
IEEE COMMUNICATIONS LETTERS, VOL. 16, NO. 7, JULY 2012

Secure Delegation-Based Authentication Protocol for Wireless Roaming Service
Jia-Lun Tsai, Nai-Wei Lo, and Tzong-Chen Wu

Abstract—Portable devices, with wireless communication capability, are used widely in everyday life. Preventing personal sensitive information from being revealed to an adversary through insecure wireless communication channels has therefore become a serious concern. This study proposes a novel ECC-based authentication protocol for portable communication systems. The proposed protocol resists DoS attacks and requires less computation cost when authenticating a communication session. In addition, the proposed protocol provides user unlinkability.
Index Terms—Portable device, wireless roaming service, authentication, Denial of Service (DoS) attack, unlinkability.

I. INTRODUCTION

In recent years, portable communication systems have become a part of everyday life. Since mobile devices are used widely in both personal and business matters, leakage of sensitive data through wireless mobile devices has become a grave security concern. One of the most serious security issues for service providers and enterprises is to provide a secure and robust authentication mechanism. A wireless mobile device has only limited computing capability compared to a personal computer. It also has a narrow bandwidth for data transmission in comparison to wired networks. Traditional authentication mechanisms are therefore unsuitable in a wireless mobile environment. In addition, the nature of wireless communication allows an adversary to intercept messages transmitted through the air easily. Several authentication protocols for wireless environments have been proposed in recent years [1-12] to circumvent the limitations of mobile devices and provide robust security for user authentication.

Wireless Roaming Service allows a Visited Location Register (VLR) to authenticate a visiting Mobile Station (MS) with the help of its Home Location Register (HLR). In 2005, Lee and Yeh [4] first proposed an anonymous delegation-based authentication protocol. This protocol uses the idea of a proxy signature. The security of this protocol is built upon the hardness of the discrete logarithm problem (DLP). However, Tang and Wu [10] discovered that the protocol of Lee and Yeh is vulnerable to an impersonated-VLR attack, and then proposed a delegation-based authentication protocol for wireless environments based on elliptic curve cryptosystem (ECC). For user privacy protection, the protocol of Tang and Wu utilizes a one-time alias mechanism to dynamically generate and apply a user alias as the temporary user ID during an authentication session. Later, Lee et al. [5] demonstrated that the protocol of Lee and Yeh cannot achieve user non-repudiation in its offline authentication process. In addition, Lee et al. proposed an enhanced protocol to support user identity privacy. A year later, Youn and Lim [12] proved that the protocol of Lee et al. cannot achieve user unlinkability. They also proposed a new protocol that provides user unlinkability by randomizing the proxy key pair, which is used to generate the required delegation. In their protocol, the HLR has a database that stores the proxy key pair of each legal MS. After the MS has been authenticated by the VLR and HLR, the proxy key pair of the MS in the VLR database must be in sync with the proxy key pair in the MS SIM card. In 2011, Lu and Zhou [8] discovered that the protocol of Tang and Wu does not achieve user unlinkability, and then proposed an ECC-based delegation authentication protocol with user privacy protection. To provide user unlinkability, the protocol of Lu and Zhou introduces an alias name mechanism, which dynamically generates a one-time user alias to substitute for the original user ID during an authentication session. In addition, Lu and Zhou compared the security features and protocol cost of their protocol with those of the protocol of Youn and Lim. As the protocol of Lu and Zhou adopts an ECC-based signature, its protocol cost is less than that of Youn and Lim in general, while both protocols support the same security robustness. At the same time, Wang and Lin [11] discovered that the protocol of Youn and Lim is vulnerable to a Denial of Service (DoS) attack if the last authentic message sent from the VLR is disrupted by the adversary. Consequently, they proposed an enhanced protocol.

In the protocol of Wang and Lin, the HLR utilizes two databases to withstand the DoS attack. The first database stores the new proxy key pairs and the other stores the old proxy key pairs. Assume that an adversary interrupts the last authentic message sent by the VLR. A visiting MS can still be authenticated by the VLR with the help of the HLR, which searches the database that stores the old proxy key pairs of the MS. Obviously, the protocol of Lu and Zhou [8] is also vulnerable to the DoS attack of Wang and Lin [11], since the proxy key pair of the MS in the HLR database must be in sync with the proxy key pair in the MS SIM card after the MS has been authenticated by the VLR and HLR. This letter proposes a new delegation-based authentication protocol for Wireless Roaming Service. The proposed protocol does not require proxy key pair synchronization between the HLR database and the MS SIM card. Hence, the proposed protocol can withstand DoS attacks. In addition, the computational cost of the proposed protocol is lower than that of existing protocols.

Manuscript received March 12, 2012. The associate editor coordinating the review of this letter and approving it for publication was C. Mitchell. The authors are with the Department of Information Management, National Taiwan University of Science and Technology, Taipei, Taiwan (e-mail: [email protected]; [email protected]; tcwu@cs. ntust.edu.tw). N.-W. Lo is the corresponding author. The authors gratefully acknowledge the support from the Taiwan Information Security Center (TWISC) and the National Science Council, Taiwan, under the Grant Numbers NSC 100-2218-E-011-002 and NSC 100-2218-E011-005. Digital Object Identifier 10.1109/LCOMM.2012.052112.120525

1089-7798/12$31.00 © 2012 IEEE

II. THE PROPOSED PROTOCOL

The proposed protocol comprises three phases: setup, online authentication, and i-th offline authentication. Symbol notations are introduced as follows:

p, q: the prime numbers satisfying q | (p − 1)
g: a generator in Zp
IDV, IDH: the identities of VLR and HLR
[M]K: a symmetric encryption of message M with the key K
G: a cyclic additive group
h(): a one-way hash function such that h(): Zp → Zp
H(): a one-way hash function such that H(): G → Zp
l: an integer representing the length of an alias
Bl(m): the first l bits of binary string m
P: the generator of the cyclic additive group

Details of each phase are described as follows.

Setup phase: First of all, HLR chooses two private keys x and xv, and then computes their corresponding public keys v = xP and yv = xvP, respectively. Next, HLR shares KHV, xv and v with VLR. HLR also computes a proxy key pair K = kP and σ = x + kh(K) (mod q) for each MS, where k is a random number. Then, each MS's generated proxy key pair (σ, K) is stored in HLR's database, and each MS's proxy key pair (σ, K) and the public key yv are stored in the corresponding MS's SIM card.

Online authentication phase: For each online authentication session, MS precomputes h^(1)(n1), h^(2)(n1), ..., h^(n+1)(n1) and stores them in its database, where n1 is a random number and n is the total number of offline authentications supported by the protocol.

Step 1. MS sends a login request to VLR.
Step 2. VLR sends (n2, IDV) to MS, where n2 is randomly generated by VLR.
Step 3. MS retrieves N1 = h^(n+1)(n1) from its SIM card, and then computes r1 = tP, r2 = H(tyv) ⊕ (K, N1) and s = σ × h(N1 n2 IDV r1 r2 IDH) + t (mod q), where t is a random number. Next, MS sends (r1, r2, s, IDH, IDV) to VLR.
Step 4. VLR first uses xv to retrieve K and N1 by computing r2 ⊕ H(xv r1). Next, VLR computes sP and h(N1 n2 IDV r1 r2 IDH) × (v + h(K)K) + r1, and then verifies whether the two computed values are the same. If the verification holds, VLR computes CT1 = [N1 n2 K]KHV using KHV as the encryption key and then sends (CT1, IDH, IDV) to HLR. Otherwise, VLR denies the login request.
Step 5. HLR obtains N1 n2 K by decrypting CT1 with the secret key KHV. Next, HLR finds the corresponding σ in its database according to the decrypted K. HLR computes SK = h(N1 n2 n3 σ), CT2 = [N1 n3 IDV]σ, and CT3 = [CT2 n2 N1 SK]KHV, where n3 is a random number and SK is the session key. Finally, HLR sends (CT3, IDH, IDV) to VLR.
Step 6. VLR obtains CT2 n2 N1 SK by decrypting CT3 with the secret key KHV and then verifies whether n2 and N1 exist in the decrypted string CT2 n2 N1 SK. If the verification holds, VLR sends (CT2, IDV) to MS.
Step 7. MS obtains N1 n3 IDV by decrypting CT2 with the key σ and then checks whether N1 and IDV exist in the decrypted string N1 n3 IDV. If the condition holds, MS computes the session key SK = h(N1 n2 n3 σ).

i-th offline authentication phase: MS retrieves h^(n−i+1)(n1) from its database and sends [h^(n−i+1)(n1)]Ci to VLR. Upon receiving [h^(n−i+1)(n1)]Ci, VLR decrypts the message and computes h(h^(n−i+1)(n1)). Next, VLR verifies whether the computed value h(h^(n−i+1)(n1)) is the same as the stored value h^(n−i+2)(n1) in its database. If the condition holds, VLR replaces h^(n−i+2)(n1) with h^(n−i+1)(n1), computes the session key Ci+1 = h(h^(n−i+1)(n1), Ci), and increases i to i + 1.
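As an added illustration (not the authors' code), the following Python script checks the proxy-signature identity behind Steps 3 and 4 on a small textbook curve (y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of prime order 19; all constructed so that the arithmetic is visible). Assumptions: h() is instantiated as SHA-256 reduced mod q, a message string stands in for N1 n2 IDV r1 r2 IDH, and r2 is left out because it only conceals K and N1 from eavesdroppers and plays no part in the check.

```python
import hashlib
import random

# Toy curve y^2 = x^3 + 2x + 2 over F_17 with generator P of prime order q = 19
# (a textbook curve, used here only so the arithmetic is visible; constructed values).
A, PRIME, Q = 2, 17, 19
P, INF = (5, 1), None           # generator and the point at infinity

def add(p1, p2):
    """Affine point addition; handles doubling and the point at infinity."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF                           # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME)
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt (callers reduce k mod q)."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):
    """Assumed instantiation of the paper's h(): SHA-256 of the parts, reduced mod q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def hlr_setup(x):
    """Setup: HLR's public key v = xP and one MS's proxy key pair (sigma, K)."""
    k = random.randrange(1, Q)
    K = mul(k, P)
    return mul(x, P), ((x + k * h(K)) % Q, K)   # sigma = x + k*h(K) (mod q)

def ms_sign(sigma, msg):
    """Step 3 (MS): r1 = tP, s = sigma*h(msg, r1) + t (mod q), fresh random t."""
    t = random.randrange(1, Q)
    r1 = mul(t, P)
    return r1, (sigma * h(msg, r1) + t) % Q

def vlr_verify(v, K, msg, r1, s):
    """Step 4 (VLR): accept iff sP == h(msg, r1) * (v + h(K)K) + r1."""
    rhs = add(mul(h(msg, r1), add(v, mul(h(K), K))), r1)
    return mul(s, P) == rhs
```

A genuine (r1, s) passes and any change to s fails, because sP = σh(·)P + tP = h(·)(xP + kh(K)P) + r1 = h(·)(v + h(K)K) + r1 whenever σ = x + kh(K) (mod q); VLR needs only the public values v and K, never σ.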
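The i-th offline authentication phase, written out as an added example rather than the authors' code: h() is instantiated as SHA-256, C1 is assumed to be the session key SK from the online phase, and the symmetric encryption [·]Ci is left out so that the hash-chain check itself is visible.

```python
import hashlib
import os

def h(*parts):
    """Assumed instantiation of the paper's h(): SHA-256 over the concatenated parts."""
    return hashlib.sha256(b"".join(parts)).digest()

class MobileStation:
    """MS side: precomputes h^(1)(n1) ... h^(n+1)(n1) before online authentication."""

    def __init__(self, n, n1=None):
        self.n, self.i = n, 1            # n offline logins supported; i = next index
        cur = n1 if n1 is not None else os.urandom(32)   # n1: random seed of the chain
        self.chain = []                  # chain[j-1] = h^(j)(n1), j = 1 .. n+1
        for _ in range(n + 1):
            cur = h(cur)
            self.chain.append(cur)

    def anchor(self):
        """N1 = h^(n+1)(n1), delivered to VLR inside the online authentication."""
        return self.chain[self.n]

    def offline_token(self):
        """i-th offline login: reveal h^(n-i+1)(n1), then advance i."""
        if self.i > self.n:
            raise RuntimeError("offline budget used up; run online authentication")
        tok = self.chain[self.n - self.i]
        self.i += 1
        return tok

class VisitorLocationRegister:
    """VLR side: keeps only the latest accepted chain value and the current key Ci."""

    def __init__(self, n1_anchor, sk):
        self.stored = n1_anchor          # h^(n-i+2)(n1); equals N1 while i = 1
        self.c = sk                      # C1 = SK from the online phase (assumed)
        self.i = 1

    def verify(self, tok):
        """Accept iff h(tok) == stored value; then slide the window and derive Ci+1."""
        if h(tok) != self.stored:
            return False                 # replayed, skipped or forged value
        self.stored = tok
        self.c = h(tok, self.c)          # Ci+1 = h(h^(n-i+1)(n1), Ci)
        self.i += 1
        return True
```

Because VLR stores only the most recently accepted chain value, a value that was already consumed, or one that skips ahead in the chain, fails the single-hash check; only the immediate preimage of the stored value is accepted.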

III. SECURITY ANALYSES

This section analyzes the security of the proposed protocol as follows.

A. Unlinkability

The proposed protocol sends the authentic value K securely such that unlinkability is achieved. Assuming that adversaries attempt to trace whether a legal user has previously requested to log in to the server, they will be unable to mount this attack successfully. In each online authentication session, the authentic message (r1, r2, s) of Step 3 of the online authentication phase is always different, since (r1, r2, s) is randomized by the random number t. It is impossible to link two different value instances of (r1, r2, s) to the same user even if all authentic messages are learned by the adversary. In addition, without knowing the private key of VLR, adversaries cannot retrieve the value K from the value r2 = H(tyv) ⊕ (K, N1) (mod p) that is sent from the MS in Step 3 of the online authentication phase. The proposed protocol therefore achieves the unlinkability property.

B. Resistance to Man-in-the-Middle Attack

A man-in-the-middle attack is an attack in which the adversary eavesdrops on all the authentic messages among the victims and then relays these messages among them to make the victims believe that they are actually communicating with each other, while the entire communication session is controlled by the adversary. In the proposed protocol, it is impossible for an adversary to mount this kind of attack successfully, since the adversary requires knowledge of the secret value σ or the secret key KHV. Without this knowledge, the adversary cannot decrypt the authentic messages CT2 and CT3 to compute the session key. The proposed protocol therefore resists the man-in-the-middle attack.


TABLE I
MAJOR SECURITY FEATURES AND PERFORMANCE COMPARISON AMONG DELEGATION-BASED AUTHENTICATION PROTOCOLS

Protocol        Unlinkability   Success of DoS Attack   Space Size of Database
Youn and Lim    Yes             Yes                     2n
Wang and Lin    Yes             No                      4n
Lu and Zhou     Yes             Yes                     2n
Ours            Yes             No                      2n

Computational Cost
Youn and Lim: HLR 2Th + Tm + 2TE + Te + TS; MS 2Th + 2Tm + TE + Te; VLR 2Th + 2Tm + TE + Te; Total 4Th + 5Tm + 5TE + 6Te + TS
Wang and Lin: HLR Th + Tm + 3TE + Te + TS (Th + Tm + 3TE + Te + 2TS); MS Th + 2Tm + 2TE + 4Te; VLR Th + 2Tm + 2TE + 4Te; Total 4Th + 4Tm + 6TE + 6Te + TS (4Th + 4Tm + 6TE + 6Te + 2TS)
Lu and Zhou: HLR 3Th + 3TE + 3TEM + TS; MS 3Th + 3TE + 2TEM; VLR 3Th + TE + 3TEM; Total 9Th + 8TE + 8TEM + TS
Ours: HLR Th + 3TE + TS; MS 3Th + 2TE + 3TEM; VLR 3Th + 2TE + 4TEM; Total 7Th + 6TE + 7TEM + TS

C. Resistance to DoS Attack

In our protocol, the proxy key pair in the SIM card of the MS and the one in the database of the HLR do not require synchronous updates. Therefore, even if adversaries interfere with the authentic messages transmitted among MS, VLR and HLR, they still cannot mount the DoS attack successfully.

D. Resistance to Request Replication Attack [13]

In the proposed protocol, the session key SK is derived from three random numbers N1, n2, n3, which are generated by MS, VLR and HLR, respectively. In addition, MS is able to verify whether it has correctly logged in to the current VLR by checking IDV. Without knowing the value σ and the key KHV, a malicious VLR cannot mount the replication attack, i.e., copy and modify the authentic message CT2 and successfully send the modified CT2 in the next authentication session. Therefore, the proposed protocol resists the request replication attack.

IV. COMPARISONS

We only compare our protocol with the most related protocols in [8, 11, 12] in this section, since only these three protocols provide the unlinkability property, as far as this study has gathered. Let Tm be the time for performing a modular multiplication, Th be the time for performing a one-way hash function, TE be the time for performing a symmetric encryption, TEM be the time for performing an ECC point multiplication, and Te be the time for performing a modular exponentiation. Let n be the number of legal MSs and TS be the time needed to search the database for the proxy key pair of an MS according to the key K. The comparisons of database storage space and total computing cost among delegation-based authentication protocols are given in Table I. As shown in Table I, the MS's computational cost of our proposed protocol is higher than that of the protocol of Lu and Zhou by TEM − 2TE, but the total computational cost of the proposed protocol is less than that of the others. Moreover, the proposed protocol can withstand the DoS attack, whereas neither the protocol of Youn and Lim nor the protocol of Lu and Zhou can. In summary, the proposed protocol is better than the previously proposed ones.

V. CONCLUSION

In this letter, we propose a novel delegation-based authentication protocol with the user unlinkability feature. The proposed protocol requires less computational cost than existing delegation-based authentication protocols. In addition, the proposed protocol can withstand the DoS attack.

REFERENCES

[1] M. J. Beller, L. F. Chang, and Y. Yacobi, "Privacy and authentication on a portable communications system," IEEE J. Sel. Areas Commun., vol. 11, pp. 821–829, 1993.
[2] C. C. Lo and Y. J. Chen, "Secure communication mechanisms for GSM networks," IEEE Trans. Consum. Electron., vol. 45, pp. 1074–1080, 1999.
[3] T. F. Lee, C. C. Chang, and T. Hwang, "Private authentication techniques for the global mobility network," Wireless Personal Commun., vol. 35, no. 4, pp. 329–336, 2005.
[4] W. B. Lee and C. K. Yeh, "A new delegation-based authentication protocol for use in portable communication systems," IEEE Trans. Wireless Commun., vol. 4, no. 1, pp. 57–64, 2005.
[5] T. F. Lee, S. H. Chang, T. Hwang, and S. K. Chong, "Enhanced delegation-based authentication protocol for PCSs," IEEE Trans. Wireless Commun., vol. 8, no. 5, pp. 2166–2171, 2009.
[6] H. Y. Lin and L. Harn, "Authentication protocols with non-repudiation services in personal communication systems," IEEE Commun. Lett., vol. 3, no. 8, pp. 236–238, 1999.
[7] H. Y. Lin, "Security and authentication in PCS," Comput. Elect. Eng., vol. 25, no. 4, pp. 225–248, 1999.
[8] J. Z. Lu and J. Zhou, "Preventing delegation-based mobile authentications from man-in-the-middle attacks," Computer Standards and Interfaces, vol. 34, no. 3, pp. 314–326, 2012.
[9] M. Rahnema, "Overview of the GSM system and protocol architecture," IEEE Commun. Mag., pp. 92–100, 1993.
[10] C. Tang and D. O. Wu, "An efficient mobile authentication scheme for wireless networks," IEEE Trans. Wireless Commun., vol. 7, no. 4, pp. 1408–1416, 2008.
[11] C. H. Wang and C. Y. Lin, "An efficient delegation-based roaming payment protocol against denial of service attacks," in Proc. 2011 International Conference on Electronics, Communications and Control, pp. 4136–4140.
[12] T. Y. Youn and J. Lim, "Improved delegation-based authentication protocol for secure roaming service with unlinkability," IEEE Commun. Lett., vol. 14, no. 9, pp. 791–793, 2010.
[13] J. Z. Lu and J. Zhou, "On the security of an efficient mobile authentication scheme for wireless networks," in Proc. 2010 International Conference on Wireless Communications Networking and Mobile Computing, pp. 1–3.