A Secure Authenticated Key Agreement Protocol For Wireless Security
Pierre E. ABI-CHAR, Abdallah MHAMED
UMR CNRS 5157
GET/Institut National des Telecommunications
9 rue C. Fourier - 91011 Evry CEDEX - France
{pierre.abichar; abdallah.mhamed}@int-edu.eu
Bachar EL-HASSAN
Lebanese University
Faculty of Engineering
Tripoli - Lebanon
bachar [email protected]
Abstract
Several protocols have been proposed to provide robust mutual authentication and key establishment for wireless local area networks (WLAN). In this paper we present a new Secure Authenticated Key Agreement (SAKA) protocol that provides secure mutual authentication, key establishment and key confirmation over an untrusted network. The new protocol achieves many of the required security and performance properties. It resists dictionary attacks mounted by either passive or active network intruders, and it resists man-in-the-middle and impersonation attacks. It also offers perfect forward secrecy, which protects past sessions and passwords against future compromise. In addition, it resists known-key attacks and is resilient to server compromise. Our proposed protocol combines techniques of challenge-response protocols with symmetric key agreement protocols and offers significantly improved performance in computational and communication load over many comparable authenticated key agreement protocols such as B-SPEKE, SRP, AMP, PAK-RY, PAK-X, SKA and LR-AKE.
1. Introduction
Key establishment refers to the situation where network users employ an interactive protocol to construct a shared secret key called the session key. This session key can then be used to achieve some cryptographic goal, such as a confidential communication channel between entities or data integrity. There are two kinds of key establishment protocols: key transport protocols, in which a key is created by one entity and securely transmitted to the second entity, and key agreement protocols, in which both parties contribute information that jointly establishes the shared key [7]. A key agreement protocol is said to provide implicit key authentication if entity A is assured that no other entity aside from a specifically identified second entity B can possibly learn the value of a particular secret key. A key agreement protocol which provides implicit key authentication to both entities is called an authenticated key agreement protocol. If both implicit key authentication and key confirmation are provided, then the key establishment protocol is said to provide explicit key authentication. A key agreement protocol which provides explicit key authentication to both entities is called an authenticated key agreement with key confirmation [7].
In this paper we consider the case of a key agreement protocol in the symmetric two-entity setting. The idea of cryptographic challenge-response protocols is that one entity (the claimant) proves its identity to another entity (the verifier) by demonstrating knowledge of a secret known to be associated with that entity, without revealing the secret itself to the verifier during the protocol. This is done by providing a response to a time-variant challenge, where the response depends on both the entity's secret and the challenge. The challenge is typically a number chosen by one entity (randomly and secretly) at the outset of the protocol.
In this paper we present a new and efficient three-pass authenticated key establishment protocol that provides secure mutual authentication and key agreement with key confirmation. SAKA (Secure Authenticated Key Agreement) is based on challenge and response in the secret-key setting [9], on the KAS (Simplified Station-to-Station) scheme [9] and on Diffie-Hellman key predistribution [9]. Our proposed protocol achieves many of the desirable security requirements and performance properties.
The protocol described in this paper establishes a shared key K between the two entities. A key derivation function should then be used to derive the session key Ks from the shared key.
The remainder of this paper is organized as follows. Section 2 reviews the desirable properties needed for WLAN (Wireless Local Area Network) authentication protocols. Section 3 presents the overall architecture of our proposed protocol. In Section 4, the security analysis is described. In Section 5, a complete comparison with many comparable protocols is given. Finally, Section 6 makes concluding remarks.
Third International Symposium on Information Assurance and Security
0-7695-2876-7/07 $25.00 © 2007 IEEE, DOI 10.1109/IAS.2007.56
2 Desirable Properties for Key Agreement Protocols
A number of desirable properties for key agreement protocols have been identified [1], and nowadays most protocols are analyzed using these properties, which are described below:
-Known-key security: Each run of a key agreement protocol between two entities A and B should produce a unique shared secret key called the session key Ks. A protocol should still achieve its goal in the face of an adversary who has learned some other session key.
-Perfect forward secrecy: If the long-term private keys of one or more entities are compromised, the secrecy of previous session keys established by honest entities is not affected.
-Key-compromise impersonation: Suppose that A's long-term private key is disclosed. Clearly an adversary that knows this value can now impersonate A, since it is precisely this value that identifies A. However, it may be desirable that this loss does not enable an adversary to impersonate other entities to A.
-Unknown key-share: Entity A cannot be coerced into sharing a key with entity B without A's knowledge, i.e., when A believes the key is shared with some entity C ≠ B, and B (correctly) believes the key is shared with A.
-Key control: No other entity should be able to force the session key to a preselected value.
In addition, identification protocols should have other properties related to performance. Because round trips and large blocks are the critical factors in communication load, and because exponentiations and random numbers are the critical factors in computation load, these properties are listed below:
-Computational efficiency: this covers the number of operations required to execute a protocol. In order to achieve this property, the protocol should require as few operations as possible.
-Communication efficiency: this covers the number of passes (message exchanges) and the bandwidth required (total number of bits transmitted).
Other desirable properties are:
-Nature of security guarantees: including provable security and zero-knowledge properties.
-Storage of secrets: this refers to the location and the method used (e.g., software only, local disks, hardware tokens, etc.) to store critical keying material.
3 The Proposed Protocol
In this section we describe a protocol in which two entities both prove their identities to each other and establish a common session key in order to set up a secure connection. Alice and Bob represent a client and a server respectively.
3.1 Protocol Parameters
The public domain parameters consist of a group (G, .) and an element α ∈ G having order n. Each user T has a secret exponent u_T, where 0 ≤ u_T ≤ n − 1, and a corresponding public key b_T = α^u_T. In addition, Alice chooses a password P and computes:
KH = h(P || ID(Alice)) and bs   (1)
Two versions of the SAKA protocol are proposed, SAKA-v1 and SAKA-v2. For SAKA-v1, bs is equal to α^KH, while for SAKA-v2, bs is equal to KH. SAKA-v2 may be proposed and implemented if the server, Bob, is well protected and unauthorized access is denied. Finally, Alice notifies Bob of bs in a secure way, and Bob stores bs in a secure database server. In our proposed protocol all computations (multiplication and exponentiation) are performed modulo n (mod n). Table 1 below shows the mathematical notation used in our proposed protocol.
Table 1. Mathematical Notation
Index     Explanation
(G, .)    A multiplicative group
n         A large prime number; all computations are performed modulo n
α         An element of G having order n
ba, bb    Corresponding public keys
||        Concatenation
Ks        Session key
h()       One-way hash function
ua, ub    Corresponding private keys, generated randomly and not publicly revealed
P         The user's password
MAC       A message authentication code
3.2 Protocol Description
In general an interactive protocol involves two or more parties communicating with each other. Each party is modeled by an algorithm that alternately sends and receives information. Each run of a protocol is called a session, each step within a session of the protocol is called a flow (a flow consists of information transmitted from one party to another), and at the end of a session Bob (the server) accepts or rejects. Our proposed protocol consists of three flows; it is illustrated in Figure 1 and is defined as follows:
Within the first flow, Bob chooses a random challenge ub, where 1 ≤ ub ≤ n − 1, then he computes:
bb = α^ub + bs   (2)
and finally he sends bb to Alice.
Within the second flow, Alice chooses a random challenge ua, where 1 ≤ ua ≤ n − 1, then Alice computes:
ba = α^ua   (3)
computes bs, and computes K, where
K = [bb − bs]^ua   (4)
Alice also computes Kh, where
Kh = MAC_K(bs || K)   (5)
and computes:
Y1 = MAC_Kh(ID(Alice) || bb || ba)   (6)
Finally she sends Y1 and ba to Bob.
Within the third flow, Bob computes:
K = [ba]^ub = α^(ua·ub)   (7)
and Bob computes Kh, where
Kh = MAC_K(bs || K)   (8)
Bob also computes:
Y1′ = MAC_Kh(ID(Alice) || bb || ba)   (9)
Bob can then verify the value of Y1′ by checking that Y1′ == Y1. If so, Bob authenticates Alice. Furthermore, if Y1′ and Y1 are equal, Bob is assured that Alice has actually established the same shared key K with him, because the value of Kh used in the MAC is derived from the shared key K. Then Bob computes:
Y2 = MAC_Kh(ID(Bob) || ba)   (10)
and finally he sends Y2 to Alice.
In order to authenticate Bob, Alice computes:
Y2′ = MAC_Kh(ID(Bob) || ba)   (11)
and then verifies the value of Y2′ by checking that Y2′ == Y2. If they match, Alice authenticates Bob and is assured that Bob has actually established the same shared key K with her.
Finally, Alice and Bob agree on the common session key Ks, where
Ks = MAC_Kh(ID(Alice) || ID(Bob) || K)   (12)
Both sides agree on the session key Ks if all steps are executed correctly. Once the protocol run completes successfully, both parties may use Ks to encrypt subsequent session traffic in order to create a confidential communication channel.
Figure 1. The SAKA Protocol Scheme (the three message flows between Alice and Bob; diagram not reproduced)
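As an added worked example (not code from the paper or its authors), the following Python carries out the three flows of Section 3.2 for both SAKA-v1 and SAKA-v2, with Bob's check of Y1 in flow 3 and Alice's check of Y2, and it also exercises the substituted-challenge case from the active-attack argument of Section 4, where the value ba on the wire is replaced and Bob's verification of Y1 fails. The group parameters (a 127-bit prime modulus standing in for the paper's n, with α = 3), SHA-256 for h(), HMAC-SHA256 for the MAC, the length-prefixed encoding of ||, and the identifiers and passwords are all assumptions of this example; the paper fixes none of them.

```python
import hashlib
import hmac
import secrets

# Assumed toy parameters (not from the paper): the modulus n is the
# Mersenne prime 2^127 - 1 and alpha = 3.  The paper does all arithmetic
# mod n; a real deployment needs a properly generated group.
N = 2**127 - 1
ALPHA = 3

def i2b(x: int) -> bytes:
    """Big-endian encoding of a non-negative integer."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def cat(*parts) -> bytes:
    """The paper's '||'; fields are length-prefixed (design choice) so
    that ID(Alice) || bb || ba cannot be re-split ambiguously."""
    out = b""
    for p in parts:
        b = p if isinstance(p, bytes) else i2b(p)
        out += len(b).to_bytes(4, "big") + b
    return out

def h(data: bytes) -> int:
    """h(): SHA-256 assumed, reduced mod N so the digest can be an exponent."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def mac(key: bytes, msg: bytes) -> bytes:
    """MAC_key(msg): HMAC-SHA256 assumed; the paper fixes no MAC."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def verifier(password: bytes, id_alice: bytes, version: int) -> int:
    """Eq. (1): KH = h(P || ID(Alice)); bs = alpha^KH (v1) or KH (v2)."""
    kh_secret = h(cat(password, id_alice))
    return pow(ALPHA, kh_secret, N) if version == 1 else kh_secret

def bob_flow1(bs_stored: int):
    """Flow 1, eq. (2): Bob picks ub and sends bb = alpha^ub + bs."""
    ub = secrets.randbelow(N - 1) + 1
    return ub, (pow(ALPHA, ub, N) + bs_stored) % N

def alice_flow2(password: bytes, id_alice: bytes, bb: int, version: int):
    """Flow 2, eqs. (3)-(6): returns Alice's private state and (Y1, ba)."""
    bs = verifier(password, id_alice, version)  # recomputed from the password
    ua = secrets.randbelow(N - 1) + 1
    ba = pow(ALPHA, ua, N)                       # (3)
    k = pow((bb - bs) % N, ua, N)                # (4) K = [bb - bs]^ua
    kh = mac(i2b(k), cat(bs, k))                 # (5) Kh = MAC_K(bs || K)
    y1 = mac(kh, cat(id_alice, bb, ba))          # (6)
    return (kh, k, ba), (y1, ba)

def bob_flow3(ub, bb, bs_stored, id_alice, id_bob, y1, ba):
    """Flow 3, eqs. (7)-(10) and (12): (Ks, Y2), or None if Bob rejects."""
    k = pow(ba, ub, N)                           # (7) K = ba^ub = alpha^(ua*ub)
    kh = mac(i2b(k), cat(bs_stored, k))          # (8)
    if not hmac.compare_digest(mac(kh, cat(id_alice, bb, ba)), y1):  # (9)
        return None                              # Y1' != Y1: Alice not authenticated
    y2 = mac(kh, cat(id_bob, ba))                # (10)
    return mac(kh, cat(id_alice, id_bob, k)), y2  # (12)

def alice_finish(state, id_alice, id_bob, y2):
    """Alice's check of Y2, eq. (11), then Ks, eq. (12); None if she rejects."""
    kh, k, ba = state                            # her own ba, not the wire copy
    if not hmac.compare_digest(mac(kh, cat(id_bob, ba)), y2):
        return None
    return mac(kh, cat(id_alice, id_bob, k))

def run_saka(stored_pw, typed_pw, version=1, id_alice=b"alice", id_bob=b"bob",
             tamper_ba=False):
    """One session: the agreed Ks, or None if either side rejects.
    tamper_ba=True models Section 4's active attacker replacing ba on the
    wire with alpha^uo for an exponent uo of the attacker's choosing."""
    bs_stored = verifier(stored_pw, id_alice, version)  # Bob's database entry
    ub, bb = bob_flow1(bs_stored)
    state, (y1, ba_wire) = alice_flow2(typed_pw, id_alice, bb, version)
    if tamper_ba:
        ba_wire = pow(ALPHA, secrets.randbelow(N - 1) + 1, N)  # Y1 still binds the real ba
    result = bob_flow3(ub, bb, bs_stored, id_alice, id_bob, y1, ba_wire)
    if result is None:
        return None
    ks_bob, y2 = result
    ks_alice = alice_finish(state, id_alice, id_bob, y2)
    return ks_alice if ks_alice == ks_bob else None

if __name__ == "__main__":
    print("v1 honest run agrees:", run_saka(b"pw", b"pw", 1) is not None)
    print("v2 honest run agrees:", run_saka(b"pw", b"pw", 2) is not None)
    print("wrong password rejected:", run_saka(b"pw", b"guess", 1) is None)
    print("substituted ba rejected:", run_saka(b"pw", b"pw", 1, tamper_ba=True) is None)
```

A wrong password, whether mistyped by Alice or supplied by a party that knows neither KH nor bs, yields a different bs and hence a different K and Kh, so Y1′ ≠ Y1 and Bob rejects in flow 3 before Y2 is ever sent; the same happens when ba is altered in transit, since Y1 was computed over the genuine ba. Two honest runs with the same password produce different Ks values because ua and ub are fresh each session. The example follows the paper's convention of reducing every product and power mod n with one fixed prime; the toy prime keeps the run fast but is not a security parameter.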
4 Security Analysis
In this section we analyze the security of our proposed protocol by studying its behaviour under the man-in-the-middle attack and under passive and active attacks whose goal is to obtain information about the password or the session key. Before analyzing our proposed protocol, some assumptions should be taken into consideration:
Secret key KH: we assume that the secret key KH is known only to Alice and Bob.
Random challenges ua and ub: we assume that Alice and Bob both have perfect random number generators which they use to determine their challenges. Therefore, there is only a very small probability that the same challenge occurs by chance in two different sessions.
MAC security: we assume that the message authentication code is very secure. Therefore, the probability that Oscar, the adversary, can correctly compute MAC_k is almost negligible.
The SAKA (v1 or v2) protocol is considered to be a secure authenticated key establishment protocol if it satisfies the following properties:
-Passive attack: Suppose that Oscar, the attacker, performs a passive attack; then the session terminates with both parties accepting. That is, Bob and Alice successfully identify themselves to each other, and they both compute the session key. Oscar, the adversary, cannot compute any information about the common shared session key Ks, assuming the intractability of the Decision Diffie-Hellman problem and assuming that the MAC is very secure, and in addition because the key Kh used by the MAC is a combination of KH and K. Therefore the SAKA (v1 or v2) protocol resists the passive attack.
-Man-in-the-middle attack (or active attack): Suppose that an attacker, Oscar, intercepts α^ub and replaces it with α^uo1. Oscar then receives Y1 and α^ua from Alice. He would like to replace α^ua with α^uo2, as before. However, this means that he must also replace Y1 by Yo, where Yo = MAC_Kh(ID(Alice) || bb || α^uo2), but unfortunately for Oscar, he cannot compute MAC_Kh on the string Yo because he knows neither the MAC algorithm that is used nor the values of K, KH and Kh. Oscar cannot compute the value of K because he does not know the value of bs, so he will not be able to compute Kh. Therefore the SAKA (v1 or v2) protocol thwarts the man-in-the-middle attack.
-Dictionary attack: In a dictionary attack, the attacker finds the real password by repeatedly guessing the password of a legal client and trying the guesses. The dictionary attack may be performed in offline or online mode. In our proposed protocol (v1 or v2), it is impossible to get the real password, since a one-way hash function is applied to the password and, during the protocol run, the key used by the MAC algorithm is Kh and not KH. So Oscar cannot obtain any information about KH in order to crack the password. Moreover, the shared key K used in the calculation of Kh is calculated from α^ua and α^ub, which are generated afresh for every session. Therefore the SAKA (v1 or v2) protocol thwarts offline and online dictionary attacks.
-Impersonation attack: in this attack, an attacker tries to impersonate one of the two entities in order to access the WLAN services. If an attacker, Oscar, pretends to be Bob, he can initiate a session with Alice. When Oscar receives Alice's challenge ba = α^ua in the second flow, he accepts and then initiates a second session (pretending to be Alice) with Bob. In this second session, Oscar sends ba to Bob as his challenge in the first flow. So Oscar will receive Bob's response MAC_Kh(ID(Bob) || ba || bb′), which is different from MAC_Kh(ID(Bob) || ba). Therefore our SAKA (v1 or v2) protocol resists the impersonation attack.
-Known-key attack: In this attack, an adversary captures the session key of an eavesdropped session. In our proposed protocol (v1 or v2), the client and the server both generate new α^ua and α^ub for every session, and in addition the key Kh is generated afresh with every session. Thus the SAKA (v1 or v2) protocol is secure against known-key attacks, assuming that the Decision Diffie-Hellman problem is intractable.
-Perfect forward secrecy: Perfect forward secrecy means that an exposed password does not enable an attacker to derive the session keys of past communication sessions. In our protocol (v1 or v2), perfect forward secrecy rests on the assumption that the Decision Diffie-Hellman problem is intractable and on the value of the key Kh used by the MAC. Even if the attacker knew the correct password, the attacker still cannot compute the previous session keys, because Kh is derived from the shared key K using the formula Kh = MAC_K(KH || K) and because the values of ba and bb are based on Diffie-Hellman. Therefore, the SAKA (v1 or v2) protocol satisfies the property of perfect forward secrecy.
-Resilience to server compromise: if the host's password file is compromised, an adversary cannot use it to impersonate a legitimate user, since the password file is stored in verifier form. For SAKA-v1, an attacker, Oscar, has to solve α^KH. Under the assumption that the Decision Diffie-Hellman problem is intractable, our SAKA-v1 protocol provides resilience to server compromise. SAKA-v2 may be proposed under the assumption that the server, Bob, is well protected and unauthorized access is denied.
5 Performance Evaluation: Efficiency and Comparison
Computation cost and communication cost are the most important aspects of password authentication protocols affecting overall performance. They include the number of steps, exponentiations, large blocks, symmetric encryptions and decryptions, hash functions and random numbers. In this section, we compare the SAKA-v1 and SAKA-v2 protocols with the following protocols: Leakage-Resilient Authenticated Key Exchange (LR-AKE) protocol, Simple Key Agreement (SKA) protocol, Secure Remote Password (SRP) protocol, Simple Password Exponential Key Exchange (B-SPEKE) protocol, Password-Authenticated Key Exchange (PAK-X and PAK-RY) protocols and Authentication Memorable Password (AMP) protocol. The comparison is done in terms of number of steps, random numbers, exponentiations, hash functions and large blocks. Table 2 shows the compared results for number of steps, exponentiations and large blocks. Table 3 shows the compared results for numbers of random numbers and hash functions.
Table 2. Comparison of Performance 1: Exponentiations (C = client, S = server, L.B. = large blocks)
Protocol   Rounds   C   S   Total   L.B.
B-SPEKE    4        3   4   7       3
SRP        4        3   3   6       2
AMP        4        2   3   5       2
PAK-RY     3        5   4   9       2
PAK-X      3        5   4   9       3
SKA        3        2   3   5       2
LR-AKE     3        3   2   5       2
SAKA-v1    3        3   2   5       2
SAKA-v2    3        2   2   4       2
It is clear from Table 2 that the SAKA protocol has the minimal cost in terms of number of steps, exponentiations and large blocks compared with the previous protocols [8]. We can easily notice that B-SPEKE [3], SRP [10] and AMP [5] require 4 rounds, while PAK-RY [2], PAK-X [6], SKA [8], LR-AKE [4] and SAKA (v1 and v2) require 3 rounds. In addition, the computational load is clearly improved by the SAKA-v2 protocol because, as noted in Table 2, SAKA-v2 requires four exponentiations, two for the client and two for the server, while the other protocols, including SKA [8] and LR-AKE [4], require at least 5 exponentiations. Although SAKA-v1 requires 5 exponentiations, it still shows good performance: SAKA-v1 shows better performance in terms of computational load than B-SPEKE, SRP, PAK-RY and PAK-X, and it is equal with SKA and LR-AKE. SAKA-v1 shows better performance than SKA because no data is revealed, as is the case with SKA, where XA, XB and W are sent in clear text.
From Table 3, we can easily notice that the SAKA (v1 or v2) protocol requires 2 random numbers and 9 hash functions, while PAK-X requires more. SAKA (v1 or v2) also requires two more hash functions than the SKA protocol, due to the two MAC computations of Kh which were necessary to bring more security and robustness to our proposed protocol. In addition, for the SRP and LR-AKE protocols described in [10] and [4] respectively, we can easily notice that our protocol (v1 or v2) requires one more hash function because, in the SRP and LR-AKE schemes, the two entities do not agree on a common session key Ks as in our protocol; SRP and LR-AKE just agree on the shared key K.
Table 3. Comparison of Performance 2: Random Numbers and Hash Functions
Protocol   Random N.   Hash Function N.
SRP        2           6
AMP        2           9
PAK-RY     3           8
PAK-X      3           10
SKA        2           7
LR-AKE     2/4         6
SAKA-v1    2           9
SAKA-v2    2           9
6 Conclusion
Wireless network access is nowadays very important for users. This paper describes a new network access mechanism for wireless local area networks. In this paper, we introduce a new secure and efficient authenticated key agreement protocol that provides mutual authentication and explicit key establishment. We also give a formal approach to proving its security, based on the previous work in [8]. Our scheme is simple, easy to realize, and secure against both passive and active attacks. It also resists many other attacks, as described in Section 4. Our proposed protocol is compared to well-known protocols such as B-SPEKE, SRP, PAK-RY, PAK-X, AMP, SKA and LR-AKE in terms of communication and computation cost, and the results are discussed in Section 5.
Acknowledgments
The authors would like to thank the following departments, RST-INT Evry and FOE-UL, for their support and comments. Their suggestions and observations were extremely helpful throughout this paper. Mr. Pierre E. ABI-CHAR would like to dedicate this work to the memory of his father, Mr. Emile N. ABI-CHAR, and also would like to acknowledge the contributions of his colleagues Mariana Dirani and Chadi Tarhini at the Institut National des Telecommunications (INT).
References
[1] S. Blake-Wilson, D. Johnson, and A. Menezes. Key agreement protocols and their security analysis. In Proc. of Sixth IMA International Conference on Cryptography and Coding, pages 30–45, Cirencester, UK, 1997.
[2] V. Boyko, P. MacKenzie, and S. Patel. Provably secure password authenticated key exchange using Diffie-Hellman. EuroCrypt, pages 156–171, 2000.
[3] D. Jablon. Extended password key exchange protocols immune to dictionary attack. WETICE Workshop, pages 248–255, 1997.
[4] I. Hideki, S. Seonghan, and K. Kobara. Authenticated key exchange for wireless security. IEEE Wireless Communications and Networking Conference, pages 1180–1186, 2005.
[5] T. Kwon. Ultimate solution to authenticate via memorable password. Contribution to the IEEE P1363 study group for future PKC standards, available at http://grouper.ieee.org/groups/1363/passwdPK/contribution.html.
[6] P. MacKenzie. More efficient password authenticated key exchange. CT-RSA, pages 361–377, 2001.
[7] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 2nd edition, 1996.
[8] E. Ryu, K. Kim, and K. Yoo. A simple key agreement protocol. In Proc. of IEEE 37th Annual 2003 International Carnahan Conference, pages 128–131, 2003.
[9] D. R. Stinson. Cryptography: Theory and Practice. Chapman and Hall/CRC, third edition, 2006.
[10] T. Wu. Secure remote password protocol. Internet Symposium on Network and Distributed System Security, 1998.