An Improved Forward Secure Elliptic Curve Signcryption Key Management Scheme for Wireless Sensor Networks

Suman Bala, Gaurav Sharma and Anil K. Verma

Abstract
The concept of forward secrecy is extended to wireless sensor networks, where nodes frequently run out of energy and new nodes join the network. However, a newly joined node should not be able to retrieve the previous session key or other crucial information. In 2011 Hagras et al. proposed a key management scheme for heterogeneous wireless sensor networks which satisfies confidentiality, authentication, integrity and unforgeability but lacks forward secrecy. In this paper, the shortcomings of the victim scheme have been identified and repaired with the help of the elliptic curve discrete logarithm problem (ECDLP). An elliptic curve based signcryption key management scheme has been proposed which includes forward secrecy.

Keywords: Signcryption, Key Management, Forward Secrecy, Wireless Sensor Networks

Suman Bala, Gaurav Sharma, Anil K. Verma
Computer Science and Engineering Department, Thapar University, Patiala, India

1. Introduction
Sensor networks have proved their worth in a wide range of applications such as home automation, monitoring of critical infrastructures, environmental monitoring, forest fire detection, data acquisition in hazardous environments, military operations and many more. The basic security primitives for key management schemes are confidentiality, authenticity, integrity and non-repudiation. Forward secrecy and public verifiability are two more security aspects that need to be addressed. Numerous schemes [2, 4, 5, 6, 7] have been proposed over the years to provide different levels of security and different communication/computational costs. The main objective in security is to optimize the cost of communication and computation. Elliptic curve cryptography [16] has been widely used to attain a desired security level with a smaller key size than conventional security approaches. It leads to better utilization of memory, energy and bandwidth for resource-constrained devices such as wireless sensor networks. Signcryption [1] processes the signature and the encryption together and can lessen the cost of communication and computation to a great extent. Signcryption is a cryptographic process proposed by Zheng [1] to join the functionalities of encryption and digital signature in a single logical step. The author further finds that signcryption costs 58% less in average computation time and 70% less in message expansion than signature-then-encryption based on the discrete logarithm problem [1]. Later, the author proposed two key exchange protocols [2] using signcryption, based on the discrete logarithm problem (DLP), called DKEUN (Direct Key Exchange Using a Nonce) and DKEUTS (Direct Key Exchange Using Time-stamp). But the scheme fails to provide forward secrecy of message confidentiality when the sender's private key is disclosed [7].

Moreover, Zheng and Imai [3] proposed a signcryption scheme based on the elliptic curve discrete logarithm problem (ECDLP), which saves 58% in computational cost and 40% in communication overhead compared with signature-then-encryption on elliptic curves, but it lacks forward secrecy, public verifiability and encrypted message authentication. The previously discussed schemes [2, 3] have one more problem: they cannot be used in applications where third-party validation using a public key is necessary, as is done in signature schemes. A solution is provided by Zheng [4], which introduces an independent judge. But when a dispute occurs the judge cannot verify the signature, as he does not have the private key of the recipient. To overcome this problem Bao and Deng [5] enhanced Zheng's scheme [4] in such a way that verification of a signature does not need the recipient's private key, but the scheme was not as efficient as Zheng's scheme. Gamage et al. [6] also modified Zheng's [1] signcryption scheme in such a way that anyone can verify the signature of the ciphertext, to protect the confidentiality of the message in firewall applications. Jung et al. [7] proposed a signcryption scheme based on the discrete logarithm problem (DLP) with forward secrecy. Later, Hwang et al. [8] proposed a signcryption scheme based on ECDLP, which provides forward secrecy for message confidentiality and public verification along with other basic security notions. When a dispute occurs, the judge can verify the sender's signature without the sender's private key. Kim and Youm [9] proposed two protocols named SAKE (Secure Authenticated Key Exchange) and EC-SAKE (Elliptic Curve - Secure Authenticated Key Exchange). The protocols are efficient in terms of computation complexity and communication performance as compared to DKEUN, DKEUTS and EC-DKEUN, EC-DKEUTS respectively. Zhou [10] proposed a scheme based on ECDLP with public verifiability through a trusted third party without disclosing the private key. Toorani and Beheshti [11] and Elsayed and Hassan [12] proposed schemes based on ECDLP which provide forward secrecy for message confidentiality and public verification. Hamed and Khamy [13] proposed a scheme based on ECDLP for cluster based wireless sensor networks, whereas Hagras et al. [14] proposed a scheme based on ECDLP for heterogeneous wireless sensor networks. Later, Hagras et al. [15] proposed a scheme which is efficient [13] in terms of total number of operations, key storage, energy consumption and communication overhead (75%, 96%, 23.79 mJ and 40% respectively) but fails to provide forward secrecy. The scheme proposed by Hagras et al. [15] satisfies all the security requirements except forward secrecy. In this paper, an improved elliptic curve based key management signcryption scheme has been proposed which provides forward secrecy along with all security requirements. In addition to confidentiality, unforgeability, integrity and non-repudiation, the proposed scheme has been proved to be more secure.

2. Problem Identification and Solution
This section covers the identification of the problem, the proposed solution and the parameters used for elliptic curve signcryption.

2.1 Identification of the Problem
The scheme proposed by Hagras et al. [15] satisfies all the security requirements except forward secrecy. The condition for forward secrecy is: even if the long-term private key of the sender is revealed, the adversary is not capable of decrypting the previously signcrypted texts.

2.2 Proposed Solution
The proposed scheme satisfies forward secrecy along with the basic security requirements. The forward secrecy of the proposed scheme will be compromised only if the attacker can solve the ECDLP, which is computationally infeasible with the selected domain parameters. The proposed scheme has secure key exchange, low storage requirements, scalability and low complexity.

2.3 Elliptic Curve Signcryption Parameters
In this section, we discuss the parameters and their notations, which are used throughout the paper, in Table 1.

Table 1 Parameters public to all
: a large prime
: an elliptic curve over , with and , or , and
: a large prime factor of
: a point with order , chosen randomly from the points on
: a one-way hash function whose output has at least 128 bits
: a keyed one-way hash function
: the encryption and decryption algorithms of a private key cipher

3. Proposed Scheme
This section covers the proposed scheme in detail. The proposed scheme works in three phases, as follows.

3.1 Phase-I: Generation of public/private key
This phase is responsible for creating the public/private key pairs for the Base-Node (B), Cluster-Heads (H) and Cluster-Nodes (N). It creates the BH symmetric keys, which are used for secure communication among the cluster-heads and between the cluster-heads and the base-node. It also creates the HN symmetric keys, which are used for secure communication among the cluster-nodes in the cluster and with the corresponding cluster-head, as shown in Figure 1(a).

A.1: Base-Node generates public/private key pair.
: Base-node (B) chooses its private-key uniformly at random from .
: Base-node (B) computes the public-key, .
A.2: Cluster-Head generates public/private key pair.
Each cluster-head chooses its private-key uniformly at random from , where ; : the number of cluster-heads.
: Each cluster-head computes its public-key, .
A.3: Cluster-Node generates public/private key pair.
Each cluster-node chooses its private-key uniformly at random from , where ; : the number of cluster-nodes.
: Each cluster-node computes its public-key, .
A.4: Cluster-Head sends its public key to Base-Node.
All cluster-heads send their public-key to the Base-node.
A.5: Cluster-Node sends its public key to Cluster-Head.
All cluster-nodes send their public-key to the corresponding cluster-head .
A.6: Base-Node creates BH symmetric key.
Base-node (B) creates the symmetric key which is used for secure communication between the base-node and the cluster-heads, and among the cluster-heads.
A.7: Cluster-Heads create HN symmetric key.
Cluster-heads create the symmetric key which is used for secure communication between the cluster-head and their corresponding cluster-nodes, and among the cluster-nodes within the cluster.

3.2 Phase-II: Base-Node Cluster-Head Key Establishment
This phase is responsible for the base-node cluster-head key establishment, as shown in Figure 1(b). The base-node generates the shared symmetric key for each cluster-head by using their public-keys, signcrypts the symmetric key generated in the first phase and sends it to the cluster-heads, where it is later unsigncrypted by the cluster-head as follows:

B.1: Base-Node generates a shared symmetric key for each cluster-head by using their public-key.
B.2: Base-Node encrypts and signs the BH symmetric key using the shared symmetric key.
B.3: Base-Node sends the encrypted BH symmetric key and its encrypted signature.
B.4: Cluster-Head generates a shared symmetric key using the private key of the Cluster-Head and the received signature.
B.5: Cluster-Head decrypts the BH symmetric key and its signature using the shared symmetric key.
B.6: Cluster-Head verifies the BH symmetric key signature.

3.3 Phase-III: Cluster-Head Cluster-Node Key Establishment
This phase is responsible for the cluster-head cluster-node key establishment, as shown in Figure 1(c). Each cluster-head generates the shared symmetric key for each cluster-node in the corresponding cluster by using their public-keys, signcrypts the symmetric key generated in the first phase and sends it to the cluster-nodes, where it is later unsigncrypted by the cluster-node as follows:

C.1: Cluster-Head generates a shared symmetric key using the public key of the Cluster-Node.
C.2: Cluster-Head encrypts and signs the HN symmetric key using the shared symmetric key.
C.3: Cluster-Head sends the encrypted HN symmetric key and its encrypted signature.
C.4: Cluster-Node generates a shared symmetric key using the private key of the cluster-node and the received signature.
C.5: Cluster-Node decrypts the HN symmetric key and its signature using the shared symmetric key.
C.6: Cluster-Node verifies the HN symmetric key signature.

Algorithm 1: BH Symmetric Key Signcryption/Unsigncryption
Signcryption: The base-node signcrypts the symmetric key using its private key and sends the ciphertext to each cluster-head
1. The base-node chooses
2. 3. 4. 5. 6.
Unsigncryption: The base-node sends the cipher text to each cluster-head and each cluster-head unsigncrypts the symmetric key
7. 8. 9.
10. Accept if and only if G

Algorithm 2: HN Symmetric Key Signcryption/Unsigncryption
Signcryption: The cluster-head signcrypts the symmetric key using its private key and sends the ciphertext to all the cluster-nodes in the corresponding cluster
1. The cluster-head chooses
2. 3. 4. 5. 6.
Unsigncryption: The cluster-head sends the cipher text to each cluster-node and each cluster-node unsigncrypts the symmetric key
7. 8. 9.
10. Accept if and only if G


Fig. 1 (a) Generation of public/private keys (Phase-I), (b) Key Establishment of Base-Node Cluster-Head (Phase-II), (c) Key Establishment of Cluster-Head Cluster-Node (Phase-III)

4. Security Analysis
The concept of forward secrecy proves its importance in wireless sensor networks. If a sensor node runs out of energy and gets replaced with a new node, the new node should not be able to unsigncrypt the previously signcrypted messages. In this paper the flaw of the existing scheme has been brought to notice and repaired. The proposed key management using public key elliptic curves signcryption for WSN provides all security functions: key confidentiality, authentication, integrity and unforgeability but lacks in forward secrecy. The security proof of all the required parameters can be taken directly from the parent scheme. The security of the improved scheme is based upon the elliptic curve discrete logarithm problem (ECDLP), which is computationally infeasible to solve for the specified parameters. The new scheme does not change the storage used for sensor nodes.
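
The forward-secrecy condition of Section 2.1, applied to the Phase-II flow B.1 to B.6, as an added example that is not the paper's Algorithm 1 and not code from its authors: a Zheng-Imai-style signcryption [3], where a leaked sender key lets an observer recompute the session key from a recorded (c, r, s), beside a simplified variant that sends R = vG and hashes the plaintext. Assumptions: secp256k1 and SHA-256 as curve and hash, a toy XOR cipher in place of the private key cipher, hypothetical function names, and both constructions written as textbook-style sketches rather than the exact published algorithms.

```python
import hashlib, secrets

# secp256k1 parameters: an assumption; the page does not give Table 1 values.
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P)
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P)
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):  # double-and-add (not constant time, illustration only)
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(tag, pt, m):  # hash to a scalar mod Q, bound to a point's x-coordinate
    return int.from_bytes(hashlib.sha256(tag + pt[0].to_bytes(32, "big") + m).digest(), "big") % Q
def E(K, data):  # toy XOR cipher keyed by point K; stands in for E/D, at most 32 bytes
    pad = hashlib.sha256(b"enc" + K[0].to_bytes(32, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def keypair():  # private scalar v and public point vG
    v = secrets.randbelow(Q - 1) + 1
    return v, mul(v, G)

def zi_signcrypt(m, va, Pb):  # Zheng-Imai style: s = v / (r + va) mod Q
    v, _ = keypair()
    K = mul(v, Pb)
    r = H(b"mac", K, m)
    return E(K, m), r, v * pow(r + va, -1, Q) % Q

def zi_unsigncrypt(c, r, s, Pa, vb):  # K = s*vb*(Pa + rG) = v*Pb
    K = mul(s * vb % Q, add(Pa, mul(r, G)))
    m = E(K, c)
    return m if H(b"mac", K, m) == r else None
def zi_recover_with_leaked_va(c, r, s, va, Pb):  # needs no vb: v = s * (r + va)
    return E(mul(s * (r + va) % Q, Pb), c)

def fs_signcrypt(m, va, Pb):  # variant: send R = vG; r covers the plaintext
    v, R = keypair()
    r = H(b"sig", R, m)
    return E(mul(v, Pb), m), R, (v + r * va) % Q

def fs_unsigncrypt(c, R, s, Pa, vb):  # K = vb * R, then check sG = R + r*Pa
    m = E(mul(vb, R), c)
    return m if mul(s, G) == add(R, mul(H(b"sig", R, m), Pa)) else None
```

In the variant, v = s - r·va cannot be computed from va alone because r depends on the plaintext. This protects only high-entropy messages such as the transported symmetric keys, since a guessed plaintext can be tested against (R, s).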

5. Conclusion
In wireless sensor networks, forward secrecy is a vital security requirement. In this paper, an elliptic curve based key management scheme has been improved in terms of forward secrecy. The proposed scheme satisfies all the basic security requirements of key management schemes. The security of the proposed scheme can be proved with the help of the victim scheme. The forward secrecy of the proposed scheme will be compromised only if the attacker can solve the ECDLP, which is computationally infeasible with the selected domain parameters.

References
1. Zheng Y., Digital signcryption or how to achieve Cost (Signature & Encryption) ≪ Cost (Signature) + Cost (Encryption), in: Advances in Cryptology, Crypto'97, LNCS 1294, Springer-Verlag, 1997, pp. 165–179.
2. Zheng Y., "Shortened Digital Signature, Signcryption and Compact and Unforgeable Key Agreement Schemes", IEEE P1363a: Standard Specifications for Public-key Cryptography: Additional Techniques, 1998.
3. Zheng Y., Imai H., How to construct efficient signcryption schemes on elliptic curves, Information Processing Letters 68 (1998) 227–233.
4. Zheng Y., "Signcryption and its application in efficient public key solutions", Proc. of ISW '97, LNCS Vol. 1396, Springer-Verlag, pp. 291-312, 1998.
5. Bao F., Deng R.H., A signcryption scheme with signature directly verifiable by public key, in: Proceedings of PKC'98, LNCS 1431, Springer-Verlag, 1998, pp. 55–59.
6. Gamage C., Leiwo J., Zheng Y., Encrypted message authentication by firewalls, in: Proceedings of 1999 International Workshop on Practice and Theory in Public Key Cryptography (PKC'99), 1–3 March, 1999, Kamakura, Japan, LNCS 1560, Springer-Verlag, 1999, pp. 69–81.
7. Jung H.Y., Chang K.S., Lee D.H., Lim J.I., Signcryption schemes with forward secrecy, Proceeding of WISA 2 (2001) 403–475.
8. Hwang R. J., Lai C. H., Su F.F., An efficient signcryption scheme with forward secrecy based on elliptic curve. Journal of Applied Mathematics and Computation (Elsevier Inc.), 167 (2): 870-881, 2005. DOI: 10.1016/j.amc.2004.06.124.
9. Kim R. H., Youm H. Y., Secure Authenticated Key Exchange Protocol based on EC using Signcryption Scheme. Proc. International Conference on Hybrid Information Technology (IEEE Computer Society). 8/06 2006.
10. Zhou X., Improved Signcryption Scheme with Public Verifiability. In Proc. Pacific-Asia Conference on Knowledge Engineering and Software Engineering (IEEE Computer Society). 4/09. 2009.
11. Toorani M., Beheshti A. A., An Elliptic Curve-based Signcryption Scheme with Forward Secrecy. In Journal of Applied Sciences, Vol 9, No. 6, pp. 1025-1035, 2009.
12. Elsayed M., Hasan E., Elliptic Curve Signcryption with Encrypted Message Authentication and Forward Secrecy. In International Journal of Computer Science and Network Security, Vol. 9, No. 1, 2009.
13. Said E. K., Amr I. H., New Low Complexity Key Exchange and Encryption Protocols for Wireless Sensor Networks Clusters based on Elliptic Curve Cryptography. Proceedings of the 2009 National Conference on Radio Science. Cairo, Egypt.
14. Hagras E. A., Aly H. H., Saied D. I., An Efficient Key Management Scheme based on Elliptic Curve Signcryption for Heterogeneous Wireless Sensor Networks. UCST Vol. I, Issue 2, December 2010.
15. Hagras E. A., Aly H. H., Saied D. I., Energy Efficient Key Management Scheme Based on Elliptic Curve Signcryption for Wireless Sensor Networks. 28th NRSC'11, April 26-28, 2011, National Telecommunication Institute, Egypt.
16. Hankerson D., Menezes A. J., Vanstone S., Guide to Elliptic Curve Cryptography, Springer, New York, 2004.