Revocation Phase. When MU’s mobile device is stolen/lost or MU’s i R q Ai, h2((Ni ⊕ h2(n3))||Ai)) )and transmits ei to VLR. ‧Step 2. VLR→MU: { fi } VLR decrypts ei with last authenticated session key SKi-1 and obtains Ni by using the stored Ni -1. Then VLR checks whether hash value of Ni is Ni -1 and the third part of plaintext is equal to h2((Ni ⊕ h2(n3))||Ai). If either is not equal, XXX refuses the authentication request. Otherwise, VLR selects a random number i R q b ∈ Z * and calculates Bi =biQ, SKi =h7(R||Ni||SKi-1||h4(biAi)||h2(n3)), (14) fi= En (SKi-1 ,(Bi, h6(SKi||Bi))). (15) VLR stores the hash values Ni and the key SKi, and removes {SKi-1 , Ni -1}. Finally VLR transmits fi to MU. ‧Step 3. After MU receives the response from VLR, MU decrypts fi with the key SKi-1 and obtains Bi. Then MU computes SKi =h7(Ni||SKi-1||h4(aiBi)||h2(n3)). MU checks whether h6(SKi||Bi) is right. If so, MU stores the session key SKi . MU can perform offline authentications n times. service subscription expires, the HLR suspends MU’s service or revokes the MU and all VLRs will not provide MU with the roaming service any longer. In order to attain the aim, HLR searches for R corresponding to the MU who will be suspended or revoked. Then HLR periodically releases R on a bulletin. When VLR is required to access by a new mobile user MU the first time, VLR decrypts C4 and checks if one part of a proxy key pair, R, is in the suspended service list. If R is in the revocation list, VLR refuses MU. Each time HLR needs to revoke a certain MU, HLR removes the MU’s account only by simply putting the key R in the revocation list with keeping his/her identity unchanged and unpublished. Hence MU can use his/her old identity to apply for a new proxy key pair in the next registration with HLR. Meanwhile, the approach helps to provide user anonymity.
