
Enhanced secure anonymous authentication scheme for roaming service in global mobility networks

Hyeran Mun, Kyusuk Han, Yan Sun Lee, Chan Yeob Yeun, Hyo Hyun Choi

Mathematical and Computer Modelling, Volume 55, Issues 1–2, January 2012, Pages 214–222

Citation: 3
Presenter: 林致良
Date: 2012/11/26


Outline

• Introduction
• Wu–Lee–Tsaur’s scheme
• Weaknesses of Wu–Lee–Tsaur’s scheme
• New enhancement for anonymous authentication scheme
• Analysis
• Conclusion


Introduction

• The GLOMONET provides global roaming service that permits mobile users to use the services provided by the home agent in a foreign agent.

• Many security problems, such as the user’s privacy, are brought to attention.

GLOMONET: Global mobility network


Introduction

You will see:

• Security weaknesses in Wu–Lee–Tsaur’s scheme, such as disclosure of the legitimate user and failing to achieve perfect forward secrecy.

• A novel scheme that also achieves mutual authentication and resistance to a man-in-the-middle attack.


Wu–Lee–Tsaur’s scheme

Wu–Lee–Tsaur’s authentication scheme consists of three phases:
1. Initial phase
2. First phase
3. Second phase


Wu–Lee–Tsaur’s scheme

Initial phase

PWMU = h(N ǁ IDMU)
rMU = h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU

where N is a secret random number that is kept by HA


Wu–Lee–Tsaur’s scheme

First phase

1. nMU, (h(IDMU) ǁ x0 ǁ x)L, IDHA, TMU

2. b, nMU, (h(IDMU) ǁ x0 ǁ x)L, TMU, CertFA, TFA, ESFA(h(b, nMU, (h(IDMU) ǁ x0 ǁ x)L, TMU, CertFA))

3. c, CertHA, THA, EPFA(h(h(N ǁ IDMU)) ǁ x0 ǁ x), ESHA(h(b, c, EPFA(h(h(N ǁ IDMU)) ǁ x0 ǁ x), CertHA))

4. (TCertMU ǁ h(x0 ǁ x))k

nMU = rMU ⊕ PWMU
L = h(TMU ⊕ PWMU)

HA computes IDMU = h(N ǁ IDHA) ⊕ nMU ⊕ IDHA
h’ = h(IDMU) is compared with (h(IDMU) ǁ x0 ǁ x)L; MU can then be authenticated.

Session key k = h(h(h(N ǁ IDMU)) ǁ x0 ǁ x)

MU checks that h(x0 ǁ x) is equal to the original; FA can then be authenticated.


Wu–Lee–Tsaur’s scheme

Second phase (update session key)

• When MU accesses FA at the ith session, MU requests FA to update the session key.

Step 1: MU → FA : TCertMU, (xi ǁ TCertMU)ki

The new ith session key ki can be computed by using:
• an unexpired previous secret random number xi−1
• the fixed secret random number x

ki = h(h(h(N ǁ IDMU)) ǁ x ǁ xi−1), (i = 1, 2, 3, . . . , n).


Weaknesses of Wu–Lee–Tsaur’s scheme

Weakness 1 : Failing to achieve the anonymity

Weakness 2: Disclosure of the legitimate user’s password

Weakness 3: Perfect forward secrecy

Assume:

• A legitimate user and an attacker A register with the same HA.

• A is able to intercept all messages between FA and MU, because in a wireless environment anyone within range of a wireless device can overhear all packets it sends and receives.


Weaknesses of Wu–Lee–Tsaur’s scheme

1. Failing to achieve the anonymity (Zeng et al.)

Step 1: A requests registration of HA, and obtains h(.), IDHA, PWA = h(N ǁ IDA), and rA = h(N ǁ IDHA) ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA.

Step 2: A can compute h(N ǁ IDHA) as follows:
rA ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA
= h(N ǁ IDHA) ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA
= h(N ǁ IDHA).

Step 3: A is able to intercept messages nMU, (h(IDMU) ǁ x0 ǁ x)L, IDHA, and TMU.

Step 4: A can obtain IDMU by using nMU, IDHA, and h(N ǁ IDHA):
nMU ⊕ h(N ǁ IDHA) ⊕ IDHA
= h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU ⊕ h(N ǁ IDMU) ⊕ h(N ǁ IDHA) ⊕ IDHA
= IDMU.

Recall: nMU = rMU ⊕ PWMU

Using the properties of XOR: A ⊕ B = C, C ⊕ B = A, A ⊕ A = 0


Weaknesses of Wu–Lee–Tsaur’s scheme

2. Disclosure of the legitimate user’s password

A can obtain the legitimate user’s password PWMU. A can compute PWMU as follows:

(1) A can guess the composition of rMU by using rA. rMU has the same composition as rA, with IDMU in place of IDA: h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU.

(2) A can compute the legitimate user MU’s password PWMU by using the intercepted nMU and the guessed rMU:
nMU ⊕ rMU
= h(N ǁ IDMU) ⊕ h(N ǁ IDHA) ⊕ IDHA ⊕ IDMU ⊕ h(N ǁ IDMU) ⊕ h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU
= h(N ǁ IDMU)
= PWMU
(the last four terms of the expansion are rMU)


Weaknesses of Wu–Lee–Tsaur’s scheme

2. Disclosure of the legitimate user’s password

Question: How can A guess the composition of rMU by using rA?

rA = h(N ǁ IDHA) ⊕ h(N ǁ IDA) ⊕ IDHA ⊕ IDA

rMU = h(N ǁ IDHA) ⊕ h(N ǁ IDMU) ⊕ IDHA ⊕ IDMU


Weaknesses of Wu–Lee–Tsaur’s scheme

3. Perfect forward secrecy


New enhancement for anonymous authentication scheme

The proposed scheme consists of three phases:
1. Registration
2. Authentication and establishment of session key
3. Update session key


New enhancement for anonymous authentication scheme

First phase: registration

1. NMU, IDMU

2. Generate NHA

Compute PWMU = h(NMU ǁ NHA)
Compute rMU = h(IDMU ǁ PWMU) ⊕ IDHA

3. rMU , IDHA , NHA, PWMU, h(.)


New enhancement for anonymous authentication scheme

Second phase: Authentication and establishment of session key

1. IDHA, NHA, rMU

2. Generate NFA

3. IDFA, NFA, rMU

4. Compare rMU with r’MU = h(IDMU ǁ PWMU) ⊕ IDHA (Authenticate MU)
   Compute PHA = h(PWMU ǁ NFA)
   Compute SHA = h(IDFA ǁ NFA) ⊕ rMU ⊕ PHA

5. SHA, PFA

Recall: PWMU = h(NMU ǁ NHA), rMU = h(IDMU ǁ PWMU) ⊕ IDHA


New enhancement for anonymous authentication scheme

6. Verify SHA
   (i) Compute S’HA = h(IDFA ǁ NFA) ⊕ rMU ⊕ PHA
   (ii) Compare SHA with S’HA
   Compute SFA = h(SHA ǁ NFA ǁ NHA) and aP

7. SFA, aP, PFA = (SHA ǁ IDFA ǁ NFA)

8. Verify SFA (Authenticate HA and FA)
   1. S’HA = h(IDFA ǁ NFA) ⊕ rMU ⊕ h(PWMU ǁ NFA)
   2. Compare SFA with S’FA = h(SHA ǁ NFA ǁ NHA)
   Compute bP, KMF = h(abP), SMF = fKMF(NFA ǁ bP)

9. bP, SMF

10. Compute KMF = h(abP)
    Verify SMF (Authenticate MU)


New enhancement for anonymous authentication scheme

Third phase: update session key: KMFi (i = 1, 2, 3, ..., n)

1. Select bi, compute biP
   1. biP

2. Select ai, compute aiP
   New session key: h(aibiP)
   SMFi = fKMFi(aibiP ǁ ai−1bi−1P)

3. aiP, SMFi

4. Compute KMFi = h(abP)
   Compare S’MFi = fKMFi(aibiP ǁ ai−1bi−1P) with SMFi


Security Analysis

• Achieve anonymity
FA receives rMU = h(IDMU ǁ PWMU) ⊕ IDHA instead of IDMU. Thus, FA has no way of guessing IDMU without PWMU = h(NMU ǁ NHA) and IDHA.

• Provide perfect forward secrecy

• Prevent disclosure of the legitimate user’s password
To obtain the user’s password, an attacker should know the two nonces NMU and NHA.
rMU = h(IDMU ǁ PWMU) ⊕ IDHA, PHA = h(PWMU ǁ NFA) and SFA = h(SHA ǁ NFA ǁ NHA)

• Prevent replay attack
The scheme can resist a replay attack by using nonces.

• Provide mutual authentication between MU and HA

• Provide mutual authentication between MU and FA
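The XOR cancellation behind weakness 1 and the anonymity claim above, side by side, as an added example that is not code from the paper or the slides. SHA-256 stands in for h(.), identities are zero-padded to 32 bytes so they can be XORed with hash outputs, and all function names and sample identities are constructed for illustration.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    # h(a ǁ b ǁ ...); SHA-256 is an assumed stand-in for the scheme's h(.)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals: bytes) -> bytes:
    out = bytes(32)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def ident(name: str) -> bytes:
    # Constructed identity, zero-padded to the hash length (assumption)
    return name.encode().ljust(32, b"\0")

def wlt_register(N: bytes, id_ha: bytes, id_user: bytes):
    # Wu-Lee-Tsaur initial phase: PW = h(N ǁ ID), r = h(N ǁ ID_HA) ⊕ PW ⊕ ID_HA ⊕ ID
    pw = h(N, id_user)
    return pw, xor(h(N, id_ha), pw, id_ha, id_user)

def wlt_identity_from_n(h_n_idha: bytes, n_mu: bytes, id_ha: bytes) -> bytes:
    # The HA's own lookup: ID_MU = h(N ǁ ID_HA) ⊕ n_MU ⊕ ID_HA
    return xor(h_n_idha, n_mu, id_ha)

def enhanced_register(n_mu: bytes, n_ha: bytes, id_ha: bytes, id_user: bytes):
    # Enhanced registration: PW = h(N_MU ǁ N_HA), r = h(ID ǁ PW) ⊕ ID_HA
    pw = h(n_mu, n_ha)
    return pw, xor(h(id_user, pw), id_ha)

def compare_schemes():
    N = secrets.token_bytes(32)                      # HA's long-term secret
    id_ha, id_mu, id_a = ident("HA-1"), ident("mu-4711"), ident("user-A")
    # Old scheme: n_MU = r_MU ⊕ PW_MU travels in the clear in message 1.
    pw_mu, r_mu = wlt_register(N, id_ha, id_mu)
    n_mu = xor(r_mu, pw_mu)
    # Any other registered user A derives h(N ǁ ID_HA) from its own r_A
    # (step 2), which is the only secret the HA's lookup relies on.
    pw_a, r_a = wlt_register(N, id_ha, id_a)
    h_n_idha = xor(r_a, pw_a, id_ha, id_a)
    old_leaks = wlt_identity_from_n(h_n_idha, n_mu, id_ha) == id_mu
    # Enhanced scheme: removing the public ID_HA mask from r_MU leaves a
    # hash keyed by PW_MU, which depends on two nonces no other user holds.
    pw_new, r_new = enhanced_register(secrets.token_bytes(32),
                                      secrets.token_bytes(32), id_ha, id_mu)
    unmasked = xor(r_new, id_ha)
    return old_leaks, unmasked == id_mu, unmasked == h(id_mu, pw_new)
```

`compare_schemes()` returns three booleans: whether the old scheme's n_MU reveals ID_MU to another registered user, whether unmasking the enhanced r_MU reveals ID_MU, and whether that unmasked value is exactly h(ID_MU ǁ PW_MU).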


Performance analysis

No need for time synchronization: The previous scheme uses timestamps to resist a replay attack.

Use Elliptic Curve Diffie–Hellman (ECDH): The new scheme uses ECDH instead of a public key cryptosystem with certificates, to reduce communication overhead.


Conclusion

• There are security weaknesses in Wu–Lee–Tsaur’s scheme, such as failing to provide anonymity, disclosure of the user’s password, and failing to achieve perfect forward secrecy.

• This paper proposes a novel enhanced scheme that uses Elliptic Curve Diffie–Hellman (ECDH).

• This scheme is efficient, provides mutual authentication, and resists the man-in-the-middle attack.