Wireless Authentication Protocol Keeping Low Computation in Mobile Environment
GIBUN AN, JIN KWAK, DONGHO WON
School of Information & Communication Engineering, Sungkyunkwan University, 300 Chunchun-dong, Jangan-gu, Suwon, Gyeonggi-do, KOREA
Abstract: In this paper, we propose an authentication and key agreement protocol for the mobile environment that requires only one modular exponentiation by both the user (i.e. the mobile device) and the mobile station, without any exchange of certified public keys. Thus both user and mobile station have a low computational load. In addition, the proposed protocol provides them with mutual entity authentication, mutual non-repudiation, and other properties. These characteristics make our protocol easily applicable to M-commerce. The security of the proposed protocol is equivalent to the intractability of the discrete logarithm problem.
Key-Words: mobile Internet service, authentication protocol, key agreement protocol, M-commerce
1 Introduction
Recently, with the wide spread of mobile devices, M-commerce keeps growing in popularity. Many applications can be imagined for M-commerce, such as banking, trading, shopping, lottery, and games. These applications have a common attribute: the mobile device has to pay for services or products. Therefore, an efficient authentication and key agreement protocol for the mobile environment will play an inevitable role in making M-commerce popular. One of the important issues in the provision of security services in mobile communication is the design of the authentication protocol that is executed at the beginning of the call set-up procedure. With a well-designed authentication protocol, the communication partners authenticate each other and agree on a secret session key that is used to secure the subsequent sessions. Since the mobile device was first introduced, the rapid development of new functions, the improvement of services, and the enhancement of the computing power of mobile devices have made M-commerce more profitable and promising. When designing a wireless authentication protocol, we should consider factors such as the properties of the protocol environment and the resources of the protocol entities. Several factors are specific to mobile communication systems. The wireless link between mobile device and station is more vulnerable to attacks than a wired network, and mobile devices are inherently limited in computational capability compared with wired network devices [1]. We also have to consider the security features that should be evaluated in the design of an authentication protocol between mobile device and station in mobile communication systems. These include mutual entity authentication, mutual authenticated key agreement, confidentiality of user identity, mutual non-repudiation, and so on.
The organization of the paper is as follows. In section 2, we describe the requirements of the authentication protocol. In section 3, we propose an authentication protocol that reduces the computational work of both parties, and we analyze the properties of existing protocols. Next, in section 4, we analyze the security of the proposed protocol under several attacker models, and finally we conclude in section 5.
2 Requirement
Before getting into our proposed scheme, we state the basic concerns that we try to address in the mobile environment. In this section, we define them as follows [2]:
1) Entity authentication: The assurance provided to entity U that entity U has been involved in a real-time communication with entity V.
2) Key authentication: Key authentication is the property whereby one party is assured that no other party aside from a specifically identified second party may gain access to a particular secret key.
- Implicit key authentication: the assurance provided to one party that only that party and the second party are possibly capable of computing the session key.
- Explicit key authentication: the property obtained when both implicit key authentication and key confirmation hold. In the case of explicit key authentication, an identified party is known to actually possess a specified key, a conclusion which cannot otherwise be drawn.
3) Key confirmation: One entity is assured that a second (possibly unidentified) entity actually possesses a particular session key.
4) Key freshness: A key used to compute a shared secret value is updated after each execution of the key exchange protocol.
5) Anonymity: Confidentiality of the user identity over the air interface, to prevent an interceptor of air interface communication from learning the mobile user's identity and/or being able to track particular mobile users.
6) Non-repudiation: Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise because an entity denies that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny that such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.
3 Proposed Wireless Authentication Protocol
3.1 System parameter
The definitions of the system parameters used in the proposed protocol are as follows.
- A, U, V : user (i.e. mobile device)
- B, S : mobile station
- E : attacker
- p, q : large primes with q | p − 1
- g : generator of the subgroup of Z*_p having order q
- x_H : entity H's private key
- y_H : y_H ≡ g^{x_H} mod p, entity H's public key
- r_H : a random number generated by entity H
- SK : a session key established between mobile device and mobile station
- E_K(m) : symmetric encryption of m using K
- D_K(m) : symmetric decryption of m using K
- E_{y_H}(m) : asymmetric encryption of m using y_H
- D_{x_H}(m) : asymmetric decryption of m using x_H
- Sig_{x_H}(m) : value m signed by entity H
- Ver_{y_H}(m) : value m verified by another entity
- ID_H : identifier of entity H
- h(m) : result of applying a one-way function h to input m
- PIN : Personal Identification Number
- TID_H : temporary identifier of entity H
- TS_H : time stamp generated by entity H
- SI_AB : secret information generated by the mobile station and shared between entity A and mobile station B
- || : concatenation
3.2 Proposed Protocol
The session key establishment of the proposed protocol is divided into two phases: secret information registration and key distribution.
3.2.1 The phase of secret information registration
In the secret information registration phase, the user connects to the mobile station and shares secret information (PIN, SI_AB) with it. This phase is executed only once, when the user first connects to the mobile station. After it, the key distribution phase is executed and the session is finished. In the following communications (the following key distributions), the registration phase is not executed again; it is repeated only when the secret information is disclosed or compromised. The phase proceeds as follows:
① User A chooses a secret PIN and computes h(PIN) and E_{y_B}(h(PIN), ID_A).
② User A sends the generated value E_{y_B}(h(PIN), ID_A) to mobile station B.
③ Mobile station B decrypts E_{y_B}(h(PIN), ID_A) using x_B: D_{x_B}(E_{y_B}(h(PIN), ID_A)) = h(PIN), ID_A.
④ Mobile station B chooses a secret random number SI_AB ∈_R Z*_{p−1}, computes TID_A = h(h(PIN), ID_A, SI_AB), and archives TID_A, SI_AB, h(PIN).
⑤ Mobile station B encrypts (TID_A, SI_AB) using y_A and sends E_{y_A}(TID_A, SI_AB) to user A.
⑥ User A decrypts E_{y_A}(TID_A, SI_AB) using x_A and computes TID_A' = h(h(PIN), ID_A, SI_AB).
⑦ User A checks TID_A = TID_A', archives TID_A, SI_AB, h(PIN), and sends h(TID_A') to mobile station B.
⑧ Mobile station B checks h(TID_A') = h(TID_A).
[Fig. 1 The phase of secret information registration: message flow between User A and Mobile Station B, as in steps ①-⑧ above]
3.2.2 The phase of key distribution
In the key distribution phase, we propose a protocol that accomplishes secure key distribution using the secret information (PIN, SI_AB). To reduce the computational work, we use Nyberg-Rueppel's digital signature scheme [3].
① User A chooses a random number r_A and generates a time stamp TS_A.
② User A signs r_A, TS_A, and TID_A using x_A: V1 = Sig_{x_A}(r_A, TS_A, TID_A).
③ User A encrypts V1 and TID_A using SI_AB and sends the result together with TID_A to mobile station B: E_{SI_AB}(V1, TID_A), TID_A.
④ Mobile station B identifies TID_A and decrypts the ciphertext using SI_AB: D_{SI_AB}(E_{SI_AB}(V1, TID_A)) = V1, TID_A.
⑤ Mobile station B chooses a random number r_B and generates a time stamp TS_B.
⑥ Mobile station B encrypts V1 using h(PIN): E_{h(PIN)}(V1).
⑦ Mobile station B signs r_B, TS_B, and TID_B using x_B: V2 = Sig_{x_B}(r_B, TS_B, TID_B).
⑧ Mobile station B computes the session key SK = h(E_{h(PIN)}(V1) || V2).
⑨ Mobile station B sends E_{SI_AB}(V2), h(SK) to user A.
⑩ User A decrypts E_{SI_AB}(V2) using SI_AB: D_{SI_AB}(E_{SI_AB}(V2)) = V2.
⑪ User A computes the session key SK' = h(E_{h(PIN)}(V1) || V2).
⑫ User A checks h(SK') = h(SK).
[Fig. 2 The phase of key distribution: message flow between User A and Mobile Station B, as in steps ①-⑫ above]
3.3 Properties of proposed protocol
In this subsection, we analyze the properties of the proposed protocol. The proposed protocol provides mutual entity authentication, mutual anonymity, mutual key freshness and mutual non-repudiation. Also, since the two parties do not need to exchange certificates, the computational work of verifying a certificate is saved. Table 1 shows the properties of the proposed protocol.
3.4 Comparison of existing protocol
In this subsection, we analyze the proposed protocol in comparison with the existing protocols BCY (Beller-Chang-Yacobi) [4], PACS (Personal Access Communication System) [5], 1.5-move [6], and LM [7]. The BCY protocol is a compound of symmetric and asymmetric ciphers and provides user anonymity, key agreement, and exchange of a certificate. But since any entity can impersonate a user or mobile station, the BCY protocol does not provide active impersonation resilience. In the PACS protocol, the user computes a session key using a digital signature and sends the session key, encrypted using the mobile station's public key, to the mobile station. The PACS protocol provides user anonymity, but since it does not provide mutual key freshness, it is vulnerable to replay attack. The 1.5-move protocol does not provide mutual key freshness or mutual non-repudiation, and it has a fatal problem: an attacker who knows a mobile station's private key can impersonate the user without the user's private key. The LM protocol provides user anonymity using signcryption [6]. In that protocol, both parties generate a secret key to protect a message, but the protocol does not provide mutual entity authentication or mutual non-repudiation. Table 2 summarizes the comparison of the existing protocols and the proposed protocol.
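To make the message flow of the key distribution phase of Section 3.2.2 concrete, here is an added Python model of it (example code, not from the paper): toy group parameters P, Q, G, SHA-256 standing in for h, an XOR keystream standing in for E_K (not a real cipher), and a Nyberg-Rueppel signature over h(r, TS, TID) mod p with the signed tuple carried inside the SI_AB-encrypted message, since the toy group is too small for the paper's message recovery of the tuple itself. The function and variable names are ours, the time stamps are constructed as 0, and key_distribution runs both parties' steps ①-⑫ and returns SK only when h(SK') = h(SK).

```python
import hashlib, json, secrets

P, Q, G = 2039, 1019, 4   # toy sizes only: q | p-1 and g generates the order-q subgroup

def h(*parts):            # the paper's one-way function h, modelled with SHA-256
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

def E(key, data):         # stand-in for E_K and D_K (XOR keystream; NOT a real cipher)
    ks = hashlib.sha256(str(key).encode()).digest()
    return bytes(b ^ ks[i % 32] for i, b in enumerate(data))

def sig(x, m):            # Nyberg-Rueppel signature with message recovery [3], m < p
    k = secrets.randbelow(Q - 1) + 1
    r = m * pow(G, -k, P) % P
    return [r, (k + x * r) % Q]

def ver(y, r, s):         # recovers m = r * g^s * y^-r mod p; caller checks it
    return r * pow(G, s, P) * pow(y, -r, P) % P

def signed(x, rnd, ts, tid):   # toy: sign h(r, TS, TID) mod p, ship the tuple alongside
    return [sig(x, int(h(rnd, ts, tid), 16) % P), rnd, ts, tid]

def valid(y, pkt):
    (r, s), rnd, ts, tid = pkt
    return ver(y, r, s) == int(h(rnd, ts, tid), 16) % P

def key_distribution(x_a, x_b, tid_b, a_store, b_archive):
    """a_store = (TID_A, SI_AB, h(PIN)) held by A; b_archive = {TID_A: (SI_AB, h(PIN))} at B."""
    y_a, y_b = pow(G, x_a, P), pow(G, x_b, P)
    tid_a, si_ab, hpin_a = a_store
    # A, steps 1-3: V1 = Sig_xA(r_A, TS_A, TID_A); send E_SI_AB(V1, TID_A), TID_A
    pkt1 = signed(x_a, secrets.randbelow(Q), 0, tid_a)          # TS_A constructed as 0
    ct1, tid_seen = E(si_ab, json.dumps(pkt1).encode()), tid_a
    # B, steps 4-9: look up TID_A, recover V1, build V2, SK = h(E_h(PIN)(V1) || V2)
    if tid_seen not in b_archive: return None
    si_b, hpin_b = b_archive[tid_seen]
    pkt1_b = json.loads(E(si_b, ct1).decode())
    if not valid(y_a, pkt1_b) or pkt1_b[3] != tid_seen: return None
    pkt2 = signed(x_b, secrets.randbelow(Q), 0, tid_b)          # TS_B constructed as 0
    v1_b, v2 = json.dumps(pkt1_b[0]), json.dumps(pkt2[0])
    sk = h(E(hpin_b, v1_b.encode()).hex(), v2)
    ct2, h_sk = E(si_b, json.dumps(pkt2).encode()), h(sk)
    # A, steps 10-12: recover V2, SK' = h(E_h(PIN)(V1) || V2), check h(SK') = h(SK)
    pkt2_a = json.loads(E(si_ab, ct2).decode())
    if not valid(y_b, pkt2_a): return None
    sk_a = h(E(hpin_a, json.dumps(pkt1[0]).encode()).hex(), json.dumps(pkt2_a[0]))
    return sk if h(sk_a) == h_sk else None
```

Because SK is derived from E_{h(PIN)}(V1), a user whose stored h(PIN) differs from the mobile station's archive fails the final check in step ⑫ and gets no key, which is the same dependency on the shared secret that the KCI argument in Section 4 relies on.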
3.5 Computational work
Let us consider the computational work of user and mobile station. The most significant computational cost depends on the number of modular exponentiations. Counting exponentiations, only one is required by each party in our proposal. Table 3 shows the computational work compared with the existing protocols.
4 Security Analysis
1) Can a passive attacker compute the session key between user A and mobile station B? In the proposed protocol, the difficulty for a passive attacker of computing the session key between user A and mobile station B is equivalent to the Diffie-Hellman problem. So the passive attacker cannot obtain the session key if and only if the Diffie-Hellman problem is infeasible.
2) Can an attacker impersonate a user or mobile station? When an attacker tries to impersonate the user/mobile station to establish a session key with the mobile station/user, s/he cannot generate a valid digital signature V1/V2, since s/he knows neither the secret information SI_AB, h(PIN) nor the user's/mobile station's private key.
3) Can a user/mobile station impersonate a mobile station/user? When a user/mobile station tries to impersonate the mobile station/user to establish a session key with the mobile station/user, the user/mobile station cannot generate a valid digital signature V2/V1, since it does not know the mobile station's/user's private key.
4) Is the proposed protocol secure against an active attacker?
- Active Impersonation (AI) resilience: When an attacker tries to impersonate the user/mobile station to request generation of a session key, s/he can neither decrypt the ciphertext received from the mobile station/user nor compute the session key, because s/he does not know the shared secret information SI_AB, h(PIN) or the user's/mobile station's private key.
- Key-Compromise Impersonation (KCI) resilience: Even if an attacker obtains the user's private key, s/he cannot compute the session key, since s/he does not know the shared secret information SI_AB, h(PIN). Therefore an attacker cannot impersonate the user although s/he knows the user's private key. The compromise of the mobile station's private key is handled in the same way as the compromise of the user's private key.
- Forward Secrecy (FS): In the proposed scheme, previous session keys remain protected even if the private keys of both parties are compromised, since the attacker does not know the secret information shared between user and mobile station. So the proposed protocol provides full forward secrecy.
- Known Key Security (KKS): In the proposed scheme, since both entities' random numbers r_A, r_B are included in the session key, even if an attacker obtains a previous session key and key tokens, s/he gains no advantage from that information in computing the present session key. The ability of the adversary with that information is exactly the same as without it. The proposed protocol is secure against both the known key passive (KKP) attack and the known key impersonation (KKI) attack. The result of the security analysis of the proposed protocol is summarized in Table 4.
5 Conclusion
Recently, mobile Internet services have become widely used with mobile devices such as cellular phones and PDAs, and the mobile devices themselves have developed rapidly. With the progress of mobile Internet services, a cryptosystem suited to the mobile environment is needed in order to offer more secure mobile Internet services. Key distribution is an important part of offering a secure mobile service. Several efficient and secure key agreement protocols for the mobile environment have been proposed so far, but the existing protocols need a lot of computational work and cannot provide mutual entity authentication, mutual non-repudiation, and the other properties needed for mobile Internet services, M-commerce, and so on. In this paper, we propose an efficient authentication and key agreement protocol for the mobile environment. The proposed protocol keeps the security of Diffie-Hellman based protocols and reduces the computational work of both user and mobile station. In future work, to reduce the computational work further, we will study elliptic curve and XTR (Efficient Compact Subgroup Trace Representation) cryptosystems.
References:
[1] Vigna, Giovanni, "Mobile Agents and Security", Springer-Verlag, 1998.
[2] Günther Horn, Keith M. Martin, and Chris J. Mitchell, "Authentication Protocols for Mobile Network Environment Value-Added Services", IEEE, Vol. 51, No. 2, 2002, pp. 383-392.
[3] K. Nyberg and R. A. Rueppel, "Message recovery for signature schemes based on the discrete logarithm problem", Eurocrypt '94 proceedings, Springer-Verlag, 1995, pp. 182-193.
[4] M. J. Beller, L. F. Chang, and Y. Yacobi, "Privacy and Authentication on a Portable Communication System", Proceedings of GLOBECOM '91, IEEE Press, 1991, pp. 1922-1927.
[5] JTC, "PACS (Personal Access Communication System) Air Interface Standard", J-STD-014, 1995.
[6] Y. Zheng, "An Authentication and Security Protocol for Mobile Computing", Proceedings of IFIP, 1996, pp. 249-257.
[7] KookHeui Lee and SangJae Moon, "AKA Protocols for Mobile Communication", Australasian Conference, ACISP 2000, LNCS 1841, 2002, pp. 400-411.
[8] Y. Zheng, "Digital Signcryption or How to Achieve Cost(Signature & Encryption)