Cryptanalysis of some improved password-authenticated key exchange schemes

Computer Communications 29 (2006) 2822–2829 www.elsevier.com/locate/comcom

Cryptanalysis of some improved password-authenticated key exchange schemes Raphael C.-W. Phan a

a,*

, Bok-Min Goi

b,1

, Kah-Hoong Wong

b

Information Security Research (iSECURES) Lab, Swinburne University of Technology (Sarawak Campus), 93576 Kuching, Malaysia b Faculty of Engineering, Multimedia University, 63100 Cyberjaya, Malaysia Available online 7 December 2005

Abstract Password-authenticated key exchange (PAKE) protocols allow two parties to share common secret keys in an authentic manner based on a memorizable password. In 1999, a PAKE protocol called simple authenticated key agreement (SAKA) was presented, and since then until 2004, several improved variants were presented to resist known attacks. In this paper, we present attacks on variants proposed by Kim et al. and Ku-Wang that directly cause them to fail in achieving a mutually authenticated secret key between legitimate parties. These results are devastating since achieving this is the basic security criterion that any key exchange should provide. We also show dictionary attacks on the original SAKA and all its variants. These dictionary attacks invalidate the basic security goals of these protocols since a PAKE scheme must be secure against dictionary attacks due to the low entropy of human-memorizable passwords being used.  2005 Elsevier B.V. All rights reserved. Keywords: Password-authenticated key exchange; Security protocols; Cryptanalysis; Replay attacks

1. Introduction The next generation internet, known as IPv6 (or IPng – Internet Protocol next generation) has a corresponding IPsec standard [14,29] that performs encryption and authentication protection on the IP layer. Although IPsec is optional for the current internet (IPv4), it is mandatory for next generation internet (IPv6). The IPsec architecture [15] specifies several components for ensuring security, including the authentication header (AH), encapsulating security payload (ESP), and a set of key exchange protocols known as internet key exchange (IKE) [16]. The AH and ESP protocols require keys for setting up authentication and an encrypted channel between two parties, and this exchanging of shared secret keys between *

Corresponding author. Tel.: +60 82 416 353; fax: +60 82 423 594. E-mail addresses: [email protected] (R.C.-W. Phan), [email protected] (B.-M. Goi), [email protected] (K.-H. Wong). 1 Supported by the Malaysia IRPA Grant (04-99-01-00003-EAR). 0140-3664/$ - see front matter  2005 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2005.10.033

them is handled by the IKE protocols. The internet engineering task force (IETF) is currently addressing the security issues in these protocols, and equally important is the work done by security researchers around the world to support this effort. Therefore, the development of key exchange (KE) and authenticated key exchange (AKE) protocols is crucial to the strengthening of the next generation internets security mechanisms. Authenticated key exchange (AKE) protocols allow two parties to share a common secret key for subsequent communication sessions between them. Such schemes are becoming inherently important especially in next-generation internet where seamless and built-in security is one of the criteria for ubiquity and ease of use. Examples include the transport layer security (TLS) [13] which is an extension of the secure sockets layer (SSL) protocol [8] originally developed by Netscape Inc. for securing online internet communications, and the IPsec [14]. The future internet will have inherent security capabilities unlike older versions where security is an option or an extra feature of the web server/browser often disabled by default.

R.C.-W. Phan et al. / Computer Communications 29 (2006) 2822–2829

For practicality, where human users are required to remember secrets without having to write them down on a piece of paper thus calls for AKE schemes to be based on memorizable passwords. These are known as password-authenticated key exchange (PAKE) protocols. The concept of PAKE is due to Bellovin and Merritt in 1992 [3] where they presented some example such protocols including the encrypted key exchange (EKE) protocols. Since then, there have been a variety of PAKEs proposed including [2,6,27,25,18,9,22,26,7,10,12,20]. Designing efficient yet secure key exchange protocols needs extreme care due to stringent security requirements. Over the years, many protocols have been proposed and many have been broken and re-designed time and again. Among others, some recent cryptanalyses of PAKE protocols include [31,27,23,24,1]. The respective protocols are vulnerable to various attacks because security parameters in the respective protocols are not carefully chosen or verified. In this paper, we first provide in Section 2 the security requirements for PAKE schemes and common attacks used in this paper. In Section 3, we give an overview of a PAKE scheme called the simple authenticated key agreement (SAKA) and its variants, as well as their weaknesses. Then, we present our attacks on them in Section 4. Finally, we conclude in Section 5. 2. Preliminaries

2823

2.2. Some common attacks The following are some of the attacks [5,28] that are relevant to this paper: Replay attacks. The attacker records the messages from a protocol run and re-sends them in a new or the same protocol run. Reflection attacks. The attacker intercepts the messages from the sender and sends them back to the sender in the proper sequence. This attack exploits the symmetrical pattern of the protocol, namely that both parties send similar messages between them, and may be considered a more complex variant of the replay attack. Modification attacks. The attacker alters the messages sent in the protocol run. Dictionary attacks. Due to the low entropy of the password (since it must be so in order to be human-memorizable), a brute force search for the password is feasible if verifiable ciphertexts are available to the attacker. These attacks can be further subdivided into: • Off-line dictionary attacks: In this attack, a passive attacker eavesdrops on one or more sessions and uses those messages in verifying his password guesses. Such attacks are very hard to trace. • On-line dictionary attacks: In this attack, an active attacker tries to verify his password guesses by impersonating a legitimate party to interact with other parties.

2.1. General requirements for PAKE schemes Most PAKE schemes satisfy the following requirements [28] to achieve its intended objectives. Mutual authentication. This criterion is to ensure that each party knows whom the other party is and to verify that the opposite party is not an im-poster. In PAKE schemes, a pre-agreed memorizable password between two communicating parties is used. Message integrity. This is to make sure that the messages being exchanged have not been altered, or at the very least, alterations can be detected. Normally, a one-way hash function is used to achieve this. Key confirmation. This is important to verify that both communicating parties share the same key for future cryptographic use. Key confirmation is also a way to detect errors in the previous messages that contribute to the realization of the session key. Perfect forward secrecy. The underlying technique in most PAKE schemes is the Diffie-Hellman key exchange protocol. Therefore, most PAKE schemes provide perfect forward secrecy: the compromise of long term private keys would not affect the security of previous session keys. Resistance to man-in-the-middle attacks. An man-in-themiddle (MITM) attack is where an attacker places himself between two legitimate parties and can impersonate one or both of them. A security protocol should achieve this criterion else it entirely fails to achieve its standard objective of providing authentication between legitimate parties.

3. Simple authenticated key agreement variants We briefly describe the original simple authenticated key agreement protocol due to Seo and Sweeney [35], as well other improved variants of this [36,21,19,33]. For compactness of description, we depict the Seo– Sweeney protocol in Fig. 1. For convenience, we stick to the same notations used in [35,36,21,19,33]; the public known system parameter are n and g, where n is a large prime (such that p1 is also a prime) and g is a 2 generator of the multiplicative group, Z n of order (n  1). Also, unless otherwise specified, all arithmetic operations are performed under Z n . Both communication parties, Alice, A (the initiator) and Bob, B have a common pre-shared human-memorable password, P. By using a pre-agreed special function (could be public known), they can compute an integer Q from P before running the authenticated key agreement protocol. Note that Q must have its multiplicative inverse, Q1 in mod (n  1). H (Æ) and kdf denote a standard oneway hash function and a pre-agreed key derivation function, respectively. Tseng [36] showed that the Seo–Sweeney protocol falls to a simple replay attack where an attacker just needs to replay the message Key Q1 mod n sent by Alice intended for Bob, back to Alice as a reply message Key Q2 mod n from Bob. This would cause Alice to correctly verify that his

2824

R.C.-W. Phan et al. / Computer Communications 29 (2006) 2822–2829

Fig. 1. Seo–Sweeney simplified authenticated key agreement (SAKA) protocol.

key, Key1 is the same as Bobs key, Key2 when in fact it was not Bob but the attacker who responded to him. Note that by replaying Alices messages back to Alice (in this case, the attacker is reflecting them back to where they came from), the attacker is exploiting Alice as an oracle to generate answers (messages) for its own challenge queries. Such reflection attacks are extremely devastating since they do not even require the attacker to do any massive computations that are required in other types of attacks such as dictionary attacks. These attacks are thus very easy to mount. To overcome this problem, Tseng modified the protocol namely the last two messages communicated for key verification, as shown in Fig. 2. Nevertheless, Tsengs variant is also insecure. Ku and Wang [21] showed that Tsengs variant can be attacked where an attacker replays the message X1 sent from Alice to Bob as Bobs supposed reply Y1 back to Alice. Having 1 1 received this, Alice then computes Y ¼ Y Q1 ¼ X Q1 ¼ a a a2 g mod n and thus Key 1 ¼ Y ¼ g mod n. This incorrect Y is sent by Alice to Bob for verification, and immedi-

ately the attacker replays this Y as Bobs response X to Alice. Since Y1 = X1, and thus Y = X, Alice would correctly verify that Y = X = ga mod n and be convinced that it is sharing the correct key with Bob, when in fact Bob is not present at all. Observe that this is also a reflection attack. Ku and Wang proposed to modify Tsengs variant by changing the symmetric structure (either party doing and sending similar messages) to a non-symmetric one, as illustrated in Fig. 3. Recently at ICCSA 2004, Kim et al. [19] and Ryu et al. [33] presented two other variants of the SAKA protocols. Kim et al. modified Tsengs variant such that Bobs reply messages are sent at one go whereas Ryu et al. [33] claimed that their new protocol is not only secure to the dictionary attacks but also can provide several attractive security features. Both of them are shown in Figs. 4 and 5, respectively. 4. Attacks on the SAKA protocols 4.1. Attacks on the Kim et al. variant We show two attacks on the Kim et al. variant of the SAKA protocol. Our attacks are based on the fact that an attacker can exploit Alice or Bob as an oracle to do Q1 the computation ðÞ on any message that it receives. In more detail, note from Fig. 4 that Bob will always reply 1 X ¼ X Q1 to any X1 that it receives, regardless of what X1 may be. We exploit this in Attack 1. In the case 1of Alice, it is a bit harder since she responds with Y ¼ Y Q1 to any Y1 only1 when the other party correctly replies with a X ¼ X Q1 to Alices challenge X1. Nevertheless, this can still be done by using Alice to answer her own challenges, as we highlight in Attack 2.

Fig. 2. Tsengs variant.

4.1.1. Attack 1: on Bobs security In our first attack, we exploit Bob as an oracle. Due to the nature of the Kim et al. variant, we have observed

R.C.-W. Phan et al. / Computer Communications 29 (2006) 2822–2829

2825

Fig. 3. Ku-Wang variant.

obtain X 0 = Y. (We precede all the corresponding communicated messages in the new session with the single quote 0 .) Consequently, E (A) possesses the desired Y and continues the previous/first session by sending this to Bob. Upon receiving Y, Bob is convinced that he shares the same key with Alice when in fact Alice is not present at all. E (A) is therefore able to impersonate Alice to Bob.

Fig. 4. Kim et al. variant.

that any message that Bob received at the beginning of Q1 the protocol will always be responded with ðÞ . Therefore, an attacker can send message Y1 to Bob and obtain Y in return, as shown in Fig. 6. Note that Y1 is the message protected with password while Y is the decrypted version of it. We show that an attacker, E (A) by impersonating Alice is able to convince Bob that the new session key generated, Key2 is valid with this exploitation. More precisely (see Fig. 7), the attacker first randomly selects a value X1 and sends it to Bob. In response, Bob will1reply with X and the challenge Y1, where X ¼ X Q1 mod n and Y1 = gbQ mod n, respectively. Without the knowledge of Q, E (A) definitely cannot compute Y with Y1. However, because of the exploitable oracle property of the Kim et al. protocol as mentioned above, E (A) can exploit Bob to do it for him unintentionally; viz., he just replays Y1 to Bob as the first message, X 01 in a new protocol run to

4.1.2. Attack 2: on Alices security Our second attack is a type of replay attack often called the reflection attack since we are replaying whatever messages from Alice back to Alice, therefore using her as an oracle to answer her own challenge queries. X1, X, Y1, Y denote messages sent in one protocol session initiated by Alice while X 01 ; X 0 ; Y 01 ; Y 0 denote messages sent in another session, this time initiated by the Attacker, E (B) who is impersonating Bob. Fig. 8 illustrates the details of attack 2. Note that Alice will only believe it is communicating with Bob if it receives a valid1X obtained by having Bob Q perform the computation ðÞ on the challenge X1 sent by Alice. However, besides Bob, Alice also has the capability to do this computation, so the attacker simply replays X1 back to Alice as a new message X 01 , seemingly pretending to be Bob and initiating a new (second) protocol ses1 sion with Alice. Now, Alice has to do the ðÞQ on the challenge X [and return the answer X 0 to Bob so that the second session can proceed. Unfortunately, this is also X that the attacker needs to answer Alices challenge query. Q1 Thus, the attacker has used Alice to do the ðÞ computation for him. Alice now believes that she is communicating with Bob, and the rest of the attack proceeds. Throughout the attack, the attacker is simply replaying valid messages generated by Alice back to herself. In the end, Alice is tricked into thinking that she has established not only one but two secret keys with Bob, when in fact Bob is not present at all.

2826

R.C.-W. Phan et al. / Computer Communications 29 (2006) 2822–2829

Fig. 5. Ryu et al. variant.

Fig. 6. Exploiting Bob as an oracle.

4.2. Attacks on the Ku-Wang variant 4.2.1. Attack 1 Our attack here highlights the importance of the order in which messages are sent. If X is sent without first verifying Key2 (as apparent in Fig. 3),21then the attacker can use Bob as an oracle to compute ðÞQ . Thus, when an attacker supplies the message X 01 ¼ Y 2 ¼ Key Q1 mod n, then Bob Q1

Q1

would return the value X 0 ¼ ðX 01 Þ ¼ ðY 2 Þ ¼ Key 1 and a session key would be disclosed!

¼ Key QQ 1

1

4.2.2. Attack 2 Our second attack considers the case where if an old a is disclosed (and there is no reason why it should not be since it is ephemeral and temporary and never reused but is only required for that old session). It also exploits the fact that what is required of Alice is that upon receipt of Y1 from

2 Actually, it appears no reason why not since an attacker would not be able to obtain the key from X anyway.

Fig. 7. Attack 1: on Bobs security.

Bob, then Alice should return Y 2 ¼ Y a1 mod n, i.e., Alice just needs to be able to do a (Æ)a mod n computation. An attacker impersonates Alice and replays the old 0 X1 = gaQ mod n to Bob, who then returns Y 01 ¼ gb Q mod n 0Q1 0 a and computes X ¼ X 1 mod n ¼ g mod n and Key 2 ¼ 0 0 X 0b mod n ¼ gab mod n. The attacker now simply computes Y 02 ¼ Y 0a 1 mod n ¼ b0 Qa g mod n and returns this to Bob. This would be correctly 0 Q1 verified since ðY 02 Þ mod n ¼ gab mod n ¼ Key 2 . Bob is convinced that Alice is now sharing a session key with him, when Alice is not present at all.

R.C.-W. Phan et al. / Computer Communications 29 (2006) 2822–2829

2827

Fig. 8. Attack 2: on Alices security.

4.3. Dictionary attacks In this subsection, we show that the Tseng, Ku-Wang, and Kim et al. variants of the SAKA protocol fall to offline dictionary attacks. Surprisingly, the original SAKA protocol proposed by Seo and Sweeney is resistant against such attacks. This calls to question the caution in ‘‘improving’’ protocols, that it is not always the newer version will be secure against attacks. However, unfortunately, we show that the original SAKA protocol and Ryu et al. protocol are still vulnerable under online dictionary attacks (for stronger security notion). 4.3.1. Off-line dictionary attacks In the Tseng, Ku-Wang, and Kim et al. protocols, 1 1 the pair ðX 1 ; X ¼ X Q1 mod nÞ or ðY 1 ; Y ¼ Y Q1 mod nÞ is available in the clear. Since X1 and X (similarly Y1 and Y) are related only by Ql which is a function of the password shared between Alice and Bob, an attacker can therefore guess all possible values of the pass1 word, compute it Ql and verify if X ¼ X Q1 mod n. Since all variants are password-based AKEs, the existence of dictionary attacks invalidates their security goal.

4.3.2. On-line dictionary attacks We show how on-line dictionary attacks can be applied on the original SAKA protocol in Fig. 9. If the attacker guesses 1 the password correctly, where Q 0 = Q, then 1 Q bQ0 Q b Y ¼ Y 1 ¼ ðg Þ ¼ g mod n. Therefore, the value of Key Q1 mod n sent by Alice is equivalent to gabQ. We notice that X1 = gaQ mod n, thus, the attacker with just needs to verify if X b1 ¼ Key Q1 mod n. Fig. 10 shows the on-line dictionary attack on the Ryu et al. protocol. If correct password was guessed by the attacker, SBA = (X  Q)b = (ga + Q 0  Q)b = gab mod n. Hence, SBA computed by Bob equals to SAB = Ya = gab mod n, by the attacker. He can easily verify this by checking H (idA, X, SAB) = VB. 5. Concluding remarks We have shown devastating attacks on not only the original SAKA protocol due to Seo and Sweeney, but also on four ‘‘improved variants’’ proposed by Tseng, Ku-Wang, Kim et al., and Ryu et al. Our attacks invalidate the security goals of these protocols because they show the protocols are not able to mutually authenticate the keys exchanged between legitimate parties, and also that they are insecure against dictionary attacks. Our

2828

R.C.-W. Phan et al. / Computer Communications 29 (2006) 2822–2829

Fig. 9. On-line dictionary attack on the original SAKA protocol.

Fig. 10. On-line dictionary attacks on the Ryu et al. variant.

work highlights the danger in relying too much on new variants, and that ‘‘improved’’ variants may not be more secure than their predecessors. We hope that this our work will contribute to the standardization process of the next generation internet (IPv6)s security mechanisms currently being addressed by the IETF. It would be interesting to come up with a PAKE protocol specially suited for the IPv6s computing and communications requirements but that does not compromise on security, i.e., it meets all the criteria for security mentioned in Section 2. However, we caution that even meeting those criteria may not exhaustively mean resistance against any attacks, because the mind of an attacker is far from predictable, and the ways he will use to break into a system are often very subtle.

References [1] F. Bao. Security analysis of a password authenticated key exchange protocol, in: Proc. ISC 2003, Lecture Notes in Computer Science, vol. 2851, 2000, pp. 208–217. [2] M. Bellare, D. Pointcheval, P. Rogaway. Authenticated key exchange secure against dictionary attacks, in: Proc. Eurocrypt 2000, Lecture Notes in Computer Science, vol. 1807, 2000, pp. 139–155. [3] S.M. Bellovin, M. Merritt. Encrypted key exchange: password-based protocols secure against dictionary attacks, in: Proc. IEEE Symposium on Security and Privacy, 1992, pp. 72–84. [5] C. Boyd, A. Mathuria, Protocols for Authentication and Key Establishment, Springer-Verlag, 2003. [6] V. Boyko, P. MacKenzie, S. Patel. Provably secure passwordauthenticated key exchange using Diffie-Hellman, in: Proc. Eurocrypt 2000, Lecture Notes in Computer Science, vol. 1807, 2000, pp. 156– 171.

R.C.-W. Phan et al. / Computer Communications 29 (2006) 2822–2829 [7] E. Bresson, O. Chevassut, D. Pointcheval. Group Diffie-Hellman key exchange secure against dictionary attacks, in: Proc. Asiacrypt 2002, Lecture Notes in Computer Science, vol. 2501, 2002, pp. 497–514. [8] A. Frier, P. Karlton, P. Kocher. The SSL 3.0 Protocol. Netscape Communications Corp., 1996. . [9] O. Goldreich, Y. Lindell. Session-key generation using human passwords only, in: Proc. Crypto 2001, Lecture Notes in Computer Science, vol. 2139, 2001, pp. 408–432. [10] R. Goldreich, Y. Lindell. A framework for password-based authenticated key exchange, in: Proc. Eurocrypt 2003, Lecture Notes in Computer Science, vol. 2656, 2003, pp. 524–543. Full paper available from: . [12] IEEE P1363.2. Standard Specifications for Password-based Public Key Cryptographic Techniques. Draft version 11, August 12, 2003. [13] IETF (Internet Engineering Task Force) Transport Layer Security (tls) Charter. . [14] IETF (Internet Engineering Task Force) IP Security Protocol (ipsec) Charter. . [15] IETF (Internet Engineering Task Force). RFC 2401 – Security Architecture for the Internet Protocol. November 1998. . [16] IETF (Internet Engineering Task Force). RFC 2409 – The Internet Key Exchange (IKE). November 1998. . [18] J. Katz, R. Ostrovsky, M. Yung. Efficient password-based authenticated key exchange using human-memorable passwords, in: Proc. Eurocrypt 2001, Lecture Notes in Computer Science, vol. 2045, 2001, pp. 475–494. [19] Y.-S. Kim, E.-N. Huh, J. Hwang, B.-W. Lee. An efficient key agreement protocol for secure authentication, in: Proc. ICCSA 2004, Lecture Notes in Computer Science, vol. 3043, 2004, pp. 746–754. [20] K. Kobara, H. Imai. Pretty simple password-authenticated keyexchange under standard assumptions. IACR ePRint Archive, 2003. Available from: . [21] W.-C. Ku, S.-D. Wang. Cryptanalysis of modified authenticated key agreement protocol, in: Electronics Letters, vol. 36, No. 21, 2000, pp. 1770–1771. [22] T. Kwon. Authentication and key agreement via memorable password, in: Proc. NDSS 2001 Symposium, 2001. [23] C.-L. Lin, H.-M. Sun, T. Hwang. Three-party encrypted key exchange: attacks and a Solution, in: ACM Operating Systems Review, vol. 34, No. 4, 2000, pp. 12–20. [24] C.-L. Lin, H.-M. Sun, T. Hwang. Three-party encrypted key exchange without server public-keys, in: IEEE Communication Letters, vol. 5, No. 12, 2001, pp. 497–499. [25] P. MacKenzie. More efficient password-authenticated key exchange. In Proc. CT-RSA 2001, Lecture Notes in Computer Science, vol. 2020, 2001, pp. 361–377. [26] P. MacKenzie. On the security of the SPEKE password-authenticated keyexchange protocol. IACR ePRint Archive, 2001. Available from: . [27] P. MacKenzie, S. Patel, R. Swaminathan. Password-authenticated key exchange based on RSA, in: Proc. Asiacrypt 2000, Lecture Notes in Computer Science, vol. 1976, 2000, pp. 599–613. [28] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1997.

2829

[29] NTT Communications. IPsec: a basis for IPv6 security. Tech Tutorial. . [31] S. Patel. Number theoretic attacks on secure password schemes, in: Proc. IEEE Symposium on Research in Security and Privacy, 1997, pp. 236–247. [33] E.-K, Ryu, K.-W, Kim, K.-Y, Yoo. An authenticated key agreement protocol resistant to a dictionary attack, in: Proc. ICCSA 2004, Lecture Notes in Computer Science, vol. 3043, 2004, pp. 603–610. [35] D.H. Seo and P. Sweeney. Simple authenticated key agreement algorithm, in: Electronics Letters, vol. 35, No. 13, 1999, pp. 1073–1074. [36] Y.-M. Tseng. Weakness in simple authenticated key agreement protocol, in: Electronics Letters, vol. 36, No. 1, 2000, pp. 48–49. Raphael C.-W. Phan is currently Director of the Information Security Research (iSECURES) Laboratory at the Swinburne University of Technology (Sarawak Campus) – SUTS, Kuching, Malaysia. Raphael researches on cryptography, cryptanalysis, authentication and key exchange protocols, smart card security, hash functions and digital watermarking. His work has been published in refereed journals published by IEE, IEEE, Elsevier Science and US Military Academy; and ZXin internationally refereed cryptology conferences published by Springer-Verlag, Germany. He is referee for several IEEE journals on the area of information security. He is General Chair of Mycrypt 05 and Asiacrypt 07, Program Chair of the International Workshop on Information Security & Hiding (ISH 05), and technical Program Committee member of Mycrypt 05, the International Conference on Information Security & Cryptology (ICISC 05) and International Conference on Applied Cryptography & Network Security (ACNS 06).

Bok-Min Goi received the BE degree in Electrical Engineering from University of Malaya (MU) and the M. EngSc degree from Multimedia University (MMU), Malaysia, in 1998 and 2002, respectively. Since 2002, he has been working as a lecturer in the Faculty of Engineering, MMU. Currently, he is the Chairman of MMUs Centre for Cryptography and Information Security (CCIS). His current research interests include cryptography, incremental hash function, authentication and key exchange protocols, and embedded systems design.

Kah-Hoong Wong received the BE degree from Multimedia University (MMU) in the first half of 2005 and is currently working as an engineer in the telecommunication industry.