Revisiting three anonymous two-factor authentication schemes for roaming service in global mobility networks

Designing a secure and efficient anonymous authentication protocol for roaming services in global mobile networks is a hot topic in the field of information security protocols. Based on the widely accepted attacker model, this paper analyzes the security of three representative anonymous authentication protocols in global mobile networks. It is pointed out that: (1) Xu et al.'s protocol cannot resist the offline password guessing attack and mobile user impersonation attack that it claims to resist, and does not achieve mobile user untraceability and forward security; (2) Gupta et al.'s protocol cannot resist offline password guessing attacks and temporary information disclosure attacks; (3) Madhusudhan et al.'s protocol cannot resist mobile user impersonation attack, foreign agent impersonation attack, replay attack, offline password guessing attack and session key disclosure attack, and cannot realize the anonymity, untraceability and forward security of users. It is emphasized that the fundamental reason for the failure of these protocols lies in the violation of the four basic principles of protocol design: Public key principle, Forward security principle, User anonymity principle and Anti offline guessing attack principle. The specific mistakes of these schemes are clarified, and the corresponding correction methods are proposed.


INTRODUCTION
With the rapid growth of Internet application demand, the Global Mobility Network (GLOMONET) gradually shows a wide range of application prospects in various fields closely related to people's lives. This kind of network makes it easy for people to enjoy the convenience of mobile networks. In the GLOMONET, when a travelling mobile user with a wireless device wants to get network service, she can pass the authentication of the global mobile network with the help of the home agent (HA) and be allowed to use the roaming service of a foreign agent (FA) anywhere. Due to the openness and mobility of mobile networks and the limited resources of mobile devices, communication is vulnerable to various attacks, such as offline guessing attacks and failure to provide forward security. According to O'Dea [1], the forecast number of mobile users worldwide in 2024 will be 7.41 billion, 6.6% more than the 6.95 billion users in 2020. In other words, everyone in the world has at least one mobile device on average. The huge volume of users' personal data is in urgent need of privacy protection. In the Internet of things, access control and authentication technology has been effectively studied [2][3][4][5][6][7]. Nevertheless, how to ensure the authenticity of communication entities and prevent the abuse of services and illegal access to resources, without reducing system availability, remains a serious challenge to the GLOMONET.

Related work
In 1997, Suzuki and Nakada [8] proposed an authentication technique for GLOMONET. The proposed technique, which consists of only two phases (a registration phase and an authentication phase), is suitable for the distributed security management of GLOMONET. Since then, a large number of authentication and key agreement protocols have been proposed for GLOMONET. In 2005, Lee et al. [9] proposed an authentication scheme without password. In the proposed scheme, the home network cannot obtain the authentication key between the roaming user and the visited network. In 2006, Lee et al. [10] proposed an enhanced scheme for eliminating the security weaknesses of Zhu and Ma's scheme [11]. However, in 2009, Chang et al. [12] pointed out that Lee et al.'s scheme suffers from the impersonation attack. Afterwards, Chang et al. [12] proposed an authentication scheme for roaming service that only used one-way hash functions and exclusive-OR operations in order to obtain security goals.
In 2010, Wu et al. [13] proposed a novel lightweight authentication scheme using one-way hash functions and symmetric cryptographic operations in GLOMONET for roaming service to provide user anonymity. In 2011, Zhou and Xu [14] also proposed a provably secure two-factor authentication protocol with anonymity for roaming service based on the Diffie-Hellman assumption. In 2013, to overcome two kinds of impersonation attacks, He et al. [15] proposed an anonymous two-factor authentication protocol for Consumer Roaming Service. However, He et al.'s scheme [15] is vulnerable to time synchronization attack.
In 2013, Jiang et al. showed that He et al.'s scheme [16] cannot achieve two-factor security, and that it suffers from multiple known attacks. In order to improve security, Jiang et al. [17] proposed a scheme based on the quadratic residue assumption for GLOMONET. But it can be observed that Jiang et al.'s scheme [17] suffers from denial of service attack. Moreover, Wen et al. [18] showed that Jiang et al.'s scheme [17] is vulnerable to replay attack and the stolen-verifier attack.
In 2017, Lee et al. [19] showed that Mun et al.'s scheme [20] is insecure against impersonation attack and man-in-the-middle attack, and that it cannot achieve anonymity. Subsequently, Lee et al. [19] used only one-way hash functions and exclusive-OR operations to propose an improved scheme for GLOMONET.
In 2018, Xu et al. [21] showed that Gope-Hwang's scheme [22] cannot resist replay attack and synchronous attack. Afterwards, they proposed an authentication and key agreement protocol for GLOMONET using only hash functions and a symmetric cryptosystem. Meanwhile, Gupta et al. [23] showed that Wu et al.'s scheme [24] cannot provide untraceability of the mobile user. What's more, it is inefficient in verifying a wrong password. Because there are many attacks on the existing protocols, in order to eliminate these problems, Madhusudhan and Shashidhara [25] proposed a secure authentication and key agreement scheme for mobile roaming users in 2019.
From a large body of related literature, we can observe that such authentication protocols in GLOMONET can be divided into three categories based on the basic cryptographic techniques used: (1) based on hash function and exclusive-OR operation; (2) based on hash function, exclusive-OR operation and symmetric cryptography; (3) based on public key cryptography. The authentication protocols of (1) and (2) always have some security problems, such as offline password guessing attacks and lack of perfect forward secrecy. However, when public key cryptography is not used properly, the authentication protocols of (3) are also vulnerable to various attacks.

Contribution
We provide a better understanding of user anonymity and untraceability, offline password guessing attack, perfect forward secrecy, etc., and we believe it would facilitate the design of secure and usable authentication and key agreement schemes for GLOMONET. Specifically, our contributions are summarized as follows: a) We analyze Xu et al.'s [21], Gupta et al.'s [23] and Madhusudhan et al.'s [25] protocols, and find that none of the three anonymous authentication protocols in the GLOMONET environment can achieve user anonymity and untraceability, that they are vulnerable to offline password guessing attacks, and that there are forward secrecy issues, mobile user impersonation attacks, etc. b) We highlight four basic design principles of anonymous two-factor authentication protocols in GLOMONET: (1) Public key technology principle. Under the assumption of a non-tamper-resistant smart card, using public key technology is a necessary condition to resist offline password guessing attack; (2) Perfect forward secrecy principle. Public key technology is a necessary condition for preserving perfect forward secrecy; (3) Mobile users anonymity and untraceability principle. Using public key technology is a necessary condition for realizing user anonymity and untraceability; (4) Anti offline password guessing principle. At present, using "Fuzzy-Verifiers" and "Honeywords" technology is a good choice for resisting offline password guessing attack [26].

Roadmap of this paper
The remainder of this paper is organized as follows: Section 2 describes the system model and attacker model. Section 3 reviews the efficient anonymous authentication scheme proposed by Xu et al., and the security of the scheme is analyzed in Section 4. Section 5 describes the two-factor authentication scheme based on the quadratic residue assumption proposed by Gupta et al., and Section 6 points out the security problems of the scheme. Section 7 and Section 8 respectively review and analyze the scheme of Madhusudhan et al. Section 9 highlights four basic design principles of two-factor authentication schemes in GLOMONET. Finally, Section 10 concludes the paper.

SYSTEM MODEL AND ATTACKER MODEL
This section introduces the system model of authentication and key agreement in GLOMONET and attacker model. The notations used in this paper are presented in Table 1.

System model
In a two-factor authentication and key exchange protocol for roaming service in GLOMONET, there exist three participants, namely the mobile user (MU), the FA and the HA. First of all, MU needs to register herself with HA before she can get mobile network roaming service. In the registration phase, MU sends the registration request to HA, and sends the identity or password information, after privacy processing, to HA over the secure channel. Then, HA stores some key parameters processed by cryptography in a new smart card and sends the smart card to the corresponding MU. Then, in order to obtain the access rights of FA, MU needs the assistance of HA. The specific process is as follows: (1) MU sends a roaming service login request to FA; (2) FA sends an authentication request to HA; (3) HA sends a response to FA after authenticating FA; (4) FA sends a response to the user after authenticating HA; (5) After MU authenticates FA, the session key is calculated. Therefore, mobile users can use the session key to enjoy roaming service safely.

1) All parameters stored in the smart card of the mobile user can be extracted by the adversary A using a side-channel attack.
[37,38] the space of identities and passwords is very limited in real life, |D | ≤ |D | ≤ 10^6.
4) Any adversary A can register as a legitimate mobile user if anyone can do this.
5) A may obtain previous session keys through improper erasure (e.g., using digital forensic techniques).
6) A can obtain the private key of the mobile user, the home agent and the foreign agent when carrying out the perfect forward secrecy attack.

XU ET AL.'S SCHEME
In 2018, Xu et al. [21] pointed out that Gope and Hwang's scheme [22] is vulnerable to replay attack and has the problem of computational burden. Afterwards, Xu et al. [21] designed an improved authentication scheme for roaming service in GLOMONET. However, here we show that Xu et al.'s scheme [21] still has several serious defects, including lack of mobile user untraceability and perfect forward secrecy, offline password guessing attack, and mobile user impersonation attack.

S1.
A new mobile user MU sends her real identity to the home agent HA through the secure channel. S2. On receiving the , HA generates two random numbers ℎ and 0 and then calculates ℎ = ℎ( Finally, MU replaces , ℎ with * , * ℎ , respectively. And the smart card SC contains these param-

Authentication and key agreement phase
In this part, with the help of the home agent HA, the mobile user MU and the foreign agent FA will authenticate each other and establish a common session key. S1. MU generates a random number and inputs her identity and password into the smart card SC. Then, SC computes ℎ = *  || ℎ ) and replaces with .

Password update phase
The mobile user MU can change her password by herself. In order to change the password, MU needs to use her old password and enters the new password * . After that, she calculates ℎ = * ℎ , * * } in the smart card, respectively.

Lack of mobile user untraceability
We suppose that A gets the message { , , ℎ , 1 , 1 }. Since = ( || 0 ) is a fixed value, A can track the login request behavior of legitimate mobile user . Therefore, Xu et al.'s scheme cannot provide mobile user untraceability.

Offline password guessing attack: Case I (via special parameter in smart card)
Suppose that the adversary A extracts these parameters { * , ℎ()} and gets the message { , , ℎ , 1 , 1 }.
The adversary A can guess the user password offline. The specific process is as follows: 1) A first selects * from the password dictionary space D and selects * from the identity dictionary space D .

4)
A checks whether * is equal to .
If equal, A finds the correct password and identity of MU. Otherwise, A repeats steps 1)-4) until she finds the correct password and identity.
The time complexity of the above attack is: O(|D | * |D | * ℎ ), where |D | and |D | denote the number of passwords in D and the number of identities in D , ℎ is the running time of hash computation. Usually |D | ≤ |D | ≤ 10^6 [32,37], therefore the above attack is very efficient. In fact, the attack succeeds because A can obtain the parameter * in smart card and in public channel, and directly figure out the exact parameter ℎ( || ). Finally, A just needs to traverse the space of passwords and identities.
The adversary A can guess the user password offline. The specific process is as follows: 1) A first selects * from the password dictionary space D and selects * from the identity dictionary space D .

2)
If equal, A finds the correct password and identity of MU. Otherwise, A can repeat steps 1)-4) until the equation holds.
The adversary A can guess the user password offline. The specific process is as follows: 1) A first selects * from the password dictionary space D and selects * from the identity dictionary space D .

4)
A checks if * 1 is equal to 1 . If equal, A finds the correct password and identity of MU. Otherwise, A can repeat steps 1)-4) until the equation holds. The time complexity of the above attack is: O (|D | * |D | * 2 ℎ ), therefore, the above attack is also very efficient.

No perfect forward secrecy
In Xu et al.'s scheme [21], A can obtain the established session key between the mobile user MU and the foreign agent FA if A gets the private key of HA.

1) A eavesdrops the message {
, , ′ } in public channel and extracts the parameter { * , * ℎ , ℎ()} in smart card. 2) A decrypts using the long term private key of HA, that is , (

Mobile user impersonation attack
According to Section 2), the adversary A can figure out the shared key ℎ between MU and HA. Thus, if A obtains the identity of the mobile user MU by means of the offline guessing attack, she is able to impersonate MU. To do so, A captures the login request message { , , ℎ , 1 } in public channel and extracts the parameter { * , * ℎ , ℎ()} in smart card. Afterwards, A performs the following steps.

2)
A chooses a random number * , and then calculates * = ℎ( Since FA only checks the validity of * 1 , the forged message * 1 easily passes the authentication of FA. On the other hand, since the forged message * 1 } is indistinguishable from the real 1 , MU also can pass the authentication of HA. Therefore, Xu et al.'s scheme [21] cannot resist mobile user impersonation attack.

GUPTA ET AL.'S SCHEME
Gupta et al.'s scheme [23] uses public key encryption based on the quadratic residue assumption. The quadratic residue assumption is described as follows: Assume , are large primes, = , and and is given. It is hard to get from the equation = 2 mod . However, if the factors of i.e. and are known, the Chinese remainder theorem can solve this problem. A more detailed description can be found in Jiang et al.'s scheme [17].
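The quadratic residue assumption above, as an added example (not code from Gupta et al. or Jiang et al.): squaring needs only the public modulus, recovering the root uses the factors and the Chinese remainder theorem, and two essentially different roots reveal a factor, which is why extracting roots is as hard as factoring. The names p, q, n, the toy Mersenne primes and the 4-byte hash tag used to pick the right root are assumptions.

```python
"""Added example: square roots modulo n = p*q with the factors known."""
import hashlib
from math import gcd

# Constructed toy parameters: two Mersenne primes, both congruent to 3 mod 4.
# They are far too small for real use and only keep the arithmetic readable.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q        # public modulus; P and Q stay with the key owner
TAG_LEN = 4      # redundancy bytes used to recognise the true root (assumption)


def encode(message: bytes) -> int:
    """Append a short hash tag so the receiver can pick the right root."""
    tag = hashlib.sha256(message).digest()[:TAG_LEN]
    x = int.from_bytes(message + tag, "big")
    if not 0 < x < N or gcd(x, N) != 1:
        raise ValueError("message does not fit this toy modulus")
    return x


def encrypt(message: bytes) -> int:
    """Sender side: one modular squaring, using the public modulus only."""
    return pow(encode(message), 2, N)


def sqrt_mod_prime(c: int, p: int) -> int:
    """Square root modulo a prime p with p = 3 (mod 4): c^((p+1)/4) mod p."""
    r = pow(c, (p + 1) // 4, p)
    if (r * r - c) % p != 0:
        raise ValueError("c is not a quadratic residue modulo p")
    return r


def square_roots(c: int, p: int, q: int) -> list:
    """All square roots of c modulo p*q, combined with the CRT."""
    n = p * q
    rp, rq = sqrt_mod_prime(c % p, p), sqrt_mod_prime(c % q, q)
    to_p = q * pow(q, -1, p)   # equals 1 mod p and 0 mod q
    to_q = p * pow(p, -1, q)   # equals 0 mod p and 1 mod q
    return sorted({(sp * to_p + sq * to_q) % n
                   for sp in (rp, p - rp) for sq in (rq, q - rq)})


def decrypt(c: int, p: int, q: int) -> bytes:
    """Receiver side: compute the four roots, keep the one with a valid tag."""
    for root in square_roots(c, p, q):
        size = max(TAG_LEN + 1, (root.bit_length() + 7) // 8)
        raw = root.to_bytes(size, "big")
        message, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        if hashlib.sha256(message).digest()[:TAG_LEN] == tag:
            return message
    raise ValueError("no root carries a valid tag")


def factor_from_roots(r1: int, r2: int, n: int):
    """Two roots with r1 != +-r2 (mod n) yield a factor of n via a gcd."""
    g = gcd(abs(r1 - r2), n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    ciphertext = encrypt(b"MU-0042")          # constructed sample message
    print("roots:", square_roots(ciphertext, P, Q))
    print("decrypted:", decrypt(ciphertext, P, Q))
```
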
Moreover, in order to solve the problems of efficient typo detection, DoS attack and password guessing attack, the proposed scheme uses the "Fuzzy-Verifier" technique [26]. Gupta et al.'s scheme [23] has four phases. However, only the registration phase and the mutual authentication phase are needed in this paper. The detailed descriptions of the two phases are as follows. . After that, HA stores { , , 0 , , ℎ(·), } in the smart card. is a public key of the home server which is used for the encryption by the mobile users. Then HA sends it to MU. On receiving the smart card, MU enters into the smart card.

Mutual authentication phase
In this phase, the mobile user MU can get access to the foreign server by performing authentication and key agreement. Assuming is prime, is an Elliptic curve over the field ( ) where has large embedding degree, and is a base point in Elliptic curve. S1. MU inserts the smart card into a card reader and inputs and . , are the identities of the foreign agent and home agent respectively, 1 is the timestamp at which the message 1 is sent, is a random number generated by the mobile user. Afterwards, MU sends the 1 to the foreign agent FA. S3. On receiving 1 , FA chooses a random number and calculates 2 = ( 1 || 2 || ). 2 is the timestamp when the message 2 is generated. Subsequently, FA uses ECDSM and private key on the message 2 to generate digital signature . Then FA publishes its public key to all the servers periodically, which is corresponding to the private key and certified by the certificate authority CA. In the end, FA sends the home agent HA the message 2 and signature . S4. On receiving 2 and , HA verifies the timestamp 2 . If the timestamp 2 is not valid, HA ends this session. Otherwise, HA checks the signature using the public key of FA. If the verification is not successful, HA sends the failure notice to FA. If so, HA using the private key , decrypts 1 where = × . Then HA obtains

S2. The smart card figures out
where is digital signature generated using ECDSM, 3 is the timestamp when 3 and 4 are sent, Sign is ECDSM signature generation algorithm, is the private key of HA for ECDSM signature generation. HA publishes the public key to all the servers which is corresponding to and certified by the certified authority CA. HA sends ( 3 , 4 , 5 , ) to FA. Otherwise, MU terminates this session.

CRYPTANALYSIS OF GUPTA ET AL.'S SCHEME
Here, we show that Gupta et al.'s scheme [23] still has two serious flaws, namely, offline password guessing attack and session-specific temporary information attack.

Offline password guessing attack: Case I
Suppose that the adversary A extracts these parameters { , } from the smart card, gets the message { 1 , 3 } and the public key of HA. The adversary A can guess the user password offline. The specific process is as follows: 1) A first selects * and three identities { * , , * , * } from the password dictionary space D and three identity dictionary space D , respectively. Moreover, A chooses a time-stamp * 1 from the appropriate time interval Δ . 2) A calculates * = ℎ( * || ).
The time complexity of the above attack is: O(|D | * 3|D | * Δ * ℎ ), therefore, the above attack is efficient.

Offline password guessing attack: Case II
Suppose that the adversary A extracts these parameters { , }, gets the message { 4 , 5 }. The adversary A can guess the user password offline. The specific process is as follows: 1) A first selects * from the password dictionary space D and selects three identities { * from three identity dictionary space D .

5) A verifies whether *
5 is equal to 5 . If they are equal, A gets the correct password and identity of MU. Otherwise, A can repeat steps 1)-5) until the equation holds.
The time complexity of the above attack is: O(|D | * |D | * 2 ℎ ), therefore, the above attack is very efficient.

Session-specific temporary information attack
In Gupta et al.'s scheme [23], if all temporary information , are compromised, then A can compute = . Therefore, in the case of temporary information disclosure, Gupta et al.'s scheme [23] is vulnerable to session-specific temporary information attack.

MADHUSUDHAN ET AL.'S SCHEME
In 2019, Madhusudhan et al. [25] used only hash functions and symmetric cryptography to construct an authentication scheme in GLOMONET, and they claimed that this scheme is able to resist various attacks and provide user anonymity. But here, we show that Madhusudhan et al.'s scheme [25] cannot provide user anonymity and perfect forward secrecy, and it is vulnerable to at least five types of attacks. The specific cryptanalysis process is as follows:

Initialization phase
Suppose that HA computes = , where , are two prime numbers. And ′ and ′ are public primes, HA selects G (multiplication group) and an element ∈ with order ′ . Then HA chooses a symmetric key = (< ′ ) and computes the public key = mod ′ . Similarly, FA chooses a private key = (< ′ ) then computes the public key = mod ′ .

S1. A new MU randomly chooses
, and and a random number . Afterwards, MU submits

Login and authentication phase
In this phase, MU and FA agree on a session key and perform mutual authentication through HA to access the required services. The login and authentication phases' procedures are depicted in Fig. 3. S1. MU inputs * , and calculates * = ℎ( * || * || ). Afterwards, MU checks whether * = or not. If not, MU ends the session. Otherwise, the legality of MU is ensured. Then MU generates a nonce and Finally, the mobile user MU sends FA the message 1 = { , , }. S2. Upon receiving 1 , FA generates a random number . Afterwards, FA encrypts the message 1 with . Subsequently, FA sends the encrypted information with FA's identity to HA. S3. Upon receiving 2 , HA checks and searches the secret key corresponding to . Then HA decrypts the received information and authenticates on it. If the authentication is successful, a session key is generated by HA for communication between FA and MU. If not, HA refuses the login request 2 . Otherwise, HA calculates MU performs further routine verification. If both pass the verification, the authentication and key agreement process are completed successfully.

No provision of mobile user anonymity and untraceability
Since the adversary A can get the parameters { . Therefore, Madhusudhan et al.'s scheme [25] cannot provide mobile user anonymity and untraceability.

Offline password guessing attack
Suppose that the adversary A extracts these parameters { , , , , , ℎ()} from the smart card. The adversary A can guess the user's password offline, and the specific process is as follows: 1) A first selects * and three identities * from the password dictionary space D and three identity dictionary space D , respectively. 2) A calculates * = ℎ( * || * || ).

3) A verifies whether * is equal to .
If it is equal, A finds out the correct password and identity of MU. Otherwise, A can repeat steps 1)-3) until the equation holds.
The time complexity of the above attack is: O(|D | * |D | * ℎ ), therefore, the above attack is very efficient. On the other hand, according to Section , A has been able to get . Hence, the time complexity of the above attack can be reduced to O (|D | * ℎ ).

Replay attack
The attacker resends the 4 to the mobile user, and the mobile user is unable to check the freshness of 4 . A method is: the user constructs the session key and the new message 5 to FA, FA checks the validity of 5 and figures out by using of its secret key.

Mobile user impersonation attack
According to Section , A has been able to get and . A must forge a real login request message so as to impersonate the legitimate mobile user. In fact, A can take the following steps: 1) A chooses a random number * and computes * = ⊕ * .

4)
The adversary A sends the forged message * 1 = { * , * , * } to FA. Obviously, the forged message * 1 easily passes the authentication of FA. And since the forged message * 1 = { * , * , * } is indistinguishable from the real 1 , MU can also pass the authentication of HA. Moreover, the time cost of this attack is only ℎ . Therefore, Madhusudhan et al.'s scheme [25] cannot resist mobile user impersonation attack.

Session key disclosure attack
Suppose that the adversary A can extract the parameters { }} over public channel. Moreover, according to Section , A has been able to get . Then A can figure out the established session key by performing the following steps: Therefore, the adversary can easily get the session key without the private key of HA in Madhusudhan et al.'s scheme [25] .
}} over public channel. According to Section , A has been able to get . In order to impersonate the legitimate foreign agent FA, A must forge a real response message to the mobile user. Accordingly, A can take the following steps:  [25] is vulnerable to foreign agent impersonation attack. A can get the parameters { , , , , , ℎ()} of the smart card and the message ,

Suppose that the adversary
}} over public channel. In order to impersonate the legitimate foreign agent FA, A must forge a real response message to the mobile user. Accordingly, A can take the following steps: ). Accordingly, A gets mod .

Scheme: Xu et al. [21]
Security flaws: Lack of mobile user untraceability; Offline password guessing attack; No perfect forward secrecy; Mobile user impersonation attack
Violated principles: Mobile user anonymity and untraceability [29]; Anti offline password guessing [27]; Perfect forward secrecy [27]; Public key technology [27]

Scheme: Gupta et al. [23]
Security flaws: Offline password guessing attack
Violated principles: Anti offline password guessing [27]

Scheme: Madhusudhan et al. [25]
Security flaws: Lack of mobile user untraceability; Offline password guessing attack; No perfect forward secrecy
Violated principles: Mobile user anonymity and untraceability [29]; Anti offline password guessing [27]; Perfect forward secrecy [27]; Public key technology [27]

3)
A chooses a random number * .  [25] is also vulnerable to foreign agent impersonation attack.

No perfect forward secrecy
In Madhusudhan et al.'s scheme [25], we suppose that A can extract the parameters {  [25] . Accordingly, Madhusudhan et al.'s scheme [25] cannot provide perfect forward secrecy.

THE DESIGN PRINCIPLES OF AUTHENTICATION SCHEME IN GLOMONET
Although a lot of work has been done to study the security flaws of existing protocols, there are relatively few studies that analyze these flaws from the perspective of the protocol design principles for GLOMONET, so the same common mistakes are repeated again and again. In fact, many security flaws of Xu et al.'s [21], Gupta et al.'s [23] and Madhusudhan et al.'s [25] schemes that are pointed out in this paper are caused by violating the basic design principles of authentication schemes in GLOMONET (the details are summarized in Table 2). More generally, many security flaws in existing protocols arise because they violate the following four design principles proposed in this paper (see Table 3). Therefore, the four design principles summarized in this paper provide a reference for researchers to design secure and effective two-factor authentication protocols for GLOMONET.

PKTP: Public key technology principle
Public key technology principle means that a public key cryptosystem (e.g., RSA, ECC and quadratic residue) is used in the proposed authentication scheme. In order to improve the security and efficiency of authentication in global mobility networks, Lee et al. [19] proposed a new authentication protocol. But the protocol only uses private key cryptography primitives (such as hash operation and XOR operation), and it is vulnerable to offline password guessing attack, and it also cannot provide perfect forward secrecy. Moreover, Ma et al. [27] also

PFSP: Perfect forward secrecy principle
Perfect forward security means that previously established session keys remain secure when one or more long-term private keys are leaked. In 2000, Park et al. [48] researched the perfect forward secrecy principle of authentication and key agreement schemes for the first time. In 2014, Ma et al. [27] further pointed out that, for the purpose of achieving perfect forward security, a two-factor authentication and key agreement protocol must satisfy two basic conditions: (1) using public key cryptography; (2) at least two public key cryptography operations are required at the server side. This explains the failure of forward security of Xu et al.'s [21] and Madhusudhan et al.'s [25] schemes.
In order to achieve perfect forward security, authentication protocols can take advantage of the difficulty of factorization of large integers, computational Diffie-Hellman problems on elliptic curves and chaotic maps, and lattice cryptography for compatibility with quantum resistance. Based on the balance between security and practicability, the designer can make a reasonable choice of public key cryptography technology according to the actual application requirements in GLOMONET.

MUAUP: Mobile users anonymity and untraceability principle
In GLOMONET, mobile users anonymity and untraceability is one of the most basic security properties. In actual mobile application scenarios, such as mobile electronic payment and mental health online consultation, mobile users may not want strangers to know their user names and communication traces.
In 2014, Wang et al. [49] proposed the anonymity public key principle for two-factor protocols in the wireless sensor network environment. Based on the work of Halevi et al. [50] and Impagliazzo et al. [51], Wang et al. strictly proved that it is infeasible to use symmetric key technology to realize user anonymity. Moreover, Wang et al. [49] also pointed out that the anonymity principle is universal and can be applied to other mobile application scenarios. Therefore, Xu et al.'s [21] and Madhusudhan et al.'s [25] protocols, which only use symmetric cryptography primitives such as hash function and XOR operation, cannot realize user anonymity and untraceability. Specifically, in Xu et al.'s scheme [21], a fixed parameter is transmitted by the mobile user on the common channel, which allows the adversary to track the mobile user's communication behavior. In Madhusudhan et al.'s scheme [25], the adversary can directly figure out the identity of the mobile user. In the final analysis, the reason these schemes fail to provide anonymity and untraceability is that these parameters are not well protected by public key cryptography.

AOLPGP: Anti offline password guessing principle
Any authentication protocol in GLOMONET should be able to guarantee the security of the password. If the password of a mobile user can be guessed offline in polynomial time, the protocol is vulnerable to offline password guessing attacks. Moreover, in this case, the security of the authentication protocol collapses completely. In Xu et al.'s scheme [21], the adversary can guess the mobile user's password and identity in three ways. Gupta et al.'s scheme [23] suffers from offline password guessing attack in two ways. Madhusudhan et al.'s scheme [25] is also vulnerable to offline password guessing attack.
In order to achieve "local password security update", Xu et al.'s scheme and Madhusudhan et al.'s scheme store password verification parameters in smart cards, which makes offline password guessing convenient; that is, there is a "security vs. usability" balance problem, as proposed by Huang et al. [52]. Fortunately, combining "Fuzzy-Verifiers" technology [33] with "Honeywords" technology in the field of system security, Wang et al. [26] successfully solved the problems left over in [52], achieved a better balance of "security vs. usability", and achieved security beyond the traditional upper limit.
We can observe that Gupta et al.'s scheme uses "Fuzzy-Verifiers" technology [33] and "Honeywords" technology to provide local password verification; however, the parameters 3 , 5 are constructed improperly in public channel, so that the adversary can use them to perform offline guessing attacks. In addition to offline guessing attacks, there are online guessing attacks. However, an online guessing attack is easy to detect, and can also be dealt with by limiting the number of wrong online logins.
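The trade-off described in this section, as an added example (not code from the paper or from any of the analysed schemes): a card that stores the exact value h(ID || PW || r) lets extracted card data single out the password from a dictionary, while a simplified fuzzy verifier (the same hash reduced modulo a small n0) leaves many consistent candidates that can only be separated online, where the HA limits wrong logins. The identity, salt, dictionary, n0 = 256, the lockout threshold of 10 and the HomeAgent model are constructed assumptions.

```python
"""Added example: exact vs. fuzzy password verifier stored on a smart card."""
import hashlib
import hmac

N0 = 256        # fuzzy-verifier modulus (assumed value)
LOCKOUT = 10    # wrong online logins tolerated by the HA (assumed value)

# Constructed data: one user, one card salt, a 20,000-word dictionary.
IDENTITY = b"alice@home-agent.example"
SALT = b"card-random-r"
PASSWORD = b"pw13579"
DICTIONARY = [b"pw%05d" % i for i in range(20000)]


def h(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(digest.digest(), "big")


def card_value(identity, password, salt, n0=None):
    """Verifier written to the card: h(ID || PW || r), optionally mod n0."""
    value = h(identity, password, salt)
    return value if n0 is None else value % n0


def consistent_passwords(stored, identity, salt, dictionary, n0=None):
    """Dictionary entries that reproduce the stored verifier, i.e. what the
    card contents alone reveal about the password, with no contact to the HA."""
    return [pw for pw in dictionary
            if card_value(identity, pw, salt, n0) == stored]


class HomeAgent:
    """Stand-in for the HA's server-side check with a wrong-login limit."""

    def __init__(self, real_password: bytes):
        self._real = real_password
        self.failures = 0
        self.locked = False

    def login(self, password: bytes) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(password, self._real):
            return True
        self.failures += 1
        self.locked = self.failures >= LOCKOUT
        return False


def confirmed_online(candidates, agent):
    """Candidate accepted by the HA, or None once the account is locked."""
    for pw in candidates:
        if agent.login(pw):
            return pw
        if agent.locked:
            return None
    return None


if __name__ == "__main__":
    exact = card_value(IDENTITY, PASSWORD, SALT)
    fuzzy = card_value(IDENTITY, PASSWORD, SALT, N0)
    left_exact = consistent_passwords(exact, IDENTITY, SALT, DICTIONARY)
    left_fuzzy = consistent_passwords(fuzzy, IDENTITY, SALT, DICTIONARY, N0)
    print("exact verifier leaves", len(left_exact), "candidate(s)")
    print("fuzzy verifier leaves", len(left_fuzzy), "candidate(s)")
    agent = HomeAgent(PASSWORD)
    print("confirmed online:", confirmed_online(left_fuzzy, agent),
          "| account locked:", agent.locked)
```

The fuzzy verifier still rejects a mistyped password locally with probability about 1 - 1/n0, which is the typo detection the scheme wants to keep.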

CONCLUSION
This paper analyzes the security of three representative anonymous authentication protocols in the GLOMONET environment, highlights some serious security threats against these protocols, and gives the specific attack methods that attackers may take, which will provide a better reference for the analysis and design of such protocols in GLOMONET. Specifically, this paper first points out that Xu et al.'s scheme [21] is vulnerable to three kinds of offline password guessing attacks and suffers from mobile user impersonation attack. Moreover, Xu et al.'s scheme [21] also cannot achieve perfect forward secrecy and user anonymity and untraceability. Next, it shows that Gupta et al.'s scheme [23] cannot resist two kinds of offline password guessing attacks and session-specific temporary information attack. Then, it is pointed out that Madhusudhan et al.'s scheme [25] is vulnerable to offline password guessing attacks, replay attack, mobile user impersonation attack, session key disclosure attack and two kinds of foreign agent impersonation attack, and cannot achieve mobile user anonymity and perfect forward secrecy.
It is pointed out that the above protocols [21,23,25] fail to resist offline password guessing attack and to achieve anonymity and forward secrecy because they violate four basic principles of two-factor authentication protocol design: public key cryptography technology principle, perfect forward security principle, user anonymity & untraceability principle and anti offline password guessing principle. According to the basic design principles of authentication schemes, designing efficient, usable and secure anonymous two-factor authentication protocols for roaming service in GLOMONET is worth studying in the next step.