
IEEE Transactions on Consumer Electronics, Vol. 60, No. 4, November 2014

Delegation-Based Robust Authentication Model for Wireless Roaming using Portable Communication Devices

Pardeep Kumar, Member, IEEE, Andrei Gurtov, Senior Member, IEEE, Jari Iinatti, Senior Member, IEEE, and Sang-Gon Lee

Abstract — Wireless networks provide a convenient means of seamless roaming services using portable consumer electronics communication devices (e.g., mobile devices, MDs), but ensuring robust security in wireless roaming is still challenging. To prevent malicious users/MDs from joining wireless roaming services, a secure and robust authentication model that ensures adequate security is highly desirable. This paper exploits the concept of a delegation system and introduces a delegation-based robust authentication model for protecting wireless roaming services from unauthorized users of portable communication devices (MDs). To perform robust authentication, the proposed scheme utilizes biometrics and defends roaming services from popular attacks and frauds. Security analysis is provided to guarantee that the proposed model provides unlinkability and resists denial-of-service and man-in-the-middle attacks.¹

Index Terms — Authentication, biometric, delegation, unlinkability.

I. INTRODUCTION

Wireless networks enable portable mobile devices (e.g., 3GPP) to access roaming services seamlessly when they roam from the home network to the foreign network [1]-[8]. A mobile device transmits and receives data packets over untrusted wireless channels, so anyone (a legal or a malicious user) can eavesdrop on wireless packets and misuse the entire network for their own malicious purposes. One of the main concerns for network service providers and enterprises is how to protect wireless networks from unauthorized/malicious access in roaming environments. Hence, an adequate level of security at an efficient cost is always a prime concern.

¹ The work has been funded by Tekes under project MAMMotH; Academy of Finland projects SEMOHealth and DWHN (Dependable Wireless Healthcare Networks). Pardeep Kumar is with the University of Oulu, P. O. Box 4500, FI-90014, Finland. Andrei Gurtov is with the Helsinki Institute for Information Technology (HIIT), Helsinki, P.O. Box 15600, 00076 Aalto, Finland. Jari Iinatti is with the University of Oulu, P. O. Box 4500, FI-90014, Finland. Sang-Gon Lee is with the Dongseo University, San 69-1, Jurye-2-dong, Sasang-Gu, Busan, S. Korea.

Contributed Paper Manuscript received 10/01/14 Current version published 01/09/15 Electronic version published 01/09/15.

A secure roaming service allows a visited location register (VLR) to verify the authenticity of a visiting mobile device (MD) in collaboration with its home location register (HLR). In recent years, a significant number of secure roaming protocols have been proposed and analyzed (e.g., [1]-[8]). Lee-Yeh proposed a delegation-based authentication system for portable communication systems [1]. The proposed system exploits a public key-based proxy signature and provides user anonymity, non-repudiation and mutual authentication to mobile systems. In this model, a VLR authenticates to the MD after its initial HLR registration. To re-authenticate an MD, offline authentication takes place in such a way that the VLR does not need to contact the HLR. The detailed concept of delegation is presented in [1].

Tang-Wu [2], however, pointed out that Lee-Yeh's protocol is under severe threat from a VLR impersonation attack. Based on elliptic curve cryptography (ECC) and a one-time temporary user identity (ID), Tang-Wu proposed an efficient mobile authentication scheme for wireless networks [2]. The study of Lu et al. [3] demonstrated that Tang-Wu's scheme did not achieve mobile privacy and that the user fails to achieve unlinkability. They then proposed a new privacy-preserving scheme that utilizes a pseudo random function (PRF) to provide privacy to the user [3]. Lee et al. [4] proposed an enhanced protocol, which is based on the scheme of Lee-Yeh, i.e., [1]. Unfortunately, Youn-Lim [5] found that the scheme proposed in [4] cannot protect user privacy even though the protocol considers user identity privacy. To cope with the privacy problems, Youn-Lim [5] improved the security of [4]. In 2012, Tsai et al. stated that most of the proposed schemes (e.g., [1]-[6]) were found to be flawed and vulnerable to a lesser or greater extent [7], and then they proposed a new secure delegation-based authentication scheme for roaming service in wireless networks.
The authors claimed that their protocol resists denial-of-service (DoS) attacks, man-in-the-middle (MITM) attacks and replication attacks, requires less computation cost, and provides user unlinkability [7].

In most of the schemes, the MD is assigned a proxy key for the HLR authorization. To avail itself of roaming services, the MD must register with the local VLR, and the VLR would use the proxy key to encrypt messages. Upon receiving a message from the MD, the VLR can use the HLR's public key to verify the legitimacy of the message and confirm the authenticity of the MD. To establish a session key that will be used in the future messages between the MD and VLR, the authenticity of the VLR needs to be verified for the MD. To execute this task, the VLR forwards the MD's messages to the HLR and initiates the session key process for future communications [8].

Indeed, several secure services and attacks have been addressed in the literature [1]-[8]. However, most of the schemes are designed with similar principles, where an MD can prove its identity to the HLR but the user's real identity is ignored. This is also known as an authenticated device but unauthenticated user. A recent study reveals that the most likely threat to information security is not the typical hacker, virus or worm, but rather malicious insider users [9]. In the existing literature [1]-[8], all security-related parameters are stored on the corresponding MD's SIM card; therefore, insider risks are greater for security breaches in such delegation-based authentication protocols. For instance, assume that a legal but malicious (insider) user takes advantage of a stolen and/or borrowed MD; he/she can use the device for his/her own purposes and impersonate a user without revealing his/her own identity. This can lead to economic fraud and/or losses in some strategic scenarios (e.g., banking, finance, logistics and iCloud). Therefore, to protect roaming services from such cyber insider attacks, delegation-based authentication schemes should rely on a combination of real-user and MD authentication.

Using knowledge-based identification systems (e.g., passwords), numerous two-factor authentication protocols have been proposed for global mobility networks (GLOMONET), e.g., [10], [11]. However, these schemes are not directly suitable to the concept of delegation, where the HLR delegates the signing power to the MD so that secure communication between the MD and VLR can be established.

To address the above issues, this paper proposes a delegation-based robust authentication model for wireless roaming. The proposed scheme utilizes biometrics to perform robust authentication, because biometric identifiers are unique to individuals and more reliable in verifying identity than knowledge-based methods. The simple idea of the proposed model is not only to perform MD authentication but also to verify the identity of the involved user, i.e., whether both the user and the MD are authentic. Security analysis shows that the proposed scheme can defend roaming services from popular attacks and can achieve efficiency.

The rest of the paper is organized as follows. Section II presents the literature review, and Section III describes the proposed scheme. Section IV shows the security and performance analysis. Section V concludes the paper.

0098 3063/14/$20.00 © 2014 IEEE

II. REVIEW OF THE LITERATURES

This section reviews two recently published relevant works, the schemes of Lee et al. [7] and Ou-Hwang [8], and points out the possible risks for such delegation-based authentication protocols. The notations used throughout this paper are defined in Table I.

The scheme of Lee et al. [7] is composed of three phases: setup, online authentication, and offline authentication. In the setup phase, HLR chooses two private keys $x, y \in Z_p$ and computes their public keys $V = xP$ and $W = yP$, respectively. Next, HLR shares a long-term shared key ($K_{HV}$), a private key ($y$) and a public key ($V$) with VLR. Now, HLR computes a proxy key pair $K = rP$ and $\sigma = x + r\,h(K) \pmod{q}$ for each MD, where $r$ is a random number. Each MD's generated proxy key pair ($K$, $\sigma$) is stored in HLR's database. Each MD's proxy key pair ($K$, $\sigma$) and the public key ($W$) are then stored securely on the corresponding MD's SIM card.

TABLE I
SYMBOLS AND DESCRIPTIONS

Symbol                  Description
$p$, $q$                Prime numbers satisfying $q \mid (p-1)$
$g$                     A generator in $Z_p$
$id_U$, $id_V$, $id_H$  Identities of a user (U), VLR and HLR
$E_K[M]$                M is encrypted (E) with symmetric key K
$D_K[M]$                M is decrypted (D) with symmetric key K
$K_{HV}$                Shared key between HLR and VLR
$G$                     A cyclic additive group
$h(\,)$                 One-way hash function, i.e., $h(): Z_p \to Z_p$
$H(\,)$                 One-way hash function, i.e., $H(): G \to Z_p$
$P$                     Generator of the cyclic additive group
HMAC{K, m}              Keyed-hash message authentication code on message m with a key K
$\|$, $\oplus$          Concatenation and Ex-or operation

The online authentication phase is briefly depicted in Fig. 1. For each online authentication session, MD precomputes $h^{(1)}(n_1), \ldots, h^{(n+1)}(n_1)$ and stores them in its own database. Here $n$ is the total number of offline authentications supported by Lee et al.'s scheme.

Fig. 1. Online authentication phase for Lee et al.’s
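
Why a party that holds only the HLR public key $V$ can check a proxy key pair from the setup phase: the derivation below is an added illustration, not part of the paper's text, and assumes that the generator $P$ has order $q$ so that scalars can be reduced mod $q$.

$$\sigma P = \bigl(x + r\,h(K)\bigr)P = xP + h(K)\,(rP) = V + h(K)\,K$$

A verifier therefore accepts $(K, \sigma)$ when $\sigma P = V + h(K)\,K$, without learning the HLR private key $x$ or the random number $r$.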


In the $i$-th offline authentication phase of Lee et al.'s scheme, MD retrieves $h^{(n-i+1)}(n_1)$ from its own database and sends $E_{C_i}[h^{(n-i+1)}(n_1)]$ to VLR. Upon receiving $E_{C_i}[h^{(n-i+1)}(n_1)]$, VLR decrypts the encrypted message, $D_{C_i}[h^{(n-i+1)}(n_1)]$, and computes $h(h^{(n-i+1)}(n_1))$. Next, VLR verifies whether the computed value $h(h^{(n-i+1)}(n_1))$ is the same as the stored value $h^{(n-i+2)}(n_1)$ in its database. If the condition holds, VLR replaces $h^{(n-i+2)}(n_1)$ with $h^{(n-i+1)}(n_1)$, computes the session key $C_{i+1} = h(h^{(n-i+1)}(n_1), C_i)$ and sets $i = i + 1$.

In [8], Ou-Hwang pointed out that the online authentication phase of the schemes proposed in [1]-[7] relies on the HLR (i.e., the HLR is required to be active during the online authentication between the VLR and MD). Therefore, to avoid such intervention of the HLR in the online authentication phase, the authors proposed a double delegation-based authentication and key agreement protocol [8]. Ou-Hwang's scheme is divided into two phases: (i) an online authentication phase and (ii) an offline authentication phase. The authors assumed that two HLR-generated delegation key pairs ($K_1$, $\sigma_1$) and ($K_2$, $\sigma_2$) are assigned to the MD and VLR, respectively. The online and offline authentication phases are briefly illustrated in Fig. 2.
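
The hash-chain check and session-key update of the offline phase described above, as an added Python example (not code from the paper or from the reviewed schemes). Assumptions: SHA-256 stands in for h(), the symmetric encryption under $C_i$ is omitted so the VLR is handed the already decrypted value, the class and function names are hypothetical, and the sample values are constructed.

```python
import hashlib
import hmac

def h(*parts: bytes) -> bytes:
    # One-way hash h(); SHA-256 is an assumption, the paper does not fix h.
    return hashlib.sha256(b"".join(parts)).digest()

def chain(n1: bytes, k: int) -> bytes:
    # h^(k)(n1): h applied k times to the MD's value n1.
    for _ in range(k):
        n1 = h(n1)
    return n1

class MD:
    def __init__(self, n1: bytes, n: int, c1: bytes):
        # Precomputed h^(1)(n1) .. h^(n+1)(n1); links[k-1] holds h^(k)(n1).
        self.links = [chain(n1, k) for k in range(1, n + 2)]
        self.n, self.i, self.C = n, 1, c1

    def next_token(self) -> bytes:
        if self.i > self.n:
            raise RuntimeError("chain exhausted: online authentication needed")
        token = self.links[self.n - self.i]   # h^(n-i+1)(n1)
        self.C = h(token, self.C)             # C_{i+1} = h(h^(n-i+1)(n1), C_i)
        self.i += 1
        return token

class VLR:
    def __init__(self, top: bytes, c1: bytes):
        self.stored, self.i, self.C = top, 1, c1   # top = h^(n+1)(n1)

    def offline_auth(self, token: bytes) -> bool:
        # token is the value recovered by D_{C_i}[.]; encryption is omitted here.
        if not hmac.compare_digest(h(token), self.stored):
            return False                      # stale, replayed or forged link
        self.C = h(token, self.C)             # same update as on the MD
        self.stored, self.i = token, self.i + 1
        return True

def run_demo(n: int = 3):
    n1, c1 = h(b"constructed n1"), h(b"constructed C1")  # constructed samples
    md, vlr = MD(n1, n, c1), VLR(chain(n1, n + 1), c1)
    t1 = md.next_token()
    first, replay = vlr.offline_auth(t1), vlr.offline_auth(t1)
    rest = [vlr.offline_auth(md.next_token()) for _ in range(n - 1)]
    return first, replay, rest, md.C == vlr.C
```

Every input to the VLR's check comes from values stored on the MD, so the check authenticates the device and says nothing about who is holding it.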

Possible risks: In the literature [1]-[8], the authors suggested that all secure parameters are stored on the corresponding MD's SIM card; therefore, the risks of security breaches are greater, as follows.

Stolen/lost devices: Assume that a user's mobile device is lost or stolen; then, using a side channel attack and power analysis attack on the SIM card, the adversary can extract the stored secure parameters [12].

Borrowed device: The likelihood of this risk is much greater for mobile devices than for other devices (laptops, desktops, etc.). Generally, users often allow others to borrow their MDs (e.g., for a call, or to send a short message service (SMS) message) and hand over the MD in an unlocked state to somebody known [13]. Therefore, a legal but malicious user can take advantage of a borrowed MD, use the device for his/her own malicious purposes and impersonate another user without revealing his/her own real identity.

Offline re-authentication risk: Generally, when a user (with an MD) roams into a foreign network, he/she may stay there for a certain period of validity time. However, in the protocols presented in [1]-[8], device authentication is performed, but user re-authentication is ignored in the offline authentication phase. More precisely, suppose that after the user has finished his i-th offline authentication, the user's MD is obtained by the adversary. Now let i
