Secure Authenticated and Key Agreement Protocols With Access Control for Mobile Environments Pierre E. ABI-CHAR #
#1
, Abdallah M'HAMED
#2
, Bachar EL-HASSAN
∗3
, Mounir MOKHTARI
#4
Computer and Communication Department, Telecom SudParis (ex. INT) 9 Rue Charles Fourier, Evry, France
[email protected] 2
[email protected] 4
[email protected] 1
∗
Computer and Communication Department, Lebanese University Al Arz street, El kobbeh, Tripoli, Lebanon 3
[email protected]
AbstractThe increasing development and progress in wireless
protocol and propose several authenticated key agreements
mobile communications has attracted an important amount of at-
protocols, each based on different cryptographic assumptions
tention on the security, anonymity and privacy issues. To provide secure communications over un-trusted network, authenticated key agreement protocols are crucial primitive by establishing
including computational problems of a discrete logarithm
(DL),
elliptic curve complexity, the security of one-way
secure session keys. Achieving secure communications between
hash functions and block ciphers which are based on the
communicating entities is an important issue for mobile envi-
complexity of analyzing a simple iterated function of multiple
ronment. Anonymous authentication is a means of authorizing a
rounds, etc. There are two types of authentication, namely,
user without revealing his/her identication. Mobile technologies such PDAs and mobile phone systems are increasingly being deployed in pervasive computing. These mobile devices have
user
authentication
and
shared
key
authentication.
User
authentication is the process where communicating entities
raised public concern regarding violation of privacy, anonymity
are
and information condentiality. Considering these concerns, there
ensures that a shared key is known only to the legitimate
is a growing need to discover and develop techniques and methods
entities. A key-agreement protocol without user authentication
to overcome the threats described above. In this paper we propose several protocols which enhance the authentication, security and access control in mobile computing and yet preserves the
authenticated
in
real
time.
Shared-key
authentication
and shared-key authentication is not secure, leading to many attacks such as replay attack, unknown key shared, resource-
security requirements of the system. Our proposed protocols are
exhaustion,
based on different cryptographic techniques including Elliptic
shared key authentication are needed to be integrated together
Curve techniques, Map-to-Curve function, Weil/bilinear pairing
for providing a robust authenticated key agreement protocol.
techniques and elliptic curve based Identity Schemes. Our proposed protocols achieves many of desirable security requirements including man-in-the-middle attack, dictionary attack, perfect
The term
etc.
Therefore,
both
user
authentication
authenticated key − agreement
and
protocol can be
somewhat misleading in terms of what type of authentication
forward secrecy, etc. Moreover, another comparative study of
a protocol really provides. Many protocols provide shared
our proposed protocols is to provide privacy and Anonymity for
key authentication but not user authentication. For example,
mobile users and to signicantly offer improved performance in
Harn et al. [57], Shim [58], Yen et al. [59], and Wu et al. [60]
computational and communication load over comparably many authenticated key agreement protocol such as B-SPEKE, SRP, AMP, EC-SRP, etc. Index TermsAuthentication, Access Control, WLAN, EC-
provide shared key authentication but not user authentication. The
2-pass
M QV
protocol
[61]
authentication only, while the 3-pass
provides
M QV
shared
key
provides both
Cryptography, Bilinear Pairing, Map-to-Point/Curve Function,
user authentication as well as shared key authentication. In
AVISPA, HLPSL, Identication Scheme, Digital Signature.
this paper, all our 3-pass proposed protocols provide both user and shared key authentication.
I. I NTRODUCTION Authenticated key agreement is a process of verifying
The rest of this paper is as follows. The key management
the legitimacy of communicating parties and establishing
denition and usage are described in section 2. key agreement
common secrets among these parties for subsequent use
desirable properties are outlined in Section 3. Section 4
such as data condentiality, integrity, etc. Authenticated key
provides an outline for the mathematical backgrounds needed
agreement
for our protocols process. Section 5 provides an overview
such
very
important
e-commerce,
for
regarding related work. An application for the protocol in [8] is given in section 6. Our proposed protocol and its security
using multiple cryptographic algorithms which are based
discussion are introduced in Section 7 and 8 respectively.
on various cryptographic assumptions. In This paper, we
Section 9 provides an extension for our protocol proposed
limit our scope to the area of authenticated key agreement
in section 7 by combining authentication and access control
key
internet
systems
constructed
authenticated
wireless,
communication
etc.
An
as
is
agreement
applications,
protocol
is
to provide user authentication and role-based authorization.
loss does not enable an adversary to impersonate other entities
Finally, the paper future work and conclusion are discussed in
to A.
Section 10.
Unknown key-share: Entity A cannot be coerced into sharing a key with entity B without A's knowledge, i.e., when
II. K EY M ANAGEMENT
A believes the key is shared with some entity C
Key establishment refers to the situation where network
6= B ,
and B
(correctly) believes the key is shared with A.
users employ an inter-active protocol to construct a shared secret key called session key. This session key can then be
In
addition,
Identication
protocols
should
have
other
used to achieve some cryptographic goal such as condential
properties
communication channel between entities or data integrity.
round trips and large blocks are critical factors in terms of
There are two kinds of key establishment protocols: Key
communication load and because exponentiations and random
transport protocols in which a key is created by one entity and
numbers are to be critical factors in terms of computation
securely transmitted to the second entity, and Key agreement
load, such properties are listed below:
which
are
related
to
performance.
Because
protocols in which both parties contribute information which jointly establish the shared key [2]. A key agreement protocol is said to provide implicit key authentication if entity A is assured that no other entity aside from a specically identied second entity B can possibly learn the value of a particular secret key. A key agreement protocol which provides implicit key authentication to both entities is called an authenticated key agreement protocol. If both implicit key authentication and key conrmation are provided, then the key establishment protocol is said to provide explicit key authentication. A key agreement protocol which provides explicit key authentication to both entities is called an authenticated key agreement with key conrmation [2]. Apart
from
authentication,
the
other
aspects
of
key
agreement protocols are computational and communication efciency. In key agreement protocols, all users should be able to agree upon a common secret key. The total number of bits exchanged in the protocol is a crucial parameter in judging the efciency of the protocol. Further, in each round, user has to perform some computational like an exponentiation or a scalar multiplication. The total amount of computational required by all the users is another measure of goodness of the protocol.
Computational efciency: this includes the number of operations required to execute a protocol. In order to achieve this property, the protocol should have the minimum number of operation as possible. Communication efciency: This includes the number of passes (message exchanges) and the bandwidth required (total number of bits transmitted). Moreover, to Protect the user privacy and anonymity, we consider the following requirement in cryptography point of view, [4], [5]. Data Condentiality: The private information of ED must be kept secure to guarantee user privacy. The information of
ED
must be meaningless for its bearer even though it is
eavesdropped by an unauthorized
R. ED ED is
Anonymity: Although the data of unique identication information of
is encrypted, the exposed since the
encrypted data is constant. An attacker can identify each ED with its constant encrypted data. Therefore, it is important to make the information of
ED
anonymous.
location Privacy: Neither the system nor the users of the system will be able to know the exact location of a user, unless
III. D ESIRABLE P ROPERTIES FOR KEY AGREEMENT PROTOCOLS:
that user decides to disclose such information or if another person physically sees that user at that location.
A number of desirable properties for key agreement protocols have been identied [3] and nowadays most of the proto-
Data Integrity: If the memory of
ED
is rewritable, forgery
and data modication will happen. Thus, the linkage between
cols are analyzed using these properties which are described
the authentication information and ED itself must be given in
below:
order to prevent the simple copy for
Known-key security: Each run of a key agreement protocol between two entities A and B should produce a unique shared
ED
Mutual Authentication and Reader Authentication: The mutual authentication between
ED
and the back-end authen-
A protocol should still
tication server (ASID ) must be provided as a measure of
achieve its goal in the face of an adversary who has learned
trust. By authenticating mutually, the replay attack the man-in-
some other session key.
middle attack to both ED and
secret key called session key
Ks .
Perfect forward secrecy: If long-term private keys of one or more entities are compromised, the secrecy of previous
also authenticate an illegitimate
R
R
ASID
is prevented.
ASID
must
to avoid the man-in-the-middle attack by
on the insecure channel.
session keys established by honest entities is not affected. Key-compromise impersonation: Suppose that A's long-
IV. P RELIMINARIES:
term private key is disclosed. Clearly an adversary that knows this value can now impersonate A, since it is precisely this value that identies A. However, it may be desirable that this
In this section we briey introduce some mathematical backgrounds necessary for the description of our scheme.
A. Elliptic Curve Cryptography, ECC: Many researchers have examined elliptic curve cryptosystems,
which
were
rstly
proposed
by
Miller
[62]
and
Koblitz [63]. The elliptic curves which are based on the elliptic curve discrete logarithm problem over a nite eld have some advantages than other systems: the key size can be much smaller than the other schemes since only exponentialtime attacks have been known so far if the curve is carefully chosen [64], and the elliptic curve discrete logarithms might be still intractable even if factoring and the multiplicative group discrete logarithm are broken. In this paper we use an elliptic curve
E
dened over a nite eld
Fp .
a
To generate a signature for a message
The elliptic curve The ECEGS runs as follows: The signer selects a random
parameters to be selected [65] and [66] are:
b ∈ Fp ,which dene the 2 3 equation of the elliptic curve E over Fp (i.e., y = x +ax+b 3 2 in the case p ≥ 4, where 4a + 27b 6= 0. 2 -Two eld elements xp and yp in Fp , which dene a nite point P (xp , yp ) of prime order in E(Fp ) (P is not equal to O, where O denotes the point at innity). 3 -The order n of the point P . 1 -Two eld elements
(E, Ya , B, n) and m, the signer will select a random number k , where 2 ≤ k ≤ n − 2 computes r = x(KB)modn. If r 6= 0, then computes s = K −1 (h(m) + xa .r)modn and the signature will be (r, s). To verify the signature, the verier will rst conrm that r −1 and s ∈ [2, n-2] and then computes c = s modn and h(m), then computes t1 = (h(m) ∗ c)modn and t2 = (rc)modn, also the verier computes T = (t1 B + t2 Ya )modn and v = x(T )modn. Finally the verier will accept the signature if and only if (v == r). the public key and the private key are
xa .
and
number
xa ,
where
2 ≤ xa ≤ n − 2,
as his secret key and
avoid the Pollard-rho [67] and Pohling-Hellman algorithms
= xa B . Therefore (E, Ya , B, n) and xa . To generate a signature for a message m, the signer will select a random number k , where 2 ≤ k ≤ n − 2 computes R = kB and computes r = x(KB)modn. If r 6= 0, then computes s = K −1 (h(m) + xa r)modn. The couple (R, s) will be the signer's signature of m. To verify the signature, the verier will rst conrm that r and s ∈ [2, n-2] and then computes v1 = sR and v2 = h(m)B + rYa . Finally the verier will accept the signature if and only if (v1 == v2 ).
for
B. ECDLP-Based Okamoto Identication Scheme:
The Elliptic Curve domain parameter can be veried to meet the following requirements [65] and [66]. In order to the
elliptic
necessary
that
n.
discrete
number
#E(Fp ),
denoted by prime
curve the
of
logarithm
Fp -rational
problem, points
it
on
is
E,
be divisible by a sufciently large
To avoid the reduction algorithms of Menezes,
Okamoto and Vanstone [68] and Frey and Ruck [69], the curve should be non-supersingular (i.e.,
p
should not devide
(p + 1 − #E(Fp ))). To avoid the attack of Semaev [70] on Fp -anomalous curves, the curve should not be Fp -anomalous (i.e., #E(Fp ) 6= p). In the following, we will give an introduction to the ECdiscrete logarithm problem, to Dife-Hellman key exchange based on EC, to the elliptic curve based digital signature algorithm (EC-DSA) and nally to the elliptic curve-based Elgamal signature scheme (EC-EGS).
E be an elliptic curve dened over a nite eld Fp and let P ∈ E(Fp ) be a point of order n. Given Q where Q ∈ E(Fq ), the elliptic curve discrete logarithm problem (ECDLP) is to nd the integer l, 0 ≤ l ≤ n − 1, such that Q = l.P . Let
computes the corresponding public key Ya the public key and the private key are
In this subsection, we briey describe the elliptic curve based
Okamoto
Identication
Scheme.
The
Okamoto
identication protocol is considered secure against active and concurrent attack under the assumption of the hardness of the discrete logarithm problem [1]. The set of system parameters are
(q, F R, a, b, P1 , P2 , n, h). The Prover's secret are (s1 , s2 ) Z = −s1 .P1 − s2 .P2 . the steps of the protocol are:
such that
A prover: the prover picks ri
∈ {0, ....., n − 1}, i = 1, 2 and X = r1 .P + r2 .P to the reader. The reader picks up t a number e ∈ [1, 2 ] and sends it to the prover. The prover computes yi = ri +e.si , i = 1, 2 and sends them to the reader. The Reader checks if y.p + e.Z = X , by computing y1 .P1 + y2 .P2 + e.Z and comparing it to X . if they are equal, then the sends
reader accept else reject. C. Bilinear Pairing: This section briey describes the bilinear pairing, the BDHP and CDHP assumptions. Let
G1
and
G2
denote two groups of prime q, where G1 is
an additive group that consists of points on an elliptic curve, The Dife-Hellman key agreement protocol runs as follows: The rst party selects a random number
Ya = na B ,
he sends
Ya
the second entity computes
na
and
G2
is a multiplicative group of a nite eld. A bilinear
and computes
pairing is a computable bilinear map between two groups,
to the second party. Similarly,
which could be the modied weil pairing or the modied
Y b = nb B
Tate
and sends
Yb
to the
pairing
[71],
[72].
rst party. Finally the two parties generate the same key
within this paper, we let
K = na Yb B = nb Ya = na nb B .
e : G1 × G1 −→ G2 ,
The ECDSA runs as follows: The signer selects a random number
xa ,
where
2 ≤ xa ≤ n − 2,
as his secret key and
computes the corresponding public key Ya
= xa B .
Therefore
e
For
our
proposed
architecture
denote a general bilinear map
which has the following four properties:
∗ 1 -Bilinear : if P , Q, R ∈ G1 and a ∈ Zq , e(P + Q, R) = e(P, R).e(Q, R), e(P, Q + R) = e(P, Q).e(P, R) a and e(aP, Q) = e(P, aQ) = e(P, Q) .
2 -N on − degenerate: There exists P, Q ∈ G1 , such that e(P, Q) 6= 1. 3 -Computability : There exist efcient algorithms to compute e(P, Q) for all P, Q ∈ G1 . −1 4 -Alternative: e(P, Q) = e(Q, P ) .
Seo et al. [28] proposed a simple authenticated key agreement protocol
(SAKA)
for wireless mobile communications. The
proposed protocol required 3 rounds in order to establish authentication process and to agree on the secret session key. However,
SAKA
protocol, as listed in [29], [30] , is
vulnerable to impersonate attack and does not provide perfect Denition 1 -The bilinear Dife-Hellman problem (BHDP) for
a
bilinear
pairing
is
dened
P, aP, bP, cP ∈ G1 , where a, b and ∗ abc from Zq , compute e(P, P ) ∈ G1 .
as
follows:
Given
c are random numbers
forward secrecy nor identity authentication. In an
anonymous
authentication
protocol
was
2001
[31] ,
proposed
for
mobile devices to roam anonymously on distributed wireless networks. Their protocol is targeted to protect the mobile
BDHP assumption: The BDHP problem is assumed to be hard,
device's identity from all entities other than its home server
that is, there is no polynomial time algorithm to solve BDHP
and the visiting foreign server. However, according to [32] ,
problem with non-negligible probability.
it is found that a malicious foreign server which is not
Denition 2 -The computational Dife-Hellman problem
serving the mobile device can launch an impersonate attack
(CDHP) is dened as follows: Given P, aP, bP ∈ G1 , where ∗ a and b are random numbers from Zq , compute abP ∈ G1 . CDHP assumption: There exists no algorithm running in
to reveal the mobile device's identity. Most password-based
polynomial time, which can solve the CDHP problem with
of a low-power device makes these schemes not suitable
non-negligible probability.
for imbalanced wireless networks because of the modular
A trusted Key Generation Center (TKGC) chooses two order
G1
group
and
G2 .
Next
h
cryptography hash function denoted by
TKGC
selects
a l
h : {0, 1} s ∈ Zq∗ as its = sG, where G
where
for some l. Then it picks a random number
Ppub
private key and compute its public key is a generator of For a user maps
IDi
Ui
Hellman key exchange protocol. However, the limitations
exponential operations.
D. MapToPoint/Curve Function:
prime
authenticated key exchange protocols are based on Dife-
G1 .
In
2002
[33] , Zhu et al. proposed a password-based
authenticated key exchange protocol based on RSA with short public exponents. Their protocol run challenge-response protocol to establish the session secret key. Zhu et al. claimed that the protocol is efcient for low-power devices in wireless networks and is secure against dictionary attacks. However,
whose identication information is IDi , TKGC
onto a point on
G1
M apT oP oint.
using the
The
MapToPoint Algorithm [71]:
Bao [34] pointed out that the password protocol of Zhu et al. is subject to ofine dictionary attack if entity's identity is too short. In [35] Yeh et al. proposed a notion of security against undetectable on-line password guessing attack and argued
Let
p
a prime such that
p = 2(mod3)
and
p = 6.q − 1.
Let
that Zhu et al.'s protocol is insecure against this undetectable
E be a supersingular curve
attack. Moreover, Yeh et al. proposed an improved protocol
y0 = H(ID) and x0 = (y02 − 1)2.p−1 (modp) ∗ 2 -Let Qi = (x0 , y0 ) ∈ E/F p2 , and set QID = 6.Qi . Then QID has order q as required.
to defend against this attack. In [36], [37] , Zhang pointed
1 -computes
out that Zhu et al.'s protocol is vulnerable to some form of off-line dictionary attacks. Recently, [38], [39], [36], [40], [41], [42]
pointed out that Yeh et al.'s improvement is
vulnerable to the off-line dictionary attack. To avoid off-line
V. R ELATED W ORK
dictionary attack existed in Yeh et al.'s improved protocol, Lo
Key agreement is one of the fundamental cryptography
[38] and Yang-Wang [39] proposed two improved protocols.
primitives. This required in situations where two or more
However, in [43]
parties want to communicate securely among themselves.
protocol is still vulnerable to an active off-line dictionary
Key
attack and the Yang-Wang protocol is vulnerable to a passive
agreement
protocols
fall
authenticated
and
cryptographic
authentication
naturally
unauthenticated. schemes
A
into wide
and
two
classes
variety
protocols
of
authors pointed out that the Lo proposed
off-line dictionary attack.
have
been developed to provide authenticated key agreement to prevent man-in-the-middle, replay attack, etc.
In
2002,
Chien
et
al.
[44]
proposed
a
remote
user
authentication scheme using smart cards. Chien et al. claimed that their proposed scheme has the merits of providing mutual
Basic
Related
Work:
The
rst
two-key
agreement
authentication,
freely
choosing
password,
no
verication
protocol was introduced by Dife-Hellman in [25] . It is
table, and involving only a few hashing operations instead of
an unauthenticated protocol in the sense that an adversary
the costly modular exponentiations. In 2004, Ku et al. [45] ,
who has control over the channel can use man-in-the-middle
however, pointed out that Chien et al.s scheme is vulnerable
attack to agree upon two separate keys with the two users
to a reection attack, insider attack, guessing attack and is
without the users being aware of this. This was modied into
not reparable once a users permanent secret is compromised.
an authenticated key agreement protocol by Matsumoto et al.
Ku et al. also proposed an improved scheme to resolve
[26] , which was in turn showed to be insecure [27] . In 1999,
these security pitfalls. Nevertheless, in 2004, Yoon et al.
[46]
showed that Ku et al.s scheme is still susceptible to
parallel session attack and is insecure for changing the users
performances and it establish a shared secret key K between the two entities.
password, and also proposed an enhancement to Ku et al.s In addition to a complete security analysis presented in their
scheme to overcome such problems.
paper [6], authors compare their proposed protocols SAKAshowed that both
v1 and V2 with the following protocols: Leakage-Resilient
Ku et al.s scheme and Yoon et al.s scheme were vulnerable
Authenticated Key Exchange (LR-AKE) protocol [12], Simple
to
service
Key Agreement (SKA) protocol [13], Secure Remote Pass-
attack, as well as inefciency in password authentication. By
word (SRP) protocol [14], Simple Password Exponential Key
introducing the two-variant hashing operation, Wang et al.
Exchange (B-SPEKE) protocol [15], Password-Authenticated
proposed an improved scheme to keep the merits of original
Key Exchange (PAK-X [17] and PAK-RY [16]) protocols and
schemes that can be easily realized in the practical resource
Authentication Memorable Password (AMP) protocol [18].
limited
improved
The comparison is done in terms of number of steps, random
scheme does not provide perfect forward secrecy and is still
numbers, exponentiations, hash functions and large blocks.
vulnerable to a guessing attack and Denning-Sacco attack.
Table I shows the compared result for number of steps,
Accordingly to [48] , authors demonstrate that Wang et
exponentiations and large blocks. Table II shows the compared
al.s scheme does not provide perfect forward secrecy and
result for random numbers and hash functions numbers
Thereafter, in 2007, Wang et al. [47] a
guessing
attack,
environment.
forgery
attack
However,
Wang
and
et
denied
al.s
is susceptible to the guessing attack and Denning-Sacco attack.
TABLE I C OMPARISON
To simply the
P KI
OF
system, authors in [49] have introduced
P ERFORMANCE-1Exponentiations
the new idea of ID-Based systems. The advantages of ID-
Protocol
Rounds
C
S
Total
L. B.
Based cryptosystems is that it simplies the key management
B-SPEKE
4
3
4
7
3
process which is a heavy burden in PKI based cryptosystems.
SRP
4
3
3
6
2
The
AMP
4
2
3
5
2
PAK-RY
3
5
4
9
2
PAK-X
3
5
4
9
3
SKA
3
2
3
5
2
that Smart's protocol do not provide full forward security
LR-AKE
3
3
2
5
2
and proposed his own protocol. Nonetheless, Shim's protocol
SAKA-v1
3
3
2
5
2
still suffers from an important security aw because it is not
SAKA-v2
3
2
2
4
2
rst
ID-based
authenticated
key
agreement
scheme
based on Weil pairing was introduced by Smart [50] Shamir's ID-based concept. However, Shim [51]
using
pointed out
protected against the man-in-the-middle attack [52] . In 2004, Ryu et al. [53]
It is clear from Table I that the SAKA protocol has the
proposed a new ID-based protocol which is
minimal cost in terms of number of steps, exponentiations and
more efcient requiring only one pairing computation and
large blocks compared with the previous protocols. It can be
two point multiplication. However, Yaun et al. [54]
pointed
easily noticed that B-SPEKE, SRP and AMP require 4 rounds
out that the protocol is insecure under the key compromise
while PAK-RY, PAK-X, SKA, LR-AKE and SAKA (v1 and
impersonate attack.
v2) require 3 rounds. In addition, the computational load was clearly improved using SAKA-v2 protocol because, as noted
Aydos et al. [55] proposed an ECC-based authentication key
agreement
protocol
for
wireless
communications.
in table 2, SAKA-v2 requires four exponentiations, two for
In
the client and two for the server, while the other protocols,
their protocol, they used ECDSA and Dife Hellman Key
including SKA and LR-AKE, require at least 5 exponentia-
agreement to provide authentication and to obtain a session
tions. Although SAKA-v1 requires 5 exponentiations, it shows
key for later communications. Because their protocol is based
better performance. The SAKA-v1 shows better performance
on ECC, the protocol is suitable for mobile devices in which
in terms of computational load over B-SPEKE, SRP, PAK-
the computational power is low. However, Sun et al. [56]
RY, PAK-X and it is equal with SKA and LR-AKE. SAKA-
demonstrate that Aydos et al.'s ECC-based protocol do not
v1 shows better performance over SKA because there is no
achieve forward security, known-key security and mutual
revealed data as the case with SKA where
authentication.
are sent in clear-text.
XA , XB
and
W
From Table II, it can be easily noticed that the SAKA Closely Related Work: In [6], ABI-CHAR et al. present a
(v1 or v2) protocol requires 2 random numbers and 9 hash
new and efcient three-pass authenticated key establishment
functions while PAK-X requires more. SAKA (v1 or v2)
protocol that provides secure mutual authentication and key
also requires two more hash functions than SKA protocol
agreement with key conrmation. Their proposed protocol, namely
SAKA
is based on the challenge and response
in the Secret-key setting
due to the two necessary
to
M AC
bring
computations of
more
security
and
Kh
which were
robustness
to
our
[1], [2], on KAS (Simplied
proposed protocol. In addition, for the SRP and LR-AKE
Station-to-Station) scheme [1], [2] and on the Dife-Hellman
protocols, it can be easily noticed that the proposed protocols
Key Predistribution
[1], [2]. According to [6], the proposed
(v1 or v2) requires one more hash function because, from
protocol achieves the desirable security requirements and
SRP and LR-AKE schemes, the two entities did not agree
TABLE II C OMPARISON
OF
TABLE IV
P ERFORMANCE-2-
C OMPARISON
OF
P ERFORMANCE-2-
Protocol
Random N.
Hash Function N.
Protocol
Random N.
Hash Function N.
SRP
2
6
SRP
2
6
AMP
2
9
AMP
2
9
PAK-RY
3
8
PAK-RY
3
8
PAK-X
3
10
PAK-X
3
10
SKA
2
7
SKA
2
7
LR-AKE
2/4
6
LR-AKE
2/4
6
SAKA-v1
2
9
EC-AKE
2
6
SAKA-v2
2
9
EC-SRP
3
5
EC-SAKA
2
5
Ks ,
on a common session key
as in the case of proposed
protocols; SRP and LR-AKE just agreed on the shared key K .
protocol requires 2 random numbers and 5 hash functions while
In [7], ABI-CHAR et al. proposed another new and efcient ECDSA-based
three-pass
protocol, namely
the
other
protocols
require
more.
In
addition,
establishment
it can be easily noticed that our protocol is better then
that provides secure mutual
these two protocols in terms of hash functions numbers.
authenticated
EC − SAKA,
all
for the EC-SRP and EC-AKE protocols described in [19],
key
authentication and key agreement with key conrmation. The
For
EC-SAKA is based on the Elliptic Curve Cryptography [1],
protocol was proposed for a one way authentication while our
on
SKA
(Simple Key Agreement) protocol
the assumption that the
ECC
[13] and on
the
EC-SRP
protocols
described
in
[20],
EC-SRP
proposed protocol, EC-SAKA, provides mutual authentication.
discrete logarithm problem is
secure [1]. The proposed protocol achieves many of desirable
Moreover, ABI-CHAR et al. [8] proposed another new and efcient key agreement authentication protocol namely
security requirements and performances.
EGS −SAKA. In addition to providing mutual authentication In addition to a complete security analysis presented in their
and key conrmation between the client, their proposed
SKA
paper [7], authors also compare the proposed protocol with
protocol applies the EC-EGS to the
the same protocols used in [6], with EC-SRP, and nally with
enhancing the safely level and protocol simplication in terms
[13] protocol for
EC-AKE [19]. The comparison is done in terms of number of
of computational and communications load. In the following,
steps, random numbers, exponentiations and hash functions.
we will briey describe the proposed protocol:
Table III shows the compared result for number of steps and exponentiation. Table IV shows the compared result for
where
TABLE III C OMPARISON
OF
Within the rst: ow, Bob chooses a random challenge b,
1 ≤ b ≤ n − 1, then he calculates the B = b ∗ P + Q. Finally he sends B to Alice.
random numbers and hash functions numbers.
point
B
where
Within the second ow:, Alice chooses a random challenge
P ERFORMANCE-1Exponentiations
Protocol
Rounds
Client
Server
Total
B-SPEKE
4
3
4
7
SRP
4
3
3
6
AMP
4
2
3
5
PAK-RY
3
5
4
9
PAK-X
3
5
4
9
a, where 1 ≤ a ≤ n − 1, then computes A where A = a ∗ P = (xA, yA) and calculates α where α = a(B − Q) and K = Q + α. In addition, Alice calculates r = (xA) mod(n) and computes i = a^{-1}(h(α) + x ∗ r) mod(n). Finally (A, i) becomes the signature pair and Alice transfers A and i to the server.

Within the third flow, Bob computes β = b ∗ A and K = Q + β, computes r = xA mod n, computes v1 = i ∗ A and v2 = (h(β)P) + r ∗ Q. Finally, Bob checks if (v1 == v2); if so, Bob authenticates Alice and Bob can be confirmed that Alice has actually established the same shared session key. Then Bob computes YB = h(β) and finally he sends YB to Alice.

In order to authenticate Bob, Alice will compute YA = h(α) and then Alice will verify the value of YA by checking that (YA == YB); if they match, then Alice authenticates Bob and Alice can be confirmed that Bob has actually established the same shared session key with her.

Finally, Alice and Bob agree on the common session key Ks where Ks = h(ID(Alice)||ID(Bob)||K). Both sides will agree on the session key Ks if all steps are executed correctly. Once the protocol run completes successfully, both parties may use Ks to encrypt subsequent session traffic in order to create a confidential communication channel.

TABLE III
Protocol   Rounds   Exponentiations (Client / Server / Total)
SKA        3        2 / 3 / 5
LR-AKE     3        3 / 2 / 5
EC-AKE     4        2 / 2 / 4
EC-SRP     3        2 / 2 / 4
EC-SAKA    3        1 / 1 / 2

It is clear from Table III that the EC-SAKA protocol has the minimal cost in terms of number of steps and exponentiations compared with other protocols. It can be easily noticed that B-SPEKE, SRP, EC-AKE and AMP require 4 rounds while PAK-RY, PAK-X, SKA, LR-AKE and EC-SAKA require 3 rounds. In addition, the computational load was clearly improved using the EC-SAKA protocol because, as noted in table 2, EC-SAKA requires two exponentiations, one for the client and one for the server, while the other protocols, including SKA, LR-AKE, EC-AKE and EC-SRP, require at least 4 exponentiations. From Table IV, it can be easily noticed that the EC-SAKA
In addition to a complete security analysis presented in their paper [8], the authors compare the proposed protocol with the following protocols: Leakage-Resilient Authenticated Key Exchange (LR-AKE) protocol, Simple Key Agreement (SKA) protocol, Secure Remote Password (SRP) protocol, EC-SRP, Simple Password Exponential Key Exchange (B-SPEKE) protocol, Password-Authenticated Key Exchange (PAK-X and PAK-RY) protocols, Authentication Memorable Password (AMP) protocol and with the protocols presented in [6] and [7]. The comparison is done in terms of number of steps, random numbers, exponentiations and hash functions. Table V shows the compared result for number of steps and exponentiations. Table VI shows the compared result for random numbers and hash function numbers.

TABLE V
COMPARISON OF PERFORMANCE -1-
Protocol   Rounds   Exponentiations (Client / Server / Total)
SRP        4        3 / 3 / 6
EC-AKE     4        2 / 2 / 4
EC-SRP     3        2 / 2 / 4
SAKA-V2    3        3 / 2 / 2
SAKA-V1    3        2 / 2 / 2
EC-SAKA    3        1 / 1 / 2
EGS-SAKA   3        1 / 0 / 1

It is clear from Table V that the EGS-SAKA protocol has the minimal cost in terms of number of steps and exponentiations compared with the above protocols. It can be easily noticed that B-SPEKE, SRP, EC-AKE and AMP require 4 rounds while PAK-RY, PAK-X, SKA, LR-AKE and EGS-SAKA require 3 rounds. In addition, the computational load was clearly improved using the EGS-SAKA protocol because, as noted in table V, EGS-SAKA requires 1 exponentiation, one for the client and nothing for the server, while the other protocols, including SKA, LR-AKE, EC-AKE and EC-SRP, require at least 4 exponentiations.

TABLE VI
COMPARISON OF PERFORMANCE -2-
Protocol   Random N.   Hash Function N.
SRP        2           6
EC-AKE     2           6
EC-SRP     3           5
EGS-SAKA   2           5

From Table VI, it can be easily noticed that the EGS-SAKA protocol requires 2 random numbers and 5 hash functions while all the other protocols require more. In addition, for the EGS-SRP and EC-AKE protocols described in [19], it can be easily noticed that their protocol is better than these two protocols in terms of hash function numbers. For the EC-SRP protocol described in [19], the EC-SRP protocol was proposed for a one-way authentication while our proposed protocol, EGS-SAKA, provides mutual authentication.

VI. PROTOCOL APPLICATION

In this section, our proposed protocol [8] is applied to two application scenarios. In the first scenario, the protocol is applied to improve the A-key distribution in 3GPP2 networks, while in the second scenario the protocol is applied to wireless LAN, IEEE 802.11i, in order to provide more robust WLAN communications.

1) Application To 3GPP2: According to [11], there are several proposed approaches for A-Key generation and distribution. The Over the Air Service Provisioning (OTASP) is the preferred approach by 3GPP2. The A-Key generation and renewal procedure takes place between a Mobile Subscriber (MS) and its home network represented by the Authentication Center (AC). In addition, the basic Diffie-Hellman key exchange mechanism is used and 16 messages are needed. Moreover, the method is not completely secure since it is subject to a man-in-the-middle attack. Using the same approach as in [11], our proposed protocol can be easily implemented in 3GPP2 networks. We assume that the MS device has the ability to implement the ECC techniques. We also assume that the password is chosen by the user or generated secretly and it is known by the MS and the AC of the home network. Figure (1) shows the normal A-Key generation procedure (black arrows) and the A-Key generation procedure using our EC-based protocol [8] (red arrows).

Fig. 1. The A-Key Distribution Procedures (message sequence chart between MS, MSC, OTAF, HLR and AC, messages 1 to 16; the AC computes B, the MS computes (A, i) and Y', the AC computes Y)

The integration of our proposed protocol within 3GPP2 networks is performed as follows: the message exchanges 1 and 2 are the same for the two protocols. After receiving message 2, the authentication center AC computes B as in figure (1), and finally sends it to the MS. From message 3 through 6, we transmit all needed parameters to the MS that are required to compute (A, i), as described in our proposed protocol [8], packaged in message 3 (please refer to message 3 in figure (1)). Then messages 7-10 will be used to inform the authentication center about all parameters required to compute YB. Using messages 11-14, the authentication center will transmit YB to the MS for key verification and key establishment. Compared to the 3GPP2 specifications, our new protocol provides key validation, authentication, mutual authentication, perfect forward privacy, and it can thwart the man-in-the-middle attack. Moreover, the A-Key authentication protocol requires 4 exponentiation operations, while our proposed protocol requires 1 exponentiation operation and it could be easily upgraded to just require multiplication and addition operations. This upgrade could be achieved by using a suitable digital signature.

Fig. 3. The EC-based In EAP Stack (layer diagram: authentication methods TLS, EC-EAP [8] and CHAP above the EAP layer of the Extensible Authentication Protocol (EAP); EAP over LAN (EAPOL) and PPP above the 802.3, 802.5 and 802.11 MAC layers)
2) Application To WLAN: Moreover, our EC-based proposed protocol [8] can be easily integrated into the BSS and ESS networks respectively by using the same approach as [75]. In the case of BSS networks the entity Bob works as an access point AP, whereas in ESS networks it works as a RADIUS server. For both networks, the entity Alice works as a mobile station STA. In BSS networks, after the reception of the authentication request sent by the STA, the AP will start the EC-based protocol [8] and, depending on the verification, the STA will accept or discard the session. Figure (2) shows the message exchange of the EC-based protocol in the BSS network. The exchange of messages used by the EC-based protocol for the BSS network is done using the WLAN frame format.

Fig. 2. The EC-based In BSS (message sequence between STA and Access Point: Authentication Request; The First 2-Pass of The EC-Based Protocol; The Third Pass of the EC-Based Protocol Integrated with the Final BSS Success/Failure Message; Key Establishment)

In addition, our EC-based proposed protocol [8] can be easily integrated into the ESS networks. The exchange of messages used by the EC-based protocol within the ESS network is done using the EAP packet format. Figure (3) shows the implementation of the proposed EC-based protocol within the EAP stack. In ESS networks, after the STA's response to the AP's association phase and after the EAP-request ID, the AP becomes a pass-through device and it passes the EAP-request ID to the RADIUS server. The three-pass exchange of messages in figure (4) starts by the RADIUS server sending B to the STA. Depending on the authentication process, the success/failure is issued and the STA can accept or discard the session. Figure (4) shows the corresponding message exchanges of the proposed EC-based protocol in the ESS network.

Fig. 4. The EC-based In ESS Networks (message sequence between STA, AP and Radius Server: EAPOL Start; EAP Request ID; EAP Response S(id); EC-Based Three Pass Authenticated Key Agreement Message Sequence With EAP Success/Failure Message)

VII. OUR FRAMEWORK MODEL: AN ID-BASED PAIRING PROTOCOL

As the elliptic curve pairing techniques have brought many interesting applications to authentication and key agreement protocols [10], we will present an identity-based authenticated key agreement protocol from pairings where an entity proves its identity to the verifying server in such a way that privacy and anonymity are protected. The presented work is mainly based on [9] and also partially on [7], [8] by applying the EC pairing techniques. A user Ui represents a mobile client which has a mobile phone or a PDA as an access device for accessing the needed services. In the following, we will present our proposed work and we discuss the security analysis. The figure below (Figure 5) shows the PAPA design architecture.
Fig. 5. The PAPA Design (architecture diagram: users in a smart environment carrying a mobile phone, PDA, RFID etc. as embedded device, readers, the DB server for authentication and the server for services)

A. Parameters Initialization: Our infrastructure involves a Trusted Key Generation Center (TKGC), an embedded device ED, a Reader (or readers) (R), a Database Server for authentication (DBID), a Server for providing services (SS) and users denoted by (Ui). The Trusted Key Generation Center (TKGC) chooses two prime order groups G1 and G2 of prime order q. q is a prime which is large enough to make solving the discrete logarithm problem in G1 and G2 infeasible. The TKGC chooses G as a generator of G1, chooses a Map-To-Point/Curve function H and chooses e, where e is the bilinear pairing map. The TKGC computes P_TKGC = s.G, where s ∈ Zq* is the TKGC's private key, and keeps s secret. Finally, for each user Ui to be registered, TKGC calculates Qi, where Qi is the user's partial public key with Qi = H(IDi), and determines Ui's partial private key Si = s.Qi. Moreover, the TKGC calculates the user's public key [74] as PU = xu.PPub = xu.s.G, where xu ∈ Zq* is generated on the user's behalf. Finally, TKGC sends Si, Pi, Z to the user via a secure channel. The database DBID manages and stores, for each user Ui with an ED, a record consisting of ⟨Qi, Si, s1, s2⟩, where (s1, s2) are the prover's secret.

Fig. 6. The PAPA Architecture (message flow between User U with the ED, the Reader and the DB: Reader Query, X; f, (Rx, Tx); E(Rx, Tx); E(s1, s2) in step 4-a; (y1, y2) in step 4-b)

B. Proposed Architecture Assumption: We firstly assume that the user's public and private key (Qi, Si) are kept secure, which means that Si for each Ui is stored on his own ED in a secure way. In addition, we assume that the communication channel between the reader and the back-end server (DBID server or the authentication server) is insecure. In addition, and different from the previous works, a reader is no longer a trusted third party, which means that the reader will be authenticated by the back-end server (DBID).

The table below (Table VII) shows the ECC mathematical parameters that are used for our proposed scheme.
TABLE VII
EC MATHEMATICAL NOTATIONS
Index      Explanation
TKGC       The trusted key generation center
G1         An additive group with prime order q
G2         A multiplicative group with prime order q
G          A generator of G1
Ppub       The public key of TKGC, Ppub = s.G
s          The private key of TKGC; it is chosen from Zq* by TKGC and s is kept secret
H1, H2     Hash functions
H          A map-to-curve algorithm where an ID is mapped into a point on G1
e          A bilinear pairing map
p, q       Large prime numbers, where p = 2.q + 1
P, Q       Random points over the elliptic curve
a, b       Randomly generated private keys
E          Non-supersingular elliptic curve
B          B ∈ E(Fq) with order q
x(Q)       x coordinate of point Q
IDi        The identity of user i, IDi ∈ {0, 1}*, 1 ≤ i ≤ n
Si         The long term private key of user i, Si = s.H(IDi)
Qi         The long term public key of user i, Qi = H(IDi), where H is a map function

C. Proposed Architecture Description: Before running the authentication procedure (Figure 6), the reader must be able to address a particular embedded device, to singulate it, from among a population of many other devices. During singulation, multiple embedded devices' responses may interfere with each other, necessitating an anti-collision algorithm. The anti-collision algorithm may either be probabilistic or deterministic. Following this situation, the reader R applies a collision-avoidance protocol like the secure binary tree walking [20], [21] or the standard protocols of ISO [22] to singulate one ED. Higher densities of devices will result in a higher collision rate and degraded performance. Once the reader singulates one device, the process for our three-pass authentication protocol will be described in the following steps.

Within the first round (from R to ED), the reader starts the protocol by generating two fresh random nonces r1 and r2 ∈ Zn, then he calculates the point X where

X = r1 × P1 + r2 × P2 (1)

and finally he sends the pair (request, X) to the embedded device ED (Step 1 in figure 5).

Within the second round, the queried ED generates two fresh random nonces f and a, where f ∈R Z_{2^t} and a ∈ Zq*, then computes (Rx, Tx), where (Rx, Tx) is the signature pair over the user's private key Si. Moreover, she calculates T_ED, where T_ED = a.G. Finally ED sends (Rx, Tx), T_ED, and f to the Reader R (Step 2 in figure 5). We can choose to deploy one of many available secure signature algorithms. The choice of the algorithm depends on the computation and communication cost factor regarding the choice of the ED's type.

Within the third round, and as we have declared in the above assumption that the communication channel between the reader and the authentication server is insecure, upon receiving the signature pair (Rx, Tx) from the ED, the reader R will deploy a Weil pairing-based encryption algorithm on the signature pair. Finally he sends EKe(Rx, Tx) to the back-end server DBID.

Our two nodes, the reader and the back-end server, can directly compute a shared key between them without exchanging any previous message. Based on one's own private key and the other party's public key, they can directly compute the shared key as follows. We denote their private key/public key by S_R = s.Q_R, where Q_R = H1(ID_R), and by S_DB = s.Q_DB, where Q_DB = H1(ID_DB). Now the reader computes K_R/DB = e(S_R, Q_DB) and the back-end server computes K_DB/R = e(Q_R, S_DB). And finally the shared symmetric secret key will be

Ke = H2(K_R/DB) = H2[e(Q_R, Q_DB)^s] = H2(K_DB/R). (2)

This approach is very efficient in terms of communications and computations and this feature makes it very attractive to the environments where the entities' capabilities are limited.

Within the fourth round, the back-end server DBID, upon receiving the encrypted signature pair message EKe(Rx, Tx) from R, will decrypt the message, then verify the signature pair; if it is valid, then the back-end server accepts, the ED is authenticated and the pair (s1, s2) associated with the ED is extracted from the database and encrypted using the Weil pairing-based encryption algorithm. Finally, the back-end server sends EKe(s1, s2) to the reader R.

Within the fifth round, the reader generates a random nonce b ∈ Zq* and computes T_R = b.G. Then she decrypts the received message, extracts the pair (s1, s2) and then computes

yi = (ri + (f × si)) (mod n), for i = 1 and 2. (3)

Finally she sends (T_R, yi for i = 1 and 2) to the ED.

The ED computes (Σ(yi × Pi) + f × Z) and then checks that

Σ(yi × Pi) + f × Z = X; (4)

if so the ED accepts, else rejects.

After the above messages, T_ED and T_R are exchanged, the reader and the user can agree on and compute the secret shared key as in the following equations:

K_R/ED = e(Q_ED, P_ED)^b . e(x_R.S_R, T_ED) (5)
K_ED/R = e(Q_R, P_R)^a . e(x_ED.S_ED, T_R) (6)

respectively. We denote by K the key K = K_R/ED = K_ED/R. Hence, K is shared between the entities. To ensure forward security, we can apply a hash function to the new shared key K, obtaining Kh. Once the protocol run completes successfully, both parties may use Kh to encrypt subsequent session traffic in order to create a confidential communication channel.

VIII. PROTOCOL DISCUSSION

In this section, the correctness of our proposed protocol is shown first. Second, the security analysis of our proposed protocol is described. Finally, the validation or formal analysis of our proposed protocol will also be given.

A. Correctness: In the following, we present a brief verification regarding the correctness and similarity of the shared key K. Since an identical 2-party key K has to be established, this means the equation K_R/ED =? K_ED/R should be true. Proof:

K_R/ED = e(Q_ED, P_ED)^b . e(x_R.S_R, T_ED)
= e(Q_ED, x_ED.s.G)^b . e(x_R.S_R, a.G)
= e(x_ED.s.Q_ED, b.G) . e(x_R.s.Q_R, a.G)
= e(x_ED.S_ED, T_R) . e(Q_R, P_R)^a
= K_ED/R

B. Security Analysis: Our proposed architecture is considered to provide privacy and anonymity for users. In the following, we evaluate our architecture regarding the security requirements addressed in section 2.

-Mutual Authentication: Consider the fact that the digital signature pair (Rx, Tx), created by the ED, is verified by the back-end server, and that the pair (s1, s2), sent by the back-end server, is recalculated by the reader under (y1, y2) and verified by the ED. Therefore, our proposed architecture guarantees the secure mutual authentication between the embedded device ED and the back-end server.

-Passive attack: Suppose an attacker performs a passive attack, then the session will terminate with both legitimate parties accepting. That is, the two parties successfully identify themselves to each other. And regarding the fact that the exchanged messages between the reader and the ED are generated from random nonces which are generated with every new session, it is infeasible that an attacker computes any useful information including the IDi of a user Ui. Therefore the architecture resists the passive attack.

-Man in the middle attack (or active attack): Suppose that an attacker intercepts X and replaces it with X', then receives f and (Rx, Tx) from the ED. He would like to replace the pair with (Rx', Tx'), as before. However, and unfortunately for the attacker, he can not compute the value of the new pair because he does not know the user's credentials and parameters and because the transmitted messages are meaningless. Therefore the proposed scheme thwarts the man-in-the-middle attack.

-Perfect forward secrecy: Each run of the protocol computes a unique x, a unique signature pair (Rx, Tx) and a unique pair (y1, y2). In addition the transmitted messages are meaningless as they are generated for each new session using new random nonces. Thus, the architecture provides perfect forward secrecy.

-Data Confidentiality: Since our architecture provides secure mutual authentication between the ED and the system, and since the information transmitted between the ED and the system is meaningless, our architecture provides data confidentiality and the user's privacy on data is strongly protected.

-ED Anonymity and Location Privacy: During the authentication processes, a signature algorithm is used to produce the signature pair (Rx, Tx). The pair (Rx, Tx) and f that are transmitted between the ED and R are randomized and anonymous since they are updated for each read attempt. Thus, our architecture provides user anonymity and location privacy is not compromised.

-Unauthorized Reader Detection: Our proposed architecture is based on the insecure communication channel between R and the back-end server. The unauthorized reader R' is detected and prevented by the back-end server DBID using the Weil pairing-based encryption algorithm between the reader and the back-end server, and by verifying the pair (y1, y2) by the legitimate user or ED. Thus, our scheme protects against an unauthorized reader.

Fig. 7. The OFMC Output
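Two of the checks described above reduce to plain point arithmetic: Bob's test v1 == v2 (with the YA/YB comparison and Ks derivation) in the EC-SAKA flow, and the ED's test of equation (4) after round 5 of the PAPA protocol. The following added example (not code from the paper) runs both on a textbook toy curve; it assumes B = b·P + Q for the EC-SAKA flow not shown in this section (required for α and β to agree) and Z = −(s1·P1 + s2·P2) for the ED's public value (required for equation (4) to hold), and uses SHA-256 as the hash h() and the literal names "Alice"/"Bob" as identities.

```python
# Added example (not from the paper): the two point-arithmetic checks the text
# describes, run on the textbook toy curve y^2 = x^3 + 2x + 2 over F_17, whose
# base point P = (5, 1) has prime order n = 19.  Far too small for real use.
import hashlib

p, A_COEF, N = 17, 2, 19      # field prime, curve coefficient a, order of P
P_BASE = (5, 1)
INF = None                    # point at infinity

def ec_add(P1, P2):
    """Affine point addition on y^2 = x^3 + A_COEF*x + 2 over F_p."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                              # P + (-P)
    if P1 == P2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, Pt):
    """Double-and-add scalar multiplication k*Pt (k taken mod N)."""
    R, Q = INF, Pt
    k %= N
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R

def ec_neg(Pt):
    return INF if Pt is INF else (Pt[0], (-Pt[1]) % p)

def h(Pt):
    """Hash a point to Z_n; stands in for the paper's h()."""
    return int(hashlib.sha256(repr(Pt).encode()).hexdigest(), 16) % N

def ec_saka_third_flow(x_alice, x_registered, a, b):
    """EC-SAKA: Alice signs with password x_alice, Bob verifies against the
    registered Q = x_registered*P, then both derive Ks.
    Returns (bob_accepts, alice_accepts, session_keys_match)."""
    P = P_BASE
    Q = ec_mul(x_registered, P)
    # For alpha = a(B - Q) and beta = b*A to agree, B - Q must equal b*P; the
    # earlier flow producing B is not shown here, so assume B = b*P + Q.
    B = ec_add(ec_mul(b, P), Q)
    A = ec_mul(a, P)                                   # Alice
    alpha = ec_mul(a, ec_add(B, ec_neg(Q)))
    K_alice = ec_add(Q, alpha)
    r = A[0] % N
    i = pow(a, -1, N) * (h(alpha) + x_alice * r) % N   # signature pair is (A, i)
    beta = ec_mul(b, A)                                # Bob, on receiving (A, i)
    K_bob = ec_add(Q, beta)
    v1 = ec_mul(i, A)
    v2 = ec_add(ec_mul(h(beta), P), ec_mul(A[0] % N, Q))
    if v1 != v2:
        return (False, False, False)                   # Bob aborts, sends no Y_B
    Y_B = h(beta)
    alice_accepts = (h(alpha) == Y_B)                  # Alice checks Y_A == Y_B
    ks = lambda K: hashlib.sha256(f"Alice||Bob||{K}".encode()).hexdigest()
    return (True, alice_accepts, ks(K_alice) == ks(K_bob))

def papa_round5_check(s1, s2, r1, r2, f, s1_db, s2_db):
    """PAPA rounds 1 and 5 plus the ED's check of eq. (4): the reader commits
    X = r1*P1 + r2*P2, the ED challenges with f, the reader answers
    yi = ri + f*si using the pair fetched from DB_ID, the ED tests
    sum(yi*Pi) + f*Z == X."""
    P1, P2 = P_BASE, ec_mul(3, P_BASE)                 # two base points (constructed)
    # Eq. (4) only holds if the ED's public value Z = -(s1*P1 + s2*P2).
    Z = ec_neg(ec_add(ec_mul(s1, P1), ec_mul(s2, P2)))
    X = ec_add(ec_mul(r1, P1), ec_mul(r2, P2))         # round 1, eq. (1)
    y1 = (r1 + f * s1_db) % N                          # round 5, eq. (3)
    y2 = (r2 + f * s2_db) % N
    lhs = ec_add(ec_add(ec_mul(y1, P1), ec_mul(y2, P2)), ec_mul(f, Z))
    return lhs == X
```

A mismatched password on Alice's side or a wrong (s1, s2) pair from the database makes the respective check fail, which is what the two verification steps are there to catch.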
C. Formal Analysis: In the AVISPA tool [23], security protocols are specified using the High Level Protocol Specification Language (HLPSL). The HLPSL specification is translated into an Intermediate Format (IF). The current version of the AVISPA tool integrates four back-ends: OFMC, CL-ATSE, SATMC and TA4SP. Before we ran verifications with AVISPA [23], [24], our protocol was written in the High Level Protocol Specification Language, or HLPSL. A modified model was written in order to be suitable for the OFMC validation. Once the HLPSL specification was debugged, it was checked automatically for attack detection using the AVISPA verification tools. Figure 7 shows the corresponding execution with AVISPA's OFMC tool. No attacks were found, and the security goals concerning privacy and anonymity are reached. The protocol is also safe and a mutual strong authentication is established.

IX. COMBINING AUTHENTICATION AND ACCESS CONTROL

Authentication and access control are decisive for the security and integrity of information. In this section, we propose a robust protocol through combining authentication and role-based access control (RBAC). To achieve this, we extend our previous protocol to cooperate with role-based access control. Our new scheme is based on identity-based cryptography and bilinear pairings. Our proposed protocol can check the validity of a user's identity and its activated roles simultaneously by verifying the user's signature, so the independent authentication element in the user procedure is eliminated. We extend the authentication procedure in our previous proposed protocol [9] to cooperate with role-based access control. We define each user as Ui = <ID, AKra>, where ID is a user identity information and AKra is a set of assigned keys corresponding to the roles assigned to the user, defined as AKra = {KIDr1, ..., KIDrn}. In addition, we define a role as a set of pairs of public and private keys belonging to the role. Each role is represented as r = <rpub, rpriv>. We also assume that the Trusted Key Generation Center (TKGC) in [9] is extended in a way to be able to define roles and to assign these roles to users. When a role ri is added to the system, the TKGC picks a random rpki as ri's private key and sets RPKi = rpki.G as ri's public key. To assign the role ri to a user with an identity ID, the TKGC checks the user ID, computes QID = H(ID), and generates the user's assigned key KIDri corresponding to ri with KIDri = rpki.Q(ID), where rpki is ri's private key. Finally, TKGC sends KIDri or a set of KID, Si, Pi, Z to the user via a secure channel.

The process for our new three-pass authenticated key agreement protocol will be as follows:

Within the first round (from R to ED), the reader starts the protocol by generating two fresh random nonces r1 and r2 ∈ Zn, then he calculates the point X where X = r1 × P1 + r2 × P2 and finally he sends the pair (request, X) to the embedded device ED (Step 1 in figure 5).

Within the second round, the queried ED selects a role or a corresponding set of roles denoted by SR = {r1, r2, ..., rh}, generates a message Q = ID|SR|per and a signature SigQ on Q, where per is the permission that the user wants to enforce. Finally the SigQ will be denoted <U, V>. Moreover, ED generates two fresh random nonces f and a, where f ∈R Z_{2^t} and a ∈ Zq*, and she calculates T_ED, where T_ED = a.G. Finally ED sends (Q, SigQ), T_ED, and f to the Reader R (Step 2 in figure 5). We can choose to deploy one of many available secure signature algorithms. The choice of the algorithm depends on the computation and communication cost factor regarding the choice of the ED's type.

Within the third round, and as we have declared in the above assumption that the communication channel between the reader and the authentication server is insecure, upon receiving the signature pair (Q, SigQ) from the ED, the reader R will deploy a Weil pairing-based encryption algorithm on the signature pair. Finally he sends EKe(SigQ) to the back-end server DBID.

Within the fourth round, the back-end server DBID, upon receiving the encrypted signature pair message EKe(Q, SigQ) from R, will decrypt the message, then verify the signature pair; if it is valid, then the back-end server accepts, the ED is authenticated and the pair (s1, s2) associated with the ED is extracted from the database and encrypted using the Weil pairing-based encryption algorithm. Finally, the back-end server sends EKe(s1, s2) to the reader R.

Within the fifth round, the reader generates a random nonce b ∈ Zq* and computes T_R = b.G. Then she decrypts the received message, extracts the pair (s1, s2) and then computes yi = (ri + (f × si)) (mod n) for i = 1 and 2. Finally she sends (T_R, yi for i = 1 and 2) to the ED.

The ED computes (Σ(yi × Pi) + f × Z) and then checks that (Σ(yi × Pi) + f × Z) is equal to X; if so the ED accepts, else rejects.

After the above messages, T_ED and T_R are exchanged, the reader and the user can agree on and compute the secret shared key as in equations 5 and 6.

A. Protocol Discussion

Protocol Correctness: We can choose one of many identity-based signature schemes to compute the SigQ. Therefore, we will adopt the signature scheme that was used by [73]. To compute the SigQ, the user selects a random r ∈ Zq*, computes U = r.Q_ID, computes h = H(Q, U), computes K_SR = Σ_{i=1}^{h} KIDri, and finally computes V = (r + h).K_SR. The validity of SigQ can be accomplished by verifying if

e(P, V) =? e(P_AR, U + h.Q_ID).

Proof:
e(P_AR, U + h.Q_ID) = e(Σ_{i=1}^{k} P_i, r.Q_ID + h.Q_ID)
= e(Σ_{i=1}^{k} s_i.P, (r + h).Q_ID)
= e(P, (r + h) Σ_{i=1}^{k} s_i.Q_ID)
= e(P, (r + h).S_ID_AR)
= e(P, V)

Since the key establishment process in our current proposed protocol is similar to the key establishment in the previous work, section 7 (section 8 part A), the same correctness verification will be applied here as well.

Security Analysis: Since our new proposed authenticated key agreement protocol is also a direct extension of the protocol described in [9], the security analysis and validation will be applied to the proposed authenticated key agreement protocol as well.

X. CONCLUSION AND FUTURE WORK

Mobile computing is an emerging research area with great potential. In this paper, we introduce several secure authenticated key agreement protocols based on elliptic curve cryptography that provide mutual authentication and explicit key establishment. Our schemes are simple, easy to realize, and secure against both passive and active attacks. They also resist many other attacks. Our proposed protocols are compared to well-known protocols such as B-SPEKE, SRP, EC-SRP, EC-AKE, PAK-RY, PAK-X, AMP, SKA and LR-AKE in terms of communication and computation cost and the results were well discussed. Moreover, the privacy and anonymity of users in pervasive environments are well and carefully considered. In addition (sections 7 and 8), we present new authentication-based architectures to preserve privacy and anonymity and to combine authentication with access control respectively. These proposed protocols are based on elliptic curve techniques, the MapToPoint/Curve algorithm, the Weil pairing and on identification schemes. Our proposed protocols support an authenticated key agreement mechanism and dynamic key updating. Our schemes are simple, easy to realize, and meet security and privacy objectives including mutual authentication, resistance to the man-in-the-middle attack, confidentiality, resistance to the replay attack, and user anonymity and location privacy. Our proposed protocols are flexible in such a way that they can be configured to use one of many secure communication schemes desired (signature schemes, identity-based schemes and Weil pairing-based encryption algorithms). As future work, we are currently working on extending these proposed protocols to deal with context-aware environments where both user and contextual information will be authenticated, which are essential elements to access context-aware network services. In addition, we will try to show a complete comparison, security and overhead computations, with other relevant protocols and we will try to show the correctness of the proposed scheme.

ACKNOWLEDGMENT

The authors would like to thank Telecom SudParis and Lebanese University Laboratories' staff for their contributions and support. I would like to thank everyone for his help, guidance, advice as well as his enthusiasm and many valuable contributions to this work. Their suggestions and observations were extremely helpful throughout this paper. Without their input, I would not have been able to complete this work.
REFERENCES

[1] D. R. Stinson, Cryptography Theory and Practice, Chapman and Hall/CRC, Third Edition, pages: 353-438, 2006.
[2] A. Menezes, P.V. Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 2nd Edition, 1996.
[3] S.B. Wilson, D. Johnson and A. Menezes, Key Agreement Protocols and Their Security Analysis, In Proceeding of Sixth IMA International Conference on Cryptography and Coding, UK, pp. 30-45, 1997.
[4] M. Ohkubo, K. Suzuki and S. Kinoshita, Cryptography Approach to Privacy-Friendly Tags, In Proceeding of the Privacy WorkShop, MIT, MA, USA, Nov. 2003.
[5] S. Weis, Security and Privacy in Radio Frequency Identification Devices, Master's thesis, MIT, 2003.
[6] P. ABI-CHAR, A. Mhamed, B. Hassan, A Secure Authenticated Key Agreement Protocol For Wireless Security, In Proceeding of the Third International Symposium on Information Assurance and Security IAS2007, Manchester, United Kingdom, IEEE Computer Society Press, August, pp. 33-38, 2007.
[7] P. ABI-CHAR, A. Mhamed, B. EL-Hassan, A Secure Authenticated Key Agreement Protocol Based on Elliptic Curve Cryptography, In Proceeding of the Third International Symposium on Information Assurance and Security IAS2007, Manchester, United Kingdom, IEEE Computer Society Press, pp. 89-94, 2007.
[8] P. ABI-CHAR, A. Mhamed, B. EL-Hassan, A Fast and Secure Elliptic Curve Based Authenticated Key Agreement Protocol For Low Power Mobile Communications, In Proceeding of the International Conference and Exhibition On Next Generation Mobile Applications, Services And Technologies, NGMAST07, Cardiff, Wales, United Kingdom, IEEE Computer Society Press, pp. 236-241, 2007.
[9] P. ABI-CHAR, M. Mokhtari, A. Mhamed and B. EL-Hassan, Towards a Robust Privacy and Anonymity Preserving Architecture for Ubiquitous Computing, In Proc. of the Third International Conference on Risks and Security of Internet and Systems (CRISIS08), Tozeur, Tunisia, IEEE Computer Society Press, October 28-30, pp. 125-132, 2008.
[10] D. Boneh and M. Franklin, Identity Based Encryption From the Weil Pairing, In Proceeding of CRYPTO 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.
[11] A.F. Sui et al., An Improved Authenticated Key Agreement Protocol with Perfect Forward Secrecy for Wireless Mobile Communication, In Proceeding of the International Conference of Wireless Communications and Networking, IEEE Press, pp. 2088-2093, 2005.
[12] I. Hideki, S. Seonghan, and K. Kobara, Authenticated Key Exchange for Wireless Security, In Proceeding of the IEEE Wireless Communications and Networking Conference, pp. 1180-1186, 2005.
In Proceeding of IEEE 37th Annual 2003 International Carnahan Conference, pp. 128-131, 2003.
Symposium on Network and Distribution System Security, 1998.
In Proceeding of the WETICE Workshop, pp. 248-
thenticated Key exchange using Diffie-hellman, In Proceeding of the
[17] P. Mackenzie, More Efficient Password Authenticated Key Exchange,
[20] A. Juels, R.L. Rivest, and M. Szydlo, The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy, In Proceeding 10th ACM Conference on Computer and Communications, pp. 103-111, 2003.
[21] S. Weis, Security and Privacy in Radio Frequency Identification Devices, Master's thesis, MIT, 2003.
[22] ISO/IEC-JTC 1/SC-31/WG, Information technology AIDC techniques-RFID for item management Air interface, Part 3: Parameters for air interface communications at 13.56 MHZ, Apr. 2004.
[23] http://www.avispa-project.org, Automated Validation of Internet Security Protocols and Applications, AVISPA, 2006.
[24] http://www.irisa.fr/lande/genet/span, A Security Protocol ANimator for AVISPA, 2008.
[25] W. Diffie and M. Hellman, New Directions In Cryptography, Proceeding of IEEE Transactions on Information Theory, IT-22(6), pp. 644-654, November 1976.
[26] T. Matsumoto et al., On Seeking Smart Public-Key Distributions Systems, In Proceeding of the Transactions of the IECE of Japan, E69(1986), pp. 99-106, 1986.
[27] L. LAW et al., An Efficient Protocol for Authenticated Key Agreement, Technical Report CORR 98-05, Department of C & O, University of Waterloo, 1998. Available at Citeseer.nj.nec.com/law98efficient.
[28] S. Dong and P. Sweeney, Simple Authenticated Key Agreement Algorithm, Electronics Letters, vol. 35, Issue 13, pp. 1073-1074, 1999.
[29] K. Wei-Chi and W. Sheng-De, Cryptanalysis of Modified Authenticated Key Agreement Protocol, Electronics Letters, vol. 36, Issue 21, pp. 1770-1771, October 2000.
[30] B.T. Hsieh et al., Cryptanalysis of Enhancement for Simple Authentication Key Agreement Algorithm, Electronics Letters, vol. 38, Issue 1, pp. 20-21, 2001.
[31] J. Go and K. Kim, Wireless Authentication Protocol Preserving User Anonymity, In Proceeding of the 2001 Symposium on Cryptography and Information Security (SCIS 2001), pp. 159-164, Jan. 2001.
[32] W. Duncan and K. Hong, Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks, In Proceeding of the 3rd International Conference on Pervasive Computing and Communications Workshops (PerCom 2005), pp. 284-288, 2005.
[33] F. Zhu et al., RSA-Based Password Authenticated Key Exchange for Imbalanced Wireless Networks, In Proceeding of the 5th Information Security Conference, Lecture Notes in Computer Science, Springer-Verlag, vol 2433, pp. 150-161, 2002.
[34] F. Bao, Security Analysis of a Password Authenticated Key Exchange Protocol, In Proceeding of the 6th Information Security Conference, Lecture Notes in Computer Science, Springer-Verlag, vol 2851, pp. 208-217, 2003.
[35] H. Yeh et al., Improvement of Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks,
[36] M. Zhang, Breaking an Improved Password Authenticated Key Exchange Protocol for Imbalanced Wireless Networks, 9, pp. 276-278, Mar. 2005.
Lecture Notes in Computer Science, Springer-Verlag, vol 3225, pp. 13-24, 2004.
[38] J. W. Lo, The Improvement of YSYCT Scheme for Imbalanced Wireless, International Journal Network Security, vol 3, pp. 39-43, July 2006.
Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks, IEICE Transactions Commun, vol. E88-B, pp. 4370-4372,
In
[18] T. Kwon, Ultimate solution to authenticate via memorable passIn
Proceeding group
for
of
the
Future
Contribution
PKC
Standards,
to
the
IEEE
available
for
http://grouper.ieee.org/groups/1363/passwdPK/contribution.html. [19] K. Jung, J. Kim and T. Chung, Password-Based Independent Authentication and Key Exchange Protocol, Singapore, 2003.
RSA based Password Authenticated Key Exchange,
IEICE Transactions
[41] E. Yoon and K. Yoo, Cryptoanalysis of Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks,
Proceeding of the CT-RSA, pp. 361-377, 2001.
Study
[40] S. Wang and F. Bao and J. Wang, Security Analysis on an Improvement of Commun, vol. E88-B, pp. 1641-1646, Apr. 2005.
EuroCrypt, pp. 156-171, 2000.
1363
In
Nov. 2005.
[16] V. Boyko, P. Mackenzie and S. Patel, Provably Secure Password Au-
P
Protocol based on RSA for Imbalanced Wireless Networks,
[39] C. Yang and R. Wang, Cryptoanalysis of Improvement of Password
255, 1997.
word,
[37] M. Zheng, Further Analysis of Password Authenticated Key Exchange
Network, In Proceeding of the Interent
[15] D. Jablon, Extended password Key exchange Protocols immune to dictionary attack,
IEEE Commun, Letter, vol.
Proceeding of the 7th Information Security Conference 2004, Lecture
[13] E. Ryu, K. Kim, and K. Yoo, A Simple Key Agreement Protocol,
[14] T. Wu, Secure Remote Password Protocol,
IEICE Transactions
Commun, vol. E86-B, pp. 3278-3282, Nov. 2003.
In Proceeding of ICICS-PCM03,
IEICE
Transactions Commun, vol. E88-B, pp. 2627-2628, June. 2005. [42] Y. Chang et al., An Efcient Password Authenticated Key Exchange Protocols for Imbalanced Wireless Networks,
Computers Standards
& Interfaces, vol. 27, pp. 313-322, Mar. 2005 [43] C. Tianjie and L. Dongdai, Cryptoanalysis of Two Password Authenticated Key Exchange Protocols Based on RSA, Letter, vol 10, No. 8, pp. 623-625, August 2006.
IEEE Communications
[44] H.Y. Chien and J.K. Jan and Y.M. Tseng, An Efcient and Practical Solution to Remote Authentication Smart Card,
Computer and Secuirty,
vol. 21, no. 4, pp. 372-375, 2002.
[69] G. Frey and H. Ruck, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves,
[45] W.C. Ku and S.M. Chen, Weaknesses and Improvements of an Efcient
[70] I. Semaev, Evaluation of Discrete logarithms in a group of p-torsion
Password Based Remote User Authentication Sheme Using Smart Card,
points of an elliptic curve in Characteristic p,
IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 204-207,
Computation, vol. 67, pp. 353-356, 1998.
Mathematics of
[71] D. Boneh and M. Franklin, Identity-based encryption from the Weil
2004. [46] E.J. Yoon and E.K. Ryu and K.Y. Yoo, Further improvement of an efcient password based remote user authentication scheme using smart cards,
Mathematics
of Computation, vol 62, pp. 865-874, 1994.
IEEE Transactions on Consumer Electronics, vol. 50, no. 2, pp.
Pairing,
Advanced in CRYPTO2001, LNCS 2139, pp. 213-229, 2001.
[72] G. Frey, M. Muller and H. Ruck, The Tate Pairing and the discrete logarithm applied to elliptic curve cryptosystem,
IEEE Transaction on
Information Theory, Vol. 45, No.5, pp. 1717-1719, 1999.
612-614, 2004. [47] X.M. Wang, W.F. Zhang, J.S. Zhang and M.K. Khan, Cryptanalysis and
[73] J. Wang, J. Yu, D. Li, X. Bai, and Z. Jia Combining User Authentication
improvement on two efcient remote user authentication scheme using
With Role-Based Authorization Based on Identity-Based Signature,
smart cards,
Computer Standards & Interfaces, vol. 29, no. 5, pp.
Proceding of International Conference on Computational Intelligence and
[48] E.J. Yoon, E.J. Lee and K.Y. Yoo Cryptanalysis of Wang et al.'s Remote
[74] S. Wang, Z. Cao, and H. Bao Efcient Certicateless Authentication
Security, CIS, pp.847-857, 2006.
507-512, 2007. User Authentication Scheme Using Smart Cards.,
In Proceedings
of the Fifth International Conference on Information Technology: New In
Advanced in Cryptology- Crypto'84, LNCS 196, pp. 47-53, SpringerVerlag, 1984. [50] N.P. Smart, An ID-Based Authentication Key Agreement Protocol Based Electron. letter, 38(13), pp. 630-632, 2002.
[51] K. Shim, Efcient ID-Based Authentication Key Agreement Protocol Based on the Weil Pairing,
Electron. letter, 39(8), pp. 653-654, 2003.
[52] H. Sun and B. Hsieh, Security Analysis of Shim's Authenticated Key Agreement Protocols from Pairings,
Cryptology ePrint Archive, Report
2003/113, 2003. http://eprint.iacr.org/2003/113. [53] E. Ryu and E. Yoon and K. Yoo, An Efcient ID-Based Authenticated Key Agreement Protocol,
Networking 2004 Volume 3042, 2004.
[54] Q. Yuan and S. Li, A New Efcient ID-Based Authenticated Key Agreement Protocol,
IEEE Communications Letter, vol 10, No. 8,
pp. 623-625, March 1, 2005. [55] C.K. Koc and M.Aydos and B.Sunar An Elliptic Curve Cryptography based authentication and key Agreement protocol for Wireless Commnuication,
In 2nd International Workshop on Discrete Algorithm and
Methods for Mobile Computing and Communications, 1998. [56] H.M. Sun and B.T.Hsieh and S.M. Tseng Cryptanalysis of Aydos et al.'s ECC-based Wireless Authentication Protocol.,
In Proceedings of the
2004 IEEE International Conference on e-Technology, e-Commerce and e-Servce (EEE'04), pp. 563-566, 2004. [57] L. Harn, and H.Y. Lin Authenticated Key Agreement Without Using OneWay Hash Function,
In Proceeding of the Electron, Lett.,(10)37, 2001.
[58] K. Shim, Unknown Key-Share Attack on Authenticated Multiple Key Agreement Protocol,
In Proceeding of the Electron, Lett., 39(1), pp.
38-39, 2003. [59] S. Yen, and M. Joye, Improved Authentication Multiple key Agreement Protocols,
In Proceeding of the Electron, Lett., 34 (18), pp. 1738-1739,
1998. [60] T. Wu, W. He, and C. Hsu Security of Authenticated Multiple Key Agreement Protocol,
In Proceeding of the Electron, Lett., 35, (5),
pp. 391-392, 1999. [61] L. Law, A. Menezes, A. Qu, J. Solinas, and S. Vanstone, An Efcient Protocol for Authenticated Key agreement,
In Proceeding Technical
Report CORR 98-08, Univerity of Waterloo, Canada, 1998. [62] V. Miller, Uses of elliptic curves in cryptography,
In Proceeding of
Crypto '85, Santa Barbara, pp. 417 - 426. 1986. [63] N. Koblitz, Elliptic Curve cryptosystems,
Mathematics of Computation,
vol 48., pp. 203 - 209, 1987. [64] N. Koblitz, CM-Curves With Good Cryptography Properties,
In Proc.
of Crypto' 91, Santa Barbara, USA, 1992. [65] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstane, An efcient Protocol for Authenticated Key Agreement,
Technical report CORR98-
05, Department of CO, University of Waterloo, 1998. [66] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstane, An efcient Protocol for Authenticated Key Agreement,
Designs, Codes and
Cryptography, vol. 28, pp. 119-134, 2003. [67] J. Pollard, Monte Carlo methods for index computation mod p,
Math-
ematics of Computation, vol. 32, pp. 918-924, 1978. [68] A. Menezes, T. Okamoto and S. Vanstane, Reducing elliptic curve logarithms ina nite eld,
IEEE Transactions on Information Theory,
vol. 39, pp. 1639-1646, 1993.
and Key Agreement (CL-AK) for Grid Computing,
In Proceeding of
the International Journal of Network Security, vol.7, No.3, pp. 342-347, 2008.
Generations, pp. 575-580, 2008. [49] A. Shamir, Identity-based Cryptosystems and Signature Schemes,
on the Weil Pairing,
In
[75] A.A. Mohammad, and A. Jamalipour An Efcient Elliptic Curve Cryptography Based Authentication Key Agreement Protocol for Wireless LAN Security,
In Proceeding of High Performance Switching and Routing,
HPSR2005 Workshop, pp 376-380, 2005.