anonymous roaming authentication protocol with id-based signatures
DESCRIPTION
Anonymous Roaming Authentication Protocol with ID-based Signatures. Lih-Chyau Wuu Chi-Hsiang Hung Department of Electronic Engineering National Yunlin University of Science & Technology, Taiwan E-mail: [email protected]. Outline. Introduction Roaming Authentication Protocol - PowerPoint PPT PresentationTRANSCRIPT
1
Anonymous Roaming Authentication Protocol with ID-based Signatures
Lih-Chyau WuuChi-Hsiang Hung
Department of Electronic EngineeringNational Yunlin University of Science & Technology, Taiwan
E-mail: [email protected]
2
Outline
Introduction
Roaming Authentication Protocol
Security Analysis
Performance Analysis
Conclusion
3
Introduction The mobile communication environment
Access data at any place and at any time Security issues
Data privacy Data integrity Mutual authentication Anonymity Non-repudiation
4
Introduction An authentication server exists in each network Authenticate roaming users before providing any service
AS: Authentication Server
MS: Mobile Station
Home Network Foreign Network
ASHN ASFN
MS
Accept/RejectRoaming ServiceRequest
Roaming
MS
5
Introduction
Roaming Authentication Methods:
On-Line Authentication
Off-Line Authentication
The mixture of On-Line and Off-Line Authentication
6
On-Line Authentication Authenticate the roaming user each time
Roaming ServiceRequest
Is the MS valid?
Yes or No
Home Network Foreign Network
ASHN ASFN
MS
Accept/Reject
Roaming
MS
7
Off-Line Authentication Authenticate the roaming user locally
Home Network Foreign Network
Accept/RejectRoaming ServiceRequest
pre-shared information
ASHN ASFN
MS MS
Roaming
8
The mixture of On-Line and Off-Line Authentication
On-line authentication when the roaming user requests service for the first time.
Off-line authentication for subsequent service requests
Home Network
Accept/RejectRoaming ServiceRequest
Is the MS valid?
Yes or Noshared information
shared information
ASHN ASFN
MS MS
Roaming
Foreign Network
9
The roaming authentication protocol
Off-line roaming authentication
Security properties
Anonymity of MS
Mutual Authentication between MS and Foreign Network
Nonrepudiation of MS
Minimizing the number of exchanged messages
Minimizing the computation load at MS
Simple Key Management
10
The roaming authentication protocol
ID-based signature technique from Weil-pairing
No certificate is needed
Verify the signature by public information of the signer
(email address, identity, …)
Secret sharing technique from Lagrange Interpolating
polynomial
11
Lagrange interpolating polynomial - secret sharing
ID1
ID2
IDn
…
x1=ID1 and y1= f (ID1)
secretxaxaxaxf tt 1
22
11)( x2=ID2 and y2= f (ID2)
xn=IDn and yn= f (IDn)
y1= f (ID1)
y2= f (ID2)
yn= f (IDn)
12
Lagrange interpolating polynomial - secret sharing
ID1
ID2
IDt
…
x1=ID1 and y1= f (ID1)
x2=ID2 and y2= f (ID2)
xt=IDt and yt= f (IDt)
secret
secretxx
xyf
t
ijj ji
jt
ii
,11
0)0(
secretxaxaxaxf tt 1
22
11)(
13
The Roaming Authentication Protocol
Home Network Foreign Network
K
Accept/Reject
Sigcharge2
ASHN ASFN
MS 2
+K
MS 1 MS n
…
RSMS1 RSMS2 RSMSn
Roaming Information
RSFN
14
System Initialization-ASHN
System Initialization
ASHN generates
System public parameters {e, G1, G2, P, H1, H2, H3}
System private key s
System public key Ppub = s P
ASHN selects a RSFN R Zq, and sends the RSFN to ASFN by se
cure channel.
15
System Initialization-ASHN
When MS registers at ASHN, the MS will get {IDMS, TIDMS, SKMS, RSMS, Kcomm}
Where
PKMS =H1(TID MS || IDHN || DateMS), SKMS = s PKMS
DateMS : the expiration date of the public/secret key pair
)()(
)(
)()(
)(
22
2
22
2
MSFN
FNMS
FNMS
MSFNMS TIDHIDH
IDHRS
IDHTIDH
TIDHRSr
)(2 MSMScomm rTIDHK
16
Mutual Authentication
MS roams to the Foreign Network (ASFN):
Foreign NetworkCompute the Sigcharge
Compute the session key K
Verify the Sigcharge
Compute the session key K
MSASFN
{TIDMS, IDHN, DateMS, PKMS, request, T, RSMS, CMS, Sigcharge}
{EK[ServiceData, T]} or reject
17
Mutual Authentication-MS
MS executes the following steps:Step A1: MS computes the Sigcharge ={Rcharge, Scharge}
Step A2: MS sends the authentication request to ASFN
))()((
where,
||||||||||
,:,
321
*
*
MSchargechargeMScharge
qRMSMScharge
MSMSFNMScharge
qRMS
SKRHPMHkS
ZkPkR
CRSrequestIDTTIDM
timestampTZC
},,,,,,,,{ chargeMSMSMSMSHNMS SigCRSTrequestPKDateIDTID
18
Mutual Authentication-ASFN
When ASFN receives the request from MS, ASFN will ex
ecute the following steps:
Step B1: verify the public key PKMS
Step B2: check the DateMS
then check
MSMSHNMS PKDateIDTIDH?
1 )||||(
MSMSrevoke RSTIDHf?
2 )((
19
Mutual Authentication-ASFN
Step B3: verify the correctness of Sigcharge
Step B4: compute the rMS and the session key K
Step B5: send to MS
)()(?
32 ),(),(),( chargechargeRH
MSpubMH
chargecharge PKPePPeSRe
)()(
)(
)()(
)(
22
2
22
2
MSFN
FNMS
FNMS
MSFNMS TIDHIDH
IDHRS
IDHTIDH
TIDHRSr
MSMSMS CrTIDHK )(2
]},[{ TaServiceDatEK
20
Mutual Authentication-MS
When MS receives the message from ASFN,
MS computes the session key K’
K’ = Kcomm ⊕ CMS
MS decrypts the by using K’
MS gets the ServiceData and T’
MS checks T’ = T
]',[ TServicDataEK
?
21
Security Analysis
Anonymity of Roaming User
TIDMS
Mutual Authentication between MS and ASFN
ASFNMS: Sigcharge
MSASFN: Session key K
Nonrepudiation of Roaming User
Sigcharge
22
Security Analysis
Prevention of Attacks Replay Attack
timestamp: T
Impersonating Attack
MS Attacker cannot get the SKMS cannot compute the Sigcharge
ASFN Attacker cannot get the RSFN cannot compute the K
Dishonest ASFN
The ASFN cannot compute the Sigcharge
Disclosure of session key
Attacker cannot get the Roaming Share RSFN of ASFN
cannot compute the K
23
Performance analysis
[ 7] M. Rahnema, “Overview of the GSM system and protocol architecture,” IEEE Commun. Mag., pp. 92–100, Apr. 1993. [12] J. Zhu, J. Ma, “A new authentication scheme with anonymity for wireless environments,” IEEE Trans. Consumer Electronics, Vol.50, No. 1, pp. 231 – 235, Feb 2004.[ 6] M. Long, C.-H. Wu, J.D. Irwin, “Localized authentication for inter-network roaming across wireless LANs,” IEE Proc. Communications, Vol.151, No5, Oct. 2004.[ 5] W.-B. Lee, C.-K. Yeh, “A New Delegation-Based Authentication Protocol for Use in Portable Communication System”, IEEE Trans. Wireless Communication, Vol.4, No.1, pp. 57-64, Jan. 2005.
24
Performance Analysis
The Number of Exchanged Messages
The Number of Exchanged Messages
protocol On-Line Off-Line
GSM [7] Mixture 6 2
ZHU[12] Mixture 4 1
Long[6] Off-Line 0 3
Lee[5] Mixture 6 1
Ours Off-Line 0 2
25
Performance Analysis Comparison of Computation Load at MS
AsymmetricComputation
Symmetric Computation
Hash Function
GSM [7] On-Line 0 1 2
Off-Line 0 0 2
ZHU[12] On-Line 0 2 2
Off-Line 0 1 0
M.Long[6] Off-Line 3 1 0
Lee[5] On-Line 1 1 1
Off-Line 0 1 3
Ours Off-Line 1* 1 0
))()((
where,
SignaturebasedIDanofnComputatio:*
321
*
MSchargechargeMScharge
qRMSMScharge
SKRHPMHkS
ZkPkR
26
Performance Analysis
Storage Overhead
Each MS: {IDMS, TIDMS, SKMS, RSMS, Kcomm}
ASFN : RSFN
27
Conclusion
The proposed off-line anonymous roaming authentication
Number of exchanged messages: 2
Security Issues
Anonymity, Mutual authentication, Non-repudiation, data privacy and
data integrity
Low computation load at MS
Simple key management