Efficient Pairing-Free, Certificateless Two-Party ...

Efficient Pairing-Free, Certificateless Two-Party Authenticated Key Agreement Protocol for Grid Computing Amr Farouk and Ali Miri

Mohamed M. Fouad and Ahmed A. Abdelhafez

Department of Computer Science Ryerson University Toronto, Canada {aelemam,samiri}@scs.ryerson.ca

Department of Computer Engineering Military Technical College Cairo, Egypt {mmafoad,ahafez}@ieee.org

Abstract—The most prevalent grid security standard, grid security infrastructure uses an authentication protocol based on public key infrastructure (PKI). Certificateless public key cryptography (CL-PKC) overcomes PKI certificate management problems and is well aligned with grid computing demands. Security and efficiency are the main grid authentication protocol objectives. Practical, efficient CL-PKC-based authentication protocols for real grid environments is widely acknowledged as a challenging issue. Unfortunately, certificateless authenticated key agreement protocols rely on bilinear pairings, which are extremely computational expensive. In this paper, we present a novel pairing-free certificateless two-party authenticated grid key agreement (GPC-AKA) protocol, providing a lighter weight key management approach for grid users. We then propose the first practical GPC-AKA implementation as a proof of concept. We also compare the efficiency of GPC-AKA to other proposed work in the literature. Index Terms—Grid computing, certificateless authenticated key agreement, pairing-free.

I. I NTRODUCTION The identities of grid principals are verified by authentication protocol. This is considered the first line of defence in security. The two main concerns of grid authentication protocols are efficiency and secrecy. Moreover, they must meet the requirements of large scale, distributed, heterogeneous, dynamic grid virtual organizations, that usually span multiple trust domains. Therefore, grid authentication protocols using cryptographically secure mechanisms must tackle the following challenges: i) mutual authentication for multi-domain, scalability and delegation, ii) single sign-on, identity federation and credential confidentiality, and iii) efficiency, lightweight and flexibility [1]. One of the important cryptographic primitives in public key cryptography is the key agreement (KA) protocols. KA protocol allows two or more parties to share a secret session key over a public network, using their exchanged long-term keys and ephemeral messages where no party can predetermine the value of the secret key independently from the contributions of the other parties. Authenticated key agreement (AKA) protocol provides mutual implicit key authentication, to ensure that the key is only shared with the involved parties

ISBN: 978-1-4799-3724-0/14/$31.00 ©2014 IEEE

[2]. KA protocols can be classified based on the following characteristics: i) participating entities: two-party and groups. ii) exchanged messages: three pass, one-round (i.e., two pass), one-way and non-interactive. iii) number of agreed keys: single-key and multiple-keys. For fully secure and efficient grid entities authentication, it is required to design robust AKA protocol with high security, and minimal computational and communication costs. Al-Riyami and Paterson [3] introduced CL-PKC to solve the inherent key escrow problem in identity-based cryptography (IBC). CL-PKC not only preserves all the advantages of IBC, but also avoids the use of certificates. As well, CL-PKC uses a trusted authority called a key generation center (KGC). The later only generates a partial private key given the users’ identities. The users’ private keys are generated by both a partial private key and a secret value chosen by each user. The users’ public keys do not need to be certified, so they are implicitly certified by the partial private key issued by the KGC. Certificateless authenticated key agreement (CLAKA) protocols are based on bilinear pairings where relative computation costs are approximately twenty times higher than that of scalar multiplication over an elliptic curve [4]. The pairing is thus considered an expensive cryptography primitive. Therefore, several CL-AKA protocols, without pairing, have been proposed to improve efficiency. These protocols either have security issues or are not efficient enough to be practical implemented in real environments. Previously, Wang et. al. [5] presented the first grid certificate-less authentication protocol, however it cannot withstand key compromise impersonation attack and key replicating attack. We give an overview of recent secure pairing-free CLAKA protocols, and propose an efficient protocol suitable for practical grids. Although the protocol of Yang et. al. [6] is provably secure, it has a high computational cost (i.e., 9 EC scaler point multiplications). The proposed Debiao et. al. [7] secure protocol will be discussed in Section II-C. This paper introduces a novel secure and efficient pairingfree CL-AKA protocol used in grid computing environments. We propose up to our knowledge the first practical implemen-

279

tation of pairing-free CL-AKA for grid authentication (GPCAKA), and illustrate its effectiveness using the Magma algebraic computational tool. Moreover, we provide performance analysis for the proposed GPC-AKA, and compare it to the most recent provably secure pairing-free CL-AKA protocol. The rest of this paper is organized as follows. CL-PKC fundamental concepts are described in Section II. Our novel pairing-free CL-AKA grid protocol is presented in Section III. Section IV shows the proposed GPC-AKA protocol implementation. Performance analysis comparison to recent pairingfree CL-AKA protocols are introduced in Section V. Finally, conclusions and future work are discussed in Section VI.

B. Riyami and Paterson CL-AKA Scheme Al-Riyami and Paterson presented their notion of certificateless public key cryptography in [3]. A number of two-party CL-AKA protocols have since been proposed to improve the security and efficiency of Al-Riyami and Paterson protocol, but they all include the following two phases: i) setup phase, runs between KGC and entities. It consists of five probabilistic polynomial time (PPT) algorithms: Setup, SetSecretValue, SetPartialPrivateKey, SetPrivateKey, SetPublicKey. ii) key agreement phase. It runs between two entities and based on a PPT interactive algorithm: SessionKeyAgreement. C. Debiao et. al. Scheme

II. P RELIMINARIES OF CL-PKC This section shows the cryptography notations and fundamentals required to grasp CL-PKC, as Section II-A introduces algebraic terminology including the basic fundamentals of the elliptic curve cryptography. Riyami and Paterson CLAKA scheme background is reviewed in Section II-B, then Section II-C shows Debiao et. al. scheme.

Debiao et. al. [7], introduced an CL-AKA without pairing, as shown in Fig. 1, illustrating the key agreement scheme. Client A

𝑡𝐴 𝑇𝐴

A. Background Abelian Group (i.e., Commutative Group): is a set 𝐺 and a binary operation ‘.’ - (𝐺, .) that must satisfy five requirements: closure, associativity, identity element, inverse element, commutativity. Cyclic Group is a group that is generated by a single element called a “generator”, every element of the group can be written as power of some particular element 𝑔 in multiplicative notation or as a multiple of 𝑔 in additive notation. Any finite cyclic group of order 𝑛 is isomorphic to ℤ/𝑛ℤ, the integers modulo 𝑛 with addition as the group operation. Finite Field (i.e., Galois Field) is a field that contains a finite number of elements. The finite fields are classified by size; there is exactly one finite field up to isomorphism of size 𝑝𝑘 for each prime 𝑝 and a positive integer 𝑘. Isomorphism: two mathematical structures are said to be isomorphic if there is a one-to-one mapping of the mathematical elements between them [8]. Elliptic curve (EC) cryptosystems have the potential to provide relatively small block size, high-security public key schemes that can be efficiently implemented [9]. The simplified Weierstrass equation represents 𝐸/𝔽𝑝 as an elliptic curve, 𝐸, over a prime finite field 𝔽𝑝 , in (1). 𝑦 2 = 𝑥3 + 𝑎𝑥 + 𝑏,

∀𝑎, 𝑏 ∈ 𝔽𝑝 , 4𝑎3 + 27𝑏2 ∕= 0.

(1)

A non-singular elliptic curve is a curve that has no cusps or self-intersection. The finite abelian group 𝐺 = {(𝑥, 𝑦) : 𝑥, 𝑦 ∈ 𝔽𝑝 , 𝐸(𝑥, 𝑦) = 0} ∪ {𝒪} denote the set of points on the curve 𝐸/𝔽𝑝 in addition to the point at infinity (i.e., zero element). 𝐺 is a cyclic additive group in which the point addition “+” is defined as: 𝑃 = (𝑥1 , 𝑦1 ), and 𝑄 = (𝑥2 , 𝑦2 ) ∈ 𝐺, where 𝑥1 ∕= 𝑥2 . 𝑃 + 𝑄 = (𝑥3 , 𝑦3 ), where 𝑥3 = 𝜆2 − 𝑥1 − 𝑥2 , 𝑦3 = 𝜆(𝑥1 − 1 𝑥3 ) − 𝑦1 , and 𝜆 = 𝑥𝑦22 −𝑦 −𝑥1 . Scalar multiplication over 𝐸/𝔽𝑝 is then simply computed as: 𝑡𝑃 = 𝑃 + 𝑃 + ⋅ ⋅ ⋅ + 𝑃 (𝑡 𝑡𝑖𝑚𝑒𝑠).

ISBN: 978-1-4799-3724-0/14/$31.00 ©2014 IEEE

∈

=

Client B

∗ 𝑍𝑝 𝑡𝐴 .𝑔

1 𝐾𝐴𝐵 = (𝑡𝐴 + 𝐷𝐴 )(𝑇𝐵 + 𝑅𝐵 + 𝐻1 (𝐼𝐷𝐵 , 𝑅𝐵 )𝑃0 )

𝑀1 = {𝐼𝐷𝐴 , 𝑅𝐴 , 𝑇𝐴 }

𝑀2 = {𝐼𝐷𝐵 , 𝑅𝐵 , 𝑇𝐵 }

2 𝐾𝐴𝐵 = (𝑡𝐴 + 𝑥𝐴 )(𝑇𝐵 + 𝑃𝐵 ) 3 𝐾𝐴𝐵

= 𝑡𝐴 .𝑇𝐵

𝐻2 (𝐼𝐷𝐴 ∥𝐼𝐷𝐵 ∥𝑇𝐴 ∥𝑇𝐵 ∥ 1 ∥𝐾 2 ∥𝐾 3 ) 𝐾𝐴𝐵 𝐴𝐵 𝐴𝐵

𝑡𝐵 𝑇𝐵

∈

=

∗ 𝑍𝑝 𝑡𝐵 .𝑔

1 𝐾𝐵𝐴 = (𝑡𝐵 + 𝐷𝐵 )(𝑇𝐴 + 𝑅𝐴 + 𝐻1 (𝐼𝐷𝐴 , 𝑅𝐴 )𝑃0 ) 2 𝐾𝐵𝐴 = (𝑡𝐵 + 𝑥𝐵 )(𝑇𝐴 + 𝑃𝐴 ) 3 𝐾𝐵𝐴

= 𝑡𝐵 .𝑇𝐴

𝐻2 (𝐼𝐷𝐴 ∥𝐼𝐷𝐵 ∥𝑇𝐴 ∥𝑇𝐵 ∥ 1 ∥𝐾 2 ∥𝐾 3 ) 𝐾𝐵𝐴 𝐵𝐴 𝐵𝐴

Fig. 1. Debiao et. al. key agreement scheme.

The Debiao et. al. protocol is provably secure against a strong adversary model, the extended Canetti-Krawczyk (eCK) model [10]. So it is appropriate for the grid computing environment, but practically it needs to be more efficient. In the next section, we propose a novel pairing-free CL-AKA grid protocol to improve the performance of the Debiao et. al. . We also present a practical implementation for the proposed protocol. III. P ROPOSED G RID PAIRING - FREE CL-AKA In Section III-A, we present a novel secure and efficient pairing-free, certificate-less, two-party authenticated key agreement protocol for grid computing (GPC-AKA). Furthermore, GPC-AKA implementation steps and cryptographic recommendations are provided in Section III-B. A. Proposed Protocol (GPC-AKA) Our proposed secure and efficient GPC-AKA protocol for grid computing [11] has the following properties: (i) Pairing-free, reduces computational costs, and hence is more efficient. (ii) Two-party, due to grid computing environment scalability and dynamic features. (iii) One-round, lessens network overload so is more efficient.

280

User Proxy (UP)

This protocol also uses two proxies: a User Proxy (UP), and a Resource Proxy (RP). A UP is a session manager process given permission to act on behalf of a user for a limited period of time. A RP is an agent used to translate between interdomain security operations and local intra-domain mechanisms [12]. The proxies (i.e., UP, RP) can help to meet frequent mutual authentication requests between users and resources, so support grid single sign on (SSO). A unique node’s registered Distinguished Name (DN) is also assigned from the root to each node to provide cross-trust domain in which each domain comprises one KGC. Before authentication, a trust relationship is built between KGCs in order to share system parameters with each other. Based on the Debiao et. al. ’s protocol, we make the following modifications to achieve a more efficient and secure protocol for the grid computing environment: i) In phase(1), we use the hashing functions

𝑡𝑈 𝑇𝑈

∈

=

Resource Proxy (RP)

∗ 𝑍𝑝 𝑀1 = {𝐼𝐷𝑈 , 𝑅𝑈 , 𝑇𝑈 }

𝑡𝑈 .𝑔

𝐾𝑈 𝑅 = (𝑡𝑈 + 𝐷𝑈 + 𝑥𝑈 )(𝑇𝑅 + 𝑃𝑅 + 𝑅𝑅 + 𝐻1 (𝐼𝐷𝑅 , 𝑅𝑅 , 𝑃𝑅 )𝑃0 ) 𝐻2 (𝐼𝐷𝑈 ∥𝐼𝐷𝑅 ∥𝑇𝑈 ∥𝑇𝑅 ∥ 𝐾𝑈 𝑅 )

𝑀2 = {𝐼𝐷𝑅 , 𝑅𝑅 , 𝑇𝑅 }

𝑡𝑅 𝑇𝑅

∈

=

∗ 𝑍𝑝 𝑡𝑅 .𝑔

𝐾𝑅𝑈 = (𝑡𝑅 + 𝐷𝑅 + 𝑥𝑅 )(𝑇𝑈 + 𝑃𝑈 + 𝑅𝑈 + 𝐻1 (𝐼𝐷𝑈 , 𝑅𝑈 , 𝑃𝑈 )𝑃0 ) 𝐻2 (𝐼𝐷𝑈 ∥𝐼𝐷𝑅 ∥𝑇𝑈 ∥𝑇𝑅 ∥ 𝐾𝑅𝑈 )

Fig. 3. Proposed GPC-AKA key agreement scheme (Phase 2).

GPC-AKA protocol consistency is proved: 𝐾𝑈 𝑅 = (𝑡𝑈 = (𝑡𝑈 = (𝑡𝑈 = (𝑡𝑈

+ 𝐷𝑈 + 𝐷𝑈 + 𝐷𝑈 + 𝐷𝑈

+ 𝑥𝑈 )(𝑇𝑅 + 𝑃𝑅 + 𝑅𝑅 + 𝐻1 (𝐼𝐷𝑅 , 𝑅𝑅 , 𝑃𝑅 )𝑃0 ) + 𝑥𝑈 )((𝑡𝑅 .𝑔) + (𝑥𝑅 .𝑔) + (𝑟𝑅 .𝑔) + (𝑄𝑅 .𝑠𝑔)) + 𝑥𝑈 )(𝑡𝑅 + 𝑥𝑅 + 𝑟𝑅 + 𝑄𝑅 .𝑠)𝑔 + 𝑥𝑈 )(𝑡𝑅 + 𝑥𝑅 + 𝐷𝑅 )𝑔 = 𝐾𝑅𝑈

𝐻1 : {0, 1}∗ × 𝐺 × 𝐺 → 𝑍𝑝∗ 𝐻2 : {0, 1}∗ × {0, 1}∗ × 𝐺 × 𝐺 × 𝐺 → 𝑍𝑝∗ ii) In phase(2), we have embedding the entity’s long term public key 𝑃𝐴 in the key derivation function 𝐻1 . We re1 = duce the shared secret values from three (i.e., 𝐾𝐴𝐵 1 2 2 3 3 , 𝐾𝐴𝐵 = 𝐾𝐵𝐴 , 𝐾𝐴𝐵 = 𝐾𝐵𝐴 ) to one shared secret value 𝐾𝐵𝐴 (i.e., 𝐾𝑈 𝑅 = 𝐾𝑅𝑈 ) with the same security parameters. Our proposed pairing-free certificate-less two party authenticated key agreement for the grid (GPC-AKA) is introduced in two phases, as illustrated in Fig. 2 and Fig. 3, respectively. User Proxy (UP)

KGC Security Parameter 𝐾 K-bit Prime 𝑝

{𝔽𝑝 , 𝐸/𝔽𝑝 , 𝐺, 𝑔} ∗ Master key 𝑠 ∈ 𝑍𝑝

Secure Storage

System Public Key 𝑃0 = 𝑠𝑔

UP’s Identifier 𝐼𝐷𝑈 ∗ UP’s Secret Value 𝑥𝑈 ∈ 𝑍𝑝 𝑋𝑈

=

𝑥𝑈 .𝑔

Long Term Public Key 𝑃𝑈 = 𝑋𝑈

𝐻1 : {0, 1}∗ × ∗ 𝐺 × 𝐺 → 𝑍𝑝 𝐻2 : {0, 1}∗ × {0, 1}∗ × ∗ 𝐺 × 𝐺 × 𝐺 → 𝑍𝑝 Params = {𝔽𝑝 , 𝐸/𝔽𝑝 , 𝐺, 𝑔, 𝑃0 , 𝐻1 , 𝐻2 } 𝑟𝑈

∈

∗ 𝑍𝑝

𝑅𝑈 = 𝑟𝑈 .𝑔 𝑄𝑈 = 𝐻1 (𝐼𝐷𝑈 , 𝑅𝑈 , 𝑃𝑈 ) 𝐷𝑈 = 𝑟𝑈 + 𝑄𝑈 𝑠 mod 𝑝

Long Term Private Key 𝑆𝐾𝑈 = (𝑥𝑈 , 𝐷𝑈 )

Partial private Key (𝐷𝑈 , 𝑅𝑈 )

Fig. 2. Proposed GPC-AKA key generation setup scheme (Phase 1).

ISBN: 978-1-4799-3724-0/14/$31.00 ©2014 IEEE

B. GPC-AKA Implementation Steps and Cryptographic Recommendations 1) Elliptic Curves Over a Finite Field: Two types of elliptic curve domain parameters may be used: i) an elliptic curve over 𝔽𝑝 is defined as prime curve, or ii) an elliptic curve over 𝔽2𝑚 is defined as binary curve. In our GPC-AKA implementation, we use a prime EC, since prime curves are best for software applications. They do not need the extended bit-fiddling operations required by binary curves. In contrast, binary curves are best for hardware applications. They require fewer logic gates than those crypto systems over prime fields [13]. First, arithmetic operations on 𝐸/𝔽𝑝 , determined by some elliptic curve domain parameters, precisely specify an elliptic curve and base point in a six-tuple 𝑇 = (𝑝, 𝑎, 𝑏, 𝑔, 𝑛, ℎ): ∙ an integer 𝑝 specifying the finite field 𝔽𝑝 , ∙ 𝑎, 𝑏 ∈ 𝔽𝑝 specifying an elliptic curve 𝐸/𝔽𝑝 defined by the equation: 𝐸 : 𝑦 2 ≡ 𝑥3 + 𝑎𝑥 + 𝑏 (mod 𝑝), ∙ a base point 𝑔 = (𝑥𝑔 , 𝑦𝑔 ) on 𝐸/𝔽𝑝 , ∙ a prime 𝑛 which is the order of 𝑔, #𝐸/𝔽𝑝 ∙ an integer ℎ which is the co-factor ℎ = . 𝑛 Second, the approximate security level in bits required by the elliptic curve domain parameters. This must be typically an integer 𝐾 ∈ {160, 224, 256, 384, 521}. Elliptic curve domain parameters over 𝔽𝑝 are generated as follows [14]: ∙ Select a prime 𝑝 such that ⌈log2 𝑝⌉ = 2𝐾 if 𝐾 ∕= 256 and ⌈log2 𝑝⌉ = 521 if 𝐾 = 256 to determine the finite field 𝔽𝑝 . ∙ Select elements 𝑎, 𝑏 ∈ 𝔽𝑝 to determine the elliptic curve 𝐸/𝔽𝑝 defined by the equation: 𝐸 : 𝑦 2 ≡ 𝑥3 + 𝑎𝑥 + 𝑏 (mod 𝑝). ∙ Select a base point 𝑔 = (𝑥𝑔 , 𝑦𝑔 ) on 𝐸/𝔽𝑝 , a prime 𝑛 which is the order of 𝑔, and an integer ℎ which is the #𝐸/𝔽 cofactor ℎ = 𝑛 𝑝 , subject to the following constraints:

281

– 4𝑎3 + 27𝑏2 ∕≡ 0 (mod 𝑝), – #𝐸/𝔽𝑝 ∕= 𝑝, – 𝑝𝐵 ∕≡ 1 (mod 𝑛) for any 1 ≤ 𝐵 < 20, – ℎ ≤ 4. One also needs to verify that all elliptic curve domain parameters over 𝔽𝑝 used are valid (i.e., satisfy the arithmetic requirements of elliptic curve domain parameters), either to prevent malicious insertion of insecure parameters, or to detect inadvertent coding or transmission errors. Given 𝑇 = (𝑝, 𝑎, 𝑏, 𝑔, 𝑛, ℎ), elliptic curve domain parameters over 𝔽𝑝 , and an integer 𝐾 ∈ {160, 224, 256, 384, 512}, a grid entities (e.g., UP, RP) can validate elliptic curve domain parameters over 𝔽𝑝 as follows: ∙ Check that 𝑝 is an odd prime such that ⌈log2 𝑝⌉ = 2𝐾 if 𝐾 ∕= 256 and ⌈log2 𝑝⌉ = 521 if 𝐾 = 256. ∙ Check that 𝑎, 𝑏, 𝑥𝑔 and 𝑦𝑔 are integers in the interval [0, 𝑝 − 1]. 3 2 ∙ Check that 4𝑎 + 27𝑏 ∕≡ 0 (mod 𝑝). 2 3 ∙ Check that 𝑦𝑔 ≡ 𝑥𝑔 + 𝑎𝑥𝑔 + 𝑏 (mod 𝑝). ∙ Check that 𝑛 is prime. √ ( 𝑝+1)2 ∙ Check that ℎ ≤ 4, and that ℎ = ⌊ ⌋. 𝑛 ∙ Check that 𝑛𝑔 = 𝒪. 𝐵 ∙ Check that 𝑞 ∕≡ 1 (mod 𝑛) for any 1 ≤ 𝐵 < 20, and that 𝑛ℎ ∕= 𝑝. This step excludes the known weak classes of curves susceptible to the Menezes-Okamoto-Vanstone attack, the Fery-Ruck attack, or the Semaev-Smart-SatohAraki attack. ∙ If the elliptic curve domain parameters have been generated at random, it may also be checked that 𝑎 and 𝑏 have been correctly derived from the random seed. 2) Cryptographic Hash Functions: Hash functions will be used to calculate the hash value associated with an octet string (e.g., SHA-1, SHA-224, SHA-256, SHA-384, SHA512) [14]. The security level associated with a hash function depends on its application. Where collision resistance is not necessary (e.g., key derivation, random number generation and curve generation), the security level is at most the output bit length of the hash function. Key derivation functions will be used to derive keying data from a shared secret octet string (e.g., ANSI-X9.63-KDF, IKEv2-KDF, TLS-KDF, NIST-80056-Concatenation-KDF). 3) Data Types and Conversions: Elliptic curve cryptography schemes involve operations using several different data types as shown in Table I. TABLE I DATA T YPES USED IN E LLIPTIC C URVE C RYPTOGRAPHY. Operation

Data Type

Elliptic Curve Arithmetic Communicate & Store Information Primitives 1

integers, field elements, EC points octet strings bit strings

1

e.g., entity identity

In EC point representation, the normal (𝑥,𝑦) pairs are

ISBN: 978-1-4799-3724-0/14/$31.00 ©2014 IEEE

denoted as affine coordinates. This has disadvantages in performing point addition and doubling (i.e., expensive inverse operations are involved). The normal (𝑥,𝑦) pairs can be represented by the triplet (𝑋,𝑌 ,𝑍), which is called the projective coordinates. At least one of the projective coordinates must be nonzero. Fig. 4 show the rings or fields used in elliptic curve cryptography.

Positive integers 𝑍 + . Prime finite field 𝑍𝑝 or 𝐺𝐹 (𝑝). Elliptic curve over finite field 𝐸/𝔽𝑝 . Cyclic EC subgroup 𝐺 of base point 𝑔 with prime order 𝑛 & cofactor ℎ.

Fig. 4. Elliptic Curve Cryptography Rings/Fields.

Frequently, it is necessary to convert one of the data types into another as shown in Table II. IV. GPC-AKA I MPLEMENTATION In this section, we will propose the first practical implementation for a pairing-free CL-AKA protocol in grid computing. A. Main GPC-AKA Cryptographic Primitives To choose the appropriate tool for implementing the proposed GPC-AKA protocol. First, we determine what are the main GPC-AKA cryptographic primitives as shown in Fig. 5. Prime Number Finite Field Elliptic Curve Cryptography Random (integers/EC points) Scaler Multiplication of EC points Addition of EC points Cryptography Hashing Function

Fig. 5. Main GPC-AKA Cryptographic Primitives Building Blocks.

From the main GPC-AKA cryptographic primitives building blocks, we can infer that the Magma algebra system [8] is the appropriate tool for implementing the GPC-AKA protocol as a proof of concept. Magma is both a computer algebra system and a programming language. B. GPC-AKA Implementation Using Magma We used Magma V2.19-8, on a laptop, with a Intel core 2 duo processor P7350 running at 2 GHz, with 6 GB RAM. The proposed two-party GPC-AKA protocol is described in terms of two phases. In the first phase, 𝐾𝐺𝐶, 𝑈 𝑃 and 𝑅𝑃 apply the setup scheme to establish which options to use, then they employ the key deployment scheme to select key pairs

282

TABLE II DATA T YPES C ONVERSION M ATRIX FOR 𝐸/𝔽𝑝 .

Bit Strings Octet Strings

Integers Field Elements EC Points

1 2

Bit Strings

Octet Strings

Integers

Field Elements

EC Points

– as bit string

pad with 0’s on the left, length multiple of 8 –

as base 256 integer representation

convert to integer

compressed 𝑦-coordinate recovered from leftmost octet, 𝑥-coordinate from octet string remainder 1 leftmost octet removed, 𝑥-coordinate & 𝑦-coordinate recovered from left half & right half of octet string remainder respectively 2

– no conversion required

–

represent in binary (bit string) then convert to octet string convert integer to octet string leftmost octet indicates point compression on/off, contains compressed y-coordinate; octet string remainder contains 𝑥-coordinate 𝑥-coordinate followed by 𝑦-coordinate 2

– 1

point compression on. point compression off.

and exchange public keys. In the second phase, the two parties (i.e., 𝑈 𝑃, 𝑅𝑃 ) simultaneously use the key agreement scheme with corresponding keys as inputs to establish the same keying data. 1) Key Generation Setup Scheme (Phase 1): 𝐾𝐺𝐶 at desired security level 𝐾, determines and validates elliptic curve domain parameters 𝑇 = (𝑝, 𝑎, 𝑏, 𝑔, 𝑛, ℎ) using the primitives specified in Section III-B. 𝐾𝐺𝐶 defines security level 𝐾 (i.e., key bit-length) as input, then chooses a random prime number 𝑝 with 𝐾 bit-length. Then a prime finite field 𝔽𝑝 is selected, and a cryptographic elliptic curve 𝐸 over this prime finite field 𝔽𝑝 is defined using “CryptographicCurve(𝔽𝑝 )”, that generates random elliptic curves over prime finite field until a suitable one with the cryptographic requirements is found. To assure that elliptic curve domain parameters 𝑇 are cryptographically valid, 𝐾𝐺𝐶 uses “ValidateCryptographicCurve(E,g,n,h)” which returns the following output: Finished! Tried 9 curves. Total time: 17.370 E is: Elliptic Curve defined by yˆ2 = xˆ3 + 24493120384482762858486629245015018917871592041475054393444*x + 74429323072648061678361427045520346135291612308513002591970 over GF(76759912277068633562365864129650202491418374600327310695673) Base point (g) is: (13045657679251966494869261518125089719114735172721546773537 : 18901709873516036307994379669489784880273851978829099086286 : 1) Order of base point (n) is: 15037170273437155793639846456396887980954878795988239 Elliptic curve cofactor (h) is: 5104678 Verifying primality of the order of P... true

𝐾𝐺𝐶 randomly selects master key 𝑠, a finite field element with inverse in the cyclic group 𝐺 over elliptic curve 𝐸. Subsequently, it calculates the system public key 𝑃0 . 𝐾𝐺𝐶 selects the cryptographically secure hash function 𝐻1 and key derivation function 𝐻2 as mentioned in Section III-B. In fact, the hashing functions 𝐻1 and 𝐻2 are simply isomorphic (i.e., one-to-one), one-way mappings, that can be implemented using the “hom” Magma function. 𝐾𝐺𝐶 publishes elliptic curve domain parameters 𝑇 , the system public key 𝑃0 , hashing functions 𝐻1 , 𝐻2 and secretly keeps the master key 𝑠. This step will be implemented using message exchanges within the grid environment. 𝐾𝐺𝐶 initiates the key deployment scheme by selecting 𝑟𝑢 and 𝑟𝑟 randomly, then creates 𝑈 𝑃 and 𝑅𝑃 ’s elliptic curve random points 𝑅𝑢 and 𝑅𝑟 , respectively. 𝑈 𝑃 and 𝑅𝑃 establish the elliptic curve long term key pairs (𝑆𝐾𝑈 𝑃 , 𝑃𝑈 𝑃 ) and (𝑆𝐾𝑅𝑃 , 𝑃𝑅𝑃 ), respectively associated with the elliptic curve domain parameters 𝑇 established during the setup procedure. Subsequently, they exchange their

ISBN: 978-1-4799-3724-0/14/$31.00 ©2014 IEEE

public keys 𝑃𝑈 and 𝑃𝑅 . 𝐾𝐺𝐶 converts the x-coordinate of 𝑈 𝑃 ’s elliptic curve random point 𝑅𝑈 and public key 𝑃𝑈 to integers using “ElementToSequence()” and “IntegerRing()!”. Then, it calculates 𝑈 𝑃 ’s partial private key 𝐷𝑈 . Similarly, 𝐾𝐺𝐶 calculates 𝑅𝑃 ’s partial private key 𝐷𝑅 . Finally, phase(1) processing time is calculated using the Magma function “Cputime()”, with output similar to the following: Processing time of phase(1):

17.480 seconds

2) Key Agreement Scheme (Phase 2): 𝑈 𝑃 establishes keying data with 𝑅𝑃 using the keys and parameters established during the setup and the key deployment procedures. 𝑈 𝑃 validates its private key, and chooses a value, 𝑡𝑈 , randomly (i.e., nonce), then calculates 𝑇𝑈 . Similarly, 𝑅𝑃 validates its private key, and calculates 𝑇𝑅 . 𝑈 𝑃 converts the x-coordinate of the system public key 𝑃0 , the values 𝑇𝑈 , and 𝑇𝑅 , to integers. Then, it calculates 𝑈 𝑃 ’s shared secret 𝐾𝑈 𝑅 , converts the x-coordinate of 𝑈 𝑃 ’s shared secret, 𝐾𝑈 𝑅 to integer. Finally, 𝑈 𝑃 calculates the session key 𝑠𝑠𝑢, by applying the key derivation hashing function 𝐻2 , with output similar to the following: UP Shared secret key (ssu) is: 769762818609259661106438071766686739109447\ 4653521521

Similarly, 𝑅𝑃 calculates its shared secret, 𝐾𝑅𝑈 , and session key 𝑠𝑠𝑟, with output similar to the following: RP Shared secret key (ssr) is: 769762818609259661106438071766686739109447\ 4653521521

GPC-AKA protocol implementation validation is done by checking the equality of 𝑈 𝑃 and 𝑅𝑃 shared secrets, which output a binary output such as the following: true

To calculate phase(2) processing time, we are using the Magma function “Cputime()”, with output similar to the following: Processing time of phase(2):

0.010 seconds

V. P ERFORMANCE A NALYSIS The efficiency of an algorithm can be measured in terms of: ∙ execution time (i.e., time complexity), ∙ the amount of memory required (i.e., space complexity). Time complexity analysis for an algorithm is independent of programming language and machine used. One of the time complexity analysis objectives is to compare different

283

VI. C ONCLUSIONS AND F UTURE W ORK algorithms before deciding on which one to implement. Time complexity expresses the relationship between the size of the input and the run time for the algorithm. When comparing two algorithms that perform the same task, we often just concentrate on the differences between algorithms. Simplified analysis can be based on number of: arithmetic operations performed, comparisons made, times through a critical loop, array elements accessed, etc. We analyse the efficiency of our protocol, GPC-AKA, in terms of computational cost and communication overhead as shown in Table III. In this analysis, we consider the computations for a single entity in the key agreement scheme, excluding the pre-computed ones. We compare the performance of our proposed GPC-AKA protocol versus D. He et. al. protocol. TABLE III GPC-AKA E FFICIENCY A NALYSIS . Computational cost

Protocol He et. al. [7] Proposed GPC-AKA 1 2 3

𝑇𝑚𝑢𝑙 1

𝑇𝑎𝑑𝑑 2

𝑇ℎ 3

5 3

3 5

2 2

Message exchange 2 2

EC point multiplication EC point addition hashing

The operations from left to right are ordered from high to low computational cost, respectively. Cryptographic schemes based on ECC rely on scalar multiplication of elliptic curve points. As well, it can be seen that the proposed GPCAKA protocol requires 3 elliptic curve point multiplications (i.e., less than the He et. al. protocol), 5 elliptic curve point additions, 2 hashings, and 2 message exchanges. Hence the GPC-AKA protocol is efficient and can be appropriate for a practical grid computing environment. Table IV shows the analysis of the results of the efficiency comparison between the proposed GPC-AKA protocol and the He et. al. protocol implementations at different security levels (i.e., key bit-length), and shows that GPC-AKA enhances the efficiency at the 192-bit key length by 200%, and the 224and 256-bits key length by 150%, while keeping the memory usage at 32.09 MB. TABLE IV GPC-AKA E FFICIENCY C OMPARISON Proposed GPC-AKA

1 2

K bits

CPU Time

192 224 256

0.01 0.02 0.02

1

Memory 32.09 32.09 32.09

Debiao et. al. Protocol 2

CPU Time

Memory

Speed up

0.02 0.03 0.03

32.09 32.09 32.09

200% 150% 150%

The pairing-free CL-AKA approach can provide significant impacts on grid computing authentication, particularly in scalable and dynamic real grid environments. In this paper, we presented a novel, secure and efficient pairing-free two-party certificate-less authenticated key agreement protocol for grid computing (GPC-AKA). A GPC-AKA practical implementation using Magma algebra system tools is proposed as a proof of concept. The performance analysis comparison indicates that our proposed protocol GPC-AKA is more efficient than the recently provably secure, pairing-free CL-AKA, Debiao et. al. protocol. Our future work will be to simulate the GPC-AKA message exchange in a multi-domain large scale grid environment and to implement the GPC-AKA cross-domain trust relationship. R EFERENCES [1] A. Farouk, A. A. Abdelhafez, and M. M. Fouad, “Authentication mechanisms in grid computing environment: Comparative study,” in IEEE International Conferencce on Engineering and Technology, Oct. 2012, pp. 1–6. [2] G. Manman and Z. Futai, “Provably secure certificateless two-party authenticated key agreement protocol without pairing,” in IEEE International Conference on Computational Intelligence and Security, vol. 2, 2009, pp. 208–212. [3] A. Sattam and P. Kenneth, “Certificateless public key cryptography,” in Springer Journal on Advances in Cryptology-Asiacrypt, 2003, pp. 452– 473. [4] N. Mohamed, M. Hashim, E. Bashier, and M. Hassouna, “Fully-secure and efficient pairing-free certificateless authenticated key agreement protocol,” in IEEE World Congress on Internet Security, 2012, pp. 167– 172. [5] W. Shengbao, C. Zhenfu, and B. Haiyong, “Efficient certificateless authentication and key agreement (CL-AK) for grid computing,” in International Journal of Network Security, vol. 7, no. 3, Nov. 2008, pp. 342–347. [6] Y. Guomin and T. Chik-How, “Strongly secure certificateless key exchange without pairing,” in the 6𝑡ℎ ACM Symposium on Information, Computer and Communication Security, 2011, pp. 71–79. [7] H. Debiao, P. Sahadeo, and C. Jianhua, “An efficient certificateless twoparty authenticated key agreement protocol,” Computers & Mathematics with Applications, vol. 64, no. 6, pp. 1914–1926, Sep. 2012. [8] J. Cannon and W. Bosma, “Handbook of magma functions,” Edition, vol. 2, p. 4350, 2006. [9] J. M. Alfred, O. Tatsuaki, and A. V. Scott, “Reducing elliptic curve logarithms to logarithms in a finite field,” IEEE Transactions on Information Theory, vol. 39, no. 5, pp. 1639–1646, Sep. 1993. [10] L. Brian, L. Kristin, and M. Anton, “Stronger security of authenticated key exchange,” in Provable Security, Lecture Notes in Computer Science, vol. 4784. Springer, 2007, pp. 1–16. [11] A. Farouk, M. M. Fouad, and A. A. Abdelhafez, “Analysis and improvement of pairing-free certificate-less two-party authenticated key agreement protocol for grid computing,” International Journal of Security, Privacy and Trust Management (IJSPTM), vol. 3, no. 1, 2014. [12] I. Foster, C. Kesselman, G. Tsudik, and S. Tuecke, “A security architecture for computational grids,” in Proceedings of the 5th ACM conference on Computer and communications security. ACM, 1998, pp. 83–92. [13] M. Brown, D. Hankerson, J. L´opez, and A. Menezes, Software implementation of the NIST elliptic curves over prime fields. Springer, 2001. [14] Certicom, “Standards for efficient cryptography, sec 1: Elliptic curve cryptography, version 2.0,” May 2009.

key agrement scheme (Phase 2) processing time in seconds memory usage in MBs

ISBN: 978-1-4799-3724-0/14/$31.00 ©2014 IEEE

284