Sie sind auf Seite 1von 60

INTERNATIONAL JOURNAL OF SECURITY (IJS)

VOLUME 5, ISSUE 1, 2011 EDITED BY DR. NABEEL TAHIR

ISSN (Online): 1985-2320 International Journal of Security (IJS) is published both in traditional paper form and in Internet. This journal is published at the website http://www.cscjournals.org, maintained by Computer Science Journals (CSC Journals), Malaysia.

IJS Journal is a part of CSC Publishers Computer Science Journals http://www.cscjournals.org

INTERNATIONAL JOURNAL OF SECURITY (IJS)


Book: Volume 5, Issue 1, May 2011 Publishing Date: 31-05-2011 ISSN (Online): 1985-2320

This work is subjected to copyright. All rights are reserved whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illusions, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication of parts thereof is permitted only under the provision of the copyright law 1965, in its current version, and permission of use must always be obtained from CSC Publishers.

IJS Journal is a part of CSC Publishers http://www.cscjournals.org IJS Journal Published in Malaysia Typesetting: Camera-ready by author, data conversation by CSC Publishing Services CSC Journals, Malaysia

CSC Publishers, 2011

EDITORIAL PREFACE
This is the first issue of volume fifth of The International Journal of Security (IJS). The Journal is published bi-monthly, with papers being peer reviewed to high international standards. The International Journal of Security is not limited to a specific aspect of Security Science but it is devoted to the publication of high quality papers on all division of computer security in general. IJS intends to disseminate knowledge in the various disciplines of the computer security field from theoretical, practical and analytical research to physical implications and theoretical or quantitative discussion intended for academic and industrial progress. In order to position IJS as one of the good journal on Security Science, a group of highly valuable scholars are serving on the editorial board. The International Editorial Board ensures that significant developments in computer security from around the world are reflected in the Journal. Some important topics covers by journal are Access control and audit, Anonymity and pseudonym, Computer forensics, Denial of service, Network forensics etc. The initial efforts helped to shape the editorial policy and to sharpen the focus of the journal. Starting with volume 5, 2011, IJS appears in more focused issues. Besides normal publications, IJS intend to organized special issues on more focused topics. Each special issue will have a designated editor (editors) either member of the editorial board or another recognized specialist in the respective field. The coverage of the journal includes all new theoretical and experimental findings in the fields of computer security which enhance the knowledge of scientist, industrials, researchers and all those persons who are coupled with computer security field. IJS objective is to publish articles that are not only technically proficient but also contains information and ideas of fresh interest for International readership. IJS aims to handle submissions courteously and promptly. IJS objectives are to promote and extend the use of all methods in the principal disciplines of computer security. IJS editors understand that how much it is important for authors and researchers to have their work published with a minimum delay after submission of their papers. They also strongly believe that the direct communication between the editors and authors are important for the welfare, quality and wellbeing of the Journal and its readers. Therefore, all activities from paper submission to paper publication are controlled through electronic systems that include electronic submission, editorial panel and review system that ensures rapid decision with least delays in the publication processes. To build its international reputation, we are disseminating the publication information through Google Books, Google Scholar, Directory of Open Access Journals (DOAJ), Open J Gate, ScientificCommons, Docstoc and many more. Our International Editors are working on establishing ISI listing and a good impact factor for IJS. We would like to remind you that the success of our journal depends directly on the number of quality articles submitted for review. Accordingly, we would like to request your participation by submitting quality manuscripts for review and encouraging your colleagues to submit quality manuscripts for review. One of the great benefits we can provide to our prospective authors is the mentoring nature of our review process. IJS provides authors with high quality, helpful reviews that are shaped to assist authors in improving their manuscripts. Editorial Board Members International Journal of Security (IJS)

EDITORIAL BOARD
EDITOR-in-CHIEF (EiC) Dr. Wei Wang Norwegian University of Science and Technology (NTNU)(Norway)

ASSOCIATE EDITORS (AEiCs) Dr.Elena Irina Neaga Loughborough University United Kindom

EDITORIAL BOARD MEMBERS (EBMs)

Dr. Jianguo Ding University of Science and Technology Norway Dr.Lei Chen Sam Houston State University United States America Professor Hung-Min Sun National Tsing Hua University Taiwan

TABLE OF CONTENTS

Volume 5, Issue 1, May 2011

Pages
1 - 12 A New Watermarking Approach Based on Combination of Reversible Watermarking and CDMA in Spatial and DWT Domain S.Bekkouche, A.Chouarfia An Exploratory Study of the Security Management Practices of Hispanic Students Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert Crossler, Jesus Tanguma

13- 21

22-34

Medical Information Security William C Figg, Hwee Joo Kam

35-61

An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobile Networks Mustafa Fayomi, Jaafer AL-Saraireh

International Journal of Security (IJS), Volume (5), Issue (1) : 2011

S.Bekkouche & A.Chouarfia

A New Watermarking Approach Based on Combination of Reversible Watermarking and CDMA in Spatial and DWT Domain
S.Bekkouche
University of Sciences and Technology Oran USTO Oran, 31100, Algeria

sbekkouche2008@gmail.com

A.Chouarfia
University of Sciences and Technology Oran USTO Oran, 31100, Algeria

chouarfia@univ-usto.dz

Abstract
Image watermarking can be defined as a technique that allows insertion of imperceptible and indelible digital data into an image. In addition to its initial application which is the copyright, watermarking can be used in other fields, particularly in the medical field in order to contribute to secure images shared on the network for telemedicine applications. In this report we study some watermarking methods and the comparison result of their combination, the first one is based on the CDMA (Code Division Multiple Access) in DWT(Discrete Wavelet Transform) domain, noted CDMA-DWT and CDMA in spatial domain, noted CDMA-SD and their aim are to verify the image authenticity whereas the second one is the reversible watermarking (the least significant bits LSB and cryptography tools) , the reversible carte mapping RCM their objective are to check the integrity of the image and to keep the Confidentiality of the patient data. A new scheme of watermarking is the combination of the reversible watermarking method and the method of CDMA-DWT and the second is the combination of the reversible watermarking and the method of CDMA-sp to verify the three security properties Integrity, Authenticity and Confidentiality of medical data and patient information. In the end, we made a comparison between these methods within the parameters of quality of medical images Initially, an in-depth study on the characteristics of medical images would contribute to improve these methods to measurements have been done on the watermarked image to verify that this technique does not lead to a wrong diagnostic. The robustness of the watermarked images against attacks has been verified on the parameters of PSNR (Peak Signal to Noise Ratio), MSE (Mean Square Error), MAE (Mean Absolute Error) and SNR (Signal to Noise Ratio ) which show that the resulting quality of combination watermarking method is good in DWT than other techniques. Keywords:
Confidentiality. Watermarking, Reversible watermarking, CDMA-DWT, Integrity, Authentication,

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

S.Bekkouche & A.Chouarfia

1. INTRODUCTION
Among the new technologies available to medical informatics some have a secondary impact because they are not specific to the medical field (optical disk, smart card). Others have an impact as it completely changes the use of computers particularly in hospitals. Among these, New network architectures will disrupt the manner to envisage the integration of HIS (Hospital Information Systems) and security of medical information. The diagnosis requires more and more exchanges of medical images from digital modalities and volumes (IRM, X-Scanner, nuclear medicine, etc...) Between public structure of care health facilities (university hospitals or departmental having high debit and allowing several remote experts to issue a notice for a better management of the patient. To stop the copying works of images and contribute to the Copyright Protection., new methods have been developed known more by watermarking. The watermarking is therefore proposed to ensure greater security by verifying image authentication and integrity, and on the other side, the patient information to be saved or transmitted in a confidential way in medical imagery. We will focus mainly on the watermarking images and medical data. Medical imagery is a field where the protection of the integrity and confidentiality of content is a critical issue due to the special characteristics derived from strict ethics, legislative and diagnostic implications. It is very important to prevent unauthorized manipulation and misappropriation of such digitized images. The risks are increased when dealing with an open environment like the internet. Medical images should be kept intact in any circumstance and before any operation they must be checked for: Integrity: that is the image or data has not been modified by non authorized people. Authentication: that is the image or data belongs indeed to the correct patient. Confidentiality: that is protection the medical image and patient information against attacks. Watermarking is a new technology which hopefully can help in that aim. Before applying watermarking techniques developed for medical imagery applications, it is important that the requirements imposed by medical images are carefully analyzed to investigate whether they are compatible with existing watermarking techniques. Different watermarking techniques have been proposed to address the problems of medical confidentiality protection and both origin and data authentication. In this work, a watermarking technique is adapted to provide the three properties of security authentication, confidentiality and integrity of medical image and patient information. This technique based on combination the CDMA-DWT [1] [10] and the reversible watermarking [2] [9] and. We will give in section 2 an overview of some reversible watermarking techniques and the desired functionalities of watermarking techniques are discussed in terms of medical images. In section 3, the new watermarking approach is presented as a well designed scheme for the medical field. We give the main functionalities of our security system. Finally, the experimental results are presented to validate the proposed approach.

2. WATERMARKING TECHNIQUES
Image watermarking is the process of embedding into image specific information that helps establishing the ownership of the image. Watermarking techniques are divided in two categories. Spatial Domain Watermarking, where the least significant bits is replaced with watermark, Frequency Domain Watermarking, where the image is first transformed to frequency domain and then the low frequency components are modified to contain the watermark. Watermarking can be applied in frequency domain by applying transforms like Discrete Fourier Transform (DFT) [13], Discrete Cosine Transform (DCT) [7] or the Discrete Wavelet Transform (DWT) [4][12]. Embedding the watermark in the frequency domain can provide more robustness than in the spatial domain. It is strong against attacks like compression where spatial domain is not. Image watermarking techniques can be distinguished according to the way the watermark is revealed

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

S.Bekkouche & A.Chouarfia

from the watermarked image. One way is by comparing this image to the original one, while the other doesnt resort to this comparison. The second are usually referred to as blind watermarking techniques and are preferable. Six different watermarking techniques each from different domain i.e. Spatial Domain and Wavelet Domain [10] watermarking have been chosen for the experiment. The techniques used for the comparative analysis of watermarking process are CDMA in spatial domain noted CDMASD, CDMA-DWT [1] [10], reversible watermarking [3] [10], RCM [8] [11], the reversible watermarking and the proposed approach which is the combination of the CDMA-DWT and the reversible watermarking. Previous work on embedding invisible watermarks can be broadly grouped into spatial domain and transform domain methods. Typically, the data used to represent the digital watermarks are a very small fraction of the host image data. Such signatures include, for example, pseudo-random numbers, trademark symbols and binary images. CDMA-SD method usually modifies the leastsignificant bits of the host image but the CDMA-DWT technique can be employing to scatter each of the bits randomly throughout the cover image. RCM is a simple integer transform that applies to pairs of pixels. For some pairs of pixels, RCM is invertible, even if the least significant bits (LSBs) of the transformed pixels are lost. The data space occupied by the LSBs is suitable for data hiding. The embedded information bit-rates of the proposed spatial domain reversible watermarking scheme are close to the highest bit-rates reported so far. The scheme does not need additional data compression, and, in terms of mathematical complexity, it appears to be the lowest complexity one proposed up to now. Reversible watermarking (RW) technique which lossless compress the bits to be affected by the embedding operation to preserve the original data and create space for the watermark. The compressed data and the watermark are then embedded into the host image. This practice of compressing original data for reversibility purpose has been widely adopted based on LSB and cryptography selects pixels or transformation coefficients, and then lossless compresses them so as to save space for the watermark. Therefore, it has the property that the embedding distortion can be completely removed from the watermarked image without any side channel. At the other side, the original host image can be recovered in its integrality.

3. PROPOSED APPROACH
3.1 Primary combination By applying the reversible watermarking(RW) [2] based on LSB bits and cryptography tools which give an image The method of CDMA-SD [3] is applied in this image for given a watermarked _image. a. Insertion process The insertion is the same of that the insertion reversible watermarking process which gives a result, considering this result as a new input or a new original image using the original watermarking dominates the CDMA in spatial domain. In the insertion process, we scan the image by rows and Lossless compress the bit-stream of LSB values as the image is scanned. Once this compressed bit-stream is obtained, we concatenate it with the encrypted patient information and hash the result of concatenation and embed it into the LSBs by scanning the image in the same pattern. The overall procedure is then a four steps process: (1) Calculate the authentication code (MAC) of the image Using SHA algorithm [7] (2) concatenate the authentication code and patient information and encrypt the resulting string; (3) Select the LSBs of all pixels and compress the resulting string using RLE algorithm [5]. (4) Concatenate the compressed string and the encrypted string and insert them back into the LSB locations by adding blanks if necessary which give a watermarked image1.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

S.Bekkouche & A.Chouarfia

The insertion process of CDMA in spatial domain [3] was applied on the watermarked image1 for obtain the watermarked_ image. the insertion primary combination has been shown below in Figure1

Insertion Reversible Watermarking

Original image

Watermarked image1

Insertion CDMASD

Watermarked image

FIGURE1: Insertion primary combination process b- Extraction process - Using the step of the extraction CDMA process [3] on the watermarked image. - The result will be used as watermarked image1. - Applying extraction reversible watermarking process [2] on the watermarked image1 to extracting data from LSBs. - Convert binary to ASCII to get to "@" character represents the end of the data inserted. - Make a decoding key using the RSA inclusion K. - Separate the footprint (size unknown) of Patient data and calculate the footprint of image to obtain the original ones. The extraction primary combination has been shown below in Figure2 Extraction CDMASD Watermarked image

Watermarked Image 1

Extraction reversible Watermarking

Original image FIGURE2: Extraction primary combination process

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

S.Bekkouche & A.Chouarfia

3.2. Second combination


By applying the reversible watermarking based on LSB bits and cryptography tools which give an image. The method of CDMA-DWT is applied in this image for given a watermarked image. Then consult the results of insertion and extraction steps and we test the performance against different types of attacks. a. Insertion process By applying the reversible watermarking [2] and CDMA - DWT [1]. 1. The insertion process is the same of that of the insertion reversible watermarking process which gives a result. 2. Considering this result as a new input or a new original image using the original watermarking dominates the CDMA in DWT domain. In the insertion process, we scan the image by rows and Lossless compress the bit-stream of LSB values as the image is scanned. Once this compressed bit-stream is obtained, we concatenate it with the encrypted patient information and the hash the concatenate result and insert it into the LSBs by scanning the image in the same pattern. The overall procedure is then a four steps process: (1) Calculate the authentication code (MAC) of the image using SHA algorithm [7]. (2) Concatenate the authentication code and patient information and encrypt the resulting string. (3) Select the LSBs of all pixels and compress the resulting string using RLE algorithm [5]. (4) Concatenate the compressed string and the encrypted string and insert them back into the LSB locations by adding blanks if necessary which give a watermarked image1. - Generation of the multilayer sequence using a Key K. - Generation of mark W. - Decomposition of the watermarked_ image1 with a DWT resolution level. - DWT (I) = (IA, DH, DV, DD) With IA: approximate image DH; horizontal detail, DV and DD vertical and diagonal detail respectively. - Insertion of the watermark in the three decomposed image details (diagonal, vertical and horizontal). The mark is weighted by the coefficient .We get the three details scored:

DH = DH + W DV = DV + W DD = DD + W

Note that the mark must be the same size as the details. - Reconstruction of the decomposed image which will give the watermarked image the inverse discrete wavelet transforms IDWT: = IDWT (IA, DH, DV, DD). The insertion process has been shown below in Figure1.

using

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

S.Bekkouche & A.Chouarfia

Insertion Reversible Watermarking

Original image

Watermarked image1

Insertion CDMADWT

Watermarked image

FIGURE1: Insertion second combination process b. Extraction process Using the extraction steps of the CDMA-DWT technique [1]. Generation of multilayer sequence with the same key insertion K. Decomposition of the image with the DWT into a single resolution level. Calculation of the correlation between multilayer sequence and three-layered image detail broken then the message is decoded. According to the sign of the correlation. The researched data is extracted three times thus allowing us to check and correct them. The result will be used as a watermarked Image Applying of extraction reversible watermarking method on the image result to get an original image. The extraction process has been shown below in Figure4 Extraction CDMADWT Watermarked image

Watermarked Image 1

Extraction reversible Watermarking

Original image FIGURE2: Extraction second combination process

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

S.Bekkouche & A.Chouarfia

4. IMPLEMENTATION AND RESULT


4.1. Test Images We have implemented six algorithms (reversible watermarking, CDMA-SD, CDMA-DWT, RCM, combination of reversible watermarking and CDMA-SD and our approach). Based on our proposal to investigate the performance of the algorithms based on PSNR values computed. The tests were performed on IRM medical images coded on 256 gray levels, bitmap format and size 256x256. We conducted tests on 10 IRM medical images.

(a)
FIGURE3 : An IRM medical image 4.2. Insertion and Extraction Data To insert the signature, the user must fill out the following input: the signature (64 bit) The secret key the number of layers used Upon insertion, the user gets the number of bits in the signature. This data is necessary for the detection phase. To detect the patient data the user must have: The marked image The key The number of embedded bits After the achievement of six techniques we compare them to evaluate the rate of evaluation of each it. 4.3. Discussion The comparative analysis of the six watermarking techniques has been done on the basis of noise and rotation attacks. Results of the individual watermarking technique have been compared on the basis of PSNR, MSE, MAE and SNR [6] given in Equations (1) to (4). The obtained PSNRs between original and watermarked images for the six techniques are used to measure the distortion caused by the watermarking. This ratio is often used as a quality measurement between the original and a watermarked image. If the PSNR is higher then the watermarked image quality is better. The PSNR is the square of ratio of maximum pixel value i.e. 255 to the MSE value. For a good image the SNR value must be high, according to the results established, we select the application field of the watermark where the luminance (Xmax) is maximum.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

S.Bekkouche & A.Chouarfia

The MSE is used to quantify the distortion generated by the digital watermarking. In fact, we use an additive scheme to watermark the image. This modification could hinder the quality of the image. The equation (2) quantifies the mean absolute differences between original image and the watermarked image.

MSE = MAE =

1 ( I (i, j ) I w (i, j)) 2 MN i j 1 MN

(1) (2) (3)

I (i, j ) I
i j

(i, j )

PSNR = 10 log 10
M 1 N 1 N

X max 2 255 2 = MSE MSE


2 Is

SNR =
1 M 1

(4)
e

(I
Where

Is )

is an original image PSNR

is watermarked image, MN is the image size. SNR 33.17 (dB) 29.04 (dB) 310.13 (dB) 38.71 (dB) 30.44 (dB) MSE 0.78 2.00 1.55e-02 0.213 1.45 MAE 0.78 1.002 6.75e01 0.213 0.228 Properties of Security Authentification Integrity and Confidentiality Integrity and Confidentiality Authentification Authentification, Integrity and Confidentiality Authentification, Integrity and Confidentiality

Reversible Watermarking (RW) CDMA-SD CDMA-DWT RCM Combinaison RW/CDMA-SD Combinaison RW/CDMA-DWT

49.20 (dB) 45.12 (dB) 66.22 (dB) 54.84 (dB) 46.51 (dB)

49.17 dB

1.265

0.7866

80.29

TABLE 1: Comparative parameters of the six techniques. 4.4. Noise Attacks on Watermarked Image The attack methodology on the watermarked image is based on the idea that an attacker does not have any access to the original image or the watermark image/signature. The attacks are, therefore, done on the watermarked image using only the watermarked image as input. The intruder, i.e. attacker, likely has no idea if the attack worked or not so the results are not known to the attacker. With addition of salt and pepper noise, performance of watermarking scheme is analyzed.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

S.Bekkouche & A.Chouarfia

Salt and pepper noise: Figure 4 (d) and figure5 (d), shows the simulation results of watermarked image with salt and pepper noise at a gain factor of 0.02. 4.5. Results of Noise Attacks

(a)

(b)

(c)

(d)

FIGURE4 : The combination RW/CDMA-SD


(a) Original image, (b)Watermarked Image after reversible watermarking, (c) Watermarked Image after RW/CDMA-SD, (d) Noise watermarked Image

(a)

(b)

(c)

(d)

FIGURE5: The combination RW/CDMA-DWT (a) Original image, (b)Watermarked Image after RW,

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

S.Bekkouche & A.Chouarfia

(c) Watermarked Image after RW/CDMA-DWT, (d) Noise watermarked Image The PSNR have been shown in Table 2 expressed in (dB) is calculated between the original image and noise Watermarked image.
Method Reversible watermarking (RW) RCM CDMA-SD in spatial domain CDMA-DWT RW/CDMA-SD Proposed approach PSNR (dB) 26.90 26.90 26.46 (dB) 26.7098 26.48 26.73 MSE 132.89 132.52 146.94 138.707 146.14 137.85

TABLE 2 : The Performance analysis of watermarking techniques against noise Attack 4.6. Results of Rotation Attack Rotation attack is among the most popular kinds of geometrical attack on digital multimedia images [8]. Three levels of rotations have been implemented. The original watermarked image is being rotated respectively by 90 degree, 180 degree and 270 degree. The rotation attack has been shown below in Figure 6.

(a)

(b)

(c)

(d)

FIGURE 6 : Rotation attack on the watermarked image (a) Watermarked image,

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

10

S.Bekkouche & A.Chouarfia

(b) Watermarked image after 90 degree rotation, (c) Watermarked image after 180 (d) Watermarked image after 270 , . TABLE 3 : Performance analysis of watermarking techniques against rotation attack

The PSNR values in Table3 show that the combination watermarking in Wavelet domain technique is having the greatest value for the PSNR value. This shows that the wavelet domain watermarking is the best practice for the digital image watermarking purpose.

5. CONCLUSION
This paper proposed an efficient digital watermark scheme to increase security, authentication, confidentiality and integrity of medical image and patient information, to transmit it via internet based on combining two watermarking techniques. First technique uses a reversible watermarking by combine the least significant bit and cryptographies tools. Second technique uses the CDMA-DWT. domain. The watermark can be used to introduce the patient's information in a private and sure manner all while preserving the visual quality of watermarked image. The experimental results show that our scheme is highly robust against others of image processing operations such as salt and pepper noise. The simulation results show that high quality image i.e. watermarked image with high PSNR is obtained by embedding the watermark in DWT domain than other techniques presented in this article. The paper focuses on the robustness of the watermarking techniques chosen from all domains of watermarking against rotation attack. It seems that the proposed approach is best and most robust for medical images watermarking. This work could further be extended to the watermarking purpose of another digital content like audio and video.

Method 90 RW/CDMA-SD RW/CDMADWT 180 RW/CDMA-SD RW/CDMADWT 270 RW/CDMA-SD RW/CDMADWT

PSNR(dB) 24.5225 (dB) 24.6972 (dB)

MSE 229.5225 220.4724

25.81

(dB)

170.582 160.225 229.3715 220.4724

26.083 (dB) 24.5225 (dB) 24.6972 (dB)

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

11

S.Bekkouche & A.Chouarfia

6. REFERENCES
[1] Chris Shoemaker, Hidden Bits: A Survey of Techniques for Digital Watermarking, Independent Study EER-290, 2002. [2] S. Boucherkha & M. Benmohamed, A lossless watermarking based authentication system for medical image, In International Journal of Signal Processing, Vol.1, N 2004. 4, [3] B. Vassaux, Technique multicouches pour le tatouage d'images et adaptation aux flux vido MPEG-2 et MPEG-4, Thse de Doctorat, Institut National Polytechnique Grenoble France, 2003. [4] Y.I. Khamlichi, M. Machkour, K. Afdel, A. Moudden, ' Medical Image Watermarked by Simultaneous Moment Invariants and Content-Based for Privacy and Tamper Detection', Proceedings of the 6th WSEAS International Conference on Multimedia Systems & Signal Processing, Hangzhou, China, April 16-18, pp109-113, 2006. [5] Rainer Steinwandt, Viktria I. Villnyi, "A one-time signature using run-length encoding", Journal Information processing Letters ,Volume 108 Issue 4,October ,2008. [6] B. Aiazzi, L. Alparone and S. Baronti. Near-lossless compression of 3-D optical data. IEEE Transactions on Geosciences and Remote Sensing, vol. 39, no 11, pp: 25472557, 2001. [7] Xu Yan-ping, Jia Li-qin,"Research of a Digital Watermarking Algorithm Based on Discrete Cosine Transform", Proceedings of the Third International Symposium on Electronic Commerce and Security Workshops(ISECS 10) Guangzhou China 29-31 July 2010 pp 373375 [8] Ping Dong, Jovan G. Brankov, Nikolas P. Galatsanos, Yongyi Yang, Franck Davoine, Digital Watermarking Robust to Geometric Distortions, IEEE Transactions on Image Processing, Vol. 14, NO. 12, December, 2005. [9] YongJie Wang, Yao Zhao, Jeng-Shyang Pan and ShaoWei Weng,"A Reversible Watermark Scheme Combined with Hash Function and Lossless Compression ", Volume 3682/2005, pp: 1168-1174, DOI: 10.1007/11552451_161, Computer Science, 2005. [10] Harsh K Verma1, Abhishek Narain Singh, Raman Kumar, Robustness of the Digital Image Watermarking Techniques against Brightness and Rotation Attack", International Journal of Computer Science and Information Security, Vol. 5, No. 1, 2009. [11] Yeh-Shun Chen, Ran-Zan Wang, Yeuan-Kuen Lee, Shih-Yu Huang "Steganalysis of Reversible Contrast Mapping Watermarking", Proceedings of the World Congress on Engineering 2008, Vol 1, WCE 2008, July 2 - 4, 2008, London, U.K [12] W.-T. Huang, S-Y. Tan, Y.-J Chang and C.-H. Chen, A robust watermarking technique for copyright protection using discrete wavelet transform, WSEAS Trans. Computers, vol. 9, no. 5, pp. 485-495, 2010.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

12

Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma

An Exploratory Study of the Security Management Practices of Hispanic Students


Yi-Chia Wu
College of Business Administration Department of Marketing University of Texas-Pan American Edinburg, 78539, USA

ywu@utpa.edu

Francis Kofi Andoh-Baidoo


College of Business Administration Department of Computer Information Systems & Quantitative Methods University of Texas-Pan American Edinburg, 78539, USA

andohbaidoof@utpa.edu

Robert E. Crossler
College of Business Administration Department of Computer Information Systems & Quantitative Methods University of Texas-Pan American Edinburg, 78539, USA

recrossler@utpa.edu

Jesus Tanguma
College of Business Administration Department of Computer Information Systems & Quantitative Methods University of Texas-Pan American Edinburg, 78539, USA

tangumaj@utpa.edu

Abstract The growing Internet and mobile technologies create opportunities for efficient communication and coordination among individuals and institutions. However, these technologies also pose security challenges. Although users understanding and behavior towards security solutions have been recognized as critical to ensuring effective security solutions, few research articles have examined user security management practices. The literature lacks empirical research that examines users everyday behavior and practices to managing security. In an effort to bridge the gap in user security management practices, this paper presents an exploratory study of how Hispanic college students manage the security of their computer systems. Specifically, we examine how ethnicity, gender, and age influence users behavior towards updating their operating systems, non-operating system software and antivirus definitions. The results reveal that gender influences the frequency of updating operating systems, antivirus definitions and nonoperating system software, whereas ethnicity and age influence only frequency of update of operating systems but not the frequency of update of non-operating system software and antivirus definitions. Keywords: Non-operating System Software, Antivirus Software, Security Practices, Software Update, Users Security Management, Hispanic.

1. INTRODUCTION
Even as the Internet and mobile technologies facilitate electronic commerce and effective global coordination and communication, users security management practices can hinder the benefits that such technologies promise [1]. Studies show that users security management is a problem [2] [3] [4] [5]. Other studies have noted that people tend to delegate computer security responsibilities to technology, trusted individuals or trusted institutions [1] [2]. When an individual

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

13

Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma

delegates his or her security responsibilities, they somehow believe that their systems security is guaranteed by the trustee (such as a family member or a roommate, even when for instance the roommate moved out). Hence the individual or computer user who has delegated his or her security responsibilities may lack information on the security safeguards that are available and what needs to be done to secure their computer systems. One specific group of users that is of concern in this paper is the Hispanic population. The rapidly growing Hispanic population has formalized a new target audience for marketers. The differences of the demographic distribution of the Hispanic population not only enforce the necessity of localization but also the modification of Hispanic online users. Even with the emerging market of Hispanic consumers, socio-economic factors such as education, income, and language barrier impede Hispanic consumers from the acceptance of online information. Among the Latino population in the United States, Mexicans are the largest national origin group. A U.S. study shows that 52% of Latinos of Mexican origins have a lower probability of online usage. Holding the socio-economic factors, such as age, income, language, generation, and nativity, constant, the Mexican population tends to have lower chances to adopt the Internet [6]. Thus, the understanding of the security behavior of the Hispanic population is useful in the design of software that may be adopted by this particular target. However, there is a lack of research on this population. This study seeks to contribute to the understanding of the security practices of the Hispanic community. Specifically, this paper examines the behavior of undergraduate students in a Hispanic serving institution with respect to how often they update operating systems, nonoperating system software (hereafter referred to as non-OS) and antivirus definitions. We also examine how ethnicity (Hispanic vs. Non-Hispanic), gender, and age influence individuals frequency or likelihood of updating operating systems, non-OS and antivirus definitions. The rest of the paper is organized as follows. We present a related background study of the topic in the next section. Here, we discuss prior related studies and present our research hypotheses. Following, we discuss the research methodology. We then present the results and discussion. Finally, we conclude the paper where we suggest some future research directions.

2. BACKGROUND AND HYPOTHESES


Dourish and Grinter [1] found that users in general had a neutral to negative attitude toward security technologies. Our definition of security practices is based on Dourish and Grinters [1] work where they define security practices as actions, and what practices and patterns people adopt to manage their security needs and accommodate them into their work (p. 393). 2.1 Operating Systems and Non-Operating Systems Vulnerabilities Unlike operating systems, the updates of non-OS are not normally set up automatically in computers [7]. End users have to regularly update the systems to enhance Internet security for the latest patch. The term patch in this paper indicates any type of update to a piece of software, whether technically a patch, update, or upgrade [8]. A patch file allows modified changes with a patching utility in a form of source code or as binary code to current files. The purpose is to replace file content with either the line- or byte-level code [8]. Users who are aware of the necessity of updating the non-OS tend to be more knowledgeable and sensitive to security vulnerabilities. The failure of updating non-OS will threaten clients stored information. Nonoperating systems include: instant messaging (Yahoo, AOL, MSN), accounting software, PDF viewers (Adobe Acrobat, Ghostview), Microsoft Office (Windows and Mac), music players (iTunes, Winamp, RealPlayer, Windows Media Player) and email clients (Mozilla, Eudora, Outlook, Lotus Notes) [9]. Many operating systems provide automated notifications for end users to update the patches. Operating systems are a lucid target for patch management because the usage is prevalent. Network applications are easy targets for attacks from outsiders since the damage can influence a work station or the entire organization [10]. The problem is, particularly for non-technical end users, not all of the non-OS automatically notify users about the availability of update packages [8]. The risks for end users, individual or organizations, of not updating a non-OS increase when the patch is not applied [11]. The longer the delay is for updating the

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

14

Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma

patches, the more vulnerable the computer is to outside attacks. It is increasingly dangerous when the end users fail to update a patch within days of it being made available [8]. 2.2 Factors That May Influence Security Behavior One of the major demographic variables that may influence security practices is gender. Furnell, Bryant and Phippen [12] conducted research on the awareness of security issues and respondents attitude on the use of safeguard tools of 415 personal internet users in the UK. The findings indicated that male respondents tend to be more confident in considering themselves as advanced in IT experience. Similarly, Dourish and Grinters [1] study noted that age influences users attitude towards security. In this study, we use students from a higher education institution for our study. This is very important especially for the group of users that is the target of this study. Education levels influence Internet usage [13]. Ten percent of Latinos have a college degree, and of that small group, 89% go online. By comparison, 28% of whites have college degrees, and 91% of them use the Internet. Twenty percent of African Americans have college degrees, and 93% report using the Internet [14]. According to previous studies, higher education may lead to higher confidence and the adoption of self-service technology [13]. According to the 2010 United States census data, Hispanics make up the fastest growing ethnic group in the population [15]. Also, Latinos are a young population with approximately twice as large a share of adults under age 40 than that among the white non-Hispanic population. Sixtyseven percent of Latinos age 18-29 go online, whereas 77% of African Americans and 86% whites in the same age range go online [14]. For ages 30-41, 61% of Latinos, 77% African Americans, and 85% whites go online. Fifty-eight percent of Latinos, 69% of African Americans, and 80% of whites age 42-51 use the internet. Finally 46% of Latinos, 49% of African Americans, and 75% of whites age 52-60 go online [14]. Based on the extant literature discussed in this section, we present a set of hypotheses that are tested in this exploratory study (see Table 1). Our dependent variables are frequency of updates of operating systems, non-OS and antivirus definitions whereas the independent variables are Ethnicity (Hispanic vs. Non-Hispanic), Age (< 21 years vs. >= 21 years) and Gender (Male vs. Female).
H1 H2 H3 H4 H5 H6 H7 H8 H9 Non-Hispanics are more likely to update their operating systems software than Hispanics. Non-Hispanics are more likely to update their non-operating system software than Hispanics. Non-Hispanics are more likely to update their antivirus definitions than Hispanics. Males are more likely to update their operating systems than Females. Males are more likely to update their non-operating systems than Females. Males are more likely to update their antivirus software than Females. Students less than 21 years of age are more likely to update their operating systems than those older than 21 years. Students less than 21 years of age are more likely to update their non-operating systems than those older than 21 years. Students less than 21 years of age are more likely are to update their antivirus software than those older than 21 years. TABLE 1: Set of Hypotheses tested in this study.

3. METHODOLOGY
Dourish and Grinter [1] found that users in general had a neutral to negative attitude toward security technologies. Our definition of security practices is based on Dourish and Grinters [1] work where they define security practices as actions, and what practices and patterns people adopt to manage their security needs and accommodate them into their work (p. 393).

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

15

Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma

Data Collection A survey was conducted to gather information regarding students behavior to security practices. The sample consisted of 315 students taking an entry level Computer Information Systems class in a Hispanic serving university in the South Eastern region of the United States. This study allowed students to have abundant time to answer the survey questions and guaranteed the anonymity of the responses. Students were permitted to opt out anytime during the administration of the survey. There were no identifying questions enclosed in the survey. The survey included demographic questions based on the 2010 United States Census form. This study uses the chi-square statistical test to examine the percentage of students responses that fit into the various categories of the frequency of updates (automatic, weekly, monthly, rarely, never, and I dont know) for the different values of the independent variables. The independent variables are gender, ethnicity, and age.

4. RESULTS AND DISCUSSION


According to 2000 census Overview of Race and Hispanic Origin guideline, Hispanics can be categorized as any race. Hispanic groups such as Mexican, Puerto Rican, or Cuban, are classified as Some other race category [6]. Therefore, students who self-identify themselves as Hispanic may contain Hispanic origin as well as with at least one other race. In order to examine different levels of demographic variables affecting the frequency of updating the operating systems, non-OS and antivirus definitions among students, this study splits race into two categories: Hispanics/Latinos and Non-Hispanics/Latinos. Table 2 presents the Chi-square analysis for the % distribution of students responses within the different categories within the independent variables.
Operating System Auto W Gender N ? X2 Non-Operating System W M R X2 Antivirus Update W M R X2

Male 69.5 16.1 7.6 6.8 18 17.1 65 39.4 24 36.5 15.88 9.959 6.777 Female 70.4 5 7.5 17.1 9.1 10.1 80.8 25.7 24 50.3 Hispanic 70.7 8.7 6.3 14.3 Ethnicity 10.56 2.827 0.285 Non-Hispanic 62.1 13.8 21 3.4 < 21 71 6.7 8 14.3 Age 7.545 0.734 1.026 >=21 66.2 16.9 6.5 10.4 Note: All the numbers are in the unit of percentage except for Chi-Square. Auto = Automatic update, W = Weekly, M = Monthly, N = Never, ? = I don't know, R = Rarely, X2 = Pearson Chi-Square. TABLE 2: Chi-Square Analysis-User Response Percentage Distribution

Prior to discussing the statistically significant differences in our results, it is interesting to note the low overall level of security practices. Operating system updates is the behavior that is most regularly performed automatically. However, this is a setting that is generally set by default and taken care of by the operating system vendor. When it comes to updating non-Operating System software and antivirus definitions there is very poor performance. While this in itself presents useful information for the overall population of interest, we also demonstrate in the following section that there are differences in behavior based on demographic variables.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

16

Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma

Hypothesis H1 H2 H3 H4 H5 H6 H7 H8 H9

Pearson ChiSquare

P-Value

Hypothesis supported? Yes Yes Yes Yes No No Yes No No

Males are more likely to update their operating systems than 15.881 0.001*** Females Males are more likely to update their non-operating systems 9.959 0.007*** than Females Males are more likely to update their antivirus software than 6.777 0.034** Females Non-Hispanics are more likely to update their operating 10.56 0.014*** systems software than Hispanics Non-Hispanics are more likely to update their non-operating 2.827 0.243 system software than Hispanics. Non-Hispanics are more likely to update their antivirus 0.285 0.867 definitions than Hispanics Students less than 21 years of age are more likely to update 7.545 0.056* their operating systems than those older than 21 years Students less than 21 years of age are more likely to update 0.734 0.693 their non-operating systems than those older than 21 years Students less than 21 years of age are more likely are to 1.026 0.599 update their antivirus software than those older than 21 years Note: *** Significance at 0.01, ** Significance at 0.05, * Significance at 0.1 TABLE 3: Results of the Hypotheses tests

Table 3 shows that gender is the only independent variable that significantly influences the frequency of update of all the three dependent variables (operating systems, non-OS and antivirus definitions). The Ethnicity and Age variables only significantly influence the frequency of update of operating systems but not non-OS and antivirus definitions. 4.1 Gender and Frequency of Update of Operating System The calculated Pearson Chi-Square (2 = 15.881, d.f. = 3) and its corresponding p-value (p < .05) for the relationship between frequency of update of operating system and gender indicate that hypothesis 1 is supported at the 5% significance level. Our research shows that males are more likely to update their operating systems frequently than females. While the difference in the number of students who set up their operating system to automatic update is low between males and females (69.5% v. 70.4%), there are differences for the weekly and I dont know" categories. This observation can be explained by Durish and Grinters [1] observation that individual users are likely to rely on a set of guarantees such as technology, family member, friends or institutions and delegate their security responsibilities to the guarantee. As we can see from our data, the female users were more dependent on the guarantee than the males as we see that more males updated their antivirus on a weekly basis. Further, the percentage of those who responded I dont know was far higher for females (17.1%) compared to 6.8% for males. This suggests that females are more likely to exhibit a security behavior whereby once they delegate their security management responsibility do not even worry about what security guards are available on their systems and do nothing to enhance the security of their systems. 4.2 Gender and Frequency of Update of Non-OS Once again our data reveals that males are more likely to update their non-OS than females. Hence hypothesis 2 that states that males would update their non-OS more frequently than females is supported. Although both hypotheses 1 and 2 are supported, there is a sharp distinction concerning gender and frequency of update between operating systems and non-OS. Unlike the operating systems where a great majority of both males and females set their systems to automatic, here a great majority report that they rarely update their non-OS (80.8% females to 65.0% males). Both females and males feel that they are at disadvantage in comparison with hackers and others who can undo all what they could do to protect their security and would rather prefer to delegate their security management practice to a tool or trusted person or institution and not be bothered by the mundane of managing non-operating systems.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

17

Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma

4.3 Gender and Frequency of Update of Antivirus Definitions Hypothesis 3 is supported as the Pearson Chi-Square was significant at the 5% level. Specifically, about 39.4% males compared to 25.7% females update their antivirus definitions on a weekly basis. In addition, while 50.3% of females update their antivirus definitions rarely, only 36.5% of males do so. This suggests that males are less likely to delegate their responsibility to update their antivirus definitions to others and take time to frequently update their antivirus definitions in comparison to females. 4.4 Ethnicity and Frequency of Update of Operating System The literature suggests that Non-Hispanics are more likely to have experience with computers than Hispanics. Dourish and Grinter [1] suggest that experience with technology influences users behavior towards security management practice. Thus as we observe from the data, NonHispanics are more likely to update their operating systems more frequently than Hispanics because the former have more experience with technologies such as operating systems. Hence hypothesis 4 is supported. We also observe from our data that Hispanics are more likely to delegate their security management practice to the technology as observed in 70.7% of Hispanics compared to 62.1% setting their operating systems to automatic update. However, more NonHispanics update their operating systems on a weekly basis with higher percentage of Hispanics responding that they do not know whether their operating systems are being updated or not. 4.5 Ethnicity and Frequency of Update of Non-OS The Pearson Chi-Square value (2 = 2.827, d.f. = 2, p = 0.243 > = 0.05) for hypothesis 5 that tests the relationship between ethnicity and frequency of update of non-OS demonstrates that the hypothesis was not supported by our data. A plausible reason for this observation is that most users may have negative attitudes towards non-OS systems in terms of how they may hinder how they use their systems [1]. Similarly, others have observed that users sometimes believe that hackers have more technological skills than they do and that whatever they do to protect their computers against viruses and other attacks, hackers can overdo and so make no effort to work towards protecting the security of their computer systems [1] [5]. Dourish and Grinter [1] also note that users see security as a barrier. They observed from their study that users could not distinguish between security and spam. To the users, security and spam were different aspects of security and so feel that a single technology can address all kinds of problems. Hence they are less interested in addressing issues of non-OS. Thus, users lackadaisical attitudes towards updating non-operating systems may not differ between ethnicities (here Hispanics and NonHispanics). 4.6 Ethnicity and Frequency of Update of Antivirus Definitions Similar to the relationship between ethnicity and frequency of update of antivirus definitions, the relationship between ethnicity and frequency of update of antivirus definition is not significant. Thus, hypothesis 6 is not supported by our data. Once again, users may rely on technology and may not see the importance of worrying about updating antivirus definitions. Dourish and Grinter [1] observe that users may look at an antivirus definition as complete solution to security problems. 4.7 Age and Frequency of Update of Operating Systems Our results reveal that young people (ages < 21) delegate their responsibility to update operating systems to technology than people older than 21 years (71% vs. 66.2%). At the same high percentage of people older than 21 update their operating systems on a more regular weekly basis than those who are younger than 21. The situation is different when it comes to those who report that they never update their operating systems or do not know whether their operating systems are updated or not. The results suggest that those young people who have experience with operating systems would typically set their systems to automatic update while those who may have less experience may not care about the update of the operating systems. However, in general gender influences the frequency of update of operating systems supporting other studies

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

18

Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma

that suggest that gender influence security practice. Thus hypothesis 7 is supported by our data at the 10% significance level. 4.8 Age and Frequency of Update of Non-OS For the relationship between age and frequency of updating the non-OS, the calculated Pearson Chi-Square value (2 = 0.734, d.f. = 2, p > .05) indicates that hypothesis 8 is not supported by our data. The explanation that was offered for relationship between ethnicity and frequency of update of non-OS may be relevant in this relationship as well. While Dourish and Gritner [1] observe that young people have confidence in what they can do with computer systems, they generally are unhappy with security technologies that hinder their abilities to work efficiently and may therefore choose not to worry about updating non-OS which they may feel would hinder their overall productivity and experience with their computer systems. 4.9 Age and frequency of update of antivirus definition Age was not found to influence the frequency of update of antivirus definitions. Hence our data did not support hypothesis 9. Once again, users irrespective of age would rather delegate responsibility of updates of antivirus definitions or may not be bothered.

5. CONCLUSION
The study examined security management practices of Hispanic college students. Specifically, we examine how ethnicity, gender, and age influence users behavior towards updating their operating systems, non-OS and antivirus definitions. The results reveal that gender influences the frequency of updating operating systems, non-OS and antivirus definitions, whereas ethnicity and age influence only frequency of update of operating systems but not the frequency of update of non-OS and antivirus definitions. In particular, we observe that non-Hispanic students rarely update their systems. Second, male students tend to update their system more frequently. Our research supports other study that demonstrates that male users in a primarily Hispanic institution not only update non-OS more frequently than females, but also update Anti-Virus software more frequently as well [17]. Our results also support prior research that shows that users typically delegate their security management responsibilities to technology, trusted individuals and institutions [1].

6. SUGGESTIONS FOR FUTURE RESEARCH


The fundamental question that derives from this research is: what are the implications for end users in regard to updates of operating systems, non-OS and antivirus definitions. It is arguable that certain non-operating systems would not endanger individuals information security when the software is not exploited frequently. Without the updates of the new patches, the original files are still protected and performed with no technical issues. The non-OS such as iTunes can function without the new updates based on the end users purposes. However, the lack of new updates of anti-virus software will imperil the end users information security if the new patches are not updated in time exposing the user to threats from outside attacks. This empirical study concludes that race (Hispanic versus non-Hispanic students) and age are not significant indicators for non-OS and antivirus definition update. For further research, this study suggests that the range of the non-OS should be narrowed down to several specific categories in order to detect participants awareness of non-OS updates. Additionally, future research could conduct a similar survey at a non-primarily Hispanic serving institution and compare the results. The results would provide insight to the differences in security practices between the groups of students served at each of these universities. Further research could also be conducted that utilizes theories, as opposed to demographics to hypothesize differences in security practices at primarily Hispanic serving institutions.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

19

Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma

7. REFERENCES
[1] P. Dourish, R.E. Grinter, J.D.D.L Flor, and M. Joseph. Security in the wild: user strategies for managing security as an everyday, practical problem. Personal Ubiquitous Computing, vol. 8, pp. 391401, 2004. B. Friedman, D. Hurley, D. Howe, E. Felten, and H. Nissenbaum. Users Conceptions of Web Security: A Comparative Study, Short paper presented at ACM Conf. Human Factors in Computing Systems CHI, Minneapolis, MN, USA, 2002. J. Rimmer, I. Wakeman, L. Sheeran and M.A. Sasse. Examining users repertoire of internet applications, In Sasse and Johnson (eds), Human-Computer Interaction: Proc. of Interact99, 1999. L. Sheeran, M.A. Sasse, J. Rimmer and I. Wakeman. (2002). "How Web browsers shape users understanding of networks." Electronic Library, The. [On-line]. 20(1), pp. 35-42. Available: http://www.emeraldinsight.com/journals.htm?articleid=861950 [Jan. 31, 2011]. D. Weirich and M.A. Sasse. Pretty good persuasion: a first step towards effective password security for the real world, In: Proc. of the ACM new security paradigms workshop (NSPW 2001), Cloudcroft, New Mexico, ACM Press, New York, 2001, pp. 137143. S. Fox and G. Livingston. Latinos Online: Hispanics with Lower Levels of Education and English Proficiency Remain Largely Disconnected from the Internet. Internet: http://www.eric.ed.gov/PDFS/ED495954.pdf, Mar. 14, 2007 [Jan. 22, 2011]. Home network security. United States Computer Emergency Readiness Team. Internet: http://www.us-cert.gov/reading_room/home-network-security/#IV-A-7, Dec. 5, 2001 [Jan. 25, 2011]. J. Antman. Patch Management: An Overview. http://rutgerswork.jasonantman.com/antman-patchManagement.pdf, Dec. [January 21, 2011] 10, Internet: 2008,

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

Updating non-operating system software, Updating non-operating system software to prevent security compromises. Internet: UCSF ITS, University of California, San Francisco: http://security.ucsf.edu/EIS/BestPractices/Staff/StaffUpdatingSoftware.html, 2010 [Jan. 25, 2011] D. Brandl. (2008). DONA forget about security. Control Engineering. 55 (12), pp.14. C. Higby and M. Bailey. Wireless security patch management system, in Proc. of the 5th conference on Information technology education, Salt Lake City, UT, USA: ACM, 2004.

[10] [11]

[12] S.M. Furnell, P. Bryant, and A.D. Phippen. (2007). Assessing the security perceptions of personal Internet users. Computers & Security. [On-line] 26 (5), pp. 410-417. Available: http://www.sciencedirect.com/science/article/B6V8G-4N6NJTT1/2/492a40cf1c60d7fbf02f0bdc01c3f609 [Jan. 25, 2011]. [13] M.L. Meuter, M.J. Bitner, A.L. Ostrom and S.W. Brown. Choosing among alternative service delivery modes: An investigation of customer trial of self-service technologies. Journal of Marketing, vol. 69(2), pp. 61-83, 2005.

[14] S. Fox and G. Livingston.Latinos Online: 2006-2008: Narrowing the Gap. Internet: http://pewhispanic.org/reports/report.php?ReportID=119, Dec. 22, 2009 [Jan. 22, 2011].

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

20

Yi-Chia Wu, Francis Kofi Andoh-Baidoo, Robert E. Crossler & Jesus Tanguma

[15] K. Humes, N. A. Jones and R.R. Ramirez. Overview of Race and Hispanic Origin: 2010, 2010 Census Briefs. Internet: http://www.census.gov/prod/cen2010/briefs/c2010br-02.pdf, Mar. 2011 [Jan. 22, 2011] [16] E.M. Grieco and R.C. Cassidy. United State Overview of Race and Hispanic Origin: Census 2000 Brief. Internet: http://www.census.gov/prod/2001pubs/cenbr01-1.pdf, Mar., 2001 [Jan. 22, 2011]. R. Crossler, M. A. Villarreal, and F. K. Andoh-Baidoo. A Preliminary Study Examining the Security Practices of Hispanic College Students. SouthWest Decision Science Institute, 2011.

[17]

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

21

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

Medical Information Security

William C. Figg, Ph.D.


Dakota State University Business and Information Systems Madison, SD 57042 USA

William.figg@dsu.edu

Hwee Joo Kam, M.S.


North Central Michigan College Computer Information Systems Petoskey, MI 49770 USA

hkam@nemich.edu

Abstract Modern medicine is facing a complex environment, not from medical technology but rather government regulations and information vulnerability. HIPPA is the governments attempt to protect patients information yet this only addresses traditional record handling. The main threat is from the evolving security issues. Many medical offices and facilities have multiple areas of information security concerns. Physical security is often weak, office personnel are not always aware of security needs and application security and transmission protocols are not consistently maintained. Health insurance needs and general financial opportunity has created an emerging market in medical identity theft. Medical offices have the perfect storm of information collection, personal, credit, banking, health, and insurance. Thieves have realized that medical facilities have as much economic value as banks and the security is much easier to crack. Mostly committed by insiders, medical identity theft is a well-hidden information crime. In spite of its covert nature, the catastrophic ramification to the victims is overt. This information crime involves stealing patients records to impersonate the patients in an effort of obtaining health care services or claiming Medicare on the patients behalf. Unlike financial identity theft, there is a lack of recourse for the victims to recover from damages. Medical identity theft undermines the quality of health care information systems and enervates the information security of electronic patient record.
Keywords: Medical Identity Theft, Electronic Patient Record, Information Crime, Information Security

1. INTRODUCTION
Medical offices have in the past focused on the gathering and disseminating information for the efficient treatment of patient maladies. Security was often limited to traditional methods of locking file rooms or file cabinets. The introduction of computers increased the efficiency of medical record keeping but it also increased the security exposure. Computer management of records took information from the hands of a manageable few and created opportunities for leaks, mismanagement and outright theft. Why would anyone be interested in medical information? If the medical facilitys gathering of information is considered the value is easily understood. Records contain personal information including the big three; birthday, social security numberand address. The second portion is financial with the repeat of the previous plus credit and banking information. The last focus is the medical information with the possibility of embarrassment or even blackmail. The advent of electronic patient records has inadvertently created opportunities to health care frauds including medical identity theft. Inaccurate medical records may lead to medical mistreatment that will cause catastrophic consequences to a patient. Literature reviews show the paucity of this research topic. Not many literatures discuss about the crime of medical identity theft and the ramification of data security

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

22

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

breaches in health care. Perpetrators treat victims merely as a commodity and they show a complete lack of concern for the damages they did to patients health and to the health care systems [31]. Many assume that medical identity theft is no different from financial identity theft but in fact medical identity theft has more devastating effects on patients for there is a lack of recourse for patient to correct the false entries in their medical records. In reality, false medical information can kill a patient.

2. ELECTRONIC PATIENT RECORD


In health care industry, patients data are vastly shifting from paper records to electronic records. Electronic patient record is a computer based memory that can be assessed over networks both internally and externally and it is highly structured, ordered and classified by a unique identifier [27]. Specifically, electronic patient record contains all the health care related information of a patient and combines several enterprise-based electronic medical records concerning one patient [30]. Electronic patient records changed the way patients information is stored. The adoption of electronic patient records is growing [12]. Moving towards electronic based health care systems enables health providers streamline automated processes as well as specific applications that can help doctors with diagnosis and treatment of patients [14]. In addition, the implementation of electronic patient records serves the purposes of electronic billing, telemedicine, and worldwide data mining of health trend [17]. Electronic patient records, however, are a double-edged sword. With the advent of electronic patient records, patients data can easily be shared among physicians, health care providers, nurses, supporting staff, medical research, and public health care services [30]. Basically, most health care information including patients data is not generated solely within a physician/patient relationship, but is generated from the diverse sources, such as non-physician specialist, nurse practitioners, public health officers, laboratories, and other ancillary health care professions [16]. The sharing as well as distribution of patient information enables productive medical research, proper treatment of patients, and improvement in health care quality. On the other hand, electronic patient records pose a challenge to maintain information confidentiality, integrity, and availability (1) the computerized record infers that the requester has the same hardware and software communication protocol and thus enables easy access to data [27]. This may open doors to the unauthorized parties who may unscrupulously steal patients data for personal benefits, alter patients records, and expose patients medical history. In other words, the high accessibility of patients data has made it easier for perpetrators to invade patients information confidentiality, integrity, and availability and commit health care fraud. Many healthcare experts are worried that as industry moves toward the adoption of electronic patient records, the threat of medical identity theft poses a growing challenge and places patients at a greater risk [29]. Similarly, the proposed National HealthcareInformation Network (NHIN) mandated by President Bushs 2004 Executive Order may increase the risk of patients information security. (2) Another problem is the operational issue in health care setting: the electronic patient records are not kept in one designated location due to the interoperability of the Integrated Delivery Systems (IDS). The records can be viewed by the government agencies, regional health database organizations or information brokers under the Integrated Delivery Systems (IDS). The unauthorized parties who work in the health care setting may have the opportunities to call up a screen to view the patient-based data. (3) Inventive persons might circumvent obstacles to access data by borrowing passwords or smart cards and then transmit the data world-wide over networks or compare sensitive data from various resources [27]. Given that, the implementation of electronic patient records that is initially meant to streamlining automated health care processes and improving health care quality have unintentionally encouraged patients data security breaches and health care fraud.

3. TECHNOLOGY AS A SECURITY MECHANISM


Technology advancement that has led to the implementation of electronic patient record is not really the culprit of patients privacy and security breaches. Amid the threats of health care fraud and violation of patients information security, there are security mechanisms available to safeguard electronic patient records. The following studies exemplify the application of information technology that serves the purpose of protecting patients information security. (1) The distributed information architecture for public health adopts a distributed data storage approach to protect patients information. A distributed database is deployed to prevent the creation of a monolithic repository, vulnerable to breach or misuse [24]. (2) A

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

23

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

research conducted by University of Michigan imposes security mechanism to protect sensitive health data. A system called the honest broker is developed to embark upon the issue of health information security. The Honest Broker (HB) is built on the two-component architecture the non-identifiable data is stored in a separate system whereas the identifiable data is stored in another system. HB meditates between these systems and manages data transfer and electronic storage of personal health identifiers [4]. This architecture increases the burden on attackers who need to compromise two systems in order to match the identifiable record with the non-identifiable one. (3) Technology can mitigate the threat of the de-identification of anonymous data and reduce the risks involving the linkability of genomic data such as DNA. A patients location visit pattern, or trail, can be constructed because patients are mobile and their data can be collected and shared by multiple health care organizations. The uniqueness of patients trail can link to a patients record, revealing a patients identity. A formal privacy protection model called kunlinkability is introduced to thwart the trail re-identification and prevent the tracing of DNA records of a patient [22]. This model adopts computational basis and is configured to strip off patients identifiers in a biomedical database.

4. HEALTH CARE MANAGEMENT AND ADMINISTRATION


Although the aforementioned security mechanism supported by information technology can assuage the violation of patients information security, a few literatures have unveiled the fact that non technical challenges such as administrative and management issue have adversely impacted patients information security and posed a thorny issue. Currently, the health care industry lacks precise instrumentation and makes no serious attempt to measure health care fraud; there has been attempt initiated by Office of Inspector General (OIG) to institute its annual audit program but the weak methodology produces only low loss estimates [31]. Furthermore, health care administration and management have permitted patients information to be reviewed and used without patients consent in the name of cost saving, quality improvement, public health, advances in research, and other commendable goals [1]. For instance, insurance companies, managed health care organizations, and health care employees are interested to access individuals medical records in an attempt to reduce expenses [17]; managed care companies insist on reviewing medical charts to determine if care should be authorized; accrediting bodies want to ensure that the clinicians notes are detailed and complete; government agencies seek identifiable information for planning purposes; and law enforcement agencies see medical records a mean to identify and convict wrongdoers [1].

5. DATA SECURITY BREACHES: MEDICAL IDENTITY THEFT


Given that many parties can view patients medical records without patients knowledge, data security breaches in health care have unfortunately become common. According to William Wikenwerder, the assistant secretary of defense for health affairs, privacy and security are the Chernobyl that is waiting to happen for the healthcare industry [5]. Among the data security breaches in health care, the newly emerging health care privacy threat is medical identity theft, which is considered a crime. Byron Hollis, director of the antifraud department at the Blue Cross and Blue Shield Association, mentioned that ''medical identity theft is the fastest-growing form of health care fraud (Pear, 2008). Through 2005, there have been nearly 18,000 cases of medical identity theft or about 1.8% of all identity theft cases reported to Federal Trade Commission (FTC) [5]. According to World Privacy Forum, there have been 19, 428 complaints regarding medical identity theft to the Federal Trade Commission (FTC) since 1992, the earliest date the FTC started to process the complaints; and the number of people who experienced medical identity theft rose from 1.6 percent in 2001 to 1.8 percent in 2005 [9]. In addition, the World Privacy Forum issued a report revealing that the growing of medical phenomenon is estimated to have impacted as many as 3.25 million people [3].

6. WHAT IS MEDICAL IDENTITY THEFT?


Identity theft, essentially, refers to the appropriation of an individuals personal information in order to impersonate that person for ones financial gain or other benefits [32]. In this regard, medical identity theft is defined as an occurrence in which a person uses another persons identity such as persons name, insurance information, Medicaid number or social security number, without the persons knowledge and consent, to obtain medical care or services or to generate a plethora of bogus medical bills for the purpose of claiming Medicare[8]. According to World Privacy Forum, medical identity theft is an

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

24

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

information crime and a health crime that can have medical, financial and other impacts [9]. The victims of medical identity theft can be patients, physicians, and nurses. Strictly speaking, medical identity theft is part of health care fraud, which, according to National Health Care Anti-Fraud Association, is an intentional deception or misrepresentation that the individual or entity makes knowing that the misrepresentation could result in some unauthorized benefit to the individual, or the entity or to some other party[25]. In the context of law, health care fraud is defined as whoever knowingly and willfully executes, or attempts to execute, a scheme or artifice - (1) to defraud any health care benefit program; or (2) to obtain, by means of false or fraudulent pretenses, representations, or promises, any of the money or property owned by, or under the custody or control of, any health care benefit program (Legal Information Institution, Cornell University Law School). Although medical identity theft can fit into the legal definition above, it is best understood in the context of information crime - a very sophisticated crime that involves theft or abuse of identity information and causes financial losses to victims, health care provides, and insurers.

7. MEDICAL IDENTITY THEFT VS. FINANCIAL IDENTITY THEFT


Medical identity theft is under-report, under-research and poorly documented [13]. Many people assume that medical identity theft is no different from financial identity theft but there are differences among these two: (1) Financial identity theft mostly involves stealing someones identity to make a staggering number of financial and personal transactions in someone elses name [32]. Similarly, medical identity theft also includes the stealing of patients information for personal gains. However, medical identity theft will devastate not only the victims finances but also the health care services the victim will receive in the future. The perpetrators may steal patients records to sell them in the black market or they may alter patients records (e.g.: add false entries regarding diagnosis) to claim the Medicare. Victims who have their medical records altered by the perpetrators will receive wrong medical treatment that may cause catastrophic consequences to their health. (2) Compared to financial identity theft, most of the medical identity thefts are conducted by insiders who may turn out to be the patients relative or family members, physicians who have access to patients records, nurses, billing clerk, lab technicians etc. In other words, medical identity theft is an insider job. (3) While the victims of financial identity thefts are presented with recovery tools to control the damages, the victims of medical identity thefts have no recourses for recovery once they discovered false entries in their medical records. Under Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules, the Accounting of Disclosure (45 C.F.R. 164.528) requires health care providers (covered entities) to maintain an accounting for disclosure and it could possibly help some victims of medical identity theft. However, there are exceptions: a covered entity is not required to maintain accounting of disclosures for treatment, payment, or health care operation. Under this circumstance, victims of medical identity theft are almost impossible to track the flow of medical information in an attempt to view the false entries created by perpetrators [9]. (4) As financial identity theft can be traced using credit reports, medical identity theft unfortunately is a hidden crime that is difficult to uncover. Financial identity theft that involves usurping someone elses credit card is very self-revealing as account holder may notice the changes in credit card statements. Nevertheless, reviewing credit report may not catch medical identity theft because what you see is never a problem [31]. Medical identity theft, indeed, is a very sophisticated crime committed by highly educated and well-trained medical employees with sophistication. Usually, the less sophisticated or greedier criminals get caught.

8. DYNAMICS OF MEDICAL IDENTITY THEFT


The root of medical identity theft is falsification of medical charts [9]. However, falsification of medical records without abusing the bogus records is not considered medical identity theft. It merely causes data inaccuracy but it does not use the fabricated data to claim Medicare for financial gain. This crime is mostly an insider job and medical information is being stolen by organized criminal gangs [5]. The insiders who commit this crime can be health care workers such as physicians, nurses, front desk workers, billing clerks, lab technician etc. A crime is identified as medical identity theft when the false information was created by a perpetrator who used the victims identity to obtain medical services or to generate false claims for services, as part of a scheme to commit health care fraud and receive payments for services never provided [23]. For instance, one group optometry practice sent salespeople to the director of nursing or social worker at different nursing facilities to offer routine eye examination for all patients at no cost. The nursing staff provided access to patients records and the Medicare was billed

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

25

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

for all kind of other services that were provided [31]. The preceding example shows that medical identity theft is committed by insiders and victims are mere a commodity in the eyes of the perpetrators. Other than insiders access to patients records, identity thieves may obtain information by [7]: (1) accessing information based on a legitimate need and then distributing the sensitive information for criminal purposes; (2) hacking into computerized patient information; (3) dumpster driving or collecting information from organizations trash or recyclables; and (4) stealing wallets, purses, or mail from patients, visitors, or staff.

9. NEGATIVE IMPACTS OF MEDICAL IDENTITY THEFT


According to World Privacy Forum [9], Medical Identity Theft has profoundly and adversely impacted the victims in the following ways: Victims may experience the familiar consequences of financial identity theft that can include loss of credit, harassment by debt collectors, and inability to find employment. False entries in victims medical record may remain in victims medical files for years and may not be corrected or even discovered. There is seriously lack of recourse for victims to make amendment to the falsified and inaccurate medical records. HIPAA rules do not mandate health care providers that did not create a falsified record correct the falsified entry. Alteration of patients medical records will reflect inaccurate medical conditions, blood types, drug allergies, and other health information relied upon to administer medical care. False entries in victims medical record may cause the victims to receive wrong medical treatment. This is most egregious crime because inaccurate medical record can kill a patient. Victims may find their health insurance exhausted, and become uninsurable for both life and health insurance coverage.

10. DETECTION OF MEDICAL IDENTITY THEFT


Given that medical identity theft is a crime that hides well, victims usually discover it at some very unpleasant moments, such as getting rejected of health care insurance and employment opportunities. Victims always discover this crime after it has occurred for a considerable amount of time. Very few literatures provide suggestions on how to proactively detect medical identity theft before it inflicts serious damages upon the victims. The following depicts how the victims of medical identity theft detect the crime: Collection notices: perpetrators change the billing address and the phone numbers on the medical charts of victims. This will make it hard for the bill collector to find the victims. If the perpetrators are not very sophisticated, the victim received letter from collection services to demand the victim to pay for the medical treatment that he or she never received. Credit report: consumers whose medical identity was stolen and used to open multiple credit card accounts will be able to detect this crime after reviewing their credit reports. However, most of these crimes are committed by educated, sophisticated perpetrators who know how to hide crimes well. Receipt of someone elses bills: A less sophisticated criminal will create medical bills that can tip victims off. Notification by law enforcement or an insurance company: victims may be contacted by an insurance fraud investigator or law enforcement regarding crime. Notification by a health care provider: it is very unusual for health care provider, such as a doctor or a hospital, to notify the patients of medical identity theft. However, there have been a few cases reported by hospital when the discrepancies in the medical records are discovered. Medical problem at an emergency room: the most unfortunate thing is that victims learn about medical identity theft during the course of medical emergency. Most often, victims spot false entries in their medical records. Denial of insurance coverage, notification that run out, or lifetime cap has been reached: this is another way for victims to discover medical identity theft. Victims may be notified that the coverage for their medical services is being denied because their benefits have been depleted.

11. PREVENTION OF MEDICAL IDENTITY THEFT

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

26

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

This research paper outlines preventive steps after analyzing data in multiple case studies. Currently, literature reviews provide background knowledge on this subject matter. An identity theft literature, Identity Theft and Fraud the Impact on HIM Operations, outlines the practical preventive guidance: Ensure appropriate background checks of employees and business associates who may have access to the patient protected health information. Minimize the use of social security numbers for identifications whenever possible and avoid displaying the entire social security numbers on the computer screens, documents or data collection fields. Store patient protected health information (PHI) in a secure manner by enforcing physical safeguards (e.g.: use restricted areas or locks). Implement and comply with organizational policies for the appropriate disposal, destruction, and reuse of any media used to store and collect patient protected health information (PHI). Train staff on organizational policies and practices to provide protection and appropriate use and disclosure of patient protected health information (PHI) as well as appropriate ways to handle identity theft events. Develop a proactive identity theft response plan or policy that clearly delineates the response process and identifies the organizations obligations to report the crime.

12. POLICIES AND PROCEDURES AND SECURITY CULTURE


Implementing policies and procedures to protect patients data from medical identity theft requires not only sound management skills but also a culture of security awareness. Security culture embodies all socio-cultural measures that support technical security measures, so that patients information security becomes a natural aspect in the daily activities of every employee [28]. The importance of security culture becomes apparent when much of the security problem is not of a technical-only nature but of a cognitive and organization nature, as well [16]. The formulation and implementation of a security policy and procedures draw on the existing culture, norms and rules and have the potential to affect them and therefore these processes can have an impact on the social context [18]. On the bright side, culture presents a common language to foster the understanding of policy and procedure and helps to enforce the security practice. Otherwise, culture can eat technology for lunch. In other words, culture decides whether to espouse or eschew security practice. The components of security culture are shown below: 1. Attitude and Awareness The attitude of the given societal environment, regarding enforcement of rules. The awareness of the societal environment, regarding security issues in general. The attitude of the relevant professional community towards enforcing security rules [19]. security

2. Power Relation between Users The exercise of power by health care professions affect the implementation of policy and procedure. Political perspective: the ability of health care professions to affect an outcome and to get things done. 3. Collective Norms, Values, and Knowledge The introduction of new rules and interpretation schemas can be in accordance or in conflict with the pre-existing ones, therefore altering the way people perceive things and thus creating new norms and patterns of practice [18]. The context in which a security policy is formulated and eventually put to practice is characterized by certain rules, norms and interpretation schemes [18]. Reluctance to change working practices in order to make information more secure among health care professionals can be an impediment to the implementation of policy and procedure [15]. 4. Assumptions and Beliefs

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

27

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

The organization values shape the underlying assumptions and beliefs that influence the security culture. In regard of medical identity theft, health care professions must be aware of the ethical issues and security practices in health care environment. Many health care professions are unaware of the security threats across the integrated network delivery system that involves multiple third parties. The security awareness will become more important after the implementation of the proposed National Health Information Network (NHIN). The United States Department of Health and Human Services (HHS) envisages that by placing health records online and making health records available everywhere, NHIN will save lives and reduce frauds [9]. However, without proper safeguards and appropriate administration supported by a culture of security, NHIN will run the risk of malicious attack and information theft. In the realm of data security breaches, technology itself is not the culprit but poor enforcement of health care policies due to a lack of security culture is. The result of the research will shed lights on how to coordinate health care policy and procedure with security awareness.

13. RESEARCH METHOD


1. Qualitative Positivist Approach A qualitative positivist approach is adopted. The key feature of qualitative positivist research method emphasizes on the scientific adoption of positivist approach (e.g.: theory testing, hypothesis testing, formal propositions, inferences making etc.) to attain a better understanding of a phenomenon from the participants view points. Qualitative positivist research method can be used for the exploration, classification, and hypothesis development stages of the knowledge building process [2]. This approach is well suited to capturing the knowledge of practitioners and developing theories from it; and the knowledge can later be formalized and brought to the testing stage [2]. Given that, qualitative positivist approach is suitable for this research topic because I would like to use case studies to capture a health care phenomenon in a natural setting and then collect data or empirical materials to draw inferences to explore the issue of medical identity theft, a topic that is less researched and studied.

14. PURPOSE OF CASE STUDIES


In health care research, case studies encompassed knowledge pertaining to technology utilization, medical and organizational innovations, and the implementation of specific health legislation, policies, and programs [33]. The need for case studies arises when an empirical inquiry must examine a contemporary phenomenon in its real life context especially when the boundaries between phenomenon and real life are not clearly evident [34]. In this regard, the primary purpose of the case studies is to explore and explain the insider job aspect of medical identity theft (phenomenon) in a natural health care setting (context). Case studies can be employed to develop and to test a theory through induction [6]. Given that medical identity theft is a new topic, this theory isconstructed from a case study so as to start from a clean theoretical slate. Theory-building research stems from the notion that there is no theory under consideration and no hypotheses to test [11]. Another viable option is running hypothesis testing or theory testing. Lee [20] has posited that when using case studies to test theories, natural science model can incorporated to make controlled observation, make controlled deduction, allow for replicability, and allow for generalizability. Finally, proposing multiple case studies for theory-building purpose to address that there are very few theory-building researches in this topic according to the available literatures. Not many insights are offered to explain the insider jobs of medical identity theft. Hence, it makes sense to build theory based on the findings and discoveries.

15. CASE STUDY DESIGN


1. Multiple Case Studies Regarding this research topic, multiple case studies are used because (1) multiple case studies provide the opportunities for juxtaposition of all the cases. Cross case research analysis prevents the researchers from jumping to conclusion by allowing researchers to draw juxtaposition to search for patterns and counteract the tendencies by divergently looking at the data; (2) multiple case studies permit researchers to conduct cross-case analysis that lists the similarities and differences between cases and

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

28

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

subsequently makes the researchers look at the subtle similarities and differences. This enables researchers to break simplistic frame, leading to sophisticated understanding [11]; and (3) case studies can be used for both exploratory and explanatory purposes. For example, the first case study will explore medical identity theft in the natural health care setting. After data collection and data analysis, the second case study will be carried out. The earlier case may produce certain facts in which its significance was only realized after a subsequent case has been completed and the reinterpretation of facts in the subsequent case facilitates the materialization of a more general explanation across all the cases [34]. This will achieve the purpose of exploring and explaining medical identity theft. 2. Operational Framework

FIGURE 1: A Detailed View of Operational Framework (Baker, Verizon 2010)

The two case studies are conducted in two different health settings Northern Michigan Hospital and Emmet County Health Care Department. Several constructs, as shown in figure 1, are outlined tentatively. The constructs demarcated are based on the findings from literature reviews. The framework above is a logical model that shapes the priorities for exploring in this case study research. Yin [35] postulated that good case studies should contain some operational framework; and having an operational framework prior to the inception of a case study helps to define what is to be studied as well as the topics or questions might have to be covered. The operational framework defined may inadvertently create biases but the framework itself is not a rigid design. Realizing that multiple case studies will unveil different findings, the framework will be modified to reflect the significant findings and discoveries. For instance, more constructs will be added or an existing construct will be better defined. Flexibility and the possibility of discovery have already been taken into consideration. In case study research, flexibility allows researchers take advantage of the uniqueness of a specific case and the emergence of new themes to improve the existing framework and resultant theory [11].

16. DATA COLLECTION


Typically, theory-building researchers combine multiple data collection methods [11]. Therefore, in these theory-building case studies, multiple data collection methods from multiple sources will be combined to make use of triangulation in support of construct validity. Medical identity theft victims and health care practitioners were interviewed wherethe interview questions were open-ended and all the interviews were recorded and transcribed to word processor, with interview date and time.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

29

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

1. Interview questions that involve the victims will encompass: The process of identifying medical identity theft The time frame of detecting medical identity theft Steps taken to notify the health care providers Any help offered by the health care providers The repercussion of medical identity theft to the individual

2. The interview questions that health care practitioners or administrators participated are as follows: Approximately how many times did the victim contact the health care providers What are the response given to the victim What steps have been taken by health care administrator to rectify the situation Other than interviews, different data collection methods were utilized, such as questionnaires, documentations, and direct observations. Both qualitative and quantitative data were collected in this case study research. Quantitative data can indicate relationships that may not salient to the researcher whereas qualitative data is useful for understanding the rationale revealed in quantitative data [11]. In summary, the following depicts different data collection methods:

17. DATA COLLECTION


1. Questionnaires The main purpose of the questionnaire is to find out whether the health care employeesare aware of the security policies and whether they support the policies [28]. The questions serve to measure the security attitude and perception of employees. Health care settings have a staggering number of documents and forms that require research attention. This is because documents usually show the operationsand events in health care settings over a period of time. This method allows researchers to keep records of exact references and details of events. In specific, this method allows us to study the existing policies and proceduresand technological application in a health care setting. Unstructured interviews will be conducted with health care professionals and victims of medical identity theft. Interviews are necessary to directly focus on the victims andhealth care workers perspective. Health care workers may not reveal their true value in questionnaires or interviews.The objective of direct observation is to compare the answer given during interviewwith their real behavior.

2. Documentations

3. Interviews

4. Direct Observation

The challenge of multiple resources of data collection is that it may be hard to attain convergence information [34]. Given an array of evidence gathered, it is essential to determine whether evidences from different sources converge on a similar set of facts [34]. One of a good way is to investigate. For example, through an informant (health care administrator) most of the health care workers strictly adhere to HIPAA regulations for the purpose of safeguarding personal health information. Through direct observation, the investigator may discover that copies of health care records with Medicaid ID and patients social security number are left unattended and this practice has continued for several days. This will disconfirm the information provided by informant and the convergence information will reveal that health care workers in the health care setting do not take necessary actions to safeguard personal health information.

18. VALIDITY AND RELIABILITY


The proper use of case study protocol indicates reliability [6],[35]. Given that, the protocol refers to sequential design in multiple case studies. The first case study, as indicated in the preceding section, was conducted in Northern Michigan Hospital. There are two rounds of data collection for each case study. The second round of data collection will serve the purpose of filling the information gap but not for

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

30

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

longitudinal reasons. The final case analysis for the first case was written after the second round of data collection. Next, a subsequent case study was carried out Emmet County Health Care Department. The final analysis for each case will be compared and further analyzed. Construct validity can be enforced by sharing the collected data and research findings with the informants and getting feedback from the informants [6]. Although the informants may disagree with the findings, they will point out the incorrect data, if any. The purpose of using sequential design is to allow for reinterpretation with the facts of the earlier case and apply general explanation across all cases [34]. Given that, multiple case studies will serve both exploratory and explanatory purposes. 1. Data Analysis Case studies research will yield a tremendous amount of data. Breaking the data by data source is a good way to handle a staggering amount of data. For instance, data collected from interviews and data collected from questionnaires independently was reviewed independently. This is to separate the qualitative data analysis from quantitative data analysis. It is important to keep in mind that qualitative data provides insights about the underlying issue of medical identity theft in a dynamic environment. There is anticipation that new variables will emerge as a result of serendipitous changes in the dynamic environment. The predefined constructs may have to iterate between constructs and case data to redefine the operational framework that serves as guideline in this case study.

19. RESULT/CONCLUSION
Attitude and perception of employees towards security has been discovered through the results of questionnaire. Descriptive statistic will be applied in data analysis of the questionnaire to give us a clue pertaining to security awareness in health care organization. This piece of information will then be integrated with qualitative data that will provide us the insight of prevention and detection of medical identity theft. The qualitative data will embody data collected from interviews, documentations (e.g. health care records), and notes taken from direct observation. In summary, the following table depicts research results: 1. Questionnaire Descriptive statistic will yield result that will shed light on the security culture of a health care organization. Data collected from interviews will produce result regarding the insights of medical identity theft, including how it occurred, the way health provider handled this issue, and the negative ramification on the victims. Documentation will include meeting minutes, medical forms, billing forms, and health record. The result will provide insights about organization structure and the operation issue within a health care organization.

2. Interview

3. Documentation

4. Direct Observation The result of direct observation will be able to capture part of the organization culture and attitude towards security. The results from every type of data collection will be integrated to shape a holistic view of medical identity theft. In specific, the incident of medical identity theft can be viewed from organizational, operational, technology, and human resource perspectives [12]. This holistic view will facilitate proper suggestions of health care policies and procedures and build theories regarding medical identity theft. Most likely, multiple theories will be derived from multiple case studies. These theories will involve several variables including detection and prevention of medical identity theft, health care policies and procedure, security culture, and technology application. Cross case analysis will point to contradicting facts. There is strong evidence indicating a lack of security culture in one case study and strong security culture in another.Thisoccurrence caused addition of technology as a new construct in the operation framework, inferring that technology plays a role in fighting medical identity theft.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

31

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

A juxtaposition of multiple case studies will reveal subtle similarities and differences. For example, both case studies show that the incidents of medical identity theft were committed by medical billing specialists. The victim in a case study discovered the crime through inaccurate billing whereas the victim in another case study discovered the crime through inaccurate medical data that was unveiled when the victim was admitted to the hospital for surgery. The difference may infer that the perpetrator in the later case study was much more sophisticated than that of the former case. Pro-active detection of medical identity theft, in this regard, will encompass reviewing both medical billing record and patients medical data [4]. Macroscopically, the resultant theories from these case studies will suggest proactive detection and prevention of medical identity theft and recommend sound policies and procedures to mitigate the risks of security breaches in health care information systems. This will also provide suggestion to reduce security risk in the proposed National Healthcare Information Network (NHIN).

20. FUTURE RESEARCH


The future research will test new theories formed in multi case studies. Given that, the next action will be shaping hypotheses by comparing the relationship with each case study to see how well it fits with case data. The hypotheses-shaping process will also involve sharpening of constructs that will encompass refining the definition of the construct and building evidence that measures the construct in each case.

REFERENCES
1. Appelbaum, P.S., Threats to the Confidentiality of Medical Records No Place to Hide, JAMA; (283:6), pp. 795-797, Feb 2000. 2. Benbasat I., Goldstein D.K., and Mead M.,The Case Research Strategy in Studies of Information Systems, MIS Quarterly; (11:3), pp. 369-386, Sept. 1987 3. Biotech Business Week, Electronic Medical Records: Medical Identity Theft Survey Shows Consumers Concerned about Privacy, Protection of Records, Jan 8, 2007. 4. Boyd, A.D., Hosner, C., Hunscher, D.A., Athey, B.D., Clauw, D.J., and Green L.A., An Honest Broker mechanism to Maintain Privacy for Patient Care and Academic Medical Research, International Journal of Medical Informatics; (76); pp. 407-411, 2007,. 5. Conn, J., "A Real Steal. Patients, Providers Face Big Liabilities as Medical Identity Theft Continues to Rise, and in Many Cases it's an Inside Job,"Mod Healthc; (36), pp. 26-28, 2006. 6. Cooper, R. B., Information Technology Development Creativity: A Case Study of Attempted Radical Change, MIS Quarterly; (24:2), pp. 245-276, Jun. 2000,. 7. Davis, N., Leniery, C., and Roberts K.,Identity Theft and Fraud The Impact on HIM Operations, Journal of AHIMA; (76:4); April 2005. 8. Davenport, K.A.,Identity Theft that can Kill www.law.uh.edu/healthlaw/perspectives/2006/(KD)IdentityTheft.pdf you, Available at

9. Dixon, P., Medical Identity Theft: the Information Crime that can Kill You, The World Privacy Forum; May 2006. 10. Earp, B.E. and Payton, F.C.,Information Privacy in the Service Sector: An Exploratory Study of Health Care and Banking Professional, Journal of Organizational Computing and Electronic Commerce; (16:2), pp. 105-122, 2006.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

32

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

11. Eisenhardt, K.M., Building Theory from Case Study Research, Academy of Management. The Academy of Management Review; (14:4), Oct 1989; ABI/INFORM Global. 12. Emam, K. E., Neri, E., and Jonker E., An Evaluation of Personal Health Informations Remnants in Second-Hand Personal Computer Disk Drives, Journal of Medical Internet Research; (9:3); 2007. 13. Fromer, M.J.,(2007) Medical Identity Theft: Under-reported, Underresearched, & More Common than Generally Known, Available atwww.oncology-times.com; Jan 5, 2007. 14. Garson, K. and Adams C., Security and Privacy System Architecture for an e-Hospital Environment, ACM International Conference Proceeding Series; (283pp. 122- 130, ); 2008. 15. Gaunt, N., Practical Approaches to Creating a Security Culture, International Journal of Medical Informatics; (60); pp. 151 157, 2000. 16. Gostin, L.O., Personal Privacy in the Health Care System: Employer-Sponsored Insurance, Managed Care, and Integrated Delivery Systems, Kennedy Institute of Ethics Journal, (7:4), pp. 361 376, 1997. 17. Hutson, T., Security Issues for Implementation of E-Medical Records, Communication of ACM; (44:9), Sept. 2001. 18. Karyda, M., Kiountuzis, E., and Kokolakis, S., Information Systems Security Policies: A Contextual Perspective, Computer & Security; (24); pp. 246-260, 2005. 19. Kluge, E. W., Fostering a Security Culture: A Model Code of Ethics for Health Information Professionals, International Journal of Medical Informatics; (49); pp. 105 110, 1998. 20. Lee, A. S., A Scientific Methodology for MIS Case Studies, MIS Quarterly; (13:1), pp. 33-50 , March 1989. 21. Lindberg, D.A.B. and Humphreys, B.L., The High-Performance of Computing and Communications Program, the National Information Infrastructure, and Health Care, Journal of the American Medical Informatics Association; (2:3), pp. 156-159, May-Jun. 1995. 22. Malin, B., A Computational Model to Protect Patient Data from Location-Based Re-Identification, Artificial Intelligence in Medicine; (40:3); pp. 223-229, Jun. 2007. 23. Merisalo, L.J., Medical Identity Theft, Aspen Publishers; (17:9); June 2008. 24. McMurray, A.J., Gilbert, C.A., Reis, B.Y., Chueh, H.C., Kohane, I.S., and Mandl, K.D., A SelfScaling, Distributed Information Architecture for Public Health, Research, and Clinical Case, Journal of American Medical Informatics Association, (14); July Aug. 2007. 25. Offen, M.L., Health Care Fraud, Neurologic Clinics, (17:2); May 1999. 26. Pear, R. (2008)Agency Sees Theft Risk For ID Card In Medicare, Available at

www.nytimes.com/2008/06/22/washington/22medicare.html
27. Roger France, F.H., Control and Use of Health Information: a Doctors Perspective, International Journal of Bio-Medical Computing, (43); pp. 19-25, 1996.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

33

William C. Figg, Ph.D. & Hwee Joo Kam M.S.

28. Schlienger, T. and Teufel, S., Analyzing Information Security Culture: Increased Trust by an Appropriate Information Security Culture, Proceedings of the 14th International Workshop on Database and Expert Systems Applications; 2003; IEEE. 29. Sloane E.B., Using Standards to Automate Electronic Health Records (EHRs) and to Create Integrated Healthcare Enterprises, Proceedings of the 29th Annual International Conference of the IEEE EMBS, Aug. 2007. 30. Smith, E., and Eloff J.H.P., Security in Health Care Information Systems Current Trends, International Journal of Medical Informatics, (54); pp. 39-54, 1999. 31. Sparrow, M. K., License to Steal. How Fraud Bleeds Americas Health Care System, Westview Press; 2000. ISBN: 0-8133-6810-3. 32. Vacca, J.R., Computer Forensics: Computer Crime Scene Investigation, Second Edition, Charles River Media; 2005. ISBN: 1-58450-389-0. 33. Yin, R. K., Enhancing the Quality of Case Studies in Health Services Research, Health Services Research (34:5), pp. 1209-1224, Dec. 1999. 34. Yin, R. K., The Case Study as a Serious Research Strategy, Science Communication; (97:3), 1981. 35. Yin, R.K., Case Study Research: Design and Methods, (2nd ed.), Sage, Newbury Park, CA, 1994.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

34

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobile Networks
Mustafa AL-Fayoumi
Faculty of Engineering and Sciences Al-Kharj University Riyadh, 11942, Saudi Arabia

fayoumi6@yahoo.com

Jaafer AL-Saraireh
Information System Applied Science University Amman, 11931, Jordan

sarjaafer@yahoo.com

Abstract This paper proposes a secure authentication mechanism by integrating the public key with the hash-chaining technique. The propose protocol satisfies the security requirements of third generation (3G) mobile networks. Also provide the protection of the international mobile subscriber identity (IMSI) to ensure subscriber un-traceability, key refreshment periodically, strong key management and a new non-repudiation service in a simple and elegant way. The proposed protocol is more secure protocol than the other available authentication protocols. To avoid the complicated synchronization as in universal mobile telecommunications system (UMTS) the proposed protocol does not use sequence number (SEQ), the management of a hash chain is simple and elegant compared to that of SEQ. This proposed protocol is secure against network attacks, such as replay attacks, guessing attacks, and other attacks. Keywords: Mobile Security, 3G, AKA, public-key, cryptography.

1. INTRODUCTION
In order to provide security services in wireless networks, authentication is used as an initial process to authorize a mobile terminal for communication through secret credentials [1] [2]. In authentication process, a mobile terminal is required to submit secret materials such as certificate or challenge and response values for verification. Without strong authentication, mobile networks access is unprotected through the release of message contents, modification of message or denial of service can be accomplished easily by an intruder. There are three entities participating in the UMTS security architecture, home environment (HE), serving network (SN) and mobile station (MS). Figure 1 illustrates the UMTS architecture. The HE contains the home location register (HLR) and authentication centre (AuC). The SN consists of the visited location register (VLR) and the Serving GPRS Support Node (SGSN). The VLR handles circuit switched traffic, but the SGSN handles the packet switched traffic [3]. Authentication procedure is executed when the MS moves from one registration area (RA) to another one (location update) during the process of calls origination and call termination. The MS is continuously listening to the broadcast message from VLR/SGSN to identify the location area by using location area identity (LAI) and the MS compares the LAI which is received with the LAI that stored in the universal subscriber identity module (USIM). When the LAI is different than the MS executes authentication procedure [2]. An authentication mechanism is a process designed to allow all participants show their legality and verify the other participants identities that involved in the networks. This mechanism using secret key K, and cryptographic algorithms - include three message authentication codes f1,

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

35

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

f1*and f2 and four key generation functions f3, f4, f5 and f5*- [3] [4] [5] that are shared between MS and the HLR/AuC. This is known as authentication and key agreement protocol (AKA). The AuC maintains a counter called sequence number (SQNHLR), where user MS maintains a counter (SQNMS), whose initial value for these counters are set to zeros [4] [5].

HLR AuC
VLR/ SGSN
MSC MSC

VLR/ SGSN

FIGURE 1: UMTS Architecture

There are three goals for the UMTS AKA [4]: a mutual authentication between the user and the network; an establishment of a cipher key and an integrity key upon successful authentication; and a freshness assurance to the user of the established cipher and integrity keys. There are two phases in AKA protocol [4] [3] i. MS registers with its HLR/AuC and then generates and distributes authentication vectors from the HLR/AuC to the VLR/SGSN. ii. The authentication and key agreement procedure between the MS and the VLR. Figure 2 describes authentication mechanism as follow: 1. When the MS moves to new VLR/SGSN area then MS sends (IMSI) authentication request to VLR/SGSN. 2. VLR passes this authentication request to HLR. 3. HLR generates authentication vectors AV(1..n) and sends authentication data response AV(1..n) to VLR/SGSN, where each authentication vector is called a quintet This AV consists of five components: random number (RAND), expected response (XRES), cipher key (CK), integrity key (IK) and authentication token (AUTN). The authentication vectors are ordered by the sequence number SQNHLR. The authentication vector is generated according to the following sequence: i. HLR/AuC generates SQNHLR and RAND. ii. HLR/AuC computes XRES = f2(K,RAND), CK = f3(K,RAND), IK = f4(K,RAND), Anonymity Key AK = f5(K,RAND), Message Authentication Code MAC = f1(K,SQN||RAND||MAF), where MAF is Message Authentication Field and AUTN = (SQN AK||AMF||MAC) where is exclusive OR operation. iii. HLR/AuC SQNHLR is increased by 1. th 4. VLR stores authentication vectors. In the i authentication and key agreement procedure, th VLR/SGSN selects the i authentication vector AV(i), and sends (RAND (i), AUTN(i)) to MS. In the VLR one authentication vector is needed for each authentication instance. This means that the signalling between VLR and HLR/AuC is not needed for every authentication events. 5. MS computes and retrieves the following:

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

36

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

Anonymity key AK = F5 (Rand, K), SQN =( (SQN AK) AK), computes expected message authentication code XMAC = f1 (SQN, RAND, AMF) and then, ii. Compares XMAC with MAC which is included in AUTN. If XMAC is not equal to MAC then MS sends failure message to the VLR/SGSN, else if XMAC is equal MAC then MS checks that the received SQN is in the correct range i.e. SQN > SQNMS. If SQN is not in the correct range then MS sends failure message to the VLR/SGSN, else if it is in the correct range, then MS computes the Response RES = f2 (K, RAND), and CK = f3 (K, Rand), iii. After that, it sends RES to VLR/SGSN. 6. VLR compares the received RES with XRES. If they match, then authentication is successfully completed. 7. i.
MS VLR/SGSN HE/HLR

Distribution of Authentication Vector


1. Authentication Data Request

2. Authentication Data Response

Authentication & Key Establishment


3. User Authentication Request

4. User Authentication Response

FIGURE 2: Authentications and Key Agreement Protocol

This paper is organized as follows. Section 2, the literature review and related works is presented. In Section 3, the framework for the proposed protocol is described. The operation modes for the proposed protocol are described in Section 4. The description of initial and subsequent authentication for the proposed protocol is presented in Section 5. The security analysis for the proposed protocol is presented in Section 6. In Section 7, a comparison with UMTS AKA protocol and related works is carried out. The paper is concluded in Section 8.

2. RELATED WORKS
Several authentication schemes have been proposed for mobile networks to enhance the security of mobile communication systems. However, these schemes cannot fulfill the security requirements of 3G mobile systems [6]. Specifically, the schemes proposed by [7] [8] [9] [10] [11] [12] [13] [14] and [15] were not designed based on 3G mobile systems and incur much computational overheads. The authentication techniques for 3G mobile networks are presented by [8] [16] [17]; but these techniques did not address other security issues, such as end to end security, anonymity and confidentiality issues. The International Telecommunication Union (ITU) proposed three authentication techniques for International Mobile Telecommunications-2000 (IMT-2000), which is the global standard for 3G. These techniques only provide some security features and have some weaknesses. The first technique is based on the use of symmetric key cryptosystems and a challenge-response exchange. This technique requires too many authentication messages and does not ensure end to end security. Also, assuming the connection between the network operator and service provider is secure; the messages that are transmitted through the connection are vulnerable. The second authentication technique is based on the unilateral use of a digital signature scheme and a challenge-response exchange. This technique did not provide mutual authentication or end to end security and created high computation costs. The third technique is also based on the use of a digital signature scheme. The public key certificates and timestamps are combined to provide user identity confidentiality and unilateral entity authentication in a single mechanism. The third technique is the same as the second technique; but did not provide mutual authentication, end to end security and created high computation costs. In all of these techniques the authentication

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

37

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

technique is fixed, such as that the network operators of visited domains must be involved in the authentication procedure between roaming users and home service providers. This represented a common weakness in the three techniques. An end to end authenticated session key exchange protocol based on the certificate over several distinct networks is presented by [18]. This protocol is not built upon a certain public key system, but the protocol can be built upon Modular Square Root (MSR) or RSA. The proposed protocol has some disadvantages, such as the public key systems (MSR and RSA) require large storage and bandwidth requirement during the execution, and the user identifications are stored in certificates and these certificates are exchanged between the users and the network in the plain text, and thus user identity confidentiality is not provided. Asymmetric cryptography in UMTS networks is proposed by [19]. This method consists of the introduction of public-private key pairs for the transactions between the VLR and HLR, as well as the MS and VLR. The information exchanged between the VLR and the HLR is based on the good trust link between these nodes. However, according to specifications that define GSM, GPRS and UMTS, there is no mutual authentication between the VLR and HLR, and no data encryption takes place when these two nodes communicate. The HLR consider that the VLR is a trusted partner, and based on this consideration it delivers information to the VLR, and the VLR delivers information to the HLR. The link between the VLR and HLR is exposed to any kind of attack (e.g. masquerading, data distortion, etc.). Using public keys in the authentication process in mobile networks was abandoned because of backwards compatibility with GSM and for the performance consideration [20] [21] [22]. UMTS AKA has some problems, including bandwidth consumption between a serving network and a users home network, space overhead of the serving network. Huang and Li propose an extension of UMTS AKA protocol, called UMTS X-AKA, to overcome the above mentioned problems of UMTS AKA [23]. Zhang and Fang, Zhang and Fujise , and Zhang showed that the 3GPP AKA protocol is vulnerable to a variant of the false base station attack [4] [24] [25] [26]. The vulnerability allows an adversary to redirect user traffic from one network to another. It also allows an adversary to use authentication vectors corrupted from one network to impersonate all other networks. Zhang and Fang presented a new authentication and key agreement protocol, which overcomes redirection attack and drastically lowers the impact of network corruption. The protocol, called adaptive protocol AKA (AP-AKA), also eliminates the need of synchronization between a mobile station and its home network [4]. A new technique for public key image authentication using fussy computations for El-Gamal authentication technique is proposed by [27]. A mutual authentication key and key exchange protocol suitable for application is proposed by [28]. This protocol named F-MAKEP. The FMAKEP scheme integrated into Wireless Transport Layer Security (WTSL) framework; the security was enhanced while more computation overhead was incurred. The UMTS AKA protocol has the problem of the bandwidth consumption between SN and HN. It is attractive to choose a suitable length (L) value for AV in the third generation mobile networks. So, many techniques are developed to minimize the authentication signalling cost and network bandwidth with consumption by selecting the dynamic length (L) for an authentication vector. Yet with this improvement, Lin and Chen (and AL-Saraireh and Yousef, are still there are bandwidth consumption [3][29]. The technique of Lin and Chen [29] basically estimates the number of authentication requests in current visited network based on the number in the previous visited network. Whereas the method of AL-Saraireh and Yousef [3], estimates the number of authentication requests in current visited network based on the history of mobile movements and the arrival rate for events.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

38

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

3. FRAMEWORK FOR PROPOSED PROTOCOL


In third generation mobile systems, many emerging services, such as the World Wide Web, stock quotes, e-mail account and multimedia, can be accessed through a wireless link. When a mobile user roams far from his home domain and wants to access these services, the user may intend to use the servers in a visited domain instead of the ones in his home domain. To meet today's needs for wireless communication the protocols need to be highly secure, and require low computational overhead and thus low power. To acquire mobile services in visited domains, mobile users must be authenticated. Normally, the VLR/SGSN in a visited domain is unable to solely perform the authentication procedure without any prior knowledge of the roaming user; hence, the visited domain requires the participation of the home domain to authenticate the user. In fact, the VLR/SGSN in the visited domain may simply forward the authentication request to the home domain and check the reply to see if the user has been successfully authenticated. In this way, the role that the VLR/SGSN in the visited domain plays is more like that of an authentication proxy. This paper presents a secure and efficient authentication framework for mobile systems, where VLR/SGSN have the capability to authenticate the user or roaming user without intervention of HLR in the home network during origination and termination of the call. Basically, the proposed authentication framework consists of the same parts as in the UMTS systems, three nodes are involved in the authentication protocol; namely, the Mobile Station (MS), the Visitors Location Register (VLR), and the Home Location Register (HLR). To enhance the 3G AKA protocol, the proposed authentication protocol has adopted three major techniques: digital signature, Message Authentication Code (MAC) and hash chaining. Public key cryptography has not previously been used in mobile communication environments due to performance constraints. It was not consider suitable for second generation systems because of the resulting length of messages and the necessary computational loads. New protocols for authentication between user and network have been developed to overcome these problems. The proposed protocol is based on a digital signature cryptography scheme. A true nonrepudiation service among HLR, VLR and MS can only be achieved via a public-key system using digital signatures [30]. A digital signature can be used in a public-key system to replace HMAC. One-way function is a variation of the message authentication code as with the message authentication code, a hash function accepts a variable size message M as input and produces a fixed size output, referred to as a hash code H (M). The hash code is a function of all the bits of the message and provides an error detection capability. When it changes any bits in the message result in a change to the hash code, a hash function H has some properties [31]. The proposed protocol uses a one-time password/hash-chaining technique which was proposed by Lamport [32]. It used a hash function with one-way property to construct a sequence of hashing value. They designed it in a remotely accessed computer system. One of the aims of the one-way hash function is to prevent eavesdroppers discovering the password and to reduce the computing time, which this technique has used in many applications [33]. In this method, let the user (claimant) and the server (verifier) deal with the secret (M) as a seed of hash value and f(M) be a one-way function, when a user (i.e., the one wishes to be authenticated) wants to register or log in the system, then the user should construct fn(M)=f(f((f(M)))), where n represents the maximum number of services that the user can request after the registration phase ( i.e., the composition of nfs ), and sends f n(M) to the server (i.e., the one decides whether the user is who it is). Then the server uses it to compute a sequence of passwords

f n1 (M ), f n2 (M ),K, f ( f ( f (M ))), f ( f (M )), f (M ) and the server stores those. The user holds f n (M ),K, f ( f ( f (M ))), f ( f (M )) .

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

39

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

After the registration is completed, each hash chain can be used by the claimant to prove itself to ih n-1 the server N times. In the j session, the user provides f (M) to ask for a connection to prove n-1 itself. The server can verify the correctness of f (M) by means of the one way function by computing f(f n-1(M)) and the server needs to store f n-1(M) as the last value of user to authenticate the next visit. So, the user reveals fn-1(M), fn-2(M),,f(M), and M=f 0(M) in sequence to prove itself n times. In this way f n-j (M) can be used as a proof of the jih connection. In the proposed protocol the dynamic concept achieved through management the dynamic keys between the MS HLR/AuC and MS SGSN/VLR. In other words the dynamic mechanism works at two levels by the keys refreshment are used whether at MS/HLR and MS/VLR for each Initial and subsequent authentication session respectively. Moreover, this property provides service providers with the ability to develop proprietary authentication mechanisms and adjust the keys in run time. Where in the dynamic key agreement the HLR/AuC is determine number of subsequent authentication procedure that will be executed for each time the initial authentication procedure starts which will discusses in the following section. When MS makes a service contract with his/her home network HLR generates the public and private keys and subscribes public key to MS and keeps it in its database and save KHU, IMSI and CertM in the SIM/USIM of MS. In the initial authentication procedure the MS encrypt an Authentication Request Message between MS to HLR (AUTHMH ) by HLR's public key that has been saved in the SIM. HLR decrypt it by its private key, and then refresh the new public key and send back to MS within Authentication Data Response Message between HLR to MS (RAUTHMH) to use it in the second time. Consequently, Dynamic key management is achieved at the level of MS and HLR/AuC. Meanwhile, the MS generates a session key KVM = f (KVM, IK CK) as a shared key between MS and SGSN/VLR, where IK and CK are a nonce numbers and f n(M) where f n(M) is a one-way hash chaining function and n represents the maximum number of services that the MS can request after initial authentication, then send it within AUTHMH to SGSN/VLR through HLR. The VLR save KVM, CK and f n(M) under the ID of that user and sends Authentication Data Response Message between VLR to MS (RAUTHMV ) encrypted by the session key KVM of its response message. In the subsequent authentication procedure the MS generates a new session key KVM = f (KVM, IK CK), where IK is a new generated nonce and KVM is the shared key. CK is in the messages sent by the MS to the VLR in the initial authentication procedure. Meanwhile, the MS produces f ni (M), where ( i) is the number of services that have been requested, and M is the secret key generated in the initial authentication. VLR generates a new session key KVM using the same function used by the MS and then encrypts RSAUTHUV = (IK+1 TMSI) with KVM, and then sent is sent back to the MS. After that upon receipt of the response message, the MS decrypts the RSAUTHUV using KVM. The subsequent authentication procedure only contains two message exchanges. The nonce number IK transmitted between the MS and VLR is used to refresh the session key. In this way, the encryption key used for every session is different. Except for the first session key, key generation is performed by both the MS and VLR. The first session key is generated by the MS and sent to the VLR. After that, the VLR can generate the following session key by itself. By using KVM and IK CK as two inputs, the MS and VLR can generate the same new session key if the inputs are identical. Consequently, Dynamic key management is achieved at the level of MS and SGSN/VLR. Therefore, using the refreshment keys concept in both MS, SGSN/VLR and HLR/AuC according to the n and t value which has determined by MS and HLR/AuC respectively, the subscribed

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

40

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

service period (t) is used to determine whether the service request is out-of-date or not, and (n) is used to determine the number of times and the ith session to perform the subsequent authentication procedure dynamically, without transfer any clear parameters. In the i-th session, the user provides n-i (M) to ask for a connection to proof of the i-th connection. Consequently, Dynamic key management is achieved at the level of MS and SGSN/VLR.

4. OPERATION MODES
In this proposed protocol, VLR/SGSN in SN maintains the profiles and privileges of the registered MS. Thus, only the MS's home network (HLR) can initially authenticate the MS. Another entity, the VLR/SGSN in SN, is responsible for forwarding the MS's authentication request to the HLR in HN. In the proposed protocol, after initial authentication has been performed, the VLR/SGSN in SN is then capable of authenticating the MS when it is required. The proposed authentication protocol contains two operation modes for initial and subsequent authentication. i. Registration and Distribution of Authentication Information (Initial Authentication): This procedure is used when a mobile user (MS) leaves his home domain and roams to a visited domain. The user may request services from the network operator of the visited domain. In this case, the initial authentication shown in Figure 3 is performed between the three parties. First, the request message is generated by the MS and sent to the authentication VLR/SN in the visited domain. Since the VLR/SN is unable to authenticate the MS by itself, it forwards it to the HLR in MSs home domain. The verification procedure is performed by the HLR. A response message is generated corresponding to the authentication result as authentication vector (AV). The VLR/SN forwards the response message to the MS and decides whether or not to provide the service to the MS according to the authentication result. Here, the VLR/SN caches some authentication information, which can be used in subsequent authentication. The response message lets the MS know whether the authentication was successful or not. After the initial authentication, both the VLR/SN and MS obtain the authentication result from the HLR/HN and share some secret information without intervention of HLR/HN.

ii. Authentication and Key Agreement (Subsequent Authentication): After initial authentication, the VLR/SGSN has the ability to authenticate the MS in subsequent communication. If the MS remains in the same visited domain and requests services, then the user should ask for subsequent authentication. MS similarly generates an authentication request message, which should contain the information shared between the MS and VLR/SN; the VLR/SN then uses this information to authenticate the MS. As mentioned above, the VLR/SN has cached information needed to authenticate MS. After authenticating the MS, the VLR/SSN sends a response message containing the authentication result to the MS. The MS receives the response message and learns whether the authentication was successful or not.

5. DESCRIPTION OF THE PROPOSED PROTOCOL


In this section, the proposed protocol shows how the proposed framework can be applied to improve the performance of authentication in call setup services. The proposed protocol satisfies the security requirements of third generation mobile systems and has the advantages of a dynamic framework. The proposed scheme involves the use of a public key of HLR and VLR, which is used for a legitimate MS to encrypt an authentication key that generated by the MS himself/herself and passes it to VLR. Moreover, we simply employ a challenge response to resist the replay attacks. The proposed authentication protocol is divided into two procedures; the first one is called the initial authentication procedure, which flow from MS VLR HLR. The second one is limited between MS VLR and is called the subsequent authentication procedure.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

41

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

5.1 Initial Authentication Procedure To mitigate the computation burden of mobile equipment, the encryption is clone in MS side since the public key operation takes (K2) complexity but private key operation takes (K3) complexity with the typical modular exponentiation algorithms used to implement the RSA algorithm, where K is the number of bits in the modulus. Table 1 gives the software speeds of RSA [34]. RSA goes much faster if we choose a value of e carefully. Therefore, we suggest the exponent value e should be smaller. In order to make use of public key cryptography on the lowcomputation mobile equipment, the related research can be found in [35]. RSA Speeds for Different Modulus Lengths with an 8-bits Public Key(on a SPARC )

512 bits
Encrypt Decrypt Sign Verify 0.03 sec 0.16 sec 0.16 sec 0.02 sec

768 bits
0.05 sec 0.48 sec 0.52 sec 0.07 sec

1,024 bits
0.08 sec 0.93 sec 0.97 sec 0.08 sec

TABLE 1: Software speeds of RSA

In 2003, RSA Laboratories recommends the minimum key length for general data is 1024 bits without any specifying lifetime [36]. NIST recently recommends 1024 bits for RSA, which is taking into account the lifetime of the data. For security concerns and the execution speeds of the public key encryption, we suggest the value of public key length is optimally 1024 bits. Before we describe the common registration phase of the proposed mechanism, we assume the following operations are performed when MS makes a service contract with his/her home network HLR: HLR generates the Public and Private Keys. HLR subscribes (Public Keys) to MS. HLR produces a certificate CertM to (Public Keys) and keeps it in its database. HLR writes KHU, IMSI and CertM in the SIM/USIM of MS. At first, the scheme consists of four messages exchanged between the MS, VLR and HLR. The message flows are indicated in Figure 3. The notations are defined as follows: IMSI TMSI KHU, KHP KVU, KVP KHU KVM KVM IK, CK T () AUTHMH AUTHVH RAUTHMH RAUTHMV NOMENCLATURE International Mobile Subscriber Identity Temporary Mobile Subscriber Identity generated by HLR/AuC Public/private key pair of HLR Public/private key pair of SGSN/VLR The new HLRs public key Session key shared by the MS and SGSN/VLR (IK, CK): session key between the MS and VLR, the function may be a simple function. e.g. the XOR of IK and CK. h (KVM, IK CK) Nonce numbers Subscribed Service Period A one way Hash function; Authentication Request Message between MS to HLR n IDM, IDH, EKHU ( IMSI IK CK KVM (M)nIDV) Authentication Request Message between VLR to HLR IDV, EKVP (IDV, RV) Authentication Data Response Message between HLR to MS EKHP (IDH IK+1 TMSI T KHU' KVU ) Authentication Data Response Message between VLR to MS EKVP (EKVM (IK+1), TMSI ))

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

42

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

RAUTHHV IDM IDV IDH

Authentication Data Response Message between HLR to VLR EKVU (RV IK CK KVM n (M)n T TMSI) The identity of the MS Identity of VLR Identity of HLR Logical computation, bit-wise exclusive or operation

To exercise the proposed protocol, this section describes how that can be applied to enhance the authentication procedure. It is known that the authentication process is achieved by all the authentication entities of 3G mobile network. The proposed authentication protocol is divided into two procedures; the first one is named Initial authentication procedure, which flow from MS VLR HLR. The second one is limited between MS VLR is the Subsequent authentication procedure. In the proposed authentication protocol, we assume that MS HLR/AuC and SGSN/VLR HLR/AuC have the public/private key pair and use Public-Key cryptosystems. In addition, there is public key infrastructure so that public keys can be correctly and efficiently distributed. This enables all entities of network (3G) to mutually authenticate each other easily. MS can obtain the public key of the VLR to be sent by the HLR. At first, the MS sends secret message to challenge the VLR and HLR, and the VLR also sends secret message to challenge the HLR. However these secret messages are encrypted with its public and private key respectively. After that the VLR and HLR send a message to response the MS that decrypt by its private key. The HLR also decrypts the secret messages to response the VLR based on VLRs public key. If the processes are finished, they can achieve mutual authentication between all participants, and refresh the HLRs public key.
MS SGSN/VLR HLR/AuC

IDM, IDH, EKHU(IMSI IK CK KVM f n(M) n ID ) IDM, IDH, EKHU(IMSI IK CK KVM f n(M) n IDn)

EKHP (IDH IK+1

TMSI T KHU' KVU )

EKVU (RV IK CK KVM n (M)n T TMSI)

EKHP (IDH IK+1

TMSI T KHU' KVU )

EKVP (EKVM (IK+1), TMSI))

FIGURE 1: Proposed Initial authentication procedure

Step 1: M1 Authentication Request Message When an MS needs to authenticate itself to all entities of network to access or utilize of network services, The MS invokes the distribution of authentication procedure by sending the Authentication Request messages to the HLR/AuC (AUTHMH) through VLR. Authentication

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

43

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

between the MS and his HLR/AuC relies on the use of its public key KHU. This process is achieved as follows: The MS generates the following: 1. The Nonce Numbers IK, CK 2. The Session Key KVM 3. M is secret information n n 4. (M) where (M) is a one-way hash function and n represents the maximum number of services that the MS can request after initial authentication. Here n ( ) = (n-1 ( )), 1( ) = ( ). The MS sends AUTHHM to VLR: n AUTHMH= IDM,IDH,EKHU(IMSI IKCKKVMf (M) nIDn), where IDM is the identification of the MS that HLR can verify his signature. Step 2: M2 Authentication Request Message When the VLR receives the message from the MS, it passes the message to the HLR, and sends the AUTHVH of its challenge message to the HLR. However, the (IDV RV) KVP is encrypted by its private key. After receiving these messages, the HLR decrypts by their corresponding private and public key them access the database to obtain the CertM and CertV, respectively. IDV, EKVP (IDV, RV) Step 3: M3 Authentication data Response Message The HLR sends RAUTHHM encrypted by HLR's private key and RAUTHHV encrypted by VLRs public key of its response messages to the VLR, respectively. After receiving these messages, the VLR decrypts RAUTHHV by his secret key to get RV, TMSI, IK, CK, KVM, n (M), n and T. Then, the VLR saves n(M), n, and CK for subsequent authentication and session key generation. RAUTHHM = EKHP (IDH IK+1 TMSI T KHU' KVU ) Step 4: M4 Authentication Response Message The SGSN/VLR sends RAUTHHM encrypted by HLRs private key and RAUTHVM encrypted by VLRs private key of its response to the MS. After receiving these messages, the MS decrypt RAUTHHM by HLR's public key to get KVU, KHU, IK+1, TMSI and IDH. After getting KHU, it knows that key refreshment is successfully. Filially, it gets KVU that has sent from HLR to decrypt RAUTHVM to obtain EKVM (IK+1), TMSI and then encrypt EKVM (IK+1) to get IK, then MS verifies the value of (IK + 1) if it is correct, then the authentication is successful, and the MS gets new temporary identities, TMSI. Also, KVM becomes the shared key used by the MS and SGSN/VLR, the authentication process is finished. RAUTHHM = EKHP (IDH IK+1 TMSI T KHU' KVU ) RAUTHVM = EKVP (EKVM (IK+1), TMSI )) 5.2 Subsequent Authentication Procedure After the initial authentication, SGSN/VLR gets a secret key KVM that it shares with the MS and subsequently can accomplish the authentication by itself. That is, subsequent authentication only happens between the MS and SGSN/VLR using two message exchanges. Figure 3.2 exhibits the subsequent authentication procedure, and the authentication steps are described as follows.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

44

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

MS

SGSN/VLR

HLR/AuC

TMSI, EKVM (IK, n-1 (M))


' EKVM (IK+1,

TMSI

FIGURE 4: Subsequent authentication procedure

The notations in Figure 2 are defined as follows: SAUTHMV : TMSI, EKVM (IK, n-1 (M)) SRAUTHVM : EKVM' (IK+1, TMSI)

Step 1: The MS generates a new session key KVM = h (KVM, IK CK), where IK is a new generated nonce and KVM is the shared key. CK is in the messages sent by the MS to the VLR in the initial authentication procedure. Meanwhile, the MS produces n-i(M), where i is the number of services that have been requested, and M is the secret key generated in the initial authentication. The MS sends SAUTHMV that encrypted the session key KVM to the VLR, which contain IK, n-i(M). SAUTHUV : TMSI, EKVM (IK, n-1 (M)) Step 2: SGSN/VLR first checks the subscribed service period of the mobile user for the requested service. If the service request is not made within the valid subscribed service period, the service request is rejected. The procedure then restarts from step 1.1. Else SGSN/VLR decrypt SAUTHMV by the shared session key KVM and compares the result with IK. Moreover, SGSN/VLR computes (n-i(M)) to verify whether it is the same as the number, n-i+1(M), which SGSN/VLR saved in the last authentication. If they are identical, the MS has been authenticated successfully. SGSN/VLR send RSAUTHMV = (IK+1 TMSI) encrypted by the new session key KVM, which was generated using the same function that used by the MS. Upon the MS receipt of the response message, the MS decrypts the authenticator using KVM. TMSI) SRAUTHUV : EKVM' (IK+1,

6. SECURITY ANALYSIS
In accordance with the proposed scheme, it is assumed that a VLR has powerful computation ability and has no worry about power supply, which means it can handle more complex calculations. Since we consider the low computation ability and low power of mobile equipments, we make the RSA encryption be clone in MS side. Table 3.1 indicates that the RSA encryption provides far superior performance than decryption. Furthermore, the session key KVM is generated by MS. The VLR will use the key to verify the MS again when he/she requires a service, e.g. making a call etc. We assume that the authentication key is generated through a secure random number generator and kept securely for each related parties. Based on the recommendation of RSA Laboratories and NIST, the public key length that we use is 1024 bits. For NIST, 1024 bits public key length is appropriate for protecting data through the year 2015, which means it can hardly be broken using todays computer technology. Since the security of public-key cryptography depends on the key length and assumes that factoring this large numbers is very hard. From the previous suggestion, we assume the public key pair (e, n) of VLR is secure, and the private key d is safe and known only by VLR.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

45

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

Furthermore, the KHP is supposed to be kept secretly by HLR. Base on these hypothesis, we make the following security analysis to prove that our modification is robust and against to replaying, guessing and substitution attacks. Note that the analysis is based on the UMTS. In this section, we will discuss the security of the proposed protocol. In order to ensure that the proposed protocol is secure, we will analyze and discuss the attack methods. The security requirements of third generation mobile systems are mutual authentication, MS anonymity, endto-end security, non-repudiation, and data integrity and data confidentiality. The proposed scheme can fulfill all of these requirements. First, consider the authentication requirement. It is clear that the proposed authentication protocol can authenticate MS, HLR/AuC and SGSN/VLR. Because the message sent to the HLR/AuC is encrypted using its public key KHU, there is no one except for the home HLR/AuC can decrypt the message. Therefore, authentication between the MS and the HLR/AuC can be achieved using KHU. Consequently, mutual authentication is achieved. Next, consider MS anonymity. To provide MS anonymity, the permanent identity IMSI of MS is never exposed in the plain-text mode. A cracker cannot get the real identity of MS by eavesdropping on the authentication messages on both wireless and wired networks. Consider the requirement of non-repudiation; our protocol can also satisfy this requirement. By using the one-way function, we can achieve non-repudiation. In the ith session, the user provides n-i (M) to ask for a connection. The SGSN/VLR can verify the correctness of n-i (M) by means of the one way function, but it cannot derive n-i (M) from n-i+1(M). In this way, n-i (M) can be used th as a proof of the i connection. Whenever a random challenge occurs, the SGSN/VLR can be n-i required to show (M). The requirement of end-to-end security is also addressed in the proposed protocol. When a MS makes a call, the caller and callee negotiate a common encryption key to encrypt the data flowing over the channel. Since the full communication path is protected, data confidentiality and integrity are both achieved. The communication between the two parties in both wired and wireless paths is protected with the encryption key Ke. Therefore, end-to-end security is achieved in this way. The proposed authentication protocol achieves all the requirements shown above. The proposed scheme is superior to other published schemes. The proposed protocol can prevent common attacks as follows:

i. Replay Attacks
It can repulse replay attack, a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Hackers capture old messages and replay them at later times. By replying to the message it appears to be legal. Suppose MS wants to prove its identity to the HLR. The HLR requests its IMSI as proof of identity, which MS dutifully provides (possibly after some transformation like a hash function). Meanwhile, the hacker is eavesdropping on the conversation and keeps the IMSI. After the interchange is over, the hacker connects to the HLR posing as the first MS. When asked for proof of identity, the hacker sends the first MSs IMSI read from the last session, which the HLR must accept. The proposed authentication protocol can prevent the replay attack by the freshness properties. The MS refreshes the session key by using the nonce to ensure the freshness of authentication sessions. Since the MS and SGSN/VLR must input IK to generate a new session key; the session key can be refreshed for each authentication process. If an attacker replaces the TMSI of an intercepted authentication message and replays the authentication request, the attack will not succeed because the AUTHMH is encrypted using KHM, so the replay attack is infeasible.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

46

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

ii. Guessing Attacks


Password authentication is widely used by many security systems. However a password is vulnerable under dictionary attack in which an attacker can guess the password successfully. In the proposed scheme, the key refreshment method prevents the guessing attack. In each authentication process, the subscriber uses different keys to request registration and authentication. Public key cryptosystems provide a means for preventing the guessing attack. Since the public key digital signature is used to sign the message, the guessing attacks fail. It has been shown that the signatures are distributed so that the attacker is unable to guess a signature value which is shared by different messages.

iii. Substitution Attacks


If an attacker replaces some fields of the authentication request, then the authentication will fail. For example, if an attacker replaces any parameter in the initial authentication, the SGSN/VLR will find the nonce IK is different from the nonce IK encrypted along with the authentication status sent by the HLR/AuC. Because the nonce used by the SGSN/VLR is the same as the one used by the HLR/AuC, SGSN/VLR can compare them to verify the MS. Therefore, our protocol can resist the substitution attack. Moreover, even if an attacker gets the session key, he will not have the ability to generate new session keys. This is because session key generation involves CK, and because only the MS and SGSN/VLR know the CK. The above analysis shows that our protocol can successfully prevent this kind of substitution attack. From the above security analysis, we can find that our scheme is secure and fully satisfies the security requirements. Furthermore, the authentication key KVM is only aware by MS and VLR. It can assure that in the later services request phase, only the legitimate MS will be allowed to use the service provided by VLR. Since MS has no reason to compromise the KVM to a third party, therefore, our scheme ensures that except the related participants, no one can harm the rights and interests of MS

7. SIMULATION RESULTS AND A COMPARISON WITH RELATED WORK


The Comparisons of the proposed Protocol with current UMTS protocol are listed in table 1. The authentication vector is used by UMTS and AP-AKA protocol to reduce the number of access to HLR/AuC. While using of authentication vector causes the bandwidth consumption and storage overhead. In UMTS AKA, the HLR/AuC cannot authenticate MS. While the proposed protocol, allows HLR/AuC to authenticate the MS. There is protocol proposed by Harn and Hsin AKA and X-AKA protocol that used hash chain. The bandwidth consumption and overhead is occurred by using of several hash chain. An analytic model is proposed to investigate the impact of the size of the authentication vector array in order to minimize the cost [3] [29]. A dynamic length of authentication vector array based on prediction of the mobile users residence time in the VLR/SGSN is proposed by [3]. Consequently, it is able to reduce the network traffic and to avoid the bottleneck at HLR/AuC. There are differences between these works and the proposed E-AKA, because these works do not change the original UMTS AKA protocol and tries to find a suitable size for the authentication vector.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

47

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

Comparison with Items Symmetric or Asymmetric Mutual authentication between MS and HN Mutual authentication between MS and SN Confidentiality of user identity during roaming User Traffic Confidentiality True non-repudiation of service Signaling data integrity Reduction of bandwidth consumption between SN and HN Reduction of storage space overhead for SNs database Element synchronization between MS and HN

(: is achieved by the protocol; : is not achieved by the protocol)

UMTS Sym

Proposed Protocol Sym+Asym

TABLE 1: A Comparison of the Proposed Protocol with UMTS Protocol

FIGURE 6: Authentication delay for current and proposed protocol

The simulation in this thesis was executed 20 times. The results of the 20 simulations were then averaged to obtain accurate results. The length of the communication system simulation was run for several hundreds of seconds (400 seconds) in order to obtain accurate and consistency results and reaches a steady state not influenced by short time differences. Simulations were performed on an Intel P4 1.67 GHz machine with 512MB of RAM. The results show that the authentication delay is minimized when compared with the current protocol, as illustrated in figure 6. Therefore, the performance and the authentication delay time have been improved significantly.

8. CONCLUSION
A novel mutual authentication scheme based on integrating the public key with the hash-chaining technique has been proposed. This scheme provides secure authentication mechanisms for mobile systems where the concepts of TMSI and key refreshment are adopted. Using TMSI can protect the subscribers true identity, and key refreshment can make authentication process more secure. In addition, the bi-unilateral and mutual authentication among UE, VLR and HLR have been adopted that resulted in a more secure protocol than the other available authentication protocols. This proposed protocol fulfills the security requirements of the third generation mobile systems. Analysis of our protocol showed that it can not only overcome the security flaws existing in some recently proposed protocols, but also satisfy the asymmetric wireless computing conditions. In addition, this proposed authentication scheme does not only protect user data, but also it prevents many kinds of attacks such as the replay attacks and Guessing attacks.

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

48

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

The proposed protocol achieved the following goals: 1. Provides mutual authentication between the user MS and the HN. 2. Provides mutual authentication between the user MS and the SN. 3. The establishment of a cipher key and an integrity key upon successful authentication. 4. Reduces the signaling traffic between serving network and home network and reduces the size of authentication information to be stored in the serving network. 5. Element synchronization between MS and HN. 6. HN allows SN to authenticate MS, then VLR/SN authenticates MS without any intervention from the subscribers HN

9. REFERENCES
[1] Al-Saraireh J., and Yousef S., "A New Authentication Protocol for UMTS Mobile Networks", EURASIP Journal on wireless communications and networking, vol. 2006, pp. 1-10, Article ID 98107, 2006. Salgarelli L., Buddhikot M., Garay J., Patel S., and Miller S.. "The Evaluation of wireless LANs and PANs Efficient Authentication and Key Distribution in Wireless IP Networks". IEEE Personal Communication on Wireless Communication, vol. 10, no. 6, pp. 52-61, 2003. Al-Saraireh J., and Yousef S., "Analytical Model: Authentication Transmission Overhead Between Entities in Mobile Networks", Elsevier, Computer Communications Journal, vol. 30, no. 9, pp. 1713-1720, 2007. Zhang M., and Fang Y., "Security Analysis and Enhancements of 3GPP Authentication and Key Agreement Protocol", IEEE Transactions on wireless communications, vol. 4, no. 2, pp. 734 742, 2005. 3GPP, "3G Security, Specification of the MILENAGE Algorithm Set: An Example Algorithm Set for the 3GPP Authentication and Key Generation Functions f1, f1*, f2, f3, f4, f5 and f5*, document 1: General", 3rd Generation Partnership Projec, 2001. Cheng S., Shieh S., Yang W., Lee F., and Luo J., "Designing Authentication Protocols for Third Generation Mobile Communication Systems", Journal of Information Science and Engineering, vol. 21, pp. 361-378, 2005. Brutch T., and Brutch P., "Mutual authentication, confidentiality, and key Management (MACKMAN) system for mobile computing and wireless communication", Proceedings of the 14th Annual Computer Security Applications Conference, pp. 308-317, 1998. Dell'Uommo S., and Scarrone E., "The mobility management and authentication authorization mechanisms in mobile networks beyond 3G", Proceedings of the 12th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications, pp. 4449, 2001, Horn G., Martin K., and Mitchell C., "Authentication Protocols for Mobile Network Environment Value-Added Services", IEEE Transactions on Vehicular Technology, vol. 51, no. 2, pp. 383-392, 2002. Lee C., Hwang M., and Yang W., "Enhanced Privacy and Authentication for the Global System for Mobile Communications", Wireless network Journal, Kluwer Academic Publishers, vol. 5, no. 3, pp. 231-234, 1999. Lee C., Hwang M., and Yang W., "Extension of Authentication Protocol for GSM", IEE Proceeding Communication, vol. 150, no. 2, pp. 91-95, 2003.

[2]

[3] [4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

49

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

[12] [13] [14] [15] [16]

Lee C., Li L., and Hwang M., "A remote User Authentication Scheme Using Hash Function", ACM Operating Systems Review, vol. 36 no. 4, pp. 23-29, 2002. Lin C., and Shieh S., "Chain authentication in mobile communication systems", Journal of Telecommunication Systems, vol. 13, pp. 213-240, 2000. Looi M.,"Enhanced authentication services for internet systems using mobile networks", IEEE Global Telecommunications Conference, vol. 6, pp. 3468-3472, 2001. Molva R., Samfat D., and Tsudik G., "Authentication of Mobile Users", IEEE Network, vol. 8, no. 2, pp. 26-34, 1994. Putz S., and Schmitz R. (2000), "Secure Interoperation between 2G and 3G Mobile Radio Networks", 3G Mobile Communication Technologies, 2000, First International Conference on (IEE Conference Publication No. 471), London, UK, Pp. 28-32. Putz S., Schmitz R., Tonsing F., "Authentication Schemes for Third Generation. Mobile Radio Systems", Personal, Indoor and Mobile Radio Communication., The 9th IEEE International Symposium on Personal, vol. 1, pp. 126-130, 1998. Park C., "On Certificate-Based Security Protocols for Wireless Mobile Communication Systems", IEEE Network, vol. 11, no. 5, pp. 50-55, 1997. Grecas C., Maniatis S., and Venieris I., "Towards the introduction of the asymmetric cryptography in GSM,GPRS, and UMTS networks", Sixth IEEE Symposium on Computers and Communications, Proceedings, pp. 15-21, 2001. Argyroudis G., Verma R., Tewari H., and Mahony D., "Performance Analysis of Cryptographic Protocols on Handheld Devices", 3rd IEEE International Symposium on Network Computing and Applications (NCA 2004) Proceeding, pp. 169 174, 2004. Kambourakis G., Rouskas A., and Gritzalis S., "Using SSL/TLS in Authentication and Key Agreement Procedures of Future Mobile Networks", IEEE 4th International Workshop on Mobile and Wireless Communications Network, vol. 2002 , pp. 152 156, 2002. Kambourakis G., Rouskas A., and Gritzalis S., "Advanced SSL/TLS-Based Authentication for Secure WLAN-3G Interworking", IEE Communications, vol. 151, no. 5, pp. 501-506, 2004. Huang C., and Li J., "Authentication and Key Agreement Protocol for UMTS with Low Bandwidth Consumption", AINA2005, 19th International Conference on Advanced Information Networking and Applications (AINA'05), vol. 1, pp. 392-397, 2005. Zhang M., "Provably-Secure Enhancement on 3GPP Authentication and Key Agreement Protocol", Cryptology ePrint Archive, Report 2003/092, 2003. [online]. Last accessed on 10 April 2006 as Available at http://eprint.iacr.org, 2003 Zhang Y., and Fujise M., "An Improvement for Authentication Protocol in Third-Generation Wireless Networks", IEEE Transaction on Wireless Communications, vol. 5, no. 9, pp. 2348-2352, 2006. Zhang Y., and Fujise M., "Security Management in the Next Generation Wireless Networks", International Journal of Network Security, vol.3, no.1, pp. 1-7, 2006. Adi W., Dawood A., Mabrouk A., and Musa S. , "Low complexity image authentication for mobile applications", IEEE South East Conference, Richmond, USA, pp. 20-20, 2007.

[17]

[18] [19]

[20]

[21]

[22]

[23]

[24]

[25]

[26] [27]

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

50

Mustafa AL-Fayoumi & Jaafer AL-Saraireh

[28]

Yijun H., Nan X., and Jie L., "A Secure Key Exchange and Mutual Authentication Protocol for Wireless Mobile Communication", IEEE International Conference on Availability, Reliability and Security, ARES07, Vienna, Austria, pp. 558 563, 2007. Lin Y, and Chen Y., "Reducing Authentication Signaling Traffic in Third-Generation Mobile Network", IEEE Transactions on Wireless Communications, vol. 2, no. 3, pp. 493-501, 2003. Harn L., and Hsin W., "On the Security of Wireless Network Access with Enhancements", Proceedings of the 2003 ACM workshop on Wireless Security, San Diego, USA, pp. 88-95, 2003. Burnett S. and Pause S, "RSA Security's Official Guide to CRYPTOGRAPHY", McGrawn, Hill, 2002. Lamport L., "Password authentication with insecure communication", Communication of ACM, Vol. 24, No. 11, pp. 770-772, 1981. Al-Fayoumi M., Nashwan S., Yousef S. and Alzoubaidi A., "A New Hybrid Approach of Symmetric/Asymmetric Authentication Protocol for Future Mobile Networks", Third IEEE International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob, pp. 29-38, 2007 Lacy, J., Mitchell, D. and Schell, W., "CryptoLib: Cryptography in Software." Proc. Fourth USENIX Security Workshop, October 1993. M.J. Belier, L. Chang, and Y. Yacobi, "Privacy and Authentication on a Portable Communications System", Global Telecommunications Conference, pp 1922- 1927, Dec. 2-5, 1991. M. Hwang, S. Chong and H. Ou, On the security of an enhanced UMTS authentication and key agreement protocol, European Transactions on Telecommunications, Vol. 22, Issue 3, pp. 99112, April 2011

[29]

[30]

[31] [32] [33]

[34] [35]

[36]

International Journal of Security (IJS), Volume (5) : Issue (1) : 2011

51

INSTRUCTIONS TO CONTRIBUTORS
Information Security is an important aspect of protecting the information society from a wide variety of threats. The International Journal of Security (IJS) presents publications and research that builds on computer security and cryptography and also reaches out to other branches of the information sciences. Our aim is to provide research and development results of lasting significance in the theory, design, implementation, analysis, and application of secure computer systems. IJS provides a platform to computer security experts, practitioners, executives, information security managers, academics, security consultants and graduate students to publish original, innovative and time-critical articles and other information describing research and good practices of important technical work in information security, whether theoretical, applicable, or related to implementation. It is also a platform for the sharing of ideas about the meaning and implications of security and privacy, particularly those with important consequences for the technical community. We welcome contributions towards the precise understanding of security policies through modeling, as well as the design and analysis of mechanisms for enforcing them, and the architectural principles of software and hardware system implementing them. To build its International reputation, we are disseminating the publication information through Google Books, Google Scholar, Directory of Open Access Journals (DOAJ), Open J Gate, ScientificCommons, Docstoc and many more. Our International Editors are working on establishing ISI listing and a good impact factor for IJS. The initial efforts helped to shape the editorial policy and to sharpen the focus of the journal. Starting with volume 5, 2011, IJS appears in more focused issues. Besides normal publications, IJS intend to organized special issues on more focused topics. Each special issue will have a designated editor (editors) either member of the editorial board or another recognized specialist in the respective field. We are open to contributions, proposals for any topic as well as for editors and reviewers. We understand that it is through the effort of volunteers that CSC Journals continues to grow and flourish. IJS LIST OF TOPICS The realm of International Journal of Security (IJS) extends, but not limited, to the following:

Anonymity Attacks, security mechanisms, and security service Authorisation Cellular/wireless/mobile/satellite networks securi Public key cryptography and key management Cryptography and cryptanalysis Data integrity issues Database security Denial of service attacks and countermeasures Design or analysis of security protocols Distributed and parallel systems security Formal security analyses Information flow Intellectual property protection

Anonymity and pseudonymity Code security, including mobile code security Biometrics Authentication Confidentiality, privacy, integrity, authenticatio Data confidentiality issues Data recovery Denial of service Dependability and reliability Distributed access control Electronic commerce Fraudulent usage Information hiding and watermarking Intrusion detection

Key management Network and Internet security Network security performance evaluation Peer-to-peer security Privacy protection Revocation of malicious parties Secure location determination Secure routing protocols Security in ad hoc networks Security in communications Security in distributed systems Security in e-mail Security in integrated networks Security in internet and WWW Security in mobile IP Security in peer-to-peer networks Security in sensor networks Security in wired and wireless integrated networks Security in wireless communications Security in wireless LANs (IEEE 802.11 WLAN, WiFi, Security in wireless PANs (Bluetooth and IEEE 802. Security specification techniques Tradeoff analysis between performance and security Viruses worms and other malicious code

Multicast security Network forensics Non-repudiation Prevention of traffic analysis Computer forensics Risk assessment and management Secure PHY/MAC/routing protocols Security group communications Security in cellular networks (2G, 2.5G, 3G, B3G, Security in content-delivery networks Security in domain name service Security in high-speed networks Security in integrated wireless networks Security in IP networks Security in optical systems and networks Security in satellite networks Security in VoIP Security in Wired Networks Security in wireless internet Security in wireless MANs (IEEE 802.16 and WiMAX) Security policies Security standards Trust establishment WLAN and Bluetooth security

CALL FOR PAPERS Volume: 5 - Issue: 2 - July 2011 i. Paper Submission: July 31, 2011 ii. Author Notification: September 01, 2011

iii. Issue Publication: September / October 2011

CONTACT INFORMATION
Computer Science Journals Sdn BhD M-3-19, Plaza Damas Sri Hartamas 50480, Kuala Lumpur MALAYSIA Phone: 006 03 6207 1607 006 03 2782 6991 Fax: 006 03 6207 1697

Email: cscpress@cscjournals.org