Design & Implementation of a Secure Sensitive Information System for Wireless Mobile Devices

Xianping Wu, Huy Hoang Ngo, Phu Dung Le, Balasubramaniam Srinivasan
School of Information Technology, Monash University
900 Dandenong Road, Caulfield East, Melbourne, Victoria, AUSTRALIA

Abstract – Protecting sensitive information systems from security threats such as unauthorised access, information eavesdropping and information interference is significant. Most of the natural approaches employ strong authentication and/or cryptography systems to protect critical data. But those approaches do not emphasise the potential amount of risk associated with sensitive information, especially the vulnerability of long term cryptographic keys. Therefore, in this paper, a secure sensitive information system is proposed and implemented based on a dynamic key generation technique. It is combined with an elliptic curve key exchange protocol as a design solution for wireless mobile devices to achieve critical information data security and network security.

I. INTRODUCTION

In recent years, the rapid growth of the internet and wireless networks has brought not only conveniences but also challenges. Information can be easily accessed from a variety of networks and at any time. However, utilising the emerging technologies also creates a number of problematic issues. Because of the network structures and designs, information is transferred over different open network routes. In other words, this transmitted sensitive information is exposed to many security threats. There are several traditional approaches to protect the information system. In SSL/TLS [1], a strong cryptosystem and secure tunnels are applied to secure communication between entities. In another approach, Kerberos [2] uses a strong authentication mechanism to prevent unauthorised access to the information system. In order to protect information, both approaches employ long term cryptographic keys. This feature may attract cryptanalysis attacks on the information system. With adequate computational power, even the strongest cryptosystems can be broken. Therefore, the long term shared cryptographic keys are not suitable for protecting sensitive information in the long run, which requires high security standards. In this paper, we design and implement a secure sensitive information system. In this system, the long term shared cryptographic keys are replaced by dynamic keys, in order to overcome the problem of long term keys. In the system, dynamic keys are used to secure communication and are integrated with an authentication mechanism to prevent unauthorised access to restricted sensitive information. Our paper is organised as follows: The next section briefly discusses the related work. The proposed secure sensitive information system is presented in section 3. The result and performance of the proposed work are shown in section 4. The last section concludes our work.

II. RELATED WORK

In this section, we outline two existing security techniques, which are used to protect sensitive information. The first part presents the SSL/TLS-based information system, which secures communication via open networks. Then, the strong-authentication Kerberos-based information system is discussed.

978-1-4244-2603-4/08/$25.00 © 2008 IEEE

A. SSL/TLS-Based Information System

SSL/TLS are cryptographic protocols that provide secure communication on the internet. Many systems, such as internet banking, e-payment and electronic medical records (EMR), employ the protocols to protect sensitive information from eavesdropping and data interfering threats. The SSL/TLS protocol has three steps: negotiation for cryptography algorithm support, key exchange via RSA [12], Diffie-Hellman [13], or Fortezza [14] using shared large long term keys, and symmetric data encryption. Although SSL/TLS offers a flexible secure tunnel for communication, it also has some drawbacks. In [15], Coarfa et al. implied that although the RSA operations in TLS/SSL consume the largest computational resource, they do not explain the large overheads in computational and communicational resources. Besides performance issues, it also has security problems. The major problem of SSL/TLS is the long term shared cryptographic keys. Once the keys are compromised, the whole system will be vulnerable. As Bard [9] stated, an attacker can use plaintext attacks to break SSL/TLS protocols due to the long term shared keys.

B. Kerberos-Based Information System

Kerberos [3] provides strong authentication to protect sensitive information, such as operating systems and Secure European System for Applications in a Multi-vendor Environment (SESAME) [7]. It uses a Key Distribution Center to authenticate users, and it distributes session keys to both users and servers. In the original design of Kerberos, session key exchange uses long term shared keys. While providing high efficiency and secure authentication, Kerberos has two major drawbacks: (a) it depends on long term symmetric encryption keys for key exchange; (b) it requires clock synchronisation among all parties. Although [4], [5] and [6] have proposed to use public key cryptography to enhance security for key exchange and authentication, the long term shared key is still the weakness of Kerberos-based information systems. In 2006, Cervesato [8] pointed out that a man-in-the-middle attack could break Kerberos-based systems. Furthermore, Habitter and Menasce [5] also pointed out that the public key operations of MPKINIT and MP-PKINIT cause a large overhead that limits their application on mobile devices on wireless networks. In the following part, a secure sensitive information system is proposed to overcome the limitations of the above systems and improve their security.

ATNAC 2008

III. THE PROPOSED SECURE SENSITIVE INFORMATION SYSTEM (SIS)

A. SIS Architecture

The proposed secure SIS consists of Security Guard Server SGS, Key Server KS and Record Tracing Server RTS entities to protect sensitive information. User/Users U can securely access the data from SIS via open networks. In addition, the SIS employs ECC over MQV [11], known as ECMQV, which is an authenticated protocol for key agreement, to exchange the initial secret. The system also adapts a dynamic key generation technique to generate one time keys to secure communication between two parties. Among the entities in the architecture, SGS plays the key role. It controls the verification and authorisation for legitimate U to access the sensitive information system. When U first joins the system, U needs to register with SGS. This registration information is stored in a backend secure database. All the communication between U and SGS via open networks is protected by strong authentication and symmetric cryptography. KS manages all key and token generation, and distributes them to SGS. It only communicates with SGS to dispatch keys or tokens. RTS records all inbound and outbound transactions, such as who has accessed the system, when and from where, and what information has been accessed. The records help the system to trace back what U has done in the system to achieve information non-repudiation. The proposed architecture is shown in Figure 1.

Fig 1: Secure SIS Architecture.

B. SIS Design and Implementation

The Secure SIS consists of a user registration procedure, for the first time U accesses the system, and a transaction procedure to verify U and retrieve sensitive information.

1). Environment Setting: The whole system is divided into a client system and a server system. The server system is built from Java J2SE 1.6 running on a DELL Pentium 4 3 GHz using the Certicom™ Security Builder Crypto-J Platform [10]. The client system runs on either wireless mobile devices (Nokia Communicator 9500) or wired devices (DELL Pentium 4 3 GHz).

2). User Registration Procedure (URP): Only at the first transaction, U needs to register with SIS in order to share a secret S, which is used to generate dynamic keys to secure communication. When SGS receives a registration request from U, SGS starts the ECMQV key exchange [11] process. In the ECMQV key exchange, we assume that U and SGS have possessed their own pair of keys $(W_U, \omega_U)$ and $(W_{KS}, \omega_{KS})$ respectively, based on the same elliptic curve. The URP can be described as follows and is shown in Figure 2:

a. U sends the registration request to SGS.

b. After completion of registration with SGS, KS generates an ephemeral pair of keys $(R_{KS}, r_{KS})$ and sends the public key $R_{KS}$ to U.

c. Upon receiving $R_{KS}$, in return, U generates an ephemeral pair of keys $(R_U, r_U)$ and sends $R_U$ back to KS.

d. KS computes $s_{KS} = \lfloor r_{KS} + \bar{R}_{KS}\,\omega_{KS} \rfloor_p$ and $R_U + \bar{R}_U W_U = s_U P$, where $P$ is the base point of the elliptic curve, $\bar{R}_{KS} = \lfloor x \rfloor_{2^{\lceil f/2 \rceil}} + 2^{\lceil f/2 \rceil}$, $f$ is the bit length of the prime number $p$ of the elliptic curve, and $x$ is the integer obtained by considering the binary representation of $R_{KS}$.

e. U computes $s_U = \lfloor r_U + \bar{R}_U\,\omega_U \rfloor_p$ and $R_{KS} + \bar{R}_{KS} W_{KS} = s_{KS} P$.

f. Both KS and U can calculate the shared secret $S$ ($s_{KS}\, s_U P$).

After generating the first dynamic key, the shared secret S is removed from both entities. Finally, SGS sends a registration status to U.

Fig 2: URP Message Flow

3). Transaction Procedure (TP): After registration with SIS, U is able to access the sensitive information via SGS without asymmetric key systems being employed. Meanwhile, all events that occur in SIS are logged into RTS for non-repudiation purposes. To access the sensitive information, U needs to authenticate itself to SIS using the dynamic key $DK_i$ and retrieves the sensitive data encrypted with $DK_{i+1}$. The message dialogue is shown in Figure 3 and described as follows.

a. When U makes a data query $N_U$ with SIS, U sends its ID $U_{ID}$ together with an encrypted packet to SGS.

$U \rightarrow SGS : U_{ID}, \{N_U, h(U_{ID} + N_U, DK_{i-1})\}_{DK_i}$

b. Upon receiving the packet from U, SGS sends a request through an internal secure channel to KS for getting U's $DK_i$.

$SGS \rightarrow KS : DK_{i}\_Request$

$KS \rightarrow SGS : DK_{i}$

Then the received packet is decrypted to extract the query $N_U$ and a hash value of U's ID and $N_U$. After that, SGS can calculate a new hash value to compare with the extracted hash value. If the two values match, the legitimacy of U is confirmed.

c. After that, SGS sends another request to KS via the internal channel for getting U's $DK_{i+1}$ and retrieves the relevant sensitive data based on $N_U$.

$SGS \rightarrow KS : DK_{i+1}\_Request$

$KS \rightarrow SGS : DK_{i+1}$

d. Then SGS encrypts the retrieved data together with a generated token $h(U_{ID}, data)$ in order to achieve data integrity. Note that, when U and KS generate a new dynamic key $DK_{i+1}$, both entities will remove the previous one $DK_i$.

$SGS \rightarrow U : \{data, h(U_{ID}, data)\}_{DK_{i+1}}$

Fig 3: Transaction Procedure Message Flow

4). Dynamic Key Generation Technique (DKGT): The proposed system employs the limited-used key generation technique [17] with a slight amendment. It dynamically generates the shared secret between U and SIS and takes place in KS. When U first registers with SGS, U and KS generate the shared secret S via the ECMQV key exchange protocol (for details see URP). Note that U can only communicate with SIS via SGS. For example, in the shared secret scenario, SGS manages all incoming encapsulated packets and then forwards them to the proper target servers. In order to generate the dynamic keys $DK_i$, initialization is required.

a. After U and SIS share the secret S, U generates a random integer number $r$ ($r > 1$, $r \in \mathbb{N}$) and transmits it via open networks to SIS.

b. Both U and SIS (KS) generate a set of keys $\{K_i \mid i = 1, \dots, m\}$, where $m > r$, as follows: $K_1 = h(S, S_{r\text{-bit-shift}})$, $K_2 = h(S, K_1)$, …, $K_m = h(S, K_{m-1})$, where $r$-bit-shift stands for the r-bit cyclic shifting of S.

c. U and SIS (KS) then select the keys $K_{Mid1}$ and $K_{Mid2}$ based on $r$, following promissory rules, and compute SIK, where $SIK = h(K_{Mid1}, K_{Mid2})$.

d. Then both entities U and SIS (KS) generate the first dynamic key $DK_1 = h(SIK, S)$. Then both entities remove the secret S.

After initialization, both entities can generate dynamic keys $DK_i$ by using the previous dynamic key $DK_{i-1}$ and SIK for transactions: $DK_2 = h(SIK, DK_1)$, $DK_3 = h(SIK, DK_2)$, …, $DK_n = h(SIK, DK_{n-1})$. In this implementation, the calculation of $DK_i$ from the previous key $DK_{i-1}$ takes place at the beginning of each transaction. After $n-1$ successful transactions, U and SIS follow the ECMQV key exchange protocol to generate a new shared secret S and initialize the dynamic keys again.

5). Secure SIS Application: In our proposed system, U needs to install an application either on a wired computer or a wireless mobile device. Every time a transaction starts, U is required to verify itself to access the application utility. For wireless device users, there is a value-added security mechanism. When U gives incorrect PIN entries, the application will lock itself automatically in order to protect U in case the mobile device is stolen. Also for wireless mobile users, when U gains authorised access to the application, U has the option to choose Wi-Fi, GPRS or EDGE connectivity for the transaction, as shown in Figure 4. After having a network connection, the application will run URP or TP.

Fig 4: Secure SIS Application Flow

IV. IMPLEMENTATION RESULT & DISCUSSION

A. Security Discussion

In this section, we will discuss the security of each component, and then compare the designed and implemented system with SSL/TLS and Kerberos based information systems to show the security strength of the system.

1). Security of DKGT: From the equation $DK_{i+1} = h(SIK, DK_i)$, even if an adversary guesses the dynamic key $DK_i$, he still cannot compute the next dynamic key $DK_{i+1}$, because the security of $DK_{i+1}$ is based on SIK and $DK_i$, and SIK is never involved in communication and cryptographic operations. The only way to calculate SIK is from S and r. However, S is exchanged via the secure ECMQV protocol, which is based on a mathematically hard problem (the discrete logarithm problem). Therefore, the security of the employed dynamic key generation technique depends on the security of elliptic curve cryptography.

2). Security of URP & TP: The procedure of user registration is to initialize the secret S for the user and the system to generate dynamic keys. The secret S is only used once, and then removed from the system. To verify the security of the Transaction Procedure, we take measures of confidentiality, data integrity and non-repudiation. Confidentiality means that only authorized users are able to retrieve sensitive information from the system. TP achieves its confidentiality by using a token $h(U_{ID} + N_U, DK_{i-1})$ and a dynamic key $DK_i$. It is unlikely for an adversary to guess two contiguous dynamic keys successfully. Data integrity refers to the validity of data. It can be compromised through malicious altering and accidental altering. TP uses hash functions to ensure data integrity. When the data is changed, the hash function yields a different result. Non-repudiation can be achieved with the use of DKGT. When the user sends requests for retrieving sensitive information, a token needs to be generated and sent to the system. The token is constructed with a unique dynamic key, which is only known to the user and the system. Therefore, it prevents the user from denying having sent requests. In addition, the token is dynamically generated and only used once, so it eliminates the security threat of sniffing attacks. Furthermore, in our system, RTS records every transaction that occurs in the system. Therefore, the user also cannot deny what he has done in the system based on the nonce token.

3). Security Comparison: Our proposed system has overcome the weaknesses of SSL/TLS and Kerberos-based SIS as illustrated in Table 1.


TABLE 1: THE COMPARISON OF THREE SIS

|  | SSL/TLS | Kerberos | Secure SIS |
| --- | --- | --- | --- |
| Strong Authentication | NO | YES | YES |
| Dynamic Keys | NO | NO | YES |
| Long Term Key Independence | NO | NO | YES |
| Public Key System (RSA or ECC) | RSA | RSA | ECC |
| No critical Key information transferred via open networks | NO | NO | YES |
| Record Tracking | NO | NO | YES |
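The dynamic key generation technique (DKGT, steps b to d) and the chaining equation $DK_{i+1} = h(SIK, DK_i)$ that the security discussion relies on can be traced in code. The following is an added example, not code from the paper: SHA-256 as h, the left direction of the cyclic shift, and the choice of $K_r$ and $K_m$ as $K_{Mid1}$ and $K_{Mid2}$ are assumptions, since the paper does not specify them.

```python
import hashlib

def h(a: bytes, b: bytes) -> bytes:
    """h(a, b) from the paper; SHA-256 over length-prefixed inputs is an assumption."""
    d = hashlib.sha256()
    for part in (a, b):
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()

def cyclic_shift(s: bytes, r: int) -> bytes:
    """r-bit cyclic shift of S as one big-endian bit string (left shift is an assumption)."""
    nbits = len(s) * 8
    r %= nbits
    v = int.from_bytes(s, "big")
    rotated = ((v << r) | (v >> (nbits - r))) & ((1 << nbits) - 1)
    return rotated.to_bytes(len(s), "big")

def initialise(secret: bytes, r: int, m: int):
    """Steps b-d: build K_1..K_m, derive SIK, return (SIK, DK_1)."""
    if not secret or r <= 1 or m <= r:
        raise ValueError("need a non-empty S, r > 1 and m > r")
    keys = [h(secret, cyclic_shift(secret, r))]   # K_1 = h(S, S_{r-bit-shift})
    while len(keys) < m:
        keys.append(h(secret, keys[-1]))          # K_j = h(S, K_{j-1})
    # ASSUMPTION: the paper does not state the selection rule for K_Mid1 and
    # K_Mid2; this example takes K_r and K_m.
    sik = h(keys[r - 1], keys[m - 1])             # SIK = h(K_Mid1, K_Mid2)
    return sik, h(sik, secret)                    # DK_1 = h(SIK, S); S is erased afterwards

def dynamic_keys(sik: bytes, dk1: bytes, n: int):
    """Return [DK_1, ..., DK_n] with DK_{i+1} = h(SIK, DK_i)."""
    chain = [dk1]
    while len(chain) < n:
        chain.append(h(sik, chain[-1]))
    return chain

# Constructed sample values: S stands in for the ECMQV output, r travels in clear.
S = bytes.fromhex("00112233445566778899aabbccddeeff")
user = dynamic_keys(*initialise(S, r=5, m=8), n=4)
server = dynamic_keys(*initialise(S, r=5, m=8), n=4)

if __name__ == "__main__":
    for i, key in enumerate(user, start=1):
        print(f"DK_{i} = {key.hex()}  match={key == server[i - 1]}")
```

Both parties arrive at the same chain from S and r alone, and an observer who learns r and one $DK_i$ still lacks SIK, which is the input the next key depends on.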

TABLE 3 TP TIME CONSUMPTION IN MICROSECOND (µsec)

AES Encryption

User Verification Total Time

14.5
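The token check that SGS performs in step b of the Transaction Procedure, and the one-time property claimed for the token, as an added example that is not code from the paper. It models only the comparison made after decryption (the $\{\dots\}_{DK_i}$ encryption layer is left out); SHA-256 as h, the `UserKeys` record, reading $U_{ID} + N_U$ as concatenation, and keeping $DK_i$ as the next $DK_{i-1}$ are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

def h(a: bytes, b: bytes) -> bytes:
    """h(a, b); SHA-256 over length-prefixed inputs is an assumption."""
    return hashlib.sha256(len(a).to_bytes(4, "big") + a + b).digest()

def id_and_query(user_id: bytes, query: bytes) -> bytes:
    """U_ID + N_U read as concatenation; the length prefix keeps the split unambiguous."""
    return len(user_id).to_bytes(2, "big") + user_id + query

@dataclass
class UserKeys:
    """Hypothetical per-user record held by KS."""
    sik: bytes       # SIK, never sent on the wire
    dk_prev: bytes   # DK_{i-1}
    dk_cur: bytes    # DK_i

def request_token(user_id: bytes, query: bytes, dk_prev: bytes) -> bytes:
    return h(id_and_query(user_id, query), dk_prev)   # h(U_ID + N_U, DK_{i-1})

def verify_and_roll(keys: UserKeys, user_id: bytes, query: bytes, token: bytes) -> bool:
    """TP step b: recompute and compare the token; roll the keys only on success."""
    expected = request_token(user_id, query, keys.dk_prev)
    if not hmac.compare_digest(expected, token):      # constant-time comparison
        return False                                  # state untouched on failure
    # ASSUMPTION: DK_i is kept as the next DK_{i-1}; DK_{i+1} = h(SIK, DK_i).
    keys.dk_prev, keys.dk_cur = keys.dk_cur, h(keys.sik, keys.dk_cur)
    return True

def run_demo():
    """Constructed values: one valid request, then the same packet replayed."""
    sik, dk0 = h(b"constructed", b"SIK"), h(b"constructed", b"DK0")
    server = UserKeys(sik, dk0, h(sik, dk0))
    token = request_token(b"alice", b"record-17", dk0)
    first = verify_and_roll(server, b"alice", b"record-17", token)
    replay = verify_and_roll(server, b"alice", b"record-17", token)
    return first, replay

if __name__ == "__main__":
    print(run_demo())   # the replay fails because DK_{i-1} has moved on
```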
