Conventional authentication and key establishment methods include the TLS (transport layer security) method, which uses certificates; the SRP (secure remote password) method and the EAP (extensible authentication protocol)-MD5 method, which use passwords; and the PEAP (protected EAP) method and the EAP-TTLS (tunneled TLS) method, which use both certificates and passwords. Each of these methods has advantages and disadvantages. The TLS method needs a PKI (public key infrastructure), which is complicated and costly, and a certificate management system. The SRP method requires a large amount of exponentiation from the user terminal and is weak against 2-for-1 guess attacks. The PEAP and EAP-TTLS methods are weak against MitM (man-in-the-middle) attacks and exchange a large number of messages, and the EAP-MD5 method has the disadvantage of providing neither mutual authentication nor a session key.
In particular, it is not easy to find an 802.1x EAP authentication method that is both secure and efficient when PDAs (personal digital assistants) are used on the (public access) wireless LAN, because PDAs need a long time and consume much power when performing complicated operations such as exponentiation and inverse element computation.
General authentication factors include (1) a factor which a user memorizes (e.g., passwords) and (2) a factor which the user possesses (e.g., a token or a mobile device).
A single-factor authentication method using the password of item (1) is not secure because of the following problems. First, when the user inputs the password, another person behind the user may observe it, and the password may be exposed through keystroke monitoring. Second, the password may be exposed to attackers through social engineering such as tricks and threats. Third, the password is weak against dictionary attacks since it has low entropy. Fourth, the password may be exposed because of the user's bad habits, such as writing the password on paper or using it in many places without updating it. In particular, the public access wireless LAN service, in which network access is attempted in a hot spot area, is more exposed to these attacks: even though the EAP-SRP, PEAP, and EAP-TTLS methods, which authenticate users through passwords, are protocols secure against dictionary attacks, attackers may still acquire the passwords offline through keystroke monitoring or social engineering.
Further, the single-factor authentication method using the token or the mobile device requires a token and an input device (e.g., a card reader) for reading the token. The token, which is the second factor, includes mobile devices such as a smart card, a USB (universal serial bus) key, and PDAs. Using a USB key as the token in the radio environment therefore adds little cost, since no further hardware needs to be added. In this instance, the token is to be stored in a security module with a tamper-resistant characteristic, since the token holds secret information on a symmetric key or personal authentication.
Accordingly, the Internet or the (public access) wireless LAN requires a better authentication system than the authentication executed by the above-noted authentication components, and in particular, authentication methods that satisfy the following technical requirements are needed.
(1) Identity protection: For the purpose of privacy, it is necessary to protect the identities of clients from passive attacks such as wiretapping. In particular, this protection is useful for a user who receives an IP address through DHCP (dynamic host configuration protocol).
(2) Powerful mutual authentication: Mutual authentication between a subscriber and a network is needed, since attackers located between the subscriber and an authentication server can perform an MitM attack.
(3) Session key establishment: A session key is to be established in order to protect data communicated between the subscriber and the network.
(4) FS (forward secrecy): FS is to be provided. FS is the property that, when the long-term secret keying material of an object participating in the protocol is exposed, attackers cannot calculate past session keys from previously wiretapped sessions. FS is classified as half FS and full FS. Half FS means that the attacker cannot derive the past session key when the secret key of one of the objects (the subscriber or the authentication server) is exposed, and full FS means that the session key remains secure when the secret keys of both objects are exposed.
(5) Security against offline dictionary attacks: The protocol is to be designed such that an attacker who mounts an offline dictionary attack cannot obtain the secret information shared by the subscriber and the server.
(6) Security against MitM attacks: The (public access) wireless LAN must be designed to be secure against MitM attacks that use a rogue AP (access point) or a rogue wireless NIC.
(7) Security against replay attacks: Attackers must be prevented from retransmitting previously used messages and thereby succeeding in authentication and key establishment.
(8) Efficiency:
    Minimize operation loads: The amount of computation required must be small enough to be applicable to PDAs in the (public access) wireless LAN. The load of online computation is to be minimized by using pre-computation.
    Minimize the number of message exchanges: Fewer communication rounds are more advantageous in consideration of the efficiency of network resources and the delay on the network. Therefore, the number of messages exchanged between the subscriber and the authentication server is to be small.
    Minimize the usage of communication bandwidth: Sizes of protocol messages are to be small.
(9) Key confirmation: A legitimate user who participates in the protocol must be able to confirm that he shares a common secret session key with the desired peer.
(10) Non-repudiation: A non-repudiation function is needed to prevent the user from repudiating billing data such as the service usage time and the number of network accesses.
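Requirement (4) can be made concrete with a small comparison, added here as an illustration and not taken from the method this document describes. It contrasts a session key derived directly from a shared long-term secret with one derived from an ephemeral Diffie-Hellman exchange that the secret only authenticates; the group parameters, function names and the sample secret are assumptions constructed for the example.

```python
import hashlib, hmac, secrets

# Toy group constructed for this example: 2**127 - 1 is prime but far too
# small for real use; G is an arbitrary base chosen for the demo.
P, G = 2**127 - 1, 3

def kdf(label, *parts):
    """Length-prefixed SHA-256 over the inputs (stand-in key derivation)."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def enc(n):
    return n.to_bytes(16, "big")

def mac(long_term, gx, gy):
    return hmac.new(long_term, enc(gx) + enc(gy), hashlib.sha256).digest()

def run_static(long_term):
    """Design A: key = KDF(long-term secret, public nonces); no FS."""
    t = {"nc": secrets.token_bytes(16), "ns": secrets.token_bytes(16)}
    return kdf(b"A", long_term, t["nc"], t["ns"]), t

def run_ephemeral(long_term):
    """Design B: key from ephemeral Diffie-Hellman; the long-term secret only
    authenticates the public values. x and y are discarded on return."""
    x, y = (secrets.randbelow(P - 3) + 2 for _ in range(2))
    gx, gy = pow(G, x, P), pow(G, y, P)
    key = kdf(b"B", enc(pow(gy, x, P)), enc(gx), enc(gy))
    return key, {"gx": gx, "gy": gy, "tag": mac(long_term, gx, gy)}

def recomputable_after_exposure(long_term):
    """Record one session per design as a wiretapper would, then check what the
    later-exposed long-term secret plus that transcript determines."""
    key_a, ta = run_static(long_term)
    key_b, tb = run_ephemeral(long_term)
    # Design A: the past key is a function of the secret and the transcript.
    static = kdf(b"A", long_term, ta["nc"], ta["ns"]) == key_a
    # Design B: the secret still verifies the tag, but the key is derived from
    # g^(xy), which is neither in the transcript nor tied to the secret.
    tag_ok = hmac.compare_digest(tb["tag"], mac(long_term, tb["gx"], tb["gy"]))
    ephemeral = kdf(b"B", long_term, enc(tb["gx"]), enc(tb["gy"])) == key_b
    return {"static": static, "ephemeral_tag_ok": tag_ok, "ephemeral": ephemeral}

if __name__ == "__main__":
    print(recomputable_after_exposure(b"constructed long-term secret"))
```

In Design B, recovering a past key from the transcript would require solving the Diffie-Hellman problem in the chosen group, which is why the group size matters in practice and why the ephemeral exponents must be erased after use.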