Peer-to-Peer Netw. Appl. DOI 10.1007/s12083-014-0249-3

On the security of a certificateless online/offline signcryption for Internet of Things

Wenbo Shi, Neeraj Kumar, Peng Gong, Naveen Chilamkurti and Hangbae Chang

Received: 2 January 2014 / Accepted: 14 January 2014. © Springer Science+Business Media New York 2014

Abstract With the development of Internet of Things (IOT) applications, information security and user privacy protection in the IOT have attracted wide attention across the globe. To address this problem, Luo et al. proposed an efficient certificateless online/offline signcryption (COOSC) scheme for the IOT and demonstrated that it is provably secure in the random oracle model. However, in this paper we show that their scheme is vulnerable to the private key compromise problem, i.e., an adversary who intercepts a single signcrypted message can recover the sender's complete private key, and with it the plaintext. The analysis shows that Luo et al.'s scheme is not suitable for the IOT.

Keywords Internet of Things · Certificateless cryptography · Online/offline signcryption · Bilinear pairing

W. Shi, Department of Electronic Engineering, Northeastern University at Qinhuangdao, Qinhuangdao, China. e-mail: [email protected]
N. Kumar (corresponding author), Computer Science & Engineering, Thapar University, Patiala, India. e-mail: [email protected]
P. Gong, National Key Laboratory of Mechatronic Engineering and Control, School of Mechatronical Engineering, Beijing Institute of Technology, Beijing, China. e-mail: [email protected]
N. Chilamkurti, Department of Computer Science and Computer Engineering, La Trobe University, Melbourne, Australia. e-mail: [email protected]
H. Chang, Department of Business Administration, Sangmyung University, Seoul, South Korea. e-mail: [email protected]

1 Introduction

The Internet of Things (IOT) is the interconnection of highly heterogeneous networked entities and networks, covering human-to-human, human-to-thing, thing-to-thing and thing-to-things communication [1]. With the development of communication technology, the IOT has been widely used in fields such as military surveillance, medical care and industrial control. With these wide applications, how to provide secure communication in the IOT has attracted wide public concern. To address the problem, many schemes, such as key management schemes [2], location privacy protection schemes [3] and signcryption schemes [4], have been proposed for different applications. Compared with other schemes, the online/offline signcryption scheme is more suitable for the IOT since it realizes authentication, confidentiality, non-repudiation and integrity simultaneously. Besides, its performance is much better since most of the computation is finished in the offline phase.

The concept of signcryption was proposed by Zheng [5]. In such a scheme, the user signs and encrypts a message in a single operation, which makes it very suitable for low-power devices. Since then, many public key infrastructure (PKI)-based and identity (ID)-based schemes [6–8] have been proposed for different applications. To improve performance further, Even et al. [9] introduced the online/offline paradigm for digital signatures, from which the online/offline signcryption (OOSC) scheme is derived. In such a scheme, the whole process is split into two phases, an offline phase and an online phase. In the first phase, most of the complicated computations are finished without knowing the message or the receiver's information; only very light computations remain for the second phase. Therefore, the OOSC scheme is even more suitable for low-power devices. Zhang et al. [10] proposed the first PKI-based OOSC scheme with provable security. To satisfy applications in the ID-based setting, Sun et al. [11] proposed the first ID-based OOSC scheme and showed that it is provably secure in the random oracle model. Unfortunately, Liu et al. [12] found that the previous schemes [9–11] are not real OOSC schemes, since the receiver's public key or identity is needed in the offline phase. To solve the problem, Liu et al. also proposed an improved scheme. However, Selvi et al. [13] pointed out that Liu et al.'s scheme cannot provide sender anonymity. Li et al. [14] proposed a more efficient ID-based OOSC scheme using pairings.

Recently, certificateless public key cryptography has been studied widely, since it overcomes both the certificate management problem of PKI-based public key cryptography and the key escrow problem of ID-based public key cryptography. Many certificateless key agreement schemes [15–17], certificateless digital signature schemes [18–21] and certificateless encryption schemes [22, 23] have been proposed for different applications. To satisfy applications in the certificateless setting, Luo et al. [24] proposed the first certificateless online/offline signcryption (COOSC) scheme for the IOT and demonstrated that it is provably secure in the random oracle model. Unfortunately, in this paper we point out that their scheme is vulnerable to the private key compromise problem: a passive adversary who intercepts a single full signcryption recovers the sender's complete private key. The analysis shows that their scheme is not suitable for practical applications.

The organization of the paper is as follows. Section 2 gives some preliminaries on bilinear pairings. Section 3 gives a brief review of Luo et al.'s scheme. The security analysis of Luo et al.'s scheme is given in Section 4. Finally, we draw some conclusions in Section 5.

2 Preliminaries

Let G1 be a cyclic additive group and G2 a cyclic multiplicative group, both of prime order p. Let P be a generator of G1. A map e: G1 × G1 → G2 is called a bilinear pairing if it satisfies the following three properties.
1) Bilinearity: For any Q, R ∈ G1 and a, b ∈ Z*p, e(aQ, bR) = e(Q, R)^{ab}.
2) Non-degeneracy: For the generator P of G1, $e(P, P) \neq 1_{G_2}$.
3) Computability: For all Q, R ∈ G1, there is an efficient algorithm to compute e(Q, R).

The following problems are widely believed to be intractable in polynomial time.

Computational Diffie-Hellman (CDH) problem: Given a generator P of G1 and two random points aP, bP ∈ G1, compute abP ∈ G1.

Bilinear Computational Diffie-Hellman (BCDH) problem: Given a generator P of G1 and three random points aP, bP, cP ∈ G1, compute e(P, P)^{abc} ∈ G2.

3 Review of Luo et al.'s scheme

In this section, we briefly review Luo et al.'s COOSC scheme. It consists of six algorithms: Setup (called MasterKeyGen below), PartialKeyGen, KeyGen, OffSigncrypt, OnSigncrypt and UnSigncrypt. The details of these algorithms are as follows.

MasterKeyGen: Taking a security parameter k, the KGC executes the following steps to generate the system parameters.
1) Generate a cyclic additive group G1 and a cyclic multiplicative group G2 of prime order p.
2) Choose a generator P of G1 and a bilinear pairing e: G1 × G1 → G2.
3) Choose a random s ∈ Z*p as the master secret key and compute the master public key Ppub = sP.
4) Choose three secure cryptographic hash functions H1: {0,1}* → Z*p, H2: G1 × G2 → Z*p and H3: {0,1}* × G1 × G1 × G1 × G1 → Z*p.
5) Publish the system parameters {G1, G2, e, P, Ppub, H1, H2, H3} and keep the master key s secret.

PartialKeyGen: Taking a user U's identity IDU, the master key and the system parameters as inputs, the KGC executes the following steps to generate U's partial private key.
1) Compute hU = H1(IDU).
2) Compute the partial private key DU = (1/(hU + s))P and the first part of the public key QU = (hU + s)P = hUP + Ppub.

KeyGen: Taking the user U's identity IDU, the system parameters, the partial private key DU and the public key part QU as inputs, U executes the following steps to generate his private key and public key.
1) Generate a random xU ∈ Z*p and compute PU = xUP.
2) Publish the public key (PU, QU) and keep the private key (xU, DU) secret.

OffSigncrypt: Taking the system parameters and the sender A's private key (xA, DA) as inputs, A executes the following steps to generate an offline signcryption. Note that neither the message nor the receiver is needed here.
1) Generate a random x ∈ Z*p.
2) Compute T = e(P, P)^x, R = xPpub and S = x^{-1}(DA + P).
3) Return δ = (x, R, S, T) as the offline signcryption.


OnSigncrypt: Taking a message m, the system parameters, the offline signcryption δ = (x, R, S, T), the sender A's public key (PA, QA) and private key (xA, DA), and the receiver B's identity IDB and public key (PB, QB) as inputs, A executes the following steps to generate the full signcryption.
1) Compute the session key sk = H2(xAPB, T) and y = sk ⊕ m.
2) Compute hB = H1(IDB), h = H3(y, PA, PB, R, S), u = x(xA + h) mod p and v = xhB + xA mod p.
3) Return the full signcryption σ = (y, u, v, R, S).

UnSigncrypt: Taking a full signcryption σ = (y, u, v, R, S), the sender A's public key (PA, QA), and the receiver B's private key (xB, DB) and public key (PB, QB) as inputs, B executes the following steps to output the plaintext m, or the symbol ⊥ if σ is not a valid signcryption.
1) Compute h = H3(y, PA, PB, R, S).
2) Check whether e(S, uQA) = e(PA + hP, P + QA) = e(PA, P + QA) · e(P, P + QA)^h holds. If it does not, return ⊥.
3) Compute W = e(vP + R − PA, DB) and sk = H2(xBPA, W).
4) Return the plaintext m = sk ⊕ y.

4 Cryptanalysis of Luo et al.'s scheme

In this section, we analyze the security of Luo et al.'s COOSC scheme. Because of the openness of the IOT, we assume that the adversary has total control over the channel between the sender and the receiver, i.e., the adversary can freely intercept, modify, delete or insert any message on the channel. There are two types of adversary in COOSC schemes, the Type I adversary A1 and the Type II adversary A2. The Type I adversary A1 can replace any user's public key at will. The Type II adversary A2 has access to the master secret key and can compute the partial private key of any user. Luo et al. demonstrated that their scheme is secure against both types of adversary in the random oracle model. However, we find that a general adversary C, who can neither replace the sender A's public key nor compute A's partial private key, obtains A's private key as soon as he gets a single full signcryption. The attack proceeds as follows.

1) C intercepts a full signcryption σ = (y, u, v, R, S) sent by the sender A, where y = sk ⊕ m, u = x(xA + h) mod p, v = xhB + xA mod p, R = xPpub, S = x^{-1}(DA + P), sk = H2(xAPB, T), T = e(P, P)^x and hB = H1(IDB). Since IDB, PA, PB, R, S and y are all public, C computes hB = H1(IDB) and h = H3(y, PA, PB, R, S) himself.

2) From u = x(xA + h) mod p and v = xhB + xA mod p, C obtains

$h_B u = x h_B (x_A + h) \bmod p$ (1)

and

$v(x_A + h) = x h_B (x_A + h) + x_A (x_A + h) \bmod p$ (2)

From (1) and (2), C gets

$v(x_A + h) = h_B u + x_A (x_A + h) \bmod p$ (3)

Rearranging (3) gives

$x_A^2 + (h - v) x_A = hv - h_B u \bmod p$ (4)

Completing the square,

$x_A^2 + (h - v) x_A + ((h - v)/2)^2 = hv - h_B u + ((h - v)/2)^2 \bmod p$ (5)

and therefore

$(x_A + (h - v)/2)^2 = hv - h_B u + ((h - v)/2)^2 \bmod p$ (6)

3) Using an algorithm for finding square roots modulo a prime [25], C computes the two roots z′ and z″ of the equation z^2 = hv − hBu + ((h − v)/2)^2 mod p, and hence the two candidates x′A = z′ − (h − v)/2 and x″A = z″ − (h − v)/2 for the value of xA.

4) C checks whether x′AP = PA holds. If it does, xA = x′A; otherwise xA = x″A. C then computes x = hB^{-1}(v − xA) mod p from v = xhB + xA mod p.

5) Since S = x^{-1}(DA + P), C obtains A's partial private key as DA = xS − P. C now holds A's complete private key (xA, DA).

From the above description, the adversary C obtains the sender A's private key (xA, DA) from one intercepted signcryption, without replacing any public key and without the master secret key. Besides, C recovers the plaintext by computing T = e(P, P)^x, sk = H2(xAPB, T) and m = sk ⊕ y. Therefore, Luo et al.'s COOSC scheme is not secure for practical applications.
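The scheme of Section 3 and the attack in steps 1)–5) above, as an added example; this is not code from this paper or from Luo et al. It is a scalar simulation: every element aP of G1 is stored as the integer a mod p and every pairing value e(P,P)^c as its exponent c, so bilinearity, the verification equation of UnSigncrypt, the receiver's recovery of W = T and the adversary C's arithmetic all become computations in Z_p, and the single point operation in the attack, the check x′AP = PA, becomes an integer comparison. The simulation is faithful for the attack because C never needs to solve CDH or BCDH. The prime p = 2^127 − 1, the SHA-256 stand-ins for H1, H2 and H3, the identities and the message are constructed assumptions, and the function names keygen, signcrypt, unsigncrypt, recover_private_key and run_attack are the example's own.

```python
import hashlib
import secrets

# Constructed group order for the simulation: the Mersenne prime 2^127 - 1.
# Any odd prime works; the attack does not depend on the choice (assumption).
p = (1 << 127) - 1

def inv(a):
    """Inverse in Z_p (p prime): used for x^{-1}, h_B^{-1}, 1/2 and 1/(h_U + s)."""
    return pow(a % p, p - 2, p)

def H(*parts):
    """Stand-in for H1, H2, H3 (assumption): SHA-256 of the inputs, mapped into Z*_p."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p or 1

def sqrt_mod_p(n):
    """Tonelli-Shanks square root modulo p (the paper cites [25] for this step).
    Returns r with r*r == n (mod p), or None if n is a quadratic non-residue."""
    n %= p
    if n == 0:
        return 0
    if pow(n, (p - 1) // 2, p) != 1:
        return None
    q, s = p - 1, 0
    while q % 2 == 0:                        # p - 1 = q * 2^s with q odd
        q //= 2
        s += 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:  # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                       # least i with t^(2^i) == 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def keygen(s, user_id):
    """PartialKeyGen (KGC, master key s) + KeyGen (user); G1 points stored as scalars."""
    h_u = H("H1", user_id)
    x_u = secrets.randbelow(p - 1) + 1
    return {"id": user_id, "x": x_u, "P": x_u,        # P_U = x_U P
            "D": inv(h_u + s), "Q": (h_u + s) % p}    # D_U = (1/(h_U+s)) P, Q_U = (h_U+s) P

def signcrypt(A, B, m, P_pub):
    """OffSigncrypt followed by OnSigncrypt; returns sigma = (y, u, v, R, S)."""
    x = secrets.randbelow(p - 1) + 1                  # offline phase
    T = x                                             # T = e(P,P)^x, kept as the exponent
    R = x * P_pub % p                                 # R = x P_pub
    S = inv(x) * (A["D"] + 1) % p                     # S = x^{-1}(D_A + P)
    sk = H("H2", A["x"] * B["P"] % p, T)              # online phase: sk = H2(x_A P_B, T)
    y = sk ^ m
    h_b = H("H1", B["id"])
    h = H("H3", y, A["P"], B["P"], R, S)
    u = x * (A["x"] + h) % p
    v = (x * h_b + A["x"]) % p
    return (y, u, v, R, S)

def unsigncrypt(sigma, A_pub, B):
    """UnSigncrypt as receiver B: verify, recover W = T, decrypt; None if sigma is invalid."""
    y, u, v, R, S = sigma
    h = H("H3", y, A_pub["P"], B["P"], R, S)
    # e(S, uQ_A) = e(P_A + hP, P + Q_A) becomes S*u*Q_A == (P_A + h)(1 + Q_A) in the exponent
    if S * u * A_pub["Q"] % p != (A_pub["P"] + h) * (1 + A_pub["Q"]) % p:
        return None
    W = (v + R - A_pub["P"]) * B["D"] % p             # e(vP + R - P_A, D_B) = e(P,P)^x
    return H("H2", B["x"] * A_pub["P"] % p, W) ^ y

def recover_private_key(sigma, A_pub, B_pub):
    """Adversary C (Section 4): from one sigma and public data, output (x_A, D_A, x)."""
    y, u, v, R, S = sigma
    h_b = H("H1", B_pub["id"])                        # C recomputes h_B and h: inputs are public
    h = H("H3", y, A_pub["P"], B_pub["P"], R, S)
    half = (h - v) * inv(2) % p                       # (h - v)/2 in Z_p
    rhs = (h * v - h_b * u + half * half) % p         # right-hand side of eq. (6)
    z = sqrt_mod_p(rhs)                               # a residue by construction, never None
    candidates = [(z - half) % p, (-z - half) % p]    # x'_A and x''_A
    x_a = next(c for c in candidates if c == A_pub["P"])   # keep the one with x'_A P = P_A
    x = (v - x_a) * inv(h_b) % p                      # x = h_B^{-1}(v - x_A)
    d_a = (x * S - 1) % p                             # D_A = x S - P
    return x_a, d_a, x

def run_attack():
    """Honest signcryption and decryption, then C's key and plaintext recovery."""
    s = secrets.randbelow(p - 1) + 1                  # KGC master key; C never sees it
    A, B = keygen(s, "sensor-A"), keygen(s, "gateway-B")
    public = {U["id"]: {k: U[k] for k in ("id", "P", "Q")} for U in (A, B)}
    m = int.from_bytes(b"telemetry:42", "big")        # constructed message
    sigma = signcrypt(A, B, m, s)                     # P_pub = sP is the scalar s here
    x_a, d_a, x = recover_private_key(sigma, public["sensor-A"], public["gateway-B"])
    sk = H("H2", x_a * public["gateway-B"]["P"] % p, x)   # C rebuilds T = e(P,P)^x, then sk
    return {"receiver_ok": unsigncrypt(sigma, public["sensor-A"], B) == m,
            "key_recovered": (x_a, d_a) == (A["x"], A["D"]),
            "plaintext_recovered": sk ^ sigma[0] == m}
```

run_attack() returns three booleans: the honest receiver decrypts, C recovers exactly (xA, DA), and C recovers m. Two points worth noting for anyone reproducing the attack: the square-root step can never fail, because the right-hand side of (6) equals (xA + (h − v)/2)^2 by construction and is therefore always a quadratic residue; and exactly one of the two roots passes the x′AP = PA check (both do only when xA + (h − v)/2 = 0, in which case they coincide).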

5 Conclusion

Recently, Luo et al. proposed an efficient COOSC scheme for the Internet of Things and claimed that it is provably secure in the random oracle model. However, after reviewing their scheme and analyzing its security, we have demonstrated that it is vulnerable to the private key compromise problem: an adversary who intercepts a single full signcryption recovers the sender's private key (xA, DA) and the plaintext. The analysis shows that their scheme is not secure at all. We do not yet have a method for overcoming the weakness in their scheme, since designing a secure COOSC scheme is not easy; we hope to finish that task in the near future.

Acknowledgments The authors thank the editors and the anonymous reviewers for their valuable comments. This research was supported by the National Natural Science Foundation of China (no. 61202447), the Natural Science Foundation of Hebei Province of China (no. F2013501066), the Northeastern University at Qinhuangdao Science and Technology Support Program (no. xnk201307), the Beijing Natural Science Foundation (no. 4132055), and the Excellent Young Scholars Research Fund of Beijing Institute of Technology.

Conflict of Interest The author(s) declare(s) that there is no conflict of interests regarding the publication of this article.

References

1. Heer T, Garcia-Morchon O, Hummen R et al (2011) Security challenges in the IP-based Internet of Things. Wirel Pers Commun 61(3):527–542
2. Yan T, Wen QY (2012) A trust-third-party based key management protocol for secure mobile RFID service based on the Internet of Things. Advances in Intelligent and Soft Computing, vol 135. Springer-Verlag, Berlin, pp 201–208
3. Liu J, Hu X, Wei ZQ et al (2012) Location privacy protect model based on positioning middleware among the Internet of Things. In: Proceedings of Computer Science and Electronics Engineering, Hangzhou, China, pp 288–291
4. Zhou X, Jin Z, Fu Y et al (2011) Short signcryption scheme for the Internet of Things. Informatica 35:521–530
5. Zheng Y (1997) Digital signcryption or how to achieve cost(signature & encryption) ≪ cost(signature) + cost(encryption). In: Goos G, Hartmanis J, van Leeuwen J (eds) Advances in Cryptology – CRYPTO 1997, LNCS, vol 1294. Springer-Verlag, Berlin, pp 291–312
6. An JH, Dodis Y, Rabin T (2002) On the security of joint signature and encryption. In: Knudsen LR (ed) Advances in Cryptology – EUROCRYPT 2002, LNCS, vol 2332. Springer-Verlag, Berlin, pp 83–107
7. Malone-Lee J (2002) Identity based signcryption. Cryptology ePrint Archive, Report 2002/098
8. Libert B, Quisquater JJ (2003) A new identity based signcryption scheme from pairings. In: 2003 IEEE Information Theory Workshop, Paris, France, pp 155–158
9. Even S, Goldreich O, Micali S (1996) On-line/off-line digital signatures. J Cryptol 9(1):35–67
10. Zhang F, Mu Y, Susilo W (2005) Reducing security overhead for mobile networks. In: Proceedings of Advanced Information Networking and Applications, Taipei, Taiwan, pp 398–403
11. Sun D, Huang X, Mu Y, Susilo W (2008) Identity-based online/offline signcryption. In: Proceedings of Network and Parallel Computing, Shanghai, China, pp 34–41
12. Liu JK, Baek J, Zhou JY (2011) Online/offline identity-based signcryption re-visited. In: Proceedings of Information Security and Cryptology, LNCS, vol 6584. Springer-Verlag, Berlin, pp 36–51
13. Selvi SSD, Vivek SS, Rangan CP (2010) Identity based online/offline signcryption scheme. Cryptology ePrint Archive. Available at: http://eprint.iacr.org/2010/376.pdf
14. Li FG, Khan MK, Alghathbar K, Takagi T (2012) Identity-based online/offline signcryption for low power devices. J Netw Comput Appl 35:340–347
15. He D, Chen Y, Chen J et al (2011) A new two-round certificateless authenticated key agreement protocol without bilinear pairings. Math Comput Model 54(11):3143–3152
16. He D, Chen J, Hu J (2012) A pairing-free certificateless authenticated key agreement protocol. Int J Commun Syst 25(2):221–230
17. He D, Padhye S, Chen J (2012) An efficient certificateless two-party authenticated key agreement protocol. Comput Math Appl 64(6):1914–1926
18. He D, Chen J (2013) An efficient certificateless designated verifier signature scheme. Int Arab J Inf Technol 10(4):317–324
19. He D, Chen Y, Chen J (2013) An efficient certificateless proxy signature scheme without pairing. Math Comput Model 57(9–10):2510–2518
20. He D, Huang B, Chen J (2013) New certificateless short signature scheme. IET Inf Secur 7(2):113–117
21. He D, Chen J, Zhang R (2012) An efficient and provably-secure certificateless signature scheme without bilinear pairings. Int J Commun Syst 25(11):1432–1442
22. Sun Y, Zhang F (2010) Secure certificateless encryption with short ciphertext. Chin J Electron 19(2):313–318
23. Sun Y, Li H (2010) Short-ciphertext and BDH-based CCA2 secure certificateless encryption. Sci China Inf Sci 53(10):2005–2015
24. Luo M, Tu M, Xu J (2013) A security communication model based on certificateless online/offline signcryption for Internet of Things. Secur Commun Netw. doi:10.1002/sec.836
25. Turner SM (1994) Square roots mod p. Am Math Mon 101(5):443–449

Peng Gong is with the National Key Laboratory of Mechatronic Engineering and Control, School of Mechatronical Engineering, Beijing Institute of Technology, Beijing, China (e-mail: [email protected]). He received the B.S. degree in Mechatronic Engineering from Beijing Institute of Technology, Beijing, China, in 2004, and the M.S. and Ph.D. degrees from Inha University, Korea, in 2006 and 2010, respectively. In July 2010, he joined the School of Mechatronical Engineering, Beijing Institute of Technology, China. His research interests include link/system level performance evaluation and radio resource management in wireless systems, network security, and next-generation wireless systems such as 3GPP LTE, UWB, MIMO and cognitive radio.


Wenbo Shi received the M.S. degree from the Inha University, Incheon, South Korea, in 2007 and the Ph.D. degree from the Inha University, Incheon, South Korea, in 2010. Later, he joined School of computer and communication engineering, Northeastern University at Qinhuangdao, China. His main research interests include cryptography, network security and so on.

Dr. Neeraj Kumar is working as Assistant Professor in the Department of Computer Science and Engineering, Thapar University, Patiala, Punjab (India). He received his Ph.D. in CSE from Shri Mata Vaishno Devi University, Katra (India) and completed a postdoctoral fellowship in the UK. He has more than 100 publications in peer-reviewed journals and conferences, including IEEE, Elsevier and Springer venues. His research is focused on mobile computing, parallel/distributed computing, multiagent systems, service-oriented computing, and routing and security issues in wireless ad hoc, sensor and mesh networks. He leads the Mobile Computing and Distributed Systems Research Group. Prior to joining SMVDU, Katra, he worked with HEC Jagadhri and MMEC Mullana, Ambala, Haryana, India. He has delivered invited talks and lectures at various IEEE international conferences in India and abroad, has organized special sessions at international conferences in his area of expertise, and serves on the TPC of various IEEE-sponsored conferences. He is a reviewer and editorial board member for various international journals of repute and guest editor of special issues of more than six international journals. He is a senior member of ACEEE and IACSIT.

Naveen Chilamkurti is currently working as a Senior Lecturer at Department of Computer Science and Computer Engineering, La Trobe University, Australia. He received his PhD from La Trobe University. He is also the Inaugural Editor-in-Chief for International Journal of Wireless Networks and Broadband Technologies launched in July 2011. He has published about 125 journal and conference papers. His current research areas include intelligent transport systems (ITS), wireless multimedia, wireless sensor networks, vehicle to infrastructure, vehicle to vehicle communications, health informatics, mobile communications, WiMAX, mobile security, mobile handover, and RFID. He currently serves on editorial boards of several international journals. He is a senior member of IEEE. He is also an Associate Editor for Wiley IJCS, SCN, Inderscience JETWI, and IJIPT.

Hangbae Chang is a professor at Sangmyung University. He received his Ph.D. in Information System Management from the Graduate School of Information at Yonsei University, Korea. He has published many research papers in international journals and conferences. He has served as chair, program committee member or organizing committee member for many international conferences and workshops, including FutureTech, WCC, ITCS and CSA. His work has been published in journals such as The Journal of Supercomputing, Electronic Commerce Research, EURASIP Journal on Wireless Communications and Networking, Mobile Information Systems, Personal and Ubiquitous Computing and Journal of Internet Technology. His research interests include issues related to security management and systems in Internet of Things environments.