Abstract

Recently, Chang, Lee, and Chiu proposed an enhanced anonymous authentication scheme which permits mobile users to anonymously enjoy roaming service in global mobile networks. In this letter, we show that their scheme fails to achieve the anonymity by providing four attack strategies. Moreover, we show that anyone can recover a mobile user's session keys by using the identity of the mobile user. Hence, Chang et al.'s scheme cannot provide secure key establishing service since an adversary can recover the identity of a mobile user by performing one of our attacks.