Key establishment protocols for secure mobile communications: A selective survey

Colin Boyd (1) and Anish Mathuria (2)

(1) Information Security Research Centre, School of Data Communications, Queensland University of Technology, Brisbane Q4001, Australia

(2) IBM Research, Tokyo Research Laboratory, 1623-14 Shimotsuruma, Yamato-shi, Kanagawa-ken 242-0001, Japan

Abstract. We analyse several well-known key establishment protocols for mobile communications. The protocols are examined with respect to their security and suitability in mobile environments. In a number of cases weaknesses are pointed out, and in many cases refinements are suggested, either to improve the efficiency or to allow simplified security analysis.

1 Introduction

Security is a critical issue in mobile radio applications, both for the users and providers of such systems. Although the same may be said of all communications systems, mobile applications have special requirements and vulnerabilities, and are therefore of special concern. Once a call has been set up by establishing various security parameters, the problem is reduced to that of employing appropriate cryptographic algorithms to provide the required security services. The most important problem is undoubtedly that of designing protocols for authentication and key management as part of the call set-up process; security-critical errors made at this stage will undermine the security of the whole of the session, and possibly subsequent sessions as well. The problem of designing correct protocols for authentication and key management is difficult to solve in any environment. This is particularly evident from the surprisingly large number of published protocols which have later been found to contain various flaws, in many cases several years after the publication of the protocols. In the mobile scenario, the extra constraints and requirements make this problem all the harder. A variety of protocols specifically designed for use in mobile applications has been proposed in recent years by many authors [1, 3-7, 12]. In this paper we have assembled some of the most prominent published security protocols proposed for mobile applications and examined them with regard to the following issues.

Security: Are they secure in relation to their intended function?

Suitability: How well do they fit the special requirements of mobile applications?

Optimisation: Are they in their simplest form both with regard to efficiency and their structure?

In most cases we are able to suggest possible improvements to the protocols in one or more of the above aspects. Having examined the protocols we then go on to compare them, thereby allowing an informed choice to be made by prospective designers of mobile applications. There are many more proposed protocols which we could have included, but space restrictions prevent a more comprehensive survey. The rest of this paper is organized as follows. In the following section, the security requirements for authentication and key management protocols are summarised with particular reference to the special needs of a mobile environment. Following that each protocol, or group of protocols, is examined in turn with regard to the criteria mentioned above. To conclude, a comparison of the various protocols is made.

2 Mobile Security Requirements

The protocols used at the start of a communications session are variously called authentication protocols or key establishment protocols amongst others. The goals of these protocols typically include verifying that the identity of some party involved is the same as that claimed, and establishing a session key for use in conjunction with chosen cryptographic algorithms to secure the subsequent session. These goals are typically part but not all of what is needed for a secure mobile protocol. In particular, there are additional factors that naturally arise due to the specific nature of the mobile environment.

Heterogeneous communications path: The communications channel is split into a number of parts, one of which (the radio link) is particularly vulnerable to attack.

Location privacy: The mobile station is allowed to roam freely and information on its location may be valuable to an adversary.

Computational constraints: The mobile station is computationally limited in comparison with typical communications devices. In particular there is an asymmetry between the computational power of the mobile and base station.

For a general discussion on mobile security requirements, the reader is referred to the many sources detailed in the references, such as the article of Vedder [18]. The reader should beware that there are many different standards for mobile communications currently operating, and a great many more are planned for future implementation. The above threats may, therefore, be more or less relevant depending on the precise architecture in place.

2.1 End-to-End or Radio Link Security?

Current digital mobile communications systems are usually termed second generation in distinction to the first generation analogue systems. Current research is devoted mainly to the emerging third generation systems [12] which will be characterised by higher bandwidth and integrated data services. In second generation systems security has been applied only to the radio link. Third generation mobile networks are likely to require enhanced radio link security but in addition end-to-end security between mobile users and their communications partners may be desirable. The following appears to represent a fair summary of the requirements for a security protocol protecting the radio link.

– Confidentiality of the radio link between mobile and base station.
– Mutual authentication between the mobile and base station.
– Confidentiality of the identity of the mobile station.
– Computational simplicity of the protocol with regard to the requirements on the mobile station.

The required end-to-end security services will correspond to what is required to secure the particular application. These will typically include confidentiality and integrity of user data, and may also include non-repudiation for applications such as electronic commerce.

2.2 Type of Cryptography

As a rule of thumb, public key cryptographic algorithms are computationally around 1000 times more costly than symmetric key algorithms. As technology develops, and with the advent of special purpose chips, public key cryptography is seeing widespread implementation (cf. Needham [13]). However, commercial demands for inexpensive mobile stations of low power and light weight mean that the deployment of public key technology will require convincing arguments. Basyouni and Tavares [2] have recently compared protocols using public key against symmetric key solutions. They concluded that public key solutions carry no appreciable advantage over symmetric key solutions, while imposing a performance penalty. However, although this conclusion may be justified with regard to the particular protocols they examined, it is not clear that their analysis covers all the issues necessary for a general answer to the question.

– Current symmetric key solutions require trust in the entire network; when mobiles roam to different domains their secrets are passed to the visited domains. This can be avoided if mobiles have certified public keys, since public keys may be freely distributed. This would at the same time reduce key management overheads. In addition end-to-end security may be implemented without trusting the network to distribute keys.
– Non-repudiation services are currently only practically implemented with public key cryptography. It seems likely that in third generation systems non-repudiation services will be demanded by various parties.

– Anonymity over the radio link is simple to provide if base stations have a certified public key. The use of public keys can preserve anonymity even if the network must be re-initialised, whereas current symmetric key schemes do not cope well in this case.

Most of the protocols considered in this paper do employ public key cryptography. Many of them employ what we might term unbalanced public key cryptography, in which one party (invariably the mobile) has far less computational requirements than the other. This is possible to achieve using many public key algorithms, but not all.

3 Beller-Chang-Yacobi protocols

Beller, Chang and Yacobi [3-5], and Beller and Yacobi [6] have proposed hybrid protocols using a combination of asymmetric and symmetric cryptographic algorithms, carefully chosen so that the computational demands imposed satisfy the imbalance in the computational power of a typical mobile and base. The protocols of Beller et al. were critically examined by Carlsen [7], who identified some possible attacks and suggested protocol modifications to avoid them. He also pointed out an inherent shortcoming of their protocols. In particular, although the protocols hide the identity of an initiating mobile station, the unbalanced nature of the solution meant that the dual requirement of hiding the identity of the responding station remained unsolved. In this section, we will examine the original protocols of Beller et al. and also some suggested improvements of Carlsen.

3.1 Three Hybrid Protocols

The protocols of Beller et al. rely on a public key cryptosystem for which encryption is particularly efficient, at least in comparison to other public key cryptosystems. The specific public key cryptosystem employed is due to Rabin [15], in which encryption and decryption are tantamount, respectively, to modulo squaring and extracting a modulo square root (MSR). Instead of showing the mathematical details of the MSR algorithms, we shall continue to use the more general notation in describing the protocols of Beller et al. (hereafter referred to as the MSR protocols). However, we note that the MSR technique allows public key encryption to be implemented within the computational power of a mobile station. The MSR protocols consist of three variants with varying complexity and security features. We discuss each protocol in turn below.

Basic MSR protocol. As mentioned above, in the protocol description we show any public key encryption algorithm being employed, rather than the specific MSR technique. In the following, the notation {X}_K denotes encryption with key K (we abuse the notation somewhat by allowing K to be either a symmetric or a public key). SC_M denotes the secret certificate of the mobile M which is issued by a trusted central authority. This certificate can be checked by anyone using the public key of the central authority in order to verify the mobile's identity. The certificate is kept secret from all other mobile users and eavesdroppers, because it is all that is required to masquerade as M. The basic MSR protocol runs as follows [5].

1. B → M : B, PK_B
2. M → B : {x}_{PK_B}
3. M → B : {M, SC_M}_x

Upon receiving B's public key PK_B, the mobile uses it to encrypt the session key x, and sends the encrypted message to B. The mobile also sends its identity and secret certificate encrypted under x to authenticate x to the base. The encryption in message 3 is carried out using a symmetric key cryptosystem. Since this encryption is negligible compared to the public key encryption in message 2, the computational effort at the mobile is effectively reduced to that of modulo squaring of the session key. Carlsen [7] identified two security weaknesses in the above protocol:

– The public key of B is uncertified, thereby allowing anyone to masquerade as B. As we mentioned earlier, this is perceived as a serious threat in the emerging standards.
– It is not possible for B to differentiate between a new run of the protocol and one where messages from an old run are replayed by a malicious attacker. At best this may allow an attacker to incur extra costs for the owner of M. But worse, it is a normal assumption in key management that old session keys may be compromised; replay of an old compromised session key then allows masquerade of M.

The first of these weaknesses appears to have been recognised as early as 1993 by Beller et al. [5] themselves. It should be noted that the protocol ensures the privacy of new calls initiated by a genuine mobile user if the attacker merely replays old messages from previous runs of the protocol.

Improved MSR (IMSR) protocol. The improved MSR protocol of Beller et al. [5], IMSR, overcomes a major weakness of MSR by including a certificate of the base station in the first message. Apart from this feature it is identical to the basic MSR protocol, and therefore does not address the problem of replay. Carlsen [7] recognised this problem and suggested an `improved IMSR' protocol which includes a challenge-response mechanism to allow B to detect a session key replay. (He also adds an expiration time to the contents of the certificate of B, Cert(B), to allow for checks on the certificate's validity while at the same time deleting B's identity from Cert(B). The effect of this latter change is that base station "impersonation attacks" become possible, as pointed out by Varadharajan and Mu [20]. Such attacks may become important in third generation systems.)

The improved IMSR protocol runs as follows [7].

1. B → M : B, N_B, PK_B, Cert(B)
2. M → B : {x}_{PK_B}
3. M → B : {N_B, M, SC_M}_x

There is a twofold increase in the complexity of this protocol as compared to the basic MSR protocol. The mobile now calculates an additional modulo square to verify the base's certificate on receiving message 1. Upon receiving the final message, B decrypts it using the session key x, and checks that the value N_B is the same as the random challenge sent in message 1. Curiously, although Carlsen clearly identifies the problem of replay, his suggested improvement does not really overcome it. In the above protocol, if x is compromised an attacker can obtain SC_M, and thus freely masquerade as M. There is a way around the above protocol weakness. Instead of sending N_B and SC_M encrypted under x, the two can be sent together with the session key in message 2. The third message is now simply M's identity encrypted under x.

2. M → B : {x, N_B, SC_M}_{PK_B}
3. M → B : {M}_x

MSR + DH protocol. This protocol is an extended version of the IMSR protocol and incorporates the well known Diffie-Hellman key exchange [8]. A major improvement is that now both parties have genuine public keys which means that the mobile no longer needs to reveal its permanent secret to the base. Carlsen [7] has also suggested an `improved MSR+DH' protocol by making similar modifications to those carried out in the improved MSR protocol. The improved MSR+DH protocol runs as follows [7].

1. B → M : B, N_B, PK_B, Cert(B)
2. M → B : {x}_{PK_B}, {N_B, M, PK_M, Cert(M)}_x

Here PK_B and PK_M denote the public keys of B and M respectively; these serve to establish a shared secret using the Diffie-Hellman technique. The session key is computed as the symmetric key encryption of x with this shared secret. To complete the protocol, M and B exchange a pre-agreed set of messages encrypted under the session key. Although the security of the MSR+DH protocol appears far improved over the other MSR variants it carries a heavy price. Now both parties need to calculate a full modular exponentiation at session set-up leading, as per the calculations of Beller et al., to a 100 times increase in the required computing power. Such calculations may not be feasible within a reasonable time on today's mobiles, except with specialised hardware. Furthermore, the whole purpose of using specially efficient public key computations appears to be lost.

3.2 Beller and Yacobi's Protocol

In a separate publication, Beller and Yacobi [6] suggest a further variation on the IMSR protocol. Like the MSR+DH protocol, the Beller-Yacobi protocol (BY) employs a public key for the mobile as well as the base. The mobile's private key is used to implement digital signatures using the ElGamal algorithm [9]. The specific appeal in choosing this algorithm is that the computations required for signature generation can largely be executed prior to choosing the message to be signed. This means that it is easy for the mobile processor to do most of the work off-line, during idle time between calls. The first two messages in the BY protocol are essentially identical to those in the IMSR protocol. The main difference is in the subsequent stage which employs a challenge-response mechanism based on digital signatures. The protocol runs as follows [6].

1. B → M : B, PK_B, Cert(B)
2. M → B : {x}_{PK_B}
3. B → M : {N_B}_x
4. M → B : {M, PK_M, Cert(M), {N_B}_{PK_M^{-1}}}_x

In the third message, B sends a random challenge N_B encrypted using x. The mobile then returns N_B signed using its private key PK_M^{-1}, together with its identity, public key PK_M, and certificate, all encrypted under x. Finally, B decrypts this message and verifies the signature on N_B.

An Attack on the BY Protocol. We now present a potential attack on the BY protocol. Although the attack makes quite strong assumptions, it must be taken seriously because it indicates a flaw in the protocol design. We understand that the same attack was found independently by the original authors subsequent to the protocol's publication (personal communication). The attacker, C, must be a legitimate user known to B. Further, C needs to be able to set up simultaneous sessions with both B and M. (C could be a rogue mobile and base station in collusion.) In the attack below, C is able to convince B that his identity is M. The notation C_M means that C is the actual principal involved in the sending or receiving of a message, but is masquerading as M. An attack on the BY protocol proceeds as follows.

1. B → C_M : B, PK_B, Cert(B)
2. C_M → B : {x}_{PK_B}
3. B → C_M : {N_B}_x
1'. C → M : C, PK_C, Cert(C)
2'. M → C : {x'}_{PK_C}
3'. C → M : {N_B}_{x'}
4'. M → C : {M, PK_M, Cert(M), {N_B}_{PK_M^{-1}}}_{x'}
4. C_M → B : {M, PK_M, Cert(M), {N_B}_{PK_M^{-1}}}_x

The essence of the attack is that C starts a parallel session with M in order to obtain M 's signature on B 's challenge NB . At the end of the attack, B accepts x as a session key with M , whereas in fact it is shared with C . The session started between C and M can be dropped after the receipt of message 4'. Note that message 3 must precede message 3', and message 4' must precede message 4; the remaining messages may overlap each other.

An Improved Protocol. There is a simple way to alter the protocol so as to avoid the attack. Essentially the change is to have M sign the new session key when it is first sent to B, in message 2, together with the challenge N_B which guarantees its freshness. The key must have its confidentiality protected by a suitable one-way hash function h, but the use of such a function is a standard practice in most digital signature schemes. Since x is now authenticated in message 2, message 4 is redundant and message 3 is used simply for M to verify that B has received the key. The revised protocol is as follows.

1. B → M : B, PK_B, Cert(B), N_B
2. M → B : {x}_{PK_B}, {M, PK_M, Cert(M)}_x, {h(B, M, N_B, x)}_{PK_M^{-1}}
3. B → M : {N_B}_x

Comparison with the original BY protocol shows that the above protocol is no more costly in either computational or communications requirements. Therefore it appears to be just as suitable as the original for the situation where M has limited computing power.
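As an added illustration (not code from the paper), the following Python models which values B's signature check binds in the original BY protocol and in the revised message 2. Signatures are modelled as HMAC-SHA256 under a per-principal secret looked up by identity (standing in for PK_M and PK_M^{-1}), and session keys are random bytes; the relaying scenario is the paper's own parallel-session attack, reproduced only to show that the revised check rejects it.

```python
"""Model of the Beller-Yacobi signature check: original message 4 versus the
revised message 2.  Added example, not the paper's code.  sign()/verify() are
HMAC-SHA256 under a constructed long-term secret per principal, standing in
for the ElGamal signature under PK_M^-1; only the bound fields matter here."""
import hashlib
import hmac
import os

# Constructed long-term "private keys" for the mobile M and the rogue principal C.
PRIVATE_KEYS = {"M": b"mobile-longterm-secret", "C": b"rogue-longterm-secret"}


def h(*parts: bytes) -> bytes:
    """One-way hash over length-prefixed fields, so (B, M, N_B, x) cannot be re-split."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(2, "big") + p)
    return d.digest()


def sign(signer: str, data: bytes) -> bytes:
    return hmac.new(PRIVATE_KEYS[signer], data, hashlib.sha256).digest()


def verify(signer: str, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(signer, data), sig)


# Original BY protocol, message 4: M signs the bare challenge N_B.
def original_sign(mobile: str, n_b: bytes) -> bytes:
    return sign(mobile, n_b)


def original_verify(mobile: str, n_b: bytes, sig: bytes) -> bool:
    return verify(mobile, n_b, sig)


# Revised message 2: M signs h(B, M, N_B, x), binding peer, own identity, challenge and key.
def improved_sign(mobile: str, base: str, n_b: bytes, x: bytes) -> bytes:
    return sign(mobile, h(base.encode(), mobile.encode(), n_b, x))


def improved_verify(mobile: str, base: str, n_b: bytes, x: bytes, sig: bytes) -> bool:
    return verify(mobile, h(base.encode(), mobile.encode(), n_b, x), sig)


def honest_run() -> bool:
    """B and M in one revised-protocol session: B's check on message 2 succeeds."""
    n_b, x = os.urandom(8), os.urandom(16)
    return improved_verify("M", "B", n_b, x, improved_sign("M", "B", n_b, x))


def parallel_session_accepted(improved: bool) -> bool:
    """B's verdict in the paper's parallel-session scenario: C holds key x with B
    while masquerading as M, forwards B's challenge N_B unchanged into its own
    session with M (key x'), and relays M's signature back to B.
    Returns True if B accepts the relayed signature."""
    n_b = os.urandom(8)
    x = os.urandom(16)        # key B believes it shares with M; really held by C
    x_prime = os.urandom(16)  # key M genuinely established with C
    if not improved:
        sig = original_sign("M", n_b)              # M signs only N_B ...
        return original_verify("M", n_b, sig)      # ... so B cannot tell which session it came from
    sig = improved_sign("M", "C", n_b, x_prime)    # M binds its real peer C and key x'
    return improved_verify("M", "B", n_b, x, sig)  # B checks for itself and x: mismatch
```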

4 Aziz-Diffie protocol

The protocol proposed by Aziz and Diffie [1] uses public-key cryptography for securing the wireless link. It is assumed that each protocol participant (a mobile M and base B) has a public-key certificate signed by a trusted certification authority. The certificate binds a principal's name and its public key amongst other information; the corresponding private key is kept secret by that principal. The public keys of M and B are denoted as PK_M and PK_B respectively; the corresponding private keys are denoted as PK_M^{-1} and PK_B^{-1} respectively. Cert(M) and Cert(B) denote the public-key certificates of M and B, respectively. In the following, alg_list denotes a list of flags representing potential shared-key algorithms chosen by the mobile. The flag sel_alg represents the particular algorithm selected by the base from the list alg_list. The selected algorithm is subsequently employed for encipherment of the call data once the protocol is completed and a session key is established between M and B. The protocol for providing the initial connection setup between a mobile and base runs as follows [1].

1. M → B : Cert(M), N_M, alg_list
2. B → M : Cert(B), {x_B}_{PK_M}, sel_alg, {hash({x_B}_{PK_M}, sel_alg, N_M, alg_list)}_{PK_B^{-1}}
3. M → B : {x_M}_{PK_B}, {hash({x_M}_{PK_B}, {x_B}_{PK_M})}_{PK_M^{-1}}

Here N_M is a random challenge generated by M; x_M and x_B denote the partial session key values chosen by M and B, respectively. The session key x is calculated from x_M and x_B. The above protocol makes heavy use of public key cryptography. The mobile has to perform two computationally expensive operations using its private key: one decryption to recover x_B from message 2, and one encryption to generate the signature in message 3. A weakness in the protocol has been found by Meadows [11], who shows how a rogue principal C can replay a (legitimate) mobile M's challenge in one run to start another run and pass off B's response containing a partial session key intended for C as if it were for M without this spoof being detected. Inspired by Meadows' attack, we construct another attack below to show how B may be spoofed similarly:

1. C → B : Cert(M), N_C, alg_list
2. B → C : Cert(B), {x_B}_{PK_M}, sel_alg, {hash({x_B}_{PK_M}, sel_alg, N_C, alg_list)}_{PK_B^{-1}}
1'. M → C : Cert(M), N_M, alg_list
2'. C → M : Cert(C), {x_B}_{PK_M}, sel_alg, {hash({x_B}_{PK_M}, sel_alg, N_M, alg_list)}_{PK_C^{-1}}
3'. M → C : {x_M}_{PK_C}, {hash({x_M}_{PK_C}, {x_B}_{PK_M})}_{PK_M^{-1}}
3. C → B : {x_M}_{PK_C}, {hash({x_M}_{PK_C}, {x_B}_{PK_M})}_{PK_M^{-1}}

The result of the above attack is that B computes a false session key for use with M, even though M does not really engage in a protocol run with B. As with Meadows' attack, the confidentiality of the session key is not breached by our attack. It might therefore be argued that neither Meadows' attack nor our above attack is serious. However, the provision of session key integrity appears to have been specifically desired by the protocol authors and is a reasonable goal to achieve. Essentially, the above attack works because the attacker C is able to construct message 2' without the knowledge of x_B. This is prevented if the base were to sign x_B rather than {x_B}_{PK_M} in the signature forming part of message 2 of the original protocol.
We also note that the protocol includes {x_B}_{PK_M} in the signature forming part of message 3 to assure B of the freshness of the partial session key sent by M. This appears more economical than introducing a separate challenge for the above purpose: x_B doubles up as a random challenge in message 2. However, this is not a significant issue since the computational power of the base is not a limiting factor in the protocol design. We may thus use a more conventional challenge-response mechanism to ensure freshness of the partial session key sent from the mobile to the base in message 3 of the protocol. The revised protocol is as follows, where N_B is a random challenge generated by B.

1. M → B : Cert(M), N_M, alg_list
2. B → M : Cert(B), N_B, {x_B}_{PK_M}, sel_alg, {hash(x_B, M, N_M, sel_alg)}_{PK_B^{-1}}
3. M → B : {x_M}_{PK_B}, {hash(x_M, B, N_B)}_{PK_M^{-1}}

We next show a more subtle attack on the original protocol by exploiting the structure of public key certificates. A public-key certificate employed by the protocol consists of the following: (i) a set of attributes associated with the certificate owner; (ii) a signature over this set under the private key of a certification authority CA. In particular, (i) includes the identity of the owner and its public key amongst other information. The exact set of attributes is defined as follows [1]:

{Serial Number, Validity Period, Machine Name, Machine Public Key, CA name}.

Such a definition does not make it clear whether the certificates for a mobile and base are distinguishable. Assuming the two are indistinguishable, it is easy to see that a rogue mobile can masquerade as the base in the protocol simply by constructing a message of the appropriate form in place of B. One way to avoid this attack is by stipulating that the set of attributes above should include a distinguishing identifier that conveys the type of the certificate owner (mobile or base). The point of our attack is to illustrate the danger of omitting a security-critical parameter from the protocol design.
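The following Python is an added example (not the paper's or the protocol authors' code) of the checks the mobile M would apply to message 2 of the revised protocol above, using certificates that carry the attribute set listed for the Aziz-Diffie protocol plus the proposed owner-type attribute. The CA signature and the principals' signatures are modelled as HMAC-SHA256 under constructed secrets looked up by a public-key label, and x_B is handed to the check in the clear as if M had already decrypted {x_B}_{PK_M}.

```python
"""Certificate role check and revised message 2 verification at the mobile.
Added example, not from the paper.  Signatures are modelled as HMAC-SHA256
under constructed secrets (CA_SECRET for the CA, PRIVATE_KEYS for principals,
keyed by a public-key label that stands in for PK_B / PK_M)."""
import hashlib
import hmac

CA_SECRET = b"constructed-ca-secret"
# Constructed key pairs: public-key label -> private signing secret.
PRIVATE_KEYS = {"pk-base-1": b"base-1-secret", "pk-mobile-7": b"mobile-7-secret"}
# The paper's attribute set (Serial Number, Validity Period, Machine Name,
# Machine Public Key, CA name) plus the proposed distinguishing owner type.
CERT_FIELDS = ("serial", "valid_from", "valid_to", "name", "public_key", "ca", "owner_type")


def h(*parts: bytes) -> bytes:
    """Hash over length-prefixed fields so adjacent values cannot be re-split."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(2, "big") + p)
    return d.digest()


def cert_body(cert: dict) -> bytes:
    return h(*(str(cert[k]).encode() for k in CERT_FIELDS))


def ca_issue(serial: int, valid_from: int, valid_to: int, name: str,
             public_key: str, owner_type: str) -> dict:
    """CA signs the attribute set; owner_type is 'mobile' or 'base'."""
    cert = {"serial": serial, "valid_from": valid_from, "valid_to": valid_to,
            "name": name, "public_key": public_key, "ca": "CA", "owner_type": owner_type}
    cert["ca_sig"] = hmac.new(CA_SECRET, cert_body(cert), hashlib.sha256).digest()
    return cert


def check_cert(cert: dict, expected_type: str, now: int) -> bool:
    """CA signature, validity period, and the role check the paper says is missing."""
    expected_sig = hmac.new(CA_SECRET, cert_body(cert), hashlib.sha256).digest()
    ok_sig = hmac.compare_digest(expected_sig, cert["ca_sig"])
    in_period = cert["valid_from"] <= now <= cert["valid_to"]
    return ok_sig and in_period and cert["owner_type"] == expected_type


def sign(public_key: str, data: bytes) -> bytes:
    return hmac.new(PRIVATE_KEYS[public_key], data, hashlib.sha256).digest()


def verify(public_key: str, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(public_key, data), sig)


def base_msg2(cert: dict, n_b: bytes, x_b: bytes, mobile_name: str,
              n_m: bytes, sel_alg: str) -> dict:
    """Revised message 2: Cert(B), N_B, x_B (modelled as already decrypted by M),
    sel_alg, and {hash(x_B, M, N_M, sel_alg)}_{PK_B^-1} over the plaintext x_B."""
    sig = sign(cert["public_key"], h(x_b, mobile_name.encode(), n_m, sel_alg.encode()))
    return {"cert": cert, "n_b": n_b, "x_b": x_b, "sel_alg": sel_alg, "sig": sig}


def mobile_accepts_msg2(msg: dict, my_name: str, n_m: bytes, alg_list: list, now: int) -> bool:
    """M's acceptance test for message 2 of the revised protocol."""
    cert = msg["cert"]
    if not check_cert(cert, "base", now):   # a mobile certificate offered as a base's is refused
        return False
    if msg["sel_alg"] not in alg_list:      # the base must choose from the list M offered
        return False
    expected = h(msg["x_b"], my_name.encode(), n_m, msg["sel_alg"].encode())
    return verify(cert["public_key"], expected, msg["sig"])
```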

5 Other Protocols

A great many other protocols have been proposed for key management and authentication in mobile communications. Due to space restrictions we cannot consider any more protocols in detail here. We briefly mention two other prominent sets of protocols.

5.1 TMN Protocol

One of the earliest suggested protocols for use in a mobile environment was that of Tatebayashi, Matsuzaki and Newman [17], which has widely become known as the TMN protocol. In distinction to the protocols examined above, the TMN protocol takes place between two mobile stations M and M' who wish to exchange a session key to provide end-to-end security, making use of a server S. The design takes account of the limitations in mobile station computational ability by requiring the mobile stations only to encrypt with short RSA [16] public exponents. A number of attacks have been published on the TMN protocol, some of which rely on the specific cryptographic algorithms used, and others exploiting problems in the message structures [10]. For example an attack based on the algebraic properties of the encryption algorithms has been found by Park et al. [14]. They also suggest improved protocols. However, since S has a shared secret with all parties in the repaired protocols it is worthwhile questioning whether the use of public key cryptography is justified in this case.

5.2 Varadharajan-Mu

A set of protocols proposed by Varadharajan and Mu [19, 20] uses a basic architecture similar to that in the current standard protocols: mobile users share a secret with their home domain which is used to establish a session key whenever they roam into a different domain. Another similarity is that temporary identities are used (although they are here termed subliminal identities) to provide for user anonymity. A potential problem with all the protocols is that the temporary identities are also used as nonces. This is possible because the identity is normally updated at every protocol run, but it may cause practical difficulties if the mobile and home location lose synchronisation on the temporary identity, which is inevitable in the long run. Recovery from loss of synchronisation is not addressed by the protocol authors. As well as authentication and key exchange for mobile to base station, protocols for end-to-end security are proposed. A symmetric key solution relies on trusting the home and visited locations to distribute the session key; alternative models in which an independent trusted third party is used may be preferable to some users. An alternative public key solution [20] overcomes this objection because the session key need not be available to any parties apart from the users. However, this protocol requires full public key exponentiations as used in the MSR+DH protocol, and therefore may not be suitable with current technology.

6 Comparison

Table 1 attempts to compare the main features of interest in the different protocols we have examined in the paper. Those protocols that use public key cryptography are classified as using either light or heavy algorithms to indicate the computational complexity required by the mobile agents. It should be emphasised that this gives only a rough indication since specific algorithms can differ markedly in their required computation. However, in most cases we can differentiate between those protocols which have been designed with the limited computational ability of a mobile in mind, and which use light public key cryptography, and those which have not, and use heavy public key cryptography.

Protocol          Scope     Anonymity   Public Key   Flaws   Comments
BCY               Link      Yes         Light        Yes
Beller-Yacobi     Link      Yes         Light        Yes
Aziz-Diffie       Link      No          Heavy        Yes
TMN               End-End   No          Light        Yes
Varadharajan-Mu   Both      Yes         Heavy        No      Also symmetric

Table 1. Comparison of Major Features of Different Protocols

References

1. A. Aziz and W. Diffie, "Privacy and Authentication for Wireless Local Area Networks," IEEE Personal Communications, vol. 1, pp. 25-31, 1994.
2. A. M. Basyouni and S. E. Tavares, "Public Key versus Private Key in Wireless Authentication Protocols," Proceedings of the Canadian Workshop on Information Theory, pp. 41-44, Toronto, June 1997.
3. M. J. Beller, L.-F. Chang, and Y. Yacobi, "Privacy and Authentication on a Portable Communications System," in Proceedings of GLOBECOM'91, pp. 1922-1927, IEEE Press, 1991.
4. M. J. Beller, L.-F. Chang, and Y. Yacobi, "Security for Personal Communication Services: Public-Key vs. Private Key Approaches," in Proceedings of Third IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC'92), pp. 26-31, IEEE Press, 1992.
5. M. J. Beller, L.-F. Chang, and Y. Yacobi, "Privacy and Authentication on a Portable Communications System," IEEE Journal on Selected Areas in Communications, vol. 11, pp. 821-829, Aug. 1993.
6. M. J. Beller and Y. Yacobi, "Fully-Fledged Two-Way Public Key Authentication and Key Agreement for Low-Cost Terminals," Electronics Letters, vol. 29, pp. 999-1001, May 1993.
7. U. Carlsen, "Optimal Privacy and Authentication on a Portable Communications System," ACM Operating Systems Review, vol. 28, no. 3, pp. 16-23, 1994.
8. W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. 22, pp. 644-654, 1976.
9. T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, vol. 31, pp. 469-472, 1985.
10. R. Kemmerer, C. Meadows and J. Millen, "Three Systems for Cryptographic Protocol Analysis," Journal of Cryptology, vol. 7, pp. 79-130, 1994.
11. C. Meadows, "Formal Verification of Cryptographic Protocols: A Survey," in Advances in Cryptology - ASIACRYPT '94 (J. Pieprzyk and R. Safavi-Naini, eds.), vol. 917 of Lecture Notes in Computer Science, pp. 135-150, Springer-Verlag, 1995. Invited lecture.
12. C. J. Mitchell, "Security in Future Mobile Networks," in Proc. Second International Workshop on Mobile Multi-Media Communications (MoMuC-2), 1995.
13. R. Needham, "The Changing Environment for Security Protocols," IEEE Network Magazine, vol. 11, no. 3, pp. 12-15, May/June 1997.
14. C. Park, K. Kurosawa, T. Okamoto and S. Tsujii, "On Key Distribution and Authentication in Mobile Radio Networks," Advances in Cryptology - Eurocrypt'93, Springer-Verlag, 1994, pp. 461-465.
15. M. O. Rabin, "Digitalized Signatures and Public-Key Functions as Intractable as Factorization," MIT/LCS/TR-212, MIT Laboratory for Computer Science, 1979.
16. R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Comm. ACM, vol. 21, pp. 120-126, Feb. 1978.
17. M. Tatebayashi, N. Matsuzaki and D. B. Newman Jr., "Key Distribution Protocol for Digital Mobile Communications Systems," Advances in Cryptology - Crypto'89, Springer-Verlag, 1990, pp. 324-333.
18. K. Vedder, "Security Aspects of Mobile Communications," in Computer Security and Industrial Cryptography (B. Preneel, R. Govaerts, and J. Vandewalle, eds.), vol. 741 of Lecture Notes in Computer Science, pp. 193-210, Springer-Verlag, 1993.
19. V. Varadharajan and Y. Mu, "Design of Secure End-to-End Protocols for Mobile Systems," Wireless 96 Conference, Alberta, Canada, pp. 561-568.
20. V. Varadharajan and Y. Mu, "On the Design of Security Protocols for Mobile Communications," ACISP'96 Conference, Springer-Verlag, 1996, pp. 134-145.