

Procedia Engineering 29 (2012) 2649 - 2654


2012 International Workshop on Information and Electronics Engineering (IWIEE)

An Authentication and Key Agreement Mechanism for Multi-Domain Wireless Networks using Bilinear Pairings

Ming Luo a,*, Qi-jun Yan b, Guo-qiang Jiang c, Jian-feng Xu a

a School of Software, Nanchang University, Nanchang 330047, China
b Network Department, Shenyang Institute of Education, Shenyang 110031, China
c Information Technology Center, China Mobile Group Liaoning Co. Ltd, Shenyang 110179, China

Abstract

This paper presents an authentication and key agreement mechanism for multi-domain wireless networks using bilinear pairings. Based on the computational Diffie-Hellman assumption and the random oracle model, we show that the proposed scheme is secure against an uncertified user and a malicious registration server simultaneously. Compared with recently proposed schemes, our scheme has a lower computational cost and a higher security level by exploiting the certificateless public key cryptography system. Moreover, our scheme can be used for mutual authentication and key agreement between members of distinct domains where the servers use different system parameters. An efficiency analysis of the related security and computation overheads is given to demonstrate that our scheme is well suited for mobile devices with limited computing capability.

© 2011 Published by Elsevier Ltd.

Keywords: mutual authentication; key agreement; certificateless public key cryptography; bilinear pairing

1. Introduction

Now, handheld devices are popularly used and many mobile applications have been rapidly developed. Considering the limited computing capability of smart cards or mobile devices, designing a security scheme based on traditional public-key systems is a nontrivial challenge because most cryptographic algorithms require many expensive computations. In 2006, Das et al. [1] proposed an efficient ID-based remote user authentication scheme with smart cards using bilinear pairings. Goriparthi et al. [2] showed that their scheme is insecure against a forgery attack, so that an adversary can always pass the authentication. Lately, Giri and Srivastava [3] proposed an improved scheme to withstand the forgery attack. Unfortunately, Tseng et al. [4] showed that [3] has too expensive a computational cost for smart cards with limited computing capability and cannot be used in a multi-server environment, and proposed a more efficient scheme. In 2010, Wu and Tseng [5] pointed out that the above schemes do not provide mutual authentication and key agreement between the client and the server. Subsequently, Yoon and Yoo [6] analyzed the efficiency problem of the protocol in [5] and proposed a more efficient protocol that reduces some hash operations and provides the same security level with an explicit key confirmation. However, all of the schemes above face the key escrow issue as a result of adopting an identity-based cryptography system. Moreover, their schemes assume that a single PKG will be responsible for issuing secret keys to members of a large-scale network, or assume that different PKGs will share common system parameters.

* Corresponding author.

E-mail address: lmhappy21@163.com.

1877-7058 © 2011 Published by Elsevier Ltd. doi:10.1016/j.proeng.2012.01.366

In this paper, we propose a mutual authentication and key exchange mechanism for multi-domain wireless networks using bilinear pairings, based on the certificateless public key cryptography proposed by Al-Riyami and Paterson [7]. Currently, many CL-based cryptographic schemes such as signature schemes [8, 9] and authenticated key agreement protocols [10, 11] have been proposed for low-bandwidth channels and/or low computation power. The smart card is a low-power computing device, while a server is regarded as a powerful node in the wireless network. We shift the computational burden to the powerful node and reduce the computational cost required by smart cards. Compared with other secure schemes for wireless networks regarding the security and computation overheads, we believe that our scheme is more efficient and more suitable for handheld devices with low computational capabilities on wireless communication. Our scheme has the following merits: (1) Users need not submit their passwords to the registration server, and they can freely choose and change their password without any assistance from the server. (2) The bilinear pairing operations are computed only at the server side, and our scheme adopts CL-based short signatures to further reduce the user's computational cost. This makes our scheme especially attractive for applications with a powerful server and a number of handheld devices with low computational capabilities. (3) The scheme can be used for mutual authentication and key agreement between members of distinct domains using different system parameters. (4) The scheme is secure against an uncertified user and a malicious registration server simultaneously under the computational Diffie-Hellman assumption.

2. Proposed Scheme

In the following, we present our authentication and key agreement mechanism for multi-domain wireless networks using bilinear pairings based on certificateless public key cryptography. Unlike the scheme in [3], in our proposed scheme the service servers do not keep the system private keys to authenticate users. Users do not need to register with each service server individually and remember several identifiers and the corresponding secrets. Compared to the schemes in [4, 5, 6], our scheme can be used for mutual authentication and key agreement between members of distinct domains using different system parameters, and it is secure against an uncertified user and a malicious registration server simultaneously. The algorithms of the proposed scheme are detailed as follows:

Setup phase:

Suppose $G_{1,i}$ is an additive cyclic group of prime order $q_i$, and $G_{2,i}$ is a multiplicative cyclic group of the same order. We assume that solving the CDHP is hard in the group $G_{1,i}$. Suppose $P_i$ is a generator of $G_{1,i}$. There exist a bilinear pairing map $e_i : G_{1,i} \times G_{1,i} \to G_{2,i}$ and cryptographic hash functions $H_{1,i} : \{0,1\}^n \to G_{1,i}$, $H_{2,i} : \{0,1\}^n \times G_{1,i} \times \{0,1\}^n \times G_{1,i} \to G_{1,i}$ and $H_{3,i} : G_{1,i} \to Z_q^*$. A server selects a random number $s_i \in Z_q^*$ as its private key and computes the public key $P_{pub,i} = s_i P_i$. Suppose RS obtains his private key $s_1$ and system public parameters $\langle G_{1,1}, G_{2,1}, e_1, q_1, P_1, P_{pub,1}, H_{1,1}, H_{2,1}, H_{3,1} \rangle$, and SS chooses his private key $s_2$ and system public parameters $\langle G_{1,2}, G_{2,2}, e_2, q_2, P_2, P_{pub,2}, H_{1,2}, H_{2,2}, H_{3,2} \rangle$.

Registration phase:

A user U first generates his username $ID_U$, then submits his identity $ID_U$ to the registration server RS for registration. RS computes $Q_U = H_{1,1}(ID_U)$ and uses his private key $s_1$ to compute $D_U = s_1 Q_U$. Finally, RS loads $e_1, P_1, P_{pub,1}, H_{1,1}, H_{2,1}, H_{3,1}, D_U, Q_U$ and $ID_U$ into a smart card and issues the smart card to the user U. The server stores $ID_U$ in its database.

Mutual Authentication and Key Agreement phase:

This phase is executed whenever a user wants to log into the remote server to access its services. It is further divided into the login, user authentication, server authentication and key agreement phases. In the login phase, the user sends a login request to the SS. The SS first authenticates the user and then authenticates itself to the user. Finally, after mutual authentication they establish a common session key to secure the subsequent session messages.

[Login phase]:

In the login phase, if the user U wants to access the SS with identity $ID_{SS}$, U inserts his smart card into the terminal. The first time, the smart card asks U to enter a password: U selects his password $s_U \in Z_q^*$, and the smart card computes U's public key $PK_U = s_U P_1$ and stores $s_U$ and $PK_U$. Otherwise, the user enters his identity $ID_U$, his password and the service identity $ID_{SS}$. The smart card performs the following steps:

1. The smart card computes $Q' = H_{1,1}(ID_U)$ and $PK' = s_U P_1$, and then checks whether $Q' = Q_U$ and $PK' = PK_U$. If both hold, it continues to the next step; otherwise, it terminates the operation.

2. The smart card acquires the system public parameters of SS and the current time stamp $T_1$, then selects one random nonce $x \in Z_q^*$ and computes $R_1 = x P_2$, $W = H_{2,1}(ID_U, PK_U, T_1, R_1)$ and $V = D_U + s_U W$.

3. Finally, the smart card sends the login message $(ID_U, ID_{SS}, T_1, R_1, V)$ to the service server SS. The login message can be viewed as a signature $(R_1, V)$ on the message $(ID_U, ID_{SS}, T_1)$.

[User Authentication Phase]:

SS receives the login message $(ID_U, ID_{SS}, T_1, R_1, V)$ at time $T_2$ and performs the following operations to verify it.

1. The SS first verifies the validity of $ID_U$ and $ID_{SS}$, then checks the time interval between $T_2$ and $T_1$. If $(T_2 - T_1) \le \Delta t$, the SS proceeds to the next step; otherwise, the login message is rejected. Here $\Delta t$ denotes the expected valid time interval for transmission delay.

2. The SS computes $W = H_{2,1}(ID_U, PK_U, T_1, R_1)$ and accepts the login message if and only if the following equation holds: $e_1(P_1, V) = e_1(Q_U, P_{pub,1}) \cdot e_1(W, PK_U)$; otherwise the SS rejects it.

3. If the login message is correct, the SS acquires the current time stamp $T_3$ and selects one random nonce $y \in Z_q^*$, then computes $R_2 = y P_1$, $K_{B1} = y PK_U$ and $Auth = H_{3,2}(K_{B1})$. Finally, the SS sends $(R_2, T_3, Auth)$ to the user U.

[Server Authentication Phase]:

U receives the authentication message $(R_2, T_3, Auth)$ at time $T_4$ and verifies the validity of the time interval between $T_3$ and $T_4$ for transmission delay. If $T_3$ is valid, the user authenticates the service server SS by checking whether $Auth = H_{3,2}(K_{A1})$, where $K_{A1} = s_U R_2$. It is obvious that $K_{A1} = s_U R_2 = y s_U P_1 = y PK_U = K_{B1}$.

[Key Agreement Phase]:

After mutual authentication between the user U and the service server SS, they respectively compute the session keys $MK_A = H(K_{AB} \| K_{A1})$ and $MK_B = H(K_{AB} \| K_{B1}) = MK_A = MK_{AB}$, where $K_{AB} = ID_U \| PK_U \| T_1 \| R_1 \| ID_{SS} \| P_{pub,2} \| T_3 \| R_2$ and H is a key derivation function. Thus the two communicating entities have successfully established a common session key $MK_{AB}$.

Password Change Phase:

This phase is invoked whenever the user U wants to change his password. This phase does not require any interaction with the servers and works as follows:

1. U inserts the smart card into the terminal and enters his identity $ID_U$ and password $s_U$. The smart card computes $Q' = H_{1,1}(ID_U)$ and $PK' = s_U P_1$, and then checks whether $Q' = Q_U$ and $PK' = PK_U$. If both hold, it continues to the next step; otherwise, it terminates the operation.

2. The smart card allows U to submit a new password $s_U'$, then computes $PK_U' = s_U' P_1$. The smart card stores the new $s_U'$ and $PK_U'$.
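The registration, login, user authentication, server authentication and key agreement phases above, as an added Python model that is not the authors' code. It assumes a toy bilinear map ($G_1$ as the integers mod q under addition, $G_2$ as the order-q subgroup of $Z_p^*$ with $p = 2q+1$, $e(a,b) = 4^{ab} \bmod p$), SHA-256 for $H_1$, $H_2$, $H_3$ and the KDF, a constructed encoding of tuples, and integer timestamps; discrete logarithms are trivial in this model, so it exercises the verification equation, the $\Delta t$ window and the key derivation, not the scheme's security.

```python
# Toy model of the protocol above (not the authors' code): G1 = integers mod q under
# addition, G2 = order-q subgroup of Z_p^* (p = 2q+1), e(a, b) = 4^(a*b mod q) mod p,
# which is bilinear. Discrete logs are trivial here: this checks algebra, not security.
import hashlib, secrets

def _h(*parts):  # SHA-256 over "|"-joined str() encodings (constructed encoding)
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()
class Domain:  # one server's parameters <G1, G2, e, q, P, Ppub, H1, H2, H3>
    def __init__(self, q):  # q and p = 2q+1 must both be prime
        self.q, self.p, self.g, self.P = q, 2 * q + 1, 4, 1  # 4 = 2^2 generates G2
        self.s = secrets.randbelow(q - 1) + 1                # private key s in Z_q^*
        self.Ppub = self.s * self.P % q                      # Ppub = sP
    def e(self, a, b):               # bilinear map G1 x G1 -> G2
        return pow(self.g, a * b % self.q, self.p)
    def H1(self, ident):             # {0,1}^n -> G1
        return int.from_bytes(_h("H1", ident), "big") % self.q
    def H2(self, ident, pk, t, r):   # {0,1}^n x G1 x {0,1}^n x G1 -> G1
        return int.from_bytes(_h("H2", ident, pk, t, r), "big") % self.q
    def H3(self, k):                 # G1 -> {0,1}^n
        return _h("H3", k)

def register(rs, id_u):
    """Registration: RS computes Q_U = H1_1(ID_U) and D_U = s_1 Q_U; no password is sent."""
    q_u = rs.H1(id_u)
    return {"ID": id_u, "Q": q_u, "D": rs.s * q_u % rs.q}

def login(rs, ss, card, s_u, id_ss, t1):
    """Login phase on the card: (R1, V) is a signature on (ID_U, ID_SS, T1)."""
    pk_u = s_u * rs.P % rs.q                       # PK_U = s_U P_1 (set at first use)
    x = secrets.randbelow(ss.q - 1) + 1
    r1 = x * ss.P % ss.q                           # R1 = x P_2 lives in SS's domain
    w = rs.H2(card["ID"], pk_u, t1, r1)
    v = (card["D"] + s_u * w) % rs.q               # V = D_U + s_U W
    return (card["ID"], id_ss, t1, r1, v), pk_u

def verify_login(rs, ss, msg, pk_u, t2, delta):
    """User authentication at SS; returns (R2, Auth, K_B1) or None on rejection."""
    id_u, id_ss, t1, r1, v = msg
    if not 0 <= t2 - t1 <= delta:                  # (T2 - T1) <= delta_t
        return None
    w = rs.H2(id_u, pk_u, t1, r1)
    # e1(P1, V) = e1(Q_U, Ppub_1) * e1(W, PK_U) holds iff V = s_1 Q_U + s_U W
    if rs.e(rs.P, v) != rs.e(rs.H1(id_u), rs.Ppub) * rs.e(w, pk_u) % rs.p:
        return None
    y = secrets.randbelow(rs.q - 1) + 1
    r2, kb1 = y * rs.P % rs.q, y * pk_u % rs.q     # R2 = y P_1, K_B1 = y PK_U
    return r2, ss.H3(kb1), kb1

def session_key(ss, msg, pk_u, r2, t3, k):
    """Key agreement: MK = H(K_AB || K), K_AB = ID_U||PK_U||T1||R1||ID_SS||Ppub_2||T3||R2."""
    id_u, id_ss, t1, r1, _ = msg
    return _h("KDF", id_u, pk_u, t1, r1, id_ss, ss.Ppub, t3, r2, k)

def run(tamper=False, stale=False):
    """Full exchange; returns (client key, server key) or None if a check fails."""
    rs, ss = Domain(1019), Domain(1031)            # 1019, 1031, 2039 and 2063 are prime
    card, s_u = register(rs, "alice"), 166         # s_U: user-chosen password in Z_q^*
    t1 = 1_700_000_000                             # constructed timestamp T1
    msg, pk_u = login(rs, ss, card, s_u, "ss.example", t1)
    if tamper:                                     # V modified in transit
        msg = msg[:4] + ((msg[4] + 1) % rs.q,)
    resp = verify_login(rs, ss, msg, pk_u, t1 + (99 if stale else 2), delta=10)
    if resp is None:
        return None
    r2, auth, kb1 = resp
    t3, ka1 = t1 + 3, s_u * r2 % rs.q              # K_A1 = s_U R2 = y PK_U = K_B1
    if auth != ss.H3(ka1):                         # server authentication check
        return None
    return session_key(ss, msg, pk_u, r2, t3, ka1), session_key(ss, msg, pk_u, r2, t3, kb1)
```

`run()` returns matching client and server keys, while `run(tamper=True)` and `run(stale=True)` show the pairing check and the $\Delta t$ window rejecting a modified V and a late login message.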

3. Security Analysis

For certificateless cryptosystems, the widely accepted notion of security was defined by Al-Riyami and Paterson in [7]; there are two types of adversary with different capabilities:

Type I Adversary: This type of adversary $A_1$ models a dishonest user who does not have access to the master private key of the registration server but has the ability to replace the public key of any entity with a value of his choice.

Type II Adversary: This type of adversary $A_2$ models a malicious registration server who has access to the master private key but cannot perform public key replacement.

On one hand, we show that the service server can authenticate the user. In our scheme, the login message $(ID_U, ID_{SS}, T_1, R_1, V)$ is viewed as a signature $(R_1, V)$ on the message $(ID_U, ID_{SS}, T_1)$. The adversary $A_1$ cannot forge a correct $R_1 = x P_2$ and $V = D_U + s_U W$ satisfying $e_1(P_1, V) = e_1(Q_U, P_{pub,1}) \cdot e_1(W, PK_U)$ without the user's private key pair $(s_U, D_U)$, under the CDHP assumption. The adversary $A_2$ knows the part $D_U$ of the user's private key, but without the user's other private key $s_U$ he cannot compute $s_U W$, under the CDHP assumption. Hence the adversary $A_i$ ($i = 1, 2$) cannot forge a valid signature on the message $(ID_U, ID_{SS}, T_1)$, and the service server can authenticate the user.

On the other hand, we prove that the user U can authenticate the service server. In our scheme, after the user authentication phase, the service server generates the authentication message $(R_2, T_3, Auth)$, and the user can compute and verify the $Auth$ value by running an instance of our authenticated key agreement protocol. We prove in the following Theorem 1 that the adversary $A_i$ ($i = 1, 2$) cannot compute the $Auth$ value.

Theorem 1. The server authentication scheme is secure, provided that $H_{3,2}$ and $H_1$ are random oracles and the Computational Diffie-Hellman problem is hard. Specifically, assume that the adversary $A_i$ ($i = 1, 2$) has non-negligible advantage $Adv(A_i)$ in computing the authentication value $Auth$, making at most $q_c$ Create-User queries and $q_p$ Password-Extract queries. Let $q_n$ be the total number of oracles that $A_i$ creates. Then there exists an algorithm C that solves the CDH problem with advantage $2(q_c - q_p)Adv(A_i)/(q_c \cdot q_n)$.

Proof. We assume the simulator C receives a random instance $(P, rP, bP)$ of the Computational Diffie-Hellman problem; its goal is to compute $rbP$. C runs $A_i$ as a subroutine to solve the CDH problem with non-negligible probability. To maintain consistency between the queries made by $A_i$, C keeps the following lists: $L_1$ for query/response pairs to the random oracle $H_1$; $L_u$ of the queries made by $A_i$ to the Create-User oracle; and $L_h$ of some of the queries made by $A_i$ to the $H_{3,2}$ oracle. At the beginning of the game, C gives $A_i$ the system parameters of RS and SS, and gives $A_2$ the private key s of RS, where RS's system public parameters are $\langle G_1, G_2, e, q, P, P_{pub}, H_1, H_2, H_3 \rangle$ and SS's system public parameters are $\langle G_{1,2}, G_{2,2}, e_2, q_2, P_2, P_{pub,2}, H_{1,2}, H_{2,2}, H_{3,2} \rangle$.

The algorithm C selects one random integer t from $\{1, 2, \ldots, q_n\}$ and works by interacting with $A_i$ as follows, where $A_2$ does not need to access the Private-Key-Extract and Public-Key-Replace oracles:

Create-User: C first chooses one random number $i_b \in \{1, 2, \ldots, q_c\}$. At the $i_b$-th query, C sets $s_U = \bot$, $ID_b = ID_U$ and $PK_U = rP$. For the other queries, C chooses a random number $s_U \in Z_q^*$ and computes $PK_U = s_U P$. In both cases, C adds $(ID_U, s_U, PK_U)$ to the list $L_u$ and returns $PK_U$ to $A_i$.

$H_1$ queries: C chooses a random number $w \in Z_q^*$ and sets $H_1(ID_U) = wP$, then puts the tuple $(ID_U, w, H_1(ID_U))$ in the list $L_1$ and answers $H_1(ID_U)$.

$H_{3,2}$ queries: Upon receiving an $H_{3,2}$ query, C first searches $L_h$ for a tuple $(K_1, h)$ with $K_1 \in G_1$. If the requested input is already on the list, the corresponding h is returned; otherwise a random $h \in \{0,1\}^n$ is returned and a new entry is inserted into the list $L_h$.

Public-Key-Replace: C replaces the original public key $PK_U$ with $pk_U$ if $ID_U$ has already been created. Otherwise, C executes a Create-User query to generate $(ID_U, s_U, PK_U)$, then sets $PK_U = pk_U$ and adds $(ID_U, s_U, PK_U)$ to $L_u$. Here, to replace a public key, the password value corresponding to the new public key is not required.

Password-Extract: On a Password-Extract query on $ID_U$, we assume that the Create-User query for $ID_U$ has already been asked. If $ID_U = ID_b$, then C fails and stops. Otherwise, C searches for the tuple $(ID_U, s_U, PK_U)$ corresponding to $ID_U$ in the list $L_u$ and returns $s_U$ to $A_i$.

Send queries: For any oracle $\Pi_{A,SS}$, at the t-th Send query C answers with $R_2 = bP$. For the other queries, C chooses a random number $d_t \in Z_q^*$ and answers $d_t P$.

Reveal queries: Upon receiving a Reveal query, C outputs the appropriate session key, except if $A_i$ asks it of the oracle $\Pi^t$ on which the Test query is asked, in which case C aborts.

Test queries: At some point in the simulation, $A_i$ asks a single Test query of some oracle. If $A_i$ does not choose the guessed oracle $\Pi^t$ for the Test query, C aborts; otherwise, C randomly picks a value from the session key space and responds to $A_i$ with it.

Output: At the end of the game, the algorithm $A_i$ outputs its guess.

Solving the CDH Problem: C picks a tuple of the form $(K_1, h)$ from $L_h$ and returns $K_1$ as the response to the CDH challenge.

Now we evaluate the probability that C does not abort. Note that C fails if $A_i$ has asked a Password-Extract query on $ID_b$; the probability for C not to fail is $(q_c - q_p)/q_c$. Further, if the test session is the t-th oracle, then the simulation goes through. The probability that the simulator has chosen the right session is $1/q_n$, because t is chosen uniformly from the $q_n$ oracles and the initiator of the test session is one of them. We have:

$\Pr[\text{C does not abort}] \ge \frac{q_c - q_p}{q_c} \cdot \frac{1}{q_n} = \frac{q_c - q_p}{q_c \cdot q_n}$

According to the simulation of the Send query, the test oracle $\Pi^t$ must have obtained the value $R_2 = bP$. The oracle should hold an authentication value $Auth$ of the form $H_{3,2}(K_1)$, in which $K_1 = rbP$.

Let H be the event that $rbP$ has been queried to $H_{3,2}$ as $K_1$. Because $H_{3,2}$ is a random oracle, we have $\Pr[A_i \text{ wins} \mid \neg H] = 1/2$. Then

$\Pr[A_i \text{ wins}] = \Pr[A_i \text{ wins} \mid \neg H]\Pr[\neg H] + \Pr[A_i \text{ wins} \mid H]\Pr[H] \le \Pr[A_i \text{ wins} \mid \neg H]\Pr[\neg H] + \Pr[H] = \frac{1}{2} + \frac{1}{2}\Pr[H]$

It follows that $\Pr[H] \ge 2 Adv(A_i)$. Combining all the above results, C solves the CDH problem with probability at least $2(q_c - q_p)Adv(A_i)/(q_c \cdot q_n)$, contradicting the hardness of the CDH problem.

4. Protocol Comparison

In this section, we compare the efficiency of our scheme with Yoon and Yoo's scheme [6] regarding the security and computation overheads, not including precomputation overheads. We use the notations mul, add, bp and h as abbreviations for a multiplication in $G_1$, an addition in $G_1$, a bilinear pairing operation and a one-way hash function operation, respectively.

As shown in Table 1, neither scheme requires the expensive bilinear pairing operation on the client side, which makes them more efficient than other schemes [1, 3]. Compared with Yoon and Yoo's scheme, our scheme has a lower operation cost. Moreover, our scheme can be used for mutual authentication and key agreement between members of distinct domains using different system parameters, and it is secure against an uncertified user and a malicious registration server simultaneously. Hence, considering wireless users with limited computing capability and the security of their communication, our authentication and key agreement scheme may be more applicable.

Table 1. A comparison of efficiency

        Yoon and Yoo's scheme [6]   Our scheme
Client  4mul + add + 2h             3mul + add + 3h
Server  2mul + add + 2bp + 2h       2mul + 2bp + 3h

5. Conclusion

In this paper, we have proposed an authentication and key agreement mechanism for multi-domain wireless networks using bilinear pairings based on certificateless public key cryptography. We have shown that the proposed scheme is secure against an uncertified user and a malicious registration server simultaneously under the computational Diffie-Hellman assumption in the random oracle model. By exploiting the certificateless public key cryptography system, our scheme eliminates the key escrow issue inherent in identity-based cryptography. In the proposed scheme, we shift the computational burden to the server; moreover, our scheme adopts CL-based short signatures to further reduce the user's computational cost. As a result, the computational cost required by the user is reduced enough to be well suited for smart cards. Compared with recently proposed schemes, our scheme has better performance in terms of the security and computation overheads.

Acknowledgements

This work is supported by the National Natural Science Foundation of China under contract no. 61070139 and the Science and Technology Foundation of the Education Department of Jiangxi Province under grant no. GJJ11039.

References

[1] Das ML, Saxena A, Gulati VP, et al. A novel remote user authentication scheme using bilinear pairings. Computers and Security 2006; 25(3): 184-189.

[2] Goriparthi T, Das ML, Negi A, et al. Cryptanalysis of recently proposed Remote User Authentication Schemes. Technical Report 028, Cryptology ePrint Archive, 2006.

[3] Giri D, Srivastava PD. An improved remote user authentication scheme with smart cards using bilinear pairings. Technical Report 274, Cryptology ePrint Archive, 2006.

[4] Tseng YM, Wu TY, Wu JD. A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards. Informatica 2008; 19(2): 285-302.

[5] Wu TY, Tseng YM. An efficient client authentication and key exchange protocol for mobile client-server environment. Computer Networks 2010; 54: 1520-1530.

[6] Yoon EJ, Yoo KY. A New Efficient ID-based User Authentication and Key Exchange Protocol for Mobile Client-Server Environment, Proc. ICWITS 2010, 1-4.

[7] Al-Riyami SS, Paterson KG. Certificateless Public Key Cryptography. Proc. Cryptography-ASIACRYPT 2003, 452-473.

[8] Ma CB, Ao J. Certificateless Group Oriented Signature Secure Against Key Replacement Attack. International Journal of Network Security 2011; 12(1): 1-6.

[9] Choi KY, Park JH, Lee DH. A new provably secure certificateless short signature scheme. Computers & Mathematics with Applications 2011; 61(7): 1760-1768.

[10] He DB, Chen YT, Chen JH, et al. A new two-round certificateless authenticated key agreement protocol without bilinear pairings. Mathematical and Computer Modelling 2011; 54: 3143-3152.

[11] Xiong H, Wu QH, Chen Z. Toward Pairing-Free Certificateless Authenticated Key Exchanges. Proc. ISC 2011, 79-94.