Forward Secrecy
      4.1 Security Flaws on Juang’s and the SW Schemes
        4.1.1 Perfect forward secrecy problem
        4.1.2 Privileged insider’s attack
        4.1.3 Slow wrong password detection
      4.2 Our Proposed Scheme
        Password change phase
      4.3 Security Analysis
    Chapter 5 Dynamic ID Based Authentication Scheme
      5.1 A Secure Dynamic ID Proposed Scheme
        5.1.1 Requirements
        5.1.2 The Proposed scheme
      5.2 Security Analysis
        5.2.1 Replay attack
        5.2.2 Password guessing attack
        5.2.3 Parallel session attack and reflection attack
        5.2.4 Masquerade attacks resistance and reparability
        5.2.5 Server spoofing and registration center spoofing
        5.2.6 Insider’s attack resistance
        5.2.7 Known-key security
      5.3 More Discussions
      5.4 Performance and Functionality Analysis
    Chapter 6 Authentication Scheme without Smart Cards
      6.1 Our Proposed Scheme
        6.1.1 Requirements
        6.1.2 The proposed scheme
      6.2 Security Analysis
        6.2.1 Provide perfect forward secrecy
        6.2.2 Resist privileged insider’s attack
        6.2.3 Resist the masquerade attack
        6.2.4 Resist the stolen-verifier attack
        6.2.5 Resist the server spoofing attack
        6.2.6 Resist the replay attack
        6.2.7 Resist the man-in-the-middle attack
      6.3 More Discussions
    Chapter 7 M-Commerce Applications
      7.1 RFID Mutual Authentication Scheme
      7.2 Security Analysis of the RFID Mutual Authentication Scheme
      7.3 A Secure mCoupon Scheme Using NFC
        7.3.1 Security Considerations of NFC and mCoupon
        7.3.2 Notations and Definitions
        7.3.3 Proposed Scheme
      7.4 Security Analysis of the mCoupon Scheme
      7.5 Performance Analysis of the mCoupon Scheme
    Chapter 8 Conclusions and Future Works
      8.1 Conclusions
      8.2 Future Works
    Bibliography

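    Full-text release date: this full text is not authorized for public release (campus network)
    Full-text release date: this full text is not authorized for public release (off-campus network)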
