1

Anonymous Roaming Authentication Protocol with ID-based Signatures

Lih-Chyau Wuu, Chi-Hsiang Hung

Department of Electronic Engineering, National Yunlin University of Science & Technology, Taiwan

E-mail: [email protected]

2

Outline

Introduction

Roaming Authentication Protocol

Security Analysis

Performance Analysis

Conclusion

3

Introduction

The mobile communication environment
  Access data at any place and at any time

Security issues
  Data privacy
  Data integrity
  Mutual authentication
  Anonymity
  Non-repudiation

4

Introduction

An authentication server exists in each network

Authenticate roaming users before providing any service

AS: Authentication Server

MS: Mobile Station

[Figure: the MS roams from the Home Network (ASHN) to the Foreign Network (ASFN); labels: Roaming Service Request, Accept/Reject.]

5

Introduction

Roaming Authentication Methods:

On-Line Authentication

Off-Line Authentication

The mixture of On-Line and Off-Line Authentication

6

On-Line Authentication

Authenticate the roaming user each time

[Figure: the MS roams from the Home Network (ASHN) to the Foreign Network (ASFN); labels: Roaming Service Request, "Is the MS valid?", "Yes or No", Accept/Reject.]

7

Off-Line Authentication

Authenticate the roaming user locally

[Figure: the MS roams from the Home Network (ASHN) to the Foreign Network (ASFN); labels: pre-shared information, Roaming Service Request, Accept/Reject.]

8

The mixture of On-Line and Off-Line Authentication

On-line authentication when the roaming user requests service for the first time.

Off-line authentication for subsequent service requests

[Figure: the MS roams from the Home Network (ASHN) to the Foreign Network (ASFN); labels: Roaming Service Request, "Is the MS valid?", "Yes or No", shared information, Accept/Reject.]

9

The roaming authentication protocol

Off-line roaming authentication

Security properties

Anonymity of MS

Mutual Authentication between MS and Foreign Network

Nonrepudiation of MS

Minimizing the number of exchanged messages

Minimizing the computation load at MS

Simple Key Management

10

The roaming authentication protocol

ID-based signature technique from Weil-pairing
  No certificate is needed
  Verify the signature by public information of the signer (email address, identity, …)

Secret sharing technique from Lagrange Interpolating polynomial

11

Lagrange interpolating polynomial - secret sharing

$$f(x) = a_{t-1}x^{t-1} + \cdots + a_2 x^2 + a_1 x + secret$$

[Figure: ID1, ID2, ..., IDn, each with its share]

x1 = ID1 and y1 = f(ID1)
x2 = ID2 and y2 = f(ID2)
...
xn = IDn and yn = f(IDn)

12

Lagrange interpolating polynomial - secret sharing

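[Figure: the shares of ID1, ID2, ..., IDt are combined into the secret]

x1 = ID1 and y1 = f(ID1)
x2 = ID2 and y2 = f(ID2)
...
xt = IDt and yt = f(IDt)

$$f(0) = \sum_{i=1}^{t} y_i \prod_{j=1,\, j \ne i}^{t} \frac{0 - x_j}{x_i - x_j} = secret$$

$$f(x) = a_{t-1}x^{t-1} + \cdots + a_2 x^2 + a_1 x + secret$$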

13

The Roaming Authentication Protocol

[Figure: protocol overview. Home Network with ASHN, Foreign Network with ASFN; MS 1, MS 2, ..., MS n holding RSMS1, RSMS2, ..., RSMSn; ASFN holding RSFN; labels: Roaming Information, Sigcharge2, Accept/Reject, K.]

14

System Initialization-ASHN

System Initialization

ASHN generates

System public parameters {e, G1, G2, P, H1, H2, H3}

System private key s

System public key Ppub = s P

ASHN selects an $RS_{FN} \in_R Z_q$ and sends the RSFN to ASFN over a secure channel.

15

System Initialization-ASHN

When MS registers at ASHN, the MS will get {IDMS, TIDMS, SKMS, RSMS, Kcomm}

Where

PKMS = H1(TIDMS || IDHN || DateMS), SKMS = s PKMS

DateMS : the expiration date of the public/secret key pair

$$r_{MS} = RS_{FN}\cdot\frac{H_2(TID_{MS})}{H_2(TID_{MS}) - H_2(ID_{FN})} + RS_{MS}\cdot\frac{H_2(ID_{FN})}{H_2(ID_{FN}) - H_2(TID_{MS})}$$

)(2 MSMScomm rTIDHK
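
The rMS value defined on this slide is a Lagrange interpolation at x = 0 through the two shares (H2(TIDMS), RSMS) and (H2(IDFN), RSFN), and ASFN repeats the same computation in Step B4. The Python below is an added example, not code from the slides: the modulus Q, the SHA-256-based h2, the constructed identifiers and the helper issue_rs_ms (one way ASHN could derive RSMS) are assumptions. It shows that ASFN recovers rMS from the RSMS carried in the request only when it holds the right RSFN.

```python
import hashlib

Q = 2**255 - 19  # constructed stand-in for the prime group order q

def h2(data: bytes) -> int:
    """Stand-in for H2 (assumption): SHA-256 mapped to a nonzero element of Z_q."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def inv(a: int) -> int:
    """Multiplicative inverse in Z_q."""
    return pow(a % Q, -1, Q)

def recover_r_ms(tid_ms: bytes, rs_ms: int, id_fn: bytes, rs_fn: int) -> int:
    """r_MS = f(0) for the line through (H2(TID_MS), RS_MS) and (H2(ID_FN), RS_FN)."""
    x_ms, x_fn = h2(tid_ms), h2(id_fn)
    if x_ms == x_fn:
        # Both shares would sit on the same x: the denominators are zero.
        raise ValueError("H2(TID_MS) equals H2(ID_FN); r_MS is undefined")
    term_ms = rs_ms * x_fn * inv(x_fn - x_ms)
    term_fn = rs_fn * x_ms * inv(x_ms - x_fn)
    return (term_ms + term_fn) % Q

def issue_rs_ms(tid_ms: bytes, r_ms: int, id_fn: bytes, rs_fn: int) -> int:
    """Hypothetical ASHN helper: the MS share on the line with f(0) = r_MS
    and f(H2(ID_FN)) = RS_FN."""
    slope = (rs_fn - r_ms) * inv(h2(id_fn)) % Q
    return (r_ms + slope * h2(tid_ms)) % Q

def demo() -> dict:
    """Constructed run: two MSs roam to one foreign network."""
    id_fn = b"FN-example"
    rs_fn = h2(b"constructed RS_FN")           # known to ASHN and ASFN only
    results = {}
    for tid in (b"TID-0001", b"TID-0002"):
        r_ms = h2(b"constructed r_MS " + tid)  # per-MS secret
        rs_ms = issue_rs_ms(tid, r_ms, id_fn, rs_fn)
        results[tid] = {
            "r_ms": r_ms,
            "asfn": recover_r_ms(tid, rs_ms, id_fn, rs_fn),             # real ASFN
            "wrong_rs_fn": recover_r_ms(tid, rs_ms, id_fn, rs_fn + 1),  # guessed share
        }
    return results

if __name__ == "__main__":
    for tid, r in demo().items():
        print(tid, r["asfn"] == r["r_ms"], r["wrong_rs_fn"] == r["r_ms"])
```

A single share such as the RSMS sent in the clear fixes only one point of the degree-1 polynomial, so every candidate rMS stays equally consistent with it until RSFN is known.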

16

Mutual Authentication

MS roams to the Foreign Network (ASFN):

MS: Compute the Sigcharge; compute the session key K

ASFN (Foreign Network): Verify the Sigcharge; compute the session key K

MS to ASFN: {TIDMS, IDHN, DateMS, PKMS, request, T, RSMS, CMS, Sigcharge}

ASFN to MS: {EK[ServiceData, T]} or reject

17

Mutual Authentication-MS

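MS executes the following steps:

Step A1: MS computes the Sigcharge = {Rcharge, Scharge}, where

$$\begin{aligned}
& C_{MS} \in_R Z_q^*, \quad T: \text{timestamp} \\
& M_{charge} = TID_{MS} \,\|\, T \,\|\, ID_{FN} \,\|\, request \,\|\, RS_{MS} \,\|\, C_{MS} \\
& R_{charge} = k_{MS} P, \quad k_{MS} \in_R Z_q^* \\
& S_{charge} = k_{MS}^{-1}\big(H_2(M_{charge})P + H_3(R_{charge})\,SK_{MS}\big)
\end{aligned}$$

Step A2: MS sends the authentication request to ASFN

$$\{TID_{MS}, ID_{HN}, Date_{MS}, PK_{MS}, request, T, RS_{MS}, C_{MS}, Sig_{charge}\}$$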

18

Mutual Authentication-ASFN

When ASFN receives the request from MS, ASFN will execute the following steps:

Step B1: verify the public key PKMS

$$H_1(TID_{MS} \,\|\, ID_{HN} \,\|\, Date_{MS}) \stackrel{?}{=} PK_{MS}$$

Step B2: check the DateMS, then check

$$f_{revoke}(H_2(TID_{MS})) \;\; ? \;\; RS_{MS}$$

19

Mutual Authentication-ASFN

Step B3: verify the correctness of Sigcharge

Step B4: compute the rMS and the session key K

Step B5: send to MS

$$e(R_{charge}, S_{charge}) \stackrel{?}{=} e(P, P)^{H_2(M_{charge})} \cdot e(P_{pub}, PK_{MS})^{H_3(R_{charge})}$$

$$r_{MS} = RS_{FN}\cdot\frac{H_2(TID_{MS})}{H_2(TID_{MS}) - H_2(ID_{FN})} + RS_{MS}\cdot\frac{H_2(ID_{FN})}{H_2(ID_{FN}) - H_2(TID_{MS})}$$

MSMSMS CrTIDHK )(2

$$\{E_K[ServiceData, T]\}$$
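
Why the Step B3 check accepts an honest Sigcharge, written out with the slides' symbols as an added derivation that is not part of the original slides. It uses only the bilinearity of e together with $R_{charge} = k_{MS}P$, $SK_{MS} = s\,PK_{MS}$ and $P_{pub} = sP$:

$$\begin{aligned}
e(R_{charge}, S_{charge}) &= e\big(k_{MS}P,\; k_{MS}^{-1}(H_2(M_{charge})P + H_3(R_{charge})\,SK_{MS})\big) \\
&= e\big(P,\; H_2(M_{charge})P + H_3(R_{charge})\, s\, PK_{MS}\big) \\
&= e(P, P)^{H_2(M_{charge})} \cdot e(P, s\,PK_{MS})^{H_3(R_{charge})} \\
&= e(P, P)^{H_2(M_{charge})} \cdot e(P_{pub}, PK_{MS})^{H_3(R_{charge})}
\end{aligned}$$

The left-hand side needs $SK_{MS}$ to produce, while the right-hand side uses only public values, which is what lets ASFN verify the signature without being able to create it.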

20

Mutual Authentication-MS

When MS receives the message from ASFN,

MS computes the session key K’

K’ = Kcomm ⊕ CMS

MS decrypts the {EK[ServiceData, T’]} by using K’

MS gets the ServiceData and T’

MS checks T’ ?= T

21

Security Analysis

Anonymity of Roaming User

TIDMS

Mutual Authentication between MS and ASFN

ASFN authenticates MS: Sigcharge

MS authenticates ASFN: Session key K

Nonrepudiation of Roaming User

Sigcharge

22

Security Analysis

Prevention of Attacks

Replay Attack
  timestamp: T

Impersonating Attack
  MS: attacker cannot get the SKMS, so cannot compute the Sigcharge
  ASFN: attacker cannot get the RSFN, so cannot compute the K

Dishonest ASFN
  The ASFN cannot compute the Sigcharge

Disclosure of session key
  Attacker cannot get the Roaming Share RSFN of ASFN, so cannot compute the K

23

Performance analysis

[7] M. Rahnema, “Overview of the GSM system and protocol architecture,” IEEE Commun. Mag., pp. 92–100, Apr. 1993.

[12] J. Zhu, J. Ma, “A new authentication scheme with anonymity for wireless environments,” IEEE Trans. Consumer Electronics, Vol. 50, No. 1, pp. 231–235, Feb. 2004.

[6] M. Long, C.-H. Wu, J.D. Irwin, “Localized authentication for inter-network roaming across wireless LANs,” IEE Proc. Communications, Vol. 151, No. 5, Oct. 2004.

[5] W.-B. Lee, C.-K. Yeh, “A New Delegation-Based Authentication Protocol for Use in Portable Communication System,” IEEE Trans. Wireless Communication, Vol. 4, No. 1, pp. 57–64, Jan. 2005.

24

Performance Analysis

The Number of Exchanged Messages

Protocol    Method      On-Line   Off-Line
GSM [7]     Mixture     6         2
ZHU [12]    Mixture     4         1
Long [6]    Off-Line    0         3
Lee [5]     Mixture     6         1
Ours        Off-Line    0         2

25

Performance Analysis

Comparison of Computation Load at MS

Protocol       Mode       Asymmetric Computation   Symmetric Computation   Hash Function
GSM [7]        On-Line    0                        1                       2
               Off-Line   0                        0                       2
ZHU [12]       On-Line    0                        2                       2
               Off-Line   0                        1                       0
M. Long [6]    Off-Line   3                        1                       0
Lee [5]        On-Line    1                        1                       1
               Off-Line   0                        1                       3
Ours           Off-Line   1*                       1                       0

*: Computation of an ID-based Signature, where

$$\begin{aligned}
& R_{charge} = k_{MS} P, \quad k_{MS} \in_R Z_q^* \\
& S_{charge} = k_{MS}^{-1}\big(H_2(M_{charge})P + H_3(R_{charge})\,SK_{MS}\big)
\end{aligned}$$

26

Performance Analysis

Storage Overhead

Each MS: {IDMS, TIDMS, SKMS, RSMS, Kcomm}

ASFN : RSFN

27

Conclusion

The proposed off-line anonymous roaming authentication

Number of exchanged messages: 2

Security Issues

Anonymity, Mutual authentication, Non-repudiation, data privacy and data integrity

Low computation load at MS

Simple key management