Slide 1

Slide 1 text

Jing Xu, Wen-Tao Zhu, Deng-Guo Feng 01/07/2011 S.-C. Chen, S.-H. Yang, T.-C. Li [at] CSIE, NTNU 1

Slide 2

Slide 2 text

• Introduction
  » Mobile network authentication
• Review of Lee et al.’s
  » Weaknesses and attacks
• New proposed protocol
  » Security analysis
  » Performance analysis
• Conclusion

Slide 3

Slide 3 text


Slide 4

Slide 4 text

• Radio interface and open access to wireless services are two major areas where wireless networks do not provide the same level of protection as wired ones.
• Typical mobile network authentication approach:
  » Mobile Node (MN) roams to a network managed by a Foreign Agent (FA).
  » MN performs authentication with the FA, under the assistance of his Home Agent (HA).
  » After successful authentication, FA and HA share a symmetric key (session key).

Slide 5

Slide 5 text

• In 2004, Zhu and Ma proposed a wireless security protocol based on the smart card.
• In 2006, Lee and Hwang pointed out that it is subject to the forgery attack, and proposed a slightly modified version.
• Now, Xu et al. show that both are vulnerable to the insider attack, and propose a new protocol.
  » The above weaknesses are eliminated, while the efficiency is not sacrificed.

Slide 6

Slide 6 text

Password of a mobile user X
Time stamp by an entity X
Certificate of an entity X
Identity of an entity X
ℎ ∙ An appropriate one-way hash function
‖ String concatenation
⊕ The XOR operation
· Symmetric encryption of a message using key K
−1 · Symmetric decryption of a message using key K
· Asymmetric encryption of a message using X’s public key
· Asymmetric decryption of a message using X’s private key
ℎ · Signature of a message using X’s private key

Slide 7

Slide 7 text


Slide 8

Slide 8 text

• Lee and Hwang’s scheme is claimed to be a security enhancement on Zhu and Ma’s protocol.
• Lee et al.’s protocol consists of three phases:
  » Phase 1, the HA securely issues a password and a smart card to MN.
  » Phase 2, mutual authentication between MN and FA, is performed under the assistance of HA.
  » Phase 3, MN renews his session key with FA.

Slide 9

Slide 9 text

• MN registers with his HA.
  » MN submits his identity to HA.
• HA already holds a large random number , which serves as the secret key.
  » HA computes ≜ ℎ ∥ and ≜ ℎ ∥ ⊕ ⊕ ⊕
  » HA issues MN’s password and a smart card, which contains , , ℎ ·

Slide 10

Slide 10 text

• FA authenticates MN under the assistance of HA, and issues a temporary certificate to MN.
• In Lee and Hwang’s scheme, this phase is completed by five steps.
• Step 1 (MN):
  » User inputs his and to his smart card, which computes ≜ ⊕ and ≜ ℎ ⊕ , then does an encryption 1 ≜ ℎ ∥ 0 ∥ . Here 0 and are secret random numbers.
  » MN sends to FA a Msg-1: , , 1 , .

Slide 11

Slide 11 text

• Step 2 (FA):
  » FA receives Msg-1: , , 1 , , and checks if is valid.
  » FA generates a secret random number , and computes a signature 1 ≜ ℎ , , 1 , , .
  » FA sends to HA a Msg-2: , , 1 , , 1 , , .

Slide 12

Slide 12 text

• Step 3 (HA):
  » HA receives Msg-2: , , 1 , , 1 , , , and checks if and are both valid.
  » HA computes = ℎ ∥ ⊕ ⊕ , and = ℎ ⊕ ℎ ∥ , then does a decryption ℎ ∥ 0 ∥ = −1 1 .
  » HA hashes the afore-computed , and compares this ℎ to the one recovered from 1 . If they match, HA believes MN is authenticated.
  » HA does an encryption 2 ≜ ℎ ∥ ∥ 0 ∥ , and computes a signature 2 ≜ ℎ , , 2 ,
  » HA sends FA a Msg-3: , 2 , 2 , , .

Slide 13

Slide 13 text

• Step 4 (FA):
  » FA receives Msg-3: , 2 , 2 , , , and checks if and are both valid.
  » FA does a decryption ℎ ∥ ∥ 0 ∥ = 2 , then computes session key ≜ ℎ ∥ ⊕ 0 , and does an encryption 3 ≜ ∥ ℎ 0 ∥ .
  » FA sends 3 to MN.

Slide 14

Slide 14 text

• Step 5 (MN):
  » MN receives 3 .
  » MN computes the session key = ℎ ∥ ⊕ 0 , then does a decryption ∥ ℎ 0 ∥ = −1 3 .
  » MN computes ℎ 0 ∥ , and compares it to the one recovered by decrypting 3 . If they match, MN believes FA is authenticated.

Slide 15

Slide 15 text

• In this phase, HA is no longer involved.
• Periodically, MN updates the session key, from to a future +1 .
  » MN randomly chooses , and sends to FA both and ∥ .
  » FA checks if the received is valid.
  » FA does a decryption ∥ = −1 ∥ , and checks if this matches the received one.
  » Both MN and FA compute the new session key, which would be +1 ≜ ℎ ∥ ⊕ .

Slide 16

Slide 16 text


Slide 17

Slide 17 text

• Xu et al. show that Lee and Hwang’s improved scheme still has several serious deficiencies:
  1. Lack of user anonymity (suffers insider attack).
  2. Unfair key agreement.
  3. Inapplicable security design.
• The original scheme by Zhu and Ma is also affected similarly.

Slide 18

Slide 18 text

• It is very important to assure user anonymity, so that the user’s real identity can only be recognized by his home agent (HA).
• Consider a legitimate but malicious user MNα registered with the HA, which is also the home agent of many other mobile users, like an innocent MNi .
• Disclosure of MNi ’s identity , may allow tracking of MNi ’s behavior, such as the moving history and current position.

Slide 19

Slide 19 text

• In phase 2, the mutual authentication between MNi and FA:
  » MNα eavesdrops on the Msg-1 sent by MNi over the air, where ≜ ⊕ = ℎ ∥ ⊕ ⊕ .
  » MNα holds ≜ ⊕ = ℎ ∥ ⊕ ⊕ .
  » MNα reveals by = ⊕ ⊕ .
• Essentially, MNα can reveal the identity of any other MN registered with the same HA.
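The XOR cancellation behind this identity leak, as an added example (not from the slides or from Xu et al.'s paper). The names N, ID, PW, r and n are assumptions filled in for the operands this transcript dropped, SHA-1 stands in for h as the slides suggest, and the identities are constructed sample values.

```python
import hashlib
import secrets

HLEN = 20  # 160 bits: the slides name SHA-1 as the usual choice for h

def h(*parts: bytes) -> bytes:
    """h(a || b || ...), instantiated with SHA-1."""
    return hashlib.sha1(b"".join(parts)).digest()

def xor(*vals: bytes) -> bytes:
    """XOR any number of 160-bit strings."""
    out = bytes(HLEN)
    for v in vals:
        if len(v) != HLEN:
            raise ValueError("operand is not 160 bits")
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def encode_id(name: str) -> bytes:
    """Pad an identity to 160 bits so it can be XORed with a hash (assumption)."""
    return name.encode().ljust(HLEN, b"\0")

class HomeAgent:
    """Phase 1 of the Lee et al. scheme as the slides describe it."""
    def __init__(self, name: str):
        self.id = encode_id(name)
        self.N = secrets.token_bytes(32)       # HA's large random secret

    def register(self, id_mn: bytes):
        pw = h(self.N, id_mn)                  # PW = h(N || ID_MN)
        r = xor(h(self.N, self.id), pw, self.id, id_mn)
        return pw, r                           # issued to MN with the smart card

def msg1_n(pw: bytes, r: bytes) -> bytes:
    """Sent in Msg-1: n = r XOR PW = h(N || ID_HA) XOR ID_HA XOR ID_MN."""
    return xor(r, pw)

def recover_identity(n_seen: bytes, n_own: bytes, id_own: bytes) -> bytes:
    """Insider's computation: the HA-wide mask cancels, N is never needed."""
    return xor(n_seen, n_own, id_own)

def mask_is_user_independent(pairs) -> bool:
    """Design-review check: is n XOR ID_MN identical for every enrolled user?"""
    return len({xor(n, id_mn) for n, id_mn in pairs}) == 1

def demo():
    ha = HomeAgent("HA-example")               # constructed sample identities
    id_i, id_a = encode_id("MN-i"), encode_id("MN-alpha")
    n_i = msg1_n(*ha.register(id_i))           # value overheard in MN_i's Msg-1
    n_a = msg1_n(*ha.register(id_a))           # insider's own value
    leaked = recover_identity(n_i, n_a, id_a)
    return leaked == id_i, mask_is_user_independent([(n_i, id_i), (n_a, id_a)])

if __name__ == "__main__":
    print(demo())
```

The second result is the property to look for when reviewing a scheme of this kind: if the value hiding the identity is the identity XORed with a mask that is the same for every user of one HA, any enrolled user can strip it.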

Slide 20

Slide 20 text


Slide 21

Slide 21 text


Slide 22

Slide 22 text

• A fair key agreement protocol is one in which the agreed key contains some contribution from each participant, so that nobody has an unfair advantage in controlling the session key.
• MN can always choose 0 ∗ ≜ ℎ ∥ ⊕ ∗, where ∗ is the key designated by MN alone.
• The shared session key computed by FA, according to ≜ ℎ ∥ ⊕ 0 , is always MN’s pre-determined ∗.
• The key renewal is not a fair protocol, either. As +1 ≜ ℎ ∥ ⊕ , MN can deliberately choose , such that +1 is still exactly of his preference.

Slide 23

Slide 23 text


Slide 24

Slide 24 text


Slide 25

Slide 25 text

• In both Zhu et al.’s and Lee et al.’s designs, an MN cannot freely choose his own password, or change it for the sake of security:
  » Typically, ℎ · is instantiated with the 160-bit SHA-1.
    • In phase 1, ≜ ℎ ∥ , so a user has to bear in mind such a 160-bit password.
  » As ≜ ℎ ∥ , HA cannot update , unless the server key is updated.
    • However, updating will immediately affect all users.

Slide 26

Slide 26 text


Slide 27

Slide 27 text

• The weaknesses of Lee et al.’s protocol are rooted in a static binding between and in Msg-1.
• The new design also employs a user password and a smart card.
• Xu et al.’s design also has three phases:
  » Phase 1, MN freely chooses his password, and HA issues a smart card, based on Diffie-Hellman.
  » Phase 2, mutual authentication between MN and FA, is performed under the assistance of HA.
  » Phase 3, MN renews his session key with FA.

Slide 28

Slide 28 text

• Based on Diffie-Hellman, the arithmetic involved:
  » A multiplicative group of order , where = 2 + 1. and are both large prime numbers.
• HA chooses the public parameters (thus ) and , and selects a private key , then computes ≜ mod.
• When MN registers with his HA, he submits his freely chosen and .
• HA computes ≜ ℎ ∥ with its server secret key .
• HA issues a smart card, where , , , and ℎ · are stored.

Slide 29

Slide 29 text

• Different from Lee and Hwang’s scheme, it does not employ asymmetric encryptions between HA and FA.
• Instead, HA pre-shares a distinct symmetric key with each FA.
• This scheme has 5 steps to complete phase 2.

Slide 30

Slide 30 text

• Step 1 (MN):
  » User inputs and to his smart card; the device chooses two secret random numbers and , and then computes ≜ mod, ≜ ℎ mod , ≜ ℎ ⊕ , ≜ ∥ , and does an encryption ≜ ∥ .
  » Note that is the user’s ephemeral public key, and ≜ ℎ mod is the (hashed) Diffie-Hellman key. Both keys can be pre-computed off-line.
  » MN sends to FA a Msg-1: , , , , .

Slide 31

Slide 31 text

• Step 2 (FA):
  » FA receives Msg-1: , , , , , and checks if is valid.
  » FA randomly chooses , then computes ≜ ∥ ∥ ∥ ∥ .
  » FA sends to HA a Msg-2: , .

Slide 32

Slide 32 text

• Step 3 (HA):
  » HA receives Msg-2: , , and then does a decryption ∥ ∥ ∥ ∥ = −1 .
  » HA checks if the recovered is valid, then computes = ℎ mod , and ∥ = −1 .
  » HA checks if is valid, computes ℎ ∥ = −1 , = ℎ ⊕ , and ∥ = −1 .
  » HA checks if from and matches; if so, HA believes MN is legally enrolled.
  » HA computes ≜ ∥ and ≜ ∥ ∥ .
  » HA sends to FA a Msg-3: , .

Slide 33

Slide 33 text

• Step 4 (FA):
  » FA receives Msg-3: , , and does a decryption ∥ = −1 .
  » FA checks if the recovered equals its original choice; if so, FA believes MN is an authorized user.
  » FA forwards to MN.

Slide 34

Slide 34 text

• Step 5 (MN):
  » MN receives , then does a decryption ∥ ∥ = −1 .
  » MN checks if equals its original choice, and if is the identifier of the intended FA; if so, MN believes FA is authenticated.
  » Both MN and FA can compute the agreed session key by ≜ ⊕ .

Slide 35

Slide 35 text

• Updated by +1 = ℎ ∥ .
• Such a concise renewal protocol does not involve the exchange of any secret messages, and is particularly preferable for a wireless environment.
• Since MNs are likely to be energy-constrained devices, this renewal favorably lowers the communication costs for both MN and FA.
• This scheme allows MN to “hibernate”; once MN “wakes up”, it applies ℎ · to its last saved key.
• It features self-healing.

Slide 36

Slide 36 text


Slide 37

Slide 37 text

• An attacker α may intercept, insert, delete, or modify any message.
• α may also:
  1. Obtain a user’s password
  2. Steal a user’s smart card, and extract all information from it
• Obviously, if a user’s password and smart card are both stolen, there is no way to prevent the attacker.

Slide 38

Slide 38 text

• Can be viewed from two aspects:
  1. is hidden in ≜ ℎ ∥ . As only HA knows the secret key , even if MN’s is revealed by an attacker α, from a stolen smart card, α still cannot decrypt .
  2. is also hidden in ≜ ∥ . Even if α can obtain the , he still cannot acquire the decryption key ≜ ℎ ⊕ , because the Diffie-Hellman problem prevents α from inferring ≜ ℎ mod from ≜ mod. (This happens when α is an insider MNα ).

Slide 39

Slide 39 text


Slide 40

Slide 40 text

• MN and FA agree on ≜ ⊕ , a session key containing equal contributions from both parties.
• Consider the case where HA wants to pre-determine :
  1. MN randomly chooses his contribution , embeds it in , and sends a Msg-1 to FA.
  2. FA receives Msg-1, and chooses his , and sends a Msg-2 to HA.
  3. HA receives Msg-1, and recovers from , and sends a Msg-3 to FA.

Slide 41

Slide 41 text

• Up to now nothing seems unusual, but the fact is that HA has already revealed to FA.
  i. FA receives Msg-3, and obtains . Instead of forwarding to MN, the tricky FA chooses another ∗ = ⊕ ∗. Then FA sends a Msg-2 to HA, and the genuine is discarded.
  ii. HA receives Msg-2, and innocently sends to FA a Msg-3’, where ∗ instead of is embedded.
  4. FA receives Msg-3’, and obtains as in Msg-3, and forwards ′ to HA, who is blind to the trick.
  5. On receiving ′, both MN and FA “agree” on ∗ = ∗ ⊕ , which is determined by FA alone.

Slide 42

Slide 42 text

• To prevent such a tricky FA, phase 2 of the protocol requires that , sent from MN, should also be forwarded to HA (embedded in ).
  » HA can check both and to determine whether the received Msg-2 is a fresh one.
  » One may argue that, since FA may manipulate before generating for HA, FA can also alter before embedding it into .
  » Recall that, when MN generates , he also embeds in it, so that only HA can recover with the Diffie-Hellman key .

Slide 43

Slide 43 text


Slide 44

Slide 44 text

• The user can freely choose and update his password.
• When MN wants to update his password from to ′, he presents his smart card at the registry, which computes and submits ℎ ′ to HA.
• After validating that MN is legally enrolled, HA replaces the original in MN’s smart card with ′ = ℎ ′ ∥ .

Slide 45

Slide 45 text

• Consider the following scenario:
  1. HA authenticates MN according to and . Since ≜ ∥ , α cannot forge it without . On the other hand, ≜ ∥ is protected by ≜ ℎ ⊕ , so α cannot forge without .
    • That is, α is blind to either or .
  2. α cannot impersonate HA, because in Msg-3, is protected by , and verified with ; is protected by and verified with .
    • Thus, Msg-3 is immune to replay attacks.

Slide 46

Slide 46 text

Primitives                  Party  Xu et al.’s  Zhu et al.’s  Lee et al.’s
Modular exponentiation      MN     2 Pre        N/A           N/A
                            FA     N/A          N/A           N/A
                            HA     1            N/A           N/A
Hash operation ·            MN     1            1             1+1 Pre
                            FA     N/A          N/A           N/A
                            HA     N/A          3             3
Symmetric encryption ·      MN     2            1             1
                            FA     1            1             1
                            HA     2            N/A           N/A
Symmetric decryption − ·    MN     1            1             1
                            FA     1            N/A           N/A
                            HA     4            1             1
Asymmetric encryption ·     MN     N/A          N/A           N/A
                            FA     N/A          1             1
                            HA     N/A          2             2
Asymmetric decryption ·     MN     N/A          N/A           N/A
                            FA     N/A          2             2
                            HA     N/A          1             1

Slide 47

Slide 47 text


Slide 48

Slide 48 text

• Zhu et al. present a new mutual authentication and key agreement protocol, featuring:
  1. User identity anonymity
  2. Fair shared key agreement
  3. User friendliness
  4. Cost-efficient for a mobile node