1 Anonymous Roaming Authentication Protocol with ID-based Signatures Lih-Chyau Wuu Chi-Hsiang Hung Department of Electronic Engineering National Yunlin University of Science & Technology, Taiwan
2 Outline Introduction Roaming Authentication Protocol Security Analysis Performance Analysis Conclusion
3 Introduction The mobile communication environment Access data at any place and at any time Security issues Data privacy Data integrity Mutual authentication Anonymity Non-repudiation
4 Introduction An authentication server exists in each network Authenticate roaming users before providing any service AS: Authentication Server MS: Mobile Station Home Network Foreign Network AS HN AS FN MS Accept/Reject Roaming Service Request Roaming MS
5 Introduction Roaming Authentication Methods: On-Line Authentication Off-Line Authentication The mixture of On-Line and Off-Line Authentication
6 On-Line Authentication Authenticate the roaming user each time Roaming Service Request Is the MS valid? Yes or No Home Network Foreign Network AS HN AS FN MS Accept/Reject Roaming MS
7 Off-Line Authentication Authenticate the roaming user locally Home NetworkForeign Network Accept/Reject Roaming Service Request pre-shared information AS HN AS FN MS Roaming
8 The mixture of On-Line and Off-Line Authentication On-line authentication when the roaming user requests service for the first time. Off-line authentication for subsequent service requests Home Network Accept/Reject Roaming Service Request Is the MS valid? Yes or No shared information AS HN AS FN MS Roaming Foreign Network
9 The roaming authentication protocol Off-line roaming authentication Security properties Anonymity of MS Mutual Authentication between MS and Foreign Network Nonrepudiation of MS Minimizing the number of exchanged messages Minimizing the computation load at MS Simple Key Management
10 The roaming authentication protocol ID-based signature technique from Weil-pairing No certificate is needed Verify the signature by public information of the signer ( address, identity, …) Secret sharing technique from Lagrange Interpolating polynomial
11 Lagrange interpolating polynomial - secret sharing ID 1 ID 2 ID n … x 1 =ID 1 and y 1 = f (ID 1 ) x 2 =ID 2 and y 2 = f (ID 2 ) x n =ID n and y n = f (ID n ) y 1 = f (ID 1 ) y 2 = f (ID 2 ) y n = f (ID n )
12 Lagrange interpolating polynomial - secret sharing ID 1 ID 2 ID t … x 1 =ID 1 and y 1 = f (ID 1 ) x 2 =ID 2 and y 2 = f (ID 2 ) x t =ID t and y t = f (ID t ) secret
13 The Roaming Authentication Protocol Home Network Foreign Network K Accept/Reject Sig charge2 AS HN AS FN MS 2 + K MS 1 MS n … RS MS1 RS MS2 RS MSn Roaming Information RS FN
14 System Initialization-AS HN System Initialization AS HN generates System public parameters {e, G 1, G 2, P, H 1, H 2, H 3 } System private key s System public key P pub = s P AS HN selects a RS FN R Z q, and sends the RS FN to AS FN by secure channel.
15 System Initialization-AS HN When MS registers at AS HN, the MS will get {ID MS, TID MS, SK MS, RS MS, K comm } Where PK MS =H 1 (TID MS || ID HN || Date MS ), SK MS = s PK MS Date MS : the expiration date of the public/secret key pair
16 Mutual Authentication MS roams to the Foreign Network (AS FN ): Foreign Network Compute the Sig charge Compute the session key K Verify the Sig charge Compute the session key K MS AS FN {TID MS, ID HN, Date MS, PK MS, request, T, RS MS, C MS, Sig charge } {E K [ServiceData, T]} or reject
17 Mutual Authentication-MS MS executes the following steps: Step A1: MS computes the Sig charge ={R charge, S charge } Step A2: MS sends the authentication request to AS FN
18 Mutual Authentication-AS FN When AS FN receives the request from MS, AS FN will execute the following steps: Step B1: verify the public key PK MS Step B2: check the Date MS then check
19 Mutual Authentication-AS FN Step B3: verify the correctness of Sig charge Step B4: compute the r MS and the session key K Step B5: send to MS
20 Mutual Authentication-MS When MS receives the message from AS FN, MS computes the session key K’ K’ = K comm ⊕ C MS MS decrypts the by using K’ MS gets the ServiceData and T’ MS checks T’ = T ?
21 Security Analysis Anonymity of Roaming User TID MS Mutual Authentication between MS and AS FN AS FN MS: Sig charge MS AS FN : Session key K Nonrepudiation of Roaming User Sig charge
22 Security Analysis Prevention of Attacks Replay Attack timestamp: T Impersonating Attack MS Attacker cannot get the SK MS cannot compute the Sig charge AS FN Attacker cannot get the RS FN cannot compute the K Dishonest AS FN The AS FN cannot compute the Sig charge Disclosure of session key Attacker cannot get the Roaming Share RS FN of AS FN cannot compute the K
23 Performance analysis [ 7] M. Rahnema, “Overview of the GSM system and protocol architecture,” IEEE Commun. Mag., pp. 92–100, Apr [12] J. Zhu, J. Ma, “A new authentication scheme with anonymity for wireless environments,” IEEE Trans. Consumer Electronics, Vol.50, No. 1, pp. 231 – 235, Feb [ 6] M. Long, C.-H. Wu, J.D. Irwin, “Localized authentication for inter-network roaming across wireless LANs,” IEE Proc. Communications, Vol.151, No5, Oct [ 5] W.-B. Lee, C.-K. Yeh, “A New Delegation-Based Authentication Protocol for Use in Portable Communication System”, IEEE Trans. Wireless Communication, Vol.4, No.1, pp , Jan
24 Performance Analysis The Number of Exchanged Messages The Number of Exchanged Messages protocolOn-LineOff-Line GSM [7]Mixture62 ZHU[12]Mixture41 Long[6]Off-Line03 Lee[5]Mixture61 OursOff-Line02
25 Performance Analysis Comparison of Computation Load at MS Asymmetric Computation Symmetric Computation Hash Function GSM [7]On-Line012 Off-Line002 ZHU[12]On-Line022 Off-Line010 M.Long[6]Off-Line310 Lee[5]On-Line111 Off-Line013 OursOff-Line1*10
26 Performance Analysis Storage Overhead Each MS: {ID MS, TID MS, SK MS, RS MS, K comm } AS FN : RS FN
27 Conclusion The proposed off-line anonymous roaming authentication Number of exchanged messages: 2 Security Issues Anonymity, Mutual authentication, Non-repudiation, data privacy and data integrity Low computation load at MS Simple key management