A Secure Authenticated Key Agreement Protocol For Wireless Security

Pierre E. ABI-CHAR, Abdallah MHAMED

UMR CNRS 5157

GET/Institut National des Telecommunications

9 rue C. Fourier - 91011 Evry CEDEX - France

{pierre.abichar; abdallah.mhamed}@int-edu.eu

Bachar EL-HASSAN

Libanese University

Faculty of Engineering

Tripoli - Lebanon

bachar elhassan@ul.edu.lb

Abstract

Several protocols have been proposed to provide robust

mutual authentication and key establishment for wireless lo-

cal area network (WLAN). In this paper we present a new

Secure Authenticated Key Agreement (SAKA) protocol that

provides secure mutual authentication, key establishment

and key confirmation over an untrusted network. The new

protocol achieves many of the required security and perfor-

mance properties. It can resist dictionary attacks mounted

by either passive or active networks intruders. It can re-

sist Man-In-The Middle attack, and Impersonate attack. It

also offers perfect forward secrecy which protects past ses-

sions and passwords against future compromise. In addi-

tion, it can resist known-key and resilience to server attack.

Our proposed protocol combines techniques of challenge-

response protocols with symmetric key agreement protocols

and offers significantly improved performance in computa-

tional and communication load over comparably many au-

thenticated key agreement protocols such as B-SPEKE, SRP,

AMP, PAK-RY, PAK-X, SKA and LR-AKE.

1. Introduction

Key establishment refers to the situation where network

users employ an inter-active protocol to construct a shared

secret key called session key. This session key can then

be used to achieve some cryptographic goal such as confi-

dential communication channel between entities or data in-

tegrity. There are two kinds of key establishment protocols:

Key transport protocols in which a key is created by one en-

tity and securely transmitted to the second entity, and Key

agreement protocols in which both parties contribute infor-

mation which jointly establish the shared key [7]. A key

agreement protocol is said to provide implicit key authenti-

cation if entity A is assured that no other entity aside from a

specifically identified second entity B can possibly learn the

value of a particular secret key. A key agreement protocol

which provides implicit key authentication to both entities is

called an authenticated key agreement protocol. If both im-

plicit key authentication and key confirmation are provided,

then the key establishment protocol is said to provide ex-

plicit key authentication. A key agreement protocol which

provides explicit key authentication to both entities is called

an authenticated key agreement with key confirmation [7].

In this paper we will consider the case of key agreement

protocol with symmetric two-entities setting. The idea of

cryptographic challenge-response protocols is that one en-

tity (the claimant) proves its identity to another entity (the

verifier) by demonstrating knowledge of a secret known to

be associated with that entity, without revealing the secret

itself to the verifier during the protocol. This is done by

providing a response to a time-variant challenge, where the

response depends on both the entity’s secret and the chal-

lenge. The challenge is typically a number chosen by one

entity (randomly and secretly) at the outset of the protocol.

In this paper we present a new and efficient three-pass

authenticated key establishment protocol that provides se-

cure mutual authentication and key agreement with key con-

firmation. The SAKA (Secure Authenticated Key Agree-

ment) is based on the challenge and response in the Secret-

key setting [9], on KAS (Simplified Station-to-Station)

scheme [9] and on the Diffie-Hellman Key Predistribution

[9]. Our proposed protocol achieves many of desirable se-

curity requirements and performances.

The protocol described in this paper establish a shared

key K between the two entities. A key derivation function

should then be used to derive the session key Ks based on

the shared key.

The remainder of this paper is organized as follows. Sec-

tion 2 reviews the desirable properties needed for WLAN

(Wireless Local Area Network) authenticated protocols.

Section 3 presents the overall architecture of our proposed

protocol. In section 4, the security analysis is described.

In section 5, a complete comparison over comparably many

protocols is listed. Finally, section 6 makes concluding re-

marks.

Third International Symposium on Information Assurance and Security

0-7695-2876-7/07 $25.00 © 2007 IEEEDOI 10.1109/IAS.2007.56

33

2 Desirable Properties for key agreement

protocols:

A number of desirable properties for key agreement pro-

tocols have been identified [1] and nowadays most of the

protocols are analyzed using these properties which are de-

scribed below:

-Known-key security: Each run of a key agreement pro-

tocol between two entities A and B should produce a unique

shared secret key called session key Ks. A protocol should

still achieve its goal in the face of an adversary who has

learned some other session key.

-Perfect forward secrecy: If long-term private keys of

one or more entities are compromised, the secrecy of pre-

vious session keys established by honest entities is not af-

fected.

-Key-compromise impersonation: Suppose that A’s

long- term private key is disclosed. Clearly an adversary

that knows this value can now impersonate A, since it is

precisely this value that identifies A. However, it may be

desirable that this loss does not enable an adversary to im-

personate other entities to A.

-Unknown key-share: Entity A cannot be coerced into

sharing a key with entity B without A’s knowledge, i.e.,

when A believes the key is shared with some entity C �= B,

and B (correctly) believes the key is shared with A.

-Key control: No other entity should be able to force the

session key to a preselected value.

In addition, Identification protocols should have other

properties which are related to performance. Because round

trips and large blocks are critical factors in terms of com-

munication load and because exponentiations and random

numbers are to be critical factors in terms of computation

load, such properties are listed below:

-Computational efficiency: this includes the number of

operations required to execute a protocol. In order to

achieve this property, the protocol should have the mini-

mum number of operation as possible.

-Communication efficiency: This includes the number

of passes (message exchanges) and the bandwidth required

(total number of bits transmitted).

Other desirable properties are:

-Nature of security guarantees: including provable secu-

rity and zero-knowledge properties.

-Storage of secrets: This refer to the location and the

method used (e.g., software only, local disks, hardware to-

kens, etc.) to store critical keying material.

3 The Proposed Protocol

In this section we describe a protocol in which two en-

tities are both proving their identities to each other and es-

tablish a common session key in order to elaborate a secure

connection. Alice and Bob represent a client and a server

respectively.

3.1 Protocol Parameters

The public domain parameters consist of a group (G,.)

and an element α where α ∈ G having order n, each user

T has a secret exponent uT , where 0 ≤ uT ≤ n − 1 and

a corresponding Public Key bT = αUT . In addition Alice

chooses a password P and computes:

KH = h(P ||ID(Alice)) and bs (1)

Two versions of SAKA protocol were proposed. These two

versions are SAKA-v1 and SAKA-v2. For SAKA-v1, bs is

equal to αKH while for SAKA-v2, bs is equal to KH . The

SAKA-v2 could be proposed and implemented if the server,

Bob, is well protected and unauthorized access is denied.

Finally, Alice notify Bob in a secure way about bs. Then

Bob store bs in a secure database server. In our proposed

protocol all computations (multiplication and exponentia-

tion) are performed modulo n (mod(n)). The table below

(Table 1) shows the mathematical parameters that are used

in our proposed protocol.

Table 1. Mathematical NotationIndex Explanation

(G, .) A multiplicative group

n A large prime number. All compu-

tation are performed modulo n

α An element ∈ G having order n

ba, bb Corresponding public keys

|| Concatenation

Ks Session Key

h() One-way hash function

ua, ub Corresponding private key, gener-

ated randomly and not publicly re-

vealed

P The user ’s password

MAC A message authenticated code

3.2 Protocol Description

In general an interactive protocol will involve two or

more parties that are communicating with each other. Each

party is modeled by an algorithm that alternately sends

and receives information, each run of a protocol will be

called a session, each step within a session of the protocol

is called a flow (a flow consists of information transmitted

from one party to another) and at the end of a session, Bob

(the server) will accepts or rejects. Our proposed protocol

consists of three flows, it is illustrated in Figure 1, and it is

34

defined as follow:

Within the first flow, Bob chooses a random challenge

ub, where 1 ≤ ub ≤ n − 1, then he computes:

bb = αub + bs (2)

and finally he sends bb to Alice.

Within the second flow, Alice chooses a random chal-

lenge ua, where 1 ≤ ua ≤ n − 1, then Alice computes:

ba = αua (3)

computes bs and computes K, where

K = [bb − bs]ua (4)

Also Alice computes Kh where

Kh = MACK(bs||K) (5)

and computes:

Y1 = MACKh(ID(Alice)||bb||ba) (6)

Finally he sends Y1 and ba to Bob.

Within the third flow, Bob computes:

K = [ba]ub = αuaub (7)

and Bob computes Kh where

Kh = MACK(bs||K) (8)

Also Bob computes:

Y ′

1 = MACKh(ID(Alice)||bb||ba) (9)

Bob can then verify the value of Y ′

1 by checking that (Y ′

1

== Y1) If so, Bob authenticates Alice. Furthermore, if Y ′

1

and Y1 are equal, Bob can be confirmed that Alice has ac-

tually established the same shared K with him because the

value of Kh used in MAC is derived from the shared key

K. Then Bob computes:

Y2 = MACKh(ID(Bob)||ba) (10)

and finally he sends Y2 to Alice.

In order to authenticate Bob, Alice will compute:

Y ′

2 = MACKh(ID(Bob)||ba) (11)

and then Alice will verify the value of Y ′

2 by checking that

(Y ′

2 == Y2), if so, if they match, then Alice authenticates

Bob and Alice can be confirmed that Bob has actually

established the same shared K with her.

Finally, Alice and Bob agree on the common session key

Ks where

Ks = MACKh(ID(Alice)||ID(Bob)||K) (12)

Both sides will agree on the session Key Ks if all steps are

executed correctly. Once the protocol run completes suc-

cessfully, both parties may use Ks to encrypt subsequent

session traffic in order to create a confidential communica-

tion channel.

Figure 1. The SAKA Protocol Scheme

Alice� Bob�

4 Security Analysis

In the following section, we will analyze the security of

our proposed protocol by studying the effect of the protocol

against man-in-the middle attack, passive and active attack

regarding the goal of obtained information about password

or session key. Before working on analyzing our proposed

protocol, some assumptions should be taken into consider-

ation:

Secret Key KH : we assume that the secret key KH is

known only by Alice and Bob.

Random Challenges ua and ub: we assume that Al-

ice and Bob both have perfect random number generators

35

which they used to determine their challenges. Therefore,

there is only a very small probability that the same chal-

lenge occurs by chance in two different sessions.

MAC Security: we assume that the message authen-

tication code is very secure. Therefore, the probability

that Oscar, the adversary, can correctly compute MACk is

almost negligible.

The SAKA (v1 or v2) protocol is considered to be

a secure authenticated key establishment protocol, if it

satisfies the following properties:

-Passive attack: Suppose that Oscar the attacker perform

a passive attack, then the session will terminate with both

parties accepting. That is, Bob and Alice successfully iden-

tify themselves to each other, and they both compute the

session key. So, Oscar, the adversary, cannot compute any

information about the common shared session key Ks by

assuming the intractability of the Decision Diffie-Hellman

problem and by assuming that the MAC is very secure.

In addition, to the fact that the key Kh used by MAC is a

combination of KH and K. Therefore the SAKA (v1 or

v2) protocol resists against the passive attack.

-Man in the middle attack (or active attack): Suppose

that an attacker, Oscar, intercepts αub and replaces it with

αuo1 , Oscar then receives Y1 and αua from Alice. He

would like to replace αua with αuo2 , as before. However,

this means that he must also replace Y1 by Yo where

Yo = MACKh(ID(Alice)||bb||α

uo2), but unfortunately

for Oscar, he can not compute the MACKhon the string

Yo because he does not know the MAC algorithm that it

is used neither the value of K, KH and Kh. Oscar can

not computes the value of K because he does not know

the value of bs, so he will not be able to compute Kh.

Therefore the SAKA (v1 or v2) protocol thwarts the man

in-the-middle attack.

-Dictionary attack: In dictionary attack, the attacker

finds the real password by repeating a process of guessing

the password of legal client and applying the passwords.

The dictionary could be performed in offline or online

mode. In our proposed protocol, (v1 or v2), it is impossible

to get the real password since a one way hash function is

applied to the password and during the protocol process,

the key used by the MAC algorithm is Kh and not KH . So

Oscar can not have any information about the KH in order

to crack the password. Moreover, the shared Key K used in

the calculation of Kh is calculated from αua and αub which

are generated every new session Therefore the SAKA (v1 or

v2) protocol thwarts the offline and online dictionary attack.

-Impersonation attack: in this attack, an attacker tries to

impersonate one entity of two in order to access the WLAN

services. If an attacker, Oscar, pretending to be Bob, he can

initiate a session with Alice. When Oscar receives Alice’s

challenge ba = αua in the second flow, he will accepts and

then he initiates a second session (pretending to be Alice)

with Bob. In this second session, Oscar sends ba to Bob as

his challenge in the first flow. So Oscar will receive Bob’s

response MACKh(ID(Bob)||ba||b

′

b) which is different

from MACKh(ID(Bob)||ba). Therefore our SAKA (v1 or

v2) protocol resists impersonate attack.

-Known-key attack: In this attack, an adversary will

capture the session key from an eavesdropped session.

In our proposed protocol, (v1 or v2), the client and the

server both generates new αua and αub every new session,

and in addition the key Kh is generated with every new

session also. Thus SAKA (v1 or v2) protocol is secure

against known key attacks assuming that the Decision

Diffie-Hellman problem is intractable.

-Perfect forward secrecy: The perfect forward secrecy

is that an exposed password does not enable an attacker

to derive session keys of past communication sessions. In

our protocol, (v1 or v2), the security of perfect forward

secrecy is based upon the assumption that the Decision

Diffie-Hellman problem is intractable and on the value

of the key Kh used by MAC. Even if the attacker knew

the correct password, the attacker still cannot compute

the previous session keys because Kh is derived from the

shared key K using the formula Kh = MACK(KH ||K)and because the value of ba and ba are based on the

Diffie-Hellman . Therefore, the SAKA (v1 or v2) protocol

satisfies the property of perfect forward secrecy.

-Resilience to server compromised: if the host’s pass-

word file is compromised, an adversary can not use it to im-

personate legitimate user since the password file is stored

in a verifier form. For SAKA-v1, an attacker, Oscar, has

to solve αKH . By taking the assumption that the Deci-

sion Diffie-Hellman problem is intractable thus our SAKA-

v1 protocol provides resilience to server compromise. For

SAKA-v2, it could be proposed by taking the assumption

that the server, Bob, is well protected and unauthorized ac-

cess is denied.

5 Performance evaluation: Efficiency and

Comparison:

Computation cost and communication cost are the most

important aspects of password authentication protocols

which affect the overall performance. They include num-

ber of steps, exponentiations, large blocks, symmetric en-

cryption and decryption, hash functions and random num-

36

bers. In this section, we compare SAKA-v1 and SAKA-v2

protocols, with the following protocols: Leakage-Resilient

Authenticated Key Exchange (LR-AKE) protocol, Simple

Key Agreement (SKA) protocol, Secure Remote Password

(SRP) protocol, Simple Password Exponential Key Ex-

change (B-SPEKE) protocol, Password-Authenticated Key

Exchange (PAK-X and PAK-RY) protocols and Authenti-

cation Memorable Password (AMP) protocol. The compar-

ison is done in terms of number of steps, random numbers,

exponentiations, hash functions and large blocks. Table 2

shows the compared result for number of steps, exponenti-

ations and large blocks. Table 3 shows the compared result

for random numbers and hash functions numbers

Table 2. Comparison of Performance-1-Exponentiations

Protocol Rounds C S Total L. B.

B-SPEKE 4 3 4 7 3

SRP 4 3 3 6 2

AMP 4 2 3 5 2

PAK-RY 3 5 4 9 2

PAK-X 3 5 4 9 3

SKA 3 2 3 5 2

LR-AKE 3 3 2 5 2

SAKA-v1 3 3 2 5 2

SAKA-v2 3 2 2 4 2

It is clear from Table 2 that the SAKA protocol has the

minimal cost in terms of number of steps, exponentiations

and large blocks compared with the previous protocols [8].

We can easily notice that B-SPEKE [3], SRP [10] and

AMP [5] require 4 rounds while PAK-RY [2], PAK-X [6],

SKA [8], LR-AKE [4] and SAKA (v1 and v2) require

3 rounds. In addition, the computational load was clearly

improved using SAKA-v2 protocol because, as noted in ta-

ble 2, SAKA-v2 requires four exponentiations, two for the

client and two for the server, while the other protocols, in-

cluding SKA [8] and LR-AKE [4], require at least 5 ex-

ponentiations. Although SAKA-v1 requires 5 exponentia-

tions, it shows better performance. The SAKA-v1 shows

better performance in terms of computational load over B-

SPEKE, SRP, PAK-RY, PAK-X and it is equal with SKA

and LR-AKE. SAKA-v1 shows better performance over

SKA because there is no revealed data as the case with SKA

where XA, XB and W are sent in clear-text.

From Table 3, we can easily notice that the SAKA (v1 or

v2) protocol requires 2 random numbers and 9 hash func-

tions while PAK-X requires more. SAKA (v1 or v2) also

requires two more hash functions than SKA protocol due

to the two MAC computations of Kh which were neces-

sary to bring more security and robustness to our proposed

protocol. In addition, for the SRP and LR-AKE protocols

described in [10] and [4] respectively, we can easily notice

Table 3. Comparison of Performance-2-Protocol Random N. Hash Function N.

SRP 2 6

AMP 2 9

PAK-RY 3 8

PAK-X 3 10

SKA 2 7

LR-AKE 2/4 6

SAKA-v1 2 9

SAKA-v2 2 9

that our protocol (v1 or v2) requires one more hash function

because, from SRP and LR-AKE schemes, the two entities

did not agree on a common session key Ks, as in the case of

our protocol; SRP and LR-AKE just agreed on the shared

key K.

6 Conclusion

Wireless network access are nowadays very important

for users. This paper describes a new network access mech-

anism for wireless local area networks. In this paper, we in-

troduce a new secure and efficient authenticated key agree-

ment protocol that provides mutual authentication and ex-

plicit key establishment. We also give a formal approach to

prove its security based on the previous work by [8]. Our

scheme is simple, easy to realize, and secure against both

passive and active attacks. It also resists many others at-

tacks as described in section 4. Our proposed protocol is

compared to well-known protocols such as B-SPEKE, SRP,

PAK-RY, PAK-X, AMP, SKA and LR-AKE in terms of

communication and computation cost and the results were

well discussed in section 5.

Acknowledgments

The authors would like to thanks the following depart-

ments RST-INT Evry and FOE-UL for their support and

comments. Their suggestions and observations were ex-

tremely helpful throughout this paper. Mr. Pierre E. ABI-

CHAR would like to present his work for the memory of

his father Mr. Emile N. ABI-CHAR, and also would like

to acknowledge the contributions of his colleagues, Mari-

ana Dirani and Chadi Tarhini, at the Institut National des

Telecommunications (INT).

References

[1] S. Blake-Wilson, D. Johnson, and A. Menezes. Key agree-

ment protocols and their security analysis. In Proc. of Sixth

IMA International Conference on Cryptography and Cod-

ing, pages 30 – 45. Cirencester, UK, 1997.

37

[2] V. Boyko, P. Mackenzie, and S. Patel. Provably secure pass-

word authenticated key exchange using diffie-hellman. Eu-

roCrypt, pages 156 – 171, 2000.

[3] D.Jablon. Extended password key exchange protocols im-

mune to dictionary attack. WETICE Workshop, pages 248 –

255, 1997.

[4] I. Hideki, S. Seonghan, and K. Kobara. Authenticated key

exchange for wireless secuirty. IEEE Wirless Communica-

tions and Networking Confernece, pages 1180 – 1186, 2005.

[5] T. Kwon. Ultimate solution to authenticate via mem-

orable password. Contribution to the IEEE P 1363

Study group for Future PKC Standards, available for

http://grouper.ieee.org/groups/1363/passwdPK/contribution.html.

[6] P. Mackenzie. More efficient password authenticated key

exchange. CT-RSA, pages 361 – 377, 2001.

[7] A. Menezes, P. Oorschot, and S. Vanstone. Handbook of

Apllied Cryptography. CRC Press, 2nd edition, 1996.

[8] E. Ryu, K. Kim, and K. Yoo. A simple key agreement proto-

col. In Proc. of IEEE 37th Annual 2003 International Car-

nahan Conference, pages 128 – 131, 2003.

[9] D. R. Stinson. Cryptography Theory and Practice. Chapman

and Hall/CRC, third edition, 2006.

[10] T. Wu. Secure remote password protocol. Interent Sympo-

sium on Network and Distribution System Security, 1998.

38