Research Article  Open Access
Secure and Efficient Anonymous Authentication Scheme in Global Mobility Networks
Abstract
In 2012, Mun et al. pointed out that Wu et al.’s scheme failed to achieve user anonymity and perfect forward secrecy and disclosed the passwords of legitimate users. And they proposed a new enhancement for anonymous authentication scheme. However, their proposed scheme has vulnerabilities that are susceptible to replay attack and maninthemiddle attack. It also incurs a high overhead in the database. In this paper, we examine the vulnerabilities in the existing schemes and the computational overhead incurred in the database. We then propose a secure and efficient anonymous authentication scheme for roaming service in global mobility network. Our proposed scheme is secure against various attacks, provides mutual authentication and session key establishment, and incurs less computational overhead in the database than Mun et al.'s scheme.
1. Introduction
Global mobility network (GLOMONET) provides global roaming services for mobile user between the home agent and the foreign agent. The GLOMONET must have a user authentication scheme in which the mobile user has secure access to the foreign agent. A strong user authentication scheme in GLOMONET should satisfy the following requirements: (1) user anonymity, (2) low communication cost and computation complexity, (3) single registration, (4) update session key periodically, (5) user friendly, (6) password/verifier table, (7) update password securely and freely, (8) prevention of fraud, (9) prevention of replay attack, (10) security, and (11) providing the authentication scheme when a user is located in the home network [1, 2].
Many user authentication schemes for use in GLOMONET have been proposed [1–18]. In 2004, Zhu and Ma [4] proposed a simple, efficient wireless authentication scheme that provides user anonymity for wireless environments. However, Lee et al. [5] subsequently pointed out that Zhu et al.’s scheme does not achieve mutual authentication and perfect backward secrecy, and therefore cannot protect against forgery attacks. They then proposed a slight modification of Zhu et al.’s scheme. Unfortunately, Wu et al. [6] demonstrated that Lee et al.’s proposed scheme still failed to provide anonymity and perfect backward secrecy. Consequently, they proposed an improvement to overcome the weakness identified in Lee et al.’s scheme. In 2009, Zeng et al. [7] showed that Wu et al.’s scheme also fails to provide anonymity. In 2012, Mun et al. [12] showed that Wu et al.’s scheme discloses the password of legitimate users and does not achieve perfect forward secrecy. They subsequently proposed a new enhancement for anonymous authentication to overcome these security weaknesses. However, their scheme is vulnerable to replay attack and maninthemiddle attack, and incurs a high overhead in the database of the home agent.
Therefore, in this paper, we analyze the existing schemes [5, 6, 12] and show that it is vulnerable to security requirement. And we propose a secure and efficient anonymous authentication scheme that is resistant to replay attack and maninthemiddle attack. Our proposed scheme also incurs less computational overhead in the database than Mun et al.’s scheme.
The remainder of this paper is organized as follows. In Section 2, we review the existing schemes, while in Section 3, we investigate the security vulnerabilities mentioned above. In Section 4, we present our proposed secure and efficient anonymous authentication scheme. This scheme is analyzed and compared with other schemes in Section 5. Finally, Section 6 presents our conclusions.
2. Review of the Previous Schemes
In this section, we examine variety of authentication schemes with anonymity proposed by Lee et al. [5], Wu et al. [6], and Mun et al. [12].
2.1. Lee et al.’s Scheme
Figure 1 shows the procedure of Lee et al.’s scheme. Their scheme comprises three phases: an initial phase, a first phase, and a second phase.
2.1.1. Initial Phase
When a new mobile user MU wants to register with a home agent HA, he/she performs the following steps.
Step 1. Consider .
MU sends his/her identifier to HA for registration.
Step 2. HA computes and , where is a long random number kept by HA.
Step 3. Consider .
HA delivers and a smart card containing to MU through a secure channel.
2.1.2. First Phase
In this phase, FA authenticates MU and issues a temporary certificate to MU, which will be used in the second phase when MU always communicates this FA within this area. MU performs the following steps.
Step 1. Consider .
MU computes and temporary key , and encrypts using symmetric key , where and are secret random numbers. And, MU sends , , , and to FA.
Step 2. Consider .
If timestamp is valid, FA generates a secret random number and computes signature using private key . And, sends , , , , , , and to .
Step 3. Consider .
If certificate and timestamp are valid, HA computes and , and decrypts using symmetric key . If is identical to , HA authenticates MU. And, HA encrypts using public key and computes signature using private key . HA then sends , , , , and to FA.
Step 4. Consider .
If certificate and timestamp are valid, FA issues the temporary certificate and decrypts using private key . And, FA computes and session key and encrypts using symmetric key . FA then sends to MU.
Step 5. MU computes and session key and decrypts using symmetric key . If is identical to , MU authenticates FA.
2.1.3. Second Phase
In this phase, MU visits FA at th session when he/she is always within this FA. MU performs the following steps.
Step 1. Consider .
MU encrypts using symmetric key , where , for . And, MU sends and to FA.
Step 2. If is valid, FA decrypts using symmetric key . If received if identical to obtained , FA authenticates MU.
2.2. Wu et al.’s Scheme
Figure 2 shows the first and second phase of Wu et al.’s scheme. Their scheme comprises three phases: an initial phase, a first phase, and a second phase. The initial phase is the same as the initial phase of Lee et al.’s scheme.
2.2.1. First Phase
In this phase, FA authenticates MU and issues a temporary certificate to MU, which will be used in the second phase when MU always communicates this FA within this area. MU performs the following steps.
Step 1. Consider .
MU computes and temporary key , and encrypts using symmetric key , where and are secret random numbers. And, MU sends , , , and to FA.
Step 2. Consider .
If timestamp is valid, FA generates a secret random number and computes signature using private key . And, FA sends , , , , , , and to HA.
Step 3. Consider .
If certificate and timestamp are valid, HA computes and , and decrypts using symmetric key . If is identical to , authenticates MU. And, HA encrypts using public key and computes signature using private key . HA then sends , , , , and to FA.
Step 4. Consider .
If certificate and timestamp are valid, FA issues the temporary certificate and decrypts using private key . And, computes and session key and encrypts using symmetric key . FA then sends to MU.
Step 5. MU computes and session key and decrypts using symmetric key . If is identical to , MU authenticates FA.
2.2.2. Second Phase
In this phase, MU visits FA at session when he/she is always within this FA. MU performs the following steps.
Step 1. Consider .
MU encrypts using symmetric key , where , for . And, MU sends and to FA.
Step 2. If is valid, FA decrypts using symmetric key . If received if identical to obtained , FA authenticates MU.
2.3. Mun et al.’s Scheme
Their scheme comprises three phases: a registration phase, an authentication phase, and an update phase.
2.3.1. First Phase
Figure 3 shows the procedure of the first phase. When a new MU, wants to register with HA, he/she performs the following steps.
Step 1. Consider .
MU sends his/her identifier and nonce to HA for registration.
Step 2. HA generates nonce and computes and .
Step 3. Consider .
HA sends , , , , and to MU through a secure channel.
2.3.2. Second Phase
Figure 4 shows the procedure of the second phase. In this phase, for mutual authentication between MU and HA and between MU and a foreign agent FA, the following steps are performed.
Step 1. Consider .
MU accesses the new FA and sends , , and to it.
Step 2. Consider .
FA stores the message received from MU for further communication and generates nonce . FA then sends , , and to HA.
Step 3. Consider .
HA computes and checks whether is identical to the received . If they are identical, HA authenticates MU. Next, HA computes and , and sends the computed and to FA.
Step 4. Consider .
FA computes and checks whether is identical to the received . FA then computes , selects a random number , and then computes on using the elliptic curve DiffieHellman (ECDH) protocol. Next, FA sends , , and to MU.
Step 5. Consider .
MU computes and , and checks whether is identical to the received . If they are identical, MU authenticates HA and FA. After checking , MU selects a random number and computes , a session key using the received and the computed , and . Next, MU sends the computed and to FA.
Step 6. FA computes using private and public values, and . FA then checks whether is identical to the received . If they are identical, FA authenticates MU.
2.3.3. Third Phase
The procedure followed in the third phase is depicted in Figure 5. The steps are as follows.
Step 1. Consider .
MU selects a new random number and computes . MU then sends and to FA.
Step 2. Consider .
FA selects a new random number and computes . It then computes a new session key and . Next, it sends and to MU.
Step 3. MU computes a session key , using the received , the computed , and . MU then checks whether is identical to the received . If they are identical, MU and FA use the new session key .
3. Vulnerabilities in the Previous Schemes
3.1. Vulnerability of Lee et al.’s and Wu et al.’s Scheme
Lee et al.’s and Wu et al.’s scheme are almost the same. Therefore, their schemes are also the same vulnerabilities. Their scheme is vulnerable replay attack, is disclosed password, and cannot achieve anonymity and perfect forward secrecy.
3.1.1. Anonymity
An adversary can eavesdrop on and record the message transmitted from MU to FA, and can obtain MU’s as follows.
Step 1. register as legitimate user to HA and obtain own and . And, compute using , , , and .
Step 2. eavesdrops on and records messages transmitted from FA to MU.
Step 3. compute using , , and .
Therefore, Lee et al.’s and Wu et al.’s scheme cannot achieve anonymity [7].
3.1.2. Replay Attack
Legitimate can record the message transmitted from MU, and can then impersonate MU by using the recorded message to another as follows.
Step 1. accesses another and sends recorded message to this . can replay this message within the lifetime of . After receiving this message, sends the message to HA.
Step 2. HA compute and checks whether the computed is identical to the received . If they are identical, HA authenticate , then sends the message to .
Step 3. computes session key and sends the message to . computes the session key between and MU, which is the same as the session key between and . And, decrypts and authenticates .
Therefore, Lee et al.’s and Wu et al.’s scheme is vulnerable to replay attack [11].
3.1.3. Disclosure Password
If an adversary can steel MU’s smart card, can obtain MU’s password as follows.
Step 1. can record the message transmitted from MU to FA. And, as described in Section 3.1.1, can obtain the message .
Step 2. stole MU’s smart card, inserts MU’ smart card into the device, and enters the fake password . The smart card computes and obtains by eavesdropping.
Step 3. computes using , , , and .
Therefore, Lee et al.’s and Wu et al.’s scheme are disclosed password [11].
3.1.4. Perfect Forward Secrecy
Assume that an adversary obtain MU’s password . Failing to provide perfect forward secrecy is as follows.
Step 1. computes using and and decrypts using . Thus, obtains , , and .
Step 2. computes session key using , , and and decrypts using . Thus, obtains .
Step 3. computes session key using , , and .
Therefore, Lee et al.’s and Wu et al.’s scheme cannot achieve perfect forward secrecy [11].
3.2. Vulnerability of Mun et al.’s Scheme
Mun et al. claimed that their scheme can thwart a variety of known attacks. Unfortunately, we found that their scheme is vulnerable to replay attack and maninthemiddle attack. In addition, their scheme incurs a high overhead in the database of the home agent.
3.2.1. Replay Attack
In Mun et al.’s scheme, an adversary can eavesdrop on and record the message transmitted from MU to FA; and can then impersonate MU by using the recorded message as follows.
Step 1. accesses a new FA and sends the recorded message to this FA. After receiving this message, the FA sends the message to HA.
Step 2. HA computes and checks whether is identical to the received . If they are identical, HA authenticates , then computes and , and sends the message to FA. On receiving this message, FA computes and checks whether is identical to the received . Next, FA sends the message to .
Step 3. computes and checks whether is identical to the received . If they are identical, authenticates HA and FA, then computes and S_{MF}, and sends the message to FA. On receiving this message, FA computes and checks whether is identical to the received . If they are identical, FA authenticates .
Therefore, Mun et al.’s scheme is vulnerable to replay attack [18].
3.2.2. ManintheMiddle Attack
In Mun et al.’s scheme, an adversary can eavesdrop on messages transmitted between and MU. Consequently, can also successfully mount a maninthemiddle attack as follows.
Step 1. blocks and copies the message transmitted from FA to MU. It then selects a new random number , computes , replaces message with , and sends this to MU.
Step 2. MU computes and , and checks whether is identical to the received . After checking , MU selects a random number and computes , a session key using the received , the computed , and . Next, MU sends the message to FA.
Step 3. blocks and copies the message transmitted from MU to FA. It then selects a new random number and computes , a session key using the copied and the computed , and . Next, replaces message with and sends this to FA.
Step 4. FA computes using private and public values and . It then checks whether is identical to the value received for . If they are identical, FA authenticates MU. However, the session key between FA and MU is different.
Therefore, Mun et al.’s scheme is vulnerable to maninthemiddle attack [18].
3.2.3. High Overhead
For authentication, MU sends message to FA. After receiving this message, sends message to HA. In order to authenticate MU, HA computes . To compute for MU, HA must find and in its own database to compute the authentication message. However, HA incurs a high overhead because of the difficulty of finding and in the authentication message. In addition, HA incurs computational cost because of the oneway hash function and exclusive OR operation used to compute the authentication message. In other words, HA computes the authentication message using and in its own database, and incurs a high overhead because it has to compare it with the received authentication message.
4. Our Proposed Scheme
In this section, we propose a secure and efficient anonymous authentication scheme for roaming services in GLOMONETs. This scheme consists of three phases: a registration phase, an authentication and key establishment phase, and an update session key phase.
4.1. Notation
Table 1 shows the notation used to describe our proposed scheme.

4.2. Registration Phase
Figure 6 illustrates the procedure of the registration phase. When a new MU wants to register with HA, he/she performs the following steps.
Step R1. Consider .
MU selects the identity and a random nonce , and sends and to HA for registration.
Step R2. Consider .
After receiving the registration message from MU, HA selects a random nonce and computes the following:
HA then issues a smart card containing and delivers it to MU through a secure channel.
4.3. Authentication and Key Establishment Phase
The procedure followed in the authentication and key establishment phase is illustrated in Figure 7. In this phase, to attain mutual authentication between MU and HA, and between MU and FA, the following actions are performed.
Step A1. Consider .
For authentication, MU selects a random nonce and a random number , and computes value on using ECDH. MU then computes the following:
Next, MU sends , , , , , and to FA.
Step A2. Consider .
FA stores the and received from MU for further communication, selects a random number , and computes the value on using ECDH. FA then sends , , , , , , and to HA.
Step A3. Consider .
On receiving the authentication message from FA, HA computes the following:
HA then checks whether is identical to . If they are identical, HA authenticates MU. HA then computes and sends , , , , and to FA.
Step A4. .
FA checks , , and , and sends , , , , and to MU.
Step A5. .
MU checks and , and computes . MU checks whether is identical to . If they are identical, MU authenticates HA and FA. MU then computes using private and public keys and . Next, MU sends to FA.
Step A6. FA computes using private and public keys and . FA then checks whether is identical to . If they are identical, FA authenticates MU. Otherwise, the procedure is terminated.
4.4. Update Session Key Phase
The update session key phase is the same as the third phase of Mun et al.’s scheme, as shown in Figure 5.
5. Analyses
5.1. Security Analysis
Table 2 compares the security of existing schemes with that of our proposed scheme. Our scheme has the following security properties.

Anonymity. Assume that an adversary intercepts the message over a public network. An adversary cannot derive the identifier of the mobile user from , , , and . This is because an adversary does not know , , and .
Perfect Forward Secrecy. The authentication and key establishment and update session key phases of our scheme use ECDH to provide perfect forward secrecy. To establish a session key, MU and FA use different and for each session, and thus they are not related to previous values and . Thus, if the previous session key , is disclosed, an adversary cannot guess . In other words, guessing is a computationally difficult problem.
Mutual Authentication. HA can authenticate MU by checking in Step A3 of the authentication and key establishment phase, and MU can authenticate HA and FA by checking in Step A5 of the authentication and key establishment phase. And, FA can authenticate MU by checking in Step A6 of the authentication and key establishment phase.
Impersonation Attack. An adversary A cannot compute the authentication message because he/she cannot know , , , , and . Even if is a legitimate user of HA, he/she cannot compute the authentication message .
Disclosure of Password. We assume that an adversary eavesdrops on MU’s authentication message in the authentication and key establishment phase. However, cannot know MU’s from the authentication message by the nature of a oneway hash function.
Replay Attacks. MU uses a random nonce and checks to resist replay attacks in each authentication session. If an adversary is replaying the previous authentication message, but he/she cannot authenticate from HA because fail to check.
ManintheMiddle Attacks. Maninthemiddle attacks are thwarted because of the authentication between MU and HA. Similarly, maninthemiddle attacks can be thwarted by the establishment of a session key between MU and FA.
5.2. Performance Analysis
Table 3 compares the performance of existing schemes with that of our proposed scheme. Our scheme incurs less communication cost than conventional schemes [4–6]. Although our scheme incurs a little more communication cost than Mun et al.’s scheme, it incurs less computational overhead in the database than Mun et al.’s scheme [12].
 
(h): number of hash operation, (): number of XOR operation, Sym: number of symmetric key operation, Asym: number of asymmetric key operation. 
No Need for Time Synchronization. Conventional schemes use timestamps to resist replay attacks. Thus, time synchronization takes place when each entity is located in a different time zone. However, our scheme does not use timestamps, so there is no need to synchronize time between different entities.
Use of ECDH. Conventional schemes use certificates. However, mobile devices have power limitations; lowlevel computation based on certificates incurs a significant overhead. Our scheme uses ECDH instead of a public key cryptosystem with certificates in order to reduce the communication overhead. ECDH provides the same security properties and uses fewer resources than a public key cryptosystem with certificates. The performance advantage of ECDH is improved further as security needs increase.
Overhead Analysis. Our proposed authentication scheme can be compared with Mun et al.’s scheme in terms of the database overhead incurred by HA as the number of devices increase. In order to compare the overhead, the following terms are defined: the number of devices is , the identifier stored in the database of the home agent is , the computational cost for a oneway hash function and exclusive OR operation is (it is assumed that the computational cost for a oneway hash function and exclusive OR operation is 2, thus, ), and, finally, the overhead in the database of the home agent is . Thus, the overhead can be expressed as , that is, . Mun et al.’s scheme must obtain identifier and password information from its own database in order to compute the authentication message. However, their scheme compares the authentication message to compute the identifier and password of all the mobile users stored in its own database because of the difficulty of finding identifier and password information in the authentication message. For example, in Mun et al.’s scheme, if the number of devices to be authenticated by HA is 30, the number of identifiers stored in the database of the home agent is also 30, the computational cost for a oneway hash function and exclusive OR operation is 2 (according to Mun et al.’s scheme, because of the computational cost incurred); therefore, the overhead incurred in the database of HA is . Our proposed scheme can compute the authentication message in its own database because the identifier information can be found in the authentication message. For example, in our proposed scheme, if the number of devices to be authenticated by the home agent is 30, the number of identifiers stored in the database of the home agent is also 30, the computational cost for a oneway hash function and exclusive OR operation is 1 (our proposed scheme does not incur computational cost; thus, ), and thus, the overhead incurred in the database of HA is . Just like our proposed scheme, Lee et al.’s and Wu et al.’s scheme are the same overhead analysis. Compared to the existing scheme, our proposed scheme incurs less computational overhead in the database (Figure 8).
6. Conclusion
In this paper, we examined the previous schemes and security vulnerabilities of the previous schemes. Lee et al.’s and Wu et al.’s scheme was vulnerable to replay attack, cannot achieved perfect forward secrecy, cannot provided anonymity. And Mun et al.’s scheme was vulnerable to replay attack and maninthemiddle attack, and incurred a high overhead in the database. Therefore, we proposed a secure and efficient anonymous authentication scheme for roaming service in GLOMONET. Our scheme was developed using ECDH instead of the authentication mechanism used by Mun et al.’s scheme. Consequently, unlike Mun et al.’s scheme, our scheme achieves anonymity, provides perfect forward secrecy and mutual authentication, and is resistant to replay attack and maninthemiddle attack. And our scheme incurs less overhead in the database than Mun et al.’s scheme does. In addition, our scheme does not use timestamps, and as a result, it does not need to synchronize time between different entities.
Acknowledgments
This research was funded by the MSIP (Ministry of Science, ICT & Future Planning), Korea in the ICT R&D Program 2013. This work was supported by the Soonchunhyang University Research Fund. The authors declare that there is no conflict of interests regarding the publication of this article.
References
 S. Suzuki and K. Nakada, “An authentication technique based on distributed security management for the global mobility network,” IEEE Journal on Selected Areas in Communications, vol. 15, no. 8, pp. 1608–1617, 1997. View at: Publisher Site  Google Scholar
 D. He and S. Chan, “A secure and lightweight user authentication scheme with anonymity for the global mobility network,” in Proceedings of the 13th International Conference on NetworkBased Information Systems (NBiS '10), pp. 305–312, Takayama, Japan, September 2010. View at: Publisher Site  Google Scholar
 L. Buttyán, C. Gbaguidi, and S. Staamann, “Extensions to an authentication technique proposed for the global mobility network,” IEEE Transactions on Communications, vol. 48, no. 3, pp. 373–376, 2000. View at: Publisher Site  Google Scholar
 J. Zhu and J. Ma, “A new authentication scheme with anonymity for wireless environments,” IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 231–235, 2004. View at: Publisher Site  Google Scholar
 C. Lee, M. Hwang, and I. Liao, “Security enhancement on a new authentication scheme with anonymity for wireless environments,” IEEE Transactions on Industrial Electronics, vol. 53, no. 5, pp. 1683–1687, 2006. View at: Publisher Site  Google Scholar
 C. Wu, W. Lee, and W. Tsaur, “A secure authentication scheme with anonymity for wireless communications,” IEEE Communications Letters, vol. 12, no. 10, pp. 722–723, 2008. View at: Publisher Site  Google Scholar
 P. Zeng, Z. Cao, K. R. Choo, and S. Wang, “On the anonymity of some authentication schemes for wireless communications,” IEEE Communications Letters, vol. 13, no. 3, pp. 170–171, 2009. View at: Publisher Site  Google Scholar
 J. Lee, J. H. Chang, and D. H. Lee, “Security flaw of authentication scheme with anonymity for wireless communications,” IEEE Communications Letters, vol. 13, no. 5, pp. 292–293, 2009. View at: Publisher Site  Google Scholar
 C. Chang, C. Lee, and Y. Chiu, “Enhanced authentication scheme with anonymity for roaming service in global mobility networks,” Computer Communications, vol. 32, no. 4, pp. 611–618, 2009. View at: Publisher Site  Google Scholar
 T. Youn, Y. Park, and J. Lim, “Weaknesses in an anonymous authentication scheme for roaming service in global mobility networks,” IEEE Communications Letters, vol. 13, no. 7, pp. 471–473, 2009. View at: Publisher Site  Google Scholar
 D. He, M. Ma, Y. Zhang, C. Chen, and J. Bu, “A strong user authentication scheme with smart cards for wireless communications,” Computer Communications, vol. 34, no. 3, pp. 367–374, 2011. View at: Publisher Site  Google Scholar
 H. Mun, K. Han, Y. S. Lee, C. Y. Yeun, and H. H. Choi, “Enhanced secure anonymous authentication scheme for roaming service in global mobility networks,” Mathematical and Computer Modelling, vol. 55, no. 12, pp. 214–222, 2012. View at: Publisher Site  Google Scholar  Zentralblatt MATH  MathSciNet
 Q. Pu, “An enhanced authentication scheme with anonymity for roaming service in global mobility networks,” in Proceedings of the 2nd International Conference on MultiMedia and Information Technology (MMIT '10), pp. 219–222, Kaifeng, China, April 2010. View at: Publisher Site  Google Scholar
 T. Zhou and J. Xu, “Provable secure authentication protocol with anonymity for roaming service in global mobility networks,” Computer Networks, vol. 55, no. 1, pp. 205–213, 2011. View at: Publisher Site  Google Scholar
 T. Lee and T. Hwang, “Provably secure and efficient authentication techniques for the global mobility network,” Journal of Systems and Software, vol. 84, no. 10, pp. 1717–1725, 2011. View at: Publisher Site  Google Scholar
 C. C. Lee, Y. M. Lai, and C. T. Li, “An improved secure dynamic ID based remote user authentication scheme for multiserver environment,” International Journal of Security and Its Applications, vol. 6, pp. 203–210, 2012. View at: Google Scholar
 Y. An and Y. Joo, “Security analysis and improvements of a passwordbased mutual authentication scheme with session key agreement,” International Journal of Security and Its Applications, vol. 7, pp. 85–94, 2013. View at: Google Scholar
 J. S. Kim and J. Kwak, “Improved secure anonymous authentication scheme for roaming service in global mobility networks,” International Journal of Security and Its Applications, vol. 6, pp. 45–54, 2012. View at: Google Scholar
Copyright
Copyright © 2013 JunSub Kim and Jin Kwak. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.