Journal of the Chinese Institute of Engineers, Vol. 30, No. 2, pp. 343-347 (2007)
Short Paper
A DUAL-PURPOSE SIGNATURE FOR AUTHENTICATION ON UMTS
Chang-Kuo Yeh* and Wei-Bin Lee
ABSTRACT

In UMTS, the mobile station and the authentication server perform mutual authentication via a shared secret key. This implies that the server requires secure storage to maintain the shared keys of all users. Clearly, this large and sensitive store increases both the maintenance load and the security concerns regarding malicious intruders. As this paper shows, a signature technique can be applied not only to discard the bulky storage needed at the server but also to guarantee the access rights of the mobile clients. Two different and important purposes are achieved simultaneously from the same signature equation, so the Dual-Purpose signature provides valuable improvements to UMTS.

Key Words: UMTS, dual-purpose, signature, authentication.
I. INTRODUCTION

Due to the fast development of advanced wireless network technology, the number of cellular users has increased tremendously in recent years. As the demands on cellular systems increase, so does the importance of the security mechanisms that accompany them. Security issues were not properly addressed in the earliest cellular system, the first-generation (1G) analog system: with low-cost equipment, an attacker could easily intercept user traffic and obtain services illegally. For this reason, security measures were considered in the design of the second-generation (2G) digital cellular systems. For instance, the Global System for Mobile communications (GSM) (ETSI Recommendation GSM 02.09, 1993) takes security issues into account to provide user authentication and data confidentiality (Rahnema, 1993), and improved versions of the GSM protocol (Harn and Lin, 1995; Lo and Chen, 1999; Lee et al., 2003) were subsequently proposed. However, the security features of GSM are increasingly insufficient for the current demands of mobile systems, and a more powerful security mechanism is essential to address and improve on current GSM security. The Universal Mobile Telecommunication System (UMTS) (3GPP TS 23.002, v3.6.0, 2002), an emerging standard for third-generation (3G) digital cellular systems, adopts an enhanced authentication and key agreement protocol specified by the Third Generation Partnership Project (3GPP) (3GPP TS 33.102, v4.2.0, 2001). The UMTS authentication protocol retains the framework of GSM but provides significant enhancements: mutual authentication, agreement on an integrity key between the user and the serving network, and assured freshness of the agreed cipher key and integrity key.

In the UMTS authentication protocol, following the properties of the Message Authentication Code (MAC) (RSA Laboratories' Frequently Asked Questions about Today's Cryptography, 2000), the mobile station and the authentication server perform mutual authentication by sharing the same secret key in advance. Thus the authentication server needs a large amount of secure storage to maintain the secret shared keys of all mobile stations. So much storage imposes high maintenance demands and makes the server a target for attackers: if the server is compromised, the security of the whole system breaks down through the leakage of this sensitive information.

*Corresponding author. (Email: [email protected]) The authors are with the Department of Information Engineering and Computer Science, Feng Chia University, Taichung, Taiwan 407, R.O.C.
In this paper, we propose a Dual-Purpose signature technique. Its first use solves the issue mentioned above. The basic idea is that the shared secret is concealed by the authentication server and distributed to the clients; after that, only the authentication server has the ability to open it on-line, so the large secure storage can be discarded. In this way, the risk of attacks on the server and the cost of server maintenance are reduced significantly. Its second use guarantees the user's access rights. Our idea comes from the work of Hwu et al. (2006), which skillfully applied an efficient ID-based cryptosystem (Shamir, 1984) to improve the performance of an end-to-end mobile security mechanism. The improved UMTS authentication protocol not only removes the requirement for bulky storage of the shared keys but also simultaneously validates the user's access rights. These two different purposes are accomplished simultaneously by the same signature equation, which shows an alternative application of a signature technique.

In the next section, the UMTS authentication protocol is reviewed. Section III introduces how the Dual-Purpose signature mechanism is applied in UMTS. The security analysis and discussion are elaborated in Section IV and Section V, respectively. Finally, conclusions are given in Section VI.

II. THE UMTS AUTHENTICATION PROTOCOL

In UMTS, a secret key K, two message authentication code functions f1 and f2, and a key generation function f5 are initially shared between an MU (Mobile User) and its HN (Home Network). The transmission channel between the SN (Serving Network) and HN is assumed to be secure. To simplify the discussion, we divide the UMTS authentication protocol into two phases, the authorization phase and the verification phase. In the authorization phase, SN accepts the request of a newly arrived MU and then obtains authorization from HN to authenticate the MU locally.
In the verification phase, mutual authentication between MU and SN is performed. A more detailed description follows and is shown in Fig. 1.

1. The Authorization Phase

As Fig. 1 shows, upon receipt of a request from a user, HN authorizes SN to perform authentication by generating n authentication vectors (AVs) and sending them to SN via the secure channel. Each AV consists of a random number RAND, an expected response XRES and an authentication token AUTH. After receiving the n AVs, SN stores them for the subsequent authentications.
Fig. 1 UMTS authentication protocol
2. The Verification Phase

In the ith authentication, SN sends RAND(i) and AUTH(i) to MU. MU uses AUTH(i) to authenticate SN and computes the response RES to the challenge RAND(i) with the knowledge of the shared key K. By comparing the received RES with the stored XRES, SN authenticates the MU. Mutual authentication is achieved in this way.

III. THE IMPROVED UMTS PROTOCOL EMPLOYING THE DUAL-PURPOSE SIGNATURE

From Fig. 1, it is easy to see that the secret key K shared between HN and MU plays the critical role in the UMTS authentication protocol. Therefore, K must be stored in the authentication server in advance; in other words, HN must maintain a large amount of secure storage for the sensitive keys of all mobile users. As mentioned before, this storage imposes high maintenance demands and makes the server a target for attackers. To eliminate the bulky storage, the signature technique is applied so that HN can derive the secret shared key on-line; that is, the UMTS authentication protocol is enhanced by discarding the storage. The core technique is the signature, which can also be used to resolve another important issue: how the access rights of the MU can be guaranteed. To our knowledge, this issue has not been discussed in any previous study. Like UMTS, the improved version also has authorization and verification phases. An initialization phase and a registration phase must be described first, since they deploy the Dual-Purpose signature. These two phases are performed off-line, so their computation cost does not affect the running system.
1. Initialization Phase

HN generates the parameters p (a 1024-bit prime), q (a 160-bit prime factor of p-1), and a generator $g = h^{(p-1)/q} \bmod p$ of order q, where $h \in [1, p-1]$ is any integer for which $g \neq 1$ (this h is an integer, distinct from the hash function $h(\cdot)$ used below). HN then selects a private key x, an integer less than q, and publishes the corresponding public key $y = g^{x} \bmod p$.

2. Registration Phase

Assume a mobile user MU with IMSI (International Mobile Subscriber Identity) wants to register with HN and requests specific access rights, stated explicitly in a warrant W (for instance, that the user may use network resources only in certain restricted SNs). HN executes the following steps to complete the registration.

Step 1. Generate a random number $k \in [1, q-1]$. (If the r computed in Step 2 satisfies $r \equiv 0 \pmod q$, then $r^{-1} \bmod q$ does not exist and a new k must be chosen.)

Step 2. Compute

$$r = g^{k} \bmod p. \qquad (1)$$

Step 3. Sign W as

$$s = h(W \| IMSI)\, x + k\, r^{-1} \bmod q, \qquad (2)$$

where $r^{-1}$ is the inverse of r modulo q.

Step 4. Compute the secret shared key

$$K = h(k \| r \| s). \qquad (3)$$

Step 5. Place IMSI, K, W, r and s into the SIM card and deliver it to the MU.

MU can assure itself that HN has granted the rights stated in W by checking whether the equation

$$g^{s} = r^{\,r^{-1}} \cdot y^{\,h(W \| IMSI)} \bmod p \qquad (4)$$

holds. Eq. (4) follows from Eq. (2): since g has order q, $g^{s} = g^{h(W \| IMSI)\,x} \cdot g^{k\,r^{-1}} = y^{\,h(W \| IMSI)} \cdot r^{\,r^{-1}} \bmod p$, where the exponent $r^{-1}$ is taken modulo q.
3. Authorization Phase

When MU roams into a new SN, the parameters IMSI, W, r and s are handed to the new SN for authentication. In this phase, only the following three steps are inserted in front of the original authorization phase, which is otherwise unmodified.

Step 1. SN checks that the rights stated in W cover this SN and, if so, passes IMSI, W, r and s to HN.

Step 2. HN derives the parameter k as

$$k = \left(s - h(W \| IMSI)\, x\right) r \bmod q. \qquad (5)$$

Step 3. HN computes $K = h(k \| r \| s)$ as in Eq. (3).

Eq. (5) simply inverts Eq. (2): $s - h(W \| IMSI)\,x = k\,r^{-1} \pmod q$, and multiplying both sides by r recovers k. Since HN also holds the public key y, it can check Eq. (4) on the received (W, r, s) before deriving k, so that a tampered warrant or a malformed (r, s) is rejected before any key derivation takes place.

After the secret shared key K has been computed, the remaining processing, including the verification phase, is identical to the original UMTS. Fig. 2 illustrates the new protocol; only the first three steps of the authorization phase are added, without altering the original design.
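The three phases above, carried through as a runnable model. This is an added example, not the authors' code: it implements Eqs. (1)-(5) exactly as stated, but the surrounding choices are assumptions of the example rather than of the paper. SHA-256 stands in for the paper's SHA-1, hash inputs are length-prefixed so that $h(W \| IMSI)$ and $h(k \| r \| s)$ are unambiguous, `initialization()` generates the group with a Miller-Rabin test instead of using fixed parameters, the IMSI and warrant strings are constructed sample values, and `hn_derive_key()` checks Eq. (4) before Eq. (5), which is the safeguard noted above and not a step listed by the paper.

```python
"""Added model of the Dual-Purpose signature of Section III: HN signs the
warrant W for a subscriber, hides the nonce k in (r, s), the SIM checks
Eq. (4), and HN later re-derives k (Eq. (5)) and K (Eq. (3)) on-line."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def H(*parts):
    """h(a||b||...) as an integer; parts are length-prefixed so the
    concatenation is unambiguous. SHA-256 stands in for the paper's SHA-1."""
    buf = b""
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        buf += len(part).to_bytes(4, "big") + part
    return int.from_bytes(hashlib.sha256(buf).digest(), "big")


def initialization(p_bits=1024, q_bits=160):
    """Initialization phase at HN: primes p, q with q | p-1, g of order q,
    private key x and public key y = g^x mod p (paper: 1024-bit p, 160-bit q)."""
    q = random_prime(q_bits)
    while True:  # p = q*m + 1 with m even, so that p is odd
        m = (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = q * m + 1
        if is_probable_prime(p):
            break
    while True:  # g = base^((p-1)/q); the paper calls the base h (not the hash)
        g = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
        if g != 1:
            break
    x = secrets.randbelow(q - 1) + 1
    return {"p": p, "q": q, "g": g, "y": pow(g, x, p), "x": x}


def registration(hn, imsi, warrant):
    """Registration phase, Steps 1-5: returns the SIM contents (IMSI, K, W, r, s).
    k itself is discarded, so HN keeps no per-user secret."""
    p, q, g, x = hn["p"], hn["q"], hn["g"], hn["x"]
    e = H(warrant, imsi) % q
    while True:
        k = secrets.randbelow(q - 1) + 1               # Step 1: k in [1, q-1]
        r = pow(g, k, p)                               # Step 2, Eq. (1)
        if r % q == 0:                                 # r^-1 mod q must exist
            continue
        s = (e * x + k * pow(r, -1, q)) % q            # Step 3, Eq. (2)
        if s != 0:
            break
    return {"IMSI": imsi, "K": H(k, r, s), "W": warrant, "r": r, "s": s}  # Eq. (3), Step 5


def verify_warrant(pub, imsi, warrant, r, s):
    """Eq. (4): g^s == r^(r^-1) * y^h(W||IMSI) mod p, from public values only."""
    p, q, g, y = pub["p"], pub["q"], pub["g"], pub["y"]
    if not (1 <= r < p and 1 <= s < q) or r % q == 0:
        return False
    e = H(warrant, imsi) % q
    return pow(g, s, p) == pow(r, pow(r, -1, q), p) * pow(y, e, p) % p


def hn_derive_key(hn, imsi, warrant, r, s):
    """Authorization phase Steps 2-3: k by Eq. (5), then K by Eq. (3). Checking
    Eq. (4) first is an added safeguard, not a step listed in the paper."""
    if not verify_warrant(hn, imsi, warrant, r, s):
        return None
    q, x = hn["q"], hn["x"]
    e = H(warrant, imsi) % q
    k = ((s - e * x) * r) % q                           # Eq. (5)
    return H(k, r, s)                                   # Eq. (3)
```

Typical use: `hn = initialization(512, 160)` (512-bit p keeps a demo quick; the paper's sizes are the defaults), `sim = registration(hn, b"001010123456789", b"SN=Taichung-1;until=2007-12-31")`, then `verify_warrant(hn, sim["IMSI"], sim["W"], sim["r"], sim["s"])` on the MU side and `hn_derive_key(hn, ...)` on the HN side, which returns the same `K` that was written to the SIM. Changing a single byte of the warrant makes Eq. (4) fail, so HN returns `None` instead of deriving a key for rights it never granted.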
Fig. 2 The improved UMTS authentication protocol
IV. SECURITY ANALYSIS

The new scheme inherits the security environment of UMTS. Only the part that differs, the authorization phase, is discussed here. The major difference is that the parameters (W, r, s) are sent to HN and used to derive the shared secret on-line. The parameters (W, r, s) form a generalized ElGamal-type digital signature (Harn and Xu, 1994), which serves as evidence of HN's promise. A signature that verifies under Eq. (4) is a non-repudiation token that MU has received from HN; thus HN has no way to deny the access rights stated in the warrant W, and the access rights of MU are guaranteed. By the unforgeability of the digital signature, altering the content of W amounts to forging a signature.

The other major contribution of the new scheme is the way the secret shared key K is protected. Without K, a malicious intruder cannot compute the correct MAC value and so cannot pass the authentication process. The treatment of K is as follows. At the client end, K is stored in the user's SIM card, which is assumed to be tamper resistant: it is assumed that nobody, not even the card owner, can extract secret information from it. At the server end, anyone who knows the parameter k can compute K = h(k||r||s); however, it is infeasible for an attacker to compute k, because k is concealed in the signature (r, s). Deriving k from $r = g^{k} \bmod p$ is difficult due to the intractability of the discrete logarithm problem for a large prime p with generator g. On the other hand, deriving k from (r, s) would reveal the private key x as well, by Eq. (2), so a successful attack implies breaking the underlying signature scheme. Only HN, holding the private key x, can derive k from Eq. (5). After k is derived, HN computes K from k together with the signature values r and s. Since K can be derived on-line by HN, the storage formerly used for the secret shared keys can be discarded, and intruders lose the opportunity to steal users' shared keys K from HN. The underlying signature provides a well-defined vault for the seed k, provided that the private key x is well protected. Note that this concentrates rather than removes the server-side secret: whoever obtains x can recover k, and hence K, for every subscriber from the values (W, r, s) that travel over the network, so x must be protected at least as carefully as the key store it replaces.

V. DISCUSSION

1. Implications of the Dual-Purpose Signature

On the server side, the cost of storage maintenance and the threat of malicious attackers are greatly reduced, since the secret parameter k is derived on-line by Eq. (5). On the other hand, to guarantee the specific rights of the mobile user MU, the signature (r, s) on the rights stated in W is generated by the server HN by Eq. (2). These two equations are the same relation read in two directions:

$$s = h(W \| IMSI)\, x + k\, r^{-1} \bmod q \;\Rightarrow\; k\, r^{-1} = s - h(W \| IMSI)\, x \bmod q \;\Rightarrow\; k = \left(s - h(W \| IMSI)\, x\right) r \bmod q.$$

That is, whichever equation is used, both operate on the same signature parameters. For HN, the signature, read as Eq. (5), is a safe deposit from which the secret shared key K is derived on-line; HN no longer needs secure storage for the shared keys K, so the cost of maintaining that storage and the threat of its compromise are avoided. For MU, the signature, read as Eq. (2), is evidence guaranteeing its rights; the non-repudiation and unforgeability properties of the signature let an arbiter judge disputes concerning the guaranteed rights.
Therefore, we propose the name Dual-Purpose signature for this technique.

2. Cost Evaluation of the Dual-Purpose Signature

(i) Mobile Side

Because the signature verification, Eq. (4), is a time-consuming operation, it is recommended only at the registration phase, where MU uses it to assure itself of the granted rights and to prevent their later repudiation. Since this check is required only during the registration phase, which can be performed off-line, its computation cost can be neglected. The concern then shifts to the authorization and verification phases, where the computation cost on the mobile side is the same as in UMTS. Thus the computation load of MU does not affect current systems.

(ii) Authentication Server Side

Instead of retrieving the secret K from storage according to IMSI, our design derives K on-line. The extra computations are the following two steps, which are the only burdens added by our design:

Step 1. $k = (s - h(W \| IMSI)\, x)\, r \bmod q$,

Step 2. $K = h(k \| r \| s)$.

Although these extra computations are large-number arithmetic operations, notorious for their time consumption, our method still appears to perform better than the original UMTS. This is because the extra computations are processed entirely in memory, whereas the database query in UMTS involves not only memory but also disk I/O, and memory access far outstrips disk I/O: in general, disk I/O is about four orders of magnitude slower than main memory (Silberschatz and Galvin, 1997). In the following, we estimate the processing time needed in the two models, the computation model of the new design and the database query model of UMTS. On a computer with a Pentium 4 3.2 GHz CPU, 2 GB of RAM and the Windows 2003 operating system, we wrote a program in Java 1.4 to estimate the system return time for the extra computations of our method. The program randomly generates the three 1024-bit parameters r, IMSI and W and the three 160-bit parameters s, x and q. SHA-1 (Biham and Shamir, 1993) is selected as the hash function.
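A harness for the comparison this subsection sets up, the two extra server steps against a lookup of K by user ID in a table, written as an added example and not the authors' Java program. Its assumptions: both measurements run in one Python process so that the figures are comparable; the table lives in an on-disk SQLite file instead of MySQL, with the same two 20-character columns and the user ID as primary key; SHA-256 stands in for SHA-1; and, since only timing is of interest, q is a random odd 160-bit number rather than a prime.

```python
"""Added harness: time the two extra HN steps (Eq. (5), then Eq. (3)) against
primary-key lookups of K in an on-disk table, in one process and one language.
SQLite stands in for the paper's MySQL; SHA-256 for its SHA-1."""
import hashlib
import os
import secrets
import sqlite3
import tempfile
import time


def derive_key(s, e, x, r, q):
    """Step 1: k = (s - e*x)*r mod q with e = h(W||IMSI); Step 2: K = h(k||r||s)."""
    k = ((s - e * x) * r) % q
    return k, hashlib.sha256(b"%d|%d|%d" % (k, r, s)).hexdigest()


def time_derivations(n=1000, q_bits=160, p_bits=1024):
    """Milliseconds for n derivations on random operands of the paper's sizes.
    A random odd q is enough for timing; primality does not change the cost."""
    q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    x = secrets.randbelow(q)
    ops = [(secrets.randbelow(q), secrets.randbelow(q), secrets.randbits(p_bits))
           for _ in range(n)]
    t0 = time.perf_counter()
    for s, e, r in ops:
        derive_key(s, e, x, r, q)
    return (time.perf_counter() - t0) * 1000.0


def time_queries(records=100_000, n=1000):
    """Milliseconds for n random lookups in a table of `records` rows with
    columns (user_id, k), both 20 characters, user_id the primary key.
    Returns (ms, every_lookup_found_its_row)."""
    path = os.path.join(tempfile.mkdtemp(), "keys.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE keys (user_id TEXT PRIMARY KEY, k TEXT NOT NULL)")
    con.executemany("INSERT INTO keys VALUES (?, ?)",
                    ((f"{i:020d}", secrets.token_hex(10)) for i in range(records)))
    con.commit()
    con.close()
    con = sqlite3.connect(path)   # reopen so the connection's page cache starts cold
    targets = [f"{secrets.randbelow(records):020d}" for _ in range(n)]
    found = 0
    t0 = time.perf_counter()
    for uid in targets:
        found += con.execute("SELECT k FROM keys WHERE user_id = ?", (uid,)).fetchone() is not None
    ms = (time.perf_counter() - t0) * 1000.0
    con.close()
    return ms, found == n


if __name__ == "__main__":
    print("1000 derivations: %.1f ms" % time_derivations())
    for size in (100_000, 1_000_000):
        ms, ok = time_queries(size)
        print("%d records, 1000 lookups: %.1f ms (all found: %s)" % (size, ms, ok))
```

Two things to keep in mind when reading the numbers it prints. The derivation is 160-bit modular arithmetic plus one hash, so its cost is a few microseconds per call and does not depend on the number of subscribers. The lookup cost depends almost entirely on whether the row's index page is already in memory; the four-orders-of-magnitude figure for disk I/O applies only to a cold page, which is the situation the paper's argument assumes.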
The program executes the two steps above 1000 times. The system return time for the simulation varies from 40 to 80 milliseconds, as shown in Table 1. On the other hand, in UMTS the cost of obtaining K is the time needed for the database query. Therefore, using the same program, we also estimated the query time for databases of different sizes. The database table is created in MySQL with two fields, the user ID and the corresponding shared key K, both of character type with a field length of 20 bytes; the user ID is the primary key. The number of records varies from 100,000 to 10,000,000. The query time is accumulated over 1000 random searches by user ID. The simulation results are given in Table 1.

Table 1 The comparison of the computation model in our design and the database query model in UMTS

Our design              | UMTS model
System return time (ms) | Number of records | Query time (ms)
78                      | 100,000           | 395
63                      | 500,000           | 360
63                      | 1,000,000         | 405
63                      | 2,000,000         | 349
47                      | 3,000,000         | 405
47                      | 5,000,000         | 375
47                      | 7,000,000         | 359
45                      | 9,000,000         | 375
45                      | 10,000,000        | 355

From Table 1, the query time stays between roughly 350 and 405 milliseconds regardless of the database size, whereas deriving K on-line takes 45 to 78 milliseconds. According to this simulation, the cost of deriving the secret K in our computation model is lower than that of the database query model in UMTS. Therefore, from an overall cost-benefit viewpoint, it is worthwhile to apply the Dual-Purpose signature technique.

In summary, by employing the Dual-Purpose signature, the improved UMTS authentication protocol not only removes the requirement for bulky storage of the shared keys but also simultaneously validates the access rights of the user. These two different purposes are achieved at the same time with the same signature equation, which shows an alternative application of a signature technique.

VI. CONCLUSIONS

The concept of the Dual-Purpose signature is introduced to UMTS, so that not only is the requirement for bulky storage of the shared keys removed, but the access rights of the mobile clients are also guaranteed. With the new method, UMTS benefits from eliminating the maintenance of the bulky storage and faces fewer security threats. The Dual-Purpose signature concept provides an alternative and efficient application of a signature technique.

ACKNOWLEDGMENTS

We would like to thank the anonymous referees and the editor, Prof. Chung, for valuable suggestions that have resulted in the improvement of the paper. Their comments regarding our manuscript were extremely helpful to us in preparing a clearer version.

REFERENCES

Biham, E., and Shamir, A., 1993, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, Berlin, Germany.

ETSI, 1993, Recommendation GSM 02.09, "Security Related Network Functions," Technical Report, European Telecommunications Standards Institute.

Harn, L., and Lin, H. Y., 1995, "Modification to Enhance the Security of the GSM Protocol," Proceedings of the 5th National Conference on Information Security, Taipei, Taiwan, pp. 416-420.

Harn, L., and Xu, Y., 1994, "Design of Generalized ElGamal Type Digital Signature Schemes Based on Discrete Logarithm," Electronics Letters, Vol. 30, No. 24, pp. 2025-2026.

Hwu, J. S., Chen, R. J., and Lin, Y. B., 2006, "An Identity-Based Cryptosystem for End-to-End Mobile Security," accepted and to appear in IEEE Transactions on Wireless Communications.

Lee, C. H., Hwang, M. S., and Yang, W. P., 2003, "Extension of Authentication Protocol for GSM," IEE Proceedings-Communications, Vol. 150, No. 2, pp. 91-95.

Lo, C. C., and Chen, Y. J., 1999, "Secure Communication Mechanisms for GSM Networks," IEEE Transactions on Consumer Electronics, Vol. 45, No. 4, pp. 1074-1080.

Rahnema, M., 1993, "Overview of the GSM System and Protocol Architecture," IEEE Communications Magazine, Vol. 31, No. 4, pp. 92-100.

RSA Laboratories, 2000, Frequently Asked Questions about Today's Cryptography, V4.0. Available: http://www.rsasecurity.com/rsalabs/faq/

Shamir, A., 1984, "Identity-Based Cryptosystems and Signature Schemes," Advances in Cryptology, CRYPTO '84, pp. 47-53.

Silberschatz, A., and Galvin, P. B., 1997, Operating System Concepts, 5th ed., John Wiley & Sons, Inc.

3GPP TS 23.002, v3.6.0, 2002, Network Architecture, Release 99.

3GPP TS 33.102, v4.2.0, 2001, Security Architecture, Release 4.
Manuscript Received: Sep. 15, 2005 Revision Received: Jul. 18, 2006 and Accepted: Aug. 21, 2006