Secure Authenticated and Key Agreement Protocols ...

9 downloads 0 Views 381KB Size Report
Known-key security:Each run of a key agreement protocol between two entities A ..... ment (SKA) protocol, Secure Remote Password (SRP) pro- tocol, EC-SRP ...
Secure Authenticated and Key Agreement Protocols With Access Control for Mobile Environments Pierre E. ABI-CHAR #

#1

, Abdallah M'HAMED

#2

, Bachar EL-HASSAN

∗3

, Mounir MOKHTARI

#4

Computer and Communication Department, Telecom SudParis (ex. INT) 9 Rue Charles Fourier, Evry, France

[email protected] 2 [email protected] 4 [email protected] 1



Computer and Communication Department, Lebanese University Al Arz street, El kobbeh, Tripoli, Lebanon 3

[email protected]

Abstract—The increasing development and progress in wireless

protocol and propose several authenticated key agreements

mobile communications has attracted an important amount of at-

protocols, each based on different cryptographic assumptions

tention on the security, anonymity and privacy issues. To provide secure communications over un-trusted network, authenticated key agreement protocols are crucial primitive by establishing

including computational problems of a discrete logarithm

(DL),

elliptic curve complexity, the security of one-way

secure session keys. Achieving secure communications between

hash functions and block ciphers which are based on the

communicating entities is an important issue for mobile envi-

complexity of analyzing a simple iterated function of multiple

ronment. Anonymous authentication is a means of authorizing a

rounds, etc. There are two types of authentication, namely,

user without revealing his/her identication. Mobile technologies such PDAs and mobile phone systems are increasingly being deployed in pervasive computing. These mobile devices have

user

authentication

and

shared

key

authentication.

User

authentication is the process where communicating entities

raised public concern regarding violation of privacy, anonymity

are

and information condentiality. Considering these concerns, there

ensures that a shared key is known only to the legitimate

is a growing need to discover and develop techniques and methods

entities. A key-agreement protocol without user authentication

to overcome the threats described above. In this paper we propose several protocols which enhance the authentication, security and access control in mobile computing and yet preserves the

authenticated

in

real

time.

Shared-key

authentication

and shared-key authentication is not secure, leading to many attacks such as replay attack, unknown key shared, resource-

security requirements of the system. Our proposed protocols are

exhaustion,

based on different cryptographic techniques including Elliptic

shared key authentication are needed to be integrated together

Curve techniques, Map-to-Curve function, Weil/bilinear pairing

for providing a robust authenticated key agreement protocol.

techniques and elliptic curve based Identity Schemes. Our proposed protocols achieves many of desirable security requirements including man-in-the-middle attack, dictionary attack, perfect

The term

etc.

Therefore,

both

user

authentication

authenticated key − agreement

and

protocol can be

somewhat misleading in terms of what type of authentication

forward secrecy, etc. Moreover, another comparative study of

a protocol really provides. Many protocols provide shared

our proposed protocols is to provide privacy and Anonymity for

key authentication but not user authentication. For example,

mobile users and to signicantly offer improved performance in

Harn et al. [57], Shim [58], Yen et al. [59], and Wu et al. [60]

computational and communication load over comparably many authenticated key agreement protocol such as B-SPEKE, SRP, AMP, EC-SRP, etc. Index Terms—Authentication, Access Control, WLAN, EC-

provide shared key authentication but not user authentication. The

2-pass

M QV

protocol

[61]

authentication only, while the 3-pass

provides

M QV

shared

key

provides both

Cryptography, Bilinear Pairing, Map-to-Point/Curve Function,

user authentication as well as shared key authentication. In

AVISPA, HLPSL, Identication Scheme, Digital Signature.

this paper, all our 3-pass proposed protocols provide both user and shared key authentication.

I. I NTRODUCTION Authenticated key agreement is a process of verifying

The rest of this paper is as follows. The key management

the legitimacy of communicating parties and establishing

denition and usage are described in section 2. key agreement

common secrets among these parties for subsequent use

desirable properties are outlined in Section 3. Section 4

such as data condentiality, integrity, etc. Authenticated key

provides an outline for the mathematical backgrounds needed

agreement

for our protocols process. Section 5 provides an overview

such

very

important

e-commerce,

for

regarding related work. An application for the protocol in [8] is given in section 6. Our proposed protocol and its security

using multiple cryptographic algorithms which are based

discussion are introduced in Section 7 and 8 respectively.

on various cryptographic assumptions. In This paper, we

Section 9 provides an extension for our protocol proposed

limit our scope to the area of authenticated key agreement

in section 7 by combining authentication and access control

key

internet

systems

constructed

authenticated

wireless,

communication

etc.

An

as

is

agreement

applications,

protocol

is

to provide user authentication and role-based authorization.

loss does not enable an adversary to impersonate other entities

Finally, the paper future work and conclusion are discussed in

to A.

Section 10.

Unknown key-share: Entity A cannot be coerced into sharing a key with entity B without A's knowledge, i.e., when

II. K EY M ANAGEMENT

A believes the key is shared with some entity C

Key establishment refers to the situation where network

6= B ,

and B

(correctly) believes the key is shared with A.

users employ an inter-active protocol to construct a shared secret key called session key. This session key can then be

In

addition,

Identication

protocols

should

have

other

used to achieve some cryptographic goal such as condential

properties

communication channel between entities or data integrity.

round trips and large blocks are critical factors in terms of

There are two kinds of key establishment protocols: Key

communication load and because exponentiations and random

transport protocols in which a key is created by one entity and

numbers are to be critical factors in terms of computation

securely transmitted to the second entity, and Key agreement

load, such properties are listed below:

which

are

related

to

performance.

Because

protocols in which both parties contribute information which jointly establish the shared key [2]. A key agreement protocol is said to provide implicit key authentication if entity A is assured that no other entity aside from a specically identied second entity B can possibly learn the value of a particular secret key. A key agreement protocol which provides implicit key authentication to both entities is called an authenticated key agreement protocol. If both implicit key authentication and key conrmation are provided, then the key establishment protocol is said to provide explicit key authentication. A key agreement protocol which provides explicit key authentication to both entities is called an authenticated key agreement with key conrmation [2]. Apart

from

authentication,

the

other

aspects

of

key

agreement protocols are computational and communication efciency. In key agreement protocols, all users should be able to agree upon a common secret key. The total number of bits exchanged in the protocol is a crucial parameter in judging the efciency of the protocol. Further, in each round, user has to perform some computational like an exponentiation or a scalar multiplication. The total amount of computational required by all the users is another measure of goodness of the protocol.

Computational efciency: this includes the number of operations required to execute a protocol. In order to achieve this property, the protocol should have the minimum number of operation as possible. Communication efciency: This includes the number of passes (message exchanges) and the bandwidth required (total number of bits transmitted). Moreover, to Protect the user privacy and anonymity, we consider the following requirement in cryptography point of view, [4], [5]. Data Condentiality: The private information of ED must be kept secure to guarantee user privacy. The information of

ED

must be meaningless for its bearer even though it is

eavesdropped by an unauthorized

R. ED ED is

Anonymity: Although the data of unique identication information of

is encrypted, the exposed since the

encrypted data is constant. An attacker can identify each ED with its constant encrypted data. Therefore, it is important to make the information of

ED

anonymous.

location Privacy: Neither the system nor the users of the system will be able to know the exact location of a user, unless

III. D ESIRABLE P ROPERTIES FOR KEY AGREEMENT PROTOCOLS:

that user decides to disclose such information or if another person physically sees that user at that location.

A number of desirable properties for key agreement protocols have been identied [3] and nowadays most of the proto-

Data Integrity: If the memory of

ED

is rewritable, forgery

and data modication will happen. Thus, the linkage between

cols are analyzed using these properties which are described

the authentication information and ED itself must be given in

below:

order to prevent the simple copy for

Known-key security: Each run of a key agreement protocol between two entities A and B should produce a unique shared

ED

Mutual Authentication and Reader Authentication: The mutual authentication between

ED

and the back-end authen-

A protocol should still

tication server (ASID ) must be provided as a measure of

achieve its goal in the face of an adversary who has learned

trust. By authenticating mutually, the replay attack the man-in-

some other session key.

middle attack to both ED and

secret key called session key

Ks .

Perfect forward secrecy: If long-term private keys of one or more entities are compromised, the secrecy of previous

also authenticate an illegitimate

R

R

ASID

is prevented.

ASID

must

to avoid the man-in-the-middle attack by

on the insecure channel.

session keys established by honest entities is not affected. Key-compromise impersonation: Suppose that A's long-

IV. P RELIMINARIES:

term private key is disclosed. Clearly an adversary that knows this value can now impersonate A, since it is precisely this value that identies A. However, it may be desirable that this

In this section we briey introduce some mathematical backgrounds necessary for the description of our scheme.

A. Elliptic Curve Cryptography, ECC: Many researchers have examined elliptic curve cryptosystems,

which

were

rstly

proposed

by

Miller

[62]

and

Koblitz [63]. The elliptic curves which are based on the elliptic curve discrete logarithm problem over a nite eld have some advantages than other systems: the key size can be much smaller than the other schemes since only exponentialtime attacks have been known so far if the curve is carefully chosen [64], and the elliptic curve discrete logarithms might be still intractable even if factoring and the multiplicative group discrete logarithm are broken. In this paper we use an elliptic curve

E

dened over a nite eld

Fp .

a

To generate a signature for a message

The elliptic curve The ECEGS runs as follows: The signer selects a random

parameters to be selected [65] and [66] are:

b ∈ Fp ,which dene the 2 3 equation of the elliptic curve E over Fp (i.e., y = x +ax+b 3 2 in the case p ≥ 4, where 4a + 27b 6= 0. 2 -Two eld elements xp and yp in Fp , which dene a nite point P (xp , yp ) of prime order in E(Fp ) (P is not equal to O, where O denotes the point at innity). 3 -The order n of the point P . 1 -Two eld elements

(E, Ya , B, n) and m, the signer will select a random number k , where 2 ≤ k ≤ n − 2 computes r = x(KB)modn. If r 6= 0, then computes s = K −1 (h(m) + xa .r)modn and the signature will be (r, s). To verify the signature, the verier will rst conrm that r −1 and s ∈ [2, n-2] and then computes c = s modn and h(m), then computes t1 = (h(m) ∗ c)modn and t2 = (rc)modn, also the verier computes T = (t1 B + t2 Ya )modn and v = x(T )modn. Finally the verier will accept the signature if and only if (v == r). the public key and the private key are

xa .

and

number

xa ,

where

2 ≤ xa ≤ n − 2,

as his secret key and

avoid the Pollard-rho [67] and Pohling-Hellman algorithms

= xa B . Therefore (E, Ya , B, n) and xa . To generate a signature for a message m, the signer will select a random number k , where 2 ≤ k ≤ n − 2 computes R = kB and computes r = x(KB)modn. If r 6= 0, then computes s = K −1 (h(m) + xa r)modn. The couple (R, s) will be the signer's signature of m. To verify the signature, the verier will rst conrm that r and s ∈ [2, n-2] and then computes v1 = sR and v2 = h(m)B + rYa . Finally the verier will accept the signature if and only if (v1 == v2 ).

for

B. ECDLP-Based Okamoto Identication Scheme:

The Elliptic Curve domain parameter can be veried to meet the following requirements [65] and [66]. In order to the

elliptic

necessary

that

n.

discrete

number

#E(Fp ),

denoted by prime

curve the

of

logarithm

Fp -rational

problem, points

it

on

is

E,

be divisible by a sufciently large

To avoid the reduction algorithms of Menezes,

Okamoto and Vanstone [68] and Frey and Ruck [69], the curve should be non-supersingular (i.e.,

p

should not devide

(p + 1 − #E(Fp ))). To avoid the attack of Semaev [70] on Fp -anomalous curves, the curve should not be Fp -anomalous (i.e., #E(Fp ) 6= p). In the following, we will give an introduction to the ECdiscrete logarithm problem, to Dife-Hellman key exchange based on EC, to the elliptic curve based digital signature algorithm (EC-DSA) and nally to the elliptic curve-based Elgamal signature scheme (EC-EGS).

E be an elliptic curve dened over a nite eld Fp and let P ∈ E(Fp ) be a point of order n. Given Q where Q ∈ E(Fq ), the elliptic curve discrete logarithm problem (ECDLP) is to nd the integer l, 0 ≤ l ≤ n − 1, such that Q = l.P . Let

computes the corresponding public key Ya the public key and the private key are

In this subsection, we briey describe the elliptic curve based

Okamoto

Identication

Scheme.

The

Okamoto

identication protocol is considered secure against active and concurrent attack under the assumption of the hardness of the discrete logarithm problem [1]. The set of system parameters are

(q, F R, a, b, P1 , P2 , n, h). The Prover's secret are (s1 , s2 ) Z = −s1 .P1 − s2 .P2 . the steps of the protocol are:

such that

A prover: the prover picks ri

∈ {0, ....., n − 1}, i = 1, 2 and X = r1 .P + r2 .P to the reader. The reader picks up t a number e ∈ [1, 2 ] and sends it to the prover. The prover computes yi = ri +e.si , i = 1, 2 and sends them to the reader. The Reader checks if y.p + e.Z = X , by computing y1 .P1 + y2 .P2 + e.Z and comparing it to X . if they are equal, then the sends

reader accept else reject. C. Bilinear Pairing: This section briey describes the bilinear pairing, the BDHP and CDHP assumptions. Let

G1

and

G2

denote two groups of prime q, where G1 is

an additive group that consists of points on an elliptic curve, The Dife-Hellman key agreement protocol runs as follows: The rst party selects a random number

Ya = na B ,

he sends

Ya

the second entity computes

na

and

G2

is a multiplicative group of a nite eld. A bilinear

and computes

pairing is a computable bilinear map between two groups,

to the second party. Similarly,

which could be the modied weil pairing or the modied

Y b = nb B

Tate

and sends

Yb

to the

pairing

[71],

[72].

rst party. Finally the two parties generate the same key

within this paper, we let

K = na Yb B = nb Ya = na nb B .

e : G1 × G1 −→ G2 ,

The ECDSA runs as follows: The signer selects a random number

xa ,

where

2 ≤ xa ≤ n − 2,

as his secret key and

computes the corresponding public key Ya

= xa B .

Therefore

e

For

our

proposed

architecture

denote a general bilinear map

which has the following four properties:

∗ 1 -Bilinear : if P , Q, R ∈ G1 and a ∈ Zq , e(P + Q, R) = e(P, R).e(Q, R), e(P, Q + R) = e(P, Q).e(P, R) a and e(aP, Q) = e(P, aQ) = e(P, Q) .

2 -N on − degenerate: There exists P, Q ∈ G1 , such that e(P, Q) 6= 1. 3 -Computability : There exist efcient algorithms to compute e(P, Q) for all P, Q ∈ G1 . −1 4 -Alternative: e(P, Q) = e(Q, P ) .

Seo et al. [28] proposed a simple authenticated key agreement protocol

(SAKA)

for wireless mobile communications. The

proposed protocol required 3 rounds in order to establish authentication process and to agree on the secret session key. However,

SAKA

protocol, as listed in [29], [30] , is

vulnerable to impersonate attack and does not provide perfect Denition 1 -The bilinear Dife-Hellman problem (BHDP) for

a

bilinear

pairing

is

dened

P, aP, bP, cP ∈ G1 , where a, b and ∗ abc from Zq , compute e(P, P ) ∈ G1 .

as

follows:

Given

c are random numbers

forward secrecy nor identity authentication. In an

anonymous

authentication

protocol

was

2001

[31] ,

proposed

for

mobile devices to roam anonymously on distributed wireless networks. Their protocol is targeted to protect the mobile

BDHP assumption: The BDHP problem is assumed to be hard,

device's identity from all entities other than its home server

that is, there is no polynomial time algorithm to solve BDHP

and the visiting foreign server. However, according to [32] ,

problem with non-negligible probability.

it is found that a malicious foreign server which is not

Denition 2 -The computational Dife-Hellman problem

serving the mobile device can launch an impersonate attack

(CDHP) is dened as follows: Given P, aP, bP ∈ G1 , where ∗ a and b are random numbers from Zq , compute abP ∈ G1 . CDHP assumption: There exists no algorithm running in

to reveal the mobile device's identity. Most password-based

polynomial time, which can solve the CDHP problem with

of a low-power device makes these schemes not suitable

non-negligible probability.

for imbalanced wireless networks because of the modular

A trusted Key Generation Center (TKGC) chooses two order

G1

group

and

G2 .

Next

h

cryptography hash function denoted by

TKGC

selects

a l

h : {0, 1} s ∈ Zq∗ as its = sG, where G

where

for some l. Then it picks a random number

Ppub

private key and compute its public key is a generator of For a user maps

IDi

Ui

Hellman key exchange protocol. However, the limitations

exponential operations.

D. MapToPoint/Curve Function:

prime

authenticated key exchange protocols are based on Dife-

G1 .

In

2002

[33] , Zhu et al. proposed a password-based

authenticated key exchange protocol based on RSA with short public exponents. Their protocol run challenge-response protocol to establish the session secret key. Zhu et al. claimed that the protocol is efcient for low-power devices in wireless networks and is secure against dictionary attacks. However,

whose identication information is IDi , TKGC

onto a point on

G1

M apT oP oint.

using the

The

MapToPoint Algorithm [71]:

Bao [34] pointed out that the password protocol of Zhu et al. is subject to ofine dictionary attack if entity's identity is too short. In [35] Yeh et al. proposed a notion of security against undetectable on-line password guessing attack and argued

Let

p

a prime such that

p = 2(mod3)

and

p = 6.q − 1.

Let

that Zhu et al.'s protocol is insecure against this undetectable

E be a supersingular curve

attack. Moreover, Yeh et al. proposed an improved protocol

y0 = H(ID) and x0 = (y02 − 1)2.p−1 (modp) ∗ 2 -Let Qi = (x0 , y0 ) ∈ E/F p2 , and set QID = 6.Qi . Then QID has order q as required.

to defend against this attack. In [36], [37] , Zhang pointed

1 -computes

out that Zhu et al.'s protocol is vulnerable to some form of off-line dictionary attacks. Recently, [38], [39], [36], [40], [41], [42]

pointed out that Yeh et al.'s improvement is

vulnerable to the off-line dictionary attack. To avoid off-line

V. R ELATED W ORK

dictionary attack existed in Yeh et al.'s improved protocol, Lo

Key agreement is one of the fundamental cryptography

[38] and Yang-Wang [39] proposed two improved protocols.

primitives. This required in situations where two or more

However, in [43]

parties want to communicate securely among themselves.

protocol is still vulnerable to an active off-line dictionary

Key

attack and the Yang-Wang protocol is vulnerable to a passive

agreement

protocols

fall

authenticated

and

cryptographic

authentication

naturally

unauthenticated. schemes

A

into wide

and

two

classes

variety

protocols

of

authors pointed out that the Lo proposed

off-line dictionary attack.

have

been developed to provide authenticated key agreement to prevent man-in-the-middle, replay attack, etc.

In

2002,

Chien

et

al.

[44]

proposed

a

remote

user

authentication scheme using smart cards. Chien et al. claimed that their proposed scheme has the merits of providing mutual

Basic

Related

Work:

The

rst

two-key

agreement

authentication,

freely

choosing

password,

no

verication

protocol was introduced by Dife-Hellman in [25] . It is

table, and involving only a few hashing operations instead of

an unauthenticated protocol in the sense that an adversary

the costly modular exponentiations. In 2004, Ku et al. [45] ,

who has control over the channel can use man-in-the-middle

however, pointed out that Chien et al.s scheme is vulnerable

attack to agree upon two separate keys with the two users

to a reection attack, insider attack, guessing attack and is

without the users being aware of this. This was modied into

not reparable once a users permanent secret is compromised.

an authenticated key agreement protocol by Matsumoto et al.

Ku et al. also proposed an improved scheme to resolve

[26] , which was in turn showed to be insecure [27] . In 1999,

these security pitfalls. Nevertheless, in 2004, Yoon et al.

[46]

showed that Ku et al.s scheme is still susceptible to

parallel session attack and is insecure for changing the users

performances and it establish a shared secret key K between the two entities.

password, and also proposed an enhancement to Ku et al.s In addition to a complete security analysis presented in their

scheme to overcome such problems.

paper [6], authors compare their proposed protocols SAKAshowed that both

v1 and V2 with the following protocols: Leakage-Resilient

Ku et al.s scheme and Yoon et al.s scheme were vulnerable

Authenticated Key Exchange (LR-AKE) protocol [12], Simple

to

service

Key Agreement (SKA) protocol [13], Secure Remote Pass-

attack, as well as inefciency in password authentication. By

word (SRP) protocol [14], Simple Password Exponential Key

introducing the two-variant hashing operation, Wang et al.

Exchange (B-SPEKE) protocol [15], Password-Authenticated

proposed an improved scheme to keep the merits of original

Key Exchange (PAK-X [17] and PAK-RY [16]) protocols and

schemes that can be easily realized in the practical resource

Authentication Memorable Password (AMP) protocol [18].

limited

improved

The comparison is done in terms of number of steps, random

scheme does not provide perfect forward secrecy and is still

numbers, exponentiations, hash functions and large blocks.

vulnerable to a guessing attack and Denning-Sacco attack.

Table I shows the compared result for number of steps,

Accordingly to [48] , authors demonstrate that Wang et

exponentiations and large blocks. Table II shows the compared

al.s scheme does not provide perfect forward secrecy and

result for random numbers and hash functions numbers

Thereafter, in 2007, Wang et al. [47] a

guessing

attack,

environment.

forgery

attack

However,

Wang

and

et

denied

al.s

is susceptible to the guessing attack and Denning-Sacco attack.

TABLE I C OMPARISON

To simply the

P KI

OF

system, authors in [49] have introduced

P ERFORMANCE-1Exponentiations

the new idea of ID-Based systems. The advantages of ID-

Protocol

Rounds

C

S

Total

L. B.

Based cryptosystems is that it simplies the key management

B-SPEKE

4

3

4

7

3

process which is a heavy burden in PKI based cryptosystems.

SRP

4

3

3

6

2

The

AMP

4

2

3

5

2

PAK-RY

3

5

4

9

2

PAK-X

3

5

4

9

3

SKA

3

2

3

5

2

that Smart's protocol do not provide full forward security

LR-AKE

3

3

2

5

2

and proposed his own protocol. Nonetheless, Shim's protocol

SAKA-v1

3

3

2

5

2

still suffers from an important security aw because it is not

SAKA-v2

3

2

2

4

2

rst

ID-based

authenticated

key

agreement

scheme

based on Weil pairing was introduced by Smart [50] Shamir's ID-based concept. However, Shim [51]

using

pointed out

protected against the man-in-the-middle attack [52] . In 2004, Ryu et al. [53]

It is clear from Table I that the SAKA protocol has the

proposed a new ID-based protocol which is

minimal cost in terms of number of steps, exponentiations and

more efcient requiring only one pairing computation and

large blocks compared with the previous protocols. It can be

two point multiplication. However, Yaun et al. [54]

pointed

easily noticed that B-SPEKE, SRP and AMP require 4 rounds

out that the protocol is insecure under the key compromise

while PAK-RY, PAK-X, SKA, LR-AKE and SAKA (v1 and

impersonate attack.

v2) require 3 rounds. In addition, the computational load was clearly improved using SAKA-v2 protocol because, as noted

Aydos et al. [55] proposed an ECC-based authentication key

agreement

protocol

for

wireless

communications.

in table 2, SAKA-v2 requires four exponentiations, two for

In

the client and two for the server, while the other protocols,

their protocol, they used ECDSA and Dife Hellman Key

including SKA and LR-AKE, require at least 5 exponentia-

agreement to provide authentication and to obtain a session

tions. Although SAKA-v1 requires 5 exponentiations, it shows

key for later communications. Because their protocol is based

better performance. The SAKA-v1 shows better performance

on ECC, the protocol is suitable for mobile devices in which

in terms of computational load over B-SPEKE, SRP, PAK-

the computational power is low. However, Sun et al. [56]

RY, PAK-X and it is equal with SKA and LR-AKE. SAKA-

demonstrate that Aydos et al.'s ECC-based protocol do not

v1 shows better performance over SKA because there is no

achieve forward security, known-key security and mutual

revealed data as the case with SKA where

authentication.

are sent in clear-text.

XA , XB

and

W

From Table II, it can be easily noticed that the SAKA Closely Related Work: In [6], ABI-CHAR et al. present a

(v1 or v2) protocol requires 2 random numbers and 9 hash

new and efcient three-pass authenticated key establishment

functions while PAK-X requires more. SAKA (v1 or v2)

protocol that provides secure mutual authentication and key

also requires two more hash functions than SKA protocol

agreement with key conrmation. Their proposed protocol, namely

SAKA

is based on the challenge and response

in the Secret-key setting

due to the two necessary

to

M AC

bring

computations of

more

security

and

Kh

which were

robustness

to

our

[1], [2], on KAS (Simplied

proposed protocol. In addition, for the SRP and LR-AKE

Station-to-Station) scheme [1], [2] and on the Dife-Hellman

protocols, it can be easily noticed that the proposed protocols

Key Predistribution

[1], [2]. According to [6], the proposed

(v1 or v2) requires one more hash function because, from

protocol achieves the desirable security requirements and

SRP and LR-AKE schemes, the two entities did not agree

TABLE II C OMPARISON

OF

TABLE IV

P ERFORMANCE-2-

C OMPARISON

OF

P ERFORMANCE-2-

Protocol

Random N.

Hash Function N.

Protocol

Random N.

Hash Function N.

SRP

2

6

SRP

2

6

AMP

2

9

AMP

2

9

PAK-RY

3

8

PAK-RY

3

8

PAK-X

3

10

PAK-X

3

10

SKA

2

7

SKA

2

7

LR-AKE

2/4

6

LR-AKE

2/4

6

SAKA-v1

2

9

EC-AKE

2

6

SAKA-v2

2

9

EC-SRP

3

5

EC-SAKA

2

5

Ks ,

on a common session key

as in the case of proposed

protocols; SRP and LR-AKE just agreed on the shared key K .

protocol requires 2 random numbers and 5 hash functions while

In [7], ABI-CHAR et al. proposed another new and efcient ECDSA-based

three-pass

protocol, namely

the

other

protocols

require

more.

In

addition,

establishment

it can be easily noticed that our protocol is better then

that provides secure mutual

these two protocols in terms of hash functions numbers.

authenticated

EC − SAKA,

all

for the EC-SRP and EC-AKE protocols described in [19],

key

authentication and key agreement with key conrmation. The

For

EC-SAKA is based on the Elliptic Curve Cryptography [1],

protocol was proposed for a one way authentication while our

on

SKA

(Simple Key Agreement) protocol

the assumption that the

ECC

[13] and on

the

EC-SRP

protocols

described

in

[20],

EC-SRP

proposed protocol, EC-SAKA, provides mutual authentication.

discrete logarithm problem is

secure [1]. The proposed protocol achieves many of desirable

Moreover, ABI-CHAR et al. [8] proposed another new and efcient key agreement authentication protocol namely

security requirements and performances.

EGS −SAKA. In addition to providing mutual authentication In addition to a complete security analysis presented in their

and key conrmation between the client, their proposed

SKA

paper [7], authors also compare the proposed protocol with

protocol applies the EC-EGS to the

the same protocols used in [6], with EC-SRP, and nally with

enhancing the safely level and protocol simplication in terms

[13] protocol for

EC-AKE [19]. The comparison is done in terms of number of

of computational and communications load. In the following,

steps, random numbers, exponentiations and hash functions.

we will briey describe the proposed protocol:

Table III shows the compared result for number of steps and exponentiation. Table IV shows the compared result for

where

TABLE III C OMPARISON

OF

Within the rst: ow, Bob chooses a random challenge b,

1 ≤ b ≤ n − 1, then he calculates the B = b ∗ P + Q. Finally he sends B to Alice.

random numbers and hash functions numbers.

point

B

where

Within the second ow:, Alice chooses a random challenge

P ERFORMANCE-1Exponentiations

Protocol

Rounds

Client

Server

Total

B-SPEKE

4

3

4

7

SRP

4

3

3

6

AMP

4

2

3

5

PAK-RY

3

5

4

9

PAK-X

3

5

4

9

a, where 1 ≤ a ≤ n − 1, then computes A where A = a ∗ P = (xA , yA ) and calculates α where α = a(B − Q) and K = Q + α. In addition, Alice calculates r = (xA )mod(n) −1 and computes i = a (h(α) + x ∗ r)mod(n). Finally (A, i) becomes the signatures pair and Alice transfers A and i to the server.

3

2

3

5

3

3

2

5

K = Q + β,

EC-AKE

4

2

2

4

EC-SRP

3

2

2

4

and calculates

EC-SAKA

3

1

1

2

It is clear from Table III that the EC-SAKA protocol has the minimal cost in terms of number of steps and exponentiations

β = b∗A Computes r = xA modn, computes v1 = i ∗ A v2 = (h(β)P ) + r ∗ Q. Finally, Bob checks if

Within the third ow:, Bob computes

SKA LR-AKE

computes

(v1 == v2 ),

if so, Bob authenticates Alice and Bob can be

conrmed that Alice has actually established the same shared session key. Then Bob computes: sends

YB

YB = h(β)

and nally he

to Alice.

compared with other protocols. It can be easily noticed that BSPEKE, SRP, EC-AKE and AMP require 4 rounds while PAK-

In

order

to

authenticate

Bob,

Alice

will

compute:

RY, PAK-X, SKA, LR-AKE and EC-SAKA require 3 rounds.

YA = h(α)

In addition, the computational load was clearly improved using

checking that

EC-SAKA protocol because, as noted in table 2, EC-SAKA

authenticates Bob and Alice can be conrmed that Bob has

requires two exponentiations, one for the client and one for

actually established the same shared session key with her.

and then Alice will verify the value of

(YA == YB ),

YA

by

if so, if they match, then Alice

the server, while the other protocols, including SKA, LR-AKE, EC-AKE and EC-SRP require at least 4 exponentiations. From Table IV, It can be easily noticed that the EC-SAKA

Finally, Alice and Bob agree on the common session key

Ks

where

Ks = h(ID(Alice)||ID(Bob)||K).

Both sides

Ks

will agree on the session Key

if all steps are executed

correctly. Once the protocol run completes successfully, both parties may use

Ks

proposed for a one way authentication while our proposed protocol, EGS-SAKA, provides mutual authentication.

to encrypt subsequent session trafc in

VI. P ROTOCOL A PPLICATION

order to create a condential communication channel.

In this section, our proposed protocol [8] is applied to In

addition

to

a

complete

security

analysis

presented

two applications scenarios. In the rst scenario, the protocol

3GP P 2

in their paper [8], authors compare the proposed protocol

is applied to improve the A-key distribution in

with the following protocols: Leakage-Resilient Authenti-

networks. While in the second scenario, the protocol is

cated Key Exchange (LR-AKE) protocol, Simple Key Agree-

applied to wireless LAN, IEEE 802.11i, in order to provide a

ment (SKA) protocol, Secure Remote Password (SRP) pro-

more robust WLAN communications.

tocol, EC-SRP, Simple Password Exponential Key Exchange (B-SPEKE) protocol, Password-Authenticated Key Exchange

1–Application To 3GPP2: According to [11], there are

(PAK-X and PAK-RY) protocols Authentication Memorable

several proposed approaches for A-Key generation and dis-

(OT ASP )

Password (AMP) protocol and with the protocols presented

tribution. The Over the Air Service Provisioning

in [6] and [7]. The comparison is done in terms of number of

is the preferred approach by 3GPP2. The A-Key genera-

steps, random numbers, exponentiations and hash functions.

tion and renewal procedure take place between a Mobile

Table V shows the compared result for number of steps

Subscriber

and exponentiation. Table VI shows the compared result for

Authentication Center

random numbers and hash functions numbers.

Hellman key exchanged mechanism is used and 16 messages

OF

and its home network represented by the

(AC).

In addition, the basic Dife-

are needed. Moreover, the method is not completely secure

TABLE V C OMPARISON

(M S)

since it is subject to a man-in-the-middle attack. Using the

P ERFORMANCE-1-

same approach as in [11], our proposed protocol can be easily implemented in 3GPP2 networks. We assume that the

Exponentiations Protocol

Rounds

Client

Server

Total

SRP

4

3

3

6

EC-AKE

4

2

2

4

EC-SRP

3

2

2

4

generated secretly and it is known by the MS and the AC of the

SAKA-V2

3

3

2

2

home network. Figure (1) shows the normal A-Key generation

SAKA-V1

3

2

2

2

EC-SAKA

3

1

1

2

procedure (black arrows) and the A-Key generation procedure

EGS-SAKA

3

1

0

1

MS device has the ability to implement the ECC techniques. We also assume that the password is chosen by the user or

using our EC-based protocol [8] (red arrows).

It is clear from Table V that the EGS-SAKA protocol has

Fig. 1.

The A-Key Distribution Procedures

the minimal cost in terms of number of steps, exponentiations compared with these above protocols. It can be easily noticed

MSC

MS

OTAF

HLR

AC

that B-SPEKE, SRP, EC-AKE and AMP require 4 rounds 1-REQ(AC, AKE)

while PAK-RY, PAK-X, SKA, LR-AKE and EGS-SAKA

1-REQ(AC,AKE)

require 3 rounds. In addition, the computational load was

2-REQ(AC,AKE)

clearly improved using EGS-SAKA protocol because, as noted

2-REQ(AC,AKE)

in table V, EGS-SAKA requires 1 exponentiations, one for the

3-REQ(AKE,n,g,BSK) 3-REQ(AKE,P.E.n,B)

client and nothing for the server. While for the other protocols,

AC Comput es B

4- The same as 3

including SKA, LR-AKE, EC-AKE and EC-SRP, they require

5:smdpp(3+srvind)

at least 4 exponentiations.

6: The same as 3

4- The same as 3

5:smdpp(3+srvind)

6: The same as 3 MS comput es (A, i)

TABLE VI C OMPARISON

OF

P ERFORMANCE-2-

7: Key R.M. 7: sent (A.i) 8: smdpp of 7

Protocol

Random N.

Hash Function N.

8: smdpp of 7

SRP

2

6

9:smdpp(8+srvind)

EC-AKE

2

6

EC-SRP

3

5

EGS-SAKA

2

5

From Table VI, It can be easily noticed that the EGS-SAKA protocol requires 2 random numbers and 5 hash functions while all the other protocols require more. In addition, for the EGS-SRP and EC-AKE protocols described in

[19], it

can be easily noticed that their protocol is better then these two protocols in terms of hash functions numbers. For the EC-SRP protocols described in

[19], EC-SRP protocol was

MS comput es Y’

9:REQ(AC + 7)

10:BSKEY

10: The same as 9

11:MSKEY

11: REQ(Y of B) 12:smdpp(11)

12:The same as11

13:smd(12+srvind)

13:REQ(11+AC)

14: REQ(Yof B)

14: The same as 13

15: ack

15:ack 16:smdpp(ack)

16:smdpp(ack)

AC comput es Y

The integration of our proposed protocol within 3GPP2 networks is performed as follows: the messages exchange and

2

Fig. 3.

Auth. Layer TLS

are the same for the two protocols. After receiving

message

2,

AC

the authentication center

computes

B

M S.

as in gure (1), and nally send it to

(A, i).

are required to compute

MS

---------

EC-EAP[8] E A P L a y e r

Extensible Authentication Protocol (EAP)

From message

3 through 6, we transmit all needed parameters to

CHAP

as

described in our proposed protocol [8], package the message

3

The EC-based In EAP Stack

1

that

Please refer to message

3

EAP over LAN (EAPOL)

in gure (1). Then messages 7-10 will be used to inform the authentication center about all parameters required to compute center

YB .

will

verication

Using

messages

11-14,

transmit

YB

and

establishment.

specications,

key

our

new

to

the

protocol

MS

the for

key

to

thwart the man-in-the-middle attack. Moreover, the A-Key require

4

exponentiation

802.5

802.11 MAC Layer

3GPP2

validation,

mutual authentication, perfect forward privacy, and it can protocol

802.3

authentication,

Compared

provides

PPP

authentication

operations,

while

our

proposed protocol require 1 exponentiation operation and it could be easily up-gradated to just require multiplication and addition operations This upgrade could be achieved by using a suitable digital signature.

pass through device and it passes the EAP-request ID to the radius server. The three-pass exchange messages in gure (4) start by the radius server sending B to the

ST A. Depending on

the authentication process, the success/failure is issued and the

ST A

can accept or discard the session. Figure (4), shows the

corresponding message exchanges of the proposed EC-based protocol in the ESS network.

Fig. 4.

2–Application To WLAN: Moreover, our EC-based pro-

The EC-based In ESS Networks

posed protocol [8], can be easily integrated into the BSS and ESS networks respectively by using the same approach as [75].

AP

STA

Radius Server

In case of BSS networks the entity Bob works as an access point

AP ,

whereas in ESS networks it works as a RADIUS

EAPOL Start

server. For both networks, the entity Alice works as a mobile station

ST A.

In BSS networks, after the reception of the

authentication request sent by the ST A, the

AP

EAP Request ID

will start the

EAP Response S(id)

EC-based protocol [8] and depending on the verication,the

ST A

will accept or discard the session. Figure (2), shows the

message exchange of EC-based protocol in the BSS network.

EC-Based Three Pass Authenticated Key Agreement Message Sequence With EAP Success/Failure Message

The exchange of messages used by the EC-based protocol for BSS network are done using

W LAN

frame format. Key Establishment

Fig. 2.

The EC-based In BSS

Authentication Request

VII. O UR F RAMEWORK M ODEL : A N ID-BASED PAIRING Access Point

The First 2-Pass of The EC-Based Protocol

P ROTOCOL

STA

As the elliptic curve pairings techniques have brought many interesting applications to authentication and key agreement

The Third Pass of the EC-Based Protocol Integrated with the Final BSS Success/Failure Message

protocols [10], we will present an identity-based authenticated key agreement protocols from pairings where an entity is proving its identity to the verifying server in such a way that

In addition, our EC-based proposed protocol [8], can be

privacy and anonymity are protected. The presented work is

easily integrated into the ESS networks. The exchange of

mainly based on [9] and also partially on [7], [8] by applying

messages used by the EC-based protocol within the ESS

the EC pairings techniques. A User

network are done using EAP packet format. Figure (3), shows

client which has a mobile Phone or a PDA as an access

the implementation of the proposed EC-based protocol within

device for accessing the needed services. In the following, we

EAP stack. In ESS networks, after ST A's response to AP 's

will present our proposed work and we discuss the security

the

the association phase and after the EAP-request

ID, AP

becomes a

Ui

represents a mobile

analysis. The gure below (Figure 5) shows the PAPA design architecture.

Fig. 5.

B. Proposed Architecture Assumption:

The PAPA Design

We rstly assume that the user's public and private key

(Qi , Si )

Smart Environment

are kept secure, which means that

is stored on his own

ED

Si

for each

Ui

in a secure way. In additional, we

assume that the communication channel between the reader and the back-end server (DBID server or the authentication

Server for services

server) is insecure. In addition, and different from the previous

4-b

works, a reader is no more a trusted third party, which means

Reader H

U

/B

M

A

U

N

%

U

T

LI

I

AZ

T

OI

R

M

C

M

b

G s/

N

V

C

N

T

E

that the reader will be authenticated by the back-end server

R

U

N

1

R

9

P

R

H

LE

P

A

L

P

H

A

S

H

I

I

N

F

T

T

G D

D

3

Y . X

Z

(DBID ). Finally,

Mobile phone PDA, RFID etc...

U 2

W

0

E

O 8

G

T

D

DB Server for authentication

B

F

2 3

L B

7

G

N

A

I E

K

D B

4

C

N

T

G D

J A

I

T KGC

sends

a secure channel. The database

4-a

Si , Pi , Z to the user via DBID manages an stores,

Ui with an ED, a record pair consisting hQi , Si , s1 , s2 i, where (s1 , s2 ) are the prover's secret. for each user

Fig. 6.

A. Parameters Initialization: Our

infrastructure

involves

a

Trusted

Center (T KGC ), an embedded device

Key

ED,

Reader Query, X

f, (Rx, Tx)

DB

The trusted Key Generation Center (TKGC) chooses two and

G2

of prime order

q. q

E(Rx,Tx)

is a prime E(s1,s2)

which is large enough to make solving discrete logarithm

G2 infeasible. The TKGC chooses G G1 , chooses Map-To-Point/Curve function H and chooses e where e is the bilinear pairing map. The ∗ TKGC computes PT KGC = s.G, where s ∈ Zq is the TKGC 's private key and keep s secret. Finally, for each user Ui to be registered, TKGC calculates Qi , where Qi is user's partial public key with Qi = H(IDi ), and determines Ui 's partial private key Si = s.Qi . Moreover, the TKGC calculates the user's public key [74] as PU = xu .PP ub = xu .s.G, where xu ∈ Zq∗ is generated on user's behavior. problem in

G1

User U

a Reader (or

Server for providing services (SS ) and users denoted by (Ui ).

G1

The PAPA Architecture

Generation

readers) (R), a Database Server for authentication (DBID ), a

primes order group

of

and

(y1, y2)

as a generator of

The table below (Table VII) shows the ECC mathematical

C. Proposed Architecture Description: Before running the authentication procedure (Figure

device, to singulate it, from among a population of many others devices. During singularization, multiple embedded devices responses may interfere with each other, necessitating an

anti-collision

algorithm.

The

Anti-Collision

algorithm

may either be probabilistic or deterministic. Following this situation, the reader

parameters that are used for our proposed scheme.

6),

the reader must be able to address a particular embedded

R

applies a collision-avoidance protocol

like the secure binary tree walking [20], [21] or the standard TABLE VII

Index

T KGC G1 G2 G Ppub s

An additive group with prime order

H 1 , H2 H

G1 T KGC , Ppub = s.G Zq∗ by T KGC , s is kept IDi ∈ {o, 1}∗ 1 ≤i≤ n key of user i, Qi =

The identity of the user i, The long term public where

H

is a Map function

Hash function A map to curve algorithm where an ID is

e

the

reader

singulate

one

device,

the

described in the following steps. Within the rst round, (From

R

to

ED),

the reader starts

the protocol by generating two fresh random nonce r1 and

∈ Zn ,

then he calculates the point

The long term private key of user i,

mapped into a point on

e p, q P, Q a, b E B x(Q)

q

The public key of

s.H(IDi ),

Once

process for our three-pass authentication protocol will be

An multiplicative group with prime order q

secret

IDi Si Qi

performance.

Explanation

it is chosen from

Higher densities

of devices will result in a higher collision rate and degraded

The trusted key generation center

A generator of

ED.

protocols of ISO [22] to singularize

EC M ATHEMATICAL N OTATIONS

X

r2

where

X = r1 × P1 + r2 × P2

(1)

and nally he sends the pair (”request”,X ) to the embedded device

ED.

(Step 1 in gure 5).

G1

denote a bilinear pairing map

large prime numbers, where

p = 2.q + 1

Random points over elliptic curve Random generated private keys non-supersingular elliptic curve

B ∈ E(Fq ) with order q x coordinate of point Q

ED generates two f and a, where f ∈R Z2t and a ∈ Zq∗ , then computes (Rx , Tx ) where (Rx , Tx ) is the signature pair over the user's private key Si . Moreover, she calculates TED , where TED = a.G. Finally ED sends (Rx , Tx ), TED , and Within the second round, the queried

fresh random nonces

f

to the Reader

R.

(Step 2 in gure 5). We can choose to

key

deploy one of many available secure signature algorithm. The choice of the algorithm depend on the Computation and communication cost factor regarding the choice of the ED 's

KR/ED = e(QED , PED )b .e(xr .Sr , TED )

(5)

KED/R = e(QR , PR )a .e(xed .Sed , TR )

(6)

and

type. Within the third round, and as we have declared in the above assumption that the communication channel between the reader and the authentication server is insecure, and upon receiving the signature pair (Rx , Tx ) from the

R

ED,

the reader

will deploy a Weil Pairing-based encryption algorithm

on the signature pair. Finally he sends Back-end server

DBID .

EKe (Rx , Tx )

to the

respectively. We denote by the key

K

K = KR/ED = KED/R .

Hence,

is a shared between the entities. To ensure forward

security, we can use a the new shared key a hash function to

K.

Kh

after applying

Once the protocol run completes suc-

cessfully, both parties may use the

Kh

to encrypt subsequent

session trafc in order to create a condential communication channel. VIII. P ROTOCOL D ISCUSSION

Our two nodes, the reader and the back-end server, can directly compute a share key between them without exchanging any previous message. Based on the one's own private key and the other party's public key, they can directly compute the share key as follows. We denote their private key/public

SR = s.QR , where QR = H1 (IDR ) and by SDB = s.QDB , where QDB = H1 (IDDB ). Now the reader computes KR/DB = e(SR , QDB ) and KDB/R = e(QR , SDB ). And

key by

nally the share symmetric secret key will be

In this section, the correctness of our proposed protocol is shown rst. Second the security analysis of our proposed protocol is described. Finally, the validation or formal analysis of our proposed protocol will be also given. A. Correctness In

the

following

equations.

s

Ke = H2 (KR/DB ) = H2 [e(QR , QDB ) ] = H2 (KDB/R ). (2) This approach is very efcient in terms of communications and computations and this feature makes it very attractive to

Within

the

fourth

round,

the back-end server,

DBID ,

and

upon

receiving

EKe (Rx , Tx )

from the

Since

KR/ED

= = = = =

R,

verify the signature pair, if it is valid, then the back-end server

accept,

authenticated

and

ED

the

pair

(s1 , s2 )

associated

with

present

a

brief

verication

an

identical

2-party

key

K

KR/ED

has

to

be

=? KED/R

should be true. Proof:

the

will decrypt the message, then

will

established, this means the equation

the environments where the entities capabilities are limited.

encrypted signature pair message

we

regarding the correctness and similarity of the shared key

e(QED , PED )b .e(xr .Sr , TED ) e(QED , xed .s.G)b .e(xr .Sr , a.G) e(xed .s.QED , b.G).e(xr .s.QR , a.G) e(xed .Sed , TR ).e(QR , PR )a KED/R

B. Security Analysis Our proposed architecture is considered to provide privacy

the

and anonymity for users. In the following, we evaluate our

is extracted from the database, encrypted

architecture regarding the security requirement addressed in

using the Weil-Pairing-based encryption algorithm. Finally, the back-end server sends

EKe (s1 , s2 )

to the reader

R.

section2 -Mutual Authentication: Considering the fact that the digital

Within the fth round, the reader, generates a random ∗ nonce b ∈ Zq and computes TR = b.G. Then she decrypts the receiving message, extracts the pair (s1 , s2 ) and then computes

yi = (ri + (f × si ))(modn) i=1 ED. for

The

and

2.

yi

for

i=1

and

2)

to the

(Rx , Tx ),

created by the

ED,

is veried by

the Back-end server. Considering that the pair

(s1 , s2 ),

sent

by the back-end server, is recalculated by the reader under

(y1 , y2 )

and veried by the

architecture

guarantees

the

between the embedded device

ED.

Therefore, our proposed

secure

ED

mutual

authentication

and the back-end server.

-Passive attack: Suppose an attacker performs a passive

ED

attack, then the session will terminate with both legitimates

computes

and then checks if so the

Finally sends (TR ,

(3)

signature pair

ED

X ( (yi × Pi ) + f × Z) P that if ( (yi × Pi ) + f × Z)

parties (4)

TED

That

is,

the

two

parties

successfully

that the exchanges messages between the reader and the is equals to

X,

accepts else rejects.

After the above messages,

accepting.

identify themselves to each other. And regarding the fact

ED

are generated from random nonce which are generated

with every new session, so it is infeasible that an attacker and

TR

are exchanged, the

reader and the user can agree and compute the secret shared

computes any useful information including the IDi of a user Ui . Therefore the architecture resists against the passive attack.

-Man in the middle attack (or active attack): Suppose that X and replaces it with X 0 , the attacker

Fig. 7.

The OFMC Output

an attacker intercepts then receives

f

(Rx , Tx ) from the ED. He would 0 0 (Rx , Tx ), as before. However,

and

like

to replace the pair with

and

unfortunately for the attacker, he can not compute the value of the new pair because he does not know the users credentials and parameters and because the transmitted messages are meaningless. Therefore the proposed scheme thwarts the man in-the-middle attack. -Perfect

forward

secrecy:

Each

run

of

the

protocol

x, a unique Signature pair (Rx , Tx ) and a (y1 , y2 ). In addition the transmitted messages are

computes a unique unique pair

meaningless as they are generated for each new session using new random nonce. Thus, the architecture is secure against

concerning privacy and anonymity are reached. The protocol is also safe and a mutual strong authentication is established

perfect forward secrecy.

IX. C OMBINING AUTHENTICATION AND ACCESS C ONTROL

-Data

Condentiality:

Since

our

architecture

provides

secure mutual authentication between the ED and the system

Authentication and access control are decisive for the

ED

security and integrity of information. In this section, we

and

since

the

information

transmitted

between

the

and system is meaningless, thus, our architecture provide

propose a robust protocol through combining authentication

(RBAC).

data condentiality and the user privacy on data is strongly

and role-based access control

protected.

extend our previous protocol to cooperate with role-based

To achieve this, we

access control. Our new scheme is based on identity-based -ED

Anonymity

and

Location

Privacy:

During

the

authentication processes, a signature algorithm is used to

(Rx , Tx ). The pair (Rx , Tx ) and f between the ED and R are randomized

produce the signature pair that are transmitted

and anonymous since they are updated for each read attempt. Thus, our architecture provides user anonymity and location privacy is not compromised.

is based on the insecure communication channel between R and back-end server. The unauthorized reader

DBID

R

0

is detected

using the weil

pairing based encryption algorithm between the reader and the back-end server, and by verifying the pair the legitimate user or

ED.

can check the validity of a user's identity and its activated roles simultaneously by verifying the user's signature, so the

independent

We

extend

the

authentication element

user

procedure in

our

is

previous

eliminated. proposed

protocol [9] to cooperate with role-based access control. We dene each user as

Ui =< ID, AKra >, where ID is AKra is a set of assigned

a user identity information and

-Unauthorized Reader Detection: Our Proposed architecture

and prevented by the back-end server

cryptography and bilinear pairings. Our proposed protocol

(y1 , y2 )

by

Thus, our scheme protects against

Unauthorized reader.

C. Formal Analysis In The AVISPA tool [23], security protocols are specied using the High Level Protocol Specication Language (HLPSL). The HLPSL specication is translated into an Intermediate Format (IF). The current version of the AVISPA tool integrates

keys corresponding to the roles assigned to the user dened as

AKra = {KIDr1 , ..., KIDrn }.

In addition, we dene a

role as a set of pair of public and private keys belonging to the role. Each role is represented as

r =< rpub , rpriv >.

We also assume that the Trusted Key Generation Center (T KGC ) in [9] is extended in a way to be able to dene

ri T KGC picks a random rpki as ri 's private key and sets RP Ki = rpki .G as ri 's public key. To assign the role ri to a user with an identity ID , the T KGC check the user ID, computes QID = H(ID), and generates the user's assigned key KIDri corresponding to ri with KIDri = rpki .Q(ID) and where rpki is the ri 's private key. Finally, T KGC sends KIDri or a set of KID , Si , Pi , Z to the user via a secure channel. roles and to assigning these roles to users. When a role is added to the system, the

four back-ends: OFMC, CL-ATSE, SATMC and TA4SP. Before we run verications from AVISPA [23], [24], our protocol was written in the High Level Protocol Specication

The process for our new three-pass authenticated key agreement protocol will be as follows:

Language, or HLPSL. A modied model was written in order to be suitable for the OFMC validation. Once the HLPSL

Within the rst round, (From

R

to

ED),

the reader

specication was debugged, it was checked automatically for

starts the protocol by generating two fresh random nonce

attack detection using the AVISPA verication tools. Figure 7

r1 and r2 ∈ Zn , then he calculates the point X where X = r1 × P1 + r2 × P2 and nally he sends the pair (”request”,X ) to the embedded device ED . (Step 1 in

shows the corresponding execution with AVISPA's OFMC tool. No reveals attacks were found, and the security goals

gure 5)

ED selects a role or = {r1 , r2 , ..., rh }. signature SigQ on Q with

Within the second round The queried

a corresponding set of roles denoted by SR Generates a message

Q = ID|SR|per

Q

and a

and where

per

is the permission that the

SigQ will be denoted < U, V >. Moreover, ED generates two fresh random t ∗ nonces f and a, where f ∈R Z2 and a ∈ Zq , she calculates TED , where TED = a.G. Finally ED sends (Q, SigQ ), TED , and f to the Reader R. (Step 2 in gure 5). We can choose user wants to enforce. Finally the

by

to deploy one of many available secure signature algorithm. The choice of the algorithm depend on the Computation and communication cost factor regarding the choice of the ED 's type.

e(P, V ) =? e(PAR , U + hQID ). Proof: Pk e(PAR , U + hQID ) = e( i=1 Pi , rQID + hQID ) Pk = e( i=1 s.P, (r + h)QID ) Pk = e(P, (r + h) i=1 si QID ) = e(P, (r + h)SIDAR ) = e(P, V ) Since the key establishment process in our current proposed protocol is similar to the key establishment in previous work, section 7

(section 8 part A ),

the same correctness verica-

tion will be applied here as well. Security Analysis Since our new proposed authenticated key agreement protocol is also a direct extension of the protocol described in [9], the security analysis and validation will be applied to the proposed authenticated key agreement

Within the third round, and as we have declared in the above assumption that the communication channel between the reader and the authentication server is insecure, and

R

(Q, SigQ )

X. C ONCLUSION AND F UTURE W ORK : Mobile computing is an emerging research area with great

ED,

potential. In this paper, we introduce several secure authenti-

will deploy a Weil Pairing-based encryption

cated key agreement protocols based on elliptic curve cryp-

upon receiving the signature pair the reader

protocol as well.

from the

algorithm on the signature pair. Finally he sends EKe (SigQ )

DBID .

to the Back-end server

tography that provides mutual authentication and explicit key establishment. Our schemes is simple, easy to realize, and secure against both passive and active attacks. It also resists

Within

the

fourth

round,

and

the

many others attacks. Our proposed protocols are compared

from the

to well-known protocols such as B-SPEKE, SRP, EC-SRP,

will decrypt the message,

EC-AKE, PAK-RY, PAK-X, AMP, SKA and LR-AKE in

then verify the signature pair, if it is valid, then the back-end

terms of communication and computation cost and the results

encrypted signature pair message

R,

the back-end server,

server

accept,

(s1 , s2 )

were well discussed. Moreover, the privacy and anonymity of users in pervasive environments should are well and care-

using the Weil-Pairing-based encryption algorithm. Finally,

fully considered. In addition, (section 7 and 8), We present

the back-end server sends

pair

EKe (Q, SigQ )

is extracted from the database, encrypted

ED

the

receiving

the

authenticated

and

DBID ,

upon

EKe (s1 , s2 )

associated

with

to the reader

R.

new authentication based architectures to preserve privacy and anonymity and to combine authentication with access

Within the fth round, the reader, generates a random ∗ nonce b ∈ Zq and computes TR = b.G. Then she decrypts the receiving message, extracts the pair (s1 , s2 ) and then

yi = (ri + (f × si ))(modn) for i = 1 and 2. Finally (TR , yi for i = 1 and 2) to the ED .

control respectively. These proposed protocols are based on elliptic curve techniques, MaptoPoint/Curve algorithm, Weil Pairing and on Identication schemes. Our proposed protocols

computes

support authenticated key agreement mechanism and dynamic

sends

key updating. Our Schemes are simple, easy to realize, and

The that if

P ED P computes ( (yi × Pi ) + f × Z) and then checks ( (yi × Pi ) + f × Z) is equals to X , if so the ED

accepts else rejects.

meets security and privacy objectives including, mutual authentication, man-in-the-middle attack, condentiality, replay attack and users anonymity and location privacy. Our Proposed protocols are exible in such a way that they can be

After the above messages,

TED

and

TR

congured to use one of many secure communication scheme are exchanged, the

desired (signature schemes, identity-based schemes and weil

reader and the user can agree and compute the secret shared

pairing based encryption algorithms). As Future Work, we

key as in equations 5 and 6.

are currently working on extending these proposed protocols to be deal with context-aware environments where both user and contextual information will be authenticated which are

A. Protocol Discussion

essential elements to access context-aware network services. In

Protocol Correctness We can choose one of many identitybased signature scheme to compute the

SigQ .

Therefore,

addition, we will try to show a complete comparison, security and overhead computations, with other relevant protocols and

we will adopt the signature scheme that was used by [73]. ∗ To compute the SigQ , the user selects a random r ∈ Zq , computes U = r.QID , computes h = H(Q, U ), computes Ph KSR = i=1 KIDri , and nally computes V = (r + h)KSR .

we will try to show the correctness of the proposed scheme.

The validity of

Lebanese University Laboratories's staff for their contributions

SigQ

can be accomplished by verifying if

ACKNOWLEDGMENT The authors would like to thank Telecom SudParis and

and support. I would like to thank everyone for his help, guidance, advise as well as his enthusiasm and many valuable contributions to this work. Their suggestions and observations were extremely helpful throughout this paper. Without their

[20] A. Juels, R.L. Rivest, and M. Szydlo, The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy,

In Proceeding 10th ACM

Conference on Computer and Commnunications, pp 103-111, 2003. [21] S. Weis, Secuirty and Privacy in Radio Frequency Identication Devices, Master's thesis, MIT, 2003. [22] ISO/IEC-JTC 1/SC-31/WG, Information technology AIDC techniques-

input, I would not have been able to complete this work.

RFID for item management Air interface,

Part 3: Parameters for air

interface communications at 13.56 MHZ, Apr. 2004.

R EFERENCES

[23] http://www.avispa-project.org, Automated Validation of Internet Secuirty Protocols and Applications,

[1] D. R. Stinson, Cryptography Theory and Practice,

In Proceeding of

AVISPA,

Chapman and Hall/CRC, Third Edition, pages: 353-438, 2006. [2] A. Menezes, P.V. Oorschot and S. Vanstone, Handbook of Apllied Cryptography,

[3] S.B. Wilson, D. Johnson and A. Menezes, Key Agreement Protocols and In Proceeding of Sixth IMA International

In

644-654, November 1976. [26] T.

Matsumoto

Sysytems,

Conference on Cryptography and Coding, UK, pp.:30-45, 1997. [4] M. Ohkubo, K. Suzuki and S. Kinoshita, Cyptography Approach to Privacy-Frindly Tags,

, 2008.

[25] W. Dife and M. Hellman, New Directions In Cryptograhy,

Procceding of IEEE Transactions on Information Theory, IT-22(6), pp.

in Proceeding of CRC Press, 2nd Edition, 1996.

Their Security Analysis,

, 2006.

[24] http://www.irisa.fr/lande/genet/span, A Security Protocol ANimator for

In Proceeding of the Privacy WorkShop, MIT,

et

al., On

Seeking

Smart

Public-Key

Distributions

In Procceding of the Transactions of the IECE of Japan,

E69(1986), pp. 99-106, 1986 . [27] L. LAW et al., An Efcient Protocol for Authenticated Key Agreement, Technical Report CORR 98-05, Department of C & O, University of

MA, USA, Nov. 2003. [5] S. Weis, Secuirty and Privacy in Radio Frequency Identication Devices,

Waterloo, 1998. Available ar Citeseer.nj.nec.com/law98efcient. [28] S. Dong and P. Sweeney, Simple Authenticated Key Agreement Algo-

Master's thesis, MIT, 2003. [6] P. ABI-CHAR, A. Mhamed, B. Hassan, A Secure Authenticated Key Agreement Protocol For Wireless Security,

In Proceeding of the

rithm,

Electronics Letters, vol. 35, Issue 13, pp. 1073-1074, 1999.

[29] K. Wei-Chi and W. Sheng-De, Cryptanalysis of Modied Authenticated

Third International Symposium on Information Assurance and Security

Key Agreement Protocol,

IAS2007, Manchester, United Kingdom, IEEE Computer Society Press,

1770-1771, October 2000.

Electronics Lettres, vol. 36, Issue 21, pp.

[30] B.T. Hsieh et al., Cryptonalysis of Enhancement for Simple Authentica-

August, pp. 33-38, 2007. [7] P. ABI-CHAR, A. Mhamed, B. EL-Hassan, A Secure Authenticated Key Agreement Protocol Based on Elliptic Curve Cryptography,

In Pro-

ceeding of the Third International Symposium on Information Assurance

tion Key Agreement Algorithm,

Electronics Letters, vol. 38, Issue 1,

pp. 20-21, 2001. [31] J. Go and K. Kim, Wireless Authentication Protocol Preserving User

and Security IAS2007, Manchester, United Kingdom, IEEE Computer

Anonymity,

Society Press, pp. 89-94, 2007.

and Information Security (SCIS 2001), pp. 159-164, Jan. 2001.

[8] P. ABI-CHAR, A. Mhamed, B. EL-Hassan, A Fast and Secure Elliptic

In Proceeding of the 2001 Symposium on Cryptography

[32] W. Duncan and K. Hong, Security Analysis of Two Anonymous Authen-

Curve Based Authenticated Key Agreement Protocol For Low Power

tication Protocols for Distributed Wirless Networks,

Mobile Communications,

the 3rd International Conference on Pervasive Computing and Commu-

In Proceeding of the International Conference

and Exhibition On Next Generation Mobile Applications, Services And Technologies, NGMAST07. Cardiff, Wales, United Kingdom , IEEE

a Robust Privacy and Anonymity Preserving Architecture for Ubiquitous Computing,

nications Workshops (PerCom 2005), pp. 284-288,2005. [33] F. Zhu et al., RSA-Based Password Authenticated Key Exchange for Imbalanced Wireless Networks,

Computer Society Press, pp. 236-241, 2007. [9] P. ABI-CHAR, M. Mokhtari, A. Mhamed and B. EL -Hassan, Towards In Proc. of the Third International Conference on Risks

In Proceeding of

In Proceeding of the 5th Information

Security Conference, Lecture Notes in Computer Science, SpringerVerlag, vol 2433, pp.150-161, 2002. [34] F. Bao, Security Analysis of a Password Authenticated Key Exchange

and Security of Internet and Systems (CRISIS08). Tozeur, Tunisia, IEEE

Protocol,

Computer Society Press, October 28-30, pp. 125-132, 2008.

Lecture Notes in Computer Science, Springer-Verlag, vol 2851, pp. 208-

[10] D. Boneh, and M. Franklin, Identity Based encryption From the Weil Pairing,

In Proceeding of CRYPTO 2001, LNCS 2139, pp. 213-229,

In Proceeding of the 6th Information Security Conference,

217, 2003. [35] H. Yeh et al., Improvement of Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks,

SPRINGER-Verlag, 2001. [11] A.F. Sui et al., An Improved Authenticated Key Agreement Protocol with Perfect Forward Secrecy for Wireless Mobile Communication,

In

[36] M. Zhang, Breaking an Improved Password Authenticated Key Exchange

Proceeding of the International Conference of Wireless Communications

Protocol for Imbalanced Wireless Networks,

and Networking, IEEE Press, pp. 2088-2093, 2005.

9, pp. 276-278, Mar. 2005.

[12] I. Hideki, S. Seonghan, and K. Kobara, Authenticated Key Exchange for Wireless Secuirty,

In Proceeding of the IEEE Wirless Communications

and Networking Confernece, pp. 1180-1186, 2005. In

Proceeding of IEEE 37th Annual 2003 International Carnahan Conference, pp. 128-131, 2003. Symposium on Network and Distribution System Security, 1998. In Proceeding of the WETICE Workshop, pp. 248-

thenticated Key exchange using Dife-hellman,

In Proceeding of the

Notes in Computer Science, Springer-Verlag, vol 3225, pp. 13-24, 2004. [38] J. W.Lo, The Improvement of YSYCT Scheme for Imbalanced Wireless International Journal Network Security , vol 3, pp. 39-43,

July 2006. Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks,

IEICE Transactions Commun, vol. E88-B, pp. 4370-4372,

[17] P. Mackenzie, More Efcient Password Authenticated Key Exchange,

In

[18] T. Kwon”, Ultimate solution to authenticate via memorable passIn

Proceeding group

for

of

the

Future

Contribution

PKC

Standards,

to

the

IEEE

available

for

http://grouper.ieee.org/groups/1363/passwdPK/contribution.html. [19] K. Jung, J. Kim and T. Chung, Password-Based Independent Authentication and Key Exchange Protocol, Singapore, 2003.

RSA based Password Authenticated Key Exchange,

IEICE Transactions

[41] E. Yoon and K. Yoo, Cryptoanalysis of Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks,

Proceeding of the CT-RSA, pp. 361-377, 2001.

Study

[40] S. Wang and F. Bao and J. Wang, Security Analysis on an Improvement of Commun, vol. E88-B, pp. 1641-1646, Apr. 2005.

EuroCrypt, pp. 156-171, 2000.

1363

In

Nov. 2005.

[16] V. Boyko, P. Mackenzie and S. Patel, Provably Secure Password Au-

P

Protocol based on RSA for Imbalanced Wireless Networks,

[39] C. Yang and R. Wang, Cryptoanalysis of Improvement of Password

255, 1997.

word,

[37] M. Zheng, Further Analysis of Password Authenticated Key Exchange

Network, In Proceeding of the Interent

[15] D. Jablon, Extended password Key exchange Protocols immune to dictionary attack,

IEEE Commun, Letter, vol.

Proceeding of the 7th Information Security Conference 2004, Lecture

[13] E. Ryu, K. Kim, and K. Yoo, A Simple Key Agreement Protocol,

[14] T. Wu, Secure Remote Password Protocol,

IEICE Transactions

Commun, vol. E86-B, pp. 3278-3282, Nov. 2003.

In Proceeding of ICICS-PCM03,

IEICE

Transactions Commun, vol. E88-B, pp. 2627-2628, June. 2005. [42] Y. Chang et al., An Efcient Password Authenticated Key Exchange Protocols for Imbalanced Wireless Networks,

Computers Standards

& Interfaces, vol. 27, pp. 313-322, Mar. 2005 [43] C. Tianjie and L. Dongdai, Cryptoanalysis of Two Password Authenticated Key Exchange Protocols Based on RSA, Letter, vol 10, No. 8, pp. 623-625, August 2006.

IEEE Communications

[44] H.Y. Chien and J.K. Jan and Y.M. Tseng, An Efcient and Practical Solution to Remote Authentication Smart Card,

Computer and Secuirty,

vol. 21, no. 4, pp. 372-375, 2002.

[69] G. Frey and H. Ruck, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves,

[45] W.C. Ku and S.M. Chen, Weaknesses and Improvements of an Efcient

[70] I. Semaev, Evaluation of Discrete logarithms in a group of p-torsion

Password Based Remote User Authentication Sheme Using Smart Card,

points of an elliptic curve in Characteristic p,

IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 204-207,

Computation, vol. 67, pp. 353-356, 1998.

Mathematics of

[71] D. Boneh and M. Franklin, Identity-based encryption from the Weil

2004. [46] E.J. Yoon and E.K. Ryu and K.Y. Yoo, Further improvement of an efcient password based remote user authentication scheme using smart cards,

Mathematics

of Computation, vol 62, pp. 865-874, 1994.

IEEE Transactions on Consumer Electronics, vol. 50, no. 2, pp.

Pairing,

Advanced in CRYPTO2001, LNCS 2139, pp. 213-229, 2001.

[72] G. Frey, M. Muller and H. Ruck, The Tate Pairing and the discrete logarithm applied to elliptic curve cryptosystem,

IEEE Transaction on

Information Theory, Vol. 45, No.5, pp. 1717-1719, 1999.

612-614, 2004. [47] X.M. Wang, W.F. Zhang, J.S. Zhang and M.K. Khan, Cryptanalysis and

[73] J. Wang, J. Yu, D. Li, X. Bai, and Z. Jia Combining User Authentication

improvement on two efcient remote user authentication scheme using

With Role-Based Authorization Based on Identity-Based Signature,

smart cards,

Computer Standards & Interfaces, vol. 29, no. 5, pp.

Proceding of International Conference on Computational Intelligence and

[48] E.J. Yoon, E.J. Lee and K.Y. Yoo Cryptanalysis of Wang et al.'s Remote

[74] S. Wang, Z. Cao, and H. Bao Efcient Certicateless Authentication

Security, CIS, pp.847-857, 2006.

507-512, 2007. User Authentication Scheme Using Smart Cards.,

In Proceedings

of the Fifth International Conference on Information Technology: New In

Advanced in Cryptology- Crypto'84, LNCS 196, pp. 47-53, SpringerVerlag, 1984. [50] N.P. Smart, An ID-Based Authentication Key Agreement Protocol Based Electron. letter, 38(13), pp. 630-632, 2002.

[51] K. Shim, Efcient ID-Based Authentication Key Agreement Protocol Based on the Weil Pairing,

Electron. letter, 39(8), pp. 653-654, 2003.

[52] H. Sun and B. Hsieh, Security Analysis of Shim's Authenticated Key Agreement Protocols from Pairings,

Cryptology ePrint Archive, Report

2003/113, 2003. http://eprint.iacr.org/2003/113. [53] E. Ryu and E. Yoon and K. Yoo, An Efcient ID-Based Authenticated Key Agreement Protocol,

Networking 2004 Volume 3042, 2004.

[54] Q. Yuan and S. Li, A New Efcient ID-Based Authenticated Key Agreement Protocol,

IEEE Communications Letter, vol 10, No. 8,

pp. 623-625, March 1, 2005. [55] C.K. Koc and M.Aydos and B.Sunar An Elliptic Curve Cryptography based authentication and key Agreement protocol for Wireless Commnuication,

In 2nd International Workshop on Discrete Algorithm and

Methods for Mobile Computing and Communications, 1998. [56] H.M. Sun and B.T.Hsieh and S.M. Tseng Cryptanalysis of Aydos et al.'s ECC-based Wireless Authentication Protocol.,

In Proceedings of the

2004 IEEE International Conference on e-Technology, e-Commerce and e-Servce (EEE'04), pp. 563-566, 2004. [57] L. Harn, and H.Y. Lin Authenticated Key Agreement Without Using OneWay Hash Function,

In Proceeding of the Electron, Lett.,(10)37, 2001.

[58] K. Shim, Unknown Key-Share Attack on Authenticated Multiple Key Agreement Protocol,

In Proceeding of the Electron, Lett., 39(1), pp.

38-39, 2003. [59] S. Yen, and M. Joye, Improved Authentication Multiple key Agreement Protocols,

In Proceeding of the Electron, Lett., 34 (18), pp. 1738-1739,

1998. [60] T. Wu, W. He, and C. Hsu Security of Authenticated Multiple Key Agreement Protocol,

In Proceeding of the Electron, Lett., 35, (5),

pp. 391-392, 1999. [61] L. Law, A. Menezes, A. Qu, J. Solinas, and S. Vanstone, An Efcient Protocol for Authenticated Key agreement,

In Proceeding Technical

Report CORR 98-08, Univerity of Waterloo, Canada, 1998. [62] V. Miller, Uses of elliptic curves in cryptography,

In Proceeding of

Crypto '85, Santa Barbara, pp. 417 - 426. 1986. [63] N. Koblitz, Elliptic Curve cryptosystems,

Mathematics of Computation,

vol 48., pp. 203 - 209, 1987. [64] N. Koblitz, CM-Curves With Good Cryptography Properties,

In Proc.

of Crypto' 91, Santa Barbara, USA, 1992. [65] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstane, An efcient Protocol for Authenticated Key Agreement,

Technical report CORR98-

05, Department of CO, University of Waterloo, 1998. [66] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstane, An efcient Protocol for Authenticated Key Agreement,

Designs, Codes and

Cryptography, vol. 28, pp. 119-134, 2003. [67] J. Pollard, Monte Carlo methods for index computation mod p,

Math-

ematics of Computation, vol. 32, pp. 918-924, 1978. [68] A. Menezes, T. Okamoto and S. Vanstane, Reducing elliptic curve logarithms ina nite eld,

IEEE Transactions on Information Theory,

vol. 39, pp. 1639-1646, 1993.

and Key Agreement (CL-AK) for Grid Computing,

In Proceeding of

the International Journal of Network Security, vol.7, No.3, pp. 342-347, 2008.

Generations, pp. 575-580, 2008. [49] A. Shamir, Identity-based Cryptosystems and Signature Schemes,

on the Weil Pairing,

In

[75] A.A. Mohammad, and A. Jamalipour An Efcient Elliptic Curve Cryptography Based Authentication Key Agreement Protocol for Wireless LAN Security,

In Proceeding of High Performance Switching and Routing,

HPSR2005 Workshop, pp 376-380, 2005.