UAKA-D2D: Universal Authentication and Key Agreement Protocol in D2D Communications

May 6, 2013

Mingjun Wang*, Zheng Yan*†, Valtteri Niemi‡

* State Key Lab of ISN, School of Cyber Engineering, Xidian University, Xi'an, China, {mjwang, zyan}@xidian.edu.cn
† Department of Communications and Networking, Aalto University, Finland
‡ Department of Computer Science, University of Helsinki, [email protected]

Abstract—Device-to-Device (D2D) communications have emerged as a promising technology for the next generation of mobile communication networks and wireless systems (5G). As an underlay of conventional cellular networks (LTE or LTE-Advanced), D2D communications have shown great potential for improving communication capability and fostering a variety of new applications and services. However, new application scenarios and a new system architecture expose the establishment of D2D communications to unique security threats. It is therefore necessary to build security requirements into the design of D2D communications in order to ensure the security and correct operation of the network. In this paper, we propose a Universal Authentication and Key Agreement protocol for D2D communications (UAKA-D2D) that achieves secure communication session establishment while taking user roaming and inter-operator operation into account. Our protocol adopts the Diffie-Hellman Key Exchange (DHKE) algorithm to achieve privacy-preserving session key generation and employs message authentication codes to achieve mutual authentication between D2D users. The security of the proposed protocol is analyzed theoretically and verified with a formal security verification tool. Finally, we evaluate the performance of the protocol in terms of computation and communication costs based on extensive analysis and simulations. The results show the efficiency and practicality of the proposed protocol.

Keywords—Device-to-Device (D2D) Communications; LTE-Advanced Network; Key agreement; Authentication; 5G.

I. INTRODUCTION

Device-to-Device (D2D) communications, one of the most promising technologies for the next generation of mobile communication networks and wireless systems (i.e., 5G), have drawn ever-increasing attention from academia, industry and standards organizations in recent years. The term refers to a type of communication technology that enables devices in the vicinity of each other to communicate directly, under the control of the existing network infrastructure, which comprises Access Points (AP), Base Stations (BS) and Core Networks (CN) [1]. Recent research [1]-[7] has shown that D2D communications have great potential for improving communication capabilities, reducing communication delay and power dissipation, and fostering a variety of new applications and services.

Extensive studies of D2D communications have been performed in both academia and industry. In academia, D2D communications have been regarded as an underlay of the LTE-Advanced network that improves communication performance [1]. Many researchers have paid attention to issues such as application scenarios, communication mode selection [2], [3], resource allocation [4], power control and interference control [5]. In industry, application development based on D2D communications is underway. For example, Qualcomm is developing a D2D communication sub-system for cellular networks, known as FlashLinQ [6], [7], which lets devices communicate directly with other devices in proximity. It is expected to complement traditional cellular networking based services and to serve as a scalable platform for new types of applications, such as advertising, content sharing and secure mobile payments. At the same time, standardization work on D2D communications is underway in the relevant communities. The Third Generation Partnership Project (3GPP) has specified D2D communication under the name "Proximity-Based Services" (ProSe) [8], [9]. Many technical issues are discussed in the feasibility study of ProSe in LTE-A, including system architecture, network entity functions and extensive use case exploration. Moreover, studies on radio, service and other aspects are underway and will appear in future standardization.

Although D2D communications offer such significant benefits, new application scenarios and a new system architecture expose them to unique security and privacy threats. Current security solutions in LTE and other wireless communication technologies (e.g., Mobile Ad Hoc Networking and Bluetooth) are not able to address these new issues. For instance, the current authentication and key agreement scheme in LTE networking (EPS AKA) only provides mutual authentication and key agreement between a user and the core network. In D2D communications, however, additional mutual authentication and key negotiation between the two D2D users are essential. Without security and privacy guarantees, information transmitted over D2D communication links could suffer from various active or passive attacks, e.g., eavesdropping, impersonation attacks and Man-in-the-Middle (MitM) attacks. Moreover, users' private information, e.g., their real identities and the communication content, could be at risk of leakage. Therefore, how to establish secure communication connections between D2D users without leaking user privacy has become a fundamental requirement for the success of D2D services.

Recently, some secure D2D communication schemes have been reported [10], [12], [13]-[17]. These studies focus on secure data sharing [10], key agreement [12], [13], [15] and authentication [14], [16], [17] in D2D communications. However, all of these schemes address security issues in a primary scenario, where all D2D users are located in their local network and under the management of only one operator, i.e., their home network. None of them takes into consideration the impact on security caused by user roaming and inter-operator operation. Moreover, protection of user privacy has not been well addressed in existing work. If these issues cannot be solved properly, they will greatly hinder the deployment of D2D communications in practice.

In order to tackle the above unsolved issues and make D2D communications meet security and privacy requirements, we present a Universal Authentication and Key Agreement protocol for D2D communications (UAKA-D2D) in this paper. The protocol supports secure D2D communications across multiple operators, even while roaming, and preserves user privacy during D2D communications. Our proposed protocol is novel and different from previous schemes, since the problem solved by our work has not been considered in past work [10]-[17]. Specifically, the major contributions of our paper can be summarized as follows:

• We develop a universal authentication and key agreement protocol for D2D communications based on Diffie-Hellman Key Exchange (DHKE). This protocol helps users generate a secure session key for a D2D session under the control of LTE core networks.

• To the best of our knowledge, our protocol is the first work that addresses D2D authentication and key agreement in the scenario where user roaming and inter-operator operation occur. Our protocol offers a universal method that supports secure D2D communications even during roaming and across multiple operators, and it is flexible enough to support various D2D communication scenarios. We demonstrate that key agreement can be achieved effectively in the most complicated scenario, where two users subscribing to two different operators roam to the same place and are served by two different local operators.

• Our protocol supports mutual authentication between D2D users during the session key establishment process, which makes it possible to resist several existing attacks, such as replay attacks and MitM attacks.

• Our protocol also achieves privacy preservation in D2D communications. The secure D2D session is established under the control of the core network, yet the core network has no knowledge of the final session key. Only the users who participate directly in the D2D session share the final session key, which protects the D2D communication against information leakage to the core network and to outsiders.

Organization. The remainder of the paper is organized as follows. Section II reviews related work. Section III introduces the preliminaries, including Authentication and Key Agreement in LTE, Diffie-Hellman Key Exchange and the notation used in the paper. Section IV elaborates on the proposed UAKA-D2D protocol and discusses its flexibility. In Sections V and VI, we provide the security analysis, formal verification and performance evaluation of the proposal. Finally, Section VII draws a conclusion.

II. RELATED WORK

The research on D2D communication security is still in its infancy. Neither academia nor the industrial standardization communities have studied authentication and key agreement for D2D communications thoroughly. In academia, Zhang et al. proposed a secure data sharing protocol for D2D communications in LTE-A [10]. They leveraged Diffie-Hellman Key Exchange (DHKE) [11] to realize session key agreement between two D2D devices under the control of the BS. The data transmission is protected by symmetric encryption under the session key. They also took advantage of a Hash-based Message Authentication Code (HMAC) algorithm to guarantee identity authentication, data authority and integrity, and used digital signatures to guarantee non-repudiation of transmission. However, this protocol is an application-oriented scheme, specific and limited to data sharing application scenarios. Moreover, roaming and inter-operator issues are not addressed by it. In order to design a universal scheme, Sheng et al. proposed a secret key sharing scheme based on DHKE that establishes a session key between two D2D devices. To overcome MitM attacks, the authors used a commitment scheme to realize mutual authentication between the two devices. Nevertheless, the authentication process has to be completed with a visual or verbal comparison at the end, which makes the scheme impractical in many cases. Alam et al. [12] proposed a key distribution scheme for D2D communications in LTE-A. It reuses the existing LTE-A security architecture as much as possible to reduce deployment costs. In the scheme, the core network is regarded as a fully trusted third party that controls the generation and distribution of the session key between the two D2D UEs. To reduce the risk of leakage when transmitting session keys between the core network and the UEs, the CN first XORs the keys of the two D2D UEs and sends the XOR-ed key to each UE. On receiving the XOR-ed key, each UE derives the other key using its own key, after which each UE holds a pair of session keys to protect the D2D communication. However, this XOR operation still cannot eliminate the risk of session key leakage: if one part of the session key is disclosed, the other part can easily be computed through the XOR operation. The safest way is not to transmit the session key between the CN and the UEs, or between the UEs, at all. In [13], a similar idea was proposed to establish a D2D communication key management framework. Kwon et al. [14] also proposed two protocols for D2D secure key establishment and authentication based on Bluetooth Pairing, using Ciphertext-Policy Attribute-Based Encryption (CP-ABE). Both the confidentiality of an initial secret key between D2D users and fine-grained user access control are guaranteed. The authors proposed two schemes that can be applied in different application scenarios. In the first scheme, a D2D user can generate a session key from a shared initial key with arbitrary D2D users in a specific group. In the second scheme, a D2D user can set up an authenticated and secure link with a specific user in a group, excluding the other users. A Message Integrity Code (MIC) is adopted to enhance message integrity. Benefiting from CP-ABE, the protocols achieve fine-grained user access control and mutual authentication, and also resist MitM attacks and replay attacks. However, the use of CP-ABE introduces a high computation cost and key management overhead, which is an impractical addition to the Evolved Packet System (EPS) structure. Above all, none of the existing works takes the roaming and inter-operator communication scenario into account, which limits their applicability.

On the other hand, some patent applications have been filed in industry and proposals have been made in standardization organizations to address authentication and key agreement in D2D communication. In [15], a secure D2D communication framework that performs authentication and secure communication between two D2D users was proposed. A security association is first set up between the two D2D users using DHKE. Then each user requests a certificate from its home core network and uses the certificate to perform mutual authentication. However, the use of certificates introduces the high deployment cost of a PKI. In [16], a key agreement protocol for D2D communications in LTE-A was proposed. It inherits a shared secret key between a UE and the core network, which is used to generate the session key for D2D communications. The protocol is compatible with the existing LTE-A system. However, the session key for D2D communications is transmitted from the core network to one UE, instead of being derived locally in the UE. This introduces a leakage risk for the session key during transmission, and thus the protocol could seriously impact the security of the D2D communications. An authentication protocol for D2D communications under LTE was proposed in [17]. It deals with UE registration, key distribution and mutual authentication between UEs for D2D communications. This protocol depends on the core network sending a shared master key to the UEs, from which they derive a session key; it is vulnerable if the master key leaks during transmission.

As can be seen from the above review, the state of the art has not considered how to achieve secure D2D communications for devices that may subscribe to different operators and roam to remote regions. Nor can communication privacy with respect to the core network be supported. The protocol proposed in this paper aims to set up a secure session key between two mobile devices that may subscribe to different mobile operators and roam to remote places. Meanwhile, we attempt to realize privacy-preserving D2D communications that protect D2D communication data from disclosure to the core networks.

III. PRELIMINARIES

A. Evolved Packet System Authentication and Key Agreement (EPS AKA)

EPS AKA [18] is the authentication and key agreement protocol introduced by 3GPP for the LTE network in Release 8. It enables mobile User Equipment (UE) and a Visiting Network (VN) to authenticate each other mutually and to generate keys for secure communications. The AKA protocol can be divided into two phases: 1) authentication data distribution and 2) user AKA. The former enables the Home Network (HN) of the UE to distribute authentication data to the VN that directly serves the UE. The latter establishes new session keys between the UE and the VN.

B. Diffie-Hellman Key Exchange (DHKE)

DHKE [11], whose security rests on the Discrete Logarithm Problem (DLP), provides a practical solution to the key distribution problem: it enables two parties to derive a common secret key by communicating over an insecure channel. The basic idea underlying DHKE is that exponentiation in $\mathbb{Z}_p^*$ is a one-way commutative function, i.e.

$$K = (g^a)^b = (g^b)^a \bmod p,$$

where $g$ is a generator of $\mathbb{Z}_p^*$ and $a$ and $b$ are random values. $K$ is the common secret that can be used as the session key between the two parties. We denote $A = g^a$ and $B = g^b$ as the key hints of the two parties, respectively. The two parties then only need to exchange their key hints, and the secret key can be computed on both sides.

C. Notation

Table 1 summarizes the notation used in this document.

TABLE 1. SYSTEM NOTATION

Notation: Definition
$UE_i$ / $UID_i$: the User Equipment $i$ and its identity
$HN_i$ / $HNID_i$: the Home Network of $UE_i$ and its identity
$VN_i$ / $VNID_i$: the Visiting Network of $UE_i$ and its identity
$K_i$: the secret key shared between $UE_i$ and $HN_i$
$Params$: the system parameters of the inter-operator D2D communication agreement
$KDF$: the Key Derivation Function
$K^i_{roam}$: the roaming key generated by $HN_i$ for $VN_i$
$K^i_{D2D}$: the D2D function key derived from $K^i_{roam}$, used for generating the D2D session key
$HINT_i$: the session key hint of $UE_i$
$mac_i$: the message authentication code for $HINT_i$
$FID_i$: the identity of the D2D function entity
$SID$: the identity of the D2D session
$K_s$: the D2D session key
$L$: the length of the security parameter

IV. THE PROPOSED PROTOCOL

In this section, we first introduce the system model and define the security assumptions of our protocol design. Then we present the UAKA-D2D protocol and show that it is flexible enough to adapt to various kinds of D2D communication scenarios.

A. System Model

The system model is given in Figure 1. In our system, three kinds of entities are involved, in addition to the underlying wired and wireless communication infrastructure: 1) D2D User Equipment (UE); 2) the Home Network (HN) to which a $UE$ subscribes; and 3) the Visiting Network (VN), which directly provides services to a roaming $UE$. As illustrated in Figure 1, $UE_1$ and $UE_2$ are two users subscribing to different home networks, $HN_1$ and $HN_2$ respectively. They roam from their home networks to the same place (e.g., the same university or conference venue) and are in proximity to each other. However, $UE_1$ and $UE_2$ are served by two different local operators (VNs) because of the different roaming agreements between their HNs and VNs. Specifically, $UE_1$ is served by $VN_1$ and $UE_2$ is served by $VN_2$. We suppose that $HN_1$ and $VN_1$ have a roaming agreement so that $UE_1$ can access its subscribed services through $VN_1$, and that $HN_2$ and $VN_2$ have a similar roaming agreement. In some situations, $UE_1$ and $UE_2$ want to establish direct D2D communication for the purpose of D2D services, such as content sharing and gaming, so a D2D communication session should be established securely and efficiently between them. In this scenario, $UE_1$ and $UE_2$ are both roaming users served by different VNs, and the establishment of a secure D2D communication session requires the cooperation of $HN_1$, $HN_2$, $VN_1$ and $VN_2$. Our protocol is proposed to address at least this complicated D2D communication scenario.

B. Security Assumptions

In our system, we assume that each roaming user $UE_i$ (e.g., $UE_1$ and $UE_2$ in Figure 1) has subscribed to a home network $HN_i$ (e.g., $HN_1$ and $HN_2$). There is a shared secret key $K_i$ between $UE_i$ and $HN_i$; $K_i$ is stored securely in the Subscriber Identity Module embedded in $UE_i$ and in the Authentication Center (AuC/HSS) of $HN_i$. $HN_i$ and $VN_i$ have signed a roaming agreement, so the roaming user $UE_i$ can access services through $VN_i$. The communications between $HN_i$ and $VN_i$, and between the local networks ($VN_1$ and $VN_2$), are secured by existing secure protocols, e.g., network domain security schemes [19], [20]. There exists an inter-operator agreement between different networks (e.g., between $VN_1$ and $VN_2$) in order to provide inter-operator D2D services. The communication channel between the two roaming users ($UE_1$ and $UE_2$) is open and vulnerable to various attacks. Since they may profit from doing so, we assume that $HN_i$ and $VN_i$ could be curious enough to eavesdrop on D2D communication content. Thus the communications between the two roaming users should be kept confidential from $HN_i$ and $VN_i$ in order to achieve privacy-preserving D2D communications. Our goal is a universal and lightweight mutual authentication and key agreement protocol for D2D communications that is compatible with almost all roaming/non-roaming and intra/inter-operator D2D communication scenarios under the 3GPP-defined LTE network architecture. In the proposed protocol, D2D communication data between users should not be disclosed to any other users nearby, nor to their $HN$s and $VN$s, even though the $HN$s and $VN$s are involved in the secure D2D communication establishment process.

C. Protocol

In this subsection, we propose a protocol that addresses secure communication establishment in the most complex D2D communication scenario, where user roaming and inter-operator operation occur. In the protocol, UEs that have roamed from their HNs to VNs and are served by the VNs discover nearby UEs and want to establish a secure D2D communication session. They first negotiate a common secret via an out-of-band channel. Then, with the assistance of the VNs, they authenticate each other and generate a common session key for secure and privacy-preserving communication, using message authentication codes and the DHKE algorithm. The protocol consists of four phases: Phase I: System Setup; Phase II: Roaming UE Registration; Phase III: D2D Discovery and Random Negotiation; and Phase IV: D2D Session Key Generation. The detailed process is depicted in Figure 2.

Phase I: System Setup

In this phase, the different operators generate their common system parameters and sign an inter-operator agreement for D2D services. For instance, the visiting networks $VN_1$ and $VN_2$ sign an agreement on inter-operator operation for D2D communications. Then an appropriate system prime $p$ and a multiplicative group $\mathbb{Z}_p^*$ of order $p-1$ with generator $g$ are selected and disseminated to all system entities.

Figure 1: System Model

Phase II: Roaming UE Registration

In this phase, a roaming user registers with a visiting network for communication services. The registration process involves the roaming user, the visiting network and the home network to which the user subscribes. The detailed registration process works as follows:

i. $UE_i$, where $i = 1, 2$, representing $UE_1$ and $UE_2$ in Figure 2, sends a Registration Request to $VN_i$ to access roaming services. The Registration Request contains $UID_i$, the identity of $UE_i$, and $HNID_i$, the identity of $UE_i$'s Home Network. Here, $UID_i$ may be a permanent identity or a temporary identity.

ii. On receiving the Registration Request from $UE_i$, $VN_i$ checks $HNID_i$ to verify whether it has a roaming agreement with $HN_i$. If so, it forwards an Authentication Request to $HN_i$, replacing $HNID_i$ in the Registration Request with its own identity $VNID_i$.

iii. Upon receipt of the Authentication Request, $HN_i$ checks whether $VNID_i$ is a legitimate operator network in its list and whether it has signed a roaming agreement with it. If not, $HN_i$ rejects the request and halts. Otherwise, it checks the authorization of $UE_i$. If $UE_i$ is an authorized subscriber, $HN_i$ generates authentication information that contains a roaming key $K^i_{roam}$ and delegates authentication authority to $VN_i$ by sending the authentication information to $VN_i$. The roaming key $K^i_{roam}$ is calculated as follows:

$$K^i_{roam} = KDF(K_i, VNID_i, RAND_i),$$

where $KDF$ denotes the generic Key Derivation Function defined in Annex A of [18], and $RAND_i$ denotes a random value chosen by $HN_i$.

Figure 2: Universal key agreement protocol (inter-operator and full roaming scenario)

iv. Then $VN_i$ uses the Authentication Information obtained from $HN_i$ to authenticate mutually with $UE_i$. The mutual authentication between $UE_i$ and $VN_i$ follows the standard EPS AKA authentication process [18]. Along with the authentication process, both $VN_i$ and $UE_i$ derive the D2D function key $K^i_{D2D}$ from the roaming key $K^i_{roam}$, calculated as follows:

$$K^i_{D2D} = KDF(K^i_{roam}, FID_i, RAND'_i),$$

where $RAND'_i$ denotes a random value chosen by $VN_i$ and $FID_i$ is the identity of the D2D Function Entity [8] (e.g., the ProSe Function of $VN_i$). The additional parameter $FID_i$ is needed to ensure that $K^i_{D2D}$ differs when $UE_i$ is served by different D2D Function Entities in the same network. The D2D function key $K^i_{D2D}$ is used for generating the D2D session key.

Phase III: D2D Discovery and Random Negotiation

In this phase, two proximate users ($UE_1$ and $UE_2$ in Figure 2), served by two different visiting networks, discover each other and share a secret random $R_1$ via an out-of-band channel that is open but independent of, and secure against, the core networks (e.g., $VN_i$ and $HN_i$), e.g., face-to-face negotiation, Bluetooth or social networking. Thus the two users hold a pre-secret $R_1$.

Phase IV: D2D Session Key Generation

In this phase, the two proximate users establish a secure D2D communication link with the assistance of their visiting networks, without involving their home networks. The detailed key generation works as follows:

i. One user, e.g. $UE_1$, launches the Session Key Generation process by sending a D2D Session Request to its visiting network $VN_1$. The D2D Session Request consists of the identities of both $UE$s, i.e., $UID_1$ and $UID_2$, and the identity of $UE_2$'s visiting network, $VNID_2$.

ii. Upon receipt of the request, $VN_1$ checks whether $VN_2$ is a legitimate operator network in its list and whether they have an inter-operator agreement for D2D services. If not, it rejects the request and halts. Otherwise, $VN_1$ assigns an identity to this D2D session, denoted $SID$. Then it chooses a random $r_1$ and sends a Key Agreement Request containing $UID_1$, $UID_2$, $r_1$ and $SID$ to $VN_2$ via a secure channel.

iii. When $VN_2$ receives the Key Agreement Request, it checks the legality of $VN_1$ and whether they have an inter-operator agreement for D2D services. If not, it rejects and halts. Otherwise, $VN_2$ chooses another random $r_2$ and sends it to $VN_1$ together with $UID_1$ and $UID_2$.

iv. After the random exchange, $VN_1$ and $VN_2$ generate the pre-shared key $R_2 = r_1 \oplus r_2$ and send a D2D Session Confirmation message to $UE_1$ and $UE_2$, respectively. The message sent from $VN_1$ to $UE_1$ consists of $UE_2$'s identity $UID_2$, $R_2$ and the session identity $SID$; the one sent from $VN_2$ to $UE_2$ consists of $UID_1$, $R_2$ and $SID$.

v. When $UE_1$ and $UE_2$ receive these messages from their visiting networks, they extract the identity contained in the D2D Session Confirmation and check whether it matches the user identity learned in the D2D discovery process. If the two identities match, $UE_1$ and $UE_2$ carry out the Diffie-Hellman key exchange to generate the D2D session key. First, $UE_1$ and $UE_2$ choose randoms $a$ and $b$ respectively and generate their session key hints $HINT_1 = g^a$ and $HINT_2 = g^b$. Before exchanging the hints, they compute message authentication codes $mac_1$ and $mac_2$ for $HINT_1$ and $HINT_2$ using HMAC with the common secret key $K_c$ as follows:

$$mac_1 = HMAC_{K_c}(HINT_1, T_1), \quad mac_2 = HMAC_{K_c}(HINT_2, T_2),$$

where $K_c = R_1 \oplus R_2$, and $T_1$ and $T_2$ are timestamps from the local clocks of $UE_1$ and $UE_2$, respectively. Then $UE_1$ and $UE_2$ exchange their hints together with the message authentication codes and timestamps for the session key generation.

vi. Upon receiving the hints, $UE_1$ and $UE_2$ verify the freshness of the timestamp and the correctness of the received message authentication code by computing the HMAC of the received hint with their own $K_c$. If both sides obtain positive verification results, they generate the D2D session key

$$K_s = HINT_2^{\,a} = HINT_1^{\,b}$$

and subsequently protect their communications using the common session key $K_s$.

D. Protocol Flexibility

In the previous subsection, we presented our protocol in the most complex scenario, where both users roam to, and are served by, different operators' visiting networks. In fact, our protocol is feasible in almost all authentication and key agreement scenarios in D2D communications, whether or not a user roams and whether or not inter-operator communication happens. We classify all situations into six categories and describe only their key agreement processes below.

i. Intra-operator and non-roaming scenario

In this scenario, both users ($UE_1$ and $UE_2$) subscribe to the same operator and are served by the same home network. The key agreement process is illustrated in Figure 3. As described in Figure 3, $UE_1$ and $UE_2$ register with their home network $HN$ following the standard EPS AKA. During the mutual authentication process, $UE_1$ and $HN$ generate the roaming key $K^1_{roam}$ and the D2D function key $K^1_{D2D}$. Meanwhile, $UE_2$ and $HN$ generate the corresponding keys as follows:

$$K^2_{roam} = KDF(K_2, HNID, RAND_2), \quad K^2_{D2D} = KDF(K^2_{roam}, FID, RAND'_2).$$

Figure 3: Key agreement protocol for intra-operator and non-roaming scenario

After the registration, 𝑈𝐸! discovers each other and shares 𝑅! via an out-of-band channel. Then 𝑈𝐸! sends session request to 𝐻𝑁 for establishing a D2D communication session. HN chooses random 𝑟 and sends to 𝑈𝐸! as pre-shared key 𝑅! . Then 𝑈𝐸! computes a common secret key (𝐾! = 𝑅! ⨁𝑅! = 𝑅! ⨁𝑟 ), a session key hint ( 𝐻𝐼𝑁𝑇! ) and a message

authentication code (𝑚𝑎𝑐! ). After these computations, 𝑈𝐸! exchanges 𝐻𝐼𝑁𝑇! , verifies 𝑚𝑎𝑐! and, finally, computes a session key 𝐾! as described in the previous subsection.

𝑉𝑁 chooses a random and send it to two users as pre-shared key. Then two users compute their key hints and MACs using a common secret key 𝐾! and generate the common session key consequently. ! 𝐾!"#$ =𝐾𝐷𝐹(𝐾! , 𝐻𝑁𝐼𝐷, 𝑅𝐴𝑁𝐷! ),   ! ! 𝐾!!! =𝐾𝐷𝐹(𝐾!"#$ , 𝐹𝐼𝐷, 𝑅𝐴𝑁𝐷!! ),  

𝑅! = 𝑟, 𝐾! = 𝑅! ⊕ 𝑅! , 𝐻𝐼𝑁𝑇! = 𝑔  ! , 𝐻𝐼𝑁𝑇! = 𝑔  ! , 𝑚𝑎𝑐! = 𝐻𝑀𝐴𝐶!! (𝐻𝐼𝑁𝑇! ,  𝑇! ),   𝑚𝑎𝑐! = 𝐻𝑀𝐴𝐶!! (𝐻𝐼𝑁𝑇! ,  𝑇! ),   𝐾! = 𝐻𝐼𝑁𝑇! ! = 𝐻𝐼𝑁𝑇! ! . iv. Inter-operator and partial roaming scenario 1 In this scenario, 𝑈𝐸! , subscribing to 𝐻𝑁! , roams to a visiting network 𝑉𝑁! , to which 𝑈𝐸! subscribes, i.e., 𝑈𝐸! ’s visiting network is the same as 𝑈𝐸! ’s home network. The key agreement process is illustrated in Figure 6 and the key generation process is described as below: Figure 4: Key agreement protocol for inter-operator and non-roaming situation

ii. Inter-operator and non-roaming scenario In this scenario, two users, 𝑈𝐸! and 𝑈𝐸! subscribe to different operators, and are served by their own home networks. The key agreement process is illustrated in Figure 4. As described in Figure 4, 𝑈𝐸! and 𝑈𝐸! register to their home networks 𝐻𝑁! and 𝐻𝑁! abiding by standard EPS AKA. During the mutual authentication process, 𝑈𝐸! and 𝐻𝑁! ! ! generate roaming key 𝐾!"#$ and D2D function key 𝐾!!! . Meanwhile, 𝑈𝐸! and 𝐻𝑁! also generate corresponding keys as follows:

! 𝐾!"#$ =𝐾𝐷𝐹(𝐾! , 𝐻𝑁𝐼𝐷, 𝑅𝐴𝑁𝐷! ),   ! ! 𝐾!!! =𝐾𝐷𝐹(𝐾!"#$ , 𝐹𝐼𝐷, 𝑅𝐴𝑁𝐷!! ),  

𝑅! = 𝑟, 𝐾! = 𝑅! ⊕ 𝑅! , 𝐻𝐼𝑁𝑇! = 𝑔  ! , 𝐻𝐼𝑁𝑇! = 𝑔  ! , 𝑚𝑎𝑐! = 𝐻𝑀𝐴𝐶!! (𝐻𝐼𝑁𝑇! ,  𝑇! ), 𝑚𝑎𝑐! = 𝐻𝑀𝐴𝐶!! (𝐻𝐼𝑁𝑇! ,  𝑇! ),   𝐾! = 𝐻𝐼𝑁𝑇! ! = 𝐻𝐼𝑁𝑇! ! .  

! 𝐾!"#$ =𝐾𝐷𝐹(𝐾! , 𝐻𝑁𝐼𝐷, 𝑅𝐴𝑁𝐷! ),   ! ! 𝐾!!! =𝐾𝐷𝐹(𝐾!"#$ , 𝐹𝐼𝐷, 𝑅𝐴𝑁𝐷!! ).  

In this scenario, two home networks choose two random numbers respectively and compute a pre-shared key 𝑅! for two users. Then two users compute their key hints and MACs using a common secret key 𝐾! and generate the common session key consequently as follows: 𝑅! = 𝑟! ⨁𝑟! , 𝐾! = 𝑅! ⊕ 𝑅! , 𝐻𝐼𝑁𝑇! = 𝑔  ! , 𝐻𝐼𝑁𝑇! = 𝑔  ! , 𝑚𝑎𝑐! = 𝐻𝑀𝐴𝐶!! (𝐻𝐼𝑁𝑇! ,  𝑇! ),   𝑚𝑎𝑐! = 𝐻𝑀𝐴𝐶!! (𝐻𝐼𝑁𝑇! ,  𝑇! ),   𝐾! = 𝐻𝐼𝑁𝑇! ! = 𝐻𝐼𝑁𝑇! ! . iii. Intra-operator and roaming scenario In this scenario, both users (𝑈𝐸! and 𝑈𝐸! ) subscribe to a same operator, roam to a same place and are served by a same visiting network (𝑉𝑁) . The key agreement process is illustrated in Figure 5.

Figure 5: Key agreement protocol for intra-operator and roaming scenario

Figure 6: Key agreement protocol for inter-operator and partial roaming scenario 1

v. Inter-operator and partial roaming scenario 2

In this scenario, $UE_1$, subscribing to $HN_1$, roams to a visiting network ($VN_1$) and wants to communicate via D2D means with $UE_2$, where $UE_2$ subscribes to and is served by its own home network $HN_2$. The key agreement process is illustrated in Figure 7 and the key generation process is described as follows:

$K_{roam}^1 = KDF(K_1, HNID, RAND_1)$, $\quad K_{D2D}^1 = KDF(K_{roam}^1, FID, RAND_1')$,

$R_k = r_1 \oplus r_2$, $\quad K_c = R_p \oplus R_k$, $\quad HINT_1 = g^{a}$, $\quad HINT_2 = g^{b}$,

$mac_1 = HMAC_{K_c}(HINT_1, T_1)$, $\quad mac_2 = HMAC_{K_c}(HINT_2, T_2)$, $\quad K_s = HINT_2^{a} = HINT_1^{b}$.

vi. Inter-operator and full roaming scenario

In this situation, $UE_1$ and $UE_2$ subscribe to different operators, and both of them roam to the same place but are served by two different visiting networks locally. This is the most complex scenario, which has been discussed in Section C. The key agreement process is illustrated in Figure 2.

V. SECURITY EVALUATION

In this section, we first specify a number of security objectives and analyze the proposed protocol theoretically. Then we test our protocol with a formal verification tool. The result of the tests shows that the proposed protocol achieves these security objectives in practice.

A. Security Analysis

The proposed protocol inherits the architecture of the EPS AKA protocol and enhances the security features related to D2D communications. It achieves the same security properties as EPS AKA at Phase II. For Phases III and IV, we summarize the security objectives of our design as follows.

Mutual authentication: In the proposed protocol, mutual authentication should be performed between a UE and networking entities, between networking entities belonging to the same operator or to different operators, and between two UEs. Since our protocol inherits the security architecture of EPS and introduces security features for D2D communications into it, the mutual authentication between a UE and networking entities can be achieved based on the EPS AKA protocol as specified in [18]. The mutual authentication between networking entities belonging to the same operator or to different operators can be achieved by adopting the security mechanisms of Network Domain Security specified in [19], [20]. In addition, we adopt a message authentication code to achieve mutual authentication between two UEs that share two common secrets ($R_p$ and $R_k$) before they start session key generation. The first common secret $R_p$ is secure against the core network (unless the core network has an ally who is able to eavesdrop on the out-of-band communication channel, which uses Bluetooth, face-to-face conversation or something similar). The second common secret $R_k$ is negotiated by the core network(s). The two UEs use these two shared secrets to authenticate each other's identity on the direct communication link. Only a party that knows both secrets is able to verify the correctness of the MAC on the hints and compute the common secret key $K_c$. Specifically, $UE_1$ and $UE_2$ use $K_c$ to generate their MACs ($mac_1$ and $mac_2$) for $HINT_1$ and $HINT_2$, and authenticate the identity of the communication partner by verifying the hints with the common secret key $K_c$.

Figure 7: Key agreement protocol for inter-operator and partial roaming scenario 2

Secure session key generation (secrecy of session key): To protect the communications over the direct D2D link between two UEs, a distinct session key should be negotiated for each D2D session with the cooperation of the two UEs and their VNs and/or HNs. The session key is generated by carrying out the DHKE algorithm between the two UEs. Because of the intractability of the computational Diffie-Hellman problem, only the legitimate UEs can generate the session key. Furthermore, two random secrets are used by the UEs to ensure the authentication and integrity of the session key. Neither the core network nor other attackers can pass the MAC verification and gain the D2D session key. Thus, the proposed protocol preserves the privacy of D2D communication from the core network and any other unrelated third party. Finally, a session ID is used in the session key generation in order to guarantee the uniqueness of the session key for a specific D2D session.

Privacy preserving: In the current LTE security solutions (i.e., EPS AKA), communications between UEs must be routed through core networks; therefore, communication contents between UEs can be protected against other UEs but are open to the core networks. This puts the privacy of communication contents between UEs at risk if core network entities are compromised. In the proposed protocol, however, neither outside UEs nor core network entities (i.e., HNs or VNs) are able to obtain the plaintext, even though the core network entities participate in the key generation process. The core network entities HNs have no knowledge of $R_k$ negotiated between the VNs, nor of the pre-shared secret $R_p$, so it is hard for them to compute the final session key. The VNs negotiate $R_k$ for the UEs' final session key generation; to intrude into sessions between UEs, they would have to monitor the out-of-band channels among all UEs registered to their networks in order to obtain the pre-shared key $R_p$ and compute the session key. Obviously, the cost of this kind of attack is very high, so VNs have no motivation to carry it out. We can see that our protocol achieves privacy-preserving D2D communications between UEs: the communication messages are kept secret from both outside UEs and the core network entities involved in the key generation process.

Attack resistance: The channel between two VNs is assumed to be secure (confidentiality, integrity and entity authentication) under the existing network entity security mechanisms [10], [11], and the channel between VNs and UEs is secured by the EPS AKA protocol, so we only analyze the security of the channel between two UEs. In the proposed protocol, the channel between two UEs is open and subject to various attacks. In order to resist replay attacks, the key hint exchange messages are marked with a timestamp by the UEs. An adversary who intercepted previous key hint exchange messages cannot replay a message in the next key hint exchange and session key generation. Our protocol can also resist MitM attacks. The authentication and integrity of the DH key hint exchange are ensured by the MACs with a common secret key known only to the two UEs. An outside MitM adversary who does not take part in the secure session establishment process is unable to know both secrets ($R_p$ and $R_k$) and forge valid session keys between two VNs. Moreover, even the core network (VNs or HNs) cannot perform MitM attacks, since they do not know the secret $R_p$ that is shared via an out-of-band channel and known only to the two UEs.
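The replay and MitM arguments above are, from the receiving UE's point of view, a short list of checks on an incoming key hint message. The block below is an added example, not the paper's code, that implements that receive-side validation and runs it against constructed cases: a genuine hint, the same hint replayed, a hint with a stale timestamp, a tampered hint, a hint forged by a core-network entity that knows $R_k$ but not the out-of-band secret (named $R_p$ here), and a degenerate DH value. The 30-second freshness window and the cache of accepted MACs are assumed policy details the page does not specify, and the DH group is a constructed demo group.

```python
# Added example (not the paper's code): receive-side checks on a key hint
# message (HINT, mac, T) over the open D2D link, exercised against the
# replay and MitM cases discussed in the security analysis.
import hashlib
import hmac
import secrets

P = 2**255 - 19            # constructed demo modulus, not a vetted group
G = 2
FRESHNESS_WINDOW = 30      # seconds; assumed policy value


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hint_mac(k_c: bytes, hint: int, ts: int) -> bytes:
    """mac = HMAC_{K_c}(HINT, T) with fixed-width encodings (assumed layout)."""
    data = hint.to_bytes(32, "big") + ts.to_bytes(8, "big")
    return hmac.new(k_c, data, hashlib.sha256).digest()


class HintValidator:
    """Receiver state for one D2D session: K_c and the MACs already accepted."""

    def __init__(self, r_p: bytes, r_k: bytes):
        self.k_c = xor_bytes(r_p, r_k)     # K_c requires BOTH shared secrets
        self.accepted = set()

    def check(self, hint: int, mac: bytes, ts: int, now: int) -> str:
        # Replay of an old exchange: the captured message carries an old T.
        if abs(now - ts) > FRESHNESS_WINDOW:
            return "reject: stale timestamp"
        # MitM / forgery: only a holder of R_p and R_k can produce this MAC.
        if not hmac.compare_digest(mac, hint_mac(self.k_c, hint, ts)):
            return "reject: bad MAC"
        # Degenerate DH values would force a predictable session key.
        if not 1 < hint < P - 1:
            return "reject: degenerate hint"
        # Replay inside the window: a valid message must not be accepted twice.
        if mac in self.accepted:
            return "reject: replayed message"
        self.accepted.add(mac)
        return "accept"


def run_attack_cases() -> dict:
    """UE_2 validates messages from UE_1 and from two kinds of adversary."""
    r_p = secrets.token_bytes(32)          # out-of-band secret, UE_1 and UE_2 only
    r_k = secrets.token_bytes(32)          # negotiated by the core network(s)
    ue2 = HintValidator(r_p, r_k)
    t = 1_700_000_000                      # constructed timestamp T_1
    hint1 = pow(G, secrets.randbelow(P - 2) + 1, P)
    mac1 = hint_mac(ue2.k_c, hint1, t)     # UE_1's genuine message
    # Core-network entity: holds R_k but can only guess R_p.
    core_kc = xor_bytes(secrets.token_bytes(32), r_k)
    hint_m = pow(G, secrets.randbelow(P - 2) + 1, P)
    return {
        "genuine": ue2.check(hint1, mac1, t, now=t + 2),
        "replay_in_window": ue2.check(hint1, mac1, t, now=t + 5),
        "replay_old_session": ue2.check(hint1, mac1, t, now=t + 3600),
        "tampered_hint": ue2.check(hint1 ^ 1, mac1, t, now=t + 2),
        "core_network_mitm": ue2.check(hint_m, hint_mac(core_kc, hint_m, t + 1),
                                       t + 1, now=t + 3),
        "degenerate_hint": ue2.check(1, hint_mac(ue2.k_c, 1, t + 2), t + 2, now=t + 2),
    }


if __name__ == "__main__":
    for case, verdict in run_attack_cases().items():
        print(f"{case:20s} -> {verdict}")
```

The order of the checks matters for the verdicts: the timestamp window is evaluated first because it is cheap and needs no key, the MAC second so that a tampered or forged hint is rejected before any DH arithmetic, and the duplicate check last so that only messages that already passed authentication occupy the cache.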

Figure 8: Role specification for $UE_1$ in HLPSL

Figure 9: Role specification for $UE_2$ in HLPSL

B. Formal Verification

We tested our protocol using a formal security verification tool known as "Automated Validation of Internet Security Protocols and Applications" (AVISPA v1.1) [21]. The AVISPA package is a state-of-the-art tool for the automatic verification and analysis of Internet security protocols. AVISPA integrates automatic security analysis and verification back-end servers such as the "On-the-Fly Model-Checker" (OFMC), the "Constraint-Logic-based Attack Searcher" (CL-AtSe) and the "SAT-based Model-Checker" (SATMC). The protocols under examination by AVISPA must be coded in the "High Level Protocol Specification Language" (HLPSL) [22] to be tested by the back-end servers. The current version (2006/23/13) of HLPSL supports the standard authentication and secrecy goals.

We first specified the basic roles, i.e., $UE_1$, $UE_2$, $VN_1$ and $VN_2$, of the proposed protocol in the HLPSL language in Figures 8 to 11, respectively. In all specifications, the type declaration channel (dy) stands for the Dolev-Yao intruder model [23]. In addition, the knowledge of the intruder in the model includes the identities of all roles, the MAC function and the common system parameters. Then we set the security goals of the proposed protocol in Figure 12. We verified that the proposed protocol guarantees the secrecy of the generated session key and the mutual authentication between two D2D users. The goals secrecy_of secks1 and secrecy_of secks2 state that the generated session key is kept secret to {$UE_1$, $UE_2$}. The goal authentication_on aut states that $UE_1$ and $UE_2$ authenticate each other by means of the message authentication code.

Figure 10: Role specification for $VN_1$ in HLPSL

We executed the security test with two widely accepted back-ends, i.e., OFMC and CL-AtSe. The results, shown in Figure 13, confirm that the proposed protocol is SAFE under the Dolev-Yao intruder model in both OFMC and CL-AtSe. We can conclude that our protocol accomplishes the goals of session key secrecy and mutual authentication and also resists active and passive attacks, including replay attacks and MitM attacks.

Figure 11: Role specification for $VN_2$ in HLPSL

Figure 12: Analysis goals of the model

Figure 13: (1) Simulation result by the OFMC back-end. (2) Simulation result by the CL-AtSe back-end.

VI. PERFORMANCE EVALUATION

The proposed protocol is compatible with the current EPS AKA protocol and applicable to almost all two-device D2D communication scenarios. Herein, we only evaluate the computation cost of the protocol in the most complex scenario, shown in Figure 2, since the cost of this scenario is the highest. Then we compare the protocol with the current EPS AKA in terms of communication overhead.

A. Computational Cost

In the roaming and inter-operator scenario, three kinds of system entities are involved: $UE$, $VN$ and $HN$. In Phase I, the two networks negotiate the common system parameters for the D2D service only once; the computational cost of this step varies with the length of the security parameter, which is denoted as $L_p$. In Phase II, $HN$ generates the authentication information and the roaming key, and $VN$ generates the D2D function key. We define the time cost of the authentication information generation operation as $T_{AI}$, of the random number generation operation as $T_R$, of the roaming key generation operation as $T_{K_{roam}}$ and of the D2D function key generation operation as $T_{K_{D2D}}$. Assuming that the time cost of a KDF operation is $T_{KDF}$, the computation overhead of $HN$ in Phase II is $T_{HN}^{II} = T_{AI} + T_R + T_{K_{roam}} = T_{AI} + T_R + T_{KDF}$, and the computation overhead of $VN$ in Phase II is $T_{VN}^{II} = T_R + T_{K_{D2D}} = T_R + T_{KDF}$. Meanwhile, $UE$ spends $T_{UE}^{II} = T_{K_{roam}} + T_{K_{D2D}} = 2T_{KDF}$ to derive $K_{D2D}$ from $K$. In Phase IV, $VN$ first chooses a random number and computes the pre-shared secret by one XOR operation, with time cost $T_{VN}^{IV} = T_R + T_{XOR}$. Then each $UE$ derives the session key $K_s$ by one random number generation, one XOR operation, two modular exponentiations and two HMAC operations, i.e., $T_{UE}^{IV} = T_R + T_{XOR} + 2T_{modexp} + 2T_{HMAC}$, wherein the XOR operation generates $K_c$, the two modular exponentiations generate the key hint and the session key, and the two HMAC operations are for MAC generation and verification.

We also implemented the proposed protocol and tested its performance. Table 3 shows the implementation and testing environment. Herein, we applied OpenSSL [24] to implement our authentication and key agreement protocol and did not take into account the operations related to EPS AKA, i.e., the mutual authentication and key derivation operations in Phase II. We tested the time cost of system parameter generation in Phase I and of the key agreement operations of $UE$ and $VN$ in Phase IV for different security parameter lengths, i.e., $L_p$ = 128, 256, 512, 768, 1024, 1536 and 2048 bits. Herein, we used the HMAC-SHA256 function in [13] to realize the KDF in Phase I and the message authentication code in Phase IV.

Table 2 summarizes the computations carried out by the different entities and their time cost in our protocol.

TABLE 2. COMPUTATIONAL COST OF OUR PROTOCOL

Entity | Phase     | Computation Time
$HN$   | Phase II  | $T_{AI} + T_R + T_{KDF}$
$HN$   | Phase III | -
$HN$   | Phase IV  | -
$VN$   | Phase II  | $T_R + T_{KDF}$
$VN$   | Phase III | -
$VN$   | Phase IV  | $T_{VN}^{IV} = T_R + T_{XOR}$
$UE$   | Phase II  | $T_{UE}^{II} = 2T_{KDF}$
$UE$   | Phase III | -
$UE$   | Phase IV  | $T_{UE}^{IV} = T_R + T_{XOR} + 2T_{modexp} + 2T_{HMAC}$

TABLE 3. TESTING ENVIRONMENT

Hardware | CPU: Intel Core i5 Quad-Processor 2.5 GHz; RAM: 2 GB SDRAM; Operating System: 32-bit CentOS Linux 6.0
Software | Developing and Test Environment: Eclipse Luna CDT, Java; Toolkit: OpenSSL cryptographic library

Figure 14: Operation time of system parameters generation

Figure 15: Time cost of other operations in Phase IV

Figures 14 and 15 show the test results of the system parameter generation operation and the session key generation operations. As shown in Figures 14 and 15, the time costs of all operations rise with the length of the security parameter. Compared with the generation of the session key, the generation of the system parameters is more time consuming, at the millisecond level. However, this operation is carried out only once, when the system initializes. When the length of the security parameter exceeds 1024 bits, the time cost of system parameter generation is longer than 10 s. But the longer the security parameter adopted, the higher the security level and the shorter the system parameter update duration that can be achieved. We tested the operation time of key hint, MAC and session key generation at the $UE$, respectively; the time cost of the MAC verification operation was also tested. As shown in Figure 15, the highest computation overhead comes from the exponentiations in key hint generation (black line) and session key generation (pink line). The time cost of these two operations increases with the length of the security parameter. However, since each of these operations consists of one modular exponentiation, they take almost the same time. Moreover, the time costs of MAC generation (green line) and verification (red line) are constant, about 20 $\mu s$, and account for only a small proportion of the overall session key generation operation. In order to show the efficiency of the proposed protocol, we compare the computational cost of our protocol with that of SeDC [10]. Since SeDC was designed for data sharing in D2D communications and was applied to a specific scenario different from ours, we only compare our protocol with SeDC in terms of the key generation and authentication processes. In SeDC, when the length of the security parameter is set to 160 bits, the computational cost of key generation is about 3600 $\mu s$ and the computational cost of authentication is about 54000 $\mu s$. In our protocol, however, the computational cost of session key generation is the sum of the hint generation time and the session key generation time, which is only 131 $\mu s$. The computational cost of authentication is only 50 $\mu s$.
As shown above, our protocol is much more efficient than SeDC with regard to key generation and authentication, especially authentication. The reason lies in the fact that we adopt a MAC instead of a short group signature to achieve mutual authentication between UEs, which makes the authentication process very efficient.

B. Communication Overhead

In order to analyze the communication cost introduced by the proposed protocol and compare it with EPS AKA to show its advantage, we first set the size of each parameter transferred in the protocol. Table 4 lists the settings of all parameters for evaluating the communication overhead. Herein, we only analyze the communication overhead among $UE$, $VN$ and $HN$ in the D2D Session Key Generation Phase, i.e., Phase IV. We skip the registration and authentication processes in Phase II since they are similar to EPS AKA. The analysis of the communication overhead of EPS AKA is performed in [14]. The total communication overhead for one EPS AKA run is $(704 + 608a)$ bits, where $a$ denotes the number of authentication vectors.

TABLE 4. SETTING OF PARAMETERS

Parameter           | Size (bits)
Security Parameter  | $L_p$
$UID$               | 128
$HNID$ / $VNID$     | 64
$SID$               | 64
$HINT$              | $L_p$
$r_1$, $r_2$, $R_k$ | $L_p$
$mac_1$, $mac_2$    | 256
$T_1$, $T_2$        | 64

In Phase IV of our protocol, the communication overhead of the D2D session request from $UE$ to $VN$ is $2 \times 128 + 64 = 320$ bits, where the first part is the overhead caused by the identities of $UE_1$ and $UE_2$ and the second is the overhead of $VNID$. In the key agreement request and response phase between the two VNs, the communication overhead of the request from $VN_1$ to $VN_2$ is $2 \times 128 + 64 + L_p = (320 + L_p)$ bits, where the first two parts are the overhead caused by the identities of $UE_1$ and $UE_2$ and the identity of $VN_1$. The response message is only $256 + L_p$ bits because of the absence of the session ID. The communication overhead introduced by the D2D session confirmation message sent by $VN$ to $UE$ is $128 + L_p + 64 = (192 + L_p)$ bits, which consists of the identity of the $UE$, the session ID and the pre-shared random. In the DHKE process between the two UEs, each $UE$ sends a message consisting of its key hint, the MAC of the hint and a timestamp to its communication partner. The message is $L_p + 256 + 64 = (320 + L_p)$ bits.
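The message sizes above and the EPS AKA formula quoted from [14] are easy to tabulate for every security parameter length the paper evaluates. The block below is an added example, not the paper's code: it encodes the Table 4 field sizes and the Phase IV message layouts as described in the text, computes each message size for a given $L_p$, and compares the largest Phase IV message with one EPS AKA run for $a = 1$ and $a = 2$, which is the per-message comparison Figure 16 is described as showing. The only assumption is that the $L_p$-bit part of the VN-to-VN request and response is the random $r_1$ or $r_2$ (Table 4 gives them that size).

```python
# Added example (not the paper's code): Phase IV communication overhead of
# UAKA-D2D from the Table 4 field sizes, against EPS AKA's (704 + 608*a) bits.
FIELD_BITS = {"UID": 128, "HNID": 64, "VNID": 64, "SID": 64, "mac": 256, "T": 64}
LP_VALUES = (128, 256, 512, 768, 1024, 1536, 2048)   # lengths the paper tests


def phase4_messages(lp: int) -> dict:
    """Bits on the wire for each Phase IV message at security parameter lp."""
    f = FIELD_BITS
    return {
        # UE -> VN: UID_1, UID_2, VNID
        "session_request": 2 * f["UID"] + f["VNID"],
        # VN_1 -> VN_2: UID_1, UID_2, a 64-bit identifier, and (assumed) r_1
        "key_agreement_request": 2 * f["UID"] + 64 + lp,
        # VN_2 -> VN_1: UID_1, UID_2 and (assumed) r_2; no session ID
        "key_agreement_response": 2 * f["UID"] + lp,
        # VN -> UE: UID, SID and the pre-shared random R_k
        "session_confirmation": f["UID"] + f["SID"] + lp,
        # UE -> UE: HINT, mac and timestamp T
        "key_hint_exchange": lp + f["mac"] + f["T"],
    }


def eps_aka_bits(a: int) -> int:
    """Overhead of one EPS AKA run with a authentication vectors, as quoted from [14]."""
    return 704 + 608 * a


def largest_message(lp: int) -> int:
    """The costliest single Phase IV message at security parameter lp."""
    return max(phase4_messages(lp).values())


def compare_with_eps_aka(lps=LP_VALUES, vectors=(1, 2)) -> list:
    """Rows of (lp, largest message, {a: largest message <= EPS AKA(a)})."""
    rows = []
    for lp in lps:
        big = largest_message(lp)
        rows.append((lp, big, {a: big <= eps_aka_bits(a) for a in vectors}))
    return rows


if __name__ == "__main__":
    for lp, big, fits in compare_with_eps_aka():
        print(f"Lp={lp:5d}  largest Phase IV message={big:5d} bits  "
              f"within EPS AKA a=1 ({eps_aka_bits(1)}): {fits[1]}  "
              f"a=2 ({eps_aka_bits(2)}): {fits[2]}")
```

Running the comparison shows the boundary the text states: at $L_p = 1536$ the largest message (1856 bits) still fits within one EPS AKA run with two authentication vectors (1920 bits), while at $L_p = 2048$ it no longer does.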

Figure 16: Comparison of communication overhead

Figure 16 shows the variation of the communication overhead of the proposed protocol with the length of the security parameter. As can be observed, the communication overhead of the session request is constant, while the other communication costs among system entities, i.e., UEs and VNs, increase with the size of the security parameter. The communication overhead of the key hint exchange between UEs (blue-star line) is equal to the overhead of the key agreement request (orange-circle line). Compared with the communication cost of EPS AKA (herein we set $a = 1$ and $2$ for EPS AKA to perform our comparison), the cost introduced by our protocol is acceptable when the length of the security parameter is below 1536 bits. When the length is longer than 1536 bits, a high security level is guaranteed, but the communication cost is higher.

VII. CONCLUSIONS

Establishing a session key and performing mutual authentication between two users are prerequisites for secure D2D communication, which greatly impacts the success of D2D services in next generation mobile communications. In this paper, we proposed a universal authentication and key agreement protocol to establish a secure channel between two users for D2D communications. We took advantage of the DHKE algorithm to realize privacy-preserving session key generation under the control of the core network and used a message authentication code to realize mutual authentication between two D2D users. Our protocol is the first to address mutual authentication and key agreement for D2D communications in device roaming and inter-operator scenarios. The security analysis and formal verification further proved that our protocol is secure and robust against various attacks. Extensive performance analysis and simulation tests further showed the practicability and efficiency of our protocol.

ACKNOWLEDGMENT

This work is sponsored by the National Key Foundational Research and Development on Network and Space Security, China (grant 2016YFB0800704), the NSFC (grants 61672410 and U1536202), the Project Supported by Natural Science Basic Research Plan in Shaanxi Province of China (Program No. 2016ZDJC-06), the 111 project (grants B08038 and B16037), the PhD grant of the Chinese Educational Ministry (grant JY0300130104), and Aalto University.

REFERENCES

[1] K. Doppler, M. Rinne, C. Wijting, C. Ribeiro, and K. Hugl, "Device-to-Device communication as an underlay to LTE-Advanced networks," IEEE Communications Magazine, vol. 47, no. 12, pp. 42-49, December 2009.

[2] K. Doppler, C. Yu, C. Ribeiro, and P. Janis, "Mode selection for Device-To-Device communication underlaying an LTE-Advanced network," 2010 IEEE Wireless Communications and Networking Conference (WCNC), pp. 1-6, April 2010.

[3] L. Lei, Z. Zhong, C. Lin, and X. Shen, "Operator controlled Device-to-Device communications in LTE-Advanced networks," IEEE Wireless Communications, vol. 19, no. 3, pp. 96-104, June 2012.

[4] A. Gamage, H. Liang, R. Zhang, and X. Shen, "Device-to-device communication underlaying converged heterogeneous networks," IEEE Wireless Communications, vol. 21, no. 6, pp. 98-107, December 2014.

[5] P. Janis, C. Yu, K. Doppler, C. Ribeiro, C. Wijting, K. Hugl, O. Tirkkonen, and V. Koivunen, "Device-to-Device communication underlaying cellular communications systems," International Journal of Communications, Network and System Sciences, vol. 2, no. 3, pp. 169-178, June 2009.

[6] M. Corson, R. Laroia, J. Li, V. Park, T. Richardson, and G. Tsirtsis, "Toward proximity-aware internetworking," IEEE Wireless Communications, vol. 17, no. 6, pp. 26-33, December 2010.

[7] X. Wu, S. Tavildar, S. Shakkottai, T. Richardson, J. Li, R. Laroia, and A. Jovicic, "Flashlinq: A synchronous distributed scheduler for peer-to-peer ad hoc networks," IEEE/ACM Transactions on Networking, vol. 21, no. 4, pp. 1215-1228, June 2013.

[8] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Feasibility study for Proximity Services (ProSe) (Rel 12), 3GPP TR 22.803 V12.2.0 (2013-06).

[9] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on architecture enhancements to support Proximity-based Services (ProSe) (Rel 12), 3GPP TS 23.703 V12.0.0 (2014-02).

[10] A. Zhang, J. Chen, R. Hu, and Y. Qian, "SeDS: Secure data sharing strategy for D2D communication in LTE-Advanced networks," IEEE Transactions on Vehicular Technology, vol. PP, no. 99, p. 1, March 2015.

[11] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. IT-22, pp. 644-654, 1976.

[12] M. Alam, D. Yang, J. Rodriguez, and R. Abd-Alhameed, "Secure device-to-device communication in LTE-A," IEEE Communications Magazine, vol. 52, no. 4, pp. 66-73, April 2014.

[13] S. Hakola, T. Koskela, and H. Koskinen, "Method and apparatus for device to device key management," WO2011117677A1, 2011-09-29.

[14] H. Kwon, C. Hahn, D. Kim, K. Kang, and J. Hur, "Secure Device-to-Device Authentication in Mobile Multi-hop Networks," the 9th International Conference on Wireless Algorithms, Systems, and Applications, pp. 267-278, June 2014.

[15] J. Ekberg, M. Uusitalo, and Z. Li, "Device to device communication security," WO2014207506A1, 2013-06-25.

[16] Y. Liu and D. Zhang, "Methods and apparatus for generating keys in device to device communication," WO2014205697A1, 2013-06-26.

[17] J. Wang and T. Lin, "Authentication system for device-to-device communication and authentication method therefore," EP2663051A1, 2013-05-06.

[18] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture (Rel 12), 3GPP TS 33.401 V12.16.0 (2015-12).

[19] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G security; Network Domain Security (NDS); IP network layer security (Rel 13), 3GPP TS 33.210 V13.0.0 (2015-12).

[20] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Network Domain Security (NDS); Authentication Framework (AF) (Rel 13), 3GPP TS 33.310 V13.0.0 (2015-12).

[21] A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, P. Hankes Drielsma, P. C. Héam, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò, and L. Vigneron, "The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications," Computer Aided Verification, pp. 281-285, 2005.

[22] The AVISPA team, "HLPSL Tutorial, A Beginner's Guide to Modelling and Analysing Internet Security Protocols," Document Version 1.1, June 30, 2006.

[23] D. Dolev and A. C. Yao, "On the security of public key protocols," IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198-208, March 1983.

[24] OpenSSL, https://www.openssl.org.

[25] M. J. Wang and Z. Yan, "A survey on security in D2D communications," Mobile Networks and Applications, Springer, 2016, doi: 10.1007/s11036-016-0741-5.

Mingjun Wang received the BSc degree in communication and information systems from Henan Normal University, Xinxiang, China, in 2011. He is currently pursuing a PhD degree in information security at Xidian University, Xi'an, China. His research interests are security, privacy and trust management in social networking, 5G and cloud computing.

Zheng Yan is currently a professor at Xidian University, China and a visiting professor at Aalto University, Finland. Before joining academia in 2011, she worked as a senior researcher at the Nokia Research Center, Helsinki, from 2000. She received her PhD in Electrical Engineering from Helsinki University of Technology. Her research interests are in trust, security and privacy. She has authored over 150 peer-reviewed publications and solely authored two books. She is the inventor of 13 patents and 38 PCT patent applications. She was invited to deliver 14 talks at international conferences and universities. She serves as an associate editor of Information Sciences, Information Fusion, IEEE Access, IEEE Internet of Things Journal, JNCA, Security and Communication Networks, and as a leading guest editor of many prestigious journals, such as ACM TOMM, FGCS, IEEE Systems Journal, Computers & Security, MONET, etc. She is a steering and organization committee member for 30+ international conferences and a TPC member for 50+ conferences. She is a senior member of IEEE.

Valtteri Niemi received a PhD degree in Mathematics from the University of Turku, Finland in 1989. After serving in various positions at the University of Turku, he was an Associate Professor in Mathematics at the University of Vaasa, Finland, during 1993-97. He joined Nokia Research Center (NRC), Helsinki, Finland, in 1997. He was nominated as a Nokia Fellow in January 2009. Dr. Niemi contributed in several roles to Nokia research in the wireless security area, including cryptological aspects and privacy-enhancing technologies. During 2012-2014, Valtteri was a Professor of Mathematics at the University of Turku, doing research in cryptology and its applications. Since 2015, he has been a Professor of Computer Science at the University of Helsinki, Finland, leading the system security research group there. Dr. Niemi participated in the 3GPP SA3 (security) standardization group from its beginning, and during 2003-2009 he was the chairman of the group. He has published more than 70 scientific articles and he is a co-author of four books and more than 30 patent families.