An Elliptic Curve Based Handoff Authentication Protocol for WLAN

Chinese Journal of Electronics Vol.20, No.1, Jan. 2011

WAN Changsheng1, HU Aiqun1 and ZHANG Juan2
(1. Radio Department, Southeast University, Nanjing 210096, China)
(2. Accounting Department, Nanjing University, Nanjing 210093, China)

Abstract — This paper proposes a novel handoff authentication protocol for WLAN. It uses an elliptic curve based mechanism to design an authentication and key agreement protocol for handoff in the 802.11r domain, and it can effectively defend against all known attacks on WLAN, including the denial-of-service attack and the domino effect attack. Moreover, our scheme includes only two messages between two parties, and requires few CPU cycles. Therefore, during the handoff authentication process, our scheme enjoys both computation efficiency and communication efficiency as compared to the 802.11r authentication scheme.

Key words — WLAN, Handoff authentication, Elliptic curve.

I. Introduction

Handoff among Access points (AP) is highly desirable to Stations (STA)[1] in WLAN, and secure low-latency handoff authentication is challenging. When the STA hands off from the current AP to a target AP, it needs to authenticate with the target AP, and then associate with it[1]. The IEEE 802.11 basic specification[1] defined two authentication schemes named shared key authentication and open system authentication in 1997. However, they are vulnerable to various attacks[2−4]. The IEEE 802.11f work group and IETF seamoby work group defined the context transfer protocol for handoff authentication[5,6], but it is vulnerable to the domino effect attack[7]. Currently, the IEEE 802.11r group is designing a Fast BSS transition scheme (FBSST)[8] to address handoff authentication. However, the FBSST scheme still suffers from a variety of attacks. In Section II, we will show how DOS and domino effect attacks work in FBSST. Public key authentication schemes have been used in wireless networks[9,10]; they rely strongly on public-key certificate distribution, which is particularly costly in a wireless environment. Ref.[11] designed a trust delegation based authentication scheme for wireless networks, in which the trust delegation initialization process has to be re-established when the mobile terminal roams from one trust delegation to another. Hence it doesn't meet the requirement of handoff authentication.

To focus on handoff authentication and key agreement in WLAN, we first assume that the Authentication server (AS) in the Extended service set (ESS) has a Pre-established security association (PSA) with the APs and the STAs respectively (Fig.1). Secondly, we assume the STA can associate with the candidate BSS after our scheme (using the same mechanism defined by FBSST[8]).

Fig. 1. Trust model in WLAN

The architecture of our scheme (we name it EBSST) is summarized as follows: The AS initially generates and distributes some elliptic curve based keying materials to the APs and STAs. During the subsequent handoff authentication process, the AP and the STA can authenticate each other using those keying materials without the participation of the AS, and establish a shared key using the Elliptic curve Diffie-Hellman algorithm (ECDH)[12]. In the EBSST, since the AS is not involved in the handoff process, the DOS attack aimed at it is avoided. Since the EBSST scheme does not depend on the trust relationship among APs, the domino effect attack is avoided. The security cost of EBSST is lower than that of the FBSST scheme[8] and other public key based schemes, as will be explained in Section V. Moreover, our scheme requires only two messages between two parties, while the FBSST scheme[8] requires 4 messages and 3 parties. Therefore, the EBSST enjoys both efficiency and security benefits.

∗ Manuscript Received July 2008; Accepted Oct. 2010. This work is supported by the 863 Hi-Tech Research and Development Program of China (No.2007AA01Z433), Chinese 242 Plan (No.2009A99).

II. Issues in the FBSST Scheme

The IEEE 802.11r WG defined the FBSST protocol, which aims to reduce the handoff delay when the STA roams among APs within the ESS domain. It mainly includes two parts: the domain initialization process and the fast base station transition process.

The domain initialization process occurs when the STA roams into the 802.11r domain. During this process, the STA and the network access server (usually the network access server is the AP that the STA is currently attached to) establish an 802.1X authentication process. After the 802.1X authentication process, the 802.11r key hierarchy is established. The R0KH on the network access server (we call it the initial R0KH) gets the first level key, called PMK-R0, from the 802.1X authenticator. During the subsequent FBSST process, this R0KH will generate the second level key, called PMK-R1, and distribute it to the R1KHs on the target APs that the STA wants to authenticate with. (Note that there are two levels of key holders, called R0KH and R1KH, in the 802.11r key hierarchy, which are deployed on all the APs in the 802.11r domain. However, only the R0KH on the AP that is involved in the domain initialization process holds the PMK-R0 of the STA. The 802.11r document also assumes that the channel between the R0KH and the R1KH provides confidentiality and integrity protection.)

The fast base station transition process occurs after the domain initialization process. When the STA wants to associate with a target AP in the 802.11r domain, it communicates with the target AP using two sorts of mechanism, called over-the-air and over-the-ds transitions. As an example, this paper analyzes the security issues of the over-the-air transition; the security issues of the over-the-ds transition are similar. There are four messages in the over-the-air transition (Fig.2), and they are described as follows.

Fig. 2. Over-the-air transition

Message 1 The STA initializes the fast base station transition process by sending a transition request message to the target AP directly (some keying materials and the STA's information are included in the message). The message is protected by a signature algorithm such as the AES-CMAC algorithm, using the PMK-R1 key that the STA generates from PMK-R0 by itself.
Message 2 Upon receiving the request message, the target AP gets the identifier of the initial R0KH and the PMKR0name from the message. Usually the initial R0KH is not the R0KH on the target AP (instead the initial R0KH is the R0KH on the network access server involved in the domain initialization process), and the target AP cannot verify message 1 because it does not have the PMK-R1 of the STA. So the R1KH of the target AP has to communicate with the initial R0KH to get the PMK-R1. Note that the messages between the R1KH and the R0KH are first encrypted by an algorithm such as AES, and then signed by an algorithm such as AES-CMAC (this provides confidentiality and integrity protection).

Message 3 When the initial R0KH receives the message from the R1KH, it verifies the message and decrypts the information of the STA. Then the initial R0KH generates PMK-R1, and sends it back to the R1KH. This message is encrypted and signed too.

Message 4 When getting the message back from the initial R0KH, the R1KH verifies and decrypts the PMK-R1. Only then can the R1KH on the target AP verify message 1 using the PMK-R1. Then the R1KH on the target AP sends keying materials back to the STA to negotiate the PTK for association. Message 4 is signed with the PMK-R1 key. When the STA gets this message, it verifies it using PMK-R1. Then the STA and the R1KH on the target AP each generate the PTK from PMK-R1 and other keying materials exchanged between them.

From the above, we can see that the FBSST protocol is a Kerberos-like three-party authentication scheme. A small difference between the FBSST protocol and the 802.1X protocol is that the FBSST protocol uses the initial R0KH as the central server during the authentication process, while the 802.1X protocol usually uses an AAA server as the authentication server. The main advantage of using the initial R0KH instead of the AAA server is that the Denial-of-Service attack aimed at the AAA server is avoided. However, there are still several issues with the FBSST protocol.

(1) The 802.11r document requires that the R0KHs establish trust relationships with the R1KHs in the 802.11r domain. Usually every AP in the domain is deployed with one R0KH and one R1KH. Assuming there are $n_{ap}$ APs in the 802.11r domain, the total number of security associations between the R0KHs and the R1KHs will be $n_{ap}^2$. So the deployment of security associations between R0KHs and R1KHs will be impossible when $n_{ap}$ increases.

(2) Denial-of-Service attack: In the FBSST scheme, only when the target access point has received message 3 from the initial R0KH can it verify message 1 and decide whether to deny the STA or not. Therefore, the attacker may create a lot of illegal transition request messages and send them to the target access point. Since the latter cannot verify the messages, it has to communicate with the initial R0KH, and the initial R0KH may need to verify and decrypt a lot of messages sent from the target AP. Hence the Denial-of-Service attack occurs. Note that the Denial-of-Service attack cannot be completely avoided. Here we judge whether a scheme is vulnerable to the DoS attack based on the following principle: once an AP is under a Denial-of-Service attack from its area, it should not propagate the attack to other APs or the AS. Unfortunately, in the 802.11r scheme, the Denial-of-Service attack will be propagated from the target AP to the initial R0KH.

(3) Domino effect attack: the domino effect attack here refers to the fact that compromise of one access point will lead to compromise of another. Unfortunately, in the case of the 802.11r protocol, the domino effect attack still works. Once the R0KH on an AP in the 802.11r domain is compromised, the attacker can establish a successful authentication process by setting the R0KH-ID in the request message to the compromised AP.

In general, the FBSST does not solve the domino effect attack issue, while it introduces even more efficiency and security issues.

III. Proposed EBSST Scheme

As shown in Section II, symmetric key based handoff authentication schemes are vulnerable to a variety of attacks. So a public key based scheme is desirable to provide strong security properties. However, public key based schemes are costly, partly due to the complex certificate distribution/verification process and partly due to their long-bit modular exponentiation operations.

To reduce the certificate management cost, this paper designs a novel public key distribution scheme. In our scheme, all the STAs in the domain share a public key, while every STA holds a different private key and base point. The AS broadcasts the shared public key to all the APs in the domain, and the APs can authenticate the STAs using this public key. Hence the public-key distribution process is simplified, and the certificate verification process is avoided. To design a shared public key scheme, the following lemma is used in our scheme.

Lemma 1 Given an elliptic curve $T$, and two public-private key pairs $\langle k_1, K_1\rangle$ and $\langle k_2, K_2\rangle$ with the same base point $G$, where $k_1$ is a divisor of $k_2$, then $\langle k_2/k_1, K_2\rangle$ forms a new public-private key pair with the base point $K_1$.

Proof of Lemma 1: $K_2 = k_2 G = (k_2/k_1)(k_1 G) = (k_2/k_1) K_1$.

Our scheme includes three independent parts: EBSST initialization, handoff authentication and an optional big-number transporting mechanism.

1. EBSST initialization

The AS initiates the EBSST by creating two sets of prime numbers: set STAPRI and set BSSPRI. These two sets are used for storing the secrets of the APs and STAs, so the elements in the two sets should not be equal. The length of those prime numbers will affect the security strength of our scheme, which will be analyzed in Section IV. After creating the two sets, the AS creates an elliptic curve $T = (p, a, b, G, n, h)$ over $F_p$ using the technique defined by SECG[12].

When an AP in the domain requests EBSST support, the AS initializes the AP as follows:

Step 1 The AS randomly generates a prime number $j$, adds it to the set BSSPRI, and computes $G_j = jG = (j \bmod n)G$ (note that $nG = O$).

Step 2 The AS computes the product $M$ of all elements in the set STAPRI, and then computes $G_M = MG = (M \bmod n)G$.

Step 3 The AS computes the product $N$ of all elements in the set BSSPRI, and then computes $G_N = NG = (N \bmod n)G$.

Step 4 The AS broadcasts $G_N$ to all the STAs in the domain. The broadcast is signed by the AS to provide integrity protection and message source authentication. To protect against the replay attack, a timestamp can also be added to the message.

Step 5 The AS sends BSSKEYING $= \{G_M, j, N, G_j, T\}$ to the AP under the protection of their PSA as shown in Fig.1. Since a private secret is included in the BSSKEYING message, the PSA should provide confidentiality and integrity protection.

Upon receiving the BSSKEYING message from the AS, the AP computes its private key as follows: $k_{bss} = (N/j) \bmod n$. Therefore, according to Lemma 1, $\langle k_{bss}, G_N\rangle$ constructs the public-private key pair of the AP with the base point $G_j$.

The STA initialization process is similar to the AP initialization process. When the STA requests EBSST service, the AS initializes the STA as follows:

Step 1 The AS randomly generates a prime number $r$, adds it to the set STAPRI, and then computes $G_r = rG = (r \bmod n)G$.

Step 2 The AS computes the product $M$ of all elements in the set STAPRI, and then computes $G_M = MG = (M \bmod n)G$.

Step 3 The AS computes the product $N$ of all elements in the set BSSPRI, and then computes $G_N = NG = (N \bmod n)G$.

Step 4 The AS broadcasts $G_M$ to all the APs in the domain. The broadcast is signed by the AS to provide integrity protection and message source authentication. To protect against the replay attack, a timestamp can also be added to the message.

Step 5 The AS sends STAKEYING $= \{G_N, r, M, G_r, T\}$ to the STA under the protection of their PSA as shown in Fig.1. Since a private secret is included in the STAKEYING message, the PSA should provide confidentiality and integrity protection.

Upon receiving the STAKEYING message from the AS, the STA computes its private key as follows: $k_{sta} = (M/r) \bmod n$. Therefore, according to Lemma 1, $\langle k_{sta}, G_M\rangle$ constructs the public-private key pair of the STA with the base point $G_r$.

2. Handoff authentication

The handoff authentication process includes two simple messages:

Message 1 The STA sends message $Q_1 = \{G_r, y_1\}_{k_{sta}}$ to the target AP, in which $y_1$ is the public key of the STA's ECDH public-private key pair $\langle x_1, y_1\rangle$, and $Q_1$ is protected by the STA's private key $k_{sta}$ using an elliptic curve signature mechanism (e.g. the signature mechanism defined in Section IV of Ref.[12]).

Message 2 Upon receiving message $Q_1$, the target AP verifies $Q_1$ using the public key $G_M$ it holds and the base point $G_r$ included in $Q_1$. Then the target AP sends message $Q_2 = \{G_j, y_2\}_{k_{bss}}$ to the STA, in which $y_2$ is the public key of the AP's ECDH public-private key pair $\langle x_2, y_2\rangle$, and $Q_2$ is protected by the target AP's private key $k_{bss}$ using an elliptic curve signature mechanism (e.g. the signature mechanism defined in Section IV of Ref.[12]).

After getting the $Q_2$ message, the STA verifies $Q_2$ using the public key $G_N$ it holds and the base point $G_j$ included in $Q_2$. Then the target AP and the STA can each generate the shared key $k_{ptk}$, using the ECDH key generating mechanism defined in Ref.[12].

However, there are two points to be indicated. Firstly, the EBSST scheme does not rely on the trust relationship with the current AP, so the STA can initiate the EBSST scheme over the current AP or over the air. Secondly, the receivers in the handoff authentication process should check that $G_r$ and $G_j$ in the messages are not equal to the domain base point $G$ or to the public keys $G_M$ and $G_N$. The reason will be revealed in Section IV.

3. Big-number transporting mechanism

There are two big numbers to be stored and transported in the EBSST scheme (i.e. $M$ and $N$). If there are $m_{sta}$ elements in STAPRI, and those elements are $b_{sta}$ bits in length, then $M$ may be as long as $(m_{sta} + 1)b_{sta}$ bits. For some scenarios, the transport of such a big number may not be acceptable. To address this, $M$ can be expressed as follows:

$$M = (2^{b_{sta}})^{\lfloor \log_{(2^{b_{sta}})} M \rfloor} + \left(M - (2^{b_{sta}})^{\lfloor \log_{(2^{b_{sta}})} M \rfloor}\right)$$

Then, $M$ can be transported by the two numbers: $\lfloor \log_{(2^{b_{sta}})} M \rfloor$ with $\log_2 m_{sta}$ bits and $\left(M - (2^{b_{sta}})^{\lfloor \log_{(2^{b_{sta}})} M \rfloor}\right)$ with $b_{sta}$ bits. The big number $N$ can be stored and transported similarly.
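The keying relations of Lemma 1, the target AP's processing of Q1, and the base-point check of Section III.2 (including the pair ⟨M mod n, G_M⟩ on base point G that Section IV mentions) can be traced in the following added example, which is not code from the paper. It assumes secp256k1 as the curve T, ECDSA with the sender's base point substituted for the generator as the "elliptic curve signature mechanism", SHA-256 as the hash, and constructed secrets far shorter than the roughly 1024-bit primes the paper recommends; all function names are illustrative.

```python
import hashlib
import secrets

# Domain parameters T = (p, a, b, G, n, h). secp256k1 is an assumption of this
# example; the paper only says the AS creates T with the SECG technique.
p = 2**256 - 2**32 - 977
a = 0  # b = 7 is not needed by the addition formulas
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(P1, P2):
    """Affine point addition; None stands for the point at infinity O."""
    if P1 is None or P2 is None:
        return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P1):
    """Double-and-add; the scalar is reduced mod n, as in (M mod n)G."""
    k, acc = k % n, None
    while k:
        if k & 1:
            acc = add(acc, P1)
        P1, k = add(P1, P1), k >> 1
    return acc

def digest(*points):
    """SHA-256 over the points' 32-byte coordinates, as an integer mod n."""
    data = b"".join(c.to_bytes(32, "big") for pt in points for c in pt)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, base, e):
    """ECDSA-style signature on e with `base` replacing the generator (assumed)."""
    while True:
        t = secrets.randbelow(n - 1) + 1
        r = mul(t, base)[0] % n
        s = pow(t, -1, n) * (e + r * priv) % n
        if r and s:
            return r, s

def verify(pub, base, e, sig):
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    X = add(mul(e * w, base), mul(r * w, pub))
    return X is not None and X[0] % n == r

def keying(secret, product):
    """Base point rG (or jG) and private key (M/r) mod n (or (N/j) mod n)."""
    return mul(secret, G), (product // secret) % n

def make_q1(base, priv):
    """Q1 = {G_r, y1} signed with k_sta; returns the ECDH secret x1 and Q1."""
    x1 = secrets.randbelow(n - 1) + 1
    y1 = mul(x1, G)
    return x1, (base, y1, sign(priv, base, digest(base, y1)))

def ap_accepts_q1(q1, G_M, G_N):
    """Target-AP check of Q1 with G_M and the base point carried in Q1."""
    G_r, y1, sig = q1
    # Section III.2: the base point must not be G, G_M or G_N.
    return G_r not in (G, G_M, G_N) and verify(G_M, G_r, digest(G_r, y1), sig)

def demo():
    r, j = 2**61 - 1, 2**107 - 1               # constructed secrets: one STA's r, one AP's j
    M, N = r * (2**89 - 1), j * (2**127 - 1)   # products of STAPRI and of BSSPRI
    G_M, G_N = mul(M, G), mul(N, G)
    G_r, k_sta = keying(r, M)
    G_j, k_bss = keying(j, N)
    _, q1 = make_q1(G_r, k_sta)
    tampered = (G_r, mul(2, q1[1]), q1[2])     # y1 replaced, signature kept
    _, weak = make_q1(G, M % n)                # <M mod n, G_M> on base point G
    return {
        "lemma_sta": mul(k_sta, G_r) == G_M,
        "lemma_ap": mul(k_bss, G_j) == G_N,
        "q1_accepted": ap_accepts_q1(q1, G_M, G_N),
        "tampered_accepted": ap_accepts_q1(tampered, G_M, G_N),
        "weak_sig_valid": verify(G_M, G, digest(G, weak[1]), weak[2]),
        "weak_accepted": ap_accepts_q1(weak, G_M, G_N),
    }
```

Calling `demo()` returns the six checks as a dictionary: the signature made with M mod n on base point G is mathematically valid against G_M, and only the explicit base-point comparison makes the AP refuse it.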


IV. Security Analysis

In this section, we shall analyze the authentication properties of the EBSST, and possible attacks on it. Then, we shall analyze the security strength of the EBSST scheme.

1. Authentication properties

The basic authentication property is to confirm or deny an entity's claimed identity. Proposition 1 shows that EBSST has the basic authentication property.

Proposition 1 If the target AP can verify the $Q_1$ message successfully, then $G_r$ is the legal identity of the STA assigned by the AS.

Proof $G_r$ is computed by the AS using $G$ and $r$, and distributed only to the STA. So, the one claiming that $G_r$ belongs to it must prove that it holds $r$. In the EBSST scheme, the $Q_1$ message is signed by the STA using its private key $k_{sta}$, and the target AP verifies it using the related public key $\langle G_r, G_M\rangle$. If the target AP can verify the $Q_1$ message successfully, then the STA must have the private key $k_{sta}$. Since $k_{sta}$ is computed from $r$, which is a secret of the STA and cannot be factored from the big number $M$, the STA must have $r$. Proposition 1 follows.

Note that the constant 1 is a divisor of $M$ too. Thus $\langle M \bmod n, G_M\rangle$ forms a public-private key pair with the base point $G$. So in Section III.2, we require that the $G_r$ transported in $Q_1$ should not be equal to $G$.

Another authentication property is the key agreement property. The EBSST uses the ECDH algorithm for negotiating $k_{ptk}$, so it has the property of key agreement.

2. Possible attacks on the EBSST

In this section, we consider three major types of threats to handoff authentication in WLAN, namely, the domino effect attack, the DOS attack and the man-in-the-middle attack.

The domino effect attack here refers to the fact that compromise of one AP will lead to compromise of another. Proposition 2 shows that the EBSST is immune to the domino effect attack.
Proposition 2 In the EBSST scheme, if AP1 with BSSKEYING$_1 = \{G_M, j_1, N, G_{j_1}, T\}$ is compromised, then AP2 with BSSKEYING$_2 = \{G_M, j_2, N, G_{j_2}, T\}$ cannot be compromised using the keying material BSSKEYING$_1$.

Proof To compromise AP2, the attacker must get $j_2$. Since $j_1$ and $j_2$ are two randomly generated prime numbers, the attacker cannot compute $j_2$ from $j_1$ and other public key materials. Proposition 2 follows.

In the FBSST protocol, the R1KH on the target AP has to consult the initial R0KH for PMK-R1, and it can only authenticate the STA after message 3 in Section II is received. The significant implication of this drawback is that a DOS attack on the initial R0KH is possible. In the EBSST scheme, since only the target AP and the STA are involved in the handoff authentication process, the DOS attack will not be propagated to other entities such as other APs or the AS in the domain.

The ECDH algorithm is used for key negotiation in EBSST, and it is vulnerable to the man-in-the-middle attack. However, in the EBSST, the ECDH messages are protected by the elliptic curve signature algorithm and only the authorized AP (or STA) can generate a legal signature, so the man in the middle cannot tamper with the ECDH messages. Hence, the man-in-the-middle attack on the EBSST is avoided.


3. Security strength analysis

The EBSST uses public key cryptography to exchange the symmetric key ($k_{ptk}$), so we analyze its security strength referring to RFC3766[13]. Assuming $k_{ptk}$ is a 128-bit AES key, moduli with about 2100 bits will have about the same resistance against attack[13]. This indicates that factoring a 2100-bit integer, which is the product of two big prime numbers, will need the same time as attacking a 128-bit symmetric key. So, the prime number length for the elements in the four sets can be set as short as 2100/2 ≈ 1024 bits.

Due to the use of an elliptic curve based signature, the parameter $p$ for the elliptic curve $T$ can be set as short as 193 bits, while the scheme still enjoys the same security level as that of 2100-bit moduli[13].

The EBSST scheme uses the ECDH algorithm for symmetric key negotiation, and the multiplier should be twice as large as the symmetric key[13]. Hence, the length of $x_1$ and $x_2$, which are usually prime numbers, should be set to more than 128 bits × 2 = 256 bits.

V. Efficiency Analysis

In this section, we shall analyze the handoff authentication efficiency of the EBSST scheme, and then compare it with that of the FBSST scheme[8].

For the case of symmetric key based schemes, the number of cpu cycles of encryption and decryption mechanisms are the same on both the 32-bit cpu and 64-bit cpu. However, public key based schemes will strongly rely on the cpu types. Usually, the number of cpu cycles on the 32-bit processor is 16 times as that of 64-bit processors, when processing the same public key encryption/decryption algorithm. This conclusion can be computed from RFC3776, where the number of cpu cycles of a 1024-bit modular exponentiation on a 64-bit processor is similar to that of 256-bit modular exponentiation on a 32-bit processor, and the number of cpu cycles of 256-bit modular exponentiation on a 32-bit processor is to that of 1024-bit modular exponentiation on a 32-bit processor. This paper mainly compares the security cost of the two schemes on the 64-bit processors.

We analyze the security cost of EBSST during handoff using four factors: time of signing using the private key ($c_{ps}$), time of verification using the public key ($c_{pv}$), time of key generating using ECDH algorithm ($c_{pg}$). On the 64-bit processors, these three factors can be computed as follows: $c_{ps} = c_{pv} = c_{pg} = 450{,}000$ cpu cycles $/ 5 = 90{,}000$ cpu cycles[13]. So, the efficiency of EBSST described using the term cpu cycle is shown in Table 1.

Table 1. Cpu cycles of EBSST

| Entity | Cost | Cpu cycles |
|---|---|---|
| STA | $c_{ps} + c_{pv} + c_{pg}$ | 270,000 |
| Target AP | $c_{ps} + c_{pv} + c_{pg}$ | 270,000 |
| Total | $2c_{ps} + 2c_{pv} + 2c_{pg}$ | 540,000 |

The efficiency of FBSST relies on the cipher suite. This paper takes the AES-128 algorithm as an example, which is the most popular algorithm today. Similar to the EBSST scheme, the security cost of FBSST[8] can be analyzed using three factors: time of key generating using the HMAC-SHA1 algorithm ($C_{sg}$), time of encrypting one block using a 128-bit AES key ($C_{se}$), and time of decrypting one block using a 128-bit AES key ($C_{sd}$). During handoff, there are four keys to be generated (i.e. PMK-R1, PMK-R1name, PTK, PTKname). Referring to Refs.[14, 15], $C_{sg} = 32 + (2 + 2) \times 1110 = 4472$ cpu cycles, $C_{se} = 6168$ cpu cycles and $C_{sd} = 10992$ cpu cycles.

The handoff authentication process in FBSST includes four messages (Fig.2). The message length between the target AP and the STA ranges from 1280 bits to 4096 bits (see the definition of the message integrity check field in Ref.[8]), and the message length between the target AP and the initial R0KH is similar. So, as an average, we assume the message length in the FBSST is (1280 + 4096) bits / 2 = 2688 bits = 21 AES blocks. Note that the channel between the target AP and the initial R0KH provides integrity and confidentiality protection[8], so the messages between the STA and the target AP are protected using the AES-CMAC algorithm, while the messages between the target AP and the initial R0KH are protected by both the AES-CMAC algorithm and the AES encryption algorithm (i.e. the sender of the message encrypts the message and then generates a message authentication code over the encrypted message). So, the efficiency of FBSST described using the term cpu cycles is shown in Table 2.

Table 2. Cpu cycles of FBSST

| Entity | Cost | Cpu cycles |
|---|---|---|
| STA | $42C_{se} + 4C_{sg}$ | 276944 |
| Target AP | $105C_{se} + 21C_{sd} + 2C_{sg}$ | 887446 |
| Initial R0KH | $63C_{se} + 21C_{sd} + 2C_{sg}$ | 628360 |
| Total | $210C_{se} + 42C_{sd} + 8C_{sg}$ | 1,792,750 |

Table 1 and Table 2 show that the computation cost of the EBSST scheme is around 30% of that of the FBSST scheme on the 64-bit processors. Note that the total computation cost of the EBSST on the 32-bit processor is 16 times that on 64-bit processors (i.e. 540,000 × 16 = 8,640,000 cpu cycles), and the computation cost of the EBSST scheme is then around 5 times that of the FBSST. This conclusion seems to contradict the traditional opinion, in which the computation cost of public key based schemes is usually $10^3$ times that of symmetric key based schemes. However, it is correct. The computation cost of FBSST is so high because the message length of the FBSST is very long, and, as a three-party protocol, there are too many encryption/decryption operations. The computation cost of EBSST is low because the 64-bit processor greatly reduced the computation cost of modular exponentiation.

VI. Conclusion

In this paper, we have presented an efficient handoff authentication and key agreement protocol for WLAN, and analyzed its security. After the initial key distribution, the STA and the AP can authenticate each other and establish a shared key without the participation of other APs or the AS in the domain. This paper takes the WLAN environment as an example of wireless networks. However, the scheme can also be used in other wireless networks.

References

[1] IEEE 802.11: 1997, Wireless LAN medium access control (MAC) and physical layer (PHY) specification.
[2] W.A. Arbaugh, N. Shankar, Y.C. Justin, “Your 802.11 Wireless network has No clothes”, Proc. of IEEE Wireless LANs and Home Networks, Singapore, pp.131–141, 2001.
[3] IEEE 802.11-00/362:2000, “Unsafe at any key size: an analysis of the WEP encapsulation”.
[4] N. Borisov, I. Goldberg and D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, Proc. of IEEE MOBICOM, New York, USA, pp.180–189, 2001.
[5] IEEE 802.11f:2003, Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation.
[6] IETF RFC4067:2005, Context Transfer Protocol (CXTP).
[7] IETF RFC4962:2007, Guidance for Authentication, Authorization, and Accounting (AAA) Key Management.
[8] IEEE 802.11r:2008, Fast BSS Transition.
[9] L. Lamport, “Password authentication with insecure communication”, Commun. ACM, Vol.24, No.11, pp.770–772, 1981.
[10] A. Evans et al., “A user authentication scheme not requiring secrecy in the computer”, Commun. ACM, Vol.17, No.8, pp.437–442, 1974.
[11] C. Tang, D.O. Wu, “An efficient mobile authentication scheme for wireless networks”, IEEE Trans. Wireless Commun., Vol.7, No.4, pp.1408–1416, 2008.
[12] SECG SEC1:2000, Elliptic Curve Cryptography.
[13] IETF RFC3766:2004, Determining Strengths for Public Keys Used for Exchanging Symmetric Keys.
[14] O. Elkeelany et al., “Performance analysis of IPSec protocol: Encryption and authentication”, Proc. of IEEE Communications Conference, New York, USA, pp.1164–1168, 2002.
[15] C. Xenakis et al., “A generic characterization of the overheads imposed by IPsec and associated cryptographic algorithms”, The International Journal of Computer and Telecommunications Networking, Vol.50, No.17, pp.3225–3241, 2006.

WAN Changsheng received the B.S. degree in applied physics from University of Science and Technology of China, Hefei in 1999, and the Ph.D. degree in physical electronics from University of Science and Technology of China, in 2004. From July 2004 to Oct. 2005, he was with ZTE Corporation at Nanjing, as a senior engineer. From Nov. 2005 to Mar. 2007, he was with Huawei Technologies Co. Ltd, Nanjing, as a staff engineer. Since Apr. 2007, he has been with Southeast University, Nanjing as a teacher. His research interests are in the areas of network security, wireless communication, IP and routing technology, and data mining.

HU Aiqun received the B.S. degree in signal processing from Southeast University, Nanjing in 1987, and the Ph.D. degree in signal processing from Southeast University, in 1992. Since July 1992, he has been with Southeast University, Nanjing, as a teacher. He was promoted to associate professor in 1995, and to professor in 2000. Now, he is the leader of the Information Security Laboratory in the School of Information Science and Technology, Southeast University. Since 2001, he has been a member of the expert team of the information security subject for the Chinese 863 Plan. His research interests are in the areas of network security, wireless communication, and signal processing.

Zhang Juan received the B.S. degree in international trade from Hubei University, Wuhan, in 1999, the M.S. degree in international trade from Hubei University, Wuhan, in 2002, and the Ph.D. degree in accounting & auditing from Wuhan University, in 2005. Since Sept. 2005, she has been with Nanjing University, Nanjing, as a teacher. Her research interests are in the areas of network security, accounting, auditing, and data mining.
